[1] A characteristic of an undeniable signature is that verification requires cooperation between the verifier and the signer

Cryptography HW#3
[1] (a) What is the birthday paradox? (5 points)
(b) We call two persons a matching pair if they have the same birthday. There are $\binom{100}{2}$ pairs among 100 people; how many matching pairs are there on average among these $\binom{100}{2}$ pairs? (Assume that nobody has 2/29 as his/her birthday.) (5 points)
[2] (a) Suppose we construct a keyed hash function $h_K$ from an unkeyed iterated hash function, say h, by defining IV = K and keeping its value secret. Find a (1,1)-forgery for $h_K$. (Assume the message to be hashed is padded.) (6 points)
(b) Now, consider HMAC:
$\mathrm{HMAC}_K(x) = \text{SHA-1}((K \oplus opad) \,\|\, \text{SHA-1}((K \oplus ipad) \,\|\, x))$
Does HMAC suffer a (1,1)-forgery attack as in (a) too? Explain it. (6 points)
[3] Suppose that $f: \{0,1\}^m \to \{0,1\}^m$ is a preimage resistant bijection (meaning 1-1).
Define $h: \{0,1\}^{2m} \to \{0,1\}^m$ as follows. Given $x \in \{0,1\}^{2m}$, write $x = x' \,\|\, x''$ where $x'$ and $x''$ are in $\{0,1\}^m$. Then we define $h(x) = f(x' \oplus x'')$.
Prove that h is not second preimage resistant. (10 points)
[4] In Double-DES, $c = \mathrm{DES}_{k_2}(\mathrm{DES}_{k_1}(m))$, where m is the plaintext, c is the ciphertext, and the key pair $(k_1, k_2)$ is of 112 bits. A meet-in-the-middle attack is trying to find a key pair (i, j) such that $\mathrm{DES}_j^{-1}(c) = \mathrm{DES}_i(m)$. What is the probability that this $(i, j) = (k_1, k_2)$? (Show your reason.) (6 points)
[5] (a) In the RSA cryptosystem, if you know Alice's ciphertext c = 15 and her public key (e, n) = (7, 55), what is Alice's private key d? And what is the plaintext m? (5 points)
(b) In Diffie-Hellman key exchange, let $\alpha = 2$ be a generator in $Z_{13}^*$. Suppose you are an eavesdropper and get $\alpha^a = 10$ from Alice and $\alpha^b = 4$ from Bob; then try to find the shared secret key $\alpha^{ab}$. (5 points)
[6] Let $n = p_1 p_2 \cdots p_k$ where the $p_i$ are distinct odd primes. If $a \in Q_n$ (i.e. a is a quadratic residue modulo n), then how many distinct square roots does a have? Briefly describe how to calculate these square roots. (10 points)
[7] In Shanks' algorithm, suppose p = 113, and we wish to find $\log_3 57$. So we have $\alpha = 3$, $\beta = 57$ and $m = \lceil \sqrt{112} \rceil = 11$. Then $\alpha^{11} \bmod 113 = 76$.
Assume we have two lists L1 and L2, where L1 is the list of ordered pairs $(j, 76^j \bmod 113)$ for $0 \le j \le 10$:
(0, 1) (1, 76) (2, 13) (3, 84) (4, 56) (5, 75) (6, 50) (7, 71) (8, 85) (9, 19) (10, 88)
and L2 is the list of ordered pairs $(i, 57 \cdot 3^{-i} \bmod 113)$, $0 \le i \le 10$:
(0, 57) (1, 19) (2, 44) (3, 90) (4, 30) (5, 10) (6, 41) (7, 89) (8, 105) (9, 35) (10, 87)
Use these two lists L1 and L2 to calculate $\log_3 57$. (10 points)
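The two-list procedure of problem [7], as an added example that is not part of the original assignment: it rebuilds L1 and L2 for any prime p and generator α, then reads the logarithm off the first collision between the second coordinates. The function name `shanks` and its return shape are choices made for this example.

```python
from math import isqrt

def shanks(alpha, beta, p):
    """Solve alpha^x = beta (mod p) for prime p and a generator alpha of Z_p^*.

    Returns (x, L1, L2) using the list layout of problem [7]:
    L1 = (j, alpha^(m*j) mod p) and L2 = (i, beta * alpha^(-i) mod p).
    """
    n = p - 1                          # order of the generator alpha
    m = isqrt(n - 1) + 1               # ceil(sqrt(n)) without floating point
    alpha_m = pow(alpha, m, p)         # giant-step base alpha^m
    alpha_inv = pow(alpha, -1, p)      # modular inverse (Python 3.8+)

    L1 = [(j, pow(alpha_m, j, p)) for j in range(m)]
    L2 = [(i, beta * pow(alpha_inv, i, p) % p) for i in range(m)]

    # Index L1 by its second coordinate so each L2 lookup is O(1).
    first_j = {}
    for j, y in L1:
        first_j.setdefault(y, j)

    for i, y in L2:
        if y in first_j:
            # alpha^(m*j) = beta * alpha^(-i)  =>  alpha^(m*j + i) = beta
            x = (m * first_j[y] + i) % n
            assert pow(alpha, x, p) == beta % p
            return x, L1, L2
    raise ValueError("no collision: beta is not a power of alpha mod p")


if __name__ == "__main__":
    # Parameters taken from problem [7]: p = 113, alpha = 3, beta = 57.
    x, L1, L2 = shanks(3, 57, 113)
    print("L1 =", L1)
    print("L2 =", L2)
    print("log_3 57 mod 113 =", x)
```

Both lists hold m entries, so time and memory grow as the square root of the group order.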
[8] Let p = 229. The element $\alpha = 6$ is a generator of $Z_{229}^*$. Consider $\beta = 13$. Then $\log_6 13$ is computed as follows, using the index-calculus method.
1. The factor base is chosen to be the first 5 primes: S = {2, 3, 5, 7, 11}
2. The following six relations involving elements of the factor base are obtained (unsuccessful attempts are not shown):
$6^{100} \bmod 229 = 180 = 2^2 \cdot 3^2 \cdot 5$
$6^{18} \bmod 229 = 176 = 2^4 \cdot 11$
$6^{12} \bmod 229 = 165 = 3 \cdot 5 \cdot 11$
$6^{62} \bmod 229 = 154 = 2 \cdot 7 \cdot 11$
$6^{143} \bmod 229 = 198 = 2 \cdot 3^2 \cdot 11$
$6^{206} \bmod 229 = 210 = 2 \cdot 3 \cdot 5 \cdot 7$
(a) List the six equations involving the logarithms of elements in the factor base. (Put a proper modulus in each equation.) (5 points)
(b) Solving the linear system of six equations (in (a)) in five unknowns yields the solutions $\log_6 2 = 21$, $\log_6 3 = 208$, $\log_6 5 = 98$, $\log_6 7 = 107$, and $\log_6 11 = 162$.
Suppose that integer k = 77 is selected and $13 \cdot 6^{77} \bmod 229 = 147 = 3 \cdot 7^2$.
Calculate $\log_6 13$. (5 points)
[9] Prove that $x \neq 0$ is a generator modulo 97 if and only if $x^{32} \not\equiv 1 \pmod{97}$ and $x^{48} \not\equiv 1 \pmod{97}$. (10 points)
[10] Let E be the elliptic curve $y^2 = x^3 + 2x + 3$ defined over $Z_5$.
(a) Find all the points on E. (6 points)
(b)  = (3,4) is a point of E. Calculate 2 and 3. (Show your steps.) (6 points)
[11] (a) What is the chosen message attack model in digital signature? (3 points)
(b) Under the chosen message attack model, how do you get the RSA signature
of x? (5 points)
(c) In the RSA signature scheme, given a y in $Z_n^*$, can you find a message x in $Z_n^*$ such that (x, y) passes the verification, using the signer's public key only? If yes, show how. (5 points)