Answered step by step
Verified Expert Solution
Question
1 Approved Answer
For reasons, that will become clear, the version of RSA encryption covered in the lecture is called naive RSA in [ Sma 1 6 ]
For reasons, that will become clear, the version of RSA encryption covered in the lecture is called "naive RSA" in Sma In practice, it is recommended that RSA be used with some sort of message padding. A standard way is using optimal asymmetric encryption padding OAEP In this
question, we will cover a simpler version, which at least makes the scheme semantically secure under chosen plaintext attacks. The CEO of the organization XYZ decides to hold a vote to decide whether employees should be allowed to work from home WFH either one, two or three days a week. All employees of XYZ excluding the CEOneed to vote either WFH one", WFH two" or WFH three". To ensure privacy, the CEO asks employees to send their votes by emailing them to the CEO. Furthermore, the CEO tells them to encrypt their votes using her RSA public key The messages are encoded as:
one
two
three
The CEO recieves the sequence of ciphertexts:
where is the ciphertext from employee For completeness, assume the employees are in the order:
Alice, Bob, Charlie, Dave
So eg Bob's ciphertext is
a How many possible sequences of votes are there and why?
b Assume you, the eavesdropper, gets the sequence:After observing this, how many possible sequences of votes are there and why?
c Suppose the CEO's RSA public key is What is Dave's vote? How did you come to this conclusion? Your answer should not involve any decryption. The issue raised above is that naive RSA is deterministic. We would want different ciphertexts, even if the same plaintext is encrypted twice. To do this, instead of letting be from the set dots,we will restrict it to a smaller set, and then use the remaining bits for a random number We will then encrypt instead of Let rin Let be the number of bits in the binary representation of Then, encryption of the message in this "padded" version of RSA is:
Chocse a random rin
Encrypt as
Decryption after receiving is:
Decrypt as
Retrieve the last bits as the message
In practice, we will first convert both and into their integer representations, and then encrypt
d Suppose so can be from the set dots, Assume you, the eavesdropper, gets the sequence:
encrypted via the padded RSA scheme using Without decrypting, find the sequence of votes.
Hint: You can use the following observation in your for loop in PARI to output encryptions. If min
then
e Suppose now that so can be from the set What is the time complexity of your attack from part d Is the attack feasible? If you were an employee, would you recommend this encryption scheme to the CEO?A realworld account of a similar form of data release using deterministically encrypted IDs can be found here CRT
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started