YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

	CPSC 467a: Cryptography and Computer Security	Handout #13
Xueyuan Su		November 4, 2008

Solution to Midterm Examination

Instructions:

This is a closed book examination. Answer any 5 of the following 6 questions. Write the numbers of the five questions that you want graded on the cover of your bluebook. All questions count equally. You have 75 minutes. Remember to write your name on your bluebook and to justify your answers. Good Luck!

___________________________________________________________________________________

Problem 1: Symmetric Cryptosystems and Information Security

Consider the encryption function for a symmetric cryptosystem described by the table below, where = = = {0,1,2,3}:

| m ---|0--1--2--3- 0 |3 0 2 1 k 1 |1 3 0 2 2 |2 1 0 3 3 |0 2 3 1 |

Give the corresponding decryption function.
What does it mean for a cryptosystem to be information-theoretically secure?
Is this cryptosystem information-theoretically secure? Why or why not?

Solution:

From the original encryption function, we can easily derive the decryption function as: $| c ---|0--1--2--3- 0 |1 3 2 0 k 1 |2 0 3 1 2 |2 1 0 3 3 |0 3 1 2 |$
For the cryptosystem to have perfect secrecy (be information-theoretically secure), it means that the random variables c and m are statistically independent, that is,
$prob[m = m0 ∧c = c0] = prob[m = m0 ]× prob[c = c0]$ (1)

for all m₀ and c₀ . An equivalent definition in terms of conditional probability is
$prob[m = m | c = c ] = prob[m = m ] 0 0 0$ (2)

for all m₀ and c₀ such that prob[c = c₀]≠0. Hence, even after Eve receives the ciphertext c₀, her opinion of the likelihood of each message m₀ is the same as it was initially, so she has learned nothing about m₀.
No, this cryptosystem is not information-theoretically secure. A simple observation is that prob[m = 3] = 1∕4, but prob[m = 3∣c = 0] = 0. Similarly, prob[m = 2] = 1∕4, but prob[m = 2∣c = 1] = 0. Therefore, after receiving c = 0 or c = 1, we have learned partial information about m.

Problem 2: Attacks

We have discussed a number of different possible attacks on a cryptosystem by a passive eavesdropper Eve, depending on what information is available to her.

Describe the following three kinds of attack on a cryptosystem: ciphertext only, known plaintext, chosen plaintext. For each, give a scenario in which such an attack might be plausible for Eve to carry out.
Consider the following simple cryptosystem: A message m = m₁m₂…m_t is a t-bit string. A key is a single bit k {0,1}. The encryption function is E_k(m) = c, where c = c₁c₂…c_t and c_i = m_i ⊕ b, for i = 1,…,t. Discuss the security of this system under each of the three kinds of attacks (from part (a) above). Where the system is insecure, describe carefully the sense in which it insecure. Be sure to say also how the security is affected by the choice of t.

Solution:

Ciphertext-only
Eve knows only c and tries to recover m. Eve is able to perform such attack if she has access to the communication channel between Alice and Bob, for example, if she controls the gateway through which Alice accesses the Internet.
Known plaintext
Eve knows a sequence of plaintext-ciphertext pairs (m₁,c₁), …, (m_r,c_r). Now she obtains a new ciphertext c ⁄ {c₁,…,c_r} and wants to recover the corresponding message m. Eve is able to perform such an attack if the previous plaintext-ciphertext pairs are revealed by Alice or Bob. Eve might also get information about the previous plaintext-ciphertext pairs by looking into Alice’s swap files.
Chosen plaintext
This is like a known plaintext attack, except that before getting c, Eve gets to choose messages m₁, …, m_r and somehow get Alice (or Bob) to encrypt them for her and supply her with the corresponding ciphertexts c₁, …, c_r. Eve is able to perform such attack if Alice is a server that provides encryption service. Eve can also perform such an attack on an asymmetric cryptosystem such as RSA where she has access to the public encryption key.
Ciphertext-only
When t = 1, this cryptosystem is information-theoretically secure. When t > 1, Eve is able to get partial information about the plaintext. In particular, if the ciphertext is c = c₁…c_t, she knows that the plaintext is either c or (the complement of c).
Known plaintext
Whatever length the message is, one plaintext-ciphertext pair is sufficient to recover the key and break the cryptosystem.
Chosen plaintext
A chosen plaintext attack is stronger than a known plaintext attack, so again, whatever length the message is, one plaintext-ciphertext pair is sufficient to recover the key and break the cryptosystem.

Problem 3: DES

Recall that the heart of DES is a round of the form:

Consider a simplified DES-like cryptosystem consisting of n such rounds, where the function f is defined by f_K(X) = K ⊕ X. Here we assume that the key K is 32-bits long and that the same key is used at each round, that is, K_i = K for each round i.

This system is used to encrypt a 64-bit message M as follows: L₀ is the leftmost 32-bits of M and R₀ is the rightmost 32-bits of M. The ciphertext E_K(M) is L_n ⋅ R_n.

Describe how to decrypt messages encrypted with E_K.
Express L₁, R₁, L₂, R₂ in terms of L₀, R₀, and K.
Show why increasing the number of rounds n can actually decrease security.

Solution:

This is a simplified DES-like cryptosystem. Like DES, decryption can be done by starting with the left and right halves of the ciphertext, L_n and R_n respectively, and working backwards round by round to the plaintext message M = L₀ ⋅ R₀. In round i of encryption, the algorithm works as follows:
${ L = R i+1 i (3) Ri+1 = Li ⊕ Ri ⊕ K$
To decrypt, we solve (3) to express L_i and R_i in terms of L_i+1 and R_i+1. This yields
${ Li = Li+1 ⊕ Ri+1 ⊕ K (4) Ri = Li+1$
Applying (4) for i = n - 1,n - 2,…,0 yields the desired plaintext.
We remark that, also like DES, the encryption and decryption functions for each round are almost the same. Let E_K(L_i ⋅ R_i) = L_i+1 ⋅ R_i+1 be the encryption function defined by (3). Let D_K(L_i+1 ⋅R_i+1) = L_i ⋅R_i be the corresponding decryption function defined by (4). One can easily verify that
$Ri ⋅Li = EK (Ri+1 ⋅Li+1).$ (5)

Thus, if S(L⋅R) = R ⋅L is the function that swaps the left and right halves of its 64-bit argument, then it follows from (5) that
$S (Ek (S(Li+1 ⋅ Ri+1))) = Li ⋅Ri = DK (Li+1 ⋅Ri+1 ).$ (6)
${ L1 = R0 R1 = L0 ⊕ R0 ⊕ K (7) { L2 = R1 = L0 ⊕ R0 ⊕ K R2 = L1 ⊕ R1 ⊕ K = R0 ⊕ L0 ⊕ R0 ⊕ K ⊕ K = L0 (8)$
If we continue the encryption to the third round, we will find that
${ L3 = R2 = L0 (9) R3 = L2 ⊕ R2 ⊕ K = L0 ⊕ R0 ⊕ K ⊕ L0 ⊕ K = R0$
Therefore, increasing the number of rounds from 2 to 3 results in the ciphertext being identical to the plaintext, so there is no security at all.

Problem 4: Chaining Modes

Let (E,D) be a block cipher and let m₁,m₂,…,m_t be a sequence of t plaintext blocks. Happy Hacker was not happy with the chaining modes he learned about in CPSC 467, so he invented his own. He defines a sequence of t + 2 ciphertext blocks c₀,c₁,c₂,…,c_t,c_t+1 which satisfies the equation

ci = Ek (ci-1 ⊕ mi ⊕ ci+1), for i = 1,...,t.

Describe how to reconstruct m₁,…,m_t given c₀,…,c_t+1.
Happy was having trouble figuring out how to compute the c_i’s because of the cirular dependencies. Please help him by showing how to compute c_i+1 from c_i-1, c_i, and m_i, where 1 ≤ i ≤ t. How should he choose c₀ and c₁?

Solution:

For i = 1, …, t, we have the condition
$ci = Ek (ci-1 ⊕ mi ⊕ ci+1)$ (10)

Applying decryption function to both sides of (10) gives
$Dk (ci) = Dk(Ek (ci-1 ⊕ mi ⊕ ci+1)) = c ⊕ m ⊕ c (11) i-1 i i+1$
Adding (using ⊕) the expression (⊕c_i-1 ⊕ c_i+1) to (11) and swapping the two sides gives
$mi = Dk (ci)⊕ ci-1 ⊕ ci+1$ (12)
Adding (using ⊕) (⊕c_i-1 ⊕ m_i) to (11) and swapping the two sides gives
$c = D (c )⊕ c ⊕ m , i+1 k i i-1 i$ (13)

where 1 ≤ i ≤ t. In order to get started, we set c₀ and c₁ to some fixed initialization vectors.

Problem 5: RSA

My toy RSA key is N = 187,e = 107. You observe a ciphertext c = 2. What is the plaintext? (Note: 187 = 11 * 17.)

Solution:

Given N = 187 = 11 × 17, it is easy to compute ϕ(N) = (11 - 1) × (17 - 1) = 160.

Next, given e = 107, which is relative prime to 160, we use extended Euclidean algorithm to compute d such that ed ≡ 1 (mod 107):

i	r_i	u_i	v_i	q_i

1	160	1	0
2	107	0	1	1
3	53	1	-1	2
4	1	-2	3

The result from the table is d = v₄ = 3.

Finally we apply the decryption function of RSA to get the plaintext

m = cd mod N = 23 mod 187 = 8

(14)

Problem 6: Euler’s Theorem

Define Euler’s totient function ϕ(n), and state Euler’s theorem.
Calculate 2^5⁴⁹ mod 29.
(Hint: This problem is easily solved by hand using Euler’s theorem to reduce the size of the exponents.)

Solution:

Let Z*_n = {a Z_n∣gcd(a,n) = 1}, then Euler’s totient function ϕ(n) is the cardinality of Z*_n. If we represent an integer n by its prime factors as follows
$∏ n = pei, i i$ (15)

then ϕ(n) can be calculated as
$∏ ϕ(n) = (pi - 1)peii-1, i$ (16)

Euler’s theorem says, for every x that is relative prime to n,
$xϕ(n) ≡ 1 (mod n)$ (17)
Given n = 29, it is easy to compute ϕ(29) = 29-1 = 28, and ϕ(ϕ(29)) = (2-1)×2^2-1 ×(7-1) = 12.
After verifying gcd(5,28) = 1, applying Euler’s theorem gives
$549 = (512)4 × 51 = (5ϕ(28))4 × 51 ≡ 51 (mod 28)$ (18)

Therefore after verifying gcd(2,29) = 1, we have
$2549 ≡ 251 (mod 29),$ (19)

which implies 2^5⁴⁹ mod 29 = 2^5¹ mod 29 = 3.