University of Virginia, Department of Computer Science
CS551: Security and Privacy on the Internet, Fall 2000

Problem Set 3: Public-Key Cryptosystems Out: 27 September 2000
Due: 11 October 2000, before class

Warning: This problem set is substantially harder and longer than problem set 1 or 2. Start working on it early!

Collaboration Policy

You may work with up to two other students on this problem set. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and criticing possible solutions; it does not permit splitting up questions in a group.

You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

Problem set answers may be hand-written, but only if your hand writting is neat enough for us to read it. For full credit, answers must be clear and concise.

1. Key Distribution

Recall the Keys "R" Us distribution scheme from Lecture 6:
The protocol is:
  1. Alice meets securely with Keys "R" Us and agrees on secret key KA
  2. Bob meets securely with Keys "R" Us and agrees on secret key KB
  3. Alice sends E ("Bob", KA) to Keys "R" Us
  4. Keys "R" Us generate a new, random key: K1
  5. Keys "R" US sends Alice, E (K1, KA); Alice decrypts using KA to get K1.
  6. Keys "R" US sends Bob, E ("Alice" || K1, KB); Bob decrypts using KB to get K1.
  7. Alice and Bob communicate using shared secret key K1.

a. (15) One of the problems with the Keys "R" Us protocol is the trusted third party can eavesdrop on all communications between Alice and Bob since Keys "R" Us knows K1. Suggest a modification to the scheme that solves this problem.

Your solution should satisfy these requirements:

  1. Alice and Bob agree on a secret key, K1, without ever meeting.
  2. Alice and Bob can be assured they are communicating with each other.
  3. No one besides Alice and Bob (including (semi-) trusted parties and eavesdroppers) can obtain any information about K1. You may assume there is a perfect encryption function E (m, k), and that independent semi-trusted third do not conspire together.
  4. Your scheme must not use exponentiation or modulo arithmetic. (It shouldn't be based on a public-key cryptosystems we have seen.)
Alice and Bob may meet securely with (hint: one or more) trusted third parties at the beginning of the protocol.

b. (up to 20 bonus points) Since Alice and Bob are having an illicit affair (its a cyber affair, so they still cannot meet in person to exchange keys), not only do they want their messages to be private, they don't want anyone else to know they are even communicating with each other. Once they have obtained a secret key, this is easy: Alice posts her encrypted message in a public place where Bob knows to look (for example, they can place classified ads in the New York Times).

Adapt your solution to (a) to meet the additional requirement that no one (including trusted parties) can know Alice and Bob are communicating with each other. The other requirements should still hold, including Alice and Bob still obtain a shared secret key, and Alice should be confident she is communicating with Bob and vice versa.

2. Primal Tendancies

In the RSA paper, the authors claim that it is okay to use a probablistic prime number test since if a composite number is choosen the receiver would probably detecte it by noticing that decryption didn't work correctly.

That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for p or q would be bad, because an attacker would have an easier time factoring n = p * q = (p1 * p2) * q since one of the p factors is small (around sqrt (sqrt (n))).

a. (10) Illustrate that decryption doesn't work if the choosen p is composite using an example. That is, pick p, q, e and d consistent with the RSA algorithm except p is composite, and show for some M: D (E (M)) ¹ M.

b. (5) Show how the proof that D (E (M)) = M breaks if p is composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends on p being prime.)

3. Public-Key Poker

Alice, Bob and Colleen Hacker want to play poker on the Internet. A playing card deck has 52 cards. They agree to identify each card using a number:
   suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades)
   number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13 
   cardid = (13 * suit) + number
so the queen of diamonds is card 26 + 12 = 38.

Play proceeds as follows:

  1. Alice, Bob and Colleen each generate RSA public-private key pairs: KUA (Alice's public key), KRA (Alice's private key); KUB, KRB; KUC, KRC. The public keys KUA, KUB, KUC are securely published.
  2. Alice generates a "deck" of 52 cards, encrypts all cards with KUA. She sends all the cards in random order to Bob.
  3. Bob encrypts all cards with KUB, and sends the cards in random order to Colleen.
  4. Colleen encrypts all the cards with KUC, and sends the cards in random order to Alice. At this point, the card m is encrypted as EKUC [EKUB [EKUA [m]]]].
  5. Alice chooses five cards, and sends the remaning 47 cards to Bob (and keeps a copy of them for himself).
  6. Bob chooses five cards from the cards Alice sent, and sends the remaning 42 cards to Colleen (and keeps a copy of them for himself).
  7. Colleen chooses five cards from the cards Bob sent, and sends the remaining 37 cards to Alice.
  8. Each player publishes their private keys. The all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.

a. (10) Alice and Bob are subject to the UVA Honor Code, but Colleen has no such scruples. After Colleen gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Colleen might be cheating. How is it possible for Colleen to always pick the best cards?

b. (10) Suggest a simple modification to the protocol that makes it (nearly) impossible for Colleen (or anyone else) to cheat.

c. (10 + up to 15 bonus points) In most poker games, cards are revealed one at a time followed by rounds of betting. Consider a poker game (5 card stud) that works as follows:

  1. Dealer shuffles the deck. The dealer is one of the players, and isn't trusted. The other players can observe that the dealer shuffles fairly.
  2. The player to the right of the dealer cuts the deck, just to make sure the shuffle was fair.
  3. The dealer gives each player (including herself) one card face down in turn, starting with the player to her left. Each player can read her own card, but this card will not be revealed to the other players until the end of the hand.
  4. The dealer gives each player (including herself) a second card, face up. All players can see the face up cards.
  5. The players make bets or fold. (You don't need to worry about this part of the poker protocol.)
  6. The dealer gives each player (including herself) a third card, face up.
  7. The players make bets or fold.
  8. The dealer gives each player (including herself) a fourth card, face up.
  9. The players make bets or fold.
  10. The dealer gives each player (including herself) a fifth card, face down.
  11. The players make bets or fold.
  12. All players still in the game reveal their face down cards, and the best hand wins the pot.
Design a protocol that supports a distributed poker game over the Internet. The closer you can get to the physical poker game described above, the better.

For bonus credit, your protocol must not allow any player to cheat, must not require a trusted third party, and should not require losing players to reveal their hands (or the dealer to reveal the unused cards) to catch cheaters. Regular credit (10 points) will be given to solutions which satisfy the no cheating requirement but not the other two. That is, if you can't solve it without a trusted third party dealer, submit a solution that uses one.

4. Hash House Harriers

(10) Lem E. Tweakit thinks he can improve on the Data Authentication Algorithm (described in Stalling, p. 252-3) when a smaller MAC is required by using Output Feedback Mode instead of the Cipher Block Chaining mode used by Data Authentication Algorithm. He produces a 16-bit MAC by using DES in 16-bit OFB mode starting with an intialization vector of zero, and uses the last ciphertext output as the MAC. Assuming 16 bits provides sufficient security for Lem's purposes, does this satisfy the required properties of a MAC function?

5. Interplanetary IOUs

Consider the IOU request protocol from Lecture 9:
It works as follows:
  1. Bob sends Alice an IOU message, x.
  2. Alice computes H(x) using a cryptographic hash function, and sends Bob the hash result encrypted with her private key: EKRA [H (x)].
  3. Bob can decrypt EKRA [H (x)] using Alice's public key to verify that Alice signed the IOU message x.
  4. Bob can send M and EKRA [H (x)] to a Judge to prove that Alice agreed to the IOU message x.
This protocol is vulnerable to the Birthday Attack since Bob gets to select x. One solution is to use a large message digest (that is, have H(x) be 128 bits). Alice is on Mars, however, and her Interplanetary Internet connection is too slow to send 128 bits reliably.

Colleen Hacker suggests that Alice only agree to sign hashes for messages of the form I, Alice, owe Bob n dollars where n is an integer (written without spaces or commas). Alice and Bob securely inform the Judge that only messages of that form should be considered valid IOUs.

a. (15) Assuming Alice will only sign hashes for messages of the given form where n is in the range 1...212, how much work is it for Bob to cheat? That is, how much work must he do to with high probability find a pair of messages x = I, Alice, owe Bob n dollars and y = I, Alice, owe Bob m dollars where n is agreeable to Alice (in the range 1 - 4096, there are 212 possible x messages) and m > 10000?

To keep the math simple, you may assume that none of the choosen x message hash to the same value as any other x message, and none of y messages hash to the same value as any other y message. Note that this underestimates the actual amount of work required.

b. (15) Suppose Alice owes Bob a legitimate debt of $1000, and signs a hash for the corresponding IOU message: I, Alice, owe Bob 1000 dollars. Alice refuses to pay, and Bob brings the case to Martian small claims court. He shows the Judge the IOU message and corresponding hash digest signed with Alice's private key.

Alice claims, "Yes, it is signed with my private key, but I didn't sign the IOU. A cracker broke into my machine and stole my private key, and posted it on the Internet. Bob forged the IOU. You should put Bob in jail instead of making me pay the IOU." To back up her statement, she shows the Judge a public Internet site that reveals her private key.

Suggest a way to prevent this. (Consider non-cryptographic solutions; if you find a purely cryptographic one you've done something amazing.)

CS 655 University of Virginia
Department of Computer Science
CS 551: Security and Privacy on the Internet
David Evans