CS 161 Computer Security
Fall 2005, Joseph/Tygar/Vazirani/Wagner
HW 2 Solution

1. (4 pts.) Any questions

Any constructive response is given full credit.

2. (20 pts.) PGP

If you emailed your TA with a correctly signed encrypted message you will receive full credit.

3. (10 pts.) One-time pad

(a) No, this scheme does not have the security guarantees of a one-time pad. Table 1 lists the resulting encrypted messages using this scheme. We can see that some outcomes exclude certain inputs. For example, given $E(M, K) = 11$ an attacker knows that the sent message $M$ is not 0.

Table 1: Encrypted messages using E

M    K    E(M,K)
00   00   00
00   01   01
00   10   10
01   00   01
01   01   00
01   10   11
10   00   10
10   01   11
10   10   00

(b) We wish to design a new encryption algorithm $E^*(\cdot, \cdot)$ that has the security guarantees of the one-time pad. We require that given $E^*(M, K)$, an attacker should get no information about $M$. This property is satisfied for any $E^*(M, K)$ that is uniform on $\{0, 1, 2\}$. One such algorithm is as follows: $E^*(M, K) = M + K \bmod 3$. Table 2 confirms that each outcome is equally likely.

Table 2: Encrypted messages using E*

M    K    E*(M,K)
00   00   00
00   01   01
00   10   10
01   00   01
01   01   10
01   10   00
10   00   10
10   01   00
10   10   01

4. (10 pts.) An RSA reduction

We wish to factor $N = pq$. Since $e = 3$ and $d$ are inverses modulo $\varphi(N) = (p-1)(q-1)$, we have that $3d = ed = 1 + k(p-1)(q-1) = 1 + k\varphi(N)$ for some $k \in \{1, 2, \ldots\}$. Also we have that $d < \varphi(N)$, so $k \in \{1, 2\}$. (In fact $k = 2$ always.)

We have a finite number of possible values of $k$, so we can check which $k$ is correct as follows: Fix a $k$. Given this guess at $k$, we can infer a presumed value for $\varphi(N)$ via $\varphi(N)_k = \frac{3d - 1}{k}$. Also the true value for $\varphi(N)$ satisfies $\varphi(N) = (p-1)(q-1) = pq - p - q + 1 = N - \frac{N}{q} - q + 1$; rewriting this, we can solve for $q$ via the quadratic equation, given the value of $\varphi(N)$.

This gives a way to test whether our guess $\varphi(N)_k$ was correct, since we can use our guess to solve for $q$ and test whether the resulting $q$ is indeed a factor of $N$. The running time is polynomial in the number of bits of $N$: we use $O(1)$ operations on integers no larger than $N$, which corresponds to $O((\lg N)^2)$ bit operations.

An algorithm for general $e$ is given in G. Miller, "Riemann's hypothesis and tests for primality," Journal of Computer and System Sciences, 13(3):300-317, 1976. This algorithm runs in time polynomial in the number of bits in $N$. ...
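The reduction in problem 4 can be run directly; the following is an added example, not part of the original solution. The function name and the sample primes are constructed for illustration, and the loop over k also covers other small e (since d < phi(N) forces k < e), which goes slightly beyond the e = 3 case worked in the text.

```python
from math import isqrt

def factor_from_private_exponent(N, d, e=3):
    """Recover (p, q) with p <= q from an RSA modulus N and private exponent d.

    Uses e*d = 1 + k*phi(N) with 1 <= k < e, guessing each k in turn.
    Returns None if no guess yields a factorization.
    """
    for k in range(1, e):
        if (e * d - 1) % k != 0:
            continue                      # phi(N) must be an integer
        phi = (e * d - 1) // k            # presumed phi(N) for this k
        # phi = N - N/q - q + 1  =>  q^2 - (N + 1 - phi) * q + N = 0
        s = N + 1 - phi                   # equals p + q when the guess is right
        disc = s * s - 4 * N              # equals (q - p)^2 when the guess is right
        if s <= 0 or disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2 != 0:
            continue                      # quadratic has no integer root
        p, q = (s - r) // 2, (s + r) // 2
        if p > 1 and p * q == N:          # test that q really divides N
            return p, q
    return None

# Constructed sample key (both primes are 2 mod 3 so that e = 3 is invertible).
SAMPLE_P, SAMPLE_Q = 1013, 2003
SAMPLE_N = SAMPLE_P * SAMPLE_Q
SAMPLE_D = pow(3, -1, (SAMPLE_P - 1) * (SAMPLE_Q - 1))  # Python 3.8+

if __name__ == "__main__":
    print(factor_from_private_exponent(SAMPLE_N, SAMPLE_D))
```

The practical consequence for key handling is that disclosure of d is equivalent to disclosure of the factorization, so a leaked private exponent means the modulus must be retired, not just the exponent.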
This homework help was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at Berkeley.