2013 Exam 2

Uploaded by

isaac661133
Cryptography Final Exam 2013/06/18

Part I (3 points each)

1. Let a map GF(15625) → GF(15625) be defined by x ↦ x^n. Which value of n makes the map an isomorphism?
A. 2 B. 3 C. 5 D. 6 E. None of the above

2. Let n be the bit length of the base field of ECC (Elliptic Curve Cryptography). What
is the computational complexity of ECC? Do not confuse it with “security level”.
A. O(n^2) B. O(n^3) C. O(n^4) D. O(n^5) E. None of the above

3. Let n be an RSA modulus with n = pq, where p and q are primes. Let e and d with
ed ≡ 1 (mod k) be public and private exponents of RSA respectively. Which is k?
A. pq + 1 B. pq − 1 C. pq + p + q + 1 D. pq − p − q − 1 E. None of the above

4. For which prime numbers p and q can a multiplicative cyclic group of order q be
constructed as a subgroup of (Z_p*, ×)? Cryptographic primitives based on the
discrete logarithm problem operate on such groups.
A. p = 863, q = 109 B. p = 857, q = 107
C. p = 859, q = 103 D. p = 853, q = 101 E. None of the above

5. Which should NOT be listed on a certificate?
A. Period of Validity B. Signature signed by CA
C. Serial number D. Subject's Private key E. None of the above

6. For a secure hash function h, which should NOT be computationally infeasible?
A. Given y, find x with y = h(x) B. Given x, find x′ with x′ ≠ x and h(x′) = h(x)
C. Given x, find y with y = h(x) D. Find x and x′ with x ≠ x′ and h(x) = h(x′)
E. None of the above

7. The implementations of ECC consist of four layers. Which layer is computationally
most expensive and deserves most effort of optimization?
A. Bottom layer: modular arithmetic, i.e., +, −, ×, and ÷ in GF(p)
B. Basic group operations, i.e., P + Q and 2P on elliptic curve groups
C. Scalar multiplications, i.e., kP on elliptic curve groups
D. Upper layer: protocols, such as ECDH and ECDSA
E. None of the above

8. Which property is NOT provided by MACs (Message Authentication Codes)?
A. Fixed output length: fixed-size authentication tags are generated
B. Integrity: any manipulation of a message during transit will be detected
C. Authentication: the receiver is assured of the origin of the message
D. Non-repudiation: the sender cannot deny the origination of the message
E. None of the above

9. Which statement about DSA (Digital Signature Algorithm) is FALSE?
A. Proposed by NIST to be a Federal US Government standard
B. Based on the Elgamal signature scheme
C. Signature verification is faster compared to RSA of similar security level
D. Can be attacked if the same ephemeral key is used to sign two different messages
E. None of the above

10. Which statement about key establishment with KDC (Key Distribution Center) is FALSE?
A. Every user shares a KEK (Key Encryption Key) with KDC and each other user
B. KDC sends session keys encrypted by KEKs to users
C. In a system with n users, only n long-term key pairs are required
D. If a new user is added, a secure key is only needed between the user and the KDC
E. None of the above

Part II (3 points each)

• Study the structure of GF(2^6)
  - GF(2^6) has 4 subfields: GF(2), GF(2^2), GF(__11__), and GF(2^6) itself
  - There are __12__ generators of the cyclic multiplicative group GF(2^6)*

• Alice and Bob will agree on a key by ECDH (Elliptic Curve Diffie-Hellman key exchange) on the group defined by y^2 = x^3 + x + 4 over GF(23). P = (7, 3) is fixed as the base point.
  - The order of the elliptic curve group is __13__.
  - Alice selects a = 21, then sends the point A = 21P = (10, 5) to Bob. Using "double-and-add" for scalar multiplication (similar to "square-and-multiply" for exponentiation), Alice needs 4 doublings and __14__ additions.
  - Bob selects b = 3, then sends the point B = 3P = (18, 9) to Bob. The agreed key comes from the x-coordinate of the point nP = __15__, where n = __16__.
• Consider ElGamal encryption with the domain parameters p = 47, and g = 4 as a generator of the subgroup with order 23 of Z_47*.
  - Alice's private key is a = 3, then her public key is (p, g, h) = (47, 4, __17__).
  - The ciphertext (c_1, c_2) = (37, 12) is obtained from Bob, where c_1 = g^k mod p and k is a random ephemeral key chosen by him. Then the corresponding plaintext is m = __18__.

• SHA (Secure Hash Algorithm) standards are published by NIST.
  - The output length of SHA-1 is __19__ bits. The complexity of finding a collision has been reduced to 2^63 from 2^80 by the research led by Xiaoyun Wang.
  - SHA-2 has four possible output lengths: 224, __20__ (= m), __21__ (= n), and 512 bits. According to Suite B announced by NSA (National Security Agency), SHA-m and SHA-n are used to protect classified information up to Secret and Top Secret levels of US government respectively.
  - SHA-3 competition was won by Keccak algorithm in October, 2012.

• Complete the Left-to-Right Square-and-Multiply for modular exponentiation:
  INPUT: x, modulus n, and k = (k_t, ..., k_1, k_0)_2 with k = Σ_{i=0}^{t} k_i 2^i where k_i ∈ {0, 1}
  OUTPUT: x^k mod n
  1. r ← x
  2. For i from __22__ downto 0 do
     2.1 r ← r^2 mod n
     2.2 If k_i = 1 then r ← __23__ mod n
  3. Return (r)

• Miller-Rabin primality test is extensively used for prime generations.
  - The test is based on the following fact:
    If a ≢ ±1 (mod n) but __24__ (mod n), then n must be a composite.
  - Complete the Miller-Rabin test to determine the primality of an integer n:
    Write n − 1 = 2^k m where m is odd
    Choose a ∈ {2, …, n − 2} randomly
    Compute b = __25__ (mod n)
    If (b ≠ 1 and b ≠ (n − 1))
        i = 1
        While (i < k and b ≠ (n − 1))
            b = __26__ (mod n)
            If (b = 1) Output (Composite, a)
            i = i + 1
        If (b ≠ (n − 1)) Output (Composite, a)
    Output "Probable Prime"
• RSA decryption is usually performed with Chinese Remainder Theorem (CRT). Suppose Bob has public modulus N = 221 (= 13 × 17) with prime factors p = 13 and q = 17 kept secret, and public exponent e = 5 for encryption.
  - The value of Euler φ-function for N is φ(221) = __27__.
  - Bob's private key for decryption is d = __28__, where 0 < d < φ(221).
  - The ciphertext c = 73 sent by Alice is decrypted by Bob as follows.
    - c^d mod p = (c mod p)^(d mod φ(p)) mod p = 8 = A, where 0 ≤ A < p.
    - c^d mod q = (c mod q)^(d mod φ(q)) mod q = __29__ = B, where 0 ≤ B < q.
    - Solve the system of equations by CRT: c^d ≡ A (mod p); c^d ≡ B (mod q), and obtain the plaintext m = c^d mod N = __30__, where 0 ≤ m < N.
      This answer can be double-checked by the equality c ≡ m^e (mod N).
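The square-and-multiply and RSA-CRT items above, worked in Python as an added example that is not part of the original exam. The function names and the dictionary layout are assumptions made for illustration; the parameters (p = 13, q = 17, e = 5, c = 73) are the ones given in the question.

```python
# Added example: left-to-right square-and-multiply, then RSA decryption
# via CRT, using the exam's toy parameters. Requires Python 3.8+ for
# pow(x, -1, m) (modular inverse).

def square_and_multiply(x, k, n):
    """Return x^k mod n by scanning the bits of k from the top down."""
    if k == 0:
        return 1 % n
    bits = bin(k)[2:]            # k_t ... k_1 k_0, with k_t = 1
    r = x % n                    # step 1: r <- x (accounts for bit k_t)
    for bit in bits[1:]:         # step 2: remaining bits, high to low
        r = r * r % n            # 2.1 always square
        if bit == "1":
            r = r * x % n        # 2.2 multiply only when the bit is set
    return r

def rsa_crt_decrypt(c, p, q, e):
    """Decrypt c with the two half-size exponentiations and recombine."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent, 0 < d < phi
    # Exponents are reduced mod phi(p) = p-1 and phi(q) = q-1.
    A = square_and_multiply(c % p, d % (p - 1), p)
    B = square_and_multiply(c % q, d % (q - 1), q)
    # CRT recombination: find m with m = A (mod p) and m = B (mod q).
    h = (A - B) * pow(q, -1, p) % p
    m = B + q * h
    return {"phi": phi, "d": d, "A": A, "B": B, "m": m}

if __name__ == "__main__":
    result = rsa_crt_decrypt(73, 13, 17, 5)
    print(result)
    # Double-check from the question: c == m^e (mod N)
    print(square_and_multiply(result["m"], 5, 13 * 17) == 73)
```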

Part III (Write down all details of your work)

31 (4 points)
Apparently there are 2 irreducible polynomials of degree 1 over GF(2):
x and x + 1. Answer the following questions.
(a) How many monic irreducible polynomials of degree 1 are there over GF(2^2)?
(b) How many monic irreducible polynomials of degree 2 are there over GF(2^2)?
(c) How many irreducible polynomials of degree 5 are there over GF(2)?
(d) How many irreducible polynomials of degree 10 are there over GF(2)?

32 (6 points)
Let n be the output length in bits of a hash function h, and let t mutually distinct
messages (x_1, x_2, …, x_t) be randomly selected to test for a collision h(x_i) = h(x_j).
(a) What is the probability for no collision among t hash values?
(b) What is the Taylor series at 0 for the function f(x) = e^x?
(c) Denote the probability of at least one collision by  = 1 − P(no collision).
Use the linear approximation of e^x to deduce that
Cryptography Midterm Exam 2013/06/18
Name: ____________ Student ID number: ____________

1 2 3 4 5 6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 & 32
Cryptography Midterm Exam 2013/06/18

Solution
1: C    2: B    3: E    4: B    5: D    6: C    7: A    8: D    9: C    10: A
11: 8 (or 2^3)    12: 36    13: 29    14: 2    15: (1, 12)
16: 5 (or 63)    17: 17    18: 28    19: 160    20: 256
21: 384    22: t − 1    23: rx    24: a^2 ≡ 1    25: a^m
26: b^2    27: 192    28: 77    29: 3    30: 190

31
(a) 4 (b) 6 (c) (2^5 − 2)/5 = 6 (d) (2^10 − 2^5 − 2^2 + 2)/10 = 99

32
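The ECDH item from Part II can be checked against this answer key with a short script. This is an added example, not part of the original exam; the function names are assumptions, and the curve, base point and secret scalars are the ones stated in the question.

```python
# Added example: toy ECDH on y^2 = x^3 + x + 4 over GF(23), base point (7, 3).
# Requires Python 3.8+ for pow(x, -1, m).
P_MOD, A_COEF, B_COEF = 23, 1, 4
INF = None                      # point at infinity (group identity)
BASE = (7, 3)

def add(p1, p2):
    """Affine point addition, covering identity, inverse and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF              # P + (-P), including doubling when y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Left-to-right double-and-add for k >= 1.
    Returns (k*pt, number of doublings, number of additions)."""
    r, doublings, additions = pt, 0, 0
    for bit in bin(k)[3:]:      # bits below the leading 1
        r = add(r, r)
        doublings += 1
        if bit == "1":
            r = add(r, pt)
            additions += 1
    return r, doublings, additions

def group_order():
    """Count affine solutions by brute force, plus the point at infinity."""
    count = 1
    for x in range(P_MOD):
        rhs = (x ** 3 + A_COEF * x + B_COEF) % P_MOD
        count += sum(1 for y in range(P_MOD) if y * y % P_MOD == rhs)
    return count

def ecdh(a, b):
    """Return (A, B, shared point) and check both sides agree."""
    pub_a = scalar_mult(a, BASE)[0]
    pub_b = scalar_mult(b, BASE)[0]
    shared = scalar_mult(a, pub_b)[0]
    assert shared == scalar_mult(b, pub_a)[0]
    return pub_a, pub_b, shared

if __name__ == "__main__":
    print(group_order(), scalar_mult(21, BASE), ecdh(21, 3))
```

The shared point equals (ab mod 29)P because the group order is 29, which is why the key lists 5 (or 63) for n.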
