## Advanced Cryptography CSCI-762 Spring 2018

### Assignment 0, Tuesday, January 23

Final exam from the first cryptography course in the fall 2017. This is to see the common background of the group.

### Assignment 1, due Tuesday, February 6

Decrypt the ciphertext from the table 6.3 page 278, which was obtained by an application of the ElGamal Cryptosystem 6.1 page 235. The parameters of the system are p = 31847 = 1 + 2*15923 (15923 is prime), alpha=5, a=7899 and beta=18074. Each element of Zp in the range <0,17575> represents three alphabetic characters as in Exercise 5.12 page 227. You have to use square-and-multiply algorithm for modular exponentiation, and the Extended Euclid Algorithm or other not-by-force algorithm for calculating modular inverses. You may use parts of the code from previous course assignments,

What are the secret values of parameter k used for encryption? Use both Shanks' algorithm and brute force (for verification) to find them. Note, that k's are not needed for the decryption. In this toy example they can be found with the help of any discrete logarithm algorithm. Find the first 30 values of k.

Submit in class a hardcopy of the following (or in special situations a single pdf or txt document by email):

• brief explanations what you did
• hardcopy of the source code of your programs
• original plaintexts
• list of recovered values of k

### Assignment 2, due Sunday, February 11

Complete the first step of the term-long research paper and presentation project. We will review all proposals in class on 2/13.

### Assignment 3, due Tuesday, February 20

Due date extended to Thursday, February 22.
• RSA-safe primes. Using Miller-Rabin probabilistic primality test (possibly implemented by you last Fall, or from some library), generate randomly regular primes and RSA-safe primes of b bits. Report on relative performance for regular and RSA-safe primes for b varying from 10 to 70 with step 10.

• Pollard-RHO factoring. Explore implementations of two variants of the Pollard-RHO factoring algorithm: plain (Alg. 5.9 page 193), and using Brent's accumulator of k consecutive arguments to gcd. Focus on time performance evaluations, and recommend the values of k to be used for b-bit RSA modulus n, where b varies from 10 to (at least) 70 with step 10. Solve exercise 5.26 page 232. (For this algorithm it does not matter if the factors of n are RSA-safe or not)

• Pollard-RHO discrete logarithms. Explore implementation of the Pollard-RHO discrete logarithm algorithm 6.2 page 240. Follow the comments in class instead of direct computation of the inverse in the last line. Show details of the computations for at least two cases: one with gcd=1 and one with gcd!=1 at the end. Solve exercise 6.3 page 276. Compare performance to Shanks' algorithm from the previous assignment for b varying from 10 to 40 with step 10, and report on performace on up to 70 bits for Pollard-RHO. (For this algorithm it matters that the modulus n itself is an RSA-safe prime)
Hint: in all three parts above go to more bits if you can.

Sample solution by Kritka Sahni.

### Assignment 4, Galois fields, due Tuesday, March 6

Due date extended to Thursday, March 8.

Solve parts 1 and 2 by hand, use computer help to solve 3 and 4. In all exercises explain what you did and show the details of your work. Attach source code as applicable.

1. The polynomial x4 + x + 1 is irreducible in Z2[x]. Compute x15 mod x4 + x + 1 in Z2[x], i.e. in the Galois field GF(24). Use two approaches: standard square-and-multiply for exponent 15, and for the exponent written as (16 - 1).

2. Find all irreducible polynomials in Z2[x] of degree 5. You can assume that the polynomial x2 + x + 1 is the only irreducible binary quadratic (you do not need to show that).

3. Solve exercise 6.12 pages 277/278. You can use this representation of the Galois field GF(27)

4. Let p=131. First show that (x2+1) is irreducible in Zp[x] - this can be done by hand using the Euler criterion for quadratic residuosity. Next, represent GF(p2) by polynomials modulo (x2+1). Use naive algorithm to find the number of elements of each order in GF(p2), and list 10 smallest monic primitive (generators with coefficient 1 in the highest degree term) elements. Illustrate the computation of discrete logarithm of (x+101) with base equal to the smallest such generator using Shanks' algorithm.

Sample solution by Daichi Mae.

### Assignment 5, due Thursday, March 22

Exploring elliptic curves.
1. Solve exercise 6.13 page 278. Note that the answer in (c) must be a divisor of (a).
2. Solve exercise 6.14 page 279.
3. Solve exercise 6.15 page 279.
4. Solve exercise 6.16 page 279.

5. Proving associativity of point addition on elliptic curves is quite complicated. In this exercise you will do just a special case of it. Suppose that points P=(p1,p2) and Q=(q1,q2), p1 not equal to q1, are on an elliptic curve E (either real or modular). It is obvious that ((-P) + P) + Q = Q. Prove that (-P) + (P + Q) = Q by
• using geometric reasoning on the plane
• using only algebraic transformations defining point addition

Sample solution by Scott Furman.
Sample solution by Kritka Sahni.

### Assignment 6, due Tuesday, April 24

#### Part I: EC and NAF

1. Solve exercise 6.17 page 279 (ECIES). In (a) show the intermediate values of variables.
2. Solve exercise 6.18 page 279.
3. (Optional) Prove that the NAF representation is unique. You need to show that two distinct NAF strings cannot encode the same integer. Interesting papers on generalizations of NAF to more digits and positions: Redundant tau-adic expansions I: non-adjacent digit sets and their applications to scalar multiplication (2011), and Minimality of the Hamming Weight of the tau-NAF for Koblitz Curves and Improved Combination with Point Halving (2006), by Roberto Avanzi, Clemens Heuberger, Helmut Prodinger.

#### Part II: Digital signatures

1. Solve exercise 7.6 page 319.
2. Solve exercise 7.7 page 319.
3. Solve exercise 7.9 page 320.
In the SHA-3 competition NIST requested that the new hash has to be 0-preimage resistant.

Back to the course page