Cryptography - Sage

More documents

Recommendations

Info

We apply this rule in the RSA algorithm for x ≡ 1 mod p − 1 to conclude that m =m x mod p.RSA ProtocolPublic key: (e, n) where n = pq for two large primes p and q such thatGCD(e, p − 1) = GCD(e, q − 1) = 1.Private key: (d, n) where ed ≡ 1 mod (p − 1) and ed ≡ 1 mod (q − 1).Initial setup:1. Alice obtains Bob’s public key (e, n).For each message m Alice → Bob:1. Alice computes c = m e mod n.2. Alice sends the ciphertext message c to Bob.3. Bob deciphers the ciphertext message as m = c d mod n.The correctness of the deciphering follows from the construction of d such that ed ≡1 mod n. By the above rule, it follows thatfrom which it follows that m = m ed mod pq.m ≡ m ed mod p and m ≡ m ed mod q,Example. Let p = 11 and q = 23, so n = 253, and e = 3. We verify that GCD(e, p−1) = 1and GCD(e, q − 1) = 1. Suppose that the ciphertext is c = 29 in Z/253Z. To constructthe inverse of exponentiation by e, we need to find d 1 and d 2 such thate d 1 ≡ 1 mod (p − 1)e d 2 ≡ 1 mod (q − 1)First we compute the extended GCD’s of the pairs (e, p−1) = (3, 10) and (e, q−1) = (3, 22).These are given by the relations:−3 · 3 + 1 · 10 = 1−7 · 3 + 1 · 22 = 1giving the equalities −3e ≡ 1 mod 10 and −7e ≡ 1 mod 22. Therefore if ed 1 ≡ 1 mod 10,then we haved 1 ≡ (−3 e) d 1 mod 10 ≡ −3 (e d 1 ) mod 10 ≡ −3 mod 10 ≡ 7 mod 10.Similarly if ed 2 ≡ 1 mod 22, then we haved 2 ≡ (−7 e) d 2 mod 22 ≡ −7(e d 2 ) mod 22 ≡ −7 mod 22 ≡ 15 mod 22.Now we can compute the plaintext message m such that c = m 3 mod 253. First we computem 1 = c d 1mod 11 ≡ 7 7 mod 11 ≡ 7 4 7 2 7 mod 11≡ 3 · 5 · 7 mod 11 ≡ 3 · 2 mod 11 ≡ 6 mod 11,RSA 71
and similarlym 2 = c d 2mod 23 ≡ 6 15 mod 23≡ 6 8 6 4 6 2 6 mod 23 ≡ (−5 · 8) (13 · 6) mod 23≡ 6 · 9 mod 23 ≡ 8 mod 23.Now we can combine m 1 = 6 mod 11 and m 2 = 8 mod 23 by the Chinese remaindertheorem. We expressed the extended GCD of 11 and 23 as:rp + sq = −2 · 11 + 1 · 23 = 1.Setting m = m 2 + kq, we find m 1 = (m 2 + kq) mod p, whences(m 1 − m 2 ) ≡ s(k q) mod p ≡ k(s q) mod p ≡ k mod p.So we have solved for k ≡ s(m 1 − m 2 ) mod p ≡ 1 (6 − 8) ≡ −2 mod p. Therefore m ≡m 1 + kq mod 253 ≡ 6 − 46 mod 253 ≡ 213 mod 253.RSA with exponent 3. A commonly used exponent for RSA encryption is e = 3.This allows efficient enciphering using only two arithmetic operations (two multiplicationsor one squaring and one multiplication). No such gain is achieved for deciphering.However, this presents algorithm presents the following problem for security. Let m be amessage to be sent to three parties, with RSA moduli n 1 , n 2 , and n 3 . The encoding of themessage satisfies 0 ≤ m < n i . By means of the Chinese remainder theorem, we can recoverc = m 3 mod n 1 n 2 n 3 from the three enciphered messages c 1 = m 3 mod n 1 , c 2 = m 3 mod n 2 ,and c 3 = m 3 mod n 3 . While the latter messages c i , as the modular representatives of somehuge integer, appear random. But from the bounds on m, the cube satisfies the bound:0 ≤ m 3 < n 1 n 2 n 3 ,hence the smallest modular representative c equals m 3 , and the cube root can be extractedas an integer to recover m.A valid protocol to overcome this dilemma, for e = 3, is to never send the same messageto more than one party. This is achieved by adding unique random padding to everymessage prior to enciphering. This turns the message m into three distinct messages m 1 ,m 2 , and m 3 . The Chinese remainder theorem then solves for some integer0 ≤ c < n 1 n 2 n 3such that c ≡ m i mod n i , but this integer no longer bears any relation to any cube m 3 .8.3 ElGamal CryptosystemsThe ElGamal Cryptosystem is implicitly based on the difficultly of finding a solution tothe discrete logarithm in F ∗ p: given a primitive element a of F ∗ p and another element b,72 Chapter 8. Public Key <strong>Cryptography</strong>
Page 1 and 2:
Author (David R. Kohel) /Title (Cry
Page 4 and 5:
CONTENTS1 Introduction to Cryptogra
Page 6:
PrefaceWhen embarking on a project
Page 10 and 11:
information. We introduce here some
Page 12 and 13:
ut strings in A ∗ map injectively
Page 14 and 15:
CHAPTERTWOClassical Cryptography2.1
Page 16 and 17:
LV MJ CW XP QO IG EZ NB YH UA DS RK
Page 18 and 19:
As a special case, consider 2-chara
Page 20 and 21:
Note that if d k = 1, then we omit
Page 22:
ExercisesSubstitution ciphersExerci
Page 25 and 26: Ciphertext-only AttackThe cryptanal
Page 27 and 28: of size n, suppose that p i is the
Page 29 and 30: Note that ZKZ and KZA are substring
Page 31: Checking possible keys, the partial
Page 34 and 35: sage: X = pt.frequency_distribution
Page 36 and 37: CHAPTERFOURInformation TheoryInform
Page 38 and 39: For each of these we can extend our
Page 40 and 41: in terms of the cryptosystem), then
Page 42 and 43: CHAPTERFIVEBlock CiphersData Encryp
Page 44 and 45: Deciphering. Suppose we begin with
Page 46 and 47: The Advanced Encryption Standard al
Page 48 and 49: 1. Malicious substitution of a ciph
Page 50 and 51: locks M j−1 , . . . , M 1 as well
Page 52: where X = K ⊕ M = (X 1 , X 2 , X
Page 55 and 56: 6.2 Properties of Stream CiphersSyn
Page 57 and 58: Exercise. Verify that the equality
Page 59 and 60: n 2 n − 11 12 33 74 155 316 637 1
Page 61 and 62: Exercise 6.6 In the previous exerci
Page 63 and 64: Exercise 6.9 Compute the first 8 te
Page 65 and 66: which holds since −4 = 17 + (−1
Page 67 and 68: must therefore have a divisor of de
Page 69 and 70: Shrinking Generator cryptosystemLet
Page 72 and 73: CHAPTEREIGHTPublic Key Cryptography
Page 74 and 75: Initial setup:1. Alice and Bob publ
Page 78 and 79: the discrete logarithm problem (DLP
Page 80 and 81: Man in the Middle AttackThe man-in-
Page 82: Exercise 8.6 Fermat’s little theo
Page 85 and 86: k < p − 1 with GCD(k, p − 1) =
Page 88 and 89: CHAPTERTENSecret SharingA secret sh
Page 90: using any t shares (x 1 , y 1 ), .
Page 93 and 94: sage-------------------------------
Page 95 and 96: sage: x.is_unit?Type:builtin_functi
Page 97 and 98: Python (hence SAGE) has useful data
Page 99 and 100: sage: n = 12sage: for i in range(n)
Page 101 and 102: sage: I = [55+i for i in range(3)]
Page 103 and 104: sage: I = [7, 4, 11, 11, 14, 22, 14
Page 105 and 106: ExercisesRead over the above SAGE t
Page 107 and 108: 102
Page 109 and 110: Solution. The block length is the n
Page 111 and 112: Solution.below.The coincidence inde
Page 113 and 114: analysis of the each of the decimat
Page 115 and 116: arbitrary permutation of the alphab
Page 117 and 118: In order to understand naturally oc
Page 119 and 120: We do this by first verifying the e
Page 121 and 122: Solution.None provided.Linear feedb
Page 123 and 124: Multiplying each through by the con
Page 125 and 126: Solution. The linear complexity of
Page 127 and 128:
If a, b, and c are as above, then f
Page 129 and 130:
Exercise 8.5 Use SAGE to find a lar
Page 131 and 132:
Solution. Now we can verify that e
Page 133 and 134:
which has no common factors with p
Page 135 and 136:
sage: p = 2^32+61sage: m = (p-1).qu
Page 137 and 138:
sage: a5 := a^n5sage: c5 := c^n5sag
Page 139 and 140:
The application of this function E
Page 141 and 142:
5. (∗) How many elements a of G h
Page 143:
1. The value f(0) of the polynomial
show all

Cryptography - Sage

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?