Math 110 Problem Set 3

by Olena Bormashenko

6.1

The ciphertext 5859 was obtained from the RSA algorithm using n = 11413 and e = 7467. Using
the factorization 11413 = 101  113, nd the plaintext.
Solution:

We need to compute d such that

d e  1 (mod 100  112)
Let us use the Euclidean algorithm to solve for d.
11200 = 7467 + 3733
7467 = 2  3733 + 1
Thus, we have that
1 = 7467 ? 2  3733 =
= 7467 ? 2  (11200 ? 7467) =
= 3  7467 ? 2  11200
so we see that d = 3. Then, we have that
m  58593 (mod 11413) 
 1415
6.6

The ciphertext 75 was obtained using RSA with n = 437 and e = 3. You know that the plaintext
is either 8 or 9. Determine which it is without factoring n.
Solution:

Let us check which one works. We have that

83  512  75(mod 437)
93  729  292 (mod 437)
so the plaintext is 8.,
6.6

Let n be the product of two large primes. Alice wants to send a message m to Bob, where
gcd(m; n) = 1. Alice and Bob choose intergers a and b relatives prime to (n). Alice computs
c  ma (mod n) and sends c to Bob. Bob computes d  cb (mod n) and sends d back to Alice.
Since Alice knows a, she nds a1 such that aa1  1(mod (n)). Then she computes e 
da1 (mod n) and sends e to Bob. Explain what Bob must now do to obtain m, and show that
this works.,

1
Solution:

We have that,
e  da1  cba1  mbaa1 (mod n)
Since aa1  1(mod (n)), we have that mbaa1  mb (mod n): Thus, as Bob knows b, he can cal-
culate b1 such that bb1  1(mod (n)) and then calculate eb1. This, from above reasoning, will
be mbb1  m (mod (n)).

6.7

Naive Nelson uses RSA to receive a single ciphertext c, corresponding to the message m. His
public modulus is n and his public encryption exponent is e. Since he feels guilty that his
system was used only once, he agrees to decrypt any ciphertext that someone sends him, as long
as it is not c, and return the answer to that person. Evil Eve sends him the ciphertext
2ec (mod n). Show how this allows Eve to nd m.
Solution:

Naive Nelson returns m1 to Eve such that,

2ec  me1 (mod n)
) c  ((2?1)m1)e (mod n)
) m  (2?1)m1 (mod n)
Thus, to nd m Eve just needs to nd the inverse of 2 mod n, which is actually n +2 1 (mod n).
Therefore, Eve can nd m.

6.16

Suppose two users Alice and Bob have the same RSA modulus n and suppose that their encryp-
tion exponents eA and eB are relatively prime. Charles wants to send the message m to Alice
and Bob, so he encrypts to get cA  meA and cB  meB (mod n). Show how Eve can nd m if
she intercepts cA and cB.
Solution:

Since eA and eB are relatively prime, Eve can nd integers a and b such that,
1 = eA a + eB b
Then, we have that,
m  meAa + eBb  caA cbB (mod n)
Thus, if Eve intercepts cA and cB she can calculate m using the above formula.,

6.17

Suppose Alice uses the RSA method as follows. She starts with a message consisting of several
letters, and assigns a = 1; b = 2;  ; z = 26: She then encrypts each letter separately. For
example, if her message is cat, she calculates 3e (mod n); 1e (mod n) and 20e (mod n). Then she
sends the encrypted message to Bob. Explain how Eve can nd the message without factoring
n. In particular, suppose n = 8881 and e = 13. Eve intercepts the message

2
 4461 794 2015 2015 3603,
Find the message without factoring 8881.
Solution:

Since we know e and n we can just make a table which tells us which letter gets mapped to
which number. As we only have 26 letters, this is easy to do. Let us make such a table for this
case:,
a  113  1(mod 8881)
b  213  8192(mod 8881)
c  313  4624(mod 8881)
d  413  4028(mod 8881)
e  513  794(mod 8881)
f  613  2343(mod 8881)
g  713  231(mod 8881)
h  813  4461(mod 8881)
i  913  4809(mod 8881)
j  1013  3556(mod 8881)
k  1113  476(mod 8881)
l  1213  2015(mod 8881)
m  1313  513(mod 8881)
n  1413  699(mod 8881)
o  1513  3603(mod 8881)
p  1613  8078(mod 8881)
q  1713  2825(mod 8881)
r  1813  8093(mod 8881)
s  1913  2547(mod 8881)
t  2013  1072(mod 8881)
u  2113  2424(mod 8881)
v  2213  633(mod 8881)
w  2313  413(mod 8881)
x  2413  5982(mod 8881)
y  2513  8766(mod 8881)
z  2613  1783(mod 8881)
Thus, we see that the plaintext was hello.

6.19

Let n = pq be the product of two distinct primes.,

(a) Let m be a multiple of (n): Show that if gcd(a; n) = 1, then am  1(mod p) and (mod q ).
(b) Suppose m is an in part (a), and let a be arbitrary (possibly gcd(a; n)  1): Show that
am+1  a (mod p) and (mod q).
(c) Let e and d be encryption and decryption exponents for RSA with modulus n. Show that
aed  a (mod n) for all a. This shows that we do not need to assume gcd(a; n) = 1 in order to
use RSA.
(d) If p and q are large, why is it likely that gcd(a; n) = 1 for a randomly chosen a?

3
Solution:

(a) Write m = c  (n): Then, we have that gcd(a; n) = 1 so we have that gcd(ac ; n) = 1. Thus,
by Euler's Theorem we have that,
am  ac (n)  (ac) (n)  1(mod n)
Since n = pq we have that am  1(mod p) and (mod q):
(b) Since m is a multiple of (n), we have that m is divisible by p ? 1. Write m = c  ( p ? 1).
Then, if p doesn't divide a, by Fermat's Little Theorem, since p doesn't divide ac,
am+1  ac(p ?1) + 1  a  (ac) p ?1  a (mod p)
If p does divide a, clearly both sides are 0 (mod p). Thus, the equation holds in both cases.
Similar reasoning produces the equality for q.
(c) Since we have that
ed  1( mod (n))
we have that ed ? 1 is divisible by (n). Thus, from part (b) we see that
aed  a (mod n)
as required.
(d) The probability that gcd(a; n) = 1 is by denition (nn) , since (n) is exactly the number of
elements below n relatively prime to n. This is (1 ? 1p )(1 ? 1q ), which is close to 1 when p and q
are large.

6.26

Suppose Bob's encryption company produces two machines, A and B, both of which are sup-
posed to be implementations of RSA using the same modulus n = pq for some unknown primes
p and q. Both machines also use the same encryption exponent e. Each machine receives a mes-
sage m and outputs a ciphertext that is supposed to be me (mod n): Machine A always produces
the correct output. However, Machine B, because of imiplementation and hardware errors,
always outputs a ciphertext c (mod n) such that c  me (mod p) and c  me + 1(mod q). How
could you use machines A and B to nd p and q ?
Solution:

Say that given a message m; Machine A produces the output d while Machine B produces the
output d. Then we have that
d  me (mod n)
c  me (mod p)
c  me + 1(mod q)
Thus, let us consider c ? d. We see that p divides it, while q divides c ? d ? 1, so q doesn't
divide c ? d. This means that gcd(n; c ? d) = p. We have an algorithm for nding the gcd, so we
see that we can nd p using this. Once we have p, it is easy to nd q as n = pq.