CMPT 404 Cryptography and Protocols Exercises on Public Key Cryptography. Thursday, April 5th (at the beginning of the class) 1. Prove the following:...

I only need help with questions 4, 5, 6, and 7. I tried my best to solve each but don't know where to start. Any advice would be greatly appreciated.

Thanks!
CMPT 404 — Cryptography and Protocols
Exercises on Public Key Cryptography
Due: Thursday, April 5th (at the beginning of the class)

1. Prove the following: if there exists a collision resistant hash function collection mapping $n+1$ bit strings into $n$ bit strings, then there exists a collection mapping arbitrary length bit strings into $n$ bit strings.

2. Consider the following key exchange protocol:

- Alice chooses $k, r \in \{0,1\}^n$ at random, and sends s = k r to Bob.
- Bob chooses $t \in \{0,1\}^n$ at random and sends u = s t to Alice.
- Alice computes w = u r and sends w to Bob.
- Alice takes $k$ as a key, and Bob takes w t as a key.

Show that Alice and Bob output the same key. Analyze the security of the scheme (i.e. either prove its security or show a concrete attack).

3. Suppose we have a set of blocks encrypted with the RSA scheme and we do not have the private key. Assume $n = pq$, $e$ is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with $n$. Does this help us to break the scheme?

4. Fix $n$, and assume there exists an adversary $\mathrm{Eve}$ running in time $T$ for which $\Pr[\mathrm{Eve}(x^e) = x] = 0.01$, where the probability is taken over random choice of $x \in \mathbb{Z}_n^*$. Show that it is possible to construct an adversary $\mathrm{Eve}'$ for which $\Pr[\mathrm{Eve}'(x^e) = x] = 0.99$. The running time $T'$ of the new adversary should be polynomial in $T$ and the size of $n$.

5. (Non malleability of CCA secure schemes.) An attractive way to perform a bidding is the following: the seller publishes a public key $e$. Each buyer sends through the net the encryption $E_e(x)$ of its bid, and then the seller will decrypt all of these and award the product to the highest bidder. One aspect of security we need from $E(\cdot)$ is that given an encryption $E_e(x)$, it will be hard for someone not knowing $x$ to come up with $E_e(1.01 \cdot x)$ (otherwise bidder B could always take the bid of bidder A and make into a bid that is one per cent higher). You'll show that this property is also related to CCA security:

(a) Show a CPA-secure public key encryption such that there is an algorithm that given $e$ and a ciphertext $y = E_e(x)$, converts $y$ into a ciphertext $y'$ that decrypts to $x + 1$.

(b) Show that if $E$ is CCA secure then there is no such algorithm. In particular show that if $M$ is any polynomial time algorithm, and $X$ is a set of possible numbers $x$, then

$$\Pr_{(e,d)\ K}\left[ D_d(M(e, E_e(x))) = 1.01 \cdot x \right] < \frac{1}{|X|} + n^{-\omega(1)}$$
6. Let p 3 be a prime number, and let $g$ be a primitive root modulo $p$. (These are public keys, known to all parties including the adversary.) Assume the discrete logarithm problem is hard. Consider the digital signature scheme $DS = (K; \mathrm{Sign}; \mathrm{Ver})$:

Key generation $K$: Choose $x, y \in \mathbb{Z}_p$ uniformly at random, and set $X = g^x$, $Y = g^y$. $X, Y$ is a public key, $x, y$ private.

Signing $\mathrm{Sign}(M)$: $z := y + xM \pmod p$, return $z$.

Verification $\mathrm{Ver}(M; z)$:
  if $M \notin \mathbb{Z}_p$ then return 0
  if $g^z = Y X^M$ then return 1 else return 0

(a) Show that $\mathrm{Ver}(M; z) = 1$ for any key-pair $((X; Y); (x; y))$ that might be output by $K$, any message $M \in \mathbb{Z}_p$, and any $z$ that might be output by $\mathrm{Sign}(M)$.

(b) Show that this scheme is insecure with regard to Chosen Message attacks by presenting a practical adversary $\mathrm{Eve}$. You should specify the adversary, state the number of oracle queries it makes, and justify the correctness of the adversary.

7. Let $f$ be a one-way permutation. Consider the following signature scheme for messages in the set $\{1, \ldots, n\}$:

- To generate keys, choose random $x \in \{0,1\}^n$ and set $y = f^n(x)$ (that is, $f$ applied $n$ times). The public key is $y$ and the private key is $x$.
- To sign message $i \in \{1, \ldots, n\}$, output $f^{n-i}(x)$ (where $f^0(x) = x$ by definition).
- To verify signature $\sigma$ on message $i$ with respect to public key $y$, check whether $y = f^i(\sigma)$.

(a) Show that the above is not a secure (even one-time) signature scheme. Given a signature on a message $i$, for what messages $j$ can an adversary output a forgery?

(b) Prove that no polytime adversary, given a signature on $i$, can output a forgery on any message $j > i$ except with negligible probability.

(c) Suggest how to modify the scheme so as to obtain a one-time secure signature scheme.

8. (optional) Write an implementation (using pseudocode or your favorite programming language) of the 'ideal' key exchange protocol. This implementation should include all necessary details and checks of parameters. It can be based on Diffie-Hellman idea, as we did in the class, or any other valid approach. If you need to use a hash function or primality check, imagine you have a library with necessary functions. You also do not need to care about realization of integer arithmetic.
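
Added example (not part of the assignment or of any answer on this page): the chain scheme of exercise 7 in Python, showing that applying $f$ to a signature on $i$ yields a value that verifies for any $j \le i$, next to a two-chain variant in which that value no longer verifies. SHA-256 standing in for $f$, `N = 16`, the seed strings, and the names `walk_down`, `keygen2`, `sign2` and `verify2` are assumptions made for the illustration.

```python
import hashlib

N = 16  # message space is {1, ..., N}; small constructed value

def f(v: bytes) -> bytes:
    # Stand-in for the one-way permutation f (assumption: SHA-256 is
    # one-way but not a permutation; the chain algebra is the same).
    return hashlib.sha256(v).digest()

def f_pow(v: bytes, k: int) -> bytes:
    """Apply f to v exactly k times; f_pow(v, 0) == v."""
    for _ in range(k):
        v = f(v)
    return v

# --- Scheme as stated in exercise 7: a single chain ---
def keygen(x: bytes):
    return x, f_pow(x, N)              # private x, public y = f^N(x)

def sign(x: bytes, i: int) -> bytes:
    return f_pow(x, N - i)             # sigma = f^(N-i)(x)

def verify(y: bytes, i: int, sigma: bytes) -> bool:
    return 1 <= i <= N and f_pow(sigma, i) == y

def walk_down(sigma: bytes, i: int, j: int) -> bytes:
    """Given a signature on i, return f^(i-j)(sigma) = f^(N-j)(x) for j <= i.
    Only the public function f is used; no key material is needed."""
    assert 1 <= j <= i
    return f_pow(sigma, i - j)

# --- One possible repair (assumption, not from the page): a second chain
# --- that runs in the opposite direction, so moving i either way needs
# --- a preimage of f on one of the two chains.
def keygen2(x1: bytes, x2: bytes):
    return (x1, x2), (f_pow(x1, N), f_pow(x2, N))

def sign2(sk, i: int):
    return f_pow(sk[0], N - i), f_pow(sk[1], i)

def verify2(pk, i: int, sig) -> bool:
    return (1 <= i <= N
            and f_pow(sig[0], i) == pk[0]
            and f_pow(sig[1], N - i) == pk[1])
```
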

Top Answer

Dear Student, I have reviewed your assignment thoroughly, based on your assignment details and current...