[1] The distinctive feature of an undeniable signature is that verification requires the cooperation of the verifier and the signer.

Cryptography HW#3
[1] (a) What is the birthday paradox? (5 points)
(b) We call two persons a matching pair if they have the same birthday. There are $\binom{100}{2}$ pairs among 100 people; then how many matching pairs are there on average among these $\binom{100}{2}$ pairs? (Assume that nobody has 2/29 as his/her birthday.) (5 points)
Sol:
(a) Prat least two people have the same birthday among 23 people   0.5
(b) Let
1, if i, j have the same birthday
I ij  
0, otherwise
1
Then, E ( I ij ) 
. Here I ij ' s are not independent.
365


1 0 0 1

E  I ij    E ( I ij )  
 2 3 6 5
 i j  i j
[2] (a) Suppose we construct a keyed hash function $h_K$ from an unkeyed iterated hash function, say $h$, by defining $IV = K$ and keeping its value secret. Find a (1,1)-forgery for $h_K$. (Assume the message to be hashed is padded.) (6 points)
(b) Now, consider HMAC:
$$\mathrm{HMAC}_K(x) = \mathrm{SHA\text{-}1}\big((K \oplus \mathrm{opad}) \,\|\, \mathrm{SHA\text{-}1}((K \oplus \mathrm{ipad}) \,\|\, x)\big)$$
Does HMAC suffer a (1,1)-forgery attack as in (a) too? Explain. (6 points)
Sol:
(a)
1. The adversary queries one valid pair $(x, z)$, i.e. $z = h_K(x)$.
2. Suppose $y = x \,\|\, \mathrm{pad}(x)$ with $|y| = rt$ (so $y = y_1 \,\|\, \cdots \,\|\, y_r$ in blocks of $t$ bits), and let $x' = x \,\|\, \mathrm{pad}(x) \,\|\, w$, where $w$ is any bitstring of length $t$. Then $y' = x \,\|\, \mathrm{pad}(x) \,\|\, w \,\|\, \mathrm{pad}(x')$ with $|y'| = r't$, and the first $r$ blocks of $y'$ are exactly $y$.
3. Since $z$ is the chaining value after processing the first $r$ blocks, the adversary can continue the iteration without knowing $K$:
$z_{r+1} \leftarrow \mathrm{compress}(z \,\|\, y_{r+1})$
$z_{r+2} \leftarrow \mathrm{compress}(z_{r+1} \,\|\, y_{r+2})$
$\ldots$
$z' \leftarrow \mathrm{compress}(z_{r'-1} \,\|\, y_{r'})$
4. $h_K(x') = z'$, so $(x', z')$ is a valid forgery obtained from a single query.
(b) SHA-1 is an iterated hash function, but HMAC is a nested MAC algorithm: the inner SHA-1 (keyed by $K \oplus \mathrm{ipad}$) is secure against an unknown-key collision attack, and the outer SHA-1 (keyed by $K \oplus \mathrm{opad}$) is secure as a "little" MAC, whose output no longer exposes an intermediate chaining value that could be extended. By Theorem 4.9, the nested ("big") MAC is then secure as well. Hence HMAC does not suffer a (1,1)-forgery as in (a).
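The forgery in (a) and the contrast with (b) are easiest to see by running them. The following is an added example, not part of the original solution set: it builds a toy Merkle-Damgard hash (8-byte blocks and a compression function made from SHA-256; these are assumed toy parameters, not SHA-1's), keys it by $IV = K$ as in (a), shows that one valid pair $(x, z)$ is enough to compute $h_K(x \,\|\, \mathrm{pad}(x) \,\|\, w)$ without $K$, and shows that the same continuation applied to an HMAC tag does not verify, because HMAC's outer hash hides the inner chaining value. All function names are my own.

```python
import hashlib

T = 8                      # block / chaining-value size in bytes (assumed toy parameter)
IV0 = b"\x00" * T          # fixed IV of the unkeyed hash (assumed toy parameter)


def compress(chain: bytes, block: bytes) -> bytes:
    """Toy compression function compress(z || y_i) -> z_i. SHA-256 is only used
    to get a random-looking function; the iteration structure is what matters."""
    return hashlib.sha256(chain + block).digest()[:T]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard padding: 0x80, zero bytes, then the message bit length (8 bytes)."""
    p = b"\x80"
    while (len(msg) + len(p) + 8) % T:
        p += b"\x00"
    return p + (8 * len(msg)).to_bytes(8, "big")


def iterate(chain: bytes, y: bytes) -> bytes:
    """Run the compression function over the T-byte blocks of y, starting from chain."""
    assert len(y) % T == 0
    for i in range(0, len(y), T):
        chain = compress(chain, y[i:i + T])
    return chain


def h_unkeyed(msg: bytes) -> bytes:
    return iterate(IV0, msg + pad(msg))


def h_keyed(key: bytes, msg: bytes) -> bytes:
    """Problem 2(a): IV = K kept secret, output = final chaining value."""
    assert len(key) == T
    return iterate(key, msg + pad(msg))


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """Problem 2(b), with the toy hash in place of SHA-1."""
    assert len(key) == T
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h_unkeyed(opad + h_unkeyed(ipad + msg))


def extend(x: bytes, z: bytes, w: bytes):
    """The (1,1)-forgery of 2(a): from one valid pair (x, z) compute z' = h_K(x')
    for x' = x || pad(x) || w by continuing the iteration from z. K is never used."""
    assert len(w) == T
    x2 = x + pad(x) + w
    y2 = x2 + pad(x2)
    r_bytes = len(x + pad(x))          # the first r blocks of y' are exactly y
    return x2, iterate(z, y2[r_bytes:])


def demo(key: bytes = b"secretky", x: bytes = b"transfer 10 EUR", w: bytes = b"\x00" * T):
    """Returns (secret_prefix_accepts_forgery, hmac_accepts_forgery)."""
    x2, z2 = extend(x, h_keyed(key, x), w)
    naive_ok = h_keyed(key, x2) == z2
    x3, t3 = extend(x, hmac_toy(key, x), w)   # the same trick applied to an HMAC tag
    hmac_ok = hmac_toy(key, x3) == t3
    return naive_ok, hmac_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False)`: the secret-prefix construction accepts the forged pair, HMAC rejects it. This is the practical reason a MAC is built as HMAC rather than as $h(K \,\|\, x)$ over a Merkle-Damgard hash.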
[3] Suppose that $f: \{0,1\}^m \to \{0,1\}^m$ is a preimage-resistant bijection (meaning 1-1). Define $h: \{0,1\}^{2m} \to \{0,1\}^m$ as follows. Given $x \in \{0,1\}^{2m}$, write $x = x' \,\|\, x''$ where $x'$ and $x''$ are in $\{0,1\}^m$. Then we define $h(x) = f(x' \oplus x'')$. Prove that $h$ is not second-preimage resistant. (10 points)
Sol:
For a given $x = x' \,\|\, x''$ with $x' \ne x''$, take $y = x'' \,\|\, x'$; then $y \ne x$ and
$h(y) = f(x'' \oplus x') = f(x' \oplus x'') = h(x)$, so $y$ is a second preimage of $x$, found without ever inverting $f$.
[4] In Double-DES, $c = \mathrm{DES}_{k_2}(\mathrm{DES}_{k_1}(m))$, where $m$ is the plaintext, $c$ is the ciphertext, and the key pair $(k_1, k_2)$ is of 112 bits. A meet-in-the-middle attack tries to find a key pair $(i, j)$ such that $\mathrm{DES}_j^{-1}(c) = \mathrm{DES}_i(m)$. What is the probability that this $(i, j) = (k_1, k_2)$? (Show your reason.) (6 points)
Sol:
Check all possible $(i, j)$ such that $\mathrm{DES}_j^{-1}(c) = \mathrm{DES}_i(m)$; one of these $(i, j)$'s is the real key. Each of the $2^{56} \cdot 2^{56}$ candidate pairs matches a 64-bit value with probability $2^{-64}$, so the number of $(i, j)$'s such that $\mathrm{DES}_j^{-1}(c) = \mathrm{DES}_i(m)$ is
$$\frac{2^{56} \cdot 2^{56}}{2^{64}} = 2^{48},$$
so the probability that a given match is $(k_1, k_2)$ is $\frac{1}{2^{48}}$.
[5] (a) In the RSA cryptosystem, if you know Alice's ciphertext $c = 15$ and her public key $(e, n) = (7, 55)$, what is Alice's private key $d$, and what is the plaintext $m$? (5 points)
(b) In Diffie-Hellman key exchange, let $\alpha = 2$ be a generator of $\mathbb{Z}_{13}^*$. Suppose you are an eavesdropper and get $\alpha^a = 10$ from Alice and $\alpha^b = 4$ from Bob; then try to find the shared secret key $\alpha^{ab}$. (5 points)
Sol:
(a)
$d = e^{-1} \bmod \phi(n) = 7^{-1} \bmod \phi(55) = 7^{-1} \bmod 40 = 23$ (check: $7 \cdot 23 = 161 = 4 \cdot 40 + 1$)
$m = c^d \bmod 55 = 15^{23} \bmod 55 = 20$
(b) By exhaustive search in $\mathbb{Z}_{13}^*$ ($2^{10} \equiv 10$ and $2^2 \equiv 4 \pmod{13}$) we solve $a = 10$, $b = 2$, so $\alpha^{ab} = 2^{20} \equiv 9 \pmod{13}$.
[6] Let $n = p_1 p_2 \cdots p_k$ where the $p_i$ are distinct odd primes. If $a \in Q_n$ (i.e. $a$ is a quadratic residue modulo $n$), then how many distinct square roots does $a$ have? Briefly describe how to calculate these square roots. (10 points)
Sol:
Find the two square roots of $a$ modulo every $p_i$, and then for each $p_i$ pick one of its two square roots. Using the CRT, combine the $k$ chosen roots into a square root of $a$ modulo $n$. Each of the $2^k$ choices gives a different root, so there are $2^k$ square roots.
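The procedure described in this answer, carried out in code. This is an added example, not part of the original solution: the modulus $n = 3 \cdot 5 \cdot 7 = 105$ and the residue $a = 4$ are constructed inputs. Square roots modulo each prime use the closed form $a^{(p+1)/4}$ when $p \equiv 3 \pmod 4$ and an exhaustive search otherwise (Tonelli-Shanks would replace the search for large $p$); the CRT then glues one choice per prime into a root modulo $n$, giving $2^k$ roots in total. Function names are my own.

```python
from itertools import product
from math import prod


def sqrt_mod_prime(a: int, p: int) -> list:
    """Both square roots of a modulo an odd prime p.
    Returns [] if a is a non-residue and [0] if a is 0 mod p."""
    a %= p
    if a == 0:
        return [0]
    if pow(a, (p - 1) // 2, p) != 1:        # Euler's criterion: a is a non-residue
        return []
    if p % 4 == 3:
        r = pow(a, (p + 1) // 4, p)         # closed form valid when p = 3 (mod 4)
    else:
        # small p only: exhaustive search (use Tonelli-Shanks for large p = 1 mod 4)
        r = next(x for x in range(1, p) if x * x % p == a)
    return sorted({r, p - r})


def crt(residues, moduli) -> int:
    """Chinese remainder theorem for pairwise coprime moduli."""
    n = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        n_i = n // m
        x += r * n_i * pow(n_i, -1, m)
    return x % n


def sqrt_mod_n(a: int, primes: list) -> list:
    """All square roots of a modulo n = p_1 * ... * p_k (distinct odd primes):
    one root is chosen per prime (2 choices each) and combined with the CRT,
    so a quadratic residue has exactly 2^k roots."""
    per_prime = [sqrt_mod_prime(a, p) for p in primes]
    if any(len(roots) != 2 for roots in per_prime):
        return []                            # a is not in Q_n (non-residue or 0 mod some p_i)
    return sorted(crt(choice, primes) for choice in product(*per_prime))


if __name__ == "__main__":
    # constructed input: n = 105, a = 4; expect 2^3 = 8 roots
    print(sqrt_mod_n(4, [3, 5, 7]))
```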
[7] In Shanks' algorithm, suppose $p = 113$, and we wish to find $\log_3 57$. So we have $\alpha = 3$, $\beta = 57$ and $m = \lceil \sqrt{112} \rceil = 11$. Then $\alpha^{11} = 3^{11} \bmod 113 = 76$.
Assume we have two lists $L_1$ and $L_2$, where $L_1$ is the list of ordered pairs $(j, 76^j \bmod 113)$ for $0 \le j \le 10$:
(0, 1) (1, 76) (2, 13) (3, 84) (4, 56) (5, 75) (6, 50) (7, 71) (8, 85) (9, 19) (10, 88)
and $L_2$ is the list of ordered pairs $(i, 57 \cdot 3^{-i} \bmod 113)$ for $0 \le i \le 10$:
(0, 57) (1, 19) (2, 44) (3, 90) (4, 30) (5, 10) (6, 41) (7, 89) (8, 105) (9, 35) (10, 87)
Use these two lists $L_1$ and $L_2$ to calculate $\log_3 57$. (10 points)
Sol:
We use $(9, 19)$ in $L_1$ and $(1, 19)$ in $L_2$:
$76^9 \equiv 57 \cdot 3^{-1} \pmod{113}$
$\Rightarrow 57 \equiv 76^9 \cdot 3 \equiv 3^{9 \cdot 11} \cdot 3 = 3^{9 \cdot 11 + 1} \pmod{113}$
$\Rightarrow \log_3 57 = 9 \cdot 11 + 1 = 100$.
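An added example, not from the original solution set: a general baby-step giant-step routine that builds the two lists $L_1$ and $L_2$ exactly as laid out in problem 7 and reads $\log_3 57$ off the collision $(9, 19)$ / $(1, 19)$. The same routine recovers the exponents $a$ and $b$ in problem 5(b) and hence the Diffie-Hellman secret, which is why small groups offer no protection. Function names are my own.

```python
from math import isqrt


def shanks(alpha: int, beta: int, p: int):
    """Baby-step giant-step for log_alpha(beta) in Z_p^* (alpha assumed to be a generator).
    L1 = (j, alpha^{mj} mod p), L2 = (i, beta * alpha^{-i} mod p) for 0 <= i, j < m.
    A match alpha^{mj} = beta * alpha^{-i} gives log = m*j + i. Returns (log, L1, L2)."""
    n = p - 1
    m = isqrt(n) + (0 if isqrt(n) ** 2 == n else 1)     # m = ceil(sqrt(p - 1))
    giant = pow(alpha, m, p)                             # alpha^m; 76 for p = 113, alpha = 3
    L1 = [(j, pow(giant, j, p)) for j in range(m)]
    alpha_inv = pow(alpha, -1, p)
    L2 = [(i, beta * pow(alpha_inv, i, p) % p) for i in range(m)]
    lookup = {}
    for j, v in L1:
        lookup.setdefault(v, j)          # keep the first j if alpha^m has small order
    for i, v in L2:
        if v in lookup:
            return (m * lookup[v] + i) % n, L1, L2
    raise ValueError("no collision: beta is not in the subgroup generated by alpha")


def dh_eavesdrop(alpha: int, p: int, alice_pub: int, bob_pub: int):
    """Problem 5(b): recover a and b from alpha^a and alpha^b, then alpha^{ab}."""
    a, _, _ = shanks(alpha, alice_pub, p)
    b, _, _ = shanks(alpha, bob_pub, p)
    return a, b, pow(alpha, a * b, p)


if __name__ == "__main__":
    log, L1, L2 = shanks(3, 57, 113)
    print("L1:", L1)
    print("L2:", L2)
    print("log_3 57 =", log)                 # 100
    print("DH in Z_13^*:", dh_eavesdrop(2, 13, 10, 4))   # (10, 2, 9)
```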
[8] Let $p = 229$. The element $\alpha = 6$ is a generator of $\mathbb{Z}_{229}^*$. Consider $\beta = 13$. Then $\log_6 13$ is computed as follows, using the index-calculus method.
1. The factor base is chosen to be the first 5 primes: $S = \{2, 3, 5, 7, 11\}$.
2. The following six relations involving elements of the factor base are obtained (unsuccessful attempts are not shown):
$6^{100} \bmod 229 = 180 = 2^2 \cdot 3^2 \cdot 5$
$6^{18} \bmod 229 = 176 = 2^4 \cdot 11$
$6^{12} \bmod 229 = 165 = 3 \cdot 5 \cdot 11$
$6^{62} \bmod 229 = 154 = 2 \cdot 7 \cdot 11$
$6^{143} \bmod 229 = 198 = 2 \cdot 3^2 \cdot 11$
$6^{206} \bmod 229 = 210 = 2 \cdot 3 \cdot 5 \cdot 7$
(a) List the six equations involving the logarithms of elements in the factor base. (Put a proper modulus in each equation.) (5 points)
(b) Solving the linear system of six equations (in (a)) in five unknowns yields the solutions $\log_6 2 = 21$, $\log_6 3 = 208$, $\log_6 5 = 98$, $\log_6 7 = 107$, and $\log_6 11 = 162$. Suppose that the integer $k = 77$ is selected and $13 \cdot 6^{77} \bmod 229 = 147 = 3 \cdot 7^2$. Calculate $\log_6 13$. (5 points)
Sol:
(a)
$100 \equiv 2 \log_6 2 + 2 \log_6 3 + \log_6 5 \pmod{228}$
$18 \equiv 4 \log_6 2 + \log_6 11 \pmod{228}$
$12 \equiv \log_6 3 + \log_6 5 + \log_6 11 \pmod{228}$
$62 \equiv \log_6 2 + \log_6 7 + \log_6 11 \pmod{228}$
$143 \equiv \log_6 2 + 2 \log_6 3 + \log_6 11 \pmod{228}$
$206 \equiv \log_6 2 + \log_6 3 + \log_6 5 + \log_6 7 \pmod{228}$
(b)
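An added example, not from the original solution set, that works only with the page's own data for [8]: it checks the six relations numerically, verifies that the logarithms stated in (b) satisfy the six congruences modulo 228 and that $6^{\log_6 q} \equiv q$, and then carries out the final step with $k = 77$, where $13 \cdot 6^{77} \equiv 147 = 3 \cdot 7^2 \pmod{229}$. The dictionaries and function names are my own layout of the page's numbers.

```python
P, ALPHA, N = 229, 6, 228                 # p, generator alpha, group order p - 1 (from the page)
FACTOR_BASE = [2, 3, 5, 7, 11]

# relations from the page: exponent k -> factorization of alpha^k mod p over the base
RELATIONS = {
    100: {2: 2, 3: 2, 5: 1},
    18: {2: 4, 11: 1},
    12: {3: 1, 5: 1, 11: 1},
    62: {2: 1, 7: 1, 11: 1},
    143: {2: 1, 3: 2, 11: 1},
    206: {2: 1, 3: 1, 5: 1, 7: 1},
}

LOGS = {2: 21, 3: 208, 5: 98, 7: 107, 11: 162}   # solution of the system, as stated in 8(b)


def relation_holds(k: int, factors: dict) -> bool:
    """Numeric check: alpha^k mod p equals the product of the listed prime powers."""
    value = 1
    for q, e in factors.items():
        value *= q ** e
    return pow(ALPHA, k, P) == value % P


def logs_consistent(logs: dict) -> bool:
    """Each relation gives k = sum e_q * log_alpha(q) (mod p-1); also alpha^{log q} = q."""
    for k, factors in RELATIONS.items():
        if sum(e * logs[q] for q, e in factors.items()) % N != k % N:
            return False
    return all(pow(ALPHA, logs[q], P) == q for q in FACTOR_BASE)


def trial_factor(value: int):
    """Factor value over the factor base; None if it is not smooth."""
    factors = {}
    for q in FACTOR_BASE:
        while value % q == 0:
            factors[q] = factors.get(q, 0) + 1
            value //= q
    return factors if value == 1 else None


def final_step(beta: int, k: int, logs: dict):
    """Stage 2: if beta * alpha^k mod p is smooth, log beta = sum e_q log q - k (mod p-1).
    Returns None when this k does not give a smooth value (then another k is tried)."""
    factors = trial_factor(beta * pow(ALPHA, k, P) % P)
    if factors is None:
        return None
    return (sum(e * logs[q] for q, e in factors.items()) - k) % N


if __name__ == "__main__":
    assert all(relation_holds(k, f) for k, f in RELATIONS.items())
    assert logs_consistent(LOGS)
    print("13 * 6^77 mod 229 factors as", trial_factor(13 * pow(6, 77, P) % P))
    print("log_6 13 =", final_step(13, 77, LOGS))
```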
[9] Prove that $x \ne 0$ is a generator modulo 97 if and only if $x^{32} \not\equiv 1 \pmod{97}$ and $x^{48} \not\equiv 1 \pmod{97}$. (10 points)
Sol:
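An added example for [9], not part of the original solution: the general form of the criterion in the statement, $x$ generates $\mathbb{Z}_p^*$ iff $x^{(p-1)/q} \not\equiv 1$ for every prime $q \mid p-1$ (for $p = 97$, $p - 1 = 96 = 2^5 \cdot 3$, giving exactly the exponents $48$ and $32$), checked against a brute-force computation of the multiplicative order. The number of generators should come out as $\phi(96) = 32$. Function names are my own.

```python
def prime_factors(n: int) -> set:
    """Distinct prime divisors of n by trial division (n is small here)."""
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(x: int, p: int) -> bool:
    """x generates Z_p^* iff x^{(p-1)/q} != 1 (mod p) for every prime q | p-1:
    the order of x divides p-1, and it is a proper divisor exactly when it
    divides (p-1)/q for some prime q."""
    x %= p
    if x == 0:
        return False
    return all(pow(x, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def criterion_97(x: int) -> bool:
    """The criterion exactly as stated in problem 9."""
    return x % 97 != 0 and pow(x, 32, 97) != 1 and pow(x, 48, 97) != 1


def order(x: int, p: int) -> int:
    """Multiplicative order of x mod p by direct iteration (reference check only)."""
    k, y = 1, x % p
    while y != 1:
        y = y * x % p
        k += 1
    return k


def generators(p: int) -> list:
    return [x for x in range(1, p) if is_generator(x, p)]


if __name__ == "__main__":
    gens = generators(97)
    print(len(gens), "generators mod 97:", gens)
```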
[10] Let $E$ be the elliptic curve $y^2 = x^3 + 2x + 3$ defined over $\mathbb{Z}_5$.
(a) Find all the points on $E$. (6 points)
(b) $\alpha = (3, 4)$ is a point of $E$. Calculate $2\alpha$ and $3\alpha$. (Show your steps.) (6 points)
Sol:
(a)
(b)
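An added example for [10], not part of the original solution: point enumeration and the chord-and-tangent formulas over $\mathbb{Z}_5$. One check a practitioner runs before any curve arithmetic is the discriminant: here $4 \cdot 2^3 + 27 \cdot 3^2 = 275 \equiv 0 \pmod 5$, so the curve as written is singular ($x^3 + 2x + 3 \equiv (x-2)(x-4)^2$, a double root at $x = 4$), which the `discriminant` function reports. The addition formulas below still evaluate $2\alpha$ and $3\alpha$ for $\alpha = (3, 4)$, since $\alpha$ is not the singular point. Function names are my own.

```python
P = 5            # the field Z_5 (from the page)
A, B = 2, 3      # y^2 = x^3 + A x + B (from the page)
O = None         # the point at infinity


def discriminant() -> int:
    """4A^3 + 27B^2 mod P; zero means the cubic has a repeated root (singular curve)."""
    return (4 * A ** 3 + 27 * B ** 2) % P


def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def points() -> list:
    """All points of E(Z_P), found by exhaustive search over x and y."""
    return [O] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]


def add(p1, p2):
    """Chord-and-tangent addition with the usual affine formulas."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p2 = -p1 (includes doubling a point with y = 0)
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt):
    """k * pt by repeated addition (fine for the tiny group here)."""
    result = O
    for _ in range(k):
        result = add(result, pt)
    return result


if __name__ == "__main__":
    print("discriminant mod 5:", discriminant())
    print("points:", points())
    alpha = (3, 4)
    print("2a =", mul(2, alpha), " 3a =", mul(3, alpha))
```

Running it lists seven points (the six affine points plus $O$), reports $2\alpha = (3, 1) = -\alpha$ and therefore $3\alpha = O$.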
[11] (a) What is the chosen message attack model for digital signatures? (3 points)
(b) Under the chosen message attack model, how do you get the RSA signature of $x$? (5 points)
(c) In the RSA signature scheme, given a $y \in \mathbb{Z}_n^*$, can you find a message $x \in \mathbb{Z}_n^*$ such that $(x, y)$ passes the verification with the signer's public key only? If yes, show how. (5 points)
Sol: