Check the file attached.
COMP2300/COMP6300 Applied Cryptography Assignment 2 Total marks: 30 Weighting: 15% Deadline: Sunday (End of Week 12), 31 May 2020 (11:59 pm). Note: Submit the assignment via Turnitin (Include Student Name and ID in assignment). Objectives This assignment has been designed to test your knowledge of number theory, abstract algebra, and public-key cryptography. Notes • Assumptions (if any) must be stated clearly in your answers. • There may not be one right answer for some of the questions. So, your explanations need to present your case clearly. The explanations you provide do not have to be long; conciseness is preferred to meandering. • It is recommended that you use Pari/GP for the numerical components of the assignment. However, you are free to use another programming language (such as Java) provided the question/answer/solution can be naturally translated into a similar problem in that programming language. 1 • The hints to solutions of almost all questions in this assignment are in the textbook [Sma16]. Submission • On line submission via Turnitin. Assignments will be marked and returned online. There are no hardcopy submissions for written assignments. Ensure you submit the correct file. The submission process shows you a complete preview of your entire assignment after you have uploaded it but before you have submitted it. Carefully check through every single page to ensure everything is there and the correct version has been uploaded. Multiple submissions may be possible via Turnitin prior to the final due date and time of an assessment task and originality reports may be made available to students to view and check their levels of similarity prior to making a final submission. Students are encouraged to use these reports to ensure that they do not breach the Academic Honesty Policy through high levels of similarity (plagiarism). Teaching staff will use the report to judge whether plagiarism has occurred and whether penalties should apply for breaches of the Academic Honesty Policy. Any similar text identified by Turnitin will be considered carefully to see if it is indeed a breach of the Academic Honesty Policy. 2 Question 1 (10 marks) This question tests your knowledge of what constitutes a group. Let n be a composite number. Let X = {1, 2, . . . , n− 1}. (a) Let x ∈ X. Show that if there are integers a, b such that ax + bn = 1, then gcd(x, n) = 1. (2 marks) (b) Let x ∈ X. Show that if gcd(x, n) 6= 1 then ax ≡ 1 (mod n) has no solution for any integer a. (2 marks) (c) Show that there is at least one element x ∈ X, such that gcd(x, n) 6= 1. (2 marks) (d) Let ∗ be multiplication modulo n. That is, for x, y ∈ X, x ∗ y = xy (mod n). Prove that (X, ∗) is not a group. (2 marks) (e) Let n = 13424. Let a = 13314 and let b = 5889. What are the multiplicative inverses of a and b modulo n? Show how you obtained the result. (2 marks) Question 2 (5 marks) Recall that a Carmichael number n is any composite number which satisfies Fermat’s little theorem, i.e., an−1 ≡ 1 (mod n), for every a such that gcd(a, n) = 1. Such a number is also called a pseudoprime. Write a PARI/GP script that finds and prints all Carmichael numbers less than or equal to 10,000. (Hint: You may use the isprime() command in PARI/GP). (5 marks) Question 3 (5 marks) The discrete logarithm problem (DLP) is not always hard. In particular, we cannot simply choose any group G with an operation (addition or multiplication; appropriately defined), and assume that DLP is hard in that group. The following questions highlight this. (a) Show that the discrete logarithm problem (DLP) is easy on the group of integers modulo a prime n under addition, i.e., the group (Zn,+). More precisely, given g, h ∈ Zn, find an x such that x · g ≡ h (mod n). (3 marks) (b) Let n = 1, 200, g = 23 and h = 25. Find x such that x · g ≡ h (mod n). (Hint: You may use the gcdext() command in PARI/GP). (2 marks) Question 4 (6 marks) An encryption system is considered malleable if given a ciphertext of some unknown plaintext, it is possible to obtain a valid ciphertext of a related plaintext without even knowing the contents of the plaintext. This is problematic depending on the application. For instance, in bidding for a contract, a company might outbid its competitor by simply multiplying it’s rival company’s encrypted bid by 0.9, without even knowing the bid [DDN03]. The following questions relate to the malleability of versions of RSA and Elgamal cryptosystems taught in the lectures. 3 (a) Given the ciphertext c of an unknown message m encrypted using RSA with public key (e,N), show how can you obtain a valid encryption of 2m under (e,N) without knowing m? (2 marks) (b) Given the following ciphertext c of some message m encrypted using RSA (parameters below), show the steps to obtain the ciphertext c′ of 2m using PARI/GP. c = 2753530075851447763243109653595159359042630876252568885 N = 3611071334998558413568664531648678147429348805583447333 e = 3521903392012306527486431544128257140903969440488848271 (2 marks) (c) Consider now the randomized Elgamal cryptosystem. We are given the ciphertext (r, c) of some unknown message m computed as r = gk for some random integer k, and c = m× hk, where h is the public key. Can we obtain the ciphertext of the message 2m? (2 marks) Question 5 (4 marks) Let S be a set of size n, and let f be a random one-to-one map from S to itself. Starting with a random element x0 ∈ S, define: xi+1 = f(xi), for i ≥ 0. This creates the sequence x0, x1, x2, x3, . . .. The birthday paradox tells us that if we keep track of these values, we will find a pair such that xi = xj , with i 6= j after O( √ n) evaluations of f . After this the sequence repeats itself, i.e., creates a cycle. Let t be the smallest i for which we can find some j such that the above is true. Then, the sequence x0, x1, . . . , xt−1 forms a “tail” of length t, and for all i ≥ t, we have xi = xi+T , where T is the length of the cycle. In Figure 1, the tail is of length t = 4 and the length of the cycle is T = 11. Furthermore, for all i ≥ t, we see that xi = xi+T . Thus, if xi = xj , then j = i + T . (a) In Pollard’s rho algorithm, we try to find an m such that xm = x2m. Show that if the sequence is cyclic, i.e., xi = xj for some i ≥ t and j 6= i, then there must exist an i, call it m, such that xm = x2m. (2 marks) (b) Why does Pollard’s rho algorithm, which seeks to find an m such that xm = x2m, only require constant space? (2 marks) References [DDN03] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM review, 45(4):727–784, 2003. [Sma16] Nigel P Smart. Cryptography made simple, volume 481. Springer, 2016. 4 x8 x9 x10 x11 x12 x13 x14 x4 x5 x6 x7 x3 x2 x1 x0 Figure 1: Pollard’s rho. 5