
Take-Home Final Exam of CS549: Cryptography and Network Security

Assigned: November 27th, 2010
Due Date: 11:59PM, Dec 5th, 2010, Chicago Time. No Extensions!
Fall 2010, CS Department, IIT

1. The maximum score of this take-home final exam is 130 points.
2. You should finish this exam yourself: do NOT discuss with anyone, do NOT copy or get help from the solutions of other students. You can use any book, lecture notes, or Internet as guidance.
3. Please type your answer. We will NOT accept any solution that is not typed.
4. You MUST upload your solution to blackboard. If you want, in addition to uploading your solution to blackboard, you can send the instructor (email: xli@cs.iit.edu) the electronic file in PDF format. When you send the solution also by email, please use the subject “Take-home final exam of CS549” and also use a proper name for your file.
5. Do not forget to put your name on the file of your solution and name your PDF file as “lastname-finalCS549-Fall2010.pdf”, where lastname is your last name.
6. We do not accept MS WORD files for electronic submission.

The following are the four questions for your take-home final exam of CS549.

1. (10 points) Consider the RSA Full Domain Hash signing method. Let (N, d) be an RSA public key used by Alice and let H be a hash function that outputs elements in $Z_N^*$. Here N is the product of two large prime numbers p and q. Suppose an attacker can find 7 messages $M_1, M_2, \cdots, M_7$ such that

$$\prod_{i=1}^{7} H(M_i) \equiv 1 \pmod{N}.$$

Assume that the attacker can get the signatures for 6 of the above 7 messages (but not all 7 messages). Show how the attacker can get the signature of the other message.

2. (40 points) This question is about the RSA encryption system. Given an integer modulus n = p · q, and an encryption key e with gcd(e, φ(n)) = 1, we know that the number d, with e · d = 1 mod φ(n), can serve as the decryption key for the RSA system. In other words, given any message m and ciphertext $c = m^e \bmod n$, the computation $c^d \bmod n$ will give you the original message m.

Assume that Alice randomly selected two prime numbers p = 73 and q = 101. Alice randomly selected a random number $e_1 = 119$ as her public key (for encryption). Assume that Bob also selected p = 73 and q = 101 for his RSA system and Bob selected a random number $e_2 = 253$ as his public key. Alice published her public key $e_1 = 119$ and n = 7373. Bob published his public key $e_2 = 253$ and n = 7373. Charlie wants to send a message m = 2008 to both Alice and Bob using their public keys for encryption.

Answer the following questions. For all computations, you need to show the details (step by step) of your calculation. You cannot just list the number directly computed by using some code as your answer.

(a) (5 points) What is the ciphertext $C_1$ Charlie sent to Alice?
(b) (5 points) What is the ciphertext $C_2$ Charlie sent to Bob?
(c) (5 points) What is the decryption key $d_1$ used by Alice based on the RSA system?
(d) (5 points) Show the process by which Alice decrypts the ciphertext using only the procedure $C_1^{d_1} \bmod n$.
(e) (10 points) Assume that Bob uses the Chinese Remainder Theorem approach (see our lectures) instead for decryption. Show all the computations done by Bob to decrypt the ciphertext $C_2$.
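The RSA setup of Question 2 in code, as an added example that is not part of the original exam: it derives the private exponent with extended Euclid, encrypts with square-and-multiply, and checks that CRT decryption agrees with the direct $c^d \bmod n$ computation. The function names are chosen here for illustration; the parameters are the ones stated in the question.

```python
# Added example: toy RSA with the parameters given in Question 2.
P, Q = 73, 101
N = P * Q                      # 7373, the modulus both users publish
PHI = (P - 1) * (Q - 1)        # phi(n) = 72 * 100

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def private_exponent(e, phi=PHI):
    """d with e*d = 1 mod phi(n); fails if e is not invertible."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return x % phi

def modexp(base, exp, mod):
    """Square-and-multiply, scanning exp from its least significant bit."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def decrypt_crt(c, d, p=P, q=Q):
    """CRT decryption: two half-size exponentiations, then recombine."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp, mq = modexp(c, dp, p), modexp(c, dq, q)
    q_inv = egcd(q, p)[1] % p          # q^{-1} mod p
    h = q_inv * (mp - mq) % p          # Garner's recombination step
    return mq + h * q

def roundtrip(e, m=2008):
    """Return (ciphertext, d, direct decryption, CRT decryption)."""
    d = private_exponent(e)
    c = modexp(m, e, N)
    return c, d, modexp(c, d, N), decrypt_crt(c, d)
```
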

(f) (10 points) Assume that an attacker Oscar intercepted both the ciphertext $C_1$ and the ciphertext $C_2$. In other words, Oscar only knows n, $e_1$, $e_2$, $c_1$, and $c_2$. Is it possible that Oscar can recover the original message m (assuming that Oscar cannot do factoring of n now)? If possible, show the computing procedure Oscar can use to find m.

3. (30 points) A bit-commitment scheme will allow a user (say Alice) to commit a bit (or a number) to another user (say Bob) without telling Bob about it. Later on, Bob can ask Alice to reveal the commitment and Alice cannot change the information without being caught. Let b be the bit to be committed by Alice to Bob, and x be some additional information chosen by Alice. Let function f be a public function (known to everyone including Alice and Bob) that will compute the commitment by Alice. The commitment f(x, b) is often called a blob. A bit-commitment protocol is often needed to have the following properties:

• Concealing: Bob cannot find the value of b by only knowing the commitment f(x, b) sent by Alice. It is called perfectly concealing if it is theoretically impossible for Bob to find out b without Alice revealing x to Bob.
• Binding: sender Alice can open the blob by revealing x (and b) to Bob. It is a perfect binding if Alice cannot alter her commitment after she has made it, i.e., it will be theoretically impossible for Alice to find another $x'$ such that $f(x, b) = f(x', \bar{b})$. Here $\bar{b}$ is the complement of bit b, i.e., $\bar{b} = 1$ if b = 0 and $\bar{b} = 0$ if b = 1.

A simple perfect binding protocol works as follows. Assume that Alice and Bob agree upon a common large prime number p and a primitive root g mod p. Assume that Alice has a number 1 < a < p − 1 that she wants to commit to Bob. Alice computes $C = g^a \bmod p$ and sends it to Bob.

(a) (5 points) Prove that the above scheme is a perfectly binding scheme.
(b) (10 points) Show that Bob can recover some information about a. You only need to prove that (by giving a polynomial-time method and showing its correctness) Bob can know the last bit of a.
(c) (8 points) Show that Bob can find the value of a in polynomial time of log p if he knows that the value a satisfies $A + c_1 \log p \le a \le A + c_2 \log p$ for some fixed constant integers A, $c_1$, and $c_2$. Here the constants are independent of the number p. Please give a detailed polynomial-time method which Bob can use to find integer a. Also you need to analyze the time-complexity of your method.
(d) (7 points) Show that the following protocol is still perfectly binding.
   i. Alice randomly selects a positive integer r < p − 1 such that gcd(r, p − 1) = 1.
   ii. Alice computes b = a · r mod (p − 1). Alice sends Bob two integers $C_1 = g^r \bmod p$ and $C_2 = g^b \bmod p$.
   To reveal the commitment, Alice needs to reveal r and a to Bob.

4. (30 points) This question is about RSA encryption. Assume that Alice chooses an integer n that is the product of two large prime numbers p and q. Alice will publish a public key e, together with n. Alice will keep the secret key d where d · e = 1 mod φ(n).[1] Suppose Bob wishes to send a message M to Alice. He turns M into a number m with 0 < m < n, using some previously agreed-upon reversible protocol f known as a padding scheme such as Optimal Asymmetric Encryption Padding (OAEP), i.e., m = f(M) for some function f. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m as:

$$c = m^e \bmod n$$

This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

[1] Originally we said that d · e = 1 mod n, which is a typo.

(a) (5 points) Why do we need to use padding for encryption in practice? In other words, in practical implementations, why can we not just encrypt the original number represented by the message M?
(b) (5 points) A cryptosystem is considered to be semantically secure (in other words, indistinguishability) if no adversary A, given an encryption C of a message randomly chosen from two messages $\{M_1, M_2\}$ determined by the adversary, can identify the message choice with probability significantly better than that of random guessing (1/2). In other words, adversary A can know whether C is the encryption of message $M_1$ or message $M_2$. Show why the textbook RSA encryption (we learned in class where the encryption of a message M is simply $c = M^e \bmod n$) is not semantically secure.
(c) (10 points) For convenience, assume our RSA exponent e is 3 and that gcd(e, φ(n)) = 1. A proposal to make RSA semantically secure is as follows: Let |x| denote the number of bits representing a number x. If k = |n| and 4 divides k, define the length of a valid message M to be |M| < 3k/4. For each encryption operation, choose k/4 random bits r, append them to M such that $m = M \cdot 2^{k/4} + r$, and encrypt the value m. Note that |m| < |n|, so $m \in Z_n$. When we decrypt a ciphertext, we will simply discard the k/4 least significant bits of the decrypted plaintext. Is this scheme semantically secure? Prove or disprove it either way.
(d) (10 points) Suppose we have a standard RSA public-key/private-key pair. Consider an RSA-variant where we will first select a random $r \in Z_n$. To encrypt a message M, we first convert it to an integer $m \in Z_n$, where m is just the value of M. We will compute a ciphertext of the form $c = (m \oplus r,\; r^e \bmod n) = (s, t)$, where ⊕ is the binary XOR operator. To decrypt c, one can simply decrypt t using RSA and XOR the result with s. Is this scheme semantically secure? Prove or disprove it either way.

5. (20 points) This question is about the zero-knowledge proof systems. Assume that Alice wants to prove to Bob that she knows a solution x of the equation $y = g^x \bmod p$, where p is a large prime integer and g is the primitive root mod p. Here both Alice and Bob know the integers y, g and p. Assume that Alice and Bob use the following protocol.

(a) Alice randomly selects a number 0 < j < n, and computes $r = g^j \bmod p$. Alice sends the integer r to Bob.
(b) Bob randomly selects a bit i ∈ {0, 1}, and sends i to Alice.
(c) Alice computes h = i · x + j mod (p − 1) and sends Bob h.
(d) Bob checks if $g^h = y^i \cdot r \bmod p$, and accepts Alice’s proof if the equation holds. Otherwise, Bob rejects the proof.

Assume that Alice and Bob repeat the above protocol for k rounds. Bob accepts Alice’s proof if he accepts the proof for all these k rounds, and rejects the proof if he rejects in any round. Prove the following (assume that Bob follows the protocol).

(a) (4 points) Completeness: Bob will accept the proof if Alice indeed knows x (assume that Alice follows the protocol also).
(b) (4 points) Soundness: Bob will reject the proof with probability sufficiently close to $1 - \frac{1}{2^k}$ if Alice does not know the number x even if Alice does not follow the protocol (trying to cheat).
(c) (4 points) Zero-knowledge: Prove that Bob gets nothing about the integer x after Alice and Bob conduct the above protocol and Alice does not use j twice.
(d) (4 points) Show a method for Bob that he can get the number x if Alice uses the integer j twice.
(e) (4 points) Show that Alice can cheat if Bob fixes his challenge i (to either 1 or 0).
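The identification protocol of Question 5 with both sides' messages, as an added example that is not part of the original exam: it runs honest rounds, then shows the two failure modes the question names (a reused j and a predictable challenge). The prime, base and secret are small constructed values, j is drawn from 1..p−2 as an assumption, and all function names are chosen here for illustration.

```python
import secrets

# Constructed toy parameters; a real deployment needs a large prime p.
P_ZK, G = 2579, 2
X = 765                       # Alice's secret x (constructed)
Y = pow(G, X, P_ZK)           # public value y = g^x mod p

def commit(j=None):
    """Step (a): Alice picks j and sends r = g^j mod p."""
    if j is None:
        j = 1 + secrets.randbelow(P_ZK - 2)
    return j, pow(G, j, P_ZK)

def respond(i, j, x=X):
    """Step (c): Alice answers challenge i with h = i*x + j mod (p-1)."""
    return (i * x + j) % (P_ZK - 1)

def verify(r, i, h, y=Y):
    """Step (d): Bob accepts iff g^h == y^i * r mod p."""
    return pow(G, h, P_ZK) == pow(y, i, P_ZK) * r % P_ZK

def run_rounds(k):
    """Honest prover, k rounds; Bob accepts only if every round verifies."""
    for _ in range(k):
        j, r = commit()
        i = secrets.randbelow(2)          # step (b): Bob's random bit
        if not verify(r, i, respond(i, j)):
            return False
    return True

def recover_from_reuse(h0, h1):
    """Same j answered for i=0 and i=1: h1 - h0 = x mod (p-1)."""
    return (h1 - h0) % (P_ZK - 1)

def transcript_for_known_challenge(i):
    """Without x but knowing i in advance: pick h, set r = g^h * y^(-i)."""
    h = secrets.randbelow(P_ZK - 1)
    y_inv_i = pow(pow(Y, i, P_ZK), -1, P_ZK)
    return pow(G, h, P_ZK) * y_inv_i % P_ZK, h
```

A transcript built for a known challenge verifies only for that challenge, which is why each round halves a cheating prover's chance when Bob's bit is unpredictable.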