\documentclass[11pt]{article}
\usepackage{amsfonts,amsthm,amsmath,amssymb}
\usepackage{array}
\usepackage{epsfig}
\usepackage{fullpage}
\usepackage{color}
%%%%%%%%%%%%%%% MACROS specific to this PSET %%%%%%%%%%%%%%%%%%%%%%
\newcommand{\lat}{\mathcal{L}}
\newcommand{\basis}{\mathbf{B}}
\newcommand{\vol}{\mathsf{vol}}
\newcommand{\sh}{\lambda_1}
%\newcommand{\det}{\mathsf{det}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\R}{\mathbb{R}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\N}{\mathbb{N}}
%%%%%%%%% Vectors and Matrices
\newcommand{\vecv}{\mathbf{v}}
\newcommand{\vecb}{\mathbf{b}}
\newcommand{\vecbt}{\widetilde{\vecb}}
\newcommand{\vecs}{\mathbf{s}}
\newcommand{\vect}{\mathbf{t}}
\newcommand{\vecy}{\mathbf{y}}
\newcommand{\matB}{\mathbf{B}}
\newcommand{\poly}{\mathsf{poly}}
\newcommand{\Span}{\mathsf{Span}}
\newcommand{\dist}{\mathsf{dist}}
\def\rot{\mathsf{Rot}}
\def\bydef{\stackrel{\Delta}{=}}
\def\matA{\mathbf{A}}
\def\vecy{\mathbf{y}}
\def\vece{\mathbf{e}}
\def\vecz{\mathbf{z}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title{MAT 301 Problem Set 4\\{\large [Posted: March 12, 2013. Due: March 25, 2013. Worth: 50 points]}}
\author{}
\date{}
\begin{document}
\maketitle
%\input{pset-preamble.tex}
%\lecture{1}{Vinod Vaikuntanathan}{September 13, 2011}{October 3, 2011}
\def\sslwe{\mathsf{ssLWE}}
\def\lwe{\mathsf{LWE}}
% Macros for vectors
\def\veca{\mathbf{a}}
\def\vecs{\mathbf{s}}
\def\vecc{\mathbf{c}}
\vspace*{-0.7in}
\medskip \noindent
\begin{enumerate}
\item \textbf{Pollard (10 marks)}
Use Pollard's $p-1$ algorithm to factor $N = 1739$, given that $N$ is a product of two primes $p$
and $q$ such that $p-1$ is $3$-smooth. Show your work.
\item \textbf{Factoring with Cube Roots (20 marks)}
Let $p = 1 \pmod{3}$ be a prime number. It turns out that the equation $x^3 = a \pmod{p}$ has
either no solutions or three solutions, depending on what $a$ is.
\begin{itemize}
\item Take as example $p = 13$. What are the solutions to the equation $x^3 = 1 \pmod{13}$?
\item Generalizing this, what are the solutions to the equation $x^3 = 1 \pmod{p}$? Prove your statement. {\em (Hint: let $g$ be a generator of $\mathbb{Z}_p^*$.
Think of what the solutions could be as powers of $g$.)}
\end{itemize}
Now, let $q$ be another prime such that $q = 1\pmod{3}$ as well, and let $N = pq$.
\begin{itemize}
\item How many solutions does the equation $x^3 = 1 \pmod{N}$ have? Prove your assertion.
{\em (Hint: Chinese Remaindering)}.
\item Imagine that I give you $N$ (but not $p$ or $q$) and I also give you a solution to
the equation $x^3 = 1 \pmod{N}$ such that (a) $x \neq 1 \pmod{N}$ and (b) $(x+1)^2 \neq x \pmod{N}$.
Show how to use such an $x$ to factor $N$.
\end{itemize}
\item \textbf{(20 marks)} Answer either one of the two questions below.
\begin{itemize}
\item \textbf{El Gamal Signatures} Suppose that Samantha the signer uses the El Gamal signature scheme and that she
is careless and uses the same ephemeral key $e$ to sign two messages $M$ and $M'$.
\begin{itemize}
\item How can Eve detect that Samantha has made this mistake?
\item If the signature on $M$ is $(\sigma_1,\sigma_2)$ and that on $M'$ is $(\sigma_1', \sigma_2')$, explain
how Eve can recover $s$, Samantha's private signing key.
\end{itemize}
(Problem 7.7 from the text)
\item \textbf{Schnorr Signatures} Below is the Schnorr Signature Scheme that you can obtain from the
Schnorr identification scheme we saw in class.
Samantha the signer has a public key
$PK = (p, g, g^x \pmod{p})$ where $p$ is a prime, $g$ a generator of $\mathbb{Z}_p^*$ and $x$ is a random
number in $\mathbb{Z}_{p-1}$. Her secret key $SK = x$. To sign a message $M \in \mathbb{Z}_{p-1}$, she
computes $\sigma_1 = g^a \pmod{p}$ where $a$ is a random number in $\mathbb{Z}_{p-1}$, $c = H(M)$ where $H$ is a
``hash function'' we mentioned in class, and $\sigma_2 = a+cx \pmod{p-1}$.
The signature is $\sigma = (\sigma_1,\sigma_2)$.
Now, assume as before that Samantha the signer has a faulty random number generator that produces the
same random number $a$ when she tries to sign two different messages $M$ and $M'$.
If the signature on $M$ is $(\sigma_1,\sigma_2)$ and that on $M'$ is $(\sigma_1', \sigma_2')$, explain
how Eve can recover $s$, Samantha's private signing key. You may assume for the purposes of this problem
that $H$ is a one-to-one function.
\end{itemize}
\end{enumerate}
\end{document}