Exercise 4

Prob 1. Bob is a paranoid cryptographer who does not trust dedicated hash functions such as
SHA1 and SHA-2. Bob decided to build his own hash function based on some ideas from number
theory. More precisely, Bob decided to use the following hash function: H(m)= m2 mod n, n= p
× q, where p and q are two large distinct primes. Does this hash function satisfy the one-wayness
property? What about collision resistance? Explain.

Sol. Since p and q are secret, then finding the square root mod n is a hard problem. Thus this hash
function satisfies the one-wayness property. On the other hand, H does not satisfy the weak/strong
collision resistance property because for any m, -m would also have the same hash value, i.e.,
H(m)=H(-m).

Prob. 2 Consider a (4,3) Shamir secret sharing scheme with p=17. Show how the secret can be
recovered from the following shares: (1,10), (2,16), and (3,2).

Sol.
Form 3 equations in 3 unknowns.
10=a0+a1+a2 mod 17
16=a0+2a1+4a2 mod 17
2=a0+3 a1+9a2 mod 17
=> a0=1, a1=2 and a2=7. Thus the secret =a0=1

Prob. 3 Let x=111 and y=19301. Factor n=21311 using the fact that x2 ≡y2 mod n.

Ans.
Note that
x2=y2 mod n -> x2-y2 =0 mod n -> (x-y)(x+y)=0 mod n ->
(x-y)(x+y)=Kn=Kpq for some integer K). Let K=k1 K2. Thus we have
(x-y)=k1 p & x-y)=k2 q
Then we can factor n as follows:
gcd(x ±y,n)=p or q.

Prob. 4 Suppose Bob has an RSA Cryptosystem with a large modulus n for which the factorization
cannot be found in a reasonable amount of time. Suppose Alice sends a message to Bob by
representing each alphabetic character as an integer between 0 and 25 (i.e., A<->0, B<->1, etc.),
and then encrypting each residue modulo n as a separate plaintext character. Describe how Ever can
easily decrypt a message which is encrypted in this way.

Ans. Eve can construct a lookup table for all the valid 26 ciphertexts by encrypting the letters A to
Z using Bob’s public key. Then Eve can use this table (or more precisely the inverse of this table)
tp decrypt any ciphertext encrypted by Alice.
Prob. 5 . Determine the problems in the following protocol in which A wants to establish a shared
session key with B using the help of a trusted authority S

A→S: A, B
S→A: KAB
A→B: A, KAB

Ans. The key is sent in the clear.