Math 157: Problem Set 5: Due March 2nd at 11:59PM

Uploaded by

Matthew Tan

Math 157: Problem Set 5

Due March 2nd at 11:59PM

Instructions. Solve any 4 of the 5 problems and answer the survey below for a
full score on this problem set. You will receive additional credit if you solve all 5
problems.
For the programming questions, make sure to include the answers to questions in
your pdf. In your code, you may wish to use the Python command pow(a,e,m),
which efficiently computes $a^e \bmod m$.

Problem 1
1. To break RSA encryption, why does it suffice for an adversary to factor the
public modulus n?
2. Bob would like to communicate with you using RSA encryption. You send Bob
the public key information n = 744869283793155923729084959 and e = 65537.
Bob sends the ciphertext 230351530242749042261940685. You compute the
decryption exponent d = 110189781430651250899659233. What message did
Bob encrypt?
Hint: Use Python. The primes used to generate n were p = 9576890767 and
q = 77777777977777777. For debugging purposes, you may wish to verify that
d is an inverse to e modulo φ(n).
3. William Stanley Jevons was an English economist and logician. His 1874 book
Principles of Science discussed the possibility of using integer factorization as
a computationally difficult problem on which to base a cryptographic system.
In it, he wrote,
“Can the reader say what two numbers multiplied together will produce
the number 8,616,460,799? I think it unlikely that anyone but
myself will ever know.”
Write a Python script that determines these numbers.
Hint: the number is small enough that your algorithm does not need to be
efficient.

Problem 2
1. We discussed in class how the Diffie–Hellman protocol allows two parties to
determine a shared secret over an insecure channel. Generalize the protocol to
three parties. The shared secret they agree on should not be discoverable by
an eavesdropper.[1]
2. Generalize to four parties, where each party is allowed to perform only 3 modular
exponentiations.[2] (There is no limit on the number of times they can communicate.)

Problem 3
Recall that a Carmichael number is a composite number n such that for all a coprime
to n, we have
$$a^{n-1} \equiv 1 \bmod n.$$
On the other hand, if n is composite and the above equality holds for some particular
a, then we say that n is a pseudoprime to base a.
1. Let N = (6t + 1)(12t + 1)(18t + 1), where t is such that each of 6t + 1, 12t +
1, 18t + 1 is prime. Show that N is a Carmichael number.
2. Use the above result to find a Carmichael number with over 30 digits; in other
words, we want to find t such that each of 6t + 1, 12t + 1, 18t + 1 is a prime
with roughly ten digits. Once you have found a candidate for t, you should
verify that these are in fact primes (and not just pseudoprimes to some base,
for example); for this, a brute force check should suffice.
If you complete Problem 1, then you don’t need to submit code for this problem.
[1] More precisely, don’t permit any attacks that aren’t already inherent in the 2-party scheme. Of
course, your protocol will not resist an eavesdropper who can solve the relevant discrete logarithm
problem.
[2] It is likely your solution to the previous part used 3 exponentiations also, and adapting it in
the natural way will use 4 with 4 parties, so you’ll have to be more efficient. With N parties, you
can establish a shared secret with only $\lceil \log_2 N \rceil + 1$ exponentiations, but you don’t have to prove
this.

Problem 4
Let a and n be coprime integers. Recall from Homework 4 that the smallest integer
r ≥ 1 such that $a^r \equiv 1 \bmod n$ is called the (multiplicative) order of a. On that
assignment, we showed that r always divides φ(n); you may use that fact for this
problem. More generally, if $a^b \equiv 1 \bmod n$, then r divides b.
Finding the order of a mod n is considered to be difficult if the order is divisible by a
large prime. We will see in this problem that, if we can quickly compute the order of
a mod n for several choices of a, then we can use this information to factor n. This
is the basis for some attacks on RSA (if the primes used in the public key are not
“safe primes”). It’s also the underlying principle behind Shor’s algorithm. Quantum
computers are (only in theory, for now) able to compute multiplicative orders far
quicker than any known algorithm for classical computers. Shor’s algorithm exploits
this to quickly factor integers. Let’s see how it works. Assume n is the product of
two distinct prime numbers p, q > 2.
1. We write $(\mathbb{Z}/n\mathbb{Z})^\times$ for the set of residues mod n which are coprime to n. The
number of elements of $(\mathbb{Z}/n\mathbb{Z})^\times$ is φ(n) = (p − 1)(q − 1). Prove that the number
of elements of $(\mathbb{Z}/n\mathbb{Z})^\times$ with even multiplicative order is at least $\frac{1}{2}\varphi(n)$.
Hint: If a has odd order, what about −a?
This means we will quickly pick an element with even multiplicative order if we pick
integers randomly. So let’s assume we’ve picked an element a in $(\mathbb{Z}/n\mathbb{Z})^\times$ with even
multiplicative order r. We know that $a^r \equiv 1 \bmod n$, which means that n divides
$a^r - 1$. Since r is even, we can factor this to conclude that n divides $(a^{r/2} - 1)(a^{r/2} + 1)$.
Note that n does not divide $a^{r/2} - 1$, or else $a^{r/2} \equiv 1 \bmod n$ which means r was not
the smallest power of a which is 1 mod n.
2. Let a be coprime to n with even multiplicative order r, and let $r_p$ and $r_q$ be
the multiplicative orders of a mod p and a mod q, respectively. Show that
$a^{r/2} \equiv -1 \bmod n$ if and only if $\frac{r}{r_p}$ and $\frac{r}{r_q}$ are both odd.
Hint: By Sun Tzu’s theorem, $a^{r/2} \equiv -1 \bmod n$ if and only if $a^{r/2} \equiv -1 \bmod p$
and $a^{r/2} \equiv -1 \bmod q$.
Remark: The number r is actually the least common multiple of $r_p$ and $r_q$, but
you don’t need to show this. You may use this fact in the next part if it is
helpful.

3. Consider the sets

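$$S = \{a \in (\mathbb{Z}/n\mathbb{Z})^\times \mid r = \text{the order of } a \text{ is even and } n \text{ divides } a^{r/2} + 1\}$$

$$E = \{a \in (\mathbb{Z}/n\mathbb{Z})^\times \mid r = \text{the order of } a \text{ is even}\}.$$

Show that the fraction $\#S / \#E$ is at most $\frac{1}{2}$. For simplicity, you can assume
$\frac{1}{2}(p - 1)$ and $\frac{1}{2}(q - 1)$ are both primes.[3]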
Hint: Let e be the number guaranteed by Sun Tzu’s theorem to satisfy e ≡ 1
mod p and e ≡ −1 mod q. If a is in S, show that ae is in E but not S.
We’ve determined that, on average, at least one in every 4 choices of a will have the
following two properties:
• The multiplicative order of a mod n is an even number r, and
• n divides $(a^{r/2} - 1)(a^{r/2} + 1)$ but n divides neither $a^{r/2} - 1$ nor $a^{r/2} + 1$.
Once we find such an a, then the greatest common divisor of n and $a^{r/2} + 1$ will be
either p or q. Hence, we can compute a factor of n by computing $\gcd(n, a^{r/2} + 1)$.
So factoring is easy if we can compute multiplicative orders!
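
The reduction above, run on a toy modulus. This is an added example, not part of the problem set; the modulus n = 77 = 7 · 11, the function names, and the brute-force order search (standing in for a fast order oracle) are assumptions made for illustration.

```python
from math import gcd

def multiplicative_order(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n). Brute force, so small n only."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r

def factor_from_order(a, n):
    """Return p or q using the order of a mod n, or None if this a is unusable."""
    r = multiplicative_order(a, n)
    if r % 2:                      # odd order: there is no a^(r/2) to use
        return None
    h = pow(a, r // 2, n)          # h^2 = 1 (mod n) and h != 1
    if h == n - 1:                 # a lies in the set S: n divides a^(r/2) + 1
        return None
    return gcd(n, h + 1)           # h + 1 is divisible by exactly one of p, q

def usable_bases(n):
    """All a in (Z/nZ)^x for which factor_from_order returns a factor."""
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and factor_from_order(a, n) is not None]

if __name__ == "__main__":
    n = 77  # constructed toy modulus: 7 * 11
    for a in (2, 4, 13):           # usable, odd order, and a^(r/2) = -1
        print(a, multiplicative_order(a, n), factor_from_order(a, n))
    print(len(usable_bases(n)), "of 60 residues reveal a factor")
```

For this modulus, half of the 60 residues coprime to 77 yield a factor, consistent with the one-in-four lower bound stated above.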

Problem 5
There are three parts to this problem.
We discussed in class that factoring numbers is hard and takes a long time. The
security of RSA encryption depends on this fact.
However, the practicality of RSA depends on easily being able to generate large
prime numbers. If it also took a long time to generate the keys, the system would
be useless.
Recall from class the Fermat primality test. The idea of the test is as follows. We
know that for any prime p, $a^{p-1} \equiv 1 \bmod p$ for any a relatively prime to p. However,
if n is not prime, then it’s unlikely (or so we hope) that $a^{n-1} \equiv 1 \bmod n$ for a
randomly chosen residue a. So we can test for the primality of n by examining
whether $a^{n-1} \equiv 1 \bmod n$ for many a, and if this equivalence holds for all of them,
we can (hopefully) be confident the number is prime.

[3] p and q are called safe primes if they satisfy this condition. Among other benefits, safe primes
maximize this fraction.

We say that a is a witness to n being composite if $a^{n-1} \not\equiv 1 \bmod n$. If we find such
a witness, then we know that n is composite. We say that n is pseudoprime to base
a if $a^{n-1} \equiv 1 \bmod n$ holds.
1. Let a be a witness to n being composite. Show that if b is a number such that
1 ≤ b < n and n is pseudoprime to base b, then n is not a pseudoprime to base
ab.
Hint: use the definitions of witness and pseudoprime.
2. Suppose n has at least one base a that is a witness to n being composite with
a relatively prime to n. Then show at least half the bases 1 through n − 1 are
witnesses to n being composite.
Hint: you can suppose there is at least one base b to which n is pseudoprime,
or you’re done. Enumerate the bases to which n is pseudoprime as $b_1, \dots, b_k$.
Consider $ab_1, \dots, ab_k$, and use the previous part.
So, we are now in the following situation. Suppose we have some number n and we
want to know whether it is prime. If there exists at least one a such that a witnesses
n being composite, and (a, n) = 1, then at least half of the bases are witnesses. If
we randomly choose m distinct bases to test, then the probability of never
finding a witness is less than $(1/2)^m$ (since the probability of choosing a witness is
at least 1/2). This is great because the error probability decays exponentially. By
choosing m large and testing the Fermat identity $a^{n-1} \equiv 1 \bmod n$ with random bases
m times, we can determine with near certainty whether n is prime. For instance, if
n passes m = 34 tests, then the error probability is less than 1 in $10^{10}$, which is good
enough for all practical purposes.
So, to recapitulate, if we’re testing a number n for primality, and n happens to have
at least one witness a with (a, n) = 1, then we’re very happy. We can determine
quickly whether n is prime.
What happens if there is no witness with (a, n) = 1? As mentioned in class and above,
such numbers are called Carmichael numbers. Then we’re extremely unhappy. In
this case, the only way the test can determine that n is prime is if we get lucky
and randomly test a number not coprime to n. It can be shown that this is vanishingly
unlikely.[4] So no matter how much testing we do, practically speaking, we’ll nearly
always be fooled in this case. Carmichael numbers are rare, but common enough to
be problematic.
Ignore the issue of Carmichael numbers for a moment, and let’s discuss the practical
implications of this test.
This method is quite fast. As mentioned on the Wikipedia page for trial division,
trying to deterministically check that n is prime by checking for factors up to $\sqrt{n}$
takes time that grows like $\sqrt{n}$. But the Fermat test takes time that grows like
$k \times (\log n)^3$ for k trials.[5] And, as we noted, even k ≈ 30 gets good results.
The upshot is that the Fermat primality test is really great! Since $(\log n)^3$ grows
super slowly compared to $\sqrt{n}$, it’s easy to find RSA public keys, but hard to factor
the public modulus n.
Putting this information together, we have the following practical algorithm for
generating large primes (e.g. to create RSA keys).
• Generate some large odd number N randomly.
• Test N for primality using the Fermat test with lots of random bases.
• If we succeed, hope that we didn’t hit a Carmichael number.
• If we fail, start again with N + 2.
By the prime number theorem, we should find a prime in about $\frac{1}{2} \ln N$ steps of this
algorithm.
Except for the “hope that we didn’t hit a Carmichael number” part, this is exactly
how your computer generates prime numbers.[6]
This leads us to the final part of this problem, which would be impossible to do in a
reasonable amount of time using naive approaches like trial division.
[4] Sketch of argument: a certain theorem tells us that Carmichael numbers are square-free, and
for such numbers φ(n)/n ≈ 1 for large n, so hitting a witness happens with probability approaching
zero.
[5] The reason for this is, as we discussed, we can take powers in congruences quickly by repeated
squaring. A few extra log n factors appear due to miscellaneous computational overhead elsewhere
in the algorithm. Also, this is a crude upper bound; a slightly better one is possible.
[6] Up to small optimizations like skipping multiples of other small primes like 3, 5, ....

3. Use Python and the Fermat test with k = 10 to generate a probably prime
number of at least 100 digits.[7]
Note: It’s not really necessary that the bases a be chosen randomly (since you
already have some randomness coming from the choice of N ). It may be easier
(in terms of coding) just to pick a set of 10 fixed bases, insert that into your
code, and then test against everything in the list for each random N .
For randomly generating integers, you can use the randrange command. First
import the command with the line from random import randrange. Then
use it as described here:
https://docs.python.org/3/library/random.html#random.randrange.
In real life, we take care of the Carmichael number issue with additional testing,
using the Miller–Rabin test.
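
The Carmichael failure and the Miller–Rabin fix, side by side. This is an added example, not part of the problem set; the ten fixed bases, the function names, and the test values are assumptions. The Carmichael number used is the t = 6 instance of the form in Problem 3, chosen because its prime factors (37, 73, 109) are all larger than every base, so each base is coprime to it.

```python
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)  # ten fixed bases (assumed choice)

def fermat_passes(n, bases=BASES):
    """True if a^(n-1) = 1 (mod n) for every base; multiples of n are skipped."""
    return n > 1 and all(pow(a, n - 1, n) == 1 for a in bases if a % n)

def miller_rabin_passes(n, bases=BASES):
    """Strong probable-prime test: also rejects nontrivial square roots of 1."""
    if n < 2:
        return False
    for p in bases:                # small factors, and n equal to a base
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:              # write n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):     # square up to s - 1 times, looking for -1
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False           # a is a witness: n is composite
    return True

T = 6
CARMICHAEL = (6 * T + 1) * (12 * T + 1) * (18 * T + 1)   # 37 * 73 * 109

if __name__ == "__main__":
    # constructed inputs: ordinary composite, Carmichael number, Mersenne prime
    for n in (221, CARMICHAEL, 2**61 - 1):
        print(n, fermat_passes(n), miller_rabin_passes(n))
```

The Fermat test accepts 294409 on every base, while Miller–Rabin rejects it; both agree on 221 (composite) and on the prime 2^61 − 1.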

Extra Credit
Pick an attack on RSA or Diffie–Hellman, and describe the mathematics behind it.
The Handbook of Applied Cryptography is a good source for this, but you can use
any you like.

Survey
How many hours did it take you to complete this assignment, including programming
and typesetting?

[7] Primes with over 100 digits are acceptable and encouraged. You may wish to see how large you
can go.
