## Math 5410/4410 Take-Home Midterm Spring 2002


This exam is due in class on Thursday, March 21st. Do all problems. The exam totals 100 points. Please show all work as answers alone are not sufficient. Submit partial solutions for partial credit. All work submitted must be your own.

1. Suppose the Merkle-Hellman Knapsack Cryptosystem has as its public list of sizes the vector

t = (1394, 1256, 1987, 439, 650, 724, 339, 2303, 810).

If Oscar has discovered that the prime used to set up the system is 2503,

1. Determine, by trial and error, the value of $a$ so that $a^{-1} t \bmod p$ is a permutation of a superincreasing list.
2. How would Oscar decrypt the ciphertext 3155? (Answer is a binary string)

2. Suppose that three users, Bob, Bart and Bert, of an RSA system all have the same public encryption exponent, $b = 3$. Let their (public) moduli be $n_1$, $n_2$ and $n_3$. Suppose that Alice encrypts the same message $x$ to all three. That is, Alice computes $y_i \equiv x^3 \pmod{n_i}$, $1 \le i \le 3$. Describe how Oscar can compute $x$, given $y_1$, $y_2$ and $y_3$ (and the public information) without factoring any of the moduli.

3. Use the Pohlig-Hellman algorithm to find the discrete logarithm of 125 to the base 2 in $\mathbb{Z}_{181}$, i.e., solve for $x$: $2^x = 125 \bmod 181$. [Note: I expect to see the details of the Pohlig-Hellman algorithm, the answer alone is not sufficient, nor is any other method for obtaining it.]

4. Consider the non-linear feedback function $f(s_0, s_1, s_2, s_3) = s_0 s_3 + s_2 + s_0 s_2 s_3 + s_1 s_2$ and the sequence generated from the starting state 0001. Determine the linear equivalence of this sequence and construct a LFSR which will generate the same sequence.

5. Suppose there are four people in a room, exactly one of whom is a foreign agent. The other three people have been given pairs corresponding to a Shamir secret sharing scheme in which any two people can determine the secret. The foreign agent has randomly chosen a pair of numbers for himself. The people and pairs are as follows. All the numbers are mod 11.

A: (1,4) B: (3,7) C: (5,1) D: (7,2)

Determine who the foreign agent is and what the secret is.

1. By trial and error 8^), it can be determined that $a = 1987$ (so, $a^{-1} = 325 \bmod 2503$). The superincreasing set (in order corresponding to the original $t$) is {7, 211, 1, 4, 998, 18, 43, 78, 435}. (A reasonable approach to this would involve realizing that the smallest element of the superincreasing set cannot be very large given that the prime used is so small. Assuming that this smallest element is 1, 2, 3, etc. in turn, and multiplying by numbers which would yield such a value, has a high probability of success. Indeed, in this example the third attempt would work.)
2. Oscar decrypts 3155 by first multiplying it by 325 mod 2503 to convert it to the same system as the superincreasing set and then solving the subset sum problem. This gives $(3155)(325) = 1648 = 998 + 435 + 211 + 4$, and so corresponds to the bit string 010110001. Note that the ordering must be the same as in the original list $t$. It is a simple check to verify that this is the correct answer, since $1256 + 439 + 650 + 810 = 3155$.
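The search and decryption described in this answer can be checked mechanically. The following Python is an added example, not part of the original exam; the function names and the `max_smallest` bound are assumptions, and the guess order follows the hint above (assume each $t_j$ in turn maps to the smallest element 1, then 2, and so on).

```python
T = (1394, 1256, 1987, 439, 650, 724, 339, 2303, 810)  # public list from the exam
P = 2503                                               # prime known to Oscar

def is_superincreasing(values):
    """True if, once sorted, every element exceeds the sum of all smaller ones."""
    total = 0
    for v in sorted(values):
        if v <= total:
            return False
        total += v
    return True

def find_multiplier(t, p, max_smallest=5):
    """Guess that some t_j is the image of a small element and test each guess."""
    for smallest in range(1, max_smallest + 1):
        for tj in t:
            a_inv = smallest * pow(tj, -1, p) % p      # candidate a^{-1} mod p
            s = [a_inv * ti % p for ti in t]
            # A usable private list is superincreasing and sums to less than p.
            if is_superincreasing(s) and sum(s) < p:
                return pow(a_inv, -1, p), a_inv, s
    return None

def decrypt(c, a_inv, s, p):
    """Undo the multiplier, then solve the easy subset-sum greedily."""
    target = c * a_inv % p
    bits = ["0"] * len(s)
    for i in sorted(range(len(s)), key=lambda k: s[k], reverse=True):
        if s[i] <= target:
            bits[i] = "1"                              # bit order follows t
            target -= s[i]
    if target:
        raise ValueError("ciphertext is not a subset sum of the recovered list")
    return "".join(bits)

if __name__ == "__main__":
    a, a_inv, s = find_multiplier(T, P)
    print(a, a_inv, s, decrypt(3155, a_inv, s, P))
```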

We can assume that the public moduli ($n_1$, $n_2$ and $n_3$) are relatively prime in pairs, for if not, the system is easily broken by a protocol failure (if two of them are equal) or by taking the gcd of two which are not relatively prime (yielding the common prime factor, and hence breaking the system). Now we can apply the Chinese remainder theorem to the system of equivalences:

$$z \equiv y_i \pmod{n_i}$$

for $1 \le i \le 3$. There is a unique solution $z$ to this system which is less than $n_1 n_2 n_3$. On the other hand, we know that $x^3$ is a solution to this system, and since $x < n_i$ for $1 \le i \le 3$, we have that $x^3 < n_1 n_2 n_3$. Therefore $x^3 = z$ (as integers, this is not a modular statement!). Oscar can now find $x$ as the integer cube root of $z$ (this is not a discrete log computation). Note that this argument would not work if there were fewer than three messages (with encryption exponent 3) or if the encryption exponent was larger (with only three messages).
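The argument above, carried through on numbers, shows why sending one unpadded message under exponent 3 to three recipients gives no secrecy. This is an added example, not part of the original exam; the three toy moduli and the message 9876 are constructed for illustration, and the function names are assumptions.

```python
from itertools import combinations
from math import gcd

def crt(residues, moduli):
    """Unique z in [0, product of moduli) with z = r_i (mod n_i); moduli coprime."""
    z, m = 0, 1
    for r, n in zip(residues, moduli):
        z += m * ((r - z) * pow(m, -1, n) % n)   # lift z to also satisfy r mod n
        m *= n
    return z

def icbrt(z):
    """Floor of the integer cube root, by binary search (no floating point)."""
    lo, hi = 0, 1 << ((z.bit_length() + 2) // 3)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= z:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_broadcast(ciphertexts, moduli):
    """Return x if the CRT value is an exact cube, otherwise None."""
    for a, b in combinations(moduli, 2):
        if gcd(a, b) != 1:
            raise ValueError("moduli share a factor; the gcd already breaks them")
    z = crt(ciphertexts, moduli)
    x = icbrt(z)
    return x if x ** 3 == z else None

# Constructed toy parameters (not from the exam): three RSA moduli and a message.
MODULI = (101 * 113, 107 * 131, 137 * 149)
MESSAGE = 9876
CIPHERTEXTS = tuple(pow(MESSAGE, 3, n) for n in MODULI)

if __name__ == "__main__":
    print(recover_broadcast(CIPHERTEXTS, MODULI))          # all three ciphertexts
    print(recover_broadcast(CIPHERTEXTS[:2], MODULI[:2]))  # only two: x^3 wrapped
```

With only two ciphertexts the CRT value is smaller than $x^3$, so the cube-root step no longer returns the message, which is the limitation noted at the end of the answer.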

Since $p-1 = 180 = 2^2 3^2 5$ is the product of small primes, the Pohlig-Hellman technique will work for this example. We calculate the exponents $x_2 \equiv x \pmod{2^2}$, $x_3 \equiv x \pmod{3^2}$ and $x_5 \equiv x \pmod 5$, and then put them together with the Chinese remainder theorem. The calculations below are made easy if you note that $125^5 \equiv 1 \pmod{181}$.

Let $x_2 = c_0 + c_1(2)$.
$125^{180/2} = 125^{90} \equiv 1 \pmod{181}$, so $c_0 = 0$.
$125^{180/4} = 125^{45} \equiv 1 \pmod{181}$, so $c_1 = 0$.
Thus, $x_2 = 0 + 0 = 0$.

Let $x_3 = c_0 + c_1(3)$.
$125^{180/3} = 125^{60} \equiv 1 \pmod{181}$, so $c_0 = 0$.
$125^{180/9} = 125^{20} \equiv 1 \pmod{181}$, so $c_1 = 0$.
Thus, $x_3 = 0 + 0 = 0$.

Finally, $x_5$ is just an integer mod 5.
$125^{180/5} = 125^{36} \equiv 125 \pmod{181}$. But, since $2^{3(36)} \equiv 125 \pmod{181}$, we have $x_5 = 3$.

Now using the Chinese remainder theorem to solve the system of equivalences:

$$x \equiv 0 \pmod 4, \qquad x \equiv 0 \pmod 9, \qquad x \equiv 3 \pmod 5$$

$$x = 0 + 0 + 3(36)(36^{-1} \bmod 5) = 3(36)(1) = 108 \bmod 180.$$
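The same computation in code, written for any prime $p$ whose $p-1$ factors into small primes rather than only for 181. This is an added example, not part of the original solution; the function names are assumptions, and it assumes the base $g$ is a primitive root mod $p$ (true for 2 mod 181).

```python
def factorize(n):
    """Trial-division factorisation: returns {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def dlog_prime_power(g, h, p, q, e):
    """x mod q**e with g**x = h (mod p), found one base-q digit at a time."""
    n = p - 1
    gamma = pow(g, n // q, p)              # generator of the order-q subgroup
    x = 0
    for k in range(e):
        # Remove the digits already known, then project into the order-q subgroup.
        target = pow(h * pow(g, -x, p) % p, n // q ** (k + 1), p)
        # q is small, so the digit c_k is found by exhaustive search.
        digit = next(d for d in range(q) if pow(gamma, d, p) == target)
        x += digit * q ** k
    return x

def pohlig_hellman(g, h, p):
    """Return (x, residues) where residues maps each q**e to x mod q**e."""
    n = p - 1
    residues = {q ** e: dlog_prime_power(g, h, p, q, e)
                for q, e in factorize(n).items()}
    x = 0
    for m, r in residues.items():          # classical CRT sum, as in the answer
        M = n // m
        x += r * M * pow(M, -1, m)
    return x % n, residues

if __name__ == "__main__":
    print(pohlig_hellman(2, 125, 181))
```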

The sequence produced by the non-linear feedback function $f(s_0, s_1, s_2, s_3) = s_0 s_3 + s_2 + s_0 s_2 s_3 + s_1 s_2$ with the starting state 0001 is 000101010101010101... . We see that after the first two (or three) bits, the sequence becomes periodic with period 01 (or 10, it doesn't matter which you work with). A linear feedback shift register can only reproduce the periodic part of this sequence. For this periodic sequence, the truncated polynomial $S^{(2)}(x) = x$ (or $= 1$). In either case, $\gcd(S^{(2)}(x), x^2 + 1) = 1$, so we have $m^*(x) = (x^2+1)/1 = x^2+1$. Therefore, $m(x) = x^2 + 1$ and the linear equivalence is 2. The LFSR with characteristic polynomial $x^2 + 1$ (having 2 registers, $c_0 = 1$ and $c_1 = 0$) produces the periodic sequence 01010101... with starting state 01 or 10101010... with starting state 10.
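A cross-check of this answer, as an added example that is not part of the original solution: it generates the sequence from the feedback function, locates the periodic part, and computes its linear complexity with the Berlekamp-Massey algorithm instead of the gcd method used above. Function names are assumptions; the returned list `[1, c1, ..., cL]` is the connection polynomial $1 + c_1 x + \dots + c_L x^L$, so `[1, 0, 1]` corresponds to $x^2 + 1$.

```python
def nlfsr_sequence(state, length):
    """Bits of the exam's NLFSR: the initial state first, then feedback bits."""
    seq = list(state)
    while len(seq) < length:
        s0, s1, s2, s3 = seq[-4:]
        seq.append((s0 & s3) ^ s2 ^ (s0 & s2 & s3) ^ (s1 & s2))
    return seq

def preperiod(seq, width=4):
    """Index at which the register state first enters its cycle."""
    seen = {}
    for i in range(len(seq) - width + 1):
        window = tuple(seq[i:i + width])
        if window in seen:
            return seen[window]
        seen[window] = i
    raise ValueError("sequence too short to contain a repeated state")

def berlekamp_massey(bits):
    """Linear complexity L and connection polynomial [1, c1, ..., cL] over GF(2)."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                          # discrepancy of the current LFSR
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                                # prediction failed: correct c
            t = c[:]
            for j in range(n - (i - m) + 1):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:                   # register must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def lfsr_sequence(c, seed, length):
    """Run s_i = c1*s_(i-1) ^ ... ^ cL*s_(i-L) from the given seed."""
    seq = list(seed)
    while len(seq) < length:
        seq.append(sum(c[j] & seq[-j] for j in range(1, len(c))) % 2)
    return seq

if __name__ == "__main__":
    bits = nlfsr_sequence([0, 0, 0, 1], 24)
    tail = bits[preperiod(bits):]            # periodic part only
    print(bits, berlekamp_massey(tail))
```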

In the (2, )-Shamir scheme being used, the secret is the constant term of a polynomial over $\mathbb{Z}_{11}$ of degree 1, that is, a linear polynomial. Since the graph of this polynomial is a line, we can use geometric ideas to answer the question instead of the interpolation polynomial approach. The shares of the scheme are the coordinates of points in a plane, and the three "good" ones are points on the same line. To determine which three points are on a line, we use the determinantal area formula for triangles. That is, we calculate the area of the triangle determined by say, A, B and C. If this is zero, then the points are on a line, otherwise they are not. For A, B, C we get

$$\det\begin{pmatrix} 1 & 4 & 1 \\ 3 & 7 & 1 \\ 5 & 1 & 1 \end{pmatrix} = 7 + 20 + 3 - 35 - 12 - 1 = -18 = 4 \bmod 11$$

which says, since it is not zero, that the foreign agent is one of A, B or C. Doing the same for A, B and D gives

$$\det\begin{pmatrix} 1 & 4 & 1 \\ 3 & 7 & 1 \\ 7 & 2 & 1 \end{pmatrix} = 7 + 28 + 6 - 49 - 12 - 2 = -22 = 0 \bmod 11$$

and so, A, B and D are on the same line, thus C is the foreign agent. To determine the secret we calculate the equation of the line determined by any two of A, B or D and read off the constant term. Thus, for the linear equation $y = xm + k$, using A and B we have:

$$
\begin{array}{rcl}
4 &=& 1m + k \\
7 &=& 3m + k \\ \hline
12 &=& 3m + 3k \\
7 &=& 3m + k \\ \hline
5 &=& 2k \;\Rightarrow\; 30 = 12k \;\Rightarrow\; 8 = k \pmod{11}
\end{array}
$$
and so the secret is 8.
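The consistency check used in this answer generalises from lines to any threshold: interpolate through each threshold-sized subset of shares and keep the polynomial that the most shares agree with. This is an added example, not part of the original solution; it uses Lagrange interpolation rather than the determinant test, the function names are assumptions, and it assumes all x-coordinates are distinct mod $p$.

```python
from itertools import combinations

SHARES = {"A": (1, 4), "B": (3, 7), "C": (5, 1), "D": (7, 2)}  # from the exam
PRIME = 11

def lagrange_eval(points, x, p):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def find_outliers(shares, threshold, p):
    """Return (names of inconsistent shares, secret) for the best-supported polynomial."""
    best_agree, best_secret = set(), None
    for subset in combinations(shares.values(), threshold):
        pts = list(subset)
        # Every share lying on the polynomial through this subset supports it.
        agree = {name for name, (x, y) in shares.items()
                 if lagrange_eval(pts, x, p) == y}
        if len(agree) > len(best_agree):
            best_agree = agree
            best_secret = lagrange_eval(pts, 0, p)   # constant term = secret
    return sorted(set(shares) - best_agree), best_secret

if __name__ == "__main__":
    print(find_outliers(SHARES, 2, PRIME))
```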