IMT3701 Cryptology – Solutions RSA 3

Exercise 1

a) Let $\alpha$ be a root of $f(x)$. Then it follows that $\alpha$ generates $GF(2^3)$ and that the elements in the field can be written as polynomials of the form $a_2\alpha^2 + a_1\alpha + a_0$, where $a_i \in \mathbb{Z}_2$ for $i \in \{0, 1, 2\}$. As $\alpha$ is a root of $f(x)$, the relation $\alpha^3 = \alpha^2 + 1$ follows. Using this relation we find the following table with the elements of $(\mathbb{Z}_2[x]/(g(x)))^*$ (row $i$ is $\alpha^i$):

| $i$ | $a_2$ | $a_1$ | $a_0$ |
|---|---|---|---|
| 0 | 0 | 0 | 1 |
| 1 | 0 | 1 | 0 |
| 2 | 1 | 0 | 0 |
| 3 | 1 | 0 | 1 |
| 4 | 1 | 1 | 1 |
| 5 | 0 | 1 | 1 |
| 6 | 1 | 1 | 0 |

In addition the field also contains the element (0 0 0).

b) A natural representation is to represent a letter by its position in the alphabet, in this case a number in $\mathbb{Z}_8^*$, and then write the number in base 2. This defines an isomorphism between $\mathbb{Z}_8^*$ and $GF(2^3)$. For the letters A to G this process is summarized in the following table:

| Character | $\mathbb{Z}_8$ | $\mathbb{Z}_2^3$ | $GF(2^3)$ |
|---|---|---|---|
| A | 1 | $(0\ 0\ 1)_2$ | (0 0 1) |
| B | 2 | $(0\ 1\ 0)_2$ | (0 1 0) |
| C | 3 | $(0\ 1\ 1)_2$ | (0 1 1) |
| D | 4 | $(1\ 0\ 0)_2$ | (1 0 0) |
| E | 5 | $(1\ 0\ 1)_2$ | (1 0 1) |
| F | 6 | $(1\ 1\ 0)_2$ | (1 1 0) |
| G | 7 | $(1\ 1\ 1)_2$ | (1 1 1) |

We choose not to include the all-zero element, as this element is not well suited for exponentiation.

We now want to encrypt the message “ACDC” using ElGamal's cryptosystem as presented in Figure 1 of the exercise set. From the table we see that the clear text consists of the following elements:

(0 0 1), (0 1 1), (1 0 0), (0 1 1)

To ease the computations we represent the elements as powers of $\alpha$. Note that this is not feasible in real applications, where the algorithm for modular exponentiation must be employed. We see that the clear text elements can be represented by $\alpha^0, \alpha^5, \alpha^2, \alpha^5$. Further we have $a = k = 2$. B is supposed to send $g^k, mg^{ak}$ to A. We have the following computations:

| Expression | Computation | Representative | Cipher text |
|---|---|---|---|
| $g^k$ | $\alpha^2$ | (1 0 0) | D |
| $m_1 g^{ak}$ | $\alpha^0\alpha^4 = \alpha^4$ | (1 1 1) | G |
| $m_2 g^{ak}$ | $\alpha^5\alpha^4 = \alpha^2$ | (1 0 0) | D |
| $m_3 g^{ak}$ | $\alpha^2\alpha^4 = \alpha^6$ | (1 1 0) | F |
| $m_4 g^{ak}$ | $\alpha^5\alpha^4 = \alpha^2$ | (1 0 0) | D |

Thus A receives the cryptogram “DGDDDFDD”.
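The encryption in b) carried out with real field arithmetic (polynomial multiplication reduced modulo $f(x)$ and square-and-multiply) instead of the power-of-$\alpha$ shortcut. This is an added example, not part of the original solutions; it assumes $f(x) = x^3 + x^2 + 1$ (read off from $\alpha^3 = \alpha^2 + 1$) and $g = \alpha$, and the function names are chosen here. It takes one $k$ per letter, so a fixed $k$ as in b) or varying values can both be tried.

```python
# Added example: ElGamal over GF(2^3) with real field arithmetic.
# Assumed: f(x) = x^3 + x^2 + 1 (from alpha^3 = alpha^2 + 1) and g = alpha.
F_POLY = 0b1101                      # x^3 + x^2 + 1
G = 0b010                            # alpha, i.e. (0 1 0)

def gf_mul(a, b):
    """Multiply two field elements given as 3-bit integers (a2 a1 a0)."""
    result = 0
    while b:
        if b & 1:
            result ^= a              # addition of polynomials over Z_2 is XOR
        b >>= 1
        a <<= 1
        if a & 0b1000:               # degree 3 reached: reduce modulo f(x)
            a ^= F_POLY
    return result

def gf_pow(base, exp):
    """Square-and-multiply exponentiation in GF(2^3)."""
    result = 1
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def to_elem(ch):
    return ord(ch) - ord("A") + 1    # A..G -> 1..7, read in base 2

def to_char(elem):
    return chr(elem + ord("A") - 1)

def encrypt(message, a, ks):
    """Return (g^k, m * g^(a*k)) per letter, taking one k from ks per letter."""
    pub = gf_pow(G, a)               # A's public key g^a
    out = []
    for ch, k in zip(message, ks):
        out.append(to_char(gf_pow(G, k)))
        out.append(to_char(gf_mul(to_elem(ch), gf_pow(pub, k))))
    return "".join(out)

def decrypt(cipher, a):
    """Recover m = c2 * (c1^a)^(-1); x^(-1) = x^6 because x^7 = 1."""
    plain = []
    for c1, c2 in zip(cipher[0::2], cipher[1::2]):
        mask_inv = gf_pow(gf_pow(to_elem(c1), a), 6)
        plain.append(to_char(gf_mul(to_elem(c2), mask_inv)))
    return "".join(plain)
```

With `ks = [2, 2, 2, 2]` the two occurrences of C produce the same ciphertext pair; with distinct values in `ks` they do not, while decryption with `a = 2` still recovers “ACDC”.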
c) The problem with applying the protocol in this way is that a clear text element is always mapped to the same cipher text element. This facilitates statistical analysis of the cipher text, and the encryption is not stronger than the classical affine cipher. To solve this problem, a new random $k$ must be chosen for the encryption of every clear text element.

Exercise 2

As 23 is a prime, we know that $\mathbb{Z}_{23}^*$ under multiplication is a cyclic group of order $n = 22$. It is given that $\alpha = 5$ generates $\mathbb{Z}_{23}^*$. Using the notation from the lecture we now have that

$$m = \lceil \sqrt{22}\, \rceil = \lceil 4.6 \rceil = 5$$

The construction of Table 1 is the first step of the algorithm. The table is so small that there is no need to sort the entries.

| $j$ | $5^j \bmod 23$ |
|---|---|
| 0 | 1 |
| 1 | 5 |
| 2 | 2 |
| 3 | 10 |
| 4 | 4 |

Table 1: The five first powers of $\alpha$

We then have to find the inverse of 5 in $\mathbb{Z}_{23}$ using the Extended Euclidean Algorithm.

$$
\begin{aligned}
23 &= 4 \cdot 5 + 3\\
5 &= 3 + 2\\
3 &= 2 + 1
\end{aligned}
\qquad
\begin{aligned}
1 &= 3 - 2 = 3 - (5 - 3)\\
  &= 2 \cdot 3 - 5 = 2(23 - 4 \cdot 5) - 5\\
  &= 2 \cdot 23 - 9 \cdot 5.
\end{aligned}
$$

Thus $5^{-1} \bmod 23 \equiv -9 \equiv 14$ and $\alpha^{-m} = 5^{-5} \equiv 14^5 \equiv 15 \bmod 23$.

We are now ready to find discrete logarithms. First we want to find $\log_5 10$ in $\mathbb{Z}_{23}$. From Table 1 we see that $5^3 \equiv 10 \bmod 23$, thus $\log_5 10 \equiv 3$ in $\mathbb{Z}_{23}$.

| $i$ | $3 \cdot 15^i \bmod 23$ |
|---|---|
| 0 | 3 |
| 1 | 22 |
| 2 | 8 |
| 3 | 5 |

Table 2: The three first iterations of step 5 in the baby-step giant-step algorithm

The second case is not that obvious, and several iterations have to be carried out in step 5 of the algorithm. The iterations are summarized in Table 2. In step three we find that 5 is an entry in Table 1. This gives $\log_5 3 \equiv 3 \cdot 5 + 1 \equiv 16 \bmod 23$.

Exercise 3

We want to solve the following system of congruence equations:

$$
\begin{aligned}
13x &\equiv 4 \pmod{99}\\
15x &\equiv 56 \pmod{101}
\end{aligned}
$$

We have that $\gcd(99, 101) = 1$, thus if we first solve both equations with respect to $x$ we can use the Chinese remainder theorem to solve the system.
We first solve the equation $13x \equiv 4 \pmod{99}$, using EA and EEA:

$$
\begin{aligned}
99 &= 7 \cdot 13 + 8\\
13 &= 8 + 5\\
8 &= 5 + 3\\
5 &= 3 + 2\\
3 &= 2 + 1
\end{aligned}
\qquad
\begin{aligned}
1 &= 3 - 2 = 3 - (5 - 3)\\
  &= 2 \cdot 3 - 5 = 2(8 - 5) - 5\\
  &= 2 \cdot 8 - 3 \cdot 5 = 2 \cdot 8 - 3(13 - 8)\\
  &= 5 \cdot 8 - 3 \cdot 13 = 5(99 - 7 \cdot 13) - 3 \cdot 13\\
  &= 5 \cdot 99 - 38 \cdot 13.
\end{aligned}
$$

Thus $13^{-1} \pmod{99} \equiv -38 \pmod{99} \equiv 61$. The first equation can now be written as $x \equiv 4 \times 61 \pmod{99} \equiv 46 \pmod{99}$.

We solve the second equation in the same way:

$$
\begin{aligned}
101 &= 6 \cdot 15 + 11\\
15 &= 11 + 4\\
11 &= 2 \cdot 4 + 3\\
4 &= 3 + 1
\end{aligned}
\qquad
\begin{aligned}
1 &= 4 - 3 = 4 - (11 - 2 \cdot 4)\\
  &= 3 \cdot 4 - 11 = 3(15 - 11) - 11\\
  &= 3 \cdot 15 - 4 \cdot 11 = 3 \cdot 15 - 4(101 - 6 \cdot 16)\\
  &= 27 \cdot 15 - 4 \cdot 101
\end{aligned}
$$

Thus $15^{-1} \pmod{101} \equiv 27$, which yields that the second equation is equivalent to $x \equiv 56 \cdot 27 \pmod{101} \equiv 98 \pmod{101} \equiv -3$.

We conclude that the original set of equations is equivalent to

$$
\begin{aligned}
x &\equiv 46 \pmod{99}\\
x &\equiv -3 \pmod{101}
\end{aligned}
$$

Applying the Chinese remainder theorem we have $M = 99 \cdot 101 = 9999$, and find the following table:

| $i$ | $m_i$ | $M_i$ | $y_i$ |
|---|---|---|---|
| 1 | 99 | 101 | 50 |
| 2 | 101 | 99 | 50 |

The computations are the following:

• We find $y_1 = 101^{-1} \pmod{99} \equiv 2^{-1} \pmod{99}$ using EEA:

$$99 = 49 \cdot 2 + 1 \qquad 1 = 99 - 49 \cdot 2.$$

Thus $101^{-1} \pmod{99} \equiv -49 \pmod{99} \equiv 50$.

• We also find $y_2 = 99^{-1} \pmod{101}$ using EEA:

$$
\begin{aligned}
101 &= 99 + 2\\
99 &= 49 \cdot 2 + 1
\end{aligned}
\qquad
\begin{aligned}
1 &= 99 - 49 \cdot 2 = 99 - 49(101 - 99)\\
  &= 50 \cdot 99 - 49 \cdot 101
\end{aligned}
$$

Thus $99^{-1} \pmod{101} \equiv 50$.

Substituting into the Chinese remainder theorem we now find that

$$
\begin{aligned}
x &\equiv 46 \cdot 101 \cdot 50 - 3 \cdot 99 \cdot 50 \pmod{9999}\\
x &\equiv 7471 \pmod{9999}.
\end{aligned}
$$

Exercise 4

Using the same notation as in the lecture we here have that $n = 37 - 1 = 36 = 2^2 \cdot 3^2$. Thus we will find two congruence equations which will help us to determine the discrete logarithm, $a$, of $\beta = 28$.

• Case $q = 2$ and $c = 2$: We let $\beta_0 = \beta = 28$. We are then given the relationship

$$
\begin{aligned}
28^{36/2} &= 2^{36a_0/2}\\
28^{18} &= 2^{18a_0}.
\end{aligned}
\tag{1}
$$

Given that $18 = (10010)_2$ and the values from Table 3 we find that

$$28^{18} \equiv 7 \cdot 16 \equiv 1 \pmod{37} \quad\text{and}\quad 2^{18} \equiv 4 \cdot 9 \equiv -1 \pmod{37}.$$

Thus Equation 1 is equivalent to

$$1 = (-1)^{a_0}.$$

The first value of $a_0$ satisfying this is $a_0 = 0$.
We find $\beta_1 = 28 \cdot 2^{-0 \cdot 2^0} = 28$, from which we deduce the relation

$$
\begin{aligned}
28^{36/2^2} &= 2^{36a_1/2}\\
28^{9} &= 2^{18a_1}.
\end{aligned}
\tag{2}
$$

We know that $9 = (1001)_2$, so using Table 3 we find

$$28^9 \equiv 28 \cdot 33 \equiv -1 \pmod{37}.$$

Thus Equation 2 is equivalent to

$$-1 = (-1)^{a_1},$$

and we find $a_1 = 1$. We have now found the first congruence equation:

$$
\begin{aligned}
a &= 0 \cdot 2^0 + 1 \cdot 2^1 \bmod 4\\
  &= 2 \bmod 4.
\end{aligned}
\tag{3}
$$

| $i$ | $2^{2^i} \bmod 37$ | $28^{2^i} \bmod 37$ |
|---|---|---|
| 0 | 2 | 28 |
| 1 | 4 | 7 |
| 2 | 16 | 12 |
| 3 | 34 | 33 |
| 4 | 9 | 16 |

Table 3: Repeated squaring of 2 and 28 modulo 37

• Case $q = 3$ and $c = 2$: Again let $\beta_0 = \beta = 28$. We are then given the relationship

$$
\begin{aligned}
28^{36/3} &= 2^{36a_0/3}\\
28^{12} &= 2^{12a_0}
\end{aligned}
\tag{4}
$$

Given that $12 = (1100)_2$ and the values from Table 3 we find that

$$28^{12} \equiv 12 \cdot 33 \equiv 26 \pmod{37} \quad\text{and}\quad 2^{12} \equiv 16 \cdot 34 \equiv 26 \pmod{37}.$$

Thus Equation 4 is equivalent to

$$26 = 26^{a_0}.$$

$a_0 = 1$ satisfies this. From this we find $\beta_1 = 28 \cdot 2^{-1 \cdot 3^0} = 28 \cdot 2^{-1}$. We then apply EEA to find $2^{-1} \bmod 37$:

$$37 = 18 \cdot 2 + 1 \qquad 1 = 37 - 18 \cdot 2$$

Thus $2^{-1} \equiv -18 \equiv 19 \bmod 37$, and we find $\beta_1 \equiv 28 \cdot 19 \equiv 14 \bmod 37$. From this we deduce the relation

$$
\begin{aligned}
14^{36/3^2} &= 2^{12a_1}\\
14^{4} &= 26^{a_1}\\
10 &= 26^{a_2}.
\end{aligned}
$$

We find that $26^2 \equiv 10 \bmod 37$ and conclude that $a_1 = 2$. We have now found the second congruence equation:

$$
\begin{aligned}
a &= 2 \cdot 3^0 + 2 \cdot 3^1 \bmod 9\\
  &= 7 \bmod 9.
\end{aligned}
\tag{5}
$$

Combining Equation 3 and Equation 5 we get the following set of congruence equations:

$$
\begin{aligned}
a &\equiv 2 \pmod{4}\\
a &\equiv 7 \pmod{9}
\end{aligned}
$$

We find the following values:

| $i$ | $m_i$ | $M_i$ | $y_i$ |
|---|---|---|---|
| 1 | 4 | 9 | 1 |
| 2 | 9 | 4 | 7 |

Thus it follows from the Chinese remainder theorem that

$$a \equiv 2 \cdot 9 \cdot 1 + 7 \cdot 4 \cdot 7 \equiv 34 \pmod{36}.$$

We conclude that $\log_2 28 = 34$ in $\mathbb{Z}_{37}$.

Exercise 5

First we observe that since 5 generates $\mathbb{Z}_{10007}$ we have $\log_5 5 = 1$. The lucky exponents give rise to the following factorizations:

$$
\begin{aligned}
5^{4063} \bmod 10007 &\equiv 42 = 2 \cdot 3 \cdot 7 \pmod{10007}\\
5^{5136} \bmod 10007 &\equiv 54 = 2 \cdot 3^3 \pmod{10007}\\
5^{9865} \bmod 10007 &\equiv 189 = 3^3 \cdot 7 \pmod{10007}
\end{aligned}
$$

Thus we have 3 equations with 3 unknowns.
Taking $\log_5$ on both sides we find

$$
\begin{aligned}
L_1 &: \log_5 2 + \log_5 3 + \log_5 7 = 4063 \pmod{10006}\\
L_2 &: \log_5 2 + 3\log_5 3 = 5136 \pmod{10006}\\
L_3 &: 3\log_5 3 + \log_5 7 = 9865 \pmod{10006}
\end{aligned}
$$

To ease the writing we carry out the following substitutions: $X = \log_5 2$, $Y = \log_5 3$ and $Z = \log_5 7$. We then have the set

$$
\begin{aligned}
L_1 &: X + Y + Z = 4063 \pmod{10006}\\
L_2 &: X + 3Y = 5136 \pmod{10006}\\
L_3 &: 3Y + Z = 9865 \pmod{10006}
\end{aligned}
$$

We want to eliminate $X$ from $L_2$:

$$
(\star)\quad
\begin{aligned}
L_1 &: X + Y + Z = 4063 \pmod{10006}\\
L_1 - L_2 &: -2Y + Z = 8933 \pmod{10006}\\
L_3 &: 3Y + Z = 9865 \pmod{10006}
\end{aligned}
$$

Then, finally, we eliminate $Y$ from $L_3$:

$$
\begin{aligned}
L_1 &: X + Y + Z = 4063 \pmod{10006}\\
L_2 &: -2Y + Z = 8933 \pmod{10006}\\
3L_2 + 2L_3 &: 5Z = 6505 \pmod{10006}
\end{aligned}
$$

Thus we have to find $5^{-1} \pmod{10006}$. Applying EEA:

$$10006 = 2001 \cdot 5 + 1 \qquad 1 = 10006 - 2001 \cdot 5,$$

and it follows that $5^{-1} \pmod{10006} \equiv -2001 \equiv 8005$. From this we find $Z \equiv 6505 \times 8005 \equiv 1301$. Now it would be natural to substitute into $L_2$. The problem is that 2 is not invertible in $\mathbb{Z}_{10006}$. But if we in the equation set $(\star)$ consider $L_2 + L_3$ we find

$$Y + 2Z = 8933 + 9865 \iff Y = 8933 + 8965 - 2 \cdot 1301 \equiv 6190 \bmod 10006.$$

| $i$ | $5^{2^i} \bmod 10007$ |
|---|---|
| 0 | 5 |
| 1 | 25 |
| 2 | 625 |
| 3 | 352 |
| 4 | 3820 |
| 5 | 2124 |
| 6 | 269 |
| 7 | 2312 |
| 8 | 1606 |
| 9 | 7437 |
| 10 | 280 |
| 11 | 8351 |
| 12 | 418 |

Table 4: Powers of 5

Finally it follows from $L_1$ that

$$X = 4063 - 6190 - 1301 \equiv 6578 \bmod 10006$$

Now assume that we want to find $\log_5 9451$ modulo 10007 and that we have chosen the exponent $k = 7736$. We then find

$$9451 \cdot 5^{7736} \bmod 10007 = 8400 = 2^4 \cdot 3^1 \cdot 5^2 \cdot 7^1.$$

The computation of $5^{7736} \bmod 10007$ is a modular exponentiation where $7736 = (1111000111000)_2$, and the repeated squarings needed for 7736 are given in Table 4. Finally we find

$$\log_5 9451 \equiv 4 \cdot 6578 + 1 \cdot 6190 + 2 \cdot 1 + 1 \cdot 1301 - 7736 \equiv 6057 \bmod 10007.$$

Exercise 6

Remember that, given an elliptic curve $E$ over a finite field, the addition of $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ is done in the following way:

1. If $x_2 = x_1$ and $y_2 = -y_1$, then $P + Q = O$.

2. Otherwise $P + Q = (x_3, y_3)$ where

$$
\begin{aligned}
x_3 &= \lambda^2 - x_1 - x_2\\
y_3 &= \lambda(x_1 - x_3) - y_1
\end{aligned}
$$

and

$$
\lambda =
\begin{cases}
(y_2 - y_1)(x_2 - x_1)^{-1}, & \text{if } P \neq Q\\
(3x_1^2 + a)(2y_1)^{-1}, & \text{if } P = Q
\end{cases}
$$

3. To complete the definition we also have $P + O = O + P = P$, for all $P \in E$.

In the given ElGamal example we have that $\alpha = (2, 7)$, that $E$ is an elliptic curve over $\mathbb{Z}_{11}$ defined by $y^2 = x^3 + x + 6$, and that A's private key is 7. Our first task is then to compute $7\alpha$. Knowing that $7 = (111)_2$ we have the relationship $7\alpha = (1 + 2(1 + 2))\alpha$, thus we will have to carry out two point doublings and two additions. The first point doubling and the first addition are carried out using the rules for point doubling and addition. The next operations will be carried out using the table on slide 40 of lecture 3, leaving the computations to the reader.

We start by finding $2\alpha$. In this case

$$\lambda \equiv (3 \cdot 2^2 + 1)(2 \cdot 7)^{-1} \equiv 13 \cdot 14^{-1} \equiv 13 \cdot 3^{-1} \equiv 2 \cdot 4 \equiv 8 \bmod 11$$

We now find $x_{2\alpha}$ and $y_{2\alpha}$ by insertion:

$$
\begin{aligned}
x_{2\alpha} &\equiv 8^2 - 2 \cdot 2 \equiv 64 - 4 \equiv 5 \bmod 11\\
y_{2\alpha} &\equiv 8(2 - 5) - 7 \equiv 8 \cdot (-3) - 7 \equiv -31 \equiv 2 \bmod 11
\end{aligned}
$$

Thus $2\alpha = (5, 2)$. The next task is to find $2\alpha + \alpha$, which is to add $(5, 2)$ and $(2, 7)$. Again we start by finding $\lambda$:

$$\lambda \equiv (7 - 2)(2 - 5)^{-1} \equiv 5 \cdot (-3)^{-1} \equiv 5 \cdot 7 \equiv 2 \bmod 11.$$

Now we have

$$x_{2\alpha+\alpha} \equiv 2^2 - 5 - 2 \equiv -3 \equiv -8,$$

and

$$y_{2\alpha+\alpha} \equiv 2(5 + 3) - 2 \equiv 16 - 2 \equiv 3$$

We now have to find a point doubling, that is $2(\alpha + 2\alpha) = 6\alpha$. From the table we see that this is the point $(7, 9)$. Finally we find $7\alpha = \alpha + 2(\alpha + 2\alpha) = (2, 7)$.

The encryption transformation is given by

$$e(x, k) = (k(2, 7),\ x + k(7, 2)).$$

In the example $x = (10, 9)$ and $k = 3$. This gives the following intermediate computations:

$$
\begin{aligned}
\gamma &= 3(2, 7) = 3\alpha = (8, 3)\\
\delta &= (10, 9) + 3(7, 2) = 9\alpha + 3 \cdot 7\alpha = 9\alpha + 21\alpha = 30\alpha = 4\alpha = (10, 2),
\end{aligned}
$$

where the last equality follows from $30 \equiv 4 \bmod 13$, as there are 13 points on the elliptic curve.

Decryption then goes as follows:

$$x = \delta - a\gamma = 4\alpha - 7 \cdot 3\alpha = (4 - 21)\alpha = -17\alpha = 9\alpha = (10, 9),$$

and we have retrieved the plain text.
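The three addition rules and the ElGamal encryption and decryption of Exercise 6, as an added Python example that is not part of the original solutions. Function and constant names are chosen here; the curve, $\alpha$, the private key 7, $x = (10, 9)$ and $k = 3$ are the values from the exercise. It computes the multiples of $\alpha$ directly instead of reading them from the lecture table.

```python
# Added example: ElGamal on E: y^2 = x^3 + x + 6 over Z_11 (Exercise 6).
P_MOD, A = 11, 1
O = None                                   # point at infinity

def add(P, Q):
    """Add two points using the three rules listed in the exercise."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                           # Q = -P (covers doubling with y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(P):
    return O if P is O else (P[0], -P[1] % P_MOD)

def mul(k, P):
    """Double-and-add scalar multiplication kP for k >= 0."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def order(P):
    """Smallest n > 0 with nP = O, found by repeated addition."""
    n, R = 1, P
    while R is not O:
        R, n = add(R, P), n + 1
    return n

def encrypt(x, k, alpha, beta):
    return mul(k, alpha), add(x, mul(k, beta))     # (gamma, delta)

def decrypt(gamma, delta, a):
    return add(delta, neg(mul(a, gamma)))          # x = delta - a*gamma

ALPHA = (2, 7)
BETA = mul(7, ALPHA)       # public key for a = 7: the point (7, 2) used in e(x, k)
```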
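The baby-step giant-step search of Exercise 2, the Chinese remainder step of Exercises 3 and 4, and the Pohlig–Hellman reduction of Exercise 4, combined in one added Python example (not part of the original solutions; function names are chosen here). It goes slightly beyond the text by using baby-step giant-step to find each digit $a_j$ inside the subgroup of order $q$, where the solutions find the digit by inspection.

```python
# Added example: discrete logarithms as in Exercises 2 and 4, CRT as in Exercise 3.
from math import isqrt

def bsgs(alpha, beta, n, p):
    """Return x in [0, n) with alpha^x = beta (mod p); alpha has order n."""
    m = isqrt(n - 1) + 1                             # m = ceil(sqrt(n))
    baby = {pow(alpha, j, p): j for j in range(m)}   # Table 1: alpha^j -> j
    step = pow(alpha, -m, p)                         # alpha^(-m)
    gamma = beta % p
    for i in range(m):                               # Table 2: beta * alpha^(-m*i)
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    raise ValueError("beta is not a power of alpha")

def crt(residues):
    """Combine [(a_i, m_i)] with pairwise coprime m_i into x mod prod(m_i)."""
    M = 1
    for _, m in residues:
        M *= m
    # x = sum a_i * M_i * y_i with M_i = M / m_i and y_i = M_i^(-1) mod m_i
    return sum(a * (M // m) * pow(M // m, -1, m) for a, m in residues) % M

def pohlig_hellman(alpha, beta, p, factors):
    """log_alpha(beta) in Z_p^*, given factors = {q: c} with p - 1 = prod q^c."""
    n = p - 1
    residues = []
    for q, c in factors.items():
        alpha_q = pow(alpha, n // q, p)              # element of order q
        a_q, beta_j = 0, beta
        for j in range(c):
            # beta_j^(n / q^(j+1)) = alpha_q^(a_j) fixes the base-q digit a_j
            target = pow(beta_j, n // q ** (j + 1), p)
            digit = bsgs(alpha_q, target, q, p)
            a_q += digit * q ** j
            beta_j = beta_j * pow(alpha, -digit * q ** j, p) % p
        residues.append((a_q, q ** c))               # a mod q^c
    return crt(residues)
```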