Math 470
Answers to Exam 2 Sample Problems
October 30, 2011

Please note: Not all of the work for solving these problems is given in the solutions below, but mainly the solutions are intended to give you enough information about how to solve the problems completely. For example, the work for the solution of the quadratic equation in problem 2 and the calculation of the gcd in problem 5 are not shown. The work for obtaining these results would be necessary for full credit on an exam.

1. David and Eleanor are using RSA to communicate secretly.

(a) David’s public encryption key is $(m, e) = (91, 5)$. Eleanor wants to encode the plaintext ‘3’ to send to David. What does she send?

(b) On another occasion, you intercept the ciphertext ‘4’ sent to David. What was the plaintext?

Solution: (a) Since $3^5 \equiv 61 \pmod{91}$, she sends 61.

(b) First we need to find the decryption exponent $d$. Since $91 = 7 \cdot 13$, we calculate that $\varphi(91) = 6 \cdot 12 = 72$. So we need $de \equiv 1 \pmod{72}$. We calculate that $d \equiv 5^{-1} \equiv 29 \pmod{72}$. So the plaintext is $4^{29} \equiv 23 \pmod{91}$.

2. Alice and Bob are using RSA to communicate secretly. Bob’s public encryption key is $(n, e) = (332621, 103)$. Eve discovers that $\varphi(n) = 331452$. What is the factorization of $n$?

Solution: Knowing $n$ and $\varphi(n)$, we know that the prime factors of $n$ are roots of the quadratic equation

$$X^2 - (n - \varphi(n) + 1)X + n = X^2 - 1170X + 332621 = 0.$$

By the quadratic formula, we find that the solutions are $X = 487$ and $X = 683$. Thus $n = 487 \cdot 683$, which can be verified simply on a calculator.

3. Use the Miller-Rabin Test to show that 561 is composite.

Solution: We write $n - 1 = 560 = 2^k \cdot m$ with $m$ odd. We find easily that $560 = 2^4 \cdot 35$, so $k = 4$ and $m = 35$. Picking a random number $a$ with $1 < a < 560$, I pick $a = 3$ (you are free to pick whatever you want for $a$, as long as the algorithm works with it; if not, try a different $a$).
We construct the sequence $b_0, b_1, b_2, b_3 = b_{k-1}$:

$$\begin{aligned}
b_0 &\equiv 3^{35} \equiv 78 \pmod{561},\\
b_1 &\equiv b_0^2 \equiv 474 \pmod{561},\\
b_2 &\equiv b_1^2 \equiv 276 \pmod{561},\\
b_3 &\equiv b_2^2 \equiv 441 \pmod{561}.
\end{aligned}$$

Since $b_0 \not\equiv \pm 1 \pmod{561}$ and $b_1, b_2, b_3 \not\equiv -1 \pmod{561}$, the Miller-Rabin test implies that 561 is composite.

4. The following congruences hold:

$$\begin{array}{lll}
34733^{274656} \equiv 1 \pmod{274657}, & 34734^{274656} \equiv 60108 \pmod{274657} & \quad (1)\\
53013^{274656} \equiv 1 \pmod{274657}, & 87745^{274656} \equiv 1 \pmod{274657} & \quad (2)\\
34733^{69265} \equiv 71394 \pmod{277061}, & 34733^{138530} \equiv 12019 \pmod{277061} & \quad (3)\\
53013^{72015} \equiv 182831 \pmod{288061}, & 53013^{144030} \equiv 288060 \pmod{288061} & \quad (4)
\end{array}$$

(a) What do lines (1) and (2) imply about the primality of 274657? Explain.

(b) What does line (3) imply about the primality of 277061? Explain.

(c) What does line (4) imply about the primality of 288061? Explain.

Solution: (a) With $n = 274657$, each of the congruences in lines (1) and (2) is calculating $a^{n-1} \pmod{n}$ for various $a$. Most are congruent to 1, except for the second, which is 60108. Thus 274657 is composite by the Fermat Primality Test.

(b) With $n = 277061$, we see that $n - 1 = 277060 = 2^2 \cdot 69265$. The Miller-Rabin Test involves calculating $a^{69265} \pmod{n}$ and $a^{2 \cdot 69265} = a^{138530} \pmod{n}$ for randomly chosen $a$. When $a = 34733$, these are exactly the numbers calculated in line (3). Since $a^{69265} \not\equiv \pm 1 \pmod{277061}$ and $a^{138530} \not\equiv -1 \pmod{277061}$, we conclude that 277061 is composite by the Miller-Rabin Test.

(c) With $n = 288061$, we see that $n - 1 = 288060 = 2^2 \cdot 72015$. The Miller-Rabin Test involves calculating $a^{72015} \pmod{n}$ and $a^{2 \cdot 72015} = a^{144030} \pmod{n}$ for randomly chosen $a$. When $a = 53013$, these are exactly the numbers calculated in line (4). Now $a^{72015} \not\equiv \pm 1 \pmod{288061}$ but $a^{144030} \equiv -1 \pmod{288061}$, so the Miller-Rabin Test is inconclusive. Likewise the only other information we can glean from this data is that $53013^{288060} \equiv 1 \pmod{288061}$, so the Fermat Primality Test is also inconclusive. Thus the information in line (4) is inconclusive in determining the primality of 288061.

5.
Suppose that $n = 4897$ is being used for RSA encryption, and suppose that we know that the encryption exponent is $e = 67$ and the decryption exponent is $d = 71$. Suppose further that the following congruences hold:

$$\begin{array}{lll}
2^{1189} \equiv 4896 \pmod{4897}, & 3^{1189} \equiv 1 \pmod{4897}, & 4^{1189} \equiv 1 \pmod{4897},\\
5^{1189} \equiv 414 \pmod{4897}, & 6^{1189} \equiv 4896 \pmod{4897}, & 7^{1189} \equiv 1 \pmod{4897}.
\end{array}$$

Use the Universal Exponent Factorization Method to factor 4897.

Solution: Because $e = 67$ and $d = 71$ are encryption and decryption exponents for RSA modulo $n = 4897$, we know that $r = de - 1 = 4756$ is a universal exponent modulo 4897. To use the Universal Exponent Factorization Method we write $r = 2^k \cdot m$ with $m$ odd, so $r = 2^2 \cdot 1189$. To perform this test we calculate $b_0 = a^{1189}$ and $b_1 = a^{2 \cdot 1189} = b_0^2$ modulo 4897 for randomly chosen $a$. If $b_0 \equiv \pm 1 \pmod{4897}$, we need a new $a$. Looking at the data given, this rules out all but $a = 5$. So $b_0 = 414$ and $b_1 \equiv b_0^2 \equiv 414^2 \equiv 1 \pmod{4897}$. Since $b_0 \not\equiv -1 \pmod{4897}$ but $b_0^2 \equiv 1 \pmod{4897}$, the universal exponent factorization algorithm implies that $\gcd(b_0 - 1, n)$ will be a non-trivial factor of 4897. Indeed, we calculate that

$$\gcd(413, 4897) = 59$$

(requires Euclidean algorithm to show completely), so $59 \mid 4897$, and we find $4897 = 59 \cdot 83$.

6. Let $n = 10981$. Suppose that in performing the quadratic sieve you have found that

$$\begin{array}{lll}
91^2 - n = -2700, & 98^2 - n = -1377, & 105^2 - n = 44,\\
107^2 - n = 468, & 115^2 - n = 2244, & 116^2 - n = 2475.
\end{array}$$

Use this information to factor $n$. Show your work.

Solution: We calculate some factorizations:

$$\begin{array}{lll}
-2700 = -2^2 \cdot 3^3 \cdot 5^2, & -1377 = -3^4 \cdot 17, & 44 = 2^2 \cdot 11,\\
468 = 2^2 \cdot 3^2 \cdot 13, & 2244 = 2^2 \cdot 3 \cdot 11 \cdot 17, & 2475 = 3^2 \cdot 5^2 \cdot 11.
\end{array}$$

Therefore,

$$\begin{array}{ll}
91^2 \equiv -2^2 \cdot 3^3 \cdot 5^2 \pmod{10981}, & 98^2 \equiv -3^4 \cdot 17 \pmod{10981},\\
105^2 \equiv 2^2 \cdot 11 \pmod{10981}, & 107^2 \equiv 2^2 \cdot 3^2 \cdot 13 \pmod{10981},\\
115^2 \equiv 2^2 \cdot 3 \cdot 11 \cdot 17 \pmod{10981}, & 116^2 \equiv 3^2 \cdot 5^2 \cdot 11 \pmod{10981}.
\end{array}$$

We are looking for products of these congruences that will yield a perfect square on the right-hand side (we automatically get one on the left-hand side). There are various combinations that will work, which we find by inspection. For example,

$$105^2 \cdot 116^2 \equiv 2^2 \cdot 3^2 \cdot 5^2 \cdot 11^2 \pmod{10981}.$$

From this we take $x = 105 \cdot 116 = 12180$ and $y = 2 \cdot 3 \cdot 5 \cdot 11 = 330$. We check that $x \not\equiv \pm y \pmod{10981}$, and moreover $x - y \equiv 869 \pmod{10981}$. Thus $\gcd(x - y, n) = \gcd(869, 10981) = 79$ (requires Euclidean algorithm to show completely), and we check that $10981 = 79 \cdot 139$.

7. Calculate the discrete logarithms $L_5(10)$, $L_5(100)$, and $L_{25}(15)$ modulo 17.

Solution: We calculate some powers of 5 modulo 17:

$$\begin{array}{c|cccccc}
m & 1 & 2 & 3 & 4 & 5 & 6\\
\hline
5^m \pmod{17} & 5 & 8 & 6 & 13 & 14 & 2
\end{array}$$

This table can easily be extended if you need more data, but it will be enough here. We see that $5^6 \equiv 2 \pmod{17}$, so $L_5(2) = 6$, and since $L_5(10) \equiv L_5(2) + L_5(5) \pmod{16}$, we see that $L_5(10) = 6 + 1 = 7$. Likewise, $L_5(100) \equiv 2L_5(10) \pmod{16}$, and so $L_5(100) = 14$. Since $100 \equiv 15 \pmod{17}$, we can check that $5^{14} \equiv 15 \pmod{17}$. To calculate $L_{25}(15)$ we want to find $x$ so that $25^x \equiv 5^{2x} \equiv 15 \pmod{17}$. Therefore, $2L_{25}(15) = L_5(15) = L_5(100) = 14$, and so $L_{25}(15) = 7$.

8. The number 2 is a primitive root modulo 29. Use the Pohlig-Hellman algorithm to find $L_2(3)$.

Solution: We write $29 - 1 = 2^2 \cdot 7$. Starting with $q = 2$, we see that $(p - 1)/q = 14$. The algorithm will yield $y_1 = x_0 + 2x_1$ with each $x_i \in \{0, 1\}$. We first look for $x_0$ with

$$2^{14 x_0} \equiv 3^{14} \equiv 28 \pmod{29},$$

and a simple check by calculator yields $x_0 = 1$. We then let $\beta_1 \equiv 2^{-x_0} \cdot 3 \equiv 16 \pmod{29}$. Next we search for $x_1$ with

$$2^{14 x_1} \equiv 16^{(p-1)/q^2} \equiv 16^7 \equiv 1 \pmod{29}.$$

Therefore we take $x_1 = 0$, and so $y_1 = 1$.

Now we take $q = 7$. We see that $(p - 1)/q = 4$. The algorithm yields $y_2 = x_0$ with $x_0 \in \{0, 1, 2, 3, 4, 5, 6\}$. We need $x_0$ to satisfy

$$2^{4 x_0} \equiv 3^4 \equiv 23 \pmod{29}.$$

We check the seven possibilities for $x_0$ and find $x_0 = 5$, and so $y_2 = 5$.
Finally, we find $x = L_2(3)$ as a simultaneous solution modulo 28 of the system of congruences

$$x \equiv y_1 \equiv 1 \pmod{4}, \qquad x \equiv y_2 \equiv 5 \pmod{7}.$$

The Chinese Remainder Theorem yields exactly one solution modulo 28, namely $x \equiv 5 \pmod{28}$. Therefore, by the Pohlig-Hellman algorithm $L_2(3) = 5$.
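The Miller-Rabin sequence of problems 3 and 4 can be reproduced with the following sketch, which is an added example and not part of the original answer sheet. The function names `miller_rabin_trace` and `fermat_passes` are chosen here for illustration; the run also shows why the Fermat test alone is not enough for 561.

```python
def miller_rabin_trace(n, a):
    """Return (b_sequence, verdict) for odd n > 2 and base a.

    verdict is "composite" or "inconclusive" (n passes for this base).
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer greater than 2")
    # Write n - 1 = 2^k * m with m odd.
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2
    b = pow(a, m, n)                    # b_0 = a^m mod n
    seq = [b]
    if b in (1, n - 1):
        return seq, "inconclusive"
    for _ in range(k - 1):              # b_1 .. b_{k-1}
        b = pow(b, 2, n)
        seq.append(b)
        if b == n - 1:
            return seq, "inconclusive"
        if b == 1:                      # square root of 1 other than +-1
            return seq, "composite"
    return seq, "composite"


def fermat_passes(n, a):
    """Fermat test: True when a^(n-1) is 1 modulo n."""
    return pow(a, n - 1, n) == 1


if __name__ == "__main__":
    # 561 passes the Fermat test for base 2, yet Miller-Rabin rejects it.
    print(fermat_passes(561, 2), miller_rabin_trace(561, 2))
    # The base used in the solution to problem 3.
    print(miller_rabin_trace(561, 3))
    # The (n, a) pairs from problem 4, lines (3) and (4).
    for n, a in [(277061, 34733), (288061, 53013)]:
        print(n, a, miller_rabin_trace(n, a))
```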
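Problems 2 and 5 both show that leaking $\varphi(n)$ or the private exponent $d$ is equivalent to leaking the factorization of an RSA modulus. The sketch below is an added example, not part of the original answer sheet; `factor_from_phi` and `factor_from_ed` are names chosen here, and the second function generalizes problem 5 by trying bases in turn instead of reading them from a given list.

```python
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Factor n = p*q given phi(n) = (p-1)(q-1), as in problem 2."""
    s = n - phi + 1                  # p + q
    disc = s * s - 4 * n             # (p - q)^2, discriminant of X^2 - sX + n
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not consistent with n = p*q")
    return (s - r) // 2, (s + r) // 2


def factor_from_ed(n, e, d, bases=range(2, 100)):
    """Factor n from the universal exponent r = d*e - 1, as in problem 5."""
    r = d * e - 1
    k, m = 0, r
    while m % 2 == 0:                # r = 2^k * m with m odd
        k, m = k + 1, m // 2
    for a in bases:
        g = gcd(a, n)
        if 1 < g < n:                # the base itself shares a factor with n
            return tuple(sorted((g, n // g)))
        b = pow(a, m, n)             # b_0 = a^m mod n
        if b in (1, n - 1):
            continue                 # this base gives no information
        for _ in range(k):
            nxt = pow(b, 2, n)
            if nxt == 1:             # b^2 = 1 with b != +-1: gcd splits n
                g = gcd(b - 1, n)
                return tuple(sorted((g, n // g)))
            if nxt == n - 1:
                break                # reached -1, try another base
            b = nxt
    return None


if __name__ == "__main__":
    print(factor_from_phi(332621, 331452))   # problem 2
    print(factor_from_ed(4897, 67, 71))      # problem 5
```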
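The "by inspection" step in problem 6 can be automated by tracking exponent vectors over a factor base and looking for a subset whose exponents are all even. This is an added example, not part of the original answer sheet; the factor base is taken from the primes in the page's factorizations, the function names are chosen here, and the subset search is brute force, which a full quadratic sieve would replace with linear algebra over GF(2).

```python
from itertools import combinations
from math import gcd, prod

# Primes appearing in the factorizations of problem 6.
FACTOR_BASE = [2, 3, 5, 11, 13, 17]


def exponent_vector(value):
    """Return [sign, e_2, e_3, ...] or None if value is not smooth."""
    vec = [1 if value < 0 else 0]
    value = abs(value)
    for p in FACTOR_BASE:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        vec.append(e)
    return vec if value == 1 else None


def factor_from_relations(n, xs):
    """Combine the relations x^2 - n into x^2 = y^2 (mod n) and split n."""
    rels = []
    for x in xs:
        vec = exponent_vector(x * x - n)
        if vec is not None:
            rels.append((x, vec))
    for size in range(1, len(rels) + 1):
        for subset in combinations(rels, size):
            total = [sum(col) for col in zip(*(v for _, v in subset))]
            if any(t % 2 for t in total):
                continue                 # right-hand side is not a square
            x = prod(x for x, _ in subset) % n
            y = prod(p ** (t // 2) for p, t in zip(FACTOR_BASE, total[1:])) % n
            g = gcd(x - y, n)
            if 1 < g < n:                # skips the useless case x = +-y
                return tuple(sorted((g, n // g)))
    return None


if __name__ == "__main__":
    print(factor_from_relations(10981, [91, 98, 105, 107, 115, 116]))
```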
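The Pohlig-Hellman steps of problem 8 (digit-by-digit logarithms modulo each prime power of $p - 1$, then the Chinese Remainder Theorem) are carried out below for any prime $p$ and primitive root $g$; it also reproduces the logarithms of problem 7. This is an added example, not part of the original answer sheet, with function names chosen here; it assumes Python 3.8 or later for modular inverses via `pow`.

```python
def factorize(m):
    """Trial-division factorization, returned as {prime: exponent}."""
    out, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            out[p] = out.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        out[m] = out.get(m, 0) + 1
    return out


def dlog_prime_power(g, h, p, q, r):
    """Find x mod q^r with g^x = h (mod p), one base-q digit at a time."""
    N = p - 1
    gamma = pow(g, N // q, p)            # element of order q
    x, beta = 0, h
    for j in range(r):
        target = pow(beta, N // q ** (j + 1), p)
        # Search the q candidates for the digit x_j.
        digit = next(d for d in range(q) if pow(gamma, d, p) == target)
        x += digit * q ** j
        beta = beta * pow(g, -digit * q ** j, p) % p   # strip the found digit
    return x


def pohlig_hellman(g, h, p):
    """Discrete log of h to the primitive root g modulo the prime p."""
    N = p - 1
    x, modulus = 0, 1
    for q, r in factorize(N).items():
        qr = q ** r
        y = dlog_prime_power(g, h, p, q, r)
        # CRT: lift x (mod modulus) so that x = y (mod q^r) also holds.
        t = (y - x) * pow(modulus, -1, qr) % qr
        x, modulus = x + modulus * t, modulus * qr
    return x % N


if __name__ == "__main__":
    print(pohlig_hellman(2, 3, 29))      # problem 8
    print(pohlig_hellman(5, 10, 17))     # problem 7, L_5(10)
```

The work is dominated by the search over `range(q)` for the largest prime factor of $p - 1$, which is why the method is fast for $p = 29$, where $p - 1 = 2^2 \cdot 7$.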