Professional Documents
Culture Documents
UNIT I
Introduction
This book focuses on two broad areas: cryptographic algorithms and protocols, which have a
broad range of applications; and network and Internet security, which rely heavily on
cryptographic techniques. Cryptographic algorithms and protocols can be grouped into four
main areas:
•Symmetric encryption: Used to conceal the contents of blocks or streams of data of any
size, including messages, files, encryption keys, and passwords.
•Asymmetric encryption: Used to conceal small blocks of data, such as encryption keys
and hash function values, which are used in digital signatures.
•Data integrity algorithms: Used to protect blocks of data, such as messages, from
alteration.
•Authentication protocols: These are schemes based on the use of cryptographic
algorithms designed to authenticate the identity of entities.
The OSI security architecture is useful to managers as a way of organizing the task of providing
security. The OSI security architecture focuses on security attacks, mechanisms, and services.
These can be defined briefly as follows:
Security attack: Any action that compromises the security of information owned by an
organization.
Security mechanism: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the security of
the data processing systems and the information transfers of an organization. The
services are intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service.
Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a
threat is a possible danger that might exploit vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system.
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal
of the opponent is to obtain information that is being transmitted. Two types of passive attacks
are
release of message contents
traffic analysis
(ii) A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of
masking the contents of messages or other information traffic so that opponents, even if they
captured the message, could not extract the information from the message. The common
technique for masking contents is encryption Passive attacks are very difficult to detect because
they do not involve any alteration of the data.
(i) A masquerade takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place,
thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.
(ii) Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.
(iii) Modification of messages simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect.
(iv) The Denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for example, an entity may
suppress all messages directed to a particular destination (e.g., the security audit service).
Prepared by P.Vasantha Kumari/IT 4
Cryptography and Network Security Unit I
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks
are difficult to detect, measures are available to prevent their success. On the other hand, it is
quite difficult to prevent active attacks absolutely.
Nonrepudiation, Origin
Proof that the message was sent by the
specified party.
Nonrepudiation, Destination
Proof that the message was received by the
specified party.
provided for use at the establishment of, or at times during the data transfer phase of, a
connection. It attempts to provide confidence that an entity is not performing either a
masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a data unit. It does
not provide protection against the duplication or modification of data units. This type of service
supports applications like electronic mail, where there are no prior interactions between the
communicating entities.
Access Control
In the context of network security, access control is the ability to limit and control the access to
host systems and applications via communications links. To achieve this, each entity trying to
gain access must first be identified, or authenticated, so that access rights can be tailored to the
individual.
Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect to the
content of a data transmission, several levels of protection can be identified. The broadest
service protects all user data transmitted between two users over a period of time. For example,
when a TCP connection is set up between two systems, this broad protection prevents the
release of any user data transmitted over the TCP connection. Narrower forms of this service can
also be defined, including the protection of a single message or even specific fields within a
message. These refinements are less useful than the broad approach and may even be more
complex and expensive to implement. The other aspect of confidentiality is the protection of
traffic flow from analysis. This requires that an attacker not be able to observe the source and
destination, frequency, length, or other characteristics of the traffic on a communications facility.
Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or selected
fields within a message. Again, the most useful and straightforward approach is total stream
protection. A connection-oriented integrity service, one that deals with a stream of messages,
assures that messages are received as sent with no duplication, insertion, modification,
Prepared by P.Vasantha Kumari/IT 7
Cryptography and Network Security Unit I
reordering, or replays. The destruction of data is also covered under this service. Thus, the
connection-oriented integrity service addresses both message stream modification and denial of
service. On the other hand, a connectionless integrity service, one that deals with individual
messages without regard to any larger context, generally provides protection against message
modification only. We can make a distinction between service with and without recovery.
Because the integrity service relates to active attacks, we are concerned with detection rather
than prevention. If a violation of integrity is detected, then the service may simply report this
violation, and some other portion of software or human intervention is required to recover from
the violation. Alternatively, there are mechanisms available to recover from the loss of integrity
of data, as we will review subsequently. The incorporation of automated recovery mechanisms
is, in general, the more attractive alternative.
Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus,
when a message is sent, the receiver can prove that the alleged sender in fact sent the message.
Similarly, when a message is received, the sender can prove that the alleged receiver in fact
received the message.
Table 1.2 lists the security mechanisms defined in X.800. The mechanisms are divided into those
that are implemented in a specific protocol layer, such as TCP or an application-layer protocol,
and those that are not specific to any particular protocol layer or security service. So we do not
elaborate now, except to comment on the definition of encipherment. X.800 distinguishes
between reversible encipherment mechanisms and irreversible encipherment mechanisms. A
reversible encipherment mechanism is simply an encryption algorithm that allows data to be
encrypted and subsequently decrypted. Irreversible encipherment mechanisms include hash
algorithms and message authentication codes, which are used in digital signature and message
authentication applications. Table 1.3, based on one in X.800, indicates the relationship between
security services and security mechanisms.
Routing Control
Enables selection of particular physically
secure routes for certain data and allows
routing changes, especially when a breach of
security is suspected.
Notarization
The use of a trusted third party to assure
certain properties of a data exchange.
Table 1.2 – Security Mechanisms
Prepared by P.Vasantha Kumari/IT 9
Cryptography and Network Security Unit I
◆ Symmetric encryption transforms plaintext into ciphertext using a secret key and an
encryption algorithm. Using the same key and a decryption algorithm, the plaintext is recovered
from the ciphertext.
◆ The two types of attack on an encryption algorithm are cryptanalysis, based on properties of
the encryption algorithm, and brute-force, which involves trying all possible keys.
◆ Traditional (precomputer) symmetric ciphers use substitution and/or transposition
techniques. Substitution techniques map plaintext elements (characters, bits) into ciphertext
elements. Transposition techniques systematically transpose the positions of plaintext elements.
Encryption Techniques
Substitution Techniques
o Caesar Cipher
o Mono alphabetic Ciphers
o Play fair Cipher
o Hill Cipher
o Polyalphabetic Ciphers
o One-Time Pad
Transposition Techniques
Rotor Machines
An original message is known as the plaintext, while the coded message is called the cipher text.
The process of converting from plaintext to cipher text is known as enciphering or encryption;
restoring the plaintext from the cipher text is deciphering or decryption. The many schemes used
for encryption constitute the area of study known as cryptography. Such a scheme is known as a
cryptographic system or a cipher.
Techniques used for deciphering a message without any knowledge of the enciphering details fall
into the area of cryptanalysis. Cryptanalysis is what the layperson calls “breaking the code.” The
areas of cryptography and cryptanalysis together are called cryptology.
Cryptography
Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to cipher text. All encryption
algorithms are based on two general principles: substitution, in which each element in the
plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition,
in which elements in the plaintext are rearranged. The fundamental requirement is that no
information be lost (that is, that all operations are reversible). Most systems, referred to as
product systems, involve multiple stages of substitutions and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system is
referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and
receiver use different keys, the system is referred to as asymmetric, two-key, or public-key
encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one
block of elements at a time, producing an output block for each input block. A stream cipher
processes the input elements continuously, producing output one element at a time, as it goes
along.
Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the
transformation by listing all possibilities, as follows:
Then the encryption algorithm for Caesar Cipher can be expressed as follows. For each plaintext
letter P, substitute the ciphertext letter C:
C = E (K, P) = (P + K) mod 26
where, P is the plaintext
C is the ciphertext
K is the key value which takes on a value in the range 1 to 25.
A shift may be of any amount. For example if K=3, then
C = E (3, P) = (P + 3) mod 26
The decryption algorithm is simply written as
P = D(K, C) = (C - K) mod 26
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily
performed: simply try all the 25 possible keys. Figure 1.6 shows the results of applying this
strategy to the example ciphertext. In this case, the plaintext leaps out as occupying the third
line. Three important characteristics of this problem enabled us to use a brute-force
cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
Example
Convert the plaintext “welcome” to the ciphertext with the key 3 using ceasar cipher.
Plaintext P: welcome
Key K=3
Ciphertext: C = E(K, P) = E(3, P) = zhofrph
Decryption is similar. Start with the first cipher text letter 'p', and look at the table to find the
corresponding plaintext letter 'm'. Continue with the next letter 'x', and find it maps to 'e.
Mono alphabetic encryption is very easy to break, for two main reasons. First, commonly used
letters like 'e' show up very quickly as the 'x' in the example. Second, words with repeated letters
like "meet" in the example show that repetition in the cipher text. And indeed this is so weak that
the daily cryptogram run by some newspapers is typically an mono alphabetic substitution.
In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of the
keyword (minus duplicates) from left to right and from top to bottom, and then filling in the
remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count
as one letter. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x,
so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row circularly following the last. For example, ar is
encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with
the top element of the column circularly following the last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and
the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or
JM, as the encipherer wishes).
Example
Plaintext: welcome
Key: Monarchy (Use the same matrix mentioned above)
No.of characters in the plaintext is 7, so we add x to the end of plaintext.
Now it would be,
welcomex
Define the pair of letters in the plaintext, it would be,
We lc om ex
Match the pair of letters in the given matrix, it would be replaced with
Gu ue no iu
Ciphetext: guuenoiu
Example
Encipher
In order to encrypt a message using the Hill cipher, the sender and receiver must first agree upon
a key matrix A of size n x n. A must be invertible mod 26. The plaintext will then be enciphered in
blocks of size n. In the following example A is a 2 x 2 matrix and the message will be enciphered
in blocks of 2 characters.
Key Matrix K =
The first two letters of the ciphertext correspond to 2, 8 and are therefore CI. This step is
repeated for the entire plaintext. If there are not enough letters to form blocks of 2, pad the
message with some letter, say Z.
The original plaintext P:
MI SS IS SI PP IK
will be enciphered as:
CI KK GE UW ER OY
Notice that the repeated digraphs IS, SS and repeated letters S and P in the plaintext are masked
using the Hill cipher.
Decipher
To decipher a message, first calculate the inverse of the key K.
Then multiply the inverse of the key by each pair of ciphertext letters (mod 26) to recover the
original text.
Find K-1
K-1 = 3 -9 mod 26
-18 25
to decrypt the message. The first two letters are 12, 8 which correspond to M and I. The receiver
will repeat this step for every pair of letters in the ciphertext to recover the original message
MISSISSIPPIK. To use a Hill cipher with different block size the number of rows and columns in
matrix A should be equal to the block size. For example if the block size is 4 the A should be a
matrix of size 4 x 4.
(v)Polyalphabetic Ciphers
Another way to improve on the simple mono alphabetic technique is to use different mono
alphabetic substitutions as one proceeds through the plaintext message. The general name for
this approach is polyalphabetic substitution cipher. All these techniques have the following
features in common:
1. A set of related mono alphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.
VIGENERE CIPHER
The best known, and one of the simplest, polyalphabetic ciphers is the Vigenère cipher. In this
scheme, the set of related mono alphabetic substitution rules consists of the 26 Caesar ciphers
with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the ciphertext letter
that substitutes for the plaintext letter a. A general equation of the encryption process is
In essence, each plaintext character is encrypted with a different Caesar cipher, depending on the
corresponding key character. Similarly, decryption is a generalization of Equation
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword. For example, if the keyword is deceptive, the message “we are discovered
save yourself” is encrypted as
VERNAM CIPHER
The ultimate defense against such a cryptanalysis is to choose a keyword that is as long as the
plaintext and has no statistical relationship to it. The system can be expressed succinctly as
follows:
(v)One-Time Pad
The term "one-time pad" refers to any method of encryption where each byte of the
plaintext is enciphered using one byte of the key stream, and each key byte is used one time then
never used again. The key stream for a one-time pad must be a true-random stream, meaning
that every key byte can take any of the values 0 to 255 with equal likelihood, and independently
of the values of all other key bytes. By contrast, in a pseudo-random key stream the value of each
byte after the first several is mathematically derived from the values of a few preceding bytes.
The practical difficulty of using a one-time pad is that the key bytes cannot be reused. This
means that even for a two-way exchange of messages, each party must have a sufficient supply of
key material on hand so that they cannot run out before more key stream can be furnished. For
N-way exchanges, the amount of key required increases quadratically. An example should
illustrate our point. Suppose that we are using a Vigenère scheme with 27 characters in which
the twenty-seventh character is the space character, but with a one-time key that is as long as the
message.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
1. There is the practical problem of making large quantities of random keys. Any heavily
used system might require millions of random characters on a regular basis. Supplying
truly random characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For every message
to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth
key distribution problem exists.
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to write the
message in a rectangle, row by row, and read the message off, column by column, but permute
the order of the columns. The order of the columns then becomes the key to the algorithm. For
example, convert the plaintext “ATTACH POSTPONED UNTIL TWO AM XYZ” using the key
4312567.
Key:
4 3 1 2 5 6 7
Plaintext:
A T T A C K P
O S T P O N E
D U N T I L T
W O A M X Y Z
The transposition cipher can be made significantly more secure by performing more than one
stage of transposition. The result is a more complex permutation that is not easily reconstructed.
Thus, if the foregoing message is re-encrypted using the same algorithm,
Key:
4 3 1 2 5 6 7
Input:
T T N A A P T
M T S U O A O
D W C O I X K
N L Y P E T Z
Output: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
transposition ciphers. Before the introduction of DES, the most important application of the
principle of multiple stages of encryption was a class of systems known as rotor machines.
The basic principle of the rotor machine is illustrated in Figure 1.8. The machine consists of a set
of independently rotating cylinders through which electrical pulses can flow. Each cylinder has
26 input pins and 26 output pins, with internal wiring that connects each input pin to a unique
output pin. For simplicity, only three of the internal connections in each cylinder are shown. If
we associate each input and output pin with a letter of the alphabet, then a single cylinder
defines a mono alphabetic substitution. For example, in Figure 1.8, if an operator depresses the
key for the letter A, an electric signal is applied to the first pin of the first cylinder and flows
through the internal connection to the twenty-fifth output pin. Consider a machine with a single
cylinder. After each input key is depressed, the cylinder rotates one position, so that the internal
connections are shifted accordingly. Thus, a different mono alphabetic substitution cipher is
defined. After 26 letters of plaintext, the cylinder would be back to the initial position. Thus, we
have a polyalphabetic substitution algorithm with a period of 26. A single-cylinder system is
trivial and does not present a formidable cryptanalytic task. The power of the rotor machine is in
the use of multiple cylinders, in which the output pins of one cylinder are connected to the input
pins of the next. Figure 1.8 shows a three-cylinder system. The left half of the figure shows a
position in which the input from the operator to the first pin (plaintext letter a) is routed through
the three cylinders to appear at the output of the second pin (ciphertext letter B).
Problems
1. Decipher the following cipher text using brute force attack: (University Question)
CMTMROOEOORW (Hint: Algorithm – Railfence)
Solution
Arrange the Cipher text using Railfence technique
CMTMRO
OEOORW
Plaintext: COME TOMORRROW
2. Convert the given text “anna university” into cipher text using rail fence technique.
(University Question)
Solution
Plaintext: anna university
Arrange the plaintext using railfence technique
anuiest
nanvriy
Cipher text: anuiestnanvriy
3. Given the key 'MONARCHY' apply play fair to plain text "FACTIONALISM" to ensure
confidentiality at the destination, decrypt the ciphertext and establish authenticity.
Solution
Step 1: Construct the matrix for the key “MONARCHY”
Prepared by P.Vasantha Kumari/IT 28
Cryptography and Network Security Unit I
4. Apply Hill cipher to perform encryption and decryption for the plaintext “TOP SECRET
MESSAGE “using the secret key
Solution
(i) Encryption
1. Choose a 2x2 encryption matrix. For this example, we will use the matrix
This matrix has the determinant (3*7) – (2*5) = 21 – 10 = 11. Since 11 is ≠ 0, this matrix is
invertible.
11 is also relatively prime to 26. These two qualities satisfy the requirements listed previously,
making this encryption matrix a valid choice for use in the Hill cipher.
2. Split the plaintext into blocks of size 2 (ignoring spaces), determine the letters’ numerical
values, and align these as column vectors. If the length of the plaintext is not evenly divisible by
2, add a previously decided character to the end of the string until the plaintext is evenly
divisible by 2.
3. Multiply each of these column vectors by the encryption matrix and take modulo 26 of the
result.
4. Convert each of the matrices obtained in step 3 to their alphabetical vectors and combine them
to produce the cipher text.
This completes the process of the Hill cipher’s encryption by matrix multiplication. We can see
that the plaintext “TOP SECRET MESSAGE” encodes to “HLDTQIHJDXWQCMAG.” It is important
to note that the Hill cipher overcomes the frequency distribution problem associated with simple
substitution ciphers, such as the Caesar cipher. Since the encryption is not simply based on
replacing certain characters with others but, instead, on linear transformations of blocks of
characters, the frequencies of each letters’ appearance in the language have been masked. In fact,
the cipher text in the above case makes this even easier to see because it has more characters in
it than the original plaintext.
(ii) Decryption
The process is the same as encryption, but with the inverse matrix instead of the original
encryption matrix. Decryption of the cipher text “HLDTQIHJDXWQCMAG” with the 2 x 2
encryption matrix previously defined would go as follows:
At this point, the cipher text has been decrypted into the original plaintext, minus the original
spaces. Spaces can either be added by the recipient or an alphabet. It could be devised that would
include a space character. For example, the character “_“ could be added to our alphabet as
having the numerical value 26 and all of our modulo functions would change to modulo 27 to
adjust for the fact there would now be 27 characters in the alphabet. This modified alphabet
would allow for encryption of the space character within messages.
5. Apply Hill cipher to perform encryption and decryption for the plaintext “PAY “using
the secret key
17 17 5
21 18 21
2 2 19
Solution
(i) Encryption
1. Choose a key matrix K. For this example, we will use the matrix
2. Determine the plaintext letters(PAY) numerical values, and align these as column vectors.
P= P = 15
A 0
Y 24
3. Perform Encryption using the formula, C = KP mod 26
= 375 mod 26
819
486
= 11 = L
13 N
18 S
The plaintext “PAY” is converted into the ciphertext “LNS”
(ii) Decryption
The process is the same as encryption, but with the inverse matrix instead of the original
encryption matrix. Decryption of the cipher text “LNS” with the 3 x 3 encryption matrix
previously defined would go as follows:
Find the inverse of the matrix K
1
K-1 = adj K
¿¿
Det K = 17[(18 × 19) – (2 × 21)] – 17[(21 × 19) – (2 × 21)] + 5[(21 × 2)- (2 × 18)]
= 5100 – 6069 + 30 = -939
= 4 -17 15
-11 17 -20
24 0 -9
K-1 = 4 9 15
15 17 6
24 0 17
Calculate the plaintext using the formula P = K-1C mod 26
= 4 × 11 9 × 13 15 × 18 mod 26
15 × 11 17 × 13 6 × 18
24 × 11 0 × 13 17 × 18
= 431 mod 26
494
570
= 15 = P
0 A
24 Y
A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its
previous state. The only linear function of single bits is xor, thus it is a shift register whose input
bit is driven by the exclusive-or (xor) of some bits of the overall shift register value. The initial
value of the LFSR is called the seed, and because the operation of the register is deterministic, the
stream of values produced by the register is completely determined by its current (or previous)
state. Likewise, because the register has a finite number of possible states, it must eventually
enter a repeating cycle. However, an LFSR with a well-chosen feedback function can produce a
sequence of bits which appears random and which has a very long cycle.
sequentially with the output bit and then fed back into the leftmost bit. The sequence of bits in
the rightmost position is called the output stream.
The bits in the LFSR state which influence the input are called taps (white in the diagram).
A maximum-length LFSR produces an m-sequence (i.e. it cycles through all possible 2 n − 1
states within the shift register except the state where all bits are zero), unless it contains
all zeros, in which case it will never change.
As an alternative to the XOR based feedback in an LFSR, one can also use XNOR.[1] This
function is not linear, but it results in an equivalent polynomial counter whose state of
this counter is the complement of the state of an LFSR. A state with all ones is illegal when
using an XNOR feedback, in the same way as a state with all zeroes is illegal when using
XOR. This state is considered illegal because the counter would remain "locked-up" in this
state.
The sequence of numbers generated by an LFSR or its XNOR counterpart can be
considered a binary numeral system just as valid as Gray code or the natural binary code.
Applications
LFSRs can be implemented in hardware, and this makes them useful in applications that require
very fast generation of a pseudo-random sequence, such as direct-sequence spread spectrum
radio. LFSRs have also been used for generating an approximation of white noise in various
programmable sound generators.
E0 have serious weaknesses. The linear feedback shift register has a strong relationship to linear
congruential generators.
1.4.1 Divisibility
Number theory is concerned with the properties of the integers. One of the most important is
divisibility.
Definition: Let a and b be integers then we say that a divides b, if there is an integer k such that b
= ak. This is denoted by a|b. Another way to express this is that b is a multiple of a.
For example
(i) Factorization
Find GCD(56, 124)
Solution
Find the factors of 56, 124.
Factors of 56 is 2 × 2 × 2 × 7
Factors of 124 is 2 × 2 × 31
Common factors are 2 × 2.
So, GCD( 56, 124) = 4.
Example
Find GCD(56, 124)
Solution:
GCD(56, 124) = GCD(124, 56)
= GCD(68, 56)
= GCD(56,12)
= GCD(44, 12)
= GCD(32, 12)
= GCD(20, 12)
= GCD(12, 8)
= GCD(8, 4)
= GCD(4, 4)
GCD(56, 124) = 4.
1.5 Congruences
One of the most basic and useful notions in number theory is modular arithmetic, or
congruences.
Examples.
32 = 7 (mod 5)
32 = 7 + 5 . k where k is a constant
Substitute k=5, then it was proved.
Proof
Let us that, a ≡ b (mod n)
a=b+k.n ……………….. (1)
Let us that, c ≡ d (mod n)
c=d+l.n ……………….. (2)
Add (1) & (2)
a+c=b+k.n+d+l.n
a + c = b + d + n(k + l)
a + c ≡ b + d (mod n) is proved.
Proposition
Let a ,b ,c ,n be integers with, n ≠ 0 and with gcd(a,n) = 1. If ab ≡ ac (mod n), then b ≡c (mod n).
In other words, i f a and n are relatively prime, we can divide both sides of the congruence by a.
Proof
Given ab ≡ ac (mod n)
ab = ac + k . n
Divide both sides by a
ab ac k .n
a
= a
+ a
b = c + n.k
Now, b ≡c (mod n) is proved.
Example
Solve 2x + 7 ≡ 3 (mod 17)
Solution
2x + 7 ≡ 3 (mod 17)
2x + 7 = 3 + k. 17
2x = - 4 + k. 17
Substitute k = 1,
2x = 13. It does not provide the solution
Substitute k = 2,
2x = - 4 + 2. 17
2x = 30
Therefore x = 15
Now, we write
x ≡ 15 (mod 17)
Proposition
Suppose GCD (a,n) =1. Let s and t be the integers such that as + nt = 1 then as ≡ 1 (mod n).
Proof
GCD(a, n) = 1
as + nt = 1
1 – as = nt
as – 1 = n . t
Thus, as ≡ 1 (mod n) is proved.
For example, given b = 5, e = 3, and m = 13, the solution, c = 8, is the remainder of dividing by
13. If b, e, and m are non-negative, and b < m, then a unique solution c exists with the property 0
≤ c < m. Modular exponentiation can be performed with a negative exponent e by finding the
modular multiplicative inverse d of b modulo m using the extended Euclidean algorithm. That is:
Modular exponentiation problems similar to the one described above are considered easy to
solve, even when the numbers involved are enormous. On the other hand, computing the discrete
logarithm - that is, the task of finding the exponent e if given b, c, and m - is believed to be
difficult. This one way function behavior makes modular exponentiation a candidate for use in
cryptographic algorithms.
Example
Calculate 7256 mod 13 using Modular exponentiation
Solution
71 mod 13 = 7
72 mod 13 = (71 *71) mod 13 = (71 mod 13 * 71 mod 13) mod 13
We can substitute our previous result for 71 mod 13 into this equation.
72 mod 13 = (7 *7) mod 13 = 49 mod 13 = 10
72 mod 13 = 10
74 mod 13 = (72 *72) mod 13 = (72 mod 13 * 72 mod 13) mod 13
We can substitute our previous result for 72 mod 13 into this equation.
74 mod 13 = (10 * 10) mod 13 = 100 mod 13 = 9
74 mod 13 = 9
78 mod 13 = (74 * 74) mod 13 = (74 mod 13 * 74 mod 13) mod 13
We can substitute our previous result for 74 mod 13 into this equation.
78 mod 13 = (9 * 9) mod 13 = 81 mod 13 = 3
78 mod 13 = 3
We can substitute our previous result for 78 mod 13 into this equation.
716 mod 13 = (3 * 3) mod 13 = 9 mod 13 = 9
716 mod 13 = 9
We can substitute our previous result for 716 mod 13 into this equation.
732 mod 13 = (9 * 9) mod 13 = 81 mod 13 = 3
732 mod 13 = 3
We can substitute our previous result for 732 mod 13 into this equation.
764 mod 13 = (3 * 3) mod 13 = 9 mod 13 = 9
764 mod 13 = 9
We can substitute our previous result for 764 mod 13 into this equation.
7128 mod 13 = (9 * 9) mod 13 = 81 mod 13 = 3
7128 mod 13 = 3
We can substitute our previous result for 7128 mod 13 into this equation.
7256 mod 13 = (7128 * 7128) mod 13
= (7128 mod 13 * 7128 mod 13) mod 13
= (3 * 3) mod 13
= 9 mod 13
=9
The result is: 7256 mod 13 = 9
Two of the most basic results in number theory are Fermat's and Euler’s theorems. Originally
admired for their theoretical value, they have more recently proved to have important
cryptographic applications and will be used repeatedly throughout this book.
Example
Assume a=2, p=7. Substitute in the theorem:
26 ≡ 1 (mod 7)
26 = 1 + c . 7, where c is a constant
Prepared by P.Vasantha Kumari/IT 48
Cryptography and Network Security Unit I
64 = 1 + c . 7
Substitute c=9, then the theorem would be proved as
26 ≡ 1 (mod 7)
Example
Find Φ(21)
Euler’s Theorem
Euler’s theorem states that for every a and n that are relatively prime:
aΦ(n) ≡ 1 (mod n ).
Example:
Consider a=3, n=10.
Then Φ(n) = Φ(10) = {1, 3, 7, 9} = 4
Now, check
34 ≡ 1 (mod 10)
81 = 1+ c. 10, where c is a constant
Apply c=8 then, the theorem would be proves as
aΦ(n) ≡ 1 (mod n ).
The Chinese Reminder Theorem is an ancient but important calculation algorithm in modular
arithmetic. The Chinese Remainder Theorem enables one to solve simultaneous equations with
respect to different moduli in considerable generality.
Theorem
Let m1, …. mk be integers with gcd(mi, mj) = 1 whenever i ≠ j. Let m be the product m = m 1m2 …
mk. Let a1, …. ak be integers. Consider the system of congruences:
x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
…..
x ≡ ak (mod mk)
Then there exists exactly one x € Zm satisfying this system.
Example
Find the system of congruence for x ≡ 25 (mod 42)
Solution
A congruence x ≡ 25 (mod 42) can be written as:
x ≡ 25 + 42. k
x ≡ 25 + (6. 7) k
It can be written in two ways:
(i) x = 25 + 6 (7k)
x = 25 ≡ ? (mod 6)
25 = y + 6. k
Substitute k=4,
25 = y + 6. 4
25 = y + 24
Therefore, y=1
Now we write the congruence as x = 25 ≡ 1(mod 6)
(ii) x = 25 + 7 (6k)
x = 25 ≡ ? (mod 7)
25 = y + 7. k
Substitute k = 3,
25 = y + 7. 3
25 = y + 21
Therefore, y=4
Now we write the congruence as x = 25 ≡ 4(mod 7)
Prepared by P.Vasantha Kumari/IT 51
Cryptography and Network Security Unit I
Algorithm
We may solve the system as follows.
1. For each i = 1,… k, let zi = m/mi = m1 m2… mi-1 mi+1… mk.
2. For each i = 1, … k, let y i = zi-1 (mod mi). (Note that this is always possible because gcd(zi,
mi) = 1).
3. The solution to the system is x = a1y1z1 + … + akykzk.
Example
Use Chinese Remainder Theorem to find all solutions such that
x ≡ 3 (mod 4)
x ≡ 2 (mod 3)
x ≡ 4 (mod 5)
Given
Total number of congruences k = 3
All the congruences is in the form of
xi = ai (mod mi)
So, a1 = 3, a2 = 2, a3 = 4
m1 = 4, m2 = 3, m3 = 5
Solution
Step 1: Calculate m = m1. m2. m3 = 4 × 3 × 5 = 60
Step 2: zi = m/mi for all I = 1, 2, 3…
z1 = m / m1 = 60 / 4 = 15
z2 = m / m2 = 60 / 3 = 20
z3 = m / m3 = 60 / 5 = 12
Step 3: Calculate y such that zi yi ≡ 1 (mod mi)
15. y1 ≡ 1 (mod 4) …………….(1)
20. y2 ≡ 1 (mod 3) …………….(2)
Take (1)
15. y1 ≡ 1(mod 4)
15. y1 = 1 + 4. k
Substitute k = 11,
15. y1 = 1 + 4. 11
15. y1 = 45
Therefore y1 = 3
Take (2)
20. y2 ≡ 1(mod 3)
20. y2 = 1 + 3. k
Substitute k = 13,
20. y2 = 1 + 3. 13
20. y2 = 40
Therefore y2 = 2
Take (3)
12. y3 ≡ 1(mod 5)
12. y3 = 1 + 5. k
Substitute k = 7,
12. y3 = 1 + 5. 7
12. y3 = 36
Therefore y3 = 3
Step 4: x = a1y1z1 + a2y2z2 + a3y3z3
x = 3. 3. 15 + 2. 2. 20 + 4. 3. 12
x = 135 + 80 + 144
x = 359
x = 359 ≡ ? (mod m)
359 ≡ ? (mod 60)
359 = ? + 60. k
Substitute k = 5
359 = ? + 60. 5
359 = ? + 300
? = 59
The solution is
x ≡ 59 (mod 60)
Suppose we want to determine whether or not x2 ≡ a (mod p) has a solution, where p is prime. If
p is small, we could square all of the numbers mod p and see if a is on the list. When p is large,
this is impractical. If p ≡ 3 (mod 4), we can use the technique of the previous section and com
pute s ≡ a(p+1)/4 (mod p). If a has a square root, then s is one of them, so we simply have to square
a and see if we get a. If not, then a has no square root mod p. The following proposition gives a
method for deciding whether a is a square mod p that works for arbitrary odd p.
Proposition
Let p be an odd prime and let a be an integer with a ≠0 (mod p ). Then a(p-1)/2 ≡ ±1 (mod p). The
congruence x2 ≡ a (mod p) has a solution if and only = 1 (mod p).
Proof
Let y = a(p-1)/2 (mod p). Then y2 = ap-l ≡ 1 (mod p), by Fermat’s theorem. Therefore y ≡ ± 1 (mod
p).
If a ≡ x 2, then a(p-1/2) = xp-1 ≡ 1 (mod p). The hard part is showing the converse. Let g be a
primitive root mod p. Then a = gi for some j , If a(p-1/2) ≡ 1 (mod p), then
gj(p-1)/2 = a(p-1)/2 = 1 (mod p).
Proposition
Let n be odd,
A finite field is a field with a finite field order (i.e., number of elements), also called a Galois field.
The order of a finite field is always a prime or a power of a prime. For each prime power, there
exists exactly one (with the usual caveat that "exactly one" means "exactly one up to an
isomorphism") finite field GF( ), often written as in current usage.
GF( ) is called the prime field of order , and is the field of residue classes modulo , where the
elements are denoted 0, 1, ..., . in GF( ) means the same as . Note, however,
that in the ring of residues modulo 4, so 2 has no reciprocal, and the ring of
residues modulo 4 is distinct from the finite field with four elements. Finite fields are therefore
denoted GF( ), instead of GF( ), where , for clarity.
The finite field GF(2) consists of elements 0 and 1 which satisfy the following addition and
multiplication tables.
0 1
0 0 1
1 1 0
0 1
0 0 0
1 0 1
If a subset S of the elements of a finite field F satisfies the axioms above with the same operators
of F, then S is called a subfield. Finite fields are used extensively in the study of error-correcting
codes. When n > 1 , GF( ) can be represented as the field of equivalence classes of polynomials
whose coefficients belong to GF( ). Any irreducible polynomial of degree n yields the same field
Prepared by P.Vasantha Kumari/IT 56
Cryptography and Network Security Unit I
Now consider the following table which contains several different representations of the
elements of a finite field. The columns are the power, polynomial representation, triples of
polynomial representation coefficients (the vector representation), and the binary integer
corresponding to the vector representation (the regular representation).
The set of polynomials in the second column is closed under addition and multiplication modulo
, and these operations on the set satisfy the axioms of finite field. This particular finite
field is said to be an extension field of degree 3 of GF(2), written GF( ), and the field GF(2) is
called the base field of GF( ). If an irreducible polynomial generates all elements in this way, it is
called a primitive polynomial. For any prime or prime power q and any positive integer n, there
exists a primitive irreducible polynomial of degree n over GF( ).
For any element c of GF( ), cq = c, and for any nonzero element d of GF( ), dq-1 = 1. There is a
smallest positive integer n satisfying the sum condition
for some element e in GF( ). This number is called the field characteristic of the finite field GF( ).
The field characteristic is a prime number for every finite field, and it is true that
Continued fractions have a number of remarkable properties related to the Euclidean algorithm
for integers or real numbers. Every rational number p/q has two closely related expressions as a
finite continued fraction, whose coefficients ai can be determined by applying the Euclidean
algorithm to (p, q). The numerical value of an infinite continued fraction will be irrational; it is
defined from its infinite sequence of integers as the limit of a sequence of values for finite
continued fractions. Each finite continued fraction of the sequence is obtained by using a finite
prefix of the infinite continued fraction's defining sequence of integers. Moreover, every
irrational number α is the value of a unique infinite continued fraction, whose coefficients can be
found using the non-terminating version of the Euclidean algorithm applied to the
incommensurable values α and 1. This way of expressing real numbers (rational and irrational)
is called their continued fraction representation.
Prepared by P.Vasantha Kumari/IT 58
Cryptography and Network Security Unit I
It is generally assumed that the numerator of all of the fractions is 1. If arbitrary values and/or
functions are used in place of one or more of the numerators or the integers in the denominators,
the resulting expression is a generalized continued fraction. When it is necessary to distinguish
the first form from generalized continued fractions, the former may be called a simple or regular
continued fraction, or said to be in canonical form.
If the starting number is rational then this process exactly parallels the Euclidean algorithm. In
particular, it must terminate and produce a finite continued fraction representation of the
number. If the starting number is irrational then the process continues indefinitely. This
produces a sequence of approximations, all of which are rational numbers, and these converge to
the starting number as a limit. This is the (infinite) continued fraction representation of the
number. Examples of continued fraction representations of irrational numbers are:
√19 = [4;2,1,3,1,2,8,2,1,3,1,2,8,…] (sequence A010124 in OEIS). The pattern repeats
indefinitely with a period of 6.
e = [2;1,2,1,1,4,1,1,6,1,1,8,…] (sequence A003417 in OEIS). The pattern repeats
indefinitely with a period of 3 except that 2 is added to one of the terms in each cycle.
π = [3;7,15,1,292,1,1,1,2,1,3,1,…] (sequence A001203 in OEIS). The terms in this
representation are apparently random.
ϕ = [1;1,1,1,1,1,1,1,1,1,1,1,…] (sequence A000012 in OEIS). The golden ratio, the most
difficult irrational number to approximate rationally. See: A property of the golden ratio
φ.
Continued fractions are, in some ways, more "mathematically natural" representations of a real
number than other representations such as decimal representations, and they have several
desirable properties:
The continued fraction representation for a rational number is finite and only rational
numbers have finite representations. In contrast, the decimal representation of a rational
number may be finite, for example 137/1600 = 0.085625, or infinite with a repeating
cycle, for example 4/27 = 0.148148148148….
Every rational number has an essentially unique continued fraction representation. Each
rational can be represented in exactly two ways, since [a0;a1,… an−1,an] = [a0;a1,… an−1,
(an−1),1]. Usually the first, shorter one is chosen as the canonical representation.
The continued fraction representation of an irrational number is unique.
The real numbers whose continued fraction eventually repeats are precisely the quadratic
irrationals.[5] For example, the repeating continued fraction [1;1,1,1,…] is the golden ratio,
and the repeating continued fraction [1;2,2,2,…] is the square root of 2. In contrast, the
decimal representations of quadratic irrationals are apparently random. The square roots
of all (positive) integers, that are not perfect squares, are quadratic irrationals, hence are
unique periodic continued fractions.
The successive approximations generated in finding the continued fraction
representation of a number, i.e. by truncating the continued fraction representation, are
in a certain sense (described below) the "best possible".
Basic formula
A continued fraction is an expression of the form
where ai, and bi are either rational numbers, real numbers, or complex numbers. If b i = 1 for all i
the expression is called a simple continued fraction. If the expression contains a finite number of
terms it is called a finite continued fraction. If the expression contains an infinite number of
terms it is called an infinite continued fraction. Thus, all of the following illustrate valid finite
simple continued fractions:
or as
,
or in the notation of Pringsheim as
The semicolon in the square and angle bracket notations is sometimes replaced by a comma. [3][4]
One may also define infinite simple continued fractions as limits:
This limit exists for any choice of a0 and positive integers a1, a2, ... .