Source: students.mimuw.edu.pl/~ap248382/files/crypto/kryptografia.pdf
Cryptography - lecture notes
Jacek Pomyka la
Bartosz Zra lek
June 9, 2011
Contents

1 Arithmetical and complexity fundamentals . . . 4
  1.1 Divisibility relation in positive integers . . . 4
  1.2 Arithmetical functions . . . 5
  1.3 Basic algorithms and their complexities . . . 6
  1.4 Euclidean Algorithm . . . 6
  1.5 Congruences . . . 7
  1.6 Exercises . . . 9
2 Classical ciphers . . . 10
  2.1 Cryptosystem . . . 10
  2.2 Classification of ciphers . . . 11
  2.3 Affine cryptosystems . . . 12
  2.4 Exercises . . . 13
3 Cryptoanalysis of classical ciphers . . . 14
4 Asymmetric cryptology and hard computational problems . . . 19
  4.1 Public key cryptosystem . . . 19
  4.2 Asymmetric system constructions and efficiency . . . 20
  4.3 Hard computational problems and one-way functions . . . 21
  4.4 Amplification method in solving the hard computational problems . . . 22
  4.5 DLP problem exemplified . . . 24
    4.5.1 First approach (Collision approach) . . . 25
    4.5.2 Second approach . . . 25
  4.6 Factoring and RSA problem . . . 26
    4.6.1 Division algorithm in Z_N[x] . . . 28
  4.7 Exercises . . . 28
5 Fermat-Euclid witnesses and Dirichlet characters . . . 31
  5.1 Dirichlet characters . . . 32
  5.2 Least character non-residue and zeros of L-functions . . . 34
  5.3 Exercises . . . 36
6 Smoothness in hard computational problems . . . 37
  6.1 Silver-Pohlig-Hellman algorithm for DLP . . . 37
  6.2 Trial division algorithm . . . 38
  6.3 Towards Knuth-Trabb Pardo conjecture . . . 39
7 Conditional factoring . . . 40
  7.1 Pollard p−1 algorithm . . . 40
  7.2 Quantitative approach to fast factorable numbers . . . 41
  7.3 Smooth number estimates . . . 42
  7.4 Fellows-Koblitz method . . . 43
  7.5 Complexity estimate . . . 44
  7.6 Hensel-Berlekamp improvement . . . 44
  7.7 Exercises . . . 45
8 Monotone structures and secret sharing . . . 48
  8.1 Random variables . . . 48
  8.2 Secret sharing . . . 49
  8.3 Reconstruction and privacy requirements for monotone structures . . . 50
  8.4 Access structure . . . 50
  8.5 Construction of perfect secret sharing for monotone structures . . . 50
  8.6 Shamir secret sharing . . . 51
9 Interactive proof systems (IPS) . . . 53
10 Perfect secrecy of cryptosystem* . . . 57
11 Arithmetic circuits for DLP problem* . . . 61
  11.1 Arithmetic circuits . . . 61
  11.2 Deterministic lower bound . . . 62
12 The Cramer-Shoup signature scheme* . . . 64
  12.1 Digital signatures . . . 64
  12.2 Strong RSA Assumption . . . 66
  12.3 Description of the scheme . . . 66
  12.4 Security of the protocol . . . 67
  12.5 Technical Lemma . . . 68
  12.6 Reduction proof . . . 68
13 Solutions . . . 70
  13.1 Arithmetical and complexity fundamentals . . . 70
  13.2 Classical ciphers . . . 71
  13.3 Asymmetric cryptology and hard computational problems . . . 72
  13.4 Conditional factoring . . . 74
Chapters marked with * contain additional material not required on the exam.
Chapter 1
Arithmetical and complexity fundamentals
1.1 Divisibility relation in positive integers
Definition 1.1. For any a, b ∈ Z we say that a is a divisor of b iff there exists an integer c such that ac = b, and we use the notation a|b.
It is easy to check directly from the definition the following basic properties of the divisibility relation:
(i) a|b ⇒ a|bc for any c ∈ Z
(ii) a|b ∧ b|c ⇒ a|c (transitivity)
(iii) a|b ∧ a|c ⇒ a|(b ± c)
Definition 1.2. Let p be a positive integer (p ∈ N). We say that p is a prime number iff it has only the trivial divisors, i.e.
$$p = a \cdot b \Rightarrow |a| = p \lor |b| = p$$
Definition 1.3. The highest power of p dividing a is denoted by $\nu_p(a)$. We write $p^{\nu_p(a)} \,\|\, a$.
Note that we have $\nu_p(ab) = \nu_p(a) + \nu_p(b)$. The principal theorem (fundamental theorem of arithmetic) is the following.
Theorem 1.4. Any positive integer n can be represented as a product of prime powers
$$n = \prod_{p|n} p^{\nu_p(n)}$$
The representation is unique up to the ordering of the prime factors.
Definition 1.5. The greatest common divisor (gcd) of any two integers a, b (ab ≠ 0) is the positive integer d satisfying the conditions:
(i) d|a ∧ d|b
(ii) for any d′ satisfying the condition (i) we have d′|d
Definition 1.6. The least common multiple (lcm) of any two integers a, b (ab ≠ 0) is the positive integer l satisfying the conditions:
(i) a|l ∧ b|l
(ii) for any l′ satisfying the condition (i) we have l|l′
We call the numbers a and b coprime (orthogonal) iff gcd(a, b) = 1 and denote it as a ⊥ b.
Corollary 1.7.
$$\gcd(a, b) = \prod_{p|ab} p^{\min(\nu_p(a),\,\nu_p(b))}, \qquad \mathrm{lcm}(a, b) = \prod_{p|ab} p^{\max(\nu_p(a),\,\nu_p(b))}$$
1.2 Arithmetical functions
Definition 1.8. An arithmetical function f is any function defined on the set of natural numbers N.
Below is a list of some important arithmetical functions.
$\omega(n) = \sum_{p\ \mathrm{prime},\ p|n} 1$ – the number of distinct prime divisors of n
$\Omega(n) = \sum_{p^{\nu} \| n} \nu$ – the number of prime divisors of n counted with multiplicity
$\tau_a(n) = \sum_{d|n} d^a$ – the divisor function
$\varphi(n) = \sum_{1 \le k \le n,\ \gcd(k,n)=1} 1$ – the Euler phi function
$p^{-}(n)$ – the smallest prime divisor of n
$p^{+}(n)$ – the greatest prime divisor of n
In order to investigate the behaviour of the above functions the Dirichlet convolution is a convenient tool:
$$(f \star g)(n) = \sum_{d|n} f(d) \cdot g\!\left(\frac{n}{d}\right)$$
Properties of the orthogonality relation ⊥:
(i) a ⊥ bc ⇒ a ⊥ b ∧ a ⊥ c
(ii) a|bc ∧ a ⊥ b ⇒ a|c
(iii) a|c ∧ b|c ∧ a ⊥ b ⇒ ab|c
1.3 Basic algorithms and their complexities
Definition 1.9. Let f, g be arithmetical functions. We write f = O(g) if there exists an absolute constant c > 0 such that for all n > c we have
$$|f(n)| < c \cdot g(n)$$
Remark 1.10. Having as input of the algorithm the integer value a > 0, we commonly denote by |a| the bit-length of a (the size of a).
A polynomial-time algorithm is an algorithm whose running time is bounded by some polynomial of the input size, poly(|a|).
Example 1.11. The basic addition and multiplication algorithms are polynomial-time algorithms (linear and quadratic respectively).
1.4 Euclidean Algorithm
Let a, b be positive integers. There exist q ∈ Z+ and 0 ≤ r < b such that
$$a = qb + r$$
The common algorithm computing q and r runs in quadratic time. Repeating this division-with-remainder step leads to the following Euclidean algorithm computing gcd(a, b):
$$a = qb + r_1$$
$$b = q_1 r_1 + r_2$$
$$r_1 = q_2 r_2 + r_3$$
$$\dots$$
The last nonzero remainder $r_k$, i.e. the one with $r_{k-1} = q_k r_k + r_{k+1}$ and $r_{k+1} = 0$, is equal to gcd(a, b).
Lemma 1.12. The complexity of the Euclidean algorithm is O(ln a), where (a, b) (a > b) is the input pair.
Proof. To prove this lemma it is sufficient to show that the number of division-with-remainder operations is O(ln a). Consider two consecutive steps:
$$r_{j-1} = q_j r_j + r_{j+1}$$
$$r_j = q_{j+1} r_{j+1} + r_{j+2}$$
We will prove that $r_{j+2} < \tfrac{1}{2} r_j$. It is clear when $r_{j+1} \le \tfrac{1}{2} r_j$, so assume that $r_{j+1} > \tfrac{1}{2} r_j$. Then by the second equality $q_{j+1} = 1$ and therefore $r_{j+2} \le r_j - r_{j+1} < \tfrac{1}{2} r_j$ as required.
Remark 1.13. Reading the suitable divisions from the last to the first one, one can express gcd(a, b) as a linear combination of a and b with integer coefficients, i.e. gcd(a, b) = a · x + b · y. The corresponding algorithm is called the extended Euclidean algorithm.
1.5 Congruences
Definition 1.14. Let a, b, m be any integers (m > 0). We say that a and b are congruent modulo m iff they have the same remainder when divided by m, or equivalently
$$a \equiv b \pmod m \iff m \mid a - b$$
Remark 1.15. ≡ is an equivalence relation.
Theorem 1.16. (Euler) If a ⊥ m then $a^{\varphi(m)} \equiv 1 \pmod m$.
Proof. Consider the set R of remainders $r_i \pmod m$ such that $r_i \perp m$. The elements $a r_i \pmod m$ form a permutation of the set R, since $a r_i \equiv a r_j \pmod m$ would imply that $r_i \equiv r_j \pmod m$. Therefore the products of the elements of the above sets are congruent modulo m, i.e.
$$a^{\varphi(m)} \prod r_i \equiv \prod r_i \pmod m$$
Hence, subtracting both sides of the above congruence, we easily derive that $a^{\varphi(m)} - 1 \equiv 0 \pmod m$ as claimed.
Remark 1.17. Using the Euclidean algorithm we can easily compute the solution of the congruence ax ≡ b (mod m), or equivalently the equation ax + bm = 1, provided a ⊥ m.
Corollary 1.18. (Fermat's little theorem) If p is a prime number then for any integer a
$$a^p \equiv a \pmod p$$
Proof. It suffices to observe that φ(p) = p − 1 for every prime number p and multiply both sides of the corresponding congruence by a.
Solving congruences modulo composite numbers may be reduced to the corresponding solutions modulo prime powers. This follows from the following
Theorem 1.19. (Chinese remainder theorem) For any sequence of numbers $a_i$, i = 1, 2, …, there exists a simultaneous solution x of the following congruences with pairwise coprime moduli $m_i \perp m_j$ (i ≠ j):
$$x \equiv a_i \pmod{m_i}, \quad i = 1, 2, \dots$$
Moreover the corresponding solution is unique modulo the product M of the moduli $m_i$.
Proof. Define the values
$$M_i = \frac{M}{m_i}$$
Since $M_i \perp m_i$ we can compute by the extended Euclidean algorithm the values $\overline{M_i}$ satisfying the congruences
$$M_i \overline{M_i} \equiv 1 \pmod{m_i}$$
Now we see that the number $x = \sum_i M_i \overline{M_i} a_i$ is congruent to $a_1$ modulo $m_1$ (the other terms are divisible by $m_1$), to $a_2$ modulo $m_2$, and so on. The second conclusion follows if we remark that two solutions x, x′ must satisfy
$$m_i \mid x - x' \quad \text{for } i = 1, 2, \dots$$
Since $m_i \perp m_j$ we conclude that $x \equiv x' \pmod M$ as claimed.
Definition 1.20. The arithmetical function f is called multiplicative iff
(i) f ≢ 0
(ii) f(mn) = f(m) · f(n) for any m ⊥ n
Note that this definition implies that if f is a multiplicative function then f(1) = 1.
Corollary 1.21. The Euler φ function is multiplicative.
Corollary 1.22. The Dirichlet convolution of multiplicative functions f, g is also a multiplicative function.
Proof. We need to show that for every m, n such that m ⊥ n
$$(f \star g)(mn) = (f \star g)(m) \cdot (f \star g)(n)$$
Consider the left side of the equality:
$$(f \star g)(mn) = \sum_{d|nm} f(d)\, g\!\left(\frac{nm}{d}\right)$$
Since m ⊥ n, we know that $d = d_1 d_2$, where $d_1|m$, $d_2|n$, $d_1 \perp d_2$. Thus, by the multiplicativity of f and g, we have
$$\sum_{d|nm} f(d)\, g\!\left(\frac{nm}{d}\right) = \sum_{d_1|m,\ d_2|n} f(d_1) f(d_2)\, g\!\left(\frac{m}{d_1}\right) g\!\left(\frac{n}{d_2}\right) = \sum_{d_1|m} f(d_1)\, g\!\left(\frac{m}{d_1}\right) \sum_{d_2|n} f(d_2)\, g\!\left(\frac{n}{d_2}\right) = (f \star g)(m) \cdot (f \star g)(n)$$
Remark 1.23. Let $\mathbf{1} : N \to N$ be the function with $\mathbf{1}(n) = 1$ for every n. Then, if f is a multiplicative function,
$$(f \star \mathbf{1})(n) = \prod_{p|n} \left(1 + f(p) + f(p^2) + \dots\right)$$
In particular, for f = φ we get:
$$\sum_{d|n} \varphi(d) = \prod_{p|n} \left(1 + \varphi(p) + \varphi(p^2) + \dots\right)$$
Note that $\varphi(p^{\alpha}) = p^{\alpha-1}(p-1)$. Thus
$$1 + \varphi(p) + \varphi(p^2) + \dots = 1 + (p-1) + (p^2 - p) + \dots + \left(p^{\nu_p(n)} - p^{\nu_p(n)-1}\right) = p^{\nu_p(n)}$$
Finally we get:
$$\sum_{d|n} \varphi(d) = \prod_{p|n} p^{\nu_p(n)} = n$$
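The extended Euclidean algorithm of Remark 1.13, the Chinese remainder construction from the proof of Theorem 1.19, and a numerical check of the identity of Remark 1.23, as an added example (my code, not from the lecture notes; the sample values are constructed):

```python
# Added example (not from the lecture notes): the extended Euclidean
# algorithm of Remark 1.13, the Chinese remainder construction of
# Theorem 1.19, and a numerical check of Remark 1.23 (sum of phi(d) = n).
from math import gcd, prod


def ext_gcd(a: int, b: int) -> tuple:
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d.

    Runs the division-with-remainder steps of Section 1.4 while carrying
    the coefficients of a and b for every remainder, which is the
    "read the divisions backwards" of Remark 1.13 done forwards.
    """
    x0, y0, x1, y1 = 1, 0, 0, 1          # a = 1*a + 0*b, b = 0*a + 1*b
    while b:
        q, r = divmod(a, b)               # a = q*b + r with 0 <= r < b
        a, b = b, r
        x0, x1 = x1, x0 - q * x1          # the same relation holds for r
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, m: int) -> int:
    """Solve a*x = 1 (mod m); requires a ⊥ m (Remark 1.17)."""
    d, x, _ = ext_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return x % m


def crt(residues: list, moduli: list) -> int:
    """Return the unique x mod M = prod(moduli) with x = a_i (mod m_i).

    Follows the proof of Theorem 1.19: M_i = M / m_i and M_i_bar is the
    inverse of M_i modulo m_i from the extended Euclidean algorithm.
    The moduli must be pairwise coprime.
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli are not pairwise coprime")
    big_m = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        m_i_part = big_m // m_i                    # M_i
        m_i_bar = mod_inverse(m_i_part, m_i)       # M_i * M_i_bar = 1 (mod m_i)
        x += a_i * m_i_part * m_i_bar
    return x % big_m


def factorization(n: int) -> dict:
    """Map each prime p | n to nu_p(n) (trial division; fine for small n)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Euler's phi via multiplicativity: phi(p^a) = p^(a-1) * (p - 1)."""
    return prod(p ** (a - 1) * (p - 1) for p, a in factorization(n).items())


def dirichlet(f, g, n: int) -> int:
    """(f * g)(n) = sum over d | n of f(d) * g(n / d)."""
    return sum(f(d) * g(n // d) for d in range(1, n + 1) if n % d == 0)


def phi_star_one(n: int) -> int:
    """The convolution of Remark 1.23; returns n for every n."""
    return dirichlet(phi, lambda _: 1, n)


if __name__ == "__main__":
    d, x, y = ext_gcd(240, 46)
    print(f"gcd(240, 46) = {d} = 240*{x} + 46*{y}")
    # constructed system: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7)
    print("CRT solution modulo 105:", crt([2, 3, 2], [3, 5, 7]))
    print("sum of phi(d) over d | 360 =", phi_star_one(360))
```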
1.6 Exercises
1. Let k, n ∈ N and let $\varphi_k(n)$ be the number of invertible k × k matrices with coefficients in $Z_n$, i.e. $\varphi_k(n) = \#M_k(Z_n)^*$. It is known that
$$\varphi(n) = \varphi_1(n) = n \prod_{p|n}\left(1 - \frac{1}{p}\right).$$
Find a similar formula for $\varphi_k(n)$ (k arbitrary). In connection with exercise 1, compute $\varphi_2(26)$.
Hint: Using the Chinese Remainder Theorem reduce to the case when n is a prime power.
2. Let p be an odd prime. The goal of this exercise is to prove that the group $Z^*_{p^{\alpha}}$ is cyclic. Let g be a generator of $Z^*_p$. We will show that there is a generator of $Z^*_{p^{\alpha}}$ of the form $h = g + tp \pmod{p^{\alpha}}$, where t ∈ {0, 1, …, p − 1}.
(a) Let r be the order of h in $Z^*_{p^{\alpha}}$. Show that $r = p^j(p-1)$ for some j ∈ {0, …, α − 1}.
(b) Show that t can be chosen so as to satisfy $(g + tp)^{p-1} \not\equiv 1 \pmod{p^2}$.
(c) For t as in (b), show that j = α − 1.
Hint: Prove by induction that $(g + tp)^{p^i(p-1)} = 1 + a_{i+1} p^{i+1}$, where $p \nmid a_{i+1}$, i = 0, …, α − 2.
Chapter 2
Classical ciphers
2.1 Cryptosystem
Definition 2.1. A cryptosystem is a five-tuple (P, C, K, E, D), where
(i) P is a finite set of possible plaintext characters
(ii) C is a finite set of possible ciphertext characters
(iii) $\mathcal{K}$ is the set of possible keys (keyspace)
(iv) For each $K \in \mathcal{K}$ there is an encryption rule $e_K \in E$ and a corresponding decryption rule $d_K \in D$. Moreover $e_K : P \to C$, $d_K : C \to P$ are functions satisfying the condition:
$$d_K(e_K(x)) = x \quad \text{for every } x \in P$$
Remark 2.2. Since $d_K$ is a function, $e_K$ must be an injective function. Therefore if P = C then the encryption function is a permutation of P.
Example 2.3. (For the English alphabet)
Shift cipher: $P = C = \mathcal{K} = Z_{26}$, $e_K(x) = x + K \pmod{26}$, $d_K(y) = y - K \pmod{26}$.
Substitution cipher: $P = C = Z_{26}$, $\mathcal{K} = \{\pi : \pi \text{ is an arbitrary permutation of } Z_{26}\}$, $e_\pi(x) = \pi(x)$, $d_\pi(y) = \pi^{-1}(y)$.
To see how the cryptosystem works in practice we consider the corresponding communication model (figure 2.1).
The string of subsequent plaintext elements $x = x_1 x_2 \dots x_n$ is transformed into the corresponding string of ciphertext elements $y = y_1 y_2 \dots y_n$, where $y_i = e_K(x_i)$. The substitution cipher seems to be more relevant than the shift cipher above due to the following requirements:
1. The encryption (decryption) functions $e_K$ ($d_K$) should be efficiently computable.
2. An opponent Eve, upon seeing the ciphertext string y, should be unable to determine the key K that was used for the plaintext string x.
Figure 2.1: Communication model
2.2 Classification of ciphers
Till now we assumed that the ciphertext stream had the form
$$y = e_K(x_1)\, e_K(x_2) \dots$$
i.e. the corresponding parts (blocks) of the ciphertext stream were encrypted using the same key K (this justifies the common name block ciphers). In the alternative approach we assume that the subsequent parts of the ciphertext stream depend on varying elements $z_i$ of the keystream $z = z_1 z_2 \dots$, i.e. $y_i = e_{z_i}(x_i)$, where $z_i = f_i(K, x_1, x_2, \dots, x_{i-1})$, $K \in \mathcal{K}$ and $x_j$ are the corresponding plaintext characters. The formal definition is the following.
Definition 2.4. A stream cipher is a tuple (P, C, K, L, F, E, D), where the conditions below are satisfied (with P, C, K defined above):
(i) L is a finite set called the keystream alphabet
(ii) $F = \{f_1, f_2, \dots\}$ is the keystream generator: $f_i : \mathcal{K} \times P^{i-1} \to L$
(iii) For each z ∈ L there are encryption $e_z \in E$ and decryption $d_z \in D$ rules; $e_z : P \to C$, $d_z : C \to P$ are functions satisfying the condition
$$d_z(e_z(x)) = x \quad \text{for any plaintext } x \in P.$$
In practical applications the cipher works on the set of words over a given alphabet A. In this connection we distinguish two types of ciphers:
1. monoalphabetic – if, once a key is chosen, each alphabetic character is mapped to a unique alphabetic character;
2. polyalphabetic – if the above condition is not satisfied. Below we give an example of a polyalphabetic cipher.
Example 2.5. (Permutation cipher) $P = C = (Z_{26})^m$, $\mathcal{K} = \{\pi : \pi \text{ is a permutation of } \{1, 2, \dots, m\}\}$. For any key $\pi \in \mathcal{K}$ we define:
$$e_\pi(x_1, \dots, x_m) = (x_{\pi(1)}, \dots, x_{\pi(m)})$$
$$d_\pi(y_1, \dots, y_m) = (y_{\pi^{-1}(1)}, \dots, y_{\pi^{-1}(m)}).$$
Example 2.6. (Linear Feedback Shift Register cipher) $P = C = \mathcal{K} = L = Z_{26}$, $z_1 = K$, $z_i = x_{i-1}$ (i ≥ 2), $e_z(x) = x + z \pmod{26}$, $d_z(y) = y - z \pmod{26}$. Now, for K = 2 and the plaintext given below we have:
Plaintext:  1, 3, 25, …
Keystream:  2, 1, 3, 25, …
Ciphertext: 3, 4, 2, …
To decrypt the ciphertext $y_1 y_2 y_3 = 3\,4\,2 \dots$ we compute $x_1 = y_1 - z_1 = y_1 - K = 3 - 2 = 1 \pmod{26}$, then $x_2 = y_2 - z_2 = y_2 - x_1 = 4 - 1 = 3 \pmod{26}$, $x_3 = y_3 - z_3 = y_3 - x_2 = 2 - 3 = 25 \pmod{26}$.
2.3 Affine cryptosystems
We assume that the alphabet has n characters, |A| = n. First we consider the one-dimensional case $P = C = Z_n$, $\mathcal{K} = Z_n^* \times Z_n = \{K = (a, b) \in Z_n^2 : a \perp n\}$. We define
$$e_K(x) = ax + b \pmod n$$
$$d_K(y) = \bar{a}(y - b) \pmod n$$
where $a\bar{a} \equiv 1 \pmod n$. Clearly we have $d_K(e_K(x)) = d_K(ax + b) = \bar{a}(ax) = x$. To consider the multidimensional case we introduce the auxiliary function
$$g : Z_n^l \to Z_{n^l}, \qquad g((x_1, \dots, x_l)) = \sum_{i=1}^{l} x_i n^{i-1}$$
We define $P = C = Z_n^l$, $\mathcal{K} = Z_{n^l}^* \times Z_{n^l}$,
$$e_K = g^{-1} \circ k \circ g, \qquad d_K = g^{-1} \circ \bar{k} \circ g$$
where K = (a, b), $k(x) = ax + b \pmod{n^l}$ and $\bar{k}(y) = \bar{a}(y - b) \pmod{n^l}$.
Another approach uses the keyspace $\mathcal{K} = \{K = (A, b) \in M^*_{l \times l}(Z_n) \times Z_n^l\}$ and applies matrix multiplication to define the encryption (decryption) function:
$$e_K(x) = A \cdot \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_l \end{pmatrix} + \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_l \end{pmatrix} \pmod n$$
$$d_K(y) = \bar{A} \cdot \left( \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_l \end{pmatrix} - \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_l \end{pmatrix} \right) \pmod n$$
where $\bar{A}$ is the inverse matrix of A (mod n). In particular, choosing $K = (\mathrm{Id}, b)$ we obtain the Vigenère cipher, while taking $K = (k, 0)$ gives the Hill cipher.
Let us return to the stream ciphers
$$y_i = e_{z_i}(x_i), \quad \text{where } z_i = f_i(K, x_1, x_2, \dots, x_{i-1}),\ i = 1, 2, \dots$$
We call the cipher synchronous iff the keystream is independent of the plaintext stream, i.e. $z_i = f_i(K)$, in which case we think of K as a ‘seed’ that generates the keystream. The stream cipher is called d-periodic iff $z_{i+d} = z_i$ for all i = 1, 2, … Below we give an example of a synchronous stream cipher.
Example 2.7. (Linear Recurrence Stream cipher) We define $y_i = e_{z_i}(x_i)$ with $z_i = f_i(K)$, $K = (k_1, k_2, \dots, k_m, c_1, c_2, \dots, c_m)$ and the keystream given by the following recurrence of degree m (provided $c_1 \ne 0$):
$$z_{i+m} = c_1 z_i + c_2 z_{i+1} + \dots + c_m z_{i+m-1} \quad \text{for } i = 1, 2, \dots$$
where the initial values are fixed as
$$(z_1, z_2, \dots, z_m) = (k_1, k_2, \dots, k_m).$$
Vernam cipher (one-time pad): $A = Z_2$, $P = C = \mathcal{K} = (Z_2)^n$, $K = (k_1, k_2, \dots, k_n)$. The encryption and decryption are defined by the same formulae:
$$e_K(x) = (x_1 + k_1, x_2 + k_2, \dots, x_n + k_n) \pmod 2$$
$$d_K(y) = (y_1 + k_1, y_2 + k_2, \dots, y_n + k_n) \pmod 2$$
The cipher is very easy to implement and is a well-known realization of the so-called perfect secrecy property of a cryptographic system.
2.4 Exercises
1. Consider the Hill cipher with the Latin alphabet (represented by $Z_{26}$) and 2 × 2 matrices.
(a) Suppose that the encryption of the digraphs “TH” and “HE” gives respectively “RH” and “NI”. Find the (only) enciphering matrix A.
(b) Suppose that the plaintext “GIVE” yields the ciphertext “WKNC”. Find the possible enciphering matrices A.
Chapter 3
Cryptoanalysis of classical ciphers
The efficient hardware implementation of the non-synchronous stream cipher may be produced by a linear feedback shift register (LFSR): the keystream is initialized by two vectors $(c_1, \dots, c_m), (z_1, \dots, z_m) \in (Z_2)^m$ and generated by the linear recurrence
$$z_{i+m} = \sum_{j=1}^{m} c_j z_{j+i-1}$$
(Figure: LFSR with taps $c_1 \dots c_m$; the register $z_1 \dots z_m$ shifts to produce $z_{m+1}$, then $z_{m+2}$, and so on.)
Below we consider the simple example (over $Z_{26}$) with
$P = C = \mathcal{K} = L = Z_{26}$, $z_1 = K$, $z_i = x_{i-1}$ (i ≥ 2), $e_z(x) = x + z \pmod{26}$, $d_z(y) = y - z \pmod{26}$.
Example 3.1. (K = 2)
Plaintext:  1, 3, 25, …
Keystream:  K = 2, 1, 3, 25, …
Ciphertext: 3, 4, 2, …
To decrypt the ciphertext $y_1 y_2 y_3 = 3\,4\,2 \dots$ we compute $x_1 = y_1 - z_1 = y_1 - K = 3 - 2 = 1 \pmod{26}$, then $x_2 = y_2 - z_2 = y_2 - x_1 = 4 - 1 = 3 \pmod{26}$, $x_3 = y_3 - z_3 = y_3 - x_2 = 2 - 3 = 25 \pmod{26}$.
In the classical cryptosystems the encryption and decryption functions are equivalent from the computational point of view: if we know how to encrypt then we know how to decrypt and vice versa. This is not the case in asymmetric cryptography, where one of the encryption or decryption keys is kept secret while the other is made public.
Definition 3.2. (Kerckhoffs' principle) The security of the cipher is based on the secrecy of the cryptographic keys, but not on the secrecy of the cryptosystem used.
The most common types of attacks on a cryptosystem are the following:
Ciphertext only: the adversary (opponent) possesses a string of ciphertext y.
Known plaintext: the adversary possesses a string of plaintext x and the corresponding ciphertext y.
Chosen plaintext: the adversary has obtained temporary access to the encryption machinery, computing (x, y) for a chosen string x.
Chosen ciphertext: the adversary has obtained temporary access to the decryption machinery, computing (x, y) for a chosen string y.
Cryptoanalysis of the affine ciphers is based on the statistical examination of the characters of the English alphabet together with linear algebra ingredients. The frequencies of the most and least common English letters are approximately given below:
E – 12.7%, T – 9.1%, A – 8.2%
Q – 0.1%, X – 0.1%, Z – 0.1%
Comparing them with the frequencies of the letters in the ciphertext we are able to mount the ‘ciphertext only’ attack using the suitable correspondences and grammatical rules concerning digrams, trigrams, etc. This analysis can be applied to substitution or affine ciphers. When the encryption is done on blocks of letters (k-grams, k > 1) the statistical investigation is less powerful but still has some significance. The known plaintext attack can be successfully realized by linear algebra tools, writing and solving suitable equations of the type
$$Ax + b = y \pmod n$$
with matrices of the respective dimensions.
Example 3.3. Consider the one-dimensional affine cryptosystem (over $Z_n$) with encryption map $e_k(x) = g^{-1} \circ k \circ g$, $k(x) = ax + b \pmod{n^2}$, and a pair of plaintexts $x = (x_1, x_2)$, $x' = (x'_1, x'_2)$ such that $x_1 - x'_1 \perp n$, with the corresponding ciphertexts $y = (y_1, y_2)$, $y' = (y'_1, y'_2)$ such that $y_1 - y'_1 \perp n$.
We have $g((x_1, x_2)) = x_1 + n x_2$. To compute the key $k = (a, b) \bmod n^2$ it is sufficient to solve the following system of congruences in $a, b \in Z_n$ ($a \ne 0 \bmod n$):
$$a(x_1 + n x_2) + b \equiv y_1 + n y_2 \pmod{n^2}$$
$$a(x'_1 + n x'_2) + b \equiv y'_1 + n y'_2 \pmod{n^2}$$
Subtracting both sides of the above congruences we derive
$$a\left[(x_1 - x'_1) + n(x_2 - x'_2)\right] \equiv y_1 - y'_1 + n(y_2 - y'_2) \pmod{n^2}$$
and since $x_1 \not\equiv x'_1 \pmod n$, $y_1 \not\equiv y'_1 \pmod n$, the suitable solution $(a, b) \in Z^*_{n^2} \times Z_{n^2}$ exists.
Example 3.4. Consider the two-dimensional Hill cipher over $Z_n$ with the encryption map given as
$$e_K(x_1, x_2) = k \begin{pmatrix} x_1 \\ x_2 \end{pmatrix}, \quad \text{where } k = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in M^*_{2 \times 2}(Z_n).$$
Assume that the plaintext pairs $x = (x_1, x_2)$, $x' = (x'_1, x'_2) \in Z_n^2$ are linearly independent. To compute the key k it is sufficient to solve the following system of congruences:
$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} = \begin{pmatrix} y_1 \\ y_2 \end{pmatrix} \pmod n, \qquad \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} x'_1 \\ x'_2 \end{pmatrix} = \begin{pmatrix} y'_1 \\ y'_2 \end{pmatrix} \pmod n$$
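The matrix affine cipher of Section 2.3 over $Z_{26}$ (Hill cipher for b = 0, Vigenère for A = Id) together with the known-plaintext key recovery of Example 3.4, as an added example (my code, not from the notes or their exercises; the key matrix and text are constructed, and the inverse is computed through the adjugate so that it also works over the composite modulus 26):

```python
# Added example (not from the lecture notes): the matrix affine cipher of
# Section 2.3 over Z_26 and the known-plaintext key recovery of Example 3.4,
# which shows why a linear cipher fails requirement 2 of Section 2.1.
from typing import List

Matrix = List[List[int]]
N = 26  # |A| = 26 for the Latin alphabet


def det(a: Matrix) -> int:
    """Integer determinant by Laplace expansion (l is small here)."""
    if len(a) == 0:
        return 1
    if len(a) == 1:
        return a[0][0]
    return sum((-1) ** j * a[0][j] * det(minor(a, 0, j)) for j in range(len(a)))


def minor(a: Matrix, i: int, j: int) -> Matrix:
    return [row[:j] + row[j + 1:] for k, row in enumerate(a) if k != i]


def inverse_mod(a: Matrix, n: int = N) -> Matrix:
    """A_bar with A * A_bar = Id (mod n), computed as det(A)^-1 * adj(A).

    No unit pivot is needed, so this works over composite n; it raises if
    det(A) is not a unit mod n, i.e. A is not in M*_{l x l}(Z_n).
    """
    l = len(a)
    d_inv = pow(det(a) % n, -1, n)    # ValueError when gcd(det, n) != 1
    adj = [[(-1) ** (i + j) * det(minor(a, j, i)) for j in range(l)] for i in range(l)]
    return [[(d_inv * adj[i][j]) % n for j in range(l)] for i in range(l)]


def mat_vec(a: Matrix, x: List[int], n: int = N) -> List[int]:
    return [sum(a[i][j] * x[j] for j in range(len(x))) % n for i in range(len(a))]


def encrypt(a: Matrix, b: List[int], x: List[int]) -> List[int]:
    """e_K(x) = A x + b (mod n)."""
    return [(v + bi) % N for v, bi in zip(mat_vec(a, x), b)]


def decrypt(a: Matrix, b: List[int], y: List[int]) -> List[int]:
    """d_K(y) = A_bar (y - b) (mod n)."""
    return mat_vec(inverse_mod(a), [(v - bi) % N for v, bi in zip(y, b)])


def recover_key(plain: List[List[int]], cipher: List[List[int]]) -> Matrix:
    """Hill cipher (b = 0): solve K X = Y for K from l plaintext/ciphertext blocks.

    X has the plaintext blocks as columns and must be invertible mod n (the
    "linearly independent" assumption of Example 3.4); then K = Y X^-1.
    """
    l = len(plain[0])
    x = [[plain[c][r] for c in range(l)] for r in range(l)]   # columns = blocks
    y = [[cipher[c][r] for c in range(l)] for r in range(l)]
    x_inv = inverse_mod(x)
    return [[sum(y[i][k] * x_inv[k][j] for k in range(l)) % N for j in range(l)]
            for i in range(l)]


def text_to_blocks(text: str, l: int) -> List[List[int]]:
    """A = 0, ..., Z = 25; drops a trailing partial block."""
    nums = [ord(ch) - ord("A") for ch in text.upper() if ch.isalpha()]
    return [nums[i:i + l] for i in range(0, len(nums) - len(nums) % l, l)]


if __name__ == "__main__":
    key = [[3, 3], [2, 5]]            # constructed key: det = 9, gcd(9, 26) = 1
    shift = [0, 0]                    # b = 0, i.e. a pure Hill cipher
    blocks = text_to_blocks("HELP", 2)
    enc = [encrypt(key, shift, blk) for blk in blocks]
    print("ciphertext blocks:", enc)                    # HELP -> HIAT
    print("recovered key from the two blocks:", recover_key(blocks, enc))
```

Two known digraphs whose plaintext matrix is invertible mod 26 already fix the whole Hill key, which is the known-plaintext weakness the text describes.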
Stream cipher cryptoanalysis
We consider only the LFSR-based stream cipher with the encryption map given by
$$y_i = x_i + z_i \pmod 2$$
where the keystream satisfies the linear recurrence relation
$$z_{i+m} = \sum_{j=1}^{m} c_j z_{j+i-1}$$
with $c_i \in Z_2$ (c ≠ 0). Since the operations are linear we expect that the cryptosystem is vulnerable to a known-plaintext attack, similarly as in the case of the Hill cipher: knowing the strings
$$x = x_1 x_2 \dots x_n, \qquad y = y_1 y_2 \dots y_n$$
we first compute the keystream
$$z_i = x_i + y_i \pmod 2, \quad i = 1, 2, \dots, n$$
Now
$$z_{m+1} = c_1 z_1 + c_2 z_2 + \dots + c_m z_m$$
$$z_{m+2} = c_1 z_2 + c_2 z_3 + \dots + c_m z_{m+1}$$
$$\vdots$$
$$z_{2m} = c_1 z_m + c_2 z_{m+1} + \dots + c_m z_{2m-1}$$
Hence, solving the system of equations (provided the suitable rows are linearly independent),
$$(c_1, \dots, c_m) = (z_{m+1}, \dots, z_{2m}) \begin{pmatrix} z_1 & z_2 & \dots & z_m \\ z_2 & z_3 & \dots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \dots & z_{2m-1} \end{pmatrix}^{-1} \pmod 2$$
we compute the recurrence that generates the keystream.
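The LFSR keystream of Example 2.7 taken over $Z_2$ and the recovery of its taps from 2m known keystream bits by solving the system above, as an added example (my code, not from the lecture notes; the taps, seed and plaintext bits are constructed):

```python
# Added example (not from the lecture notes): an LFSR stream cipher over
# Z_2 (the linear recurrence of Example 2.7 with m = 5) and recovery of
# its taps from 2m keystream bits by solving the Hankel system above.
from typing import List

Bits = List[int]


def lfsr_keystream(c: Bits, z: Bits, length: int) -> Bits:
    """z_{i+m} = sum_j c_j z_{j+i-1} (mod 2), starting from the seed z_1..z_m."""
    m = len(c)
    out = list(z)
    while len(out) < length:
        i = len(out) - m                      # 0-based index of z_i
        out.append(sum(c[j] * out[i + j] for j in range(m)) % 2)
    return out[:length]


def xor(a: Bits, b: Bits) -> Bits:
    """y_i = x_i + z_i (mod 2); the same map decrypts and recovers z from (x, y)."""
    return [(u + v) % 2 for u, v in zip(a, b)]


def solve_gf2(rows: List[Bits], rhs: Bits) -> Bits:
    """Solve rows * c = rhs over GF(2) by Gauss-Jordan elimination.

    Raises ValueError when the rows are linearly dependent, the case the
    notes exclude with "provided the suitable rows are linearly independent".
    """
    m = len(rows)
    aug = [row[:] + [r] for row, r in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("keystream rows are linearly dependent")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [(u + v) % 2 for u, v in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_taps(z: Bits, m: int) -> Bits:
    """Given z_1..z_2m and the degree m, return (c_1, ..., c_m).

    Row i of the system is (z_i, ..., z_{i+m-1}) with right-hand side
    z_{i+m}: exactly the m equations listed in the notes.
    """
    if len(z) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    rows = [z[i:i + m] for i in range(m)]
    rhs = [z[i + m] for i in range(m)]
    return solve_gf2(rows, rhs)


if __name__ == "__main__":
    # constructed LFSR: z_{i+5} = z_i + z_{i+2}; x^5 + x^2 + 1 is primitive,
    # so any nonzero seed gives a keystream of period 31
    taps = [1, 0, 1, 0, 0]
    seed = [1, 0, 0, 1, 1]
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]   # 16 known bits
    stream = lfsr_keystream(taps, seed, len(plaintext))
    ciphertext = xor(plaintext, stream)
    z = xor(plaintext, ciphertext)              # z_i = x_i + y_i (mod 2)
    found = recover_taps(z, 5)
    print("recovered taps:", found, "match:", found == taps)
    print("regenerated keystream matches:",
          lfsr_keystream(found, z[:5], len(plaintext)) == stream)
```

Ten known keystream bits are enough to rebuild this 5-stage register, after which the attacker and the legitimate receiver have the same decryption capability; this is the reason an LFSR output is never used directly as a keystream in a modern design.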
Cryptoanalysis of the Vigenère cipher
One method is due to Friedrich Kasiski (1863). The basic observation is: if the same plaintext x occurs at positions shifted by a multiple of the key length, then the same ciphertext will occur there, and conversely, when we observe identical segments of ciphertext of length at least 3, we have a good chance that they correspond to identical segments of plaintext. We expect that the gcd of the suitable distances between their positions will be the key length. Knowing the length of the key we perform frequency analysis on the letters occurring in the fixed arithmetical progressions modulo the key length.
Another approach, due to William F. Friedman (1920), is based on the notion of the index of coincidence of the string $x = x_1 x_2 \dots x_n$ of n alphabetic characters, $I_c(x)$, defined (for the English alphabet) by
$$I_c(x) = \frac{\sum_{i=0}^{25} f_i (f_i - 1)}{n(n-1)}$$
where $f_i$ are the corresponding frequencies (counts) of the alphabetic letters occurring in the string x. Using the expected probabilities $p_0, p_1, \dots, p_{25}$ of the occurrence of the subsequent letters we find that the approximate value of $I_c(x)$ should be equal to
$$\sum_{i=0}^{25} p_i^2 = 0.065$$
Now, observing the cryptogram $y = y_1 y_2 \dots$ of the Vigenère cipher with keyword length equal to m, we divide it into the column vectors
$$y^{1} = \begin{pmatrix} y_1 \\ y_{m+1} \\ y_{2m+1} \\ \vdots \end{pmatrix}, \quad y^{2} = \begin{pmatrix} y_2 \\ y_{m+2} \\ y_{2m+2} \\ \vdots \end{pmatrix}, \quad \dots, \quad y^{m} = \begin{pmatrix} y_m \\ y_{2m} \\ y_{3m} \\ \vdots \end{pmatrix}$$
Since each column is encrypted by a fixed alphabetic character of the keyword, the value $I_c(y^i)$, i = 1, 2, …, m, should not be far from 0.065. On the other hand, if m is not the keyword length, we have quite a good chance to find a column with a distribution of characters close to a random one, i.e. with $I_c \approx 26 \left(\frac{1}{26}\right)^2 = 0.038$. In this way we may easily distinguish the proper choice of the keyword length.
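Friedman's index-of-coincidence test for the keyword length, as an added example (my code, not from the lecture notes). The "English" plaintext is constructed by sampling letters from an approximate English frequency table with a fixed seed, so the run is reproducible offline; the keyword and the decision threshold are my own choices.

```python
# Added example (not from the lecture notes): Friedman's index of
# coincidence test for the Vigenere keyword length, as described above.
import random
from typing import List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative frequencies of English letters A..Z (percent).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def index_of_coincidence(text: str) -> float:
    """I_c(x) = sum_i f_i (f_i - 1) / (n (n - 1)) over the 26 letter counts."""
    n = len(text)
    if n < 2:
        return 0.0
    counts = [text.count(ch) for ch in ALPHABET]
    return sum(f * (f - 1) for f in counts) / (n * (n - 1))


def expected_ic(freq_percent: List[float]) -> float:
    """sum_i p_i^2 for the language's letter distribution (about 0.065 for English)."""
    total = sum(freq_percent)
    return sum((f / total) ** 2 for f in freq_percent)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift letter i by the keyword letter i mod len(key) (K = (Id, b) in Section 2.3)."""
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(text))


def columns(text: str, m: int) -> List[str]:
    """Column vectors y^1..y^m: every m-th letter, each under a single shift if m is right."""
    return [text[i::m] for i in range(m)]


def average_column_ic(text: str, m: int) -> float:
    return sum(index_of_coincidence(col) for col in columns(text, m)) / m


def estimate_key_length(ciphertext: str, max_len: int = 12,
                        random_ic: float = 1 / 26, english_ic: float = 0.065) -> int:
    """Smallest m whose columns look like shifted English rather than random text.

    A column IC near 0.038 (= 26 * (1/26)^2) means the column mixes several
    shift alphabets; the decision threshold is the midpoint to 0.065.
    Multiples of the true length also score high, so the smallest m wins.
    """
    threshold = (random_ic + english_ic) / 2
    for m in range(1, max_len + 1):
        if average_column_ic(ciphertext, m) > threshold:
            return m
    raise ValueError("no keyword length up to max_len fits")


def sample_plaintext(n_letters: int, seed: int = 2011) -> str:
    """Constructed stand-in for English text with English letter statistics."""
    rng = random.Random(seed)
    return "".join(rng.choices(ALPHABET, weights=ENGLISH_FREQ, k=n_letters))


if __name__ == "__main__":
    plaintext = sample_plaintext(5000)
    ciphertext = vigenere(plaintext, "CRYPT")     # keyword length 5
    for m in range(1, 8):
        print(f"m={m}: average column IC = {average_column_ic(ciphertext, m):.4f}")
    print("estimated keyword length:", estimate_key_length(ciphertext))
```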
Chapter 4
Asymmetric cryptology and hard computational problems
4.1 Public key cryptosystem
Definition 4.1. A public key cryptosystem is a six-tuple (P, C, K, E, R, D), where
(i) P – plaintext set
(ii) C – ciphertext set
(iii) $\mathcal{K}$ – keyspace, where $\mathcal{K} = \{K = (k, k')\}$; k is called the secret key, k′ the public key
(iv) R – space of random elements
(v) E – set of encryption rules
(vi) D – set of decryption rules
(vii) For each pair (k, k′) there is an encryption function $e_{k'} : P \times R \to C$, $e_{k'} \in E$, and a decryption function $d_k : C \to P$, $d_k \in D$. Of course, similarly to the definition of a classical cryptosystem, they satisfy the condition:
$$d_k(e_{k'}(x, r)) = x \quad \text{for every } x \in P \text{ and } r \in R.$$
In distinction to the definition of a classical cryptosystem we now assume that the keyspace is composed of pairs. Moreover the encryption usually depends on some random source of elements. In the above definition we are dealing with a public key encryption system.
On the other hand, if the encryption depends on the private key k, we commonly call C = S the set of signatures. In this case we have $e_k : P \times R \to S$, and the decryption $d_{k'} = \mathrm{ver}_{k'} : P \times S \to \{0, 1\}$ is called the signature verification.
Example 4.2. (ElGamal cryptosystem)[1]
Let p be a prime number, g a generator of $Z_p^*$ and $P = Z_p^*$. Consider the public key cryptosystem (P, C, K, E, R, D) where the keyspace is $\mathcal{K} = \{K = (k, k') : k' = g^k \bmod p\}$, the ciphertext space is $C = Z_p^* \times Z_p^*$, and $R = Z_{p-1}$. The encryption function is $e_{k'}(x, r) = (y_1, y_2)$ where $y_1 = g^r$, $y_2 = x (k')^r \bmod p$, and $d_k(y_1, y_2) = y_2 y_1^{-k}$ in the case of the encryption system.
In the case of the digital signature system let $R = Z^*_{p-1}$, $C = S = Z_p^* \times Z^*_{p-1}$; the signature function is $\mathrm{sig}_k(x, r) = (y_1, y_2)$ where $y_1 = g^r$, $y_2 = (x - k y_1) r^{-1} \bmod (p-1)$, and $\mathrm{ver}_{k'}(x, (y_1, y_2)) = 1 \iff y_1^{y_2} (k')^{y_1} = g^x \bmod p$.
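The ElGamal encryption and signature maps exactly as written in Example 4.2, on a toy prime so that the arithmetic is visible, as an added example (my code, not from the lecture notes; the parameters p = 467, g = 2 and the message and random values are my choices):

```python
# Added example (not from the lecture notes): the ElGamal encryption and
# signature maps of Example 4.2 over a toy prime.
import random
from math import gcd

P = 467             # prime; p - 1 = 2 * 233
G = 2               # generator of Z_p^* (checked by is_generator below)


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q | p - 1."""
    n, q, primes = p - 1, 2, set()
    while q * q <= n:
        while n % q == 0:
            primes.add(q)
            n //= q
        q += 1
    if n > 1:
        primes.add(n)
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes)


def keygen(k: int) -> tuple:
    """Secret key k, public key k' = g^k mod p."""
    return k, pow(G, k, P)


def encrypt(k_pub: int, x: int, r: int) -> tuple:
    """e_{k'}(x, r) = (g^r, x * (k')^r) mod p, with r in Z_{p-1}."""
    return pow(G, r, P), (x * pow(k_pub, r, P)) % P


def decrypt(k: int, y1: int, y2: int) -> int:
    """d_k(y1, y2) = y2 * y1^(-k) mod p."""
    return (y2 * pow(y1, -k, P)) % P      # negative exponent: inverse of y1, then power k


def sign(k: int, x: int, r: int) -> tuple:
    """sig_k(x, r) = (g^r, (x - k*y1) * r^-1 mod (p-1)); needs r in Z*_{p-1}."""
    if gcd(r, P - 1) != 1:
        raise ValueError("r must be a unit modulo p - 1")
    y1 = pow(G, r, P)
    y2 = ((x - k * y1) * pow(r, -1, P - 1)) % (P - 1)
    return y1, y2


def verify(k_pub: int, x: int, y1: int, y2: int) -> bool:
    """ver_{k'}(x, (y1, y2)) = 1 iff y1^y2 * (k')^y1 = g^x mod p."""
    if not 1 <= y1 < P:                  # y1 must be a group element
        return False
    return (pow(y1, y2, P) * pow(k_pub, y1, P)) % P == pow(G, x, P)


if __name__ == "__main__":
    rng = random.Random(2011)
    k, k_pub = keygen(rng.randrange(1, P - 1))
    y1, y2 = encrypt(k_pub, 123, rng.randrange(P - 1))
    print("ciphertext", (y1, y2), "decrypts to", decrypt(k, y1, y2))
    r = rng.randrange(1, P - 1)
    while gcd(r, P - 1) != 1:            # signing randomness must be a unit mod p - 1
        r = rng.randrange(1, P - 1)
    s1, s2 = sign(k, 321, r)
    print("signature valid:", verify(k_pub, 321, s1, s2),
          "| same signature on 322 valid:", verify(k_pub, 322, s1, s2))
```

This is the textbook scheme of the example: the signature is computed on x itself rather than on a hash of the message, and r must be fresh and secret for every signature, since two signatures sharing r expose k through the second formula.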
4.2 Asymmetric system constructions and efficiency
The most popular public key cryptosystems are based on good pseudorandom generators and efficient primality testing.
The asymptotic number of primes less than x is $\frac{x}{\ln x}$, so there is quite a high chance that a randomly chosen natural number is prime (it is proportional to the inverse of the number of bits of the chosen number). However, the problem of finding a proof that a given number is prime is not trivial from the computational perspective (certified prime numbers). It is usually referred to as primality testing.
One of the approaches we will deal with more carefully concerns the notion of a primality witness b ∈ B and a primality condition for the tested number n, PC = PC(n, b), expressing a necessary condition for the number n to be prime. We also require a sufficient condition, provided PC(n, b) holds true for sufficiently many witnesses b. We start from a small basis B and then extend it to the large space ⟨B⟩ generated by B (the amplification idea). Such a strategy is designed to obtain suitable algorithms returning prime numbers, as is clear from the examples below.
First let PC(n, b) be the Fermat equation
$$b^{n-1} = 1 \pmod n. \tag{4.1}$$
However, this is not quite correct, since there exist infinitely many composite numbers n such that PC(n, b) holds for all b ⊥ n (Carmichael numbers).
One can replace (4.1) by the Euler equation (applied in the Solovay-Strassen test)
$$b^{\frac{n-1}{2}} = \left(\frac{b}{n}\right) \pmod n, \tag{4.2}$$
where $\left(\frac{b}{n}\right)$ denotes the Jacobi symbol.
Due to the multiplicativity property, checking the condition (4.2) for b ∈ B we conclude that it holds for the whole group ⟨B⟩ ⊂ $Z_n^*$. The „amplification effect” here is still not sufficient, since we know that the small set $B = [1, 2\ln^2 n]$ generates the whole $Z_n^*$ only under the extended Riemann Hypothesis.
But the real advantage is obtained by the polynomial Fermat-type condition
$$(x + b)^n = x^n + b \tag{4.3}$$
in the quotient ring $Z_n[x]/\Phi_r(x)$, where $\Phi_r(x) = x^r - 1$ is the cyclotomic polynomial (r is a prime number), applied in the deterministic AKS primality test[2]. The higher space $Z_n[x]/\Phi_r(x)$ instead of $Z_n$ allows us to play with the amplification idea more efficiently. For any prime factor p|n the ring $R_n$ is a direct sum of $Z_p^*$ and the remaining copies isomorphic to the group of units of the field $F^*_{p^k}$, with k expressed by the order of n (mod r). Now if n is composite and PC(n, r, b) is satisfied, we can prove that the orders of (x + b) in $F^*_{p^k}$ are low. On the other hand the group ⟨x + b, b ∈ B⟩ is large already for |B| of size $(\ln n)^c$. Since $F^*_{p^k}$ is cyclic we obtain a contradiction with the compositeness of n.
[1] Taher ElGamal – Egyptian cryptographer. In 1985 he published the paper titled “A Public Key Cryptosystem and A Signature Scheme Based on Discrete Logarithms”, in which he proposed the system named after him.
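The primality conditions (4.1) and (4.2) as witness tests, with the Jacobi symbol computed by quadratic reciprocity, as an added example (my code, not from the lecture notes). It shows the Carmichael number 561 = 3 · 11 · 17 passing the Fermat condition for every coprime base while failing the Euler condition, and that the Euler liars form only a proper subgroup of $Z_{561}^*$.

```python
# Added example (not from the lecture notes): the witness conditions
# (4.1) Fermat and (4.2) Euler / Solovay-Strassen on the Carmichael
# number 561, with the Jacobi symbol computed by quadratic reciprocity.
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0 (the Legendre symbol when n is prime)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity: sign flips iff both = 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0        # 0 when gcd(a, n) > 1


def fermat_holds(n: int, b: int) -> bool:
    """Condition (4.1): b^(n-1) = 1 (mod n)."""
    return pow(b, n - 1, n) == 1


def euler_holds(n: int, b: int) -> bool:
    """Condition (4.2): b^((n-1)/2) = (b/n) (mod n), for odd n; -1 is taken as n - 1."""
    return pow(b, (n - 1) // 2, n) == jacobi(b, n) % n


def passes_all_coprime_bases(n: int, condition) -> bool:
    """Exhaustively check a witness condition for every b in Z_n^* (toy sizes only)."""
    return all(condition(n, b) for b in range(1, n) if gcd(b, n) == 1)


def euler_liars(n: int) -> list:
    """Bases b in Z_n^* for which (4.2) holds although n is composite."""
    return [b for b in range(1, n) if gcd(b, n) == 1 and euler_holds(n, b)]


if __name__ == "__main__":
    n = 561                                   # Carmichael number 3 * 11 * 17
    print("Fermat condition holds for every coprime base:",
          passes_all_coprime_bases(n, fermat_holds))
    print("Euler condition holds for every coprime base:",
          passes_all_coprime_bases(n, euler_holds))
    print("Euler liars:", len(euler_liars(n)), "of the", 320, "units mod 561")
```

Because the Euler liars of a composite n form a proper subgroup of $Z_n^*$, at most half of the bases lie, which is what makes (4.2) usable as a probabilistic test while (4.1) never rejects a Carmichael number.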
4.3 Hard computational problems and one-way functions
The security of a public key cryptosystem is in general referred to the hardness of given computational problems. It is convenient to express it in terms of families of one-way functions f : X → Y.
We require that the computation of f for a given x ∈ X is feasible, while given a random y ∈ Im f it is infeasible to compute x ∈ X with f(x) = y.
Example 4.3. (Factoring problem) The typical example is
$$f : N \times N \to N, \qquad f(n, n') = n \cdot n' = m. \tag{4.4}$$
If m is a product of two large prime numbers it is hard to compute $(n, n') \notin \{(1, m), (m, 1)\}$ such that $nn' = m$.
Example 4.4. (Computing roots in $Z_n^*$) Another example deals with the group operation (in the multiplicative setting). Let us consider
$$f(x) = x^k = y.$$
The number y can be computed efficiently provided the group operation is efficient (iterative squaring method). The inverse operation $x = \sqrt[k]{y}$ is also easy if $G = (Z_n, +)$, but it is not the case if $G = (Z_n^*, \ast)$. If the order φ(n) of $Z_n^*$ is known we compute $\sqrt[k]{y}$ efficiently and deterministically provided k ⊥ n. If not, the generalization of Tonelli's algorithm allows us to compute $\sqrt[k]{y}$ in heuristic polynomial time. The particular quadratic equation
$$x^2 = y \pmod n, \quad n = pq$$
shows that if one can find 3 distinct solutions of it then one can also factor the number n[3], so we „expect” that computing square roots here is as hard as the factoring problem.
[2] The Agrawal-Kayal-Saxena primality test is a deterministic primality-proving algorithm created and published by three Indian Institute of Technology Kanpur computer scientists, Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, on August 6, 2002, in a paper titled “PRIMES is in P”.
Example 4.5. (Discrete logarithm problem) Now let us fix the group element g but let the exponent x ∈ Z vary. Let us consider
$$f(x) = g^x = y$$
Here the inverse operation is directly related to the discrete logarithm problem (DLP).
All three functions mentioned above are good candidates for one-way functions and are widely used in cryptography.
4.4 Amplification method in solving the hard computational problems

Assume we are given an instance of a hard computational problem (HCP) related to a one-way function (e.g. a group homomorphism) $f : X \to Y$, where both $X$ and $Y$ carry a group structure. One conceivable strategy to compute, for a given random $y \in \operatorname{Im} f$, an element $x \in X$ with $f(x) = y$ is the following:

(i) We choose a relatively small basis $\mathcal{B} \subset \operatorname{Im} f$ which generates a large subspace $\langle \mathcal{B} \rangle$ of $\operatorname{Im} f$.

(ii) We choose a set $X' \subset X$, related in a random way to the given instance of the HCP, and try to find a representation of $f(x')$ in $\mathcal{B}$ for $x' \in X'$ (amplification).

(iii) Using algebraic methods we try to extract nontrivial relations between $f(X')$ and $\langle \mathcal{B} \rangle$, obtaining e.g. preimages under $f$ of some $b' \in \langle \mathcal{B} \rangle$.

(iv) Finally we use them to find the solution of the HCP for the given instance.
Example 4.6. (DLP problem) To demonstrate how the above strategy works for an HCP we start from the DLP. The instance of the problem is $(\alpha, \beta) \in \mathbb{Z}_p^* \times \mathbb{Z}_p^*$. We choose the basis $\mathcal{B}$ consisting of the small primes $b_i$ in the interval $[1, B]$. The subspace $\langle \mathcal{B} \rangle$ is the subgroup of $\mathbb{Z}_p^*$ generated by $\mathcal{B}$. For a random exponent $x'$ we try to represent $f(x') = \alpha^{x'}$ in the basis $\mathcal{B}$, i.e.
$$\alpha^{x'} = \prod_{b_i \in \mathcal{B}} b_i^{c_i}, \qquad c_i \in \mathbb{Z}. \tag{4.5}$$
Of course we can find such a representation only for some $x'$, but if we choose sufficiently many $x'$ and take the logarithm $\log_\alpha$ of both sides of (4.5), we can use Gaussian elimination (modulo $p - 1$) to compute $\log_\alpha b_i$ for $b_i \in \mathcal{B}$. Similarly, representing
$$\beta \alpha^{l} = \prod_{b_i \in \mathcal{B}} b_i^{d_i}$$
for a random $l$ and subtracting the logarithms we compute $\log_\alpha \beta = \sum_i d_i \log_\alpha b_i - l$. This step also needs to be repeated many times to pick a suitable $l$.

The crucial point is to choose $B$ big enough to represent many random elements in the basis, but not too big, in order to have an efficient algorithm solving the corresponding system of linear equations derived from (4.5).
Example 4.7. (Roots computing) Now we consider the problem of computing roots for the equation
$$x^2 = b \pmod n, \qquad n = pq.$$
The related "one-way" function is
$$f : \mathbb{Z}_n^* \to (\mathbb{Z}_n^*)^2, \qquad f(x) = x^2 \pmod n.$$
Any $b \in (\mathbb{Z}_n^*)^2$ can be written as $b = y^2 \pmod n$. We want to compute a solution $x \in \mathbb{Z}_n^*$ with $x \neq \pm y \pmod n$ of the equation
$$x^2 = y^2 \pmod n.$$
As before we choose the set
$$X' = \{x_1, \dots, x_s\} \subset \mathbb{Z}_n^*$$
and a basis $\mathcal{B}$ consisting of small prime numbers. In this case the application of the amplification idea is more sophisticated, since we consider the related vector space of exponents modulo 2: to each $f(x') = (x')^2 \pmod n$ that factors over $\mathcal{B}$ we attach the vector $(\alpha_1, \dots, \alpha_B) \in \mathbb{Z}_2^B$, $B = |\mathcal{B}|$, of its exponents reduced modulo 2. If $|X'| > B$ then we efficiently find a linear dependency among these vectors, i.e. a set $I \subset \{1, 2, \dots, s\}$ such that $f(\prod_{i \in I} x_i)$ is represented by the zero vector. Therefore by defining
$$x = \prod_{i \in I} x_i$$
we have
$$x^2 = \Big(\prod_{i \in I} x_i\Big)^2 = \prod_{i \in I} \prod_{b_j \in \mathcal{B}} b_j^{\alpha_{i,j}} = \prod_{b_j \in \mathcal{B}} b_j^{2\beta_j} = \Big(\prod_{j} b_j^{\beta_j}\Big)^2 = y^2 \pmod n.$$
We note that $y$ was constructed using the representation of the $f(x')$ in the "exponent" space, hence it is a "random" square root of $x^2$, and we may hope that $y \neq \pm x \pmod n$ as required.
Example 4.8. (Factoring problem) Now let us consider the factoring problem, which itself is not directly expressed by a related homomorphism $f : X \to Y$. However, if we have some additional information that restricts this problem to a sufficiently rare subsequence of natural numbers, the factorization can be done efficiently. Assume that we search for divisors $d \mid N$ of a special type, namely $d \equiv r \pmod s$ with $s$ large enough. The following idea (due to Coppersmith) may be successfully applied.

Let $(N, r, s)$, $r \perp s$, be an instance of the problem. Without loss of generality we may assume that $r, s \perp N$, since otherwise we could consider $N/\gcd(N, r)$ or $N/\gcd(N, s)$ instead of $N$. First let us remark that if $d = sx + r \mid N$ then
$$d' = N/d = sy + r', \qquad \text{where } rr' \equiv N \pmod s \text{ and } 0 < r' < s.$$
If $s > N^{1/2}$ then either $d$ or $d'$ must have $x = 0$ or $y = 0$ respectively, and then it is uniquely determined. Consequently there exist at most two divisors $d, d' \mid N$ congruent to $r \pmod s$. Now we sketch an idea allowing us to find such divisors (in fact it works under the restriction $s > N^{\alpha}$, $\alpha > 1/4$). The congruence $sx + r \equiv 0 \pmod d$ is equivalent to
$$x + r\bar{s} \equiv 0 \pmod d, \tag{4.6}$$
where $s\bar{s} \equiv 1 \pmod N$. We consider the space of linear (integer) combinations of the polynomials
$$g_{u,v}(x) = x^u N^{m-v} (x + r\bar{s})^v,$$
which forms a lattice $L$, and remark that any $x$ satisfying (4.6) also satisfies the congruence
$$g_{u,v}(x) \equiv 0 \pmod{d^m}.$$
Applying the Hermite bound to the shortest vector of the lattice we conclude that its norm is less than $c_w (\det L)^{1/w}$, where $w$ is the dimension of the lattice. Let $h(x) = \sum a_i x^i$ be the polynomial representing this vector. On the other hand, by the Cauchy–Schwarz inequality we have, for any $|x| < X$,
$$|h(x)| = \Big|\sum a_i x^i\Big| = \Big|\sum a_i X^i \Big(\frac{x}{X}\Big)^i\Big| \le \sum |a_i X^i| \le \sqrt{\deg h}\, \|h(xX)\|,$$
where $\|h(xX)\|$ denotes the Euclidean norm of the coefficient vector $(a_i X^i)_i$. The LLL method [4] allows us to find efficiently a vector $u'$ with norm comparable to that of the shortest vector $u$, and finally we arrive at $x_0$ such that $|u'(x_0)| < d^m$ for a suitably chosen $X$. This allows us to find $x_0$ as a root of the polynomial over $\mathbb{Z}$ (instead of over $\mathbb{Z}_{d^m}$). Remark that since $d > s = N^{\alpha}$ ($\alpha > 1/4$) the number $d^m$ is large enough, while $\|h'(xX)\|$ is controlled by the Hermite bound.

[4] The LLL reduction algorithm (Lenstra–Lenstra–Lovász lattice basis reduction) is a polynomial-time lattice reduction algorithm invented by Arjen Lenstra, Hendrik Lenstra and László Lovász in 1982.

4.5 DLP problem exemplified

Let $G$ be a finite cyclic group of order $d$ with generator $\alpha \in G$. Given any $\beta \in G$, compute $t \in \mathbb{Z}$ such that
$$\alpha^t = \beta.$$
For some cyclic groups (e.g. $G = (\mathbb{Z}_m, +)$) the DLP can be solved easily (using e.g. the Euclidean algorithm). On the other hand, letting $G = \mathbb{Z}_q^*$ with $q$ a safe prime (i.e. $q = 2p + 1$ with $p$ a Sophie Germain prime), the DLP is believed to be intractable.

Assume that the instance $(\alpha, \beta)$ of the DLP is fixed.
4.5.1 First approach (Collision approach)

To compute $t = \log_\alpha \beta$ let us assume that we are given a "random" function
$$f : G \to G.$$
Let $y_0 = 1$, $y_i = f^i(y_0)$, $i \ge 0$. We expect the sequence $y_i$ to behave like a random sequence of elements of $G$, so that we find a collision
$$y_l = y_m, \quad l < m, \qquad \text{with } m = O(\sqrt{d}).$$
Choosing $f = f_{\alpha, \beta}$ to be multiplication by $\alpha$ or by $\beta$, the corresponding iterates $y_i = f^i(y_0)$ can be represented as
$$y_i = \alpha^{a_i} \beta^{b_i}, \qquad i \ge 0.$$
Hence $\alpha^{a_l} \beta^{b_l} = \alpha^{a_m} \beta^{b_m}$ and
$$\log_\alpha \beta = \frac{a_l - a_m}{b_m - b_l} \pmod d$$
(provided $b_m - b_l$ is invertible modulo $d$; otherwise the congruence $(b_m - b_l)\,t \equiv a_l - a_m \pmod d$ leaves $\gcd(b_m - b_l, d)$ candidates for $t$, each of which can be tested).

Example 4.9. Baby-step Giant-step algorithm. Let $m = \lceil \sqrt{d} \rceil$ and write $\beta = \alpha^t = \alpha^{im + j}$ with $0 \le i, j < m$. Then
$$(\alpha^m)^i = \beta \alpha^{-j}.$$
We can sort the $m$ pairs $(\beta \alpha^{-j}, j)$, $j = 0, 1, \dots, m - 1$, and find the $j$ for which $(\alpha^m)^i = \beta \alpha^{-j}$ for some $i = 0, 1, \dots, m - 1$. This can be done in $O(m^{1 + \varepsilon}) = O(d^{1/2 + \varepsilon})$ deterministic time (for instance, using hash tables).

Example 4.10. We set $G = A \cup B$ (a partition of $G$),
$$f_{\alpha, \beta}(y) = \begin{cases} \alpha y & \text{if } y \in A, \\ \beta y & \text{if } y \in B, \end{cases}$$
$y_0 = 1$, and define $y_i = f_{\alpha, \beta}^{\,i}(y_0)$.
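The collision approach of this subsection, with the partition map of Example 4.10 and the relation $(b_m - b_l)\,t \equiv a_l - a_m \pmod d$, as an added worked example in Python (this is not code from the lecture notes). It uses Pollard's three-way refinement of the map (multiply by $\alpha$, multiply by $\beta$, or square, selected by $y \bmod 3$), Floyd's tortoise-and-hare cycle detection to find the collision $y_l = y_m$ without storing the sequence, and it handles a non-invertible $b_m - b_l$ by testing each of the $\gcd(b_m - b_l, d)$ candidates. The group $\mathbb{Z}_{1019}^*$ with generator $2$ (order $1018 = 2 \cdot 509$) and the exponent $777$ are constructed test values; `pow(x, -1, m)` requires Python 3.8 or newer.

```python
from math import gcd
import random


def pollard_rho_dlp(alpha, beta, p, d, seed=1):
    """Find t with alpha^t = beta in Z_p^*, where alpha has order d.

    Iterates y_{i+1} = f(y_i) while tracking exponents (a_i, b_i) with
    y_i = alpha^a_i * beta^b_i, so a collision y_l = y_m gives a linear
    relation for t = log_alpha(beta) modulo d.
    """

    def step(y, a, b):
        # Pollard's partition of the group into three classes (by y mod 3).
        r = y % 3
        if r == 0:
            return beta * y % p, a, (b + 1) % d
        if r == 1:
            return y * y % p, 2 * a % d, 2 * b % d
        return alpha * y % p, (a + 1) % d, b

    rng = random.Random(seed)
    while True:
        # Random start alpha^a0 * beta^b0 (y0 = 1 would be stuck on squaring).
        a0, b0 = rng.randrange(d), rng.randrange(d)
        y0 = pow(alpha, a0, p) * pow(beta, b0, p) % p
        tortoise = step(y0, a0, b0)           # y_1
        hare = step(*step(y0, a0, b0))        # y_2
        while tortoise[0] != hare[0]:         # Floyd: compare y_i with y_{2i}
            tortoise = step(*tortoise)
            hare = step(*step(*hare))
        (_, a1, b1), (_, a2, b2) = tortoise, hare
        # alpha^a1 beta^b1 = alpha^a2 beta^b2  =>  (b1 - b2) t = a2 - a1 (mod d)
        u, v = (b1 - b2) % d, (a2 - a1) % d
        if u == 0:
            continue                          # degenerate collision, restart
        g = gcd(u, d)
        if v % g:
            continue
        m = d // g
        t0 = (v // g) * pow(u // g, -1, m) % m
        for k in range(g):                    # at most g candidates solve the congruence
            t = t0 + k * m
            if pow(alpha, t, p) == beta:
                return t


if __name__ == "__main__":
    # Constructed instance: 2 generates Z_1019^* (order 1018 = 2 * 509).
    P, D, ALPHA = 1019, 1018, 2
    BETA = pow(ALPHA, 777, P)
    print(pollard_rho_dlp(ALPHA, BETA, P, D))  # -> 777
```

The expected number of iterations is $O(\sqrt{d})$; the only memory used is the two current points and their exponent pairs, which is the practical advantage over the baby-step giant-step table of Example 4.9.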
4.5.2 Second approach

Given the instance $(\alpha, \beta)$ we consider two power lists:
$$\alpha^k, \quad k \in \mathbb{Z}_+, \qquad\qquad \beta \alpha^l, \quad l \in \mathbb{Z}_+.$$
Suppose we find $p \in G$ such that
$$\alpha^k = p^c, \qquad \beta \alpha^l = p^e, \qquad c, e \in \mathbb{Z}. \tag{1}$$
Then $c \log_\alpha p = k$ and $\log_\alpha \beta = e \log_\alpha p - l$, hence (when $c$ is invertible modulo $d$) the computation of $t = \log_\alpha \beta$ is easy:
$$\log_\alpha \beta = \frac{ek}{c} - l \pmod d.$$
Finding $p$ satisfying (1) is therefore as hard as computing $\log_\alpha \beta$. However, we can weaken the above constraints by choosing the base
$$\mathcal{B} = \{p_1, p_2, \dots, p_I\}, \qquad p_i \in G,$$
so that for many $k$ and $e$ we have the representations
$$\alpha^{k_j} = \prod_{i \le I} p_i^{e_{ij}}, \qquad j \le J, \tag{2}$$
$$\beta \alpha^{k} = \prod_{i \le I} p_i^{e_i}. \tag{3}$$
For $J > I$ we can expect that the first $I$ (independent) equations allow us to compute the values of $\log_\alpha p_i$, and then we derive from the last one that
$$\log_\alpha \beta = \sum_i e_i \log_\alpha p_i - k \pmod d.$$
Summing up, we choose random $k_j$ and try to factor $\alpha^{k_j}$ over the base $\mathcal{B}$. Assume that we search for solutions with $|e_{ij}| \le t_i \le T$ (of bounded height). Letting the $p_i$ be the small prime numbers, we can apply the well known estimate of Konyagin and Pomerance for the function $\psi(x, y) = \#\{n \le x : \text{every prime divisor of } n \text{ is } \le y\}$,
$$\psi(x, y) > x^{1 - \frac{\log \log x}{\log y}},$$
to prove that for many $k_j$ the representation (2) can be computed efficiently.
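The factor base method of Example 4.6 and of this subsection, as an added Python example (not code from the lecture notes). It assumes $p = 2q + 1$ is a safe prime and $\alpha$ generates $\mathbb{Z}_p^*$: relations $\alpha^k = \prod p_i^{e_i}$ are collected by trial division over a base of small primes, the system is solved by Gauss–Jordan elimination over $\mathbb{F}_q$ as soon as the coefficient columns have full rank (an explicit check replacing the "for $J > I$ we can expect" step), the logarithms modulo 2 come from Euler's criterion, and the two halves are glued by the CRT. The instance $p = 1019$, $\alpha = 2$, exponent $777$ and the base of primes up to $29$ are constructed values; `pow(x, -1, m)` requires Python 3.8 or newer.

```python
def exponent_vector(m, base):
    """Exponents of m over the prime base, or None if m is not base-smooth."""
    vec = []
    for r in base:
        e = 0
        while m % r == 0:
            m, e = m // r, e + 1
        vec.append(e)
    return vec if m == 1 else None


def solve_mod_prime(rows, r):
    """Gauss-Jordan over F_r on augmented rows [c_1 .. c_n | rhs].

    Returns the unique solution when the n coefficient columns have full
    rank, otherwise None (more relations are needed).
    """
    rows = [[x % r for x in row] for row in rows]
    n = len(rows[0]) - 1
    for col in range(n):
        sel = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if sel is None:
            return None
        rows[col], rows[sel] = rows[sel], rows[col]
        inv = pow(rows[col][col], -1, r)
        rows[col] = [x * inv % r for x in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % r for a, b in zip(rows[i], rows[col])]
    return [rows[i][n] for i in range(n)]


def index_calculus(alpha, beta, p, base):
    """log_alpha(beta) in Z_p^*, p = 2q + 1 a safe prime, alpha a generator."""
    q = (p - 1) // 2
    rows, logs_q = [], None
    # Step (2): collect relations alpha^k = prod p_i^{e_i} until the system
    # determines log_alpha(p_i) mod q uniquely.
    for k in range(1, p - 1):
        vec = exponent_vector(pow(alpha, k, p), base)
        if vec is None:
            continue
        rows.append(vec + [k])
        if len(rows) >= len(base):
            logs_q = solve_mod_prime(rows, q)
            if logs_q is not None:
                break
    if logs_q is None:
        raise ValueError("factor base too small for this p")
    # log_alpha(b) mod 2 is 0 iff b is a quadratic residue (Euler's criterion),
    # because the generator alpha is a non-residue; combine with the mod-q value by CRT.
    logs = []
    for b, lq in zip(base, logs_q):
        l2 = 0 if pow(b, q, p) == 1 else 1
        l = lq if lq % 2 == l2 else lq + q
        if pow(alpha, l, p) != b:
            raise ArithmeticError("inconsistent relation system")
        logs.append(l)
    # Step (3): find l with beta * alpha^l smooth, then log beta = sum e_i log p_i - l.
    for l in range(p - 1):
        vec = exponent_vector(beta * pow(alpha, l, p) % p, base)
        if vec is not None:
            return (sum(e * L for e, L in zip(vec, logs)) - l) % (p - 1)
    raise ValueError("no smooth beta * alpha^l found")


BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]   # constructed factor base

if __name__ == "__main__":
    print(index_calculus(2, pow(2, 777, 1019), 1019, BASE))  # -> 777
```

For a general $p$ the linear algebra has to be done modulo every prime power dividing $p - 1$ (and the results combined by the CRT); the safe-prime assumption keeps the example to one prime-field elimination plus the parity bit.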
4.6 Factoring and RSA problem

The most popular public key cryptosystems are based on the DLP and on the factoring problem.

Definition 4.11. (Factoring Assumption) There exists no probabilistic polynomial-time algorithm that, given $N (= pq)$, finds a nontrivial factor of $N$ with non-negligible probability.

The familiar factoring based Rivest–Shamir–Adleman (RSA) cryptosystem is in fact related to the following RSA Assumption.

Definition 4.12. (RSA Assumption) There exists no probabilistic polynomial-time algorithm that, given $(N, e)$ such that $e \perp \varphi(N)$ and $y \in \mathbb{Z}_N^*$, computes $x \in \mathbb{Z}_N^*$ such that $x^e \equiv y \pmod N$ with non-negligible probability.

We will investigate the relation between the above two assumptions in the sequel. The RSA Assumption is the stronger one, since it implies the Factoring Assumption. To see this, assume that the Factoring Assumption is not valid. Then the corresponding algorithm factoring $N$ may be used to compute efficiently the solutions of
$$x^e \equiv y \pmod p, \qquad x^e \equiv y \pmod q$$
(raising $y$ to the power $e^{-1} \bmod (p - 1)$, resp. $e^{-1} \bmod (q - 1)$) and to apply the CRT to compute $x \equiv \sqrt[e]{y} \pmod N$; thus the RSA Assumption fails as well. Whether the converse implication holds is an open problem.
Remark 4.13. It is easy to see that the problem of computing solutions of the quadratic equation
$$x^2 \equiv y \pmod N$$
is as "hard" as factoring $N$. Assume we have an algorithm $A$ that for a given $y \in (\mathbb{Z}_N^*)^2$ computes (randomly) one of the four roots $x, -x, z, -z \pmod N$. We apply the following algorithm $B$, using $A$ as a subroutine, that finds the factorization $N = pq$.

(1) Choose a random $a \in \mathbb{Z}_N^*$ and compute $y \equiv a^2 \pmod N$.

(2) Use $A$ to compute $x \equiv \sqrt{y} \pmod N$. Since $A$ receives no information about which of the four roots $a$ is, with probability $\frac{1}{2}$ it returns a root $x \not\equiv \pm a \pmod N$.

(3) $B$ computes $\gcd(x - a, N)$. Since $pq \mid x^2 - a^2 = (x - a)(x + a)$, while $pq \nmid (x - a)$ and $pq \nmid (x + a)$, we conclude that $\gcd(x - a, N) \in \{p, q\}$ (and $\gcd(x + a, N)$ is the other prime factor).
Remark 4.14. Equations $x^2 \equiv a^2 \pmod N$ are the basic equations in the Fermat factoring method and in its development called the factor base method. The key point is to generate equations of the type
$$y_i^2 \equiv \prod_{p \in \mathcal{B}} p^{\alpha_{p,i}} \pmod N, \qquad i = 1, 2, \dots$$
and to solve a suitable system of equations (over $\mathbb{Z}_2$) to find a set $I$ such that
$$\prod_{i \in I} y_i^2 \equiv z^2 = \prod_{p \in \mathcal{B}} p^{\alpha_p} \pmod N, \qquad \text{with } \alpha_p = \sum_{i \in I} \alpha_{p,i} \equiv 0 \pmod 2 \text{ for all } p \in \mathcal{B}.$$
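Example 4.7 and Remarks 4.13–4.14 carried out in code, as an added Python example (not from the lecture notes): Dixon's random squares variant of the factor base method. Random $x_i$ are kept when $x_i^2 \bmod n$ factors over a base of small primes, the exponent vectors are reduced modulo 2, and a linear dependency is found by Gaussian elimination over $\mathbb{F}_2$ (rows are stored as bit masks together with the history of which relations they combine), which yields $X^2 \equiv Y^2 \pmod n$. As in Remark 4.13, $\gcd(X - Y, n)$ is then a proper factor with probability about $\frac{1}{2}$, and the loop simply gathers more relations when it is not. The modulus $1019 \cdot 1033$ and the base of primes below $100$ are constructed values.

```python
from math import gcd
import random


def smooth_exponents(m, base):
    """Exponent vector of m over base, or None if a cofactor > 1 remains."""
    vec = []
    for r in base:
        e = 0
        while m % r == 0:
            m //= r
            e += 1
        vec.append(e)
    return vec if m == 1 else None


def gf2_dependencies(vectors):
    """Incremental Gaussian elimination over GF(2) on bit-mask rows.

    For every row that reduces to zero against the rows before it, yield
    the bit mask of original row indices whose sum is the zero vector.
    """
    basis = {}                               # pivot bit -> (reduced row, history mask)
    for idx, v in enumerate(vectors):
        h = 1 << idx
        while v:
            piv = v.bit_length() - 1
            if piv not in basis:
                basis[piv] = (v, h)
                break
            bv, bh = basis[piv]
            v, h = v ^ bv, h ^ bh
        else:
            yield h


def dixon(n, base, seed=1):
    """Random-squares factoring of n: returns a proper factor of n."""
    rng = random.Random(seed)
    xs, vecs, masks = [], [], []
    while True:
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g > 1:
            return g                         # x itself shares a factor with n
        vec = smooth_exponents(x * x % n, base)
        if vec is None:
            continue                         # x^2 mod n is not base-smooth
        xs.append(x)
        vecs.append(vec)
        masks.append(sum((e & 1) << j for j, e in enumerate(vec)))
        if len(xs) <= len(base):
            continue                         # more rows than columns guarantee a dependency
        for subset in gf2_dependencies(masks):
            X, total = 1, [0] * len(base)
            for i in range(len(xs)):
                if subset >> i & 1:
                    X = X * xs[i] % n
                    total = [a + b for a, b in zip(total, vecs[i])]
            Y = 1                            # Y = prod p^(alpha_p / 2); all alpha_p are even
            for p, t in zip(base, total):
                Y = Y * pow(p, t // 2, n) % n
            g = gcd(X - Y, n)                # X^2 = Y^2 (mod n); Remark 4.13
            if 1 < g < n:
                return g


BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
        53, 59, 61, 67, 71, 73, 79, 83, 89, 97]        # constructed factor base

if __name__ == "__main__":
    print(dixon(1019 * 1033, BASE))          # -> 1019 or 1033
```

The quadratic sieve differs only in how the smooth squares are produced (values of $(x + \lceil\sqrt{n}\rceil)^2 - n$ found by sieving instead of random $x$); the linear algebra and the final gcd are exactly the steps shown here.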
Definition 4.15. (e-root problem) Given $y \in \mathbb{Z}_N$, compute $\sqrt[e]{y} \pmod N$.

Remark 4.16. Given $y \in \mathbb{Z}_N$, computing $\sqrt[e]{y} \pmod N$ is equivalent to computing $\sqrt[e]{y^f} \pmod N$ provided $e \perp f$.

To see this we write
$$y^{1/e} = \big(y^{f/e}\big)^{\alpha} y^{\beta} \pmod N,$$
which holds whenever
$$\alpha f + \beta e \equiv 1 \pmod{\varphi(N)},$$
in particular whenever $\alpha f + \beta e = 1$. Hence, using the Euclidean algorithm we compute $\alpha, \beta \in \mathbb{Z}$ such that $\alpha f + \beta e = 1$ (possible since $e \perp f$) and set
$$y^{1/e} := \big(y^{f/e}\big)^{\alpha} y^{\beta} \pmod N.$$
The converse direction is trivial: $\sqrt[e]{y^f} = \big(\sqrt[e]{y}\big)^f$.
Let $d \equiv e^{-1} \pmod{\varphi(N)}$, where $e < N$. Then $y^{1/e} \equiv y^d \pmod N$.

If $d < \frac{1}{3} N^{1/4}$ and $p < q < 2p$, then M. Wiener proved that $d$ can be computed efficiently from $(N, e)$. The key point is to consider the equality
$$ed - k\varphi(N) = 1, \qquad k \in \mathbb{N},$$
and to check that
$$\Big|\frac{e}{\varphi(N)} - \frac{k}{d}\Big| = \frac{1}{d\,\varphi(N)}, \qquad \text{hence} \qquad \Big|\frac{e}{N} - \frac{k}{d}\Big| < \frac{3k}{d\sqrt{N}},$$
since $0 < N - \varphi(N) = p + q - 1 < 3\sqrt{N}$ for $p < q < 2p$. As $k < d$ and $d < \frac{1}{3}N^{1/4}$, the right hand side is smaller than $\frac{1}{2d^2}$. Therefore
$$\frac{k}{d} = \frac{e}{N} + O\Big(\frac{1}{d^2}\Big),$$
and by the classical theorem on continued fractions $k/d$ is one of the convergents of the continued fraction expansion of $e/N$, of which there are at most $O(\log N)$; each convergent can be tested directly (e.g. by checking whether $(ed - 1)/k$ is an integer that yields integer roots $p, q$).
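Wiener's attack as described above, as an added Python example (not from the lecture notes): the continued fraction of $e/N$ is expanded, and each convergent $k/d$ is tested by checking that $k \mid ed - 1$ and that $\varphi = (ed - 1)/k$ leads to integer roots $p, q$ of $X^2 - (N - \varphi + 1)X + N$, which also factors $N$. The key $p = 1019$, $q = 1033$, $d = 7$ (well below $\frac{1}{3}N^{1/4} \approx 10.7$) is a constructed test value; `pow(x, -1, m)` requires Python 3.8 or newer.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients a_0, a_1, ... of num/den (Euclidean algorithm)."""
    cf = []
    while den:
        a, rem = divmod(num, den)
        cf.append(a)
        num, den = den, rem
    return cf


def convergents(cf):
    """Yield the convergents h_i/k_i of a continued fraction as (h_i, k_i)."""
    h0, h1 = 0, 1        # h_{-2}, h_{-1}
    k0, k1 = 1, 0        # k_{-2}, k_{-1}
    for a in cf:
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1


def wiener_attack(e, N):
    """Recover (d, p, q) from a public key with small d, or None.

    Each convergent k/d of e/N is a candidate for k/d in e*d - k*phi = 1;
    the candidate is confirmed by solving for p and q.
    """
    for k, d in convergents(continued_fraction(e, N)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                      # p + q
        disc = s * s - 4 * N                 # (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s - root) % 2 == 0:
            p, q = (s - root) // 2, (s + root) // 2
            if p * q == N and p > 1:
                return d, p, q
    return None


def rsa_public_key(p, q, d):
    """Constructed key with the given private exponent: e = d^{-1} mod phi(N)."""
    phi = (p - 1) * (q - 1)
    return pow(d, -1, phi), p * q


if __name__ == "__main__":
    E, N = rsa_public_key(1019, 1033, 7)
    print(wiener_attack(E, N))              # -> (7, 1019, 1033)
```

Only $O(\log N)$ convergents exist, so the attack is linear in the key size; the defence is simply to never choose a small $d$ (in practice $d$ is as large as $\varphi(N)$ because $e$ is chosen small, e.g. $e = 65537$).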
4.6.1 Division algorithm in $\mathbb{Z}_N[x]$

Let $N = pq$. $\mathbb{Z}_N[x]$ is not a Euclidean domain (it is not even an integral domain), but as long as no division by a zero divisor occurs we can perform the successive divisions for the pair $(z(x), h(x))$ modulo $N$:
$$z = qh + r_1, \qquad h = q_1 r_1 + r_2, \qquad r_1 = q_2 r_2 + r_3, \qquad \dots$$
and generally $r_{l-2} = q_{l-1} r_{l-1} + r_l$, where $\deg r_l < \deg r_{l-1}$. Writing $q_{l-1} = c(q_{l-1})\, x^{\deg r_{l-2} - \deg r_{l-1}} + \dots$ for the leading term of the quotient (with $c(\cdot)$ denoting the leading coefficient) we see that
$$c(q_{l-1}) \equiv \frac{c(r_{l-2})}{c(r_{l-1})} \pmod N,$$
so each step requires the leading coefficient of the current divisor $r_{l-1}$ to be invertible modulo $N$. If all operations are well defined modulo $N$, we obtain the equations
$$r_{k-2} = q_{k-1} r_{k-1} + r_k, \qquad r_{k-1} = q_k r_k,$$
and $r_k$ is a greatest common divisor of $z$ and $h$ modulo $N$. If on the other hand at some step $\deg r_k \pmod p \neq \deg r_k \pmod q$, then $r_k(x) = c_d x^d + \dots$ with $c_d \not\equiv 0 \pmod N$ but $c_d \equiv 0 \pmod p$ (say), and $\gcd(c_d, N) = p$: the failure of the division algorithm yields a factor of $N$.
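The division algorithm in $\mathbb{Z}_N[x]$ of this subsection, as an added Python example (not from the lecture notes). Polynomials are coefficient lists (lowest degree first); each division step inverts the leading coefficient of the divisor and raises `ZeroDivisor` carrying $\gcd(c, N)$ when that coefficient is a zero divisor, which is exactly the case $\deg r_k \pmod p \neq \deg r_k \pmod q$ discussed above. The Euclidean loop is then applied to exercise 7 of the next section (Franklin–Reiter: $\gcd(x^3 - c_1, (x + 1)^3 - c_2) = x - m$ when $c_1, c_2$ encrypt $m$ and $m + 1$ with $e = 3$), and a second run shows the zero-divisor branch factoring $N$. The modulus $N = 1019 \cdot 1049$ (both $p - 1$ and $q - 1$ prime to 3) and the message $123456$ are constructed values; `pow(x, -1, m)` requires Python 3.8 or newer.

```python
from math import gcd


class ZeroDivisor(Exception):
    """A leading coefficient is a zero divisor mod N; .factor is gcd(c, N)."""

    def __init__(self, factor):
        super().__init__(f"zero divisor found, gcd with N = {factor}")
        self.factor = factor


def trim(f):
    """Drop leading zero coefficients (coefficient lists are low degree first)."""
    while f and f[-1] == 0:
        f.pop()
    return f


def divmod_poly(a, b, N):
    """a = q*b + r in Z_N[x]; raises ZeroDivisor if lc(b) is not a unit mod N."""
    a = trim([c % N for c in a])
    b = trim([c % N for c in b])
    g = gcd(b[-1], N)
    if g != 1:
        raise ZeroDivisor(g)
    inv = pow(b[-1], -1, N)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        coef = a[-1] * inv % N
        shift = len(a) - len(b)
        q[shift] = coef
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % N
        trim(a)                              # the leading term has been cancelled
    return trim(q), a


def gcd_poly(a, b, N):
    """Monic gcd by the Euclidean algorithm in Z_N[x] (or ZeroDivisor)."""
    a = trim([c % N for c in a])
    b = trim([c % N for c in b])
    while b:
        _, r = divmod_poly(a, b, N)
        a, b = b, r
    g = gcd(a[-1], N)
    if g != 1:
        raise ZeroDivisor(g)
    inv = pow(a[-1], -1, N)
    return [c * inv % N for c in a]


def franklin_reiter(c1, c2, N):
    """Recover m from c1 = m^3, c2 = (m+1)^3 mod N (exercise 7)."""
    f1 = [-c1, 0, 0, 1]                      # x^3 - c1
    f2 = [1 - c2, 3, 3, 1]                   # (x + 1)^3 - c2
    g = gcd_poly(f1, f2, N)
    if len(g) != 2:
        raise ValueError("gcd is not linear")
    return (-g[0]) % N                       # g = x - m


def factor_via_poly_gcd(a, b, N):
    """gcd(x - a, x - b) with a = b (mod p) but not (mod q): the constant
    remainder b - a is a zero divisor and the next division exposes p."""
    try:
        gcd_poly([-a, 1], [-b, 1], N)
    except ZeroDivisor as zd:
        return zd.factor
    return None


N = 1019 * 1049                              # constructed modulus, 3 coprime to phi(N)
M = 123456                                   # constructed message

if __name__ == "__main__":
    print(franklin_reiter(pow(M, 3, N), pow(M + 1, 3, N), N))   # -> 123456
    print(factor_via_poly_gcd(5, 5 + 1019, N))                  # -> 1019
```

For this instance the remainder sequence has degrees $3, 3, 2, 1, 0$ both modulo $1019$ and modulo $1049$ (the cube map is a bijection modulo each prime, so each ciphertext polynomial has a single root), which is why no zero divisor can appear and the gcd is exactly $x - m$.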
4.7 Exercises

1. Consider the following cryptosystem. Alice chooses $a, b, a', b' \in \mathbb{N}$ and computes $M = ab - 1$, $e = a'M + a$, $d = b'M + b$, $n = \frac{ed - 1}{M}$. Now Bob wants to encrypt a message $m$, $0 < m < n$, to Alice under her public key $(n, e)$. He computes $c = em \bmod n$ (i.e. the remainder of the division of $em$ by $n$) and sends the ciphertext $c$ to Alice.
(a) Show that $n \in \mathbb{N}$.
(b) Show that Alice can decrypt $c$ using her private key $d$.
(c) Break the system.

2. Consider the following cryptosystem. Alice chooses two large prime numbers $p, q$ and computes $n = pq$. She further chooses $g \in \mathbb{Z}_n^*$, $r_1, r_2 \in \mathbb{Z}_n$ and computes $g_1 = g^{r_1(p-1)} \bmod n$, $g_2 = g^{r_2(q-1)} \bmod n$. Now Bob wants to encrypt a message $m$, $0 < m < n$, to Alice under her public key $(n, g_1, g_2)$. He chooses $s_1, s_2 \in \mathbb{Z}_n$, computes $c_i = m g_i^{s_i} \bmod n$ ($i = 1, 2$) and finally sends the ciphertext $(c_1, c_2)$ to Alice.
(a) Show that Alice can decrypt the ciphertext using the Chinese Remainder Theorem (and her private key $(p, q)$).
(b) Break the system.

3. Let $n$ be an RSA modulus (i.e. $n = pq$ for some prime numbers $p$ and $q$), $e$ and $d$ the encryption and decryption exponent respectively (i.e. $e$ is any natural number such that $e \perp \varphi(n)$ and $d = e^{-1} \pmod{\varphi(n)}$). Prove that $m^{ed} \equiv m \pmod n$ for any $m \in \mathbb{N}$ (regardless of whether $m$ is coprime to $n$ or not).

4. Let $n = pq$ be an RSA modulus, $e, d \in \mathbb{N}$. Prove that $m^{ed} \equiv m \pmod n$ holds for all integers $m$ if and only if $ed \equiv 1 \pmod{\operatorname{lcm}(p - 1, q - 1)}$. We can call any $d$ satisfying the last congruence a deciphering RSA key.

5. Let $p = 61$, $q = 73$, $e = 7$. Compute 3 deciphering keys $d$ such that $0 < d < 1000$ (see exercise 4).

6. Alice and Bob use the RSA cryptosystem with the same modulus $n = n_A = n_B$ and coprime encryption exponents $e_A$ and $e_B$. Carol sends them respectively the ciphertexts $c_A$ and $c_B$ corresponding to the same plaintext $m$ (e.g. an invitation). Show that if Eve manages to intercept $c_A$ and $c_B$, she can read $m$.

7. Alice uses the RSA cryptosystem with the encryption exponent $e = 3$ (we assume that $3 \nmid \varphi(n)$, where $n$ is the modulus). Suppose that Bob sends Alice two ciphertexts corresponding to the plaintexts $m$ and $m + 1$. Suppose also that both ciphertexts are intercepted by Eve. Show that she can read $m$.

8. Let $n = pq$ be an RSA modulus, $p, q > 2$, $e$ a natural number (not necessarily coprime to $\varphi(n)$). Prove that
$$\#\{m \in \mathbb{Z}_n : m^e = m\} = \big(1 + \gcd(e - 1, p - 1)\big)\big(1 + \gcd(e - 1, q - 1)\big).$$
For which values of $e$ coprime to $\varphi(n)$ is that number minimal?

9. Find a deterministic algorithm which, given an integer $n$ having two distinct prime factors ($n$ not necessarily squarefree) as well as the value of $\varphi(n)$, computes these factors. What is the complexity of your algorithm?

10. Devise a probabilistic algorithm which, given an integer $n$ and a multiple $M$ of $\varphi(n)$ (in the RSA cryptosystem the integer $ed - 1$ is such a multiple), finds the complete factorization of $n$. Give the complexity of your algorithm.
Hint: Reduce first to the case when $n$ is odd. Then consider the chain $G_i = \{a \in \mathbb{Z}_n^* : a^{M/2^i} = 1\}$ of subgroups of $\mathbb{Z}_n^*$, $i = 0, 1, \dots, k$, where $2^k$ is the largest power of 2 dividing $M$. Also use the Chinese Remainder Theorem and exercise 2 to describe the square roots of 1 in $\mathbb{Z}_n^*$.

11. Let $e \in \mathbb{N}$ and let $P(e)$ be the following computational problem.
Input: $a, n \in \mathbb{N}$ such that $(a, n) = 1$.
Output: $x \in \mathbb{N}$ such that $x^e \equiv a \pmod n$, if this congruence has a solution.
Prove that $P(2)$ is randomly equivalent to factoring integers. For which values of $e$ can this be generalized?
Chapter 5

Fermat–Euclid witnesses and Dirichlet characters

For fixed $n$, let us denote for simplicity
$$\operatorname{ord}(b) := \operatorname{ord}(b) \pmod n.$$

Definition 5.1. $b$ is a Fermat–Euclid compositeness witness (FE-witness) for $n$ iff
$$\exists\, q \mid \operatorname{ord}(b) : \qquad \gcd\big(b^{\operatorname{ord}(b)/q} - 1,\; n\big) \notin \{1, n\}.$$

Let us denote by $e_q(m)$ the exponent of the highest power of $q$ dividing $m$. Let
$$n = \prod_p p^{e_p(n)} = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s}$$
be the prime power factorization of an odd number $n$. We denote
$$\varphi(n) = \prod_{r=1}^{s} p_r^{e_r - 1}(p_r - 1) = \prod_{r=1}^{s} \varphi_r.$$
By the Chinese Remainder Theorem we have
$$\mathbb{Z}_n^* \cong \bigoplus_{r=1}^{s} \mathbb{Z}_{p_r^{e_r}}^* \cong \bigoplus_{r=1}^{s} \mathbb{Z}_{\varphi_r}.$$
For each $r = 1, 2, \dots, s$ let $g_r$ be a generator of $\mathbb{Z}_{p_r^{e_r}}^*$ (which is cyclic, isomorphic to $\mathbb{Z}_{\varphi_r}$, since $p_r$ is odd). Now every $b \in \mathbb{Z}_n^*$ can be represented as $(b \bmod p_1^{e_1}, \dots, b \bmod p_s^{e_s})$, which is equivalent to
$$\big(g_1^{v_1(b)}, \dots, g_s^{v_s(b)}\big),$$
where $v_r(b)$ has the following property: $v_r(bb') \equiv v_r(b) + v_r(b') \pmod{\varphi_r}$. Let us denote
$$\operatorname{ord}_r(b) = \operatorname{ord}(b) \pmod{p_r^{e_r}}.$$

Lemma 5.2. Assume that for every $q \mid \operatorname{ord}(b)$ we have $\gcd(b^{\operatorname{ord}(b)/q} - 1, n) \in \{1, n\}$ (i.e. $b$ is not an FE-witness). Then for every $p_r \mid n$ we have $\operatorname{ord}(b) = \operatorname{ord}_r(b)$.

Proof. See exercise 1.

Lemma 5.3. We have
$$\operatorname{ord}_r(b) = \frac{\varphi_r}{\gcd(\varphi_r, v_r(b))}.$$

Proof. We have
$$b^{\frac{\varphi_r}{\gcd(\varphi_r, v_r(b))}} = \big(g_r^{v_r(b)}\big)^{\frac{\varphi_r}{\gcd(\varphi_r, v_r(b))}} = g_r^{\varphi_r \cdot \frac{v_r(b)}{\gcd(\varphi_r, v_r(b))}} = 1 \pmod{p_r^{e_r}},$$
so $\operatorname{ord}_r(b)$ divides $\varphi_r / \gcd(\varphi_r, v_r(b))$. Moreover, $g_r^{v_r(b) k} = 1$ iff $\varphi_r \mid v_r(b) k$, so if $e_q(v_r(b)) = \beta$ and $e_q(\varphi_r) = \alpha$ for a prime $q$, then
$$e_q\Big(\frac{\varphi_r}{\gcd(\varphi_r, v_r(b))}\Big) = \alpha - \min(\alpha, \beta)$$
is the smallest exponent of $q$ that $k$ must contain for the above equality to hold; as this is true for every prime $q$, the exponent $\varphi_r / \gcd(\varphi_r, v_r(b))$ is minimal.
5.1 Dirichlet characters

Let $\chi'_r : \mathbb{Z}_{p_r^{e_r}}^* \to \mathbb{C}^*$ be a group homomorphism. For the generator $g_r$ of the group $\mathbb{Z}_{p_r^{e_r}}^*$ we have
$$1 = \chi'_r\big(g_r^{\varphi_r}\big) = \chi'_r(g_r)^{\varphi_r},$$
so $\chi'_r(g_r) = e(m_r / \varphi_r)$ for some $m_r \in \{0, 1, \dots, \varphi_r - 1\}$, where $e(x) = e^{2\pi i x}$ ($e$ is here the Euler number). Hence
$$\chi'_r(h) = e\Big(m_r \frac{v_r(h)}{\varphi_r}\Big),$$
and indeed this is multiplicative:
$$\chi'_r(hh') = e\Big(m_r \frac{v_r(hh')}{\varphi_r}\Big) = e\Big(m_r \frac{v_r(h) + v_r(h') \pmod{\varphi_r}}{\varphi_r}\Big) = e\Big(m_r \frac{v_r(h)}{\varphi_r}\Big) e\Big(m_r \frac{v_r(h')}{\varphi_r}\Big) = \chi'_r(h)\chi'_r(h').$$
So for $b \in \mathbb{Z}_{p_r^{e_r}}^*$
$$\chi'_r(b) = \chi'_r\big(g_r^{v_r(b)}\big) = e\Big(m_r \frac{v_r(b)}{\varphi_r}\Big), \qquad m_r \in \{0, 1, \dots, \varphi_r - 1\}.$$
Similarly we can define $\chi' : \mathbb{Z}_n^* \to \mathbb{C}^*$ by
$$\chi'(b) = \chi'\big((b \bmod p_1^{e_1}, \dots, b \bmod p_s^{e_s})\big) = \prod_{r=1}^{s} e\Big(m_r \frac{v_r(b)}{\varphi_r}\Big).$$

Definition 5.4. Let $\chi' : \mathbb{Z}_n^* \to \mathbb{C}^*$ be a group homomorphism. The Dirichlet character $\chi : \mathbb{Z} \to \mathbb{C}$ is the extension of the homomorphism $\chi'$ to $\mathbb{Z}$ with the following properties:
$$\chi(m) = \chi'(m \bmod n), \qquad \chi(k) = 0 \ \text{ if } k \not\perp n.$$

A Dirichlet character modulo $n$ satisfies the following conditions:
$$\chi(m + n) = \chi(m), \qquad \chi(mm') = \chi(m)\chi(m'), \qquad \chi(m) \neq 0 \ \text{ iff } m \perp n.$$

The characters $\chi \pmod n$ form a group with the neutral element (the principal character)
$$\chi_0(m) = \begin{cases} 1 & \text{if } m \perp n, \\ 0 & \text{if } m \not\perp n. \end{cases}$$
Letting $\chi(b; p_r^{e_r}) = e\big(\frac{v_r(b)}{\varphi_r}\big)$ we have
$$\chi(b; n) = \chi(b; p_1^{e_1})^{m_1} \cdots \chi(b; p_s^{e_s})^{m_s}$$
with the corresponding characters modulo $p_r^{e_r}$, $r = 1, 2, \dots, s$. The case $m_r \equiv 0 \pmod{\varphi_r}$, $r = 1, 2, \dots, s$, corresponds to the principal character (the neutral element of the group)
$$\chi_0(b; n) = \begin{cases} 1 & \text{if } b \perp n, \\ 0 & \text{if } b \not\perp n. \end{cases}$$

From now on we shall assume for simplicity that $n$ is squarefree. Therefore $\varphi_r = p_r - 1$, $r = 1, 2, \dots, s$. Let $p_k, p_l$ be distinct prime divisors of $n$. Since $p_k - 1 \neq p_l - 1$, there exists a prime $q$ with $e_q(\varphi_k) \neq e_q(\varphi_l)$; relabelling the two primes if necessary we may assume $e_q(\varphi_k) > e_q(\varphi_l)$. Let us consider the character $\chi$ induced by
$$\chi_k^{\varphi_k / q}\, \chi_l^{\varphi_l}, \qquad \text{where } \chi_k(b) = e\Big(\frac{v_k(b)}{\varphi_k}\Big), \quad \chi_l(b) = e\Big(\frac{v_l(b)}{\varphi_l}\Big).$$
$\chi$ is of order $q$, since $\chi^q = \chi_0$ but $\chi \neq \chi_0$. Assume that for some positive integer $b$ we have
$$\chi(b) \notin \{0, 1\}.$$
Then $b \perp p_k p_l$ and
$$\chi(b) = e\Big(\frac{v_k(b)}{q}\Big)$$
satisfies $\chi(b) \notin \{0, 1\}$ only if $v_k(b) \not\equiv 0 \pmod q$, and therefore by Lemma 5.3
$$e_q(\operatorname{ord}_k(b)) = e_q\Big(\frac{\varphi_k}{\gcd(\varphi_k, v_k(b))}\Big) = e_q(\varphi_k),$$
hence the power of $q$ dividing $\operatorname{ord}_k(b)$ is the maximal possible. On the other hand we have
$$e_q(\operatorname{ord}_l(b)) \le e_q(\varphi_l) < e_q(\varphi_k),$$
hence $\operatorname{ord}_k(b) \neq \operatorname{ord}_l(b)$, and in view of Lemma 5.2 $b$ is an FE-witness. Therefore we have shown that in order to prove that $b$ is an FE-witness it is sufficient to exhibit a particular (non-principal) Dirichlet character $\chi$ satisfying
$$\chi(b) \notin \{0, 1\}.$$

Definition 5.5. The least character non-residue is the smallest natural number $b = b_\chi$ such that
$$\chi(b_\chi) \notin \{0, 1\}.$$

We can also construct a suitable character when $e_q(\varphi_k) = e_q(\varphi_l)$ holds for $q = 2$. Then we take the (non-principal) Dirichlet character $\chi$ induced by $\chi_k^{\varphi_k/2} \chi_l^{\varphi_l/2}$, i.e.
$$\chi(b) = e\Big(\frac{v_k(b)}{\varphi_k}\Big)^{\varphi_k/2} e\Big(\frac{v_l(b)}{\varphi_l}\Big)^{\varphi_l/2} = (-1)^{v_k(b) + v_l(b)} \qquad (b \perp p_k p_l).$$
If $\chi(b) \notin \{0, 1\}$ and $b \perp p_k p_l$ then
$$v_k(b) + v_l(b) \not\equiv 0 \pmod 2,$$
hence exactly one of $v_k(b), v_l(b)$ is $\equiv 1 \pmod 2$. By Lemma 5.3 the order corresponding to the odd $v$ contains the full power $2^{e_2(\varphi_k)} = 2^{e_2(\varphi_l)}$, while the other order does not, so $e_2(\operatorname{ord}_k(b)) \neq e_2(\operatorname{ord}_l(b))$ and again $\operatorname{ord}_k(b) \neq \operatorname{ord}_l(b)$, as required.
5.2 Least character non-residue and zeros of L-functions

We reduced the problem of the existence of small FE-witnesses to proving that the least character non-residue $b_\chi$ admits a bound $B$ of polynomial size. This is so provided the Generalized Riemann Hypothesis holds for the corresponding Dirichlet $L$-series $L(s, \chi)$. In fact we will outline the proof of a slightly stronger result, giving the bound $B = \Theta\big((\ln n)^{1/\delta}\big)$ provided there are no zeros of $L(s, \chi)$ with $\operatorname{Re}(s) > 1 - \delta$. The crucial observation is that whenever $b_\chi > B$, every $\chi(b)$ with $b \le B$ equals $0$ or $1$, so the sum
$$\sum_{b \le B} \chi(b) = \sum_{\substack{b \le B \\ b \perp n}} 1 \ge \frac{B}{\ln B}(1 - \varepsilon) - \omega(n) \tag{5.1}$$
for any $\varepsilon > 0$ and $B$ large enough, where $\omega(n)$ denotes the number of distinct prime divisors of $n$ (we have $\omega(n) = O(\ln n / \ln \ln n)$, and $\omega(n)$ is about $\ln \ln n$ for typical $n$); the right hand side counts the primes $b \le B$ not dividing $n$.

We will show that if $\chi \neq \chi_0$ then this is not the case. For technical reasons it is advisable to consider the weighted character sum, namely
$$S_B(\chi) = \sum_{b \le B} \Lambda(b) \chi(b) (B - b),$$
where $\Lambda(b)$ is the von Mangoldt function:
$$\Lambda(b) = \begin{cases} \ln p & \text{if } b = p^m, \\ 0 & \text{otherwise.} \end{cases}$$

Theorem 5.6.
$$S_B(\chi) = 1_\chi \frac{B^2}{2} - \sum_\rho \frac{B^{\rho + 1}}{\rho(\rho + 1)} + O\big(B^{2 - \delta} \ln n\big),$$
where
$$1_\chi = \begin{cases} 1 & \text{for } \chi = \chi_0, \\ 0 & \text{otherwise,} \end{cases}$$
and $\rho$ runs over the nontrivial zeros $s = \rho$ of $L(s, \chi)$ with $\operatorname{Re}(\rho) > 1 - \delta$.
Proof. The proof proceeds in three steps, using:

1. an estimate for $\frac{L'}{L}(s, \chi)$ on the line $\operatorname{Re}(s) = 1 - \delta$;
2. the computation of the Mellin transform of $\frac{L'}{L}(s, \chi)$;
3. an application of the residue theorem.

The Dirichlet $L$-series
$$L(s, \chi) = \sum_{n \in \mathbb{N}} \chi(n) n^{-s} = \prod_{p \in \mathbb{P}} \big(1 - \chi(p)p^{-s}\big)^{-1}$$
can be expressed, using the Euler product representation and the power series expansion of $(1 - x)^{-1}$, as
$$L(s, \chi) = \prod_p \Big(\sum_{k=0}^{\infty} x^k\Big), \qquad x = \chi(p)p^{-s}, \quad \operatorname{Re}(s) > 1.$$
Calculating the logarithmic derivative of both sides,
$$\frac{d}{ds} \ln L(s, \chi) = \frac{d}{ds} \sum_{p \in \mathbb{P}} \ln\big((1 - \chi(p)p^{-s})^{-1}\big) = -\sum_{p \in \mathbb{P}} \frac{d}{ds} \ln\big(1 - \chi(p)p^{-s}\big) = -\sum_{p \in \mathbb{P}} \frac{\chi(p)p^{-s} \ln p}{1 - \chi(p)p^{-s}}$$
$$= -\sum_{k \ge 0} \sum_{p \in \mathbb{P}} \big(\chi(p)p^{-s}\big)^k \chi(p)p^{-s} \ln p = -\sum_{k \ge 1} \sum_{p \in \mathbb{P}} \chi(p^k)(p^k)^{-s} \ln p = -\sum_n \chi(n) n^{-s} \Lambda(n),$$
we obtain
$$\frac{L'}{L}(s, \chi) = -\sum_{b \ge 1} \chi(b)\Lambda(b) b^{-s}.$$
The function $\frac{L'}{L}(s, \chi)$ is meromorphic in the whole plane, with a pole at $s = 1$ provided $\chi = \chi_0$ and all the other poles at the zeros of $L(s, \chi)$. We apply the bound (Karatsuba 1983)
$$\frac{L'}{L}(s, \chi) = O\big(\ln(n(|\operatorname{Im}(s)| + 2))\big), \qquad \operatorname{Re}(s) = 1 - \delta,$$
valid in the absence of zeros of $L(s, \chi)$ near the line, and the residue theorem to evaluate the following Mellin transform of $\frac{L'}{L}(s, \chi)$:
$$\frac{1}{2\pi i} \int_{\operatorname{Re}(s) = 2} \frac{L'}{L}(s, \chi) \frac{B^{s+1}}{s(s+1)}\, ds.$$
By the uniform convergence of the Dirichlet series on $\operatorname{Re}(s) = 2$ we may interchange summation and integration above and apply the basic formula
$$\frac{1}{2\pi i} \int_{\operatorname{Re}(s) = 2} x^s \frac{ds}{s(s+1)} = \begin{cases} 1 - x^{-1} & \text{for } x > 1, \\ 0 & \text{for } 0 < x \le 1, \end{cases}$$
with $x = B/b$, to derive
$$S_B(\chi) = -\frac{1}{2\pi i} \int_{\operatorname{Re}(s) = 2} \frac{L'}{L}(s, \chi) \frac{B^{s+1}}{s(s+1)}\, ds.$$
Moving the contour of integration from $\operatorname{Re}(s) = 2$ to $\operatorname{Re}(s) = 1 - \delta$, $\delta > 0$, we observe that the residue at $s = 1$ (present only for $\chi = \chi_0$, where $\frac{L'}{L}$ has residue $-1$) contributes $\frac{B^2}{2}$. The remaining poles correspond to the nontrivial zeros $s = \rho$ of $L(s, \chi)$ in the strip, each contributing the residue $-\frac{B^{\rho+1}}{\rho(\rho+1)}$ (counted with multiplicity). We obtain
$$S_B(\chi) = 1_\chi \frac{B^2}{2} - \sum_\rho \frac{B^{\rho+1}}{\rho(\rho+1)} - \frac{1}{2\pi i} \int_{\operatorname{Re}(s) = 1 - \delta} \frac{L'}{L}(s, \chi) \frac{B^{s+1}}{s(s+1)}\, ds.$$
Applying the bound we have
$$\Big| \frac{1}{2\pi i} \int_{\operatorname{Re}(s) = 1 - \delta} \frac{L'}{L}(s, \chi) \frac{B^{s+1}}{s(s+1)}\, ds \Big| \le \frac{1}{2\pi} B^{2 - \delta} \int_{-\infty}^{\infty} \frac{O\big(\ln(n(|t| + 2))\big)}{(1 - \delta)^2 + t^2}\, dt = O\big(B^{2 - \delta} \ln n\big),$$
so finally
$$S_B(\chi) = 1_\chi \frac{B^2}{2} - \sum_\rho \frac{B^{\rho+1}}{\rho(\rho+1)} + O\big(B^{2 - \delta} \ln n\big). \qquad \square$$
Example 5.7. Assume that the primes $p_k, p_l \equiv 1 \pmod 4$ and consider the quadratic character $\chi(b) = \big(\frac{b}{p_k p_l}\big)$ (Jacobi symbol). Let $b$ be an odd prime number. Applying the quadratic reciprocity law we get
$$\chi(b) = \Big(\frac{p_k p_l}{b}\Big)(-1)^{\frac{b-1}{2} \cdot \frac{p_k p_l - 1}{2}} = \Big(\frac{p_k}{b}\Big)\Big(\frac{p_l}{b}\Big),$$
since $p_k p_l \equiv 1 \pmod 4$. Half of the residue classes in $\mathbb{Z}_b^*$ are quadratic residues and half are not. Therefore for randomly chosen $p_k$ and $p_l$ the chance that $\chi(b) = 1$ is
$$\frac{1}{2} \cdot \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2} = \frac{1}{2}.$$
We may therefore expect that the chance that $\chi(b) = 1$ for all of $b = 3, 5, 7, \dots$ diminishes exponentially. However, in order to prove the claimed result rigorously we should rather consider the sum
$$\sum_{b \le B} \Big(\frac{p_k p_l}{b}\Big)$$
and prove that for large $B$ its order of magnitude is less than $\frac{B}{\ln B}$.
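Definition 5.1, the consequence of Lemma 5.3 for the quadratic character, and the reciprocity computation of Example 5.7, as an added Python example (not from the lecture notes). For $n = p_k p_l$ (the factorization is used only to compute $\operatorname{ord}(b)$ modulo $n$ via the orders modulo each prime), `is_fe_witness` checks Definition 5.1 directly, `jacobi` evaluates $\chi(b) = \big(\frac{b}{p_k p_l}\big)$ by the standard reciprocity algorithm, and `least_character_nonresidue` is $b_\chi$ of Definition 5.5. The primes $1013$ and $1061$ are constructed so that both are $\equiv 5 \pmod 8$, i.e. $e_2(p_k - 1) = e_2(p_l - 1) = 2$, the situation of the $q = 2$ construction at the end of Section 5.1, in which every $b$ with $\chi(b) = -1$ is an FE-witness.

```python
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                    # factor out (2/n) = (-1)^((n^2-1)/8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                          # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def prime_divisors(m):
    """Distinct prime divisors of m by trial division (m is small here)."""
    ps, d = [], 2
    while d * d <= m:
        if m % d == 0:
            ps.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        ps.append(m)
    return ps


def multiplicative_order(b, p):
    """ord(b) mod prime p: start from p - 1 and strip every removable prime factor."""
    order = p - 1
    for q in prime_divisors(p - 1):
        while order % q == 0 and pow(b, order // q, p) == 1:
            order //= q
    return order


def is_fe_witness(b, n, p, q):
    """Definition 5.1 for n = p*q: some prime r | ord(b) with gcd(b^(ord/r) - 1, n) not in {1, n}."""
    if gcd(b, n) != 1:
        return False                         # b is not in Z_n^*
    o_p, o_q = multiplicative_order(b, p), multiplicative_order(b, q)
    order = o_p * o_q // gcd(o_p, o_q)       # ord(b) mod n is the lcm, by the CRT
    for r in prime_divisors(order):
        g = gcd(pow(b, order // r, n) - 1, n)
        if g not in (1, n):
            return True
    return False


def least_character_nonresidue(n):
    """b_chi of Definition 5.5 for the quadratic character chi(b) = (b/n)."""
    b = 2
    while jacobi(b, n) != -1:
        b += 1
    return b


PK, PL = 1013, 1061                          # constructed primes, both = 5 (mod 8)
N = PK * PL

if __name__ == "__main__":
    b = least_character_nonresidue(N)
    print(b, is_fe_witness(b, N, PK, PL))    # the least non-residue is a witness
    # Example 5.7: for an odd prime b, (b / pk pl) = (pk / b)(pl / b).
    print(all(jacobi(c, N) == jacobi(PK, c) * jacobi(PL, c) for c in (3, 5, 7, 11, 13)))
```

The check in `is_fe_witness` is exactly the one a Pollard $p-1$ or Miller–Rabin style test performs without knowing the factorization: in the witness case, $b^{\operatorname{ord}(b)/r}$ is $1$ modulo one prime factor and not the other, so the gcd splits $n$.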
5.3 Exercises

1. Prove Lemma 5.2.
Chapter 6

Smoothness in hard computational problems

The investigation of the two basic computational problems (DLP and factorization) is strongly related to the distribution of smooth (or almost smooth) numbers. Let
$$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}, \qquad p_1 > p_2 > \cdots > p_k,$$
be the prime power factorization of $n$. Let $P_l(n) = p_l$ be the $l$-th largest prime divisor of $n$ (if $l > \omega(n)$ we set $P_l(n) = 1$).

Definition 6.1. A positive integer $n$ is called $(k, y)$-smooth iff $P_k(n) \le y$.

Therefore the notion of $(1, y)$-smoothness is equivalent to the conventional $y$-smooth number. Analogously to the case of $y$-smooth numbers the corresponding counting function is defined as follows:
$$\psi_k(x, y) = \#\{n \le x : P_k(n) \le y\}.$$
Any positive integer can be uniquely split as $n = s(n) r(n)$, where
$$s(n) = \prod_{p \le y} p^{e_p}, \qquad r(n) = \prod_{p > y} p^{e_p}.$$
6.1 Silver–Pohlig–Hellman algorithm for DLP

Let $G$ be a multiplicative group and $e(G)$ its group exponent. The method consists of the following steps:

1. Factoring the group exponent $e(G) = \prod_{q \text{ prime}} q^{e_q}$.
2. Reduction of the DLP in $G$ to the DLP in $\operatorname{Im} f_q$, where $f_q : x \mapsto x^{e(G)/q^{e_q}}$, and application of the CRT.
3. Reduction of the DLP in $\operatorname{Im} f_q$ to the DLP in $\operatorname{Im} g_q$, where $g_q : G \to G$, $g_q(x) = x^{e(G)/q}$.
4. Application of the baby-step giant-step method.

Let us explain the above steps in the case $G = \mathbb{Z}_n^*$, where $n$ is an odd number.

We have $e(G) = \lambda(n) = \operatorname{lcm}_{p \mid n} \varphi(p^{e_p}) = \prod_{q \text{ prime}} q^{e_q}$, where $\lambda(n)$ is called the Carmichael function. Let $a, b \in \mathbb{Z}_n^*$, $b \in \langle a \rangle$. Then there exists $x \in \{0, 1, \dots, \lambda(n) - 1\}$ (a remainder from division by $\lambda(n)$) such that
$$a^x = b \pmod n. \tag{6.1}$$
By the CRT it is sufficient to find the representation $x \bmod q^{e_q}$ for all $q$ dividing $e(G)$.

Let us write $x \bmod q^e = x_0 + x_1 q + \cdots + x_{e-1} q^{e-1}$, with $e = e_q$ and $0 \le x_i < q$ for $i = 0, 1, \dots, e - 1$. Raising both sides of (6.1) to the power $\lambda(n)/q$ we derive that
$$\big(a^{\lambda(n)/q}\big)^{x_0} = b^{\lambda(n)/q} \pmod n$$
(because $\lambda(n)$ is the exponent of $G$, all higher digits of $x$ disappear). Hence we can find the suitable $x_0 = x \bmod q$. Having computed $x_0$ we can divide both sides of (6.1) by $a^{x_0}$ to obtain
$$a^{q(x_1 + x_2 q + \cdots + x_{e-1} q^{e-2})} = b a^{-x_0} \pmod n,$$
and raising both sides to the power $\lambda(n)/q^2$ we obtain
$$\big(a^{\lambda(n)/q}\big)^{x_1} = \big(b a^{-x_0}\big)^{\lambda(n)/q^2} \pmod n.$$
In a similar way we compute $x_2, x_3$, etc. We can make the relevant algorithm faster by computing in advance the $q$-th roots of unity modulo $n$, i.e. the powers of $a^{\lambda(n)/q}$.

The trivial search for the $x_i$ above can be improved by the application of the baby-step giant-step algorithm. The idea is the following: let $m = \lceil \sqrt{q} \rceil$ and write any $x \in [0, q)$ as $x = im + j$ where $0 \le i, j < m$. The equation (6.1) takes the form $a^{im + j} = b \pmod n$, which is equivalent to
$$a^j = b a^{-im} \pmod n.$$
By sorting the list $a^j \pmod n$, $j < m$, we improve the trivial search to a deterministic algorithm of running time $O(q^{1/2 + \varepsilon})$.
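The Silver–Pohlig–Hellman reduction of this section, with the baby-step giant-step routine of Example 4.9 as the subroutine for each prime $q \mid \lambda(n)$, as an added Python example (not code from the lecture notes). It is the general digit-by-digit algorithm of which the text shows the first two steps: $x_i$ is read off from $(a^{\lambda/q})^{x_i} = \big(b\,a^{-(x_0 + \dots + x_{i-1}q^{i-1})}\big)^{\lambda/q^{i+1}}$, the residues $x \bmod q^{e_q}$ are combined by the CRT, and $\lambda(n)$ is obtained from a trial-division factorization (adequate for the small constructed modulus). The example assumes $a$ has order exactly $\lambda(n)$, so that $x$ is unique modulo $\lambda(n)$; $n = 1001 = 7 \cdot 11 \cdot 13$, $a = 2$ (of order $\lambda(1001) = 60$) and the exponent $37$ are constructed values. `pow(x, -1, m)` requires Python 3.8 or newer.

```python
from math import gcd, isqrt


def factorize(n):
    """Trial-division factorization n -> {prime: exponent} (fine for small n)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def carmichael(n):
    """lambda(n) = lcm of phi(p^e) over p^e || n, for odd n."""
    lam = 1
    for p, e in factorize(n).items():
        t = (p - 1) * p ** (e - 1)
        lam = lam * t // gcd(lam, t)
    return lam


def bsgs(a, b, n, q):
    """Smallest x in [0, q) with a^x = b (mod n), or None (Example 4.9).

    Writes x = i*m + j with m = ceil(sqrt(q)): baby steps store a^j in a
    table, giant steps walk b * a^{-i m} until a table hit.
    """
    m = isqrt(q - 1) + 1
    table = {}
    aj = 1
    for j in range(m):
        table.setdefault(aj, j)
        aj = aj * a % n
    giant = pow(a, -m, n)
    y = b % n
    for i in range(m):
        if y in table:
            return i * m + table[y]
        y = y * giant % n
    return None


def crt(residues):
    """Combine (x_i, m_i) with pairwise coprime moduli into x mod prod m_i."""
    x, mod = 0, 1
    for r, m in residues:
        t = (r - x) * pow(mod, -1, m) % m
        x, mod = x + mod * t, mod * m
    return x


def pohlig_hellman(a, b, n):
    """Solve a^x = b (mod n) for odd n and a of order lambda(n); returns x mod lambda(n)."""
    lam = carmichael(n)
    residues = []
    for q, e in factorize(lam).items():
        g = pow(a, lam // q, n)              # a^{lambda/q}: a q-th root of unity
        x = 0                                # x_0 + x_1 q + ... built digit by digit
        for i in range(e):
            # Strip the known low digits, then kill everything above digit i.
            h = pow(b * pow(a, -x, n) % n, lam // q ** (i + 1), n)
            digit = bsgs(g, h, n, q)
            if digit is None:
                raise ValueError("b is not a power of a")
            x += digit * q ** i
        residues.append((x, q ** e))
    return crt(residues)


if __name__ == "__main__":
    N, A = 1001, 2                           # constructed: 2 has order 60 = lambda(1001)
    B = pow(A, 37, N)
    print(pohlig_hellman(A, B, N))           # -> 37
```

The cost is dominated by the baby-step giant-step calls for the largest prime $q$ dividing $\lambda(n)$, which is why the security of a DLP-based system rests on the group exponent having a large prime factor.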
6.2 Trial division algorithm

The $(2, y)$-smooth numbers appear in the trial division algorithm of factorization. The algorithm proceeds as follows:

1. Start with $d := 2$.
2. If $m = 1$ then STOP.
3. Check if $d \mid m$. If YES, output $d$, set $m := m/d$ and go to step 2.
4. If NO, set $d := d + 1$. If $d > \sqrt{m}$ then STOP ($m$ is prime); if $d \le \sqrt{m}$ go to step 3.

We remark that this algorithm works as a trivial primality test in the region between $P_2(n)$ and $\sqrt{P_1(n)}$ (once every smaller prime factor has been removed, it only confirms that the remaining cofactor $P_1(n)$ is prime). Therefore, replacing that part by the deterministic polynomial primality test AKS, we arrive at the complexity bound $O(P_2(n) \cdot (\log n)^{\alpha}) = O(P_2(n)^{1 + \varepsilon})$, where $(\log n)^{\alpha}$ is the polylogarithmic cost of the AKS test.

By applying the trial division algorithm together with the AKS test we obtain immediately the deterministic running time of the corresponding Silver–Pohlig–Hellman algorithm for the DLP in $\mathbb{Z}_n^*$. Namely, the factorization of the group exponent takes roughly $O(P_2(e(G))^{1 + \varepsilon})$ operations, while the remaining (baby-step giant-step) steps take $O(P_1(\lambda(n))^{1/2 + \varepsilon})$, hence we obtain the complexity bound
$$O\Big(\big(P_2(\lambda(n)) + \sqrt{P_1(\lambda(n))}\big)^{1 + \varepsilon}\Big).$$
6.3 Towards the Knuth–Trabb Pardo conjecture

Let $F(x, t, A)$ denote the number of integers $n \le x$ which can be completely factorized by the deterministic algorithm $A$ in at most $t$ arithmetic operations involving integers of $O(\log x)$ bits. By an arithmetic operation we mean a comparison, an assignment or the computation of the binary representation arising from an addition, subtraction, multiplication, division or application of the Euclidean algorithm. We are interested in the asymptotic behaviour of, or a lower bound for, $F(x, \log^c x, A)$. It is obvious that all the $\log^c x$-smooth numbers are counted in the above. However, any product of a prime $p$ by a suitable smooth number $s$ is also counted by the function $F$. Therefore
$$F(x, y, A) \ge \sum_{y < p \le x/y} \;\sum_{\substack{s \le x/p \\ P_1(s) \le y}} 1 = \sum_{y < p \le x/y} \psi\Big(\frac{x}{p}, y\Big), \qquad y = \log^c x.$$
Applying partial summation we obtain that the above sum is asymptotically equal to
$$\int_y^{x/y} \frac{x}{t}\, \rho\Big(\frac{\log(x/t)}{\log y}\Big) \frac{dt}{\log t},$$
where $\rho$ is the Dickman function [1]. In fact we observe that the $(2, y)$-smooth numbers contribute to the counting function $F(x, y, A)$, i.e. $F(x, y, A) \ge \psi_2(x, y)$ with $y = \log^c x$. Hafner and McCurley proved that for $2 \le y \le x$ we have
$$\psi_2(x, y) = x P_2(s)\Big(1 + o\Big(\frac{1}{\log y}\Big)\Big), \qquad s = \frac{\log x}{\log y},$$
where the density function $P_2(s)$ (not to be confused with the prime divisor $P_2(n)$) is related to $P_1(s) = \rho(s)$ via the equation
$$s P_2(s) = \int_{s-1}^{s} P_2(t)\, dt + \int_0^{s-1} P_1(t)\, dt, \qquad s > 1.$$
From this equation they derived the asymptotic formula with remainder term
$$P_2(s) = \frac{e^{\gamma}}{s}\Big(1 + o\Big(\frac{1}{s}\Big)\Big), \qquad s > 1.$$
In contrast to the asymptotic behaviour of $P_1(s)$, we see that the "probability" that an integer $n \le x$ is $(2, x^{1/s})$-smooth is like $\frac{e^{\gamma}}{s}$, while in the case of $(1, x^{1/s})$-smoothness it is like $s^{-s}$. We therefore obtain, setting $s = \frac{\log x}{\log \log^c x}$, that
$$F(x, \log^c x, TD) \gg \frac{x}{\log x \,\log \log x}, \qquad x \to \infty.$$
By application of the factoring algorithm based on elliptic curves (EC) they proved the slightly better bound
$$F(x, \log^c x, EC) \gg \frac{x}{\log x} (\log \log x)^{6/5 - \varepsilon}.$$
Conditionally, assuming the Riemann Hypothesis, the right hand side bound above can be improved to $\frac{x}{\log x} (\log \log x)^{2 - \varepsilon}$.

[1] The Dickman function or Dickman–de Bruijn function is a special function used to estimate the proportion of smooth numbers up to a given bound. It satisfies the delay differential equation $u\rho'(u) + \rho(u - 1) = 0$ with initial condition $\rho(u) = 1$ for $0 \le u \le 1$. V. Ramaswami proved that $\psi(x, x^{1/a}) = x\rho(a) + O(x / \log x)$.
Chapter 7

Conditional factoring

7.1 Pollard $p - 1$ algorithm

In this section we discuss the main tool that allows us to factorize composite numbers having a prime factor with a specific property.

Definition 7.1. Let $G$ be a finite group. We define the exponent of $G$ as $\lambda(G) = \min\{k \in \mathbb{N} : \forall g \in G\;\; g^k = 1\}$. We use the notation $\lambda(n) = \lambda(\mathbb{Z}_n^*)$.

Lemma 7.2. Let $n \in \mathbb{N}$ be odd, $\omega(n) \ge 2$. Let $M$ be a multiple of $\lambda(n)$, i.e. $\forall a \in \mathbb{Z}_n^*\;\; a^M = 1$. Finally let $B(n) = \{a \in \mathbb{Z}_n^* : \exists\, l \;\; 1 < \gcd(a^{M/2^l} - 1, n) < n\}$. Then
$$\frac{|B(n)|}{\varphi(n)} \ge \frac{1}{2}.$$

Proof. Let $M = 2^s \cdot t$, where $2 \nmid t$. Consider the chain $G_0 \supseteq G_1 \supseteq \cdots \supseteq G_s$ of subgroups of $\mathbb{Z}_n^*$ defined as follows:
$$G_i = \{a \in \mathbb{Z}_n^* : a^{M/2^i} = 1\}.$$
Also let $H_i = \{a \in \mathbb{Z}_n^* : a^{M/2^i} = \pm 1\}$. Of course $H_i \le \mathbb{Z}_n^*$.

First we will show that $G_i \neq \mathbb{Z}_n^*$ for some $i$. Since $(-1)^t = -1 \neq 1$, $G_s \neq \mathbb{Z}_n^*$. Let $i_0 = \min\{i : G_i \neq \mathbb{Z}_n^*\}$ (note $i_0 \ge 1$, since $G_0 = \mathbb{Z}_n^*$). We will show that $H_{i_0} \neq \mathbb{Z}_n^*$. As $G_{i_0} \neq \mathbb{Z}_n^*$, there is some $a \in \mathbb{Z}_n^*$ such that $a^{M/2^{i_0}} \neq 1$. But $G_{i_0 - 1} = \mathbb{Z}_n^*$, so $\big(a^{M/2^{i_0}}\big)^2 = a^{M/2^{i_0 - 1}} = 1$. Thus $a^{M/2^{i_0}} = -1$ or $a^{M/2^{i_0}} \neq \pm 1$. In the latter case $H_{i_0} \neq \mathbb{Z}_n^*$. In the former case consider the factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where the $p_i$, $i = 1, 2, \dots, k$, are distinct prime numbers. Then we have $\mathbb{Z}_n^* \cong \mathbb{Z}_{p_1^{e_1}}^* \times \mathbb{Z}_{p_2^{e_2}}^* \times \cdots \times \mathbb{Z}_{p_k^{e_k}}^*$. We can write $a = (a_1, a_2, \dots, a_k)$. Let $b = (1, a_2, \dots, a_k)$. Then $b^{M/2^{i_0}} = (1, -1, \dots, -1) \neq \pm 1$ (here $k \ge 2$ is used), so $H_{i_0} \neq \mathbb{Z}_n^*$.

Now we will show that $\mathbb{Z}_n^* \setminus H_{i_0} \subseteq B(n)$. We know that $H_{i_0 - 1} = \mathbb{Z}_n^*$. Take some $a \in \mathbb{Z}_n^* \setminus H_{i_0}$. Then $a^{M/2^{i_0}} \neq \pm 1$, but $\big(a^{M/2^{i_0}}\big)^2 = a^{M/2^{i_0 - 1}} = 1$. Let $x = a^{M/2^{i_0}}$. As previously, we can write $x = (x_1, x_2, \dots, x_k) \in \mathbb{Z}_{p_1^{e_1}}^* \times \mathbb{Z}_{p_2^{e_2}}^* \times \cdots \times \mathbb{Z}_{p_k^{e_k}}^*$. We know that $x_i^2 = 1$, because $x^2 = 1$; thus $x_i = \pm 1$ (these are the only square roots of $1$ modulo an odd prime power). However, $(x_1, x_2, \dots, x_k) \neq (1, 1, \dots, 1), (-1, -1, \dots, -1)$, because $x \neq \pm 1$. Therefore $1 < \gcd(x - 1, n) < n$, so $a \in B(n)$. Thus $\mathbb{Z}_n^* \setminus H_{i_0} \subseteq B(n)$.

Finally, because $H_{i_0} \le \mathbb{Z}_n^*$ and $H_{i_0} \neq \mathbb{Z}_n^*$, $|H_{i_0}| \le \frac{1}{2}|\mathbb{Z}_n^*|$. Thus $|B(n)| \ge \frac{1}{2}|\mathbb{Z}_n^*|$. $\square$

Corollary 7.3 (Miller–Rabin test). Let $n$ be an odd composite integer. Then a certificate of the compositeness of $n$ can be found in random polynomial time in $\ln n$.

Proof. Let $M = n - 1$. Consider two cases:

1. $\lambda(n) \mid n - 1$, thus $\forall a \in \mathbb{Z}_n^*\;\; a^{n-1} = 1$ (this is the case of Carmichael numbers, so the Fermat test alone cannot help). Then $n$ is not a prime power (for $n = p^k$, $k \ge 2$, we have $p \mid \lambda(n)$ while $p \nmid n - 1$), so Lemma 7.2 applies with $M = n - 1$: a random $a \in \mathbb{Z}_n^*$ lies in $B(n)$ with probability at least $\frac{1}{2}$, and then some $\gcd\big(a^{(n-1)/2^l} - 1, n\big)$ is a nontrivial factor of $n$, which certifies compositeness.

2. $\lambda(n) \nmid n - 1$. Let $H = \{a \in \mathbb{Z}_n^* : a^{n-1} = 1\}$. Of course $H \le \mathbb{Z}_n^*$, but $H \neq \mathbb{Z}_n^*$. Hence $\frac{|H|}{|\mathbb{Z}_n^*|} \le \frac{1}{2}$. This means that we may randomly choose $a \in \mathbb{Z}_n^*$ and with probability at least $\frac{1}{2}$ we have $a^{n-1} \neq 1$, which implies that $n$ is composite.

Repeating the step $k$ times gives a certificate with probability at least $1 - 2^{-k}$. $\square$

Corollary 7.4 (Pollard $p - 1$ algorithm). Let $n$ be an integer and $p$ a prime factor of $n$ such that $p - 1$ is $B$-smooth. Then $p$ can be found in random polynomial time in $\ln n$ and $B$.

We leave the proof as exercise 1.
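The three procedures of this section as added Python examples (not code from the lecture notes): the factoring algorithm hidden in Lemma 7.2 (given a multiple $M$ of $\lambda(n)$, such as $ed - 1$ from an RSA key, walk the chain $a^{M/2^s}, a^{M/2^{s-1}}, \dots, a^{M}$ and take $\gcd(a^{M/2^l} - 1, n)$; by the lemma a random $a$ succeeds with probability at least $\frac{1}{2}$), the Miller–Rabin test of Corollary 7.3 in its usual strong form, and Pollard's $p - 1$ method of Corollary 7.4 with $a^{B!}$ built incrementally. The modulus $n = 1009 \cdot 1019$ is a constructed value: $1008 = 2^4 \cdot 3^2 \cdot 7$ is 7-smooth while $1018 = 2 \cdot 509$ is not, so $p - 1$ with bound $B = 20$ finds exactly $1009$.

```python
from math import gcd
import random


def split_with_exponent_multiple(n, M, seed=0):
    """Lemma 7.2 as an algorithm: n odd, not a prime power, M a multiple of lambda(n).

    For a random a, examine a^(M/2^l) for l = s, s-1, ..., 0 (M = 2^s t);
    any gcd(a^(M/2^l) - 1, n) strictly between 1 and n is a factor.
    """
    s, t = 0, M
    while t % 2 == 0:
        s, t = s + 1, t // 2
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            return g                         # a itself is not a unit
        x = pow(a, t, n)                     # a^(M / 2^s)
        for _ in range(s + 1):
            g = gcd(x - 1, n)
            if 1 < g < n:
                return g
            x = x * x % n                    # next element of the chain
        # a lies in H_{i0}: no nontrivial gcd on this chain, draw again


def is_probable_prime(n, rounds=20, seed=0):
    """Miller-Rabin: a random base is a witness for composite n with probability >= 1/2."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                     # a^(n-1) != 1, or a nontrivial sqrt of 1 found
    return True


def pollard_pm1(n, B, a=2):
    """Pollard p-1: returns a factor p of n with p-1 B-smooth, or None.

    a is raised to 2, 3, ..., B in turn, so after step k it equals a^(k!) mod n,
    and gcd(a^(k!) - 1, n) is checked at every step.
    """
    for k in range(2, B + 1):
        a = pow(a, k, n)
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:
            return None                      # all factors collapsed at once; lower B
    return None


if __name__ == "__main__":
    P, Q = 1009, 1019                        # constructed primes
    n = P * Q
    print(is_probable_prime(P), is_probable_prime(n))          # -> True False
    print(pollard_pm1(n, 20))                                  # -> 1009
    print(split_with_exponent_multiple(n, (P - 1) * (Q - 1)))  # -> 1009 or 1019
```

The first function is also the answer to exercise 10 of Section 4.7 for the case of two prime factors, and it is why leaking an RSA private exponent (hence $ed - 1$) is equivalent to leaking the factorization of $N$.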
7.2 Quantitative approach to fast factorable numbers

We have already remarked that the factoring of special sequences of natural numbers (e.g. by the Coppersmith or Pollard $p - 1$ method) can be done efficiently (in polynomial time). There is a Knuth–Trabb Pardo conjecture saying that there exists a sequence $C$ of natural numbers of positive density, i.e.
$$d(C) = \limsup_{x \to \infty} \frac{\#\{n \in C : n \le x\}}{x} > 0,$$
and a deterministic algorithm $D$ such that any element of $C$ can be factored by $D$ in polynomial time. This is still an open problem, deeply related to the distribution of smooth numbers as well as to their generalization to so called second order smoothness, related to counting the integers with a small second largest prime divisor. Applying the estimate for the number of second order smooth numbers, Hafner et al. showed a deterministic polynomial time algorithm factoring at least $\frac{x}{\ln x}(\ln \ln x)^{6/5 - \varepsilon}$ positive integers $\le x$, for any $\varepsilon > 0$. In the sequel we will consider the problem of reducing the factoring of $n$ to the factoring of $\varphi(n)$. If $n = pq$ the task is trivial, since we have a system of two equations in the two unknowns $p, q$ (namely $p + q = n - \varphi(n) + 1$ and $pq = n$) which may be efficiently solved. However, already for $\omega(n) = 3$ the problem seems to be a nontrivial one. Moreover, we may assume without loss of generality that $n$ is squarefree, since otherwise we could consider the related problem with $\big(\frac{n}{\gcd(n, \varphi)}, \frac{\varphi}{\gcd(n, \varphi)}\big)$ instead of $(n, \varphi)$. The starting point of our approach will be the notion of so called $(\mathcal{B}, q)$ order matrices. Let $A$ be a positive integer and let $p_1, p_2, \dots, p_s$ be prime numbers such that $p_r \equiv 1 \pmod A$, $r = 1, 2, \dots, s$. Let $q$ be a prime divisor of $A$. We consider the $\mathcal{B}$-tables $M(A, n; q)$, with $n = p_1 p_2 \cdots p_s$, as follows:
$$\begin{array}{l|ccc} b_1 : & e_q(\operatorname{ord}_1 b_1), & \dots, & e_q(\operatorname{ord}_s b_1) \\ b_2 : & e_q(\operatorname{ord}_1 b_2), & \dots, & e_q(\operatorname{ord}_s b_2) \\ \vdots & & \vdots & \\ b_t : & e_q(\operatorname{ord}_1 b_t), & \dots, & e_q(\operatorname{ord}_s b_t) \end{array}$$
where $b_1 < b_2 < \cdots < b_t$ are the ordered elements of $\mathcal{B}$ and $\operatorname{ord}_r b$ denotes the order of $b \pmod{p_r}$, $r = 1, 2, \dots, s$. If for every $q \mid A$ the $\mathcal{B}$-table $M(A, n; q)$ has rows consisting of equal elements, we call it the Fermat–Euler $\mathcal{B}$-tables set. The construction of such $\mathcal{B}$-tables sets is strictly related to the reduction problem $n \to \varphi(n)$.

Namely, let $\mathcal{B} = \{b_1, \dots, b_t\}$, let $n$ be the product of $s$ distinct prime numbers $p_1, p_2, \dots, p_s$ and $A = \operatorname{lcm}_{b \in \mathcal{B}} \operatorname{ord} b$. Then the set of $\mathcal{B}$-tables $M(A, n; q)$ with $q \mid A$ is the Fermat–Euler $\mathcal{B}$-tables set.

We will estimate the complexity of the algorithm factoring $n$ (with the given factorization of $\varphi(n)$), first applying the classical approaches of the Fellows–Koblitz method and the Hensel–Berlekamp method.
7.3 Smooth number estimates
Let $x \ge y \ge 2$, $u = \frac{\ln x}{\ln y}$, $P^+(n)$ be the largest prime divisor of $n$ and $P^-(n)$ the smallest prime divisor of $n$. We will also write $p^- = P^-(n)$ and $p^+ = P^+(n)$. We define $\psi(x, y) = \#\{n \le x : P^+(n) \le y\}$. If $u$ is fixed then $\frac{1}{x}\psi(x, y) = \frac{1}{x}\psi(x, x^{1/u})$ tends to a nonzero limit as $x$ tends to infinity, denoted by $\rho(u)$, the Dickman-de Bruijn $\rho$-function. We know that $\rho(u)$ satisfies the following conditions:
$$\rho(u) = 1 \quad \text{for } 0 \le u \le 1,$$
$$\rho(u) = \frac{1}{u}\int_{u-1}^{u} \rho(t)\,dt \quad \text{for } u > 1.$$
As $u \to \infty$ we know the asymptotic unconditional result provided $1 \le u \le (\ln y)^{3/5-\varepsilon}$, that is $y > \exp((\ln x)^{5/3+\varepsilon})$. We can extend the range of $u$ up to $y^{1/2-\varepsilon}$, that is $y \ge (\ln x)^{2+\varepsilon}$, provided the Riemann Hypothesis is true. For $1 \le u \le y^{1-\varepsilon}$, that is $y \ge (\ln x)^{1+\varepsilon}$, Canfield, Erdős and Pomerance proved the weaker result
$$\psi(x, y) = x\,u^{-u-o(u)}, \quad \text{as } u \to \infty.$$
We remark that $u^u = x^{\varepsilon}$ with
$$\varepsilon = \frac{\ln\ln x - \ln\ln y}{\ln y}.$$
In the above we can drop the $u^{o(u)}$ term at the cost of giving up the equality. Namely, Konyagin and Pomerance have proved the lower bound
$$\psi(x, y) \ge x^{1 - \frac{\ln\ln x}{\ln y}}$$
whenever $x \ge 4$, $2 \le y \le x$. The last estimate is reasonably good provided $y = (\ln x)^c$ with $c > 1$. In the sequel we will refer to the equality $\psi(x, y) = x^{1-\varepsilon}$, where $\varepsilon = \varepsilon(x, y)$ is defined by
$$u^{u(1+\eta)} = x^{\varepsilon}, \quad \text{i.e.} \quad \varepsilon = \frac{\ln\frac{\ln x}{\ln y}}{\ln y}\,(1 + \eta),$$
where $\eta = \eta(u)$ tends to $0$ as $u$ tends to infinity.
7.4 Fellows-Koblitz method
We consider $\mathcal B$ to be the set of primes $\le B$. The main idea is to look for the orders of FE witnesses locally, i.e. in $\mathbb Z^*_{p_r}$, $r = 1, 2, \dots, s$. Using the bounds for $\psi(p, B)$, $p = p_r$, we generate a large subspace of $\mathbb Z^*_p$ of order $p^{1-\delta}$ with
$$\delta = \frac{\ln\left(\frac{\ln p}{\ln B}\right)}{\ln B}\,(1 + \eta).$$
We know by the Konyagin-Pomerance estimate that
$$\delta \le \frac{\ln\ln p}{\ln B} \le \frac{\ln\ln p^+}{\ln B} =: \delta^+$$
provided $B \ge (\ln p)^c$, $c > 1$.
The element $b$ is an FE-witness only if
$$p_k^{1-\delta^+} \le \langle \mathcal B \bmod p_k \rangle = \operatorname{lcm} \operatorname{ord}_{p_k} b = \operatorname{lcm} \operatorname{ord}_{p_l} b \mid p_l - 1$$
for any $1 \le k, l \le s$. Having in mind that $P^-(n) \le n^{1/s} \le P^+(n)$ we derive the balanced decomposition $n = p_1 p_2 \cdots p_s$ such that $p_r \in \left[(n^{1/s})^{1-\delta^+}, (n^{1/s})^{\frac{1}{1-\delta^+}}\right]$, $r = 1, 2, \dots, s$. Since $\operatorname{ord} b \pmod n$, $b \in \mathcal B$, is determined by the local orders $\operatorname{ord}_r b$, $r = 1, \dots, s$, we have that $A = A(\mathcal B) = \operatorname{lcm}_{b \in \mathcal B} \operatorname{ord} b \pmod n$ satisfies
$$(n^{1/s})^{1-\delta^+} \le p_+^{1-\delta^+} \le A \le p_- \le (n^{1/s})^{\frac{1}{1-\delta^+}},$$
i.e.
$$s \in \left[\frac{\ln n}{\ln A}(1 - \delta^+),\ \frac{\ln n}{\ln A}\cdot\frac{1}{1 - \delta^+}\right].$$
Writing $p_r - 1 = A a_r$ ($a_r \ge 1$) we can detect $p_r$ by searching for $a_r$ in the interval $[1, p_r/A] \subseteq [1, p_r^{\delta^+}]$ of length at most $n^{\delta^+/s}$. Using the evaluation
$$\delta^+ = \frac{\ln\ln p^+(n)}{\ln B} \le \frac{\ln\ln (n^{1/s})^{\frac{1}{1-\delta^+}}}{\ln B} = \frac{\ln\ln n - \ln(s(1 - \delta^+))}{\ln B}$$
we see that the worst case ($s = 3$) gives the bound $\delta^+ \le \frac{\ln\ln n}{\ln B}$. We derive that the exponent $\frac{\delta^+}{s}$ above is:
$$\frac{\delta^+}{s} \le \frac{\ln\ln n}{\ln B}\cdot\frac{\ln A}{\ln n}\cdot\frac{1}{1 - \delta^+} \le 2\cdot\frac{\ln\ln n}{\ln n}\cdot\frac{\ln A}{\ln B}$$
provided $B \ge (\ln n)^2$.
7.5 Complexity estimate
The relevant algorithm verifies at most $O\left(\frac{B}{\ln B}\right)$ FE witnesses, each in polynomial time $L$, say. Finally the cost of searching the required interval for $a_r$, $r \le s$, is $n^{\delta^+/s}$, which amounts to the complexity bound
$$O\left(L\cdot\frac{B}{\ln B} + n^{\delta/s}\right) = O\left((B + n^{\delta/s})^{1+\varepsilon}\right).$$
Optimizing, we let $\ln B = \frac{\delta}{s}\ln n$, i.e. $B = O\left(\exp\sqrt{\ln\ln n\cdot\ln A}\right)$, giving the complexity bound of the Fellows-Koblitz type algorithm
$$O\left(e^{\sqrt{\ln A\cdot\ln\ln n}\,(1+\varepsilon)}\right) = O\left(e^{(\ln n)^{1/2+\varepsilon}}\right).$$
7.6 Hensel-Berlekamp improvement
As we remarked, the Fellows-Koblitz method is relatively weak in the case when the number of prime divisors of $n$, $\omega(n) = s$, is small. The cost $O(n^{\delta/s})$ of the trivial search for $a_r$ with $A a_r = p_r - 1$ is too high. Here we will apply another idea that allows us to replace the trivial search by a more sophisticated method. Namely, let $p - 1 = A a_p$ for $p \mid n$. Then $n = \prod_p p = \prod_p (A a_p + 1)$. In order to detect $a_p$ we look for the polynomial
$$\sum_{k=0}^{s} b_k X^k := \prod_p (a_p X + 1)$$
representing $n$ for $X = A$. If $0 \le b_k < A$ above then the representation is unique, and computing the polynomial roots $X = -\frac{1}{a_p}$ we derive $a_p$. The required condition $0 \le b_k < A$ is ensured provided the number $s$ of prime divisors of $n$ does not exceed essentially $\frac{1}{\delta}$. Hence it improves the above Fellows-Koblitz approach in the required region. Namely we have
Lemma 7.5. Let $n = \prod_{i=1}^{s}(A a_i + 1) = \sum_k b_k A^k$ and $A^{s+1} > n\binom{s}{\lfloor s/2 \rfloor}$. Then $0 \le b_k < A$.
Proof. We have
$$b_k = \sum a_{i_1}\cdots a_{i_k} \le a_1 \cdots a_s \binom{s}{\lfloor s/2 \rfloor} \le (a_1 \cdots a_s\cdot A^s)\left(\frac{1}{A^s}\binom{s}{\lfloor s/2 \rfloor}\right) \le n A^{-s}\binom{s}{\lfloor s/2 \rfloor},$$
which is less than $A$ in view of the inequality $A^{s+1} > n\binom{s}{\lfloor s/2 \rfloor}$.
Lemma 7.6. Let $A > (n^{1/s})^{1-\delta}$, where $s \le \min\left\{\frac{1}{3\delta}, \sqrt{\frac{\ln n}{\ln 4}}\right\}$. Then $A^{s+1} > n\binom{s}{\lfloor s/2 \rfloor}$ for $n$ sufficiently large.
Proof. It is sufficient to prove that $\frac{A^{s+1}}{n} > 2^s$ when $A > (n^{1/s})^{1-\delta}$, i.e. $n^{(1+\frac{1}{s})(1-\delta)-1} > 2^s$. For large $n$ we obtain that the exponent on the left hand side above is at least $\frac{1}{s} - \delta > \frac{1}{2s}$, hence it remains to check whether $n^{\frac{1}{2s}} > 2^s$. The last inequality follows from the inequality $s \le \sqrt{\frac{\ln n}{\ln 4}}$.
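An added worked example (not from the lecture notes) of the recovery step behind Lemma 7.5: when the base-$A$ digits of $n = \prod_p (A a_p + 1)$ are all below $A$, they are exactly the coefficients of $\prod_p (a_p X + 1)$, whose roots $X = -1/a_p$ are found by testing the divisors of the leading coefficient $\prod_p a_p$. The sample inputs are constructed: $A = 1000$ with $n = 3001 \cdot 4001 \cdot 7001$ (digits $1, 14, 61, 84$, all below $A$) and $A = 10$ with $n = 11 \cdot 31 \cdot 71$, where the digits overflow and the representation is not unique, so the recovery correctly fails.

```python
from math import comb

def is_prime(m):
    """Trial division, enough for the small constructed sample numbers."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def base_a_digits(n, A):
    """Digits b_0, b_1, ... of n in base A, least significant first."""
    digits = []
    while n:
        n, b = divmod(n, A)
        digits.append(b)
    return digits

def divisors(m):
    return [d for d in range(1, m + 1) if m % d == 0]

def lemma_75_holds(n, A, s):
    """Sufficient condition of Lemma 7.5 for 0 <= b_k < A."""
    return A ** (s + 1) > n * comb(s, s // 2)

def hensel_berlekamp_factor(n, A):
    """Given A with p - 1 = A * a_p for every prime p | n (n squarefree), read the
    polynomial P(X) = sum b_k X^k = prod (a_p X + 1) off the base-A digits of n
    and return the primes A * a_p + 1, or None if the digits do not describe
    such a product (e.g. because some b_k >= A made the representation collide)."""
    b = base_a_digits(n, A)
    s = len(b) - 1                      # degree = number of prime factors
    if s < 1 or b[0] != 1:
        return None
    found = []
    for a in divisors(b[s]):            # each a_p divides the leading coefficient
        # a^s * P(-1/a) = sum_k b_k (-1)^k a^(s-k) vanishes iff -1/a is a root
        if sum(b[k] * (-1) ** k * a ** (s - k) for k in range(s + 1)) == 0:
            found.append(A * a + 1)
    prod = 1
    for p in found:
        prod *= p
    if len(found) != s or prod != n:
        return None
    return sorted(found)

if __name__ == "__main__":
    # constructed: A = 1000, n = 3001 * 4001 * 7001 -> digits [1, 14, 61, 84]
    print(hensel_berlekamp_factor(84061014001, 1000))   # [3001, 4001, 7001]
    # constructed: A = 10, n = 11 * 31 * 71; coefficients 21, 31, 11 exceed A
    print(hensel_berlekamp_factor(24211, 10))           # None
```

The second call illustrates why the lemma's bound matters: with $A = 10$ and $s = 3$ we have $A^{s+1} = 10^4 < n\binom{3}{1}$, the digit string of $n$ no longer equals the coefficient list, and the root test returns garbage that the product check rejects.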
Now let $\Delta = \frac{\ln\ln n}{\ln B}$. Then $\delta^+ \le \Delta$ and the Fellows-Koblitz method gives the complexity bound $O\left((B + n^{\Delta/s})^{1+\varepsilon}\right)$ where $B \ge (\ln n)^2$, $s \in \left[\frac{\ln n}{\ln A}(1 - \Delta), \frac{\ln n}{\ln A}\cdot\frac{1}{1-\Delta}\right]$.
The Hensel-Berlekamp improvement refers to the case when $s$ is large. Namely, let $B$ satisfy $\ln B = (\ln n)^{\beta}$, $0 < \beta \le \frac{1}{3}$. If $s < (\ln n)^{\beta}$ we see that
$$s < (\ln n)^{\beta} < \min\left\{\frac{1}{3}\cdot\frac{\ln B}{\ln\ln n},\ \sqrt{\frac{\ln n}{\ln 4}}\right\}$$
provided $\ln B > (\ln n)^{\beta+\varepsilon}$, giving the complexity bound $O(B^{1+\varepsilon}) = O\left(\exp((\ln n)^{\beta+\varepsilon})\right)$. If $s > (\ln n)^{\beta}$ we apply the Fellows-Koblitz method with the bound
$$\ll (B + n^{\Delta/s})^{1+\varepsilon} \ll \exp\left((\ln n)^{\beta+\varepsilon} + \frac{\ln n\,\ln\ln n}{\ln B}\cdot\frac{1}{(\ln n)^{\beta}}\right) \ll \exp\left(\left((\ln n)^{\beta} + (\ln n)^{1-2\beta}\right)^{1+\varepsilon}\right).$$
The optimal choice of the parameter $\beta$ is $\beta = \frac{1}{3}$, which gives a factoring algorithm with running time $O\left(\exp((\ln n)^{1/3+\varepsilon})\right)$.
7.7 Exercises
1. (Pollard $p-1$ algorithm) Prove Corollary 7.4.
2. Let $n$ be odd. Suppose that $a^{n-1} \equiv 1 \pmod n$ for every $2 \le a \le (\ln n)^2$. Prove that $n$ is squarefree. (We can use the lemma: for every $n$ we have $\Psi(n, (\ln n)^2) > \sqrt n$, where $\Psi(x, y) = \#\{n \le x : n \text{ is } y\text{-smooth}\}$.)
3. (Finding a certificate of primality of $n$ when the complete factorization of $n - 1$ is known (Fürer, Fellows and Koblitz).) Suppose that for all $2 \le a \le (\ln n)^2$ we have:
(a) $a^{n-1} \equiv 1 \pmod n$
(b) $\gcd\left(a^{\operatorname{ord}_n(a)/q} - 1, n\right) = 1$ for every prime $q \mid \operatorname{ord}_n(a)$
(c) $\operatorname{lcm}_{2 \le a \le (\ln n)^2} \operatorname{ord}_n(a) > \sqrt n$.
Prove that $n$ is prime if and only if assumptions (a), (b), (c) hold.
4. (Lemma) Let $n \in \mathbb N$, $B \subset \mathbb Z_n^*$. Suppose that we are given $\operatorname{ord}(b)$ for all $b \in B$. Then a generator of $\langle B \rangle$ or (in particular, when $\langle B \rangle$ is not cyclic) a nontrivial factor of $n$ can be found in deterministic polynomial time in $\ln n$ and $q$, where $q$ is the greatest prime divisor of $\prod_{b \in B} \operatorname{ord}(b)$.
5. Let $n \in \mathbb N$. Suppose that $p - 1$ is $B$-smooth for some prime factor $p$ of $n$. Then $p$ can be computed in deterministic polynomial time in $\ln n$ and $B$.
6. Prove that
$$n \in \mathbb P \iff \left\{a^{\frac{n-1}{2}} : a \in \mathbb Z_n^*\right\} = \{-1, 1\}.$$
7. Consider the following primality test (known as the Lehmann primality test):
(a) Choose some $k \in \mathbb N$ and $a_1, \dots, a_k \in \mathbb Z_n^*$
(b) Check whether $a_i^{\frac{n-1}{2}} = \pm 1$ for $i = 1, 2, \dots, k$
(c) Check whether $a_i^{\frac{n-1}{2}} = -1$ for at least one $i \in \{1, 2, \dots, k\}$
Find an upper bound for the probability of giving a wrong answer (for fixed odd $n$).
8. Show that every Carmichael number is odd, squarefree and divisible by at least three distinct prime numbers. The following characterization of a Carmichael number may be useful:
$$n \text{ is a Carmichael number} \iff n \text{ is composite and } \lambda(n) \mid n - 1,$$
where $\lambda(n)$ is the exponent of $\mathbb Z_n^*$ (Carmichael function); for $n = p_1^{e_1} \cdots p_k^{e_k}$:
$$\lambda(n) = \operatorname{lcm}_{1 \le i \le k} \lambda(p_i^{e_i}),$$
$$\lambda(p^{\alpha}) = p^{\alpha-1}(p - 1) \text{ for } p \ne 2, \qquad \lambda(2^{\alpha}) = \begin{cases} 1 & \text{for } \alpha = 1 \\ 2 & \text{for } \alpha = 2 \\ 3 & \text{for } \alpha \ge 3 \end{cases}$$
9. Show that finding a quadratic nonresidue $\pmod p$ and computing square roots $\pmod p$ are deterministically equivalent.
10. Show that factoring and square rooting are equivalent in random polynomial time.
11. Consider the toss-up by phone protocol:
(a) Alice chooses two big primes $p_1, p_2$ and sends the number $n = p_1 p_2$ to Bob.
(b) Bob chooses $a \in \mathbb Z_n^*$ and sends $b = a^2$ to Alice.
(c) Alice solves the equation $x^2 = b$ and sends one solution to Bob.
(d) Bob wins when he can find $p_1, p_2$ in polynomial time.
What is the probability of Bob's win?
12. Consider the game:
(a) Alice chooses two (different) big primes $p_1 \equiv p_2 \equiv 1 \pmod 4$ and sends the number $n = p_1 p_2$ to Bob.
(b) Bob chooses $a \in \mathbb Z_n^*$ and sends $b = a^4$ to Alice.
(c) Alice solves the equation $x^4 = b$ and sends one of the solutions to Bob.
(d) Bob wins when he can find $p_1, p_2$ in polynomial time.
Show that the probability of Bob's win is at least $\frac{5}{8}$.
13. (Cantor, Zassenhaus) Let $p \ne 2$ be a prime, $f \in \mathbb F_p[X]$, $f = f_1^{e_1} \cdots f_k^{e_k}$ the decomposition of $f$ into a product of irreducible polynomials $f_i$ ($f_i \ne f_j$ for $i \ne j$). Show that finding the factorization of $f$ is easy; we can do it in three steps:
(a) Find the squarefree part of $f$ ($f_1 f_2 \cdots f_k$).
(b) Find the distinct degree factorization: $g_d = \prod_{\deg(f_j) = d} f_j$.
(c) Find the complete factorization of $g_d$ for every $d$.
The first step is not necessary, but it reduces the computations. The algorithms for the first and second steps are deterministic, the third one is probabilistic.
14. Show that computing the value of $\tau(n)$ is equivalent to finding the complete factorization of $n$, i.e.:
(a) Given the complete factorization of $n$ we can compute $\tau(n)$.
(b) Given $\tau(n)$ we can find the complete factorization of $n$ in random polynomial time.
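An added example (not part of the notes) tying together Exercises 7 and 8: it implements the Carmichael function $\lambda(n)$ and the characterization "composite and $\lambda(n) \mid n-1$", and shows on the constructed Carmichael number $561 = 3 \cdot 11 \cdot 17$ why the Lehmann test of Exercise 7 is stronger than the plain Fermat test. For $\lambda(2^{\alpha})$ with $\alpha \ge 3$ the code uses the standard value $2^{\alpha-2}$; the bases are fixed rather than random, so the run is deterministic.

```python
from math import gcd
from functools import reduce

def factorize(n):
    """Trial division, returns {p: e}; fine for the small constructed inputs."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def lcm(a, b):
    return a * b // gcd(a, b)

def carmichael_lambda(n):
    """Exponent of Z_n^*: lcm over the prime powers of lambda(p^e), where
    lambda(p^e) = p^(e-1)(p-1) for odd p and lambda(2) = 1, lambda(4) = 2,
    lambda(2^e) = 2^(e-2) for e >= 3 (standard values)."""
    parts = []
    for p, e in factorize(n).items():
        if p == 2:
            parts.append(1 if e == 1 else 2 if e == 2 else 2 ** (e - 2))
        else:
            parts.append(p ** (e - 1) * (p - 1))
    return reduce(lcm, parts, 1)

def is_carmichael(n):
    """The characterization of Exercise 8: n composite and lambda(n) | n - 1."""
    f = factorize(n)
    composite = n > 1 and not (len(f) == 1 and sum(f.values()) == 1)
    return composite and (n - 1) % carmichael_lambda(n) == 0

def fermat_passes(n, bases):
    """a^(n-1) = 1 (mod n) for every base coprime to n: Carmichael numbers always pass."""
    return all(pow(a, n - 1, n) == 1 for a in bases)

def lehmann_passes(n, bases):
    """Exercise 7 with the bases fixed: every a^((n-1)/2) must be +1 or -1 (mod n)
    and at least one of them must be -1; otherwise n is declared composite."""
    if n % 2 == 0:
        return n == 2
    saw_minus_one = False
    for a in bases:
        v = pow(a, (n - 1) // 2, n)
        if v not in (1, n - 1):
            return False
        saw_minus_one |= v == n - 1
    return saw_minus_one

if __name__ == "__main__":
    bases = [2, 5, 7, 13]                      # all coprime to 561
    print(carmichael_lambda(561), is_carmichael(561))   # 80 True
    print(fermat_passes(561, bases))           # True  (Fermat is fooled)
    print(lehmann_passes(561, bases))          # False (5^280 is neither +1 nor -1)
```

For the prime $1009$ the Lehmann test needs at least one quadratic nonresidue among the bases to see a $-1$; $11$ is one, so `lehmann_passes(1009, [2, 3, 5, 11])` is true, while with only residues as bases condition (c) fails and the test wrongly rejects, which is the error case Exercise 7 asks to bound.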
Chapter 8
Monotone structures and secret sharing
Let $P = \{1, 2, \dots, n\}$.
Definition 8.1. A monotone structure on $P$ is a collection $\Gamma \ne 2^P$ of subsets of $P$ satisfying the following conditions:
1. $P \in \Gamma$.
2. If $A \in \Gamma$ and $A \subset B \subset P$ then $B \in \Gamma$.
Definition 8.2. An anti-monotone structure $\mathcal A$ on $P$ is a collection of subsets of $P$ such that if $A \in \mathcal A$ and $B \subset A$ then $B \in \mathcal A$.
Example 8.3. [Hasse diagram of the subsets of $\{1, 2, 3\}$ ordered by inclusion: $\{1,2,3\}$ at the top, below it $\{1,2\}$, $\{1,3\}$, $\{2,3\}$, then $\{1\}$, $\{2\}$, $\{3\}$, and $\emptyset$ at the bottom; the upward direction is labelled "monotonicity", the downward direction "anti-monotonicity".] Depending on the direction we can consider the above diagram as an example of a monotone or an anti-monotone structure¹.
8.1 Random variables
We consider the probability space $(\Omega, \mu)$, $|\Omega| < \infty$. Let $S : \Omega \to X$ be a random variable. By abuse of notation we shall denote by $S$ also the set of values of the random variable $S$. The induced probability distribution on $S$ is defined by $P_S(s) = P_S(S = s) = \mu(S^{-1}(s))$. Therefore we can regard $(S, P_S)$ as the corresponding probability space. Conversely, a probability space $(S, P_S)$ may be viewed as a random variable defined on some abstract probability space $(\Omega, \mu)$.
¹Both defined types of structures are ordered with respect to the relation of inclusion.
Let $(S_i, P_{S_i}) = (S_i, P_i)$, $i = 1, 2, \dots, n$, be a collection of random variables defined on the same probability space $(\Omega, \mu)$. Regarding them as probability spaces we define the joint probability space $S_1 S_2 \cdots S_n$ as a pair $(S_0, P_0)$ satisfying:
$$S_0 = S_1 \times S_2 \times \cdots \times S_n, \qquad P_0\left(\Pi_i^{-1}(S_i)\right) = P_i(S_i) \quad \text{for } i = 1, 2, \dots, n,$$
where $\Pi_i$ is the projection of $S_0$ onto the $i$-th component. If it exists we say that $S_1, \dots, S_n$ are jointly distributed and we write $\operatorname{prob}(S_1 = s_1, \dots, S_n = s_n) = P_0(S_0 = (s_1, \dots, s_n)) = P_0((s_1, \dots, s_n))$.
Example 8.4. The joint distribution of $S_1$ (values $s_1, s_1'$ with probabilities $p_1, p_1'$) and $S_2$ (values $s_2, s_2'$ with probabilities $p_2, p_2'$) given by the table
                    $(s_1, p_1)$          $(s_1', p_1')$
$(s_2', p_2')$      $(1-\varepsilon)p_1$     $\varepsilon p_1'$
$(s_2, p_2)$        $\varepsilon p_1$        $(1-\varepsilon)p_1'$
It is easy to verify when $S_1$ and $S_2$ are jointly distributed. Let $S_1, S_2$ be random variables defined on $(\Omega, \mu)$ and $S = S_1 S_2$ be their joint probability distribution. Assume that $\operatorname{prob}(S_2 = s_2) > 0$. Then we define the conditional probability as follows:
$$\operatorname{prob}(S_1 = s_1 \mid S_2 = s_2) = \frac{P_S((s_1, s_2))}{P(S_2 = s_2)}.$$
Example 8.5. In the above example we have
$$\operatorname{prob}(S_1 = s_1 \mid S_2 = s_2) = \frac{\varepsilon p_1}{p_2}, \qquad \operatorname{prob}(S_1 = s_1' \mid S_2 = s_2) = \frac{(1-\varepsilon)p_1'}{p_2}.$$
8.2 Secret sharing
Let $S, S_1, \dots, S_n$ be random variables defined on $(\Omega, \mu)$. For a non-empty set $A = \{i_1, \dots, i_k\} \subset P = \{1, 2, \dots, n\}$ we define $S_A$ to be the joint probability distribution $S_{i_1} S_{i_2} \cdots S_{i_k}$. Moreover $s_A$ denotes the corresponding subsequence of $(s_1, \dots, s_n)$.
Definition 8.6. A secret sharing scheme $\Sigma$ is a tuple $(S, S_1, \dots, S_n)$ satisfying the conditions:
1. $\operatorname{prob}(S = s) = \frac{1}{|S|}$ for all $s \in S$.
2. If $\operatorname{prob}(S_P = s_P) > 0$ then there is a unique $s \in S$ with $\operatorname{prob}(S = s \mid S_P = s_P) = 1$.
The values taken by $S$ are called secrets, while the values taken by $S_i$ for $i = 1, 2, \dots, n$ are called shares. $P = P(\Sigma)$ is called the player set.
8.3 Reconstruction and privacy requirements for monotone structures
In what follows we consider the monotone structure $\Gamma$ consisting of all subsets $B$ of $P$ from which we are able to reconstruct the secret $s$ (reconstruction property).
On the other hand we consider the opposite anti-monotone structure $\mathcal A$ consisting of the subsets $A \subset P$ from which we are not able to derive any information about the secret $s$ ($\mathcal A$-privacy condition).
We formalize the above notions in the following way:
Definition 8.7. A sharing scheme $\Sigma = (S, S_1, \dots, S_n)$ satisfies $\Gamma$-reconstruction if for all $B \in \Gamma$ the distribution $S_B$ determines $s$ uniquely, i.e. if $\operatorname{prob}(S_B = s_B) > 0$ then there exists a unique $s \in S$ with $\operatorname{prob}(S = s \mid S_B = s_B) = 1$.
Definition 8.8. A sharing scheme $\Sigma = (S, S_1, \dots, S_n)$ satisfies $\mathcal A$-privacy if for all $A \in \mathcal A$ with $A \ne \emptyset$, $S_A$ gives no information on $S$, i.e. $\operatorname{prob}(S_A = s_A) > 0$ implies that for all $s \in S$, $\operatorname{prob}(S = s \mid S_A = s_A) = \frac{1}{|S|}$.
8.4 Access structure
We consider the tuple $AS = (\Sigma, \Gamma, \mathcal A)$. We call this triple an access structure if $\Gamma = \Gamma(\Sigma)$ and $\mathcal A = \mathcal A(\Sigma)$ satisfy the maximality condition. More precisely:
Definition 8.9. The access structure of $\Sigma$ is the pair $(\Gamma(\Sigma), \mathcal A(\Sigma))$ where $\Gamma(\Sigma)$ is the maximal monotone structure $\Gamma$ such that $\Sigma$ satisfies $\Gamma$-reconstruction, while $\mathcal A(\Sigma)$ is the maximal anti-monotone structure $\mathcal A$ such that $\Sigma$ satisfies $\mathcal A$-privacy.
Definition 8.10. The scheme $\Sigma$ is called perfect if $\Gamma(\Sigma) \cup \mathcal A(\Sigma) = 2^{P(\Sigma)}$. If additionally $S_1 = \dots = S_n$ then $\Sigma$ is ideal.
For each monotone structure $\Gamma$ there exists a perfect secret sharing scheme $\Sigma$ such that $\Gamma = \Gamma(\Sigma)$.
8.5 Construction of perfect secret sharing for monotone structures
There exist two basic approaches to constructing a perfect sharing for a general access structure. One is related to the family of all minimal qualified sets of $\Gamma$, the other to the family of maximal non-qualified sets of $\mathcal A$. In the first case we follow the idea of the AON (all or nothing) access structure with the trivial monotone structure $\Gamma = \{P\}$. For this case we may apply either the SSS² scheme or the simpler additive secret sharing scheme, as follows.
Let $s \in K$ be a secret to be distributed among the set of players $P$. For each $j \in P$ we select an independent and uniformly random $r_j \in K$. Fix $j_0 \in P$ and for any $j \in P \setminus \{j_0\}$ define the share $s_j = r_j$, while
$$s_{j_0} = s - \sum_{j \in P \setminus \{j_0\}} r_j.$$
²Shamir secret sharing
Let $\Gamma = \{B_1, \dots, B_m\}$ be the family of minimal qualified sets. For each $B_j \in \Gamma$ we independently distribute the secret $s$ additively, i.e. $s = \sum_i s_i^{(j)}$. Finally the $i$-th share is $s_i = \left(s_i^{(j)}\right)_{j \in \{1, \dots, m\} : i \in B_j}$, i.e. each $B_j$ that $i$ is a member of contributes one $s_i^{(j)}$ to the $i$-th share $S_i$.
Example 8.11. [Diagram: two overlapping qualified sets $B_1$ and $B_2$; player 1 (only in $B_1$) holds $s_1^{(1)}$, player 2 (in both) holds $s_2^{(1)}, s_2^{(2)}$, player 3 (only in $B_2$) holds $s_3^{(2)}$.]
In the second approach we distribute instead the missing shares in the family $\mathcal A_0$ of maximal non-qualified sets.
Let $\mathcal A_0 = \{A_1, \dots, A_l\}$. Without loss of generality we can assume that $P \subset \bigcup \mathcal A_0$. We choose randomly $s_1, s_2, \dots, s_l \in K$ such that $\sum s_j = s$. Now any $j \notin A_1$ obtains the value $s_1$, any $j \notin A_2$ obtains the value $s_2$, ..., any $j \notin A_l$ obtains the value $s_l$. We see that in any set $A_{j_0}$ the value $s_{j_0}$ is missing, so it is really a non-qualified set. On the other hand $s_{j_0}$ is distributed to each member of $A_j$ with $j \ne j_0$. Therefore, since each player not belonging to $A_{j_0}$ is a member of some $A_j$ ($j \ne j_0$), by adding any new player to $A_{j_0}$ we obtain the complete set of shares $s_j$ and the new group is a qualified one.
[Diagram: the set $A_1$ holds $s_2, \dots, s_l$ but not $s_1$; $s_1$ is held by the players of the sets $A_k$, $k \ne 1$.]
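An added example (not from the notes) of the second construction above: the maximal non-qualified sets are computed from a constructed access structure on four players with minimal qualified sets $\{1,2\}, \{2,3\}, \{3,4\}$ (whose maximal non-qualified sets are $\{1,3\}, \{1,4\}, \{2,4\}$), the additive parts $s_i$ are handed to every player outside $A_i$, and the claim that exactly the qualified sets can reconstruct is checked over all subsets. Arithmetic is modulo a constructed prime $q = 101$; the function and variable names are this example's own.

```python
import random
from itertools import combinations

def subsets(players):
    return [frozenset(c) for r in range(len(players) + 1)
            for c in combinations(sorted(players), r)]

def qualified(B, minimal_sets):
    """Gamma is monotone: B is qualified iff it contains a minimal qualified set."""
    return any(M <= B for M in minimal_sets)

def maximal_unqualified(players, minimal_sets):
    """A_0: non-qualified sets that become qualified when any one player joins."""
    return [A for A in subsets(players)
            if not qualified(A, minimal_sets)
            and all(qualified(A | {j}, minimal_sets) for j in players - A)]

def share(secret, players, max_unq, q):
    """Split secret into l = |A_0| additive parts s_1..s_l (mod q); player j
    receives s_i exactly when j is NOT in A_i, so the group A_i misses s_i."""
    l = len(max_unq)
    parts = [random.randrange(q) for _ in range(l - 1)]
    parts.append((secret - sum(parts)) % q)
    shares = {j: {} for j in players}
    for i, A in enumerate(max_unq):
        for j in players - A:
            shares[j][i] = parts[i]
    return shares

def reconstruct(B, shares, l, q):
    """Members of B pool their parts; the secret is their sum once all l are present."""
    known = {}
    for j in B:
        known.update(shares[j])
    return sum(known.values()) % q if len(known) == l else None

def scheme_is_correct(players, minimal_sets, q=101, secret=42, trials=10):
    """Every subset of players reconstructs iff it is qualified."""
    max_unq = maximal_unqualified(players, minimal_sets)
    l = len(max_unq)
    for _ in range(trials):
        shares = share(secret, players, max_unq, q)
        for B in subsets(players):
            got = reconstruct(B, shares, l, q)
            if qualified(B, minimal_sets) != (got == secret):
                return False
    return True

# constructed access structure on four players
PLAYERS = frozenset({1, 2, 3, 4})
MINIMAL = [frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4})]

if __name__ == "__main__":
    print([sorted(A) for A in maximal_unqualified(PLAYERS, MINIMAL)])  # [[1, 3], [1, 4], [2, 4]]
    print(scheme_is_correct(PLAYERS, MINIMAL))                        # True
```

Privacy follows from the construction rather than from the check: a non-qualified group lies inside some $A_{i_0}$ and therefore never sees $s_{i_0}$, and the remaining parts are independent of the secret, so their view is uniform in $K$.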
8.6 Shamir secret sharing
Let $K$ be a finite field of cardinality $q > n$, $S = S_1 = \dots = S_n = K$, $P_S$ the uniform probability distribution, $\Gamma = \{B \subset P : |B| \ge t + 1\}$ and $\mathcal A = \{A \subset P : |A| \le t\}$.
We define the probability space $(\Omega, \mu) = (K^{t+1}, \mu)$ with $\mu(k) = \frac{1}{|K|^{t+1}}$ for any $k \in K^{t+1}$. Now let $f = f(X) = a_0 + a_1 X + \dots + a_t X^t \in K[X]$ be selected randomly, i.e. each $a_i \in K$ is selected uniformly and independently from $K$. The secret $s$ is defined as the value $f(0) = a_0$. We define the random variable $S_i$ so that $S_i = s_i \iff f(x_i) = s_i$, where $x_1, \dots, x_n$ are fixed distinct nonzero elements of $K$. Hence
$$\operatorname{prob}(S_i = s_i) = \frac{\#\{f : (x_i, s_i) \in \operatorname{Graph} f\}}{|K|^{t+1}} = \frac{|K|^t}{|K|^{t+1}} = \frac{1}{|K|} = \frac{1}{q}.$$
In a similar fashion, by taking $A = \{i_1, \dots, i_k\}$ we obtain $\operatorname{prob}(S_A = s_A) = \operatorname{prob}(S_{i_1} = s_{i_1}, \dots, S_{i_k} = s_{i_k}) = \frac{1}{q^k}$.
This is easily seen when looking at the linear equation system
$$\begin{pmatrix} 1 & x_{i_1} & \cdots & x_{i_1}^t \\ \vdots & \vdots & \ddots & \vdots \\ 1 & x_{i_k} & \cdots & x_{i_k}^t \end{pmatrix} \begin{pmatrix} a_0 \\ \vdots \\ a_t \end{pmatrix} = \begin{pmatrix} s_{i_1} \\ \vdots \\ s_{i_k} \end{pmatrix}.$$
For any chosen vector $(s_{i_1}, \dots, s_{i_k})$ we can find a suitable $f = [a_0, \dots, a_t]$ so that $f(x_{i_j}) = s_{i_j}$, $j = 1, 2, \dots, k$. This is clear if we extend the system by adding suitable $(t + 1) - k$ rows and check that the corresponding Vandermonde determinant is not $0$.
Now we see that for $|A| \le t$
$$\operatorname{prob}(S = s \mid S_A = s_A) = \frac{P_{S, S_A}(s, s_A)}{P_{S_A}(s_A)} = \frac{\operatorname{prob}(f(0) = s, f(x_{i_1}) = s_{i_1}, \dots, f(x_{i_k}) = s_{i_k})}{\operatorname{prob}(f(x_{i_1}) = s_{i_1}, \dots, f(x_{i_k}) = s_{i_k})} = \frac{q^{-(k+1)}}{q^{-k}} = \frac{1}{q},$$
since $k \le t$. On the other hand, for any $B$ with $|B| \ge t + 1$ we have
$$\operatorname{prob}(S = s \mid S_B = s_B) = \frac{P_{S, S_B}(s, s_B)}{P_{S_B}(s_B)} = \frac{q^{-(t+1)}}{q^{-(t+1)}} = 1,$$
since $k \ge t + 1$.
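An added example (not from the notes) of Shamir's scheme over a constructed prime field $\mathbb Z_7$ with evaluation points $x_i = i$: sharing, reconstruction of $f(0)$ by Lagrange interpolation, and the counting argument above made explicit. For $|A| = k \le t$ the brute-force count of degree-$\le t$ polynomials consistent with the shares on $A$ is $q^{t-k}$ for every candidate secret, which is exactly $\operatorname{prob}(S = s \mid S_A = s_A) = 1/q$; for $|A| = t+1$ only one secret survives.

```python
import random
from itertools import product

def poly_eval(coeffs, x, q):
    """f(x) = a_0 + a_1 x + ... + a_t x^t in Z_q (q prime)."""
    return sum(a * pow(x, i, q) for i, a in enumerate(coeffs)) % q

def shamir_share(secret, n, t, q):
    """Random f of degree <= t with f(0) = secret; share i is f(x_i), x_i = i."""
    coeffs = [secret % q] + [random.randrange(q) for _ in range(t)]
    return {i: poly_eval(coeffs, i, q) for i in range(1, n + 1)}

def lagrange_at_zero(points, q):
    """Recover f(0) from at least t + 1 pairs (x_i, f(x_i)) by Lagrange interpolation."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, q - 2, q)) % q   # den^-1 by Fermat
    return total

def secret_counts(shares_subset, t, q):
    """Brute force over all q^(t+1) polynomials of degree <= t: how many agree
    with the given shares on A and carry secret s, for each s in Z_q.
    Equal counts for every s is the statement prob(S = s | S_A = s_A) = 1/q."""
    counts = {s: 0 for s in range(q)}
    for coeffs in product(range(q), repeat=t + 1):
        if all(poly_eval(coeffs, x, q) == y for x, y in shares_subset.items()):
            counts[coeffs[0]] += 1
    return counts

def privacy_holds(shares_subset, t, q):
    """True iff the shares leave every secret equally likely."""
    return len(set(secret_counts(shares_subset, t, q).values())) == 1

if __name__ == "__main__":
    q, n, t, secret = 7, 5, 2, 3            # constructed: threshold t + 1 = 3 of 5
    shares = shamir_share(secret, n, t, q)
    print(lagrange_at_zero({i: shares[i] for i in (1, 3, 5)}, q))   # 3
    print(secret_counts({1: shares[1], 2: shares[2]}, t, q))         # every count 1
    print(privacy_holds({i: shares[i] for i in (1, 2, 3)}, t, q))    # False: t+1 shares
```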
Chapter 9
Interactive proof systems (IPS)
There are many situations where it is necessary to prove one's identity; a password or a PIN are just examples. One serious risk in proving identity for authentication concerns the ability to impersonate the prover. Interactive proof systems are built to authenticate the prover during an interactive protocol carried out with the verifier, i.e.
Figure 9.1: [prover and verifier exchanging messages in turns]
The moves consist of:
1. Receive a message from the opposite party
2. Perform some computation
3. Send a message to the opposite party
The interactive proof system may be based on public key cryptography. Let $(\mathcal P, \mathcal C, \mathcal K, \mathcal E, \mathcal D)$ be the corresponding cryptosystem with keys $K = (k, K) = (sk, pk)$, used for $A \to B$. The encryption under the public key of $B$ is traditionally denoted by $\operatorname{Enc}(pk_B, m) = c$, $\operatorname{Dec}(sk_B, c) = m$. An IPS may be realized as follows:
V → P: $c = \operatorname{Enc}(pk_P, m)$
P → V: $\operatorname{Dec}(sk_P, c)$
The verifier $V$ accepts the proof if $\operatorname{Dec}(sk, c) = m$ and rejects otherwise.
The weak point of such an IPS is its vulnerability to a side attack: if the verifier is not honest she may use the protocol to decrypt messages intended for the prover.
The general idea of applying public key cryptography to an IPS is the following: let $\Phi$ be a one-way function $\Phi : z \mapsto Z$. Let $(x, X = \Phi(x))$ be the corresponding pair of private/public keys of the prover. The prover with the public key $X$ will prove knowledge of the secret key $x$. The protocol runs as follows:
1. P → V: $R = \Phi(r)$ (commitment)
2. V → P: $c$ (challenge)
3. P → V: $f(x, r, c)$ (response)
$V$ accepts the proof if $f(x, r, c)$ and $F(X, R, c)$ are consistent.
The protocol usually works with $f(x, r, c) = r + cx$ and $F(X, R, c) = RX^c$, if $\Phi$ is a group homomorphism.
Example 9.1. Let $q, p$ be primes such that $q \mid p - 1$, $g \in \mathbb Z_p^*$ an element of order $q$, $\Phi(z) = Z = g^z \pmod p$, $r \in \mathbb Z_q$, $c \in \mathbb Z_{2^t}$.
P → V: $R = g^r$
V → P: $c$
P → V: $s = r + cx$
The verifier $V$ accepts the proof if $g^s = RX^c$ and rejects otherwise.
Remark 9.2. If the prover can respond correctly to two distinct challenges $c, c' \in \mathbb Z_{2^t}$ for the same commitment $R$, then she can compute $x = \frac{s - s'}{c - c'}$, which contradicts the assumption that $\Phi$ is a one-way function.
Remark 9.3. From the above, the strategy of an illegitimate prover can be as follows: first she guesses the value of $c$. Then she computes the commitment $Z = \frac{g^u}{X^c}$. If the verifier challenges with $c' = c$ then the value $s = u$ is accepted by $V$, since $g^u = ZX^c$.
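An added example (not part of the notes) of Example 9.1 together with Remarks 9.2 and 9.3, on constructed toy parameters $p = 23$, $q = 11$, $g = 2$ (of order $11$) and $t = 3$: an honest run, the extraction of $x$ from two accepted responses on one commitment, and the guessing prover of Remark 9.3 whose acceptance rate is $2^{-t}$ against random challenges. All names are this example's own.

```python
import random

# constructed toy parameters: q = 11 divides p - 1 = 22, g = 2 has order 11 in Z_23^*
P, Q, G, T = 23, 11, 2, 3                # challenges c in Z_{2^T} = {0, ..., 7}

def keygen():
    x = random.randrange(1, Q)
    return x, pow(G, x, P)               # secret x, public X = Phi(x) = g^x mod p

def commit():
    r = random.randrange(Q)
    return r, pow(G, r, P)               # R = g^r

def respond(x, r, c):
    return (r + c * x) % Q               # s = r + c x in Z_q

def verify(X, R, c, s):
    return pow(G, s, P) == R * pow(X, c, P) % P   # g^s == R X^c

def honest_run(x, X, c):
    r, R = commit()
    return verify(X, R, c, respond(x, r, c))

def extract(c1, s1, c2, s2):
    """Remark 9.2: two accepted responses for the same R and c1 != c2 give
    x = (s1 - s2) / (c1 - c2) in Z_q (q prime, so the division is defined)."""
    return (s1 - s2) * pow((c1 - c2) % Q, Q - 2, Q) % Q

def cheating_commit(X, guess):
    """Remark 9.3: without x, pick u and publish Z = g^u X^{-guess}; answering
    s = u is accepted exactly when the verifier's challenge equals the guess."""
    u = random.randrange(Q)
    Z = pow(G, u, P) * pow(pow(X, guess, P), P - 2, P) % P
    return u, Z

def cheat_success_rate(X, trials=2000):
    """Empirical acceptance rate of the guessing prover against uniformly random
    challenges; it converges to 2^-T = 1/8."""
    hits = 0
    for _ in range(trials):
        guess = random.randrange(2 ** T)
        u, Z = cheating_commit(X, guess)
        hits += verify(X, Z, random.randrange(2 ** T), u)
    return hits / trials

if __name__ == "__main__":
    x, X = keygen()
    r, R = commit()
    s1, s2 = respond(x, r, 3), respond(x, r, 6)
    print(extract(3, s1, 6, s2) == x)     # True: rewinding recovers the secret
    print(cheat_success_rate(X))          # about 0.125
```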
Security. If $P$ and $V$ follow the behaviour specified in the protocol they are called honest. A prover that does not know the prover's secret and tries to convince the verifier is called a dishonest (cheating) prover. A verifier not following the behaviour specified in the protocol is called a dishonest (cheating) verifier. Dishonesty usually concerns the private computations and the transmission of the resulting data. The verifier can sometimes obtain some additional information from the prover (and use it e.g. in a side attack) when cheating during the protocol.
The basic requirements of an IPS are the following:
(knowledge completeness) If $P$ is honest (knows the prover's secret) then the verifier always accepts the proof.
(knowledge soundness) If $P$ can convince the verifier (with reasonable probability) then she knows the prover's secret.
Security (colloquially speaking) means:
An honest and only an honest prover will be 'accepted' by the verifier.
The verifier learns no more than is needed to check the proof (zero knowledge).
Example 9.4 (Fiat-Shamir identification). Settings: $n = pq$, $p \ne q$, $p, q$ primes, $x$ a random element of $\mathbb Z_n^*$, $X = x^2 \pmod n$, $(n, X)$ the public parameters, $\Phi : \mathbb Z_n^* \to (\mathbb Z_n^*)^2$, $\Phi(z) = z^2 \pmod n$, $x$ the prover's secret key.
Protocol:
1. P selects randomly $r \in \mathbb Z_n^*$, computes $R = r^2 \pmod n$ and sends $R$ to V
2. V selects $c \in \{0, 1\}$ at random and sends it to P
3. P computes $s = rx^c \pmod n$ and sends it to V
4. V accepts if $s^2 = RX^c \pmod n$
Completeness is obvious.
Soundness. Assume that a cheating prover $E$ is accepted after the following steps of the protocol:
$r \to Z$ (commitment), $c \in \{0, 1\}$ (challenge), $\sqrt{ZX^c}$ (response).
It is clear that, choosing $Z = r^2 X^{-c} \pmod n$, $E$'s proof is accepted with probability $\frac{1}{2}$. A probability $> \frac{1}{2}$ would mean that for some $r \in \mathbb Z_n^*$, $E$ computes the 'commitment' $Z$ such that the response $\sqrt{ZX^c}$ would be accepted for $c = 0$ as well as for $c = 1$. Hence $E$ would be able to compute
$$\frac{\sqrt{ZX}}{\sqrt{Z}} = \sqrt{X} = x \pmod n.$$
Since $x$ was chosen randomly, computing a square root of $X$ is probably as hard as factoring $n$. This contradicts the assumption that factorisation is intractable.
Zero knowledge. The above IPS based on a public key cryptosystem showed that the verifier could learn some knowledge by interacting with the prover. This violates the security requirement (from the prover's point of view). To define the zero knowledge property formally we will consider the probabilistic algorithms $P$ and $V$ executed by the prover and the verifier respectively (i.e. having access to a source of random bits). Moreover we will consider the possibly dishonest verifier denoted by $V^*$. We assume that both $P$ and $V$ ($V^*$) have a common input $X$. The interactive proof system consists of $n$ moves, with the message $m_i$ sent in the $i$-th move. The transcript of the joint computation between $P$ and $V^*$ is defined by
$$\operatorname{tr}_{P, V^*}(X) = (m_1, m_2, \dots, m_n).$$
It is an accepting transcript if after the last move $V^*$ accepts the proof (remark that the transcript is not determined by $X$).
Theorem 9.5. The Fiat-Shamir identification scheme is zero-knowledge.
Proof: We construct a probabilistic simulator $S(V^*, X)$ running in expected polynomial time which outputs an accepting transcript $\operatorname{tr}_{P, V^*}(X)$ with the same probability distribution as the real transcript. The real transcript has the form $(R, c, \sqrt{RX^c})$ where $R \in (\mathbb Z_n^*)^2$, $c \in \{0, 1\}$, $\sqrt{RX^c} = rx^c \in \mathbb Z_n^*$.
The simulator has as input the pair (algorithm $V^*$, integer $X$). It runs as follows:
Algorithm
while $c \ne \tilde c$ do
    select $\tilde c$, $r$ uniformly at random
    $Z \leftarrow r^2 X^{-\tilde c}$
    $c \leftarrow V^*(Z)$
return $(Z, c, r)$
The simulator first guesses the challenge value $\tilde c$, then computes the commitment $Z = Z(r, \tilde c)$ and asks the verifier $V^*$ for the challenge $c$. If $c = \tilde c$ then she outputs the accepting transcript $(Z, c, r)$. Since the uniform choice of $\tilde c$ and the choice of $c$ (by $V^*(X)$) with probabilities $(p, 1 - p)$, say, are independent, the probability that $c = \tilde c$ is equal to $\frac{p}{2} + \frac{1 - p}{2} = \frac{1}{2}$. Therefore the expected number of loop iterations in the above algorithm is $2$. Moreover the accepting transcripts $(R, c, rx^c)$ and $(Z, c, r)$ have the same probability distributions: $R$ and $Z$ are random elements of $(\mathbb Z_n^*)^2$, $c$ is distributed according to $V^*$, and $r$ and $rx^c$ are random elements of $\mathbb Z_n^*$.
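An added example (not from the notes) of Example 9.4 and the simulator of Theorem 9.5. It assumes $R = r^2 \bmod n$ as the commitment, uses the constructed modulus $n = 1009 \cdot 1013$, and models a deterministic, possibly dishonest $V^*$ whose challenge depends on the commitment (its parity); the simulator, which never sees $x$, still produces accepting transcripts, and the measured number of loop iterations averages $2$ as computed above.

```python
import math
import random

def gen_params(p, q):
    """Constructed setup: n = p q, random x in Z_n^*, public X = x^2 mod n."""
    n = p * q
    while True:
        x = random.randrange(2, n)
        if math.gcd(x, n) == 1:
            return n, x, pow(x, 2, n)

def random_unit(n):
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r

def prover_commit(n):
    r = random_unit(n)
    return r, pow(r, 2, n)                     # R = r^2 mod n

def prover_respond(n, x, r, c):
    return r * pow(x, c, n) % n                # s = r x^c

def verify(n, X, R, c, s):
    return pow(s, 2, n) == R * pow(X, c, n) % n   # s^2 == R X^c

def real_transcript(n, x, X, verifier):
    r, R = prover_commit(n)
    c = verifier(R)
    return (R, c, prover_respond(n, x, r, c))

def simulate(n, X, verifier):
    """Simulator of Theorem 9.5, run without x: guess c~, publish Z = r^2 X^{-c~},
    ask V* for its challenge and retry until it equals the guess.  Returns the
    accepting transcript (Z, c, r) and the number of loop iterations used."""
    X_inv = pow(X, -1, n)
    rounds = 0
    while True:
        rounds += 1
        c_guess = random.randrange(2)
        r, Z = prover_commit(n)
        Z = Z * pow(X_inv, c_guess, n) % n
        c = verifier(Z)
        if c == c_guess:
            return (Z, c, r), rounds

def parity_verifier(R):
    """A deterministic (possibly dishonest) V*: its challenge depends on R."""
    return R % 2

def average_rounds(n, X, verifier, trials=400):
    return sum(simulate(n, X, verifier)[1] for _ in range(trials)) / trials

if __name__ == "__main__":
    n, x, X = gen_params(1009, 1013)            # constructed primes
    print(verify(n, X, *real_transcript(n, x, X, parity_verifier)))   # True
    transcript, rounds = simulate(n, X, parity_verifier)
    print(verify(n, X, *transcript), rounds)    # True, a small geometric count
    print(average_rounds(n, X, parity_verifier))   # close to 2
```

Both kinds of transcript verify, and the simulated commitment is a uniformly random square just like the real one, which is the distributional claim in the proof; `pow(X, -1, n)` needs Python 3.8 or newer.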
Chapter 10
Perfect secrecy of cryptosystems*
We say that a cryptosystem is computationally secure if the best known algorithm breaking it requires a specified (sufficiently large) number of operations. A possible approach to providing evidence of computational security is to reduce its security to some well-studied problem that is thought to be difficult (provable security). On the other hand we will regard a given cryptosystem as unconditionally secure if it cannot be broken even with infinite computational resources. To study this approach the appropriate framework is provided by probability theory.
In what follows we shall consider the probability space $(X, P_X)$, where $X = \{x_1, x_2, \dots, x_n\}$ is a finite set and the probability distribution $P_X$ is defined by $P_X(X = x_i) = p_i$ ($i \le n$), so that $\sum_{i=1}^{n} p_i = 1$.
Any map $S : X \to Y$ with the probability distribution on $Y$ defined by
$$P_S(y) = P_X(S^{-1}(y))$$
will be called a $Y$-valued random variable on $X$ (induced by $S$). The probability space $(X, P_X)$ can be naturally regarded as a random variable defined on some probability space $(\Omega, P_{\Omega})$ with the corresponding map $S_X : \Omega \to X$. This identification will be frequently used in the sequel. Let $(X, P_X)$ and $(Y, P_Y)$ be given probability spaces. A joint probability distribution $P_{XY}$ is defined on $X \times Y$ so that $P_{\pi_1} = P_X$, $P_{\pi_2} = P_Y$, where $\pi_1 : X \times Y \to X$, $\pi_2 : X \times Y \to Y$ are the corresponding projection maps. The probability spaces $(X, P_X)$ and $(Y, P_Y)$ are called independent (with respect to $P_{XY}$) iff
$$P_{XY}(x, y) = P_X(x) P_Y(y)$$
for any $x \in X$, $y \in Y$. Similarly the random variables $S, T$ are called jointly distributed if we are given the joint probability distribution $P_{ST}$ of $S$ and $T$. They are called independent iff $P_{ST}(S = s, T = t) = P_S(S = s) P_T(T = t)$ for any $s \in \operatorname{Im} S$ and $t \in \operatorname{Im} T$.
Example 10.1. For $\varepsilon = 0$ the random variables $(X, P_X)$ and $(Y, P_Y)$ below are independent; for $\varepsilon = \frac{1}{8}$ they are not.
The joint distribution, with row marginals $P_Y(y_2) = \frac{3}{4}$, $P_Y(y_1) = \frac{1}{4}$ and column marginals $P_X(x_1) = P_X(x_2) = \frac{1}{2}$:
$$p(x_1, y_2) = \tfrac{3}{8} - \varepsilon, \quad p(x_2, y_2) = \tfrac{3}{8} + \varepsilon, \qquad p(x_1, y_1) = \tfrac{1}{8} + \varepsilon, \quad p(x_2, y_1) = \tfrac{1}{8} - \varepsilon.$$
Similarly the distribution with all marginals equal to $\frac{1}{2}$,
$$p(x_1, y_2) = \tfrac{1}{4} - \varepsilon, \quad p(x_2, y_2) = \tfrac{1}{4} + \varepsilon, \qquad p(x_1, y_1) = \tfrac{1}{4} + \varepsilon, \quad p(x_2, y_1) = \tfrac{1}{4} - \varepsilon,$$
provides independence of $X$ and $Y$ when $\varepsilon = 0$ and strict correlation when $\varepsilon = \frac{1}{4}$.
The joint probability is related to the conditional probability by the equality
$$p(x, y) = p(x \mid y)\,p(y).$$
Assuming that $p(y) > 0$ we can easily express the independence of $X$ and $Y$ by the equality
$$p(x \mid y) = p(x)$$
for all $x \in X$, $y \in Y$. To investigate the perfect secrecy of a cryptosystem it is convenient to apply the following
Theorem 10.2 (Bayes' theorem). If $p(y) > 0$ then $p(x \mid y) = \frac{p(y \mid x)\,p(x)}{p(y)}$.
Consider the cryptosystem $(\mathcal P, \mathcal C, \mathcal K, \mathcal E, \mathcal D)$. Assume that $\mathcal P$ and $\mathcal K$ are random variables with the corresponding probability distributions $P_{\mathcal P}$ and $P_{\mathcal K}$ respectively. The cryptographic key $k \in \mathcal K$ is selected randomly (according to the probability distribution $P_{\mathcal K}$) from $\mathcal K$ for only one encryption. The a priori probability that the plaintext $x$ occurs is $P_{\mathcal P}(x)$. Since $k \in \mathcal K$ is chosen before Alice knows the plaintext, it is reasonable to assume that $(\mathcal P, P_{\mathcal P})$ and $(\mathcal K, P_{\mathcal K})$ are independent random variables. Obviously $P_{\mathcal P}$ and $P_{\mathcal K}$ induce a probability distribution on $\mathcal C$ by the equality
$$P_{\mathcal C}(y) = \sum_{k : y \in C(k)} P_{\mathcal K}(k)\,P_{\mathcal P}(d_k(y)),$$
where $C(k) = \{e_k(x) : x \in \mathcal P\}$. For the conditional probability we derive
$$P_{\mathcal C}(y \mid x) = \sum_{k : x = d_k(y)} P_{\mathcal K}(k),$$
and using Bayes' theorem we obtain explicitly
$$P_{\mathcal P}(x \mid y) = \frac{P_{\mathcal P}(x)\,P_{\mathcal C}(y \mid x)}{P_{\mathcal C}(y)}.$$
Definition 10.3. A cryptosystem $(\mathcal P, \mathcal C, \mathcal K, \mathcal E, \mathcal D)$ has perfect secrecy if $P_{\mathcal P}(x \mid y) = P_{\mathcal P}(x)$ for all $x \in \mathcal P$, $y \in \mathcal C$ (the a posteriori probability that the plaintext is $x$, given that the ciphertext $y$ is observed, is identical to the a priori probability that the plaintext is $x$).
Example 10.4. $\mathcal P = \{a, b\}$, $\mathcal C = \{A, B\}$, $\mathcal K = \{k_1, k_2\}$. We have
$$C(k_1) = \{A, B\} = C(k_2).$$
Simplifying the notation $P_{\mathcal C} = p$, $P_{\mathcal P} = p$, $P_{\mathcal K}(k_i) = p(k_i)$ we derive
$$p(A \mid a) = p(k_1), \quad p(A \mid b) = p(k_2), \qquad p(B \mid a) = p(k_2), \quad p(B \mid b) = p(k_1).$$
Hence
$$p(A) = p(k_1)\,p(d_{k_1}(A)) + p(k_2)\,p(d_{k_2}(A)) = p(k_1)\,p(a) + p(k_2)\,p(b),$$
$$p(B) = p(k_1)\,p(b) + p(k_2)\,p(a),$$
and therefore
$$p(a \mid A) = \frac{p(a)\,p(A \mid a)}{p(A)} = \frac{p(a)\,p(k_1)}{p(A)}, \qquad p(a \mid B) = \frac{p(a)\,p(B \mid a)}{p(B)} = \frac{p(a)\,p(k_2)}{p(B)},$$
$$p(b \mid A) = \frac{p(b)\,p(A \mid b)}{p(A)} = \frac{p(b)\,p(k_2)}{p(A)}, \qquad p(b \mid B) = \frac{p(b)\,p(B \mid b)}{p(B)} = \frac{p(b)\,p(k_1)}{p(B)}.$$
Now $p(x \mid y) = p(x)$ for all $x, y$ iff $p(k_1) = p(k_2) = p(A) = p(B)$, and inserting the values of $p(A)$ and $p(B)$ we see that the condition $p(k_1) = p(k_2)$ is necessary and sufficient for the perfect secrecy of the above cryptosystem.
We will prove the following
Theorem 10.5. The shift cipher $(\mathcal P, \mathcal C, \mathcal K, \mathcal E, \mathcal D)$ with $\mathcal P = \mathcal C = \mathcal K = \mathbb Z_n$, $y = e_k(x) = x + k \pmod n$, has perfect secrecy for the uniform distribution of keys from $\mathcal K$ and any plaintext probability distribution.
Proof. By the definition we have
$$P_{\mathcal C}(y) = \sum_{k : y \in C(k)} P_{\mathcal K}(k)\,P_{\mathcal P}(d_k(y)) = \sum_{k \in \mathbb Z_n} \frac{1}{n}\,P_{\mathcal P}(y - k) = \frac{1}{n}\sum_{x \in \mathbb Z_n} P_{\mathcal P}(x) = \frac{1}{n}.$$
Now $p(y \mid x) = P_{\mathcal K}((y - x) \bmod n) = \frac{1}{n}$, and applying Bayes' theorem we obtain
$$P_{\mathcal P}(x \mid y) = \frac{P_{\mathcal P}(x)\,P_{\mathcal C}(y \mid x)}{P_{\mathcal C}(y)} = P_{\mathcal P}(x),$$
as required.
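An added example (not from the notes) that evaluates the quantities of Theorem 10.5 exactly, with rational arithmetic, on a constructed skewed plaintext distribution over $\mathbb Z_4$: with uniform keys every a posteriori probability equals the a priori one, and with a constructed biased key distribution the posterior moves away from the prior, which is the leak perfect secrecy forbids. The function names are this example's own.

```python
from fractions import Fraction as F

def ciphertext_dist(p_plain, p_key, n):
    """P_C(y) = sum_k P_K(k) P_P(d_k(y)); for the shift cipher d_k(y) = y - k mod n."""
    return {y: sum(p_key[k] * p_plain[(y - k) % n] for k in range(n)) for y in range(n)}

def posterior(p_plain, p_key, n):
    """P_P(x | y) = P_P(x) P_C(y | x) / P_C(y), with P_C(y | x) = P_K((y - x) mod n)."""
    pc = ciphertext_dist(p_plain, p_key, n)
    return {(x, y): p_plain[x] * p_key[(y - x) % n] / pc[y]
            for x in range(n) for y in range(n) if pc[y] > 0}

def is_perfectly_secret(p_plain, p_key, n):
    """Definition 10.3: the a posteriori distribution equals the a priori one."""
    post = posterior(p_plain, p_key, n)
    return all(post[(x, y)] == p_plain[x] for (x, y) in post)

def max_leak(p_plain, p_key, n):
    """Largest |P_P(x | y) - P_P(x)|; exactly 0 under perfect secrecy."""
    post = posterior(p_plain, p_key, n)
    return max(abs(post[(x, y)] - p_plain[x]) for (x, y) in post)

N = 4
PLAIN = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 8)}       # constructed, skewed
UNIFORM_KEY = {k: F(1, N) for k in range(N)}
BIASED_KEY = {0: F(1, 2), 1: F(1, 6), 2: F(1, 6), 3: F(1, 6)}   # constructed, non-uniform

if __name__ == "__main__":
    print(ciphertext_dist(PLAIN, UNIFORM_KEY, N))        # every P_C(y) = 1/4
    print(is_perfectly_secret(PLAIN, UNIFORM_KEY, N))    # True
    print(is_perfectly_secret(PLAIN, BIASED_KEY, N))     # False
    print(max_leak(PLAIN, BIASED_KEY, N))                # 1/4: P(x=0 | y=0) = 3/4
```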
Chapter 11
Arithmetic circuits for the DLP problem*
11.1 Arithmetic circuits
In this section we introduce the computational model that relates the DLP to arithmetic circuits with nontrivial collisions. We assume that $G = \langle g \rangle$ has order $d = \#G$ and $t = \log_g x$ for $x \in G$. The algorithm computing $t$ will use only the group operations. Formally the instructions will be defined as
$$\varphi = (I_1, \dots, I_l) \qquad (l \text{ is the length of the circuit}),$$
where for the input $(g, x)$ the algorithm computes
$$y_{-2} \leftarrow 1, \qquad y_{-1} \leftarrow g, \qquad y_0 \leftarrow x,$$
and generally
$$y_k \leftarrow y_i\,y_j^{\pm 1}, \quad i, j < k,$$
which is related to the instruction $I_k = (i, j, \varepsilon = \pm 1)$ with $k \le l$.
Definition 11.1. The trace of the circuit $C$ (on the input $(g, x)$) is the sequence $z_{-2} = 1$, $z_{-1} = g$, $z_0 = x$, ...,
$$z_k = z_i z_j^{\varepsilon} \quad \text{where } I_k = (i, j, \varepsilon).$$
If $g$ is fixed we write $z_k = z_k(x)$.
The trace exponents $\tau_k \in \mathbb Z[t]$ are defined by
$$\tau_{-2} = 0, \quad \tau_{-1} = 1, \quad \tau_0 = t, \quad \tau_k = \tau_i + \varepsilon\tau_j$$
for $k \ge 1$ and $I_k = (i, j, \varepsilon)$. If $z_k(x) = x^c g^b$ then $\tau_k = ct + b$ and $z_k(g^a) = g^{ca + b} \in G$. We say that the algorithm is successful (in the computation of $\log_g x$) if and only if a nontrivial collision $u = v$ occurs in $C$, i.e. $z_k(x) = z_{k'}(x)$ for some $1 \le k, k' \le l$. The notion of nontriviality is explained below.
Definition 11.2. Let $\tau_i, \tau_j \in \mathbb Z[t]$, $q \mid d$. The pair $(i, j)$ respects $q$ if and only if $\tau_i - \tau_j \not\equiv 0 \pmod q$. The collision $y_i = y_j$ (in the circuit $C$) respects $q$ if and only if $(i, j)$ respects $q$.
Directly from the definition we have that if the collision $y_i = y_j$ respects $q_1$ and $q_1 \mid q_2 \mid d$ then $y_i = y_j$ also respects $q_2$. The collision $y_i = y_j$ is nontrivial if and only if it respects $q$ for every $q \mid d$.
Example 11.3. Assume that $d$ is not a power of $2$ and $q = 2 \mid d$. Consider the instructions $I_m$ and $I_{2m}$ generating the collision $y_m = y_{2m}$ with
$$y_m = g^d, \qquad y_{2m} = x^d.$$
We have $\tau_m - \tau_{2m} = d - dt = d(1 - t) \equiv 0 \pmod q$, hence $y_m = y_{2m}$ does not respect $q$. Such a collision does not help us with the computation of $t = \log_g x$.
Moreover the collision $y_m = y_{2m}$ is trivial (if $q \ne d$) with $y_m = g^{d/q}$, $y_{2m} = x^{d/q}$, since the congruence
$$\frac{d}{q} \equiv t\,\frac{d}{q} \pmod d$$
determines only $t \pmod q$, i.e. solves the DLP only in the subgroup $H = \langle g^{d/q} \rangle$. Formally we have $\tau_m - \tau_{2m} = \frac{d}{q}(1 - t) \equiv 0 \pmod{q'}$ for $q'$ a prime divisor of $\frac{d}{q}$.
Definition 11.4. Let $C$ be an arithmetic circuit (in $G$) and $q \mid \#G = d$. The success rate $\delta_{C,q}$ of $C$ over $G$ respecting $q$ is the function
$$\delta_{C,q} = d^{-1}\,\#\{x \in G : \text{on input } x \text{ a collision respecting } q \text{ occurs in } C\}.$$
Obviously we have $\delta_{C,q_1} \le \delta_{C,q_2}$ provided $q_1 \mid q_2 \mid d$.
11.2 Deterministic lower bound
Let $C$ be an arithmetic circuit of length $l$. Any nontrivial collision $y_i = y_j$ for $C$ must respect $q$ for any $q \mid d$. Letting $\tau = \tau_i - \tau_j$ we see that
$$\tau \not\equiv 0 \pmod q, \qquad \tau(t_0) \equiv 0 \pmod d,$$
where $x = g^{t_0}$. We will prove that any arithmetic circuit having the success rate $\delta_{C,q}$ (i.e. having on input $x$ a collision respecting $q$ with frequency $\delta_{C,q}$) has length at least $l \ge \sqrt{2\delta_{C,q}\,p} - 3$, where $q = p^e$ is a power of a prime number. In particular, if $d = p$ then the minimal length of any arithmetic circuit having the success rate $\delta_C = 1$ is at least $\sqrt{2p} - 3$.
First we prove the following
Lemma 11.5. Let $d \ge 2$, $p^e \mid d$, $\tau = c_1 t + c_0 \in \mathbb Z[t]$ with $\tau \not\equiv 0 \pmod{p^e}$. Then
$$\#\{a \in \mathbb Z_d : \tau(a) \equiv 0 \pmod{p^e}\} \le \frac{d}{p}.$$
Proof. We can write $\tau = p^i(c_1' t + c_0')$ with $p^i \,\|\, \tau$. If $c_1' \equiv 0 \pmod p$ then the congruence $\tau \equiv 0 \pmod{p^e}$ has no solutions at all, hence the conclusion is obvious. Otherwise we represent $a$ satisfying $c_1' a + c_0' \equiv 0 \pmod{p^{e-i}}$ as
$$a = a_0 + a_1 p + \dots + a_{e-i}\,p^{e-i}.$$
Then $a_0$ is fixed, and hence the congruence has at most $p^{e-i-1}$ solutions. By the CRT we obtain the result.
Proof of the lower bound. For given $C$ a collision in $C$ is of the form $y_i(x) = y_j(x)$ with $-2 \le i < j \le l$. There are $\frac{(l+2)(l+3)}{2}$ such pairs $(i, j)$ and each of them respects $q$ for at most $\frac{d}{p}$ values of $x$. Hence the total number of possible collisions is $\le \frac{(l+2)(l+3)\,d}{2p}$ and therefore $\delta_{C,q} \le \frac{(l+2)(l+3)}{2p}$, which implies $(l + 3)^2 \ge 2\delta_{C,q}\,p$, as desired.
63
Chapter 12
The Cramer-Shoup signature scheme*
12.1 Digital signatures
Definition 12.1. Let $I_k$, $k \in \mathbb{N}$, be disjoint subsets of $\mathbb{N}$ and let $I = \bigcup_{k \in \mathbb{N}} I_k$ be called the (infinite) index set (partitioned into finite disjoint subsets $I_k$). Assume that the indices are binary encoded and by $|i|$ denote the binary length of $i \in I$. $I$ is called a key set with security parameter $k$ (or an index set with security parameter $k$) if
1. The security parameter $k$ of $i \in I$ can be derived by a deterministic polynomial algorithm.
2. There exists an absolute constant $m \in \mathbb{N}$ such that
$$k^{1/m} \le |i| \le k^m, \qquad i \in I_k.$$
In conclusion we write $I = (I_k)_{k \in \mathbb{N}}$ instead of $I = \bigcup_{k \in \mathbb{N}} I_k$.
Example 12.2. Let $I_k = \{n \in \mathbb{N} : n = pq,\ |p| = |q| = k\}$. Then $I = (I_k)_{k \in \mathbb{N}}$ is an index set with security parameter $k$.
Definition 12.3. Let $J = (J_k)_{k \in \mathbb{N}}$ be an index set with security parameter $k$ and $(X_j)_{j \in J}$ be a family of sets. Consider two probability distributions $p = (p_j)_{j \in J}$ and $\tilde p = (\tilde p_j)_{j \in J}$ on $(X_j)_{j \in J}$. We say that $\tilde p$ is polynomially bounded by $p$ if there exists a polynomial $Q$ such that
$$\tilde p_j(x) \le Q(k)\, p_j(x)$$
for all $k \in \mathbb{N}$, $j \in J_k$ and $x \in X_j$.
Example 12.4. Let $(X_j)_{j \in J}$, $(Y_j)_{j \in J}$ with $Y_j \subseteq X_j$, $j \in J$. Assume that there is a polynomial $Q$ such that
$$|Y_j|\, Q(k) \ge |X_j| \qquad (*)$$
for all $k$ and $j \in J_k$. Then the image of the uniform distributions on $(Y_j)_{j \in J}$ under the inclusions $Y_j \subseteq X_j$ is polynomially bounded by the uniform distributions on $(X_j)_{j \in J}$. Indeed, let $(X_j, p_j)$ be the uniform distribution on $X_j$ and $(X_j, \tilde p_j)$ the image distribution under the inclusion map $f : Y_j \to X_j$, $f(y) = y$, i.e.
$$\tilde p_j(x) = \begin{cases} \frac{1}{|Y_j|} & \text{if } x \in Y_j, \\ 0 & \text{if } x \in X_j \setminus Y_j. \end{cases}$$
We have to check that $\tilde p_j(x) \le Q(k)\, p_j(x)$, i.e.
$$\frac{1}{|Y_j|} \le Q(k)\,\frac{1}{|X_j|},$$
which follows from $(*)$.
Definition 12.5. The sequence of real numbers $\varepsilon = (\varepsilon_k)_{k \in \mathbb{N}}$ is called negligible if for any positive polynomial $Q \in \mathbb{Z}[x]$ there is a $k_0 \in \mathbb{N}$ such that $|\varepsilon_k| \le \frac{1}{Q(k)}$ for $k > k_0$.
Proposition. Let $J = (J_k)_{k \in \mathbb{N}}$ be an index set with security parameter $k$. Consider two probability distributions $(X_j, p_j)$ and $(X_j, \tilde p_j)$, $j \in J$, such that $\tilde p_j$ is polynomially bounded by $p_j$, $j \in J$. Let $(\varepsilon_j)_{j \in J}$ be a family of events $\varepsilon_j \subseteq X_j$ whose probability is negligible with respect to $p$, i.e. for any positive polynomial $P$ there is $k_0 \in \mathbb{N}$ such that $p_j(\varepsilon_j) \le \frac{1}{P(k)}$ for $k > k_0$ and $j \in J_k$. Then the events $(\varepsilon_j)_{j \in J}$ have negligible probability also with respect to $\tilde p$.
Proof. There is a polynomial $Q$ with $\tilde p_j \le Q(k)\, p_j$ for $j \in J_k$. Now let $R$ be any positive polynomial. Then for $k > k_0(R)$ and $j \in J_k$ we have
$$\tilde p_j(\varepsilon_j) \le Q(k)\, p_j(\varepsilon_j) \le \frac{1}{R(k)}$$
as required.
Digital signatures $(K, S, V)$:
$K$ - key generation algorithm which on input $1^k$ ($k$ - security parameter) returns a pair $(pk, sk)$;
$S$ - signing algorithm which on input $sk$ and a message $m$ to be signed outputs the signature $\sigma$ for $m$;
$V$ - verification algorithm which on input $(pk, m, \sigma)$ returns accept or reject.
Types of attacks:
Key only attack - $E$ only knows $pk$.
Known-signature attack - $E$ knows $pk$ and has seen the signatures for some arbitrary messages.
Universal forgery - $E$ is able to forge the signature of any message.
Retrieval of secret key - $E$ finds out the secret key $sk$.
Success levels:
1. Existential forgery. $E$ forges the signature for at least one message, not necessarily of her choice.
2. Selective forgery. $E$ succeeds in forging the signature of some messages of her choice.
3. Universal forgery. $E$ succeeds in forging the signature of any message.
4. Retrieval of secret key. $E$ finds out the secret key $sk$.
12.2 Strong RSA Assumption
Let $I = \{n = pq : p \neq q,\ |p| = |q|\}$, $I_k = \{n \in I : |p| = |q| = k\}$. For every positive polynomial $Q$ and every probabilistic polynomial algorithm $A$ which on input $n \in I$ and $X \in \mathbb{Z}_n^*$ outputs $e > 1$ and $x \in \mathbb{Z}_n^*$, there exists $k_0 \in \mathbb{N}$ such that
$$P\big[x^e = X : n \xleftarrow{u} I_k,\ X \xleftarrow{u} \mathbb{Z}_n^*,\ (e, x) \leftarrow A(n, X)\big] \le \frac{1}{Q(k)}$$
for $k > k_0$ ($u$ denotes the uniform distribution).
Definition 12.6. $I_{SG} := \{n \in I : n = pq,\ p = 2p' + 1,\ q = 2q' + 1,\ p', q' \text{ Sophie Germain primes}\}$, $I_{SG,k} = I_{SG} \cap I_k$.
Remark 12.7. Assuming the hypothetical distribution of Sophie Germain primes, the distribution $n \xleftarrow{u} I_{SG,k}$ is polynomially bounded by the distribution $n \xleftarrow{u} I_k$ as $k \to \infty$.
12.3 Description of the scheme
CSDSS = (keygen, sign, verify).
Keygen
1) $n \xleftarrow{u} I_{SG,k}$
2) $g \xleftarrow{u} QR_n := (\mathbb{Z}_n^*)^2$, $X \xleftarrow{u} QR_n$, $e' \leftarrow \mathrm{GenPrime}(\lambda^{l+1})$ with $k^{1/c} < l + 1 < k - 1$, $c$ fixed
3) $pk = (n, g, X, e')$, $sk = (p, q)$
Remark 12.8. $QR_n \subset \mathbb{Z}_n^*$ is a subgroup of index 4, hence $|QR_n| = p'q'$.
Remark 12.9. GenPrime is a polynomial probabilistic algorithm outputting a $k$-bit prime such that, given any positive polynomial $R$, the probability that $e_i = e_j$ for at least two $i, j \le R(k)$, $e_i, e_j \leftarrow \mathrm{GenPrime}(\lambda^{k+1})$, is negligible (i.e. for any positive $P$ it is less than $\frac{1}{P(k)}$ for $k > k_0$).
Figure 12.1: Adversary algorithm breaks the instance of ERP problem
Sign
$m \in \{0, 1\}^*$
$e \leftarrow \mathrm{GenPrime}(\lambda^{l+1})$
$\tilde X \xleftarrow{u} QR_n$
$x := \tilde X^{e'} g^{-h(m)}$
$y := (X g^{h(x)})^{1/e}$
$\mathrm{sig}(m) = [m, \sigma]$ where $\sigma = (e, \tilde X, y)$
Verify
(1) check whether $e$ is an odd $l + 1$ bit integer not divisible by $e'$
(2) check if $y^e = X g^{h(x)}$ where $x = \tilde X^{e'} g^{-h(m)}$
Remark 12.10. To compute the signature $\sigma = (e, \tilde X, y)$ we may (given $e$ and $e'$) either generate $\tilde X$ and extract the $e$-th root of $X g^{h(x)}$, or generate a random $x$ and extract the $e'$-th root of $x g^{h(m)}$. In both cases we meet the hard ERP problem (according to the Strong RSA Assumption).
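A toy implementation of the keygen/sign/verify steps above, added here as an example and not code from the notes. It assumes SHA-256 truncated to $l$ bits as $h$, Miller-Rabin primes in place of GenPrime, Python 3.8+ for `pow(x, -1, n)`, and parameters far too small for real use; the signer takes the $e$-th root in $QR_n$ with the secret order $p'q'$ of Remark 12.8.

```python
import hashlib
import math
import random

# Toy parameters, constructed for the demo (far too small for real use).
L_BITS = 32    # hash output length l; e and e' are (l+1)-bit primes, so h(.) < e
K_BITS = 64    # bit length k of the Sophie Germain primes p', q'
rng = random.Random(2011)   # fixed seed so the run is reproducible


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic; adequate for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Stand-in for GenPrime(lambda^bits): a random prime of exactly `bits` bits."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_sophie_germain(bits):
    """Random `bits`-bit prime p' such that p = 2p' + 1 is prime as well."""
    while True:
        pp = gen_prime(bits)
        if is_probable_prime(2 * pp + 1):
            return pp


def rand_qr(n):
    """Uniform element of QR_n = (Z_n^*)^2: the square of a random unit."""
    while True:
        r = rng.randrange(2, n - 1)
        if math.gcd(r, n) == 1:
            return r * r % n


def h(data):
    """Hash to l bits: SHA-256 truncated (constructed stand-in for h in H_l)."""
    return int.from_bytes(hashlib.sha256(data).digest()[: L_BITS // 8], "big")


def h_int(x, n):
    """h applied to the fixed-width big-endian encoding of a residue x mod n."""
    return h(x.to_bytes((n.bit_length() + 7) // 8, "big"))


def keygen():
    """pk = (n, g, X, e'), sk = (p, q) with n = pq a product of safe primes."""
    pp = gen_sophie_germain(K_BITS)
    qq = gen_sophie_germain(K_BITS)
    while qq == pp:
        qq = gen_sophie_germain(K_BITS)
    p, q = 2 * pp + 1, 2 * qq + 1
    n = p * q
    return (n, rand_qr(n), rand_qr(n), gen_prime(L_BITS + 1)), (p, q)


def sign(pk, sk, m):
    n, g, X, e_prime = pk
    p, q = sk
    order_qr = (p - 1) * (q - 1) // 4      # |QR_n| = p'q' (Remark 12.8)
    e = gen_prime(L_BITS + 1)
    while e == e_prime:
        e = gen_prime(L_BITS + 1)
    X_t = rand_qr(n)                         # the random X~ of the scheme
    x = pow(X_t, e_prime, n) * pow(g, -h(m), n) % n     # x := X~^{e'} g^{-h(m)}
    target = X * pow(g, h_int(x, n), n) % n             # X g^{h(x)}, an element of QR_n
    # e < p', q', so gcd(e, p'q') = 1 and the e-th root in QR_n is the power e^{-1} mod p'q'
    y = pow(target, pow(e, -1, order_qr), n)
    return (e, X_t, y)


def verify(pk, m, sig):
    n, g, X, e_prime = pk
    e, X_t, y = sig
    # (1) e must be an odd (l+1)-bit integer not divisible by e'
    if e % 2 == 0 or e.bit_length() != L_BITS + 1 or e % e_prime == 0:
        return False
    if not (1 < X_t < n and 1 < y < n):
        return False
    # (2) y^e == X g^{h(x)} with x = X~^{e'} g^{-h(m)}
    x = pow(X_t, e_prime, n) * pow(g, -h(m), n) % n
    return pow(y, e, n) == X * pow(g, h_int(x, n), n) % n
```

A signature verified against a different message fails because $x$, and hence $h(x)$, changes; reusing $e'$ as $e$ is rejected by check (1).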
12.4 Security of the protocol
Adversary $A$ (attacks the ERP - E-th Root Problem). Forger $F$ (forges the signature $\mathrm{Sig}(m)$).
Interaction
$A$: Input: $n \in I_{SG}$, $z \in \mathbb{Z}_n^*$. Output: pair $(e, z^{1/e})$.
1. $A$ chooses randomly the security parameter $l$ and the secure hash function $h \in H_l$.
2. In a clever way selects the remaining public parameters of $pk$, $pk = (n, g, X, e')$.
3. Interaction:
$F$ requests from $A$ the signatures of selected messages $m_i$.
$A$ (in a clever way) computes the valid signatures $\sigma_i = (e_i, \tilde X_i, y_i)$ without knowing $sk$ (i.e. the prime factors of $n$) and sends them to $F$. In this step $A$ simulates the legitimate signer.
$F$ computes the valid signature $\sigma$ of $m \neq m_i$, $i = 1, 2, \dots$
$A$, using the forged signature $\mathrm{sig}(m) = [m, \sigma]$, computes the $r$-th root modulo $n$ of $z$ for some $r > 1$.
The transcript of communication between $F$ and $A$ should be indistinguishable from the corresponding transcript between $F$ and the legitimate signer.
Remark 12.11. Let $\sigma_i = (e_i, \tilde X_i, y_i)$. The forgery consists of several cases according to the relation among the forged value of $e$ and $e_i$, or $\tilde X$ and $\tilde X_i$, $i = 1, 2, \dots$. In the sequel we will consider only the most interesting case when $e_i \nmid e$ for all $i = 1, 2, \dots$
12.5 Technical Lemma
There exists a deterministic polynomial time algorithm that for all $k$, given $n \in I_{SG,k}$, an odd positive integer $e$ ($|e| < k - 1$), a number $f$ and elements $u, v \in \mathbb{Z}_n^*$ satisfying $u^e = v^f$ as input, outputs the $r$-th root $v^{1/r} \in \mathbb{Z}_n^*$ of $v$ with
$$r = \frac{e}{\gcd(e, f)} = \frac{e}{d}.$$
Proof. Since $|e| < k - 1$ we have that $r, d \perp \varphi(n) = 4p'q'$. Letting $s = \frac{f}{d}$ we have $r \perp s$ and $u^{e/d} = v^{f/d}$, i.e. $u^r = v^s$. Now we represent $v^{1/r}$ as $u^\alpha v^\beta$, i.e.
$$v = u^{\alpha r} v^{\beta r} = (v^s)^\alpha \cdot v^{\beta r} = v^{\alpha s + \beta r}.$$
To complete the proof it is sufficient to remark that $\alpha$ and $\beta$ with $\alpha s + \beta r = 1$ can be efficiently computed by the extended Euclidean algorithm.
12.6 Reduction proof
We will prove that having an instance $(n, z)$ of ERP where $n \xleftarrow{u} I_{SG}$, $z \xleftarrow{u} \mathbb{Z}_n^*$, the steps
(A) (1) selects randomly the security parameter $l$ and a secure hash function $h \in H_l$; (2) in a clever way generates $PUB = (e', g, X)$
(AF) $F \leftrightarrow A$: $m_i \longmapsto \sigma_i = (e_i, \tilde X_i, y_i)$
(F) $[m, \sigma]$, $\sigma = (e, \tilde X, y)$
(A) with the aid of $[m, \sigma]$ computes $z^{1/r}$ with $r > 1$.
Moreover in the communication (AF) $A$ almost perfectly simulates the legitimate signer, i.e. the generated $pk$ and computed $\sigma_i$ are defined with distribution polynomially close to the distribution generated by the legitimate signer. More precisely:
(A) $e', e_i \leftarrow \mathrm{GenPrime}(\lambda^{l+1})$, $g := z^{2e' \prod_i e_i}$, $a \xleftarrow{u} \{1, 2, \dots, n^2\}$, $X := g^a$.
(AF) $\sigma_i = (e_i, \tilde X_i, y_i)$ with random $\tilde X_i \in QR_n$, $x_i = \tilde X_i^{e'} g^{-h(m_i)}$ and
$$y_i = (X g^{h(x_i)})^{1/e_i} = g^{\frac{a + h(x_i)}{e_i}} = z^{(2e' \prod_{j \neq i} e_j)(a + h(x_i))}.$$
(F) $\sigma = (e, \tilde X, y)$ with $m \neq m_i$ and by assumption $e_i \nmid e$. Since $|e| = |e'| = l + 1 < k - 1$ and $e'$ is prime we have $e \perp e'$ and therefore $e \perp 2e' \prod_i e_i$. If $[m, \sigma]$ is valid then
$$y^e = X g^{h(x)} = z^{(2e' \prod_i e_i)(a + h(x))}.$$
By the above lemma there exists a suitable polynomial time algorithm computing $z^{1/r}$ with
$$r = \frac{e}{\gcd\big(e,\ 2e' \prod_i e_i\,(a + h(x))\big)} = \frac{e}{\gcd(e,\ a + h(x))}.$$
The probability that $r = 1$ is negligible, which is easy to see when representing $a = b\,p'q' + c \in \{1, 2, \dots, n^2\}$. Let $s$ be a prime dividing $e$ and assume that $a + h(x) = b\,p'q' + c + h(x) \equiv 0 \pmod s$ with $c$ and $h(x) \bmod p'q'$ being fixed. Hence
$$\#\{a : a + h(x) \equiv 0 \pmod s,\ a \pmod{p'q'},\ h(x) \text{ fixed}\} = \#\{b : b\,p'q' + c + h(x) \equiv 0 \pmod s,\ c, h(x) \text{ fixed}\} \le \frac{n^2}{p'q's}.$$
Summing over the possible values of $a + h(x) \bmod p'q'$ we conclude that the probability that $a + h(x) \equiv 0 \pmod s$ is asymptotically lower than $\frac{1}{2}$.
To complete the argument it remains to show that the distribution of $g$ is polynomially close to the uniform distribution on $QR_n$. This is obvious since $z^2$ is a random element of $QR_n$ and $e' \prod_i e_i \perp \varphi(n)$. Moreover, since $g$ is chosen uniformly from $QR_n$, the random variable $g^a$, $a \in \{1, 2, \dots, n^2\}$, has a distribution polynomially close to the uniform distribution. To see this we represent as above $a = b\,p'q' + c$ and check that $\#\{a \equiv c \bmod p'q',\ a \le n^2\} = \frac{n^2}{p'q'} + O(1)$. Hence for any $c \bmod p'q'$ the corresponding probability is
$$\frac{\frac{n^2}{p'q'} + O(1)}{n^2} = \frac{1}{p'q'} + O\!\left(\frac{1}{n^2}\right),$$
giving the same probability that $g^a = X \in QR_n$.
Chapter 13
Solutions
13.1 Arithmetical and complexity fundamentals
1. 1) Let $n = \prod_{i=1}^{j} p_i^{\alpha_i}$. Since $M_k(\mathbb{Z}_n^*)$ is isomorphic to $M_k(\mathbb{Z}_{p_1^{\alpha_1}}) \times \cdots \times M_k(\mathbb{Z}_{p_l^{\alpha_l}})$ we get that $\#M_k(\mathbb{Z}_n^*) = \prod \#M_k(\mathbb{Z}_{p_i^{\alpha_i}})$.
2) Let us try to calculate the number of matrices in $M_k(\mathbb{Z}_p)^*$. Let us look at the number of possible choices of $A \in M_k(\mathbb{Z}_p)^*$ and look at its columns $c_1, \dots, c_k$. The first column can be chosen in $p^k - p^0$ ways (the only vector which cannot be chosen is the $0$ vector). We can choose $c_2$ in $p^k - p^1$ ways (it has to be linearly independent from $c_1$, i.e. it cannot be a multiple of $c_1$). Analogously $c_3$ can be any vector from $(\mathbb{Z}_p)^k$ which is not a linear combination of $c_1$ and $c_2$, so we have $p^k - p^2$ choices. For $i = 4, \dots, k$ we get $p^k - p^{i-1}$ choices, so
$$\#M_k(\mathbb{Z}_p)^* = \prod_{i=0}^{k-1} (p^k - p^i).$$
3) To solve the problem for $n = p^\alpha$ and any $A \in M_k(\mathbb{Z}_{p^\alpha})$ we will show that $A \in M_k(\mathbb{Z}_{p^\alpha})^*$ iff $A \pmod p \in M_k(\mathbb{Z}_p)^*$. Here and below $A \pmod p$ means the matrix with the coefficients from $\mathbb{Z}_{p^\alpha}$ considered as elements of $\mathbb{Z}_p$. Let us consider 2 cases:
$\Rightarrow$ If $A \in M_k(\mathbb{Z}_{p^\alpha})^*$ then there exists $A^{-1} \in M_k(\mathbb{Z}_{p^\alpha})^*$. So $(A \pmod p)(A^{-1} \pmod p) = \mathrm{Id} \pmod p$ and $A \pmod p \in M_k(\mathbb{Z}_p)^*$.
$\Leftarrow$ Let us take a matrix $A \in M_k(\mathbb{Z}_{p^\alpha})$ s.t. $A \pmod p \in M_k(\mathbb{Z}_p)^*$. We'll use an indirect proof. If $A \notin M_k(\mathbb{Z}_{p^\alpha})^*$ then its columns $v_1, v_2, \dots, v_k$ are linearly dependent over $\mathbb{Z}_{p^\alpha}$. So there exists a vector $v \in \mathbb{Z}_{p^\alpha}^k$ s.t. $Av = 0$. But if we consider $v \pmod p$ then we see that $A \pmod p$ cannot belong to $M_k(\mathbb{Z}_p)^*$ because its columns are linearly dependent. So the assumption $A \notin M_k(\mathbb{Z}_{p^\alpha})^*$ results in a contradiction.
For each matrix $A \in M_k(\mathbb{Z}_p)^*$ there are $(p^{\alpha-1})^{k^2}$ matrices in $M_k(\mathbb{Z}_{p^\alpha})^*$ congruent to $A$ modulo $p$ (each of the $k^2$ elements in the matrix has $p^{\alpha-1}$ “versions” in $\mathbb{Z}_{p^\alpha}$), so from the fact which we just proved and point 2) we conclude that
$$\#M_k(\mathbb{Z}_{p^\alpha})^* = (p^\alpha)^{k^2} \prod_{i=1}^{k} (1 - p^{-i}).$$
4) From facts 1) and 3) we know that
$$\#M_k(\mathbb{Z}_n)^* = n^{k^2} \prod_{p \mid n} (1 - p^{-1}) \cdots (1 - p^{-k}).$$
Observe that for $k = 1$ we get the standard formula for the Euler function $\varphi(n)$ as expected.
2. a) From the definition of order we know that $h^r \equiv 1 \pmod{p^\alpha}$, so $h^r = (g + tp)^r \equiv g^r \equiv 1 \pmod p$. The generator $g$ has order $p - 1$ in $\mathbb{Z}_p^*$, so $p - 1 \mid r$. On the other hand the order of the subgroup generated by $h$ divides the order of the group $\mathbb{Z}_{p^\alpha}^*$, which is equal to $p^{\alpha-1}(p - 1)$. In other words $p - 1 \mid r$ and $r \mid p^{\alpha-1}(p - 1)$. Therefore $r = p^j(p - 1)$ for some $j \in \{0, \dots, \alpha - 1\}$.
b) Since
$$(g + tp)^{p-1} = \sum_{i=0}^{p-1} \binom{p-1}{i} g^i (tp)^{p-1-i} \equiv 1 + (p - 1) g^{p-2} p t \pmod{p^2},$$
we can take $t = g$ because then $(g + tp)^{p-1} \equiv 1 - p \pmod{p^2}$.
c) The base condition of the induction is fulfilled for $i = 0$, for example when we take $t = g$ in b). Let us take $i < \alpha - 2$ such that $(g + tp)^{p^i(p-1)} = 1 + a_{i+1} p^{i+1}$ where $p \nmid a_{i+1}$. We have that
$$(g + tp)^{p^{i+1}(p-1)} = (1 + a_{i+1} p^{i+1})^p = 1 + a_{i+1} p^{i+2} + \sum_{j=2}^{p} \binom{p}{j} a_{i+1}^j p^{j(i+1)}.$$
From the assumptions we know that $p$ is an odd prime, so $p \ge 3$ and the sum is divisible by $p^{i+3}$. Therefore $(g + tp)^{p^{i+1}(p-1)} = 1 + a_{i+2} p^{i+2}$ for some integer $a_{i+2}$ and this completes the induction step.
13.2 Classical ciphers
1. a) By converting letters to numbers we obtain the following equivalences:
$$\text{“TH”}: s_1 = \begin{pmatrix} 19 \\ 7 \end{pmatrix}, \quad \text{“RH”}: t_1 = \begin{pmatrix} 17 \\ 7 \end{pmatrix}, \quad \text{“HE”}: s_2 = \begin{pmatrix} 7 \\ 4 \end{pmatrix}, \quad \text{“NI”}: t_2 = \begin{pmatrix} 13 \\ 8 \end{pmatrix}.$$
Let us consider the encrypting matrix $A$. Let $B$, $C$ be the matrices with columns $s_1, s_2$ and $t_1, t_2$ respectively. From the Hill cipher definition we know that $A s_i = t_i$ for $i = 1, 2$, which can be written in matrix form as $AB = C$. Matrix $B$ is invertible so $A = CB^{-1}$. From Cramer's rule (or by solving the set of linear equations) we obtain
$$B^{-1} = \begin{pmatrix} 4 & -7 \\ -7 & -7 \end{pmatrix} \quad\text{so}\quad A = \begin{pmatrix} 17 & 13 \\ 7 & 8 \end{pmatrix}\begin{pmatrix} 4 & -7 \\ -7 & -7 \end{pmatrix} = \begin{pmatrix} 13 & 24 \\ 24 & -1 \end{pmatrix}.$$
b) We would like to proceed similarly to the previous case but here we obtain the matrices
$$B = \begin{pmatrix} 6 & 21 \\ 8 & 4 \end{pmatrix} \quad\text{and}\quad C = \begin{pmatrix} 22 & 13 \\ 10 & 2 \end{pmatrix}.$$
The problem is that $B$ is not invertible $\pmod{26}$.
Let us consider the system of equations for the coefficients of $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$. We know that $AB = C$, so
$$\begin{cases} 6a + 8b \equiv -4 \\ -5a + 4b \equiv 13 \end{cases} \quad\text{and}\quad \begin{cases} 6c + 8d \equiv 10 \\ -5c + 4d \equiv 2 \end{cases}.$$
The equations have the solutions $a = 3$, $b \in \{7, 20\}$, $c = 2$, $d \in \{3, 16\}$, so there are 4 different encoding matrices which can produce our transformation.
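The known-plaintext key recovery of exercise 1, as an added example (not code from the notes): with two plaintext digraphs and their ciphertexts it computes $A = CB^{-1}$ when $B$ is invertible mod 26, and otherwise enumerates every row of $A$ over $\mathbb{Z}_{26}^2$, which is how case b) yields four candidate keys. The letter encoding A=0, ..., Z=25 is the one used in the exercise.

```python
from itertools import product
from math import gcd

MOD = 26   # the letters A..Z as 0..25, as in the exercise


def letters_to_vec(digraph):
    """'TH' -> (19, 7)."""
    return tuple(ord(c) - ord("A") for c in digraph.upper())


def mat_from_cols(c1, c2):
    return [[c1[0], c2[0]], [c1[1], c2[1]]]


def inv2(M):
    """Inverse of a 2x2 matrix mod 26, or None when det(M) is not a unit mod 26."""
    det = (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % MOD
    if gcd(det, MOD) != 1:
        return None
    di = pow(det, -1, MOD)
    return [[di * M[1][1] % MOD, -di * M[0][1] % MOD],
            [-di * M[1][0] % MOD, di * M[0][0] % MOD]]


def matmul2(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % MOD for j in range(2)]
            for i in range(2)]


def recover_keys(plain, cipher):
    """All 2x2 Hill keys A with A*s_i = t_i (mod 26) for two known plaintext
    digraphs `plain` and their ciphertext digraphs `cipher`.
    If B (columns s_1, s_2) is invertible the key is unique: A = C B^{-1}.
    Otherwise each row (a, b) of A is found by exhaustive search over Z_26^2,
    which is how exercise 1b ends up with several candidate keys."""
    B = mat_from_cols(*map(letters_to_vec, plain))
    C = mat_from_cols(*map(letters_to_vec, cipher))
    Binv = inv2(B)
    if Binv is not None:
        return [matmul2(C, Binv)]
    rows = []
    for r in range(2):   # row r of A must send column i of B to C[r][i] for i = 0, 1
        rows.append([(a, b) for a, b in product(range(MOD), repeat=2)
                     if all((a * B[0][i] + b * B[1][i]) % MOD == C[r][i]
                            for i in range(2))])
    return [[list(r0), list(r1)] for r0 in rows[0] for r1 in rows[1]]
```

The digraph pairs of case b) are GI, VE mapped to WK, NC (the columns of $B$ and $C$ above); every returned key satisfies $AB = C$ mod 26.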
13.3 Asymmetric cryptology and hard computational problems
1. a) From the definitions of $n$, $e$, $d$ and $M$ we obtain that
$$n = \frac{ed - 1}{M} = \frac{(a'M + a)(b'M + b) - 1}{M} = a'b'M + a' + b' + 1.$$
b) From the definition of $n$ we have $ed \equiv 1 \pmod n$ and by this we can observe that $c^d \equiv m^{ed} \equiv m \pmod n$.
c) We know that $n = \frac{ed - 1}{M}$, which is equivalent to $1 = ed - nM$, so $e \perp n$. Hence the extended Euclidean algorithm produces integers $x$ and $y$ s.t. $1 = ex + yn$, so $x = e^{-1} \pmod n$. On the other hand $c \equiv em \pmod n$ is equivalent to $e^{-1}c \equiv m \pmod n$, so if we want to get $m$ it is enough to take $xc \pmod n$.
2. a) Since $g \in \mathbb{Z}_n^*$ we know that $g \perp p \wedge g \perp q$. Therefore from Euler's theorem $g_1 = g^{\varphi(p) r_1} \equiv 1 \pmod p$. Hence $c_1 \equiv m \pmod p$. Similarly $c_2 \equiv m \pmod q$. These facts combined with the constructive version of the Chinese Remainder Theorem allow us to get back our message $m$.
b) If $g_1 \equiv 1 \pmod n$ then $c_1 \equiv m \pmod n$ and the system is broken because of the choice of the trivial key. Otherwise $\gcd(g_1 - 1, n) = p$ (because in a) we proved that $g_1 \equiv 1 \pmod p$ and $g_1 < n$), so we can compute $p$ and $q$ and proceed as in a).
3. From the Chinese remainder theorem we know that if $m^{ed} \equiv m \pmod p$ and $m^{ed} \equiv m \pmod q$ then $m^{ed} \equiv m \pmod n$ (because $n = pq$). We'll consider just the first case because the second is analogous.
If $p \mid m$ then $m^{ed} \equiv 0 \equiv m \pmod p$.
Otherwise, since $ed \equiv 1 \pmod{\varphi(n)}$ and $\varphi(n) = \varphi(p)\varphi(q)$, we have that $ed \equiv 1 \pmod{\varphi(p)}$ and from Euler's theorem $m^{ed-1} \equiv 1 \pmod p$. Hence $m^{ed} \equiv m \pmod p$.
4. We have to prove the theorem in both directions.
$\Leftarrow$ The proof is analogous to the previous problem. Again we use the Chinese remainder theorem, consider $p$ and $q$ separately and get that $m^{ed} \equiv m \pmod n$.
$\Rightarrow$ Now we know that for all messages $m$ we have $m^{ed} \equiv m \pmod n$. Let us take a generator $g$ of $\mathbb{Z}_p^*$ as the message $m$. The number $g$ is a generator so its order is $p - 1$, so if $g^{ed} \equiv g \pmod{pq}$ then in particular $g^{ed} \equiv g \pmod p$ and $p - 1 \mid ed - 1$. Similarly for $q$ and a generator of $\mathbb{Z}_q^*$, so $p - 1 \mid ed - 1$, $q - 1 \mid ed - 1$ and hence $\mathrm{LCM}(p - 1, q - 1) \mid ed - 1$.
5. We calculate that $\mathrm{LCM}(p - 1, q - 1) = 360$. From the extended Euclidean algorithm we know that $e^{-1} \pmod{360} = 103$, so from the previous exercise we know that 103, 463 and 823 are deciphering keys.
6. If $p \mid m$ then also $p \mid c_A$ and $\gcd(c_A, n) \in \{p, n\}$ depending on whether $q \mid m$ or not. If $\gcd(c_A, n) = p$ then it remains to calculate $m \pmod q$ and get the message from the CRT. The case $\gcd(c_A, n) = q$ is symmetric.
Now we'll solve the case $m \perp n$ (possibly $n$ is just a prime number $p$ or $q$ if one of the previously mentioned cases occurred). We know that $e_A \perp e_B$, so from the extended Euclidean algorithm we get integers $x, y$ such that $x e_A + y e_B = 1$. Let us observe that
$$c_A^x c_B^y \equiv m^{x e_A + y e_B} \equiv m \pmod n.$$
One of the numbers $x, y$ is negative and here we use the assumption that $m \perp n$ to calculate $c_A^{-1} \pmod n$ or $c_B^{-1} \pmod n$.
7. We'll start with 2 known numbers and after some calculations we'll get the message $m$.
1. $m^3$.
2. $m^3 + 3m^2 + 3m + 1$.
3. 1) + 2) $\Rightarrow m(m + 1)$.
4. 1) + 3) $\Rightarrow m^5 + m^4$.
5. 3) $\Rightarrow m^4 + 2m^3 + m^2$.
6. 1) + 5) $\Rightarrow m^4 + m^2$.
7. 4) + 6) $\Rightarrow m^5 - m^2 = m^2(m^3 - 1)$.
8. Let us consider two cases:
i. The number $m^3 - 1$ is invertible $\pmod n$; then from 7) and 1) we can calculate $m^2$ and from 3) we get $m$.
ii. The number $m^3 - 1$ is not invertible $\pmod n$. If $\gcd(m^3 - 1, n) = p$ (symmetrically $q$) then we have factorized $n$ and we can just compute the private key $3^{-1} \pmod{\varphi(n)}$. If $\gcd(m^3 - 1, n) = n$ then $m \in \mathbb{Z}_n^*$ and $m^3 \equiv 1 \pmod n$, so the order of $m$ is 3 or 1. But from Lagrange's theorem the order of the subgroup divides the order of the group, which is $\varphi(n)$ and by assumption is not divisible by 3. Hence the order of $m$ is 1, i.e. $m = 1$. This case can be checked manually.
8. First we need to calculate the number of messages $m \in \mathbb{Z}_n$ such that $n = pq \mid m^e - m$. In other words we calculate the number of messages $m \in \mathbb{Z}_n$ such that $p \mid m^e - m$ and $q \mid m^e - m$. Let us look at the message $m \pmod p$.
$0$ is always one of the possible solutions.
If $m \neq 0$ then $m$ has an inverse and $p \mid m^{e-1} - 1$. Let $m = g^s$ where $g$ is a generator of $\mathbb{Z}_p^*$. From the previous facts we see that $p \mid g^{s(e-1)} - 1$, so $g^{s(e-1)} \equiv 1 \pmod p$.
Let $d = \gcd(p - 1, e - 1)$. Since $g$ is a generator we have that $p - 1 \mid s(e - 1)$ and $\frac{p-1}{d} \mid s$. Therefore we get the solutions $s_k = k\,\frac{p-1}{d}$ for $k = 0, 1, \dots, d - 1$. If we take any other integer $k$ we won't get anything new because $s_k$ will be congruent modulo $(p - 1)$.
Together with $m \equiv 0 \pmod p$ we get $1 + \gcd(p - 1, e - 1)$ solutions for $p$.
In the same way we get $1 + \gcd(q - 1, e - 1)$ solutions for $q$.
For each pair of solutions modulo $p$ and $q$ from the CRT we can get exactly one message $m < n$. Hence we get our equality.
Now we want to minimize the number of messages $m$ which do not change when raised to the power $e$. Since we assume that $e \perp \varphi(n)$ and $2 \mid \varphi(n)$ for $n > 2$, we know that $2 \mid \gcd(p - 1, e - 1)$ and $2 \mid \gcd(q - 1, e - 1)$, so
$$\#\{m \in \mathbb{Z}_n : m^e = m\} = (1 + \gcd(e - 1, p - 1))(1 + \gcd(e - 1, q - 1)) \ge 9.$$
Now it remains to find $e$ for which we achieve the bound. Taking $e = (p - 1)(q - 1) - 1$ is enough. The only common divisor of $e - 1$ and $p - 1$ or $q - 1$ is 2.
9. First we check if $n$ is the square of some prime number. If it is, we're done.
Otherwise we know that $n = pq$ and $\varphi(n) = (q - 1)(p - 1)$ for some prime numbers $p, q$. The second equation is equivalent to $p + q = n - \varphi(n) + 1$. If we call the right side $k$ we can observe that the equation $x^2 - xk + n = x^2 - x(p + q) + pq = 0$ has 2 solutions $p$ and $q$, which are the numbers we're looking for.
13.4 Conditional factoring
1. Let us take a number $M$ such that $p - 1 \mid M$. Then $\forall a \in \mathbb{Z}_p^*:\ a^M \equiv 1 \pmod p$, so $p \mid \gcd(a^M - 1, n)$. If $\gcd(a^M - 1, n) \neq n$ we found a nontrivial divisor of $n$ and we are done. But what happens when $\gcd(a^M - 1, n) = n$?
Let us consider $\lambda(n)$ (the exponent of the group $\mathbb{Z}_n^*$, i.e. the least positive integer $e$ such that $\forall a \in \mathbb{Z}_n^*:\ a^e = 1$, the so-called Carmichael function) and two cases:
1. If $\lambda(n) \nmid M$ then $G = \{a \in \mathbb{Z}_n^* : a^M = 1\}$ is a proper subgroup of $\mathbb{Z}_n^*$ and from Lagrange's theorem its order is a divisor of $\#\mathbb{Z}_n^*$. Hence $\frac{\#G}{\#\mathbb{Z}_n^*} \le \frac{1}{2}$, so if we choose a random $a$ sufficiently many times we have a big chance to pick a number $a$ which does not belong to $G$.
2. The second case is when $\lambda(n) \mid M$. But here we can use lemma 7.2. Finding $l$ might take not more than logarithmic time, so if we take random $a$ many times we'll find a nontrivial divisor with probability arbitrarily close to 1 in polynomial time.
But how to choose $M$?
It is enough to take
$$M = \prod_{q \in \mathbb{P},\ q \le B} q^{\lfloor \frac{\ln n}{\ln q} \rfloor}.$$
By taking the logarithm of both sides we get that
$$\ln M = \sum_{q \in \mathbb{P},\ q \le B} \left\lfloor \frac{\ln n}{\ln q} \right\rfloor \ln q \le B \ln n = O(B \ln n).$$
If $n = p_1^{e_1} \cdots p_k^{e_k}$ then $2^{e_1 + \cdots + e_k} \le n$. Therefore $e_1 + \cdots + e_k \le \frac{\ln n}{\ln 2}$ and the algorithm needs to be repeated $O(\ln n)$ times to factorize $n$.
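Pollard's $p-1$ step with the exponent $M = \prod_{q \le B} q^{\lfloor \ln n / \ln q \rfloor}$ chosen above, as an added example (not code from the notes). It retries with fresh bases when $\gcd(a^M - 1, n) = 1$, and when the gcd is $n$ (the case $\lambda(n) \mid M$) it halves the exponent looking for a nontrivial square root of 1; the page cites a "lemma 7.2" for that case which is not reproduced here, so treating it as this root-of-unity trick is my assumption. The test moduli are constructed from small primes.

```python
import random
from math import gcd, isqrt


def primes_up_to(B):
    """Primes <= B by a simple sieve."""
    sieve = bytearray([1]) * (B + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(B) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, B + 1, i)))
    return [i for i in range(2, B + 1) if sieve[i]]


def smooth_exponent(n, B):
    """M = prod_{q prime, q <= B} q^{floor(ln n / ln q)} (largest prime powers <= n),
    so that p - 1 | M for every prime p <= n whose p - 1 is B-smooth."""
    M = 1
    for q in primes_up_to(B):
        pk = q
        while pk * q <= n:
            pk *= q
        M *= pk
    return M


def split_with_root_of_unity(n, a, M):
    """Case a^M = 1 (mod n), i.e. lambda(n) | M. Halve the exponent while the
    power stays 1; the first a^{M/2^l} != 1 squares to 1, and unless it is -1
    its gcd with n splits n. Assumption: this is the content of the 'lemma 7.2'
    cited by the solution, which is not reproduced on the page."""
    e = M
    while e % 2 == 0:
        e //= 2
        r = pow(a, e, n)
        if r != 1:
            d = gcd(r - 1, n)
            return d if 1 < d < n else None
    return None


def pollard_p_minus_1(n, B, tries=20, seed=7):
    """Return a nontrivial divisor of n, or None after `tries` random bases."""
    rng = random.Random(seed)   # constructed seed for reproducibility
    M = smooth_exponent(n, B)
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        d = gcd(a, n)
        if d > 1:
            return d                      # the base itself shares a factor with n
        d = gcd(pow(a, M, n) - 1, n)
        if 1 < d < n:
            return d                      # p - 1 | M but lambda(n) does not divide M
        if d == n:
            d = split_with_root_of_unity(n, a, M)
            if d is not None:
                return d
    return None
```

With $n = 2311 \cdot 2027$ (where $2310 = 2\cdot3\cdot5\cdot7\cdot11$ is 11-smooth and $2026 = 2 \cdot 1013$ is not) the first gcd already splits $n$; with $n = 2311 \cdot 211$ both $p-1$ and $q-1$ are 11-smooth, so every $a^M \equiv 1$ and only the root-of-unity fallback succeeds.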
2. Let $H = \{a \in \mathbb{Z}_{p^2}^* : a^{n-1} = 1\}$ be a subgroup of $\mathbb{Z}_{p^2}^*$. Let us also assume that $p^2 \mid n$ for some prime $p$ ($p > 2$). We have $a^{n-1} \equiv 1 \pmod{p^2}$ for all $2 \le a \le (\ln n)^2$, in particular for all $2 \le a \le (\ln p^2)^2$. From the lemma applied to $p^2$, we have $\#H \ge \#\{a \le p^2 : a \text{ is } (\ln p^2)^2\text{-smooth}\} > p$.
On the other side, $H$ is a cyclic group as a subgroup of the cyclic group $\mathbb{Z}_{p^2}^*$. We know that for every $a \in H$, $a^{n-1} = 1$, so $\#H \mid n - 1$. We also have $\#H \mid \#\mathbb{Z}_{p^2}^* = p(p - 1)$. Hence $\#H \mid \gcd(n - 1, p(p - 1)) \mid p - 1$, so $\#H \le p - 1$, which is a contradiction with $\#H > p$.
3. First we will show how we can check the three conditions in polynomial time (of course we can check the first one, and we will show that if the first one holds, then we can check the second and third one).
Assume that $a^{n-1} \equiv 1 \pmod n$. We have $\mathrm{ord}_n(a) \mid n - 1 = q_1^{e_1} \cdots q_k^{e_k}$, where $q_1, \dots, q_k$ are prime numbers less than or equal to $B$ and $e_1 + \cdots + e_k < \ln n$. Hence $\mathrm{ord}_n(a) = q_1^{f_1} \cdots q_k^{f_k}$, where $f_i \le e_i$ for all $1 \le i \le k$. We will compute $f_i$. First we check $a^{\frac{n-1}{q_i}} \equiv 1 \pmod n$. If it doesn't hold we have $f_i = e_i$; in the other case we have $f_i < e_i$ and we can continue by checking $a^{\frac{n-1}{q_i^2}} \equiv 1 \pmod n$ and so on. When we have the factorization of $\mathrm{ord}_n(a)$ it is of course easy to check the second and third assumptions.
Now we will show that if any assumption doesn't hold, $n$ has to be composite.
If $n$ is prime, of course we have $a^{n-1} \equiv 1 \pmod n$.
Because $\mathrm{GCD}(a^{\mathrm{ord}_n(a)/q} - 1, n) \mid n$ and $\mathrm{GCD}(a^{\mathrm{ord}_n(a)/q} - 1, n) < n$, if we have $\mathrm{GCD}(a^{\mathrm{ord}_n(a)/q} - 1, n) > 1$ we also have that $n$ is composite.
Finally, for prime $n$ the group $\mathbb{Z}_n^*$ is cyclic. Hence
$$\mathrm{LCM}_{2 \le a \le (\ln n)^2} \mathrm{ord}_n(a) = \#\langle a \in \mathbb{Z}_n^* : 2 \le a \le (\ln n)^2 \rangle \ge \Psi(n, (\ln n)^2) > \sqrt{n}.$$
The last part is to show that our three assumptions imply that $n$ is prime.
We suppose $n$ is composite and consider the smallest prime factor $p$ of $n$ (hence $p \le \sqrt{n}$). In general, if $\mathrm{GCD}(a, n) = 1$ and $p \mid n$, we have $\mathrm{ord}_p(a) \mid \mathrm{ord}_n(a)$. Let $2 \le a \le (\ln n)^2$. Assume that $\mathrm{ord}_p(a)$ is a proper divisor of $\mathrm{ord}_n(a)$. Then $\mathrm{ord}_p(a) \mid \frac{\mathrm{ord}_n(a)}{q}$ for some prime $q$. Hence $a^{\mathrm{ord}_n(a)/q} \equiv 1 \pmod p$, so $p \mid a^{\mathrm{ord}_n(a)/q} - 1$ and $p \mid \mathrm{GCD}(a^{\mathrm{ord}_n(a)/q} - 1, n)$, which is a contradiction with assumption b. Hence we have $\mathrm{ord}_p(a) = \mathrm{ord}_n(a)$ for all $2 \le a \le (\ln n)^2$.
Let $A = \mathrm{LCM}_{2 \le a \le (\ln n)^2} \mathrm{ord}_n(a) = \mathrm{LCM}_{2 \le a \le (\ln n)^2} \mathrm{ord}_p(a) \mid p - 1$. We have $A \le p - 1 < \sqrt{n}$. This is in contradiction with assumption c, so we have that $n$ is prime.
4. Let's first note that it is sufficient to consider the case when $\#B = 2$. If the lemma is true for $\#B = 2$, then by induction: $B = \{b_1, \dots, b_k\}$, apply the lemma to $B' = \{b_1, \dots, b_{k-1}\}$, which either gives us a factor of $n$ or a generator $c$ of $B'$ and $\langle B \rangle = \langle c, b_k \rangle$, $\mathrm{ord}(c) = \mathrm{lcm}(\mathrm{ord}(b_1), \dots, \mathrm{ord}(b_{k-1}))$.
Let's from now on assume $B = \{a, b\}$. Moreover, we can assume that $\mathrm{ord}(a) = s^\alpha$ and $\mathrm{ord}(b) = s^\beta$, $\alpha \le \beta$, $s \in \mathbb{P}$. This is because we can factorize $\mathrm{ord}(a)$ and $\mathrm{ord}(b)$, since both are $q$-smooth. Then let's take
$$a_s = a^{\mathrm{ord}(a)/s^\alpha},\ s \in \mathbb{P},\ s^\alpha \,\|\, \mathrm{ord}(a), \qquad b_s = b^{\mathrm{ord}(b)/s^\beta},\ s \in \mathbb{P},\ s^\beta \,\|\, \mathrm{ord}(b).$$
Then $\mathrm{ord}(a_s) = s^\alpha$ and $\mathrm{ord}(b_s) = s^\beta$. Let's then take $B_s = \{a_s, b_s\}$ and apply the lemma for every $s$, which either gives us a factor of $n$ or a generator of $\langle B_s \rangle = \langle c_s \rangle$. Then $\langle B \rangle = \langle \prod_s c_s \rangle$.
Keeping in mind the above considerations it is now sufficient to show the algorithm for the following problem:
Input: $n \in \mathbb{N}$, $2 \nmid n$; $a, b \in \mathbb{Z}_n^*$; $s \in \mathbb{P}$, $\alpha \in \mathbb{N}$, $\mathrm{ord}_n(b) = s^\alpha$; $a^{s^\alpha} = 1$.
Output: a “proof” that $a \in \langle b \rangle$ or a nontrivial factor of $n$.
Write $n = p_1^{f_1} \cdots p_k^{f_k}$, so that $\mathbb{Z}_n^* \simeq \mathbb{Z}_{p_1^{f_1}}^* \times \cdots \times \mathbb{Z}_{p_k^{f_k}}^*$. We can write $a = (a_1, \dots, a_k)$, $b = (b_1, \dots, b_k)$. For some $i$ we have $\mathrm{ord}_i(b) = s^\alpha$. Of course $a_i^{s^\alpha} = 1$. There is some $l \in \mathbb{Z}$ such that $b_i^l = a_i$.
Now we will show how to find a “proof” that $b^l = a$ or a nontrivial factor of $n$. Let's write $l = l_0 + l_1 s + \cdots + l_{\alpha-1} s^{\alpha-1}$. We have $b_i^{l_0 + l_1 s + \cdots + l_{\alpha-1} s^{\alpha-1}} = a_i$. But
$$(b_i^{s^{\alpha-1}})^{l_0} = a_i^{s^{\alpha-1}} \iff p_i^{f_i} \mid \gcd\big((b^{s^{\alpha-1}})^{l_0} - a^{s^{\alpha-1}},\ n\big).$$
So it is sufficient to check whether $1 < \gcd((b^{s^{\alpha-1}})^j - a^{s^{\alpha-1}}, n) < n$ for $j = 0, \dots, s - 1$. For some $j$ we will have $\gcd((b^{s^{\alpha-1}})^j - a^{s^{\alpha-1}}, n) > 1$. Then either this gcd will be a nontrivial factor of $n$ or it will be equal to $n$. But then $(b^{s^{\alpha-1}})^j = a^{s^{\alpha-1}}$ and $(b_i^{s^{\alpha-1}})^j = a_i^{s^{\alpha-1}}$. Hence $j = l_0$. So now we have $b_i^{l_1 s + \cdots + l_{\alpha-1} s^{\alpha-1}} = a_i b_i^{-l_0}$ and then
$$(b_i^{s^{\alpha-1}})^{l_1} = (a_i b_i^{-l_0})^{s^{\alpha-2}} \iff p_i^{f_i} \mid \gcd\big((b^{s^{\alpha-1}})^{l_1} - (a b^{-l_0})^{s^{\alpha-2}},\ n\big),$$
which gives us the similar case.
5. Let $M = \prod_{q \in \mathbb{P},\ q \le B} q^{\lfloor \frac{\ln n}{\ln q} \rfloor}$. Then $p - 1 \mid M$ and $\ln M \le B \ln n$. Take some $a \in \mathbb{Z}_n$. Then we have $a^M \equiv 1 \pmod p$, and thus $p \mid \gcd(a^M - 1, n)$. If $\gcd(a^M - 1, n) < n$ then we have a nontrivial factor. Let's assume the following (if any of these points is not true we easily find a divisor of $n$, see exercise 3):
1. $a^M \equiv 1 \pmod n$ for all $2 \le a \le (\ln n)^2$
2. $\gcd(a^{\mathrm{ord}_n(a)/q} - 1, n) = 1$ for every $2 \le a \le (\ln n)^2$ and every prime divisor $q$ of $\mathrm{ord}_n(a)$
3. $H := \langle 2, \dots, \lfloor (\ln n)^2 \rfloor \rangle$ is cyclic
We will show that $n$ is prime. Here we have that $\mathrm{ord}_s(a) = \mathrm{ord}_n(a)$ for $2 \le a \le (\ln n)^2$, where $s$ is the smallest prime factor of $n$. We know that
$$\#H \ge \psi(n, (\ln n)^2) > \sqrt{n}.$$
But on the other hand, because $H$ is cyclic, we have
$$\#H = \mathrm{lcm}_{2 \le a \le (\ln n)^2} \mathrm{ord}_n(a) = \mathrm{lcm}_{2 \le a \le (\ln n)^2} \mathrm{ord}_s(a) \mid s - 1.$$
If $n$ is not prime, then obviously $s - 1 < \sqrt{n}$, which gives us the contradiction.
6. We will prove the equivalence in both ways.
($\Rightarrow$) For prime numbers we have $a^{\frac{n-1}{2}} = \left(\frac{a}{n}\right) \in \{-1, 1\}$.
($\Leftarrow$) We will consider two cases:
1. $n = lm$, $\mathrm{GCD}(l, m) = 1$: Using the CRT ($\mathbb{Z}_n^* \simeq \mathbb{Z}_l^* \times \mathbb{Z}_m^*$) we can choose $b$ of order $\varphi(l)$. Then we have the contradiction
$$1 = b^{n-1} = b^{\varphi(l)\varphi(m) + (n - 1 - \varphi(n))} \neq 1.$$
2. $n = p^\alpha$, $p \in \mathbb{P}$, $\alpha \ge 2$:
$$a^{\frac{n-1}{2}} = \pm 1\ \ \forall a \in \mathbb{Z}_n^* \quad\Longrightarrow\quad \forall a \in \mathbb{Z}_n^*:\ a^{n-1} = 1.$$
$\mathbb{Z}_{p^\alpha}^*$ is cyclic of order $p^{\alpha-1}(p - 1)$. Take $b \in \mathbb{Z}_{p^\alpha}^*$ of order $p$. Then $b^{n-1} = 1$, so $p \mid n - 1 = p^\alpha - 1$ and we get the contradiction.
7. We will consider two cases:
1. $n$ is prime. For a random $a \in \mathbb{Z}_n^*$ we conclude that $P(a^{\frac{n-1}{2}} = 1) = \frac{1}{2}$. Now we denote $f(a) = a^{\frac{n-1}{2}}$ for $a \in \mathbb{Z}_n^*$; we have $\#f^{-1}(1) = \#f^{-1}(-1)$, and $b \in \ker(f)$ where $b^{\frac{n-1}{2}} = 1$. So if $n$ is prime then the probability is $2^{-k}$.
2. $n$ is composite:
i. $\{a^{\frac{n-1}{2}} : a \in \mathbb{Z}_n^*\} = \{1\}$ - then case 2 is false.
ii. $\#\{a^{\frac{n-1}{2}} : a \in \mathbb{Z}_n^*\} > 2$ - then $\{a \in \mathbb{Z}_n^* : a^{\frac{n-1}{2}} = \pm 1\} = f^{-1}(\pm 1)$ is a proper subgroup of $\mathbb{Z}_n^*$, so $\#f^{-1}(\pm 1) \le \frac{\#\mathbb{Z}_n^*}{2}$.
8. We want to prove that every Carmichael number is odd, squarefree, and divisible by at least three distinct primes.
1. Assume that $p^\alpha \mid n$, $\alpha > 1$, $p \neq 2$. Using the Carmichael function $\lambda(n)$ we have
$$\lambda(p^\alpha) = p^{\alpha-1}(p - 1) \mid \lambda(n) \mid n - 1$$
and we get the contradiction $p \mid n - 1$.
2. Now let us assume that $n = pq$ for $p, q \in \mathbb{P} \setminus \{2\}$ such that $p \neq q$. From the following relations
$$p - 1 = \lambda(p) \mid \lambda(n) \mid n - 1, \qquad q - 1 = \lambda(q) \mid \lambda(n) \mid n - 1$$
we conclude that $n - 1 = pq - 1 = p(q - 1) + (p - 1) = q(p - 1) + (q - 1)$, so $p = q$, which gives us the contradiction.
9. We will prove the polynomial time equivalence in both ways:
Finding square roots reduced to finding a quadratic nonresidue: the following algorithm (known as the Tonelli-Shanks algorithm), which calculates a square root of $a$, can be derandomized when we have found a quadratic nonresidue $\pmod p$. We assume that $p$ is odd.
1. choose a random $g \in \mathbb{Z}$ for which $\left(\frac{g}{p}\right) = -1$
2. let $p - 1 = 2^s t$, $2 \nmid t$
3. $e \leftarrow 0$
4. for $i = 1, 2, \dots, s - 1$ do: if $(a g^{-e})^{\frac{p-1}{2^{i+1}}} \neq 1$ then $e \leftarrow 2^i + e$
5. $h \leftarrow a g^{-e}$
6. $b \leftarrow g^{e/2} h^{\frac{t+1}{2}}$
7. return $b$
Finding a quadratic nonresidue reduced to finding square roots: we can calculate $\sqrt{-1}$, $\sqrt[4]{-1} = \sqrt{\sqrt{-1}}$, $\sqrt[8]{-1} = \sqrt{\sqrt{\sqrt{-1}}}, \dots$ in the field $\mathbb{Z}_p$ and at some point we will obtain a quadratic nonresidue.
10. First we will show that square rooting reduces in random polynomial time to the problem of factoring.
Let $n = p_1^{e_1} \cdots p_k^{e_k}$ and $x^2 \equiv a \pmod n$, which is equivalent (Chinese Remainder Theorem) to $x^2 \equiv a \pmod{p_i^{e_i}}$ for $i = 1, \dots, k$.
We can compute roots modulo $p$ for $p$ prime. Now we will show how to compute a square root modulo $p^{l+1}$ from a square root modulo $p^l$.
Suppose $x^2 \equiv a \pmod{p^l}$ ($p \in \mathbb{P}$, $p \neq 2$). If $y^2 \equiv a \pmod{p^{l+1}}$, we have $y \equiv \pm x \pmod{p^l}$, so we are looking for $y = x + bp^l$. From $y^2 \equiv a \pmod{p^{l+1}}$ we have $x^2 + 2xbp^l \equiv a \pmod{p^{l+1}}$ and $2xbp^l \equiv a - x^2 \pmod{p^{l+1}}$, which, writing $a - x^2 = cp^l$, is equivalent to $2xb \equiv c \pmod p$, and also $b \equiv 2^{-1} x^{-1} c \pmod p$.
The fact that factoring reduces in random polynomial time to square rooting in the case $n = p_1 p_2$ for prime numbers $p_1, p_2$ is a conclusion from the next exercise: we can randomly choose $a \in \mathbb{Z}_n^*$, compute $b = a^2$ and solve the equation $x^2 = b$. We can find $p_1, p_2$ with probability $\frac{1}{2}$.
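The two procedures of exercises 9 and 10 combined, as an added example (not code from the notes): the Tonelli-Shanks variant listed in exercise 9, with the nonresidue $g$ either supplied or found by searching the smallest one (the only non-deterministic step), and the lift from a root modulo $p^l$ to one modulo $p^{l+1}$ of exercise 10 with $b \equiv (2x)^{-1} c \pmod p$. The test values ($p = 41$, $a = 2$) are constructed; `pow(x, -1, p)` needs Python 3.8+.

```python
def legendre(a, p):
    """Euler's criterion: 1 for a residue, p-1 (i.e. -1) for a nonresidue, 0 if p | a."""
    return pow(a % p, (p - 1) // 2, p)


def sqrt_mod_prime(a, p, g=None):
    """Square root of the quadratic residue a modulo the odd prime p, following
    the seven steps of exercise 9. `g` is a quadratic nonresidue mod p; if it is
    None the smallest one is found by search (the randomized step of the
    reduction; with g given, the algorithm is deterministic)."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        raise ValueError("a is not a quadratic residue mod p")
    if g is None:                                   # step 1
        g = next(x for x in range(2, p) if legendre(x, p) == p - 1)
    s, t = 0, p - 1                                 # step 2: p - 1 = 2^s t, t odd
    while t % 2 == 0:
        s += 1
        t //= 2
    e = 0                                           # step 3
    for i in range(1, s):                           # step 4
        if pow(a * pow(g, -e, p), (p - 1) >> (i + 1), p) != 1:
            e += 1 << i
    h = a * pow(g, -e, p) % p                       # step 5: now h^t = 1
    return pow(g, e // 2, p) * pow(h, (t + 1) // 2, p) % p   # step 6: b^2 = g^e h^{t+1} = a


def lift_sqrt(x, a, p, l):
    """Given x^2 = a (mod p^l) with p odd and p not dividing x, return y with
    y^2 = a (mod p^{l+1}): y = x + b p^l, b = (2x)^{-1} c (mod p), c = (a - x^2)/p^l."""
    pl = p ** l
    c = ((a - x * x) // pl) % p       # exact division: p^l | a - x^2 by hypothesis
    b = c * pow(2 * x, -1, p) % p
    return (x + b * pl) % (pl * p)


def sqrt_mod_prime_power(a, p, k):
    """Square root of a modulo p^k (p odd prime, p not dividing a): root mod p, then k-1 lifts."""
    x = sqrt_mod_prime(a, p)
    for l in range(1, k):
        x = lift_sqrt(x, a, p, l)
    return x
```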
11. Let $a \equiv a_i \pmod{p_i}$ for $i = 1, 2$. We have four solutions of the equation $x^2 = b$, namely $(\pm a_1, \pm a_2)$. If Bob got $(a_1, a_2)$ or $(-a_1, -a_2)$ he didn't get any new information and can't factor $n$. If it was for example $(a_1, -a_2)$ (the same for $(-a_1, a_2)$), he can compute $c = (a_1, -a_2) + (a_1, a_2) = (2a_1, 0)$ and has $p_2 = \gcd(n, c)$. Hence the probability of Bob's win is $\frac{1}{2}$.
12. We know that $\mathbb{Z}_n^* \simeq \mathbb{Z}_{p_1}^* \times \mathbb{Z}_{p_2}^*$. Let $a = (a_1, a_2)$. The solutions of the equation $x^4 = b$ are $x = (\varepsilon_1^i a_1, \varepsilon_2^j a_2)$, where $0 \le i, j \le 3$ and $\varepsilon_i$ is an element of order 4 in $\mathbb{Z}_{p_i}^*$. Let $c^4 = b$, $ca^{-1} = (\alpha, \beta)$ and
$$B = \{(a_1, a_2),\ (-a_1, -a_2),\ (\varepsilon_1 a_1, \varepsilon_2 a_2),\ (\varepsilon_1^3 a_1, \varepsilon_2^3 a_2),\ (\varepsilon_1^3 a_1, \varepsilon_2 a_2),\ (\varepsilon_1 a_1, \varepsilon_2^3 a_2)\}.$$
If $c \in B$, then $\mathrm{ord}(\alpha) = \mathrm{ord}(\beta)$. If $c \notin B$, then $\mathrm{ord}(\alpha) \neq \mathrm{ord}(\beta)$ (and $\mathrm{ord}(\alpha), \mathrm{ord}(\beta) \in \{1, 2, 4\}$). In the second case Bob can find $p_1, p_2$; we show it on the example $\mathrm{ord}(\alpha) = 2$, $\mathrm{ord}(\beta) = 4$. We have $(\alpha, \beta)^2 = (1, \neq 1)$, so $(\alpha, \beta)^2 - 1 = (0, \neq 0)$ and $\gcd((\alpha, \beta)^2 - 1, n) = p_1$.
13. 1. Let $f = a_0 + a_1 X + \dots + a_l X^l$ and $n = \max\{m : \forall i\ (a_i \neq 0 \Rightarrow p^m \mid i)\}$. Because in $\mathbb{F}_p[X]$ we have $(\alpha + \beta)^{p^m} = \alpha^{p^m} + \beta^{p^m}$, we have $f = h^{p^n}$ for some $h \in \mathbb{F}_p[X]$ with $h' \neq 0$. Now we have $f_1 \cdots f_k = \frac{h}{\gcd(h, h')}$.
2. We assume that $f$ is squarefree (it's not necessary, but it reduces computations). Let $I_d$ be the set of all monic irreducible polynomials of degree $d$ in $\mathbb{F}_p[X]$. We have (a fact from Algebra II, we assume it's true)
$$X^{p^n} - X = \prod_{d \mid n} \prod_{q \in I_d} q.$$
Hence $g_d = \gcd(f, X^{p^d} - X)$.
3. Let $g_d = q_1 q_2 \cdots q_s$ be the decomposition of $g_d$ into a product of $s$ irreducible polynomials. We have
$$(\mathbb{F}_p[X]/(g_d))^* \simeq (\mathbb{F}_p[X]/(q_1))^* \times \dots \times (\mathbb{F}_p[X]/(q_s))^* \simeq \mathbb{F}_{p^d}^* \times \dots \times \mathbb{F}_{p^d}^*.$$
Let us take a random $\alpha \in \mathbb{F}_p[X]/(g_d)$. If $\gcd(\alpha, g_d)$ is nontrivial, then it's a nontrivial factor of $g_d$. Otherwise $\alpha \in (\mathbb{F}_p[X]/(g_d))^*$. We look at $\gcd(\alpha^{\frac{p-1}{2}} - 1, g_d)$, which will be a nontrivial factor of $g_d$ with probability $1 - \frac{2}{2^s} = 1 - 2^{1-s}$ (we have $\alpha^{\frac{p-1}{2}} = (\pm 1, \dots, \pm 1)$, so the gcd is a trivial factor if and only if $\alpha^{\frac{p-1}{2}} = \pm(1, \dots, 1)$).
14. Ad. 1. $\tau(n_1 n_2) = \tau(n_1)\tau(n_2)$ for $n_1, n_2$ coprime. Given the factorization $n = p_1^{e_1} \cdots p_k^{e_k}$ we have
$$\tau(n) = \prod_{i=1}^{k} \tau(p_i^{e_i}) = \prod_{i} (1 + p_i + \dots + p_i^{e_i}) = \prod_{i} \frac{1 - p_i^{e_i + 1}}{1 - p_i}.$$
Ad. 2. We will show it only in the case of square-free $n$. However, it's true for non-square-free $n$ too. For square-free $n = p_1 \cdots p_k$ we have $\tau(n) = (p_1 + 1) \cdots (p_k + 1)$. Let's consider the following algorithm:
Input: $n \in \mathbb{N}$, $\tau(n)$, $n$ square-free.
Output: complete factorization of $n$.
1. If $\tau(n) = n + 1$ then stop ($n$ is prime).
2. If $n$ is even, then stop ($n = 2m$, $2 \nmid m$, $\tau(m) = \frac{\tau(n)}{3}$).
3. Try to factor $n$ using Pollard's $p - 1$ algorithm with $M = \tau(n)$.
4. Choose a random $a \in \mathbb{Z}_n^*$.
5. Choose random $\alpha, \beta \in \mathbb{Z}_n$, not both zero. If $\gcd(\alpha, n)$ or $\gcd(\beta, n)$ is a nontrivial factor of $n$ then stop.
6. For $r = \alpha X + \beta$ compute $r^{\tau(n)} = \delta X + \gamma \pmod{X^2 - a}$.
7. If $\gcd(\delta, n)$ is a nontrivial factor then stop. Otherwise goto 5.
Now let's prove the correctness of the above algorithm. First assume that $a \in QR(p)$ and $a \notin QR(q)$ for some prime divisors $p, q$ of $n$. This is true with probability $\frac{1}{4}$; it's enough to execute the algorithm simultaneously in a sufficient number of copies to have an arbitrary probability. We will show that $\delta \equiv 0 \pmod p$, i.e. $r^{\tau(n)} \in \mathbb{F}_p$:
$$\mathbb{Z}_p = \mathbb{F}_p \subseteq \mathbb{Z}_p[X]/(X^2 - a) \simeq \mathbb{F}_{p^2}.$$
$r \in \mathbb{F}_{p^2}^*$, thus $r^{p^2 - 1} = 1$, $(r^{p+1})^{p-1} = 1$ and $(r^{p+1})^p = r^{p+1}$. So $r^{p+1} \in \mathbb{F}_p$, which implies that $r^{\tau(n)} = (r^{p+1})^k \in \mathbb{F}_p$ and thus $\delta \equiv 0 \pmod p$.
Now we will show that with probability $\ge \frac{1}{2}$ (on random $r$) $q \nmid \delta$. We have
$$\mathbb{Z}_q[X]/(X^2 - a) \simeq \mathbb{Z}_q \times \mathbb{Z}_q.$$
Let's mark the following elements:
$$u_1 X + v_1 \leftrightarrow (1, 0), \qquad u_2 X + v_2 \leftrightarrow (0, 1), \qquad r \leftrightarrow (c_1, c_2).$$
Thus $r = c_1(u_1 X + v_1) + c_2(u_2 X + v_2)$, $r^{\tau(n)} = c_1^{\tau(n)}(u_1 X + v_1) + c_2^{\tau(n)}(u_2 X + v_2)$ and $\delta = c_1^{\tau(n)} u_1 + c_2^{\tau(n)} u_2$.
Assume that $q \mid \delta$. Then $c_1^{\tau(n)} u_1 + c_2^{\tau(n)} u_2 \equiv 0 \pmod q$, but $u_1, u_2 \not\equiv 0 \pmod q$. Thus $c_2^{\tau(n)} = -c_1^{\tau(n)} u_1 u_2^{-1}$. Let's see how many elements $c_1, c_2$ may fulfill this equality:
$$\frac{\#\{(c_1, c_2) \in \mathbb{Z}_q \times \mathbb{Z}_q \setminus \{(0, 0)\} : c_2^{\tau(n)} = -c_1^{\tau(n)} u_1 u_2^{-1}\}}{q^2 - 1} \le \frac{(q - 1)\gcd(\tau(n), q - 1)}{q^2 - 1} \le \frac{1}{2}\cdot\frac{q - 1}{q + 1} \le \frac{1}{2}.$$
The last but one inequality follows from the fact $q - 1 \nmid \tau(n)$ (see step 3 of the algorithm).