YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

	CPSC 467a: Cryptography and Computer Security	Handout #15
Xueyuan Su		November 9, 2008

Solution to Problem Set 4

Due on Monday, November 3, 2008.

In the problems below, “textbook” refers to Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition, Chapman & Hall/CRC, 2006.

Problem 1: Homomorpohic Mapping χ

Textbook, problem 5.5.

Solution:

According to Chinese remainder theorem, define the function χ^-1 : Z₃ × Z₅ × Z₇ → Z₁₀₅ as follows:

( ) - 1 ∑ 3 χ (a1,a2,a3) = aiMiNi mod 105, i=1

(1)

where {n_i} = {3,5,7}, N_i = 105∕n_i and M_i = N_i^-1 mod n_i. Therefore, we compute χ^-1(a₁,a₂,a₃) as follows:

) n1 = 3,N1 = 35,M1 = 35-1 mod 3 = 2 } n2 = 5,N2 = 21,M2 = 21-1 mod 5 = 1 n = 7,N = 15,M = 15-1 mod 7 = 1 ) 3 3 3

⇒ χ-1(a1,a2,a3) = (70a1 + 21a2 + 15a3) mod 105

(2)

Thus we can compute χ^-1(2,2,3) = (70 × 2 + 21 × 2 + 15 × 3) mod 105 = 17.

Problem 2: Chinese Remainder Theorem

Textbook, problem 5.6.

Solution:

According to Chinese remainder theorem, define x as follows:

( ) - 1 ∑3 x = χ (a1,a2,a3) = aiMiNi mod (25 × 26× 27), i=1

(3)

Therefore, we compute χ^-1(a₁,a₂,a₃) as follows:

n₁ = 25, N₁ = 702, M₁ = 702^-1 mod 25 = (-12) mod 25 = 13.

| | --i|--ri---ui----vi-|qi- 1 |702 1 0 | 2 | 25 0 1 |28 | | 3 | 2 1 - 28 |12 4 | 1 - 12 337 |

n₂ = 26, N₂ = 675, M₂ = 675^-1 mod 26 = (-1) mod 26 = 25.

| | i | ri ui vi| qi -1-|675----1----0-|---- | | 2 | 26 0 1 |25 3 | 25 1 - 25 | 1 4 | 1 - 1 26 |

n₃ = 27, N₃ = 650, M₃ = 650^-1 mod 27 = (-13) mod 27 = 14.

i| ri ui vi |qi -1-|650-----1-----0-|--- | | 2 | 27 0 1 |24 3 | 2 1 - 24 |13 4 | 1 - 13 313 |

x = χ-1(12,9,23) = (702× 13 × 12 + 675× 25 × 9+ 650× 14 × 23) mod (25× 26 × 27) = 14387

Problem 3: Primitive Root

Textbook, problem 5.9.

Solution:

Lucas test says, g is a primitive root of p if and only if g^(p-1)∕q ⁄≡ 1 (mod p) for all q > 1 such that q∣(p - 1). Now because p and q are odd primes such that p = 2q + 1, there are only two integers that we need to test with, 2 and q. We know that α ⁄≡±1 (mod p). Then α² ⁄≡ 1 (mod p) since if it were, α would be a square root of 1 (mod p), and the only square roots of 1 modulo a prime are ±1.

Now let us look at α^q. Since p is a prime and α Z*_p, then ϕ(p) = p- 1 = 2q, so by Euler’s theorem, α^2q ≡ 1 (mod p). Then α^q is a square root of 1 (mod p), so

q α ≡ ±1 (mod p).

(4)

According to Lucas test, α is a primitive root of p if and only if α^q ⁄≡ 1 (mod p). Combining this with (4), we conclude that α is a primitive root of p if and only if α^q ≡-1 (mod p).

Problem 4: RSA Speedup

Textbook, problem 5.13.

Solution:

We have the following equations:
$dp = d mod (p- 1 ) (5) d = d mod (q - 1) (6) q d xp = y p mod p (7) xq = ydq mod q (8) x = Mpqxp + Mqpxq mod n (9)$
Combining (5) and (7) gives
$x = ydmod (p-1) mod p p$ (10)

Since p is prime, ϕ(p) = p - 1. According to Euler’s theorem, if gcd(a,p) = 1, then a^p-1 ≡ 1 (mod p), which implies
$d ⌊d∕(p-1)⌋(p-1)+d mod(p-1) dmod(p-1) y = y ≡ y (mod p)$ (11)

Combining (10) and (11) gives
$d y mod p ≡ xp (mod p)$ (12)

Similarly, from (6) and (8) we can derive
$d y mod p ≡ xq (mod q)$ (13)

Therefore, according to Chinese reminder theorem, there is a unique solution for y^d mod p, which is calculated exactly the same as (9) does. Thus we conclude that the value x returned by this algorithm is in fact y^d mod p.
$dp = 1234577 mod (1511- 1) = 907 dq = 1234577 mod (2003- 1) = 1345 M = 2003 -1 mod 1511 = 777 p -1 Mq = 1511 mod 2003 = 973$
$xp = 152702907 mod 1511 = 242 x = 1527021345 mod 2003 = 1087 q x = (777 × 2003× 242+ 973 × 1511 × 1087) mod (1511× 2003) = 1443247$

Problem 5: RSA Insecure Against Chosen Ciphertext Attack

Textbook, problem 5.14

Solution:

Let yŷ ≡ 1 (mod n). Then the multiplicative property implies

1 = yˆy mod n = eK(x)eK(ˆx) mod n = ek(xxˆmod n)

(14)

Applying decryption function D_K^′(⋅) to both sides of (14) and noting D_K^′(1) = 1, we have

1 = xˆx mod n

(15)

Given , we can easily compute x using extended Euclidean algorithm.

Problem 6: RSA Common Modulus Failure

Textbook, problem 5.16.

Solution:

We have the following equations:
$b1 y1 = x mod n (16) y2 = xb2 mod n (17) - 1 c1 = b1 mod b2 (18) c2 = (c1b1 - 1)∕b2 (19) x1 = yc1(yc2)-1 mod n (20) 1 2$
Plugging (17-19) into (20) gives
$x1 = (xb1c1)(xb2c2)-1 mod n = (xb1c1)(xb1c1-1)-1 mod n b1c+1- bc = x 1 1 1 mod n = x mod n = x (21)$
Applying (18-20) gives
$-1 c1 = 43 mod 7717 = 2692 c2 = (2692× 43 - 1)∕7717 = 15 2692 -15 x1 = (12677 × 14702 ) mod 18721 = (13145× 3947- 1) mod 18721 = (13145× 5668) mod 18721 = 15001 (22)$