{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

# ss6 - Computer Science and Engineering UCSD CSE 207 Modern...

This preview shows pages 1–3. Sign up to view the full content.

Computer Science and Engineering, UCSD Spring 11 CSE 207: Modern Cryptography Instructor: Mihir Bellare Problem Set 6 Solutions May 18, 2011 Problem Set 6 Solutions Problem 1. [35 points] Let p 3 be a prime and g Z * p a generator of Z * p . (These are public quantities, known to all parties including the adversary.) Consider the key-generation and encryption algorithms below: Algorithm K x \$ Z * p - 1 X g x mod p return ( X, x ) Algorithm E ( X, M ) if M 6∈ Z * p then return y \$ Z p - 1 ; Y g y mod p Z X y mod p ; W Y · M mod p return ( Z, W ) The message space associated to public key X is Messages ( X ) = Z * p . We let k be the bit-length of p . 1. [15 points] Specify a decryption algorithm D such that AE = ( K , E , D ) is an asymmetric encryption scheme satisfying the correct decryption property. State the running time of your algorithm as a function of k (the lower this is, the more credit you get) and prove that the correct decryption property holds. The decryption algorithm takes input the secret key x and a ciphertext C = ( Z, W ) and must return the underlying message M . It works as follows: algorithm D ( x, C ) Parse C as ( Z, W ) s x - 1 mod ( p - 1) Y Z s mod p M W · Y - 1 mod p return M Note that in the key-generation algorithm x is chosen from Z * p - 1 (and not Z p - 1 ). This implies that x has an inverse modulo p - 1. The decryption algorithm begins by computing this inverse and denoting it by s . The fact that s is the inverse of x modulo p - 1 means that xs mod ( p - 1) = 1. Now, to show that the decryption algorithm is correct we have to show that D ( x, E ( X, M )) = M for any M Z * p . Let C = ( Z, W ) be an output of E ( X, M ). We want to show that D ( x, C ) = M . Let y be the value chosen by the encryption algorithm such that Y = g y mod p . Then 1

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Z = X y = g xy mod p . Now, we first claim that Y is correctly re-computed by the decryption algorithm. This is true because modulo p we have: Z s ( g xy ) s g xys mod ( p - 1) g 1 · y mod ( p - 1) g y Y .
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### Page1 / 5

ss6 - Computer Science and Engineering UCSD CSE 207 Modern...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online