o Original message m = c^d mod n.

Example:

1. Key Generation:

1. Explain RSA algorithm with example? o p = 11, q = 13 (Small primes for simplicity)

Answer: o n = 11 * 13 = 143

RSA (Rivest–Shamir–Adleman) is a widely used asymmetric (public-key) cryptosystem based o φ(n) = (11-1) * (13-1) = 10 * 12 = 120
on the presumed difficulty of factoring large integers.
o Choose e = 7 (since gcd(7, 120) = 1)
Algorithm Steps:
o Find d such that 7 * d ≡ 1 (mod 120). Using Extended Euclidean Algorithm,
1. Key Generation: d = 103 (since 7 * 103 = 721 = 6 * 120 + 1).

o Choose two distinct large prime numbers, p and q. o Public Key: (143, 7)

o Calculate n = p * q. n is the modulus for both public and private keys. o Private Key: (143, 103)

o Calculate Euler's totient function: φ(n) = (p-1) * (q-1). 2. Encryption: Message M = 9 (so m = 9)

o Choose an integer e (public exponent) such that 1 < e < φ(n) and gcd(e, o c = 9^7 mod 143
φ(n)) = 1 (i.e., e and φ(n) are coprime).
o 9^7 = 4,782,969
o Calculate d (private exponent) such that d * e ≡ 1 (mod φ(n)). d is the
o 4,782,969 mod 143 = 48
modular multiplicative inverse of e modulo φ(n).
o Ciphertext c = 48
o Public Key: (n, e)
3. Decryption: Received c = 48
o Private Key: (n, d) (Keep p, q, φ(n) secret).
o m = 48^103 mod 143
2. Encryption: (Alice wants to send message M to Bob)
o Calculating this large power (using modular exponentiation): 48^103 mod
o Alice obtains Bob's public key (n, e).
143 = 9.
o Represent the message M as an integer m such that 0 <= m < n.
o Original message m = 9.
o Ciphertext c = m^e mod n.

o Alice sends c to Bob.

2. Explain different Hash functions?
3. Decryption: (Bob receives ciphertext c)
Answer:
o Bob uses his private key (n, d).
A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size process them sequentially using a compression function, updating an internal state at each
(the "message") to a fixed-size bit string (the "hash value", "hash", or "message digest"). step. The final state is the hash value.
They are fundamental building blocks in cryptography.

Key Properties of Cryptographic Hash Functions:

3. Explain Fermat's Little Theorem?
1. Pre-image Resistance (One-way): Given a hash value h, it should be
Answer:
computationally infeasible to find any message m such that H(m) = h.
Fermat's Little Theorem (FLT) is a fundamental theorem in elementary number theory
2. Second Pre-image Resistance (Weak Collision Resistance): Given a message m1,
concerning properties of integers modulo a prime number.
it should be computationally infeasible to find a different message m2 such that
H(m1) = H(m2). Statement:

3. Collision Resistance (Strong Collision Resistance): It should be computationally If p is a prime number, then for any integer a not divisible by p, the following congruence
infeasible to find any two distinct messages m1 and m2 such that H(m1) = H(m2). holds:
a^(p-1) ≡ 1 (mod p)
Types/Examples:
An alternative form, which holds for any integer a (including those divisible by p) and prime
1. MD Family (Message Digest):
p, is:
o MD5: Produces a 128-bit hash. Widely used historically, but now a^p ≡ a (mod p)
considered broken due to known collision vulnerabilities. Should not be
Conditions:
used for security purposes.
• The modulus p must be a prime number.
2. SHA Family (Secure Hash Algorithm): Developed by NIST (USA).
• For the first form (a^(p-1) ≡ 1 (mod p)), the integer a must not be a multiple of p
o SHA-1: Produces a 160-bit hash. Also considered broken due to practical
(i.e., gcd(a, p) = 1).
collision attacks. Deprecated for most uses.
Explanation & Significance:
o SHA-2: A family including SHA-224, SHA-256, SHA-384, SHA-512. Produce
longer hashes (224-512 bits). SHA-256 and SHA-512 are widely used and • The theorem states that if you take any number a not divisible by a prime p, raise
currently considered secure. They use the Merkle–Damgård construction. it to the power p-1, and divide by p, the remainder will always be 1.
o SHA-3: A newer standard (selected from the Keccak algorithm). Uses a • It provides a property that all prime numbers satisfy.
different internal structure ("sponge construction") than SHA-1/SHA-2.
Offers similar hash lengths (SHA3-224, SHA3-256, etc.) and is considered Applications in Cryptography:
secure. Designed to be resistant to attacks that might affect Merkle–
1. Primality Testing: FLT forms the basis of the Fermat primality test. If a^(n-1) ≢ 1
Damgård based hashes.
(mod n) for some a where gcd(a, n) = 1, then n is definitely composite. However,
General Construction: Most traditional hash functions (MD5, SHA-1, SHA-2) use the the converse is not always true ( Carmichael numbers are composite but satisfy the
Merkle–Damgård construction. They break the input message into fixed-size blocks and congruence for all a).
 2. Modular Multiplicative Inverse: If p is prime and a is not divisible by p, we can find o Calculate the public key y = g^x mod p.
the modular inverse of a modulo p. Since a^(p-1) ≡ 1 (mod p), we can write a *
o Private Key: x
a^(p-2) ≡ 1 (mod p). Therefore, a^(p-2) is the modular inverse of a modulo p. This
is useful in algorithms like RSA key generation (though Euler's theorem is more o Public Key: (p, q, g, y)
general).
3. Signature Generation: (Sign message M)
Example:
Let p = 7 (prime) and a = 3 (not divisible by 7). o Generate a random secret number k (per-message key): 0 < k < q.
According to FLT, 3^(7-1) ≡ 1 (mod 7). Crucially, k must be unique and secret for each signature.
3^6 = 729. o Calculate r = (g^k mod p) mod q. If r=0, choose a new k.
729 ÷ 7 = 104 with a remainder of 1.
So, 729 ≡ 1 (mod 7), confirming the theorem. o Calculate the hash of the message: H(M) (using SHA-2 or similar). Treat
Using the alternative form: 3^7 = 2187. 2187 ÷ 7 = 312 with a remainder of 3. So 3^7 ≡ 3 H(M) as an integer.
(mod 7).
o Calculate s = [k⁻¹ * (H(M) + x*r)] mod q. Where k⁻¹ is the modular
multiplicative inverse of k mod q. If s=0, choose a new k.

4. Explain DSA Algorithm? o Signature: (r, s)

Answer: 4. Signature Verification: (Verify signature (r', s') for message M')

DSA (Digital Signature Algorithm) is a U.S. Federal Government standard (FIPS 186) for o Check if 0 < r' < q and 0 < s' < q. If not, invalid.
digital signatures. It is based on the computational difficulty of the discrete logarithm
o Calculate w = (s')⁻¹ mod q.
problem in a finite field. DSA is used for generating and verifying digital signatures, ensuring
data integrity, authentication, and non-repudiation. o Calculate H(M').

Algorithm Components: o Calculate u1 = (H(M') * w) mod q.

1. Global Public Parameters: (Shared by a group of users) o Calculate u2 = (r' * w) mod q.

o Choose a prime q (e.g., 160, 256 bits). o Calculate v = ((g^u1 * y^u2) mod p) mod q.

o Choose a larger prime p such that (p-1) is a multiple of q (e.g., 1024, 2048, o Verification: The signature is valid if and only if v = r'.
3072 bits).
Security: Relies on the difficulty of computing discrete logarithms (finding x given g, p, y)
o Choose g, a generator of a subgroup of order q modulo p. Calculated as g and the security of the hash function. Reusing k leads to private key compromise.
= h^((p-1)/q) mod p for some h (1 < h < p-1).

2. Key Generation: (Per user)

5. Explain Knapsack cryptosystem with example?
o Choose a private key x randomly: 0 < x < q.
Answer:
The Knapsack cryptosystem is an early public-key cryptosystem based on the subset sum o Since bᵢ = (w * aᵢ) mod m, then C' = ( (∑ pᵢ * bᵢ) * w⁻¹ ) mod m = ( (∑ pᵢ * w
problem (a variation of the knapsack problem), which is NP-complete. The core idea is to * aᵢ) * w⁻¹ ) mod m = ( ∑ pᵢ * aᵢ ) mod m.
use an "easy" knapsack problem as the private key and transform it into a seemingly "hard"
o Because m > ∑ aᵢ, we have C' = ∑ pᵢ * aᵢ.
knapsack problem as the public key.
o Solve the easy subset sum problem for C' using the private
Concept:
superincreasing sequence a to recover the binary plaintext vector P. (Start
• Easy Knapsack (Private): A superincreasing sequence a = (a₁, a₂, ..., from a<0xE2><0x82><0x99>, if C' >= a<0xE2><0x82><0x99>, then
a<0xE2><0x82><0x99>), where each element aᵢ is greater than the sum of all p<0xE2><0x82><0x99>=1 and subtract a<0xE2><0x82><0x99> from C',
preceding elements (aᵢ > ∑ a<0xE2><0x82><0x9D> for j<i). Solving the subset sum else p<0xE2><0x82><0x99>=0. Repeat for a<0xE2><0x82><0x99>₋₁ etc.).
problem for such a sequence is easy using a greedy approach.
Example:
• Hard Knapsack (Public): The superincreasing sequence a is transformed into a
1. Key Generation:
general-looking sequence b = (b₁, b₂, ..., b<0xE2><0x82><0x99>) using modular
arithmetic. This b is the public key. o a = (2, 3, 6, 13, 27) (superincreasing)

Merkle-Hellman Knapsack Cryptosystem (Example Variant): o ∑ aᵢ = 51. Choose m = 60 (m > 51).

1. Key Generation: o Choose w = 7 (gcd(7, 60) = 1).

o Choose a superincreasing sequence a = (a₁, ..., a<0xE2><0x82><0x99>). o w⁻¹ = 43 (since 7 * 43 = 301 = 5 * 60 + 1 ≡ 1 (mod 60)).

o Choose a modulus m such that m > ∑ aᵢ. o b₁ = (7 * 2) mod 60 = 14

o Choose a multiplier w such that gcd(w, m) = 1. o b₂ = (7 * 3) mod 60 = 21

o Calculate the public key sequence b where bᵢ = (w * aᵢ) mod m. o b₃ = (7 * 6) mod 60 = 42

o Calculate the modular inverse w⁻¹ such that w * w⁻¹ ≡ 1 (mod m). o b₄ = (7 * 13) mod 60 = 91 mod 60 = 31

o Public Key: b = (b₁, ..., b<0xE2><0x82><0x99>) o b₅ = (7 * 27) mod 60 = 189 mod 60 = 9

o Private Key: (a, m, w, w⁻¹) o Public Key: b = (14, 21, 42, 31, 9)

2. Encryption: (Plaintext P is a binary vector P = (p₁, ..., p<0xE2><0x82><0x99>)) o Private Key: ( (2, 3, 6, 13, 27), 60, 7, 43 )

o Ciphertext C = ∑ (pᵢ * bᵢ) (sum of public key elements corresponding to 1s 2. Encryption: Plaintext P = (1, 0, 1, 1, 0)
in the plaintext).
o C = p₁b₁ + p₂b₂ + p₃b₃ + p₄b₄ + p₅b₅ = 1*14 + 0*21 + 1*42 + 1*31 + 0*9 =
3. Decryption: (Received Ciphertext C) 14 + 42 + 31 = 87.

o Calculate C' = (C * w⁻¹) mod m. 3. Decryption: Received C = 87

o C' = (87 * 43) mod 60 = 3741 mod 60 = 21.

 o Solve subset sum for C' = 21 using a = (2, 3, 6, 13, 27): o Mitigation: Ensure d is large enough, typically around the same order of
magnitude as n.
▪ 21 < 27 -> p₅ = 0
3. Low Public Exponent Attacks:
▪ 21 >= 13 -> p₄ = 1, C' = 21 - 13 = 8
o Description: Using a small public exponent e (like e=3) speeds up
▪ 8 >= 6 -> p₃ = 1, C' = 8 - 6 = 2
encryption. However:
▪ 2 < 3 -> p₂ = 0
▪ If the message m is small such that m^e < n, then c = m^e.
▪ 2 >= 2 -> p₁ = 1, C' = 2 - 2 = 0 Decryption becomes a simple e-th root calculation over integers,
easily done.
o Recovered plaintext P = (1, 0, 1, 1, 0).
▪ Related Message Attack: If the same message m is sent to e
Status: Most knapsack cryptosystems, including Merkle-Hellman, have been broken by recipients with the same small e but different moduli nᵢ, an
attacks exploiting the underlying mathematical structure (e.g., using lattice reduction attacker can recover m using the Chinese Remainder Theorem.
algorithms like LLL). They are primarily of historical interest.
o Mitigation: Use proper padding schemes (like OAEP) before encryption.
Avoid sending the exact same unpadded message to multiple recipients
6. Explain different attacks on RSA Algorithm? with small e. e = 65537 (2^16 + 1) is common, balancing efficiency and
security.
Answer:
4. Chosen Ciphertext Attacks (CCA):
RSA's security relies on the difficulty of factoring the modulus n. Attacks target this
assumption or exploit weaknesses in implementation or parameter choices. o Description: An attacker obtains the decryption of chosen ciphertexts
(which may not be related to the target ciphertext). If RSA is used without
1. Factoring Attacks: proper padding ("textbook RSA"), it's highly vulnerable. Bleichenbacher's
attack demonstrated CCA against RSA with PKCS#1 v1.5 padding used in
o Description: If an attacker can factor the public modulus n into its prime
SSL/TLS.
factors p and q, they can calculate φ(n) = (p-1)(q-1). Knowing φ(n) and the
public exponent e, they can easily compute the private exponent d using o Mitigation: Use CCA-secure padding schemes like OAEP (Optimal
the Extended Euclidean Algorithm (d * e ≡ 1 (mod φ(n))). Asymmetric Encryption Padding).
o Mitigation: Use sufficiently large prime factors p and q (e.g., 1024 bits 5. Timing Attacks / Side-Channel Attacks:
each for a 2048-bit modulus n) to make factorization computationally
infeasible with current algorithms and hardware. o Description: Attackers measure the time taken for decryption operations
(or other side channels like power consumption). Variations in time can
2. Low Private Exponent Attacks (Wiener's Attack): leak information about the private key d, especially if modular
exponentiation is implemented naively.
o Description: If the private exponent d is chosen too small (e.g., d < (1/3)
* n^(1/4)), Wiener's attack using continued fractions can efficiently o Mitigation: Use constant-time implementation techniques for modular
recover d from the public key (n, e). exponentiation. Employ blinding: multiply the ciphertext by a random
 number before decryption and adjust the result afterward, randomizing o Represent the message M as an integer m such that 1 ≤ m < p. (Note: m=0
the intermediate values and execution time. often problematic).

6. Common Modulus Attack: o Choose a random secret integer k (ephemeral key) such that 1 ≤ k < p-1.
k must be unique for each message.
o Description: If multiple users share the same modulus n but have
different public/private exponent pairs (e₁, d₁), (e₂, d₂), etc. If the same o Calculate c₁ = g^k mod p.
message m is encrypted with two different public keys (n, e₁) and (n, e₂)
o Calculate the shared secret s = y^k mod p = (g^x)^k mod p = g^(xk) mod
resulting in c₁ and c₂, the attacker might recover m.
p.
o Mitigation: Never share the same modulus n between different entities.
o Calculate c₂ = m * s mod p = m * y^k mod p.

o Ciphertext: (c₁, c₂) (Ciphertext is twice the size of the plaintext).

7. Explain ELGAMAL Cryptosystem?
o Alice sends (c₁, c₂) to Bob.
Answer:
3. Decryption: (Bob receives ciphertext (c₁, c₂))
The ElGamal cryptosystem is an asymmetric (public-key) algorithm for encryption, based on
o Bob uses his private key x.
the Diffie-Hellman key exchange principle. Its security relies on the computational difficulty
of the discrete logarithm problem (DLP) in a finite group. o Calculate the shared secret s = c₁^x mod p = (g^k)^x mod p = g^(kx) mod
p.
Algorithm Steps:
o Calculate the modular multiplicative inverse of s modulo p, denoted s⁻¹.
1. Key Generation:
o Recover the original message m = (c₂ * s⁻¹) mod p.
o Choose a large prime number p.
▪ Verification: (c₂ * s⁻¹) mod p = (m * y^k * (c₁^x)⁻¹) mod p = (m *
o Choose a generator g (a primitive root modulo p, or generator of a
g^(xk) * (g^(kx))⁻¹) mod p = m mod p.
suitable subgroup).
Properties:
o Choose a private key x randomly such that 1 ≤ x < p-1.
• Probabilistic Encryption: The same plaintext encrypted multiple times will result
o Calculate the public key y = g^x mod p.
in different ciphertexts because of the random choice of k. This enhances security
o Public Key: (p, g, y) against chosen-plaintext attacks compared to textbook RSA.

o Private Key: x • Security: Relies on the difficulty of the Discrete Logarithm Problem (finding x given
p, g, y) and the related Computational Diffie-Hellman problem (finding g^(xk) given
2. Encryption: (Alice wants to send message M to Bob)
g^x and g^k).
o Alice obtains Bob's public key (p, g, y).
 • Efficiency: Encryption requires two modular exponentiations, decryption requires o Bob compares the result V with the hash he computed h'.
one exponentiation and one modular inverse. Generally slower than RSA for
o Verification: If V = h', the signature is valid. This verifies that:
encryption but comparable for decryption.
▪ The message was signed by the owner of the private key
corresponding to the public key used (Authentication).
8. Explain RSA Digital Signature?
▪ The message has not been altered since it was signed (Integrity).
Answer:
▪ The sender cannot deny signing the message (Non-repudiation,
The RSA algorithm can be used not only for encryption but also for creating digital assuming secure key management).
signatures, providing data integrity, authentication, and non-repudiation. The process
▪ If V ≠ h', the signature is invalid (either the message was altered,
essentially reverses the roles of the public and private keys compared to encryption.
the signature is wrong, or the wrong public key was used).
Algorithm Steps:
Padding Schemes: In practice, "textbook" RSA signing as described above is insecure.
1. Key Generation: Same as RSA encryption. Standardized padding schemes like PKCS#1 v1.5 padding or PSS (Probabilistic Signature
Scheme) are crucial. These schemes format the hash H(M) before applying the RSA
o Generate an RSA key pair: Public Key (n, e), Private Key (n, d).
operation, preventing various cryptographic attacks (e.g., existential forgery). PSS is
2. Signature Generation: (Alice wants to sign message M) generally preferred for new applications.

o Alice uses her private key (n, d).

o First, compute a cryptographic hash of the message M: H(M). This ensures 9. Explain different Attacks on digital signature?
integrity and creates a fixed-size input for RSA. Common hash functions
Answer:
include SHA-256. Let h = H(M).
Attacks on digital signature schemes aim to forge signatures or compromise the security
o Apply the RSA private key operation (decryption function) to the hash h:
properties (authenticity, integrity, non-repudiation) they provide. Attacks can be
S = h^d mod n
categorized by the information and capabilities available to the attacker.
o The value S is the digital signature for message M.
1. Key-Only Attack:
o Alice sends the message M along with the signature S to Bob: (M, S).
o Attacker Knows: Only the signer's public key.
3. Signature Verification: (Bob receives message M' and signature S')
o Goal: Forge a valid signature for any message. This is the hardest scenario
o Bob uses Alice's public key (n, e). for the attacker. A secure signature scheme must resist this.

o Bob computes the hash of the received message M': H(M'). Let h' = H(M'). o Example: Trying to find the private key from the public key or finding
mathematical weaknesses in the algorithm itself without message-
o Bob applies the RSA public key operation (encryption function) to the signature examples.
received signature S':
V = (S')^e mod n 2. Known Message Attack:
 o Attacker Knows: Public key and a set of messages along with their 5. Collision Attack on Hash Function:
corresponding valid signatures.
o Description: If the hash function H used in the signature scheme is not
o Goal: Forge a valid signature for a different, specific message chosen by collision-resistant, an attacker can find two different messages M1 and
the attacker, or any message not already signed. M2 such that H(M1) = H(M2).

o Example: Analyzing existing message-signature pairs to deduce o Attack: The attacker prepares two messages: M1 (innocuous) and M2
information about the private key or find patterns. (malicious). They ask the signer to sign M1, obtaining signature S. Since
H(M1) = H(M2), the signature S is also valid for the malicious message M2.
3. Chosen Message Attack (Generic / Directed):
The attacker can then present (M2, S) as if the signer signed M2.
o Attacker Knows: Public key and can obtain valid signatures for messages
o Mitigation: Use strong, collision-resistant hash functions (e.g., SHA-256,
they choose (before attempting the forgery).
SHA-3).
▪ Generic: Attacker chooses messages arbitrarily.
6. Implementation Attacks (Side-Channel / Fault Attacks): Exploiting information
▪ Directed: Attacker chooses messages based on previous results leaked during the signing process (timing, power) or inducing errors to reveal key
or targeted towards forging a signature for a specific final material. Requires physical proximity or access to the signing device.
message.

o Goal: Forge a valid signature for a specific message (usually one the
10. Diffie Hellman key Agreement algorithm?
attacker couldn't get signed directly). This is a powerful attack model.
Answer:
o Example: Requesting signatures for messages with specific mathematical
structures to exploit potential weaknesses in the signing algorithm or The Diffie-Hellman (DH) key agreement algorithm allows two parties (e.g., Alice and Bob)
hash function interaction. who have never met before to establish a shared secret key over an insecure
communication channel. This shared secret can then be used, for example, to encrypt
4. Existential Forgery:
subsequent communications using a symmetric cipher. DH is a key exchange protocol, not
o Attacker Goal: Create at least one valid message-signature pair (M, S) that an encryption algorithm itself.
was not generated by the legitimate signer. The attacker doesn't
Algorithm Steps:
necessarily get to choose the message M; any valid pair suffices.
1. Agreement on Global Public Parameters:
o Significance: This is the weakest attack goal, but successful existential
forgery breaks the fundamental non-repudiation property. Many attacks o Alice and Bob agree (publicly) on two numbers:
start by achieving existential forgery. Textbook RSA signatures are
▪ A large prime number p.
vulnerable to this.
▪ A generator g, which is a primitive root modulo p (or a generator
o Example: If no hashing or padding is used (S = M^d mod n), an attacker
of a suitable subgroup modulo p). 1 < g < p.
can choose a signature S, compute M = S^e mod n, and now (M, S) is a
valid pair. Hashing and padding prevent this. 2. Key Generation & Exchange:
 o Alice: with Alice and Bob, and relay messages between them, making them believe they
share a secret directly when they actually share secrets with Mallory.
▪ Chooses a secret random integer a (her private key): 1 ≤ a < p-1.
• Mitigation: DH needs to be combined with an authentication mechanism (e.g.,
▪ Computes her public value A = g^a mod p.
using pre-shared keys, certificates, or passwords) to verify the identities of the
▪ Sends A to Bob over the insecure channel. communicating parties and ensure the exchanged public values A and B actually
came from Alice and Bob, respectively.
o Bob:

▪ Chooses a secret random integer b (his private key): 1 ≤ b < p-1.

11. Explain RABIN Cryptosystem?
▪ Computes his public value B = g^b mod p.
Answer:
▪ Sends B to Alice over the insecure channel.
The Rabin cryptosystem is an asymmetric (public-key) algorithm for encryption, developed
3. Shared Secret Calculation: by Michael O. Rabin. Its security is computationally equivalent to the problem of factoring
o Alice: Receives B from Bob. Computes the shared secret S = B^a mod p. the modulus n. It is similar to RSA but uses squaring for encryption.

▪ S = (g^b)^a mod p = g^(ba) mod p. Algorithm Steps:

o Bob: Receives A from Alice. Computes the shared secret S = A^b mod p. 1. Key Generation:

▪ S = (g^a)^b mod p = g^(ab) mod p. o Choose two distinct large prime numbers, p and q. For easier decryption,
they are often chosen such that p ≡ 3 (mod 4) and q ≡ 3 (mod 4) (Blum
Result: Both Alice and Bob independently compute the same shared secret value S = g^(ab) integers).
mod p.
o Calculate the modulus n = p * q.
Security:
o Public Key: n
• The security relies on the difficulty of the Discrete Logarithm Problem (DLP): Given
p, g, and A = g^a mod p, it is computationally infeasible to find the private key a. o Private Key: (p, q)

• An eavesdropper (Eve) listening on the channel knows p, g, A, and B. To find the 2. Encryption: (Alice wants to send message M to Bob)
secret S, Eve would need to compute either a (from A) or b (from B), which is the o Alice obtains Bob's public key n.
DLP, or solve the Computational Diffie-Hellman (CDH) Problem: Given p, g, g^a
mod p, and g^b mod p, compute g^(ab) mod p. CDH is also believed to be hard. o Represent the message M as an integer m such that 0 ≤ m < n. To ensure
unique decryption, m usually needs some redundancy added (e.g.,
Vulnerability: append a known suffix or hash).
• The basic DH protocol is vulnerable to a Man-in-the-Middle (MitM) attack. An o Ciphertext c = m^2 mod n.
active attacker (Mallory) can intercept the communication, establish separate keys
o Alice sends c to Bob.
3. Decryption: (Bob receives ciphertext c) Bob checks which of the four potential plaintexts has the correct
redundancy.
o Bob uses his private key (p, q).
Security:
o Decryption involves finding the square roots of c modulo n. Since finding
square roots modulo n is equivalent to factoring n, Bob uses his • Provable Security: Decrypting Rabin ciphertexts is computationally equivalent to
knowledge of p and q. factoring the modulus n. If an attacker could decrypt arbitrary Rabin messages,
they could factor n. This is a strong security property not proven for RSA.
o Step 1: Find square roots modulo p and q:
• Vulnerability: Highly vulnerable to chosen-ciphertext attacks (CCA). If an attacker
▪ Find the square roots of c mod p. Let them be ±mₚ. (If p ≡ 3 (mod
can get Bob to decrypt chosen ciphertexts c', they can potentially factor n.
4), this is easy: mₚ = c^((p+1)/4) mod p).
Therefore, Rabin requires CCA-secure padding schemes for practical use.
▪ Find the square roots of c mod q. Let them be
• Ambiguity: The main disadvantage is the four-fold ambiguity in decryption,
±m<0xE1><0xB5><0xA2>. (If q ≡ 3 (mod 4),
requiring redundancy schemes.
m<0xE1><0xB5><0xA2> = c^((q+1)/4) mod q).

o Step 2: Combine using Chinese Remainder Theorem (CRT):

12. Different between MAC and MDC?
▪ There are four possible systems of congruences:
Answer:
1. x ≡ mₚ (mod p) and x ≡ m<0xE1><0xB5><0xA2> (mod q)
-> Solution m₁ MAC (Message Authentication Code) and MDC (Modification Detection Code) are both
cryptographic checksums used to ensure data integrity, but they differ significantly in their
2. x ≡ mₚ (mod p) and x ≡ -m<0xE1><0xB5><0xA2> (mod
purpose regarding authentication and their use of keys.
q) -> Solution m₂
MDC (Modification Detection Code):
3. x ≡ -mₚ (mod p) and x ≡ m<0xE1><0xB5><0xA2> (mod
q) -> Solution m₃ • Also Known As: Cryptographic Hash Function (e.g., SHA-256, MD5).

4. x ≡ -mₚ (mod p) and x ≡ -m<0xE1><0xB5><0xA2> (mod • Purpose: Primarily Integrity. Detects any change (accidental or malicious) to the
q) -> Solution m₄ data.
▪ Bob uses the CRT to find the four solutions m₁, m₂, m₃, m₄ • Input: Takes only the message M as input: H(M).
modulo n.
• Key: Does not use a secret key. Anyone can compute the hash H(M) if they know
4. Ambiguity Resolution: the message M and the hash algorithm H.
o One of the four solutions (m₁, m₂, m₃, m₄) is the original plaintext m. • Output: A fixed-size hash value or digest.
o Bob needs a way to determine the correct one. This is typically done by • Security Property Provided: Integrity only. It cannot prove who created the data
adding redundancy to the original message M before converting it to m. or the hash, only that the data hasn't changed since the hash was computed by
For example, M might be required to end with a specific sequence of bits. someone.
 • Example Use: Verifying file downloads (comparing computed hash with published
hash), some digital signature schemes (hash-then-sign).
13. Explain different Hash functions based on Block Cipher?
MAC (Message Authentication Code):
Answer:
• Purpose: Provides both Integrity and Data Origin Authentication. Verifies that the
While dedicated hash functions like SHA-2 and SHA-3 are common, it's also possible to
message hasn't been altered AND that it originated from a party who possesses
construct cryptographic hash functions using block ciphers (like AES) as the underlying
the shared secret key.
primitive. These constructions typically fit into an iterated framework like Merkle-Damgård,
• Input: Takes the message M AND a secret key K shared between sender and where the block cipher serves as the compression function.
receiver: MAC(K, M).
General Idea:
• Key: Requires a shared secret key K. Only parties with the key can compute or The compression function f takes the current hash state Hᵢ₋₁ and the current message block
verify the MAC. Mᵢ as input and produces the next hash state Hᵢ = f(Hᵢ₋₁, Mᵢ). In block cipher-based
constructions, f involves one or more calls to the block cipher's encryption function E, using
• Output: A fixed-size tag (the MAC value). Hᵢ₋₁ and Mᵢ (and possibly their combination or fixed values) as the key and plaintext inputs.
• Security Properties Provided: Integrity and Authentication. It confirms the Common Construction Schemes (Davies-Meyer Structure):
message is unchanged and comes from an entity holding the secret key. It does not
provide non-repudiation (since either party with the key could have generated the Many schemes are based on the Davies-Meyer structure or variations thereof. Let
MAC). E<0xE2><0x82><0x96>(m) denote encrypting message m with key k using the block cipher
E.
• Example Use: Authenticating messages in network protocols (IPsec, TLS),
protecting stored data where symmetric keys are used. Examples include HMAC 1. Davies-Meyer:
(Hash-based MAC) and CMAC (Cipher-based MAC). o Hᵢ = E<0xE1><0xB5><0xA3>ᵢ(Hᵢ₋₁) ⊕ Hᵢ₋₁
Key Differences Summarized: o The previous hash state Hᵢ₋₁ is used as the key to encrypt the current
message block Mᵢ. The result is then XORed with the previous hash state
Feature MDC (Hash Function) MAC (Message Authentication Code)
Hᵢ₋₁ to produce the new hash state Hᵢ.
Primary Goal Integrity Integrity & Authentication
o Widely used and proven secure under ideal cipher models.
Secret Key No Yes (Shared Secret Key) 2. Matyas-Meyer-Oseas:

Input Message M Message M, Key K o Hᵢ = E<0xE1><0xB5><0xBD>ᵢ₋₁(Mᵢ) ⊕ Mᵢ

Verification Anyone can verify Only key holders can verify o The previous hash state Hᵢ₋₁ is used as the plaintext input, and the current
message block Mᵢ is used as the key. The result is XORed with the message
Proves Origin? No Yes (origin from key holder) block Mᵢ. (Note: Key schedule overhead might be high if Mᵢ changes
frequently).
Examples SHA-256, SHA-3, MD5 (broken) HMAC-SHA256, CMAC-AES
3. Miyaguchi-Preneel:
 o Hᵢ = E<0xE1><0xB5><0xBD>ᵢ₋₁(Mᵢ) ⊕ Mᵢ ⊕ Hᵢ₋₁ 1. Elliptic Curve: An elliptic curve over a finite field (e.g., modulo a prime p) is defined
by an equation, typically of the form: y² ≡ x³ + ax + b (mod p), where a and b are
o Similar to Matyas-Meyer-Oseas, but the output of the encryption is
constants satisfying 4a³ + 27b² ≠ 0 (mod p).
XORed with both the message block Mᵢ and the previous hash state Hᵢ₋₁.
2. Points on the Curve: The "points" in ECC are pairs (x, y) that satisfy the curve
o Considered one of the most secure single-block-length constructions.
equation, plus a special point called the "point at infinity" (O).
Whirlpool Hash Function:
3. Group Operation (Point Addition): There's a defined "addition" operation for
Whirlpool is an example of a hash function designed using a dedicated block cipher (called
points on the curve. Given two points P and Q, P + Q = R, where R is another point
'W') based on AES principles, specifically constructed for hashing. It uses a Miyaguchi-
on the curve. This operation has properties like associativity and commutativity,
Preneel scheme.
forming an abelian group with O as the identity element. Geometrically, R is found
Advantages: by drawing a line through P and Q; the line intersects the curve at a third point, -
R. R is the reflection of -R across the x-axis. Special rules apply for P + P (point
• Can leverage existing hardware/software implementations of block ciphers. doubling) and P + O.
• Security can be formally analyzed based on the properties of the underlying block 4. Scalar Multiplication: kP = P + P + ... + P (k times). This can be computed efficiently
cipher. using methods like the double-and-add algorithm.
Disadvantages: 5. Elliptic Curve Discrete Logarithm Problem (ECDLP): Given points P (a base point)
and Q on the curve, find the integer k such that Q = kP. This is believed to be
• Often slower than dedicated hash functions (like SHA-2, SHA-3) that are optimized
computationally hard for well-chosen curves, forming the basis of ECC security.
specifically for hashing speed.
ECC Algorithm Steps (Generic):
• Block size limitations of the cipher might constrain the hash output size or internal
state size, potentially impacting security compared to hashes with larger internal 1. Domain Parameters: Define the curve and field: (p, a, b, G, n, h)
states.
o p: Prime defining the finite field.
• Need careful design to avoid weaknesses related to the block cipher's properties
(e.g., weak keys). o a, b: Coefficients of the curve equation.

o G: Base point (a generator point on the curve).

14. Explain Elliptic curve cryptosystem with example? o n: Order of the point G (smallest integer such that nG = O). n is typically
prime.
Answer:
o h: Cofactor (usually small, often 1).
Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over finite fields. ECC allows for smaller keys compared 2. Key Generation:
to non-EC cryptography (like RSA, Diffie-Hellman) while providing equivalent security levels. o Choose a private key d randomly: 1 ≤ d < n.
Core Concepts: o Calculate the public key Q = dG (scalar multiplication of base point G by
d).
 o Private Key: d

o Public Key: Q (and the domain parameters) 15. Different between HMAC and Cipher MAC?

Example: ECDH Key Exchange (Elliptic Curve Diffie-Hellman) Answer:

This example shows how Alice and Bob establish a shared secret using ECC. HMAC (Hash-based Message Authentication Code) and Cipher MAC (often referring to CBC-
MAC or its variants like CMAC) are both types of Message Authentication Codes (MACs).
1. Setup: Alice and Bob agree on ECC domain parameters (p, a, b, G, n, h).
They provide data integrity and authentication using a shared secret key, but they are
2. Alice: constructed using different underlying cryptographic primitives.

o Chooses private key d<0xE2><0x82><0x90>. HMAC (Hash-based MAC):

o Computes public key Q<0xE2><0x82><0x90> = d<0xE2><0x82><0x90>G. • Underlying Primitive: Cryptographic Hash Function (e.g., SHA-256, SHA-3).

o Sends Q<0xE2><0x82><0x90> to Bob. • Construction: Uses the hash function along with the secret key K in a specific
nested structure. The standard construction (RFC 2104) is:
3. Bob:
HMAC(K, M) = H( (K' ⊕ opad) || H( (K' ⊕ ipad) || M ) )
o Chooses private key d<0xE1><0xB5><0xB3>. where H is the hash function, M is the message, K' is the key padded or hashed to
the block size of H, and ipad and opad are specific constant padding strings.
o Computes public key Q<0xE1><0xB5><0xB3> = d<0xE1><0xB5><0xB3>G.
• Security: Security is well-analyzed and proven based on the properties of the
o Sends Q<0xE1><0xB5><0xB3> to Alice. underlying hash function (like collision resistance and pseudorandomness).
4. Shared Secret Calculation: Generally considered very secure and robust.

o Alice: Computes S = d<0xE2><0x82><0x90>Q<0xE1><0xB5><0xB3> = • Performance: Depends on the speed of the underlying hash function.
d<0xE2><0x82><0x90>(d<0xE1><0xB5><0xB3>G) =
• Flexibility: Can be used with various hash functions (HMAC-SHA256, HMAC-SHA1,
(d<0xE2><0x82><0x90>d<0xE1><0xB5><0xB3>)G.
etc.). Handles variable-length messages securely.
o Bob: Computes S = d<0xE1><0xB5><0xB3>Q<0xE2><0x82><0x90> = Cipher MAC (Cipher-based MAC):
d<0xE1><0xB5><0xB3>(d<0xE2><0x82><0x90>G) =
(d<0xE1><0xB5><0xB3>d<0xE2><0x82><0x90>)G. • Underlying Primitive: Block Cipher (e.g., AES, DES).

5. Result: Both Alice and Bob compute the same point S. They typically use the x- • Construction (Basic CBC-MAC): Uses the block cipher in Cipher Block Chaining
coordinate of this point S (or a hash of it) as their shared secret key for symmetric (CBC) mode with a fixed, zero Initialization Vector (IV).
encryption.
1. Pad the message M to a multiple of the block size.
Other ECC applications include ECDSA (Elliptic Curve Digital Signature Algorithm). The key
2. Encrypt the padded message using CBC mode with IV=0 and key K.
advantage is that a 256-bit ECC key provides comparable security to a 3072-bit RSA key,
leading to faster computations and lower bandwidth requirements. 3. The final block of ciphertext (or a truncation of it) is the MAC tag.
 • Security: 16. Find multiplication inverse using Fermat's theorem?

o Basic CBC-MAC: Secure only for fixed-length messages. It is insecure for Answer:
variable-length messages (vulnerable to extension attacks).
Fermat's Little Theorem (FLT) can be used to find the modular multiplicative inverse of an
o CMAC (Cipher-based MAC / OMAC1): An enhancement of CBC-MAC integer a modulo a prime p, provided a is not divisible by p.
(standardized in RFC 4493 and NIST SP 800-38B) that securely handles
Theorem Recap:
variable-length messages by processing the last block differently (using
Fermat's Little Theorem states: If p is a prime number and a is an integer not divisible by p
derived keys).
(i.e., gcd(a, p) = 1), then:
• Performance: Depends on the speed of the underlying block cipher. AES hardware a^(p-1) ≡ 1 (mod p)
acceleration can make CMAC very fast.
Deriving the Inverse Formula:
• Flexibility: Tied to a specific block cipher (CMAC-AES, CMAC-TDES).
1. Start with the congruence from FLT: a^(p-1) ≡ 1 (mod p).
Key Differences Summarized:
2. Rewrite a^(p-1) as a * a^(p-2). The congruence becomes: a * a^(p-2) ≡ 1 (mod p).
Feature HMAC Cipher MAC (e.g., CMAC) 3. The definition of a modular multiplicative inverse a⁻¹ is a number such that a * a⁻¹
≡ 1 (mod p).
Based On Hash Function (SHA-2, etc.) Block Cipher (AES, etc.)
4. Comparing the equation from step 2 with the definition in step 3, we see that a^(p-
Nested hash with key XORed CBC mode encryption (with mods for 2) satisfies the condition for being the inverse of a.
Construction
padding CMAC)
Formula:
Secure (for CMAC); Insecure (basic The modular multiplicative inverse of a modulo a prime p (where a % p ≠ 0) is given by:
Var. Length Msg Secure (by design)
CBC-MAC) a⁻¹ ≡ a^(p-2) (mod p)

RFC 4493 / NIST SP 800-38B (for Calculation Steps:

Standard RFC 2104
CMAC)
1. Ensure the modulus p is prime and a is not a multiple of p.
Security Basis Properties of Hash Function Properties of Block Cipher 2. Calculate the exponent p-2.

Common 3. Compute a^(p-2) modulo p. This often requires using modular exponentiation
HMAC-SHA256 AES-CMAC
Examples techniques (like binary exponentiation) for efficiency if p is large.

In essence, HMAC uses hashing principles, while Cipher MACs use encryption principles to Example:
achieve message authentication. CMAC is the secure standard for block cipher-based MACs, Find the multiplicative inverse of a = 5 modulo p = 17.
overcoming the limitations of basic CBC-MAC.
1. p = 17 is prime. a = 5 is not divisible by 17. Conditions are met.

2. The inverse 5⁻¹ ≡ 5^(p-2) (mod p) = 5^(17-2) (mod 17) = 5^15 (mod 17).
 3. Calculate 5^15 mod 17: 2. Server (S): The application server providing the desired service (e.g., file server,
email server).
o 5^1 = 5 (mod 17)
3. Key Distribution Center (KDC): The trusted third party. It consists of two logical
o 5^2 = 25 ≡ 8 (mod 17)
parts:
o 5^4 ≡ 8^2 = 64 ≡ 13 ≡ -4 (mod 17)
o Authentication Server (AS): Authenticates the client initially and issues a
o 5^8 ≡ (-4)^2 = 16 ≡ -1 (mod 17) Ticket-Granting Ticket (TGT). Shares a long-term secret key with each
registered client (usually derived from the user's password).
o 5^15 = 5^(8+4+2+1) = 5^8 * 5^4 * 5^2 * 5^1 (mod 17)
o Ticket-Granting Server (TGS): Issues service tickets for specific servers
o 5^15 ≡ (-1) * (-4) * 8 * 5 (mod 17) based on a valid TGT. Shares a long-term secret key with each registered
o 5^15 ≡ 4 * 8 * 5 = 32 * 5 ≡ 15 * 5 (mod 17) (since 32 ≡ 15 (mod 17)) service.

o 5^15 ≡ 75 (mod 17) Core Concept: Tickets and Authenticators

o 75 = 4 * 17 + 7, so 75 ≡ 7 (mod 17). Kerberos uses encrypted "tickets" (containing session keys and identity information) and
time-stamped "authenticators" (proving freshness and identity) to manage authentication.
4. Therefore, the inverse of 5 modulo 17 is 7.
Simplified Authentication Flow:
Check: 5 * 7 = 35. 35 = 2 * 17 + 1, so 35 ≡ 1 (mod 17). Correct.
1. AS Request (Client -> AS): The client requests authentication from the AS, sending
Limitation: This method only works when the modulus p is prime. For composite moduli, its ID and the ID of the TGS.
use Euler's totient theorem or the Extended Euclidean Algorithm.
2. AS Reply (AS -> Client): The AS verifies the client's existence. It generates a session
key (SK_CTGS) for the client and TGS. It sends back:
17. Explain the concept of KERBEROS? o SK_CTGS encrypted with the client's long-term secret key.
Answer: o A Ticket-Granting Ticket (TGT), which contains SK_CTGS, client ID, and
expiration time, all encrypted with the TGS's secret key.
Kerberos is a network authentication protocol designed to provide strong authentication
for client/server applications by using secret-key cryptography. Developed at MIT, its 3. TGS Request (Client -> TGS): The client decrypts SK_CTGS using its key. To access
primary goal is to allow users and services to prove their identity to each other over an Server S, the client creates an Authenticator (containing client ID and timestamp,
insecure network connection without transmitting passwords directly. It provides mutual encrypted with SK_CTGS) and sends it along with the TGT and the ID of Server S to
authentication (both client and server authenticate each other) and uses a trusted third the TGS.
party.
4. TGS Reply (TGS -> Client): The TGS decrypts the TGT (using its key) and the
Key Components: Authenticator (using SK_CTGS from the TGT). It verifies the timestamp and client
ID. If valid, it generates a new session key (SK_CS) for the client and Server S. It
1. Client (C): The user or workstation seeking access to a service.
sends back:
 o SK_CS encrypted with SK_CTGS. 2. Initialization: The internal state is initialized with specific constant values.

o A Service Ticket (ST), which contains SK_CS, client ID, and expiration time, 3. Processing Blocks: Each 512-bit message block is processed sequentially.
all encrypted with Server S's secret key. The block is expanded into multiple words, and these words, along with
constants and the current internal state, are passed through 64 rounds of
5. Server Request (Client -> Server S): The client decrypts SK_CS using SK_CTGS. It
complex bitwise operations (rotations, shifts, XOR, AND, addition modulo
creates a new Authenticator (client ID, timestamp, encrypted with SK_CS) and
2^32). The output of these rounds updates the internal state.
sends it along with the Service Ticket (ST) to Server S.
4. Final Output: After processing the last block, the final internal state value
6. Server Verification (Server S): Server S decrypts the ST using its own secret key,
is the 256-bit SHA-256 hash.
retrieving SK_CS. It decrypts the Authenticator using SK_CS and verifies the client
ID and timestamp. If valid, authentication is successful. Optionally, the server can • Security: Currently considered secure and resistant to known collision, pre-image,
send back a confirmation encrypted with SK_CS for mutual authentication. and second pre-image attacks. Widely recommended for use.

Benefits: Strong authentication, avoids plaintext passwords on the network, potential for • Usage: Very common in TLS/SSL, SSH, PGP, digital signatures, blockchain
single sign-on. technologies (like Bitcoin), file integrity verification, password hashing.
Trust Model: Relies heavily on the security and availability of the KDC. Timestamps require
2. MD5 (Message Digest 5):
reasonably synchronized clocks across the network.
• Family: Part of the Message Digest family, designed by Ron Rivest (RFC 1321).

18. Explain any two Hash algorithms? • Output Size: Produces a 128-bit (16-byte) hash value.

Answer: • Construction: Also based on the Merkle–Damgård construction. Processes input

messages in blocks of 512 bits.
Here are explanations for two common hash algorithms: SHA-256 and MD5.
• Internal State: Maintains an internal state of 128 bits (four 32-bit words).
1. SHA-256 (Secure Hash Algorithm 256-bit):
• Process: Similar structure to SHA-256 but simpler:
• Family: Part of the SHA-2 family, designed by the NSA and published by NIST (FIPS
PUB 180-4). 1. Padding: Message padded to a multiple of 512 bits, including length.

• Output Size: Produces a 256-bit (32-byte) hash value. 2. Initialization: Internal state initialized with specific constants.

• Construction: Based on the Merkle–Damgård construction. It processes input 3. Processing Blocks: Each 512-bit block undergoes 4 rounds, each with 16
messages in blocks of 512 bits (64 bytes). steps, using non-linear functions, modular addition, and bitwise
rotations. The operations are simpler than SHA-256.
• Internal State: Maintains an internal state of 256 bits (eight 32-bit words).
4. Final Output: The final internal state is the 128-bit MD5 hash.
• Process:
• Security: Broken. Significant vulnerabilities, particularly practical collision attacks,
1. Padding: The input message is padded so its length is a multiple of 512 have been known for many years. It is computationally feasible to find two
bits. Padding includes the original message length.
 different messages that produce the same MD5 hash. Pre-image resistance is also • Essentially, the RO acts like a function that provides perfectly random and
weakened compared to modern hashes. consistent outputs for every possible input, with outputs generated on demand.

• Usage: Should NOT be used for security-related purposes like digital signatures, Properties of a Random Oracle:
SSL certificates, or password storage. Its use should be limited to non-
• Deterministic: Same input always yields the same output.
cryptographic checksums for detecting accidental data corruption (e.g., verifying
file integrity after download, where malicious collisions are not the primary • Uniform Output: Outputs are uniformly distributed in the output range.
concern). Many systems have deprecated or removed support for MD5 in security
contexts. • Unpredictable: Outputs for new inputs are unpredictable, even given previous
input-output pairs. There's no discernible structure or algorithm relating inputs to
outputs other than the stored lookup table.
19. RABIN Cryptosystem Usage in Security Proofs:
(This question is identical to Question 11. Please refer to the answer provided for Question • Cryptographers design protocols (e.g., padding schemes like OAEP for RSA,
11 above.) signature schemes like FDH) assuming the hash function used is a Random Oracle.

• They then mathematically prove that the protocol is secure (e.g., resistant to
20. Random Oracle Model (ROM): chosen-plaintext attacks, unforgeable) within this idealized model.

Answer: • The proof typically works by showing that any attacker breaking the protocol could
be used to violate one of the fundamental properties of the RO (e.g., predict its
The Random Oracle Model (ROM) is a theoretical framework used in cryptography to output or find collisions more easily than random chance would allow), which is
analyze the security of protocols, particularly those involving hash functions. It's an impossible by definition of the RO.
idealized model where the hash function is replaced by a hypothetical entity called a
Random Oracle. Limitations and Criticisms:

Concept: • Real Hash Functions are Not Random Oracles: Real-world hash functions (SHA-
256, SHA-3) are deterministic algorithms with specific internal structures. They are
• A Random Oracle (RO) is imagined as a publicly accessible black box. not truly random functions.
• When queried with an input string x, the RO behaves as follows: • ROM Proofs Don't Guarantee Real-World Security: A proof in the ROM provides
strong heuristic evidence that a scheme is likely secure when instantiated with a
o If x has been queried before, the RO returns the same response it gave
previously. "good" cryptographic hash function. However, it's not a guarantee. An attack might
exist that specifically exploits the internal structure of the chosen hash function in
o If x is a new query, the RO generates a truly random output string (of the a way that wouldn't work against a true RO.
appropriate fixed length for the hash function being modeled) chosen
uniformly from the output domain, records the pair (x, output), and • Uninstantiable Schemes: Some cryptographic schemes have been proven secure
returns the output. in the ROM but are known to be insecure no matter which real hash function is
used to instantiate them.
Conclusion: The ROM is a valuable tool for designing and gaining confidence in computation involving bitwise operations (AND, OR, XOR, rotation) and
cryptographic protocols, simplifying security proofs by abstracting away the complexities of modular addition, updating the internal state registers.
real hash functions. However, proofs in the ROM should be interpreted with caution,
4. Final Output: The final value of the 160-bit internal state after processing
understanding the gap between the ideal model and real-world implementations. Security
all blocks is the SHA-1 hash.
proofs in the "standard model" (which don't rely on random oracles) are generally preferred
when available, though often much harder to achieve. • Security: Considered Broken. While pre-image resistance is still largely intact
practically, collision resistance is completely broken.

o Theoretical attacks showing weaknesses were published starting in 2005.

21. MD5
o In 2017, the SHAttered attack demonstrated the first practical public
(MD5 was described as one of the two hash algorithms in the answer to Question 18. Please
collision, creating two different PDF files with the same SHA-1 hash.
refer to that description.)
o Finding collisions is now feasible for well-resourced attackers (cost
estimated in the tens of thousands of US dollars).
22. SHA - 1
• Usage: Deprecated for most security purposes, especially digital signatures and
Answer: certificate generation. Major web browsers no longer trust certificates signed with
SHA-1. NIST formally deprecated SHA-1 for most uses in 2011 and disallowed its
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function developed by the NSA
use for digital signatures after 2013. It should be phased out and replaced with
and published by NIST in 1995 (FIPS PUB 180-1). It was designed as part of the Secure Hash
SHA-2 (SHA-256, SHA-512) or SHA-3 algorithms in all security-sensitive
Standard.
applications. Still found in some legacy systems and non-cryptographic contexts
• Output Size: Produces a 160-bit (20-byte) hash value. like Git version control (where collision resistance is less critical than second pre-
image resistance).
• Construction: Based on the Merkle–Damgård construction, similar in structure to
MD4 and MD5, but with modifications intended to increase security. It processes
input messages in blocks of 512 bits.
23. RC5
• Internal State: Maintains an internal state of 160 bits (five 32-bit words).
Answer:
• Process:
RC5 is a symmetric-key block cipher designed by Ron Rivest in 1994. It is notable for its
1. Padding: The message is padded to be a multiple of 512 bits, including simplicity and its parameterization, allowing variable block sizes, key sizes, and number of
the original message length. rounds.

2. Initialization: The 160-bit internal state is initialized with five constant 32- Key Features:
bit words.
1. Type: Symmetric-key block cipher (uses the same key for encryption and
3. Processing Blocks: Each 512-bit message block is processed. The block is decryption).
expanded into 80 words, and these are used over 80 rounds of 2. Parameterization: Defined as RC5-w/r/b:
 o w: Word size in bits (16, 32, or 64). This determines the block size, which Usage:
is 2w (so block sizes can be 32, 64, or 128 bits).
• RC5 was submitted as a candidate for the Advanced Encryption Standard (AES) but
o r: Number of rounds (0 to 255). Determines the security level; more was not selected (Rijndael was chosen).
rounds mean higher security but slower speed.
• It has been used in various commercial products and protocols, often where its
o b: Key length in bytes (0 to 255). Allows for very flexible key sizes up to parameter flexibility is advantageous.
2040 bits.
• Its simplicity makes it suitable for both hardware and software implementations.
3. Design: Uses a Feistel-like network but operates on the whole block. It employs
only simple operations readily available on microprocessors: • RC5 is patented, which may have limited its adoption compared to open standards
like AES.
o Integer addition modulo 2^w.

o Bitwise XOR.
24. Euler theorem find the multiplication inverse
o Data-dependent rotations (variable rotation amounts). The amount of
rotation in a round depends on the data being processed, which Answer:
complicates cryptanalysis. Euler's totient theorem (often just called Euler's theorem in this context) provides a method
4. Key Schedule: Has a complex key schedule algorithm that expands the secret key to find the modular multiplicative inverse of an integer a modulo a composite integer n,
K into an array S of 2r + 2 round subkeys. This schedule uses the same operations provided that a and n are coprime (gcd(a, n) = 1). It generalizes Fermat's Little Theorem to
as the encryption/decryption process, along with some pre-defined constants composite moduli.
(derived from the base of natural logarithms e and the golden ratio φ). Euler's Totient Function (φ(n)):
5. Encryption/Decryption: Encryption involves an initial XOR and addition with First, we need Euler's totient function, φ(n). It counts the number of positive integers less
subkeys, followed by r rounds of the core operations, mixing in subkeys at each than or equal to n that are relatively prime (coprime) to n.
step. Decryption reverses the process, using subtraction, XOR, and reverse • If n is prime, φ(n) = n-1.
rotations.
• If n = p*q where p and q are distinct primes, φ(n) = (p-1)(q-1).
Security:
• If n = p^k where p is prime, φ(n) = p^k - p^(k-1).
• Generally considered secure when used with adequate parameters (e.g., RC5-
32/12/16 denotes 64-bit blocks, 12 rounds, 16-byte/128-bit key, which is a • It's multiplicative: if gcd(m, n) = 1, then φ(m*n) = φ(m)*φ(n).
common configuration).
Euler's Theorem Statement:
• Vulnerable to attacks if the number of rounds r is too low relative to the block size If a and n are positive integers such that gcd(a, n) = 1, then:
and key size. Differential and linear cryptanalysis have been applied. a^φ(n) ≡ 1 (mod n)

• The data-dependent rotations provide resistance against standard differential and Deriving the Inverse Formula:
linear attacks to some extent.
1. Start with the congruence from Euler's theorem: a^φ(n) ≡ 1 (mod n).
 2. Rewrite a^φ(n) as a * a^(φ(n)-1). The congruence becomes: a * a^(φ(n)-1) ≡ 1 (mod Check: 7 * 3 = 21. 21 ≡ 1 (mod 10). Correct.
n).
Note: While useful, calculating φ(n) requires factoring n. The Extended Euclidean Algorithm
3. The definition of a modular multiplicative inverse a⁻¹ is a number such that a * a⁻¹ can find the modular inverse without needing to factor n or compute φ(n), and it works
≡ 1 (mod n). whenever gcd(a, n)=1.

4. Comparing the equation from step 2 with the definition in step 3, we see that
a^(φ(n)-1) satisfies the condition for being the inverse of a.
25. CHINESE REMAINDER THEOREM (CRT):
Formula:
Answer:
The modular multiplicative inverse of a modulo n (where gcd(a, n) = 1) is given by:
a⁻¹ ≡ a^(φ(n)-1) (mod n) The Chinese Remainder Theorem (CRT) is a theorem from number theory that provides a
way to solve a system of simultaneous linear congruences when the moduli are pairwise
Calculation Steps:
coprime. It essentially states that if we know the remainders of an integer x when divided
1. Ensure gcd(a, n) = 1. by several pairwise coprime integers, we can uniquely determine the remainder of x when
divided by the product of these integers.
2. Calculate φ(n). This usually requires knowing the prime factorization of n.
Theorem Statement:
3. Calculate the exponent φ(n)-1.
Let n₁, n₂, ..., n<0xE2><0x82><0x96> be positive integers that are pairwise coprime (i.e.,
4. Compute a^(φ(n)-1) modulo n, likely using modular exponentiation.
gcd(nᵢ, nⱼ) = 1 for all i ≠ j). Let a₁, a₂, ..., a<0xE2><0x82><0x96> be any integers.
Example: Then the system of congruences:
Find the multiplicative inverse of a = 7 modulo n = 10. x ≡ a₁ (mod n₁)
x ≡ a₂ (mod n₂)
1. gcd(7, 10) = 1. Conditions met. ...
2. Calculate φ(10). The integers less than or equal to 10 and coprime to 10 are {1, 3, x ≡ a<0xE2><0x82><0x96> (mod n<0xE2><0x82><0x96>)
7, 9}. There are 4 such numbers. So, φ(10) = 4. (Alternatively, 10 = 2*5, so φ(10) = has a unique solution for x modulo N = n₁ * n₂ * ... * n<0xE2><0x82><0x96>.
φ(2)*φ(5) = (2-1)*(5-1) = 1 * 4 = 4). Finding the Solution:
3. The inverse 7⁻¹ ≡ 7^(φ(10)-1) (mod 10) = 7^(4-1) (mod 10) = 7^3 (mod 10). One common method to construct the solution x is:
4. Calculate 7^3 mod 10: 1. Calculate the product of the moduli: N = n₁ * n₂ * ... * n<0xE2><0x82><0x96>.
o 7^1 = 7 (mod 10) 2. For each i from 1 to k, calculate Nᵢ = N / nᵢ. (This Nᵢ is the product of all moduli
o 7^2 = 49 ≡ 9 (mod 10) except nᵢ).

o 7^3 = 7^2 * 7^1 ≡ 9 * 7 = 63 ≡ 3 (mod 10) 3. For each i, find the modular multiplicative inverse yᵢ of Nᵢ modulo nᵢ. That is, find yᵢ
such that Nᵢ * yᵢ ≡ 1 (mod nᵢ). This inverse exists because nᵢ is coprime to all other
5. Therefore, the inverse of 7 modulo 10 is 3. moduli, hence gcd(Nᵢ, nᵢ) = 1. The Extended Euclidean Algorithm is typically used
here.
 4. The unique solution x modulo N is given by the sum: o x = (2*35*2 + 3*21*1 + 2*15*1) mod 105
x = (a₁N₁y₁ + a₂N₂y₂ + ... +
o x = (140 + 63 + 30) mod 105
a<0xE2><0x82><0x96>N<0xE2><0x82><0x96>y<0xE2><0x82><0x96>) mod N
o x = 233 mod 105
Applications in Cryptography:
o 233 = 2 * 105 + 23
• RSA Optimization: CRT is significantly used to speed up RSA private key operations
(decryption and signing). Instead of computing m = c^d mod n directly (where n = o x = 23.
p*q), the holder of the private key (p, q, d) can compute: The unique solution modulo 105 is x = 23.

o m₁ = c^d mod p (often faster using dₚ = d mod (p-1))

o m₂ = c^d mod q (often faster using d<0xE1><0xB5><0xA2> = d mod (q-1)) 26. Miller Rabin primality Test
Then use CRT to combine m₁ and m₂ (solving x ≡ m₁ (mod p) and x ≡ m₂
Answer:
(mod q)) to find the unique solution m modulo n. Exponentiation modulo
the smaller primes p and q is much faster (roughly 4 times speedup The Miller-Rabin primality test is a probabilistic algorithm used to efficiently determine
overall). whether a large number n is likely prime. It is more sophisticated than the Fermat primality
test and does not suffer from the problem of Carmichael numbers (composite numbers that
• Rabin Cryptosystem: Used in the decryption step to combine the square roots
pass the Fermat test for all bases).
found modulo p and q into the four possible plaintext candidates modulo n.
Basis:
• Secret Sharing Schemes: Some schemes (like Shamir's) are related, though CRT
The test relies on properties related to square roots of 1 modulo n:
usually applies when moduli are coprime, while Shamir's works over a single prime
field. 1. If n is prime, Fermat's Little Theorem states a^(n-1) ≡ 1 (mod n) for gcd(a, n)=1.

Example: 2. If n is prime, the only solutions to x² ≡ 1 (mod n) are x ≡ 1 and x ≡ -1 (mod n).
Solve the system: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
Algorithm Steps: (To test an odd integer n > 2 for primality)
1. n₁=3, n₂=5, n₃=7. They are pairwise coprime. N = 3*5*7 = 105.
1. Factor out powers of 2 from n-1: Find integers s > 0 and d (odd) such that n - 1 =
2. N₁ = N/n₁ = 105/3 = 35. N₂ = N/n₂ = 105/5 = 21. N₃ = N/n₃ = 105/7 = 15. 2^s * d.

3. Find inverses: 2. Choose a random base (witness): Select a random integer a such that 1 < a < n-1.

o 35y₁ ≡ 1 (mod 3) -> 2y₁ ≡ 1 (mod 3) -> y₁ = 2. 3. Compute x = a^d mod n: Calculate the first term in the sequence using modular
exponentiation.
o 21y₂ ≡ 1 (mod 5) -> 1y₂ ≡ 1 (mod 5) -> y₂ = 1.
4. Check initial condition: If x = 1 or x = n-1 (≡ -1 mod n), then n might be prime (it
o 15y₃ ≡ 1 (mod 7) -> 1y₃ ≡ 1 (mod 7) -> y₃ = 1.
passes the test for this base a). Go to step 7 (Pass).
4. Compute solution:
5. Iterative Squaring: Repeat the following s-1 times (for r from 1 to s-1):
o x = (a₁N₁y₁ + a₂N₂y₂ + a₃N₃y₃) mod N
 o Calculate x = x² mod n.

o If x = n-1, then n might be prime (it passes the test for this base a). Go to
step 7 (Pass).

o (If x = 1 at this stage, n must be composite because we found a non-trivial

square root of 1 in the previous step, so proceed to Fail).

6. Final Check: If the loop finishes without x ever becoming n-1 (and it wasn't 1 or n-
1 initially), then n is definitely composite. The base a is called a "Miller-Rabin
witness" to the compositeness of n. Go to step 8 (Fail).

7. (Pass): n passes the test for base a. It is probably prime.

8. (Fail): n is definitely composite.

Probability and Usage:

• If n is actually prime, it will pass the test for all bases a.

• If n is composite, it will fail the test for at least 3/4 of the possible bases a.

• Therefore, the probability that a composite number n passes the test for a single
randomly chosen a is at most 1/4.

• Iteration: To increase confidence, the test is repeated k times with k different

randomly chosen bases a. If n passes all k tests, the probability that n is actually
composite is extremely low (at most (1/4)^k). For typical values of k (e.g., 15-50),
the probability of error is negligible for practical purposes.

Conclusion: Miller-Rabin is a fast and effective probabilistic primality test, widely used in
practice, particularly in generating large prime numbers for cryptographic systems like RSA.
While it doesn't provide mathematical certainty like deterministic tests (which are much
slower), it offers arbitrarily high confidence levels by adjusting the number of iterations k.