EE 720: An Introduction to Number Theory and Cryptography (Spring 2019)
Instructor: Saravanan Vijayakumaran
Indian Institute of Technology Bombay
Quiz 2: 20 points, March 28, 2019
1. Let G be a group whose identity element is e.
(a) (2 points) Prove that if H and K are finite subgroups of G whose orders are relatively prime,
then H ∩ K = {e}.
Solution: Since H and K are subgroups of G, they will both contain the identity of the
group G. So {e} ⊆ H ∩ K.
If H ∩ K ≠ {e}, then there exists an element g ∈ H ∩ K such that g ≠ e.
Consider the subgroup ⟨g⟩ generated by g in G.
• Since g ∈ H, ⟨g⟩ is a subgroup of H. Since H is a group of finite order, by Lagrange’s
theorem |⟨g⟩| divides |H|.
• By the same argument as above, |⟨g⟩| divides |K|.
• Hence |⟨g⟩| divides gcd(|H|, |K|).
• Since g ≠ e, ⟨g⟩ has at least two elements, i.e. |⟨g⟩| ≥ 2.
• The last two points imply that gcd(|H|, |K|) ≥ 2. This is a contradiction as |H| and
|K| are relatively prime, i.e. gcd(|H|, |K|) = 1.
(b) (2 points) Let g ∈ G be an element of order k ≥ 1. If g^n = e for some positive integer n, prove
that k divides n.
Solution: As k is the smallest positive integer for which g^k = e, we have n ≥ k. If k does
not divide n, we have n = qk + r where q ≥ 1 and 1 ≤ r ≤ k − 1. This implies that
e = g^n = g^{qk+r} = (g^k)^q · g^r = e^q · g^r = g^r.
Since 1 ≤ r ≤ k − 1, k cannot be the order of g, which is a contradiction. So k has to divide
n.
2. (a) (2 points) Find the last two digits of the number 123^{403}.
Solution: The last two digits of 123^{403} are given by 123^{403} mod 100. Note that 100 = 25 × 4
and gcd(25, 4) = 1. So if we find 123^{403} mod 25 and 123^{403} mod 4, we can use the Chinese
remainder theorem to find 123^{403} mod 100.
Note that φ(25) = 20. This can either be obtained from the formula for φ or from the
definition of Z^*_{25}.
123^{403} mod 25 = 23^{403} mod 25 (since 100 mod 25 = 0)
= 23^3 mod 25 (since Euler’s theorem says 23^{20} = 1 mod 25)
= (−2)^3 mod 25 (since 23 = −2 mod 25)
= −8 mod 25
= 17 mod 25
123^{403} mod 4 = 3^{403} mod 4 (since 120 mod 4 = 0)
= 3 mod 4 (since 3^2 = 1 mod 4)
The Chinese remainder theorem tells us that there is a unique y ∈ {1, 2, . . . , 99} such that
y = 17 mod 25 and y = 3 mod 4. We can simply look at multiples of 25, add 17 to them,
and check whether they give remainder 3 when divided by 4.
• 42 = 25 + 17 but 42 = 2 mod 4.
• 67 = 50 + 17 and 67 = 3 mod 4.
So the last two digits of 123^{403} are 67.
(b) (2 points) Suppose an RSA public key is (N, e) = (55, 27). If the ciphertext is c = 4, find the
corresponding plaintext m in Z_N^*.
Solution: The decryption key d satisfies ed = 1 mod φ(55), i.e. 27d = 1 mod 40.
One can directly see that 27 × 3 = 81 = 1 mod 40.
Alternatively, note that gcd(27, 40) = 1. Hence there exist integers X, Y such that 27X +
40Y = 1. This implies that 27X = 1 mod 40 and X mod 40 will be the multiplicative
inverse of 27. By trial and error, we get X = 3, Y = −2. But using the extended Euclidean
algorithm for small numbers is overkill.
The plaintext corresponding to c = 4 is
m = c^d mod 55 = 4^3 mod 55 = 64 mod 55 = 19.
3. (4 points) Find all solutions of the following equation in Z_{77}.
x^2 + 3x + 4 = 0 mod 77.
Solution: Since 77 = 7 × 11 and gcd(11, 7) = 1, the Chinese remainder theorem tells us that
Z_{77} ≅ Z_7 × Z_{11} with isomorphism f : Z_{77} → Z_7 × Z_{11} given by f(x) = (x mod 7, x mod 11).
Under this mapping, the preimage (or inverse image) of (0, 0) is 0.
Suppose x is a solution of x^2 + 3x + 4 = 0 mod 77. Since f is an isomorphism, we have
f(x^2 + 3x + 4) = (0, 0)
=⇒ (x^2 + 3x + 4 mod 7, x^2 + 3x + 4 mod 11) = (0, 0)
We can find all solutions of x^2 + 3x + 4 = 0 mod 77 if we can find all solutions of x^2 + 3x +
4 = 0 mod 7 and x^2 + 3x + 4 = 0 mod 11. The latter can be done by trial and error as the
moduli are small. Either use direct substitution or check whether x(x + 3) = 3 mod 7 and
x(x + 3) = 7 mod 11. Direct substitution will reveal the following table.

 x   x^2 + 3x + 4 mod 7   x^2 + 3x + 4 mod 11
 0            4                     4
 1            1                     8
 2            0                     3
 3            1                     0
 4            4                    10
 5            2                     0
 6            2                     3
 7            –                     8
 8            –                     4
 9            –                     2
10            –                     2

So 2 is the only solution to x^2 + 3x + 4 = 0 mod 7 in Z_7 and 3, 5 are solutions to x^2 + 3x + 4 =
0 mod 11 in Z_{11}. We need to find the preimages of (2, 3) and (2, 5) under the isomorphism f.
While one can find integers X, Y such that 7X + 11Y = 1 and argue that f(7X) = (0, 1) and
f(11Y) = (1, 0), it is easier to find the preimages of (2, 3) and (2, 5) directly.
• The list of numbers in Z_{77} which are multiples of 11 plus 3 are 3, 14, 25, 36, 47, 58, 69. Out
of these 58 = 2 mod 7. So the preimage of (2, 3) in Z_{77} is 58.
• The list of numbers in Z_{77} which are multiples of 11 plus 5 are 5, 16, 27, 38, 49, 60, 71. Out
of these 16 = 2 mod 7. So the preimage of (2, 5) in Z_{77} is 16.
So the solutions of x^2 + 3x + 4 = 0 mod 77 are 58 and 16.
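The three computations in questions 2(a), 2(b) and 3 all reduce to the extended Euclidean algorithm and the Chinese remainder theorem. The following is an added worked example (not part of the quiz solutions) that carries them out on the quiz's own numbers; the function names are mine.

```python
from math import gcd

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) (extended Euclidean algorithm)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def inv_mod(a, n):
    """Multiplicative inverse of a modulo n; this is the quiz's X mod 40 for (27, 40)."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n

def crt(r1, n1, r2, n2):
    """Unique y in Z_{n1 n2} with y = r1 mod n1 and y = r2 mod n2 for coprime n1, n2.
    With n1*X + n2*Y = 1, n2*Y maps to (1, 0) and n1*X maps to (0, 1) in Z_n1 x Z_n2."""
    g, x, y = egcd(n1, n2)
    if g != 1:
        raise ValueError("moduli must be coprime")
    return (r1 * n2 * y + r2 * n1 * x) % (n1 * n2)

def last_two_digits(base, exp):
    """Question 2(a): reduce modulo 25 and 4 separately (Euler shrinks the exponent
    only because gcd(base, 100) = 1), then combine the residues with the CRT."""
    if gcd(base, 100) != 1:
        raise ValueError("Euler reduction needs gcd(base, 100) = 1")
    r25 = pow(base % 25, exp % 20, 25)   # phi(25) = 20
    r4 = pow(base % 4, exp % 2, 4)       # phi(4) = 2
    return crt(r25, 25, r4, 4)

def rsa_decrypt(N, e, c, p, q):
    """Question 2(b): d = e^{-1} mod phi(N), m = c^d mod N, checked by re-encrypting (toy key)."""
    phi = (p - 1) * (q - 1)
    d = inv_mod(e, phi)
    m = pow(c, d, N)
    assert pow(m, e, N) == c
    return d, m

def quadratic_roots_mod_pq(coeffs, p, q):
    """Question 3: roots of A x^2 + B x + C = 0 mod p*q, found by direct substitution
    modulo each prime and lifting every (root mod p, root mod q) pair through the CRT."""
    A, B, C = coeffs
    roots = lambda m: [x for x in range(m) if (A * x * x + B * x + C) % m == 0]
    return sorted(crt(rp, p, rq, q) for rp in roots(p) for rq in roots(q))
```

`last_two_digits(123, 403)` returns 67 and `quadratic_roots_mod_pq((1, 3, 4), 7, 11)` returns [16, 58], matching the solutions above; `rsa_decrypt` verifies its own answer by re-encrypting with the public key.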
4. Let N = pq where p, q are distinct n-bit odd primes.
(a) (2 points) Prove that gcd(N, φ(N)) = 1.
Hint: Since p, q are n-bit odd primes, their binary representations are of the form p = 1‖p′‖1
and q = 1‖q′‖1 where p′, q′ ∈ {0, 1}^{n−2}. The ‖ represents the concatenation operator.
Solution: We have to prove that gcd(pq, (p − 1)(q − 1)) = 1. Since gcd(pq, (p − 1)(q − 1)) ∈
{1, p, q}, we need to prove that this gcd is neither p nor q.
• If gcd(pq, (p − 1)(q − 1)) = p, then since p is a prime either p divides p − 1 or
p divides q − 1. If we can prove that p divides neither p − 1 nor q − 1, we get
gcd(pq, (p − 1)(q − 1)) ≠ p.
• If gcd(pq, (p − 1)(q − 1)) = q, then since q is a prime either q divides p − 1 or
q divides q − 1. If we can prove that q divides neither p − 1 nor q − 1, we get
gcd(pq, (p − 1)(q − 1)) ≠ q.
As p and q are distinct primes, we can assume (without loss of generality) that p > q. Since
p and q are odd, it must be that p ≥ q + 2.
• Since 1 = p + (−1)(p − 1), we get gcd(p, p − 1) = 1 as the smallest positive integral
linear combination is the gcd. So p ∤ p − 1.
• By the same argument as above, gcd(q, q − 1) = 1. So q ∤ q − 1.
• Since p > q − 1 and p is prime, we get gcd(p, q − 1) = 1. So p ∤ q − 1.
• If gcd(q, p − 1) ≠ 1, then since q is prime gcd(q, p − 1) = q. This would mean that q
divides p − 1, or in other words p − 1 is a multiple of q. As p ≥ q + 2 =⇒ p − 1 ≥ q + 1,
we have p − 1 ≠ q, which implies that p − 1 ≥ 2q =⇒ p ≥ 2q + 1. This is a
contradiction as this means that p is an (n + 1)-bit prime. So gcd(q, p − 1) = 1 and
q ∤ p − 1.
Therefore gcd(pq, (p − 1)(q − 1)) = gcd(N, φ(N)) = 1.
(b) (1 point) Prove that the order of N + 1 in Z^*_{N^2} is N.
Solution: Since gcd(N + 1, N) = 1, we have gcd(N + 1, N^2) = 1. So N + 1 does belong to
Z^*_{N^2}.
Using the binomial expansion, we have
(N + 1)^k = Σ_{i=0}^{k} \binom{k}{i} N^i.
All the terms with i ≥ 2 are equal to 0 modulo N^2. Hence (N + 1)^k = 1 + kN mod N^2.
The smallest positive integer k such that 1 + kN = 1 mod N^2 is equal to N. Hence the
order of N + 1 is N in Z^*_{N^2}.
(c) (1 point) Consider the map f with domain Z_N × Z_N^* given by
f(a, b) = (N + 1)^a · b^N mod N^2.
Prove that the range of f is Z^*_{N^2}.
Solution:
Note: There is some ambiguity regarding the definition of range. It seems that it means
the image of the function but I was using the word “range” to mean the codomain in class.
This leads to two different solutions. I am going to allow both solutions if the definitions
are stated clearly.
Let’s take an example to clarify the differences between the terms. Suppose f (n) = 2n has
domain Z. Then the range/image of f is denoted by f (Z) and is the set of even integers.
But one can write f : Z 7→ Z where the second Z is called the codomain as f (Z) ⊆ Z.
Apparently, older books were not consistent in the meaning of “range” and modern books
don’t use the word “range” to avoid this confusion. See
https://en.wikipedia.org/wiki/Range_(mathematics).
Here I am giving the solution which shows that f(Z_N × Z_N^*) ⊆ Z^*_{N^2}, i.e. the codomain of
f is Z^*_{N^2}.
• Since gcd(N + 1, N) = 1, we have gcd(N + 1, N^2) = 1. This implies gcd((N +
1)^a, N^2) = 1 for all a ∈ Z_N.
• As b ∈ Z_N^*, we have gcd(b, N) = 1. This implies gcd(b, N^2) = 1 =⇒ gcd(b^N, N^2) = 1.
• The above two statements imply that gcd((N + 1)^a · b^N, N^2) = 1.
We have proved that f(a, b) ∈ Z^*_{N^2} if (a, b) ∈ Z_N × Z_N^*.
(d) (4 points) Prove that the map f defined above is a bijection from Z_N × Z_N^* to Z^*_{N^2}.
Solution: We have |Z_N × Z_N^*| = N φ(N) by the definitions of Z_N and Z_N^*. Also, as N = pq
where p, q are distinct primes, we have
|Z^*_{N^2}| = φ(N^2) = N^2 (1 − 1/p)(1 − 1/q) = N(p − 1)(q − 1) = N φ(N).
As the domain and codomain have the same number of elements, it is enough to show that
f is one-to-one. So we have to show that for a_1, a_2 ∈ Z_N, b_1, b_2 ∈ Z_N^*
f(a_1, b_1) = f(a_2, b_2) =⇒ (a_1, b_1) = (a_2, b_2).
If f(a_1, b_1) = f(a_2, b_2), then we have
(N + 1)^{a_1} b_1^N = (N + 1)^{a_2} b_2^N mod N^2    (1)
=⇒ (N + 1)^{a_1 − a_2} (b_1 b_2^{−1})^N = 1 mod N^2    (2)
Note that b_2^{−1} exists because gcd(b_2, N^2) = 1 and (N + 1)^{−1} exists because gcd(N + 1, N^2) =
1. By Euler’s theorem, b^{N φ(N)} = 1 mod N^2 for b ∈ Z^*_{N^2}. So raising both sides of equation
(2) to φ(N) we get
(N + 1)^{(a_1 − a_2) φ(N)} (b_1 b_2^{−1})^{N φ(N)} = 1^{φ(N)} mod N^2
=⇒ (N + 1)^{(a_1 − a_2) φ(N)} = 1 mod N^2
We know that the order of N + 1 is N in Z^*_{N^2}. By the result in question 1(b), N must
divide (a_1 − a_2) φ(N). But gcd(N, φ(N)) = 1, so N must divide a_1 − a_2. As a_1 − a_2 ∈
{−(N − 1), −(N − 2), . . . , N − 1}, this is possible only if a_1 = a_2.
Substituting a_1 = a_2 in equation (2), we get
(b_1 b_2^{−1})^N = 1 mod N^2    (3)
=⇒ b_1^N = b_2^N mod N^2    (4)
=⇒ b_1^N = b_2^N mod N    (5)
Since gcd(N, φ(N)) = 1, there exist integers X, Y such that XN + Y φ(N) = 1. Note that
b_1^{φ(N)} = 1 mod N and b_2^{φ(N)} = 1 mod N by Euler’s theorem. Raising both sides of equation
(5) to X, we get
(b_1^N)^X = (b_2^N)^X mod N
=⇒ b_1^{1 − Y φ(N)} = b_2^{1 − Y φ(N)} mod N
=⇒ b_1 · (b_1^{φ(N)})^{−Y} = b_2 · (b_2^{φ(N)})^{−Y} mod N
=⇒ b_1 = b_2 mod N
This proves that f is one-to-one. From the fact that the domain and codomain have the
same cardinality, we conclude that f is a bijection.
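As an added check of question 4 (this is example code written for this page, not part of the quiz solutions), the block below brute-forces parts (a), (b) and (d) for the 3-bit odd primes p = 5, q = 7, and then goes one step beyond the proof: the same two facts it relies on, (N + 1)^k = 1 + kN mod N^2 and Euler’s theorem, together with the X, Y from XN + Y φ(N) = 1, let one recover (a, b) from f(a, b). Function names are mine; it assumes Python 3.8 or later for pow with a negative exponent.

```python
from math import gcd

def f(a, b, N):
    """The quiz's map f(a, b) = (N+1)^a * b^N mod N^2 on Z_N x Z_N^*."""
    return (pow(N + 1, a, N * N) * pow(b, N, N * N)) % (N * N)

def order_mod(g, m):
    """Smallest k >= 1 with g^k = 1 mod m (brute force, fine for small m)."""
    k, x = 1, g % m
    while x != 1:
        x, k = (x * g) % m, k + 1
    return k

def check_claims(p, q):
    """Brute-force the claims of 4(a), 4(b) and 4(d) for N = p*q. Returns
    (gcd(N, phi(N)), order of N+1 in Z_{N^2}^*, image of f == Z_{N^2}^*, f injective)."""
    N, phi = p * q, (p - 1) * (q - 1)
    domain = [(a, b) for a in range(N) for b in range(1, N) if gcd(b, N) == 1]
    image = {f(a, b, N) for a, b in domain}
    units = {x for x in range(1, N * N) if gcd(x, N * N) == 1}
    return gcd(N, phi), order_mod(N + 1, N * N), image == units, len(image) == len(domain)

def invert_f(c, p, q):
    """Recover (a, b) from c = f(a, b) using only the facts in the proof of 4(d):
    c^phi(N) = (N+1)^{a phi(N)} * b^{N phi(N)} = 1 + a phi(N) N mod N^2  (binomial + Euler),
    so a = ((c^phi(N) mod N^2 - 1) / N) * phi(N)^{-1} mod N   (needs gcd(N, phi(N)) = 1).
    Reducing c mod N kills (N+1)^a and leaves b^N; with X N + Y phi(N) = 1, (b^N)^X = b mod N."""
    N, phi = p * q, (p - 1) * (q - 1)
    a = ((pow(c, phi, N * N) - 1) // N) * pow(phi, -1, N) % N
    X = pow(N, -1, phi)          # X with X*N = 1 mod phi(N), i.e. X N + Y phi(N) = 1
    b = pow(c % N, X, N)
    return a, b
```

`check_claims(5, 7)` returns (1, 35, True, True): gcd(35, 24) = 1, N + 1 = 36 has order 35 modulo 1225, and f hits every one of the 840 units of Z_{1225} exactly once.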