Homework 2 Solutions: 1 Security Protocols
1 Security Protocols
1. (3 points) Three-pass protocol. Suppose Alice and Bob decide to use the following “three-pass
protocol” to set up a shared secret session key K. First, Alice chooses a random K. Alice also
generates a random secret one-time pad key $K_A$ and XORs it with K. She sends $M_1 = K_A \oplus K$
to Bob. Bob generates a random secret one-time pad key $K_B$, XORs what he receives
with it to compute $M_2 = M_1 \oplus K_B$, and sends $M_2$ to Alice. Alice computes $M_3 = M_2 \oplus K_A$
and sends $M_3$ to Bob, who recovers K as $M_3 \oplus K_B$. Note that $K_A$ is known only to Alice,
$K_B$ only to Bob.
• Step 1. Alice selects a large prime number p and a multiplicative generator α (mod p).
Both p and α are made public.
• Step 2. Alice picks a secret random x, with 1 ≤ x ≤ (p − 2). She sends $M_A = \alpha^x$ (mod p).
• Step 3. Bob picks a secret random y, with 1 ≤ y ≤ (p − 2). He sends $M_B = \alpha^y$ (mod p).
• Step 4. Using the received messages, Bob and Alice compute the shared session key K.
Alice calculates K with the knowledge of her secret and Bob’s message, by computing
$M_B^x$ (mod p). Similarly, Bob computes $M_A^y$ (mod p).
Here is a man-in-the-middle attack on DHKE that differs from the one studied in class. It has the
“advantage” that Eve does not have to intercept and retransmit all the messages between
Alice and Bob.
Suppose Eve discovers that p = Mq + 1, where q is an integer and M is small. Eve intercepts
$\alpha^x$ (mod p) and $\alpha^y$ (mod p) sent by Alice and Bob in steps 2 and 3 respectively. Eve sends
Bob $(\alpha^x)^q$ (mod p) as message $M_A$ in step 2, and sends Alice $(\alpha^y)^q$ (mod p) in step 3. Step
4 proceeds as described, but using the modified values of $M_A$ and $M_B$.
• (2 points) Show that Alice and Bob calculate the same key K′.
Solution. Alice computes K′ as $(M_B)^x$ (mod p). Eve tampers with the exchange, sending $(\alpha^y)^q$ (mod p)
as $M_B$. So Alice computes $((\alpha^y)^q)^x$ (mod p) as K′, which is $\alpha^{xyq}$ (mod p). Similarly, Bob
computes K′ as $(M_A)^y$ (mod p). Eve tampers, sending $(\alpha^x)^q$ (mod p) as $M_A$, so
Bob computes K′ as $((\alpha^x)^q)^y$ (mod p), which is the same K′ that Alice computes ($\alpha^{xyq}$
(mod p)).
• (3 points) Show that there are only M possible values for K′, so Eve may find K′ by
exhaustive search.
Hint. Recall that the generator α is specially chosen. It generates all elements between 1
and p under the exponentiation operation without repeats. Therefore, $\alpha^{p-1} = 1$ (mod p).
Solution. The exponent of α that results in the computation of K′ is (xyq); let us term
this value t. We know that (p − 1) is Mq. There must exist some n, r such that xy =
nM + r, where r = (xy) (mod M). So, we get:
$$
\begin{aligned}
K' &= \alpha^{xyq} \pmod{p} \\
   &= \alpha^{(nM + r)q} \pmod{p} \\
   &= \alpha^{nMq + rq} \pmod{p} \\
   &= (\alpha^{nMq})(\alpha^{rq}) \pmod{p} \\
   &= ((\alpha^{Mq})^{n})(\alpha^{rq}) \pmod{p}
\end{aligned}
$$
By Fermat’s Theorem (also restated in the hint), $\alpha^{Mq}$ is 1 (mod p), so
$$K' = (1)(\alpha^{rq}) \pmod{p}$$
Since r can only take values between 0 and (M − 1), the exponent has to be one of M
multiples of q. Eve knows q and M is small, so she can exhaustively search for K′.
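The confinement of K′ to M values can be checked numerically. The following Python sketch is an added example, not part of the original solutions: it runs the tampered exchange with constructed toy parameters (p = 607 = 6 · 101 + 1, so M = 6 and q = 101) and lists the M candidate keys. The receiver-side check `has_small_order` is an assumption of this example, not something the homework describes.

```python
import random

# Constructed toy parameters: p = M*q + 1 with small M (607 = 6*101 + 1 is prime).
P, M, Q = 607, 6, 101

def find_generator(p, prime_factors):
    """Smallest alpha of order p-1: alpha^((p-1)/f) != 1 for every prime factor f of p-1."""
    for a in range(2, p):
        if all(pow(a, (p - 1) // f, p) != 1 for f in prime_factors):
            return a

ALPHA = find_generator(P, [2, 3, 101])   # p - 1 = 606 = 2 * 3 * 101

def tampered_exchange(x, y):
    """Keys (Alice's, Bob's) when each public value is raised to the q-th power in transit."""
    m_a = pow(pow(ALPHA, x, P), Q, P)    # what Bob receives as M_A
    m_b = pow(pow(ALPHA, y, P), Q, P)    # what Alice receives as M_B
    return pow(m_b, x, P), pow(m_a, y, P)

def candidate_keys():
    """The M values alpha^(r*q) mod p, r = 0..M-1, that K' must lie in."""
    return {pow(ALPHA, r * Q, P) for r in range(M)}

def has_small_order(value, bound=M):
    """Receiver-side check (added here): True if value^k = 1 (mod p) for some k <= bound."""
    return any(pow(value, k, P) == 1 for k in range(1, bound + 1))

def observed_keys(trials, seed=0):
    """Distinct K' values seen over many random secrets 1 <= x, y <= p-2."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        k_alice, k_bob = tampered_exchange(rng.randint(1, P - 2), rng.randint(1, P - 2))
        assert k_alice == k_bob
        seen.add(k_alice)
    return seen

if __name__ == "__main__":
    print("candidates:", sorted(candidate_keys()))
    print("observed  :", sorted(observed_keys(500)))
```

A receiver that rejects values for which `has_small_order` is true refuses the tampered $M_A$ and $M_B$, because each of them has order dividing M.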
2 Secret Sharing
In this section we study secret sharing schemes.
Definition of (n, t) threshold secret sharing scheme. An (n, t) threshold secret sharing scheme is
one where the secret can be efficiently computed given t of the n shares, but any (t − 1) shares
reveal no information about the secret.
1. Shamir polynomial scheme. (4 points) Suppose we are using the scheme based on polynomials modulo
a prime p, as described in class and the lecture notes. This scheme is called the Shamir polynomial
scheme.
• (3 points) You have to set up a (30, 2) Shamir scheme, working mod prime p = 101. Two
of the shares are (1, 13) and (3, 12). Another person received the share (2, ∗), but the
part denoted by ∗ is unreadable. What is the correct value of ∗?
Solution. Let the polynomial be $M + S_1 x$ (mod 101). The polynomial has degree 1
because we need 2 shares to be sufficient to reconstruct the secret M.
Substituting for the two given shares,
$M + 1 \times S_1 = 13$ (mod 101)
$M + 3 \times S_1 = 12$ (mod 101)
Writing it in matrix form,
$$\begin{pmatrix} 1 & 1 \\ 1 & 3 \end{pmatrix} \begin{pmatrix} M \\ S_1 \end{pmatrix} = \begin{pmatrix} 13 \\ 12 \end{pmatrix} \pmod{101}$$
Solving the set of equations, the result is:
$$\begin{pmatrix} M \\ S_1 \end{pmatrix} = \begin{pmatrix} 27/2 \\ -1/2 \end{pmatrix} \pmod{101}$$
We are working (mod 101), and we need the coefficients mod 101. Since we know that
1/2 ≡ 51 (mod 101), we can replace 1/2 (mod 101) with 51. Therefore,
M ≡ 27 (1/2) (mod 101) ≡ 27 (51) (mod 101) ≡ 64 (mod 101).
Similarly,
$S_1$ ≡ −51 (mod 101)
The polynomial is thus
64 − 51x (mod 101)
The third share is simply an evaluation of this polynomial at x = 2, which is 63.
• Extensibility. (1 point) It is easy to extend Shamir’s polynomial mod p scheme to add
new users. Show how you could extend an (n, t) Shamir scheme to an (n + 1, t) scheme
that includes an extra user, without changing the shares for the existing n users.
Solution. Simply evaluate the polynomial at another point $x_{n+1}$, and give $(x_{n+1}, f(x_{n+1}))$
as the new share. No changes to existing shares are needed for this.
• Military office (4 points) A certain military office consists of 1 general, 2 colonels and
5 desk clerks. They have control of a powerful missile. They don’t want the missile
launched unless the general decides to launch it, or the 2 colonels decide to launch it, or
the 5 desk clerks decide to launch it, or 1 colonel and 3 desk clerks decide to launch it.
Describe how you would realize this policy with a secret sharing scheme.
Solution. Distribute the shares of a (30, 10) threshold scheme as follows: the general
gets 10 shares, each colonel gets 5 shares, and each desk clerk gets 2 shares. At least 10
shares are needed to get the secret.
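The two Shamir solutions above and the military-office share assignment, as an added Python example that is not part of the original solutions: Lagrange interpolation mod 101 recovers the unreadable share and produces a share for an extra user, and a (30, 10) dealing shows which staff coalitions reach the threshold. The helper names, the share x-coordinates 1..30 and the sample secret are assumptions of this example.

```python
import random

P = 101  # prime modulus from the homework problem

def interpolate(shares, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(shares) through the shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def deal(secret, t, n, rng, p=P):
    """Shares (1, f(1)) .. (n, f(n)) of a random degree-(t-1) polynomial with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p)
            for x in range(1, n + 1)]

# Share counts from the solution: general 10, each colonel 5, each desk clerk 2.
STAFF = [("general", 10)] + [("colonel", 5)] * 2 + [("clerk", 2)] * 5

def hand_out(shares):
    """Split the 30 shares among the 8 staff members, in STAFF order."""
    bundles, pos = [], 0
    for role, count in STAFF:
        bundles.append((role, shares[pos:pos + count]))
        pos += count
    return bundles

def recover(bundles, members, t=10):
    """Pool the bundles at the given STAFF indices; None if fewer than t shares result."""
    pooled = [s for m in members for s in bundles[m][1]]
    return interpolate(pooled[:t], 0) if len(pooled) >= t else None

if __name__ == "__main__":
    known = [(1, 13), (3, 12)]                      # the two readable shares
    print("share at x=2:", interpolate(known, 2))   # the unreadable share
    print("secret M    :", interpolate(known, 0))
    bundles = hand_out(deal(42, 10, 30, random.Random(7)))  # 42 is a constructed secret
    print("1 colonel + 3 clerks:", recover(bundles, [1, 3, 4, 5]))
    print("1 colonel + 2 clerks:", recover(bundles, [1, 3, 4]))
```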
• XOR created shares. (3 points) Consider the following secret sharing scheme. To share
a secret $a \in \{0, 1\}^{\ell}$ among a group of n people, we choose n − 1 values $a_1, a_2, \ldots, a_{n-1}$
independently at random, where each $a_i \in \{0, 1\}^{\ell}$. We select $a_n = a \oplus a_1 \oplus a_2 \oplus \ldots \oplus a_{n-1}$.
We then distribute $a_i$ to the ith person in the group.
(a) (1 point) Is this a secure (n, n) threshold secret sharing scheme? Solution. Yes.
(b) (2 points) If your answer in the previous sub-part is ‘yes’, specifically:
– Show that a can be recovered from the n shares.
– Argue that any (n − 1) shares do not reveal any information about a.
If your answer in the previous sub-part is ‘no’, then either show that a cannot be
recovered from all the n shares, or that fewer than n shares are sufficient to recover
some information about a.
Solution. If all n shares are present, then a can be computed as $a_1 \oplus a_2 \oplus \ldots \oplus a_n$.
Suppose we have 1 share missing, say $a_i$. Then at best we can compute $(a \oplus a_i)$, the XOR of
the remaining shares. Since $a_i$ is chosen at random, the quantity $(a \oplus a_i)$ is akin to a
one-time pad encryption, which reveals no information about a.
(c) Visual Secret Sharing. (7 points) It turns out that you don’t need computers or
sophisticated mathematics to realize secret sharing - you can implement even some
of the more complex secret sharing scenarios using nothing but transparency sheets
that can be overlaid on one another.
Suppose we decide to store a secret key text as a black-and-white image, say I. We
would ideally like to break the image I into two image shares, say $I_1$ and $I_2$, such
that neither $I_1$ nor $I_2$ provides any information about I individually, but if the two
are superimposed one on top of the other then I “pops out”.
To do this, the following idea is proposed: each pixel in I will be converted into a
2 × 2 square of sub-pixels in $I_1$ and $I_2$. In $I_1$, we choose the shape of that sub-pixel
square to be one out of the patterns shown below (in Figure 1) at random.
[Figure 1: Two possible patterns for a sub-pixel block in $I_1$ and $I_2$. (X denotes a black sub-pixel.)]
[Figure 2: Revised scheme. Three possible patterns for a sub-pixel block in $I_1'$, $I_2'$ and $I_3'$. (X denotes a black sub-pixel.)]
• Step 1. Peggy chooses a random number $r_1$ and lets $r_2 = s r_1^{-1}$ (mod n), such that $r_1 r_2 = s$ (mod n).
She computes $x_1 = r_1^2$ (mod n) and $x_2 = r_2^2$ (mod n), and sends $x_1$ and $x_2$ to Victor.
• Step 2. Victor checks that $x_1 x_2 = y$ (mod n), then chooses either $x_1$ or $x_2$ at random
and asks Peggy to supply a square root of it. He checks that it is a correct square root.
The first two steps are repeated in several rounds, until Victor is convinced. It should be
clear that of course, if Peggy knows s, the procedure works without problems.
• (3 points) Suppose Peggy does not know s. Can she construct two numbers $x_1$, $x_2$ for
each of which she knows the square roots, and such that $x_1 x_2 = y$ (mod n)? Why or
why not? How does this fact help Victor find out that she does not know s?
Solution. No, she cannot know such $x_1$ and $x_2$. We can prove it by contradiction.
Suppose she does not know s but knows such $x_1$ and $x_2$. Let their square roots be $a_1$ and $a_2$
respectively, which Peggy knows. If so, then $a_1 a_2$ is the square root of y (as $(a_1 a_2)^2 = x_1 x_2$ (mod N)),
which can be computed by Peggy. This violates the assumption that
Peggy does not know s.
• (3 points) Suppose, however, that Peggy predicts correctly that Victor will always ask for
the square root of $x_2$. How can she compute $x_1$ and $x_2$ such that the method always falsely
convinces Victor that Peggy knows s at Step 2 of each round? (The trivial solution is to
send $x_2 = 1$; this is easily detected and Victor is smart enough to check for this case.)
Solution. Peggy picks a random r (mod N) such that gcd(r, N) = 1. At step 1 she
sends $x_2 = r^2$ (mod N) and $x_1 = x_2^{-1} y$ (mod N). She sends r as the square root of $x_2$
in step 2.
• (3 points) Suppose that Victor chooses to ask Peggy for the square root of either $x_1$ or $x_2$
randomly in Step 2. Peggy does not know s, and tries her luck in each round by guessing
whether Victor will ask for $x_2$ or not in step 2. She constructs $x_1$, $x_2$ using her guess, in
the way you’ve devised in the previous sub-part, and sends them to Victor. What is the
probability that Victor is falsely convinced that Peggy knows s after t = 10 rounds of
the method?
Solution. She could compute either $x_1$ or $x_2$ using a random r as shown above. With
probability p, Victor asks her for the same $x_i$ that was computed from $r^2$ (mod
N) only and requires no use of s. The probability that Victor asks for this $x_i$ in
any given step is 0.5. Thus, after t rounds, p = $(0.5)^t$. Substituting t = 10, p = $(0.5)^{10}$.
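A simulation of the rounds analysed above, as an added Python example that is not part of the original solutions. The modulus 3233, the secret 1234 and the relation y = s² (mod n) are constructed assumptions, since the problem setup is not reproduced on this page; index 0 stands for $x_1$ and index 1 for $x_2$.

```python
import math
import random

N = 61 * 53      # constructed toy modulus; a real n would be far too large to factor
S = 1234         # Peggy's secret (constructed)
Y = S * S % N    # public value, assumed to satisfy y = s^2 (mod n)

def blind(rng):
    """Random invertible r whose square is neither 1 nor y, so no x_i equals 1."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1 and r * r % N not in (1, Y):
            return r

def honest_commit(rng):
    """Step 1 with knowledge of s: r1 random, r2 = s * r1^-1, so r1 * r2 = s."""
    r1 = blind(rng)
    r2 = S * pow(r1, -1, N) % N
    return (r1 * r1 % N, r2 * r2 % N), (r1, r2)

def cheating_commit(rng, guess):
    """Step 1 without s: x_guess = r^2 has a known root, the other x is y * x_guess^-1."""
    r = blind(rng)
    xg = r * r % N
    other = Y * pow(xg, -1, N) % N
    return ((xg, other), (r, None)) if guess == 0 else ((other, xg), (None, r))

def victor_round(xs, roots, challenge):
    """Step 2: check x1 * x2 = y, reject the trivial x = 1, verify the requested root."""
    if xs[0] * xs[1] % N != Y or 1 in xs:
        return False
    root = roots[challenge]
    return root is not None and root * root % N == xs[challenge]

def cheat_success_rate(rounds, trials, rng):
    """Fraction of trials in which a guessing prover survives all `rounds` rounds."""
    wins = 0
    for _ in range(trials):
        wins += all(victor_round(*cheating_commit(rng, rng.randrange(2)), rng.randrange(2))
                    for _ in range(rounds))
    return wins / trials

if __name__ == "__main__":
    rng = random.Random(1)
    print("1 round  :", cheat_success_rate(1, 20000, rng))
    print("10 rounds:", cheat_success_rate(10, 20000, rng), "vs", 0.5 ** 10)
```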