University of Virginia, Department of Computer Science
CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 3: Public-Key Cryptosystems
Out: 1 October 2001
Due: 10 October 2001, before class

Collaboration Policy - Read Carefully, Changed from PS2

You are encouraged to work with other students on this problem set, except you may not work with people on your project team or with whom you collaborated on problem set 1 or 2. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and critiquing possible solutions; it does not permit splitting up questions in a group.

You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

Occasionally, we will reuse problems from last year's version of this course. You should not look at answers from previous semesters.

Problem set answers may be hand-written, but only if your handwriting is neat enough for us to read it. For full credit, answers must be clear and concise.

### 1. Key Distribution

a. (5) Suppose a council of n people wants to establish keys so that any person may communicate secretly with any other person (that is, each pair of people has a unique key). How many unique keys are necessary?

Consider the following scheme for establishing 4-person secret communication:

Alice generates three secret keys, K1, K2 and K3, and securely gives Bob K2 and K3, Colleen K1 and K3, and Doug K1 and K2. Bob generates secret key K4 and gives it to Colleen and Doug. Hence, after meeting securely and distributing the keys, each person knows the following keys:

A: K1, K2, K3
B: K2, K3, K4
C: K1, K3, K4
D: K1, K2, K4

Alice claims they can now all communicate securely with any other person since any pair of people know a pair of keys that no other pair of people know. Hence, if Alice wants to communicate with Bob, they will use KAB = K2 XOR K3. She claims this is secure since no one else knows both K2 and K3.

Likewise,

KBC = K3 XOR K4
KCD = K1 XOR K4
KAC = K1 XOR K3
KBD = K2 XOR K4

b. (10) This scheme requires fewer total keys than the unique key per communicating pair scheme from part a. (Your answer to part a should confirm this.) Is any security sacrificed for the reduction in number of keys? (One way to answer this would be to describe trust models under which it is secure and insecure.)

c. (10) Can this scheme be scaled to allow 5 people to communicate with the same level of security as in (b), with 5 keys? (Explain how, or why not.)

### 2. Prime Directive

[Question due to Wade Trappe and Lawrence Washington]

a. (5) Alice wants to securely send m to Bob. She selects p, a prime > m, and an integer a relatively prime to p - 1. She sends c = m^a mod p and p to Bob over an insecure channel. Bob selects an integer b that is relatively prime to p - 1, computes d = c^b mod p and sends d to Alice. Alice finds g such that ag ≡ 1 (mod p - 1). (Recall since a is relatively prime to p - 1, it must have a multiplicative inverse mod p - 1.) She then computes e = d^g mod p and sends e to Bob. Explain what Bob must do to obtain m.

b. (5) How vulnerable is this protocol to a passive eavesdropper?

c. (5) How vulnerable is it to an active eavesdropper?

### 3. Primal Tendencies

In the RSA paper, the authors claim that it is okay to use a probabilistic prime number test since if a composite number is chosen the receiver would probably detect it by noticing that decryption didn't work correctly.

That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for p or q would be bad, because an attacker would have an easier time factoring n = p * q = (p1 * p2) * q since one of the p factors is small (around sqrt (sqrt (n))).

a. (10) Illustrate that decryption doesn't work if the chosen p is composite using an example. That is, pick p, q, e and d consistent with the RSA algorithm except p is composite, and show for some M: D (E (M)) ≠ M.

b. (5) Show how the proof that D (E (M)) = M breaks if p is composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends on p being prime.)

### 4. Anonymous Tallying

A group of students are trying to figure out how many of them read the RSA paper before class, but no one wants to reveal to anyone else whether or not they read the paper.

We attempted (unsuccessfully) to do this in class by having the first student pick a random number to initialize the process. Then every student (including the first) adds one to the last number if she read the paper, and whispers it to the student next to her. The difference between the number at the end and the initialization number gives the total number of students who had read the paper.

Unlike our attempt to do this in class, the individuals are not able to communicate over a secure channel (e.g., whisper something to the person sitting next to them without others overhearing).

a. (10) Describe a protocol that can be used to anonymously tally the number of students who have read the paper without revealing anything about whether or not a particular individual has read the paper and without depending on any secure channels.

b. (5 + possible bonus) With the protocol we used in class, the first person can cheat and make the total any number she wants by revealing a different starting number. Any other person can cheat by modifying the passed number in some way other than adding zero or one (for example, someone could add 17 if he believes the class will be punished if the total is too low). Improve your protocol to make it resistant to these forms of cheating. (Of course, we can't do anything about individuals lying about whether or not they read the paper.)

### 5. Public-Key Poker

Alice, Bob and Cathy Sharky want to play poker. After seeing Cathy's shuffling skills, they decide it would be better to play on the Internet using virtual cards than to use physical cards.

A playing card deck has 52 cards. They agree to identify each card using a number:

```
  suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades)
number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13
cardid = (13 * suit) + number
```
so the queen of diamonds is card 26 + 12 = 38.

Play proceeds as follows:

1. Alice, Bob and Cathy each generate RSA public-private key pairs: KUA (Alice's public key), KRA (Alice's private key); KUB, KRB; KUC, KRC. The public keys KUA, KUB, KUC are securely published.
2. Alice generates a "deck" of 52 cards by encrypting the card identifiers (1-52) with KUA. She sends all the cards in random order to Bob.
3. Bob encrypts all cards with KUB, and sends the cards in random order to Cathy.
4. Cathy encrypts all the cards with KUC, and sends the cards in random order to Alice. At this point, the card m is encrypted as EKUC [EKUB [EKUA [m]]].
5. Alice chooses two cards, and sends the remaining 50 cards to Bob (and keeps a copy of them for herself).
6. Bob chooses two cards from the cards Alice sent, and sends the remaining 48 cards to Cathy (and keeps a copy of them for himself).
7. Cathy chooses two cards from the cards Bob sent, and sends the remaining 46 cards to Alice.
8. Each player publishes their private keys. They all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.
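
The eight steps above can be run end to end with toy numbers. The following simulation is an added example, not part of the original problem set; the small primes, the fixed exponent 17, the function names, and the choice of moduli that increase from Alice to Cathy (so each ciphertext fits under the next modulus) are all assumptions made for illustration.

```python
import random
from math import gcd

def make_key(p, q, e=17):
    """Toy textbook-RSA key pair (no padding) from two small primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)        # (public, private)

def apply_key(key, x):
    exp, n = key
    assert 0 <= x < n, "value must fit under the modulus"
    return pow(x, exp, n)

def card_id(suit, number):
    return 13 * suit + number                  # suit 0-3, number 1-13

def lock_and_shuffle(cards, public_key, rng):
    locked = [apply_key(public_key, c) for c in cards]
    rng.shuffle(locked)
    return locked

def play_hand(rng=None):
    rng = rng or random.Random()               # toy shuffle, not a CSPRNG
    # Step 1. Constructed toy keys; moduli grow A < B < C so every
    # ciphertext fits under the next player's modulus (an assumption).
    (KUA, KRA), (KUB, KRB), (KUC, KRC) = (
        make_key(61, 53), make_key(89, 97), make_key(101, 113))
    deck = lock_and_shuffle(range(1, 53), KUA, rng)   # step 2
    deck = lock_and_shuffle(deck, KUB, rng)           # step 3
    deck = lock_and_shuffle(deck, KUC, rng)           # step 4
    hands = {}
    for player in ("Alice", "Bob", "Cathy"):          # steps 5-7
        hands[player] = rng.sample(deck, 2)
        deck = [c for c in deck if c not in hands[player]]
    # Step 8: private keys are published; peel layers in reverse order.
    def reveal(c):
        return apply_key(KRA, apply_key(KRB, apply_key(KRC, c)))
    opened = {p: sorted(reveal(c) for c in h) for p, h in hands.items()}
    leftover = sorted(reveal(c) for c in deck)
    return opened, leftover

if __name__ == "__main__":
    hands, leftover = play_hand()
    print(hands, len(leftover))
```

The final check in step 8 corresponds to confirming that the six dealt cards and the 46 leftover cards together decrypt to exactly the identifiers 1 through 52.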

a. (8) Alice and Bob are subject to the UVA Honor Code, but Cathy has no such scruples. After Cathy gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Cathy might be cheating. How is it possible for Cathy to always pick the best cards (even though the private keys are kept secret and she can't break RSA)?

b. (5) Suggest a simple modification to the protocol that makes it (nearly) impossible for Cathy (or anyone else) to cheat.

c. (7) In a real poker game (for example "Texas Hold 'Em"), we need to deal hidden cards to each player but also deal some cards that are revealed to everyone. Consider a game where each player is dealt two secret cards, and then five community cards are dealt and revealed to everyone. We need to reveal the community cards to every player without revealing anything about the private cards until the end of the game. Modify the protocol so that after each player has their two hidden cards, the five community cards can be revealed.

### 6. Hashing

(10) Holly Hashly suggests creating a 128-bit hash of an arbitrarily long message by selecting a 128-bit prime number n, and a random 128-bit exponent e that is relatively prime to n and using M^e mod n as a cryptographic hash function. Both e and n are public.

How well does this satisfy the 5 properties of cryptographic hash functions (from Lecture 10)?