Suppose that n = pq, where p and q are distinct odd primes and where a,b satisfy ab = 1 (mod (p-1)(q-1)). The RSA encryption operation is e(x) = x^b mod n and the decryption operation is d(y) = y^a mod n. We proved that d(e(x)) = x if x in Z_n*. Prove that the same statement is true for any x in Z_n.

( NOTE: Z_n = { 0,1,2,…,n-1 } and Z_n* = { a in Z_n | gcd(a,n)=1 } )

Use the fact that x₁ = x₂ (mod pq) if and only if x₁ = x₂ (mod p) and

x₁ = x₂ (mod q).This follows from the Chinese remainder theorem.

We give (yet another) protocol failure involving RSA. Suppose that three users in a network, say Bob, Bart and Bert, all have public encryption exponents b=3. Let their moduli be denoted by n₁, n₂, n₃. Now suppose Alice encrypts the same plaintext x to send to Bob, Bart and Bert. That is, Alice computes y_i = x³ mod n_i, i=1,2,3. Describe how Oscar can compute x, given y₁, y₂ and y₃, without factoring any of the moduli. (!!!)

A plaintext x is said to be fixed if e_K(x) = x. Show that, for the RSA Cryptosystem,

the number of fixed plaintexts x ΠZ_n* is equal to gcd(b-1,p-1) x gcd(b-1,q-1).

Consider the system of two congruences e_K (x) = x (mod p), e_K (x) = x (mod q).

1. Let n=p*q, the product of two primes, such that p>q.

Show that if p^1/2 - q^1/2 < 2^1/2 then ceiling(n^1/2) = (p+q)/2.

2. Deduce from (a) an efficient algorithm to factor RSA modulus for which

p^1/2 - q^1/2 < 2^1/2.

3. Generalize this factoring method using products of the form ceiling((kn)^1/2) =(ap+bq)/2 for n=p*q and k=a*b for known a,b.

Let

We say that { p_k : {0,1}ⁿ -> {0,1}ⁿ }_k is a Pseudo-Random Permutation Generator (PRPG) if it is a PRFG and each p_k is a permutation (a one-to-one function). Consider the following family of permutations { p_k : {0,1}²ⁿ -> {0,1}²ⁿ }_k defined from a Pseudo-Random Function Generator { f_k : {0,1}ⁿ -> {0,1}ⁿ }_k :

p_k(x,y) = [ y , x xor f_k(y) ]

1. Show that p_k(x,y) is indeed a permutation (a one-to-one function).

Define similarly

p_k1,k2(x,y) = p_k1(p_k2(x,y))

p_k1,k2,k3(x,y) = p_k1(p_k2(p_k3(x,y))

It has been proven that { p_k1,k2,k3(x,y): {0,1}²ⁿ -> {0,1}²ⁿ }_k1,k2,k3 is a PRPG.

(I am not asking you to prove this because it is too difficult…)

2. Show that { p_k : {0,1}²ⁿ -> {0,1}²ⁿ }_k is not a PRPG.
3. Show that { p_k1,k2 : {0,1}²ⁿ -> {0,1}²ⁿ }_k1,k2 is not a PRPG.
4. Explain the relationship between these permutations and DES.
5. Show how to compute their inverses p^-1_k(x,y), p^-1_k1,k2 (x,y), p^-1_k1,k2,k3(x,y).
6. Explain how Alice and Bob could share a secret key k1,k2,k3 and use both p_k1,k2,k3 and

(Make the strongest possible statement).