I.D. NUMBER SURNAME OTHER NAMES

Transcription

1 THE UNIVERSITY OF CALGARY DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS AND STATISTICS FINAL EXAMINATION SOLUTION KEY CPSC/PMAT 418 L01 Introduction to Cryptography Fall 2017 December 19, 2017, 8:00-11:00 Time: 3 hours I.D. NUMBER SURNAME OTHER NAMES STUDENT IDENTIFICATION Each candidate must sign the Seating List confirming presence at the examination. All candidates for final examinations are required to place their University of Calgary student I.D. cards on their desks for the duration of the examination. Students without an I.D. card who can produce an acceptable alternative I.D., e.g., one with a printed name and photograph, are allowed to write the examination. A student without acceptable I.D. will be required to complete an Identification Form. The form indicates that there is no guarantee that the examination paper will be graded if any discrepancies in identification are discovered after verification with the student s file. A student who refuses to produce identification or who refuses to complete and sign the Identification Form is not permitted to write the examination. EXAMINATION RULES 1. Students late in arriving will not normally be admitted after one-half hour of the examination time has passed. 2. No candidate will be permitted to leave the examination room until one-half hour has elapsed after the opening of the examination, nor during the last 15 minutes of the examination. All candidates remaining during the last 15 minutes of the examination period must remain at their desks until their papers have been collected by an invigilator. 3. All inquiries and requests must be addressed to supervisors only. 4. Candidates are strictly cautioned against: (a) speaking to other candidates or communicating with them under any circumstances whatsoever; (b) (c) (d) bringing into the examination room any textbook, notebook or memoranda not authorized by the examiner; making use of calculators and/or portable computing machines not authorized by the instructor; leaving answer papers exposed to view; (e) attempting to read other students examination papers. The penalty for violation of these rules is suspension or expulsion or such other penalty as may be determined. 5. Discarded matter is to be struck out and not removed by mutilation of the examination paper. 6. Candidates are cautioned against writing on their exam paper any matter extraneous to the actual answering of the question set. 7. The candidate is to write his/her ID number and name on the exam paper as directed. 8. During the examination a candidate must report to a supervisor before leaving the examination room. 9. Candidates must stop writing when the signal is given. Exam papers must be handed to the supervisor-in-charge promptly. Failure to comply with these regulations will be cause for rejection of an answer paper. 10. If during the course of an examination a student becomes ill or receives word of domestic affliction, the student must report at once to the supervisor, hand in the unfinished paper and request that it be cancelled. If physical and/or emotional ill health is the cause, the student must report at once to a physician/counsellor so that subsequent application for a deferred examination is supported by a completed Physical/Counsellor Statement form. Students can consult professionals at University Health Services or Counselling and Student Development Centre during normal working hours or consult their physician/counsellor in the community. Once an examination has been handed in for marking, a student cannot request that the examination be cancelled for whatever reason. Such a request will be denied. Retroactive withdrawals will also not be considered. Question Total Actual Marks Marks Total 104 INSTRUCTIONS This is a closed book exam. No aids are permitted; this includes calculators. Total marks: 104. Score will be out of 100, so you can get up to 104%. Answer all the questions in the space provided. Use the last 3 pages to continue answers if you need more space, or as rough paper. Page 1 of 14

2 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 2 of [10 marks] Multiple Choice Questions For each question, check exactly one answer. (a) [1 mark] Assuming that keys are chosen with equal likelihood, the one-time pad provides semantic security computational security perfect secrecy none of the above (b) [1 mark] Assuming that keys are chosen with equal likelyhood, the entropy of the key space for DES is 64 bits 56 bits 48 bits 32 bits (c) [1 mark] Which mode of operation for a block cipher computes the current ciphertext block by taking the XOR of the current plaintext block with the previous ciphertext block and encrypting the result? Electronic code book Cipher block chaining Cipher feedback Output feedback (d) [1 mark] Let p be a prime and g a primitive root of p. Which of the following properties is true for g? g p 1 1 (mod p) g k 1 (mod p) for all integers k with 1 k p 2 Every element of Z p is a power of g All of the above (e) [1 mark] The security of the Diffie-Hellman key agreement protocol depends on the presumed intractability of the following mathematical problem? Integer factorization problem Discrete logarithm problem Quadratic residuosity problem Primality testing

3 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 3 of 14 (Multiple Choice Questions, cont d) (f) [1 mark] Let m, n N, and let φ denotes Euler s phi function. Under what sufficient condition is φ(mn) = φ(m)φ(n)? Only when m and n are coprime Only when m and n are even Only when m and n are odd Always (g) [1 mark] Encryption functions in public key cryptosystems are one-way functions trap-door one-way functions hash functions linear functions (h) [1 mark] Which of the following approaches can be used to successfully break RSA, given knowledge of the public key (e, n)? Factoring n Finding φ(n) Finding the private key d All of the above (i) [1 mark] Suppose n = pq where p and q are distinct primes, and a Z n. Then a is a pseudosquare modulo n if the following is true: a is a quadratic residue modulo both p and q a is a quadratic residue modulo exactly one of p and q a is a quadratic non-residue modulo both p and q None of the above (j) [1 mark] In a public key infrastructure, which entity or mechanism ensures the authenticity of cryptographic keys? Key distribution centre Peer authentication Certification authority All of the above

4 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 4 of [10 marks] TRUE/FALSE Questions Answer every questions with TRUE or FALSE. Just state your answer; no explanations are required. (a) [1 mark] AES is based on a Feistel network structure, just like DES. FALSE (b) [1 mark] The S-boxes in AES provide diffusion. FALSE (c) [1 mark] In a synchronous stream cipher, the state of the device depends on the previous state but not on the input. FALSE (d) [1 mark] The Keccak algorithm underlying SHA-3 is an iterated hash function. TRUE (e) [1 mark] An algorithm for solving the discrete logarithm problem can be used to solve the Diffie-Hellman problem. TRUE (f) [1 mark] 2 is a quadratic non-residue modulo 7. FALSE because (mod 7) (g) [1 mark] 3 is a primitive root of 7. TRUE (h) [1 mark] The ElGamal public key cryptosystem is signature capable. FALSE as messages are integers modulo a prime and ciphertexts are pairs of such integers. (i) [1 mark] The Goldwasser-Micali public key cryptosystem is GMR-secure provided the discrete logarithm problem is intractable. FALSE the underlying problem is the quadratic residuosity problem. (j) [1 mark] SSH provides an encrypted channel between a server and a client. TRUE

5 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 5 of [10 marks] Definitions (a) [2 marks] Define what it means for an attack on a cryptosystem to be active. An attacker interacts with the system (e.g. modifies the information, as opposed to just listening. (b) [2 marks] Define what it means for a hash function to be weakly collision resistant. Given any input x to H, it is computationally infeasible to find a different input x x to H with H(x) = H(x ) (c) [2 marks] Define hybrid encryption. Encrypting a session key (say, for a conventional cryptosystem) for transmission using a public key system (d) [2 marks] Let p be an odd prime and a Z. Define the Legendre symbol ( a p). 0 if p divides a, 1 if a is a quadratic residue modulo p, 1 if a is a quadratic non-residue modulo p. (e) [2 marks] Define indistinguishability under chosen ciphertext attacks No (active) adversary with access to a decryption oracle (that decrypts arbitrary ciphertexts) can in expected polynomial time select two plaintext messages M 1 and M 2 and then correctly distinguish between encryptions of M 1 and M 2 with probability significantly greater than 1/2.

6 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 6 of [10 marks] Short Answer Questions (a) [2 marks] State Kerkhoff s principle. The security of a cryptosystem should depend entirely upon knowledge of the key, not of the method. (b) i. [1 mark] How many bits of security does a 160-bit hash function provide? 80 ii. [1 mark] What is the name of the attack that this security level must protect against? Birthday attack (c) [2 marks] Name two cryptographic services provided by digital signatures. Data authentication, non-repudiation (d) [2 marks] Describe the next-bit test for a pseudorandom bit sequence. There is no polynomial time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)-st bit with probability significantly greater than 1/2. (e) [2 marks] Name two cryptographic services provided by the station-to-station protocol. Any two of entity authentication, authenticated key agreement, key confirmation, forward secrecy

7 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 7 of [10 marks] Simple Computations (a) [3 marks] Consider a random variable X with four outcomes X 1, X 2, X 3, X 4 and respective probabilities p(x 1 ) = 1 2, p(x 2) = 1 4, p(x 3) = p(x 4 ) = 1 8. Compute the entropy H(X). Give the actual value of H(X), not just the formula. H(X) = 1 2 log 2(2) log 2(4) log 2(8) = = = 7 4 = 1.75 (b) [2 marks] Determine the value of the Legendre symbol ( 3 13). Use any method you like. Show your work. ( ) 3 13 = ( 1) ( ) 13 = 3 ( ) 13 = 3 ( ) 1 = 1 3 (c) [2 marks] Let φ denote Euler s phi function. Determine φ(24). Show your work. φ(24) = φ(3)φ(2 3 ) = (3 1)(2 1)2 3 1 = = 8 Z 24 = {1, 5, 7, 11, 13, 17, 19, 23} (d) [3 marks] Let f(x) = x 2 + 1, g(x) = x 3 + x + 1 be polynomials with binary coefficients. Compute f(x)g(x) (mod x 4 + 1). Show your work. f(x)g(x) = (x 5 + x 3 + x 2 ) + (x 3 + x + 1) = x 5 + x 2 + x + 1 x (mod x 4 + 1)

8 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 8 of [4 marks] Affine Linear Cipher The affine linear cipher is generalization of the shift cipher as follows. Plaintexts and ciphertexts are elements in Z 26, and keys are pairs (a, b) with a, b Z 26 and gcd(a, 26) = 1. To encrypt a message M with the key (a, b), the sender computes and sends C am + b (mod 26), 0 C 25. To decrypt a ciphertext C, the receiver computes the modular inverse a of a modulo 26 and obtains the plaintext via M a (C b) (mod 26), 0 M 25. (a) [1 marks] Encrypt the plaintext M = 6 under the affine linear cipher with key (7, 4) = (mod 26). (b) [3 marks] Decrypt the ciphertext C = 3 under the affine linear cipher with key (7, 4). Show your work. 26 = = = = = 5 2(7 5) = = 3(26 3 7) 2 7 = So a (mod 26) and hence M 15(3 4) (mod 26).

9 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 9 of [9 marks] Modes of Operation for Block Ciphers Let E K denote encryption under a secret key K of some block cipher, and suppose that M 1, M 2,... are message blocks. (a) [2 marks] Describe how to use the cipher in electronic code book (ECB) mode. Blocks are encrypted sequentially, one at a time: C i = E K (M i ) (i N) (b) [3 marks] Describe the encryption and decryption procedures when using the block cipher in output feedback (OFB) mode in its simplest form (i.e. with one register). KS 0 = IV, KS i = E K (KS i 1 ) C i = KS i M i, M i = C i KS i (i N) (c) [1 mark] Is a block cipher in OFB mode a synchronous or a self-synchronizing stream cipher? Just state the answer, no justification is needed. Synchronous stream cipher (d) [1 mark] Does the initial value IV for a block cipher in CFB mode need to be sent in encrypted form or can it be sent in the clear without compromising security? Just state the answer, no justification is needed. In the clear (e) [2 marks] State an advantage of using a block cipher in OFB mode as opposed to ECB mode. Identical plaintext blocks encrypt to different ciphertext blocks in CFB mode, but in ECB mode, they yield identical ciphertext blocks. OFB also provides better error propagation (and better diffusion) than ECB.

10 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 10 of [5 marks] Message Authentication Codes (a) [2 marks] Define what it means for a message authentication code to be computation resistant. Given zero or more message/mac pairs, it is computationally infeasible to generate a new message/mac pair where the message is distinct from all the given messages. (b) [3 marks] Consider the following message authentication code called BCMAC (for block cipher message authentication code ) which is derived from a block cipher that operates on n-bit plaintexts. BCMAC takes as input a message M of bit length 2n 2 and produces the corresponding tag as follows (here, E K is encryption under the block cipher using key K and denotes concatenation): (1) Write M = M 0 M 1 where M 0, M 1 each have length n 1; (2) BCMAC(M) = E K (0 M 0 ) E K (1 M 1 ). Show that BCMAC is not computation resistant as follows. Suppose an adversary Eve has two distinct messages M = M 0 M 1 and M = M 0 M 1, with M 0 M 0 and M 1 M 1, along with their respective message authentication tags BCMAC(M) and BCMC(M ). Carefully show how Eve can use this information to defeat computation resistance. Eve is given M and M, along with their respective tags BCMAC(M) = E K (0 M 0 ) E K (1 M 1 ), BCMAC(M ) = E K (0 M 0) E K (1 M 1). Put M = M 0 M 1. Then M M as M 0 M 0, and M M as M 1 M 1. Now the adversary can compute BMAC(M ) = E K (0 M 0) E K (1 M 1 ), since the first half of BCMAC(M ) is identical to the first half of BCMAC(M ) and the second half of BCMAC(M ) is identical to the second half of BCMAC(M). So the adversary has found a new message M along with its BCMAC tag. Note that a similar proof works for the choice M = M 0 M 1.

11 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 11 of [6 marks] RSA Common Modulus Suppose two users (1 and 2) share the same RSA encryption modulus n, but have different encryption exponents e 1 and e 2, respectively, with gcd(e 1, e 2 ) = 1. Suppose that a third party sends the same message M to both users, i.e. she sends C 1 M e 1 (mod n) to user 1 and C 2 M e 2 (mod n) to user 2. (a) [4 marks] Carefully explain a procedure by which an adversary can efficiently recover M. Use the Extended Euclidean Algorithm to find integers x, y with e 1 x + e 2 y = 1. Then C x 1 C y 2 (M e 1 ) x (M e 2 2 )y M e 1x+e 2 y = M 1 = M (mod n). (b) [1 mark] What kind of attack is this (ciphertext only, known plaintext, chosen plaintext, chosen ciphertext)? Ciphertext only attack. (c) [1 mark] Is this attack active or passive? Passive 10. [6 marks] RSA-OAEP Consider the RSA-OAEP public key encryption scheme given by C (s t) e (mod n) with s = (M 0 k 1 ) G(r) and t = r H(s), where (e, n) is the RSA public key, G and H are random functions, r is a random number, and denotes concatenation. For this question, provide clear succinct answers of 1-2 sentences. (a) [2 marks] What is the role of the random input r? To ensure that a given message does not always encrypt to the same ciphertext. (b) [2 marks] What is the role of the k 1 -bit input string in s consisting of k 1 zeros? To prevent chosen ciphertext attacks by introducing redundancy into the message. Upon decryption, a message is rejected if the prescribed redundancy is not present. (c) [2 marks] Suppose SHA-256 is used to implement the functions G and H. Does this SHA-256 based implementation of RSA-OAEP achieve plaintext awareness? Justify your answer. No. The analysis of OAEP assumes that the functions G and H are random, and SHA- 256 is not random.

12 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 12 of [10 marks] RSA as a signature scheme Suppose Alice s public RSA key is (e, n), her private RSA key is d, and she wishes to deploy RSA as a signature scheme. (a) [2 marks] Explain how Alice can use RSA in combination with a cryptographic hash function H : {0, 1} Z n to sign any message M {0, 1}. Signature to M is S H(M) d (mod n), S Z n. (b) [2 marks] Explain how anyone can verify an RSA signature S to a given message M. Compute S e (mod n) and H(M). If they match, the signature is accepted as valid. (c) [3 marks] Suppose Alice does not hash her messages before generating signatures. Explain how an adversary Eve can commit existential forgery against Alice. Eve generates a random S Z n and computes M S e (mod N). She sends the message M with signature S to Bob. Bob verifies by computing S e (mod n) and comparing the result with M. Since they match, he accepts the signature as coming from Alice. (d) [3 marks] Suppose Eve manages to find φ(n). Explain how she can factor n. n = pq and φ(n) = (p 1)(q 1) = n p n/p + 1, so p 2 (n + 1 φ(n))p + n = 0. This is a quadratic equation in p which can be solved for p using the quadratic formula; the second solution is q. p q } = n + 1 φ(n) 2 (n ) + 1 φ(n) 2 ± n. 2

13 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 13 of [14 marks] ElGamal Public Key Cryptosystem Recall that for the ElGamal public key cryptosystem, Alice produces her public and private keys as follows: 1. Selects a large prime p and a primitive root g of p. 2. Randomly selects x such that 0 < x < p 1 and computes y g x (mod p). 3. Alice s public key is (p, g, y); her private key is x. Bob encrypts a message M Z p intended for Alice as follows: 1. Obtains Alice s public key (p, g, y). 2. Selects a random integer k with 0 < k < p Computes C 1 g k (mod p), 0 C 1 < p. 4. Computes C 2 y k M (mod p), 0 < C 2 < p. 5. Sends the ciphertext (C 1, C 2 ). Alice decrypts the ciphertext (C 1, C 2 ) with her private key x by computing C 2 (mod p). C p 1 x 1 (a) [3 marks] Carefully prove that the decryption is correct, i.e. that C 2 C p 1 x 1 M (mod p). Show all your work. C 2 C p 1 x 1 (My k )(C p 1 x 1 ) (Mg xk )(g k(p 1 x) ) Mg xk+k(p 1) kx M(g p 1 ) k M (mod p), where the last congruence follows from g p 1 1 (mod p). (b) Suppose Alice selects p = 11, g = 2 and x = 9. i. [2 marks] Use the primitive root test to verify that 2 is a primitive root of 11. Show your work. 2 (11 1)/ (mod 11) 2 (11 1)/ (mod 11) ii. [3 marks] Use the binary exponentiation algorithm to compute Alice s public key. Show your work. Solutions not using binary exponentiation will get no credit. 9 = (1001) 2 r 0 = 2 r 1 = 2 2 = 4 r 2 = 4 2 = 5 y r (mod 11) Alice s full public key is (11, 2, 6).

14 CPSC/PMAT 418 (L01) Introduction to Cryptography Fall 2017 Page 14 of 14 (ElGamal Public Key Cryptosystem, cont d) (c) Bob might be tempted to use the same random number k for repeated encryptions rather than generating a random k for each new ciphertext. That way, he can pre-compute and store the first component C 1 of the ciphertext (C 1, C 2 ), thereby speeding up encryption significantly. Suppose Eve intercepts a ciphertext (C 1, C 2 ) that is the encryption of some plaintext M with Alice s public key; she wants to find M. She has previously obtained a plaintext M and its encryption (C 1, C 2 ) under Alice s public key. Eve also knows that the same k value was used for both encryptions (but she does not know this value k). i. [1 mark] What kind of attack is this (ciphertext only, known plaintext, chosen plaintext, chosen ciphertext)? Known plaintext attack. ii. [2 marks] Carefully explain how Eve can find y k (mod p). She first finds the inverse of M (mod p) and then computes y k C 2(M ) 1 (mod p) iii. [2 marks] Carefully explain how Eve can find M. She first finds the inverse of y k (mod p) and then computes M C 2 y k (mod p) iv. [1 mark] Which number theoretic algorithm does Eve use in her attack described in parts (c) (ii) and (iii)? Just state the name, no need to explain the algorithm. Extended Euclidean Algorithm / Modular Inversion End of Solution Key RS / rs