Solutions for Homework 7, 550.371/650.471 Cryptology, Spring 2017
Problem 1: Write a MATLAB program to perform exponent factorization; in particular, the input should be positive integers $a$, $k$, and $n$ such that $a^k = 1 \bmod n$, and the output (if all goes well) should be nontrivial factors $d_1$ and $d_2$ such that $n = d_1 \cdot d_2$. Use your algorithm to factor $n = 68309797$ using $k = 341466300$ with base $a = 2$ and again with base $a = 5$.
Solution: Note that $k = 341466300 = 2^2 \cdot 85366575$. Thus, for the base $a = 2$ we then compute $\mu_0 = 2^{85366575} = 36802533 \bmod 68309797$, then we compute $\mu_1 = 36802533^2 = 1 \bmod 68309797$, and we can then use the Euclid Algorithm to compute $\gcd(36802533 - 1, 68309797) = 8527$, which is a nontrivial factor of 68309797; indeed, $68309797 = 8011 \cdot 8527$ is a prime factorization.
For the base $a = 5$ we then compute $\mu_0 = 5^{85366575} = 31507264 \bmod 68309797$, then we compute $\mu_1 = 31507264^2 = 1 \bmod 68309797$, and we can then use the Euclid Algorithm to compute $\gcd(31507264 - 1, 68309797) = 8011$, a nontrivial factor of 68309797.
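The procedure used in this solution, as an added example that is not part of the original solutions; it is written in Python rather than the MATLAB the problem asks for, and the function name `exponent_factor` is an assumption made here. It also handles the cases where a base gives no factor (the squaring sequence starts at 1, or reaches 1 through -1).

```python
from math import gcd


def exponent_factor(a, k, n):
    """Try to split n using an exponent k with a**k = 1 (mod n).

    Returns (d1, d2) with d1 * d2 == n and both factors nontrivial,
    or None when this base reveals nothing.
    """
    if pow(a, k, n) != 1:
        raise ValueError("a**k is not 1 mod n")
    # Write k = 2**s * t with t odd.
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    mu = pow(a, t, n)                 # mu_0 = a**t mod n
    if mu == 1:
        return None                   # sequence is 1, 1, ..., 1
    for _ in range(s):
        nxt = mu * mu % n             # mu_{j+1} = mu_j**2 mod n
        if nxt == 1:
            if mu == n - 1:
                return None           # reached 1 through -1: no information
            # mu is a square root of 1 other than +-1, so n divides
            # (mu - 1)(mu + 1) without dividing either factor.
            d = gcd(mu - 1, n)
            return d, n // d
        mu = nxt
    return None                       # not reached, since a**k = 1 mod n


if __name__ == "__main__":
    n, k = 68309797, 341466300        # values from Problem 1
    for base in (2, 5):
        print(base, exponent_factor(base, k, n))
```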
Problem 2: Prove that if $m$ and $n$ are relatively prime positive integers then $\varphi(mn) = \varphi(m) \cdot \varphi(n)$. (Hint: Use induction on $mn$. Also note the correspondence between divisors of $mn$ and pairs $(d, d')$ such that $d$ is a divisor of $m$ and $d'$ is a divisor of $n$; specifically, $d \cdot d'$ is a divisor of $mn$.)
Solution: In this first paragraph we point out an important relationship between the divisors of $mn$ and the divisors of $m$ and the divisors of $n$: Let us say that $m = \prod_{i=1}^{r} p_i^{a_i}$ is a prime factorization such that $p_1, p_2, \ldots, p_r$ are distinct primes and $a_1, a_2, \ldots, a_r$ are positive integers, and say that $n = \prod_{i=1}^{s} q_i^{b_i}$ is a prime factorization such that $q_1, q_2, \ldots, q_s$ are distinct primes and $b_1, b_2, \ldots, b_s$ are positive integers. Recall that the positive divisors of $m$ are all precisely the integers $\prod_{i=1}^{r} p_i^{\alpha_i}$ for nonnegative integers $\alpha_i$ such that $0 \le \alpha_i \le a_i$, for all $i$, and the positive divisors of $n$ are all precisely the integers $\prod_{i=1}^{s} q_i^{\beta_i}$ for nonnegative integers $\beta_i$ such that $0 \le \beta_i \le b_i$, for all $i$. Because $m$ and $n$ are relatively prime, we have that $p_1, p_2, \ldots, p_r, q_1, q_2, \ldots, q_s$ are distinct, hence the positive divisors of $mn = \prod_{i=1}^{r} p_i^{a_i} \prod_{i=1}^{s} q_i^{b_i}$ are precisely the integers $\prod_{i=1}^{r} p_i^{\alpha_i} \prod_{i=1}^{s} q_i^{\beta_i}$ for nonnegative integers $\alpha_i$ and nonnegative integers $\beta_i$ such that $0 \le \alpha_i \le a_i$ and $0 \le \beta_i \le b_i$ for all $i$. The point of this is that the divisors of $mn$ are precisely integers $d \cdot d'$ where $d$ is a divisor of $m$ and $d'$ is a divisor of $n$.
Now, we prove that $\varphi(mn) = \varphi(m) \cdot \varphi(n)$ for all relatively prime positive integers $m$ and $n$ by strong induction on the value of $mn$. If $mn = 1$ then trivially $\varphi(1 \cdot 1) = 1 = \varphi(1) \cdot \varphi(1)$, and suppose the desired result is true for all values of $mn$ less than some fixed positive integer, and consider a case where $mn$ exactly equals that fixed integer. By a theorem from lecture, by the previous paragraph, and using the induction hypothesis, we have that $m = \sum_{d>0:\, d|m} \varphi(d)$, $n = \sum_{d'>0:\, d'|n} \varphi(d')$, and

$$
\begin{aligned}
mn &= \sum_{d,d'>0:\, d|m,\, d'|n} \varphi(d \cdot d') \\
   &= \Bigl[ \sum_{d,d'>0:\, d|m,\, d'|n} \varphi(d) \cdot \varphi(d') \Bigr] - \varphi(m) \cdot \varphi(n) + \varphi(mn) \\
   &= \Bigl[ \sum_{d>0:\, d|m} \varphi(d) \Bigr] \cdot \Bigl[ \sum_{d'>0:\, d'|n} \varphi(d') \Bigr] - \varphi(m) \cdot \varphi(n) + \varphi(mn) \\
   &= mn - \varphi(m) \cdot \varphi(n) + \varphi(mn),
\end{aligned}
$$

from which we conclude $\varphi(mn) = \varphi(m) \cdot \varphi(n)$, as desired, and the result follows by induction.
Problem 3: Using the previous problem (and a problem from a previous homework), find a formula for $\varphi(n)$ and a formula for $\frac{\varphi(n)}{n}$ in terms of positive integer $n$’s prime factorization. Simplify the latter formula as much as possible. What does $\frac{\varphi(n)}{n}$ have to do with the fraction of members of $\mathbb{Z}_n$ that are in $\mathbb{Z}_n^*$?
Solution: Say that $n = \prod_{i=1}^{r} p_i^{a_i}$ is a prime factorization such that $p_1, p_2, \ldots, p_r$ are distinct primes and $a_1, a_2, \ldots, a_r$ are positive integers. By previous homework problems and the relative primality of the distinct prime powers, we have that

$$
\varphi(n) = \varphi\Bigl( \prod_{i=1}^{r} p_i^{a_i} \Bigr) = \prod_{i=1}^{r} \varphi(p_i^{a_i}) = \prod_{i=1}^{r} \bigl( p_i^{a_i} - p_i^{a_i - 1} \bigr).
$$

Thus we obtain that the fraction of members of $\mathbb{Z}_n$ that are in $\mathbb{Z}_n^*$ is precisely

$$
\frac{\prod_{i=1}^{r} \bigl( p_i^{a_i} - p_i^{a_i - 1} \bigr)}{\prod_{i=1}^{r} p_i^{a_i}} = \prod_{i=1}^{r} \Bigl( 1 - \frac{1}{p_i} \Bigr).
$$

(Notice the interesting fact that this fraction only depends on which primes divide $n$.)
Problem 4: (Problem 16 on page 194 in Trappe and Washington text) Suppose two users Alice and Bob have the same RSA modulus $n$ and suppose that their encryption exponents $e_A$ and $e_B$ are relatively prime. Charles wants to send the message $m$ to Alice and Bob, so he encrypts to get $c_A = m^{e_A} \bmod n$ and $c_B = m^{e_B} \bmod n$. Show how Eve can find $m$ if she intercepts $c_A$ and $c_B$.
Solution: Since $e_A$ and $e_B$ are relatively prime and are also public knowledge, Eve knows them and uses Extended Euclid Algorithm to efficiently obtain integers $x$ and $y$ such that $x \cdot e_A + y \cdot e_B = 1$. Now, because Eve knows the ciphertexts $c_A$ and $c_B$ and the RSA modulus $n$, Eve can (efficiently, with fast exponentiation) compute $(c_A)^x \cdot (c_B)^y \bmod n$; this yields the plaintext $m$ since $(c_A)^x \cdot (c_B)^y = (m^{e_A})^x \cdot (m^{e_B})^y = m^{x \cdot e_A + y \cdot e_B} = m^1 \bmod n$.
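The computation in this solution on constructed toy parameters, as an added example that is not part of the original solutions (Python; the function names and the sample values $n = 3233$, $e_A = 17$, $e_B = 7$, $m = 65$ are assumptions chosen here). It makes explicit the step the solution leaves implicit: one of $x$, $y$ is negative, so the corresponding ciphertext must first be inverted modulo $n$, which is why two users should never share an RSA modulus.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def signed_modpow(c, e, n):
    """c**e mod n for any integer e; a negative e uses the inverse of c."""
    if e < 0:
        g, inv, _ = egcd(c % n, n)
        if g != 1:
            # Not invertible: g is then a nontrivial factor of n.
            raise ValueError("ciphertext shares a factor with n")
        c, e = inv % n, -e
    return pow(c, e, n)


def recover_plaintext(n, e_a, e_b, c_a, c_b):
    """Recover m from c_a = m**e_a and c_b = m**e_b (mod n), gcd(e_a, e_b) = 1."""
    g, x, y = egcd(e_a, e_b)
    if g != 1:
        raise ValueError("exponents are not relatively prime")
    # x*e_a + y*e_b = 1, so c_a**x * c_b**y = m**1 (mod n).
    return signed_modpow(c_a, x, n) * signed_modpow(c_b, y, n) % n


if __name__ == "__main__":
    # Constructed toy values (not from the original page): n = 61 * 53.
    n, e_a, e_b, m = 3233, 17, 7, 65
    c_a, c_b = pow(m, e_a, n), pow(m, e_b, n)
    print(egcd(e_a, e_b))                      # Bezout coefficients for 17, 7
    print(recover_plaintext(n, e_a, e_b, c_a, c_b))
```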
Problem 5: Suppose $n = p_1 p_2 p_3 \cdots p_m$ for distinct prime numbers $p_1, p_2, \ldots, p_m$. Prove that if $p_i - 1 \mid n - 1$ for all $i = 1, 2, \ldots, m$ then $n$ is a Carmichael number.
Solution: Say that $c_i \cdot (p_i - 1) = n - 1$ for all $i = 1, 2, \ldots, m$. For any $a \in \mathbb{Z}_n^*$ note that $a$ is relatively prime with $n$ and hence with $p_i$ for all $i = 1, 2, \ldots, m$, thus $a \in \mathbb{Z}_{p_i}^*$. Thus, for each $i = 1, 2, \ldots, m$ we have by Fermat’s Theorem that $a^{n-1} = (a^{p_i - 1})^{c_i} = 1^{c_i} = 1 \bmod p_i$, i.e. we have $p_i \mid (a^{n-1} - 1)$ for all $i = 1, 2, \ldots, m$. Because the $p_i$ are primes, we have that $n = \prod_{i=1}^{m} p_i \mid (a^{n-1} - 1)$, which means that $a^{n-1} = 1 \bmod n$, which means (because $a$ was arbitrary) that $n$ is a Carmichael number.
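A numerical check of this statement, as an added example that is not part of the original solutions (Python; the function names and the sample products 561, 1729 and 105 are choices made here). It tests the hypothesis $p_i - 1 \mid n - 1$ on a list of primes and, independently, lists every unit $a$ for which the Fermat test $a^{n-1} = 1 \bmod n$ would expose $n$ as composite.

```python
from math import gcd


def product(primes):
    n = 1
    for p in primes:
        n *= p
    return n


def satisfies_hypothesis(primes):
    """Problem 5's hypothesis: distinct p_i with (p_i - 1) dividing (n - 1)."""
    n = product(primes)
    distinct = len(set(primes)) == len(primes)
    return distinct and all((n - 1) % (p - 1) == 0 for p in primes)


def fermat_witnesses(n):
    """Units a in Z_n^* with a**(n-1) != 1 mod n (empty for a Carmichael number)."""
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and pow(a, n - 1, n) != 1]


def per_prime_step_holds(primes, a):
    """The proof's intermediate claim: a**(n-1) = 1 mod p_i for every i."""
    n = product(primes)
    return all(pow(a, n - 1, p) == 1 for p in primes)


if __name__ == "__main__":
    for primes in ([3, 11, 17], [7, 13, 19], [3, 5, 7]):
        n = product(primes)
        print(n, satisfies_hypothesis(primes), len(fermat_witnesses(n)))
```

For 561 and 1729 the hypothesis holds and no coprime base detects compositeness; for 105 the hypothesis fails at $p = 7$ and base 2 already gives it away.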