Thursday, October 25, 2018

De Bruijn Sequences and the Discrete Logarithm Problem

This blog post is about De Bruijn sequences and its relationship to cryptography. We focus here on De Bruijn sequences over the alphabet $A=\{0,1\}$.
Definition [De Bruijn sequence (binary)]. A binary string of length $2^n$ is called a De Bruijn sequence of order $n$ if each possible $n$-bit string occurs exactly once (incl. wrap-around) as a substring. 
Picture 1 - DeBruijn graph for n=3
De Bruijn sequences are the shortest possible bitstring that contains all possible $n$-bit substrings. For each $n$ there are $$\frac{2^{2^{n-1}}}{2^n}$$ possible De Bruijn sequences. For example, a De Bruijn sequence of order $n=3$ is $$00011101$$ and of order $n=4$ is $$0000101100111101$$ There are several ways to create De Bruijn sequences. One way is walk along an Hamiltonian Cycle in the corresponding De Bruijn graph (see Picture 1). A De Bruijn graph is a directed graph of degree $2$ which has $2^n$ vertices. There is an edge from vertex $i$ to the two vertices $$(2i\;\text{mod}\:2^{n-1})\;\text{and}\;(2i\;\text{mod}\;2^{n-1})+1$$ The example sequence above for $n=3$ can be obtained by visiting the vertices in the graph from Picture 1 in the following order: $0,1,3,7,6,5,2,4,(0)$. Another way to create De Bruijn sequences is to use a Linear Feedback Shift Register (LFSR), loaded with a primitive polynomial of degree $n$ to create a $m$-sequence. $m$-sequences are De Bruijn sequences that miss the substring $0_n$, i.e., the substring that consists of $n$ zeros (sometimes also called a punctured De Bruijn sequence). There is also a relationship between discrete logarithms in GF$(2^n)$ and $m$-sequences which however is not the relationship i want to cover here. A good point to start reading about this topic is the book Algebraic Shift Registers Sequences from Goresky and Klapper [1].

Saturday, July 07, 2018

Kryptos - The Cipher (Part 3)

This post is about is more or less a collection of several approaches and facts that has been said as well as some speculations.

▊ B-ary integer representation. According to [1] during a Question and Answer round, Jim Sanborn was asked again about the hint BERLIN. The question was if N decodes to B, Y decodes to E, etc, etc. and Jim confirmed it does. Emphatically. It is written, that Jim Sanborn rattled through the entire crib:
\begin{align}
  \texttt{N} &\stackrel{\text{decode}}{\rightarrow} \texttt{B} \\
  \texttt{Y} &\stackrel{\text{decode}}{\rightarrow}  \texttt{E} \\
  \texttt{P} &\stackrel{\text{decode}}{\rightarrow}  \texttt{R} \\
  \texttt{V} &\stackrel{\text{decode}}{\rightarrow}  \texttt{L} \\
  \texttt{T} &\stackrel{\text{decode}}{\rightarrow}  \texttt{I} \\
  \texttt{T} &\stackrel{\text{decode}}{\rightarrow}  \texttt{N}
\end{align} When the same question was asked to Ed, Jim cut in and said “I’m the only one who knows.” If we trust Sanborn, this neglects any form of Transpositional Cipher. So also the promising approach from Scott to use Quagmire3 with EMUFPHZLRFA (the first eleven letters from K1) and the linear congruence $77$+$38$x mod $97$, which yields BERLIN at the correct position, must be a dead end.

KRYPTOS - Unaligned letters; Source [1]
As i already wrote previously, Sanborn said that there are many interesting clocks in Berlin but we should delve into that particular clock. Hence many people tried to use the special way this clock works in order to get hints towards the used encryption system for K4. And the special way is, that the Berlin Clock uses a base 5 representation to illuminate the time.So lets stay with the idea that a different base representation of integers is the key to solve K4. Are the further hints towards such a usage? Yes, there are:
  1. In the YouTube Video [4], Ed Scheidt mentions at least one time different base representation of information
  2. The upperscript letters in row Y,A,R in row $15$. The also form the word ARY which is the typical term when talking about different base notations, e.g., $3$-ary numbers, binARY number, tenARY numbers or in general $b$-ary numbers. 
  3. He created other sculptures using binary numbers (IRS Computing Center) [3].

Tuesday, May 29, 2018

Methods to compute the class number

The class number is an important term from algebraic number theory. It specifies the order of the class group of an algebraic number field $K$ and can be interpreted as the number of different ways to factorize an element of $K$ into prime elements. If the class number is equal to $1$, the $K$ is called a unique factorization domain, e.g. the integers $\mathbb{Z}$. It is long known that for imaginary quadratic fields the class number is $1$ only for the values: $$K = \mathbf{Q}(\sqrt{d}), d \in \{-1,-2,-3,-7,-11,-19,-43,-67,-163\}$$ There are a surprisingly large number of ways to compute the class number of a quadratic field, which i want to show you next.

Thursday, March 22, 2018

LCS35 Challenge [SOLVED - April 2019]

LCS35 IS SOLVED. It had been confirmed that Bernard Fabrot solved the challenge using a Core i7-6700, the GNU Multiple Precision Arithmetic Library and 3,5 years of time.

The LCS35 challenge (see also Scienceblogs) is a neat little and still unsolved challenge posed by Ron Rivest, one of the inventors of the famous RSA cryptosystem, back in the year 1999. It consists of a single task: Given 2048-bit RSA integer $n$ and an exponent $t$, compute the following value $W$: $$W \equiv 2^{(2^t)}  \pmod{N}$$ The actual values for the challenge are:

n = 631446608307288889379935712613129233236329881833084137558899
    077270195712892488554730844605575320651361834662884894808866
    350036848039658817136198766052189726781016228055747539383830
    826175971321892666861177695452639157012069093997368008972127
    446466642331918780683055206795125307008202024124623398241073
    775370512734449416950118097524189066796385875485631980550727
    370990439711973361466670154390536015254337398252457931357531
    765364633198906465140213398526580034199190398219284471021246
    488745938885358207031808428902320971090703239693491996277899
    532332018406452247646396635593736700936921275809208629319872
    7008292431243681

t = 79685186856218

Additionally, there is an integer $z$, which has to be xor'ed with $W$ to reveal the actual 'plaintext', i.e.: $$\text{Plaintext} \leftarrow z \otimes W $$ The given value for $z$ is:

z = 427338526681239414707099486152541907807623930474842759553127
    699575212802021361367225451651600353733949495680760238284875
    258690199022379638588291839885522498545851997481849074579523
    880422628363751913235562086585480775061024927773968205036369
    669785002263076319003533000450157772067087172252728016627835
    400463807389033342175518988780339070669313124967596962087173
    533318107116757443584187074039849389081123568362582652760250
    029401090870231288509578454981440888629750522601069337564316
    940360631375375394366442662022050529545706707758321979377282
    989361374561414204719371297211725179287931039547753581030226
    7611143659071382

As written in [1], the plaintext consists of two parts. One is a secret message and the second part is a hint towards the factorisation of $n$, i.e., the exponent $E$, such that $\text{nextPrime}(5^E \text{ mod }2^{1024})$ is a divisor of $n$. They designed the challenge such that, even when considering Moore's Law, it will probably first be solved around the year 2035. The reason that this might probably be true is, that this problem is non parallelizable. It is a linear operation that only involves squaring the previous output. $$ (2^{2^0})^2 = 2^{(2^1)} \rightarrow (2^{(2^1)})^2 = 2^{(2^2)} \rightarrow (2^{(2^2)})^2 = 2^{(2^3)}\rightarrow \ldots \rightarrow (2^{(2^{t-1})})^2 = 2^{(2^t)}$$ It is compareable to the Proof-Of-Work method, modern crypto currency use to mine their coins. If the factorisation of $n$ is known, than this task would be very easy, even if $t$ would be much larger, say around the size of $n$. One simply computes $$2^t \equiv e \pmod{\varphi(n)}$$ and afterward $2^e \equiv W\pmod{N}$. Since $e < \varphi(n) < n$, this is of complexity $\mathcal{O}(\text{log}_2 n)$ and thus can be computed in milliseconds on modern PCs.