Sample solutions to 2009 exam as provided by Dr. Purser 1
Sample solutions to 2009 exam as provided by Dr. Purser Decrypted by Killian Rogan May 11, 2011 1 Outline the ideas incorporated into Differential Crypt-Analysis (DCA) and Linear CryptAnalysis (LCA). What does the analyst/attacker hope to find? Are these chosen or known, plaintext or cyphertext techniques? Discuss taking the reversibility of encryption algorithms into account. As applied to DES, both techniques rely on the non-linearity of the S-boxes What is meant by this? How is it relevant? WHy may other operations in the algorithm be regarded as linear? Why do DCA and LCA require a large number of tests? Why and how is this related to the number of rounds? Answer of p and c you enable k to be queued. (Eg. If prob of tree equation < 1/2 and p = 1 and c = 1 then we conclude k = 1 to make equation untrue) The equation is established by establishing relevant equations with known probability for each and & working out the probability that all simultaneously apply (to give the input to output probability) or better the XOR sum of all the round equations ! n 1 X n−1 1 Prob ∼ + 2 pi − . 2 2 i=1 Intermediate data of the rounds must cancel in the XOR sum, but intermediate key bits are relevant - choose appropriate selections ofbits. 1 number of tests are needed to make good conclusions. Clearly prob - being known plaintext - LCA can work backwards as known cyphertext. Hence 2 bits (linear constraints on k) can be found. More still can be found by “exploring” the final round - hypothetically altering the final key & observing the change in the output anomaly. The linear characteristics exploited by LCA can be found (again) in theS-boxes. The scope for non-uniform linear characteristics is very much greater than that for non-uniform Differential characteristics and as such it is harder to make & check an algorithm proof against LCA attacks. The student should demonstrate he understands the general concepts and use of DCA, LCA. It would be quite unreasonable to expect a real mastery! Clearly a very large 1 2 1. Prove that aφ(n) = 1 mod n where φ(n) is Euler’s Totient Function, and a is an integer prime to n Q 2. Show that φ(n) = n i 1 − r1i where the ri are the prime factors of n 3. Prove that if Order(a) mod n equals t, then Order(as ) = t . HCF(s, t) 4. Prove that if n1 and n2 are coprime and Order(x) = t1 mod n1 and Order(x) = t2 mod n2 then Order(x) = LCM(t1 , t2 ) mod (n1 n2 ). 5. Is it possible for Order(x) mod n to divide (n − 1) for all x, and what are the consequences of this when performing primality tests? Answer 2.1 ai is one of φ(n) integers less than & prime to n. aai 6= aaj mod n else a(ai − aj ) = 0 mod n, impossible Y Y ∴ (aai ) = aj (ai in different orders mod n) i j or αφ(n) Y ai = Y aj (aφ(n) = 1 mod n) 2.2 Firstly φ(ab) = φ(a)φ(b) if (a, b) coprime because, by Chinese Remainder Theorem ∃φ(a)φ(b) something mod s(ab) to x = α mod a, x = β mod b (*) with α, β less than and prime to a, b respectively, and these φ(a)φ(b) solutions are therefore less than and prime to (ab). ∴ φ(ab) ≥ φ(a)φ(b) But any integer less than and prime to (ab) gives rise to (*) so already counted. ∴ φ(ab) = φ(a)φ(a) Y e Y Y ∴ φ(n) = φ pi i = φ((pi )e2 ) = (1 − pi ) i i =n i Y 1 (1 − ) pi i These elements mod pi not prime to pei i 2 2.3 O(a) = t ∴ at mod n = 1 Let x = O(as ) mod t and h = HCF(s, t) ∴ s = ih, t = jh i, j coprime (as ) t/h = ai t = (at )i = 1 mod n and (as )x = 1 ⇒ aihx = 1 also t h t|ihx → j|ix x| ie. ∴ j|x t |x h ∴ x = Order(as ) = t h (Because x| ht and ht |x) 2.4 O(x) mod n1 = t1 , O(x) mod n2 = t2 Let xk Order(x) mod n1 n2 = k λ = LCM(t1 , t2 ) mod n1 n2 = 1 ⇒ xk mod n1 = 1 ⇒ t1 |λ k mod n2 = 1 ⇒ t2 |λ ⇒x t1 |φ(n1 ) and t1 |φ(n2 ) t1 , t2 coprime ∴ λ|k. also xλ xλ ) mod n1 =1 mod n2 =1 ⇒ xλ = 1 mod n1 n2 → k|λ Again, as λ|k and k|λ ∴ k = Order(k) mod n1 n2 = LCM(t1 , t2 ) 3 2.5 If n is prime p Order(x) divides (p − 1) for all x. If n is composite this is not so. In general λ(φ(n1 ), φ(n2 )) 6 |(n1 n2 − 1) A primality test on n of typet xn−1 = 1 mod n for all x however is not good because if n is a Carmichael number, λ|(n − 1) and one is decieved. Example n = 561 = 3 × 11 × 17 LCM(φ(3), φ(11), φ(17)) = 80 (n − 1) = 560, we have 80|560(= 7) ∴ xn−1 = 1 mod n for all x 3 Describe the procedure, based on sieving over a factor base, for solving for xin the equation y = ax mod p where y, a, p are known and p is prime. Does it matter if a is primitive or not? Discuss. The procedure above involves matrix inversion. How could this be done? Answer Find x from y = ax mod p where y, a, p known. Pick random ni and try to factorise ani mod p over the factor base of primes pi . . . pm . 1. i.e. e ani = prodj=1,m pj ij i = 1, M if possible 2. Next we suppose pj = aNj mod p for some Nj (this is true if a is primitive). Substituting above & taking logs gives X ni = Nj eij mod (p − 1) i = 1, M j=1,m The solve for Nj by Gaussian elimination and so we know pj = aNj 3. Choose random s and evaluate y.as mod p = Y e0 pj j if possible; if not try new s j=1,m If successful we have, taking logs x+s= X Nj e0j mod (p − 1) j=1,m giving x. If a is primitive we certainly have pj = aNj mod p for some Nj . If a is not primitive find a primitive c and express a = cr (some problem to find r from a = cr mod p. Then original problem is y = crx mod p = cz mod p Solve for z as before then x = r−1 z mod (p − 1). NOTE: Solving the simultaneous equations in 2 for Nj is messy. Do it by mod di where di are the e prime factors of (p − 1) so we can get inverses mod pj . Problems if mod pj j ej > 1 Problems with pj = 2 At the end put together using CRT. 4 4 Cryptographic security services are used to ensure the confidentiality, integrity and authenticity of digital messages. They can also be used to prove that such message were sent or received by specific persons and they can providemany other security functions. Which security functions do Message Authentication Checks (MACs) and Digital Signatures (DS) provide? Discuss how a MAC and a DS provide these functions and explain the difference between a MAC and a DS by considering public and secret keys. What is meant by certification of a public key; and why is it necessary? How is it provided? Answer A MAC is created from the message and a secret key, k held by the sender and known to the recipient, using a known algorithm.-DIAGRAM-.The received message is processed to regenerate the MAC which is compared with the received MAC. If received message = sent message and received key k = sender’s key k then we assume message is uncorrupted and from sender( i.e. he who holds the key). Then a MAC provides an integrity of message check on a proof of sender to the recipient, BUT a MAC can be repudiated by a sender. He can say didn’t send the message because the receiver has the same key and could create the MAC himself. For non-repudiation we require public/private key pairs & Digital Signatures. The sender signs the message (or rather a SOMETHING or hash H of the message) with his private key. The recipient validates the signature with the sender’s public key. -DIAGRAM-. The signature to a hash H of the message inverted by the recipient to retrieve the H(message) & compare with the MAC of the recieved message. The DS provides non-repudiation because no-one but the sender has his private key. Public keys need to be certified otherwise anyone could generate a key pair, keep the secret key & proclaim the public key belongs to someone else & so impersonate that other person. Certification is usually by a TTP (Trusted Third Party). The TTP signs the public key togethers with owner’s ID, expiry date, etc. -DIAGRAM- 5 The Advanced Encyption System (AES/Rijndael) has been introduce to supersede the Data Encryption Algorithm (DEA/DES). Contrast the two algorithms and highlight those features of Rijndael which make it superior to DES. Answer The student can describe DES & Rijndal • 16 rounds Feistel • 64 bit data, split into 2 32 bit parts • 56 bit key • key schedule & one • reversibility • f() function & S boxes with nonlinearity & strong non-uniform differential characteristics Rijndal 5 • Various versions 128, 192 & 256 bit / data or key • Squares with 4*4 bytes – BS Byte/Sub – SL Shift left (row) – MC Mix columns – XK XOR fabkey • Prewhiten, postwhiten • 10 rounds (256), 12 rounds(192), 14 rounds(256) • Key schedule Student can discuss BS, SC + MC operator comparing point to • Whitening against DCA/LCA effects • Uniformity No useful (to an attacker) Differential, Linear anomalies • Larger keys (128 -v- 64 bit) • Speed + for ASFC implementation The student can elaborate on details - the more (correct) the better. 6 The defect of the Diffie-Hellman shared secret scheme is that the parties involved have no proof of each others’ identities. Discuss the MTI/AO, MTI/CO and MQV improvements on Diffie-Hellman, and show how they remedy this defect. What is “forward secrecy” (or “future proofing”)? Do these techniques provide it? Answer Diffie-Hellman scheme is A, B share a base α and a modulus n 7 How does one test if an integer is a QR (Quadratic Residue) mod p, where p is prime? If x is a QR how does one extract its square root? If the modulus n is the product of two primes p, q, how does one extract the square root of a QR? What relevance have QRs to Rabin encryption? How are multiple square roots handled in that technique? Answer mod p∃ a primitive α. If x is a QR x = α2s mod p for some s. Then x p−1 2 = α(p−1)s = 1 6 mod p Convesely, if x is not a QR x p−1 2 x = αs mod p s odd 1 1 2 = α(p−1)s = 1 2 mod p = −1 Because GF(p) is a field, ∃ only two square roots of 1, namely 1, −1 QR →x QNR →x p−1 2 p−1 2 =1 = −1 If p = 4k + 3 for some k then xp+1 = xp−1 .x2 = x2 So xp+1 But x p+1 4 =x 1 4 1 = x2 4k+4 4 mod p mod p = xk+1 mod p Example p = 19 k = 4 x = 7 1 75 = 72 .72 .7 = 11.11.7 = 11 = 7 2 mod 19 1 If, however, p = 4k + 1, there is a much more sophisticated metho to find c 2 (if c a QR). it involves p+1 forming an irreducible f (x) = x2 + bx + c (i.e. b2 − 4c) is QNR and dividing x 2 by f (x) and the remainder is the root. Bonus for students who can show this. 1 1 If n = p.q then in principle ∃ 4 square roots. One first factorises and finds c 2 mod p, c 2 mod q and puts them together using CRT to get m1 , m2 , m3 , m4 with m2i = c mod n. m2 = −m1 , m4 = −m3 Rabin encryption has cyphertexst c = m2 mod n. The secret key is the factors if n. To decrypt find 1 c 2 . There are four possibilites. Which one do we choose? Answer: Build into m a checksum then the solution with the correct checksum is the right one. Note: an attacker that finds the soultions (eg. by theft) can break the system: Given m1 , m2 , m3 , m4 one can factorise n. 8 Describe the Digital Signature Algorithm (DSA). Why must the base have a large prime order? Describe the Korean Digital Signature Algorithm (KDSA) and contrastKDSA with DSA. DSA • Base α, modulus p • Order(α) = q|(p − 1) q = large prime (160 bit) • Secret key = x < q 7 • Public key = y = αx mod p (certified) • To Sign form random k < q r = ((αk ) mod p) mod q) s = k −1 (H(m) + rx) mod q) H(m) = Hash of message; (r, s) = signature to message • To verify form s−1 mod q. Test −1 −1 αs H(m) × y s r mod p mod q = r? If correct, accept signature Note αs −1H(m) ×y s−1 r = αs −1 (H(m)+xr) = αk(H(m)+xr) = αk mod p −1 (H(m)+xr) Hence thing above =r The above involves forming k −1 mod q on signing, s−1 mod q on verifying. The message is not linked to the sender’s certificate. KDSA is faster & more secure on these 3 points: • H(Z|m) used, Z = Signatory’s certificate Secret key = x < q −1 Public key = y = αx mod p • Sign invert k r = H(αk mod p) < q s = x(k − (r ⊕ H(z|m)) (H() more secure mod q • Validate Test r = H(y s .αe mod p) with e = r ⊕ H(Z|M ) ( −1 = H(αsx .αe mod p) = H(αk mod p) Improvements 1. Sign no k −1 ; Verify no s−1 2. H(αk mod p) instead of (αk mod p) mod q 3. H(Z|m) 4. ⊕ instead of + (s1 -s2 secure) 8 9 Hash functions are used in digital signatures. How? What criteria should a hash function fulfill to be secure in this usage? Describe the SHA-1 function. Hash function may be used with a secret key to provide a MAC. Explain how this is done. Answer A digital signature is attached to a message (so tha its authenticity can be verified) and the signature is created from a digest or compressed form of the message (m) using the signatory’s private key, k. The method of compression is called a hash H(m) and the signature = S(k, H(m)). Compression is needed so that the signature is not too long. (On reception the recipient decrypts the encrypted H(m) with the sender’s public key and checks whether Decrypted H(m) = H(Recieved m) For this purpsoe it must not be possible to find another m0 such that H(m0 ) = H(m) - otherwise the valid signature to m could be attached to m0 making it appear that the original signatory had signed the replacement message. Similarly , it must be impossible to find m1 , m2 such that H(m1 ) = H(m2 ) - otherwise perhaps a valid m1 can be signed by a user & then the signature attached to m2 . These critera of course apply to extensions & curtailment of messages. SHA-1 has the general form: • 512 bit input at a time (16 32-bit words) • 160 bit output -DIAGRAM1. Divide Mi into 16 32-bit words W (0) to W (15) 2. Construct W (16) to W (79) from them 3. Set A = H0 , B = H1 , C = H2 , D = H3 , E = H4 (initial constants) 4. Loop 80 t=0,79 times Temp = S 5 (A) + f (t, B, C, D) + E + W (t) + K(t) E = D, D = C, C = S 30 (B), B = A, A = Temp 5. H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + E 6. i = i + 1 Next block of input The student is not expected to remember all the details but should show the general idea. Mention Padding & Message length. The socalled Hash-MAC is a method of producing a MAC (message authentication check) from a function and a key. The officially recommend approach is HMAC(key, message) = H(K ⊕ opad, H(K ⊕ ipad, message)) ipad and opad are constants of block length. 9 10 Describe the RSA technique for implementing public key cryptology. Illustrate your description using a modulus of 143. Explain how, with the Chinese Remainder Theorem, operations using the secret key may be speeded up if the factors of the modulus are explicitly employed. Illustrate your explanation. Choosing a small public key exponent will clearly speed up operations based on the public key. Are there associated dangers if this is done? Answer In RSA every user has a key pair; e = public key, d = private/secret key, and a modulus n. de = 1 mod φ(n) = 1 mod (p − 1)(q − 1) where n = p.q = Product of two primes which are secret (i.e. security is based on attacker not being able to factorise n, so not being able to find φ(n), and so not being able to find d = e−1 mod φ(n). To send a secret message, m, encrypted to another user one employs the other user’s public key & forms c = me mod n The recipient can decrypt the message by cd cd = med mod n = m1+Kφ(n) mod n = m To sign a message m the user uses his own secret key d & forms a signature H(m)d mod n, where H(m) = Hash(message). The recipient performs (H(m)d )e mod n = H(m) and checks if this equals H(received message. NOTE: d is protected from discovery in Sig = H(m)d mod n (Sig known, H(m) known, p known) by the discrete log (DL) problem. Example p = 11, q = 13, n = 143, φ(n) = (p − 1)(q − 1) = 10 ∗ 12 = 120 Suppose e = 7 then d = 103 as 7 × 103 = 1 mod 120 To encrypt message m = 2 c = 27 mod 143 = 128 = −15 cd = (−15)103 mod 143 2 (−15) = 225 = 82 mod 143 (−15)4 = 822 = 6724 = 3 (−15)8 = 9 (−15)16 = 81 (−15)32 = 6561 = 126 = −17 (−15)64 = (−17)2 = 289 = 3 (−15)96 = 3 × −17 = −51 (−15)100 = −51 × 3 = −153 = −10 (−15)102 = −10 × 82 = −820 = 38 (−15)103 = 38 × −15 = −570 = 2 ∴ m = 2 Correct 10 If we use p, q we can form mp = (cd mod p) = cdp mod p dp = d mod (p − 1) mq = (cd mod q) = cdq mod p dq = d mod (q − 1) & use the Chinese Remainder Theorem to find cd mod n = cd mod pq ( dp = 103 mod 10 = 3 using the above figures dq = 103 mod 12 = 7 mp = 1283 3 mp = 7 mod 11 mod 11 =7×5=2 7 mq = 128 mod 11 mod 13 7 = (−2) mod 13 = 64 × −2 mod 13 = −1 × −2 mod 13 =2 mod 13 ∴m=2 If e is small e.g. e = 3 a message m could be sent to 3 differente destinations ( assuming they use the same exponent but differente moduli n1 , n2 , n3 ) as c1 = me mod n1 c2 = me mod n2 c3 = me mod n3 Then an attacker could find c = me mod (n1 n2 n3 ) using CRT & since m < n1 , n2 , n3 , me (e = 3) < (n1 n2 n3 ). so m can be found m = c13 . i.e. a small public key exponent shared between k users can lead to a message sent to all k users being decrypted by an attacker. 11
© Copyright 2024