стр. 1(всего 2)СОДЕРЖАНИЕ >>
224 Solutions to Odd-Numbered Exercises 1.1вЂ“1.17

Solutions to Odd-Numbered Exercises

Section 1.1 (In the solutions, we will violate the convention of having plaintext in
lower case in order to increase readability due to the smaller font size we use herein.)

1.1 I THINK THEREFORE I AM
This is the phrase coined by the seventeenth century philosopher-mathematician
RenВґ Descartes, and may be said to be the signature of the basis of his reasoning.
e
It was originally given in Latin as: Cogito ergo sum.
1.3 BEHOLD THE SIGN
1.5 NON SEQUITUR
This is the Latin phrase for a conclusion that does not follow logically from the
premises.
1.7 TRUTH CONQUERS ALL THINGS
1.9 WAR IS IMMINENT
1.11 NEVER SAY ANYTHING
1.13 VANITY
1.15 Since

m = (01110011010010010011010000110000100011110000000011) =
(01110)(01101)(00100)(10011)(01000)
(01100)(00100)(01111)(00000)(00011),
then the decimal equivalents are

14, 13, 4, 19, 8, 12, 4, 15, 0, 3,

to which correspond the letters O, N, E, T, I, M, E, P, A, D, to give us the En-
glish plaintext:
1.17 Since k + c =

(11010111101111010101111011101011010) +

(10010100111110111011010011101101001) =
(01000011010001101110101000000110011) =
(01000)(01101)(00011)(01110)
(10100)(00001)(10011),
then the decimal equivalents are 8, 13, 3, 14, 20, 1, and 19. Hence, via Table
1.2, we get the English equivalents: I, N, D, O, U, B, T , to give us the English
plaintext:
IN DOUBT

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 1.19вЂ“1.47 225

1.19 Since k + c =

(11010111101111010101111011101011010) +

(11010100111110111110101011111001000) =
(00000011010001101011010000010010010) =
(00000)(01101)(00011)(01011)
(01000)(00100)(10010),
then the decimal equivalents are 0, 13, 3, 11, 8, 4, and 18. Hence, via Table
1.2, we get the English equivalents: A, N, D, L, I, E, S, to give us the English
plaintext: AND LIES

1.21 Since
k + c = (11010111101111010101111011101011010) +
(11111100000111110001010001111001011) =
(00101011101000100100101010010010001) =
(00101)(01110)(10001)(00100)
(10101)(00100)(10001),
then the decimal equivalents are 5, 14, 17, 4, 21, 4, and 17. Hence, via Table
1.2, we get the English equivalents: F, O, R, E, V, E, R, to give us the English
plaintext:
FOREVER
Section 1.2
1.23 SEARCH THE CAVES
1.25 BOMB THE CAMPS
1.27 SURROUND THE CITY
1.29 SHE CREATED A STATE
1.31 HE DESTROYED TOWNS
1.33 BOTH STRUGGLES END
1.35 FIND THE SECRET NOW
1.37 HAVE ANOTHER ONE
1.39 TRY TO REMEMBER
1.41 WHERE IS THE GOLD
Note that we discard the Z at the end since it was a п¬Ѓller to make the last triplet.
1.43 SUMMERTIME
Note that we discard two copies of Z at the end since they were used as п¬Ѓller to
make the last triplet.

1.45 LETвЂ™S ROLL
Note that the apostrophe is tacitly understood.
1.47 ALL EVIL DOERS FAIL

В© 2003 by CRC Press LLC
226 Solutions to Odd-Numbered Exercises 1.49вЂ“1.65

1.49 TRUST HIM
1.51 SPLENDID
1.53 FORGED SIGNATURES
1.55 GOOD DEEDS PREVAIL
1.57 FILLED WITH REGRET
1.59 We use induction on n. If n = 2, then b2 > 2b1 > b1 , so S = {b1 , b2 } is a
superincreasing sequence. Assume that

S = {b1 , b2 , . . . , bnв€’1 },

which satisп¬Ѓes
bj+1 > 2bj for 1 в‰¤ j в‰¤ n в€’ 2
is a superincreasing sequence. Suppose that bn > 2bnв€’1 . Since S is a superin-
creasing sequence, then
nв€’2 nв€’1
bn > bnв€’1 + bnв€’1 > bnв€’1 + bj = bj .
j=1 j=1

Hence, by induction all such sets are superincreasing sequences.
Section 1.3
1.61 The key is MATH, and the plaintext is:

NEVER SAY NEVER AGAIN UNDER ANY
CIRCUMSTANCES WHATSOEVER
1.63 The key is FIX, and the plaintext is:

CRYPTOGRAPHERS MAKE VERY HIGH SALARIES
Note that we throw away two copies of Z tacked on the end as п¬Ѓller to make up
the last trigram.
1.65 The key is FAIR, and the plaintext is:

JOHN NASH WAS A PIONEER OF GAME THEORY
Note that we throw away a Z tacked on the end as п¬Ѓller to make up the last
trigram.S1
S1 John Forbes Nash (1928вЂ“) was born June 13, 1928 in Blueп¬Ѓeld, West Virginia. He п¬Ѓrst
became interested in mathematics at the age of fourteen. He was inspired by BellвЂ™s book Men
of Mathematics . However, the mathematics that he learned at school bored him, and
coupled with his lack of social skills, caused his teachers to brand him as obtuse. In 1941,
Nash began the study of mathematics at Blueп¬Ѓeld College where his mathematical talent
began to shine through to his educators. John won a Westinghouse scholarship and entered
Carnegie Tech (now Carnegie-Mellon University) in June 1945, where he intended to study
chemical engineering. Yet, his absorption into mathematics deepened, so he took courses in
tensor calculus and relativity, the latter being taught by the new head of department, John
Synge, who along with other professors in mathematics, saw NashвЂ™s considerable talent and

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 1.67вЂ“2.3 227

1.67 The key is GOLD, and the plaintext is:

ALL THAT GLITTERS IS NOT GOLD BUT
PLATINUM IS ALWAYS PRECIOUS
Note that we throw away a Z tacked on the end as п¬Ѓller to make up the last
trigram.
Section 2.1
2.1 There are at most two solutions modulo a given prime. Thus, by the Chinese
Remainder Theorem there will be at most four modulo pq. We now exhibit
those four. We need only show that

В±(xpa(q+1)/4 + yqa(p+1)/4 )
are square roots of a modulo pq since the other case has the same argument.
We have

(xpa(q+1)/4 + yqa(p+1)/4 )2 в‰Ў x2 p2 a(q+1)/2 + y 2 q 2 a(p+1)/2 в‰Ў

x2 p2 z q+1 + y 2 q 2 z p+1 в‰Ў z 2 (x2 p2 z qв€’1 + y 2 q 2 z pв€’1 ) (mod n),
and since z pв€’1 в‰Ў 1 (mod p) and z qв€’1 в‰Ў 1 (mod q), then this is congruent to:

z 2 (x2 p2 + y 2 q 2 ) в‰Ў z 2 (xp + yq)2 в‰Ў z 2 в‰Ў a (mod n).

2.3 Alice selects m = 21 and sends w в‰Ў m2 в‰Ў 441 (mod n) to Bob. Bob selects c = 0
and sends it to Alice who computes r = 21, which gets sent back to Bob, who
computes r2 в‰Ў 441 в‰Ў w В· tc (mod n). Thus we set a = 1 and execute another
A
round.
countenanced him to continue his mathematical journey. In 1948, he received a B.A. and an
M.A. in mathematics. In September 1948, he accepted a prestigious fellowship from Lefshetz,
head of the Mathematics Department at Princeton, to take up doctoral studies. During his
studies in 1949, he wrote a paper that would, forty-п¬Ѓve years later, earn him the Nobel prize
in economics. In 1950, he was granted his Ph.D. for a thesis called Non-Cooperative Games.
In the summer of that year, he was working for RAND Corporation, where he worked from
time to time over the later years. In 1952, he was teaching at MIT where he met Eleanor
Stier with whom he had a son on June 19, 1953. However, despite her persuasions, he did not
marry her. He did marry one of his students, Alicia Larde, in February 1957. By the end of
1958, with Alicia pregnant, he began a decline into schizophrenia. (The term Schizophrenia
was coined by Eugene Bleuler in 1908 to mean a вЂњspeciп¬Ѓc type of alteration of thinking, feeling
and relation to the external worldвЂќ.) An example of his descent into mental illness is given by
the following anecdote. One winter morning at MIT in 1959 he entered the lounge carrying
the New York Times and commented that the story in the upper left-hand corner of the
front page contained an enciphered message from extra-terrestrials, a message that only he
could decrypt. He saw hidden messages in everyday life that were symptoms of his delusions.
For decades, Nash was in and out of hospitals for treatment. Amazingly, his mathematical
battle with the disease. In 1994, he won (jointly with Harsanyi and Selten) the Nobel Prize
in Economics for his research in game theory. By 1999, he was also honoured with the I. P.
Steele Prize by the American Mathematical Society for a вЂњseminal contribution to researchвЂќ.
For more on his life, the book: A Beautiful Mind  is recommended as is the movie of
the same name starring Russell Crowe who won a Golden Globe award on January 20, 2002,
for his penetrating portrayal of NashвЂ™s life.

В© 2003 by CRC Press LLC
228 Solutions to Odd-Numbered Exercises 2.3вЂ“2.23

Alice selects m = 12 and sends w = 144 to Bob. Bob selects c = 1, which Alice
subsequently uses to compute r в‰Ў 12 В· 111 в‰Ў 1332 (mod n) and sends r to Bob,
who then B veriп¬Ѓes that

r2 в‰Ў 757855 в‰Ў 144 В· 12321 в‰Ў w В· tc (mod n).
A

Since a is now set to zero, Bob accepts AliceвЂ™s proof.
Section 2.2
2.5 First, note that we have for each i = 0, 1, . . . , aj в€’ 1,
aj в€’1
(j)
b k pk
xi = (S1)
j
k=i

and
ОІi = О±xi ,
so
(pв€’1)/pi+1 i+1
в‰Ў О±(pв€’1)xi /pj
j
ОІi (mod p).
Thus, it suп¬ѓces to prove:
(j)
i+1
О±(pв€’1)xi /pj в‰Ў О±(pв€’1)bi /pj
(mod p),

which holds precisely when
(j)
(p в€’ 1)bi
(p в€’ 1)xi
в‰Ў (mod p в€’ 1)
i+1
pj
pj

by FermatвЂ™s Little Theorem. From (S1),
(j)
(p в€’ 1)(xi в€’ pi bi )
(j)
(p в€’ 1)bi
(p в€’ 1)xi j
в€’ = =
i+1 i+1
pj
pj pj
пЈ« пЈ¶ пЈ« пЈ¶
aj в€’1 aj в€’1
pв€’1 пЈ­
bk pk в€’ bi pi пЈё = (p в€’ 1) пЈ­ bk pkв€’iв€’1 пЈё ,
(j) (j) (j)
j j j
i+1
pj k=i k=i+1

which is congruent to 0 modulo p в€’ 1.
2.7 log2 (19) в‰Ў 35 (mod 37).
2.9 log3 (31) в‰Ў 1176 (mod 1579).
2.11 log3 (7) в‰Ў 1227 (mod 1721).
2.13 log10 (3) в‰Ў 813 (mod 1783).
2.15 log14 (5) в‰Ў 718 (mod 1871).
2.17 log23 (3) в‰Ў 490 (mod 2161).
2.19 log13 (2) в‰Ў 1300 (mod 2351).
2.21 log19 (3) в‰Ў 1402 (mod 2689).
2.23 log22 (3) в‰Ў 2314 (mod 3361).

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 2.25вЂ“3.11 229

Section 2.3
2.25 69.
2.27 91.
2.29 7.
2.31 First, we determine d, the deciphering key, by using the Euclidean algorithm to
solve 69d + 166x = 1, and d = 77, x = в€’32 yields the least positive value of d, so
we decipher via 8577 в‰Ў 12 (mod 167), 5077 в‰Ў 4 (mod 167), 9677 в‰Ў 18 (mod 167),
077 в‰Ў 0 (mod 167), and 2777 в‰Ў 6 (mod 167). Thus, via Table 1.2, we get the
letter equivalents of 12, 4, 18, 18, 0, 6, 4 to be

MESSAGE.

2.33 As in Exercise 2.31, we determine that d = 1053 and decipher to get plaintext
numerical equivalents 8, 13, 19, 0, 2, 19, which decrypt to

INTACT.

2.35 k = 2245.
2.37 k = 2902.
2.39 k = 871.
2.41 k = 1876.
2.43 k = 571.
2.45 k = 637.
2.47 k = 2425.
Section 3.1
3.1 By solving 7d + 16600y = 1, where (p в€’ 1)(q в€’ 1) = 16600, we get that d = 4743
with y = в€’2. Thus, x = 8081.
3.3 As in Exercise 3.1 above, 7d + 33820y = 1, yields d = 9663, y = в€’2, and x = 723.
3.5 As above, 7d + 1082400y = 1, yields d = 773143, y = в€’5, and x = 315043.
3.7 As above, 7d + 3706560y = 1, yields d = 2647543, y = в€’5, and x = 168536.
3.9 As above, 5d + 4726896y = 1, yields d = 3781517, y = в€’4, and x = 4598308.
3.11 Since ed в‰Ў 1 (mod (p в€’ 1)(q в€’ 1)), there exists a g в€€ Z such that

ed = 1 + g(p в€’ 1)(q в€’ 1).

If p x, then by FermatвЂ™s Little Theorem, xpв€’1 в‰Ў 1 (mod p). Hence,

xed в‰Ў x1+g(pв€’1)(qв€’1) в‰Ў x(xg(qв€’1) )pв€’1 в‰Ў x (mod p). (S2)

If p x, then (S2) holds again since x в‰Ў 0 (mod p). Hence,

xed в‰Ў x (mod p)

for any x. Similarly, xed в‰Ў x (mod q). Since p = q, xed в‰Ў x (mod n). Thus,

(xe )d в‰Ў xed в‰Ў x (mod n).

В© 2003 by CRC Press LLC
230 Solutions to Odd-Numbered Exercises 3.13вЂ“3.27

d
3.13 Since x в‰Ў c в‰Ў cd (y e )d в‰Ў xy (mod n), then Mallory computes

x в‰Ў x y в€’1 (mod n).

Section 3.2
3.15 Let в€€ N be the least value such that n < N +1 . Such an must exist since
n в€€ N and N > 1. Moreover, is unique. If n < N , then this contradicts the
minimality of + 1 in this regard. Thus, N в‰¤ n < N +1 since n > N .
3.17 Let k > be chosen, so that N k в‰Ґ N +1 > n, and suppose that we have a
plaintext message blocks m, m1 such that m > n. Then if

me в‰Ў me (mod n),
1

we get, upon decryption m в‰Ў med в‰Ў med в‰Ў m1 (mod n). Thus, there is a
1
nonnegative integer r such that m = m1 + nr. However, m > n, so r > 0.
Hence, the same ciphertext block c в‰Ў me в‰Ў me (mod n) will yield (at least) two
1
diп¬Ђerent plaintext messages, m and m в€’ nr, only one of which will be correct.
As an illustration, if k = 3 = + 1 in Example 3.10, then POW has 3-digit
base 26 numerical equivalent 15 В· 262 + 14 В· 26 + 23 = 10526, which enciphers as
10526701 в‰Ў 1420 (mod 1943). However, deciphering yields

142029 в‰Ў 811 (mod 1943),

and of the values 811 + 1943j for j = 0, 1, 2, 3, 4, 5, only j = 5 yields 10526.
3.19 Using the solution of Exercise 3.14, we know that p = 3371 and q = 3449.
3.21 As in Exercise 3.19, we have p = 4651 and q = 5003.
3.23 As in Exercise 3.19, we have p = 5657 and q = 6397.
3.25 As in Exercise 3.19, we have p = 9203 and q = 9533.
3.27 We write the cryptogram as 5-digit base 26 integers since = 4:

EGSIO = 4 В· 264 + 6 В· 263 + 18 В· 262 + 8 В· 26 + 14 = 1945750,

XEWXG = 23 В· 264 + 4 В· 263 + 22 В· 262 + 23 В· 26 + 6 = 10596228,
and

DPXMA = 3 В· 264 + 15 В· 263 + 23 В· 262 + 12 В· 26 + 0 = 1650428.

Then determine the deciphering key via ed+П†(n)x = 11d+10758720 = 1, which
gives d = 1956131 (for x = в€’2). Thus, deciphering:

1945750d в‰Ў 111414 (mod n), 10596228d в‰Ў 213617 (mod n),

and 1650428d в‰Ў 301506 (mod n).
Also, since
111414 = 6 В· 263 + 8 В· 262 + 21 В· 26 + 4 = GIVE
213617 = 12 В· 263 + 4 В· 262 + 0 В· 26 + 1 = MEAB,
301506 = 17 В· 263 + 4 В· 262 + 0 В· 26 + 10 = REAK,
we have the plaintext: GIVE ME A BREAK.

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 3.29вЂ“3.39 231

3.29 As in Exercise 3.27, we write:

FENFL = 5 В· 264 + 4 В· 263 + 13 В· 262 + 5 В· 26 + 11 = 2364113,

PLNMZ = 15 В· 264 + 11 В· 263 + 13 В· 262 + 12 В· 26 + 25 = 7057101,
and

XLMPS = 23 В· 264 + 11 В· 263 + 12 В· 262 + 15 В· 26 + 18 = 10712304.

Thus, deciphering:

2364113d в‰Ў 2122640 (mod n), 7057101d в‰Ў 199958 (mod n),

and 10712304d в‰Ў 339408 (mod n),
and since,

2122640 = 4 В· 263 + 16 В· 262 + 20 В· 26 + 0 = EQUA

199958 = 11 В· 263 + 9 В· 262 + 20 В· 26 + 18 = LJUS,
339408 = 19 В· 263 + 8 В· 262 + 2 В· 26 + 4 = TICE,
we have the plaintext: EQUAL JUSTICE.
3.31 As above:

BOTDT = 1 В· 264 + 14 В· 263 + 19 В· 262 + 3 В· 26 + 19 = 715981,

and
ICBYJ = 8 В· 264 + 2 В· 263 + 1 В· 262 + 24 В· 26 + 9 = 3692269,
and deciphering:

715981d в‰Ў 93634 (mod n), and 3692269d в‰Ў 321207 (mod n).

Then,
93634 = 5 В· 263 + 8 В· 262 + 13 В· 26 + 8 = FINI
321207 = 18 В· 263 + 7 В· 262 + 4 В· 26 + 3 = SHED,
so the plaintext is FINISHED.
Section 3.3
3.33 (О±b )pв€’1в€’a = 32409в€’1в€’6 в‰Ў 379 (mod 409), and

(О±b )в€’a mО±ab в‰Ў 379 В· 12 в‰Ў 49 = m (mod 409).

3.35 (О±b )pв€’1в€’a = 512941в€’1в€’14 в‰Ў 864 (mod 941), and

(О±b )в€’a mО±ab в‰Ў 864 В· 303 в‰Ў 194 = m (mod 941).

3.37 (О±b )в€’a = (3, 3, 2)в€’44 = (1, 4, 1), so

О±в€’ab mО±ab = (1, 4, 1)(0, 2, 1) = (4, 4, 4) = m.

3.39 (О±b )в€’a = (0, 3, 1)в€’24 = (1, 0, 0), so

О±в€’ab mО±ab = (1, 0, 0)(4, 0, 4) = (0, 1, 0) = m.

В© 2003 by CRC Press LLC
232 Solutions to Odd-Numbered Exercises 3.41вЂ“3.59

3.41 Mallory intercepts meA and encrypts with his own enciphering key meA eM . Then
he sends it back to Alice, impersonating Bob. Alice, thinking it is Bob, sends
back meA eM dA = meM , which Mallory intercepts. He then easily decrypts via
his deciphering key to get meM dM = m. This demonstrates how easily the
system is compromised by such an attack and why it requires more security, in
terms of authentication of communicating entities, if it is to be used.
3.43 Bob has public key (p, О±, О±a ) = (15485863, 6, 7776), which Alice obtains. She
converts the English plaintext via Table 1.2 on page 3 to the numerical equiv-
alents: 19, 14, 3, 0, 24. Since 265 < p < 266 , she can represent the plaintext
message as a single 5-digit base 26 integer:

19 В· 264 + 14 В· 263 + 3 В· 262 + 0 В· 26 + 24 = 8930660.

She п¬Ѓrst computes О±b = 669 в‰Ў 13733130 (mod p), then

mО±ab в‰Ў 8930660 В· 777669 в‰Ў 4578170 (mod p).

She sends c = (13733130, 4578170) to Bob. He uses his private key to compute

(О±b )pв€’1в€’a в‰Ў 137331301548585863в€’1в€’5 в‰Ў 2620662 (mod p)

and
(О±b )в€’a mО±ab в‰Ў 2620662 В· 4578170 в‰Ў 8930660 в‰Ў m (mod p),
and using Table 1.2, he converts back to the English plaintext.
Section 3.4
3.45 Since each entity needs both the enciphering key and deciphering key to be kept
secret, this is вЂњn choose 2вЂќ, namely, the binomial coeп¬ѓcient:

n
= n!/((n в€’ 2)!2!) = n(n в€’ 1)/2.
2

3.47 Since
(k )d в‰Ў 4019872802607 в‰Ў 234561 (mod n),
then k = (2, 3, 4, 5, 6, 1), from which we deduce that kв€’1 = (6, 1, 2, 3, 4, 5), so
kв€’1 (c) = (18, 8, 11, 21, 4, 17) = SILVER.
3.49 (k )d в‰Ў 1525853802607 в‰Ў 421653 (mod n), k = (4, 2, 1, 6, 5, 3), and kв€’1 =
(3, 2, 6, 1, 5, 4). Thus, kв€’1 (c) = (1, 0, 3, 9, 14, 1) = BAD JOB.
3.51 (k )d в‰Ў 7155548802607 в‰Ў 624315 (mod n), k = (6, 2, 4, 3, 1, 5), and kв€’1 =
(5, 2, 4, 3, 6, 1), so kв€’1 (c) = (5, 17, 8, 4, 13, 3) = FRIEND.
3.53 (k )d в‰Ў 371155802607 в‰Ў 214365 (mod n), k = (2, 1, 4, 3, 6, 5), and kв€’1 =
(2, 1, 4, 3, 6, 5), so kв€’1 (c) = (12, 14, 13, 8, 4, 18) = MONIES.
3.55 (k )d в‰Ў 8182887802607 в‰Ў 462135 (mod n), k = (4, 6, 2, 1, 3, 5), and kв€’1 =
(4, 3, 5, 1, 6, 2), so kв€’1 (c) = (0, 17, 0, 1, 8, 2) = ARABIC.
3.57 (k )d в‰Ў 4125753802607 в‰Ў 246351 (mod n), k = (2, 4, 6, 3, 5, 1), and kв€’1 =
(6, 1, 4, 2, 5, 3), so kв€’1 (c) = (7, 8, 19, 12, 0, 13) = HITMAN.
3.59 (k )d в‰Ў 1968543802607 в‰Ў 613245 (mod n), k = (6, 1, 3, 2, 4, 5), and kв€’1 =
(2, 4, 3, 5, 6, 1), so kв€’1 (c) = (3, 0, 17, 10, 4, 17) = DARKER.

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 3.61вЂ“4.9 233

3.61 (k )d в‰Ў 7066510802607 в‰Ў 415263 (mod n), k = (4, 1, 5, 2, 6, 3), and kв€’1 =
(2, 4, 6, 1, 3, 5), so kв€’1 (c) = (25, 4, 1, 17, 0, 18) = ZEBRAS.
Section 4.2
e
4.1 Let p|n be prime and set c = m(nв€’1)/q where q is a prime, e в€€ N and q e ||b. There-
e eв€’1
fore, since gcd(m(nв€’1)/q в€’ 1, n) = 1, cq в‰Ў 1 (mod p), but cq в‰Ў 1 (mod p).
Thus, ordp (c) = q e , so q e (p в€’ 1) by Proposition C.19. Since q was arbitrarily
в€љ
chosen, p в‰Ў 1 (mod b). For the last assertion of the exercise, assume b > n в€’
в€љ
1, but n is composite. Let p be the smallest prime dividing n. Then p в‰¤ n, so
в€љ в€љ
n в‰Ґ p > b в‰Ґ n, a contradiction. Hence, n is prime.
4.3 If n is prime, then by Exercise 4.1 we have the result with m = mq for all q (nв€’1).
Conversely, if such mq exist, then by the Chinese Remainder Theorem, we may
п¬Ѓnd a solution x = m to the system of congruences

x в‰Ў mq (mod q e )

for all primes q such that q e ||(n в€’ 1). Thus, the result now follows from Exercise
4.1.
4.5 If Fn is prime, the result follows from Exercise 4.4. Conversely, if p be a prime
Fn в€’1 Fn в€’1
в‰Ў в€’1 (mod p), so 3 2 в‰Ў в€’1 (mod p). If b =
divisor of Fn , then 3 2
ordp (3), then b (Fn в€’ 1) by Proposition C.19. Thus b = 2m for some integer
m with 1 в‰¤ m в‰¤ 2n . Suppose that m = 2n . Then
2n в€’1 2n в€’mв€’1
m
в€’1 в‰Ў 32 = (32 )2 в‰Ў 1 (mod p),

so p = 2, a contradiction. Hence,
n
ordp (3) = 22 = Fn в€’ 1.

By FermatвЂ™s Little Theorem and Proposition C.19, ordp (3)|pв€’1. Hence, p = Fn .
4.7 Assume п¬Ѓrst that (pj в€’ 1) (n в€’ 1) for all j = 1, 2, . . . , r. If gcd(a, n) = 1, then
gcd(a, pj ) = 1 for all j = 1, 2, . . . , r. Thus, apj в€’1 в‰Ў 1 (mod pj ), by FermatвЂ™s
Little Theorem. Since n в€’ 1 = mj (pj в€’ 1) for some mj в€€ N,

anв€’1 в‰Ў amj (pj в€’1) в‰Ў (apj в€’1 )mj в‰Ў 1 (mod pj ).
r
Hence, anв€’1 в‰Ў 1 (mod namely, anв€’1 в‰Ў 1 (mod n).
j=1 pj ),
в‰Ў 1 (mod n) for each a with gcd(a, n) = 1. In
nв€’1
Conversely, suppose that a
particular, if a is a primitive root modulo p, for any prime divisor p of n, then
(p в€’ 1) (n в€’ 1), by Proposition C.19 on page 216.

Section 4.3
4.9 If b2 в‰Ў 1 (mod pa ), then pa (b + 1)(b в€’ 1). Notice that p cannot divide both
(bв€’1) and b+1 since that would mean bв€’1 в‰Ў b+1 (mod p). so в€’1 в‰Ў 1 (mod p),
forcing p = 2, a contradiction. Thus, either pa (b в€’ 1) or pa (b + 1). In other
words, b в‰Ў В±1 (mod pa ). Conversely, if b в‰Ў В±1 (mod pa ), then b2 в‰Ў 1 (mod pa ).

В© 2003 by CRC Press LLC
234 Solutions to Odd-Numbered Exercises 4.11вЂ“4.27

4.11 They are both Carmichael numbers for the following reasons, using Exercise 4.7.
For n = 8911 = 7 В· 19 В· 67, each of 6, 18 and 66 divide n в€’ 1. For n = 10585 =
5 В· 29 В· 73, all of 4, 28, and 72 divide n в€’ 1. Also, 10585 is an Euler pseudoprime
to base 2 since
2
в‰Ў 25292 (mod 10585).
10585
4.13 By Exercise 4.8, E(n) is a subgroup of (Z/nZ)в€— . Since the cardinality of (Z/nZ)в€—
is П†(n) by Example C.17, and since n is composite, then E(n) = (Z/nZ)в€— by
Exercise 4.12, so E(n) is a proper subgroup of (Z/nZ)в€— . Thus, by Example
C.17, |E(n)| П†(n). Hence, |E(n)| в‰¤ П†(n)/2 since |E(n)| = П†(n) and П†(n) is
even when n > 2.
4.15 Since, by repeated squaring, we get 214670 в‰Ў в€’1 (mod 29341) and ( 29341 ) = в€’1,
2

then 29341 is an Euler pseudoprime to base 2 since 29341 = 13 В· 37 В· 61.
4.17 As above, we get, 231372 в‰Ў 1 в‰Ў ( 62745 ) (mod 62745), and since 62745 = 3 В· 5 В·
2

47 В· 89, then 62745 is an Euler pseudoprime to base 2.
4.19 Let n = 2821. Then by the repeated squaring method, we determine that
31410 в‰Ў 1 в‰Ў ( 2821 ) (mod 2821). Since 2821 = 7 В· 13 В· 31, then 2821 is an Euler
3

pseudoprime to base 3. Moreover, since 6, 12, and 30 all divide n в€’ 1 = 2820,
then by Exercise 4.7, 2821 is a Carmichael number.
Section 4.4
4.21 If n в€€ spsp(a), then ad в‰Ў 1 (mod n) for some divisor d of n в€’ 1. Thus,
(ad )(nв€’1)/d в‰Ў 1(nв€’1)/d в‰Ў 1 (mod n), whence n в€€ psp(a).
4.23 Let g = gcd((x в€’ y), n). We need only show that g = 1, n. If g = 1, then
since n (x в€’ y)(x + y), we must have n (x + y), contradicting the hypothesis
that x в‰Ў в€’y (mod n). If g = n, then x в‰Ў y (mod n), a contradiction to the
hypothesis that x в‰Ў y (mod n). Hence, since g n, it is a nontrivial factor of it.
4.25 Each is a strong pseudoprime to base 2 for the following reasons. For n = 15841,
n в€’ 1 = 25 В· 495 and 2495 в‰Ў 1 (mod n). For n = 29341, n в€’ 1 = 22 В· 7335 and
22В·7335 в‰Ў в€’1 (mod n), while 27335 в‰Ў В±1 (mod n). For n = 52633, n в€’ 1 = 23 В·
6579 and 26579 в‰Ў 1 (mod n). For n = 252601, n в€’ 1 = 23 В· 31575, and we have
both 22В·31575 в‰Ў в€’1 (mod n) and 231575 в‰Ў В±1 (mod n).
They are all Carmichael numbers for the following reasons, using Exercise 4.7.
For n = 15841 = 7 В· 31 В· 73, all of 6, 30, and 72 divide n в€’ 1. For n = 29341 =
13 В· 67 В· 61, all of 12, 66, and 60 divide n в€’ 1. For n = 52633 = 7 В· 73 В· 103, all
of 6, 72, and 102 divide n в€’ 1. For n = 252601 = 41 В· 61 В· 101, all of 40, 60, and
100 divide n в€’ 1.
4.27 Let n be a Carmichael number that is a strong pseudoprime to every base a
prime to n. Furthermore, suppose that n в€’ 1 = 2t m where t в€€ N and m is odd.
Let a be a primitive root modulo any prime p dividing n. If am в‰Ў 1 (mod n),
then am в‰Ў 1 (mod p). However, since a is a primitive root modulo p, then by
Proposition C.19, (p в€’ 1) m, a contradiction. Suppose that there exists a
j j+1
value of j such that 0 в‰¤ j в‰¤ t в€’ 1, and a2 в‰Ў в€’1 (mod n). Then a2 в‰Ў1
m m

(mod p), so (p в€’ 1) (2j+1 m) as above. Thus,
j j+1 j+1
в€’1 в‰Ў a2 m
в‰Ў (a(pв€’1)/2 )(2 m)/(pв€’1)
в‰Ў (в€’1)2 m
в‰Ў 1 (mod p),

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 4.27вЂ“5.5 235

a contradiction since p is odd. Hence, no such Carmichael number can exist.
4.29 For a = 2 we have n в€’ 1 = 24 В· 35; 235 в‰Ў 263 (mod 561); 22В·35 в‰Ў 166 (mod 561);
24В·35 в‰Ў 67 (mod 561); and 28В·35 в‰Ў 1 (mod 561). Hence, 561 is composite by the
strong pseudoprimality test.
4.31 Since 120 = 23 В· 15 and 315 в‰Ў 1 (mod 121), then 121 is a strong pseudoprime to
base 3.
4.33 Since 24 = 23 В· 3; 73 в‰Ў 18 (mod 25); and 182 в‰Ў в€’1 (mod 25), then 25 is a strong
pseudoprime to base 7.
4.35 Since a(nв€’1)/2 в‰Ў ( n ) (mod n), then anв€’1 в‰Ў 1 (mod n).
a

4.37 If n = pb в€€ psp(a), and n в€’ 1 = 2t m where m is odd, then

(a(nв€’1)/2 )2 в‰Ў 1 (mod n),

so by Exercise 4.9, a(nв€’1)/2 в‰Ў В±1 (mod n). If a(nв€’1)/2 в‰Ў 1 (mod n), and n в€’ 1
is even we repeat the above argument to get a(nв€’1)/4 в‰Ў В±1 (mod n) and keep
repeating it which ultimately achieves that n в€€ spsp(a). The converse follows
from Exercise 4.21.
Section 5.1
a
5.1 We use induction on a to show that x2 в‰Ў 1 (mod 2a+2 ) for all odd x в€€ Z. If
a = 1, then it is easy to see that x2 в‰Ў 1 (mod 8), so we may assume that
aв€’1
x2 в‰Ў 1 (mod 2a+1 ).
a
Therefore, x2 = (1 + 2a+1 t)2 for some t в€€ Z. In other words,
a
x2 в‰Ў 1 (mod 2a+2 ).
a
5.3 Let n = r pj j be a prime factorization of n, with p1 = 2. By Exercise 5.2,
j=1
О»(n) is a universal exponent for n. We must prove that it is minimal. Let gj be
a
a primitive root modulo pj j for each j = 2, 3, . . . , r, which exist by the Primitive
Root Theorem C.21 on page 216. Thus, by the Chinese Remainder Theorem
C.13, the system of congruences
a
x в‰Ў 3 (mod 2a1 ), and x в‰Ў gj (mod pj j ), (2 в‰¤ j в‰¤ r),

has a solution x = a which is unique modulo n. If am в‰Ў 1 (mod n) for some
a
m в€€ N, then am в‰Ў 1 (mod pj j ) for each j, so ordpaj (a) m, by Proposition C.19.
j
a
Thus, since a satisп¬Ѓes the r congruences above, then О»(pj j ) = ordpaj (a). Hence,
j
a
О»(pj j ) m for all j. Therefore, О»(n) m. We have shown that О»(n) = ordn (a).

5.5 We have e = 25 В· 405. Choose a = 2 and compute 2405 в‰Ў 1 (mod n), so we go to
step (1) and choose another base, a = 3. We compute

x0 в‰Ў 3405 в‰Ў 2820 (mod n),

then x1 в‰Ў 28202 в‰Ў 218 (mod n), and x2 в‰Ў 2182 в‰Ў 1 (mod n). Since we know
that x1 в‰Ў В±1 (mod n), then gcd(217, 15841) = 217 is a factor of n. Indeed
n = 217 В· 73.

В© 2003 by CRC Press LLC
236 Solutions to Odd-Numbered Exercises 5.7вЂ“5.19

5.7 Since e = 22 В· 26643, we may try a = 2 and compute,

x0 в‰Ў 226643 в‰Ў 25719 в‰Ў В±1 (mod n),

then x1 в‰Ў 257192 в‰Ў 1 (mod n). Hence, gcd(25718, 107381) = 167 is a factor of
n. In fact, n = 167 В· 643.
5.9 Since e = 23 В· 1831595, then we choose a base a = 3 and compute as follows where
all congruences are assumed modulo n.

x0 в‰Ў 31831595 в‰Ў 10750120; x1 в‰Ў 107501202 в‰Ў 13251402;

and x2 в‰Ў 132514022 в‰Ў 1. Since x1 в‰Ў В±1, then gcd(n, 13251401) = 3371, and
n = 3371 В· 4349.
5.11 Since e = 2 В· 223713, then we choose a = 2 and compute the following where all
congruences ae modulo n. Since 2223713 в‰Ў 1, we need a new base. We select
a = 3 and compute

x0 в‰Ў 3223713 в‰Ў 23944214; x1 в‰Ў 239442142 в‰Ў 1,

and since x0 в‰Ў В±1, then gcd(x0 в€’ 1, n) = 7103 n. Indeed n = 6679 В· 7103.

5.13 We have that e = 23 В· 1600875 and we select a = 2 to compute the following
where all congruences are modulo n. Since x0 в‰Ў 21600875 в‰Ў 76859538 в‰Ў в€’1, we
must choose a new base a = 3.Then

31600875 в‰Ў 44940756; x1 в‰Ў x2 в‰Ў 9649071; x2 в‰Ў x2 в‰Ў 1;
0 1

and since x1 в‰Ў В±1, then gcd(x1 в€’ 1, n) = 8539 n, and n = 8539 В· 9001.
5.15 Since 3 is a primitive root of F6 = 18446744073709551617 if n is prime,
then we know that 3e/2 в‰Ў в€’1 (mod n) if indeed it is prime. By repeated
squaring, we calculate that 3e/2 в‰Ў 3653528722731049759 в‰Ў В±1 (mod n), so
gcd(3653528722731049758, n) = 274177 n. Indeed we now have factored the
sixth Fermat number since

F6 = 274177 В· 67280421310721.

Section 5.2
5.17 We check that gcd(aj в€’ 1, n) = 1 for all j = 1, 2, . . . , 6, then

a7 в‰Ў 86977 в‰Ў 4747 (mod n),

gcd(4746, n) = 113, and n = 113 В· 107. Note that 112 = 24 В· 7 is B-smooth.
5.19 We compute that gcd(aj в€’ 1, n) = 1 for j = 1, 2, . . . , 7. Then we check that

a8 в‰Ў 324948 в‰Ў 12320 (mod n),

gcd(12319, 37151) = 97, and n = 97 В· 383. Here 96 = 25 В· 3 is B-smooth.

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 5.21вЂ“5.23 237

5.21 Randomly select a1 = 614, then

b1 в‰Ў 6142 в‰Ў 840 в‰Ў 23 В· 3 В· 5 В· 7 (mod n),

so b1 is 7-smooth, and we keep it. Randomly select a2 = 51 and compute
512 в‰Ў 2601 (mod n), which is not 7-smooth since it is divisible by only 3 from
S4 and is not a perfect power of 3, so we discard it. Randomly select a2 = 1009
and compute
b2 в‰Ў 10092 в‰Ў 2 В· 3 В· 53 (mod n),
which is then saved. Randomly select a3 = 45 and compute

b3 в‰Ў 452 в‰Ў 34 В· 52 (mod n),

which is saved. Randomly select a4 = 56 and compute

b4 в‰Ў 562 в‰Ў 26 В· 72 (mod n),

and it is kept. Randomly select a5 = 100 and compute 1002 в‰Ў 1451 (mod n),
which is not divisible by any of the primes in S4 so it is discarded. Randomly
select a5 = 983 and compute

b5 в‰Ў 9832 в‰Ў 22 В· 32 В· 7 (mod n),

and save it. We have reached r + 1 = 5 such bi , so we now search for the subset
T. Notice that b3 and b4 are squares themselves. However, for b3 , x = 45,
y = 32 В· 5 and x в€’ y = 0. Similarly for b4 , the same thing happens, so we need
another subset. We see that if we choose T = {1, 2, 5}, then we get

bi в‰Ў 6142 В· 10092 В· 9832 в‰Ў 26 В· 34 В· 54 В· 72 (mod n).
iв€€T

Thus,
xв‰Ў ai в‰Ў 614 В· 1009 В· 983 в‰Ў 6043 (mod n),
iв€€T

and
y в‰Ў 23 В· 32 В· 52 В· 7 в‰Ў 4051 (mod n).
Thus x2 в‰Ў y 2 (mod n) and

gcd(x в€’ y, n) = gcd(6043 в€’ 4051, 8549) = gcd(1992, 8549) = 83.

In fact, 8549 = 83 В· 103. Of course, sometimes luck plays a role. Suppose that
the п¬Ѓrst random choice that we made was a1 = 744. Then since

7442 в‰Ў 28 В· 52 (mod n)

and gcd(744 в€’ 24 В· 5, n) = gcd(664, 8549) = 83, then we have a quick and simple
factorization. However, one cannot rely on luck alone, and this is unlikely to
happen for the large numbers that are used in practice.
Section 5.3
5.23 6P = (2238, 2448)

В© 2003 by CRC Press LLC
238 Solutions to Odd-Numbered Exercises 5.25вЂ“6.1

5.25 Since each point jP = (xj , yj ) on E(Z/nZ) has at most n2 possibilities for any
j, then there exists a value k such that jP = kP .
5.27 Let = qk + s where 0 в‰¤ s < k. Since kP = o, then qkP = o. Therefore, by
Exercise 5.26, ( в€’ qk)P = sP = o. However, since s < k and k is the least
positive such value, then s = 0, and we have proved that k .
5.29 2P в‰Ў (9в€’1 , в€’82 В· 27в€’1 ) в‰Ў (442, 2501) (mod n). However, to compute 6P we
must compute 4P в‰Ў (в€’26567/242064, 352876013/119095488) в‰Ў o (mod n) since
gcd(242064, 3977) = 41, and indeed 3977 = 41 В· 97.
5.31 2P в‰Ў (4055, 10810) (mod n) and 4P в‰Ў (363, 16880) (mod n), but
18984764783665 82719639550389910598
6P в‰Ў в‰Ў o (mod n)
,
25724631321 4125947892943869
since gcd(25724631321, 18247) = 71, and 18247 = 71 В· 257.
5.33 We compute that 2P в‰Ў (4268, 11378) (mod n) and 4P в‰Ў (9877, 27743) (mod n),
but 6P is as in Exercise 5.31 and gcd((25724631321, 38411) = 71. We have
factored n = 38411 = 71 В· 541.
Section 5.4
5.35 Since (a) holds, then
в€љ в€љ в€љ
k
2(1/2k) i=1 (1/k)
k
2n 2n 2n
2
aв‰€ = = ,
M M M
i=1

so the п¬Ѓrst condition is satisп¬Ѓed in (5.11). Since b2 в‰Ў n (mod a2 ) given the
solution to the system of congruences via the Chinese Remainder Theorem,
then a2 (b2 в€’ n), so (b2 в€’ n)/a2 = c в€€ Z, which is the second condition. If
b в‰Ґ a2 /2, then replace b by b в€’ a2 , and we have |b| < a2 /2, which is the last
condition.
For the choices given, we set a = 11 В· 17 = 187, and compute b1 = 23 since
232 в‰Ў n (mod 112 ) and b2 = 79 since 792 в‰Ў n (mod 172 ). Then we use the
Chinese Remainder Theorem to solve b в‰Ў 23 (mod 112 ) and b в‰Ў 79 (mod 172 )
for b = 11639. Since b2 в‰Ў 31384 в‰Ў n (mod a2 ), then c = (b2 в€’ n)/a2 = 1802.
Section 6.1
r r
6.1 Let m1 = si /r and m2 = j=1 tj /r. First we observe that,
i=1

r r r
1
var({si }r ) 2
s2 + m2 =
(si в€’ m1 ) /r = в€’ 2m1
= si
i=1 i 1
r
i=1 i=1 i=1

r r r r r r
1 1 1
s2 s2 s2 в€’m2 ,
в€’ 2m1 в€’ m1
si + m1 si = si =
i i i 1
r r r
i=1 i=1 i=1 i=1 i=1 i=1
var({tj }r ) var({si }i=1 +{tj }j=1 ).
r r
and a similar result holds for and for There-
j=1
fore, if we let
r r r r
1 1
m= 2 (si + tj ) = 2 r si + r tj = m1 + m2 ,
r r
i=1 j=1 i=1 j=1

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 6.1вЂ“6.13 239

then
r r
1
var({si }r {tj }r ) (si + tj )2 в€’ (m1 + m2 )2 =
+ =2
i=1 j=1
r i=1 j=1

r r r
1
s2 r t2 в€’ (m1 + m2 )2 =
+ 2si tj +
i j
r2 i=1 j=1 j=1
r r r r
1 1 2
s2 t2 tj в€’ m2 в€’ m2 в€’ 2m1 m2 =
+ +2 si
i j 1 2
r r r
i=1 j=1 i=1 j=1
r r
1 1
s2 в€’ m2 + t2 в€’ m2 = var({si }r ) + var({tj }r ).
i 1 j 2 i=1 j=1
r r
i=1 j=1

Also, var({si }r ) = 0 = var({si }r ) for {si }ri=1 = {4, 4, 4, 4, }, since
i=1 i=1
m = 4, and for {tj }r = {5, 10, 50, 100}, var({tj }r ) = 23275/16 and
j=1 j=1

var({tj }r ) = 38.14.
j=1

Section 6.2
6.3 Using the Chinese remainder theorem, there is a solution to x в‰Ў ci в‰Ў m3 (mod ni )
for each i = 1, 2, 3. Since m3 < n1 n2 n3 , then x = m3 . By computing the cube
root of the integer x, we retrieve m.
6.5 We solve 1 = ed + П†(n)x = 5d + 5903364x and get d = 1180673 for x = в€’1.
6.7 As above, we solve 1 = ed + П†(n)x = 3d + 20734288x and get d = 13822859 for
x = в€’2.
6.9 As above, we solve 1 = ed + П†(n)x = 3d + 56579188x and get d = 37719459 for
x = в€’2.
6.11 Since d < П†(n), and 0 < m в‰¤ e, then Eve can multiply ed в€’ m(n в€’ p в€’ q + 1) = 1
by p and reduce modulo 2n/4 to get

(ed)p в€’ mp(n в€’ p + 1) + mn в‰Ў p (mod 2n/4 ),

which may be rewrite as

mnp2 в€’ (mn + m + 1 + ed)p + mn в‰Ў 0 (mod 2n/4 ).

Since Eve knows n/4 of the least signiп¬Ѓcant bits of d, she knows ed modulo 2n/4 .
Now Eve can try each of the possible values of p and use Theorem 6.8 to test
each one. Hence, after at most e log2 e trials, she has factored n.
Section 6.3
6.13 By Exercise 5.2 on page 95, aО»(n)+1 в‰Ў a (mod n) for all a prime to n. If p n,
then we need only show that p divides aО»(n)+1 в€’ a for each prime dividing n
since n is squarefree. However, aО»(n)+1 в‰Ў a в‰Ў 0 (mod p) for each such a. This
completes the proof. However, if n is not squarefree, then this does not hold in
general. For instance, if n = 12, then О»(12) = 2 and

10О»(12)+1 в‰Ў 103 в‰Ў 4 в‰Ў 10 (mod 12).

В© 2003 by CRC Press LLC
240 Solutions to Odd-Numbered Exercises 6.15вЂ“7.9

6.15 Since modular exponentiation is computationally easy using, for instance, the
repeated squaring method, but п¬Ѓnding f в€’1 (y) в‰Ў y d (mod n) is computationally
infeasible without knowledge of d, then this is a one-way, trapdoor function with
d as the trapdoor. See the discussion in Section 5.1, especially the discussion at
the bottom of page 94.
6.17 Use the extended Euclidean algorithm C.5 on page 213 on e and 2n to п¬Ѓnd
integers d and m such that ed + 2n m = 1. Then destroy all records of p, q,
n , and m , and keep d as the private key (trapdoor). Thus, me в‰Ў c (mod n) is
the enciphering function and cd в‰Ў m (mod n) is the deciphering function where
ed в‰Ў 1 (mod П†(n)).
Section 6.4
6.19 We have that n = 2AB + 1 = 307 and mnв€’1 в‰Ў 2306 в‰Ў 1 (mod n) and
gcd(m(nв€’1)/p , n) = gcd(218 в€’ 1, 307) = 1, so 307 is a provable prime and since
307 = (100110011)2 , it is a 9-bit prime.
6.21 Since n = 2AB + 1 = 2311, and 22310 в‰Ў 1 (mod n) with gcd(2462 в€’ 1, n) = 1,
then 2311 is a provable prime and 2311 = (100100000111)2 , which is 12 bits so
we are done.
6.23 (a) Since f : (Z/nZ)в€— в†’ (Z/nZ)в€— , then there are only п¬Ѓnitely many possibilities
for sa , so eventually sa+1 в‰Ў sj for some j в‰¤ .
jв€’1
(b) f (2) = (8, 512, 161, 2), so = 4 which is the answer to (c).
Section 7.1
7.1 Alice is identiп¬Ѓed since,

Оґ в‰Ў О±y v r в‰Ў О±k+er v r в‰Ў О±k+er О±в€’er в‰Ў О±k в‰Ў Оі (mod p).

7.3 Alice computes y в‰Ў k + er в‰Ў 1001 + 151 В· 512 (mod 1559), and Bob computes

Оґ в‰Ў О±y v r в‰Ў 49363 В· 460512 в‰Ў 502 в‰Ў Оі в‰Ў 501 (mod 3119),

so Bob rejects AliceвЂ™s proof of identity.
7.5 As above, y в‰Ў 4 + 8 В· 3 в‰Ў 11 (mod 17), and

Оґ в‰Ў 366811 В· 45083 в‰Ў 4104 в‰Ў Оі (mod 7481),

so Bob accepts AliceвЂ™s proof of identity.
7.7 In step (9), Bob must verify TrentвЂ™s signature. However, since v = v then s = s,
so verT (k) ((IA , v , s )) = 0, and Bob rejects the proof of identity.
7.9 Alice computes
y1 в‰Ў k1 + e1 r в‰Ў 10 + 25 В· 8 в‰Ў 1 (mod q)
y2 в‰Ў k2 + e2 r в‰Ў 9 + 27 В· 8 в‰Ў 5 (mod q),
and sends them to Bob who computes

Оґ в‰Ў О±11 В· О±22 В· v r в‰Ў 4431 В· 25415 В· 17688 в‰Ў 2490 в‰Ў Оі (mod p),
y y

so he accepts AliceвЂ™s proof of identity.

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 7.11вЂ“7.35 241

7.11 As above,
y1 в‰Ў 1007 + 998 В· 256 в‰Ў 1144 (mod q)
y2 в‰Ў 506 + 5 В· 256 в‰Ў 1786 (mod q).
Then Bob computes,

Оґ в‰Ў 251144 В· 11331786 В· 771256 в‰Ў 3009 в‰Ў Оі (mod p),

so Bob rejects AliceвЂ™s proof of identity.

Section 7.2
7.13 Since sigk (m)e в‰Ў 15971133 в‰Ў 911 в‰Ў m (mod 20497), then Bob accepts AliceвЂ™s
signature.
7.15 Since sigk (m)e в‰Ў 317905611 в‰Ў 116106 в‰Ў 1111 в‰Ў m (mod 58320), then Bob
rejects AliceвЂ™s signature.
7.17 We have, sd z в€’1 в‰Ў z ed md z в€’1 в‰Ў zmd z в€’1 в‰Ў md (mod n), since ed в‰Ў 1 (mod П†(n)).
Alice does not know if she is signing away her life savings or confessing to a
murder she did not commit. Hence, for her to sign blindly requires safeguards.
7.19 Оґ в‰Ў y ОІ ОІ Оі в‰Ў 11227 227207 в‰Ў 25 (mod p) and Пѓ в‰Ў О±m в‰Ў 52 в‰Ў 25 (mod p), so it is
accepted.
7.21 As above, Оґ в‰Ў 711330 33037 в‰Ў 495 (mod p), and Пѓ в‰Ў 11191 в‰Ў 495, so it is accepted.
7.23 We have,
в€’1
y ОІ1 ОІ1 1 в‰Ў О±aОІ1 О±(r1 +ar2 )Оі1 в‰Ў О±aОІ1 О±(r1 +ar2 )(в€’ОІ1 r2
Оі )
в‰Ў
в€’1 в€’1
О±aОІ1 О±в€’ОІ1 r1 r2 в€’ОІ1 a
в‰Ў О±в€’ОІ1 r1 r2 в‰Ў О±Оі1 r1 в‰Ў О±m1 (mod p).
7.25 Since ОІ, Оі, and m are known, then knowledge of r means that he may compute
a в‰Ў (m в€’ rОі)ОІ в€’1 (mod p в€’ 1).
7.27 When Alice sends her valid signature to Bob, we have:

Оґ в‰Ў О±Оі y h в‰Ў О±r+eh О±в€’eh в‰Ў О±r в‰Ў ОІ (mod p).

7.29 Bob computes Оґ в‰Ў О±Оі В· y h в‰Ў 12206 В· 1456101 в‰Ў 913 в‰Ў ОІ (mod p), so he accepts
AliceвЂ™s signature.
7.31 As above, Bob computes Оґ в‰Ў 107925 В· 42721 в‰Ў 1217 в‰Ў ОІ (mod p), so he accepts.
Section 7.3
7.33 Since we have that A is unique to Alice and

f Ak в‰Ў g11 g22 (g11 g22 )k в‰Ў g11 +ke1 g22 +ke2 в‰Ў g11 g22 (mod p),
f f e e f f

then AliceвЂ™s identity is indeed veriп¬Ѓed.
7.35 Since only the bank knows x, then only the bank can send a response satisfying
both
О±r в‰Ў О±xc+w в‰Ў (О±x )c О±w в‰Ў hc y2 (mod p)
and
Ar в‰Ў Axc+w в‰Ў (Ax )c Aw в‰Ў mc y3 (mod p).

В© 2003 by CRC Press LLC
242 Solutions to Odd-Numbered Exercises 7.37вЂ“8.5

7.37 By Exercise 7.34, XY в‰Ў y1 (mod p), and y1 в‰Ў Ax (mod p) with A в‰Ў 1 (mod p)
by step (1) of the protocol for opening AliceвЂ™s account. Also, x в€€ (Z/qZ)в€— , by
step (3) of the setup stage, so x в‰Ў 0 (mod q), which completes the proof.

Section 8.1
8.1 First we observe that
xi в€’ x
в‰Ў 0 (mod p)
Kk (xi ) =
xk в€’ x
1в‰¤ в‰¤t
=k

if i = k since Kk (xi ) has a factor (xi в€’ xi )/(xk в€’ xi ). Also,
Kk (xk ) в‰Ў 1 (mod p)
since all factors are of the form (xk в€’ x )/(xk в€’ x ) = 1. We note that
1/(xk в€’ x ) в‰Ў (xk в€’ x )в€’1 (mod p),
so as long as k = , such inverses exist. Therefore,
t
f (xi ) в‰Ў mk Kk (xi ) в‰Ў mi (mod p)
k=1

for i = 1, 2, . . . , t.
8.3 Although g(x) produces the same values, it does so at only one of the three values
of xi that f (x) produces them. We have
f (1) в‰Ў g(1) в‰Ў 7 (mod p),
but
g(2) в‰Ў f (3) в‰Ў 1407 (mod p), g(3) в‰Ў f (5) в‰Ў 334 (mod p).
and

Note that
(x в€’ 2)(x в€’ 3) (x в€’ 1)(x в€’ 3) (x в€’ 1)(x в€’ 2)
g(x) в‰Ў 7 + 1407 + 334 (mod p),
(1 в€’ 2)(1 в€’ 3) (2 в€’ 1)(2 в€’ 3) (3 в€’ 1)(3 в€’ 2)
whereas,
(x в€’ 3)(x в€’ 5) (x в€’ 1)(x в€’ 5) (x в€’ 1)(x в€’ 3)
f (x) в‰Ў 7 + 1407 + 334 (mod p),
(1 в€’ 3)(1 в€’ 5) (3 в€’ 1)(3 в€’ 5) (5 в€’ 1)(5 в€’ 3)
and, of course, f (0) в‰Ў 3301 (mod p), while g(0) в‰Ў 2856, which is not the original
message.
8.5 We calculate p(x) for x = 1, 3, 5 and get (1, 488), (3, 2400), and (5, 1881). Then
we compute the Lagrange interpolation formula to get,
2431 2 4343 11037
f (x) = в€’ xв€’
x+ .
8 2 8
Since 8в€’1 в‰Ў 529 (mod p), 2в€’1 в‰Ў 2116 (mod p), and
в€’2431 В· 529 в‰Ў 225; 4343 В· 2116 в‰Ў 56; в€’11037 В· 529 в‰Ў 207,
all modulo p, then we recover the message at f (0) в‰Ў p(0) в‰Ў 207.

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 8.7вЂ“8.15 243

8.7 As above, we calculate (1, 1087), (3, 1677), (5, 2819), and plug this into the La-
grange interpolation formula to get immediately that f (x) = 69x2 + 19x + 999.
8.9 We have, m+rp = 50909 < 248605 = a1 В·a2 В·a3 . Thus we compute s1 в‰Ў 4 (mod 5),
s2 в‰Ў 5 (mod 7), and s3 в‰Ў 1188 (mod 7109). When the participants poll their
shares and use the Chinese Remainder Theorem, they recover

50909 в‰Ў 519 в‰Ў m (mod 5039).

8.11 As above, rp + m = 713371 < a1 В· a2 В· a3 = 770110;

s1 в‰Ў 1 (mod 10), s2 в‰Ў 10 (mod 11), and s3 в‰Ў 6270 (mod 7001).

The Chinese Remainder Theorem recovers 713371 в‰Ў 3071 в‰Ў m (mod p).
8.13 We compute,
c1 в‰Ў 90 в€’ 15 В· 59 в€’ 52 В· 409 в‰Ў 69 (mod 503),
c2 в‰Ў 90 в€’ 11 В· 59 в€’ 123 В· 409 в‰Ў 440 (mod 503),
c3 в‰Ў 90 в€’ 308 В· 59 в€’ 400 В· 409 в‰Ў 404 (mod 503),
so the distributed hyperplanes are,

в‰Ў 69 + 15x1 + 52x2 ; в‰Ў 440 + 11x1 + 123x2 ; в‰Ў 404 + 308x1 + 400x2 ,
1 2 3

all congruences modulo 503. Plugging these values into (8.4), we get,

пЈ« пЈ¶пЈ« пЈ¶пЈ« пЈ¶
в€’1 в€’69
15 52 x1
пЈ­ 11 в€’1 пЈё пЈ­ x2 пЈё = пЈ­ в€’440 пЈё = C.
123
AX =
в€’1 в€’404
308 400 x3

then solving for det(A) = 22195, and using CramerвЂ™s rule, we get

(x1 , x2 , x3 ) = (105323/22195, в€’110043/22195, в€’2610936/22195).

However, 22195в€’1 в‰Ў 8 (mod 503) and

105323 В· 8 в‰Ў 59; в€’110043 В· 8 в‰Ў 409; в€’2610936 В· 8 в‰Ў 90,

all congruences modulo 503. Thus, (m1 , m2 , m3 ) = (59, 409, 90), and the secret
message m1 = 59 is retrieved.
8.15 As above,
c1 в‰Ў 718 в€’ 297 В· 107 в€’ 306 В· 1 в‰Ў 269 (mod 719),
c2 в‰Ў 718 в€’ 419 В· 107 в€’ 537 В· 1 в‰Ў 645 (mod 719),
c3 в‰Ў 718 в€’ 698 В· 107 в€’ 709 В· 1 в‰Ў 99 (mod 719),
so the distributed hyperplanes are,

в‰Ў 269+297x1 +306x2 ; в‰Ў 645+419x1 +537x2 ; в‰Ў 99+698x1 +709x2 ,
1 2 3

all congruences modulo 719. Thus,

В© 2003 by CRC Press LLC
244 Solutions to Odd-Numbered Exercises 8.15вЂ“8.19

пЈ« пЈ¶пЈ« пЈ¶пЈ« пЈ¶
в€’1 в€’269
297 306 x1
пЈ­ 419 в€’1 пЈё пЈ­ x2 пЈё = пЈ­ в€’645 пЈё = C.
537
AX =
в€’1 в€’99
698 709 x3

then solving for det(A) = 43465, we get
(x1 , x2 , x3 ) = (190798/43465, в€’171516/43465, 3175039/8693).
However, 43465в€’1 в‰Ў 323 (mod 719), 8693в€’1 в‰Ў 177 (mod 719), and
190798 В· 323 в‰Ў 107; в€’171516 В· 323 в‰Ў 1; 3175039 В· 177 в‰Ў 718,
all congruences modulo 719. Thus, (m1 , m2 , m3 ) = (107, 1, 718), and the secret
message m1 = 107 is retrieved.
t
8.17 In matrix-theoretic terms, the equation mk в‰Ў m + cj xj (mod p) is written
k
j=1
as

пЈ« пЈ¶пЈ« пЈ¶ пЈ« пЈ¶
В·В·В· xtв€’1
1 x1 c0 m1
1
пЈ¬ пЈ·пЈ¬ пЈ·пЈ¬ пЈ·
В·В·В· xtв€’1 c1 m2
1 x2
пЈ¬ пЈ·пЈ¬ пЈ·пЈ¬ пЈ·
2
пЈ·в‰ЎпЈ¬
AC = пЈ¬ пЈ·пЈ¬ пЈ· (mod p).
. .
. . . .
пЈ­ пЈёпЈ­ пЈёпЈ­ пЈё
. .
. . . . . .
. . . .
В·В·В· tв€’1
ct mt
1 xt xt
We now show that
(xk в€’ xi )
det(A) = (S3)
1в‰¤i<kв‰¤t

We use induction on t. If t = 2, then
1 x1
det(xj ) = = x2 в€’ x1 .
k 1 x2
This is the induction step. Now assume that the result holds for all such n Г— n
matrices with n < t. If cof(Aj,k ) denotes the cofactor of the matrix A = (xj ),
k
then by (C.37),
t
det(xj ) xj cof(Aj,k ).
=
k k
i=1
By induction hypothesis, the result holds for each Aj,k , so the entire result holds.
Since we have shown that (S3) holds, it is clear that det(A) в‰Ў 0 (mod p) if an
only if xk в‰Ў xi (mod p) for some i = k.

Section 8.2
8.19 We have,
sdA (pe + IB )eA в‰Ў О±eB dA ((cB в€’ IB )de + IB )eA в‰Ў О±eB dA (cB в€’ IB + IB )eA в‰Ў
B
B

О±eB dA (cB )eA в‰Ў О±eB dA О±dB eA в‰Ў О±eB dA +eA dB в‰Ў k (mod n),
and
sdB (pe + IA )eB в‰Ў О±eA dB ((cA в€’ IA )de + IA )eB в‰Ў О±eA dB (cA в€’ IA + IA )eB в‰Ў
A
A

О±eA dB (cA )eB в‰Ў О±eA dB О±dA eB в‰Ў О±eA dB +dA eB в‰Ў k (mod n).

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 8.21вЂ“8.27 245

8.21 All congruences are modulo n = 48959 = pq. We perform the calculations within
the scheme. Alice and Bob, respectively, compute, cA в‰Ў О±dA в‰Ў 310279 в‰Ў 38953
and cB в‰Ў О±dB в‰Ў 332773 в‰Ў 11653, and Trent computes

pA в‰Ў (cA в€’ IA )d в‰Ў (38953 в€’ 21)9701 в‰Ў 35736,

and
pB в‰Ў (cB в€’ IB )d в‰Ў (11653 в€’ 93)9701 в‰Ў 30197.
Then Alice and Bob compute, respectively,

sA в‰Ў О±eA в‰Ў 3151 в‰Ў 3211,

and
sB в‰Ў О±eB в‰Ў 337 в‰Ў 26897.
Lastly, Alice and Bob, respectively, compute,

k в‰Ў sdA (pe + IB )eA в‰Ў 2689710279 (301975 + 93)151 в‰Ў 28578,
B
B

and
k в‰Ў sdB (pe + IA )eB в‰Ў 321132773 (357365 + 21)37 в‰Ў 28578,
A
A

the self-certiп¬Ѓed shared key.
8.23 As above, we do the calculations. All congruences are modulo n = 295907 = pq.

cA в‰Ў 72021 в‰Ў 204856, and cB в‰Ў 73011 в‰Ў 59114,

pA в‰Ў (204856 в€’ 156)290315 в‰Ў 26211,
pB в‰Ў (59114 в€’ 1001)290315 в‰Ў 217630,
sA в‰Ў 714033 в‰Ў 90187, and sB в‰Ў 7221675 в‰Ў 15244,
k в‰Ў 152442021 (217630131 + 1001)14033 в‰Ў 124394,
and lastly BobвЂ™s calculation,

k в‰Ў 901873011 (26211131 + 156)221675 в‰Ў 124394,

to establish the shared key.
8.25 Trent computes, with all congruences modulo p,

p(x, y) в‰Ў 11 + 13(x + y) + 200xy,

fA (x) в‰Ў 141 + 210x; fB (x) в‰Ў 122 + 380x; fC (x) в‰Ў 183 + 24x;
from which are computed the session keys,

kA,B в‰Ў 316; kA,C в‰Ў 423; kB,C в‰Ў 203.

8.27 As above,
p(x, y) в‰Ў 5 + 15(x + y) + 25xy,
fA (x) в‰Ў 287 + 485x; fB (x) в‰Ў 186 + 47x; fC (x) в‰Ў 95 + 165x;
from which we get,

kA,B в‰Ў 746; kA,C в‰Ў 770; kB,C в‰Ў 468.

В© 2003 by CRC Press LLC
246 Solutions to Odd-Numbered Exercises 8.29вЂ“9.3

8.29 As above,
p(x, y) в‰Ў 5 + 808(x + y) + 700xy,
fA (x) в‰Ў 620 + 127x; fB (x) в‰Ў 524 + 883x; fC (x) в‰Ў 495 + 733x;
from which we get,

kA,B в‰Ў 21; kA,C в‰Ў 210; kB,C в‰Ў 33.

8.31 Since Mallory has

fM (x) в‰Ў r1 + r2 kM + (r2 + r3 kM )x (mod p),

and Eve has
fE (x) в‰Ў r1 + r2 kE + (r2 + r3 kE )x (mod p),
then they have the four modular equations,

aM в‰Ў r1 + r2 kM (mod p),

bM в‰Ў r2 + r3 kM (mod p),
aE в‰Ў r1 + r2 kE (mod p),
and
bE в‰Ў r2 + r3 kE (mod p).
Hence, they have four equations in three unknowns from which elementary al-
gebra will yield a unique solution for r1 , r2 , r3 .

Section 9.1
9.1 Since Monty knows e, he can easily forge messages at will, and they will go
undetected due to the RSA conjecture. If Hostvania violates the treaty by
engaging in an underground nuclear test, it can point its п¬Ѓnger at Monty as the
perpetrator, and Monty could not disavow this claim since he knows e, and is
capable of forgeries.

Section 9.2
9.3 Bob veriп¬Ѓes AliceвЂ™s signature by using her public key to get,

DeA (DdA (c)) в‰Ў c (mod n).

Then he uses his private key to obtain,

DdB (c) в‰Ў m (mod n),

where
eB dB в‰Ў 1 (mod (p2 в€’ 1)(q 2 в€’ 1)).

В© 2003 by CRC Press LLC
Solutions to Odd-Numbered Exercises 9.5вЂ“9.9 247

9.5 Since
eв€’m(mв€’1)/(2n) в‰€ 1 в€’ pc ,
then
в€’m(m в€’ 1)/(2n) в‰€ ln(1 в€’ pc ).
Hence,
m2 в€’ m в‰€ в€’2n ln(1 в€’ pc ),
and so
m2 в‰€ в€’2n ln(1 в€’ pc ) в‰€ 2n ln(1/(1 в€’ pc )),
since we can safely ignore the smaller factor of в€’m in an approximation. Thus,

mв‰€ 2n ln(1/(1 в€’ pc )).

If pc = 1/2, then в€љ
m в‰€ 1.17 n.

 стр. 1(всего 2)СОДЕРЖАНИЕ >>