Block-01 Mathematical Preliminaries and Classical Ciphers
CRYPTOGRAPHY
School of Sciences
Block 1
MATHEMATICAL PRELIMINARIES AND CLASSICAL CIPHERS
UNIT 1 Finite Fields and Algorithms 9
UNIT 2 Number Theoretic Algorithms 33
UNIT 3 Classical Ciphers 53
‘Chapter 15, Implementation Issues’ of Prof. Nigel Smart’s Book, ‘Cryptography, an introduction.’
Curriculum Design Committee
Dr. B.D. Acharya, Dept. of Science & Technology, New Delhi
Prof. O.P. Gupta, Dept. of Financial Studies, University of Delhi
Prof. C. Musili, Dept. of Mathematics and Statistics, University of Hyderabad
Prof. Adimurthi, School of Mathematics, TIFR, Bangalore
Prof. S.D. Joshi, Dept. of Electrical Engineering, IIT, Delhi
Prof. Sankar Pal, ISI, Kolkata
Prof. A.P. Singh, PG Dept. of Mathematics, University of Jammu
Prof. Archana Aggarwal, CESP, School of Social Sciences, JNU, New Delhi
Dr. R. K. Khanna, Scientific Analysis Group, DRDO, Delhi
Faculty Members
Prof. R. B. Bapat, Indian Statistical Institute, New Delhi
Prof. M.C. Bhandari, Dept. of Mathematics, IIT, Kanpur
Prof. R. Bhatia, Indian Statistical Institute, New Delhi
Prof. A. D. Dharmadhikari, Dept. of Statistics, University of Pune
Prof. Susheel Kumar, Dept. of Management Studies, IIT, Delhi
Prof. Veni Madhavan, Scientific Analysis Group, DRDO, Delhi
Prof. J.C. Mishra, Dept. of Mathematics, IIT, Kharagpur
School of Sciences, IGNOU: Dr. Deepika, Prof. Poornima Mital, Dr. Atul Razdan, Prof. Parvin Sinclair, Prof. Sujatha Varma, Dr. S. Venkataraman
December 2010
©Indira Gandhi National Open University, 2010
ISBN:978-81-266-5088-0
All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any other means without written permission from
the Indira Gandhi National Open University.
Further information on the Indira Gandhi National Open University courses may be obtained from the University’s office at Maidan Garhi,
New Delhi-110 068.
Printed and Published on behalf of Indira Gandhi National Open University, New Delhi, by Director, School of Sciences.
COURSE INTRODUCTION
Till a few years after the end of the second world war, Cryptography was used only by
the governments. After the invention of computers and networking of computers
became possible, there was a change in the scenario. With the improvement in
communication technologies, it became easier to spy upon opponents. Through
wiretapping, it became possible to listen to telephone conversations. When microwaves
are used for communication, it is easier to listen to the communication without tapping
any wire. So, there was a widely felt need for communicating securely. With the advent
of the Internet, this has become more important, given the ease with which computer
networks can be tapped.
On the one hand, since computers are widely available, more and more entities have the
capability to use cryptography for secure storage and communication of valuable data.
On the other hand, because of the computing power available, some of the earlier
methods of cryptography have become obsolete. This has led to the invention of more
powerful methods in cryptography that can resist the attacks. In the invention of newer
and more secure methods, Mathematics has come to play an important role.
In this course, we will introduce you to cryptography. In the first block of this course
we will discuss some of the Mathematics required for the study of cryptography. We
will also discuss some classical ciphers in this block. These ciphers are classical in the
sense that they were used widely before the invention of computers.
The method used for transforming text is called a cipher. Transforming the text is
called encryption or enciphering and undoing the transformation is called decryption
or deciphering. Apart from the general method, in each instance of application of a
cipher, there is another ingredient called the key which is specific to that instance. In
the traditional methods, anyone who has access to the key can undo the transformation
performed and read the text. Such methods are called symmetric key cryptosystems
or private key cryptosystems. These cryptosystems are the objects of our study in the
second block.
One of the major drawbacks of the symmetric key cryptosystems is that the entities that
want to communicate with each other have to decide upon the keys before they can start
communicating. For this, they have to meet in person or exchange keys using a trusted
courier. This drawback was removed in the seventies due to a new kind of cryptosystem
invented by Diffie and Hellman. In this system, there are two different keys, one for
encryption and one for decryption, as opposed to the symmetric key cryptosystems
where the same key served both the purposes. The key for encryption can be made
public because, even if a person knows the encryption key, the person cannot find the
decryption key easily. For this reason, the cryptosystem invented by Diffie and Hellman is
known as a public key cryptosystem. These cryptosystems are the objects of study in
the third block of the course.
Apart from the material, the course also has a practical component. This practical
component is worth 1 credit. In this component, you are expected to write programs in
C language and in the package gp. The package gp is a freely available package for
doing number theory. You can download this package from
http://pari.math.u-bordeaux.fr/download.html. You will learn how
to use this package during your practical sessions. You may refer to the Programme
Guide for information regarding the conduct of practicals and the evaluation procedure
adopted in the practicals.
We hope you will enjoy studying this course. If you have any queries or suggestions,
please write to:
Some good references for further study are [2], [3], [7], [8], [13], [14], [15], [17]. The
book [11] is a good reference for the Mathematics and algorithms described in this
course. Of these books, [3], [8], [11] and [13] are available online. For all the other
books, Indian editions are available. In the case of [14] and [15] newer Indian
editions (fourth edition in the case of [14] and third edition in the case of [15]) are
available.
• The picture at the top left is that of the military version of the famous Enigma
machine used by the Germans in the Second World War. The source file is
available from http://commons.wikimedia.org/wiki/File:
Enigma_-_Military.jpg under Creative Commons Attribution-Share
Alike 3.0 Unported license and GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation.
• The picture on the top right is the schematic diagram of the Miyaguchi-Preneel
one-way compression function. This was redrawn based on the picture
http://en.wikipedia.org/wiki/File:
Miyaguchi-Preneel_hash.svg which is in the public domain.
• The picture at the bottom is that of a skytale. The source file is available from
http://commons.wikimedia.org/wiki/File:Skytale.png under
Creative Commons Attribution-Share Alike 3.0 Unported license and GNU Free
Documentation License, Version 1.2 or any later version published by the Free
Software Foundation.
• We also thank Prof. Nigel Smart for generously allowing printing and
reproducing material from his online book, subject to identifying clearly the
authorship.
The generosity of the copyright owners of the above mentioned images is gratefully
acknowledged.
BLOCK INTRODUCTION
This block is the introductory block of the Cryptography course. Till the middle of the
twentieth century, Cryptography didn’t use very sophisticated Mathematics. However,
this changed after the Second World War when computers became available. In
modern times cryptography uses sophisticated algebra in the design of cryptosystems.
The aim of this block is to introduce you to the Mathematics that is required for
cryptography.
In the first Unit of this block, we introduce you to finite fields and some algorithms in
the finite fields that are used in Cryptography. You have already studied finite fields in
MMT-003, but in this Unit, the viewpoint is algorithmic. Apart from this, we will also
discuss some topics from finite fields that are not usually covered in standard algebra
courses.
In the second Unit of this block, we introduce you to number theoretic algorithms that
are required in the study of cryptography. You have already studied congruences and
some number theoretic algorithms in the Unit 6 of MMT-003. Here, you will study
some more algorithms that are useful in cryptography.
In the third Unit of this block, we will introduce you to some classical ciphers that were
used for encryption before the invention of computers. While these ciphers are no
longer widely used, we have discussed them to provide an introduction because these
ciphers are particularly simple. These ciphers are helpful in introducing the language
and general principles of Cryptography.
We have also reproduced Chapter 15 of Prof. Nigel Smart’s book at the end of the
block. Please note that, this is intended only as a reference for practicals and you will
not be examined on this part in your term end examination.
NOTATION & SYMBOLS
Z          Set of integers
R[x]       Polynomial ring over a commutative ring R.
F[x]       Polynomial ring over a field F.
deg f(x)   Degree of the polynomial f(x)
Q          Field of rational numbers
R          Field of real numbers
C          Field of complex numbers
Z_n        Integers modulo n
f ≡ g      f is congruent to g
[E : F]    Dimension of the field E over its subfield F.
F_q        Finite field with q elements
R*         The group of invertible elements in R \ {0}, where R is a commutative ring.
m | n      m divides n
m ∤ n      m does not divide n
c(n, i)    Number of ways of choosing i objects from n objects when the order of selection is immaterial.
P          Plaintext space
C          Cryptotext space
K          Key space
UNIT 1 FINITE FIELDS AND ALGORITHMS
Structure Page No.
1.1 Introduction 9
Objectives
1.2 Basic Concepts From Algebra 9
1.3 Basic Concepts of Finite Fields And Their Construction 17
1.4 Basic Algorithms for Finite Fields 20
1.5 Summary 27
1.6 Solutions/Answers 28
1.1 INTRODUCTION
In this unit, we are going to discuss some results related to finite fields that we need in
some of the later units. We will use some basic facts that you must have learnt in your
degree classes about integral domains in general and polynomial rings in particular. We
will also use some basic facts about finite fields that you have learnt in the course
MMT-003, Algebra. In Sec. 1.2, we recall some of the results proved in your degree
classes on polynomial rings. In Sec. 1.3, we will discuss finite fields, their construction
in particular and some algorithms for arithmetic in finite fields.
Objectives
After studying this unit, you should be able to
• explain the construction of finite fields;
• explain the extended Euclidean algorithm for polynomials;
• define the order of an irreducible polynomial over a finite field;
• define a primitive polynomial over a finite field;
• describe an algorithm for multiplying and dividing elements in a finite field using the shift and multiply approach;
• describe an algorithm for multiplying and dividing elements in a finite field using discrete logarithms and antilogarithms.
1.2 BASIC CONCEPTS FROM ALGEBRA
You would have studied the ring of polynomials in your degree class. In this section, we briefly recall some of the definitions and results regarding polynomials. Our aim is to establish the notations and conventions for the rest of the course. We then discuss some basic facts from fields. In the final part of the section, we will briefly recall basic facts about finite fields. Our discussion in this section is based on Chapter 2 of [8].
Definition 1: Let R be a commutative ring. A polynomial in the indeterminate x over the ring R is an expression of the form
f(x) = a_0 + a_1 x + · · · + a_n x^n
• The largest integer m for which a_m ≠ 0 is called the degree of f(x), denoted deg f(x) or simply deg f; a_m is called the leading coefficient of f(x).
• If all the coefficients of f(x) are 0, then f(x) is called the zero polynomial and its degree is defined to be −∞.
Definition 2: If R is a commutative ring, we denote the ring formed by the set of all
polynomials under addition and multiplication of polynomials with coefficients in R by
R[x].
The polynomial ring F[x] has many properties in common with the integers; in particular, F[x] and Z are both Euclidean domains.
Theorem 1: Let
f(x) = a_0 + a_1 x + · · · + a_n x^n
and
g(x) = b_0 + b_1 x + · · · + b_m x^m
be two elements of F[x], with a_n and b_m both non-zero elements of F and m > 0. Then there are unique polynomials q(x) and r(x) in F[x] such that
Definition 3: Let f(x) ∈ F[x] be a polynomial and suppose f(a) = 0 for some a ∈ E
where E is a field containing F, then we say that a is a zero of the polynomial f(x) or a
is a root of the equation f(x) = 0.
where q(x) and r(x) are as in Theorem 1. Then, we say that g(x) divides f(x), written as g(x) | f(x), if r(x) = 0.
Theorem 2: A non-zero polynomial f(x) ∈ F[x] has at most deg f zeros.
Proof: We prove the assertion by induction on n = deg f(x). For n = 0, the assertion holds because f ∈ F and f ≠ 0. Let n > 0. If f has no zeros, then the assertion is true. If f has a zero a, then by Corollary 1 of Theorem 1, we have f(x) = (x − a)q(x), where deg q(x) = n − 1. If a′ ≠ a is also a zero of f(x), then 0 = f(a′) = (a′ − a)q(a′). Since we are working in a field and a ≠ a′, we have q(a′) = 0. So, a′ is a zero of q(x). By the induction hypothesis, q(x) has at most n − 1 zeros. So, the number of zeros a′ of f(x) with a′ ≠ a is at most n − 1. Therefore, f(x) has at most n zeros.
In other words, f(x) is irreducible over F if it cannot be written as the product of two
polynomials in F[x], each of positive degree. We also say that a polynomial is
reducible over F if it is not irreducible over F.
Irreducibility depends on the field. A polynomial f(x) may be irreducible over F, but
may not be irreducible if viewed over a larger field E containing F. Let us look at an
example.
∗∗∗
The problem of determining whether a polynomial f(x) ∈ F[x] is irreducible over F may
be difficult in general. But in some cases, we have easy ways of doing this. In your
degree class you have studied the Eisenstein Criterion which gives a sufficient
condition for a polynomial over Q to be irreducible. We have a necessary and
sufficient condition for a polynomial of degree at most three to be irreducible. We first
discuss an example to motivate the condition.
∗∗∗
This test for irreducibility by finding zeros works nicely for quadratic and cubic
polynomials over a finite field with a small number of elements. This technique is an
illustration of the next theorem.
Theorem 3: Let f(x) ∈ F[x], and let f(x) be of degree 2 or 3. Then f(x) is irreducible over F if and only if it has no zeros in F.
Proof: Suppose f(x) is reducible so that f(x) = g(x)h(x), where the degree of g(x) and the degree of h(x) are both less than the degree of f(x). Since f(x) is either quadratic or cubic, either g(x) or h(x) is of degree 1. If, say, g(x) is of degree 1, then except for a possible factor in F, g(x) is of the form x − a. Then g(a) = 0, which implies that f(a) = 0, so f(x) has a zero in F.
∗∗∗
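The zero test of Theorem 3, and the two remarks around it, can be checked mechanically. The following is an added example and not part of the IGNOU text; polynomials over Z_p are stored as coefficient lists [a_0, a_1, ..., a_n] and the function names are this example's own. It shows that irreducibility depends on the field (x^2 + 1 has no zero in Z_3, but factors over Z_2 and Z_5), and that the test cannot be pushed beyond degree 3: x^4 + x^2 + 1 = (x^2 + x + 1)^2 over Z_2 has no zero in Z_2 yet is reducible.

```python
# Added example: Theorem 3 (irreducibility of degree 2 or 3 polynomials over Z_p)
# as a computation. Not from the IGNOU text; polynomials are coefficient lists
# [a0, a1, ..., an] over Z_p and all function names are this example's own.


def eval_mod_p(poly, a, p):
    """Evaluate poly at a in Z_p using Horner's rule."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * a + coeff) % p
    return acc


def degree(poly, p):
    """Degree of poly over Z_p; -1 stands for the zero polynomial (the text's -infinity)."""
    d = len(poly) - 1
    while d >= 0 and poly[d] % p == 0:
        d -= 1
    return d


def zeros_in_zp(poly, p):
    """Every a in Z_p with poly(a) = 0, found by trying all p residues (fine for small p)."""
    return [a for a in range(p) if eval_mod_p(poly, a, p) == 0]


def irreducible_deg2_or_3(poly, p):
    """Theorem 3: a polynomial of degree 2 or 3 is irreducible over Z_p iff it has no zero in Z_p."""
    if degree(poly, p) not in (2, 3):
        raise ValueError("Theorem 3 applies only to polynomials of degree 2 or 3")
    return zeros_in_zp(poly, p) == []


def mul_mod_p(a, b, p):
    """Product of two coefficient lists over Z_p (used here only to build the degree-4 caveat)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def demo():
    """Irreducibility of x^2 + 1 over Z_2, Z_3, Z_5, plus the degree-4 caveat."""
    x2_plus_1 = [1, 0, 1]
    report = {p: irreducible_deg2_or_3(x2_plus_1, p) for p in (2, 3, 5)}
    # x^4 + x^2 + 1 = (x^2 + x + 1)^2 over Z_2 is reducible, yet it has no zero in Z_2,
    # so the zero test of Theorem 3 says nothing about degree 4 and above.
    square = mul_mod_p([1, 1, 1], [1, 1, 1], 2)
    return report, square, zeros_in_zp(square, 2)


if __name__ == "__main__":
    report, square, zs = demo()
    print("x^2 + 1 irreducible over Z_p?", report)          # {2: False, 3: True, 5: False}
    print("(x^2+x+1)^2 over Z_2 =", square, "zeros:", zs)   # [1, 0, 1, 0, 1] zeros: []
```

The brute-force zero search is only sensible for small p; the point of the block is the logic of Theorem 3, not an efficient irreducibility test for large fields.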
In your degree classes you would have learnt the following corollary to Theorem 1.
Corollary 2: Let F be a field. Then, the polynomial ring F[x] is a principal ideal domain (PID) and therefore a Unique Factorisation Domain. Since every irreducible element is a prime element in F[x], any polynomial in F[x] can be written in a unique manner, up to units, as a product of irreducible polynomials in F[x].
Since F[x] is a PID, every irreducible element is a prime element and we can define the concept of greatest common divisor of two elements. Similar to Z, we have the following result:
Proposition 1: If f(x), g(x) ∈ F[x] and h(x) is the gcd of f(x) and g(x), there are polynomials q(x) and r(x) ∈ F[x] such that
You have already seen the extended Euclidean algorithm for integers in MMT-003. We have also discussed a recursive version of this algorithm in MMTE-002. The algorithm for polynomials is analogous. We will discuss an iterative version of the algorithm. In our discussion we use a notation that is slightly different from the one we used in MMT-003. Recall that in the usual Euclidean Algorithm, to find the gcd h(x) of f, g, deg(f) > deg(g), we carry out a series of divisions
we need to do some more work. Note that, if t_1(x) = 0, since g(x) is the gcd, we can take q(x) = 0 and r(x) = 1. So, let us now suppose that t_k(x) = 0 for some k ≥ 2 and we want to write t_{k−1}(x) as a linear combination
In particular, we will get an expression of the form q(x)f(x) + r(x)g(x) for t_{k−1}(x) also. Let us write q_1(x) = 1 and r_1(x) = −s_1(x) so that we get t_1(x) = q_1(x)f(x) + r_1(x)g(x). Again, from g(x) = t_1(x)s_2(x) + t_2(x) and Eqn. (2), we get
where we write q_2(x) = −s_2(x) and r_2(x) = 1 + s_1(x)s_2(x). So, we have
q_1(x) = 1,        r_1(x) = −s_1(x),
q_2(x) = −s_2(x),  r_2(x) = 1 + s_1(x)s_2(x).                                   (3)
Suppose, for i ≥ 2, we have found q_{i−1}(x), r_{i−1}(x), q_i(x) and r_i(x), i.e. we have
and write the next division as
t_{i−1}(x) = t_i(x)s_{i+1}(x) + t_{i+1}(x)
So, we have
So, if we take
q_{i+1}(x) = q_{i−1}(x) − q_i(x)s_{i+1}(x) and r_{i+1}(x) = r_{i−1}(x) − r_i(x)s_{i+1}(x)      (8)
Note that, Eqn. (7) and Eqn. (8) help us find t_{i+1}(x), q_{i+1}(x) and r_{i+1}(x) if we know t_i(x), t_{i−1}(x), q_i(x), q_{i−1}(x), r_{i−1}(x) and r_i(x). These relations form the core of Algorithm 1.
For two polynomials f(x), g(x) ∈ F[x], let us write f(x) div g(x) for the quotient on dividing f(x) by g(x). For example, if f(x) = x^2 + 1 and g(x) = x are in Z_2[x], we have f(x) = xg(x) + 1, so f(x) div g(x) is x. Note that, in Algorithm 1, the variables Q1(x), Q2(x) and Q3(x) store three successive values q_{i−1}(x), q_i(x) and q_{i+1}(x). Similarly, R1(x), R2(x) and R3(x) (resp. T1(x), T2(x) and T3(x)) store three successive values r_{i−1}(x), r_i(x) and r_{i+1}(x) (resp. t_{i−1}(x), t_i(x) and t_{i+1}(x)). The variable S(x) stores the value of s_{i+1}(x).
To start the algorithm, we need two sets of values of Q, R and T so that we can get the third value by using the formulae
We choose the following values: Q1(x) = 1, R1(x) = 0, T1(x) = f(x) and Q2(x) = 0, R2(x) = 1, T2(x) = g(x). We leave it to you as an exercise to check that these initial values are meaningful and the algorithm works correctly. Let us now look at an example to understand Algorithm 1.
First iteration
We have T1(x) = xT2(x) + x^3 + x^2 + 1, so S(x) = x. After the execution of the fifth line of the algorithm, we have Q3(x) = Q1(x) − S(x)Q2(x) = 1 − x · 0 = 1 and R3(x) = R1(x) − S(x)R2(x) = 0 − x · 1 = −x.
After the execution of the seventh and eighth lines of the algorithm, we have
Q1(x) ← Q2(x) = 0, R1(x) ← R2(x) = 1, T1(x) ← T2(x) = g(x),
Q2(x) ← Q3(x) = 1, R2(x) ← R3(x) = −x, T2(x) ← T3(x) = x^3 + x^2 + 1.
Second iteration
We find that
S(x) = T1(x) div T2(x) = g(x) div (x^3 + x^2 + 1) = x^3 + x + 1,
and
Q3(x) = Q1(x) − S(x)Q2(x) = 0 − (x^3 + x + 1) · 1 = −(x^3 + x + 1).
So, after lines 7 and 8 are evaluated the values will be
Since T2(x) = 0, the loop will not be evaluated again and the algorithm will return the values T1(x) = x^3 + x^2 + 1, Q1(x) = 1 and R1(x) = −x. So, the gcd of f(x) and g(x) is x^3 + x^2 + 1 and f(x) − xg(x) = x^3 + x^2 + 1.
∗∗∗
Remark 1: Note that, we have given an elaborate explanation in Example 4 to help you
understand Algorithm 1. When we do the computation manually, we can easily dispose
of the cases g(x) = 0 and g(x) | f(x). We then use Eqn. (3) together with Eqn. (7) and
Eqn. (8) to carry out our computation.
E3) Check that the initial values that we have chosen are correct and the algorithm
works correctly.
E4) Let f(x) = x^5 + x^4 + x^3 + 2x + 2 and g(x) = x^4 + 1 be polynomials in Z_3[x]. Find their gcd h(x) and Q(x), R(x) such that Q(x)f(x) + R(x)g(x) = h(x) using Algorithm 1.
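The iterative algorithm described above, written out in full so that the initial values, the window of three successive Q, R and T values and the update rules (7) and (8) can be run on concrete input. This is an added example and not the text's own Algorithm 1 listing; polynomials over Z_p are coefficient lists [a_0, a_1, ..., a_n], division with remainder (Theorem 1) is implemented directly, the gcd is returned monic, and all function names are this example's own. The main block runs it on the polynomials of exercise E4.

```python
# Added example: the iterative extended Euclidean algorithm for polynomials over
# Z_p, written along the lines of the text's Algorithm 1 (variables Q1..Q3, R1..R3,
# T1..T3, S and the initial values chosen in the text). Not from the IGNOU text;
# coefficient lists [a0, a1, ..., an] and all names are this example's own.


def trim(poly, p):
    """Reduce coefficients mod p and drop leading zeros; the zero polynomial is [0]."""
    poly = [c % p for c in poly]
    while len(poly) > 1 and poly[-1] == 0:
        poly.pop()
    return poly


def degree(poly):
    """Degree of a trimmed polynomial; -1 for the zero polynomial."""
    return -1 if poly == [0] else len(poly) - 1


def add(a, b, p):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return trim([x + y for x, y in zip(a, b)], p)


def sub(a, b, p):
    return add(a, [-c for c in b], p)


def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out, p)


def divmod_p(f, g, p):
    """Theorem 1 (division with remainder): return (q, r) with f = q g + r and deg r < deg g."""
    f, g = trim(f, p), trim(g, p)
    if g == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)            # inverse of the leading coefficient in Z_p
    q = [0] * max(1, degree(f) - degree(g) + 1)
    r = f
    while degree(r) >= degree(g):
        shift = degree(r) - degree(g)       # cancel the leading term of r with coef * x^shift * g
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        r = trim([r[k] - (coef * g[k - shift] if 0 <= k - shift < len(g) else 0)
                  for k in range(len(r))], p)
    return trim(q, p), r


def extended_euclid(f, g, p):
    """Return (h, Q, R) with Q f + R g = h = gcd(f, g), h monic (the text's Algorithm 1).

    Invariant kept by every iteration: Q1 f + R1 g = T1 and Q2 f + R2 g = T2.
    """
    Q1, R1, T1 = [1], [0], trim(f, p)       # initial values chosen in the text
    Q2, R2, T2 = [0], [1], trim(g, p)
    if T1 == [0] and T2 == [0]:
        raise ValueError("gcd(0, 0) is undefined")
    while T2 != [0]:
        S, T3 = divmod_p(T1, T2, p)         # S = T1 div T2, T3 = T1 - S T2   (Eqn. (7))
        Q3 = sub(Q1, mul(S, Q2, p), p)      # Q3 = Q1 - S Q2                   (Eqn. (8))
        R3 = sub(R1, mul(S, R2, p), p)      # R3 = R1 - S R2
        Q1, R1, T1 = Q2, R2, T2             # lines 7 and 8 of Algorithm 1: slide the window
        Q2, R2, T2 = Q3, R3, T3
    inv = pow(T1[-1], -1, p)                # normalise so that the returned gcd is monic
    return tuple(trim([c * inv for c in poly], p) for poly in (T1, Q1, R1))


def bezout_holds(f, g, p):
    """Independent check that Q f + R g really equals h for the triple returned above."""
    h, Q, R = extended_euclid(f, g, p)
    return add(mul(Q, f, p), mul(R, g, p), p) == h


if __name__ == "__main__":
    # Exercise E4 of the text: f = x^5 + x^4 + x^3 + 2x + 2, g = x^4 + 1 in Z_3[x].
    f, g = [2, 2, 0, 1, 1, 1], [1, 0, 0, 0, 1]
    print(extended_euclid(f, g, 3))         # ([2, 1, 1], [0, 1], [2, 2, 2]): h = x^2 + x + 2
    print(bezout_holds(f, g, 3))            # True
```

Because the gcd is only defined up to a unit, the block divides T1, Q1 and R1 by the leading coefficient of T1 at the end; the Bézout identity is unaffected by scaling all three by the same constant.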
Let f(x) be a fixed polynomial in F[x] of degree n. We have the quotient ring F[x]/(f(x)), where (f(x)) denotes the ideal in F[x] generated by f(x). Let us see what the elements of this ring are.
As with integers, one can define congruences of polynomials in F[x] based on division
by f(x).
Definition 6: If g(x), h(x) ∈ F[x], then g(x) is said to be congruent to h(x) modulo f(x) if f(x) divides g(x) − h(x). This is denoted by g(x) ≡ h(x) (mod f(x)).
Note that ‘congruent to’ is an equivalence relation on F[x] and the equivalence classes are precisely the cosets h(x) + (f(x)). In other words, note that h(x) ≡ g(x) (mod f(x)) if and only if h(x) + (f(x)) = g(x) + (f(x)). As in the case of integers, the canonical ring homomorphism φ : F[x] −→ F[x]/(f(x)) gives us a way of translating congruences between two elements h(x) and g(x) to a statement regarding the elements h(x) and g(x) ∈ F[x]/(f(x)).
Just as in the case of integer congruences, if g(x) ≡ g_1(x) (mod f(x)), and h(x) ≡ h_1(x) (mod f(x)), then
g(x) + h(x) ≡ g_1(x) + h_1(x) (mod f(x)), and g(x)h(x) ≡ g_1(x)h_1(x) (mod f(x)).
If g(x) ∈ F[x], then by Theorem 1, there exist unique polynomials q(x), r(x) ∈ F[x] such that g(x) = q(x)f(x) + r(x), where deg r(x) < n. So, every polynomial g(x) ∈ F[x] satisfies g(x) ≡ r(x) (mod f(x)) for some r(x) ∈ F[x] of degree ≤ n − 1. If g(x) ≡ r_1(x) (mod f(x)) and g(x) ≡ r_2(x) (mod f(x)) for some polynomials r_1(x), r_2(x) of degree ≤ n − 1, then r_1(x) ≡ r_2(x) (mod f(x)), i.e. f(x) | (r_1(x) − r_2(x)). Since both r_1(x) and r_2(x) have degree less than n, r_1(x) − r_2(x) is of degree less than n. So, f(x) can divide r_1(x) − r_2(x) only if r_1(x) − r_2(x) = 0. Hence, every polynomial g(x) is congruent modulo f(x) to a unique polynomial r(x) of degree less than n. We will generally use the polynomial r(x) as the representative of the equivalence class (or coset) of polynomials containing g(x).
(Recall that, in Z_n, we usually use the unique smallest positive integer in a residue class to represent that class.)
∗∗∗
We conclude this section here. In the next section, we will discuss finite fields.
1.3 BASIC CONCEPTS OF FINITE FIELDS AND THEIR CONSTRUCTION
In this section, we will discuss some basic facts about finite fields. In particular, we will see how to construct finite fields. Such constructions have applications in cryptography.
Definition 9: A finite field is a field F which contains a finite number of elements. The order of F is the number of elements in F.
We usually denote a finite field with q elements by F_q. We will deviate from this convention sometimes when q is a prime and instead write Z_p for a finite field with p elements.
The ring Z_m is a field if and only if m is a prime. To see this, we recall that the residue class a is invertible in Z_m if and only if gcd(a, m) = 1. Thus the ring Z_m is a field if and only if gcd(k, m) = 1 for all k with 1 ≤ k < m. This is true if and only if m is a prime number.
We have 1 + 1 + · · · + 1 (p times) = p = 0 in Z_p. So, the characteristic of Z_p is p.
∗∗∗
We shall state without proof the following theorem regarding finite fields, which is Theorem 6.4 on page 510 of Artin’s Algebra.
Theorem 6: Let p be a prime and q = p^r be a power of p, with r ≥ 1.
a) There exists a field of order q.
b) Any two fields of order q are isomorphic.
c) Let K be a finite field with q elements and suppose that K ⊂ F where F is also a finite field. Then F has q^n elements where n = [F : K].
d) Let K be a field of order q. The multiplicative group K* of nonzero elements of K is a cyclic group of order q − 1.
e) The elements of K are roots of the polynomial x^q − x. This polynomial has distinct roots and it factors into linear factors in K.
f) Every irreducible polynomial of degree r in Z_p[x] is a factor of x^q − x. The irreducible factors of x^q − x in Z_p[x] are precisely the irreducible polynomials in Z_p[x] whose degree divides r.
g) A field K of order q contains a subfield of order q′ = p^k if and only if k | r.
While Theorem 6 guarantees that there is a field of order q = p^n for every prime p and positive integer n > 1, we would like to explicitly construct such a field in our applications. We will now describe the method for constructing such a field.
Let us take Z_p, where p is a prime. We will construct the elements of a finite field with p^n elements as residue classes modulo the irreducible polynomial f(x) of degree n in Z_p[x]. Consider the ring Z_p[x]/(f(x)). As we discussed before, we can represent each coset of Z_p[x]/(f(x)) by a polynomial of degree ≤ n − 1. Any polynomial of degree ≤ n − 1 is of the form a_0 + a_1 x + · · · + a_{n−1} x^{n−1} and it is completely determined by the coefficients a_0, a_1, . . . , a_{n−1}. There are p choices for each of the a_i, 0 ≤ i ≤ n − 1, so there are p^n polynomials of degree ≤ n − 1. As we saw in the discussion before Theorem 4, every polynomial is congruent (mod f(x)) to a unique polynomial of degree ≤ n − 1. So, there are exactly p^n elements in Z_p[x]/(f(x)).
(Here f(x) = x^2 + x + 1 ∈ Z_2[x].) The residue classes modulo f are the residue classes of the polynomials 0, 1, x and x^2 ≡ x + 1 (mod f(x)). We denote by α the residue class x + (f(x)). In Table 1 and Table 2 we present the addition and multiplication tables of the residue classes. Note that α is a zero of f in F_4, that is α^2 + α + 1 = 0.
   +   |  0     1     α     α+1
  -----+-------------------------
   0   |  0     1     α     α+1
   1   |  1     0     α+1   α
   α   |  α     α+1   0     1
  α+1  |  α+1   α     1     0
Table 1: Addition in F_4
   ∗   |  1     α     α+1
  -----+-------------------
   1   |  1     α     α+1
   α   |  α     α+1   1
  α+1  |  α+1   1     α
Table 2: Multiplication in F_4
The residue class ring mod f is a field since the non-zero residue classes mod f have a multiplicative inverse.
∗∗∗
Notice that in Example 8, the element i that we adjoined is not a generator of F_9^*, since it has order 4 rather than q − 1 = 8. If, however, we adjoin a root α of x^2 − x − 1, we can get all non-zero elements of F_9 by taking the successive powers of α (remember that α^2 must always be replaced by α + 1, since α satisfies x^2 = x + 1): α^1 = α, α^2 = α + 1, α^3 = −α + 1, α^4 = −1, α^5 = −α, α^6 = −α − 1, α^7 = α − 1, α^8 = 1.
Definition 11: An element γ ∈ F_q^* is called a primitive element of F_q if γ generates the group F_q^*.
Definition 12: Suppose K ⊂ F are finite fields. The minimal polynomial of α ∈ F over K is the monic polynomial of the smallest degree satisfied by α over K.
Let us see why the definition of the order of an irreducible polynomial makes sense, i.e. why there should be a positive integer e such that f(x) | x^e − 1. Let α be a root of an irreducible polynomial f(x) of degree m ≥ 1 where f(0) ≠ 0. We have α ∈ F_{q^m} and so α satisfies the polynomial x^{q^m − 1} − 1. So, f(x), being the minimal polynomial of α, has to divide x^{q^m − 1} − 1. Since the set {n ∈ N | f(x) | x^n − 1} is non-empty, it has a minimum.
Here is a characterisation, without proof, of a primitive polynomial in terms of its order.
We have seen that we can construct a finite field with p^n elements using an irreducible polynomial of degree n. How do we find such a polynomial? We will discuss this in the next section. We will also discuss some basic algorithms for performing arithmetic in finite fields.
1.4 BASIC ALGORITHMS FOR FINITE FIELDS
In this section we will discuss some algorithms for carrying out basic operations in finite fields. Our discussion in this section is introductory in nature. See Chapter 15 of [13] (reproduced at the end of the block with the kind permission of Prof. Smart) for a more detailed discussion. See also Chapter 2 of [5] for more details and the references mentioned there. The second chapter of [5] is available for download from the Springer webpage for the book.
Let us suppose that f(x) ∈ Z_p[x] is an irreducible polynomial of degree n and that K = Z_p[x]/(f(x)). Addition and subtraction in K are fairly straightforward. If g_1(x) + (f(x)) and g_2(x) + (f(x)) are two elements of K, where g_1(x) and g_2(x) are polynomials of degree ≤ n − 1, we simply add g_1(x) and g_2(x) to get a polynomial g_3(x). The sum of g_1(x) + (f(x)) and g_2(x) + (f(x)) is g_3(x) + (f(x)). We can represent an element a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a_0 + (f(x)) in K = Z_p[x]/(f(x)) by an array of integers [ a_{n−1} a_{n−2} · · · a_0 ] of length n. To add two elements in K, we simply add the corresponding cells of the arrays representing the elements mod p.
Let us now consider multiplication. First, let us consider a simple case, where one of the factors in the multiplication is x + (f(x)). Suppose we want to multiply c = 2x + 1 + (f(x)) by d = x + (f(x)). Multiplying 2x + 1 and x, we get 2x^2 + x. So, cd = 2x^2 + x + (f(x)). Let us understand what is happening in terms of the array representation. The array representation of c = 2x + 1 + (f(x)) is [ 0 2 1 ] and the array representation of cd is [ 2 1 0 ]. So, we can obtain the array representation of cd by shifting the entries of the array corresponding to c to the left by one cell and filling the vacant rightmost cell with 0. In this case, the leftmost cell contained zero. What happens if this is not the case?
cd = 2x^3 + x^2 + x + (f(x))
   = 2x^3 + x^2 + x − 2f(x) + (f(x))
   = 2x^3 + x^2 + x − 2(x^3 − x^2 + 1) + (f(x))
   = x + 1 + (f(x))
[ 1 0 2 ]                                                             (13)
2) Take the array [ 2 1 1 ] representing c and shift the elements in the array to the left. We fill up the vacant slot on the extreme right with 0 and the leftmost coefficient, the coefficient of x^2, is shifted out of the array. We get the following array
[ 1 1 0 ]                                                             (14)
3) Then, the array corresponding to cx is the array obtained by subtracting from each element in the array in Eqn. (14), the corresponding element in the array in Eqn. (13). So, the array we get is [ 0 1 1 ] and this represents the element x + 1 + (f(x)).
∗∗∗
More generally, if c = a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a_0 with a_{n−1} = 0 and d = x + (f(x)), then cd = a_{n−2} x^{n−1} + a_{n−3} x^{n−2} + · · · + a_1 x^2 + a_0 x. So, we can get the array representation of cd by shifting the cells in the array to the left by one cell and filling the vacant cell by zero. So, if c is represented by the array [ a_{n−1} a_{n−2} · · · a_0 ], then cd is represented by the array [ a_{n−2} a_{n−3} · · · a_0 0 ].
2) We take the array [ a_{n−1} a_{n−2} · · · a_0 ] corresponding to c and shift the elements of this array to the left by one cell to get
where we repeatedly apply the method that we have found for multiplying a general element of K by x + (f(x)). Let us look at an example to understand this.
[ 2 0 1 ]                                                             (19)
[ 2 1 0 ].                                                            (20)
We subtract from each element in the array in Eqn. (20), the corresponding element in the array in Eqn. (19) to get
xc = [ 2 − 2   1 − 0   0 − 1 ] = [ 0 1 2 ]                            (21)
∴ b_1 xc = B[1]xc = xc = [ 0 1 2 ]                                    (22)
We add the values in the cells of b_1 xc to the corresponding cells in P to get
P = [ 2 2 1 ].
Next, we find b_2 x^2 c. We already know that the array representing xc is Eqn. (21), so we have to multiply the element corresponding to this array by x again. In the array corresponding to xc, the leftmost cell contains 0, so to multiply xc by x, we only have to shift the elements in the cells in Eqn. (21). So, the array corresponding to x^2 c is [ 1 2 0 ]. So, b_2 x^2 c is represented by the array [ 2 1 0 ]. We add the values in the cells of the array corresponding to b_2 x^2 c to the corresponding cells in P to get P = [ 1 0 1 ]. So, cd = x^2 + 1 + (f(x)). Check this by multiplying x^2 + 2x + 1 and 2x^2 + x + 2 in Z_3[x] and dividing the product by the polynomial x^3 + 2x^2 + 1. The remainder will be x^2 + 1.
∗∗∗
Algorithm 2 Algorithm for Multiplication in Finite Fields.
1: procedure A LGORITHM FOR M ULTIPLICATION IN F INITE F IELDS . (A,B,C) . A
and B are, respectively, the array representations of the elements c = g1 (x) + (f(x))
Z [x]
p
and d = g2 (x) + (f(x)) in (f(x)) and the array C contains the all the coefficients of
f(x) except of the highest degree term, which is assumed to be 1. The procedure
p Z [x]
returns the product of two elements g1 (x) + (f(x)) and g2 (x) + (f(x)) in (f(x)) .
2: for i = 0 to n − 1 do . Initialise the values of the cells of P to 0.
3: P[i] ← 0
4: end for
5: for i = 0 to n − 1 do . Calculate b0 c.
6: P[i] ← A[i]B[0]
7: end for
8: for i = 0 to n − 1 do . Initialise the value of T to x0 c = c.
9: T[i] ← A[i]
10: end for
11: for i = 1 to n − 1 do
. Calculation of xi c
12: h ← T[n − 1] . Save the value of T[n − 1] in h.
13: for j = 0 to n − 2 do . Shift the entry in each cell in T to its left neighbour.
14: T[j + 1] ← T[j]
15: end for
16: T[0] ← 0
17: if h ≠ 0 then
18: for j = 0 to n − 1 do
19: T[j] ← T[j] − hC[j]
20: end for
21: end if . Calculation of xi c ends. T holds the value of xi c.
22: for j = 0 to n − 1 do . Calculate b_i c x^i + (f(x)) + ∑_{k=0}^{i−1} c b_k x^k + (f(x)).
23: P[j] = B[j]T[j] + P[j]
24: end for
25: end for
26: return P.
27: end procedure
Algorithm 2 multiplies two elements in a finite field K = Zp [x]/(f(x)). We use arrays of size n
to represent the elements of K, where n is the degree of the irreducible polynomial f(x).
The cells of the arrays used are numbered from right to left with the rightmost cell
numbered 0 and the leftmost cell numbered n − 1. As usual, for any array X, X[i] will
denote the contents of the ith cell. As before, let us suppose that
c = an−1 xn−1 +an−2 xn−2 +· · ·+a0 +(f(x)) and d = bn−1 xn−1 +bn−2 xn−2 +· · ·+b0 +(f(x)).
In the algorithm, the elements c = g1 (x) + (f(x)) and d = g2 (x) + (f(x)) are represented
by arrays A and B of length n. The array C is the array αn−1 αn−2 · · · α0 . This
array contains all the coefficients of the polynomial
except the highest degree term. The array T holds the values xi c for different values i
during the evaluation of the loop in lines 11 to 25.
Note that, multiplication by x is very simple in the case p = 2. Suppose g(x) + (f(x)) is
represented by the array A of size n. To find xg(x), we first check if A[n − 1] = 0. If
A[n − 1] = 0, we simply perform a left shift. If A[n − 1] = 1, we perform a left shift and
XOR the value in each cell of the resulting array with corresponding cell of the array C
containing the coefficients of f.
Let us now discuss division. Suppose we want to find α/β . We find β −1 and then find
the product αβ −1 . Suppose β = g(x) + (f(x)). Since deg g(x) < deg f(x) and f(x) is
irreducible, (f(x), g(x)) = 1. So, we can find p(x), q(x) such that
p(x)f(x) + q(x)g(x) = 1
using the extended euclidean algorithm. Then, q(x) + (f(x)) is the inverse of g(x) + (f(x)).
We can find the inverse of an element β in F∗q in another way. Since F∗q has q − 1
elements, we have β q−2 β = β q−1 = 1, so β −1 = β q−2 . This method is useful if finding
the powers of β is faster than applying the extended euclidean algorithm.
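As an added worked example (not code from the book), the following Python implements Algorithm 2 with the page's cell convention, and finds inverses by the β^{q−2} route just described; the constants at the bottom are the Z3 example computed above (c = x^2 + 2x + 1, d = 2x^2 + x + 2 modulo f(x) = x^3 + 2x^2 + 1).

```python
"""Multiplication in K = Z_p[x]/(f(x)) by the shift-and-add method of Algorithm 2,
and inversion via beta^{q-2}.

An element a_{n-1} x^{n-1} + ... + a_0 + (f(x)) is stored as [a_0, a_1, ..., a_{n-1}]:
index i is the page's cell number i (cell 0 is the rightmost cell, the constant
term; cell n-1 is the leftmost).  c is the list of coefficients of f(x) except
the leading one, which must be 1.  f must be irreducible for ff_inv to be valid.
"""

def times_x(t, c, p):
    """x * t: lines 12-21 of Algorithm 2.  Save the leftmost cell h, shift every
    cell to its left neighbour, put 0 in cell 0, and if h != 0 subtract h*C,
    which replaces the x^n that was shifted out by its value modulo f."""
    n = len(t)
    h = t[n - 1]
    shifted = [0] + t[:n - 1]
    if h != 0:
        shifted = [(shifted[j] - h * c[j]) % p for j in range(n)]
    return shifted

def ff_mul(a, b, c, p):
    """Product of a and b in Z_p[x]/(f(x)) (Algorithm 2)."""
    n = len(a)
    prod = [(a[i] * b[0]) % p for i in range(n)]   # lines 5-7: P = b_0 c
    t = list(a)                                    # lines 8-10: T = x^0 c
    for i in range(1, n):
        t = times_x(t, c, p)                       # T = x^i c
        prod = [(prod[j] + b[i] * t[j]) % p for j in range(n)]   # line 23
    return prod

def ff_pow(a, e, c, p):
    """a^e by repeated squaring, using ff_mul for every multiplication."""
    result = [1] + [0] * (len(a) - 1)
    base = list(a)
    while e > 0:
        if e & 1:
            result = ff_mul(result, base, c, p)
        base = ff_mul(base, base, c, p)
        e >>= 1
    return result

def ff_inv(a, c, p):
    """beta^{-1} = beta^{q-2} with q = p^n, valid because beta^{q-1} = 1 in F_q^*."""
    if all(coef % p == 0 for coef in a):
        raise ZeroDivisionError("the zero element has no inverse")
    return ff_pow(a, p ** len(a) - 2, c, p)

def ff_div(a, b, c, p):
    """alpha / beta = alpha * beta^{-1}."""
    return ff_mul(a, ff_inv(b, c, p), c, p)

# The worked example of the text: Z_3[x]/(x^3 + 2x^2 + 1).
P_EX = 3
C_EX = [1, 0, 2]          # coefficients of 1, x, x^2 in f(x) = x^3 + 2x^2 + 1
C_ELEM = [1, 2, 1]        # c = x^2 + 2x + 1
D_ELEM = [2, 1, 2]        # d = 2x^2 + x + 2

if __name__ == "__main__":
    print(ff_mul(C_ELEM, D_ELEM, C_EX, P_EX))   # [1, 0, 1], i.e. x^2 + 1
    print(ff_div([1, 0, 1], D_ELEM, C_EX, P_EX))   # back to c = [1, 2, 1]
```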
Another approach for multiplication and division, when the size of the field is small
enough, is to use logarithms and antilogarithms. Suppose Fq is a finite field and γ is a
primitive element of the field, i.e. γ generates the group F∗q . Then, Fq = Zp [γ], so, we
can write every element of Fq uniquely in the form
Note that logγ : F∗q −→ {0, 1, . . . , q − 2} and alogγ : {0, 1, . . . , q − 2} −→ F∗q are inverse
functions of each other. Further, they satisfy the relations
These properties are simple consequences of the fact that F∗q is a cyclic group of order
q − 1.
We often drop the subscript γ and simply write log α and alog i when it is clear from the
context what γ is.
For performing multiplication and division using logarithms and antilogarithms, we
proceed as follows: We compute the pairs γ^i, i and we store these values in two
different tables, an antilog table sorted according to i and a log table sorted according to
γ^i. While creating the log table we represent each γ^i as a linear combination of powers
of γ and use lexicographic order on the representation of γ^i as an n-tuple in Z_p^n.
Example 12: Consider the field F_{2^4}. We will represent the field as Z2 [x]/(f(x)) where f(x) is
the polynomial x^4 + x^3 + 1 ∈ Z2 [x]. Let us first check that γ = x + (f(x)) is a primitive
element. Since F*_{2^4} has 15 elements, we have to check that γ^3 ≠ 1 and γ^5 ≠ 1. We have
γ^3 = x^3 + (f(x)) ≢ 1 + (f(x)) mod (f(x)). Also, γ^5 ≡ x^4 + x ≢ 1 + (f(x)) mod (f(x)). So,
γ is a primitive element. We calculate the powers of γ and write each of them as a
polynomial in γ. We can do this easily using the method we used for calculating xc,
x2 c, etc. in Algorithm 2.
x3 + (f(x)) by x + (f(x)). We carry out a left shift of the entries of the vector
representation of γ 3 , which is (1, 0, 0, 0), to get (0, 0, 0, 0). Since the entry in the
leftmost component of (1, 0, 0, 0) is 1, we then add the vector, (1, 0, 0, 1)(containing the
coefficients of terms of degree ≤ 3 of the irreducible polynomial f(x)) to the vector
(0, 0, 0, 0) to get (1, 0, 0, 1). Thus, γ 4 = (1, 0, 0, 1). To find γ 5 we carry out a left shift of
(1, 0, 0, 1) to get (0, 0, 1, 0). We then add (1, 0, 0, 1) to this vector to get (1, 0, 1, 1). So,
γ 5 = (1, 0, 1, 1). We calculate the vector representations of other powers of γ similarly.
i   γ^i                   Vector          i    γ^i               Vector
0   1                     (0, 0, 0, 1)    8    γ^3 + γ^2 + γ     (1, 1, 1, 0)
1   γ                     (0, 0, 1, 0)    9    γ^3 + γ^2 + 1     (0, 1, 0, 1)
2   γ^2                   (0, 1, 0, 0)    10   γ^3 + γ           (1, 0, 1, 0)
3   γ^3                   (1, 0, 0, 0)    11   γ^3 + γ + 1       (1, 1, 0, 1)
4   γ^3 + 1               (1, 0, 0, 1)    12   γ + 1             (0, 0, 1, 1)
5   γ^3 + γ + 1           (1, 0, 1, 1)    13   γ^2 + γ           (0, 1, 1, 0)
6   γ^3 + γ^2 + γ + 1     (1, 1, 1, 1)    14   γ^3 + γ^2         (1, 1, 0, 0)
7   γ^2 + γ + 1           (0, 1, 1, 1)
order, we get the logarithm table in Table 4a. We use Table 4b for finding
antilogarithms.
Table 4: Tables of logarithms and antilogarithms
(a) Logarithm Table
Vector         Log     Vector         Log
(0, 0, 0, 1)   0       (1, 0, 0, 1)   4
(0, 0, 1, 0)   1       (1, 0, 1, 0)   10
(0, 0, 1, 1)   12      (1, 0, 1, 1)   5
(0, 1, 0, 0)   2       (1, 1, 0, 0)   14
(0, 1, 0, 1)   9       (1, 1, 0, 1)   11
(0, 1, 1, 0)   13      (1, 1, 1, 0)   8
(0, 1, 1, 1)   7       (1, 1, 1, 1)   6
(1, 0, 0, 0)   3
(b) Antilogarithm Table
i    alogγ i         i    alogγ i
0    (0, 0, 0, 1)    8    (1, 1, 1, 0)
1    (0, 0, 1, 0)    9    (0, 1, 0, 1)
2    (0, 1, 0, 0)    10   (1, 0, 1, 0)
3    (1, 0, 0, 0)    11   (1, 1, 0, 1)
4    (1, 0, 0, 1)    12   (0, 0, 1, 1)
5    (1, 0, 1, 1)    13   (0, 1, 1, 0)
6    (1, 1, 1, 1)    14   (1, 1, 0, 0)
7    (0, 1, 1, 1)
Suppose we want to multiply the vectors α = (0, 1, 1, 0) and β = (1, 0, 1, 1). From
Table 4a, we see that log(0, 1, 1, 0) = 13 and log(1, 0, 1, 1) = 5. We have
13 + 5 = 18 ≡ 3 (mod 15). Looking at Table 4b, we see that alog 3 = (1, 0, 0, 0). So,
αβ = (1, 0, 0, 0).
and from Table 4b, we see that alog 7 = (0, 1, 1, 1). So, β/α = (0, 1, 1, 1).
We were able to carry out our computations easily because the irreducible polynomial
x4 + x2 + 1 is a trinomial. Similarly, the computations are easy if we choose an
irreducible pentanomial, i.e. a polynomial of the form x^n + x^{k1} + x^{k2} + x^{k3} + 1. The
table at the end of Chapter 15 of [13] gives, for each n, an irreducible trinomial or
pentanomial of degree n when p = 2. We usually choose irreducible trinomials or
pentanomials to represent finite fields.
∗∗∗
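Added example, not code from the book: the log and antilog tables of Example 12 built in Python by the left-shift-and-XOR rule for multiplication by γ = x in Z2[x]/(x^4 + x^3 + 1), then used for the multiplication α β, the division β/α computed above, and the powers needed in exercise E9 (vectors are written (a3, a2, a1, a0) as on the page).

```python
"""Log and antilog tables for F_{2^4} = Z_2[x]/(x^4 + x^3 + 1), as in Example 12.

Vectors follow the page's convention (a_3, a_2, a_1, a_0): the leftmost entry is
the coefficient of gamma^3, the rightmost the constant term.
"""
F_TAIL = (1, 0, 0, 1)   # coefficients of degree <= 3 of f(x) = x^4 + x^3 + 1
N = 4                   # degree of f: the field has Q = 2^N elements
Q = 2 ** N
ONE = (0, 0, 0, 1)
ZERO = (0, 0, 0, 0)

def times_gamma(v):
    """Multiply by gamma = x + (f(x)): shift left and, if the bit shifted out of
    the leftmost cell was 1, XOR in F_TAIL (this encodes x^4 = x^3 + 1 in Z_2)."""
    shifted = v[1:] + (0,)
    if v[0] == 1:
        shifted = tuple(s ^ t for s, t in zip(shifted, F_TAIL))
    return shifted

def build_tables():
    """Return (log, alog): alog[i] is the vector of gamma^i for 0 <= i < Q-1 and
    log maps that vector back to i.  Raises ValueError if gamma is not primitive,
    i.e. if some power gamma^i with 0 < i < Q-1 already equals 1."""
    alog = []
    v = ONE
    for i in range(Q - 1):
        if i > 0 and v == ONE:
            raise ValueError("gamma is not a primitive element")
        alog.append(v)
        v = times_gamma(v)
    if v != ONE:
        raise ValueError("gamma^(Q-1) != 1: f(x) is not irreducible")
    log = {vec: i for i, vec in enumerate(alog)}
    return log, alog

LOG, ALOG = build_tables()

def mul(a, b):
    """alpha * beta = alog(log alpha + log beta mod Q-1)."""
    if a == ZERO or b == ZERO:
        return ZERO
    return ALOG[(LOG[a] + LOG[b]) % (Q - 1)]

def div(a, b):
    """alpha / beta = alog(log alpha - log beta mod Q-1); beta must be non-zero."""
    if b == ZERO:
        raise ZeroDivisionError("division by the zero element")
    if a == ZERO:
        return ZERO
    return ALOG[(LOG[a] - LOG[b]) % (Q - 1)]

def power(a, k):
    """alpha^k for any integer k; negative k means inverse powers, so alpha != 0."""
    if a == ZERO:
        if k > 0:
            return ZERO
        raise ValueError("the zero element has no inverse")
    return ALOG[(k * LOG[a]) % (Q - 1)]

if __name__ == "__main__":
    alpha, beta = (0, 1, 1, 0), (1, 0, 1, 1)
    print(LOG[alpha], LOG[beta])      # 13 5
    print(mul(alpha, beta))           # (1, 0, 0, 0)
    print(div(beta, alpha))           # (0, 1, 1, 1)
```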
Try the following exercise to check your understanding of the discussion in Example
12.
E9) In this exercise, we work in F24 . We use the representation in Example 12 for this
field and choose γ also as in Example 12. Let α1 = (1, 1, 0, 0), α2 = (1, 0, 1, 1) and
α3 = (0, 1, 1, 1). Use the log and antilog tables in Table 4 to find the following:
a) α1 α3^{−3}    b) α1 α2^{−1} α3^2 .
for sufficiently large r. How large should r be? Suppose f(x) is a reducible polynomial
of degree n and let g(x) be its irreducible factor of minimum degree. Then
f(x) = g(x)h(x). Comparing the degrees on both sides, n = deg(g) + deg(h) ≥ 2 deg(g), or
deg(g) ≤ n/2. So, we have to check whether gcd(x^{q^r} − x, f) = 1 for all r ≤ n/2. Also,
observe that
gcd(x^{q^r} − x, f) = gcd(x^{q^r} − r(x)f(x) − x, f(x))
for any polynomial r(x) ∈ F[x]. So, we can replace x^{q^r} − x by its remainder on division
by f(x). Using these observations, we have Algorithm 3 for checking whether a
polynomial f(x) is irreducible.
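Algorithm 3 itself is not reproduced on this page; as an added example (not the book's code), this Python carries out the test just described over Z_p, computing gcd(x^{p^r} − x, f) for r ≤ n/2 with x^{p^r} first reduced modulo f, and is checked on the polynomials of Example 12 and of exercise E2.

```python
"""Irreducibility test over Z_p: f of degree n is irreducible iff
gcd(x^{p^r} - x, f) = 1 for every 1 <= r <= n/2, where x^{p^r} is first reduced
modulo f.  Polynomials are coefficient lists, index i = coefficient of x^i.
(Uses pow(a, -1, p) for modular inverses, so Python 3.8 or newer.)
"""

def trim(a):
    """Drop leading zero coefficients in place; [] is the zero polynomial."""
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mod(a, f, p):
    """Remainder of a on division by f over Z_p (leading coefficient of f invertible)."""
    a = trim([x % p for x in a])
    f = trim([x % p for x in f])
    if not f:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(f[-1], -1, p)
    while len(a) >= len(f):
        coef = (a[-1] * inv_lead) % p
        shift = len(a) - len(f)
        for i, fi in enumerate(f):
            a[shift + i] = (a[shift + i] - coef * fi) % p
        trim(a)
    return a

def poly_mulmod(a, b, f, p):
    """a * b mod f over Z_p."""
    if not a or not b:
        return []
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_mod(prod, f, p)

def poly_powmod(base, e, f, p):
    """base^e mod f by repeated squaring."""
    result, base = [1], poly_mod(base, f, p)
    while e > 0:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Monic gcd over Z_p (euclidean algorithm on polynomials)."""
    a, b = trim([x % p for x in a]), trim([x % p for x in b])
    while b:
        a, b = b, poly_mod(a, b, p)
    if not a:
        return []
    inv = pow(a[-1], -1, p)
    return [(x * inv) % p for x in a]

def is_irreducible(f, p):
    """True iff f (degree >= 1) is irreducible in Z_p[x]."""
    f = trim([x % p for x in f])
    n = len(f) - 1
    if n < 1:
        return False
    xpow = [0, 1]                               # x^{p^0} = x
    for r in range(1, n // 2 + 1):
        xpow = poly_powmod(xpow, p, f, p)       # x^{p^r} mod f: the reduction by f
        diff = xpow + [0] * (2 - len(xpow))
        diff[1] = (diff[1] - 1) % p             # x^{p^r} - x, already reduced
        if len(poly_gcd(f, diff, p)) != 1:      # non-constant gcd: factor of degree <= r
            return False
    return True

if __name__ == "__main__":
    print(is_irreducible([1, 0, 0, 1, 1], 2))   # x^4 + x^3 + 1 over Z_2: True
    print(is_irreducible([1, 0, 1, 0, 1], 2))   # x^4 + x^2 + 1 = (x^2 + x + 1)^2: False
```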
x4 + x2 + 1 = x x3 + 1 + 1
Test if f is irreducible
until f is irreducible
return f
We have come to the end of this unit. We have summarised the contents of this unit in
the next section.
1.5 SUMMARY
5. An algorithm for multiplying and dividing elements in a finite field using shift
and multiply approach;
6. An algorithm for multiplying and dividing elements in a finite field using discrete
logarithms and antilogarithms;
1.6 SOLUTIONS/ANSWERS
x 0 1 2 3 4 5 6
f(x) 5 1 6 6 1 5 4
x 0 1 2 3 4 5 6
g(x) 5 1 6 6 1 5 4
E2) By Theorem 3, we need to check whether the polynomials have zeros in the fields
over which they are defined.
a) Z2 = {0, 1}. The given polynomial is f(x) = x2 + x + 1 ∈ Z2 [x]. Then
f(0) = 1 and f(1) = 1. Hence both f(0) and f(1) are non-zero.
b) The integers mod 7 are 0, 1, 2, 3, 4, 5 and 6. The given polynomial is
f(x) = x2 + 1 ∈ Z7 [x]. Then the values taken by f(x) at all of these integers is
non-zero. This can be checked as above, but the calculations are carried out
in Z7 .
c) The integers mod 11 are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10. The given polynomial
is f(x) = x3 − 9 ∈ Z11 [x]. Here, f(4) = 0 in Z11 . Hence, f(x) is reducible over
the integers mod 11.
E3) Note that, if g(x) = T2 (x) = 0, the loop will not be evaluated and the algorithm
returns the values T1 (x) = f(x), Q1 (x) = 1, and R1 (x) = 0. For these values,
and f(x) is the gcd of f(x) and g(x) when g(x) = 0. So, this choice works
correctly when g(x) = 0.
Suppose g(x) ≠ 0. In this case, the loop will be evaluated. After the evaluation of
line 4 of the algorithm, the value of S(x) will be s1 (x), the quotient on division of
f(x) by g(x). Line 5 finds Q3 (x), R3 (x) and T3 (x) from Q1 (x), R1 (x), T1 (x),
Q2 (x), R2 (x) and T2 (x) using Eqn. (9), Eqn. (10) and Eqn. (11). Note that
If we let S(x) = s2 (x) and apply the equations Eqn. (6) and Eqn. (8), we find that
After the lines 7 and 8 executed again, the values will be as follows:
These values correspond to the values in Eqn. (3). So, from our discussion after
Eqn. (3), it follows that the algorithm works correctly.
E4) We give an outline of the solution and leave it to you to work out the details.
Initialisation
We have T2 (x) ≠ 0. So, we carry out one more iteration. The values at the end of the
third iteration are
Since T2 (x) is zero, the loop will not be entered again and the values
h(x) = −x2 − x + 1, Q(x) = −x and R(x) = 1 + x + x2 will be returned.
E5) q(x) = x4 + x3 + x2 + x − 2, r(x) = 4x + 3.
E6) No. x2 − 5x + 6 is not a maximal ideal of Q[x], since
α^8 = α^3 + α^2
∴ α^16 = (α^3 + α^2)^2 = α^6 + α^4 = α^4 + α + 1 and
α^32 = (α^4 + α + 1)^2 = α^8 + α^2 + 1 = α^3 + α^2 + α^2 + 1 = α^3 + 1
∴ α^64 = (α^3 + 1)^2 = α^6 + 1 = α
Since α is a unit in R, α^63 = 1.
We have
α^22 = α^16 α^6 = (α^4 + α + 1)(α + 1) = α^5 + α^2 + α + α^4 + α + 1
∴ α^22 = α^5 + α^4 + α^2 + 1 ≠ α
E9) From the antilog Table 4a, we see that log α1 = 14, log α2 = 13 and log α3 = 7.
a) We have
not irreducible.
Note that, since (x^4 + 1, x^3 − x) = 1, x^4 + 1 doesn't have any linear factors. Since
UNIT 2 NUMBER THEORETIC ALGORITHMS
Structure Page No.
2.1 Introduction 33
Objectives
2.2 Structure of Zn and Z∗n 33
2.3 Prime Numbers 40
Primality Testing
Probabilistic Algorithms
The Pseudoprime Test
The Miller-Rabin Test
The Agrawal-Kayal-Saxena (AKS) Algorithm
2.4 Primitive Roots 48
2.5 Summary 51
2.6 Solutions/Answers 51
2.1 INTRODUCTION
In this unit, we will recall some basic facts from number theory that are required in
Cryptography later. You may find it useful to go through Unit 6 of MMT-003 to refresh
your knowledge of congruences. In Sec. 2.2 of this unit, we discuss the structure of the
groups Zn and Z∗n . We shall introduce some notation describing the running time of
algorithms and discuss some basic algorithms. In Sec. 2.3, we will discuss some
primality tests. In Sec. 2.4, we will discuss primitive roots.
Objectives
After studying this unit, you should be able to
• describe the structure of Z∗n and Zn ;
• describe the extended-euclidean algorithm for integers;
• apply the repeated squaring algorithm to compute powers of elements in Z∗n ;
• explain the concept of a pseudoprime;
• explain the Rabin-Miller strong pseudoprime test; and
• outline the AKS algorithm for primality testing.
One natural set of complete residues modulo n is {0, 1, 2, . . . , n − 1}. We discussed the
extended euclidean algorithm in Unit 6 of MMT-003. We have also seen some
examples there. Also, we have discussed the extended euclidean algorithm for
polynomials in Unit 1. The algorithm carries over to integers with appropriate
modifications. See Algorithm 1.
Example 1: Let us find the (141, 93) and the values d, Q and R using Algorithm 1.
Since we have already seen a similar example for polynomials in Unit 1, we will just
sketch the steps.
T1 = 93 Q1 = 0 R1 = 1
T2 = 48 Q2 = 1 R2 = −1
T1 = 48 Q1 = 1 R1 = −1
T2 = 45 Q2 = −1 R2 = 2
T1 = 45 Q1 = −1 R1 = 2
T2 = 3 Q2 = 2 R2 = −3
T1 = 3 Q1 = 2 R1 = −3
T2 = 0 Q2 = −31 R2 = 47
Answer: d = 3, q = 2, r = −3.
∗∗∗
Try the following exercise to test your understanding of the extended euclidean algorithm
for integers.
E1) Find (72, 32) and the values d, Q and R using extended euclidean algorithm.
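Added example, not the book's Algorithm 1 verbatim: a Python version of the extended euclidean algorithm in the (T1, Q1, R1)/(T2, Q2, R2) form of Example 1, returning the same rows as the trace above, plus the modular inverse it yields in Z_n^*.

```python
"""Extended euclidean algorithm for integers in the (T, Q, R) form of Algorithm 1:
at every step T1 = Q1*a + R1*b and T2 = Q2*a + R2*b, and the pair (T1, T2) is
replaced by (T2, T1 - s*T2) with s = floor(T1 / T2).
"""

def extended_euclid(a, b):
    """Return (d, q, r, trace): d = gcd(a, b) = q*a + r*b, and trace holds the rows
    ((T1, Q1, R1), (T2, Q2, R2)) at the end of each iteration, as in Example 1."""
    if a <= 0 or b < 0:
        raise ValueError("need a > 0 and b >= 0")
    t1, q1, r1 = a, 1, 0          # a = 1*a + 0*b
    t2, q2, r2 = b, 0, 1          # b = 0*a + 1*b
    trace = []
    while t2 != 0:
        s = t1 // t2              # quotient on dividing T1 by T2
        t1, q1, r1, t2, q2, r2 = t2, q2, r2, t1 - s * t2, q1 - s * q2, r1 - s * r2
        trace.append(((t1, q1, r1), (t2, q2, r2)))
    return t1, q1, r1, trace

def mod_inverse(a, n):
    """a^{-1} mod n from d = q*a + r*n with d = 1; raises if gcd(a, n) != 1."""
    d, q, _, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError("%d has no inverse mod %d" % (a, n))
    return q % n

if __name__ == "__main__":
    d, q, r, trace = extended_euclid(141, 93)
    for (t1, q1, r1), (t2, q2, r2) in trace:
        print("T1 = %d Q1 = %d R1 = %d" % (t1, q1, r1))
        print("T2 = %d Q2 = %d R2 = %d" % (t2, q2, r2))
    print("d = %d, q = %d, r = %d" % (d, q, r))   # d = 3, q = 2, r = -3
```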
x ≡ a_2 (mod n_2)
⋮ (4)
x ≡ a_k (mod n_k)
If x0 and x00 are two solutions, then x0 ≡ x00 (mod N), where N = n1 n2 · · · nk .
We now introduce some terms on time estimates that we will use later in the course.
Definition 2(The big oh notation): Let x, a be real numbers, and g a real valued
function. If g(x) > 0 for all x ≥ a, for a real valued function f(x), we write
(read as “f is big oh of g”), to mean that the quotient f(x)/g(x) is bounded for x ≥ a;
that is, there exists a constant M > 0 such that
Let us write f(x) = Ω(g(x)) if, for any constant c > 0, |f(x)| ≥ cg(x) for infinitely many
values of x. Note that, this statement is essentially a negation of the statement
f(x) = O(g(x)).
We write f(x) = Θ(g(x)) if there are positive constants c and d such that
d g(x) ≤ f(x) ≤ c g(x) for all x ≥ a.
There are analogous notations for functions f and g that are defined on N. We leave it to
you as an exercise to formulate these statements.
Let n be a large positive integer, perhaps the input for our algorithm; let γ be a real
number between 0 and 1; and let c > 0 be a constant.
Definition 3: Let
In particular,
and
An L(γ)-algorithm is an algorithm that, when applied to the integer n has running time
estimate of the form Ln (γ, c) for some c.
In this section we look at an efficient method of calculating bm mod n (that is, finding
the least non-negative residue) when both m and n are very large. If m and n were
small, we can easily compute this by first multiplying b by itself m times, and then
reducing it modulo n. However, for large m and n, this method is not feasible, as the
numbers involved would be too large. So, let us look at a quicker way of carrying out
this computation.
If the exponent is not a power of 2, then we use its binary expansion, i.e., its expansion
in base 2. The algorithm to calculate bm mod n is:
2. We write m in base 2. Let m0 , m1 , . . . , mk−1 denote the binary digits of m, that is,
m = m0 + 2m1 + 4m2 + . . . + 2k−1 mk−1 . Each mi is 0 or 1.
We check if m is odd. Note that m is odd if m_{i−1} is 1. If m is odd, we carry out step 5 in
Algorithm 2; otherwise we don't. We then replace m by ⌊m/2⌋. Note that, if
then
⌊m/2⌋ = m_k 2^{k−i} + m_{k−1} 2^{k−i−1} + · · · + m_i
so that the next iteration starts with the correct value of m. Further, we replace b by b^2.
Iteration 1
1. P by P · b = 13 since m is odd.
2. m = 79 by ⌊79/2⌋ = 39.
P = 13, b = 72, m = 39
Iteration 2
We have m = 39.
2. m = 39 by ⌊39/2⌋ = 19.
P = 63, b = 43, m = 19
Iteration 3
We have m = 19.
1. P by P · b = 63 · 43 ≡ 90 (mod 97) since m is odd.
2. m = 19 by ⌊19/2⌋ = 9.
P = 90, b = 6, m = 9.
Iteration 4
We have m = 9. We replace
2. m = 9 by ⌊9/2⌋ = 4.
3. b by b^2 = 6^2 ≡ 36 mod 97.
P = 55, b = 36, m = 4.
Iteration 5
1. m = 4 by ⌊4/2⌋ = 2.
P = 55, b = 35, m = 2.
Iteration 6
1. m = 2 by ⌊2/2⌋ = 1.
P = 55, b = 61, m = 1.
Iteration 7
We have m = 1. We replace
2. m = 1 by ⌊1/2⌋ = 0.
∗∗∗
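Added example (not code from the book): the repeated-squaring procedure above in Python, recording (P, b, m) after every iteration so that the trace of 13^79 mod 97 can be compared with the iterations listed; the final value 57 is not printed on the page and is computed here.

```python
"""Repeated-squaring computation of b^m mod n, following the three steps of the
text: (1) if m is odd, P <- P*b mod n; (2) m <- floor(m/2); (3) b <- b^2 mod n.
"""

def binary_digits(m):
    """Digits m_0, m_1, ... with m = m_0 + 2 m_1 + 4 m_2 + ... (least significant first)."""
    digits = []
    while m > 0:
        digits.append(m % 2)
        m //= 2
    return digits

def powmod_trace(b, m, n):
    """Return (b^m mod n, states), where states[i] is the triple (P, b, m) at the
    end of iteration i+1, i.e. exactly the values the worked example lists."""
    if n <= 0 or m < 0:
        raise ValueError("need n > 0 and m >= 0")
    p = 1 % n
    b %= n
    states = []
    while m > 0:
        if m % 2 == 1:            # step 1: the current lowest binary digit is 1
            p = (p * b) % n
        m //= 2                   # step 2: drop that digit
        b = (b * b) % n           # step 3: square the base
        states.append((p, b, m))
    return p, states

if __name__ == "__main__":
    result, states = powmod_trace(13, 79, 97)
    for i, s in enumerate(states, 1):
        print("Iteration %d: P = %d, b = %d, m = %d" % ((i,) + s))
    print("13^79 mod 97 =", result)   # 57
```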
Recall from Unit 6 of MMT-003 that the order of Z∗n is φ(n), where φ is the Euler φ-function.
Definition 4: Let a ∈ Z∗n . The order of a, denoted o_n(a), is the least positive integer t
such that at ≡ 1 (mod n).
∗∗∗
Note that φ(21) = φ(3)φ(7) = 2 · 6 = 12, which is the order of the group Z∗21 . The
orders of the elements in Z∗21 are listed in Table 1.
∗∗∗
Table 1: Orders of elements in Z∗21
a ∈ Z∗21 1 2 4 5 8 10 11 13 16 17 19 20
ord (a) 1 6 3 6 2 6 6 2 3 6 6 2
In the next section, we will discuss some important results about prime numbers that
we will need in the later units of this course.
In this section we will discuss some facts about prime numbers and primality testing in
particular. Our discussion is based on [7]. We begin this section by stating some
important results about prime numbers.
1. An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
2. Any integer a > 1 can be factored in a unique way as a = p_1^{α_1} p_2^{α_2} · · · p_t^{α_t}, where
p_1 < p_2 < . . . < p_t are prime numbers and where each α_i is a positive integer.
3. The Prime Number Theorem. Let x be a positive real number. Consider the
function π(x), which counts the number of primes ≤ x. Thus,
The prime number theorem tells us that the number of primes not exceeding x is
approximately x/ log x.
E5) Determine π(100). Compare your result with the estimate obtained by applying
the prime number theorem.
There are many situations where one wants to know if a large number n is prime. For
example, in the RSA public key cryptosystem and in various cryptosystems based on
the discrete log problem in finite fields, we need to find a large “random” prime. We can
do this by choosing a large odd integer n0 and then test n0 , n0 + 2, . . . for primality until
we obtain the first prime which is ≥ n0 . A second type of use of primality testing is to
determine whether an integer of a certain very special type is a prime. For example, for
some large prime p we might want to know whether 2p − 1 is a Mersenne prime.
Most of the algorithms that are used in primality testing are probabilistic algorithms.
So, we begin by discussing probabilistic algorithms.
Many problems that we want to solve can be posed as a decision problem which has
YES or NO as its answer. For example, we can formulate the problem of checking
whether a given natural number n is a prime as a decision problem. An algorithm that
solves this decision problem, returns the value YES if n is a prime and the value NO if
n is not a prime.
We can define computational complexity for probabilistic algorithms also. Here the
running time is the expected time in which the algorithm will terminate rather than the
exact time. We call a probabilistic algorithm an expected polynomial-time algorithm, or
simply a polynomial-time algorithm, if the expected running time of the algorithm is a
polynomial function of the size of the input.
Note that, a probabilistic algorithm, as we have defined it, is really not an algorithm in
the usual sense. This is because we can get different outputs for the same input if the
random numbers chosen are different in the two instances. But, if we make the output
of a certain number of ‘coin tosses’, i.e. a random string of zeros and ones, also a part
of the input, then it becomes a deterministic algorithm. However, we will not be very
formal in our treatment of probabilistic algorithms. You may refer to Chapter 9 of the
book [11] for a more formal treatment of probabilistic algorithms. This is also a good
reference for the first two units of this block.
Let n be a large odd integer, and suppose that you want to determine whether or not n is
prime. The simplest primality test is “trial division.” We know that, if n is composite, it
has a prime factor ≤ √n. So, we check if n has a divisor up to √n. If it doesn’t have
one, we know for sure that n is prime. Of course, this is an extremely time-consuming
way to test whether or not n is prime. There are other tests which are much quicker.
Most of the efficient primality tests that are known are similar in general form to the
following one.
According to Fermat’s Little Theorem, we know that, if n is a prime, then for any b
such that gcd(b, n) = 1 one has
If n is not prime, it is still possible (but probably not very likely) that the relation
Eqn. (6) holds.
3. If n fails the test Eqn. (6) for a single base b ∈ (Z/nZ)∗ , then n fails Eqn. (6) for
at least half of the possible bases b ∈ (Z/nZ)∗ .
2. We have
if b_1^{n−1} ≡ 1 (mod n) and b_2^{n−1} ≡ 1 (mod n). The proof for the case b_1 b_2^{−1} is
similar. Note that, this condition says that the set {b ∈ (Z/nZ)∗ | b^{n−1} ≡ 1 (mod n)} is
a group, i.e. the set of all bases for which n is a pseudoprime is a subgroup of
(Z/nZ)∗ .
3. Let {b1 , b2 , . . . , bs } be the set of all bases for which n is a pseudoprime, i.e., the
set of all integers 1 < bi < n for which the congruence Eqn. (6) holds. Let b be a
fixed base for which n is not a pseudoprime. If n were a pseudoprime for any of
the bases bbi , then by part 2 of the proposition, it would be a pseudoprime for the
base b ≡ (b b_i) b_i^{−1} mod n, which is not the case. Thus, for the s distinct residues
{bb1 , bb2 , . . . , bbs }, the integer n fails the test Eqn. (6). Hence, there are at least
as many bases in (Z/nZ)∗ for which n fails to be a pseudoprime as there are
bases for which Eqn. (6) holds. This completes the proof.
It follows from Proposition 3 that unless n happens to pass the test Eqn. (6) for all
possible b with gcd(b, n) = 1, we have at least a 50% chance that n will fail Eqn. (6) for
a randomly chosen b. That is, suppose we want to know if a large odd integer n is
prime. We can do so in the following steps:
1. Choose a random integer b in the range 0 < b < n. (It is beyond the scope of this
unit to describe how to “randomly” choose an integer.)
3. If d > 1, we know that n is not prime since we have found a nontrivial factor d of
n.
6. If Eqn. (6) holds, perhaps n is prime. We then try another b and go through the
same process.
Algorithm 3 Pseudoprime Test.
1: procedure PSEUDOPRIME TEST(n) . Returns YES if the number is composite, NO otherwise.
2: Choose a random b, 0 < b < n.
3: if (b, n) > 1 then
4: return YES.
5: else
6: if b^{n−1} ≢ 1 (mod n) then
7: return YES.
8: else
9: return NO.
10: end if
11: end if
12: end procedure
Based on the above discussion we have the yes-biased Monte Carlo algorithm given in
Algorithm 3.
If Algorithm 3 returns YES then we can stop, since this would show that n is
composite. Suppose that we run Algorithm 3 k times with k different b’s and find that n
is a pseudoprime for all of the k bases. By Proposition 3, the chance that n is still
composite despite Algorithm 3 answering NO for k different values of b is at most 1 out
of 2k , unless n happens to have the very special property that Eqn. (6) holds for every
single b ∈ (Z/nZ)∗ . If k is large, we can be sure “with a high probability” that n is
prime (unless n has the property of being a pseudoprime for all bases). This method of
finding prime numbers is called a probabilistic method. It differs from a deterministic
method: the word “deterministic” means that the method will either reveal n to be
composite or else determine with 100% certainty that n is prime.
Can it ever happen for a composite n that Eqn. (6) holds for every b ∈ (Z/nZ)∗ ? In that
case our probabilistic method fails to reveal the fact that n is composite (unless we are
lucky and hit upon a b with gcd(b, n) > 1). The answer is yes, and such a number is
called a Carmichael number.
Definition 7: A Carmichael number is a composite integer n such that Eqn. (6) holds
for every b ∈ (Z/nZ)∗ .
We saw in the preceding section that we may not get very far with the pseudoprime test
because of the existence of the Carmichael numbers. We can obtain a better primality
test, the Miller-Rabin test, based on the notion of a strong pseudoprime. It is based on
the following result proved in Unit 6 of MMT-003:
Proposition 4: Let p be an odd prime and let (a, p) = 1. Suppose p − 1 = t · 2^s with t odd.
Then, a satisfies at least one of the following conditions:
i) a^t ≡ 1 (mod p)
ii) a^{t · 2^i} ≡ −1 (mod p) for some i, 0 ≤ i < s.
b^t ≡ 1 mod n, (7)
Thus, to test whether a large odd positive integer n is prime or composite, the
Miller-Rabin test goes as follows:
We have given the test in the form of an algorithm in Algorithm 4. This is also a
yes-biased Monte Carlo algorithm.
∗∗∗
Remark 3: From [9], we know that there is no number less than 25 · 10^9 which is a
pseudoprime to all the bases 2, 3, 5, 7 and 11. In other words, we know that, if, for
some n, Algorithm 4 returns NO for b = 2, 3, 5, 7, 11, then n is a prime.
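Added example, not the book's Algorithm 3 or 4 verbatim: Python versions of the pseudoprime test of Algorithm 3 (with the base passed in rather than drawn at random) and of the Miller-Rabin round described by Proposition 4 and Eqn. (7), checked on 341, on the Carmichael number 561, and on the base-8, 18 and 14 cases of exercise E10.

```python
"""The pseudoprime test of Algorithm 3 and a Miller-Rabin round built on
Proposition 4 (n - 1 = t * 2^s, t odd).  Both are yes-biased: True means
"YES, n is composite for certain"; False means n passed for this base b.
"""
import math

def pseudoprime_test(n, b):
    """Algorithm 3 with the base b given explicitly instead of chosen at random."""
    if not 0 < b < n:
        raise ValueError("base must satisfy 0 < b < n")
    if math.gcd(b, n) > 1:
        return True                     # a non-trivial factor: n is composite
    return pow(b, n - 1, n) != 1        # Eqn. (6) fails: composite

def miller_rabin_test(n, b):
    """One Miller-Rabin round.  n passes (returns False) if b^t ≡ 1 (Eqn. (7)) or
    b^(t 2^i) ≡ -1 (mod n) for some 0 <= i < s, which Proposition 4 guarantees
    for every prime n; otherwise n is composite for certain."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 2")
    if not 0 < b < n:
        raise ValueError("base must satisfy 0 < b < n")
    if math.gcd(b, n) > 1:
        return True
    t, s = n - 1, 0
    while t % 2 == 0:                   # write n - 1 = t * 2^s with t odd
        t //= 2
        s += 1
    x = pow(b, t, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):              # square up to b^(t 2^(s-1))
        x = (x * x) % n
        if x == n - 1:
            return False
    return True                         # never reached -1: composite

def is_strong_pseudoprime(n, b):
    """n is a strong pseudoprime to the base b if the round above cannot refute it."""
    return not miller_rabin_test(n, b)

def passes_all(n, bases):
    """NO for every base in `bases` (Remark 3 uses the bases 2, 3, 5, 7, 11)."""
    return all(not miller_rabin_test(n, b) for b in bases)

if __name__ == "__main__":
    print(pseudoprime_test(341, 2))              # False: 341 is a pseudoprime to base 2
    print(miller_rabin_test(561, 2))             # True: the Carmichael number 561 is caught
    print([is_strong_pseudoprime(65, b) for b in (8, 18, 14)])   # [True, True, False]
```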
E6) Check whether 606893471 is composite, by using Miller-Rabin test for the bases
2, 3, 5, 7, 11.
The primality tests described above are probabilistic. If n survives them, then n is
declared to be most probably prime. In the next section, we will discuss the first
deterministic polynomial time algorithm for primality testing.
It was published in [1]. There are several expository articles on this algorithm available.
See for example [4], [10], [16] and the book [11]. We will not discuss the complete
proof. You can refer to [1] or the other expository articles we mentioned for details.
If n is a prime, c(n, i) ≡ 0 (mod n) and hence all the coefficients are zero.
However, this characterisation is not useful for checking if n is a prime. For an input n,
this would involve evaluating n coefficients in the LHS of Eqn. (9), in the worst case,
which can take up to time Ω(n). Therefore, to make it feasible, we evaluate both sides
of Eqn. (9) modulo a polynomial of the form xr − 1; that is, we need to verify whether
the following holds:
We observe that verifying the congruence Eqn. (10) takes O(r^2 log^3 p) time by the
repeated squaring method. Moreover, all primes satisfy the congruence Eqn. (10) for all
values of a and r, but some composites may also pass the test.
Thus, for the algorithm to work efficiently, we need to choose r and a suitably. The
algorithm consists of the following steps:
Step 1. Check whether n is a perfect power. This can be done by Newton’s method. If n
is not a perfect power, proceed to the next step.
Step 2. Find a prime r = O(log^6 n), with the property that r − 1 has a large prime factor
q > 4√r log n and q divides o_r(n), the order of n mod r.
Step 3. With r as obtained in Step 2, check whether the following hold for a = 1 to
2√r log n:
The algorithm will declare n to be composite if Eqn. (11) does not hold for some a; n is
declared to be prime if Eqn. (11) holds for all a in the range specified in Step 3.
We are assured of finding such a prime r in Step 2 because of the following lemma,
together with an application of the prime number theorem.
Lemma 1: Let P(n) denote the greatest prime divisor of n. There exist constants c > 0
and n0 such that, for all x > n0,
#{p | p is prime, p ≤ x and P(p − 1) > p^{2/3}} ≥ c x / log x.
Let us consider the case when n is composite. Then there exists a prime factor p of n
such that q divides or (p), where q is the largest prime factor of r − 1. Let us see why
this is true.
Now #E > r, which implies that there exist two distinct elements in E which are
congruent modulo r, hence are congruent modulo o_g, by a property of I_{g(x)}. Since
o_g > n^{2√r}, the congruence reduces to an equality, from which we deduce that n = p^k for
some integer k, which contradicts the fact that we have already ruled out perfect powers
in Step 1 of the algorithm.
Therefore, we conclude that the algorithm will declare an input n to be prime if and
only if n is a prime.
E9) Prove that a Carmichael number has at least three distinct prime factors.
E10) Show that 65 is a strong pseudoprime to the base 8 and to the base 18, but not to
the base 14, which is the product of 8 and 18 modulo 65.
We have seen in Sec. 2.2 that (Z/nZ)∗ need not be cyclic. In the next section, we will
discuss the case when (Z/nZ)∗ is cyclic.
Example 7: The set {1, 5, 7, 11} is a reduced residue system modulo 12.
∗∗∗
a^{p−1} ≡ 1 (mod p)
As above, let a and m be relatively prime integers, with m ≥ 1. Consider all the positive
powers of a:
a, a^2, a^3, . . .
We know, from Theorem 5 that a^{φ(m)} ≡ 1 (mod m). However, there may be an earlier
power a^f ≡ 1 (mod m). We are interested in the smallest positive f with this property.
a^f ≡ 1 (mod m)
f = exp_m(a)
Another way of looking at the notion of a primitive root is in the context of Z∗n . We
follow the notation as in Definition 4.
We have seen that if p is a prime, then Zp is a field, and Z∗p is a cyclic group.
Definition 12: Let p be a prime. The integer a for which the residue class a + pZ
generates Z∗p is called a primitive root mod p.
Theorem 5 tells us that expm (a) ≤ φ (m). The next theorem shows that expm (a) divides
φ (m).
k − h = qf + r, where 0 ≤ r < f.
Theorem 7: Let gcd(a, m) = 1. Then a is a primitive root mod m if, and only if, the
numbers
a, a^2, . . . , a^{φ(m)} (13)
form a reduced residue system mod m.
Proof: If a is a primitive root, the numbers in Eqn. (13) are incongruent mod m, by
Theorem 6(c). Since there are φ (m) such numbers, they form a reduced residue system
mod m.
Conversely, if the numbers in Eqn. (13) form a reduced residue system, then aφ (m) ≡ 1
(mod m), but no smaller power is congruent to 1, so a is a primitive root.
1. Primitive roots exist only for the following moduli: m = 1, 2, 4, p^α, and 2p^α,
where p is an odd prime and α ≥ 1.
4. a is a generator of Z∗m if and only if a^{φ(m)/p} ≢ 1 (mod m) for each prime divisor
p of φ(m).
Example 8: Z∗21 is not cyclic since it does not contain an element of order φ (21) = 12
(see Table 1); note that 21 does not satisfy condition 1 above on the existence of
primitive roots.
∗∗∗
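Added example (not code from the book): Python that computes o_m(a) = exp_m(a) for every a in Z_m^*, reproducing Table 1 for m = 21 and the table of exercise E4 for m = 15, and applies condition 4 above as a primitive-root test, so Example 8 (Z_21^* is not cyclic) is checked by both routes.

```python
"""Orders of elements of Z_m^* and the primitive-root criterion (condition 4 above).
The moduli here are small, so trial division is used for factoring and the
order is found by direct repeated multiplication.
"""
from math import gcd

def prime_factors(m):
    """Distinct prime divisors of m by trial division."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def euler_phi(m):
    """phi(m) = m * prod (1 - 1/p) over the primes p dividing m."""
    result = m
    for p in prime_factors(m):
        result = result // p * (p - 1)
    return result

def order(a, m):
    """o_m(a) = exp_m(a): the least t > 0 with a^t ≡ 1 (mod m); needs gcd(a, m) = 1."""
    if gcd(a, m) != 1:
        raise ValueError("a must be a unit mod m")
    t, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        t += 1
    return t

def order_table(m):
    """{a: o_m(a)} for every a in Z_m^*, like Table 1 for m = 21."""
    return {a: order(a, m) for a in range(1, m) if gcd(a, m) == 1}

def is_primitive_root(a, m):
    """Condition 4: a generates Z_m^* iff a^(phi(m)/p) ≢ 1 (mod m) for each prime p | phi(m)."""
    if gcd(a, m) != 1:
        return False
    phi = euler_phi(m)
    return all(pow(a, phi // p, m) != 1 for p in prime_factors(phi))

def has_primitive_root(m):
    """True iff Z_m^* is cyclic (for m >= 2)."""
    return any(is_primitive_root(a, m) for a in range(1, m))

if __name__ == "__main__":
    print(order_table(21))          # Table 1: no element of order phi(21) = 12
    print(has_primitive_root(21))   # False
    print(has_primitive_root(9))    # True: 9 = 3^2 is of the form p^alpha
```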
2.5 SUMMARY
2.6 SOLUTIONS/ANSWERS
T1 = 32 Q1 = 0 R1 = 1
T2 = 8 Q2 = 1 R2 = −2
T1 = 8 Q1 = 1 R1 = −2
T2 = 0 Q2 = −4 R2 = 9
We see that T2 = 0. So, there are no more iterations.
Answer: T1 = 8, Q1 = 1, R1 = −2
Definition 13: (The big oh notation). Let n, n0 be integers, and g a real valued
function defined on N. If g(n) > 0 for all n ≥ n0 , we write
(read as “f is big oh of g”), to mean that the quotient f(n)/g(n) is bounded for
n ≥ n0 ; that is, there exists a constant M > 0 such that
Let us write f(n) = Ω(g(n)) if, for any constant c > 0, |f(n)| ≥ cg(n) for infinitely
many values of n. Note that, this statement is essentially a negation of the
statement f(n) = O(g(n)).
We write f(n) = Θ(g(n)) if there are positive constants c and d such that
d g(n) ≤ f(n) ≤ c g(n).
E3) We just give the values of P, b and m after each iteration. We leave it to you to check
the details. Values at the end of iteration 1:
P = 5, b = 25, m = 8
P = 5, b = 57, m = 4
P = 5, b = 54, m = 2
P = 5, b = 5, m = 1
P = 25, b = 25, m = 0
E4)
a ∈ Z∗15   1 2 4 7 8 11 13 14
ord (a)    1 4 2 4 4 2  4  2
E5) π(100) = 25, while the prime number theorem tells us that
π(100) ∼ 100/ log 100, where log denotes the natural logarithm. Direct
calculation gives 100/ log 100 ∼ 21.7.
E8) The smallest pseudoprime to the base 2 is 341. We have 341 = 11 · 31 and
2^340 ≡ 1 (mod 341).
E9) Let n be a Carmichael number. By definition, it is not a prime number, and by one
of the properties stated in Sec. 2.2, it is square-free, hence not a prime power.
Therefore, n has at least two prime divisors. Let n = pq with prime factors
p, q, p > q. Another property of the Carmichael numbers states that p − 1 divides
n − 1. Now n − 1 = pq − 1 = (p − 1)q + q − 1. Therefore, p − 1 is a divisor of
q − 1. This is impossible since 0 < q − 1 < p − 1. Hence a Carmichael number has
at least three distinct prime divisors.
E10) 82 ≡ 182 ≡ −1 mod 65; 142 ≡ 1 mod 65, but 141 6≡ ±1 mod 65.
52
UNIT 3 CLASSICAL CIPHERS
Structure Page No.
3.1 Introduction 53
Objectives
3.2 Basic Terminology and Some Simple Ciphers 53
Caesar Cipher
Shift Cipher
Affine Cipher
3.3 Substitution Ciphers 63
The Vigenère Cipher
3.4 Transposition Ciphers 65
The Row Transformation Cipher
Simple Columnar Transposition Cipher
Other Transposition Techniques
3.5 Cryptanalysis 70
3.6 Summary 75
3.7 Solutions/Answers 75
3.1 INTRODUCTION
In this Unit, we start our study of cryptography by discussing some simple ciphers. We
must warn you that these ciphers are no longer used in real life situations; we discuss
them for historical reasons and to introduce you to the basic concepts of cryptography. In
Sec. 3.2, we discuss the need for cryptography and introduce you to the basic
terminology of cryptography. In Sec. 3.3, we discuss transposition ciphers. In Sec. 3.4,
we discuss substitution ciphers. In Sec. 3.5, we discuss the affine cipher. In Sec. 3.6,
we discuss the Vigenère cipher.
Objectives
After studying this unit, you should be able to
• explain the goals of cryptography;
• explain the basic terms of cryptography;
• explain what a transposition cipher is and give examples;
• encrypt and decrypt text using some simple transposition ciphers;
• explain what a substitution cipher is and give examples;
• encrypt and decrypt text using some simple substitution ciphers;
• explain the Vigenère cipher and encrypt and decrypt text using the cipher; and
• apply simple statistical methods for cryptanalysing ciphers.
From time immemorial, human beings have communicated with each other. With the
advancement of civilisation came the creation of political formations like countries with
conflicting interests. It also led to increased commercial activity. In political and
commercial activities, information is of great value and it often became necessary to
communicate information in such a way that no one but the intended recipient receives
the information. One of the main tools that has evolved to serve this purpose is
cryptography.
Traditionally, in cryptography, two communicating parties are called Bob and Alice.
There is a third party, usually called Eve, who is eavesdropping on the conversation,
trying to find out what they are saying to each other. Of course, it is not that Bob and
Alice are ‘good’ and Eve is ‘bad’. For example, Alice and Bob could be terrorists
plotting some terrorist act and Eve could be the government agency that is trying to
prevent it.
Cryptography is a discipline which embodies principles, means and methods for the
transformation of data in order to
As discussed earlier, adversaries may also be active and try to modify the message.
Adversaries are assumed to have complete access to the communication channel.
You may have studied about Julius Caesar, the Roman general and statesman who conquered
Gaul, a region of Western Europe which included present day France, Luxembourg and
Belgium, most of Switzerland, the western part of Northern Italy, as well as the parts of
the Netherlands and Germany on the left bank of the Rhine. He developed a method,
which is now known as the Caesar Cipher, for communicating with the generals of his
army.
Example 1: (Caesar cipher) Suppose the message we want to send, that is, the plain
text, comprises letters from the English alphabet. We convert it to a cipher text by
simply replacing each letter in the message with the letter that is three places further
down the alphabet. That is, “A” is replaced by “D,” “B” is replaced by “E,” . . . , “W” is
replaced by “Z,” “X” is replaced by “A,” “Y” is replaced by “B,” and “Z” is replaced by
“C”. To get back the original message from the cipher text, we perform the reverse
operation, that is, replace each letter of the cipher text with the letter that is three places
ahead in the alphabet. Thus, with this system, the word “YES” is encrypted as “BHV”,
while the cipher text “ZKB” yields the plain text “WHY”. See Table 1.
Plain text:   A B C D E F G H I J K L M
Cipher text:  D E F G H I J K L M N O P
Plain text:   N O P Q R S T U V W X Y Z
Cipher text:  Q R S T U V W X Y Z A B C
Table 1: Caesar’s Cipher.
Plain text:   I C A M E I S A W I C O N Q U E R E D
Cipher text:  L F D P H L V D Z L F R Q T X H U H G
∗∗∗
1. We choose a key k ∈ K .
2. We break up the plaintext into smaller units, each of which consists of a single
letter, or a pair of letters, or a block of some fixed number of letters. These are
known as message units.
Example 2: Let us see what P, C , Ek and Dk are in the Caesar cipher. Since we want
to construct functions between two sets, the first step is to label all possible plain text
message units and all possible cipher text units by means of mathematical objects. In
this case, our plain text and cipher text message units are single letters from the
26-letter alphabet A – Z, so we can label the letters using the integers 0, 1, 2, . . . , 25,
which we call their “numerical equivalents”, as in Table 2.
A  B  C  D  E  F  G  H  I  J  K   L   M
0  1  2  3  4  5  6  7  8  9  10  11  12
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
13  14  15  16  17  18  19  20  21  22  23  24  25
Table 2: Numerical equivalents of the characters in the English alphabet.
Recall from Unit 6 of MMT-003 that Z26 is the quotient ring Z/26Z. However, to make
notation less cumbersome, we will regard the set A = {0, 1, 2, . . . , 25} as Z26. To add
two numbers m, n ∈ A, we simply find the usual sum m + n and, if it is 26 or more,
take its remainder on division by 26 as the answer. If m + n is less than 26, the answer
is just the usual sum m + n. For example, the sum of 2 and 4 in A is 6, while the sum
of 24 and 12 is 10 in A. We can define multiplication similarly.
Under the correspondence in Table 2, let x ∈ A = {0, 1, . . . , 25} stand for a plain text
message unit. Define a function f from the set A to itself by the rule
f(x) = x + 3 (1)
Note that, the addition in Eqn. (1) is the addition we defined in A . Thus,
f(2) = 2 + 3 = 5, but f(24) = 1.
Therefore, what we have done in encrypting the word “YES” was to write down the
numerical equivalent in A to each letter under Table 2: “24 4 18”. Then, we find
f(24) = 1, f(4) = 7 and f(18) = 21. The letter equivalents to 1, 7 and 21 are B, H and V.
will convert a cipher text message unit to a plain text unit. It is easy to see how the
cipher text “ZKB”, mentioned above, gives the plain text “WHY” using this function.
We leave this verification as an exercise.
For the Caesar cipher, any plain text message is a string p1 p2 . . . pk with pi ∈ A. For
example, WHY corresponds to the string 22 7 24. Usually, strings are written without
gaps. We have put small gaps so that there is no ambiguity. Similarly, ZKB corresponds
to the string 25 10 24. So, both the plain text and cipher text are strings on the same
set A and we can take P and K to be subsets of L(A) consisting of strings of length
≤ t for some t. So, in this case, ∆ = Σ. Further, the key space contains only one
element, 3. The function E3 is the function f in Eqn. (1) and the function D3 is the
function g defined in Eqn. (2).
∗∗∗
You may recall that electronic documents do not have just the characters from the
alphabet. They also contain punctuation marks, numbers, symbols like &, $ and so on.
In fact, 265 different characters are possible in computers that use the ASCII encoding.
So, we need a larger set of symbols than just A. Instead of A, we can take the set
AN = {0, 1, 2, 3, . . . , N} as the set of symbols. We can define addition and
multiplication on AN as addition and multiplication modulo N as we did in the case of
A. We can define the analogue of the Caesar cipher on AN by
f(x) = x + 3. (3)
Eb(x) = x + b (5)
and the decryption function is
Db(x) = f^{-1}(x) = x − b (6)
∗∗∗
E3) Encrypt the text ‘ATTACK POSTPONED’ using a shift transformation with shift
parameter 15.
E4) The ciphertext ‘T SLGP DTYO’ was obtained by applying the shift
transformation with parameter 11. Find the plaintext.
In the next subsection, we will look at another generalisation of the shift cipher, the
affine cipher.
The Caesar cipher discussed earlier is a special case of the substitution cipher which
includes only 26 of the 26! possible permutations of the 26 elements. Another special
case of the substitution cipher is the affine cipher, which we describe now. In the affine
cipher, we restrict the encryption functions to functions of the form
E(x) = ax + b,
a ∈ Z∗26 , b ∈ Z26 . These functions are called affine functions, hence the name affine
cipher. Observe that when a = 1, b = 3, we have the Caesar cipher.
ax + b ≡ y
ax ≡ y − b
Now, as y varies over Z26, so too does y − b vary over Z26. Hence, it suffices to study
the congruence ax ≡ y, where y ∈ Z26.
Proposition 1: The equation ax ≡ y has a unique solution x ∈ Z26 for every y ∈ Z26 if
and only if gcd(a, 26) = 1.
Proof: This follows from proposition 2 in Unit 6 of MMT-003 with n = 26.
At this point we have shown that, if gcd(a, 26) = 1, then an equation of the form ax ≡ y
has, at most, one solution in Z26. Hence, if we let x vary over Z26, then ax takes on 26
distinct values in Z26. That is, it takes on every value exactly once. It follows that, for
any y ∈ Z26, the congruence ax ≡ y has a unique solution x.
There is nothing special about the number 26 in this argument. The following result
follows from proposition 2 in Unit 6 of MMT-003.
We would like to once again remind you that, in this unit, we represent Zm by the set
Am together with addition and multiplication modulo m as the binary operations.
Since 26 = 2 × 13, the values of a ∈ Z26 such that gcd(a, 26) = 1 are a = 1, 3, 5, 7, 9,
11, 15, 17, 19, 21, 23 and 25. The parameter b can be any element in Z26 . Hence the
affine cipher has 12 × 26 = 312 possible keys. It is clear that this is much too small to
be secure. In some cases it will be possible to break it by an exhaustive key search.
Let us now consider the general setting where the modulus is m. Recall that
Corollary 3 in Unit 6 of MMT-003 gives the value of φ(m) in terms of the prime power
factorisation of m.
Theorem 2: Suppose
m = ∏_{i=1}^{n} p_i^{e_i}
is the prime factorisation of m, where the pi’s are distinct primes and ei > 0, 1 ≤ i ≤ n.
Then
φ(m) = ∏_{i=1}^{n} (p_i^{e_i} − p_i^{e_i − 1}). (7)
For the affine cipher over Zm, the number of choices for b is m, and the number of
choices for a is φ(m). It follows that the number of keys in the affine cipher over Zm is
mφ(m), where φ(m) is given by the formula above. For example, when m = 60,
φ(60) = 2 × 2 × 4 = 16 and the number of keys in the affine cipher is, therefore, 960.
We have seen earlier, in the case m = 26, that to decrypt, we need to solve the equation
y = ax + b for x in Z26 , and that the equation will have a unique solution in Z26 (since
we have taken a to be relatively prime to 26). However, the discussion above does not
give us an efficient method of finding the solution. What we require is an efficient
algorithm to do this. Some results on modular arithmetic will provide us with the
efficient decryption algorithm we seek.
By proposition 2 in Unit 6 of MMT-003 it follows that a has a multiplicative inverse
modulo m if and only if gcd(a, m) = 1; and if a multiplicative inverse exists, it is
unique. Also, observe that if b = a^{-1}, then a = b^{-1}. In Z26, there are 12 elements
relatively prime to 26, so trial and error suffices to find the multiplicative inverses of
these elements: 1^{-1} = 1, 3^{-1} = 9, 5^{-1} = 21, 7^{-1} = 15, 11^{-1} = 19, 17^{-1} = 23, and
25^{-1} = 25. All of these can be easily verified. This is left as an exercise.
ax ≡ y − b (8)
Multiplying both sides of (8) by c = a^{-1} (so that ca = 1 in Zm), we get
c(ax) = c(y − b)
We have
c(ax) = (ca)x = 1x = x
Consequently,
x ≡ c(y − b),
Ek : Zm → Zm, x ↦ ax + b (mod m)
Dk : Zm → Zm, x ↦ a^{-1}(x − b) (mod m)
Example 4: Let us take m = 26. Suppose that the key k = (7, 3). As noted before,
7^{-1} mod 26 = 15. The encryption function is
that is,
∗∗∗
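The Caesar cipher of Examples 1 and 2, the shift cipher Eb, and the affine cipher Ek(x) = ax + b of this subsection, together with the key-validity test of Proposition 1, the multiplicative inverse found by the extended Euclidean algorithm, and the key count mφ(m) of Theorem 2, as an added Python example. This code is not from the unit; the alphabet handling and the function names are the example's own.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # Table 2: A = 0, ..., Z = 25


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a, m):
    """a^-1 mod m when gcd(a, m) = 1; None otherwise (no inverse exists)."""
    g, s, _ = egcd(a % m, m)
    return s % m if g == 1 else None


def is_legal_key(a, m):
    """E(x) = ax + b is a bijection on Z_m exactly when gcd(a, m) = 1 (Proposition 1)."""
    return gcd(a, m) == 1


def phi(m):
    """Euler's phi from the prime-power factorisation, Eqn. (7): prod(p^e - p^(e-1))."""
    result, n, p = 1, m, 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            result *= p**e - p**(e - 1)
        p += 1
    if n > 1:                      # one remaining prime factor with exponent 1
        result *= n - 1
    return result


def affine_key_count(m):
    """Number of keys (a, b): phi(m) choices of a times m choices of b."""
    return m * phi(m)


def affine_encrypt(plain, a, b, alphabet=ALPHABET):
    """E_k(x) = ax + b (mod m) letter by letter; m is the alphabet size."""
    m = len(alphabet)
    if not is_legal_key(a, m):
        raise ValueError(f"illegal key: gcd({a}, {m}) != 1")
    return "".join(alphabet[(a * alphabet.index(ch) + b) % m] for ch in plain)


def affine_decrypt(cipher, a, b, alphabet=ALPHABET):
    """D_k(y) = a^-1 (y - b) (mod m)."""
    m = len(alphabet)
    a_inv = mod_inverse(a, m)
    if a_inv is None:
        raise ValueError(f"illegal key: gcd({a}, {m}) != 1")
    return "".join(alphabet[(a_inv * (alphabet.index(ch) - b)) % m] for ch in cipher)


def shift_encrypt(plain, b, alphabet=ALPHABET):
    """The shift cipher E_b(x) = x + b is the affine cipher with a = 1; b = 3 is Caesar's."""
    return affine_encrypt(plain, 1, b, alphabet)


def shift_decrypt(cipher, b, alphabet=ALPHABET):
    return affine_decrypt(cipher, 1, b, alphabet)


if __name__ == "__main__":
    print(shift_encrypt("YES", 3), shift_decrypt("ZKB", 3))          # BHV WHY
    print(affine_encrypt("CRYPTO", 7, 3), affine_decrypt("RSPEGX", 7, 3))
    print(affine_key_count(26), affine_key_count(60))                 # 312 960
```

Passing alphabet=ALPHABET + " " gives the 27-letter alphabet with blank = 26 used in E6. The gcd check is the practical point: with a = 13 the map x ↦ 13x + b sends both 0 and 2 to b, so "encryption" would destroy information, and an implementation must reject such keys rather than silently produce undecryptable output.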
E5) a) How many different shift transformations are there with an N-letter alphabet?
b) How many affine transformations are there when N = 26, 27, 28, 29, 30?
E6) In the 27-letter alphabet (with blank = 26), use the affine enciphering
transformation with key a = 13, b = 9 to encipher the message “HELP ME.”
Classical ciphers, also known as symmetric encryption, were the only type of
encryption in use before the development of public-key encryption. This unit will
comprise topics related to classical ciphers.
To use a specific cryptosystem, Alice and Bob will employ the following procedure.
They choose a random key k ∈ K first. They can meet at some mutually agreed place,
away from the prying eyes of Eve, and decide upon the key. They could also use a
secure channel. A secure channel could be a trusted courier, for example. Another
possibility is to use a key exchange protocol like the Diffie-Hellman protocol that we
will discuss in the third Block of this course.
Suppose Alice wants to communicate a message to Bob over an insecure channel later.
Suppose this message is a string x = x1 , x2 , . . . , xn for some integer n ≥ 1, where each
plain text symbol xi ∈ Σ, 1 ≤ i ≤ n. Alice encrypts each xi using the encryption rule Ek
specified by the predetermined key k. Hence Alice computes Ek (xi ), 1 ≤ i ≤ n and
sends the resulting cipher text string y = y1 , y2 , . . . , yn over the channel. When Bob
receives y = y1 , y2 , . . . , yn , he decrypts it using the decryption function Dk , obtaining
the original plain text string x1 , x2 , . . . , xn . Fig. 1 is an illustration of the communication
channel.
Fig. 1: Alice passes the plain text x to the encrypter (key k); the cipher text y travels over the channel, where Eve is listening; Bob’s decrypter (key k) recovers x.
Note that if P = C , it follows that each encryption function is a permutation. That is,
if the set of plain texts and cipher texts are identical, then each encryption function just
rearranges (or permutes) the elements of this set. In the example of the Caesar cipher
above, we have seen that P = C as they are both equal to the set of strings of length
≤ t in the set of symbols A .
Classical ciphers are often divided into substitution ciphers and transposition
ciphers.
In a transposition cipher, the letters themselves are kept unchanged, but rather their
order within the message is scrambled according to some well-defined scheme.
Modern ciphers, for example the data encryption standard (DES), iterate through
several stages of substitution and transposition.
The rest of this unit deals only with transposition ciphers and substitution ciphers.
E7) What is the key space of the generalised Caesar cipher when
a) the plain text space is {0, 1, . . . , 25}?
b) the plain text space is {0, 1, . . . , N − 1}, for any positive integer N?
E8) The cipher text VHFUHW has been generated with the (generalised) Caesar
cipher on the plain text space {0, 1, . . . , 25}. Determine the key and the plain text.
Cryptography is not used by law abiding people alone. Even criminals and terrorists
use cryptography to keep their secrets. In this case, the law enforcement agencies will
play the role of Eve. Suppose you are a law enforcement officer and you want to read
a communication between two law breakers. You are not privy to the enciphering and
deciphering information used by the two people, but you would nevertheless like to be
able to read the enciphered messages. If you succeeded in doing so, you would have
broken the cipher, and the science of breaking ciphers is called cryptanalysis.
To break a cryptosystem, you need two types of information. The first is the general
nature (the structure) of the system. For example, suppose you know that the
cryptosystem uses a shift transformation on single letters of the 26-letter alphabet A − Z
with numerical equivalents 0 − 25, respectively.
The second type of information is the knowledge of a specific choice of certain
parameters connected with the given type of cryptosystem. In our example, the second
type of information you need to know is the choice of the shift parameter b. Once one
has that information, one can encipher and decipher by the formulas C = P + b and
P = C − b. Of course, the shift cipher is too weak: if it is known that the text has
been encrypted using a shift cipher, we can easily find the plain text by trying all
possible keys.
In the earlier days, both the ciphering algorithm and the keys were kept secret.
However, the modern designers of cryptosystems always make the assumption that the
general structural information is known. This assumption is called Kerckhoffs’ law.
In practice, users of cryptography often have a special computer chip or software for
enciphering and deciphering text. The chip or software usually uses only one type of
cryptosystem. Over a period of time the information about what type of system they are
using might leak out. To increase their security, therefore, the users frequently change
the choice of parameters used with the system. So, any cryptosystem has to have
sufficiently many keys so that the cryptosystem cannot be solved by exhaustive key
search, i.e. by trying out all the possible keys.
We conclude this section here. In the next section, we will start our discussion of
simple ciphers with transposition ciphers.
The earliest known use of a substitution cipher, and the simplest, was the Caesar cipher,
which is an example of a simple substitution cipher. The cipher text alphabet is actually
a rotation of the plain text alphabet and not an arbitrary permutation.
Polygram substitution ciphers are ciphers in which groups of letters are encrypted
together.
Polyalphabetic substitution ciphers have multiple one-letter keys, each of which is used
to encrypt one letter of the plain text. The first one encrypts the first letter of the plain
text, the second one encrypts the second letter of the plain text, and so on. After all the
keys are used, the keys are recycled. If there were 20 one-letter keys, then every
twentieth letter would be encrypted with the same key. This is called the period of the
cipher. In classical cryptography, ciphers with longer periods were significantly harder
to break than ciphers with short periods. There are computer techniques that can easily
break substitution ciphers with very long periods. The Vigenère cipher, which we will
discuss later in this unit, is an example of a polyalphabetic substitution cipher.
Remark 1: In the case of the substitution cipher, we might as well take
∆ = Σ = {A, B, C, . . . , Z}. We used A in the Caesar cipher because encryption and
decryption were algebraic operations. In most substitution ciphers, it is more
convenient to think of encryption and decryption as permutations of alphabetic
characters.
The best known, and one of the simplest examples of the polyalphabetic substitution
cipher is the Vigenère cipher. This cipher is named after Blaise de Vigenère, who
lived in the sixteenth century. As described earlier, polyalphabetic substitution ciphers
have multiple one-letter keys, each of which is used to encrypt one letter of the plain
text. The first one encrypts the first letter of the plain text, the second one encrypts the
second letter of the plain text, and so on. After all the keys are used, the keys are
recycled.
∗∗∗
E10) Encrypt the string ‘ICAMEISAWICONQUERED’ using the Vigenère cipher. Use
the keyword ‘GAUL’.
E11) Decrypt the string ‘WTBTYKXHOTXHJEL’ which was encrypted using the
Vigenère cipher with the keyword ‘WAIT’.
Another way of understanding and implementing the Vigenère cipher is by using the
Vigenère tableau. See Table 3. Each of the 26 ciphers is laid out horizontally, with the
key letter for each cipher to its left. A normal alphabet for the plain text runs across the
top. The process of encryption is simple: Given a key letter x and a plain text letter y,
the cipher text letter is at the intersection of the row labelled x and the column labelled
y; in this case the cipher text is V. To encrypt a message, a key is needed that is as long
as the message. Usually, the key is a repeating keyword. Let us look at the same
Example 5 considered above. Using the Vigenère tableau (see Table 3), the message
‘ICAMEISAWICONQUERED’ is encrypted as follows:
key: CAESARCAESARCAESARC
plain text: ICAMEISAWICONQUERED
cipher text: KGAEECUEWACFPUUWRVF
Decryption is equally simple. The key letter again identifies the row. The position of
the cipher text letter in that row determines the column, and the plain text letter is at the
top of that column.
The strength of this cipher is that there are multiple cipher text letters for each plain text
letter, one for each unique letter of the keyword. Thus, the letter frequency information
is lost. However, not all knowledge of the plain text structure is lost. There is enough
information available which will enable us to break this cipher.
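The two readings of the Vigenère cipher described above, the tableau lookup of Table 3 and addition in Z26, as an added Python example that is not from the unit; the message and keyword are constructed for the example. The function cipher_images illustrates the remark on strength: one plain text letter maps to as many cipher text letters as there are distinct key letters aligned with it.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere_tableau():
    """Table 3: the row labelled by key letter k is the alphabet rotated left by k places."""
    return {ALPHABET[k]: ALPHABET[k:] + ALPHABET[:k] for k in range(26)}


TABLEAU = vigenere_tableau()


def key_stream(keyword, n):
    """Repeat the keyword to obtain a key as long as the message."""
    return [keyword[i % len(keyword)] for i in range(n)]


def encrypt_tableau(plain, keyword):
    """Cipher letter = entry in the row of the key letter and the column of the plain letter."""
    return "".join(TABLEAU[k][ALPHABET.index(p)]
                   for p, k in zip(plain, key_stream(keyword, len(plain))))


def decrypt_tableau(cipher, keyword):
    """Find the cipher letter in the key letter's row; the column label is the plain letter."""
    return "".join(ALPHABET[TABLEAU[k].index(c)]
                   for c, k in zip(cipher, key_stream(keyword, len(cipher))))


def encrypt_mod26(plain, keyword):
    """The same cipher as addition in Z_26: y_i = x_i + k_i (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plain, key_stream(keyword, len(plain))))


def decrypt_mod26(cipher, keyword):
    """x_i = y_i - k_i (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(cipher, key_stream(keyword, len(cipher))))


def cipher_images(plain, cipher, letter):
    """All cipher letters that one plain letter was mapped to: one per distinct key
    letter aligned with it, which is why single-letter frequencies are blurred."""
    return {c for p, c in zip(plain, cipher) if p == letter}


# Constructed example (not from the unit): keyword LEMON, message ATTACKATDAWN.
PLAIN = "ATTACKATDAWN"
KEYWORD = "LEMON"

if __name__ == "__main__":
    c = encrypt_tableau(PLAIN, KEYWORD)
    print(c, decrypt_tableau(c, KEYWORD), sorted(cipher_images(PLAIN, c, "A")))
```

Both encryption routines agree on every input because row k of the tableau is exactly the map x ↦ x + k; the tableau is a lookup table for modular addition, nothing more.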
In the next section, we discuss another important class of ciphers, the transposition
ciphers.
A simple transposition cipher preserves the number of symbols, and thus is easily
cryptanalysed. We shall defer the discussion on cryptanalysis of these ciphers, as well
as that of other encryption schemes, to the last section.
a b c d e f g h i j k l m n o p q r s t u v w x y z
a A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
b B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
c C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
d D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
e E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
f F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
g G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
h H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
i I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
j J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
k K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
l L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
m M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
n N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
o O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
p P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
r R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
s S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
t T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
u U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
v V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
w W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
x X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Table 3: The Vigenère Tableau
The following are some implementations of the transposition cipher:
The row transformation cipher is the simplest transposition cipher. We fix the number of rows, say m. In the row
transformation cipher, the plain text is written downwards on successive columns,
starting a new column when the mth row is reached. The message is then read off in
rows. For example, if we have three rows and a message of ‘WE ARE DISCOVERED
FLEE AT ONCE’, the sender writes out
W R I O R F E O E P
E E S V E L A N J D
A D C E D E T C X Q
The extra odd letters at the end are “nulls”, added to round off the pattern, or to confuse
an eavesdropper. The cipher text is read off as ‘WRIOR FEOEP EESVE LANJD
ADCED ETCXR’.
(Grouping letters into blocks of a standard size, typically five, was a practice developed
for the ease of transmission.)
In the simple columnar transposition cipher, we fix the number of columns. The
plain text is written horizontally onto a piece of graph paper of width m and the cipher
text is read off vertically. Decryption is a matter of writing the cipher text vertically
onto a piece of graph paper of identical width and then reading the plain text off
horizontally.
The following diagram illustrates the simple columnar transposition cipher with
column width six.
W E A R E D
I S C O V E
R E D F L E
E A T O N C
E U V W X Y
The ancient Greeks, and the Spartans in particular, are said to have used this cipher to
communicate during military campaigns in what is known as the scytale cipher. A
scytale is a tool used to perform a transposition cipher, consisting of a cylinder with a
strip of paper wound around it on which is written a message.
The recipient uses a rod of the same diameter on which he wraps the paper to read the
message. It has the advantage of being fast and not prone to mistakes. It can, however,
be easily broken.
The two ciphers described above are easy to break. To make it more complex, we could
permute the order of the columns after writing the message in a rectangle in a similar
fashion as before. That is, to encrypt, we write the message row by row, shuffle the
columns, and then read off the ciphertext column by column. The order of the columns
then becomes the key to the algorithm. For example,
Key: 4 3 1 2 5 6 7
R E T U R N T
O H E A D Q U
A R T E R S A
T O N C E X Y
A pure transposition cipher has the drawback that the ciphertext has the same letter
frequencies as the plaintext. Thus, to cryptanalyze this kind of cipher is fairly
straightforward. In the case of the type of columnar transposition you have just seen, in
order to break it, you need to arrange the ciphertext in a matrix and shuffle the columns
around. Read off the resulting text you get at each trial until you hit upon a message
which makes sense.
We can increase the degree of security of the transposition cipher by performing more
than one stage of transposition. Shuffling the columns more than once greatly enhances
the security of this cipher as it becomes more difficult to arrive at the original plaintext
by rearranging the columns of the matrix, without knowing the key. Thus, let us encrypt
the foregoing message again, using the same algorithm.
Key: 4 3 1 2 5 6 7
Input: T E T N U A E
C E H R O R O
A T R D R E N
Q S X T U A Y
What do we achieve by repeating the transposition? To answer this question, let us first
assign a number to each letter in the original plaintext message, that number being its
position in the message. Hence, the original message is represented by
01 02 03 04 05 06 07 08 09 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28
After the first transposition, the positions are read off as
03 10 17 24 04 11 18 25 02 09 16 23 01 08
15 22 05 12 19 26 06 13 20 27 07 14 21 28
and after the second transposition as
17 09 05 27 24 16 12 07 10 02 22 20 03 25
15 13 04 23 19 14 11 01 26 21 18 08 06 28
This is a more complex permutation and is much more difficult to cryptanalyze.
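The keyed columnar transposition with key 4 3 1 2 5 6 7, applied once and then twice, as an added Python example; the code is not from the unit. MESSAGE is the matrix above read row by row, with its two null letters XY included. position_trace reproduces the numbered position tables, and the decrypt functions show that the holder of the key undoes each round by inverting the same permutation of positions.

```python
def columnar_permute(items, key):
    """One round of keyed columnar transposition on a sequence whose length is a
    multiple of len(key): write it row by row into len(key) columns, then read the
    columns in key order (the column labelled 1 first, then 2, and so on)."""
    m = len(key)
    if len(items) % m:
        raise ValueError("length must be a multiple of the key length")
    rows = [items[i:i + m] for i in range(0, len(items), m)]
    order = sorted(range(m), key=lambda j: key[j])   # column indices in reading order
    return [row[j] for j in order for row in rows]


def columnar_encrypt(text, key, pad="X"):
    """Strip spaces, complete the last row with nulls, and transpose."""
    text = text.replace(" ", "")
    text += pad * (-len(text) % len(key))
    return "".join(columnar_permute(list(text), key))


def columnar_decrypt(cipher, key):
    """Recover the plaintext by inverting the position permutation of one round."""
    n = len(cipher)
    src = columnar_permute(list(range(n)), key)   # src[k] = plaintext index of cipher[k]
    plain = [""] * n
    for k, i in enumerate(src):
        plain[i] = cipher[k]
    return "".join(plain)


def multi_round_encrypt(text, key, rounds=2, pad="X"):
    for _ in range(rounds):
        text = columnar_encrypt(text, key, pad)
    return text


def multi_round_decrypt(cipher, key, rounds=2):
    for _ in range(rounds):
        cipher = columnar_decrypt(cipher, key)
    return cipher


def position_trace(n, key, rounds=2):
    """Follow the positions 1..n through the rounds, as in the numbered tables."""
    positions = list(range(1, n + 1))
    trace = []
    for _ in range(rounds):
        positions = columnar_permute(positions, key)
        trace.append(positions)
    return trace


# The matrix rows RETURNT / OHEADQU / ARTERSA / TONCEXY joined together;
# the trailing XY are the nulls that complete the last row.
MESSAGE = "RETURNTOHEADQUARTERSATONCEXY"
KEY = [4, 3, 1, 2, 5, 6, 7]

if __name__ == "__main__":
    first = columnar_encrypt(MESSAGE, KEY)
    print(first, columnar_encrypt(first, KEY))
    for row in position_trace(28, KEY):
        print(row)
```

With key [1, 2, ..., m] the same code is the simple columnar transposition of width m. Note that the second round only rearranges positions again: the letter frequencies of the ciphertext are still those of the plaintext, which is what the cryptanalysis section exploits.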
We shall end this section with a formal definition of the transposition cipher. Let us
assume that the plain text consists of letters from the English alphabet, and to each
letter of the alphabet, we assign a number designated by its order. For example, 0
corresponds to A, 1 corresponds to B, . . . , 25 corresponds to Z. Thus the English
alphabet can be represented by Z26 , according to the following table:
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Definition 6: Let m be some fixed positive integer. Let P and C be the sets of strings of
length at most t and let K consist of all permutations of {1, 2, . . . , m}. We divide the
plaintext into strings of length m and encrypt and decrypt as follows: For a key (i.e., a
permutation) π, we define
eπ(x1, x2, . . . , xm) = (xπ(1), xπ(2), . . . , xπ(m))
and
dπ(y1, y2, . . . , ym) = (yπ^{-1}(1), yπ^{-1}(2), . . . , yπ^{-1}(m)),
where π^{-1} is the inverse permutation to π.
Let us consider the following example which gives a slightly different type of
implementation of the transposition cipher from the ones discussed above. Take m = 5
and the permutation
π = ( 1 2 3 4 5 ; 3 5 2 1 4 ),
whose inverse is
π^{-1} = ( 1 2 3 4 5 ; 4 3 1 5 2 ).
Now, suppose we are given the plain text ‘RETURN TO HEADQUARTERS’ We first
group the plain text into groups of six letters:
Let us now apply the permutation to the block RETUR as shown in Fig. 2. Let us
similarly permute the remaining blocks according to the permutation π. We get the
following
∗∗∗
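Definition 6 as an added Python example; the code is not the unit's own. The permutation is the π on {1, . . . , 5} given above. Fig. 2 moves the letter in position i to position π(i), which is the formula of dπ rather than of eπ, so the two conventions differ by replacing π with π^{-1}; the code computes both, and in practice both ends of a channel must agree on one.

```python
def inverse_permutation(pi):
    """pi maps {1..m} -> {1..m}, given as a dict; return pi^-1."""
    return {image: i for i, image in pi.items()}


def e_pi(block, pi):
    """Definition 6: e_pi(x_1, ..., x_m) = (x_pi(1), ..., x_pi(m)); block is 0-indexed."""
    m = len(pi)
    return "".join(block[pi[i] - 1] for i in range(1, m + 1))


def d_pi(block, pi):
    """d_pi(y_1, ..., y_m) = (y_pi^-1(1), ..., y_pi^-1(m)), i.e. e with the inverse."""
    return e_pi(block, inverse_permutation(pi))


def transposition_encrypt(text, pi, pad="X"):
    """Split into blocks of length m = len(pi), padding the last one with nulls,
    and permute each block with e_pi."""
    m = len(pi)
    text += pad * (-len(text) % m)
    return "".join(e_pi(text[i:i + m], pi) for i in range(0, len(text), m))


def transposition_decrypt(cipher, pi):
    m = len(pi)
    return "".join(d_pi(cipher[i:i + m], pi) for i in range(0, len(cipher), m))


# The permutation on {1, ..., 5}: pi(1)=3, pi(2)=5, pi(3)=2, pi(4)=1, pi(5)=4.
PI = {1: 3, 2: 5, 3: 2, 4: 1, 5: 4}

if __name__ == "__main__":
    print(inverse_permutation(PI))                               # pi^-1: 4 3 1 5 2
    print(e_pi("RETUR", PI), e_pi("RETUR", inverse_permutation(PI)))  # TRERU UTRRE
    c = transposition_encrypt("RETURNTOHEADQUARTERS", PI)
    print(c, transposition_decrypt(c, PI))
```

Because a block permutation never changes which letters occur, only where, the two-round columnar cipher of the previous subsection is itself an eπ for a single π on 28 positions; the position tables above are exactly that π written out.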
Try the following exercise to test your understanding of the transposition ciphers.
Fig. 2: The permutation applied to the block RETUR.
Positions:  1 2 3 4 5
Letters:    R E T U R
Positions:  1 2 3 4 5
Letters:    U T R R E
E12) Use the simple columnar transposition cipher of width six to encrypt the plain
text “CANCEL LAST ORDER HEADQUARTERS.”
E13) In order to make the cipher in Exercise 12 more secure, permute the order of the
columns according to the key 453261. Write down the cipher text you obtain after
this step. Re-encrypt the cipher text using the same algorithm, and write down the
final output.
In the next section, we will adopt the point of view of Eve who would like to read the
messages without the key. We will discuss cryptanalysis of ciphers.
3.5 CRYPTANALYSIS
1. Ciphertext-only attack. Eve has the ability to obtain ciphertexts. This is likely
to be the case in any encryption situation. If this kind of attack is successful, then
the encryption method is completely insecure.
3. Chosen-plaintext attack. Eve has the ability to obtain ciphertexts for some
particular plaintexts. She then uses this knowledge to try and decrypt a ciphertext
for which she does not have the plaintext. Such a situation may arise if, for
example, Eve sends some data to Alice which she knows will be encrypted and
then transmitted. Eve then intercepts the encrypted message, and uses the
information to decipher some other ciphertext, without any further interaction. In
this kind of attack, it is sufficient if the adversary carries out this operation just
once.
In order to break a cryptosystem, the goal is to determine the key that was used. Let us
now see how the attacks listed above work.
A simple ciphertext-only attack is the following. The attacker Eve decrypts the
ciphertext with all keys from the key space until she finds the correct plaintext among
the few plaintexts that make sense. That attack is called exhaustive key search. This
attack will work for cryptosystems with very small key spaces. For example, the Caesar
cipher uses only 26 keys. It is, therefore, very easy to determine the plaintext from the
ciphertext by the method of exhaustive key search, and checking which plaintext makes
sense. This also yields the secret key being used. (Note that the notion of a “small” key
space depends on how much computing power is available.)
So, for a secure cryptosystem, the minimum requirement is that it should resist an
exhaustive key search, i.e., the key space should be very large. However, a large key
space is not sufficient to guarantee security because there are other methods of
cryptanalysis which will succeed in certain ciphers as we shall see below.
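Exhaustive key search on the shift cipher, as an added Python example that is not from the unit: every one of the 26 keys is tried, and a letter-frequency score stands in for the human judgement of which candidate plaintext "makes sense". The frequency table is a standard one for English text, and the sample ciphertext is constructed for the example.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequencies of letters in English text (a standard table, summing to about 1).
ENGLISH_FREQ = {
    "A": .082, "B": .015, "C": .028, "D": .043, "E": .127, "F": .022, "G": .020,
    "H": .061, "I": .070, "J": .002, "K": .008, "L": .040, "M": .024, "N": .067,
    "O": .075, "P": .019, "Q": .001, "R": .060, "S": .063, "T": .091, "U": .028,
    "V": .010, "W": .023, "X": .001, "Y": .020, "Z": .001,
}


def shift_encrypt(plain, b):
    return "".join(ALPHABET[(ALPHABET.index(p) + b) % 26] for p in plain)


def shift_decrypt(cipher, b):
    return "".join(ALPHABET[(ALPHABET.index(c) - b) % 26] for c in cipher)


def english_score(text):
    """Average English frequency of the letters in text: a crude stand-in for a
    human judging which candidate plaintext reads as English."""
    return sum(ENGLISH_FREQ[ch] for ch in text) / len(text)


def exhaustive_key_search(cipher):
    """Decrypt under every key in the key space (all 26) and rank the candidates."""
    candidates = [(b, shift_decrypt(cipher, b)) for b in range(26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)


def recover_key(cipher):
    """The key whose candidate plaintext scores highest."""
    return exhaustive_key_search(cipher)[0][0]


# Constructed sample (not from the unit): an English sentence enciphered with shift 7.
CIPHERTEXT = "TLLATLHAAOLZAHAPVUHAUPULAVUPNOA"

if __name__ == "__main__":
    for b, plain in exhaustive_key_search(CIPHERTEXT)[:3]:
        print(b, plain, round(english_score(plain), 3))
```

The whole search costs 26 decryptions, which is the point of the remark that a small key space makes a cipher insecure regardless of how the cipher is built; the scoring step matters only because a program, unlike a reader, needs a mechanical notion of "makes sense".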
As a simple illustration of how cryptanalysis can be performed using statistical data, let
us look at the affine cipher. The following example is from [15], page 27.
FMXVEDKAPHFERBNDKRXRSREFMORU
DSDKDVSHVUFEDKAPRKDLYEVLRHHRH
There are only 57 characters of ciphertext, but this is sufficient to cryptanalyze an affine
cipher. The ciphertext characters that occur frequently are: R (8 occurrences), D (6
occurrences), E, H, K (5 occurrences each), and F, S, V (4 occurrences each). Since E
and T are the two most common letters (see Table 5), our first guess is that R is the
encryption of e and D is the encryption of t. This means that Ek(4) = 17 and
Ek(19) = 3. Recall that Ek(x) = ax + b (mod 26), where a and b are unknowns. So, we
have the equations
4a + b ≡ 17 (mod 26)
19a + b ≡ 3 (mod 26).
You can check that a = 6, b = 19 in Z26 satisfy these equations. But this is an illegal
key, since gcd(a, 26) = 2 > 1. So our first guess is wrong.
The next possibility is that R is the encryption of E and H is the encryption of T. We get
a = 8 in this case, which is also impossible. Let us now check if R is the encryption of
E and K is the encryption of T. We now obtain a = 3, b = 5, which is at least a legal
key. To confirm that this is the key, we have to find the decryption function
corresponding to k = (3, 5), and then decrypt the ciphertext to see whether or not we get
a string which makes sense. The decryption function corresponding to (3, 5) as the key
is D_k(y) = 9y − 19 (mod 26). Under this transformation, the given ciphertext yields:
algorithmsarequitegeneraldefinitionsofarithmeticprocesses
Thus, we conclude that we have determined the correct key.
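The frequency-based attack on the affine cipher just carried out, as an added Python example that is not part of the unit: it ranks the ciphertext letters by frequency, solves the two congruences for (a, b), rejects any key with gcd(a, 26) > 1 and decrypts with the first legal one. The same routine handles the ciphertext of E15.

```python
from collections import Counter
from math import gcd

def to_int(c):
    """A..Z (either case) -> 0..25."""
    return ord(c.upper()) - ord("A")

def solve_affine_pair(x1, y1, x2, y2):
    """Solve y1 = a*x1 + b and y2 = a*x2 + b (mod 26) for the key (a, b).

    Subtracting the congruences gives (x1 - x2)*a = y1 - y2 (mod 26), which has a
    unique solution only when x1 - x2 is a unit mod 26 (true for E = 4, T = 19).
    """
    d = (x1 - x2) % 26
    if gcd(d, 26) != 1:
        raise ValueError("x1 - x2 is not invertible mod 26; pick another pair")
    a = ((y1 - y2) * pow(d, -1, 26)) % 26
    b = (y1 - a * x1) % 26
    return a, b

def affine_decrypt(ct, a, b):
    """D_k(y) = a^{-1}(y - b) mod 26; pow() raises ValueError for an illegal a."""
    a_inv = pow(a, -1, 26)
    return "".join(chr(a_inv * (to_int(y) - b) % 26 + ord("a")) for y in ct)

def break_affine(ct):
    """Assume the top ciphertext letter is E; try the next ones as T in frequency order.

    Returns (key, plaintext, rejected), where rejected lists the illegal keys
    (gcd(a, 26) > 1) discarded on the way. As in the unit, the reader still has
    to check that the plaintext makes sense.
    """
    ranked = [c for c, _ in Counter(ct).most_common()]
    e_img, rejected = ranked[0], []
    for t_img in ranked[1:]:
        a, b = solve_affine_pair(4, to_int(e_img), 19, to_int(t_img))
        if gcd(a, 26) == 1:
            return (a, b), affine_decrypt(ct, a, b), rejected
        rejected.append((t_img, a, b))
    return None

# The 57-letter ciphertext of the worked example above.
CT = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH"

if __name__ == "__main__":
    print(Counter(CT).most_common(8))
    print(break_affine(CT))
```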
E14) Using frequency analysis, cryptanalyse and decipher the following message,
which you know was enciphered using a shift transformation of single-letter plain
text message units in the 26-letter alphabet:
PXPXKXENVDRUXVTNLXHYMXGMAAXYKXJN
XGVRFXMAHWGXXWLEHGZXKVBIAXKMXQM.
E15) In a long string of cipher text which was encrypted by means of an affine map on
single-letter message units in the 26-letter alphabet, you observe that the most
frequently occurring letters are “Y” and “V”, in that order. Assuming that those
cipher text message units are the encryption of “E” and “T” respectively, read the
message “QAOOYQQEVHEQV”.
Cryptanalysis of Simple Substitution Ciphers
We can easily break a substitution cipher even when the key space is extremely large because
the cipher does not hide the underlying frequencies of the different letters of the plain
text. If the plain text consists of letters from the English alphabet, then the total number
of all permutations on this set is 26!, i.e., the size of the key space is 26! ≈ 4 × 10^26,
which is extremely large. However, the key being used can be determined quite easily
by examining a modest amount of cipher text. This follows from the simple observation
that the distribution of letter frequencies is preserved in the cipher text. For example,
the letter E occurs more frequently than the other letters in ordinary English text. Hence
the letter occurring most frequently in a sequence of cipher text blocks is most likely to
correspond to the letter E in the plain text. By observing a modest amount of cipher text
blocks, a cryptanalyst can determine the key. Such cipher text-only attacks use
statistical properties of the plain text language.
Let us look at this method of frequency analysis in greater detail. We assume that the
plain text string is ordinary English text, without punctuation or spaces. (This makes
cryptanalysis more difficult than if punctuation and spaces were encrypted.)
Frequency tables that give the estimated relative frequencies of the 26 letters are available.
The estimates in Table 5 were obtained by Beker and Piper.
On the basis of the above probabilities, Beker and Piper divide the 26 letters into five
groups as follows:
It may also be useful to consider sequences of two or three consecutive letters called
digrams and trigrams, respectively. The 30 most common digrams are (in decreasing
order) TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA,
NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, and OF. The twelve most common
trigrams are (in decreasing order) THE, ING, AND, HER, ENT, THA, NTH, WAS,
ETH, FOR, and DTH.
Homophonic substitution ciphers are much more complicated to break than simple
substitution ciphers, but still do not obscure all of the statistical properties of the plain
text language. With a known-plain text attack, the ciphers are trivial to break. A cipher
text-only attack is harder, but only takes a few seconds on a computer.
The best known, and one of the simplest examples of the polyalphabetic substitution
cipher is the Vigenère cipher. Observe that the number of possible keywords of length
m in a Vigenère cipher is 26^m, so even for relatively small values of m, an exhaustive
key search would require a long time. For example, if we take m = 5, then the key
space has size exceeding 1.1 × 10^7. This is already large enough to preclude exhaustive
key search by hand.
We can break the Vigenère cipher by the Kasiski method. Kasiski described this method in
1863, but apparently it was discovered earlier by Charles Babbage. We will give an
outline of the method. If you are interested in more details, you can refer to the books
given as references at the end of the block. The method is based on the observation that
two identical segments of plaintext will be encrypted to the same cipher text if they
occur d positions apart where m | d, m being the length of the key word. In the Kasiski
method, we do the following: we search for identical segments of ciphertext of length at
least 3 and note down the distances between such occurrences, say d1, d2, . . .. If we
obtain several such distances, then m will probably divide all of them and hence it will
divide their greatest common divisor. By looking at the various divisors of the greatest
common divisor, we try to find the length of the key word.
Suppose we guess that the length of the key word is 5. We write the cipher text in a grid
with 5 columns. For example, suppose the cipher text is
PXPXKXENVDRUXVTNLXHYMXGMAAXYKXJN and our guess is that the text has
been encrypted using a Vigenère cipher with a key word of length 5. Then we arrange
the ciphertext in 5 columns as follows:
1 2 3 4 5
P X P X K
X E N V D
R U X V T
...
We analyse the frequencies of each of the columns separately, treating them as
ciphertexts obtained using five different shift ciphers. If our guess about the length is
correct, we can obtain the key using this method.
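The Kasiski step and the column-wise frequency analysis described above, as an added Python example that is not part of the unit. The plaintext is a constructed, deliberately E-heavy string of five-letter words (so that E is the strict majority letter in every column), the key LEMON is an assumption for the demonstration, and the most frequent letter of each column is taken to be the image of E.

```python
from collections import Counter
from functools import reduce
from math import gcd

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (A = 0); subtract to decrypt."""
    out = []
    for i, ch in enumerate(text):
        k = ord(key[i % len(key)]) - A
        out.append(chr((ord(ch) - A + (-k if decrypt else k)) % 26 + A))
    return "".join(out)

def kasiski_distances(ct, n=3):
    """Distance from each repeated n-gram to its previous occurrence in ct."""
    last, dists = {}, []
    for i in range(len(ct) - n + 1):
        seg = ct[i:i + n]
        if seg in last:
            dists.append(i - last[seg])
        last[seg] = i
    return dists

def guess_key_length(ct):
    """The key length should divide every distance, hence their gcd."""
    return reduce(gcd, kasiski_distances(ct))

def recover_key(ct, m):
    """Split ct into m columns; in each, the most frequent letter is taken as E."""
    key = ""
    for j in range(m):
        top = Counter(ct[j::m]).most_common(1)[0][0]
        key += chr((ord(top) - ord("E")) % 26 + A)
    return key

# Constructed drill text (not from the unit): five-letter words, deliberately
# E-heavy so that E is the strict majority letter in every column.
PLAINTEXT = ("THREEELDERWHEREBEGETAGREEEVADEDEEPS"
             "FLEETEERIESEVENSWEETEVADETHREEQUEENSEVEN")
KEY = "LEMON"  # assumed key for the demonstration

if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    print("ciphertext:", ct)
    print("repeat distances:", kasiski_distances(ct))
    m = guess_key_length(ct)
    print("gcd of distances:", m)
    print("recovered key:", recover_key(ct, m))
```

Repeated words land at distances that are multiples of 5 (15, 20, 25, 30, 40, 60), so the gcd gives the key length directly; on natural text some chance repeats have to be discarded first.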
In a transposition cipher the plain text remains the same, but the order of characters is
shuffled around. Since the letters of the cipher text are the same as those of the plain
text, a frequency analysis on the cipher text would reveal that each letter has
approximately the same likelihood as in English. This gives a very good clue to a
cryptanalyst, who can then use a variety of techniques to determine the right ordering of
the letters to obtain the plain text. Putting the cipher text through a second transposition
cipher greatly enhances security. There are even more complicated transposition
ciphers, but computers can break almost all of them.
3.6 SUMMARY
In this unit we have covered the following points.
3.7 SOLUTIONS/ANSWERS
E1) WKH GLH LV FDVW
E2) BEWARE OF THE IDES OF MARCH
E5) a) N.
c) The number of shift transformations on an m letter alphabet is mφ(m). Using
Eqn. (7) we get the values as 312, 486, 812, 240.
E6) THRPXDH.
E8) The key is 8 and the plain text is “SECRET”. Since the number of keys is just 26,
we can decrypt the given cipher text easily, by trying out all the keys, one by one,
until we get a word that makes sense.
E14) Use the fact that “X” occurs most frequently in the cipher text to find that the key
b = 19. The message is:
WEWERELUCKYBECAUSEOFTENTHEFREQUENCY
METHODNEEDSLONGERCIPHERTEXT.
E15) SUCCESSATLAST
Bibliography
[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, 781–793.
[2] Hans Delfs and Helmut Knebl, Introduction to cryptography: principles and applications, Springer-Verlag, New York, 2001.
[4] Andrew Granville, It is easy to determine whether a given integer is prime, Bull. Amer. Math. Soc. 42 (2005), 3–38. Available from http://www.ams.org/journals/bull/2005-42-01/S0273-0979-04-01037-7/S0273-0979-04-01037-7.pdf.
[5] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone, Guide to elliptic curve cryptography, 3rd ed., Springer-Verlag, 2004.
[6] D. Kahn, The codebreakers: The story of secret writing, Scribner, 1996.
[7] N. Koblitz, A course in number theory and cryptography, 2nd ed., Springer-Verlag, New York, 1994.
[8] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of applied cryptography, CRC Press, 1997.
[10] René Schoof, Four primality testing algorithms, Algorithmic number theory (J.P. Buhler and P. Stevenhagen, eds.), Mathematical Sciences Research Institute Publications, vol. 44, Cambridge University Press, 2008, pp. 101–126. Available from http://www.math.leidenuniv.nl/~psh/ANTproc/05rene.pdf.
[12] Simon Singh, The code book: The evolution of secrecy from Mary Queen of Scots to quantum cryptography, Doubleday, 1999.
[13] Nigel Smart, Cryptography: An introduction, 3rd ed. Available online from http://www.cs.bris.ac.uk/~nigel/Crypto_Book/.
[14] William Stallings, Cryptography and network security: Principles and practice, 3rd ed., Pearson Education, 2003.
[15] Douglas Stinson, Cryptography: Theory and practice, 2nd ed., CRC/C&H, 2002.