University of Virginia, Department of Computer Science | CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 3: Public-Key Cryptosystems - Selected Answers

## 1. Key Distribution

a. (5) Suppose a council of n people want to establish keys so that any person may communicate secretly with any other person (that is, each pair of people have a unique key). How many unique keys are necessary?

Answer: This is the number of pairs formable from n people: C(n,2) or n(n-1)/2.

Consider the following scheme for establishing 4-person secret communication: Alice generates three secret keys, K_1, K_2 and K_3, and securely gives Bob K_2 and K_3, Colleen K_1 and K_3, and Doug K_1 and K_2. Bob generates secret key K_4 and gives it to Colleen and Doug. Hence, after meeting securely and distributing the keys, each person knows the following keys:

- A: K_1, K_2, K_3
- B: K_2, K_3, K_4
- C: K_1, K_3, K_4
- D: K_1, K_2, K_4

Alice claims they can now all communicate securely with any other person since any pair of people know a pair of keys that no other pair of people know. Hence, if Alice wants to communicate with Bob, they will use K_AB = K_2 XOR K_3. She claims this is secure since no one else knows both K_2 and K_3. Likewise,

- K_BC = K_3 XOR K_4
- K_CD = K_1 XOR K_4
- K_AC = K_1 XOR K_3
- K_AD = K_1 XOR K_2
- K_BD = K_2 XOR K_4

b. (10) This scheme requires fewer total keys than the unique-key-per-communicating-pair scheme from part a. (Your answer to part a should confirm this.) Is any security sacrificed for the reduction in number of keys? (One way to answer this would be to describe trust models under which it is secure and insecure.)

Answer: We are giving up some security because other parties share some part of the key used between any communicating pair. This fact is exploitable if two parties team up. Since each person lacks a key that all other parties have, a team can collude to decrypt others' messages by sharing keys with each other.

For example, if Bob and Alice exchange K_1 and K_4, they can both decrypt Colleen and Doug's communications. Our security model must trust that no two council members will be willing to share keys.

Note: We should not assume that the cipher used is a simple XOR just because the keys are XORed together. The cipher could be DES, from which it would be very difficult to obtain the key, even though a party knows one of the two keys used in the encryption.

c. (10) Can this scheme be scaled to allow 5 people to communicate with the same level of security as in (b), with 5 keys? (Explain how, or why not.)

Answer: Yes, it can be extended simply. Alice generates four secret keys, K_1, K_2, K_3 and K_4, and securely gives Bob K_1, K_2 and K_3, Colleen K_1, K_2 and K_4, Doug K_1, K_3 and K_4, and Ethel K_2, K_3 and K_4. Bob generates secret key K_5 and gives it to Colleen, Doug, and Ethel. Each person now knows:

- A: K_1, K_2, K_3, K_4
- B: K_1, K_2, K_3, K_5
- C: K_1, K_2, K_4, K_5
- D: K_1, K_3, K_4, K_5
- E: K_2, K_3, K_4, K_5

Hence, communicating pairs use the following keys:

- K_AB = K_1 XOR K_2 XOR K_3
- K_AC = K_1 XOR K_2 XOR K_4
- K_AD = K_1 XOR K_3 XOR K_4
- K_AE = K_2 XOR K_3 XOR K_4
- K_BC = K_1 XOR K_2 XOR K_5
- K_BD = K_1 XOR K_3 XOR K_5
- K_BE = K_2 XOR K_3 XOR K_5
- K_CD = K_1 XOR K_4 XOR K_5
- K_CE = K_2 XOR K_4 XOR K_5
- K_DE = K_3 XOR K_4 XOR K_5

We still have the same problem of collusion and the same trust model. In one sense, the consequences of collusion are worse. Colluding parties can now eavesdrop on three (rather than two) other council members.
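The collusion argument in (b) and (c), as an added example that is not part of the problem set: the two key layouts above are encoded as sets of key indices, and the functions check which coalitions of outsiders can reconstruct a pair's XOR key. The key values themselves are random demo keys generated here.

```python
from functools import reduce
from itertools import combinations
import secrets

# Constructed encoding of the layouts in the answers to 1(a)-(c).  Every
# council member holds all keys but one, so the keys a pair shares are exactly
# the keys that no single outsider holds in full.
COUNCIL4 = {"A": {1, 2, 3}, "B": {2, 3, 4}, "C": {1, 3, 4}, "D": {1, 2, 4}}
COUNCIL5 = {"A": {1, 2, 3, 4}, "B": {1, 2, 3, 5}, "C": {1, 2, 4, 5},
            "D": {1, 3, 4, 5}, "E": {2, 3, 4, 5}}
KEY_BYTES = 16


def generate_keys(held):
    """Fresh random K_i for every key index that appears in the layout (demo keys)."""
    return {i: secrets.token_bytes(KEY_BYTES) for i in set().union(*held.values())}


def xor_bytes(blocks):
    return reduce(lambda x, y: bytes(a ^ b for a, b in zip(x, y)), blocks)


def pair_indices(held, a, b):
    """Key indices both a and b hold, e.g. [2, 3] for Alice and Bob."""
    return sorted(held[a] & held[b])


def pair_key(keys, held, a, b):
    """K_ab as Alice proposes it: the XOR of every key the pair has in common."""
    return xor_bytes(keys[i] for i in pair_indices(held, a, b))


def derive_as_coalition(keys, held, coalition, a, b):
    """Rebuild K_ab from the coalition's pooled keys, or None if one is missing."""
    pooled = set().union(*(held[m] for m in coalition))
    needed = pair_indices(held, a, b)
    if not set(needed) <= pooled:
        return None
    return xor_bytes(keys[i] for i in needed)


def coalitions_that_can_derive(held, a, b, size):
    """All groups of `size` outsiders whose pooled keys cover K_ab."""
    outsiders = sorted(set(held) - {a, b})
    needed = set(pair_indices(held, a, b))
    return [c for c in combinations(outsiders, size)
            if needed <= set().union(*(held[m] for m in c))]


def pairs_exposed_to(held, coalition):
    """Pairs of non-members whose traffic the colluding members can read."""
    pooled = set().union(*(held[m] for m in coalition))
    others = sorted(set(held) - set(coalition))
    return [(a, b) for a, b in combinations(others, 2)
            if set(pair_indices(held, a, b)) <= pooled]


if __name__ == "__main__":
    for name, layout in (("4 people", COUNCIL4), ("5 people", COUNCIL5)):
        keys = generate_keys(layout)
        print(name, "K_CD needs", pair_indices(layout, "C", "D"))
        print("  single outsiders who can derive K_CD:",
              coalitions_that_can_derive(layout, "C", "D", 1))
        print("  pairs of outsiders who can:",
              coalitions_that_can_derive(layout, "C", "D", 2))
        print("  pairs readable by A+B pooling keys:", pairs_exposed_to(layout, ("A", "B")))
        assert derive_as_coalition(keys, layout, ("A", "B"), "C", "D") == pair_key(keys, layout, "C", "D")
```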

## 2. Prime Directive

[Question due to Wade Trappe and Lawrence Washington]

a. (5) Alice wants to securely send m to Bob. She selects p, a prime > m, and an integer a relatively prime to p - 1. She sends c = m^a mod p and p to Bob over an insecure channel. Bob selects an integer b that is relatively prime to p - 1, computes d = c^b mod p and sends d to Alice. Alice finds g such that ag ≡ 1 mod p - 1. (Recall since a is relatively prime to p - 1, it must have a multiplicative inverse mod p - 1.) She then computes e = d^g mod p and sends e to Bob. Explain what Bob must do to obtain m.

Answer: Message e = m^{abg} mod p. Since a and g are multiplicative inverses mod p - 1, they will cancel: ag = 1 + k(p - 1), so by substitution and commutativity e = m^{b(1 + k(p - 1))} mod p, and by distribution, rules of exponents, and commutativity e = m^b m^{(p - 1)bk} mod p. Since p is prime, p - 1 = φ(p), and by Euler's Theorem e = m^b 1^{bk} mod p, and finally by simplification e = m^b mod p.

Bob must find h such that bh ≡ 1 mod p - 1. He can do this easily using the Extended Euclidean Algorithm. Then he computes e^h mod p, which will reduce to m as above.

b. (5) How vulnerable is this protocol to a passive eavesdropper?

Answer: An eavesdropper will see m^a mod p, m^{ab} mod p, and m^b mod p. The original message m cannot be deduced from these transmissions without computing discrete logarithms, which is believed to be hard. The protocol is safe from passive eavesdropping as long as p is large enough to make it impractical to find the discrete logarithm.

c. (5) How vulnerable is it to an active eavesdropper?

Answer:An active eavesdropper can mount a classic woman-in-the-middle attack. Since the end parties are not authenticated to each other in any way, Alice will never know that it is really Eve with whom she is communicating. Eve can then impersonate Alice to Bob, if it is important that Bob not become suspicious about not receiving the message.
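The exchange in (a), with the passive-eavesdropper view from (b), as an added example that is not from the problem set: a, b, g and h are computed as described above and the three wire values are returned so the transcript can be compared with m^a, m^{ab} and m^b. The modulus P is a demo prime chosen here, and because the responder's role needs no secret, any party that answers pass 1 (Eve in part c) recovers m the same way Bob does.

```python
import secrets
from math import gcd

# Demo prime chosen for this example: 2^61 - 1 (a Mersenne prime).  The
# protocol in question 2 would use a far larger p to keep discrete logs hard.
P = 2_305_843_009_213_693_951


def random_unit_exponent(p):
    """An exponent relatively prime to p - 1, so its inverse mod p - 1 exists."""
    while True:
        x = secrets.randbelow(p - 3) + 2
        if gcd(x, p - 1) == 1:
            return x


def inverse_exponent(x, p):
    """g with x*g ≡ 1 (mod p - 1); pow(x, -1, m) is the extended Euclidean algorithm."""
    return pow(x, -1, p - 1)


def alice_pass1(m, p, a):
    return pow(m, a, p)                        # c = m^a mod p, sent with p


def bob_pass2(c, p, b):
    return pow(c, b, p)                        # d = m^(ab) mod p


def alice_pass3(d, p, a):
    return pow(d, inverse_exponent(a, p), p)   # e = m^(abg) = m^b mod p (Euler)


def bob_recover(e, p, b):
    return pow(e, inverse_exponent(b, p), p)   # e^h = m^(bh) = m mod p


def run_protocol(m, p, a=None, b=None):
    """Run all three passes.  Returns (what Bob recovers, the values on the wire)."""
    if not 0 <= m < p:
        raise ValueError("message must be smaller than p")
    a = random_unit_exponent(p) if a is None else a
    b = random_unit_exponent(p) if b is None else b
    c = alice_pass1(m, p, a)
    d = bob_pass2(c, p, b)
    e = alice_pass3(d, p, a)
    # A passive eavesdropper sees only (c, d, e) = (m^a, m^ab, m^b) mod p.
    return bob_recover(e, p, b), (c, d, e)


if __name__ == "__main__":
    m = int.from_bytes(b"council", "big")      # constructed message, m < P
    recovered, wire = run_protocol(m, P)
    print("Bob recovers m:", recovered == m)
    print("eavesdropper sees:", wire)
```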

## 3. Primal Tendencies

In the RSA paper, the authors claim that it is okay to use a probabilistic prime number test since if a composite number is chosen the receiver would probably detect it by noticing that decryption didn't work correctly.

That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for p or q would be bad, because an attacker would have an easier time factoring n = p*q = (p_1 * p_2) * q since one of the p factors is small (around sqrt(sqrt(n))).

a. (10) Illustrate that decryption doesn't work if the chosen p is composite using an example. That is, pick p, q, e and d consistent with the RSA algorithm except p is composite, and show for some M: D(E(M)) ≠ M.

Answer (due to Kenneth Pickering): Choose p = 10, a composite number.

Choose q = 7, prime.

Let n = pq = 70.

Choose d = 5, prime to (p - 1)(q - 1) = 54.

Compute e such that ed ≡ 1 mod (p - 1)(q - 1): since 11 × 5 = 55 ≡ 1 mod 54, let e = 11.

Choose M = 2, between 0 and n - 1 = 69.

Show that D(E(M)) ≠ M:

2^11 mod 70 = 18.

18^5 mod 70 = 58.

18 ≠ 58.

b. (5) Show how the proof that D(E(M)) = M breaks if p is composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends on p being prime.)

Answer: We compute e and d such that ed ≡ 1 mod (p - 1)(q - 1). Therefore ed - 1 = k(p - 1)(q - 1) for some k. By Euler's Theorem, M^{φ(n)} ≡ 1 mod n. In order to show that RSA works, we need to substitute ed - 1 for φ(n). We know φ(n) = φ(p)φ(q) whenever n = pq and p, q coprime. Even if p is prime to q, we cannot assume φ(p) = p - 1, since p is composite. Therefore, we cannot do the substitution -- the proof is broken.

## 4. Anonymous Tallying
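An added example (not from the problem set) that reruns the numbers from (a) and the failed proof step from (b): e and d are set up exactly as the RSA algorithm prescribes (inverse mod (p - 1)(q - 1)), every M in [0, n) that fails to round-trip is listed, and the check that ed - 1 is a multiple of the true φ(n) is made explicit. All moduli are tiny demo values.

```python
from math import gcd

# Constructed check of question 3: generate e, d as RSA does and watch what
# happens when p is composite.  Brute-force phi is fine at this size.


def euler_phi(n):
    """phi(n) by counting units; only for the small demo moduli used here."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def rsa_setup(p, q, d):
    """Return (n, e, d) with e*d ≡ 1 mod (p-1)(q-1), as if p and q were both prime."""
    modulus = (p - 1) * (q - 1)
    if gcd(d, modulus) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    return p * q, pow(d, -1, modulus), d


def encrypt(M, e, n):
    return pow(M, e, n)


def decrypt(C, d, n):
    return pow(C, d, n)


def roundtrip_failures(n, e, d):
    """Every M in [0, n) for which D(E(M)) != M."""
    return [M for M in range(n) if decrypt(encrypt(M, e, n), d, n) != M]


def proof_step_holds(p, q, e, d):
    """The step identified in 3(b): ed - 1 must be a multiple of the true phi(n).
    With p composite, (p-1)(q-1) != phi(n), so a multiple of one need not be a
    multiple of the other, and Euler's Theorem can no longer be applied."""
    return (e * d - 1) % euler_phi(p * q) == 0


if __name__ == "__main__":
    n, e, d = rsa_setup(10, 7, 5)              # the Pickering example: p = 10
    print("n, e, d =", n, e, d)
    print("E(2) =", encrypt(2, e, n), " D(E(2)) =", decrypt(encrypt(2, e, n), d, n))
    print("failing M values:", roundtrip_failures(n, e, d))
    print("(p-1)(q-1) =", 9 * 6, " phi(70) =", euler_phi(70),
          " proof step holds:", proof_step_holds(10, 7, e, d))
    # Same q and a genuinely prime p: the proof step holds and nothing fails.
    n2, e2, d2 = rsa_setup(11, 7, 43)
    print("prime p: failures =", roundtrip_failures(n2, e2, d2),
          " proof step holds:", proof_step_holds(11, 7, e2, d2))
```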

A group of students are trying to figure out how many of them read the RSA paper before class, but no one wants to reveal to anyone else whether or not they read the paper. We attempted (unsuccessfully) to do this in class by having the first student pick a random number to initialize the process. Then every student (including the first) adds one to the last number if she read the paper, and whispers it to the student next to her. The difference between the number at the end and the initialization number gives the total number of students who had read the paper.

Unlike our attempt to do this in class, the individuals are not able to communicate over a secure channel (e.g., whisper something to the person sitting next to them without others overhearing).

a. (10) Describe a protocol that can be used to anonymously tally the number of students who have read the paper without revealing anything about whether or not a particular individual has read the paper and without depending on any secure channels.

Answer: We just need to find a way of "whispering" by writing numbers on the board publicly. This is easy: each pair that needs to communicate should use Diffie-Hellman to establish a shared secret key, and then encrypt messages using a strong symmetric cipher (for example, AES) using that shared secret key.

Note that the protocol requires the students to communicate secretly in a circle. For example, if there are four students A, B, C, and D, we can start with A generating the large random number, then passing either that number or that number plus 1 to B. This message would be encrypted using a shared secret key established between A and B using Diffie-Hellman. Then B passes to C, C passes to D, and D passes to A. At this point, A can calculate and report the number of students who read the paper.

A common wrong answer was for every student to generate an RSA public-private key pair and write the public key on the board. Then A would pass her value to B by encrypting it with B's public key. This looks like it would work, since only B can decrypt the message. However, A can determine whether or not B read the paper by looking at the message B sends to C. This message is either E_KUC[n] or E_KUC[n + 1] (where n is the number A sent to B). A simply has to compute each of these (which she can do easily, since she knows KU_C just as well as B does) and compare them to the value B writes on the board. In a similar manner, after C has decrypted the message from B, she can determine if B read the paper by checking whether A sent B E_KUB[n] or E_KUB[n - 1] (where n is the number she received from B). This is the same problem as with the Poker protocol in question 5! If the space of possible messages is small, it is easy for an eavesdropper to tell which message was encrypted using a public key.

b. (5 + possible bonus) With the protocol we used in class, the first person can cheat and make the total any number she wants by revealing a different starting number. Any other person can cheat by modifying the passed number in some way other than adding zero or one (for example, someone could add 17 if he believes the class will be punished if the total is too low). Improve your protocol to make it resistant to these forms of cheating. (Of course, we can't do anything about individuals lying about whether or not they read the paper.)

Answer: The simplest way to do this is to use the anonymous routing protocol from Lecture 12 (onion routing). The basic idea is that each student should send a message indicating whether or not they read the paper to a randomly selected other student using anonymous routing. The recipient can reveal the message without anyone knowing who created it.

For this to be secure, we need to ensure:

- No one can create more than one message.
- No one can alter anyone else's message.

### First Attempt

Each student uses "0" to indicate they didn't read the paper, and "1" to indicate they did. Each student selects three random students, and uses onion routing to send the bit to the third student via the first two.

For example, Alice is a conscientious student who read the paper. She randomly selects Fred, Holly and Cathy.

How well does this work?

1. Each student writes exactly one string on the board - the "0" or "1" indicating whether or not she read the paper, encrypted with the public keys of the three randomly chosen students and concatenated (we use | to indicate string concatenation) with an agreed tag. We use the tag "its for you", so that when someone decrypts a message with the correct key they can tell that it is correct. For example, Alice writes:

   E_KUF[ "its for you" | E_KUH[ "its for you" | E_KUC[ "its for you" | 1 ] ] ]

2. Every student tries to decrypt every string on the board using their private key. If the decrypted message starts with "its for you", she knows that the message was intended for her. Note that some students will find their private key decrypts more than one of the strings on the board; others will find their key does not decrypt any of the messages. Fred will be able to decrypt the string Alice wrote using his private key KR_F to get:

   "its for you" | E_KUH[ "its for you" | E_KUC[ "its for you" | 1 ] ]

3. After all students have finished decrypting, they each go up in turn and write strings on the board. Fred will write:

   E_KUH[ "its for you" | E_KUC[ "its for you" | 1 ] ]

4. As in step 2, each student attempts to decrypt all the strings on the board using her private key. Holly will be able to decrypt the string Fred wrote, to get:

   "its for you" | E_KUC[ "its for you" | 1 ]

5. As in step 3, after all students have finished decrypting, they each go up in turn and write strings on the board. Holly will write:

   E_KUC[ "its for you" | 1 ]

6. As in step 2, each student attempts to decrypt all the strings on the board using her private key. Cathy will be able to decrypt the string Holly wrote to get "its for you" | 1.

7. At this point, all the strings have arrived at their final destination, and the final recipient has received either a "0" or a "1" indicating if some classmate read the paper. Each student writes the "0"s and "1"s they received on the board. The number of "1"s indicates the number of students who read the paper.

We are concerned with two properties: confidentiality (does it reveal whether or not someone read the paper) and integrity (does it produce an accurate count or can one dishonorable classmate mess up the tally).

Before reading further in the solutions, we recommend you try and analyze the security of this protocol yourself.

Confidentiality: Suppose Bob wants to find out if Alice read the paper. He records a, the string Alice writes on the board in step 1. In step 3, for each string x on the board, Bob calculates E_KUX[ "its for you" | x ] where KU_X is the public key of the student who wrote string x. One of these will match the string Alice wrote. Bob can do the same thing in step 5, and finally in step 7 to see if Alice read the paper!
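The guess-and-compare check from the common wrong answer to (a) and the backwards tracing just described, as an added example that is not from the problem set: textbook (unpadded) RSA is deterministic, so knowing KU_C and the two candidate plaintexts is enough to recover B's bit, while a random tag that B never reveals enlarges the message space and defeats the check. The primes, the range of A's starting number and the tag width are demo values chosen here.

```python
import secrets

# Constructed textbook RSA key for student C.  The primes are the 10,000th and
# 100,000th primes, far too small for real use but fine to show the leak.
P_C, Q_C, E_C = 104_729, 1_299_709, 65_537
N_C = P_C * Q_C
D_C = pow(E_C, -1, (P_C - 1) * (Q_C - 1))
TAG_BITS = 16                       # width of the random tag in the randomized variant


def encrypt_for_c(value):
    """E_KUC[value]: anyone can compute this, because KU_C is written on the board."""
    return pow(value, E_C, N_C)


def c_decrypts(ciphertext):
    return pow(ciphertext, D_C, N_C)


def b_posts(n_from_a, b_read_paper, randomize=False):
    """B adds his bit and writes E_KUC[...] on the board.  With randomize=True he
    first appends a random tag that only he and C ever see, so the plaintext is
    no longer one of just two known values."""
    value = n_from_a + int(b_read_paper)
    if randomize:
        value = (value << TAG_BITS) | secrets.randbits(TAG_BITS)
    return encrypt_for_c(value)


def a_guesses_b_bit(n_sent, posted):
    """A knows n and KU_C: encrypt both candidates and compare with the board."""
    for bit in (0, 1):
        if encrypt_for_c(n_sent + bit) == posted:
            return bit
    return None                     # neither matched; the message space is no longer {n, n+1}


def c_reads_value(posted, randomize=False):
    """C decrypts, drops the tag if one was used, and gets the running total."""
    value = c_decrypts(posted)
    return value >> TAG_BITS if randomize else value


if __name__ == "__main__":
    n = secrets.randbelow(2 ** 20) + 1        # A's starting number (demo range, keeps values < N_C)
    print("deterministic RSA, A learns B's bit:", a_guesses_b_bit(n, b_posts(n, True)))
    tagged = b_posts(n, True, randomize=True)
    print("with a hidden random tag, A learns:", a_guesses_b_bit(n, tagged))
    print("C still recovers the total:", c_reads_value(tagged, randomize=True) == n + 1)
```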

Integrity: Certainly, Cathy can cheat at the end by writing a 0 instead of a 1. (Of course, if Bob was trying to break the confidentiality as above, he would know Cathy cheated, but couldn't admit to knowing this without revealing he was snooping!) Someone could try to write more strings on the board than they received, but this would be quickly noticed when the total number of strings on the board exceeds the total number of students. Can someone alter more responses than just the ones they receive at the end? Yes, a malicious student could alter every message they receive during the three rounds. Instead of writing the correct decrypted message, he can just generate a new onion-routed message that encrypts whatever response he wants and travels over the remaining number of steps. Note that if Alice remembers that she routed her response to Cathy, she would know someone cheated if Cathy does not write at least one 1 on the board. So, Cathy has to be careful if she wants to cheat without getting caught - she must write at least one of every value she receives. For example, if she received four messages, one 1 and three 0s, she must write at least one 1 and one 0, but the other two responses can be whatever she wants.

### Second Attempt

Clearly, this protocol doesn't work so well.

One fix would be to use something other than just 0 and 1 to denote the response. For example, we can append a random string to the response. Then, Alice would initially write:

E_KUF[ "its for you" | E_KUH[ "its for you" | E_KUC[ "its for you" | 1 | R_A ] ] ]

Alice's random string R_A would be passed through all the messages. At the end, instead of just writing 0 or 1 on the board, the final recipient writes the response and the associated random string. Alice checks that Cathy writes 1 | R_A on the board. If Cathy does not write this on the board, Alice knows someone cheated (or messed up a decryption accidentally). She can't be sure it was Cathy though --- it could have been Fred or Holly. Alice can tell who cheated, exactly, however, if she pays attention to the intermediate steps. For example, she knows Fred must write E_KUH[ "its for you" | E_KUC[ "its for you" | 1 | R_A ] ] on the board. So, this makes it much harder for the final recipient to cheat without getting caught. Have we solved the confidentiality problem?

No! The backwards tracing still works -- the snooper can try encrypting messages on the board with public keys just as before.

### Third Attempt

So, we need to solve the problem of the messages encrypted with public keys being known.

One approach would be to avoid writing these on the board directly. Instead of writing the inner message directly, we could establish a shared secret key with its recipient and use symmetric encryption to encrypt the inner message using that key.

For example, in the first step, Alice would establish a shared secret key K_AF with Fred, and write:

E_KAF[ E_KUF[ "its for you" | E_KUH[ "its for you" | E_KUC[ "its for you" | 1 | R_A ] ] ] ]

Of course, we need to do this without anyone else knowing Alice is sending her message to Fred. Hence, Alice should go through the Diffie-Hellman protocol to establish a shared secret key with every other student before beginning the protocol. Every pair of students must establish a shared secret key.

We still have a problem though - after the first recipient decrypts the message, he must be able to send it to the second recipient. In the original protocol, the first recipient has no way of knowing who the second recipient is.

Because of onion routing, though, it is okay to allow this. Fred will know Alice sent a message to him, and he passed it to Holly, but will not know Holly passed it to Cathy and hence will not be able to determine Alice's response. Likewise, Holly will receive a message from Fred, but not know it is Alice's response.

So, in step 1, Alice writes:

E_KAF[ E_KUF[ "send to: Holly" | E_KUH[ "send to: Cathy" | E_KUC[ "Here it is: " | 1 | R_A ] ] ] ]

Fred can decrypt the two outer layers using the symmetric key K_AF and his private key KR_F. In step 3, he now encrypts the next message using a shared symmetric key he established with Holly:

E_KFH[ E_KUH[ "send to: Cathy" | E_KUC[ "Here it is: " | 1 | R_A ] ] ]

Similarly, in step 5, Holly will use her shared symmetric key with Cathy. Note that in steps 2, 4 and 6, each student will now have to try decrypting each string on the board with first her symmetric key with the student who wrote that string, and then her private key.

Alice will be able to detect cheating if Cathy does not write 1 | R_A on the board at the end. In this case, she cannot tell which one of Fred, Holly or Cathy cheated though, since she does not know their respective shared symmetric keys. The only way to deal with cheating is to repeat the protocol from the beginning. This time, Alice will pick three different random people to avoid any of the possible cheaters. Note that everyone else should also pick different paths for their messages --- if only the one who suspects cheating changes hers, it would be easy to trace the only different message through all the steps to determine Alice's response.

### Analysis

I believe this is secure, and invulnerable to cheating (except of course, anyone can lie in their actual response). If you can find a serious security vulnerability in it, that is worth 100 bonus points.

[29 Oct 2001 - Matthew Mah found a serious vulnerability.]

From a practical viewpoint, this protocol has some drawbacks. For a class with n students it requires:

- Setup: n^2 / 2 Diffie-Hellman key exchanges to set up all the symmetric keys at the beginning. Each Diffie-Hellman key exchange involves 4 modular multiplies (2 for each participant) = 2n^2 modular exponentiations. Substantial additional work would be required to generate everyone's public-private key pairs, but let's assume we already have those.
- Step 1: every student must perform 1 symmetric encryption and 3 public-key encryptions. The public-key encryptions are much more work than the symmetric encryption, so we will only count modular exponentiations. Each RSA encryption requires one - so there are 3n total.
- Step 2: every student has to try decrypting each string on the board with her symmetric key (shared with the person who wrote that string) and private key. Each decryption requires one modular exponentiation, so there are n for each student, and n^2 total.
- Step 3: requires n symmetric encryptions.
- Step 4: like step 2, n^2 modular exponentiations.
- Step 5: requires n symmetric encryptions.
- Step 6: like step 2, n^2 modular exponentiations.

So, there are > 5n^2 modular exponentiations required. (Of course, this assumes the case where we don't need to repeat the whole thing because someone cheated!)

### Alternate Answer

There are lots of other ways to do this, but none I know of that do not also require ridiculous amounts of work. A different approach to this question would be to start with the card shuffling protocol in question 5. Counting tallies is like shuffling cards - just instead of starting with cards numbered 1 - 52, each student creates their own card with 0 or 1 representing their response. In addition to this, we need to include a random value to prevent the reverse encryption attack. It would be a good exercise to work out the details.

### Final Attempt

That's a lot of work. It would be a lot less work if everyone always read the assigned papers.

## 5. Public-Key Poker

Alice, Bob and Cathy Sharky want to play poker. After seeing Cathy's shuffling skills, they decide it would be better to play on the Internet using virtual cards than to use physical cards.

A playing card deck has 52 cards. They agree to identify each card using a number:

- suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades)
- number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13
- cardid = (13 * suit) + number

so the queen of diamonds is card 26 + 12 = 38.

Play proceeds as follows:

- Alice, Bob and Cathy each generate RSA public-private key pairs: KU_A (Alice's public key), KR_A (Alice's private key); KU_B, KR_B; KU_C, KR_C. The public keys KU_A, KU_B, KU_C are securely published.
- Alice generates a "deck" of 52 cards by encrypting the card identifiers (1-52) with KU_A. She sends all the cards in random order to Bob.
- Bob encrypts all cards with KU_B, and sends the cards in random order to Cathy.
- Cathy encrypts all the cards with KU_C, and sends the cards in random order to Alice. At this point, the card m is encrypted as E_KUC[ E_KUB[ E_KUA[ m ] ] ].
- Alice chooses two cards, and sends the remaining 50 cards to Bob (and keeps a copy of them for herself).
- Bob chooses two cards from the cards Alice sent, and sends the remaining 48 cards to Cathy (and keeps a copy of them for himself).
- Cathy chooses two cards from the cards Bob sent, and sends the remaining 46 cards to Alice.
- Each player publishes their private keys. They all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.

a. (8) Alice and Bob are subject to the UVA Honor Code, but Cathy has no such scruples. After Cathy gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Cathy might be cheating. How is it possible for Cathy to always pick the best cards (even though the private keys are kept secret and she can't break RSA)?

Answer (due to Stavan Parikh):

b. (5) Suggest a simple modification to the protocol that makes it (nearly) impossible for Cathy (or anyone else) to cheat.

Answer (due to Stavan Parikh):

Note that it would be just as secure (and much more efficient) to just use symmetric encryption (there is no need for a public-private key pair if we are keeping the public key secret). We'd have to be careful to use an encryption algorithm where it is difficult to find a different key that decrypts the cards in a way that switches cards around (but still makes the deck look valid).

Another approach would be for each player to add a random string to every card. Instead of producing the deck { 1, ..., 52 }, Alice would use { 1 | R_A, ..., 52 | R_A }.

c. (7) In a real poker game (for example "Texas Hold 'Em"), we need to deal hidden cards to each player but also deal some cards that are revealed to everyone. Consider a game where each player is dealt two secret cards, and then five community cards are dealt and revealed to everyone. We need to reveal the community cards to every player without revealing anything about the private cards until the end of the game. Modify the protocol so that after each player has their two hidden cards, the five community cards can be revealed.

Answer (due to Stavan Parikh):

## 6. Hashing

(10) Holly Hashly suggests creating a 128-bit hash of an arbitrarily long message by selecting a 128-bit prime number n, and a random 128-bit exponent e that is relatively prime to n, and using M^e mod n as a cryptographic hash function. Both e and n are public. How well does this satisfy the 5 properties of cryptographic hash functions (from Lecture 10)?

Answer (due to David Friedman and Eric Peeters):

Even Distribution:

Many to One:

Collision Resistant:

Efficient:

Page 208 of "Making, Breaking Codes" describes a fast exponentiation algorithm. The algorithm takes at most 2 log_2 e steps (e is the exponent), with each step including one multiplication. Garrett writes, "When the exponentiation is done modulo n, the numbers involved stay below n^2, as well." This is true, but there will be at least one calculation of M^2. Since M is of arbitrary length, this can be an impractical calculation. As long as M is a small number, the efficiency is close to RSA, which is acceptable but not speedy.

One Way:

We can determine a lot about M by using Euler's theorem.

h = M^e mod n

h^d = M^{ed} mod n ≡ M mod n when ed ≡ 1 mod φ(n)

Since n is prime, φ(n) = n - 1.

So we need to find d such that ed ≡ 1 mod n - 1 and calculate h^d to get M mod n.

It is not hard to find d, since we do this for RSA. Once we have M mod n we can try multiples of n to get an M that makes sense. This is better than brute force, but still requires some searching.
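The one-way analysis above, as an added example that is not from the problem set: with n prime, anyone can invert e mod n - 1 and recover M mod n, then walk through M mod n + kn looking for a candidate that reads as text. It goes slightly beyond the page by also showing that M and M + n always hash alike. n here is a 61-bit demo prime rather than the 128-bit one in the question, and the "makes sense" test is simply printable ASCII.

```python
# Constructed parameters: n = 2^61 - 1 (a Mersenne prime) and a public exponent
# e with gcd(e, n - 1) = 1, so e has an inverse mod n - 1 = phi(n).
N = 2_305_843_009_213_693_951
E = 65_537


def holly_hash(message: bytes) -> int:
    """h = M^e mod n, with M the message read as a big-endian integer."""
    return pow(int.from_bytes(message, "big"), E, N)


def recover_m_mod_n(h: int) -> int:
    """Find d with e*d ≡ 1 mod (n - 1), exactly as for an RSA private exponent,
    and compute h^d = M^(ed) = M mod n (Euler's theorem, since n is prime)."""
    d = pow(E, -1, N - 1)
    return pow(h, d, N)


def looks_like_text(b: bytes) -> bool:
    """Stand-in for 'an M that makes sense': every byte is printable ASCII."""
    return len(b) > 0 and all(32 <= c < 127 for c in b)


def plausible_preimages(h: int, max_bytes: int):
    """Step through M = (M mod n) + k*n for all M up to max_bytes long and keep
    the candidates that look like text; the true message is always among them."""
    base = recover_m_mod_n(h)
    limit = 1 << (8 * max_bytes)
    found = []
    m = base
    while m < limit:
        b = m.to_bytes(max((m.bit_length() + 7) // 8, 1), "big")
        if looks_like_text(b):
            found.append(b)
        m += N
    return found


def trivial_collision(message: bytes) -> bytes:
    """Beyond the page's analysis: M and M + n have the same hash, so a second
    preimage costs nothing once n is public."""
    m = int.from_bytes(message, "big") + N
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    h = holly_hash(b"RSA paper")            # 9-byte constructed message, longer than n
    print("M mod n recovered:", recover_m_mod_n(h))
    print("text-like candidates:", plausible_preimages(h, 9))
    twin = trivial_collision(b"hi")
    print("collision:", holly_hash(twin) == holly_hash(b"hi"), twin)
```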

University of Virginia, Department of Computer Science | CS 588: Cryptology - Principles and Applications | David Evans, evans@cs.virginia.edu