Cryptography: Private vs Public Key Systems

Questions and Answers

In a private key cryptosystem, what must be true of the encryption and decryption functions, $e_k$ and $d_k$, for a given key $k$?

• $e_k(d_k(m)) = d_k(e_k(m))$ for all messages $m$
• $e_k(d_k(m)) = m$ for all messages $m$
• $d_k(e_k(m)) = m$ for all messages $m$ (correct)
• Both A and B

In a public key cryptosystem, encryption functions depend on both the public and private keys.

False (B)

What is the primary advantage of public key cryptosystems over private key cryptosystems regarding key exchange?

No need to exchange a key beforehand or exchange any information in secret.

The inverse of a one-way function is ______ to compute without knowledge of the corresponding trapdoor information, but is easy to compute with the trapdoor.

hard

Match the properties to the type of cryptosystem that exhibits them:

Faster encryption/decryption speeds = Private Key Cryptosystem Eliminates the need for secure key exchange = Public Key Cryptosystem Requires a pre-shared secret key = Private Key Cryptosystem Both parties have symmetric encryption/decryption capabilities = Private Key Cryptosystem

What is the worst-case number of division steps required by the Euclidean algorithm to compute $gcd(a, b)$ where $a > b > 1$?

$2 + 2log_2(b)$ (A)

The Euclidean algorithm needs at least $log_2(b)$ division steps for ALL pairs of integers a, and b.

False (B)

According to the provided text, what sequence is used to prove that the Euclidean algorithm needs at least $log_2(b)$ division steps for infinitely many integers?

Fibonacci sequence

In each step of the Euclidean algorithm, the remainders $r_i$ decrease by a factor of at least 2 every ______ steps.

two

If applying the Euclidean algorithm to compute gcd(a, b) results in the following divisions with remainders: $a = q_1b + r_2$ $b = q_2r_2 + r_3$ $r_2 = q_3r_3 + r_4$ $r_3 = q_4r_4 + 0$, what is the value of gcd(a, b)?

$r_4$ (C)

Given that 151 is prime and $5^{601} \equiv 5 \pmod{151}$, according to Fermat's Little Theorem, what is the result of $a^{k} \equiv \pmod{151}$?

a (C)

If p is a prime number, then for all integers $a$, where $a$ is not divisible by $p$, $a^{p} = a(mod p)$

False (B)

Assuming a system of congruences leads to the equation $12 + k \equiv 2 \pmod{15}$, what is the equivalent value of k?

5

If 2 is a primitive root modulo 53, then $ord(4) =$ ______

26

Match the congruence relation with its solutions if 2 is a primitive root in $F_{53}$ and $4^x \equiv 11 \pmod{53}$:

$4^x \equiv 11 \pmod{53}$ = $x \equiv 3 \pmod{26}$

In the context of a discrete logarithm problem (DLP) to the base g in group G, what are you trying to find given an element h G?

An integer x such that gx = h. (D)

Shank's Babystep-Giantstep algorithm does NOT require precomputation of any values.

False (B)

If the group is (Z/NZ, +) with addition as the group operation, and g is relatively prime to N, how can the DLP to base g be solved very quickly?

By finding the multiplicative inverse of g modulo N

Pollard's rho method has O(1) requirement for ______

storage

Match these DLP algorithms with its complexities

Shank's Babystep-Giantstep = O(N log N) steps Pollard's rho = O(N) steps

In digital signature schemes, what is a practical use case?

Verifying software updates are from the original authors. (D)

Larger documents are easier to sign directly without using hashes for digital signature algorithms.

False (B)

What makes it hard for attackers to claim any documents have been signed with a known signature?

It is hard for attackers to map the same hash.

Instead of signing a message, you sign the ______

hash

In the Pohlig-Hellman theorem, when does it allow one to solve DLPs quickly in Fp?

when p-1 only has small prime factors (D)

The Pohlig-Hellman theorem applies only when the base g has PRIME order.

False (B)

What implications does the Pohlig-Hellman theorem have for choices of primes to use when picking a prime p and a primitive root in Fp for use as a base for a DLP if you want the DLP to be secure?

One should pick p so that p-1 has at least one large prime factor

The Pohlig-Hellman theorem allows one to solve DLPs quickly in $F_p$ if $p - 1$ only has ______ prime factors.

small

Match each step to the correct phase of RSA usage by Alice wanting to receive secure messages:

Others encrypt messages using Alice's setup. = Encryption Alice sets up what is needed to receive others' encrypted message. = Setup Alice can decrypt received messages = Decryption

According to the best approaches known, what mathematical problem underpins the security of RSA?

Factoring large numbers (B)

The quadratic sieve method has polynomial running time

False (B)

What is one of the best attack methods for breaking RSA?

Factoring n

The Miller-Rabin test is used to help generate large ______ needed for RSA.

primes

Given p=503, g=53 and h=204, which of these equations uses table data to compute logg(h)?

logg(h) = 88 + 2logg(2) + logg(3) + logg(5) (C)

Index calculus is likely to succeed in generating a table using smoothness since enough smooth numbers are likely to be hit.

True (A)

What does the number of the number of solutions the Hasse bound say about the number of points of $E(F_p)$

That the number of points of E(Fp) is p + 1 + tp where |tp| 2p.

Elliptic curves have DLP algorithms performing at ______ that of O(p)

better

If computing square roots mod p is quick if p \equiv 3 mod 4, then, is that for fast powering Alice and Bob for the Elliptic curve Diffie Helman is required to ?

True (B)

Pollard's and lenstra's equation method algorithms work in

The same way

What does lenstra do if N = pq a product of two primes p<Q?

factorization method (A)

If lenstra is run to try to invert N for elliptisic curve but it is not invertible in Z/NZ what is its equivalent equation according to the text

111 P = 0 over 743 (A)

Flashcards

Private Key Cryptosystem

A cryptosystem using the same key for encryption and decryption.

Public Key Cryptosystem

A cryptosystem using separate keys for encryption (public) and decryption (private).

One-Way Function with Trapdoor

An easily computed invertible function whose inverse is hard to compute without specific 'trapdoor' knowledge.

Advantage of Public Key

Public Key Cryptosystem does not need secure pre-exchange and changes keys easy

Advantage of Private Key

Private key systems are more faster computationally and have symmetric capabilities

Practical Cryptosystem

Fast Encryption, fast decryption with key, slow decryption without.

Secure Against Known Plaintext Attack

Knowing a ciphertext/plaintext pair doesn't help decrypt others.

Secure Against Chosen Plaintext Attack

Picking a plaintext and getting the ciphertext doesn't help decrypt others.

Euclidean Algorithm

Successively perform division with remainder until a remainder of 0 is found.

Euclidean Algorithm Termination

The Euclidean Algorithm is guaranteed to terminate in a limited number of steps.

Discrete Logarithm Problem

Problem of finding x: g^x = h in group G.

Shanks's Babystep-Giantstep Algorithm

Algorithm for solving DLP by collision finding.

Shanks's Steps

Baby-step Giant-step needs less steps and O(√N) .

Pollard's rho Storage

Pollard's rho Algorithm needs small storage requirements.

DLP in (Z/NZ, +)

DLP converted to basic algebra because it's easy.

Use for Digital Signature

Verifies document approval by a specific party.

Hashing Function

Outputs a short, unique 'fingerprint' of a document.

Pohlig–Hellman Theorem

Reduces DLP difficulty if the group order has only small prime factors

RSA Parameter Implications

Ensures RSA security by selecting primes with at least one big prime factor

Generate Large Primes for RSA

Pick random integers and test if primes until we have found two

Index Calculus

Algorithm to solve DLP to compute factorisation.

Pollard's p-1

Based on multiplication over Fp

Lenstra Elliptic Curve

Based on addition on elliptic curve over Z/NZ.

If 11P=O

There exist one more point after calculation.

Study Notes

Private Key Cryptosystem Framework

• A private key cryptosystem consists of a set M of allowable plaintexts and a set C of ciphertexts
• It also has a set K of keys
• For each key k ∈ K, there's a pair of functions: encryption ek: M → C and decryption dk: C → M
• These functions ensure that dk(ek(m)) = m for all m ∈ M
• ek are called encryption functions, and dk are decryption functions

Public Key Cryptosystem Framework

• Public key systems' keys consist of private (kpriv) and public (kpub) key pairs
• Encryption functions only depend on the public key: ek = ekpub
• Decryption depends on the private key
• ekpub should be a one-way function: easily invertible with kpriv knowledge but hard without it
• kpriv, the private key, is trapdoor information

Public Key Cryptosystem Advantages

• Public key systems eliminate the need for prior key exchange or secret information sharing
• They also facilitate frequent key changes

Private Key Cryptosystem Advantages

• Private key systems are generally faster
• Communicating parties possess symmetric encryption and decryption capabilities

Practical Cryptosystem Requirements

• Practical cryptosystems should encrypt and decrypt fast using respective keys
• Decrypting without the decryption key should be computationally slow

Security Against Plaintext Attacks

• A system secure against known plaintext attacks means knowing ciphertext/plaintext pairs (c, m) or knowing a number of such pairs doesn't help decrypt other ciphertexts
• Systems secure against chosen plaintext attacks mean being able to pick a plaintext 'm' and getting its corresponding ciphertext 'c' shouldn't make decrypting other ciphertexts easier

Euclidean Algorithm Description

• The Euclidean Algorithm involves performing successive division with remainder
• Continue succeeding divisions until a remainder of 0 is hit
• At the end, gcd(a, b) = rn, where 'rn' is the last non-zero remainder

Euclidean Algorithm Termination Proof

• The remainders ri decrease by a factor of at least 2 every two steps
• Provided that 2k + 1 < n, b = r1 > 2r3 > 2^2r5 > ... > 2^kr2k+1 ≥ 2^k
• Taking k = floor((n-1)/2), it's shown that k < log2(b) which implies n ≤ 2 + 2log2(b)

Euclidean Algorithm Minimum Steps for Fibonacci Sequence

• Using Fibonacci sequence ak+1 = ak + ak-1, set a = an+1 and b = an
• The described algorithm then outputs: an+1 = an + an-1, an = an-1 + an-2... a3 = a2 + a1, a2 = 2a1 + 0
• This takes n steps to complete

Minimum Step Bound on Fibonacci Sequence

• Since an ≤ 2n (shown via ak+1 ≤ 2ak and a1 = 1), it algorithm takes: n > log2(an) = log2(b) steps to complete
• Infinitely many choices of n result in infinitely many different integers b

Fermat's Little Theorem Application

• Since 151 is prime, a^k ≡ a (mod 151) when k ≡ 1 (mod 150)
• Since 601 ≡ 1 (mod 150), 5^601 ≡ 5 (mod 151)

Solving Congruences

• Convert first congruence to x, plug into second congruence, and find all solutions to the coefficient
• Use coefficient to formulate all solutions in Z

Discrete Logarithm Problem (DLP)

• Given h ∈ G, a DLP seeks an integer x such that g^x = h, if it exists

Shank's Babystep-Giantstep Algorithm

• Assume g has order N and you want to solve g^x= h
• Compute n= ceil(sqrt(N)) + 1
• Compute two lists: L1 = 1, g, g^2,..., g^n and L2 = h, hg^-n, hg^-2n,...,hg^-n^2
• Find a collision: g^j = hg^-kn; then g^(j+kn) = h so x = j+kn

Shank's Babystep-Giantstep Steps and Storage

• The algorithm needs O(√N log N) steps, which is the size of the lists to compute them (including sorting and searching).
• Needs storage of O(√N) in general to store the two lists

Pollard's Rho Method Advantages and Disadvantages

• Pollard's rho has a storage requirement of O(1)
• Main disadvantage is that its analysis relies on probabilistic reasoning with a function not known to be sufficiently 'mixing', with an expected running time of O(√N) otherwise

DLP with Addition as Operation

• In the group (Z/NZ, +), the DLP g^x = h (multiplicative notation) becomes gx = h (additive notation)
• Find g^-1 quickly using the Extended Euclidean Algorithm, and then compute x = g^-1h (mod N)
• Running time is then O(log N)

Digital Signature Schemes

• Digital signature schemes are used practically in verifying software updates from original authors and proving approvals by a particular party for presented documents

Steps in Digital Signature Scheme

• Compute a hash of the document and feeds it to a hashing functions which outputs and short interger
• One signs the shortened hash instead

Hashing

• Signatures are usually the same size or bigger compared to documents needing to be signed, feeding the document to a specific hashing function outputs a short integer h
• Make it computationally infeasible to come up with any other documents/attack vectors mapping to the same hash

Pohlig-Hellman Theorem

• The Pohlig-Hellman theorem applies to solving a DLP to a base g, when the order N of g is known to factor as N = (q1^e1)(q2^e2)...(qt^et), where the qi are distinct primes

Picking a Prime P for DLP

• Select a prime p so that p - 1 has at least one large prime factor
• Pohlig-Hellman can solve DLPs quickly in Fp if P - 1 only has small prime factors

Miller-Rabin Test in RSA Parameter generation

• Miller-Rabin test can help generate large primes for RSA, by picking large integers at random and testing primality until 2 likely primes are hit
• Prime number theorem ensures success after not too many attempts since a proportion 1/log N of all integers below N are prime
• Miller-Rabin test effectively ID's primes since at least 75% of numbers below and odd composite n, are Miller-Rabin witnesses for n's composite numbers

Pollard's Rho vs Lenstra's Elliptic Curve Factorization

• While Pollard's algorithm works in multiplication over Fp, Lenstra's elliptic curve factorization uses addition on an elliptic curve over Z/NZ

Lenstra's Elliptic Curve Factorization Running Time

• It has ~O(e^(sqrt2((log p) (log log p))) - average time
• It's better than quadratic sieve if N = pq is a product of two primes with p < q (N having relatively small prime factor will make it better)