
Cryptography

Answers of End-Semester Examination

prepared by Dr. Ashok Kumar Das (Course Instructor)

End Semester Examination (M. Tech. 2009-11)

International Institute of Information Technology, Bhubaneswar


Time: 3 hrs. Maximum Marks: 60
Instruction: Answer any six questions from Q1-Q8.
You may also answer the bonus question, Q9, to add its marks
to your aggregate for a higher grade.

1. (a) Describe the ElGamal encryption algorithm in detail.

Answer: If users A (Alice) and B (Bob) wish to exchange secret messages, they proceed as follows.
• Key Generation: The recipient of messages, Bob (User B), proceeds as follows:
1. He chooses a large prime $q$, such that $(q - 1)$ has a big prime factor, and a primitive root $\alpha \in Z_q^*$.
2. He chooses an integer $X_B$ at random in the range $1 \le X_B \le q - 1$. The triple $(q, \alpha, X_B)$ is the secret key (private key) of Bob.
3. He computes $Y_B = \alpha^{X_B} \bmod q$. The public key of Bob is $(q, \alpha, Y_B)$, and $X_B$ is kept secret.
• Encryption: User A (Alice) encrypts a plaintext $M < q$ intended for user B (Bob) as follows:
1. Choose at random an integer $X_A$ such that $1 \le X_A \le q - 1$.
2. Compute $K = Y_B^{X_A} \bmod q$.
3. Encrypt $M$ as the pair of integers $(C_1, C_2)$, where $C_1 = \alpha^{X_A} \bmod q$ and $C_2 = KM \bmod q$.
• Decryption: User B (Bob) recovers the plaintext as follows.
1. Compute $K = C_1^{X_B} \bmod q$.
2. Compute $M = C_2 K^{-1} \bmod q$.
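The three procedures above in working code, as an added example that is not part of the answer key. The parameters are constructed for the example: $q = 2579$ is prime with $q - 1 = 2 \times 1289$ (1289 prime) and $\alpha = 2$ is a primitive root of 2579; the function names are the example's own.

```python
# Added example (not from the answer key): textbook ElGamal over Z_q^*.
# Constructed parameters: q = 2579 (prime, q-1 = 2*1289) and alpha = 2, a primitive root.
import random


def is_primitive_root(alpha: int, q: int) -> bool:
    """True iff alpha generates Z_q^* (q prime): alpha^((q-1)/r) != 1 for every prime r | q-1."""
    n, prime_factors, r = q - 1, set(), 2
    while r * r <= n:                    # trial-divide q-1 to collect its prime factors
        while n % r == 0:
            prime_factors.add(r)
            n //= r
        r += 1
    if n > 1:
        prime_factors.add(n)
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors)


def keygen(q: int, alpha: int, rng: random.Random):
    """Bob's key generation: returns (public key (q, alpha, Y_B), private key X_B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha must be a primitive root modulo q")
    x_b = rng.randrange(1, q)            # 1 <= X_B <= q-1
    y_b = pow(alpha, x_b, q)             # Y_B = alpha^X_B mod q
    return (q, alpha, y_b), x_b


def encrypt(pub, m: int, rng: random.Random):
    """Alice encrypts 1 <= M < q; a fresh X_A per message makes ElGamal randomised."""
    q, alpha, y_b = pub
    if not 1 <= m < q:                   # M = 0 would give C_2 = 0 and reveal itself
        raise ValueError("plaintext must satisfy 1 <= M < q")
    x_a = rng.randrange(1, q)
    k = pow(y_b, x_a, q)                 # one-time key K = Y_B^X_A mod q
    c1 = pow(alpha, x_a, q)
    c2 = (k * m) % q
    return c1, c2


def decrypt(pub, x_b: int, ct) -> int:
    """Bob recovers K = C_1^X_B mod q and then M = C_2 * K^-1 mod q."""
    q = pub[0]
    c1, c2 = ct
    k = pow(c1, x_b, q)
    return (c2 * pow(k, -1, q)) % q      # pow(k, -1, q) is the modular inverse (Python >= 3.8)


def demo():
    """Round-trips one message twice; returns (ok1, ok2, ciphertexts_differ)."""
    rng = random.Random(7)               # fixed seed so the run is reproducible
    pub, x_b = keygen(2579, 2, rng)
    m = 1299
    ct1, ct2 = encrypt(pub, m, rng), encrypt(pub, m, rng)
    return decrypt(pub, x_b, ct1) == m, decrypt(pub, x_b, ct2) == m, ct1 != ct2
```

Because $X_A$ is fresh for every message, two encryptions of the same $M$ normally give different $(C_1, C_2)$; reusing $X_A$ would make $K$ the same and let $C_2/C_2'$ reveal the ratio of the two plaintexts, which is why step 1 of encryption draws a new random value each time.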

(b) Write the end-to-end encryption procedure for encrypting communication channels in network security. Write its advantages and disadvantages.

Answer: In this approach, encryption and decryption only take place at the network layer and above of the OSI model. By providing end-to-end encryption, the data remains encrypted until it reaches its final destination.
Advantages: Higher secrecy level.
Disadvantages:
• The primary problem with end-to-end encryption (EEE) is that the routing information for the data is not encrypted; a good cryptanalyst can learn much about who is talking to whom, at what times and for how long, without ever knowing the contents of those conversations.
• Key management is also more difficult, since individual users must make sure they have common keys.
• Traffic analysis is possible, since routing information is not encrypted.
• Encryption is offline.

(c) Better security can be achieved by using both link-by-link encryption (LLE) and end-to-end encryption (EEE) - justify the truth of this statement.

Answer: Combining the two, while most expensive, is the most effective way of securing a network. Encryption of each physical link makes any analysis of the routing information impossible, while end-to-end encryption reduces the threat of unencrypted data at the various nodes in the network.

[5 + 3 + 2 = 10]

2. (a) Describe in detail encryption and decryption of triple DES with two keys (3DES with two keys). What is the significance of using decryption in the encryption of 3DES with two keys?
Answer: The triple encryption method that uses only two keys follows an encrypt-decrypt-encrypt (EDE) sequence, given as follows.
Encryption
$P \to E_{K_1}(P) \to D_{K_2}(A) \to E_{K_1}(B) \to C$,
where $A = E_{K_1}(P)$ and $B = D_{K_2}(A) = D_{K_2}(E_{K_1}(P))$.
From the encryption we have the following equation:
$C = E_{K_1}[D_{K_2}[E_{K_1}[P]]]$.

Decryption
For decryption we have: $P = D_{K_1}[E_{K_2}[D_{K_1}[C]]]$.
$C \to D_{K_1}(C) \to E_{K_2}(B) \to D_{K_1}(A) \to P$,
where $A = E_{K_1}(P)$ and $B = D_{K_2}(A) = D_{K_2}(E_{K_1}(P))$ are the same intermediate values as in encryption.

There is no cryptographic significance in using decryption in the encryption of 3DES with two keys. One could even use all encryptions, all decryptions, or a DED procedure instead of the EDE procedure, because encryption and decryption for DES are the same algorithm; only the round keys for DES decryption are supplied in reverse order.
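The two claims above, that decryption is the encryption routine with the round keys reversed and that the EDE order is a convention rather than a security feature, shown on a toy cipher. This is an added example, not code from the answer key: a 16-bit, 4-round Feistel network with a made-up round function and key schedule stands in for DES, and all function names are the example's own.

```python
# Added example (not from the answer key): a toy 16-bit Feistel cipher stands in for DES
# to show (1) decryption is the same function with round keys reversed, and (2) the EDE
# construction with K1 = K2 collapses to a single encryption (backward compatibility).

def F(r: int, k: int) -> int:
    """Toy round function on an 8-bit half; a Feistel network never needs F to be invertible."""
    x = (r ^ k) & 0xFF
    return ((x * 0x9D + 0x3B) & 0xFF) ^ (x >> 3)


def round_keys(key: int, rounds: int = 4) -> list:
    """Toy key schedule: rotate the 16-bit key by 3 bits per round and keep the low byte."""
    ks = []
    for i in range(rounds):
        s = (3 * i) % 16
        rotated = ((key >> s) | (key << (16 - s))) & 0xFFFF
        ks.append(rotated & 0xFF)
    return ks


def feistel(block: int, keys: list) -> int:
    """Run the Feistel rounds with the given key order. The halves are swapped back at the
    end, so feistel(feistel(x, ks), ks[::-1]) == x: one routine serves both directions."""
    l, r = (block >> 8) & 0xFF, block & 0xFF
    for k in keys:
        l, r = r, l ^ F(r, k)
    return (r << 8) | l


def E(block: int, key: int) -> int:
    return feistel(block, round_keys(key))


def D(block: int, key: int) -> int:
    return feistel(block, round_keys(key)[::-1])   # same code, round keys reversed


# 3DES-with-two-keys structure: C = E_K1[D_K2[E_K1[P]]] and P = D_K1[E_K2[D_K1[C]]]
def ede_encrypt(p: int, k1: int, k2: int) -> int:
    return E(D(E(p, k1), k2), k1)


def ede_decrypt(c: int, k1: int, k2: int) -> int:
    return D(E(D(c, k1), k2), k1)


# The all-encrypt variant (EEE) is equally valid; only the order of the inverse changes.
def eee_encrypt(p: int, k1: int, k2: int) -> int:
    return E(E(E(p, k1), k2), k1)


def eee_decrypt(c: int, k1: int, k2: int) -> int:
    return D(D(D(c, k1), k2), k1)
```

Setting `k2 == k1` turns `ede_encrypt` into a single `E`, which is the practical reason the EDE order was chosen for 3DES: a triple-DES implementation can talk to a single-DES peer by repeating the key. The toy cipher has no security value of its own; it only reproduces the structure.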


(b) Given that 3 is a primitive root of the prime 17, construct a table of indices and use it to solve the congruence $9x^8 \equiv 8 \pmod{17}$.
Answer: Let $r = 3$ and $n = 17$. We know $a \equiv r^{\mathrm{ind}_{r,n}(a)} \pmod n$. Here $\phi(n) = 17 - 1 = 16$, since $n$ is prime.
We have the following powers:
$3^1 \equiv 3$, $3^2 \equiv 9$, $3^3 \equiv 10$, $3^4 \equiv 13 \pmod{17}$,
$3^5 \equiv 5$, $3^6 \equiv 15$, $3^7 \equiv 11$, $3^8 \equiv 16 \pmod{17}$,
$3^9 \equiv 14$, $3^{10} \equiv 8$, $3^{11} \equiv 7$, $3^{12} \equiv 4 \pmod{17}$,
$3^{13} \equiv 12$, $3^{14} \equiv 2$, $3^{15} \equiv 6$, $3^{16} \equiv 1 \pmod{17}$.

The table of indices is given in Table 1.

Table 1: Index Table

a                   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
ind_{3,17}(a)      16  14   1  12   5  15  11  10   2   3   7  13   4   9   6   8

The given congruence is $9x^8 \equiv 8 \pmod{17}$. Taking the index on both sides, we have, using the rules of indices,
$\mathrm{ind}_{3,17}(9) + \mathrm{ind}_{3,17}(x^8) \equiv \mathrm{ind}_{3,17}(8) \pmod{\phi(17)}$
$\Rightarrow 2 + 8 \cdot \mathrm{ind}_{3,17}(x) \equiv 10 \pmod{16}$
$\Rightarrow 8 \times \mathrm{ind}_{3,17}(x) \equiv 8 \pmod{16}$
$\Rightarrow \mathrm{ind}_{3,17}(x) \equiv 1 \pmod{\frac{16}{\gcd(8, 16)}}$
$\Rightarrow \mathrm{ind}_{3,17}(x) \equiv 1 \pmod 2$
This implies that $2 \mid [\mathrm{ind}_{3,17}(x) - 1]$.
We note that the congruence has $\gcd(k, \phi(n)) = \gcd(8, 16) = 8$ solutions. Thus, we have
$\mathrm{ind}_{3,17}(x) = 1, 3, 5, 7, 9, 11, 13, 15$, and these satisfy the above.
Now, using the table of indices, we have the following 8 solutions of the given congruence:
$\mathrm{ind}_{3,17}(x) = 1 \Rightarrow x = 3$
$\mathrm{ind}_{3,17}(x) = 3 \Rightarrow x = 10$
$\mathrm{ind}_{3,17}(x) = 5 \Rightarrow x = 5$
$\mathrm{ind}_{3,17}(x) = 7 \Rightarrow x = 11$
$\mathrm{ind}_{3,17}(x) = 9 \Rightarrow x = 14$
$\mathrm{ind}_{3,17}(x) = 11 \Rightarrow x = 7$
$\mathrm{ind}_{3,17}(x) = 13 \Rightarrow x = 12$
$\mathrm{ind}_{3,17}(x) = 15 \Rightarrow x = 6$
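The index method in general, as an added example that is not part of the answer key: it builds $\mathrm{ind}_{r,n}$ by listing powers of $r$ exactly as above, reduces $a x^k \equiv b \pmod n$ to the linear congruence $k \cdot \mathrm{ind}(x) \equiv \mathrm{ind}(b) - \mathrm{ind}(a) \pmod{n-1}$, and maps every solution back through the table. It goes beyond the single worked instance in that it handles any prime modulus and any primitive root; the function names are the example's own.

```python
# Added example (not from the answer key): solving a*x^k ≡ b (mod n) with a table of indices.
from math import gcd


def index_table(r: int, n: int) -> dict:
    """ind_{r,n}(a) for every a in Z_n^*, n prime. Raises if r is not a primitive root."""
    table, value = {}, 1
    for i in range(1, n):               # r^1, r^2, ..., r^(n-1); r^(n-1) = 1 so ind(1) = n-1
        value = (value * r) % n
        table.setdefault(value, i)      # keep the first exponent that produces each residue
    if len(table) != n - 1:             # a primitive root hits every non-zero residue once
        raise ValueError(f"{r} is not a primitive root modulo {n}")
    return table


def solve_linear_congruence(a: int, b: int, m: int) -> list:
    """All x in [0, m) with a*x ≡ b (mod m): gcd(a, m) solutions if it divides b, else none."""
    g = gcd(a, m)
    if b % g:
        return []
    m_, a_, b_ = m // g, a // g, b // g    # divide through by g, then invert a_ mod m_
    x0 = (b_ * pow(a_, -1, m_)) % m_
    return [x0 + t * m_ for t in range(g)]


def solve_power_congruence(a: int, k: int, b: int, r: int, n: int) -> list:
    """Solve a*x^k ≡ b (mod n), n prime, r a primitive root, via
    ind(a) + k*ind(x) ≡ ind(b) (mod n-1)."""
    ind = index_table(r, n)
    phi = n - 1
    rhs = (ind[b % n] - ind[a % n]) % phi
    exponents = solve_linear_congruence(k, rhs, phi)
    return sorted(pow(r, i, n) for i in exponents)   # back from indices to residues


def check_solutions(a: int, k: int, b: int, n: int, xs: list) -> bool:
    """Direct verification that every x in xs satisfies a*x^k ≡ b (mod n)."""
    return bool(xs) and all((a * pow(x, k, n) - b) % n == 0 for x in xs)


if __name__ == "__main__":
    xs = solve_power_congruence(9, 8, 8, 3, 17)
    print(xs, check_solutions(9, 8, 8, 17, xs))
```

For the congruence in the question, `solve_power_congruence(9, 8, 8, 3, 17)` returns the eight residues listed above. The `check_solutions` call is the step a careful solver always adds: it substitutes each candidate back into the original congruence rather than trusting the index arithmetic alone.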

[(3+1) + 6 = 10]

3. (a) State the Discrete Logarithm Problem (DLP) and the Integer Factorization Problem (IFP). What is your view on the statement "IFP is more secure than DLP"? If so, why?

Answer:
DLP: Given a multiplicative group $(G, \cdot)$, an element $g \in G$ having order $\phi(p) = p - 1$ ($g$ is a primitive root of $p$, $p$ being a prime) and $y = g^x \pmod p$, find the discrete logarithm $x$.
This problem is computationally infeasible (NP-hard) when the prime $p$ is large.

IFP: Given a composite integer $n = p \times q$, find the prime factors $p$ and $q$ of $n$.
This problem is computationally infeasible (NP-hard) when $n$ is large.

The DLP and IFP are NP-hard problems; both are difficult to solve.

(b) Show that a known-plaintext attack can deduce the key pair $(K_1, K_2)$ in 3DES with two keys with an expected running time of the order $2^{120 - \log_2(n)}$, where $n$ is the number of known plaintext-ciphertext pairs available to an attacker.
Answer:
A known-plaintext attack was outlined by van Oorschot in 1990. This method is an improvement over the chosen-plaintext attack, but requires more effort.
The attack is based on the observation that if we know $A$ and $C$, where $A = E_{K_1}(P)$ and $C = E_{K_1}(B)$ with $B = D_{K_2}(A)$, then the problem reduces to that of an attack on double DES (2DES). The encryption of 3DES with two keys $K_1$ and $K_2$ is as follows:
$P \to E_{K_1}(P) \to D_{K_2}(A) \to E_{K_1}(B) \to C$,
where $A = E_{K_1}(P)$ and $B = D_{K_2}(A) = D_{K_2}(E_{K_1}(P))$.

The attack proceeds as follows:

(i) Obtain $n$ $(P, C)$ pairs. Place these in a table (Table 2) sorted on the values of $P$.

Table 2: $n$ known plaintext-ciphertext pairs, sorted on $P$.

    P_i     C_i
    ...     ...

(ii) Pick an arbitrary value $a$ for $A$, and create a second table (Table 3). For each of the $2^{56}$ possible keys $K_1 = i$, calculate the plaintext value $P_i$ that produces $a$, as $P_i = D_i(a)$. For each match of $P_i$ in Table 2, create an entry in Table 3 consisting of the value $K_1 = i$ and the value of $B$ such that $B = D_i(C)$, where $C$ is the ciphertext paired with $P_i$. At the end of this step, sort Table 3 on the values of $B$.

(iii) For each of the $2^{56}$ possible keys $K_2 = j$, calculate $B_j$ such that $B_j = D_j(a)$. If there is a match for $B_j$ in Table 3, then the candidate key pair is $(K_1, K_2) = (i, j)$.

Table 3: Intermediate values and candidate keys.

    B_j     Key K_1 = i
    ...     ...

(iv) To confirm that the candidate key pair $(K_1, K_2) = (i, j)$ has been deduced correctly, the attacker tests each candidate key pair on a few other plaintext-ciphertext pairs, so that the probability that the candidate key pair is correct is very high. If a pair of keys produces the desired ciphertext, the attacker's task is complete.
If no pair succeeds, the attacker repeats from Step (i) with a new value of $a$.

The expected running time of the attack is on the order of
$(2^{56}) \cdot \frac{2^{64}}{n} = \frac{2^{120}}{n} = \frac{2^{120}}{2^{\log_2 n}} = 2^{120 - \log_2 n}$.

[4 + 6 = 10]

4. (a) Let $A \to B : M$ represent that the message $M$ is sent from A to B. Suppose A has sent the following message to B:
$A \to B : E_K[M \| E_{KR_a}(H(M \| S))]$, where $S$ is the secret value shared between A and B, $K$ the secret key shared between A and B, $E$ the encryption function, $H(\cdot)$ the hash function and $KR_a$ the private key of A. Show how the destination node B verifies the authentication of message $M$.
Answer:
The destination B does the following steps in order to verify the message authentication on the message $M$:
$\longrightarrow$ receives $E_K[M \| E_{KR_a}(H(M \| S))]$
$\longrightarrow$ computes $D_K(E_K[M \| E_{KR_a}(H(M \| S))]) = M \| E_{KR_a}(H(M \| S))$
$\longrightarrow$ computes $D_{KU_a}(E_{KR_a}(H(M \| S)))$ to retrieve $x = H(M \| S)$
Then B computes the hash value of the received message $M$ with the secret value $S$ as $y = H(M \| S)$.
Finally B verifies whether $x = y$ or not. Only if this check holds does B accept the message as correct; otherwise B rejects the message.
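The sender's construction and B's three-step check, as an added example that is not part of the answer key. The parameters are constructed for the example: textbook RSA on the two Mersenne primes $2^{31}-1$ and $2^{61}-1$ stands in for $E_{KR_a}$ / $D_{KU_a}$, a SHA-256 counter keystream stands in for $E_K$ / $D_K$ (XOR, so the same function serves both), and $H$ is SHA-256 truncated so that its value is below the RSA modulus. The function names are the example's own.

```python
# Added example (not from the answer key): B's verification of E_K[M || E_KRa(H(M||S))].
import hashlib

# Constructed toy RSA key for A: two Mersenne primes give a ~92-bit modulus (demo only).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                                   # KU_a = (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))           # KR_a = (D, N); gcd(E, phi) = 1 here


def H(data: bytes) -> int:
    """Hash as an integer: SHA-256 truncated to 88 bits, so it is below the modulus N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric E_K / D_K: XOR with a SHA-256 counter keystream (stand-in only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def sender(m: bytes, s: bytes, k: bytes) -> bytes:
    """A builds E_K[M || E_KRa(H(M||S))]; the RSA value is fixed at 12 bytes (N < 2^96)."""
    sig = pow(H(m + s), D, N)               # E_KRa(H(M||S)): "encrypt" with A's private key
    payload = m + sig.to_bytes(12, "big")   # M || E_KRa(H(M||S))
    return keystream_xor(k, payload)        # E_K[...]


def receiver(ct: bytes, s: bytes, k: bytes):
    """B's three steps; returns M if the check x == y holds, else None."""
    payload = keystream_xor(k, ct)          # step 1: D_K gives M || E_KRa(H(M||S))
    if len(payload) < 12:
        return None
    m, sig = payload[:-12], int.from_bytes(payload[-12:], "big")
    x = pow(sig, E, N)                      # step 2: D_KUa(...) recovers x = H(M||S)
    y = H(m + s)                            # step 3: recompute y = H(M||S) with shared S
    return m if x == y else None
```

The keystream cipher alone would let anyone flip bits of $M$ in transit (XOR is malleable); the inner authenticator is what catches such a change, because $x$ no longer matches the recomputed $y$. A wrong $S$ fails the same check, which is how the shared secret contributes to authentication.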

(b) Describe briefly the logical operation of SHA-1.
Answer: The logical operation of SHA-1 consists of the following five steps.

Step-1 [Append padding bits]:
The message is padded so that its length is congruent to 448 (mod 512), i.e., length $\equiv 448 \pmod{512}$. The number of padding bits is in the range 1 to 512 bits. The padding consists of a single 1-bit followed by the necessary number of 0-bits.

Step-2 [Append length]:
A block of 64 bits is appended to the message. It contains the length of the original message (before the padding).

Step-3 [Initialize the MD buffer]:
A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as five 32-bit registers ($5 \times 32 = 160$ bits), say, A, B, C, D, and E. These registers are initialized to the following 32-bit integers (in hexadecimal):
A = 67 45 23 01
B = EF CD AB 89
C = 98 BA DC FE (reverse of buffer B)
D = 10 32 54 76 (reverse of buffer A)
E = C3 D2 E1 F0

These values A, B, C, D, and E are stored in big-endian format, in which the most significant byte of a word is in the low-address byte position. As 32-bit strings, the initialization values (in hexadecimal) appear as follows:
A = 67 45 23 01
B = EF CD AB 89
C = 98 BA DC FE
D = 10 32 54 76
E = C3 D2 E1 F0

Step-4 [Process message in 512-bit blocks]:
It consists of four rounds. Each round uses a round primitive function $f_i$, $i = 1, 2, \ldots, 5$. In each round, the inputs are the current 512-bit block being processed ($Y_q$) and the 160-bit buffer value ABCDE, and the round updates the contents of the buffer.

Step-5 [Output]:
After all $L$ 512-bit blocks have been processed, the output from the $L$th stage is the 160-bit message digest.

We can summarize the behavior of SHA-1 in the following algorithm:

Algorithm: SHA-1 {
    /* Input: a message with a maximum length of less than $2^{64}$ bits; the input is processed in 512-bit blocks.
       Output: a 160-bit message digest. */
    1. $CV_0 = IV$;
    2. for $q = 0$ to $L - 1$ do
    3.     $CV_{q+1} = \mathrm{SUM}_{32}(CV_q, ABCDE_q)$;
    4. $MD = CV_L$.
}
where $IV$ = initial value of the ABCDE buffer, defined in Step-3,
$ABCDE_q$ = the output of the last round of processing of the $q$th message block,
$L$ = the number of blocks in the message (including padding and length fields),
$\mathrm{SUM}_{32}$ = addition modulo $2^{32}$ performed separately on each word of the pair of inputs,
$MD$ = final message digest.

[4 + 6 = 10]

5. (a) Prove that the Diffie-Hellman key exchange protocol is secure against only passive attacks, but is insecure against active attacks.
Answer: Here we show that there is a man-in-the-middle attack, an active attack, which makes the famous Diffie-Hellman key exchange protocol insecure, as follows:
Let $q$ be a sufficiently large prime, such that it is intractable to compute discrete logarithms in $Z_q^*$. Let $\alpha (< q)$ be a primitive root of $q$. $q$ and $\alpha$ are public elements and hence are also known to an attacker, say Eve.
The following table (Table 4) shows that Eve (the attacker) can simultaneously establish two keys: one key with Alice (User A) and another with Bob (User B). Both Alice and Bob are unaware of this situation; they assume that there is only one secret key $K_{A,B}$ established between A and B. Thus, when Alice (A) sends a secret message $M$ towards Bob (B), Eve (C) can eavesdrop on that ciphertext and use the key $K_{A,C}$ between A and C to decrypt the message; after that the original message is encrypted again using the key $K_{E,B}$ and the ciphertext is sent to B by C (Eve). Upon receiving the ciphertext, Bob (B) recovers the plaintext using the key $K_{E,B}$, which Bob (B) assumes is the key shared between A and B. Thus, both A and B are fooled by Eve (C). A similar situation happens when Bob (B) sends a secret message towards Alice (A).

(b) In RSA, we know that $\gcd(e, \phi(n)) = 1$. What about the chosen $e$ in RSA: must $e$ be even, must $e$ be odd, or can $e$ be any number? Justify your answer.
Answer: In RSA, we have $\gcd(e, \phi(n)) = 1$. Again, we have $n = p \times q$, where $p$ and $q$ are large primes. Thus, $p$ and $q$ must be odd integers, and $\phi(n) = (p - 1) \times (q - 1)$ is even, since both $(p - 1)$ and $(q - 1)$ are even numbers.
Thus, $\phi(n)$ being even, $e$ must be odd in order to satisfy $\gcd(e, \phi(n)) = 1$. Hence, in RSA, the chosen $e$ must always be an odd integer.

Table 4: Man-in-the-middle attack on the Diffie-Hellman Key Exchange Protocol. Each step is labelled with the party that performs it: A (Alice), C (Eve, the attacker) or B (Bob).

1. A: Chooses a private key $X_A (< q)$.
2. A: Computes the public value $Y_A = \alpha^{X_A} \pmod q$.
3. $A \longrightarrow B : Y_A$
4. C: Eve (C) eavesdrops on the message.
5. C: Chooses a private key $X_C (< q)$.
6. C: Computes the public value $Y_C = \alpha^{X_C} \pmod q$.
7. $C \longrightarrow B : Y_C$
8. $A \longleftarrow C : Y_C$
9. B: Assumes $Y_C$ has come from A, not from Eve (C).
10. B: Chooses a private key $X_B (< q)$.
11. B: Computes the public value $Y_B = \alpha^{X_B} \pmod q$; $A \longleftarrow B : Y_B$
12. A: Assumes $Y_C$ has come from B, not from Eve (C).
13. A: Computes the key shared between A and B as $K_{A,B} = Y_C^{X_A} \pmod q$. This is actually the key shared between A and C.
14. C: Traps the message $Y_B$ and never sends it to A.
15. C: Computes the key shared between A and C as $K_{A,C} = Y_A^{X_C} \pmod q$.
16. C: Computes the key shared between C and B as $K_{C,B} = Y_B^{X_C} \pmod q$.
17. B: Computes the key shared between A and B as $K_{A,B} = Y_C^{X_B} \pmod q$. This is actually the key shared between C and B.

(c) If $g$ is a primitive root of $m$ and $g_1 \equiv g \pmod m$, then prove that $g_1$ is also a primitive root of $m$.
Answer: Given that $g$ is a primitive root of $m$. By definition, $O(g) = \phi(m)$ modulo $m$. This means that $g^{\phi(m)} \equiv 1 \pmod m$, but $g^k \not\equiv 1 \pmod m$ for $1 \le k < \phi(m)$.
Again, given $g_1 \equiv g \pmod m$. To prove that $g_1$ is also a primitive root of $m$, it is required to show that $g_1^{\phi(m)} \equiv 1 \pmod m$, but $g_1^k \not\equiv 1 \pmod m$ for $1 \le k < \phi(m)$. Hence, it is sufficient to prove that $g_1^k \equiv g^k \pmod m$ for any integer $k$ satisfying $1 \le k \le \phi(m)$.
As $g_1 \equiv g \pmod m$, from the definition of congruence we have $g_1 = g + lm$ for some integer $l$.
Therefore, $g_1^k = (g + lm)^k$
$= \binom{k}{0} g^k (lm)^0 + \binom{k}{1} g^{k-1} (lm)^1 + \ldots + \binom{k}{k} g^0 (lm)^k$
$= g^k + l'm$,
where $l' = \binom{k}{1} g^{k-1} l + \binom{k}{2} g^{k-2} l^2 m + \ldots + l^k m^{k-1}$ is an integer.
$\Rightarrow g_1^k \equiv g^k \pmod m$. This proves that $g_1$ is also a primitive root of $m$.

[5 + 2 + 3 = 10]

6. (a) State Euler's Theorem.
If $a$ is prime to $p$, then prove that $a^{\phi(p^k)} \equiv 1 \pmod{p^k}$, for $k \ge 1$.
Answer:
Part-1:
Euler's Theorem: For every $a$ and $n$ that are relatively prime, i.e., $\gcd(a, n) = 1$, $a^{\phi(n)} \equiv 1 \pmod n$, where $\phi(n)$ is Euler's totient (phi) function, defined as follows: $\phi(n)$ is the number of all positive integers less than $n$ and relatively prime to $n$, that is, $\phi(n) = |\{a \mid 0 < a < n, \gcd(a, n) = 1\}|$.

Part-2:
To prove $a^{\phi(p^k)} \equiv 1 \pmod{p^k}$ for $k \ge 1$, we use the strong principle of mathematical induction as follows.
[Basis Step]
• If $k = 1$, then $a^{\phi(p^1)} \equiv a^{\phi(p)} \equiv a^{p-1} \equiv 1 \pmod p$, by Fermat's Theorem, since $p$ is prime and so $\gcd(a, p) = 1$.
Thus, the statement is true for $k = 1$.
• If $k = 2$, then $\phi(p^2) = p^2 (1 - \frac{1}{p}) = p^2 - p$.
Since $a^{p-1} \equiv 1 \pmod p$, $a^{p-1} = 1 + lp$ for some integer $l$.
$\Rightarrow (a^{p-1})^p = (1 + lp)^p$
$\Rightarrow a^{p^2 - p} = 1 + p \cdot (lp) + \frac{p(p-1)}{2!} (lp)^2 + \ldots + (lp)^p$
$\Rightarrow a^{p^2 - p} = 1 + l' p^2$, for some integer $l'$,
where $l' = l + \frac{p(p-1)}{2!} l^2 + \ldots + l^p p^{p-2}$.
This implies that $a^{\phi(p^2)} \equiv 1 \pmod{p^2}$.
Thus, the statement is also true for $k = 2$.

[Hypothesis Step]
Assume that the statement is true for $k = n$. So, $a^{\phi(p^n)} \equiv 1 \pmod{p^n}$. Hence, we have $a^{\phi(p^n)} = 1 + mp^n$ for some integer $m$, that is, $a^{p^n - p^{n-1}} = 1 + mp^n$.

[Induction Step]
$a^{p^n - p^{n-1}} = 1 + mp^n$
$\Rightarrow (a^{p^n - p^{n-1}})^p = (1 + mp^n)^p$
$\Rightarrow a^{p^{n+1} - p^n} = 1 + p \cdot (mp^n) + \frac{p(p-1)}{2!} (mp^n)^2 + \ldots + (mp^n)^p$
$\Rightarrow a^{p^{n+1} - p^n} = 1 + m' p^{n+1}$, for some integer $m'$,
where $m' = m + \frac{p(p-1)}{2!} m^2 p^{n-1} + \ldots + m^p p^{n(p-1)-1}$.
This implies that $a^{\phi(p^{n+1})} \equiv 1 \pmod{p^{n+1}}$.
Thus, the statement is also true for $k = n + 1$.

Hence, by the principle of mathematical induction, $a^{\phi(p^k)} \equiv 1 \pmod{p^k}$, for $k \ge 1$.

(b) State the RSA algorithm by clearly stating the key generation, encryption and decryption parts.
Answer:
RSA is a block cipher, where each plaintext block is a number between 0 and $n - 1$, that is, each plaintext block $M_i < n$.

Key Generation: The recipient of the message, B, executes the following steps:

1. Select two distinct large primes $p$ and $q$ (generation of primes may be done using the Miller-Rabin primality test algorithm).
2. Compute $n = p \times q$.
3. Compute $\phi(n) = (p - 1)(q - 1)$.
4. Select $e$ such that $\gcd(e, \phi(n)) = 1$, where $1 < e < \phi(n)$.
5. Compute $d$ such that $ed \equiv 1 \pmod{\phi(n)}$, that is, $d \equiv e^{-1} \pmod{\phi(n)}$. The computation of the modular inverse is to be done using the extended Euclidean GCD algorithm.

The public key of B is $KU_b = (n, e)$ and the private key of B is $KR_b = (d, n)$.

Encryption: The sender A encrypts a plaintext $M (< n)$ using the public key $KU_b$ of recipient B as follows:
$C = E_{KU_b}(M) = M^e \pmod n$.
Here the modular exponentiation is to be performed using the efficient square-and-multiply algorithm.

Decryption: The recipient B decrypts the received ciphertext $C$ in order to recover the original plaintext using its own private key $KR_b$ as follows:
$M = D_{KR_b}(C) = C^d \pmod n$.
Here the modular exponentiation is to be performed using the efficient square-and-multiply algorithm.

[Correctness Proof]
We have $C^d \pmod n$
$= (M^e \pmod n)^d \pmod n$
$= M^{ed} \pmod n$
$= M^1 \pmod n$, since $ed \equiv 1 \pmod{\phi(n)}$,
$= M$.

[(2+4) + 4 = 10]

7. (a) Suppose two parties would like to establish a symmetric key using the Diffie-Hellman key exchange protocol with a common prime $q = 11$ and a primitive root $\alpha = 2$.
(i) Show that 2 is a primitive root of 11.
(ii) If user A has the public key $Y_A = 9$, what is the private key of A, $X_A$?
(iii) If user B has the public key $Y_B = 3$, what is the secret shared key $K_{A,B}$?

Answer:
(i) Let $\alpha = 2$ and $q = 11$. Then $\gcd(\alpha, q) = 1$ and $\phi(q) = 11 - 1 = 10$. We see that
$2^1 \equiv 2$, $2^2 \equiv 4$, $2^3 \equiv 8 \pmod{11}$,
$2^4 \equiv 5$, $2^5 \equiv 10$, $2^6 \equiv 9 \pmod{11}$,
$2^7 \equiv 7$, $2^8 \equiv 3$, $2^9 \equiv 6 \pmod{11}$,
$2^{10} \equiv 1 \pmod{11}$.
Thus, we have $2^{\phi(q)} = 2^{10} \equiv 1 \pmod{11}$, but $2^k \not\equiv 1 \pmod{11}$ for $1 \le k < \phi(11) = 10$. Hence, 2 is a primitive root of 11.
(ii) We know $Y_A \equiv \alpha^{X_A} \bmod q$
$\Rightarrow 9 \equiv 2^{X_A} \bmod 11$
$\Rightarrow X_A = 6$ is the required private key of A.
(iii) We have B's public key $Y_B = 3$.
Again, $K_{A,B} = Y_B^{X_A} = Y_A^{X_B} \bmod q$. So, $K_{A,B} = Y_B^{X_A} \bmod q = 3^6 \bmod 11 = 3$ is the required shared secret key between A and B.
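The three computations of 7(a) and the key relationships of Table 4 in Question 5(a), as one added example that is not part of the answer key. With $q = 11$ the private keys can be read off by brute force (which is exactly why a real $q$ must be large); `mitm` reproduces the table's steps 13 and 15-17 and returns the keys each party ends up holding. The function names and the constructed value $X_C = 7$ are the example's own.

```python
# Added example (not from the answer key): Diffie-Hellman on q = 11, alpha = 2, and the
# key relationships of the man-in-the-middle table (Table 4) on the same parameters.

def powers_mod(alpha: int, q: int) -> list:
    """alpha^1, ..., alpha^(q-1) mod q, as listed in part (i)."""
    return [pow(alpha, k, q) for k in range(1, q)]


def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha generates Z_q^* iff its first q-1 powers are all distinct (order q-1)."""
    return len(set(powers_mod(alpha, q))) == q - 1


def discrete_log(y: int, alpha: int, q: int) -> int:
    """Brute-force X with alpha^X ≡ y (mod q); feasible only because q is tiny here."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    raise ValueError("y is not a power of alpha")


def shared_key(their_public: int, my_private: int, q: int) -> int:
    return pow(their_public, my_private, q)


def mitm(q: int, alpha: int, x_a: int, x_b: int, x_c: int) -> dict:
    """Table 4: Eve (C) hands Y_C to both sides. Returns what each party computes."""
    y_a, y_b, y_c = (pow(alpha, x, q) for x in (x_a, x_b, x_c))
    return {
        "alice_thinks_K_AB": shared_key(y_c, x_a, q),   # step 13: really K_{A,C}
        "bob_thinks_K_AB": shared_key(y_c, x_b, q),     # step 17: really K_{C,B}
        "eve_K_AC": shared_key(y_a, x_c, q),            # step 15
        "eve_K_CB": shared_key(y_b, x_c, q),            # step 16
        "honest_K_AB": shared_key(y_b, x_a, q),         # what A and B would share without Eve
    }


def solve_7a(q: int = 11, alpha: int = 2, y_a: int = 9, y_b: int = 3) -> dict:
    """Parts (i)-(iii) of the question on the given numbers."""
    x_a = discrete_log(y_a, alpha, q)
    return {"primitive": is_primitive_root(alpha, q), "X_A": x_a,
            "K_AB": shared_key(y_b, x_a, q)}
```

The MITM keys illustrate the page's point from 5(a): neither Alice nor Bob sees anything wrong locally, because each does compute a valid Diffie-Hellman key; it is just a key shared with Eve, not with each other. Only a check that binds $Y_A$ and $Y_B$ to their owners (which plain Diffie-Hellman lacks) would expose the substitution.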

(b) If $p$ is an odd prime and $a$ is prime to $p$, then using Fermat's theorem prove that $a^{\frac{1}{2}(p-1)} \equiv \pm 1 \pmod p$.
Answer:
Since $p$ is prime and $a$ is prime to $p$, i.e., $\gcd(a, p) = 1$, by Fermat's theorem we have $a^{p-1} \equiv 1 \pmod p$.
Since $p$ is odd, $p - 1$ is even and has at least one factor 2, that is, it is always divisible by 2. Thus, $\frac{p-1}{2}$ is an integer.
Therefore, $a^{p-1} \equiv 1 \pmod p$
$\Rightarrow a^{p-1} - 1 \equiv 0 \pmod p$
$\Rightarrow (a^{\frac{p-1}{2}})^2 - 1 \equiv 0 \pmod p$
$\Rightarrow (a^{\frac{p-1}{2}} + 1)(a^{\frac{p-1}{2}} - 1) \equiv 0 \pmod p$
$\Rightarrow p \mid [(a^{\frac{p-1}{2}} + 1)(a^{\frac{p-1}{2}} - 1) - 0]$
$\Rightarrow p \mid (a^{\frac{p-1}{2}} + 1)(a^{\frac{p-1}{2}} - 1)$
Since $p$ is prime, either $p \mid (a^{\frac{p-1}{2}} + 1)$ or $p \mid (a^{\frac{p-1}{2}} - 1)$. Now, if $p \mid (a^{\frac{p-1}{2}} + 1)$, then $a^{\frac{p-1}{2}} + 1 \equiv 0 \pmod p$
$\Rightarrow a^{\frac{p-1}{2}} \equiv -1 \pmod p$.
On the other hand, if $p \mid (a^{\frac{p-1}{2}} - 1)$, then $a^{\frac{p-1}{2}} - 1 \equiv 0 \pmod p$
$\Rightarrow a^{\frac{p-1}{2}} \equiv +1 \pmod p$.
Combining both together, we have $a^{\frac{p-1}{2}} \equiv \pm 1 \pmod p$.

[(2+2+2) + 4 = 10]

8. (a) Compare the performance and security of MD5 and SHA-1.
Answer:
Because both are derived from MD4 (Message Digest Version 4), SHA-1 and MD5 are quite similar. They have the following differences:

Security against brute-force attacks: The most obvious and most important difference is that the SHA-1 digest is 32 bits longer than that of MD5 (for SHA-1, MD is 160 bits, and for MD5, MD is 128 bits). Thus, using a brute-force technique, the difficulty of producing any message having a given message digest (MD) is on the order of $2^{128}$ operations for MD5 and $2^{160}$ operations for SHA-1.
Again, using a brute-force attack technique, the difficulty of producing two messages having the same message digest (MD) is on the order of $2^{128/2} = 2^{64}$ operations for MD5 and $2^{160/2} = 2^{80}$ operations for SHA-1, by the birthday paradox attack. Thus, SHA-1 is considerably stronger against brute-force attacks than MD5.

Performance: Because both algorithms rely heavily on addition modulo $2^{32}$, both do well on 32-bit architectures. SHA-1 involves more steps (80 versus 64 for MD5) and must process a 160-bit buffer compared to MD5's 128-bit buffer. Thus, SHA-1 should execute more slowly than MD5 on the same hardware.

(b) Describe the collision attack on a hash function.

Answer:
An attacker Eve needs to find two messages, $M$ and $M'$, such that $h(M) = h(M')$. Eve can create a list of $k$ messages and run the following algorithm.

• Algorithm: Collision Attack

    for (i = 1 to k) {
        create(M[i]);                    // generate the i-th candidate message
        D[i] <- h(M[i]);                 // D[i] holds the digest of the i-th created message
        for (j = 1 to i-1) {
            if (D[i] == D[j])
                return (M[i] and M[j]);  // two different messages with the same digest
        }
    }
    return failure;

(c) Let $h : \{0, 1\}^* \to \{0, 1\}^n$ be a hash function. Using the birthday paradox problem, find the minimum value of $k$, the number of input messages, such that the probability $P$ of having a collision in hash values satisfies $P \ge \frac{2}{3}$.
Answer:
According to this problem, in the modified version of the birthday paradox, we need to find the minimum size $k$ of the sample set such that, with probability $P \ge \frac{2}{3}$, at least two samples have the same value.
We use the following strategy.

1. We assign probabilities to samples one at a time. Assume that $P_i$ is the probability that sample $i$ has the same value as one of the previous samples, and $Q_i$ the probability that sample $i$ has a value different from all the previous samples.
(a) Because there is no sample before the first sample, $P_1 = 0$ and $Q_1 = 1 - P_1 = 1 - 0 = 1$.
(b) Because there is one sample before the second sample, and the first sample can have one of the $N$ values, $P_2 = \frac{1}{N}$ and $Q_2 = 1 - \frac{1}{N}$, since in general $P_k = 1 - Q_k$.
(c) Because there are two samples before the third sample, and each of the two samples can have one of the $N$ values, we have $P_3 = \frac{2}{N}$ and $Q_3 = 1 - \frac{2}{N}$.
(d) Continuing in this fashion, we finally have $P_k = \frac{k-1}{N}$ and $Q_k = 1 - \frac{k-1}{N}$.

2. Assuming that all samples are independent, the probability $Q$ that all samples have different values is
$Q = Q_1 \times Q_2 \times \ldots \times Q_k = 1 \times (1 - \frac{1}{N}) \times (1 - \frac{2}{N}) \times \ldots \times (1 - \frac{k-1}{N})$
$\Rightarrow Q = e^{-\frac{1}{N}} \times e^{-\frac{2}{N}} \times \ldots \times e^{-\frac{k-1}{N}}$, using the approximation $1 - x \approx e^{-x}$ with $x = \frac{i}{N}$,
$\Rightarrow Q = e^{-\frac{1 + 2 + \ldots + (k-1)}{N}}$
$\Rightarrow Q = e^{-\frac{k(k-1)}{2N}}$
$\Rightarrow Q = e^{-\frac{k^2}{2N}}$, using the approximation $k(k-1) \approx k^2$ for large $k$.
3. Finally, if $P$ is the probability that at least two samples have the same value, then we have
$P = 1 - Q = 1 - e^{-\frac{k^2}{2N}}$.
Now we have to find the minimum size of the sample with $P \ge \frac{2}{3}$. Then
$1 - e^{-\frac{k^2}{2N}} \ge \frac{2}{3}$
$\Rightarrow e^{-\frac{k^2}{2N}} \le \frac{1}{3}$
$\Rightarrow e^{\frac{k^2}{2N}} \ge 3$
$\Rightarrow k^2 \ge 2 \ln(3) N$
$\Rightarrow k \ge \sqrt{2 \ln(3) N}$
$\Rightarrow k \ge \sqrt{2 \ln(3)} \times \sqrt{N}$.

Since the hash function produces an $n$-bit message digest, $N = 2^n$. Hence, we have the minimum value of $k$ as $k = \sqrt{2 \ln(3)} \times 2^{n/2}$.
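The collision algorithm of 8(b) and the bound of 8(c) run together, as an added example that is not part of the answer key. The hash is SHA-256 truncated to $n$ bits (a constructed stand-in for $h$, so that collisions are cheap to find), the quadratic inner loop of the page's algorithm is replaced by a dictionary lookup, and the bound is checked empirically: with $k = \lceil \sqrt{2 \ln 3} \cdot 2^{n/2} \rceil$ samples the collision rate over many trials should come out close to $2/3$. Function names are the example's own.

```python
# Added example (not from the answer key): birthday-bound collision search on a
# truncated hash, and the k = sqrt(2 ln 3) * 2^(n/2) estimate checked empirically.
import hashlib
import math
import random


def min_samples_for_collision(n_bits: int, p_target: float = 2 / 3) -> int:
    """Smallest k with 1 - exp(-k^2 / 2N) >= p_target, N = 2^n (the formula derived above)."""
    N = 2 ** n_bits
    return math.ceil(math.sqrt(2 * math.log(1 / (1 - p_target)) * N))   # ln 3 for 2/3


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """h: {0,1}* -> {0,1}^n, here the top n bits of SHA-256 (toy, so collisions are cheap)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def find_collision(n_bits: int, k: int, rng: random.Random):
    """The answer key's algorithm: create k messages, stop at the first repeated digest.
    A dict replaces the O(k^2) inner loop; returns (M, M') or None."""
    seen = {}
    for _ in range(k):
        m = rng.getrandbits(64).to_bytes(8, "big")   # create(M[i]): a random 8-byte message
        d = truncated_hash(m, n_bits)
        if d in seen and seen[d] != m:               # same digest, different message
            return seen[d], m
        seen[d] = m
    return None


def collision_rate(n_bits: int, k: int, trials: int, rng: random.Random) -> float:
    """Fraction of independent k-sample runs that produce a collision."""
    hits = sum(find_collision(n_bits, k, rng) is not None for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    n = 16
    k = min_samples_for_collision(n)
    print(n, k, collision_rate(n, k, 300, random.Random(2024)))
```

For $n = 16$ the bound gives $k = 380$, and the empirical rate lands near $0.67$; for a real 160-bit digest the same formula gives roughly $2^{80.6}$ hashes, which is the "$2^{80}$ operations" figure quoted in 8(a).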

[2 + 2 + 5 = 10]

9. [Bonus Question] Suppose you want to implement the RSA algorithm using the following encoding procedure:
A = 01, B = 02, ..., Z = 26, , = 27, . = 28, ? = 20, 0 = 30, 1 = 31, ..., 9 = 39, ! = 40 (the blank space is encoded as 00).
Let the plaintext be: cryptography is an interesting subject.

(a) Encode the plaintext using the given encoding standard.

Answer: After encoding we have the following encoded plaintext:
$M$ = 0318251620150718011608250009190001140009142005180519200914070019210210050320, which contains 76 decimal digits.

(b) Assume that the public key supplied to you is $(e, n) = (7, 187)$. Note that $187 = 17 \times 11$. Determine the number of plaintext blocks.
Answer: In order to determine the total number of plaintext blocks, we have to choose a plaintext block $M_i$ such that its numerical value is less than $n = 187$.
Thus, from this careful analysis, we have to choose a block that contains only two digits, because if we choose three digits, say, 031 for the first block, then the next block is 825, which is not less than $n = 187$. Hence, the total number of plaintext blocks is $76/2 = 38$.

(c) Encrypt only the last plaintext block. Show that from the computed ciphertext you get the original plaintext.

Answer: Obviously the last plaintext block is $M_{38} = 20$. The ciphertext corresponding to this block is given by
$C_{38} = M_{38}^e \pmod n$
$= 20^7 \pmod{187}$
$= 20^1 \times 20^2 \times 20^4 \pmod{187}$, using the repeated square-and-multiply algorithm.

Now, $20^1 \equiv 20 \pmod{187}$
$20^2 \equiv 26 \pmod{187}$
$20^4 \pmod{187} \equiv (20^2 \pmod{187}) \times (20^2 \pmod{187})$
$\Rightarrow 20^4 \pmod{187} \equiv 26 \times 26 \pmod{187} \equiv 115 \pmod{187}$
Thus, we have $C_{38} = 20 \times 26 \times 115 \pmod{187} = 147$.

In order to decrypt the ciphertext, we have to find $d$ such that $d \equiv e^{-1} \pmod{\phi(n)}$. Here, $\phi(n) = (17 - 1) \times (11 - 1) = 160$, since $n = 187 = 17 \times 11$, and $p = 17$ and $q = 11$ are both primes. Since $\gcd(e, \phi(n)) = \gcd(7, 160) = 1$, $e^{-1} \pmod{\phi(n)}$ always exists. We use the extended Euclidean GCD algorithm to compute $d$ as follows:
$160 = 22 \times 7 + 6$
$7 = 1 \times 6 + 1$

So, $\gcd(7, 160) = 1$
$= 7 - 1 \times 6$
$= 7 - [160 - 22 \times 7]$
$= (-1) \times 160 + 23 \times 7$.
Hence, $d = e^{-1} \pmod{160} = 23$.

The recovered plaintext corresponding to the ciphertext block $C_{38}$ becomes
$C_{38}^d \pmod n = 147^{23} \pmod{187}$
$= 147^1 \times 147^2 \times 147^4 \times 147^{16} \pmod{187}$.

Now, $147^1 \equiv 147 \pmod{187}$
$147^2 \equiv 104 \pmod{187}$
$147^4 \equiv 147^2 \times 147^2 \equiv 104 \times 104 \equiv 157 \pmod{187}$
$147^8 \equiv 147^4 \times 147^4 \equiv 157 \times 157 \equiv 152 \pmod{187}$
$147^{16} \equiv 147^8 \times 147^8 \equiv 152 \times 152 \equiv 103 \pmod{187}$

Hence, $C_{38}^d \pmod n = 147^{23} \pmod{187}$
$= (147 \times 104) \times (157 \times 103) \pmod{187}$
$= 141 \times 89 \pmod{187}$
$= 20 \pmod{187}$, which is the correct recovered plaintext block $M_{38}$.
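The whole of Question 9 in code, as an added example that is not part of the answer key: the encoding table, the block-size rule (every block must be numerically below $n$, which for $n = 187$ forces two-digit blocks), encryption of all 38 blocks with $(7, 187)$, and decryption with $d = 23$ back to the original text. The function names are the example's own; the table covers the characters the question lists, and the encoded value is compared with the 76-digit $M$ given in part (a).

```python
# Added example (not from the answer key): RSA with the question's two-digit character
# encoding, e = 7, n = 187 (p = 17, q = 11), d = 23.

TABLE = {chr(ord("A") + i): f"{i + 1:02d}" for i in range(26)}   # A = 01 ... Z = 26
TABLE.update({" ": "00", ",": "27", ".": "28", "!": "40"})
TABLE.update({str(i): str(30 + i) for i in range(10)})           # 0 = 30 ... 9 = 39
INVERSE = {code: ch for ch, code in TABLE.items()}


def encode(text: str) -> str:
    """Plaintext -> decimal digit string, two digits per character."""
    return "".join(TABLE[ch] for ch in text.upper())


def decode(digits: str) -> str:
    return "".join(INVERSE[digits[i:i + 2]] for i in range(0, len(digits), 2)).lower()


def block_digits(n: int) -> int:
    """Largest block width (in digits) such that every block value 0..10^w-1 is below n.
    For n = 187 this is 2: a 3-digit block such as 825 would exceed n."""
    return len(str(n)) - 1


def to_blocks(digits: str, n: int) -> list:
    w = block_digits(n)
    return [int(digits[i:i + w]) for i in range(0, len(digits), w)]


def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod phi(n); pow(e, -1, m) is Python's built-in modular inverse."""
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_encrypt_blocks(digits: str, e: int, n: int) -> list:
    return [pow(m, e, n) for m in to_blocks(digits, n)]


def rsa_decrypt_blocks(cipher_blocks: list, d: int, n: int, total_digits: int) -> str:
    """Decrypt every block and restore the leading zeros the integers dropped."""
    w = block_digits(n)
    out = []
    for i, c in enumerate(cipher_blocks):
        width = w if i < len(cipher_blocks) - 1 else total_digits - i * w   # last block may be short
        out.append(f"{pow(c, d, n):0{width}d}")
    return "".join(out)


def round_trip(text: str, e: int = 7, p: int = 17, q: int = 11) -> str:
    n = p * q
    digits = encode(text)
    cipher = rsa_encrypt_blocks(digits, e, n)
    return decode(rsa_decrypt_blocks(cipher, private_exponent(e, p, q), n, len(digits)))
```

Restoring leading zeros in `rsa_decrypt_blocks` is the detail a hand calculation hides: the block for "c" is 03, and `pow` returns the integer 3, so without zero-padding the decoded digit string would shift and every later character would be misread.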

[2 + 3 + 5 = 10]

************************* End of question paper *******************
