Cryptology Design Fundamentals Grundlagen des kryptographischen Systementwurfs Lecture ID: ET-IDA-28 Final Examination Open book examination v8 Prof. W. Adi Date : 06.04. 2011 Duration : 70 Minutes Maximum marks 70% Sample Solution Vorname ……………………………………….. Nachname ……………………………………….. Matrikel-Nr. ………………………………………..

Marks: ∑ Problem 1 Problem 2 Problem 3 Problem 4 Problem 5 Problem 6 ........... 2

Problem 1: RSA Solution 1: Assume having a setup of RSA cryptosystem with two peers Alice (A) and Bob (B) having the secret prime number pairs (11,23) and (19,7) respectively. 1. Choose the appropriate open keys EA and EB from the following lists. List (A ) = {121,46,23} and list (B) = {28,35,39} respectively. Compute the corresponding secret keys DA and DB respectively. Bob enciphers the message M = 5 which should be sent to Alice as the cryptogram CB. In a further step Bob signs M to generate the signature SB and sends it to Alice. Calculate CB and SB . Decipher the cryptogram CB on Alice´s side. Verify the signature SB on Alice’s side Alice signs the received message M and sends her signature SA back to Bob. Calculate the signature SA. Verify SA on Bob’s side How many public key pairs are selectable for Alice and how many for Bob. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? Solution 1:

NA = 23x11= 253 , φ (NA ) = (23-1)(11-1) = 220 = 11 x 2 x 2 x 5 1. Choose the appropriate secret keys EA and EB from the following lists. List (A ) = {121,46,23} and list (B) = {28,35,39} respectively. Compute the corresponding public keys DA and DB respectively. NA = 23x11= 253 , φ (NA ) = (23-1)(11-1) = 220 = 11 x 2 x 2 x 5 gcd [ EA, φ (NA ) ] = 1 => select 23 as gcd (220,23) = 1 EA = 23 DA = 67 mod 220 = 67 (see computation below) DA = 23 -1 mod 220 =67 n1 n2 b1 b2 q r 220 23 1 9 13 -9 10 1- -9x1 3 -19 67 DB = 35 -1 mod 108 = -37= 71 NB = 19 x 7 = 133 , φ (NB) = (19-1)(7-1) = 108 = 33 x22 gcd (EB, φ (NB ) ] =1 => select 35 as gcd (108,35) = 1 EB = 35 DB = -37 mod 108 = 71 (see computation below) n1 n2 b1 b2 q r 108 35 1 3 -3 11 2 34 -37 4

Decryption: 3. Decipher the cryptogram CB on Alice´s side. Bob enciphers the message M = 5 which should be sent to Alice as the cryptogram CB. In a further step Bob signs M to generate the signature SB and sends it to Alice. Calculate CB and SB . 3. Decipher the cryptogram CB on Alice´s side. Decryption: 4. Verify the signature SB on Alice’s side 5. Alice signs the received message M and sends her signature SA back to Bob. Calculate the signature SA. Verify SA on Bob’s side 6. How many public key pairs are selectable for Alice and how many for Bob. # of keys for user A = φ [φ (NA )] = φ (220 ) = φ (22.5.11 )= 220(1 -1/2 ) ( 1 – 1/5 ) ( 1 – 1/11 ) = 80 keys # of keys for user B = φ [φ (NB )] = φ (108 ) = φ (22 . 33 )= 108 (1 -1/2 ) (1 -1/3 ) = 36 keys

Compute the cipher‘s unicity distance nu. (10 Marks) P2: Secrecy theory: A block cipher has a key size of 128 bits is encrypting a clear text having the entropy of 60 bits and a block size of 128 bits. Compute the cipher‘s unicity distance nu. The unicity distance should be increased by a factor 3 by plain text padding. Compute the new resulting clear text length. If the clear text is compressed by 50%. Compute the new unicity distance of the cipher. After all the above cipher changes, an observer was able to watch 1000 cipher text bits. Would the observer with unlimited resources theoretically be able to break the cipher in that case ? Give reasoning for your answer.

Solution: K= 128 Bits, H(x)=60 Bits, N = 128 1. Unicity distance As r = [ N – H(x) ] / N => r = [ 128- 60] / 128 = 0,53 Unicity distance nu = K/r = 128/0,53 = 241,5 Bits 2. n‘u = nu ( L + N ) / N = 3 nu ( L + N ) / N = 3 => L = 2N = 2 x 128 = 256 Bits Information text size is still 128 Bits. New total clear text size size is = 3N = 384 Bits 3. After 50% compression N‘= 128/2 = 64 Bits As r‘ = [ N‘ – H(x) ] / ( L + N‘) = 64-60 / (256+64) = 0,0125 Nu“ = K/r‘ = 128/0,0125 = 10240 Bits 4. The observer can not theoretically break the cipher as the number of the observed cryptogram bits (1000 bits) is less than the unicity disctance (10240 bits) of the cipher.

(20 marks) P 3: DH over GF(27) A Diffie-Hellman (DH) public key exchange system uses GF(27) deploying the irreducible Polynomial P(x) = x7 + x3 + 1 as field modulus. Compute the exponents of the element δ=x = 000010 as xi mod P(x) for i= 1 to 15 and x30 in GF(27) Which elements multiplicative orders are possible in GF(27)? Compute the multiplicative order of the element x and give reasoning for your computations. Compute the multiplicative order of the element β= (1+x3) in GF(27). Hint β=(1+x3) = x7 Use the element α=(1+x3) as a public element and compute the DH public keys Ya and Yb for users A and B having the secret keys Xa=40 und Xb=60. Compute the polynomial and binary pattern for the users A and B shared key ZAB . What is the probability of picking up a primitive element in GF(27) if such element is randomly selected?. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Solution: Compute the exponents of the element δ=x = 000010 as xi mod P(x) for i= 1 to 15 and x30 in GF(27) P(x) = x7 + x3 + 1 = 0 => x7 = x3 + 1 x1 = x x2 = x2 x3 = x3 x4 = x4 x5 = x5 x6 = x6 x7 = x3 + 1 x8 = x4 + x x9 = x5 + x2 x10 = x6 + x3 x11 = x7 + x4 = x3 + 1 + x4 x12 = x5 + x4 + x1 x13 = x6 + x5 + x2 x14 = x7 + x6 + x3 = x6 + 1 x15 = x7 +x = x3 +x +1 X30 = x6 + x2 +1 2. Which elements multiplicative orders are possible in GF(27)? Compute the multiplicative order of the element x and give reasoning for your computations. Possible orders are the divisors of 27-1 = 127 divisors of 127 are: 1, 127 3. Compute the multiplicative order of the element β= (1+x3) in GF(27). Hint β=(1+x3) = x7 β= (1 + x3 ) as x3 + 1 = x7 => β= x7 ord (β) = ord (x7) = ord x / gcd (ord x , 7 ) = 127 / gcd (127,7) = 127 / 1 = 127 => ord (β) = 127

Public directory GF(27) Zab = x6 +x5 = = 1100000 4. Use the element α=(1+x3) as a public element and compute the DH public keys Ya and Yb for users A and B having the secret keys Xa=40 und Xb=60. User A: Xa= 40 , Ya = α40 =( x7) 40 =x 280 mod 127= x 26 = (x13)2 =(x6 + x5 + x2 )2 = x12 + x10 + x4 = x5 + x4 + x + x6 + x3 + x4 Ya = x6 + x5 + x3+ x = 1101010 User B: Xb= 60 , Yb = α60 =( x7) 60 = x 420 mod 127= x39 = (x30) x9 =(x6 + x2 + 1) x9 = (x6 + x2 + 1) (x5 + x2 ) = x11 + x7 + x5 +x8 + x4 + x2 Yb= x4 + x5 + x2 +x = 0110110 Public directory GF(27) α=(1+x3), P(x) = x7 + x3 + 1 Ya = = x6 + x5 + x3+ x = 1101010 Yb = x4 + x5 + x2 +x = = 0110110 5. Compute the polynomial and binary pattern for the users A and B shared key ZAB . Common secret key for users A and B Zab = ( (x7 )40) 60 = x 16800 mod 127 = x 36 = x30 x6 =(x6 + x2 + 1) x6 = x12 + x8 + x6 = x5 + x4 + x+ x4 + x + x6 Zab = x6 +x5 = = 1100000 6. What is the probability of picking up a primitive element in GF(27) if such element is randomly selected?. Number of primitive elements is φ (27-1 )= φ (127 )= (127-1) = 126 probability of picking up a primitive element = 126/127 = 99.2 % 10

Possible orders are the divisors of 28 -1 = 255 = 5. 3.17 Compute the multiplicative inverse of x5+x+ 1 modulo P(x) = x8 + x4 + x3 + x+ 1 . P(x) is an irreducible polynomial. Compute the possible multiplicative orders for elements in GF(28). (6 P) Solution: B2 = B1 – q B2 1. Extended gcd Algorithm: P1(x) P2(x) B1(x) B2(x) Q(x) R(x) x8 + x4 + x3 + x+ 1 x5+x+ 1 1 x3 x+ 1 x5+x+ 1 x+ 1 -x3 x4 + x3+ x2 + x 1 1 x+ 1 1 -x3 x7 + x6+ x5 + x4 + 1 x + 1 Possible orders are the divisors of 28 -1 = 255 = 5. 3.17 => Possible orders are : 1, 3, 5, 15, 17, 51, 85, 255

Prove that N is prime according to Pocklington’s Theorem. P5: El-Gamal crypto system is set up using the prime number N = 4·13 + 1 = 53 generated by applying Pocklington’s Theorem, where q=13 is prime. Prove that N is prime according to Pocklington’s Theorem. Compute a primitive element α for the public directory. Furthermore compute the probability that a randomly selected element is primitive. User A having the secret key Xa= 7 receives a cryptogram Ca as an encrypted message M=22 using the random number K=4. Compute the public key Ya and Ca . Decrypt the cryptogram Ca on the receiver side showing all necessary computation therefore. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Solution: 1. Prove that N is prime according to Pocklington’s Theorem. N = R . F + 1 = 4 . 13 + 1 = 53, F = 13 and R =4. Is 53 a prime? Proof: 1. gcd ( a (N-1)/ pj –1 , N ) = gcd ( 252/13 –1 , 53 ) = gcd ( 15 , 53 ) = 1 is true 2. a N-1 = 1 ( mod N )  252= 1 (mod 53) is true 3. F > 53 => 13 > 7,2 is true As all conditions 1, 2 and 3 are all true  53 is prime 2. Compute a primitive element α for the public directory. Furthermore compute the probability that a randomly selected element is primitive. Possible multiplicative orders are the divisors of of φ (53) = 52 that is => 1, 2, 4, 13, 26, 52 Checking if the element 2 is a primitive one: 2 1 ≠ 1 , 2 2 ≠ 1 , 24 = 16≠ 1, 213 =30 ≠1, 226 =-1 ≠1 Ord (2) = 52  2 is a primitive element # of all non-zero elements : 53 – 1 = 52 # of primitive elements: φ ( 52 ) = φ ( 22 . 13 ) = 22 . 13 (1-1/2) (1 -1/13) =24 P( element=primitive ) = ( 24 / 52 ) . 100 = 46,15%

Encryption: Decryption: 3. User A having the secret key Xa= 7 receives a cryptogram Ca as an encrypted message M=22 using the random number K=4. Compute the public key Ya and Ca . Encryption: Public directory User A. XA = 7 YA =  Xa = 2 7 =22 User B. M = 22 K = 4 α = 2 , GF(53) YA = 2 7 = 22 R = K = 24 = 16 C = M . YAK = 22 . (27) 4 = 22 . 2 28 =18 Ca{ Decryption: mod 52 Z-1 = (  K )-XA = R -XA = ( 2 4 ) -7 = 2 -28 = 2 24 M = C . R -XA = 22 . 2 28 . 2 24 = 22 . 252 mod 52 = 22 (mod 53)

(15 P) P6: Omura proof-of-identity protocol uses GF(25) arithmetic is set up using the irreducible polynomial 1 + x2 + x5: How many primitive elements do exist in GF(25)? Compute the probability that a randomly selected element is primitive in GF(25). Compute the order of the element α = (1 + x2) and use it as an open reference element for Omura proof-of-identity protocol system. compute the public keys ya and yb for users A and B for xa =7 and xb = 9. 3. Generate a “Challenge” to identify user A by using the random integer K=8 to prove the identity of user A. Compute the challenge R and the response of user A (possibly in binary form) and show all computations required to verify his/her identity. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Primitive element have order 25 -1 = 31. Solution: How many primitive elements do exist in GF(25)? Compute the probability that a randomly selected element is primitive in GF(25). Primitive element have order 25 -1 = 31. Number of primitive elements is  ( 31 ) = (31-1) = 30 P( element=primitive ) = ( 30/31 ) . 100 = 96,77 % 2. Compute the order of the element α = (1 + x2) and use it as an open reference element for Omura proof-of-identity protocol system. compute the public keys ya and yb for users A and B for xa =7 and xb = 9. Possible orders are the divisors of of 31, that is : 1 or 31 Checking the order of the element α = (1 + x2) α1 = (1 + x2) ≠ 1 => ord(α) = 31

Omura Proof-of-Identity Protocol 3. Generate a “Challenge” to identify user A by using the random integer K=8 to prove the identity of user A. Compute the challenge R and the response of user A (possibly in binary form) and show all computations required to verify his/her identity. α = (1 + x2) = x5 x5 = (1 + x2) x6 = (x + x3) x7 = (x2 + x4) x8 = (x3 + x5) = x3 + 1 + x2 x9 = x4 + x3 + x = 11010 Omura Proof-of-Identity Protocol public directory =x is a primitive element in GF(25) P(x) = 1 + x2 + x5 Xa = ya Xa = 7 ya =  Xa = (x5)7 =x35 mod 31 =x4 Verifier Prover A Randomly choose k=8 compute R = k = = (x5)8 =x40 mod 31 =x9 xa Who are you?, R= x9 = x4 + x3 + x = 11010 R I am user A, R Xa = x =00010 Check x = yak = x 4. 8 x = x32=x => User is authentic R Xa R Xa =  k. Xa =(x9)7 =x63 mod 31 =x = 00010