This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner HW 2 Solution 1. (4 pts.) Any questions Any constructive responses is given full credit. 2. (20 pts.) PGP If you emailed your TA with a correctly signed encrypted message you will receive full credit. 3. (10 pts.) Onetime pad (a) No, this scheme does not have the security guarantees of a onetime pad. Table 1 lists the resulting encrypted messages using this scheme. We can see that some outcomes exclude certain inputs. For example, given ( M , K ) = 11 an attacker knows that the sent message M is not 0. (b) We wish to design a new encryption algorithm E * ( , ) that has the security guarantees of the onetime pad. We require that given E * ( M , K ) , an attacker should get no information about M . This property is satisfied for any E * ( M , K ) that is uniform on { , 1 , 2 } . One such algorithm is as follows: E * ( M , K ) = M + K mod 3 . Table 2 confirms that each outcome is equally likely. 4. (10 pts.) An RSA reduction We wish to factor N = pq . Since e = 3 and d are inverses modulo ( N ) = ( p 1 )( q 1 ) , have that 3 d = ed = 1 + k ( p 1 )( q 1 ) = 1 + k ( N ) for some k { 1 , 2 ,... } . Also we have that d < ( N ) , so k { 1 , 2 } . (In fact k = 2 always.) Table 1: Encrypted messages using E M K E(M,K) 00 00 00 00 01 01 00 10 10 01 00 01 01 01 00 01 10 11 10 00 10 10 01 11 10 10 00 CS 161, Fall 2005, HW 2 1 Table 2: Encrypted messages using E * M K E * ( M , K ) 00 00 00 00 01 01 00 10 10 01 00 01 01 01 10 01 10 00 10 00 10 10 01 00 10 10 01 We have a finite number of possible values of k , so we can check which k is correct as follows: Fix a k . Given this guess at k , we can infer a presumed values for ( N ) via ( N ) k = 3 d 1 k . Also the true value for ( N ) satisfies ( N ) = ( p 1 )( q 1 ) = pq p q + 1 = N N q q + 1; rewriting this, we can solve for q via the quadratic equation, given the value of ( N ) . This gives a way to test whether our guess ( N ) k was correct, since we can use our guess to solve for q and test whether the resulting q is indeed a factor of N . The running time is polynomial in the number of bits of N : we use O ( 1 ) operations on integers no larger than N , which corresponds to O (( lg N ) 2 ) bit operations. An algorithm for general e is given in G. Miller, Riemanns hypothesis and tests for primality, Journal of Computer and System Sciences , 13(3):300317, 1976. This algorithm is in time polynomial to the number of bits in N ....
View Full
Document
 Fall '05
 Joseph
 Computer Security

Click to edit the document details