Problems 8
Problems 8
5501 Cryptology
Homework 8
April 2, 2009
3. (Stinson 5.24) Suppose throughout this question that p is an odd prime and gcd(a, p) = 1.
Suppose that i ≥ 2 and b2 ≡ a (mod pi−1 ). In the ad hoc exercises last week it was shown that
there is a unique x ∈ ZZpi , such that x2 ≡ a (mod pi ) and x ≡ b (mod pi−1 ) and a method was
described how this x can be computed efficiently.
Illustrate this method in the following situation: starting with the congruence 62 ≡ 17 ( mod 19),
find square roots of 17 modulo 192 and modulo 193 .
4. Compute
2120 (mod122183).
5. Let n = pq, where p and q are primes. We can assume that p > q > 2 and we denote d = p−q 2
and x = p+q . Then n = x2 − d2 . Attempt to factor n = 400219845261001 by searching for small
2 √
non-negative integers t such that x2 − n = (d ne + t)2 − n is a perfect square. (This is a simple
form of the Quadratic Sieve method.)
6. (Stinson): This exercise illustrates an example of a protocol failure (presented by Gus Simmons)
involving RSA; it is called the common modulus protocol failure. Suppose Bob has an RSA
cryptosystem with modulus n and encryption exponent b1 , and Charlie has an RSA Cryptosystem
with (the same) modulus n and encryption exponent b2 . Suppose also that gcd(b1 , b2 ) = 1. Now,
consider the situation that arises if Alice encrypts the same plaintext x to send it to both Bob and
Charlie. Thus, she computes y1 = xb1 mod n and y2 = xb2 mod n and then she sends y1 to Bob
and y2 to Charlie. Suppose Oscar intercepts y1 and y2 , and performs following computations:
Input: n, b1 , b2 , y1 , y2
i) Compute c1 = b−1
1 mod b2
ii) Compute c2 = (c1 b1 − 1)/b2
iii) Compute x1 = y1c1 (y2c2 )−1 mod n
(a) Prove that the value x1 computed in step iii) is in fact Alice’s plaintext, x. Thus Oscar can
decrypt the message Alice sent, even though the cryptosystem may be “secure”.
(b) Illustrate the attack by computing x by this method if n = 18721, b1 = 43, b2 = 7717,
y1 = 12677 and y2 = 14702.