\documentclass[11pt]{article}
\input{headers06}

\usepackage{fancyhdr}   
\pagestyle{fancy}      
\lhead{CS 355, SPRING 2026}               
\rhead{Name: Hemanta K. Maji} %%% <-- REPLACE Hemanta K. Maji WITH YOUR NAME HERE

\usepackage[strict]{changepage}  
\newcommand{\nextoddpage}{\checkoddpage\ifoddpage{\ \newpage\ \newpage}\else{\ \newpage}\fi}  


\begin{document}

\title{Homework 6}

\date{}

\maketitle 

\thispagestyle{fancy}  
\pagestyle{fancy} 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%% PLEASE LIST COLLABORATORS BELOW  %%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
{\bfseries Collaborators:}
%%% List your collaborators and any online resources here.



\newpage
\centering
{\Huge{Practice Questions}}

These are practice questions.
They will \textbf{NOT} be graded.
We have also provided the final answers.
However, it is up to you to understand how or why the given solution is correct.

You do not need to submit these on Gradescope.
However, you may find it easier to just include them in the PDF.
In that case, please do not mark these questions on Gradescope.

\newpage

\begin{enumerate}
	\item {\bfseries RSA Assumption (0 points).} Consider RSA encryption scheme with parameters $N=35=5\times 7$.
	      \begin{enumerate}
	      	\item Compute $\varphi(N)$ and write down the set $\mathbb{Z}^{*}_N$.
	      	      	      	          
	      	      {\bfseries Solution.}   
	      	      	      	      
	      	      $\varphi(35) = 24$
	      	      $$\bbZ_{35}^* = \{1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34\}$$
	      	      	      	           
	      	      %\newpage
	      	      \vspace{0.3 \textheight}
	      	\item Use repeated squaring and complete the rows $X, X^2, X^4$ for all $X\in \mathbb{Z}^{*}_N$ as you have seen in the class (slides), that is, fill in the following table by adding as many columns as needed.
	      	      	      	      
	      	      {\bfseries Solution.}   
	      	      \begin{center}
	      	      	%      \centering
	      	      	\begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|c|}
	      	      		\hline
	      	      		$X$ & 1 & 2  & 3  & 4  & 6 & 8  & 9  & 11 & 12 & 13 & 16 & 17 \\
	      	      		\hline
	      	      		$X^2$ 
	      	      		    & 1 & 4  & 9  & 16 & 1 & 29 & 11 & 16 & 4  & 29 & 11 & 9  \\
	      	      		\hline
	      	      		$X^4$ 
	      	      		    & 1 & 16 & 11 & 11 & 1 & 1  & 16 & 11 & 16 & 1  & 16 & 11 \\
	      	      		\hline
	      	      	\end{tabular}
	      	      \end{center}
	      	      \begin{center}
	      	      	%      \centering
	      	      	\begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|c|}
	      	      		\hline
	      	      		$X$   & 18 & 19 & 22 & 23 & 24 & 26 & 27 & 29 & 31 & 32 & 33 & 34 \\
	      	      		\hline
	      	      		$X^2$ & 9  & 11 & 29 & 4  & 16 & 11 & 29 & 1  & 16 & 9  & 4  & 1  \\
	      	      		\hline
	      	      		$X^4$ & 11 & 16 & 1  & 16 & 11 & 16 & 1  & 1  & 11 & 11 & 16 & 1  \\
	      	      		\hline
	      	      	\end{tabular}
	      	      \end{center}
	      	      	      	          
	      	      \vspace{0.2 \textheight}
	      	      	      	         
	      	\item Find the row $X^7$ and show that $X^7$ is a bijection from $\mathbb{Z}^{*}_N$ to $\mathbb{Z}^{*}_N$.
	      	      	      	           
	      	      {\bfseries Solution.}  
	      	      	      	              
	      	      \begin{center}
	      	      	%      \centering
	      	      	\begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|c|}
	      	      		\hline
	      	      		$X$   & 1 & 2  & 3  & 4  & 6 & 8  & 9  & 11 & 12 & 13 & 16 & 17 \\
	      	      		\hline
	      	      		$X^2$ 
	      	      		      & 1 & 4  & 9  & 16 & 1 & 29 & 11 & 16 & 4  & 29 & 11 & 9  \\
	      	      		\hline
	      	      		$X^4$ 
	      	      		      & 1 & 16 & 11 & 11 & 1 & 1  & 16 & 11 & 16 & 1  & 16 & 11 \\
	      	      		\hline
	      	      		$X^7$ & 1 & 23 & 17 & 4  & 6 & 22 & 9  & 11 & 33 & 27 & 16 & 3  \\
	      	      		\hline
	      	      	\end{tabular}
	      	      \end{center}
	      	      \begin{center}
	      	      	%      \centering
	      	      	\begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|c|}
	      	      		\hline
	      	      		$X$   & 18 & 19 & 22 & 23 & 24 & 26 & 27 & 29 & 31 & 32 & 33 & 34 \\
	      	      		\hline
	      	      		$X^2$ & 9  & 11 & 29 & 4  & 16 & 11 & 29 & 1  & 16 & 9  & 4  & 1  \\
	      	      		\hline
	      	      		$X^4$ & 11 & 16 & 1  & 16 & 11 & 16 & 1  & 1  & 11 & 11 & 16 & 1  \\
	      	      		\hline
	      	      		$X^7$ & 32 & 19 & 8  & 2  & 24 & 26 & 13 & 29 & 31 & 18 & 12 & 34 \\
	      	      		\hline
	      	      	\end{tabular}
	      	      \end{center}
	      	      	      	      
	      	      Every element of $\mathbb{Z}^{*}_N$ appears exactly once in the row for $X^7$, so the map $X \mapsto X^7$ is a bijection from $\mathbb{Z}^{*}_N$ to $\mathbb{Z}^{*}_N$.
	      	      	      	          
	      \end{enumerate}
	      \newpage
	      	      
	\item (0 points)
	      By hand, compute the three least significant (decimal) digits of $25114997^{9301403}$.  
	      Explain your logic.
	      	          
	      {\bfseries Solution.} 
	      	      
	      $973$
	      	      
	      \newpage
	      	      
	\item (0 points)
	      Suppose $n = 76499 = 227 \cdot 337,$ where $227$ and $337$ are primes.
	      Let $e_1 = 6039$ and $e_2 = 9031.$ 
	      	          
	      \begin{enumerate}
	      	\item (0 points) Only one of the two exponents $e_1, e_2$ is a valid RSA encryption key. Which one?
	      	      	      	              
	      	      {\bfseries Solution.}
	      	      	      	      
	      	      Only $e_2$ is valid.
	      	      	      	                
	      	      \vfill
	      	      	      	              
	      	\item (0 points) For the valid encryption key, compute the corresponding decryption key $d.$
	      	      	      	              
	      	      {\bfseries Solution.}   
	      	      	      	      
	      	      $d = 68503$
	      	      	      	                
	      	      \vfill
	      	      	      	              
	      	\item (0 points) Decrypt the cipher text $c = 33.$
	      	      	      	              
	      	      {\bfseries Solution.}
	      	      	      	                
	      	      $m = 62638$
	      	      \vfill
	      	      	      	                
	      \end{enumerate}
	      
	      \newpage
	\item {\bfseries Properties of Euler Phi Function} (0 points)
	      Let $N = p_1^{e_1} \cdot p_2^{e_2} \dotsi p_t^{e_t}$ represent the unique prime factorization of a natural number $N$, where $p_1<p_2<\dotsi <p_t$ are prime numbers and $e_1,e_2,\dotsc,e_t$ are natural numbers. 
	      Let $\bbZ_N^* = \left\{x \colon 0\leq x\leq N-1, \gcd(x,N)=1 \right\}$ and $\phi(N)=\abs{\bbZ_N^*}$. 
	      \begin{enumerate}
	      	\item Using the inclusion-exclusion principle, prove that 
	      	      $$\phi(N) = N \cdot \left(1-\frac1{p_1}\right)\cdot\left(1-\frac1{p_2}\right)\dotsi\left(1-\frac1{p_t}\right).$$
	      	      	      	            
	      	      {\bfseries Solution.}   
	      	      	      	          
	      	      The inclusion-exclusion principle states that for finite sets $A_1, \dotsi, A_n$ one has the identity
	      	      \begin{align*}
	      	      	\left|\bigcup _{i=1}^{n}A_{i}\right| = & \sum _{i=1}^{n}|A_{i}|-\sum _{1\leqslant i<j\leqslant n}|A_{i}\cap A_{j}| +\cdots +(-1)^{n-1}\left|A_{1}\cap \cdots \cap A_{n}\right| \\
	      	      	=                                      & \sum _{k=1}^{n}(-1)^{k+1}\left(\sum _{1\leqslant i_{1}<\cdots <i_{k}\leqslant n}|A_{i_{1}}\cap \cdots \cap A_{i_{k}}|\right)          
	      	      \end{align*}
	      	      	      	          
	      	      Let $I_N = \{1, 2, \cdots, N\}.$
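	      	      For every $i \in \{1, 2, \cdots, t\},$ let $A_i$ be the subset of elements of $I_N$ that are divisible by the prime $p_i.$
	      	      An element is relatively prime to $N$ if and only if it is divisible by none of the primes $p_1, \dotsc, p_t,$ that is, if and only if it lies in none of the sets $A_i.$
	      	      Since  $\bbZ_N^* = \left\{x \colon 0\leq x\leq N-1, \gcd(x,N)=1 \right\}$ and $\phi(N)=\abs{\bbZ_N^*},$ we have $$\phi(N) = N - |A_1 \cup \cdots \cup A_t|$$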
	      	      and by the inclusion-exclusion principle
	      	      $$|A_1 \cup \cdots \cup A_t| = \sum _{i=1}^{t}|A_{i}|-\sum _{1\leqslant i_1<i_2\leqslant t}|A_{i_1}\cap A_{i_2}| +\cdots +(-1)^{t-1}\left|A_{1}\cap \cdots \cap A_{t}\right|$$
	      	      	      	          
	      	      An element in the intersection $k \in A_{i_1} \cap A_{i_2} \cap \cdots \cap A_{i_j} \subset I_N$ is divisible by $p_{i_1}, p_{i_2}, \dotsi, p_{i_j}.$
	      	      Then, there are $\abs{A_{i_1} \cap A_{i_2} \cap \cdots \cap A_{i_j}} = \frac{N}{p_{i_1}\cdot p_{i_2} \dotsi \cdot p_{i_j}}$ such elements.
	      	      	      	          
	      	      Thus, $$\sum _{i=1}^{t}|A_{i}| = N \cdot (\frac{1}{p_1} + \frac{1}{p_2} + \cdots + \frac{1}{p_t})$$
	      	      $$\sum _{1\leqslant i_1<i_2\leqslant t}|A_{i_1}\cap A_{i_2}| = N \cdot (\frac{1}{p_1 \cdot p_2} + \frac{1}{p_1 \cdot p_3} + \cdots + \frac{1}{p_{t-1} \cdot p_t}).$$
	      	      	      	          
	      	      Therefore, 
	      	      \begin{align*}
	      	      	\phi(N) = & N - |A_1 \cup \cdots \cup A_t|                                                                                                   \\
	      	      	=         & N \cdot (1 - (\frac{1}{p_1} + \frac{1}{p_2} + \cdots + \frac{1}{p_t}) + \cdots + (-1)^{t} \frac{1}{p_1 \cdot p_2 \cdots p_t} ) \\
	      	      	=         & N \cdot \left(1-\frac1{p_1}\right)\cdot\left(1-\frac1{p_2}\right)\dotsi\left(1-\frac1{p_t}\right)                                
	      	      \end{align*}
	      	      \newpage
	      	      	      	            
	      	\item (0 points)
	      	      For any $x\in \bbZ_N^*$, prove that
	      	      $$ x^{\phi(N)} = 1\mod N.$$
	      	      Hint: Consider the subgroup generated by $x$ and its order. 
	      	      	      	          
	      	      {\bfseries Solution.}   
	      	      	      	          
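	      	      Let $k$ be the order of $x$, that is, the size of the subgroup of $\bbZ_N^*$ generated by $x$, so that $x^k = 1 \mod N.$
	      	      The order of $x$ divides the size of the group, $\phi(N)$ (Lagrange's theorem).
	      	      Hence, there exists an integer $m$ such that $\phi(N) = m \cdot k$ and
	      	      $$x^{\phi(N)} = (x^k)^m = 1 \mod N.$$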
	      \end{enumerate}
	      	      	          
	      \newpage
	      
	\item {\bfseries Properties of $x^e$ when $e$ is relatively prime to $\phi(N)$} (0 points)
	      	      
	      In this problem, we will partially prove a result from the class that was left unproven. 
	      Suppose $N=pq$, where $p$ and $q$ are distinct prime numbers. 
	      Let $e$ be a natural number that is relatively prime to $\varphi(N)=(p-1)(q-1)$. 
	      In the lectures, we claimed (without proof) that the function $x^e \colon \bbZ_N^*\to\bbZ_N^*$ is a bijection. 
	      The following problem is key to proving this result. 
	      	      
	      \begin{boxedalgo}
	      	Let $N = pq$, where $p$ and $q$ are distinct prime numbers. 
	      	Let $e$ be a natural number relatively prime to $(p-1)(q-1)$. 
	      	Consider $x,y\in \bbZ_N^*$. 
	      	If $x^e=y^e\mod N$, then prove that $x=y$. 
	      \end{boxedalgo}
	      	      
	      Hint: You might find the following facts useful. 
	      \begin{itemize}
	      	\item Every $\alpha\in \bbZ_N$ can be uniquely written as $(\alpha_p,\alpha_q)$ such that $\alpha=\alpha_p\mod p$ and $\alpha=\alpha_q\mod q$, using the Chinese Remainder theorem. 
	      	      We will write this observation succinctly as $\alpha = (\alpha_p,\alpha_q)\mod(p,q)$. 
	      	      	      	                
	      	\item For $\alpha,\beta\in \bbZ_N$, and $e\in \bbN$ we have $\alpha^e=\beta\mod N$ if and only if $\alpha_p^e =\beta_p\mod p$ and $\alpha_q^e=\beta_q\mod q$.
	      	      We will write this succinctly as $\alpha^e=(\alpha_p^e,\alpha_q^e)\mod(p,q)$. 
	      	      	      	                
	      	\item From the Extended GCD algorithm, if $u$ and $v$ are relatively prime, then there exist integers $a,b\in\bbZ$ such that $au + bv =1$. 
	      	      	      	              
	      	\item Fermat's little theorem states that $x^{p-1}=1\mod p$ if $x$ is a natural number that is relatively prime to the prime $p$. 
	      \end{itemize}
	      	      
	      {\bfseries Solution.}   
	      	      
	      Assume $x^e = y^e \mod N$. Then $x^e - y^e = 0 \mod N$, and there exists an integer $k$ such that $x^e - y^e = k \cdot N = k \cdot pq$.
	      Therefore, $x^e - y^e = 0 \mod p$ which implies that $x^e = y^e \mod p$.
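	      Since $e$ is relatively prime to $(p-1)(q-1)$, it is also relatively prime to $p-1$. Then, by the extended GCD algorithm, there exist integers $c, d \in \mathbb{Z}$ such that $c \cdot (p-1) + d \cdot e = 1$, which is equivalent to $d \cdot e = 1 \mod (p-1)$ for some $d \in \mathbb{Z}_{p-1}^*$.
	      Since $x$ and $y$ are relatively prime to $p$, Fermat's little theorem gives $x^{ed} = x \mod p$ and $y^{ed} = y \mod p$.
	      Hence, $$x^e = y^e \mod p \implies x^{ed} = y^{ed} \mod p \implies x = y \mod p.$$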
	      Then, $x - y = k' \cdot p$ for some integer $k'$.
	      Similarly, we can derive that $x - y = k'' \cdot q$ for some integer $k''$.
	      Now, $x - y = k' p = k'' q$ where $p, q$ are distinct primes.
	      This implies that $x - y = k''' \cdot pq$ for some integer $k'''$.
	      Thus, $$x - y = 0 \mod pq \implies x = y \mod N$$ where $N = pq$.
	      \newpage
\end{enumerate}


\newpage
\centering
{\Huge{Homework Questions}}

These are homework questions and will be graded.
Please make sure to clearly mark each problem on Gradescope.
\newpage

\begin{enumerate}
		
		
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	%%%%%%%%%%%% Problem 1  %%%%%%%%%%%%%%%%%%%%%%%%%%
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
		
	\item {\bfseries Answer the following questions (7+7+7 points):}
	      \begin{enumerate}
	      		      	    
	      	\item (7 points)
	      	      Is the following RSA signature scheme valid? (Justify your answer)
	      	      $$(r\Vert m)=5, \sigma=125, N=187, e=3$$
	      	      Here, $m$ denotes the message, $r$ denotes the randomness used to sign $m$, and $\sigma$ denotes the signature. Moreover, $(r\Vert m)$ denotes the concatenation of $r$ and $m$. The signature algorithm $\sign(m)$ returns $(r\Vert m)^d \mod{N}$ where $d$ is the inverse of $e$ modulo $\varphi(N)$. The verification algorithm $\ver(m,\sigma)$ returns ($(r\Vert m)==\sigma^e \mod{N}$). 
	      	      	      	          
	      	      {\bfseries Solution.} 
	      	      	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      	      	          
	      	      \newpage
	      	      	      	          
	      	\item (7 points)
	      	      Remember that in RSA encryption and signature schemes, $N=p\times q$ where $p$ and $q$ are two large primes. 
	      	      Show that in the RSA scheme (with public parameters $N$ and $e$), if you know $N$ and $\varphi(N)$, then you can efficiently factorize $N$, i.e., you can recover $p$ and $q$.
	      	      	      	      
	      	      	      	          
	      	      	      	          
	      	      {\bfseries Solution.}   
	      	      	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      	      	          
	      	\item (7 points)
	      	      Consider an encryption scheme where 
	      	      $\enc(m):=m^e \mod{N}$ where $e$ is a positive integer relatively prime to $\varphi(N)$ and $\dec(c):=c^d \mod{N}$ where $d$ is the inverse of $e$ modulo $\varphi(N)$.
	      	      Show that in this encryption scheme, if you know the encryption of $m_1$ and the encryption of $m_2$, then you can find 
	      	      the encryption of $(m_1\times m_2)^7$.
	      	      	      	            
	      	      {\bfseries Solution.}   
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      	      	          
	      	      \newpage
	      	      	      	          
	      	      	      	          
	      	      	      	          
	      \end{enumerate}
	      \newpage
	      	      
	      	      
	      	      
	      	      
	      	      
	      	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% Problem 2  %%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries  Replacing $\phi(N)$ with $\frac{\phi(N)}{2}$ in RSA (15 points)}
	      
	      In RSA, we pick the exponent $e$ and the decryption key $d$ from the set $\bbZ_{\phi(N)}^*$.
	      This problem shall show that we can choose $e,d\in\bbZ_{\phi(N)/2}^*$ instead. 
	      Let $p, q$ be two distinct odd primes and define $N = pq$. 
	      \begin{enumerate}
	      	\item (2 points) For any $e\in \bbZ_{\phi(N)/2}^*$, prove that $x^e \colon \bbZ_N^* \to \bbZ_N^*$ is a bijection. 
	      	      	      	      	      
	      	      {\bfseries Solution.}   
	      	      	      	      	                
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      	      	      	              
	      	\item (7 points)
	      	      Consider any $x \in \mathbb{Z}^*_N.$
	      	      Prove that $x^{\frac{\phi(N)}{2}} = 1 \mod p$ and $x^{\frac{\phi(N)}{2}} = 1 \mod q.$
	      	      	      	      	                  
	      	      {\bfseries Solution.}  
	      	      	      	      	                    
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      \newpage
	      	      	      	      	              
	      	      	      	      	      
	      	\item (3 points)
	      	      Consider any $x \in \mathbb{Z}^*_N.$
	      	      Prove that $x^{\frac{\phi(N)}{2}} = 1 \mod N.$
	      	      	      	      	      
	      	      {\bfseries Solution.}   
	      	      	      	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      	      	      	      
	      	      	      	      	              
	      	\item (3 points)
	      	      Suppose $e, d$ are integers such that $e \cdot d = 1 \mod \frac{\phi(N)}{2}.$
	      	      Show that $(x^{e})^d = x \mod N,$ for any $x\in\bbZ_N^*$.
	      	      	      	      	      
	      	      {\bfseries Solution.}   
	      	      	      	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \vfill
	      	      	      	      	              
	      \end{enumerate}
	      \newpage
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% Problem 5  %%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Shor's algorithm for factoring large integers} (20 points)
	      {\color{red} New Problem}
	                
	      Shor's algorithm is a quantum algorithm for factoring large integers. 
	      It shows that a quantum computer can factor large numbers in polynomial time, whereas the best-known classical algorithms are sub-exponential but not polynomial.
	      In this problem, we will investigate how Shor's algorithm finds a non-trivial factor for any integer $N.$
	      
	      \begin{enumerate}
	      	\item {\bfseries From factorization to order-finding.} (5 points) 
	      	                    
	      	      Consider an integer $N$ and the multiplicative group $\bbZ_N^*.$
	      	      Pick a {\emph{random}} element $a \in \bbZ_N^*.$
	      	      The order of the group element $a$ is the smallest positive integer $r$ such that $a^r = 1 \mod N.$
	      	      Show that if $r$ is even and $a^{r/2} \neq \pm1 \mod N,$ then
	      	      $$\gcd(a^{r/2}-1, N)$$
	      	      gives a non-trivial factor of $N.$
	      	      
	      	      {(Hint: Let $x = a^{r/2}$ and consider $x^2 = 1 \mod N.$)}
	      	      
	      	      {\bfseries Solution.} 
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      
	      	      \newpage 
	      	                    
	      	\item {\bfseries The Continued Fraction algorithm.} (15 points)
	      	      
	      	      Pick $Q > N^2$ to be a power of $2.$
	      	      Consider a quantum order-finding algorithm that returns an integer $c$ such that $\frac{c}{Q} \approx \frac{k}{r}$ for some unknown integer $k,$ where $r$ is the unknown order we want to recover. 
	      	      We use a continued fraction to reconstruct the order $r$.
	      	      
	      	      Consider $N = 91$ and $Q = 2^{14} = 16384 > N^2.$
	      	      Suppose the quantum order-finding algorithm returns $c = 13653.$
	      	      Answer the following.
	      	      
	      	      \begin{enumerate}
	      	      	\item (2 points) {Continued Fraction Expansion. } 
	      	      	                        
	      	      	      For a real number $x$, its continued fraction expansion is written $$x = [a_0;a_1,a_2,a_3,\dots] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \ddots}}},$$ where $a_0 \in \mathbb{Z}$ and $a_i \in \mathbb{Z}_{\ge 1}$ for $i \ge 1$.
	      	      	                        
	      	      	      Write out the continued fraction expansion for $x = \frac{c}{Q}$ in both forms.
	      	      	      
	      	      	      {\bfseries Solution.} 
	      	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      	      \newpage
	      	      	      
	      	      	\item (5 points)
	      	      	      The $n$-th convergent of the continued fraction expansion of $x$ is the rational number obtained by truncating after $a_n$: $$\frac{p_n}{q_n} = [a_0;a_1,\dots,a_n].$$
	      	      	      The convergents form a sequence of rational approximations to $x$.
	      	      	      
	      	      	      Write out the second, third, fourth, fifth, and sixth convergents of the continued fraction expansion of $x = \frac{c}{Q}.$
	      	      	      
	      	      	      {\bfseries Solution.} 
	      	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      	      \newpage
	      	      	                        
	      	      	      
	      	      	\item (5 points)
	      	      	      Legendre's theorem states the following.
	      	      	      Let $x \in \mathbb{R}$. If a reduced fraction $p/q$ satisfies $\abs{x-\frac{p}{q}} < \frac{1}{2q^2},$ then $p/q$ is a convergent of the continued fraction expansion of $x$.
	      	      	                        
	      	      	      Apply Legendre's theorem to show that the unknown reduced fraction $k/r$ must appear among the convergents of $x$.
	      	      	      
	      	      	      {\bfseries Solution.} 
	      	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      	      \newpage
	      	      	      
	      	      	\item (3 points) Pick $a = 3 \in \bbZ_{91}^*.$
	      	      	      What is the order $r$? 
	      	      	      Once $r$ is found, factor $N=91$ by computing
	      	      	      $$\gcd\left(a^{r/2}-1,N\right) \qquad \text{and} \qquad \gcd\left(a^{r/2}+1,N\right).$$
	      	      	      
	      	      	      {\bfseries Solution.} 
	      	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \end{enumerate}
	      	                    
	      	      
	      	                    
	      \end{enumerate}
	      \newpage
	      	      
	      	      
	      	      
	      	      
	      	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% Problem 3  %%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Understanding hardness of the Discrete Logarithm Problem.} (15 points)
	      Suppose $(G,\circ)$ is a group of order $N$ generated by $g\in G$. 
	      Suppose there is an algorithm $\cA_{DL}$ that, when given input $X\in G$, outputs $x\in\{0,1,\dotsc,N-1\}$ such that $g^x=X$ with probability $p_X$. 
	      	        
	      Think of it this way: The algorithm $\cA_{DL}$ solves the discrete logarithm problem; however, for different inputs $X\in G$, its success probability $p_X$ may be different. 
	      	        
	      Let $p = \frac{\left(\sum_{X\in G} p_X\right)}{N}$ represent the average success probability of $\cA_{DL}$ solving the discrete logarithm problem when $X$ is chosen uniformly at random from $G$. 
	      	        
	      Construct a new algorithm $\cB$ that takes {\em any} $X\in G$ as input and outputs $x\in\{0,1,\dotsc,N-1\}$ (by making one call to the algorithm $\cA_{DL}$) such that $g^x=X$ with probability $p$. 
	      This new algorithm that you construct shall solve the discrete logarithm problem for {\em every} $X\in G$ with the same probability $p$. 
	      	        
	      ({\footnotesize {\em Remark:} 
	      	Intuitively, this result shows that solving the discrete logarithm problem for {\em any} $X\in G$ is no harder than solving the discrete logarithm problem for a {\em random} $X\in G$.
	      }) 
	      	      
	      {\bfseries Solution.}   
	      	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      \newpage
	      	      
	      	      
	      	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% Problem 4  %%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Concatenating a random bit string before a message.} (15 points)
	      	      
	      Let $m\in\zo^a$ be an arbitrary message.
	      Define the set 
	      $$ S_m = \left\{ (r \Vert m) \colon r\in\zo^b\right\}. $$
	      Let $p$ be an odd prime. 
	      Recall that in the RSA encryption algorithm, we encrypted a message $y$ chosen uniformly at random from this set $S_m.$
	      	      
	      Prove the following
	      $$ \underset{y\getsr S_m}{\text{Pr}} [p\text{ divides } y] \leq 2^{-b} \cdot \left\lceil 2^b/p\right\rceil.  $$
	      	          
	      ({\footnotesize {\em Remark:} 
	      	This bound is tight as well. 
	      	There exists $m$ such that equality is achieved in the probability expression above. 
	      	Intuitively, this result shows that the message $y$ will be relatively prime to $p$ with probability (roughly) $(1 - 1/p)$. 
	      }) 
	      	      
	      {\bfseries Solution.}   
	      	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      
	      	        
	      	      
	      \newpage
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% Problem 6  %%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Challenging: Inverting exponentiation function.} (20 points)
	      	      
	      Fix $N = pq$, where $p$ and $q$ are distinct odd primes. 
	      Let $e$ be a natural number such that $\gcd(e, \phi(N)) = 1$. 
	      Suppose there is an adversary $\cA$ running in time $T$ such that  
	      $$\prob{[\cA ([x^e \mod N]) = x]} = 0.01$$
	      for $x$ chosen uniformly at random from $\mathbb{Z}^*_N.$ 
	      Intuitively, this algorithm successfully finds the $e$-th root with probability $0.01$, for a random $x$. 
	      	          
	      For any $\eps\in(0,1)$, construct an adversary $\cB_\eps$ (which, possibly, makes multiple calls to the adversary $\cA$) such that
	      $$\prob{[\cB_\eps ([x^e \mod N]) = x]} = 1 - \eps,$$
	      for {\em every} $x \in \mathbb{Z}^*_N.$
	      The algorithm $\cB_\eps$ should have a running time polynomial in $T, \log N,$ and $\log (1/\eps)$. 
	      	      
	      {\bfseries Solution.}   
	      	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      
\end{enumerate}


\end{document}
