
CSE 4383/6383 QUIZ 1 FALL 2010 Solutions

1. Explain the terms confusion and diffusion in the context of block-ciphers.

Confusion: How changing one bit of the key affects the cipher text for the same plain text.

Diffusion: How changing one bit of the plain text affects the cipher text for the same key.

2. What is the difference between a good cipher and a strong cipher?

The only attack against a good cipher is a brute-force attack. A strong cipher is a good cipher with a large key size to make brute-force attacks prohibitive.

3. Given a good cipher with 40-bit keys and 64-bit block size, explain how a cipher with 120-bit key size can be realized.

Use repeated encryption with 4 independent 40-bit keys. Even though the key length is 160 bits, due to the possibility of a meet-in-the-middle attack the resulting 160-bit cipher has 120-bit strength.

4. Why is it necessary to ensure that initial values are never reused in stream ciphers?

Two plaintext sequences p1 and p2, when encrypted using the same IV, yield cipher texts c1 and c2 where

c1 = p1 XOR z and c2 = p2 XOR z

Thus c1 XOR c2 = p1 XOR p2

An attacker who has access only to cipher texts c1 and c2 can now get the XOR of the two plain texts.

5. Match the following:

ECB    Suitable for random access encryption / decryption (CTR)
OFB    This mode can convert a block cipher to a stream cipher (OFB)
CBC    Identical plain text blocks map to identical cipher text blocks (ECB)
CTR    Ideally, initial value should be encrypted (CBC)
CFB    Both encryption and decryption use the block cipher in the encryption mode (CFB)

6. What is the difference between a hash function and a compression function?

A compression function takes fixed size inputs and produces fixed size outputs (where the output size is less than the input size). A hash function is derived by repeatedly using a compression function. If the compression function is pre-image resistant and collision resistant, then using the Merkle-Damgård construction we can derive a hash function (using the compression functions as building blocks) which is pre-image resistant and collision resistant.

7. What is a keyed message authentication code (HMAC)?

A one-way function of a message and a key. An HMAC accompanying a message M, computed using a key K, provides the assurance to the receiver that only an entity with access to key K could have computed the HMAC.

8. What is the metric for security for the following cryptographic primitives?

• Block-cipher – key length
• Hash function – hash length
• HMAC – key length (does not depend on the hash length)

9. Evaluate the following using Fermat's little theorem or the Euler-Fermat theorem:

• 12^45 mod 7
  12 mod 7 = 5; 45 mod 6 = 3; 12^45 mod 7 is thus the same as 5^3 mod 7 = 6

• 24^53 mod 15
  24 mod 15 is the same as 9 mod 15. As 15 = 5 x 3, Phi(15) = (5-1) x (3-1) = 8. Thus the exponent can be reduced mod 8: 53 mod 8 = 5. So 24^53 mod 15 is the same as 9^5 mod 15 = 9.

10. Evaluate 45^56 mod 83 using the square-and-multiply algorithm.

56 in binary notation is 1 1 1 0 0 0

Loop 6 times starting from b5=1 to b0=0 (b5=1, b4=1, b3=1, b2=0, b1=0, b0=0), with z = 1 initially.

First loop: b5=1; z = z^2 * 45 mod 83 = 45 mod 83 (z=45)
Second loop: b4=1; z = z^2 * 45 mod 83 = 74 mod 83 (z=74)
Third loop: b3=1; z = z^2 * 45 mod 83 = 76 mod 83 (z=76)
Fourth loop: b2=0; z = z^2 mod 83 = 49 mod 83 (z=49)
Fifth loop: b1=0; z = z^2 mod 83 = 77 mod 83 (z=77)
Sixth loop: b0=0; z = z^2 mod 83 = 36 mod 83 (z=36)

45^56 mod 83 is the same as 36 mod 83

11. Briefly explain the procedure for generation of i) an RSA key pair; ii) an El Gamal key pair

RSA: Choose two primes p and q. Compute n = p*q and Phi(n) = (p-1)*(q-1). Choose an encryption exponent e relatively prime to Phi(n). Compute the decryption exponent d such that d is the multiplicative inverse of e mod Phi(n) (or ed = 1 + k * Phi(n) where k is any integer).

Now (n, e) are the public keys; d is the private key.

12. Discuss the advantages and disadvantages of RSA and El Gamal for their use for encryption and digital signatures.

ElGamal encryption and signatures require twice the bandwidth overhead of RSA, as a mask needs to be sent in addition to the cipher text / signature.

ElGamal encryption and decryption have the same computational complexity. Similarly, ElGamal signing and verification have the same complexity.

For RSA we can choose a small public exponent e (if e is 3 bits, only three square-and-multiply loops are required to compute the exponentiation). However, d will still be of the same order as the modulus n (for example, 2000 bits). Thus, in RSA

1) encryption can be fast but decryption is slow (comparable to ElGamal encryption and decryption)
2) signing is slow (comparable to ElGamal signing and verification) but verification can be fast.

Low verification complexity is an especially desirable feature, as high verification complexity can lead to easy denial of service attacks (an attacker can send random bits as a signature; that the signature is random will be recognized only after the expensive verification process).
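
The square-and-multiply loop from question 10, the RSA key generation steps from question 11 and the public-versus-private cost gap from question 12, put together as an added example (not part of the original quiz solutions). The function names and the toy parameters p=61, q=53, e=7, m=65 are constructed for illustration.

```python
from math import gcd


def square_and_multiply(base, exponent, modulus):
    """Left-to-right square-and-multiply, as walked through in question 10.

    Returns (result, trace, ops): trace holds z after each loop and ops
    counts modular multiplications (squarings included).
    """
    z, trace, ops = 1, [], 0
    for bit in bin(exponent)[2:]:      # b_k ... b_0, most significant first
        z = (z * z) % modulus          # every loop squares
        ops += 1
        if bit == "1":                 # set bit: also multiply by the base
            z = (z * base) % modulus
            ops += 1
        trace.append(z)
    return z, trace, ops


def rsa_keypair(p, q, e):
    """RSA key generation following the steps in question 11."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to Phi(n)")
    d = pow(e, -1, phi)                # e*d = 1 + k*Phi(n); Python 3.8+
    return (n, e), d


def rsa_cost_demo(p=61, q=53, e=7, m=65):
    """Constructed toy parameters; textbook RSA with no padding."""
    (n, e), d = rsa_keypair(p, q, e)
    c, _, public_ops = square_and_multiply(m, e, n)    # encrypt / verify
    m2, _, private_ops = square_and_multiply(c, d, n)  # decrypt / sign
    return {"d": d, "roundtrip": m2 == m,
            "public_ops": public_ops, "private_ops": private_ops}


if __name__ == "__main__":
    print(square_and_multiply(45, 56, 83))   # question 10
    print(rsa_cost_demo())
```

The gap between `public_ops` and `private_ops` grows with the modulus size, since d stays on the order of n while e stays small.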