IMT3701 Cryptology
– Solutions RSA –
Exercise 1
1.1
a) 391 = 4 · 81 + 67 thus 391 ≡ 67 (mod 81)
b) −391 (mod 81) ≡ −67 (mod 81) ≡ 14 (mod 81)
c) 81 < 391, so 81 is already reduced: 81 (mod 391) ≡ 81.
1.2 The factorization of 828 is 828 = 2^2 · 3^2 · 23. Thus for an integer n to divide 828, n must be of the form
n = 2^a 3^b 23^c,
where 0 ≤ a ≤ 2, 0 ≤ b ≤ 2 and 0 ≤ c ≤ 1. The number of divisors is thus 3 · 3 · 2 = 18. An integer dividing 828 is either 1 or a product of one or several of the prime factors of 828 (828 itself is the product of all of them). We construct the following table of the 18 divisors:
1
2
3
23
2 · 2 = 4
2 · 3 = 6
2 · 23 = 46
3 · 3 = 9
3 · 23 = 69
2 · 2 · 3 = 12
2 · 2 · 23 = 92
2 · 3 · 3 = 18
2 · 3 · 23 = 138
3 · 3 · 23 = 207
2 · 2 · 3 · 3 = 36
2 · 2 · 3 · 23 = 276
2 · 3 · 3 · 23 = 414
2 · 2 · 3 · 3 · 23 = 828
1.3 Given d = gcd(a, b), writing d as a linear combination of a and b means finding integers s and t such that
d = sa + tb.
This expression is linear in both a and b, which is why we say that d is expressed as a linear combination of a and b. The extended Euclidean algorithm (EEA) is well suited for finding such an expression: run the Euclidean algorithm, then substitute back from the last non-zero remainder.
a) We apply the Euclidean algorithm to 1547 and 560 in order to find gcd(1547, 560).
1547 = 2 · 560 + 427
560 = 1 · 427 + 133
427 = 3 · 133 + 28
133 = 4 · 28 + 21
28 = 1 · 21 + 7
21 = 3 · 7
Thus d = gcd(1547, 560) = 7. Applying the extended Euclidean algorithm gives:
7 = 28 − 1 · 21 = 28 − 1(133 − 4 · 28)
= 5 · 28 − 1 · 133 = 5(427 − 3 · 133) − 1 · 133
= 5 · 427 − 16 · 133 = 5 · 427 − 16(560 − 1 · 427)
= 21 · 427 − 16 · 560 = 21 · (1547 − 2 · 560) − 16 · 560
= 21 · 1547 − 58 · 560.
We conclude that 7 = 21 · 1547 − 58 · 560, so with a = 1547 and b = 560 we have s = 21 and t = −58.
b) We apply the Euclidean algorithm to 187 and 34 in order to find gcd(187, 34).
187 = 5 · 34 + 17
34 = 2 · 17 + 0.
Thus gcd(187, 34) = 17. Applying the extended euclidean algorithm
gives:
17 = 1 · 187 − 5 · 34.
We conclude that s = 1 and t = −5.
c) We apply the Euclidean algorithm to 841 and 160 in order to find gcd(841, 160).
841 = 5 · 160 + 41
160 = 3 · 41 + 37
41 = 37 + 4
37 = 9 · 4 + 1
4 = 4 · 1 + 0.
Thus gcd(841, 160) = 1. Applying the extended Euclidean algorithm gives:
1 = 37 − 9 · 4 = 37 − 9(41 − 37)
= 10 · 37 − 9 · 41 = 10(160 − 3 · 41) − 9 · 41
= 10 · 160 − 39 · 41 = 10 · 160 − 39(841 − 5 · 160)
= 205 · 160 − 39 · 841.
We conclude that s = −39 and t = 205.
1.4 The invertible elements in Z_28 are exactly those with no prime factor in common with 28. The prime factorization of 28 is 2^2 · 7. Thus all odd numbers smaller than 28, with the exception of the multiples of 7 (that is, 7 and 21), are invertible in Z_28; there are φ(28) = 12 of them. To find the inverses of these elements we use the extended Euclidean algorithm. The results are given in Table 1. Remember that (a^{-1})^{-1} = a, so each pair only has to be computed once; this is why 17, 19, 23 and 25 do not get a column of their own.

Table 1: Invertible elements in Z_28 and their inverses.
  a     |  1 |  3 |  5 |  9 | 11 | 13 | 15 | 27
  a^-1  |  1 | 19 | 17 | 25 | 23 | 13 | 15 | 27
1.5 Equations of the form
ax ≡ b (mod n)
can be solved as follows. If d = gcd(a, n) = 1, use the EEA to find an integer s satisfying as ≡ 1 (mod n). Then
x ≡ bs (mod n).
If d = gcd(a, n) > 1 we have two cases:
1. If d ∤ b the equation has no solutions.
2. If d | b, use the above method to find the solution x_0 of the equation
(a/d) x_0 ≡ (b/d) (mod n/d),
where a/d, b/d, and n/d are integers. Then the solutions x of the equation ax ≡ b (mod n) are the d elements
x_0, x_0 + (n/d), x_0 + 2(n/d), ..., x_0 + (d − 1)(n/d).
Written in a more compact form:
x ≡ x_0 + k · (n/d) (mod n), k ∈ Z.
We now have what is needed to solve the congruence equations.
a) Consider the equation 3x ≡ 4 (mod 7). We see that gcd(7, 3) = 1, so the equation is solvable. The EEA gives us 1 = 7 − 2 · 3, which is equivalent to 3^{-1} ≡ −2 ≡ 5 (mod 7). Thus
x ≡ 5 · 4 ≡ 20 ≡ 6 (mod 7).
b) Consider the equation 3x ≡ 4 (mod 12). Here we find gcd(12, 3) = 3, and 3 ∤ 4. Thus the equation has no solutions.
c) Consider the equation 9x ≡ 12 (mod 21). Here we find gcd(21, 9) = 3, and 3 | 12. Thus we consider the equation (9/3) x_0 ≡ (12/3) (mod 21/3), that is,
3x_0 ≡ 4 (mod 7).
From a) we know that x_0 ≡ 6 (mod 7). Now we have the three solutions
x ≡ 6, 13, or 20 (mod 21),
or equivalently x ≡ 6 + 7k (mod 21), k ∈ Z.
d) Consider the equation 27x ≡ 25 (mod 256). We find gcd(256, 27) = 1. Using the EEA we find 27^{-1} ≡ 19 (mod 256) (check: 27 · 19 = 513 = 2 · 256 + 1). Thus
x ≡ 19 · 25 = 475 ≡ 219 (mod 256).
1.6 We solve the system of equations using the well-known method from the real numbers, but remember that all operations are modulo 29. We start by defining L1 and L2 as follows:
L1 : 7x + y ≡ 24 (mod 29)
L2 : 4x + y ≡ 15 (mod 29).
Then L1 − L2 : 3x ≡ 9 (mod 29). Since 3 is invertible modulo 29 (3^{-1} ≡ 10), this is equivalent to x ≡ 3. This is substituted into L2 and we find
y ≡ 15 − 4 · 3 ≡ 3 (mod 29).
Thus x ≡ y ≡ 3 (mod 29).
If statistical analysis of an affine cipher c ≡ a · p + b (mod 29) shows that the letter h is encrypted to the letter Y and the letter e is encrypted to the letter P, solving this system gives the cryptanalyst the secret key: with the letters of a 29-letter alphabet numbered A = 0, B = 1, ..., we have h = 7, e = 4, Y = 24 and P = 15, and the two known pairs give exactly L1 and L2 with x = a and y = b. The key is therefore (a, b) = (3, 3).
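The computations of 1.3, 1.5 and 1.6 in code, as an added example that is not part of the original solution set: an iterative extended Euclidean algorithm, a solver for ax ≡ b (mod n) that also handles the gcd(a, n) > 1 case of 1.5, and the known-plaintext recovery of an affine key from two letter pairs as in 1.6. The 29-letter alphabet (A to Z followed by Æ, Ø, Å) is an assumption chosen to match the modulus 29; the page does not spell out the alphabet.

```python
# Added example, not part of the IMT3701 solution set: the extended Euclidean
# algorithm (1.3), linear congruences including the gcd(a, n) > 1 case (1.5),
# and the known-plaintext key recovery for an affine cipher (1.6). The 29-letter
# alphabet is an assumption chosen to match the modulus 29 of Exercise 1.6.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZÆØÅ"  # assumed alphabet, A = 0, ..., Å = 28


def egcd(a, b):
    """Return (d, s, t) with d = gcd(a, b) = s*a + t*b, by the iterative EEA."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(a, n):
    """Inverse of a modulo n; raises ValueError when gcd(a, n) != 1."""
    d, s, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return s % n


def solve_linear_congruence(a, b, n):
    """All solutions of a*x = b (mod n) in {0, ..., n-1}, [] when gcd(a, n) does not
    divide b. With d = gcd(a, n) | b, the reduced equation (a/d)*x0 = (b/d) (mod n/d)
    has a unique x0, and the full solution set is x0 + k*(n/d), k = 0, ..., d-1."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    a1, b1, n1 = a // d, b // d, n // d
    x0 = (b1 * modinv(a1, n1)) % n1
    return [x0 + k * n1 for k in range(d)]


def affine_key_from_pairs(p1, c1, p2, c2, n=len(ALPHABET)):
    """Recover (a, b) with c = a*p + b (mod n) from two plaintext/ciphertext letters.
    Subtracting the two equations gives (p1 - p2)*a = c1 - c2 (mod n); the key is
    unique exactly when gcd(p1 - p2, n) = 1."""
    sols = solve_linear_congruence(p1 - p2, c1 - c2, n)
    if len(sols) != 1:
        raise ValueError("these two letters do not determine the key uniquely")
    a = sols[0]
    return a, (c1 - a * p1) % n


def affine_encrypt(text, a, b):
    n = len(ALPHABET)
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % n] for ch in text)


def affine_decrypt(text, a, b):
    n = len(ALPHABET)
    a_inv = modinv(a, n)  # fails loudly if a is not a valid multiplier
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % n] for ch in text)


if __name__ == "__main__":
    print(egcd(1547, 560))                      # (7, 21, -58)
    print(solve_linear_congruence(9, 12, 21))   # [6, 13, 20]
    # Exercise 1.6: h -> Y and e -> P, i.e. 7a + b = 24 and 4a + b = 15 (mod 29)
    key = affine_key_from_pairs(ALPHABET.index("H"), ALPHABET.index("Y"),
                                ALPHABET.index("E"), ALPHABET.index("P"))
    print(key)                                  # (3, 3)
    print(affine_decrypt(affine_encrypt("HEMMELIG", *key), *key))
```

The check `len(sols) != 1` in `affine_key_from_pairs` is the practical face of case 2 in 1.5: over a 26-letter alphabet two plaintext letters whose difference is even give d = 2 and two candidate keys, and the attacker needs a third pair or a trial decryption to pick one.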
Exercise 2
2.1 We carry out multiplications and divisions as we are used to, but keep in mind that we are working in some base b. This leads to other carries than what we are used to in base 10.
i) We carry out the multiplication (all digits in base 3; for instance 2 · 2 = 4 = (11)_3, so the carries are base-3 carries):
          2 1 2
        × 1 2 2
        -------
        1 2 0 1          (212)_3 · 2
      1 2 0 1            (212)_3 · 2, shifted one place
    2 1 2                (212)_3 · 1, shifted two places
    -----------
    1 1 2 1 1 1
Thus
(212)_3 · (122)_3 = (112111)_3.
(Check in base 10: 23 · 17 = 391 = 243 + 81 + 54 + 9 + 3 + 1.)
ii) We carry out the division (all digits in base 7; 2 · (126)_7 = (255)_7 and 6 · (126)_7 = (1131)_7):
    4 0 1 2 2 : 1 2 6 = 2 6 0
    2 5 5
    -----
      1 1 3 2
      1 1 3 1
      -------
            1 2
Thus
(40122)_7 : (126)_7 = (260)_7 with remainder (12)_7, i.e. 260 + 12/126 in base 7.
(Check in base 10: 9669 = 140 · 69 + 9.)
iii) We carry out the multiplication
            1 0 1 1 0 1
          × 1 1 0 0 1
          -------------
            1 0 1 1 0 1
          0
        0
      1 0 1 1 0 1
    1 0 1 1 0 1
    ---------------------
    1 0 0 0 1 1 0 0 1 0 1
Thus
(101101)_2 · (11001)_2 = (10001100101)_2.
(Check in base 10: 45 · 25 = 1125.)
iv) We carry out the division
    1 0 0 1 1 0 0 1 : 1 0 1 1 = 1 1 0 1
    1 0 1 1
    -------
      1 0 0 0 0
      1 0 1 1
      ---------
          1 0 1 0 1
          1 0 1 1
          ---------
            1 0 1 0
Thus
(10011001)_2 : (1011)_2 = (1101)_2 with remainder (1010)_2, i.e. 1101 + 1010/1011 in base 2.
(Check in base 10: 153 = 13 · 11 + 10.)
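The four hand calculations of 2.1 done by machine for any base, as an added example that is not part of the original solution set. Multiplication is performed digit by digit with carries in base b, exactly as in the written layouts; long division brings down one digit at a time and finds each quotient digit by repeated subtraction of the divisor, which is what the layout does when it writes 2 · (126)_7 = (255)_7 under 401. The code goes beyond the page in handling every base from 2 to 36.

```python
# Added example, not part of the IMT3701 solution set: the pencil-and-paper
# arithmetic of Exercise 2.1 for any base 2 <= b <= 36. Multiplication is done
# digit by digit with base-b carries; long division brings down one digit at a time
# and finds each quotient digit by repeated subtraction, as in the written layout.
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_digits(s, base):
    """'40122' in base 7 -> [2, 2, 1, 0, 4]: least significant digit first."""
    ds = [DIGITS.index(ch.upper()) for ch in s]
    if not 2 <= base <= len(DIGITS) or any(d >= base for d in ds):
        raise ValueError(f"{s!r} is not a base-{base} numeral")
    return ds[::-1]


def from_digits(ds, base):
    """Inverse of to_digits, without leading zeros."""
    return "".join(DIGITS[d] for d in reversed(ds)).lstrip("0") or "0"


def add_digits(x, y, base):
    """Sum of two little-endian digit lists, carrying in base b."""
    out, carry = [], 0
    for i in range(max(len(x), len(y))):
        xi = x[i] if i < len(x) else 0
        yi = y[i] if i < len(y) else 0
        carry, d = divmod(xi + yi + carry, base)
        out.append(d)
    if carry:
        out.append(carry)
    return out


def multiply(xs, ys, base):
    """Schoolbook product: one shifted partial product per digit of ys, then add."""
    x, y = to_digits(xs, base), to_digits(ys, base)
    total = [0]
    for shift, yd in enumerate(y):
        partial, carry = [0] * shift, 0
        for xd in x:
            carry, d = divmod(xd * yd + carry, base)
            partial.append(d)
        if carry:
            partial.append(carry)
        total = add_digits(total, partial, base)
    return from_digits(total, base)


def divide(xs, ys, base):
    """Long division: (quotient, remainder) as base-b strings."""
    divisor = int(ys, base)
    if divisor == 0:
        raise ZeroDivisionError("division by zero")
    quotient, r = [], 0
    for d in reversed(to_digits(xs, base)):  # most significant digit first
        r = r * base + d                     # bring down the next digit
        q = 0
        while r >= divisor:                  # at most base - 1 subtractions
            r -= divisor
            q += 1
        quotient.append(q)
    rem = []
    while r:
        r, d = divmod(r, base)
        rem.append(d)
    return from_digits(quotient[::-1], base), from_digits(rem, base)


if __name__ == "__main__":
    print(multiply("212", "122", 3))        # 112111
    print(divide("40122", "126", 7))        # ('260', '12')
    print(multiply("101101", "11001", 2))   # 10001100101
    print(divide("10011001", "1011", 2))    # ('1101', '1010')
```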
2.2 We do not seek tight estimates in this course. In the lecture we have seen that the complexity of the multiplication of two numbers of bit length k is O(k^2). Using smarter algorithms this can be brought down to O(k log(k) log(log(k))) bit operations, which is better than O(k^{1+ε}) for arbitrarily small ε > 0. We do not seek such optimizations.
i) Finding 3^n is the same as carrying out the multiplication
3 × 3 × · · · × 3 (n − 1 multiplications).
Thus the number of multiplications is O(n). Assume that we have carried out j − 1 multiplications, 0 < j ≤ n − 1. How many bit operations are then needed to find 3^j = 3^{j−1} · 3? We know that 3 = (11)_2, but what is the length of 3^{j−1} written in base 2? The length of every 3^{j−1} is smaller than or equal to the length of 3^n written in base 2. We know that the length of an integer k written in base b is
⌊log_b(k)⌋ + 1 = ⌊log(k) / log(b)⌋ + 1.
As log(a^n) = n log(a), we find that the binary length of 3^n is
⌊log(3^n) / log(2)⌋ + 1 = ⌊n · log(3) / log(2)⌋ + 1.
Thus the length of 3^n is of order O(n). We conclude that the multiplication 3^j = 3^{j−1} · 3 requires O(n) bit operations (an O(n)-bit number times a 2-bit number). Finally, the total number of bit operations for the n − 1 multiplications will be
O(n) · O(n) = O(n^2).
ii) In this case the length of n is log(n). Thus each product has O(n log(n)) digits, and as a consequence each multiplication will require O(n log^2(n)) bit operations. We conclude that the total number of bit operations is of order O(n^2 log^2(n)).
iii) Suppose that a ≥ b and that we want to find a : b. If b divides a, we see that the number of bit operations will not exceed the number of binary digits in a multiplied by the length of a. Thus the number of bit operations is bounded by log_2^2(a), and we conclude that division is of complexity O(log^2(a)). If b does not divide a, the exact-division algorithm considered here does not terminate; division with remainder, which stops as soon as the remainder is smaller than b, has the same O(log^2(a)) bound and is what the Euclidean algorithm below uses.
iv) For the Euclidean algorithm we have to determine the number of divisions the algorithm performs. Given a > b, the algorithm for finding gcd(a, b) is the following.
a = q_1 b + r_1
b = q_2 r_1 + r_2
...
r_{k−2} = q_k r_{k−1} + r_k
r_{k−1} = q_{k+1} r_k + 0
We want to show that r_{j+2} < ½ r_j. If r_{j+1} < ½ r_j, the property is trivial, since r_{j+2} < r_{j+1}. Assuming that r_{j+1} > ½ r_j, the quotient in the next step is 1, so r_j = 1 · r_{j+1} + r_{j+2}. Thus r_{j+2} = r_j − r_{j+1} < ½ r_j. (If r_{j+1} = ½ r_j exactly, then r_{j+2} = 0 and the algorithm stops.) We see that for every second iteration the size of the remainder is at least halved. In addition we know that the remainder never is smaller than 1. From this we conclude that the number of divisions is bounded by 2 log_2(a).
Thus the complexity of the algorithm is
O(log(a)) · O(log^2(a)) = O(log^3(a)).
2.3 We want to find x ≡ 8^103 (mod 13). First we observe that 13 ∤ 8. Applying the notation used in Fermat's little theorem gives p = 13 and p − 1 = 12, so 8^12 ≡ 1 (mod 13). We then see that 103 = 8 · 12 + 7, thus
8^103 = 8^{8·12+7} = (8^12)^8 · 8^7 ≡ 8^7 (mod 13).
Since 8 ≡ −5 (mod 13) and 25 = 2 · 13 − 1 ≡ −1 (mod 13),
8^7 ≡ (−5)^7 = (−5)^6 · (−5) = 25^3 · (−5) ≡ (−1)^3 · (−5) ≡ 5 (mod 13).
Hence x ≡ 5 (mod 13).
2.4 We know that 11 | 2^11213 if and only if 2^11213 ≡ 0 (mod 11). From Fermat's little theorem we know that 2^10 ≡ 1 (mod 11). We find that 11213 = 1121 · 10 + 3, thus
2^11213 = (2^10)^1121 · 2^3 ≡ 2^3 = 8 (mod 11).
From this we can conclude that 11 ∤ 2^11213.

Table 2: The Jacobi symbols (a_i / p_i).
        p1    p2    p3    p4
  a1    −1     1     1    −1
  a2     1    −1    −1     0
  a3     1    −1     1     1
  a4     1     1    −1     1

Table 3: Calculations of a_i^{(p_i − 1)/2} (mod p_i).
        p1    p2    p3    p4
  a1    −1   755     1  3261
  a2     1   233    −1  3358
  a3     1     1     1  6952
  a4     1  4438    −1  1534
Exercise 3 (Exam 2004)
a) Letting p be an odd prime and a an integer not divisible by p, Euler's criterion says that (a/p) ≡ a^{(p−1)/2} (mod p). This is what the Solovay–Strassen primality test is based on: for an odd composite p the congruence fails for at least half of the bases a, so each base that passes halves the probability that a composite slips through. We use Table 2 (the Jacobi symbols (a_i/p_i)) and Table 3 (the values a_i^{(p_i−1)/2} (mod p_i)), which are Tables 1 and 2 of the exam exercise. For p1 and p3 the two tables agree in every row (−1, 1, 1, 1 and 1, −1, 1, −1 respectively), so all four bases pass the test; based on the primality test we conclude that it is very likely that p1 and p3 are primes. For p2 and p4 the values in Table 3 are not even ±1, so p2 and p4 are composite (for p4, the Jacobi symbol (a2/p4) = 0 moreover means gcd(a2, p4) > 1, so a2 already reveals a factor of p4).
b) The algorithm is based on a for loop which is executed k times (i = 0, ..., k − 1), where k is the number of binary digits of n; this gives a contribution O(log(n)) to the complexity.
The loop body contains two multiplications. In line 4, a (of maximal bit length O(log(m)), since it is reduced modulo m) is multiplied by b_i (maximal bit length O(log(m))). The number of bit operations required for this multiplication is therefore of order O(log^2(m)). By a similar argument the squaring in line 6 is of order O(log^2(m)).
We conclude that one execution of the loop body is of complexity O(log^2(m)) and that the algorithm requires O(log(n) log^2(m)) bit operations.
c) In general, factoring large numbers is a hard problem. But depending on the properties of the prime factors, there exist a number of algorithms that can speed up the factorization.
Given that the difference between the factors is small, we know that Fermat's factorization method can be applied. Let n_A be the integer we want to factor. We then try t = ⌊√n_A⌋ + 1, t = ⌊√n_A⌋ + 2, ... until we find t^2 − n_A = s^2 where s^2 is a perfect square. Then we know that n_A = (t − s)(t + s). When n_A is factored, a cryptanalyst can easily find d_A = e_A^{−1} (mod φ(n_A)), where φ(n_A) = (t − s − 1)(t + s − 1). The number of values of t that have to be tried is about (√p − √q)^2 / 2 for n_A = pq, so the attack is fast exactly when p and q are close.
d) Consider a public key cryptosystem where the users A and B have chosen E_A and E_B as their public encryption functions and D_A and D_B as their private decryption functions, respectively. Let m be the message that A wishes to transmit to B.
Suppose that A and B execute the protocol described in Figure 1. Confidentiality is ensured by the encryption of m under E_B (only B can apply D_B), while authentication and integrity are given by the test s = h(m'): only A can produce D_A(h(m)), and any change to m changes h(m'). Note that this is only one-way authentication: B learns that the message came from A, but A gets no assurance about B.
Exercise 4
a) We have n = 4087. Then ⌊√n⌋ = 63, since 63^2 = 3969 < 4087 < 64^2 = 4096. With t = 64 we see that 64^2 − 4087 = 9 = 3^2, and it follows that
4087 = 64^2 − 3^2
= (64 − 3)(64 + 3)
= 61 · 67,
and we have factored 4087 after a single step, as expected for two factors this close.
Algorithm 1: Algorithm that finds a ≡ b^n (mod m)
1: b_0 ← b, a ← 1, n = n_0 + 2n_1 + 2^2 n_2 + ... + 2^{k−1} n_{k−1}
2: for i = 0 to k − 1 do
3:   if n_i = 1 then
4:     a ← a · b_i (mod m)
5:   end if
6:   b_{i+1} ← b_i^2 (mod m)
7: end for
8: return a
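Algorithm 1 and the test of Exercise 3a in code, as an added example that is not part of the original solution set: `modpow` is the right-to-left binary exponentiation of Algorithm 1 with the reductions of lines 4 and 6, `jacobi` computes (a/n) by quadratic reciprocity, and `euler_criterion_agrees` is the single comparison that Tables 2 and 3 carry out by hand. The Fermat reductions of 2.3 and 2.4 serve as checks of `modpow`. The function names and the round count are this example's own choices.

```python
# Added example, not part of the IMT3701 solution set: Algorithm 1 (right-to-left
# binary exponentiation) as written on the page, the Jacobi symbol, and the
# Solovay-Strassen test that Exercise 3a applies by hand to Tables 2 and 3. The
# Fermat-reduction computations of 2.3 and 2.4 are used as checks.
import random


def modpow(b, n, m):
    """Algorithm 1: a = b^n (mod m). Bits n_0, n_1, ... of n are scanned from the least
    significant end; b_i = b^(2^i) (mod m) is squared each round. One loop body costs
    two multiplications of O(log m)-bit numbers; the loop runs k = bit-length(n) times."""
    if m < 1:
        raise ValueError("modulus must be positive")
    a, b_i = 1 % m, b % m
    while n:
        if n & 1:                  # n_i = 1: line 4
            a = (a * b_i) % m
        b_i = (b_i * b_i) % m      # b_{i+1} = b_i^2 (mod m): line 6
        n >>= 1
    return a


def jacobi(a, n):
    """Jacobi symbol (a/n), n odd and positive, via the supplementary laws and
    quadratic reciprocity. For prime n it is the Legendre symbol."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: sign flips when both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0  # n > 1 here means gcd(a, n) > 1


def euler_criterion_agrees(a, n):
    """One round of Solovay-Strassen: does a^((n-1)/2) = (a/n) (mod n)?
    True for every a in 1..n-1 when n is prime; for odd composite n at least half
    of the bases fail it, and (a/n) = 0 already exposes a common factor."""
    j = jacobi(a, n)
    return j != 0 and modpow(a, (n - 1) // 2, n) == j % n


def solovay_strassen(n, rounds=20, rng=random):
    """Probable-prime test with error probability at most 2^-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(euler_criterion_agrees(rng.randrange(2, n - 1), n) for _ in range(rounds))


if __name__ == "__main__":
    print(modpow(8, 103, 13), modpow(2, 11213, 11))   # 5 8, as in 2.3 and 2.4
    print(jacobi(2, 7), jacobi(3, 7), jacobi(6, 9))   # 1 -1 0
    print(solovay_strassen(61), solovay_strassen(67), solovay_strassen(4087))
```

Reading Table 3 with `euler_criterion_agrees` in mind: a value that is not ±1 modulo p_i fails the comparison regardless of what the Jacobi symbol is, which is why p2 and p4 are rejected at a glance, while p1 and p3 only earn "probably prime" because four bases is four halvings of the error probability.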
Figure 1: A protocol between two users A and B which, through a public key cryptosystem and a hash function, provides confidentiality, authentication, and integrity in a message transfer.
Public: E_A, E_B.    A holds D_A, B holds D_B.
A:      message m
        computes h(m)
        c = E_B(m, D_A(h(m)))
A → B:  c
B:      D_B(c') = (m', D_A(s))
        E_A(D_A(s)) = s
        checks s ?= h(m')
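The protocol of Figure 1 run end to end, as an added example that is not part of the original solution set. Textbook RSA stands in for the generic E/D functions (so E_A and D_A are the same operation with different exponents, which is what makes E_A(D_A(s)) = s work), and SHA-256 reduced into Z_{n_A} stands in for h. The primes 1009, 1013, 1031, 1033, the exponent 17 and the message are constructed toy values with no security; the function names are this example's own.

```python
# Added example, not part of the IMT3701 solution set: the Figure 1 protocol run end
# to end, with textbook RSA standing in for the generic E/D functions and SHA-256
# (reduced into Z_{n_A}) for h. The primes, exponent and message below are toy
# values chosen so the example runs instantly; they give no real security.
import hashlib
from math import gcd


def rsa_keypair(p, q, e):
    """Textbook RSA: public key (n, e), private key (n, d), d = e^-1 mod phi(n)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (p * q, e), (p * q, pow(e, -1, phi))


def apply_key(key, x):
    """E or D: x^k mod n. Same operation for both, which is what lets E_A undo D_A."""
    n, k = key
    return pow(x, k, n)


def h(m, n_sig):
    """Hash of the message as an element of the signer's Z_n: SHA-256 of the
    decimal string of m, reduced mod n (a toy stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n_sig


def sender_a(m, priv_a, pub_b):
    """A: c = E_B(m, D_A(h(m))); the pair is encrypted component by component."""
    sig = apply_key(priv_a, h(m, priv_a[0]))
    return apply_key(pub_b, m), apply_key(pub_b, sig)


def receiver_b(c, priv_b, pub_a):
    """B: D_B(c) = (m', D_A(s)), then E_A(D_A(s)) = s; accept iff s = h(m')."""
    m_prime = apply_key(priv_b, c[0])
    s = apply_key(pub_a, apply_key(priv_b, c[1]))
    return m_prime, s == h(m_prime, pub_a[0])


# Constructed toy keys (assumption). n_A < n_B so that a signature, which lives in
# Z_{n_A}, fits into Z_{n_B} and survives E_B / D_B unchanged.
PUB_A, PRIV_A = rsa_keypair(1009, 1013, 17)   # n_A = 1022117
PUB_B, PRIV_B = rsa_keypair(1031, 1033, 17)   # n_B = 1065023


def demo(m=424242):
    """Run the protocol once as specified and once with the encrypted message
    swapped for the encryption of m + 1, which the check s = h(m') must catch."""
    c = sender_a(m, PRIV_A, PUB_B)
    genuine = receiver_b(c, PRIV_B, PUB_A)
    forged = receiver_b((apply_key(PUB_B, m + 1), c[1]), PRIV_B, PUB_A)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes visible that the figure only implies: the signature must fit into B's message space (hence n_A < n_B, or a hybrid scheme in practice), and B's check says nothing about freshness, so a replayed c passes every step; the exam answer's remark that the authentication is one-way is the same limitation seen from A's side.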
b) In this case we apply Pollard's rho algorithm to factor 4087 by means of the function f(x) = x^2 + x + 1 and x_0 = 2, computing x_{k+1} = f(x_k) (mod 4087). In the variant used here x_k is compared with x_j, where j = 2^h − 1 is the largest number of that form below k (so x_j is refreshed whenever k is a power of two). We find the following table:

 k   h   j    x_k    x_j    gcd(x_k − x_j, 4087)
 0   –   –      2      –    –
 1   0   0      7      2    gcd(7 − 2, 4087) = 1
 2   1   1     57      7    gcd(57 − 7, 4087) = 1
 3   1   1   3307      7    gcd(3307 − 7, 4087) = 1
 4   2   3   2745   3307    gcd(2745 − 3307, 4087) = 1
 5   2   3   1343   3307    gcd(1343 − 3307, 4087) = 1
 6   2   3   2626   3307    gcd(2626 − 3307, 4087) = 1
 7   2   3   3734   3307    gcd(3734 − 3307, 4087) = gcd(427, 4087) = 61

We conclude that 61 divides 4087. By division we find that the other factor is 67.
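Both factoring methods of Exercise 4, followed by the key recovery described in 3c, as an added example that is not part of the original solution set. `fermat_factor` is the search t = ⌊√n⌋ + 1, ⌊√n⌋ + 2, ... for t^2 − n = s^2; `pollard_rho` uses f(x) = x^2 + x + 1 with x_0 = 2 and the comparison against x_j, j = 2^h − 1, so its rows reproduce the table above. The public exponent e = 17 in the final step is an assumption, since the exercise gives no e.

```python
# Added example, not part of the IMT3701 solution set: the two factoring methods of
# Exercise 4 applied to n = 4087, followed by the key recovery of Exercise 3c.
# fermat_factor() searches t = floor(sqrt(n)) + 1, +2, ... for t^2 - n = s^2;
# pollard_rho() uses f(x) = x^2 + x + 1, x_0 = 2 and compares x_k with x_j for
# j = 2^h - 1, the variant tabulated on the page. The exponent e = 17 used in the
# key-recovery check is an assumption; the exercise gives no e.
from math import gcd, isqrt


def fermat_factor(n, max_steps=10**6):
    """Return (t - s, t + s) with n = t^2 - s^2, n odd. The number of t to try is about
    (sqrt(p) - sqrt(q))^2 / 2 for n = pq, so this is fast exactly when p and q are close."""
    if n % 2 == 0 or n < 3:
        raise ValueError("Fermat's method needs an odd n > 2")
    r = isqrt(n)
    if r * r == n:
        return r, r
    for t in range(r + 1, r + 1 + max_steps):
        s2 = t * t - n
        s = isqrt(s2)
        if s * s == s2:
            return t - s, t + s
    raise RuntimeError("no representation found within max_steps")


def pollard_rho(n, x0=2, f=lambda x: x * x + x + 1, max_steps=10**6):
    """Pollard's rho in the form of the table: x_{k+1} = f(x_k) mod n, compare x_k with
    x_j where j = 2^h - 1 is the largest such index below k (x_j is refreshed whenever
    k is a power of two). Returns (factor, rows) with rows = (k, j, x_k, x_j, gcd)."""
    rows, x, x_j, j = [], x0, x0, 0
    for k in range(1, max_steps):
        if k & (k - 1) == 0:          # k is a power of two: j = k - 1, x_j = x_{k-1}
            x_j, j = x, k - 1
        x = f(x) % n
        g = gcd(x - x_j, n)
        rows.append((k, j, x, x_j, g))
        if 1 < g < n:
            return g, rows
        if g == n:
            raise RuntimeError("x_k = x_j mod n without a factor; change x0 or f")
    raise RuntimeError("no factor found within max_steps")


def recover_private_exponent(n, e):
    """Exercise 3c: with n = (t - s)(t + s) known, phi(n) = (t - s - 1)(t + s - 1)
    and d = e^-1 mod phi(n) follows immediately."""
    p, q = fermat_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    print(fermat_factor(4087))                 # (61, 67)
    factor, rows = pollard_rho(4087)
    for k, j, xk, xj, g in rows:
        print(f"k={k} j={j} x_k={xk:5d} x_j={xj:5d} gcd={g}")
    print(factor, 4087 // factor)              # 61 67
    d = recover_private_exponent(4087, 17)
    print(d, pow(pow(1234, 17, 4087), d, 4087))  # 233 1234
```

The `g == n` branch is the failure mode the exercise does not show: when the sequence cycles modulo n itself before any prime factor is detected, the gcd jumps straight to n and a new x_0 or a new f is needed.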