Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Transcription

1 Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on Monday, 10/31/2016 Full Name: UCI ID Number: Sources: Guidelines: Use any word processor (or handwrite and scan your answers). Upload your solutions as a PDF to the associated EEE dropbox (labeled CS134: Homework 2 ). No late submission will be accepted into the EEE dropbox. The solution to the homework will be posted on Monday 10/31/2016, no late submission (even via ) will be accepted after posting of the solution. No collaboration is allowed. The only people you may ask for help are the TA and professor for the course. Copying, paraphrasing or copying answers from the internet or other sources is not allowed, and to do so would be a violation of academic honesty. You must list any sources you used to arrive at your answers (e.g., reference books, Wikipedia etc). Warning: any submission not following the above guidelines may receive a score of zero.

2 1 [5 pts total] Multiple Choice Questions There is only one correct answer for each of the following question. Answer justification is not required. 1. Which of the following is a NON-cryptographic property of a good hash function? A. One-way-ness B. Weak-collision-resistance C. Strong-collision-resistance D. Arbitrary-length input 2. What is the correct comparison of SHA-1 and MD5? A. MD5 is more secure than SHA-1 B. SHA-1 is more computationally expensive than MD5 C. MD5 does not work on an extremely large input (> 2 64 bits) while SHA-1 does D. Neither can be used as an encryption function 3. Which of the following is NOT a property of a group? A. Closure B. Distribution C. Identity D. Inverse 4. Which of the following is NOT an Abelian group? A. (Z N, modular multiplication) B. (Z, addition) C. (set of 5x5 non-singular real matrices, matrix addition) D. (set of 5x5 non-singular real matrices, matrix multiplication) 5. Which of the following is a subgroup of Z 13 under modular multiplication? A. {2, 7} B. {1, 2, 7, 12} C. {1, 6, 12} D. {1, 5, 10, 11} 6. What security service CANNOT be provided by a digital signature? A. Availability B. Integrity C. Non-repudiation D. Authentication Page 2

3 7. The security of Diffie-Hellman key exchange relies on which assumption? A. It is computationally infeasible to compute a GCD of two large numbers. B. It is computationally infeasible to compute an inverse modulo prime p. C. It is computationally infeasible to test whether a large number is prime. D. It is computationally infeasible to solve the discrete log problem. E. All of the above 8. What is the objective of Diffie-Hellman key exchange? A. to protect encrypted data from man-in-the-middle attack B. to perform mutual authentication on both sides C. to prove to another party that one holds a secret key without revealing it D. to establish a shared secret key on both sides 9. The security of RSA encryption relies on which assumption? A. It is computationally infeasible to compute a GCD of two large numbers. B. It is computationally infeasible to factor a large number. C. It is computationally infeasible to test whether a large number is prime. D. It is computationally infeasible to compute a square modulo n. E. All of the above 10. Which of the following scheme is an example of zero-knowledge proof? A. Fiat-Shamir identification B. El Gamal encryption C. RSA signature D. Diffie-Hellman key exchange E. All of the above Page 3

4 2 [5 pts total] Fill In The Blanks 1. The digest size of SHA-1 is bits. 2. The block size of MD5 is bits. 3. A prefix MAC construction, i.e. H(K AB m), cannot provide the integrity of a message because 4. The inverse of 9 in Z 11 is. 5. ord(9) in Z 11 =. 6. If α is a primitive element in Z p for a prime p, this means ord(α) equals. 7. Square-and-Multiply algorithm can be used to compute 5 8 mod 9 in iterations. 8. The Digital Signature Standard (DSS) is a variant of signature scheme. 9. Extended Euclidean Algorithm can be used to speed-up the calculation of in RSA Encryption, given a public exponent (e) and the modulus factor (p and q). 10. In RSA signature scheme, a signature of a message m can be created by computing y = (m d mod n) whereas the signature can be verified by. Assume d is the secret key, e is the public key, and n is a product of two large prime numbers.. Page 4

5 3 [4 pts] Birthday Paradox Suppose the California DMV comes up with a new license plate with a special serial number format. This serial number format consists of only 3 letters: first two being a digit (0 to 9) and last one being an English uppercase letter (A to Z). Each serial number is randomly generated when issued. (a) Suppose Alice and Bob apply for this new license plate. What is the probability that both of them receive the same plate number? (b) Suppose the California DMV wants to ensure that the probability that at least two license plates have the same number is less than 1%. What is the maximum number of this type of license plates that they can issue? (c) Suppose the California DMV wants to issue exactly 50 license plates. How many more DIGITS should be added at the end of this serial number format in order to ensure that the probability that at least two license plates have the same number is still less than 1%. Page 5

6 4 [4 pts] Groups and Subgroups (a) List all elements in the group Z 10. (b) Show that the group (Z 10 under modular multiplication) is cyclic. (c) Suppose S = {1, 3, 9}. Is S a subgroup of Z 10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not. (d) Suppose S = {1, 3, 7}. Is S a subgroup of Z 10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not. Page 6

7 5 [4 pts] RSA Assume the following RSA parameters: p = 13, q = 5, d = 29, C = 7 (a) Use Chinese Remainder Theorem to find the value of plaintext M. Show your work. (b) Use Extended Euclidean Algorithm to find the value of public exponent e. Show your work. Page 7

8 6 [3 pts] 3-Party Diffie-Hellman Recall from the lecture that the Diffie-Hellman protocol allows two parties to establish a shared secret key. However, the use of Diffie-Hellman is not limited to only two parties. In fact, the Diffie-Hellman scheme can be extended to support the key establishment between any number of parties. Describe how to establish a shared secret key between three parties based on the Diffie-Hellman key exchange scheme. (Note that minimizing communication rounds and bandwidth consumed between the parties in this case is not a concern.) Page 8

9 7 [3 pts] Randomness in El Gamal s Scheme Suppose Alice wants to encrypt two messages using El Gamal Public Key Cryptosystem. However, she is lazy and does not want to generate a new random number for the second encryption. Thus, she applies the same random number (which is only secret to her) for both encryptions. Suppose Eve learns both ciphertexts and one of the plaintext message. Show that Eve can efficiently learn the value of the other plaintext message as well. Also, you can assume that the same public- and private-key pair is used for both encryptions. Page 9

10 8 [3 pts] Fiat-Shamir One of the requirements of the Fiat-Shamir identification protocol is to have a trusted-third party generate n and keep its factors (prime p and q) secret from the prover and verifier. Suppose the verifier knows one of those two factors. Explain how the verifier can learn the secret of the prover when Fiat-Shamir identification protocol is run by both sides. (Hint: you may assume it is computationally feasible to compute a 1/2 mod b ONLY when b is a prime less than n.) Page 10