CMPT 404 — Cryptography and Protocols
Outline Solutions to Exercises on Public Key Cryptography.
1. Prove the following: if there exists a collision resistant hash function collection mapping n + 1 bit strings
into n bits strings, then there exists a collection mapping arbitrary length bit strings into n bit strings.
One possible way to do that is the following. Let f : {0, 1}n+1 → {0, 1}n be the given hash function. Then a
hash function g is defined on a string s = s1 . . . sm inductively: If |s| = n + 1 then g(s) = f (s); if |s| > n + 1
then g(s) = f (g(s1 . . . sm−1 )sm ).
Let us prove it is collision resistant. Suppose that an adversary Adv found a collision, that is strings s and t
such that g(s) = g(t). Let s, t be of length m and `, respectively. Let us denote s0 = t0 = g(s) = g(t),
i−1
i−1
i−1
and for each i strings si , ti be such that si−1 = f (si−1
. . . si−1
= f (ti−1
. . . ti−1
1
n+1 )sn+2 . . . and t
1
n+1 )tn+2 . . ..
j
j
j
j
Let also j be the smallest number such that s1 . . . sn+1 6= t1 . . . tn+1 . Such a number exists, as s 6= t. Then
f (sj1 . . . sjn+1 ) = f (tj1 . . . tjn+1 ), a collision for the hash function f . Thus if Adv is able to find a collision for g
she is able to find a collision for f in almost the same time.
2. Consider the following key exchange protocol:
- Alice chooses k, r ∈ {0, 1}n at random, and sends s = k ⊕ r to Bob.
- Bob chooses t ∈ {0, 1}n at random and sends u = s ⊕ t to Alice.
- Alice computes w = u ⊕ r and sends w to Bob.
- Alice takes k as a key, and Bob takes w ⊕ t as a key.
Show that Alice and Bob output the same key. Analyze the security of the scheme (i.e. either prove its
security or show a concrete attack).
We need to verify that w ⊕ t = k. This follows from an easy computation:
w ⊕ t = u ⊕ r ⊕ t = s ⊕ t ⊕ r ⊕ t = k ⊕ r ⊕ t ⊕ r ⊕ t = k.
The protocol is insecure. Indeed, an attacker can intercept s, u, w. Note, however, that w ⊕ u = r and s ⊕ r = k.
Therefore the attacker can easily recover the key.
3. Suppose we have a set of blocks encrypted with the RSA scheme and we do not have the private key.
Assume n = pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks
has a common factor with n. Does this help us to break the scheme?
It does. Suppose, m is the plaintext block such that gcd(m, n) > 1, say, m = p · `. Then the corresponding
ciphertext is c ≡ me = (p · `)e = pe · `e (mod n) also has a common factor with n. The ciphertext c is known
to the attacker, and therefore she can find p = gcd(c, n).
4. Fix n, and assume there exists an adversary Eve running in time T for which
Pr[Eve(xe ) = x] = 0.01,
where the probability is taken over random choice of x ∈ Z∗n . Show that it is possible to construct an
adversary Eve0 for which
Pr[Eve0 (xe ) = x] = 0.99.
The running time T 0 of the new adversary should be polynomial in T and the size of n.
Since x and n are relatively prime, for any a ∈ Z∗n there is exactly one r ∈ Z∗n such that a ≡ rx (mod n).
Therefore for random r the distribution of rx is uniform. Observe also that we can always verify if the algorithm
returned a correct answer: If Eve(xe ) = y, then y = x if and only if y e = xe . We construct Eve0 as follows:
1
for i from 1 to k do
choose a random ri ∈ Z∗n relatively prime with n
find y = Eve(xe rie )
if y e = xe rie then output(y/ri )
endfor
First of all, observe that if Eve0 outputs a value, it is x. Moreover, Eve0 outputs x if any of the k runs of Eve is
successful. Compute the probability that none of these k trials is successful:
Pr[Eve0 (xe ) is unsuccessful] =
k
Y
Pr[Eve(xe rie ) is unsuccessful] ≤ 0.99k .
i=1
Choosing k sufficiently large (but constant!) we can achieve probability of success 0.99.
5. An attractive way to perform a bidding is the following: the seller publishes a public key e. Each buyer
sends through the net the encryption Ee (x) of its bid, and then the seller will decrypt all of these and
award the product to the highest bidder.
One aspect of security we need from E(·) is that given an encryption Ee (x), it will be hard for someone
not knowing x to come up with Ee (1.01 · x) (otherwise bidder B could always take the bid of bidder A
and make into a bid that is one per cent higher). You’ll show that this property is also related to CCA
security:
(a) Show a CPA-secure public key encryption such that there is an algorithm that given e and a ciphertext y = Ee (x), converts y into a ciphertext y 0 that decrypts to
i. 1.01 · x,
ii. (optional) x + 1.
(b) Show that if E is CCA secure then there is no such algorithm.
(a.i) Suppose RSA is being used. Then given a ciphertext C of a plaintext x, change it to (1.01)e C. This
decrypts to 1.01x.
(a.ii) Obtaining x + 1 requires a little bit more work. Consider the following encryption scheme:
Key generation: n, e, d are chosen as in RSA, n, e is the public key, and e is the private key.
Encryption E(x):
for a message x ∈ Z√n , choose a random r1 , r2 ∈ Z√n and compute R = (r1 + 2n/2 r2 )e and C = r1 + x
(mod n). Output (R, C). (One has to be careful choosing r1 , r2 so that r1 + 2n/2 r2 ∈ Zn .)
Decryption D(R, C):
compute r1 + 2n/2 r2 = Rd . Output C − r1 (mod n).
Observe that if (R, C) encrypts x then (R, C + 1) encrypts x + 1.
It only remains to show that this scheme as secure as RSA.
(b) If such an algorithm exists then we can break the CCA-secure scheme. A very sketchy description of the
attack is: Make a challenge P1 , P2 , receive an encryption C of one of the plaintexts. Suppose it is an encryption
of P ∈ {P1 , P2 }. Convert C into C 0 such that it decrypts to 1.01P . Ask the receiver to decrypt C 0 , and divide
the result by 1.01.
6. Let p ≥ 3 be a prime number, and let g be a primitive root modulo p. (These are public keys, known to
all parties including the adversary.) Assume the discrete logarithm problem is hard. Consider the digital
signature scheme DS = (K; Sign; Ver):
2
Key generation K: Choose x, y ∈ Zp uniformly at random, and set X = g x , Y = g y .
X, Y is a public key, x, y private.
Signing Sign(M ):
z := y + xM (mod p),
return z.
Verification Ver(M ; z):
if M 6∈ Zp then return 0
if g z ≡ Y X M (mod p) then return 1
else return 0
(a) Show that Ver(M ; z) = 1 for any key-pair ((X; Y ); (x; y)) that might be output by K, any message
M ∈ Zp , and any z that might be output by Sign(M ).
(b) Show that this scheme is insecure with regard to Chosen Message attacks by presenting a practical
adversary Eve. You should specify the adversary, state the number of oracle queries it makes, and
justify the correctness of the adversary.
(a) It suffices to check that if z is obtained in the legitimate way, then g z ≡ Y X M mod p.
g z = g y+xM = g y g xM ≡ Y X M
(mod p).
(b) The adversary asks to sign 2 messages, 5 and −5. This way she obtains z1 = y + 5x and z−1 = y − 5x, and
then can find the private keys x, y.
7. Let f be a one-way permutation. Consider the following signature scheme for messages in the set {1, . . . , n}:
- To generate keys, choose random x ∈ {0, 1}n and set y = f n (x) (that is, f applied n times). The public
key is y and the private key is x.
- To sign message i ∈ {1, . . . , n}, output f n−i (x) (where f 0 (x) = x by definition).
- To verify signature σ on message i with respect to public key y, check whether y = f i (σ).
(a) Show that the above is not a secure (even one-time) signature scheme. Given a signature on a message
i, for what messages j can an adversary output a forgery?
(b) Prove that no polytime adversary, given a signature on i can output a forgery on any message j > i
except with negligible probability.
(c) Suggest how to modify the scheme so as to obtain a one-time secure signature scheme.
(a) Suppose the adversary knows the signature for i, that is, z = f n−i (x). Then she can forge a signature for
any j < i by outputting f i−j (z) = f i−j (f n−i (x)) = f i−j+n−i (x) = f n−j (x).
(b) Suppose there is an adversary Eve that, given z = f n−i (x) can forge a signature for j > i. First, observe
that, since f is a permutation, there is only one value t such that f j (t) = y, and t = f n−j (x). Therefore, Eve is
able to forge f n−j (x). Next, if Eve produces t = f n−j (x) the she can also produce f n−i−1 (x) = f j−i−1 (t).
However, f n−i−1 (x) is the preimage of z with respect to f , a contradiction, as f is a one-way permutation.
(c) One way to make the scheme a secure one-time signature scheme is to introduce two signatures in such a
way that one of them prevents forging smaller messages (like the one above), and the other one prevents forging
greater messages.
- To generate keys, choose random x1 , x2 ∈ {0, 1}n and set y1 = f n (x1 ), y2 = f n (x2 ) (that is, f applied n
times). The public key is y1 , y2 and the private key is x1 , x2 .
- To sign message i ∈ {1, . . . , n}, output f n−i (x1 ) and f i (x2 ) (where f 0 (x) = x by definition).
- To verify signature σ1 , σ2 on message i with respect to public key y1 , y2 , check whether y1 = f i (σ1 ) and
y2 = f n−i (σ2 ).
3