Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Similar documents
Solution of Exercise Sheet 7

Lecture 1: Introduction to Public key cryptography

ECS 189A Final Cryptography Spring 2011

Leftovers from Lecture 3

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Introduction to Modern Cryptography. Benny Chor

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Exercise Sheet Cryptography 1, 2011

1 Number Theory Basics

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Lecture 10: NMAC, HMAC and Number Theory

CPSC 467: Cryptography and Computer Security

Cryptography. pieces from work by Gordon Royle

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Chapter 8 Public-key Cryptography and Digital Signatures

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Lecture 10 - MAC s continued, hash & MAC

Introduction to Cryptography. Lecture 8

MATH 158 FINAL EXAM 20 DECEMBER 2016

Public-Key Cryptosystems CHAPTER 4

Public Key Cryptography

Introduction to Cryptography Lecture 4

Lecture Notes, Week 6

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Question: Total Points: Score:

Introduction to Cybersecurity Cryptography (Part 4)

1 Cryptographic hash functions

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Introduction to Cybersecurity Cryptography (Part 4)

CPSC 467b: Cryptography and Computer Security

Asymmetric Encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Exam Security January 19, :30 11:30

Solution to Midterm Examination

CPSC 467: Cryptography and Computer Security

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Introduction to Modern Cryptography. Benny Chor

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Cryptography and Security Midterm Exam

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

CPSC 467: Cryptography and Computer Security

1 Cryptographic hash functions

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Classical Cryptography

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

Authentication. Chapter Message Authentication

Lecture 10: NMAC, HMAC and Number Theory

Cryptography IV: Asymmetric Ciphers

CPSC 467: Cryptography and Computer Security

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 5, CPA Secure Encryption from PRFs

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Lecture V : Public Key Cryptography

Cryptographic Hash Functions

Lecture 7: ElGamal and Discrete Logarithms

One can use elliptic curves to factor integers, although probably not RSA moduli.

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Lecture 22: RSA Encryption. RSA Encryption

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

CRYPTOGRAPHY AND NUMBER THEORY

2 Message authentication codes (MACs)

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Mathematics of Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Algorithmic Number Theory and Public-key Cryptography

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Notes 10: Public-key cryptography

Block Ciphers/Pseudorandom Permutations

Public Key Cryptography

Cryptography and Security Final Exam

Cryptography. P. Danziger. Transmit...Bob...

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

A survey on quantum-secure cryptographic systems

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

10 Concrete candidates for public key crypto

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Digital Signatures. Adam O Neill based on

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Week 7 An Application to Cryptography

Other Public-Key Cryptosystems

All-Or-Nothing Transforms Using Quasigroups

Public-Key Encryption: ElGamal, RSA, Rabin

Cryptographical Security in the Quantum Random Oracle Model

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Discrete Mathematics GCD, LCM, RSA Algorithm

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Introduction to Public-Key Cryptosystems:

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Transcription:

0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod s mailbox (second floor, Schreiber building). S This assignment contains seven dry problems and one wet problem. Efficient solutions are always sought, but a solution that works inefficiently is better than none. The answers to the the wet problem should be given as the output of a maple or xmaple session. Problem 1: Substitution Ciphers The following text has been enciphered by a simple substitution cipher; just decode it. xbsafsjeozjzwohthhswqyvxztwhfccsbwoosc msbstcqyshvzodscboycmsbzjzwohthvscmyqh It should be rather easy once you have a partial key. The PATTERN program at the following link could give you a lead: http://www.und.nodak.edu/org/crypto/crypto/ words/pattern.lists/pattern.english.zip Problem 2: Enhancing DES The following two keys enhancements to DES were proposed in order to increase the complexity of finding the keys by exhaustive search. DESV k,k1 (M) = DES k (M) k 1, DESW k,k1 (M) = DES k (M k 1 ) The keys lengths is k = 56 and k 1 = 64 (k 1 is the same length as the block length). Show that both these proposals do not increase the complexity of breaking the cryptosystem using brute-force key search. That is, show how to break these schemes using on the order of 2 56 DES encryptions/decryptions. You may assume that you have a moderate number of plaintext-ciphertext pairs, C i = DESV/W k,k1 (M i ). 1

Problem 3: Meet in the Middle In lecture 2 we described a meet in the middle attack against double DES. The attack required 2 56 decryptions, 2 56 encryptions and storage for 2 56 messages (the decryptions of the ciphertext under all possible keys), 64 bits each. The attack used a small number of plaintext/ciphertext pairs: M i and C i = DES k2 (DES k1 (M i )). You were hired to perform the same task, only your employer, hurt by the recent market trends, has supplied you with a machine capable of storing only 2 40 words of 64 bits each. How many encryption and decryption operations do you need in order to recover the secret key k 1, k 2 with high probability. Does the number of required plaintext/ciphertext pairs increase? Problem 4: Cryptographic Hash Functions Let m = m 1 m 2... m n where for every i (i = 1,..., n), m i is a 128 bits binary string. Define a hash function, H to operate on messages of this form. h 0 is defined as the all zero string of length 128. for every i, 1 i n, define h i = AES mi (h i 1 ). H(m) = h n. a. Show how to find collisions for H (namely two different messages that are mapped by H to the same string) using approximately 2 64 AES applications. b. Given a random string m, show how to find a different string m such that H(m) = H(m ), using approximately 2 64 AES applications. Hint: Recall the attack on double DES. Problem 5: Claw Free Permutations Two permutations f 0, f 1 : D D is called claw free if it is infeasible to find x, y D such that f 0 (x) = f 1 (y). a. Let p be a prime number, g a primitive element in Z p, and a Zp. Define the two permutations f 0, f 1 : Zp Zp by f 0 (x) = g x (mod p) and f 1 (y) = ag y (mod p). Assume it is infeasible to find a z such that g z = a. Prove that f 0, f 1 are claw free permutations. b. Let m = b 1 b 2... b n be an n bit message (the b i s are bits). Let f 0, f 1 be claw free permutations on D. Define the function H by H(m) = f b1 (f b2... (f bn (IV )...)), 2

where IV is the all zero string in D. For example, if m = 011 then H(m) = f 0 (f 1 (f 1 (IV ))). Assume that it is infeasible to find a z D such that f 0 (z) = IV or f 1 (z) = IV. Prove that H is a collision resistant hash functions. In other words, show that if m 1 m 2 and H(m 1 ) = H(m 2 ), then we can efficiently either find a pair x, y D such that f 0 (x) = f 1 (y), or a z D such that f 0 (z) = IV or f 1 (z) = IV. Note that m 1 and m 2 can have different lengths. Problem 6: CBC MACs and variable length messages In this problem we will explore the security of CBC MACs when the length of the message is allowed to vary. The constructions use a block cipher, E : {0, 1} k {0, 1} n {0, 1} n which you should assume to be secure (E K (t) is the encryption of n length t under k length key K). In general, let x = x 1, x 2,..., x l, where for each i, x i {0, 1} n. For all the variants considered in this problem, the authentication of the message x is defined as the concatanation of x with MAC K (x), where K is the secret key (shared by Alice and Bob), and MAC K (x) is of length n. We say that Fred, the forging adversary, succeeds if after seeing a small number of messages z 1,z 2,..., z s of his choice and their MACs under the unknown secret key K, he can produce a new message w (w / {z 1, z 2,..., z s }) together with MAC K (w). We emphasize that w can, and typically will, be constructed out of pieces depending on the z i s. By small number we mean s is either a constant or at most a (fixed) polynomial in n, the block length of x. In addition to the number s of message/mac pairs, Fred is also limited to polynomial time computations (polynomial in n). Remark: This type of forgery is called adaptive existential forgery (adaptive since the choice of each z i+1 can depend on all previous i message/mac pairs, and existential because it demonstrates the existence of a message whose MAC can be forged). This is the strongest form of reasonable adversary considered in the crypto world. a. Consider the application of regular CBC MAC to messages of arbitrary length. Formally, given x = x 1, x 2,..., x l, we define y 0 = 0 n, and for 0 i l 1, y i+1 = E K (y i xi+1 ). Then CBC MAC K (x) = y l. Show that this MAC is completely insecure: Break it with a constant number of queries. b. In order to overcome the problem of applying regular CBC MAC to messages of arbitrary length, consider the following patch: MAC K (x 1, x 2,..., x l ) = CBC MAC K (x 1, x 2,..., x l, l), where l, the number of blocks in x is written in binary using n bits. Show 3

that this patch does not hold water either: Break it with a constant number of queries. c. Consider the following attempt to allow one to MAC messages of arbitrary length. The domain for the MAC is ({0, 1} n ) +. To MAC the message x = x 1, x 2,..., x l, under the secret key (K, K ), compute CBC MAC K (x) K, where K has k bits and K has n bits. Show that this MAC is completely insecure: Break it with a constant number of queries. Problem 7: Orders a. Let a, m be two positive integers, with 1 a m 1. The order of a modulo m, ord m a, is defined as the minimum positive integer l such that a l = 1 (mod m), and if no such l exists. Prove that ord m a < if and only if gcd(a, m) = 1. b. Let x be an integer, and let p be an odd prime divisor of x 16 + 1. Prove that p = 1 (mod 32). Problem 8: Primitive Elements in Z p a. Let p > 2 be a prime number and let g be a primitive element in Z p. Find a characterization of all integers e, 1 e p 2 such that g e mod p is also a primitive element in Z p. Prove the characterization. b. Let p > 2 be a prime number and let g 0 be an element in Z p. Suppose p 1,..., p k are all the prime factors of p 1. Show that g is a primitive element iff for all i, 1 i k, g (p 1)/pi 1 (mod p). Show that this enables to test efficiently if g is a primitive element, provided the factorization of p 1 is known. c. Unfortunately, factoring integers is a hard problem, even if they are of the form p 1. Take p = 2 521 1. Using Maple s isprime( ) for testing primality of an integer, verify that p is indeed a prime. Now apply Maple s ifactor( ) to p 1. This procedure tries to factor its integer argument. For large integers it obviously not always succeeds. Neither does it always succeeds for primes minus 1. However for our p, ifactor produces the complete factorization after a few minutes (even on Benny s MacBook). Produce this factorization. d. For p = 2 521 1, find a random integer g, g > 10 7, such that g is a primitive element of Z p but g + 1 is not a primitive element of Z p. Print a Maple session that explicitly proves both statements. (The probability that among the fewer than 100 g s submitted by the course participants there will be a collision is so small that we will interpret such collision as a collusion and will act accordingly.) 4

Hint: You can make the search easier by using Maple s commands F F := GF(p, 1); x := F F [ConvertIn](g); F F [isprimitiveelement](x); for verifying g s primitivity status in the field Z p = GF (p, 1). However in your explicit proof you should not use such FF implementation, but rather use only the mod p function and &ˆ (exponentiation) to appropriate powers. e. Instead of looking for a prime p and trying to factor p 1, a different procedure is to look at random for a prime q and then test if p = 2q + 1 is also a prime. In that case, the only factors of p 1 are 2 and q. You may think that having both q and 2q + 1 being primes is such a rare event that we will never run into one. Write a short Maple code that prints out two such pairs, with q > 2 400 in both cases. You can definitely use isprime( ) here. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback