DUBLIN CITY UNIVERSITY
SEMESTER ONE EXAMINATIONS 2013
MODULE (Title & Code): CA642 Cryptography and Number Theory
COURSE: M.Sc. in Security and Forensic Computing
YEAR: 1
EXAMINERS (Including Telephone Nos.): Dr. M. Haahr; Prof. M. O’Neill; Dr. G. Hamilton, Ext no. 5017.
TIME ALLOWED: 3 hours
INSTRUCTIONS:
Please answer all questions.
All questions carry equal marks.
Please do not turn over this page until instructed to do so
The use of programmable or text storing calculators is expressly forbidden.
Module Code: CA642
Semester One Examinations 2013
PAGE 1 OF 7
QUESTION 1
[TOTAL MARKS: 20]
1(a)
[5 Marks]
Calculate $67^{-1} \pmod{119}$ and use this to calculate $43/67 \pmod{119}$.
Solution:
We need to use the extended Euclidean GCD algorithm to calculate this:
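$$
\begin{aligned}
119 &= 67 + 52 \\
67 &= 52 + 15 \\
52 &= (3 \times 15) + 7 \\
15 &= (2 \times 7) + 1
\end{aligned}
$$
So:
$$
\begin{aligned}
52 &= 119 - 67 \\
15 &= 67 - 52 = 67 - 119 + 67 = (2 \times 67) - 119 \\
7 &= 52 - (3 \times 15) = 119 - 67 - (6 \times 67) + (3 \times 119) = (4 \times 119) - (7 \times 67) \\
1 &= 15 - (2 \times 7) = (2 \times 67) - 119 - (8 \times 119) + (14 \times 67) = (16 \times 67) - (9 \times 119)
\end{aligned}
$$
So $67^{-1} \pmod{119} = 16$
$43/67 \pmod{119} = 43 \times 16 \pmod{119} = 93$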
1(b)
[5 Marks]
Calculate $\phi(36)$, where $\phi$ is the Euler Totient function. Use this to calculate $13^{788} \pmod{36}$.
Solution:
$\phi(36) = 12$
$13^{788} \pmod{36} = 13^{788 \bmod \phi(36)} \pmod{36} = 13^{788 \bmod 12} \pmod{36} = 13^{8} \pmod{36} = ((13^2)^2)^2 \pmod{36} = (25^2)^2 \pmod{36} = 13^2 \pmod{36} = 25$
1(c)
[5 Marks]
Calculate the quadratic residues in $\mathbb{Z}^*_{17}$.
Solution:
This can be done by direct calculation. Since the quadratic residues are symmetric, they only
need to be calculated for half of the values. In this case the quadratic residues are: 1, 4, 9, 16,
8, 2, 15, 13.
1(d)
[5 Marks]
Derive a formula for finding the square roots of a number modulo prime p, where
p ≡ 3 (mod 4).
Solution:
If $a$ is a quadratic residue modulo $p$ then: $a^{(p-1)/2} \equiv 1 \pmod{p}$
Multiplying both sides by $a$: $a^{(p+1)/2} \equiv a \pmod{p}$
Taking the square roots of both sides: $\pm a^{(p+1)/4} \equiv \sqrt{a} \pmod{p}$
If p ≡ 3 (mod 4), then (p + 1)/4 is an integer, and this can be used to calculate the square root.
QUESTION 2
[TOTAL MARKS: 20]
2(a)
[5 Marks]
Block ciphers are usually designed to provide confusion and diffusion. Explain
what is meant by each of these properties, and give examples of the features of
block ciphers which are used to provide them.
Solution:
Confusion means that each bit of the ciphertext has a highly non-linear relationship with the
plaintext bits and the key bits. Some features of block ciphers which are used to provide this are
non-linear S-Boxes, the mixing of operations from different algebraic groups and data-dependent
transformations.
Diffusion means that the effect of changing plaintext bits or key bits is spread and therefore
affect many ciphertext bits. Some features of block ciphers which are used to provide this are
P-Boxes, Feistel structures and pseudo-Hadamard transformations.
2(b)
[10 Marks]
Compare and contrast the Data Encryption Standard (DES) and the Advanced
Encryption Standard (AES) with respect to the following (use diagrams if necessary):
• Encryption algorithm
• Decryption algorithm
• Block size
• Key size
• Number of rounds
• Robustness against attacks
Solution:
This is mostly bookwork, but some thought has to be put into inverting the encryption algorithm
to implement decryption. Block size: DES 64, AES 128. Key size: DES 56, AES 128/192/256.
Number of rounds: DES 16, AES 10/12/14. DES is slightly vulnerable to linear and differential
cryptanalysis attacks, and to brute force attacks; AES is much more robust against attacks.
2(c)
[5 Marks]
Describe how DES and AES provide confusion and diffusion.
Solution:
DES provides confusion through the S-Boxes, which were designed by hand for this purpose. It
provides diffusion through the expansion permutation, P-Boxes and Feistel structure.
AES provides confusion through its S-Box, which is generated by determining the multiplicative inverse in $GF(2^8) = \mathbb{Z}_2[x] \pmod{x^8 + x^4 + x^3 + x + 1}$, which is a non-linear function. It
provides diffusion through the shift rows and mix columns operations.
QUESTION 3
[TOTAL MARKS: 20]
Using the diagram below, explain in detail the steps required to launch a successful
differential cryptanalysis attack on the FEAL-4 block cipher.
[20 Marks]
Solution:
This was the subject of a course project, so the students should know this in detail.
QUESTION 4
[TOTAL MARKS: 20]
Consider a toy RSA example in which the public key is (N = 33, e = 17).
4(a)
[6 Marks]
Determine the value of the private key.
Solution:
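The private exponent $d = e^{-1} \pmod{\phi(N)}$ i.e. $17^{-1} \pmod{20}$. This can be calculated using
the extended Euclidean GCD algorithm:
$$
\begin{aligned}
20 &= 17 \times 1 + 3 \\
17 &= 5 \times 3 + 2 \\
3 &= (1 \times 2) + 1
\end{aligned}
$$
So:
$$
\begin{aligned}
3 &= 20 - (17 \times 1) \\
2 &= 17 - (5 \times 3) = 17 - (5 \times 20) + (5 \times 17) = (6 \times 17) - (5 \times 20) \\
1 &= 3 - (1 \times 2) = 20 - (17 \times 1) - (6 \times 17) + (5 \times 20) = (6 \times 20) - (7 \times 17)
\end{aligned}
$$
So $17^{-1} \pmod{20} = -7 = 13 \pmod{20}$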
The private key is therefore (N = 33, d = 13).
4(b)
[7 Marks]
Describe how encryption is done in RSA. Give an efficient algorithm which can be
used to implement this encryption, and use this algorithm to encrypt the message
27.
Solution:
Encryption in RSA is done by calculating $c = m^e \pmod{N}$. An efficient algorithm for this
modular exponentiation is the square and multiply algorithm; this can be computed bit by bit
left-to-right or right-to-left. The left-to-right variant for computing $m^e \pmod{N}$ where $e$ has $n$
bits $e_{n-1} \ldots e_0$ is as follows:
y = 1
for i = n-1 downto 0 do
    y = (y*y) mod N
    if e_i = 1 then
        y = (y*m) mod N
    end
end
To encrypt 27, we need to compute $27^{17} \pmod{33}$. Using the described algorithm, this is computed as follows:

i    x_i    y
4    1      1 × 1 × 27 (mod 33) = 27
3    0      27 × 27 (mod 33) = 3
2    0      3 × 3 (mod 33) = 9
1    0      9 × 9 (mod 33) = 15
0    1      15 × 15 × 27 (mod 33) = 3

So the encrypted value is 3.
4(c)
[7 Marks]
Describe how decryption is done in RSA. Describe a technique which can be
used to implement this decryption more efficiently using the prime factors of the
modulus, and use this technique to decrypt the ciphertext generated above.
Solution:
We want to calculate $c^d \pmod{pq}$ and can calculate this more efficiently using $c^d \pmod{p}$ and
$c^d \pmod{q}$ and the Chinese Remainder Theorem.
To calculate $3^{13} \pmod{33}$, we calculate $3^{13} \pmod{3}$ and $3^{13} \pmod{11}$ and combine using the
Chinese Remainder Theorem.
$3^{13} \pmod{3} = 0$ and $3^{13} \pmod{11} = 3^{3} \pmod{11} = 5$, so $3^{13} \pmod{33} = 27$
So the decrypted value is 27.
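The whole of Question 4 (and the inverse from 1(a)) as runnable code; this is an added example, not part of the exam paper, and the function names are illustrative. It derives d with the extended Euclidean algorithm, encrypts with left-to-right square and multiply while recording y after each bit, and decrypts with the CRT using the factors 3 and 11.

```python
# Added example: the toy RSA key from Question 4 (N = 33 = 3 * 11, e = 17).
# Function names are illustrative; textbook RSA, toy sizes, no padding.

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Inverse of a modulo m from the Bezout coefficient, as in 1(a) and 4(a)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m

def modexp_ltr(m, e, n):
    """Left-to-right square and multiply; returns (result, y after each bit)."""
    y, trace = 1, []
    for bit in bin(e)[2:]:            # most significant bit first
        y = (y * y) % n
        if bit == "1":
            y = (y * m) % n
        trace.append(y)
    return y, trace

def rsa_crt_decrypt(c, d, p, q):
    """Two small exponentiations mod p and mod q, recombined with the CRT."""
    mp, _ = modexp_ltr(c % p, d % (p - 1), p)   # exponent reduced via Fermat
    mq, _ = modexp_ltr(c % q, d % (q - 1), q)
    h = (modinv(q, p) * (mp - mq)) % p          # Garner's recombination
    return mq + h * q

def toy_rsa_roundtrip(message=27, p=3, q=11, e=17):
    """Derive d, encrypt, decrypt with CRT; returns (d, c, trace, recovered)."""
    d = modinv(e, (p - 1) * (q - 1))
    c, trace = modexp_ltr(message, e, p * q)
    return d, c, trace, rsa_crt_decrypt(c, d, p, q)

if __name__ == "__main__":
    print(toy_rsa_roundtrip())        # private exponent, ciphertext, trace, plaintext
    print(modinv(67, 119), 43 * modinv(67, 119) % 119)
```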
QUESTION 5
[TOTAL MARKS: 20]
5(a)
[5 Marks]
Show that the problem of computing modular square roots with a composite
modulus is no harder than the problem of integer factorisation.
Solution:
Using an oracle for integer factorisation, we can find the prime factors $p_i$ of $N$.
We can then compute $\sqrt{x} \pmod{p_i}$ (can be done in polynomial time), and therefore $\sqrt{x} \pmod{N}$
using the Chinese Remainder Theorem (we have to be a little careful if powers of $p_i$ greater than
one divide $N$).
So the problem of computing modular square roots is no harder than the problem of integer
factorisation.
5(b)
[8 Marks]
Show how the number 209 might be factored using the Pollard p − 1 method using
a smoothness bound B = 6. How can we make sure that the product of two large
prime numbers is not vulnerable to this particular method of factorisation?
Solution:
Since 209 is odd, we use a = 2.
The primes $p < B$ are 2, 3, 5 and the corresponding exponents $e$ s.t. $p^e \le B$ are 2, 1, 1
respectively.
We calculate $M = 2^2 \times 3^1 \times 5^1 = 60$
$2^{60} \pmod{209} = 45$ and gcd(44, 209) = 11.
So 11 is one factor and we can easily determine that 19 is the other.
To make sure that the product of two large prime numbers is not vulnerable to this method
of factorisation, we need to ensure that for each prime factor p, p − 1 is not the product of small
prime factors.
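The p − 1 computation from 5(b) together with the check a key generator would apply to a candidate prime; this is an added example, not part of the exam paper. The function names and the second modulus 1081 = 23 × 47 are constructed for illustration.

```python
# Added example: Pollard p-1 with the smoothness bound B from Question 5(b).
from math import gcd

def primes_upto(b):
    """Primes <= b by trial division (for B = 6 the same set as the primes < B)."""
    return [n for n in range(2, b + 1)
            if all(n % k for k in range(2, int(n ** 0.5) + 1))]

def exponent_M(b):
    """M = product over primes p <= b of the largest power p^e <= b."""
    m = 1
    for p in primes_upto(b):
        pe = p
        while pe * p <= b:
            pe *= p
        m *= pe
    return m

def pollard_p_minus_1(n, b, a=2):
    """Return a non-trivial factor of n, or None if this bound finds nothing."""
    g = gcd(pow(a, exponent_M(b), n) - 1, n)
    return g if 1 < g < n else None

def exposed_at_bound(p, b):
    """True if p - 1 divides M, so a^M = 1 (mod p) and p falls out of the gcd."""
    return exponent_M(b) % (p - 1) == 0

def largest_prime_factor(n):
    """Largest prime factor of n by trial division (toy sizes only)."""
    f, p = 1, 2
    while p * p <= n:
        while n % p == 0:
            f, n = p, n // p
        p += 1
    return n if n > 1 else f

if __name__ == "__main__":
    print(exponent_M(6), pow(2, 60, 209), pollard_p_minus_1(209, 6))
    # 11 - 1 = 2 * 5 divides M = 60; 19 - 1 = 2 * 3^2 does not, since 3^2 > 6.
    print(exposed_at_bound(11, 6), exposed_at_bound(19, 6))
    # Constructed modulus: 23 - 1 = 2 * 11 and 47 - 1 = 2 * 23 resist B = 6.
    print(pollard_p_minus_1(1081, 6), pollard_p_minus_1(1081, 11))
    print(largest_prime_factor(22), largest_prime_factor(46))
```

A key generator would reject a prime p when largest_prime_factor(p - 1) is small enough to fall under a bound that is feasible to try.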
5(c)
[7 Marks]
Describe how square roots modulo a composite $pq$ where $p$ and $q$ are prime can
be computed. Use the described method to compute $\sqrt{23} \pmod{209}$.
Solution:
A square root of $x$ modulo a composite $pq$ can be computed by firstly calculating $\sqrt{x} \pmod{p}$
and $\sqrt{x} \pmod{q}$ and then using the Chinese Remainder Theorem to calculate $\sqrt{x} \pmod{pq}$.
$\sqrt{a} \pmod{p} = \pm a^{(p+1)/4}$, if $p \equiv 3 \pmod{4}$
$\sqrt{4} \pmod{11} = \pm 23^{3} \pmod{11} = \pm 1$
$\sqrt{4} \pmod{19} = \pm 23^{5} \pmod{19} = \pm 17$
Using the CRT we can therefore calculate $\sqrt{23} \pmod{209}$ as $\pm 188, \pm 131$
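
The square-root method of 1(d), 5(a) and 5(c) as runnable code; this is an added example, not part of the exam paper, and the function names are illustrative. It assumes the factors p and q are known and both are ≡ 3 (mod 4), returns every root rather than one, handles non-residues, and also lists the quadratic residues asked for in 1(c).

```python
# Added example: square roots modulo p*q for primes p, q = 3 (mod 4).
from itertools import product

def sqrt_mod_prime(a, p):
    """Roots of a modulo prime p = 3 (mod 4); [] if a is a non-residue."""
    if p % 4 != 3:
        raise ValueError("the a^((p+1)/4) formula needs p = 3 (mod 4)")
    a %= p
    if a == 0:
        return [0]
    if pow(a, (p - 1) // 2, p) != 1:       # Euler's criterion, as in 1(d)
        return []
    r = pow(a, (p + 1) // 4, p)
    return sorted({r, p - r})

def crt_pair(rp, p, rq, q):
    """Unique x mod p*q with x = rp (mod p) and x = rq (mod q); p, q prime."""
    p_inv = pow(p, q - 2, q)               # inverse of p mod q via Fermat
    return (rp + p * ((rq - rp) * p_inv % q)) % (p * q)

def sqrt_mod_pq(a, p, q):
    """All square roots of a modulo p*q, combining every pair of prime roots."""
    pairs = product(sqrt_mod_prime(a, p), sqrt_mod_prime(a, q))
    return sorted({crt_pair(rp, p, rq, q) for rp, rq in pairs})

def quadratic_residues(p):
    """Squares of 1..(p-1)/2; the other half repeats them by symmetry."""
    return sorted({x * x % p for x in range(1, (p - 1) // 2 + 1)})

if __name__ == "__main__":
    print(sqrt_mod_prime(23, 11), sqrt_mod_prime(23, 19))
    roots = sqrt_mod_pq(23, 11, 19)
    print(roots, [r * r % 209 for r in roots])
    print(sqrt_mod_pq(2, 11, 19))          # 2 is a non-residue mod 11: no roots
    print(quadratic_residues(17))
```

The four roots are the two sign pairs in the solution: 188 with 21 = −188, and 131 with 78 = −131 (mod 209).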