14.4: Exercises

Exercise \(14.1\)

Let \(p\) be an odd prime, as usual. Recall that \(\mathbb{Q R}_{p}^{*}\) is the set of quadratic residues mod \(p\) - that is, \(\mathbb{Q R}_{p}^{*}=\left\{x \in \mathbb{Z}_{p}^{*} \mid \exists y: x \equiv{ }_{p} y^{2}\right\}\). Show that if \(g\) is a primitive root of \(\mathbb{Z}_{p}^{*}\) then \(\left\langle g^{2}\right\rangle=\mathbb{Q} \mathbb{R}_{p}^{*}\)

Note: This means that \(g^{a} \in \mathbb{Q R}_{p}^{*}\) if and only if \(a\) is even \(-\) and in particular, the choice of generator \(g\) doesn’t matter.

Exercise \(14.2\)

Suppose \(N=p q\) where \(p\) and \(q\) are distinct primes. Show that \(\left|\mathbb{Q} \mathbb{R}_{N}^{*}\right|=\left|\mathbb{Q} \mathbb{R}_{p}^{*}\right| \cdot\left|\mathbb{Q} \mathbb{R}_{q}^{*}\right|\).

Hint:

Exercise \(14.3\)

Suppose you are given \(X \in\langle g\rangle\). You are allowed to choose any \(X^{\prime} \neq X\) and learn the discrete log of \(X^{\prime}\) (with respect to base \(g\) ). Show that you can use this ability to learn the discrete \(\log\) of \(X\)

Exercise \(14.4\)

Let \(\langle g\rangle\) be a cyclic group with \(n\) elements and generator \(g\). Show that for all integers \(a\), it is true that \(g^{a}=g^{a \% n}\).

Note: As a result, \(\langle g\rangle\) is isomorphic to the additive group \(\mathbb{Z}_{n}\).

Exercise \(14.5\)

Let \(g\) be a primitive root of \(\mathbb{Z}_{n}^{*}\). Recall that \(\mathbb{Z}_{n}^{*}\) has \(\phi(n)\) elements. Show that \(g^{a}\) is a primitive root of \(\mathbb{Z}_{n}^{*}\) if and only if \(\operatorname{gcd}(a, \phi(n))=1\)

Note: It follows that, for every \(n\), there are either 0 or \(\phi(\phi(n))\) primitive roots mod \(n\).

Exercise \(14.6\)

Let \(\langle g\rangle\) be a cyclic group with \(n\) elements. Show that for all \(x, y \in\langle g\rangle\), it is true that \(x^{n}=y^{n} .\)

\(\dot{\varepsilon}_{u}\left(v_{v} b\right)\) SI ๆеч \(M \cdot v \mathrm{~}\)

Hint:

Exercise \(14.7\)

(a) Prove the following variant of Lemma 4.10: Suppose you fix a value \(x \in \mathbb{Z}_{N}\). Then when sampling \(q=\sqrt{2 N}\) values \(r_{1}, \ldots, r_{q}\) uniformly from \(\mathbb{Z}_{N}\), with probability at least \(0.6\) there exist \(i \neq j\) with \(r_{i} \equiv_{N} r_{j}+x\).

(b) Let \(g\) be a primitive root of \(\mathbb{Z}_{p}^{*}\) (for some prime \(p\) ). Consider the problem of computing the discrete \(\log\) of \(X \in \mathbb{Z}_{p}^{*}\) with respect to \(g-\) that is, finding \(x\) such that \(X \equiv_{p} g^{x}\). Argue that if one can find integers \(r\) and \(s\) such that \(g^{r} \equiv_{p} X \cdot g^{s}\) then one can compute the discrete \(\log\) of \(X\).

(c) Combine the above two observations to describe a \(O(\sqrt{p})\)-time algorithm for the discrete logarithm problem in \(\mathbb{Z}_{p}^{*}\).

Exercise \(14.8\)

In an execution of DHKA, the eavesdropper observes the following values:

\[\begin{array}{ll} p=461733370363 & A=114088419126 \\ g=2 & B=276312808197 \end{array}\]

What will be Alice & Bob’s shared key?

Exercise \(14.9\)

Explain what is wrong in the following argument:

In Diffie-Hellman key agreement, Alice sends \(A=g^{a}\) and Bob sends \(B=g^{b}\). Their shared key is \(g^{a b}\). To break the scheme, the eavesdropper can simply compute \(A \cdot B=\left(g^{a}\right)\left(g^{b}\right)=g^{a b}\).

Exercise \(14.10\)

Let \(\mathbb{G}\) be a cyclic group with \(n\) elements and generator \(g\). Consider the following algorithm:

Let \(D H=\left\{\left(g^{a}, g^{b}, g^{a b}\right) \in \mathbb{G}^{3} \mid a, b, \in \mathbb{Z}_{n}\right\}\)

(a) Suppose \((A, B, C) \in D H\). Show that the output distribution of \(\operatorname{RAND}(A, B, C)\) is the uniform distribution over \(D H\)

(b) Suppose \((A, B, C) \notin D H\). Show that the output distribution of \(\operatorname{RAND}(A, B, C)\) is the uniform distribution over \(\mathbb{G}^{3}\).

\(\star\) (c) Consider the problem of determining whether a given triple \((A, B, C)\) is in the set \(D H\). Suppose you have an algorithm \(\mathcal{A}\) that solves this problem on average slightly better than chance. That is: \[\begin{aligned} &\operatorname{Pr}[\mathcal{A}(A, B, C)=1]>0.51 \text { when }(A, B, C) \text { chosen uniformly in } D H \\ &\operatorname{Pr}[\mathcal{A}(A, B, C)=0]>0.51 \text { when }(A, B, C) \text { chosen uniformly in } \mathbb{G}^{3} \end{aligned}\] The algorithm \(\mathcal{A}\) does not seem very useful if you have a particular triple \((A, B, C)\) and you really want to know whether it is in \(D H\). You might have one of the triples for which \(\mathcal{A}\) gives the wrong answer, and there’s no real way to know.

Show how to construct a randomized algorithm \(\mathcal{A}^{\prime}\) such that: for every \((A, B, C) \in \mathbb{G}^{3}\) : \[\operatorname{Pr}\left[\mathcal{A}^{\prime}(A, B, C)=[(A, B, C) \stackrel{?}{\in} D H]\right]>0.99\] Here the input \(A, B, C\) is fixed and the probability is over the internal randomness in \(\mathcal{A}^{\prime}\). So on every possible input, \(\mathcal{A}^{\prime}\) gives a very reliable answer.