sinha final cs549 s08


Upload: amy-ramirez

Post on 18-Nov-2014


Page 1: Sinha Final CS549 S08

CS549 Take home final exam

Submitted By: Amit Sinha
CWID: 10433818
Section: Bangalore

1. (40 points) This question is about the RSA encryption system. Given an integer modulus n = p · q, and an encryption key e with gcd(e, φ(n)) = 1, we know that the integer d, with e · d = 1 mod φ(n), can serve as the decryption key for the RSA system. In other words, given any message m and ciphertext c = m^e mod n, the computation c^d mod n will give you the original message m.

Assume that Alice randomly selected two prime numbers p = 73 and q = 101. Alice randomly selected a random number e1 = 113 as her public key (for encryption). Assume that Bob also selected p = 73 and q = 101 for his RSA system and Bob selected a random number e2 = 127 as his public key. Alice published her public key e1 = 113 and n = 7373. Bob published his public key e2 = 127 and n = 7373. Charlie wants to send a message m = 2009 to both Alice and Bob using their public keys for encryption.

Answer the following questions. For all computations, you need to show the details (step by step) of your calculation. You cannot just list the number directly computed by using some code as your answer.

(a) (5 points) What is the ciphertext C1 Charlie sent to Alice?

[Answer] The ciphertext sent by Charlie will be as follows: c = m^e mod n, where m = 2009, e = 113, n = 7373

c = 2009^113 mod 7373

Let's compute 2009^113 mod 7373.

Let's first represent 113 in binary format:

113 = 2^6 + 2^5 + 2^4 + 2^0

2009^113 = 2009^(2^6 + 2^5 + 2^4 + 2^0)

2009^113 = 2009^(2^6) · 2009^(2^5) · 2009^(2^4) · 2009^(2^0) ----- call it eq 1

Now let’s multiply the numbers below and compute mod 7373


2009 mod 7373 = 2009
2009^2 mod 7373 = 3050
2009^(2^2) mod 7373 = 5147
2009^(2^3) mod 7373 = 420
2009^(2^4) mod 7373 = 6821
2009^(2^5) mod 7373 = 2411
2009^(2^6) mod 7373 = 2997

Putting the above values in equation 1 gives

2009^113 mod 7373 = 2997 * 2411 * 6821 * 2009 mod 7373

= 603

Ciphertext (C1) = 603

(b) (5 points) What is the ciphertext C2 Charlie sent to Bob?

[Answer] The ciphertext sent by Charlie to Bob will be as follows: c = m^e mod n, where m = 2009, e = 127, n = 7373

c = 2009^127 mod 7373

Let's compute 2009^127 mod 7373.

Let's first represent 127 in binary format:

127 = 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0

2009^127 = 2009^(2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0)

2009^127 = 2009^(2^6) · 2009^(2^5) · 2009^(2^4) · 2009^(2^3) · 2009^(2^2) · 2009^(2^1) · 2009^(2^0) ----- call it eq 1

Now let’s multiply the numbers below and compute mod 7373

2009 mod 7373 = 2009
2009^2 mod 7373 = 3050
2009^(2^2) mod 7373 = 5147
2009^(2^3) mod 7373 = 420
2009^(2^4) mod 7373 = 6821
2009^(2^5) mod 7373 = 2411
2009^(2^6) mod 7373 = 2997

Putting the above values in equation 1 gives

2009^127 mod 7373 = 2997 * 2411 * 6821 * 420 * 5147 * 3050 * 2009 mod 7373

= 911

Ciphertext (C2) = 911

(c) (5 points) What is the decryption key d1 used by Alice based on the RSA system?

[Answer] Alice uses the following parameters: p = 73, q = 101, e1 = 113, n = 7373

Let d1 denote the decryption key: e1 * d1 = 1 mod φ(n)

φ(n) = (p-1)(q-1) = (73-1)(101-1) = 72 * 100 = 7200

d1 = e1^-1 mod φ(n) = 113^-1 mod 7200

Now let's calculate gcd(7200, 113):

gcd(7200, 113) ≡ gcd(113, 81) ≡ gcd(81, 32) ≡ gcd(32, 17) ≡ gcd(17, 15) ≡ gcd(15, 2) ≡ gcd(2, 1) ≡ 1

At each stage above the transformation can be written as follows:

=


=

=

=

=

=

So from the above transformation we can say the following:

=

Where a, b, c and d can be obtained by multiplying the 2D matrices above:

=

From equation 2 we have 1 = c * 7200 + d * 113, or 1 = -53 * 7200 + 3377 * 113

Or 3377 * 113 = 1 + 53 * 7200

113^-1 mod 7200 = 3377

So decryption key d1 = 3377
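The extended Euclidean algorithm behind part (c), as an added example that is not part of the exam submission: the matrix form on the page and the coefficient tracking below are the same computation, the routine just records each division step so the chain gcd(7200, 113) → gcd(113, 81) → … can be read off, and returns the Bezout coefficients from which e^-1 mod φ(n) follows. The function names are my own; the numbers are the page's.

```python
# Added example (not from the exam submission): extended Euclid for the RSA
# private exponent. Records every division step so the gcd chain on the page
# can be reproduced, then reads d = e^-1 mod phi off the Bezout identity.


def extended_gcd(a, b):
    """Return (g, x, y, steps) with g = gcd(a, b) and a*x + b*y = g.

    `steps` lists each division a = q*b + r in order, which is exactly the
    chain gcd(a, b) -> gcd(b, r) -> ... written on the page.
    """
    steps = []
    x0, y0, x1, y1 = 1, 0, 0, 1  # invariants: a = A*x0 + B*y0, b = A*x1 + B*y1
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0, steps


def is_valid_public_exponent(e, phi):
    """RSA requires gcd(e, phi(n)) = 1, otherwise no decryption exponent exists."""
    return extended_gcd(phi, e)[0] == 1


def rsa_private_exponent(e, phi):
    """d = e^-1 mod phi. Raises if e is not invertible (gcd(e, phi) != 1)."""
    g, x, y, _ = extended_gcd(phi, e)
    if g != 1:
        raise ValueError(f"e={e} is not invertible mod phi={phi} (gcd={g})")
    # phi*x + e*y = 1  =>  e*y = 1 (mod phi); normalise y into [0, phi).
    return y % phi


def euclid_chain(a, b):
    """Render the gcd chain in the notation used on the page."""
    _, _, _, steps = extended_gcd(a, b)
    parts = [f"gcd({s[0]},{s[1]})" for s in steps]
    return " = ".join(parts + [str(steps[-1][1])])


if __name__ == "__main__":
    phi = (73 - 1) * (101 - 1)  # 7200, from the exam's p and q
    print(euclid_chain(phi, 113))
    for e in (113, 127):
        print(f"e={e}: d={rsa_private_exponent(e, phi)}")
```

The Bezout identity printed for e = 113 is -53 * 7200 + 3377 * 113 = 1, matching the page; the same call with e = 127 gives Bob's d2 = 6463 used in part (e).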

(d) (5 points) Show the process Alice decrypts the ciphertext using only the procedure C1^d1 mod n?

[Answer] Alice would decrypt the message as follows: m = c^d1 mod n, where c = 603, d1 = 3377, n = 7373


m = 603^3377 mod 7373

Let's first represent 3377 in binary format:

3377 = 2^11 + 2^10 + 2^8 + 2^5 + 2^4 + 2^0

603^3377 = 603^(2^11) · 603^(2^10) · 603^(2^8) · 603^(2^5) · 603^(2^4) · 603^(2^0)

Now let's multiply the numbers below and compute mod 7373

603 mod 7373 = 603
603^2 mod 7373 = 2332
603^(2^2) mod 7373 = 4323
603^(2^3) mod 7373 = 5147
603^(2^4) mod 7373 = 420
603^(2^5) mod 7373 = 6821
603^(2^6) mod 7373 = 2411
603^(2^7) mod 7373 = 2997
603^(2^8) mod 7373 = 1695
603^(2^9) mod 7373 = 4928
603^(2^10) mod 7373 = 5895
603^(2^11) mod 7373 = 2076

603^3377 mod 7373 = 2076 * 5895 * 1695 * 6821 * 420 * 603 mod 7373 = 2009

Hence m = c ^ d1 mod n = 2009
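The square-and-multiply procedure used in parts (a), (b) and (d), as an added example that is not part of the exam submission: it builds the column of repeated squarings base^(2^i) mod n exactly as tabulated above, then multiplies together the entries whose bit is set in the exponent. Function names are my own; every number in the usage section is from the page.

```python
# Added example (not from the exam submission): right-to-left binary
# exponentiation, i.e. the "represent the exponent in binary, square
# repeatedly, multiply the selected powers" method shown on the page.


def power_table(base, exponent, modulus):
    """Return [base^(2^0), base^(2^1), ..., base^(2^t)] mod modulus,
    t = exponent.bit_length() - 1. This is the squaring column on the page."""
    table = []
    cur = base % modulus
    for _ in range(exponent.bit_length()):
        table.append(cur)
        cur = cur * cur % modulus
    return table


def set_bit_factors(base, exponent, modulus):
    """The table entries that actually enter the product (bits set in exponent),
    listed from the least significant bit upwards."""
    table = power_table(base, exponent, modulus)
    return [value for bit, value in enumerate(table) if (exponent >> bit) & 1]


def mod_pow(base, exponent, modulus):
    """base^exponent mod modulus by square-and-multiply.

    Work is O(log exponent) multiplications, which is why RSA with a
    13-bit exponent like 3377 needs only a dozen squarings, not 3377 products.
    """
    if modulus == 1:
        return 0
    result = 1
    for value in set_bit_factors(base, exponent, modulus):
        result = result * value % modulus
    return result


def rsa_roundtrip(m, e, d, n):
    """Encrypt then decrypt with the page's parameters; returns (c, recovered)."""
    c = mod_pow(m, e, n)
    return c, mod_pow(c, d, n)


if __name__ == "__main__":
    n = 7373
    for base, exp in ((2009, 113), (2009, 127), (603, 3377)):
        for i, v in enumerate(power_table(base, exp, n)):
            print(f"{base}^(2^{i}) mod {n} = {v}")
        print(f"{base}^{exp} mod {n} = {mod_pow(base, exp, n)}\n")
```

Run stand-alone it prints the three squaring tables above and the results 603, 911 and 2009; the `rsa_roundtrip` helper ties (a) and (d) together for Alice's key pair (e1 = 113, d1 = 3377).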

(e) (10 points) Assume that Bob uses the Chinese Remainder Theorem approach (see our lectures) instead for decryption. Show all the computations done by Bob to decrypt the ciphertext C2.

[Answer] Bob wishes to compute the value of m = c2^d2 mod n. Parameters used by Bob: p = 73, q = 101, n = 7373, e2 = 127, φ(n) = 7200

He has to first compute d2 as below: d2 = e2^-1 mod φ(n) = 127^-1 mod 7200 = 6463

It's given that c2 = 911, p = 73, q = 101. He uses the Chinese remainder theorem (CRT). So he computes the following intermediate results for CRT:

vp = c2^d2 mod p = c2^(d2 mod (p-1)) mod p = 911^(6463 mod 72) mod 73 = 38

vq = c2^d2 mod q = c2^(d2 mod (q-1)) mod q = 911^(6463 mod 100) mod 101 = 90

Xp = q * (q^-1 mod p) = 101 * (101^-1 mod 73) = 101 * 60 = 6060

Xq = p * (p^-1 mod q) = 73 * (73^-1 mod 101) = 73 * 18 = 1314

Using CRT then, m can be computed as m = (vp·Xp + vq·Xq) mod n = (38 * 6060 + 90 * 1314) mod 7373 = (230280 + 118260) mod 7373 = 2009
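Bob's CRT decryption from part (e), as an added example that is not part of the exam submission. It computes the same intermediate values (reduced exponents, vp, vq, Xp, Xq) and the recombination, and adds one safeguard the page does not mention: before releasing m it re-encrypts and compares with c, which is the standard check against a faulty CRT half-computation producing a wrong (and, for a real key, factor-revealing) output. `pow(x, -1, p)` needs Python 3.8 or later; function names are my own.

```python
# Added example (not from the exam submission): RSA-CRT decryption with the
# page's numbers, plus a re-encryption check before the plaintext is released.


def crt_decrypt(c, d, p, q, e=None):
    """Decrypt c with private exponent d using the CRT on p and q.

    Returns (m, details) where details holds every intermediate value named
    on the page. If the public exponent e is supplied, the result is verified
    by re-encryption so that a corrupted half-computation is never released.
    """
    n = p * q
    # Exponents are reduced by Fermat: c^d = c^(d mod (p-1)) (mod p).
    dp, dq = d % (p - 1), d % (q - 1)
    vp, vq = pow(c, dp, p), pow(c, dq, q)
    # CRT weights: xp = 1 (mod p), 0 (mod q); xq = 0 (mod p), 1 (mod q).
    xp = q * pow(q, -1, p)
    xq = p * pow(p, -1, q)
    m = (vp * xp + vq * xq) % n
    if e is not None and pow(m, e, n) != c:
        raise ValueError("CRT result does not re-encrypt to c; refusing to release it")
    details = {"dp": dp, "dq": dq, "vp": vp, "vq": vq, "xp": xp, "xq": xq}
    return m, details


def crt_matches_direct(c, d, p, q):
    """Sanity check: CRT decryption equals the plain c^d mod n computation."""
    m_crt, _ = crt_decrypt(c, d, p, q)
    return m_crt == pow(c, d, p * q)


if __name__ == "__main__":
    m, details = crt_decrypt(911, 6463, 73, 101, e=127)
    for k, v in details.items():
        print(f"{k} = {v}")
    print(f"m = {m}")
```

For the page's values the details dictionary reads dp = 55, dq = 63, vp = 38, vq = 90, xp = 6060, xq = 1314 and m = 2009; the verification step costs one public-exponent exponentiation, which is cheap compared with the private one.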

(f) (10 points) Assume that an attacker Oscar intercepted both the ciphertext C1 and the ciphertext C2. Oscar only knows n, e1, e2. Is it possible that Oscar can recover the original message m (assuming that Oscar cannot do factoring of n now)? If possible, show the computing procedure Oscar can use to find m.

[Answer] Parameters known to attacker Oscar are: c1 = 603, c2 = 911, e1 = 113, e2 = 127, n = 7373

To recover m, Oscar has the following equation: 603 = m^113 mod 7373. Oscar can perform a Chosen Ciphertext Attack (CCA) as the message was not padded before encryption. Oscar can compute X = (c1 * 2^e1) mod n = 603 * 2^113 mod 7373 = 6229. Then he can send X = 6229 to Alice and get the decrypted text Y = X^d1 mod n back.

Y = X^d1 mod n = 6229^3377 mod 7373 = 4018.

Here Y = X^d1 mod n = (c1 * 2^e1)^d1 mod n = (c1^d1 * 2^(e1·d1)) mod n = m * 2 mod n, i.e. 4018 = 2 * m mod 7373, hence m = 2^-1 * 4018 mod 7373 = 3687 * 4018 mod 7373 = 2009.


2. (30 points) A bit-commitment scheme will allow a user (say Alice) to commit a bit (or a number) to another user (say Bob) without telling Bob about it. Later on, Bob can ask Alice to reveal the commitment and Alice cannot change the information without being caught. Let b be the bit to be committed and x be some additional information chosen by Alice. Let function f be a public function (known to everyone) that will compute the commitment by Alice. The commitment f(x, b) is often called a blob. A bit-commitment protocol is often needed to have the following properties:

• Concealing: Bob cannot find the value of b by only knowing the commitment f(x, b). It is called perfectly concealing if it is theoretically impossible for Bob to find out b without Alice revealing x.
• Binding: sender Alice can open the blob by revealing x (and b). It is perfectly binding if Alice cannot alter her commitment after she has made it, i.e., it will be theoretically impossible for Alice to find another x' such that f(x, b) = f(x', b̄). Here b̄ is the complement of bit b, i.e., b̄ = 1 if b = 0 and b̄ = 0 if b = 1.

A simple perfectly binding protocol works as follows. Assume that Alice and Bob agree upon a common large prime number p and a primitive root g mod p. Assume that Alice has a number 1 < a < p−1 that she wants to commit to Bob. Alice computes C = g^a mod p and sends it to Bob.

(a) (5 points) Prove that it is a perfectly binding scheme.

[Answer] Alice has a number a, 1 < a < p-1, that she wants to commit to Bob. She computes C = g^a mod p and sends it to Bob. A perfectly binding scheme means that Alice cannot find another x′ such that f(x, b) = f(x′, b̄). So to prove that it's a perfectly binding scheme, we need to show that for all values of x other than a, where 1 < x < p-1, g^x mod p is not equal to g^a mod p.

Since g is a primitive root of the prime number p, for all values of the exponent x, 1 < x < p-1, g^x mod p gives a unique number between {1, p}. It means that if g^a mod p = g^x mod p then this implies x = a. So it's proved that after Alice commits a to Bob, she can't change it.

(b) (10 points) Show that Bob can recover some information about a. You only need to prove that (by giving a polynomial-time method and showing its correctness) Bob can know the last bit of a.

[Answer] Bob gets the commitment C = g^a mod p where 1 < a < p-1. The commitment C can be either a quadratic residue of prime p or a non-quadratic residue of prime p.

If C is a quadratic residue then C^((p-1)/2) = 1 (mod p). If C is a non-quadratic residue then C^((p-1)/2) = -1 (mod p). (This has already been proved in the assignments so not proving it again.)

Since Bob gets C, and he knows prime p, he can compute C^((p-1)/2) (mod p).

If C^((p-1)/2) = 1, C is a quadratic residue of prime p:
(g^a)^((p-1)/2) = 1 (mod p) [C = g^a mod p]
(g^(a/2))^(p-1) = 1 (mod p)
For the above condition to be true, a has to be an even number. Hence it's proved that the last bit of a is 0.

If C^((p-1)/2) = -1, C is a non-quadratic residue of prime p:
(g^a)^((p-1)/2) = -1 (mod p) [C = g^a mod p]
(g^(a/2))^(p-1) = -1 (mod p)
For the above condition to be true, a has to be an odd number. Hence it's proved that the last bit of a is 1.

So Bob can find out at least the last bit of a by using the above method.

(c) (8 points) Show that Bob can find the value of a in polynomial time of log p if he knows that the value a satisfies

A + c1 log p ≤ a ≤ A + c2 log p

for some fixed constant integers A, c1, and c2. Here the constants are independent of the number p. Please give a detailed polynomial-time method which Bob can use to find the integer a. Also you need to analyze the time-complexity of your method.

[Answer] It's given that the value of a lies between A + c1 log p and A + c2 log p. So Bob has to loop for (A + c2 log p) – (A + c1 log p) = (c2 - c1) log p times, i.e. he has to loop for all a from (A + c1 log p) to (A + c2 log p) and compute g^a mod p to see if it equals C. So the total number of iterations performed will be (c2 - c1) log p.

In the first iteration, he will compute g^i mod p where i = A + c1 log p.
In the 2nd iteration, he will compute g^(i+1) mod p = g^i · g mod p.
In the 3rd iteration, he will compute g^(i+2) mod p = g^(i+1) · g mod p.
…….
…….
In the ((c2 - c1) log p)th iteration, he will compute g^((c2 - c1) log p) mod p = g^((c2 - c1) log p - 1) · g mod p.

In one of the iterations, he will find C = g^i mod p and his search will be over. In the worst case, he will have to make all (c2 - c1) log p iterations to get the value of a. Hence it's proved that Bob can find the value of a in polynomial time of log p. The complexity of this algorithm will be O(log p).
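Bob's two methods from parts (b) and (c), as an added example that is not part of the exam submission: Euler's criterion C^((p-1)/2) mod p reveals the parity of a, and the windowed scan computes g^a incrementally with one multiplication per step. It goes one step beyond the page by combining the two: once the parity is known, the scan only needs to visit every second exponent in the window, which halves the iteration count. The toy parameters p = 101 and g = 2 are constructed (2 is a primitive root mod 101); function names are my own.

```python
# Added example (not from the exam submission): what a commitment C = g^a mod p
# leaks to Bob. Parity via Euler's criterion (Q2(b)) and a linear scan over a
# known window of exponents (Q2(c)); the combined scan is an extension.


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def last_bit_of_exponent(c, p):
    """Q2(b): with g a primitive root, C = g^a is a quadratic residue iff a is even,
    so C^((p-1)/2) is 1 for even a and p-1 (i.e. -1) for odd a."""
    return 0 if pow(c, (p - 1) // 2, p) == 1 else 1


def find_exponent_in_window(c, g, p, lo, hi):
    """Q2(c): scan a = lo..hi computing g^a incrementally. Returns (a, comparisons)
    or (None, comparisons) if no exponent in the window matches."""
    cur = pow(g, lo, p)
    comparisons = 0
    for a in range(lo, hi + 1):
        comparisons += 1
        if cur == c:
            return a, comparisons
        cur = cur * g % p
    return None, comparisons


def find_exponent_using_parity(c, g, p, lo, hi):
    """Extension of the page: use the parity from Euler's criterion to skip every
    other exponent, stepping by g^2 instead of g. Same result, about half the work."""
    bit = last_bit_of_exponent(c, p)
    start = lo if lo % 2 == bit else lo + 1
    cur, g2 = pow(g, start, p), g * g % p
    comparisons = 0
    for a in range(start, hi + 1, 2):
        comparisons += 1
        if cur == c:
            return a, comparisons
        cur = cur * g2 % p
    return None, comparisons


if __name__ == "__main__":
    p, g, a = 101, 2, 37          # constructed toy parameters and secret
    c = pow(g, a, p)              # Alice's commitment
    print("primitive root:", is_primitive_root(g, p))
    print("last bit of a :", last_bit_of_exponent(c, p))
    print("linear scan   :", find_exponent_in_window(c, g, p, 30, 50))
    print("parity scan   :", find_exponent_using_parity(c, g, p, 30, 50))
```

The window search is unambiguous as long as the window is narrower than the order of g (p-1 here), which is the situation part (c) describes.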

(d) (7 points) Show that the following protocol is still perfectly binding.
i. Alice randomly selects a positive integer r < p-1 such that gcd(r, p-1) = 1. Alice computes b = a·r mod (p-1). Alice sends Bob two integers C1 = g^r mod p and C2 = g^b mod p.
ii. To reveal the commitment, Alice needs to reveal r and a to Bob.


[Answer] Let's prove it by contradiction. Suppose that the protocol has no perfect binding; in that case there exist r1 and a1 other than r and a such that

g^r = g^r1 (mod p) AND g^b = g^(a·r) = g^(a1·r1) (mod p)

Let's consider g^r = g^r1 (mod p) first. Since g is a primitive root of the prime number p, every exponent of g between 1 and p generates a unique number between 1 and p. So if g^r = g^r1 (mod p) then it means r1 = r (mod p).

Now consider g^b = g^(a·r) = g^(a1·r1) (mod p). Since g is a primitive root of the prime number p, every exponent of g between 1 and p generates a unique number between 1 and p. So if g^(a·r) = g^(a1·r1) (mod p) it means a·r = a1·r1 (mod p). We have already proven that r1 = r (mod p) and hence a = a1 (mod p). So we couldn't find a value of (a1, r1) other than (a, r) which could satisfy g^r = g^r1 (mod p) AND g^b = g^(a·r) = g^(a1·r1) (mod p).

So our assumption that it doesn't have perfect binding was wrong. Hence it's proved that the protocol has perfect binding.

3. (30 points) This question is about RSA encryption. Assume that Alice chooses an integer n that is the product of two large prime numbers p and q. Alice will publish a public key e, together with n. Alice will keep the secret key d where d·e = 1 mod φ(n). Suppose Bob wishes to send a message M to Alice. He turns M into a number m with 0 < m < n, using some previously agreed-upon reversible protocol f known as a padding scheme such as Optimal Asymmetric Encryption Padding (OAEP). In other words, m = f(M) for some function f. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m as: c = m^e mod n. This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

(a) (5 points) Why do we need to use padding for encryption in practice? In other words, in practical implementations, why can we not just encrypt the original number represented by the message M?

[Answer] If padding is not used then the RSA algorithm is not semantically secure and is vulnerable to Chosen Ciphertext attack and Chosen Plaintext attack.

Chosen ciphertext attack takes advantage of the following property of RSA:

E(M1, e) * E(M2, e) = E(M1*M2, e)

For example, CCA can be used as below to get the plaintext for ciphertext C:
1. Compute X = C * 2^e mod n.
2. Submit X as the chosen ciphertext and receive back Y = X^d mod n.

Now note the following:

X = (C mod n) * (2^e mod n) = (M^e mod n) * (2^e mod n) = (2M)^e mod n

Therefore, Y = 2M mod n. From this we can deduce M easily. To overcome this simple attack, practical RSA-based cryptosystems randomly pad the plaintext prior to encryption. This randomizes the ciphertext so that such an attack can be avoided, as the property of RSA described above doesn't hold any longer.

(b) (5 points) A cryptosystem is considered to be semantically secure (in other words, indistinguishable) if no adversary A, given an encryption C of a message randomly chosen from two messages {M1, M2} determined by the adversary, can identify the message choice with probability significantly better than that of random guessing (1/2). In other words, adversary A cannot know whether C is the encryption of message M1 or message M2. Show why the textbook RSA encryption (we learned in class, where the encryption of a message M is simply c = M^e mod n) is not semantically secure.

[Answer] The adversary generates two messages M1 and M2, and transmits them to a challenge oracle along with the public key. The challenge oracle randomly selects one of the messages, encrypts the message under the public key, and returns the resulting ciphertext C to the adversary. An underlying cryptosystem is semantically secure if the adversary cannot determine which of the two messages was chosen by the oracle with probability significantly greater than 1/2.

For RSA, the adversary could simply compute the deterministic encryption of M1 and M2 and compare these encryptions with the returned ciphertext C = M^e mod n to successfully guess the oracle's choice. So the textbook RSA system is not semantically secure.

(c) (10 points) For convenience, assume our RSA exponent e is 3 and that gcd(e, φ(n)) = 1. A proposal to make RSA semantically secure is as follows: Let |x| denote the number of bits representing a number x. If k = |n| and 4 divides k, define the length of a valid message M to be |M| < 3k/4. For each encryption operation, choose k/4 random bits r, append them to M such that m = M·2^(k/4) + r, and encrypt the value m. Note that |m| < |n|, so m ∈ Zn. When we decrypt a ciphertext, we will simply discard the k/4 least significant bits of the decrypted plaintext. Is this scheme semantically secure? Prove or disprove it either way.

[Answer] Assume the adversary generates two equal-length messages M1 and M2 (where |Mi| < 3k/4, k = |n| and 4 divides k) and transmits them to a challenge oracle along with the public key. The challenge oracle selects one of the messages by flipping a uniformly-weighted coin, encrypts the message under the public key, and returns the resulting ciphertext C to the adversary.

An underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle with probability significantly greater than 1/2 (the success rate of random guessing).

Suppose the oracle chooses M1 and encrypts it using the above scheme: he chooses k/4 random bits r1 and appends them to M1 such that m1 = M1·2^(k/4) + r1, and then encrypts m1 with public key e = 3 to get C = m1^3 mod n, which is sent to the adversary.

C = m1^3 mod n = (M1·2^(k/4) + r1)^3 mod n = (M1^3·2^(3k/4) + 3·M1^2·2^(2k/4)·r1 + 3·M1·2^(k/4)·r1^2 + r1^3) mod n

The adversary encrypts both M1 and M2 to find out C1 and C2 using the same procedure: he chooses k/4 random bits r2 and r3 and computes m1 and m2 as m1 = M1·2^(k/4) + r2 and m2 = M2·2^(k/4) + r3. And then he computes

C1 = m1^3 mod n = (M1·2^(k/4) + r2)^3 mod n = (M1^3·2^(3k/4) + 3·M1^2·2^(2k/4)·r2 + 3·M1·2^(k/4)·r2^2 + r2^3) mod n

C2 = m2^3 mod n = (M2·2^(k/4) + r3)^3 mod n = (M2^3·2^(3k/4) + 3·M2^2·2^(2k/4)·r3 + 3·M2·2^(k/4)·r3^2 + r3^3) mod n

It's clear that the encrypted text C received from the oracle will not match C1 and C2 because of the k/4 randomly chosen bits r1, r2 and r3. It may also happen that C is equal to C2 because of the randomly chosen bits r1 and r3. So the adversary can in no way say whether the encrypted text C received from the oracle belongs to plaintext M1 or M2 with probability significantly greater than ½. If n is very big, the k/4 bits are also going to be big and the adversary will in no way be able to try all the possible combinations of r2 and r3 for his encryption. So it is proved that the scheme is semantically secure.
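The IND-CPA game from parts (b) and (c), as an added example that is not part of the exam submission. The re-encryption adversary of part (b) wins every game against deterministic textbook RSA. Against the randomized encoding of part (c) the same adversary can only succeed by enumerating every pad value, which the block makes explicit: with a deliberately tiny 4-bit pad it still wins every time, and the work it does grows as 2^(pad bits), which is the quantity the answer above says must be large. The modulus and exponent are Alice's from Question 1; the pad width and messages are constructed so that m < n; function names are my own.

```python
# Added example (not from the exam submission): IND-CPA games against
# textbook RSA (Q3(b)) and against the "append k/4 random bits" encoding
# (Q3(c)). The pad width is a toy value chosen so that m < n for n = 7373.
import secrets

N, E = 7373, 113        # Alice's public key from Question 1
PAD_BITS = 4            # constructed toy pad width; the scheme uses k/4 bits


def textbook_encrypt(m, e=E, n=N):
    """Deterministic: the same m always gives the same c."""
    return pow(m, e, n)


def padded_encrypt(M, r, pad_bits=PAD_BITS, e=E, n=N):
    """Encode m = M * 2^pad_bits + r, then textbook-encrypt. r must be fresh."""
    if not 0 <= r < (1 << pad_bits):
        raise ValueError("pad value out of range")
    m = (M << pad_bits) | r
    if m >= n:
        raise ValueError("encoded message does not fit below n")
    return pow(m, e, n)


def randomized_encrypt(M):
    return padded_encrypt(M, secrets.randbelow(1 << PAD_BITS))


def ind_cpa_game(encrypt, adversary, m0, m1):
    """One game: challenger picks b, encrypts m_b, adversary guesses. Returns (b, guess)."""
    b = secrets.randbelow(2)
    c = encrypt((m0, m1)[b])
    return b, adversary(c, m0, m1)


def reencryption_adversary(c, m0, m1):
    """Q3(b): re-encrypt both candidates and compare; needs no secret at all."""
    return 0 if textbook_encrypt(m0) == c else 1


def pad_enumeration_adversary(c, m0, m1, pad_bits=PAD_BITS):
    """Q3(c): the same idea only works by trying every pad value for both messages.
    Returns (guess, encryptions_performed)."""
    work = 0
    for r in range(1 << pad_bits):
        work += 1
        if padded_encrypt(m0, r, pad_bits) == c:
            return 0, work
        work += 1
        if padded_encrypt(m1, r, pad_bits) == c:
            return 1, work
    return secrets.randbelow(2), work      # no match: fall back to guessing


def win_rate(encrypt, adversary, m0, m1, trials=50):
    """Fraction of games the adversary wins (1.0 for textbook RSA)."""
    wins = 0
    for _ in range(trials):
        b, guess = ind_cpa_game(encrypt, adversary, m0, m1)
        wins += (b == guess)
    return wins / trials


if __name__ == "__main__":
    M0, M1 = 200, 77     # constructed: both fit below n even with the pad appended
    print("textbook RSA, re-encryption adversary:", win_rate(textbook_encrypt, reencryption_adversary, M0, M1))
    enum = lambda c, a, b: pad_enumeration_adversary(c, a, b)[0]
    print("randomized encoding, enumerating adversary:", win_rate(randomized_encrypt, enum, M0, M1))
```

Both rates print as 1.0, but the second adversary performs up to 2·2^PAD_BITS encryptions per game; for a real k/4-bit pad that count is astronomically large, which is exactly the argument the answer above makes, while the first adversary needs two.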

(d) (10 points) Suppose we have a standard RSA public-key/private-key pair. Consider an RSA variant where we will first select a random r ∈ Zn. To encrypt a message M, we first convert it to an integer m ∈ Zn, where m is just the value of M.

We will compute a ciphertext of the form c = (m ⊕ r, r^e mod n) = (s, t), where ⊕ is the binary XOR operator. To decrypt c, one can simply decrypt t using RSA and XOR the result with s. Is this scheme semantically secure? Prove or disprove it either way.

[Answer] Assume the adversary generates two equal-length messages M1 and M2 and transmits them to a challenge oracle along with the public key e. The challenge oracle selects one of the messages by flipping a uniformly-weighted coin, encrypts the message under the public key, and returns the resulting ciphertext C = (s, t) to the adversary.

An underlying cryptosystem is IND-CPA (and thus semantically secure under chosen plaintext attack) if the adversary cannot determine which of the two messages was chosen by the oracle with probability significantly greater than 1/2 (the success rate of random guessing).


Suppose the oracle chooses M1 and encrypts it using the above scheme: he chooses a random r, r ∈ Zn, and then encrypts M1 with public key e to get C = (M1 ⊕ r, r^e mod n) = (s, t), which is sent back to the adversary.

s is the result of M1 ⊕ r, and hence all the 1 bits in r will invert the corresponding 1 bits of M1.

Hence, the adversary can very easily compare s with both the messages M1 and M2 to find out whether s belongs to M1 or M2. So it's proved that the scheme is not semantically secure.

5. (20 points) This question is about zero-knowledge proof systems. Assume that Alice wants to prove to Bob that she knows a solution x of the equation y = g^x mod p, where p is a large prime integer and g is a primitive root mod p. Here both Alice and Bob know the integers y, g and p. Assume that Alice and Bob use the following protocol.

(a) Alice randomly selects a number 0 < j < n, and computes r = g^j mod p. Alice sends the integer r to Bob.
(b) Bob randomly selects a bit i ∈ {0, 1}, and sends i to Alice.
(c) Alice computes h = i·x + j mod (p-1) and sends Bob h.
(d) Bob checks if g^h = y^i · r mod p, and accepts Alice's proof if the equation holds. Otherwise, Bob rejects the proof.

Assume that Alice and Bob repeat the above protocol for k rounds. Bob accepts Alice's proof if he accepts the proof for all these k rounds, and rejects the proof if he rejects in any round. Prove the following (assume that Bob follows the protocol).

(a) (4 points) Completeness: Bob will accept the proof if Alice indeed knows x (assume that Alice follows the protocol also).

[Answer] Proof of Completeness/Correctness: It's given that Alice and Bob know the integers y, g and p. Bob checks if g^h = y^i · r mod p to accept the proof. We need to prove that if Alice knows the solution of y = g^x mod p then g^h = y^i · r mod p always holds.

LHS = g^h mod p = g^((i·x + j) mod (p-1)) mod p [h = i·x + j mod (p-1)]
= g^(i·x + j) mod p
= (g^x)^i · g^j mod p
= y^i · r mod p
= RHS. Proved.

(b) (4 points) Soundness: Bob will reject the proof with probability sufficiently close to 1 - 1/2^k if Alice does not know the number x, even if Alice does not follow the protocol (trying to cheat).

[Answer] Proof of Soundness: We know that i ∈ {0, 1}, so h = j if i = 0 and h = x + j if i = 1. Bob checks if g^h = y^i · r (mod p) to accept the proof.

If i = 0, g^j = r (mod p), which is always true.

If i = 1, g^(x+j) = y · r (mod p); this is true only if Alice knows the solution x or she doesn't follow the protocol. She may cheat by first choosing h and then computing r = g^h · y^-1 mod p. However, since the value of i is selected randomly, the probability that Alice cheats and doesn't get caught is ½.

Since Alice and Bob repeat the above protocol for k rounds, the probability that Alice cheats and doesn't get caught even once in k rounds is 1/2^k (which is very small). Hence the probability that Alice cheats and gets caught at least once in k rounds = 1 - 1/2^k (which is most likely). Hence it's proved that if Alice cheats, Bob will reject the proof with probability sufficiently close to 1 - 1/2^k.

(c) (4 points) Zero-knowledge: Prove that Bob gets nothing about the integer x after Alice and Bob conduct the above protocol and Alice does not use j twice.

[Answer] Proof of Zero-knowledge: After following the protocol for k rounds, Bob has the following data: (r1, i1, h1), (r2, i2, h2), (r3, i3, h3) ....... (rk, ik, hk), where r = g^j mod p and h = i·x + j (mod p-1).

He uses these data to check g^h = y^i · r (mod p).
If i = 0, h = j (mod p-1)
If i = 1, h = x + j (mod p-1)

Using the above equations Bob can find out the value of x if Alice uses the same j twice. However, it's given that Alice doesn't use the same j twice. Since Alice chooses j randomly for every round, h is also a random number.

Since Bob already knows y, g and p AND h, i and r are randomly generated numbers, Bob gets to know nothing about the integer x (the solution). So it proves the zero-knowledge property of the protocol.

(d) (4 points) Show a method for Bob that he can get the number x if Alice uses the integer j twice.

[Answer] Suppose Alice uses j twice. In that case, Bob can send i = 0 to Alice and get h = j (mod p-1) in the 1st round. Then he can send i = 1 to Alice and get h = x + j (mod p-1) in the 2nd round. And then he can solve these two equations to get x as x = h - j (mod p-1).

(e) (4 points) Show that Alice can cheat if Bob fixes his challenge i (to either 1 or 0).

[Answer] If Bob fixes his challenge (i) to 0 then Alice can cheat by sending r = g^j and h = j (mod p-1) every time. In that case, the verification g^h = y^i · r (mod p) becomes g^j = r (i = 0), which always holds true.

If Bob fixes his challenge (i) to 1 then Alice can cheat by computing h first and then r as r = g^h · y^-1. In that case, the verification g^h = y^i · r (mod p) becomes g^h = y · g^h · y^-1 (i = 1) = g^h, which always holds true.

So it's proved that if Bob fixes the challenge, Alice can cheat.
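The whole protocol of Question 5, as an added example that is not part of the exam submission: an honest run for completeness (a), a verifier with a fixed challenge to show why Bob must randomize i (e), the nonce-reuse extraction of (d), and a transcript simulator that produces accepting (r, i, h) triples without knowing x, which is the standard way to argue (c) and is the same computation Alice would use against a fixed i = 1. The toy parameters p = 101, g = 2 and secret x = 37 are constructed (2 is a primitive root mod 101); j is drawn from 1..p-2, which is how I read "0 < j < n"; function names are my own.

```python
# Added example (not from the exam submission): the Q5 zero-knowledge protocol
# for y = g^x mod p with a constructed toy group. Shows completeness, the
# effect of a fixed challenge, nonce-reuse extraction, and a simulator.
import secrets

P, G = 101, 2                # constructed: prime p and primitive root g
X = 37                       # constructed: Alice's secret exponent
Y = pow(G, X, P)             # public value y = g^x mod p


def prover_commit(p=P, g=G):
    """Step (a): fresh j with 0 < j < p-1 and r = g^j mod p."""
    j = 1 + secrets.randbelow(p - 2)
    return j, pow(g, j, p)


def prover_respond(x, j, i, p=P):
    """Step (c): h = i*x + j mod (p-1)."""
    return (i * x + j) % (p - 1)


def verifier_check(r, i, h, y=Y, g=G, p=P):
    """Step (d): accept iff g^h == y^i * r (mod p)."""
    return pow(g, h, p) == pow(y, i, p) * r % p


def run_protocol(x, rounds, challenge=None, y=Y, g=G, p=P):
    """k rounds with an honest prover holding x. `challenge=None` means Bob
    picks i at random each round; a fixed 0 or 1 models the flaw in (e).
    Returns (accepted, transcript)."""
    transcript = []
    for _ in range(rounds):
        j, r = prover_commit(p, g)
        i = secrets.randbelow(2) if challenge is None else challenge
        h = prover_respond(x, j, i, p)
        transcript.append((r, i, h))
        if not verifier_check(r, i, h, y, g, p):
            return False, transcript
    return True, transcript


def extract_from_reused_nonce(transcript, p=P):
    """(d): two rounds with the same r (hence the same j) and different
    challenges give h1 - h0 = x (mod p-1). Returns x or None."""
    seen = {}
    for r, i, h in transcript:
        if r in seen and seen[r][0] != i:
            i0, h0 = seen[r]
            return (h - h0) * (i - i0) % (p - 1)   # i - i0 is +1 or -1
        seen[r] = (i, h)
    return None


def simulate_transcript(rounds, y=Y, g=G, p=P):
    """(c)/(e): accepting triples generated without x by choosing h first and
    setting r = g^h * y^-i mod p. Their distribution matches real transcripts,
    which is why Bob learns nothing; with a fixed i this is Alice's cheat."""
    out = []
    for _ in range(rounds):
        i = secrets.randbelow(2)
        h = secrets.randbelow(p - 1)
        r = pow(g, h, p) * pow(pow(y, i, p), -1, p) % p
        out.append((r, i, h))
    return out


if __name__ == "__main__":
    print("honest Alice, random challenges:", run_protocol(X, 10)[0])
    print("wrong secret, random challenges:", run_protocol(X + 1, 10)[0])
    print("wrong secret, Bob fixes i=0    :", run_protocol(X + 1, 10, challenge=0)[0])
    j = 11
    reused = [(pow(G, j, P), 0, prover_respond(X, j, 0)), (pow(G, j, P), 1, prover_respond(X, j, 1))]
    print("x from reused j                :", extract_from_reused_nonce(reused))
    print("simulated rounds all verify    :", all(verifier_check(*t) for t in simulate_transcript(10)))
```

With random challenges a prover holding the wrong secret survives k rounds with probability 1/2^k, so the second line prints False with overwhelming likelihood for k = 10; with i fixed to 0 it prints True every time, which is part (e).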