
550.371/650.471 Cryptology, Exam 2, Spring 2017
In all of the exam problems, you may use without proof any logically preceding result. Note that
blank answers will be given 20% of the credit, but answers without merit will not receive any credit.
Problem 1: (10 points) Suppose that n is an odd, composite integer; in particular, say that
n = a · b, where a ≤ b are nontrivial factors (and a, b are obviously odd). Prove that Fermat Factorization will eventually factor n. Use your answer to briefly explain a takeaway lesson for RSA.
Solution: When $i = \frac{b-a}{2}$ (which is an integer because $a, b$ are odd, hence $b - a$ is even) then
$$n + i^2 = ab + \left(\frac{b-a}{2}\right)^2 = ab + \frac{b^2 - 2ab + a^2}{4} = \frac{b^2 + 2ab + a^2}{4} = \left(\frac{b+a}{2}\right)^2,$$
and $\frac{b+a}{2}$ is an integer since $b + a$ is even. Thus,
$$n = \left(\frac{b+a}{2}\right)^2 - \left(\frac{b-a}{2}\right)^2 = \left(\frac{b+a}{2} - \frac{b-a}{2}\right)\left(\frac{b+a}{2} + \frac{b-a}{2}\right) = a \cdot b.$$
The takeaway lesson is not to choose RSA modulus using primes that are near each other.
Problem 2: (10 points) Suppose that $p$ is a prime number such that $p \equiv 3 \bmod 4$, and $c \in \mathbb{Z}_p$ has a square root mod $p$. Show that $c^{(p+1)/4} \bmod p$ is a square root of $c$ mod $p$. Don't forget to cite by name any relevant result that you use!
Solution: Say $m \in \mathbb{Z}_p$ is such that $m^2 = c \bmod p$; if $m = 0$ then our result is clearly trivial. Else $m \in \mathbb{Z}_p^*$, so
$$\left(c^{(p+1)/4}\right)^2 = \left((m^2)^{(p+1)/4}\right)^2 = m^{p+1} = m^2 \cdot m^{p-1} = m^2 \cdot 1 = c \bmod p$$
by Fermat's Theorem.
Problem 3: (10 points) Suppose $p$ and $q$ are prime numbers such that $q = 2p + 1$. Prove that if $a \in \mathbb{Z}_q$ is such that $a \neq 0, 1, -1 \bmod q$, then $a^p \neq 1 \bmod q$ implies that $a$ is a primitive root mod $q$.
Solution: Note that $a \neq 0 \bmod q$ means that $a \in \mathbb{Z}_q^*$. Since $|\mathbb{Z}_q^*| = 2p$, we have by Lagrange's Theorem that the order of $a \in \mathbb{Z}_q^*$ is either $1, 2, p$, or $2p$, since these are the only positive divisors of $2p$. Now, $\operatorname{order}(a)$ is not $1$ since $a \neq 1 \bmod q$. Also, $\operatorname{order}(a)$ is not $2$ since $a \neq -1 \bmod q$ (and $-1 \bmod q$ is the only square root mod $q$ of $1$, besides $1$ itself). Next, $\operatorname{order}(a)$ is not $p$ since $a^p \neq 1 \bmod q$. Thus we must conclude that $\operatorname{order}(a) = 2p$, i.e. $\langle a \rangle = \mathbb{Z}_q^*$, i.e. $a$ is a primitive root mod $q$.
Problem 4: (10 points) Suppose that Bob publishes his RSA modulus n and his encryption
exponent e, and does not publish his decryption exponent d, nor the primes p and q such that
n = pq. Unbeknownst to Bob, Eve knows d. Describe specifically how Eve can efficiently factor n
with probability of failure at most $\frac{1}{1000}$. (Hint: $2^{10} = 1024$.)
Solution: Eve knows $d$ and thus knows $k = ed - 1$, which, as a multiple of $\phi(n)$, is a universal exponent for $\mathbb{Z}_n^*$. With $\ell = 10$ random bases $a \in \mathbb{Z}_n^*$ for exponent factorization, the probability that any one fails to factor $n$ is less than $\frac{1}{2}$, so the probability that all of them fail to factor $n$ is $\le \left(\frac{1}{2}\right)^{10} = \frac{1}{1024} < \frac{1}{1000}$.
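As an added illustration of the exponent-factorization argument above (this code is not part of the exam or its solutions), the following Python recovers a factor of $n$ from a leaked $d$. The RSA instance $p = 53$, $q = 61$, $e = 17$, $d = 2753$ is a constructed toy example, and the function and helper names are my own.

```python
import math
import random
from fractions import Fraction


def factor_from_private_exponent(n, e, d, bases=None, trials=10):
    """Return a proper factor of n from (e, d), or None if every base fails.

    k = e*d - 1 is a multiple of phi(n), so a^k = 1 (mod n) for all a in Z_n^*.
    Writing k = 2^s * t with t odd, the chain a^t, a^(2t), ..., a^(2^s t) ends
    at 1; if it passes through x with x^2 = 1 but x != +-1 (mod n), then
    gcd(x - 1, n) is a nontrivial factor.  `bases` lets a caller supply a
    fixed list of bases; otherwise `trials` random bases are used.
    """
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:          # split k = 2^s * t with t odd
        s += 1
        t //= 2
    if bases is None:
        bases = (random.randrange(2, n - 1) for _ in range(trials))
    for a in bases:
        g = math.gcd(a, n)
        if g != 1:             # lucky: the base already shares a factor with n
            return g
        x = pow(a, t, n)
        if x in (1, n - 1):    # chain starts at +-1: this base reveals nothing
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:         # x is a nontrivial square root of 1 mod n
                return math.gcd(x - 1, n)
            if y == n - 1:     # reached -1 first: no information from this base
                break
            x = y
    return None


def failure_bound(trials):
    """Upper bound (1/2)^trials on the probability that all bases fail."""
    return Fraction(1, 2) ** trials


# Constructed toy instance: n = 53 * 61, phi(n) = 3120, e*d = 46801 = 15*3120 + 1.
N, E, D = 3233, 17, 2753

if __name__ == "__main__":
    print(factor_from_private_exponent(N, E, D, bases=[2, 3]))  # base 2 fails, base 3 yields 61
    print(failure_bound(10))                                     # 1/1024 < 1/1000
```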
Problem 5: (10 points) Suppose p, q are distinct primes. Prove that φ(pq) = φ(p)φ(q).
Solution: Indeed, $pq = \sum_{d \mid pq,\ d > 0} \phi(d) = \phi(pq) + \phi(p) + \phi(q) + \phi(1) = \phi(pq) + (p - 1) + (q - 1) + 1$.
Thus, $\phi(pq) = pq - (p - 1) - (q - 1) - 1 = (p - 1)(q - 1) = \phi(p)\phi(q)$.
Problem 6: (10 points) Recall that the basic motions of Rubik’s Cube are R, G, B, Y, W, N .
Consider the group of all motions of Rubik’s Cube. The following questions are short-answer.
a) Write down the elements in $\langle R \rangle$, i.e. the subgroup generated by $R$.
b) Write a group which is isomorphic to $\langle R \rangle$.
c) Write down the elements of any left coset for $\langle R \rangle$.
d) Write down the elements of any other left coset for $\langle R \rangle$.
Solution: The elements of $\langle R \rangle$ are $\{\emptyset, R, R^2, R^3\}$; the subgroup $\langle R \rangle$ is isomorphic to $(\mathbb{Z}_4, +)$.
One left coset is $\emptyset \cdot \langle R \rangle = \langle R \rangle$, and another left coset consists of $\{GY, GYR, GYRR, GYRRR\}$.