University of Virginia, Department of Computer Science CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 3: Public-Key Cryptosystems - Selected Answers

1. Key Distribution

a. (5) Suppose a council of n people want to establish keys so that any person may communicate secretly with any other person (that is each pair of people have a unique key). How many unique keys are necessary?
Answer: This is the number of pairs formable from n people: C(n,2) or n(n-1)/2.

Consider the following scheme for establishing 4-person secret communication:

Alice generate three secret keys, K1, K2 and K3 and securely gives Bob K2 and K3, Colleen K1 and K3 and Doug K1 and K2. Bob generates secret key K4 and gives it to Colleen and Doug. Hence, after meeting securely and distributing the keys each person knows the following keys:

A: K1, K2, K3
B: K2, K3, K4
C: K1, K3, K4
D: K1, K2, K4
Alice claims they can now all communicate securely with any other person since any pair of people know a pair of keys that no other pair of people know. Hence, if Alice wants to communicate with Bob, the will use KAB = K2 XOR K3. She claims this is secure since know one else knows both K2 and K3.

Likewise,

KBC = 3 XOR 4
KCD = 1 XOR 4
KAC = 1 XOR 3
KBD = 2 XOR 4
b. (10) This scheme requires less total keys than the unique key per communicating pair scheme from part a. (Your answer to part a should confirm this.) Is any security sacrificed for the reduction in number of keys? (One way to answer this would be to describe trust models under which it is secure and insecure.)

We are giving up some security because other parties share some part of the key used between any communicating pair. This fact is exploitable if two parties team up. Since each person lacks a key that all other parties have, a team can collude to decrypt other's messages by sharing keys with each other.

For example, if Bob and Alice exchange K1 and K4, they can both decrypt Colleen and Doug's communications.

Our security model must trust that no two council members will be willing to share keys.

Note: We should not assume that the cipher used is a simple XOR just because the keys are XORed together. The cipher could be DES, from which it would be very difficult to obtain the key, even though a party knows one of the two keys used in the encryption.

c. (10) Can this scheme be scaled to allow 5 people to communicate with the same level of security as in (b), with 5 keys? (Explain how, or why not.)

Yes, it can be extended simply. Alice generates four secret keys, K1, K2, K3 and K4 and securely gives Bob K1, K2 and K3, Colleen K1, K2 and K4, Doug K1, K3 and K4, and Ethel K2, K3 and K4. Bob generates secret key K5 and gives it to Colleen, Doug, and Ethel. Each person now knows:

A: K1, K2, K3, K4
B: K1, K2, K3, K5
C: K1, K2, K4, K5
D: K1, K3, K4, K5
E: K2, K3, K4, K5

Hence, communicating pairs use the following keys:

KAB = 1 XOR 2 XOR 3
KAC = 1 XOR 2 XOR 4
KAD = 1 XOR 3 XOR 4
KAE = 2 XOR 3 XOR 4
KBC = 1 XOR 2 XOR 5
KBD = 1 XOR 3 XOR 5
KBE = 2 XOR 3 XOR 5
KCD = 1 XOR 4 XOR 5
KCE = 2 XOR 4 XOR 5
KDE = 3 XOR 4 XOR 5

We still have the same problem of collusion and the same trust model. In one sense, the consequences of collusion are worse. Colluding parties can now eavesdrop on three (rather than two) other council members.

2. Prime Directive

[Question due to Wade Trappe and Lawrence Washington]

a. (5) Alice wants to securely send m to Bob. She selects p, a prime > m and integer a relatively prime to p - 1. She sends c = ma mod p and p to Bob over an insecure channel. Bob selects an integer b that is relatively prime to p - 1, computes d = cb mod p and sends d to Alice. Alice finds g such that ag ≡ 1 mod p - 1. (Recall since a is relatively prime to p - 1, it must have a multiplicative inverse mod p - 1.) She then computes e = dg mod p and sends e to Bob. Explain what Bob must do to obtain m.

Message e = mabg mod p. Since a and g are multiplicative inverses mod p - 1, they will cancel:

ag = 1 + k(p - 1),  so by substitution and commutitivity:

e = mb(1 + k(p - 1) mod p,  and by distribution, rules of exponents, and commutivity:

e = mbm(p - 1)bk mod p,  and since p is prime, p - 1 = φ(p), and by Euler's Theorem,

e = mb1bk mod p,  and finally by simplification:

e = mb mod p

Bob must find h such that bh ≡ 1 mod p - 1. He can do this easily using the Extended Euclidian Algorithm. Then he computes eh mod p, which will reduce to m as above.

b. (5) How vulnerable is this protocol to a passive eavesdropper?

An eavesdropper will see ma mod p, mab mod p, and mb mod p. The original message m cannot be deduced from these transmissions without computing discrete logarithms, which is believed to be hard. The protocol is safe from passive eavesdropping as long as p is large enough to make it impractical to find the discrete logarithm.

c. (5) How vulnerable is it to an active eavesdropper?

An active eavesdropper can mount a classic woman-in-the-middle attack. Since the end parties are not authenticated to each other in any way, Alice will never know that it is really Eve with whom she is communicating. Eve can then impersonate Alice to Bob, if it is important that Bob not become suspicious about not receiving the message.

3. Primal Tendancies

In the RSA paper, the authors claim that it is okay to use a probablistic prime number test since if a composite number is choosen the receiver would probably detecte it by noticing that decryption didn't work correctly.

That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for p or q would be bad, because an attacker would have an easier time factoring n = p * q = (p1 * p2) * q since one of the p factors is small (around sqrt (sqrt (n))).

a. (10) Illustrate that decryption doesn't work if the choosen p is composite using an example. That is, pick p, q, e and d consistent with the RSA algorithm except p is composite, and show for some M: D (E (M)) ¹ M.

Choose p = 10, a composite number.
Choose q = 7, prime.
Let n = pq = 70.
Choose d = 5, prime to (p - 1)(q - 1) = 54.
Compute e such that ed ≡ 1 mod (p - 1)(q - 1):

Since 11 x 5 = 55 ≡ 1 mod 54, let e = 11.

Choose M = 2, between 0 and n - 1 = 69.
Show that D(E(M)) ≠ M:
211 mod 70 = 18.
185 mod 70 = 58.
18 ≠ 58.

b. (5) Show how the proof that D (E (M)) = M breaks if p is composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends on p being prime.)

We compute e and d such that ed ≡ 1 mod (p - 1)(q - 1). Therefore ed - 1 = k(p - 1)(q - 1) for some k. By Euler's Theorem, Mφ(n) ≡ 1 mod n. In order to show that RSA works, we need to substitute ed - 1 for φ(n). We know φ(n) = φ(p)φ(q) whenever n = pq and p, q coprime. Even if p is prime to q, we cannot assume φ(p) = p - 1, since p is composite. Therefore, we cannot do the substitution--the proof is broken.

4. Annonymous Tallying

A group of students are trying to figure out how many of them read the RSA paper before class, but no one wants to reveal to anyone else whether or not they read the paper.

We attempted (unsuccessfully) to do this in class by having the first student pick a random number to initialize the process. Then every student (including the first) adds one to the last number if she read the paper, and whispers it to the student next to her. The difference between the number at the end and the initialization number gives the total number of students who had read the paper.

Unlike our attempt to do this in class, the individuals are not able to communicate over a secure channel (e.g., whisper something to the person sitting next to them without others overhearing).

a. (10) Describe a protocol that can be used to annonymously tally the number of students who have read the paper without revealing anything about whether or not a particular individual has read the paper and without depending on any secure channels.

Answer: We just need to find a way of "whispering" by writting numbers on the board publically. This is easy: each pair that needs to communicate should use Diffie-Hellman to established a shared secret key, and then encrypt messages using a strong symmetric cipher (for example, AES) using that shared secret key.

Note that the protocol requires the students to communicate secretely in a circle. For example, if there are four students A, B, C, and D, we can start with A generating the large random number, then passing either that number or that number plus 1 to B. This message would be encrypted using a shared secret key establised between A and B using Diffie-Hellman. Then B passes to C, C passes to D, and D passes to A. At this point, A can calculate and report the number of students who read the paper.

A common wrong answer was for every student to generate an RSA public-private key pair and writhe the public key on the board. Then A would pass her value to B by encrypting it with B's public key. This looks like it would work, since only B can decrypt the message. However, A can determine whether or not B read the paper by looking at the message B sends to C. This message is either EKUC[n] or EKUC[n + 1] (where n is the number A sent to B). A simply has to compute each of these (which she can do easily, since she knows KUC just as well as B does, and compare them to the value B writes on the board. In a similar manner, after C has decrypted the message from B, she can determine if B read the paper by checking if A sent B, EKUB[n] or EKUB[n - 1] (where n is the number she received from B).

This is the same problem as with the Poker protocol in question 5! If the space of possible messages is small, it is easy for an eavesdropper to tell which message was encrypted using a public key.

b. (5 + possible bonus) With the protocol we used in class, the first person can cheat and make the total any number she wants by revealing a different starting number. Any other person can cheat by modifying the passed number in some way other than adding zero or one (for example, someone could add 17 if he believes the class will be punished if the total is too low). Improve your protocol to make it resistant to these forms of cheating. (Of course, we can't do anything about individuals lying about whether of not they read the paper.)

The simplest way to do this is to use the anonymous routing protocol from Lecture 12 (onion routing). The basic idea is that each student should send a message indicating whether or not they read the book to a randomly selected other student using anonymous routing. The recipient can reveal the message without anyone knowing who created it.

For this to be secure, we need to ensure:

1. No one can create more than one message.
2. No one can alter anyone elses message.
First Attempt

Each student uses "0" to indicate they didn't read the paper, and "1" to indicate they did. Each student selects three random students, and uses onion routing to send the bit to the third student via the first two.

For example, Alice is a conscientious student who read the paper. She randomly selects Fred, Holly and Cathy.

1. Each student writes exactly one string on the board - the "0" or "1" indicating whether or not she read the book, encrypted with the public keys of the three randomly choosen students and concatenated (we use | to indicate string concatenation) with an agreed tag. We use the tag, "its for you", so that when someone decrypts a message with the correct key they can tell that it is correct.

For example, Alice writes:

EKUF [ "its for you" | EKUH [ "its for you" | EKUC ["its for you" | 1]]]
2. Every student tries to decrypt every string on the board using their private key. If the decrypted message starts with "its for you", she knows that the message was intended for her.

Note that some students will find their public key decrypts more than one of the strings on the board; others will find they key does not decrypt any of the messages. Fred will be able to decrypt the string Alice wrote using EKRF to get:

"its for you" | EKUH [ "its for you" | EKUC ["its for you" | 1]]]
3. After all students have finished decrypting, they each go up in turn and write strings on the board. Fred will write,
EKUH [ "its for you" | EKUC ["its for you" | 1]]]
4. As in step 2, each student attempts to decrypt all the strings on the board using her private key.

Holly will be able to decrypt the string Fred wrote, to get:

"its for you" | EKUC ["its for you" | 1]
5. As in step 3, after all students have finished decrypting, they each go up in turn and write strings on the board. Holly will write,
EKUC ["its for you" | 1]
6. As in step 2, each student attempts to decrypt all the strings on the board using her private key. Cathy will be able to decrypt the string Holly wrote to get, ["its for you" | 1].
7. At this point, all the strings have arrived at their final destination, and the final recipient has received either a "0" or a "1" indicating if some classmate read the paper. Each student writes the "0"'s and "1"'s they received on the board. The number of "1"'s indicated the number of students who read the paper.
How well does this work?

We are concerned with two properties: confidentiality (does it reveal whether or not someone read the paper) and integrity (does it produce an accurate count or can one dishonorable classmate mess up the tally).

Before reading further in the solutions, we recommend you try and analyze the security of this protocol yourself.

Confidentiality: Suppose Bob wants to find out if Alice read the paper. He records a, the string Alice writes on the board in step 1. In step 3, for each string x on the board, Bob calculates EKUX ("its for you" | x) where KUX is the public key of the student who wrote string x. One of these will match the string Alice wrote. Bob can do the same thing in step 5, and finally in step 7 to see if Alice read the paper!

Integrity: Certainly, Cathy can cheat at the end by writing a 0 instead of a 1. (Of course, Bob was trying to break the confidentiality as above, he would know Cathy cheated, but couldn't admit to knowing this without revealing he was snooping!) Someone could try to write more strings on the board then they received, but this would be quickly noticed when the total number of strings on the board exceeds the total number of students. Can someone alter more responses than just the ones they receive at the end? Yes, a malicious student could alter every message they receive during the three rounds. Instead of writing the correct decrypted message, he can just generate a new onion-routed message that encrypts whatever response he wants and travels over the remaning number of steps. Note that is Alice remembers that she routed her response to Cathy, she would know someone cheated if Cathy does not write at least one 1 on the board. So, Cathy has to be careful if she wants to cheat without getting caught - she must write at least one of every value she receives. For example, if she received four messages, one 1 and three 0's, she must write at least one 1 and one 0, but the other two responses can be whatever she wants.

Second Attempt

Clearly, this protocol doesn't work so well.

One fix would be to use something other than just 0 and 1 to denote the response. For example, we can append a random string to the response.

Then, Alice would initially write,

EKUF [ "its for you" | EKUH [ "its for you" | EKUC ["its for you" | 1 | RA]]]
Alice's random string RA would be passed through all the messages. At the end, instead of just writing 0 or 1 on the board, the final recipient writes the response and the associated random string. Alice checks that Cathy writes 1 | RA on the board. If Cathy does not write this on the board, Alice knows someone cheated (or messed up a decryption accidentally). She can't be sure it was Cathy though --- it could have been Fred or Holly. Alice can tell who cheated, exactly, however, if she pays attention to the intermediate steps. For example, she knows Fred must write EKUH [ "its for you" | EKUC ["its for you" | 1 | RA]]] on the board.

So, this makes it much harder for the final recipient to cheat without getting caught. Have we solved the confidentiality problem?

No! The backwards tracing still works -- the snooper can try encrypting messages on the board with public keys just as before.

Third Attempt

So, we need to solve the problem of the messages encrypted with public keys being known.

One approach would be to avoid writing these on the board directly. Instead of writing the inner message directly, we could establish a shared secret key with its recipient and use symmetric encryption to encrypt the inner message using that key.

For example, in the first step, Alice would establish a shared secret key, KAF with Fred, and write:

EKAF [ EKUF [ "its for you" | EKUH [ "its for you" | EKUC ["its for you" | 1 | RA]]]]
Of course, we need to do this without anyone else knowing Alice is sending her message to Fred. Hence, Alice should go through the Diffie-Hellman protocol to establish a shared secret key with every other student before beginning the protocol. Every pair of students must establish a shared secrety key.

We still have a problem though - after the first recipient decrypts the message, he must be able to send it to the second recipient. In the original protocol, the first recipient has no way of knowing who the second recipient is.

Because of onion routing, though, it is okay to allow this. Fred will know Alice send a message to him, and he passed it to Holly, but will not know Holly passed it to Cathy and hence will not be able to determine Alice's response. Likewise, Holly will receive a message from Fred, but not know it is Alice's response.

So, in step 1, Alice writes:

EKAF [ EKUF [ "send to: Holly" | EKUH [ "send to: Cathy" | EKUC ["Here it is: " | 1 | RA]]]]
Fred can decrypt the two outer layers using the symmetric KAF and KRF. In step 3, he now encrypts the next message using a shared symmetric key he established with Holly:
EKBH [EKUH [ "send to: Cathy" | EKUC ["Here it is: " | 1 | RA]]]
Similarily, in step 5, Holly will use her shared symmetric key with Cathy.

Not that in steps 2, 4 and 6, each student will now have to try decrypting each string on the board with first her symmetric key with the student who wrote that string, and then her private key.

Alice will be able to detect cheating if Cathy does not write 1 | RA on the board at the end. In this case, she cannot tell which one of Bob, Holly or Fred cheated though, since she does not know their respective shared symmetric keys. The only way to deal with cheating is to repeat the protocol from the beginning. This time, Alice will pick three different random people to avoid any of the possible cheaters. Note that everyone else should also pick different paths for their messages --- if only the one who suspects cheating changes hers, it would be easy to trace the only different message through all the steps to determine Alice's response.

Analysis

I believe this is secure, and invlunerable to cheating (except of course, anyone can lie in their actual response). If you can find a serious security vulnerability in it, that is worth 100 bonus points.

[29 Oct 2001 - Matthew Mah found a serious vulnerability.]

From a practical viewpoint, this protocol has some drawbacks. For a class with n students it requires:

• Setup: n2 / 2 Diffie-Hellman key exchanges to set up all the symmetric keys at the beginning. Each Diffie-Hellman key exchange involves 4 modular multiplies (2 for each participant) = 2n2 modular exponentiation. Substantial additional work would be required to generate everyone's public-private key pairs, but let's assume we already have those.
• Step 1: every student must perform 1 symmetric encryption and 3 public-key encryptions. The public-key encryptions are much more work than the symmetric encryption, so we will only count modular exponentiations. Each RSA encryption requires one - so there are 3n total.
• Step 2: every student has to try decrypting each string on the board with her symmetric key (shared with the person who wrote that string) and private key. Each decryption requires one modular exponentiation, so there are n for each student, and n2 total.
• Step 3: requires n symmetric encryptions.
• Step 4: like step 2, n2 modular exponentiations.
• Step 5: requires n symmetric encryptions.
• Step 6: like step 2, n2 modular exponentiations.
So, there are > 5n2 modular exponentiations required. (Of course, this assumes the case where we don't need to repeat the whole thing because someone cheated!)

There are lots of other ways to do this, but none I know of that do not also require ridiculous amounts of work. A different approach to this question would be to start with the card shuffling protocol in question 5. Counting tallies is like shuffling cards - just instead of starting with cards numbered 1 - 52, each student creates their own card with 0 or 1 representing their response. In addition to this, we need to include a random value to prevent the reverse encryption attack. It would be a good excercise to work out the details.

Final Attempt

That's a lot of work. It would be a lot less work if everyone always read the assigned papers.

5. Public-Key Poker

Alice, Bob and Cathy Sharky want to play poker. After seeing Cathy's shuffling skills, they decide it would be better to play on the Internet using virtual cards, then to use physical cards.

A playing card deck has 52 cards. They agree to identify each card using a number:

```   suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades)
number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13
cardid = (13 * suit) + number
```
so the queen of diamonds is card 26 + 12 = 38.

Play proceeds as follows:

1. Alice, Bob and Cathy each generate RSA public-private key pairs: KUA (Alice's public key), KRA (Alice's private key); KUB, KRB; KUC, KRC. The public keys KUA, KUB, KUC are securely published.
2. Alice generates a "deck" of 52 cards by encrypting the card identifiers (1-52) with KUA. She sends all the cards in random order to Bob.
3. Bob encrypts all cards with KUB, and sends the cards in random order to Cathy.
4. Cathy encrypts all the cards with KUC, and sends the cards in random order to Alice. At this point, the card m is encrypted as EKUC [EKUB [EKUA [m]]]].
5. Alice chooses two cards, and sends the remaning 50 cards to Bob (and keeps a copy of them for herself).
6. Bob chooses two cards from the cards Alice sent, and sends the remaning 48 cards to Cathy (and keeps a copy of them for himself).
7. Cathy chooses two cards from the cards Bob sent, and sends the remaining 46 cards to Alice.
8. Each player publishes their private keys. The all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.

a. (8) Alice and Bob are subject to the UVA Honor Code, but Cathy has no such scruples. After Cathy gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Cathy might be cheating. How is it possible for Cathy to always pick the best cards (even though the private keys are kept secret and she can't break RSA)?

b. (5) Suggest a simple modification to the protocol that makes it (nearly) impossible for Cathy (or anyone else) to cheat.

Note that it would be just as secure (and much more efficient) to just use symmetric encryption (there is no need for a public-private key pair if we are keeping the public key secret). We'd have to be careful to use and encryption algorithm where it is difficult to find a different key that decrypts the cards in a way that switches cards around (but still makes the deck look valid).

Another approach would be for each player to add a random string to every card. Instead of producing the deck { 1, .. 52 }, Alice would use { 1 | RA, ... 52 | RA }.

c. (7) In a real poker game (for example "Texas Hole 'Em"), we need to deal hidden cards to each player but also deal some cards that are revealed to everyone. Consider a game where each player is dealt two secret cards, and then five community cards are dealt and revealed to everyone. We need to reveal the community cards to every player without revealing anything about the private cards until the end of the game. Modify the protocal so that after each player has their two hidden cards, the five community cards can be revealed.

6. Hashing(10) Holly Hashly suggests creating a 128-bit hash of an arbitrarily long message by selecting a 128-bit prime number n, and a random 128-bit exponent e that is relatively prime to n and using Me mod n as a cryptographic hash function. Both e and n are public.

How well does this satisfy the 5 properties of cryptographic hash functions (from Lecture 10)?

Answer (due to David Friedman and Eric Peeters):

Even Distribution:

Many to One:

Collision Resistant:

Efficient:
Page 208 of "Making, Breaking Codes" describes a fast exponentiation algorithm. The algorithm takes at most 2 log2 e steps (e is the exponent), with each step including one multiplication. Garrett writes, "When the exponentiation is done modulo n, the numbers involved stay below n2, as well." This is true, but there will be at least one calculation of M2. Since M is arbitrary length, this can be an impractical calculation. As long as M is a small number, the efficiency is close to RSA, which is acceptable but not speedy.

One Way:
We can determine a lot about M by using Euler's theorem.
h = Me mod n
hd = Med mod n ≡ M mod n
when ed ≡ 1 mod φ(n)
Since n is prime, φ(n) = n - 1
So we need to find ed ≡ 1 mod n - 1 and calculate hd to get M mod n
It is not hard to find d, since we do this for RSA. Once we have M mod n we can try multiples of n to get an M that makes sense. This is better than brute force, but still requires some searching.