Cryptography Assignment 3


Michael Orlov (orlovm@cs.bgu.ac.il), Yanik Gleyzer (yanik@cs.bgu.ac.il)

April 9, 00

Abstract. Solution for Assignment 3. The terms in this assignment are used as defined in [1]. In some of the questions, stricter bounds than requested are proven.

1 Question 1

In this question we show that using $e = 3$ in the RSA cryptosystem is problematic. The cryptosystem we consider is given by $N = pq$ for primes $p, q$, where $\log_2 N = n - 1$, and $p < q < 2\sqrt{N}$. The public key is $\langle N, 3 \rangle$, and the private key is $\langle N, d \rangle$, where $d \in \mathbb{Z}_{\phi(N)}$ and $3d \equiv 1 \pmod{\phi(N)}$. We also assume that $n > 6$.

We immediately note several facts. First, since $q < 2\sqrt{N}$, $p = N/q > N/(2\sqrt{N})$. Therefore,
$$\frac{\sqrt{N}}{2} < p < q < 2\sqrt{N}. \tag{1.1}$$
Second, since $n > 6$, it follows that $N \ge 64 > 36$, and by (1.1),
$$p, q > 3. \tag{1.2}$$
Finally, by (1.2), $3 < \phi(N) = (p-1)(q-1)$, and from $3d \equiv 1 \pmod{\phi(N)}$ it follows that $3 \in \mathbb{Z}_{\phi(N)}^*$ (that is, $\gcd(3, \phi(N)) = 1$) and
$$\exists A \in \mathbb{N}: \quad 3d = A\phi(N) + 1. \tag{1.3}$$

1.1 $1 \le A \le 2$

Lemma 1.1. $1 \le A \le 2$.

Proof. By (1.3),
$$A = \frac{3d - 1}{\phi(N)}. \tag{1.4}$$

Since $d \in \mathbb{Z}_{\phi(N)}$ and $d \ne 0$, we have
$$1 \le d \le \phi(N) - 1 \;\Rightarrow\; 3 \le 3d \le 3\phi(N) - 3 \;\Rightarrow\; 2 \le 3d - 1 \le 3\phi(N) - 4 \;\Rightarrow\; 0 < \frac{2}{\phi(N)} \le A \le 3 - \frac{4}{\phi(N)} < 3 \quad \text{(by (1.4))} \;\Rightarrow\; 1 \le A \le 2 \quad (A \in \mathbb{N}).$$

1.2 $A \ne 1$

Lemma 1.2. $A \ne 1$.

Proof. Assume by contradiction that $A = 1$. Then, by (1.3),
$$3d = \phi(N) + 1 = (p-1)(q-1) + 1.$$
Also, by (1.2) and (1.3),
$$p,\; q,\; p-1,\; q-1 \not\equiv 0 \pmod 3,$$
since $p$ and $q$ are primes greater than $3$, and $p-1$ and $q-1$ cannot have a common factor with $3$ (recall that $\gcd(3, \phi(N)) = 1$). Moreover,
$$p-1,\; q-1 \equiv p+2,\; q+2 \not\equiv 0+2 \pmod 3,$$
and therefore, since $p-1$ and $q-1$ have to belong to some equivalence class modulo $3$,
$$p-1,\; q-1 \equiv 1 \pmod 3.$$
Consequently, we have
$$3d \bmod 3 = \big((p-1)(q-1) + 1\big) \bmod 3 = \Big(\big((p-1) \bmod 3\big)\big((q-1) \bmod 3\big) + 1\Big) \bmod 3 = 2 \bmod 3 = 2.$$
This is clearly a contradiction to $3d \equiv 0 \pmod 3$.

1.3 Computing $d$ given $\phi(N)$

By (1.3), we have $3d = A\phi(N) + 1$. By Lemma 1.1 and Lemma 1.2, it follows that $A = 2$, therefore $d$ is given by
$$d = \frac{2\phi(N) + 1}{3}. \tag{1.5}$$
Clearly, (1.5) can be computed in time $O(n)$ (a shift-left operation, an addition of a constant and a division by a constant, each of which has time complexity logarithmic in $N$).

Page 2 of 10, M. Orlov, Y. Gleyzer
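The following is an added example and not part of the write-up: it builds a toy RSA modulus with $e = 3$, confirms the closed form (1.5) for $d$, and then plays Eve, who knows only $N$ and computes the interval $d_l < d < d_u$ and the midpoint $\tilde d$ that Secs. 1.4 and 1.5 of the write-up derive from Lemma 1.3. The primes, the function names and the float-based bound computation are my own choices; the primes satisfy the write-up's assumptions $3 < p < q < 2\sqrt{N}$ and $\gcd(3, \phi(N)) = 1$.

```python
# Added example: the closed form d = (2*phi(N) + 1)/3 from (1.5) and Eve's
# interval for d from N alone (Secs. 1.4-1.5), on constructed toy primes.
from math import gcd, isqrt, sqrt

E = 3  # the public exponent under discussion


def is_prime(n):
    """Trial division; adequate for the small toy primes used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))


def rsa_e3_private_exponent(p, q):
    """Return (N, phi(N), d) for e = 3, checking Question 1's assumptions."""
    assert is_prime(p) and is_prime(q) and 3 < p < q, "need primes 3 < p < q"
    n_mod = p * q
    # (1.1): sqrt(N)/2 < p < q < 2*sqrt(N) is equivalent to q < 4p when p < q.
    assert q < 4 * p, "q must be below 2*sqrt(N)"
    phi = (p - 1) * (q - 1)
    assert gcd(E, phi) == 1, "e = 3 needs gcd(3, phi(N)) = 1"
    d = pow(E, -1, phi)            # modular inverse (Python 3.8+)
    # (1.5): A = 2, so 3 divides 2*phi(N) + 1 and d is that quotient.
    assert (2 * phi + 1) % 3 == 0 and d == (2 * phi + 1) // 3
    return n_mod, phi, d


def bounds_from_n(n_mod):
    """Eve's view: d_l, d_u and the midpoint d~ computed from N only (Sec. 1.5)."""
    r = sqrt(n_mod)
    d_l = (2 * (n_mod - 4 * r) + 1) / 3     # from phi(N) > N - 4*sqrt(N)
    d_u = (2 * (n_mod - r) + 1) / 3         # from phi(N) < N - sqrt(N)
    return d_l, d_u, (d_l + d_u) / 2


def check_question_1(p, q):
    """Collect the facts the write-up claims, as booleans and integers."""
    n_mod, phi, d = rsa_e3_private_exponent(p, q)
    d_l, d_u, d_tilde = bounds_from_n(n_mod)
    return {
        "N": n_mod,
        "d": d,
        "three_d_mod_phi": (3 * d) % phi,                 # must be 1
        "in_interval": d_l < d < d_u,
        "width_is_2_sqrt_N": abs((d_u - d_l) - 2 * sqrt(n_mod)) < 1e-3,
        "error_below_sqrt_N": abs(d - d_tilde) < sqrt(n_mod),
    }


if __name__ == "__main__":
    # 10007 and 10037 are constructed toy primes, both congruent to 2 mod 3.
    print(check_question_1(10007, 10037))
```

The interval Eve obtains has width $2\sqrt{N}$, so with only $N$ in hand she already knows $d$ up to an error below $\sqrt{N}$; this is the reason the write-up calls $e = 3$ problematic, and it is one of the reasons deployments prefer a larger public exponent together with proper padding.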

1.4 Bounds on $\phi(N)$

Lemma 1.3. $N - 4\sqrt{N} < \phi(N) < N - \sqrt{N}$.

Proof. The lower bound is given by
$$\phi(N) = (p-1)(q-1) = N - p - q + 1 > N - 2q > N - 2 \cdot 2\sqrt{N} \quad \text{(by (1.1))} \;= N - 4\sqrt{N}.$$
The upper bound is derived in a similar way:
$$\phi(N) = N - p - (q - 1) < N - \tfrac{1}{2}\sqrt{N} - \tfrac{1}{2}\sqrt{N} \quad \text{(by (1.1))} \;= N - \sqrt{N}.$$

1.5 Finding $\tilde d$ close to $d$

From Sec. 1.3 and by Lemma 1.3, Eve can efficiently compute bounds on $d$, knowing only $N$:
$$d_l = \frac{2(N - 4\sqrt{N}) + 1}{3}, \qquad d_u = \frac{2(N - \sqrt{N}) + 1}{3}, \qquad d_l < d < d_u.$$
We note that $d_u - d_l = 2\sqrt{N}$, and by efficiently computing
$$\tilde d = \frac{d_l + d_u}{2} = \frac{2N - 5\sqrt{N} + 1}{3}$$
Eve can assure that $|d - \tilde d| < \sqrt{N}$.

2 Question 2

We consider odd primes $p$ and $q$, with $p = 2q + 1$.

2.1 Primitive elements in $\mathbb{Z}_p^*$

Lemma 2.1. Let $a \in \mathbb{Z}_p^*$, and $a \not\equiv \pm 1 \pmod p$. Then exactly one of $\{a,\; -a \bmod p\}$ is a primitive element modulo $p$, and the other is a quadratic residue modulo $p$ (and not a primitive element modulo $p$).

Proof. Let $a \in \mathbb{Z}_p^*$, and $a \not\equiv \pm 1 \pmod p$. We note that
$$\left(\frac{a}{p}\right)\left(\frac{-a}{p}\right) \equiv a^{\frac{p-1}{2}} (-a)^{\frac{p-1}{2}} \pmod p \quad \text{(by Theorem 5.10, [1])}$$
$$\equiv (-1)^q\, a^{p-1} \equiv -a^{p-1} \pmod p \quad (q \text{ is odd})$$
$$\equiv -1 \pmod p \quad \text{(by Euler's theorem)}.$$
Since $a \in \mathbb{Z}_p^*$, it follows that $a \not\equiv 0 \pmod p$, and therefore $\left(\frac{a}{p}\right), \left(\frac{-a}{p}\right) \in \{1, -1\}$. Consequently,
$$\left(\frac{a}{p}\right) = 1 \;\wedge\; \left(\frac{-a}{p}\right) = -1 \qquad \text{or} \qquad \left(\frac{a}{p}\right) = -1 \;\wedge\; \left(\frac{-a}{p}\right) = 1.$$
The prime divisors of $p - 1$ are $2$ and $q$. For $x \in \{a, -a\}$,
$$x^{\frac{p-1}{q}} = x^2 = a^2 \not\equiv 1 \pmod p,$$
since the roots of $1$ modulo $p$ are $\pm 1 \pmod p$, and $x \not\equiv \pm 1 \pmod p$. Additionally,
$$x^{\frac{p-1}{2}} \equiv \left(\frac{x}{p}\right) \pmod p,$$
which is not congruent to $1 \pmod p$ for one of $\{a, -a\}$, and is congruent to $1 \pmod p$ for the other. Therefore, by Theorem 5.8, [1], exactly one of $\{a, -a\}$ is a primitive element modulo $p$, and the other is a quadratic residue modulo $p$ by Euler's criterion.

2.2 Algorithm for finding a primitive element

A straightforward algorithm for finding a primitive element modulo $p$, based on Lemma 2.1, is shown in Alg. 1. Multiplication of two numbers modulo $n$ can be performed in $O(\log^2 n)$ time, and exponentiation to the power $k$ modulo $n$ can be done using $O(\log k)$ multiplications. Thus, the time complexity of Alg. 1 is $O(\log^3 p)$.¹

¹ Tighter upper bounds can be achieved, for example, by using FFTs or Karatsuba's algorithm for multiplication.

Algorithm 1 PRIMITIVE-ELEMENT($p$)
Require: $p$ and $(p-1)/2$ are odd primes
Ensure: A primitive element in $\mathbb{Z}_p^*$ is returned
1: if $2^{(p-1)/2} \equiv 1 \pmod p$ then
2:   return $p - 2$
3: else
4:   return $2$

3 Question 3

An ElGamal cryptosystem is given by a private key $\langle p, g, b \rangle$ and a public key $\langle p, g, B \rangle$, where $p$ is prime, $g$ is a primitive element modulo $p$, $b \in \mathbb{Z}_{p-1}$ and $B \equiv g^b \pmod p$. The encryption function for a message $M \in \mathbb{Z}_p^*$ and random $a \in \mathbb{Z}_{p-1}$ is given by
$$e(M, a) = \langle g^a \bmod p,\; B^a M \bmod p \rangle = \langle A, C \rangle,$$
and decryption is performed using the trapdoor $b$ by
$$d(\langle A, C \rangle) = (A^b)^{-1} C \bmod p = M.$$

3.1 Multiplicativity of ElGamal

Lemma 3.1. For messages $M_1, M_2 \in \mathbb{Z}_p^*$ and $a_1, a_2 \in \mathbb{Z}_{p-1}$ for which the corresponding cryptograms are
$$e(M_1, a_1) = \langle A_1, C_1 \rangle, \qquad e(M_2, a_2) = \langle A_2, C_2 \rangle,$$
it holds that
$$e\big(M_1 M_2 \bmod p,\; a_1 + a_2 \bmod (p-1)\big) = \langle A_1 A_2 \bmod p,\; C_1 C_2 \bmod p \rangle.$$

Proof. The identity is easy to verify:
$$e\big(M_1 M_2 \bmod p,\; a_1 + a_2 \bmod (p-1)\big) = \langle g^{a_1 + a_2 \bmod (p-1)} \bmod p,\; B^{a_1 + a_2 \bmod (p-1)} M_1 M_2 \bmod p \rangle$$
$$= \langle g^{a_1 + a_2} \bmod p,\; B^{a_1 + a_2} M_1 M_2 \bmod p \rangle \quad \text{(by Euler's theorem)}$$
$$= \langle g^{a_1} g^{a_2} \bmod p,\; B^{a_1} M_1 B^{a_2} M_2 \bmod p \rangle = \langle A_1 A_2 \bmod p,\; C_1 C_2 \bmod p \rangle.$$

3.2 Chosen ciphertext attack

Lemma 3.1 can be used to mount a chosen ciphertext attack against the ElGamal cryptosystem as follows. Suppose Eve intercepts a cryptogram $\langle A, C \rangle$,
$$e(M, a) = \langle A, C \rangle,$$

for some message $M \in \mathbb{Z}_p^*$ and some $a \in \mathbb{Z}_{p-1}$, and is allowed to ask for the decryption of any other cryptogram. Noting that $1 \in \mathbb{Z}_p^*$, $1 \in \mathbb{Z}_{p-1}$ for $p > 2$ and
$$e(1, 1) = \langle g, B \rangle,$$
it is straightforward to apply Lemma 3.1 to see that
$$e\big(M,\; a + 1 \bmod (p-1)\big) = \langle gA \bmod p,\; BC \bmod p \rangle.$$
Moreover, since $g$ is a primitive element modulo $p$, $g \not\equiv 1 \pmod p$, and therefore
$$\langle gA \bmod p,\; BC \bmod p \rangle \ne \langle A, C \rangle,$$
and Eve can ask for the decryption of this cryptogram and recover the message:
$$d(\langle gA \bmod p,\; BC \bmod p \rangle) = M.$$

4 Question 4

In this question we assume an odd prime $p$, with $g \in \mathbb{Z}_p^*$ which is a primitive element modulo $p$.

4.1 Criterion for quadratic residue

Lemma 4.1. For $a, b \in \mathbb{Z}_{p-1}$, $K \equiv g^{ab} \pmod p$ is a quadratic residue modulo $p$ if and only if $a$ is even or $b$ is even.

Proof. First, assume that $a$ or $b$ is even; then $ab = 2i$ for some $i \in \mathbb{N}$. Therefore,
$$K \equiv g^{ab} = g^{2i} = (g^i)^2 \pmod p,$$
and $K$ is a quadratic residue modulo $p$ with roots $\pm g^i \bmod p$. Conversely, assume that $K$ is a quadratic residue modulo $p$:
$$\exists y \in \mathbb{Z}_p^*: \quad y^2 \equiv K \equiv g^{ab} \pmod p.$$
Since $g$ is a primitive element modulo $p$, we have
$$\exists!\, i \in \mathbb{Z}_{p-1}: \quad y \equiv g^i \pmod p \;\Rightarrow\; (g^i)^2 = g^{2i} \equiv g^{ab} \pmod p.$$
Again, since $g$ is a primitive element modulo $p$, and by Euler's theorem,
$$2i \equiv ab \pmod{\phi(p) = p - 1},$$
which means that $\exists k \in \mathbb{Z}: ab = k(p-1) + 2i$. Since $p$ is odd, $p - 1$ is even, as is $2i$, and therefore $ab$ is even, from which it follows that one of $\{a, b\}$ is even.

4.2 Distribution of the key in Diffie-Hellman

In the Diffie-Hellman key exchange protocol, $a$ and $b$ are chosen from $\mathbb{Z}_{p-1}$ using the uniform distribution, and we can compute the probability $P^{K}_{QR}$ that the chosen key $K = g^{ab} \bmod p$ is a quadratic residue using Lemma 4.1:
$$P^{K}_{QR} = 1 - \Pr[a \text{ is odd}] \cdot \Pr[b \text{ is odd}] = 1 - \left(\tfrac{1}{2}\right)^2 = \tfrac{3}{4}.$$
On the other hand, in the uniform distribution on $\mathbb{Z}_p^*$ the probability $P^{U}_{QR}$ that a chosen element in $\mathbb{Z}_p^*$ is a quadratic residue is given by
$$P^{U}_{QR} = \frac{|QR(\mathbb{Z}_p^*)|}{p - 1}.$$
If we consider a common case in the Diffie-Hellman key exchange protocol, where $p = 2q + 1$ for odd primes $p, q$, by Lemma 2.1 there are $\frac{p-3}{2}$ quadratic residues modulo $p$ which are not congruent to $\pm 1 \pmod p$. Applying Euler's criterion to $\pm 1 \pmod p$ we see that $-1$ is not a quadratic residue modulo $p$ (because $q$ is odd). Thus, in this case,
$$P^{U}_{QR} = \frac{\frac{p-3}{2} + 1}{p - 1} = \frac{1}{2} \ne \frac{3}{4} = P^{K}_{QR}.$$
Therefore, in general, the key that is generated in the Diffie-Hellman key exchange protocol is not distributed uniformly over $\mathbb{Z}_p^*$.

4.3 Determining whether $K$ is a quadratic residue

Lemma 4.2. Consider $a, b \in \mathbb{Z}_{p-1}$, and
$$A \equiv g^a \pmod p, \qquad B \equiv g^b \pmod p, \qquad K \equiv g^{ab} \pmod p.$$
Then $K$ is a quadratic residue modulo $p$ if and only if one of $\{A, B\}$ is a quadratic residue modulo $p$.

Proof. Assume that $K$ is a quadratic residue modulo $p$. By Lemma 4.1, $a$ or $b$ is even. Without loss of generality, assume that $a$ is even, $a = 2i$, in which case
$$A \equiv g^a = g^{2i} = (g^i)^2 \pmod p$$
and $A$ is a quadratic residue modulo $p$ with roots $\pm g^i \bmod p$. Conversely, assume without loss of generality that $A$ is a quadratic residue modulo $p$. By Euler's criterion,
$$1 \equiv A^{\frac{p-1}{2}} \equiv g^{a\frac{p-1}{2}} \pmod p.$$
Since $g$ is a primitive element modulo $p$, it follows that $(p-1) \mid a\frac{p-1}{2}$ and therefore $\frac{a}{2} \in \mathbb{N}$; in other words, $a$ is even. Thus, by Lemma 4.1, $K$ is a quadratic residue modulo $p$.
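The following is an added example, not code from the write-up, covering Question 2 and Question 4 together: it implements Euler's criterion, Alg. 1 (testing the element $2$), and checks Lemma 2.1, the $\tfrac{3}{4}$ versus $\tfrac{1}{2}$ comparison of Sec. 4.2, and Lemma 4.2 exhaustively over all $a, b \in \mathbb{Z}_{p-1}$ for a few small safe primes. The primes $23, 47, 59, 83, 107$ and all function names are my own choices; the brute-force order computation is only meant for such small $p$.

```python
# Added example: Legendre symbols, Alg. 1 / Lemma 2.1 and Lemmas 4.1-4.2 checked
# exhaustively on small safe primes p = 2q + 1 (constructed values).
from fractions import Fraction
from math import isqrt


def is_prime(n):
    return n >= 2 and all(n % k for k in range(2, isqrt(n) + 1))


def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion, as an int in {-1, 0, 1}."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def mult_order(a, p):
    """Order of a in Z_p^* by repeated multiplication (small p only)."""
    x, k = a % p, 1
    while x != 1:
        x, k = x * a % p, k + 1
    return k


def primitive_element(p):
    """Alg. 1: for a safe prime p test a = 2 with Euler's criterion. By Lemma 2.1
    exactly one of {2, -2} is primitive, namely the one that is not a QR."""
    q = (p - 1) // 2
    assert p > 3 and is_prime(p) and is_prime(q) and q % 2 == 1
    return p - 2 if pow(2, q, p) == 1 else 2


def lemma_2_1_holds(p):
    """For every a not congruent to +-1: exactly one of a, -a is primitive and
    the other is a quadratic residue (and the primitive one is not a QR)."""
    for a in range(2, p - 1):
        prim = [mult_order(x, p) == p - 1 for x in (a, p - a)]
        qr = [legendre(x, p) == 1 for x in (a, p - a)]
        if prim.count(True) != 1 or qr != [not t for t in prim]:
            return False
    return True


def dh_key_qr_probability(p, g):
    """Pr over uniform a, b in Z_{p-1} that K = g^{ab} is a QR (Sec. 4.2)."""
    hits = sum(legendre(pow(g, a * b, p), p) == 1
               for a in range(p - 1) for b in range(p - 1))
    return Fraction(hits, (p - 1) ** 2)


def uniform_qr_probability(p):
    """Fraction of Z_p^* that consists of quadratic residues."""
    return Fraction(sum(legendre(x, p) == 1 for x in range(1, p)), p - 1)


def lemma_4_2_holds(p, g):
    """K = g^{ab} is a QR iff A = g^a or B = g^b is a QR, for all a, b."""
    for a in range(p - 1):
        for b in range(p - 1):
            k_is_qr = legendre(pow(g, a * b, p), p) == 1
            ab_qr = legendre(pow(g, a, p), p) == 1 or legendre(pow(g, b, p), p) == 1
            if k_is_qr != ab_qr:
                return False
    return True


if __name__ == "__main__":
    for p in (23, 47, 59, 83, 107):          # constructed safe primes
        g = primitive_element(p)
        print(p, g, mult_order(g, p) == p - 1, lemma_2_1_holds(p),
              dh_key_qr_probability(p, g), uniform_qr_probability(p),
              lemma_4_2_holds(p, g))
```

The practical reading of the $\tfrac{3}{4}$ versus $\tfrac{1}{2}$ gap is that one bit of a raw Diffie-Hellman value $g^{ab}$ is predictable from public data, which is why the exchanged value is passed through a key-derivation function, or the protoc is run in the prime-order subgroup of quadratic residues, rather than used directly as a key.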

Thus Eve, who intercepted $A$ and $B$ during the Diffie-Hellman key exchange, can efficiently compute
$$\left(\frac{A}{p}\right) \equiv A^{\frac{p-1}{2}} \pmod p, \qquad \left(\frac{B}{p}\right) \equiv B^{\frac{p-1}{2}} \pmod p$$
and infer that $K$ is a quadratic residue modulo $p$ if and only if
$$\left(\frac{A}{p}\right) = 1 \;\vee\; \left(\frac{B}{p}\right) = 1.$$
Note that $K$ is either a quadratic residue or a quadratic non-residue, since $K \in \mathbb{Z}_p^*$:
$$\left(\frac{K}{p}\right) \in \{1, -1\},$$
and thus $\left(\frac{K}{p}\right)$ can be efficiently computed.

4.4 Semantic security of ElGamal

Consider an ElGamal cryptosystem with the private key $\langle p, g, b \rangle$ and the public key $\langle p, g, B \rangle$, where $B \equiv g^b \pmod p$. Suppose that Eve, who knows the public key $\langle p, g, B \rangle$, intercepts a cryptogram
$$\langle A, C \rangle = \langle g^a,\; B^a M \rangle$$
for some $M \in \mathbb{Z}_p^*$ and $a \in \mathbb{Z}_{p-1}$. Note that using the process described in Sec. 4.3, Eve can efficiently compute $\left(\frac{B^a}{p}\right)$, and she can also efficiently compute $\left(\frac{C}{p}\right)$ using Euler's criterion. The following lemma shows that the value of the Legendre symbol is a multiplicative property.

Lemma 4.3. For a prime $p$ and $A, B \in \mathbb{Z}_p^*$,
$$\left(\frac{A}{p}\right)\left(\frac{B}{p}\right) = \left(\frac{AB \bmod p}{p}\right).$$

Proof.
$$\left(\frac{A}{p}\right)\left(\frac{B}{p}\right) \equiv A^{\frac{p-1}{2}} B^{\frac{p-1}{2}} \equiv (AB)^{\frac{p-1}{2}} \equiv \left(\frac{AB \bmod p}{p}\right) \pmod p.$$

Therefore,
$$\left(\frac{M}{p}\right) = \left(\frac{B^a}{p}\right)^{-1}\left(\frac{C}{p}\right) = \left(\frac{B^a}{p}\right)\left(\frac{C}{p}\right).$$
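The following is an added example and not the write-up's code: textbook ElGamal over a small safe prime, showing Lemma 3.1 (componentwise products of cryptograms), the re-randomised cryptogram $\langle gA, BC \rangle$ of Sec. 3.2 decrypting to the same $M$, and the Legendre-symbol computation of Sec. 4.4 recovering $\left(\frac{M}{p}\right)$ from the public key and the cryptogram alone. It also shows the plaintext restriction that closes that particular leak, namely sending only quadratic residues, which is the case the closing remark of Sec. 4.4 excludes. The prime $p = 10007$, the generator $g = 5$, the keys, messages and all function names are my own constructed choices.

```python
# Added example: textbook ElGamal, Lemma 3.1, the Sec. 3.2 re-randomisation and the
# Sec. 4.4 Legendre leak, on constructed toy parameters.
P = 10007                  # safe prime: (P - 1) // 2 = 5003 is prime
G = 5                      # primitive element modulo P, verified by the order test below
assert pow(G, 2, P) != 1 and pow(G, (P - 1) // 2, P) != 1


def legendre(x, p=P):
    """Legendre symbol via Euler's criterion, in {-1, 0, 1}."""
    r = pow(x, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def keygen(b):
    """Private key <p, g, b>, public key <p, g, B> with B = g^b mod p."""
    return (P, G, b), (P, G, pow(G, b, P))


def encrypt(pk, m, a):
    p, g, big_b = pk
    return pow(g, a, p), pow(big_b, a, p) * m % p          # <A, C>


def decrypt(sk, ct):
    p, _, b = sk
    big_a, c = ct
    return pow(pow(big_a, b, p), -1, p) * c % p            # (A^b)^{-1} C mod p


def combine(ct1, ct2):
    """Lemma 3.1: the componentwise product encrypts M1*M2 under randomness a1+a2."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P


def rerandomize(pk, ct):
    """Sec. 3.2: multiply by e(1, 1) = <g, B>, giving a different cryptogram of the same M."""
    return combine(ct, encrypt(pk, 1, 1))


def message_legendre_from_ciphertext(pk, ct):
    """Sec. 4.4: (M/p) = (B^a/p)(C/p), where (B^a/p) = 1 iff (A/p) = 1 or (B/p) = 1 (Lemma 4.2)."""
    _, _, big_b = pk
    big_a, c = ct
    ba_is_qr = legendre(big_a) == 1 or legendre(big_b) == 1
    return (1 if ba_is_qr else -1) * legendre(c)


def qr_encode(m):
    """Mitigation for the leak: transmit m^2 mod p, so every plaintext is a QR."""
    return m * m % P


def demo():
    sk, pk = keygen(b=4321)
    m1, m2, a1, a2 = 1234, 777, 98, 6001
    ct1, ct2 = encrypt(pk, m1, a1), encrypt(pk, m2, a2)
    product_ok = decrypt(sk, combine(ct1, ct2)) == m1 * m2 % P
    ct1_prime = rerandomize(pk, ct1)
    rerand_ok = ct1_prime != ct1 and decrypt(sk, ct1_prime) == m1
    leak_ok = all(message_legendre_from_ciphertext(pk, encrypt(pk, m, a)) == legendre(m)
                  for m, a in ((m1, a1), (m2, a2), (3, 17), (9, 18)))
    hidden = all(message_legendre_from_ciphertext(pk, encrypt(pk, qr_encode(m), a)) == 1
                 for m, a in ((m1, a1), (m2, a2), (3, 17)))
    return {"product": product_ok, "rerandomized": rerand_ok,
            "leak_matches_legendre": leak_ok, "qr_encoding_hides": hidden}


if __name__ == "__main__":
    print(demo())
```

Both observations point at the same engineering conclusion: unauthenticated, multiplicatively malleable ElGamal must not be used as-is, so deployed schemes bind the ciphertext to an integrity check and work in the prime-order subgroup of quadratic residues.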

Consequently, Eve can efficiently check whether the encrypted message is a quadratic residue modulo $p$. The ElGamal cryptosystem is thus not semantically secure when both quadratic residue and quadratic non-residue messages modulo $p$ are allowed.

5 Question 5

Denote $\tau = \{0, 1\}$. In this question we show that for $m \in \tau^{64}$ and $K \in \tau^{64}$,
$$\mathrm{DES}(\bar m, \bar K) = \overline{\mathrm{DES}(m, K)}, \tag{5.1}$$
which can be generalized to similar Feistel-type ciphers.

First, let us define $\sigma_{k,l}$ as the set of all functions $\sigma: \tau^k \to \tau^l$ which select $l$ bits in some order from a $k$-bit string, possibly with repetitions. We note that
$$\forall k, l \in \mathbb{N},\; \forall \sigma \in \sigma_{k,l},\; \forall x \in \tau^k: \quad \sigma(\bar x) = \overline{\sigma(x)}. \tag{5.2}$$
We also define $\pi_k$ as the set of all $k$-bit permutation functions. Since $\pi_k \subset \sigma_{k,k}$, as a special case of (5.2) we see that
$$\forall k \in \mathbb{N},\; \forall \pi \in \pi_k,\; \forall x \in \tau^k: \quad \pi(\bar x) = \overline{\pi(x)}. \tag{5.3}$$
Finally, we note two properties of the exclusive-or operation:
$$\forall k \in \mathbb{N},\; \forall x, y \in \tau^k: \quad \bar x \oplus \bar y = x \oplus y, \tag{5.4a}$$
$$\forall k \in \mathbb{N},\; \forall x, y \in \tau^k: \quad \bar x \oplus y = \overline{x \oplus y}. \tag{5.4b}$$
One round of DES encryption² $g: \tau^{32} \times \tau^{32} \times \tau^{48} \to \tau^{32} \times \tau^{32}$ is given by
$$\langle L_i, R_i \rangle = g(L_{i-1}, R_{i-1}, K_i) = \langle R_{i-1},\; L_{i-1} \oplus f(R_{i-1}, K_i) \rangle \tag{5.5}$$
for $1 \le i \le 16$, where the round key $K_i$ is given by
$$K_i = \sigma_i(K), \tag{5.6}$$
where $K$ is the encryption key and $\sigma_i \in \sigma_{64,48}$.³ The function $f: \tau^{32} \times \tau^{48} \to \tau^{32}$ is given by
$$f(R, K) = \pi_P\big(S_{1,\dots,8}(\sigma_E(R) \oplus K)\big), \tag{5.7}$$
where $\sigma_E \in \sigma_{32,48}$ is the bit expansion function, $\pi_P \in \pi_{32}$ is a bit permutation, and $S_{1,\dots,8}: \tau^{48} \to \tau^{32}$ is the non-linear component of the cryptosystem (the eight S-boxes). Finally, the encryption function $\mathrm{DES}: \tau^{64} \times \tau^{64} \to \tau^{64}$ is given by
$$\mathrm{DES}(m, K) = \pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots g(\pi_{IP}(m), K_1) \dots, K_{16})\big)\Big), \tag{5.8}$$
where $\pi_{IP} \in \pi_{64}$ is the initial permutation, and $\pi_{swap} \in \pi_{64}$ is a permutation that rotates the block by $32$ bits.⁴ We have now established the notation to prove (5.1).

² We are not completely loyal to the notation of [2], in order to describe the encryption process more clearly.
³ We don't break the round-key generation process into the primitive choice permutations $\pi_{PC\text{-}1}$ and $\pi_{PC\text{-}2}$ and bit shift operations, but each round key is clearly a choice permutation of $K$.
⁴ We ignore the trivial conversions between a 64-bit block and two 32-bit blocks for clarity.
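The following is an added example and is neither the write-up's code nor an implementation of DES as specified in [2]: it is a reduced Feistel cipher with an 8-bit block, an 8-bit key and four rounds, assembled from the same kinds of components as (5.5) to (5.8), that is, bit selections $\sigma$ (with repetition, like $\sigma_E$ and the $\sigma_i$), permutations $\pi$, an XOR with the round key, and an arbitrary S-box. Because the S-box only ever sees $\sigma_E(R) \oplus K_i$, which (5.2) and (5.4a) leave unchanged under joint complementation, the property (5.1) holds for any S-box contents, so the tables below are constructed toy values with no relation to the real DES tables. All names are my own.

```python
# Added example: a reduced DES-shaped Feistel cipher used to check the
# complementation property (5.1) exhaustively. Tables are constructed toy values.
import random

ROUNDS = 4
IP = (1, 5, 2, 0, 3, 7, 4, 6)                     # pi_IP: a permutation of 8 positions
IP_INV = tuple(IP.index(i) for i in range(8))      # pi_IP^{-1}
E = (3, 0, 1, 2, 3, 0)                             # sigma_E: 4 -> 6 bits, repeats bits 0 and 3
P = (2, 0, 3, 1)                                   # pi_P on the 4-bit S-box output
KEY_SCHEDULE = [(0, 1, 2, 3, 4, 5), (2, 3, 4, 5, 6, 7),
                (4, 5, 6, 7, 0, 1), (6, 7, 0, 1, 2, 3)]   # sigma_i: 8-bit key -> 6-bit K_i
_rng = random.Random(2003)
SBOX = [_rng.randrange(16) for _ in range(64)]     # fixed but arbitrary 6 -> 4 bit map


def to_bits(n, width):
    return tuple((n >> (width - 1 - i)) & 1 for i in range(width))


def from_bits(bits):
    n = 0
    for b in bits:
        n = (n << 1) | b
    return n


def select(bits, positions):           # a sigma in sigma_{k,l}: output j is bits[positions[j]]
    return tuple(bits[i] for i in positions)


def complement(bits):
    return tuple(1 - b for b in bits)


def xor(x, y):
    return tuple(a ^ b for a, b in zip(x, y))


def f(r, k_i):                          # (5.7): pi_P(S(sigma_E(R) xor K_i))
    s_in = xor(select(r, E), k_i)
    return select(to_bits(SBOX[from_bits(s_in)], 4), P)


def round_g(l, r, k_i):                 # (5.5): <L_i, R_i> = <R_{i-1}, L_{i-1} xor f(R_{i-1}, K_i)>
    return r, xor(l, f(r, k_i))


def encrypt(m, k):                      # (5.8) with 4 rounds
    kb = to_bits(k, 8)
    x = select(to_bits(m, 8), IP)
    l, r = x[:4], x[4:]
    for i in range(ROUNDS):
        l, r = round_g(l, r, select(kb, KEY_SCHEDULE[i]))
    return from_bits(select(r + l, IP_INV))        # pi_swap, then pi_IP^{-1}


def decrypt(c, k):                      # same rounds with the round keys reversed
    kb = to_bits(k, 8)
    x = select(to_bits(c, 8), IP)
    l, r = x[:4], x[4:]
    for i in reversed(range(ROUNDS)):
        l, r = round_g(l, r, select(kb, KEY_SCHEDULE[i]))
    return from_bits(select(r + l, IP_INV))


def f_ignores_joint_complement():       # (5.9): f(~R, ~K) == f(R, K) for all inputs
    return all(f(complement(to_bits(r, 4)), complement(to_bits(k, 6)))
               == f(to_bits(r, 4), to_bits(k, 6))
               for r in range(16) for k in range(64))


def complementation_holds(msgs=range(256), keys=range(256)):   # (5.1)
    return all(encrypt(m ^ 0xFF, k ^ 0xFF) == encrypt(m, k) ^ 0xFF
               for m in msgs for k in keys)


def roundtrip_holds(msgs=range(256), keys=range(256)):
    return all(decrypt(encrypt(m, k), k) == m for m in msgs for k in keys)


if __name__ == "__main__":
    print(f_ignores_joint_complement(), complementation_holds(), roundtrip_holds())
```

The defender's takeaway is the classical one: a complementation property means a chosen-plaintext pair $(m, \bar m)$ lets an exhaustive key search test two keys per trial encryption, so the effective key space of such a cipher is half its nominal size, and the property is something to rule out when evaluating any new Feistel design.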

Lemma 5.1. For all $m, K \in \tau^{64}$, $\mathrm{DES}(\bar m, \bar K) = \overline{\mathrm{DES}(m, K)}$.

Proof. First, we show that the following holds for $f$:
$$f(\bar R, \bar K) = \pi_P\big(S_{1,\dots,8}(\sigma_E(\bar R) \oplus \bar K)\big) \quad \text{(by (5.7))}$$
$$= \pi_P\big(S_{1,\dots,8}(\overline{\sigma_E(R)} \oplus \bar K)\big) \quad \text{(by (5.2))}$$
$$= \pi_P\big(S_{1,\dots,8}(\sigma_E(R) \oplus K)\big) \quad \text{(by (5.4a))}$$
$$= f(R, K) \quad \text{(by (5.7))}. \tag{5.9}$$
Consequently, in round $1 \le i \le 16$,
$$g(\bar L_{i-1}, \bar R_{i-1}, \bar K_i) = \langle \bar R_{i-1},\; \bar L_{i-1} \oplus f(\bar R_{i-1}, \bar K_i) \rangle \quad \text{(by (5.5))}$$
$$= \langle \bar R_{i-1},\; \bar L_{i-1} \oplus f(R_{i-1}, K_i) \rangle \quad \text{(by (5.9))}$$
$$= \langle \bar R_{i-1},\; \overline{L_{i-1} \oplus f(R_{i-1}, K_i)} \rangle \quad \text{(by (5.4b))}$$
$$= \overline{g(L_{i-1}, R_{i-1}, K_i)} \quad \text{(by (5.5))}. \tag{5.10}$$
We also note that
$$(\bar K)_i = \sigma_i(\bar K) \quad \text{(by (5.6))} \;=\; \overline{\sigma_i(K)} \quad \text{(by (5.2))} \;=\; \bar K_i \quad \text{(by (5.6))}. \tag{5.11}$$
We can now finally see that
$$\mathrm{DES}(\bar m, \bar K) = \pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots g(\pi_{IP}(\bar m), (\bar K)_1) \dots, (\bar K)_{16})\big)\Big) \quad \text{(by (5.8))}$$
$$= \pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots g(\pi_{IP}(\bar m), \bar K_1) \dots, \bar K_{16})\big)\Big) \quad \text{(by (5.11))}$$
$$= \pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots g(\overline{\pi_{IP}(m)}, \bar K_1) \dots, \bar K_{16})\big)\Big) \quad \text{(by (5.3))}$$
$$= \pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots \overline{g(\pi_{IP}(m), K_1)} \dots, \bar K_{16})\big)\Big) \quad \text{(by (5.10))}$$
$$\vdots$$
$$= \pi_{IP}^{-1}\Big(\pi_{swap}\big(\overline{g(\dots g(\pi_{IP}(m), K_1) \dots, K_{16})}\big)\Big) \quad \text{(by (5.10))}$$
$$= \overline{\pi_{IP}^{-1}\Big(\pi_{swap}\big(g(\dots g(\pi_{IP}(m), K_1) \dots, K_{16})\big)\Big)} \quad \text{(by (5.3))}$$
$$= \overline{\mathrm{DES}(m, K)} \quad \text{(by (5.8))}.$$

References

[1] Douglas R. Stinson. Cryptography: Theory and Practice. Discrete Mathematics and its Applications. CRC Press, second edition, 2002.

[2] Data Encryption Standard (DES). U.S. Department of Commerce / National Institute of Standards and Technology, October 1999.