Math 470 Answers to Final Exam Sample Problems December 6, 2011 Please note: These problems only cover material since the second mid-term exam, and even then they do not cover all possible topics or types of problems. Mainly they can serve to provide you with ideas on what types of problems might be asked on this material. 1. Samantha uses the RSA signature scheme with primes p = 13 and q = 23 and public verification exponent v = 53. (a) What is Samantha’s public modulus? What is her private signing key? (b) Samantha signs the digital document D = 100. What is the signature? Solution: (a) Samantha’s public modulus is n = pq = 13 · 23 = 299 . Her private signing key is 1 1 53 (mod φ(299)). Since φ(299) = 12 · 22 = 264, we calculate 53 modulo 264: applying the Euclidean algorithm, we have 264 = 4·53+52 and 53 = 52+1, and so 1 = 53−52 = 53−(264−4·53) = 5·53−264. Therefore, Samantha’s private signing key is 1 53 ≡ 5 (mod 264) . (b) Samantha signs D = 100 by evaluating D5 (mod 299). Since D5 = 1010 ≡ 16 (mod 299), the digital signature is (100, 16) . 2. Given that 3 is a primitive root modulo 29, use Shanks’ Babystep-Giantstep Algorithm to find x so that 3x ≡ 2 (mod 29). √ √ Solution: Let N = b p − 1c + 1 = b 28c + 1 = 6. We calculate two lists: 3j −6k 2·3 (mod 29), 0 ≤ j < 6 : (mod 29), 0 ≤ k < 6 : 1, 3, 9, 27, 23, 11; 2, 15, 11, 10, 17, 26. Since 11 appears on both lists with j = 5 and k = 2, the Babystep-Giantstep Algorithm yields that x = j + N k ≡ 5 + 6 · 2 = 17 . A note on calculating the above lists quickly: for the first list, each term is obtained from the previous term by multiplying by 3; for the second list, each term is obtained from the previous term by multiplying by 3−6 ≡ 22 (mod 29). In answering this question, we did not need to complete the second list — once we got to 11 on the second list, we could stop since we had obtained a match. 3. Ryan and Terri are communicating using the ElGamal cryptosystem with prime p = 23 and primitive root α = 7. (a) Terri creates her public key by choosing the exponent a = 5. What is Terri’s public key? (b) Ryan wants to send the message ‘3’ to Terri. Demonstrate how Ryan encrypts the message. Be specific. (c) Terri receives the encrypted message (r, t) = (9, 6) from Ryan. What is his plaintext message? Solution: (a) Terri’s public key is (p, α, β) where β ≡ αa (mod p), so her public key is (p, α, β) = (23, 7, 17) . (b) First Ryan chooses a random number k, 2 ≤ k ≤ p − 2. Suppose Ryan chooses k = 3. Then Ryan calculates r ≡ αk ≡ 73 ≡ 21 (mod 23). Finally Ryan calculate t ≡ β k m ≡ 173 · 3 ≡ 19 (mod 23). Ryan sends (r, t) = (21, 19) to Terri. (c) Terri computes tr−a ≡ 6 · 9−5 ≡ 18 (mod 23). 4. In this problem we will work modulo 19. Consider the following table. m 13m (mod 19) 1 13 2 17 3 12 4 4 5 14 6 11 7 10 8 16 9 18 10 6 11 2 12 7 13 15 14 5 15 8 16 9 17 3 (a) Calculate the discrete logarithms L13 (7) and L13 (7203 ). (b) Alice and Bob are using the Diffie-Hellman key exchange protocol with (p, α) = (19, 13) to agree on a key for a shift cipher. Bob’s secret exponent is 5, and he receives the message 11, SVVRVBA. What message did Alice send to him? (c) What information did Bob exchange with Alice to notify her of the key they would be using? Solution: (a) From the table we see that L13 (7) = 12 . Therefore L13 (7203 ) ≡ 203 · L13 (7) (mod 18), and so L13 (7203 ) ≡ 203 · 12 ≡ 6 (mod 18). (b) The first part of the message is used to obtain the key for the shift cipher. Bob finds the key by calculating K ≡ 115 ≡ 7 (mod 19). Bob shifts SVVRVBA by −7 decrypt and finds the decrypted message LOOKOUT . (c) Bob would exchange 135 ≡ 14 with Alice to let her know what key they were agreeing to. 5. Suppose p is a large prime and α is a primitive root for p. For m ∈ Z, define h(m) = αm (mod p). (a) Explain how h is pre-image resistant. (b) Show that h is not strongly collision-free by finding a counterexample. (a) To show that h is pre-image resistant, we need to show that for a given y ∈ {1, 2, . . . , p − 1}, it is difficult to find m ∈ Z such that h(m) = y. Now finding such an m is equivalent to solving the congruence αm ≡ y (mod p). In other words, finding m is equivalent to the Discrete Logarithm Problem modulo p, which is computationaly infeasible for large p. (b) For numbers m1 , m2 , we know that m1 ≡ m2 (mod p − 1) =⇒ αm1 ≡ αm2 (mod p) =⇒ h(m1 ) = h(m2 ). Therefore, since we can easily pick two distinct numbers m1 and m2 with m1 ≡ m2 (mod p − 1), in which case h(m1 ) = h(m2 ), it follows that it is easy to find collisions for h. 6. Alice is signing a document using the ElGamal signature scheme. She is using p = 23 and α = 5. She chooses a = 9 for her private exponent. (a) What is Alice’s public key? (b) Demonstrate how Alice signs the document D = 10. Be specific. (c) How does Bob verify that Alice has signed the document? Solution: (a) Much like in 3(a), Alice’s public key is (p, α, β) with β ≡ αa (mod p). Since αa ≡ 59 ≡ 11 (mod 23). Therefore, her public key is (p, α, β) = (23, 5, 11) . (b) Alice selects a secret number k, with 2 ≤ k ≤ p − 1 and gcd(k, p − 1) = 1. Suppose she selects k = 7. She computes r ≡ αk ≡ 57 ≡ 17 (mod 23), and she computes s≡ 1 (D − ar) ≡ 19(10 − 9 · 17) ≡ 11 k (mod 22). 18 1 The signed document is then (D, r, s) = (10, 17, 11) . (c) Bob uses Alice’s public key to compute v1 ≡ β r · rs ≡ 1117 · 1711 ≡ 9 (mod 23) and v2 ≡ αD ≡ 510 ≡ 9 (mod 23). Since v1 ≡ v2 (mod 23), Bob concludes that Alice’s signature is valid. 7. Answer the following questions using the Hamming [7, 4] code. (a) You receive (0, 1, 1, 0, 1, 1, 0). Does it contain any errors? Can you correct them? (b) You receive (1, 1, 1, 1, 0, 0, 1). Does it contain any errors? Can you correct them? Solution: (a) We calculate 1 1 0 (0, 1, 1, 0, 1, 1, 0) · 1 1 0 0 1 0 1 1 0 1 0 0 1 1 1 ≡ (0, 0, 0) 0 0 1 (mod 2). Therefore, we conclude that the received transmission contains no errors. (b) We calculate 1 1 0 (1, 1, 1, 1, 0, 0, 1) · 1 1 0 0 1 0 1 1 0 1 0 0 1 1 1 ≡ (1, 1, 0) 0 0 1 (mod 2). Since this is the first row in the 7 × 3 Hamming matrix, there must be an error in the first bit, so we conclude that the correct message should be (0, 1, 1, 1, 0, 0, 1) . 1 8. You receive 0 0 How many? Can 0 1 0 1 0 0 using a two-dimensional parity check code. Does it contain any errors? 1 0 0 you correct them? Solution: Adding up the rows and columns modulo 2, we see that there are errors in the 2nd and 3rd rows and the 1st and 3rd columns. Therefore there were at least two errors in the transmission, in two of the four entries at the intersections of these rows and columns. However, we do not know exactly where they were, so we cannot correct them.