INFO-I 538: Introduction to Cryptography Spring 2015 – Assignment 5 Assigned: Due date: Submit to: Total points: March 25, 2015 April 8, 2015 by 11:59 pm [email protected] 30 1. [5 points] Solve each of the following and show how you did it. You can (indeed, should) ask Wolfram Alpha (or any symbolic computation package) to compute modular exponentiations for you; however, you may not ask for the solution to any modular exponentiation in which the exponent is not an integer. (Note: 104 723, 7 919, and 7 907 are all primes.) (a) Compute both square roots of 123 modulo 104 723, or prove that no such square roots exist. (b) Compute both square roots of 1 234 modulo 104 723, or prove that no such square roots exist. (c) Compute a 17th root of 500 modulo 62 615 533 = 7 919 · 7 907. 2. [3 points] Consider the following key-exchange protocol: (i) Alice chooses a key k ∈ R {0, 1} n and pad r ∈ R {0, 1} n , and then she sends s B k ⊕ r to Bob. (ii) Bob chooses t ∈ R {0, 1} n , and then he sends u B s ⊕ t to Alice. (iii) Alice computes w B u ⊕ r, and then she sends w to Bob. (iv) Alice outputs k and Bob outputs k 0 B w ⊕ t. Show that Alice and Bob output the same key (i.e., show that k = k 0), and then analyze the security of the scheme (i.e., either prove that it is secure or exhibit a concrete attack against it). 3. [3 points] Let (Gen, Enc, Dec) be a public-key encryption scheme. Show that, given a public key pk and a ciphertext c computed as c ← Encpk (m), it is possible for an unbounded attacker to determine m with probability 1. This implies that perfectly-secret public-key encryption is impossible. 4. [2 points] Say a deterministic public-key encryption scheme is used to encrypt a message m that is known to lie in a small set of L possible values. Show how it is possible to determine m in time linear in L (assume that encryption of an element takes a single unit of time). This implies that secure deterministic public-key encryption is impossible, even against computationally limited attackers. 5. [3 points] The public exponent e in RSA can be chosen arbitrarily, subject to gcd(e, ϕ(n)) = 1. Popular choices of e include e = 3 and e = 216 + 1. Explain why such e are preferable to a random value of the same length. (Hint: Think about how modular exponentiations are evaluated in practice — even look up some modular multiplication algorithms.) 6. [4 points] The natural way of applying hybrid encryption to the El Gamal encryption scheme is as follows. The public key is pk = hG, q, g, hi as in the El Gamal scheme, and to encrypt a message m the sender chooses random k ← {0, 1} n and sends hg r , hr · k, Enc f (k ) (m)i, where r ∈ R Z∗q , where Enc is the encryption algorithm from some symmetric-key encryption scheme, and where f (k) is a function that maps group elements to bit-strings suitable for use as keys in the symmetric-key encryption scheme. Suggest an improvement that results in a shorter ciphertext containing only a single group element followed by a private key encryption of m. (You should provide a convincing explanation of why your approach is secure, but you need not provide a rigorous formal proof of its security.) 7. [7 points] A commitment scheme enables Alice to “commit” to a value x using a short string C that she can show to Bob. The commitment scheme is said to be unconditionally hiding if the commitment string does not reveal to Bob any information about the committed value x. At a later time, Alice may “open” the commitment (or “decommit”) and thereby convince Bob that the committed value is x. The commitment is computationally binding if no PPT committer Alice cannot convince Bob that the committed value is some x 0 , x. Here is an example of a commitment scheme: Public values: A cyclic group G of prime order q, and two random generators g, h ∈ R G. Commit: To commit to an integer x ∈ Zq , Alice chooses r ∈ R Zq and computes C B g x hr . Alice outputs the commitment C and retains (x, r) for the later opening of C. Decommit: To open C to x, Alice sends (x, r) to Bob. Bob verifies the opening by computing C 0 B g x hr and then checking that C = C 0. Provide formal (game-based) definitions for the unconditional hiding property and for the computational binding property, and then prove that, under your proposed definitions, the given commitment scheme is secure under the DL assumption. (Note: When defining security games, clarity is extremely important!) To prove that the scheme is unconditionally hiding, you should prove that Pr[x | C] = Pr[x 0 | C] for all x, x 0 ∈ Zq . To prove that it is computationally binding under the DL assumption, you should provide a reduction; i.e., show that if Alice can open C to (x, r) and (x 0, r 0 ) with x , x 0, then she can solve the DL problem in G. 8. [3 points] Explain how a man-in-the-middle attacker can leverage its position between Alice and Bob to break the security of the (unauthenticated) Diffie-Hellman key-exchange protocol. In particular, show how the attacker can end up sharing one key k A with Alice and a (different) key k B with Bob in such a way that Alice and Bob cannot detect that anything has gone wrong. What happens if Alice and Bob try to detect the presence of a man-in-the-middle attacker by sending each other (encrypted) questions that only the other party would know how to answer?
© Copyright 2024