Homework III, Foundations of Cryptography 2018

Before you start: 1. The deadlines in this course are strict and stated on the course homepage. 2. Read the detailed homework rules at the course homepage. 3. Read about I and T-points and grades in the course description. The problems are given in no particular order. If something seems wrong, then visit the course homepage to see if any errata was posted. If this does not help, then email [email protected]. Don’t forget to prefix your email subject with DD2448. We may publish hints on the homepage if a problem appears to be harder than expected.

1 Do a literature study of the (in)security of the SSL/TLS protocol (through the years).

1a (5T) Summarize in roughly a page your findings in your own words. Summarizing SSL/TLS and issues with it in one page is challenging. Choose carefully what you present and how you present it.

1b (2T) In class we considered Diffie-Hellman key exchange and noted that we can derive a key for AES, and this is essentially the secure channel functionality provided by SSL/TLS, so why is it so complex? (mention two major reasons)

a
2 (2T) We denote the Legendre/Jacobi symbol of a modulo b by b . For each of the follow- ing expressions, state if it is a Legendre symbol, Jacobi symbol, or not defined, and compute 13
23
31
the symbol by hand (we want to see your intermediate results) if possible: 32 , 359 , 37 , 59816457545754
52384
75456731 , and 55859483645694 .

3 Recall that the fundamental theorem of finite abelian groups says that any finite commutative group is isomorphic to a direct sum of groups of prime power orders and let N = 120. We may make the sum canonical by ordering terms by prime and then power.

3a (2T) Give the direct sum of subgroups isomorphic to ZN .

∗ 3b (2T) Give the direct sum of subgroups isomorphic to ZN .

Page 1 (of 4)

Foundations of cryptography • Spring 2018 Douglas Wikström ∗ 4 You are given an n-bit RSA modulus N and two randomly chosen elements g, y ∈ ZN , where y = gx mod N, and then we execute the following protocol:

1. I choose r ∈ [0, 22n − 1] randomly and compute α = gr mod N.

2. You choose a random challenge c ∈ [0, 2n − 1] and hand it to me.

3. I reply by d = xc + r (computed over the integers without any modular reduction).

4. You accept if ycα = gd mod N.

In class we considered a similar protocol executed over a group of prime order and argued that this is a so called proof of knowledge.

4a (3T) Describe what goes wrong if we use the same analysis for the above protocol?

4b (1T) Can you still say something useful about this protocol? Points for interesting ideas!

5 Let p = kq + 1, where p is a 3248-bit prime, q is a 256-bit prime, and k factors into distinct ∗ primes of bitsize at most 32. Suppose that Gq is the unique subgroup of Zp of size q generated x by g. You are given an El Gamal public key y = g mod p, where x ∈ Zq is randomly chosen. ∗ ∗ Then you can ask me to decrypt any El Gamal ciphertext (u, v) ∈ Zp × Zp, i.e., I will return u−xv mod p to you.

5a (3T) Describe an attack such that you can recover my secret key x.

5b (1T) Can you help me avoid your attack?

6 The Strong RSA assumption states that if N = pq, where p and q are randomly chosen primes ∗ with the same number of bits and g is randomly chosen in ZN , then for every polynomial time algorithm A, Pr [A(N, g) = (e, β) ∧ βe = g mod N ∧ e > 1] is negligible. In class we considered the RSA signature scheme, i.e., RSA with full domain hash. In this problem we develop a different scheme based on the strong RSA assumption. Our construction is similar to some efficient provably secure signature schemes, but we only consider a simplified scheme and analyze its security in the random oracle model. The private key of our scheme consists of two random n/2-bit safe1 primes p and q. The public key consists of the modulus N = pq and a random element g from the subgroup QRN of ∗ n/3 quadratic residues in ZN . Suppose that H : {0, 1} → P ∩ {0, 1} is a random oracle, where P denotes the set of odd primes. A signature s of a message m is computed as s = g1/H(m) mod N, −1 1 where 1/H(m) should be understood as H(m) mod 2 (p − 1)(q − 1). To verify a signature s, one simply checks that sH(m) mod N = g.

6a (1T) For a standard RSA modulus we do not require that p and q are safe. Prove that this does not change the hardness of factoring N in any essential way. Hint: Use the prime number theorem to estimate heuristically the probability that a randomly chosen prime is safe by chance.

1A prime p is safe if (p − 1)/2 is prime as well.

Page 2 (of 4)

Foundations of cryptography • Spring 2018 Douglas Wikström 6b (1T) Prove that if the strong RSA assumption holds, then the standard RSA assumption holds. (The opposite direction is unknown.)

6c (1T) Prove that the signature scheme is correct, i.e., that (g1/H(m) mod N)H(m) mod N = g for every message m.

n/3 0 6d (1T) Let p1, . . . , pk ∈ P ∩ {0, 1} be primes and let g ∈ QRN be randomly chosen. Prove Qk 0 pi that if we define g = (g ) i=1 mod N, then g is randomly distributed in QRN . Thus, given a random element g0 we can construct another random element g of which we can take any pith root modulo N.

6e (1T) Suppose that there exists a polynomial time algorithm A such that for random keys (pk, sk) = ((N, g), (p, q)) and random H,

Signsk(·),H(·) Pr[A (pk) = (m, s) ∧ Verifypk(m, s) = 1 ∧ ∀i : mi 6= m] ≥ δ ,

where mi is the ith query to the signature oracle Signsk(·) and δ is non-negligible, i.e., A breaks the signature scheme. (In the literature the random oracle is often implicit. Here we make it explicit.) Prove that without loss of generality we may assume that A never asks the same query twice and that it always evaluates the random oracle H on the message m of its output.

6f (1T) Use the above to prove that given a random RSA modulus N and a random element 0 g ∈ QRN you can generate a public key pk = (N, g) such that you can simulate (without the secret key sk) a signature oracle Sign0(·) and a random oracle H(·) such that

Sign0(·),H(·) Pr[A (pk) = (m, s) ∧ Verifypk(m, s) = 1 ∧ ∀i : mi 6= m] ≥ δ −  ,

0 where mi is the ith query to the “signature oracle” Sign (·) and  is exponentially small.

6g (1T) Prove that if A has polynomial running time T (n) and j is randomly chosen in {1, 2,...,T (n)}, then

Sign0(·),H(·) 0 Pr[A (pk) = (m, s) ∧ Verifypk(m, s) = 1 ∧ ∀i : mi 6= m ∧ m = mj] ≥ δ/T (n) − 0

0 where mi is the ith query to the signature oracle and mj is the ith query to the random oracle, and 0 is exponentially small.

Q 0 0 pi 6h (2T) Let N be an RSA modulus, let g ∈ QRN , and define g = (g ) i6=j mod N. Prove that if (m, s) satisfies Verifypk(m, s) = 1 and H(m) = pj, then we can find integers a and Q ρ 0 b such that apj + b i6=j pi = 1 and construct (β, ρ) such that β mod N = g and ρ > 2.

Page 3 (of 4)

Foundations of cryptography • Spring 2018 Douglas Wikström 6i (2T) Use the above observations to describe an algorithm A0 that runs A as a subroutine and breaks the strong RSA assumption, i.e., A0 takes an RSA modulus N and a random 0 ρ 0 element g ∈ QRN as input and must use A to output (β, ρ) such that β mod N = g and ρ > 2.

6j (2T) Suppose that we only wish to sign a polynomial h(n) number of distinct messages known in advance (we can think of the messages as the integers 1, . . . , h(n)). Can you modify the signature scheme for this setting and prove its security without the random oracle?

7 Read about Lamport’s one-time signatures.

7a (2T) Define the key generation, signature, and verification algorithms.

7b (2T) How many signatures of randomly chosen messages computed using the same secret key do you need to recover it? Describe your attack and prove that it works with large probability.

8 (10I) Implement the arithmetic of an elliptic curve. A detailed description is found on Kattis. https://kth.kattis.com/problems/kth.krypto.ellipticcurvearithm. Make sure that your code is commented and well structured. Up to 10I points may be subtracted if this is not the case. Keep in mind that you must be able to explain your solution during the oral exam.

9 (4T) You are given a pseudo-random function Fn = {fn,γ}γ∈Γn , where n ∈ N is the security parameter and Γn is a set of possible keys for the security parameter n. Suppose that fn,γ : n log n {0, 1} → {0, 1} for every γ ∈ Γn. Can you use this to construct a pseudorandom function 0 0 0 n n 0 Fn = {fn,γ}γ∈Γn such that fn,γ : {0, 1} → {0, 1} ? Prove that it works in that case, or explain informally why you think it is not possible if you think it is not possible.

10 Consider SHA-256 to be a random oracle in a practical application.

10a (1T) Construct an (almost) random oracle {0, 1}∗ → {0, 1}3000 based on SHA-256.

10b (2T) What is the collision resistance of your function?

10c (1T) Explain how to solve this problem using SHA-3/Keccak.

Page 4 (of 4)

Foundations of cryptography • Spring 2018 Douglas Wikström