T-79.4501 Cryptography and Data Security EXAM Thursday, April 29, 2010 Problems and Solutions

T-79.4501 Cryptography and Data Security EXAM Thursday, April 29, 2010 Problems and solutions

1. (6 pts) The Atbash cipher is a simple substitution cipher, which converts the order of the alphabet, that is, it encrypts A to Z, B to Y, C to X, and so on, on the English alphabet. Consider double encryption using the Atbash cipher and Shift cipher on the English alphabet. Usually these ciphers do not commute, that is, if you apply Atbash first and then Shift the result is different from what you get if you apply Shift first and then Atbash. But there is one non-zero key of the Shift cipher, for which the encryption result is the same in both ways. What is it? Justify your answer.

Solution. Let A be the encryption operation deﬁned by the Atbash cipher and SK be the encryption operation of the Shift cipher with key K on the alphabet {0, 1,..., 25} = {a, b, . . . , z}. Given x in this alphabet these operations are deﬁned as follows:

A(x) = 25 − x mod 26

SK (x) = x + K mod 26

Then the ciphers commute if and only if

A(SK (x)) = SK (A(x)), for all x ∈ {0, 1,..., 25}

what is equivalent to

25 − (x + K) = (25 − x) + K (mod 26)

from where we get that 2K = 0 (mod 26). The only non-zero key K that satisﬁes this equation is K = 13.

2. (a) (2 pts) What is triple encryption? What is its advantage compared to double encryption? Solution. see Lecture 5, pages 14-15 (b) (2 pts) Why the middle operation of the 3DES (triple-DES) encryption is decryption rather than encryption? Solution. see Lecture 5, page 14 (c) (2 pts) What is hybrid encryption? Solution. It is a data conﬁdentiality method, where the data is encrypted using a symmet- ric encryption scheme and a key K, and then the key K is encrypted using an asymmetric encryption scheme using the recipient’s public key. Both ciphertexts are sent to the recipient, who ﬁrst decrypts the key K using its private key and the decrypts the data using K. (Lecture 13, page 2)

3. Consider the RSA cryptosystem with modulus n = 31 · 113 = 3503.

(a) (2 pts) A random number generator produces two random numbers: 429 and 29. Show that 429 is not a suitable value for the private decryption exponent d. Explain. Solution. It is required that gcd(d, φ(n)) = 1. This does not hold for d = 429 as 3 divides both 429 and φ(n) = 30 · 112 = 3360. (b) (2 pts) Compute the public encryption exponent e using d = 29. Solution. e = d−1 mod φ(n) and can be computed using the Euclidean algorithm. The result is e = −811 mod 3360 = 2549. i qi ri vi = vi−2 − vi−1qi 0 3360 0 1 29 1 2 115 25 −115 3 1 4 116 4 6 1 −811

(c) (2 pts) Decrypt the ciphertext c = 2010 using d = 29 and the Chinese Remainder Theorem with the knowledge of the prime factors of the modulus.

Solution.

m = cd mod n = 201029 mod 3503 ( 2629 mod 31 = 6 mod 31 = 8929 mod 113 = 21 mod 113

Then we ﬁnd u and v such that u31 + v113 = 1. Running the Euclidean algorithm gives u = 62 and v = −17. By Lecture 8, page 4, we obtain

m = 21 · 62 · 31 + 6 · (−17) · 113 mod 3503 = 812.

4. Consider polynomial arithmetic in the set of 3-bit integers using polynomial x3 + x + 1.

(a) (3 pts) Determine the discrete logarithm of 6 = 110 to the base 2 = 010. Solution. We compute to the base 2 = x: x0 = 1 x1 = x x2 = x2 x3 = x + 1 x4 = x2 + x = 110 = 6 It follows that the discrete logarithm of 6 to the base 2 is 4. (b) (3 pts) Calculate the inverse of 6 = 110. Solution. By continuing as above, we get: x5 = x2 + x + 1 x6 = x2 + 1 x7 = 1 It follows that x4 · x3 = 1, from where we see that the inverse of x4 = 6 is x3 = x + 1 = 3. Another way of ﬁnding the inverse of 6 = x2 + x modulo x3 + x + 1 would be to compute it using the Euclidean algorithm.

5. (6 pts) The standard SHA-2 family consists of two hash-functions SHA-256 and SHA-512. Con- sider the following two methods of computing a 512-bit hash code H for a given message M:

1. Using SHA-256: Split the message into two disjoint parts M1 and M2, compute H1 = SHA-256(M1) and H2 = SHA-256(M2) and form H = H1||H2 as the concatenation of the two 256-bit hash codes. 2. Using SHA-512: Compute the hash code as H = SHA-512(M). Which of the two methods, in your opinion, gives better resistance against collision attack, or are the methods about equally strong? Justify your answer. Solution. Colliding message pairs for construction 1 can be found as follows. Search ﬁrst a colliding pair 0 M1 and M1 for SHA-256. By Birthday paradox this succeeds with probability 1/2 and with 128 0 0 complexity 2 . Select any M2. Then M = M1||M2 and M = M1||M2 is a colliding message pair for construction 1. For the second construction, that is plain SHA-512, the claimed security level (minimum attack complexity) is 2256, see Table in Lecture 7, page 12. Hence it is justiﬁed to say that construction 1 is essentially weaker than construction 2.

Exam Calculator Policy: It is allowed to use any ordinary, non-programmable calculator.