SOLUTIONS MANUAL: CRYPTOGRAPHY AND NETWORK SECURITY, PRINCIPLES AND PRACTICE, FOURTH EDITION. WILLIAM STALLINGS. Copyright 2006 William Stallings.
Introduction
Masquerade, replay, modification of messages.
2.1 Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm
2.3 One key for symmetric ciphers, two keys for asymmetric ciphers
A stream cipher encrypts digital data one bit or byte at a time, while a block cipher processes a block of plaintext as a whole to generate a ciphertext block of the same length.
In the context of ciphertext-only attacks, a brute-force method of testing all possible keys can be impractical if the key space is extensive. Consequently, attackers often resort to analyzing the ciphertext through various statistical tests. In scenarios involving known plaintext, if an analyst captures plaintext messages along with their encryptions, they may deduce the key by examining how the plaintext is transformed. Additionally, in chosen plaintext attacks, the analyst can select specific messages to encrypt, strategically choosing patterns that may expose the key's structure.
An encryption scheme is considered unconditionally secure when the ciphertext produced does not provide sufficient information to uniquely identify the corresponding plaintext, regardless of the amount of ciphertext available. In contrast, a scheme is deemed computationally secure if the expense of decrypting the cipher surpasses the value of the encrypted data, and the time needed to break the cipher exceeds the useful lifespan of the information.
2.8 The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25
2.9 A monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet
2.10 The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed
Classical Encryption Techniques
2.11 A polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key
Generating large quantities of random keys poses a practical challenge, as heavily utilized systems may need millions of random characters regularly. The task of providing truly random characters in such high volumes is substantial.
The challenge of key distribution and protection is significant, as both the sender and receiver require a key of equal length for every message transmitted, leading to a substantial key distribution issue.
2.13 A transposition cipher involves a permutation of the plaintext letters
2.14 Steganography involves concealing the existence of a message
A change in the value of b shifts the relationship between plaintext and ciphertext letters uniformly and does not affect the one-to-one mapping. The values of a and 26 must have no common positive integer factor other than 1, so a cannot be 2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, or 24; any value of a larger than 25 is equivalent to a mod 26.
We must show that a and 26 are relatively prime, i.e., that their greatest common divisor is 1. Note that \( E(a, p) = E(a, q) \) (for \( 0 \leq p \leq q < 26 \)) if and only if \( a(p - q) \) is divisible by 26.
1. Suppose that a and 26 are relatively prime. Then a(p – q) is not divisible by 26, because there is no way to reduce the fraction a/26 and (p – q) is less than 26.
2. Suppose that a and 26 have a common factor k > 1. Then E(a, p) = E(a, q) if q = p + m/k ≠ p.
2.2 There are 12 allowable values of a (1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25). There are 26 allowable values of b, from 0 through 25. Thus the total number of distinct affine Caesar ciphers is 12 × 26 = 312.
2.3 Assume that the most frequent plaintext letter is e and the second most frequent letter is t. Note that the numerical values are e = 4; B = 1; t = 19; U = 20. Then we have the following equations:
Thus, 19 = 15a mod 26. By trial and error, we solve: a = 3.
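The affine Caesar cipher of Problems 2.1 through 2.3, as an added Python example (not code from the solutions manual): it checks the gcd(a, 26) = 1 condition against a brute-force one-to-one test, counts the 312 keys, and recovers (a, b) from the two frequency-derived letter pairs e → B and t → U.

```python
from itertools import product
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def affine_letter(p, a, b):
    """E(a, b, p) = (a p + b) mod 26 on a letter index p in 0..25."""
    return (a * p + b) % 26


def is_valid_a(a):
    """Problem 2.1b: a and 26 must have no common positive factor other than 1."""
    return gcd(a, 26) == 1


def is_one_to_one(a, b):
    """Brute-force check of Problem 2.1c: do all 26 plaintext letters map to distinct ciphertext letters?"""
    return len({affine_letter(p, a, b) for p in range(26)}) == 26


def count_affine_keys():
    """Problem 2.2: the number of distinct affine Caesar ciphers (12 values of a times 26 of b)."""
    return sum(1 for a, b in product(range(26), repeat=2) if is_valid_a(a))


def solve_from_two_pairs(p1, c1, p2, c2):
    """Problem 2.3: every key (a, b) consistent with two known letter pairs (plaintext index -> ciphertext index)."""
    return [
        (a, b)
        for a in range(26) if is_valid_a(a)
        for b in range(26)
        if affine_letter(p1, a, b) == c1 and affine_letter(p2, a, b) == c2
    ]


def affine_encrypt(text, a, b):
    """Encrypt letters only; ciphertext is upper case, as in the book's convention."""
    if not is_valid_a(a):
        raise ValueError("a = %d does not give a one-to-one mapping" % a)
    return "".join(ALPHABET[affine_letter(ALPHABET.index(ch), a, b)].upper()
                   for ch in text.lower() if ch in ALPHABET)


def affine_decrypt(text, a, b):
    """Invert with a^-1 mod 26, found by search over the 26 residues."""
    a_inv = next(x for x in range(26) if (a * x) % 26 == 1)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % 26]
                   for ch in text.lower() if ch in ALPHABET)


if __name__ == "__main__":
    print("keys:", count_affine_keys())                          # 312
    print("a = 2 one-to-one?", is_one_to_one(2, 0))              # False
    # e = 4 -> B = 1 and t = 19 -> U = 20: the two equations of Problem 2.3
    print("recovered key:", solve_from_two_pairs(4, 1, 19, 20))  # [(3, 15)]
```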
In the Bishop's hostel at the Devil's seat, located at twenty-one degrees and thirteen minutes northeast by north, one can find a good glass The main branch is situated on the seventh limb's east side, where a shot is taken from the left eye of the death's head, creating a direct line from the tree that extends fifty feet outward.
The first letter 't' corresponds to 'A', 'h' to 'B', 'e' to 'C', and 's' to 'D', with subsequent occurrences of letters already used in the key sentence being ignored. The resulting ciphertext is "SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA," which decrypts to the plaintext "basilisk to leviathan blake is contact." This is a monoalphabetic cipher, so it is relatively easy to break. Additionally, the sentence used may not include all letters of the alphabet; therefore, the first sentence can be used along with subsequent sentences until all 26 letters are represented.
The cipher in the text indicates specific words on a book's page, with the first entry, 534, pointing to page 534, and C2 referring to column two The subsequent numbers identify words within that column, while the names DOUGLAS and BIRLSTONE are mentioned as irrelevant to that page.
The two matrices are utilized in reverse order for decoding. Initially, the ciphertext is arranged in columns within the second matrix, following the sequence specified by the second memory word. Subsequently, the contents of the second matrix are read from left to right and top to bottom, and then organized into columns in the first matrix according to the first memory word. The plaintext is finally read in the same left-to-right, top-to-bottom manner. While this method is considered weak, it can be effective for time-sensitive information, especially when the adversary lacks immediate access to advanced cryptanalysis tools. Additionally, it requires only basic materials like paper and pencil, and the keys are easy to remember.
2.9 PT BOAT ONE OWE NINE LOST IN ACTION IN BLACKETT STRAIT TWO MILES SW MERESU COVE X CREW OF TWELVE X REQUEST ANY
Cyclic rotations of rows and columns result in equivalent substitutions. For instance, the matrix in part a of this problem is derived from the matrix in Problem 2.10a by rotating the columns one step and the rows three steps.
The total number of unique keys in a 5 × 5 configuration is calculated by recognizing that each configuration has five equivalent row rotations and, for each of these, four equivalent column rotations. This results in each configuration representing 25 equivalent configurations. Therefore, the total number of unique keys is given by \( \frac{25!}{25} = 24! \).
2.13 A mixed Caesar cipher The amount of shift is determined by the keyword, which determines the placement of letters in the matrix
2.14 a. Difficulties are things that show what men are. b. Irrationally held truths may be more harmful than reasoned errors.
2.15 a. We need an even number of letters, so append a "q" to the end of the message.
Then convert the letters into the corresponding alphabetic positions:
The calculations proceed two letters at a time. The first pair:
The first two ciphertext characters are alphabetic positions 7 and 22, which correspond to GV. The complete ciphertext:
GVUIGVKODZYPUHEKJHUZWFZFWSJSDZMUDZMYCJQMFWWUQRKR
b. We first perform a matrix inversion. Note that the determinant of the encryption matrix is (9 × 7) – (4 × 5) = 43. Using the matrix inversion formula from the book:
Here we used the fact that \( (43)^{-1} = 23 \) in \( Z_{26} \). Once the inverse matrix has been determined, decryption can proceed. Source: [LEWA00]
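The Hill cipher computation of 2.15, as an added Python example (not code from the manual or from [LEWA00]): it assumes the numbering the solution's figures imply, a = 1 … z = 26 with each plaintext pair as a column vector (so "me" gives positions 7 and 22, GV), inverts the matrix using (43)⁻¹ = 23 in Z26, and decrypts the ciphertext listed above.

```python
K = [[9, 4], [5, 7]]   # encryption matrix of Problem 2.15; det = 9*7 - 4*5 = 43


def letter_to_num(ch):
    """a = 1, ..., z = 26: with this numbering 'me' -> (13, 5) encrypts to (7, 22) = GV."""
    return ord(ch) - ord("a") + 1


def num_to_letter(n):
    """Reduce to 1..26 (a residue of 0 is z) and convert back to a letter."""
    n %= 26
    return chr(ord("a") + (26 if n == 0 else n) - 1)


def mod_inverse(x, m):
    """Inverse by exhaustive search; for x = 43 mod 26 = 17 this returns 23."""
    for y in range(1, m):
        if (x * y) % m == 1:
            return y
    raise ValueError("%d has no inverse mod %d" % (x, m))


def determinant(m):
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def invert_matrix_mod26(m):
    """K^-1 = det^-1 * adj(K) mod 26, the matrix inversion formula used in the solution."""
    det_inv = mod_inverse(determinant(m) % 26, 26)
    adj = [[m[1][1], -m[0][1]], [-m[1][0], m[0][0]]]
    return [[(det_inv * adj[r][c]) % 26 for c in range(2)] for r in range(2)]


def matrix_times_pair(m, p):
    """Column-vector convention c = K p; reduction mod 26 happens in num_to_letter."""
    return [m[0][0] * p[0] + m[0][1] * p[1], m[1][0] * p[0] + m[1][1] * p[1]]


def hill_apply(text, m, pad=True):
    letters = [ch for ch in text.lower() if ch.isalpha()]
    if pad and len(letters) % 2:
        letters.append("q")           # the padding chosen in Problem 2.15a
    out = []
    for i in range(0, len(letters) - 1, 2):
        pair = [letter_to_num(letters[i]), letter_to_num(letters[i + 1])]
        out.extend(num_to_letter(v) for v in matrix_times_pair(m, pair))
    return "".join(out)


def hill_encrypt(plaintext):
    return hill_apply(plaintext, K).upper()


def hill_decrypt(ciphertext):
    return hill_apply(ciphertext, invert_matrix_mod26(K), pad=False)


if __name__ == "__main__":
    ct = "GVUIGVKODZYPUHEKJHUZWFZFWSJSDZMUDZMYCJQMFWWUQRKR"   # ciphertext from 2.15a
    print(invert_matrix_mod26(K))   # [[5, 12], [15, 25]]
    print(hill_decrypt(ct))
```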
2.16 Consider the matrix K with elements \( k_{ij} \) to consist of the set of column vectors \( K_j \), where:
The ciphertext of the following chosen plaintext n-grams reveals the columns of K:
2.18 key: legleglegle plaintext: explanation ciphertext: PBVWETLXOZR
2.20 your package ready Friday 21st room three Please destroy this immediately
2.21 a. Lay the message out in a matrix 8 letters across. Each integer in the key tells you which letter to choose in the corresponding row. Result:
He sits between the cherubim, bringing joy to the isles, much like the rivers in the south. b. The security of the system is questionable: each row offers eight possibilities, so an 8n-letter ciphertext yields \( 8^n \) potential plaintexts. Ultimately, it lacks security, as demonstrated when Lord Peter deciphered it in "The Nine Tailors."
Most modern symmetric block encryption algorithms utilize the Feistel block cipher structure, making an examination of the Feistel design essential for understanding the principles underlying contemporary ciphers.
A stream cipher encrypts digital data one bit or byte at a time, while a block cipher processes a block of plaintext as a whole to generate a ciphertext block of the same length.
Using a small block size, like \( n = 4 \), makes the system similar to a classical substitution cipher, which is susceptible to statistical analysis of the plaintext. Conversely, a larger block size results in a key size approximately equal to \( n \times 2^n \), rendering the system impractical.
In a product cipher, multiple basic ciphers are applied in succession, resulting in a final output that is cryptographically more secure than any individual cipher used in the process.
Block Ciphers and the Data Encryption Standard
The encryption standard limits hardware implementation, raising concerns about the algorithm's execution speed. While it is important to create a complex algorithm to resist cryptanalysis, a clear and concise explanation of the algorithm enhances its analyzability. This clarity allows for better identification of cryptanalytic vulnerabilities, ultimately leading to greater assurance of the algorithm's strength.
3.7 The S-box is a substitution function that introduces nonlinearity and adds to the complexity of the transformation
3.8 The avalanche effect is a property of any encryption algorithm such that a small change in either the plaintext or the key produces a significant change in the ciphertext
3.9 Differential cryptanalysis is a technique in which chosen plaintexts with particular XOR difference patterns are encrypted. The difference patterns of the resulting ciphertext provide information that can be used to determine the encryption key.
Linear cryptanalysis is based on finding linear approximations to describe the transformations performed in a block cipher
For an n-bit block size, there are \( 2^n \) possible plaintext and ciphertext blocks, ranging from 0 to \( 2^n - 1 \). To ensure a reversible mapping, each plaintext block must correspond to a unique ciphertext block. The total number of reversible mappings is \( (2^n)! \). Theoretically, the key length could be \( \log_2((2^n)!) \) bits, which would require maintaining a large mapping table. However, a more efficient approach is to define the key as the sequence of ciphertext values for each plaintext block, from 0 to \( 2^n - 1 \), resulting in a key size of \( n \times 2^n \) bits without the need for a large table.
The key schedule ensures that the round functions in rounds 9 through 16 are mirror images of those in rounds 1 through 8, leading to identical encryption and decryption processes. Given a ciphertext \( c \), we can set \( m' = c \) and request the encryption oracle to encrypt \( m' \), which will return the corresponding ciphertext.
3.3 a. We need only determine the probability that for the remaining N – t plaintexts \( P_i \) we have \( E[K, P_i] \neq E[K', P_i] \). But \( E[K, P_i] = E[K', P_i] \) for all the remaining \( P_i \) with probability \( 1 - \frac{1}{(N - t)!} \).
b. Without loss of generality we may assume \( E[K, P_i] = P_i \), since \( E_K(\cdot) \) ranges over all permutations. We therefore seek the probability that a permutation of \( N - t \) objects has exactly \( t' \) fixed points, which are the additional \( t' \) points of agreement between \( E(K, \cdot) \) and \( E(K', \cdot) \). The number of permutations of \( N - t \) objects with \( t' \) fixed points equals the number of ways in which \( t' \) out of \( N - t \) objects can be fixed, while the remaining \( N - t - t' \) objects are not.
Then using Problem 3.4 we have that
× Pr(no fixed points in N – t – t' objects)
We see that this reduces to the solution to part (a) when t' = N – t
Let \( S_{2^n} \) be the symmetric group on \( 2^n \) objects, i.e., the set of all permutations of \( \{0, 1, \ldots, 2^n - 1\} \), and write \( N = 2^n \). For each \( i \) with \( 0 \leq i \leq N - 1 \), let \( A_i \) be the set of permutations \( \pi \in S_{2^n} \) with \( \pi(i) = i \). Then \( |A_i| = (N - 1)! \), and for any \( k \) distinct indices \( i_1, \ldots, i_k \), \( |A_{i_1} \cap \cdots \cap A_{i_k}| = (N - k)! \). Applying the inclusion-exclusion principle:
Pr(no fixed points in π)
Then since \( e^{-1} \approx 0.368 \), we find that even for small values of N, approximately 37% of permutations contain no fixed points.
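A numerical check of the fixed-point counting in 3.3 through 3.5, as an added Python example (not from the manual): the inclusion-exclusion count of permutations with no fixed points is compared against brute-force enumeration, the exactly-t′-fixed-points probability of 3.3b is computed, and the 37% (e⁻¹) limit is verified.

```python
from itertools import permutations
from math import exp, factorial


def choose(n, k):
    """Binomial coefficient C(n, k): the number of ways to pick which k objects are fixed."""
    return factorial(n) // (factorial(k) * factorial(n - k))


def derangements(n):
    """D(n) = sum_{k=0}^{n} (-1)^k C(n, k) (n - k)! = n! sum (-1)^k / k!, the inclusion-exclusion
    count of permutations of n objects with no fixed point (Problems 3.4/3.5)."""
    return sum((-1) ** k * choose(n, k) * factorial(n - k) for k in range(n + 1))


def derangements_brute(n):
    """Direct enumeration, feasible only for small n; used to validate derangements()."""
    return sum(1 for p in permutations(range(n)) if all(p[i] != i for i in range(n)))


def prob_no_fixed_points(n):
    """Pr(a random permutation of n objects has no fixed point) -> e^-1 ~ 0.368 as n grows."""
    return derangements(n) / factorial(n)


def prob_exactly_fixed(n, t):
    """Problem 3.3b: Pr(exactly t fixed points) = C(n, t) * D(n - t) / n!."""
    return choose(n, t) * derangements(n - t) / factorial(n)


def prob_keys_agree_on_t_more(N, t, t_prime):
    """Problem 3.3: after K and K' agree on t plaintexts, the chance they agree on exactly
    t' of the remaining N - t (modelling E(K', .) as a random permutation of those N - t).
    With t' = N - t this collapses to 1/(N - t)!, the quantity of part (a)."""
    return prob_exactly_fixed(N - t, t_prime)


if __name__ == "__main__":
    for n in range(1, 8):
        print(n, derangements(n), derangements_brute(n), round(prob_no_fixed_points(n), 4))
    print("e^-1 =", round(exp(-1), 4))
```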
Input to the first round of decryption: \( LD_0 RD_0 = RE_{16} LE_{16} = IP(C) = 1111 \ldots 111 \) (64 bits).
Output of the first round of decryption = \( LD_1 RD_1 \).
Thus, bits no. 1 and 16 of the output are equal to '1'.
We are looking for bits no. 1 and 16 of \( RD_1 \) (33 and 48 of the entire output).
From the definition of the permutation P, bit 1 of \( F(RD_0, K_{16}) \) is the fourth output of the S-box S4, while bit 16 is the second output of the S-box S3. These bits are then XOR-ed with the '1's from the corresponding positions of \( LD_0 \).
\( E(RD_0) \oplus K_{16} = 0000 \ldots 000 \) (48 bits), and thus the inputs to all eight S-boxes are equal to "000000".
The output from the S-box S4 is "0111", so its fourth output is '1'. The output from the S-box S3 is "1010", so its second output is '0'. Consequently, after the XOR operation, bit number 33 of the first-round output is '0'.
3.7 In the solution given below the following general properties of the XOR function are used:
\( A \oplus 1 = A' \); \( (A \oplus B)' = A' \oplus B = A \oplus B' \); \( A' \oplus B' = A \oplus B \), where \( A' \) = the bitwise complement of A. a. \( F(R_n, K_{n+1}) = 1 \)
\( L_{n+2} = R_{n+1} = L_n' \); \( R_{n+2} = L_{n+1} = R_n' \), i.e., after each two rounds we obtain the bit complement of the original input, and every four rounds we obtain back the original input:
An input to the inverse initial permutation is R 16 L 16
Therefore, the transformation computed by the modified DES can be represented as follows:
\( C = IP^{-1}(SWAP(IP(M))) \), where SWAP is a permutation exchanging the positions of the two halves of the input: SWAP(A, B) = (B, A).
This function is linear (and affine): a permutation that is the product of three permutations, IP, SWAP, and \( IP^{-1} \). Notably, this permutation differs from the identity permutation. b. \( F(R_n, K_{n+1}) = R_n' \).
\( R_{n+3} = L_{n+2} \oplus F(R_{n+2}, K_{n+3}) = (L_n \oplus R_n') \oplus L_n' = R_n' \oplus 1 = R_n \), i.e., after each three rounds we come back to the original input.
An input to the inverse initial permutation is R 16 L 16
A function described by (1) and (2) is affine, as bitwise complement is affine, and the other transformations are linear
The transformation computed by the modified DES can be represented as follows:
\( C = IP^{-1}(FUN2(IP(M))) \), where \( FUN2(A, B) = (A \oplus B', B) \).
This function is affine as a product of three affine functions
In all cases decryption looks exactly the same as encryption
3.8 a. First, pass the 64-bit input through PC-1 (Table 3.4a) to produce a 56-bit result.
Then perform a left circular shift separately on the two 28-bit halves. Finally, pass the 56-bit result through PC-2 (Table 3.4b) to produce the 48-bit \( K_1 \):
in binary notation: 0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101
in hexadecimal notation: 0B 02 67 9B 49 A5
b. \( L_0 \), \( R_0 \) are derived by passing the 64-bit plaintext through IP (Table 3.2a):
\( R_0 \) = 1111 0000 1010 1010 1111 0000 1010 1010
c. The E table (Table 3.2c) expands \( R_0 \) to 48 bits:
\( S8_{10}(1000) = S8_{2}(8) \) = 0 (base 10) = 0000 (base 2)
f. B = 0000 1100 0010 0001 0110 1101 0101 0000
g. Using Table 3.2d, P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h. \( R_1 \) = 0101 1110 0001 1100 1110 1100 0110 0011
i. \( L_1 = R_0 \). The ciphertext is the concatenation of \( L_1 \) and \( R_1 \). Source: [MEYE82]
3.9 The reasoning for the Feistel cipher, as shown in Figure 3.6, applies in the case of DES. We only have to show the effect of the IP and \( IP^{-1} \) functions. For encryption, the input to the final \( IP^{-1} \) is \( RE_{16} || LE_{16} \), and the output of that stage is the ciphertext.
On decryption, the first step is to take the ciphertext and pass it through IP.
Because IP is the inverse of \( IP^{-1} \), the result of this operation is \( RE_{16} || LE_{16} \), which is equivalent to \( LD_0 || RD_0 \). Following the same reasoning as for the Feistel cipher, we reach a point where \( LE_0 = RD_{16} \) and \( RE_0 = LD_{16} \). Decryption is then completed by passing \( LD_0 || RD_0 \) through \( IP^{-1} \).
Again, because IP is the inverse of \( IP^{-1} \), passing the plaintext through IP as the first step of encryption yields \( LD_0 || RD_0 \), thus showing that decryption is the inverse of encryption.
3.10 a Let us work this from the inside out
b. PC-1 is fundamentally similar to IP, with every eighth bit removed, allowing for a comparable implementation. However, it lacks any notable cryptographic significance.
3.13 a The equality in the hint can be shown by listing all 1-bit possibilities:
The equality \( A \oplus B = A' \oplus B' \) is clearly valid. In Figure 3.8, if both the plaintext and the key in an encryption are complemented, the inputs to the first XOR are both complemented, so its output is the same as for uncomplemented inputs. In the second XOR, only one input is complemented, so its output is the complement of what would be produced with uncomplemented inputs. b. In a chosen plaintext attack, if for chosen plaintext \( X \) the analyst can obtain \( Y_1 = E[K, X] \) and \( Y_2 = E[K, X'] \), then an exhaustive key search requires only \( 2^{55} \) encryptions rather than \( 2^{56} \). To see this, note that \( (Y_2)' = E[K', X] \). Now pick a test key \( T \) and perform \( E[T, X] \). If the result is \( Y_1 \), then \( T \) is the correct key. If the result is \( (Y_2)' \), then \( T' \) is the correct key. If neither result appears, two potential keys have been eliminated with one encryption.
The result can be illustrated by examining how the bits are used. A straightforward way to visualize this is to number the 64 bits of the key, reading each vertical column of two digits as a number:
The first bit of the key is numbered 21, the next 10, then 13, and so on, with eight bits left unnumbered. The numbers used are 01 through 28 and 30 through 57, which makes the selection of the subkeys easy to follow. The subkey for the first iteration consists of 48 bits, specifically those numbered 01 through 24 and 30 through 53, in natural numerical order. The first 24 bits of each subkey will always be from the bits designated 01 through 28, and the second 24 bits of each subkey will always be from the bits designated 30 through 57.
Finite Fields
a. Yes. The identity element is 0, and the inverses of 0, 1, 2 are respectively 0, 2, 1. b. No. The identity element is 1, but 0 has no inverse.
4.3 S is a ring We show using the axioms in Figure 4.1:
(A1) Closure: The sum of any two elements in S is also in S
(A2) Associative: S is associative under addition, by observation
(A3) Identity element: a is the additive identity element for addition
(A4) Inverse element: The additive inverses of a and b are b and a, respectively
(A5) Commutative: S is commutative under addition, by observation
(M1) Closure: The product of any two elements in S is also in S
(M2) Associative: S is associative under multiplication, by observation
(M3) Distributive laws: S is distributive with respect to the two operations, by observation
4.4 The equation is the same. For integer a < 0, a will either be an integer multiple of n or fall between two consecutive multiples qn and (q + 1)n, where q < 0. The remainder satisfies the condition 0 ≤ r ≤ n.
4.5 In this diagram, q is a negative integer
4.6 a. 2 b. 3 c. 4. There are other correct answers.
4.7 Section 4.2 defines the relationship \( a = n \times \lfloor a/n \rfloor + (a \bmod n) \). Thus, we can define the mod operator as \( a \bmod n = a - n \times \lfloor a/n \rfloor \). a. \( 5 \bmod 3 = 5 - 3 \times \lfloor 5/3 \rfloor = 2 \) b. \( 5 \bmod (-3) = 5 - (-3) \times \lfloor 5/(-3) \rfloor = -1 \) c. \( (-5) \bmod 3 = -5 - 3 \times \lfloor (-5)/3 \rfloor = 1 \) d. \( (-5) \bmod (-3) = -5 - (-3) \times \lfloor (-5)/(-3) \rfloor = -2 \)
This example is from [GRAH94]
4.9 Recall Figure 4.2 and that any integer a can be written in the form a = qn + r where q is some integer and r one of the numbers
According to the second definition, the remainders listed are not congruent modulo \( n \) since their differences are less than \( n \), indicating that \( n \) does not divide these differences Consequently, if two numbers are not congruent modulo \( n \), they must yield different remainders Thus, we can conclude that \( n \) divides \( (a - b) \) if and only if \( a \) and \( b \) share the same remainder when divided by \( n \).
4.11 a. This is the definition of congruence as used in Section 4.2. b. The first two statements mean \( a - b = nk \); \( b - c = nm \), so that \( a - c = (a - b) + (b - c) = n(k + m) \).
4.12 a. Let \( c = a \bmod n \) and \( d = b \bmod n \). Then \( c = a + kn \); \( d = b + mn \); \( c - d = (a - b) + (k - m)n \).
Therefore \( (c - d) = (a - b) \bmod n \). b. Using the definitions of c and d from part (a), \( cd = ab + n(kb + ma + kmn) \).
4.14 We have \( 1 \equiv 1 \pmod 9 \); \( 10 \equiv 1 \pmod 9 \); \( 10^2 \equiv 10(10) \equiv 1(1) \equiv 1 \pmod 9 \); \( 10^{n-1} \equiv 1 \pmod 9 \). Express N as \( a_0 + a_1 10^1 + \cdots + a_{n-1} 10^{n-1} \). Then \( N \equiv a_0 + a_1 + \cdots + a_{n-1} \pmod 9 \).
4.15 a. gcd(24140, 16762) = gcd(16762, 7378) = gcd(7378, 2006) = gcd(2006, 1360) = gcd(1360, 646) = gcd(646, 68) = gcd(68, 34) = gcd(34, 0) = 34 b. 35
4.16 a. We want to show that \( m > 2r \). This is equivalent to \( qn + r > 2r \), which is equivalent to \( qn > r \). Since \( n > r \), we must have \( qn > r \). b. If you study the pseudocode for Euclid's algorithm in the text, you can see that the relationships established by the algorithm can be expressed as
\( A_i = q_{i+1} A_{i+1} + A_{i+2} \). The relationship \( A_{i+2} < A_i / 2 \) follows immediately from (a). c. From (b), we see that \( A_3 < 2^{-1} A_1 \), that \( A_5 < 2^{-1} A_3 < 2^{-2} A_1 \), and in general that
\( A_{2j+1} < 2^{-j} A_1 \) for all integers \( j \) with \( 1 < 2j + 1 \leq k + 2 \), where \( k \) is the number of steps in the algorithm. If \( k \) is odd, take \( j = \frac{k + 1}{2} \) to obtain \( N > \frac{k + 1}{2} \); if \( k \) is even, take \( j = \frac{k}{2} \) to obtain \( N > \frac{k}{2} \). In either case, \( k < 2N \).
4.17 a Euclid: gcd(2152, 764) = gcd(764, 624) = gcd(624, 140) = gcd(140, 64) = gcd(64,
\( A_{18} = 2, B_{18} = 1, C_{18} = 4 \); \( A_{19} = 1, B_{19} = 1, C_{19} = 4 \); gcd(2152, 764) = 1 × 4 = 4. b. Euclid's algorithm requires a "long division" at each step, whereas the Stein algorithm only requires division by 2, which is a simple operation in binary arithmetic.
4.18 a. If \( A_n \) and \( B_n \) are both even, then \( 2 \times \gcd(A_{n+1}, B_{n+1}) = \gcd(A_n, B_n) \). But \( C_{n+1} = 2C_n \), and therefore the relationship holds.
If one of \( A_n \) and \( B_n \) is even and one is odd, then dividing the even number by 2 does not change the gcd. Therefore, \( \gcd(A_{n+1}, B_{n+1}) = \gcd(A_n, B_n) \). But \( C_{n+1} = C_n \), and therefore the relationship holds.
If both \( A_n \) and \( B_n \) are odd, we can use the following reasoning based on the rules of modular arithmetic. Let \( D = \gcd(A_n, B_n) \). Then D divides \( |A_n - B_n| \) and D divides \( \min(A_n, B_n) \). Therefore, \( \gcd(A_{n+1}, B_{n+1}) = \gcd(A_n, B_n) \). But \( C_{n+1} = C_n \), and therefore the relationship holds.
The relationship between \( A_n \) and \( B_n \) is maintained, particularly when at least one of \( A_n \) or \( B_n \) is even, leading to a division by 2 in the generation of \( A_{n+1} \) and \( B_{n+1} \) This ensures that the relationship continues to hold true.
If both \( A_n \) and \( B_n \) are odd, then \( A_{n+1} \) is even, confirming the relationship Every two iterations reduce the product \( AB \) by a factor of 2, starting from \( AB < 2^{2N} \) There are at most \( \log(2^{2N}) = 2N \) pairs of iterations, leading to a maximum of \( 4N \) iterations Initially, we have \( A_1 = A \), \( B_1 = B \), and \( C_1 = 1 \), which gives \( C_1 \times \gcd(A_1, B_1) = \gcd(A, B) \) By extending this, we find that \( C_n \times \gcd(A_n, B_n) = \gcd(A, B) \) The algorithm concludes when \( A_n = B_n \), at which point \( \gcd(A_n, B_n) = A_n \), resulting in \( C_n \times A_n = \gcd(A, B) \).
4.19 a. 3239 b. gcd(40902, 24140) = 34 ≠ 1, so there is no multiplicative inverse c. 550
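Euclid's and Stein's algorithms with the (A_n, B_n, C_n) bookkeeping of 4.15 through 4.19, as an added Python example (not the manual's code): the traces reproduce the gcd chains above, and the extended algorithm yields the inverses of 4.19. The moduli 4321 (for 1234) and 1769 (for 550) are assumed from the problem statements, which this page does not reproduce.

```python
def euclid_trace(a, b):
    """Euclid's algorithm: the successive (a, b) pairs, written the way 4.15a and 4.17a list them."""
    trace = [(a, b)]
    while b != 0:
        a, b = b, a % b
        trace.append((a, b))
    return trace


def gcd_euclid(a, b):
    return euclid_trace(a, b)[-1][0]


def stein_trace(a, b):
    """Stein's binary gcd with the bookkeeping of Problems 4.17/4.18:
    A1 = a, B1 = b, C1 = 1, and at each step
      both even  -> halve both, double C
      one even   -> halve the even one, C unchanged
      both odd   -> (|A - B|, min(A, B)), C unchanged
    until A_n = B_n, when gcd(a, b) = C_n * A_n."""
    if a <= 0 or b <= 0:
        raise ValueError("Stein's algorithm as stated needs positive inputs")
    A, B, C = a, b, 1
    trace = [(A, B, C)]
    while A != B:
        if A % 2 == 0 and B % 2 == 0:
            A, B, C = A // 2, B // 2, 2 * C
        elif A % 2 == 0:
            A //= 2
        elif B % 2 == 0:
            B //= 2
        else:
            A, B = abs(A - B), min(A, B)
        trace.append((A, B, C))
    return trace


def gcd_stein(a, b):
    A, _, C = stein_trace(a, b)[-1]
    return C * A


def extended_euclid(m, b):
    """Return (d, x, y) with d = gcd(m, b) and m*x + b*y = d."""
    old_r, r = m, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(b, m):
    """Problem 4.19: the inverse of b mod m, or None when gcd(b, m) != 1 (as in part b)."""
    d, _, y = extended_euclid(m, b)
    if d != 1:
        return None
    return y % m


if __name__ == "__main__":
    print(euclid_trace(24140, 16762))          # ends (34, 0): gcd = 34, Problem 4.15a
    print(stein_trace(2152, 764)[-1])          # (1, 1, 4): gcd = 4, Problem 4.17a
    print(mod_inverse(1234, 4321))             # 3239   (modulus assumed, see lead-in)
    print(mod_inverse(24140, 40902))           # None   (gcd = 34, Problem 4.19b)
    print(mod_inverse(550, 1769))              # 550    (modulus assumed, see lead-in)
```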
4.21 Let S be the set of polynomials whose coefficients form a field F. Recall that addition is defined as follows: for \( f(x) = \sum_{i=0}^{n} a_i x^i \) and \( g(x) = \sum_{i=0}^{m} b_i x^i \) with \( n \geq m \), addition is defined as \( f(x) + g(x) = \sum_{i=0}^{n} (a_i + b_i) x^i \).
Using the axioms in Figure 4.1, we now examine the addition operation:
(A1) Closure: The sum of any two elements in S is also in S This is so because the sum of any two coefficients is also a valid coefficient, because F is a field
(A2) Associative: S is associative under addition This is so because coefficient addition is associative
(A3) Identity element: 0 is the additive identity element for addition
(A4) Inverse element: The additive inverse of a polynomial f(x) is the polynomial with the coefficients \( -a_i \)
(A5) Commutative: S is commutative under addition This is so because coefficient addition is commutative
Multiplication is defined as follows: \( f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i \), where \( c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0 \)
In the last formula, we treat a i as zero for i > n and b i as zero for i > m
(M1) Closure: The product of any two elements in S is also in S This is so because the product of any two coefficients is also a valid coefficient, because F is a field
(M2) Associative: S is associative under multiplication This is so because coefficient multiplication is associative
(M3) Distributive laws: S is distributive with respect to the two operations, by the field properties of the coefficients
The equation for \( c_k \) indicates that for \( k = n + m \) with monic functions \( f(x) \) and \( g(x) \), the only nonzero term is \( a_n b_m \), which equals 1 Therefore, \( c_{n+m} = a_n b_m \neq 0 \) Additionally, when \( m \neq n \), the highest degree coefficient corresponds to \( \max[m,n] \) However, this is not true in general when \( m = n \), as the highest-degree coefficients may cancel each other out.
a. Reducible: \( (x + 1)(x^2 + x + 1) \). b. Irreducible: if the polynomial were reducible, one of its factors would be \( x \) or \( (x + 1) \), so it would have the root \( x = 0 \) or \( x = 1 \); substituting these values shows that it has no roots. c. Reducible: \( (x + 1)^4 \).
5.1 Security: Actual security; randomness; soundness, other security factors
Cost: Licensing requirements; computational efficiency; memory requirements Algorithm and Implementation Characteristics: Flexibility; hardware and software suitability; simplicity
5.2 General security; software implementations; restricted-space environments; hardware implementations; attacks on implementations; encryption vs decryption; key agility; other versatility and flexibility; potential for instruction-level parallelism
Power analysis is based on the principle that the power consumption of a smart card during cryptographic operations correlates with the specific instruction being executed and the data being processed.
5.4 Rijndael allows for block lengths of 128, 192, or 256 bits AES allows only a block length of 128 bits
5.5 The State array holds the intermediate results on the 128-bit block at each stage in the processing
5.6 1 Initialize the S-box with the byte values in ascending sequence row by row
The first row contains {00}, {01}, {02}, etc., the second row contains {10}, {11}, etc., and so on Thus, the value of the byte at row x, column y is {xy}
2. Map each byte in the S-box to its multiplicative inverse in the finite field \( GF(2^8) \); the value {00} is mapped to itself
In the S-box, each byte is composed of 8 bits, denoted as \(b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0\) To transform each bit of these bytes, the following operation is applied: \(b_i' = b_i \oplus b_{(i+4) \mod 8} \oplus b_{(i+5) \mod 8} \oplus b_{(i+6) \mod 8} \oplus b_{(i+7) \mod 8} \oplus c_i\), where \(c_i\) represents the \(i\)th bit of the byte \(c\) with a value of 63, specifically \(c = (01100011)\) The prime symbol (') indicates that the variable is updated with the value calculated on the right side of the equation.
Advanced Encryption Standard
Each byte of State is mapped into a new byte in the following way: the leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
The first row of the State remains unchanged, while the second row undergoes a 1-byte circular left shift The third row is modified with a 2-byte circular left shift, and the fourth row is adjusted with a 3-byte circular left shift.
5.10 MixColumns operates on each column individually Each byte of a column is mapped into a new value that is a function of all four bytes in that column
5.11 The 128 bits of State are bitwise XORed with the 128 bits of the round key
5.12 The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes). The expansion is defined by the pseudocode in Section 5.2
The SubBytes transformation processes the State by mapping each byte to a new byte through the S-box, while SubWord applies a similar mapping to each byte of an input word using the S-box.
ShiftRows, as detailed in Question 5.8, is a crucial operation in the encryption process The RotWord function executes a one-byte circular left shift on a word, effectively mirroring the ShiftRows operation applied to the second row of the State.
The AES decryption algorithm employs a different sequence of transformations compared to encryption, despite having identical key schedules The decryption process mirrors the encryption algorithm's transformations, but with each transformation replaced by its inverse To maintain this equivalence, adjustments to the key schedule are necessary.
5.1 We want to show that \( d(x) = a(x) \times b(x) \bmod (x^4 + 1) = 1 \). Substituting into Equation (5.12) in Appendix 5A, we have the equations for \( d_0, d_1, d_2, d_3 \):
But this is the same set of equations discussed in the subsection on the MixColumns transformation.
The first equation is verified in the text. For the second equation, we have {09} • {02} = 00010010; and {0D} • {03} = {0D} ⊕ ({0D} • {02}) = 00001101 ⊕ 00011010 = 00010111. Then
For the third equation, we have {0D} • {02} = 00011010; and {0B} • {03} = {0B} ⊕ ({0B} • {02}) = 00001011 ⊕ 00010110 = 00011101. Then
For the fourth equation, we have {0B} • {02} = 00010110; and {0E} • {03} = {0E} ⊕ ({0E} • {02}) = 00001110 ⊕ 00011100 = 00010010. Then
5.2 a. {01} b. We need to show that the transformation defined by Equation 5.2, when applied to \( \{01\}^{-1} \), produces the correct entry in the S-box. We have
The result is {7C}, which is the same as the value for {01} in the S-box (Table 5.4a)
5.5 It is easy to see that \( x^4 \bmod (x^4 + 1) = 1 \). This is so because we can write \( x^4 = [1 \times (x^4 + 1)] + 1 \). Recall that the addition operation is XOR. Then \( x^8 \bmod (x^4 + 1) = [x^4 \bmod (x^4 + 1)] \times [x^4 \bmod (x^4 + 1)] = 1 \times 1 = 1 \).
So, for any positive integer a, \( x^{4a} \bmod (x^4 + 1) = 1 \). Now consider any integer i of the form \( i = 4a + (i \bmod 4) \). Then \( x^i \bmod (x^4 + 1) = [(x^{4a}) \times (x^{i \bmod 4})] \bmod (x^4 + 1) \)
\( = [x^{4a} \bmod (x^4 + 1)] \times [x^{i \bmod 4} \bmod (x^4 + 1)] = x^{i \bmod 4} \). The same result can be demonstrated using long division.
The AddRoundKey, MixColumns, SubBytes, and ShiftRows steps each play a role in AES. MixColumns causes bytes within a column to interact, SubBytes introduces nonlinearity, and ShiftRows permutes bytes across columns. Notably, AES does not need wholesale swapping of rows or columns: MixColumns already alters every byte in a column, so row swaps are unnecessary, and ShiftRows already moves bytes between columns, so column swaps are unnecessary. (These observations were provided by John Savard.)
To ensure that a multiplication always takes the same amount of time regardless of the argument value, insert no-operation cycles as needed so that every multiplication runs for the worst-case number of cycles.
Verification with the InvMixColumns transformation gives back the input.
After changing one bit in the input, Input′ = 77 89 AB CD, and the corresponding output changes as follows:
The number of bits that changed in the output as a result of a single-bit change in the input is 5.
To get the above result, observe that (x^5 + x^2 + x) mod (x^4 + x + 1) = 0, since x^5 + x^2 + x = x(x^4 + x + 1).
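The GF(2^8) arithmetic behind Problem 5.1 and the MixColumns computation above, as an added worked example (not code from the solutions manual). It assumes the input column of the MixColumns problem is 67 89 AB CD, of which the page shows only the one-bit variant 77 89 AB CD; the modulus, the polynomial a(x) and its inverse b(x) are the AES definitions used in the text.

```python
"""GF(2^8) arithmetic behind AES MixColumns and InvMixColumns.

Added example (not code from the solutions manual). Uses the AES
irreducible polynomial x^8 + x^4 + x^3 + x + 1 and the MixColumns
polynomials a(x) = {03}x^3 + {01}x^2 + {01}x + {02} and
b(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E} from the text.
"""

AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1

# Coefficients indexed by power of x: [c0, c1, c2, c3]
MIXCOL_A = [0x02, 0x01, 0x01, 0x03]      # a(x), MixColumns
MIXCOL_B = [0x0E, 0x09, 0x0D, 0x0B]      # b(x) = a(x)^-1, InvMixColumns


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-add with reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:                    # an x^8 term appeared: reduce it
            a ^= AES_MODULUS
        b >>= 1
    return product & 0xFF


def poly_mul_mod_x4_plus_1(a: list, b: list) -> list:
    """Multiply two polynomials with GF(2^8) coefficients modulo x^4 + 1.

    Since x^4 = 1, the coefficient of x^i is the XOR over j of a_j * b_(i-j mod 4),
    which is the circulant-matrix form of Equation (5.12).
    """
    return [
        gf_mul(a[0], b[i]) ^ gf_mul(a[1], b[(i - 1) % 4])
        ^ gf_mul(a[2], b[(i - 2) % 4]) ^ gf_mul(a[3], b[(i - 3) % 4])
        for i in range(4)
    ]


def mix_column(col: list) -> list:
    """MixColumns on one 4-byte column: a(x) * s(x) mod (x^4 + 1)."""
    return poly_mul_mod_x4_plus_1(MIXCOL_A, col)


def inv_mix_column(col: list) -> list:
    """InvMixColumns on one column: b(x) * s(x) mod (x^4 + 1)."""
    return poly_mul_mod_x4_plus_1(MIXCOL_B, col)


def bits_changed(x: list, y: list) -> int:
    """Hamming distance between two byte lists."""
    return sum(bin(p ^ q).count("1") for p, q in zip(x, y))


if __name__ == "__main__":
    # Problem 5.1: a(x) * b(x) mod (x^4 + 1) is the constant polynomial 1.
    print(poly_mul_mod_x4_plus_1(MIXCOL_A, MIXCOL_B))     # [1, 0, 0, 0]
    # Assumed problem input (67 89 AB CD) and its one-bit variant from the page.
    col = [0x67, 0x89, 0xAB, 0xCD]
    col_prime = [0x77, 0x89, 0xAB, 0xCD]
    out, out_prime = mix_column(col), mix_column(col_prime)
    print([hex(v) for v in out], [hex(v) for v in out_prime])
    print(inv_mix_column(out) == col, bits_changed(out, out_prime))  # True 5
```

The single-bit change flips 5 output bits here; the full avalanche only arrives after ShiftRows and further rounds spread those bits across columns.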
5.12 The decryption process should be the reverse of the encryption process
Triple encryption encrypts a plaintext block three times with the same algorithm: the plaintext is encrypted, the output is encrypted again (in the usual construction the second stage uses the decryption algorithm rather than the encryption algorithm), and the result is encrypted a third time.
An attack on double encryption needs a known (plaintext, ciphertext) pair. The plaintext is encrypted under every possible first-stage key to produce a set of intermediate values, the ciphertext is decrypted under every possible second-stage key to produce another set, and the two sets are matched by table lookup. For k-bit keys this costs on the order of 2^(k+1) cipher operations instead of the 2^(2k) needed to try all key pairs by brute force.
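The meet-in-the-middle attack just described, as an added worked example (not code from the solutions manual). The block cipher is a constructed 4-round Feistel toy with a 32-bit block and a 16-bit key so that the 2^32 key pairs can be recovered in seconds; it is not DES and makes no security claim, and the known plaintext/ciphertext pairs are constructed from the chosen keys.

```python
"""Meet-in-the-middle attack on double encryption with a toy block cipher.

Added example (not code from the solutions manual). The cipher below is a
constructed 4-round Feistel network with a 32-bit block and a 16-bit key,
chosen so that the 2^32 key pairs of double encryption can be recovered
on a laptop; it is not a real cipher and has no security claims.
"""

KEY_BITS = 16
MASK16 = 0xFFFF


def _round_function(half: int, subkey: int) -> int:
    """Constructed nonlinear mixing of a 16-bit half with a 16-bit subkey."""
    x = (half ^ subkey) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    x ^= x >> 7
    return ((x << 5) | (x >> 11)) & MASK16


def _subkeys(key: int, rounds: int = 4) -> list:
    return [(key + 0x1111 * r) & MASK16 for r in range(rounds)]


def toy_encrypt(block: int, key: int) -> int:
    left, right = block >> 16, block & MASK16
    for subkey in _subkeys(key):
        left, right = right, left ^ _round_function(right, subkey)
    return (right << 16) | left          # undo the final swap


def toy_decrypt(block: int, key: int) -> int:
    left, right = block >> 16, block & MASK16
    for subkey in reversed(_subkeys(key)):
        left, right = right, left ^ _round_function(right, subkey)
    return (right << 16) | left


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs: list) -> list:
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Cost is about 2 * 2^KEY_BITS cipher operations plus a table of 2^KEY_BITS
    entries, instead of 2^(2*KEY_BITS) for brute force over all key pairs.
    The first pair builds the table; the remaining pairs weed out false matches.
    """
    p0, c0 = pairs[0]
    middle = {}                                   # E(k1, p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(toy_decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


# Constructed test data: the attacker is given these pairs, not the keys.
TRUE_K1, TRUE_K2 = 0x1234, 0xBEEF
PLAINTEXTS = [0x00112233, 0x44556677, 0xDEADBEEF]
KNOWN_PAIRS = [(p, double_encrypt(p, TRUE_K1, TRUE_K2)) for p in PLAINTEXTS]

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(KNOWN_PAIRS)])
```

With a single known pair roughly one false (k1, k2) match is expected in addition to the true one, which is why the second and third pairs are used as a filter; the same reasoning is what makes three-key 3DES resistant to this attack at the 2^112 level.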
6.3 Triple encryption can be used with three distinct keys for the three stages; alternatively, the same key can be used for the first and third stage
The use of decryption in the second stage of 3DES has no cryptographic significance; its benefit is that a 3DES user can decrypt data encrypted by users of the older single DES by repeating the same key in all three stages, so that EDE reduces to a single DES encryption.
6.5 1. The encryption sequence should have a large period.
2. The keystream should approximate the properties of a true random number stream as closely as possible.
3. To protect against brute-force attacks, the key must be sufficiently long. The same considerations that apply to block ciphers apply here, so with today's technology a key length of at least 128 bits is desirable.
If two plaintexts are encrypted with the same key using a stream cipher, cryptanalysis is often quite simple: XORing the two ciphertext streams yields the XOR of the original plaintexts, and if the plaintexts are text strings, credit card numbers, or other byte streams with known structure, this usually leads to a successful cryptanalysis.
6.7 The actual encryption involves only the XOR operation Key stream generation involves the modulo operation and byte swapping
6.8 In some modes, the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function The math works out that for
More on Symmetric Ciphers
6.1 a. With secret initialization vectors (IVs), the 3-loop configuration is more secure against brute-force attack, since more bits (the additional IVs) must be determined than in the 1-loop setup. For software implementations, performance is about the same, although the 1-loop method needs two fewer XOR operations per block. The 3-loop approach may gain an advantage by processing a larger set of blocks with a single key before switching. Overall, the performance differences arising from the choice of mode are likely to be less significant than variations caused by programming style.
b. In hardware, the 3-loop method is three times faster than the 1-loop method because of pipelining. Let P_i be the stream of input plaintext blocks, X_i the output of the first DES, Y_i the output of the second DES, and C_i the output of the final DES, which is the system's ciphertext.
In the 1-loop case, we have:
[where C_0 is the single IV]
If P_1 is presented at t = 0 (where time is measured in units of DES operations), X_1 will be available at t = 1, Y_1 at t = 2 and C_1 at t = 3. At t = 1, the first DES is free to do more work, but that work will be:
X_2 = DES(XOR(P_2, C_1))
but C_1 is not available until t = 3, therefore X_2 cannot be available until t = 4, Y_2 at t = 5 and C_2 at t = 6.
In the 3-loop case, we have:
[where X_0, Y_0 and C_0 are three independent IVs]
If P_1 is presented at t = 0, X_1 is available at t = 1. Both X_2 and Y_1 are available at t = 2. X_3, Y_2 and C_1 are available at t = 3. X_4, Y_3 and C_2 are available at t = 4.
Therefore, a new ciphertext block is produced every tick, as opposed to every 3 ticks in the single-loop case. This gives the three-loop construct a throughput three times that of the one-loop construct.
c. To enhance security, ECB can be used in place of CBC. The final initialization vector (IV) is then unnecessary, and the absence of a feedback loop mitigates the risk of chosen-ciphertext differential cryptanalysis. The additional IVs still add to the key material that must be recovered in a known-plaintext attack.
6.2 The Merkle-Hellman attack finds the two keys K_1 and K_2 by locating a plaintext-ciphertext pair for which the intermediate value A equals 0. The first step is to generate the list of all plaintexts that produce A = 0:
P_i = D[i, 0] for i = 0, 1, …, 2^56 – 1
Then use each P_i as a chosen plaintext and obtain the corresponding ciphertext C_i:
C_i = E[i, P_i] for i = 0, 1, …, 2^56 – 1
The next step is to calculate the intermediate value B_i for each C_i using K_3 = K_1 = i.
A table is then built of triples of the form (P_i or B_i, i, flag), where the flag indicates whether the triple is of P-type or B-type. (The 2^56 P_i values can also serve as intermediate B values.) All P_i and B_i values are placed in the table, which is sorted on the first entry of each triple, and a search is made for adjacent P and B entries with B_i = P_j. Each matching pair of indices (i, j) is a candidate for the key pair (K_1, K_2). The candidate pairs are then tested against additional plaintext-ciphertext pairs to eliminate false positives.
6.3 If block C_1 is corrupted, the output block P_3 is unaffected, because P_3 depends only on the input blocks C_2 and C_3. An error in P_1 affects C_1, which affects C_2, and so on, so the error propagates to all subsequent ciphertext blocks. On decryption, however, the algorithm recovers the correct plaintext for every block except the one that was corrupted: the error is confined to the corresponding decrypted plaintext block.
6.4 Nine plaintext characters are affected. The plaintext character corresponding to the modified ciphertext character is obviously altered; in addition, the altered ciphertext character enters the shift register and is not removed until the next eight characters have been processed.
After decryption, the last byte of the last block gives the number of padding bytes to remove. For this to work there must always be at least one byte of padding.
6.8 a. Assume that the last block of plaintext is only L bytes long, where L < 2w/8. The encryption sequence is as follows (the description in RFC 2040 has an error; the description here is correct):
1. Encrypt the first (N – 2) blocks using the traditional CBC technique.
2. XOR P_{N–1} with the previous ciphertext block C_{N–2} to create Y_{N–1}.
3. Encrypt Y_{N–1} to create E_{N–1}.
4. Select the first L bytes of E_{N–1} to create C_N.
5. Pad P_N with zeros at the end and XOR with E_{N–1} to create Y_N.
6. Encrypt Y_N to create C_{N–1}.
The last two blocks of the ciphertext are C_{N–1} and C_N.
b. P_{N–1} = C_{N–2} ⊕ D(K, [C_N || X])
P_N = left-hand portion of (P_N || X)
where || is the concatenation function.
6.9 a. Assume that the last block (P_N) has j bits. After encrypting the last full block, encrypt the ciphertext again, select the leftmost j bits of the re-encrypted ciphertext C_{N–1}, and XOR that with the short block to generate the output ciphertext.
b. Although an attacker cannot recover the last plaintext block, he can change it systematically by changing individual bits of the ciphertext: each bit of the short ciphertext block flips the corresponding bit of the last plaintext block.
6.10 Use a key of length 256 bytes. The first two bytes are zero, that is, K[0] = K[1] = 0. Thereafter, we have K[2] = 255, K[3] = 254, …, K[255] = 2 (that is, K[i] = 257 – i for 2 ≤ i ≤ 255). With this key, j = i at every step of the key-scheduling algorithm, so every swap is a no-op and S is left as the identity permutation.
6.11 a. Simply store i, j, and S, which requires 8 + 8 + (256 × 8) = 2064 bits.
b. The number of states is [256! × 256^2] ≈ 2^1700. Therefore, 1700 bits are required.
6.12 a. By taking the first 80 bits of v || c, we obtain the initialization vector v. Since v, c and k are known, the message can be recovered (i.e., decrypted) by computing RC4(v || k) ⊕ c.
b. If an adversary observes that v_i = v_j for distinct i and j, then the same key stream was used to encrypt both m_i and m_j, and the two messages are exposed to the cryptanalysis discussed previously (Question 6.6).
c. Since the key is constant, the key stream depends only on the randomly chosen 80-bit value v. By the birthday paradox, after approximately √(π/2 × 2^80) ≈ 2^40 messages are sent, we expect the same v, and hence the same key stream, to be used more than once.
d. The key k should be changed sometime before 2^40 messages are sent.
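RC4 as used in Questions 6.7, 6.10 and 6.12, as an added worked example (not code from the solutions manual): the key scheduling and keystream generation, the 256-byte key from the answer to Problem 6.10 that leaves S as the identity permutation, and the IV-prefixed construction of Problem 6.12 showing what an IV collision leaks. The keys, IVs and messages are constructed for the demonstration; the `"Key"`/`"Plaintext"` vector is the standard published RC4 test vector.

```python
"""RC4 key scheduling, keystream generation and two keystream-reuse checks.

Added example (not code from the solutions manual). The weak key below is
the one from the answer to Problem 6.10 (K[0] = K[1] = 0, K[i] = 257 - i
for 2 <= i <= 255), and the IV-prefixed key RC4(v || k) is the construction
of Problem 6.12. Messages, keys and IVs are constructed for the demonstration.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: returns the initial permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation algorithm: the first `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Problem 6.10: a 256-byte key for which j == i at every KSA step, so S stays identity.
IDENTITY_KEY = bytes([0, 0] + [257 - i for i in range(2, 256)])


def encrypt_with_iv(k: bytes, v: bytes, message: bytes) -> bytes:
    """Problem 6.12 scheme: transmit v || (RC4(v || k) XOR message)."""
    return v + rc4_crypt(v + k, message)


def two_time_pad_leak(packet1: bytes, packet2: bytes, iv_len: int):
    """If two packets reuse an IV (hence a keystream), c1 XOR c2 = m1 XOR m2.

    Returns the XOR of the two plaintexts, or None when the IVs differ.
    """
    if packet1[:iv_len] != packet2[:iv_len]:
        return None
    return xor_bytes(packet1[iv_len:], packet2[iv_len:])


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    print(rc4_ksa(IDENTITY_KEY) == list(range(256)))      # True
    k, v = b"long-term-key", bytes(10)                    # constructed 80-bit IV, reused
    m1, m2 = b"attack at dawn", b"retreat at noon"
    pkt1, pkt2 = encrypt_with_iv(k, v, m1), encrypt_with_iv(k, v, m2)
    print(two_time_pad_leak(pkt1, pkt2, 10) == xor_bytes(m1, m2))  # True
```

The leak function returns exactly what the answer to Question 6.6 describes: knowing m1 XOR m2 and the structure of either message is usually enough to recover both.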
7.1 LAN, dial-in communications server, Internet, wiring closet
Link encryption secures each vulnerable communication link with encryption devices at both ends, while end-to-end encryption ensures that the data is encrypted by the source host before being transmitted unchanged across the network to the destination terminal.
7.3 Identities of partners; how frequently the partners are communicating; message pattern, message length, and quantity of messages that suggest important information is being exchanged; and the events that correlate with special conversations between particular partners.
7.4 Traffic padding produces ciphertext output continuously, even when no plaintext is present: when plaintext is available it is encrypted and transmitted; otherwise random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish true data flow from padding and therefore impossible to infer the amount of traffic.
7.5 For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1 A can select a key and physically deliver it to B
2 A third party can select the key and physically deliver it to A and B
3 If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key
4 If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B
7.6 A session key is a temporary encryption key used between two principals. A master key is a long-lasting key that is used between a key distribution center and a principal for the purpose of encrypting the transmission of session keys. Typically, master keys are distributed by noncryptographic means.
7.7 A nonce is a value that is used only once, such as a timestamp, a counter, or a
Confidentiality Using Symmetric Encryption
A key distribution center is an authorized system responsible for transmitting temporary session keys to principals Each session key is securely sent in an encrypted format, utilizing a master key that is shared with the intended principal.
Statistical randomness describes a sequence of numbers or letters that seems random and meets specific statistical tests for randomness When an algorithm generates a statistically random sequence, it becomes predictable if one knows the algorithm and its starting point In contrast, an unpredictable sequence cannot be determined solely by understanding the method used for its generation.
7.1 Mail-bagging economizes on data transmission time and costs, and it also reduces the temporary storage that intermediate systems need to buffer messages; both matter for electronic mail systems that handle a high volume of messages. Routing decisions may be influenced by the use of mail-bagging, which adds slightly to the complexity of the forwarding protocol. With end-to-end encryption such as PGP or S/MIME, the message is protected regardless of which intermediate systems handle it, so both systems receive the same protection.
7.2 1 The timing of message transmissions may be varied, with the amount of time between messages serving as the covert channel
2 A message could include a name of a file; the length of the filename could function as a covert channel
3 A message could report on the amount of available storage space; the value could function as a covert channel
7.3 In the proposed scheme, A initiates a request to B by sending a nonce N_a encrypted under the key A shares with the Key Distribution Center (KDC). If B is willing to accept the connection, it requests a session key from the KDC, forwarding A's encrypted nonce together with a nonce N_b of its own, both encrypted under B's key. The KDC responds with two encrypted blocks: one for B containing the session key, A's identifier and B's nonce, and one for A, which B relays to A. Both A and B thus obtain the session key and use the nonces to verify each other's authenticity. The scheme provides a level of security comparable to that of the scheme in Figure 7.9. One advantage of the proposed scheme is that, in the event that B rejects a connection, the overhead of an interaction with the KDC is avoided.
7.4 A sends the server his source name A, his destination name Z, and E(K_a, R), indicating that he wants to send a message to Z using the key R. The server responds by sending E(K_z, R) to A. Z intercepts this response, and since Z possesses his own key K_z, he decrypts E(K_z, R) and obtains R, which can then be used to decrypt E(R, M) and obtain M.
7.5 We give the result for a = 3:
7.6 a. Maximum period is 2^(4–2) = 4. b. a must be 5 or 11. c. The seed must be odd.
7.7 When m = 2 k , the right-hand digits of X n are much less random than the left-hand digits See [KNUT98], page 13 for a discussion
7.8 Let us start with an initial seed of 1. The first generator yields the sequence:
1, 6, 10, 8, 9, 2, 12, 7, 3, 5, 4, 11, 1, …
The second generator yields the sequence:
Because of the patterns evident in the second half of the latter sequence, most people would consider it to be less random than the first sequence.
7.9 Many software packages use a linear congruential generator with m = 2^k. As noted in Problem 7.7, this means that the right-hand (low-order) digits are much less random than the left-hand digits. A generator of the form
X_{n+1} = (aX_n + c) mod m
produces integers that are all even, all odd, or alternately even and odd, depending on the choice of a and c; in common implementations a and c are chosen so that the sequence alternates between even and odd integers. This matters for a simulation that estimates π by counting pairs of integers whose greatest common divisor (gcd) is 1. In a truly random set of integers, about 25% of pairs would consist of two even integers, which always have a gcd greater than 1, and by Cesàro's theorem the expected proportion of pairs with gcd 1 is 6/π^2 ≈ 60.8%. If every pair consists of one odd and one even integer, the proportion of pairs with gcd 1 rises to approximately 80%, and the resulting estimate of π is too small. For further discussion, see Danilowicz, R.
"Demonstrating the Dangers of Pseudo-Random Numbers," SIGCSE Bulletin, June
7.10 a. Let P(1) = 0.5 + δ and P(0) = 0.5 – δ for the input bits. Then P(00) = (0.5 – δ)^2 = 0.25 – δ + δ^2, P(11) = (0.5 + δ)^2 = 0.25 + δ + δ^2, and P(01) = P(10) = (0.5 + δ)(0.5 – δ) = 0.25 – δ^2. In the output sequence, 0s and 1s are equally likely (probability 0.5 each), because 01 and 10 are equally likely in the input sequence.
b. The probability of discarding any particular pair (00 or 11) is 0.5 + 2δ^2, so the expected number of input bits required to generate x output bits is x/(0.25 – δ^2).
c. The algorithm produces a completely predictable sequence of alternating 1s and 0s.
7.11 a. For the sequence of input bits a_1, a_2, …, a_n, the output bit b is defined as b = a_1 ⊕ a_2 ⊕ … ⊕ a_n.
b. 0.5 – 2δ^2
c. 0.5 – 8δ^4
d. The limit as n goes to infinity is 0.5.
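The three pseudorandom-number failure modes of Problems 7.7, 7.9 and 7.10, as an added worked example (not code from the solutions manual): the low-order bits of an LCG with m = 2^k cycling with a tiny period, the biased gcd-based estimate of π that results from alternating parity, and the von Neumann pairing of Problem 7.10 applied to a biased source. The LCG constants a = 1664525, c = 1013904223 are the common Numerical Recipes choice; the biased bit source and the seeds are constructed so the run is reproducible.

```python
"""Three PRNG failure modes from Problems 7.7, 7.9 and 7.10.

Added example (not code from the solutions manual). The LCG constants
a = 1664525, c = 1013904223, m = 2^32 are a common textbook choice
(Numerical Recipes); the biased bit source is constructed with a seeded
random.Random so that the run is reproducible.
"""
import random
from math import gcd, sqrt


def lcg_sequence(seed: int, a: int, c: int, m: int, count: int) -> list:
    """X_{n+1} = (a X_n + c) mod m."""
    xs, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        xs.append(x)
    return xs


def low_bits_period(xs: list, bits: int):
    """Period of the low-order `bits` bits of the sequence (None if none found)."""
    tail = [x & ((1 << bits) - 1) for x in xs]
    for p in range(1, len(tail)):
        if all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


def coprime_fraction(xs: list) -> float:
    """Fraction of consecutive pairs (X_2i, X_2i+1) with gcd 1."""
    pairs = list(zip(xs[0::2], xs[1::2]))
    return sum(1 for u, v in pairs if gcd(u, v) == 1) / len(pairs)


def pi_estimate(fraction: float) -> float:
    """Cesaro: P(gcd = 1) = 6/pi^2 for random integers, so pi ~ sqrt(6 / fraction)."""
    return sqrt(6.0 / fraction)


def random_fraction(count: int, seed: int = 1) -> float:
    """Same gcd statistic on a generator with no parity lock-step, for comparison."""
    rng = random.Random(seed)
    return coprime_fraction([rng.randrange(1, 2 ** 32) for _ in range(2 * count)])


def von_neumann_extract(bits: list) -> list:
    """Problem 7.10: keep the first bit of each 01 or 10 pair, discard 00 and 11."""
    return [b1 for b1, b2 in zip(bits[0::2], bits[1::2]) if b1 != b2]


def biased_bits(delta: float, count: int, seed: int = 7) -> list:
    """Constructed source with P(1) = 0.5 + delta."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 + delta else 0 for _ in range(count)]


if __name__ == "__main__":
    xs = lcg_sequence(12345, 1664525, 1013904223, 2 ** 32, 20000)
    print(low_bits_period(xs, 1), low_bits_period(xs, 3))          # 2 8
    frac = coprime_fraction(xs)
    print(round(frac, 3), round(pi_estimate(frac), 3))             # about 0.81, about 2.72
    print(round(random_fraction(10000), 3))                        # about 0.608
    src = biased_bits(0.2, 20000)
    out = von_neumann_extract(src)
    print(round(sum(src) / len(src), 3), round(sum(out) / len(out), 3))
```

The low bit of the LCG alternates exactly (period 2) and the low three bits have period 8, so any consecutive pair is one odd and one even value; that is why the LCG's coprime fraction sits near 0.81 rather than 0.608 and its π estimate near 2.72. The extractor output is balanced even though the source is 70% ones, at the cost of discarding about 0.5 + 2δ² = 58% of the pairs.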
7.12 Yes The eavesdropper is left with two strings, one sent in each direction, and their
XOR is the secret key
8.1 An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p
8.2 We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers
8.3 Euler's totient function, written φ(n), is the number of positive integers less than n and relatively prime to n
8.4 The algorithm takes a candidate integer n as input and returns the result
A number is classified as "composite" if it is not prime, while the result is "inconclusive" if it could be either prime or not When an algorithm is applied multiple times to a number and consistently yields inconclusive results, the likelihood of the number being prime increases with each test By increasing the number of tests conducted, the probability of accepting a number as prime can be adjusted to approach 1.0.
8.5 If r and n are relatively prime integers with n > 0 and if φ(n) is the least positive exponent m such that r^m ≡ 1 mod n, then r is called a primitive root modulo n.
8.6 The two terms are synonymous
8.1 Let X = 1 + p_1 p_2 … p_n. Suppose p_n is the largest prime. Then X > p_n is not prime, so some prime p_m divides X. But p_m cannot be any of p_1, p_2, …, p_n, since it would then divide the difference X – p_1 p_2 … p_n = 1, which is impossible. Hence m > n. This construction produces a prime outside any finite set of primes, so the set of primes is infinite. We have also shown that there is a prime greater than p_n that divides X = 1 + p_1 p_2 … p_n, so p_{n+1} is at most that prime, and thus p_{n+1} ≤ X.
Introduction to Number Theory
8.2 a. gcd(a, b) = d if and only if a is a multiple of d and b is a multiple of d and gcd(a/d, b/d) = 1. The probability that an integer is a multiple of d is just 1/d. Thus the probability that gcd(a, b) = d is equal to 1/d times 1/d times P, namely, P/d^2.
b. We have
To satisfy this equation, we must have
8.3 If p were any prime dividing n and n + 1 it would also have to divide
8.4 Fermat's Theorem states that if p is prime and a is a positive integer not divisible by p, then a^(p–1) ≡ 1 (mod p). Therefore 3^10 ≡ 1 (mod 11). Therefore
8.5 If a is one of the integers counted in φ(n), that is, an integer not larger than n and relatively prime to n, then n – a is another such integer, because gcd(a, n) = gcd(n – a, n). The two integers a and n – a are distinct, because a = n – a would imply n = 2a, which is inconsistent with gcd(a, n) = 1 for n > 2. Hence, for n > 2, the integers counted in φ(n) can be paired off, and so their number must be even.
8.10 Only multiples of p have a factor in common with p^n, when p is prime. There are just p^(n–1) of these ≤ p^n, so φ(p^n) = p^n – p^(n–1).
8.12 It follows immediately from the result stated in Problem 8.10.
8.14 a. For n = 5, 2^n – 2 = 30, which is divisible by 5.
b. We can rewrite the Chinese test as (2^n – 2) ≡ 0 mod n, or equivalently, 2^n ≡ 2 (mod n). By Fermat's Theorem, this relationship is true if n is prime (Equation 8.2).
c. For n = 15, 2^n – 2 = 32,766, which is divisible by 15.
d. 2^10 = 1024 ≡ 1 (mod 341)
8.15 First consider a = 1. In step 3 of TEST(n), the test is: if 1^q mod n = 1 then return("inconclusive"). This clearly returns "inconclusive." Now consider a = n – 1. In step 5 of TEST(n), for j = 0, the test is: if (n – 1)^q mod n = n – 1 then return("inconclusive"). This condition is met by inspection.
8.16 In Step 1 of TEST(2047), we set k = 1 and q = 1023, because (2047 – 1) = (2^1)(1023).
In Step 2 we select a = 2 as the base.
In Step 3, we have a^q mod n = 2^1023 mod 2047 = (2^11)^93 mod 2047 = (2048)^93 mod 2047 = 1, and so the test is passed.
There are many proofs in the number theory literature; here is a short one. Define M_i = M/m_i. Since the moduli are pairwise relatively prime, gcd(M_i, m_i) = 1. Thus, there are solutions N_i of
N_i M_i ≡ 1 (mod m_i)
With these N_i, the solution x to the set of congruences is:
x ≡ a_1 N_1 M_1 + … + a_k N_k M_k (mod M)
To see this, we introduce the notation ⟨x⟩_m, by which we mean the least positive residue of x modulo m. With this notation, we have
⟨x⟩_{m_i} ≡ a_i N_i M_i ≡ a_i (mod m_i)
because every other term in the sum contains the factor m_i (m_i divides M_j for j ≠ i) and so contributes nothing modulo m_i, and N_i M_i ≡ 1 (mod m_i). Since the solution is unique modulo M, this proves this form of the Chinese Remainder Theorem.
The set of linear congruences
35b ≡ 1 (mod 3); 21b ≡ 1 (mod 5); 15b ≡ 1 (mod 7)
has the solutions b_1 = 2; b_2 = 1; b_3 = 1. Then,
x ≡ 2 × 2 × 35 + 3 × 1 × 21 + 2 × 1 × 15 ≡ 233 (mod 105) = 23
8.19 If the day in question is the xth (counting from and including the first Monday), then
x = 1 + 2K_1 = 2 + 3K_2 = 3 + 4K_3 = 4 + K_4 = 5 + 6K_5 = 6 + 5K_6 = 7K_7
where the K_i are integers; i.e.,
(1) x ≡ 1 mod 2; (2) x ≡ 2 mod 3; (3) x ≡ 3 mod 4; (4) x ≡ 4 mod 1; (5) x ≡ 5 mod 6; (6) x ≡ 6 mod 5; (7) x ≡ 0 mod 7
Of these congruences, (4) is no restriction, and (1) and (2) are implied by (3) and (5). Of the two latter, (3) shows that x is congruent to 3, 7, or 11 (mod 12), and (5) shows that x is congruent to 5 or 11 (mod 12), so that (3) and (5) together are equivalent to x ≡ 11 (mod 12). Hence, the problem is that of solving:
x ≡ 11 (mod 12); x ≡ 6 (mod 5); x ≡ 0 (mod 7)
or
x ≡ –1 (mod 12); x ≡ 1 (mod 5); x ≡ 0 (mod 7)
The first x satisfying the condition is 371.
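A Chinese Remainder Theorem solver in the form used by the proof and the two problems above, as an added worked example (not code from the solutions manual). `crt_solve()` computes M_i = M/m_i, N_i = M_i^–1 mod m_i via the extended Euclidean algorithm and x = Σ a_i N_i M_i mod M; `combine_congruences()` also handles the non-coprime moduli of the day-of-week puzzle directly, merging one congruence at a time and rejecting inconsistent systems. Function and variable names are this example's own.

```python
"""Chinese Remainder Theorem solver in the form used in the proof above.

Added example (not code from the solutions manual). crt_solve() follows the
proof: M_i = M / m_i, N_i = M_i^-1 mod m_i, x = sum(a_i N_i M_i) mod M.
combine_congruences() also accepts moduli that are not pairwise coprime
(as in the day-of-week puzzle of Problem 8.19); a solution then exists only
if the residues agree modulo the gcd of the moduli.
"""


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(a: int, m: int) -> int:
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m


def crt_solve(residues: list, moduli: list) -> int:
    """Unique x mod M with x = a_i (mod m_i) for pairwise coprime m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        N_i = modinv(M_i, m_i)
        x += a_i * N_i * M_i
    return x % M


def combine_congruences(congruences: list):
    """Reduce (a_i, m_i) pairs to one (x, L) with x = a_i (mod m_i), L = lcm of the m_i."""
    x, L = 0, 1
    for a, m in congruences:
        g, s, _ = egcd(L, m)                    # s*L + t*m = g
        if (a - x) % g:
            raise ValueError(f"no solution: x = {x} (mod {L}) conflicts with x = {a} (mod {m})")
        step = ((a - x) // g * s) % (m // g)    # L*step = a - x (mod m)
        x, L = (x + L * step) % (L // g * m), L // g * m
    return x, L


if __name__ == "__main__":
    print(crt_solve([2, 3, 2], [3, 5, 7]))            # 23 (Problem 8.18)
    print(crt_solve([11, 1, 0], [12, 5, 7]))          # 371 (Problem 8.19, reduced)
    day = [(1, 2), (2, 3), (3, 4), (4, 1), (5, 6), (6, 5), (0, 7)]
    print(combine_congruences(day))                   # (371, 420)
```

The merged form gives the full answer to 8.19: x ≡ 371 (mod 420), so 371 is the first such day and the pattern repeats every 420 days.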
Plaintext refers to the readable message or data input into an encryption algorithm, which performs various transformations based on the provided public or private key This key pair is essential, as one key is used for encryption while the other is used for decryption The output of the encryption process is known as ciphertext, a scrambled version of the original message that varies with different keys To retrieve the original plaintext, the decryption algorithm takes the ciphertext and the corresponding key, effectively reversing the encryption process.
A user's private key remains confidential and is solely known to the user, while the public key is shared for others to utilize The private key enables the encryption of a signature that can be verified by anyone possessing the public key Conversely, the public key can encrypt information that is exclusively decryptable by the holder of the private key.
Encryption involves the sender using the recipient's public key to secure a message, while digital signatures are created by the sender signing the message with their private key through a cryptographic algorithm Additionally, key exchange allows both parties to collaborate in sharing a session key, utilizing various methods that may involve the private keys of one or both participants.
Public-Key Cryptography and RSA
9.4 1. It is computationally easy for a party B to generate a pair (public key PU_b, private key PR_b).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext:
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message:
4. It is computationally infeasible for an opponent, knowing the public key, PU_b, to determine the private key, PR_b.
5. It is computationally infeasible for an opponent, knowing the public key, PU_b, and a ciphertext, C, to recover the original message, M.
A one-way function is defined as a mapping from a domain to a range where each function value has a unique inverse The key characteristic of a one-way function is that while it is easy to compute the function, calculating its inverse is infeasible.
A trap-door one-way function is straightforward to compute in one direction, but reversing it is impractical without specific additional information When this extra information is available, the inverse can be determined in polynomial time.
9.7 1 Pick an odd integer n at random (e.g., using a pseudorandom number generator)
2 Pick an integer a < n at random
3 Perform the probabilistic primality test, such as Miller-Rabin If n fails the test, reject the value n and go to step 1
4 If n has passed a sufficient number of tests, accept n; otherwise, go to step 2
9.1 This proof is discussed in the CESG report mentioned in Chapter 9 [ELLI99] a
In a secure communication process, Alice encrypts a plaintext message \( p \) to send to Bob Bob utilizes mappings \( M1 \) and \( M3 \), while Alice employs \( M2 \) He selects a random private key \( k \) and maps it through \( M1 \) to generate a public key \( x \), which is sent to Alice Using \( x \), Alice encrypts \( p \) with \( M2 \) to produce the ciphertext \( z \), which she forwards to Bob Bob then decrypts \( z \) using his private key \( k \) and mapping \( M3 \), recovering the original plaintext message \( p \) If the numbers involved are sufficiently large and the mappings \( M1 \) and \( M2 \) are random enough, it becomes impractical to deduce \( p \) without knowledge of \( k \).
9.4 By trial and error, we determine that p = 59 and q = 61. Hence φ(n) = 58 × 60 = 3480. Then, using the extended Euclidean algorithm, we find that the multiplicative inverse of 31 modulo φ(n) is 3031.
9.5 Suppose the public key is n = pq, e. Probably the order of e relative to (p – 1)(q – 1) is small, so that a small power of e gives us something congruent to 1 modulo (p – 1)(q – 1). In the worst case, when the order is 2, the public exponent e and the private exponent d are identical. For example, with p = 7 and q = 5, (p – 1)(q – 1) = 24; choosing e = 5 gives e^2 = 25 ≡ 1 (mod 24), so d = e = 5.
9.6 If a plaintext block has a common factor with n, then the encoded block (mod n) has the same common factor. Since the blocks we encode are smaller than pq, the common factor must be p or q, i.e., the plaintext block is a multiple of p or q. We can test each block for primality: if it is prime, it is p or q, and we divide into n to find the other factor. If it is not prime, we factor it and try the factors as divisors of n.
9.7 No, it is not safe. Once Bob leaks his private key, Alice can use it to factor his modulus N. Then Alice can crack any message that Bob sends.
Here is one way to factor the modulus:
Let k = ed – 1, which is ≡ 0 mod φ(N), where φ is Euler's totient function. Choose a random x in the multiplicative group Z*(N); then x^k ≡ 1 mod N, so x^(k/2) is a square root of 1 mod N. With probability at least 50% this is a nontrivial square root of 1 (neither 1 nor –1), in which case gcd(x^(k/2) – 1, N) is a prime factor of N.
If x^(k/2) = 1 mod N, then try x^(k/4), x^(k/8), etc.
This fails if and only if x^(k/2^i) ≡ –1 for some i. If it fails, then choose a new x. This will factor N in expected polynomial time.
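The factoring procedure just described, as an added worked example (not code from the solutions manual). Instead of random x it walks x = 2, 3, … deterministically; the parameters are the small keys from Problems 9.4 (n = 3599, e = 31, d = 3031) and 9.9 (n = 56,153, e = 23, d = 19,367), so the recovered factors can be checked against those answers.

```python
"""Factoring an RSA modulus from a leaked private exponent (Problem 9.7).

Added example (not code from the solutions manual). Uses k = e*d - 1,
a multiple of phi(N), and looks for a nontrivial square root of 1 mod N
among x^(k / 2^i). Parameters are the small keys from Problems 9.4 and 9.9.
"""
from math import gcd


def factor_from_private_exponent(n: int, e: int, d: int):
    """Return (p, q) with p < q and p*q == n, given e*d = 1 (mod phi(n))."""
    k = e * d - 1
    if k % 2:
        raise ValueError("e*d - 1 must be even for an RSA key")
    t, r = 0, k                      # k = 2^t * r with r odd
    while r % 2 == 0:
        r //= 2
        t += 1
    for x in range(2, n):
        g = gcd(x, n)
        if g != 1:                   # x itself shares a factor with n
            return (min(g, n // g), max(g, n // g))
        y = pow(x, r, n)             # y, y^2, y^4, ... ends at x^k = 1
        if y in (1, n - 1):
            continue                 # this x reaches 1 only through +-1
        for _ in range(t):
            z = y * y % n
            if z == 1:               # y is a square root of 1 other than +-1
                p = gcd(y - 1, n)
                return (min(p, n // p), max(p, n // p))
            if z == n - 1:
                break                # the chain hits -1 first: try another x
            y = z
    raise ValueError("no factor found")


if __name__ == "__main__":
    print(factor_from_private_exponent(3599, 31, 3031))      # (59, 61)
    print(factor_from_private_exponent(56153, 23, 19367))    # (233, 241)
```

Once N is factored, any later exponent pair (e′, d′) chosen for the same modulus gives nothing: d′ = e′^–1 mod φ(N) is immediate from the factors, which is why a leaked private key forces a new modulus, not merely a new exponent.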
In the context of cryptography, consider the alphabetic characters represented by the set {A, B, …, Z}, where each character corresponds to an integer indicating its position in the alphabet, forming the message block values SM = {0, 1, 2, …, 25} The ciphertext block values SC can be derived as SC = {0 e mod N, 1 e mod N, …, 25 e mod N}, which can be computed by anyone who possesses Bob's public key.
The most effective method to attack the described scheme involves calculating \$M^e \mod N\$ for every possible value of \$M\$ Subsequently, a look-up table is created where the ciphertext serves as the index, and the corresponding plaintext is stored as the value at the appropriate location in the table.
9.9 a. We consider n = 233, 235, 237, 239, and 241, with the base a = 2:
n = 233: 233 – 1 = 2^3 × 29, thus k = 3, q = 29. a^q mod n = 2^29 mod 233 = 1; the test returns "inconclusive" ("probably prime").
n = 235 and n = 237 are composite (235 = 5 × 47, 237 = 3 × 79), and the test returns "composite" for both.
n = 239: 239 – 1 = 2 × 119, thus k = 1, q = 119. 2^119 mod 239 = 1; the test returns "inconclusive" ("probably prime").
n = 241: 241 – 1 = 2^4 × 15, thus k = 4, q = 15. 2^15 mod 241 = 233 ≠ 1, 2^30 mod 241 = 64, 2^60 mod 241 = 240 = 241 – 1; the test returns "inconclusive" ("probably prime").
b. M = 2, e = 23, n = 233 × 241 = 56,153, therefore p = 233 and q = 241. With e = 23 = (10111)_2, the square-and-multiply computation of C = M^e mod n is:
i    4    3    2    1    0
b_i  1    0    1    1    1
c    1    2    5    11   23
d    2    4    32   2048 21,811
so C = 21,811.
c. Compute the private key (d, p, q) given the public key (e = 23, n = 56,153). Since n = 233 × 241, p = 233 and q = 241, and φ(n) = (p – 1)(q – 1) = 232 × 240 = 55,680.
Using the extended Euclidean algorithm, we obtain d = 23^–1 mod 55,680 = 19,367.
d. Without CRT: M = 21,811^19,367 mod 56,153 = 2.
With CRT: d_p = d mod (p – 1) = 19,367 mod 232 = 111; d_q = d mod (q – 1) = 19,367 mod 240 = 167.
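Parts a through d of Problem 9.9 carried through in code, as an added worked example (not code from the solutions manual): the textbook TEST(n) of Section 8.3 with a fixed base, a small deterministic primality wrapper built on it, and RSA key generation, encryption, plain decryption and CRT decryption with the values p = 233, q = 241, e = 23 from the solution. `pow(x, -1, m)` requires Python 3.8 or later; the function names are this example's own.

```python
"""Miller-Rabin TEST(n) as in Section 8.3 and the RSA key of Problem 9.9.

Added example (not code from the solutions manual). miller_rabin_test()
follows the textbook steps: write n - 1 = 2^k q, test a^q, then a^(2^j q)
for j < k. The RSA parameters p = 233, q = 241, e = 23 are the ones in
the solution above; pow(x, -1, m) needs Python 3.8+.
"""


def miller_rabin_test(n: int, a: int) -> str:
    """TEST(n) with base a (1 < a < n - 1): returns 'inconclusive' or 'composite'."""
    k, q = 0, n - 1                 # step 1: n - 1 = 2^k * q with q odd
    while q % 2 == 0:
        q //= 2
        k += 1
    if pow(a, q, n) == 1:           # step 3
        return "inconclusive"
    for j in range(k):              # steps 4-5: does some a^(2^j q) equal n - 1?
        if pow(a, (1 << j) * q, n) == n - 1:
            return "inconclusive"
    return "composite"


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17)) -> bool:
    """Deterministic for n < 341,550,071,728,321 with these seven prime bases."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    return all(miller_rabin_test(n, b) == "inconclusive" for b in bases)


def rsa_keypair(p: int, q: int, e: int) -> tuple:
    """Return (n, e, d) for primes p, q and public exponent e."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be prime")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # e^-1 mod phi(n), as the extended Euclid step
    return p * q, e, d


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def rsa_decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """Decrypt with the CRT: two half-size exponentiations plus Garner recombination."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp, mq = pow(c, dp, p), pow(c, dq, q)
    q_inv = pow(q, -1, p)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q               # m = mq (mod q) and m = mp (mod p), m < p*q


if __name__ == "__main__":
    print([miller_rabin_test(n, 2) for n in (233, 235, 237, 239, 241)])
    print(miller_rabin_test(2047, 2), miller_rabin_test(2047, 3))   # inconclusive composite
    n, e, d = rsa_keypair(233, 241, 23)
    c = rsa_encrypt(2, e, n)
    print(n, e, d, c)                                                # 56153 23 19367 21811
    print(rsa_decrypt(c, d, n), rsa_decrypt_crt(c, d, 233, 241))    # 2 2
```

2047 passes base 2 (Problem 8.16) but fails base 3, which is why TEST(n) is repeated with independent bases before a candidate is accepted.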
9.10 C = (M^(d_S) mod N_S)^(e_R) mod N_R = S^(e_R) mod N_R, where S = M^(d_S) mod N_S
M′ = (C^(d_R) mod N_R)^(e_S) mod N_S = S′^(e_S) mod N_S, where S′ = C^(d_R) mod N_R
The scheme does not work correctly if S ≠ S′. This can happen for a significant subset of messages M if N_S > N_R: it may be that N_R ≤ S < N_S, and since by definition S′ < N_R, then S ≠ S′, and therefore also M′ ≠ M. For all other relations between N_S and N_R, the scheme works correctly (although N_S = N_R is discouraged for security reasons).
To address the issue, both parties can use two key pairs, one for encryption and one for signing, with every signing modulus N_SGN smaller than every encryption modulus N_ENC.
9.11 The 3rd element, because it equals the square of the 1st;
the 5th element, because it equals the product of the 1st and 2nd;
the 7th element, because it equals the cube of the 1st; etc.
9.12 Refer to Figure 9.5. The private key k is the pair {d, n}; the public key x is the pair {e, n}; the plaintext p is M; and the ciphertext z is C. M1 is formed by calculating d = e^–1 mod φ(n). M2 consists of raising M to the power e (mod n). M3 consists of raising C to the power d (mod n).
9.14 This algorithm is discussed in the CESG report mentioned in Chapter 6 [ELLI99], and is known as Cocks algorithm a Cocks makes use of the Chinese remainder theorem (see Section 8.4 and
The article discusses the reconstruction of integers within a specific range using their residues modulo a set of pairwise relatively prime moduli Specifically, for relatively prime integers P and Q, any integer M in the range \(0 \leq M < N\) can be uniquely identified by its residues \(M \mod P\) and \(M \mod Q\), allowing for the recovery of M from these residues The security of this method is based on the challenge of factoring the integer N In the RSA encryption system, a user generates a pair of integers, d and e, satisfying the condition \(de \equiv 1 \mod ((P - 1)(Q - 1))\), and subsequently publishes e and N as the public key.
The RSA algorithm is symmetric in that the same process is used for both encryption and decryption, which simplifies the required software. In RSA the exponent \( e \) can be chosen freely, which allows a simple encryption with the public key while the more expensive decryption is reserved for the recipient. For Cocks' scheme, the private key \( k \) consists of the pair \( P \) and \( Q \), the public key \( x \) is \( N \), the plaintext \( p \) is \( M \), and the ciphertext \( z \) is \( C \). \( M1 \) is the multiplication of \( P \) and \( Q \); \( M2 \) is raising \( M \) to the power \( N \) modulo \( N \); the process described in the problem statement constitutes \( M3 \).
9.15 1) Adversary X intercepts the message sent by A to B, i.e. [A, E(PU_b, M), B].
3) B acknowledges receipt by sending X [B, E(PU_x, M), X].
4) X decrypts E(PU_x, M) using his secret decryption key, thus getting M.
The algorithm in Figure 9.7 processes the binary representation of \( b \) from left to right, determining the operations based on the bits When the current exponent \( c \) is evaluated, a bit value of 0 results in doubling the exponent through a left shift, while a bit value of 1 leads to doubling the exponent and incrementing it by 1 Each loop iteration applies specific identities: for \( b_i = 0 \), the identity used is \( a^{2c} \mod n = (a^c)^2 \mod n \), and for \( b_i = 1 \), it is \( a^{2c+1} \mod n = a \times (a^c)^2 \mod n \).
The algorithm preserves the invariant that \( d = a^c \bmod n \) as it increases c by doublings and incrementations until c = b.
The algorithm adapted from [KNUT98, page 462] processes the binary representation of \( b \) from right to left, from the least significant to the most significant bit. It maintains the invariant that \( a^b \equiv d \times T^E \pmod n \); when \( E = 0 \) this gives \( a^b \equiv d \pmod n \).
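Both exponentiation orders with their invariants checked at every loop iteration, as an added example (not code from the solutions manual or from [KNUT98]). The names `c`, `d`, `T` and `E` follow the text above; the assertion inside each loop uses Python's built-in `pow` as an oracle, which is only there to make the invariant visible and would be dropped from a real implementation:

```python
# Added example, not from the solutions manual: the two binary exponentiation
# orders discussed above, each with its loop invariant asserted at every step.


def modexp_left_to_right(a, b, n, trace=None):
    """Figure 9.7 style: scan the bits of b from the most significant end.

    Invariant after each iteration: d == a^c mod n, where c is the integer formed
    by the bits of b consumed so far.  Bit 0: c <- 2c, d <- d^2.
    Bit 1: c <- 2c + 1, d <- d^2 * a.
    """
    c, d = 0, 1
    for bit in bin(b)[2:]:                  # most significant bit first
        c, d = 2 * c, (d * d) % n           # a^(2c) mod n = (a^c)^2 mod n
        if bit == "1":
            c, d = c + 1, (d * a) % n       # a^(2c+1) mod n = a * (a^c)^2 mod n
        assert d == pow(a, c, n)            # the invariant d = a^c mod n
        if trace is not None:
            trace.append((bit, c, d))
    return d


def modexp_right_to_left(a, b, n, trace=None):
    """Knuth-style: consume the bits of b from the least significant end.

    Invariant: a^b == d * T^E (mod n).  Each step halves E and squares T; when E
    is odd the current T is first folded into d.  At E == 0 it yields a^b == d.
    """
    d, t, e = 1, a % n, b
    while e > 0:
        if e & 1:
            d = (d * t) % n
        e >>= 1
        t = (t * t) % n
        assert (d * pow(t, e, n)) % n == pow(a, b, n)   # the invariant
        if trace is not None:
            trace.append((d, t, e))
    return d


if __name__ == "__main__":
    steps = []
    print(modexp_left_to_right(7, 560, 561, steps))   # 1 (561 is a Carmichael number)
    for bit, c, d in steps:
        print(f"bit={bit} c={c:4d} d={d:4d}")
    print(modexp_right_to_left(7, 560, 561))          # 1
```

Both loops run once per bit of the exponent, so the work is about \( \log_2 b \) squarings plus one multiplication per set bit; the left-to-right form is the one that needs the base a only as a multiplier, which is why it is the usual choice when a is fixed.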
9.18 Note that because \( Z = r^e \bmod n \), then \( r = Z^d \bmod n \). Bob computes: \( tY \bmod n = r^{-1} X^d \bmod n = r^{-1} Z^d C^d \bmod n = C^d \bmod n = M \).
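The relation above carried out on a toy key, as an added example (not from the solutions manual). It shows why the cancellation works: raw RSA is multiplicative, so the private exponent applied to \( X = ZC \) returns \( r \cdot C^d \), and multiplying by \( t = r^{-1} \) leaves \( M \). This is the reason deployed RSA never applies the private key to raw numbers: padding (OAEP for encryption, PSS for signatures) and signing only a hash of the message remove the multiplicative structure that the derivation relies on. The primes and messages are constructed values:

```python
# Added example, not from the solutions manual: the 9.18 relation on a toy key.
# Key values are constructed for illustration only.

from math import gcd

P, Q, E = 61, 53, 17
N = P * Q                                   # 3233
D = pow(E, -1, (P - 1) * (Q - 1))


def blind(c, r, n, e):
    """X = Z*C mod n with Z = r^e mod n; then X^d = r * C^d mod n."""
    if gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")   # t = r^-1 must exist
    z = pow(r, e, n)
    return (z * c) % n


def raw_decrypt(x):
    """Bob applies his private exponent to whatever value he is handed."""
    return pow(x, D, N)


def unblind(y, r, n):
    """t*Y mod n with t = r^-1, which cancels the factor r hidden inside Y."""
    t = pow(r, -1, n)
    return (t * y) % n


def recover_from_related_value(c, r):
    """M from C via one private-key operation on the related value X, never on C itself."""
    x = blind(c, r, N, E)
    y = raw_decrypt(x)
    return unblind(y, r, N)


if __name__ == "__main__":
    m = 1234
    c = pow(m, E, N)
    print(blind(c, 7, N, E) != c)            # True: X differs from C
    print(recover_from_related_value(c, 7))  # 1234
```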
a. By observing that \( x^{i+1} = x^i \times x \), we can greatly reduce the recomputation of the S terms. The resulting algorithm, P2, uses integer variables \( n \) and \( i \), real variables \( x \) and \( polyval \), and arrays \( a \), \( S \) and \( power \) of size 101. It reads \( x \) and \( n \), sets \( power[0] \) to 1, reads the first coefficient into \( S[0] \), and then for each \( i \) from 1 to \( n \) reads the next coefficient and computes \( power[i] \) as \( x \times power[i-1] \):

    program P2 (input, output);
    var n, i: integer; x, polyval: real;
        a, S, power: array [0..100] of real;
    begin
      read (x, n); power[0] := 1; read (a[0]); S[0] := a[0];
      for i := 1 upto n do
        begin
          read (a[i]);
          power[i] := x × power[i-1];
          S[i] := a[i] × power[i]
        end;
      polyval := 0;
      for i := 0 upto n do polyval := polyval + S[i];
      write ('value at', x, 'is', polyval)
    end

b. The hint, known as Horner's rule, can be written in expanded form for P(x):
The resulting algorithm, P3, uses integer variables \( n \) and \( i \), real variables \( x \) and \( polyval \), and a single array \( a \) of reals indexed from 0 to 100. It reads \( x \) and \( n \), initializes \( polyval \) to 0, and then for each of the \( n+1 \) coefficients (read highest degree first) updates \( polyval \) to \( polyval \times x \) plus the coefficient just read; finally it outputs \( polyval \) at the given \( x \):

    program P3 (input, output);
    var n, i: integer; x, polyval: real;
        a: array [0..100] of real;
    begin
      read (x, n); polyval := 0;
      for i := 0 upto n do
        begin read (a[i]); polyval := polyval × x + a[i] end;
      write ('value at', x, 'is', polyval)
    end
P3 is a substantial improvement over P2 not only in terms of time but also in terms of storage requirements
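The three evaluation strategies side by side with their multiplication counts, as an added example (not code from the solutions manual). The polynomial and evaluation point are constructed; coefficients are stored lowest degree first, so the Horner variant walks the list in reverse. The counts make the claim above concrete: P1 costs \( (n+1)(n+2)/2 \) multiplications, P2 costs \( 2n+1 \), and P3 costs \( n+1 \) and needs no auxiliary arrays. The same reuse of earlier powers is what the square-and-multiply exponentiation of 9.16 and 9.17 exploits:

```python
# Added example, not from the solutions manual: P1 (naive), P2 (cached powers) and
# P3 (Horner's rule) for evaluating a polynomial, each returning (value, multiplications).
# coeffs[i] is the coefficient of x^i; the test polynomial is a constructed value.


def eval_naive(coeffs, x):
    """P1: recompute x^i from scratch for every term."""
    total, mults = 0, 0
    for i, a in enumerate(coeffs):
        power = 1
        for _ in range(i):              # i multiplications to build x^i
            power *= x
            mults += 1
        total += a * power
        mults += 1                      # a_i * x^i
    return total, mults


def eval_cached_powers(coeffs, x):
    """P2: power[i] = x * power[i-1], one extra multiplication per term."""
    total, mults, power = 0, 0, 1
    for i, a in enumerate(coeffs):
        if i > 0:
            power *= x
            mults += 1
        total += a * power
        mults += 1
    return total, mults


def eval_horner(coeffs, x):
    """P3: Horner's rule, P(x) = (...((a_n x + a_{n-1}) x + a_{n-2}) x + ...) x + a_0.

    The highest-degree coefficient is folded in first, which is why the list is
    walked in reverse here (the manual's P3 simply reads the coefficients in that
    order).
    """
    total, mults = 0, 0
    for a in reversed(coeffs):
        total = total * x + a
        mults += 1
    return total, mults


def compare(coeffs, x):
    """Return the three (value, multiplications) results; the values must agree."""
    results = (eval_naive(coeffs, x), eval_cached_powers(coeffs, x), eval_horner(coeffs, x))
    assert results[0][0] == results[1][0] == results[2][0]
    return results


if __name__ == "__main__":
    poly = [3, 0, 2, 5]                 # 3 + 0x + 2x^2 + 5x^3, a constructed polynomial
    for name, (value, mults) in zip(("P1", "P2", "P3"), compare(poly, 2)):
        print(f"{name}: value={value} multiplications={mults}")   # 51 with 10, 7, 4
```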
9.22 a. \( w^{-1} \equiv 3 \pmod{20} \); a = (7, 1, 15, 10); ciphertext = 18
b. \( w^{-1} \equiv 387 \pmod{491} \); a = (203, 118, 33, 269, 250, 9, 112, 361); ciphertext = 357
c. \( w^{-1} \equiv 15 \pmod{53} \); a = (39, 32, 11, 22, 37); ciphertext = 119
d. \( w^{-1} \equiv 1025 \pmod{9291} \); a = (8022, 6463, 7587, 7986, 65, 8005, 6592, 7274); ciphertext = 30869
9.23 To see this requirement, let us redo the derivation of Appendix F, expanding the vectors to show the actual arithmetic.
The sender develops a simple knapsack vector a' and a corresponding hard knapsack a = wa' mod m To send a message x, the sender computes and sends:
Now, the receiver can easily compute S' and solve for x:
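The knapsack encryption and decryption described in 9.23, carried out on the values of 9.22 (a) and (c), as an added example (not code from the solutions manual). The page gives \( w^{-1} \), the hard vector a and the ciphertext; the modulus m, the multiplier w and the easy vector \( a' = w^{-1} a \bmod m \) are reconstructed from those, and the plaintext bit vectors are the constructed inputs that produce the stated ciphertexts. Merkle-Hellman was broken by Shamir in the early 1980s and is an exercise in modular arithmetic here, not a usable cryptosystem:

```python
# Added example, not from the solutions manual: Merkle-Hellman knapsack arithmetic
# on the 9.22 (a) and (c) values. The easy vector, modulus and multiplier are
# reconstructed from the page's w^-1 and a; the plaintext bits are constructed.


def is_superincreasing(v):
    """Each element must exceed the sum of all earlier ones (needed for greedy solving)."""
    return all(v[i] > sum(v[:i]) for i in range(len(v)))


def easy_from_hard(a_hard, w_inv, m):
    """a' = w^-1 * a mod m, the receiver's private superincreasing vector."""
    return [(w_inv * ai) % m for ai in a_hard]


def hard_from_easy(a_easy, w, m):
    """a = w * a' mod m, the public vector."""
    return [(w * ai) % m for ai in a_easy]


def encrypt(a_hard, bits):
    """S = x . a, the sum of the public elements selected by the plaintext bits."""
    return sum(ai for ai, b in zip(a_hard, bits) if b)


def decrypt(ciphertext, a_easy, w_inv, m):
    """S' = w^-1 S mod m = x . a', then solve the easy knapsack greedily."""
    if not is_superincreasing(a_easy):
        raise ValueError("private vector must be superincreasing")
    s_prime = (w_inv * ciphertext) % m
    bits = [0] * len(a_easy)
    for i in range(len(a_easy) - 1, -1, -1):   # largest element first
        if a_easy[i] <= s_prime:
            bits[i] = 1
            s_prime -= a_easy[i]
    return bits if s_prime == 0 else None       # None: not a valid ciphertext


# 9.22 (a): m = 20 and w = 7 reconstructed from w^-1 = 3 (3 * 7 = 21 = 1 mod 20)
CASE_A = dict(a_hard=[7, 1, 15, 10], w_inv=3, w=7, m=20, bits=[1, 1, 0, 1])
# 9.22 (c): m = 53 and w = 46 reconstructed from w^-1 = 15 (15 * 46 = 690 = 1 mod 53)
CASE_C = dict(a_hard=[39, 32, 11, 22, 37], w_inv=15, w=46, m=53, bits=[1, 1, 1, 0, 1])


def run_case(case):
    """Return (easy vector, ciphertext, recovered bits) for one 9.22 instance."""
    a_easy = easy_from_hard(case["a_hard"], case["w_inv"], case["m"])
    assert hard_from_easy(a_easy, case["w"], case["m"]) == case["a_hard"]
    c = encrypt(case["a_hard"], case["bits"])
    return a_easy, c, decrypt(c, a_easy, case["w_inv"], case["m"])


if __name__ == "__main__":
    print(run_case(CASE_A))   # ([1, 3, 5, 10], 18, [1, 1, 0, 1])
    print(run_case(CASE_C))   # ([2, 3, 6, 12, 25], 119, [1, 1, 1, 0, 1])
```

The greedy loop in `decrypt` is the "easily compute S' and solve for x" step: it is only correct because \( a' \) is superincreasing, which is exactly the requirement the derivation above establishes.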