solution homework 02

Security in Computing (3rd Edition)

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner HW 2 Solution 1. (4 pts.) Any questions Any constructive responses is given full credit. 2. (20 pts.) PGP If you emailed your TA with a correctly signed encrypted message you will receive full credit. 3. (10 pts.) One-time pad (a) No, this scheme does not have the security guarantees of a one-time pad. Table 1 lists the resulting encrypted messages using this scheme. We can see that some outcomes exclude certain inputs. For example, given ( M , K ) = 11 an attacker knows that the sent message M is not 0. (b) We wish to design a new encryption algorithm E * ( , ) that has the security guarantees of the one-time pad. We require that given E * ( M , K ) , an attacker should get no information about M . This property is satisfied for any E * ( M , K ) that is uniform on { , 1 , 2 } . One such algorithm is as follows: E * ( M , K ) = M + K mod 3 . Table 2 confirms that each outcome is equally likely. 4. (10 pts.) An RSA reduction We wish to factor N = pq . Since e = 3 and d are inverses modulo ( N ) = ( p- 1 )( q- 1 ) , have that 3 d = ed = 1 + k ( p- 1 )( q- 1 ) = 1 + k ( N ) for some k { 1 , 2 ,... } . Also we have that d < ( N ) , so k { 1 , 2 } . (In fact k = 2 always.) Table 1: Encrypted messages using E M K E(M,K) 00 00 00 00 01 01 00 10 10 01 00 01 01 01 00 01 10 11 10 00 10 10 01 11 10 10 00 CS 161, Fall 2005, HW 2 1 Table 2: Encrypted messages using E * M K E * ( M , K ) 00 00 00 00 01 01 00 10 10 01 00 01 01 01 10 01 10 00 10 00 10 10 01 00 10 10 01 We have a finite number of possible values of k , so we can check which k is correct as follows: Fix a k . Given this guess at k , we can infer a presumed values for ( N ) via ( N ) k = 3 d- 1 k . Also the true value for ( N ) satisfies ( N ) = ( p- 1 )( q- 1 ) = pq- p- q + 1 = N- N q- q + 1; rewriting this, we can solve for q via the quadratic equation, given the value of ( N ) . This gives a way to test whether our guess ( N ) k was correct, since we can use our guess to solve for q and test whether the resulting q is indeed a factor of N . The running time is polynomial in the number of bits of N : we use O ( 1 ) operations on integers no larger than N , which corresponds to O (( lg N ) 2 ) bit operations. An algorithm for general e is given in G. Miller, Riemanns hypothesis and tests for primality, Journal of Computer and System Sciences , 13(3):300-317, 1976. This algorithm is in time polynomial to the number of bits in N ....
View Full Document

Page1 / 5

solution homework 02 - CS 161 Computer Security Fall 2005

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online