Finished cryptography handout

Mark 2023-08-18 11:12:20 -07:00
parent 760872a815
commit bc43a4ecce
Signed by: Mark
GPG Key ID: AD62BB059C2AAEE4
8 changed files with 443 additions and 356 deletions

View File

@ -21,8 +21,9 @@
\input{parts/1 mod}
\input{parts/2 groups}
\input{parts/3 DLP}
%\input{parts/part 3}
\input{parts/4 DiffieHellman}
\input{parts/5 Elgamal}
%\input{parts/challenge}
\input{parts/challenge}
\end{document}
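Review bot: the two commented-out lines `%\input{parts/part 3}` and `%\input{parts/challenge}` are dead lines in this hunk and should be deleted: the live `\input{parts/challenge}` directly below makes the commented copy redundant, and the `part 3` comment points at a part the document no longer inputs (the DLP part is `\input{parts/3 DLP}`).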

View File

@ -45,55 +45,11 @@ What is the smallest group we can create?
Verifying that the trivial group is a group is trivial.
\end{solution}
\vfill
\vfill
\pagebreak
%\problem{}
%Show that a group has exactly one identity element.
%\vfill
%\problem{}
%Show that each element in a group has exactly one inverse.
%\vfill
%\problem{}
%Show that $(\mathbb{Z}_n^\times, \times)$ is a group for any $n \in \mathbb{Z}^+$.
%\vfill
%\problem{}
%Let $(G, \ast)$ be a group and $a, b, c \in G$. Show that...
%\begin{itemize}
% \item $a \ast b = a \ast c \implies b = c$
% \item $b \ast a = c \ast a \implies b = c$
%\end{itemize}
%This means that we can \say{cancel} operations in groups, much like we do in algebra.
%\vfill
%\pagebreak
% \problem{}
% Let $G$ be the set of all bijections $A \to A$. \par
% Let $\circ$ be the usual composition operator. \par
% Is $(G, \circ)$ a group?
%
% \vfill
%
% \definition{}
% Note that our definition of a group does \textbf{not} state that $a \ast b = b \ast a$. \par
% Many interesting groups do not have this property.
% Those that do are called \textit{abelian} groups. \par
%
% \vspace{2mm}
%
% One example of a non-abelian group is the set of invertible 2x2 matrices under matrix multiplication. In this handout, all % groups are abelian.
%
%
%
% \problem{}
% Show that if $G$ has four elements, $(G, \ast)$ is abelian.
\problem{}
Let $(G, \ast)$ be a group with finitely many elements, and let $a \in G$. \par
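Review bot: the removed commented block carried the sentence "In this handout, all groups are abelian" (on the line with the stray mid-sentence `%`), and the live copy of that `\definition{}` in Bonus Problems drops it. Both Diffie-Hellman and Elgamal lean on commutativity of $\mathbb{Z}_p^\times$ (the DH solution writes $g^{ab} = g^{ba}$), so consider restoring that one sentence where the abelian definition now lives.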

View File

@ -31,7 +31,7 @@ Then learn \LaTeX, write a paper, and enjoy free admission to the graduate progr
\vfill
The discrete logarithm can be quickly computed in a few special cases. But, in general, there is no known way to efficiently compute it in general. Interestingly enough, we haven't been able to prove that an efficient solution \textit{doesn't} exist. The best we can offer is a \say{proof by effort:} many smart people have been trying for long time and haven't solved it yet. It probably doesn't exist.
The discrete logarithm can be quickly computed in a few special cases, but there is no known way to efficiently compute it in general. Interestingly enough, we haven't been able to prove that an efficient solution \textit{doesn't} exist. The best we can offer is a \say{proof by effort:} many smart people have been trying for long time and haven't solved it yet. It probably doesn't exist.
\vspace{2mm}
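Review bot: the rewritten sentence still has a grammar slip, "have been trying for long time"; it should read "for a long time". The duplicated "in general" from the old line is correctly removed.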

View File

@ -0,0 +1,126 @@
\section{Diffie-Hellman Key Exchange}
One problem we encounter in computer science is \textit{secure key exchange}: How can two parties (usually called Alice and Bob) agree on a \say{key} without revealing anything to an eavesdropper (Eve)?
\begin{center}
\begin{tikzpicture}
\node (A) at (0, 0) {Alice};
\node (B) at (4, 0) {Bob};
\node (E) at (2, -1) {Eve};
\draw[-]
(A) edge (B)
(E) edge (2, 0)
;
\end{tikzpicture}
\end{center}
A simple mathematical solution to the key exchange problem is the \textit{Diffie-Hellman key exchange algorithm}, detailed below.
\vspace{1mm}
Values that are \textit{public} are known to everyone. Values that are sent are also known to everyone: we assume that everyone can see what Alice and Bob send to each other.
Eve can read all public values, but she cannot change them in any way.
\begin{center}
\begin{tikzpicture}[scale = 0.5]
\def\bx{18}
\def\ex{13}
\node[anchor = center] at (\ex, 7.5) {\textbf{Setup}};
\draw[-] (\ex-4.5, 7) -- (\ex+4.5, 7);
\node[anchor = west] at (\ex-4, 6) {Let $p$ be a prime number};
\node[anchor = west] at (\ex-4, 5) {Let $g$ be a generator in $\mathbb{Z}_p^\times$};
\node[anchor = west] at (\ex-4, 4) {Both $g$ and $p$ are public.};
\node[anchor = center] at (4, 1.5) {\textbf{Alice}};
\draw[-] (-0.5, 1) -- (8.5, 1);
\node[anchor = west] at (0, 0) {Pick a random $a \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (0, -1) {Set $A = g^a$};
\node[anchor = west] at (0, -3) {Publish $A$};
\draw[->] (6, -3) -- (\ex - 1, -3);
\node[anchor = west] at (0, -5) {\color{gray} Compute ...};
\node[anchor = center] at (\bx+4, 1.5) {\textbf{Bob}};
\draw[-] (\bx-0.5, 1) -- (\bx+8.5, 1);
\node[anchor = west] at (\bx, 0) {Pick a random $b \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (\bx, -1) {Set $B = g^b$};
\node[anchor = west] at (\bx, -4) {Publish $B$};
\draw[->] (\bx - 1, -4) -- (\ex+1, -4);
\node[anchor = west] at (\bx, -5) {\color{gray} Compute ...};
\node[anchor = center] at (\ex, 1.5) {\textbf{Public}};
\draw[-] (\ex-2, 1) -- (\ex+2, 1);
\node[anchor = center] at (\ex, 0) {$p, g$};
\node[fill=white, anchor = center] at (\ex, -3) {$A$};
\node[fill=white, anchor = center] at (\ex, -4) {$B$};
\end{tikzpicture}
\end{center}
\problem{}
Complete the algorithm. What should Alice and Bob compute? \par
What is their shared secret?
\vfill
\problem{}
Let $p = 11$, $g = 2$, $a = 9$, and $b = 4$. \par
Run the algorithm. What is the resultingw shared secret?
\begin{solution}
$g^b = 5$\par
$g^a = 6$\par
$g^{ab} = g^{ba} = 9$
\end{solution}
\vfill
\pagebreak
\problem{}
Is the Diffie-Hellman key exchange algorithm secure? What information does Eve have? \par
What does Eve need to do to find the value Alice and Bob agreed on?
\vfill
\problem{}
Now, say Eve can change information in transit. \par
That is, she can pretend to be Alice to send information to Bob. \par
How can she break this system? \par
\note[Note]{This is called a \textit{man-in-the-middle} attack.}
\vfill
\pagebreak
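Review bot: the exponents are drawn from the wrong set. `Pick a random $a \in \mathbb{Z}_p^\times$` (and the same for $b$) allows $a = p-1$, and since $g$ generates $\mathbb{Z}_p^\times$ (order $p-1$), that gives $A = g^{p-1} = 1$ and a shared secret of $1$; exponents act modulo $p-1$, so state $a \in \{1, \dots, p-2\}$ (or $\mathbb{Z}_{p-1}$ with $0$ and $p-1$ excluded) instead. In the same file, the second problem has a typo: "resultingw" should be "resulting", and the solution could use the diagram's names ($B = 5$, $A = 6$) so students can match it to the figure.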

View File

@ -0,0 +1,128 @@
\section{Elgamal Asymmetric Encryption}
Another cryptographic tool we often use is the \textit{public key cryptosystem}.
In such a system, one has two keys: a \textit{public key} that can only encrypt data, and a \textit{private key} that can decrypt it.
The following problem provides a simple example.
\problem{}
Alice wants to send a secret letter to Bob. Eve, the postman, would like to see what is inside. \par
\vspace{2mm}
Alice has a box, a lock, and a key. Bob does not own a lock. \par
Eve will open the box if she can, but she will not try to break any locks. \par
Also, she will always deliver the box without modifying its contents.
\vspace{2mm}
How can Alice send her letter without letting Eve read it?
\vfill
Elgamal encryption allows Alice to publish a public key ($A$ in the diagram below),
which Bob can use to encrypt a message. Alice then uses here private key ($a$) to decrypt it.
\begin{center}
\begin{tikzpicture}[scale = 0.5]
\def\bx{18}
\def\ex{13}
\node[anchor = center] at (\ex, 7.5) {\textbf{Setup}};
\draw[-] (\ex-4.5, 7) -- (\ex+4.5, 7);
\node[anchor = west] at (\ex-4, 6) {Let $p$ be a prime number};
\node[anchor = west] at (\ex-4, 5) {Let $g$ be a generator in $\mathbb{Z}_p^\times$};
\node[anchor = west] at (\ex-4, 4) {Both $g$ and $p$ are public.};
\node[anchor = center] at (4, 1.5) {\textbf{Alice}};
\draw[-] (-0.5, 1) -- (8.5, 1);
\node[anchor = west] at (0, 0) {Pick a random $a \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (0, -1) {Set $A = g^a$};
\node[anchor = west] at (0, -2) {Publish $A$};
\draw[->] (6, -2) -- (\ex - 1, -2);
\draw[->] (\ex+1, -2) -- (\bx - 1, -2);
\node[anchor = west] at (0, -6) {Compute $c_2 \times c_1^{-a}$};
\node[anchor = west] at (0, -7) {$= (mA^k)(g^{-ak})$};
\node[anchor = west] at (0, -8) {$= (m)(g^{ak}g^{-ak})$};
\node[anchor = west] at (0, -9) {$= m$};
\node[anchor = center] at (\bx+4, 1.5) {\textbf{Bob}};
\draw[-] (\bx-0.5, 1) -- (\bx+8.5, 1);
\node[anchor = west] at (\bx, 0) {Bob has a message $m \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (\bx, -1) {Pick a random $k \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (\bx, -3) {Set $c_1 = g^k$};
\node[anchor = west] at (\bx, -4) {Set $c_2 = mA^k$};
\node[anchor = west] at (\bx, -5) {Publish $(c_1, c_2)$};
\draw[->] (\bx-1, -5) -- (\ex+1.5, -5);
\draw[->] (\ex-1.5, -5) -- (6, -5);
\node[anchor = center] at (\ex, 1.5) {\textbf{Public}};
\draw[-] (\ex-2, 1) -- (\ex+2, 1);
\node[anchor = center] at (\ex, 0) {$p, g$};
\node[fill=white, anchor = center] at (\ex, -2) {$A$};
\node[fill=white, anchor = center] at (\ex, -5) {$(c_1, c_2)$};
\end{tikzpicture}
\end{center}
\problem{}
Let $p = 17$, $g = 2$, $a = 7$, $k = 10$, and $m = 3$ \par
Run this algorithm and make sure it works.
\begin{solution}
$A = 2^7 = 9$\par
$c_1 = 2^10 = 4$\par
$c_2 = 3(9^{10}) = 5$
\vspace{2mm}
$c_1^a = 13$, so $c_1^{-a} = 4$\par
$c_2 \times c_1^a = 5 \times 4 = 3 = m$
\end{solution}
\vfill
\pagebreak
\problem{}
Is this secure? What information does Eve have? \par
What does Eve need to find $m$?
\vfill
\problem{}
Say Bob re-uses the same $k$ twice.\par
Let $(c_1, c_2)$ and $(d_1, d_2)$ be two ciphertexts generated with this key, encrypting messages $m_1$ and $m_2$. \par
Also, say Eve knows the value of $m_1 - m_2$. How can Eve find $m_1$ and $m_2$?\par
\note[Note]{If Bob doesn't change his key, Eve will also be able to decrypt future messages.}
\begin{solution}
$c_2 - d_2 = (m_1 - m_2)A^k$. \par
So, $(c_2 - d_2)(m_1 - m_2)^{-1} = A^k$.\par
Now that we have $A^k$, we can compute $m_1 = c_2 \times A^{-k}$.
\end{solution}
\vfill
\pagebreak
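Review bot: the worked solution's last line has the wrong sign in the exponent: `$c_2 \times c_1^a = 5 \times 4 = 3 = m$` multiplies by $4 = c_1^{-a}$ (computed on the line above, $c_1^a = 13$), so it should read `$c_2 \times c_1^{-a} = 5 \times 4 = 3 = m$`. Two smaller fixes in the same hunk: `$c_1 = 2^10 = 4$` needs braces (`2^{10}`), otherwise LaTeX typesets it as $2^1 0$; and "uses here private key" should be "her".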

View File

@ -0,0 +1,183 @@
\section{Bonus Problems}
\problem{}
Show that a group has exactly one identity element.
\vfill
\problem{}
Show that each element in a group has exactly one inverse.
\vfill
\problem{}
Let $(G, \ast)$ be a group and $a, b, c \in G$. Show that...
\begin{itemize}
\item $a \ast b = a \ast c \implies b = c$
\item $b \ast a = c \ast a \implies b = c$
\end{itemize}
This means that we can \say{cancel} operations in groups, much like we do in algebra.
\vfill
\pagebreak
\problem{}
Let $G$ be the set of all bijections $A \to A$. \par
Let $\circ$ be the usual composition operator. \par
Is $(G, \circ)$ a group?
\vfill
\definition{}
Note that our definition of a group does \textbf{not} state that $a \ast b = b \ast a$. \par
Many interesting groups do not have this property.
Those that do are called \textit{abelian} groups. \par
\vspace{2mm}
One example of a non-abelian group is the set of invertible 2x2 matrices under matrix multiplication.
\problem{}
Show that if $G$ has four elements, $(G, \ast)$ is abelian.
\vfill
\pagebreak
\problem{}
Prove \ref{mod_has_inverse}: \par
$a$ has an inverse mod $m$ iff $\gcd(a, m) = 1$ \par
\begin{solution}
Assume $a^\star$ is the inverse of $a \pmod{m}$. \par
Then $a^\star \times a \equiv 1 \pmod{m}$ \par
Therefore, $aa^\star - 1 = km$, and $aa^\star - km = 1$ \par
We know that $\gcd(a, m)$ divides $a$ and $m$, therefore $\gcd(a, m)$ must divide $1$. \par
$\gcd(a, m) = 1$ \par
Now, assume $\gcd(a, m) = 1$. \par
By the Extended Euclidean Algorithm, we can find $(u, v)$ that satisfy $au+mv=1$ \par
So, $au-1 = mv$. \par
$m$ divides $au-1$, so $au \equiv 1 \pmod{m}$ \par
$u$ is $a^\star$.
\end{solution}
\vfill
\problem{}<eua_runtime>
The Euclidean Algorithm (From \ref{euclid}) can be written as follows: \par
\begin{itemize}
\item Assume $a > b$.
\item Set $e_0 = a$ and $e_1 = b$. \par
\item Let $e_{n+1} = \text{remainder}(r_{n-1} \div r_{n})$ \par
\item Stop when $e_{k} = 0$.
\item Then, $\gcd(a, b) = e_{k-1}$. \par
\end{itemize}
Let $F_n$ be the $n^{\text{th}}$ Fibonacci number. ($F_0 = 0$; $F_1 = 1$; $F_2 = 1$; $\dots$) \par
\vspace{2mm}
Show that if the Euclidean algorithm requires $n$ steps for an input $(a, b)$, then $a \geq F_{n+2}$ and $b \geq F_{n+1}$.
In other words, show that the longest-running input of a given size is a Fibonacci pair.
\begin{solution}
The easiest way to go about this is induction on $n$: \par
\textcolor{gray}{\textit{Base Case:}}
If $n = 1$, $b$ divides $a$ with no remainder, and the smallest possible $a, b$ for which this is true is $(2, 1) = (F_3, F_2)$.
\linehack{}
\textcolor{gray}{\textit{Induction:}}
Assume that for $n$ steps, $a \geq F_{n+2}$ and $b \geq F_{n+1}$.
Now, say the algorithm takes $n+1 = m$ steps. \par
The first step gives us $a = q_0b + r_0$ \par
Therefore, the pair $(b, r_0)$ must take $m-1$ steps. \par
We thus know that $b \geq F_{m+1}$ and $r_0 \geq F_m$ \hfill \textcolor{gray}{by our induction hypothesis} \par
Therefore, $a = q_0b + r_0 \geq b + r_0$ \par
But $b + r_0 = F_{m+1} + F_{m} = F_{m+2}$, \par
so $a \geq F_{m+2}$.
\end{solution}
\vfill
\pagebreak
\problem{Chinese Remainder Theorem}
There are certain things whose number is unknown. If we count them by threes, we have two left over; by fives, we have three left over; and by sevens, two are left over. How many things are there?
\begin{solution}
$x \equiv 2 \pmod{3}$ \par
$x \equiv 3 \pmod{5}$ \par
$x \equiv 2 \pmod{7}$ \par
$x = 23 + 105k\ \forall k \in \mathbb{Z}$
\end{solution}
\vfill
\problem{}<flt_prereq>
Show that if $p$ is prime, $\binom{p}{i} \equiv 0 \pmod{p}$
for $0 < i < p$.
\begin{solution}
$\binom{p}{i} = \frac{p!}{i!(p-i)!}$ tells us that $i!(p-i)!$ divides $p! = p(p-1)!$. \\
However, $i!(p-i)!$ and $p$ are coprime, since all factors of $i!(p-i)!$ are smaller than $p$. \\
Therefore, $i!(p-i)!$ must divide $(p-1)!$ \par
So, $\binom{p}{i} = p \times \frac{(p-1)!}{i!(p-i)!}$, and $\binom{p}{i} \equiv 0 \pmod{p}$.
\end{solution}
\vfill
\pagebreak
\problem{Fermat's Little Theorem}
Show that if $p$ is prime and $a \not\equiv 0 \pmod{p}$, then $a^{p-1} \equiv 1 \pmod{p}$. \\
You may want to use \ref{flt_prereq}. \par
\hint{It may be easier to show that $a^p \equiv a \pmod{p}$}
\begin{solution}
Use induction:
$1 \equiv 1 \pmod{p}$ \par
Using \ref{flt_prereq} and the binomial theorem, we have
$2^p = (1 + 1)^p = 1 + \binom{p}{1} + \binom{p}{2} + \dots + \binom{p}{p-1} + 1 \equiv 1 + 0 + ... + 0 + 1 \equiv 2 \pmod{p}$ \par
Then,
$3^p = (1 + 2)^p = 1 + \binom{p}{1}2 + \binom{p}{2}2^2 + \dots + \binom{p}{p-1}2^{p-1} + 2^p \equiv 1 + 0 + ... + 0 + 2 \equiv 3 \pmod{p}$ \par
We can repeat this for all $a$. This proof can be presented more formally with a bit of induction.
\end{solution}
\vfill
\problem{}
Show that for any three integers $a, b, c$, \par
$\gcd(ac + b, a) = \gcd(a, b)$ \par
%\begin{solution}
% This problem is hard, \\
% I'll write a solution eventually.
%\end{solution}
\vfill
[Note on \ref{eua_runtime}] This proof can be used to show that the Euclidean algorithm finishes in logarithmic time, and it is the first practical application of the Fibonacci numbers. If you have finished all challenge problems, finish the proof: show that the Euclidean runs in $O(\log{n})$
\pagebreak
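Review bot: the Euclidean algorithm statement mixes two sequence names: `\item Let $e_{n+1} = \text{remainder}(r_{n-1} \div r_{n})$` defines $e$ in terms of an undefined $r$; it should be $e_{n+1} = \text{remainder}(e_{n-1} \div e_n)$ to agree with `Set $e_0 = a$ and $e_1 = b$` and `Stop when $e_{k} = 0$` (the slip was carried over from the deleted challenge file). Three more things in this hunk: the reference changed from `\ref{euclid_algorithm}` to `\ref{euclid}`, so confirm a label named `euclid` exists or it will render as `??`; the Fermat problem now uses `\hint{...}` where the old file used `\begin{hint}...\end{hint}`, so the macro form must exist in the preamble; and the closing note "show that the Euclidean runs in $O(\log{n})$" is missing the word "algorithm" and a final period.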

View File

@ -1,142 +0,0 @@
\section{Challenge Problems}
\problem{}
Prove \ref{mod_has_inverse}: \\
$a$ has an inverse mod $m$ iff $\gcd(a, m) = 1$ \\
\begin{hint}
To prove an iff statement, prove each direction separately: \\
Assume that the left side is true and show that left $\implies$ right, \\
then do the reverse.
\end{hint}
\begin{solution}
Assume $a^\star$ is the inverse of $a \pmod{m}$. \\
Then $a^\star \times a \equiv 1 \pmod{m}$ \\
Therefore, $aa^\star - 1 = km$, and $aa^\star - km = 1$ \\
We know that $\gcd(a, m)$ divides $a$ and $m$, therefore $\gcd(a, m)$ must divide $1$. \\
$\gcd(a, m) = 1$ \\
Now, assume $\gcd(a, m) = 1$. \\
By the Extended Euclidean Algorithm, we can find $(u, v)$ that satisfy $au+mv=1$ \\
So, $au-1 = mv$. \\
$m$ divides $au-1$, so $au \equiv 1 \pmod{m}$ \\
$u$ is $a^\star$.
\end{solution}
\vfill
\problem{}<eua_runtime>
The Euclidean Algorithm (From \ref{euclid_algorithm}) can be written as follows: \\
Assume $a > b$.
Set $e_0 = a$ and $e_1 = b$. \\
Let $e_{n+1} = \text{remainder}(r_{n-1} \div r_{n})$ \\
Stop when $e_{k} = 0$.
Then, $\gcd(a, b) = e_{k-1}$. \\
Let $F_n$ be the $n^{\text{th}}$ Fibonacci number. ($F_0 = 0$; $F_1 = 1$; $F_2 = 1$; $\dots$)\\
Show that if the Euclidean algorithm requires $n$ steps for an input $(a, b)$, then $a \geq F_{n+2}$ and $b \geq F_{n+1}$.
(In other words, show that the longest-running input of a given size is a Fibonacci pair.)
\begin{solution}
The easiest way to go about this is induction on $n$: \\
\textcolor{gray}{\textit{Base Case:}}
If $n = 1$, $b$ divides $a$ with no remainder, and the smallest possible $a, b$ for which this is true is $(2, 1) = (F_3, F_2)$.
\linehack{}
\textcolor{gray}{\textit{Induction:}}
Assume that for $n$ steps, $a \geq F_{n+2}$ and $b \geq F_{n+1}$.
Now, say the algorithm takes $n+1 = m$ steps. \\
The first step gives us $a = q_0b + r_0$ \\
Therefore, the pair $(b, r_0)$ must take $m-1$ steps. \\
We thus know that $b \geq F_{m+1}$ and $r_0 \geq F_m$ \hfill \textcolor{gray}{by our induction hypothesis} \\
Therefore, $a = q_0b + r_0 \geq b + r_0$ \\
But $b + r_0 = F_{m+1} + F_{m} = F_{m+2}$, \\
so $a \geq F_{m+2}$.
\end{solution}
\vfill
\pagebreak
\problem{Chinese Remainder Theorem}
There are certain things whose number is unknown. If we count them by threes, we have two left over; by fives, we have three left over; and by sevens, two are left over. How many things are there?
\begin{solution}
$x \equiv 2 \pmod{3}$ \\
$x \equiv 3 \pmod{5}$ \\
$x \equiv 2 \pmod{7}$ \\
$x = 23 + 105k\ \forall k \in \mathbb{Z}$
\end{solution}
\vfill
\problem{}<flt_prereq>
Show that if $p$ is prime, $\binom{p}{i} \equiv 0 \pmod{p}$
for $0 < i < p$.
\begin{solution}
$\binom{p}{i} = \frac{p!}{i!(p-i)!}$ tells us that $i!(p-i)!$ divides $p! = p(p-1)!$. \\
However, $i!(p-i)!$ and $p$ are coprime, since all factors of $i!(p-i)!$ are smaller than $p$. \\
Therefore, $i!(p-i)!$ must divide $(p-1)!$ \\
So, $\binom{p}{i} = p \times \frac{(p-1)!}{i!(p-i)!}$, and $\binom{p}{i} \equiv 0 \pmod{p}$.
\end{solution}
\vfill
\problem{Fermat's Little Theorem}
Show that if $p$ is prime and $a \not\equiv 0 \pmod{p}$, then $a^{p-1} \equiv 1 \pmod{p}$. \\
You may want to use \ref{flt_prereq}.
\begin{hint}
It may be easier to show that $a^p \equiv a \pmod{p}$
\end{hint}
\begin{solution}
Use induction:
$1 \equiv 1 \pmod{p}$ \\
Using \ref{flt_prereq} and the binomial theorem, we have
$2^p = (1 + 1)^p = 1 + \binom{p}{1} + \binom{p}{2} + \dots + \binom{p}{p-1} + 1 \equiv 1 + 0 + ... + 0 + 1 \equiv 2 \pmod{p}$ \\
Then,
$3^p = (1 + 2)^p = 1 + \binom{p}{1}2 + \binom{p}{2}2^2 + \dots + \binom{p}{p-1}2^{p-1} + 2^p \equiv 1 + 0 + ... + 0 + 2 \equiv 3 \pmod{p}$ \\
We can repeat this for all $a$. This proof can be presented more formally with a bit of induction.
\end{solution}
\vfill
%\problem{}
%Prove \ref{theorem:gcd_abc}: \\
%For any integers $a, b, c$, \\
%$\gcd(ac + b, a) = \gcd(a, b)$\\
%\begin{solution}
% This problem is hard, \\
% I'll write a solution eventually.
%\end{solution}
%\vfill
[Note on \ref{eua_runtime}] This proof can be used to show that the Euclidean algorithm finishes in logarithmic time, and it is the first practical application of the Fibonacci numbers. If you have finished all challenge problems, finish the proof: show that the Euclidean runs in $O(\log{n})$
\pagebreak
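Review bot: the `\begin{hint}` block for the iff proof ("To prove an iff statement, prove each direction separately ...") is dropped in the move to Bonus Problems, where the same problem now appears without any hint. If that was not intended, carry it over as a `\hint{...}` in the form the Fermat problem uses.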

View File

@ -1,165 +0,0 @@
\section{Symmetric Cryptosystems}
\definition{}
The goal of cryptography is to establish private communication between two parties over
a public channel. The rest of this handout tries to achieve this goal, using the tools we've
developed in the last two sections. \\
In this handout, a ``symmetric cryptosystem'' consists of the following:
\begin{itemize}
\item[-] A public prime number $p$ (Ideally, a \textit{big} prime number).
\item[-] $k$, a secret key that is shared between both parties. This is NOT public.
\item[-] $E_k(m) = c$, a function that uses key $k$ to encrypt message $m$ into a ciphertext $c$.
\item[-] $D_k(c) = m$, a function that uses key $k$ to decrypt a ciphertext $c$ into message $m$. \\
\item[-] Of course, $D_k(E_k(m)) = m$. \\
\end{itemize}
We have a good reason for picking a prime $p$. A prime base guarantees that every\footnote[1]{except those $\equiv 0 \pmod{p}$, of course} integer has an inverse mod $p$. Review \ref{mod_has_inverse} and convince yourself that this is true. \\
\vspace{2ex}
We'll assume that the secret key $k$ has been shared beforehand. How such a $k$ is created is beyond the scope of this handout, but those that are curious may look up ``Diffie-Hellman Key Exchange'' (Computerphile offers a
pretty good introduction). \\
\vspace{2ex}
One may wonder why we care about secretly exchanging numbers. Those of you with experience in computing may have an answer: any information---text, images, etc---may be represented as a number. For example, we can encode the 26 letters of the alphabet as the numbers $1 - 26$. Such mappings are called ``encodings.'' \\
\vspace{2ex}
Finally, you will notice that the encryption schemes that follow can only take a limited range of inputs. Indeed, even the cyphers in use today have a limited input size. A simple (though possibly insecure) way to overcome this limitation is to split the message into blocks of a desired size, encrypting each independently.
\vfill
\pagebreak
\problem{Multiplication mod p}
Consider the cryptosystem where
\begin{itemize}
\item[-] $p$ is a prime (for this problem, fix $p = 11$. Remember, $p$ is public.)
\item[-] $k$ is an integer
\item[-] $E_k(m) = k \times m \pmod{p}$
\item[-] $D_k(c) = k^\star \times c \pmod{p}$
\end{itemize}
\problempart{}
Encrypt $m = 8$ with $k = 5$. \\
Decrypt $c = 3$ with $k = 9$. \\
\textcolor{gray}{In other words, find $E_5(8)$ and $D_9(3)$}
\begin{solution}
$E_5(8) = 5 \times 8 \equiv 7$ \\
$D_9(3) = k^\star \times 3 = 5 \times 3 \equiv 4$
\end{solution}
\vfill
\problempart{}
Using this cryptosystem, Nikita sends a message to Sanjit. \\
Looking over Sanjit's shoulder, you find that $E_k(9) = 8$ \\
What key was used? \\
\textcolor{gray}{This is called a \textit{known plaintext attack}. With a good cryptosystem, it will be very difficult to solve this problem.}
\begin{solution}
$E_k = c = km$ \\
$E_k \times m^\star = kmm^\star = k$ \\
$m^\star = 5; k = 7$
\end{solution}
\vfill
\problempart{}<mult_analysis>
If you know many ciphertexts encrypted with the same key, can you find the key used to create them? \\
What range of values can this system effectively encrypt?
Justify all answers.
\begin{solution}
If the messages are independent, no. However, analysis is possible if the plaintexts have a known structure.
\linehack{}
$m \in \{1, 2, ..., 10\}$ \\
Note that $m$ cannot be $\equiv 0$.
\end{solution}
\vfill
\pagebreak
\problem{The Affine Cipher}
Consider the cryptosystem where
\begin{itemize}
\item[-] $p$ is a prime (for this problem, fix $p = 541$)
\item[-] $k = (k_1,\ k_2)$ is a tuple of two integers
\item[-] $E_k(m) = k_1 \times m + k_2 \pmod{p}$
\item[-] $D_k(c) = k_1^\star \times (c - k_2) \pmod{p}$
\end{itemize}
\problempart{}
Encrypt $m = 204$ with $k = (34,\ 71)$. \\
Decrypt $c = 431$ with $k = (34,\ 71)$.
\begin{solution}
$E_k(204) = 34 \times 204 + 71 \equiv 515$ \\
$k^\star = 366$
\hfill\textcolor{gray}{Known from \ref{find_inverse}}\\
$D_k(431) = 366 (431 - 71) \equiv 297$
\end{solution}
\vfill
\problempart{}
Now, let $p = 601$. You know two plaintext-ciphertext pairs:\\
$(m_1,\ c_1) = (387,\ 324)$ \\
$(m_2,\ c_2) = (491,\ 381)$ \\
How would you find $(k_1, k_2)$? \\
\textcolor{gray}{\textit{Note: } You do NOT have to find $k$. The calculations take a lot of manual labor. All you need to do is detail the steps you \textit{would} take if you had a calculator.}
\begin{solution}
$E_k(387) = k_1 \times 387 + k_2 \equiv 324 \pmod{601}$ \\
$E_k(491) = k_1 \times 491 + k_2 \equiv 381 \pmod{601}$ \\
$387k_1 + k_2 - 324 \equiv 491k_1 + k_2 - 381$ \\
$387k_1 + 57 \equiv 491k_1$ \\
$104k_1 \equiv 57$ \\
So $104k_1 + 601a = 57$ \\
Solve $104k_1 + 601a = \gcd(601, 104) = 1$, then scale.
\hfill\textcolor{gray}{Remember, 601 is prime.} \\
$k_1 \equiv -2964 \equiv 41 \pmod{601}$. \\
Substitute $k_1 = 41$. \\
$(k_1, k_2) = (41, 83)$
\end{solution}
\vfill
\problempart{}
If you only know one message and its corresponding ciphertext, can you find the encryption key? \\
If you know many ciphertexts encrypted with the same key, can you find the key used to create them? \\
What range of values can this system effectively encrypt?
Justify all answers.
\begin{solution}
Given $m$ and $c$, you cannot find $k_1$ or $k_2$.
\linehack{}
Given any number of ciphertexts, you cannot find $k$.
\linehack{}
$m \in \{1, 2, ..., 540\}$
Other answers are the same as those to \ref{mult_analysis}.
\end{solution}
\vfill
\pagebreak
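Review bot: unlike the challenge file, whose problems reappear as Bonus Problems, this deletion has no counterpart in the commit: the symmetric cryptosystem definition, the multiplication-mod-$p$ and affine ciphers, the known-plaintext problems and the `mult_analysis` label all disappear. If the removal is deliberate, confirm no remaining file still `\ref`s `mult_analysis` (it is defined only here), and note that the handout loses its only explanation of encodings and of splitting messages into blocks, which the Elgamal part ("Bob has a message $m \in \mathbb{Z}_p^\times$") implicitly relies on.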