University of Virginia, Department of Computer Science
CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 3: Public-Key Cryptosystems

Out: 1 October 2001

Due: 10 October 2001, before class

Collaboration Policy - Read Carefully, Changed from PS2

You are encouraged to work with other students on this problem set, except you may not work with people on your project team or with whom you collaborated on problem set 1 or 2. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and critiquing possible solutions; it does not permit splitting up questions in a group.

You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

Problem set answers may be hand-written, but only if your handwriting is neat enough for us to read it. For full credit, answers must be clear and concise.

Occasionally, we will reuse problems from last year's version of this course. You should not look at answers from previous semesters.

## 1. Key Distribution

a. (5) Suppose a council of n people want to establish keys so that any person may communicate secretly with any other person (that is, each pair of people has a unique key). How many unique keys are necessary?

Consider the following scheme for establishing 4-person secret communication:

Alice generates three secret keys, K_{1}, K_{2} and K_{3}, and securely gives Bob K_{2} and K_{3}, Colleen K_{1} and K_{3}, and Doug K_{1} and K_{2}. Bob generates secret key K_{4} and gives it to Colleen and Doug. Hence, after meeting securely and distributing the keys, each person knows the following keys:

A: K_{1}, K_{2}, K_{3}

B: K_{2}, K_{3}, K_{4}

C: K_{1}, K_{3}, K_{4}

D: K_{1}, K_{2}, K_{4}

Alice claims they can now all communicate securely with any other person since any pair of people know a pair of keys that no other pair of people know. Hence, if Alice wants to communicate with Bob, they will use K_{AB} = K_{2} XOR K_{3}. She claims this is secure since no one else knows both K_{2} and K_{3}.

Likewise,

K_{BC} = 3 XOR 4

K_{CD} = 1 XOR 4

K_{AC} = 1 XOR 3

K_{AD} = 1 XOR 2

K_{BD} = 2 XOR 4

b. (10) This scheme requires fewer total keys than the unique key per communicating pair scheme from part a. (Your answer to part a should confirm this.) Is any security sacrificed for the reduction in number of keys? (One way to answer this would be to describe trust models under which it is secure and insecure.)

c. (10) Can this scheme be scaled to allow 5 people to communicate with the same level of security as in (b), with 5 keys? (Explain how, or why not.)

## 2. Prime Directive

[Question due to Wade Trappe and Lawrence Washington]

a. (5) Alice wants to securely send m to Bob. She selects p, a prime > m, and integer a relatively prime to p - 1. She sends c = m^{a} mod p and p to Bob over an insecure channel. Bob selects an integer b that is relatively prime to p - 1, computes d = c^{b} mod p and sends d to Alice. Alice finds g such that ag ≡ 1 mod p - 1. (Recall since a is relatively prime to p - 1, it must have a multiplicative inverse mod p - 1.) She then computes e = d^{g} mod p and sends e to Bob. Explain what Bob must do to obtain m.

b. (5) How vulnerable is this protocol to a passive eavesdropper?

c. (5) How vulnerable is it to an active eavesdropper?

## 3. Primal Tendencies

In the RSA paper, the authors claim that it is okay to use a probabilistic prime number test since if a composite number is chosen the receiver would probably detect it by noticing that decryption didn't work correctly.

That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for p or q would be bad, because an attacker would have an easier time factoring n = p * q = (p_{1} * p_{2}) * q since one of the p factors is small (around sqrt(sqrt(n))).

a. (10) Illustrate that decryption doesn't work if the chosen p is composite using an example. That is, pick p, q, e and d consistent with the RSA algorithm except p is composite, and show for some M: D(E(M)) ≠ M.

b. (5) Show how the proof that D(E(M)) = M breaks if p is composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends on p being prime.)

## 4. Anonymous Tallying

A group of students are trying to figure out how many of them read the RSA paper before class, but no one wants to reveal to anyone else whether or not they read the paper.

We attempted (unsuccessfully) to do this in class by having the first student pick a random number to initialize the process. Then every student (including the first) adds one to the last number if she read the paper, and whispers it to the student next to her. The difference between the number at the end and the initialization number gives the total number of students who had read the paper.

Unlike our attempt to do this in class, the individuals are not able to communicate over a secure channel (e.g., whisper something to the person sitting next to them without others overhearing).
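The in-class protocol described above, together with the two forms of cheating that part b goes on to describe, simulated as an added example (not part of the original problem set); the function names, the six-student sample class and the range of the starting number are assumptions made for illustration. It also shows what anyone who overhears consecutive whispers learns, which is why the in-class version depended on whispering.

```python
import secrets

def in_class_tally(read_flags, start=None, start_lie=0, extra=None):
    """Simulate the whispered ring tally.

    read_flags[i] -- True if student i read the paper (student 0 starts).
    start_lie     -- amount student 0 subtracts from the start she reveals.
    extra         -- {index: amount} added on top of a student's honest 0/1.
    Returns (announced_total, whispers); whispers[i] is what student i passes on.
    """
    if start is None:
        start = secrets.randbelow(10**6)  # student 0's secret initial number (assumed range)
    extra = extra or {}
    running, whispers = start, []
    for i, read in enumerate(read_flags):
        running += int(read) + extra.get(i, 0)
        whispers.append(running)
    revealed_start = start - start_lie    # what student 0 claims she started with
    return running - revealed_start, whispers

def overheard_bits(whispers):
    """What someone who hears every whisper learns about students 1..n-1."""
    return [b - a for a, b in zip(whispers, whispers[1:])]

# Constructed sample class: 6 students, 3 of whom read the paper.
FLAGS = [True, False, True, False, False, True]

def demo():
    honest, whispers = in_class_tally(FLAGS)
    lied, _ = in_class_tally(FLAGS, start_lie=10)     # first student misreports the start
    padded, _ = in_class_tally(FLAGS, extra={3: 17})  # student 3 adds 17 instead of 0
    return honest, lied, padded, overheard_bits(whispers)

if __name__ == "__main__":
    honest, lied, padded, leaked = demo()
    print("honest total:          ", honest)
    print("first student lies:    ", lied)
    print("student 3 adds 17:     ", padded)
    print("bits leaked by whispers:", leaked)
```
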

a. (10) Describe a protocol that can be used to anonymously tally the number of students who have read the paper without revealing anything about whether or not a particular individual has read the paper and without depending on any secure channels.

b. (5 + possible bonus) With the protocol we used in class, the first person can cheat and make the total any number she wants by revealing a different starting number. Any other person can cheat by modifying the passed number in some way other than adding zero or one (for example, someone could add 17 if he believes the class will be punished if the total is too low). Improve your protocol to make it resistant to these forms of cheating. (Of course, we can't do anything about individuals lying about whether or not they read the paper.)

## 5. Public-Key Poker

Alice, Bob and Cathy Sharky want to play poker. After seeing Cathy's shuffling skills, they decide it would be better to play on the Internet using virtual cards than to use physical cards.

A playing card deck has 52 cards. They agree to identify each card using a number:

    suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades)
    number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13
    cardid = (13 * suit) + number

so the queen of diamonds is card 26 + 12 = 38.

Play proceeds as follows:

- Alice, Bob and Cathy each generate RSA public-private key pairs: KU_{A} (Alice's public key), KR_{A} (Alice's private key); KU_{B}, KR_{B}; KU_{C}, KR_{C}. The public keys KU_{A}, KU_{B}, KU_{C} are securely published.
- Alice generates a "deck" of 52 cards by encrypting the card identifiers (1-52) with KU_{A}. She sends all the cards in random order to Bob.
- Bob encrypts all cards with KU_{B}, and sends the cards in random order to Cathy.
- Cathy encrypts all the cards with KU_{C}, and sends the cards in random order to Alice. At this point, the card m is encrypted as E_{KUC}[E_{KUB}[E_{KUA}[m]]].
- Alice chooses two cards, and sends the remaining 50 cards to Bob (and keeps a copy of them for herself).
- Bob chooses two cards from the cards Alice sent, and sends the remaining 48 cards to Cathy (and keeps a copy of them for himself).
- Cathy chooses two cards from the cards Bob sent, and sends the remaining 46 cards to Alice.
- Each player publishes their private keys. They all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.

a. (8) Alice and Bob are subject to the UVA Honor Code, but Cathy has no such scruples. After Cathy gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Cathy might be cheating. How is it possible for Cathy to always pick the best cards (even though the private keys are kept secret and she can't break RSA)?

b. (5) Suggest a simple modification to the protocol that makes it (nearly) impossible for Cathy (or anyone else) to cheat.

c. (7) In a real poker game (for example "Texas Hold 'Em"), we need to deal hidden cards to each player but also deal some cards that are revealed to everyone. Consider a game where each player is dealt two secret cards, and then five community cards are dealt and revealed to everyone. We need to reveal the community cards to every player without revealing anything about the private cards until the end of the game. Modify the protocol so that after each player has their two hidden cards, the five community cards can be revealed.

## 6. Hashing

(10) Holly Hashly suggests creating a 128-bit hash of an arbitrarily long message by selecting a 128-bit prime number n, and a random 128-bit exponent e that is relatively prime to n and using M^{e} mod n as a cryptographic hash function. Both e and n are public.

How well does this satisfy the 5 properties of cryptographic hash functions (from Lecture 10)?

David Evans, evans@cs.virginia.edu