Math/Mthe 418/818 - mast.queensu.camath418/m418pr/m418rev.pdf · Math/Mthe 418/818 Review Questions...


Math/Mthe 418/818 Review Questions

1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)).

2. Can φ(n) be computed in polynomial time? Explain.

3. Use the binary power-mod algorithm to compute $\mathrm{rem}(3^{30}, 35)$.

4. (a) Give a mathematical model for a cryptosystem.

(b) Explain what is meant by n-block cipher and give a (classical) example.

(c) What are the encryption and decryption functions of an affine block cipher?

5. (a) Explain the basic set-up of the RSA cryptosystem and why it works.

(b) Discuss the security of RSA and some particular design features (and attacks).

6. (a) Let G be a group. Define the order of a group element x ∈ G.

(b) If $x \in G$ has finite order n, prove that $\mathrm{ord}(x^k) \mid n$, for all $k \in \mathbb{Z}$.

(c) Let G be a group of order n and let $p \mid n$ be a prime. If $x \in G$ and if $x^{n/p} \neq 1$, prove that $p \mid \mathrm{ord}(x)$.

7. (a) Explain the purpose, basic set-up and protocol of: (i) Diffie-Hellman; (ii) Massey-Omura; (iii) El Gamal.

(b) Discuss security issues of the above cryptosystems.

8. Explain the construction of the public keys in the DSA method.

9. If p is a prime of bit size 150, is the DLP safe against the logtable attack in $\mathbb{F}_p^\times$? Explain.

10. Give the main ideas of the SPH attack, and explain the circumstances under which it can be applied. What are the consequences for a cryptosystem based on the DLP?

11. Explain the steps of the Fermat primality test. What do we know about n if n passes the Fermat test k times? Similarly, explain the steps of the Euler primality test (Solovay-Strassen method) and of the Miller-Rabin test. What do we know about n if n passes each of these tests k times?

12. What is the relation between pseudoprimes, Euler pseudoprimes and strong pseudoprimes?

13. If $n \in \mathbb{Z}$ is an integer with $\left(\frac{n}{15}\right) = 1$, is n a square mod 15? Either explain (or prove) why this is true or give a counterexample.

14. Is the curve $E/\mathbb{Q}$ defined by $y^2 = x^3 - 3x + 2$ an elliptic curve? Explain why or why not.

15. Let $E/\mathbb{Q}$ be the elliptic curve defined by $y^2 = x^3 + 1$. Show that $P = (2, 3) \in E(\mathbb{Q})$, and determine the order of P.

16. Let $E/\mathbb{F}_{19}$ be defined by $y^2 = x^3 - 1$. Determine $E(\mathbb{F}_{19})[2]$.

17. Let $E/\mathbb{F}_{71}$ be defined by $y^2 = x^3 - x$. Calculate $|E(\mathbb{F}_{71})|$ and determine the structure of the group $E(\mathbb{F}_{71})$.

18. Let $E/\mathbb{F}_{71}$ be an elliptic curve with a point of order 8 and a point of order 7. Determine $|E(\mathbb{F}_{71})|$ and the structure of $E(\mathbb{F}_{71})$.

19. Let $E/\mathbb{F}_{71}$ be an elliptic curve with a point of order 7. If $|E(\mathbb{F}_{71})[4]| = 8$, determine $|E(\mathbb{F}_{71})|$ and the structure of $E(\mathbb{F}_{71})$.

20. Let $E/\mathbb{F}_p$ be an elliptic curve and let $\ell$ be a prime. If $|E(\mathbb{F}_p)[\ell^2]| = \ell^3$, then $\beta_\ell = 1$.

21. Show that the groups $G_1 = \mathbb{Z}/8\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ and $G_2 = \mathbb{Z}/16\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$ are not isomorphic.

22. Discuss the analogue of the Diffie-Hellman Key Exchange for elliptic curves: the public information, the protocol and the common secret key. Similarly, discuss the analogue of the El Gamal cryptosystem.

23. What is the advantage of elliptic curve cryptosystems over cryptosystems based on the group $\mathbb{F}_p^\times$?

24. Give two methods for constructing the public information for the elliptic curve analogue of El Gamal. What is the principal difficulty for each method?

25. Explain Koblitz's method for embedding plaintexts in $E(\mathbb{F}_p)$.


Review Questions (from Assignments)

Assignment 1

1. Find the binary expansion of 213. (Use the table method from class.)

2. (a) If m is a k-bit integer and n is an $\ell$-bit integer, show that the product mn has either $k + \ell$ or $k + \ell - 1$ bits. [Use suitable inequalities to justify your claims.]

Assignment 2

1. (a) Find all the solutions of the equation 18x = 12 in Z/48Z.

(b) Determine 12/43 in Z/73Z.

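2. (a) Show that $(\mathbb{Z}/5\mathbb{Z})^\times \times (\mathbb{Z}/11\mathbb{Z})^\times \simeq (\mathbb{Z}/55\mathbb{Z})^\times$ by constructing an explicit isomorphism $f : (\mathbb{Z}/5\mathbb{Z})^\times \times (\mathbb{Z}/11\mathbb{Z})^\times \xrightarrow{\sim} (\mathbb{Z}/55\mathbb{Z})^\times$. (Use suitable results from class to justify the fact that f is an isomorphism of groups.)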

(b) Use part (a) to find an integer x ∈ Z with 0 ≤ x < 55 such that x ≡ 2 (mod 5) and x ≡ 8 (mod 11).

3. (a) Prove that φ(2n) = φ(n), if n is odd, and that φ(2n) = 2φ(n), if n is even.

(b) Prove that φ(m) | φ(n) whenever m | n.

Assignment 3

1. (a) Let $A = \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix} \in M_2(\mathbb{Z})$. Show that the associated linear map $L_A : \mathbb{Z}^2 \to \mathbb{Z}^2$ is injective (one-to-one). Moreover, show that $L_A$ is not surjective (onto) by finding an explicit vector which is not in the image of $L_A$ (and verify that it isn't).

Assignment 4

1. (a) Use the Chinese Remainder Theorem to find an element of order 12 in G = (Z/35Z)×. Are there any elements of larger order in G? (Justify your assertions.)

2. If m = pq is the product of two distinct odd primes p and q, prove that $\mathrm{ord}(x) \mid \varphi(m)/2$, for all $x \in G := (\mathbb{Z}/m\mathbb{Z})^\times$. Conclude that G is not cyclic. [Hint: Use CRT.]

Assignment 5

1. Let $G = \langle x \rangle$ be a cyclic group of order n, and let $m \mid n$. Show that $x^k$ has order m if and only if $k = \frac{n}{m}k'$, for some $k' \in \mathbb{Z}$ with $\gcd(k', m) = 1$. Conclude that G contains precisely $\varphi(m)$ elements of order m.


2. (a) Show that $G = (\mathbb{Z}/2^r\mathbb{Z})^\times$ is cyclic if and only if $r \leq 2$.

[Hint: For $r \geq 3$, find the order of the elements $-1$, $1 + 2^{r-1}$ in G and use Prob. 1.]

3. Let $(a, p) = 1$, where p is a prime, and let $n \geq 1$. Prove that the congruence equation $x^n \equiv a \pmod{p}$ has a solution if and only if $\mathrm{ord}_p(a) \mid \frac{p-1}{(n, p-1)}$. (Here, $\mathrm{ord}_p(a)$ denotes the order of $[a]$ in $\mathbb{F}_p^\times$.)

(b) Conclude from part (a) that −1 is a square mod p if and only if p ≡ 1 (mod 4) or p = 2.

Assignment 6

1. If G is a group, and $m \geq 1$ is an integer, put $G[m] := \{x^m = 1 : x \in G\}$.

(a) If G is cyclic of order n and if $m \mid n$, show that $|G[m]| = m$.

(b) Suppose that $G = \langle x \rangle$ has order n, and that $m \mid n$. Prove that $G[m] = \langle x^{n/m} \rangle$.

(c)* Verify that if $G = G_1 \times G_2$, then $G[m] = G_1[m] \times G_2[m]$. Use this to determine $|G[4]|$ when $G = (\mathbb{Z}/65\mathbb{Z})^\times$.

Hint: For part (a), use (and verify) the identity $\sum_{d \mid n} \varphi(d) = n$.

2. Find the probability (in percent) that a random element of $\mathbb{F}_p^\times$ is a generator when (a) p = 101; (b) p = 1019; (c) p = 2311.

3. (a) Let p be an odd prime. Show that if a is a square mod p, then a cannot be a primitive root mod p.

(b) Let p be a safe prime, i.e., $p = 2q + 1$, where q is an odd prime, and let $a \not\equiv 0, -1 \pmod{p}$. Prove that a is a primitive root mod p if and only if a is not a square mod p.

(c)* Prove that if p is a safe prime, then −4 is a generator of $\mathbb{F}_p^\times$.

Assignment 7

1. Determine $P_{21}$, the set of bases b for which 21 is a pseudoprime to the base b. (Do this by hand (without using a calculator), and use theory to save on computations.)

2. (a) Let G be an abelian group of order n and let m ≥ 1 be an integer. Prove that G[m] = G[(n,m)].

(b)* Let n = pq, where p, q are distinct primes, and put $m = (p - 1, q - 1)$. Show that $P_n \simeq \mathbb{F}_p^\times[m] \times \mathbb{F}_q^\times[m]$ and conclude that $|P_n| = m^2$.

3. (a) Which of the three numbers 111, 10000, and 21112 are squares in $\mathbb{F}_{22307}$? Justify your answer. (Do not use the prime factorization of your numbers.)

(b) For which primes p is 11 a quadratic residue mod p? (Give your answer in terms of congruence conditions on p.)


4. (a) Let m be a squarefree odd integer, and let $(a, m) = 1$. Show that $x^2 \equiv a \pmod{m}$ has a solution if and only if $\left(\frac{a}{p}\right) = 1$, for all primes $p \mid m$.

Assignment 8

1. Let n > 1 be an odd integer, and let b ∈ (Z/nZ)×.

(a) Verify that $b \in E_n$ if and only if $-b \in E_n$.

(b) If $\mathrm{ord}(b) = 2$, prove that $b \in S_n$ if and only if $b = -1$.

(c)* Suppose that n = pq, where p, q are distinct odd primes with $(p - 1, q - 1) = 2$. Prove that $S_n = \{\pm 1\}$.

2. Determine the sets $S_n$, $E_n$ and $P_n$ when (a) n = 15 and (b) n = 21 and (c)* n = 65.

[Note: you should not use MAPLE or a calculator for this question.]

3. Find the order of the point P on the elliptic curve $E/\mathbb{Q}$ as listed:

(a) $P = (0, 16)$ on $y^2 = x^3 + 256$.

(b) $P = \left(\frac{1}{2}, \frac{1}{2}\right)$ on $y^2 = x^3 + \frac{1}{4}x$.

Assignment 9

1. Let $E/\mathbb{F}_p$ be an elliptic curve and let $P \in E(\mathbb{F}_p)$ be a point.

(a) If $n = \mathrm{ord}(P) > \frac{1}{2}(\sqrt{p} + 1)^2$, prove that $E(\mathbb{F}_p)$ is cyclic of order n.

(b) If $n = \mathrm{ord}(P) > \frac{1}{m}(\sqrt{p} + 1)^2$ for some $m \geq 2$, what can you say about $|E(\mathbb{F}_p)|$?

2. (a) Let $E/\mathbb{F}_{p^r}$ be the elliptic curve $y^2 = x^3 - x$. Show that if $p \equiv 3 \pmod{4}$ is a prime then $N_{E/\mathbb{F}_p} = p + 1$.

(b) Find the structure of $E(\mathbb{F}_p)$ for p = 19.

Assignment 10

1. (a) Let $E/\mathbb{F}_{13}$ be the elliptic curve defined by $y^2 = x^3 + 1$. Determine the structure of the group $E(\mathbb{F}_{13})$ using the fact that $|E(\mathbb{F}_{13})| = 12$. (Justify your assertion.)

(b)* Let $E'/\mathbb{F}_{13}$ be the elliptic curve defined by $y^2 = x^3 + x + 2$. Determine the structure of the group $E'(\mathbb{F}_{13})$ using the fact that $|E'(\mathbb{F}_{13})| = 12$. (Justify your assertion.)
