This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: Computer Science and Engineering, UCSD Spring 11 CSE 207: Modern Cryptography Instructor: Mihir Bellare Problem Set 6 Solutions May 18, 2011 Problem Set 6 Solutions Problem 1. [35 points] Let p 3 be a prime and g Z * p a generator of Z * p . (These are public quantities, known to all parties including the adversary.) Consider the key-generation and encryption algorithms below: Algorithm K x $ Z * p- 1 X g x mod p return ( X,x ) Algorithm E ( X,M ) if M 6 Z * p then return y $ Z p- 1 ; Y g y mod p Z X y mod p ; W Y M mod p return ( Z,W ) The message space associated to public key X is Messages ( X ) = Z * p . We let k be the bit-length of p . 1. [15 points] Specify a decryption algorithm D such that AE = ( K , E , D ) is an asymmetric encryption scheme satisfying the correct decryption property. State the running time of your algorithm as a function of k (the lower this is, the more credit you get) and prove that the correct decryption property holds. The decryption algorithm takes input the secret key x and a ciphertext C = ( Z,W ) and must return the underlying message M . It works as follows: algorithm D ( x,C ) Parse C as ( Z,W ) s x- 1 mod ( p- 1) Y Z s mod p M W Y- 1 mod p return M Note that in the key-generation algorithm x is chosen from Z * p- 1 (and not Z p- 1 ). This implies that x has an inverse modulo p- 1. The decryption algorithm begins by computing this inverse and denoting it by s . The fact that s is the inverse of x modulo p- 1 means that xs mod ( p- 1) = 1. Now, to show that the decryption algorithm is correct we have to show that D ( x, E ( X,M )) = M for any M Z * p . Let C = ( Z,W ) be an output of E ( X,M ). We want to show that D ( x,C ) = M . Let y be the value chosen by the encryption algorithm such that Y = g y mod p . Then 1 Z = X y = g xy mod p . Now, we first claim that Y is correctly re-computed by the decryption algorithm. This is true because modulo p we have: Z s ( g xy ) s g xys mod ( p- 1) g 1 y mod ( p- 1) g y...
View Full Document
This note was uploaded on 08/31/2011 for the course CSE 207 taught by Professor Daniele during the Winter '08 term at UCSD.
- Winter '08
- Computer Science