DUBLIN CITY UNIVERSITY
SEMESTER ONE EXAMINATIONS 2013

MODULE: (Title & Code) CA642 Cryptography and Number Theory
COURSE: M.Sc. in Security and Forensic Computing
YEAR: 1
EXAMINERS: (Including Telephone Nos.) Dr. M. Haahr, Prof. M. O’Neill, Dr. G. Hamilton, Ext no. 5017.
TIME ALLOWED: 3 hours
INSTRUCTIONS: Please answer all questions. All questions carry equal marks.

Please do not turn over this page until instructed to do so.
The use of programmable or text storing calculators is expressly forbidden.

Module Code: CA642 Semester One Examinations 2013 PAGE 1 OF 7

QUESTION 1 [TOTAL MARKS: 20]

1(a) [5 Marks]
Calculate $67^{-1} \pmod{119}$ and use this to calculate $43/67 \pmod{119}$.

Solution: We need to use the extended Euclidean GCD algorithm to calculate this:

$$\begin{aligned}
119 &= 67 + 52 \\
67 &= 52 + 15 \\
52 &= (3 \times 15) + 7 \\
15 &= (2 \times 7) + 1
\end{aligned}$$

So:

$$\begin{aligned}
52 &= 119 - 67 \\
15 &= 67 - 52 = 67 - 119 + 67 = (2 \times 67) - 119 \\
7 &= 52 - (3 \times 15) = 119 - 67 - (6 \times 67) + (3 \times 119) = (4 \times 119) - (7 \times 67) \\
1 &= 15 - (2 \times 7) = (2 \times 67) - 119 - (8 \times 119) + (14 \times 67) = (16 \times 67) - (9 \times 119)
\end{aligned}$$

So $67^{-1} \pmod{119} = 16$

$43/67 \pmod{119} = 43 \times 16 \pmod{119} = 93$

1(b) [5 Marks]
Calculate $\varphi(36)$, where $\varphi$ is the Euler Totient function. Use this to calculate $13^{788} \pmod{36}$.

Solution:

$\varphi(36) = 12$

$$\begin{aligned}
13^{788} \pmod{36} &= 13^{788 \pmod{\varphi(36)}} \pmod{36} \\
&= 13^{788 \pmod{12}} \pmod{36} \\
&= 13^{8} \pmod{36} \\
&= ((13^2)^2)^2 \pmod{36} \\
&= (25^2)^2 \pmod{36} \\
&= 13^2 \pmod{36} \\
&= 25
\end{aligned}$$

1(c) [5 Marks]
Calculate the quadratic residues in $\mathbb{Z}^*_{17}$.

Solution: This can be done by direct calculation. Since the quadratic residues are symmetric, they only need to be calculated for half of the values. In this case the quadratic residues are: 1, 4, 9, 16, 8, 2, 15, 13.

1(d) [5 Marks]
Derive a formula for finding the square roots of a number modulo prime $p$, where $p \equiv 3 \pmod{4}$.
Solution: If $a$ is a quadratic residue modulo $p$ then:

$$a^{(p-1)/2} \equiv 1 \pmod{p}$$

Multiplying both sides by $a$:

$$a^{(p+1)/2} \equiv a \pmod{p}$$

Taking the square roots of both sides:

$$\pm a^{(p+1)/4} \equiv \sqrt{a} \pmod{p}$$

If $p \equiv 3 \pmod{4}$, then $(p + 1)/4$ is an integer, and this can be used to calculate the square root.

QUESTION 2 [TOTAL MARKS: 20]

2(a) [5 Marks]
Block ciphers are usually designed to provide confusion and diffusion. Explain what is meant by each of these properties, and give examples of the features of block ciphers which are used to provide them.

Solution: Confusion means that each bit of the ciphertext has a highly non-linear relationship with the plaintext bits and the key bits. Some features of block ciphers which are used to provide this are non-linear S-Boxes, the mixing of operations from different algebraic groups and data-dependent transformations.

Diffusion means that the effect of changing plaintext bits or key bits is spread and therefore affects many ciphertext bits. Some features of block ciphers which are used to provide this are P-Boxes, Feistel structures and pseudo-Hadamard transformations.

2(b) [10 Marks]
Compare and contrast the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) with respect to the following (use diagrams if necessary):
• Encryption algorithm
• Decryption algorithm
• Block size
• Key size
• Number of rounds
• Robustness against attacks

Solution: This is mostly bookwork, but some thought has to be put into inverting the encryption algorithm to implement decryption.
Block size: DES 64, AES 128.
Key size: DES 56, AES 128/192/256.
Number of rounds: DES 16, AES 10/12/14.
DES is slightly vulnerable to linear and differential cryptanalysis attacks, and to brute force attacks; AES is much more robust against attacks.

2(c) [5 Marks]
Describe how DES and AES provide confusion and diffusion.
Solution: DES provides confusion through the S-Boxes, which were designed by hand for this purpose. It provides diffusion through the expansion permutation, P-Boxes and Feistel structure.

AES provides confusion through its S-Box, which is generated by determining the multiplicative inverse in $GF(2^8) = \mathbb{Z}_2[x] \pmod{x^8 + x^4 + x^3 + x + 1}$, which is a non-linear function. It provides diffusion through the shift rows and mix columns operations.

QUESTION 3 [TOTAL MARKS: 20]

Using the diagram below, explain in detail the steps required to launch a successful differential cryptanalysis attack on the FEAL-4 block cipher. [20 Marks]

Solution: This was the subject of a course project, so the students should know this in detail.

QUESTION 4 [TOTAL MARKS: 20]

Consider a toy RSA example in which the public key is $(N = 33, e = 17)$.

4(a) [6 Marks]
Determine the value of the private key.

Solution: The private exponent $d = e^{-1} \pmod{\varphi(N)}$, i.e. $17^{-1} \pmod{20}$. This can be calculated using the extended Euclidean GCD algorithm:

$$\begin{aligned}
20 &= 17 \times 1 + 3 \\
17 &= 5 \times 3 + 2 \\
3 &= (1 \times 2) + 1
\end{aligned}$$

So:

$$\begin{aligned}
3 &= 20 - (17 \times 1) \\
2 &= 17 - (5 \times 3) = 17 - (5 \times 20) + (5 \times 17) = (6 \times 17) - (5 \times 20) \\
1 &= 3 - (1 \times 2) = 20 - (17 \times 1) - (6 \times 17) + (5 \times 20) = (6 \times 20) - (7 \times 17)
\end{aligned}$$

So $17^{-1} \pmod{20} = -7 = 13 \pmod{20}$

The private key is therefore $(N = 33, d = 13)$.

4(b) [7 Marks]
Describe how encryption is done in RSA. Give an efficient algorithm which can be used to implement this encryption, and use this algorithm to encrypt the message 27.

Solution: Encryption in RSA is done by calculating $c = m^e \pmod{N}$. An efficient algorithm for this modular exponentiation is the square and multiply algorithm; this can be computed bit by bit left-to-right or right-to-left. The left-to-right variant for computing $m^e \pmod{N}$ where $e$ has $n$ bits $e_{n-1} \ldots e_0$ is as follows:

    y = 1
    for i = n-1 downto 0 do
        y = (y*y) mod N
        if e_i = 1 then
            y = (y*m) mod N
        end
    end

To encrypt 27, we need to compute $27^{17} \pmod{33}$. Using the described algorithm, this is computed as follows:

| $i$ | $e_i$ | $y$ |
|---|---|---|
| 4 | 1 | $1 \times 1 \times 27 \pmod{33} = 27$ |
| 3 | 0 | $27 \times 27 \pmod{33} = 3$ |
| 2 | 0 | $3 \times 3 \pmod{33} = 9$ |
| 1 | 0 | $9 \times 9 \pmod{33} = 15$ |
| 0 | 1 | $15 \times 15 \times 27 \pmod{33} = 3$ |

So the encrypted value is 3.

4(c) [7 Marks]
Describe how decryption is done in RSA. Describe a technique which can be used to implement this decryption more efficiently using the prime factors of the modulus, and use this technique to decrypt the ciphertext generated above.

Solution: We want to calculate $c^d \pmod{pq}$ and can calculate this more efficiently using $c^d \pmod{p}$ and $c^d \pmod{q}$ and the Chinese Remainder Theorem. To calculate $3^{13} \pmod{33}$, we calculate $3^{13} \pmod{3}$ and $3^{13} \pmod{11}$ and combine using the Chinese Remainder Theorem.

$3^{13} \pmod{3} = 0$ and $3^{13} \pmod{11} = 3^{3} \pmod{11} = 5$, so $3^{13} \pmod{33} = 27$

So the decrypted value is 27.

QUESTION 5 [TOTAL MARKS: 20]

5(a) [5 Marks]
Show that the problem of computing modular square roots with a composite modulus is no harder than the problem of integer factorisation.

Solution: Using an oracle for integer factorisation, we can find the prime factors $p_i$ of $N$. We can then compute $\sqrt{x} \pmod{p_i}$ (can be done in polynomial time), and therefore $\sqrt{x} \pmod{N}$ using the Chinese Remainder Theorem (we have to be a little careful if powers of $p_i$ greater than one divide $N$). So the problem of computing modular square roots is no harder than the problem of integer factorisation.

5(b) [8 Marks]
Show how the number 209 might be factored using the Pollard $p - 1$ method using a smoothness bound $B = 6$. How can we make sure that the product of two large prime numbers is not vulnerable to this particular method of factorisation?

Solution: Since 209 is odd, we use $a = 2$.
The primes $p < B$ are 2, 3, 5 and the corresponding exponents $e$ s.t. $p^e \le B$ are 2, 1, 1 respectively. We calculate

$$M = 2^2 \times 3^1 \times 5^1 = 60$$

$2^{60} \pmod{209} = 45$ and $\gcd(44, 209) = 11$. So 11 is one factor and we can easily determine that 19 is the other.

To make sure that the product of two large prime numbers is not vulnerable to this method of factorisation, we need to ensure that for each prime factor $p$, $p - 1$ is not the product of small prime factors.

5(c) [7 Marks]
Describe how square roots modulo a composite $pq$ where $p$ and $q$ are prime can be computed. Use the described method to compute $\sqrt{23} \pmod{209}$.

Solution: A square root of $x$ modulo a composite $pq$ can be computed by firstly calculating $\sqrt{x} \pmod{p}$ and $\sqrt{x} \pmod{q}$ and then using the Chinese Remainder Theorem to calculate $\sqrt{x} \pmod{pq}$.

$$\begin{aligned}
\sqrt{a} \pmod{p} &= \pm a^{(p+1)/4}, \text{ if } p \equiv 3 \pmod{4} \\
\sqrt{4} \pmod{11} &= \pm 23^{3} \pmod{11} = \pm 1 \\
\sqrt{4} \pmod{19} &= \pm 23^{5} \pmod{19} = \pm 17
\end{aligned}$$

Using the CRT we can therefore calculate $\sqrt{23} \pmod{209}$ as $\pm 188, \pm 131$
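The toy RSA key of Question 4, worked end to end with the extended Euclidean algorithm of Question 1(a), as an added example that is not part of the exam paper. The function names (`egcd`, `modinv`, `modexp`, `rsa_private_exponent`, `rsa_decrypt_crt`) are assumptions chosen for this sketch, and the CRT step uses Garner's recombination with reduced exponents.

```python
# Added example (not from the exam paper): extended Euclid, left-to-right
# square and multiply, and CRT decryption for the key (N = 33, e = 17).

def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, n):
    """Inverse of a modulo n; raises if gcd(a, n) != 1."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return x % n

def modexp(m, e, n, trace=None):
    """Left-to-right square and multiply; trace collects y after each bit."""
    y = 1
    for bit in bin(e)[2:]:            # most significant bit first
        y = (y * y) % n
        if bit == "1":
            y = (y * m) % n
        if trace is not None:
            trace.append(y)
    return y

def rsa_private_exponent(p, q, e):
    """d = e^-1 mod phi(N) with phi(N) = (p - 1)(q - 1)."""
    return modinv(e, (p - 1) * (q - 1))

def rsa_decrypt_crt(c, d, p, q):
    """Compute c^d mod pq from two half-size exponentiations."""
    # d*e = 1 (mod p-1), so d mod (p-1) is never 0 for an odd prime p and
    # the reduced exponent stays correct even when p divides c.
    mp = modexp(c % p, d % (p - 1), p)
    mq = modexp(c % q, d % (q - 1), q)
    h = (modinv(q, p) * (mp - mq)) % p    # Garner's recombination
    return mq + q * h

if __name__ == "__main__":
    d = rsa_private_exponent(3, 11, 17)
    steps = []
    c = modexp(27, 17, 33, steps)
    print("d =", d, "c =", c, "intermediate y:", steps)
    print("m =", rsa_decrypt_crt(c, d, 3, 11))
    print("67^-1 mod 119 =", modinv(67, 119))
```
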
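The Pollard p − 1 factorisation of Question 5(b) and the CRT square roots of Questions 1(d) and 5(c), as an added example that is not part of the exam paper. The function names are assumptions chosen for this sketch; `p_minus_1_divides_m` is a hypothetical key-generation check that shows why 11 is found at B = 6 while 19 is not.

```python
# Added example (not from the exam paper): Pollard p-1 and square roots
# modulo N = 209 = 11 * 19, following the conventions of Question 5.
from math import gcd

def smooth_exponent(bound):
    """M = product over primes p < bound of the largest p^e <= bound."""
    m = 1
    for p in range(2, bound):         # the paper takes primes p < B
        if all(p % r for r in range(2, int(p ** 0.5) + 1)):   # p is prime
            pe = p
            while pe * p <= bound:
                pe *= p
            m *= pe
    return m

def pollard_p_minus_1(n, bound, a=2):
    """Return a non-trivial factor of n, or None if this bound finds none."""
    g = gcd(pow(a, smooth_exponent(bound), n) - 1, n)
    return g if 1 < g < n else None

def p_minus_1_divides_m(p, bound):
    """True means (p-1) | M, so a^M = 1 (mod p) and p appears in the gcd."""
    return smooth_exponent(bound) % (p - 1) == 0

def sqrt_mod_prime(a, p):
    """A square root of a modulo a prime p = 3 (mod 4), or None if none exists."""
    if p % 4 != 3:
        raise ValueError("formula only valid for p = 3 (mod 4)")
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r - a) % p == 0 else None

def sqrt_mod_pq(a, p, q):
    """All square roots of a modulo pq, combined with the CRT."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if rp is None or rq is None:
        return []
    cp = q * pow(q, -1, p)            # 1 mod p, 0 mod q (Python 3.8+)
    cq = p * pow(p, -1, q)            # 0 mod p, 1 mod q
    return sorted({(sp * cp + sq * cq) % (p * q)
                   for sp in (rp, -rp) for sq in (rq, -rq)})

if __name__ == "__main__":
    print("M =", smooth_exponent(6), "factor =", pollard_p_minus_1(209, 6))
    print("exposed at B = 6:", {p: p_minus_1_divides_m(p, 6) for p in (11, 19)})
    print("roots of 23 mod 209:", sqrt_mod_pq(23, 11, 19))
```

The four roots are returned as least non-negative residues, so the paper's ±188 and ±131 appear as 188, 21, 131 and 78.
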