2014 Exam 2
2014 Exam 2
6. Let n be an RSA modulus with n = pq, where p and q are large primes. Let e and d
with ed 1 (mod k) be public and private exponent of RSA respectively. We have
k = (n) originally. Which is a better k, so that the decryption still works but d is
possibly smaller? Actually it was formulated in SP 800-56B published by NIST.
A. LCM(( p1), (q1)) B. LCM(( p+1), (q+1))
C. GCD(( p1), (q1)) D. GCD(( p+1), (q+1)) E. None of the above
7. Let kpu denote Bob’s public key. The basic structure of Bob’s certificate can be
expressed as Cert(Bob) = (kpu, ID(Bob), FK (kpu, ID(Bob))), where F denotes some
cryptographic operation. Which kind of key is K (belonging to Certificate Authority)?
A. Public key for encryption B. Private key for decryption
C. Public key for verification D. Private key for signing E. None of the above
Given a point P on an elliptic curve E, compute 47P in the elliptic curve group.
Using standard “Double-and-Add”, u doublings and v additions are required.
We have u = 20 . and v = 21 ..
P is obtained without effort. If the addition of P is allowed, u doublings
and minimal w additions are required. Then we have w = 22 ..
Among the following public-key schemes, choose the correct ones to satisfy the
specified property respectively.
A. RSA encryption
B. RSA signature
C. ElGamal encryption
D. Diffie-Hellman key exchange
E. ECDH (Elliptic Curve Diffie-Hellman)
F. DSA (Digital Signature Algorithm)
G. ECDSA (Elliptic Curve Digital Signature Algorithm)
The security of 27 are based on the difficulty of discrete logarithm problem
(DLP) over finite fields (usually prime fields).
28 are included in “Suite B” regulated by National Security Agency of USA.
In addition to public key or private key, there is an ephemeral key used in the
protocols of 29 .
30 can be used for “key transport”, that is, a session key is generated by
one party then sent by these schemes to the other party.
Part III (Write down all details of your work)
31 (6 points)
Given an elliptic curve E (over a finite field F) and a base point G E as the domain
parameters for ECDH (Elliptic Curve Diffie-Hellman) key exchange scheme.
(a) How do Alice and Bob agree a shared symmetric key by ECDH?
(b) How to perform Man-in-the-Middle attack on ECDH between Alice and Bob?
(c) How to avoid Man-in-the-Middle attack?
32 (4 points)
According to the revelation by Edward Snowden, the existence of “Bullrun” program
of NSA, National Security Agency of USA, was revealed in September 2013. One of
the purposes of Bullrun was described as being “to covertly introduce weaknesses into
the encryption standards followed by hardware and software developers around the
world.” The New York Times stated plainly that “the NSA had inserted a backdoor into
a 2006 standard adopted by NIST, called the Dual EC DRBG standard.”
The random number generator Dual_EC_DRBG was published in SP 800-90A
by NIST in 2006. A simplified structure of Dual_EC_DRBG can be expressed as
si = ( x (si1 P))
ri = ( x (si Q))
for each step i = 1, 2, 3, …, where s0 is the seed;
si is the i-th internal state;
ri is the i-th random output value;
P and Q are two fixed points on the NIST P-256 curve;
x is the extraction of x-coordinate, i.e., x(a, b) = a for every point (a, b) on the curve;
maps field elements to non-negative integers, taking the bit vector representation of
a field element and interpreting it as the binary expansion of an integer.
Denote n as the order of the elliptic curve group defined by NIST P-256 curve.
Apparently NSA has the value t such that Q = t P. Explain how the backdoor works.
That is, given an output rj, explain how NSA derives every future output ri for i > j.
Cryptography Final Exam 2014/06/17
Name: __________ Department: ________ Student ID#: __________
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15
16 17 18 19 20
21 22 23 24 25
26 27 28 29 30
31 & 32
Cryptography Final Exam 2014/06/17
Solution
1 2 3 4 5 6 7 8 9 10
E C E A B A D A C D
11 12 13 14 15
4 2 216 173 6
26 27 28 29 30
82 CDF EG CFG AC