Академический Документы
Профессиональный Документы
Культура Документы
by Olena Bormashenko
6.1
The ciphertext 5859 was obtained from the RSA algorithm using n = 11413 and e = 7467. Using
the factorization 11413 = 101 113, nd the plaintext.
Solution:
The ciphertext 75 was obtained using RSA with n = 437 and e = 3. You know that the plaintext
is either 8 or 9. Determine which it is without factoring n.
Solution:
Let n be the product of two large primes. Alice wants to send a message m to Bob, where
gcd(m; n) = 1. Alice and Bob choose intergers a and b relatives prime to (n). Alice computs
c ma (mod n) and sends c to Bob. Bob computes d cb (mod n) and sends d back to Alice.
Since Alice knows a, she nds a1 such that aa1 1(mod (n)). Then she computes e
da1 (mod n) and sends e to Bob. Explain what Bob must now do to obtain m, and show that
this works.,
1
Solution:
We have that,
e da1 cba1 mbaa1 (mod n)
Since aa1 1(mod (n)), we have that mbaa1 mb (mod n): Thus, as Bob knows b, he can cal-
culate b1 such that bb1 1(mod (n)) and then calculate eb1. This, from above reasoning, will
be mbb1 m (mod (n)).
6.7
Naive Nelson uses RSA to receive a single ciphertext c, corresponding to the message m. His
public modulus is n and his public encryption exponent is e. Since he feels guilty that his
system was used only once, he agrees to decrypt any ciphertext that someone sends him, as long
as it is not c, and return the answer to that person. Evil Eve sends him the ciphertext
2ec (mod n). Show how this allows Eve to nd m.
Solution:
6.16
Suppose two users Alice and Bob have the same RSA modulus n and suppose that their encryp-
tion exponents eA and eB are relatively prime. Charles wants to send the message m to Alice
and Bob, so he encrypts to get cA meA and cB meB (mod n). Show how Eve can nd m if
she intercepts cA and cB.
Solution:
Since eA and eB are relatively prime, Eve can nd integers a and b such that,
1 = eA a + eB b
Then, we have that,
m meAa + eBb caA cbB (mod n)
Thus, if Eve intercepts cA and cB she can calculate m using the above formula.,
6.17
Suppose Alice uses the RSA method as follows. She starts with a message consisting of several
letters, and assigns a = 1; b = 2; ; z = 26: She then encrypts each letter separately. For
example, if her message is cat, she calculates 3e (mod n); 1e (mod n) and 20e (mod n). Then she
sends the encrypted message to Bob. Explain how Eve can nd the message without factoring
n. In particular, suppose n = 8881 and e = 13. Eve intercepts the message
2
4461 794 2015 2015 3603,
Find the message without factoring 8881.
Solution:
Since we know e and n we can just make a table which tells us which letter gets mapped to
which number. As we only have 26 letters, this is easy to do. Let us make such a table for this
case:,
a 113 1(mod 8881)
b 213 8192(mod 8881)
c 313 4624(mod 8881)
d 413 4028(mod 8881)
e 513 794(mod 8881)
f 613 2343(mod 8881)
g 713 231(mod 8881)
h 813 4461(mod 8881)
i 913 4809(mod 8881)
j 1013 3556(mod 8881)
k 1113 476(mod 8881)
l 1213 2015(mod 8881)
m 1313 513(mod 8881)
n 1413 699(mod 8881)
o 1513 3603(mod 8881)
p 1613 8078(mod 8881)
q 1713 2825(mod 8881)
r 1813 8093(mod 8881)
s 1913 2547(mod 8881)
t 2013 1072(mod 8881)
u 2113 2424(mod 8881)
v 2213 633(mod 8881)
w 2313 413(mod 8881)
x 2413 5982(mod 8881)
y 2513 8766(mod 8881)
z 2613 1783(mod 8881)
Thus, we see that the plaintext was hello.
6.19
3
Solution:
(a) Write m = c (n): Then, we have that gcd(a; n) = 1 so we have that gcd(ac ; n) = 1. Thus,
by Euler's Theorem we have that,
am ac (n) (ac) (n) 1(mod n)
Since n = pq we have that am 1(mod p) and (mod q):
(b) Since m is a multiple of (n), we have that m is divisible by p ? 1. Write m = c ( p ? 1).
Then, if p doesn't divide a, by Fermat's Little Theorem, since p doesn't divide ac,
am+1 ac(p ?1) + 1 a (ac) p ?1 a (mod p)
If p does divide a, clearly both sides are 0 (mod p). Thus, the equation holds in both cases.
Similar reasoning produces the equality for q.
(c) Since we have that
ed 1( mod (n))
we have that ed ? 1 is divisible by (n). Thus, from part (b) we see that
aed a (mod n)
as required.
(d) The probability that gcd(a; n) = 1 is by denition (nn) , since (n) is exactly the number of
elements below n relatively prime to n. This is (1 ? 1p )(1 ? 1q ), which is close to 1 when p and q
are large.
6.26
Suppose Bob's encryption company produces two machines, A and B, both of which are sup-
posed to be implementations of RSA using the same modulus n = pq for some unknown primes
p and q. Both machines also use the same encryption exponent e. Each machine receives a mes-
sage m and outputs a ciphertext that is supposed to be me (mod n): Machine A always produces
the correct output. However, Machine B, because of imiplementation and hardware errors,
always outputs a ciphertext c (mod n) such that c me (mod p) and c me + 1(mod q). How
could you use machines A and B to nd p and q ?
Solution:
Say that given a message m; Machine A produces the output d while Machine B produces the
output d. Then we have that
d me (mod n)
c me (mod p)
c me + 1(mod q)
Thus, let us consider c ? d. We see that p divides it, while q divides c ? d ? 1, so q doesn't
divide c ? d. This means that gcd(n; c ? d) = p. We have an algorithm for nding the gcd, so we
see that we can nd p using this. Once we have p, it is easy to nd q as n = pq.