IMT3701 Cryptology – Solutions

RSA – Exercise 1

1.1
a) 391 = 4 · 81 + 67, thus 391 ≡ 67 (mod 81).
b) −391 ≡ −67 ≡ 14 (mod 81).
c) Since 0 ≤ 81 < 391, 81 is already reduced: 81 (mod 391) ≡ 81.

1.2
The factorization of 828 is 828 = 2^2 · 3^2 · 23. An integer n divides 828 if and only if n is of the form n = 2^a · 3^b · 23^c with 0 ≤ a ≤ 2, 0 ≤ b ≤ 2 and 0 ≤ c ≤ 1. The number of divisors is therefore 3 · 3 · 2 = 18. A divisor of 828 is either 1, 828, or a product of one or more of the prime factors of 828 (with multiplicity). We get the following table:

  1
  2
  3
  23
  2 · 2 = 4
  2 · 3 = 6
  2 · 23 = 46
  3 · 3 = 9
  3 · 23 = 69
  2 · 2 · 3 = 12
  2 · 2 · 23 = 92
  2 · 3 · 3 = 18
  2 · 3 · 23 = 138
  3 · 3 · 23 = 207
  2 · 2 · 3 · 3 = 36
  2 · 2 · 3 · 23 = 276
  2 · 3 · 3 · 23 = 414
  2 · 2 · 3 · 3 · 23 = 828

1.3
Given d = gcd(a, b), writing d as a linear combination of a and b means finding integers s and t such that d = sa + tb. The expression is linear in both a and b, which is why d is said to be a linear combination of a and b. The extended Euclidean algorithm (EEA) is well suited for finding such s and t: run the Euclidean algorithm, then substitute back through the remainders.

a) We apply the Euclidean algorithm to 1547 and 560 in order to find gcd(1547, 560):
  1547 = 2 · 560 + 427
  560 = 1 · 427 + 133
  427 = 3 · 133 + 28
  133 = 4 · 28 + 21
  28 = 1 · 21 + 7
  21 = 3 · 7 + 0.
Thus d = gcd(1547, 560) = 7. Substituting back (the extended Euclidean algorithm) gives
  7 = 28 − 1 · 21
    = 28 − 1 · (133 − 4 · 28) = 5 · 28 − 1 · 133
    = 5 · (427 − 3 · 133) − 1 · 133 = 5 · 427 − 16 · 133
    = 5 · 427 − 16 · (560 − 1 · 427) = 21 · 427 − 16 · 560
    = 21 · (1547 − 2 · 560) − 16 · 560 = 21 · 1547 − 58 · 560.
We conclude that 7 = 21 · 1547 − 58 · 560, so s = 21 and t = −58 (s is the coefficient of the first argument, 1547, as in b) and c) below).

b) We apply the Euclidean algorithm to 187 and 34 in order to find gcd(187, 34):
  187 = 5 · 34 + 17
  34 = 2 · 17 + 0.
Thus gcd(187, 34) = 17, and the extended Euclidean algorithm gives 17 = 1 · 187 − 5 · 34. We conclude that s = 1 and t = −5.
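The following Python program is an added example, not part of the original solution sheet. It implements the back-substitution of 1.3 as an iterative extended Euclidean algorithm and reuses it for the inverse table of 1.4, the linear congruences of 1.5 (including the case gcd(a, n) > 1) and the affine-cipher system of 1.6; it also counts the divisions the Euclidean algorithm makes, which is the quantity bounded in 2.2 iv). The function names, the reading of 1.6 as an affine cipher c ≡ x·p + y (mod 29) with letters numbered a = 0, b = 1, ..., and the sample values are this example's own assumptions.

```python
"""Extended Euclidean algorithm and its uses in Exercise 1 (1.3 to 1.6).

Added example, not part of the original solution sheet.  Function names, the
division counter and the sample values are this example's own choices.
"""
import math


def egcd(a: int, b: int):
    """Return (d, s, t) with d = gcd(a, b) = s*a + t*b, for a, b >= 0.

    Iterative form of the back-substitution done by hand in 1.3: (s, t) are
    updated alongside the remainders so that  r = s*a + t*b  holds for the
    current remainder r after every division.
    """
    r0, r1 = a, b
    s0, s1 = 1, 0
    t0, t1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def euclid_divisions(a: int, b: int) -> int:
    """Number of divisions the Euclidean algorithm performs on (a, b)."""
    steps = 0
    while b != 0:
        a, b = b, a % b
        steps += 1
    return steps


def euclid_bound_holds(a: int, b: int) -> bool:
    """Check the bound of 2.2 iv): at most 2*log2(a) divisions for a > b."""
    return euclid_divisions(a, b) <= 2 * math.log2(a)


def modinv(a: int, n: int) -> int:
    """Inverse of a modulo n from the EEA; ValueError if gcd(a, n) != 1."""
    d, s, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} is not invertible mod {n} (gcd = {d})")
    return s % n


def units_with_inverses(n: int) -> dict:
    """The invertible elements of Z_n with their inverses (Table 1 for n = 28)."""
    return {a: modinv(a, n) for a in range(1, n) if egcd(a, n)[0] == 1}


def solve_linear_congruence(a: int, b: int, n: int) -> list:
    """All x in Z_n with a*x = b (mod n), following the case split of 1.5.

    With d = gcd(a, n): no solution if d does not divide b; otherwise x0
    solves (a/d)*x0 = b/d (mod n/d) and the d solutions are x0 + k*(n/d).
    """
    d = egcd(a % n, n)[0]
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d
    x0 = (modinv(a1, n1) * b1) % n1
    return sorted((x0 + k * n1) % n for k in range(d))


def affine_key_from_pairs(p1: int, c1: int, p2: int, c2: int, n: int):
    """Recover the affine key (x, y), c = x*p + y (mod n), from two known
    plaintext/ciphertext letter pairs as in 1.6: subtracting the two equations
    gives (p1 - p2)*x = c1 - c2, then y = c1 - x*p1.  Returns None when
    p1 - p2 is not invertible mod n, i.e. the two pairs do not fix the key.
    """
    try:
        x = (modinv((p1 - p2) % n, n) * (c1 - c2)) % n
    except ValueError:
        return None
    return x, (c1 - x * p1) % n


if __name__ == "__main__":
    print(egcd(1547, 560))                          # (7, 21, -58)
    print(units_with_inverses(28))
    print(solve_linear_congruence(9, 12, 21))       # [6, 13, 20]
    print(affine_key_from_pairs(7, 24, 4, 15, 29))  # h->Y, e->P gives (3, 3)
```

The sign convention matches the hand calculations: s multiplies the first argument and t the second, so egcd(1547, 560) returns (7, 21, −58). Note that egcd is also the only place where the algorithm is written out; modinv, the inverse table and the congruence solver are thin wrappers around it.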
c) We apply the Euclidean algorithm to 841 and 160 in order to find gcd(841, 160):
  841 = 5 · 160 + 41
  160 = 3 · 41 + 37
  41 = 1 · 37 + 4
  37 = 9 · 4 + 1
  4 = 4 · 1 + 0.
Thus gcd(841, 160) = 1. The extended Euclidean algorithm gives
  1 = 37 − 9 · 4
    = 37 − 9 · (41 − 37) = 10 · 37 − 9 · 41
    = 10 · (160 − 3 · 41) − 9 · 41 = 10 · 160 − 39 · 41
    = 10 · 160 − 39 · (841 − 5 · 160) = 205 · 160 − 39 · 841.
We conclude that s = −39 and t = 205.

1.4
An element a is invertible in Z_28 if and only if gcd(a, 28) = 1, i.e. a has no prime factor in common with 28. The prime factorization of 28 is 2^2 · 7. Thus the invertible elements of Z_28 are the odd numbers smaller than 28 with the exception of the multiples of 7 (that is, 7 and 21). To find the inverse of each element we use the extended Euclidean algorithm (it gives a · a^{-1} + k · 28 = 1). The results are given in Table 1; remember that (a^{-1})^{-1} = a, so the table also gives the inverses of 17, 19, 23 and 25.

  a     a^{-1}
  1     1
  3     19
  5     17
  9     25
  11    23
  13    13
  15    15
  27    27

Table 1: Invertible elements in Z_28 and their inverses.

1.5
Equations of the form ax ≡ b (mod n) can be solved as follows. Let d = gcd(a, n).
If d = 1, use the EEA to find an integer s satisfying as ≡ 1 (mod n); then x ≡ bs (mod n).
If d > 1 we have two cases:
1. If d ∤ b the equation has no solutions.
2. If d | b, use the method above to find the solution x_0 of the equation (a/d) x_0 ≡ (b/d) (mod n/d), where a/d, b/d and n/d are integers and gcd(a/d, n/d) = 1. The solutions x of the equation ax ≡ b (mod n) are then the d elements
  x_0, x_0 + (n/d), x_0 + 2(n/d), . . . , x_0 + (d − 1)(n/d) (mod n).
Written in a more compact form: x ≡ x_0 + k · (n/d) (mod n), k ∈ Z.
We now have what is needed to solve the congruence equations.

a) Consider the equation 3x ≡ 4 (mod 7). We see that gcd(7, 3) = 1, so the equation is solvable. The EEA gives 1 = 7 − 2 · 3, which is equivalent to 3^{-1} ≡ −2 ≡ 5 (mod 7). Thus x ≡ 5 · 4 ≡ 6 (mod 7).

b) Consider the equation 3x ≡ 4 (mod 12). Here we find gcd(12, 3) = 3 and 3 ∤ 4. Thus the equation has no solutions.

c) Consider the equation 9x ≡ 12 (mod 21). Here we find gcd(21, 9) = 3 and 3 | 12.
Thus we consider the equation (9/3) x_0 ≡ 12/3 (mod 21/3), that is, 3x_0 ≡ 4 (mod 7). From a) we know that x_0 ≡ 6 (mod 7). The solutions are therefore
  x ≡ 6, 13 or 20 (mod 21),
which is equivalent to x ≡ 6 + 7k (mod 21), k ∈ Z.

d) Consider the equation 27x ≡ 25 (mod 256). We find gcd(256, 27) = 1. Using the EEA we find 27^{-1} ≡ 19 (mod 256) (check: 27 · 19 = 513 = 2 · 256 + 1). Thus x ≡ 19 · 25 = 475 ≡ 219 (mod 256).

1.6
We solve the system of equations with the usual method from the real numbers, but remember that all operations are modulo 29. Define L1 and L2 as follows:
  L1: 7x + y ≡ 24 (mod 29)
  L2: 4x + y ≡ 15 (mod 29).
Then L1 − L2: 3x ≡ 9 (mod 29), which gives x ≡ 3 (mod 29) since 3 is invertible modulo 29. Substituting into L2 we find y ≡ 15 − 4 · 3 ≡ 3 (mod 29). Thus x ≡ y ≡ 3 (mod 29).
If statistical analysis of an affine cipher over a 29-letter alphabet shows that the letter h is encrypted to Y and the letter e to P, solving this system gives the cryptanalyst the secret key: numbering the letters a = 0, b = 1, . . . gives h = 7, e = 4, Y = 24 and P = 15, so with affine encryption c ≡ xp + y (mod 29) the two known pairs are exactly L1 and L2, and the key is (x, y) = (3, 3).

Exercise 2

2.1
We carry out multiplications and divisions as usual, but keep in mind that we are working in some base b. This gives other carries than we are used to in base 10.

i) Multiplication in base 3 (each partial product is 212_3 times one digit, with carries in base 3):
            2 1 2
          · 1 2 2
      -----------
          1 2 0 1       (212_3 · 2)
        1 2 0 1         (212_3 · 2)
      2 1 2             (212_3 · 1)
      -----------
      1 1 2 1 1 1
Thus (212)_3 · (122)_3 = (112111)_3. (Check in base 10: 23 · 17 = 391 = 243 + 81 + 54 + 9 + 3 + 1.)

ii) Long division in base 7 (126_7 · 2 = 255_7 and 126_7 · 6 = 1131_7):
      4 0 1 2 2 : 1 2 6 = 2 6 0, remainder 1 2
    − 2 5 5
      -----
      1 1 3 2
    − 1 1 3 1
      -------
            1 2
Thus (40122)_7 : (126)_7 = (260)_7 with remainder (12)_7, i.e. 260 + 12/126 in base 7. (Check in base 10: 9669 = 140 · 69 + 9.)

iii) Multiplication in base 2:
                  1 0 1 1 0 1
                · 1 1 0 0 1
      -----------------------
                  1 0 1 1 0 1     (· 1)
                0 0 0 0 0 0       (· 0)
              0 0 0 0 0 0         (· 0)
            1 0 1 1 0 1           (· 1)
          1 0 1 1 0 1             (· 1)
      -----------------------
      1 0 0 0 1 1 0 0 1 0 1
Thus (101101)_2 · (11001)_2 = (10001100101)_2. (Check in base 10: 45 · 25 = 1125.)

iv) Long division in base 2:
      1 0 0 1 1 0 0 1 : 1 0 1 1 = 1 1 0 1, remainder 1 0 1 0
    − 1 0 1 1
      -------
        1 0 0 0 0
      − 1 0 1 1
        -------
          1 0 1 0         (smaller than 1011, next quotient digit 0)
          1 0 1 0 1
        − 1 0 1 1
          -------
            1 0 1 0
Thus (10011001)_2 : (1011)_2 = (1101)_2 with remainder (1010)_2, i.e. 1101 + 1010/1011 in base 2. (Check in base 10: 153 = 13 · 11 + 10.)

2.2
We do not seek tight estimates in this course. In the lecture we have seen that the complexity of multiplying two numbers of bit length k is O(k^2).
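As an added example for the four calculations of 2.1 (not code from the original sheet), here is schoolbook multiplication and long division on lists of base-b digits, so that the carries and borrows happen in base b exactly as in the hand layouts above. The helper names and the base-10 cross-check are this example's own; the hand-computed results are used as the expected values.

```python
"""Schoolbook multiplication and long division in an arbitrary base b (2.1).

Added example, not part of the original solution sheet.  Numbers are lists of
digits, most significant first, so the carries and borrows are done in base b
exactly as in the hand calculations; helper names are this example's own.
"""


def parse(s: str, b: int) -> list:
    """'40122' -> [4, 0, 1, 2, 2], rejecting digits that are not < b."""
    digits = [int(ch) for ch in s]
    if any(d >= b for d in digits):
        raise ValueError(f"{s!r} is not a base-{b} numeral")
    return digits


def strip(digits: list) -> list:
    """Drop leading zeros but keep at least one digit."""
    i = 0
    while i < len(digits) - 1 and digits[i] == 0:
        i += 1
    return digits[i:]


def from_digits(digits: list, b: int) -> int:
    """Base-10 value of a digit list (used only for cross-checking)."""
    value = 0
    for d in digits:
        value = value * b + d
    return value


def compare(x: list, y: list) -> int:
    """-1, 0 or 1 as x <, = or > y."""
    x, y = strip(x), strip(y)
    if len(x) != len(y):
        return -1 if len(x) < len(y) else 1
    return (x > y) - (x < y)       # equal length: lexicographic = numeric


def multiply(x: list, y: list, b: int) -> list:
    """Schoolbook product with base-b carries, as in 2.1 i) and iii)."""
    result = [0] * (len(x) + len(y))       # least significant digit first
    xr, yr = x[::-1], y[::-1]
    for i, yd in enumerate(yr):            # one partial product per digit of y
        carry = 0
        for j, xd in enumerate(xr):
            total = result[i + j] + xd * yd + carry
            result[i + j], carry = total % b, total // b
        k = i + len(xr)
        while carry:                       # carry may ripple further left
            total = result[k] + carry
            result[k], carry = total % b, total // b
            k += 1
    return strip(result[::-1])


def subtract(x: list, y: list, b: int) -> list:
    """x - y with base-b borrows; requires x >= y."""
    x = strip(x)
    xr, yr = x[::-1], y[::-1] + [0] * (len(x) - len(y))
    out, borrow = [], 0
    for xd, yd in zip(xr, yr):
        d = xd - yd - borrow
        borrow = 1 if d < 0 else 0
        out.append(d + b * borrow)
    return strip(out[::-1])


def divide(x: list, y: list, b: int):
    """Long division x : y in base b -> (quotient digits, remainder digits).

    Each step brings down one digit of x and takes the largest q < b with
    q*y <= current remainder, the way the hand layout in 2.1 ii) and iv) does.
    """
    y = strip(y)
    if y == [0]:
        raise ZeroDivisionError("division by zero")
    quotient, rem = [], [0]
    for d in x:
        rem = strip(rem + [d])             # bring down the next digit
        q = 0
        while q + 1 < b and compare(multiply(y, [q + 1], b), rem) <= 0:
            q += 1
        quotient.append(q)
        rem = subtract(rem, multiply(y, [q], b), b)
    return strip(quotient), rem


if __name__ == "__main__":
    print(multiply(parse("212", 3), parse("122", 3), 3))     # [1, 1, 2, 1, 1, 1]
    print(divide(parse("40122", 7), parse("126", 7), 7))     # ([2, 6, 0], [1, 2])
```

The quotient digit in divide is found by trial multiplication, which is what one does by hand; since the remainder is always smaller than b · y, the search never needs more than b − 1 trials per digit.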
Using smarter algorithms this can be reduced to O(k log(k) log(log(k))) bit operations, which is better than O(k^{1+ε}) for arbitrarily small ε > 0. We do not seek such optimizations here.

i) Finding 3^n is the same as carrying out the product 3 · 3 · · · 3 with n − 1 multiplications. Thus the number of multiplications is O(n). Assume that we have carried out j − 1 multiplications, 0 < j < n − 1. How many bit operations are then needed to find 3^j = 3^{j−1} · 3? We know that 3 = (11)_2, but what is the length of 3^{j−1} written in base 2? The length of every 3^{j−1} is at most the length of 3^n written in base 2. The length of an integer k written in base b is
  ⌊log_b(k)⌋ + 1 = ⌊log(k) / log(b)⌋ + 1.
As log(a^n) = n log(a), the binary length of 3^n is
  ⌊log(3^n) / log(2)⌋ + 1 = ⌊n · log(3) / log(2)⌋ + 1,
so the length of 3^n is O(n). We conclude that the multiplication 3^j = 3^{j−1} · 3 (an O(n)-bit number times a 2-bit number) requires O(n) bit operations. Finally, the total number of bit operations for the n − 1 multiplications is O(n) · O(n) = O(n^2).

ii) In this case the multiplier n has binary length O(log(n)). Thus each product has O(n log(n)) digits, and as a consequence each multiplication requires O(n log^2(n)) bit operations. We conclude that the total number of bit operations is O(n^2 log^2(n)).

iii) Suppose that a ≥ b and that we want to compute a : b. If b divides a, the number of bit operations does not exceed the number of binary digits of a multiplied by the length of a. Thus the number of bit operations is bounded by (log_2(a))^2, and we conclude that division is of complexity O(log^2(a)). If b does not divide a the algorithm, as described, does not terminate.

iv) For the Euclidean algorithm we have to determine the number of divisions the algorithm performs. Given a > b, the algorithm for finding gcd(a, b) is the following:
  a = q_1 b + r_1
  b = q_2 r_1 + r_2
  . . .
  r_{k−2} = q_k r_{k−1} + r_k
  r_{k−1} = q_{k+1} r_k + 0.
We want to show that r_{j+2} < (1/2) r_j.
If r_{j+1} ≤ (1/2) r_j the property is trivial, since r_{j+2} < r_{j+1}. Assuming instead that r_{j+1} > (1/2) r_j, the next division has quotient 1: r_j = 1 · r_{j+1} + r_{j+2}. Thus r_{j+2} = r_j − r_{j+1} < (1/2) r_j. We see that in every second iteration the size of the remainder is at least halved. In addition we know that the remainder is never smaller than 1 until the algorithm stops. From this we conclude that the number of divisions is bounded by 2 log_2(a). Each division costs O(log^2(a)) by iii), so the complexity of the algorithm is O(log(a)) · O(log^2(a)) = O(log^3(a)).

2.3
We want to find x ≡ 8^103 (mod 13). First we observe that 13 ∤ 8, so Fermat's little theorem applies with p = 13 and p − 1 = 12: 8^12 ≡ 1 (mod 13). We then see that 103 = 8 · 12 + 7, thus
  8^103 = 8^{8·12+7} = (8^12)^8 · 8^7 ≡ 8^7 (mod 13)
        ≡ (−5)^7 = (−5)^6 · (−5) = 25^3 · (−5) ≡ (−1)^3 · (−5) ≡ 5 (mod 13),
using 8 ≡ −5 and 25 ≡ −1 (mod 13).

2.4
We have 11 | 2^11213 if and only if 2^11213 ≡ 0 (mod 11). From Fermat's little theorem we know that 2^10 ≡ 1 (mod 11). We find that 11213 = 1121 · 10 + 3, thus
  2^11213 = (2^10)^1121 · 2^3 ≡ 2^3 ≡ 8 (mod 11).
From this we conclude that 11 ∤ 2^11213.

Exercise 3 (Exam 2004)

a) For an odd prime p and an integer a not divisible by p, Euler's criterion says that (a/p) ≡ a^{(p−1)/2} (mod p), where (a/p) is the Legendre symbol. This is what the Solovay–Strassen primality test is based on: for a candidate p one computes the Jacobi symbol (a/p) and a^{(p−1)/2} (mod p) for several a; if the two ever differ (or the Jacobi symbol is 0, meaning gcd(a, p) > 1), p is composite. We use Table 2 and Table 3 below (Table 1 and Table 2 in the exercise text); note that Table 3 contains the values a_i^{(p_i−1)/2} (mod p_i), to be compared with the Jacobi symbols in Table 2.

        p1    p2    p3    p4
  a1    -1     1     1    -1
  a2     1    -1    -1     0
  a3     1    -1     1     1
  a4     1     1    -1     1

Table 2: The Jacobi symbols (a_i / p_i).

        p1    p2    p3    p4
  a1    -1   755     1  3261
  a2     1   233    -1  3358
  a3     1     1     1  6952
  a4     1  4438    -1  1534

Table 3: Calculations of a_i^{(p_i−1)/2} (mod p_i).

For p1 and p3 the two tables agree in every row. For p2 and p4 they disagree (and the entry (a2/p4) = 0 shows gcd(a2, p4) > 1), so p2 and p4 are composite. Based on the primality test we conclude that it is very likely that p1 and p3 are primes.

b) Algorithm 1 is based on a for loop which is executed k times, where k is the number of binary digits of n; this contributes a factor O(log(n)) to the complexity. The loop body contains two multiplications. In line 4, a (of maximal bit length O(log(m))) is multiplied by b_i (maximal bit length O(log(m))).
The number of bit operations required for this multiplication is therefore of order O(log^2(m)). By a similar argument the squaring in line 6 is of order O(log^2(m)). We conclude that one execution of the loop body is of complexity O(log^2(m)) and that the algorithm requires O(log(n) log^2(m)) bit operations.

c) In general, factoring large numbers is a hard problem. But depending on the properties of the prime factors, there exist a number of algorithms that can speed up the factorization. Given that the difference between the factors is small, Fermat's factorization method can be applied. Let n_A be the integer we want to factor. We then try t = ⌊√n_A⌋ + 1, t = ⌊√n_A⌋ + 2, . . . until we find a t with t^2 − n_A = s^2 a perfect square. Then n_A = t^2 − s^2 = (t − s)(t + s). When n_A is factorized a cryptanalyst easily finds d_A = e_A^{-1} (mod φ(n_A)), where φ(n_A) = (t − s − 1)(t + s − 1).

d) Consider a public key cryptosystem where the users A and B have chosen E_A and E_B as their public encryption functions and D_A and D_B as their private decryption functions. Let m be the message that A wishes to transmit to B, and suppose that A and B execute the protocol described in Figure 1. Confidentiality is ensured by the encryption of m under E_B, while authentication and integrity follow from the test s = h(m′): only A can produce D_A(h(m)), and any change to the message would change h(m′). Note that this is only one-way authentication.

Exercise 4

a) We have n = 4087, so ⌊√n⌋ = 63. We see that 64^2 − 4087 = 4096 − 4087 = 9 = 3^2, and it follows that 4087 = 64^2 − 3^2 = (64 − 3)(64 + 3) = 61 · 67. We have factored 4087.

Algorithm 1: Algorithm that finds a ≡ b^n (mod m), where n = n_0 + 2 n_1 + 2^2 n_2 + . . . + 2^{k−1} n_{k−1} is the binary expansion of n.
  1: b_0 ← b, a ← 1
  2: for i = 0 to k − 1 do
  3:   if n_i = 1 then
  4:     a ← a · b_i (mod m)
  5:   end if
  6:   b_{i+1} ← b_i^2 (mod m)
  7: end for
  8: Return a

Figure 1: A protocol between two users A and B which, through a public key cryptosystem and a hash function h, provides confidentiality, authentication and integrity in a message transfer. E_A and E_B are public; D_A is known only to A and D_B only to B.
  A (holds D_A)                                    B (holds D_B)
  message m
  computes h(m)
  c = E_B(m, D_A(h(m)))         ---- c ---->       receives c′
                                                   D_B(c′) = (m′, D_A(s))
                                                   E_A(D_A(s)) = s
                                                   check: s = h(m′) ?

b) In this case we apply Pollard's rho algorithm to factor 4087 by means of the function f(x) = x^2 + x + 1 and x_0 = 2, comparing x_k with x_j where j = 2^h − 1 and h = ⌊log_2 k⌋. We find the following table:

  k   h   j   x_k    x_j    gcd(x_k − x_j, 4087)
  0           2
  1   0   0   7      2      gcd(7 − 2, 4087) = 1
  2   1   1   57     7      gcd(57 − 7, 4087) = 1
  3   1   1   3307   7      gcd(3307 − 7, 4087) = 1
  4   2   3   2745   3307   gcd(2745 − 3307, 4087) = 1
  5   2   3   1343   3307   gcd(1343 − 3307, 4087) = 1
  6   2   3   2626   3307   gcd(2626 − 3307, 4087) = 1
  7   2   3   3734   3307   gcd(3734 − 3307, 4087) = 61

We conclude that 61 divides 4087. By division we find that the other factor is 67.
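The following program is an added example, not code from the original solution sheet. It gathers the computational pieces of 2.3, 2.4, Exercise 3 and Exercise 4 in one place: Algorithm 1 as a function, the Jacobi symbol and one Solovay–Strassen round (the comparison of Table 2 with Table 3 in 3 a)), Fermat's method from 3 c) and 4 a), Pollard's rho with the comparison rule used in the table of 4 b), and the recovery of d_A from the factors of n_A. The public exponent e = 7 paired with n = 4087 in the self-test is a constructed value, as is the Python 3.8+ use of pow(e, -1, φ) for the modular inverse.

```python
"""Square-and-multiply, Solovay-Strassen and factoring (Exercises 2.3 to 4).

Added example, not part of the original solution sheet.  The exponent e = 7
paired with n = 4087 below is a constructed value for the self-test.
"""
import math


def modexp(b: int, n: int, m: int) -> int:
    """Algorithm 1: a = b^n (mod m), scanning the binary digits n_0, n_1, ..."""
    a, bi = 1, b % m                 # line 1: b_0 <- b, a <- 1
    while n > 0:                     # lines 2-7: one pass per binary digit
        if n & 1:                    # line 3: n_i = 1
            a = (a * bi) % m         # line 4: a <- a * b_i (mod m)
        bi = (bi * bi) % m           # line 6: b_{i+1} <- b_i^2 (mod m)
        n >>= 1
    return a


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips if both = 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1


def solovay_strassen_witness(a: int, p: int) -> bool:
    """One round of Solovay-Strassen: True if base a proves p composite.

    Compares (a/p) (Table 2) with a^((p-1)/2) (mod p) (Table 3).  A symbol
    of 0 means gcd(a, p) > 1, which proves p composite on its own.
    """
    j = jacobi(a, p)
    if j == 0:
        return True
    return modexp(a, (p - 1) // 2, p) != j % p


def is_probable_prime(p: int, bases) -> bool:
    """Odd p > 2 passes the test for every base in `bases`."""
    return not any(solovay_strassen_witness(a, p) for a in bases)


def fermat_factor(n: int):
    """Fermat's method (3 c, 4 a): t = floor(sqrt n)+1, +2, ... until t^2 - n
    is a perfect square s^2; then n = (t - s)(t + s)."""
    t = math.isqrt(n) + 1
    while True:
        s = math.isqrt(t * t - n)
        if s * s == t * t - n:
            return t - s, t + s
        t += 1


def pollard_rho(n: int, x0: int = 2, max_steps: int = 10**6):
    """Pollard's rho with f(x) = x^2 + x + 1 and the comparison rule of the
    table in 4 b): x_k is compared with x_j, j = 2^h - 1, h = floor(log2 k),
    so x_j is refreshed whenever k is a power of two.  Returns a factor or None.
    """
    f = lambda x: (x * x + x + 1) % n
    xk, xj = x0, x0
    for k in range(1, max_steps + 1):
        if (k & (k - 1)) == 0:       # k = 2^h: new j = k - 1, and xk holds x_{k-1}
            xj = xk
        xk = f(xk)
        d = math.gcd(xk - xj, n)
        if d == n:
            return None              # cycle closed without a split: try another x0
        if d > 1:
            return d
    return None


def break_rsa_fermat(n_A: int, e_A: int) -> int:
    """3 c): factor n_A by Fermat's method, then d_A = e_A^-1 mod phi(n_A)."""
    p, q = fermat_factor(n_A)
    phi = (p - 1) * (q - 1)          # = (t - s - 1)(t + s - 1)
    return pow(e_A, -1, phi)         # modular inverse, Python 3.8+


if __name__ == "__main__":
    print(modexp(8, 103, 13), modexp(2, 11213, 11))     # 5 8
    print(fermat_factor(4087), pollard_rho(4087))       # (61, 67) 61
```

Two design points worth noting: solovay_strassen_witness compares against j % p rather than j, because a Jacobi symbol of −1 appears as p − 1 on the modexp side (this is why the raw values in Table 3 had to be read modulo p_i before comparison); and fermat_factor is only fast when the two factors are close, which is exactly the weakness 3 c) describes, so a practitioner would run it as a sanity check on RSA moduli rather than as a general factoring tool.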