CSci 5471: Modern Cryptography, Spring 2010 Homework #6
Yongdae Kim
–
Due: Apr 20th (Tuesday) 9:00 AM
–
Show all steps. Please ask any questions, if the problems are not clear.
1.
ElGamal vs. DifﬁeHellman Algorithm (30 pt total)
Suppose you have an algorithm
A
that breaks ElGamal en
cryption. In other words, given legitimate ciphertext
(
r,c
)
of a plaintext
m
with parameters
g,p,q
,
A
can computes
m
without knowing the private key. More formally, for a given
(
r,c,y,g,p,q
)
,
A
outputs
m
. Mathematically, you
can write
A
(
r,c,y,g,p,q
)
→
m
for any
(
r,c,y,g,p,q
)
where
–
Public information:
q
is a 160bit prime number and
p
is a 1024bit prime number satisfying
q

p

1
.
g
is a
generator of a subgroup
G
of
Z
*
p
.
–
Public key of a user is
y
where
y
=
g
x
(mod
p
)
.
–
ElGamal ciphertext:
(
r,c
)
where
r
=
g
k
(mod
p
)
with a random integer
k
and
c
=
my
k
(mod
p
)
where
m
is a message.
Show that you can break a DifﬁeHellman key agreement protocol using this algorithm. More formally, show that
using this algorithm you can compute
g
xy
(mod
p
)
for any
(
g
x
(mod
p
)
,g
y
(mod
p
)
,g,p,q
)
.
(Hint) You need to manipulate input of the algorithm
A
so that it will output DifﬁeHellman key you want to
compute.
2.
Strong Passwordbased Authentication (30 pts)
Let
S
be Alice’s password,
p
be a large prime,
g
be an element
of
Z
*
p
whose order is a prime
q
(
p
=
kq
+ 1
),
h
be a cryptographically secure hash function with 160 bit output.
Alice has a public key