Download Cryptography Midterm Solutions

Cryptography Midterm Solutions
1. Show that 223 ≡ 10 mod 29.
Solution
I thought this one was free marks. Sorry that it caused people so much
trouble. Everything mod 29:
223
=
(25 )4 · 23
≡
324 · 23
≡
34 · 23
≡
27 · 24
≡
(−2) · (−5) ≡ 10
2. Show the following for positive real functions f, g, and h. If g(x) = O(2x ),
h(x) = O(x2 ), and f (x) = g(x) + h(x) for all x, then f (x) = O(2x ).
Solution
As g(x) = O(2x ), there is cg such that limx→∞ g(x)/2x < cg . Similarily
there is ch such that limx→∞ h(x)/x2 < ch . Also, by l’hopital we have that
lim
x→∞
x2
2x
2
= lim
= lim
= 0.
x→∞ ln 2 · 2x
x→∞ (ln 2)2 2x
2x
So
lim f (x)/2x
x→∞
=
=
=
=
g(x) + h(x)
2x
lim g(x)/2x + lim h(x)/2x
lim
x→∞
x→∞
x→∞
lim g(x)/2x + lim h(x)/x2 · lim x2 /2x
x→∞
x→∞
x→∞
cg + ch · 0 = cg
This gives us that that f (x) = O(2x ).
3. Use the Chinese Remainder theorem to find a solution to x2 ≡ 52 mod 136.
Observe that 136 = 8 × 17)
Solution
Modulo 8 the equation is x2 ≡ 4 so has 2 as a solution. Modulo 17 the
equation is x2 ≡ 1 so has 1 as a solution. We lift these solutions to a solution
modulo 136.
x1 = 2 is a solution to the first equation x ≡ 2 mod 8. So x2 = 2 + 8c where
c = (1 − 2)8−1 mod 17. Mod 17, 2 · 8 ≡ −1 so 15 · 8 ≡ (−2) · 8 = 1. Thus
8−1 = 15, and so c = −15 ≡ 2. Thus x2 = 2 + 8(2) = 18 is the solution to
our equation.
4. Write pseudo-code for a program that determines whether or not g is a
generator modulo a prime p.
Solution
Let D be a list of the divisors of p − 1 that are less than p − 1.
FOR d in D DO:
IF g d = 1 modulo p THEN OUTPUT ’g is not a generator’ and STOP
END (DO loop)
OUTPUT ’g is a generator’ and STOP.
Even better: Let D be the list of p/q for prime divisors q < p of p. And then
continue as above.
OR (for two out of 3 points)
Decide if 3 is a primitive element modulo 37.
Solution
Since 37 − 1 = 36 = 9 · 4 we must evaluate 312 and 318 . Modulo 37 we have
36 = 272 = −102 = 100 = 26 = −11 so 312 = (36 )2 = −112 = 132 = −16 6= 1
and 318 = 312 · 36 = −11 · −16 = 176 = 1. So no, 3 is not a primitive element.
5. Let (u1 , v1 ) and (u2 , v2 ) be two integer solutions to au + bv = 1. Prove
that a divides v2 − v1 .
Solution
As there is a solution, we have that gcd(a, b) = 1. As they are both solutions
au1 + bv1 = 1 = au2 + bv2 . Collecting terms, a(u1 − u2 ) = b(v2 − v1 ). So
a|b(v2 − v1 ). As gcd(a, b) = 1 this gives us that a|(v2 − v1 ).
6. (a) What is the El Gamal Problem (EGP) for a prime p and a generator
g of F∗p .
Solution
Given p, g, A = g a , c1 = g b and c2 = mAb where a, b and m are secret, find
m. (Every thing is modulo p.)
(b) Give a polynomial reduction of the EGP to the discrete log problem (DLP) for p and g. (Give the reduction and argue that it is
polynomial.)
Solution
Solving the DLP logg A we get a. Then we can solve the El Gamal problem
−ab mg ab = m. This algorithm for input
as Alice would: compute c−a
1 c2 = g
of k bits requires DLP (k) plus inversion O(k3 ) powering O(k3 ) and a product O(k2 ). So it has running time O(DLP (k) + k3 ). This is a polynomial
reduction to DLP .
7. Prove that φ(m) = m − 1 implies that m is prime.
Solution
As φ(m) is the number of integers in 1, . . . , m that are relatively prime to
m, and m is never one of these, φ(m) = m − 1 implies that all numbers
1, . . . , m − 1 are prime to m. This means that m is prime.
8. Let p be an odd prime and let g be a primitive root modulo p. An integer
a has a square root modulo p if there is some integer b such that b2 = a
modulo p. Prove that a has a square root modulo p if and only if logg (a)
modulo p is even.
Solution
If logg (a) is even, so 2e for some integer e, then g 2e = a and so b = g e is
a square root of a. On the other hand, if b2 = a modulo p then where e =
logg (b), (so 1 ≤ e ≤ p − 1), we have that g 2e = b2 = a. Write 2e = c(p − 1) + r
for some r with 1 ≤ r ≤ p − 1. Then g r = g 2e−c(p−1) = g 2e · g (p−1)·c ≡ g 2e ≡
a. So logg (a) = r, but r = 2e − c(p − 1), so because e and p − 1 are even, so
is r.