1)

(2)

(3)

(4)

(5)

RSA CRYPTOSYSTEM

 

1-We have shown that if p is a prime number then for all a, ap = a mod p (Fermat). Hence if there exists a such that ap ?= a mod p, then p is a composite number (not a prime). Use this to show 231 is composite number.

2-In the following two examples, you are going to extract roots modulo N. In both examples N is prime. This a difficult problem when N is not prime. The RSA encryption is based in this difficulty where the N is product of two large distinct primes (N is published but not its factors).

(a) Use the Euclidean Algorithm to show the gcd(19, 96) = 1. Hence find d such that 19d = 1 mod (97) and solve x19 = 36 mod (97).

(b) Solve x137 = 428 mod 541.

3-Alice publishes her RSA public key: modulus, that means N = 2038667 and exponent e = 103.

(a) Bob wants to send Alice the (plaintext) message m = 892383. What ciphertext does Bob send to Alice?

(b) Alice knows that N factors into two primes one of which is p = 1301. Find the decryption exponent d for Alice.

(c) Alice receives the ciphertext c = 317730 from Bob. Decrypt the message.

4-In an RSA encryption, Bob got a little creative and wanted to guard against trans- mission errors. So he encrypted his message m twice by using two encryption exponents e1 and e2. That is, he transmitted to Alice c1 = me1 and c2 = me2. Now the eves dropper, Eve, has N = pq, e1, e2, c1 and c2. However, Bob made a grave miscalculation: the greatest common divisor of e1 and e2 was 1. Show Eve can recover Bob's plaintext message m without factoring N.

Hint. The gcd(e1, e2) = 1 implies that there are integers n and m such that ne1 + me2 = 1.

Miller-Rabin test for primality.

Theorem 1. Let p be an odd prime number and factor p−1 = 2kq so that q is odd1 Then for all natural numbers a either

 aq=1 mod(p)

1Since p is odd, p − 1 is even. Factor the largest possible power of 2 out of p − 1.

 

5-

RSA CRYPTOSYSTEM 2

or, one of the following numbers is congruent to −1 modulo p aq, a2q,...,a2k−1q.

Hence, by logic, if there exists a natural number a such that aq ?= 1 mod (p) and none of the numbers

aq, a2q ...,a2k−1q

are −1 mod (p), then p is not a prime number.

Let us work through an example to show the Carmichael number p = 118901521

is not a prime number. We will show that a = 2 fulfils both conditions to guarantee that p is not prime. Why did I pick a = 2? That is the smallest number to try; if 2 does not work, try 3....

> sage p=118901521

> sage divmod(p-1,16)

  (7431345, 0) # divmod(p-1,32) will return a non-zero remainder.

   #So highest power of 2 that can be factored from p-1 is 16=2^4; so k=4.

> q=divmod(p-1,16)[0] # the zeroth item of the list divmod is the quotient.

> sage mod(2^q, p), # see what is this. It is not 1.

Now, we will compute 2q, 22q, 24q, 28q modulo p (here 8 = 2k−1; the k for this p was 4). We will verify none of them are −1 modulo p, that is 118901520. We can setup a table of 2q, 22q, a4q, 28q modulo p. The table syntax is table() and rows are in [ ]. So, e.g., table([[1, 2], [3, 4]]) would return a table whose first row is 1, 2 and second row is 3, 4. Look at sage manual for header rows, dividers etc.

Continue the sage worksheet.

> var('x')

> table([(x, mod(2^(q*2^x), p)) for x in [0..3]])

This will return a table that shows the remainder of 2q, 22q, 24q, 28q when divided by p. None of them are −1 mod (p), i.e., none of the remainders were p − 1.

For practice, you verify that the Carmichael number p = 75361 is not a prime. Then test an integer that is in fact prime, p = 104513, using a = 3. What did you notice?

Note: It can be shown that numbers of the form (6k + 1)(12k + 1(18k + 1) are Carmichael numbers if each of the three factors are prime. That is how we know 118901521 = 271 ∗ 541 ∗ 811 is a Carmichael number.

As common Fermat didn't give a proof (this time saying "I would send you the show, on the off chance that I didn't fear its being excessively long" [Burton80, p79]). Euler previously distributed a proof in 1736, yet Leibniz left basically a similar verification in an unpublished composition from at some point before 1683.

 

Start by posting the main p-1 positive products of a:

 

a, 2a, 3a, ... (p - 1)a

 

Assume that ra and sa are the equivalent modulo p, at that point we have r = s (mod p), so the p-1 products of an above are particular and nonzero; that is, they should be consistent to 1, 2, 3, ..., p-1 in some request. Increase every one of these congruences together and we find

a (2a) (3a) ... ((p-1)a) ≡ 1.2.3.....(p-1) (mod p)

 

which is, a(p-1)(p-1)! ≡ (p-1)! (mod p). Gap both side by (p-1)! to finish the verification.

 

 

In some cases Fermat's Little Theorem is introduced in the accompanying structure:

Result.

 

Leave p alone a prime and an any number, at that point ap ≡ a (mod p).

 

Verification.

 

The outcome is trival (the two sides are zero) if p partitions a. In the event that p doesn't separate a, we need just duplicate the consistency in Fermat's Little Theorem by a to finish the evidence.

 

An indivisible number is a positive number, which is distinct on 1 and itself. Different whole numbers, more noteworthy than 1, are composite. Coprime numbers are a bunch of whole numbers that have no basic divisor other than 1 or - 1.

The key hypothesis of number juggling:

 

Any sure number can be isolated in primes in basically just a single way. The expression 'basically one way' implies that we don't consider the request for the components significant.

 

One is neither a prime nor composite number. One isn't composite since it doesn't have two unmistakable divisors. In the event that one is prime, number 6, for instance, has two distinct portrayals as a result of indivisible numbers: 6 = 2 * 3 and 6 = 1 * 2 * 3. This would negate the basic hypothesis of math.

Euclid's hypothesis:

 

 

There is no biggest indivisible number.

To demonstrate this present, how about we consider just n indivisible numbers: p1, p2, ... , pn. However, no superb pi separates the number

N = p1 * p2 * ... * pn + 1,

 

so N can't be composite. This negates the way that the arrangement of primes is limited.

 

Exercise 1. Succession an is characterized recursively:

 

Demonstrate that ai and aj, I ¹ j are moderately prime.

Clue: Prove that an+1 = a1a2... a + 1 and utilize Euclid's hypothesis.

Exercise 2. Ferma numbers Fn (n ≥ 0) are positive whole numbers of the structure

Demonstrate that Fi and Fj, I ≠ j are moderately prime.

Clue: Prove that Fn +1 = F0F1F2... Fn + 2 and utilize Euclid's hypothesis.

 

Dirichlet's hypothesis about number juggling movements:

 

For any two positive coprime numbers an and b there are limitlessly numerous primes of the structure a + n*b, where n > 0.

 

 

 

Step-by-step explanation

Preliminary division:

 

Preliminary division is the least complex of all factorization methods. It addresses a savage power technique, where we are attempting to partition n by each number I not more prominent than the square base of n. (For what reason don't we need to test esteems bigger than the square base of n?) The strategy factor prints the factorization of number n. The variables will be imprinted in a line, isolated with one space. The number n can contain close to one factor, more noteworthy than n.

 

void factor(int n) {

int I;

for(i=2;i<=(int)sqrt(n);i++) {

while(n % I == 0) {

printf("%d ",I);

n/= I;

}

}

in the event that (n > 1) printf("%d",n);

printf("\n");

}

 

Consider a difficult that requests you to discover the factorization from whole number g(- 231 < g <231) in the structure

 

g = f1 x f2 x ... x fn or g = - 1 x f1 x f2 x ... x fn

where fi is a prime more prominent than 1 and fi ≤ fj for I < j.

For instance, for g = - 192 the appropriate response is - 192 = - 1 x 2 x 2 x 2 x 2 x 2 x 2 x 3.

To tackle the issue, it is sufficient to utilize preliminary division as demonstrated in work factor.

 

Sifter of Eratosthenes:

 

The most proficient approach to locate all little primes was proposed by the Greek mathematician Eratosthenes. His thought was to make a rundown of positive numbers not more noteworthy than n and consecutively strike out the products of primes not exactly or equivalent to the square foundation of n. After this methodology just primes are left in the rundown.

 

The strategy of discovering indivisible numbers gen_primes will utilize an exhibit primes[MAX] as a rundown of numbers. The components of this cluster will be filled so that

Toward the starting we mark all numbers as prime. At that point for each indivisible number (I ≥ 2), not more noteworthy than √MAX, we mark all numbers ii, i(i + 1), ... as composite.

void gen_primes() {

int i,j;

for(i=0;i<MAX;i++) primes[i] = 1;

for(i=2;i<=(int)sqrt(MAX);i++)

in the event that (primes[i])

for(j=i;ji<MAX;j++) primes[ij] = 0;

}

For instance, in the event that MAX = 16, subsequent to calling gen_primes, the exhibit 'primes' will contain next qualities:

i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

primes[i] 1 1 1 1 0 1 0 1 0 0 0 1 0 1 0 0

 

Goldbach's Conjecture:

 

For any number (n ≥ 4) there exist two indivisible numbers p1 and p2 with the end goal that p1 + p2 = n. In a difficult we may have to locate the quantity of basically various sets (p1, p2), fulfilling the condition in the guess for a given considerably number n (4 ≤ n ≤ 2 15). (The word 'basically' implies that for each pair (p1, p2) we have p1 ≤p2.)

 

For instance, for n = 10 we have two such combines: 10 = 5 + 5 and 10 = 3 + 7.

To address this,as n ≤ 215 = 32768, we'll fill an exhibit primes[32768] utilizing capacity gen_primes. We are keen on primes, not more noteworthy than 32768.

 

The capacity FindSol(n) finds the quantity of various sets (p1, p2), for which n = p1 + p2. As p1 ≤ p2, we have p1 ≤ n/2. So to take care of the difficult we need to locate the quantity of sets (I, n - I), with the end goal that I and n - I are indivisible numbers and 2 ≤ I ≤ n/2.

int FindSol(int n) {

int i,res=0;

for(i=2;i<=n/2;i++)

on the off chance that (primes[i] && primes[n-i]) res++;

bring res back;

}

 

 

Euler's totient work

 

The quantity of positive numbers, not more prominent than n, and moderately prime with n, equivalents to Euler's totient work φ (n). In images we can express that

 

φ (n) ={a Î N: 1 ≤ a ≤ n, gcd(a, n) = 1}

 

This capacity has the accompanying properties:

 

On the off chance that p is prime, φ § = p - 1 and φ (dad) = p a * (1 - 1/p) for any a.

On the off chance that m and n are coprime, φ (m * n) = φ (m) * φ (n).

 

On the off chance that n = ,, Euler capacity can be discovered utilizing equation:

 

φ (n) = n * (1 - 1/p 1) * (1 - 1/p 2) * ... * (1 - 1/p k)

The capacity fi(n) finds the estimation of φ(n):

int fi(int n) {

int result = n;

for(int i=2;i*i <= n;i++) {

on the off chance that (n % I == 0) result - = result/I;

while (n % I == 0) n/= I;

}

in the event that (n > 1) result - = result/n;

bring result back;

}

 

For instance, to discover φ(616) we need to factorize the contention: 616 = 23 * 7 * 11. At that point, utilizing the equation, we'll get:

φ(616) = 616 * (1 - 1/2) * (1 - 1/7) * (1 - 1/11) = 616 * 1/2 * 6/7 * 10/11 = 240.

 

Let's assume you have a difficult that, for a given number n (0 < n ≤ 109), requests you to locate the number from positive numbers not as much as n and moderately prime to n. For instance, for n = 12 we have 4 such numbers: 1, 5, 7 and 11.

 

The arrangement: The quantity of positive whole numbers not as much as n and moderately prime to n equivalents to φ(n). In this issue, at that point, we need do just to assess Euler's totient work.

 

Or on the other hand consider a situation where you are approached to compute a capacity Answer(x, y), with x and y the two numbers in the reach [1, n], 1 ≤ n ≤ 50000. In the event that you know Answer(x, y), you can undoubtedly determine Answer(kx, ky) for any number k. In the present circumstance you need to know the number of estimations of Answer(x, y) you need to precalculate. The capacity Answer isn't symmetric.

 

For instance, if n = 4, you need to precalculate 11 qualities: Answer(1, 1), Answer(1, 2), Answer(2, 1), Answer(1, 3), Answer(2, 3), Answer(3, 2), Answer(3, 1), Answer(1, 4), Answer(3, 4), Answer(4, 3) and Answer(4, 1).

The arrangement here is to let res(i) be the base number of Answer(x, y) to precalculate, where x, y Î{1, ... , i}. Clearly res(1) = 1, since, in such a case that n = 1, it is sufficient to know Answer(1, 1). Tell we res(i). So for n = I + 1 we need to discover Answer(1, I + 1), Answer(2, I + 1), ... , Answer(i + 1, I + 1), Answer(i + 1, 1), Answer(i + 1, 2), ... , Answer(i + 1, I).