
2014 Exam 2

Uploaded by

isaac661133

Cryptography Final Exam 2014/06/17

Part I (3 points each)

1. Which of the following multiplicative groups does NOT have order 24?

A. $\mathbb{Z}_{35}^*$ B. $\mathbb{Z}_{39}^*$ C. $\mathbb{Z}_{52}^*$ D. $\mathbb{Z}_{56}^*$ E. None of the above

2. Which has the closest security level to RSA-3072?


A. AES-192 B. AES-256 C. ECC-256 D. ECC-384 E. None of the above

3. Which is a generator of the cyclic multiplicative group of order 7 in $\mathbb{Z}_{43}^*$?

A. $6^{(43-1)/3}$ B. $6^{(43-1)/6}$ C. $6^{(43-1)/7}$ D. $6^{(43-1)/14}$ E. None of the above

4. Suppose $a^4 \equiv 1 \pmod{n}$. Which implies that n (> 10000) is a composite number?

A. $a^2 \equiv 2014 \pmod{n}$ B. $a^2 \equiv 1 \pmod{n}$
C. $a \equiv 2014 \pmod{n}$ D. $a \equiv 1 \pmod{n}$ E. None of the above

5. Which property is NOT provided by MACs (Message Authentication Codes)?


A. Arbitrary input size B. Non-repudiation
C. Message integrity D. Message authentication E. None of the above

6. Let n be an RSA modulus with n = pq, where p and q are large primes. Let e and d
with $ed \equiv 1 \pmod{k}$ be the public and private exponents of RSA, respectively. Originally we have
$k = \varphi(n)$. Which is a better k, so that decryption still works but d is
possibly smaller? This choice was formulated in SP 800-56B, published by NIST.
A. $\mathrm{LCM}((p-1), (q-1))$ B. $\mathrm{LCM}((p+1), (q+1))$
C. $\mathrm{GCD}((p-1), (q-1))$ D. $\mathrm{GCD}((p+1), (q+1))$ E. None of the above

7. Let $k_{pu}$ denote Bob's public key. The basic structure of Bob's certificate can be
expressed as $\mathrm{Cert(Bob)} = (k_{pu}, \mathrm{ID(Bob)}, F_K(k_{pu}, \mathrm{ID(Bob)}))$, where F denotes some
cryptographic operation. Which kind of key is K (belonging to the Certificate Authority)?
A. Public key for encryption B. Private key for decryption
C. Public key for verification D. Private key for signing E. None of the above

8. For a secure hash function h, which should NOT be computationally infeasible?

A. Given x, find y with y = h(x) B. Find x and x′ with x ≠ x′ and h(x) = h(x′)
C. Given y, find x with y = h(x) D. Given x, find x′ with x′ ≠ x and h(x′) = h(x)
E. None of the above

9. Which statement about hash functions or MACs is FALSE?
A. HMAC is a MAC built from hash functions
B. CBC-MAC is a MAC constructed from block ciphers
C. SHA-1 is used in Bitcoin for Proof-of-Work
D. SHA-2 has four possible output lengths: 224, 256, 384, and 512 bits
E. None of the above

10. Which statement about KEK (Key Encryption Key) is FALSE?


A. KDC (Key Distribution Center) shares a KEK with each user respectively
B. KDC sends session keys encrypted by KEKs to users
C. If a new user is added, the corresponding KEK does not affect the other users
D. If KEKs are compromised, an attacker still cannot decrypt past messages
E. None of the above

Part II (3 points each)

• Transactions of today's major cryptographic currencies, such as Bitcoin and Litecoin, are executed using ECDSA (Elliptic Curve Digital Signature Algorithm). Perform a small ECDSA on the elliptic curve group defined by $y^2 = x^3 + x + 4$ over GF(23), as shown in the figure. The base point is G = (4, 7).

[Figure: the points of the curve over GF(23); 28 solutions]

  • The order of G is n = ___(11)___.
  • −G = ___(12)___.
  • 2G = ___(13)___.
  • Choose x = 3 randomly as the private key; then the public key is P = ___(14)___.
  • To sign a message m, the following steps are executed:
    • Calculate e = HASH(m). Assume z = 12 is the $L_n$ leftmost bits of e.
    • Choose k = 5 randomly as an ephemeral key.
    • Calculate $r = x_1 \bmod n$, where $(x_1, y_1) = kG$ = ___(15)___.
    • Calculate $s = k^{-1}(z + rx) \bmod n$ = ___(16)___.
    • The signature is the pair (r, s).
  • To verify the signature (r, s), the following steps are executed:
    • Calculate $t = z s^{-1} \bmod n$.
    • Calculate $u = r s^{-1} \bmod n$.
    • Calculate $v = x_2 \bmod n$, where $(x_2, y_2) = V = tG + uP$.
    • The signature (r, s) is accepted if ___(17)___.

• All modern factoring algorithms, such as the Number Field Sieve and the Quadratic Sieve, were inspired by Fermat's idea: find x and y satisfying $x^2 \equiv y^2 \pmod{N}$ to factor N. From $8535^2 \equiv 5488^2 \pmod{104983}$, the prime factorization $104983 = p \times q$ is obtained as p = ___(18)___ and q = ___(19)___ with p > q.

• Given a point P on an elliptic curve E, compute 47P in the elliptic curve group.
  • Using standard "Double-and-Add", u doublings and v additions are required. We have u = ___(20)___ and v = ___(21)___.
  • −P is obtained without effort. If the addition of −P is allowed, u doublings and a minimal number w of additions are required. Then we have w = ___(22)___.

• RSA signatures are usually implemented with the Chinese Remainder Theorem (CRT). Suppose Bob has the public modulus $N = 247$ $(= 13 \times 19)$, with prime factors p = 13 and q = 19 kept secret, and the public exponent e = 5 for signature verification.
  • The value of the Euler φ-function for N is $\varphi(247)$ = ___(23)___.
  • Bob's private key for signing is d = ___(24)___, where $0 < d < \varphi(247)$.
  • Bob signs the message m = 62 as follows.
    • $m^d \bmod p = (m \bmod p)^{d \bmod \varphi(p)} \bmod p = 4 = A$, where $0 \le A < p$.
    • $m^d \bmod q = (m \bmod q)^{d \bmod \varphi(q)} \bmod q$ = ___(25)___ $= B$, where $0 \le B < q$.
    • Solve the system of congruences by CRT: $m^d \equiv A \pmod{p}$; $m^d \equiv B \pmod{q}$, and obtain the signature $s = m^d \bmod N$ = ___(26)___, where $0 \le s < N$. This answer can be double-checked by the equality $m \equiv s^e \pmod{N}$.

• Among the following public-key schemes, choose the correct ones that satisfy each specified property.
A. RSA encryption
B. RSA signature
C. ElGamal encryption
D. Diffie-Hellman key exchange
E. ECDH (Elliptic Curve Diffie-Hellman)
F. DSA (Digital Signature Algorithm)
G. ECDSA (Elliptic Curve Digital Signature Algorithm)
  • The security of ___(27)___ is based on the difficulty of the discrete logarithm problem (DLP) over finite fields (usually prime fields).
  • ___(28)___ are included in “Suite B”, regulated by the National Security Agency of the USA.
  • In addition to the public key or private key, there is an ephemeral key used in the protocols of ___(29)___.
  • ___(30)___ can be used for “key transport”, that is, a session key is generated by one party and then sent by these schemes to the other party.

Part III (Write down all details of your work)

31 (6 points)
An elliptic curve E (over a finite field F) and a base point $G \in E$ are given as the domain
parameters for the ECDH (Elliptic Curve Diffie-Hellman) key exchange scheme.
(a) How do Alice and Bob agree on a shared symmetric key by ECDH?
(b) How can a Man-in-the-Middle attack on ECDH between Alice and Bob be performed?
(c) How can the Man-in-the-Middle attack be avoided?

32 (4 points)
Through the revelations of Edward Snowden, the existence of the “Bullrun” program of the NSA (National Security Agency of the USA) became known in September 2013. One of the purposes of Bullrun was described as being “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times stated plainly that “the NSA had inserted a backdoor into a 2006 standard adopted by NIST, called the Dual EC DRBG standard.”

The random number generator Dual_EC_DRBG was published in SP 800-90A by NIST in 2006. A simplified structure of Dual_EC_DRBG can be expressed as

$$s_i = \varphi(x(s_{i-1} \cdot P))$$
$$r_i = \varphi(x(s_i \cdot Q))$$

for each step i = 1, 2, 3, …, where
• $s_0$ is the seed;
• $s_i$ is the i-th internal state;
• $r_i$ is the i-th random output value;
• P and Q are two fixed points on the NIST P-256 curve;
• x is the extraction of the x-coordinate, i.e., x(a, b) = a for every point (a, b) on the curve;
• φ maps field elements to non-negative integers, taking the bit vector representation of a field element and interpreting it as the binary expansion of an integer.

Let n denote the order of the elliptic curve group defined by the NIST P-256 curve.
Apparently the NSA has the value t such that $Q = t \cdot P$. Explain how the backdoor works.
That is, given an output $r_j$, explain how the NSA derives every future output $r_i$ for i > j.
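
Added example (not part of the exam or its solution): a Python sketch on the Part II toy curve over GF(23) that serves both the ECDSA problem and question 32. It reproduces the Part II signature values and shows, for the simplified generator above, why knowledge of t with Q = t·P turns one output into the next. The function names, the seed 5, the value t = 7 and the choice P = G are constructed for illustration.

```python
# Added example, not the exam's code: y^2 = x^3 + x + 4 over GF(23), G of order 29.
F, A, B, G, N = 23, 1, 4, (4, 7), 29

def add(p, q):
    """Add two points; None stands for the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % F == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p == q else (y2 - y1, x2 - x1)
    lam = num * pow(den % F, -1, F)
    x3 = (lam * lam - x1 - x2) % F
    return x3, (lam * (x1 - x3) - y1) % F

def mul(k, p):  # left-to-right double-and-add, returns k*p
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        acc = add(acc, p) if bit == "1" else acc
    return acc

def sign(z, x, k):
    """ECDSA signature (r, s) on digest z with private key x and nonce k."""
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * x) % N

def verify(z, r, s, pub):
    """Accept iff r, s are in range and x(t*G + u*pub) mod N equals r."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    v = add(mul(z * w % N, G), mul(r * w % N, pub))
    return v is not None and v[0] % N == r

def dual_ec(s, P, Q, count):
    """Question 32's simplified generator: s_i = x(s_{i-1}*P), r_i = x(s_i*Q)."""
    for _ in range(count):
        s = mul(s, P)[0]
        yield mul(s, Q)[0]

def predict_next(r_j, t, Q):
    """Knowing t with Q = t*P, derive r_{j+1} from the single output r_j."""
    R = next((r_j, y) for y in range(F) if (y * y - r_j**3 - A * r_j - B) % F == 0)
    s_next = mul(pow(t, -1, N), R)[0]  # t^-1*(+-s_j*Q) = +-s_j*P; its x is s_{j+1}
    return mul(s_next, Q)[0]

if __name__ == "__main__":  # constructed toy inputs: seed 5, t = 7, P = G
    outs = list(dual_ec(5, G, mul(7, G), 4))
    print(sign(12, 3, 5), outs, [predict_next(r, 7, mul(7, G)) for r in outs[:3]])
```

Lifting r_j back to a point leaves the sign of y unknown, but a point and its negative share the same x-coordinate, so the recovered state is the same either way. On this toy curve a state of 0 would hit the point at infinity; the constructed seed avoids it.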
Name: __________ Department: ________ Student ID#: __________

1 2 3 4 5 6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 & 32

Solution
1: E    2: C    3: E    4: A    5: B    6: A    7: D    8: A    9: C    10: D

11: 29    12: (4, 16)    13: (10, 18)    14: (13, 11)    15: (8, 8)

16: 13    17: v = r    18: 379    19: 277    20: 5

21: 4    22: 2    23: 216    24: 173    25: 6

26: 82    27: CDF    28: EG    29: CFG    30: AC
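
Added example (not part of the exam or its solution): a Python check of the Part II RSA-CRT and congruence-of-squares problems, which also shows that the smaller private exponent from k = LCM(p−1, q−1) in question 6 produces the same signature. The function names are hypothetical; the numbers are the exam's own.

```python
# Added example, not the exam's code: RSA-CRT signing and factoring from x^2 = y^2 (mod n).
from math import gcd

def crt_sign(m, d, p, q):
    """RSA signature m^d mod pq computed through the two prime moduli."""
    a = pow(m % p, d % (p - 1), p)           # A = m^d mod p
    b = pow(m % q, d % (q - 1), q)           # B = m^d mod q
    h = (b - a) * pow(p, -1, q) % q          # Garner step: s = a + p*h, s = b (mod q)
    return a + p * h

def sign_checked(m, e, d, p, q):
    """Release the signature only if m = s^e (mod N) holds, as the exam suggests."""
    s = crt_sign(m, d, p, q)
    if pow(s, e, p * q) != m % (p * q):
        raise ValueError("CRT result failed verification; do not release it")
    return s

def private_exponents(e, p, q):
    """d for k = phi(N) and d for k = LCM(p-1, q-1), the choice in question 6."""
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)
    return pow(e, -1, phi), pow(e, -1, lam)

def split_from_squares(x, y, n):
    """Return (p, q) with p > q from x^2 = y^2 (mod n), if x != +-y (mod n)."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent mod n")
    f = gcd(x - y, n)
    if f in (1, n):
        raise ValueError("trivial congruence: x = +-y (mod n)")
    return max(f, n // f), min(f, n // f)

if __name__ == "__main__":
    d_phi, d_lam = private_exponents(5, 13, 19)
    print(d_phi, d_lam, sign_checked(62, 5, d_phi, 13, 19), crt_sign(62, d_lam, 13, 19))
    print(split_from_squares(8535, 5488, 104983))
```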
