
Olin Wong

ID# 008435258
CS166 Section 02, Fall 2014
Assignment 04

All sources used to create the answers are drawn from the book or from previous experiences.

1) This problem deals with digital certificates (aka public key certificates)
a) What information must a digital certificate contain?

A digital certificate must contain a user’s name, along with that user’s public key, and the
signature of a certificate authority (CA). Source: the book.

b) What additional information can a digital certificate contain?

You could add in information like the user’s work department and phone number.
Source: the book.

c) Why might it be a good idea to minimize the amount of information in a digital certificate?

The more information there is in the certificate, the higher the chance it will become invalid
due to the reorganization. Source: the book.

2) Suppose that Bob receives Alice’s digital certificate from someone claiming to be Alice.
a) Before Bob verifies the signature on the certificate, what does he know about the identity of
the sender of the certificate?

Nothing much, because certificates are like public keys, everyone can access them.
Source: the book.

b) How does Bob verify the signature on the certificate and what useful information does Bob
gain by verifying the signature?

By using the public key of the CA that Alice is using, he can verify if this certificate is
really Alice’s certificate or not. Because the CA signature means that they have assigned
Alice a special private key that they have only given her. Source: the book.

c) After Bob verifies the signature on the certificate, what does he know about the identity of the
sender of the certificate?

Even if you can check that the signature on the certificate really is Alice’s, you can’t
really know the identity of the sender using this method. Source: the book.

6) Suppose that Alice’s RSA public key is (N, e) = (33, 3) and her private key is d= 7.
a) If Bob encrypts the message M = 19 using Alice’s public key, what is the ciphertext C. Show
that Alice can decrypt C to obtain M.
Encrypt
C = M^e mod N = 19^3 = 6859 = 28 mod 33. C is 28.
Decrypt
M = C^d mod N = 28^7 = 13,492,928,512 = 13492928512 * 33 + 19 = 19 mod 33
Source: the book and google calculator.

b) Let S be the result when Alice digitally signs the message M = 25. What is S? If Bob receives
M and S, explain the process Bob will use to verify the signature and show that in this particular
case, the signature verification succeeds.

S is Alice’s private key. If Bob receives M and S, a.k.a. a digitally signed message, since
he has the public key, he can decrypt. And since Alice should be the only holder of the
private key that pairs with the public key he is using to decrypt, he can verify that this
message really was sent by Alice, or at least someone who has Alice’s private key.
Source: the book.

8) To speed up RSA, it is now possible to choose e = 3 for all users. However, this creates the
possibility of a cube root attack as discussed in this chapter.
a) Explain the cube root attack and how to prevent it.

Because if plaintext M satisfies M < N^(1/3), then C = M^e = M^3. Essentially you can just
compute the cube root of the ciphertext to recover the plaintext. Padding seems to be the
answer for almost everything now. Source: the book.

b) For (N, e) = (33, 3) and d = 7, show that the cube root attack works when M = 3 but not when
M = 4.

Compute the Ciphertext

M = 3: C = M^e mod N, C = 3^3 = 27 = 27 mod 33
M = 4: C = M^e mod N, C = 4^3 = 64 = 31 mod 33

Decrypt the Ciphertext using cube root attack

If M < N^(1/3), then C = M^e = M^3
M = 3, 3 < 33^(1/3) (3.2075), then 27 mod 33 = M^3 and so the cube root of 27 mod 33 is 3.
M = 4, 4 < 33^(1/3) (3.2075), NOPE. Try anyways. 31 mod 33 = M^3, cube root of 31 mod 33 is not 4.
So, cube root attack does not work for M = 4. Source: the book, and google calculator.
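The check from problem 8, as an added example that is not part of the original assignment: it reproduces the (N, e) = (33, 3) cases with exact integer arithmetic, then goes beyond them with a larger modulus to show the padding fix. BIG_N and toy_pad are constructed for illustration; toy_pad is a hypothetical stand-in for real padding such as OAEP.

```python
import secrets

# Constructed sample modulus (product of two well-known primes, both 2 mod 3,
# so e = 3 is a valid exponent); not a value from the assignment.
BIG_N = 1000000007 * 998244353

def icbrt(n: int) -> int:
    """Largest integer r with r**3 <= n, using exact integer arithmetic."""
    lo, hi = 0, 1
    while hi ** 3 <= n:
        hi *= 2
    while hi - lo > 1:              # invariant: lo**3 <= n < hi**3
        mid = (lo + hi) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid
    return lo

def cube_root_recover(c: int):
    """Return M when C is a perfect cube over the integers, else None."""
    r = icbrt(c)
    return r if r ** 3 == c else None

def exposed(m: int, n: int) -> bool:
    """True when M**3 < N, i.e. the modular reduction never happens."""
    return m ** 3 < n

def toy_pad(m: int, n: int) -> int:
    """Hypothetical stand-in for real padding (e.g. OAEP): random high bits
    with the top bit forced, so the encoded value is far above N**(1/3)."""
    bits = n.bit_length() - 1       # keeps the encoded value below N
    msg_bits = bits // 2            # assumption: low half carries the message
    if m >= 1 << msg_bits:
        raise ValueError("message too long for this toy encoding")
    high_bits = bits - msg_bits
    high = secrets.randbits(high_bits - 1) | (1 << (high_bits - 1))
    return (high << msg_bits) | m

if __name__ == "__main__":
    for m in (3, 4):                # the assignment's (N, e) = (33, 3)
        c = pow(m, 3, 33)
        print(m, c, exposed(m, 33), cube_root_recover(c))
    m = 424242                      # constructed short message
    print(exposed(m, BIG_N), cube_root_recover(pow(m, 3, BIG_N)))
    p = toy_pad(m, BIG_N)
    print(exposed(p, BIG_N), cube_root_recover(pow(p, 3, BIG_N)))
```

The exposed() test is the condition to check on the encoded message before encryption: if it is true for any value a sender can produce, the encoding is too short for e = 3.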

10) Consider the RSA public key cryptosystem. The best generally known attack is to factor the
modulus, and the best known factoring algorithm (for a sufficiently large modulus) is the number
field sieve. In terms of bits, the work factor for the number field sieve is
f(n) = 1.9223 n^(1/3) (log2 n)^(2/3), where n is the number of bits in the number being factored. For
example, since f(390) is about 60, the work required to factor a 390-bit RSA modulus is roughly
equivalent to the work needed for an exhaustive search to recover a 61-bit symmetric key.
a) Graph the function f(n) for 1 <= n <= 10,000.
Source: wolframalpha.

b) A 1024-bit RSA modulus N provides roughly the same security as a symmetric key of what
length?

F(n) = 1.9223*(1024^(1/3))*((log base 2 1024)^(2/3) )


A symmetric key of length 89.9334, about 90. Source: book and google calculator.

c) A 2048-bit RSA key modulus N provides roughly the same security as a symmetric key of
what length?

F(n) = 1.9223*(2048^(1/3))*((log base 2 2048)^(2/3) )


A symmetric key of length 120.742, about 121. Source: book and google calculator.

d) What size of modulus N is required to have security roughly comparable to a 256-bit
symmetric key?

256 = 1.9223*(n^(1/3))*((log base 2 n)^(2/3) )


A size of roughly 12,707.2. Source: book and google calculator.
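The calculations in problem 10, as an added example that is not part of the original assignment: it evaluates the work factor f(n) from the problem statement and inverts it by bisection for part d. The function names and the search bounds are assumptions made for this example.

```python
import math

def work_factor(n_bits: float) -> float:
    """f(n) = 1.9223 * n^(1/3) * (log2 n)^(2/3), in bits of symmetric work."""
    return 1.9223 * n_bits ** (1 / 3) * math.log2(n_bits) ** (2 / 3)

def modulus_bits_for(target_bits: float, lo: float = 2.0,
                     hi: float = 1e6, tol: float = 1e-6) -> float:
    """Smallest modulus size n (in bits) with f(n) >= target_bits.

    f is strictly increasing for n >= 2, so bisection on [lo, hi] converges.
    The bounds are assumptions for this example, not values from the book.
    """
    if not work_factor(lo) <= target_bits <= work_factor(hi):
        raise ValueError("target outside the searched range")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if work_factor(mid) < target_bits:
            lo = mid            # still too weak: need a larger modulus
        else:
            hi = mid            # strong enough: try a smaller modulus
    return (lo + hi) / 2

def table(sizes=(1024, 2048, 3072, 4096)):
    """Modulus size -> equivalent symmetric key length, rounded to 0.1 bit."""
    return {n: round(work_factor(n), 1) for n in sizes}

if __name__ == "__main__":
    for n, bits in table().items():
        print(f"{n:5d}-bit modulus ~ {bits} bits of work")
    for target in (128, 256):
        print(f"{target}-bit symmetric key ~ "
              f"{modulus_bits_for(target):.1f}-bit modulus")
```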

15) A digital signature provides for data integrity and a MAC provides for data integrity. Why
does a signature also provide for non-repudiation while a MAC does not?

While both provide integrity, a digital signature provides non-repudiation. Meaning, you
know the message really was from who you thought it was from, or at least the holder of
the private key. Which should only be 1 person, hopefully. Source: the book.

19a) When Alice sends a message M to Bob, she and Bob agree to use the following protocol:
(i) Alice computes S = [M]_Alice
(ii) Alice sends (M, S) to Bob.
(iii) Bob computes V = {S}_Alice
(iv) Bob accepts the signature as valid provided V = M.
With this protocol it’s possible for Trudy to forge Alice’s signature on a random “message” as
follows. Trudy generates a value R. She then computes N = {R}_Alice and sends (N, R) to Bob.
Following the protocol above, Bob computes V = {R}_Alice and, since V = N, Bob accepts the
signature. Bob then believes that Alice sent him the signed nonsense “message” N. As a result,
Bob gets very annoyed with Alice.
a) Is this attack a serious concern, or just an annoyance? Justify your answer.

Well, Trudy is basically just sending random messages that are encrypted using Alice’s
public key. Yes it is an attack, since you don’t know if the message is from Alice or not,
and if Trudy sends them in waves, then Alice’s real message could be lost among the
rubbish. Bob will get a bunch of messages that are supposedly from Alice, but a lot of
them mean nothing. Source: the book and my brain.

22) Consider the knapsack cryptosystem. Suppose the public key consists of (18, 30, 7, 26) and
n = 47.
a) Find the private key, assuming m = 6.

Generate super-increasing knapsack which is the key.


Public key: (18, 30, 7, 26)
Private key# *m = public key #
X6 = 6*X = 6*X mod 47    6*X = 18    x = 3
X6 = 6*X = 6*X mod 47    6*X = 30    x = 5
X6 = 6*X = 6*X mod 47    6*X = 7     x = 7/6
X6 = 6*X = 6*X mod 47    6*X = 26    x = 13/3

Private key: (3, 5, 7/6, 13/3) and 6^(-1) mod 47 = 8


Something feels wrong here :/
Source: the book and my brain+math

b) Encrypt the message M = 1110 (given in binary). Give your result in decimal.

Encrypt 1110
(18, 30, 7, 26) is public key.
18 + 30 + 7 = 55
Ciphertext is now 55.
Source: the book, and notes from class.

23) Prove that for the knapsack cryptosystem, it is always possible to decrypt the ciphertext in
linear time, providing that you know the private key. (Prove, meaning explain.)

It is solvable in linear time because the private key knapsack is super-increasing, which
means that when they want to find the sum, they start at the end of the knapsack (n, n, n,
n, n) of n terms, and can easily find the sum by starting at the greatest and then adding
backwards to the smallest to see if it equals the sum. Source: reading the formulas in
the book and my brain.
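The linear-time decryption from problem 23, as an added example that is not part of the original assignment: one pass from the largest weight to the smallest solves a super-increasing knapsack. The key values below are constructed sample values, not the ones in problem 22, and the function names are assumptions.

```python
# Constructed sample key (not from problem 22).
PRIVATE = [2, 3, 7, 14, 30, 57, 120, 251]   # super-increasing knapsack
M, N = 41, 491                              # multiplier and modulus, gcd = 1

def is_superincreasing(weights) -> bool:
    """Each weight must exceed the sum of all weights before it."""
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True

def public_key(private, m, n):
    """Disguise the easy knapsack: multiply every weight by m modulo n."""
    return [(w * m) % n for w in private]

def encrypt(bits, public) -> int:
    """Ciphertext is the sum of the public weights selected by the 1 bits."""
    return sum(w for b, w in zip(bits, public) if b)

def solve_superincreasing(private, target):
    """Greedy solve in O(len(private)): a single pass, largest weight first.

    If a weight fits it must be taken, because all smaller weights together
    sum to less than it and could never make up the difference.
    """
    bits = [0] * len(private)
    for i in range(len(private) - 1, -1, -1):
        if private[i] <= target:
            bits[i] = 1
            target -= private[i]
    if target != 0:
        raise ValueError("not a valid ciphertext for this key")
    return bits

def decrypt(c, private, m, n):
    """Undo the multiplier with m^-1 mod n, then run the greedy solve."""
    return solve_superincreasing(private, (c * pow(m, -1, n)) % n)

if __name__ == "__main__":
    pub = public_key(PRIVATE, M, N)
    msg = [1, 0, 0, 1, 0, 1, 1, 0]
    c = encrypt(msg, pub)
    print(pub, c, decrypt(c, PRIVATE, M, N))
```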

25) Man in the middle attack. Suppose that Trudy wants to establish a single Diffie-Hellman
value g^(abt) mod p, that she, Alice, and Bob share. Does the attack illustrated below succeed?
Justify your answer.
No, usually Alice and Trudy would be sharing the value g^(at) mod p while Trudy and Bob
would share g^(bt) mod p. Since Trudy establishes secrets with both of them beforehand,
they think they are talking to the other. Trudy can see g^a mod p and g^b mod p, so tries to
create value g^(abt) by integrating his t. But, even if he integrates his t into the other by
making g^(a(bt)) = t and g^(b(at)) = t, Trudy won’t have a “shared key” because he is missing the
owner’s letter, that’s why he can’t have a shared key for 3 people. Source: the book.

30) Suppose that Bob uses the following variant of RSA. He first chooses N, then he finds two
encryption exponents e0 and e1 and the corresponding decryption exponents d0 and d1. He asks
Alice to encrypt the message M to him by first computing C0 = M^e0 mod N, then encrypting C0
to obtain the ciphertext, C1 = C0^e1 mod N. Alice then sends C1 to Bob. Does this double
encryption increase the security as compared to a single RSA encryption? Why or why not?

Not really, if you use a factoring attack in a sort of brute force way, the fact that you did
it twice doesn’t really matter, just makes things slower. If, theoretically, the first time
should be impossible to break, and it is broken, the second layer is based on the first layer
and can be easily computed. Source: the book and my brain.
