RSA, P���������� ��� S����� S������

4 Computer Science Mentors ��

Feb �� - Feb ��
Spring ����

Amogh Gupta, Sylvia Jin, Aekus Bhathal, Abinav Routhu, Debayan Bandyopadhyay

� RSA
�. RSA-BC��� [Practice Bank]
Bob would like to receive messages from Alice via RSA.

(a) He chooses � primes, p = 7 and q = 11. What is N ?

Solution: N = pq = (7) (11) = 77

(b) He chooses e = 7. To what number is e relatively prime?

Solution: e must be relatively prime to (p 1) (q 1) = 60.

(c) Calculate d .

Solution: d = e 1 mod (p 1) (q 1) = 7 1 mod 60 = 43

(d) Imagine Alice wants the send Bob a message x = 30. She applies her encryption function E (x ) to ��. What is the
encrypted message x 0 ?

Solution: E (x ) = x e mod N ! 307 mod 77 = 2

(e) What is the result of Bob applying his decryption function D (x 0 ) ?

Solution: D (x 0 ) = (x 0 ) d mod 77 = 243 mod 77 = 30

�. Prove the correctness of RSA.
Hint: Proving RSA amounts to showing that given d = e 1 mod (p 1) (q 1) :

(x e ) d = x mod N [x 2 {0, 1, 2, . . . , N 1}

Solution:

(x e ) d = x mod N [x 2 {0, 1, 2, . . . , N 1}
1) (q 1)k
(x e ) d x = x 1+(p x mod N
(p 1) (q 1)k
= x (x 1) mod N

Now, we will show that the last expression is divisible by both p and q by FLT.

Case �: x mod p = 0:

x (x (p 1) (q 1)k
1) = 0(0 (p 1) (q 1)k
1) = 0 mod p

Case �: x mod p , 0:

x (x (p 1) (q 1)k
1) = x ((x (p 1) (q 1)k
) 1) mod p
x (1 1) = 0 mod p

A symmetric argument works for q . If the expression is divisible by both p and q , then it is divisible by pq = N . Thus,

x (x (p 1) (q 1)k
1) = 0 mod N
(x e ) d = x mod N

�. For all r not divisible by primes p or q , find some a and b such that

r (p 1) (q 1)
ap bq ⌘ 0 ( mod pq )

Solution: First, we do some groundskeeping to tidy up the equation

r (p 1) (q 1)
⌘ ap + bq ( mod pq ) (�)

Let’s denote the left side of the equation LHS and the right side RHS. First, we work on the LHS.

Recall that the product of exponents x y z can be rewritten in two forms (x y ) z and (x z ) y . Hence,

r (p 1) (q 1)
= (r p 1 ) q 1

1 p 1
= (r q )

Page �
Now, we apply FLT:

(r p 1 ) q 1
⌘ 1q 1
⌘1 ( mod p)
q 1 p 1 p 1
(r ) ⌘1 ⌘1 ( mod q )

Now, we can treat the LHS as an unknown. Since p and q are prime and thus coprime, we can now apply CRT to find
r (p 1) (q 1) mod pq :

r (p 1) (q 1)
⌘ (1)pp q 1 + (1)q q p 1 ( mod pq )

Hence, we find that a = p q 1 and b = q p 1 satisfies (�) for all r not divisible by p or q (here p q 1 is the modular inverse of
p mod q and q p 1 is the modular inverse of q mod p ).

Page �
�. In each of the following examples, Alice and Bob wish to send messages to one another and eve wishes to intercept the
message. RSA is either used incorrectly (yields an incorrect result), is used correctly but can be broken, or is both correct and
can not be broken. Select the option that best applies and explain. Assume that p, q are prime and Bob publishes the public
key (N = pq, e)

(a) Eve, Alice, and Bob share a menu. Bob asks Alice what dish she wants, and Alice responds with the name of the dish using
standard RSA encryption.

Solution: Broken. Since there are a finite number of options, Eve can just guess-and-check. Eve knows the public key
that Bob will release in order to receive Alice’s message, so now Eve can just encrypt all menu items using e and see
which one matches Alice’s encrypted message, which she can publicly see.

(b) Eve is able to extort extra details from Alice and Bob. She now also knows the value of (p 1) (q 1) ( mod p)

Solution: Correct. Eve’s goal is to compute (p 1) (q 1) so that she is able to find d = e 1 mod (p 1) (q 1) .

Given (p 1) (q 1) ⌘ pq p q + 1 ⌘ q + 1 ( mod p) , Eve can find q ( mod p) . But this simply isn’t
enough information since rewriting q = k p + m where m is known introduces another variable k . Using the only
other information we have about p and q , N = pq = k p 2 + mp .

Now, to solve for k , Eve would have to be able to e�ciently factor p (q m) , which we know is a hard, otherwise she
can also e�ciently factor pq .

(c) Bob selects e where e is coprime to N but not coprime to (p 1) (q 1) .

Solution: Incorrect. RSA works only if e is coprime to (p 1) (q 1) so that there exists d = e 1 ( mod (p 1) (q 1)) .

It is possible for e to be coprime with N but not with (p 1) (q 1) . For instance, if p = 5 and q = 7, choose e = 4.
Now, there is no multiplicative inverse such that 4d ⌘ 1 ( mod 4 · 6) .

Page �
� Polynomials
[Note �, Page �]
Property �: A non-zero polynomial of degree d has at most d roots.
Property �: Given d + 1 pairs (x 1 , y 1 ), . . . , (x d +1 , y d +1 ) , with all the x i distinct, there is a unique polynomial p (x ) of
degree (at most) d such that p (x i ) = yi for 1  i  d + 1.

�. In this problem, consider all polynomials to be over GF(p ), where p > n for all the n defined in the problems.

(a) How many distinct degree n polynomials are there?

Solution: A degree n polynomial must be of the form a n x n + a n x n 1 · · · + a 1 x + a 0 , where a n , 0, and each a i is

taken from GF(p ) (or in other words, from � to p 1), and a polynomial is determined uniquely by its coe�cients.
Thus, we have p 1 choices for a n and p choices for a 0, a 1, . . . , a n 1 , giving (p 1)p n such polynomials.

(b) How many distinct polynomials p (x ) of degree at most n are there?

Solution: We follow the same solution as in part (a), but now there are p choices for a n , since a n can be �. We thus
get p n+1 polynomials.

(c) How many distinct polynomials of degree at most n are there such that p (0) = 1 and p (1) = 2?

Solution: A polynomial of degree at most n is uniquely determined by the values of the polynomial at n + 1 points
(for example, p (0), p (1), . . . , p (n 1), p (n) ). We have p choices for the values of p (2), p (3), . . . , p (n 1), p (n)
(since they can taken on any value from 0 to p 1), and these values combined with the p (0) and p (1) uniquely
determine a polynomial, so there are p n 1 such polynomials.

�. Let n 2 be a positive integer, and let p be a prime greater than n . Find all polynomials q (x ) of degree at most n in GF(p )
such that (x 2)q (x ) = x q (x 1) .

Solution: First, we plug in x = 0, giving that 2q (0) = 0. Thus, q (0) = 0, so � is a root of q (x ) . Then q has a fac-
tor of x , so q (x ) = x q 1 (x ) and q (x 1) = (x 1)q 1 (x 1) for some polynomial q 1 in GF(p ). Then we have that
(x 2)x q 1 (x ) = x (x 1)q 1 (x 1) .

Next, we plug in x = 1. Then 1q 1 (1) = 0, so q 1 (1) = 0. Thus, q 1 has a factor of x 1, so q 1 (x ) = (x 1)q 2 (x ) and
q 1 (x 1) = (x 2)q 2 (x 1) . Substituting in, we get (x 2)x (x 1)q 2 (x ) = x (x 1) (x 2)q 2 (x 1) . Moreover,
note that q 2 has degree at most n 2.

Suppose that x is not equal to 0, 1 or 2. Then q 2 (x ) = q 2 (x 1) . Thus, we conclude that q 2 (2) = q 2 (3) = · · · =
q 2 (n) = c , where c is some constant. Note that we have n 1 values of the polynomial q 2 , which has degree at most
n 2. Thus, there is a unique polynomial that satisfies these equations; specifically, the constant polynomial q 2 (x ) = c .

Thus, we conclude that q (x ) = x q 1 (x ) = x (x 1)q 2 (x ) = cx (x 1) for some constant c in GF(p ).

Page �
� Lagrange Interpolation
�. In this question, we want to demonstrate the intuition behind the Lagrange interpolation technique.

Let p (x ) be a polynomial of degree � over GF(�). Suppose p (1) = 2, p (2) = 1 and p (3) = 4. We would like to find the
coe�cient representation for p .

(a) Suppose we had polynomials, p 1 , p 2 , and p 3 , of degree 2 satisfying the following properties:

p 1 (1) = 1, p 1 (2) = 0, p 1 (3) = 0

p 2 (1) = 0, p 2 (2) = 1, p 2 (3) = 0
p 3 (1) = 0, p 3 (2) = 0, p 3 (3) = 1

How can we express p in terms of p 1 , p 2 , and p 3 ?

Solution: p = 2p 1 + p 2 + 4p 3 .

(b) Now let’s actually find the coe�cient representation of p 1 . To start o� with, show that p 1 must have the form c (x 2) (x
3) for some constant c 2 G F (7) .

Solution: We know that p 1 has zeros 2 and 3 so it must have (x 2) (x 3) as factors. Since it is degree 2, it must
be of the form c (x 2) (x 3) .

(c) What is the value of c ? What is the coe�cient representation of p 1 ?

Solution: We must multiply (x 2) (x 3) by a constant factor that will make it equalled to 1 at x = 1. Thus we
must take the multiplicative inverse of (1 2) (1 3) = 2 mod 7. This turns out to be 4. Thus, c = 4, and expanding
shows that the coe�cient representation of p 1 is 4x 2 + x + 3.

(d) Now find p 2 and p 3 using the same method.

Solution: p 2 = 6x 2 + 4x + 4, p 3 = 4x 2 + 2x + 1

(e) Using what we’ve done so far, find p

Solution: p = 2(4x 2 + x + 3) + (6x 2 + 4x + 4) + 4(4x 2 + 2x + 1) = 2x 2 mod 7

(f) Do you see how this relates to CRT?

Solution: Lagrange interpolation is similar to CRT, where instead of taking numbers modulo some di�erent n i , we
take polynomials modulo polynomials x n i .

�. Suppose that P and Q are degree n polynomials such that P (1) = Q (1), · · · , P (n + 1) = Q (n + 1) . Show that P = Q .

Solution: By Lagrange Interpolation, a degree at most n polynomial is determined by its value at n + 1 points. Thus, we
conclude that P and Q must be the same.

Page �
�. Let p be a degree � polynomial in GF(�) that goes through the points (�, �), (�, �), and (�, �). Find p .

Solution: Using Lagrange interpolation:

(x 2) (x 3) (x 1) (x 3) (x 1) (x 2)
p (x ) = 2 ⇤ +1⇤ +4⇤
(1 2) (1 3) (2 1) (2 3) (3 1) (3 2)
2
p (x ) = x 5x + 6 x + 4x 3 + 2x 2 6x + 4
2

p (x ) = 2x 2 7x + 7
2
p (x ) = 2x ( mod 7)

To do this with coe�cients, we have the system of equations:

p (1) ⌘ a 2 + a 1 + a 0 ⌘ 2 mod 7
p (2) ⌘ 4a 2 + 2a 1 + a 0 ⌘ 1 mod 7
p (3) ⌘ 9a 2 + 3a 1 + a 0 ⌘ 2a 2 + 3a 1 + a 0 ⌘ 4 mod 7

This is a system of � equations with � variables that can be solved (painfully) to get the same answer.

Page �
� Secret Sharing
�. (SU�� MT�) A group of 23 o�cials are voting on whether to pass a law. All the o�cials need to vote in favor of the law for it to
pass. To make the voting fair, they want to use an anonymous secret-sharing scheme, such that other members of the group
cannot see what an o�cial voted for (unless the vote is unanimous, which makes determining this trivial). Suppose there is a
third party who will pick a degree d polynomial P (x ) in G F (23) , give each o�cial a point (i , P (i )) , and be able to confirm if
a guessed polynomial is correct or not (but not reveal the polynomial itself).

(a) What should degree d be for this scheme? Why?

Solution: 22, so that we need 23 correct and unique points to reconstruct the polynomial.

(b) If o�cial i wants to vote in favor of the law, what must they do?

Solution: They should send in the point (i , P (i )) .

(c) If o�cial i wants to vote against the law, what must they do?

Solution: They should send in the point (i , q ) such that q . P (i ) ( mod23) to prevent everyone from having that
correct point to interpolate the polynomial.

(d) Explain why P (x ) can be recovered with a unanimous vote, and cannot be recovered otherwise.

Solution: All 23 correct points are needed to recover the 22-degree polynomial. If some people voted against the
law, their points will not be a part of P (x ) , so an incorrect polynomial will be recovered.

(e) Explain why this scheme is anonymous.

Solution: All our third party is able to do is tell us if the interpolated polynomial is correct (P (x ) ) or not. If we get
the incorrect polynomial, we do not have any information to deduce which of the provided points actually deviated
from the correct polynomial.

Page �
�. Encoding Graphs
Let’s say that we want to encode simple graphs on n vertices as polynomials and send it over a channel. We label the vertices
of a graph G from 0 . . . n 1. We create some mapping X : F n ! F n that maps each vertex label to its corresponding vertex’s
degree in G . We send G along a channel by transferring points (i , X (i )) . Answer the following questions:

(a) Find the polynomial that encodes a K n complete graph. Is this polynomial unique to this type of graph? In other words,
does this polynomial only represent the K n graph?

Solution: The polynomial that represents this graph is going to be P (x ) = n 1 because every node has degree
n 1. This is unique because the only graphs where every vertex is of degree n 1 are K n graphs.

(b) Assume that n is even. Find the polynomial that encodes a K n , n bipartite graph
2 2

Solution: We know that each vertex in a K n , n bipartite has degree n2 , so the polynomial is going to be P (x ) = n2 .
2 2

(c) Is it always the case that there is a unique graph for every polynomial encoded this way? If yes, prove so; if not, provide
a counterexample.

Solution: No. Think about the graph on � vertices where each vertex has a degree of �. You can have a simple cycle
on all � vertices or have two separate K 3 subgraphs.

Page �
� Appendix
Proof of Fermat’s Little Theorem: Let S denote the set of non-zero integers mod p , i.e., S = {1, 2, . . . , p 1}. Consider
the sequence of numbers a, 2a, 3a, . . . , (p 1)a mod p . We already saw in the previous Lecture Note that, whenever
gcd (p, a) = 1 (i.e., p, a are coprime, which certainly holds here since p is prime) these numbers are all distinct. Therefore,
since none of them is zero, and there are p 1 of them, they must include each element of S exactly once. Therefore, the
set of numbers
S 0 = {a mod p, 2a mod p, . . . , (p 1)a mod p }
is exactly the same as S (just in a di�erent order)!
Now suppose we take the product of all numbers in S , mod p . Clearly, this product is

1 ⇥ 2 ⇥ · · · ⇥ (p 1) = (p 1) ! mod p. (�)

On the other hand, what if we take the product of all the numbers in S 0 ? Clearly this is

1
a ⇥ 2a ⇥ · · · ⇥ (p 1)a = a p (p 1) ! mod p. (�)

But from our observation in the previous paragraph that the sets of numbers in S and in S 0 are exactly the same (mod p ),
the products in (�) and (�) must in fact be equal mod p . Hence we have

1
(p 1) ! ⌘ a p (p 1) ! ( mod p). (�)

Finally, since p is prime, we know that every non-zero integer has an inverse mod p , and therefore (p 1) ! has an inverse
mod p . Hence we can multiply both sides of (�) by the inverse of (p 1) ! to get a p 1 ⌘ 1 ( mod p) , as required.

Page ��