
Uploaded by Amudha Datchanmourty


Assigned: November 27th, 2010
Due Date: 11:59PM, Dec 5th, 2010. Chicago Time. No Extensions!
Fall 2010, CS Department, IIT

1. The maximum score of this take-home final exam is 130 points.
2. You should finish this exam yourself: do NOT discuss with anyone, do NOT copy or get help from the solutions of other students. You can use any book, lecture notes, or Internet as guidance.
3. Please type your answer. We will NOT accept any solution that is not typed.
4. You MUST upload your solution to blackboard. If you want, in addition to uploading your solution to blackboard, you can send the instructor (email: xli@cs.iit.edu) the electronic file in PDF format. When you send solution also by email, please use subject "Take-home final exam of CS549" and also use proper name to name your file.
5. Do not forget to put your name on the file of your solution and name your PDF file as "lastname-finalCS549-Fall2010.pdf", where lastname is your last name.
6. We do not accept MS WORD file for electronic submission.

The following are the four questions for your take-home final exam of CS549.

1. (10 points) Consider the RSA Full Domain Hash signing method. Let $(N, d)$ be an RSA public key used by Alice and let $H$ be a hash function that outputs elements in $Z_N^*$. Here $N$ is the product of two large prime numbers $p$ and $q$. Suppose an attacker can find 7 messages $M_1, M_2, \cdots, M_7$ such that

$$\prod_{i=1}^{7} H(M_i) \equiv 1 \bmod N.$$

Assume that the attacker can get the signatures for 6 of the above 7 messages (but not all 7 messages). Show how the attacker can get the signature of the other message.

2. (40 points) This question is about RSA encryption system. Given an integer modulus $n = p \cdot q$, and an encryption key $e$ with $\gcd(e, \phi(n)) = 1$, we know that the number $d$, with $e \cdot d = 1 \bmod \phi(n)$, can serve as the decryption key for RSA system. In other words, given any message $m$ and ciphertext $c = m^e \bmod n$, the computation $c^d \bmod n$ will give you the original message $m$.

Assume that Alice randomly selected two prime numbers $p = 73$ and $q = 101$. Alice randomly selected a random number $e_1 = 119$ as her public key (for encryption). Assume that Bob also selected $p = 73$ and $q = 101$ for his RSA system and Bob selected a random number $e_2 = 253$ as his public key. Alice published her public key $e_1 = 119$ and $n = 7373$. Bob published his public key $e_2 = 253$ and $n = 7373$. Charlie wants to send a message $m = 2008$ to both Alice and Bob using their public key for encryption.

Answer the following questions. For all computations, you need to show the details (step by step) of your calculation. You cannot just list the number directly computed by using some code as your answer.

(a) (5 points) What is the ciphertext $C_1$ Charlie sent to Alice?

(b) (5 points) What is the ciphertext $C_2$ Charlie sent to Bob?

(c) (5 points) What is the decryption key $d_1$ used by Alice based on RSA system?

(d) (5 points) Show the process by which Alice decrypts the ciphertext using only the procedure $C_1^{d_1} \bmod n$.

(e) (10 points) Assume that Bob uses the Chinese Remainder Theorem approach (see our lectures) instead for decryption. Show all the computations done by Bob to decrypt the ciphertext $C_2$.

(f) (10 points) Assume that an attacker Oscar intercepted both the ciphertext $C_1$ and the ciphertext $C_2$. Oscar only knows $n$, $e_1$, $e_2$, $c_1$, and $c_2$. Is it possible that Oscar can recover the original message $m$ (assuming that Oscar cannot do factoring of $n$ now)? If possible, show the computing procedure Oscar can use to find $m$.

3. (30 points) This question is about RSA encryption. Assume that Alice chooses an integer $n$ that is the product of two large prime numbers $p$ and $q$. Alice will publish a public key $e$, together with $n$. Alice will keep the secret key $d$ where $d \cdot e = 1 \bmod \phi(n)$.[1]

Suppose Bob wishes to send a message $M$ to Alice. He turns $M$ into a number $m$ with $0 < m < n$, i.e., $m = f(M)$ for some function $f$, using some previously agreed-upon reversible protocol $f$ known as a padding scheme such as Optimal Asymmetric Encryption Padding (OAEP). Bob now has $m$, and knows $n$ and $e$, which Alice has announced. He then computes the ciphertext $c$ corresponding to $m$ as:

$$c = m^e \bmod n$$

This can be done quickly using the method of exponentiation by squaring. Bob then transmits $c$ to Alice.

[1] Originally we said that $d \cdot e = 1 \bmod n$, which is a typo.

(a) (5 points) Why do we need to use padding for encryption in practice? In other words, in practical implementations, why can we not just encrypt the original number represented by the message $M$?

(b) (5 points) A cryptosystem is considered to be semantically secure (in other words, indistinguishability) if no adversary $A$, given an encryption $C$ of a message randomly chosen from two messages $\{M_1, M_2\}$ determined by the adversary, can identify the message choice with probability significantly better than that of random guessing (1/2). In other words, adversary $A$ can know whether $C$ is the encryption of message $M_1$ or message $M_2$. Show why the textbook RSA encryption (we learned in class where the encryption of a message $M$ is simply $c = M^e \bmod n$) is not semantically secure.

(c) (10 points) For convenience, assume our RSA exponent $e$ is 3 and that $\gcd(e, \phi(n)) = 1$. A proposal to make RSA semantically secure is as follows: Let $|x|$ denote the number of bits representing a number $x$. If $k = |n|$ and 4 divides $k$, define the length of a valid message $M$ to be $|M| < 3k/4$. For each encryption operation, choose $k/4$ random bits $r$, append them to $M$ such that $m = M \cdot 2^{k/4} + r$, and encrypt the value $m$. Note that $|m| < |n|$, so $m \in Z_n$. When we decrypt a ciphertext, we will simply discard the $k/4$ least significant bits of the decrypted plaintext. Is this scheme semantically secure? Prove or disprove it either way.

(d) (10 points) Suppose we have a standard RSA public-key/private-key pair. Consider an RSA-variant where we will first select a random $r \in Z_n$. To encrypt a message $M$, we first convert it to an integer $m \in Z_n$, where $m$ is just the value of $M$. We will compute a ciphertext of the form $c = (m \oplus r, r^e \bmod n) = (s, t)$, where $\oplus$ is the binary XOR operator. To decrypt $c$, one can simply decrypt $t$ using RSA and XOR the result with $s$. Is this scheme semantically secure? Prove or disprove it either way.

4. (30 points) A bit-commitment scheme will allow a user (say Alice) to commit a bit (or a number) to another user (say Bob) without telling Bob about it. Later on, Bob can ask Alice to reveal the commitment and Alice cannot change the information without being caught. Let $b$ be the bit to be committed by Alice to Bob, and $x$ be some additional information chosen by Alice. Let function $f$ be a public function (known to everyone including Alice and Bob) that will compute the commitment by Alice. The commitment $f(x, b)$ is often called blob. A bit-commitment protocol is often needed to have the following properties:

- Concealing: Bob cannot find the value of $b$ by only knowing the commitment $f(x, b)$ sent by Alice. It is called perfectly concealing, if it is theoretically impossible for Bob to find out $b$ without Alice revealing $x$ to Bob.
- Binding: sender Alice can open the blob by revealing $x$ (and $b$) to Bob. It is a perfect binding if Alice cannot alter her commitment after she has made it. In other words, it will be theoretically impossible for Alice to find another $x'$ such that $f(x, b) = f(x', \bar{b})$. Here $\bar{b}$ is the complement of bit $b$, i.e., $\bar{b} = 1$ if $b = 0$ and $\bar{b} = 0$ if $b = 1$.

A simple perfect binding protocol works as follows. Assume that Alice and Bob agree upon a common large prime number $p$ and a primitive root $g \bmod p$. Assume that Alice has a number $1 < a < p - 1$ that she wants to commit to Bob. Alice computes $C = g^a \bmod p$ and sends it to Bob.

(a) (5 points) Prove that the above scheme is a perfectly binding scheme.

(b) (10 points) Show that Bob can recover some information about $a$. You only need to prove that (by giving a polynomial-time method and showing its correctness) Bob can know the last bit of $a$.

(c) (8 points) Show that Bob can find the value of $a$ in polynomial time of $\log p$ if he knows that the value $a$ satisfies $A + c_1 \log p \le a \le A + c_2 \log p$ for some fixed constant integers $A$, $c_1$, and $c_2$. Here constants are independent of number $p$. Please give a detailed polynomial-time method which Bob can use to find integer $a$. Also you need to analyze the time-complexity of your method.

(d) (7 points) Show that the following protocol is still perfectly binding. Alice randomly selects a positive integer $r < p - 1$ such that $\gcd(r, p - 1) = 1$. Alice computes $b = a \cdot r \bmod (p - 1)$. Alice sends Bob two integers $C_1 = g^r \bmod p$ and $C_2 = g^b \bmod p$. To reveal the commitment, Alice needs to reveal $r$ and $a$ to Bob.

5. (20 points) This question is about the zero-knowledge proof systems. Assume that Alice wants to prove to Bob that she knows a solution $x$ of equation $y = g^x \bmod p$, where $p$ is a large prime integer and $g$ is the primitive root mod $p$. Here both Alice and Bob know the integers $y$, $g$ and $p$. Assume that Alice and Bob use the following protocol.

(a) Alice randomly selects a number $0 < j < n$, and computes $r = g^j \bmod p$. Alice sends the integer $r$ to Bob.

(b) Bob randomly selects a bit $i \in \{0, 1\}$, and sends $i$ to Alice.

(c) Alice computes $h = i \cdot x + j \bmod (p - 1)$ and sends Bob $h$.

(d) Bob checks if $g^h = y^i \cdot r \bmod p$, and accepts Alice's proof if the equation holds. Otherwise, Bob rejects the proof.

Assume that Alice and Bob repeat the above protocol for $k$ rounds. Bob accepts Alice's proof if he accepts the proof for all these $k$ rounds, and rejects the proof if he rejects in any round. Prove the following (assume that Bob follows the protocol).

(a) (4 points) Completeness: Bob will accept the proof if Alice indeed knows $x$ (assume that Alice follows the protocol also).

(b) (4 points) Soundness: Bob will reject the proof with probability sufficiently close to $1 - \frac{1}{2^k}$ if Alice does not know the number $x$ even if Alice does not follow the protocol (trying to cheat).

(c) (4 points) Zero-knowledge: Prove that Bob gets nothing about the integer $x$ after Alice and Bob conduct the above protocol and Alice does not use $j$ twice.

(d) (4 points) Show a method for Bob that he can get the number $x$ if Alice uses the integer $j$ twice.

(e) (4 points) Show that Alice can cheat if Bob fixes his challenge $i$ (to either 1 or 0).
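The RSA setting of question 2, worked in code as an added example (not part of the exam and not a substitute for the step-by-step derivation it asks for). It uses the exam's numbers and shows why two users must never share a modulus: the message comes back from public values alone. The function names are chosen here for illustration.

```python
# Parameters taken from question 2 of the exam.
P, Q = 73, 101
N, PHI = P * Q, (P - 1) * (Q - 1)     # 7373 and 7200
E1, E2 = 119, 253                     # Alice's and Bob's public exponents
M = 2008                              # Charlie's message


def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def private_exponent(e, phi=PHI):
    """Return d with e*d == 1 (mod phi); requires gcd(e, phi) == 1."""
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return s % phi


def crt_decrypt(c, d, p=P, q=Q):
    """Decrypt modulo p and q separately, then recombine (Garner's formula)."""
    mp = pow(c % p, d % (p - 1), p)           # m mod p
    mq = pow(c % q, d % (q - 1), q)           # m mod q
    h = (pow(q, -1, p) * (mp - mq)) % p       # correction term
    return mq + h * q


def common_modulus_recover(c1, c2, e1, e2, n):
    """Recover m from two ciphertexts under the same n and coprime exponents:
    with s*e1 + t*e2 == 1, m == c1^s * c2^t (mod n). No private key is used."""
    g, s, t = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents share a factor; method does not apply")
    # A negative exponent makes pow() invert the base mod n (Python 3.8+).
    return (pow(c1, s, n) * pow(c2, t, n)) % n


C1, C2 = pow(M, E1, N), pow(M, E2, N)         # what Charlie sends
D1, D2 = private_exponent(E1), private_exponent(E2)
```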
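The identification protocol of question 5, as an added example that is not part of the exam: it runs the four steps with both parties' messages and shows the two failure modes the question names, reuse of j and a predictable challenge. The parameters p = 467, g = 2 and x = 127 are constructed toy values, and j is drawn from 0 < j < p - 1 as an assumption (the exam text writes 0 < j < n).

```python
import secrets

# Constructed toy parameters (not from the exam): 467 is prime and 2 is a
# primitive root mod 467. X is Alice's secret, Y the public value g^x mod p.
P, G = 467, 2
X = 127
Y = pow(G, X, P)


def commit(j):
    """Step (a): Alice's commitment r = g^j mod p."""
    return pow(G, j, P)


def respond(i, j, x=X):
    """Step (c): Alice's response h = i*x + j mod (p - 1)."""
    return (i * x + j) % (P - 1)


def verify(r, i, h):
    """Step (d): Bob accepts iff g^h == y^i * r (mod p)."""
    return pow(G, h, P) == (pow(Y, i, P) * r) % P


def honest_run(k):
    """k honest rounds with a fresh j each round; True if Bob accepts all."""
    for _ in range(k):
        j = secrets.randbelow(P - 2) + 1      # assumption: 0 < j < p - 1
        i = secrets.randbelow(2)              # step (b): Bob's random bit
        if not verify(commit(j), i, respond(i, j)):
            return False
    return True


def extract_from_reuse(h0, h1):
    """If one j answers both i = 0 and i = 1, h1 - h0 == x (mod p - 1)."""
    return (h1 - h0) % (P - 1)


def transcript_for_known_challenge(i):
    """Built without x: choose h first, then set r = g^h * y^(-i) mod p.
    It verifies only for the challenge i that was known in advance."""
    h = secrets.randbelow(P - 1)
    r = (pow(G, h, P) * pow(Y, -i, P)) % P
    return r, h
```

The last function is also the simulator behind the zero-knowledge argument: accepting transcripts can be produced without x, but only when the challenge is known before the commitment is sent.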
