This commit is contained in:
parent
0086817700
commit
0b78d472b6
474
cw/cw.tex
474
cw/cw.tex
@ -72,278 +72,304 @@
|
||||
Once you find a key that is the same length as the cipher text, we know that we found the right key.
|
||||
|
||||
\section*{2}
|
||||
\subsection*{2.1}
|
||||
Ciphertext:
|
||||
6cea122f3b42975bdbbeb7f2c6efaf9fd5a54fdd62\textbf{3c}27\textbf{6f}55358f4fbcb7a9492d0451b7019c69faef5fd23103ff7ec521fbbc6516ca2cb2ca663d5dbff86bcf
|
||||
\subsection*{2.1}
|
||||
Ciphertext:
|
||||
6cea122f3b42975bdbbeb7f2c6efaf9fd5a54fdd62\textbf{3c}27\textbf{6f}55358f4fbcb7a9492d0451b7019c69faef5fd23103ff7ec521fbbc6516ca2cb2ca663d5dbff86bcf
|
||||
|
||||
T=2nd block
|
||||
T=2nd block
|
||||
|
||||
U=6th byte from the 2nd block
|
||||
U=6th byte from the 2nd block
|
||||
|
||||
V=0x33
|
||||
V=0x33
|
||||
|
||||
W=0x3c
|
||||
W=0x3c
|
||||
|
||||
X=8th byte from the 2nd block
|
||||
X=8th byte from the 2nd block
|
||||
|
||||
Y=0x6c
|
||||
Y=0x6c
|
||||
|
||||
Z=0x6f
|
||||
Z=0x6f
|
||||
|
||||
To change the given cipher text, we need to first find the block we want to change and go to the previous block, this only works for blocks after the first one, after that, we need to find the value that comes out of the Encryption function, and we can do that if we follow this formula:
|
||||
$$\text{After Encryption}\oplus\text{Previous Block Original Ciphertext}=\text{PlainText}\iff\text{After Encryption}=\text{Previous Block Original Ciphertext}\oplus\text{PlainText}$$
|
||||
After we calculate the value that comes out of the encryption function and before we xor with the previous block, we can now calculate the value that we need to change the previous block in the cipher text to:
|
||||
$$\text{After Encryption}\oplus\text{Previous Block Altered Ciphertext}=\text{Altered PlainText}\iff\text{Previous Block Altered Ciphertext}=\text{After Encryption}\oplus\text{Altered PlainText}$$
|
||||
|
||||
\subsection*{2.2}
|
||||
The block before the block where change happens become altered as well.
|
||||
|
||||
\subsection*{2.3}
|
||||
The change is similar to the one described in 2.1 but with the iv value instead of the previous block
|
||||
$$\text{After Encryption}\oplus\text{Original IV value}=\text{PlainText}\iff\text{After Encryption}=\text{Original IV value}\oplus\text{PlainText}$$
|
||||
After we calculate the value that comes out of the encryption function and before we xor with IV value, we can now calculate the value that we need to change the IV value to:
|
||||
$$\text{After Encryption}\oplus\text{New IV value}=\text{Altered PlainText}\iff\text{New IV value}=\text{After Encryption}\oplus\text{Altered PlainText}$$
|
||||
|
||||
|
||||
\subsection*{2.4}
|
||||
You cannot change the location word "station'' because the word is spread between 2 blocks, which means that to change the second part of the word "ion'', you need to change the previos block but by changing the previous block the rest of the word "stat'' would have become garbled.
|
||||
|
||||
To change the given cipher text we need to first find the block we want to change and go to the previous block, this only works for blocks after the first one, after that we need to find the value that comes out of the Encryption function and we can do that if we follow this formula:
|
||||
$$\text{After Encrytion}\oplus\text{Previous Block Original Ciphertext}=\text{PlainText}\iff\text{After Encryption}=\text{Previous Block Original Ciphertext}\oplus\text{PlainText}$$
|
||||
After we calculate the value that comes out of the encryption function and before we xor with the previous block we can now calculate the value that we need to change the previous block in the cipher text to:
|
||||
$$\text{After Encrytion}\oplus\text{Previous Block Altered Ciphertext}=\text{Altered PlainText}\iff\text{Previous Block Altered Ciphertext}=\text{After Encrytion}\oplus\text{Altered PlainText}$$
|
||||
\subsection*{2.2}
|
||||
The block before the block where the change appens becomes altered as well.
|
||||
\subsection*{2.3}
|
||||
The change is similiar to the one described in 2.1 but with the iv value instead of the previous block
|
||||
$$\text{After Encrytion}\oplus\text{Original IV value}=\text{PlainText}\iff\text{After Encryption}=\text{Original IV value}\oplus\text{PlainText}$$
|
||||
After we calculate the value that comes out of the encryption function and before we xor with IV value we can now calculate the value that we need to change the IV value to:
|
||||
$$\text{After Encrytion}\oplus\text{New IV value}=\text{Altered PlainText}\iff\text{New IV value}=\text{After Encrytion}\oplus\text{Altered PlainText}$$
|
||||
\subsection*{2.4}
|
||||
You can not change the location word "station'', because the word is spread between 2 blocks which means that to change the second part of the word "ion'', you need to change the previos block but by changing the previous block the rest of the word "stat'' would have become garbled.
|
||||
\section*{3}
|
||||
\subsection*{3.1}
|
||||
The computational hard problem is factorization
|
||||
\subsection*{3.2}
|
||||
I used factorization to obatin the cipher text is "handlebars''
|
||||
\subsection*{3.3}
|
||||
I used the general number sieve to factorize\cite{cadonfs} to factorize the public modulus and obtained:
|
||||
$$p=112546167358047505471958486197519319605436748416824057782825895564365669780011$$
|
||||
and
|
||||
$$q=65802972772386034028625679514602920156340140357656235951559577501150333990623$$
|
||||
with p and q I calculated
|
||||
$$d=1545653943570564246212141988589994139279645559486726912293297140150091598977726717239879077953798120855868459360771804433616650588668281034152580212290153$$
|
||||
with d you can decrypt the ciphertext
|
||||
I used the openssl crypto libaray with the $p,q,d,m,e$ to decrypt the cipher text
|
||||
\subsection*{3.4}
|
||||
While factorizing the numbers takes more time, then a dictionary attack, it allows me to decrypting any message that was encrypted with this public key. It also allows me to decrypt messages that have diferent padding including padding methods that use random values.
|
||||
\subsection*{3.5}
|
||||
Yes, since I know the private key I can just decrypt the message.
|
||||
\subsection*{3.1}
|
||||
The computational hard problem is factorization
|
||||
|
||||
\subsection*{3.2}
|
||||
I used factorization to obtain the private key. After obtaining the private key, I can decrypt the cipher text and obtain "handlebars''
|
||||
|
||||
\subsection*{3.3}
|
||||
I used the general number sieve to factorize\cite{cadonfs} to factorize the public modulus and obtained:
|
||||
$$p=112546167358047505471958486197519319605436748416824057782825895564365669780011$$
|
||||
and
|
||||
$$q=65802972772386034028625679514602920156340140357656235951559577501150333990623$$
|
||||
with p and q I calculated
|
||||
$$d=15456539435705642462121419885899941392796455594867269122932971401500915$$
|
||||
$$98977726717239879077953798120855868459360771804433616650588668281034152580212290153$$
|
||||
with d you can decrypt the ciphertext
|
||||
I used the OpenSSL crypto library with the $p,q,d,m,e$ to decrypt the cipher text
|
||||
|
||||
\subsection*{3.4}
|
||||
While factorizing the numbers takes more time, than a dictionary attack, it allows me to decrypt any message that was encrypted with this public key. It also allows me to decrypt messages that have different padding, including padding methods that use random values.
|
||||
|
||||
\subsection*{3.5}
|
||||
Yes, since I know the private key I can just decrypt the message.
|
||||
|
||||
\section*{4}
|
||||
\subsection*{4.1}
|
||||
$$P||R = E(K,C)$$
|
||||
then you can remove the $R$ part and the $P$ can be obtained
|
||||
\subsection*{4.2}
|
||||
The q pairs could look like: $${(1, k),(2,k),(3,k)\cdots(q, k)}$$
|
||||
where k is a constant value for simplicity sets say $k=0$
|
||||
\subsection*{4.1}
|
||||
$$P||R = E(K,C)$$
|
||||
then you can remove the $R$ part and the $P$ can be obtained
|
||||
|
||||
$E_b$ is the list of encrypted values returned by the oracle
|
||||
\subsection*{4.2}
|
||||
The q pairs could look like: $${(1, k),(2,k),(3,k)\cdots(q, k)}$$
|
||||
where k is a constant value for simplicity sets say $k=0$
|
||||
|
||||
This q pairs work because when the oracle selects b=0:
|
||||
$E_b$ is the list of encrypted values returned by the oracle
|
||||
|
||||
There will be no colisions:
|
||||
$$\nexists i,k : i \ne j \land P_{0i} \ne p E_{0i} \implies E_{0i} \ne E_{0j}$$
|
||||
there if you don't find any colissions you can assume that the the oracle selected b=0
|
||||
These q pairs work because when the oracle selects b=0:
|
||||
|
||||
if the oracle selects b=1:
|
||||
There will be no collisions:
|
||||
$$\forall i,k : i \ne j \land P_{0i} \ne P_{0j} \implies E_{0i} \ne E_{0j}$$
|
||||
|
||||
If q is big enough, there will be colissions:
|
||||
$$\exists i,k : i \ne j \land P_{1i} = P_{1j} \land R_i = R_j \implies E_{1i} = E_{1j}$$
|
||||
where $R$ is the list of random values generated for each pair
|
||||
therefore if you don't find any colissions you can assume that the the oracle selected b=0
|
||||
|
||||
\subsection*{4.3}
|
||||
Our random value is $R = u-bit long digit$ which means that it has $2^u$ possible values.
|
||||
And since we know that $q$ balls into $p$ holes a colision is bound to happend at the probability of $\frac{q^2}{2p}$ we can calculate:
|
||||
$$\frac{q^2}{2(2^u)}>\frac{1}{2}\iff q> 2^{\frac{u}{2}}$$
|
||||
if the oracle selects b=1 and if q is big enough, there will be colissions:
|
||||
|
||||
\subsection*{4.4}
|
||||
The size of TripleDES is 64 bit long which makes $u=64/2=32$ making the q
|
||||
$q> 2^\frac{32}{2}\iff q > 65536$
|
||||
\subsection*{4.5}
|
||||
The size of AES is 128 bit long which makes $u=128/2=64$ making the q
|
||||
$q>t 2^\frac{64}{2}\iff q > 4294967296$
|
||||
\subsection*{4.6}
|
||||
Since in in both 4.4 and 4.5 the value of $q$ is not large enough the scheme is not CPA secure
|
||||
$$\exists i,k : i \ne j \land P_{1i} = P_{1j} \land R_i = R_j \implies E_{1i} = E_{1j}$$
|
||||
where $R$ is the list of random values generated for each pair
|
||||
|
||||
\subsection*{4.3}
|
||||
Our random value is $R = u-bit long digit$ which means that it has $2^u$ possible values.
|
||||
And since we know that if we throw $q$ balls into $p$ holes, a collision is bound to happen at the probability of $\frac{q^2}{2p}$, that guessing a $2^u$ random value by doing $q$ guesses is:
|
||||
$$\frac{q^2}{2(2^u)}$$
|
||||
We can calculate:
|
||||
$$\frac{q^2}{2(2^u)}>\frac{1}{2}\iff q> 2^{\frac{u}{2}}$$
|
||||
|
||||
|
||||
\subsection*{4.4}
|
||||
The size of TripleDES is 64 bit long which makes $u=64/2=32$ making the q
|
||||
$$q> 2^\frac{32}{2}\iff q > 65536$$
|
||||
|
||||
\subsection*{4.5}
|
||||
The size of AES is 128 bit long which makes $u=128/2=64$ making the q
|
||||
$$q>t 2^\frac{64}{2}\iff q > 4294967296$$
|
||||
|
||||
\subsection*{4.6}
|
||||
Since in both 4.4 and 4.5 the value of $q$ is not large enough, the scheme is not CPA secure
|
||||
|
||||
\section*{5}
|
||||
\subsection*{5.1}
|
||||
The hash function is collision resistanteeee for $n=1$, since if the block size is one the hash function is the encryption. Therefore:
|
||||
if the message is only one block long:
|
||||
$$H=E$$
|
||||
$$m\ne m'$$
|
||||
$$H(m)=E(K, IV \oplus m) = C_1$$
|
||||
$$H(m')=E(K, IV \oplus m') = C_2$$
|
||||
And if there the hashing function was not collision resistant that would imply
|
||||
$$C_1=C_2\Rightarrow D(C_1)=D(C_2) \Rightarrow m=m'$$
|
||||
and since $m\ne m'$ the hash function is collision resistant, for messages with 1 block.
|
||||
\subsection*{5.1}
|
||||
The hash function is collision resistant for $n=1$, since if the block size is one of, the hash function is the encryption. Therefore:
|
||||
if the message is only one block long:
|
||||
|
||||
For if the block size is bigger than one we can say
|
||||
$$H(m)=E(m)_{\text{Last Block}}$$
|
||||
$$E(m)=E(K, m)$$
|
||||
$$\exists a,b,c,d : m = a||b \land m' = c||d$$
|
||||
where a,b,c,d are the size of one block
|
||||
$$H(m)=E(b \oplus E(a \oplus IV)) = C_1$$
|
||||
$$H(m')=E(d \oplus E(c \oplus IV)) = C_2$$
|
||||
since it's possible to have:
|
||||
$$b \oplus E(a \oplus IV) = d \oplus E(c \oplus IV) \implies$$
|
||||
$$\implies C_1=C_2$$
|
||||
with:
|
||||
$$a \ne b \ne c \ne d$$
|
||||
therefore
|
||||
$$H(m)=H(m') \land m\ne m'$$
|
||||
therefore the hash function is not collision resistant.
|
||||
Since this can be expanded with more than 2 blocks the hash functions is not collision resistant for any message bigger than 1 block.
|
||||
\subsection*{5.2}
|
||||
When the message has the size of a block, the authenticated encryption system scheme has both data confidentiality and integrity because the hash function is only collision resistant with messages of block size 1, because of that is impossible to change the ciphertext in away that when the mac is generated on the receiver side, the mac will be the same and since the mac key is not public the attacker cannot generate the new mac.
|
||||
When the message has a bigger size than one block, the scheme still has data confidentiality because the message can still not be decrypted without knowing the key, but it has no longer data integrity because the attacker can change the message in such a way that it would generate a hash collision; therefore the sender could not prove that the information that was received was not sent that way by the server.
|
||||
$$H=E$$
|
||||
$$m\ne m'$$
|
||||
$$H(m)=E(K, IV \oplus m) = C_1$$
|
||||
$$H(m')=E(K, IV \oplus m') = C_2$$
|
||||
And if the hashing function was not collision resistant, that would imply
|
||||
$$C_1=C_2\implies D(C_1)=D(C_2) \implies m=m'$$
|
||||
and since $m\ne m'$ the hash function is collision resistant, for messages with 1 block.
|
||||
|
||||
For if the block size is bigger than one we can say
|
||||
$$H(m)=E(m)_{\text{Last Block}}$$
|
||||
$$E(m)=E(K, m)$$
|
||||
$$\exists a,b,c,d : m = a||b \land m' = c||d$$
|
||||
where a,b,c,d are the size of one block
|
||||
$$H(m)=E(b \oplus E(a \oplus IV)) = C_1$$
|
||||
$$H(m')=E(d \oplus E(c \oplus IV)) = C_2$$
|
||||
since it's possible to have:
|
||||
$$b \oplus E(a \oplus IV) = d \oplus E(c \oplus IV) \implies$$
|
||||
$$\implies C_1=C_2$$
|
||||
with:
|
||||
$$a \ne b \ne c \ne d$$
|
||||
therefore
|
||||
$$H(m)=H(m') \land m\ne m'$$
|
||||
therefore, the hash function is not collision resistant.
|
||||
Since this can be expanded with more than 2 blocks, the hash function is not collision resistant for any message bigger than 1 block.
|
||||
|
||||
\subsection*{5.2}
|
||||
When the message has the size of a block, the authenticated encryption system scheme has both data confidentiality and integrity because the hash function is only collision resistant with messages of block size 1. As a result, it is impossible to change the ciphertext in away that when the MAC is generated on the receiver side, the mac will not be the same. And since the mac key is not public, the attacker cannot generate a new mac to authenticate the fake message.
|
||||
|
||||
When the message has a bigger size than one block, the scheme still has data confidentiality because the message can still not be decrypted without knowing the key. But it has no longer data integrity because the attacker can change the message in such a way that it would generate a hash collision; therefore the receiver could not prove that the information that was received was not sent that way by the sender; therefore the encryption system does not have data integrity.
|
||||
|
||||
\section*{6}
|
||||
\subsection*{6.1}
|
||||
\subsubsection*{6.1.1}
|
||||
Bob can check if the equation holds then Bob knows that Alice signed the Contract
|
||||
$$h = H(g^s\times y^h \text{ mod } p || C)$$
|
||||
where y is Alice's pub key.
|
||||
\subsection*{6.1}
|
||||
\subsubsection*{6.1.1}
|
||||
Bob can check if the equation holds then Bob knows that Alice signed the Contract
|
||||
$$h = H(g^s\times y^h \text{ mod } p || C)$$
|
||||
where y is Alice's pub key.
|
||||
|
||||
\subsubsection*{6.1.2}
|
||||
If the Alice used the the same r then this equation would only have 2 variables to solve, $a$ and $r$ which makes this equation possible to solve.
|
||||
$$\begin{cases}
|
||||
s = r - h \times a \text{ mod } q\\
|
||||
s' = r - h' \times a \text{ mod } q
|
||||
\end{cases} \iff
|
||||
\begin{cases}
|
||||
r = s + h \times a \\
|
||||
a = \frac{s' - s}{h - h'} \land h \ne h'
|
||||
\end{cases}
|
||||
$$
|
||||
therefor Alice private key $a$ is:
|
||||
$$
|
||||
a = \frac{s' - s}{h - h'}
|
||||
$$
|
||||
\subsubsection*{6.1.2}
|
||||
If the Alice used the the same r then this equation would only have 2 variables to solve, $a$ and $r$ which makes this equation possible to solve.
|
||||
$$\begin{cases}
|
||||
s = r - h \times a \text{ mod } q\\
|
||||
s' = r - h' \times a \text{ mod } q
|
||||
\end{cases} \iff
|
||||
\begin{cases}
|
||||
r = s + h \times a \\
|
||||
a = \frac{s' - s}{h - h'} \land h \ne h'
|
||||
\end{cases}
|
||||
$$
|
||||
therefor Alice private key $a$ is:
|
||||
$$
|
||||
a = \frac{s' - s}{h - h'}
|
||||
$$
|
||||
|
||||
\subsection*{6.2}
|
||||
\subsubsection*{6.2.1}
|
||||
To sign a contract $C$ Alice first chooses 2 random values $r$ and $c_2$ then $z$ is callulated $z=g^r\times y_b^{c_2}$. After we have $z$ we can calculate the intermidary value $c$, $c = H(y_a, y_b, C, z)$. After having $c$ we calculate $c_1$, $c_1 = c - c_2$. $c_1$ is then used to callulate $s = r - c1 \times a mod q$. The signature is $(c_1, c_2, s)$
|
||||
\subsubsection*{6.2.2}
|
||||
No because Alice only needs Bob's public key which is publicly avaiable
|
||||
\subsubsection*{6.2.3}
|
||||
The signature is verified if the equation holds
|
||||
$$c_1 + c_2 = H(y_a, y_b, C, g^s\times y_a^{c_1} \times y_b^{c_2} mod p )$$
|
||||
\subsubsection*{6.2.4}
|
||||
No because the signature is generated from multiple public keys and Alice's private key therefore chris will not be able to tell who signed the contract
|
||||
\subsection*{6.2}
|
||||
\subsubsection*{6.2.1}
|
||||
To sign a contract $C$ Alice first chooses 2 random values $r$ and $c_2$ then $z$ is calculated $z=g^r\times y_b^{c_2}$. After we have $z$ we can calculate the intermediary value $c$, $c = H(y_a, y_b, C, z)$. After having $c$ we calculate $c_1$, $c_1 = c - c_2$. $c_1$ is then used to calculate $s = r - c1 \times a mod q$. The signature is $(c_1, c_2, s)$
|
||||
|
||||
\subsection*{6.3}
|
||||
\subsubsection*{6.3.1}
|
||||
The encryption works because the numbers that were chosen by Alice and Bo b make this equation work
|
||||
$$(m^{r_a})^{r_b} = m (\text{mod } p)$$
|
||||
\subsubsection*{6.2.2}
|
||||
No because Alice only needs Bob's public key which is publicly avaiable
|
||||
|
||||
which means that
|
||||
\subsubsection*{6.2.3}
|
||||
The signature is verified if the equation holds
|
||||
$$c_1 + c_2 = H(y_a, y_b, C, g^s\times y_a^{c_1} \times y_b^{c_2} mod p )$$
|
||||
|
||||
$$(((m^{r_{a\text{ alice}}})^{r_{a\text{ bob}}})^{r_{b\text{ alice}}})^{r_{b\text{ bob}}} = m (\text{mod } p)$$
|
||||
\subsubsection*{6.2.4}
|
||||
No, because the signature is generated from multiple public keys and Alice's private key; therefore Chris will not be able to tell who signed the contract
|
||||
|
||||
in this case $r_a$ from alice cancels $r_b$ from alice, and $r_a$ from bob cancels $r_b$ from bob
|
||||
\subsubsection*{6.3.2}
|
||||
To send an encrypted message using this system between 2 people, i.e. Alice and Bob:
|
||||
\begin{enumerate}
|
||||
\item Bob and Alice choose a prime $p$
|
||||
\item The sender, let's say Alice, selects $m$ and two random values $r_{a1}$ and $r_{a2}$ such that $(m^{r_{a1}})^{r_{a2}} = m (\text{mod } p)$
|
||||
\item Alice then calculates $t1 = m^{r_{a1}} (\text{mod } p)$, Alice sends $t1$ to bob.
|
||||
\item Bob selects two random values $r_{b1}$ and $r_{b2}$ such that $(m^{r_{b1}})^{r_{b2}} = m (\text{mod } p)$
|
||||
\item Bob then calculates $t2 = t1^{r_{b1}} (\text{mod } p)$, Bob sends $t2$ to Alice
|
||||
\item Alice then calculates $t3 = t2^{r_{a2}} (\text{mod } p)$, this undoes step 3, then Alice sends $t3$ to bob
|
||||
\item Bob then calculates $m = t3^{r_{b2}} (\text{mod } p)$, this undoes step 5
|
||||
\end{enumerate}
|
||||
\subsubsection*{6.3.3}
|
||||
Information is exchanged 4 times with this crypto system, they choose the primes and then 3 exchanges happen during the encryption process.
|
||||
While for ElGamal you need to exchange information only twice, once to exchange public keys and the second to exchange the encrypted message
|
||||
\subsubsection*{6.3.4}
|
||||
If the discrite logarithm problem is easy to solve then Elgamal is also easy to solve. While for this case the being able to solve the discrite logarithm problem does not help an attacker with breaking the algorithm because the attacker only knows the result of the exponenciation and does not know the value of the base which is publicly known with Elgamal.
|
||||
The Diffle-Hellman problem also does not apply since that problem rellies on. if we know $g^x$ and $g^y$ being able to figure out $g^{xy}$ but on this case the problem is slightly different. Is being able to figure out $(g^x)^y$.
|
||||
\subsection*{6.3}
|
||||
\subsubsection*{6.3.1}
|
||||
The encryption works because the numbers that were chosen by Alice and Bob make this equation work
|
||||
$$(m^{r_a})^{r_b} = m (\text{mod } p)$$
|
||||
|
||||
which means that
|
||||
|
||||
$$(((m^{r_{a\text{ alice}}})^{r_{a\text{ bob}}})^{r_{b\text{ alice}}})^{r_{b\text{ bob}}} = m (\text{mod } p)$$
|
||||
|
||||
in this case, $r_a$ from Alice cancels $r_b$ from Alice, and $r_a$ from Bob cancels $r_b$ from Bob.
|
||||
|
||||
\subsubsection*{6.3.2}
|
||||
To send an encrypted message using this system between 2 people, i.e. Alice and Bob:
|
||||
|
||||
\begin{enumerate}
|
||||
\item Bob and Alice choose a prime $p$
|
||||
\item The sender, let's say Alice, selects $m$ and two random values $r_{a1}$ and $r_{a2}$ such that $(m^{r_{a1}})^{r_{a2}} = m (\text{mod } p)$
|
||||
\item Alice then calculates $t1 = m^{r_{a1}} (\text{mod } p)$, Alice sends $t1$ to bob.
|
||||
\item Bob selects two random values $r_{b1}$ and $r_{b2}$ such that $(m^{r_{b1}})^{r_{b2}} = m (\text{mod } p)$
|
||||
\item Bob then calculates $t2 = t1^{r_{b1}} (\text{mod } p)$, Bob sends $t2$ to Alice
|
||||
\item Alice then calculates $t3 = t2^{r_{a2}} (\text{mod } p)$, this undoes step 3, then Alice sends $t3$ to bob
|
||||
\item Bob then calculates $m = t3^{r_{b2}} (\text{mod } p)$, this undoes step 5
|
||||
\end{enumerate}
|
||||
|
||||
\subsubsection*{6.3.3}
|
||||
Information is exchanged 4 times with this crypto system, they choose the primes and then 3 exchanges happen during the encryption process.
|
||||
|
||||
While for ElGamal you need to exchange information only twice, once to exchange public keys and the second to exchange the encrypted message
|
||||
|
||||
\subsubsection*{6.3.4}
|
||||
If the discrete logarithm problem is easy to solve, then Elgamal is also easy to solve. While for this case, the being able to solve the discrete logarithm problem does not help an attacker with breaking the algorithm; because the attacker only knows the result of the exponentiation and does not know the value of the base. This is not the case with Elgamal, where the base is publicly known.
|
||||
|
||||
The Diffie-Hellman problem also does not apply, since that problem relies on. If we know $g^x$ and $g^y$ being able to figure out $g^{xy}$ but in this case the problem is slightly different. It is being able to figure out $(g^x)^y$.
|
||||
|
||||
Therefore, this crypto system can not be broken by being able to break the discrete logarithm problem
|
||||
|
||||
Therefore this crypto system can no be broken by being able to break the discrete logarithm problem
|
||||
|
||||
\section*{7}
|
||||
\subsection*{7.1}
|
||||
$$v1 = (137, 312), v2 = (215, -187)$$
|
||||
$$u1 = (1975,438), u2 = (7548, 1627)$$
|
||||
\subsection*{7.1}
|
||||
$$v1 = (137, 312), v2 = (215, -187)$$
|
||||
$$u1 = (1975,438), u2 = (7548, 1627)$$
|
||||
|
||||
$$B = \begin{pmatrix}
|
||||
137 & 312 \\
|
||||
215 & -187 \\
|
||||
\end{pmatrix}$$
|
||||
$$U = \begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}$$
|
||||
$$B = \begin{pmatrix}
|
||||
137 & 312 \\
|
||||
215 & -187 \\
|
||||
\end{pmatrix}$$
|
||||
$$U = \begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}$$
|
||||
|
||||
A:
|
||||
A:
|
||||
|
||||
$$det(L)=|det(B)|=|-92699|=92699$$
|
||||
$$det(L)=|det(B)|=|-92699|=92699$$
|
||||
|
||||
$$H(B)=(\frac{det(L)}{\|v1\|\times\|v2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{v1_1^2 + v1_2^2}\times\sqrt{v2_1^2 + v2_2^2}})^\frac{1}{2}=$$
|
||||
$$H(B)=(\frac{det(L)}{\|v1\|\times\|v2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{v1_1^2 + v1_2^2}\times\sqrt{v2_1^2 + v2_2^2}})^\frac{1}{2}=$$
|
||||
|
||||
$$=\frac{\sqrt{92699}}{9427678922^{\frac{1}{4}}}\approx0.977094\approx0.98$$
|
||||
$$=\frac{\sqrt{92699}}{9427678922^{\frac{1}{4}}}\approx0.977094\approx0.98$$
|
||||
|
||||
$$H(U)=(\frac{det(L)}{\|u1\|\times\|u2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{u1_1^2 + u1_2^2}\times\sqrt{u2_1^2 + u2_2^2}})^\frac{1}{2}=$$
|
||||
$$=\frac{\sqrt{92699}}{243990681350077^{\frac{1}{4}}}\approx0.0770361\approx0.077$$
|
||||
$$H(U)=(\frac{det(L)}{\|u1\|\times\|u2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{u1_1^2 + u1_2^2}\times\sqrt{u2_1^2 + u2_2^2}})^\frac{1}{2}=$$
|
||||
$$=\frac{\sqrt{92699}}{243990681350077^{\frac{1}{4}}}\approx0.0770361\approx0.077$$
|
||||
|
||||
B:
|
||||
$$w = (30548, 6642)$$
|
||||
$$\begin{cases}
|
||||
30548=137t_1 + 215t_2\\
|
||||
6642=312t_1 + -187t_2\\
|
||||
\end{cases}= \begin{cases}
|
||||
t_1 = \frac{7140506}{92699}\\
|
||||
t_2 = \frac{8621022}{92699}\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 77.03\\
|
||||
t_2 \approx 93\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 77\\
|
||||
t_2 \approx 93\\
|
||||
\end{cases}
|
||||
$$
|
||||
B:
|
||||
$$w = (30548, 6642)$$
|
||||
$$\begin{cases}
|
||||
30548=137t_1 + 215t_2\\
|
||||
6642=312t_1 + -187t_2\\
|
||||
\end{cases}= \begin{cases}
|
||||
t_1 = \frac{7140506}{92699}\\
|
||||
t_2 = \frac{8621022}{92699}\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 77.03\\
|
||||
t_2 \approx 93\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 77\\
|
||||
t_2 \approx 93\\
|
||||
\end{cases}$$
|
||||
|
||||
$$v'=77(137,312) + 93(215,-187)=(30544, 6633)$$
|
||||
$$r=w-v'=(4, 9)$$
|
||||
$$v'=77(137,312) + 93(215,-187)=(30544, 6633)$$
|
||||
$$r=w-v'=(4, 9)$$
|
||||
|
||||
$$
|
||||
w = v'\times m + r\iff
|
||||
m= (30544, 6633)\times\begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}^{-1}\iff
|
||||
m=(4,3)
|
||||
$$
|
||||
$$w = v'\times m + r\iff
|
||||
m= (30544, 6633)\times\begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}^{-1}\iff
|
||||
m=(4,3)$$
|
||||
|
||||
The plaintext is $(4, 3)$ and the $r=(4,9)$
|
||||
The plaintext is $(4, 3)$ and the $r=(4,9)$
|
||||
|
||||
C:
|
||||
$$\begin{cases}
|
||||
30548=1975t_1 + 7548t_2\\
|
||||
6642=438t_1 + 1627t_2\\
|
||||
\end{cases}= \begin{cases}
|
||||
t_1 = \frac{432220}{92699}\\
|
||||
t_2 = \frac{262074}{92699}\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 4.66\\
|
||||
t_2 \approx 2.83\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 5\\
|
||||
t_2 \approx 3\\
|
||||
\end{cases}
|
||||
$$
|
||||
C:
|
||||
$$\begin{cases}
|
||||
30548=1975t_1 + 7548t_2\\
|
||||
6642=438t_1 + 1627t_2\\
|
||||
\end{cases}= \begin{cases}
|
||||
t_1 = \frac{432220}{92699}\\
|
||||
t_2 = \frac{262074}{92699}\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 4.66\\
|
||||
t_2 \approx 2.83\\
|
||||
\end{cases}=\begin{cases}
|
||||
t_1 \approx 5\\
|
||||
t_2 \approx 3\\
|
||||
\end{cases}
|
||||
$$
|
||||
|
||||
$$v'=5(1975,438) + 3(7548, 1627)=(32519, 7071)$$
|
||||
$$v'=5(1975,438) + 3(7548, 1627)=(32519, 7071)$$
|
||||
|
||||
|
||||
$$
|
||||
w = v'\times m' + r\iff
|
||||
m'= (32519, 7071)\times\begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}^{-1}\iff
|
||||
m'=(5,3)
|
||||
$$
|
||||
$$
|
||||
w = v'\times m' + r\iff
|
||||
m'= (32519, 7071)\times\begin{pmatrix}
|
||||
1975 & 438\\
|
||||
7548 & 1627\\
|
||||
\end{pmatrix}^{-1}\iff
|
||||
m'=(5,3)
|
||||
$$
|
||||
|
||||
Using $u_1$ and $u_2$ we do not dectypt correctly $m\ne m'$
|
||||
|
||||
Using $u_1$ and $u_2$ we do not dectypt correctly $m\ne m'$
|
||||
|
||||
\subsection*{7.2}
|
||||
No, he should not.
|
||||
If $r$ is not changed, then we could submit to the oracle $(1,0)$ and $(2,0)$ and if the oracle gives us 2 cipher texts that are the same then we know that $b = 1$ and if they are different, then we know its $b=0$ therefore not changing the $r$ is not secure.
|
||||
|
||||
\subsection*{7.2}
|
||||
No he should not.
|
||||
If r is not changed then we could submit to the oracle (1,0) and (2,0) and if the oracle gives us 2 cipher texts that are the same then we know that b = 1 and if they are different then we know its b=0 therefore not changing the r is not secure.
|
||||
|
||||
|
||||
\section*{References}
|
||||
|
Reference in New Issue
Block a user