LCS35 Challenge [SOLVED - April 2019]

LCS35 IS SOLVED. It had been confirmed that Bernard Fabrot solved the challenge using a Core i7-6700, the GNU Multiple Precision Arithmetic Library and 3,5 years of time.

The LCS35 challenge (see also Scienceblogs) is a neat little and still unsolved challenge posed by Ron Rivest, one of the inventors of the famous RSA cryptosystem, back in the year 1999. It consists of a single task: Given 2048-bit RSA integer $n$ and an exponent $t$, compute the following value $W$: $$W \equiv 2^{(2^t)}  \pmod{N}$$ The actual values for the challenge are:

n = 631446608307288889379935712613129233236329881833084137558899
    077270195712892488554730844605575320651361834662884894808866
    350036848039658817136198766052189726781016228055747539383830
    826175971321892666861177695452639157012069093997368008972127
    446466642331918780683055206795125307008202024124623398241073
    775370512734449416950118097524189066796385875485631980550727
    370990439711973361466670154390536015254337398252457931357531
    765364633198906465140213398526580034199190398219284471021246
    488745938885358207031808428902320971090703239693491996277899
    532332018406452247646396635593736700936921275809208629319872
    7008292431243681

t = 79685186856218

Additionally, there is an integer $z$, which has to be xor'ed with $W$ to reveal the actual 'plaintext', i.e.: $$\text{Plaintext} \leftarrow z \otimes W $$ The given value for $z$ is:

z = 427338526681239414707099486152541907807623930474842759553127
    699575212802021361367225451651600353733949495680760238284875
    258690199022379638588291839885522498545851997481849074579523
    880422628363751913235562086585480775061024927773968205036369
    669785002263076319003533000450157772067087172252728016627835
    400463807389033342175518988780339070669313124967596962087173
    533318107116757443584187074039849389081123568362582652760250
    029401090870231288509578454981440888629750522601069337564316
    940360631375375394366442662022050529545706707758321979377282
    989361374561414204719371297211725179287931039547753581030226
    7611143659071382

As written in [1], the plaintext consists of two parts. One is a secret message and the second part is a hint towards the factorisation of $n$, i.e., the exponent $E$, such that $\text{nextPrime}(5^E \text{ mod }2^{1024})$ is a divisor of $n$. They designed the challenge such that, even when considering Moore's Law, it will probably first be solved around the year 2035. The reason that this might probably be true is, that this problem is non parallelizable. It is a linear operation that only involves squaring the previous output. $$ (2^{2^0})^2 = 2^{(2^1)} \rightarrow (2^{(2^1)})^2 = 2^{(2^2)} \rightarrow (2^{(2^2)})^2 = 2^{(2^3)}\rightarrow \ldots \rightarrow (2^{(2^{t-1})})^2 = 2^{(2^t)}$$ It is compareable to the Proof-Of-Work method, modern crypto currency use to mine their coins. If the factorisation of $n$ is known, than this task would be very easy, even if $t$ would be much larger, say around the size of $n$. One simply computes $$2^t \equiv e \pmod{\varphi(n)}$$ and afterward $2^e \equiv W\pmod{N}$. Since $e < \varphi(n) < n$, this is of complexity $\mathcal{O}(\text{log}_2 n)$ and thus can be computed in milliseconds on modern PCs.

Counting satisfying solutions using planar bipartite double covers

🔲 This post is related to a paper of mine (Title: On the construction of graphs with a planar bipartite double cover from boolean formulas and its application to counting satisfying solutions) that will get published later this year in the Journal of Theoretical Computer Science. It is related to [this] blog post which i wrote already four years ago and settles some of its questions.

In a short overview, the paper adresses the following action chain:

1. Assume you have a boolean CNF formula $\Phi$
2. You build the incidence graph $\mathcal{I}$ of $\Phi$ using some techniques from the literature, e.g., each clause is represented by a node and also each variable is represented by a node. Then there is an edge between a clause-node and a variable-node if the variable occurs in that clause in $\Phi$.
3. You replace each node in $\mathcal{I}$ with a gadget, i.e., a small graph that has certain properties, which only have edge weights from 0 and 1. The properties of the gadgets ensure that the permanent of $\mathcal{G}$ contains #$\Phi$, as Valiant did in his paper.
4. You build the bipartite double cover $\mathcal{G}^{**}$ for which it holds that $$\text{PerfMatch}(\mathcal{G}^{**}) = \text{Permanent}(\textbf{A}_\mathcal{G})$$
5. If $\mathcal{G}^{**}$ is planar, then $\text{PerfMatch}(\mathcal{G}^{**})$ could be counted in polynomial time.

        //PerfMatch counts the number of Perfect Matchings of a graph

Sidenote: In [this] last blog post i talked about perfect matchings and setups which allow their efficient computation.

On Giuga Numbers

In number theory, certain numbers are sometimes given special names if their prime factorisations have a special property. For an integer $n$, a divisor $d$ is called a proper divisor as long as $d < n$. Also $1$ is a proper divisor in this case. This gives us the following examples:

1. Prime Numbers: An integer $n$ with only one proper divisor.
2. Perfect Numbers (also Deficient / Abundant Numbers): An integer $n$ such that the sum of all its proper divisors is equal to $n$. (Deficient $< n$; Abundant $> n$).
3. Carmichael Numbers : An integer $n$ such that $(p-1) | (n/p-1)$ for each prime factor $p$ of $n$
4. Giuga Numbers : An integer $n$ such that $p | (n/p-1)$ for each prime factor $p$ of $n$

To 1.) It is known since Euclid that there are infinite many prime numbers. 

To 2.) It is not known if there are infinite many perfect numbers nor is know if there exists a single odd perfect number since all currently known perfect numbers are even e.g., $6 = 1\cdot 2\cdot 3 = 1+2+3=6$ or $28 = 1\cdot 2^2\cdot 7 = 1 + 2 + 4 + 7 + 14 = 28$. The total number of known perfect numbers is 49.

To 3.) Carmichael numbers are often mentioned in relationship with primality testing. A Carmichael number is a composite number $n$ that passes every Fermat primality test as long as the chosen basis $b$ is co-prime to $n$. In particular, every Carmichael number must be odd. In 1994 Alford, Granville and Pomerance [1] proved that there exists infinitely many Carmichael numbers. There even exists an algorithm to construct new Carmichael numbers [2].

To 4.) The definition of a Giuga number is very similar to the one of a Carmichael number. However, the status quo is more similar to the perfect numbers. It is not known if there are infinitely many Giuga numbers and every known Giuga number is even (actually, in fact all known Giuga numbers are a multiple of $6$). E.g. $30 = 2\cdot 3\cdot 5$ because $$2 | \frac{30}{2}-1$$ $$3 | \frac{30}{3}-1$$ $$5 | \frac{30}{5}-1$$ Currently (2019) there are 13 known Giuga numbers.

Kryptos - The Cipher (Part 2)

This is Part 2 about Kryptos and the first post can be found here. In this post i will focus more on
speculations, brainstorming and solutions attempts.


One noticeable fact is, that the letters KRYPTOS somehow are involved in the decryption process of all previous ciphers. In K1 and K2 they were directly used as one of the keywords in the Vigenère-Variant Quagmire3. For K3 there are several ways to transpose the ciphertext in order to reveal the plaintext, but one of them has to do with ordering/reordering the letters of KRYPTOS alphabetically. So, it seems plausible, that also in K4 these letters play a role in one or the other way. A further hint towards this is, that the letters of KRYPTOS all appear on the right side or in direct neighborhood on the left side, as marked below:

$\small{\texttt{25| E C D M R I P F E I M E H N L S S T T R T V D O H W ? }}$$\small{\texttt{ O B }}$$\small{\texttt{ K R }}$
$\small{\texttt{26| U O X O G H U L B S O L I F B B W F L R V Q Q P R N G K S }}$$\small{\texttt{ S O }}$
$\small{\texttt{27| }}$$\small{\texttt{ T }}$$\small{\texttt{ W T Q S J Q S S E K Z Z W A T J K L U D I A W I N F B N }}$$\small{\texttt{ Y P }}$
$\small{\texttt{28| V T T M Z F P K W G D K Z X T J C D I G K U H U A U E K C A R }}$

The position of the seven letters for KRYPTOS are all touching each other. This seems too strange to be by chance and i am not the first who mentioned this [1].

Kryptos - The Cipher (Part 1)

Introduction

KRYPTOS - Von Jim Sanborn - Jim Sanborn, CC BY-SA 3.0,
https://commons.wikimedia.org/w/index.php?curid=8253447

Since I think that KRYPTOS does not need any introduction, I will only give you a brief description of one of the most famous and only partially solved ciphers known today:

1. KRYPTOS was constructed in Nov. 1990 on the ground of the CIA Headquarter in Langley, Virginia by Jim Sanborn
2. It contains 4 ciphers (K1,K2,K3,K4) on its left side and some kind of Vigenère-Table on its right side.
3. K1, K2 and K3 were solved by James Gillogly in 1999. Afterwards, the CIA and later the NSA claimed that they had a solution to the first three ciphers at an earlier point in time.
4. Ed Scheidt, a cryptoanalyst and former director of the CIA, gave Sanborn the input of possible cryptographic techniques to use.
5. K1 is a variant of the Vigenère-Cipher (Quagmire 3) with the codewords KRYPTOS and PALIMPSEST
6. K2 is a variant of the Vigenère-Cipher (Quagmire 3) with the codewords KRYPTOS and ABSCISSA
7. K3 is a Transposition cipher
8. Jim Sanborn said that the previous ciphers K1,K2 and K3 contain information that will help to solve the last cipher K4
9. 2010 Sanborn published the clue that the 6 letters from 64-69 of the ciphertext K4 decrypt to 'BERLIN'. Four years later, he revealed that the characters 70-74 decrypt to 'CLOCK'
10. However, K4 remains unsolved. 

This post is more of introductory nature, so if you already know a lot of KRYPTOS you will probably not learn anything new.