KEY MANAGEMENT; OTHER PUBLIC-KEY CRYPTOSYSTEMS
10.7 An elliptic curve is one that is described by cubic equations, similar to those used for calculating the circumference of an ellipse. In general, cubic equations for elliptic curves take the form
$y^2 + axy + by = x^3 + cx^2 + dx + e$
where $a$, $b$, $c$, $d$, and $e$ are real numbers and $x$ and $y$ take on values in the real numbers.
10.8 Also called the point at infinity and designated by O. This value serves as the additive identity in elliptic-curve arithmetic.
10.9 If three points on an elliptic curve lie on a straight line, their sum is O.
ANSWERS TO PROBLEMS
10.1 a. $Y_A = 7^5 \bmod 71 = 51$
b. $Y_B = 7^{12} \bmod 71 = 4$
c. $K = 4^5 \bmod 71 = 30$
10.2 a. (11) = 10
$2^{10} = 1024 = 1 \bmod 11$
If you check $2^n$ for $n < 10$, you will find that none of the values is 1 mod 11.
b. 6, because $2^6 \bmod 11 = 9$
c. $K = 3^6 \bmod 11 = 3$
10.3 For example, the key could be $x_A^g x_B^g = (x_A x_B)^g$. Of course, Eve can find that trivially just by multiplying the public information. In fact, no such system could be secure anyway, because Eve can find the secret numbers $x_A$ and $x_B$ by using Fermat’s Little Theorem to take $g$-th roots.
10.4 $x_B = 3$, $x_A = 5$, the secret combined key is $(3^3)^5 = 3^{15} = 14348907$.
10.5 1. Darth prepares for the attack by generating a random private key $X_D$ and then computing the corresponding public key $Y_D$.
2. Alice transmits $Y_A$ to Bob.
3. Darth intercepts $Y_A$ and transmits $Y_D$ to Bob. Darth also calculates $K2 = (Y_A)^{X_D} \bmod q$.
4. Bob receives $Y_D$ and calculates $K1 = (Y_D)^{X_B} \bmod q$.
5. Bob transmits $X_A$ to Alice.
6. Darth intercepts $X_A$ and transmits $Y_D$ to Alice. Darth calculates $K1 = (Y_B)^{X_D} \bmod q$.
7. Alice receives $Y_D$ and calculates $K2 = (Y_D)^{X_A} \bmod q$.
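The substitution in answer 10.5, carried through with numbers, as an added example that is not part of the original solutions. It reuses the toy parameters of answer 10.1 (q = 71, generator 7, $X_A$ = 5, $X_B$ = 12); Darth's private key 9 and all function names are constructed for illustration. The last function is the defender's check: a received public value is accepted only if it matches one obtained over an authenticated channel.

```python
# Added example: unauthenticated Diffie-Hellman with and without key substitution.
Q, ALPHA = 71, 7  # toy parameters from answer 10.1


def public_key(x):
    """Y = alpha^X mod q."""
    return pow(ALPHA, x, Q)


def run_exchange(xa, xb, xd=None):
    """Return the values each party ends up with.

    With xd set, Darth replaces the public value in both directions with
    his own Y_D, as in steps 3 and 6 of the answer.
    """
    ya, yb = public_key(xa), public_key(xb)
    if xd is None:
        alice_received, bob_received = yb, ya
    else:
        alice_received = bob_received = public_key(xd)
    view = {
        "alice_received": alice_received,
        "bob_received": bob_received,
        "alice_key": pow(alice_received, xa, Q),  # K2 when Darth is present
        "bob_key": pow(bob_received, xb, Q),      # K1 when Darth is present
    }
    if xd is not None:
        view["darth_k1"] = pow(yb, xd, Q)  # shared with Bob
        view["darth_k2"] = pow(ya, xd, Q)  # shared with Alice
    return view


def substitution_detected(received, authenticated):
    """True when the received public value differs from the authenticated one."""
    return received != authenticated


if __name__ == "__main__":
    honest = run_exchange(5, 12)
    mitm = run_exchange(5, 12, xd=9)  # 9 is a constructed private key for Darth
    print("honest:", honest)
    print("with Darth:", mitm)
    print("Alice detects:", substitution_detected(mitm["alice_received"], public_key(12)))
```

Without the final comparison, Alice and Bob each complete the protocol normally and have no way to notice that their keys differ.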
10.6 From Figure 10.7, we have, for private key XB, B's public key is YBXBmod q. 1. User B computes C1 XBmod qkXBmod q.
ButK YB kmod qXBmod qkmod qkXBmod q
So step 1 enables user B to recover K.
2. Next, user B computes $(C_2 K^{-1}) \bmod q = KMK^{-1} \bmod q = M$, which is the desired plaintext.
10.7 a. (49, 57)
b. $C_2 = 29$
10.8 a. For a vertical tangent line, the point of intersection is infinity. Therefore 2Q = O.
b. 3Q = 2Q + Q = O + Q = Q.
10.9 We use Equation (10.1), which defines the form of the elliptic curve as $y^2 = x^3 + ax + b$, and Equation (10.2), which says that an elliptic curve over the real numbers defines a group if $4a^3 + 27b^2 \neq 0$.
a. For $y^2 = x^3 - x$, we have $4(-1)^3 + 27(0) = -4 \neq 0$.
b. For $y^2 = x^3 + x + 1$, we have $4(1)^3 + 27(1) = 21 \neq 0$.
10.10 Yes, since the equation holds true for $x = 4$ and $y = 7$:
$7^2 = 4^3 - 5(4) + 5$
$49 = 64 - 20 + 5 = 49$
10.11 a. First we calculate $R = P + Q$, using Equations (10.3).
$\Delta = (8.5 - 9.5)/(-2.5 + 3.5) = -1$
$x_R = 1 + 3.5 + 2.5 = 7$
$y_R = -8.5 - (-3.5 - 7) = 2$
$R = (7, 2)$
b. For $R = 2P$, we use Equations (10.4), with $a = -36$
$x_r = [(36.75 - 36)/19]^2 + 77$
10.13
x     $(x^3 + x + 6) \bmod 11$    square roots mod p?    y
0     6                           no
1     8                           no
2     5                           yes                    4, 7
3     3                           yes                    5, 6
4     8                           no
5     4                           yes                    2, 9
6     8                           no
7     4                           yes                    2, 9
8     9                           yes                    3, 8
9     7                           no
10    4                           yes                    2, 9
10.14 The negative of a point $P = (x_P, y_P)$ is the point $-P = (x_P, -y_P \bmod p)$. Thus –P = (5, 9); –Q = (3, 0); –R = (0, 11)
10.15 We follow the rules of addition described in Section 10.4. To compute 2G = (2, 7) + (2, 7), we first compute
$= (3 \times 2^2 + 1)/(2 \times 7) \bmod 11$
$= 13/14 \bmod 11 = 2/3 \bmod 11 = 8$
Then we have
$x_3 = 8^2 - 2 - 2 \bmod 11 = 5$
$y_3 = 8(2 - 5) - 7 \bmod 11 = 2$
2G = (5, 2)
Similarly, 3G = 2G + G, and so on. The result:
2G = (5, 2)    3G = (8, 3)    4G = (10, 2)    5G = (3, 6)
6G = (7, 9)    7G = (7, 2)    8G = (3, 5)     9G = (10, 9)
10G = (8, 8)   11G = (5, 9)   12G = (2, 4)    13G = (2, 7)
10.16 a. $P_B = n_B G = 7(2, 7) = (7, 2)$. This answer is seen in the preceding table.
b. $C_m = \{kG, P_m + kP_B\}$
= {3(2, 7), (10, 9) + 3(7, 2)} = {(8, 3), (10, 9) + (3, 5)} = {(8, 3), (10, 2)}
c. $P_m$ = (10, 2) – 7(8, 3) = (10, 2) – (3, 5) = (10, 2) + (3, 6) = (10, 9)
10.17 a. $S + kY_A = M - kx_AG + kx_AG = M$.
b. The imposter gets Alice’s public verifying key $Y_A$ and sends Bob $M$, $k$, and $S = M - kY_A$ for any $k$.
10.18 a. $S + kY_A = M - x_AC_1 + kY_A = M - x_AkG + kx_AG = M$.
b. Suppose an imposter has an algorithm that takes as input the public $G$, $Y_A = x_AG$, Bob’s $C_1 = kG$, and the message $M$ and returns a valid signature which Bob can verify as $S = M - kY_A$ and Alice can reproduce as $M - x_AC_1$. The imposter intercepts an encoded message $C_m = \{k'G', P_m + k'P_A\}$ from Bob to Alice where $P_A = n_AG'$ is Alice’s public key. The imposter gives the algorithm the input $G = G'$, $Y_A = P_A$, $C_1 = k'G'$, $M = P_m + k'P_A$ and the algorithm computes an $S$ which Alice could "verify" as $S = P_m + k'P_A - n_Ak'G' = P_m$.
c. Speed, likelihood of unintentional error, opportunity for denial of service or traffic analysis.
ANSWERS TO QUESTIONS
11.1 Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.
Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
11.2 At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
11.3 Message encryption, message authentication code, hash function.
11.4 Error control code, then encryption.
11.5 An authenticator that is a cryptographic function of both the data to be authenticated and a secret key.
11.6 A hash function, by itself, does not provide message authentication. A secret key must be used in some fashion with the hash function to produce authentication. A MAC, by definition, uses a secret key to calculate a code used for authentication.
11.7 Figure 11.5 illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:
a. The message plus concatenated hash code is encrypted using symmetric encryption.
b. Only the hash code is encrypted, using symmetric encryption.
c. Only the hash code is encrypted, using public-key encryption and using the sender's private key.
d. If