CRYPTOGRAPHY ASSIGNMENT

Submitted By:
Submitted To: 1. Saksham Agarwal (106117082)
Kunwar Singh
Assistant Professor 2. Ashutosh Kumar Singh (106117012)
Computer Science and Engineering 3. Mandeep Singh (106117046)
National Institute of Technology,
Tiruchirappalli-620015 4. Karan Puruswani (106117038)
5. Prajwal Hanu (106117070)
 Pag e |1

Q.1. What is a one-way function? What is a trapdoor one-way function?

A one-way function is a mathematical function that is significantly easier to compute in one

direction (the forward direction) than in the opposite direction (the inverse direction).It might be
possible, for example, to compute the function in the forward direction in seconds but to
compute its inverse could take months or years, if at all possible.
Informally, a function f is a one-way function if
1. The description of f is publicly known and does not require any secret information for its
operation.
2. Given x, it is easy to compute f(x).
3. Given y, in the range of f, it is hard to find an x such that f(x) = y. More precisely, any efficient
algorithm solving a P-problem succeeds in inverting f with negligible probability.

A trapdoor one-way function is a one-way function for which the inverse direction is easy given
a certain piece of information (the trapdoor), but difficult otherwise.
An example of such trapdoor one-way functions may be finding the prime factors of large
numbers. Nowadays, this task is practically infeasible. On the other hand, knowing one of the
factors, it is easy to compute the other ones.

Q.2. State and prove the correctness of RSA Cryptosystem.

The correctness of the RSA algorithm follows from the following theorem.
Theorem 3: M ed ≡ M mod n holds for all integers M.
Proof. Recall that the integers e > 0 and k > 0 are chosen such that
ed = 1 + k(p − 1)(q − 1).
It suffices to show that the two congruences

Med ≡ M mod p and Med ≡ M mod q

hold. Indeed, p and q are distinct primes, so gcd(p, q) = 1, and the above
congruences imply M ed ≡ M mod n by the Chinese Remainder Theorem.

If M ≡ 0 mod p, then certainly M ed ≡ M mod p. If M≠0 mod p, then

Mp−1 ≡ 1 mod p by Corollary 2; hence,

Med ≡ M1+k(p−1)(q−1) ≡ M(Mp−1)k(q−1) ≡ M 1k(q−1) ≡ M mod p.
Therefore, M ed ≡ M mod p holds for all integers M. Replacing p by q in
the previous argument shows that M ed ≡ M mod q for all integers M.
Q.3 Find the computational cost (in terms of bit operation) of key generation in RSA
algorithm.

t(n) = O(logn) 2 + O(c) + O(c) + O(logn) + O(logn)

O(logn) 2 is for choosing p and q

Cryptography
 Pag e |2

O(c) is for calculating n

O(c) is for calculating φ(n)
O(logn) is for calculating gcd(e; φ(n))
O(logn) is for calculating d

Q.4 For RSA with parameters: e = 7 and n = 17 31.

(a) Encrypt the message block M = 2.
(b) Compute a private key corresponding to the given above public key.
(c) Perform the decryption of the obtained ciphertext using the method which is four
times faster than usual method(Using CRT).

(a) C = 27 mod(17 * 31) = 128

(b) n = 527, e = 7, φ(n) = 16 ∗ 30 = 480
d = e-1 mod φ(n) = 7-1 mod (480)

k rk qk a b

0 480 - 1 0

1 7 68 0 1

2 4 1 1 -68

3 3 1 -1 69

4 1 3 2 -137

7-1 mod (480) = -137 + 480 = 343

d = 343

(c) m = cd mod n = 128343 mod (527)

xp = 128343 mod (17-1)mod(17)
= 1287mod16 mod (17)
= 249 mod16 mod (17)
= 217 mod (17)

xq = 128343 mod (31-1) mod (31)

= 128343 mod 30 mod (31)
= 21 mod 30 mod(31)
=2
Cd mod pq = (2 * 31(q -1mod p) + 2 * 17(p -1 mod q)) mod (527)

Cryptography
 Pag e |3

k rk qk a b

0 31 - 1 0

1 17 1 0 1

2 14 1 1 -1

3 3 4 -1 2

4 2 1 -5 9

5 1 2 -6 11

q-1 mod p = 11
p-1 mod q = -6 + 17 = 11
cd mod pq = (2*31*11 + 2*17*11) mod 527 = 2

Q.5 Let N be the product of two primes. Prove formally that hardness of factorization of N
implies hardness of nding (N) given N.

Let N = pq where p and q are primes (given) which implies that:

Φ(N) = Φ(p) ∗ Φ(q) = (p − 1) ∗ (q − 1)
The above computation takes O(1) time if the values p,q i.e., the factorization of N is known.
Hence if we can factorize N as a product of 2 primes then we can find
Φ(N)
easily in O(1) time.
In other words if factorizing N takes O(f(n)) time then finding
Φ(N)
takes: O(f(n)) + O(1) = O(f(n)) where f(n) is non deterministic time.
Hence hardness of factorization of N implies hardness of finding Φ(N) given N.

Q6. Let (N; e) be an RSA public key. Given the private key d, show that one can efficiently
factor the modulus N.

Since (N, e) is the public key and the private key d is given, we now know (N, e, d). We also
know that d ☰ e-1 mod Φ(N)
So, ed ☰ 1 mod Φ(N)
ed - 1 = Multiple of Φ(N)
Now, choose a random g in [2, N-1]
Let k = ed - 1 = 2t r and let x = 1.
While (x == 1), {
Compute x = gk/2 mod N and set k = k/2
}

Cryptography
 Pag e |4

So, y = gcd(x-1, N). Then p = y and q = N/p. Thus we can efficiently factor the modulus
N.

Q7. Alice and Bob have the same modulus n for RSA, and encryption exponents eA and
eB with gcd(e A; eB ) = 1. Charles sends them the same message m encrypted with th ese
keys, resulting in the ciphertexts c A and cB . Adversary intercepts both c A and cB . How
can she find m?

Sol :
Since eA and eB are relatively prime, Eve can find integers p and q such that
p(eA) + q(eB) = 1.
Then, since m1≡mp(eA)+ q(eB) ≡m(eA)p m(eB)q (cA)p (cB) q (mod n),
Eve can discover m by computing (c A)p(cB)q ((mod n).
Note that n, e A, and eB are all public, so available to Eve.

Q8. Solve the equation x 2 + 4x + 1 = 0 in Z 23.

Sol:
We can rewrite the given equation as follows :
(x + 2)2 ≡ 3 mod 23
We now replace (x + 2) with y. So we get y 2 ≡ 3 mod 23.
Solving the equation, we find that the value of y is either 7 or 16. If y = 7,
then x = 5. If y = 16, then x = 14.

Q9. What is the 11th root of 2 in Z19?

Sol:
We want a solution to x 11 = 2 (mod 19).
Check that 2 is a primitive root mod 19
[218 = 1 (mod 19) by Fermat, and 2n ≠ 1 (mod 19) for any integer n = 1, 2, ..., 18.]
Take "discrete logs" both sides, base 2:
11 log₂(x) = 1 (mod 19-1), since 2 = 2^1
11 log₂(x) = 55 (mod 18), since 1 = 55 (mod 18)
log₂(x) = 5 (mod 18).
Hence, x = 2^5 = 32 (mod 19).
= 13

Q10. Solve the following system of congruences:

x ☰ 12(mod 25)
x ☰ 9(mod 26)

Cryptography
 Pag e |5

x ☰ 23(mod 27)

Sol:
Compute N= 25*26*27
y1=N/25=(26*27)
y2=N/26=(25*27)
y3=N/27=(25*26)

Now Using extended Euclidean Algorithm, Calculate inverse

z1= (y1)-1 mod n1
= (26*27)-1 mod 25
= 13
z2= (y2)-1 mod n2
= (25*27)-1 mod 26
= 25
z3= (y3)-1 mod n3
= (26*25)-1 mod 27
= 14

Finally
X-1 (x,y,z)=(13*26*27)x+(25*25*27)y+(14*25*26)z (mod 25*26*27)
So
X-1(12,9,23)=470687 (mod 25*26*27)
= 14387

Q11. Let p be an odd prime. Then show that there are exactly (p - 1)=2 quadratic
residues modulo p and exactly (p - 1)=2 quadratic non residues modulo p.

Sol:
Consider b2 mod p for b = 1, 2, . . . ,(p − 1)/2. We know these give all the quadratic
residues, since
(p − b)2 ≡ b2 mod p. Moreover these squares are all different mod p. For

b2 ≡ c 2 mod p ⇒ (b + c)(b − c) ≡ 0 mod p

⇒ b ≡ ±c mod p.
We can express this in group-theoretic terms as follows:
The map
θ : x → x 2 : (Z/p)× → (Z/p)× is a homomorphism, and

ker θ = {±1}.

Cryptography
 Pag e |6

By the first isomorphism theorem of group theory, if θ : G → H is a homomorphism

then
im θ ≅ G/ ker θ.
In particular, if G is finite then
#(ker θ) · #(im θ) = #(G).
(This holds for abelian or non-abelian groups.)
In our case, im θ is just the set of non-zero quadratic residues. It follows that they
constitute just half of the non-zero residues mod p; the other half must be the quadratic
non-residues.

OR

a2 ≡ xmodp, we try values of a from 1 to p - 1.

Since we know that a2 modp = (p - a)2 modp this means that two different values of a
produce the same x.
Hence, the number of quadratic residues modulo p are (p - 1)/2.
Since the total number of residues are p-1, total number of quadratic non
residues are (p - 1) - (p - 1)/2 = (p - 1)/2

Ques 12: Let g is the generator of the cyclic group Z p. Show that g is quadratic
non residue mod p.
Answer:
Since g is generator of Zp; gp-1 = 1 If g is quadratic residue mod p then
g(p-1)/2 = 1
=> g can generate only (p-1)/2 values which is not true.
Hence, g(p-1)/2 ≠ 1
ஃ g is quadratic non residue mod p.

Ques 13: Solve following quadratic congruent equation.

(i)b2 ☰ 44(mod 83)

Answer:
We can write it as: = [44 83]
= [4 83]*[4 83]*[11 83]
= [83 4]*[11 83]
= [3 4]*[11 83]
= [3 2]*[3 2]*[11 83]
= [3 2]*[3 2]*-[83 11]
= -[1 2]*[1 2]*[6 11]

Cryptography
 Pag e |7

= 1*[6 11]
=> [6 11] = 0

(ii)b2 ☰ 11(mod 29)

Answer:
We can write it as: = [11 29]
= [29 11]
= [7 11]
=> [7 11] = 0

(iii)b2 ☰ 15(mod 59)

Answer:
We can write it as: = [15 59]
= [59 15]
= [14 15]
=> [14 15] = 0

Ques 14: Using only CRT, show that if x ≅ y mod p and x ≅ y mod q then x ≅ y
mod N.
Answer:
x ≡ y mod p
x≡ y mod q
Using CRT
x ≡ (y.p.(p-1 mod q) + y.q.(q-1 mod p))modpq

Since the GCD of p and q is 1, px + qy = 1 for some x and y.Then,

x = p-1 mod q
And
y = q-1 mod p
Hence,
p:(p-1 mod q) + y:q:(q-1 mod p) = 1
Therefore,
x ≡ y mod pq
Hence,
x ≡ y mod N

Ques 15: Prove that an element s ∈ Z*N is a Q.R. mod N if and only if s is a Q.R.
mod p and s is a Q.R. mod q. Hence, the number of Q.R. in ZN is p-1/2 q-1 /2?
Answer:

Cryptography
 Pag e |8

We know that for a given prime p, and a number a, there are (p-1)/2 possibilities of a for
which a is QR mod p.
Similarly, there are (p-1)/2 possibilities of a for which a is QNR mod p.
Given s is a QR mod p, so number of possibilities of s = (p-1)/2.
Given s is a QR mod p, so number of possibilities of s = (q-1)/2.
But,
N = pq.
So number of possibilities for s to be a QR mod N = p-1 /2 q-1/2

Ques 16: Show that computing the square root of a QR in ZN is as hard as

factoring N. (Hint: When the factorization of N = pq is known one computes the
square root of x ∈ Z*N by first computing the square root in Zp of x mod p and the
square root in Zq of x mod q and then using the CRT to obtain the square root of x
in ZN).
Answer:
We need to find the of x mod N1, it means we have to nd x 2^-1 mod N
Given N = pq
First we find the square root of x mod p i.e x 2^-1 mod p
2-1 = k(p-1) + 2-1modp-1 for some key k ε Z
x 2^-1 mod p = x k(p-1).x 2^-1 mod p-1 mod p
But , x k(p-1) = x (p-1)^k= 1 (By Fermat's theorem)
x 2^-1 mod q = x 2^-1 mod q = v q
x 2^-1 ≡v p mod p x 2^-1 = v q mod q

Next , we find the square root of x mod q i.e x 2^-1 mod q

2-1 = k(q-1) + 2-1modq-1 for some key k ε Z
x 2^-1 mod q = x k(q-1).x 2^-1 mod q-1 mod q
But , x k(q-1) = x (q-1)^k= 1 (By Fermat's theorem)
x 2^-1 mod p = x 2^-1 mod p = v p
x 2^-1 ≡v p mod p x 2^-1 = v q mod q

According to CRT,
x 2^-1= (v p.(q)(q-1 mod p) + v q(p)(p-1 mod q)) mod (pq)
But GCD(p,q) = 1 (p and q are relatively prime)
p-1 mod q; q-1 mod p exists
Substituting for vp and vq , we get

x 2^-1 = [x 2^-1 mod p-1 q (q-1 mod p) + x 2^-1 mod q-1:p(p-1 mod q)] mod (pq)

Cryptography
 Pag e |9

Ques 17: Using the algorithm(discussed in class), find Jacobi of the following.
(i) (3053/6823)
Answer:

(ii) (7411/9283)
Answer:

Ques 18: Let sender A sends the same message M to three different receivers
using their respective public keys that have the same e = 3 but different value of
n. Let’s assume you can intercept all three transmissions. Can you find plaintext
M in a feasible time.
Answer:
Small values for e, such as 3, are considered cryptographically insecure.

Given:

Cryptography
 P a g e | 10

1. Let’s say, a sender A sends the same message M to three different receivers using their
respective public keys that have the same e = 3 but different values of n .
Assume:
1. Let these values of n be denoted n1, n2, and n3.
2. Let’s assume that an attacker can intercept all three transmissions.

The attacker will see three ciphertext messages:

C1 = M3 mod n1
C2 = M3 mod n2 ,and
C3 = M3 mod n3.
Assuming that n 1, n2, and n3 are relatively prime on a pairwise basis, the attacker can use the
Chinese Remainder Theorem (CRT) to reconstruct M 3 modulo N = n1 × n2 × n3.
(This assumes that M 3 < n1n2n3, which is bound to be true since M < n 1, M < n2, and M < n3).

Having reconstructed M 3 , all that the attacker has to do is to figure out the cube-root of M 3 to
recover M. So finding the cube-root can be done in feasible time.
Hence the plaintext can also be found in a feasible time.

Ques 19: Show that text-RSA is vulnerable under following security notions. (i)
IND-CPA (semantic security) (ii) IND-CCA
Answer:
(i) Adversary knows his choice of plaintext and corresponding cipher texts.
choose 2 messages whose jacobi is 1 and -1 as follows:
m0 : j [m 0] = 1
m0 : j [m 1] = 1
Now adversary sends m 0 and m 1 to challenger and he encrypts m b
c = e (m b)
Now adversary calculates jacobi of m 0 and m 1
if j[m b] = 1 then its m 0
if j[m b] = 1 then its m 1
Hence the adversary correctly guessed. Therefore it is not semantically secure
under IND-CPA.

(ii) c* = (m e) mod n c1, c2 adversary choose -x.

c1 = x e mod n can be known since e is public.
c1 = (m*)e mod n
c1c* = (xm*)e modn
he will ask what is plaintext for c1c* so plain text becomes xm*
m* = xm*x -1modn

Cryptography
 P a g e | 11

Ques 20: If m is chosen from a small list of possible values (m < 2l, m has l−bits).
Show that attacker can compute message m in time O(l2α),l/2 < α < l which is
better than brute force method. (Meet in middle attack)
Answer:
Meet in the middle attack
Let c = m e
Assume m = rs
Therefore c = (rs)e
c/(r)e = se
Let m be l bits long. For all r <2l/2 nd c/(r)e and store the values in sorted
order in a table.
Now pick a random s and compute se and check if this value exists in the
table. If it exists, then we know r and s, so we can compute m = rs. If it does
not exist then pick another s.
Time for generating and computing c/re all possible values of r = O(2l/2)
Time for sorting = O(2l/2log(2l/2))
Time for searching all possible values of s = 2l/2 O(log(2l/2 ))
Therefore total time = O(l2a ) where l/2 <a <l

Ques 21: Let (Gen,E,D) be a chosen ciphertext secure public-key encryption

system with message space {0,1} 128. Which of the following is also chosen
ciphertext secure?
(i)(Gen,E/,D/) where E/(pk,m) = E(pk,m⊕1128) and D/(sk,c) = D(sk,c)⊕1128
(ii)(Gen,E/,D/) where E/(pk,m) = (E(pk,m),E(pk,0128 )) and D/(sk,(c1,c2)) = D(sk,c1).
(iii)(Gen,E/,D/) where E/(pk,m) = (E(pk,m),E(pk,m)) and D/(sk,(c1,c2)) = D(sk,c1).
Answer:

(i) This scheme is chosen ciphertext secure, since the only thing extra in this scheme is
inverting the message before encryption. The original scheme is chosen ciphertext secure so
this scheme also is chosen ciphertext secure.

(ii)This scheme is not chosen ciphertext secure. The attacker can send any two messages m0
and m1. The challenger will then send the ciphertext (c1,c2). The attacker can then ask for the
decryption of (c1,E(1 128)) for which the challenger will either send m0 or m1. Using that the
attacker can identify which of m0 or m1 was encrypted.

Cryptography
 P a g e | 12

(iii)This scheme is not chosen ciphertext secure. The attacker can send any two messages m0
and m1. The challenger will then send the ciphertext (c1,c2). The attacker can then ask for the
decryption of (c1,E(m2)), where m2 is some random message (high prob ability that E(m2) is not
E(m0) or E(m1), for which the challenger will either send m0 or m1. Using that the attacker can
identity which of m0 or m1 was encrypted.

Q22. Alice and Bob wish to resolve a dispute over telephone. We can encode the
possibilities of the dispute by a binary value. For this they engage a protocol:
(i). Alice ! Bob : Alice picks up randomly an x, which is a 200 bit number and
computes the function f(x). Alice sends f(x) to Bob.
(ii). Bob ! Alice : Bob tells Alice whether x was even parity or odd parity.
(iii). Alice ! Bob : Alice then sends x to Bob, so that Bob can verify whether his
guess was correct. If Bob's guess was right, Bob wins. Otherwise Alice has the
dispute solved in her own way. They decide upon the following function, f : X ! Y ,
where X is a random variable denoting a 200 bit sequence and Y is a random
variable denoting a 100 bit sequence. The function f is defined as follows: f(x) = (
the most significant 100 bits of x) V (the least significant 100 bits of x), 8x 2 X
Here _ denotes bitwise OR.
Answer the following questions in this regard:
(i). Suppose Bob's strategy to guess the even or odd of x is that if the least
significant bit of f(x) is zero then x is even else x is odd. If Alice is honest, what is
the probability of Bob to be successful in guessing whether x is even or odd
correctly?
(ii). What is Alice's probability of cheating Bob?
(iii). What happens when the above function (V) is replaced by bit-wise XOR?
Rework the above sub-parts for this change.

Sol:
(i) A Real Instance of f
• The function f is defined as follows:
f(x) = (the most significant 100 bits of x) V (the least significant 100 bits of x), x ε X –

Here V denotes bitwise OR.

Bob’s Strategy
• Bob’s Experiment:
– Input f(x)
– Output Parity of x
• Algorithm:

Cryptography
 P a g e | 13

If [f(x)]0 =0, then x is even

else x is odd
Bob’s Probability of Success
• If X is chosen at random, Pr[X is even]=Pr[X is odd]=1/2
Pr[Bob succeeds]=Pr[X is even]Pr[Bob Succeeds|X is even]+Pr[X is odd]Pr[Bob
Succeeds|X is odd] = ½ ½ + ½ 1 = ¾
(ii) Remember we compute Alice’s cheating probability irrespective of Bob’s strategy.
• Alice can cheat by changing the parity of x
• Case 1: X is even.
– f(x)]0 =0, with prob.= ½ . In this case Alice cannot cheat.
– f(x)]1 =1, with prob.= ½. In this case Alice can cheat.
So in this case, prob. of success for Alice = ¼ .

Case 2: X is odd.
– f(x)]0 =0, this is not possible from the definition of f.
– f(x)]0 =1. In this case Alice can cheat.
• So in this case, prob. of success for Alice = ½ .
• So, Alice can cheat with a prob. of ¼ + ½ = ¾.
(iii) Pr[Bob Succeeds] = Pr[X is even]*Pr[Bob succeeds | x is even] + Pr[X is
odd]*Pr[Bob succeeds | x is odd] = 1/2*(Pr[Bob succeeds | x is even] + Pr[Bob succeeds
| x is odd])

Even case: x[0] = 0

f(x)0 = x[100] ∧ x[0] = x[100]
Implies,
Pr[Bob succeeds | x is even] = 1/2 (each bit is chosen randomly)
Odd case: x[0] = 1
f(x)0 = x[100] ∧ 1
Implies, Pr[Bob succeeds | x is odd] = 1/2
Pr[Bob succeeds] = (1/2)*(1/2+ 1/2) = 1/2

Cryptography