IMT3701 Cryptology
– Solutions RSA 3 –
Exercise 1
a) Let $\alpha$ be a root of $f(x)$. Then it follows that $\alpha$ generates $GF(2^3)$ and that the elements in the field can be written as polynomials of the form
$$a_2\alpha^2 + a_1\alpha + a_0,$$
where $a_i \in \mathbb{Z}_2$ for $i \in \{0, 1, 2\}$. As $\alpha$ is a root of $f(x)$, the relation $\alpha^3 = \alpha^2 + 1$ follows. Using this relation we find the following table with the elements of $(\mathbb{Z}_2[x]/(g(x)))^*$, where row $i$ holds the coefficients of $\alpha^i$:

i   a_2  a_1  a_0
0   0    0    1
1   0    1    0
2   1    0    0
3   1    0    1
4   1    1    1
5   0    1    1
6   1    1    0

In addition the field also contains the element (0 0 0).
b) A natural representation is to represent a letter by its position in the alphabet, in this case a number in $\mathbb{Z}_8^*$, and then write the number in base 2. This defines an isomorphism between $\mathbb{Z}_8^*$ and $GF(2^3)$. For the letters A to G this process is summarized in the following table:

Character  Z_8  Z_2^3      GF(2^3)
A          1    (0 0 1)_2  (0 0 1)
B          2    (0 1 0)_2  (0 1 0)
C          3    (0 1 1)_2  (0 1 1)
D          4    (1 0 0)_2  (1 0 0)
E          5    (1 0 1)_2  (1 0 1)
F          6    (1 1 0)_2  (1 1 0)
G          7    (1 1 1)_2  (1 1 1)

We choose not to include the all-zero element, as this element is not well suited for exponentiation.
We now want to encrypt the message “ACDC” using ElGamal's cryptosystem as presented in Figure 1 of the exercise set. From the table we see that the clear text consists of the following elements:
(0 0 1), (0 1 1), (1 0 0), (0 1 1)
To ease the computations we represent the elements as powers of $\alpha$. Note that this is not feasible in real applications, where the algorithm for modular exponentiation must be employed. We see that the clear text elements can be represented by
$$\alpha^0,\ \alpha^5,\ \alpha^2,\ \alpha^5.$$
Further we have $a = k = 2$. B is supposed to send $(g^k, m g^{ak})$ to A. We have the following computations:

Expression   Computation                Representative  Cipher text
g^k          α^2                        (1 0 0)         D
m_1 g^{ak}   α^0 α^4 = α^4              (1 1 1)         G
m_2 g^{ak}   α^5 α^4 = α^2              (1 0 0)         D
m_3 g^{ak}   α^2 α^4 = α^6              (1 1 0)         F
m_4 g^{ak}   α^5 α^4 = α^2              (1 0 0)         D

Thus A receives the cryptogram “DGDDDFDD”.
c) The problem with applying the protocol in this way is that a clear text element is always mapped to the same cipher text element. This facilitates statistical analysis of the cipher text, and the encryption is not stronger than the classical affine cipher. To solve this problem a new random $k$ must be chosen for the encryption of every clear text element.
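The encryption of “ACDC” in b) and the weakness described in c), as an added Python example that is not part of the original solution sheet. Field elements are stored as 3-bit integers; the function names and the per-letter values k = 2, 5, 3, 4 are assumptions chosen for the illustration.

```python
# Added example (not from the solution sheet): ElGamal in GF(2^3).
# Elements are 3-bit integers (a2 a1 a0); letters A..G map to 1..7.
MOD = 0b1101          # x^3 + x^2 + 1, i.e. the relation alpha^3 = alpha^2 + 1
G = 0b010             # the generator g = alpha

def gf_mul(a, b):
    """Multiply two field elements (carry-less multiply, reduce by MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:        # degree 3 reached: apply alpha^3 = alpha^2 + 1
            a ^= MOD
    return r

def gf_pow(a, e):
    """a**e by repeated multiplication (the group has only 7 elements)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def to_elems(text):
    return [ord(c) - ord("A") + 1 for c in text]

def to_text(elems):
    return "".join(chr(e + ord("A") - 1) for e in elems)

def encrypt(text, a, ks):
    """Encrypt each letter m as the pair (g^k, m * g^(a*k)), one k per letter."""
    beta = gf_pow(G, a)                       # A's public key g^a
    out = []
    for m, k in zip(to_elems(text), ks):
        out += [gf_pow(G, k), gf_mul(m, gf_pow(beta, k))]
    return to_text(out)

def decrypt(cipher, a):
    """Recover m = c * (g^k)^(-a); the inverse of s is s^6 because s^7 = 1."""
    e = to_elems(cipher)
    return to_text(gf_mul(c, gf_pow(gf_pow(gk, a), 6))
                   for gk, c in zip(e[0::2], e[1::2]))

fixed = encrypt("ACDC", 2, [2, 2, 2, 2])      # the sheet's setting a = k = 2
fresh = encrypt("ACDC", 2, [2, 5, 3, 4])      # constructed k values, one per letter
```

With the fixed k both occurrences of C encrypt to the same pair, while with a fresh k per letter they do not, and both cryptograms still decrypt to “ACDC”.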
Exercise 2
As 23 is a prime, we know that $\mathbb{Z}_{23}^*$ under multiplication is a cyclic group of order $n = 22$. It is given that $\alpha = 5$ generates $\mathbb{Z}_{23}^*$. Using the notation from the lecture we now have that
$$m = \lceil \sqrt{22} \rceil = \lceil 4.6 \rceil = 5.$$
The construction of Table 1 is the first step of the algorithm. The table is so small that there is no need to sort the entries.

j   5^j mod 23
0   1
1   5
2   2
3   10
4   4

Table 1: The five first powers of α
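We then have to find the inverse of 5 in $\mathbb{Z}_{23}$ using the Extended Euclidean Algorithm.
$$\begin{aligned}
23 &= 4 \cdot 5 + 3 \\
5 &= 3 + 2 \\
3 &= 2 + 1
\end{aligned}$$
$$\begin{aligned}
1 &= 3 - 2 = 3 - (5 - 3) \\
  &= 2 \cdot 3 - 5 = 2(23 - 4 \cdot 5) - 5 \\
  &= 2 \cdot 23 - 9 \cdot 5.
\end{aligned}$$
Thus $5^{-1} \bmod 23 \equiv -9 \equiv 14$ and
$$\alpha^{-m} = 5^{-5} \equiv 14^5 \equiv 15 \pmod{23}.$$
We are now ready to find discrete logarithms. First we want to find $\log_5 10$ in $\mathbb{Z}_{23}$. From Table 1 we see that $5^3 \equiv 10 \bmod 23$, thus $\log_5 10 \equiv 3$ in $\mathbb{Z}_{23}$.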

i   3 · 15^i mod 23
0   3
1   22
2   8
3   5

Table 2: The three first iterations of step 5 in the baby-step giant-step algorithm

The second case is not that obvious, and several iterations have to be carried out in step 5 of the algorithm. The iterations are summarized in Table 2. In step three we find that 5 is an entry in Table 1. This gives
$$\log_5 3 \equiv 3 \cdot 5 + 1 \equiv 16 \pmod{23}.$$
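An added example, not part of the original solutions: the baby-step giant-step procedure used above, written for any prime p rather than only p = 23. The function name `bsgs` and its return format (a, i, j) are choices made here.

```python
# Added example (not from the solution sheet): baby-step giant-step in Z_p^*.
from math import isqrt

def bsgs(alpha, beta, p, n=None):
    """Return (a, i, j) with alpha^a = beta (mod p) and a = i*m + j.

    Follows the sheet: tabulate alpha^j for 0 <= j < m (baby steps), then
    multiply beta by alpha^(-m) repeatedly until the value hits the table.
    n is the order of alpha; returns None if beta is not a power of alpha.
    """
    n = n or p - 1                       # default: alpha generates Z_p^*
    m = isqrt(n - 1) + 1                 # ceil(sqrt(n)), 5 for n = 22
    table = {}
    value = 1
    for j in range(m):                   # baby steps: alpha^j -> j (Table 1)
        table.setdefault(value, j)
        value = value * alpha % p
    factor = pow(alpha, -m, p)           # alpha^(-m), 15 for alpha = 5, p = 23
    gamma = beta % p
    for i in range(m):                   # giant steps: beta * alpha^(-m*i) (Table 2)
        if gamma in table:
            j = table[gamma]
            return (i * m + j) % n, i, j
        gamma = gamma * factor % p
    return None

easy = bsgs(5, 10, 23)    # found in the baby-step table at once
hard = bsgs(5, 3, 23)     # needs the giant steps 3, 22, 8, 5
```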
Exercise 3
We want to solve the following system of congruence equations:
13x ≡ 4 (mod 99)
15x ≡ 56 (mod 101)
We have that $\gcd(99, 101) = 1$, thus if we first solve both equations with respect to $x$ we can use the Chinese remainder theorem to solve the system.
We first solve the equation $13x \equiv 4 \pmod{99}$, using EA and EEA:
$$\begin{aligned}
99 &= 7 \cdot 13 + 8 \\
13 &= 8 + 5 \\
8 &= 5 + 3 \\
5 &= 3 + 2 \\
3 &= 2 + 1
\end{aligned}$$
$$\begin{aligned}
1 &= 3 - 2 = 3 - (5 - 3) \\
  &= 2 \cdot 3 - 5 = 2(8 - 5) - 5 \\
  &= 2 \cdot 8 - 3 \cdot 5 = 2 \cdot 8 - 3(13 - 8) \\
  &= 5 \cdot 8 - 3 \cdot 13 = 5(99 - 7 \cdot 13) - 3 \cdot 13 \\
  &= 5 \cdot 99 - 38 \cdot 13.
\end{aligned}$$
Thus $13^{-1} \pmod{99} \equiv -38 \pmod{99} \equiv 61$. The first equation can now be written as $x \equiv 4 \times 61 \pmod{99} \equiv 46 \pmod{99}$. We solve the second equation in the same way:
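$$\begin{aligned}
101 &= 6 \cdot 15 + 11 \\
15 &= 11 + 4 \\
11 &= 2 \cdot 4 + 3 \\
4 &= 3 + 1
\end{aligned}$$
$$\begin{aligned}
1 &= 4 - 3 = 4 - (11 - 2 \cdot 4) \\
  &= 3 \cdot 4 - 11 = 3(15 - 11) - 11 \\
  &= 3 \cdot 15 - 4 \cdot 11 = 3 \cdot 15 - 4(101 - 6 \cdot 15) \\
  &= 27 \cdot 15 - 4 \cdot 101.
\end{aligned}$$
Thus $15^{-1} \pmod{101} \equiv 27$, which yields that the second equation is equivalent to $x \equiv 56 \cdot 27 \pmod{101} \equiv 98 \pmod{101} \equiv -3$.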
We conclude that the original set of equations is equivalent to
$$\begin{aligned}
x &\equiv 46 \pmod{99} \\
x &\equiv -3 \pmod{101}
\end{aligned}$$
Applying the Chinese remainder theorem we have $M = 99 \cdot 101 = 9999$, and find the following table:

i     1    2
m_i   99   101
M_i   101  99
y_i   50   50

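The computations are the following:
• We find $y_1 = 101^{-1} \pmod{99} \equiv 2^{-1} \pmod{99}$ using EEA:
$$99 = 49 \cdot 2 + 1, \qquad 1 = 99 - 49 \cdot 2.$$
Thus $101^{-1} \pmod{99} \equiv -49 \pmod{99} \equiv 50$.
• We also find $y_2 = 99^{-1} \pmod{101}$ using EEA:
$$\begin{aligned}
101 &= 99 + 2 \\
99 &= 49 \cdot 2 + 1
\end{aligned}$$
$$\begin{aligned}
1 &= 99 - 49 \cdot 2 = 99 - 49(101 - 99) \\
  &= 50 \cdot 99 - 49 \cdot 101.
\end{aligned}$$
Thus $99^{-1} \pmod{101} \equiv 50$.
Substituting into the Chinese remainder theorem we now find that
$$\begin{aligned}
x &\equiv 46 \cdot 101 \cdot 50 - 3 \cdot 99 \cdot 50 \pmod{9999} \\
x &\equiv 7471.
\end{aligned}$$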
Exercise 4
Using the same notation as in the lecture we here have that $n = 37 - 1 = 36 = 2^2 \cdot 3^2$. Thus we will find two congruence equations which will help us to determine the discrete logarithm, $a$, of $\beta = 28$.
• Case $q = 2$ and $c = 2$: We let $\beta_0 = \beta = 28$. We are then given the relationship
$$\begin{aligned}
28^{36/2} &= 2^{36a_0/2} \\
28^{18} &= 2^{18a_0}.
\end{aligned} \tag{1}$$
Given that $18 = (10010)_2$ and the values from Table 3 we find that
$$28^{18} \equiv 7 \cdot 16 \equiv 1 \pmod{37}$$
and
$$2^{18} \equiv 4 \cdot 9 \equiv -1 \pmod{37}.$$
Thus Equation 1 is equivalent to
$$1 = (-1)^{a_0}.$$
The first value of $a_0$ satisfying this is $a_0 = 0$. We find $\beta_1 = 28 \cdot 2^{-0 \cdot 2^0} = 28$, from which we deduce the relation
$$\begin{aligned}
28^{36/2^2} &= 2^{36a_1/2} \\
28^{9} &= 2^{18a_1}.
\end{aligned} \tag{2}$$
We know that $9 = (1001)_2$, so using Table 3 we find $28^9 \equiv 28 \cdot 33 \equiv -1 \pmod{37}$. Thus Equation 2 is equivalent to
$$-1 = (-1)^{a_1},$$
and we find $a_1 = 1$. We have now found the first congruence equation:
$$\begin{aligned}
a &= 0 \cdot 2^0 + 1 \cdot 2^1 \bmod 4 \\
  &= 2 \bmod 4.
\end{aligned} \tag{3}$$

i   2^(2^i) mod 37   28^(2^i) mod 37
0   2                28
1   4                7
2   16               12
3   34               33
4   9                16

Table 3: Repeated squaring of 2 and 28 modulo 37

• Case $q = 3$ and $c = 2$: Again let $\beta_0 = \beta = 28$. We are then given the relationship
$$\begin{aligned}
28^{36/3} &= 2^{36a_0/3} \\
28^{12} &= 2^{12a_0}.
\end{aligned} \tag{4}$$
Given that $12 = (1100)_2$ and the values from Table 3 we find that
$$28^{12} \equiv 12 \cdot 33 \equiv 26 \pmod{37}$$
and
$$2^{12} \equiv 16 \cdot 34 \equiv 26 \pmod{37}.$$
Thus Equation 4 is equivalent to
$$26 = 26^{a_0}.$$
$a_0 = 1$ satisfies this. From this we find $\beta_1 = 28 \cdot 2^{-1 \cdot 3^0} = 28 \cdot 2^{-1}$. We then apply EEA to find $2^{-1} \bmod 37$:
$$37 = 18 \cdot 2 + 1, \qquad 1 = 37 - 18 \cdot 2.$$
Thus $2^{-1} \equiv -18 \equiv 19 \bmod 37$, and we find $\beta_1 \equiv 28 \cdot 19 \equiv 14 \bmod 37$. From this we deduce the relation
$$\begin{aligned}
14^{36/3^2} &= 2^{12a_1} \\
14^{4} &= 26^{a_1} \\
10 &= 26^{a_1}.
\end{aligned}$$
We find that $26^2 \equiv 10 \bmod 37$ and conclude that $a_1 = 2$. We have now found the second congruence equation:
$$\begin{aligned}
a &= 1 \cdot 3^0 + 2 \cdot 3^1 \bmod 9 \\
  &= 7 \bmod 9.
\end{aligned} \tag{5}$$
Combining Equation 3 and Equation 5 we get the following set of congruence equations:
$$\begin{aligned}
a &\equiv 2 \pmod{4} \\
a &\equiv 7 \pmod{9}
\end{aligned}$$
We find the following values:

i   m_i  M_i  y_i
1   4    9    1
2   9    4    7

Thus it follows from the Chinese remainder theorem that
$$\begin{aligned}
a &\equiv 2 \cdot 9 \cdot 1 + 7 \cdot 4 \cdot 7 \pmod{36} \\
  &\equiv 34 \pmod{36}.
\end{aligned}$$
We conclude that $\log_2 28 = 34$ in $\mathbb{Z}_{37}$.
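An added example (not from the original solutions) covering both the Chinese remainder step of Exercise 3 and the Pohlig-Hellman computation of Exercise 4, written for a general prime p with known factorization of p - 1. The function names are hypothetical, and the digit search tries all q candidates, which assumes the prime factors q are small.

```python
# Added example (not from the solution sheet): Pohlig-Hellman in Z_p^* plus CRT.

def crt(residues):
    """Combine [(a_i, m_i), ...] with pairwise coprime m_i into (x, M)."""
    M = 1
    for _, m in residues:
        M *= m
    x = 0
    for a, m in residues:
        Mi = M // m
        x += a * Mi * pow(Mi, -1, m)     # y_i = M_i^(-1) mod m_i
    return x % M, M

def digits_mod_prime_power(alpha, beta, p, q, c):
    """Base-q digits a_0..a_(c-1) of log_alpha(beta) mod q^c, as on the sheet."""
    n = p - 1
    root = pow(alpha, n // q, p)         # alpha^(n/q), an element of order q
    digits, b = [], beta
    for j in range(c):
        target = pow(b, n // q ** (j + 1), p)
        # q is small, so find the digit by trying root^d for d = 0..q-1
        d = next(d for d in range(q) if pow(root, d, p) == target)
        digits.append(d)
        # beta_(j+1) = beta_j * alpha^(-a_j * q^j)
        b = b * pow(alpha, -d * q ** j, p) % p
    return digits

def pohlig_hellman(alpha, beta, p, factors):
    """factors = {q: c} with p - 1 = prod q^c; returns log_alpha(beta) mod p - 1."""
    residues = []
    for q, c in factors.items():
        ds = digits_mod_prime_power(alpha, beta, p, q, c)
        residues.append((sum(d * q ** j for j, d in enumerate(ds)), q ** c))
    return crt(residues)[0]

# Exercise 3: reduce each congruence to x = b * a^(-1), then combine.
x1 = 4 * pow(13, -1, 99) % 99            # 13x = 4  (mod 99)
x2 = 56 * pow(15, -1, 101) % 101         # 15x = 56 (mod 101)
x, M = crt([(x1, 99), (x2, 101)])

# Exercise 4: log_2 28 in Z_37 with 36 = 2^2 * 3^2.
a = pohlig_hellman(2, 28, 37, {2: 2, 3: 2})
```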
Exercise 5
First we observe that since 5 generates $\mathbb{Z}_{10007}$ we have $\log_5 5 = 1$. The lucky exponents give rise to the following factorizations:
$$\begin{aligned}
5^{4063} \bmod 10007 &\equiv 42 = 2 \cdot 3 \cdot 7 \pmod{10007} \\
5^{5136} \bmod 10007 &\equiv 54 = 2 \cdot 3^3 \pmod{10007} \\
5^{9865} \bmod 10007 &\equiv 189 = 3^3 \cdot 7 \pmod{10007}
\end{aligned}$$
Thus we have 3 equations with 3 unknowns. Taking $\log_5$ on both sides we find
$$\begin{cases}
L_1: & \log_5 2 + \log_5 3 + \log_5 7 = 4063 \pmod{10006} \\
L_2: & \log_5 2 + 3\log_5 3 = 5136 \pmod{10006} \\
L_3: & 3\log_5 3 + \log_5 7 = 9865 \pmod{10006}
\end{cases}$$
To ease the writing we carry out the following substitutions: $X = \log_5 2$, $Y = \log_5 3$ and $Z = \log_5 7$. We then have the set
$$\begin{cases}
L_1: & X + Y + Z = 4063 \pmod{10006} \\
L_2: & X + 3Y = 5136 \pmod{10006} \\
L_3: & 3Y + Z = 9865 \pmod{10006}
\end{cases}$$
We want to eliminate $X$ from $L_2$:
$$(\star)\quad\begin{cases}
L_1: & X + Y + Z = 4063 \pmod{10006} \\
L_1 - L_2: & -2Y + Z = 8933 \pmod{10006} \\
L_3: & 3Y + Z = 9865 \pmod{10006}
\end{cases}$$
Then, finally, we eliminate $Y$ from $L_3$:
$$\begin{cases}
L_1: & X + Y + Z = 4063 \pmod{10006} \\
L_2: & -2Y + Z = 8933 \pmod{10006} \\
3L_2 + 2L_3: & 5Z = 6505 \pmod{10006}
\end{cases}$$
Thus we have to find $5^{-1} \pmod{10006}$. Applying EEA,
$$10006 = 2001 \cdot 5 + 1, \qquad 1 = 10006 - 2001 \cdot 5,$$
and it follows that $5^{-1} \pmod{10006} \equiv -2001 \equiv 8005$. From this we find
$$Z \equiv 6505 \times 8005 \equiv 1301.$$
Now it would be natural to substitute into $L_2$. The problem is that 2 is not invertible in $\mathbb{Z}_{10006}$. But if we consider $L_2 + L_3$ in the equation set $(\star)$ we find
$$\begin{aligned}
Y + 2Z &= 8933 + 9865 \\
\Leftrightarrow\ Y &= 8933 + 9865 - 2 \cdot 1301 \equiv 6190 \pmod{10006}.
\end{aligned}$$

i    5^(2^i) mod 10007      i    5^(2^i) mod 10007
0    5                      7    2312
1    25                     8    1606
2    625                    9    7437
3    352                    10   280
4    3820                   11   8351
5    2194                   12   418
6    269

Table 4: Powers of 5

Finally it follows from $L_1$ that
$$X = 4063 - 6190 - 1301 \equiv 6578 \pmod{10006}.$$
Now assume that we want to find $\log_5 9451$ modulo 10007 and that we have chosen the exponent $k = 7736$. We then find
$$9451 \cdot 5^{7736} \bmod 10007 = 8400 = 2^4 \cdot 3^1 \cdot 5^2 \cdot 7^1.$$
The computation of $5^{7736} \bmod 10007$ is a modular exponentiation where $7736 = (1111000111000)_2$, and the repeated squarings of 5 are as in Table 4.
Finally we find
$$\log_5 9451 \equiv 4 \cdot 6578 + 1 \cdot 6190 + 2 \cdot 1 + 1 \cdot 1301 - 7736 \equiv 6057 \pmod{10007}.$$
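The index calculus steps of this exercise as an added Python example, not part of the original solutions. It builds the relations from the three lucky exponents, solves the system with Cramer's rule (a substitution made here so that only the determinant has to be invertible modulo 10006), and then computes the logarithm of 9451 with k = 7736; all function names are hypothetical.

```python
# Added example (not from the solution sheet): index calculus in Z_10007^*.
P, G, N = 10007, 5, 10006        # prime, generator and group order from the sheet
BASE = [2, 3, 5, 7]              # factor base

def smooth_exponents(v):
    """Exponents of v over BASE, or None if v is not BASE-smooth."""
    exps = []
    for q in BASE:
        e = 0
        while v % q == 0:
            v //= q
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def solve_mod(A, b, n):
    """Solve the 3x3 system A x = b (mod n) by Cramer's rule.

    Only det(A) has to be invertible mod n, so the non-invertible 2 that
    the sheet has to work around never needs to be divided by.
    """
    d_inv = pow(det3(A) % n, -1, n)      # ValueError if gcd(det, n) != 1
    cols = []
    for c in range(3):
        Ac = [row[:c] + [b[r]] + row[c + 1:] for r, row in enumerate(A)]
        cols.append(det3(Ac) * d_inv % n)
    return cols

def factor_base_logs(lucky_exponents):
    """Turn three relations G^e = 2^x2 * 3^x3 * 5^x5 * 7^x7 into logs of BASE."""
    A, b = [], []
    for e in lucky_exponents:
        x2, x3, x5, x7 = smooth_exponents(pow(G, e, P))
        A.append([x2, x3, x7])
        b.append(e - x5)                 # log_5 5 = 1 moves to the right side
    l2, l3, l7 = solve_mod(A, b, N)
    return [l2, l3, 1, l7]

def dlog(beta, logs, k):
    """log_G(beta) from beta * G^k if that value is smooth, else None."""
    exps = smooth_exponents(beta * pow(G, k, P) % P)
    if exps is None:
        return None
    return (sum(e * l for e, l in zip(exps, logs)) - k) % N

LOGS = factor_base_logs([4063, 5136, 9865])
```

The result of `dlog` is reduced modulo the group order 10006, and an exponent k for which the product is not smooth simply has to be replaced by another one.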
Exercise 6
Remember that given an elliptic curve $E$ over a finite field, the addition of $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ is done in the following way:
1. If $x_2 = x_1$ and $y_2 = -y_1$, then $P + Q = O$.
2. Otherwise $P + Q = (x_3, y_3)$ where
$$\begin{aligned}
x_3 &= \lambda^2 - x_1 - x_2 \\
y_3 &= \lambda(x_1 - x_3) - y_1
\end{aligned}$$
and
$$\lambda = \begin{cases}
(y_2 - y_1)(x_2 - x_1)^{-1}, & \text{if } P \neq Q \\
(3x_1^2 + a)(2y_1)^{-1}, & \text{if } P = Q
\end{cases}$$
3. To complete the definition we also have
$$P + O = O + P = P$$
for all $P \in E$.
In the given ElGamal example we have that $\alpha = (2, 7)$, that $E$ is an elliptic curve over $\mathbb{Z}_{11}$ defined by $y^2 = x^3 + x + 6$, and that A's private key is 7. Our first task is then to compute $7\alpha$. Knowing that $7 = (111)_2$ we have the relationship $7\alpha = (1 + 2(1 + 2))\alpha$, thus we will have to carry out two point doublings and two additions. The first point doubling and the first addition are carried out using the rules for point doubling and addition. The next operations will be carried out using the table on slide 40 of lecture 3, leaving the computations to the reader.
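We start by finding $2\alpha$. In this case
$$\begin{aligned}
\lambda &\equiv (3 \cdot 2^2 + 1)(2 \cdot 7)^{-1} \equiv 13 \cdot 14^{-1} \\
        &\equiv 13 \cdot 3^{-1} \equiv 2 \cdot 4 \\
        &\equiv 8 \pmod{11}.
\end{aligned}$$
We now find $x_{2\alpha}$ and $y_{2\alpha}$ by insertion:
$$\begin{aligned}
x_{2\alpha} &\equiv 8^2 - 2 \cdot 2 \equiv 64 - 4 \equiv 5 \pmod{11} \\
y_{2\alpha} &\equiv 8(2 - 5) - 7 \equiv 8 \cdot (-3) - 7 \equiv -31 \equiv 2 \pmod{11}
\end{aligned}$$
Thus $2\alpha = (5, 2)$. The next task is to find $2\alpha + \alpha$, which is to add $(5, 2)$ and $(2, 7)$. Again we start by finding $\lambda$:
$$\lambda \equiv (7 - 2)(2 - 5)^{-1} \equiv 5 \cdot (-3)^{-1} \equiv 5 \cdot 7 \equiv 2 \pmod{11}.$$
Now we have
$$\begin{aligned}
x_{2\alpha+\alpha} &\equiv 2^2 - 5 - 2 \equiv -3 \equiv 8, \text{ and} \\
y_{2\alpha+\alpha} &\equiv 2(5 + 3) - 2 \equiv 16 - 2 \equiv 3.
\end{aligned}$$
We now have to carry out a point doubling, that is $2(\alpha + 2\alpha) = 6\alpha$. From the table we see that this is the point $(7, 9)$. Finally we find
$$7\alpha = \alpha + 2(\alpha + 2\alpha) = (7, 2).$$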
The encryption transformation is given by $e(x, k) = (k(2, 7),\ x + k(7, 2))$. In the example $x = (10, 9)$ and $k = 3$. This gives the following intermediate computations:
$$\begin{aligned}
\gamma &= 3(2, 7) = 3\alpha = (8, 3) \\
\delta &= (10, 9) + 3(7, 2) = 9\alpha + 3 \cdot 7\alpha \\
       &= 9\alpha + 21\alpha = 30\alpha = 4\alpha \\
       &= (10, 2),
\end{aligned}$$
where the last equality follows from $30 \equiv 4 \bmod 13$, as there are 13 points on the elliptic curve.
Decryption then goes as follows:
$$\begin{aligned}
x &= \delta - a\gamma \\
  &= 4\alpha - 7 \cdot 3\alpha = (4 - 21)\alpha = -17\alpha = 9\alpha \\
  &= (10, 9),
\end{aligned}$$
and we have retrieved the plain text.
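The point arithmetic and the ElGamal encryption and decryption of this exercise, as an added Python example that is not part of the original solutions. It computes every multiple with double-and-add instead of the lecture's table; the function names are hypothetical.

```python
# Added example (not from the solution sheet): ElGamal on y^2 = x^3 + x + 6 over Z_11.
P, A = 11, 1                     # field prime and curve coefficient a
O = None                         # point at infinity
ALPHA = (2, 7)                   # generator from the exercise

def add(p1, p2):
    """Point addition following rules 1-3 of the exercise."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """k * pt by double-and-add, scanning the bits of k from the top."""
    acc = O
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)

def encrypt(x, k, beta):
    """e(x, k) = (k * alpha, x + k * beta)."""
    return mul(k, ALPHA), add(x, mul(k, beta))

def decrypt(gamma, delta, a):
    """x = delta - a * gamma."""
    return add(delta, neg(mul(a, gamma)))

beta = mul(7, ALPHA)                      # A's public key 7 * alpha
gamma, delta = encrypt((10, 9), 3, beta)  # plaintext point and k from the exercise
plain = decrypt(gamma, delta, 7)
```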