EE720 - Quiz3

EE 720: An Introduction to Number Theory and Cryptography (Spring 2019)
Instructor: Saravanan Vijayakumaran

Indian Institute of Technology Bombay
Quiz 3 : 20 points April 18, 2019
1. (5 points) An element x ∈ Z∗N which satisfies xN −1 6= 1 mod N is said to be a witness

that N is composite.
For a given N , suppose there exists a witness that N is composite. Prove that at
least half the elements of Z∗N are witnesses that N is composite.
Note: You can use the following result without giving a proof.
Let G be a finite group and H ⊆ G. If H is nonempty and for all a, b ∈ H we have ab ∈ H, then H
is a subgroup of G.
Solution: Consider the subset H of Z∗N which consists of elements a ∈ Z∗N sat-
isfying aN −1 = 1 mod N .
H = a ∈ Z∗N | aN −1 = 1 mod N

In other words, H is the set of elements in Z∗N which are not witnesses.
H is a subgroup of Z∗N by the result in the hint. By the hypothesis, H 6= Z∗N . By
Lagrange’s theorem, the order of H is a proper divisor of |Z∗N |. Since the largest
proper divisor of an integer m is possibly m/2, the size of H is at most |Z∗N /2|,
i.e.
|H| ≤ |Z∗N /2| =⇒ |H c | ≥ |Z∗N /2|.
As H c is the set of witnesses in Z∗N , at least half the elements of Z∗N are witnesses
that N is composite.
2. (5 points) For an odd integer N , let N − 1 = 2r u where u is odd and r ≥ 1. An

integer x ∈ Z∗N is said to be a strong witness that N is composite if
(i) xu 6= ±1 mod N and

i
(ii) x2 u 6= −1 mod N for all i ∈ {1, 2, . . . , r − 1}.
If x ∈ Z∗N is a witness, prove that it is also a strong witness. The definition of a

witness is given in question 1.
Solution: To prove A =⇒ B, it enough to prove that B c =⇒ Ac . Here is A is

the statement “x ∈ Z∗N is a witness” and B is the statement “x ∈ Z∗N is a strong
witness”.
If x ∈ Z∗N is not a strong witness then one of the two statements is true:
(i) xu = 1 mod N or xu = −1 mod N .

i
(ii) x2 u 6= −1 mod N for some i ∈ {1, 2, . . . , r − 1}.
r
If xu = ±1 mod N , then xN −1 = x2 u = 1 mod N because it is obtained by
repeatedly squaring xu . Note that (±1)2 = 1 mod N . So x is not a witness that
N is composite.
i r
If x2 u = −1 mod N for some i ∈ {1, 2, . . . , r − 1} , then xN −1 = x2 u = 1 mod N
i
because it is obtained by repeatedly squaring x2 u . So x is not a witness that N
is composite.
3. (5 points) Suppose the GenRSA algorithm is used to generate two encryption-decryption

exponent pairs (e1 , d1 ) and (e2 , d2 ) for the same modulus N , where we have e1 6= e2
and gcd(e1 , e2 ) = 1. Also, suppose the same message m ∈ Z∗N is encrypted via plain
RSA using both the exponents to get ciphertexts c1 , c2 given by
c1 = me1 mod N,
c2 = me2 mod N.
Show how a PPT adversary can recover m from c1 , c2 using the public information
N, e1 , e2 .
Solution: Since gcd(e1 , e2 ) = 1, there exist integers X and Y such that
Xe1 + Y e2 = 1.
Computing X and Y from e1 , e2 involves the extended Euclidean algorithm which

is polynomial time.
Given X and Y , the adversary can calculate m as
e1 X e2 Y
cX Y
1 · c2 = (m1 ) · (m2 ) mod N
= mXe1 +Y e2 mod N = m1 mod N = m mod N.
4. Alice is using the plain RSA signature scheme with public key h143, 7i.
(a) (2 points) What is Alice’s private key?
Solution: Since N = 143 = 13 × 11, φ(N ) = 12 × 10 = 120.

Alice’s private key is the integer d ∈ Z∗120 such that 7d = 1 mod 120.
Hint 1 tells us that 721 = 1 mod 120. This gives us d = 103 as 7×103 = 721.
(b) (3 points) What is the plain RSA signature corresponding to the message m =
2? Reduce your answer to an integer in the set {0, 1, . . . , 142}.
Solution: In general, the plain RSA signature is σ = md mod N . Here it is

σ = 2103 mod 143.
Grading scheme: 1.5 points out of 3 if σ is not reduced further.
To reduce σ to an integer in Z∗143 , we calculate the following.
2103 mod 13 = 212×8+7 mod 13 = 27 mod 13 (Fermat’s little theorem)

= 128 mod 13 = 11 mod 13
2 mod 11 = 210×10+3 mod 11 = 23 mod 11 (Fermat’s little theorem)
103
= 8 mod 11
We have the system of congruences
σ = 11 mod 13,
σ = 8 mod 11,
which can be solved using the procedure in Hint 2.

M = 143, p1 = 13, p2 = 11, M1 = 11, M2 = 13
M1 y1 = 1 mod p1 =⇒ 11y1 = 1 mod 13 =⇒ y1 = 6 mod 13.
M2 y2 = 1 mod p2 =⇒ 11y2 = 1 mod 11 =⇒ y2 = 6 mod 11.
The signature is given by
σ = a1 M1 y1 + a2 M2 y2 mod M
=⇒ σ = 11 × 11 × 6 + 8 × 13 × 6 mod 143
= 225 × 6 mod 143 = 82 × 6 mod 143 = 492 mod 143 = 63 mod 143.
So the signature on the message 2 is 63.

EE720 - Quiz3

Uploaded by

Copyright:

Available Formats

EE720 - Quiz3

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EE720 - Quiz3

Uploaded by

Copyright:

Available Formats

EE 720: An Introduction to Number Theory and Cryptography (Spring 2019)

Instructor: Saravanan Vijayakumaran

1. (5 points) An element x ∈ Z∗N which satisfies xN −1 6= 1 mod N is said to be a witness

|H| ≤ |Z∗N /2| =⇒ |H c | ≥ |Z∗N /2|.

2. (5 points) For an odd integer N , let N − 1 = 2r u where u is odd and r ≥ 1. An

(i) xu 6= ±1 mod N and

If x ∈ Z∗N is a witness, prove that it is also a strong witness. The definition of a

Solution: To prove A =⇒ B, it enough to prove that B c =⇒ Ac . Here is A is

(i) xu = 1 mod N or xu = −1 mod N .

3. (5 points) Suppose the GenRSA algorithm is used to generate two encryption-decryption

Solution: Since gcd(e1 , e2 ) = 1, there exist integers X and Y such that

Computing X and Y from e1 , e2 involves the extended Euclidean algorithm which

Solution: Since N = 143 = 13 × 11, φ(N ) = 12 × 10 = 120.

Solution: In general, the plain RSA signature is σ = md mod N . Here it is

2103 mod 13 = 212×8+7 mod 13 = 27 mod 13 (Fermat’s little theorem)

We have the system of congruences

which can be solved using the procedure in Hint 2.

M1 y1 = 1 mod p1 =⇒ 11y1 = 1 mod 13 =⇒ y1 = 6 mod 13.

M2 y2 = 1 mod p2 =⇒ 11y2 = 1 mod 11 =⇒ y2 = 6 mod 11.

The signature is given by

So the signature on the message 2 is 63.

You might also like