Cryptography exercises for CST Part II by Markus Kuhn, covering topics such as historic ciphers, perfect secrecy, semantic security, block ciphers, modes of operation, message authenticity, secure hash functions, number theory and group theory. Some exercises require the implementation of short programs and the use of specific functions like SHA-1 and Euclid's algorithm.
Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you can use any language you prefer, as long as it supports an arbitrary-length integer type and offers a SHA-1 function. Include both your source code and the required output into your answers.
Before starting any programming exercise, first estimate how many minutes the solution will take you. Please include in your answers both this estimate, as well as the actual time you required.
Exercise 1: Decipher the shift cipher text LUXDZNUAMNDODJUDTUZDGYQDLUXDGOJDCKDTKKJDOZ
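Added example (not part of the original exercise sheet): a Python shift cipher with a key search over all 26 keys. Since the key space is tiny, the interesting part is how a program picks the right candidate: here each candidate plaintext is scored by its log-likelihood under a standard English letter-frequency table, and the best-scoring key wins. The frequency table and the demonstration text are constructed assumptions; the ciphertext constant is the one from Exercise 1.

```python
import math
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (percent) of letters in English text (assumed model)
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

def shift_encrypt(text: str, key: int) -> str:
    """Shift every letter by `key` positions (mod 26); other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
        for c in text.upper()
    )

def shift_decrypt(text: str, key: int) -> str:
    return shift_encrypt(text, -key)

def english_score(text: str) -> float:
    """Log-likelihood of the letters under the English frequency model (higher = more English-like).
    A log-likelihood tolerates a few rare letters better than a chi-square statistic does."""
    return sum(math.log(ENGLISH_FREQ[c] / 100.0) for c in text if c in ALPHABET)

def break_shift(ciphertext: str) -> list:
    """Try all 26 keys and return (score, key, candidate plaintext) tuples, best first.
    Exhausting 26 keys is trivial; the scoring is what selects the plaintext automatically."""
    candidates = [
        (english_score(shift_decrypt(ciphertext, k)), k, shift_decrypt(ciphertext, k))
        for k in range(26)
    ]
    return sorted(candidates, reverse=True)

EXERCISE_CIPHERTEXT = "LUXDZNUAMNDODJUDTUZDGYQDLUXDGOJDCKDTKKJDOZ"  # from Exercise 1

if __name__ == "__main__":
    for score, key, plaintext in break_shift(EXERCISE_CIPHERTEXT)[:3]:
        print(f"key={key:2d} score={score:7.1f} {plaintext}")
```

Running the block prints the three best-scoring candidates for the exercise ciphertext; the scorer only needs a few dozen letters to separate the true key from the other 25, which is exactly why Exercise 3 restricts its unconditional-security claim to single-letter plaintexts.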
Exercise 2: How can you break any transposition cipher with ⌈log_a n⌉ chosen plaintexts, if a is the size of the alphabet and n is the permutation block length?
Exercise 3: Show that the shift cipher provides unconditional security if ∀K ∈ Z_26: P(K) = 26^-1 for plaintexts M ∈ Z_26.
Exercise 4: Show that an encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if
(a) for every probability distribution over M, every message M ∈ M, and every ciphertext C ∈ C with P(C) > 0 we have
P(C|M) = P(C).
(b) for every probability distribution over M, every message pair M_0, M_1 ∈ M, and every ciphertext C ∈ C with P(C) > 0 we have
P(C|M_0) = P(C|M_1).
3 Semantic security
4 Block ciphers
Exercise 5: If the round function f in a Feistel construction is a pseudo-random function, how many rounds r are at least necessary to build a pseudo-random permutation? What test can you apply to distinguish a Feistel structure with r − 1 rounds (with high probability) from a random permutation?
Exercise 6: Using a given pseudo-random function F : {0,1}^100 → {0,1}^100, construct a pseudo-random permutation P : {0,1}^300 → {0,1}^300 by extending the Feistel principle appropriately.
Exercise 7: What happens to the ciphertext block if all bits in both the key and plaintext block of DES are inverted?
Exercise 8: Given a hardware implementation of the DES encryption function, what has to be modified to make it decrypt?
5 Modes of operation
Exercise 9: In the CBC mode of operation, the initial vector (IV) is chosen uniformly at random, using a secure source of random bits. Show that CBC would not be CPA secure if the initial vector could be anticipated by the adversary, for example because it is generated instead using a counter or a time-stamp.
Exercise 10: Explain for each of the discussed modes of operation (ECB, CBC, CFB, OFB, CTR) of a block cipher how decryption works.
Exercise 11: A sequence of plaintext blocks M_1, ..., M_8 is encrypted using DES into a sequence of ciphertext blocks. Where an IV is used, it is numbered C_0. A transmission error occurs and one bit in ciphertext block C_3 changes its value. As a consequence, the receiver obtains after decryption a corrupted plaintext block sequence M_1', ..., M_8'. For the discussed modes of operation (ECB, CBC, CFB, OFB, CTR), how many bits do you expect to be wrong in each block M_i'? (Hint: You may find it helpful to draw decryption block diagrams.)
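Added example covering Exercises 5/6, 10 and 11 together (this is not code from the exercise sheet): a toy 64-bit Feistel cipher whose round function is SHA-1 used as a keyed pseudo-random function, the five modes of operation built on top of it with their decryption directions, and the Exercise 11 experiment of flipping one bit of C_3 in transit and counting wrong bits per received block. The cipher, key, IV and message blocks are constructed stand-ins (it is not DES); the block-numbering convention M_1..M_8 / C_0 = IV follows the exercise.

```python
import hashlib

BLOCK = 8            # 64-bit blocks, DES-sized; the cipher below is a constructed Feistel toy, not DES
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function f_i: SHA-1 used as a keyed pseudo-random function, truncated to a half block."""
    return hashlib.sha1(key + bytes([i]) + half).digest()[:HALF]

def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """r-round Feistel network: (L, R) -> (R, L xor f_i(R)) in every round."""
    l, r = block[:HALF], block[HALF:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Inverse permutation: the same rounds in reverse order; f_i is re-evaluated, never inverted."""
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def _counter(iv: bytes, i: int) -> bytes:
    """CTR input block: IV + i (mod 2^64)."""
    return ((int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")

def encrypt(mode: str, key: bytes, iv: bytes, blocks: list) -> list:
    E = lambda b: feistel_encrypt(key, b)
    out, prev = [], iv          # prev is C_0 = IV, or the CFB/OFB feedback register
    for i, m in enumerate(blocks):
        if mode == "ECB":
            c = E(m)
        elif mode == "CBC":
            c = E(_xor(m, prev))
            prev = c
        elif mode == "CFB":
            c = _xor(m, E(prev))
            prev = c
        elif mode == "OFB":
            prev = E(prev)
            c = _xor(m, prev)
        elif mode == "CTR":
            c = _xor(m, E(_counter(iv, i)))
        else:
            raise ValueError(mode)
        out.append(c)
    return out

def decrypt(mode: str, key: bytes, iv: bytes, blocks: list) -> list:
    E = lambda b: feistel_encrypt(key, b)
    D = lambda b: feistel_decrypt(key, b)
    out, prev = [], iv
    for i, c in enumerate(blocks):
        if mode == "ECB":
            m = D(c)
        elif mode == "CBC":
            m = _xor(D(c), prev)
            prev = c
        elif mode == "CFB":              # the stream modes decrypt with E; D is never used
            m = _xor(c, E(prev))
            prev = c
        elif mode == "OFB":
            prev = E(prev)
            m = _xor(c, prev)
        elif mode == "CTR":
            m = _xor(c, E(_counter(iv, i)))
        else:
            raise ValueError(mode)
        out.append(m)
    return out

def bit_errors_after_flip(mode: str, key: bytes, iv: bytes, blocks: list,
                          block_no: int = 3, bit: int = 17) -> list:
    """Exercise 11 experiment: flip one bit of C_{block_no} in transit, decrypt, and
    return the number of wrong bits in each received block M'_i."""
    cipher = encrypt(mode, key, iv, blocks)
    damaged = bytearray(cipher[block_no - 1])   # ciphertext blocks are numbered from C_1 here
    damaged[bit // 8] ^= 1 << (bit % 8)
    cipher[block_no - 1] = bytes(damaged)
    received = decrypt(mode, key, iv, cipher)
    return [sum(bin(x ^ y).count("1") for x, y in zip(m, mp))
            for m, mp in zip(blocks, received)]

MODES = ("ECB", "CBC", "CFB", "OFB", "CTR")
KEY = b"constructed-key"                     # constructed sample key
IV = bytes(range(BLOCK))                     # constructed fixed IV (a real sender picks it at random)
MESSAGE = [bytes(range(8 * j, 8 * j + 8)) for j in range(8)]   # M_1 .. M_8, constructed

if __name__ == "__main__":
    for mode in MODES:
        assert decrypt(mode, KEY, IV, encrypt(mode, KEY, IV, MESSAGE)) == MESSAGE
        print(mode, bit_errors_after_flip(mode, KEY, IV, MESSAGE))
```

The printed lists show the propagation pattern the exercise asks for: a block that passes through the decryption function (ECB, and C_3 itself in CBC) comes out with roughly half its bits wrong, whereas a block that is only XORed with a key-stream word (OFB, CTR, C_3 in CFB, and the following block in CBC) inherits exactly the one flipped bit; all other blocks are intact.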
Exercise 12: Your opponent has invented a new stream-cipher mode of operation for 128-bit key AES. He thinks that OFB could be improved by feeding back into the key port rather than the data port of the AES chip. He therefore sets R_0 = K and generates the key stream by R_{i+1} = E_{R_i}(R_0). Is this better or worse than OFB?
Exercise 13: A programmer wants to use CBC in order to protect both the integrity and confidentiality of network packets. She attaches a block of zero bits M_{n+1} to the end of the plaintext M_1 ‖ ... ‖ M_n as redundancy, then encrypts with CBC. At the receiving end, she verifies that the added redundant bits are still all zero after CBC decryption. Does this test ensure the integrity of the transferred message?
(c) Write a subroutine that finds two different input passwords that lead to a collision in genpasswd, i.e. in the first 36 bits of SHA-1, and provide an example of such a collision. How many passwords did your program have to generate to find a first collision, and in what run-time?

One example collision:

    $ perl -e 'use Digest::SHA qw(sha1_hex);while(@ARGV) {print sha1_hex(shift @ARGV),"\n"}' f7KNL4 EBP37l
    ee2109291564192a7372f4caa2477af1646bb
    ee2109291ee27e1d3ee028c21cefc5d55312a

(d) Like part (c), but this time your program must operate in a small amount of memory (i.e., the memory it requires must not grow with the number of passwords generated so far). Compare the number of passwords generated and the execution time with part (c).
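Added example for parts (c) and (d) (not the model answer, and written in Python rather than Perl): a table-based birthday search whose memory grows with every password tried, beside a constant-memory search using Floyd's cycle-finding on the map x ↦ first `bits` bits of SHA-1(password(x)). The genpasswd subroutine itself is not on this page, so the password format is an assumption: six characters over [0-9a-zA-Z], chosen so that every 36-bit value maps to a distinct password (the shape of the examples f7KNL4 and EBP37l). The `bits` parameter defaults to the exercise's 36 but can be lowered to watch the √N behaviour quickly.

```python
import hashlib
import itertools

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 62 symbols
PW_LEN = 6   # 62^6 > 2^36, so the map below is injective on 36-bit values

def password(n: int) -> str:
    """Assumed genpasswd format: an injective map from an integer < 62^6 to a 6-character password."""
    chars = []
    for _ in range(PW_LEN):
        n, d = divmod(n, 62)
        chars.append(ALPHABET[d])
    return "".join(chars)

def trunc_sha1(pw: str, bits: int) -> int:
    """The first `bits` bits of SHA-1(pw) as an integer (the exercise uses bits = 36)."""
    return int.from_bytes(hashlib.sha1(pw.encode()).digest(), "big") >> (160 - bits)

def collision_table(bits: int = 36) -> tuple:
    """Part (c): remember every truncated hash seen; memory grows with the passwords generated.
    Returns (pw1, pw2, passwords_generated); expected cost is about 2^(bits/2) hashes."""
    seen = {}
    for n in itertools.count():
        pw = password(n)
        h = trunc_sha1(pw, bits)
        if h in seen:
            return seen[h], pw, n + 1
        seen[h] = pw

def collision_floyd(bits: int = 36, seed: int = 1) -> tuple:
    """Part (d): Floyd's tortoise-and-hare on f(x) = trunc_sha1(password(x)), which needs only
    a handful of integers regardless of how far it walks. Returns (pw1, pw2, hash_evaluations).
    The walk x, f(x), f(f(x)), ... must eventually repeat; the two distinct predecessors of the
    first repeated value are a collision of f."""
    f = lambda x: trunc_sha1(password(x), bits)
    calls = 0
    while True:
        tortoise, hare = f(seed), f(f(seed))
        calls += 3
        while tortoise != hare:                 # phase 1: detect the cycle
            tortoise, hare = f(tortoise), f(f(hare))
            calls += 3
        x, y = seed, tortoise                   # phase 2: walk to the cycle entry in lock step
        while True:
            fx, fy = f(x), f(y)
            calls += 2
            if fx == fy:
                break
            x, y = fx, fy
        if x != y:                              # distinct preimages of the entry point
            return password(x), password(y), calls
        seed += 1                               # the seed itself lay on the cycle: restart elsewhere

if __name__ == "__main__":
    for bits in (20, 28, 36):
        p1, p2, n = collision_table(bits)
        q1, q2, calls = collision_floyd(bits)
        print(f"{bits} bits: table {p1} {p2} after {n} passwords; "
              f"Floyd {q1} {q2} after {calls} hash evaluations")
```

Both searches need on the order of 2^(bits/2) hash evaluations; Floyd's variant pays roughly a constant factor more hashing in exchange for constant memory, which is the trade-off part (d) asks you to measure.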
10 Key distribution problem
11 Number theory and group theory
Exercise 20: Use Euclid’s algorithm to calculate gcd(36, 24).
Exercise 21: The following Perl program implements a non-recursive form of the Euclidean algorithm:

    #!/usr/bin/perl
    use bigint;   # use arbitrary-length integer type

    sub gcd {
        my ($a0, $b0) = @_;   # remember the original arguments for the output line
        my ($a, $b) = @_;
        while (1) {
            my $q = $a / $b;          # integer division under 'use bigint'
            if ($a == $b * $q) {      # remainder is zero: $b is the gcd
                print "gcd($a0,$b0) = $b\n";
                return $b;
            }
            ($a, $b) = ($b, $a - $b * $q);
        }
    }

    gcd(2250,360);
Modify it, such that it implements a non-recursive form of the extended Euclidean algorithm. To do so, first define two additional local variables

    my ($aa, $ab) = (1, 0);
    my ($ba, $bb) = (0, 1);

that record how $a and $b can be represented as linear combinations of their initial values $a0 and $b0, by maintaining the following invariant:

    $a == $a0 * $aa + $b0 * $ab
    $b == $a0 * $ba + $b0 * $bb

(a) Extend the final 2-tuple assignment ($a, $b) = ($b, $a-$b*$q); into a 6-tuple assignment ($a, $aa, $ab, $b, $ba, $bb) = ($b, ... ); that maintains the above invariant.
(b) Extend the print and return statements to output the gcd result also as a linear combination of the input values.
(c) If your function is called with egcd(2250,360) it should output

    gcd(2250,360) = 90 = 2250 * 1 + 360 * -

What is the output of your function if called with the following values?

    gcd(733810016255931844845,1187329547587210582322)
Exercise 22: Show how the following two basic properties of every group (G, • ) follow from the group axioms given on slide 159:
(a) The neutral element of any group is unique. In other words: if both e and e′ are neutral elements of the group, with g • e = g = e • g and g • e′ = g = e′ • g for every group element g, then show that this implies e = e′.
(b) The inverse element of any group element is unique. In other words: if e is the neutral element of a group and if we have group elements g, f, h where f and h are inverse elements of g, that is g • f = e = f • g and g • h = e = h • g, show that this implies f = h.
Exercise 23: Let (F, , ) be a field. The definition of a field requires that is left-distributive over , which means that for any a, b, c ∈ F: a(bc) = (ab)(ac). Show that this requirement implies the right-distributive property (a b) c = (a c) (b c).
Exercise 24:
(a) Convert your implementation of the extended Euclidean algorithm from Exercise 21 into an implementation of a function modinv(a, n) that returns a^-1 such that a · a^-1 mod n = 1, or aborts with an error if no such a^-1 exists. Verify that it outputs modinv(806515533049393, 1304969544928657) = 806515533049393 and fails for modinv(4505490,7290036).
(b) Which calculation steps of the extended Euclidean algorithm can be dropped for this application?
(c) What is modinv(892302390667940581330701, 1208925819614629174706111)?
Exercise 25: Use Euler’s theorem to calculate the inverse
(a) 5^-1 mod 7 (b) 5^-1 mod 12 (c) 5^-1 mod 15
Exercise 26: Given an abelian group (G, • ), let H be the set of its quadratic residues, that is H = {g^2 | g ∈ G}. Show that (H, • ) is a subgroup of (G, • ).
14 Digital signatures
Exercise 32: A device vendor uses the DSA signature scheme to digitally sign configuration updates. The system parameters are

    p = 0x8df2a494492276aa3d25759bb06869cbeac0d83afb8d0cf7cbb8324f0d7882e
        d0762fc5b7210eafc2e9adac32ab7aac49693dfbf83724c2ec0736ee31c
    q = 0xc773218c737ec8ee993b4f2ded30f48edace915f
    g = 0x626d027839ea0a13413163a55b4cb500299d5522956cefcb3bff10f399ce2c2e
        71cb9de5fa24babf58e5b79521925c9cc42e9f6f464b088cc572af53e6d

and the vendor's public key is

    y = 0xeb772a91db3b69af90c5da844d7733f24270bdd11aac373b26f58ff528ef
        94b1e746e3f20b8b89ce9e5d641abbff3e3fa7dedd3264b1b313d7cd569656c
The vendor has already signed two messages:
    H(m_1) = SHA-1("Monday") = 0x932eeb1076c85e522f02e15441fa371e3fd000ac
    r_1 = 0x8f4378d1b2877d8aa7c0687200640d4bba72f2e
    s_1 = 0x696de4ffb102249aef907f348fb10ca704a4b
    H(m_2) = SHA-1("Tuesday") = 0x42e43b612a5dfae57ddf5929f0fb945ae83cbf
    r_2 = 0x8f4378d1b2877d8aa7c0687200640d4bba72f2e
    s_2 = 0x25f87cbb380eb4d7244963e65b76677bc968297e

(a) Calculate g^q mod p.
(b) Verify that the two signatures are valid under the given public key y. (Preferably perform the required calculations using the modinv and modexp routines that you implemented yourself in exercises 24 and 27. Alternatively, download a computer-algebra system, such as Sage or PARI/GP.)
(c) What mistake did the vendor make when generating these two signatures?
(d) Exploit this mistake to reconstruct the secrets k and x used to generate these signatures. [Hint: Start by subtracting the two defining equations for s_1 and s_2 from each other.]
(e) Use this information to falsify a signature for the new message
H(m 3 ) = SHA-1("Wednesday") = 0x5656b9b79b0316fc611a9c30d2ffac25228b
and then verify its correctness against public key y.
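Added example walking through Exercise 32 (b) to (e) end to end (my own code, not the vendor's system or the sheet's model answer). The page's 512-bit parameters are truncated in this copy, so the block uses constructed toy parameters p = 5927, q = 2963 with q | p − 1 and g = 2^((p−1)/q) mod p; the private key and the reused per-message secret are constructed too. It implements standard DSA signing and verification (hash input = leftmost bits of SHA-1, as DSA specifies), an audit check that spots the vendor's mistake from the signatures alone (equal r means equal k), the secret recovery the hint describes, and finally verifies a signature made with the recovered key against the public key.

```python
import hashlib

# Constructed toy DSA domain parameters, chosen so that q | p - 1 (here p = 2q + 1).
# They stand in for the page's 512-bit parameters, which are truncated on this page.
P = 5927
Q = 2963
G = pow(2, (P - 1) // Q, P)   # g = h^((p-1)/q) mod p with h = 2; has order q because g != 1

def hash_to_int(msg: bytes) -> int:
    """DSA uses the leftmost min(N, 160) bits of SHA-1(msg), where N is the bit length of q."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - Q.bit_length())

def keygen(x: int) -> int:
    """Public key y = g^x mod p for a private key x in [1, q-1]."""
    return pow(G, x, P)

def sign(x: int, msg: bytes, k: int) -> tuple:
    """Signature (r, s) with the per-message secret k passed in explicitly so that reuse can be
    shown; a correct signer draws a fresh, uniform, secret k in [1, q-1] for every signature."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s

def verify(y: int, msg: bytes, sig: tuple) -> bool:
    """Standard DSA verification: (g^(z/s) * y^(r/s) mod p) mod q must equal r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = hash_to_int(msg) * w % Q
    u2 = r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def find_repeated_r(signatures: list):
    """Audit check for part (c): r depends only on k, so two signatures under one key with the
    same r were made with the same k. Returns the index pair of the first repeat, or None."""
    seen = {}
    for i, (r, _s) in enumerate(signatures):
        if r in seen:
            return seen[r], i
        seen[r] = i
    return None

def recover_from_nonce_reuse(msg1: bytes, sig1: tuple, msg2: bytes, sig2: tuple) -> tuple:
    """Part (d): subtracting s1 = k^-1 (z1 + x r) and s2 = k^-1 (z2 + x r) (same k, same r)
    gives k = (z1 - z2) / (s1 - s2) mod q, and then x = (s1 k - z1) / r mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("the two signatures do not share a reused k")
    z1, z2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (z1 - z2) * pow((s1 - s2) % Q, -1, Q) % Q
    x = (s1 * k - z1) * pow(r1, -1, Q) % Q
    return k, x

# Constructed secrets for the demonstration (not the vendor's real values)
X_PRIVATE = 1234
K_REUSED = 777

def demo() -> dict:
    """Run the exercise end to end on the toy parameters and return the intermediate results."""
    y = keygen(X_PRIVATE)
    sig1 = sign(X_PRIVATE, b"Monday", K_REUSED)
    sig2 = sign(X_PRIVATE, b"Tuesday", K_REUSED)     # same k twice: the vendor's mistake
    k, x = recover_from_nonce_reuse(b"Monday", sig1, b"Tuesday", sig2)
    forged = sign(x, b"Wednesday", 42)                 # any fresh k works once x is known
    return {"y": y, "sig1": sig1, "sig2": sig2, "repeat": find_repeated_r([sig1, sig2]),
            "k": k, "x": x, "forged_ok": verify(y, b"Wednesday", forged)}

if __name__ == "__main__":
    print(demo())
```

The same functions work unchanged on the real 512-bit parameters once P, Q, G and y are filled in from a complete copy of the sheet; the audit in find_repeated_r is the defensive takeaway, since a verifier that logs r values can flag this class of signer bug before anyone has to do part (d).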