MMTE-006

CRYPTOGRAPHY
Indira Gandhi
National Open University
School of Sciences

Block

3
PUBLIC KEY CRYPTOSYSTEMS AND DIGITAL
SIGNATURE
UNIT 7
Public Key Encryption 5
UNIT 8
Digital Signatures 37
UNIT 9
Practical Guide 53
 Curriculum Design Committee
Dr. B.D. Acharya Prof. O.P. Gupta Prof. C. Musili
Dept. of Science & Technology Dept. of Financial Studies Dept. of Mathematics and Statistics
New Delhi University of Delhi University of Hyderabad
Prof. Adimurthi Prof. S.D. Joshi Prof. Sankar Pal
School of Mathematics Dept. of Electrical Engineering ISI, Kolkata
TIFR, Bangalore IIT, Delhi Prof. A.P. Singh
Prof. Archana Aggarwal Dr. R. K. Khanna PG Dept. of Mathematics
CESP, School of Social Sciences Scientific Analysis Group University of Jammu
JNU, New Delhi DRDO, Delhi Faculty Members
Prof. R. B. Bapat Prof. Susheel Kumar School of Sciences, IGNOU
Indian Statistical Institute, New Delhi Dept. of Management Studies Dr. Deepika
IIT, Delhi Prof. Poornima Mital
Prof. M.C. Bhandari Dr. Atul Razdan
Dept. of Mathematics Prof. Veni Madhavan Prof. Parvin Sinclair
IIT, Kanpur Scientific Analysis Group Prof. Sujatha Varma
Prof. R. Bhatia DRDO, Delhi Dr. S. Venkataraman
Indian Statistical Institute, New Delhi Prof. J.C. Mishra
Prof. A. D. Dharmadhikari Dept. of Mathematics
Dept. of Statistics IIT, Kharagpur
University of Pune

Course Design Committee

Prof. C.A. Murthy Faculty Members

ISI, Kolkata School of Sciences, IGNOU
Prof. S.B. Pal Dr. Deepika
IIT, Kharagpur Prof. Poornima Mital
Dr. Atul Razdan
Dr. B.S. Panda Prof. Parvin Sinclair
IIT, Delhi Dr. S. Venkataraman
Prof. C.E. Veni Madhavan
IISC, Bangalore

Block Preparation Team

Dr. Dhananjay Dey (Editor) Dr. S. Venkataraman
Scientist ‘F’ School of Sciences
DRDO IGNOU

Course Coordinator: Dr. S. Venkataraman

Block Production
Shri Sunil Kumar, AR(P)
School of Sciences, IGNOU
January, 2015
c Indira Gandhi National Open University, 2015
ISBN:978-81-266-
All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any other means, without written permission from
the Indira Gandhi National Open University.
Further information on the Indira Gandhi National Open University courses may be obtained from the University’s office at Maidan Garhi,
New Delhi-110 068 or from the University’s website http://www.ingou.ac.in.
Printed and Published on behalf of Indira Gandhi National Open University, New Delhi, by Director, School of Sciences.
BLOCK INTRODUCTION
In the previous block, we saw that the development of computers made many of the
earlier ciphers obsolete and led to the development of stronger ciphers. Another major
development that followed the development of modern computer is that of networking.
This enabled computers to communicate each other. This, in turn, lead to the internet
and world wide web. These developments made more demands on Cryptography. In
this Block, we will discuss some modern developments, particularly those that have
played a key role in the internet era and have driven e-commerce development.

One of the problems that was a hurdle for widespread use of Cryptography was the
problem of key exchange, i.e. exchange of keys before communication can be started.
Parties had to meet at one place to agree on keys or keys had to be distributed by trusted
couriers. The secrecy could be compromised if these means were not adopted.

In their path breaking paper [5], Diffie and Hellman discussed a secure method for
exchanging keys without meeting in person or using trusted couriers. Their method was
based on the fact that finding discrete logarithms is difficult. They also proposed a
frame work for a new type of cryptosystems called Public Key Cryptosystems.

In this cryptosystem, it is possible for perfect strangers to exchange information

secretly without meeting in person. This is possible because, in this cryptosystem, the
encryption function of each user is made public while the decryption function is kept
secret. Since the encryption function of any user, say Alice, is available, any other user,
say Bob, Bob can send a message to Alice, encrypted with her encryption function.
Since decryption function is kept a secret, only Alice, who is the intended recipient of
the message can decrypt and read the messsage. To find the decryption function, any
eavesdropper has to solve a computationally difficult problem. However, Diffie and
Hellman did not propose such a cryptosystem.

In their paper [14], Rivest, Shamir and Adleman proposed such a cryptosystem based
on the fact that it is difficult to factorise a natural number. They also proposed a method
for digitally signing documents, which is an analogue of the physical signature on
documents. In [6], ElGamal proposed a cryptosystem based on the fact that it is
difficult to find discrete logarithms in an abelian group. We discuss these cryptosystems
in Unit 7. In the same Unit, we also take on the role of a cryptanalyst who tries to break
these cryptosystems. Since the two cryptosystems are based on the computational
difficulty of factoring and discrete logarithm problems, we discuss methods for
factoring and solving discrete logatithms.

It is now known that James Ellis, who worked for Communication-Electronics Security
Group (GESG) which was a part of Government Communications Headquarters
(GCHQ) of UK also came up with the idea of a public key cryptosytem in 1969.
Clifford Cocks, also of the GCHQ came up with a system similar to RSA in 1973. The
Diffie-Hellman key exchange was discovered by Williamson of GCHQ around 1975,

In the third Unit, we discuss digital signatures. They are the digital analogues of the
conventional signatures. Digital signatures provide the functionalities provided by
conventional signatures, namely authentication and non-repudiation. In this Unit, we
discuss three digital signature algorithms, namely RSA signature algorithm, ElGamal
algorithm and Digital Signature Standard.

In the final Unit, we have given the practical exercises for this course. As in other
courses, you have to complete 70% of the sessions to be elgible to appear for the
practical examination.

If you have comments, corrections or if you need clarification, please write to:
[email protected].
NOTATIONS AND SYMBOLS

a⊕b Bit string obtained by XORing the bit string a with bit string b, page 12

C Ciphertext space, page 6

≡ Congruent to, page 7

Dk Decryption function, page 6

alogα k Discrete antilogarithm of k to the base α, page 13

logα γ Discrete logarithm of γ to the base α, page 13

(EA , DA ) Encryption and decryption functions of Alice, page 39

(EB , DB ) Encryption and decryption functions of Bob, page 39

Ek Encryption function, page 6

φ Euler Phi function, page 7

Fq Finite field with q elements, page 13

Z∗n Group of units in Zn , page 13

K Key Space, page 6

M Message, page 7

(nA , eA ) Modulus and public key of Alice, page 42

(nB , eB ) Modulus and public key of Bob, page 42

F∗q Multiplicative group of nonzero elements of Fq , page 13

P Plaintext space, page 6

Zn Ring of integers modulo n, page 13

UNIT 7 PUBLIC KEY ENCRYPTION
Structure Page No.
7.1 Introduction 5
Objectives
7.2 Public Key Cryptosystems 6
7.3 The RSA Cryptosystem 7
7.4 Diffie-Hellman Key Exchange and the ElGamal Cryptosystem 13
Diffie-Hellman key exchange
ElGamal Cryptosystem
7.5 Integer Factorisation and Discrete Logarithms 18
Computing Discrete Logarithms
7.6 Summary 31
7.7 Solutions/Answers 31

7.1 INTRODUCTION

In the previous block, we discussed some symmetric key cryptosystems where we can
obtain the decryption key from the encryption key. Because of this reason, the key has
to be kept secret and the parties that want to communicate securely have to find a way
of exchanging the keys. This was not a problem in the earlier times when the
cryptography was not used widely and the users were very few.

However, things changed with invention of more communication tools and the digital
computer. Many commercial organisations started using cryptography and they faced
the problem of distributing keys. The organisations exchanged keys through trusted
couriers or meeting in person. In their path breaking paper [5], Diffie and Hellman
proposed the framework for a new cryptosystem called public key cryptosystem.
However, they did not give any concrete example. In public key cryptosystem, the
encryption key can be made public without compromising the security. So, people can
send messages to each other without exchanging keys before.

In Sec. 2, we will introduce you to public key cryptosystems. In Sec. 3, we will discuss
RSA public key cryptosystem. In Sec. 4, we will discuss the ElGamal public key
cryptosystem. In the same paper where they discussed the public key crypto system,
Diffie and Hellman also gave a method of exchanging keys without meeting in person
or using trusted couriers. We will discuss this also in Sec. 4. The security of the RSA
cryptosystem is based on the fact that integer factorisation is a ‘hard’ problem.
Similarly, the security of the ElGamal cryptosystem is based on the fact that discrete
logarithm problems is a ‘hard’ problem. we will discuss the integer factorisation
problem and discrete logarithms problem in Sec. 5.

Objectives
After studying this unit, you should be able to
• explain what is a one way function;
• explain what is a cryptographic protocol;
• explain the RSA algorithm;
• explain the ElGamal algorithm;
• explain Fermat factorisation algorithm, p − 1 algorithm and the quadratic sieve
algorithm; and 5
Public Key Cryptosystems • explain Pohling-Hellman algorithm, Baby Step-Giant Step alogrithm and the index
and Digital Signature
calculus algorithm for discrete logarithms.

7.2 PUBLIC KEY CRYPTOSYSTEMS

In Block 2, we discussed symmetric key cryptosystems like DES, AES and RC4. The
drawback in these systems is that the communicating parties have to exchange the keys
securely before they start their communication. Another issue is the huge storage
required for storing all the encryption and decryption keys. Also, until the parties
exchange the keys, it is not possible for the parties to communicate securely. In
commercial activities, organisations need to communicate securely with other
organisations or persons with whom they have not had any previous transaction. In
such cases, commercial organisations may lose business opportunities if they wait till
they decide upon the keys.

To overcome this difficulty, in [5], Diffie and Hellman described a new concept, the
public key cryptosystem. However, they didn’t propose any specific cryptosytem based
on this. As we will see later, specific systems that were based on this concept were
invented by others. In the same paper they also proposed a method by which two
parties that want to communicate with each other can exchange keys securely without
meeting in person.

Note that, in the case of symmetric key cryptosystems, we assume that it is not possible
break the cryptosystem by exhaustive key search, i.e. it will require impossibly large
memory and time to try out all the keys. As we will see in the definition that follows, in
the public key cryptosystems, we assume that it is ‘computationally infeasible’ to find
the decryption key from the encryption key.

Before we formally define a public key cryptosystem, we need the following definition:

Definition 1: A task is computationally infeasible if either the memory required or the

time taken for carrying out the task is finite, but impossibly large.

We begin by formally defining a public key cryptosystem.

Definition 2: A public key cryptosystem is a pair of families {Ek }k∈K and {Dk }k∈K
You may like to refer to of functions satisfying
pages 51 and 52 of Block 1
to recall what K , P and C Ek : P −→ C (1)
are.
and

Dk : C −→ P (2)

such that:
1) For every k ∈ K , Ek is the inverse of Dk .
2) For every k ∈ K and p ∈ P, c ∈ C , Ek (p) and Dk (c) are easy to compute.
3) For every k ∈ K , it is feasible to compute inverse pairs Ek and Dk from k.
4) For almost every k ∈ K , it is computationally infeasible to derive Dk from Ek
without knowing k.

Property 4 of Definition 2 allows us to disclose the enciphering function Ek without

compromising security. The cryptosystem has two parts, a family of enciphering
transformations and a famility of deciphering transformations. It is infeasible to find the
6 deciphering transformation from the enciphering transformation.
Property 3 of Definition 2 guarantees that we can compute the corresponding pairs of Public Key Encryption
inverse transformations when there is no constraint on what the enciphering
transformation or deciphering transformation should be.

Definition 3: A bijective function f : A −→ B is a one way function if we can compute

f(a) easily for any a ∈ A, but, given b ∈ B, it is computationally infeasible to compute
its inverse image f−1 (b).

After the paper [5] was published, many people provided examples of one way
functions and designed cryptosystems based on them. We will discuss some of them
now.

In [14], Rivest, Shamir and Adleman described the RSA cryptosystem. This is one of
the most popular systems for public key encryption and is widely used. Let us now
discuss this encryption algorithm.

7.3 THE RSA CRYPTOSYSTEM

Suppose you are given two 300 digit prime numbers and asked to multiply them, you Of course, with
can multiply them quite quickly on a computer. But, if you are given a product of two improvements in
carefully chosen 300 digit primes and asked to find what the primes are, it may take computational power, the
millions of years to find it using the knowledge and the computing power available number of digits required to
make factorisation
now. This was the idea behind the design of the RSA cryptosystem that we will study in
computationally infeasible
this section. will increase.
Suppose Bob wants to use the RSA cryptosystem to receive messages. He does the
following:

1) Selects two large primes p and q and multiplies them to get n = pq.

2) Selects e such that Recall that (a, b) denotes

the greatest common divisor
(e, (p − 1)(q − 1)) = 1. (3) of a and b.

Note that, (p − 1)(q − 1) = φ (n) where φ (n) is the Euler’s φ function(see Block 1
of this course and Block 1 of MMT-003.). He can then find integers d, d0 using
extended euclidean algorithm(see Unit 2 of Block 1)such that

de + d0 (p − 1)(q − 1) = 1, i.e. de ≡ 1 (mod (q − 1)(p − 1)). (4)

We call n, the modulus of encryption, e, the encryption exponent and d, the

decryption exponent.

3) Publishes the values of n and e, but keeps p, q and d a secret.

Now, if Alice wants to send a message to Bob, she looks up the values of n and e. She
represents the message by a number, say M , 0 ≤ M ≤ n − 1, and calculates

c ≡ Me (mod n)

and sends the value c to Bob. If the message is long, she breaks up the message into
blocks so that each block can be represented by a number between 0 and n − 1. We will
discuss some methods for converting text into numbers in the practical guide. Here, we
will assume that we have converted text to a number using any of the methods.

Bob decrypts the message by raising c to the power d modulo n. Of course, both Bob
and Alice can calculate the powers using repeated squaring algorithm we discussed in 7
Public Key Cryptosystems Block 1. Before we prove that the encryption and decryption work correctly, let us look
and Digital Signature
at some examples.

Example 1: Let us take p = 13, q = 19. Then, n = 247 and φ (n) = 12 · 18 = 216. Let
us take e = 7. Note that, this is a valid choice since (7, 216) = 1. Using extended
euclidean algorithm, we get 7 · 31 − 216 = 1, so d = 31.

Suppose the message is M = 115. We have,

1157 ≡ 210 (mod 247).

We can calculate 1157 (mod 247) using repeated square algorithm in page 34 of Block
1 with the help of a calculator. Here are the values at the end of each iteration, so that
you can check your calculations.

At the end of iteration 1, m = 3 P = 115 b = 134

At the end of iteration 2, m = 1 P = 96 b = 172
At the end of iteration 3, m = 0 P = 210 b = 191

Here, we have calculated all the values modulo 247. We have also used the same
notation as in Block 1. So, c, the encrypted text is 210.

Again, to decrypt, we raise 210 to the power 31 modulo 247. Here are the calculations
using repeated squaring method:

At the end of iteration 1, m = 15 P = 210 b = 134

At the end of iteration 2, m=7 P = 229 b = 172
At the end of iteration 3, m=3 P = 115 b = 191
At the end of iteration 4, m=1 P = 229 b = 172
At the end of iteration 5, m=0 P = 115 b = 191

So, 21031 ≡ 115 (mod 247). So, the encryption and decryption functions work
correctly.

∗∗∗

Here are some exercises for you to check your understanding.

E1) Take p = 7, q = 11. Find φ (n). Check that e = 6 is a proper encryption exponent
and if it is not, find a suitable encryption and decryption exponent. Encrypt the
message M = 40 and check your decryption exponent by checking that c
decrypts correctly.

E2) Let p = 17, q = 23 and e = 71. If the ciphertext is 171, find the plaintext.

Let us now see why the RSA algorithm is correct. Suppose M is the plain text and c is
the cipher text.

We have

cd ≡ (M e )d ≡ M ed (mod n) (5)

We have M ed = M 1+kφ (n) for some integer k since ed ≡ 1 (mod φ (n)). So, if
(M , n) = 1, then M ed ≡ M (mod n) since M φ (n) ≡ 1 (mod n) by Euler’s theorem.

If (M , n) 6= 1, we have p | M , q - M , or q | M , p - M or both p and q divide M . Let

us first consider the case p | M , q - M . Then, M ≡ 0 (mod p), so M ed ≡ 0 ≡ M
8 (mod p).
Since (M , q) = 1, M q−1 ≡ 1 (mod q) by Fermat’s theorem. So, Public Key Encryption

k(p−1)
M 1+k(p−1)(q−1) ≡ M · M k(p−1)(q−1) ≡ M · M q−1 ≡ M (mod q).

In other words, p
| M ed − M , and q | M ed − M . Therefore, since (p, q) = 1,

pq | M ed − M , i.e. M ed ≡ M (mod n).

We can dispose the other case, q | M , p - M , similarly. If M is divisible by both p and

q, then M ≡ 0 (mod n), So, M ed ≡ 0 ≡ M (mod n).

Let us now verify that the RSA cryptosystem has the properties mentioned in
Definition 2. Let us take

K = {(e, p, q) ∈ N × N × N | (e, (p − 1)(q − 1)) = 1} .

For each k = (e, p, q) ∈ K , we have Ek : P −→ C given by Ek (M ) ≡ M e (mod n)

and Dk (c) ≡ cd (mod n) where d is uniquely determined mod (p − 1)(q − 1). So,
condition 1) of Definition 2 is satisfied. We can easily compute these powers by
repeated squaring algorithm. So, 2) of Definition 2 is also satisfied.

Of course, once we know e, p and q, we can easily calculate d. So, condition 3) is also
satisfied.

Regarding 4), it is believed by experts that only way of finding d from n and e is to
factorise n, find φ (n) and use it to find d from e and φ (n) by extended euclidean
algorithm. Of course, we cannot prove that factorising n is the only way to find φ (n),
though experts believe this is so. DeLaurentis, [4], and Miller,[8], show that computing
an RSA private key (p, q, d) from its public key (n, e) is as difficult as factoring.

Remark 1: Note that, if we know n and φ (n), we can recover p and q as follows: We
have

φ (n) = pq − p − q + 1 = n − (p + q) + 1

Since we know n, we can find p + q from the above equation. Since we know pq = n
and p + q, we can find p and q by factoring the quadratic equation

x2 − (p + q)x + pq = 0.

For example, if we know that n = 29591 and φ (n) = 29232. Then,

φ (n) = 29232 = n − (p + q) + 1 = 29591 − (p + q) + 1

∴ p + q = 29591 + 1 − 29232 = 360

So, p and q are the roots of the equation x2 − 360x + 29591. Solving, we get the roots
127 and 233. So, 29591 = 127 · 233.

Here is an exercise to test your understanding of the above remark.

E3) You are given that n = 31309 and φ (n) = 30940. Find the factors of p and q.

What we have described is the bare bones version of the RSA algorithm. However,
when we implement it, we have to take many precautions. Let us now discuss some of
them now.

We mentioned that the only way of finding the decryption exponent seems to be
factoring n. It is easy to factorise n if the primes are not properly chosen. If p and q are 9
Public Key Cryptosystems
and Digital Signature
See pages 41 and 42 of
Block 1 for a discussion of
Rabin-Miller test.
10
close to each other so that |p − q| is small, then we can factorise n using Fermat’s
method that we will discuss in the section on integer factorisation.
Also, if p − 1 has small prime factors, we can factorise n using Pollard’s p − 1
algorithm; we will discuss this algorithm in Sec. 5. If p + 1 has small prime factors,
then we can factor n using William’s p + 1 algorithm. See [17] for a discussion of this
algorithm. For these reasons, we have the notion of strong prime. A prime p is called a
strong prime if
1) p − 1 has a large prime factor, say r.
2) p + 1 has a large prime factor.
3) r − 1 has a large prime factor.
However if we choose a large prime at random, then we expect p − 1 and p + 1 to have
large prime factors. Even if we choose strong primes, we can factor n using the number
field sieve if the primes are not large enough. So, it makes better sense to choose a large
prime factor at random since this affords protection both against p − 1 and p + 1
factoring algorithms as well as the modern algorithms like the number field sieve. See
[12] for a discussion on this.
Let us now discuss how to generate a random prime. Suppose we want to generate a
k-bit prime m. We set the first and last bit of m to 1 and use a pseudo random bit
generator to generate the remaining k − 2 bits. We choose random bits that are
uniformly distributed. We first check by trial division if m is a prime by dividing m by
all primes up to a certain limit, usually, 106 . We then apply the Rabin-Miller test three
times. If the test returns NO, then probability of m being composite is less than 2180 . We
then consider m to be a prime. If m turns out to be composite, the receiver of
messages(Bob) will detect it because the decryption will not work properly. In this
case, Alice can generate a new set of primes and start afresh. Note that, this has very
negligible probability.
The decryption exponent should be sufficiently large so that it cannot be found using
1/4
brute force. Also, in [16], Wiener proves that if d < n , we can calculate d from n and
3
e.
Interestingly, according to a result of Miller, if we know d and n, we can factorise n
using a probabilistic algorithm. We will discuss this method later in the section on
integer factorisation.
Another issue regarding the security of the RSA is the choice of encrpytion exponent.
Suppose there are three recipients, all of them with the same encrption exponent 3, but
with different modulus ni , i = 1, 2, 3. Then, we calculate yi = M 3 (mod ni ) and send
them to the recipients. Suppose two of them, say n1 and n2 , are not coprime. Then,
(n1 , n2 ) is a non-trivial factor of n1 and n2 and any adversary can factorise both of them.
So, we can always assume that ni are pairwise coprime.
If Eve gets hold of the messages yi , 1 ≤ i ≤ 3, she can compute
M 3 mod n1 n2 n3
using chinese remainder theorem since ni are pairwise coprime. Since m < ni ,
m3 < n1 n2 n3 . So, M 3 mod n1 n2 n3 is equal to M 3 and the adversary can find M by
taking the cube root of M 3 mod n1 n2 n3 . Because of this, the encryption exponent
should not be too small. Let us now look at an example.
Example 2: Suppose Alice encrypts a message M using exponent 3 and three
different moduli, 799, 1159 and 1909. She gets three different values 593 (mod 799),
1122 (mod 1159) and 1727 (mod 1909). She then sends it to 3 different recipients. Public Key Encryption
Suppose, Eve manges to get hold of all the 3 encrypted messages. She solves the
congruences

x ≡ 593 (mod 799) x ≡ 1122 (mod 1159) x ≡ 1727 (mod 1909)

using Chinese remainder theorem. We have n1 = 799, n2 = 1159, n3 = 1909. So, See page 74 of Block 1,
N = n1 · n2 · n3 = 1767812269, N1 = n2 · n3 = 1159.1909 = 2212531, N2 = 1525291 MMT-003 study guide for a
and N3 = 799 · 1159 = 926041. We have a1 = 593, a2 = 1122 and a3 = 1727. Recall discussion of Chinese
that N0i is such that Ni N0i ≡ 1 (mod ni ). We can find N0i using extended euclidean Remainder Theroem.
algorithm. We have, N01 = 8, N02 = 74, N03 = 1768. So,

x = 593 · 2212531 · 8 + 1122 · 1525291 · 74 + 1727 · 926041 · 1768

= 2964652430988
≡ 31255875 (mod 1767812269)
√
Taking cube root, she will get 3 31255875 = 315, thus recovering the message
m = 315.

∗∗∗

Try an exercise now to check your understanding of the above example.

E4) Eve knows that Alice has encrypted a message using the exponent 3 and 3
different moduli. The encrypted messages and the modulii are 78 (mod 989), 254
(mod 1273) and 66 (mod 1513). Find the message.

Since the encryption key is known in RSA, we may succeed in a known plain text
attack. Consider the following situation. Suppose Bob sends Alice e-mails periodically,
informing about the date of a particular event. Suppose Eve gets hold of one of these
messages and knows that the date of the event in the letter is in a specific format. To
find the date, Eve has to just encrypt all the 365 dates in the format used by Bob and
check if the encrypted text in Bob’s message contains any of 365 possible texts.

We can overcome many of the problems we mentioned above by using the Optimally
Assymetric Encryption Protocal(OAEP) discovered by Bellare and Rogaway, [1]. Our
discussion follows [15].

In this method, Alice does the following: Suppose Bob’s encryption exponent is e and
the modulus is n. Further, suppose that the size of n is k bits. Alice and Bob fix three
positive integers k0 , k1 and k2 such that k0 + k1 + k2 = k. Alice’s message should be k2
bits long. (If length of the message is less than k2 , she can pad the message with zeros.
If the length of the message is greater than k2 , she can always divide the message into
chunks of size k2 . In this process, there may be at most one chunk with size less than
k2 . She can pad this with zeros so that all the chunks have size k2 .) Let G be a
pseudorandom generator that takes as input a string of size k0 and outputs a string of
size k1 + k2 bits and H be a function that takes as input a string of size k1 + k2 bits and
outputs a string of size k0 bits. We usually construct G and H from hash functions.

To encrypt the message Alice concatenates the message with k1 zero bits and expands
the message to M ||0k1 and this string has size k1 + k2 . Next, she selects a random
string r of length k0 bits, uses it as the random seed for G(r) and computes

x1 = M ||0k1 ⊕ G(r), x2 = r ⊕ H (x1 ) (6)

Note that G(r) and M ||0k1 have length k1 + k2 . Also, r and H (x1 ) have length k0 . So,
the XOR operations in Eqn. (6) are possible. 11
Public Key Cryptosystems If x1 ||x2 is a binary number bigger than n, Alice choses another random string r and
and Digital Signature
computes the new values of x1 and x2 . If G(r) produces fairly random outputs, x1 ||x2
will be less than n in binary with a probability greater than half. After getting a string r
with x1 ||x2 < n, Alice then encypts x1 ||x2 to get the ciphertext

E(M ) = (x1 ||x2 )e = c (mod n) (7)

The process is summarised in Fig. 1. Note that, the inputs and outputs are in oval

Message M Random String r

k2 bits k0 bits

Concatenate k1 G: Input-k0 bits

zeros Output k1 + k2 bits

M ||0k1 G(r)
k1 + k2 bits k1 + k2 bits

Apply XOR

x1 = M ||0k1 ⊕ G(r)
k1 + k2 bits

H: Input-k1 + k2 bits
Output k0 bits

H(x1 )
k0 bits

Apply XOR

x2 = r ⊕ H(x1 )
Concatenate k0 bits

x1 ||x2 c ≡ (x1 ||x2 )e (mod n)

k0 + k1 + k2 bits

Ciphertext c

Fig. 1: OAEP encryption

boxes and the processes are in square boxes.

Bob decrypts the ciphertext by using his private key d and finding cd (mod n). He then
writes the result in the form

cd (mod n) = y1 ||y2 (8)

where y1 has k1 + k2 bits and y2 has k0 bits. Note that y1 = x1 and y2 = x2 since
d
cd ≡ ((x1 ||x2 )e ) = (x1 ||x2 ) .

Since x1 = M ||0k1 ⊕ G(r), Bob can find M ||0k1 if he can find r and hence G(r) because

12 y1 ⊕ G(r) = x1 ⊕ G(r) = M ||0k1 ⊕ G(r) ⊕ G(r) = M ||0k1 .

So, if Bob can find r, he can find M ||0k1 , discard the last k1 bits and recover the Public Key Encryption
message.

Let us see how Bob can find r. Bob can recover the random string r by calculating
H (y1 ) ⊕ y2 = H (x1 ) ⊕ x2
= H (x1 ) ⊕ r ⊕ H (x1 ) (from Eqn. (6))
= r.
Note that we can use OAEP with any public key cryptosystem. We simply have to
change the encryption and decryption functions. If we use this method, we cannot call
the encryption operation a function on the plaintext space. This is because the same
plain text may be encrypted differently at different times depending on the choice of the
random string chosen. However, given the ciphertext we can always recover the
plaintext provided we know the decryption exponent.

We have merely touched upon the various attacks on the RSA cryptosystem. For a more
detailed discussion of other methods of attacking the RSA cryptosystem see [13], [15].

In the next section, we will discuss the ElGamal cryptosystem. This system is based on
discrete logarithms. Before you read the next section, you may find it useful go through
the discussion on discrete logarithms on pages 21, 22 and 23 of Block 1.

7.4 DIFFIE-HELLMAN KEY EXCHANGE AND THE

ELGAMAL CRYPTOSYSTEM
In this section, we will discuss the ElGamal cryptosystem which is based on difficulty
of finding discrete logarithms. This system was discovered by ElGamal in 1985. Let us
start by recalling the definition and the basic properties of discrete logarithms over a
finite field.
Definition 4: Let Fq be a finite field with q elements. For an element γ ∈ F∗q , suppose
γ = α k with 0 ≤ k < q − 1. Then, we call k the logarithm of γ to the base α. We write
logα γ = k. If 0 ≤ k < q − 1, then α k is the antilogarithm of k to the base α. We write
alogα k = γ.

Note that logγ : F∗q −→ {0, 1, . . . , q − 2} and alogγ : {0, 1, . . . , q − 2} −→ F∗q are inverse
functions of each other. Further, they satisfy the relations
logγ (αβ ) ≡ logγ (α) + logγ (β ) (mod q − 1) (9)
logγ (αβ −1 ) ≡ logγ (α) − logγ (β ) (mod q − 1) (10)
In the first block, we have already seen examples of discrete logarithms in general finite
fields. Let us now look at an example over a finite field of the type Fp , where p is a
prime.

Example 3: Consider Z23 a finite field with 23 elements. Then, 5 is a primitive root for
Z23 . In Table 1 we have computed all the powers of 5.

i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
5i 1 5 2 10 4 20 8 17 16 11 9 22 18 21 13 19 3 15 6 7 12 14
Table 1: Powers of 5 in Z23 .

So, we can read off the discrete logarithm to the base 5 of any element of Z∗23 from this
table. For example, if we want to find the discrete logarithm of 17, we see that it
appears under i = 7, i.e. 57 = 17. So, log5 17 = 7. The table of logarithms is in Table 2. 13
Public Key Cryptosystems i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
and Digital Signature log5 i 0 2 16 4 1 18 19 6 10 3 9 20 14 21 17 8 7 12 15 5 13 11
Table 2: Logarithms to the base 5 in Z23 .

∗∗∗

Recall that the natural logarithm, ln n, and the logarithm to the base 10, log n, are
continuous functions of n. For example log 20 = 1.301029996 and
log 21 = 1.322219295 is quite close to this. So, we can make use of continuity and
differentiability of these functions to calculate logarithms and antilogarithms using
numberical methods. However, as you can see from Table 2, this is not the case for
discrete logarithms. In Table 2, while the discrete log of 2 to the base 5 is 2, the discrete
log of 3 to the base 5 is 16, which is nowhere near 2. It increases and decreases with n
in such a way that we can’t use numerical methods to calculate discrete logarithms. You
can see the comparison of discrete logarithm to the base 5 and the usual logarithm to the
base five in Fig. 2. The red dots correspond to the values of the discrete logarithm to the
base five and the values of log5 n are joined by a blue line. As you can see, the values of
the discrete logarithm are all over the place, but the values of log5 n are continuous.

22
21
20
19
18
17
16
15
14
13
12
11
10
9
8
7
6
5
4
3
2
1
0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
Fig. 2: Plot of Discrete logarithm (mod 23) to the base 5 and log5 n

We can always make a table like Table 2, but the amount of computation grows large
very quickly with increase in p. If all the prime factors of p − 1 are sufficiently small,
there are other methods for calculating discrete logarithms. However, the calculation of
discrete logarithms is very difficult if we choose our p so that p − 1 has at least one large
prime factor. We exploit this property for creating one-way functions in the following
sections. In the next subsection, we will see how Alice and Bob can use this property of
14 discrete logarithms to safely exchange keys for a symmetric key cryptosystem.
7.4.1 Diffie-Hellman key exchange Public Key Encryption

As we mentioned earlier, one problem in symmetric key cryptosystem is the problem of

key exchange. We now describe a method by which Bob and Alice can decide upon a
key without meeting in person.

1) Alice chooses a large prime p such that p − 1 has a large prime factor. She then
chooses a primitive root α (mod p). She selects an integer x, 0 < x < p − 1. She
keeps the value of x secret, finds α x (mod p) and sends the values (p, α, α x ) to
Bob.

2) Bob chooses a y, 0 < y < p − 1 and keeps it secret. He finds α y (mod p) and
sends it to Alice.

3) Alice computes α xy = (α y )x from the value of α y since she knows x. Bob

computes α xy (mod p) = (α x )y (mod p) since he knows y.

Of course, Bob can also initiate the process by choosing the prime p, a primitive root α
(mod p) and y, 0 < y < p − 1 and sending (p, α, α y ) to Alice. Either way, at the end of
the exchanges, both Alice and Bob have the number α xy and they can use this as the
key for some symmetric key cryptosystem like AES.

Let us see why this system is secure. Eve has to calculate α xy (mod p) from the value
of α, α x and α y . This is a computationally infeasible problem known as the
Computational Diffie-Hellman problem.

Of course, if Eve can compute discrete logs, she can find x from α x and compute
(α y )x = α xy from the given value of α y and x. As we will see in the section on
factorisation and discrete logarithms, if p − 1 has a large prime factor, it is difficult to
find discrete logarithim mod p. So, this problem is no harder than the problem of
computation of discrete logs. However, it is not known whether solving Computational
Diffie-Hellman problem is equivalent to finding Discrete logs.

Let us look at an example to understand the Diffie-Hellman key exchange.

Example 4: Suppose Alice chooses p = 127 and α = 3. She chooses x = 71 and

computes 371 (mod 127) ≡ 43 (mod 127). She then sends the values (127, 3, 43) to
Bob. Bob chooses y = 85, computes 385 ≡ 57 (mod 127) and sends the value 57 to
Alice. Alice finds 5771 (mod 127) and gets 29. Bob finds 4385 (mod 127) and gets the
same number 29. So, Alice and Bob have the same number at the end of the process.
Eve can’t find out this number with the information available to her.

∗∗∗

Here is an exercise to check your understanding of the above example.

E5) Suppose Alice chooses p = 127 and α = 3 and computes 37 ≡ 28 (mod 127).
She starts the Diffie-Hellman key exchange process by sending (127, 3, 28) to
Bob. Bob responds by sending 39 ≡ 125 (mod 127). At the end of the key
exchange process, what number will both of them have?

In the next subsection, we will discuss the ElGamal Cryptosystem. This also uses
discrete logarithm.

15
Public Key Cryptosystems 7.4.2 ElGamal Cryptosystem
and Digital Signature

In the case of ElGamal cryptosystem, we work in the field F∗P . This is our ciphertext
space C . To setup such a system, Bob does the following:

1) He chooses a large prime p such that p − 1 has a large prime factor. We will see
why it is necessary for p − 1 to have a large prime factor later. He also chooses an
arbitrary primitive root g mod p, i.e g ∈ Fp such that the cyclic group generated by
g is the whole of F∗p .
2) He chooses at random an integer x such that 0 < x ≤ p − 2, computes y = gx ,
publishes (p, g, y) and keeps x a secret.

If Alice wants to send a message to Bob, she chooses at random a natural number k

such that 1 ≤ k ≤ p − 2. She keeps the value of k secret and sends the pair gk , M yk to

x
Bob. Since Bob knows x, he can compute gk = (gx )k = yk . Bob can easily find

−1
y−k = yk using extended euclidean algorithm. So, he can recover the message by
multiplying M yk by y−k :
M ≡ M yk y−k (mod p)

Note that, strictly speaking, we cannot put this in the framework of Definition 2. This is
because the same message will encrypt to different ciphertexts at different times
depending on the value of k that Alice selects. However, apart from this, in essence, it
is a public key cryptosystem in the sense that anyone can send a message to Bob using
the publicly available values of p, g and y. Also, we can encrypt and decrypt fast using
the repeated squaring algorithm.

If Eve wants to recover the message from gk , M yk , she has to calculate yk = gxk

from gx and gk . As we saw earlier, this is the computational Diffie-Hellman problem

and this is computationally hard to solve.

Let us see how we can find a primitive root mod p. Note that, we can check that g is a
n
primitive root for a prime p as follows: Suppose p − 1 = ∏kj=1 qj j is the factorisation of
n
p − 1 into distinct powers. Let ti = ∏kj=1,j6=i qj j and gi = gti for each i, 1 ≤ i ≤ k. Then g
ni −1
q
is a primitive root mod p iff gi i 6≡ 1 (mod p) for each value of i. This is a simple
exercise in group theory. We leave this to you as an exercise to verify this fact.

We can put this in a slightly different way. We have

gi = gti
ni −1 ni −1
q
∴ gi i = gti qj

But,
!
k
nj p−1
ti qni i −1 = ∏ qj qni i −1 =
j6=i qi
p−1
Writing si = qi , we have the following criterion:
Proposition 1: Let p be a prime and suppose
k
n
p − 1 = ∏ qj j
j=1

Then, g ∈ F∗p is a primitive root if and only if gsi 6≡ 1 (mod p) for each i, 1 ≤ i ≤ k
16 where si = p−1
qi .
Let us now look at an example. Public Key Encryption

Example 5: Suppose Bob selects 109 as the prime p. Then, p − 1 = 108 = 22 · 33 . Let
q1 = 2, q2 = 3. Then s1 = 2 · 33 and s2 = 22 · 32 .

Let us now check if 2 is a primitive root. We have gs1 = 254 = 254 ≡ 108 ≡ −1 6≡ 1
(mod 109). But, gs2 = 236 ≡ 1 (mod 109). So, 2 is not a primitive root.

Let us check if 3 is a primitive root. We have 3s1 = 354 ≡ 1 (mod 109). So, 3 is not a
primitive root. We need not check 4 because 4 is a perfect power.

Let us check if 5 is a primitive root. We have 5s1 = 554 ≡ 1 (mod 109), so 5 is not a
primitive root.

Let us now try 6. We have

gs1 = 654 ≡ 108 ≡ −1 (mod 109) and gs2 = 636 ≡ 63 6≡ 1 (mod 109).

So, 6 is a primitive root mod 109.

Suppose Bob chooses x = 40. Then, he calculates g40 = 640 ≡ 7 (mod 109). He keeps
the value x = 40 secret and publishes the values p = 109, g = 6 and g40 = 7.

Suppose Alice wants to send the message M = 17 to Bob. She chooses k = 13 and
finds

gk = 613 ≡ 96 (mod 109) and gxk = (gx )k = 713 ≡ 80 (mod 109).

She then finds M gxk = 17 · 80 ≡ 52 (mod 109). She then sends (96, 52) to Bob. To

p−1−x
recover the message Bob computes gk = 96109−1−40 = 9668 ≡ 15 (mod 109).
He then multiplies the encrypted message 52 by 15 to get 52 · 15 = 780 ≡ 17
(mod 109), thus recovering the message.

∗∗∗

E6) Let G be a finite abelian group and let n divide the order of G. Suppose
n
n = ∏kj=1 qj j and let g ∈ G. Write

k
n
ti = ∏ qj j and gi = gti .
j=1,j6=i

Then, g has order n if and only if gn = 1 and gi has order qni i for each i, i.e.
ni −1 ni
q q
gi i 6= 1 and gi i = 1 for all values of j.

E7) Suppose Bob chooses p = 181. Check that 2 is a primitive root mod 181. Suppose
Bob chooses x = 21 and publishes (181, 2, 86). He receives the pair (7, 122). Find
the message.

Recall that the security of RSA cryptosystem depends on the fact that it is difficult, in
general, to factorise a natural number. Similarly, the security of the ElGamal
cryptosystem depends on the fact that it is difficult find disrete logs in Z∗p , p a prime. In
the next section, we will see that we can solve these problems under certain conditions
using certain methods. We will gain some insights by studying the conditions under
which these problems can be solved and the methods by which they can be solved. This
insight is of help to us in strengthening these cryptosystems. 17
Public Key Cryptosystems
and Digital Signature
7.5 INTEGER FACTORISATION AND DISCRETE
LOGARITHMS

In this section, we will wear the hat of a cryptanalyst and look at methods for breaking
the RSA and the ElGamal cryptosystem. We will discuss the problems of integer
factorisation and discrete logarithms, the problems a cryptanalyst has to solve if she has
to break the RSA and ElGamal cryptosystems, respectively. Our discussion follows
[15].

We start with integer factorisation. For all practical purposes, the method of dividing an
√
integer n by all primes p ≤ n is much too slow. In this section, we will discuss other
methods which are faster. Before we move on to more general methods, we would like
to amplify our remark that we can factorise the modulus n used in RSA cryptosystem if
we know the decryption exponent.

We mentioned while discussing the RSA cryptosystem that we can factor n if we know
both the encryption and decryption exponent. In [8], Miller proved that we can
successfully factorise n, with a high probability, if we know any multiple of φ (n). Since
ed ≡ 1 (mod φ (n)), ed − 1 is a multiple of φ (n). So, we can apply Miller’s method to
factorise n if we know e and d. We will discuss this method now.

Here is how the probabilistic algorithm works. Suppose we can find an exponent r such
that

br ≡ 1 (mod n) for all b with (b, n) = 1. (11)

Note that, any multiple of φ (n) will satisfy this condition since aφ (n) ≡ 1 (mod n) for
all a with (a, n) = 1, by Euler’s theorem. If e and d are the encryption and decryption
exponents, we have bed−1 ≡ 1 (mod n) for all b with (b, n) = 1. So, there is always an r
satisfying Eqn. (11).

Write r = a2s with a odd. Choose a random b with 1 < b < n − 1. If gcd(b, n) 6= 1 we
have a factor of n. Otherwise, let b0 = ba (mod n). We find b1 , b2 , . . ., in N such that

b1 ≡ b20 (mod n), b2 ≡ b21 (mod n), b23 ≡ b2 (mod n),

etc. If b0 ≡ 1 (mod n), we choose another b and repeat the procedure. Also, if bk ≡ −1
(mod n) for some k, we choose a different b and repeat the procedure. If bk+1 ≡ 1
(mod n) and bk 6≡ ±1 (mod n) for some k, (bk − 1, n) gives a non-trivial divisor of n.
This is because, b2k ≡ bk+1 ≡ 1 (mod n) or (bk − 1) (bk + 1) = b2k − 1 ≡ 0 (mod n). So,
n | (bk + 1) (bk − 1). Since bk 6≡ ±1 (mod n), n - bk − 1 and n - bk + 1. So, (n, bk − 1)
and (bk + 1, n) must be non-trivial factors of n. Also, since bs ≡ 1 (mod n), for each b
with (b, n) = 1, it is guaranteed that there is a k such that bk ≡ 1 (mod n).(Why?)

Although it is only a probabilistic algorithm, the probability of finding a non trivial

factor using this algorithm is high. So, if the decryption exponent leaks out, changing
only e and d is not enough. We have to start from scratch with a new set of values for p
and q and choose new values for e and d corresponding to the new value of n.

Let us now look at an example.

Example 6: Suppose n = 667, e = 39, d = 79. We have 39 · 79 − 1 = 23 · 385. Let us

take b = 3. Then, (3, 667) = 1. We have

b0 = 3385 ≡ 162 (mod 667)

b1 ≡ b20 ≡ 231 (mod 667)

18 b2 ≡ b21 ≡1 (mod 667)

We have b2 ≡ 1 (mod 667) and b1 6≡ ±1 (mod 667). Also, Public Key Encryption
(b1 − 1, 667) = (230, 667) = 23. So, 667 = 23 · 29.

∗∗∗

Here is an exercise for you to try.

E8) Let n = 12193, e = 303, d = 79. You can take for granted the following
information:

b0 ≡ 2187 ≡ 9079 (mod 12193)

b1 ≡ 90792 ≡ 3561 (mod 12193)
b2 ≡ 35612 ≡ 1 (mod 12193)

Factor n.

Remark 2: Even if we find one b and one r > 0, where b and r are integers with br ≡ 1
(mod n), we may succeed in factoring n. We write r = 2s a with a odd. We then find
b0 = ba , b1 ≡ b20 (mod n), · · · and proceed exactly as before. Of course, we may get
bk ≡ −1 (mod n), for some k ≤ s − 1 and this method may fail.
Another method we mentioned in our discussion of the precautions we have to take
while implementing the RSA algorithm is Pollard’s p − 1 algorithm. Pollard invented
this algorithm in 1974. Using this method, we can factorise a number n if there is a
prime p which divides n and p − 1 has only small prime factors. Here is a brief
description of the method.

The p − 1 Factoring Algorithm. Choose an integer a > 1. We often choose a = 2. We

choose a bound B and compute b ≡ aB! (mod n) as follows. Let b1 ≡ a (mod n) and
j
bj ≡ bj−1 (mod n). Then bB ≡ b (mod n). Let d = gcd(b − 1, n). If 1 < d < n, we have
found a nontrivial factor of n.

Suppose p is a prime factor of n such that p − 1 has only small prime factors. Then B! is
likely to be divisible by p − 1, say B! = (p − 1)k. We have

b ≡ aB! ≡ (ap−1 )k ≡ 1 (mod p)

by Fermat’s theorem, so p will occur in the greatest common divisor of b − 1 and n. If q

is another prime factor of n, it is unlikely that b ≡ 1 (mod q), unless q − 1 also has only
small prime factors. If d = n, not all is lost. In this case, we have an exponent r (namely
B!) and an a such that ar ≡ 1 (mod n). There is a good chance that the method due to
Miller that we mentioned in the previous will yield a factor of n.

Let us look at an example.

Example 7: Consider the number n = 162983. Let us choose B = 30 as the bound. We

have 230! ≡ 155655 (mod n) and (155654, n) = 349, yielding a factor. By division, we
get the other factor 467.

∗∗∗

Try the next exercise to check your understanding of the above example.

E9) Let n = 16867. Factor n using p − 1-algorithm, taking the value of B to be 10.

In the previous section, we mentioned a method which is attributed to Fermat called

Fermat factorisation method. Dividing by powers of two if necessary, we can always 19
Public Key Cryptosystems assume that n is odd. In this method, we try find positive integers x and y such that
and Digital Signature
x2 − y2 = n. We then have (x + y)(x − y) = n. If x − y > 1, we have a factor of n,
namely x − y. Conversely, suppose n = pq where p and q are odd numbers, p, q > 1. We
have n = (x + y)(x − y) if we take x = p+q p−q
2 , y = 2 . Thus, if n is odd, it is composite if
and only if n = (x + y)(x − y) for x, y > 1, x, y ∈ N.

Given an odd integer n, how do we find x and y? For various values of i, we check
whether n + i2 is a perfect square. As we saw just now, if there is a factorisation n = pq,
then n = x2 − y2 with x = p+q p−q
2 , y = 2 . So, the number of values of i we have to check
will be at most

p − q 
  
min n = pq, where p, q ∈ N, p, q > 1
2 

If there are factors p and q that are close to each other, p − q is small and so n can be
factored easily. Let us now look at an example.

Example 8: Suppose n = 66013. We have n + 1 = 66014, n + 22 = 66017, . . .,

n + 52 = 66038 which are not perfect squares, but n + 62 = 66049 = 2572 . Therefore,
n = 2572 − 62 = (257 + 6)(257 − 6) = 251 · 263.

∗∗∗

Try the following exercise to check your understanding.

E10) Factor 51067 using Fermat’s method.

Kraitchik observed that it is not necessary find x and y such that x2 − y2 = n; it is

enough to find x and y such that x2 ≡ y2 (mod n) with x 6≡ y (mod n). If
1 < (x − y, n) < n, then d = (x − y, n) is a proper divisor of n. Pomerance and others
developed the quadratic sieve algorithm using this idea. (See [11] for an account of this
algorithm.) The number field sieve, a generalisation of the quadratic sieve has already
superseded the quadratic sieve. Still, quadratic sieve is of interest because the ideas
behind this are used in the number field sieve. We will now discuss a simple algorithm
that is quite similar to the quadratic sieve algorithm. Our algorithm will be useful in
understanding the main ideas behind the quadratic sieve algorithm. We will follow [15]
in the treatment of this algorithm.

We present the algorithm through an example.

Example 9: Suppose we want to factor n = 7680587. We fix a limit B. The set of

primes less than B is called our factor base. We fix B = 20 for our example. So, our
factor base consists of the primes 2, 3, 5, 7, 11, 13, 17, 19. We find integers x1 , x2 , . . .,
x` such that the prime divisors of x2i (mod 7680587) are less than B; we will see how
to find such numbers later. For example, 39292 ≡ 75867 (mod 7680587)  and
75867 = 3 · 113 · 19, so 3929 is one such number. If there are q primes p1 , p2 , . . . , pq

in the factor base, we form a ` × q matrix as follows: Each column of the matrix
corresponds to a prime in the factor base and each row corresponds to a xi such that
x2i ≡ ci (mod 7680587) with all the prime divisors of ci less than or equal to B. The
entry in the ith row, jth column gives the power of the jth prime that divides ci . For
example, since 39292 ≡ 75867 (mod 7680587) and 75867 = 3 · 113 · 19, 3929 will
correspond to the row [0, 1, 0, 0, 3, 0, 0, 1] indicating that the power of 3 dividing 75867
20 is 1, the power of 11 dividing 75867 is 3 and the power of 19 dividing 75867 is 1 and
the primes 2, 5, 7, 13 and 17 do not divide 75867. Similarly, we find that Public Key Encryption

48012 ≡ 7840 (mod 7680587) 7840 = 25 · 5 · 72

78392 ≡ 5225 (mod 7680587) 5225 = 52 · 11 · 19
96022 ≡ 31360 (mod 7680587) 31360 = 27 · 5 · 72
99972 ≡ 92378 (mod 7680587) 92378 = 2 · 11 · 13 · 17 · 19
2
14403 ≡ 70560 (mod 7680587) 70560 = 25 · 32 · 5 · 72
149322 ≡ 227601 (mod 7680587) 227601 = 32 · 113 · 19

We obtain the matrix

2 3 5 7 11 13 17 19
3929 0 1 0 0 3 0 0 1
4801 5 0 1 2 0 0 0 0
7839 0 0 2 0 1 0 0 1
. (12)
9602 7 0 1 2 0 0 0 0
9997 1 0 0 0 1 1 1 1
14403 5 2 1 2 0 0 0 0
14932 0 2 0 0 3 0 0 1
h√ i
To find numbers like 3929, 4801, . . ., we look at the numbers in + j for small values
of j. Here [x] denotes the greatest√integer less than or equal to x. The√square of such a
number is approximately in + 2j in + j2 , which is approximately 2j in + j2 mod n. As
long as i is not too large, this number is fairly small, hence there is a good chance it is a
product of small primes. For example, if we take i = 3, j = 1, we have
√
3 · 7680587 + 1 = 4801.1834 and [4801.1834] = 4801.

We have

48012 ≡ 7840 and 7840 = 25 · 5 · 72

so, we get the second row of the matrix in Eqn. (12).

We look for linear dependencies mod 2 among the rows of Eqn. (12). We reduce the
rows of the matrix in Eqn. (12) mod 2 to get matrix

0 1 0 0 1 0 0 1
 
1 0 1 0 0 0 0 0
0 0 0 0 1 0 0 1
 
1 0 1 0 0 0 0 0 . (13)
 
 
1 0 0 0 1 1 1 1
 
1 0 1 0 0 0 0 0
0 0 0 0 1 0 0 1

We note that second, fourth and sixth rows are identical. Also, third and the seventh
rows are identical. Since we are working modulo 2, any two of them add up to 0. A
systematic way of finding relations is to view Eqn. (13) as map from F72 to F82 and find
the relations from the kernel. For example, the kernel of the matrix in Eqn. (13) is
generated by the vectors {(0, 1, 0, 1, 0, 0, 0), (0, 1, 0, 0, 0, 1, 0), (0, 0, 1, 0, 0, 1)}. From the
kernel, we have the following relations:
1. Note that, on multiplying Eqn. (13) on the left by the first vector (0, 1, 0, 1, 0, 0, 0),
we get the sum of the second and fourth columns as the answer. Since
(0, 1, 0, 1, 0, 0, 0) is in the kernel, this implies that the sum of the second and fourth
rows are zero. 21
Public Key Cryptosystems 2. Similarly, from the second vector in the kernel we get that the sum of the second
and Digital Signature
and sixth rows are zero.
3. From the third vector in the kernel we get that the sum of the third and eighth rows
are zero.
When we have such a dependency, we get a relation of the form

x2 ≡ y2 (mod 7680587).

For example:
1. The sum of the second and fourth rows of the matrix in Eqn. (13) is 0. The second
row corresponds to the relation

48012 ≡ 25 · 5 · 72 (mod 7680587)

and the fourth row corresponds to the relation

96022 ≡ 27 · 5 · 72 (mod 7680587).

Recall that, if Multiplying the congruences

a ≡ b (mod n)
and 48012 ≡ 25 · 5 · 72 (mod 7680587) and 96022 ≡ 27 · 5 · 72 (mod 7680587)
c ≡ d (mod n), then
ac ≡ bd (mod n). we get the congruence

2
(4801 · 9602)2 ≡ 212 · 52 · 74 ≡ 26 · 5 · 72 (mod 7680587)

2. The sum of the second and sixth rows of the matrix in Eqn. (13) is 0. The second
row corresponds the congruence

48012 ≡ 25 · 5 · 72 (mod 7680587)

and the sixth row corresponds to the congruence

144032 ≡ 25 · 32 · 5 · 72 (mod 7680587).

Multiplying the congruences

48012 ≡ 25 · 5 · 72 (mod 7680587) and 144032 ≡ 25 · 32 · 5 · 72 (mod 7680587)

we get the congruence

2
(4801 · 14403)2 ≡ 25 · 3 · 5 · 7 (mod 7680587).

3. The sum of the third and sixth rows of the matrix in Eqn. (13) is 0. The third row
corresponds to the congruence

78392 ≡ 52 · 11 · 19 (mod 7689587)

and the seventh row corresponds to the congruence

149322 ≡ 32 · 113 · 19 (mod 7680587)

Multiplying the congruences

78392 ≡ 52 ·11·19 (mod 7680587) and 149322 ≡ 32 ·113 ·19 (mod 7680587)

we get the congruence

2
22 (7839 · 14932)2 ≡ 3 · 5 · 112 · 19 (mod 7680587)
Therefore, we have found three relations of the form x2 ≡ y2 (mod n). If x 6≡ ±y Public Key Encryption
(mod n), then gcd(x − y, n) yields a nontrivial factor of n. If x ≡ ±y (mod n), then
gcd(x − y, n) = 1 or n, so we don’t obtain a factorisation.
1. We have

2
(4801 · 9602)2 ≡ 26 · 5 · 72 (mod 7680587),
6 2
but 4801 · 9602 ≡ 2 · 5 · 7 (mod 7680587).

So, this relation does not yield a factor of 7680587.

2. We have

2
(4801 · 14403)2 ≡ 25 · 3 · 5 · 72 (mod 7680587)
5 2
but (4801 · 14403) ≡ 2 · 3 · 5 · 7 (mod 7680587).

So, this relation does not yield a factor 7680587.

3. We have

2
(7839 · 14932)2 ≡ 3 · 5 · 112 · 19 (mod 7680587)
and (7839 · 14932) 6≡ 3 · 5 · 112 · 19 (mod 7680587).

We have (7839 · 14932 − 3 · 5 · 112 · 19, 7680587) = 1129. Thus, we have found a
factor of 7680587. Dividing 7680587 by 1129, we get the other factor 6803. You
can check that 1129 and 6803 are primes.
Note that, for the sake of simplicity, we have taken only seven rows. But, in practice,
we usually make sure there are more rows than columns, i.e. ` > q, so that the kernel of
the reduced matrix is always non-trivial.

∗∗∗

Try the following exercise to check your understanding of the above example.

E11) Factorise n = 115697 using the following relations:

4862 ≡ 2 · 74 (mod 115697)

2 3 4
972 ≡ 2 · 7 (mod 115697)
2 9 2
1407 ≡ 2 · 5 (mod 115697)

The quadratic sieve is an improved version of the above method. The number field sieve
uses more sophisticated techniques to produce relations of the form x2 ≡ y2 (mod n)
and is somewhat faster in many situations. See [7] for an exposition of this method.

Next, we shall discuss methods for finding discrete logarithms. You may like to review
the relevant portions from Block 1 and Sec. 4 of this Unit before proceeding further.

7.5.1 Computing Discrete Logarithms

Let us fix a prime p and suppose α and β be non-zero integers. Suppose that we have to
find x such that

αx ≡ β (mod p). (14)

Recall that, the problem of finding x is called the discrete logarithm problem because
if x satisfies Eqn. (14), then we say that x is the discrete logarithm of β to the base α.
Of course, a solution may not exist for arbitrary α and β . However, if we take α to be a 23
Public Key Cryptosystems primitive root mod p, there is always a solution to Eqn. (14) for any nonzero β . So,
and Digital Signature
from now, we will assume that α is a primitive root mod p for the sake of simplicity.
Observe that,

α m1 ≡ α m2 (mod p) ⇔ m1 ≡ m2 (mod p − 1). (15)

Note that, we can formulate the problem in Eqn. (14) in a more general setting.
Suppose G is a cyclic group of order n and α is a generator of G. If β ∈ G, we can ask
for the solution to the equation

αx = β . (16)

The equation has a solution that lies between 0 and n − 1.

We now describe a method due to Pohlig and Hellman for solving Eqn. (16). See [10].
Pohlig and Hellman discuss a method for solving Eqn. (14) on the previous page, but
we will discuss the method in the more general situation given by Eqn. (16). Our will
work for Eqn. (14) because Z∗p is a cyclic group of order p − 1.

We first show how to reduce the problem in Eqn. (16) to the case where the cyclic
group has prime power order. Suppose

n = ∏ qri i
i

is the factorisation of n into primes. Set

ni = n
r
, αi = α ni and βi = β ni .
qi i

Then, the order of αi is qri i and it generates the unique Sylow-qi subgroup of G.(Why?)
Further, order of βi divides qri i and so βi is in the Sylow-qi subgroup of G. So, the
equation

αix = βi (17)

has a solution for each i, 1 ≤ i ≤ k. Let x(i), 1 ≤ i ≤ k, be a solution of Eqn. (17). The
next proposition says how to get the solution to Eqn. (16) from the solutions to the
family of equations given by Eqn. (17).

Proposition 2: Suppose x(i) is a solution to Eqn. (17) for 1 ≤ i ≤ k and

x ∈ {0, 1, . . . , n − 1} is a solution to the set of simultaneous congruences x ≡ x(i)
(mod qri i ). Then, x is a solution to Eqn. (16).

Proof: We have

n
α −x β i = (α ni )−x β ni ≡ αi−x βi
r
−x(i)+kqi i
= αi βi , k ∈ Z (∵ x ≡ x(i) (mod qri i ))
(∵ αi has order qri i )
−x(i)
= αi βi
=1

where we denote the identity element of G by 1. Thus, order of (α −x β ) divides ni for

all i. So, the order divides the gcd of ni . But, the gcd of ni is one, so the order of α −x β
is one, i.e. α −x β = 1 or α x ≡ β . 

Next, we show how to compute x(i) for 1 ≤ i ≤ k.

We write x(i) as

24 x(i) = x0 (qi ) + x1 (qi )qi + x2 (qi )q2i + · · · + xri −1 (qi )qri i −1 . (18)
where Public Key Encryption

0 ≤ xj (qi ) ≤ qi − 1 for 0 ≤ j ≤ ri − 1.

We’ll determine the coefficients x0 (qi ), x1 (qi ), . . . xri −1 (qi ) successively, and thus obtain
x mod qri i .

For simplifying notation, we will fix a qi and write q for qi and k for ri . We will also
write x0 , x1 , . . . instead of x0 (qi ), x1 (qi ), . . ..

Raising both sides of Eqn. (17) to the power qk−1 , we get

xqk−1 qk−1
αi = βi (19)

From Eqn. (18), we get

qk−1 x = x0 qk−1 + qk x1 + x2 q + · · · + xk−1 qk−2 = x0 qk−1 + qk m (20)

where m is an integer. Since αi has order qk , it follows that

xqk−1 x qk−1 mqk x qk−1

αi = αi 0 αi = αi 0 . (21)

qk−1
Writing γi = αi and δ0 (q) = βi , we can write Eqn. (21) as
k−1
γix0 = δ0 (q)q (22)
k−1
where γi and δ0 (q)q have order q and we have to solve Eqn. (22) in a group of order
q. We solve this equation by brute force; we find different powers of γi and see which
k−1
power of γi gives δ0 (q)q . The solution to Eqn. (22) will give us the value of x0 .

Suppose we have found x0 , x1 , . . ., xi−1 and we want to find xi , 1 ≤ i ≤ k − 1. We have

x qi +···+xk−1 qk−1 −(x0 +x1 q+···+xi−1 qi−1 )

αi i = β αi (23)

Denoting the right hand side of Eqn. (23) by δi (q) and raising both sides of Eqn. (23) to
the power qk−i−1 , we get
k−1 +x k 2k−i−2 k−i−1
(αi )xi q i+1 q +···+xk−1 q
= δi (q)q (24)

The left hand side of Eqn. (24) is

x qk−1 +xi+1 qk +···+xk−1 q2k−i−2 x qk−1 +m0 qk

αi i = αi i for some integer m0 .
x qk−1 m0 qk x qk−1
= αi i αi = αi i
k−1
since αi has order qk . So, denoting (αi )q by γi we can write Eqn. (24) as
k−i−1
(γi )xi = δi (q)q (25)

and this is a discret logarithm problem with solution xi . Since γi has order q, we have to
solve Eqn. (25) in a group of order q. As we did in the case of x0 , we again solve for xi
by brute force.

Let us summarise the procedure for solving Eqn. (14).

1) Write n = qr11 qr22 · · · qrkk and set ni = n/qri i , αi = α ni and βi = β ni . 25

Public Key Cryptosystems 2) Write x(i) = x0 (qi ) + x1 (qi )qi + · · · + xri −1 (qi )qri i −1 . Solve for x0 (qi ), x1 (qi ), . . .,
and Digital Signature
xri −1 (qi ) as follows:
Write
r −1
qi
γi = αi i

To find x0 (qi ) solve the equation

r −1 ri −1
qi
γix = βi i = δ0 (qi )qi (26)

where we write δ0 (qi ) for βi . Eqn. (26) is an equation in a subgroup of order qi

and we have to solve this to get x0 (i).
After getting x0 (qi ), x1 (qi ), . . . x`−1 (qi ), compute

−(x0 (qi )+x1 (qi )qi +···+x`−1 (qi )q`−1

i )
δ` (qi ) = βi αi
−x`−1 (qi )q`−1
= δ`−1 (qi )αi i
, 1 ≤ ` ≤ ri − 1

−x`−1 (qi )q`−1

i.e. δ` (qi ) = δ`−1 (qi )αi i
, 1 ≤ ` ≤ ri − 1 (27)

and solve the equation

ri −`−1
γix = δ` (qi )qi . (28)

This will give the value of x` (qi ). Successively solving for x0 (qi ), x1 (qi ), . . .,
xri −1 (qi ), we will get x(i) = x0 (qi ) + x1 (qi )qi + · · · + xri −1 (qi )qri i −1 .

3) After finding x(1), x(2), . . ., x(k), solve the simultaneous congruences

x ≡ x(i) (mod qri i )

using Chinese Remainder Theorem to find the value of x.

Let us look at an example now.

Example 10: Suppose p = 2269. Here, the order of the group Z∗p is 2268, i.e.
n = 2268. Then, 2 is a primitive root. Suppose we want to solve the equation

2x ≡ 6 (mod 2269).

We have 2268 = 22 · 34 · 7. So,

q1 = 2, r1 = 2, q2 = 3, r2 = 4, q3 = 7, r3 = 1.

We also have
2268 2268 2268
n1 = 22
= 567, n2 = 34
= 28, n3 = 7 = 324.

We have

α1 = α n1 = α 567 ≡ 1287 (mod 2269) and β1 = 6567 = 982 (mod 2269). (29)
r −1
q1
26 γ1 = α1 1 = α12 = α12 = 12872 ≡ 2268 (mod 2269)
Let x(2) = x0 (2) + x1 (2) · 2. We have to solve the equation γ1x = β12 to find the value of Public Key Encryption
x0 (2), i.e.

γ1x = β12 or 2268x ≡ 2268 (mod 2269)

to get x0 (2). So, x0 (2) = 1. We have

−x0 (2)
δ1 (2) = β1 α1 = β1 α1−1 ≡ 982 · 1287−1 ≡ 2268 (mod 2269)

We have to solve the equation Eqn. (28) with ` = 1 to get x1 (2). In other words, we
have to solve the equation
2−1−1
γ1x ≡ δ12 = δ1 or 2268x ≡ 2268 (mod 2269)

So, x1 (2) = 1. Therefore, x(2) = 3.

Let us now compute x(3). We write

x(3) = x0 (3) + x1 (3) · 3 + x2 (3) · 32 + x3 (3) · 33 .

We have

α2 = α n2 = α 28 ,
3
so α2 ≡ 228 ≡ 1411 (mod 2269). Further, γ2 = α23 so

γ2 ≡ 141127 ≡ 2186 (mod 2269).

We have β2 = β n2 , so β2 ≡ 628 ≡ 2252 (mod 2269). To find x0 (3), we have to solve

Eqn. (26) with q2 = 3, r2 = 4, i.e.

2186x ≡ 225227 (mod 2269) or 2186x ≡ 2186 (mod 2269)

So x0 (3) = 1.

To find x1 (3), we have to solve Eqn. (28) with ` = 1. First, let us compute δ1 (3). We
have

δ1 (3) = β2 α2−1 or δ1 = 2252 · 1411−1 ≡ 82 (mod 2269)

We have
4−1−1
δ1 (3)3 = δ19 ≡ 829 ≡ 1 (mod 2269)

To find x1 (3), we have to solve the equation

γ2x ≡ 1 (mod 2269)

So, x1 (3) = 0. So,

4−2−1
δ2 (3) = δ1 (3) ≡ 82 (mod 2269) and δ2 (3)3 = δ2 (3)3 ≡ 823 ≡ 1 (mod 2269)

To find x2 (3), we have to solve the equation

4−2−1
γ2x = δ2 (3)3 or γ2x = 1

So, x2 (3) = 0. Again,

4−3−1
δ3 (3) = δ2 (3) ≡ 82 (mod 2269) and δ3 (3)3 = δ3 (3) ≡ 82 (mod 2269). 27
Public Key Cryptosystems To find x3 (3), we have to solve the equation
and Digital Signature
γ2x = δ3 (3) or 2186x ≡ 82 (mod 2269).

We have 21862 ≡ 82 (mod 2269), so x3 (3) = 2. So,

x(3) = x0 (3) + x1 (3) · 3 + x2 (3) · 32 + x3 (3) · 33 = 1 + 0 · 3 + 0 · 32 + 2 · 33 = 55.

Let us now compute x(7). We have,

α3 = α n3 = 2324 ≡ 738 (mod 2269) and β3 = β n3 ≡ 6324 ≡ 84 (mod 2269)

Further, here r3 = 1. So, x(7) = x0 (7) and γ3 = α3 . We have

1−1
δ0 (7) = β37 = β3 .

So, we have to solve the equation

738x ≡ 84 (mod 2269)

We have 7382 ≡ 84 (mod 2269). So, x(7) = 2.

To find the value of x, we have to solve the congruences

x ≡ 3 (mod 4)
x ≡ 55 (mod 81)
x ≡ 2 (mod 7)

using chinese remainder theorem. Solving, we get x = 1675.

∗∗∗

Here is an exercise for you to try:

E12) Solve the equation 5x ≡ 7 (mod 97).

Pohlig-Hellman algorithm is feasible to apply only if all the qi are small. So, for this
reason, in Diffie-Hellman key exchange and Elgamal algorithm, we have to ensure that
p − 1 has a large prime factor.

Notice that, for applying Pohlig-Hellman algorithm, we need to know the prime
factorisation of n, the order of the group. In the next subsection, we discuss the
Baby-Step, Giant-Step algorithm due to Daniel Shanks for discrete logarithm for which
we don’t need the prime factorisation of n. Our discussion follows [2].

7.5.2 Baby-Step Giant-Step Algorithm

Suppose we want to solve Eqn. (16), i.e. the equation α x ≡ β (mod n). In Baby-Step
Giant-Step algorithm, we do the following:
√
We choose m = d ne and write x = mq + r where 0 ≤ r < m. The baby-step finds r and
the giant-step finds q if q 6= 0.

Baby-Step We first compute

β α −r , r  0 ≤ r < m . (30)



If (1, r) figures in the list for some r, say r0 , then r0 is a solution of

28 Eqn. (16) and we are done.
Giant-Step Otherwise, we set γ = α m and find the values γ, γ 2 , . . ., successively and Public Key Encryption
see if any of the values match the values β α −r we computed in the
previous step. If the value of γ q matches the first coordinate of one of the
values in Eqn. (30), i.e. γ q = β α −r for some q and some r, 0 ≤ r ≤ m,
then γ q = β α r0 or α mq = β α −r0 . In other words, x = mq + r0 is a
solution to Eqn. (16). Note that, we can stop as soon as a value of γ q
matches the first coordinate of the values we computed in Eqn. (30).
Although we don’t need the factorisation of n in this method, we need to
√
store about n pairs we compute in the baby-step part of the method.

Example 11: Let us solve the equation 5x ≡ 13 (mod 97) using this method.
√
We have m = d 97e = 10, β = 13, α = 5. So,

For r = 0, β α 0 = 13. For r = 1, β α −1 = 22.

For r = 2, β α −2 = 82. For r = 3, β α −3 = 94.
For r = 4, β α −4 = 77. For r = 5, β α −5 = 93.
For r = 6, β α −6 = 38. For r = 7, β α −7 = 27.
For r = 8, β α −8 = 83. For r = 9, β α −9 = 36.

Thus, the baby step set is

B = {(13, 0), (22, 1), (82, 2), (94, 3), (77, 4), (93, 5), (38, 6),
(27, 7), (83, 8), (36, 9)} (31)

There is no pair in Eqn. (31) with first coordinate 1, so we carry out the giant step. We
first find γ = α 10 ≡ 510 ≡ 53 (mod 97). Since 53 is not the first coordinate of any of
the pairs in Eqn. (31), we compute 532 ≡ 93 (mod 97). We see that 93 appears as the
first coordinate in the sixth element of Eqn. (31). The value of r in this case is 5 and the
value of q is 2. So, x = 2 · 10 + 5 = 25 is the solution to our equation 5x ≡ 13 (mod 97)

∗∗∗

Try the following exercise to check your understanding of the baby-step, giant-step
algorithm.

E13) Solve the equation 5x ≡ 4 (mod 73) using baby-step, giant-step method.

While this algorithm has the advantage that we don’t need the factorisation of the order
of the group, the memory requirements become large when the order of the group is
≈ 1020 . In the next subsection, we discuss the index calculus algorithm for finding
discrete logarithms.

7.5.3 Index Calculus Algorithm

In this subsection, we will discuss the index calculus algorithm which is similar to the
quadratic sieve algorithm. Our discussion follows [15]. The algorithm has the
following steps.

Precomputation In this step we fix a bound B and suppose q1 , q2 , . . ., qm be the

primes that are less than B. We call these primes our factor
base. We then generate relations of the form
m
α k ≡ ∏ qri i (mod p). (32)
i=1 29
Public Key Cryptosystems We choose a random k and store the relation if all the prime
and Digital Signature
factors of α k are less than B. For each relation of the form
Eqn. (32), by taking discrete logarithm to the base α, we get a
linear equation
m
k ≡ ∑ ri logα qi (mod p − 1) (33)
i=1

Once we have enough relations of the type Eqn. (33) we solve

for logα qi .
Discrete logarithm To solve α x ≡ β (mod p) we choose r at random and find
β α −r (mod p) and see if it is B smooth, i.e. if the prime
factors of β α −r are less than B. If yes, we can write
m
β ≡ α r ∏ qsi i (mod p)
j=1

or
m
logα β = r + ∑ si logα qi (34)
j=1

Since we know the values of r, si and logα qi , we can find

logα β .

Of course, once we do the precomputation, we can reuse it for computing several

discrete logs for the same prime p.

Let us now look at an example to understand this method.

Example 12: Let p = 137 and α = 2. Let B = 10, so we are working with the primes
2, 3, 5, 7. A calculation yields the following:

51 ≡ 5 (mod 137)
57 ≡ 5 · 7 (mod 137)
550 ≡ 5 · 33 (mod 137)
65 4
5 ≡ 2 · 5 (mod 137)

Therefore,

1 ≡ log5 (5) (mod 136) (35)

7 ≡ log5 (5) + log5 (7) (mod 136) (36)
65 ≡ 4 log5 (2) + log5 (5) (mod 136) (37)
50 ≡ 3 log5 (3) + log5 (5) (mod 136) (38)

Note that we are abusing the notation here. We are not taking the usual logarithm with
respect to 5, but taking the discrete logarithm in the group Z∗137 to the base 5.

Eqn. (35) and Eqn. (36) yield log5 (7) ≡ 6 (mod 136).

Eqn. (35) and Eqn. (37) yield

64 = 4 log5 (2) (mod 136) or 64 − 4 log5 (2) = 136t

for some integer t. Dividing the second equation throughout by four, we get
30 16 − log5 (2) = 34t or 16 ≡ log5 (2) (mod 34). This means that log5 (2) is congruent to
16 (mod 135) or 16 + 34 = 50 (mod 136) or 50 + 34 = 84 (mod 136) or Public Key Encryption
84 + 34 = 118 (mod 136). We find 516 , 550 , 584 and 5118 and see which of them equals
2 (mod 137). We see that 5118 ≡ 2 (mod 137), so log5 (2) = 118.

From Eqn. (35) on the preceding page and Eqn. (38) on the facing page, we get
3 log5 (3) ≡ 49 (mod 136). Since 3 is coprime to 136, we can solve this to get
log5 (3) = 107.

Suppose now that we want to find log5 (29). Finding 29 · 5−r (mod 137) for some
random values of r, we find that 29 · 5−31 ≡ 135 = 33 · 5 (mod 137). So,

log5 (29) ≡ 3 log5 (3) + log5 (5) + 31 log5 (5) = 321 + 1 + 31 ≡ 81 (mod 136)

So, 581 ≡ 29 (mod 137).

∗∗∗

Here is an exercise for you to test your understanding of index calculus algorithm.

E14) Solve the equation 2x ≡ 31 (mod 163) using index calculus algorithm. You are
given the following information:

212 ≡ 21 (mod 163)

217 ≡ 20 (mod 163)
240 ≡ 9 (mod 163)

Further, it is known that 31 · 2−14 ≡ 45.

We end this unit here. In the next section, we summarise the contents of the Unit.

7.6 SUMMARY
Let us summarise the main topics that we have discussed in this unit. In this Unit, we
have discussed

1) the concept of a Public Key Cryptosystem;

2) the concept a one way function;

3) the RSA algorithm;

4) the ElGamal algorithm;

5) the Fermat factorisation algorithm, p − 1 algorithm and the quadratic sieve

algorithm for factorising integers; and

6) the Pohling-Hellman algorithm, Baby Step-Giant Step alogrithm and the index
calculus algorithm for discrete logarithms.

7.7 SOLUTIONS/ANSWERS

E1) We have φ (n) = 6 × 10 = 60. However, 6 and 60 are not coprime, so we cannot
choose 6 as our exponent. However, we can choose e = 7 since (7, 60) = 1. Using
extended euclidean algorithm, we get

7 · (−17) + 2 · 60 = 1 31
Public Key Cryptosystems So, we can choose d = 43 ≡ −17 (mod 60). Using repeated squaring algorithm,
and Digital Signature
we have:

At the end of iteration 1, m = 3 P = 40 b = 60

At the end of iteration 2, m = 1 P = 13 b = 58
At the end of iteration 3, m = 0 P = 61 b = 53

So,

M 7 ≡ 61 (mod 77)

Also, check that 6143 ≡ 40 (mod 77).

E2) Here, φ (391) = 16 · 22 = 352. Using extended Euclidean Algorithm, we get

71 · 119 − 24 · 352 = 1,

so d = 119. So, we have

c119 = 171119 ≡ 273 (mod 391)

E3) From φ (n) = n − (p + q) + 1, we get

30940 = 31309 − (p + q) + 1
∴ p + q = 31309 − 30940 + 1 = 369

So, the quadratic equation is x2 − 370x + 31309. We leave it to you to solve the
equation and find p and q.

E4) We have

a1 = 78 N1 = 1926049 N01 = 694

a2 = 254 N2 = 1496357 N02 = 654
a3 = 66 N3 = 1258997 N03 = 1187

Also, N = 1904862461. So,

x = 78 · 1926049 · 694 + 254 · 1496357 · 654 + 66 · 1258997 · 1187

= 451462066854 ≡ 9663597 (mod 1904862461)
√
3
We have 9663597 = 213. Therefore, m = 213.

E5) Both of them will have 126 since 1257 ≡ 289 ≡ 126 (mod 127).

E6) In this exercise, let O(g) denote the order of g ∈ G. In general, we have

O(g)
O gk = (39)


.
(k, O(g))

Suppose g has order n. Then, gn = 1. Use Eqn. (39) to show that gi = gti has order
ni −1
q
qni i . So, gi i 6= 1.
ni −1
q
Conversely, suppose that gn = 1 and gi i 6= 1 for each i. We have O(g) | n since
gn = 1. Further, gi has order qni i . Since O(gi ) = O (gti ) and O(gk ) | O(g) for all
k ∈ N, from Eqn. (39), it follows that qni | O(g). Since qn1 , qn2 , · · · are pairwise
coprime, it follows that n | O(g). Since n | O(g) and O(g) | n, it follows that
32 O(g) = n.
E7) Here p − 1 = 180 = 22 · 32 · 5. Let us take g = 2 and check if it is a primitive root. Public Key Encryption
We have q1 = 2, q2 = 3, q3 = 5, s1 = 2 · 32 · 5 = 90, s2 = 22 · 3 · 5 = 60 and
s3 = 22 · 32 = 36. . We have

290 ≡ 180 ≡ −1 (mod 181)

260 ≡ 48 6≡ 1 (mod 181)
36
2 ≡ 59 6≡ 1 (mod 181)

So, 2 is a primitive root mod 181.

p−1−x
We have gk = 7. So, as in the example Bob computes gk = 7159 ≡ 162
(mod 181). M = 122 · 162 ≡ 35 (mod 181). So, the message is M = 35.

E8) We have ed − 1 = 23936 = 27 · 187. We take b = 2. We are given that

b0 ≡ 2187 ≡ 9079 (mod 12193)

b1 ≡ 90792 ≡ 3561 (mod 12193)
b2 ≡ 35612 ≡ 1 (mod 12193)

We see that b1 6≡ ±1 (mod 12193). So, we have

(b1 − 1, 12193) = (3560, 12193) = 89. Wep can easily check 89 is a prime by
checking that none of the primes less than b89c = 9, namely 2, 3, and 5, is
divides 89. Dividing 12193 by 89, we get the other factor 137. Wepsimilarly check
that 137 is a prime by checking that none of the primes less than b137c = 11
divides 137. So, n = 89 · 137.

E9) We have 210! ≡ 2627 (mod 16867) and (2626, 16867) = 101. The other factor is
167.

E10) We have 51067 + 32 = 2262 . Therefore, 51067 = (226 + 3)(226 − 3) = 223 · 229.

E11) Multiplying the first two relations, we get

2
(486 · 972)2 ≡ 22 · 74 (mod 115697).

But, we have 486 · 972 ≡ 22 · 74 (mod 115697), so this relation gives us nothing.
Multiplying the first and third relations, we get

2
(486 · 1407)2 ≡ 25 · 5 · 72 (mod 115697).

Here, 486 · 1407 6≡ 25 · 5 · 72 (mod 115697). Also,

(486 · 1407 − 25 · 5 · 72 , 115697) = 911.

So, 911 is a factor of 115697. Dividing 115697 by 911, we get the other factor
127.

E12) We have n = 96 = 25 · 3. So, q1 = 2, q2 = 3, r1 = 5, r2 = 1. Further, n1 = 3 and

n2 = 32. Also, α ≡ 5 (mod 97) and β ≡ 7 (mod 97). Let us write

x(2) = x0 (2) + x1 (2) · 2 + x2 (2) · 22 + x3 (2) · 23 + x4 (2) · 24

So,

α1 ≡ 53 ≡ 28 (mod 97) and β1 ≡ 52 (mod 97)

Further,
5−1 5−1
γ1 = 282 = 2816 ≡ 96 (mod 97) and δ0 (2) = β12 = 5216 ≡ 96 (mod 97) 33
Public Key Cryptosystems To find x0 (2), we have to solve the equation
and Digital Signature
96x ≡ 96 (mod 97).

Therefore, x0 (2) = 1.
Next, we compute
−x0 (2)
δ1 (2) = β1 α1 ≡ 52 · 28−1 = 52 · 52 ≡ 85 (mod 97)

and
5−1−1
δ12 = δ18 = 858 ≡ 96 (mod 97)

So, again, we have to solve the equation

96x ≡ 96 (mod 97)

to get x1 (2) and the solution is again 1.

Next, we compute

δ2 (2) = δ1 (2)α −2·x1 (2) = 85 · 28−2 ≡ 47 (mod 97)

To find x2 (2), we have to solve the equation

5−2−1
γ1x = δ2 (2)2 or 96x ≡ 96 (mod 97)

So, x2 (2) = 1.
To find x3 (2), we have to solve the equation γ1x = δ3 (2)2 . We have
2
δ3 (2) = δ2 (2)α −x2 (2)2 = 47 · 28−4 ≡ 75 (mod 97)

and δ3 (2)2 ≡ 96 (mod 97). Thus, x3 (2) is a solution to 96x ≡ 96 and so

x3 (2) = 1.
To find x4 (2), we have to solve
−x3 (2)·23
γ1x = δ4 (2) = δ3 (2)α1 = 75 · 28−8 ≡ 96 (mod 97)

Again, x4 (2) = 1. So, x(2) = 31.

We next find x(3) = x0 (3). We have

α2 = α n2 = α 32 ≡ 35 (mod 97), β2 = β n2 ≡ 35 (mod 97)

To find x0 (3), we have to solve the equation

γ2x = δ0 (3) where δ0 (3) = β2 ≡ 35 (mod 97) and γ2 = α2 ≡ 35 (mod 97)

So, x0 (3) = 1. Solving the congruences

x ≡ 31 (mod 32)
x ≡ 1 (mod 3)

we get x = 31.

E13) The set for the baby-step is

B = {(4, 0), (30, 1), (6, 2), (45, 3), (9, 4), (31, 5), (50, 6),
(10, 7), (2, 8), (15, 9)} . (40)

There is no pair in Eqn. (40) with first coordinate 1. So, we carry out the
giant-step. We set γ = 59 = 10 and we see that this occurs as the first coordinate
of the eighth pair in Eqn. (40) and the value of r for this pair is 7. We have q = 1,
34 so x = 1 · 9 + 7 = 16.
E14) We have the following equations: Public Key Encryption

1 ≡ log2 (2) (mod 162) (41)

12 ≡ log2 (3) + log2 (7) (mod 162) (42)
17 ≡ 2 log2 (2) + log2 (5) (mod 162) (43)
40 ≡ 2 log2 (3) (mod 162) (44)

From Eqn. (41) and Eqn. (43), we see that log2 (5) = 15 .
From Eqn. (44), we see that 20 ≡ log2 (3) (mod 81). So, log2 (3) ≡ 20 or
20 + 81 = 101 (mod 162). Checking, we find that 2101 ≡ 3 (mod 163), so
log2 (3) = 101.
Using the value of log2 (3) in Eqn. (42), we see that

log2 (7) = 12 − 101 = −89 ≡ 73 (mod 162)

We are given that 31 · 2−14 ≡ 45 = 32 · 5 · (mod 163). So,

log2 (31) = 14 + 2 log2 (3) + log2 (5) = 14 + 202 + 15 ≡ 69 (mod 162)

35
Public Key Cryptosystems
and Digital Signature

36
UNIT 8 DIGITAL SIGNATURES
Structure Page No.
8.1 Introduction 37
Objectives
8.2 Digital Signature Algorithms 38
RSA Digital Signature Algorithm
ElGamal Digital Signature Algorithm
Digital Signature Standard
8.3 Summary 50
8.4 Solutions/Answers 50

8.1 INTRODUCTION

In the earlier units, we have seen how cryptography protects the communication
between Alice and Bob from the prying eyes of Eve. However, the methods and
algorithms that we have seen so far doesn’t protect Alice and Bob from each other in
the following sense: Suppose Alice is a stock broker and Bob is a client who buys and
sell stocks through Alice. Assume that they use some public key cryptosystem to
communicate with each other. Suppose Bob asks Eve to sell some stocks and they go
up in value afterwards. Bob can claim that he never sent the message and that it was
forged by Alice since the encrytion exponent of Bob is in the public domain. The other
way around, suppose Alice wants to offload some worthless stock on Bob. Since Bob’s
encryption algorithm is in the public domain, she can forge a message from Bob that
supposedly instructs her to buy those worthless stocks and claim that she was acting on
Bob’s instructions when she purchased the stocks. Of course, these problems could
arise in the case of symmetric key cryptosystems also because both Alice and Bob have
the encryption an decryption keys. How to address this issue?

In a traditional commercial transaction, the physical signature of the writer on a paper

document served to authenticate the document and for non-repudiation. So, the
question arises, whether there is a digital analogue that can serve the same purpose and
protects Alice and Bob from each other. We answer this question in this Unit. In
Sec. 8.2, we explain two alogrithms for digital signatures which provide the essential
functionalities of the physical signature.

Objectives
After studying this unit, you should be able to
• define digital signature;

• explain the functionalities provided digital signatures;

• explain direct and arbitrated signature schemes;

• explain how to sign a message using RSA algorithm and verify a signature created
with RSA algorithm;

• explain how to sign a message using ElGamal algorithm and verify the signature
created using ElGamal algorithm;and

• explain how to sign a message using Digital Signature Standard and verify the
signature created using Digital Signature Standard.
37
Public Key Cryptosystems
and Digital Signature
8.2 DIGITAL SIGNATURE ALGORITHMS

In the third unit of the first block of this course, we discussed the goals of cryptography
which is to achieve PAIN, i.e. namely Privacy/confidentiality, Authentication, Integrity
of data and Non-repudiation. As we have seen already, the cryptosytems provide
privacy. Symmetric key cryptosystems provide certain level of authentication also if we
assume that no one other than the authorised persons have access to the keys. If Bob
and Alice alone know a key and Bob receives a message encrypted with this key, Bob
can be certain that the message was sent by Alice. This is not there in public key
cryptosystems because anyone can send a message using the encyrption exponent
available in the public domain.

Even in the case of private key cryptosystems the following situations can arise:

1) Bob can send a message to Alice and deny that he sent it at a latter date.

2) Alice can forge a message and claim that Bob sent it to her.

In the case of public key cryptosystems, a third person, say Eve, can fool Alice into
thinking a message from Eve to be a message from Bob.

To avoid such situations, we need the digital analogues of the conventional signatures
used in paper documents. Note that, in the case of paper documents, the signature in
one document cannot be pasted on another without being detected. So, whatever the
digital analogue of the conventional signature be, it should not be possible to copy the
digital signature from one document to another document. In other words, the digital
signature and the document it authenticates must be ‘inseparable’ from each other. How
do we achieve this?

Before we discuss specific algorithms, let us first see what are the properties of a digital
signature. With the help of digital signature, we should be able to:

1) Verify the author of signature.

2) Authenticate the contents of the message, i.e. check that the message has not been
tampered with.

3) Resolve disputes with the help of a third party if necessary.

To be of use, the digital signature has to satisfy the following conditions:

1) The signature should be a bit pattern that should depend on the sender.

2) Creation of digital signature should involve a secret information that is known

only to the sender.

3) It should be easy to compute the digital signature.

4) The computation for verifying the signature should be easy.

5) It should be computationally infeasible to construct a message for an existing

digital signature. For example, suppose Eve intercepts a message M by Alice to
Bob with signature s. She should not be able to create another messsage M 0 with
38 the same signature s.
6) It should be computationally infeasible to construct a fraudulent signature for an Digital Signatures
existing message. For example, it should not be possible for Eve create a message
M and create a signature s and make it appear that Alice has created and signed
the message.

We begin by formally defining digital signature.(See [9].)

Definition 5: The digital signature for a data is the result of a cryptographic

transformation of the data that, when properly implemented, provides a mechanism for
verifying origin, authentication, data integrity and signatory non-repudiation.

The different approaches that have been suggested for digital signatures fall into two
broad categories, namely direct signatures and arbitrated signatures.

Direct Signatures involve only Alice and Bob, the communicating parties. Suppose
(EA , DA ) is the public encryption function, private decryption function, respectively, of
Alice and (EB , DB ) is the public encryption function and private decryption function
pair of Bob. (For example, they could be RSA exponentiation functions for encryption
and decryption.) Let h denote a hash function. The following are the steps involved:
ALICE BOB

Encryption function: EA (Public) Encryption function: EB (Public)

Decryption function: DA (Private) Decryption function: DB (Private)

M c = EB (M ) (s, c) (x, y) M = DB (y)

h(M ) s = DA (h(M ))

YES
EA (x) = h(M )?

Sender
NO is
Alice
Sender
may not
be Alice

Signature Alice does the following:

1) Encrypts the message M with Bob’s public key to create the
cipher text c = EB (M ).
2) Creates the hash h(M ) of the message and encrypts it with her
private encryption function DA to create the signature
s = DA (h(M )).
3) Alice sends the pair (s, c) to Bob.
Verification Bob receives the pair (x, y). Bob checks whether EA (x) and h(DB (y))
are the same. If they are the same, the signature is verified.

Let us see why this is so. Note that, on the one hand,

EA (x) = EA (s) = EA (DA (h(M ))) = h(M ). 39

Public Key Cryptosystems
and Digital Signature
See page 50 of block 2 for
properties of hash functions.
40
On the other hand,
h(DB (y)) = h(DB (EB (h(M )))) = h(M ).
If the message has been tampered with, the hash value of the tampered message will not
match the hash value calculated from the signature.
Note that, encryption of the message is optional and Alice may encrypt the message
only if it is confidential. If she doesn’t encrypt the message and sends the signature,
message pair (s, M ) to Bob, Bob has to check that
h(DB (s)) = h(M )
Note that, only Alice could have created DA (h(M )) because she alone knows the
decryption function DA . So, only Alice could have sent the message.
Suppose Eve wants to create another message with the same digital signature. She will
have to create a message M 0 such that h(M ) = h(M 0 ). By the properties of hash
function, it is computationaly infeasible to produce a message M 0 such that
h(M ) = h(M 0 ) because of the collision resistance property of hash funtions.
Suppose Alice claims at a later date that she never sent the message (s, c) and the issue
is taken up by a judge. Bob can submit (s, M ) to the judge and the judge can calculate
EA (s) and h(M ). If the two values are equal the judge concludes that Alice must have
sent the message if they are equal because only Alice could have created
s = DA (h(M )) because only she has access to DA .
There are some shortcomings in this scheme. If Alice wants to deny that she sent the
message, she may claim that her secret key was stolen by someone else and misused to
create the message and its signature. One way to overcome this is to include a time
stamp in the message and insist that Alice report any loss of key to a central authority.
Another possible problem could be that Eve could steal Alice’s key at time T and she
may send a message signed with Alice’s signature and a time stamp before or equal to
T.
Some of these problems can be avoided by using arbitrated schemes. We now discuss
an arbitrated scheme that works with symmetric key cryptosystem. Suppose Alice
wants to send a message to Bob. We assume that there is an arbiter trusted by both
Alice and Bob. Alice shares a secret key kA with arbiter and Bob shares a secret key kB
with the arbiter. Let (EkA , DkA ) be the encryption and decryption functions
corresponding to kA and (EkB , DkB ) be the encryption and decryption functions
corresponding to kB . Alice sends the message to Bob as follows:
1) Alice finds the hash of the message h(M ). She encrypts this hash value and a text
XA , that identifies that the sender of the message is Alice, to get
s = EkA (h(M )||XA ). This is the signature for the message. She sends this along
with the message to tthe arbiter.
2) The arbiter knows kA and therefore DkA and can compute
DkA (s) = DkA (EkA (h(M )||XA )) = h(M |)||XA .
She extracts XA and h(M ). From XA , she knows that the sender is supposedly
Alice. She can confirm this by comparing the value of h(M ) that she has
extracted from the signature to the hash value she calculates from the message
itself. If they are the same, she is satisified that the message is from Alice.
3) If M is a valid message for Bob, she concatenates the identity of Alice with the Digital Signatures
message M and signature s, encrypts it using Bob’s key and sends it to Bob, i.e.,
she sends EkB (XA ||M ||s). Bob can then decrypt this using DkB and obtain the
identity of the sender and the message.

If Alice denies that she sent the message, Bob can send EkB (XA ||M ||s) to the
arbitrator. The arbiter can decrypt it using DkB and obtain XA , the identity of the sender,
the message M and the signature EkA (h(M )||XA ). She compares the value h(M )
computed from M with the value extracted from the signature s. If they are equal,
arbitrator concludes that the message has been sent by Alice. This is because Bob
cannot tamper with s since he doesn’t know kA . In this method, Bob cannot verify
directly that the message has been sent by Alice. He needs the services of the arbitrator
for verification.

We now discuss some digital signature algorithsms. A good reference for our
discussion is FIPS 186-4, [9]. The document gives three different algorithms, the RSA
Digital Signature Algorithm, the Digital Signature Standard (DSA) and Elliptic Curve
Digital Signature Algorithm (ECDSA). In this section, we will discuss the RSA Digital
Signature Algorithm, the ElGamal algorithm and the Digital Signature Standard (DSA).

8.2.1 RSA Digital Signature Algorithm

In their paper [14], Rivest, Shamir and Adleman also suggest a method for digitally
signing documents using their algorithm. We now describe the algorithm. This is
similar to the RSA algorithm. Suppose Alice wants to sign and send a message. She
does the following:

1) Alice generates two primes p and q as she does for the RSA algorithm and
computes n = pq. She then chooses eA such that (eA , φ (n)) = 1. She then
computes the inverse dA of eA using extended euclidean algorithm. Her
encryption and decryption functions are, respectively, EA (M ) = M eA (mod n)
and DA (M ) = M dA (mod n). She then publishes (n, eA ).

2) To sign a message M she computes the hash h(M ) of the message using some
standard Hash function like SHA for h and raises the hash of the message to power
dA , i.e. s = DA (h(M )) = h(M )dA (mod n). She then sends (M , s) to Bob.

To verify the signature, Bob downloads (n, eA ). He finds the value h(M ) and checks
whether this is the same as EA (s) = seA ≡ (h(M ))dA eA (mod n). If seA ≡ h(M )
(mod n), the message has been sent by Alice.

Let us now look at an example.

Example 13: Suppose the public key, private key and the modulus of Alice are e = 13,
d = 37 and n = 77. She publishes the values (77, 7) on the web. Let us suppose that the
message she wants to send is M = 17. Then, she calculates s = M 37 . For the sake of
simplicity, we assume that she raises the whole message to the power dA instead raising
the hash value h(M ) to the power dA . Using repeated squaring algorithm we have the
following:
Values at the end of iteration 1:

P = 17, b = 58, m = 18.

Values at the end of iteration 2:

P = 17, b = 53, m = 9. 41
Public Key Cryptosystems Values at the end of iteration 3:
and Digital Signature
P = 54, b = 37, m = 4.

Values at the end of iteration 4:

P = 54, b = 60, m = 2.

Values at the end of iteration 5:

P = 54, b = 58, m = 1.

Values at the end of iteration 6:

P = 52, b = 53, m = 0.

So, 52 is the signature of the message. She sends the pair (17, 52) to Bob. To check the
signature, Bob downloads the values n = 77 and e = 13. He then checks whether
seA = M . In this example, Bob calculates 5213 (mod 77). Again, using repeated
squaring algorithm, we have the following: Values at the end of iteration 1:

P = 52, b = 9, m = 6.

Values at the end of iteration 2:

P = 52, b = 4, m = 3.

Values at the end of iteration 3:

P = 54, b = 16, m = 1.

Values at the end of iteration 4:

P = 17, b = 25, m = 0.

Bob finds that 5213 ≡ 17 (mod 77). So, he is convinced that the message was indeed
sent by Alice.

∗∗∗

Here is an exercise for you to check your understanding of RSA Signature Algorithm.

E1) Suppose Alice chooses n = 221, e = 11, d = 35.

a) Suppose, Alice wants to send the message M = 25 to Bob. Find the
signature of the message assuming that Alice signs the message and not the
hash of the message.
b) Bob receives a message-signature pair (82, 10). Verify the signature.

In Example 13 on the previous page, we assumed that Alice does not want to encrypt
her message. Suppose, she wants to encrypt the message using RSA as well as sign her
message using RSA digital signature algorithm.

Suppose she signs first and encrypts later; she first finds s = DA (h(M )) = h(M )dA
(mod n) and then c = EB (M ) = M eB (mod n). She sends (c, s) to Bob. Bob
downloads (nA , eA ), the modulus and public key of Alice. Then, using the value of eA ,
he computes

42 EA (s) = EA (DA (h(M ))) = h(M )dA eA (mod n) = h(M ) (mod n).
He then decrypts and finds the message M = DB (c) = cdB = M eB dB ≡ M (mod n). Digital Signatures
Then, he finds the hash value h(M ) and checks if EA (s) = h(M ). If it is, Bob can be
sure that the message was sent by Alice.

Now, Bob has a pair (s, M ) and if Alice denies that she sent the message, Bob can
submit the pair (s, M ) to a judge. The judge checks whether EA (s) = h(M ). If this is
the case then DA (M ) has to be s and Bob cannot produce DA (M ) because Bob does
not know DA .

On the other hand, suppose Alice encrypts the message before signing. In this case, she
computes

c = EB (M ), s = DA (h(c)) = DA (h(EB (M ))).

She sends (s, c) to Bob. Bob can recover the message by computing

DB (c) = DB (EB (M )) = M .

Bob can calculate h(c) since he knows c. Bob checks whether EA (s) = h(c). If it is, he
can be sure that message was sent by Alice.

In case Alice denies that she sent the message, Bob submits the pair (s, M ) to a judge.
The judge finds EB (M ) = c and checks whether h(c) = EA (s). If this is the case,
DA (h(c)) must be s and Alice alone could have produced s = DA (h(c)).

Now, the question is whether Alice should first encrypt the message and then sign it or
sign first and encrypt afterwards. Both have problems as we will see presently.

Suppose Alice sends the sales plan M ="SALES PLAN" to her colleague Bob. Alice
signs first and encrypts later. She computes the signature s = DA (h(M )). She then
encrypts the message with Bob’s public key to find c = EB (M ). She then sends (c, s) to
Bob. At a later time, suppose Bob has a fight with Alice and wants to make her appear
guilty of divulging trade secrets to a rival, say, Charlie.

Bob can do the following: He knows DB , so he can find M = DB (EB (M )) = M . He

then encrypts it with the public key of Charlie and sends c1 = EC (M ) where EC is the
public encryption function of Charlie. He sends the pair (c1 , s) to Charlie and make it
appear that Alice is the sender of the message. Charlie decrypts the message using his
private decryption function DC and find the message M = DC (c1 ). He will then find
the message M and finds that h (M ) = EA (s). Charlie will be thus misled into
thinking the message was sent by Alice to him. When it becomes known that the trade
secret has been divulged to a rival, Alice will be blamed.

So, in this case, the signature authenticates the sender, but it cannot be used to
determine who is the intended recipient. One simple solution is to include the name of
the recipient in the message.

Suppose Alice encrypts first and signs later. Suppose Alice has an exciting new idea and
she sends it to Bob, her Boss. She sends the message M ="MY IDEA" as follows: She
computes c = EB (M ) and then finds the s = DA (h(c)) and sends the pair (s, c) to Bob.

Her rival Charlie may block the message and do the following in an attempt to claim
credit for the idea. Since he knows EA , he can find EA (s) = EA (DA (h(c))) = h(c).
Then, he computes s1 = DC (h(c)) and sends (s1 , c) to Bob. Bob will be fooled into
believing that Charlie is the discoverer of the new idea.

In this case, the signature can be used to determine who the recipient is, but it cannot be
used to determine who the sender is. One simple solution to the issue is to include the
name of the sender as a part of the message. 43
Public Key Cryptosystems In general, the solution is to make these signing procedures a part of properly designed
and Digital Signature
cryptographic protocols. A Cryptographic protocol is a step by step procedure for
carrying out crytographic procedures like encryption or signing. Cryptographic
protocols ensures that the cryptographic algorithms are used securely.

A thorough discussion of the issues involved is beyond the scope of this course. If you
are interested in knowing more, see [3] and the references given there for a detailed
discussion of the issues involved.

We end our discussion of RSA signature algorithm here. In the next sub-section, we
will discuss a digital signature procedure due to ElGamal.

8.2.2 ElGamal Digital Signature

In this sub-section, we will discuss a digital signature scheme due to ElGamal. As in

the case of RSA, the underlying idea behind the scheme is similar to that of RSA. Here
also, the security of the scheme will depend on the difficulty in finding discrete
logarithm.

Suppose Alice wants to digitally sign her messages using ElGamal Scheme. She
chooses a prime p such that p − 1 has at least one large prime factor. She then chooses a
primitive root α, i.e. α ∈ Z∗p such that α generates the cyclic group Z∗p . She chooses
another integer a such that 2 ≤ a ≤ p − 2. She finds β = α a (mod p) and makes the
values (p, α, β ) public. She keeps the value of a secret.

Suppose she wants to sign a message M . She chooses a secret integer k, 2 ≤ k ≤ p − 2

such that (k, p − 1) = 1. She finds r = α k (mod p). She can solve the congruence

kx ≡ M − ar (mod p − 1). (1)

for the value of x. Indeed, since k is coprime to p − 1, the congruence Eqn. (1) has a
unique solution s with 0 ≤ s ≤ p − 2. She sends the triple (M , r, s) to Bob.

To verify the signature, Bob has to check that

α M = rs β r (mod p). (2)

Let us see why these two values should be equal. Note that since s is a solution
to Eqn. (1), sk ≡ M − ar mod p − 1. So, sk − M + ar is a multiple of p − 1. Since α is
an element of order p − 1, it follows that

α sk−M +ar ≡ 1 (mod p).

We can rewrite the last equation as

α M ≡ α sk α ar (3)

But, α sk = rs since r = α k . Also, β = α a , so α ar = β r . Substituting these values

in Eqn. (3), we get Eqn. (2).

Note that, since only Alice knows the values of a, k and r only she could solve the
congruence Eqn. (1).

Suppose Eve wants to forge the signature of Alice for a mess M1 . She can choose some
value k1 and find r1 = α k1 . If she has to convince Bob that the message was sent by
Alice, she has to find a s such that

44 α M1 ≡ rs1 β r1 or rs1 ≡ α M1 β −r1 .

For this, she has to solve the discrete logarithm problem Digital Signatures

rx1 = γ

in Z∗p , where we denote α M1 β −r1 by γ. In general, this discrete logarithm problem is a

problem that is difficult to solve if p − 1 has a large prime factor. Thus, Eve will not be
able to fake Alice’s signature.

Let us now look at an example to understand the procedure.

Example 14: Suppose Alice chooses p = 173. Then 2 is a primitive root for for 173.
So, she chooses α = 2. Then, she chooses a = 8 and finds

β = 28 = 256 ≡ 83 (mod 173).

She makes the triple (173, 2, 83) public.

Suppose Alice wants to send sign and send the message M = 16 to Bob. Here,
172 = 4 · 43. She chooses k = 9 which is coprime to 172. So, r = α k = 29 ≡ 166
(mod 173). To find s, she has to solve equation 9x ≡ 16 − 8 · 166 (mod 172) or
9x ≡ 64 (mod 172) since 16 − 8 · 166 = −1312 ≡ 64 (mod 172). Using extended
euclidean algorithm, we get (−19) · 9 + 172 = 1. So, −19 is the inverse of 9 in Z∗172 .
−1
We have −19 ≡ 153 (mod 172), i.e 9 is 153 in Z∗172 . Solving 9x ≡ 64 (mod 172),
we get x ≡ 153 · 64 ≡ 160 (mod 172). She sends the value (16, 166, 160) to Bob.

To verify the signature, Bob finds α M = 216 ≡ 142 (mod 173) to find the LHS value
in Eqn. (2) on the preceding page.

Next, he finds the values in the RHS. First, he finds

rs = 166160 ≡ 47 (mod 173).

He then finds

β r = 83166 ≡ 84 (mod 173)

Mutliplying rs and β r , we get

47 · 84 = 3948 ≡ 142 (mod 173)

and this agrees with LHS value. So, Bob is convinced that the message was sent by
Alice.

∗∗∗

Here is an exercise to check your understanding of the ElGamal signature scheme.

E2) Suppose Alice chooses p = 139. Then, 2 is a primitive root so, she chooses α = 2.
She chooses a = 9 and finds β = α a = 29 ≡ 95 (mod 139). She makes the triple
(139, 2, 95) public. Suppose she wants to send the message 25 to Bob.
i) Find the signature for the message if she chooses k = 11.
ii) Explain in detail how Bob will verify the signature.

Next, we discuss some precautions that Alice has to take to make sure that the Eve is
not able to forge her signature. One precaution is that Alice should not choose the same
value of r for signing two different messages. Let us see what happens when Alice does
this. 45
Public Key Cryptosystems Suppose Aice signs two messages, M1 and M2 with the same value of r and hence the
and Digital Signature
same value of k. Eve can find this out because Alice sends the value of r to Bob along
with the message.

Since Alice uses the same value of r, we have

M1 − s1 k ≡ ar ≡ M2 − s2 k mod p − 1 or s1 k − s2 k ≡ M1 − M2 (mod p − 1)

Since s1 , s2 , M1 and M2 are known, Eve can solve the congruence

(s1 − s2 ) k ≡ M1 − M2 (mod p − 1). (4)

for k.

Recall how we solve such congruences. Suppose, we want to solve the congruence

ax ≡ b (mod n) (5)

and (a, n) = d. Then, we know from Unit 6 in MMT-003 that Eqn. (5) has a solution if
and only if d | b. We let a0 = da , and b0 = db and n0 = nd . We consider the congruence

a0 x ≡ b0 (mod n0 ) (6)

Since (a0 , n0 ) = 1, Eqn. (6) has a unique solution x0 and we can find it by finding the
−1
inverse a0 of a0 in Zn0 using extended euclidean algorithm and multiplying both sides
−1
of Eqn. (6) by a0 . Then, all the solutions of Eqn. (5) are given by x0 + i dn ,
0 ≤ i ≤ d − 1. So, Eqn. (5) has d solutions.

Suppose (s1 − s2 , p − 1) = d. Then, there are d solutions, k1 , k2 , . . . , kd , to Eqn. (4).

Usually, d is small. Eve finds α k1 , α k2 , etc and checks for which ki we have α ki = r.
Eve can thus find the value of k.

Once Eve finds k, she solves any one of the equations

ar ≡ M1 − s1 k (mod p − 1) (7)

or

ar ≡ M2 − s2 k (mod p − 1) (8)

for a. For the sake of definiteness, let us assume that Eve solve Eqn. (8). Again, if
` = (r, p − 1), there are ` solutions to Eqn. (7), say a1 , a2 , . . . a` . Eve finds α a1 , α a2 , . . .,
α a` and checks which ai gives α ai = β . Thus, she can find the value of a. Once she
finds a, Eve can easily forge Alice’s signature. Let us now look at an example.

Example 15: Suppose Alice chooses p = 173, α = 2, a = 8, β = 83, k = 9, r = 166 as

in Example 14 on the preceding page. Suppose the message is M1 = 16. Then, we saw
in Example 14 on the previous page that the signature for the message M1 = 16 is
s1 = 160.

Suppose Alice uses the same value k = 9 and signs the message M2 = 40. Then, Alice
has to solve the equation

9x ≡ 40 − 8 · 166 ≡ 88 (mod 172)

−1
to find the signature s2 . As before, in Z172 , 9 is 153. So,

x ≡ 153 · 88 ≡ 48 (mod 172).

46 In other words, the signature for M2 is s2 ≡ 48 (mod 172).

Eve notices that Alice has used the same r, so she knows that Alice has used the same Digital Signatures
value of k. To find the value of k she has to solve for Eqn. (4) on the facing pagefor k.
Substituting the values of s1 , s2 , M1 and M2 in Eqn. (4) on the preceding page, she has
to solve the congruence

(160 − 48)k ≡ −24 (mod 172) or 112k ≡ 148 (mod 172) (9)

Comparing Eqn. (5) on the facing page, we have a = 112, b = 148, n = 172 and
d = (112, 172) = 4. So, we have a0 = 112 0 148 0 172
4 = 28, b = 4 = 37, n = 4 = 43.
Comparing with Eqn. (6) on the preceding page, we first solve the congruence

28x ≡ 37 (mod 43). (10)

−1
By extended euclidean algorithm, we get 20 · 28 + (−13) · 43 = 1. So, 28 = 20 in
Z43 . So,

x ≡ 20 · 37 ≡ 9 (mod 43)

So, the solutions are

9 + 0 · 43, 9 + 1 · 43, 9 + 2 · 43, 9 + 3 · 43,

i.e 9, 52, 95 and 138. Finding 29 (mod 173), 252 (mod 173), 295 (mod 173), 2138
(mod 173), Eve finds that 29 ≡ 166 (mod 173). So, she has the value of k.

Next, she solves the congruence Eqn. (7) on the facing page with M1 = 16, s1 = 160,
k = 9. In other words, she has to solve the congruence

166a ≡ 16 − 160 · 9 ≡ 124 (mod 172) (11)

Again, comparing with Eqn. (5) on the preceding page, we see that r = 166, b = 124,
n = 172 and d = (166, 172) = 2. So,

166 124 172

a1 = = 83, b1 = = 121, n1 = = 86.
2 2 2
Comparing with Eqn. (6) on the facing page, Eve has to solve the congruence

83x ≡ 62 (mod 86) (12)

By extended euclidean algorithm, we get (−29) · 83 + 28 · 86 = 1. Further, −29 ≡ 57

−1
(mod 86). Hence 83 is 57 in Z86 . So, the solution to Eqn. (12) is

x ≡ 57 · 62 ≡ 8 (mod 86)

So, the solutions to Eqn. (11) are 8 and 8 + 86 = 94. Eve easily checks that 28 ≡ 83 = β
(mod 173) and so, she finds that a = 8. Eve can now forge Alice’s signature.

∗∗∗

Try the next exercise to see if you have understood Example 15 on the preceding page.

E3) Alice has published the values p = 173, α = 5, β = 84. She sends the signed
messages (25, 26, 101) and (35, 26, 167) to Bob. Find the value of a.

In the next section, we will discuss the Digital Signature Standard, another digital
signature algorithm based on discrete logarithm. This removes some shortcomings that
are in the ElGamal signature scheme. 47
Public Key Cryptosystems 8.2.3 Digital Signature Standard(DSS)
and Digital Signature

The Digital Signature Standard (DSS) or Digital Signature Algorithm (DSA) was
proposed by NIST (National Institute of Standards and Technology) in 1991 and was
adopted in 1994. NIST continues to release updates on the use of algorithm from time
to time. At the time of writing this Unit, the last released version of the algorithm is
Federal Information Processing Standards (FIPS) 186-4. [9]. This was released in July
2013. To keep the discussion simple, we discuss only a special case of the algorithm.
For a general version of the algorithm, you can refer to FIPS 186-4 which is available
for download from the NIST website.

We assume that we will be signing the hash of the message and that the hash function
we use produces an output of length 160 bits. To set up the signature scheme, Alice
does the following:

1) She chooses a prime q of size 160 bits, i.e. a prime q such that 2159 < q < 2160 .
She then chooses another prime p which is of size 1024 bits such that q | p − 1.
You can refer to [9] for the details regarding choice of primes.

2) She chooses a primitive root g (mod p) and sets α = g(p−1)/q (mod p). Then, α
has order q in Z∗p .

3) She chooses a secret value a and computes β = α a . She then makes the values
(p, q, α, β ) public.

As we did in RSA digital signature scheme, here also we will assume that Alice signs
the message rather than the hash of the message. Suppose she wants to sign a message.
She calculates the hash and gets 160-bit number M . She generates a signature for the
message as follows:

1) She chooses a secret value k such that 0 < k < q − 1 and finds r = α k (mod p)

(mod q).

2) She then solves the equation

kx ≡ M + ar (mod q). (13)

The solution to Eqn. (13) is the signature s to the message. She sends (r, s) along with
the message to Bob.

Bob verifies the message as follows:

1) Bob calculates the hash of the message using the same hash function used by
Alice and gets the value M .

2) Bob finds u1 ≡ s−1 M (mod q) and u2 ≡ s−1 r (mod q).

3) He then finds v ≡ (α u1 β u2 (mod p)) (mod q). If v = r the signature is valid.

Let us see how this proceduce works. Note that, from Eqn. (13), we get

k ≡ s−1 (M + ar) (mod q) (14)

So, q | (k − s−1 (M + ar)). Since α has order q in Z∗p , we have

−1 (M +ar)
α k−s ≡1 (mod p)
k s−1 M −1 ar

48 or α ≡ α αs (mod p)
Reducing both sides (mod q), we get Digital Signatures

 −1 −1

α k (mod p) (mod q) ≡ α s M α s ar (mod p) (mod q) (15)

Note that, in equation Eqn. (13) on the facing page, we do not directly reduce α k
(mod q) to get r. First, we reduce α k (mod p) and then reduce it mod q. So, we have
to proceed similarly when we calculate the RHS of equation Eqn. (15). Note that
α k ≡ r (mod p), so the value of the RHS in Eqn. (15) is r. On the other hand,
−1 r
(α a )s
−1 M −1 (M +ar) −1 M −1 r
α u1 β u2 = α s = αs ≡ αs βs (mod p)

Reducing mod q, we get that

v ≡ (α u1 β u2 (mod p)) (mod q)

As we have already seen, the value of LHS is r, so v = r. Let us now look at an example.

Example 16: To keep the example simple, instead of taking a 160 bit prime q, we will
suppose that Alice chooses q = 43 and p = 173. Then, she takes g = 2 and

α = g(p−1)/q = 2172/43 = 24 ≡ 16 (mod 172).

She then chooses a = 7 and finds β = α a = 167 ≡ 6 (mod 173). She then publishes
(173, 43, 16, 6).

Suppose the hash of the message she wants to sign is 30. She chooses k = 9 and finds
r = α k = 169 ≡ 152 (mod 173) and 152 ≡ 23 (mod 43), so r = 23. She solves the
equation

9s ≡ 30 + 7 · 23 ≡ 19 (mod 43)
−1
for s. We have 9 = 24 in Z−1
43 . So,

s ≡ 19 · 24 ≡ 26 (mod 43)

She sends (23, 26) along with the message.

Bob then calculates the hash of the message and finds M = 30. He finds that
−1
s−1 = 26 = 5 in Z43 . He then finds

u1 = s−1 M = 5 · 30 = 150 ≡ 21 (mod 43) and u2 = s−1 r = 5 · 23 ≡ 29 (mod 43).

Bob finds

α u1 β u2 = 1621 629 ≡ 152 (mod 172)

and 152 ≡ 23 (mod 43) = r. So, the signature is verified.

∗∗∗

Here is an exercise for you to check your understanding of digital signature standard.

E4) a) Suppose Alice chooses p = 167, q = 83, g = 5 which is a primitive root (mod
p). She chooses α = g(p−1)/q = 5166/83 = 52 = 25. She chooses a = 8 and
gets β = 258 ≡ 144 (mod 167). Assume that she chooses k = 13 and the
hash of the message she wants to sign is 39. Find the signature of the
message if Alice Digital Signature Standard. 49
Public Key Cryptosystems
and Digital Signature
b) Assume that Alice has published the values (p, q, α, β ) = (167, 83, 25, 144).
She sends a message to Bob along with the pair (r, s) = (31, 61) which was
created using Digital Signature Algorithm. Bob finds that the hash of the
message is 47. Explain how Bob will check whether the message has been
sent by Alice or not.

We conclude this section with some remarks.

1) Note that, in ElGamal signature scheme, we need to perform three

exponentiations, but in DSS, we need to perform only two exponentiations.

2) Unlike the Elgamal signature scheme, we can use the same r again. Suppose h1 is
the hash of the first message and h2 is the hash of the second message, both signed
with the same value of r. Suppose further, that the signature of the first message is
s1 and the signature of the second message is s2 . Then,

s1 k − h1 ≡ ar = s2 k − h2 (mod q)

Then, to find k, Eve has to solve

k(s1 − s2 ) ≡ (h1 − h2 ) (mod q)

for k. After solving (mod q) and Eve gets a value k0 (mod q). There are
2512−160 = 2342 numbers modulo p which reduce to k0 modulo q. Eve has to find
the value α i for each of these 2342 values of i and see which of these values gives r
(mod p) to find the value of k. This is computationally infeasible.

8.3 SUMMARY

In this Unit we have discussed

1) the definition of digital signature;

2) the functionalities provided digital signatures;

3) direct and arbitrated signature schemes;

4) how to sign a message using RSA algorithm and verify a signature created with
RSA algorithm;

5) how to sign a message using ElGamal algorithm and verify the signature created
using ElGamal algorithm;and

6) how to sign a message using Digital Signature Standard and verify the signature
created using Digital Signature Standard.

8.4 SOLUTIONS/ANSWERS

E1) a) She has to find dA (25) = 2535 (mod 221). Using repeated squaring
algorithm, we have the following:
Values at the end of iteration 1:

P = 25, b = 183, m = 17

Values at the end of iteration 2:

50 P = 155, b = 118, m = 8
 Values at the end of iteration 3: Digital Signatures

P = 155, b = 1, m = 4

Values at the end of iteration 4:

P = 155, b = 1, m = 2

Values at the end of iteration 5:

P = 155, b = 1, m = 1

Values at the end of iteration 6:

P = 155, b = 1, m = 0

So, we have 2535 ≡ 155 (mod 221).

b) We find 8211 (mod 221) using repeated squaring algorithm:
Values at the end of iteration 1:

P = 82, b = 94, m = 5

Values at the end of iteration 2:

P = 194, b = 217, m = 2

Values at the end of iteration 3:

P = 194, b = 16, m = 1

Values at the end of iteration 4:

P = 10, b = 35, m = 0

So, we have 8211 ≡ 10 (mod 221). So, the signature is correct.

E2) i) We have

r = α k = 211 = 102 (mod 139)

To find the signature s she has to solve the equation

11x = 25 − 9.102 ≡ 73 (mod 138)

Using extended euclidean algorithm, we get (−25) · 11 + 2 · 138 = 1, and

−25 ≡ 113 (mod 138). So, inverse of 11 in Z∗138 is 113. Solving for x, we
get x ≡ 113 · 73 ≡ 107 (mod 138). So, the signature is 107.
ii) To verify the signature Bob first finds

α M = 225 ≡ 110 (mod 139).

He then finds rs = 102107 ≡ 123 (mod 139). He also finds β r = 95102 ≡ 80

(mod 139). Next, he finds β r rs = 80 · 123 ≡ 110 (mod 139) and this is the
same as the value of α M . So, the message must have been sent by Alice.

E3) We have to solve the congruence

(101 − 167)k ≡ 25 − 35 (mod 172) or 66k ≡ 10 (mod 172) (16)

We have (66, 172) = 2 and 2 divides 10. So, we have to solve the congruence

33k ≡ 5 (mod 86) 51

Public Key Cryptosystems Solving, we get k ≡ 21 (mod 172). So, the solutions to Eqn. (16) on the previous
and Digital Signature
page are 21 and 21 + 86 = 107. Finding 521 and 5107 , we find that 521 ≡ 26
(mod 173), so k = 21.
To find a, we have to solve

26a ≡ 140 (mod 172) (17)

We have (26, 172) = 2 and 2 divides 140. So, we have to solve the congruence

13a ≡ 70 (mod 86)

Solving, we get a = 12. so, the solution to Eqn. (17) are 12, 12 + 86 = 98.
We see that α 12 ≡ 84 (mod 173), so a = 12.

E4) a) We have r = α k = 2513 = 114 (mod 167) and 114 ≡ 31 (mod 83), so
r = 31. We have to solve the equation

13x ≡ 39 + 8 · 31 ≡ 38 (mod 83)

−1
Using extended euclidean algorithm, we get 13 is 32 in Z83 , so

x ≡ 32 · 38 ≡ 54 (mod 83).

So, the signature of the message is s = 54.

−1
b) Bob finds that s−1 = 61 in Z∗83 is 49. He finds that u1 = 49 · 47 ≡ 62
(mod 83) and u2 = 49 · 31 ≡ 25 (mod 83). He then finds α u1 = 2562 ≡ 157
(mod 167) and β u2 ≡ 14425 ≡ 22 (mod 167). Further,
α u1 β u2 = 157.22 ≡ 114 (mod 167) and 114 ≡ 31 (mod 83) and this is equal
to the value of r. So, Bob is convinced that the message was sent by Alice.

52
 UNIT 9 PRACTICAL GUIDE
Note: In all the sessions,the characters in all the texts used are in capitals and there are
no punctuation characters.

In some of the programmes, we ask you to read from files and write to files. Here is a
template that you can use in such programmes. This templates contain commands for
opening, reading, writing and closing files. You have to fill in the code for processing
the information.
1 /* Template for input, output*/
2 # i n c l u d e <stdio.h>
3 # i n c l u d e <stdlib.h>
4 # i n c l u d e <ctype.h>
5 # i n c l u d e <string.h>
6 v o i d decrypt_key( c h a r *input);
7 v o i d encry_decry(FILE *fp_in,FILE *fp_out, c h a r *key);
8 i n t main()
9 {
10 FILE *fp_in,*fp_out;
11 c h a r in_name[40],out_name[40],key[20];
12 printf("Enter an input file name-not more than twenty characters:\n");
13 scanf("%s",in_name);
14 getchar();
15 i f ((fp_in=fopen(in_name,"r+"))==NULL){
16 printf("Unable to open the file. Are you sure the file exists?\n");
17 printf("Bye!");
18 exit(1);
19 }/*endif*/
20 printf("Enter an output file name-not more that twenty characters:\n");
21 scanf("%s",out_name);
22 getchar();
23 i f ((fp_out=fopen(out_name,"w+"))==NULL){
24 printf("Unable to open the file. Bye!\n");
25 exit(1);
26 }/*endif*/
27 w h i l e ((ch=getc(fp_in))!=EOF){
28 /*Do whatever you want with the character*/
29 }/*end while*/
30 fclose(fp_in);
31 fclose(fp_out);
32 printf("Done!\n");
33 r e t u r n 0;
34 }/*end main*/

Session 1
Program 1
Write a C programme that reads a text file, and writes a text file in which

1) all the punctuation marks and other characters are removed.

2) all the letters converted to capitals

3) the output grouped in blocks of five.

For example, if the input file contains the text

Long years ago we made a tryst with destiny,

and now the time comes when we shall redeem 53
Public Key Cryptosystems the output should be
and Digital Signature

LONGY EARSA GOWEM ADEAT RYSTW ITHDE STINY

ANDNO WTHET IMECO MESWH ENWES HALLR EDEEM

Here is a version without file input output. Modify it so that it reads the input from a
file and writes the output to another file. Also, modify it so that it prompts for the
number of characters in each block and the number of characters in each line.
1 /*Programme to convert a text file
2 in such a way that each line contains 30 characters
3 and the text is divided into blocks of five.*/
4 # i n c l u d e <stdio.h>
5 # d e f i n e MAX_STRING 100
6 i n t main()
7 {
8 i n t i=0,j=0,k=0;
9 c h a r s[MAX_STRING];
10 printf("Enter the string that you want to convert.\n:");
11 printf("Length should be not greater than 50.\n");
12 gets(s);
13 w h i l e (s[k] !=’\0’){
14 i f (isalpha(s[k])){
15 s[k]=toupper(s[k]);
16 printf("%c",s[k]);
17 i++;
18 j++;
19 i f (i==5){
20 printf(" ");/*Print a space after
21 printing 5 characters*/
22 i=0;/*Initialise i to 0*/
23 }
24 i f (j==30){
25 printf("\n");/*After printing 30
26 characters, print a new line character."
27 j=i=0;/*Initialise i and j to 0.*/
28 }
29 }
30 k++;
31 }
32 r e t u r n 0;
33 }

Program 2
Write a programme that encrypts(and therefore decrypts) text using an affine cipher. It
should prompt for the values of a and b and use the values to encrypt/decrypt from the
text in a file. It should give an error message if a is not co-prime to 26. You can use the
following programme as a starting point and modify it suitably if you like.
1 /* Programme for affine cipher*/
2 /*The programme assumes that the
3 input file contains only upper case characters
4 and spaces*/
5 # i n c l u d e <stdio.h>
6 # d e f i n e MAX_SIZE 50
7 i n t check( i n t a);
8 v o i d encry_decry( c h a r s[], i n t a, i n t b);
9 i n t inverse( i n t a);
10 i n t main()
11 {
54 12 i n t a,b,c,ch,resp;
13 c h a r s[MAX_SIZE]; Digital Signatures
14 printf("Enter the text. Not longer than 50...\n");
15 gets(s);
16 printf("What do you want to do?\n");
17 printf("Enter 1 if you want to encrypt.\n");
18 printf("Enter 2 if you want to decrypt.\n");
19 scanf("%d",&resp);
20 getchar();
21 printf("Enter the value of a:\n");
22 printf("It should be relative prime to 26.\n");
23 scanf("%d",&a);
24 getchar();
25 i f (check(a)){
26 printf("a is not coprime to 26! Exiting.\n");
27 r e t u r n (1);
28 }
29 printf("Enter the value of b:\n");
30 scanf("%d",&b);
31 i f (b < 0){
32 printf("b cannot be negative! Exiting.\n");
33 r e t u r n (1);
34 }
35 s w i t c h (resp){
36 case 1:
37 encry_decry(s,a,b);
38 break;
39 case 2:
40 c=inverse(a);
41 b=(-b*c)%26;
42 w h i l e (b<0){/*Make sure that the value of b is +ve*/
43 b=b+26;
44 };
45 encry_decry(s,c,b);
46 break;
47 }
48 r e t u r n 0;
49 }
50 i n t check( i n t a)
51 {
52 i f ((a % 2 == 0)||(a % 13==0)){
53 r e t u r n 1;
54 }
55 else{
56 r e t u r n 0;
57 }
58 }
59 v o i d encry_decry( c h a r s[], i n t a, i n t b)
60 {
61 c h a r ch;
62 w h i l e (*s!=’\0’){
63 ch=*s;
64 i f (isalpha(ch)){
65 ch=ch-’A’;
66 ch=(a*ch+b)%26;
67 ch=ch+’A’;
68 printf("%c",ch);
69 }
70 else{
71 printf("%c",ch);
72 }
73 s++;
74 }
55
Public Key Cryptosystems 75 return;
and Digital Signature 76 }
77 i n t inverse( i n t a)
78 /*Find inverse by brute force*/
79 {
80 i n t i=1;
81 w h i l e ((i*a)%26!=1)
82 i++;
83 r e t u r n (i);
84 }

Use it to decrypt the following text which was encrypted with a = 7, b = 14.

XQMRL SBEKO DQUID QXSDU NAQKR OVNSK

LQJSB PIPYN ODPLS NIKIP LARLO BRLQJ
SKRSB CRSIB VQRMQ QBUSB JOBJU ORRQD
RLIKQ MLIOD QBIRP DIXQK KSIBO NUQRO
PLAKS CSOBK ODQMS NNSBE RICIB XQKKR
LORRL QAJIB IRGBI MMLOR USBJO CRYON
NASKI DLIMU ORRQD SKCIB KRSRY RQJVY
RRLQA DQUOS BCIBF SBCQJ RLORR LQDQS
KOBSU POKKO VNQEY NXVQR MQQBR LQRMI
OBJRL ORVIR LVQNI BERIM LOROC RYONN
AQTSK RKSBR LQMID NJ

Program 3
The following text was encrypted using a shift cipher.

HVWGW GFSOZ ZMGWA DZSOO

Write a program that gives the outputs for all the 26 different keys and hence decrypt
the text.

Session 2
Program 1
Write a program that reads from file, encrypts or decrypts the text using Vigenere
cipher and writes the output to another output file specified. Use it to decrypt the
following text that was encrypted using the key ‘SUCCESS’.

OYUJE DDFIV HPSYF ITHEA DOYUJ EDDYI

QPXGL ZYGPH OWKBC NPXAY BVKRX JSHEG
EFVGH VJIKW SMCPH GUWUP UAWKZ UNNJA
YZNYK XZYJI YKRYU GHHKH WFUYC PHYJG
QKPKK LJYPI XZAFN JGEAJ

You can use the following programme as your starting point.

1 /* Programme for vigenere cipher*/
2 # i n c l u d e <stdio.h>
3 # i n c l u d e <stdlib.h>
4 # i n c l u d e <ctype.h>
5 # i n c l u d e <string.h>
6 # d e f i n e MAX_STRING 100
56 7 v o i d decrypt_key( c h a r input[]);
 8 v o i d encry_decry( c h a r text[], c h a r key[]); Digital Signatures
9 i n t main()
10 {
11 c h a r text[MAX_STRING],key[20];
12 i n t resp,i=-1,key_len;
13 printf("What do you want to do?\n");
14 printf("Enter 1 for encrypting text and ");
15 printf("2 for decrypting text.\n");
16 scanf("%d",&resp);
17 getchar();
18 printf("Enter the text.\n");
19 printf("Not more than 100 characters:\n");
20 gets(text);
21 printf("Enter the key:\n");
22 gets(key);
23 s w i t c h (resp){
24 case 1:
25 encry_decry(text,key);
26 break;
27 case 2:
28 printf("Decrypting ...\n");
29 decrypt_key(key);
30 printf("Decryption key is %s.\n",key);
31 printf("Starting Decryption...\n");
32 encry_decry(text,key);
33 break;
34 default:
35 printf("Incorrect choice. Exiting.\n");
36 exit(1);
37 }/*End switch*/
38 r e t u r n 0;
39 }/*end main*/
40 v o i d decrypt_key( c h a r *input)
41 {
42 i n t l=0,i=0;
43 l=strlen(input);
44 printf("Finding the decryption key...\n");
45 printf("String length is %d.\n",l);
46 w h i l e (i<l){
47 input[i]= ’A’ + (26-(input[i]-’A’)) %26 ;
48 i++;
49 }
50 return;
51 }
52 v o i d encry_decry( c h a r text[], c h a r key[])
53 {
54 i n t i=-1,key_len=0;
55 c h a r ch;
56 key_len=strlen(key);
57 printf("Keylength is %d.\n",key_len);
58 printf("Encrypting with key %s\n",key);
59 w h i l e (*text!=’\0’){
60 i f (isalpha(*text)){
61 i++;
62 *text=(*text+key[i]-2*’A’)%26+’A’;
63 printf("%c",*text);
64 i f (i == key_len-1){
65 i=-1;}
66 }
67 else{
68 printf("%c",*text);
69 }/*end of if-else*/
57
Public Key Cryptosystems 70 text++;
and Digital Signature 71 }/*end while*/
72 return;
73 }

Program 2
Write a program that reads a text file in which all the punctuation characters are
removed and all the characters are in upper case and gives the frequency of each of the
26 characters. For example, if the input text is

IDNIG HTHOU RWHEN THEWO RLDSL EEPSI NDIAW

the output should be as in Table 1.

Table 1

A B C D E F G H I J K L M
0.0286 0.0000 0.0000 0.0857 0.1143 0.0000 0.0286 0.1143 0.1143 0.0000 0.0000 0.0571 0.0000
N O P Q R S T U V W X Y Z
0.0857 0.0571 0.0286 0.0000 0.0571 0.0571 0.0571 0.0286 0.0000 0.0857 0.0000 0.0000 0.0000

Find the frequency of the letters in the following text encrypted using an affine cipher.

QEWTK NNXCB JNKOX CRJKY NQEWT KNNOC

CXBCB TEEXZ QEWTK NNJYO TBYXJ RKXUE
KXZCX BTEWE KWKXZ CUEKX WQEWT KNNJY
OTBQY BTORC QYXOU CXJYZ EXUEK XZORC
QYXOW BREXO BTYXB TEKYR

You can use the following programme as your starting point.

1 /* Programme for frequency count.*/
2 # i n c l u d e <stdio.h>
3 # i n c l u d e <stdlib.h>
4 # i n c l u d e <ctype.h>
5 # d e f i n e MAX_STRING 100
6 i n t check( i n t a);
7 i n t main()
8 {
9 c h a r text[MAX_STRING];
10 f l o a t frequency[26];
11 i n t i,count[26],k,charcount=0;
12 printf("Enter the input string.\
13 Not longer than 100 characters and in upper case..\n");
14 gets(text);
15 printf("You entered %s\n",text);
16 f o r (i=0;i<26;i++)
17 count[i]=0;
18 w h i l e (text[k]!=’\0’){
19 i f (isalpha(text[k])){
20 text[k]=text[k]-’A’;
21 count[text[k]]=count[text[k]]+1;
22 charcount++;
23 }
24 k++;
25 }
26 f o r (i=0;i<26;i++)
58 27 frequency[i]=count[i]/( f l o a t )charcount;
28 printf("Total number of characters is %d. \n",charcount); Digital Signatures
29 printf("Char Freq Char Freq\n");
30 f o r (i=0;i<13;i++){
31 printf("%c %f %c %f \n",i+’A’,frequency[i],i+13+’A’,frequency[i+13]);
32 }
33 r e t u r n 0;
34 }

Session 3

For many of the practical sessions, we will use GP. So, in this session, you will explore
GP and familiarise yourself with the basic features of the package. This package is
available under GPL(General Public Licence) from
http://pari.math.u-bordeaux.fr/download.html. Download
Pari-2.3.3 which is the stable version. The windows version from
http://pari.math.u-bordeaux.fr/pub/pari/windows/Pari-2-3-4.exe.
Download the file and double click on the file to install the programme. During the
installation, opt for a shortcut on the desktop. The installer does this by default, so just
accept all the defaults that the installer offers. You can start GP by double clicking on
the icon on the desktop. You will get a window that looks like this: Note the question

Fig. 1: GP/Pari window

mark in the last line. This is the prompt and you have to type your commands there.

The most important command you have to know is the command to quit!. Type \q to
quit the program now. Restart the programme by double clicking on the short cut.

We will first give a short guided tour of gp. Many software packages offer help. Some
help is available in gp also. The user manual and a tutorial are available in PDF format
in the directory c:\ProgrammeFiles\PARI\doc and you can view them using
acrobat reader. There is also some online help. Let us see how to access it. Type a
question mark ? at the command line. You will get the following output.

? ?

Help topics: for a list of relevant subtopics, type ?n

for n in

0: user-defined identifiers (variable, alias, function)

1: Standard monadic or dyadic OPERATORS 59

Public Key Cryptosystems 2: CONVERSIONS and similar elementary functions
and Digital Signature
3: TRANSCENDENTAL functions

4: NUMBER THEORETICAL functions

5: Functions related to ELLIPTIC CURVES

6: Functions related to general NUMBER FIELDS

7: POLYNOMIALS and power series

8: Vectors, matrices, LINEAR ALGEBRA and sets

9: SUMS, products, integrals and similar functions

10: GRAPHIC functions

11: PROGRAMMING under GP

12: The PARI community

Also:

? functionname (short on-line help)

?\(keyboard shortcuts)

?. (member functions)

Extended help looks available:

?? (opens the full user’s manual in a dvi previewer)

?? tutorial / refcard / libpari (tutorial/reference

card/libpari manual)

?? keyword (long help text about "keyword" from the

user’s manual)

??? keyword (a propos: list of related functions).

Let us see what are the number theoretic functions provided by gp. For this we type ?4
at the commandline. You will get the following output.

? ?4

addprimes bestappr bezout bezoutres

bigomega binomial chinese content
contfrac contfracpnqn core coredisc
dirdiv direuler dirmul divisors
eulerphi factor factorback factorcantor
factorff factorial factorint factormod
ffinit fibonacci gcd hilbert
isfundamental ispower isprime ispseudoprime
issquare issquarefree kronecker lcm
moebius nextprime numbpart numdiv
omega precprime prime primepi
60 primes qfbclassno qfbcompraw qfbhclassno
qfbnucomp qfbnupow qfbpowraw qfbprimeform Digital Signatures
qfbred qfbsolve quadclassunit quaddisc
quadgen quadhilbert quadpoly quadray
quadregulator quadunit removeprimes sigma
sqrtint zncoppersmith znlog znorder
znprimroot znstar

The function gcd looks familiar. Is it the usual gcd function?. Let us type ?gcd to
confirm our guess.

? ?gcd
gcd(x,{y}): greatest common divisor of x and y.

So, our guess is correct. We will come back to these number theoretic functions a little
later. There are a few more basic commands that we have to pick up before we look at
them.

Before we move on to other topics, there is one useful command you should know, the
command \l. It enables a log file. All the computations you do while the log file is
enabled is saved to a file called pari.gp by default. If you want to use a different file
name, say mysession.gp, give it as an argument.

\l mysession.gp

The gp program responds as follows:

? \l mysession.gp
logfile = "mysession.gp"
log = 1 (on)

You can disable this at anytime by typing \l.

Start recording your session now. Type

\l session3.gp

Save a record of the sessions, record your calculations and show it to your practical
counsellor. Also, add a printout of the session to your practical file.

The GP/Pari package has the four basic operations represented by the four operators
‘+’,‘-’,‘∗’ and ‘/’. Let us first explore these three operations first. Type 2+2 at the
command prompt. The following is what you will see.

? 2+2
%1 = 4
?

It prints the answer 4. Note the %1 at the beginning line. GP numbers the output serially
as %1, %2 etc. You can use the output in the later commands. Try typing %1*%1.

? %1*%1
%2 = 16 61
Public Key Cryptosystems Incidentally, we have also introduced the multiplication operator ∗. There is also a
and Digital Signature
power operator.

? 2^4
%3 = 16

All these are available in calculators are also, so what is special about gp? To begin
with, it lets you do modular arithmetic. For example, let us look at 2 mod 21. We enter
2 mod 21 as follows:

? Mod(2,21)
%4 = Mod(2, 21)

We can add and multiply mod 21. Let us multiply 5 mod 21 and 2 mod 21.

? Mod(2,21)*Mod(5,21)
%5 = Mod(10, 21)
? Mod(5,21)^2
%6 = Mod(4, 21)

So, even the power operator works!

Now let us see if the inverse operation works for integer mod also.

? Mod(2,21)^-1
%7 = Mod(11, 21)
? Mod(2,21)*Mod(11,21)
%8 = Mod(1, 21)

So, the inverse operator works in modular arithmetic. Let us now try Mod(3,21)^-1.
We know that it doesn’t exist because 3 is not relatively prime to 21.

? Mod(3,21)^-1
*** impossible inverse modulo: Mod(3, 21).

So, gp knows this too! Here are some exercises for you to try out. Type the following
commands on the command line in the order we have given below and try to understand
what they do.

1) a=I 2) a^2 3) Pi 4) 1/7 5) 1/7.0 6) \p 5

7) Pi 8) \p 28 9) b=vector(10,i,i+1);print(b)
10) b[3] 11) c=vector(10,i,i^2) 12) b+c

The following points are worth noting while you do the above exercise:

√
1) The symbol I is used for −1.

2) \Pi prints the value of π using the current precision which is 28 digits.

3) 1/7 is treated as a rational number while 1/7.0 is treated as a floating point

62 number.
4) After the command \p 5, gp prints only π using only 5 digits. The command \p Digital Signatures
28 restores the precision to 28 digits. Command 9) creates a list of length 10,
indexed from 1(not from 0 as in C) with i + 1 as the ith entry and command 10)
prints the 3rd element of the list.
5) Command 11) creates a list of length 10 with i2 as the ith entry. Command 12)
adds the elements of the lists b and c component wise and prints the answer in the
form of a list.

The package can work with polynomials also. Try the following commands:
1) x^2+1-(2*x^2+2) 2) (x-1)*(x^2+x+1) 3) (x^3-1)/(x-1)
4) (x^3-1)% (x-1) 5) (x^3+x^2+1)/(x^2+1)

The gp package can factorise, even modulo an integer. Let us check out the capabilities
in this direction. We know that (x − 1)2 = x2 − 2x + 1, so let us ask gp to factorise
x2 − 2x + 1.

? factor(x^2-2*x+1)

%28 =

[x - 1 2]

Note that this output means that x − 1 is a factor and it occurs twice. We know that
x3 − 2x2 + 2x + 2 is irreducible by Eisenstein’s criterion. Let us check this out.

? factor(x^3-2*x^2+2*x+2)

%29 =

[x^3 - 2*x^2 + 2*x + 2 1]

Let us now see if x6 − 2x2 + 2x + 2 factors mod 7.

? factormod(x^3-2*x^2+2*x+2,7)

%30 =

[Mod(1, 7)*x + Mod(3, 7) 1]

[Mod(1, 7)*x^2 + Mod(2, 7)*x + Mod(3, 7) 1]

So, x3 + 2x2 + 2 ∗ x + 2 = (x + 3)(x2 + 2x + 3) in Z7 [x]!

Another useful fact is that the gcd function works for polynomials and for polynomials
with coefficients in Zp . Let us explore this now. Let us first store the factors we found.
This is possible because gp outputs the answer in the form of a matrix. In this case the
answer is a 2 × 2 matrix with the factors given in the first column. Note that, if a is any
matrix object in gp, a[i,j] is the element in the ith row and jth column as we would
expect.

? ans=%30

%31 =

[Mod(1, 7)*x + Mod(3, 7) 1]

[Mod(1, 7)*x^2 + Mod(2, 7)*x + Mod(3, 7) 1]

? f1=ans[1,1]

%32 = Mod(1, 7)*x + Mod(3, 7) 63

Public Key Cryptosystems ? f2=ans[2,1]
and Digital Signature
%33 = Mod(1, 7)*x^2 + Mod(2, 7)*x + Mod(3, 7)

? gcd(f1,f2)

%35 = 1

So, the two factors do not have any non trivial common factor! We knew this because
f2 is irreducible.

Let us now conclude with a brief discussion on using matrices in gp. Let us first see
how to enter a matrix in gp.

? m=[1,3;2,7]

%38 =

[1 3]

[2 7]

Note that rows are separated by a semi-colon and the entries in a row are separated by a
comma. Here is how we find the transpose of a matrix:

? m~

%39 =

[1 2]

[3 7]

What about the inverse?

? m^-1

%40 =

[7 -3]

[-2 1]

? m*m^-1

%41 =

[1 0]

[0 1]

Let us now see how to find the determinant and the character polynomial of a matrix.

? matdet(m)

%40 = 1

? charpoly(m)

%41 = x^2 - 8*x + 1

The entries of a matrix could be integermods also.

64 ? m1=[Mod(1,11),Mod(3,11);Mod(2,11),Mod(7,11)]
%42 = Digital Signatures

[Mod(1, 11) Mod(3, 11)]

[Mod(2, 11) Mod(7, 11)]

? matdet(m1)

%43 = Mod(1, 11)

? charpoly(m1)

%44 = x^2 + Mod(3, 11)*x + Mod(1, 11)

Here are some exercises for you.

1) Find the inverse of

2 4 7
 
3 2 1 ∈ GL2 (Z11 )
2 1 6

2) Find all the irreducible polynomials of degree 9 over Z2 .(Hint: They are all the
factors of a single polynomial.)

Session 4
We hope you are convinced that gp is more than a calculator. In fact, it can even use
variables, and has decision structures and control structures. Let us look at a few
examples. Start gp and activate the log file by typing

\l session4.gp

In many algorithms, it is necessary to find a quadratic non-residue modulo a prime p.

Let us now write a small program that does that.

?f(p)=a=1;while(a,b=Mod(random()%p,p);a=issquare(b));print(lift(b))

Let us try and understand this program. The first thing that may strike you is that we
have not declared any variables or functions in the program. You can start using a
variable right away. Here, the backbone is the while() loop. Let us type ?while to
get a short summary of the usage of while().

? ?while

while(a,seq): while a is nonzero evaluate the expression

sequence seq.

Otherwise 0.

So, this is similar to the C language. But, note the difference also. The instructions that
have to be repeated when the conditions are true has to be within the round brackets
after while, separated by a comma. In fact, we will see that this is a common feature
of all loop constructs in gp. Also, note that the instructions that appear after the comma
are separated by a semi-colon.

The command random() returns a (pseudo)random number between 1 and 231 . The
command random()%p gives the remainder on division of the random number
returned by the chosen prime p. So, the instruction b=Mod(random()%p,p); finds
a random number between 0 and p, creates the residue class of that number mod p. The 65
Public Key Cryptosystems command issquare(b) checks whether b is a square modulo p or not. If b is a
and Digital Signature
square mod p, it returns the value 1; otherwise, it returns the value 0. The value
returned is stored in a, so the while end loop is repeated till a non-residue mod p is
found. The function lift(a), if a is a residue mod of the form Mod(x,n), returns
an integer in the range [0, n − 1] that is in the same residue class mod n as x. Type the
commands s=Mod(18,7) followed by t=lift(s) to convince yourself.

Let us now write our own function that tells whether a is a residue mod p or not, where
p is a prime. First, we write a function that stores all the squares in a set first. Here is
how we create and store all the squares mod 97.

? v=vector(96,i,Mod(i,97)^2);

Note the semicolon at the end. This means that we are asking gp to perform the
calculation and store in v, but not to print the answer. The output is too long with 96
elements in it and we do not want it to be printed.

But, there are only 48 squares, so how come the list has 96 elements? The point is
a2 ≡ (97 − a)2 (mod 97), so a2 will be stored twice. We can remove the duplicates by
converting v into a set. Let us do this now.

w=Set(v);

Once again, we suppress the output by using a semi-colon. We can check that
everything is all right by finding the length of w.

? length(w)

The output should be 48 if everything is fine.

How to check whether something is a square or not using w? For example, let us check
if Mod(6,97) is a square or not.

? setsearch(w,Mod(6,97))

%72 = 26
So, gp is telling us that Mod(6,26) is the 26th element in the list w. We now have all
the pieces necessary for the programme. Let us now write the general function.
?
Issquare(a,p)=w=Set(vector(p-1,i,Mod(i,p)^2));if(setsearch(w,a),1,0)

First of all, note that the first letter of the function name is in capitals. This is to
differentiate the function from the function issquare that already exists in gp.

The new element in the program is the if statement. Let us understand what it does.
Let us type

? ?if

The output is

if(a,seq1,seq2): if a is nonzero, seq1 is evaluated,

otherwise seq2. seq1 and seq2 are optional, and if seq2
is omitted, the preceding comma can be omitted also.

The command setsearch(w,a) returns the position of a in the list if it is there, i.e.
if a is a square. In this case, the if statement returns the value 1. If a is not in w, then
setsearch(w,a) returns the value 0 and so the if statement returns the value 0.
So, our function Issquare returns the value 1 if a is a square mod p and it returns 0
66 if it is not a square mod p.
Let us look at some more examples of control structures. Let us now write a Digital Signatures
programme that encrypts a text string using affine cipher.

As before, we will first assemble the various parts of our programme. We will try out
each of the parts in the task of encrypting the string “ABC” using the keys a = 3, b = 4.

The first one is the function Vecsmall which converts a string into a array of numbers
with each entry in the array containing the ASCII value of a character in the string. For
example, let us see what happens when we convert the string ABC to a vector of
integers.

? v=Vecsmall("ABC")

%17 = Vecsmall([65, 66, 67])

? v[1]

%18 = 65

If you refer to the ASCII table given in the first block of the C programming course,
you will find that the ASCII value of A is 65, B is 66 and C is 67. As you know, the
characters A—Z are indexed from 65 to 90. Later, we will re-index the characters from
0 to 26. Since we have to loop over the length of v, we have to find the length v and
store it in a variable.

? l=length(v)

%20 = 3

Unfortunately, v is of type t_VECSMALL and it can’t store residue classes. So, we will
now create another general list and transfer the values. While doing so, we will also
re-index the characters from 0 to 26.

? u=vector(l,i,0)

%21 = [0, 0, 0]

? for(i=1,l,u[i]=v[i]-65)

Next, we replace the ith entry of u with its residue class mod 26 and then carry out the
encryption.

? for(i=1,l,u[i]=Mod(u[i],26);u[i]=3*u[i]+4)

? u

%22 = [Mod(4, 26), Mod(7, 26), Mod(10, 26)]

The next step is to revert to natural numbers from residue classes.

? for(i=1,l,u[i]=lift(u[i]))

? u

%23 = [4, 7, 10]

We then convert back ASCII by adding 65, the ASCII code of A, to all the entries.

? for(i=1,l,u[i]=u[i]+65)

? u

%24 = [69, 72, 75] 67

Public Key Cryptosystems Finally, we print the string.
and Digital Signature
? Strchr(u)

%25 = "EHK"

Here is everything combined in the form of a small function. Go through it carefully

and try to understand it.

f(a,b,c)=local(v,w,u,l);

v=Vecsmall(a);

l=length(v);

w=vector(l,i,0);

for(i=1,l,w[i]=v[i]-65);\\Subtract 65.

if(gcd(b,26)>1,print ("Wrong choice of b");

return(failure);,

for(i=1,l,

w[i]=Mod(w[i],26);\\replace w[i] by residue

\\class of w[i] modulo 26

w[i]=b*w[i]+c;\\Encrypt.

w[i]=lift(w[i]);\\Convert from residue

\\class to integer

w[i]=w[i]+65;\\convert back to ASCII

);\\End of for statement

);\\End of for loop

u=Strchr(w);\\Convert to string again.

return(u);

Here the double backslashes \\ are used for inserting comments in the program. The
source of the function is in a file called affine.gp. Read the file with the command

\r affine.gp

Use the function f to decrypt the following ciphertexts encrypted using affine cipher.
Write a loop that prints all the possible decryptions of the given texts and find out
which is the correct one.
1) "HYYRXPZYY" 2) PEEPHBPEQPFC
3) "AYMLYVKOSCXYLYVBTYY"

Write a function in gp that carries out encryption using the Vigenere cipher. Use it to
encrypt the following texts.
1) ATHINGOFBEAUTYISAJOYFOREVER using KEATS as the key.
2) FORTHEFOOLSRUSHINWHEREANGELSFFEARTOTREAD using POPE as the
key.
Write a function in gp that carries out decryption using the Vigenere cipher. Use it to
68 decrypt the following text.
1) NETKKAFCYMBFEMNEIQUNXRXWLBUNOFULUOCZMYUSXKFIZUSGBBJT Digital Signatures
using the key MARKTWAIN.
2) QQVRECDWQDGVDMAZVLPCXZVWGWPCAWXIHUNITRYJVETOSUOEEMMK
using the key BIERCE.
Session 5
Write programs in gp for the following:
1) Miller-Rabin test.
2) Finding a random irreducible polynomial of degree 20 over Z7 .
3) AKS algorithm for testing primality.
Session 6
Suppose, we use a recurrence relation

xn+k ≡ ak−1 xn+k−1 + ak−2 xn+k−2 + · · · + a0 xn (mod 2) (1)

to generate a Pseudo-Random Bit Sequence using a LFSR and suppose that

Sn = (xn+1 , xn+2 , . . . , xn+k )

is the nth state vector. Then, Sn describes the contents of the cells xm , xm+1 , . . .,
xm+k−1 after n clock cycles. Thus, S0 describes the initial state and is called the initial
state vector. The nth state vector and the n + 1th state vector are related by relation
0 0 0 . . . 0 a0
 
1 0 0 . . . 0 a1 
sn+1 = sn 0 1 0 . . . 0 a2 
 
(2)
 
. . . . . .. 
 .. .. .. .. .. . 
0 0 0 . . . 1 ak−1
Use this to write a function in C that simulates a LFSR. It should take an initial state
vector (x1 , x2 , . . . , xk ) and the coefficients a0 , a2 , . . ., ak−1 of the polynomial
p(x) = xk + ak−1 xk−1 + · · · + a1 x + a0 and number of terms ` of the Pseudo-Random Bit
Sequence as input and output ` terms of the Pseudo-Random Bit Sequence generated
by the LFSR given by the polynomial p(x) as output.

Session 7
In this session, we discuss RSA cryptosystem. We first discuss prime generation. Here
is a gp script that generates a 64 bit prime:

mrandomprime={
local(i,j,k,v,number);
number=0;
while(!isprime(number),
number=0;
v=vector(64);
v[1]=v[64]=1;
for(i=2,63,v[i]=random()%2);
for(i=1,64,j=i-1;number+=v[i]*2^j);
);
return(number);
}

This script implements the method discussed in page 10 of Block 3 for generating a
k-bit prime. 69
Public Key Cryptosystems
and Digital Signature
E5) Modify the script so that it takes the number of bits as an argument and returns a
prime of the required size. For example, mrandomprime(512) should return a
512 bit prime.

Example 17: Let us take p = 9353888059, q = 9353896091, so that

n = pq = 87495296950731677369. We have φ (n) = 87495296932023893220. Let us
take e = 65537. Then, d = 50962936505884432853. Suppose the message is
"HELLOHOWAREYOU". We take A = 1, B = 2, . . ., Z = 27 and consider
"HELLOHOWAREYOU" as a number in base 27.

H E L L O H O W A R E Y O U
8 5 12 12 15 8 15 23 1 18 5 25 15 21
Table 2: Numerical values

Now, we convert the text into a number. The numerical value of the message is

8 + 5 · 27 + 12 · 272 + 12 · 273 + 15 · 274 + 8 · 275 + 15 · 276 + 23 · 277 + 1 · 278

+ 18 · 279 + 5 · 2710 + 25 · 2711 + 15 · 2712 + 21 · 2713 = 87495221502384554951
(3)

Here are gp scripts for converting a text to number and number to text:

text2num(a)={local(integer,i,j,l,t);
integer=0;
t=Vecsmall(a);
l=length(t);
for(i=1,l,j=i-1;integer+=(t[i]-64)*27^j);
return(integer);
}
num2text(n)={
local(w,a,b,c);
a=n;
w=[];
while(a,b=a%27;c=b+64;w=concat(w,[c]);print(w);a=(a-b)\27);
return(Strchr(w));
}

Save the scripts in a file and load the file into GP. The command
text2num("HELLOHOWAREYOU") returns the value 87495221502384554951. The
command num2text(87495221502384554951) returns the text
"HELLOHOWAREYOU".

Now, encrypt the text as follows:

? e=65537;d=50962936505884432853;n=87495296950731677369;
? text2num("HELLOHOWAREYOU")
%35 = 87495221502384554951
? Mod(%,n)^e
%36 = Mod(59907042726193783589, 87495296950731677369)
? num2text(lift(%))
70 %37 = "ECXYGYZGTQLCUN"
Now, continue and decrypt the text "ECXYGYZGTQLCUN" as follows: Digital Signatures

? text2num(%)
%38 = 59907042726193783589
? Mod(%,n)^d
%39 = Mod(87495221502384554951, 87495296950731677369)
? num2text(lift(%))
%40 = "HELLOHOWAREYOU"
?
∗∗∗

E6) Write a gp script for converting a text string into a number as above and a gp
script for converting a number back to text that accepts any radix instead of 27.
The function should take the radix also as an argument.

E7) Take n = 226763712889709753296232030807650038581,

φ (n) = 226763712889709753265737268085970700000, e = 65537.
a) Encrypt the text "TOBEORNOTTOBE".
b) Find d. Use it to decrypt the text
"ZPALCLPZBYXTVIVAE@UCAXSRHDM" which was encrypted with
e = 65537.

Session 8
Use Fermat factorisation algorithm in GP to factor
n = 100416730655787958391455215892041411419.

Use GP and Pohlig-Hellman algorithm to solve the equation

7x ≡ 13 (mod 52489).

71
Bibliography

[1] M. Bellare and P. Rogaway, “Optimal asymmetric encryption,” in Advances in

Cryptology—EUROCRYPT’94, ser. Lecture Notes in Computer Science,
A. De Santis, Ed. Springer Berlin / Heidelberg, 1995, vol. 950, pp. 92–111.

[2] J. Buchmann, Introduction to Cryptography, ser. Springer Undergraduate Texts in

Mathematics and Technology. Springer, 2004.

[3] D. Davis, “Defective sign & encrypt in s/mime, PKCS#7, MOSS, PEM, PGP, and
XML,” in Proceedings of the General Track: 2002 USENIX Annual Technical
Conference. Berkeley, CA, USA: USENIX Association, 2001, pp. 65–78.
[Online]. Available: http://dl.acm.org/citation.cfm?id=647055.715781

[4] J. M. DeLaurentis, “A Further Weakness in the Common Modulus Protocol for

the RSA Cryptosystem,” Cryptologia, vol. 8, pp. 253–259, 1984.

[5] W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Trans.

Inform. Theory, vol. IT-22, pp. 644–654, Nov. 1976.

[6] T. E. Gamal, “A public key cryptosystem and a signature scheme based on

discrete logarithms,” IEEE Trans. Inform. Theory, vol. 31, pp. 469–472, 1985.

[7] A. Lenstra and H. Lenstra, The Development of the Number Field Sieve, ser.
Lecture Notes in Mathematics. Springer, 1993.

[8] G. L. Miller, “Riemann’s hypothesis and tests for primality,” JCSS, vol. 13, no. 3,
pp. 300–317, 1976.

[9] FIPS PUB 186-4, FEDERAL INFORMATION PROCESSING STANDARDS

PUBLICATION, Digital Signature Standard (DSS), National Institute of
Standards and Technology Std.

[10] S. C. Pohlig and M. E. Hellman, “An improved algorithm for computing

logarithms over GF(p) and its cryptographic significance,” IEEE Trans. Inform.
Theory, vol. IT-24, no. 1, pp. 106–110, Jan. 1978.

[11] C. Pomerance, “A tale of two sieves,” Notices Amer. Math. Soc, vol. 43, pp.
1473–1485, 1996.

[12] R. Rivest and R. Silverman, “Are ‘Strong’ Primes Needed for RSA?” Cryptology
ePrint Archive, Report 2001/007, 2001, http://eprint.iacr.org/.

[13] R. L. Rivest and B. S. K. Jr., “RSA problem,” in Encyclopedia of Cryptography

and Security. Kluwer Academic Publishers, 2005, available at
http://people.csail.mit.edu/rivest/RivestKaliski-RSAProblem.pdf.

[14] R. L. Rivest, A. Shamir, and L. M. Adleman, “A Method for Obtaining Digital

Signatures and Public-Key Cryptosystems,” Communications of the ACM, vol. 21,
no. 2, pp. 120–126, 1978.

[15] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding

Theory, Second ed. Pearson, 2006.

[16] M. J. Wiener, “Cryptanalysis of Short RSA Secret Exponents,” IEEE Transactions

on Information Theory, vol. 36, no. 3, pp. 553–558, May 1990.

[17] H. C. Williams, “A p + 1 Method of Factoring,” Mathematics of Computation,

vol. 39, no. 159, pp. 225–234, Jul. 1982.
Index

Baby-step, giant-step algorithm, 28

Computational Diffie-Hellman problem,

15

deciphering transformation, 6
Diffie-Hellman, 6
Diffie-Hellman key exchange, 13
Digial signature standard, 50
Digital Signature
arbitrated, 39
Definition of, 39
direct, 39
Digital signature standard, 48
Discrete Logarithm, 13

ElGamal Cryptosystem, 16–17

ElGamal digital signature algorithm,
44–47
enciphering transformation, 6
extended euclidean algorithm, 7

factor base, 20
Fermat factorisation method, 20

Index calculus algorithm, 29

Integer Factorisation, 18

Miller’s probabilistic algorithm for

factorisation, 18

one way function, 7

Optimally Asymmetric Encryption
Protocol(OAEP), 11

Pohlig-Hellman algorithm, 24
Pollard’s p − 1 algorithm, 19
primitive root, 16
public key cryptosystem, 6
definition of, 6

quadratic sieve algorithm, 20

repeated squaring algorithm, 8

RSA cryptosystem, 7–13
decryption exponent, 7
encryption exponent, 7
modulus of encryption, 7
RSA digital signature algorithm, 41–44
RSA encryption Algorithm, 8
73