Take-Home Final Exam of CS549: Cryptography and Network Security
Assigned: November 27th, 2010
Due Date: 11:59PM, Dec 5th, 2010. Chicago Time.
No Extensions!
Fall 2010, CS Department, IIT
The following are the four questions for your take-home final exam of CS549.
1. (10 points)
Consider the RSA Full Domain Hash signing method. Let (N, d) be an RSA public key used by Alice
and let H be a hash function that outputs elements in $Z_N^*$. Here N is the product of two large prime
numbers p and q. Suppose an attacker can find 7 messages $M_1, M_2, \cdots, M_7$ such that
$$\prod_{i=1}^{7} H(M_i) \equiv 1 \pmod{N}.$$
Assume that the attacker can get the signatures for 6 of the above 7 messages (but not all 7 messages).
Show how the attacker can get the signature of the other message.
2. (40 points)
This question is about the RSA encryption system. Given an integer modulus $n = p \cdot q$, and an encryption key
e with $\gcd(e, \varphi(n)) = 1$, we know that the number d, with $e \cdot d = 1 \bmod \varphi(n)$, can serve as the decryption
key for the RSA system. In other words, given any message m and ciphertext $c = m^e \bmod n$, the computation
$c^d \bmod n$ will give you the original message m.
Assume that Alice randomly selected two prime numbers p = 73 and q = 101. Alice randomly selected a
random number $e_1 = 119$ as her public key (for encryption). Assume that Bob also selected p = 73 and
q = 101 for his RSA system and Bob selected a random number $e_2 = 253$ as his public key. Alice published
her public key $e_1 = 119$ and n = 7373. Bob published his public key $e_2 = 253$ and n = 7373.
Charlie wants to send a message m = 2008 to both Alice and Bob using their public key for encryption.
Answer the following questions. For all computations, you need to show the details (step by step) of your
calculation. You cannot just list the number directly computed by using some code as your answer.
(a) (5 points) What is the ciphertext $C_1$ Charlie sent to Alice?
(b) (5 points) What is the ciphertext $C_2$ Charlie sent to Bob?
(c) (5 points) What is the decryption key $d_1$ used by Alice based on the RSA system?
(d) (5 points) Show the process by which Alice decrypts the ciphertext using only the procedure $C_1^{d_1} \bmod n$.
(e) (10 points) Assume that Bob uses the Chinese Remainder Theorem approach (see our lectures) instead
for decryption. Show all the computations done by Bob to decrypt the ciphertext $C_2$.
(f) (10 points) Assume that an attacker Oscar intercepted both the ciphertext $C_1$ and the ciphertext $C_2$.
Oscar only knows $n$, $e_1$, $e_2$. Is it possible that Oscar can recover the original message m (assuming
that Oscar cannot factor n now)? If possible, show the computing procedure Oscar can use
to find m.
3. (30 points)
A bit-commitment scheme allows a user (say Alice) to commit a bit (or a number) to another user (say
Bob) without telling Bob about it. Later on, Bob can ask Alice to reveal the commitment and Alice cannot
change the information without being caught. Let b be the bit to be committed by Alice to Bob, and x
be some additional information chosen by Alice. Let function f be a public function (known to everyone
including Alice and Bob) that will compute the commitment by Alice. The commitment $f(x, b)$ is often
called a blob.
A bit-commitment protocol is often needed to have the following properties:
• Concealing: Bob cannot find the value of b by only knowing the commitment $f(x, b)$ sent by Alice.
It is called perfectly concealing if it is theoretically impossible for Bob to find out b without Alice
revealing x to Bob.
• Binding: sender Alice can open the blob by revealing x (and b) to Bob. It is perfectly binding if
Alice cannot alter her commitment after she has made it, i.e., it will be theoretically impossible for
Alice to find another $x'$ such that $f(x, b) = f(x', \bar{b})$. Here $\bar{b}$ is the complement of bit b, i.e., $\bar{b} = 1$ if
$b = 0$ and $\bar{b} = 0$ if $b = 1$.
A simple perfectly binding protocol works as follows. Assume that Alice and Bob agree upon a common
large prime number p and a primitive root g mod p. Assume that Alice has a number $1 < a < p - 1$ that
she wants to commit to Bob. Alice computes $C = g^a \bmod p$ and sends it to Bob.
(a) (5 points) Prove that the above scheme is a perfectly binding scheme.
(b) (10 points) Show that Bob can recover some information about a. You only need to prove that (by
giving a polynomial-time method and showing its correctness) Bob can know the last bit of a.
(c) (8 points) Show that Bob can find the value of a in time polynomial in $\log p$ if he knows that the
value a satisfies
$$A + c_1 \log p \le a \le A + c_2 \log p$$
for some fixed constant integers $A$, $c_1$, and $c_2$. Here the constants are independent of the number p.
Please give a detailed polynomial-time method which Bob can use to find the integer a. You also need to
analyze the time complexity of your method.
(d) (7 points) Show that the following protocol is still perfectly binding.
i. Alice randomly selects a positive integer $r < p - 1$ such that $\gcd(r, p - 1) = 1$. Alice computes
$b = a \cdot r \bmod (p - 1)$. Alice sends Bob two integers $C_1 = g^r \bmod p$ and $C_2 = g^b \bmod p$.
ii. To reveal the commitment, Alice needs to reveal r and a to Bob.
4. (30 points)
This question is about RSA encryption. Assume that Alice chooses an integer n that is the product of
two large prime numbers p and q. Alice will publish a public key e, together with n. Alice will keep the
secret key d where $d \cdot e = 1 \bmod \varphi(n)$. [1]
[1] Originally we said that $d \cdot e = 1 \bmod n$, which is a typo.
Suppose Bob wishes to send a message M to Alice. He turns M into a number m with $0 < m < n$, using
some previously agreed-upon reversible protocol f known as a padding scheme, such as Optimal Asymmetric
Encryption Padding (OAEP). In other words, $m = f(M)$ for some function f.
Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c
corresponding to m as:
$$c = m^e \bmod n$$
This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.
(a) (5 points) Why do we need to use padding for encryption in practice? In other words, in practical
implementations, why can we not just encrypt the original number represented by the message M?
(b) (5 points) A cryptosystem is considered to be semantically secure (in other words, indistinguishability)
if no adversary A, given an encryption C of a message randomly chosen from two messages
$\{M_1, M_2\}$ determined by the adversary, can identify the message choice with probability significantly
better than that of random guessing (1/2). In other words, adversary A can know whether C is the
encryption of message $M_1$ or message $M_2$.
Show why textbook RSA encryption (as we learned in class, where the encryption of a message
M is simply $c = M^e \bmod n$) is not semantically secure.
(c) (10 points) For convenience, assume our RSA exponent e is 3 and that $\gcd(e, \varphi(n)) = 1$. A proposal
to make RSA semantically secure is as follows: Let $|x|$ denote the number of bits representing a
number x. If $k = |n|$ and 4 divides k, define the length of a valid message M to be $|M| < 3k/4$. For
each encryption operation, choose $k/4$ random bits r, append them to M such that $m = M \cdot 2^{k/4} + r$,
and encrypt the value m. Note that $|m| < |n|$, so $m \in Z_n$. When we decrypt a ciphertext, we will
simply discard the $k/4$ least significant bits of the decrypted plaintext. Is this scheme semantically
secure? Prove or disprove it either way.
(d) (10 points) Suppose we have a standard RSA public-key/private-key pair. Consider an RSA variant
where we will first select a random $r \in Z_n$. To encrypt a message M, we first convert it to an integer
$m \in Z_n$, where m is just the value of M. We will compute a ciphertext of the form
$c = (m \oplus r,\ r^e \bmod n) = (s, t)$, where $\oplus$ is the binary XOR operator. To decrypt c, one can simply decrypt t using
RSA and XOR the result with s. Is this scheme semantically secure? Prove or disprove it either way.
5. (20 points)
This question is about zero-knowledge proof systems. Assume that Alice wants to prove to Bob that
she knows a solution x of the equation $y = g^x \bmod p$, where p is a large prime integer and g is the primitive
root mod p. Here both Alice and Bob know the integers y, g and p.
Assume that Alice and Bob use the following protocol.
(a) Alice randomly selects a number $0 < j < n$, and computes $r = g^j \bmod p$. Alice sends the integer r
to Bob.
(b) Bob randomly selects a bit $i \in \{0, 1\}$, and sends i to Alice.
(c) Alice computes $h = i \cdot x + j \bmod (p - 1)$ and sends Bob h.
(d) Bob checks if $g^h = y^i \cdot r \bmod p$, and accepts Alice's proof if the equation holds. Otherwise, Bob
rejects the proof.
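One honest run of steps (a) to (d), with both sides' messages, as an added example that is not part of the original exam. The parameters p = 467, g = 2 and the secret x = 127 are constructed toy values, and because the page gives the range of j as 0 < j < n without defining n for this question, the code assumes j is drawn from 1..p−2.

```python
import secrets

# Constructed toy parameters, far too small for real use.
P = 467           # prime modulus
G = 2             # a primitive root mod 467
X = 127           # Alice's secret (constructed)
Y = pow(G, X, P)  # public value y = g^x mod p


def commit(g, p):
    """Step (a): Alice picks j and sends r = g^j mod p.
    Assumption: j is drawn from 1..p-2 (the page writes 0 < j < n)."""
    j = 1 + secrets.randbelow(p - 2)
    return j, pow(g, j, p)


def challenge():
    """Step (b): Bob sends a uniformly random bit i."""
    return secrets.randbelow(2)


def respond(x, j, i, p):
    """Step (c): Alice sends h = i*x + j mod (p-1)."""
    return (i * x + j) % (p - 1)


def verify(y, r, i, h, g, p):
    """Step (d): Bob accepts iff g^h = y^i * r mod p."""
    return pow(g, h, p) == (pow(y, i, p) * r) % p


def run_rounds(x, y, g, p, k):
    """Repeat the round k times; Bob accepts only if every round verifies.
    Returns (accepted, transcript); transcript holds what Bob sees."""
    transcript = []
    for _ in range(k):
        j, r = commit(g, p)
        i = challenge()
        h = respond(x, j, i, p)
        ok = verify(y, r, i, h, g, p)
        transcript.append((r, i, h, ok))
        if not ok:
            return False, transcript
    return True, transcript


if __name__ == "__main__":
    accepted, rounds = run_rounds(X, Y, G, P, k=20)
    for r, i, h, ok in rounds:
        print(f"r={r:3d}  i={i}  h={h:3d}  check={'ok' if ok else 'FAIL'}")
    print("Bob accepts:", accepted)
```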
Assume that Alice and Bob repeat the above protocol for k rounds. Bob accepts Alice's proof if he
accepts the proof for all these k rounds, and rejects the proof if he rejects in any round. Prove the following
(assume that Bob follows the protocol).
(a) (4 points) Completeness: Bob will accept the proof if Alice indeed knows x (assume that Alice follows
the protocol also).
(b) (4 points) Soundness: Bob will reject the proof with probability sufficiently close to $1 - \frac{1}{2^k}$, if Alice
does not know the number x even if Alice does not follow the protocol (trying to cheat).
(c) (4 points) Zero-knowledge: Prove that Bob gets nothing about the integer x after Alice and Bob
conduct the above protocol and Alice does not use j twice.
(d) (4 points) Show a method for Bob that he can get the number x if Alice uses the integer j twice.
(e) (4 points) Show that Alice can cheat if Bob fixes his challenge i (to either 1 or 0).