HOMEWORK 11 MATH 4753


Recall that $R = \mathbb{Z}[x]/(x^N - 1)$ where $N > 1$. For $p > 1$ any modulus (not necessarily prime), $R_p = (\mathbb{Z}/p\mathbb{Z})[x]/(x^N - 1)$. We do not assume $p, q$ are prime below unless otherwise stated.

Question 1. Let $q$ be prime. Prove that $f(1) \equiv 0 \pmod q$ if and only if $(x - 1) \mid f(x)$ in $(\mathbb{Z}/q\mathbb{Z})[x]$.

Proof. When $q$ is prime, $\mathbb{Z}/q\mathbb{Z}$ is a field, so by the division algorithm for polynomials, dividing $f(x)$ by $x - 1$, there exist $q(x), r(x) \in (\mathbb{Z}/q\mathbb{Z})[x]$ with $\deg r(x) < \deg(x - 1) = 1$ (so that $r(x) = r$ is a constant) such that
$$f(x) = q(x)(x - 1) + r.$$
Plugging in $x = 1$ gives $f(1) = r \equiv 0 \pmod q$, so in fact $f(x) = q(x)(x - 1)$ and $(x - 1) \mid f(x)$, as desired. Conversely, if $f(x) = (x - 1)g(x)$, then $f(1) = 0 \cdot g(1) = 0$ in $\mathbb{Z}/q\mathbb{Z}$.

Question 2. When we choose $f(x)$ in the NTRU cryptosystem, we decide to look for $f \in \mathcal{T}(d + 1, d)$ instead of $\mathcal{T}(d, d)$. There is a good reason for this. Show that for any prime $q$ and any polynomial $f \in \mathcal{T}(d, d)$ where $d \le N/2$, $f \notin R_q^{\times}$. Can you still prove the result if $q$ is not assumed to be prime?

Proof. Note that $f \in \mathcal{T}(d, d)$ implies that $f(1) = d - d = 0$, so $f(1) \equiv 0 \pmod q$; when $q$ is prime, this implies that $(x - 1) \mid f(x)$. But $(x - 1) \mid x^N - 1$ for any $N \in \mathbb{N}$, so $f(x)$ and $x^N - 1$ share a common factor and $f(x)$ cannot be invertible. The proof of the general case can be reduced to this by observing that if $p \mid q$ is any prime, then there is a natural homomorphism $R_q \to R_p$ that just reduces the mod $q$ coefficients to be modulo $p$, and that if $f(x)$ has an inverse in $R_q$, that is, if we have $f(x)k(x) = 1$ for some $k(x)$ in $R_q$, then this is still a factorization in $R_p$. But that is a contradiction: if $f(1) \equiv 0 \pmod q$, it is still $0 \bmod p$, and by the previous question, this means that $f(x)$ is not invertible mod $p$. (There are also more direct proofs that you can come up with that construct explicit factorizations of $f(x)$ and avoid reducing modulo a prime factor of $q$.)

Date: May 6, 2017.
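The ring arithmetic behind Questions 1, 2 and 17, and the decryption of Question 3 below, in an added Python example (not part of the homework): a polynomial inverse in $R_p$ via the extended Euclidean algorithm, which reports non-invertibility exactly when $\gcd(f, x^N - 1)$ has positive degree, followed by the two-step NTRU decryption with the standard order of operations (reduce in $R_q$, take the centered lift, then multiply by $F_p$ in $R_p$). The key and ciphertext are those of Question 3; every intermediate value is recomputed by the code, and the helper names (`trim`, `poly_divmod`, `ring_mul`, `center`, `inverse_mod_prime`, `ntru_decrypt`) are this example's own.

```python
# Polynomials are coefficient lists; index i holds the coefficient of x^i.

def trim(a):
    """Strip high zero coefficients in place; the zero polynomial becomes []."""
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, p):
    """Long division a = quot*b + rem in (Z/pZ)[x] for prime p and b != 0."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    quot, inv_lead = [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], -1, p)
    while len(a) >= len(b):
        shift, coef = len(a) - len(b), a[-1] * inv_lead % p
        quot[shift] = coef
        for i, bc in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bc) % p
        trim(a)
    return quot, a

def ring_mul(a, b, N, q):
    """Product in R_q = (Z/qZ)[x]/(x^N - 1): fold x^k onto x^(k mod N)."""
    out = [0] * N
    for i, ac in enumerate(a):
        for j, bc in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ac * bc) % q
    return out

def center(a, q):
    """Centered lift: representatives in (-q/2, q/2]."""
    return [c % q - q if c % q > q // 2 else c % q for c in a]

def inverse_mod_prime(f, p, N):
    """f^-1 in R_p (p prime) by the extended Euclidean algorithm on (x^N - 1, f), as in
    Question 3; returns None when gcd(f, x^N - 1) is not a unit (Questions 2 and 17)."""
    r0, r1 = [-1 % p] + [0] * (N - 1) + [1], [c % p for c in f]
    s0, s1 = [0] * N, [1] + [0] * (N - 1)   # invariant: r_i = s_i * f in R_p
    while trim(r1) and len(r1) > 1:         # stop at a zero or a constant remainder
        quot, rem = poly_divmod(r0, r1, p)
        r0, r1 = r1, rem
        s0, s1 = s1, [(x - y) % p for x, y in zip(s0, ring_mul(quot, s1, N, p))]
    if not r1:                              # gcd has positive degree: not invertible
        return None
    return ring_mul(s1, [pow(r1[0], -1, p)], N, p)

def ntru_decrypt(f, e, N, p, q):
    """a = center(f*e in R_q), then m = center(F_p*a in R_p)."""
    a = center(ring_mul(f, e, N, q), q)
    return center(ring_mul(inverse_mod_prime(f, p, N), a, N, p), p)

# Question 3 data: f = -1 + x - x^3 + x^4 + x^6 and Bob's e(x), low degree first.
F_KEY = [-1, 1, 0, -1, 1, 0, 1]
E_MSG = [2, 0, 8, -16, -9, -18, -3]
```

Passing the $\mathcal{T}(d, d)$-style polynomial $1 + x - x^3 + x^4 + x^6$, whose value at 1 is $3 \equiv 0 \pmod 3$, to `inverse_mod_prime` returns `None`, which is exactly the failure Question 2 predicts.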

Question 3 (Variant of HPS 7.29). Alice and Bob use the NTRU cryptosystem with $(N, p, q) = (7, 3, 37)$. Alice's private key is
$$f(x) = -1 + x - x^3 + x^4 + x^6.$$
Compute $F_3(x) = f(x)^{-1}$ in $R_p$, and use this to decrypt the message
$$e(x) = 2 + 8x^2 - 16x^3 - 9x^4 - 18x^5 - 3x^6$$
received from Bob into an encoded message $m(x) \in R_p$.

Solution. Performing the Euclidean algorithm with coefficients mod 3 for $\gcd(f(x), x^7 - 1)$ results in
$$(2x^6 + 2x^4 + 2x^2 + x)\, f(x) + (x^5 + 2x^3 + 2x^2 + 2x + 2)(x^7 - 1) = 1,$$
so $f(x)^{-1} = 2x^6 + 2x^4 + 2x^2 + x \in R_3$. We now compute $a(x) = f(x)e(x)$ in $R_q = R_{37}$ to get
$$a(x) = -3x^{12} - 18x^{11} - 12x^{10} + 6x^9 + 17x^8 - 10x^7 + 11x^6 + x^5 - 5x^4 - 15x^3 - 8x^2 + 2x - 2.$$
(Notice that we took the centered lift here, so coefficients are in $(-q/2, q/2]$.) Then we compute $m(x) = F_3(x)a(x)$ in $R_p = R_3$ to get
$$m(x) = x^6 + x^5 + x^4 + x$$
(again in centered lift form).

Review for the Final Exam

Write up solutions for 2 of the following questions. You are strongly encouraged to study the remainder for the exam. For the purposes of a review, consider Question 3 above as a possible exam question as well.

Question 4. Consider the elliptic curve given by $E : y^2 = x^3 - x + 1$ over $\mathbb{Q}$. Compute the discriminant of the curve. Compute by hand the points $2P$ and $3P$, where $P = (1, 1) \in E(\mathbb{Q})$.

Solution. The discriminant is $D = -16(4a^3 + 27b^2) = -16(4(-1)^3 + 27(1)^2) = -368 \neq 0$. To compute $2P$, we use the doubling formula:
$$\lambda = \frac{3x_1^2 + a}{2y_1} = \frac{3(1)^2 - 1}{2(1)} = 1.$$
Then $x_3 = \lambda^2 - x_1 - x_2 = 1^2 - 1 - 1 = -1$, and thus $y_3 = -y_1 - \lambda(x_3 - x_1) = -1 - 1(-1 - 1) = 1$, so $2P = (x_3, y_3) = (-1, 1)$.

Now, let's compute $3P = 2P + P$. This time
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{1 - 1}{-1 - 1} = 0.$$
Thus $x_3 = \lambda^2 - x_1 - x_2 = 0 - 1 - (-1) = 0$. Therefore $y_3 = -y_1 - \lambda(x_3 - x_1) = -1$. Therefore $3P = (x_3, y_3) = (0, -1)$.

Question 5. Define a primitive root modulo $n$. (Do this in general, not just for a prime, though for some $n$ primitive roots may not exist.) Find a primitive root modulo 13 by hand.

Proof. A primitive root modulo $n$ is an element of $(\mathbb{Z}/n\mathbb{Z})^{\times}$ of order $\phi(n)$. Equivalently, $g$ is a primitive root if and only if every unit modulo $n$ is a power of $g$:
$$\{g^1, g^2, \ldots, g^{\phi(n)}\} = (\mathbb{Z}/n\mathbb{Z})^{\times}.$$
Since $\phi(13) = 13 - 1 = 12$, the maximal proper divisors of 12 are 4 and 6, so it suffices to show that $g^4 \not\equiv 1 \pmod{13}$ and $g^6 \not\equiv 1 \pmod{13}$ to show that $g$ is a primitive root. You can check that $g = 2$ works.

Question 6. Compute $\gcd(12354, 546)$ by hand using the Euclidean algorithm.

Solution.
$$\begin{aligned}
12354 &= 22 \cdot 546 + 342 & &\Rightarrow \gcd(12354, 546) = \gcd(546, 342) \\
546 &= 1 \cdot 342 + 204 & &\Rightarrow \gcd(546, 342) = \gcd(342, 204) \\
342 &= 1 \cdot 204 + 138 & &\Rightarrow \gcd(342, 204) = \gcd(204, 138) \\
204 &= 1 \cdot 138 + 66 & &\Rightarrow \gcd(204, 138) = \gcd(138, 66) \\
138 &= 2 \cdot 66 + 6 & &\Rightarrow \gcd(138, 66) = \gcd(66, 6) \\
66 &= 11 \cdot 6 + 0 & &\Rightarrow \gcd(66, 6) = 6.
\end{aligned}$$
So the GCD is 6.

Question 7. Find all $x \in \mathbb{Z}$ satisfying
$$x \equiv 1 \pmod 6, \qquad x \equiv 2 \pmod 3.$$
Prove your answer.

Proof. We reduce $x \equiv 1 \pmod 6$ to the two prime factors of 6 to get
$$x \equiv 1 \pmod 6 \implies \begin{cases} x \equiv 1 \pmod 2 \\ x \equiv 1 \pmod 3. \end{cases}$$
The latter congruence contradicts $x \equiv 2 \pmod 3$, so there are no solutions.

Question 8. Define a primitive root modulo $n$. (Do this in general, not just for a prime, though for some $n$ primitive roots may not exist.) Find a primitive root modulo 11 by hand.

Solution. This is accidentally a repeat of Question 5 above.

Question 9. Define what an elliptic curve $E$ over a field $F$ is. (Be sure to remember all conditions an elliptic curve must meet.) Explain how Bob sends messages to Alice using the elliptic curve El Gamal cryptosystem. (In particular, describe all information which is exchanged between Alice and Bob and how it is computed.)

Solution. An elliptic curve $E$ over a field $F$ is the set of solutions $(x, y)$ to the equation
$$y^2 = x^3 + ax + b, \qquad a, b \in F,$$
together with a point $\mathcal{O}$ at infinity, given by $[0 : 1 : 0]$ in projective coordinates, such that the discriminant is nonzero: $D = -16(4a^3 + 27b^2) \neq 0$. It has a geometrically defined group law, which we denote $+$, between points, for which $\mathcal{O}$ is the identity.

In EC El Gamal, Alice's public key is a curve $E$ over the field $\mathbb{F}_p$ for a prime $p$, a point $P \in E(\mathbb{F}_p)$ of high order, and a second point $Q = kP$, where the choice of $k \in \mathbb{N}$ is Alice's private key. To send Alice a message, Bob:
(1) Encodes the message as a point $P_m \in E(\mathbb{F}_p)$.
(2) Chooses an ephemeral random key $t \in \mathbb{N}$.
(3) Sends to Alice:
$$\begin{cases} C_1 = tP \\ C_2 = tQ + P_m. \end{cases}$$
Alice decrypts this by computing $P_m = C_2 - kC_1$ and decoding $P_m$.

Question 10. Define what it means for $L \subseteq \mathbb{R}^n$ to be a lattice. Given a basis $(v_1, \ldots, v_n)$ for a lattice $L$, define the Hadamard constant $H(v_1, \ldots, v_n)$, and explain what the difference between a good basis and a bad basis is in terms of the Hadamard constant.

Proof.
$$H(v_1, \ldots, v_n) = \left( \frac{\det L}{\|v_1\| \cdots \|v_n\|} \right)^{1/n},$$
where $\det L = |\det(v_1 \; v_2 \; \cdots \; v_n)|$. The Hadamard constant satisfies $0 < H(v_1, \ldots, v_n) \le 1$. A good basis has constant near 1, which indicates near-orthogonality, while a bad basis has constant near 0.
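The Hadamard constant of Question 10 and the GGH exchange of Question 11 below, in an added Python example (not part of the homework): exact `Fraction` arithmetic, Babai rounding in the private basis $V$ versus the public basis $W$, on a constructed 2-dimensional instance. The basis $V$, the unimodular $U$, the message $m$ and the error $r$ are made-up values, and `det`, `inverse`, `matvec`, `hadamard_ratio`, `babai` and `ggh_decrypt` are this example's own names.

```python
from fractions import Fraction
from math import prod, sqrt

def det(M):
    """Determinant by Laplace expansion (fine for the small dimensions used here)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def inverse(M):
    """Exact inverse of a square matrix (list of rows) by Gauss-Jordan over Fraction."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def matvec(M, v):
    return [sum(x * y for x, y in zip(row, v)) for row in M]

def hadamard_ratio(M):
    """Question 10: H = (|det L| / (||v_1|| ... ||v_n||))^(1/n), basis vectors = columns of M."""
    norms = prod(sqrt(sum(x * x for x in col)) for col in zip(*M))
    return (abs(det(M)) / norms) ** (1 / len(M))

def babai(M, e):
    """Babai rounding: write e in the basis M, round each coefficient, return the lattice point."""
    coeffs = [round(c) for c in matvec(inverse(M), e)]
    return matvec(M, coeffs)

def ggh_decrypt(V, W, e):
    """Question 11: round e in the good basis V, then m = W^-1 (V a)."""
    return [int(c) for c in matvec(inverse(W), babai(V, e))]

# Constructed toy instance (not from the homework): V is a nearly orthogonal private basis
# (columns), W = V*U for the unimodular U = [[2, 5], [3, 8]]; Bob sends e = W*m + r.
V = [[7, -2], [1, 8]]
W = [[8, 19], [26, 69]]
M_MSG, R_ERR = [3, -2], [1, -1]
E_CT = [c + r for c, r in zip(matvec(W, M_MSG), R_ERR)]   # = [-13, -61]
```

Rounding the same ciphertext in the public basis `W` lands on a different lattice point, which is the Babai failure the Question 11 answer describes.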

Question 11. Explain how Alice and Bob communicate in the GGH cryptosystem. (In particular, describe all information which is exchanged between Alice and Bob and how it is computed.)

Proof. Alice chooses as her private key a matrix $V = (v_1 \; v_2 \; \cdots \; v_n)$ of vectors with integer coordinates forming a good basis for a lattice, and as her public key $W = VE$, which is $V$ changed by some random elementary column operations $E$ in order to produce a new basis $W$ with a very bad Hadamard constant. She publishes $W$ and a parameter $\delta$ which is chosen to be small relative to the lengths of the vectors in $V$. Bob then encodes a message as a vector $m \in \mathbb{Z}^n$, and encrypts it by sending
$$e = Wm + r,$$
where $r \in \mathbb{R}^n$ is a random vector with length $\|r\| < \delta$. Alice decodes this by writing $e$ in the $V$ basis by computing $V^{-1}e$, rounding the coefficients to the nearest integers to produce a vector $a$ (Babai's algorithm), and then computing $Va = Wm$, so that $m = W^{-1}Va$. Since $V$ is a good basis, the small random vector $r$ is correctly rounded out, but in a bad basis (like $W$), Babai's algorithm fails and introduces (large) errors.

Question 12. Suppose that $E$ is an elliptic curve defined over the field $\mathbb{F}_7$ that happens to have $\#E(\mathbb{F}_7) = 8$. Determine how many points $E$ has over the fields $\mathbb{F}_{7^2}$ and $\mathbb{F}_{7^3}$.

Solution. As usual, set $t = p + 1 - \#E(\mathbb{F}_p) = 7 + 1 - 8 = 0$, and then we solve for $z$ in the characteristic equation of Frobenius:
$$z^2 - tz + p = 0 \implies z = \pm\sqrt{-7}.$$
Call these roots $\alpha, \beta$. Then our formula is that
$$\#E(\mathbb{F}_{p^k}) = p^k + 1 - \alpha^k - \beta^k.$$
This yields
$$\#E(\mathbb{F}_{7^2}) = 49 + 1 - (-7) - (-7) = 64 \qquad \text{and} \qquad \#E(\mathbb{F}_{7^3}) = 7^3 + 1,$$
as the signs cancel.

Question 13. Let $N = pq$ and suppose we want to factor $N$ to recover $p, q$, where $p, q$ are large distinct primes. Define what it means for a natural number to be $B$-power smooth. Suppose that $E : y^2 = x^3 + ax + 1$ is an elliptic curve defined over $\mathbb{F}_p$ and $\mathbb{F}_q$ for some $a \in \mathbb{Z}$, and that $\#E(\mathbb{F}_p)$ is $B$-power smooth and $\#E(\mathbb{F}_q)$ is not. Explain how one would factor $N$ using Lenstra's method, and why the prime $p$ would likely be recovered first.

Solution. A natural number $n$ is $B$-power smooth if the prime power factorization $n = p_1^{k_1} \cdots p_t^{k_t}$ satisfies $p_i^{k_i} \le B$ for $1 \le i \le t$. In Lenstra's method, one chooses a point $P = (0, 1)$ on the given family of curves (here $E : y^2 = x^3 + ax + 1$) and proceeds to compute $mP$ where $m = \operatorname{lcm}\{1, 2, \ldots, B\}$ with mod $N$ arithmetic (although elliptic curves are properly only defined over fields!). If $\#E(\mathbb{F}_p)$ is $B$-power smooth then $\#E(\mathbb{F}_p) \mid m$ and so $mP = \mathcal{O}$ in $E(\mathbb{F}_p)$. This means that as we try to compute $mP$, one of the slopes $\lambda$ that we compute should have a denominator which is $0 \bmod p$. There is a good chance that if $\#E(\mathbb{F}_q)$ is not $B$-power smooth then $mP \neq \mathcal{O}$ in $E(\mathbb{F}_q)$, and so when the denominator vanishes mod $p$, it does not vanish mod $q$; so when attempting to compute its inverse mod $N$ by using the Euclidean algorithm, we compute $\gcd(N, \text{denom.}) = p$, and we have factored $N$.

Proof-based Review Questions

Write out a solution for one of these questions to turn in with this assignment.

Question 14. Let $p$ be an odd prime and $g$ a primitive root modulo $p$. Prove that $x \in \mathbb{F}_p^{\times}$ is a square (also known as a quadratic residue) if and only if $\log_g(x)$ is even. Conclude that exactly half of the values of $\mathbb{F}_p^{\times}$ have square roots, and the other half do not.

Proof. Let $k = \log_g(x) \bmod (p - 1)$, so that $x \equiv g^k \pmod p$. Since $p - 1$ is even, the reduction modulo 2 is well-defined, so the notion of even and odd is preserved mod $p - 1$. Now, if $x$ has a square root, call it $y$, then $y \equiv g^l \pmod p$ for some $l \in \mathbb{Z}/(p - 1)\mathbb{Z}$ (since $y$ must be nonzero as well), and then $x \equiv y^2 \equiv g^{2l} \pmod p$, so $k \equiv 2l \pmod{p - 1}$, so $k$ is even. Further, there are $(p - 1)/2$ even numbers modulo $p - 1$, and each of them is a square (cut the exponent in half to get its square root), and also a root of the polynomial
$$z^{(p-1)/2} - 1 \equiv 0 \pmod p$$
by the Euler criterion. Therefore, by the Lagrange theorem for fields, the polynomial above in $z$ can have at most $(p - 1)/2$ roots, so any number $x$ which is an odd power of $g$ cannot be one of its roots, and hence it must satisfy $x^{(p-1)/2} \equiv -1 \pmod p$, since
$$\left( z^{(p-1)/2} \right)^2 = z^{p-1} \equiv 1 \pmod p,$$
so the value of $z^{(p-1)/2} \bmod p$ must square to 1, and hence must be $\pm 1 \bmod p$; and as all the even powers of $g$ cover the $+1$ roots, all the odd powers of $g$ must be the $-1$ roots. But then the odd powers of $g$ are not squares, since any square $x \equiv y^2 \pmod p$ will result in a value of $x^{(p-1)/2} \equiv y^{p-1} \equiv +1 \pmod p$ by Euler.
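The point-addition formulas of Question 4 and Lenstra's method of Question 13 above, in an added Python example (not part of the homework): curve arithmetic done mod $N$ in which a slope denominator that is not a unit raises `FactorFound` carrying $\gcd(\text{denominator}, N)$, and a `lenstra` routine that walks the curves $y^2 = x^3 + ax + 1$ through $P = (0, 1)$ with $m = \operatorname{lcm}(1, \ldots, B)$. `FactorFound`, `inverse_or_factor`, `ec_add`, `ec_mul` and `lenstra` are this example's own names; the moduli 77 and 101 used to exercise it are constructed test values.

```python
from functools import reduce
from math import gcd, lcm

class FactorFound(Exception):
    """A slope denominator shares a nontrivial factor with N; args[0] holds that gcd."""

def inverse_or_factor(x, N):
    d = gcd(x % N, N)
    if d != 1:                              # x is not a unit mod N: gcd(x, N) splits N
        raise FactorFound(d)
    return pow(x, -1, N)

def ec_add(P, Q, a, N):
    """P + Q on y^2 = x^3 + a x + b via the Question 4 formulas, done mod N.
    The point at infinity O is None; b does not enter the formulas."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % N == 0:
        den = y1 + y2                       # doubling: 2*y1; Q = -P when this is 0 mod N
        if den % N == 0:
            return None
        lam = (3 * x1 * x1 + a) * inverse_or_factor(den, N) % N
    else:
        lam = (y2 - y1) * inverse_or_factor(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    y3 = (-y1 - lam * (x3 - x1)) % N
    return (x3, y3)

def ec_mul(m, P, a, N):
    """mP by double-and-add; FactorFound propagates from any bad denominator."""
    R = None
    while m:
        if m & 1:
            R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        m >>= 1
    return R

def lenstra(N, B):
    """Question 13: on E_a: y^2 = x^3 + a x + 1 through P = (0, 1), compute mP with
    m = lcm(1, ..., B); a denominator vanishing mod p but not mod q exposes p."""
    m = reduce(lcm, range(1, B + 1))
    for a in range(1, N):
        d = gcd(4 * a ** 3 + 27, N)         # singular mod one prime: the discriminant splits N
        if 1 < d < N:
            return d
        try:
            ec_mul(m, (0, 1), a, N)
        except FactorFound as found:
            if found.args[0] != N:          # gcd == N: mP = O mod both primes, try the next curve
                return found.args[0]
    return None
```

Over the prime modulus 101 the same `ec_mul` reproduces the Question 4 values $2P = (-1, 1)$ and $3P = (0, -1)$ for $y^2 = x^3 - x + 1$, $P = (1, 1)$, since that hand computation only ever inverts $2$ and $-2$.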

Question 15. Let $p$ be a prime. Explain how one constructs the field $\mathbb{F}_{p^2}$. Explain why, if $a \in \mathbb{F}_p$, the equation $x^2 = a$ always has a root in $\mathbb{F}_{p^2}$.

Proof. Fix a number $c \in \mathbb{F}_p^{\times}$ which is not a square. Then we construct
$$\mathbb{F}_{p^2} = \mathbb{F}_p[\sqrt{c}] = \{x + y\sqrt{c} : x, y \in \mathbb{F}_p\}.$$
(If $a = 0$ or $a$ is already a square in $\mathbb{F}_p$, there is nothing to show.) If $a \in \mathbb{F}_p^{\times}$ is another number which is not a square, then we claim that
$$\sqrt{a} = b\sqrt{c} = 0 + b\sqrt{c} \in \mathbb{F}_p[\sqrt{c}]$$
for some $b \in \mathbb{F}_p$, and thus $\sqrt{a} \in \mathbb{F}_{p^2}$. To see this, square both sides of the equation to obtain an equation in $\mathbb{F}_p$: $a \equiv b^2 c \pmod p$. Now, in terms of a primitive root $g$, $a, c$ are both odd powers. Call them $a \equiv g^{2k+1} \pmod p$ and $c \equiv g^{2l+1} \pmod p$. It follows that $b^2 \equiv g^{2(k - l)} \pmod p$, and in particular the right hand side is a square, so a solution for $b$ exists.

Question 16. Let $N = pq$ be a product of distinct odd primes and $g = \gcd(p - 1, q - 1)$. Prove that for all $x \in (\mathbb{Z}/N\mathbb{Z})^{\times}$, $x^{\phi(N)/g} \equiv 1 \pmod N$.

Proof. We use the Chinese Remainder Theorem:
$$x^{\phi(N)/g} \equiv 1 \pmod N \iff \begin{cases} x^{\phi(N)/g} \equiv 1 \pmod p \\ x^{\phi(N)/g} \equiv 1 \pmod q. \end{cases}$$
Since $\phi(N)/g = (p - 1) \cdot \frac{q - 1}{g}$ and $\frac{q - 1}{g} \in \mathbb{Z}$, we get that
$$x^{\phi(N)/g} \equiv \left( x^{p-1} \right)^{(q-1)/g} \equiv 1^{(q-1)/g} \equiv 1 \pmod p$$
by Euler's lemma, and likewise we get that it is $1 \bmod q$, proving the result.

Question 17. Let $N, q > 1$ and let $R_q = (\mathbb{Z}/q\mathbb{Z})[x]/(x^N - 1)$. Prove that
$$f(x) \in R_q^{\times} \iff \gcd(x^N - 1, f(x)) \in (\mathbb{Z}/q\mathbb{Z})^{\times}.$$

Proof. (Note that we could have said $\gcd(f(x), x^N - 1) = 1$, as there is no harm dividing by units, and we usually make this normalization.) There are two directions we must prove. First, assume $f(x) \in R_q^{\times}$; we will show that $\gcd(x^N - 1, f(x)) \in (\mathbb{Z}/q\mathbb{Z})^{\times}$. Let $k(x)$ denote $f(x)^{-1}$, so that $f(x)k(x) \equiv 1 \pmod{x^N - 1}$. This means that there exists $l(x) \in (\mathbb{Z}/q\mathbb{Z})[x]$ such that
$$f(x)k(x) = 1 + l(x)(x^N - 1) \iff f(x)k(x) - l(x)(x^N - 1) = 1.$$
Now, any common divisor $d(x)$ of $f(x)$ and $x^N - 1$ divides the entire left hand side of that equality, so it divides 1, that is, $d(x) \mid 1$, but then $d(x) = c \in R_q^{\times}$ is a constant unit.

Now, assume $\gcd(x^N - 1, f(x)) \in (\mathbb{Z}/q\mathbb{Z})^{\times}$. By Bézout's theorem this means there exist $c \in (\mathbb{Z}/q\mathbb{Z})^{\times}$ and $k(x), l(x) \in (\mathbb{Z}/q\mathbb{Z})[x]$ such that
$$k(x)f(x) + l(x)(x^N - 1) = c.$$
But then reducing modulo $x^N - 1$ gives $k(x)f(x) = c$ in $R_q$, and thus $c^{-1}k(x) = f(x)^{-1}$ in $R_q$, so $f(x)$ is invertible.

Oklahoma State University, Spring 2017
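Questions 5, 14 and 16 above, checked in an added Python example (not part of the homework): the primitive-root test through the maximal proper divisors of $p - 1$, the discrete-log-parity criterion for squares together with the Euler criterion used in the Question 14 proof, and the exponent $\phi(N)/g$ for $N = pq$. All function names are this example's own, and the moduli passed in are small test values.

```python
from math import gcd

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the small moduli here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + ([n] if n > 1 else [])

def is_primitive_root(g, p):
    """Question 5 test for prime p: g has order p-1 iff g^((p-1)/r) != 1 for every prime
    r | p-1, i.e. iff g^k != 1 for every maximal proper divisor k of p-1 (4 and 6 for p = 13)."""
    return g % p != 0 and all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def find_primitive_root(p):
    """Smallest primitive root modulo the prime p."""
    return next(g for g in range(2, p) if is_primitive_root(g, p))

def discrete_log_table(g, p):
    """log_g(x) for every x in F_p^*, by walking the powers of the primitive root g."""
    table, x = {}, 1
    for k in range(p - 1):
        table[x] = k
        x = x * g % p
    return table

def squares(p):
    """The quadratic residues in F_p^*."""
    return {y * y % p for y in range(1, p)}

def square_iff_even_log(p):
    """Question 14: x is a square iff log_g(x) is even, and exactly (p-1)/2 residues exist."""
    logs, sq = discrete_log_table(find_primitive_root(p), p), squares(p)
    parity_ok = all((logs[x] % 2 == 0) == (x in sq) for x in range(1, p))
    return parity_ok and len(sq) == (p - 1) // 2

def euler_criterion_holds(p):
    """x^((p-1)/2) is +1 on squares and -1 on non-squares, as used in the Question 14 proof."""
    sq = squares(p)
    return all(pow(x, (p - 1) // 2, p) == (1 if x in sq else p - 1) for x in range(1, p))

def unit_exponent_check(p, q):
    """Question 16: with N = pq and g = gcd(p-1, q-1), x^(phi(N)/g) = 1 for every unit x
    mod N. Returns (all_units_pass, phi(N)/g)."""
    N, g = p * q, gcd(p - 1, q - 1)
    k = (p - 1) * (q - 1) // g
    return all(pow(x, k, N) == 1 for x in range(1, N) if gcd(x, N) == 1), k
```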