Exercises (from Stinson’s book)

CS547A Homework set #5

Due Tuesday December, 5 2000 in class at 14:30 SHARP

Exercises (from Stinson’s book)

• 7.4 •

Suppose n=pq, where p and q are two (secret) distinct large primes such that p=2p₁+1 and q=2q₁+1, where p₁ and q₁ are prime. Suppose that a is an element of order 2p₁q₁ in Z_n* (this is the largest order of any element in Z_n*). Define a hash function h : {1,2,…,n²} -> Z_n* by the rule h(x) = a^x mod n.

Now, suppose that n = 603241 and a = 11 are used to define a hash function h of this type. Suppose that we are given three collisions for h:

h(1294755) = h(80115359) = h(52738737).

Use this information to factor n.

• 7.5 •

Suppose h₁ : {0,1}^2m ->{0,1}^m is a strongly collision-free hash function.

(a) Define h₂ : {0,1}^4m ->{0,1}^m as in Figure 7.13. Prove that h₂ is strongly collision-free.

(b) For an integer i>1, define a hash function h_i : {0,1}^2ⁱm ->{0,1}^m recursively from h_i-1, as indicated in Figure 7.14. Prove that h_i is strongly collision-free.

FIGURE 7.13 Hashing 4m bits to m bits

write x in {0,1}^4m as x = x₁||x₂, where x₁,x₂ in {0,1}^2m

define h₂(x) = h₁(h₁(x₁) || h₁(x₂)) .

FIGURE 7.14 Hashing 2ⁱm bits to m bits

write x in {0,1}^2ⁱm as x = x₁||x₂, where x₁,x₂ in {0,1}^2^i-1m

define h_i(x) = h₁(h_i-1(x₁) || h_i-1 (x₂)) .

• 9.3 •

Suppose that Alice uses the Schnorr Scheme with p=122503, q=1201, t=10 and a=11538 (as in Exercise 9.2). Now suppose that v = 51131, and Olga has learned that

a³v¹⁴⁸ = a¹⁵⁸v¹⁰⁷⁷ (mod p).

Show how Olga can compute Alice’s secret exponent a.

• 9.7 •

Suppose that Alice is using the Guillou-Quisquater Scheme with n = 199543, b=523 and v = 146152. Suppose that Olga has discovered that

v⁴⁵⁶101360^b = v²⁵⁷36056^b (mod n).

Show how Olga can compute u.

Other Exercises
Goldwasser-Micali

Let n=p*q, the product of two primes, and let y be an element of QNR_n[+1]. Remember that the Goldwasser-Micali cryptosystem with public parameters (n,y) encrypts a zero bit by [a random quadratic residue] modulo n and a one bit by [a random quadratic residue] x y modulo n.

Let GM(m₁),GM(m₂) be the Goldwasser-Micali encryption of messages m₁ and m₂ as computed and sent by Bob to Alice. Suppose Bob applied his personal signature to the encryption of each bit.

Imagine the government witnessed Bob's transmission of both messages to Alice and they wish to have some minor information about the messages as follows.

Show how Bob can prove that both GM(m₁),GM(m₂) were encryptions of the same message m₁=m₂ without disclosing anything at all about it.

Show how Bob can prove that GM(m₁),GM(m₂) were encryptions of messages m₁ and m₂ that differed in an even or odd number of positions, without disclosing anything else about them.

Assume m₁,m₂ have even length, |m₁|=|m₂|=2k. Show how Bob can prove that GM(m₁),GM(m₂) were encryptions of different messages m₁<>m₂ by disclosing nothing except for the fact that they differed somewhere among all but one of the positions. (Bob can but aside one encrypted bit at a fixed position of GM(m₁) and GM(m₂), and then prove that the remaining truncated messages are different without disclosing anything about them except for the fact that they differ). Explain why we need messages of even length 2k.

How much uncertainty is left about m₁,m₂ when only learning that they differ ? How much uncertainty is left about m₁,m₂ when learning that they differ by the method suggested in (c) ?

(in both cases assume that the a priori uncertainty was maximum.)