Cryptography 8, Exercises - Computer Science, Exercises of Cryptography and System Security

Prof. Salil Vadhan, Computer Science, Cryptography, Merkle Trees, Harvard, Exercises

Typology: Exercises

2010/2011

Uploaded on 10/29/2011


CS 120/CSCI E-177: Introduction to Cryptography

Problem Set 8

Assigned: Dec. 7, 2006 Due: FRI Dec. 15, 2006 (1:10 PM)

Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.

Problem 1. (Authentication + Encryption) Let $(G_E, E, D)$ be a private-key encryption scheme secure against chosen plaintext attack and let $(G_M, M, V)$ be a secure message authentication code (i.e. one that is existentially unforgeable under chosen message attack). Alice wants to send Bob a message $m$ in a private and authenticated way. They share a secret key $k = (k_1, k_2)$, where $k_1 \stackrel{R}{\leftarrow} G_E$ and $k_2 \stackrel{R}{\leftarrow} G_M$.

Consider her sending each of the following as means to this end. For each, say whether you think it is secure or not, and briefly justify your answer. In analyzing these, you should assume that the primitives have the properties guaranteed by their definitions, but no more. For an option to be good it must work for every choice of secure encryption scheme and secure authentication scheme. Thus, to show that one is not good, you should find a secure encryption scheme and authentication scheme which make the result insecure. For the cases which are good, you don’t need to give a formal proof, just intuition. Out of all the ones you deemed secure, which would you prefer in terms of performance?

Note that this question is considered in Katz–Lindell §4.7, except that they use security against chosen ciphertext attack as their notion of security for encryption (both for the initial encryption scheme $(G_E, E, D)$ and the combined scheme), which can result in different answers for identical constructions.

  1. $(m, M_{k_2}(E_{k_1}(m)))$
  2. $(E_{k_1}(m), E_{k_1}(M_{k_2}(m)))$
  3. $E_{k_1}(m, a)$, where $a$ denotes a unique identifier for Alice known to Bob (e.g. her Harvard ID number).
  4. $(E_{k_1}(m), M_{k_2}(m, E_{k_1}(m)))$, where both occurrences of $E_{k_1}(m)$ refer to the same ciphertext (i.e. use the same randomness and state).
  5. $(E_{k_1}(m), M_{k_2}(E_{k_1}(m)))$, where again both occurrences of $E_{k_1}(m)$ refer to the same ciphertext.

Extra credit: Suppose the adversary Eve could determine whether messages corrupted or injected by her are accepted or rejected by Bob. Which of the methods you deemed secure above are still secure?

Problem 2. (Off-line/On-line Signatures) Public-key signatures are quite expensive. The idea of designing off-line/on-line signatures is to split the signing process into two components. The off-line component will prepare some information $\sigma_1$ before the message to be signed is known. This component could be a little slow since it is done off-line. The on-line component is performed after the message $m$ arrives. It uses $\sigma_1$ together with $m$ and the signing key to produce the “final” signature $\sigma$. The on-line signature component should be “fast”.

Let $(G, S, V)$ be a standard secure signature scheme, and let $(G', S', V')$ be a secure one-time signature scheme. The signing and verification keys of the off-line/on-line signature scheme will just be a pair of keys $(sk, pk) \stackrel{R}{\leftarrow} G(1^n)$ for the standard signature scheme. In the off-line phase, we pick the random one-time keys $(sk', pk') \stackrel{R}{\leftarrow} G'(1^n)$ and sign $pk'$ using the standard signing key: $\sigma_1 = S_{sk}(pk')$. In the on-line phase, we use the one-time signature to produce $\sigma_2 \stackrel{R}{\leftarrow} S'_{sk'}(m)$. The overall signature is $\sigma = (\sigma_1, \sigma_2, pk')$.

  • What is the verification algorithm for the off-line/on-line scheme?
  • Prove that the off-line/on-line scheme is secure (i.e. is existentially unforgeable under chosen message attack).

Problem 3. (Merkle Trees)

  1. Suppose we have a family of collision-resistant hash functions $H = \{h_k : \{0,1\}^{2n} \to \{0,1\}^n\}_{k \in \{0,1\}^n}$. One way to build collision-resistant hash functions for longer inputs is to use the Merkle–Damgård construction given in class. Another way is to use a Merkle tree, defined as follows. Define $H_k^i : \{0,1\}^{2^i \cdot n} \to \{0,1\}^n$ by setting $H_k^0(x) = x$ and $H_k^{i+1}(x \circ y) = h_k(H_k^i(x) \circ H_k^i(y))$, where $\|x\| = \|y\|$ and $\circ$ denotes concatenation. Show that for $i = O(\log n)$, the family $H^i = \{H_k^i : \{0,1\}^{2^i \cdot n} \to \{0,1\}^n\}$ is collision-resistant.
  2. Suppose you want to be able to detect that no one has tampered with your hard disk $D$ when you are on vacation. One way to accomplish this is to apply a collision-resistant hash function $H_k$ to your entire hard disk $D$, take both the key $k$ and the hash value $z = H_k(D)$ with you (e.g. as a printout or on a USB disk), and check that the hash value is consistent upon return. Then, even if an adversary learns $k$ and $z$, it will be infeasible for the adversary to modify your disk into $D'$ such that $H_k(D') = z$ (by collision resistance). Suppose however, you do not want to spend the time to verify the entire disk upon return, but just a small file (say $n$ bits long). Describe how the verification process can be made more efficient by using $H_k$ constructed from a Merkle tree. (You still only need to bring $k$ and $H_k(D)$ with you on vacation, but you can store more information insecurely at your home computer.)
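
The tree hash defined in part 1, together with one standard way to check a single n-bit block against the root as in the setting of part 2, shown as an added example that is not part of the original problem set. It assumes n = 256 and uses SHA-256 over k ‖ input as a stand-in for h_k; the names `h`, `H`, `auth_path` and `verify_block` and the sample disk are illustrative.

```python
import hashlib

N = 32  # n = 256 bits, expressed in bytes

def h(k: bytes, xy: bytes) -> bytes:
    # Stand-in for h_k : {0,1}^{2n} -> {0,1}^n (assumption: SHA-256 over k || input).
    if len(k) != N or len(xy) != 2 * N:
        raise ValueError("h_k takes an n-bit key and a 2n-bit input")
    return hashlib.sha256(k + xy).digest()

def H(k: bytes, x: bytes) -> bytes:
    # H_k^0(x) = x;  H_k^{i+1}(x . y) = h_k(H_k^i(x) . H_k^i(y)) with equal-length halves.
    if len(x) == N:
        return x
    if len(x) % (2 * N):
        raise ValueError("input length must be 2^i * n bits")
    half = len(x) // 2
    return h(k, H(k, x[:half]) + H(k, x[half:]))

def auth_path(k: bytes, disk: bytes, index: int) -> list:
    # Hash of the sibling subtree at every level, leaf level first.
    path, lo, hi = [], 0, len(disk) // N
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if index < mid:
            path.append(H(k, disk[mid * N:hi * N]))
            hi = mid
        else:
            path.append(H(k, disk[lo * N:mid * N]))
            lo = mid
    return path[::-1]

def verify_block(k: bytes, z: bytes, block: bytes, index: int, path: list) -> bool:
    # Recompute the root from one n-bit block and i sibling values: i calls to h_k.
    node = block
    for sibling in path:
        node = h(k, sibling + node) if index & 1 else h(k, node + sibling)
        index >>= 1
    return node == z

# Constructed sample: a "disk" of 2^3 blocks of n bits each, and a fixed demo key.
K = hashlib.sha256(b"constructed demo key").digest()
DISK = bytes(range(256))
Z = H(K, DISK)                  # the value kept with K while away
PATH = auth_path(K, DISK, 5)    # sibling values, which need no secrecy or integrity

if __name__ == "__main__":
    print(verify_block(K, Z, DISK[5 * N:6 * N], 5, PATH))  # untouched block
    print(verify_block(K, Z, b"\x00" * N, 5, PATH))         # modified block
```

Checking one block costs i evaluations of h_k instead of a pass over all 2^i blocks; the sibling values can be stored untrusted because a substituted value that still reproduces z would be a collision for h_k.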