
Technion – Israel Institute of Technology
Computer Science Department
Examination in Modern Cryptology - 236506
Winter Semester, 2010-2011
13.2.2011, Moed A
Lecturer in charge: Eli Biham
Lecturer: Yaniv Carmeli
Teaching Assistant: Yohay Kaplan
Exam duration: Three hours.
The exam contains 4 questions. Answer all of them.
A single formula sheet of size A4 is allowed. Any other study material is forbidden during
the exam. In particular, cell-phones are not allowed. Submit your formula sheet with the
exam.
Devote the first 10 minutes for reading and understanding all the questions.
Make your answers as short and as clear as possible. Explain all your answers.
Allocate in advance two pages in your notebook for each question, according to the
order of the questions.
Write in an orderly and clean manner, with clear handwriting. Unclear answers will
not be checked.
Good Luck!
Exam in Modern Cryptology, 13.2.2011
©All rights reserved.
Question 1 (30 points)
This question deals with zero-knowledge protocols, and with the Fiat-Shamir identification
scheme.
a. Define the notion of interactive proof system.
b. Define the notion of Zero-Knowledge proofs. How do we prove that a proof system
for a language L is zero knowledge? Elaborate on the motivation behind it.
c. What is a perfect zero knowledge protocol? What is a computational zero knowledge
protocol?
In class we saw the Fiat Shamir protocol. Reminder:
Preparation:
1. The prover chooses 2 large primes p,q and computes n=pq.
2. The prover chooses a secret key $S \in Z_n^*$, and publishes $I = S^2 \bmod n$ as the public key.
The proof:
Perform t times:
1. The prover chooses $R \in Z_n^*$ randomly, and sends $X = R^2 \bmod n$ to the verifier.
2. The verifier chooses a random bit b and sends it to the prover.
3. The prover sends the verifier one of the following values, according to the value
of b:
a. If $b = 0$, sends $R$.
b. If $b = 1$, sends $RS \bmod n$.
4. The verifier verifies the prover’s answer, and rejects if it is not correct.
If the prover’s answers were correct in all t iterations, the verifier accepts.
d. Explain how the verifier verifies in Step 4 the prover’s answer from Step 3.
e. Prove that the Fiat-Shamir protocol is an interactive proof, and that it is a zero
knowledge protocol. Is it perfect or computational zero knowledge?
f. Researchers from the UN (University of Nowhere) claimed that during the execution
of the Fiat-Shamir protocol, the verifier can learn the modular square root of X, which
he cannot compute alone. Therefore, it is not a zero-knowledge protocol. Is their
claim correct? Explain.
g. Assume that during a run of the Fiat-Shamir protocol, after the prover sends
X  R 2 mod n to the verifier, the least significant bit of R is flipped in the prover's
memory. The prover then uses this flipped value for the rest of the round. How can
the verifier use this error to get the secret S ?
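The Fiat-Shamir protocol above, simulated end to end in Python (an added example, not part of the exam): both sides' messages, the verifier's check, and the zero-knowledge simulator that produces accepting transcripts without S. The primes and the function names are constructed for the demo; a real deployment uses large primes.

```python
import secrets
from math import gcd

def fs_keygen(p, q, S=None):
    """Preparation: n = p*q, secret S in Z_n^*, public I = S^2 mod n.
    (p, q are demo-sized here; a real deployment uses large primes.)"""
    n = p * q
    while S is None or gcd(S, n) != 1:
        S = secrets.randbelow(n - 2) + 2
    return n, S, S * S % n

def fs_prover_commit(n):
    """Step 1: pick R in Z_n^* and send X = R^2 mod n."""
    while True:
        R = secrets.randbelow(n - 2) + 2
        if gcd(R, n) == 1:
            return R, R * R % n

def fs_prover_respond(n, S, R, b):
    """Step 3: answer R if b = 0, R*S mod n if b = 1."""
    return R if b == 0 else R * S % n

def fs_verifier_check(n, I, X, b, Y):
    """Step 4: the answer Y must satisfy Y^2 = X (b = 0) or Y^2 = X*I (b = 1) mod n."""
    return Y * Y % n == (X if b == 0 else X * I % n)

def fs_run(n, I, S, t=20):
    """Run t rounds between an honest prover holding S and an honest verifier."""
    for _ in range(t):
        R, X = fs_prover_commit(n)
        b = secrets.randbelow(2)
        if not fs_verifier_check(n, I, X, b, fs_prover_respond(n, S, R, b)):
            return False
    return True

def fs_simulate_round(n, I, b):
    """Zero-knowledge simulator: build an accepting (X, b, Y) without S by choosing
    Y first and setting X = Y^2 * I^(-b) mod n. A prover without S can do the same,
    but only passes the round if the verifier's bit matches the b it guessed."""
    while True:
        Y = secrets.randbelow(n - 2) + 2
        if gcd(Y, n) == 1:
            break
    X = Y * Y * pow(I, -b, n) % n   # pow with a negative exponent needs Python 3.8+
    return X, Y
```

Running `fs_run` with a simulated transcript for the wrong bit shows why each round only halves a cheater's chance: the simulated (X, Y) passes for the guessed b and fails for 1 - b.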
Question 2 (15 points)
During the semester we have seen register fault attacks on RSA, where the Right-To-Left
algorithm was used for exponentiations.
The attacks we saw assumed that the value of one unknown bit was flipped during the run
of the algorithms, and used this information to retrieve the private key.
In this question we deal with register fault attacks, when the Left-To-Right algorithm is
used for exponentiations.
Reminder:
The Left-To-Right algorithm for computing $x^d \bmod n$:
1. $z \leftarrow 1$
2. For $k = \lfloor \log n \rfloor$ down to 0 do:
2.1 If $d_k = 1$ then $z \leftarrow z^2 \cdot x \bmod n$
2.2 Else $z \leftarrow z^2 \bmod n$
3. Output $z$.
Show how one can attack RSA if decryptions are performed using the Left-to-Right
algorithm. You may assume that the attacker can control the iteration number in which one
bit of the register z is flipped (but he doesn't know which of the bits of z will be flipped).
Describe the stages of the attack in detail, and explain its correctness.
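The Left-To-Right algorithm above in Python (an added example, not from the exam), with an optional hook that models the fault of the question (one bit of the register z flipped at a chosen iteration) and the standard countermeasure of checking the result against the public key before releasing it; the countermeasure and the textbook-sized key are my additions, not part of the question.

```python
def left_to_right_modexp(x, d, n, fault=None):
    """x^d mod n by the Left-To-Right algorithm: scan the exponent bits d_k from the
    most significant one down to d_0, squaring each step and multiplying by x when d_k = 1.
    Starting at d.bit_length()-1 instead of floor(log n) only skips leading zero bits,
    which would square z = 1 and change nothing.
    fault=(k, j) models the register fault of the question: bit j of the register z
    is flipped at the start of iteration k (constructed for the demo, not real hardware)."""
    z = 1
    for k in range(d.bit_length() - 1, -1, -1):
        if fault is not None and fault[0] == k:
            z ^= 1 << fault[1]
        z = z * z % n
        if (d >> k) & 1:
            z = z * x % n
    return z

def rsa_decrypt_checked(c, d, e, n, fault=None):
    """Countermeasure (added here, not part of the question): recompute the cheap public
    operation and release m = c^d mod n only if m^e mod n gives c back, so a faulted
    exponentiation yields None instead of an exploitable wrong result."""
    m = left_to_right_modexp(c, d, n, fault)
    return m if pow(m, e, n) == c else None

if __name__ == "__main__":
    # Constructed textbook-sized RSA key: n = 61 * 53, e = 17, d = 17^-1 mod 3120.
    n, e, d = 3233, 17, 2753
    c = pow(65, e, n)
    print(left_to_right_modexp(c, d, n), rsa_decrypt_checked(c, d, e, n, fault=(0, 0)))
```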
Question 3 (30 points)
This question deals with a registered mail protocol.
A has a message $M \in \{0,1\}^{128}$ which is intended for B. A wants to be able to prove that B
received the message M. B wants to receive the message.
Protocol I
1. A and B choose together a random number $R \in \{0,1\}^{128}$ which will be used as an
identifier for the message.
2. A chooses $K \in \{0,1\}^{128}$, computes $AES_K(M)$, and sends the result to B.
3. B signs the message “I got message number R”. Denote the signature as S.
4. For i=0 to 127 do:
- A sends the i'th bit of K to B.
- B sends the i'th bit of S to A.
a. Explain how A and B can choose a random number $R \in \{0,1\}^{128}$, such that neither of
them can bias the resulting random number.
b. Is the above protocol fair?
Protocol II
1. A randomly chooses $K, \alpha_1, \alpha_2, \ldots, \alpha_n \in \{0,1\}^{128}$.
2. For every $i$, A computes $\alpha_i' = \alpha_i \oplus K$.
3. A computes the following $2n+1$ ciphertexts, and sends them to B:
$AES_{\alpha_1}(0), AES_{\alpha_2}(0), \ldots, AES_{\alpha_n}(0),$
$AES_{\alpha_1'}(0), AES_{\alpha_2'}(0), \ldots, AES_{\alpha_n'}(0), AES_K(M)$
4. B randomly chooses $\beta_1, \beta_2, \ldots, \beta_n, \gamma_1, \gamma_2, \ldots, \gamma_n \in \{0,1\}^{128}$.
5. B computes for every $1 \le i \le n$: $AES_{\beta_i}(0), AES_{\gamma_i}(0)$.
6. B signs the message “My 2n ciphertexts are (lists the ciphertexts). A’s 2n+1
ciphertexts are (lists the ciphertexts). If ……………….., then …………………..”
and sends the message and the signature to A.
7. A and B use $OT_1^2$ for ………………..
8. ……………..
c. Complete the above protocol (missing parts in steps 6,7,8 and add additional steps if
needed), to obtain a secure and fair protocol.
d. Prove that your complete protocol is secure and fair. What is the probability that one
player deceives the other?
e. After A and B successfully run the protocol, B denies having received the message. How
can A convince a judge that B did get the message? How will the judge verify her
claim?
Question 4 (25 Points)
We define DESV – a new cipher based on DES.
DESV takes two keys $K \in \{0,1\}^{56}$, $K'' \in \{0,1\}^{64}$. Encryption is performed by:
$DESV_{K,K''}(M) = DES_K(M) \oplus K''$
a. Show that it is possible to retrieve the keys of DESV with a complexity better than that of
exhaustive search. How many messages and their encryptions are required for the
attack?
We now define another cipher, DESX, which takes three keys $K \in \{0,1\}^{56}$, $K', K'' \in \{0,1\}^{64}$
(the total key length is 184 bits). Encryption is performed by:
$DESX_{K,K',K''}(M) = DES_K(M \oplus K') \oplus K''$
b. Show that it is possible to retrieve the keys of DESX with a complexity better than that of
exhaustive search. How many messages and their encryptions are required for the
attack?
Researchers from the University of DESneyland found 3 values $\alpha_1, \beta_1, \gamma_1 \in \{0,1\}^{128}$ (all
different from one another, and all non-zero) for which, for every $M, C, K$ it holds that:
If $AES_K(M) = C$ then $AES_{K \oplus \alpha_1}(M \oplus \beta_1) = C \oplus \gamma_1$
c. How can this property be used to decrease the complexity of an exhaustive search
attack on AES? Describe your attack in detail. What is the complexity of the attack?
How many encrypted messages are required for it to work?
Researchers from the University of DESneyworld found 3 other values $\alpha_2, \beta_2, \gamma_2 \in \{0,1\}^{128}$
(all different from one another, different from $\alpha_1, \beta_1, \gamma_1$, and all non-zero) for which, for every
$M, C, K$ it holds that:
If $AES_K(M) = C$ then $AES_{K \oplus \alpha_2}(M \oplus \beta_2) = C \oplus \gamma_2$
d. Is it possible to use this second property to further decrease the complexity of the
attack? If so – describe the attack. Otherwise, explain.