Problems for week 5-6, Cryptography
A wants to send message m to B and therefore sends B a message containing the names of the two parties and the message encrypted for B. B acknowledges the message by first decrypting the last part to recover m and then sending back a similarly structured message to A, but with the roles of the two parties interchanged. A can now decrypt the last part, check that she gets m, and conclude that B has indeed received m.
(a) This protocol is not secure against adversaries within the organization. More precisely, consider an adversary who himself has a key pair and can send messages and get them acknowledged. Show that if he, by eavesdropping, gets access to the two messages sent in a protocol run between A and B, he can go on to recover m.
(b) Both messages in the protocol have the structure $S, R, E_{e_R}(m)$, where S denotes the sender and R the receiver of the message. It is proposed to modify the message structure to $S, R, E_{e_R}(m \| X)$ for some suitable X. For each of the following three proposals for X, explain why or why not it prevents the attack from (a).
i. X = S.
ii. X = R.
iii. X = the message number within the run, i.e. X = 1 for the first message and X = 2 for the second.
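As an added example (not part of the original problem set), the exchange above written out in code: each party holds a toy RSA key pair built from small fixed primes, `send` builds the triple (S, R, E_{e_R}(m)), and `acknowledge` mirrors it exactly as the protocol prescribes. The key directory, the party names A, B and C, and the sample message are constructed for illustration; `insider_replay` carries out the eavesdrop-and-replay of part (a) by an insider who owns a key pair of his own.

```python
# Added example (not part of the original problem set): a toy model of the
# acknowledgement protocol of the problem above and the insider replay of
# part (a).  Textbook RSA with small fixed primes stands in for the public-key
# encryption E_{e_R}; nothing here is secure, it only makes the message flow
# concrete.
from math import gcd


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two fixed primes; (N, e) is public, d is private."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return {"N": n, "e": e, "d": pow(e, -1, phi)}


# Constructed key directory: every member of the organization, including the
# adversary C, has a published key pair that the others will encrypt to.
KEYS = {
    "A": make_keypair(1009, 1013),
    "B": make_keypair(1019, 1021),
    "C": make_keypair(1031, 1033),
}


def encrypt_for(recipient, m):
    """E_{e_R}(m): encryption under R's public key (m must be below N_R)."""
    k = KEYS[recipient]
    assert 0 <= m < k["N"]
    return pow(m, k["e"], k["N"])


def decrypt_as(party, c):
    """D_{d_R}(c): only the holder of the private exponent d_R can do this."""
    k = KEYS[party]
    return pow(c, k["d"], k["N"])


def send(sender, receiver, m):
    """Message structure of the protocol: (S, R, E_{e_R}(m))."""
    return (sender, receiver, encrypt_for(receiver, m))


def acknowledge(receiver_party, msg):
    """The receiver decrypts the last component and returns the mirrored
    message (R, S, E_{e_S}(m)).  Note that S is taken from the cleartext
    header; nothing inside the ciphertext is compared against it."""
    s, r, c = msg
    assert r == receiver_party
    m = decrypt_as(r, c)
    return send(r, s, m)


def honest_run(m):
    """A -> B, then the acknowledgement B -> A; A checks that she gets m back."""
    msg1 = send("A", "B", m)
    msg2 = acknowledge("B", msg1)
    recovered = decrypt_as("A", msg2[2])
    return msg1, msg2, recovered == m


def insider_replay(msg1_from_wire):
    """Part (a): C eavesdrops msg1 = (A, B, E_{e_B}(m)) and re-sends the same
    ciphertext under his own name, (C, B, E_{e_B}(m)).  B follows the protocol
    and answers (B, C, E_{e_C}(m)), which C can decrypt with his own key."""
    _, _, c = msg1_from_wire
    replayed = ("C", "B", c)
    ack = acknowledge("B", replayed)
    return decrypt_as("C", ack[2])


if __name__ == "__main__":
    m = 424242  # constructed sample message, below every N in the directory
    msg1, msg2, ok = honest_run(m)
    print("honest run, A confirms B received m:", ok)
    print("C recovers m by replaying msg1:", insider_replay(msg1) == m)
```

Running the script shows the honest run succeeding and C ending with m although he never learns any key but his own; the only things he used were the eavesdropped ciphertext and B's willingness to acknowledge to whichever sender name appears in the cleartext header.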
7. We consider here the Blum-Goldwasser public-key stream cipher. A simplified version of this scheme goes as follows.
Alice chooses primes p, q both congruent to 3 modulo 4 and sets N = p · q. N is her public key; p and q are private.
To encrypt a message m of length n bits for Alice, Bob first generates a bitstream as follows. He chooses a random seed s and computes
$x_0 = s$
$x_{k+1} = x_k^2 \bmod N.$
The bitstream is $b_2 b_3 \ldots b_{n+1}$, where $b_k$ is the least significant bit of $x_k$. Bob then encrypts m by bitwise xor, $c = m \oplus b_2 b_3 \ldots b_{n+1}$. Note that the least significant bits of the first two values, $x_0$ and $x_1$, are not used. Finally, he sends Alice the pair $(x_n, c)$. The first component is what distinguishes this from the secret-key stream ciphers discussed in lecture 11: s is not a shared secret between Alice and Bob. Instead, Alice (and only Alice) can use $x_n$ to recover $x_2$, which is what she needs to recreate the bitstream.
Let us show this:
(a) Assume Alice receives (x, c). As a first step, she computes d such that $d \cdot 2^n \equiv 4 \pmod{\varphi(N)}$, where n is the length of c. Show that she can do this. (Note also that if message lengths are known in advance, she can precompute d and store it as part of her private key.)
(b) Show that $x^d \bmod N = x_2$.
(c) How does Alice decrypt the message?
(d) Why can the adversary not decrypt the message?
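The simplified scheme above, worked end to end as an added example (not part of the original problem set): Bob's encryption, Alice's computation of d from φ(N), the recovery of $x_2$ from $x_n$, and the final decryption. The primes p = 1019 and q = 1031, the 16-bit sample message and the seed used in the demonstration are constructed values chosen so the arithmetic can be checked by hand; a real deployment uses primes of at least 1024 bits.

```python
# Added example, not part of the original problem set: the simplified
# Blum-Goldwasser scheme described above.  Bob computes the Blum-Blum-Shub
# sequence x_{k+1} = x_k^2 mod N from a seed s, XORs the message with the low
# bits of x_2 .. x_{n+1} and sends (x_n, c); Alice uses her private d with
# d * 2^n = 4 (mod phi(N)) to get x_2 back from x_n and replays the chain.
import secrets
from math import gcd

# Alice's constructed key: p and q are both 3 mod 4, so p-1 and q-1 are each
# 2 * odd and phi(N) = (p-1)(q-1) is 4 * odd.  Only N is public.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)   # private: requires the factorization of N


def int_to_bits(value, n):
    """Big-endian list of n bits for a message given as an integer."""
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def keystream_from(x2, n):
    """Low bits of x_2, x_3, ..., x_{n+1}, restarting the squaring chain at x_2."""
    bits, x = [], x2
    for _ in range(n):
        bits.append(x & 1)
        x = pow(x, 2, N)
    return bits


def encrypt(m_bits, seed=None):
    """Bob's side: returns the pair (x_n, c).  Needs only the public N."""
    n = len(m_bits)
    assert n >= 2, "the keystream starts at x_2, so n must be at least 2"
    s = seed if seed is not None else secrets.randbelow(N - 2) + 2
    assert gcd(s, N) == 1   # fails with probability about 1/p + 1/q; retry in practice
    xs = [s]
    for _ in range(n + 1):  # x_1 .. x_{n+1}
        xs.append(pow(xs[-1], 2, N))
    c_bits = [mb ^ (xk & 1) for mb, xk in zip(m_bits, xs[2:n + 2])]
    return xs[n], c_bits


def compute_d(n):
    """Part (a): d with d * 2^n = 4 (mod phi(N)).  gcd(2^n, phi(N)) = 4, so
    divide the congruence by 4 and invert 2^(n-2) modulo the odd number
    phi(N)/4.  This is the step that needs phi(N), i.e. p and q."""
    d = pow(1 << (n - 2), -1, PHI // 4)
    assert (d * (1 << n)) % PHI == 4
    return d


def recover_x2(x_n, n):
    """Part (b): x_n^d = s^(2^n * d) = s^(4 + t*phi(N)) = s^4 = x_2 (mod N)."""
    return pow(x_n, compute_d(n), N)


def decrypt(x_n, c_bits):
    """Part (c): Alice recovers x_2, regenerates b_2..b_{n+1}, and XORs."""
    n = len(c_bits)
    x2 = recover_x2(x_n, n)
    return [cb ^ kb for cb, kb in zip(c_bits, keystream_from(x2, n))]


if __name__ == "__main__":
    m = int_to_bits(0xBEEF, 16)   # constructed 16-bit sample message
    x_n, c = encrypt(m)
    print("ciphertext bits:", "".join(map(str, c)))
    print("Alice decrypts correctly:", decrypt(x_n, c) == m)
```

The adversary sees the same N, $x_n$ and c that Alice does; the difference is that `compute_d` is the only step that needs φ(N), which is only available to whoever knows p and q.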
8. (Requires material from lecture 12.) The bitstream generator in the previous exercise is called the Blum-Blum-Shub generator and is very well known. It has been proved to be cryptographically secure under the assumption that factoring N is infeasible. What is its advantage over the RSA bitstream generator?