Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 7

Date : 03/12/2004 ECE575 – HW4 Venkat Suryadevara

Problem 8.6.1:
Show that if someone discovers the value of k used in the ElGamal signature scheme,
then a can also be determined.

“a” can be found in the following way if “k” is used in ElGamal Signature Scheme
In ElGamal SS, s is given by
s = k ^–1 (m-a*r)
 s*k = m-a*r
 s*k – m = -a*r
 (m-s*k)/r = a
Hence, if “k’ is known then “a” can be computed.

Problem 8.6.3:
Let p =11, q=5,  =3, and k=3. Show that (  ^k (mod p)) (mod q)  (  ^k (mod q))
(mod p). This shows that the order of operations in the DSA is important.

3. Given the values p=11, q=5, =3, k=3

If we find the value of (k (mod p)) (mod q) , we get

(k (mod p)) (mod q) =(33(mod 11))(mod 5)=(27 (mod 11))(mod 5)=5 (mod 5)=1
then computing (k (mod q)) (mod p) , we get
(k(mod q)) (mod p)= 33(mod 5)) (mod 11)
= (27 (mod 5)) (mod 11)
= 2 (mod 11)
Finally, (k (mod p)) (mod q) = 1 and (k (mod q)) (mod p) =2. Thus we conclude that
(k (mod p)) (mod q) ≠ (k (mod q)) (mod p).So the order of operation in DSA is

Problem 8.6.4:
Let p be a prime and let  be an integer with p  . Let h(x)   ^x (mod p). Explain
why h(x) is not good cryptographic hash function.

.Hash function is h(x) = x (mod p)
:h(x) is not a good hash function because
.Assume p=7, =5. and find different values of x
;We get the same value for x=3 ,x=9,x=15

> modp(Power(5,3),7);
> modp(Power(5,9),7);

> modp(Power(5,15),7);
Since the hash function is mapping different values of x to the same hash key, the given
function cannot be a good hash function.

Problem 15.6.2:
(a) List the points on the elliptic curve E: y2 = x3 – 2 (mod7).
(b) Find the sum (3, 2) + (6, 5) on E
(c) Find the sum (3, 2) + (3, 2) on E.

x  0  y 2  2 mod 7  5 mod 7  no solution
x  1  y 2  1 mod 7  6 mod 7  no solution
x  2  y 2  6 mod 7  no solution
x  3  y 2  25 mod 7  (5) 2 mod 7  no solution
 (3,5), (3,2)
x  4  y 2  62 mod 7  6 mod 7  no solution
x  5  y 2  214 mod 7  4 mod 7  (2) 2 mod 7
 (5,2), (5,5)

x  6  y 2  214 mod 7  4 mod 7  (2) mod 7

 (6,2), (6,5)
and the last point is (  , )
P  ( x 1  3, y1  2)
Q  ( x 2  6, y 2  5)
P  Q  R ( x3 , y 3 )

 y  y1 5  2
  2  1
x 2  x1 63

 x3    x1  x 2  1  3  6  8 mod 7  6 mod 7

 y   ( x  x )  y  (3  6)  2  5 mod 7  2 mod 7
 3 1 3 1

P+Q=R  (3,2)+(6,5)=(6,2)
(c) P(x1, y1)=(3,2) on E
P(x1, y2)=(3,2) on E
Since we are adding point P to itself, it is one of the cases of the addition rule for Elliptic
Crypto Systems.
3 x1  a 3(3 2 )  
  mod 7( note a   )
2 y1 2 2
 27  4 1 mod 7  6  4 1 mod 7
 6  2 mod 7  12 mod 7  5 mod 7
 6  2 mod 7  12 mod 7  5 mod 7

 x3  2  x1  x 2  25  3  3  19 mod 7  5 mod 7

 y 3   ( x1  x3 )  y1  5(3  5)  2  12 mod 7  2 mod 7

P+P= R  (3, 2) + (3, 2)=(5, 2)

(a) The points on the curve are (3, 2), (3, 5), (5, 2), (5, 5), (6, 2), (6, 5) and (  , )
(b) (3, 2) + (6, 5) = (6, 2)
(c) (3, 2) + (3, 2) = (5, 2)

Problem 15.6.10:
Let x = b1b2…bw be an integer written in binary. Let P be a point on the elliptic curve E.
(a) Show that Rw = xP
Let x be a positive integer and let P be a point on the elliptic curve.
(b) Show that the given procedure computes xP


Excluded in this HW

Computer Problems

Problem 8.7.1:
Suppose we use ElGamal signature scheme with p=655539,  =2,  =33384. We send
two signed messages (m, r, s): (809, 18357, 2042) (=hi) and (22505, 18357, 26272)
(a) Show that the same value of k was used for each signature
(b) Use this fact to find this value of k and to find the value of a such that  =  ^a
(mod p)
Given values: p=65539, alpha=2, beta=33384, m1=809, m2=22505, r=18357, s1=1042,

k can be found using k  (1-m2)/(s1-s2) mod p

There can be different solutions for k which is given by d = gcd(s1-s2,p-1);
> d=gcd(1042-26272,65539-1);
d  6
solving for k after dividing the all the terms in the congruence by 6 we get
> k1= modp(((m1-m2)/6)/((s1-s2)/6),(p-1)/6);
m1  m2 p 1
k1  modp  ,  
  s1 s2  6 6 
 6    
  6 6  
  
> k1=modp(((809-22505)/6)/((1042-26272)/6),(65539-1)/6);
k1  1814
Check all the 6 possible values of k and verify which values gives the correct encryption.
The k that gives us r will be the final solution.
> k2:=k1+(p-1)/6;
k2 := 12737
> k3:=k2+(p-1)/6;
k3 := 23660
> k4:=k3+(p-1)/6;
k4 := 34583
> k5:=k4+(p-1)/6;
k5 := 45506
> k6:=k5+(p-1)/6;
k6 := 56429

Trying different k values to calculate r

>r1:=alpha^k1 mod p;
r1 := 51656
> r2:=alpha^k2 mod p;
r2 := 33299
> r3:=alpha^k3 mod p;
r3 := 47182
> r4:=alpha^k4 mod p;
r4 := 13883
> r5:=alpha^k5 mod p;
r5 := 32240
> r6:=alpha^k6 mod p;
r6 := 18357
For k6 := 56429 we get the required r hence k6 is the required k

Now solving for “a” using the equation ar = m1-ks1 (mod p-1)

There are gcd(r,p-1) possible values of a

> gcd(r,p-1);

.Since there are 3 values of “a”, we can find them

:r:=18357 >
> a1:=(r/3)&^(-1)*((m1-k6*s1)/3) mod ((p-1)/3);
a1 := 9871
> a2:=a1+(p-1)/3;
a2 := 31717
> a3:=a2+(p-1)/3;
a3 := 53563
; a
For each value of “a” , find β= α
;beta1:=alpha^(a1) mod p >
 := 33384
> beta2:=alpha^(a2) mod p;
 := 35730
> beta3:=alpha^(a3) mod p;
 := 61964
“a” is 9871 which gives the correct β.
Thus k = 56429 and a=9871.

Problem 8.7.4:
(a) If there are 30 people in classroom, what is the probability that at least two have
the same birthday
(b) How many people should there be in a classroom in order to have a 99% chance
that at least two have the same birthday
(c) How many people should there be in a classroom in order to have 100%
probability that at least two have the same birthday
> 1-mul(1.-i/365, i=1..29);

(b) > 1-mul(1.-i/365, i=1..56);

bytes used=3015796, alloc=2227816, time=0.66
Hence the number of people should be 57 in order to have a 99% chance that at least two
have the same birthday.

(c) > 1-mul(1.-i/365, i=1..123);

Hence the number of people should be 124 (or greater) in order to have a 100% chance
that at least two have the same birthday.

Problem 15.7.2:
You want to represent the message 12345 as a point (x, y) on the curve
y2=x3 + 7x + 11 (mod 593899) write x = 12345_ and find a value of the missing last digit
of x such that there is a point on the curve with this x- co-ordinate.
After trying all possible solutions for x, we get…
For x = 123450, y2 = 474965 (mod 593899) It has no solution
For x = 123451, y2 = 426106 (mod 593899) It has no solution
For x = 123452, y2 = 524054 (mod 593899) It has no solution
For x = 123453, y2 = 174916 (mod 593899) It has no solution
For x = 123454, y2 = 566496 (mod 593899) It has no solution
For x = 123455, y2 = 511002 (mod 593899) It has no solution
For x = 123456, y2 = 8440 (mod 593899) It has no solution
For x = 123457, y2 = 246614 (mod 593899) It has no solution
For x = 123458, y2 = 37732 (mod 593899) It has no solution
For x = 123459, y2 = 569598 (mod 593899) It has no solution
Hence there exists no solution for x for which y has a square root.

Problem 15.7.4:
Let P= (2, 3) be a point on the elliptic curve y^2  x^3 – 10x +21 (mod 557).
(a) Show that 189P =  but 63P   and 27P  
(b)Show that P has order 189
(c)Show that elliptical curve has 567 points using Hasse’s Theorem

(a) > p=[2,3];
p = [2, 3]

> multell([2,3],189,-10,21,557);
["infinity", "infinity"]

> multell([2,3],63,-10,21,557);
[38, 535]
> multell([2,3],27,-10,21,557);
[136, 360]

> multell([2,3],189,-10,21,557);
["infinity", "infinity"]
(c) From the given problem, we know that the order of the given curve is 189 And
according to Lagrange’s Theorem, The number of points N is an integral multiple of
order Hence N = 189C. According to Hasse’s theorem, modulus (N – p – 1)  2 p.
Here p=557. So the condition becomes: absolute (189C - 557- 1)  47.
This condition is satisfied only if C = 567. Hence the number of points on the given curve
is N = 189*C = 189*3 = 567
Hence this elliptic curve has 567 points.

Problem 15.7.5:
Compute the difference (5, 9) – (1, 1) on the elliptic curve y^2  x^3 – 11x + 11 (mod
593899). Note that the answer involves large integers, even though the original points
have small coordinates.

> addell([5,9],[1,-1],-11,11,593899);
[148475, 222715]

> x:=148475;
x := 148475

> y:=222715;
y := 222715

> y:=222715^2;
y := 49601971225

> m:=((x&^3) - (11*x) + 11) mod 593899;

m := 120644

> 49601971225 mod 593899;


(Using the rule P – Q = P + (-Q))

Answer: Hence the difference between the points is [148475, 222715] (substituting these
values of x and y, LHS=RHS)

You might also like