Digital Log

    Intro To Cryptography - Chapter 2

    Problem 2.3

    Let gg be a primitive root for Fp\mathbb{F}_p.

    (a) Suppose that x=ax = a and x=bx =b are both integer solutions to the congruence gxhmod  pg^x \equiv h \mod p. Prove that abmod  p1a \equiv b \mod p-1. Explain why this means that the map (2.1) on page 65 is well-defined.

    Proof: Let ab=(p1)q+ra-b = (p-1)\cdot q + r such that 0r<p10 \le r < p - 1. If we can show that r=0r = 0, then by definition we can conclude abmod  p1a \equiv b \mod p-1. Notice that

    hga=gb+(p1)q+r=gb(gp1)qgrhgrmod  p. h \equiv g^a = g^{b + (p-1)\cdot q + r} = g^b \cdot (g^{p-1})^q \cdot g^r \equiv h \cdot g^r \mod p.

    To be pedantic, we know hh has an inverse hp2h^{p-2}, so we can multiply both sides of this equivalence by the inverse to find that 1grmod  p1 \equiv g^r \mod p. But recall 0r<p10 \le r < p-1; because gg is a generator, it must be the case that r=0r = 0, completing the proof.

    Lastly, by definition logg\log_g is a well-defined function if it maps deterministically; that is, h=j    logg(h)=logg(j)h = j \implies \log_g(h) = \log_g(j) for all h,jFph, j \in \mathbb{F}_p^{\ast}. Recall that gg is a generator, so we can write h=gah = g^a and j=gbj = g^b for some a,bZa, b \in \mathbb{Z}. Equivalently, ga=gbg^a = g^b in Fq\mathbb{F}_q^{\ast}. From the statement proved above, we know that this implies a=ba = b in Z/(p1)Z\mathbb{Z}/(p-1)\mathbb{Z}. Therefore logg(h)=logg(j)\log_g(h) = \log_g(j) and logg\log_g is well-defined.

    (b) Prove that logg(h1h2)=logg(h1)+logg(h2)\log_g(h_1h_2) = \log_g(h_1) + \log_g(h_2) for all h1,h2Fph_1, h_2 \in \mathbb{F}_p^\ast.

    Proof: Let a,bZ/(p1)Za, b \in \mathbb{Z}/(p-1)\mathbb{Z} such that ga=h1g^a = h_1 and gb=h2g^b = h_2. Then

    logg(h1h2)=logg(gagb)=logg(ga+b)=a+b=logg(h1)+logg(h2). \log_g(h_1h_2) = \log_g(g^ag^b) = \log_g(g^{a+b}) = a + b = \log_g(h_1) + \log_g(h_2).

    (c) Prove that logg(hn)=nlogg(h)\log_g(h^n) = n \log_g(h) for all hFph \in \mathbb{F}_p^\ast and all nZn \in \mathbb{Z}.

    Proof: First we'll handle n0n \ge 0 by induction. For the base case, clearly

    logg(h0)=logg(1)=0=0logg(h). \log_g(h^0) = \log_g(1) = 0 = 0 \cdot \log_g(h).

    Next suppose for some k>=0k >= 0, logg(hk)=klogg(h)\log_g(h^k) = k\log_g(h). By part (b) we have

    logg(hk+1)=logg(hkh)=logg(hk)+logg(h) \log_g(h^{k+1}) = \log_g(h^kh) = \log_g(h^k) + \log_g(h)

    and by the inductive hypothesis,

    logg(hk+1)=klogg(h)+logg(h)=(k+1)logg(h). \log_g(h^{k+1}) = k\log_g(h) + \log_g(h) = (k+1)\log_g(h).

    We conclude by induction that the statement holds for all n0n \ge 0. For negative numbers, let's do induction in reverse. First, let's consider the base case of a negative exponent:

    h1=h11=h1hp1=hp2h^{-1} = h^{-1}\cdot 1 = h^{-1}\cdot h^{p-1} = h^{p-2}

    in Fp\mathbb{F}_p^\ast, a fact which we've previously seen in the fast powering algorithm. Since we've already proved this for nonnegative integers, and p20p - 2 \ge 0, we have

    logg(h1)=logg(hp2)=(p2)logg(h)=(p1)logg(h)logg(h)=1logg(h). \begin{align*} \log_g(h^{-1}) &= \log_g(h^{p-2}) = (p-2)\log_g(h) \\ &= (p-1)\log_g(h) - \log_g(h) \\ &= -1 \cdot \log_g(h). \end{align*}

    Suppose our statement holds for some k1k \le -1. Then

    logg(hk1)=logg(hkh1)=logg(hk)+logg(h1) \log_g(h^{k-1}) = \log_g(h^kh^{-1}) = \log_g(h^k) + \log_g(h^{-1})

    and by the inductive hypothesis and base case, we know

    logg(hk)+logg(h1)=klogg(h)logg(h)=(k1)logg(h). \log_g(h^k) + \log_g(h^{-1}) = k\log_g(h) - \log_g(h) = (k-1)\log_g(h).

    By induction, we conclude the statement holds for all negative integers nn. We have thus tediously and pedantically completed the proof.

    Problem 2.6

    Alice and Bob agree to use the prime p=1373p = 1373 and the base g=2g = 2 for a Diffie-Hellman key exchange. Alice sends Bob the value A=974A = 974. Bob asks your assistance, so you tell him to use the secret exponent b=871b = 871. What value BB should Bob send to Alice, and what is their secret shared value? Can you figure out Alice's secret exponent?

    Solution: Bob should send

    B=gbmod  p=2871mod  1373=805 B = g^b \mod p = 2^{871} \mod 1373 = 805

    Their secret shared value is

    S=Abmod  p=974871mod  1373=397. S = A^b \mod p = 974^{871} \mod 1373 = 397.

    Since there are at most 1372 values to search for p=1373p = 1373, it is quite easy to find a=587a = 587:

    const A: u32 = 974;
const P: u32 = 1373;
let e = (1..P).find(|&e| mod_pow(2, e, P) == A);
assert_eq!(e, Some(587));

    Problem 2.9

    Suppose that Eve is able to solve the Diffie-Hellman; that is, given gu,gvmod  pg^u, g^v \mod p, then she is able to compute guvmod  pg^{uv} \mod p. Show that Eve can break the Elgamal PKC.

    Proof: Suppose Alice and Bob are communicating via Elgamal with parameters g,pg, p, where Alice has chosen private key aa and public key AA. Suppose further that Bob has used random element kk in his encryption of ciphertext (c1,c2)(c_1, c_2). We need to show that Eve can recover the underlying plaintext mm.

    Eve can do this by using her Diffie-Hellman oracle with values A=gaA = g^a and c1=gkc_1 = g^k to obtain s=gaks = g^{ak}. Then she can compute the inverse s1s^{-1} (via the sp2s^{p-2} and fast powering algorithm for example) and use it to find mm:

    c2s1mAk(gak)1mgak(gak)1mmod  p c_2 \cdot s^{-1} \equiv mA^k \cdot (g^{ak})^{-1} \equiv m\cdot g^{ak}\cdot (g^{ak})^{-1} \equiv m \mod p

    Problem 2.14

    Prove that each of the following maps is a group homomorphism.

    (a) The map ϕ:ZZ/NZ\phi: \mathbb{Z} \to \mathbb{Z}/N\mathbb{Z} that sends aZa\in \mathbb{Z} to amod  Na\mod N.

    Proof: Let a=Nqa+raa = N\cdot q_a + r_a and b=Nqb+rbb = N\cdot q_b + r_b such that 0ra,rb<N0 \le r_a, r_b < N. It follows that ϕ(a)=ra\phi(a) = r_a and ϕ(b)=rb\phi(b) = r_b. Finally

    ϕ(a+b)=ϕ(Nqa+ra+Nqb+rb)=Nqa+ra+Nqb+rbmod  Nra+rbϕ(a)+ϕ(b)mod  N \begin{align*} \phi(a+b) &= \phi(N\cdot q_a + r_a + N\cdot q_b + r_b) \\ &= N\cdot q_a + r_a + N\cdot q_b + r_b \mod N \\ &\equiv r_a + r_b \\ &\equiv \phi(a) + \phi(b) \mod N \end{align*}

    (b) The map ϕ:RGL2(R)\phi: \mathbb{R}^\ast \to GL_2(\mathbb{R}) defined by

    ϕ(a)=(a00a1).\phi(a) = \begin{pmatrix} a & 0 \\ 0 & a^{-1} \end{pmatrix}.

    Proof: Let a,bRa, b \in \mathbb{R}^\ast.

    ϕ(a)ϕ(b)=(a00a1)(b00b1)=(ab00a1b1)=(ab00(ab)1)=ϕ(ab) \begin{align*} \phi(a)\phi(b) &= \begin{pmatrix}a & 0 \\ 0 & a^{-1}\end{pmatrix}\begin{pmatrix}b & 0 \\ 0 & b^{-1}\end{pmatrix} \\ &= \begin{pmatrix}ab & 0 \\ 0 & a^{-1}b^{-1}\end{pmatrix} \\ &= \begin{pmatrix}ab & 0 \\ 0 & (ab)^{-1}\end{pmatrix} \\ &= \phi(ab) \end{align*}

    (c) The discrete log map logg:FpZ/(p1)Zlog_g: \mathbb{F}_p^\ast \to \mathbb{Z}/(p-1)\mathbb{Z} where gg is a primitive root modulo pp.

    Proof: This follows immediately from Problem 2.3(b) proved above.

    Problem 2.19

    Solve the 1700-year-old Chinese remainder theorem problem from the Sun Tzu Suan Ching:

    We have a number of things, but we do not know exactly how many. If we count them by threes, we have two left over. If we count them by fives, we have three left over. If we count them by sevens, we have two left over. How many things are there?

    Solution: This translates to the following system of congruences:

    1. x2mod  3x \equiv 2 \mod 3
    2. x3mod  5x \equiv 3 \mod 5
    3. x2mod  7x \equiv 2 \mod 7

    We can satisfy the first congruence generally with x=2+3yx = 2 + 3y. Substituting this into the second congruence,

    2+3y3mod  5    3y1mod  5 2 + 3y \equiv 3 \mod 5 \implies 3y \equiv 1 \mod 5

    and, using the program written for 1.34c, we find 312mod  53^{-1} \equiv 2 \mod 5, so

    y2mod  5y \equiv 2 \mod 5

    and this gives the value

    x=2+3y=2+32=8 x = 2 + 3y = 2 + 3\cdot 2 = 8

    as a solution to the first two congruences. A general solution is thus

    x=8+15z. x = 8 + 15z.

    Substituting this into the third equation yields

    8+15z2mod  7    z1.8 + 15z \equiv 2 \mod 7 \implies z \equiv 1.

    Finally,

    x=8+15z=8+15=23.x = 8 + 15z = 8 + 15 = 23.

    A quick sanity check shows that indeed:

    1. 232mod  323 \equiv 2 \mod 3
    2. 233mod  523 \equiv 3 \mod 5
    3. 232mod  723 \equiv 2 \mod 7

    Problem 2.35

    Let

    a=x5+3x45x33x2+2x+2 \textbf{a} = x^5 + 3x^4 - 5x^3 - 3x^2 + 2x + 2

    b=x5+x42x3+4x2+x+5 \textbf{b} = x^5 + x^4 - 2x^3 + 4x^2 + x + 5

    Use the Euclidean algorithm to compute gcd(a,b)\gcd(\textbf{a}, \textbf{b}) in each of the following rings.

    (a) F2[x]\mathbb{F}_2[x]

    1. a=b1+(x3+x2+x+1)\textbf{a} = \textbf{b}\cdot1 + (x^3 + x^2 + x + 1)
    2. b=(x3+x2+x+1)(x2+1)+0\textbf{b} = (x^3 + x^2 + x + 1)\cdot (x^2 + 1) + 0

    Therefore gcd(a,b)=x3+x2+x+1.\gcd(\textbf{a}, \textbf{b}) = x^3 + x^2 + x + 1.

    (b) F3[x]\mathbb{F}_3[x]

    1. a=b1+(2x4+2x2+x)\textbf{a} = \textbf{b}\cdot 1 + (2x^4 + 2x^2 + x)
    2. b=(2x4+2x2+x)(2x+2)+(x2+2x+2)\textbf{b} = (2x^4 + 2x^2 + x)\cdot (2x + 2) + (x^2 + 2x + 2)
    3. (2x4+2x2+x)=(x2+2x+2)(2x2+2x)+0(2x^4 + 2x^2 + x) = (x^2 + 2x + 2)\cdot (2x^2 + 2x) + 0

    Therefore gcd(a,b)=x2+2x+2.\gcd(\textbf{a}, \textbf{b}) = x^2 + 2x + 2.

    (c) F5[x]\mathbb{F}_5[x]

    1. a=b1+(2x4+2x3+3x2+x+2)\textbf{a} = \textbf{b}\cdot 1 + (2x^4 + 2x^3 + 3x^2 + x + 2)
    2. b=(2x4+2x3+3x2+x+2)(3x)+(4x3+x2)\textbf{b} = (2x^4 + 2x^3 + 3x^2 + x + 2)\cdot (3x) + (4x^3 + x^2)
    3. (2x4+2x3+3x2+x+2)=(4x3+x2)(3x+1)+(2x2+x+2)(2x^4 + 2x^3 + 3x^2 + x + 2) = (4x^3 + x^2)\cdot (3x + 1) + (2x^2 + x + 2)
    4. (4x3+x2)=(2x2+x+2)(2x+2)+(4x+1)(4x^3 + x^2) = (2x^2 + x + 2)\cdot (2x + 2) + (4x + 1)
    5. (2x2+x+2)=(4x+1)(2x+2)+0(2x^2 + x + 2) = (4x + 1)\cdot (2x + 2) + 0

    Therefore gcd(a,b)=x+4\gcd(\textbf{a}, \textbf{b}) = x + 4, the monic version of polynomial 4x+1.4x + 1.

    (d) F7[x]\mathbb{F}_7[x]

    1. a=b1+(2x43x3+x3)\textbf{a} = \textbf{b}\cdot1 + (2x^4 - 3x^3 + x - 3)
    2. b=(2x43x3+x3)(4x+3)+3x\textbf{b} = (2x^4 - 3x^3 + x - 3)\cdot(4x + 3) + 3x
    3. 4x+3=3x6+34x + 3 = 3x\cdot 6 + 3
    4. 3x=3x+03x = 3\cdot x + 0

    Since 11 is the monic version of polynomial 33, gcd(a+b)=1\gcd(\textbf{a} + \textbf{b}) = 1.