Advanced Cryptography
CSCI762
Spring 2020
Assignment 0, Tuesday, January 21
Final exam from the first cryptography course in Fall 2019.
This is to see how much of the common background this group
has. Do not study for this exam; at most, review what
you had in earlier cryptography-related courses. This way
I will be able to see better what to focus on in class.
Assignment 1, due Tuesday, February 4
Decrypt the ciphertext from Table 7.4, page 305
(6.3, page 278 in the third edition),
which was obtained by an application of the ElGamal Cryptosystem
7.1, page 257 (6.1, page 235).
The parameters of the system are p = 31847 = 1 + 2*15923 (15923
is prime), alpha=5, a=7899
and beta=18074. Each element of Z_{p}
in the range <0,17575> represents three
alphabetic characters as in Exercise
6.13 page 247 (5.12 page 227).
You have to use the square-and-multiply algorithm
for modular exponentiation, and
the Extended Euclid Algorithm
or another not-by-force algorithm for calculating modular inverses.
You may use parts of the code from previous course assignments.
What are the secret values of parameter k used for encryption?
Use both Shanks' algorithm and brute force (for verification) to find them.
Note that the k's are not needed for the decryption. In this
toy example they can be found with the help of any discrete logarithm
algorithm. Find the first 30 values of k.
Submit in class a hardcopy of the following
(or in special situations a single pdf or txt document by email):
 brief explanation of what you did
 hardcopy of the source code of your programs
 original plaintexts
 list of recovered values of k
Sample solution by Hannah Miller.
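The decryption and k-recovery steps of Assignment 1, as an added Python example (not part of the course materials or the linked sample solution). The three-letter packing 26^2*c0 + 26*c1 + c2 with A=0, ..., Z=25 is an assumption, and the `encrypt` helper is hypothetical, included only to build a constructed sample pair; the table's ciphertext is not reproduced here.

```python
from math import isqrt

P, ALPHA, A = 31847, 5, 7899   # p, alpha and private key a from the assignment

def mod_exp(base, exp, mod):
    """Left-to-right square-and-multiply."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        if bit == "1":
            result = result * base % mod
    return result

def mod_inv(a, n):
    """Inverse of a mod n by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = n, a % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % n

def encrypt(x, k):
    """Constructed helper that produces a sample ciphertext pair (y1, y2)."""
    beta = mod_exp(ALPHA, A, P)
    return mod_exp(ALPHA, k, P), x * mod_exp(beta, k, P) % P

def decrypt(y1, y2):
    """x = y2 * (y1^a)^(-1) mod p."""
    return y2 * mod_inv(mod_exp(y1, A, P), P) % P

def to_text(x):
    """Assumed encoding: x = 26^2*c0 + 26*c1 + c2 with A=0, ..., Z=25."""
    return "".join(chr(65 + x // 26 ** i % 26) for i in (2, 1, 0))

def shanks(y1, alpha=ALPHA, p=P):
    """Baby-step giant-step: the k in [0, p-2] with alpha^k = y1 mod p."""
    m = isqrt(p - 1) + 1
    giant = {mod_exp(alpha, m * j, p): j for j in range(m)}   # alpha^(m*j) -> j
    step, cur = mod_inv(alpha, p), y1
    for i in range(m):                       # cur = y1 * alpha^(-i)
        if cur in giant:
            return (m * giant[cur] + i) % (p - 1)
        cur = cur * step % p
    raise ValueError("no logarithm found")
```

Only y1 = alpha^k is needed to recover k, which is why the per-message k values leak in this toy group even though decryption never uses them.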
Assignment 2, due Monday, February 10
Complete the first step
of the term-long research paper and presentation project.
We will review all proposals in class on 2/11.
Assignment 3, due Tuesday, February 18
This task is for everybody.

RSA-safe primes.
Using the Miller-Rabin probabilistic primality test (possibly
implemented by you last Fall, or from some library), generate
randomly regular primes and RSA-safe primes of b bits.
Report on relative performance for regular and RSA-safe primes
for b varying from 10 to 70 with step 10.
Choose one of the two following tasks involving the
Pollard-RHO algorithm. The double pointers to chapters
and pages are as in editions 3 and 4 of the textbook,
respectively.

Pollard-RHO factoring.
Explore implementations of two variants of the Pollard-RHO
factoring algorithm: plain
(Alg. 5.9 page 193/Alg. 6.9 page 216), and using
Brent's accumulator of k consecutive arguments to gcd.
Focus on time performance evaluations, and recommend the
values of k to be used for a b-bit RSA modulus n,
where b varies from 10 to (at least) 70 with step 10.
Solve exercise 5.26 page 232/6.27 page 253.
(For this algorithm it does not matter if the factors of
n are RSA-safe or not)

Pollard-RHO discrete logarithms.
Explore implementation of the Pollard-RHO
discrete logarithm algorithm 6.2 page 240/7.2 page 262.
Follow the comments in class instead of direct computation
of the inverse in the last line. Show details of
the computations for at least two cases:
one with gcd=1 and one with gcd!=1 at the end.
Solve exercise 6.3 page 276/7.3 page 303.
Compare performance to Shanks' algorithm from the previous
assignment for b varying from 10 to 40 with step 10,
and report on performance on up to 70 bits for Pollard-RHO.
(For this algorithm it matters that the modulus
n itself is an RSA-safe prime)
Hint: in all three parts above go to more bits if you can.
Sample solution by Tom Arnold.
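The two factoring variants compared in the Pollard-RHO factoring task, as an added Python example (not the course's or the sample solution's code). It assumes Floyd cycle finding with f(x) = x^2 + c; the names `rho` and `factor`, the start value and the retry over c are choices made here for illustration.

```python
from math import gcd

def rho(n, k=1, c=1, x0=2):
    """Pollard rho with Floyd cycle finding and f(x) = x^2 + c mod n.

    k = 1 takes one gcd per step (plain variant); k > 1 multiplies k
    consecutive differences mod n and takes one gcd per batch.
    Returns (factor or None, number of gcd calls).
    """
    def f(v):
        return (v * v + c) % n
    x = y = x0
    gcds = 0
    while True:
        sx, sy, q = x, y, 1              # state saved for a possible replay
        for _ in range(k):
            x, y = f(x), f(f(y))
            q = q * abs(x - y) % n
        g = gcd(q, n)
        gcds += 1
        if g == 1:
            continue
        if g == n:                       # batch product is 0 mod n: replay step by step
            x, y = sx, sy
            for _ in range(k):
                x, y = f(x), f(f(y))
                g = gcd(abs(x - y), n)
                gcds += 1
                if g > 1:
                    break
        return (g if g < n else None), gcds

def factor(n, k=1):
    """Retry with another constant c when a run ends in the trivial factor n."""
    total = 0
    for c in range(1, 50):
        g, used = rho(n, k, c)
        total += used
        if g:
            return g, total
    raise ValueError("no factor found")
```

The second return value counts gcd calls, which is the quantity the accumulator trades against extra modular multiplications and the occasional replay.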
Assignment 4, Galois fields, due Tuesday, March 3
The due date is postponed till Thursday, March 5.
Solve parts 1 and 2 by hand, use computer help to solve 3 and 4.
In all exercises explain what you did and show the details
of your work. Attach source code as applicable.

The polynomial x^{4} + x + 1 is irreducible
in Z_{2}[x].
Compute x^{15} mod x^{4} + x + 1 in Z_{2}[x],
i.e. in the Galois field GF(2^{4}). Use two approaches:
standard square-and-multiply for exponent 15, and for the exponent
written as (16 - 1).

Find all irreducible polynomials in
Z_{2}[x] of degree 5. You can assume
that the polynomial x^{2} + x + 1 is
the only irreducible binary quadratic (you do not need to show that).

Solve exercise 6.12 pages 277/278 (7.12 pages 305/306).
You can use this representation of the
Galois field GF(27)

Let p=131.
First show that (x^{2}+1) is irreducible in
Z_{p}[x] - this can be done by hand
using the Euler criterion for quadratic residuosity.
Next, represent GF(p^{2})
by polynomials modulo (x^{2}+1). Use a naive algorithm
to find the number of elements of each order in
GF(p^{2}), and list the 10 smallest monic primitive elements (generators
with coefficient 1 in the highest degree term).
Illustrate the computation of the discrete logarithm of (x+101) with base
equal to the smallest such generator using Shanks' algorithm.
Sample solution by Thomas Bottom.
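A machine check for the two hand exercises on Z_{2}[x] in Assignment 4, as an added Python example (not the course's code). Polynomials are stored as integers whose bit i is the coefficient of x^i; that representation and all function names are choices made here.

```python
def pmod(a, m):
    """Remainder of a divided by m in Z_2[x]."""
    dm = m.bit_length()
    while a.bit_length() >= dm:
        a ^= m << (a.bit_length() - dm)   # cancel the leading term of a
    return a

def pmul(a, b, m):
    """Product a*b reduced mod m (shift-and-xor, no carries)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = pmod(a << 1, m), b >> 1
    return pmod(r, m)

def ppow(a, e, m):
    """Square-and-multiply in Z_2[x]/(m)."""
    r = 1
    for bit in bin(e)[2:]:
        r = pmul(r, r, m)
        if bit == "1":
            r = pmul(r, a, m)
    return r

def irreducible(f):
    """Trial division by every polynomial of degree 1..deg(f)//2."""
    deg = f.bit_length() - 1
    return deg >= 1 and all(pmod(f, d) for d in range(2, 1 << (deg // 2 + 1)))

def irreducibles(deg):
    """All irreducible polynomials of the given degree, as bit masks."""
    return [f for f in range(1 << deg, 1 << (deg + 1)) if irreducible(f)]
```

For the (16 - 1) approach, x^16 is four successive squarings of x, and the result is then divided by x.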
Assignment 5, due Thursday, March 19
Due date has been postponed till March 26.
The break at RIT has been extended by
one week, until March 23. Thus, the due date of the current assignment
is also delayed by a week until March 26. Please submit your work by
sending a pdf in an email (can be a scan of a document produced by
any means).
Exploring elliptic curves.
For edition 4 of the textbook, use chapter 7 (instead of 6),
same exercise numbers, pages 306/307.
 Solve exercise 6.13 page 278.
Note that the answer in (c) must be a divisor of (a).
 Solve exercise 6.14 page 279.
 Solve exercise 6.15 page 279.
 Solve exercise 6.16 page 279.
 Proving associativity of point addition on elliptic curves is
quite complicated. In this exercise you will do just a special
case of it. Suppose that points P=(p1,p2) and Q=(q1,q2), p1 not equal to q1,
are on an elliptic curve E (either real or modular).
It is obvious that ((-P) + P) + Q = Q.
Prove that (-P) + (P + Q) = Q by
 using geometric reasoning on the plane
 using only algebraic transformations defining point addition
Sample solution by Thomas Bottom, except exercise 6.16b
Solution to exercise 6.16b
Assignment 6, due Tuesday, April 7
EC and NAF
Submit pdf by email, it can be a scan of documents produced by other means.

Let B_{k}, k ≥ 2, consist of
all 0-1 strings of length k with both
ends equal to 1 (there are 2^{k-2} of them).
Show explicitly two bijections:
between 16 strings in B_{6} and their NAF representations,
and 32 strings in B_{7} and their NAF representations.
 Solve exercise 6.17 page 279 (ECIES).
In (a) show the intermediate values of variables.
This exercise is not in edition 4 of the textbook. Edition 4 does not
include the ECIES scheme, but a similar cryptosystem, 7.2 EC ElGamal.
For this problem use the ECIES slide discussed in class.
Let E be the elliptic curve y^2=x^3+2x+7 defined over Z_31.
It can be shown that #E=39 and P=(2,9) is an element of order 39 in E.
The simplified ECIES
defined on E has Z_31^* as its plaintext space.
Suppose the private key is m=8.
(a) Compute Q = mP.
(b) Decrypt the ciphertext ((18,1),21), ((3,1),18), ((17,0),19), ((28,0),8).
(c) Assuming that each plaintext represents one alphabetic character,
convert the plaintext into an English word. Use the correspondence
A<->1, ..., Z<->26, because 0 is not allowed in a plaintext ordered pair.
 Solve exercise 6.18 page 279 (7.19 page 307).
Sample solution for questions 1-3 by Hannah Miller.

(Optional) Prove that the NAF representation is unique.
You need to show that two distinct NAF strings cannot encode
the same integer.
A nice
solution at crypto stackexchange.
Interesting papers on generalizations of NAF to more digits and positions:
Redundant tau-adic expansions I: non-adjacent digit sets and their
applications to scalar multiplication (2011),
and
Minimality of the Hamming Weight of the tau-NAF for Koblitz
Curves and Improved Combination with Point Halving (2006),
by Roberto Avanzi, Clemens Heuberger, Helmut Prodinger.
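NAF conversion for the strings in B_{k} and NAF-driven scalar multiplication on the curve from exercise 6.17, as an added Python example (not the course's or the sample solution's code). The function names are hypothetical; the curve, the point (2,9) and its order 39 are taken from the exercise text. Requires Python 3.8+ for modular inverses via pow.

```python
P_MOD, A_COEF = 31, 2    # E: y^2 = x^3 + 2x + 7 over Z_31
G = (2, 9)               # point of order 39 from the exercise
O = None                 # point at infinity

def naf(n):
    """NAF digits of n >= 0, least significant first."""
    digits = []
    while n:
        d = 2 - n % 4 if n & 1 else 0   # +1 when n = 1 mod 4, -1 when n = 3 mod 4
        digits.append(d)
        n = (n - d) // 2
    return digits

def b_strings(k):
    """B_k: 0-1 strings of length k with both ends 1 (odd n, 2^(k-1) < n < 2^k)."""
    return [format(n, "b") for n in range(2 ** (k - 1) + 1, 2 ** k, 2)]

def add(p, q):
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def neg(p):
    return O if p is O else (p[0], -p[1] % P_MOD)

def mul_naf(k, p):
    """Double-and-(add or subtract), scanning the NAF from the top digit."""
    acc = O
    for d in reversed(naf(k)):
        acc = add(acc, acc)
        if d == 1:
            acc = add(acc, p)
        elif d == -1:
            acc = add(acc, neg(p))
    return acc
```

Applying `naf(int(s, 2))` to each string s from `b_strings(6)` and `b_strings(7)` lists the images under the two bijections asked for in the first exercise.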
Assignment 7, due Tuesday, April 21
Digital signatures
Submit a single pdf by email.
 Solve exercise 7.6 page 319 (8.6 page 335/336).
 Solve exercise 7.7 page 319 (8.7 page 336).
 Solve exercise 7.9 page 320 (8.10 page 337).
In the SHA-3 competition NIST requested
that the new hash be 0-preimage resistant.
 Solve exercise 7.13 page 320 (8.14 page 338).
Two submissions complementing each other:
sample solution by Devin Kott,
sample solution by Tom Arnold.