Assignment 5 distributed

INFO-I 538: Introduction to Cryptography
Spring 2015 – Assignment 5
Assigned: March 25, 2015
Due date: April 8, 2015 by 11:59 pm
Submit to: [email protected]
Total points: 30
1. [5 points] Solve each of the following and show how you did it. You can (indeed, should) ask Wolfram
Alpha (or any symbolic computation package) to compute modular exponentiations for you; however,
you may not ask for the solution to any modular exponentiation in which the exponent is not an integer.
(Note: 104 723, 7 919, and 7 907 are all primes.)
(a) Compute both square roots of 123 modulo 104 723, or prove that no such square roots exist.
(b) Compute both square roots of 1 234 modulo 104 723, or prove that no such square roots exist.
(c) Compute a 17th root of 500 modulo 62 615 533 = 7 919 · 7 907.
2. [3 points] Consider the following key-exchange protocol:
(i) Alice chooses a key $k \in_R \{0,1\}^n$ and pad $r \in_R \{0,1\}^n$, and then she sends $s := k \oplus r$ to Bob.
(ii) Bob chooses $t \in_R \{0,1\}^n$, and then he sends $u := s \oplus t$ to Alice.
(iii) Alice computes $w := u \oplus r$, and then she sends $w$ to Bob.
(iv) Alice outputs $k$ and Bob outputs $k' := w \oplus t$.
Show that Alice and Bob output the same key (i.e., show that $k = k'$), and then analyze the security of
the scheme (i.e., either prove that it is secure or exhibit a concrete attack against it).
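The four steps above as an added Python example (not part of the assignment): each party's computation, the check that $k = k'$, and what a passive observer of the transcript $(s, u, w)$ can compute. The key length n = 128 bits and the use of Python's `secrets` module are assumptions.

```python
import secrets

N_BITS = 128  # assumed key/pad length n (constructed parameter)


def alice_round1(n_bits=N_BITS):
    """Step (i): Alice picks key k and pad r uniformly and sends s = k XOR r."""
    k = secrets.randbits(n_bits)
    r = secrets.randbits(n_bits)
    return k, r, k ^ r


def bob_round2(s, n_bits=N_BITS):
    """Step (ii): Bob picks pad t uniformly and sends u = s XOR t."""
    t = secrets.randbits(n_bits)
    return t, s ^ t


def alice_round3(u, r):
    """Step (iii): Alice removes her pad and sends w = u XOR r.
    Algebraically w = (k XOR r XOR t) XOR r = k XOR t."""
    return u ^ r


def bob_output(w, t):
    """Step (iv): Bob outputs k' = w XOR t = (k XOR t) XOR t = k."""
    return w ^ t


def run_protocol(n_bits=N_BITS):
    """Run all four steps; return Alice's k, Bob's k', and the public transcript."""
    k, r, s = alice_round1(n_bits)
    t, u = bob_round2(s, n_bits)
    w = alice_round3(u, r)
    return k, bob_output(w, t), (s, u, w)


def eavesdropper(transcript):
    """What a passive observer of (s, u, w) alone can derive:
    s XOR u = t (Bob's pad), and w XOR t = k, so k = s XOR u XOR w."""
    s, u, w = transcript
    return s ^ u ^ w
```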
3. [3 points] Let (Gen, Enc, Dec) be a public-key encryption scheme. Show that, given a public key pk
and a ciphertext $c$ computed as $c \leftarrow \mathsf{Enc}_{pk}(m)$, it is possible for an unbounded attacker to determine
m with probability 1. This implies that perfectly-secret public-key encryption is impossible.
4. [2 points] Say a deterministic public-key encryption scheme is used to encrypt a message m that is
known to lie in a small set of L possible values. Show how it is possible to determine m in time
linear in L (assume that encryption of an element takes a single unit of time). This implies that secure
deterministic public-key encryption is impossible, even against computationally limited attackers.
5. [3 points] The public exponent e in RSA can be chosen arbitrarily, subject to gcd(e, ϕ(n)) = 1. Popular
choices of $e$ include $e = 3$ and $e = 2^{16} + 1$. Explain why such $e$ are preferable to a random value of
the same length. (Hint: Think about how modular exponentiations are evaluated in practice — even
look up some modular multiplication algorithms.)
6. [4 points] The natural way of applying hybrid encryption to the El Gamal encryption scheme is as
follows. The public key is $pk = \langle G, q, g, h \rangle$ as in the El Gamal scheme, and to encrypt a message $m$ the
sender chooses random $k \leftarrow \{0,1\}^n$ and sends $\langle g^r,\ h^r \cdot k,\ \mathsf{Enc}_{f(k)}(m) \rangle$, where $r \in_R \mathbb{Z}_q^*$, where Enc is
the encryption algorithm from some symmetric-key encryption scheme, and where f (k) is a function
that maps group elements to bit-strings suitable for use as keys in the symmetric-key encryption
scheme. Suggest an improvement that results in a shorter ciphertext containing only a single group
element followed by a private key encryption of m. (You should provide a convincing explanation of
why your approach is secure, but you need not provide a rigorous formal proof of its security.)
7. [7 points] A commitment scheme enables Alice to “commit” to a value x using a short string C that
she can show to Bob. The commitment scheme is said to be unconditionally hiding if the commitment
string does not reveal to Bob any information about the committed value x. At a later time, Alice
may “open” the commitment (or “decommit”) and thereby convince Bob that the committed value is
x. The commitment is computationally binding if no PPT committer Alice can convince Bob that
the committed value is some $x' \neq x$.
Here is an example of a commitment scheme:
Public values: A cyclic group $G$ of prime order $q$, and two random generators $g, h \in_R G$.
Commit: To commit to an integer $x \in \mathbb{Z}_q$, Alice chooses $r \in_R \mathbb{Z}_q$ and computes $C := g^x h^r$.
Alice outputs the commitment $C$ and retains $(x, r)$ for the later opening of $C$.
Decommit: To open $C$ to $x$, Alice sends $(x, r)$ to Bob. Bob verifies the opening by
computing $C' := g^x h^r$ and then checking that $C = C'$.
Provide formal (game-based) definitions for the unconditional hiding property and for the computational binding property, and then prove that, under your proposed definitions, the given commitment
scheme is secure under the DL assumption. (Note: When defining security games, clarity is extremely
important!)
To prove that the scheme is unconditionally hiding, you should prove that $\Pr[x \mid C] = \Pr[x' \mid C]$ for all
$x, x' \in \mathbb{Z}_q$. To prove that it is computationally binding under the DL assumption, you should provide
a reduction; i.e., show that if Alice can open $C$ to $(x, r)$ and $(x', r')$ with $x \neq x'$, then she can solve the
DL problem in $G$.
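The commitment scheme above, implemented as an added Python example (not from the assignment) over a constructed toy group with p = 23 and q = 11: commit and decommit, a brute-force check of the hiding property that is only feasible because the group is tiny, and the extraction step the binding reduction relies on (two openings with $x \neq x'$ yield $\log_g h$). The parameters, generators and function names are assumptions.

```python
import secrets

# Constructed toy parameters, NOT secure: p = 2q + 1 with q = 11 prime, so the
# quadratic residues mod p form a cyclic group G of prime order q.  In a real
# deployment p, q are large and h is generated so that nobody knows log_g(h).
P, Q = 23, 11
G_GEN = 4   # 2^2 mod 23, a generator of the order-11 subgroup
H_GEN = 9   # 3^2 mod 23, a second generator of the same subgroup


def commit(x, g=G_GEN, h=H_GEN, p=P, q=Q, r=None):
    """Commit: C := g^x h^r mod p with r uniform in Z_q.
    Returns (C, (x, r)); Alice publishes C and keeps (x, r) for the opening."""
    if r is None:
        r = secrets.randbelow(q)
    C = (pow(g, x % q, p) * pow(h, r, p)) % p
    return C, (x % q, r)


def verify_opening(C, x, r, g=G_GEN, h=H_GEN, p=P, q=Q):
    """Decommit: Bob recomputes C' := g^x h^r and accepts iff C == C'."""
    if not 0 <= r < q:
        return False
    return (pow(g, x % q, p) * pow(h, r, p)) % p == C


def openings_per_value(C, g=G_GEN, h=H_GEN, p=P, q=Q):
    """Unconditional hiding, checked by brute force in the toy group: for each
    x in Z_q, count the r that open C to x.  Exactly one r per x means C is
    distributed identically whatever x is, i.e. Pr[x | C] = Pr[x' | C]."""
    return [sum(1 for r in range(q) if verify_opening(C, x, r, g, h, p, q))
            for x in range(q)]


def extract_dlog(x1, r1, x2, r2, q=Q):
    """Binding reduction: two openings (x1, r1), (x2, r2) of the same C with
    x1 != x2 satisfy g^x1 h^r1 = g^x2 h^r2, hence h^(r1 - r2) = g^(x2 - x1)
    and log_g(h) = (x2 - x1) * (r1 - r2)^-1 mod q.  Returns None when
    r1 == r2 (then x1 == x2 as well, so there is nothing to extract)."""
    if (r1 - r2) % q == 0:
        return None
    return ((x2 - x1) * pow(r1 - r2, -1, q)) % q


if __name__ == "__main__":
    C, (x, r) = commit(7)
    assert verify_opening(C, x, r)
    print("openings per candidate x:", openings_per_value(C))  # eleven 1s
```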
8. [3 points] Explain how a man-in-the-middle attacker can leverage its position between Alice and Bob
to break the security of the (unauthenticated) Diffie-Hellman key-exchange protocol. In particular,
show how the attacker can end up sharing one key $k_A$ with Alice and a (different) key $k_B$ with Bob in
such a way that Alice and Bob cannot detect that anything has gone wrong.
What happens if Alice and Bob try to detect the presence of a man-in-the-middle attacker by sending
each other (encrypted) questions that only the other party would know how to answer?