Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 6 Solutions
May 18, 2011
Problem 1. [35 points]
Let $p \geq 3$ be a prime and $g \in \mathbf{Z}_p^*$ a generator of $\mathbf{Z}_p^*$. (These are public quantities, known to all parties including the adversary.) Consider the key-generation and encryption algorithms below:

Algorithm $\mathcal{K}$
    $x \stackrel{\$}{\leftarrow} \mathbf{Z}_{p-1}^*$
    $X \leftarrow g^x \bmod p$
    return $(X, x)$

Algorithm $\mathcal{E}(X, M)$
    if $M \notin \mathbf{Z}_p^*$ then return $\bot$
    $y \stackrel{\$}{\leftarrow} \mathbf{Z}_{p-1}$ ; $Y \leftarrow g^y \bmod p$
    $Z \leftarrow X^y \bmod p$ ; $W \leftarrow Y \cdot M \bmod p$
    return $(Z, W)$

The message space associated to public key $X$ is $\mathrm{Messages}(X) = \mathbf{Z}_p^*$. We let $k$ be the bitlength of $p$.

1. [15 points] Specify a decryption algorithm $\mathcal{D}$ such that $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is an asymmetric encryption scheme satisfying the correct decryption property. State the running time of your algorithm as a function of $k$ (the lower this is, the more credit you get) and prove that the correct decryption property holds.

The decryption algorithm takes as input the secret key $x$ and a ciphertext $C = (Z, W)$ and must return the underlying message $M$. It works as follows:

algorithm $\mathcal{D}(x, C)$
    Parse $C$ as $(Z, W)$
    $s \leftarrow x^{-1} \bmod (p-1)$
    $Y \leftarrow Z^s \bmod p$
    $M \leftarrow W \cdot Y^{-1} \bmod p$
    return $M$

Note that in the key-generation algorithm $x$ is chosen from $\mathbf{Z}_{p-1}^*$ (and not $\mathbf{Z}_{p-1}$). This implies that $x$ has an inverse modulo $p-1$. The decryption algorithm begins by computing this inverse and denoting it by $s$. The fact that $s$ is the inverse of $x$ modulo $p-1$ means that $xs \bmod (p-1) = 1$.

Now, to show that the decryption algorithm is correct we have to show that $\mathcal{D}(x, \mathcal{E}(X, M)) = M$ for any $M \in \mathbf{Z}_p^*$. Let $C = (Z, W)$ be an output of $\mathcal{E}(X, M)$. We want to show that $\mathcal{D}(x, C) = M$. Let $y$ be the value chosen by the encryption algorithm such that $Y = g^y \bmod p$. Then $Z = X^y = g^{xy} \bmod p$. Now, we first claim that $Y$ is correctly recomputed by the decryption algorithm. This is true because modulo $p$ we have:

$$Z^s \equiv (g^{xy})^s \equiv g^{xys \bmod (p-1)} \equiv g^{1 \cdot y \bmod (p-1)} \equiv g^y \equiv Y .$$
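
Added example (not part of the original solutions): a Python implementation of K, E and the decryption algorithm D given above, with an exhaustive check of D(x, E(X, M)) = M over every key, every coin y and every message for a toy prime. The function names, the optional y argument (used only to make the check deterministic) and the parameters p = 23, g = 5 are assumptions made for this example.

```python
import math
import secrets

def keygen(p, g):
    """K: pick x uniformly from Z*_{p-1}; return (X, x) with X = g^x mod p."""
    while True:
        x = secrets.randbelow(p - 1)          # candidate in Z_{p-1} = {0, ..., p-2}
        if math.gcd(x, p - 1) == 1:           # keep units only, so x^{-1} mod (p-1) exists
            return pow(g, x, p), x

def encrypt(p, g, X, M, y=None):
    """E: return (Z, W), or None (standing in for the reject symbol) if M not in Z*_p."""
    if not 1 <= M <= p - 1:
        return None
    if y is None:
        y = secrets.randbelow(p - 1)          # y drawn from Z_{p-1}
    Y = pow(g, y, p)
    return pow(X, y, p), (Y * M) % p          # (Z, W) = (X^y, Y*M) mod p

def decrypt(p, x, C):
    """D: recompute Y = Z^s with s = x^{-1} mod (p-1), then M = W * Y^{-1} mod p."""
    Z, W = C
    s = pow(x, -1, p - 1)                     # raises ValueError if gcd(x, p-1) != 1
    Y = pow(Z, s, p)
    return (W * pow(Y, -1, p)) % p

def exhaustive_check(p, g):
    """Count triples (x, y, M) with D(x, E(X, M)) != M; 0 means correct decryption."""
    failures = 0
    for x in range(1, p - 1):
        if math.gcd(x, p - 1) != 1:           # skip x outside Z*_{p-1}
            continue
        X = pow(g, x, p)
        for y in range(p - 1):
            for M in range(1, p):
                if decrypt(p, x, encrypt(p, g, X, M, y)) != M:
                    failures += 1
    return failures

if __name__ == "__main__":
    P, G = 23, 5                              # constructed toy parameters; 5 generates Z*_23
    X, x = keygen(P, G)
    print("round trip:", decrypt(P, x, encrypt(P, G, X, 7)))
    print("failures over all (x, y, M):", exhaustive_check(P, G))
```

Calling decrypt with an x that is not coprime to p - 1 fails at the inverse step, which is the reason K samples from $\mathbf{Z}_{p-1}^*$.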