**[✏️ replace this text with your name(s) and your ID number(s)]**

# Homework 2

*Due date:* February 19, 2025 (Wednesday) at 8 PM

This homework helps you get a grasp in using SageMath for doing computations in number theory and algebra.
This *should* be a bit easier than the previous homework.

This homework has 33 points in total, but will be divided by 30 to get the final percentage. Final percentages are capped at 100%.

Please be guided on the policies regarding late submissions, regrading, and collaboration.
If any, please direct all your questions and clarifications about this homework in the `#hw2-help` channel on the Discord server.

## Getting started

SageMath is what you call a *computer algebra system*, a kind of software that can manipulate mathematical
expressions and objects in a way similar to how mathematicans do it manually.

It covers a lot of fields of math (from undergrad to research-level) so it's likely that we'll just
scratch the surface in terms of features for this course.
In particular, we'll use SageMath for its very efficient implementations of number-theoretic algorithms 
and various tools to deal with algebraic structures that are widely used in cryptography.

*Side note:* I also used SageMath (and also Python) for my undergrad thesis, so I should have enough
experience to help you out, so ask away at the `#sagemath-help` channel!

## Some reminders

Before starting, please make sure you have selected the correct kernel.
On the top right corner of the notebook, it should say **SageMath**, not Python 3.

You may find the following pages from the SageMath docs helpful:
* https://doc.sagemath.org/html/en/reference/finite_rings/sage/rings/finite_rings/integer_mod.html
* https://doc.sagemath.org/html/en/thematic_tutorials/numtheory_rsa.html
* https://doc.sagemath.org/html/en/constructions/number_theory.html
* https://doc.sagemath.org/html/en/tutorial/tour_polynomial.html
* https://doc.sagemath.org/html/en/constructions/polynomials.html

## 2-1. Some warm-ups [8 pts]

**(a) [2 pts]** Use the `next_prime()` function to construct **two** different 8-digit prime numbers and save them in variables named `a` and `b`.
Then, use the `is_prime()` function to verify that your primes `a` and `b` are really prime.

**(b) [2 pts]** Verify that $1$ is the greatest common divisor of your two primes from part (a). Then, find two integers that make a "linear combination" of your two primes equal to $1$; i.e., find integers $x$ and $y$ such that $ax + by = 1$.
Include a verification of your result.

For the next two parts, we consider the set of integers mod $40$:

In [2]:
Z40 = IntegerModRing(40)
Z40

Ring of integers modulo 40

This is a group under addition mod $40$, which we will ignore.
Instead we are interested in the subset of elements which have an inverse under *multiplication* mod $40$, namely the subgroup $\mathbb{Z}_{40}^*$.

**(c) [2 pts]** Determine how big this subgroup is by executing the command `Z40.unit_group_order()`, and then obtain a list of these elements with `Z40.list_of_elements_of_multiplicative_group()`.

Now consider $\langle 7 \rangle$, the cyclic subgroup of $\mathbb{Z}_{40}^*$ generated by the element $7 \in \mathbb{Z}_{40}^*$.

**(d) [2 pts]** Determine the elements of the cyclic subgroup of $\mathbb{Z}_{40}^*$ generated by $7$ using a list comprehension.
What is the order of $7$ in $\mathbb{Z}_{40}^*$?

**(e) [3 bonus pts] (This part is optional.)** The group $\mathbb{Z}_{49}^*$ is cyclic. Using only theorems about the structure of cyclic groups (particularly Lagrange's theorem and Theorem 4.16 from the course notes), describe each of the subgroups of $\mathbb{Z}_{49}^*$ by specifying its order and by giving an explicit generator, similar to Example 4.13 in the notes.
Do not repeat any of the subgroups — in other words, present each subgroup exactly once.

You can use Sage to check your work on the subgroups, but your answer about the subgroups should rely only on the theorems and be a nicely written paragraph with a table, etc.

**Solution:** [✏️ put your write-up to part (e) here]

## 2-2. Cyclic redundancy checks [10 pts]

A *cyclic redundancy check* (CRC) is a method used to check data integrity. To transmit some binary data using a CRC, a *check value* is first computed from the data. When the data is received, the check value is computed again using the received data. If the check value matches the one previously calculated, the data is valid. If the check value does not match the one previously calculated, then that indicates the data was corrupted in transit and is invalid.

There are many different implementations of CRCs, so we'll present a simple version. To generate a check value, we first convert the binary data to a polynomial in $\mathbb{Z}_2[x]$, where the coefficients are the bits in the data. For example, to generate the check value for the 8-bit string `10101111`, we write:
$$
\begin{align*}
    \texttt{10101111} &\Rightarrow 1x^7 + 0x^6 + 1x^5 + 0x^4 + 1x^3 + 1x^2 + 1x + 1\\
    &= x^7 + x^5 + x^3 + x^2 + x + 1.
\end{align*}
$$
    We then get the remainder from dividing this polynomial by some generator polynomial. For this example, let's use the generator polynomial $x^3 + x + 1$. This means we are working in the finite field $\mathbb{Z}_2[x]/\langle x^3 + x + 1\rangle$.

**(a) [2 pts]** Show that the remainder when $x^7 + x^5 + x^3 + x^2 + x + 1$ is divided by $x^3 + x + 1$ is $x$.

Since $x^7 + x^5 + x^3 + x^2 + x + 1 \equiv x \pmod{x^3 + x + 1}$, we then convert the remainder $x$ back into a bit string. Since our generator polynomial has degree 3, our check value must be 3 bits long.
$$
\begin{align*}
    x &= 0x^2 + 1x + 0\\
    &\Rightarrow \texttt{010}.
\end{align*}
$$
Therefore, the correct check value for `10101111` computed using the generator polynomial $x^3 + x + 1$ is `010`.

**(b) [5 pts]** You receive the data `01101100` with CRC check value `111`, using the generator polynomial $x^3 + x + 1$. Is the data valid?

In practice, we use larger generator polynomials, so we now have a larger range of check values.
CRC-32 is a cyclic redundancy check algorithm which relies on the finite field $K = \mathbb{Z}_2[x]/\langle g(x)\rangle$, where
$$
    g(x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10}  + x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1.
$$

**(c) [3 pts]** Without using SageMath, how many elements does $K$ have? Justify your answer, but *please* do not list down all the elements of $K$.

**Solution:** [✏️ put your answer to part (c) here]

## 2-3. Key exchange with group theory [8 pts]

**ℹ️ Note:** Answer this item manually.

Alice and Bob want to have a *shared secret*, a piece of information which both of them knows but no one else does.
Fortunately, they both recently learned group theory!

They both decided to use the group $G = \{a,b,c,d,e,f,g,h\}$, defined with the multiplication table below:
$$
\begin{array}{c|cccc|cccc}
    \cdot & a & b & c & d & e & f & g & h \\\hline
        a & a & b & c & d & e & f & g & h \\
        b & b & c & d & a & g & h & f & e \\
        c & c & d & a & b & f & e & h & g \\
        d & d & a & b & c & h & g & e & f \\\hline
        e & e & h & f & g & a & c & d & b \\
        f & f & g & e & h & c & a & b & d \\
        g & g & e & h & f & b & d & a & c \\
        h & h & f & g & e & d & b & c & a \\
\end{array}
$$

Here, $a$ is the identity element (not $e$). For any $x, y \in G$, define the operation $x \diamond y = y^{-1} \cdot x \cdot y$.

**(a) [2 pts]** Verify that $G$ is *not* abelian by picking any two distinct elements $x, y \in G$ such that $x \cdot y \ne y \cdot x$.

**Solution:** [✏️ put your answer to part (a) here]

**(b) [2 pts]** Find $d^{-1}$, the inverse of $d$.

**Solution:** [✏️ put your answer to part (b) here]

Their "homebrew" key exchange protocol works like this:

* First, Alice and Bob agree to pick the element $w = e$ to start with. This agreement is performed through a non-secure channel, so it is not a secret that $e$ was chosen for the value of $w$.
    
* Alice then picks $b$ in secret and computes $P_A = w \diamond b$, while Bob independently picks $c$ in secret and computes $P_B = w \diamond c$. 
    
* Then, Alice sends $P_A$ to Bob while Bob sends $P_B$ to Alice. These are also done through a non-secure channel, so neither $P_A$ nor $P_B$ are secret.

**(c) [2 pts]** What are the values of $P_A$ and $P_B$? (the answers must be a letter from $a$ to $h$)

**Solution:** [✏️ put your answer to part (c) here]

* Since Alice knows she picked $b$, she then computes $K_A = P_B \diamond b$. Similarly, since Bob knows he picked $c$, he then computes $K_B = P_A \diamond c$.

**(d) [2 pts]** What are the values of $K_A$ and $K_B$? Are they equal?

**Solution:** [✏️ put your answer to part (d) here]

**⚠️ Warning:** Do not confuse $a \cdot b$ and $a \diamond b$!

## 2-4. EZ CDH [4 pts]

One of the earliest developments in public-key cryptography was the *Diffie–Hellman key exchange protocol*.
In a nutshell, Diffie–Hellman works like this:
1. Alice and Bob agree to work in a cyclic group $G$ and use the generator $g \in G$.
   For our example here, suppose $G = \mathbb{Z}_{23}^*$, the multiplicative group of integers modulo $23$,
   and use $g = 5$ (which is a generator of $\mathbb{Z}_{23}^*$) as the base.

2. Alice chooses a secret integer uniformly at random, say $a = 4$, then sends Bob $A = g^a \,\text{(in $\mathbb{Z}_{p}^*$)}$.
    
   Here, $A = 5^4 = 4 \,\text{(in $\mathbb{Z}_{23}^*$)}$.
   
3. Bob chooses a secret integer uniformly at random, say $b = 3$, then sends Alice $B = g^b \,\text{(in $\mathbb{Z}_{p}^*$)}$.
    
   Here, $B = 5^3 = 10 \,\text{(in $\mathbb{Z}_{23}^*$)}$.

4. Alice computes $s = B^a \,\text{(in $\mathbb{Z}_{p}^*$)}$.

   $s = 10^4 = 18 \,\text{(in $\mathbb{Z}_{p}^*$)}$
   
4. Bob computes $s = A^b \,\text{(in $\mathbb{Z}_{p}^*$)}$.

   $s = 4^3 = 18 \,\text{(in $\mathbb{Z}_{p}^*$)}$
   
5. Alice and Bob now share a secret, which is $s = 18$.

It relies on the yet unproven hardness of the computational Diffie–Hellman (CDH) problem:
> Let $G$ be a (multiplicative) cyclic group. Given a generator $g$, and elements $g^a$ and $g^b$, find $g^{ab}$.

Typically you would use $\mathbb{Z}_p^*$ as your cyclic group.
Now let's say Alice and Bob decided to do Diffie–Hellman using an *additive* group $(\mathbb{Z}_p, +)$ instead.
Recall that in an additive group, the associated operation is addition (instead of multiplication), and group exponentiation works like multiplying by a constant.
So $g h$ turns into $g + h$ and $g^x$ turns into $x \cdot g$.

What could go wrong?
It turns out, the CDH problem becomes **trivial** for $(\mathbb{Z}_p, +)$, the set of integers mod $p$ under addition, so if Diffie–Hellman is done using this group, then the secret shared key $s$ can be easily recovered!

Suppose you have intercepted the values of $p$, $g$, $A = a \cdot g$, and $B = b \cdot g$ (remember these are all publicly known, unlike $a$ and $b$), each defined as follows:

In [5]:
p = 26252224380041047747122591194022887149606289495583988602108153223076105239345713403708414193367723342835700767028826621933301528577621675004701754797657444383241868615529900860134429255439131226429056482990442958014081622857451797053181679889832593668643778150520532513821598194302936931987644628206366307016154187413361996418218134120157336904570688208025410591110777302835970098122474666165460550417030400590807644619120346173596400270510603471434129931967590413985206434931078061344456864191168422370416631720528602666860196571809429832072103925681951495398210296474633895268747642683340902741844837855876639885661

In [6]:
g = 10358660391518567616235732436992715220505399810845827441257333108393443171959889069099715138044684141838118325500386741093800010558270378466883199825399330676381466009675928281488401043191332587062637256044696977384105044684466794686621421205589974180482443673243898688602649369028804054011906974785078294135687717039605783356266531235356135655782238895109470371160490304119821561072702573864453584670985173202273982561449531592431520177035322176963872128032236270259466337044311497471533890454091926268065712857277627251241513856846766590882663345959517800443199041098980907470045584969568016546154101486496241468201

In [7]:
A = 20782609745887880863084861164817249644924468778279537828708132307538860361752107659413744391033231295802952551707126922034793630858200019397812144632753634677474169838613791886799852405274342993668918505580248151348428078538557152645014288314096818927299400546703691486452341016537368653345507885348897354018203545337816947203535525392237362546715226227331771463778302927380311598270422291713440018223431224064432559679726313089126054258132462588337710509735129504402910939762843747281910591718386954799004365155651056783262429118602808290058749065586300403862436089590093386848556545179733658861380177829783058929436

In [8]:
B = 15652288550587494861877284061022581048876566461069217909821769631889690057460105326867911142783886861327646427717099133808430792895834938107266178689476692623686149419620572377238190972372792877990229731096982385952118208285712974512553297363466052295585111005436433385888720359053256192304284989071596582442026662910185323452995814587766386534864308324395516118953743865708020444605410498568021948384059886368186871833659783431183873460050303589135767256406110172836808069604572530592421554590407545064725362034890296313995545962574180455654390941548009781096282021384272056883168764941369041848165926711813244361023

Find out what the shared secret $s = (ab)\cdot g$ is, *without* resorting to brute force.