#### CSCI 7000 - Crypto Seminar -
Spring 2003

### Assignment #6

##### Due: Never

1. Suppose Bob has an RSA cryptosystem with a large modulus n which is
impractical for any adversary to factor. Alice has a message she wishes
to send to Bob which is a string of uppercase alphabetical characters without
spaces or punctuation. For example, the message might be "HELLOTHERE".
In order to encode her message, she first converts each letter to a number
between 0 and 25 using the normal method: A is 0, B is 1, C is 2, ... ,
and Z is 25. This yields a list of numbers, each number being between
0 and 25. Then she encrypts each of these numbers as usual with Bob's
RSA public key. For example, if she has the message "HI", this results
in the numbers 7 and 8. If Bob's public key is (n=18721, e=25), then
the ciphertext is 7^{25} mod 18721, 8^{25} mod 18721.
Explain why this is a poor use of RSA by giving an attack on this system.
You cannot assume that you can factor n. Illustrate your attack by
decrypting the following ciphertext which was generated using the
public key (n=18721, e=25):

18718, 13444, 4644, 13444, 1437, 0, 17173, 13444

2. Suppose we use two different RSA public keys (n, e1) and (n, e2) where
e1 is not equal to e2. In
other words, the modulus n is the same, but the public exponents are
different. Explain how you can recover the plaintext M if you are
given C1 = M^{e1} mod n and C2 = M^{e2} mod n.

3. As we well-know, CBCMAC is secure only if the number of blocks in the
length of the message is fixed. We define a new MAC called XMAC which
is a modification of CBCMAC attempting to allow msgs of *any* length.
XMAC is defined as follows: choose two random keys, K and L, where K is
a 56-bit DES key and L is a 64-bit string. Let CBCMAC_{K} be
the CBCMAC over DES with key K.
Now define XMAC(M) = CBCMAC_{K}(M) xor L. Please answer the
following two questions, giving a convincing argument for your answers.

- Is XMAC secure over messages with a fixed block-length?
- Is XMAC secure over messages of any block length?

4. Describe how to find the remaining WEP-key bytes K[4..7] by extending
the attack we covered in class.