
# CMPT 404 Cryptography and Protocols Exercises on Public Key Cryptography. Thursday, April 5th (at the beginning of the class) 1. Prove the following:...

I only need help with questions 4, 5, 6, and 7. I tried my best to solve each but don't know where to start. Any advice would be greatly appreciated.

Thanks!
CMPT 404 — Cryptography and Protocols. Exercises on Public Key Cryptography.

Due: Thursday, April 5th (at the beginning of the class)

1. Prove the following: if there exists a collision resistant hash function collection mapping $n+1$ bit strings into $n$ bit strings, then there exists a collection mapping arbitrary length bit strings into $n$ bit strings.

2. Consider the following key exchange protocol:

   - Alice chooses $k, r \in \{0,1\}^n$ at random, and sends s = k r to Bob.
   - Bob chooses $t \in \{0,1\}^n$ at random and sends u = s t to Alice.
   - Alice computes w = u r and sends w to Bob.
   - Alice takes k as a key, and Bob takes w t as a key.

   Show that Alice and Bob output the same key. Analyze the security of the scheme (i.e. either prove its security or show a concrete attack).

3. Suppose we have a set of blocks encrypted with the RSA scheme and we do not have the private key. Assume $n = pq$, $e$ is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with $n$. Does this help us to break the scheme?

4. Fix $n$, and assume there exists an adversary Eve running in time $T$ for which $\Pr[\mathrm{Eve}(x^e) = x] = 0.01$, where the probability is taken over random choice of $x$ $Z_n^*$. Show that it is possible to construct an adversary $\mathrm{Eve}'$ for which $\Pr[\mathrm{Eve}'(x^e) = x] = 0.99$. The running time $T'$ of the new adversary should be polynomial in $T$ and the size of $n$.

5. (Non malleability of CCA secure schemes.) An attractive way to perform a bidding is the following: the seller publishes a public key $e$. Each buyer sends through the net the encryption $E_e(x)$ of its bid, and then the seller will decrypt all of these and award the product to the highest bidder. One aspect of security we need from $E(\cdot)$ is that given an encryption $E_e(x)$, it will be hard for someone not knowing $x$ to come up with $E_e(1.01 \cdot x)$ (otherwise bidder B could always take the bid of bidder A and make it into a bid that is one per cent higher). You'll show that this property is also related to CCA security:

   (a) Show a CPA-secure public key encryption such that there is an algorithm that, given $e$ and a ciphertext $y = E_e(x)$, converts $y$ into a ciphertext $y'$ that decrypts to $x + 1$.

   (b) Show that if $E$ is CCA secure then there is no such algorithm. In particular show that if $M$ is any polynomial time algorithm, and $X$ is a set of possible numbers $x$, then

   $$\Pr_{(e,d)\ K}\left[ D_d(M(e, E_e(x))) = 1.01 \cdot x \right] < \frac{1}{|X|} + n^{-\omega(1)}$$

6. Let $p$ 3 be a prime number, and let $g$ be a primitive root modulo $p$. (These are public keys, known to all parties including the adversary.) Assume the discrete logarithm problem is hard. Consider the digital signature scheme DS = (K; Sign; Ver):

   - Key generation K: Choose $x, y$ $Z_p$ uniformly at random, and set $X = g^x$, $Y = g^y$. $X, Y$ is a public key, $x, y$ private.
   - Signing Sign($M$): $z := y + xM \pmod{p}$, return $z$.
   - Verification Ver($M$; $z$):
     - if $M \notin Z_p$ then return 0
     - if $g^z = Y X^M$ then return 1 else return 0

   (a) Show that Ver($M$; $z$) = 1 for any key-pair (($X$; $Y$); ($x$; $y$)) that might be output by K, any message $M$ $Z_p$, and any $z$ that might be output by Sign($M$).

   (b) Show that this scheme is insecure with regard to Chosen Message attacks by presenting a practical adversary Eve. You should specify the adversary, state the number of oracle queries it makes, and justify the correctness of the adversary.

7. Let $f$ be a one-way permutation. Consider the following signature scheme for messages in the set $\{1, \ldots, n\}$:

   - To generate keys, choose random $x \in \{0,1\}^n$ and set $y = f^n(x)$ (that is, $f$ applied $n$ times). The public key is $y$ and the private key is $x$.
   - To sign message $i \in \{1, \ldots, n\}$, output $f^{n-i}(x)$ (where $f^0(x) = x$ by definition).
   - To verify signature $\sigma$ on message $i$ with respect to public key $y$, check whether $y = f^i(\sigma)$.

   (a) Show that the above is not a secure (even one-time) signature scheme. Given a signature on a message $i$, for what messages $j$ can an adversary output a forgery?

   (b) Prove that no polytime adversary, given a signature on $i$, can output a forgery on any message $j > i$ except with negligible probability.

   (c) Suggest how to modify the scheme so as to obtain a one-time secure signature scheme.

8. (optional) Write an implementation (using pseudocode or your favorite programming language) of the 'ideal' key exchange protocol. This implementation should include all necessary details and checks of parameters. It can be based on the Diffie-Hellman idea, as we did in the class, or any other valid approach. If you need to use a hash function or primality check, imagine you have a library with the necessary functions. You also do not need to care about realization of integer arithmetic.
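The key generation, signing and verification steps of the scheme defined in exercise 7, as an added example that is not part of the assignment sheet. It assumes SHA-256 as a stand-in for $f$ (one-way in practice, but not a permutation) and a hypothetical message-space size `N = 16`; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

N = 16  # assumed size of the message set {1, ..., N}; the sheet calls it n


def f(value: bytes) -> bytes:
    """Stand-in for the one-way permutation f (assumption: SHA-256)."""
    return hashlib.sha256(value).digest()


def f_iter(value: bytes, times: int) -> bytes:
    """Apply f `times` times; f^0 is the identity, as the sheet defines."""
    for _ in range(times):
        value = f(value)
    return value


def keygen(n: int = N):
    """Private key x is random; public key is y = f^n(x)."""
    x = secrets.token_bytes(32)
    return x, f_iter(x, n)


def sign(x: bytes, i: int, n: int = N) -> bytes:
    """Signature on message i is f^(n-i)(x)."""
    if not 1 <= i <= n:
        raise ValueError("message must be in 1..n")
    return f_iter(x, n - i)


def verify(y: bytes, i: int, sigma: bytes, n: int = N) -> bool:
    """Accept iff f^i(sigma) == y, for i inside the message set only."""
    if not isinstance(i, int) or not 1 <= i <= n:
        return False  # indices outside 1..n are not valid messages
    return hmac.compare_digest(f_iter(sigma, i), y)


def self_check(n: int = N) -> bool:
    """Every honestly produced signature verifies under its own message."""
    x, y = keygen(n)
    return all(verify(y, i, sign(x, i, n), n) for i in range(1, n + 1))


if __name__ == "__main__":
    print("all honest signatures verify:", self_check())
```
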
