ITN581 - Cryptographic
Fundamentals and Applications
Semester
1 2002 - Assignment 2 (85 marks)
Gavin Longmuir
(answers in red)
1. (10 marks)
Use the Lehmann-Peralta test to
examine whether each of the following numbers are prime. In these tests use the
five random numbers 7, 32, 101, 150, 360 for each test. Show all work.
k = 5, a {7, 32, 101, 150, 360}
calculate ai(p-1)/2
(mod p)
(i)
69301373
734650686 บ 1 mod 69301373
3234650686 บ -1 mod 69301373
10134650686 บ 1 mod 69301373
15034650686 บ 1 mod 69301373
36034650686 บ 1 mod 69301373
ai(p-1)/2 (mod p) บ 1 or บ -1 for ai and at
least one ai บ -1 then p is prime
69301373 is prime with probability of 1-(.5)5
= 0.96875
(ii)
497025
7248512 บ 163096 mod 497025
32248512 บ 376726 mod 497025
101248512 บ 286126 mod 497025
150248512 บ 48600 mod 497025
360248512 บ 486900 mod 497025
ai(p-1)/2 (mod p) is not บ 1 or บ -1 for ai for at
least one value then p is composite
497025 is not prime
(iii)
3872150317295
71936075158647 บ 432665620428 mod 3872150317295
321936075158647 บ 1579613429288 mod 3872150317295
1011936075158647 บ 3743021638776 mod 3872150317295
1501936075158647 บ 1164820752890 mod 3872150317295
3601936075158647 บ 3105733254965 mod 3872150317295
ai(p-1)/2 (mod p) is not บ 1 or บ -1 for ai for at
least one value then p is composite
3872150317295 is not prime
(iv)
51921038173
725960519086 บ 1 mod 51921038173
3225960519086 บ -1 mod 51921038173
10125960519086 บ -1 mod 51921038173
15025960519086 บ -1 mod 51921038173
36025960519086 บ 1 mod 51921038173
ai(p-1)/2 (mod p) บ 1 or บ -1 for ai and at
least one ai บ -1 then p is prime
51921038173 is prime with probability of 1-(.5)5
= 0.96875
(v)
7613991836111
725960519086 บ 1 mod 7613991836111
3225960519086 บ 1 mod 7613991836111
10125960519086 บ -1 mod 7613991836111
15025960519086 บ 1 mod 7613991836111
36025960519086 บ 1 mod 7613991836111
ai(p-1)/2 (mod p) บ 1 or บ -1 for ai and at
least one ai บ -1 then p is prime
7613991836111 is prime with
probability of 1-(.5)5 = 0.96875
2. (2 marks)
For the numbers examined in
Question 1 which have been shown to be prime what is the probability that the
number is prime using the Lehmann-Peralta test.
See workings including in answer to question 1 (i), (iv), and
(v)
3. (2 marks)
Pepin's Theorem says that a
necessary and sufficient condition for a Fermat number Fn = 2r
+ 1 is prime (where r = 2n) is that
3k
บ-1 (mod Fn)
where k =2j-1 and j = 2n.
Use Pepin's Theorem to show that
F5 is not prime.
n = 5, r = j = 25 = 32
F5 = 2r
+ 1 = 232 + 1 = 4294967297
k = 232-1
3.k บ 2147483647 (mod 4294967297)
which is not บ -1 (mod 4294967297)
hence
F5 is not prime
4. (4 marks)
Use the Sieve of Eratoshenes to
find a complete factorization of
(i)
389459 and
Members of φ(100) are:
2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,79,89,97
2,3,5,7,11 product ่ 1122660
13,17,19,23,29 product ่ 2800733
31,37,41,43,47 product ่ 95041567
53,59,61,67 product ่ 12780049
71,73,79,89,97 product ่ 3534842281
gcd(1122660,389459) = 7
gcd(2800733,389459) = 23
gcd(95041567,389459) = 41
gcd(12780049,389459) = 59
gcd(3534842281,389459) = 1
factors are: 7,23,41,59
(ii) 2826195
gcd(1122660,2826195) = 15 = 3.5
gcd(2800733,2826195) = 29
gcd(95041567,2826195) = 1
gcd(12780049,2826195) = 1
gcd(3534842281,2826195) = 6497 = 73.89
factors are: 3,5,29,73,89
given that all prime factors are
less than 100.
Hint: List all the prime numbers less than 100: 2,3,5,7,.... Then divide the primes into groups of size 5
(say). Calculate the product of each
group. Then find the gcd (using the
software package) of the number to be factored (n) and the product of the first
group. If the answer is one, then this
means that none of the factors in that group is a factor of n. If the answer is not one, then this means
that one or more of the factors in that group is a factor of n, and can be
divided out of n before continuing on to the next group.
5(a) (2 marks)
Factor each of the following
numbers using Fermat Factorization.
Show all work.
(i)
17653
n = 17653, √17653 = approx 132.9, let t = 133
let z = t2 n
t = 133, z = 1332 17653 = 36, which is a perfect square
√36 = 6, let s = z, n = t2 s2 = (t + s)(t
s)
thus 17653 = 1332 62 = (133 + 6)(133 6) =
(139)(127)
factors are 139 and 127
(ii)
5392629
n = 5392629, √5392629 = approx 2322.2, let t = 2323
let z = t2 n
t = 2323, z = 23232 5392629 = 3700, not perfect
t = 2324, z = 23242 5392629 = 8347, not perfect
t = 2325, z = 23252 5392629 = 12996, perfect
√12996 = 114, let s = z, n = t2 s2 = (t +
s)(t s)
thus 5392629 = 23252 1142
= (2325 + 114)(2325 114) = (2439)(2211)
factors are 2439 and 2211
5(b) (2 marks)
Show why the 35-bit integer
23364327887 is a particularly bad choice for n = pq (because the two prime
factors are too close to one another); that is, show that n can easily be
factored by Fermat factorization.
n = 23364327887, √23364327887 = approx
152853.9
let t = 152854, let z = t2 n
t = 152854, z = 1528542 23364327887
= 17429, not perfect
t = 152855, z = 1528552 23364327887
= 323138, not perfect
t = 152856, z = 1528562 23364327887
= 628849, perfect
√628849 = 793, let s = z, n = t2 s2 = (t +
s)(t s)
thus 23364327887 = 1528562 7932
= (152856 + 793)(152856 793)
= (153649)(152063)
factors are 153649 and 152063
6. (4 marks)
Factor each of the following
numbers using Pollard's Rho method using f(x) = x2 + 1 with initial
seed x0 = 3.
x0 = 3, f(x) = x2 + 1
xi+1 บ f(xi) mod n
xi+2 บ f(xi+1) mod n
gcd(xi+2 x(i+2)/2, n) = d
(i)
1271143
x1 บ f(x0) mod 1271143 บ 10 mod 1271143
x2 บ f(x1) mod 1271143 บ 101 mod 1271143
gcd(x2 x1, 1271143) = gcd(101
10, 1271143) = 1
x3 บ f(x2) mod 1271143 บ 10202 mod 1271143
x4 บ f(x3) mod 1271143 บ 1118222 mod 1271143
gcd(x4 x2, 1271143) = gcd(1118222 101, 1271143) = 1
x5 บ f(x4) mod 1271143 บ 885614 mod 1271143
x6 บ f(x5) mod 1271143 บ 401138 mod 1271143
gcd(x6 x3, 1271143) = gcd(401138 10202, 1271143) = 1
x7 บ f(x6) mod 1271143 บ 244961 mod 1271143
x8 บ f(x7) mod 1271143 บ 315064 mod 1271143
gcd(x8 x4, 1271143) = gcd(315064 1118222, 1271143) =
1
x9 บ f(x8) mod 1271143 บ 496084 mod 1271143
x10 บ f(x9) mod 1271143 บ 965685 mod 1271143
gcd(x10 x5, 1271143) = gcd(965685 885614, 1271143) =
1
x11 บ f(x10) mod 1271143 บ 151279 mod 1271143
x12 บ f(x11) mod 1271143 บ 948413 mod 1271143
gcd(x12 x6, 1271143) = gcd(948413 401138, 1271143) =
1
x13 บ f(x12) mod 1271143 บ 1008910 mod 1271143
x14 บ f(x13) mod 1271143 บ 1123419 mod 1271143
gcd(x14 x7, 1271143) = gcd(1123419 244961, 1271143) =
1
x15 บ f(x14) mod 1271143 บ 668296 mod 1271143
x16 บ f(x15) mod 1271143 บ 908281 mod 1271143
gcd(x16 x8, 1271143) = gcd(908281 315064, 1271143) =
127
thus 1271143 = 127 . b ่ b = 1271143 / 127 = 10009
่ factors are 127 and 10009
(ii)
1134407
x1 บ f(x0) mod 1134407 บ 10 mod 1134407
x2 บ f(x1) mod 1134407 บ 101 mod 1134407
gcd(x2 x1, 1134407) = gcd(101 10, 1134407) = 1
x3 บ f(x2) mod 1134407 บ 10202 mod 1134407
x4 บ f(x3) mod 1134407 บ 1118222 mod 1134407
gcd(x4 x2, 1134407) = gcd(1118222 101, 1134407) = 1
x5 บ f(x4) mod 1134407 บ 1040616 mod 1134407
x6 บ f(x5) mod 1134407 บ 559804 mod 1134407
gcd(x6 x3, 1134407) = gcd(559804 10202, 1134407) = 1
x7 บ f(x6) mod 1134407 บ 584667 mod 1134407
x8 บ f(x7) mod 1134407 บ 101952 mod 1134407
gcd(x8 x4, 1134407) = gcd(101952 1118222, 1134407) = 1
x9 บ f(x8) mod 1134407 บ 773371 mod 1134407
x10 บ f(x9) mod 1134407 บ 225776 mod 1134407
gcd(x10 x5, 1134407) = gcd(225776 1040616, 1134407) = 1
x11 บ f(x10) mod 1134407 บ 223632 mod 1134407
x12 บ f(x11) mod 1134407 บ 938830 mod 1134407
gcd(x12 x6, 1134407) = gcd(938830 559804, 1134407) = 1
x13 บ f(x12) mod 1134407 บ 427704 mod 1134407
x14 บ f(x13) mod 1134407 บ 776425 mod 1134407
gcd(x14 x7, 1134407) = gcd(776425 584667, 1134407) = 1
x15 บ f(x14) mod 1134407 บ 556756 mod 1134407
x16 บ f(x15) mod 1134407 บ 530787 mod 1134407
gcd(x16 x8, 1134407) = gcd(530787 101952, 1134407) = 113
thus 1134407 = 113 . b ่ b = 1134407 / 113 = 10039
่ factors are 113 and 10039
7. (3 marks)
It has been proposed in the
future to use 300 digit prime numbers in Europe in the RSA cipher. Use the
prime number theorem to estimate the probability of selecting a prime number of
300 decimal digits at random from odd 300 digit numbers.
π(x) represents number of primes between 1 and x
Prime number Theorem states that π(x) approaches x/ln(x) as x approaches
∞
[π(10300)
π(10299)] / [(10300 10299)/2]
= [(10300/ln 10300)
(10299/ln 10299)] / [(10300 10299)/2]
= [10299(10/300 ln(10) (1/299 ln(10))] / [10299(10
1)/2]
= [(1/30 ln(10) (1/299 ln(10))] / [9/2]
= (2/9) [1/ln(10)] [(1/30) (1/299)]
= (2/9) [1/ln(10)] [269/8970]
= [538/80730] / ln(10)
= approx 1/346
8. (1 mark)
Given the Modulus N=33217, the public key e=13147, and the
message M=25317, compute the cryptogram in the RSA cryptosystem.
The factorisation of n = 33217 = 563 x 59. This will enable you to determine phi(n), and hence d, the
decryption key. Verify your
answer by decrypting the cryptogram and recovering the message.
p = 563, q = 59, n = pq = 33217
e = 13147
M = 25317
C = Me mod n
= 2531713147 mod 33217
= 21745
φ(n) = (p 1)(q 1)
φ(33217) = 562 . 58 = 32596
d = e-1 mod φ(n)
= 13147-1
mod 32596
= 22391
M = Cd mod n
= 2174522391
mod 33217
= 25317
9. (3 marks)
Consider the RSA system for N =
3551 (p = 53, q = 67). Compute numbers
of unconcealable messages while applying the following public keys:
Number of unconcealable messages is given by:
(1 + gcd(K 1, p 1)) (1 +
gcd(K 1, q 1))
(a)
K = 701,
(1 + gcd(700,52)) (1 + gcd(700,66))
(1 + 4) (1 + 2) ่ 15 unconcealable messages
(b) K = 1392,
(1 + gcd(1391,52)) (1 + gcd(1391,66))
(1 + 13) (1 + 1) ่ 28 unconcealable messages
(c) K = 1210.
(1 + gcd(1209,52)) (1 + gcd(1209,66))
(1 + 13) (1 + 3) ่ 56 unconcealable messages
10. (6 marks)
For each of the following
sequences and "volumes", decide whether the knapsack problem is
superincreasing and how many solutions (if any) it has:
Superincreasing set members element ej is greater
than the sum of previous members e1 to ej-1
let set be denoted {e1, e2, e3, e4,
e5, e6} and the solution
{m1, m2, m3, m4, m5, m6}
(a)
{2,5,8,20,36,72},
V = 50,
superincreasing set
50 ≥ 72 ่ no m6 = 0
50 ≥ 36 ่ yes m5 = 1, 50 36 = 14
14 ≥ 20 ่ no m4 = 0
14 ≥ 8 ่ yes m3 = 1, 14 8 = 6
6 ≥ 5 ่ yes m2 = 1, 6 5 = 1
1 ≥ 2 ่ no m1 = 0
still remainder thus no solution
(b)
{1,3,9,20,32,78},
V = 73,
not superincreasing set
m6 must be zero as value larger than
volume, sum of remainders doesnt get close enough ่ thus no solution
(c)
{5,9,19,39,75,159},
V = 125,
superincreasing set
125 ≥ 159 ่ no m6 = 0
125 ≥ 75 ่ yes m5 = 1, 125 75 = 50
50 ≥ 39 ่ yes m4 = 1, 50 39 = 11
11 ≥ 19 ่ no m3 = 0
11 ≥ 9 ่ yes m2 = 1, 11 9 = 2
2 ≥ 5 ่ no m1 = 0
still remainder thus no solution
(d)
{2,3,6,11,23,55},
V = 34,
not superincreasing set
34 ≥ 55 ่ no m6 = 0
34 ≥ 23 ่ yes m5 = 1, 34 23 = 11
11 ≥ 11 ่ yes m4 = 1, 11 11 = 0
all other values are zero,
since values e0, e1, and e2 also equal 11 two
solutions exist.
(e)
{3,8,12,18,42,89},
V = 119,
not superincreasing set
119 ≥ 89 ่ yes m6 = 1, 119 89 = 30
30 ≥ 42 ่ no m5 = 0
30 ≥ 18 ่ yes m4 = 1, 30 18 = 12
12 ≥ 12 ่ yes m3 = 1, 12 12 = 0
all other values are zero
one solution exists
(f) {2,6,7,20,45,100}, V = 65.
not superincreasing set
65 ≥ 100 ่ no m6 = 0
65 ≥ 45 ่ yes m5 = 1, 65 45 = 20
20 ≥ 20 ่ yes m4 = 1, 20 20 = 0
all other values are zero
one solution exists
11. (4 marks)
Using a Knapsack cipher, suppose
that plaintext message units are single letters in the usual 26-letter alphabet
with A-Z corresponding to 0-25. You
receive the sequence of ciphertext message units, 1317, 653, 3284, 1408, 1317,
653, 48, 2061, 1271, 2677, 2013, 1271, 2679, 653 The public key is the sequence {1269, 1271, 653, 48, 1360} and
the secret key is n=630,p=1889.
(a) Try to decipher the
message without using the deciphering key.
Check by
using the deciphering key and the algorithm for
a superincreasing
knapsack problem.
Since the public key set is small an exhaustive search is possible
Let C = {1317, 653, 3284, 1408, 1317, 653, 48, 2061, 1271, 2677, 2013,
1271, 2679, 653}
= { ▲ ■ ∆ ♥
▲ ■ ♫ ♦ ∩ ☼ ♦ ☺■ }
= { S E ∆ ♥ S E ♫
I ∩ ☼ I ☺ E }
n = 630, n-1 = 3 mod
1889
S = {1269, 1271, 653, 48, 1360}
= {e1, e2, e3, e4, e5}
di บ ei n-1
mod p
d1 บ e1 n-1
mod 1889 = 29
d2 บ e2 n-1
mod 1889 = 35
d3 บ e3 n-1
mod 1889 = 70
d4 บ e4 n-1
mod 1889 = 144
d5 บ e5 n-1
mod 1889 = 302
S ′ = {d1,
d2, d3, d4, d5} = {29, 35, 70, 144,
302}
Let j be current message unit ่ Mj = n-1 Cj mod p
M1 บ 1317 . 3 mod 1889 = 173
factoring 173 into S ′ ่ gives binary vector {1,0,0,1,0} = 18 ่ S
M2 บ 653 . 3 mod 1889 = 70
factoring 70 into S ′ ่ gives binary vector {0,0,1,0,0} = 4 ่ E
M3 บ 3284 . 3 mod 1889 = 407
factoring 407 into S ′ ่ gives binary vector {0,1,1,0,1} = 13 ่ N
M4 บ 1408 . 3 mod 1889 = 446
factoring 446 into S ′ ่ gives binary vector {0,0,0,1,1} = 3 ่ D
M5 บ 1317 . 3 mod 1889 = 173
factoring 173 into S ′ ่ gives binary vector {1,0,0,1,0} = 18 ่ S
M6 บ 653 . 3 mod 1889 = 70
factoring 70 into S ′ ่ gives binary vector {0,0,1,0,0} = 4 ่ E
M7 บ 48 . 3 mod 1889 = 144
factoring 144 into S ′ ่ gives binary vector {0,0,0,1,0} = 2 ่ C
M8 บ 2061 . 3 mod 1889 = 516
factoring 516 into S ′ ่ gives binary vector {0,0,1,1,1} = 7 ่ H
M9 บ 1271 . 3 mod 1889 = 35
factoring 35 into S ′ ่ gives binary vector {0,1,0,0,0} = 8 ่ I
M10 บ 2677 . 3 mod 1889 = 475
factoring 475 into S ′ ่ gives binary vector {1,0,0,1,1} = 19 ่ T
M11 บ 2013 . 3 mod 1889 = 372
factoring 372 into S ′ ่ gives binary vector {0,0,1,0,1} = 5 ่ F
M12 บ 1271 . 3 mod 1889 = 35
factoring 35 into S ′ ่ gives binary vector {0,1,0,0,0} = 8 ่ I
M13 บ 2679 . 3 mod 1889 = 481
factoring 481 into S ′ ่ gives binary vector {0,1,0,1,1} = 11 ่ L
M14 บ 653 . 3 mod 1889 = 70
factoring 70 into S ′ ่ gives binary vector {0,0,1,0,0} = 4 ่ E
M ่ S E N D S E C H I T F I L E
(b) Use the above public key to send the
message ONETHOUSAND.
S = {1269, 1271, 653, 48,
1360}
ONETHOUSAND ่ 14, 13, 4, 19, 7, 14, 20, 18, 0, 13, 3
่2 01110, 01101, 00100, 10011, 00111, 01110, 10100,
10010, 00000, 01101, 00011
่ 1972, 3284, 653, 2677, 2061, 1972, 1922, 1317, 0,
3284, 1408
12. (5 Marks)
An RSA cipher system has a
modulus of n=71257651313, encryption key e=315479. A cryptogram C= 28193496995 was received by you.
Calculate the decryption key (d)
and retrieve the message (m).
Hint: Use Fermat factorisation
to determine p and q.
n = 71257651313, √71257651313 = approx 266941.3
let t = 266942, let z = t2 n
t = 266942, z = 2669422 71257651313
= 380051, not
perfect
t = 266943, z = 2669432 71257651313
= 913936, perfect
√913936 = 956, let s = z, n = t2 s2 = (t +
s)(t s)
thus 71257651313
= 2669432 - 9562
= (266943 + 956)(266943
956)
= (267899)(265987)
factors are 267899 and 265987
p = 267899, q = 265987, n = pq =
71257651313
e = 315479
C = 28193496995
φ(n) = (p 1)(q 1)
φ(71257651313) = 267898 . 265986 = 71257117428
d = e-1 mod φ(n)
= 315479-1 mod 71257117428
= 31819832483
M = Cd mod n
= 2819349699531819832483 mod 71257651313
= 315296
13. (6 marks)
Using an RSA cipher, suppose
that both plaintexts and ciphertexts consist of trigraph message units, but
while plaintexts are written in the 27-letter alphabet (consisting of A-Z and
blank = 26), ciphertexts are written in the 28-letter alphabet obtained by
adding the symbol "/" (with numberical equivalent 27) to the
27-letter alphabet. We require that each
user A choose nA between 273 = 19683 and 283 =
21952, so that a plaintext trigraph in the 27-letter alphabet corresponds to a
ciphertext trigraph in the 28-letter alphabet.
(a) If your deciphering key is KD =
(n,d) = (21583,20787), decipher the
message "YSNAUOZHXXH " (one blank at
the end).
n = 21583, d = 20787, display blank character as _
let C = C1, C2,
C3, C4, where each Ci is a tuple of three
characters
values C1, C2, C3,
C4 are in a 28 character alphabet
RSA decryption m = cd mod n
C1 = YSN = 24 . 282
+ 18 . 28 + 13 = 19333
M1 = 1933320787
mod 21583 = 13649
= m1(1) 272 + m1(2) 27 + m1(3)
= 18 . 272 + 19 . 27 + 14 = STO
C2 = AUO = 0 . 282
+ 20 . 28 + 14 = 574
M2 = 57420787
mod 21583 = 11652
= m2(1) 272 + m2(2) 27 + m2(3)
= 15 . 272 + 26 . 27 + 15 = P_P
C3 = ZHX = 25 . 282
+ 7 . 28 + 23 = 19819
M3 = 1981920787
mod 21583 = 660
= m3(1) 272 + m3(2) 27 + m3(3)
= 0 . 272 + 24 . 27 + 12 = AYM
C4 = XH_ = 23 . 282
+ 7 . 28 + 26 = 18254
M4 = 1825420787 mod
21583 = 3286
= m4(1) 272 + m4(2) 27 + m4(3)
= 4 . 272 + 13 . 27 + 19 = ENT
Message ่ STOP_PAYMENT
(b) If in part (a) you know that f(n) = 21280,
find
(i)
e = d-1
mod f(n), and
e = 20787-1 mod 21280
= 6043
(ii)
the
factorization of n.
n = 21583, √21583 = approx 146.9, let t = 147
let z = t2 n
t = 147, z = 1472 21583 = 26, not perfect
t = 148, z = 1482 21583 = 321, not perfect
t = 149, z = 1492 21583 = 618, not perfect
t = 150, z = 1502 21583 = 917, not perfect
t = 151, z = 1512 21583 = 1218, not perfect
t = 152, z = 1522 21583 = 1521, perfect
√1521 = 39, let s = z, n = t2 s2 = (t +
s)(t s)
thus 21583 = 1522 392
= (152 + 39)(152 39) = (191)(113)
factors are 191 and 113
Note that the
method for converting characters into numbers used in this question is
applied as
follows:
Digraphs: C = c0c1 = n0b
+ n1 = N
Trigraphs: C = c0c1c2
= n0b2 + n1b + n2 = N
where C is the
character-tuple consisting of characters ci , ni is the
numerical
representation
of the character ci , b is the size of the encoding alphabet, and N
is the
resulting
numerical value of the C character-tuple.
For example, using a 40-letter
alphabet, to
convert ABC to a number: C = ABC = 0 *
402 + 1 * 40 + 2 = 42 = N
14. (6 marks)
In the field Z409 determine
which of the following are generators of the multiplicative group:
p = 409, thus p 1 is 408 = 23
. 3 . 17, p1 = 2, p2 = 3, p3 = 17
h(1) = (p 1)/p1 = 204
h(2) = (p 1)/p2 = 136
h(3) = (p 1)/p3 = 24
if xh(i) บ 1 mod p for any i = 1..3 then x is NOT a generator in Z409
(i)
2
2204 บ 1 mod 409
่ 2 is NOT a generator in Z409
(ii) 7
7204 บ 408 mod 409
7136 บ 53 mod 409
724 บ 1 mod 409
่ 7 is NOT a generator in Z409
(ii)
29
29204 บ 408 mod 409
29136 บ 53 mod 409
2924 บ 216 mod 409
่ 29 is a generator in Z409
15 (9 marks)
Let
p be the prime 1058041.
(i) (2 marks)
Show that g=12 is not a
generator of the nonzero integers
modulo 1058041 under multiplication.
Let
g be a generator of the field Zp
if {xk
: k is an integer} = Zp-0
p = 1058041
ฎ p-1 = 1058040 = 23.32.5.2939
ฎ h(1) = (p-1)/2 = 529020
h(2)
= (p-1)/3 = 352680
h(3)
= (p-1)/5 = 211608
h(4)
= (p-1)/2939 = 360
Is 12 a
generator?
12h(1) บ 1 mod p
ฎ 12 is not a generator of Zp
(ii) (4 marks)
Suppose that Alice and
Bob select secret keys a=2783 and b=8059
respectively.
Outline a procedure for Alice and Bob to exchange key gab
using the Diffie-Hellman discrete log cipher.
Public knowledge is:
large prime p =
1058041
g = generator of
integers modulo p
Alice and Bob wish to
generate a common key over an insecure channel
Alice generates a modulo p ่ 2783 mod 1058041
Bob generates b modulo p ่ 8059 mod 1058041
Alice calculates ga
่ g2783 and sends
value to Bob
Bob calculates gb
่ g8059 and sends
value to Alice
Alice determines secret
common key
(gb)a mod
p ่ (g8059)2783
mod 1058041 ่ g3460
Bob determines secret common
key
(ga)b mod
p ่ (g2783)8059
mod 1058041 ่ g3460
This procedure doesnt prevent man-in-the-middle attack,
additional authentication required to prevent such an event.
(iii) (3 marks)
Suppose that Bob and Alice decide to exchange
messages using the
ElGamal cipher where Alice selects the same
secret key, a, as given
in (ii) above and the public key ga. Suppose Bob encrypts the
message m, which is an integer between 0 and
p-1, using Alice's
public key ga.
Suppose Alice receives the pair (mgak,
gk) = (477738, 88884).
Use Alice's private key, a, to decrypt (477738,
88884) to recover
the message m.
a = 2783
p = 1058041
(mgak,gk)
= (477738,88884)
gak
= (gk)a = 88884a บ 937112 mod p
m = mgak(gak)-1
บ 477738 * 937112-1 mod p
บ 766240 mod p
16. (4 marks)
Bob and Alice decide to set up a
digital signature in a communications network using the ElGamal cipher over the
integers modulo p=700001 with generator g=12.
Alice selects the secret key a=13579.
p and ga=55058 are Alice's public keys.
Suppose Alice wants to send the
message m=24680 to Bob. Alice selects
k=57683.
Outline the protocol required
for Alice to attach a signatures to the message which is being transmitted to
Bob. Include Bob's verification.
p = 700001, g = 12, a = 13579, ga
= 55058
m = 24580, let hash function be
trivial function such that h = f(m) = m
k = 57683
check that k is relatively prime to p
1
gcd(k, (p 1)) = 1
gcd(57683, 700000) = 1
Alice calculates r and s signature
pair
r = gk mod p
= 1257683 mod 700001 = 583276
h = gk . a + k . s mod (p
1)
24680 = 1257683 . 13579 +
57683 s mod 700000
24680 = 504804 + 57683 s mod 700000
219876 = 57683 s mod 700000
219876 (57683)-1 = s mod
700000
219876 (48347) = s = 144972
Alice sends m,r,s to Bob
Bob verifies and accepts as valid if gh
mod p = (ga)r . rs mod p
1224680 mod 700001 = 55058583276
. 583276144972 mod 700001
94164 mod 700001 = 663126 . 387518 mod
700001
= 94164 mod 700001
17. (12 marks)
Let E denote the set
of points (x,y) such that y2 = x3 + x + 1 over the
integers mod 19.
E(Z19)
= {(x,y): y2 = x3 + x + 1} U {φ}, a = 1, b = 1, all calculations in Z19
(i) Find all the
distinct points on E. (2
marks)
look at all x ε Z19, calculate z = x3
+ x + 1 (mod 19), if it has a Quadratic Residue mod 19, then can solve for y
Quadratic Residue test z(p-1)/2
บ 1 mod p ่ z9 บ 1
mod 19
let
x = 0, z = 1, is Quadratic Residue mod 19, y = 1, 18
x
= 1, z = 3, not QR
x
= 2, z = 11, QR, y = 7, 12
x
= 3, z = 9, QR, y = 3, 16
x
= 4, z = 15, not QR
x
= 5, z = 17, QR, y = 6, 13
x
= 6, z = 14, not QR
x
= 7, z = 9, QR, y = 3, 16
x
= 8, z = 8, not QR
x
= 9, z = 17, QR, y = 6, 13
x
= 10, z = 4, QR, y = 2, 17
x
= 11, z = 3, not QR
x
= 12, z = 12, not QR
x
= 13, z = 7, QR, y = 8, 11
x
= 14, z = 4, QR, y = 2, 17
x
= 15, z = 9, QR, y = 3, 16
x
= 16, z = 9, QR, y = 3, 16
x
= 17, z = 10, not QR
x
= 18, z = 18, not QR
Points on E are: (0,1), (0,18), (2,7),
(2,12), (3,3), (3,16), (5,6), (5,13), (7,3), (7,16), (9,6), (9,13), (10,2),
(10,17), (13,8), (13,11), (14,2), (14,17), (15,3), (15,16), (16,3), (16,16), (φ)
(ii) Let P =
(17,4) and Q = (11,3). Find 2P and P +
Q. (6 marks)
let
P = (17,4), x1 = 17, y1 = 4
2P
= (x2,y2)
λ = (3x12 + a)(2y1)-1
= (12 + 1)(12) = 4
x2 = λ2 2x1
= 16 15 = 1
y2 = λ (x1 x2) y1
= 4 (17 1) 4 = 3
Thus
2P = (1,3)
let
P = (17,4), x1 = 17, y1 = 4
let
Q = (11,3), x2 = 11, y2 = 3
P +
Q = (x3,y3)
λ = (y2 y1)(x2
x1)-1
= (3 4)(11
17)-1 = 16
x3 = λ2 x1 x2
= 9 17 11 =
0
y3 = λ (x1 x3) y1
= 16 (17 0)
4 = 2
Thus P + Q = (0,2)
(iii) For P defined above, find the set of all points H={ kP : k is a
positive integer}
(4
marks)
P = (17,4), let x1 = 17, y1
= 4
2P = (1,3), let x2 = 1, y2
= 3
3P = P + 2P
λ = (y2 y1)(x2
x1)-1
= (3 4)(1 17)-1 = 6
x3 = λ2
x1 x2
= 17 17 1 = 18
y3
= λ (x1 x3) y1
= 6 (17 18) 4 = 9
่ 3P
= (18,9)
4P = P
+ 3P
λ = (y3 y1)(x3
x1)-1
= (9 4)(18 17)-1 = 5
x4 = λ2 x1 x3
= 6 17 18 =
9
y4 = λ (x1 x4) y1
= 5 (17 9) 4
= 0
่ 4P = (9,0)
5P = P + 4P
λ = (y4 y1)(x4
x1)-1
= (0 4)(9 17)-1 = 10
x5 = λ2 x1 x4
= 5 17 9 =
17
y5 = λ (x1 x5) y1
= 10 (17 9)
4 = 0
่ 5P = (17,0)
6P = P + 5P
λ = (y5 y1)(x5
x1)-1
= (0 4)(17 17)-1 = ?
0-1 is not defined, P = (17,4) is not a generator in Z19