(1)WhatistheciphertextthatisproducedwhenRSAencryptionwithpublickey (e, n) = (3, 2669) is usedto encrypt the message BESTWISHES? Use the protocol A = 00, B = 01, ..., Z = 25 and break your messageup into blocks of length 4. (If a cipherthext block has fewer than four digits, add enough zeros at the beginningto make it have four digits.)

Solution: The numerical equivalent of the message, broken up into blocks of 4, is 0104, 1819, 2208, 1807, 0418.We encrypt by raising each block to the power e = 3 and reducing modulo n = 2669 to get

1043 ≡ 1215 (mod 2669);

18193 ≡ 1224 (mod 2669);

22083 ≡ 1471 (mod 2669);

18073 ≡ 23 (mod 2669);

4183 ≡ 116 (mod 2669).

The ciphertext is thus 12151224147100230116.

(2)UseMathematicatosolvethefollowingproblem.AlicehasaslowcomputerandpublishesanRSApublic key

(e, n) = (952859796010804402537, 137515498286936942046107746703624480207957)

that is not very secure since the numbers aren’t very large. Bob sends her an urgent ciphertext message usingthis public key, broken up into the following blocks:

113403756589260093949278318603930681886413,

125987468369297610213653477519525084178728,

43944784289127338075793492865014310001164,

135739830937229599489426895906452425083187,

109850539078433810931837688030802520077173,

112469132477024143792191502981504997455475,

94610945754028346269684292682885558347040.

You intercepted the message. Assuming you know that the plaintext was broken into blocks of eight digits,decipher the message. (Remember that you need to add zeros at the beginning of those plaintext blocks thatcome out with fewer than eight numbers. Also remember to load the crypto notebook and use the commandalph1 to convert your numerical plaintext to letters.)

Solution: See the last two pages.

(3) Recall that if we know the factorization of n = pq, then φ(n) = (p − 1)(q − 1) is easy to compute. In thisproblem, you will show that knowing n and φ(n) leads to the factorization of n. Thus factoring n is a problemof the same complexity as finding φ(n).(a) (5 pts) Show that p+ q = n− φ(n) + 1.(b) (3 pts) By using the fact that q = n/p, show that p satisfies the quadratic equation

p2 + (φ(n)− n− 1)p+ n = 0.

CRYPTOGRAPHY

Our online Tutors are available 24*7 to provide Help with Cryptography Homework/Assignment or a

long term Graduate/Undergraduate Cryptography Project. Our Tutors being experienced and proficient

in Cryptography ensure to provide high quality Cryptography Homework Help. Upload your

Cryptography Assignment at ‘Submit Your Assignment’ button or email it to info@assignmentpedia.com.

You can use our ‘Live Chat’ option to schedule an Online Tutoring session with our Cryptography

Tutors.

(c) (3 pts) Deduce that p and q are

p =(n− φ(n) + 1) +

√(n− φ(n) + 1)2 − 4n

2

q =(n− φ(n) + 1)−

√(n− φ(n) + 1)2 − 4n

2

Solution:(a) There are n integers up to and including n. Since n = pq, the following are the integers that are not

relatively prime to n:

p, 2p, 3p, ..., qp,

q, 2q, 3q, ..., (p− 1)q.

Note that we do not include pq in the second line since this number is listed in the first line already. Thusthere are p + q − 1 integers up to and including n that are not relatively prime to n. This leaves φ(n)integers. Thus (p+ q − 1) + φ(n) = n as desired.

(b) Plugging in q = n/p in the equation from part (a), we get

p+ n/p− 1 = n− φ(n)p2 + n− p = np− φ(n)p

p2 + φ(n)p− np− p+ n = 0

p2 + (φ(n)− n− 1)p+ n = 0.

(c) Solving the quadratic equation from (b) gives

p =(n− φ(n) + 1)±

√(n− φ(n) + 1)2 − 4n

2.

Switching the roles of p and q in part (b) gives the same quadratic equation with the same solutions. Sincep and q are distinct, one of p or q thus must be

(n− φ(n) + 1) +√

(n− φ(n) + 1)2 − 4n

2

and the other

(n− φ(n) + 1)−√(n− φ(n) + 1)2 − 4n

2.

RSA security

(4) Notice that the RSA decryption requires the use of Euler’s Formula with base P , where P is a plaintext block,and enciphering modulus n = pq, but the condition gcd(P, n) = 1 is never in fact checked (and this a hypothesisfor the Euler’s Formula).(a) (5 pts) Show that it is extremely unlikely that this condition is not satistied by showing that the probability

that P and n are not relatively prime is 1p + 1

q −1pq . Thus if both p and q are larger than 10100, the

probability that gcd(P, n) 6= 1 is less than 10−99. (Recall that the probability of an event occurring is thenumber of ways it can occur divided by the total number of possible events.)

(b) (3 pts) Suppose a cryptanalyst discovers a plaintext block P that is not relatively prime to n. Show thatthe cryptanalyst can factor n. (Hint: Recall that P < n.)

Solution:

(a) From an earlier problem, there are q + p − 1 integers (number of ways the event we’re interested in canoccur) up to including n that are not relatively prime to n (total number of outcomes). The probability isthen

q + p− 1

n=q

n+p

n− 1

n=

q

pq+

p

pq− 1

pq=

1

p+

1

q− 1

pq.

(b) Since a block P is less than n, if gcd(P, n) 6= 1, we must have gcd(P, n) = p or gcd(P, n) = q since p andq are the only factors of n. Euclidean algorithm then can be used for finding gcd(P, n) quickly. This givesone factor of n, and dividing n by this factor immediately gives the other.

(5) (3 pts) Suppose the length of each block in an RSA cipher is precisely the length of the numerical equivalentof each letter. How could this cipher be broken?

Solution: Since each letter is being encrypted the same way throughout a message, the RSA in this case reducesto a simple monoalphabetic substitution cipher which can be broken by frequency analysis.

(6) (3 pts) The exponent e = 2 should never be used in an RSA public key. Why?

Solution: To find the private key d from the public key (e, n), we need gcd(e, φ(n)) = gcd(e, (p−1)(q−1)) = 1.However, (p− 1)(q− 1) is necessarily even, so if e = 2, gcd(e, φ(n)) = 2, and private key does not exist. (Notethat this shows that e should more generally never be even.)

(7) (5 pts) One instance of how RSA can be subverted is when there is a common modulus protocol failure, whichmeans that two parties are using the same modulus n but different exponents e for encryption. Show that theplaintext of a message sent to each of these two parties can be recovered from the ciphertext messages if theexponents are relatively prime.

Solution: Suppose Alice1 and Alice2 are using same modulus n and exponents e1 and e2 for their public keys.Suppose Bob encrypts the same message P using (e1, n) and (e2, n) and sends the ciphertexts to Alice1 andAlice2. Eve intercepts both ciphertexts P e1 and P e2 and first uses Euclidean algorithm to solve ue1 + ve2 = 1fast (she can do this since gcd(e1, e2) = 1). Note that this step can be performed without the ciphertexts.Then she computes (P e1)u and (P e2)v mod n. She can then recover P by multiplying these two numbers since

(P e1)u(P e2)v ≡ P e1uP e2v (mod n) ≡ P e1u+e2v (mod n) ≡ P (mod n).

H* Problem 2 solution *L

H*The following few lines is how e and n were computed. You did not need to know this.*L

p = NextPrime@Random@Integer, 810^20, 10^21<DD

Out[170]= 906 819 166 412 721 858 083

In[171]:= q = NextPrime@Random@Integer, 810^20, 10^21<DD

Out[171]= 151 645 998 872 005 891 879

e = NextPrime@Random@Integer, 810^20, 10^21<DD

Out[172]= 952 859 796 010 804 402 537

H*So far, we have randomly choosen large Hbut not too largeL p, q, and e.*L

In[173]:= n = p * q

Out[173]= 137 515 498 286 936 942 046 107 746 703 624 480 207 957

In[148]:= P = num1@"youreallyneedafastercomputer"D

Out[148]= 25 152 118 050 112 122 514 050 504 010 601 192 005 180 315 131 621 200 518

H*This is the plaintext, converted to numbers*L

In[191]:= c1 = PowerMod@25 152 118, e, nDc2 = PowerMod@05 011 212, e, nDc3 = PowerMod@25 140 505, e, nDc4 = PowerMod@04 010 601, e, nDc5 = PowerMod@19 200 518, e, nDc6 = PowerMod@03 151 316, e, nDc7 = PowerMod@21 200 518, e, nD

Out[191]= 113 403 756 589 260 093 949 278 318 603 930 681 886 413

Out[192]= 125 987 468 369 297 610 213 653 477 519 525 084 178 728

Out[193]= 43 944 784 289 127 338 075 793 492 865 014 310 001 164

Out[194]= 135 739 830 937 229 599 489 426 895 906 452 425 083 187

Out[195]= 109 850 539 078 433 810 931 837 688 030 802 520 077 173

Out[196]= 112 469 132 477 024 143 792 191 502 981 504 997 455 475

Out[197]= 94 610 945 754 028 346 269 684 292 682 885 558 347 040

H*This is the ciphertext,made out of plaintext blocks of length 8. This is what you intercepted. *L

H*To break the message, do the following*L

In[188]:= Phi = EulerPhi@nD

Out[188]= 137 515 498 286 936 942 045 049 281 538 339 752 457 996

H*The cipher is weak since Mathematica can figure out PhiHnL fast*L

In[190]:= d = PowerMod@e, -1, PhiD

Out[190]= 15 837 563 809 419 715 974 639 737 748 420 536 708 137

H*Since you have PhiHnL, you can figure out the private key d fast*L

In[198]:= p1 = PowerMod@c1, d, nDp2 = PowerMod@c2, d, nDp3 = PowerMod@c3, d, nDp4 = PowerMod@c4, d, nDp5 = PowerMod@c5, d, nDp6 = PowerMod@c6, d, nDp7 = PowerMod@c7, d, nD

Out[198]= 25 152 118

Out[199]= 5 011 212

Out[200]= 25 140 505

Out[201]= 4 010 601

Out[202]= 19 200 518

Out[203]= 3 151 316

Out[204]= 21 200 518

H* These are the plaintext blocks. Remember to add zerosat the beginning of each block whose size is less than eight. *L

H*Finally we can convert back to text.*L

alph1@25 152 118 050 112 122 514 050 504 010 601 192 005 180 315 131 621 200 518D

Out[208]= youreallyneedafastercomputer

2 RSA homework problem.nb

visit us at www.assignmentpedia.com or email us at info@assignmentpedia.com or call us at +1 520 8371215