is 624499148328708779 — pretty much a random number of size q. On the other hand, if we reduce modulo p, the result is 1. This follows from Fermat's little theorem, since 2.powermod(p − 1, p*q) mod p is equal to the result 2.powermod(p − 1, p).

Exercise 7.3 Let $g(x) = x^{17} + x^5 + 1$, and use the function powermod to verify the polynomial analogue of Fermat's little theorem for the polynomials $x$, $x^2 + x + 1$, etc.

Solution. For the polynomial $g(x) = x^{17} + x^5 + 1$, we should use the exponent $e = 2^{17} - 1$, which we note is prime. We verify that each of the results x.powermod(e, g) and (x^2 + x + 1).powermod(e, g) is 1. Since e is prime, this proves that g(x) is not only irreducible, but also primitive.

Exercise 7.4 Let $h(x) = x^{17} + x^{15} + x^{10} + x^5 + 1$ and compute $a(x)^{2^{17} - 1} \bmod g(x)h(x)$ for various $a(x)$. What is the result reduced modulo $g(x)$? Why does the same not hold true for $a(x)^{2^{17} - 1} \bmod g(x)h(x)$ reduced modulo $h(x)$?

Solution. With $g(x)$ as above and $h(x) = x^{17} + x^{15} + x^{10} + x^5 + 1$, the result x.powermod(e, g*h).mod(g) equals 1 as expected, exactly as in the previous exercise. If h(x) were also irreducible, then the result

x.powermod(e, g*h) mod h $= x^{16} + x^{15} + x^{14} + x^{11} + x^{10} + x^8 + x^6 + x^3 + 1$

would also have been 1. The fact that this result is not 1 is a consequence of the reducibility of h:

$h = (x^3 + x^2 + 1)(x^{14} + x^{13} + x^{11} + x^8 + x^5 + x^4 + x^3 + x^2 + 1).$

Public Key Cryptography

The RSA cryptosystem is based on the difficulty of factoring large integers into their constituent primes.

Based on Fermat's little theorem, we know that $a^m \equiv 1 \bmod p$ exactly when $p - 1$ divides $m$. Therefore we recover the identity $a^u \equiv a \bmod p$ where $u$ is of the form $1 + (p - 1)r$. Now given any $e$ such that $e$ and $p - 1$ have no common divisors, there exists a $d$ such that $ed \equiv 1 \bmod (p - 1)$. In other words, $u = ed$ is of the form $1 + (p - 1)r$. This means that the maps

$a \mapsto a^e \bmod p$

and

$a^e \bmod p \mapsto (a^e \bmod p)^d \bmod p \equiv a^{ed} \bmod p = a \bmod p$

are inverse to each other. This only works for a prime p.

Exercise 8.5 Use SAGE to find a large prime p and to compute inverse exponentiation pairs e and d. The following functions are of use: random_prime, gcd, xgcd, and inverse_mod.

The RSA cryptosystem is based on the fact that for primes p and q and any integer e with no common factors with p − 1 and q − 1, it is possible to find $d_1$ and $d_2$ such that

$e d_1 \equiv 1 \bmod (p - 1), \quad e d_2 \equiv 1 \bmod (q - 1).$

Using the Chinese remainder theorem, it is then possible to find the unique d such that

$d \equiv d_1 \bmod (p - 1) \quad \text{and} \quad d \equiv d_2 \bmod (q - 1)$

in the range $1 \le d < (p - 1)(q - 1)$. This d has the property that

$a^{ed} \equiv a \bmod n.$

To send a message securely, the public key (e, n) is used. First we encode the message as an integer a mod n, then form the ciphertext $a^e \bmod n$. The recipient recovers the message using the secret exponent d.

Solution. The function call random_prime(2^100) returns a random prime of up to 100 bits. Suppose that the primes

p = 1172991670841347272989353064539,
q = 300997517969507552061104346547,

are found with this function, and set e = 5. We want to build the inverse exponent d such that $ed \equiv 1 \bmod (p - 1)$ and $ed \equiv 1 \bmod (q - 1)$. Note first that gcd(e, p − 1) = 1 and gcd(e, q − 1) = 1, so that such a d must exist. We first compute each of d mod (p − 1) and d mod (q − 1).

sage: p = 1172991670841347272989353064539
sage: q = 300997517969507552061104346547
sage: e = 5
sage: d1 = inverse_mod(e,p-1)
sage: d1
703795002504808363793611838723
sage: d2 = inverse_mod(e,q-1)
sage: d2
240798014375606041648883477237

The value of d can now be computed modulo the value lcm(p − 1, q − 1) — this is sufficient to determine the inverse, rather than the larger value of the product (p − 1)(q − 1).

Appendix C. Solutions to Exercises
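The construction of Exercise 8.5 carried out in plain Python rather than SAGE, as an added example that is not the book's code. It assumes Python 3.8 or later, where pow(e, -1, m) stands in for inverse_mod(e, m), reuses the p, q and e from the solution above, and the names rsa_private_exponent, rsa_encrypt, rsa_decrypt and exercise_8_5 are my own.

```python
# Added example (not from the book): Exercise 8.5 in plain Python instead of SAGE.
# pow(e, -1, m) (Python 3.8+) plays the role of SAGE's inverse_mod(e, m).
from math import gcd

# Primes and public exponent quoted in the solution above.
P = 1172991670841347272989353064539
Q = 300997517969507552061104346547
E = 5

def lcm(a, b):
    return a // gcd(a, b) * b

def rsa_private_exponent(p, q, e):
    """Return (d1, d2, d): d1 = e^-1 mod (p-1), d2 = e^-1 mod (q-1),
    and d = e^-1 mod lcm(p-1, q-1), which satisfies both congruences."""
    if gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("e must be coprime to p-1 and q-1 for d to exist")
    d1 = pow(e, -1, p - 1)
    d2 = pow(e, -1, q - 1)
    d = pow(e, -1, lcm(p - 1, q - 1))
    # d reduces to d1 and d2 modulo p-1 and q-1, as the CRT description requires.
    assert d % (p - 1) == d1 and d % (q - 1) == d2
    return d1, d2, d

def rsa_encrypt(a, e, n):
    return pow(a, e, n)

def rsa_decrypt(c, d, n):
    return pow(c, d, n)

def exercise_8_5(message=123456789012345678901234567890):
    """Reproduce the solution's numbers and check that d inverts e on a
    constructed sample message. Returns (d1, d2, d, lcm_matches_phi, roundtrip_ok)."""
    n = P * Q
    d1, d2, d = rsa_private_exponent(P, Q, E)
    # The inverse modulo the larger phi = (p-1)(q-1) agrees with d modulo the lcm,
    # so the lcm is enough to determine the decryption exponent.
    d_phi = pow(E, -1, (P - 1) * (Q - 1))
    lcm_matches_phi = d_phi % lcm(P - 1, Q - 1) == d
    c = rsa_encrypt(message, E, n)
    roundtrip_ok = rsa_decrypt(c, d, n) == message % n
    return d1, d2, d, lcm_matches_phi, roundtrip_ok
```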
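Exercises 7.3 and 7.4 above, redone in plain Python as an added example (not the book's SAGE session): polynomials over GF(2) are represented as integers whose bits are the coefficients, gf2_powmod plays the role of powermod, and the names gf2_mod, gf2_mul, poly, fermat_check and exercise_7_4 are my own.

```python
# Added example (not the book's SAGE session): the GF(2)[x] computations of
# Exercises 7.3 and 7.4. A polynomial is an int whose bit i is the coefficient of x^i.

def gf2_mod(a, m):
    """Remainder of a(x) divided by m(x) in GF(2)[x] (long division by XOR)."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)   # cancel the leading term of a
    return a

def gf2_mul(a, b, m=None):
    """Product a(x)*b(x), reduced modulo m(x) when m is given."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return gf2_mod(r, m) if m else r

def gf2_powmod(a, n, m):
    """a(x)^n mod m(x) by square-and-multiply; the analogue of SAGE's a.powermod(n, m)."""
    r, a = 1, gf2_mod(a, m)
    while n:
        if n & 1:
            r = gf2_mul(r, a, m)
        a = gf2_mul(a, a, m)
        n >>= 1
    return r

def poly(*exps):
    """poly(17, 5, 0) is x^17 + x^5 + 1."""
    r = 0
    for k in exps:
        r |= 1 << k
    return r

X = poly(1)
G = poly(17, 5, 0)              # g(x) = x^17 + x^5 + 1
H = poly(17, 15, 10, 5, 0)      # h(x) = x^17 + x^15 + x^10 + x^5 + 1
E = 2**17 - 1                   # the (prime) exponent used in both exercises

def fermat_check(a, m, e=E):
    """Exercise 7.3: True iff a(x)^e is 1 modulo m(x)."""
    return gf2_powmod(a, e, m) == 1

def exercise_7_4(a=X):
    """Exercise 7.4: a(x)^e mod g(x)h(x), returned reduced modulo g and modulo h."""
    r = gf2_powmod(a, E, gf2_mul(G, H))
    return gf2_mod(r, G), gf2_mod(r, H)
```

exercise_7_4() returns (1, r) with r ≠ 1, and reducing r further modulo the factor x^3 + x^2 + 1 of h gives x^2 + 1, because x has order 7 in GF(2)[x]/(x^3 + x^2 + 1) and 2^17 − 1 ≡ 3 (mod 7).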
Author: David R. Kohel