11. INTEGERS MOD m AND
PUBLIC KEY CRYPTOGRAPHY
§ 11.1. Days of the Week
When we do calculations with days of the week we use a system that is called the
system of integers modulo 7, or ℤ7 for short. This is a system in which we throw away
multiples of 7 (whole weeks) and only keep remainders after division by 7.
Today is Thursday. What day of the week
will it be in 8 days time? Clearly it will be a
Friday. We do not count forward 8 days. We
simply recognise that in 7 days time it will still be
a Thursday, so 8 days will bring us to a Friday.
In 72 days time it will be a Saturday. We
can ignore 70 of the 72 days because they
represent so many whole weeks. We simply
count 2 days forward from today.
What day of the week will it be in 1000
days time? Dividing 1000 by 7 we get a quotient
of 142 with a remainder of 6. The quotient is
unimportant, only the remainder. So if we were doing the calculation in our head, and we
were feeling particularly lazy, we might say something like this. “Throw away 700 to get
300. Now discard 280, leaving 20. Take off 14 and this leaves us with 6. We simply
subtract suitable multiples of 7 repeatedly until we get an answer in the range 0 to 6.”
Having discovered that it will be the same day of the week in 6 days time as it will be
in 1000, what then? Would we count forward 6 days from today? Not if we are particularly
lazy. We would realise that in 6 days time it will be the same day of week as it was yesterday.
If today is Thursday our answer is Wednesday. In the system of days of the week 6 days
forward is the same as one day back.
The mathematical system that underlies all this is the system ℤ7. It consists of 7
numbers 0, 1, 2, 3, 4, 5 and 6. These numbers may look like integers but they are not. For if
we add the integers 5 and 4 we get 9, but if we add the numbers 5 and 4 in this ℤ7 system we
get 2. Five days from now plus a further 4 days brings us to the same day of the week as it
will be in 2 days time.
You could take the view that 5 + 4 is 9 but in the system ℤ7 the symbol 9 is just
another name for 2 since they differ by 7. The important thing, however, is that we quote our
final answer using the standard names for these numbers, that is one of the symbols 0, 1, 2, 3,
4, 5 or 6.
To avoid confusing calculations in the mod 7 system with those for ordinary integers
we often add a note to remind us that our result is valid for the mod 7 system. So we might
write 5 + 4 ≡ 2(mod 7). However if we’re doing a lot of calculations in ℤ7 we can simply
announce that we’re working in that system and simply write 5 + 4 = 2.
The system ℤ7 is, in many ways, a miniature version of the system of integers. We
can add and multiply any two numbers in the system and our answer will be one of the 7
numbers.
§ 11.2. The system ℤ7
We can describe the workings of the system ℤ7 by setting out its addition and
multiplication tables.
 +  | 0 1 2 3 4 5 6
----+--------------
 0  | 0 1 2 3 4 5 6
 1  | 1 2 3 4 5 6 0
 2  | 2 3 4 5 6 0 1
 3  | 3 4 5 6 0 1 2
 4  | 4 5 6 0 1 2 3
 5  | 5 6 0 1 2 3 4
 6  | 6 0 1 2 3 4 5

 ×  | 0 1 2 3 4 5 6
----+--------------
 0  | 0 0 0 0 0 0 0
 1  | 0 1 2 3 4 5 6
 2  | 0 2 4 6 1 3 5
 3  | 0 3 6 2 5 1 4
 4  | 0 4 1 5 2 6 3
 5  | 0 5 3 1 6 4 2
 6  | 0 6 5 4 3 2 1
Examine these tables and look for patterns.
Note that the entries in the body of each table are all in the set {0, 1, 2, 3, 4, 5, 6}. We
describe this by saying that:
ℤ7 is closed under addition and multiplication.
Secondly both tables are symmetric about the (top-left to bottom-right) diagonal. We
describe this by saying that addition and multiplication in ℤ7 are commutative. That is:
For all numbers x and y in the system, x + y = y + x and xy = yx.
Note that each table has a row that’s identical with the numbers above the table. This
reflects the fact that there are numbers in the system that have no effect when they’re added to
or multiplied by any number. These numbers are called the “identities”. The additive identity
is the number 0 and the multiplicative identity is the number 1. The special properties of
these numbers are described by the statements:
For any x in the system 0 + x = x = x + 0 and
1x = x = x1.
Something that you wouldn't notice just by casual observation is the pair of associative
laws:
For any x, y and z in the system x + (y + z) = (x + y) + z and
x(yz) = (xy)z.
In the addition table every one of the 7 numbers appears in each row and column.
This allows subtraction to be possible. What is 2 − 5? It should mean “that number which
when added to 5 gives 2”. We look along the 5 row until we reach a 2. The fact that every
number appears in every row and column guarantees that we'll find a 2. There it is in the “4”
column. So 5 + 4 = 2 and hence 2 − 5 = 4.
In particular the number 0 appears in each row and column. That is:
For every number x there is a number y such that x + y = 0 = y + x.
We denote this additive inverse of x by y = −x. The following table gives the additive
inverses of all the elements of ℤ7.
 x  | 0 1 2 3 4 5 6
----+--------------
 −x | 0 6 5 4 3 2 1
When it comes to multiplication things are just a little different. The first row and
column consist entirely of 0's. But if we focus our attention on the non-zero part we get every
non-zero number appearing exactly once in each row and column. This allows us to divide in
this system, provided we don't want to divide by zero.
What is 3/5 in ℤ7? In other words, what number when multiplied by 5 gives 3? We
look along the “5” row until we find a 3. We are guaranteed to find a 3 because every number
occurs exactly once in the 5 row. There it is, in the “2” column. So 5.2 = 3 and hence 3/5 = 2.
In particular the number 1 appears in each row and column (apart from the 0 one).
That is:
For every non-zero number x there is a number y such that xy = 1 = yx.
We denote this multiplicative inverse of x by y = x−1. The following table gives the
multiplicative inverses of all the non-zero elements of ℤ7.
 x    | 1 2 3 4 5 6
------+------------
 x^−1 | 1 4 5 2 3 6
The advantage of having only a finite number of numbers in our mini number system,
ℤ7, is that we can describe any function from ℤ7 to ℤ7 by means of a table of values. Above
we have the table for f(x) = x^−1. What about some other powers?

 x | x^2 x^3 x^4 x^5
---+----------------
 1 |  1   1   1   1
 2 |  4   1   2   4
 3 |  2   6   4   5
 4 |  2   1   4   2
 5 |  4   6   2   3
 6 |  1   6   1   6

Notice that we don’t need a calculator to complete this table. We simply multiply
each row by the first to get the next. So there is no need to compute 5^5, for example. We
simply multiply 5^4 by 5, that is, 2 times 5 which, mod 7, is 3.
Now something rather remarkable happens when we compute the next power.
 x   | 1 2 3 4 5 6
-----+------------
 x^6 | 1 1 1 1 1 1

So x^6 ≡ 1 (mod 7) for all non-zero x ∈ ℤ7. You may wonder why we would ever want to raise
days of the week to powers. The answer is that we wouldn’t. Doing calculations with the
calendar is just one of the more elementary applications of these finite mathematical systems.
A much more important application is to the science of cryptography, the science of secret
codes. Transmitting information securely is no longer only of interest to secret agents and the
military. It’s of vital interest to business. But of course 7 is much too small a number for
these purposes. What we have done for 7 can be done for any modulus.
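The tables above were written out by hand for ℤ7. The following Python program is an added example, not code from the chapter: it builds the addition and multiplication tables of ℤm for any modulus m and checks, by exhaustive search, the properties the text reads off the ℤ7 tables (closure, commutativity, associativity, the identities, the inverse tables and the table of powers). All function names are this example's own.

```python
# Added example, not code from the chapter: the tables of Z_m and their properties,
# checked by brute force. Function names are this example's own.

def add_table(m):
    """Addition table of Z_m: row x, column y holds (x + y) mod m."""
    return [[(x + y) % m for y in range(m)] for x in range(m)]

def mul_table(m):
    """Multiplication table of Z_m: row x, column y holds (x * y) mod m."""
    return [[(x * y) % m for y in range(m)] for x in range(m)]

def is_closed(table, m):
    """Every entry in the body of the table lies in {0, 1, ..., m-1}."""
    return all(0 <= v < m for row in table for v in row)

def is_commutative(table):
    """Symmetric about the main diagonal, i.e. x op y == y op x for all x, y."""
    m = len(table)
    return all(table[x][y] == table[y][x] for x in range(m) for y in range(m))

def is_associative(table):
    """x op (y op z) == (x op y) op z for every triple, read off the table itself."""
    m = len(table)
    return all(table[x][table[y][z]] == table[table[x][y]][z]
               for x in range(m) for y in range(m) for z in range(m))

def identity(table):
    """The element whose row repeats the column headings 0, 1, ..., m-1 (None if absent)."""
    m = len(table)
    for e in range(m):
        if table[e] == list(range(m)):
            return e
    return None

def additive_inverses(m):
    """x -> -x, found by scanning row x of the addition table for a 0."""
    t = add_table(m)
    return {x: t[x].index(0) for x in range(m)}

def multiplicative_inverses(m):
    """x -> x^-1 for each non-zero x whose row of the multiplication table contains a 1.
    For a prime modulus every non-zero x appears; for a composite one some are missing."""
    t = mul_table(m)
    return {x: t[x].index(1) for x in range(1, m) if 1 in t[x]}

def power_table(m, max_exp):
    """Row x (1 <= x < m) holds x^1, x^2, ..., x^max_exp in Z_m, each entry obtained by
    multiplying the previous one by x and reducing, as the text does by hand."""
    rows = {}
    for x in range(1, m):
        p, row = 1, []
        for _ in range(max_exp):
            p = (p * x) % m
            row.append(p)
        rows[x] = row
    return rows

def format_table(symbol, table):
    """Render a table in the layout used in the text."""
    m = len(table)
    lines = [f" {symbol} | " + " ".join(str(y) for y in range(m)), "---+" + "-" * (2 * m)]
    for x in range(m):
        lines.append(f" {x} | " + " ".join(str(v) for v in table[x]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_table("+", add_table(7)))
    print(format_table("x", mul_table(7)))
    print(additive_inverses(7))
    print(multiplicative_inverses(7))
    print(power_table(7, 6))
```

Running it with m = 7 reproduces the four tables of this section, and the last column of power_table(7, 6) is all 1's, which is the remarkable fact the text ends on. Trying m = 8 instead shows that only 1, 3, 5 and 7 have multiplicative inverses, which is where the next section picks up.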
§ 11.3. The system ℤm
For any positive integer, m, the system of integers mod m is the set {0, 1, 2, ... , m−1}
with addition and multiplication carried out modulo m, that is the result of adding or
multiplying two of these elements is adjusted to give one of these m numbers by subtracting a
suitable multiple of m. More formally we add or multiply in the usual way but then take the
remainder on dividing by m.
The smallest of these is ℤ1 but as this contains just one number 0 with 0 + 0 = 0 and
0.0 = 0 it is not of much use. The smallest useful example is ℤ2, the integers modulo 2. Here
we have just two numbers 0 and 1. They combine just as they normally do in integer
arithmetic with one exception: 1 + 1 = 0. Here are the full addition and multiplication tables
for ℤ2.
 + | 0 1
---+----
 0 | 0 1
 1 | 1 0

 × | 0 1
---+----
 0 | 0 0
 1 | 0 1
Incidentally, notice that these tables have the same patterns as the addition and
multiplication tables for the entities “odd” and “even”. If you consider 0 as representing
“even” and 1 representing “odd” then 1 + 1 = 0 is simply recording the fact that “odd plus odd
is even”.
No wonder ℤ2 is sometimes called “dunce’s arithmetic”. Apart from having very little
to learn by way of one's tables, a dunce could get 50% of the answers in an arithmetic test
correct just by guessing!
But surely ℤ2 is far too simple a mathematical system to be of any practical use. For
cryptography it is, but there’s another sort of code – the error-correcting code. Here the goal
is not to conceal the message but to compensate for a small number of errors that can creep in
when a message is transmitted electronically. Here ℤ2 is admirably suited because every
message transmitted electronically is just a long string of 0's and 1's.
Let's try ℤ8, the system of integers modulo 8. Here are its addition and multiplication
tables.
 +  | 0 1 2 3 4 5 6 7
----+----------------
 0  | 0 1 2 3 4 5 6 7
 1  | 1 2 3 4 5 6 7 0
 2  | 2 3 4 5 6 7 0 1
 3  | 3 4 5 6 7 0 1 2
 4  | 4 5 6 7 0 1 2 3
 5  | 5 6 7 0 1 2 3 4
 6  | 6 7 0 1 2 3 4 5
 7  | 7 0 1 2 3 4 5 6

 ×  | 0 1 2 3 4 5 6 7
----+----------------
 0  | 0 0 0 0 0 0 0 0
 1  | 0 1 2 3 4 5 6 7
 2  | 0 2 4 6 0 2 4 6
 3  | 0 3 6 1 4 7 2 5
 4  | 0 4 0 4 0 4 0 4
 5  | 0 5 2 7 4 1 6 3
 6  | 0 6 4 2 0 6 4 2
 7  | 0 7 6 5 4 3 2 1
Notice that the above addition table is very similar to the one for ℤ7. Each row is
identical to the one above but moved one place to the left, with the number that falls off the
left-hand edge “wrapping around” to the right-hand end. But with multiplication the pattern
is very different. With ℤ7 the non-zero entries were uniformly distributed with each one
appearing in every row and column in the non-zero part of the table. But with ℤ8 2's, 4's and
6's occur more frequently than 1's, 3's, 5's and 7's and 0's creep into the non-zero part of the
table (for example 2 × 4 = 0 even though neither 2 nor 4 is zero).
The system ℤ7 behaves much more like the arithmetic we're used to than ℤ8. In ℤ7
the cancellation law:
If xy = 0 then x = 0 or y = 0
is valid. In ℤ8 it is not.
The lack of the cancellation law in ℤ8 turns our normal notions of algebra on their
head. Take the solution of quadratic equations. A quadratic can’t have more than two
solutions, right? Wrong! At least for ℤ8 it’s wrong. Take the quadratic equation x^2 − 1 = 0.
Solving, we get (x − 1)(x + 1) = 0. So far so good, even in ℤ8. But as soon as we try to say
“hence x − 1 = 0 or x + 1 = 0” we’ve transgressed in ℤ8 because this last step appeals to the
cancellation law which is just not true in ℤ8.
In fact the quadratic x^2 − 1 = 0 has as many as four solutions in ℤ8 as is shown by the
following table of squares.

 x   | 0 1 2 3 4 5 6 7
-----+----------------
 x^2 | 0 1 4 1 0 1 4 1
So why is the arithmetic and algebra of ℤ8 so different to that of ℤ7? The difference is
simply due to the fact that 7 is prime and 8 is not.
The Cancellation Law states that:
If xy = 0 then x = 0 or y = 0.
An equivalent statement is:
If a ≠ 0 and ax = ay then x = y.
[Remember that ax = ay is equivalent to a(x − y) = 0.]
While the Cancellation Law holds in ordinary arithmetic it fails to hold in many
algebraic systems. For example it doesn’t hold for matrices.
Example 1: The Cancellation Law doesn’t hold in ℤ100 since 10.10 = 0 in ℤ100 while 10 ≠ 0
in that system.
Theorem 1: If p > 1, the Cancellation Law holds in ℤp if and only if p is prime.
Proof: Suppose the modulus p is not prime. Then p = ab for some a, b with 0 < a, b < p.
Then in ℤp, ab = 0 while a ≠ 0 and b ≠ 0 and so the cancellation law fails. In other words if
the cancellation law holds in ℤp then p must be prime.
Now suppose that p is prime and suppose that in ℤp, ab = 0 where a ≠ 0. Hence in ℤ
a is not divisible by p. Since p is prime this means that a and p are coprime.
Hence 1 = ah + pk for some integers h, k. Multiplying both sides by b we get
b = (ab)h + p(bk). In ℤp this gives b = 0. So if ab = 0 in ℤp either a = 0 or b = 0.
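Theorem 1 can be checked mechanically for small moduli. The program below is an added example, not code from the chapter: it lists the zero divisors of ℤm (the pairs that break the Cancellation Law), reads the solutions of x^2 − 1 = 0 off the table of squares, and confirms that the Cancellation Law holds exactly for the prime moduli up to a chosen limit. Function names are this example's own.

```python
# Added example, not code from the chapter: zero divisors, solutions of x^2 - 1 = 0,
# and a brute-force check of Theorem 1 for 2 <= m <= limit. Names are this example's own.

def zero_divisor_pairs(m):
    """All pairs (x, y) with 0 < x <= y < m and xy = 0 in Z_m.
    An empty list means the Cancellation Law 'xy = 0 implies x = 0 or y = 0' holds."""
    return [(x, y) for x in range(1, m) for y in range(x, m) if (x * y) % m == 0]

def cancellation_law_holds(m):
    return not zero_divisor_pairs(m)

def square_roots_of_one(m):
    """Solutions of x^2 - 1 = 0 in Z_m, read from the table of squares."""
    return [x for x in range(m) if (x * x) % m == 1]

def is_prime(m):
    """Trial division; adequate for the small moduli used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def theorem1_check(limit):
    """Theorem 1: the Cancellation Law holds in Z_m if and only if m is prime."""
    return all(cancellation_law_holds(m) == is_prime(m) for m in range(2, limit + 1))

if __name__ == "__main__":
    for m in (7, 8, 100):
        print(m, zero_divisor_pairs(m)[:5], square_roots_of_one(m))
    print(theorem1_check(200))
```

For m = 8 the zero-divisor list contains the pair (2, 4) from the text and the quadratic has the four roots 1, 3, 5, 7; for m = 100 the pair (10, 10) of Example 1 appears. The quadratic can have even more roots for moduli with more prime factors, for example eight of them in ℤ105, which the same function will show.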
If we’re using the same modulus, m, in a piece of work we simply announce at the
beginning that we are working in ℤm. But if we need to change the modulus we use a
different notation that constantly reminds us of which modulus we are using at any given
time.
We say that a is congruent to b modulo m if a and b have the same remainders on
division by m. We write this as a ≡ b(mod m). In ℤm this simply means that a = b. In ℤ it
means that m divides a − b or that a = b + mq for some integer q.
Example 2: 27 ≡ 13(mod 7) since 7 divides 27 − 13 = 14, or equivalently, 27 = 13 + 7.2.
In ℤ7, 27 = 13. They are just alternative ways of writing 6.
§ 11.4. Inverses in ℤm
For many applications it is important to be able to find an inverse in ℤm where one
exists. The elements that have inverses are called “units”.
A unit of ℤm is any element of ℤm that has an inverse under multiplication.
Theorem 2: Any product of units is a unit.
Proof: It is sufficient to prove this for a product of two units.
Since (b^−1 a^−1)(ab) = 1 it is clear that ab has an inverse.
The special property of units is that it is always possible to cancel them in equations.
Theorem 3: If a is a unit of ℤm and ax = ay then x = y.
Proof: If ax = ay and a is a unit then a^−1(ax) = a^−1(ay) and so x = y.
Theorem 4: a ∈ ℤm is a unit if and only if GCD(a, m) = 1.
Proof: Suppose that a is a unit of ℤm. Then for some b ∈ ℤm, ab = 1.
In ℤ this becomes ab = 1 + mq for some q ∈ ℤ.
Let d = GCD(a, m). Then, since d divides both a and m it follows that d divides 1.
Suppose now that GCD(a, m) = 1.
Then 1 = ah + mk for some h, k ∈ ℤ.
In ℤm this becomes 1 = ah, so a has an inverse, namely h.
We can find inverses modulo m by working out the greatest common divisor by the
Euclidean algorithm and then working backwards to express 1 in the form ab + mc.
Example 3: Find the inverse of 35 modulo 143.
Solution: Applying the Euclidean algorithm:
143 = 35.4 + 3
35 = 3.11 + 2
3 = 2.1 + 1
So 1 = 3 − 2
= 3 − (35 − 3.11) = 3.12 − 35
= (143 − 35.4).12 − 35 = 143.12 − 35.49.
Hence 35(−49) ≡ 1(mod 143). So the inverse of 35 modulo 143 is −49 = 94.
Theorem 5: Let a, m be positive integers and let {a_n}, {q_n}, {b_n} be sequences of integers
defined recursively for n ≥ 0 (until a_n = 1) by:
a_0 = m, b_0 = 0,
a_1 = a, b_1 = 1 and, for n ≥ 2:
q_{n−1} = INT(a_{n−2}/a_{n−1}),
a_n = a_{n−2} − a_{n−1}q_{n−1},
b_n = b_{n−2} − b_{n−1}q_{n−1}.
Then for all n, ab_n ≡ a_n (mod m).
Proof: For n = 0 this merely says that 0 ≡ m (mod m), which is certainly true.
For n = 1 this says that a ≡ a (mod m), which is also true.
Suppose now that n ≥ 1 and that ab_{n−1} ≡ a_{n−1} (mod m) and ab_n ≡ a_n (mod m).
Then ab_{n+1} = a(b_{n−1} − b_nq_n) = ab_{n−1} − ab_nq_n ≡ a_{n−1} − a_nq_n (mod m) = a_{n+1}.
Corollary: If a, m are coprime, ultimately a_n = 1 and so b_n ≡ a^−1 (mod m).
So by computing the sequence {bn} in parallel with the {an} we can find the inverse of
a modulo m. We set our working in three columns. The first column contains the successive
values of q. The second column contains the values of an and the third column contains the
values of bn.
To begin with we set down the following values in the second and third columns. The
first column remains blank at this stage.
 q_n | a_n | b_n
-----+-----+-----
     |  m  |  0
     |  a  |  1

These rows correspond to n = 0 and n = 1.
We compute each of the remaining rows from the two rows above it as follows:

 q_n                            | a_n                       | b_n
--------------------------------+---------------------------+--------------------------
                                | a_{n−2}                   | b_{n−2}
                                | a_{n−1}                   | b_{n−1}
 q_{n−1} = INT(a_{n−2}/a_{n−1}) | a_{n−2} − a_{n−1}q_{n−1}  | b_{n−2} − b_{n−1}q_{n−1}

We continue until we obtain a “1” in the middle column. The required inverse will now
appear in the third column. The table will have the form:

 q_n                            | a_n                       | b_n
--------------------------------+---------------------------+--------------------------
                                | m                         | 0
                                | a                         | 1
 …                              | …                         | …
 q_{n−1} = INT(a_{n−2}/a_{n−1}) | a_{n−2} − a_{n−1}q_{n−1}  | b_{n−2} − b_{n−1}q_{n−1}
 …                              | …                         | …
                                | 1                         | inverse

Each item in the first column is obtained by finding the quotient on dividing the two most
recent entries in the middle column; the remainder goes in the middle column:

 q            | A
              | a
 q = INT(A/a) | A − a.q      (quotient q, remainder A − a.q)

For the third column we do the same subtraction on the two most recent entries in the
third column, but using the same quotient as before:

 q | A       | B
   | a       | b
 q | A − a.q | B − b.q
Example 4: Find the inverse of 35 mod 143.
Solution: We begin with:

 q_n | a_n | b_n
-----+-----+-----
     | 143 |  0
     |  35 |  1

For the next row we find INT(143/35) = 4, 143 − 35.4 = 3 and 0 − 1.4 = −4.

 q_n | a_n | b_n
-----+-----+-----
     | 143 |  0
     |  35 |  1
  4  |   3 | −4

The table is completed in the same way:

 q_n | a_n | b_n
-----+-----+-----
     | 143 |  0
     |  35 |  1
  4  |   3 | −4
 11  |   2 | 45
  1  |   1 | −49

So the inverse of 35 modulo 143 is −49 = 94.
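The three-column table of Theorem 5 is exactly the kind of routine a program should carry out. The following Python function is an added example, not code from the chapter: it builds the rows (q_n, a_n, b_n) of the table until the middle column reaches 1 and returns the inverse, and it reports the greatest common divisor when the middle column reaches 0 first, which is how a non-unit reveals itself. Function names are this example's own.

```python
# Added example, not code from the chapter: the table of Theorem 5 computed by a program.
# Names are this example's own.

def inverse_table(a, m):
    """Rows (q_n, a_n, b_n) of the three-column table for the inverse of a modulo m.
    The first two rows are (m, 0) and (a, 1); each later row comes from the two above it
    with the quotient q = INT(a_{n-2} / a_{n-1}). Stops when a_n = 1, whose b_n is the inverse.
    Raises ValueError when a_n reaches 0 first, which means GCD(a, m) > 1 (a is not a unit)."""
    rows = [(None, m, 0), (None, a, 1)]          # the n = 0 and n = 1 rows
    while rows[-1][1] != 1:
        _, a_prev, b_prev = rows[-2]
        _, a_cur, b_cur = rows[-1]
        if a_cur == 0:
            raise ValueError(f"{a} is not a unit modulo {m}: GCD({a}, {m}) = {a_prev}")
        q = a_prev // a_cur                       # INT(a_{n-2} / a_{n-1})
        rows.append((q, a_prev - a_cur * q, b_prev - b_cur * q))
    return rows

def mod_inverse(a, m):
    """The inverse of a modulo m, given as the standard representative in 0 .. m-1."""
    return inverse_table(a, m)[-1][2] % m

def format_rows(rows):
    """Print the table in the layout used in the text."""
    lines = [" q_n | a_n | b_n", "-----+-----+-----"]
    for q, an, bn in rows:
        lines.append(f" {'' if q is None else q:>3} | {an:>3} | {bn:>3}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_rows(inverse_table(35, 143)))
    print(mod_inverse(35, 143))                   # 94, as in Example 4
```

The rows returned for (35, 143) are the ones in the completed table of Example 4, ending in b_n = −49, which mod_inverse reduces to 94. Calling it with a = 4, m = 8 raises the error with GCD(4, 8) = 4, in line with Theorem 4: a has an inverse only when GCD(a, m) = 1.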
§ 11.5. Powers in ℤm
Consider the geometric progression 1, x, x^2, x^3, .... for some x ∈ ℤm. Since ℤm is finite
we must get repetitions. And once one power is equal to an earlier one the same block of
numbers simply repeats.
For example in ℤ10, the powers of 3 are 1, 3, 9, 7, 1, 3, 9, 7, .... The powers of 2 are 1,
2, 4, 8, 6, 2, 4, 8, 6, ....
This simple fact enables us to answer questions in our head that would appear to
require enormous amounts of computation.
Example 5: What is the final digit in 7^1995?
Solution: There’s no need to compute the complete value of 7^1995. In any case to do so
would require more than a normal calculator. But computing the first few powers of 7
modulo 10, until we get a repetition, we have:

 n   | 0 1 2 3 4
-----+----------
 7^n | 1 7 9 3 1

Since in ℤ10, 7^4 = 1 then 7 to any multiple of 4 will give 1 in ℤ10. So we need only find the
remainder on dividing 1995 by 4. Now 1995 = 498.4 + 3, so 7^1995 = (7^4)^498.7^3 = 7^3 = 3 in ℤ10.
Hence 7^1995 ends in a 3.
The following Theorem is known as Fermat's “Little” Theorem. This is to distinguish
it from his celebrated “Last Theorem”. Fermat's Last Theorem states that for all integers
n ≥ 3 there are no solutions to the equation x^n + y^n = z^n for non-zero integers x, y and z.
We all know that 3^2 + 4^2 = 5^2 and 5^2 + 12^2 = 13^2. There are infinitely many such integer
solutions to the equation x^2 + y^2 = z^2. But when it comes to n = 3, or any larger value of n, the
situation is quite different.
There are, of course, trivial solutions such as 0^n + 1^n = 1^n but no non-trivial solutions.
It was proved for n = 3 a long time ago, and over the years for larger and larger values of n.
But it wasn’t until the late 20th century that it was proved that there are no non-trivial
solutions for all n.
Fermat claimed to have proved this theorem 350 years ago in a note in one of his
books but claimed “the margin is too small to contain it”. There has been much controversy
as to whether he really did have a complete proof, but as it took over 350 years for such a
proof to be found, and since this proof required whole tracts of mathematics that were not
developed until the late 20th century, the consensus seems to be that he only thought he had a
proof.
His “Little” Theorem, on the other hand, is one that he is known to have proved.
There are now numerous proofs of this theorem – here are three of them.
Theorem 6 (FERMAT): If p is prime and a is not a multiple of p then a^(p−1) ≡ 1 (mod p).
Proof #1: We prove by induction on a that for all a ≥ 1, a^p ≡ a (mod p).
If a = 1 the result is clearly true so suppose now that it is true for a. Then by the Binomial
Theorem, (a + 1)^p = a^p + pa^(p−1) + ½p(p − 1)a^(p−2) + ... + 1. Since p is prime, all the binomial
coefficients, except the first and the last, are multiples of p so, modulo p:
(a + 1)^p ≡ a^p + 1 ≡ a + 1 (mod p) by the induction hypothesis.
Hence the result holds for a + 1. To get from a^p = a to a^(p−1) = 1 we use the Cancellation Law.
Proof #2: (For those who know a little group theory) Since p is prime the non-zero elements
of ℤp form a group under multiplication. By Lagrange’s Theorem the order of each element
of this group divides p − 1, the order of the group. Hence a^(p−1) = 1 for all non-zero a ∈ ℤp.
Proof #3: Let N = (p − 1)! = 1.2.3 … (p − 1). Clearly p doesn’t divide N and so in ℤp, N ≠ 0.
In the remainder of the proof we interpret everything as elements of ℤp.
Multiply each of the factors of N by a.
Hence a^(p−1)N = a.2a.3a. … .(p − 1)a.
By the cancellation law, no two of these factors are equal, so they must be all the non-zero
elements in some order. Hence the right hand side of the above equation is N.
So a^(p−1)N = N and, since N ≠ 0, it follows by the Cancellation Law that a^(p−1) = 1.
Example 6: p = 7
N = 1.2.3.4.5.6
Now modulo 7, {2, 4, 6, 8, 10, 12} = {2, 4, 6, 1, 3, 5}. Both sets therefore have the same
product,
2^6 N = 2.4.6.1.3.5 = N
∴ 2^6 = 1 in ℤ7.
Note that in this example N = 720 ≡ −1 (mod 7). This holds for all primes p.
Theorem 7: If p is prime then (p − 1)! ≡ −1 (mod p).
Proof: Now (p − 1)! = 1.2.3 … (p − 1). Each one of these factors has an inverse in ℤp and it
will cancel its inverse, provided that inverse is a different element of ℤp. So N is the product
of all those elements of ℤp that are equal to their own inverse.
But if x = x^−1 then x^2 = 1 and so (x − 1)(x + 1) = 0. Since the cancellation law holds in ℤp
(for prime p) we must have x = 1 or x = −1. The product of these is −1.
§ 11.6. Euler's ϕ-Function
We define ϕ(m) to be the number of units of ℤm. In other words, it is the number of integers
from 1 to m that are coprime with m.
Example 7: ϕ(10) = 4 since the units of ℤ10 are 1, 3, 7 and 9.
ϕ(21) = 12 since the units of ℤ21 are 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19 and 20.
Theorem 8: If p is prime and n ≥ 1, ϕ(p^n) = p^(n−1)(p − 1).
Proof: Of the numbers from 1 to p^n, the ones that are not coprime to p^n are the multiples of
p. There are p^(n−1) of these and so ϕ(p^n) = p^n − p^(n−1) = p^(n−1)(p − 1).
Corollary: ϕ(p) = p − 1.
Theorem 9: If p, q are distinct primes then ϕ(p^m q^n) = p^(m−1)(p − 1) q^(n−1)(q − 1).
Proof: Of the numbers from 1 to p^m q^n the ones that are not coprime to p^m q^n are the multiples
of p and the multiples of q.
Now there are p^(m−1) q^n multiples of p in this range, and p^m q^(n−1) multiples of q. But don’t
forget that the p^(m−1) q^(n−1) multiples of pq will get counted both times, and so by the Principle of
Inclusion-Exclusion we have ϕ(p^m q^n) = p^m q^n − p^(m−1) q^n − p^m q^(n−1) + p^(m−1) q^(n−1)
= p^(m−1)(p − 1) q^(n−1)(q − 1).
Corollary: ϕ(pq) = (p − 1)(q − 1).
The general case is as follows. We omit the proof.
Theorem 10: ϕ(p1^n1 p2^n2 … pk^nk) = p1^(n1−1)(p1 − 1) p2^(n2−1)(p2 − 1) … pk^(nk−1)(pk − 1).
An alternative formulation of this theorem is as follows. If the distinct prime divisors
of N are p1, p2, …, pk then
ϕ(N) = N (p1 − 1)(p2 − 1) … (pk − 1) / (p1 p2 … pk).
Leonhard Euler gave the following generalisation of Fermat's Little Theorem.
Theorem 11 (EULER): If a is coprime with n then a^ϕ(n) ≡ 1 (mod n).
Proof #1: This proof is adapted from Proof #3 of Fermat’s Little Theorem.
Let N be the product of all the units of ℤn. Clearly N ≠ 0.
Multiply each of the factors of N by a.
Hence a^ϕ(n) N is the product of each of the units after being multiplied by a.
By the cancellation law, no two of these factors are equal, so they must be all the units in
some order. Hence a^ϕ(n) N = N. Now the product of any collection of units is a unit so N is a
unit. By the Cancellation Law a^ϕ(n) = 1.
Proof #2: However the simplest proof is by group theory. The elements of ℤn that are
coprime with n are precisely the units. They form a group, often denoted by ℤn#, under
multiplication. The order (size) of this group is ϕ(n). By Lagrange's Theorem the order of
each element divides the order of the group and so if a is one of these units, a^ϕ(n) = 1 in ℤn.
Example 8: ϕ(20) = ϕ(2^2.5) = 2^1(2 − 1) 5^0(5 − 1) = 2.4 = 8.
ϕ(7000) = ϕ(2^3.5^3.7) = 2^2.5^2.4.6 = 2400.
In computing powers modulo n, we can use Euler’s theorem to break down the power
to a much smaller one.
Example 9: Find 69^4803 modulo 7000.
Solution: ϕ(7000) = 2400 so 69^2400 ≡ 1 and hence
69^4800 ≡ 1 so 69^4803 ≡ 69^3 ≡ 328509 ≡ 6509.
If the modulus is large, even breaking down a power to a smaller one may still result
in a large power, too large to compute with the computing device available. The trick here is
to break the power up as a sum of powers of 2. The number to be raised is then squared
repeatedly. But at each stage the answer is reduced modulo the modulus, so that the numbers
involved in the calculation are never bigger than the square of the modulus.
Example 10: Find 69^4900 modulo 7000.
Solution: As above, 69^4800 ≡ 1 (mod 7000) so 69^4900 ≡ 69^100.
69^2 ≡ 4761
69^4 ≡ 4761^2 ≡ 22667121 ≡ 1121
69^8 ≡ 3641
69^16 ≡ 5881
69^32 ≡ 6161
69^64 ≡ 3921
Now 100 = 64 + 32 + 4 so
69^100 = 69^64.69^32.69^4
≡ 3921.6161.1121
≡ 24157281.1121
≡ 281.1121
≡ 315001
≡ 1
Hence 69^4900 ≡ 1 (mod 7000).
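The two tricks of Examples 9 and 10, reducing the exponent modulo ϕ(n) and then squaring repeatedly with a reduction at every step, are what every implementation of modular exponentiation does. The program below is an added example, not code from the chapter: it exposes the chain of squares so the residues of Example 10 can be read off, assembles the answer from the binary digits of the exponent, and computes ϕ(n) from the prime factorisation as in Theorem 10. Function names are this example's own.

```python
# Added example, not code from the chapter: repeated squaring with reduction at every step,
# and Euler's theorem used to shrink the exponent first. Names are this example's own.
from math import gcd

def square_chain(x, exponent, n):
    """Residues x^2, x^4, x^8, ... mod n, up to the largest power of 2 not exceeding exponent.
    Each entry is the square of the previous one reduced mod n, so no intermediate value
    is larger than n^2."""
    chain, p = [], x % n
    while 2 ** (len(chain) + 1) <= exponent:
        p = (p * p) % n
        chain.append(p)
    return chain

def powers_of_two(exponent):
    """exponent written as a sum of distinct powers of 2, ascending: 100 -> [4, 32, 64]."""
    return [1 << i for i in range(exponent.bit_length()) if exponent >> i & 1]

def pow_mod_by_table(x, exponent, n):
    """x^exponent mod n by Example 10's method: multiply together the entries x^(2^i)
    of the squaring chain for every binary digit i that is set, reducing as we go."""
    chain = [x % n] + square_chain(x, exponent, n)   # chain[i] = x^(2^i) mod n
    result = 1
    for i in range(exponent.bit_length()):
        if exponent >> i & 1:
            result = (result * chain[i]) % n
    return result

def phi(n):
    """Euler's phi from the prime factorisation (trial division; fine for small n):
    each prime power p^k contributes p^(k-1)(p - 1), i.e. multiply by (p - 1)/p per prime."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            result = result // p * (p - 1)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:                      # whatever is left is a single prime factor
        result = result // m * (m - 1)
    return result

def reduce_exponent(x, exponent, n):
    """For x coprime to n, Euler's theorem lets us replace the exponent by its remainder
    on dividing by phi(n): x^exponent = x^(exponent mod phi(n)) in Z_n."""
    if gcd(x, n) != 1:
        raise ValueError("Euler's theorem needs x coprime to n")
    return exponent % phi(n)

if __name__ == "__main__":
    print(square_chain(69, 100, 7000))            # [4761, 1121, 3641, 5881, 6161, 3921]
    print(powers_of_two(100))                     # [4, 32, 64]
    print(pow_mod_by_table(69, 100, 7000))        # 1
    e = reduce_exponent(69, 4803, 7000)           # 3, as in Example 9
    print(e, pow_mod_by_table(69, e, 7000))       # 3 6509
```

The chain printed for 69 modulo 7000 is the column of residues in Example 10, and combining the entries for 4, 32 and 64 gives 1. Python's built-in pow(x, exponent, n) performs the same square-and-multiply loop, which is why it handles exponents of hundreds of digits without ever forming the full power.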
§ 11.7. The RSA Code: How it Works
The need for privacy in sending messages from one person to another has greatly
increased with the introduction of electronic communication. There are many systems that
have been developed over the years, with varying degrees of security. Public-key
cryptography refers to those systems where members of a large universe of users (the public)
want to be able to send a message to any other user of the system. The system is operated by
an operator who issues to each user certain encoding and decoding keys.
Although messages will normally be alphanumeric they can be converted to sequences
of large numbers by some straightforward conversion process. We’ll assume that a “message”
is just one of these large numbers.
The method described here is called the RSA code after the three people who devised
it, Ron Rivest, Adi Shamir and Leonard Adleman in 1977. Actually it was devised earlier, in
1973, by Clifford Cocks working for the British Intelligence Agency GCHQ but it remained
secret until 1997 when it was declassified. This mirrors the invention of the computer, which
was assumed to be by the Americans until British classified documents were declassified
many years later, showing that the British (a team led by Alan Turing) had got there first.
[Photograph: Clifford Cocks in 2015]
SETTING UP
For each user the operator chooses two large prime numbers p, q and computes n = pq. This
is the modulus for that user. In practice p, q would be very large primes with something like
100 digits each so n would have a couple of hundred digits.
Then the operator computes, for each user, ϕ(n) = (p − 1)(q − 1).
Secondly, for each user, the operator chooses an encoding number, e, that is coprime to ϕ(n).
The numbers n and e for each user are made public, in some sort of directory, but the values
of p, q and ϕ(n) for each user are kept completely secret.
Traditionally, in describing public key systems, the sender of a message is known as
Alice and the recipient is called Bob. Any third person who might intercept the message is
known as Eve.
In principle Eve could discover the values of p and q for any user by simply
factorising their modulus. But in practice these numbers are so large that it’s computationally
infeasible to do this. And unless the values of p and q could be found there would be no way
of computing ϕ(n).
Finally, for each user, the operator calculates the inverse of their encoding number
modulo ϕ(n), where n is that user's modulus. This is a number d so that ed ≡ 1 (mod ϕ(n)).
These numbers, d, are the so-called decoding numbers. Each user has one and each user is
informed only of their own decoding number.
SENDING A MESSAGE
Suppose Alice wants to send a message m to Bob. [Only messages that are coprime to Bob’s
modulus n are possible so whatever method is used to convert symbols to numbers, the
multiples of Bob’s primes p and q must be avoided. This is not difficult.]
Alice looks up the directory for user Bob's encoding number e and modulus n and calculates
m^e (mod n).
RECEIVING A MESSAGE
Bob takes the encoded message m^e and calculates (m^e)^d (mod n).
Example 11: In an RSA Public Key cryptographic system a certain user is given the modulus
95 and an encoding number of 65. The operator knows that 95 is the product of the two
primes 5 and 19. Find the corresponding decoding number.
Solution: ϕ(95) = ϕ(5.19) = 4.18 = 72. We now verify that 65 is coprime with 72, using the
Euclidean algorithm:
72 = 65.1 + 7
65 = 7.9 + 2
7 = 2.3 + 1
So 1 = 7 − 2.3
= 7 − (65 − 7.9)3 = 7.28 − 65.3
= (72 − 65)28 − 65.3 = 72.28 − 65.31
Modulo 72 this becomes 1 = −65.31 so the inverse of 65 is −31 = 41. This is the
corresponding decoding number.
Example 12:
Alice: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41. N.B. 65.41 = 2665 ≡ 1 (mod 72)
Bob: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17. N.B. 53.17 = 901 ≡ 1 (mod 60)
OPERATOR KNOWS: A: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41.
                B: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17.
Eve KNOWS:      A: n1 = 95, e1 = 65.   B: n2 = 77, e2 = 53.
Alice KNOWS:    A: n1 = 95, e1 = 65, d1 = 41.   B: n2 = 77, e2 = 53.
Bob KNOWS:      A: n1 = 95, e1 = 65.   B: n2 = 77, e2 = 53, d2 = 17.
Suppose Alice wants to send the message m = 4 to Bob.
She looks up her directory and finds e2 = 53 for Bob.
She therefore calculates m′ as follows:
m′ ≡ 4^53 (mod 77)
4^1 ≡ 4
4^2 ≡ 16
4^4 ≡ 256 ≡ 25
4^8 ≡ 625 ≡ 9
4^16 ≡ 81 ≡ 4
4^32 ≡ 16
Now 4^53 = 4^(32+16+4+1) = 4^32.4^16.4^4.4^1 ≡ 16.4.25.4 ≡ 6400 ≡ 9 (mod 77)
Hence m′ = 9 and this is what gets transmitted to Bob.
Bob receives m′ = 9. He uses his own decoding number, d2 = 17, to calculate:
m′′ ≡ 9^17 (mod 77)
9^1 ≡ 9
9^2 ≡ 81 ≡ 4
9^4 ≡ 16
9^8 ≡ 256 ≡ 25
9^16 ≡ 625 ≡ 9
So 9^17 ≡ 9.9 ≡ 81 ≡ 4 (mod 77).
Thus m′′ = 4 = m. This is the original message.
§ 11.8. The RSA Code: Why it Works
Suppose m is the original message, n is the modulus of the recipient, e is the encoding
number of the recipient and d is the decoding number of the recipient.
Then m′ = m^e (mod n)
m′′ = (m′)^d = m^ed (mod n).
Now d was chosen so that ed ≡ 1 (mod ϕ(n)).
So ed = k.ϕ(n) + 1.
Thus m′′ ≡ m^ed ≡ m^(kϕ(n)+1) (mod n) ≡ (m^ϕ(n))^k.m (mod n) ≡ 1^k.m (mod n) ≡ m (mod n),
using Euler's Theorem m^ϕ(n) ≡ 1 (mod n), which applies because m is coprime to n.
Hence the original message is recovered.
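Example 12 and the argument of this section can be run end to end. The program below is an added example, not code from the chapter: the operator's setup, Alice's encoding and Bob's decoding are written as functions, the value k with ed = kϕ(n) + 1 is extracted, and the round trip is checked for every message coprime to the modulus. Function names are this example's own, and the tiny primes are the chapter's illustrative ones, not sizes anyone would deploy.

```python
# Added example, not code from the chapter: Example 12 and Section 11.8 in Python.
# Names are this example's own; pow(e, -1, phi) needs Python 3.8 or later.
from math import gcd

def make_keys(p, q, e):
    """Operator's setup for one user: n = pq, phi(n) = (p - 1)(q - 1), an encoding number e
    coprime to phi(n), and the decoding number d, the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e = {e} is not coprime to phi(n) = {phi}")
    return {"n": n, "phi": phi, "e": e, "d": pow(e, -1, phi)}

def public_part(keys):
    """What goes in the directory, and therefore what Eve sees too: only n and e."""
    return {"n": keys["n"], "e": keys["e"]}

def encode(m, n, e):
    """Sender's step: m' = m^e mod n using the recipient's public n and e.
    The text restricts messages to those coprime to n, so that Euler's theorem applies."""
    if not 0 < m < n or gcd(m, n) != 1:
        raise ValueError("message must lie in 1 .. n-1 and be coprime to the modulus")
    return pow(m, e, n)

def decode(c, n, d):
    """Recipient's step: m'' = (m')^d mod n using the private decoding number d."""
    return pow(c, d, n)

def k_in_ed(keys):
    """The integer k of Section 11.8 for which ed = k*phi(n) + 1."""
    ed = keys["e"] * keys["d"]
    if ed % keys["phi"] != 1:
        raise ValueError("d is not the inverse of e modulo phi(n)")
    return ed // keys["phi"]

def roundtrip_ok(keys):
    """Decoding undoes encoding for every admissible message, as Section 11.8 proves."""
    n, e, d = keys["n"], keys["e"], keys["d"]
    return all(decode(encode(m, n, e), n, d) == m for m in range(1, n) if gcd(m, n) == 1)

if __name__ == "__main__":
    alice = make_keys(5, 19, 65)            # n1 = 95, phi = 72, d1 = 41 (Example 11)
    bob = make_keys(7, 11, 53)              # n2 = 77, phi = 60, d2 = 17
    c = encode(4, **public_part(bob))       # Alice sends m = 4 to Bob: m' = 9
    print(c, decode(c, bob["n"], bob["d"]), k_in_ed(bob))
```

With the chapter's numbers the encoded message is 9 and Bob recovers 4; for Bob's key ed = 901 = 15.60 + 1, so k = 15. Asking make_keys for an encoding number that shares a factor with ϕ(n) raises an error, which is the check the operator must make before publishing e.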
§ 11.9. The RSA Code: Is it Secure?
Once ϕ(n) is known it’s relatively easy for anybody to compute another user’s
decoding number and therefore read his electronic mail. The security of the code therefore
lies in the difficulty of calculating ϕ(n).
Of course the operator has no difficulty in computing ϕ(n) because the operator knows
the primes p, q. The users know n = pq and so in principle all they have to do is factorise it.
This is no real difficulty if n has only 10 digits but it is not possible, with current technology,
to factorise a typical 500 digit number.
It is a very elementary programming exercise to write a factorisation program along
the simple-minded lines of trying every possible factor. Even though there are much more
sophisticated methods available, they are all just clever variations on this simple-minded
approach. Whatever method is used, the number of steps involved grows exponentially with
the number of digits.
A 200 digit number (a product of two very large primes) has been factorised in recent
years, but it took several months, using a large number of powerful computers working in
parallel. Perhaps in another 20 years improvements in hardware and software might reduce
this to 1 week of computing time but for some time the code is safe. And of course in 20
years time when it might be possible to factorise 400 digit numbers it will be possible to
generate 1000 digit primes and so use a 2000 digit value of n.
As long as it is much easier to generate a k digit prime than it is to factorise a 2k digit
number this cryptosystem can always stay one step ahead of would-be crackers. The RSA
algorithm is currently used whenever sensitive data, such as account numbers and passwords,
have to be transmitted electronically.
One weakness with the above system is that the operator knows everything. This is
the current situation. The message is transmitted to the operator who then encodes it and
sends the encrypted message to the recipient. A new protocol is E2EE – End to End
Encryption. The message is encrypted in the user’s device and sent, via the operator, to the
recipient where it is decrypted. Using a modified form of the above algorithm, the operator,
or anyone who might intercept the transmission, is unable to decrypt the message.
Hence if some government agency asks the operator to hand over a decrypted message
they are, correctly, able to affirm that this is not possible. In 2016 such E2EE systems are
starting to be implemented. However some governments are expected to resist these
developments and may legislate against them.
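The E2EE arrangement just described, in which the user’s own device does what the operator did in §11.8, written out as an added Python example (this is not code from the chapter). The primality test is Miller–Rabin, which the chapter does not describe; the function names, the default e = 65537, the key size, and the use of Python’s built-in pow(e, -1, phi) for the inverse are our choices.

```python
import math
import random


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin probable-prime test: always True for a prime, False for a
    composite except with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    rng = rng or random.SystemRandom()
    d, s = n - 1, 0            # write n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def random_prime(bits, rng):
    """Try random odd candidates with the top bit set until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def generate_keypair(bits=2048, e=65537, rng=None):
    """Choose p, q of bits/2 bits each, form n = pq and phi(n) = (p-1)(q-1),
    and invert e modulo phi(n). Only (n, e) is published; (n, d) stays on the device."""
    rng = rng or random.SystemRandom()
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:   # e must be invertible mod phi(n)
            break
    n = p * q
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public_key):
    """m' = m^e mod n, computed by the sender from the public (n, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in the range 0 .. n-1")
    return pow(m, e, n)


def decrypt(c, private_key):
    """m = c^d mod n, computed only on the device holding d."""
    n, d = private_key
    return pow(c, d, n)


def roundtrip(m, bits=512, seed=None):
    """Generate a fresh key pair and check m^(ed) = m (mod n), as proved in §11.8.
    A seed gives a repeatable key pair; leave it None for a real key."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    public_key, private_key = generate_keypair(bits, rng=rng)
    return decrypt(encrypt(m, public_key), private_key) == m
```

The operator relaying the message sees only the value returned by encrypt; without d it is in the same position as Eve in the examples that follow.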
§ 11.10. Cracking the RSA Code
As described above, the RSA code seems secure. But it doesn’t pay to be too
complacent. For example it might have occurred to you that the system could be simplified
by using the same modulus for all users. After all, if it can’t be factorised, why not?
Example 13:
OPERATOR KNOWS
p = 37, q = 73, n = 2701, ϕ(n) = 2592
A: e1 = 125, d1 = 1493
B: e2 = 325, d2 = 973
Eve KNOWS
n = 2701
A: e1 = 125
B: e2 = 325
Alice KNOWS
n = 2701
A: e1 = 125, d1 = 1493
B: e2 = 325
Bob KNOWS
n = 2701
A: e1 = 125
B: e2 = 325, d2 = 973
Eve doesn’t know ϕ(n). (We’ll assume that n is so large that she can’t factorise it.) The
calculation below needs one valid pair of encoding and decoding numbers for the shared
modulus. Alice has such a pair, e1 = 125 and d1 = 1493, and so does every other subscriber;
suppose that Eve has obtained Alice’s pair, or is herself a subscriber. She then knows that
e1d1 ≡ 1 (mod ϕ(n)), so that ϕ(n) divides 125.1493 − 1 = 186624.
This means that 186624 = kϕ(n), for some integer k, giving k = 186624/ϕ(n).
Now ϕ(n) < n but for large n will be close to n. So k > 186624/n = 186624/2701 ≈ 69.09, but it
will only be a little bigger.
Try k = 70. This gives ϕ(n) = 186624/70 ≈ 2666.057. This is not an integer.
Try k = 71. This gives ϕ(n) = 186624/71 ≈ 2628.507. This is not an integer.
Try k = 72. This gives ϕ(n) = 186624/72 = 2592. This is an integer and so is probably the
correct value. To be completely sure one can use ϕ(n) to factorise n.
In this example, if p, q are the factors of n we know that:
pq = 2701 and
(p − 1)(q − 1) = ϕ(n) = 2592.
Subtracting, we get p + q − 1 = 109, so p + q = 110.
So p, q are the roots of a quadratic equation, and given the sum of the roots and the product
of the roots the quadratic must be x^2 − 110x + 2701.
Solving, we get x = (110 ± √(110^2 − 4.2701))/2
= (110 ± √1296)/2
= (110 ± 36)/2
= 73, 37. These are the factors of 2701.
Once Eve has discovered p and q she knows ϕ(n), and since the modulus is shared this is
the same ϕ(n) for every user. She can therefore work out Bob’s decoding number from his
public encoding number (here d2 = 973, the inverse of 325 modulo 2592) and so, if she
intercepts any message to Bob, she can decode it. But this has come about only because the
same modulus is used for every user.
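Eve’s calculation in Example 13, as an added Python example (not code from the chapter), carried through for a general n: recover ϕ(n) from one valid pair (e, d), factorise n from ϕ(n) by the quadratic, then compute any other subscriber’s decoding number. The function names are ours. The search for k assumes, as the text does, that p and q are of similar size so that ϕ(n) is close to n.

```python
from math import isqrt


def factor_from_phi(n, phi):
    """If phi = (p-1)(q-1) for n = pq then p + q = n + 1 - phi, and p, q are the
    roots of x^2 - (p+q)x + n. Returns (p, q) with p < q, or None if the roots
    are not integers (i.e. phi was not really phi(n))."""
    s = n + 1 - phi                      # p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


def recover_phi(n, e, d):
    """e*d - 1 = k*phi(n) for some k. Because phi(n) is a little below n, k is a
    little above (e*d - 1)/n, so try k upward from there and accept the first
    candidate for phi(n) that actually factorises n."""
    t = e * d - 1
    k0 = t // n + 1
    for k in range(k0, 2 * k0 + 2):      # enough when p and q are of similar size
        if t % k == 0 and factor_from_phi(n, t // k):
            return t // k
    raise ValueError("phi(n) not found; the primes may be very unbalanced")


def break_shared_modulus(n, e_mine, d_mine, e_other):
    """A subscriber uses her own (e, d) to recover phi(n) and factorise the shared n,
    then derives another subscriber's decoding number from his public e."""
    phi = recover_phi(n, e_mine, d_mine)
    p, q = factor_from_phi(n, phi)
    return p, q, pow(e_other, -1, phi)   # Python 3.8+ modular inverse
```

The same calculation is what Exercises 11B5, 11B6 and 11B7 ask for, with n, e and d taken from those exercises.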
§ 11.11. Signature Verification
Another problem with computer security is to be able to guarantee that a particular
message has come from whoever it is supposed to have come from. If I send a message to your
bank, masquerading as you, and request that your balance be transferred into a certain Swiss
bank account, it would be comforting to know that your bank could tell that the request hadn’t
come from you. Of course I’d need to have somehow obtained your account details and
password, but that’s not impossible. Signature verification is an additional security measure.
Signature verification uses the RSA system in reverse. If I want to send a message to
you, in such a way that you can be sure that it has indeed come from me, I encode it
using my own decoding number instead of your encoding number. When you receive it you
decode it using my encoding number, which is public. If it comes out as a recognisable
message then it must have come from me, because only I know my decoding number.
If the original message is m, my modulus is n and my decoding number is d, then I
calculate m′ = m^d (mod n). When you receive m′ you calculate (m′)^e (mod n), where e is
my encoding number.
But (m′)^e ≡ (m^d)^e ≡ m^(ed) ≡ m (mod n).
But how would you know that m was the correct original message? With a short, cryptic
message you might not: anybody can pick a number m′ at random and present it as a signed
message, and (m′)^e is then some number which you can only reject if you can tell that it is
not a genuine message. With a much longer message, the fact that it made sense when
converted to alphanumeric characters would guarantee its validity. If someone else attempted
to encode a message to send money from your account to some Swiss bank account, and
used the wrong decoding number (remember that only I know my own decoding number), the
output after decoding would be gibberish. For this reason practical signature schemes do not
sign the raw message number: they sign a fixed-format value derived from the message (a
hash of it, with prescribed padding), so that the “does it look right?” check is exact rather than
a matter of judgement.
Example 14:
OPERATOR KNOWS
A: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41
B: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17
Eve KNOWS
A: n1 = 95, e1 = 65
B: n2 = 77, e2 = 53
Alice KNOWS
A: n1 = 95, e1 = 65, d1 = 41
B: n2 = 77, e2 = 53
Bob KNOWS
A: n1 = 95, e1 = 65
B: n2 = 77, e2 = 53, d2 = 17
Suppose Alice wants to send the message m = 2 to Bob so that Bob can be sure that it came
from Alice. Then Alice computes 2^41 (mod 95).
2^2 = 4
2^4 = 16
2^8 ≡ 66
2^16 ≡ 81
2^32 ≡ 6
Hence 2^41 = 2^32.2^8.2 ≡ 6.66.2 ≡ 32.
She transmits this message, 32, and when Bob receives it he calculates 32^65 (mod 95).
32^2 ≡ 74
32^4 ≡ 61
32^8 ≡ 16
32^16 ≡ 66
32^32 ≡ 81
32^64 ≡ 6
Hence 32^65 ≡ 6.32 ≡ 2. If Eve had sent the message, not knowing Alice’s decoding
number and so using a wrong one, it would have been decoded as some other number, such
as 7. How does Bob know that it wasn’t Eve who sent the message? After all 7 is just as
plausible as 2.
But remember that, in practice, the messages will be converted to quite large numbers.
So a message that had come from Alice might be decrypted by Bob as:
PLEASE SEND $1000 TO BANK ACCOUNT 51238.
If Eve had sent this, with 51238 as her own account, Bob might decrypt it as:
NGDR JU2CDF NK7RC G9KHB LQXZYQ.
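The signing and checking of §11.11 and Example 14, as an added Python example (not the chapter’s code). It also shows two things the “is it gibberish?” test has to catch: anyone can produce a pair (m′, m) that passes the check without knowing d, and the product of two signatures is a valid signature on the product of the messages. The four-bit tag in sign_tagged and verify_tagged is a constructed stand-in for the “recognisable message” check, our assumption rather than anything in the chapter; it uses the keys of Exercise 11B4 (n = 2573, e = 77, d = 1853) because Example 14’s modulus is too small to hold a tag.

```python
def sign(m, d, n):
    """Alice 'encodes' with her own decoding number: m' = m^d mod n."""
    return pow(m, d, n)


def verify(s, e, n):
    """Bob recovers m = (m')^e mod n using Alice's public encoding number."""
    return pow(s, e, n)


def existential_forgery(e, n, s):
    """Without d, Eve picks any s and outputs (s, s^e mod n). verify() reproduces
    that m, so only the recipient's judgement that m is gibberish rejects it."""
    return s, pow(s, e, n)


def multiplicative_forgery(s1, s2, n):
    """Textbook RSA is multiplicative: sign(m1)*sign(m2) = sign(m1*m2 mod n),
    so two genuine signatures combine into a third one Alice never made."""
    return s1 * s2 % n


TAG = 0x5   # constructed 4-bit redundancy tag (our assumption, not from the chapter)


def sign_tagged(payload, d, n):
    """Sign (payload, tag) rather than the bare payload."""
    m = (payload << 4) | TAG
    if m >= n:
        raise ValueError("payload too large for this modulus")
    return sign(m, d, n)


def verify_tagged(s, e, n):
    """Return the payload if the recovered value carries the tag, else None:
    a mechanical version of 'does it come out as a recognisable message?'."""
    m = verify(s, e, n)
    if m & 0xF != TAG:
        return None      # recovered value is gibberish: reject
    return m >> 4
```

With the tag, a random m′ is accepted only if (m′)^e happens to end in the tag bits; a real scheme makes that chance negligible by signing a hash with standard padding rather than four fixed bits.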
EXERCISES FOR CHAPTER 11
EXERCISES 11A (Arithmetic Mod m)
Ex 11A1: If x = 7 and y = 6, compute x^3 + y^3 (mod 11).
Ex 11A2: Find the inverses of the non-zero elements of ℤ11.
Ex 11A3: Which elements of ℤ15 have inverses under multiplication?
Ex 11A4: Find the remainder on dividing 13^31967 by 31.
Ex 11A5: Calculate ϕ(2600). Hence find 3^1000 in ℤ2600.
Ex 11A6: In ℤ1271 find 1037^1234567.
Ex 11A7: Find the remainder on dividing 11^1603 by 600.
Ex 11A8: Find the inverse of 125 modulo 2592. (This obtains the decoding number for user
A in example 13.)
Ex 11A9: (i) Solve the equation 143x ≡ 1(mod 300).
(ii) Find ϕ(78200).
EXERCISES 11B (Public Key Cryptography)
Ex 11B1: (a) You are a user in a Public Key Cryptographic System based on the RSA system.
You wish to send the message 12 to another user whose modulus is 527 and whose encoding
number is 113. What is the encoded message that you would send?
(b) Factorise 527 into primes (in practical Public Key Systems this would be the “stumbling
block”). Use this factorisation to compute the decoding number for the other user.
(c) Now use that other user’s decoding number to decode the message sent in part (a).
Ex 11B2: Suppose you are setting up a Public Key Cryptographic system, using the RSA
algorithm and you choose to use the same modulus 4331 = 61.71 for all users. (This is risky,
as we’ve seen in §11.10, even for large primes.) In choosing encoding numbers for the users
you’d obviously avoid e = 1. Suppose that encoding numbers that are prime or perfect
squares are considered to be unlucky and are avoided. Choose the smallest suitable encoding
number for a user and calculate the corresponding decoding number.
Ex 11B3: You are Alice Turnbull, a user of a Public Key Cryptographic system and you’ve
been issued with this directory of moduli and encoding keys for all users.
DIRECTORY
USER              modulus   encoding number
.......................................
TURING Alan       4343      1573
TURNBULL Alice    7259      3907
TURTLE Bob        9301      129
.......................................
You are also issued with a secret decoding number:
TOP SECRET
Alice Turnbull:
Your Decoding number is 4003.
DO NOT REVEAL THIS TO
ANYONE
(a) You wish to send the message 2195 to Alan Turing. What should you send?
(b) You receive the message 157, apparently from Bob Turtle. Decode it.
(c) The message includes the information in “plain text” to the effect that it has come from
Bob Turtle and, when the main message is decoded it should read 8143. Was it a forgery?
Ex 11B4: You are setting up an RSA Public Key coding system and, for subscriber A, you’ve
chosen the primes p = 31, q = 83 and the encoding number e = 77.
(i) Calculate the corresponding decoding number, d.
(ii) Subscriber B wishes to send the message m = 14 to A. What does she send to A?
(iii) B receives the message 14 from A, who claims that it is his encoding number encoded by
his decoding number (using his modulus). Check whether this message did come from A.
Ex 11B5: An RSA Public Key coding system works with modulus 391 which is the product
of two primes. A message, represented by the number 20, is sent to someone whose encoding
key is 53.
(i) What is the corresponding encoded message?
(ii) The corresponding decoding key is 93. Use this information to find the two prime
factors, p and q, of 391.
(iii) Check that ϕ(391) = (p − 1)(q − 1).
(iv) Use this to find the decoding number for someone who has an encoding key of 91.
Ex 11B6: An RSA Public Key system works with the same modulus, 673627, for all users. It
is the product of two primes. A message, represented by the number 3, is sent to someone
whose encoding key is 13.
(i) What is the corresponding encoded message?
(ii) The corresponding decoding key is 103381. Use this information to find the two
prime factors, p and q of 673627.
(iii) Check that ϕ(673627) = (p − 1)(q − 1).
(iv) Use this to find the decoding number for someone else, with an encoding key of 7.
Ex 11B7: An RSA Public Key system assigns to a user the modulus 42547, the encoding key
77 and decoding key 41573. Use this information to find the two prime factors of 42547.
SOLUTIONS FOR CHAPTER 11
Ex 11A1: 9
Ex 11A2:
x      1  2  3  4  5  6  7  8  9  10
x^-1   1  6  4  3  9  2  8  7  5  10
Ex 11A3: 1, 2, 4, 7, 8, 11, 13, 14.
Ex 11A4: 17.
Ex 11A5: ϕ(2600) = 960; 3^1000 = 601
Ex 11A6: ϕ(1271) = ϕ(31.41) = 1200 and 1234567 = 1200.1028 + 967, so 1037^1234567 = 1037^967 = 391 in ℤ1271.
Ex 11A7: ϕ(600) = ϕ(2^3.3.5^2) = 2^2.2.5.4 = 160. Thus 11^160 = 1 in ℤ600.
Hence 11^1603 = 11^3 = 1331 = 131. Thus the remainder is 131.
Ex 11A8: Apply the Euclidean algorithm to 2592 and 125:
2592 = 125.20 + 92
125 = 92.1 + 33
92 = 33.2 + 26
33 = 26.1 + 7
26 = 7.3 + 5
7 = 5.1 + 2
5 = 2.2 + 1
Hence 1 = 5 − 2.2
= 5 − 2(7 − 5) = 3.5 − 2.7
= 3(26 − 3.7) − 2.7 = 3.26 − 11.7
= 3.26 − 11(33 − 26) = 14.26 − 11.33
= 14(92 − 33.2) − 11.33 = 14.92 − 39.33
= 14.92 − 39(125 − 92) = 53.92 − 39.125
= 53(2592 − 125.20) − 39.125 = 53.2592 − 1099.125.
Hence 1 ≡ (−1099).125 (mod 2592).
The inverse of 125 modulo 2592 is therefore −1099 ≡ 1493.
Ex 11A9: (i) 300 = 143.2 + 14
143 = 14.10 + 3
14 = 3.4 + 2
3 = 2.1 + 1
∴ 1 = 3 − 2
= 3 − (14 − 3.4)
= 3.5 − 14
= (143 − 14.10).5 − 14
= 143.5 − 14.51
= 143.5 − (300 − 2.143).51
= 143.107 − 300.51
≡ 143.107 (mod 300).
∴ x ≡ 107 (mod 300).
(ii) ϕ(78200) = ϕ(2^3.5^2.17.23) = 2^2.(5.4).16.22 = 28160.
Ex 11B1: (a) Send 12^113 (mod 527). Now in ℤ527:
12^2 = 144;
12^4 = 20736 = 183;
12^8 = 33489 = 288;
12^16 = 82944 = 205;
12^32 = 42025 = 392;
12^64 = 153664 = 307;
∴ 12^113 = 12^64.12^32.12^16.12
= 307.392.205.12
= 120344.2460
= 188.352
= 66176 = 301. So the transmitted message is 301.
(b) 527 = 17.31 and so ϕ(527) = 16.30 = 480.
Now 480 = 113.4 + 28 and
113 = 28.4 + 1.
Hence 1 = 113 − (480 − 113.4).4
= 17.113 − 480.4
and so in ℤ480, 1 = 17.113.
Thus the decoding number is 17.
CHECK: If we now decode the message 301 using this decoding number we get
301^17 (mod 527). Using the same method as in (a) we get 12, the original message.
Ex 11B2: n = pq = 4331 and ϕ(n) = 60 × 70 = 4200. An encoding number can be
any number that is coprime with 4200. It therefore must have no factor 2, 3, 5 or 7.
Clearly e = 1 is unsuitable, and we’re told to avoid primes and square values of e. The
smallest suitable number is thus e = 11.13 = 143.
We now find the inverse of 143 modulo 4200.
4200 = 143.29 + 53
143 = 53.2 + 37
53 = 37 + 16
37 = 16.2 + 5
16 = 5.3 + 1 so
1 = 16 − 5.3
= 16 − (37 − 16.2).3
= 16.7 − 37.3
= (53 − 37).7 − 37.3
= 53.7 − 37.10
= 53.7 − (143 − 53.2).10
= 53.27 − 143.10
= (4200 − 143.29).27 − 143.10
= 4200.27 − 143.793.
So d = −793 ≡ 3407 (mod 4200).
Thus e = 143 and d = 3407.
Ex 11B3: (a) The encoded message is 2195^1573 (mod 4343).
Now 1573 = 1024 + 512 + 32 + 4 + 1.
We prepare a table of values of 2195^m modulo 4343 for m a power of 2.
m        1     2     4     8     16    32    64    128   256   512   1024
2195^m   2195  1638  3413  643   864   3843  2449  4261  2381  1546  1466
So 2195^1573 = 2195.3413.3843.1546.1466 = 4203.3843.1546.1466 = 512.1546.1466
= 1126.1466 = 376.
(b) The decoded message is 157^4003 (mod 7259).
Now 4003 = 2048 + 1024 + 512 + 256 + 128 + 32 + 2 + 1.
m       1    2     4     8     16    32    64    128   256   512   1024  2048
157^m   157  2872  2160  5322  6325  1276  2160  5322  6325  1276  2160  5322
So 157^4003 ≡ 5322.2160.1276.6325.5322.1276.2872.4003
≡ 4523.5951.3707.5619
≡ 1.3562
≡ 3562
(c) We must calculate 3562^129 (mod 9301).
m        1     2     4     8    16    32    64    128
3562^m   3562  1280  1424  158  6362  6393  1855  8956
3562^129 ≡ 8956.3562 ≡ 8143.
Hence we assume that it must have genuinely come from Bob Turtle.
Ex 11B4:
(i) n = 2573. ϕ(n) = 30.82 = 2460.
So we must solve 77d ≡ 1 (mod 2460).
2460 = 77.31 + 73
77 = 73.1 + 4
73 = 4.18 + 1
∴ 1 = 73 − 4.18
= 73 − (77 − 73).18
= 73.19 − 77.18
= (2460 − 77.31).19 − 77.18
= 2460.19 − 77.607
≡ −77.607 (mod 2460)
∴ d ≡ −607 ≡ 1853 (mod 2460).
So the decoding key is 1853.
(ii) B sends 14^e (mod pq), that is, 14^77 (mod 2573).
14^2 ≡ 196
14^4 ≡ 2394
14^8 ≡ 1165
14^16 ≡ 1254
14^32 ≡ 413
14^64 ≡ 751
77 = 64 + 8 + 4 + 1
∴ 14^77 ≡ 751.1165.2394.14
≡ 95.67 ≡ 1219.
So B sends A the coded message 1219.
(iii) If A had sent his encoding number, coded by his decoding number, then it should have
been 77^d (mod 2573). That would mean that 77^d ≡ 14 (mod 2573).
Then 77^(77d) ≡ 14^77 (mod 2573), that is 14^77 ≡ 77 (mod 2573), since 77d ≡ 1 (mod ϕ(n)).
But from (ii) we found that 14^77 ≡ 1219, not 77. Therefore either A got it wrong or, more
likely, the message came from someone else pretending to be A.
Ex 11B5:
(i) The encoded message is 20^53 (mod 391).
20^2 ≡ 400 ≡ 9
20^4 ≡ 81
20^8 ≡ 305
20^16 ≡ 358
20^32 ≡ 307
53 = 32 + 16 + 4 + 1 so
20^53 = 307.358.81.20
= 35.56 = 5.
So the encoded message is 5.
(ii) 53.93 = 4929 ≡ 1 (mod ϕ(391)).
Hence 4928 = ϕ(391)k for some k.
Now ϕ(391) < 391 so k > 4928/391 ≈ 12.60.
Try k = 13. Then ϕ(391) = 4928/13 ≈ 379.077. This is impossible.
Try k = 14. Then ϕ(391) = 4928/14 = 352. This is probably correct.
If p, q are the prime factors of 391 we therefore have pq = 391.
Because the numbers are small in this exercise it would be very easy to find p and q directly,
but let’s pretend that this is not feasible, as would be the case with 200 digit primes.
So pq = 391 and
ϕ(391) = (p − 1)(q − 1) = 352.
Subtracting, we get p + q − 1 = 39 so p + q = 40.
So p, q are the roots of a quadratic where the sum of the roots is 40 and the product is 391.
This quadratic equation is x^2 − 40x + 391 = 0.
Solving, we get x = (40 ± √(40^2 − 4.391))/2 = (40 ± √36)/2 = (40 ± 6)/2 = 17 and 23.
(iii) (p − 1)(q − 1) = 16.22 = 352 = ϕ(391).
(iv) The decoding number for e = 91 would satisfy 91d ≡ 1 (mod 352).
Now 352 = 91.3 + 79
91 = 79.1 + 12
79 = 12.6 + 7
12 = 7.1 + 5
7 = 5.1 + 2
5 = 2.2 + 1
∴ 1 = 5 − 2.2
= 5 − (7 − 5).2
= 5.3 − 7.2
= (12 − 7).3 − 7.2
= 12.3 − 7.5
= 12.3 − (79 − 12.6).5
= 12.33 − 79.5
= (91 − 79).33 − 79.5
= 91.33 − 79.38
= 91.33 − (352 − 91.3).38
= 91.147 − 352.38 ≡ 91.147 (mod 352).
Hence the decoding number is 147.
Ex 11B6:
(i) 3^13 = 1594323 ≡ 247069 (mod 673627). So the encoded message is 247069.
(ii) Let e = 13, d = 103381. Then ed = 1343953 ≡ 1 (mod (p − 1)(q − 1)).
Hence (p − 1)(q − 1) divides 1343952.
We know also that pq = 673627. Since (p − 1)(q − 1) is less than pq but most likely has the
same order of magnitude as pq, and 1343952/673627 ≈ 1.995, it is likely that
1343952 = 2(p − 1)(q − 1), which gives (p − 1)(q − 1) = 671976.
Hence pq − p − q + 1 = 671976, which gives
p + q = pq + 1 − 671976 = 673627 + 1 − 671976 = 1652.
We therefore have p + q = 1652 and pq = 673627. It follows that p, q are solutions to the
quadratic equation x^2 − 1652x + 673627 = 0. The discriminant is 1652^2 − 4.673627 = 34596
= 186^2, so the solutions are (1652 ± 186)/2, that is, the integers 733 and 919. We can check
that they are indeed the two factors of 673627.
(iii) (p − 1)(q − 1) = 732.918 = 671976.
(iv) If now e = 7 then the corresponding decoding key satisfies 7d ≡ 1 (mod 671976).
The solution can be easily found to be 479983.
Ex 11B7: Let e = 77, d = 41573, n = pq = 42547.
Then ed − 1 = 3201120 = kϕ(n) for some integer k.
k = 3201120/ϕ(n) > 3201120/42547 ≈ 75.23.
Try k = 76: ϕ(n) = 3201120/76 = 42120. Since this is an integer it is probably the correct value.
pq = 42547
(p − 1)(q − 1) = 42120
∴ p + q − 1 = 427 so p + q = 428.
Hence p, q are the roots of the quadratic x^2 − 428x + 42547.
So the prime factors of 42547 are 271, 157.