Cryptography - Sage

More documents

Recommendations

Info

is 624499148328708779 — pretty much a random number of size q. On the other hand,if we reduce modulo p, the result is 1. This follows from Fermat’s little theorem, since2.powermod(p − 1, pq) mod p is equal to the result 2.powermod(p − 1, p).Exercise 7.3 Let g(x) = x 17 + x 5 + 1, and use the function powermod to verify the polynomialanalogue of Fermat’s little theorem for the polynomials x, x 2 + x + 1, etc.Solution. For the polynomial g(x) = x 17 + x 5 + 1, we should use exponent e = 2 17 − 1,which we note is prime. We verify that each of the results x.powermod(e, g) and (x 2 + x +1)powermod(e, g) is 1. Since e is prime, this proves that g(x) is not only irreducible, butalso primitive.Exercise 7.4 Let h(x) = x 17 + x 15 + x 10 + x 5 + 1 and compute a(x) 217 −1 mod g(x)h(x) forvarious a(x). What is the result reduced modulo g(x)? Why does the same not hold truefor a(x) 217 −1 mod g(x)h(x), reduced modulo h(x)?Solution. With g(x) as above and h(x) = x 17 + x 15 + x 10 + x 5 + 1, the resultsx.powermod(e,gh).mod(g) equals 1 holds as expected, exactly as in the previous exercise.In this case, if h(x) is also irreducible, then the result:x.powermod(e, gh) mod h = x 16 + x 15 + x 14 + x 11 + x 10 + x 8 + x 6 + x 3 + 1would also have been 1. The fact that this result does not give 1 is a consequence of thereducibility of h:h = (x 3 + x 2 + 1)(x 14 + x 13 + x 11 + x 8 + x 5 + x 4 + x 3 + x 2 + 1).Public Key <strong>Cryptography</strong>The RSA cryptosystem is based on the difficulty of factoring large integers into its compositeprimes.Based on Fermat’s little theorem, we know that a m ≡ 1 mod p exactly when p−1 dividesm. Therefore we recover the identity a u ≡ a mod p where u is of the form 1 + (p − 1)r.Now given any e such that e and p − 1 have no common divisors, there exists a d such thated ≡ 1 mod p − 1. In other words, u = ed is of the form 1 + (p − 1)r. This means that themapa ↦→ a e mod pfollowed bya e mod p ↦→ (a e mod p) d mod p ≡ a ed mod p = a mod pare inverse maps. This only works for a prime p.123
Exercise 8.5 Use SAGE to find a large prime p and to compute inverse exponentiationpairs e and d. The following functions are of use:random prime, gcd, xgcd, and inverse mod.The RSA cryptosystem is based on the fact that for primes p and q and any integer e withno common factors with p − 1 and q − 1, it is possible to find an d 1 such thated 1 ≡ 1 mod (p − 1),ed 2 ≡ 1 mod (q − 1).Using the Chinese remainder theorem, it is possible to then find the unique d such thatd = d 1 mod (p − 1) and d = d 2 mod (q − 1)in the range 1 ≤ d < (p − 1)(q − 1). This d has the property thata ed ≡ a mod n.The send a message securely, the public key (e, n) is used. First we encoding the message asan integer a mod n, then form the ciphertext a e mod n. The recipient recovers the messageusing the secret exponent d.Solution. The function call random prime(2 100 ) returns a random prime of up to 100bits. Suppose that the primesp = 1172991670841347272989353064539,q = 300997517969507552061104346547,are found with this function, and set e = 5. We want to build the inverse exponent d suchthat ed ≡ 1 mod (p − 1) and ed ≡ 1 mod (q − 1). Note first that gcd(e, p − 1) = 1 andgcd(e, q − 1) = 1, so that such a d must exist. We first compute each of d mod (p − 1) andd mod (q − 1).sage: p = 1172991670841347272989353064539sage: q = 300997517969507552061104346547sage: e = 5sage: d1 = inverse_mod(e,p-1)sage: d1703795002504808363793611838723sage: d2 = inverse_mod(e,q-1)sage: d2240798014375606041648883477237The value of d can now be computed modulo the value lcm(p − 1, q − 1) — this is sufficientto determine the inverse, rather than the larger value of the product (p − 1)(q − 1).124 Appendix C. Solutions to Exercises
Page 1 and 2:
Author (David R. Kohel) /Title (Cry
Page 4 and 5:
CONTENTS1 Introduction to Cryptogra
Page 6:
PrefaceWhen embarking on a project
Page 10 and 11:
information. We introduce here some
Page 12 and 13:
ut strings in A ∗ map injectively
Page 14 and 15:
CHAPTERTWOClassical Cryptography2.1
Page 16 and 17:
LV MJ CW XP QO IG EZ NB YH UA DS RK
Page 18 and 19:
As a special case, consider 2-chara
Page 20 and 21:
Note that if d k = 1, then we omit
Page 22:
ExercisesSubstitution ciphersExerci
Page 25 and 26:
Ciphertext-only AttackThe cryptanal
Page 27 and 28:
of size n, suppose that p i is the
Page 29 and 30:
Note that ZKZ and KZA are substring
Page 31:
Checking possible keys, the partial
Page 34 and 35:
sage: X = pt.frequency_distribution
Page 36 and 37:
CHAPTERFOURInformation TheoryInform
Page 38 and 39:
For each of these we can extend our
Page 40 and 41:
in terms of the cryptosystem), then
Page 42 and 43:
CHAPTERFIVEBlock CiphersData Encryp
Page 44 and 45:
Deciphering. Suppose we begin with
Page 46 and 47:
The Advanced Encryption Standard al
Page 48 and 49:
1. Malicious substitution of a ciph
Page 50 and 51:
locks M j−1 , . . . , M 1 as well
Page 52:
where X = K ⊕ M = (X 1 , X 2 , X
Page 55 and 56:
6.2 Properties of Stream CiphersSyn
Page 57 and 58:
Exercise. Verify that the equality
Page 59 and 60:
n 2 n − 11 12 33 74 155 316 637 1
Page 61 and 62:
Exercise 6.6 In the previous exerci
Page 63 and 64:
Exercise 6.9 Compute the first 8 te
Page 65 and 66:
which holds since −4 = 17 + (−1
Page 67 and 68:
must therefore have a divisor of de
Page 69 and 70:
Shrinking Generator cryptosystemLet
Page 72 and 73:
CHAPTEREIGHTPublic Key Cryptography
Page 74 and 75:
Initial setup:1. Alice and Bob publ
Page 76 and 77:
We apply this rule in the RSA algor
Page 78 and 79: the discrete logarithm problem (DLP
Page 80 and 81: Man in the Middle AttackThe man-in-
Page 82: Exercise 8.6 Fermat’s little theo
Page 85 and 86: k < p − 1 with GCD(k, p − 1) =
Page 88 and 89: CHAPTERTENSecret SharingA secret sh
Page 90: using any t shares (x 1 , y 1 ), .
Page 93 and 94: sage-------------------------------
Page 95 and 96: sage: x.is_unit?Type:builtin_functi
Page 97 and 98: Python (hence SAGE) has useful data
Page 99 and 100: sage: n = 12sage: for i in range(n)
Page 101 and 102: sage: I = [55+i for i in range(3)]
Page 103 and 104: sage: I = [7, 4, 11, 11, 14, 22, 14
Page 105 and 106: ExercisesRead over the above SAGE t
Page 107 and 108: 102
Page 109 and 110: Solution. The block length is the n
Page 111 and 112: Solution.below.The coincidence inde
Page 113 and 114: analysis of the each of the decimat
Page 115 and 116: arbitrary permutation of the alphab
Page 117 and 118: In order to understand naturally oc
Page 119 and 120: We do this by first verifying the e
Page 121 and 122: Solution.None provided.Linear feedb
Page 123 and 124: Multiplying each through by the con
Page 125 and 126: Solution. The linear complexity of
Page 127: If a, b, and c are as above, then f
Page 131 and 132: Solution. Now we can verify that e
Page 133 and 134: which has no common factors with p
Page 135 and 136: sage: p = 2^32+61sage: m = (p-1).qu
Page 137 and 138: sage: a5 := a^n5sage: c5 := c^n5sag
Page 139 and 140: The application of this function E
Page 141 and 142: 5. (∗) How many elements a of G h
Page 143: 1. The value f(0) of the polynomial
show all

Cryptography - Sage

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?