Sample solutions to 2009 exam as provided by Dr. Purser
Decrypted by Killian Rogan
May 11, 2011
1
Outline the ideas incorporated into Differential Crypt-Analysis (DCA) and Linear Crypt-Analysis (LCA).
What does the analyst/attacker hope to find? Are these chosen or known, plaintext or cyphertext
techniques?
Discuss taking the reversibility of encryption algorithms into account.
As applied to DES, both techniques rely on the non-linearity of the S-boxes. What is meant by this?
How is it relevant? Why may other operations in the algorithm be regarded as linear?
Why do DCA and LCA require a large number of tests? Why and how is this related to the number
of rounds?
Answer
of $p$ and $c$ you enable $k$ to be queued. (E.g. if the probability of the equation is $< 1/2$ and $p = 1$ and $c = 1$ then
we conclude $k = 1$ to make the equation untrue.)
The equation is established by establishing relevant equations with known probability for each
round & working out the probability that all simultaneously apply (to give the input-to-output
probability), or better the XOR sum of all the round equations:
$$\text{Prob} \sim \frac{1}{2} + 2^{n-1}\prod_{i=1}^{n}\left(p_i - \frac{1}{2}\right).$$
Intermediate data of the rounds must cancel in the XOR sum, but intermediate key bits are relevant
- choose appropriate selections of bits.
Clearly a very large number of tests, of the order of $1/\text{prob}$, are needed to make good conclusions. Clearly
- being known plaintext - LCA can work backwards as known cyphertext. Hence 2 bits (linear constraints on $k$) can be found. More still can be found by "exploring" the final round - hypothetically
altering the final key & observing the change in the output anomaly.
The linear characteristics exploited by LCA can be found (again) in the S-boxes. The scope
for non-uniform linear characteristics is very much greater than that for non-uniform differential
characteristics and as such it is harder to make & check an algorithm proof against LCA attacks.
The student should demonstrate he understands the general concepts and use of DCA, LCA.
It would be quite unreasonable to expect a real mastery!
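As an added illustration (not part of the exam solutions), the following Python computes the linear and differential tables of a small S-box and applies the piling-up formula above; the S-box values are the 4-bit S-box of the PRESENT cipher, used only as a convenient stand-in since the DES tables are not reproduced here.

```python
# Added example, not part of the exam solutions: linear and differential tables of
# a small S-box, and the piling-up rule quoted in the text for combining rounds,
# Prob ~ 1/2 + 2^(n-1) * prod(p_i - 1/2).
from itertools import product

# Constructed 4-bit S-box (the values are the PRESENT cipher's S-box, used here
# only as a convenient bijection; DES S-boxes are 6-in/4-out but the idea is the same).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def linear_prob(a: int, b: int) -> float:
    """Probability over all x that a.x == b.S(x) (dot products mod 2); a value
    far from 1/2 is a usable linear characteristic for LCA."""
    hits = sum(parity(a & x) == parity(b & SBOX[x]) for x in range(16))
    return hits / 16

def diff_prob(din: int, dout: int) -> float:
    """Probability over x that S(x) ^ S(x ^ din) == dout: the differential
    characteristic exploited by DCA."""
    return sum(SBOX[x] ^ SBOX[x ^ din] == dout for x in range(16)) / 16

def piling_up(probs) -> float:
    """Probability that the XOR of n independent round equations holds, each
    holding with probability p_i (the formula quoted above)."""
    prod = 1.0
    for p in probs:
        prod *= p - 0.5
    return 0.5 + 2 ** (len(probs) - 1) * prod

def best_linear_bias() -> float:
    """Largest |p - 1/2| over all non-trivial input/output masks."""
    return max(abs(linear_prob(a, b) - 0.5) for a, b in product(range(1, 16), repeat=2))

def best_diff_prob() -> float:
    """Largest differential probability over all non-zero input differences."""
    return max(diff_prob(d, e) for d in range(1, 16) for e in range(16))
```

Two rounds each using an approximation of probability 3/4 combine to 5/8, i.e. the bias shrinks from 1/4 to 1/8 and the number of tests needed grows accordingly.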
2
1. Prove that $a^{\phi(n)} = 1 \bmod n$ where $\phi(n)$ is Euler's Totient Function, and $a$ is an integer prime
to $n$.
2. Show that $\phi(n) = n\prod_i \left(1 - \frac{1}{r_i}\right)$ where the $r_i$ are the prime factors of $n$.
3. Prove that if $\text{Order}(a) \bmod n$ equals $t$, then $\text{Order}(a^s) = \dfrac{t}{\text{HCF}(s, t)}$.
4. Prove that if $n_1$ and $n_2$ are coprime and $\text{Order}(x) = t_1 \bmod n_1$ and $\text{Order}(x) = t_2 \bmod n_2$
then $\text{Order}(x) = \text{LCM}(t_1, t_2) \bmod (n_1 n_2)$.
5. Is it possible for $\text{Order}(x) \bmod n$ to divide $(n - 1)$ for all $x$, and what are the consequences of
this when performing primality tests?
Answer
2.1
$a_i$ is one of the $\phi(n)$ integers less than & prime to $n$. $a a_i \neq a a_j \bmod n$, else $a(a_i - a_j) = 0 \bmod n$,
impossible.
$$\therefore \prod_i (a a_i) = \prod_j a_j \quad (\text{the } a a_i \text{ are the } a_j \text{ in a different order mod } n)$$
or
$$a^{\phi(n)} \prod_i a_i = \prod_j a_j \quad\Rightarrow\quad a^{\phi(n)} = 1 \bmod n.$$
2.2
Firstly $\phi(ab) = \phi(a)\phi(b)$ if $(a, b)$ coprime because, by the Chinese Remainder Theorem, $\exists\ \phi(a)\phi(b)$
solutions mod $(ab)$ to $x = \alpha \bmod a$, $x = \beta \bmod b$ (*) with $\alpha, \beta$ less than and prime to $a, b$
respectively, and these $\phi(a)\phi(b)$ solutions are therefore less than and prime to $(ab)$.
$\therefore \phi(ab) \ge \phi(a)\phi(b)$.
But any integer less than and prime to $(ab)$ gives rise to (*), so is already counted.
$\therefore \phi(ab) = \phi(a)\phi(b)$.
$$\therefore \phi(n) = \phi\Big(\prod_i p_i^{e_i}\Big) = \prod_i \phi(p_i^{e_i}) = \prod_i p_i^{e_i}\Big(1 - \frac{1}{p_i}\Big) = n \prod_i \Big(1 - \frac{1}{p_i}\Big).$$
(The $p_i^{e_i - 1}$ multiples of $p_i$ are the elements mod $p_i^{e_i}$ not prime to $p_i^{e_i}$, so $\phi(p_i^{e_i}) = p_i^{e_i} - p_i^{e_i - 1}$.)
2.3
$\text{O}(a) = t$, $\therefore a^t \bmod n = 1$.
Let $x = \text{O}(a^s) \bmod n$ and $h = \text{HCF}(s, t)$, $\therefore s = ih$, $t = jh$ with $i, j$ coprime.
$$(a^s)^{t/h} = a^{it} = (a^t)^i = 1 \bmod n \quad\Rightarrow\quad x \,\Big|\, \frac{t}{h}.$$
Also $(a^s)^x = 1 \Rightarrow a^{ihx} = 1$, so $t \mid ihx \rightarrow j \mid ix$, i.e. $j \mid x$ (as $i, j$ coprime), $\therefore \dfrac{t}{h} \,\Big|\, x$.
$$\therefore x = \text{Order}(a^s) = \frac{t}{h} \quad \Big(\text{because } x \,\Big|\, \frac{t}{h} \text{ and } \frac{t}{h} \,\Big|\, x\Big).$$
2.4
$\text{O}(x) \bmod n_1 = t_1$, $\text{O}(x) \bmod n_2 = t_2$. Let $\text{Order}(x) \bmod n_1 n_2 = k$ and $\lambda = \text{LCM}(t_1, t_2)$.
$$x^k \bmod n_1 n_2 = 1 \;\Rightarrow\; x^k \bmod n_1 = 1 \;\Rightarrow\; t_1 \mid k, \qquad x^k \bmod n_2 = 1 \;\Rightarrow\; t_2 \mid k.$$
($t_1 \mid \phi(n_1)$ and $t_2 \mid \phi(n_2)$; if $t_1, t_2$ are coprime, $\lambda = t_1 t_2$.) $\therefore \lambda \mid k$.
Also
$$x^\lambda \bmod n_1 = 1,\quad x^\lambda \bmod n_2 = 1 \;\Rightarrow\; x^\lambda = 1 \bmod n_1 n_2 \;\rightarrow\; k \mid \lambda.$$
Again, as $\lambda \mid k$ and $k \mid \lambda$, $\therefore k = \text{Order}(x) \bmod n_1 n_2 = \text{LCM}(t_1, t_2)$.
2.5
If $n$ is a prime $p$, $\text{Order}(x)$ divides $(p - 1)$ for all $x$. If $n$ is composite this is not so. In general
$\text{LCM}(\phi(n_1), \phi(n_2)) \nmid (n_1 n_2 - 1)$.
A primality test on $n$ of the type "$x^{n-1} = 1 \bmod n$ for all $x$" however is not good because if $n$ is a
Carmichael number, $\lambda \mid (n - 1)$ and one is deceived.
Example $n = 561 = 3 \times 11 \times 17$: $\text{LCM}(\phi(3), \phi(11), \phi(17)) = 80$ and $(n - 1) = 560$, so $80 \mid 560$ ($560 = 7 \times 80$),
$\therefore x^{n-1} = 1 \bmod n$ for all $x$.
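An added numerical check of 2.2 to 2.5 (Python written for this page, not part of the solutions): the totient product formula, the order results, and the Carmichael number 561.

```python
# Added example, not part of the exam solutions: the totient product formula,
# multiplicative orders, and the Carmichael number 561 from 2.5, computed directly.
from math import gcd

def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (fine for exam-sized n)."""
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return out + [n] if n > 1 else out

def phi(n: int) -> int:
    """Euler's totient via phi(n) = n * prod(1 - 1/r_i) over the prime factors r_i."""
    result = n
    for r in prime_factors(n):
        result = result // r * (r - 1)      # multiply by (1 - 1/r) in integers
    return result

def order(a: int, n: int) -> int:
    """Multiplicative order of a mod n, by stepping powers (a must be prime to n)."""
    assert gcd(a, n) == 1
    t, x = 1, a % n
    while x != 1:
        x, t = x * a % n, t + 1
    return t

def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)

def fermat_passes_all(n: int) -> bool:
    """True when x^(n-1) = 1 mod n for every x prime to n, so the Fermat test
    never exposes n as composite (this is what a Carmichael number does)."""
    return all(pow(x, n - 1, n) == 1 for x in range(2, n) if gcd(x, n) == 1)
```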
3
Describe the procedure, based on sieving over a factor base, for solving for $x$ in the equation $y = a^x \bmod p$
where $y, a, p$ are known and $p$ is prime. Does it matter if $a$ is primitive or not? Discuss.
The procedure above involves matrix inversion. How could this be done?
Answer
Find $x$ from $y = a^x \bmod p$ where $y, a, p$ known. Pick random $n_i$ and try to factorise $a^{n_i} \bmod p$
over the factor base of primes $p_1 \ldots p_m$.
1. i.e.
$$a^{n_i} = \prod_{j=1}^{m} p_j^{e_{ij}} \bmod p, \qquad i = 1, \ldots, M \text{ (if possible)}.$$
2. Next we suppose $p_j = a^{N_j} \bmod p$ for some $N_j$ (this is true if $a$ is primitive). Substituting
above & taking logs gives
$$n_i = \sum_{j=1}^{m} N_j e_{ij} \bmod (p - 1), \qquad i = 1, \ldots, M.$$
Then solve for the $N_j$ by Gaussian elimination and so we know $p_j = a^{N_j}$.
3. Choose random $s$ and evaluate
$$y \cdot a^s \bmod p = \prod_{j=1}^{m} p_j^{e'_j}$$
if possible; if not, try a new $s$. If successful we have, taking logs,
$$x + s = \sum_{j=1}^{m} N_j e'_j \bmod (p - 1),$$
giving $x$.
If $a$ is primitive we certainly have $p_j = a^{N_j} \bmod p$ for some $N_j$. If $a$ is not primitive find a
primitive $c$ and express $a = c^r$ (some problem to find $r$ from $a = c^r \bmod p$). Then the original problem
is
$$y = c^{rx} \bmod p = c^z \bmod p.$$
Solve for $z$ as before, then $x = r^{-1} z \bmod (p - 1)$.
NOTE: Solving the simultaneous equations in 2 for the $N_j$ is messy. Do it mod $d_i$ where the $d_i$ are the
prime factors of $(p - 1)$, so we can get inverses mod $d_i$. Problems if $d_i^{e_i}$ divides $(p - 1)$ with $e_i > 1$; problems with
$d_i = 2$. At the end put together using CRT.
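The three steps above carried out in Python, as an added example that is not part of the solutions: it assumes a constructed toy prime $p = 1019$, whose $p - 1 = 2 \times 509$ is squarefree, the base $a = 2$ and the factor base $\{2, 3, 5, 7, 11, 13\}$, so the $N_j$ system is solved over GF(2) and GF(509) and recombined by CRT as the note suggests.

```python
# Added example, not part of the exam solutions: the factor-base method above on a
# toy prime. Assumes p - 1 is squarefree, its prime factors given as qs, so each N_j
# system is solved over GF(q) and recombined by CRT (no prime-power/"2" trouble).
def factor_over_base(v: int, base: list):
    """Exponent vector of v over the factor base, or None if v is not smooth."""
    exps = []
    for pj in base:
        exps.append(0)
        while v % pj == 0: v, exps[-1] = v // pj, exps[-1] + 1
    return exps if v == 1 else None

def solve_mod_prime(rows: list, q: int, m: int):
    """Gauss-Jordan over GF(q) on rows [e_1..e_m | n]; None while underdetermined."""
    A = [[v % q for v in r] for r in rows]
    for col in range(m):
        piv = next((i for i in range(col, len(A)) if A[i][col]), None)
        if piv is None: return None
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v * pow(A[col][col], -1, q) % q for v in A[col]]
        for i in range(len(A)):
            if i != col and A[i][col]:
                A[i] = [(u - A[i][col] * v) % q for u, v in zip(A[i], A[col])]
    return [A[i][m] for i in range(m)]

def crt(residues: list, moduli: list) -> int:
    """Combine x = r_i mod q_i (pairwise coprime q_i) into x mod prod(q_i)."""
    x, M = 0, 1
    for r, q in zip(residues, moduli):
        x, M = x + M * ((r - x) * pow(M, -1, q) % q), M * q
    return x % M

def factor_base_logs(a: int, p: int, base: list, qs: list) -> list:
    """Steps 1-2: relations a^n = prod p_j^e_j until every N_j (p_j = a^N_j) is fixed."""
    rows = []
    for n in range(1, p - 1):
        e = factor_over_base(pow(a, n, p), base)
        if e is None: continue
        rows.append(e + [n])
        sols = [solve_mod_prime(rows, q, len(base)) for q in qs]
        if None not in sols:
            return [crt([s[j] for s in sols], qs) for j in range(len(base))]

def index_calculus(y: int, a: int, p: int, base: list, qs: list) -> int:
    """Step 3: find s with y.a^s smooth, then x = sum N_j e'_j - s mod (p - 1)."""
    logs = factor_base_logs(a, p, base, qs)
    for s in range(p - 1):
        e = factor_over_base(y * pow(a, s, p) % p, base)
        if e is not None:
            return (sum(N * k for N, k in zip(logs, e)) - s) % (p - 1)
```

Since 2 is primitive mod 1019, every $y$ has a unique logarithm mod 1018, which `index_calculus(y, 2, 1019, [2, 3, 5, 7, 11, 13], [2, 509])` returns.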
4
Cryptographic security services are used to ensure the confidentiality, integrity and authenticity
of digital messages. They can also be used to prove that such messages were sent or received by
specific persons and they can provide many other security functions. Which security functions
do Message Authentication Checks (MACs) and Digital Signatures (DS) provide? Discuss how a
MAC and a DS provide these functions and explain the difference between a MAC and a DS by
considering public and secret keys.
What is meant by certification of a public key, and why is it necessary? How is it provided?
Answer
A MAC is created from the message and a secret key, $k$, held by the sender and known to the
recipient, using a known algorithm. -DIAGRAM-. The received message is processed to regenerate
the MAC, which is compared with the received MAC. If received message = sent message and
received key $k$ = sender's key $k$ then we assume the message is uncorrupted and from the sender (i.e. he
who holds the key). Then a MAC provides an integrity check on the message and a proof of sender
to the recipient, BUT a MAC can be repudiated by a sender. He can say he didn't send the message
because the receiver has the same key and could create the MAC himself.
For non-repudiation we require public/private key pairs & Digital Signatures. The sender signs
the message (or rather a SOMETHING or hash $H$ of the message) with his private key. The recipient validates the signature with the sender's public key. -DIAGRAM-. The signature to a hash $H$
of the message is inverted by the recipient to retrieve $H(\text{message})$ & compared with the MAC of
the received message.
The DS provides non-repudiation because no-one but the sender has his private key.
Public keys need to be certified, otherwise anyone could generate a key pair, keep the secret key &
proclaim the public key belongs to someone else & so impersonate that other person. Certification
is usually by a TTP (Trusted Third Party). The TTP signs the public key together with the owner's
ID, expiry date, etc. -DIAGRAM-
5
The Advanced Encryption Standard (AES/Rijndael) has been introduced to supersede the Data Encryption Algorithm (DEA/DES).
Contrast the two algorithms and highlight those features of Rijndael which make it superior to
DES.
Answer
The student can describe DES & Rijndael.
DES
• 16 rounds Feistel
• 64 bit data, split into 2 32-bit parts
• 56 bit key
• key schedule
• reversibility
• f() function & S-boxes with nonlinearity & strong non-uniform differential characteristics
Rijndael
• Various versions: 128, 192 & 256 bit data or key
• Squares with 4*4 bytes
– BS Byte Sub
– SL Shift left (rows)
– MC Mix Columns
– XK XOR with subkey
• Prewhiten, postwhiten
• 10 rounds (128), 12 rounds (192), 14 rounds (256)
• Key schedule
The student can discuss the BS, SL + MC operators, comparing points such as
• Whitening against DCA/LCA effects
• Uniformity: no useful (to an attacker) differential or linear anomalies
• Larger keys (128 -v- 64 bit)
• Speed + for ASIC implementation
The student can elaborate on details - the more (correct) the better.
6
The defect of the Diffie-Hellman shared secret scheme is that the parties involved have no proof
of each other's identities.
Discuss the MTI/AO, MTI/CO and MQV improvements on Diffie-Hellman, and show how they
remedy this defect.
What is "forward secrecy" (or "future proofing")? Do these techniques provide it?
Answer
The Diffie-Hellman scheme is: $A, B$ share a base $\alpha$ and a modulus $n$
7
How does one test if an integer is a QR (Quadratic Residue) mod p, where p is prime? If x is a QR
how does one extract its square root? If the modulus n is the product of two primes p, q, how does
one extract the square root of a QR?
What relevance have QRs to Rabin encryption? How are multiple square roots handled in that
technique?
Answer
Mod $p$ $\exists$ a primitive $\alpha$. If $x$ is a QR, $x = \alpha^{2s} \bmod p$ for some $s$. Then
$$x^{\frac{p-1}{2}} = \alpha^{(p-1)s} = 1 \bmod p.$$
Conversely, if $x$ is not a QR, $x = \alpha^s \bmod p$ with $s$ odd, and
$$x^{\frac{p-1}{2}} = \alpha^{\frac{(p-1)s}{2}} = \big(\alpha^{\frac{p-1}{2}}\big)^s = -1 \bmod p.$$
Because $GF(p)$ is a field, $\exists$ only two square roots of 1, namely $1, -1$:
$$\text{QR} \rightarrow x^{\frac{p-1}{2}} = 1, \qquad \text{QNR} \rightarrow x^{\frac{p-1}{2}} = -1.$$
If $p = 4k + 3$ for some $k$ then
$$x^{p+1} = x^{p-1} \cdot x^2 = x^2 \bmod p.$$
So $x^{\frac{p+1}{4}} = x^{\frac{1}{2}} \bmod p$. But
$$x^{\frac{p+1}{4}} = x^{\frac{4k+4}{4}} = x^{k+1} \bmod p.$$
Example $p = 19$, $k = 4$, $x = 7$:
$$7^5 = 7^2 \cdot 7^2 \cdot 7 = 11 \cdot 11 \cdot 7 = 11 = 7^{\frac{1}{2}} \bmod 19.$$
If, however, $p = 4k + 1$, there is a much more sophisticated method to find $c^{\frac{1}{2}}$ (if $c$ is a QR). It involves
forming an irreducible $f(x) = x^2 + bx + c$ (i.e. $b^2 - 4c$ is a QNR) and dividing $x^{\frac{p+1}{2}}$ by $f(x)$; the
remainder is the root.
Bonus for students who can show this.
If $n = p.q$ then in principle $\exists$ 4 square roots. One first factorises and finds $c^{\frac{1}{2}} \bmod p$, $c^{\frac{1}{2}} \bmod q$ and
puts them together using CRT to get $m_1, m_2, m_3, m_4$ with $m_i^2 = c \bmod n$; $m_2 = -m_1$, $m_4 = -m_3$.
Rabin encryption has cyphertext $c = m^2 \bmod n$. The secret key is the factors of $n$. To decrypt find
$c^{\frac{1}{2}}$. There are four possibilities. Which one do we choose? Answer: build into $m$ a checksum; then
the solution with the correct checksum is the right one. Note: an attacker that finds the solutions
(e.g. by theft) can break the system: given $m_1, m_2, m_3, m_4$ one can factorise $n$.
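The whole of the above in Python, as an added example not taken from the solutions: Euler's criterion, the $x^{k+1}$ root for $p = 4k + 3$, the four Rabin roots assembled by CRT with a checksum to pick the right one, and the observation that two non-opposite roots factorise $n$. The primes 10007 and 10039 (both $3 \bmod 4$) and the 16-bit checksum tag are constructed for the example.

```python
# Added example, not part of the exam solutions: Euler's criterion, the p = 4k+3
# root x^(k+1), the four Rabin roots assembled by CRT, the checksum that picks the
# right one, and the fact that two non-opposite roots factorise n. The primes
# 10007 and 10039 (both 3 mod 4) and the 16-bit checksum tag are constructed.
from math import gcd

def is_qr(x: int, p: int) -> bool:
    """Euler's criterion: x^((p-1)/2) = 1 mod p exactly when x is a QR."""
    return pow(x, (p - 1) // 2, p) == 1

def sqrt_mod_p3(x: int, p: int) -> int:
    """Square root for p = 4k + 3: x^(k+1) = x^((p+1)/4) mod p (x must be a QR)."""
    assert p % 4 == 3 and is_qr(x, p)
    return pow(x, (p + 1) // 4, p)

def crt2(r1: int, n1: int, r2: int, n2: int) -> int:
    """The x mod n1 n2 with x = r1 mod n1 and x = r2 mod n2 (n1, n2 coprime)."""
    return (r1 + n1 * ((r2 - r1) * pow(n1, -1, n2) % n2)) % (n1 * n2)

def rabin_roots(c: int, p: int, q: int) -> list:
    """The four m with m^2 = c mod pq: combine the +/- roots mod p and mod q."""
    rp, rq = sqrt_mod_p3(c % p, p), sqrt_mod_p3(c % q, q)
    n = p * q
    m1, m3 = crt2(rp, p, rq, q), crt2(rp, p, q - rq, q)
    return [m1, (-m1) % n, m3, (-m3) % n]          # m2 = -m1, m4 = -m3

def rabin_encrypt(m: int, n: int, tag: int = 0xABCD) -> int:
    """c = (m || tag)^2 mod n; the tag is the checksum built into m."""
    return pow((m << 16) | tag, 2, n)

def rabin_decrypt(c: int, p: int, q: int, tag: int = 0xABCD) -> int:
    """Of the four roots, keep the one carrying the checksum (needs the factors)."""
    hits = [r for r in rabin_roots(c, p, q) if r & 0xFFFF == tag]
    if len(hits) != 1:
        raise ValueError("checksum did not single out one root")
    return hits[0] >> 16

def factor_from_roots(roots: list, n: int) -> tuple:
    """m1^2 = m3^2 mod n with m3 != +/-m1, so gcd(m1 - m3, n) is a proper factor."""
    p = gcd(roots[0] - roots[2], n)
    return (min(p, n // p), max(p, n // p))
```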
8
Describe the Digital Signature Algorithm (DSA). Why must the base have a large prime order?
Describe the Korean Digital Signature Algorithm (KDSA) and contrast KDSA with DSA.
DSA
• Base $\alpha$, modulus $p$
• $\text{Order}(\alpha) = q \mid (p - 1)$, $q$ = large prime (160 bit)
• Secret key = $x < q$
• Public key = $y = \alpha^x \bmod p$ (certified)
• To sign, form random $k < q$:
$$r = ((\alpha^k \bmod p) \bmod q), \qquad s = k^{-1}(H(m) + rx) \bmod q,$$
$H(m)$ = hash of message; $(r, s)$ = signature to message
• To verify, form $s^{-1} \bmod q$. Test
$$\big(\alpha^{s^{-1} H(m)} \times y^{s^{-1} r} \bmod p\big) \bmod q = r\,?$$
If correct, accept signature.
Note
$$\alpha^{s^{-1} H(m)} \times y^{s^{-1} r} = \alpha^{s^{-1}(H(m) + xr)} = \alpha^{k (H(m) + xr)^{-1} (H(m) + xr)} = \alpha^k \bmod p.$$
Hence the thing above $= r$.
The above involves forming $k^{-1} \bmod q$ on signing, $s^{-1} \bmod q$ on verifying. The message is not
linked to the sender's certificate.
KDSA is faster & more secure on these 3 points:
• $H(Z|m)$ used, $Z$ = signatory's certificate
• Secret key = $x < q$; Public key = $y = \alpha^{x^{-1}} \bmod p$
• Sign: choose random $k$,
$$r = H(\alpha^k \bmod p) < q, \qquad s = x(k - (r \oplus H(Z|m))) \bmod q$$
($H()$ more secure)
• Validate: test $r = H(y^s \cdot \alpha^e \bmod p)$ with $e = r \oplus H(Z|M)$
$$\big(= H(\alpha^{s x^{-1}} \cdot \alpha^e \bmod p) = H(\alpha^k \bmod p)\big)$$
Improvements
1. Sign: no $k^{-1}$; Verify: no $s^{-1}$
2. $H(\alpha^k \bmod p)$ instead of $(\alpha^k \bmod p) \bmod q$
3. $H(Z|m)$
4. $\oplus$ instead of $+$ ($s_1$, $s_2$ secure)
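Both schemes as toy Python, an added example that is not part of the solutions: it assumes a small constructed group $p = 607$, $q = 101$, $\alpha = 64$ (so $q \mid p - 1$ and $\alpha$ has order $q$), uses SHA-1 reduced mod $q$ as a stand-in hash, and takes $k$ as a parameter so that runs are repeatable. The verification identities quoted above are what make `dsa_verify` and `kdsa_verify` succeed.

```python
# Added example, not part of the exam solutions: toy DSA and KDSA over a small
# constructed group, p = 607, q = 101, alpha = 64 (q | p - 1 and alpha has order q).
# H is SHA-1 reduced mod q, standing in for a real hash; k is a parameter so that
# runs are repeatable. Both verification identities from the text are exercised.
import hashlib

P, Q, ALPHA = 607, 101, 64

def H(*parts: bytes) -> int:
    """Toy hash into [0, q): SHA-1 of the concatenated parts, reduced mod q."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big") % Q

def dsa_sign(x: int, m: bytes, k: int):
    """(r, s) for secret x and random 0 < k < q; None if r or s degenerates."""
    r = pow(ALPHA, k, P) % Q
    s = pow(k, -1, Q) * (H(m) + r * x) % Q         # needs k^-1 mod q
    return (r, s) if r and s else None

def dsa_verify(y: int, m: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)                               # needs s^-1 mod q
    v = pow(ALPHA, w * H(m) % Q, P) * pow(y, w * r % Q, P) % P
    return v % Q == r                                # v = alpha^k mod p

def kdsa_public(x: int) -> int:
    """KDSA public key is alpha^(x^-1) mod p rather than alpha^x."""
    return pow(ALPHA, pow(x, -1, Q), P)

def kdsa_sign(x: int, z: bytes, m: bytes, k: int) -> tuple:
    r = H(pow(ALPHA, k, P).to_bytes(2, "big"))      # r = H(alpha^k mod p) < q
    s = x * (k - (r ^ H(z, m))) % Q                  # no k^-1; certificate Z hashed in
    return r, s

def kdsa_verify(y: int, z: bytes, m: bytes, sig: tuple) -> bool:
    r, s = sig
    e = r ^ H(z, m)                                  # y^s alpha^e = alpha^(k-e) alpha^e
    return r == H((pow(y, s, P) * pow(ALPHA, e, P) % P).to_bytes(2, "big"))
```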
9
Hash functions are used in digital signatures. How?
What criteria should a hash function fulfill to be secure in this usage? Describe the SHA-1 function.
Hash functions may be used with a secret key to provide a MAC. Explain how this is done.
Answer
A digital signature is attached to a message (so that its authenticity can be verified) and the signature is created from a digest or compressed form of the message ($m$) using the signatory's private
key, $k$. The method of compression is called a hash $H(m)$ and the signature $= S(k, H(m))$. Compression is needed so that the signature is not too long. On reception the recipient decrypts the
encrypted $H(m)$ with the sender's public key and checks whether
$$\text{Decrypted } H(m) = H(\text{Received } m).$$
For this purpose it must not be possible to find another $m'$ such that $H(m') = H(m)$ - otherwise
the valid signature to $m$ could be attached to $m'$, making it appear that the original signatory had
signed the replacement message.
Similarly, it must be impossible to find $m_1, m_2$ such that $H(m_1) = H(m_2)$ - otherwise perhaps
a valid $m_1$ can be signed by a user & then the signature attached to $m_2$. These criteria of course
apply to extensions & curtailment of messages.
SHA-1 has the general form:
• 512 bit input at a time (16 32-bit words)
• 160 bit output
-DIAGRAM-
1. Divide $M_i$ into 16 32-bit words $W(0)$ to $W(15)$
2. Construct $W(16)$ to $W(79)$ from them
3. Set $A = H_0$, $B = H_1$, $C = H_2$, $D = H_3$, $E = H_4$ (initial constants)
4. Loop 80 times, $t = 0, \ldots, 79$:
$\text{Temp} = S^5(A) + f(t, B, C, D) + E + W(t) + K(t)$
$E = D$, $D = C$, $C = S^{30}(B)$, $B = A$, $A = \text{Temp}$
5. $H_0 = H_0 + A$, $H_1 = H_1 + B$, $H_2 = H_2 + C$, $H_3 = H_3 + D$, $H_4 = H_4 + E$
6. $i = i + 1$; next block of input
The student is not expected to remember all the details but should show the general idea. Mention
padding & message length.
The so-called Hash-MAC is a method of producing a MAC (message authentication check) from a hash
function and a key. The officially recommended approach is
$$\text{HMAC}(\text{key}, \text{message}) = H(K \oplus \text{opad},\ H(K \oplus \text{ipad},\ \text{message}))$$
ipad and opad are constants of block length.
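The six SHA-1 steps and the HMAC formula above written out in Python (an added example, not part of the solutions), checked against the standard library; the `mac_check` function is the receiver-side comparison described in question 4, and because it needs only the shared key, the receiver can generate tags as well as check them, which is the repudiation point made there. The ipad/opad byte values 0x36/0x5C and the 64-byte block length are those of the standard HMAC construction.

```python
# Added example, not part of the exam solutions: SHA-1 written out from the six
# steps listed above and the HMAC construction H(K xor opad, H(K xor ipad, m))
# built on it, plus the MAC check of question 4 (the receiver regenerates the MAC
# from the shared key, which is also why a MAC can be repudiated).
import hashlib, hmac, struct

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def sha1(msg: bytes) -> bytes:
    """Padding: 0x80, zeros up to 56 mod 64 bytes, then the 64-bit bit length."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    ml = len(msg)
    msg += b"\x80" + b"\x00" * ((55 - ml) % 64) + struct.pack(">Q", 8 * ml)
    for i in range(0, len(msg), 64):                     # one 512-bit block M_i
        w = list(struct.unpack(">16L", msg[i:i + 64]))   # step 1: W(0)..W(15)
        for t in range(16, 80):                          # step 2: W(16)..W(79)
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h                                # step 3
        for t in range(80):                              # step 4: 80 rounds
            if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:        f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (_rotl(a, 5) + f + e + w[t] + k) & 0xFFFFFFFF
            e, d, c, b, a = d, c, _rotl(b, 30), a, temp
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]  # step 5
    return struct.pack(">5L", *h)

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """ipad = 0x36.., opad = 0x5C.. of block length (64); long keys are hashed first."""
    key = (sha1(key) if len(key) > 64 else key).ljust(64, b"\x00")
    inner = sha1(bytes(k ^ 0x36 for k in key) + msg)
    return sha1(bytes(k ^ 0x5C for k in key) + inner)

def mac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver's side: regenerate the MAC from the received message and compare."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()
```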
10
Describe the RSA technique for implementing public key cryptology. Illustrate your description
using a modulus of 143.
Explain how, with the Chinese Remainder Theorem, operations using the secret key may be
speeded up if the factors of the modulus are explicitly employed. Illustrate your explanation.
Choosing a small public key exponent will clearly speed up operations based on the public key.
Are there associated dangers if this is done?
Answer
In RSA every user has a key pair; $e$ = public key, $d$ = private/secret key, and a modulus $n$:
$$de = 1 \bmod \phi(n) = 1 \bmod (p - 1)(q - 1),$$
where $n = p.q$ = product of two primes which are secret (i.e. security is based on the attacker not being
able to factorise $n$, so not being able to find $\phi(n)$, and so not being able to find $d = e^{-1} \bmod \phi(n)$).
To send a secret message, $m$, encrypted to another user one employs the other user's public key &
forms
$$c = m^e \bmod n.$$
The recipient can decrypt the message by $c^d$:
$$c^d = m^{ed} \bmod n = m^{1 + K\phi(n)} \bmod n = m.$$
To sign a message $m$ the user uses his own secret key $d$ & forms a signature $H(m)^d \bmod n$, where
$H(m)$ = Hash(message). The recipient performs $(H(m)^d)^e \bmod n = H(m)$ and checks if this
equals $H(\text{received message})$.
NOTE: $d$ is protected from discovery in $\text{Sig} = H(m)^d \bmod n$ ($\text{Sig}$ known, $H(m)$ known, $n$ known)
by the discrete log (DL) problem.
Example $p = 11$, $q = 13$, $n = 143$, $\phi(n) = (p - 1)(q - 1) = 10 \times 12 = 120$.
Suppose $e = 7$, then $d = 103$ as $7 \times 103 = 1 \bmod 120$.
To encrypt message $m = 2$:
$$c = 2^7 \bmod 143 = 128 = -15.$$
$$c^d = (-15)^{103} \bmod 143:$$
$(-15)^2 = 225 = 82 \bmod 143$
$(-15)^4 = 82^2 = 6724 = 3$
$(-15)^8 = 9$
$(-15)^{16} = 81$
$(-15)^{32} = 6561 = 126 = -17$
$(-15)^{64} = (-17)^2 = 289 = 3$
$(-15)^{96} = 3 \times -17 = -51$
$(-15)^{100} = -51 \times 3 = -153 = -10$
$(-15)^{102} = -10 \times 82 = -820 = 38$
$(-15)^{103} = 38 \times -15 = -570 = 2$
$\therefore m = 2$. Correct.
If we use $p, q$ we can form
$$m_p = (c^d \bmod p) = c^{d_p} \bmod p, \qquad d_p = d \bmod (p - 1),$$
$$m_q = (c^d \bmod q) = c^{d_q} \bmod q, \qquad d_q = d \bmod (q - 1),$$
& use the Chinese Remainder Theorem to find $c^d \bmod n = c^d \bmod pq$.
Using the above figures,
$$d_p = 103 \bmod 10 = 3, \qquad d_q = 103 \bmod 12 = 7,$$
$$m_p = 128^3 \bmod 11 = 7^3 \bmod 11 = 7 \times 5 = 2 \bmod 11,$$
$$m_q = 128^7 \bmod 13 = (-2)^7 \bmod 13 = 64 \times -2 \bmod 13 = -1 \times -2 \bmod 13 = 2 \bmod 13,$$
$\therefore m = 2$.
If $e$ is small, e.g. $e = 3$, a message $m$ could be sent to 3 different destinations (assuming they use
the same exponent but different moduli $n_1, n_2, n_3$) as
$$c_1 = m^e \bmod n_1, \qquad c_2 = m^e \bmod n_2, \qquad c_3 = m^e \bmod n_3.$$
Then an attacker could find $c = m^e \bmod (n_1 n_2 n_3)$ using CRT & since $m < n_1, n_2, n_3$, $m^e\ (e = 3) <
(n_1 n_2 n_3)$, so $m$ can be found: $m = c^{\frac{1}{3}}$. I.e. a small public key exponent shared between $k$ users can
lead to a message sent to all $k$ users being decrypted by an attacker.
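The $n = 143$ figures, the CRT form of decryption and the $e = 3$ broadcast problem above, as an added Python example that is not part of the solutions. The three pairwise coprime moduli used for the broadcast case are constructed, and, as in the text, no padding is applied to $m$, which is the condition that makes the cube root recover it.

```python
# Added example, not part of the exam solutions: the n = 143 figures from the
# text, CRT decryption with d_p and d_q, and the e = 3 broadcast problem described
# above, using three constructed coprime moduli and no padding (the textbook
# setting the text assumes).
from math import gcd

def rsa_keypair(p: int, q: int, e: int) -> tuple:
    """(n, d) with d = e^-1 mod phi(n), phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p * q, pow(e, -1, phi)

def decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """m_p = c^(d mod p-1) mod p, m_q = c^(d mod q-1) mod q, then combine by CRT."""
    mp, mq = pow(c, d % (p - 1), p), pow(c, d % (q - 1), q)
    h = (mq - mp) * pow(p, -1, q) % q               # lift m_p so that it also = m_q mod q
    return mp + p * h

def icbrt(v: int) -> int:
    """Integer cube root of a perfect cube (bisection, exact for big ints)."""
    lo, hi = 0, 1 << ((v.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < v: lo = mid + 1
        else: hi = mid
    return lo

def hastad_e3(cs: list, ns: list) -> int:
    """Same m to three users with e = 3 and coprime moduli: CRT recovers m^3 mod
    n1 n2 n3, which is m^3 itself since m < each n_i, so m is its cube root."""
    x, M = 0, 1
    for c, n in zip(cs, ns):
        x += M * ((c - x) * pow(M, -1, n) % n)
        M *= n
    return icbrt(x % M)
```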