Problem Set 6 Solutions Math 158, Fall 2016

Similar documents
Data security (Cryptography) exercise book

Solutions for the Practice Final

Assignment 2. Due: Monday Oct. 15, :59pm

Cryptography, Number Theory, and RSA

Number Theory/Cryptography (part 1 of CSC 282)

6. Find an inverse of a modulo m for each of these pairs of relatively prime integers using the method

NUMBER THEORY AMIN WITNO

The Chinese Remainder Theorem

MA/CSSE 473 Day 9. The algorithm (modified) N 1

EE 418: Network Security and Cryptography

Solutions to Problem Set 6 - Fall 2008 Due Tuesday, Oct. 21 at 1:00

Calculators will not be permitted on the exam. The numbers on the exam will be suitable for calculating by hand.

Cryptography. 2. decoding is extremely difficult (for protection against eavesdroppers);

Discrete Mathematics & Mathematical Reasoning Multiplicative Inverses and Some Cryptography

b) Find all positive integers smaller than 200 which leave remainder 1, 3, 4 upon division by 3, 5, 7 respectively.

Calculators will not be permitted on the exam. The numbers on the exam will be suitable for calculating by hand.

Cryptography Math 1580 Silverman First Hour Exam Mon Oct 2, 2017

Discrete Math Class 4 ( )

CHAPTER 2. Modular Arithmetic

Public Key Encryption

Collection of rules, techniques and theorems for solving polynomial congruences 11 April 2012 at 22:02

Math 255 Spring 2017 Solving x 2 a (mod n)

Diffie-Hellman key-exchange protocol

SOLUTIONS TO PROBLEM SET 5. Section 9.1

DUBLIN CITY UNIVERSITY

The Chinese Remainder Theorem

Math 319 Problem Set #7 Solution 18 April 2002

Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014

Fermat s little theorem. RSA.

Primitive Roots. Chapter Orders and Primitive Roots

Practice Midterm 2 Solutions

Solutions for the Practice Questions

CMath 55 PROFESSOR KENNETH A. RIBET. Final Examination May 11, :30AM 2:30PM, 100 Lewis Hall

Linear Congruences. The solutions to a linear congruence ax b (mod m) are all integers x that satisfy the congruence.

University of British Columbia. Math 312, Midterm, 6th of June 2017

Exam 1 7 = = 49 2 ( ) = = 7 ( ) =

Introduction to Modular Arithmetic

Mathematics Explorers Club Fall 2012 Number Theory and Cryptography

Public-key Cryptography: Theory and Practice

Final exam. Question Points Score. Total: 150

UNIVERSITY OF MANITOBA DATE: December 7, FINAL EXAMINATION TITLE PAGE TIME: 3 hours EXAMINER: M. Davidson

SOLUTIONS FOR PROBLEM SET 4

Discrete Square Root. Çetin Kaya Koç Winter / 11

Lecture 32. Handout or Document Camera or Class Exercise. Which of the following is equal to [53] [5] 1 in Z 7? (Do not use a calculator.

Introduction. and Z r1 Z rn. This lecture aims to provide techniques. CRT during the decription process in RSA is explained.

CMPSCI 250: Introduction to Computation. Lecture #14: The Chinese Remainder Theorem David Mix Barrington 4 October 2013

Wilson s Theorem and Fermat s Theorem

Constructions of Coverings of the Integers: Exploring an Erdős Problem

ON THE EQUATION a x x (mod b) Jam Germain

Distribution of Primes

Number Theory. Konkreetne Matemaatika

Solutions to Exam 1. Problem 1. a) State Fermat s Little Theorem and Euler s Theorem. b) Let m, n be relatively prime positive integers.

Solutions for the 2nd Practice Midterm

L29&30 - RSA Cryptography

1 Introduction to Cryptology

CMPSCI 250: Introduction to Computation. Lecture #14: The Chinese Remainder Theorem David Mix Barrington 24 February 2012

Math 127: Equivalence Relations

DUBLIN CITY UNIVERSITY

DTTF/NB479: Dszquphsbqiz Day 30

MAT 302: ALGEBRAIC CRYPTOGRAPHY. Department of Mathematical and Computational Sciences University of Toronto, Mississauga.

Foundations of Cryptography

Application: Public Key Cryptography. Public Key Cryptography

Modular Arithmetic. Kieran Cooney - February 18, 2016

Cryptography CS 555. Topic 20: Other Public Key Encryption Schemes. CS555 Topic 20 1

MATH 324 Elementary Number Theory Solutions to Practice Problems for Final Examination Monday August 8, 2005

The congruence relation has many similarities to equality. The following theorem says that congruence, like equality, is an equivalence relation.

Number Theory and Security in the Digital Age

p 1 MAX(a,b) + MIN(a,b) = a+b n m means that m is a an integer multiple of n. Greatest Common Divisor: We say that n divides m.

Example Enemy agents are trying to invent a new type of cipher. They decide on the following encryption scheme: Plaintext converts to Ciphertext

MODULAR ARITHMETIC II: CONGRUENCES AND DIVISION

Overview. The Big Picture... CSC 580 Cryptography and Computer Security. January 25, Math Basics for Cryptography

Sheet 1: Introduction to prime numbers.

MA 111, Topic 2: Cryptography

Number Theory - Divisibility Number Theory - Congruences. Number Theory. June 23, Number Theory

Q(173)Q(177)Q(188)Q(193)Q(203)

The number theory behind cryptography

Outline Introduction Big Problems that Brun s Sieve Attacks Conclusions. Brun s Sieve. Joe Fields. November 8, 2007

PT. Primarity Tests Given an natural number n, we want to determine if n is a prime number.

Number Theory and Public Key Cryptography Kathryn Sommers

MAT199: Math Alive Cryptography Part 2

Algorithmic Number Theory and Cryptography (CS 303)

Public-Key Cryptosystem Based on Composite Degree Residuosity Classes. Paillier Cryptosystem. Harmeet Singh

EE 418 Network Security and Cryptography Lecture #3

Xor. Isomorphisms. CS70: Lecture 9. Outline. Is public key crypto possible? Cryptography... Public key crypography.

Lecture 8. Outline. 1. Modular Arithmetic. Clock Math!!! 2. Inverses for Modular Arithmetic: Greatest Common Divisor. 3. Euclid s GCD Algorithm

A4M33PAL, ZS , FEL ČVUT

Unless stated otherwise, explain your logic and write out complete sentences. No notes, books, calculators, or other electronic devices are permitted.

Example Enemy agents are trying to invent a new type of cipher. They decide on the following encryption scheme: Plaintext converts to Ciphertext

Is 1 a Square Modulo p? Is 2?

Applications of Fermat s Little Theorem and Congruences

Classical Cryptography

ElGamal Public-Key Encryption and Signature

To be able to determine the quadratic character of an arbitrary number mod p (p an odd prime), we. The first (and most delicate) case concerns 2

MTH 3527 Number Theory Quiz 10 (Some problems that might be on the quiz and some solutions.) 1. Euler φ-function. Desribe all integers n such that:

Goldbach conjecture (1742, june, the 7 th )

Discrete Mathematics and Probability Theory Spring 2018 Ayazifar and Rao Midterm 2 Solutions

MAT Modular arithmetic and number theory. Modular arithmetic

CS70: Lecture 8. Outline.

Implementation / Programming: Random Number Generation

Modular Arithmetic. claserken. July 2016

Transcription:

All exercise numbers from the textbook refer to the second edition. 1. (a) Textbook exercise 3.3 (this shows, as we mentioned in class, that RSA decryption always works when the modulus is a product of two primes, regardless of whether the original message was a unit modulo N or not). (b) Suppose that Bob publishes a public key N = 117, e = 5 (note that this is not an RSA public key, since 117 isn t a product of two primes), and he requests that Alice encrypt her message m (where 0 m < N) by sending him c m e (mod N), as in RSA. Find two different messages m 1, m 2 which give the same ciphertext. This shows that Bob cannot always decrypt messages unambiguously in this system. (Try to find m 1 and m 2 using a principle that you would be able to generalize, rather than by guess-and-check). Note. In general, unique decryption will be possible as long as N is squarefree, meaning it is not divisible by any square. For example, decryption is always possible if N = pqr, where p, q, r are distinct prime (see problem 11). (a) Suppose that x c d (mod pq). We wish to show that x e c (mod pq). In other words, we wish to show that c de c (mod pq). By the Chinese remainder theorem, it suffices to prove that both c de c (mod p) and c de c (mod q). Since de 1 (mod (p 1)(q 1)) by assumption, we may write de = 1 + k(p 1)(q 1) for some integer k. Consider first the congruence modulo p. There are two cases: p c and p c. First, if p c, then Fermat s little theorem implies that c p 1 1 (mod p). Therefore c de = c (c p 1 ) k(q 1) c 1 k(q 1) c (mod p), as desired. The second case is p c. In this case, both c and c de are congruent to 0 modulo p, so certainly c de c (mod p). The congruence modulo q is established in exactly the same way. So c de c is divisible by both p and q, hence it is divisible by pq, and c de c (mod pq). Note. All that was needed was that de 1 was divisible by both (p 1) and (q 1), which is slightly weaker than being divisible by their product. (b) Note that 117 = 3 2 13. Observe that by the Chinese remainder theorem, two numbers are congruent modulo 117 if and only if they are congruent modulo 9 and also congruent modulo 13. One option is to choose two integers m 1, m 2 which are congruent modulo 13, both divisible by 3, yet not congruent modulo 9. Then it is guaranteed that m 5 1 m5 2 (mod 13) (since m 1 m 2 (mod 13)), and both m 1, m 2 will be divisible by 3 5, hence both congruent to 0 (mod 9) (and congruent to each other). For example, one could solve m 1 1 (mod 13) m 2 1 (mod 13) m 1 3 (mod 9) m 2 6 (mod 9) to obtain m 1 66 (mod 117) and m 2 105 (mod 117). Indeed these satisfy m 5 1 m 5 2 27 (mod 117). Note. In fact, one can show that this is the only way to construct such pairs: one must choose numbers that are congruent modulo 13, but with different remainder modulo 9, both chosen from {0, 3, 6} (so that both are divisible by 3). 2. Textbook exercise 3.6. Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 1 of 13

(a) As explained in class, we can solve this congruence by finding d e 1 (mod φ(n)) (which exists since we are assuming gcd(e, φ(n)) = 1), and then computing c d (mod φ(n)). The reason given in class is that: since c is a unit modulo N, any solution x must be a unit as well (any common factor of x and N would be a common factor of x e and N), so Euler s formula implies c φ(n) 1 (mod N). Since de = 1 + kφ(n) for some integer k, it follows that c d x de x (x φ(n) ) k x (mod N). So any solution x satisfies x c d (mod N). Conversely, if x c d (mod N), then x e c de c (mod N) by the same reasoning. (b) i. N = 1463 factors into primes as 7 11 19, so φ(n) = (7 1)(11 1)(19 1) = 1080. The inverse of e = 577 modulo 1080 is 73. So the answer is 60 73 (mod 1463), which simplifies to 1390 (mod 1463). ii. N = 1625 factors into primes as 5 3 13, so φ(n) = N(1 1 5 )(1 1 13 ) = 53 13 4 5 12 13 = 5 2 4 12 = 1200. The inverse of 959 modulo 1200 is 239. Therefore we compute 1583 239 147 (mod 1625). iii. N = 2134440 factors into primes as 2 3 3 2 5 7 2 11 2. Therefore φ(n) = (2 2 1)(3 2)(4)(7 6)(11 10) = 443520 (in the second step of this computation, I have used the fact that p e (1 1 p ) = pe 1 (p 1), applied to each prime individually, to simplify the expression in exercise 3.5(d)). The inverse of 133957 modulo 443520 is 326413. Therefore we compute 224689 326413 1892929 (mod 2134440) 3. Textbook exercise 3.10. (a) The way we discussed finding decryption exponents in class, one would have d e 1 (mod φ(n)), hence φ(n) (de 1). So one can employ the following idea: construct several encryption-decryption pairs with your magic box, and compute the greatest common divisor of the various numbers de 1. Hopefully, this will be a small multiple of φ(n) (or better yet, φ(n) itself). Once we know φ(n) and N, we can factor N using the quadratic formula (see Remark 3.11). As long as we take encryption-decryption pairs, its unlikely that the various numbers de 1 will have a common factor larger than φ(n) (see Homework 2, problem 1). Unfortunately, there is a small wrinkle: this is not the only way to find decryption exponents. Indeed, Remark 3.6 points out that it s enough to make sure de 1 (mod (p 1)(q 1)/g), where g = gcd(p 1, q 1). In fact, this is both necessary and sufficient 1. It s possible that your magic box is giving exponents satisfying this weaker condition (indeed, the examples in parts (b) through (d) are of this form). The good news is that this only adds a bit of complication: if we choose enough key pairs, the gcd of the numbers de 1 will be some multiple of (p 1)(q 1)/g, and very possibly (p 1)(q 1)/g itself. Then we can try to guess φ(n) by taking a multiple of this gcd that is close to N (note that φ(n) = N p q + 1, so its order of magnitude will be close to N). 1 One way to prove this is to show that de must be congruent to 1 modulo p 1 and modulo q 1, which shows that de 1 is divisible by the least common multiple of p 1 and q 1; one can then argue that this least common multiple is (p 1)(q 1)/g. Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 2 of 13

This strategy may seem a big loose (and doesn t carry guarantees), but the following examples shows that is can be made to work. (b) We begin by finding the gcd of the numbers de 1. >>> from fractions import gcd >>> N = 38749709 >>> e = [10988423,25910155] >>> d = [16784693,11514115] >>> gcd(d[0]*e[0]-1,d[1]*e[1]-1) 19368558 This is too small to be φ(n), but it could very plausibly be φ(n)/2 (e.g. if gcd(p 1, q 1) = 2), since it is just under half of N (and we know that φ(n) is only a little less than N in relative terms). Going with this assumption, let s attempt to compute p, q as outlined in Remark 3.11. >>> M = gcd(d[0]*e[0]-1,d[1]*e[1]-1) >>> phi = 2*M >>> b = N - phi + 1 # This should be p+q. We ll solve X^2 - bx + N = 0. >>> import math # So that I can use sqrt >>> p = (b-math.sqrt(b*b - 4*N))/2 >>> q = (b+math.sqrt(b*b - 4*N))/2 >>> p,q (5347.0, 7247.0) # Reported with decimals since sqrt was used. Indeed, this worked! We can check that 5347 7247 = N. (c) We can proceed similarly to before, but now we take the gcd of three numbers. Here is the transcript from the python terminal. >>> N = 225022969 >>> e = [70583995,173111957,180311381] >>> d = [4911157,7346999,29597249] >>> M = gcd( gcd(d[0]*e[0]-1,d[1]*e[1]-1),d[2]*e[2]-1) >>> float(n)/m 6.000841978863939 >>> phi = 6 * M # Seems like a reasonable guess >>> b = N - phi + 1 # Should be p+q >>> p = (b-math.sqrt(b*b-4*n))/2 >>> q = (b+math.sqrt(b*b-4*n))/2 >>> print p,q 10867.0 20707.0 >>> p*q 225022969.0 #Success! (d) Similar to before: >>> N = 1291233941 >>> e = [1103927639,1022313977,387632407] >>> d = [76923209,106791263,7764043] >>> M = gcd( gcd(d[0]*e[0]-1,d[1]*e[1]-1), d[2]*e[2]-1 ) >>> float(n)/m 10.00085538680072 Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 3 of 13

>>> phi = 10*M # Seems like a good guess >>> b = N - phi + 1 >>> p = (b + math.sqrt(b*b-4*n) )/2 >>> q = (b - math.sqrt(b*b-4*n) )/2 >>> print p,q 97151.0 13291.0 >>> p*q 1291233941.0 4. Textbook exercise 3.17. (a) The primes less than 100 are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97 There are 25 total. Of these, the first 8 are less than 20, and two more are less than 30. So π(20) = 8, π(30) = 10, π(100) = 25. (b) There are a number of ways to count primes that will be fast enough to count up to 100000. For the sake of variety, the code below illustrates the sieve of Eratosthenes, which is a very old and reasonably quick way to do it (search online to find details and history). def primestobound(n): isprime = [True]*(N+1) primes = [] for p in xrange(2,n+1): if not(isprime[p]): continue primes += [p] k = p while k<=n/p: isprime[k*p] = False k += 1 return primes def pi(n): return len(primestobound(n)) Using the function pi(n), we can empirically examine the ratio π(x)/(x/ ln(x)) as follows. >>> from math import log >>> for X in [100,1000,10000,100000]:... print X,pi(X),pi(X)/(X/log(X))... 100 25 1.1512925465 1000 168 1.16050288687 10000 1229 1.13195083172 100000 9592 1.1043198106 Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 4 of 13

From these data, the prime number theorem looks plausible enough, although one might conjecture that the limit is closer to 1.1 than to 1 itself. More data would be needed to clearly see the convergence to 1. 5. Textbook exercise 3.18. (a) We can sort the primes up to 100 into congruence classes modulo 4 as follows. 0 (mod 4) : (none) 1 (mod 4) : 5, 13, 17, 29, 37, 41, 53, 61, 73, 89, 97 2 (mod 4) : 2 Just by counting, we obtain: 3 (mod 4) : 3, 7, 11, 19, 23, 31, 43, 47, 59, 67, 71, 79, 83 π 1 (10) = 1 π 1 (25) = 3 π 1 (100) = 11 π 3 (10) = 2 π 3 (25) = 5 π 3 (100) = 13 Note that these are are fairly close to each other, but π 3 is always one or two larger than π 1. (b) Using a previously written function primestobound(n) that gives a list of all primes N, there are various ways to count the number of elements in a given congruence class. Here is a particularly pythonic one-liner for this. def pi(n,rem,modulus): return len([p for p in primestobound(n) if p%modulus == rem]) Using this function, we can interrogate the relationship between π 1 and π 3 as follows. >>> for X in [100,1000,10000,100000]:... print X, pi(x,1,4), pi(x,3,4), float(pi(x,3,4))/pi(x,1,4)... 100 11 13 1.18181818182 1000 80 87 1.0875 10000 609 619 1.01642036125 100000 4783 4808 1.00522684508 (c) These data suggest that, asymptotically speaking π 1 (X) and π 3 (X) are the same their ratio seems to go to 1. Furthermore, the data suggest that this ratio approaches 1 from above, not below, i.e. that more primes are 3 (mod 4) than 1 (mod 4) (by a shrinking margin in relative terms). One might conjecture that π 3 (X) > π 1 (X) for all X. The investigation of this conjecture (and related questions) is described in Granville and Martin s very interesting article Prime Number Races, which you can find here: http://www.maa.org/sites/default/files/pdf/upload_library/22/ Ford/granville1.pdf, The conjecture turns out to be false, but one needs to look at more data to determine this. 6. For each integer n between 1,000,000 and 1,000,009 inclusive, determine the proportion of the numbers from 1 to n 1 inclusive that are Miller-Rabin witnesses. Which of these numbers are prime? (The figures you obtain should convince you that the 75% figure from Rabin s theorem is rather conservative, and explains why most people are not worried about using only a few Miller-Rabin trials to test primality). Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 5 of 13

We first require a function is witness(a,n) that determines whether or not a is a witness modulo n. See the solution to problem 9 for one implementation. With this in hand, we can determine these proportions as follows. >>> for n in xrange(1000000,1000010):... wits = 0... for a in xrange(1,n):... if is_witness(a,n): wits += 1... print n, float(wits)/(n-1)... 1000000 0.999998999999 1000001 0.99625 1000002 0.999999000001 1000003 0.0 1000004 0.999999000003 1000005 0.999998000008 1000006 0.999997000015 1000007 0.999902000588 1000008 0.999999000007 1000009 0.999994000048 One of these numbers is prime: 1000003 (since it has no witnesses to compositness). The others are composite. Note that in all cases, at least 99.5% of the candidates are witnesses. So even a single Miller-Rabin trial is quite conclusive (at least for these choices of n). 7. Textbook exercise 3.22. (We will discuss Pollard s algorithm in class on Monday). (a) Here s what happens when I arbitrarily choose a = 2, and start raising it to larger and larger powers as prescribed by Pollard. At each step, I check whether gcd(a 1, n) has become interesting yet. >>> n = 1739 >>> a = 2 >>> gcd(a-1,n) 1 >>> a = pow(a,2,n) >>> gcd(a-1,n) 1 >>> a = pow(a,3,n) >>> gcd(a-1,n) 1 >>> a = pow(a,5,n) >>> gcd(a-1,n) 1 >>> a = pow(a,6,n) >>> gcd(a-1,n) 37 After 6 tries, a factor is found: p = 37. The other is 1739/37 = 47. The reason that this worked so quickly is that p 1 = 36 = 2 2 3 2 ; these are both very small primes, so very quickly (for small k) 2 k! 1 (mod 37). Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 6 of 13

(b) This time, I ll automate the process a bit. To keep track of how things evolve, I ll print the value of a at each step, and stop once gcd(a 1, n) > 1. As before, I ll use a = 2 for simplicity. >>> n = 220459 >>> i = 1 >>> a = 2 >>> while True:... print i,a,gcd(a-1,n)... if gcd(a-1,n) > 1: break... i += 1... a = pow(a,i,n)... 1 2 1 2 4 1 3 64 1 4 22332 1 5 85054 1 6 4046 1 7 43103 1 8 179601 449 Again, this didn t take too long. We found the factor p = 449, because 2 8! 1 (mod n). This worked because 449 1 = 448 factors into 2 8 7, which divides 8!. (c) We proceed like before. >>> n = 48356747 >>> a = 2 >>> i = 1 >>> while True:... print i,a,gcd(a-1,n)... if gcd(a-1,n) > 1: break... i += 1... a = pow(a,i,n)... 1 2 1 2 4 1 3 64 1 4 16777216 1 5 29007256 1 6 6497326 1 7 11540770 1 8 13320680 1 9 2119447 1 10 32129514 1 11 4931912 1 12 35410324 1 13 46845551 1 14 45774461 1 15 46983891 1 Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 7 of 13

16 8398521 1 17 9367160 1 18 17907956 1 19 13944673 6917 So after getting to 2 19! (mod n), we found one factor: p = 6917. The other is n/p = 6991. This worked because 6917 1 factors into small primes: it is 2 2 7 13 19. This divides 19!, which is why we found the factor once 2 19! (mod n) was computed. 8. Suppose that p is a large prime (e.g. 1024 bits), g is a primitive root modulo p, and Alice has an Elgamal public key A corresponding to a private key a (that is, A g a (mod p), and Alice knows the number a). Bob does not believe that Alice actually knows the private key a corresponding to A, so she asks her to solve the following challenge to prove it. Bob will give Alice a positive integer d of his choosing. Alice must return (in a reasonable amount of time) two integers b, c such that g b b c A d (mod p). If she succeeds, Bob will be convinved that Alice really does know her private key. (a) Describe a procedure that Alice can use to solve Bob s challenge efficiently. Hint. Choose an integer e at random, and choose b to be g e (mod p). Then find a choice of c. (b) Explain briefly why Bob should be convinced that Eve (or anyone else who doesn t know the private key) would not be able to carry out the procedure you describe in part (a). Note. This exercise prefigures the basic idea behind Elgamal digital signatures, which we will discuss soon. You can solve this problem without knowing anything about signatures, however. (a) Following the hint, suppose that Alice begins by choosing an integer k at random and setting b g k (mod p) (we ll see shortly that she shouldn t choose it completely at random, but impose a mild condition; this will come out in the analysis). We still need to choose c. At this stage, she is attempting to solve the congruence g b g kc g ad (mod p), i.e. g b+kc ad 1 (mod p). Since g is a primitive root, it s order is p 1, and this congruence is equivalent to (p 1) (b + kc ad), i.e. b + kc ad 0 (mod p 1). But all of the variables in this congruence have been fixed except one: Alice needs merely solve for c to obtain c k 1 (ad b) (mod p 1). Note that there is one tricky point here: she can only do this if she previously chose k relatively prime to p 1, so that it has an inverse modulo p 1. But that s no problem: she got to chose k herself, so she can just make sure to choose k relatively prime to p 1. (b) In order to carry out this process, Alice needed to use her knowledge of the secret key a in a crucial way. Without it, she would not have been able to write the congruence entirely in terms of powers of g, which was the crucial step to move from modulo p to modulo p 1. (It is conceivable that there is a completely different route to solving the congruence that doesn t require knowing a, of course; but the method outlined in part (a) cannot be adapted.) Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 8 of 13

Programming problems Full formulation and submission: https://www.hackerrank.com/m158-2016-pset-6 9. Determine whether a given integer N (up to 1024 bits long) is prime or not. Here is one implementation of the Miller-Rabin primality test. We first write a method to test if a specific integer a is a witness for n, then write a wrapper function that simply calls this function on 100 randomly chosen values of a, seeing if any one of them turn out to be witnesses. To save time, it is sensible not to finish all 100 trials once we have found even one witness; the function returns right away in this case. import random # Determines whether a is a Miller-Rabin witness of n def is_witness(a,n): q = n-1 k = 0 while q%2 == 0: q /= 2 k += 1 b = pow(a,q,n) if b == 1: return False for i in xrange(k): if b == n-1: return False b = b*b % n return True # Miller-Rabin test, with 100 trials by default def is_prime(n, trials=100): for i in xrange(trials): a = random.randrange(1,n) if is_witness(a,n): return False return True n = int(raw_input()) if is_prime(n): print prime else: print composite 10. Generate two prime numbers p, q, of specified length (number of bits), such that p 1 (mod q), along with a number g {1, 2,, p 1} such that ord[g] p = q. Hint. See exercise 1.33 in the textbook for a useful fact that can help you create g (Problem Set 2, number 6). Note. Generating p, q, g of this form is important for choosing parameters for the DSA system, which we will discuss soon. Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 9 of 13

First, we must decide how to create p and q. If we choose p first, then finding q will be difficult: we would need to factor p 1. It is easier to go in the opposite order: we can first choose q, and then choose p of the form p = 1 + kq. As discussed in class, if k is chosen at random, then the odds of 1 + kq being prime are about the same as the odds that any other integer of that size is prime, so we can expect to find a prime fairly quickly. One issue that must be sorted out is what range to choose k in when hunting for p. We can work this out by solving the inequalities 2 pbits 1 1 + kq 2 pbits 1, obtaining 2 pbits 1 1 q k 2pbits 2. q As long as we choose k in that range, we ll get values of p of the right size. The next matter to consider is how to find the integer g of order q. Here we follow the hint and invoke the result of exercise 1.33 in the textbook (Problem set 2, problem 6): if we just choose a number a {1, 2,, p 1} at random, and set g a (p 1)/q (mod p), then (a) As long as g 1 (mod p), it will be an element of order q, as desired, and (b) With probability 1 1 q, g won t be 1 (mod p). Probability 1 1 q is high enough that we ll find such a g in very short order (if q is over 64 bits or so in length, as it would be in applications, 1 1 q is so close to 1 that you would not expect to ever need to try more that one random value of a in this process). Here s a sample implementation (if you haven t seen the syntax 1 << n before: it just does the same thing as 2 n, but it s more universal across other programming languages). ### Omitted: is_prime function from previous problem. # Make a random prime of given size def makeprime(bits): while True: p = random.randrange(1<<(bits-1), 1<<bits) if is_prime(p): return p # Make a prime of a given size, in a given congruence class def makeprimeincongclass(bits, rem, modulus): # Find p as rem + k*modulus for some k. Must find min and max possible k. # mink is (2^(bits-1) - rem)/modulus, rounded up. # Rounding up is achieved by adding modulus-1 before division. mink = ((1<<(bits-1))-rem + modulus - 1)/modulus # maxk is (2^bits - 1 - rem)/modulus, rounded down. maxk = ((1<<bits) - 1 - rem)/modulus while True: k = random.randrange(mink,maxk+1) p = rem+modulus*k if is_prime(p): return p def dsaparams(qbits,pbits): q = makeprime(qbits) Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 10 of 13

p = makeprime(pbits,1,q) g = 1 # Just to make the while loop run the first time while g == 1: a = random.randrange(1,p) g = pow(a,(p-1)/q,p) return p,q,g qbits,pbits = map(int,raw_input().split()) p,q,g = dsaparams(qbits,pbits) print p,q,g 11. Alice decides that she wants to receive messages using a non-standard variant of RSA. Like in the usual RSA, she will choose a public key N, e, where N is a number whose factorization she knows, and gcd(e, φ(n)) = 1. In this case, she will take N = pqr, where p, q, r are distinct primes. To encrypt a message m for Alice (0 m < N), Bob computes c m e (mod N). Given the three primes p, q, r, the number e, and the ciphertext c sent by Bob, recover the original plaintext m. Note. While this setup is perfectly functional, in practice it is more efficient to use products of two primes, hence that is the standard. I encourage you to think about why it is more efficient to use only two primes. We proceed as in problem 3 of this problem set, using φ(pqr) = (p 1)(q 1)(r 1). We can simply invert e modulo φ(pqr) and use it as a decryption exponent. ### Omitted: impementation of extended Euclidean algorithm p,q,r,e,c = map(int,raw_input().split()) N = p*q*r phi = (p-1)*(q-1)*(r-1) d = ext_euclid(e,phi)[0] % phi print pow(c,d,n) 12. You will be given an RSA modulus (a product of two distinct primes), 112 bits in length. Factor it if possible. The primes will have been chosen completely at random, i.e. no effort has been made to avoid weak primes. As a result, some of the moduli will be susceptible to Pollard s algorithm (which we discuss in class on Monday), but not all. You are not expected to solve all, or even most, of the test cases; a score of 10/50 (as listed on hackerrank; this corresponds to 20 out of 100 test cases correct) will be regarded as full points in the actual grading spreadsheet. If you devise a problem to solve more testcases than these, you will receive extra credit. Here s one implementation of Pollard s p 1 algorithm that solves 20/100 test cases (10/50 points). It differs from the presentation of the book in two main ways: (a) Rather than choosing one value of a (like a = 2), it runs a series of trials (until one succeeds), choosing a different a at random each time. Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 11 of 13

(b) Instead of stopping at some chosen value for the exponent, it only stops once either a factor is found or a becomes 1 (mod N). Both are detected in the same way: the gcd of a 1 and N becomes greater than 1. import random,fractions # Use Pollard s algorithm to find SOME factor of N # It s possible that it will return N itself def pollard_findfact(n): a = random.randrange(1,n) # Check first whether a is a unit. If not, you have a factor. if fractions.gcd(a,n)!= 1: return fractions.gcd(a,n) j = 2 while fractions.gcd(a-1,n) == 1: a = pow(a,j,n) j += 1 return fractions.gcd(a-1,n) def pollard(n): p = N while p == N: p = pollard_findfact(n) q = N/p if p<q: return p,q else: return q,p # I/O N = int(raw_input()) p,q = pollard(n) print p,q There are a number of ways to try to improve this algorithm to squeeze the runtime down by a constant factor and get a few more test cases in the time limit. One way is suggested in the book: only compute gcd(a 1, N) periodically (not after every step). This saves more time than you would expect; the divide operations needed in the Euclidean algorithm are somewhat more expensive than the multiplications in the fast-powering algorithm. In case you are curious, the following code is the most effective program I found after a fair bit of experimentation. I would not be surprised if it is possible to squeeze still better performance out with some different ideas. This program is able to solve 38/100 test cases within the time limit (19/50 points). I encourage you to puzzle out the ideas underlying this code, and am happy to explain it during office hours. The basic idea is to reach up to larger primes in the exponent more rapidly by skipping any numbers that have already-present factors in them (in this case, we include large powers of 2, 3, 5, 7, 11, and 13 at the beginning, and then skip multiples of any of these primes for the rest of the program). Do note, however, that it is not any better asymptotically than the much easier-to-implement solution above; it just squeezes the Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 12 of 13

constant factor in the runtime down somewhat. In real applications you probably wouldn t want to do this sort of optimization unless you re planning to run a program for a period of weeks or months. import random,fractions smallprimes = 2*3*5*7*11*13 remainders = [i for i in xrange(smallprimes) if fractions.gcd(i,smallprimes)==1] # Use Pollard s algorithm to find SOME factor of N # It s possible that it will return N itself def pollard_findfact(n): a = random.randrange(1,n) for p in [2,3,5,7,11,13]: a = pow(a,p**50,n) if fractions.gcd(a-1,n) > 1: return fractions.gcd(a-1,n) j = 0 while fractions.gcd(a-1,n) == 1: for r in remainders: a = pow(a,smallprimes*j+r,n) j += 1 return fractions.gcd(a-1,n) def pollard(n): while True: p = pollard_findfact(n) assert(p > 1) if p < N: q = N/p if p<q: return p,q else: return q,p Due the night of Thursday 10/27 (hard deadline 4am on 10/28). page 13 of 13

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback