Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some of the questions, stricter bounds than requested are roven. 1 Question 1 In this question we show that using e = in RSA crytosystem is roblematic. The crytosystem we consider is given by N = q for rime,q, where log N = n 1, and < q < N. The ublic key is N, and the rivate key is N, d, where d Z ϕn) and d 1 mod ϕn)). We also assume that n > 6. We immediately note several facts. First, since q < N, = N q > N N. Therefore, N = 1 N < < q < N 1.1) Second, since n > 6, it follows that N 64 > 6, and by 1.1),, q > 1.) Finally, by 1.), < ϕn) = 1)q 1), and from d 1 mod ϕn)) it follows that Z ϕn) and gcd, ϕn)) = 1 A N : d = AϕN) + 1 1.) 1.1 1 A Lemma 1.1. 1 A. Proof. By 1.), A = d 1 ϕn) 1.4)
1. A 1 1 QUESTION 1 Since d Z ϕn), we have 1 d ϕn) 1 d ϕn) d 1 ϕn) 4 0 < 4 A < by 1.4) ϕn) ϕn) 1 A A N) 1. A 1 Lemma 1.. A 1. Proof. Assume by contradiction that A = 1. Then, by 1.), d = ϕn) + 1 = 1)q 1) + 1 Also by 1.) and 1.),, q, 1, q 1 0 mod ) since and q are rime, and 1 and q 1 can t have common factors with non-trivial factors of. Moreover, 1, q 1 +, q + 0 + mod ) and therefore, since 1 and q 1 have to belong to some equivalence class modulo, 1, q 1 1 mod ) Consequently, we have d mod = 1)q 1) + 1 ) mod ) ) ) = 1) mod q 1) mod + 1 mod = mod = This is clearly a contradiction to d 0 mod ). 1. Comuting d given ϕn) By 1.), we have d = AϕN) + 1 By Lemma 1.1 and Lemma 1., it follows that A =, therefore d is given by d = ϕn) + 1 1.5) Clearly, 1.5) can be comuted in time On) shift-left oeration, addition of constant and division by constant oerations, each of which has time comlexity logarithmic in N). Page of 10 M. Orlov, Y. Gleyzer
QUESTION 1.4 Bounds on ϕn) 1.4 Bounds on ϕn) Lemma 1.. N 4 N < ϕn) < N N. Proof. Lower bound is given by ϕn) = 1)q 1) = q q + 1 > N q > N N N by 1.1) = N 4 N Uer bound is derived in similar way: ϕn) = N q 1) < N 1 1 N N by 1.1) = N N 1.5 Finding d close to d From Sec. 1. and by Lemma 1., Eve can efficiently comute bounds on d, knowing only N: d l = N 4 N) + 1 d u = N N) + 1 d l < d < d u We note that d u d l = N and by efficiently comuting d = d l + d u Eve can assure that d d < N = N 5 N + 1 = N 8 N + 1 = N N + 1 Question We consider odd rimes and q, with = q + 1. M. Orlov, Y. Gleyzer Page of 10
.1 Primitive elements in Z QUESTION.1 Primitive elements in Z Lemma.1. Let a Z, and a ±1 mod ). Then, exactly one of {a, a mod )} is a rimitive element modulo, and the other is a quadratic residue modulo and not a rimitive element modulo ). Proof. Let a Z, and a ±1 mod ). We note that ) ) a a a 1 1 a) mod ) by Theorem 5.10, [1] 1) q a ) 1 mod ) a 1 ) mod ) q is odd 1 mod ) by Euler s Theorem Since a Z, it follows that a 0 mod ), and therefore ) ) a a, {1, 1} Consequently, ) a = 1 ) a = 1 or ) a = 1 ) a = 1 The rime divisors of 1 are and q. For x {a, a}, x 1 q = a 1 mod ) since roots of 1 modulo are ±1 mod ), and x ±1 mod ). Additionally, x 1 ) x mod ) which is not congruent to 1 mod ) for one of {a, a}, and is congruent to 1 mod ) for the other. Therefore, by Theorem 5.8, [1], exactly one of {a, a} is a rimitive element modulo, and the other is a quadratic residue modulo by Euler s Criterion.. Algorithm for finding a rimitive element A straightforward algorithm for finding a rimitive element modulo, based on Lemma.1, is shown in Alg. 1. Multilication of two numbers modulo n can be erformed in Olog n) time, and exonentiation in ower k modulo n can be done using Olog k) multilications. Thus, the time-comlexity of Alg. 1 is Olog ). 1 1 Tighter uer bounds can be achieved, for examle, by using FFTs or Karatsuba algorithm for multilication. Page 4 of 10 M. Orlov, Y. Gleyzer
QUESTION Algorithm 1 PRIMITIVE-ELEMENT) Require: and 1 are odd rimes Ensure: A rimitive element in Z is returned 1: if 1 1 mod ) then : return : else 4: return Question An ElGamal crytosystem is given by a rivate key, g, b and a ublic key, g, B, where is rime, g is a rimitive element modulo, b Z 1 and B g b mod ). Encrytion function for message M Z and random a Z 1 is given by em, a) = g a mod, B a M mod = A, C and decrytion is erformed using the tradoor b by d A, C ) = A b ) 1 C ) mod = M.1 Multilicativity of ElGamal Lemma.1. For messages M 1, M Z and a 1, a Z 1 for which the corresonding crytograms are it holds that em 1, a 1 ) = A 1, C 1 em, a ) = A, C e M 1 M mod, a 1 + a mod 1) ) = A 1 A mod, C 1 C mod Proof. The identity is easy to verify: e M 1 M mod, a 1 + a mod 1) ) = g a1+a mod 1) mod, B a1+a mod 1) M 1 M mod = g a1+a mod, B a1+a M 1 M mod by Euler s Theorem = g a1 g a mod, B a1 M 1 B a M mod = A 1 A mod, C 1 C mod. Chosen cihertext attack Lemma.1 can be used to mount a chosen cihertext attack against ElGamal crytosystem as follows. Suose Eve intercets a crytogram A, C, em, a) = A, C M. Orlov, Y. Gleyzer Page 5 of 10
4 QUESTION 4 for some message M Z and some a Z 1, and is allowed to ask for decrytion of any other crytogram. Noting that 1 Z, Z 1 for > and e1, 1) = g, B it is straightforward to aly Lemma.1 to see that e M, a + 1 mod 1) ) = ga mod, BC mod Moreover, since g is a rimitive element modulo, g 1 mod ), and therefore ga mod, BC mod A, C and Eve can ask for decrytion of this crytogram and recover the message: d ga mod, BC mod ) = M 4 Question 4 In this question we assume odd rime, with g Z which is a rimitive element modulo. 4.1 Criterion for quadratic residue Lemma 4.1. For a, b Z 1, K g ab mod ) is a quadratic residue modulo if and only if a is even or b is even. Proof. First, assume that a or b is even, then ab = i for some i N. Therefore, K g ab = g i = g i ) mod ) and K is a quadratic residue modulo with roots ±g i mod ). Conversely, assume that K is a quadratic residue modulo : y Z : y K g ab mod ) Since g is a rimitive element modulo, and thus! i Z 1 : y g i mod ) g i ) = g i g ab mod ) Again, since g is a rimitive element modulo, and by Euler s Theorem, i ab mod ϕ) = 1) which means that k Z : ab = k 1) + i Since is odd, 1 is even, as well as i, and therefore ab is even, from which it follows that one of {a, b} is even. Page 6 of 10 M. Orlov, Y. Gleyzer
4 QUESTION 4 4. Distribution of the key in Diffie-Hellman 4. Distribution of the key in Diffie-Hellman In Diffie-Hellman key exchange rotocol, a and b are chosen from Z 1 using uniform distribution, and we can comute the robability PQR K that the chosen key K = g ab mod is a quadratic residue using Lemma 4.1: ) 1 PQR K = 1 Pr[a is odd] Pr[b is odd] = 1 = 4 On the other hand, in uniform distribution on Z the robability P U QR that a chosen element in Z is a quadratic residue is given by P U QR = QRZ ) 1 If we consider a common case in Diffie-Hellman key exchange rotocol, where = q + 1 for odd rimes, q, by Lemma.1 there are quadratic residues modulo, which are not congruent to ±1 mod ). Alying Euler s Criterion to ±1 mod ) we see that 1 is not a quadratic residue modulo because q is odd). Thus, in this case, P U QR = + 1 1 = 1 4 = P QR K Therefore, in general, the key that is generated in Diffie-Hellman key exchange rotocol is not distributed uniformly over Z. 4. Determining whether K is a quadratic residue Lemma 4.. Consider a, b Z 1, and A g a mod ) B g b mod ) K g ab mod ) Then, K is a quadratic residue modulo if and only if one of {A, B} is a quadratic residue modulo. Proof. Assume that K is a quadratic residue modulo. By Lemma 4.1, a or b is even. Without loss of generality, assume that a is even, a = i, in which case A g a = g i = g i ) mod ) and A is a quadratic residue modulo with roots ±g i mod ). Conversely, assume without loss of generality that A is a quadratic residue modulo. By Euler s Criterion, 1 A 1 g a 1 mod ) Since g is a rimitive element modulo, it follows that 1) a 1 and therefore a N in other words, a is even. Thus, by Lemma 4.1, K is a quadratic residue modulo. M. Orlov, Y. Gleyzer Page 7 of 10
4.4 Semantic security of ElGamal 4 QUESTION 4 Thus Eve, who interceted A and B during Diffie-Hellman key exchange, can efficiently comute ) A = A 1 mod ) B = B 1 mod and infer that K is a quadratic residue modulo if and only if ) ) A B = 1 = 1 Note that K is either a quadratic residue, or quadratic non-residue, since K Z : ) K {1, 1} and thus K ) can be efficiently comuted. 4.4 Semantic security of ElGamal Consider an ElGamal crytosystem with the rivate key, g, b and the ublic key, g, B, where B g b mod ). Suose that Eve, who knows the ublic key, g, B, intercets a crytogram A, C = g a, B a M for some M Z and a Z 1. Note that using the rocess described in Sec. 4., Eve can efficiently comute B a ), and she can also efficiently comute C ) using Euler s Criterion. The following lemma shows that the value of the Legendre symbol is a multilicative roerty. Lemma 4.. For rime and A, B Z, ) ) ) A B AB mod = Proof. A ) ) B = A 1 1 B mod = AB) 1 mod ) AB mod = Therefore, ) ) M B a 1 ) C = = B a ) ) C Page 8 of 10 M. Orlov, Y. Gleyzer
5 QUESTION 5 and Eve can efficiently check whether the encryted message is a quadratic residue modulo. ElGamal crytosystem is thus not semantically secure when both quadratic residue and quadratic non-residue modulo messages are allowed. 5 Question 5 Denote τ = {0, 1}. In this question we show that for m τ 64 and K τ 64, DESm, K) = DESm, K) 5.1) which can be generalized for similar Feistel-tye cihers. First, let us define σ k,l as the set of all functions σ : τ k τ l which select l bits in some order from a k-bit string, ossibly with reetitions. We note that k, l N, σ σ k,l : x τ k : σx) = σx) 5.) We also define π k as the set of all k-bit ermutation functions. Since π k σ k,k, as a rivate case of 5.) we see that k N, π π k : x τ k : πx) = πx) 5.) Finally, we note two roerties of the exclusive-or oeration: k N, x, y τ k : x y = x y k N, x, y τ k : x y = x y 5.4a) 5.4b) One round of DES encrytion g : τ τ τ 48 τ τ is given by L i, R i = g L i 1, R i 1, K i ) = R i 1, L i 1 fr i 1, K i ) 5.5) for 1 i 16, where the round key K i is given by K i = σ i K) 5.6) where K is the encrytion key, and σ i σ 64,48. The function f : τ τ 48 τ is given by fr, K) = π P S 1,...,8 σe R) K )) 5.7) where σ E σ,48 is the bit exansion function, π P π is a bit ermutation, and S 1,...,8 : τ 48 τ is the non-linear comonent of the crytosystem the eight S-boxes). Finally, the encrytion function DES : τ 64 τ 64 τ 64 is given by DESm, K) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) 5.8) where π IP π 64 is the initial ermutation, and π swa π 64 is a ermutation that rotates the block by bits. 4 We have now established the notation to rove 5.1). We are not comletely loyal to the notations in [], in order to describe the encrytion rocess more clearly. We don t break round keys generation rocess into rimitive choice ermutations π PC-1 and π PC- and bit shift oerations, but each round key is clearly a choice ermutation of K. 4 We ignore trivial conversions between 64-bit block and two -bit blocks for clarity. M. Orlov, Y. Gleyzer Page 9 of 10
REFERENCES REFERENCES Lemma 5.1. For all m, K τ 64, DESm, K) = DESm, K) Proof. First, we show that the following holds for f: fr, K) = π P S 1,...,8 σe R) K )) by 5.7) = π P S 1,...,8 σe R) K )) by 5.) = π P S 1,...,8 σe R) K )) by 5.4a) 5.9) = fr, K) by 5.7) Consequently, in round 1 i 16, g L i 1, R i 1, K i ) = R i 1, L i 1 fr i 1, K i ) by 5.5) = R i 1, L i 1 fr i 1, K i ) by 5.9) = R i 1, L i 1 fr i 1, K i ) by 5.4b) 5.10) = g L i 1, R i 1, K i ) by 5.5) We also note that K) i = σ i K) by 5.6) = σ i K) by 5.) 5.11) = K i by 5.6) We can now finally see that DESm, K) = π 1 IP π swag gπ IP m), K) 1 )..., K) 16 ))) by 5.8) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.11) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.10). = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.10) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.) = DESm, K) by 5.8) References [1] Douglas R. Stinson. Crytograhy: Theory and Practice. Discrete Mathematics and its Alications. CRC Press, second edition, 00. [] Data Encrytion Standard DES). U.S. Deartment of Commerce / National Institute of Standards and Technology, October 1999. Page 10 of 10 M. Orlov, Y. Gleyzer