Massachusetts Institute of Technology
Handout 14
6.857: Network and Computer Security
October 21, 2003
Professor Ronald L. Rivest

Problem Set 4 Solutions

Problem 4-1. Paillier Encryption

(a) Groups wrote implementations of Paillier in C, C++, Java, and Python. The shortest implementation was in Python; the second shortest was in C++ using the NTL large number library.

(b) Groups were awarded 5 points for a correct decryption and 5 points for a correct encryption. Many students asked how the number to be decrypted was chosen. The number was simply a randomly generated 10-digit number. We graded the problem by doing a quick scan through the log file to verify that the number you reported was given to someone in your group. The PINs were to prevent one group of students from sabotaging another student's results. Luckily that didn't happen, so we didn't need to use them.

(c) There are two security flaws with Ben's idea. The first is that a person could vote more than once. However, on the night before the problem set was due, we sent out email saying that this flaw would be handled by standard voter registration techniques.

The second flaw — the one we were looking for — is that a person can stuff the ballot box with a single vote by submitting a ciphertext for an m > 1. In fact, a person could even take away votes by voting with a negative m, which would be an m that is somewhat less than n; that is, if Ben wanted to remove 10 votes, he could vote with m = n − 10.

A third flaw is that the scheme does not protect the votes of voters, since the agency is able to decrypt any individual voter's vote at any time. You need to trust the agency.

One group of students suggested an active attack: if you are in favor of the resolution, multiply each ciphertext by g, and if you are opposed multiply each ciphertext by g^{-1}. That's a lot of work; you could just multiply a single ciphertext by g^{500} to add 500 votes to the resolution.
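The ballot-stuffing flaws in part (c), worked through as an added example (not code from the handout or from any group's submission): a toy Paillier whose small primes, choice of g = n + 1, and function names are all assumptions made for illustration. It shows that the homomorphic tally accepts any plaintext, so ballots need a validity check before they are counted.

```python
# Added illustration. Toy Paillier over small constructed primes (not secure sizes).
import math
import secrets

def keygen(p=1000003, q=1000033):          # constructed demo primes
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1                               # assumed choice of g, not from the handout
    return (n, g), (lam, pow(lam, -1, n))   # mu = lam^-1 mod n holds for g = n + 1

def encrypt(pub, m, r=None):
    n, g = pub
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1    # fresh random r for every ciphertext
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def tally(pub, priv, ballots):
    """Multiply all ciphertexts, decrypt once: the plaintexts add mod n."""
    n2 = pub[0] ** 2
    product = 1
    for c in ballots:
        product = product * c % n2
    return decrypt(pub, priv, product)

def demo():
    pub, priv = keygen()
    n, g = pub
    honest = [encrypt(pub, v) for v in [1] * 15 + [0] * 5]   # 15 yes, 5 no
    out = {"honest": tally(pub, priv, honest)}
    # One ballot with m > 1 counts as 500 votes.
    out["m=500"] = tally(pub, priv, honest + [encrypt(pub, 500)])
    # One ballot with m = n - 10 subtracts 10 votes (arithmetic is mod n).
    out["m=n-10"] = tally(pub, priv, honest + [encrypt(pub, n - 10)])
    # Multiplying a single stored ciphertext by g^500 also adds 500.
    tampered = [honest[0] * pow(g, 500, n * n) % (n * n)] + honest[1:]
    out["times g^500"] = tally(pub, priv, tampered)
    # A "tally <= number of ballots" sanity check misses the m = n - 10 case.
    out["n-10 passes range check"] = out["m=n-10"] <= len(honest) + 1
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The m = n − 10 ballot leaves a tally of 5 out of 21 ballots, which looks plausible, so checking the final total alone does not reveal the manipulation.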
It was incorrect to state that there were only two valid ciphertexts, allowing an attacker to create a dictionary of possible ciphertexts. That's the whole point of a randomized cryptosystem — involving the random value r in the calculation of each ciphertext prevents this kind of attack.

Grading policy: 5 points for working code, 5 points for a valid encryption, 5 points for a valid decryption, and 5 points for identifying a valid flaw.

Distribution of scores on problem 4-1: [histogram: number of students vs. points awarded]

Average score: 19.12

Problem 4-2. MegaSoft Encryption

(Courtesy of Subhasish Bhattacharya, Javed Samuel, ChiHeng Wang, and David Wilson.)

There were a few common errors made on this problem:

• Arguing that a = g^{2r} (mod p) has order q, because a^q = 1 (mod p). This is true, but you also need to show that a^x ≠ 1 (mod p) for 1 ≤ x < q, otherwise a might have order smaller than q.

• Arguing that raising...
This note was uploaded on 04/28/2009 for the course CS 6.857 taught by Professor Rivest during the Spring '03 term at MIT.