CMPT 404 — Cryptography and Protocols Outline Solutions to Exercises on Pseudorandom Generators, Functions and Permutations. 1. (a)p Which of the following functions are superpolynomial: - 2 n; - n3 log n; - n log n? (b) Prove that for every superpolynomial function T the function 1 1 (T (n 3 )) 5 n4 is also superpolynomial. p (a) 2 n and n3 log n are superpolynomial; n log n is not. (b) If 2 1 (T (n 3 )) 5 < p(n) n4 for some polynomial p(n), then 1 20 5 T (n 3 ) < n p (n); and T (m) < m60p5(m3); 1 60 5 3 where m = n 3 . However, m p (m ) is a polynomial in m. 2. (optional) This exercise will unable to test your favorite pseudorandom generator. The test is based on a well known property of random integers: Given two randomly chosen integers m and n, the probability 6 they are relatively prime (their greatest common divisor is 1) is π2 . Use this property in a program to determine statistically the value of π. The program should call the random number generator from the system library to generate the random integers. It should loop through a large number of random numbers to estimate the probability that two numbers are relatively prime. From this find an approximate value of π. Report the type/name of the random number generator(s), the number of pairs of numbers in your sam- ple, and the approximate value of π. For python’s random.randrange with range 50000000 and 10000000 trials the value of π is 3.1401. 3. Suppose you have a true random bit generator where each bit in the generated stream has the same probability of being a 0 or 1 as any other bit in the stream and that the bits are not correlated; that is the bits are generated from identical independent distribution. However, the bit stream is biased. The probability of a 1 is 1=2 + δ, and the probability of a 0 is 1=2 − δ, where 0 < δ < 1=2. A simple deskewing algorithm is as follows: Examine the bit stream as a sequence of non-overlapping pairs. Discard all 00 and 11 pairs. Replace each 01 pair with 0 and each 10 pair with 1. (a) What is the probability of occurrence of each pair in the original sequence? (b) What is the probability of occurrence of 0 and 1 in the modified sequence? (c) What is the expected number of input bits to produce k output bits? (d) Suppose that the algorithm uses overlapping successive bit pairs instead of non-overlapping succes- sive bit pairs. That is, the first output bit is based on input bits 1 and 2, the second output bit is based on input bits 2 and 3, and so on. What can you say about the output bit stream? Is it independent? 1 (a) Since every bit is chosen independently, the first bit is 1 with probability 1=2 + δ, and is 0 with probability 1=2 − δ. The same is true for the second bit of a pair, and it is independent of the first bit. Thus, 00 occur with probability (1=2 − δ)(1=2 − δ); 01 occurs with probability (1=2 − δ)(1=2 + δ); 10 occurs with probability (1=2 + δ)(1=2 − δ); and 11 occurs with probability (1=2 + δ)(1=2 + δ). (b) Since the probabilities of 01 and 10 in the original stream are equal, 0 and 1 also occur with the same probability, that is, 1=2. (c) We consider the original stream as a sequence of pairs. The pairs are clearly independent, so to find the expected number of bits in the output we need to find the probability that 01 or 10 occurs. This probability equals 2(1=2 + δ)(1=2 − δ) = 1=2 − 2δ2. Thus, if the original stream contains n bits (assume it is even), then n 2 the expected number of output bits 2 (1=2 − 2δ ). If we want to obain k output bits, the expected number of 2k original bits is 1=2−2δ2 . (d) The output stream is not independent. Indeed, if some output bit is 0, that is, the original stream contains pair 01, then the next pair starts with 1. If it is 10 then the next output bit is 1. If the original stream contains several consequent 1s, then some pairs are 11 and therefore skipped. But then, the first pair that is not skipped must be 10. In a similar way, after each 1 in the output stream we must have a 0. Thus the output stream looks like 01010101... 4. Suppose we use a full length RC4 seed (256 bytes) in the Key Scheduling Algorithm. What such a RC4 key value leaves S unchanged during the KSA? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 to 255 in ascending order. The initialization phase of RC4 (that is, the KSA) works as follows: It starts with the identity permutation of bits, S[i] = i, and the key K, T [i] = K[i (mod keylength)]. Since in our case keylength = 256, we may assume T = K. Then starting from i = j = 0 it performs 256 rounds of the form j = (j + S[i] + T [i]) (mod 256) and Swap(S[i];S[j]). Therefore, if we can choose T in such a way that j = i in every iteration, the resulting S will still be the identity permutation. Clearly, in the first iteration, i = 0, the value T [0] = 0 will do. Suppose, we are successful up to iteration i − 1, that is, after considering rounds 0; 1; : : : ; i − 1 the permutation S remains the identical permutation, and the current value of j is i − 1. Then in round i the value of j is set to be j = j + S[i] + T [i] (mod 256) = i − 1 + i + T [i] (mod 256). We want it to be i, and so we need to solve the equation i = i − 1 + i + T [i] (mod 256) T [i] = 1 − i (mod 256) 5. The RSA SecurID card is a credit-card sized device that displays 6 digits that change every minute. The idea is that when you log into your account remotely (say when you want to log into your UNIX account in SFU from an Internet Cafe) then you have to type the numbers that appear in the card in addition to your PIN or password. (a) What is the security advantage of such a card over traditional password? That is, what sort of attack can this card resist which cannot be resisted using a standard password mechanism. (Assume that it’s possible for users to remember a 6-digits PIN or a password with similar security.) (b) Describe how you would implement such a scheme using pseudorandom functions. Assume that the PRF family takes a seed of size n, and that the number of possible devices is m (for m < 2n). How many bits of storage does your implementation use at the server and each of the devices? (there is an implementation that uses at most O(n) bits). (a) This device can be used in 2 modes. First, if a block cipher is used then the device provides a pseudorandom string that can be added to a password. Second, if a stream cipher is used, the device provides an extra password that changes all the time (don’t forget to replace batteries). In either case it improves the security of protocols, in which the key is not changed frequently. A possible attack in such a protocol is to intercept the encrypted 2 password, and later use it to get access to the server. If the password effectively changes every minute this type of attack is less likely. 6 (b) Let ffsg be a PRF and s a key assigned to each individual device. Then the device outputs fs(m) (mod 10 ) where m is the number of minutes passed since a certain moment modulo 2n. Then both, a device and the server, must store only the current time m, and a secret key s. Moreover, for the device the key can be replaced with an implementation of the function fs rather than the family ffsg. n n 0 0 2n 6. Let ffsg, fs : f0; 1g ! f0; 1g be a secure PRP. Consider the family of permutations ffsg, fs : f0; 1g ! f0; 1g2n defined as follows: for any x; x0 2 f0; 1gn 0 0 0 fs(xx ) = fs(x)fs(x ⊕ x ) 0 0 0 (xx denotes the concatenation of x and x ). Show that ffsg is not a secure PRP. 0 n It suffices to observe that fs on strings of the form x0 (that is the last n bits equal to 0) outputs fs(x)fs(x). 1 0 The probability that a random function outputs such a repeated string is 2n , and therefore fs can easily be distinguished from the random function. n 7. Let ffsg be a pseudorandom permutation collection, where for s 2 f0; 1g , fs is a permutation over f0; 1gm. Consider the following scheme (E; D) that encrypts m=2-bit messages in the following way: on m=2 m=2 input x 2 f0; 1g , Ek chooses r at random from f0; 1g and outputs fk(x; r) (where comma denotes m=2 −1 concatenation), on input y 2 f0; 1g , Dk computes (x; r) = fk (y) and outputs x.