0% found this document useful (0 votes)
164 views6 pages

Homework 1 2015 Fall Solutions

This document provides solutions to homework problems for a cryptography course. The problems cover topics like the security of the one-time pad, public-key versus symmetric-key cryptography, polynomial-time reductions, the Euclidean algorithm, AES encryption, modular arithmetic, and group theory concepts like generators and subgroups of prime order.

Uploaded by

abrar nahin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
164 views6 pages

Homework 1 2015 Fall Solutions

This document provides solutions to homework problems for a cryptography course. The problems cover topics like the security of the one-time pad, public-key versus symmetric-key cryptography, polynomial-time reductions, the Euclidean algorithm, AES encryption, modular arithmetic, and group theory concepts like generators and subgroups of prime order.

Uploaded by

abrar nahin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

lOMoARcPSD|15338780

Homework 1-2015-Fall-Solutions

Introduction to Cryptography (National Taiwan University)

StuDocu is not sponsored or endorsed by any college or university


Downloaded by abrar nahin ([email protected])
lOMoARcPSD|15338780

5233/IOC5063 Theory of Cryptology, Fall 2015 21-Oct-2015

Homework 1 Solutions
Instructor: Prof. Wen-Guey Tzeng Scribe: Amir Rezapour

1. Show that Vernams one-time pad is perfectly secure.


Answer. we need to show ∀m ∈ M, c ∈ C P r[M = m|C = c] = P [M = m]
Assuming key k ∈ K is randomly chosen, we have
P r[C = c|M = m]P r[M = m] P r[k = m ⊕ c]P r[M = m]
P r[M = m|C = c] = =
P r[C = c] P r[C = c]
= P r[M = m]
(1)

2. Assume that a plaintext bit M is given with P r[M = b] = pb , where b ∈ 0, 1. Assume


that random key K of the one-time pad encryption is chosen by P r[K = 0] = 0.45
and P r[K = 1] = 0.55. Consider the one-time pad encryption C = M ⊕ K.
(a) Assume that an adversary A1 guesses M randomly without even examining the
ciphertext C. Show that the success probability of A1 is exactly 0.5.
Answer.

Pr[A1 succeeds]
= Pr[A1 (·) = M ′ ∧ M = M ′ ]
= Pr[A1 (·) = 0 ∧ M = 0] + Pr[A1 (·) = 1 ∧ M = 1]
1 1
= · p0 + · p 1
2 2
1
= · (p0 + p1 )
2
1
=
2

(b) Suggest a good strategy A2 of guessing M if p0 and p1 are known.
Answer.

0.45 · p0
Pr[M = 0|C = 0] =
0.45 · p0 + 0.55 · p1
0.55 · p1
Pr[M = 1|C = 0] =
0.45 · p0 + 0.55 · p1
0.55 · p0
Pr[M = 0|C = 1] =
0.55 · p0 + 0.45 · p1
0.45 · p1
Pr[M = 1|C = 1] =
0.55 · p0 + 0.45 · p1

1-1

Downloaded by abrar nahin ([email protected])


lOMoARcPSD|15338780

When C = 0, A2 guesses M = 0 if 0.45 · p0 > 0.55 · p1 , M = 1 if 0.45 · p0 < 0.55 · p1 ,


or a random bit if 0.45 · p0 = 0.55 · p1 .
When C = 1, A2 guesses M = 0 if 0.55 · p0 > 0.45 · p1 , M = 1 if 0.55 · p0 < 0.45 · p1 ,
or a random bit if 0.55 · p0 = 0.45 · p1 .

3. Discuss the advantages and disadvantages of public-key and symmetric-key cryptosys-


tems.
Answer. public-key:
Advantage: Key management is easy. A user doesn’t need to share a secret with
another user. He just publishes his public key.
Disadvantage: Public-key cryptosystems are based on hard computational problems.
The computation of public-key cryptosystems is more complex than the computation
of symmetric-key cryptosystems.
symmetric-key:
Advantage: The Computational cost is less complex than public-key cryptosystems.
Easy to implement, usually implemented in a hardware level and can handle big
messages.
Disadvantage:Key sharing problem.

4. Describe the polynomial-time reduction A ploy B.


Answer.
A polynomial-time Turing reduction from a problem A to a problem B is an algorithm
that solves problem A using a polynomial number of calls to a subroutine for problem
B, and polynomial time outside of those subroutine calls. ✷

5. The Euclidean algorithm computes gcd(a, b).

(a) Give the algorithm and show that its computation time is polynomial in the total
length m of a and b, where m = len(a) + len(b).
Answer.

Euclidean(a,b)
{
while (b != 0)
{
a = a mod b;
swap (a,b);
}
return a;
}

1-2

Downloaded by abrar nahin ([email protected])


lOMoARcPSD|15338780

The above Euclidean function outputs gcd(a, b). It reduces the length of a and
b alternatively in the while-loop. In each iteration, a = a mod b reduces the
length of a at least one bit. The loop ends when b = 0, i.e., len(b) = 0. In the
worst case, the while-loop takes len(a) + len(b) iterations. The complexity of
computing a = a mod b is O((len(a) − len(b) + 1) ∗ len(b)), and the complexity
of swapping (a, b) is O(len(a) + len(b)). Thus, the computation time of the
Euclidean function is (len(a) + len(b)) ∗ O((len(a) − len(b) + 1) ∗ len(b) + len(a) +
len(b)) = O(m3 + m2 ) = O(m3 ), which is polynomial time of m.

(b) Solve the equation r × 128 + s × 54 = 2.


Answer. Using Euclidean algorithm:
128 = 54 × 2 + 20, 54 = 20 × 2 + 14 ,20 = 14 × 1 + 6 and finally 14 = 6 × 2 + 2.
(We stop here because the remainder is equal to gcd(128, 54)).
Now we compute r, s as following:
From the last equation we have 2 = 14 − 6 × 2 = 14 − 2(20 − 14) = 3 × 14 − 2 × 20
2 = −2 × 20 + 3(54 − 2 × 20) = 3 × 54 − 8 × 20
2 = 3 × 54 − 8(128 − 54 × 2) = 19 × 54 − 8 × 128.
Therefore, the tuple (r = −8, s = 19) is one of many possible solutions.

6. In the SubBytes of AES, f (x) = x−1 mod X8 + X4 + X3 + X + 1. Compute


f (11101001).
Answer.
The extended Euclidean algorithm computes gcd(a, b) and (x, y) such that ax + by =
gcd(a, b). If gcd(a, b) = 1, x is the inverse of a under modulo b. We use the algorithm
to compute f (11101001) under GF (28 ) as follows:

• Compute gcd(a, b)

# a b ⌊a/b⌋
1 X8+ X4
+ X3 + X + 1 X7 + X6
+ X5 + X3 + 1 X +1
2 X + X + X5 + X3 + 1
7 6 X5 X2 + X + 1
3 X5 X3 + 1 X2
4 X3 + 1 X2 X
5 X2 1 X2

• Compute (x, y) reversely

# x y
5 0 1
4 1 X
3 X X3 + 1
2 X3 + 1 X + X + X3 + X2 + 1
5 4

1 X5 + X4 + X3 + X2 + 1 X6 + X3 + X2 + X

1-3

Downloaded by abrar nahin ([email protected])


lOMoARcPSD|15338780

We have X 6 + X 3 + X 2 + X is the inverse of X 7 + X 6 + X 5 + X 3 + 1 under GF (28 )


and f (11101001) = 01001110. ✷

7. Compute 291/2 mod 151, where 151 is prime.


Answer.
Observe that in case p = 4k + 3: a1/2 = a(p+1)/4 mod p. p = 151 = 4.37 + 3, hence,
291/2 = 29(151+1)/4 mod 151 = 86. ✷

8. Find a group of prime order 23.


Answer.
We have prime q = 23 and prime p = 2 × 23 + 1 = 47. The multiplicative cyclic group
Z∗p has the following properties:

• |Z∗p | = 46
• 3 is a generator of Z∗p

Then we can define the cyclic group (Fq , ×) of order q as below:

• 4 is a generator of Fq
• Multiplication × is under modulo 47

9. Consider group Z∗19 . What are the orders of 5 and 11? Find all generators for Z∗19 .
Find subgroups of orders 2, 3, 6, 9 if they exist. Find QR19 .
Answer.
We have ord(5) = 9 and ord(11) = 3. 2, 3, 10, 13, 14, 15 are generators of Z19 ∗ . We have

subgroups F2 = h18i, F3 = h7i, h11i, F6 = h8i, h12i, F9 = h4i, h5i, h6i, h9i, h16i, h17i.
QR19 = {1, 4, 5, 6, 7, 9, 11, 16, 17} ✷

10. Use the Chinese Remainder Theorem to compute 0 ≤ x < 352 for x mod 3 = 1,
x mod 11 = 3, and x mod 16 = 13.
Answer.

• Compute the inverses

(11 ∗ 16)−1 mod 3 = 2


(3 ∗ 16)−1 mod 11 = 3
(3 ∗ 11)−1 mod 16 = 1

• Compute x ≤ 168

x ≡ 1 ∗ 11 ∗ 16 ∗ 2 + 3 ∗ 3 ∗ 16 ∗ 3 + 13 ∗ 3 ∗ 11 ∗ 1 (mod 528)
≡ 352 + 432 + 429 (mod 528)
≡ 157 (mod 528)

1-4

Downloaded by abrar nahin ([email protected])


lOMoARcPSD|15338780

11. Apply the Rabin-Miller primality test for n1 = 133 and n2 = 257.
Answer.
We test n1 = 133 and n2 = 257 for 10 rounds as follows:

• Test n1 = 133 (133 − 1 = 22 × 33)


2 ×33
– 22 ≡ 64 (mod 133)
Therefore, n1 = 133 is not a prime.
• Test n2 = 257 (257 − 1 = 28 )
8 7 6 5
– 22 ≡ 1 (mod 257), 22 ≡ 1 (mod 257),22 ≡ 1 (mod 257), 22 ≡ 1 (mod
4 3
257), 22 ≡ 1 (mod 257),22 ≡ −1 (mod 257)
8 7
– 32 ≡ 1 (mod 257), 32 ≡ −1 (mod 257)
8 7 6 5
– 42 ≡ 1 (mod 257), 42 ≡ 1 (mod 257),42 ≡ 1 (mod 257), 42 ≡ 1 (mod
4 3 2
257), 42 ≡ 1 (mod 257),42 ≡ 1 (mod 257)42 ≡ −1 (mod 257)
8 7
– 52 ≡ 1 (mod 257), 52 ≡ −1 (mod 257)
8 7
– 62 ≡ 1 (mod 257), 62 ≡ −1 (mod 257)
8 7
– 72 ≡ 1 (mod 257), 72 ≡ −1 (mod 257)
8 7 6 5
– 82 ≡ 1 (mod 257), 82 ≡ 1 (mod 257),82 ≡ 1 (mod 257), 82 ≡ 1 (mod
4 3
257), 82 ≡ 1 (mod 257),82 ≡ −1 (mod 257)
8 7 6
– 92 ≡ 1 (mod 257), 92 ≡ 1 (mod 257), 92 ≡ −1 (mod 257)
8 7
– 102 ≡ 1 (mod 257), 102 ≡ −1 (mod 257)
8 7 6 5
– 112 ≡ 1 (mod 257), 112 ≡ 1 (mod 257), 112 ≡ 1 (mod 257), 112 ≡ −1
(mod 257)
Therefore, n2 = 257 may be a prime.

1-5

Downloaded by abrar nahin ([email protected])

You might also like