Modern Cryptology - Problem Set 1

1: GCD
=======================

**1.1 Facts about gcd**<br><br>
1. $gcd(an + b, n) = gcd(b,n)$:<br>
$gcd(an+b,n) = max\{x : x|an+b \wedge x|n\} =^{(*)} max\{x : x|b \wedge x|n\} = gcd(b,n)$ <br><br>
explanation of (*):<br>
we shall prove: $x|an+b \wedge x|n \iff x|b \wedge x|n$<br><br>
($\Rightarrow$) $x|an+b \wedge x|n$<br>
$\Rightarrow$ there exists $c,d \in \mathbb{Z}$ such that $cx = an+b \wedge dx = n$<br>
$\Rightarrow cx = adx +b$<br>
$\Rightarrow (c - ad)x = b$<br>
$\Rightarrow x|b$<br>
$\Rightarrow x|b \wedge x|n$<br><br>
($\Leftarrow$) $x|b \wedge x|n$<br>
$\Rightarrow$ there exists $c,d \in \mathbb{Z}$ such that $cx = b \wedge dx = n$<br>
$\Rightarrow$ for any $a \in \mathbb{Z} : an+b = adx+cx = (ad+c)x$<br>
$\Rightarrow$ $x|an+b \wedge x|b$<br><br>

2. $gcd(a,n) | gcd(ab,n)$:<br>
An equivalent way of defining $gcd(ab,n)$ is the number in the set { $ x : x|ab \wedge x|n $ }<br>
such that every other member $d$ of this set divides it.<br>
$\Rightarrow$<br>
All common divisors of ab, n divide gcd(ab,n).<br>
$gcd(a,n)$ is a divisor of $ab, n$, so as such it divides their gcd and so we get what we wanted to prove.<br><br>

3. Let $p \in \mathbb{Z}$ be a prime number. If $p|ab$ then $p|a$ or $p|b$:<br>
$a,b$ can be represented as products of primes.<br>
So we denote:<br>
$ a = \Pi p_i^{k_i}, b = \Pi p_i^{m_i}, \Rightarrow ab = \Pi p_i^{k_i+m_i}$.<br>
Assume p is the $j$th prime.<br>
From $p|ab$ it folllows $k_j + m_j > 1$.<br>
Remember $\forall i \in \mathbb{N} : k_i,m_i \in \mathbb{N}$ so it follows that $m_j > 1 \lor k_j > 1 $. <br>
So $p|a \lor p|b$.<br><br>

4. $gcd(a,n) = gcd(b,n) = 1 \Rightarrow gcd(ab,n) = 1$ :<br>
Denote $g_1 = gcd(a,n), g_2 = gcd(b,n), g_3 = gcd(ab,n)$.<br>
Assume by contradiction $g_3 > 1$.<br>
$g_3|ab \wedge g_3|n$.<br>
$\Rightarrow$ There exists a prime p such that $p|g_3$ so $p|ab$ and $p|n$.<br>
$\Rightarrow$ $(p|a \lor p|b) \wedge  p|n$.<br>
$\Rightarrow$ $ (p|a \wedge p|n) \lor (p|b \wedge p|n)$.<br>
$\Rightarrow$ $p|g_1 \lor p|g_2$.<br>
$\Rightarrow$ $g_1 > 1 \lor g_2 > 1$. And thats a contradiction.<br><br>

**1.2 extended euclidean algorithm**

In [1]:
def gcd(a,b):
    """     given a,b computes their gcd and x,y such that a*x + b*y = gcd. 
    returns those in the form of a tuple (gcd,x,y)    """
    if a == b:
        return (a,1,0)
    elif a < b:
        a,b = b,a
    a0,b0 = a,b
    if b == 0:
        return (a,1,0)
    if a % b == 0:
        return (b,0,1)
    
    As, Bs = [a], [b]
    Rs, Ds = [], [] # remainders, multipliers
    
    lastR = None
    while lastR != 0:     # a = d*b + r ==> (a,b) = (b,r). 
        Rs.append(a % b) ; Ds.append(a // b) # saving remainders and multipliers for later.
        lastR = Rs[-1]
        As.append(b)     ; Bs.append(lastR)
        a, b = As[-1], Bs[-1]
    gcd = As[-1]
    
    # from the euclidian process we got equations and now we use them to compute x,y
    Ds.pop()
    y, x = 1, -Ds.pop() 
    for i in range(len(Ds)): 
        if i%2 == 0:
            y = y - x*Ds[-1-i]
        else:
            x = x - y*Ds[-1-i]
    if a0*x + b0*y == gcd:
        return (gcd,x,y)
    return (gcd,y,x)

time complexity of worst case is $log(N)$ where $N = max(a,b)$

**1.3 computing inverses in $\mathbb{Z}_n^*$**<br><br>
<u>Algorithm</u>: Given $a \in \mathbb{Z}_n^*$ we compute the Extended Euclidean Algorithm on ($a,n$), we get some result ($gcd,x,y$) and return $x$.<br><br>
<u>Correctness</u>: We know by definition of $\mathbb{Z}_n^*$ that $gcd(a,n) = 1$ so by applying the Extended Euclidean Algorithm on ($a,n$) we get result ($1,x,y$): $x,y \in \mathbb{Z}$ such that:<br>
$ax + ny = 1$<br>
$\Rightarrow ax (mod n) = 1$<br>
$\Rightarrow$ $x$ is the inverse of $a$ by definition.<br> 

**1.4 $\mathbb{Z}_n^*$ is a group**<br><br>
<u>Closure</u>: let there be $a,b \in \mathbb{Z}_n^*$.<br>
$gcd(a,n) = gcd(b,n) = 1 \Rightarrow^{(1.1:4)} gcd(ab,n) = 1 \Rightarrow^{(1.1:1)} gcd(ab(mod n),n) = 1$<br>
also $0 \le ab(mod n) \lt n \Rightarrow ab(mod n) \in \mathbb{Z}_n^*$<br><br>
<u>Associativity</u>: let there be $a,b,c \in \mathbb{Z}_n^*$.<br>
$((a * b)(mod n) * c)(mod n) = ((a*b)*c)(mod n) = (a*(b*c))(mod n) = (a*(b*c)(mod n))(mod n)$<br><br>
<u>Identity</u>: For all $a \in \mathbb{Z}_n^*$ : $1*a (mod n) = a$ so $1$ is the identity.<br><br>
<u>Inverse</u>: Follows immediatly from the correctess proof of the algorithm in (1.3).


2: Modular Exponentiation
=======================

**2.1 general groups**<br><br>
I suggest the following algorithm.
given g,x we return with recursion the result of $alg(g = g^2 , x = \lfloor x/2 \rfloor) * g^{x (mod 2)}$.<br>
with stoping conditions of $g^1 = g$ and $g^0 = 1$.<br>
complexity: every recursive call is doing at most 1 group operation plus some O(1) calculations. there will be at most log(x) calls.<br>
so overall the complexity is $O( (log(x) + c)* log(|G|) ) = O(log(x) * log(|G|))$.

In [2]:
class Group: # ============= not important ============
    def __init__(self, op):
        self.identity = 1
        self.op = op
    def operation(self,a,b):
        return self.op(a,b)
G = Group(lambda a,b: a*b)

In [3]:
def g_exp_x(G,g,x): # ========= the algorithm ============= 
    if x == 0:
        return G.identity
    if x == 1:
        return g
    return G.operation( g_exp_x(G, G.operation(g,g), x//2), g if x%2 else G.identity )

**2.2 over $\mathbb{Z}_n^*$**<br><br>
The previous algorithm does exactly what is needed, further,<br>
I will prove the same algorithm achieves the required time complexity.<br>
Time complexity of the algorithm for general group is $O(($operation-time$) * log(|G|))$.<br>
Now because $|\mathbb{Z}_N^*| = N$ the time complexity we get is $O(poly(log(x), log(N)) * log(N)) = O(poly(log(x), log(N)))$

In [4]:
N = 25
Z_N = Group(lambda a,b: (a*b)%N)
print(g_exp_x(Z_N, 23, 3)) # 23^3(mod 25) == 17

17


3: Data Processing Inequality
=======================

**3.1 Statistical Distance**<br><br>
Assume, for the sake of contradiction that: $ SD(f(X),f(Y)) > SD(X,Y) $.<br><br>
Remember : $SD(X,Y) = max_D|adv_D(X,Y)|$.<br><br>
Let us build $D'$ such that $adv_{D'}(X,Y) > SD(X,Y)$ and by that reach a contradiction to the maximality of $SD(X,Y)$.<br><br>
First lets define another distinguisher $D''$:<br>
$D''$ is the distinguisher such that $adv_{D''}(f(X),f(Y)) = SD(f(X),f(Y))$.(exists from definition of $SD$)<br><br>
$D'$ is the distinguisher that takes distributions $X,Y$, applies $f$ on them and computes $D''$.<br><br>
By definition of $D'$ : $$adv_{D'}(X,Y) = adv_{D''}(f(X),f(Y)) = SD(f(X),f(Y))$$<br>
That is a contradiction because: $$adv_{D'}(X,Y) = SD(f(X),f(Y)) > SD(X,Y) = max_D|adv_D(X,Y)|$$

**3.2 Computational Distance**<br><br>
$X \approx^c Y$.<br>
$\Rightarrow \forall $ PPT $ D : |Pr_{x \leftarrow X_n}[D(x) = 1] - Pr_{x \leftarrow Y_n}[D(x) = 1]| \leq negl(n)$.<br>
In particular for any $D'$ that computes $f$ on the input (which takes polynomial time) and then computes some PPT $D''$ on the result, it holds that $D'$ is PPT.<br>So it follows:<br>
$$\forall \text{ PPT } D' : |Pr_{x \leftarrow X_n}[D'(x) = 1] - Pr_{x \leftarrow Y_n}[D'(x) = 1]| \leq negl(n)$$<br>
$\Rightarrow^{(D'' \text{defines} D')} $
$$\forall \text{ PPT } D'' : |Pr_{x \leftarrow X_n}[D'(x) = 1] - Pr_{x \leftarrow Y_n}[D'(x) = 1]| \leq negl(n)$$<br>
$\Rightarrow $
$$\forall \text{ PPT } D'' : |Pr_{x \leftarrow X_n}[D''(f(x)) = 1] - Pr_{x \leftarrow Y_n}[D''(f(x)) = 1]| \leq negl(n)$$<br>
$\Rightarrow $
$$\forall \text{ PPT } D'' : |Pr_{x \leftarrow f(X_n)}[D''(x) = 1] - Pr_{x \leftarrow f(Y_n)}[D''(x) = 1]| \leq negl(n)$$<br>
$\Rightarrow $
$$f(X) \approx^c f(Y)$$