Homework 9 Solutions

T-79.5501 Cryptology
Homework 9
March 18, 2016
SOLUTIONS
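1. We compute:

| $j$ | $r_j$ | $q_j$ | $c_j$ | $d_j$ | $n'$ |
|---|---|---|---|---|---|
| 0 | 37869107 | | 1 | 0 | |
| 1 | 84773093 | 0 | 0 | 1 | |
| 2 | 37869107 | 2 | 1 | 2 | 75738213 ($\ll n$, too small, and odd) |
| 3 | 9034879 | 4 | 4 | 9 | $> n$ |
| 4 | 1729591 | 5 | 21 | 47 | 84754668 |
| 5 | 386924 | 4 | ⋮ | ⋮ | ⋮ |
| 6 | 181895 | 2 | | | |
| ⋮ | ⋮ | ⋮ | | | |
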
If the solution were obtained at $j = 2$, it would mean that $\phi(n) = (p-1)(q-1)$ is an odd number, which cannot be the case, since both $p - 1$ and $q - 1$ are even numbers. For $j = 4$ the candidate value $n'$ for $\phi(n)$ is divisible by 4, as it should be. Substituting the values $n = 84773093$ and $n' = 84754668$ into the equation $x^2 - (n - n' + 1)x + n = 0$ we get

$$x^2 - 18426x + 84773093 = 0,$$

from which the solutions (= values of $p$ and $q$) are $x = 9213 \pm 326$. The value of the private exponent is $a = 47 = d_4$. We also see that the correct value is $\phi(n) = n' = 84754668$.

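The computation in problem 1 as a Python function, added here as an example and not part of the original solutions: it walks the convergents $c_j/d_j$ of $b/n$, tests each candidate $n'$ with the quadratic above, and generalises the table to any key $(n, b)$. The names `wiener` and `large_exponent_key`, and the contrast key with private exponent 65537, are constructed for illustration.

```python
from math import isqrt

def wiener(n, b):
    """Try to recover (a, p, q) from an RSA public key (n, b).

    Walks the convergents c_j/d_j of b/n with the same indexing as the
    table in problem 1 and returns None if no convergent yields phi(n).
    """
    r_prev, r = b, n                    # r_0, r_1
    q = r_prev // r                     # q_1
    r_prev, r = r, r_prev - q * r       # r_1, r_2
    c_prev, c = 1, q                    # c_0, c_1
    d_prev, d = 0, 1                    # d_0, d_1
    while r != 0:
        q = r_prev // r                 # q_j
        r_prev, r = r, r_prev - q * r
        c_prev, c = c, q * c + c_prev   # c_j = q_j c_{j-1} + c_{j-2}
        d_prev, d = d, q * d + d_prev   # d_j = q_j d_{j-1} + d_{j-2}
        if (d * b - 1) % c:             # n' = (d_j b - 1)/c_j must be an integer
            continue
        phi = (d * b - 1) // c          # candidate n' for phi(n)
        s = n - phi + 1                 # p + q, if the candidate is right
        disc = s * s - 4 * n            # discriminant of x^2 - s x + n = 0
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue                    # roots are not integers
        p, q_ = (s + t) // 2, (s - t) // 2
        if q_ > 1 and p * q_ == n:
            return d, p, q_
    return None

# Key from problem 1.
N, B = 84773093, 37869107

def large_exponent_key():
    """Constructed contrast: same primes, private exponent 65537."""
    phi = (9539 - 1) * (8887 - 1)
    return N, pow(65537, -1, phi)

if __name__ == "__main__":
    print(wiener(N, B))                      # (47, 9539, 8887)
    print(wiener(*large_exponent_key()))     # None
```

The second call returns `None`: with a private exponent of that size no convergent of $b/n$ reveals $\phi(n)$.
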
2. (a) To decrypt, Bob must calculate the four square roots of the ciphertext $c$ modulo $n$. Applying the extended Euclidean algorithm to $(p, q)$, Bob finds $1 = up + vq = 19 \cdot 131 - 8 \cdot 311$, from which $131^{-1} \equiv 19 \pmod{311}$ and $311^{-1} \equiv -8 \equiv 123 \pmod{131}$.

Recall Euler's criterion, which says that if $y$ is a quadratic residue modulo $p$, then $y^{(p-1)/2} \equiv 1 \pmod{p}$. As $p \equiv q \equiv 3 \pmod{4}$, the square roots modulo $p$ and $q$ are $\pm y^{(p+1)/4}$ and $\pm y^{(q+1)/4}$. Hence, we calculate

$$m_p = \sqrt{c} \equiv c^{(p+1)/4} = 589^{33} \equiv 117 \pmod{131}$$

$$m_q = \sqrt{c} \equiv c^{(q+1)/4} = 589^{78} \equiv 30 \pmod{311}.$$

Using CRT we get the four square roots modulo $n$ as

$$r = u p m_q + v q m_p = 19 \cdot 131 \cdot 30 + 123 \cdot 311 \cdot 117 \equiv 28020 \pmod{40741}$$

$$-r = n - r \equiv 12721 \pmod{40741}$$

$$s = u p m_q - v q m_p = 19 \cdot 131 \cdot 30 + 8 \cdot 311 \cdot 117 \equiv 39838 \pmod{40741}$$

$$-s = n - s \equiv 903 \pmod{40741}$$

and knowing the ciphertext is a date, we recover 903 so the date is March 9.

(b) Alice sees Bob discarding 28020. Since $28020 \not\equiv \pm 903 \pmod{40741}$, Alice now knows all square roots of $c$ modulo $n$, namely $\pm 903 \pmod{40741}$ and $\pm 28020 \pmod{40741}$. She can easily factor $n$ by computing $\gcd(903 + 28020, n) = 311$ and $n = 311 \cdot 131$.

3. The problem description gives us the following congruences:

$$x^2 \equiv 1479 \pmod{2183}$$

$$x^2 \equiv 418 \pmod{2279}$$

Using the extended Euclidean algorithm, we get $2183^{-1} \equiv 546 \pmod{2279}$ and $2279^{-1} \equiv 1660 \pmod{2183}$. Using CRT, we get

$$x^2 = 1479 \cdot 2279 \cdot 1660 + 418 \cdot 2183 \cdot 546 \equiv 4016016 \pmod{2183 \cdot 2279}.$$

Since $0 < x < 2183$, it follows that $x = \sqrt{4016016} = 2004$. Carol has now computed $x$ without factoring the moduli.

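4. (a) The encryption of message $x = 2012$ is $y = x^2 \bmod n = 14785$. To obtain $b_1$ we compute the Jacobi symbol

$$\left(\frac{2012}{40741}\right) = \left(\frac{2^2 \cdot 503}{40741}\right) = \left(\frac{503}{40741}\right) = \left(\frac{40741}{503}\right) = \left(\frac{501}{503}\right) = \left(\frac{2}{501}\right) = -1,$$

and, hence, we get $b_1 = 1$. Since $x < \frac{n}{2}$, we get $b_2 = 0$.
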
(b) We set $p = 131$ and $q = 311$ and denote Bob's decryption of $y = 14785$ by $\tilde{x}$. Then $\tilde{x} \bmod p = \tilde{x}_p = \pm x_p = \pm 2012 \bmod 131 = \pm 47$ and $\tilde{x} \bmod q = \tilde{x}_q = \pm x_q = \pm 2012 \bmod 311 = \pm 146$. Alice knows that $b_1 = 1$ for $x = 2012$. She also knows that both $p$ and $q$ are congruent to 3 mod 4, so that

$$\left(\frac{-1}{p}\right) = -1 \quad\text{and}\quad \left(\frac{-1}{q}\right) = -1.$$

So when Alice asks Bob to return a root with $b'_1 = 0$, Alice knows that Bob returns either

(1) $\tilde{x} = (\tilde{x}_p, \tilde{x}_q) = (-x_p, x_q) = (84, 146)$

or

(2) $\tilde{x} = (\tilde{x}_p, \tilde{x}_q) = (x_p, -x_q) = (47, 165)$.

The bit $b'_2$ determines which of the two roots Bob returns. In both cases, Alice will be able to factor $n$.

Using $311^{-1} \equiv 123 \pmod{131}$, $131^{-1} \equiv 19 \pmod{311}$ and the CRT we get

$$(84, 146) = 32179$$

$$(47, 165) = 8562$$

Since $b'_2 = 0$, Bob gives the decryption 8562 to Alice.

(c) Alice computes $g = \gcd(n, x - \tilde{x})$. In case (1), $(x - \tilde{x}) \bmod q = x_q - \tilde{x}_q = 0$. It means that $q$ divides $x_q - \tilde{x}_q$ and Alice gets $g = q = 311$. Similarly, when Bob returns decryption (2), as is the case now, Alice computes $\gcd(n, x - \tilde{x}) = \gcd(40741, 2012 - 8562) = \gcd(40741, 34191) = 131 = p$.

(d) Since $p \equiv 3 \bmod 4$ there exists an integer $k$ such that $p = 4k + 3$. It follows from Euler's criterion that $\left(\frac{a}{p}\right) = a^{\frac{p-1}{2}} \equiv a^{2k+1} \bmod p$ and $\left(\frac{b}{p}\right) = \left(\frac{p-a}{p}\right) = (p - a)^{\frac{p-1}{2}} \equiv (-a)^{2k+1} \equiv -a^{2k+1} \bmod p$. As a result we have $\left(\frac{b}{p}\right) = -\left(\frac{a}{p}\right)$, which means one is a quadratic residue modulo $p$ and one is a quadratic non-residue.

5. (a) The idea is to first use the DLP algorithm to solve for an exponent $y$ such that

$$\alpha^y = \beta \bmod p,$$

and then compute a square root of $y$ modulo $q$. Since $q$ is assumed to satisfy $q = 3 \bmod 4$, this step is easy to solve.

(b) Now $\alpha = 18$ and $q = 11$. We first solve the DLP

$$18^y \equiv 13 \pmod{23}.$$

We find $y$ by exhaustive search in this small group:

| $i$ | $\alpha^i$ |
|---|---|
| 0 | 1 |
| 1 | 18 |
| 2 | 2 |
| 3 | 13 |
| ⋮ | ⋮ |

We get $y = 3$. To find $x$ we compute the square root of $y$ modulo 11:

$$x = y^{\frac{11+1}{4}} = y^3 \bmod 11 = 5.$$

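6. We instantiate Shanks' algorithm for the particular case $\alpha = 5$, $n = 24$, and $\beta = 1013$, where operations are done in the multiplicative group $\mathbb{Z}^*_{2016}$. As $n = 24$ we take $m = 5$.

| $j$ | 0 | 1 | 2 | 3 | 4 |
|---|---|---|---|---|---|
| $\alpha^{mj} \bmod 2016$ | 1 | 1109 | 121 | 1133 | 529 |

From $\beta = 1013$ and $\alpha^{-1} = 5^{-1} = 1613 \pmod{2016}$ we can compute:

| $i$ | 0 | 1 | 2 | 3 | |
|---|---|---|---|---|---|
| $\beta\alpha^{-i} \bmod 2016$ | 1013 | 1009 | 605 | 121 | ⋯ |

So $j = 2$ and $i = 3$. We conclude that $\log_\alpha(\beta) = (m \cdot j + i) \bmod n = 5 \cdot 2 + 3 = 13$.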