MTECH Introduction to Modern Cryptography (Bellare, Rogaway) Solutions

Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 1 Solutions, October 4, 2010

Problem Set 1 Solutions

Problem 2. [30 points] The ciphertext

QFL HCVPS PX V ANSWLCEZK NCJVS; PQ XQVCQX QFL BPSZQL RNZ JLQ ZT PS QFL

BNCSPSJ VSW WNLX SNQ XQNT ZSQPK RNZ JLQ QN DKVXX

has been created using a punctuation-respecting substitution cipher on the alphabet of English letters. Your task is to decrypt this ciphertext and recover the plaintext. Show the steps you used to arrive at your solution, the final plaintext, and a table providing, for each letter, its decoding. (Hint: J decodes to G.)

An example of this type of cryptanalysis was done in class. It is also in Chapter 2 of the notes, and the latter can serve as a model for how to approach the problem and write the solution.

We typically begin with a frequency analysis. In this case, however, I skipped that stage, since something else sprang to my attention. Namely there are three occurrences of the word QFL in the ciphertext, one at the very beginning. What three letter word could be so common and occur at the beginning of the sentence? I felt pretty comfortable guessing it to be THE. This tells me that π⁻¹(Q) = T, π⁻¹(F) = H and π⁻¹(L) = E, where π denotes the permutation (key) that was used for encryption. The ciphertext contains the word QN. Knowing that Q decodes to T, the only choice for N is O. The second row of the table in Fig. 1 shows where we are. (We have taken into account the hint as well.) Now let us write the ciphertext again, this time indicating above different letters what we believe them to represent:

THE ..... .. . .O..E.... O.G..; .T .T..T. THE ....TE .O. GET .. .. THE
QFL HCVPS PX V ANSWLCEZK NCJVS; PQ XQVCQX QFL BPSZQL RNZ JLQ ZT PS QFL

.O....G ... .OE. .OT .TO. ..... .O. GET TO .....
BNCSPSJ VSW WNLX SNQ XQNT ZSQPK RNZ JLQ QN DKVXX

(A dot marks a ciphertext letter whose decoding is not yet known.)

τ        A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
π⁻¹(τ)   . . . . . H . . . G . E . O . . T . . . . . . . . .
π⁻¹(τ)   . . . . . H . . . G . E . O . I T . N . . A D S . .
π⁻¹(τ)   W M R C F H . B . G L E . O . I T Y N P . A D S . U

Figure 1: Cryptanalysis of Problem 1.

The ciphertext contains the word PQ. Since Q stands for T, P could be only I or A. The third word of the ciphertext is PX. This could then be one of: IN, IS, AN, AS, AM, so X could be one of: N, S, M. But we have a ciphertext word XQVCQX and we know that Q stands for T. The only one of the consonants N, S, M that fits before and after a T is S. Conclusion: π⁻¹(X) = S. Now the two choices for the third word of the ciphertext are IS and AS, but only the first seems like a grammatical fit. (I imagine HCVPS is a noun, and we follow it by the verb IS.) So I guess π⁻¹(P) = I. This means that π⁻¹(V) = A. (The symbol V occurs by itself in the ciphertext and can thus only represent I or A.) The two letter word PS occurs in the ciphertext. At this point this could only be IN. (We know P represents I, and so S could only be T or N, but only the latter is still available.) The last three letters of the ciphertext word WNLX being OES, the only choice for W is D. The third row of the table in Fig. 1 shows our view of π at this point, and the following shows where we are in terms of decryption of the ciphertext:

THE ..AIN IS A .ONDE.... O.GAN; IT STA.TS THE .IN.TE .O. GET .. IN THE
QFL HCVPS PX V ANSWLCEZK NCJVS; PQ XQVCQX QFL BPSZQL RNZ JLQ ZT PS QFL

.O.NING AND DOES NOT STO. .NTI. .O. GET TO ..ASS
BNCSPSJ VSW WNLX SNQ XQNT ZSQPK RNZ JLQ QN DKVXX

At this point it is pretty easy. XQVCQX could only be STARTS, meaning C represents R. So the last four letters of HCVPS are RAIN, and although many choices of the first letter yield English words, namely B, D, G, T, the only one still available is B, so H represents B. You can now pretty much read it off. The fourth row of Fig. 1 shows our final view of π, and the following shows the decrypted ciphertext:

THE BRAIN IS A WONDERFUL ORGAN; IT STARTS THE MINUTE YOU GET UP IN THE
QFL HCVPS PX V ANSWLCEZK NCJVS; PQ XQVCQX QFL BPSZQL RNZ JLQ ZT PS QFL

MORNING AND DOES NOT STOP UNTIL YOU GET TO CLASS
BNCSPSJ VSW WNLX SNQ XQNT ZSQPK RNZ JLQ QN DKVXX

The message, by the way, is a slight corruption of a quote due to Robert Frost.
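The partial decryptions shown above can be reproduced mechanically. This is an added example, not part of the course solutions: it applies the successive rows of Fig. 1 to the ciphertext, prints the skipped frequency analysis, and checks that the final row is a consistent (injective) decoding.

```python
# Added example: reproduce the three partial-decryption displays of Problem 2
# from the rows of Fig. 1, and sanity-check the recovered key.
from collections import Counter

# Constructed input: the ciphertext as given in the problem.
CIPHERTEXT = ("QFL HCVPS PX V ANSWLCEZK NCJVS; PQ XQVCQX QFL BPSZQL RNZ JLQ ZT PS QFL "
              "BNCSPSJ VSW WNLX SNQ XQNT ZSQPK RNZ JLQ QN DKVXX")

# Rows 2, 3 and 4 of the table in Fig. 1: ciphertext letter -> plaintext letter.
ROW2 = {"Q": "T", "F": "H", "L": "E", "N": "O", "J": "G"}
ROW3 = dict(ROW2, X="S", P="I", V="A", S="N", W="D")
ROW4 = dict(ROW3, C="R", H="B", A="W", E="F", Z="U", K="L", B="M", R="Y", T="P", D="C")


def letter_frequencies(ct):
    """The frequency analysis the write-up skipped: letters, most common first."""
    return Counter(c for c in ct if c.isalpha()).most_common()


def partial_decrypt(ct, table, unknown="."):
    """Decode every letter the table covers, keep punctuation and spaces,
    and mark letters not yet determined with `unknown`."""
    return "".join(table.get(ch, unknown) if ch.isalpha() else ch for ch in ct)


def check_decoding(table):
    """A substitution key is a permutation: two ciphertext letters may never decode
    to the same plaintext letter (this is what rules out D, G, T for H above)."""
    return len(set(table.values())) == len(table)


def unused_plaintext_letters(table):
    """Plaintext letters not yet assigned; the argument 'only N is still available'
    is a lookup in this set."""
    return "".join(sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(table.values())))


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:6])
    for row in (ROW2, ROW3, ROW4):
        print(partial_decrypt(CIPHERTEXT, row))
        print(CIPHERTEXT)
        print()
```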

Problem 3. [30 points] Let m = 6, and let Z_m denote the set {0, . . . , m − 1}. Let X mod m denote the remainder obtained when dividing X by m.

1. [15 points] Consider the symmetric encryption scheme in which the encryption of message M ∈ Z_m under key K ∈ Z_m is (M + K) mod m. Is this encryption scheme perfectly secure? Why or why not?

The simplest way to get a handle on what is going on here is to make a table whose row K, column M entry is E_K(M):

             M = 0   1   2   3   4   5
    K = 0        0   1   2   3   4   5
    K = 1        1   2   3   4   5   0
    K = 2        2   3   4   5   0   1
    K = 3        3   4   5   0   1   2
    K = 4        4   5   0   1   2   3
    K = 5        5   0   1   2   3   4


Now we claim that

    Pr[E_K(M) = C] = 1/6                                                  (1)

for every M ∈ Z_m and C ∈ Z_m, where the probability is over a random choice of K from Z_m. This implies the scheme is perfectly secure. So why is Equation (1) true? For example consider M = 2 and C = 5. Then the probability that E_K(M) = C is the number of times C occurs in column M of the table divided by the number of choices for K. But C occurs exactly once in this column and the number of possible rows is 6 so the probability is 1/6. More generally we can compute

    Pr[E_K(M) = C] = |{K ∈ Z_m : (K + M) mod m = C}| / |Z_m| = 1/6

because the size of the set in the numerator is 1.

Pictorially, there is an easy way to see why the scheme is perfectly secure. It is because in every column of the table, every value in Z_m shows up exactly once.

2. [15 points] Consider the symmetric encryption scheme in which the encryption of message M ∈ Z_m under key K ∈ Z_m is (M + 2K) mod m. Is this encryption scheme perfectly secure? Why or why not?

Again, make a table whose row K, column M entry is E_K(M):

             M = 0   1   2   3   4   5
    K = 0        0   1   2   3   4   5
    K = 1        2   3   4   5   0   1
    K = 2        4   5   0   1   2   3
    K = 3        0   1   2   3   4   5
    K = 4        2   3   4   5   0   1
    K = 5        4   5   0   1   2   3

Let C = 4 and M1 = 0 and M2 = 1. Then

    Pr[E_K(M1) = C] = 2/6 = 1/3
    Pr[E_K(M2) = C] = 0/6 = 0 .

Since we have found M1, M2, C such that

    Pr[E_K(M1) = C] ≠ Pr[E_K(M2) = C]

the scheme is not perfectly secure.

Why are the probabilities as claimed? To evaluate the probability that E_K(M) = C just count the number of times C occurs in column M of the table and divide by the number of keys, which is 6.


In both cases, the key is a randomly chosen element of Zm and the message space is also Zm.
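The table-counting argument used for both parts of Problem 3 can be run as code. This is an added example, not part of the course solutions: it builds the row-K / column-M table for an encryption map over Z_m, computes Pr[E_K(M) = C] by counting, and searches for a witness (M1, M2, C) that violates perfect secrecy.

```python
# Added example: perfect-secrecy check for the two schemes of Problem 3 over Z_6.
from fractions import Fraction
from itertools import product

m = 6
Zm = range(m)


def shift(K, M):            # part 1: (M + K) mod m
    return (M + K) % m


def double_shift(K, M):     # part 2: (M + 2K) mod m
    return (M + 2 * K) % m


def table(E):
    """Row K, column M entry is E_K(M), exactly as in the write-up's tables."""
    return [[E(K, M) for M in Zm] for K in Zm]


def prob(E, M, C):
    """Pr[E_K(M) = C] over uniformly random K: count C in column M, divide by |Z_m|."""
    return Fraction(sum(1 for K in Zm if E(K, M) == C), m)


def perfectly_secure(E):
    """Perfect secrecy: Pr[E_K(M1) = C] = Pr[E_K(M2) = C] for all M1, M2, C.
    Returns (True, None) or (False, (M1, M2, C)) with the first witness found."""
    for M1, M2, C in product(Zm, Zm, Zm):
        if prob(E, M1, C) != prob(E, M2, C):
            return False, (M1, M2, C)
    return True, None


def columns_are_permutations(E):
    """The pictorial criterion: every column of the table contains each value of Z_m exactly once."""
    t = table(E)
    return all(sorted(t[K][M] for K in Zm) == list(Zm) for M in Zm)


if __name__ == "__main__":
    for name, E in (("(M + K) mod m", shift), ("(M + 2K) mod m", double_shift)):
        print(name, "perfectly secure:", perfectly_secure(E))
```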


Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 2 Solutions, October 11, 2010

Problem Set 2 Solutions

Problem 1. [30 points] Let K be a 56-bit DES key and L a 64-bit auxiliary key. For any 64-bit plaintext M let

DESY(K ‖ L,M) = DES(K,L ⊕M) .

This defines a family of functions DESY: {0,1}^120 × {0,1}^64 → {0,1}^64.

(a) [8 points] Show that DESY is a block cipher.

A block cipher is a map E: {0,1}^k × {0,1}^n → {0,1}^n for some k, n with the property of being invertible, namely given K, C there is a unique M such that E(K, M) = C. This M is denoted E⁻¹(K, C) and must be easily computable given K, C.

The DESY map has the desired form with k = 120 and n = 64. The important thing is to show it is invertible. This is true because DES itself is invertible. We observe that if DESY(K ‖ L, M) = C then M can be recovered via

    M = DES⁻¹(K, C) ⊕ L .

Accordingly, DESY has as inverse

    DESY⁻¹(K ‖ L, C) = DES⁻¹(K, C) ⊕ L .

This is easily computable given the key K ‖ L.

(b) [22 points] Let (M1, C1), (M2, C2) be input-output examples of DESY under a random 120-bit target key K ‖ L. Present an attack that given (M1, C1), (M2, C2) recovers the target key using at most 2^57 computations of DES or DES⁻¹. (As usual, the job is actually only to recover a key consistent with the input-output examples, but in practice this is typically equal to the target key.)

Let T_1, . . . , T_{2^56} denote a listing of all 56-bit DES keys. The attack is:

    For i = 1, . . . , 2^56 do
        L ← M1 ⊕ DES⁻¹(T_i, C1)
        If DES(T_i, L ⊕ M2) = C2 then return T_i ‖ L

If T_i ‖ L is returned by the attack, then this key is consistent with the input-output examples. The attack uses 2^56 DES computations and 2^56 DES⁻¹ computations.
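The attack of part (b) shows why XOR-ing an auxiliary key into the plaintext adds no security beyond that of the underlying cipher's key. The following is an added example, not part of the course solutions: it runs the same loop against a toy stand-in for DES with an 8-bit key and 8-bit block (a seeded permutation, an assumption of this example), so the 2^56 iterations become 2^8.

```python
# Added example: the DESY key-recovery attack of part (b) on a toy cipher.
import random

KEY_BITS, BLOCK_BITS = 8, 8
BLOCKS = 1 << BLOCK_BITS


def toy_cipher(K):
    """Keyed permutation of {0,1}^8 and its inverse, standing in for DES
    (assumption of this example: a seeded shuffle, not a real cipher)."""
    perm = random.Random(K).sample(range(BLOCKS), BLOCKS)
    return perm, {c: m for m, c in enumerate(perm)}


def toyy(K, L, M):
    """TOYY(K || L, M) = TOY(K, L xor M): the DESY construction with TOY for DES."""
    return toy_cipher(K)[0][L ^ M]


def recover_key(M1, C1, M2, C2):
    """For every cipher key T, derive the L that explains (M1, C1) and keep T || L
    if it also explains (M2, C2): 2^8 TOY and 2^8 TOY^-1 computations."""
    for T in range(1 << KEY_BITS):
        L = M1 ^ toy_cipher(T)[1][C1]
        if toy_cipher(T)[0][L ^ M2] == C2:
            return T, L
    return None


def demo(seed=1):
    """Pick a random target key, produce two input-output examples, run the attack.
    Returns (recovered key, target key, whether the recovered key is consistent)."""
    rng = random.Random(seed)
    K, L = rng.randrange(1 << KEY_BITS), rng.randrange(BLOCKS)
    M1, M2 = rng.randrange(BLOCKS), rng.randrange(BLOCKS)
    C1, C2 = toyy(K, L, M1), toyy(K, L, M2)
    found = recover_key(M1, C1, M2, C2)
    consistent = (found is not None
                  and toyy(found[0], found[1], M1) == C1
                  and toyy(found[0], found[1], M2) == C2)
    return found, (K, L), consistent


if __name__ == "__main__":
    print(demo())
```

As the write-up notes, the loop returns the first consistent key, which for two examples is almost always the target key itself.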

Problem 2. [50 points] Let F: {0,1}^k × {0,1}^l → {0,1}^l be a family of functions and let r ≥ 1 be an integer. The r-round Feistel cipher associated to F is the family of functions F^(r): {0,1}^k × {0,1}^2l → {0,1}^2l, defined as follows for any key K ∈ {0,1}^k and input x ∈ {0,1}^2l:

    Function F^(r)(K, x)
        Parse x as L_0 R_0 with |L_0| = |R_0| = l
        For i = 1, . . . , r do
            L_i ← R_{i−1} ; R_i ← F(K, R_{i−1}) ⊕ L_{i−1}
        Return L_r R_r

1. [20 points] Show that F^(1) is not a secure PRF by presenting a practical adversary A such that Adv^prf_{F^(1)}(A) is close to one.

Adversary A, as per the definition of the PRF game, has access to an oracle for a function Fn: {0,1}^2l → {0,1}^2l. It is trying to determine whether Fn = F^(1)_K for some K or Fn was chosen at random. It works as follows:

    Adversary A
        x1 ← 1^2l
        y ← Fn(x1)
        Parse y as L R, where |L| = |R| = l
        If L = 1^l then return 1 else return 0

The advantage of A is by definition

    Adv^prf_{F^(1)}(A) = Pr[Real^A_{F^(1)} ⇒ 1] − Pr[Rand^A_{{0,1}^2l} ⇒ 1] .

We claim that the first term above is equal to 1 and the second term is equal to 2^−l. (And thus the advantage of our adversary is 1 − 2^−l, which is almost 1.) To justify our claim, consider the first term. Here, we are asking what is the probability that A outputs 1 given that it is in game Real, meaning its oracle Fn is a random instance of the family F^(1). Due to the fact that L_1 = R_0 in the code of F^(1), the condition that A tests will always be true, so it will always output 1 in game Real. Now, consider the second term above. Here, we are asking what is the probability that A outputs 1 given that it is in game Rand, meaning its oracle Fn is a random function of 2l bits to 2l bits. In that case, there is a slight possibility that Fn will output a string that begins with l ones, causing A to output 1. Specifically, the probability of this event is 2^−l.

Adversary A is practical because it makes only one oracle query and has running time O(l).

2. [30 points] Show that F^(2) is not a secure PRF by presenting a practical adversary A such that Adv^prf_{F^(2)}(A) is close to one.

Adversary A, as per the definition of the PRF game, has access to an oracle for a function Fn: {0,1}^2l → {0,1}^2l. It is trying to determine whether Fn = F^(2)_K for some K or Fn was chosen at random. It works as follows:

    Adversary A
        x1 ← 0^l 1^l
        y1 ← Fn(x1)
        Parse y1 as L_{1,2} R_{1,2}, where |L_{1,2}| = |R_{1,2}| = l
        x2 ← L_{1,2} 1^l
        y2 ← Fn(x2)
        Parse y2 as L_{2,2} R_{2,2}, where |L_{2,2}| = |R_{2,2}| = l
        If L_{2,2} = 0^l then return 1 else return 0

The advantage of A is by definition

    Adv^prf_{F^(2)}(A) = Pr[Real^A_{F^(2)} ⇒ 1] − Pr[Rand^A_{{0,1}^2l} ⇒ 1] .

We claim that the first term above is equal to 1 and the second term is equal to 2^−l. (And thus the advantage of our adversary is 1 − 2^−l, which is almost 1.) To justify our claim, consider the first term. Here, we are asking what is the probability that A outputs 1 given that it is in game Real, meaning its oracle Fn is a random instance of the family F^(2). Note that, in game Real, the left half of y1 will be L_{1,2} = F_K(1^l) ⊕ 0^l = F_K(1^l). In the second query, A uses this value as the left half of the input to Fn, so it gets xor-ed with the value of the function at the right half of x2. But A chose the right half to be 1^l, so F_K(1^l) is xor-ed with itself in the first round. Since any value xor-ed with itself is 0^l, and the right half of the first round's result is propagated to the left hand side of the output, we know that the left half of y2 will be 0^l. Now, consider the second term above. Here, we are asking what is the probability that A outputs 1 given that it is in game Rand, meaning its oracle Fn is a random function of 2l bits to 2l bits. In that case, there is a slight possibility that Fn will output a string that begins with l 0's, causing A to output 1. Specifically, the probability of this event is 2^−l.

Adversary A is practical because it makes only two oracle queries and has running time O(l).

For both (1) and (2) above, say what is the advantage achieved by your adversary. Also say what is its running time and the number of oracle queries it makes.
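Both distinguishers can be played against a real implementation of the Feistel construction. This is an added example, not part of the course solutions: it implements F^(r) for a small half-block length l, runs the adversaries of parts 1 and 2 in the Real game (oracle = F^(r)_K) and in the Rand game (oracle = a lazily sampled random function), and estimates the two probabilities in the advantage formula. The round function F is a truncated HMAC-SHA256, an assumption of this example.

```python
# Added example: the F^(1) and F^(2) PRF distinguishers of Problem 2, run in both games.
import hashlib
import hmac
import random

l = 8                       # half-block length in bits (small so Rand hits are observable)
MASK = (1 << l) - 1


def F(K, R):
    """Keyed round function {0,1}^l -> {0,1}^l (assumption: HMAC-SHA256 truncated to l bits)."""
    mac = hmac.new(K, R.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") & MASK


def feistel(r, K, x):
    """F^(r)(K, x): parse x as L0 R0, then r rounds of L_i = R_{i-1}, R_i = F(K, R_{i-1}) xor L_{i-1}."""
    L, R = (x >> l) & MASK, x & MASK
    for _ in range(r):
        L, R = R, F(K, R) ^ L
    return (L << l) | R


def random_function_oracle(rng):
    """Rand game: a random function {0,1}^2l -> {0,1}^2l, sampled lazily on first query."""
    memo = {}

    def Fn(x):
        if x not in memo:
            memo[x] = rng.getrandbits(2 * l)
        return memo[x]
    return Fn


def adversary_one_round(Fn):
    """Part 1: query 1^2l and output 1 iff the left half of the answer is 1^l."""
    y = Fn((1 << (2 * l)) - 1)
    return 1 if (y >> l) == MASK else 0


def adversary_two_rounds(Fn):
    """Part 2: query x1 = 0^l 1^l, feed its left half back as x2 = L_{1,2} 1^l,
    and output 1 iff the left half of y2 is 0^l."""
    y1 = Fn(MASK)                          # x1 = 0^l || 1^l
    L12 = (y1 >> l) & MASK
    y2 = Fn((L12 << l) | MASK)             # x2 = L_{1,2} || 1^l
    return 1 if (y2 >> l) == 0 else 0


def estimate(r, adversary, trials=500, seed=0):
    """Returns (Pr[Real => 1], Pr[Rand => 1]) estimated over `trials` fresh games each."""
    rng = random.Random(seed)
    real = 0
    for _ in range(trials):
        K = rng.getrandbits(128).to_bytes(16, "big")       # fresh key per Real game
        real += adversary(lambda x, K=K: feistel(r, K, x))
    rand = sum(adversary(random_function_oracle(rng)) for _ in range(trials))
    return real / trials, rand / trials


if __name__ == "__main__":
    print("F^(1):", estimate(1, adversary_one_round))      # expect (1.0, about 2^-8)
    print("F^(2):", estimate(2, adversary_two_rounds))     # expect (1.0, about 2^-8)
```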


Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 3 Solutions, February 1, 2010

Problem Set 3 Solutions

Problem 1 [50 points] Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Let E be the following encryption algorithm, based on the block cipher AES.

    function E_K(M)
        R ←$ {0,1}^128
        C[0] ← R
        for i = 1, . . . , n do
            W[i] ← (R + i) mod 2^128
            C[i] ← AES_K(M[i] ⊕ W[i])
        C ← C[0] C[1] . . . C[n]
        return C

Above W[i] ← (R + i) mod 2^128 means we regard R as an integer, add i to it, take the result modulo 2^128, view this as a 128-bit string, and assign it to W[i]. The message space is the set of all strings whose length is a positive multiple of 128, and, as usual M[i] denotes the i-th (128-bit) block of a message M and n denotes the number of blocks.

1. [10 points] Specify a decryption algorithm D such that SE = (K, E, D) is a symmetric encryption scheme.

    Algorithm D_K(C)
        Parse C as C[0] C[1] . . . C[m], each block 128 bits
        R ← C[0]
        For i = 1, . . . , m do
            W[i] ← (R + i) mod 2^128
            M[i] ← AES⁻¹_K(C[i]) ⊕ W[i]
        M ← M[1] . . . M[m]
        Return M

2. Show that this scheme is insecure by presenting a practical adversary A such that Adv^ind-cpa_SE(A) is high. State the value of the advantage achieved by your adversary and the number of oracle queries it makes.

Let I1 denote the 128-bit string representation of the integer 1.

    adversary A
        C[0] C[1] C[2] ←$ LR(0^128 ‖ 0^128, I1 ‖ 0^128)
        if C[1] = C[2] then return 1 else return 0

Suppose we are playing game Left_SE, so that C[0] C[1] C[2] ←$ E_K(0^128 ‖ 0^128). Then

    C[0] = R
    C[1] = AES_K(0^128 ⊕ (R + 1)) = AES_K(R + 1)
    C[2] = AES_K(0^128 ⊕ (R + 2)) = AES_K(R + 2) .

Since AES is a block cipher, C[1], C[2] above cannot be equal. So

    Pr[Left^A_SE ⇒ 1] = 0 .

Suppose we are playing game Right_SE, so that C[0] C[1] C[2] ←$ E_K(I1 ‖ 0^128). Then

    C[0] = R
    C[1] = AES_K(I1 ⊕ (R + 1))
    C[2] = AES_K(0^128 ⊕ (R + 2)) .

Notice that if R ends in 01, then R + 1 ends in 10 and R + 2 ends in 11, and thus (R + 1) ⊕ I1 ends in 11 and (R + 2) ⊕ 0^128 also ends in 11. In this case,

    C[1] = C[2]

so the game returns 1. Since the probability that R ends with 01 is 1/4 we have

    Pr[Right^A_SE ⇒ 1] ≥ 1/4 .

So

    Adv^ind-cpa_SE(A) ≥ 1/4 − 0 = 1/4 .

A makes 1 oracle query and its running time is very small.
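The scheme, its decryption algorithm and the one-query adversary can be exercised end to end. This is an added example, not part of the course solutions: a seeded 12-bit permutation stands in for AES (an assumption of this example; only the permutation property is used), and the Left and Right games are played over many random R so that the bound Adv ≥ 1/4 can be seen numerically.

```python
# Added example: the counter-masked scheme of Problem 1, its decryption, and the
# IND-CPA adversary A played in the Left and Right games.
import random
from functools import lru_cache

n_bits = 12                 # block length (128 for AES)
MOD = 1 << n_bits


@lru_cache(maxsize=None)
def block_cipher(K):
    """Keyed permutation of {0,1}^n and its inverse (assumption: seeded shuffle, not AES)."""
    perm = random.Random(K).sample(range(MOD), MOD)
    return perm, {c: m for m, c in enumerate(perm)}


def encrypt(K, M, rng):
    """E_K(M): C[0] = R; W[i] = (R + i) mod 2^n; C[i] = E_K(M[i] xor W[i]). M is a list of blocks."""
    perm, _ = block_cipher(K)
    R = rng.randrange(MOD)
    C = [R]
    for i, Mi in enumerate(M, start=1):
        C.append(perm[Mi ^ ((R + i) % MOD)])
    return C


def decrypt(K, C):
    """D_K(C): invert each block with E_K^-1, then strip the same mask W[i]."""
    _, inv = block_cipher(K)
    R = C[0]
    return [inv[Ci] ^ ((R + i) % MOD) for i, Ci in enumerate(C[1:], start=1)]


def adversary(LR):
    """One LR query: left = 0^n || 0^n, right = I1 || 0^n; output 1 iff C[1] = C[2]."""
    C = LR([0, 0], [1, 0])
    return 1 if C[1] == C[2] else 0


def game(K, side, rng):
    """Left game encrypts the left message of each query, Right game the right one."""
    return adversary(lambda M0, M1: encrypt(K, M0 if side == "left" else M1, rng))


def estimate_advantage(trials=4000, seed=7):
    """Returns (Pr[Left => 1], Pr[Right => 1], difference) over `trials` games each."""
    rng = random.Random(seed)
    K = rng.randrange(1 << 16)
    p_left = sum(game(K, "left", rng) for _ in range(trials)) / trials
    p_right = sum(game(K, "right", rng) for _ in range(trials)) / trials
    return p_left, p_right, p_right - p_left


if __name__ == "__main__":
    print(estimate_advantage())
```

Empirically Pr[Right ⇒ 1] comes out near 1/2 rather than 1/4: the write-up's 1/4 is a lower bound, since for any odd R (not only R ending in 01) R + 1 is even and so (R + 1) ⊕ I1 = R + 2.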

Problem 2 [25 points] A nuclear plant transmits 2^35 ciphertexts to a monitoring station. Each ciphertext encrypts, under a key shared between the parties, a voltage measurement that is either HIGH or LOW. (Each of these values is encoded in binary for the encryption.) Consider the following choices of encryption scheme:

1. [9 points] DES in CBC$ mode

2. [8 points] 2DES in CBC$ mode

3. [8 points] AES in ECB mode


For each choice, discuss possible threats and indicate to what extent they impact security. Highlight differences in the security provided by the schemes and what types of guarantees are available. Ultimately indicate for each choice whether it is secure or not. Strive to concisely provide only relevant information; you lose points otherwise.

Let M1, . . . , Mq denote the messages encrypted, and C1, . . . , Cq the corresponding ciphertexts, where q = 2^35. The adversary A of course knows C1, . . . , Cq but it would be prudent to also assume it knows a few plaintexts. Specifically we assume it knows M1. This is realistic because A may be working at the plant or have a posteriori knowledge.

1. [9 points] DES in CBC$ mode

The relevant attacks are exhaustive key search and the birthday attack. The value of q is too small for linear or differential cryptanalysis to be a threat.

A CBC$ ciphertext where A knows the plaintext provides it with an input-output example of DES under the encryption key. This allows it to mount an exhaustive key-search attack, which finds the key in just a few hours using appropriate key-search machines. This is an important threat.

The birthday attack on CBC$ mode becomes a threat once the number of messages encrypted reaches 2^{n/2} where n is the block length of the underlying block cipher. This is true here because n = 64 so 2^{n/2} = 2^32 while q = 2^35 > 2^32. Exploiting collisions in the initial vectors, this will be able to detect equality amongst some of the plaintexts, meaning partial information is lost. The attack is less damaging than key recovery, but it only requires 2^{64/2} = 2^32 time compared to 2^56 time for the key-recovery attack.

CBC$ is IND-CPA, but only for q < 2^32.

In conclusion, the scheme is not secure.

2. [8 points] 2DES in CBC$ mode

Since the key-length is 112, exhaustive key search is not a threat. The meet-in-the-middle attack takes only 2^57 time but is impractical due to its space requirements and is not a serious threat. Linear and differential cryptanalysis fail. The real threat is the birthday attack on CBC$ mode. The blocklength of 2DES is only 64, just as for DES, and q = 2^35 > 2^{64/2} = 2^32, so this attack succeeds in detecting some equalities amongst plaintexts. This loss of partial information may be damaging.

In conclusion, the scheme is not secure.

3. [8 points] AES in ECB mode

The key length of AES is too large for exhaustive search. But ECB mode is totally insecure. Knowing just M1, the adversary can figure out M2, . . . , Mq by the following simple procedure: For each i if Ci = C1 then Mi = M1 and else Mi ≠ M1.

In conclusion, the scheme is not secure.


Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 4 Solutions, November 1, 2010

Problem Set 4 Solutions

Problem 1. [20 points] Define the family of functions H: {0,1}^64 × {0,1}^192 → {0,1}^128 as follows:

    function H_K(x)
        a ‖ b ← x
        y ← AES_{K ‖ a}(b)
        return y

Here, a ‖ b ← x means we split x as x = a ‖ b with |a| = 64 and |b| = 128. Show that H is not collision-resistant by presenting a practical adversary A such that Adv^cr_H(A) is close to one. (The better the attack, the more points you get.)

The first thing to do is look at the definition of collision-resistance. The game shows us that the adversary gets as input the randomly chosen key K defining the particular instance H_K of the family H that it is attacking. Now we use the fact that AES is a block cipher and thus given K ‖ a1 one can easily compute AES⁻¹_{K ‖ a1}. The adversary with input the key K proceeds as follows:

    adversary A(K)
        Let a1, a2 be two different 64-bit strings and let b1 be any 128-bit string
        h ← AES_{K ‖ a1}(b1) ; b2 ← AES⁻¹_{K ‖ a2}(h)
        x1 ← a1 ‖ b1 ; x2 ← a2 ‖ b2
        return x1, x2

This adversary is very practical, using only two AES or AES⁻¹ computations. We claim that the x1, x2 it returns is a collision for H_K, which means that Adv^cr_H(A) = 1. The claim is true because

    AES_{K ‖ a2}(b2) = AES_{K ‖ a2}(AES⁻¹_{K ‖ a2}(h)) = h = AES_{K ‖ a1}(b1) ,

and also a1, a2 being different implies x1 ≠ x2.
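The two-computation collision can be checked concretely. This is an added example, not part of the course solutions: a seeded 12-bit permutation keyed by K ‖ a (8 + 8 bits) stands in for AES with its 128-bit key (assumptions of this example; the argument only uses that the cipher is invertible given its key).

```python
# Added example: the collision adversary of Problem 1 on a toy cipher keyed by K || a.
import random

A_BITS, B_BITS = 8, 12      # |a| = 64 and |b| = 128 in the problem
MOD = 1 << B_BITS


def toy_cipher(key):
    """Keyed permutation of {0,1}^12 and its inverse (assumption: seeded shuffle, not AES)."""
    perm = random.Random(key).sample(range(MOD), MOD)
    return perm, {c: m for m, c in enumerate(perm)}


def H(K, x):
    """H_K(a || b) = E_{K || a}(b): part of the hash input becomes part of the cipher key."""
    a, b = x
    return toy_cipher((K << A_BITS) | a)[0][b]


def adversary(K, a1=0x01, a2=0x02, b1=0x123):
    """Two cipher calls: h = E_{K||a1}(b1), then b2 = E^{-1}_{K||a2}(h), so both inputs map to h.
    a1, a2, b1 are constructed sample values (any a1 != a2 and any b1 work)."""
    h = toy_cipher((K << A_BITS) | a1)[0][b1]
    b2 = toy_cipher((K << A_BITS) | a2)[1][h]
    return (a1, b1), (a2, b2)


def is_collision(K, x1, x2):
    """x1 != x2 with H_K(x1) = H_K(x2)."""
    return x1 != x2 and H(K, x1) == H(K, x2)


if __name__ == "__main__":
    K = 0x5A
    x1, x2 = adversary(K)
    print(x1, x2, is_collision(K, x1, x2))
```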

Problem 2. [30 points] Let h: K × {0,1}^2b → {0,1}^b be a compression function. Define H: K × {0,1}^4b → {0,1}^b as follows:

    function H(K, M)
        M1 ‖ M2 ← M
        V1 ← h(K, M1) ; V2 ← h(K, M2)
        V ← h(K, V1 ‖ V2)
        return V


Here, M1 ‖ M2 ← M means we split M as M = M1 ‖ M2 with |M1| = |M2| = 2b. Show that if h is collision-resistant then so is H. Do this by stating and proving an analogue of the Theorem in class, which also appears as Theorem 6.8 in the course notes.

    adversary A_h(K)
        Run A_H(K) to get its output (y1, y2)
        Parse y1 as M_{1,1} ‖ M_{1,2} where |M_{1,1}| = |M_{1,2}| = 2b
        Parse y2 as M_{2,1} ‖ M_{2,2} where |M_{2,1}| = |M_{2,2}| = 2b
        V_{1,1} ← h(K, M_{1,1}) ; V_{1,2} ← h(K, M_{1,2})
        V_{2,1} ← h(K, M_{2,1}) ; V_{2,2} ← h(K, M_{2,2})
        V1 ← h(K, V_{1,1} ‖ V_{1,2})
        V2 ← h(K, V_{2,1} ‖ V_{2,2})
        If (V1 ≠ V2 OR y1 = y2) return FAIL    // A_H did not find a collision, so neither will A_h
        If V_{1,1} ‖ V_{1,2} ≠ V_{2,1} ‖ V_{2,2} then return (V_{1,1} ‖ V_{1,2}, V_{2,1} ‖ V_{2,2})
        If M_{1,1} ≠ M_{2,1} then return (M_{1,1}, M_{2,1})
        If M_{1,2} ≠ M_{2,2} then return (M_{1,2}, M_{2,2})

Figure 1: Adversary A_h for the proof of the theorem.

Theorem: Let h, H be as above. Suppose we are given an adversary A_H that attempts to find collisions in H. Then we can construct an adversary A_h that attempts to find collisions in h, and

    Adv^cr_H(A_H) ≤ Adv^cr_h(A_h) .                                       (1)

Furthermore, the running time of A_h is that of A_H plus the time to perform 6 computations of h.

This theorem says that if h is collision-resistant then so is H. Why? Let A_H be a practical adversary attacking H. Then A_h is also practical, because its running time is that of A_H plus a little more, namely the time for 6 computations of h. But h is collision-resistant so we know that Adv^cr_h(A_h) is low. Equation (1) then tells us that Adv^cr_H(A_H) is low, meaning H is collision-resistant as well.

Proof of theorem: We follow the proof of Theorem 6.8 in the notes. Adversary A_h, taking input a key K ∈ K, is depicted in Fig. 1. It runs A_H on input K to get a pair (y1, y2) of messages, each 4b bits long. We claim that if y1, y2 is a collision for H_K then A_h will return a collision for h_K.

Adversary A_h computes V1 = H_K(y1) and V2 = H_K(y2). If y1, y2 is a collision for H_K then we know that V1 = V2. Let us assume this. Now, let us look at the inputs to the application of h_K that yielded these outputs. These are V_{1,1} ‖ V_{1,2} and V_{2,1} ‖ V_{2,2}. If these inputs are different, they form a collision for h_K, and A_h outputs them.

If they are not different then we know that V_{1,1} = V_{2,1} and V_{1,2} = V_{2,2}. That V_{1,1} = V_{2,1} means that h(K, M_{1,1}) = h(K, M_{2,1}). So M_{1,1}, M_{2,1} form a collision for h unless they happen to be equal. Similarly, that V_{1,2} = V_{2,2} means that h(K, M_{1,2}) = h(K, M_{2,2}) and so M_{1,2}, M_{2,2} form a collision for h unless they happen to be equal. Adversary A_h checks for these equalities and returns an unequal pair. The key point is that we cannot have both M_{1,1} = M_{2,1} and M_{1,2} = M_{2,2} since that would imply y1 = y2, but we know that y1 ≠ y2 because it is a collision for H_K.
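The reduction in Fig. 1 can be run on a toy instance where H-collisions are cheap to find. This is an added example, not part of the course solutions: h is a truncated SHA-256 with b = 4 (an assumption of this example), a brute-force search plays the role of A_H, and A_h follows the figure's case analysis to turn the H-collision into an h-collision.

```python
# Added example: the two-level hash H of Problem 2 and the reduction adversary A_h.
import hashlib

b = 4                                    # h outputs b bits and takes 2b = 8 bits
MASK_B = (1 << b) - 1
MASK_2B = (1 << (2 * b)) - 1


def h(K, M):
    """Toy compression function {0,1}^2b -> {0,1}^b (assumption: SHA-256 of K || M, truncated)."""
    return hashlib.sha256(K + M.to_bytes(1, "big")).digest()[0] & MASK_B


def H(K, M):
    """H(K, M1 || M2) = h(K, h(K, M1) || h(K, M2)) with |M1| = |M2| = 2b."""
    M1, M2 = M >> (2 * b), M & MASK_2B
    V1, V2 = h(K, M1), h(K, M2)
    return h(K, (V1 << b) | V2)


def A_H(K):
    """Stand-in for the H-attacker: exhaustive search over the 4b-bit message space."""
    seen = {}
    for M in range(1 << (4 * b)):
        v = H(K, M)
        if v in seen:
            return seen[v], M
        seen[v] = M
    return None


def A_h(K):
    """Fig. 1: run A_H, recompute the intermediate h-inputs, and return the first
    unequal pair that collides under h (inner pair, else M_{*,1}, else M_{*,2})."""
    out = A_H(K)
    if out is None:
        return "FAIL"
    y1, y2 = out
    M11, M12 = y1 >> (2 * b), y1 & MASK_2B
    M21, M22 = y2 >> (2 * b), y2 & MASK_2B
    V11, V12 = h(K, M11), h(K, M12)
    V21, V22 = h(K, M21), h(K, M22)
    V1, V2 = h(K, (V11 << b) | V12), h(K, (V21 << b) | V22)
    if V1 != V2 or y1 == y2:
        return "FAIL"                                # A_H did not find a collision
    if (V11, V12) != (V21, V22):
        return (V11 << b) | V12, (V21 << b) | V22
    if M11 != M21:
        return M11, M21
    return M12, M22                                  # M12 != M22 because y1 != y2


def is_h_collision(K, pair):
    return pair != "FAIL" and pair[0] != pair[1] and h(K, pair[0]) == h(K, pair[1])


if __name__ == "__main__":
    K = b"\x01"                                      # constructed sample key
    print("H collision:", A_H(K), "-> h collision:", A_h(K))
```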


Problem 3. [20 points] Let sha1: {0,1}^672 → {0,1}^160 be the compression function underlying the SHA1 hash function. We define a message authentication scheme MA = (K, T, V) as follows. The key generation algorithm returns a random 160 bit string as the key K, and the tagging and verifying algorithms are:

    Algorithm T_K(M)
        M[1] . . . M[n] ← M
        C[0] ← K
        For i = 1, . . . , n do
            C[i] ← sha1(C[i − 1] ‖ M[i])
        Return C[n]

    Algorithm V_K(M, σ)
        If σ = T_K(M) then return 1
        Else return 0

Above, M[1] . . . M[n] ← M means we break M = M[1] . . . M[n] into 512-bit blocks. The message space is the set of all strings whose length is a positive multiple of 512. Present a practical chosen-message attack that succeeds in forgery using one query to the tagging oracle.

    adversary A
        x ← 0^512
        y ← Tag(x)
        T ← sha1(y ‖ 1^512)
        return (0^512 ‖ 1^512, T)

We have

    y = sha1(K ‖ 0^512)
    T = sha1(y ‖ 1^512) = T_K(0^512 ‖ 1^512) .

So Adv^uf-cma_MA(A) = 1.
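The forgery works because the tag is the full chaining value, so anyone can keep iterating the compression function. This is an added example, not part of the course solutions: it writes out the SHA-1 compression function sha1: {0,1}^672 → {0,1}^160 (checked against hashlib on the empty message), builds T_K on it, and runs the one-query adversary above against a tag oracle. The key is a constructed value.

```python
# Added example: MAC T_K over the SHA-1 compression function, and the one-query forgery.
import hashlib
import struct

M32 = 0xFFFFFFFF
IV = bytes.fromhex("67452301EFCDAB8998BADCFE10325476C3D2E1F0")   # SHA-1 initial chaining value


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def sha1_compress(chain, block):
    """sha1(chain || block): 160-bit chaining value and 512-bit block -> 160 bits."""
    assert len(chain) == 20 and len(block) == 64
    h = list(struct.unpack(">5I", chain))
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                                # message schedule
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & M32) + e + k + w[t]) & M32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & M32 for x, y in zip(h, (a, b, c, d, e))])


def tag(K, M):
    """T_K(M): C[0] = K; C[i] = sha1(C[i-1] || M[i]) over 512-bit blocks; return C[n]."""
    assert len(K) == 20 and M and len(M) % 64 == 0
    C = K
    for i in range(0, len(M), 64):
        C = sha1_compress(C, M[i:i + 64])
    return C


def verify(K, M, sigma):
    return 1 if sigma == tag(K, M) else 0


def adversary(Tag):
    """Query x = 0^512, then T = sha1(y || 1^512) is the valid tag of 0^512 || 1^512."""
    x = bytes(64)
    y = Tag(x)
    ones = b"\xff" * 64
    return x + ones, sha1_compress(y, ones)


def run_forgery(K):
    """uf-cma game: returns (verify result, number of Tag queries, forged message is new)."""
    queried = []

    def Tag(M):
        queried.append(M)
        return tag(K, M)

    M, T = adversary(Tag)
    return verify(K, M, T), len(queried), M not in queried


if __name__ == "__main__":
    K = hashlib.sha1(b"constructed key").digest()         # constructed 160-bit key
    print(run_forgery(K))
```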


Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 5 Solutions, November 8, 2010

Problem Set 5 Solutions

Problem 1. [40 points] Let E: {0,1}^k × {0,1}^l → {0,1}^l be a secure block cipher, where k, l ≥ 128. Let K be the key-generation algorithm that returns a random k-bit key K. Let

    Plaintexts = { M ∈ {0,1}^* : 0 < |M| < l·2^l and |M| mod l = 0 } .

Let T ,V be the following tagging and verification algorithms:

    algorithm T_K(M)
        if M ∉ Plaintexts then return ⊥
        Break M into l bit blocks, M = M[1] . . . M[n]
        M[n + 1] ← 〈n〉
        C[0] ← 0^l
        for i = 1, . . . , n + 1 do
            C[i] ← E_K(C[i − 1] ⊕ M[i])
        return C[n + 1]

    algorithm V_K(M, σ)
        if M ∉ Plaintexts then return 0
        if σ = T_K(M) then return 1
        else return 0

Above, 〈n〉 denotes the l-bit binary representation of the integer n.

Show that MA = (K, T, V) is an insecure message-authentication scheme by presenting a practical adversary A such that Adv^uf-cma_MA(A) = 1. Say how many queries A makes to each of its oracles, and what is its running time. (The number of points you get depends on these quantities.)

Discussion. We saw that the CBC-MAC is not secure when one wants to authenticate strings of varying length. The above is a possible fix, which appends the number of blocks in the message to the message before computing the CBC-MAC. Your task is to show that this fix does not work, meaning the scheme is still insecure.

Recall that the adversary is given oracles Tag(·) and Verify(·, ·). Our adversary A proceeds as follows:

    adversary A
        Tag0 ← Tag(0^l)
        Tag1 ← Tag(0^l ‖ 〈1〉 ‖ Tag0)
        d ← Verify(0^l ‖ 〈3〉 ‖ Tag1, Tag1)

This adversary makes two queries to its Tag(·) oracle and one to its Verify(·, ·) oracle, and has running time O(l) plus the time for the computations of responses to oracle queries. We claim that Adv^uf-cma_MA(A) = 1. Let us now justify this. We let Z = E_K(0^l). Then notice that

    Tag0 = E_K(Z ⊕ 〈1〉)
    Tag1 = E_K(Z ⊕ 〈3〉) .

However, it is also the case that

    T_K(0^l ‖ 〈3〉 ‖ Tag1) = E_K(Z ⊕ 〈3〉) .

Thus V_K will accept Tag1 as the tag for 0^l ‖ 〈3〉 ‖ Tag1.
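The chain of equalities above, traced through the actual CBC computation, is easiest to believe when run. This is an added example, not part of the course solutions: it implements T_K and V_K with the appended block count over a toy 12-bit block cipher (a seeded permutation, an assumption of this example; only invertibility and determinism matter), then plays the two-Tag-query, one-Verify-query adversary.

```python
# Added example: the length-appending CBC-MAC of Problem 1 and the forgery against it.
import random

l = 12                      # block length in bits (the problem has l >= 128)
MOD = 1 << l


def toy_cipher(K):
    """Keyed permutation of {0,1}^l standing in for E_K (assumption: seeded shuffle)."""
    return random.Random(K).sample(range(MOD), MOD)


def in_plaintexts(M):
    """0 < |M| < l*2^l and |M| mod l = 0, i.e. between 1 and 2^l - 1 blocks of l bits."""
    return 0 < len(M) < MOD and all(0 <= x < MOD for x in M)


def tag(K, M):
    """T_K(M): append <n> (the block count) and CBC-MAC from C[0] = 0^l; return C[n+1]."""
    if not in_plaintexts(M):
        return None
    E = toy_cipher(K)
    C = 0
    for block in M + [len(M)]:
        C = E[C ^ block]
    return C


def verify(K, M, sigma):
    return 1 if in_plaintexts(M) and sigma == tag(K, M) else 0


def adversary(Tag, Verify):
    """Two Tag queries, one Verify query, exactly as in the write-up.
    Returns Verify's answer and the forged (message, tag)."""
    Tag0 = Tag([0])                 # = E_K(Z xor <1>) with Z = E_K(0^l)
    Tag1 = Tag([0, 1, Tag0])        # third block cancels the chain back to Z; = E_K(Z xor <3>)
    forged = [0, 3, Tag1]           # T_K of this is again E_K(Z xor <3>) = Tag1
    return Verify(forged, Tag1), forged, Tag1


def run(K=0xBEEF):
    """Plays the uf-cma game with logging oracles; K is a constructed sample key.
    Returns (verify result, forged message was never tagged, #Tag queries, #Verify queries)."""
    log = {"tag": [], "verify": []}

    def Tag(M):
        log["tag"].append(list(M))
        return tag(K, M)

    def Verify(M, sigma):
        log["verify"].append(list(M))
        return verify(K, M, sigma)

    d, forged, _ = adversary(Tag, Verify)
    return d, forged not in log["tag"], len(log["tag"]), len(log["verify"])


if __name__ == "__main__":
    print(run())
```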

Problem 2. [40 points] Consider the following computational problem:

    Input: N, a, b, x, y where N ≥ 1 is an integer, a, b ∈ Z*_N and x, y are integers with 0 ≤ x, y < N
    Output: a^x b^y mod N

Let k = |N|. The naive algorithm for this first computes a^x mod N, then computes b^y mod N, and multiplies them modulo N. This has a worst case cost of 4k + 1 multiplications modulo N. Design an alternative, faster algorithm for this problem that uses at most 2k + 1 multiplications modulo N.

Let us first explain the claim about the naive algorithm. On inputs N, a, b, x, y it would do the following:

    A ← MOD-EXP(a, x, N)
    B ← MOD-EXP(b, y, N)
    z ← MOD-MULT(A, B, N)
    Return z

The algorithm MOD-EXP was presented in class and is shown in the slides for the Computational Number Theory chapter. It is the special case of algorithm EXP_G when the group G is Z*_N. Each iteration of the for loop of that algorithm uses two modular multiplications in the worst case, the first to obtain w = y^2 mod N from y and the second to obtain w · a^{b_i} mod N. Thus, MOD-EXP uses 2k modular multiplications in all. So the above naive algorithm uses 4k + 1 modular multiplications.

The faster algorithm extends the ideas of EXP_G. It works as follows:

    Alg FASTEXP(N, a, b, x, y)
        Let x_{k−1} . . . x_1 x_0 be the binary representation of x
        Let y_{k−1} . . . y_1 y_0 be the binary representation of y
        c ← ab mod N
        z ← 1
        for i = k − 1 downto 0 do
            if x_i = 1 and y_i = 1 then z ← z^2 · c mod N
            if x_i = 1 and y_i = 0 then z ← z^2 · a mod N
            if x_i = 0 and y_i = 1 then z ← z^2 · b mod N
            if x_i = 0 and y_i = 0 then z ← z^2 mod N
        return z

Since 0 ≤ x, y < N and N is k bits long, we know that x and y are also at most k bits long. Therefore, the number of iterations for the loop is at most k. Since each loop incurs at most two modular multiplications, the total number of multiplications in the for loop is 2k. Adding the one multiplication done on the 4th line of the code to get c, we have that the total number of multiplications for FASTEXP is 2k + 1 as desired.
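The 2k + 1 versus 4k + 1 accounting can be verified by instrumenting both algorithms. This is an added example, not part of the course solutions: FASTEXP as written above and the naive MOD-EXP route, each returning its result together with the number of modular multiplications it performed (a squaring is counted as one multiplication, as in the write-up).

```python
# Added example: FASTEXP from Problem 2 and the naive route, with multiplication counters.


def mod_exp_counted(a, x, N, k):
    """MOD-EXP as in the slides: scan the k bits of x from the top, square, then
    multiply by a when the bit is 1. Returns (a^x mod N, number of modular mults)."""
    y, mults = 1, 0
    for bit in format(x, f"0{k}b"):
        y = y * y % N
        mults += 1
        if bit == "1":
            y = y * a % N
            mults += 1
    return y, mults


def naive(N, a, b, x, y):
    """a^x mod N, b^y mod N, then one MOD-MULT: at most 4k + 1 multiplications."""
    k = N.bit_length()
    A, m1 = mod_exp_counted(a, x, N, k)
    B, m2 = mod_exp_counted(b, y, N, k)
    return A * B % N, m1 + m2 + 1


def fastexp(N, a, b, x, y):
    """FASTEXP: precompute c = ab mod N, then one square per bit position and at most
    one multiply by a, b or c depending on the pair of bits (x_i, y_i)."""
    k = N.bit_length()
    assert 0 <= x < N and 0 <= y < N, "x, y must be at most k bits long"
    xb, yb = format(x, f"0{k}b"), format(y, f"0{k}b")
    c = a * b % N
    mults = 1
    z = 1
    for xi, yi in zip(xb, yb):
        z = z * z % N
        mults += 1
        if xi == "1" and yi == "1":
            z = z * c % N
            mults += 1
        elif xi == "1":
            z = z * a % N
            mults += 1
        elif yi == "1":
            z = z * b % N
            mults += 1
    return z, mults


if __name__ == "__main__":
    N, a, b, x, y = 1000003, 12345, 67890, 999999, 123456   # constructed sample inputs
    print("naive  :", naive(N, a, b, x, y), "bound 4k+1 =", 4 * N.bit_length() + 1)
    print("fastexp:", fastexp(N, a, b, x, y), "bound 2k+1 =", 2 * N.bit_length() + 1)
```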


Computer Science and Engineering, UCSD, Fall 10
CSE 107: Introduction to Modern Cryptography
Instructor: Mihir Bellare
Problem Set 6 Solutions, November 28, 2010

Problem Set 6 Solutions

Problem 1 [40 points] Let p ≥ 3 be a prime and g ∈ Z*_p a generator of Z*_p. (These are public quantities, known to all parties including the adversary.) Consider the key-generation and encryption algorithms below:

    Algorithm K
        x ←$ Z*_{p−1}
        X ← g^x mod p
        return (X, x)

    Algorithm E(X, M)
        if M ∉ Z*_p then return ⊥
        y ←$ Z_{p−1} ; Y ← g^y mod p
        Z ← X^y mod p ; W ← Y · M mod p
        return (Z, W)

The message space associated to public key X is Messages(X) = Z*_p. We let k be the bit-length of p.

1. [10 points] Specify a decryption algorithm D such that AE = (K, E, D) is an asymmetric encryption scheme satisfying the correct decryption property. State the running time of your algorithm as a function of k (the lower this is, the more credit you get) and prove that the correct decryption property holds.

The decryption algorithm takes as input the secret key x and a ciphertext C = (Z, W) and must return the underlying message M. It works as follows:

algorithm D(x, C)
    Parse C as (Z, W)
    s ← x^{−1} mod (p − 1)
    Y ← Z^s mod p
    M ← W · Y^{−1} mod p
    return M

Note that in the key-generation algorithm x is chosen from Z*_{p−1} (and not Z_{p−1}). This implies that x has an inverse modulo p − 1. The decryption algorithm begins by computing this inverse and denoting it by s. The fact that s is the inverse of x modulo p − 1 means that xs mod (p − 1) = 1.

Now, to show that the decryption algorithm is correct we have to show that

D(x, E(X,M)) = M

for any M ∈ Z*_p. Let C = (Z, W) be an output of E(X, M). We want to show that D(x, C) = M. Let y be the value chosen by the encryption algorithm such that Y = g^y mod p. Then


Z = X^y = g^{xy} mod p. Now, we first claim that Y is correctly re-computed by the decryption algorithm. This is true because modulo p we have:

$$
Z^s \equiv (g^{xy})^s \equiv g^{xys \bmod (p-1)} \equiv g^{1\cdot y \bmod (p-1)} \equiv g^y \equiv Y .
$$

Since W = Y · M mod p, the decryption algorithm, knowing Y, can recover M via M ← W · Y^{−1} mod p.

The decryption algorithm performs one modular exponentiation, which is O(k^3); a couple of modular inverses, each of which is O(k^2); and a modular multiplication, which is O(k^2). So its running time is O(k^3).

2. [30 points] Show that this scheme is insecure with regard to the ind-cpa property by presenting an adversary A such that Adv^{ind-cpa}_{AE}(A) is high. You should specify the adversary, state its running time as a function of k (the smaller this is, the more credit you get), state the value of its advantage (the larger this is, the more credit you get) and justify the correctness of the adversary.

As for the El Gamal scheme studied in class, the weakness of this scheme is that given the public key X and a ciphertext C = (Z, W) an adversary can compute the Jacobi symbol of the message M. To illustrate this, let y be the value chosen at random by the encryption algorithm in its computation on input M and output C. Let Y = g^y mod p and Z = X^y mod p. Then we have the following equations, which we justify following their statements:

$$
\begin{aligned}
J_p(M) &= J_p(W \cdot Y^{-1} \bmod p) & (1)\\
       &= J_p(W) \cdot J_p(Y^{-1} \bmod p) & (2)\\
       &= J_p(W) \cdot J_p(Y) & (3)\\
       &= J_p(W) \cdot J_p(Z) \,. & (4)
\end{aligned}
$$

Let us explain the reasoning behind the equations above. Equation (1) is true because the 4th line of the encryption algorithm tells us that M = W · Y^{−1} mod p. Equation (2) is true because of the Proposition we saw in class stating that J_p(ab mod p) = J_p(a) · J_p(b) for all a, b ∈ Z*_p. Equation (3) is true because of the Proposition we saw in class stating that J_p(a) = J_p(a^{−1} mod p) for all a ∈ Z*_p. Finally, we claim that J_p(Y) = J_p(Z), which justifies Equation (4). Why is this claim true? We know that Z ≡ X^y ≡ g^{xy} (mod p). Observe that x is an odd number. (Why? The key-generation algorithm tells us that x ∈ Z*_{p−1}, meaning gcd(x, p − 1) = 1. But p is odd so p − 1 is even, and so x must be odd, else gcd(x, p − 1) would be at least two.) Since x is odd, xy mod (p − 1) is even if and only if y is even. In other words, g^{xy} mod p is a square iff g^y mod p is a square. That is, J_p(g^{xy} mod p) = J_p(g^y mod p). But Z = g^{xy} mod p and Y = g^y mod p, so we have justified the claim that J_p(Y) = J_p(Z) and hence justified Equation (4).

The import of Equation (4) is that J_p(M) can be computed if we know J_p(W) and J_p(Z). But W, Z are part of the ciphertext and so an adversary can compute J_p(W) and J_p(Z). Thus an adversary can compute J_p(M) given the (public key and) the ciphertext, which is a security weakness in the scheme.

We capitalize on this in the same way as in the attack on the El Gamal scheme. Our adversary A has access to the oracle LR(·, ·), takes input the public key X, and proceeds as follows:


adversary A(X)
    M_0 ← g ; M_1 ← g^2 mod p
    C ←$ LR(M_0, M_1)
    Parse C as (Z, W)
    if J_p(W) · J_p(Z) = 1 then d ← 1 else d ← 0
    return d

The adversary picks M_0 to be a non-square, meaning J_p(M_0) = −1, and picks M_1 to be a square, meaning J_p(M_1) = 1. It then computes J_p(M_b) via Equation (4), where b is the challenge bit chosen in the experiment. If this value is 1 it knows that the chosen message was M_1, and if not it knows that the chosen message was M_0.

To see how well this adversary does, we need to compute its advantage

$$
\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A) = \Pr\left[\mathrm{Right}^{A}_{\mathcal{AE}} \Rightarrow 1\right] - \Pr\left[\mathrm{Left}^{A}_{\mathcal{AE}} \Rightarrow 1\right] .
$$

Assume b = 1. This means that the ciphertext C = (Z, W) obtained by A above is an encryption of M_1, meaning the experiment generated it via C ←$ E(X, M_1). Equation (4) tells us that J_p(W) · J_p(Z) = J_p(M_1). We know the latter is 1 because M_1 = g^2 mod p. So A returns 1. In other words, Pr[Right^A_{AE} ⇒ 1] = 1.

On the other hand, assume b = 0. This means that the ciphertext C = (Z, W) obtained by A above is an encryption of M_0, meaning the experiment generated it via C ←$ E(X, M_0). Equation (4) tells us that J_p(W) · J_p(Z) = J_p(M_0). We know the latter is −1 because M_0 = g. So A returns 0. In other words, Pr[Left^A_{AE} ⇒ 1] = 0.

Now, plugging this into the advantage formula we get

$$
\mathrm{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A) = 1 - 0 = 1 .
$$

The running time of the adversary is O(k^3) since it does some Jacobi symbol computations and these are modular exponentiations via the formula J_p(a) ≡ a^{(p−1)/2} (mod p), valid for all a ∈ Z*_p, that we proved in class.
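The following is an added example, not code from the problem set: it implements the scheme (K, E, D) from part 1, checks the correct-decryption property, and runs the Jacobi-symbol adversary A from part 2 to measure its advantage. It assumes the constructed small parameters p = 23 and g = 5 (5 generates Z*_23) and computes J_p via Euler's criterion, as in the running-time remark above.

```python
import math
import random


def jacobi(a, p):
    """J_p(a) for prime p via Euler's criterion: a^((p-1)/2) mod p is 1 or p-1."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def keygen(p, g):
    """Algorithm K: x drawn from Z*_{p-1} (so x is invertible modulo p-1)."""
    while True:
        x = random.randrange(1, p - 1)
        if math.gcd(x, p - 1) == 1:
            return pow(g, x, p), x          # (X, x)


def encrypt(p, g, X, M):
    """Algorithm E: (Z, W) = (X^y mod p, Y*M mod p) with Y = g^y mod p."""
    if not 1 <= M < p:                      # M must lie in Z*_p, else bottom
        return None
    y = random.randrange(0, p - 1)
    Y = pow(g, y, p)
    return pow(X, y, p), (Y * M) % p


def decrypt(p, x, C):
    """Algorithm D: s = x^{-1} mod (p-1), Y = Z^s mod p, M = W * Y^{-1} mod p."""
    Z, W = C
    s = pow(x, -1, p - 1)
    Y = pow(Z, s, p)
    return (W * pow(Y, -1, p)) % p


def roundtrip_ok(p, g):
    """Correct decryption: D(x, E(X, M)) = M for every M in Z*_p."""
    X, x = keygen(p, g)
    return all(decrypt(p, x, encrypt(p, g, X, M)) == M for M in range(1, p))


def adversary_guess(p, C):
    """Decision rule of adversary A: output 1 iff J_p(W) * J_p(Z) = 1."""
    Z, W = C
    return 1 if jacobi(W, p) * jacobi(Z, p) == 1 else 0


def advantage(p, g, trials=200):
    """Estimate Pr[Right => 1] - Pr[Left => 1] for M_0 = g, M_1 = g^2 mod p."""
    X, _ = keygen(p, g)
    M0, M1 = g % p, pow(g, 2, p)
    right = sum(adversary_guess(p, encrypt(p, g, X, M1)) for _ in range(trials))
    left = sum(adversary_guess(p, encrypt(p, g, X, M0)) for _ in range(trials))
    return (right - left) / trials
```

Because Equation (4) holds for every choice of y, the estimate comes out as exactly 1 regardless of the number of trials.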
