Student Name: ________________________________________________

Faculty of Science
Final Examination

Computer Science 308-547A
Cryptography and Data Security

Examiner:	Prof. Claude Crépeau	Date:	Dec. 18, 2000
Associate Examiner:	Prof. David Avis	Time:	9:00 — 12:00

INSTRUCTION:

This examination is worth 50% of your final grade.
The total of all questions is 105 points.
Each question is assigned a value found in parenthesis next to it.
This is an open book examination. All documentation is permitted.
Faculty standard calculator permitted only.
This examination consists of 6 questions on 3 pages, including title page.

Suggestion: read all the questions and their values before you start answering.

Question 1. Combining RSA and El Gamal (20 points)

Alice is a bit paranoid. She has a public RSA key (n,e) (and related private key d) but has decided to supplement it with an El Gamal public key (p,g,a,b=a^a mod p) (and related private key a).

Explain how Alice can sign messages using both systems in such a way that an adversary must break both signature schemes in order to forge her signature.
Explain how Bob can encrypt messages for Alice using both systems in such a way that an adversary must break both cryptosystems in order to discover the message transmitted.

Question 2. Enigma (10 points)

Consider the following Enigma ciphertext c and plaintexts p₁,p₂,p₃,p₄,p₅ :

c₁:loteq nfaxz plued mcbge hhedw iiedw luhve yfbcw uhuhj lmqad yrscf …
p₁:Diesi stein eJAVA Imple menta tiond esbek annte nWUrf elsvo nRubi …

p₂:Puzzl eSpie lzeug derfr Uhen8 0erJa hreer lebtm itRub iKsGa messe …

p₃:MitRu biKsG amesf UrPCC DROMz eigtH asbro Inter activ eeinm almeh …

p₄:Dochk eineA ngstb eiall enRub ikVar iante nsind versc hiede neSch …

p₅:MitSm ische nSied enRub iksCu bedur chmit Rsetz enSie Ihnwi ederi …

for each of these five plaintexts p_i (1£i£5), say whether or not ciphertext c is a possible encryption of p_i.

Question 3. Shared RSA (20+5 points)

Alice is a bit hypochondriac. She has a public RSA key (n,e) (and related private key d) but has decided to provide her best friends Bob and Cole with private keys d_b,d_c such that d=d_b*d_c mod f(n), in case she dies.

Show that individually d_b or d_c is useless to decipher messages encrypted with (n,e).

Show how Bob and Cole can decrypt a ciphertext c intended to Alice without revealing d_b or d_c.

Show how they can make sure that the decryption process was successful.

Show how they can convince each other that they jointly have the power to decrypt ciphertexts intended for Alice without revealing d_b or d_c to each other, before such a ciphertext is given to them.

(5 bonus points) Show that if they share d_b and d_c then they can factor n and compute d.

Question 4. Private Key cryptosystem (10 points)

Consider the following family of permutations { p_k : {0,1}²ⁿ Æ {0,1}²ⁿ }_k defined from a Pseudo-Random Function Generator { f_k : {0,1}ⁿ Æ {0,1}ⁿ }_k :

p_k(x,y) = [ y , x‰f_k(y) ]

Explain how Alice and Bob could share a secret key kand use both p_k and p_k^-1 to do encryption/decryption of bit-strings of size n. What would be the security properties of such a system ? (Make the strongest possible statement among - "cipheretext only attack" - "known plaintext attack" - "chosen plaintext attack" - "chosen ciphertext attack" - and justify your answer).

Question 5. Short and Sweet (25 points)

(a) (4 points)

Explain the difference between the concepts of "digital signature" and "undeniable signature".

(b) (5 points)

In the Diffie-Hellman key exchange protocol with public parameters (p,g), exhibit one bit of information about the key g^ab mod p that can be easily computed from g^a mod p and g^b mod p.

Suggest a simple way of reducing the redundancy of English without loosing any of its expressive power.

(d) (6 points)

Show how to construct a cryptographic hash function using x² mod n and argue that it is collision free.

(e) (6 points)

Modify the OFB and CFB modes of DES so that the encryption schemes remain the same but in a way that only the decryption function of DES is used to do the decryption of long messages.

Question 6. Small RSA (15 points)

Define, for n=pq, the function l(n)=f(n)/gcd(p-1,q-1). An extension of Euler's theorem is that for all x, 0<x<n, such that gcd(x,n)=1, we have x^l(n) † 1 (mod n).

Let (n,e) be an RSA public key and d be the corresponding RSA private decryption key. Show that for at least half the e's, there exists a d', 0<d'<l(n)<d, such that d' may be used to decrypt instead of d.

Discuss the pros and cons of having gcd(p-1,q-1) be fairly large with respect to n, in terms of efficiency and security.