
MMTE-006

CRYPTOGRAPHY

School of Sciences

Block

1
MATHEMATICAL PRELIMINARIES AND
CLASSICAL CIPHERS
UNIT 1
Finite Fields and Algorithms 9
UNIT 2
Number Theoretic Algorithms 33
UNIT 3
Classical Ciphers 53
‘Chapter 15, Implementation Issues’ of Prof. Nigel Smart’s Book,
‘Cryptography, an introduction.’
Curriculum Design Committee

Dr. B.D. Acharya, Dept. of Science & Technology, New Delhi
Prof. O.P. Gupta, Dept. of Financial Studies, University of Delhi
Prof. C. Musili, Dept. of Mathematics and Statistics, University of Hyderabad
Prof. Adimurthi, School of Mathematics, TIFR, Bangalore
Prof. S.D. Joshi, Dept. of Electrical Engineering, IIT, Delhi
Prof. Sankar Pal, ISI, Kolkata
Prof. A.P. Singh, PG Dept. of Mathematics, University of Jammu
Prof. Archana Aggarwal, CESP, School of Social Sciences, JNU, New Delhi
Dr. R. K. Khanna, Scientific Analysis Group, DRDO, Delhi
Prof. R. B. Bapat, Indian Statistical Institute, New Delhi
Prof. M.C. Bhandari, Dept. of Mathematics, IIT, Kanpur
Prof. R. Bhatia, Indian Statistical Institute, New Delhi
Prof. A. D. Dharmadhikari, Dept. of Statistics, University of Pune
Prof. Susheel Kumar, Dept. of Management Studies, IIT, Delhi
Prof. Veni Madhavan, Scientific Analysis Group, DRDO, Delhi
Prof. J.C. Mishra, Dept. of Mathematics, IIT, Kharagpur

Faculty Members, School of Sciences, IGNOU
Dr. Deepika, Prof. Poornima Mital, Dr. Atul Razdan, Prof. Parvin Sinclair, Prof. Sujatha Varma, Dr. S. Venkataraman

Course Design Committee

Prof. C.A. Murthy, ISI, Kolkata
Prof. S.B. Pal, IIT, Kharagpur
Dr. B.S. Panda, IIT, Delhi
Prof. C.E. Veni Madhavan, IISC, Bangalore

Faculty Members, School of Sciences, IGNOU
Dr. Deepika, Prof. Poornima Mital, Dr. Atul Razdan, Prof. Parvin Sinclair, Dr. S. Venkataraman

Block Preparation Team

Dr. Sucheta Chakroborty (Editor), Scientist ‘E’, DRDO
Shri. Dhananjay Dey (Editor), Scientist ‘D’, DRDO
Dr. Amora Nongkynrih
Dr. S. Venkataraman, School of Sciences, IGNOU

Course Coordinator: Dr. S. Venkataraman

December 2010
©Indira Gandhi National Open University, 2010
ISBN:978-81-266-5088-0

All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any other means without written permission from
the Indira Gandhi National Open University.

Further information on the Indira Gandhi National Open University courses may be obtained from the University’s office at Maidan Garhi,
New Delhi-110 068.

Printed and Published on behalf of Indira Gandhi National Open University, New Delhi, by Director, School of Sciences.
COURSE INTRODUCTION

Often, entities like governments, commercial organisations and individuals have to


store or communicate valuable data. In the case of governments, the data may be details
of secret treaties or negotiations. In the case of commercial organisations, it may be
commercially valuable data like trade secrets. In the case of individuals, it may be
confidential personal information like credit card numbers. One of the means of
protecting this information is physical protection like use of safes, shielded cable for
communication etc. In earlier times, this was enough for entities like commercial
organisations or individuals. Governments, however, have used cryptography for
protecting valuable data for a long time. (For a history of cryptography you can refer to
the books [12] or [6]; the numbers in square brackets are the reference numbers in the
bibliography given at the end of the block.) In Greek, the word kryptos means hidden or
secret and graphein means writing. In
Cryptography, the data to be communicated is transformed in such a way that it is
useless for an adversary who manages to access it. There is another related field called
Steganography in which the message is hidden, but not transformed in any way. We
will not be concerned with this field in our course.

Till a few years after the end of the Second World War, cryptography was used only by
governments. After the invention of computers and the networking of computers, the
scenario changed. With the improvement in communication technologies, it became
easier to spy upon opponents. Through wiretapping, it became possible to listen to
telephone conversations. When microwaves are used for communication, it is even easier
to listen in without tapping any wire. So, there was a widely felt need for communicating
securely. With the advent of the Internet, this has become more important, given the
ease with which computer networks can be tapped.

On the one hand, since computers are widely available, more and more entities have the
capability to use cryptography for secure storage and communication of valuable data.
On the other hand, because of the computing power available, some of the earlier
methods of cryptography have become obsolete. This has led to the invention of more
powerful methods in cryptography that can resist attacks. In the invention of newer
and more secure methods, Mathematics has come to play an important role.

In this course, we will introduce you to cryptography. In the first block of this course
we will discuss some of the Mathematics required for the study of cryptography. We
will also discuss some classical ciphers in this block. These ciphers are classical in the
sense that they were used widely before the invention of computers.

The method used for transforming text is called a cipher. Transforming the text is
called encryption or enciphering and undoing the transformation is called decryption
or deciphering. Apart from the general method, in each instance of application of a
cipher, there is another ingredient called the key which is specific to that instance. In
the traditional methods, anyone who has access to the key can undo the transformation
performed and read the text. Such methods are called symmetric key cryptosystems
or private key cryptosystems. These cryptosystems are the objects of our study in the
second block.

One of the major drawbacks of the symmetric key cryptosystems is that the entities that
want to communicate with each other have to decide upon the keys before they can start
communicating. For this, they have to meet in person or exchange keys using a trusted
courier. This drawback was removed in the seventies due to a new kind of cryptosystem
invented by Diffie and Hellman. In this system, there are two different keys, one for
encryption and one for decryption, as opposed to the symmetric key cryptosystems
where the same key served both purposes. The key for encryption can be made
public because, even if a person knows the encryption key, the person cannot find the
decryption key easily. For this reason, the cryptosystem invented by Diffie and Hellman is
known as a public key cryptosystem. These cryptosystems are the objects of study in
the third block of the course.

Apart from the material, the course also has a practical component. This practical
component is worth 1 credit. In this component, you are expected to write programs in
C language and in the package gp. The package gp is a freely available package for
doing number theory. You can download this package from
http://pari.math.u-bordeaux.fr/download.html. You will learn how
to use this package during your practical sessions. You may refer to the Programme
Guide for information regarding the conduct of practicals and the evaluation procedure
adopted in the practicals.

We have created a webpage for the course at http://tinyurl.com/macs-mmte-006. You
will find more information and references there.

We hope you will enjoy studying this course. If you have any queries or suggestions,
please write to:

The Course Co-ordinator


Cryptography Course(MMTE-006)
School of Sciences
Block D, Raman Bhavan
IGNOU
Maidan Garhi, New Delhi 110068

Some good references for further study are [2], [3], [7], [8], [13], [14], [15],[17]. The
book [11] is a good reference for the Mathematics and algorithms described in this
course. Of these books, [3], [8], [11] and [13] are available online. For all the other
books, Indian editions are available. In the case of [14] and [15] newer Indian
editions (fourth edition in the case of [14] and third edition in the case of [15]) are
available.

All the best!

About the cover page

• The picture at the top left is that of the military version of the famous Enigma
machine used by the Germans in the Second World War. The source file is
available from http://commons.wikimedia.org/wiki/File:
Enigma_-_Military.jpg under Creative Commons Attribution-Share
Alike 3.0 Unported license and GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation.

• The picture on the top right is the schematic diagram of the Miyaguchi-Preneel
one-way compression function. This was redrawn based on the picture
http://en.wikipedia.org/wiki/File:
Miyaguchi-Preneel_hash.svg which is in the public domain.

• The picture at the bottom is that of a skytale. The source file is available from
http://commons.wikimedia.org/wiki/File:Skytale.png under
Creative Commons Attribution-Share Alike 3.0 Unported license and GNU Free
Documentation License, Version 1.2 or any later version published by the Free
Software Foundation.

• We also thank Prof. Nigel Smart for generously allowing printing and
reproducing material from his online book, subject to identifying clearly the
authorship.

The generosity of the copyright owners of the above mentioned images is gratefully
acknowledged.
BLOCK INTRODUCTION
This block is the introductory block of the Cryptography course. Till the middle of the
twentieth century, cryptography did not use very sophisticated Mathematics. However,
this changed after the Second World War when computers became available. In
modern times cryptography uses sophisticated algebra in the design of cryptosystems.
The aim of this block is to introduce you to the Mathematics that is required for
cryptography.

In the first Unit of this block, we introduce you to finite fields and some algorithms in
the finite fields that are used in Cryptography. You have already studied finite fields in
MMT-003, but in this Unit, the viewpoint is algorithmic. Apart from this, we will also
discuss some topics from finite fields that are not usually covered in standard algebra
courses.

In the second Unit of this block, we introduce you to number theoretic algorithms that
are required in the study of cryptography. You have already studied congruences and
some number theoretic algorithms in the Unit 6 of MMT-003. Here, you will study
some more algorithms that are useful in cryptography.

In the third Unit of this block, we will introduce you to some classical ciphers that were
used for encryption before the invention of computers. While these ciphers are no
longer widely used, we have discussed them to provide an introduction because these
ciphers are particularly simple. These ciphers are helpful in introducing the language
and general principles of Cryptography.

We have also reproduced Chapter 15 of Prof. Nigel Smart’s book at the end of the
block. Please note that, this is intended only as a reference for practicals and you will
not be examined on this part in your term end examination.
NOTATION & SYMBOLS

Z Set of integers
R[x] Polynomial ring over a commutative ring R.
F[x] Polynomial over a field F.
degf(x) Degree of the polynomial f(x)
Q Field of rational numbers
R Field of real numbers
C Field of complex numbers
Zn Integers modulo n
f≡g f is congruent to g
[E : F] Dimension of the field E over its subfield F.
Fq Finite field with q elements
R∗ The group of invertible elements (units) of a commutative ring R. For a field F,
F∗ = F \ {0}.
m|n m divides n
m∤n m does not divide n
c(n, i) Number of ways of choosing i objects from n objects when the
order of selection is immaterial.
P Plaintext space
C Cryptotext space
K Key space
Mathematical Preliminaries
and Classical Ciphers

8
UNIT 1 FINITE FIELDS AND ALGORITHMS
Structure Page No.
1.1 Introduction 9
Objectives
1.2 Basic Concepts From Algebra 9
1.3 Basic Concepts of Finite Fields And Their Construction 17
1.4 Basic Algorithms for Finite Fields 20
1.5 Summary 27
1.6 Solutions/Answers 28

1.1 INTRODUCTION

In this unit, we are going to discuss some results related to finite fields that we need in
some of the later units. We will use some basic facts that you must have learnt in your
degree classes about integral domains in general and polynomial rings in particular. We
will also use some basic facts about finite fields that you have learnt in the course
MMT-003, Algebra. In Sec. 1.2, we recall some of the results proved in your degree
classes on polynomial rings. In Sec. 1.3, we will discuss finite fields and their
construction in particular, and in Sec. 1.4 some algorithms for arithmetic in finite fields.

Objectives
After studying this unit, you should be able to
• explain the construction of finite fields;
• explain the extended Euclidean algorithm for polynomials;
• define the order of an irreducible polynomial over a finite field;
• define a primitive polynomial over a finite field;
• describe an algorithm for multiplying and dividing elements in a finite field using the
shift and multiply approach;
• describe an algorithm for multiplying and dividing elements in a finite field using
discrete logarithms and antilogarithms;
• describe an algorithm for checking the irreducibility of a polynomial over a finite
field; and
• describe an algorithm for constructing an irreducible polynomial of a given degree.

1.2 BASIC CONCEPTS FROM ALGEBRA

You would have studied about the ring of polynomials in your degree class. In this
section, we briefly recall some of the definitions and results regarding polynomials. Our
aim is to establish the notations and conventions for the rest of the course. We then
discuss some basic facts from fields. In the final part of the section, we will briefly
recall basic facts about finite fields. Our discussion in this section is based on Chapter 2
of [8].
Definition 1: Let R be a commutative ring. A polynomial in the indeterminate x over
the ring R is an expression of the form

f(x) = a0 + a1x + · · · + anxⁿ

where each ai ∈ R and n ≥ 0.

The element ai is called the coefficient of xⁱ in f(x). Here:

• The largest integer m for which am ≠ 0 is called the degree of f(x), denoted
deg f(x) or simply deg f; am is called the leading coefficient of f(x).

• If f(x) = a0 (a constant polynomial) and a0 ≠ 0, then f(x) has degree zero.

• If all the coefficients of f(x) are 0, then f(x) is called the zero polynomial and its
degree is defined to be −∞.

• f(x) is said to be monic if its leading coefficient is equal to 1.

For example, 0, 2, x and 2 + x² are all polynomials with coefficients in Z.

Definition 2: If R is a commutative ring, we denote the ring formed by the set of all
polynomials under addition and multiplication of polynomials with coefficients in R by
R[x].

In the rest of the Unit, we will denote a field by F.

The polynomial ring F[x] has many properties in common with integers; in particular,
F[x] and Z are both Euclidean domains.

Theorem 1 (Division algorithm for F[x]): Let

f(x) = a0 + a1x + · · · + anxⁿ

and
g(x) = b0 + b1x + · · · + bmxᵐ

be two elements of F[x], with an and bm both non-zero elements of F and m > 0. Then
there are unique polynomials q(x) and r(x) in F[x] such that

f(x) = g(x)q(x) + r(x),

with the degree of r(x) less than m, the degree of g(x).

Definition 3: Let f(x) ∈ F[x] be a polynomial and suppose f(a) = 0 for some a ∈ E
where E is a field containing F, then we say that a is a zero of the polynomial f(x) or a
is a root of the equation f(x) = 0.

From Theorem 1, we can deduce the following Corollary 1 easily.

Corollary 1: An element a ∈ F is a zero of f(x) ∈ F[x] if and only if x − a is a factor of
f(x) in F[x].

Definition 4: Let f(x) and g(x) be polynomials in F[x], and let

f(x) = g(x)q(x) + r(x),

where q(x) and r(x) are as in Theorem 1. Then, we say that g(x) divides f(x), written
as g(x) | f(x), if r(x) = 0.
Theorem 2: A non-zero polynomial f(x) ∈ F[x] has at most deg f zeros.

Proof: We prove the assertion by induction on n = deg f(x). For n = 0, the assertion
holds because f ∈ F and f ≠ 0. Let n > 0. If f has no zeros, then the assertion is true. If f
has a zero a, then by Corollary 1 of Theorem 1, we have f(x) = (x − a)q(x), where
deg q(x) = n − 1. If a′ ≠ a is also a zero of f(x), then 0 = f(a′) = (a′ − a)q(a′). Since
we are working in a field and a ≠ a′, we have q(a′) = 0. So, a′ is a zero of q(x). By the
induction hypothesis, q(x) has at most n − 1 zeros. So, the number of zeros a′ of f(x),
a′ ≠ a, is at most n − 1. Therefore, f(x) has at most n zeros. □

Definition 5: Let f(x) ∈ F[x] be a polynomial of degree at least 1. Then, f(x) is
irreducible over F if whenever f(x) = a(x)b(x) with a(x), b(x) ∈ F[x], then one of a(x)
or b(x) has degree 0 (that is, is a constant polynomial).

In other words, f(x) is irreducible over F if it cannot be written as the product of two
polynomials in F[x], each of positive degree. We also say that a polynomial is
reducible over F if it is not irreducible over F.

Irreducibility depends on the field. A polynomial f(x) may be irreducible over F, but
may not be irreducible if viewed over a larger field E containing F. Let us look at an
example.

Example 1: The polynomial x² + 1 is irreducible over R, because it has no zeros in
R, the field of real numbers. (Notice that a factorisation x² + 1 = (ax + b)(cx + d) for
a, b, c, d ∈ R would clearly give rise to zeros of x² + 1 in R.) However, over C, the field
of complex numbers, we have x² + 1 = (x + i)(x − i) where i² = −1. Hence it is not
irreducible over C.

∗∗∗

The problem of determining whether a polynomial f(x) ∈ F[x] is irreducible over F may
be difficult in general. But in some cases, we have easy ways of doing this. In your
degree class you have studied the Eisenstein Criterion which gives a sufficient
condition for a polynomial over Q to be irreducible. We have a necessary and
sufficient condition for a polynomial of degree at most three to be irreducible. We first
discuss an example to motivate the condition.

Example 2: Let us show that f(x) = x³ + 3x + 2 is irreducible over Q. We know that if
f(x) has a rational root p/q (in lowest terms), then q | 1, the leading coefficient, and
p | 2, the constant term. So, the only possible rational roots of f(x) are ±1, ±2. It is a
simple matter to check that ±1, ±2 are not zeros of f(x): f(1) = 6, f(−1) = −2,
f(2) = 16 and f(−2) = −12. So, by Corollary 1, f(x) has no rational root and hence no
factor of the form x − p/q. But, if f(x) is reducible, it factorises into either three
polynomials of degree one or one polynomial of degree 1 and one polynomial of degree
2. In either case, it should have a factor of degree one, i.e. a factor of the type x − p/q.
Since this is not possible, the polynomial is irreducible.

∗∗∗

This test for irreducibility by finding zeros works nicely for quadratic and cubic
polynomials over a finite field with a small number of elements. This technique is an
illustration of the next theorem.

Theorem 3: Let f(x) ∈ F[x], and let f(x) be of degree 2 or 3. Then f(x) is irreducible
over F if and only if it has no zeros in F.

Proof: Suppose f(x) is reducible so that f(x) = g(x)h(x), where the degree of g(x) and
the degree of h(x) are both less than the degree of f(x). Since f(x) is either quadratic or
cubic, either g(x) or h(x) is of degree 1. If, say, g(x) is of degree 1, then except for a
possible factor in F, g(x) is of the form x − a. Then g(a) = 0, which implies that
f(a) = 0, so f(x) has a zero in F.

Conversely, Corollary 1 of Theorem 1 shows that if f(a) = 0 for a ∈ F, then x − a is a
factor of f(x), so f(x) is reducible. □

Example 3: Show that the polynomials f(x) = x² + x + 1 ∈ Z2[x] and
g(x) = x² + 2x + 2 ∈ Z3[x] are irreducible.

Solution: We have f(0) = 1 ≠ 0 and f(1) = 1 + 1 + 1 = 1 ≠ 0 in Z2. So, f(x) has no
roots in Z2 and so it is irreducible by Theorem 3.

We have g(0) = 2, g(1) = 1 + 2 + 2 = 2 in Z3 and g(2) = 4 + 4 + 2 = 1 in Z3. So, g(x)
has no roots in Z3 and is irreducible in Z3[x].

∗∗∗

Try the following exercises to test your understanding of Example 3.

E1) Test the irreducibility of the following polynomials:
a) f(x) = x² + 2x + 5 in Z7 b) g(x) = x³ − x² − 2x − 1 in Z7

E2) Prove that
a) x² + x + 1 is irreducible over Z2, the field of integers mod 2.
b) x² + 1 is irreducible over the integers mod 7.
c) x³ − 9 is reducible over the integers mod 11.

In your degree classes you would have learnt the following corollary to Theorem 1.

Corollary 2: Let F be a field. Then, the polynomial ring F[x] is a principal ideal
domain(PID) and therefore a Unique Factorisation Domain. Since every irreducible
element is a prime element in F[x], any polynomial in F[x] can be written in a unique
manner, up to units, as a product of irreducible polynomials in F[x].

Since F[x] is a PID, every irreducible element is a prime element and we can define the
concept of the greatest common divisor (gcd) of two elements. Similar to Z, we have the
following result:

Proposition 1: If f(x), g(x) ∈ F[x] and h(x) is the gcd of f(x) and g(x), there are
polynomials q(x) and r(x) ∈ F[x] such that

h(x) = q(x)f(x) + r(x)g(x).

You have already seen the extended Euclidean algorithm for integers in MMT-003. We
have also discussed a recursive version of this algorithm in MMTE-002. The algorithm
for polynomials is analogous. We will discuss an iterative version of the algorithm. In
our discussion we use a notation that is slightly different from the one we used in
MMT-003. Recall that in the usual Euclidean Algorithm, to find the gcd h(x) of f, g,
deg(f) > deg(g), we carry out a series of divisions

f(x) = g(x)s1(x) + t1(x)
g(x) = t1(x)s2(x) + t2(x)
t1(x) = t2(x)s3(x) + t3(x)
. . .                                                          (1)
ti(x) = ti+1(x)si+2(x) + ti+2(x)
. . .

till we get remainder zero, i.e. tk(x) = 0 for some k ≥ 1. In each of these divisions, the
remainder and divisor of a division are, respectively, the divisor and the dividend of the
next division. If t1(x) = 0, then g(x) | f(x), so g(x) is the gcd of f and g. If tk(x) = 0 for
some k ≥ 2, then tk−1(x) is the gcd of f(x) and g(x).

To find q(x) and r(x) such that

h(x) = q(x)f(x) + r(x)g(x),

we need to do some more work. Note that, if t1(x) = 0, since g(x) is the gcd, we can
take q(x) = 0 and r(x) = 1. So, let us now suppose that tk(x) = 0 for some k ≥ 2 and
we want to write tk−1(x) as a linear combination

tk−1(x) = qk−1(x)f(x) + rk−1(x)g(x).

Our strategy is as follows: For each i, we write ti (x) in the form

ti (x) = qi (x)f(x) + ri (x)g(x).

In particular, we will get an expression of the form q(x)f(x) + r(x)g(x) for tk−1 (x) also.

From f(x) = g(x)s1 (x) + t1 (x), we get

t1 (x) = f(x) − g(x)s1 (x). (2)

Let us write q1 (x) = 1 and r1 (x) = −s1 (x) so that we get t1 (x) = q1 (x)f(x) + r1 (x)g(x).

Again, from g(x) = t1(x)s2(x) + t2(x) and Eqn. (2), we get

g(x) = (f(x) − g(x)s1(x)) s2(x) + t2(x).

Regrouping terms, we get

−f(x)s2(x) + g(x) (1 + s1(x)s2(x)) = t2(x) or

f(x)q2(x) + g(x)r2(x) = t2(x),

where we write q2(x) = −s2(x) and r2(x) = 1 + s1(x)s2(x). So, we have

q1(x) = 1, r1(x) = −s1(x),
q2(x) = −s2(x), r2(x) = 1 + s1(x)s2(x).                        (3)

Suppose, for i ≥ 2, we have found qi−1(x), ri−1(x), qi(x) and ri(x), i.e. we have

ti−1(x) = qi−1(x)f(x) + ri−1(x)g(x),                            (4)

ti(x) = qi(x)f(x) + ri(x)g(x).                                  (5)

How can we find qi+1(x), ri+1(x)? Replacing i by i − 1 in the step
ti(x) = ti+1(x)si+2(x) + ti+2(x) of (1), we can write

ti−1(x) = ti(x)si+1(x) + ti+1(x).

So, we have

ti+1(x) = ti−1(x) − ti(x)si+1(x),
= (qi−1(x)f(x) + ri−1(x)g(x)) − (qi(x)f(x) + ri(x)g(x)) si+1(x).   (6)
∴ ti+1(x) = (qi−1(x) − qi(x)si+1(x)) f(x) + (ri−1(x) − ri(x)si+1(x)) g(x).   (7)

So, if we take

qi+1(x) = qi−1(x) − qi(x)si+1(x) and ri+1(x) = ri−1(x) − ri(x)si+1(x)   (8)

then ti+1(x) = qi+1(x)f(x) + ri+1(x)g(x).

Note that, Eqn. (7) and Eqn. (8) help us find ti+1(x), qi+1(x) and ri+1(x) if we know
ti(x), ti−1(x), qi(x), qi−1(x), ri−1(x) and ri(x). These relations form the core
of Algorithm 1.

For two polynomials f(x), g(x) ∈ F[x], let us write f(x) div g(x) for the quotient on
dividing f(x) by g(x). For example, if f(x) = x² + 1 and g(x) = x are in Z2[x], we have
f(x) = xg(x) + 1, so f(x) div g(x) is x.

Algorithm 1 Extended Euclidean Algorithm for Polynomials.

1: procedure EXTENDEDEUCLIDEANALGORITHM(f(x), g(x))   ▷ Returns h(x),
Q(x) and R(x) such that Q(x)f(x) + R(x)g(x) = h(x) where h(x) = (f(x), g(x)).
2: Q1(x) ← 1, R1(x) ← 0, Q2(x) ← 0, R2(x) ← 1, T1(x) ← f(x), T2(x) ← g(x).
3: while T2(x) ≠ 0 do
4: S(x) ← T1(x) div T2(x).   ▷ T1(x) div T2(x) is the quotient on division of T1(x) by
T2(x).
5: Q3(x) ← Q1(x) − S(x)Q2(x), R3(x) ← R1(x) − S(x)R2(x).
6: T3(x) ← T1(x) − S(x)T2(x)
7: Q1(x) ← Q2(x), R1(x) ← R2(x), T1(x) ← T2(x).
8: Q2(x) ← Q3(x), R2(x) ← R3(x), T2(x) ← T3(x).
9: end while
10: return T1(x), Q1(x) and R1(x).
11: end procedure

Note that, in Algorithm 1, the values Q1(x), Q2(x) and Q3(x) store three successive
values qi−1(x), qi(x) and qi+1(x). Similarly, R1(x), R2(x) and R3(x) (resp. T1(x), T2(x)
and T3(x)) store three successive values ri−1(x), ri(x) and ri+1(x) (resp. ti−1(x), ti(x)
and ti+1(x)). The variable S(x) stores the values of si+1(x).

To start the algorithm, we need two sets of values of Q, R and T so that we can get the
third value by using the formulae

Qi+1 = Qi−1 (x) − Qi (x)S(x) (9)


Ri+1 (x) = Ri−1 (x) − Ri (x)S(x) (10)
Ti+1 (x) = Ti−1 (x) − Ti (x)S(x) (11)

We choose the following values Q1 (x) = 1, R1 (x) = 0, T1 (x) = f(x) and Q2 (x) = 0,
R2 (x) = 1, T2 (x) = g(x). We leave it to you as an exercise to check that these initial
values are meaningful and the algorithm works correctly. Let us now look at an
example to understand Algorithm 1.

Example 4: Let f(x) = x⁷ + x⁶ + x⁵ + 3x⁴ + 2x³ + 2x² + x + 1 and
g(x) = x⁶ + x⁵ + x⁴ + 3x³ + x² + x + 1 be polynomials in Q[x]. Let us find their gcd
h(x) and Q(x), R(x) such that Q(x)f(x) + R(x)g(x) = h(x) using Algorithm 1.
Initialisation: We first initialise the variables that we will use in the algorithm.

Q1(x) ← 1, Q2(x) ← 0, R1(x) ← 0, R2(x) ← 1, T1(x) ← f(x), T2(x) ← g(x).   (12)

First iteration
We have T1(x) = xT2(x) + x³ + x² + 1, so S(x) = x. After the execution of the fifth line
of the algorithm, we have Q3(x) = Q1(x) − S(x)Q2(x) = 1 − x · 0 = 1 and
R3(x) = R1(x) − S(x)R2(x) = 0 − x · 1 = −x.

After execution of the sixth line of the algorithm, we have

T3(x) = T1(x) − S(x)T2(x) = f(x) − xg(x) = x³ + x² + 1.

The seventh and eighth lines of the algorithm shift the values along: Q1(x) takes the
old value of Q2(x), which is 0, R1(x) takes the old R2(x) = 1, T1(x) takes the old
T2(x) = g(x), and then Q2(x) ← Q3(x) = 1, R2(x) ← R3(x) = −x,
T2(x) ← T3(x) = x³ + x² + 1.

So, at the end of the first iteration, the values are

Q1(x) = 0, R1(x) = 1, T1(x) = g(x)
Q2(x) = 1, R2(x) = −x, T2(x) = x³ + x² + 1

Since T2(x) ≠ 0, we carry out one more iteration.

Second iteration
We find that
S(x) = T1(x) div T2(x) = g(x) div (x³ + x² + 1) = x³ + x + 1,
and
Q3(x) = Q1(x) − S(x)Q2(x) = 0 − (x³ + x + 1) = −(x³ + x + 1)
R3(x) = R1(x) − S(x)R2(x) = 1 + x(x³ + x + 1)
T3(x) = T1(x) − S(x)T2(x) = g(x) − (x³ + x + 1)(x³ + x² + 1) = 0

So, after the lines 7 and 8 are evaluated the values will be

Q1(x) = 1, R1(x) = −x, T1(x) = x³ + x² + 1
Q2(x) = −(x³ + x + 1), R2(x) = 1 + x(x³ + x + 1), T2(x) = 0

Since T2(x) = 0, the loop will not be evaluated again and the algorithm will return the
values T1(x) = x³ + x² + 1, Q1(x) = 1 and R1(x) = −x. So, the gcd of f(x) and g(x) is
x³ + x² + 1 and f(x) − xg(x) = x³ + x² + 1.

∗∗∗
Remark 1: Note that, we have given an elaborate explanation in Example 4 to help you
understand Algorithm 1. When we do the computation manually, we can easily dispose
of the cases g(x) = 0 and g(x) | f(x). We then use Eqn. (3) together with Eqn. (7) and
Eqn. (8) to carry out our computation.

Try the following exercises to check your understanding of Algorithm 1.

E3) Check that the initial values that we have chosen are correct and the algorithm
works correctly.
E4) Let f(x) = x⁵ + x⁴ + x³ + 2x + 2 and g(x) = x⁴ + 1 be polynomials in Z3[x]. Find
their gcd h(x) and Q(x), R(x) such that Q(x)f(x) + R(x)g(x) = h(x) using
Algorithm 1.
Let f(x) be a fixed polynomial in F[x] of degree n. We have the quotient ring
F[x]/(f(x)), where (f(x)) denotes the ideal in F[x] generated by f(x). Let us see what
the elements of this ring are.

As with integers, one can define congruences of polynomials in F[x] based on division
by f(x).

Definition 6: If g(x), h(x) ∈ F[x], then g(x) is said to be congruent to h(x) modulo
f(x) if f(x) divides g(x) − h(x). This is denoted by g(x) ≡ h(x) (mod f(x)).

Note that ‘congruent to’ is an equivalence relation on F[x] and the equivalence classes
are precisely the cosets h(x) + (f(x)). In other words, h(x) ≡ g(x) (mod f(x))
if and only if h(x) + (f(x)) = g(x) + (f(x)). As in the case of integers, the canonical ring
homomorphism φ : F[x] → F[x]/(f(x)) gives us a way of translating congruences between
two elements h(x) and g(x) to a statement regarding their images φ(h(x)) and
φ(g(x)) ∈ F[x]/(f(x)).

Just as in the case of integer congruences, if g(x) ≡ g1 (x) (mod f(x)), and
h(x) ≡ h1 (x) (mod f(x)), then

g(x) + h(x) ≡ g1 (x) + h1 (x) (mod f(x)), and g(x)h(x) ≡ g1 (x)h1 (x) (mod f(x)).

If g(x) ∈ F[x], then by Theorem 1, there exist unique polynomials q(x), r(x) ∈ F[x] such
that g(x) = q(x)f(x) + r(x), where deg r(x) < n. So, every polynomial g(x) ∈ F[x]
satisfies g(x) ≡ r(x) (mod f(x)) for some r(x) ∈ F[x] of degree ≤ n − 1. If g(x) ≡ r1(x)
(mod f(x)) and g(x) ≡ r2(x) (mod f(x)) for some polynomials r1(x), r2(x) of degree
≤ n − 1, then r1(x) ≡ r2(x) (mod f(x)), i.e. f(x) | (r1(x) − r2(x)). Since both r1(x) and
r2(x) have degree less than n, r1(x) − r2(x) is of degree less than n. So, f(x) can divide
r1(x) − r2(x) only if r1(x) − r2(x) = 0. Hence, every polynomial g(x) is congruent
modulo f(x) to a unique polynomial r(x) of degree less than n. We will generally
use the polynomial r(x) as the representative of the equivalence class (or coset) of
polynomials containing g(x). (Recall that, in Zn, we usually use the unique integer in
{0, 1, . . . , n − 1} belonging to a residue class to represent that class.)

We now summarise some standard results proved in undergraduate algebra courses.

Theorem 4: Let F be a field and let p(x) ∈ F[x], p(x) ≠ 0. Then,

a) The ideal (p(x)) is maximal if and only if p(x) is irreducible over F.
b) The ring F[x]/(p(x)) is a field if and only if p(x) is irreducible over F.

Let us now look at an example to see how we can apply Theorem 4.

Example 5: The root test of Theorem 3, applied as in Example 3, shows that
g(x) = x³ + 2x + 2 ∈ Z3[x] is irreducible in Z3[x]: g(0) = 2, g(1) = 1 + 2 + 2 = 2 and
g(2) = 8 + 4 + 2 = 14 = 2 in Z3, so g(x) has no zero in Z3. Hence (x³ + 2x + 2) is a
maximal ideal in Z3[x], and thus Z3[x]/(x³ + 2x + 2) is a field by Theorem 4. Note that,
from our earlier discussion, we can represent each coset of Z3[x]/(x³ + 2x + 2) by a
unique polynomial over Z3 of degree ≤ 2. Any polynomial of degree ≤ 2 has the form
a0 + a1x + a2x² and it is determined by the three coefficients a0, a1 and a2 ∈ Z3. Each
of these coefficients has 3 choices, so Z3[x]/(x³ + 2x + 2) has exactly 3³ = 27 elements.
Thus, Z3[x]/(x³ + 2x + 2) is a field with finitely many elements. We shall study fields
with finitely many elements such as this in more detail in the next section.

∗∗∗
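As an added example that is not part of the course text, the following Python code implements the division of Theorem 1 and Algorithm 1 for polynomials over Z_p or over Q, reproduces Example 4, and then uses the extended Euclidean algorithm to compute inverses in Z3[x]/(x³ + 2x + 2) from Example 5, checking by brute force that all 26 non-zero classes are invertible (Theorem 4(b)). The function names and the coefficient-list representation (lowest degree first; p = None selects Q with exact Fractions) are this example's own assumptions.

```python
from itertools import product
from fractions import Fraction

# Polynomials are coefficient lists, lowest degree first. The prime p selects the
# field Z_p; p=None means Q with exact Fractions. All names are this example's own.

def _norm(coeffs, p):
    """Map coefficients into the field and drop leading zeros ([] is the zero polynomial)."""
    out = [Fraction(a) if p is None else a % p for a in coeffs]
    while out and out[-1] == 0:
        out.pop()
    return out

def _inv(a, p):
    return 1 / a if p is None else pow(a, -1, p)

def poly_add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return _norm([a + b for a, b in zip(f, g)], p)

def poly_sub(f, g, p):
    return poly_add(f, [-b for b in g], p)

def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return _norm(out, p)

def poly_divmod(f, g, p):
    """Theorem 1: return (q, r) with f = g*q + r and deg r < deg g, by long division."""
    f, g = _norm(f, p), _norm(g, p)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    q = [0] * max(len(f) - len(g) + 1, 1)
    lead_inv = _inv(g[-1], p)
    r = f
    while len(r) >= len(g):
        shift = len(r) - len(g)
        c = r[-1] * lead_inv if p is None else (r[-1] * lead_inv) % p
        q[shift] = c
        r = poly_sub(r, [0] * shift + [c * b for b in g], p)  # cancels the leading term
    return _norm(q, p), r

def ext_gcd(f, g, p):
    """Algorithm 1, line for line: (h, Q, R) with Q*f + R*g = h = gcd(f, g). As in
    Algorithm 1 the last non-zero remainder is returned as is; it need not be monic."""
    Q1, R1, T1 = _norm([1], p), [], _norm(f, p)
    Q2, R2, T2 = [], _norm([1], p), _norm(g, p)
    while T2:
        S, _ = poly_divmod(T1, T2, p)  # S(x) <- T1(x) div T2(x)
        Q3 = poly_sub(Q1, poly_mul(S, Q2, p), p)
        R3 = poly_sub(R1, poly_mul(S, R2, p), p)
        T3 = poly_sub(T1, poly_mul(S, T2, p), p)
        Q1, R1, T1 = Q2, R2, T2
        Q2, R2, T2 = Q3, R3, T3
    return T1, Q1, R1

def field_elements(f, p):
    """The p^n representatives of Z_p[x]/(f(x)), n = deg f: all polynomials of degree < n."""
    n = len(_norm(f, p)) - 1
    return [_norm(list(cs), p) for cs in product(range(p), repeat=n)]

def field_mul(a, b, f, p):
    """Product of two classes, reduced to the unique representative of degree < deg f."""
    return poly_divmod(poly_mul(a, b, p), f, p)[1]

def field_inv(a, f, p):
    """Inverse of a modulo f via Algorithm 1: Q*a + R*f = h with h a non-zero constant
    gives a * (Q/h) = 1 (mod f). Raises ValueError when gcd(a, f) has positive degree."""
    h, Q, _ = ext_gcd(a, f, p)
    if len(h) != 1:
        raise ValueError("not invertible modulo f: gcd has positive degree")
    c = _inv(h[0], p)
    return poly_divmod(_norm([q * c for q in Q], p), f, p)[1]

def is_field(f, p):
    """Theorem 4(b) by brute force: every non-zero class of Z_p[x]/(f) has an inverse."""
    one = _norm([1], p)
    for a in field_elements(f, p):
        try:
            if a and field_mul(a, field_inv(a, f, p), f, p) != one:
                return False
        except ValueError:
            return False
    return True

if __name__ == "__main__":
    # Example 4 in Q[x]: expect gcd x^3 + x^2 + 1 with Q = 1 and R = -x.
    f = [1, 1, 2, 2, 3, 1, 1, 1]
    g = [1, 1, 1, 3, 1, 1, 1]
    print(ext_gcd(f, g, None))
    # Example 5: Z_3[x]/(x^3 + 2x + 2) has 27 elements and is a field.
    print(len(field_elements([2, 2, 0, 1], 3)), is_field([2, 2, 0, 1], 3))
```

`field_inv` is exactly how one inverts an element of a finite field presented as Z_p[x]/(f(x)): the Bézout coefficient Q from Algorithm 1, scaled by the inverse of the constant gcd. Because Algorithm 1 returns the last non-zero remainder unchanged, over Z_p it may carry a leading coefficient other than 1; dividing through by that coefficient gives the monic gcd when one is wanted.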

Try the following exercises to test your understanding.


E5) Let f(x) = x⁶ + 3x⁵ + 4x² − 3x + 2 and g(x) = x² + 2x − 3 be in Z7[x]. Find q(x)
and r(x) in Z7[x] such that f(x) = g(x)q(x) + r(x), with deg r(x) < 2.

E6) Is Q[x]/(x^2 − 5x + 6) a field? Why? What about Q[x]/(x^2 − 6x + 6)?

We conclude this section here. In the next section, we will discuss finite fields.

1.3 BASIC CONCEPTS OF FINITE FIELDS AND THEIR CONSTRUCTION

In this section, we will discuss some basic facts about finite fields. In particular, we will
see how to construct finite fields. Such constructions have applications in cryptography.

Before we do that, we recall some basic facts from field theory.

Definition 7: The characteristic of a field is 0 if 1 + 1 + · · · + 1 (m times) is never equal
to 0 for any m ≥ 1. Otherwise, the characteristic of the field is the least positive integer
m such that ∑_{i=1}^{m} 1 equals 0.

Recall that the characteristic of a field, when it is non-zero, is always a prime. If the
characteristic of a field F is m > 1 with m = pq, p ≠ 1, q ≠ 1, then by the minimality of m
we have p · 1 = 1 + 1 + · · · + 1 (p times) ≠ 0 and q · 1 = 1 + 1 + · · · + 1 (q times) ≠ 0. But
their product pq · 1 = m · 1 = 0, which is impossible in a field.

Definition 8: A subset F of a field E is a subfield of E if F is itself a field with respect
to the operations of E. If this is the case, E is said to be an extension field of F. The
field E has a natural structure of a vector space over F. If the dimension of E over F is
finite, we call E a finite extension of F. We denote the dimension of E over F by [E : F].

Definition 9: A finite field is a field F which contains a finite number of elements. The
order of F is the number of elements in F.

We usually denote a finite field with q elements by Fq . We will deviate from this
convention some times when q is a prime and instead write Zp for a finite field with p
elements.

Example 6: Zp = Z/pZ is a field containing p elements if p is a prime. It has
characteristic p.

To see this, we recall that the residue class a is invertible in Zm if and only if
gcd(a, m) = 1. Thus the ring Zm is a field if and only if gcd(k, m) = 1 for all k with
1 ≤ k < m. This is true if and only if m is a prime number.

We have 1 + 1 + · · · + 1 (p times) = p = 0 in Zp. So, the characteristic of Zp is p.

∗∗∗

Theorem 5: A field F is either of prime characteristic p and contains a subfield
isomorphic to Zp, or of characteristic 0 and contains a subfield isomorphic to Q.

Definition 10: The fields Zp and Q are called prime fields.

Proposition 2: Suppose F is a finite field with q elements. Then, q = p^n, where p is the
characteristic of F.

Proof: Suppose a finite field F has q elements, q > 1. Then, since the additive group F
has order q, qa = 0 for all a ∈ F. So, F has positive characteristic p, where p is a prime.
Then, Zp ⊂ F and the dimension of F over Zp is finite since F itself is finite. Suppose
the dimension is n and {v1, v2, . . . , vn} is a basis for F over Zp. Then, we can write any
element of F, uniquely, in the form a1 v1 + a2 v2 + · · · + an vn with ai ∈ Zp, 1 ≤ i ≤ n.
Since there are p choices for each of a1, a2, . . ., an, it follows that F has p^n elements
where p is the characteristic of F. □

In fact, as Theorem 6 asserts, there is a finite field with q elements if q = p^n where p is
prime and n ≥ 1 is an integer.

We shall state without proof the following theorem regarding finite fields, which is
Theorem 6.4 on page 510 of Artin's Algebra.
Theorem 6: Let p be a prime and q = p^r be a power of p, with r ≥ 1.
a) There exists a field of order q.
b) Any two fields of order q are isomorphic.
c) Let K be a finite field with q elements and suppose that K ⊂ F where F is also a
finite field. Then F has q^n elements where n = [F : K].
d) Let K be a field of order q. The multiplicative group K^∗ of nonzero elements of K
is a cyclic group of order q − 1.
e) The elements of K are roots of the polynomial x^q − x. This polynomial has distinct
roots and it factors into linear factors in K.
f) Every irreducible polynomial of degree r in Zp[x] is a factor of x^q − x. The
irreducible factors of x^q − x in Zp[x] are precisely the irreducible polynomials in
Zp[x] whose degree divides r.
g) A field K of order q contains a subfield of order q' = p^k if and only if k | r.

While Theorem 6 guarantees that there is a field of order q = pn for every prime p and
positive integer n > 1, we would like to explicitly construct such a field in our
applications. We will now describe the method for constructing such a field.

Suppose K is a finite field of q = p^n elements. Then, K has characteristic p by
Proposition 2 and so Zp ⊂ K. From Theorem 6, e), it follows that K is the splitting field
of x^q − x ∈ Zp[x]. Since K has p^[K:Zp] elements by Theorem 6, c), it follows that K is a
field extension of degree n over Zp. The extension K over Zp is separable since x^q − x
has distinct roots. So, there is a γ ∈ K such that K = Zp[γ]. Since [K : Zp] = n, γ will
satisfy an irreducible polynomial of degree n over Zp. So, there is an irreducible
polynomial f(x) of degree n over Zp. Thus, we can apply Theorem 4 to construct a
finite field of p^n elements.

Let us take Zp , where p is a prime. We will construct the elements of a finite field with
pn elements as residue classes modulo the irreducible polynomial f(x) of degree n in
Zp [x]. Consider the ring Zp [x]/(f(x)). As we discussed before, we can represent each
coset of Zp [x]/(f(x)) by a polynomial of degree ≤ n − 1. Any polynomial of degree
≤ n − 1 is of the form a0 + a1 x + · · · + an−1 xn−1 and it is completely determined by the
coefficients a0 , a1 , . . . , an−1 . There are p choices for each of the ai , 0 ≤ i ≤ n − 1, so
there are pn polynomials of degree ≤ n − 1. As we saw in the discussion before
Theorem 4, every polynomial is congruent (mod f(x)) to a unique polynomial of
degree ≤ n − 1. So, there are exactly pn elements in Zp [x]/(f(x)).

Example 7: Let us construct F4 . Let p = 2 and f(x) = x2 + x + 1.

The residue classes modulo f are the residue classes of the polynomials 0, 1, x and
x^2 ≡ x + 1 mod f(x). We denote by α the residue class x + (f(x)). In Table 1 and
Table 2 we present the addition and multiplication tables of the residue classes. Note
that α is a zero of f in F4, that is α^2 + α + 1 = 0.

+ 0 1 α α +1
0 0 1 α α +1
1 1 0 α +1 α
α α α +1 0 1
α +1 α +1 α 1 0
Table 1: Addition in F4

∗ 1 α α +1
1 1 α α +1
α α α +1 1
α +1 α +1 1 α
Table 2: Multiplication in F4

The residue class ring mod f is a field since the non-zero residue classes mod f have a
multiplicative inverse.
∗∗∗

In Example 7, we have constructed F4 by taking an irreducible polynomial f(x) of
degree 2 over F2, and we see that the field F4 consists of the residue classes mod f.

Let us look at another example.

Example 8: To construct F9, we take any monic quadratic polynomial in F3[x] which
has no roots in F3. We have already seen in Example 3 that x^2 + 2x + 2 is irreducible in
Z3[x]. Also, by trying all possible choices of coefficients and testing whether the
elements 0, +1, −1 ∈ F3 are roots, we find that there are three monic irreducible
quadratics: x^2 + 1, x^2 + x − 1, x^2 − x − 1 = x^2 + 2x + 2. If, for example, we take α to be
a root of x^2 + 1 (let us call it i rather than α – after all, we are simply adjoining a square
root of −1), then the elements of F9 are all combinations a + bi where a and b are 0, 1,
or −1.

∗∗∗

We shall look at an example to illustrate part f) of Theorem 6.

Example 9: Let us again look at the field F9 of Example 8, this time taking α to be a
root of x^2 − x − 1. As we shall see in the discussion following this example, α generates the
cyclic group F9^∗ of non-zero elements of F9. There are 4 = φ(8) generators of F9^∗: two
are the roots of x^2 − x − 1 and two are the roots of x^2 + x − 1. Of the remaining four
non-zero elements, two are roots of x^2 + 1 (namely ±i = ±(α + 1)) and the other two
are the non-zero elements ±1 of F3 (which are roots of the degree 1 monic irreducible
polynomials x − 1 and x + 1). Thus, each element β satisfies a unique irreducible
polynomial over F3 of degree d = 1 or d = 2. Then the field F3(β) obtained by
adjoining this element to the prime field is an extension of degree d that is contained in
F9. That is, it is a copy of the field F_{3^d}.

∗∗∗

Notice that in Example 8, the element i that we adjoined is not a generator of F9^∗, since
it has order 4 rather than q − 1 = 8. If, however, we adjoin a root α of x^2 − x − 1, we
can get all non-zero elements of F9 by taking the successive powers of α (remember
that α^2 must always be replaced by α + 1, since α satisfies x^2 = x + 1): α^1 = α,
α^2 = α + 1, α^3 = −α + 1, α^4 = −1, α^5 = −α, α^6 = −α − 1, α^7 = α − 1, α^8 = 1.

Definition 11: An element γ ∈ Fq^∗ is called a primitive element of Fq if γ generates
the group Fq^∗.

Definition 12: Suppose K ⊂ F are finite fields. The minimal polynomial of α ∈ F over
K is the monic polynomial of the smallest degree satisfied by α over K.

We say that a polynomial f(x) ∈ Fq[x] of degree m ≥ 1 is primitive if it is the minimal
polynomial of a primitive element of F_{q^m}^∗, the group of non-zero elements of the field
F_{q^m}.

We saw in our earlier discussion that x^2 − x − 1 is an irreducible polynomial over F3
and its root α generates the multiplicative group F9^∗. Thus, the root of x^2 − x − 1 is an
example of a primitive element in F9 and the polynomial x^2 − x − 1 is a primitive
polynomial.

Definition 13: Let f(x) be an irreducible polynomial in Fq[x] of degree m with
f(0) ≠ 0. The order of f(x), denoted by ord(f), is the smallest positive integer e for
which f(x) | x^e − 1.

Let us see why the definition of order of an irreducible polynomial makes sense, i.e.
why there should be a positive integer e such that f(x) | x^e − 1. Let α be a root of an
irreducible polynomial f(x) of degree m ≥ 1 where f(0) ≠ 0. We have α ∈ F_{q^m} and so
α satisfies the polynomial x^{q^m − 1} − 1. So, f(x), being the minimal polynomial of α, has
to divide x^{q^m − 1} − 1. Since the set {n ∈ N | f(x) | x^n − 1} is non-empty, it has a minimum.
Here is a characterisation, without proof, of a primitive polynomial in terms of its order.

Proposition 3: A polynomial f(x) ∈ Fq[x] of degree m is primitive if and only if it is
monic, f(0) ≠ 0, and ord(f) = q^m − 1.

Try the following exercises now.

E7) Construct finite fields with q = p^n elements when
a) p = 2 and n = 3.
b) p = 3 and n = 3.

E8) Check that x6 + x + 1 ∈ F2 [x] is a primitive polynomial.

We have seen that we can construct a finite field of p^n elements using an
irreducible polynomial of degree n over Zp. How do we find such a polynomial? We will
discuss this in the next section. We will also discuss some basic algorithms for
performing arithmetic in finite fields.

1.4 BASIC ALGORITHMS FOR FINITE FIELDS

In this section we will discuss some algorithms for carrying out basic operations in
finite fields. Our discussion in this section is introductory in nature. See Chapter 15 of
[13] (reproduced at the end of the block with the kind permission of Prof. Smart) for a
more detailed discussion. See also Chapter 2 of [5] for more details and the references
mentioned there. The second chapter of [5] is available for download from the Springer
webpage for the book.

Let us suppose that f(x) ∈ Zp[x] is an irreducible polynomial of degree n and that
K = Zp[x]/(f(x)). Addition and subtraction in K are fairly straightforward. If g1(x) + (f(x))
and g2(x) + (f(x)) are two elements in K where g1(x) and g2(x) are polynomials of
degree ≤ n − 1, we simply add g1(x) and g2(x) to get a polynomial g3(x). The sum of
g1(x) + (f(x)) and g2(x) + (f(x)) is g3(x) + (f(x)). We can represent an element
a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a0 + (f(x)) in K = Zp[x]/(f(x)) by an array of integers
[a_{n−1} a_{n−2} · · · a0] of length n. To add two elements in K, we simply add the
corresponding cells of the arrays representing the elements mod p.

Example 10: Consider the polynomial f(x) = x^3 + 2x^2 + 1 = x^3 − x^2 + 1 ∈ Z3[x]. We
have already seen that this is irreducible in Example 3. Let K = Z3[x]/(f(x)). Let
a = g1(x) + (f(x)) = x^2 + 2x + 1 + (f(x)) and b = g2(x) + (f(x)) = 2x^2 + 2 + (f(x)) be
elements in K. Then, a + b = g1(x) + g2(x) + (f(x)) = 2x + (f(x)).

We can represent these elements by the arrays [1 2 1] and [2 0 2]. Adding the
corresponding elements of the arrays mod 3, the sum of a and b is represented by the
array [1 + 2  2 + 0  1 + 2] = [0 2 0], which corresponds to the element
2x + (f(x)) in K.

Let us now consider multiplication. First, let us consider a simple case, where one of
the factors in the multiplication is x + (f(x)). Suppose we want to multiply
c = 2x + 1 + (f(x)) by d = x + (f(x)). Multiplying 2x + 1 and x, we get 2x^2 + x. So,
cd = 2x^2 + x + (f(x)). Let us understand what is happening in terms of the array
representation. The array representation of c = 2x + 1 + (f(x)) is [0 2 1] and the
array representation of cd is [2 1 0]. So, we can obtain the array representation of
cd by shifting the entries of the array corresponding to c to the left by one cell and
filling the vacant rightmost cell with 0. In this case, the leftmost cell contained zero.
What happens if this is not the case?

Let us take c = 2x^2 + x + 1 + (f(x)). Then, working mod 3, we have

cd = 2x^3 + x^2 + x + (f(x))
   = 2x^3 + x^2 + x − 2f(x) + (f(x))
   = 2x^3 + x^2 + x − 2(x^3 − x^2 + 1) + (f(x))
   = x + 1 + (f(x))

This is the same as doing the following:

1) Take the array [2 0 1] which contains the coefficients of terms of degree ≤ 2 of
the polynomial f(x). Multiply each entry of this array by the highest coefficient of
c, namely a2 = 2, to get the array

[1 0 2]                                                                    (13)

2) Take the array [2 1 1] representing c and shift the elements in the array to the
left. We fill up the vacant slot on the extreme right with 0 and the leftmost
coefficient, the coefficient of x^2, is shifted out of the array. We get the following
array

[1 1 0]                                                                    (14)

3) Then, the array corresponding to cx is the array obtained by subtracting from each
element in the array in Eqn. (14) the corresponding element in the array in
Eqn. (13). So, the array we get is [0 1 1] and this represents the element
x + 1 + (f(x)).
∗∗∗

More generally, if c = a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a0 with a_{n−1} = 0 and d = x + (f(x)),
then cd = a_{n−2} x^{n−1} + a_{n−3} x^{n−2} + · · · + a1 x^2 + a0 x. So, we can get the array
representation of cd by shifting the cells in the array to the left by one cell and filling
the vacant cell by zero. So, if c is represented by the array [a_{n−1} a_{n−2} · · · a0], then
cd is represented by the array [a_{n−2} a_{n−3} · · · a0 0].

Suppose a_{n−1} ≠ 0. Let f(x) = x^n + α_{n−1} x^{n−1} + · · · + α1 x + α0. We have

cd = x(a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a0) + (f(x))
   = a_{n−1} x^n + a_{n−2} x^{n−1} + · · · + a0 x − a_{n−1} f(x) + (f(x))
   = (a_{n−2} − a_{n−1} α_{n−1}) x^{n−1} + (a_{n−3} − a_{n−1} α_{n−2}) x^{n−2} + · · ·
     + (a0 − a_{n−1} α1) x − a_{n−1} α0 + (f(x))

So, if c is represented by the array [a_{n−1} a_{n−2} · · · a0], then cd is represented by the
array

[a_{n−2} − a_{n−1} α_{n−1}   a_{n−3} − a_{n−1} α_{n−2}   · · ·   a0 − a_{n−1} α1   −a_{n−1} α0].      (15)

We can achieve the same result as follows:

1) We take the array [α_{n−1} α_{n−2} · · · α0] and multiply each element of this array by
a_{n−1} to get the array

[a_{n−1} α_{n−1}   a_{n−1} α_{n−2}   · · ·   a_{n−1} α0]                                  (16)

2) We take the array [a_{n−1} a_{n−2} · · · a0] corresponding to c and shift the elements
of this array to the left by one cell to get

[a_{n−2} a_{n−3} · · · a0 0]                                                          (17)

3) We can obtain the array corresponding to cx by subtracting from each element in
the array in Eqn. (17) the corresponding element in the array in Eqn. (16). This is
exactly the array in Eqn. (15).

More generally, suppose c = a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + · · · + a0 + (f(x)) and
d = b_{n−1} x^{n−1} + b_{n−2} x^{n−2} + · · · + b0 + (f(x)) are two elements of K. Then,

cd = ∑_{i=0}^{n−1} b_i x^i c + (f(x))                                                      (18)

where we repeatedly apply the method that we have found for multiplying a general
element of K by x + (f(x)). Let us look at an example to understand this.

Example 11: Let us multiply the elements c = x^2 + 2x + 1 + (f(x)) and
d = 2x^2 + x + 2 + (f(x)) in K where K is the field in Example 10. Let us represent c by
the array A = [1 2 1] and d by the array B = [2 1 2]. Let us use the array
C = [2 0 1] to store the coefficients of terms of degree ≤ 2 of the polynomial f(x). Let
us represent P by an array of size 3 with all its entries 0, i.e. P = [0 0 0]. When we
finish multiplying, P will contain the product of c and d. Also, for any array X, X[i] is
the entry in the ith cell of X. The cells of an array are numbered from 0 starting with
the rightmost cell, so that X[i] holds the coefficient of x^i. The coefficients of d are
b0 = 2, b1 = 1 and b2 = 2. Then, b0 c = 2c is represented by the array [2 1 2]. We now
add the values in the cells of 2c to the corresponding cells in the array P, so that
P = [2 1 2].

We have a2 = A[2] = 1 ≠ 0. Multiplying the entries in the array C by A[2], we get

[2 0 1]                                                                     (19)

Shifting the entries in array A to the left, we get the array

[2 1 0].                                                                    (20)

We subtract from each element in the array in Eqn. (20) the corresponding element in
the array in Eqn. (19) to get

xc = [2 − 2   1 − 0   0 − 1] = [0 1 2]                                          (21)
∴ b1 xc = B[1] xc = xc = [0 1 2]                                               (22)

We add the values in the cells of b1 xc to the corresponding cells in P to get
P = [2 2 1].

Next, we find b2 x^2 c. We already know that the array representing xc is Eqn. (21), so we
have to multiply the element corresponding to this array by x again. In the array
corresponding to xc, the leftmost cell contains 0, so to multiply xc by x, we only have to
shift the elements in the cells in Eqn. (21). So, the array corresponding to x^2 c is
[1 2 0]. So, b2 x^2 c is represented by the array [2 1 0]. We add the values in the
cells of the array corresponding to b2 x^2 c to the corresponding cells in P to get
P = [1 0 1]. So, cd = x^2 + 1 + (f(x)). Check this by multiplying x^2 + 2x + 1 and
2x^2 + x + 2 in Z3[x] and dividing the product by the polynomial x^3 + 2x^2 + 1. The
remainder will be x^2 + 1.
∗∗∗
Algorithm 2 Algorithm for Multiplication in Finite Fields.
1: procedure ALGORITHM FOR MULTIPLICATION IN FINITE FIELDS(A, B, C)  ▷ A and B
are, respectively, the array representations of the elements c = g1(x) + (f(x)) and
d = g2(x) + (f(x)) in Zp[x]/(f(x)), and the array C contains all the coefficients of f(x)
except that of the highest degree term, which is assumed to be 1. All arithmetic is
carried out mod p. The procedure returns the product of the two elements g1(x) + (f(x))
and g2(x) + (f(x)) in Zp[x]/(f(x)).
2:   for i = 0 to n − 1 do  ▷ Initialise the values of the cells of P to 0.
3:     P[i] ← 0
4:   end for
5:   for i = 0 to n − 1 do  ▷ Calculate b0 c.
6:     P[i] ← A[i]B[0]
7:   end for
8:   for i = 0 to n − 1 do  ▷ Initialise the value of T to x^0 c = c.
9:     T[i] ← A[i]
10:  end for
11:  for i = 1 to n − 1 do  ▷ Calculation of x^i c.
12:    h ← T[n − 1]  ▷ Save the value of T[n − 1] in h.
13:    for j = n − 2 down to 0 do  ▷ Shift the entry in each cell in T to its left neighbour,
starting from the top cell so that no entry is overwritten before it has been moved.
14:      T[j + 1] ← T[j]
15:    end for
16:    T[0] ← 0
17:    if h ≠ 0 then
18:      for j = 0 to n − 1 do
19:        T[j] ← T[j] − hC[j]
20:      end for
21:    end if  ▷ Calculation of x^i c ends. T holds the value of x^i c.
22:    for j = 0 to n − 1 do  ▷ Calculate b_i x^i c + (f(x)) + ∑_{k=0}^{i−1} b_k x^k c + (f(x)).
23:      P[j] ← B[i]T[j] + P[j]
24:    end for
25:  end for
26:  return P
27: end procedure

Algorithm 2 multiplies two elements in a finite field K = Zp[x]/(f(x)). We use arrays of size n
to represent the elements of K, where n is the degree of the irreducible polynomial f(x).
The cells of the arrays used are numbered from right to left with the rightmost cell
numbered 0 and the leftmost cell numbered n − 1. As usual, for any array X, X[i] will
denote the contents of the ith cell. As before, let us suppose that

c = an−1 xn−1 +an−2 xn−2 +· · ·+a0 +(f(x)) and d = bn−1 xn−1 +bn−2 xn−2 +· · ·+b0 +f(x).

In the algorithm, the elements c = g1 (x) + (f(x)) and d = g2 (x) + (f(x)) are represented
by arrays A and B of length n. The array C is the array αn−1 αn−2 · · · α0 . This
array contains all the coefficients of the polynomial

f(x) = xn + αn−1 xn−1 + · · · + α1 x + α0

except the highest degree term. The array T holds the values xi c for different values i
during the evaluation of the loop in lines 11 to 25.

Note that, multiplication by x is very simple in the case p = 2. Suppose g(x) + (f(x)) is
represented by the array A of size n. To find xg(x), we first check if A[n − 1] = 0. If
A[n − 1] = 0, we simply perform a left shift. If A[n − 1] = 1, we perform a left shift and
XOR the value in each cell of the resulting array with corresponding cell of the array C
containing the coefficients of f.

Let us now discuss division. Suppose we want to find α/β. We find β^{−1} and then find
the product αβ^{−1}. Suppose β = g(x) + (f(x)). Since deg g(x) < deg f(x) and f(x) is
irreducible, (f(x), g(x)) = 1. So, we can find p(x), q(x) such that

p(x)f(x) + q(x)g(x) = 1

using the extended Euclidean algorithm. Then, q(x) + (f(x)) is the inverse of g(x) + (f(x)).

We can find the inverse of an element β in Fq^∗ in another way. Since Fq^∗ has q − 1
elements, we have β^{q−2} β = β^{q−1} = 1, so β^{−1} = β^{q−2}. This method is useful if finding
the powers of β is faster than applying the extended Euclidean algorithm.
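The shift-and-subtract multiplication of Algorithm 2, together with the inverse by exponentiation β^{−1} = β^{q−2}, as an added Python example (not code from the unit). It keeps the unit's convention that cell 0 is the constant term, and reproduces the arithmetic of Examples 10 and 11 in the field Z3[x]/(x^3 + 2x^2 + 1).

```python
from typing import List

# Added example; not code from the unit. An element of K = Z_p[x]/(f(x)) is a
# list of n integers with X[i] = coefficient of x^i, so X[0] is the unit's
# "rightmost cell" (cell 0) and X[n-1] its leftmost cell.
# f(x) = x^n + C[n-1] x^{n-1} + ... + C[0] is monic and irreducible; C holds
# every coefficient except the leading 1, exactly like the array C of Algorithm 2.
Elem = List[int]


def add(p: int, A: Elem, B: Elem) -> Elem:
    """Cell-wise addition mod p (Example 10)."""
    return [(a + b) % p for a, b in zip(A, B)]


def times_x(p: int, C: Elem, T: Elem) -> Elem:
    """Multiply T by x + (f(x)): shift left (towards x^{n-1}), then subtract
    h*C if the coefficient h that was shifted out is non-zero
    (lines 12 to 21 of Algorithm 2; for p = 2 the subtraction is an XOR)."""
    n = len(T)
    h = T[n - 1]                          # coefficient of x^{n-1}, shifted out
    S = [0] + T[:n - 1]                   # S[j+1] = T[j], S[0] = 0
    if h != 0:
        S = [(s - h * c) % p for s, c in zip(S, C)]
    return S


def mul(p: int, C: Elem, A: Elem, B: Elem) -> Elem:
    """Algorithm 2: c*d = sum_i b_i (x^i c), Eqn. (18)."""
    n = len(A)
    P = [(a * B[0]) % p for a in A]       # b_0 c
    T = list(A)                           # T = x^0 c
    for i in range(1, n):
        T = times_x(p, C, T)              # T = x^i c
        P = [(P[j] + B[i] * T[j]) % p for j in range(n)]
    return P


def power(p: int, C: Elem, A: Elem, e: int) -> Elem:
    """A^e by square-and-multiply, using mul() for every product."""
    n = len(A)
    R = [1] + [0] * (n - 1)               # the element 1 + (f(x))
    base = list(A)
    while e > 0:
        if e & 1:
            R = mul(p, C, R, base)
        base = mul(p, C, base, base)
        e >>= 1
    return R


def inverse(p: int, C: Elem, A: Elem) -> Elem:
    """beta^{-1} = beta^{q-2} with q = p^n (the second method in the text)."""
    if not any(A):
        raise ZeroDivisionError("0 + (f(x)) has no inverse")
    return power(p, C, A, p ** len(A) - 2)


# Field of Example 10: f(x) = x^3 + 2x^2 + 1 over Z_3, so C = [1, 0, 2].
P3, C3 = 3, [1, 0, 2]
c = [1, 2, 1]          # x^2 + 2x + 1 + (f(x)), the unit's array [1 2 1]
d = [2, 1, 2]          # 2x^2 + x + 2 + (f(x)), the unit's array [2 1 2]

if __name__ == "__main__":
    print(mul(P3, C3, c, d))                       # [1, 0, 1]: x^2 + 1, as in Example 11
    print(mul(P3, C3, d, inverse(P3, C3, d)))      # [1, 0, 0]: the element 1
```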

Another approach for multiplication and division, when the size of the field is small
enough, is to use logarithms and antilogarithms. Suppose Fq is a finite field and γ is a
primitive element of the field, i.e. γ generates the group F∗q . Then, Fq = Zp [γ], so, we
can write every element of Fq uniquely in the form

a0 + a1 γ + · · · + an−1 γ n−1 (23)

where n is the degree of Fq over Zp and 0 ≤ ai ≤ p − 1 for 0 ≤ i ≤ n − 1. We can
represent each element of Fq by an n-tuple (a_{n−1}, a_{n−2}, . . . , a0).

If we fix a primitive element γ, we can talk of logarithms and antilogarithms in Fq .

Definition 14: For an element α ∈ Fq^∗, suppose α = γ^k with 0 ≤ k < q − 1. Then, we
call k the logarithm of α to the base γ. We write log_γ α = k. If 0 ≤ k < q − 1, then γ^k is
the antilogarithm of k to the base γ. We write alog_γ k = α.

Note that logγ : F∗q −→ {0, 1, . . . , q − 2} and alogγ : {0, 1, . . . , q − 2} −→ F∗q are inverse
functions of each other. Further, they satisfy the relations

log_γ(αβ) ≡ log_γ(α) + log_γ(β) (mod q − 1)                                         (24)

log_γ(αβ^{−1}) ≡ log_γ(α) − log_γ(β) (mod q − 1)                                      (25)

These properties are simple consequences of the fact that F∗q is a cyclic group of order
q − 1.

We often drop the subscript γ and simply write log α and alog i when it is clear from the
context what γ is.

For performing multiplication and division using logarithms and antilogarithms, we
proceed as follows: We compute the pairs (γ^i, i) and we store these values in two
different tables, an antilog table sorted according to i and a log table sorted according to
γ^i. While creating the log table we represent each γ^i as a linear combination of powers
of γ and use lexicographic order on the representation of γ^i as an n-tuple in Zp^n.

Let us now look at an example to understand this.

Example 12: Consider the field F_{2^4}. We will represent the field as Z2[x]/(f(x)) where f(x) is
the polynomial x^4 + x^3 + 1 ∈ Z2[x]. Let us first check that γ = x + (f(x)) is a primitive
element. Since F_{2^4}^∗ has 15 elements, we have to check that γ^3 ≠ 1 and γ^5 ≠ 1. We have
γ^3 = x^3 + (f(x)) ≢ 1 + (f(x)) mod (f(x)). Also, γ^5 ≡ x^4 + x ≢ 1 + (f(x)) mod (f(x)). So,
γ is a primitive element. We calculate the powers of γ and write each of them as a
polynomial in γ. We can do this easily using the method we used for calculating xc,
x^2 c, etc. in Algorithm 2.

Note that, since γ^0 = 1 = 0γ^3 + 0γ^2 + 0γ + 1, we can represent 1 by the vector
(0, 0, 0, 1). Similarly, since γ = 0γ^3 + 0γ^2 + 1γ + 0, we can represent γ by the vector
(0, 0, 1, 0). We can find the vector representation of γ^2 and γ^3 also easily.

We have γ^4 = γγ^3 = (x + (f(x)))(x^3 + (f(x))). So, to find γ^4, we have to multiply
x^3 + (f(x)) by x + (f(x)). We carry out a left shift of the entries of the vector
representation of γ^3, which is (1, 0, 0, 0), to get (0, 0, 0, 0). Since the entry in the
leftmost component of (1, 0, 0, 0) is 1, we then add the vector (1, 0, 0, 1) (containing the
coefficients of terms of degree ≤ 3 of the irreducible polynomial f(x)) to the vector
(0, 0, 0, 0) to get (1, 0, 0, 1). Thus, γ^4 = (1, 0, 0, 1). To find γ^5 we carry out a left shift of
(1, 0, 0, 1) to get (0, 0, 1, 0). We then add (1, 0, 0, 1) to this vector to get (1, 0, 1, 1). So,
γ^5 = (1, 0, 1, 1). We calculate the vector representations of other powers of γ similarly.

The table of values is in Table 3. Sorting the vector representation of γ^i in lexicographic
order, we get the logarithm table in Table 4a. We use Table 4b for finding
antilogarithms.

Table 3: Table of values

 i    γ^i                      Vector
 0    1                        (0, 0, 0, 1)
 1    γ                        (0, 0, 1, 0)
 2    γ^2                      (0, 1, 0, 0)
 3    γ^3                      (1, 0, 0, 0)
 4    γ^3 + 1                  (1, 0, 0, 1)
 5    γ^3 + γ + 1              (1, 0, 1, 1)
 6    γ^3 + γ^2 + γ + 1        (1, 1, 1, 1)
 7    γ^2 + γ + 1              (0, 1, 1, 1)
 8    γ^3 + γ^2 + γ            (1, 1, 1, 0)
 9    γ^2 + 1                  (0, 1, 0, 1)
10    γ^3 + γ                  (1, 0, 1, 0)
11    γ^3 + γ^2 + 1            (1, 1, 0, 1)
12    γ + 1                    (0, 0, 1, 1)
13    γ^2 + γ                  (0, 1, 1, 0)
14    γ^3 + γ^2                (1, 1, 0, 0)

Table 4: Tables of logarithms and antilogarithms

(a) Logarithm Table

 Vector          Log
 (0, 0, 0, 1)     0
 (0, 0, 1, 0)     1
 (0, 0, 1, 1)    12
 (0, 1, 0, 0)     2
 (0, 1, 0, 1)     9
 (0, 1, 1, 0)    13
 (0, 1, 1, 1)     7
 (1, 0, 0, 0)     3
 (1, 0, 0, 1)     4
 (1, 0, 1, 0)    10
 (1, 0, 1, 1)     5
 (1, 1, 0, 0)    14
 (1, 1, 0, 1)    11
 (1, 1, 1, 0)     8
 (1, 1, 1, 1)     6

(b) Antilogarithm Table

  i    alog_γ i
  0    (0, 0, 0, 1)
  1    (0, 0, 1, 0)
  2    (0, 1, 0, 0)
  3    (1, 0, 0, 0)
  4    (1, 0, 0, 1)
  5    (1, 0, 1, 1)
  6    (1, 1, 1, 1)
  7    (0, 1, 1, 1)
  8    (1, 1, 1, 0)
  9    (0, 1, 0, 1)
 10    (1, 0, 1, 0)
 11    (1, 1, 0, 1)
 12    (0, 0, 1, 1)
 13    (0, 1, 1, 0)
 14    (1, 1, 0, 0)

Suppose we want to multiply the vectors α = (0, 1, 1, 0) and β = (1, 0, 1, 1). From
Table 4a, we see that log(0, 1, 1, 0) = 13 and log(1, 0, 1, 1) = 5. We have
13 + 5 = 18 ≡ 3 (mod 15). Looking at Table 4b, we see that alog 3 = (1, 0, 0, 0). So,
αβ = (1, 0, 0, 0).

Suppose we want to divide β by α. From Eqn. (25), we have

log(βα^{−1}) = log β − log α = 5 − 13 = −8 ≡ 7 (mod 15)

and from Table 4b, we see that alog 7 = (0, 1, 1, 1). So, β/α = (0, 1, 1, 1).

We were able to carry out our computations easily because the irreducible polynomial
x^4 + x^3 + 1 is a trinomial. Similarly, the computations are easy if we choose an
irreducible pentanomial, i.e. a polynomial of the form x^n + x^{k1} + x^{k2} + x^{k3} + 1. The
table at the end of Chapter 15 of [13] gives, for each n, an irreducible trinomial or
pentanomial of degree n when p = 2. We usually choose irreducible trinomials or
pentanomials to represent finite fields.

∗∗∗
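The log/antilog method of Example 12, as an added Python example (not the unit's code): it builds Tables 3 and 4 for f(x) = x^4 + x^3 + 1 by repeated multiplication by γ, checks that γ really is primitive (generalising the "γ^3 ≠ 1, γ^5 ≠ 1" test by computing the order of γ), and then multiplies and divides using Eqns. (24) and (25). The same functions work for any f over Z2 whose root x is primitive.

```python
from typing import Dict, List, Tuple

# Added example; not the unit's own code. F_{2^4} is represented as
# Z_2[x]/(f(x)) with f(x) = x^4 + x^3 + 1 as in Example 12, and elements are
# the 4-tuples (a3, a2, a1, a0) of Table 3.
Vec = Tuple[int, ...]


def times_gamma(v: Vec, C: Vec) -> Vec:
    """Multiply v by gamma = x + (f(x)): shift left, then XOR with C (the
    coefficients of f below x^n) if the component shifted out was 1."""
    out = v[1:] + (0,)
    if v[0] == 1:
        out = tuple(a ^ b for a, b in zip(out, C))
    return out


def powers_of_gamma(C: Vec) -> List[Vec]:
    """gamma^0, gamma^1, ... up to (not including) the first return to 1;
    the length of the list is the multiplicative order of gamma."""
    n = len(C)
    if C[-1] == 0:
        raise ValueError("f(0) = 0, so x + (f(x)) is not invertible")
    one = (0,) * (n - 1) + (1,)
    powers = [one]
    v = times_gamma(one, C)
    while v != one:
        powers.append(v)
        v = times_gamma(v, C)
    return powers


def build_tables(C: Vec) -> Tuple[List[Vec], Dict[Vec, int]]:
    """(antilog table, log table) for gamma = x + (f(x)); raises if gamma is
    not primitive, i.e. if its order is smaller than 2^n - 1."""
    alog = powers_of_gamma(C)
    if len(alog) != 2 ** len(C) - 1:
        raise ValueError(f"x is not primitive: order {len(alog)}, not {2 ** len(C) - 1}")
    log = {vec: i for i, vec in enumerate(alog)}
    return alog, log


F16_C: Vec = (1, 0, 0, 1)          # x^3 + 0x^2 + 0x + 1, the part of f below x^4
ALOG, LOG = build_tables(F16_C)    # ALOG[i] = gamma^i (Table 4b), LOG[v] = i (Table 4a)
Q_MINUS_1 = len(ALOG)              # 15


def gf_mul(a: Vec, b: Vec) -> Vec:
    """Eqn. (24): log(ab) = log a + log b (mod q - 1); 0 has no logarithm."""
    zero = (0,) * len(a)
    if a == zero or b == zero:
        return zero
    return ALOG[(LOG[a] + LOG[b]) % Q_MINUS_1]


def gf_div(a: Vec, b: Vec) -> Vec:
    """Eqn. (25): log(a b^{-1}) = log a - log b (mod q - 1)."""
    zero = (0,) * len(a)
    if b == zero:
        raise ZeroDivisionError("division by 0 + (f(x))")
    if a == zero:
        return zero
    return ALOG[(LOG[a] - LOG[b]) % Q_MINUS_1]


if __name__ == "__main__":
    print(gf_mul((0, 1, 1, 0), (1, 0, 1, 1)))   # (1, 0, 0, 0), as in the text
    print(gf_div((1, 0, 1, 1), (0, 1, 1, 0)))   # (0, 1, 1, 1)
```

For f(x) = x^4 + x^3 + x^2 + x + 1 the same code reports that x has order 5, so that polynomial, although irreducible, could not be used with γ = x for these tables.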

Try the following exercise to check your understanding of the discussion in Example 12.

E9) In this exercise, we work in F_{2^4}. We use the representation in Example 12 for this
field and choose γ also as in Example 12. Let α1 = (1, 1, 0, 0), α2 = (1, 0, 1, 1) and
α3 = (0, 1, 1, 1). Use the log and antilog tables in Table 4 to find the following:
a) α1 α3^{−3}   b) α1 α2^{−1} α3^2.

We now discuss an algorithm for checking whether a polynomial in F[x] is irreducible,
where F is a finite field with q elements. We saw in Theorem 6 that every irreducible
polynomial of degree r over Fp is a factor of x^{p^r} − x. This result is true in general: any
irreducible polynomial of degree r over Fq is a factor of x^{q^r} − x. So, to check whether a
polynomial f(x) is irreducible over Fq, all we have to do is to check if

gcd(x^{q^r} − x, f(x)) = 1

for sufficiently large r. How large should r be? Suppose f(x) is a reducible polynomial
of degree n and let g(x) be its irreducible factor of minimum degree. Then
f(x) = g(x)h(x). Comparing the degrees on both sides, n = deg(g) + deg(h) ≥ 2 deg(g), or
deg(g) ≤ n/2. So, we have to check whether gcd(x^{q^r} − x, f) = 1 for all r ≤ n/2. Also,
observe that

gcd(x^{q^r} − x, f) = gcd(x^{q^r} − r(x)f(x) − x, f(x))

for any polynomial r(x) ∈ F[x]. So, we can replace x^{q^r} − x by its remainder on division
by f(x). Using these observations, we have Algorithm 3 for checking whether a
polynomial f(x) is irreducible.

Algorithm 3 Algorithm to test the irreducibility of a polynomial over a finite field.

1: h ← x
2: for k ← 1 to ⌊n/2⌋ do
3:   h ← h^q mod f
4:   if gcd(h − x, f) ≠ 1 then
5:     return f is reducible
6:   end if
7: end for
8: return f is irreducible

Let us now look at an example to understand Algorithm 3.

Example 13: Let us check that x^4 + x + 1 is irreducible over Z2. Here n = 4, q = 2.
Also, we have to check up to k = 2 in the algorithm.
k = 1: Let us find the gcd of x^4 + x + 1 and x^2 − x = x^2 + x. Since x and x^4 + x + 1 are
coprime, we can discard the factor x in x^2 + x. So, it is enough to find the gcd of x + 1
and x^4 + x + 1. Putting x = 1 in x^4 + x + 1, we see that 1 + 1 + 1 = 1 ≠ 0, so x + 1 is not
a factor of x^4 + x + 1.
k = 2: We have to check that gcd(x^4 + x + 1, x^4 − x) = 1. Since x^4 − x = x^4 + x = x(x^3 + 1)
and x is coprime to x^4 + x + 1, it is enough to check that gcd(x^4 + x + 1, x^3 + 1) = 1. We have

x^4 + x + 1 = x(x^3 + 1) + 1

so x^4 + x + 1 and x^3 + 1, and hence x^4 + x + 1 and x^4 + x, are coprime. Thus, the polynomial
x^4 + x + 1 ∈ Z2[x] is irreducible.
∗∗∗

Try the following exercise to check your understanding of Example 13.

E10) Check whether the polynomial x4 + 1 is irreducible over Z3 .

Algorithm 4 makes use of Algorithm 3 to find an irreducible polynomial of arbitrary
degree.

Algorithm 4 Algorithm to produce an irreducible polynomial of degree n over F.

repeat
  Choose c0, c1, . . . , c_{n−1} ∈ F at random
  Set f ← x^n + ∑_{i=0}^{n−1} c_i x^i
  Test if f is irreducible
until f is irreducible
return f
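Algorithms 3 and 4 over a prime field Zp, as an added Python example (not the unit's code). Polynomials are coefficient lists with index equal to degree, h^q mod f is computed by square-and-multiply, and the gcd is the Euclidean algorithm; only q = p prime is handled, since the leading coefficients are inverted with pow(c, −1, p). The x^4 + x + 1 case of Example 13 is included as a check.

```python
import random
from typing import List, Optional

# Added example, not the unit's own code. Polynomials over Z_p are lists of
# ints with a[i] = coefficient of x^i and no leading zeros ([] is the zero
# polynomial). Only a prime field Z_p (q = p) is supported.
Poly = List[int]


def trim(a: Poly) -> Poly:
    """Drop leading zero coefficients in place and return the list."""
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_sub(a: Poly, b: Poly, p: int) -> Poly:
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])


def poly_mul(a: Poly, b: Poly, p: int) -> Poly:
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def poly_mod(a: Poly, m: Poly, p: int) -> Poly:
    """Remainder of a on division by the non-zero polynomial m."""
    a = trim(list(a))
    inv_lead = pow(m[-1], -1, p)
    while len(a) >= len(m):
        coef = (a[-1] * inv_lead) % p
        shift = len(a) - len(m)
        for i, y in enumerate(m):
            a[i + shift] = (a[i + shift] - coef * y) % p
        trim(a)                       # the top coefficient is now 0
    return a


def poly_gcd(a: Poly, b: Poly, p: int) -> Poly:
    """Monic gcd by the Euclidean algorithm (gcd(a, 0) = a)."""
    a, b = trim(list(a)), trim(list(b))
    while b:
        a, b = b, poly_mod(a, b, p)
    if a:
        inv_lead = pow(a[-1], -1, p)
        a = [(x * inv_lead) % p for x in a]
    return a


def poly_powmod(base: Poly, e: int, m: Poly, p: int) -> Poly:
    """base^e mod m by square-and-multiply."""
    result, base = [1], poly_mod(base, m, p)
    while e > 0:
        if e & 1:
            result = poly_mod(poly_mul(result, base, p), m, p)
        base = poly_mod(poly_mul(base, base, p), m, p)
        e >>= 1
    return result


X: Poly = [0, 1]   # the polynomial x


def is_irreducible(f: Poly, p: int) -> bool:
    """Algorithm 3 for a monic f of degree n over Z_p: for k = 1..floor(n/2)
    set h = h^q mod f (so h = x^(q^k) mod f) and stop as soon as
    gcd(h - x, f) != 1."""
    n = len(f) - 1
    h = X
    for _ in range(1, n // 2 + 1):
        h = poly_powmod(h, p, f, p)
        if poly_gcd(poly_sub(h, X, p), f, p) != [1]:
            return False
    return True


def random_irreducible(n: int, p: int, rng: Optional[random.Random] = None) -> Poly:
    """Algorithm 4: draw random monic polynomials of degree n until one passes."""
    rng = rng or random.Random()
    while True:
        f = [rng.randrange(p) for _ in range(n)] + [1]   # c_0..c_{n-1}, then x^n
        if is_irreducible(f, p):
            return f


if __name__ == "__main__":
    print(is_irreducible([1, 1, 0, 0, 1], 2))   # x^4 + x + 1 over Z_2 (Example 13): True
    print(random_irreducible(8, 2))             # some monic irreducible of degree 8
```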

We have come to the end of this unit. We have summarised the contents of this unit in
the next section.

1.5 SUMMARY

In this unit, we have covered the following points:

1. The construction of finite fields;

2. The extended Euclidean algorithm for polynomials;

3. The order of an irreducible polynomial over a finite field;

4. The concept of a primitive polynomial over a finite field;

5. An algorithm for multiplying and dividing elements in a finite field using the shift
and multiply approach;

6. An algorithm for multiplying and dividing elements in a finite field using discrete
logarithms and antilogarithms;

7. An algorithm for checking the irreducibility of a polynomial over a finite field;
and

8. An algorithm for constructing an irreducible polynomial of a given degree.

1.6 SOLUTIONS/ANSWERS

E1) a) Making a table of values, we have

x 0 1 2 3 4 5 6
f(x) 5 1 6 6 1 5 4

So, f(a) ≠ 0 for all a ∈ Z7. So, f(x) is irreducible.


b) We make a table of values as before.

x 0 1 2 3 4 5 6
g(x) 5 1 6 6 1 5 4

Again, g(a) ≠ 0 for all a ∈ Z7. So, g(x) is irreducible.

E2) By Theorem 3, we need to check whether the polynomials have zeros in the fields
over which they are defined.
a) Z2 = {0, 1}. The given polynomial is f(x) = x2 + x + 1 ∈ Z2 [x]. Then
f(0) = 1 and f(1) = 1. Hence both f(0) and f(1) are non-zero.
b) The integers mod 7 are 0, 1, 2, 3, 4, 5 and 6. The given polynomial is
f(x) = x2 + 1 ∈ Z7 [x]. Then the values taken by f(x) at all of these integers is
non-zero. This can be checked as above, but the calculations are carried out
in Z7 .
c) The integers mod 11 are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10. The given polynomial
is f(x) = x3 − 9 ∈ Z11 [x]. Here, f(4) = 0 in Z11 . Hence, f(x) is reducible over
the integers mod 11.

E3) Note that if g(x) = T2(x) = 0, the loop will not be evaluated and the algorithm returns the values T1(x) = f(x), Q1(x) = 1 and R1(x) = 0. For these values,

Q1(x)f(x) + R1(x)g(x) = f(x)

and f(x) is the gcd of f(x) and g(x) when g(x) = 0. So this choice works correctly when g(x) = 0.

Suppose g(x) ≠ 0. In this case the loop will be evaluated. After the evaluation of line 4 of the algorithm, the value of S(x) will be s1(x), the quotient on division of f(x) by g(x). Line 5 finds Q3(x), R3(x) and T3(x) from Q1(x), R1(x), T1(x), Q2(x), R2(x) and T2(x) using Eqn. (9), Eqn. (10) and Eqn. (11). Note that

T3(x) = T1(x) − S(x)T2(x) = f(x) − s1(x)g(x), which is 0 if g(x) | f(x).

Line 7 assigns the values of Q2(x), R2(x) and T2(x) to Q1(x), R1(x) and T1(x), respectively, so the new values are Q1(x) = 0, R1(x) = 1 and T1(x) = g(x). Line 8 assigns the values of Q3(x), R3(x) and T3(x) to Q2(x), R2(x) and T2(x), respectively. But if g(x) | f(x), then T2(x) = 0 since T3(x) = 0. So the loop will not be entered again. The algorithm will return the values of T1(x), Q1(x) and R1(x), which are g(x), 0 and 1, respectively. These values are correct, since 0 · f(x) + 1 · g(x) = g(x) and g(x) is the gcd of f(x) and g(x) if g(x) divides f(x).

If g(x) ∤ f(x), then T3(x) ≠ 0 and so T2(x) ≠ 0, so the loop will be evaluated again. When the loop is evaluated for the second time, the values of Q1(x), R1(x), T1(x), Q2(x), R2(x), T2(x) will be as follows:

Q1(x) = 0, R1(x) = 1, T1(x) = g(x).
Q2(x) = 1, R2(x) = −s1(x), T2(x) = f(x) − s1(x)g(x) = t1(x).

After line 4 is executed the second time,

S(x) = T1(x) div T2(x) = g(x) div t1(x) = s2(x).

If we let S(x) = s2(x) and apply the equations Eqn. (6) and Eqn. (8), we find that

Q3(x) = Q1(x) − S(x)Q2(x) = 0 − s2(x) · 1 = −s2(x),
R3(x) = R1(x) − S(x)R2(x) = 1 − s2(x)(−s1(x)) = 1 + s1(x)s2(x),
T3(x) = T1(x) − S(x)T2(x) = g(x) − s2(x)t1(x) = t2(x).

After lines 7 and 8 are executed again, the values will be as follows:

Q1(x) = 1, R1(x) = −s1(x), T1(x) = t1(x).
Q2(x) = −s2(x), R2(x) = 1 + s1(x)s2(x), T2(x) = t2(x).

These values correspond to the values in Eqn. (3). So, from our discussion after Eqn. (3), it follows that the algorithm works correctly.

E4) We give an outline of the solution and leave it to you to work out the details.

Initialisation

Q1(x) ← 1, Q2(x) ← 0, R1(x) ← 0, R2(x) ← 1, T1(x) ← f(x), T2(x) ← g(x).

Values at the end of the first iteration:

Q1(x) = 0, R1(x) = 1, T1(x) = g(x).
Q2(x) = 1, R2(x) = −(x + 1), T2(x) = x^3 + x + 1.

We have T2(x) ≠ 0. So we carry out one more iteration. The values at the end of the second iteration are

Q1(x) = 1, R1(x) = −(x + 1), T1(x) = x^3 + x + 1.
Q2(x) = −x, R2(x) = 1 + x + x^2, T2(x) = −x^2 − x + 1.

Again, T2(x) ≠ 0. So we carry out one more iteration. The values at the end of the third iteration are

Q1(x) = −x, R1(x) = 1 + x + x^2, T1(x) = −x^2 − x + 1.
Q2(x) = −x^2 + x + 1, R2(x) = x^3 − x + 1, T2(x) = 0.

Since T2(x) is zero, the loop will not be entered again and the values h(x) = −x^2 − x + 1, Q(x) = −x and R(x) = 1 + x + x^2 will be returned.

E5) q(x) = x^4 + x^3 + x^2 + x − 2, r(x) = 4x + 3.
E6) No. (x^2 − 5x + 6) is not a maximal ideal of Q[x], since

x^2 − 5x + 6 = (x − 3)(x − 2)

is not irreducible over Q.

Yes, (x^2 − 6x + 6) is a maximal ideal of Q[x], since x^2 − 6x + 6 is irreducible over Q (its discriminant 36 − 24 = 12 is not a square in Q).


E7) a) Take an irreducible polynomial f(x) of degree 3 over Z2. Then Z2[x]/(f(x)) is a field with q = 2^3 = 8 elements. As we have seen before, a polynomial of degree 3 is irreducible if and only if it has no zero, so we look at the monic cubics over Z2 and check which have no zero in Z2. The possibilities are f(x) = x^3 + a2x^2 + a1x + a0, where ai = 0 or 1 for i = 0, 1 and 2. We need a0 = 1 (otherwise 0 is a zero) and f(1) = a2 + a1 ≠ 0 in Z2 (otherwise 1 is a zero), so exactly one of a1, a2 is 1. Among these polynomials, the irreducible ones are therefore x^3 + x^2 + 1 and x^3 + x + 1.
b) Take an irreducible polynomial f(x) of degree 3 over Z3. Then Z3[x]/(f(x)) is a field with q = 3^3 = 27 elements. A monic polynomial of degree 3 over Z3 is given by f(x) = x^3 + a2x^2 + a1x + a0, where ai = 0, 1 or 2 for i = 0, 1 and 2. For example, x^3 + x^2 + 2 is irreducible over Z3, since it does not have a zero there: its values at 0, 1, 2 are 2, 1, 2. The other irreducible polynomials can be found in the same way.
E8) Consider the ring R = F2[x]/(f(x)), where f(x) = x^6 + x + 1. This ring has 64 elements, since each coset in R is represented by a unique polynomial of degree ≤ 5. Consider the element α = x + (f(x)). Since f(x) has non-zero constant term, x is coprime to x^6 + x + 1, so there are polynomials p(x) and q(x) such that p(x)x + q(x)f(x) = 1. So xp(x) ≡ 1 (mod f(x)), and therefore α is a unit in R. If we prove that α has order 63 in the group R*, the group of units of R, we will be through: the 63 powers α, α^2, ..., α^63 are then distinct non-zero elements of R, i.e. all of its non-zero elements, so every non-zero element of R is invertible. So R is a field, and therefore the polynomial f(x) has to be irreducible. Since α is a root of f(x) in R and generates R*, it also follows that f(x) is primitive.

The divisors of 63 are 1, 3, 7, 9, 21 and 63, and every proper divisor divides 9 or 21. So it is enough to show that α^9 ≠ 1 and α^21 ≠ 1, but α^63 = 1. We have α^6 = α + 1, so α^9 = α^3 α^6 = α^4 + α^3 ≢ 1 (mod f(x)), since f(x) does not divide x^4 + x^3 + 1 in F2[x]. Let us now compute α^63. Since squaring is additive in characteristic 2, we have

α^8 = α^2 α^6 = α^3 + α^2,
α^16 = (α^3 + α^2)^2 = α^6 + α^4 = α^4 + α + 1,
α^32 = (α^4 + α + 1)^2 = α^8 + α^2 + 1 = α^3 + α^2 + α^2 + 1 = α^3 + 1, and
α^64 = (α^3 + 1)^2 = α^6 + 1 = α.

Since α is a unit in R, α^63 = 1. Finally,

α^22 = α^16 α^6 = (α^4 + α + 1)(α + 1) = α^5 + α^2 + α + α^4 + α + 1 = α^5 + α^4 + α^2 + 1 ≠ α,

since x^6 + x + 1 does not divide x^5 + x^4 + x^2 + x + 1. So α^21 ≠ 1.

E9) From the antilog Table 4a, we see that log α1 = 14, log α2 = 13 and log α3 = 7. Logarithms are taken modulo 15, the order of the multiplicative group.
a) We have

log(α1 α3^{−3}) = log α1 − 3 log α3 = 14 − 21 = −7 ≡ 8 (mod 15).

The antilog of 8 is (1, 1, 1, 0). So α1 α3^{−3} = (1, 1, 1, 0).

b) We have

log(α1 α2^{−1} α3^2) = log α1 − log α2 + 2 log α3 = 14 − 13 + 14 = 15 ≡ 0 (mod 15).

So α1 α2^{−1} α3^2 = 1.


E10) Here n = 4, q = 3 and k = ⌊n/2⌋ = 2, so we compute gcd(x^{3^k} − x, x^4 + 1) in Z3[x] for k = 1, 2.
k = 1: We have x^4 + 1 = (x^3 − x)x + (x^2 + 1) in Z3[x]. Also x^3 − x = (x^2 + 1)x + x (since −2x = x in Z3), and x^2 + 1 = x · x + 1. So gcd(x^4 + 1, x^3 − x) = 1.
k = 2: We have x^9 − x = (x^5 − x)(x^4 + 1). So (x^9 − x, x^4 + 1) = x^4 + 1 ≠ 1, and x^4 + 1 is not irreducible.
Note that, since (x^4 + 1, x^3 − x) = 1, x^4 + 1 doesn't have any linear factors. Since it divides x^9 − x, which is the product of all monic irreducible polynomials over Z3 of degree 1 or 2, it must split into two irreducible polynomials of degree 2; indeed x^4 + 1 = (x^2 + x + 2)(x^2 + 2x + 2) in Z3[x].
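The checks carried out by hand in E7, E8 and E10 (no zeros for a cubic, the order of α in F2[x]/(x^6 + x + 1), and the gcd(x^{q^k} − x, f) test) can all be run mechanically once one has polynomial arithmetic over Z_p. The following is an added example, not part of the course text: it represents a polynomial as a coefficient list (lowest degree first), assumes p prime, and uses pow(c, -1, p) for inverses (Python 3.8 or later). The irreducibility test is the one applied in E10; the primitivity check is E8's argument applied to every divisor of p^n − 1.

```python
from itertools import product

# Added example (not from the course text).  Polynomials over Z_p are coefficient
# lists, lowest degree first: [1, 1, 0, 0, 0, 0, 1] is 1 + x + x^6.  p is assumed
# prime, so every nonzero coefficient is a unit (pow(c, -1, p) needs Python >= 3.8).

def trim(f):
    """Drop leading zero coefficients; the zero polynomial is []."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f

def deg(f):
    return len(trim(f)) - 1                  # deg 0 = -1 by convention

def add(f, g, p):
    n = max(len(f), len(g))
    f, g = list(f) + [0] * (n - len(f)), list(g) + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])

def mul(f, g, p):
    f, g = trim(f), trim(g)
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def divmod_poly(f, g, p):
    """Long division in Z_p[x]: returns (q, r) with f = q*g + r and deg r < deg g."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)
    q, r = [0] * max(len(f) - len(g) + 1, 1), f
    while len(r) >= len(g):
        c, k = (r[-1] * inv_lead) % p, len(r) - len(g)
        q[k] = c
        for i, b in enumerate(g):
            r[i + k] = (r[i + k] - c * b) % p
        r = trim(r)
    return trim(q), r

def gcd_poly(f, g, p):
    """Monic gcd by the Euclidean algorithm for polynomials (Unit 1)."""
    f, g = trim(f), trim(g)
    while g:
        f, g = g, divmod_poly(f, g, p)[1]
    if not f:
        return []
    inv_lead = pow(f[-1], -1, p)
    return [(c * inv_lead) % p for c in f]

def powmod_poly(base, e, mod, p):
    """base^e reduced modulo the polynomial `mod`, by repeated squaring."""
    result, base = [1], divmod_poly(base, mod, p)[1]
    while e:
        if e & 1:
            result = divmod_poly(mul(result, base, p), mod, p)[1]
        base = divmod_poly(mul(base, base, p), mod, p)[1]
        e >>= 1
    return result

def is_irreducible(f, p):
    """The test applied in E10: f of degree n >= 1 is irreducible over Z_p iff
    gcd(x^(p^k) - x, f) = 1 for k = 1, ..., floor(n/2), since x^(p^k) - x is the
    product of all monic irreducible polynomials whose degree divides k."""
    n = deg(f)
    if n < 1:
        return False
    for k in range(1, n // 2 + 1):
        h = add(powmod_poly([0, 1], p ** k, f, p), [0, p - 1], p)   # x^(p^k) - x mod f
        if deg(gcd_poly(h, f, p)) > 0:
            return False
    return True

def order_of_x(f, p):
    """Order of alpha = x + (f) in Z_p[x]/(f) when f(0) != 0, so that x is a unit.
    The order divides p^n - 1, so only its divisors are tried (E8 tried 9, 21, 63)."""
    q = p ** deg(f) - 1
    for d in range(1, q + 1):
        if q % d == 0 and powmod_poly([0, 1], d, f, p) == [1]:
            return d
    raise ValueError("x is not a unit modulo f")

def is_primitive(f, p):
    """f is primitive iff it is irreducible and x generates the group of units."""
    return is_irreducible(f, p) and order_of_x(f, p) == p ** deg(f) - 1

def irreducible_monic(n, p):
    """All monic irreducible polynomials of degree n over Z_p (E7)."""
    return [list(c) + [1] for c in product(range(p), repeat=n)
            if is_irreducible(list(c) + [1], p)]
```

For x^6 + x + 1 over F2 the functions reproduce E8 (α^9 = α^4 + α^3, α^22 = α^5 + α^4 + α^2 + 1, α^64 = α, order 63), and for x^4 + 1 over Z3 they reproduce E10: the k = 1 gcd is 1 while the k = 2 gcd is x^4 + 1 itself. The brute-force order search is fine for the field sizes in this unit; for cryptographic sizes one factors p^n − 1 and tests only the maximal proper divisors, exactly as E8 does with 9 and 21.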

UNIT 2 NUMBER THEORETIC ALGORITHMS
Structure Page No.
2.1 Introduction 33
Objectives
2.2 Structure of Zn and Z∗n 33
2.3 Prime Numbers 40
Primality Testing
Probabilistic Algorithms
The Pseudoprime Test
The Miller-Rabin Test
The Agrawal-Kayal-Saxena (AKS) Algorithm
2.4 Primitive Roots 48
2.5 Summary 51
2.6 Solutions/Answers 51

2.1 INTRODUCTION
In this unit, we will recall some basic facts from number theory that are required in
Cryptography later. You may find it useful to go through Unit 6 of MMT-003 to refresh
your knowledge of congruences. In Sec. 2.2 of this unit, we discuss the structure of the
groups Zn and Z∗n . We shall introduce some notation describing the running time of
algorithms and discuss some basic algorithms. In Sec. 2.3, we will discuss some
primality tests. In Sec. 2.4, we will discuss primitive roots.

Objectives
After studying this unit, you should be able to
• describe the structure of Z∗n and Zn ;
• describe the extended-euclidean algorithm for integers;
• apply the repeated squaring algorithm to compute powers of elements in Z∗n ;
• explain the concept of a pseudoprime;
• explain the Rabin-Miller strong pseudoprime test; and
• outline the AKS algorithm for primality testing.

2.2 STRUCTURE OF Zn and Z∗n


In this section, we will recall some basic results on congruences from Unit 6 of MMT-003. Recall that Z is a principal ideal domain (PID). Any ideal in Z is of the form (n) for some integer n, and we can choose n to be non-negative. For each n, we have a canonical ring homomorphism
ψ : Z → Zn given by ψ(a) = a + (n). (1)
We use the notation ā to denote a + (n), the image ψ(a) of a.

If a, b ∈ Z, a is congruent to b modulo n if n | (a − b). We write a ≡ b (mod n) in this case. We have a ≡ b (mod n) if and only if ā = b̄. Thus the map ψ gives us a method of translating an assertion regarding congruences into a result about the ring Zn. We will frequently use this to move back and forth between results regarding congruences and results regarding the ring Zn.
Definition 1: We say that {a1, a2, ..., an}, where ai ∈ Z, is a complete set of residues modulo n if ai ≢ aj (mod n) for i ≠ j.

One natural complete set of residues modulo n is {0, 1, 2, ..., n − 1}. We discussed the extended Euclidean algorithm in Unit 6 of MMT-003 and saw some examples there. We have also discussed the extended Euclidean algorithm for polynomials in Unit 1. The algorithm carries over to integers with appropriate modifications. See Algorithm 1.

Algorithm 1 Extended Euclidean Algorithm for integers.

1: procedure EXTENDED EUCLIDEAN ALGORITHM(m, n)    ▷ Returns d, Q and R such that Qm + Rn = d, where d = (m, n).
2:   Q1 ← 1, R1 ← 0, Q2 ← 0, R2 ← 1, T1 ← m, T2 ← n.
3:   while T2 ≠ 0 do
4:     S ← ⌊T1/T2⌋.    ▷ ⌊x⌋ is the largest integer less than or equal to x.
5:     Q3 ← Q1 − SQ2, R3 ← R1 − SR2.
6:     T3 ← T1 − ST2.
7:     Q1 ← Q2, R1 ← R2, T1 ← T2.
8:     Q2 ← Q3, R2 ← R3, T2 ← T3.
9:   end while
10:  return T1, Q1 and R1.
11: end procedure

Let us now redo Example 1 in Unit 6 of MMT-003 using Algorithm 1.

Example 1: Let us find (141, 93) and the values d, Q and R using Algorithm 1. Since we have already seen a similar example for polynomials in Unit 1, we will just sketch the steps.

Initial values: Q1 ← 1, Q2 ← 0, R1 ← 0, R2 ← 1, T1 ← 141, T2 ← 93.

Iteration 1 (S = ⌊141/93⌋ = 1). Values at the end of the first iteration:

T1 = 93    Q1 = 0     R1 = 1
T2 = 48    Q2 = 1     R2 = −1

Iteration 2 (S = ⌊93/48⌋ = 1). Values at the end of the second iteration:

T1 = 48    Q1 = 1     R1 = −1
T2 = 45    Q2 = −1    R2 = 2

Iteration 3 (S = ⌊48/45⌋ = 1). Values at the end of the third iteration:

T1 = 45    Q1 = −1    R1 = 2
T2 = 3     Q2 = 2     R2 = −3

Iteration 4 (S = ⌊45/3⌋ = 15). Values at the end of the fourth iteration:

T1 = 3     Q1 = 2     R1 = −3
T2 = 0     Q2 = −31   R2 = 47

Note that T2 = 0. So there are no more iterations.

Answer: d = 3, Q = 2, R = −3. Indeed, 2 · 141 − 3 · 93 = 282 − 279 = 3.

∗∗∗
Try the following exercise to test your understanding of extended euclidean algorithm
for integers.

E1) Find (72, 32) and the values d, Q and R using extended euclidean algorithm.

One important application of the Euclidean algorithm is the following. Often we have to solve the equation
ax ≡ b (mod n) (2)
where a, b, n ∈ Z. Let us recall how we solve this equation. We have seen that Eqn. (2) has a solution if and only if d = (a, n) divides b. Suppose this is the case. Then we can consider the equation
a'x ≡ b' (mod n') (3)
where a' = a/d, b' = b/d and n' = n/d, with (a', n') = 1. Any solution of Eqn. (3) is also a solution of Eqn. (2), and conversely every solution of Eqn. (2) satisfies Eqn. (3). Using the extended Euclidean algorithm we can find x, y ∈ Z such that a'x + n'y = 1 in polynomial time; then x0 = xb' is a solution of Eqn. (3), and it is unique modulo n'. So we can solve Eqn. (3), and hence Eqn. (2), in polynomial time. Modulo n, Eqn. (2) has exactly d solutions, namely x0 + kn' for k = 0, 1, ..., d − 1. See Example 2 of Unit 6 of MMT-003; in this example we have solved the equation 3x ≡ 5 (mod 7).

Remark 1: Recall that, in particular, if (a, n) = 1, then ā is invertible in Zn, i.e. ā ∈ Zn*, and we can solve the congruence ax ≡ 1 (mod n). Conversely, if ā ∈ Zn*, then (a, n) = 1.
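As an added example (not part of the course text), here is Algorithm 1 written out in Python with the same variable names, and the solver for Eqn. (2) described above: divide through by d = (a, n), invert a' modulo n' with the extended Euclidean algorithm, then lift the single solution modulo n' to the d solutions modulo n. The `trace` argument records the (T1, Q1, R1, T2, Q2, R2) table of Example 1; the function names are my own.

```python
# Added example, not from the course text: Algorithm 1 of Unit 2 in Python, and the
# linear-congruence solver of Eqn. (2)/(3) built on it.

def extended_euclid(m, n, trace=None):
    """Return (d, Q, R) with Q*m + R*n = d = (m, n), following Algorithm 1 line by line.
    If `trace` is a list, (T1, Q1, R1, T2, Q2, R2) at the end of each iteration is
    appended to it, which is exactly the table printed in Example 1."""
    Q1, R1, Q2, R2, T1, T2 = 1, 0, 0, 1, m, n
    while T2 != 0:
        S = T1 // T2                          # floor(T1/T2), line 4
        Q3, R3 = Q1 - S * Q2, R1 - S * R2     # line 5
        T3 = T1 - S * T2                      # line 6: the remainder of T1 by T2
        Q1, R1, T1 = Q2, R2, T2               # line 7
        Q2, R2, T2 = Q3, R3, T3               # line 8
        if trace is not None:
            trace.append((T1, Q1, R1, T2, Q2, R2))
    return T1, Q1, R1

def solve_linear_congruence(a, b, n):
    """All x in {0, ..., n-1} with a*x = b (mod n), or [] when there is none.
    Eqn. (2) is solvable iff d = (a, n) divides b.  Dividing through by d gives
    Eqn. (3) with (a', n') = 1; a' is inverted mod n' with extended_euclid, and the
    unique solution mod n' lifts to the d solutions x0, x0 + n', ..., x0 + (d-1)n'."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    a, b = a % n, b % n
    d, q, _ = extended_euclid(a, n)           # q*a + r*n = d
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d       # q*a1 + r*n1 = 1, so q = a1^-1 mod n1
    x0 = (q * b1) % n1
    return [x0 + k * n1 for k in range(d)]

def mod_inverse(a, n):
    """Remark 1: the inverse of a mod n exists iff (a, n) = 1; returns None otherwise."""
    sols = solve_linear_congruence(a, 1, n)
    return sols[0] if sols else None
```

Note that `extended_euclid(a, n)` with a = 0 returns d = n, so the edge cases 0·x ≡ b (mod n) (all n residues when n | b, none otherwise) fall out of the same code path without special handling.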

Another important result we want to recall is the Chinese Remainder Theorem:

Theorem 1 (Chinese Remainder Theorem): If n1, n2, ..., nk are pairwise relatively prime integers (i.e. (ni, nj) = 1 if i ≠ j) and a1, a2, ..., ak are any integers, there is a solution x0 to the following simultaneous congruences:

x ≡ a1 (mod n1)
x ≡ a2 (mod n2)
  ...                                  (4)
x ≡ ak (mod nk)

If x0 and x0' are two solutions, then x0 ≡ x0' (mod N), where N = n1 n2 ··· nk.

See Example 4 of Unit 6 of MMT-003, in which we have solved the simultaneous congruences x ≡ 1 (mod 3), x ≡ 3 (mod 5) and x ≡ 6 (mod 7).
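The constructive proof of Theorem 1 (and the ring isomorphism of Proposition 1 that follows from it) as an added example, not part of the course text: for each modulus ni, the number ei = (N/ni) · ((N/ni)^{−1} mod ni) is 1 modulo ni and 0 modulo every other nj, so x = Σ ai ei solves the system. The code assumes Python 3.8 or later for the built-in modular inverse pow(M, -1, n); the brute-force check of the isomorphism is my own and is only meant for small moduli.

```python
from math import gcd, prod

# Added example, not from the course text: the Chinese Remainder Theorem (Theorem 1)
# and a brute-force check of the ring isomorphism g of Proposition 1.

def coprime_moduli(moduli):
    """True iff the moduli are pairwise relatively prime, as Theorem 1 requires."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))

def crt(residues, moduli):
    """The unique x in [0, N), N = n_1 ... n_k, with x = a_i (mod n_i) for all i."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need one residue per modulus")
    if not coprime_moduli(moduli):
        raise ValueError("moduli must be pairwise coprime")
    N = prod(moduli)
    x = 0
    for a, n in zip(residues, moduli):
        M = N // n                       # M = 0 (mod n_j) for every j != i
        e = M * pow(M, -1, n)            # e = 1 (mod n) and e = 0 (mod n_j) for j != i
        x = (x + a * e) % N
    return x

def residue_vector(m, moduli):
    """The map g of Proposition 1: m -> (m mod n_1, ..., m mod n_k)."""
    return tuple(m % n for n in moduli)

def check_isomorphism(moduli):
    """Brute force: g is a bijection Z_N -> Z_{n_1} x ... x Z_{n_k}, crt inverts it,
    and g respects the ring operations componentwise (small N only)."""
    N = prod(moduli)
    images = {residue_vector(m, moduli) for m in range(N)}
    bijective = len(images) == N
    inverts = all(crt(residue_vector(m, moduli), moduli) == m for m in range(N))
    homomorphic = all(
        residue_vector((a * b + a) % N, moduli)
        == tuple((x * y + x) % n for x, y, n in zip(residue_vector(a, moduli),
                                                     residue_vector(b, moduli), moduli))
        for a in range(N) for b in range(N))
    return bijective and inverts and homomorphic
```

With residues (1, 3, 6) and moduli (3, 5, 7) the function returns 13, the solution of the system from Example 4 of Unit 6 of MMT-003.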

The following result is a consequence of Theorem 1.

Proposition 1: Let n = p1^{α1} p2^{α2} ··· pk^{αk}. The map

g : Zn → Z_{p1^{α1}} × Z_{p2^{α2}} × ··· × Z_{pk^{αk}},   m̄ ↦ (φ1(m), φ2(m), ..., φk(m))

is an isomorphism of rings, where φi : Zn → Z_{pi^{αi}} are the canonical ring homomorphisms. Also, g induces an isomorphism

g : Zn* → Z*_{p1^{α1}} × Z*_{p2^{α2}} × ··· × Z*_{pk^{αk}},   m̄ ↦ (φ1(m), φ2(m), ..., φk(m)).

Because of Proposition 1, to understand the structure of Zn and Zn*, it is enough to understand the structure of Z_{p^k} and Z*_{p^k}. The additive structure of Z_{p^k} is simple: it is a cyclic group of order p^k. The structure of Z*_{p^k} is a lot more complicated. Let Cn denote a cyclic group of order n. The important result regarding the structure of Z*_{p^k} is the following:

Proposition 2: a) Let p be an odd prime and k ≥ 1. Then Z*_{p^k} is a cyclic group.
b) If k ≤ 2, Z*_{2^k} ≅ C_{2^{k−1}}. If k ≥ 3, Z*_{2^k} is a product of two cyclic groups, Z*_{2^k} ≅ C2 × C_{2^{k−2}}.

We now introduce some terms on time estimates that we will use later in the course.

Definition 2 (The big oh notation): Let x, a be real numbers and g a real valued function. If g(x) > 0 for all x ≥ a, then for a real valued function f(x) we write

f(x) = O(g(x)) or f = O(g)

(read as "f is big oh of g") to mean that the quotient f(x)/g(x) is bounded for x ≥ a; that is, there exists a constant M > 0 such that

|f(x)| ≤ M g(x) for all x ≥ a.

We write f(x) = Ω(g(x)) if, for every constant c > 0, |f(x)| ≥ c g(x) for infinitely many values of x. Note that this statement is essentially the negation of the statement f(x) = O(g(x)).

We write f(x) = Θ(g(x)) if there are positive constants c and d such that d g(x) ≤ f(x) ≤ c g(x) for all x ≥ a.

There are analogous notations for functions f and g that are defined on N. We leave it to you as an exercise to formulate these statements.

E2) Formulate the analogous big oh notation for functions defined on N.

Let n be a large positive integer, perhaps the input for our algorithm; let γ be a real number between 0 and 1; and let c > 0 be a constant.

Definition 3: Let

L_n(γ; c) = O(exp(c (log n)^γ (log log n)^{1−γ})).

In particular,

L_n(1; c) = O(exp(c log n)) = O(n^c)

and

L_n(0; c) = O(exp(c log log n)) = O((log n)^c).

An L(γ)-algorithm is an algorithm that, when applied to the integer n, has a running time estimate of the form L_n(γ; c) for some c.

In particular, a polynomial time algorithm is an L(0)-algorithm, and an exponential time algorithm is an L(1)-algorithm. By a sub-exponential time algorithm we mean an L(γ)-algorithm for some γ < 1.

2.2.1 Modular Exponentiation by the Repeated Squaring Method

In this section we look at an efficient method of calculating b^m mod n (that is, finding the least non-negative residue) when both m and n are very large. If m and n were small, we could easily compute this by first multiplying b by itself m times and then reducing modulo n. However, for large m and n this method is not feasible: the numbers involved would be too large, and m − 1 multiplications is exponential in the number of digits of m. So let us look at a quicker way of carrying out this computation.

We assume that b < n. In this algorithm, instead of first multiplying b repeatedly by itself and then taking the least non-negative residue mod n, we immediately reduce mod n after each multiplication; that is, at each step we replace the product by its least non-negative residue. In that way we never encounter any integer greater than n^2. The algorithm is called "the repeated squaring method" because the computation involves successive squaring.

Suppose the exponent m is a power of 2, say m = 2^k. In this case, we can exponentiate by successive squaring:

b^m = b^{2^k} = ((((. . . (b^2)^2)^2 . . .)^2)^2)^2    (k squarings).

In this way we compute b^m by k squarings. For example, b^16 = (((b^2)^2)^2)^2. In order to compute b^m mod n, we reduce mod n after each squaring.

If the exponent is not a power of 2, then we use its binary expansion, i.e. its expansion in base 2. The algorithm to calculate b^m mod n is:

1. Let a denote the partial product.

2. We write m in base 2. Let m0, m1, ..., m_{k−1} denote the binary digits of m, that is, m = m0 + 2m1 + 4m2 + ... + 2^{k−1}m_{k−1}. Each mi is 0 or 1.

3. If m0 = 1, we set a = b; otherwise we set a = 1.

4. We square b and set b1 = b^2 mod n.

5. If m1 = 1, we multiply a by b1 and reduce mod n; otherwise we leave a unchanged.

6. We square b1 and set b2 = b1^2 mod n. If m2 = 1, we multiply a by b2 and reduce mod n; otherwise we leave a unchanged. We continue in this way.

7. In the j-th step we will have computed bj ≡ b^{2^j} mod n. If mj = 1, i.e. if 2^j occurs in the binary expansion of m, then we include bj in the product a (if 2^j is absent from m, we don't).

8. After the (k − 1)-th step we have a ≡ b^m mod n.

In practice, we do not calculate the binary expansion separately. In Algorithm 2, at the beginning of the i-th iteration (i = 1, 2, ..., k) the variable m holds the value

m_{k−1} 2^{k−i} + m_{k−2} 2^{k−i−1} + ··· + m_i 2 + m_{i−1}.

We check whether m is odd; m is odd precisely when m_{i−1} = 1. If m is odd, we carry out step 5 of Algorithm 2; otherwise we don't. We then replace m by ⌊m/2⌋. Note that if

m = m_{k−1} 2^{k−i} + m_{k−2} 2^{k−i−1} + ··· + m_i 2 + m_{i−1},

then

⌊m/2⌋ = m_{k−1} 2^{k−i−1} + m_{k−2} 2^{k−i−2} + ··· + m_{i+1} 2 + m_i,

so that the next iteration starts with the correct value of m. Further, we replace b by b^2 mod n, so that at the beginning of the i-th iteration b holds b^{2^{i−1}} mod n.

See the pseudocode version in Algorithm 2.


Algorithm 2 Repeated Squaring Algorithm for integers.

1: procedure REPEATED SQUARING ALGORITHM(b, m, n)    ▷ Returns b^m (mod n).
2:   P ← 1.
3:   while m ≠ 0 do
4:     if m is odd then
5:       P ← P · b (mod n)
6:     end if
7:     m ← ⌊m/2⌋.    ▷ ⌊x⌋ is the largest integer less than or equal to x.
8:     b ← b · b (mod n).
9:   end while
10:  return P.
11: end procedure

Remark 2: The repeated squaring algorithm is a polynomial time algorithm. It computes b^m (mod n) using O((log m)(log n)^2) bit operations. This is because there are O(log m) multiplications (one squaring, and possibly one further multiplication, per binary digit of m) and multiplying two elements of Zn takes O((log n)^2) bit operations. Note that the algorithm can be used for computing powers in any group G. We simply replace multiplication mod n by the corresponding group operation. In this case, the number of operations required is O(t log m), where t is the time taken to multiply in the group G.

Let us look at an example to understand this algorithm.

Example 2: Let us find 13^79 (mod 97). We have 79 = 2^6 + 2^3 + 2^2 + 2 + 1, so m6 = 1, m5 = 0, m4 = 0, m3 = 1, m2 = 1, m1 = 1 and m0 = 1.

Iteration 1

We have m = 79. We replace

1. P by P · b = 13, since m is odd.

2. m = 79 by ⌊79/2⌋ = 39.

3. b by b^2 = 169 ≡ 72 (mod 97).

So the values at the end of iteration 1 are

P = 13, b = 72, m = 39.

Iteration 2

We have m = 39. We replace

1. P by P · b = 13 · 72 ≡ 63 (mod 97), since m is odd.

2. m = 39 by ⌊39/2⌋ = 19.

3. b by b^2 = 72^2 ≡ 43 (mod 97).

So the values at the end of iteration 2 are

P = 63, b = 43, m = 19.

Iteration 3

We have m = 19. We replace

1. P by P · b = 63 · 43 ≡ 90 (mod 97), since m is odd.

2. m = 19 by ⌊19/2⌋ = 9.

3. b by b^2 = 43^2 ≡ 6 (mod 97).

So the values at the end of iteration 3 are

P = 90, b = 6, m = 9.

Iteration 4

We have m = 9. We replace

1. P by P · b = 90 · 6 ≡ 55 (mod 97), since m is odd.

2. m = 9 by ⌊9/2⌋ = 4.

3. b by b^2 = 6^2 ≡ 36 (mod 97).

So the values at the end of iteration 4 are

P = 55, b = 36, m = 4.

Iteration 5

We have m = 4. We do not change P, since m is even. We replace

1. m = 4 by ⌊4/2⌋ = 2.

2. b by b^2 = 36^2 ≡ 35 (mod 97).

So the values at the end of iteration 5 are

P = 55, b = 35, m = 2.

Iteration 6

We have m = 2. We do not change P, since m is even. We replace

1. m = 2 by ⌊2/2⌋ = 1.

2. b by b^2 = 35^2 ≡ 61 (mod 97).

So the values at the end of iteration 6 are

P = 55, b = 61, m = 1.

Iteration 7

We have m = 1. We replace

1. P by P · b = 55 · 61 ≡ 57 (mod 97), since m is odd.

2. m = 1 by ⌊1/2⌋ = 0.

3. b by b^2 = 61^2 ≡ 35 (mod 97).

So the values at the end of iteration 7 are

P = 57, b = 35, m = 0.

Since m = 0, there are no more iterations, and 13^79 ≡ 57 (mod 97).

∗∗∗

Try the following exercise to check your understanding of Algorithm 2.

E3) Find 517 (mod 71) using repeated squaring algorithm.
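Algorithm 2 and Example 2, as an added example that is not part of the course text. The `trace` list collects the (P, b, m) triples that Example 2 tabulates at the end of each iteration. The second function is the same loop for an arbitrary group, as Remark 2 describes, and is exercised on 2 × 2 integer matrices mod n to compute Fibonacci numbers: an instance where the exponent (e.g. 10^18) is far beyond what repeated multiplication could reach. Function names and the matrix example are my own.

```python
# Added example, not from the course text: Algorithm 2 in Python, plus the same
# loop for an arbitrary group as in Remark 2, exercised on 2x2 matrices.

def repeated_squaring(b, m, n, trace=None):
    """b^m mod n by Algorithm 2.  If `trace` is a list, the values (P, b, m) at the
    end of every iteration are appended; Example 2 tabulates exactly these."""
    if m < 0 or n <= 0:
        raise ValueError("need m >= 0 and n > 0")
    P, b = 1, b % n                  # the text assumes b < n; reduce to make it so
    while m != 0:
        if m % 2 == 1:               # the lowest binary digit of the current m is 1
            P = P * b % n            # line 5
        m //= 2                      # line 7: shift the binary expansion right
        b = b * b % n                # line 8: b now holds b^(2^i) mod n
        if trace is not None:
            trace.append((P, b, m))
    return P % n                     # the final reduction only matters for n = 1

def group_power(x, m, mul, identity):
    """Same algorithm in any group (Remark 2): `mul` is the group operation and
    `identity` its neutral element.  Uses O(log m) calls of mul."""
    if m < 0:
        raise ValueError("negative exponents would need inverses")
    P = identity
    while m != 0:
        if m % 2 == 1:
            P = mul(P, x)
        m //= 2
        x = mul(x, x)
    return P

def mat2_mul_mod(A, B, n):
    """2x2 matrices as tuples (a, b, c, d) = [[a, b], [c, d]], entries reduced mod n."""
    a, b, c, d = A
    e, f, g, h = B
    return ((a * e + b * g) % n, (a * f + b * h) % n,
            (c * e + d * g) % n, (c * f + d * h) % n)

def fibonacci_mod(k, n):
    """F_k mod n from [[1,1],[1,0]]^k = [[F_{k+1}, F_k], [F_k, F_{k-1}]]: a group_power
    instance that k-fold multiplication could never reach for k around 10^18."""
    M = group_power((1, 1, 1, 0), k, lambda A, B: mat2_mul_mod(A, B, n), (1, 0, 0, 1))
    return M[1]
```

`repeated_squaring(13, 79, 97, trace)` returns 57 and fills `trace` with the seven rows of Example 2; Python's built-in `pow(b, m, n)` implements the same idea and is what one would use in practice. One caveat for cryptographic use: the branch on `m % 2` makes the running time, and hence the timing observable to an attacker, depend on the bits of the exponent, which is why constant-time implementations of RSA and Diffie-Hellman use a different exponent-scanning strategy.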

Recall from Unit 6 of MMT-003 that the order of Zn* is φ(n), where φ is Euler's φ-function.

Definition 4: Let a ∈ Zn*. The order of a, denoted on(a), is the least positive integer t such that a^t ≡ 1 (mod n).

Example 3: The multiplicative group of residues mod 12 is

(Z/12Z)* = {1 + 12Z, 5 + 12Z, 7 + 12Z, 11 + 12Z}, and its order is φ(12) = 4.

∗∗∗

Example 4: The multiplicative group of residues mod 21 is

Z21* = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}.

Note that φ(21) = φ(3)φ(7) = 2 · 6 = 12, which is the order of the group Z21*. The orders of the elements in Z21* are listed in Table 1.

∗∗∗
Table 1: Orders of elements in Z21*

a ∈ Z21*   1  2  4  5  8  10  11  13  16  17  19  20
ord(a)     1  6  3  6  2   6   6   2   3   6   6   2

Try the following exercise to check your understanding of Example 4.

E4) Determine the order of all the elements in (Z/15Z)∗ .

In the next section, we will discuss some important results about prime numbers that
we will need in the later units of this course.

2.3 PRIME NUMBERS

In this section we will discuss some facts about prime numbers and primality testing in
particular. Our discussion is based on [7]. We begin this section by stating some
important results about prime numbers.

Some facts about prime numbers:

1. An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.

2. Any integer a > 1 can be factored in a unique way as a = p1^{α1} p2^{α2} ··· pt^{αt}, where p1 < p2 < ··· < pt are prime numbers and each αi is a positive integer.

3. The Prime Number Theorem. Let x be a positive real number. Consider the function π(x), which counts the number of primes ≤ x. Thus,

π(x) = #{p ≤ x : p a prime}.

Then the following holds:

lim_{x→∞} π(x) log x / x = 1,

where log x is the natural logarithm of x. Also, if ϑ(x) = Σ_{p prime, p ≤ x} log p, then

ϑ(x) = Θ(x). (5)

The prime number theorem tells us that the number of primes not exceeding x is approximately x/log x.

E5) Determine π(100). Compare your result with the estimate obtained by applying the prime number theorem.

2.3.1 Primality Testing

There are many situations where one wants to know if a large number n is prime. For
example, in the RSA public key cryptosystem and in various cryptosystems based on
the discrete log problem in finite fields, we need to find a large “random” prime. We can
do this by choosing a large odd integer n0 and then test n0 , n0 + 2, . . . for primality until
we obtain the first prime which is ≥ n0 . A second type of use of primality testing is to
determine whether an integer of a certain very special type is a prime. For example, for
some large prime p we might want to know whether 2p − 1 is a Mersenne prime.

A primality test is a criterion for a number n not to be prime. If n “passes” a primality


test, then it may be prime. If it passes a whole lot of primality tests, then it is very likely
to be prime. On the other hand, if n fails any single primality test, then it is definitely
composite.

Most of the algorithms that are used in primality testing are probabilistic algorithms.
So, we begin by discussing probabilistic algorithms.

2.3.2 Probabilistic Algorithms

Many problems that we want to solve can be posed as a decision problem which has
YES or NO as its answer. For example, we can formulate the problem of checking
whether a given natural number n is a prime as a decision problem. An algorithm that
solves this decision problem, returns the value YES if n is a prime and the value NO if
n is not a prime.

Definition 5: A probabilistic algorithm is an algorithm that uses random numbers. A


probabilistic algorithm for a decision problem is called a yes-biased Monte Carlo
algorithm if the answer YES is always correct, but a NO answer may be incorrect. We
say that the algorithm has error probability ε if the probability that the algorithm will
answer NO when the answer is actually YES is ε. We can similarly define a no-biased Monte Carlo algorithm and its error probability.

A Las Vegas algorithm is a probabilistic algorithm for which the answer is always correct, provided it terminates. There is a small probability that a Las Vegas algorithm may not terminate.

We can define computation complexity for probabilistic algorithms also. Here the
running time is the expected time in which the algorithm will terminate rather than the
exact time. We call a probabilistic algorithm as an expected polynomial algorithm or
simply polynomial time algorithm if the expected running time of the algorithm is a
polynomial function of the size of the input.

Note that, a probabilistic algorithm, as we have defined it, is really not an algorithm in
the usual sense. This is because we can get different outputs for the same input if the
random numbers chosen are different in the two instances. But, if we make the output
of a certain number of ‘coin tosses’, i.e a random string of zeros and ones, also as a part
of the input, then it becomes a deterministic algorithm. However, we will not be very
formal in our treatment of probabilistic algorithms. You may refer to Chapter 9 of the
book [11] for a more formal treatment of probabilistic algorithms. This is also a good
reference for the first two units of this block.

It is often necessary, in cryptography, to generate large (e.g. 80 digit) "random primes". In practice, the way this is done is to generate large random numbers and then test them for compositeness using a polynomial-time, yes-biased Monte Carlo algorithm. These algorithms are fast, but with probability at most 1/2 (for a single run) the algorithm may answer 'NO' and claim that the number is a prime when it is not. However, by running the algorithm enough times with independent random choices, the error probability can be reduced below any desired threshold.

We now discuss two probabilistic primality tests.

2.3.3 The Pseudoprime Test

Let n be a large odd integer, and suppose that you want to determine whether or not n is prime. The simplest primality test is "trial division". We know that if n is composite, it has a prime factor ≤ √n. So we check whether n has a divisor d with 1 < d ≤ √n. If it doesn't have one, we know for sure that n is prime. Of course, this is an extremely time-consuming way to test whether or not n is prime: the number of trial divisions grows like √n, which is exponential in the number of digits of n. There are other tests which are much quicker.

Most of the efficient primality tests that are known are similar in general form to the
following one.

According to Fermat's Little Theorem, we know that if n is a prime, then for any b such that gcd(b, n) = 1 one has

b^{n−1} ≡ 1 (mod n). (6)

If n is not prime, it is still possible (but probably not very likely) that the relation Eqn. (6) holds.

Definition 6: If n is an odd composite number and b is an integer such that gcd(b, n) = 1 and Eqn. (6) holds, then n is called a pseudoprime to the base b.

In other words, a "pseudoprime" is a number n that "pretends" to be prime by satisfying Eqn. (6) although it is not a prime.

Example 5: The number n = 91 = 7 · 13 is a pseudoprime to the base b = 3, because 3^90 ≡ 1 (mod 91). However, 91 is not a pseudoprime to the base 2, because 2^90 ≡ 64 (mod 91). If we had not already known that 91 is composite, the fact that 2^90 ≢ 1 (mod 91) would tell us that it is.

∗∗∗
Proposition 3: Let n be an odd composite integer.

1. n is a pseudoprime to the base b, where gcd(b, n) = 1, if and only if the order of b in (Z/nZ)* (that is, the least positive power of b which is ≡ 1 mod n) divides n − 1.

2. If n is a pseudoprime to the bases b1 and b2 (where gcd(b1, n) = gcd(b2, n) = 1), then n is a pseudoprime to the base b1b2 and also to the base b1b2^{−1} (where b2^{−1} is an integer which is inverse to b2 modulo n).

3. If n fails the test Eqn. (6) for a single base b ∈ (Z/nZ)*, then n fails Eqn. (6) for at least half of the possible bases b ∈ (Z/nZ)*.

Proof: 1. Recall that if the order of an element a of a group G is m, then a^N = 1 if and only if m divides N. Apply this with a = b and N = n − 1.

2. We have

(b1b2)^{n−1} ≡ b1^{n−1} b2^{n−1} ≡ 1 (mod n)

if b1^{n−1} ≡ 1 (mod n) and b2^{n−1} ≡ 1 (mod n). The proof for the base b1b2^{−1} is similar, since (b2^{−1})^{n−1} ≡ (b2^{n−1})^{−1} ≡ 1 (mod n). Note that this says that the set {b ∈ (Z/nZ)* | b^{n−1} ≡ 1 (mod n)} is closed under products and inverses, i.e. the set of all bases for which n is a pseudoprime is a subgroup of (Z/nZ)*.

3. Let {b1, b2, ..., bs} be the set of all bases for which n is a pseudoprime, i.e. the set of all integers 1 ≤ bi < n with gcd(bi, n) = 1 for which the congruence Eqn. (6) holds. Let b be a fixed base for which n is not a pseudoprime. If n were a pseudoprime for any of the bases bbi, then by part 2 of the proposition it would be a pseudoprime for the base b ≡ (bbi)bi^{−1} (mod n), which is not the case. Since b is a unit modulo n, the s residues bb1, bb2, ..., bbs are distinct, and n fails the test Eqn. (6) for each of them. Hence there are at least as many bases in (Z/nZ)* for which n fails to be a pseudoprime as there are bases for which Eqn. (6) holds. This completes the proof.

It follows from Proposition 3 that unless n happens to pass the test Eqn. (6) for all
possible b with gcd(b, n) = 1, we have at least a 50% chance that n will fail Eqn. (6) for
a randomly chosen b. That is, suppose we want to know if a large odd integer n is
prime. We can do so in the following steps:

1. Choose a random integer b in the range 0 < b < n. (It is beyond the scope of this
unit to describe how to “randomly” choose an integer.)

2. Find d = gcd(b, n) using the Euclidean algorithm.

3. If d > 1, we know that n is not prime since we have found a nontrivial factor d of
n.

4. If d = 1, then we raise b to the (n − 1)-th power using the repeated squaring


method of exponentiation.

5. If Eqn. (6) fails, we know that n is composite.

6. If Eqn. (6) holds, perhaps n is prime. We then try another b and go through the same process.
Algorithm 3 Pseudoprime Test.

1: procedure PSEUDOPRIME TEST(n)    ▷ Returns YES if the number is composite, NO otherwise.
2:   Choose a random b, 0 < b < n.
3:   if (b, n) > 1 then
4:     return YES.
5:   else
6:     if b^{n−1} ≢ 1 (mod n) then
7:       return YES.
8:     else
9:       return NO.
10:    end if
11:  end if
12: end procedure

Based on the above discussion we have the yes-biased Monte Carlo algorithm given in Algorithm 3.

If Algorithm 3 returns YES then we can stop, since this would show that n is composite. Suppose that we run Algorithm 3 k times with k different b's and find that n is a pseudoprime for all of the k bases. By Proposition 3, the chance that n is still composite despite Algorithm 3 answering NO for k different values of b is at most 1 out of 2^k, unless n happens to have the very special property that Eqn. (6) holds for every single b ∈ (Z/nZ)*. If k is large, we can be sure "with a high probability" that n is prime (unless n has the property of being a pseudoprime for all bases). This method of finding prime numbers is called a probabilistic method. It differs from a deterministic method: the word "deterministic" means that the method will either reveal n to be composite or else determine with 100% certainty that n is prime.

Can it ever happen for a composite n that Eqn. (6) holds for every b ∈ (Z/nZ)∗ ? In that
case our probabilistic method fails to reveal the fact that n is composite (unless we are
lucky and hit upon a b with gcd(b, n) > 1). The answer is yes, and such a number is
called a Carmichael number.

Definition 7: A Carmichael number is a composite integer n such that Eqn. (6) holds
for every b ∈ (Z/nZ)∗ .

Some facts about Carmichael numbers.

Let n be an odd composite integer.

1. If n is divisible by a perfect square > 1, then n is not a Carmichael number.

2. If n is square free, then n is a Carmichael number if and only if p − 1 divides n − 1 for every prime p dividing n.

3. There exist infinitely many Carmichael numbers.
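An added example (not part of the course text) that covers the element orders of Definition 4 (Table 1 and E4) and the set of bases to which a composite number is a pseudoprime (Example 5, Proposition 3 and the Carmichael numbers). All functions are brute force and assume n small enough to enumerate Zn*; the function names and the Korselt-criterion implementation of facts 1 and 2 are my own.

```python
from math import gcd

# Added example, not from the course text: the order table of Example 4 / E4, the
# set of bases to which a composite n is a pseudoprime (Proposition 3), and the
# Carmichael test from facts 1 and 2.  Brute force throughout; small n is assumed.

def units(n):
    """Z_n^*: the residues 1 <= a < n coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def order_mod(a, n):
    """o_n(a) of Definition 4.  The order divides phi(n) = |Z_n^*| (Lagrange), so only
    the divisors of phi(n) are tried."""
    if gcd(a, n) != 1:
        raise ValueError("order is defined only for units mod n")
    phi = len(units(n))
    return min(t for t in range(1, phi + 1) if phi % t == 0 and pow(a, t, n) == 1)

def order_table(n):
    """Table 1 (n = 21) and E4 (n = 15): the order of every element of Z_n^*."""
    return {a: order_mod(a, n) for a in units(n)}

def fermat_liars(n):
    """Bases b in Z_n^* for which Eqn. (6) holds; for composite n, the bases to which
    n is a pseudoprime.  Proposition 3 says this is a subgroup of Z_n^*."""
    return [b for b in units(n) if pow(b, n - 1, n) == 1]

def is_subgroup(elements, n):
    """A nonempty subset of a finite group closed under the operation is a subgroup."""
    s = set(elements)
    return bool(s) and all(a * b % n in s for a in s for b in s)

def prime_factors(n):
    """{p: exponent} by trial division."""
    out, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def is_carmichael(n):
    """Facts 1 and 2 (Korselt's criterion): n composite, square-free, and p - 1 | n - 1
    for every prime p dividing n.  Equivalent to: fermat_liars(n) == units(n)."""
    factors = prime_factors(n) if n > 1 else {}
    if len(factors) < 2:                       # prime, prime power, or n <= 1
        return False
    if any(e > 1 for e in factors.values()):   # divisible by a perfect square
        return False
    return all((n - 1) % (p - 1) == 0 for p in factors)
```

For n = 91 the liar subgroup has exactly 36 of the 72 units (the bound of Proposition 3, part 3, is attained), and b is a liar precisely when its order divides 90, as part 1 states. For the Carmichael number 561 = 3 · 11 · 17 every one of the 320 units is a liar, which is why Algorithm 3 can only catch 561 by stumbling on a base with gcd(b, 561) > 1.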

2.3.4 The Miller-Rabin Test

We saw in the preceding section that we may not get very far with the pseudoprime test because of the existence of the Carmichael numbers. We can obtain a better primality test, the Miller-Rabin test, based on the notion of a strong pseudoprime. It is based on the following result proved in Unit 6 of MMT-003:
Proposition 4: Let p be an odd prime and let (a, p) = 1. Suppose p − 1 = t2s with t odd. Number Theoretic
Algorithms
Then, a satisfies at least one of the following conditions:
i) at ≡ 1 (mod p)
i
ii) at2 ≡ −1 (mod p) for some i, 0 ≤ i < s.

Definition 8: Let n be an odd composite number and b ∈ (Z/nZ)∗. Write $n - 1 = 2^s t$
where t is odd. If b and n satisfy the condition that either

$b^t \equiv 1 \pmod n$, (7)

or there exists r, 0 ≤ r < s, such that

$b^{2^r t} \equiv -1 \pmod n$, (8)

then n is called a strong pseudoprime to the base b.

Thus, to test whether a large odd positive integer n is prime or composite, the
Miller-Rabin test goes as follows:

1. Write $n - 1 = 2^s t$, where t is odd.

2. Choose a random integer b, 0 < b < n.

3. Compute $m = b^t \bmod n$. If we get ±1 then we conclude that n is probably a
prime.

4. Otherwise repeatedly square m mod n to get $m^2 = b^{2t} \bmod n$, $m^4 = b^{2^2 t} \bmod n$, . . . and
so on until we get −1, in which case, n is probably a prime. If we don’t get −1
even after reaching $b^{2^{s-1} t}$, n is composite.

We have given the test in the form of an algorithm in Algorithm 4. This is also a
yes-biased Monte Carlo algorithm.

Algorithm 4 Miller-Rabin test.

procedure MILLER-RABIN(n, s)    ▷ Returns YES if the number is composite, NO otherwise. Assume that $n - 1 = a \cdot 2^s$, a odd.
    Choose a random b, 0 < b < n.
    if (b, n) > 1 then
        return YES
    else
        m ← $b^a \bmod n$
        if m ≡ ±1 (mod n) then
            return NO
        else
            for i ← 1, s − 1 do
                m ← $m^2 \bmod n$
                if m ≡ −1 (mod n) then
                    return NO
                end if
            end for    ▷ $b^{a 2^i} \not\equiv -1 \pmod n$ for any i, 0 ≤ i ≤ s − 1.
            return YES
        end if
    end if
end procedure
For any natural number n, if the Miller-Rabin test answers NO for k random choices of
b, then the probability that n is composite is less than $1/4^k$, because of the following
proposition which we shall state without a proof:

Proposition 5: If n is an odd composite integer, then n is a strong pseudoprime to the
base b for at most 25% of all 0 < b < n.

Let us now look at an example to understand Miller-Rabin test.

Example 6: Let us check whether 23297 is composite using the Miller-Rabin algorithm.

We have $23297 - 1 = 91 \cdot 2^8$. Let us choose b = 2. We have $2^{91} \equiv 22102 \not\equiv 1 \pmod{23297}$.
Let us set m = 22102. Then, repeatedly squaring m, we get $m^2 \equiv 6908 \pmod{23297}$,
$m^4 = (m^2)^2 \equiv 8208 \pmod{23297}$, $m^8 = m^{2^3} \equiv 19637 \pmod{23297}$,
$m^{16} = m^{2^4} \equiv 23122 \pmod{23297}$, $m^{32} = m^{2^5} \equiv 7328 \pmod{23297}$,
$m^{64} = m^{2^6} \equiv 23296 \equiv -1 \pmod{23297}$. So, 23297 is probably a prime.

∗∗∗

Remark 3: From [9], we know that there is no number less than $25 \cdot 10^9$ which is a
strong pseudoprime to all the bases 2, 3, 5, 7 and 11. In other words, we know that, if, for
some n, Algorithm 4 returns NO for b = 2, 3, 5, 7, 11, then n is a prime.
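As an added worked example (written for this edit, not code from the unit or its authors), the Python below implements the pseudoprime check of Eqn. (6), one round of Algorithm 4 together with the squaring trace of Example 6, and the five-base test of Remark 3. It serves both the Carmichael-number discussion and the Miller-Rabin test: 341 (the answer to E8) passes the base-2 pseudoprime test but is caught by Algorithm 4, and 561, the smallest Carmichael number (not mentioned in the unit), passes Eqn. (6) for every coprime base yet is still caught. The function names are this example's own.

```python
from math import gcd


def decompose(n_minus_1):
    """Write n - 1 = 2^s * t with t odd and return (t, s)."""
    t, s = n_minus_1, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    return t, s


def fermat_passes(n, b):
    """The pseudoprime test of Eqn. (6): is b^(n-1) ≡ 1 (mod n)?
    Primes always pass; so do pseudoprimes to the base b, and a Carmichael
    number passes for every base coprime to it."""
    return gcd(b, n) == 1 and pow(b, n - 1, n) == 1


def miller_rabin_trace(n, b):
    """One round of Algorithm 4 on an odd n with base b.
    Returns (is_witness, trace): is_witness is True when this round proves n
    composite; trace lists b^t, b^(2t), b^(4t), ... mod n as they were computed."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    if gcd(b, n) > 1:
        return True, []                 # a common factor already shows n composite
    t, s = decompose(n - 1)
    m = pow(b, t, n)
    trace = [m]
    if m == 1 or m == n - 1:
        return False, trace             # b^t ≡ ±1: n is probably prime
    for _ in range(1, s):
        m = m * m % n
        trace.append(m)
        if m == n - 1:
            return False, trace         # reached -1: n is probably prime
    return True, trace                  # never reached -1: n is composite


def is_witness(n, b):
    """True when the base b proves n composite (Algorithm 4 returns YES)."""
    return miller_rabin_trace(n, b)[0]


def is_probable_prime(n, bases=(2, 3, 5, 7, 11)):
    """Repeat Algorithm 4 for several bases.  By Remark 3 the default bases give
    a deterministic answer for every n below 25 * 10^9; for larger n the chance
    of a composite surviving k bases is below 1/4^k by Proposition 5."""
    if n in (2, 3, 5, 7, 11):
        return True
    if n < 2 or n % 2 == 0:
        return False
    return not any(is_witness(n, b) for b in bases)
```

`miller_rabin_trace(23297, 2)` returns the seven residues of Example 6 ending in 23296 ≡ −1, and `is_witness(65, b)` reproduces E10: bases 8 and 18 reach −1 after one squaring, base 14 reaches 1 and then stays there.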

E6) Check whether 606893471 is composite, by using Miller-Rabin test for the bases
2, 3, 5, 7, 11.

E7) Check that 796973399 is composite.

The primality tests described above are probabilistic. If n survives them, then n is
declared to be most probably prime. In the next section, we will discuss the first
deterministic polynomial time algorithm for primality testing.

2.3.5 The Agrawal-Kayal-Saxena (AKS) Algorithm

The Agrawal-Kayal-Saxena (AKS) primality testing algorithm determines in
polynomial time whether an input number n is prime or composite, thus solving a
long-standing problem concerning prime numbers. The AKS algorithm is a
deterministic algorithm, i.e., it does not use random numbers. The other
polynomial-time primality tests are either “probabilistic”, which means that there is a
small probability of the algorithm returning a composite number as prime, or
“conditional”, which means that the algorithm assumes some unproved hypothesis. The
AKS algorithm is also significant in that the run-time and correctness proofs of the
algorithm use elementary algebraic and number theoretic results, the most sophisticated
being a sieve theory result due to E. Fouvry.

It was published in [1]. There are several expository articles on this algorithm available.
See for example [4], [10], [16] and the book [11]. We will not discuss the complete
proof. You can refer to [1] or the other expository articles we mentioned for details.

We have the following characterisation of primes.

Theorem 2: Suppose that n ∈ N, n ≥ 2 and a ∈ Z is coprime to n. Then n is prime if
and only if

$(x + a)^n \equiv x^n + a \pmod n$. (9)


Proof: The proof is as in [1]. For 0 < i < n, the coefficient of $x^i$ in
$(x + a)^n - (x^n + a)$ is $c(n, i)\,a^{n-i}$.

If n is a prime, $c(n, i) \equiv 0 \pmod n$ and hence all the coefficients are zero.

If n is not a prime, i.e. n is composite, let q be a prime factor of n and suppose $q^k \mid n$,
$q^{k+1} \nmid n$. Then $q^k$ does not divide $c(n, q)$ and is coprime to $a^{n-q}$, and hence the coefficient
of $x^q$ is not zero (mod n). Thus, $(x + a)^n - (x^n + a)$ is not identically zero in
$\mathbb{Z}_n[x]$. □

However, this characterisation is not useful for checking if n is a prime. For an input n,
this would involve evaluating n coefficients in the LHS of Eqn. (9), in the worst case,
which can take up to time Ω(n). Therefore, to make it feasible, we evaluate both sides
of Eqn. (9) modulo a polynomial of the form $x^r - 1$; that is, we need to verify whether
the following holds:

$(x + a)^n \equiv x^n + a \pmod{x^r - 1}$ in $\mathbb{F}_p[x]$. (10)

We observe that verifying the congruence Eqn. (10) takes $O(r^2 \log^3 p)$ time by the
repeated squaring method. Moreover, all primes satisfy the congruence Eqn. (10) for all
values of a and r, but some composites may also pass the test.

Thus, for the algorithm to work efficiently, we need to choose r and a suitably. The
algorithm consists of the following steps:

Let n > 1 be the input.

Step 1. Check whether n is a perfect power. This can be done by Newton’s method. If n
is not a perfect power, proceed to the next step.

Step 2. Find a prime $r = O(\log^6 n)$, with the property that r − 1 has a large prime factor
$q > 4\sqrt{r}\,\log n$ and q divides $o_r(n)$, the order of n mod r.

Step 3. With r as obtained in Step 2, check whether the following holds for a = 1 to
$2\sqrt{r}\,\log n$:

$(x + a)^n \equiv x^n + a \pmod{x^r - 1}$ in (Z/nZ)[x]. (11)

The algorithm will declare n to be composite if Eqn. (11) does not hold for some a; n is
declared to be prime if Eqn. (11) holds for all a in the range specified in Step 3.
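To make Steps 1 and 3 concrete, here is an added Python example (written for this edit; it is not the AKS authors' code): an integer perfect-power check for Step 1, the congruence of Eqn. (11) evaluated by repeated squaring on coefficient vectors modulo $(x^r - 1, n)$, and, for comparison, the direct coefficient check of Theorem 2 whose Ω(n) cost the reduction avoids. The search for r in Step 2 is not implemented; `aks_congruence` and `step3` take r (and the bound on a) as parameters, and all function names are this example's own.

```python
from math import comb


def is_perfect_power(n):
    """Step 1: is n = a^b for some integers a > 1, b > 1?
    Integer b-th roots are found by binary search (the unit mentions Newton's
    method; either way no floating point is involved)."""
    if n < 4:
        return False
    b = 2
    while (1 << b) <= n:                      # only exponents with 2^b <= n can work
        lo, hi = 1, 1 << (n.bit_length() // b + 1)
        while lo < hi:                        # least a with a^b >= n
            mid = (lo + hi) // 2
            if mid ** b < n:
                lo = mid + 1
            else:
                hi = mid
        if lo ** b == n:
            return True
        b += 1
    return False


def poly_mulmod(p, q, r, n):
    """Product of two polynomials modulo x^r - 1 and modulo n.
    Coefficient lists are indexed by degree; since x^r ≡ 1, the term
    x^(i+j) lands at index (i + j) mod r."""
    out = [0] * r
    for i, pi in enumerate(p):
        if pi:
            for j, qj in enumerate(q):
                if qj:
                    k = (i + j) % r
                    out[k] = (out[k] + pi * qj) % n
    return out


def poly_powmod(base, e, r, n):
    """base^e modulo (x^r - 1, n) by repeated squaring: O(log e) products."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base = poly_mulmod(base, base, r, n)
        e >>= 1
    return result


def aks_congruence(n, a, r):
    """Eqn. (11): does (x + a)^n ≡ x^n + a hold modulo (x^r - 1) in (Z/nZ)[x]?
    Assumes r >= 2.  Every prime n passes for every a and r; a composite may
    pass for some (a, r), which is why Step 3 runs over a range of a."""
    x_plus_a = [a % n, 1] + [0] * (r - 2)
    lhs = poly_powmod(x_plus_a, n, r, n)
    rhs = [0] * r
    rhs[n % r] = 1                             # x^n ≡ x^(n mod r) modulo x^r - 1
    rhs[0] = (rhs[0] + a) % n
    return lhs == rhs


def theorem2_holds(n, a):
    """Theorem 2 checked directly: every coefficient c(n, i) a^(n-i), 0 < i < n,
    of (x + a)^n - (x^n + a) must vanish modulo n.  This touches n binomial
    coefficients, the Omega(n) work that reducing modulo x^r - 1 avoids."""
    return all(comb(n, i) * pow(a, n - i, n) % n == 0 for i in range(1, n))


def step3(n, r, a_max):
    """Step 3: n is declared composite if Eqn. (11) fails for some 1 <= a <= a_max."""
    return all(aks_congruence(n, a, r) for a in range(1, a_max + 1))
```

For n = 6, a = 1, r = 5 the left side reduces to $3x^4 + 2x^3 + 3x^2 + x + 1$ while the right side is $x + 1$, so the congruence fails and 6 is declared composite; for a prime such as 31 every a and r pass, exactly as the text states.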

We are assured of finding such a prime r in Step 2 because of the following lemma,
together with an application of the prime number theorem.

Lemma 1: Let P(n) denote the greatest prime divisor of n. There exist constants c > 0
and $n_0$ such that, for all $x > n_0$,

$\#\{p \mid p \text{ is prime}, p \le x \text{ and } P(p - 1) > p^{2/3}\} \ge c\,\dfrac{x}{\log x}$.

It is clear that if n is prime, then the algorithm will declare it to be prime.

Let us consider the case when n is composite. Then there exists a prime factor p of n
such that q divides $o_r(p)$, where q is the largest prime factor of r − 1. Let us see why
this is true.

Suppose $n = p_1 p_2 \cdots p_k$ is the prime factorisation where the $p_i$'s need not be distinct. Then,
$o_r(n) \mid \mathrm{lcm}(o_r(p_1), o_r(p_2), \ldots, o_r(p_k))$. If $q \nmid o_r(p_i)$ for all i, 1 ≤ i ≤ k, then
$q \nmid \mathrm{lcm}(o_r(p_1), o_r(p_2), \ldots, o_r(p_k))$, so it can’t divide $o_r(n)$ either since
$o_r(n) \mid \mathrm{lcm}(o_r(p_1), o_r(p_2), \ldots, o_r(p_k))$. This contradicts the choice of r in Step 2.

Let us suppose that the algorithm declares n to be a prime. To arrive at a contradiction,
we consider the group G generated by $\{(x - a) \mid 1 \le a \le 2\sqrt{r}\,\log n\}$ in $\mathbb{F}_p[x]/(h(x))$,
where h(x) is an irreducible factor of $x^r - 1$. Then G is a cyclic group with order greater
than $n^{2\sqrt{r}}$. Let g(x) be a generator of G, whose order we denote by $o_g$.

Consider the set

$I_{g(x)} = \{m \in \mathbb{Z} \mid g(x)^m \equiv g(x^m) \pmod{x^r - 1} \text{ in } \mathbb{F}_p[x]\}$.

Then $I_{g(x)}$ has the following properties:

Then Ig(x) has the following properties:

1. $I_{g(x)}$ is closed under multiplication.

2. $m_1 \equiv m_2 \pmod r$ implies that $m_1 \equiv m_2 \pmod{o_g}$, whenever $m_1, m_2 \in I_{g(x)}$.

These properties allow us to construct a set

$E = \{n^i p^j \mid 0 \le i, j \le [\sqrt{r}]\}$

which is a subset of $I_{g(x)}$.

Now #E > r, which implies that there exist two distinct elements in E which are
congruent modulo r, hence are congruent modulo $o_g$, by a property of $I_{g(x)}$. Since
$o_g > n^{2\sqrt{r}}$, the congruence reduces to an equality, from which we deduce that $n = p^k$ for
some integer k, which contradicts the fact that we have already ruled out perfect powers
in Step 1 of the algorithm.

Therefore, we conclude that the algorithm will declare an input n to be prime if and
only if n is a prime.

E8) Find the smallest pseudoprime to the base 2.

E9) Prove that a Carmichael number has at least three distinct prime factors.

E10) Show that 65 is a strong pseudoprime to the base 8 and to the base 18, but not to
the base 14, which is the product of 8 and 18 modulo 65.

We have seen in Sec. 2.2 that (Z/nZ)∗ need not be cyclic. In the next section, we will
discuss the case when (Z/nZ)∗ is cyclic.

2.4 PRIMITIVE ROOTS

Let us first discuss the notion of a reduced residue system.

Definition 9: By a reduced residue system modulo m we mean any set of φ(m)
integers, incongruent modulo m, each of which is relatively prime to m.

Example 7: The set {1, 5, 7, 11} is a reduced residue system modulo 12.

∗∗∗

Theorem 3: If $\{a_1, a_2, \ldots, a_{\varphi(m)}\}$ is a reduced residue system modulo m and
gcd(k, m) = 1, then $\{ka_1, ka_2, \ldots, ka_{\varphi(m)}\}$ is also a reduced residue system modulo m.

Proof: It is clear that no two of the numbers $ka_i$ are congruent modulo m. Also, since
$\gcd(a_i, m) = \gcd(k, m) = 1$, we have $\gcd(ka_i, m) = 1$, so each $ka_i$ is relatively prime to
m. □

We have seen Theorem 4 and its generalisation Theorem 5 in Unit 6 of MMT-003.

Theorem 4: If a prime p does not divide a, then

$a^{p-1} \equiv 1 \pmod p$.

Theorem 5 (The Euler-Fermat Theorem): Let a and m be relatively prime integers,
with m ≥ 1. Then we have

$a^{\varphi(m)} \equiv 1 \pmod m$. (12)

As above, let a and m be relatively prime integers, with m ≥ 1. Consider all the positive
powers of a:

$a, a^2, a^3, \ldots$

We know, from Theorem 5, that $a^{\varphi(m)} \equiv 1 \pmod m$. However, there may be an earlier
power $a^f \equiv 1 \pmod m$. We are interested in the smallest positive f with this property.

Definition 10: The smallest positive integer f such that

$a^f \equiv 1 \pmod m$

is called the exponent of a modulo m, and is denoted by writing

$f = \exp_m(a)$.

If $\exp_m(a) = \varphi(m)$, then a is called a primitive root mod m.

Another way of looking at the notion of a primitive root is in the context of Z∗m. We
follow the notation of Definition 4.

Definition 11: Let a ∈ Z∗m. If $o_m(a) = \varphi(m)$, then a is said to be a generator or a
primitive element of Z∗m, or a primitive root mod m.

Remark 4: If Z∗m has a generator, then Z∗m is cyclic.

We have seen that if p is a prime, then Zp is a field, and Z∗p is a cyclic group.

Definition 12: Let p be a prime. The integer a for which the residue class a + pZ
generates Z∗p is called a primitive root mod p.

Theorem 5 tells us that $\exp_m(a) \le \varphi(m)$. The next theorem shows that $\exp_m(a)$ divides
φ(m).

Theorem 6: Given m ≥ 1, gcd(a, m) = 1, let $f = \exp_m(a)$. Then we have:

(a) $a^k \equiv a^h \pmod m$ if, and only if, $k \equiv h \pmod f$.

(b) $a^k \equiv 1 \pmod m$ if and only if $k \equiv 0 \pmod f$. In particular, f divides φ(m).

(c) The numbers $1, a, a^2, \ldots, a^{f-1}$ are incongruent mod m.

Proof: Parts (b) and (c) follow at once from (a), so we need to only prove (a).

If $a^k \equiv a^h \pmod m$, then $a^{k-h} \equiv 1 \pmod m$. Write

k − h = qf + r, where 0 ≤ r < f.

Then $1 \equiv a^{k-h} = a^{qf+r} \equiv a^r \pmod m$, so r = 0 and $k \equiv h \pmod f$.

Conversely, if $k \equiv h \pmod f$, then k − h = qf. So $a^{k-h} \equiv 1 \pmod m$ and hence $a^k \equiv a^h \pmod m$. □

Theorem 7: Let gcd(a, m) = 1. Then a is a primitive root mod m if, and only if, the
numbers

$a, a^2, \ldots, a^{\varphi(m)}$ (13)

form a reduced residue system mod m.

Proof: If a is a primitive root, the numbers in Eqn. (13) are incongruent mod m, by
Theorem 6(c). Since there are φ(m) such numbers, they form a reduced residue system
mod m.

Conversely, if the numbers in Eqn. (13) form a reduced residue system, then $a^{\varphi(m)} \equiv 1 \pmod m$,
but no smaller power is congruent to 1, so a is a primitive root. □

The importance of primitive roots is explained by Theorem 7. If m has a primitive root,
then each reduced residue system modulo m can be expressed as a geometric
progression. In other words, if Z∗m has a generator, then all its elements can be
expressed as powers of a single element. Unfortunately, not all moduli have primitive
roots.

Some facts about primitive roots:

We shall state without proof some properties of primitive roots.

1. Primitive roots exist only for the following moduli: m = 1, 2, 4, $p^\alpha$, and $2p^\alpha$,
where p is an odd prime and α ≥ 1.

2. If a is a generator of Z∗m, then Z∗m = $\{a^i \bmod m \mid 0 \le i \le \varphi(m) - 1\}$.

3. Suppose that a is a generator of Z∗m. Then $b = a^i \bmod m$ is also a generator of Z∗m
if and only if gcd(i, φ(m)) = 1. It follows that if Z∗m is cyclic, then the number of
generators is φ(φ(m)).

4. a is a generator of Z∗m if and only if $a^{\varphi(m)/p} \not\equiv 1 \pmod m$ for each prime divisor
p of φ(m).

Example 8: Z∗21 is not cyclic since it does not contain an element of order φ (21) = 12
(see Table 1.); note that 21 does not satisfy the condition 1 above on the existence of
primitive roots.

∗∗∗
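The following Python is an added example for this section (not code from the unit): it computes the exponent of Definition 10 by trying the divisors of φ(m) that Theorem 6(b) allows, decides whether a is a generator using fact 4, decides whether Z∗m is cyclic at all using fact 1, lists all generators (fact 3 predicts φ(φ(m)) of them), checks Definition 9 and Theorem 3 for reduced residue systems, and searches for the primes asked for in E11. The numbers 15, 21, 12 and 7 are taken from E4, Example 8, Example 7 and the discussion above; the function names are this example's own.

```python
from math import gcd, isqrt


def prime_factors(m):
    """Distinct prime divisors of m by trial division (fine for textbook sizes)."""
    out, x, p = [], m, 2
    while p * p <= x:
        if x % p == 0:
            out.append(p)
            while x % p == 0:
                x //= p
        p += 1
    if x > 1:
        out.append(x)
    return out


def phi(m):
    """Euler's phi-function via the product formula over the primes dividing m."""
    result = m
    for p in prime_factors(m):
        result -= result // p
    return result


def order_mod(a, m):
    """exp_m(a) of Definition 10: the least f >= 1 with a^f ≡ 1 (mod m), m >= 2.
    By Theorem 6(b) f divides phi(m), so only divisors of phi(m) are tried."""
    if gcd(a, m) != 1:
        raise ValueError("a must be coprime to m")
    ph = phi(m)
    return next(f for f in range(1, ph + 1) if ph % f == 0 and pow(a, f, m) == 1)


def is_primitive_root(a, m):
    """Fact 4: a generates Z_m^* iff a^(phi(m)/p) ≢ 1 (mod m) for each prime p | phi(m)."""
    if gcd(a, m) != 1:
        return False
    ph = phi(m)
    return all(pow(a, ph // p, m) != 1 for p in prime_factors(ph))


def has_primitive_root(m):
    """Fact 1: Z_m^* is cyclic exactly for m = 1, 2, 4, p^k and 2p^k, p an odd prime."""
    if m in (1, 2, 4):
        return True
    odd_part = m // 2 if m % 2 == 0 else m
    return odd_part % 2 == 1 and len(prime_factors(odd_part)) == 1


def generators(m):
    """All primitive roots mod m; by Fact 3 there are phi(phi(m)) of them when any exist."""
    return [a for a in range(1, m) if is_primitive_root(a, m)]


def is_reduced_residue_system(elems, m):
    """Definition 9: phi(m) integers, pairwise incongruent mod m, each coprime to m."""
    return (len(elems) == phi(m)
            and len({e % m for e in elems}) == len(elems)
            and all(gcd(e, m) == 1 for e in elems))


def smallest_prime_with_root(g):
    """E11: the least prime p > g for which g is a primitive root mod p."""
    p = g + 1
    while True:
        if all(p % q for q in range(2, isqrt(p) + 1)) and is_primitive_root(g, p):
            return p
        p += 1
```

`generators(21)` is empty, the direct form of Example 8, while `generators(7)` returns [3, 5], the φ(φ(7)) = φ(6) = 2 generators that fact 3 predicts.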

Try the next exercise to check your understanding of primitive roots.

E11) For g = 2, 3, 5, 7, 11 determine a prime number p > g such that g is a primitive
root mod p.

Let us now summarise the discussion in this unit.

2.5 SUMMARY

In this Unit, we have discussed the following:

1. The structure of Z∗n and Zn ;

2. The extended-euclidean algorithm for integers;

3. The repeated squaring algorithm to compute powers of elements in Z∗n ;

4. The concept of a pseudoprime;

5. The Rabin-Miller strong pseudoprime test; and

6. An outline of the AKS algorithm for primality testing.

2.6 SOLUTIONS/ANSWERS

E1) Initial values: Q1 ← 1, Q2 ← 0, R1 ← 0, R2 ← 1, T1 ← m.

Iteration 1 Values at the end of first iteration:

T1 = 32 Q1 = 0 R1 = 1
T2 = 8 Q2 = 1 R2 = −2

Iteration 2 Values at the end of second iteration:

T1 = 8 Q1 = 1 R1 = −2
T2 = 0 Q2 = −4 R2 = 9
We see that T2 = 0. So, there are no more iterations.
Answer: T1 = 8, Q1 = 1, R1 = −2

E2) The definition is as follows:

Definition 13: (The big oh notation). Let n, $n_0$ be integers, and g a real valued
function defined on N. If g(n) > 0 for all $n \ge n_0$, we write

f(n) = O(g(n)) or f = O(g)

(read as “f is big oh of g”), to mean that the quotient f(n)/g(n) is bounded for
$n \ge n_0$; that is, there exists a constant M > 0 such that

$|f(n)| \le M\,g(n)$ for all $n \ge n_0$.

Let us write f(n) = Ω(g(n)) if, for any constant c > 0, |f(n)| ≥ cg(n) for infinitely
many values of n. Note that this statement is essentially a negation of the
statement f(n) = O(g(n)).
We write f(n) = Θ(g(n)) if there are positive constants c and d such that
$d\,g(n) \le f(n) \le c\,g(n)$.
E3) We just give the values of P, b and m after each iteration. We leave it to you to check
the details. Values at the end of iteration 1:

P = 5, b = 25, m = 8

Values at the end of iteration 2:

P = 5, b = 57, m = 4

Values at the end of iteration 3:

P = 5, b = 54, m = 2

Values at the end of iteration 4:

P = 5, b = 5, m = 1

Values at the end of iteration 5:

P = 25, b = 25, m = 0

So, $5^{21} \pmod{71} = 25$ using Algorithm 2.

E4) The orders of the elements of Z∗15:

a ∈ Z∗15   1  2  4  7  8  11  13  14
ord(a)     1  4  2  4  4   2   4   2

E5) π(100) = 25, while the prime number theorem tells us that
π(100) ∼ 100/ log 100, where log denotes the natural logarithm. Direct
calculation gives 100/ log 100 ∼ 21.7.

E6) We have 606893471 − 1 = 2 · 303446735. So, t = 303446735, s = 2. We have $2^t \equiv 1 \pmod{606893471}$,
so it is probably a prime. $3^t \equiv 1 \pmod{606893471}$, $5^t \equiv 1 \pmod{606893471}$,
$7^t \equiv -1 \pmod{606893471}$ and $11^t \equiv 1 \pmod{606893471}$.
So, 606893471 is a strong pseudoprime to the bases 2, 3, 5, 7, 11. By our remark,
since $606893471 < 25 \cdot 10^9$, 606893471 is a prime.

E7) We have 796973399 − 1 = 2 · 398486699. Further, $m = 2^{398486699} \equiv 52785661 \pmod{796973399}$
and $m^2 \equiv 209867455 \pmod{796973399}$. So, 796973399 is composite.

E8) The smallest pseudoprime to the base 2 is 341. We have 341 = 11 · 31 and
$2^{340} \equiv 1 \pmod{341}$.
E9) Let n be a Carmichael number. By definition, it is not a prime number, and by one
of the properties stated in Sec. 2.2, it is square-free, hence not a prime power.
Therefore, n has at least two prime divisors. Let n = pq with prime factors
p, q, p > q. Another property of the Carmichael numbers states that p − 1 divides
n − 1. Now n − 1 = pq − 1 = (p − 1)q + q − 1. Therefore, p − 1 is a divisor of
q − 1. This is impossible since 0 < q − 1 < p − 1. Hence a Carmichael number has
at least three distinct prime divisors.
E10) $8^2 \equiv 18^2 \equiv -1 \pmod{65}$; $14^2 \equiv 1 \pmod{65}$, but $14^1 \not\equiv \pm 1 \pmod{65}$.

E11) 2, 3, 5, 7, 11 are primitive roots mod 3, 5, 7, 11, 13 respectively.

UNIT 3 CLASSICAL CIPHERS
Structure Page No.
3.1 Introduction 53
Objectives
3.2 Basic Terminology and Some Simple Ciphers 53
Caesar Cipher
Shift Cipher
Affine Cipher
3.3 Substitution Ciphers 63
The Vigenère Cipher
3.4 Transposition Ciphers 65
The Row Transformation Cipher
Simple Columnar Transposition Cipher
Other Transposition Techniques
3.5 Cryptanalysis 70
3.6 Summary 75
3.7 Solutions/Answers 75

3.1 INTRODUCTION

In this Unit, we start our study of cryptography by discussing some simple ciphers. We
must warn you that these ciphers are no longer used in real life situations; we discuss
these for historical reasons and to introduce you to basic concepts of cryptography. In
Sec. 3.2, we discuss the need for cryptography and introduce you to the basic
terminology of cryptography. In Sec. 3.3, we discuss transposition ciphers. In Sec. 3.4,
we discuss substitution ciphers. In Sec. 3.5, we discuss the affine cipher. In Sec. 3.6,
we discuss the Vigenère cipher.

Objectives
After studying this unit, you should be able to
• explain the goals of cryptography;
• explain the basic terms of cryptography;
• explain what is a transposition cipher and give examples;
• encrypt and decrypt text using some simple transposition ciphers;
• explain what is a substitution cipher and give examples;
• encrypt and decrypt text using some simple substitution ciphers;
• explain the Vigenère cipher and encrypt and decrypt text using the cipher; and
• apply simple statistical methods for cryptanalysing cipher.

3.2 BASIC TERMINOLOGY AND SIMPLE CIPHERS

From time immemorial, human beings have communicated with each other. With the
advancement of civilisation came the creation of political formations like countries with
conflicting interests. It also led to increased commercial activity. In political and
commercial activities, information is of great value and it often became necessary to
communicate information in such a way that no one but the intended recipient receives
the information. One of the main tools that has evolved to serve this purpose is
cryptography.

The main objective of cryptography is to enable two parties to communicate confidentially
through an insecure channel by concealing the meaning of the communication from unauthorised parties. By
a channel, we mean any method of communication including the traditional means like
letter, telephone, telegraph, etc. and the more modern like computer networks and
communication through satellite. Insecure channel means that adversaries of the
communicating parties can access the channel.

Traditionally, in cryptography, two communicating parties are called Bob and Alice.
There is a third party, usually called Eve, who is eavesdropping on the conversation,
trying to find out what they are saying to each other. Of course, it is not that Bob and
Alice are ‘good’ and Eve is ‘bad’. For example, Alice and Bob could be terrorists
plotting some terrorist act and Eve could be the government agency that is trying to
prevent it.

Cryptography is a discipline which embodies principles, means and methods for the
transformation of data in order to

1. hide its information content from unauthorised persons.

2. establish the authenticity of the data.

3. prevent its undetected modification.

4. prevent its repudiation.

5. prevent its unauthorised use.

In other words, the main goals of cryptography are privacy/confidentiality,
authentication, data integrity and non-repudiation. Let us see what these goals are.

Privacy/Confidentiality: To achieve the primary goal of confidentiality, Bob usually
transforms the text in such a way that it becomes unintelligible and sends it to Alice.
Alice knows how to get the original text from the transformed text. The whole
procedure involves some secret information without which it is not possible to recover
the original text from the transformed text. Eve, the eavesdropper, will not be able to
recover the original text if she doesn’t have the necessary secret information.

Authentication: After the message reaches its destination, the receiver should be able
to verify its origin. Eve should not be able to send a message to Bob pretending to be
Alice. This aspect is called authenticity.

Data integrity: Another objective of cryptography is to protect the message from being
tampered with during transit. When Bob receives a message from Alice, he should be
able to check whether the message was modified during transmission, either
accidentally or deliberately. Eve should not be able to alter the message by insertion,
deletion or substitution of text. This aspect is called data integrity.

Non-repudiation: When initiating a communication, Alice and Bob should be able to
identify each other. Finally, Alice should not be able to later deny that she sent the
message. This aspect is called non-repudiation.

As discussed earlier, adversaries may also be active and try to modify the message.
Adversaries are assumed to have complete access to the communication channel.

The fundamental and classical task of cryptography is to provide secrecy by
encryption methods. The actual message to be sent is called plain text. The process
of transforming plain text to render it unintelligible to unauthorised persons is called
encryption or enciphering and the transformed text is called cipher text. The reverse
process of recovering the plain text from the cipher text by undoing the transformation is
called decryption or deciphering.

Let us look at a simple example of cryptography at work. We will discuss a cipher
supposed to have been used by Julius Caesar, a Roman general and statesman.

3.2.1 Caesar Cipher

You may have studied about Julius Caesar, the Roman general and statesman who conquered
Gaul, a region of Western Europe which included present day France, Luxembourg and
Belgium, most of Switzerland, the western part of Northern Italy, as well as the parts of
the Netherlands and Germany on the left bank of the Rhine. He developed a method,
which is now known as the Caesar Cipher, for communicating with the generals of his
army.

Example 1: (Caesar cipher) Suppose the message we want to send, that is, the plain
text, comprises letters from the English alphabet. We convert it to a cipher text by
simply replacing each letter in the message with the letter that is three places further
down the alphabet. That is, “A” is replaced by “D,” “B” is replaced by “E,” . . . , “W” is
replaced by “Z,” “X” is replaced by “A,” “Y” is replaced by “B,” and “Z” is replaced by
“C”. To get back the original message from the cipher text, we perform the reverse
operation, that is, replace each letter of the cipher text with the letter that is three places
ahead in the alphabet. Thus, with this system, the word “YES” is encrypted as “BHV”,
while the cipher text “ZKB” yields the plain text “WHY”. See Table 1.

Plain text A B C D E F G H I J K L M
Cipher text D E F G H I J K L M N O P
Plain text N O P Q R S T U V W X Y Z
Cipher text Q R S T U V W X Y Z A B C
Table 1: Caesar’s Cipher.

To look at a longer example, his message ‘I CAME I SAW I CONQUERED’ will be
transformed as follows:

Plain text I C A M E I S A W I C O N Q U E R E D
Cipher text L F D P H L V D Z L F R Q T X H U H G

∗∗∗

Try the following exercise to test your understanding of Caesar cipher.

E1) Encrypt the following text using Caesar cipher:

THE DIE IS CAST

E2) Decrypt the following text which was encrypted using Caesar cipher:

EHZDUH RI WKH LGHV RI PDUFK

Let us now define a cryptosystem formally.

Definition 1: An alphabet Σ is a finite set whose elements are called symbols. A
string over an alphabet is a finite sequence of symbols. Let us denote the set of all
strings over Σ by L(Σ). Let Σ and ∆ be two sets of symbols. A cryptosystem consists
of the following components:

Plaintext-space P: a finite subset of L(Σ).

Ciphertext-space C: a finite subset of L(∆).

Key space K: a finite set of keys.

Encryption function $E_k$: for each k ∈ K, there is an encryption function
$E_k : P \to C$ which is a one-to-one function.

Decryption function $D_k$: for each k ∈ K, there is a decryption function
$D_k : C \to P$ such that $D_k(E_k(x)) = x$ for all x ∈ P.

Let us see how we encrypt a message.

1. We choose a key k ∈ K .

2. We break up the plaintext into smaller units, each of which consists of a single
letter, or a pair of letters, or a block of some fixed number of letters. These are
known as message units.

3. Let $E_k$ be the encryption function from P to C corresponding to the key k ∈ K
which takes any plaintext message unit to a ciphertext message unit, where we
shall always assume that $E_k$ is a 1-to-1 correspondence. Under this map, for any
ciphertext message unit, there is a unique plaintext message unit for which it is
the encryption.

4. We apply the inverse map, the decryption function $D_k$ from C to P, to recover
the plaintext from the ciphertext.

Let us look at Caesar’s cipher to understand the terms.

Example 2: Let us see what P, C , Ek and Dk are in the Caesar cipher. Since we want
to construct functions between two sets, the first step is to label all possible plain text
message units and all possible cipher text units by means of mathematical objects. In
this case, our plain text and cipher text message units are single letters from the
26-letter alphabet A – Z, so we can label the letters using the integers 0, 1, 2, . . . , 25,
which we call their “numerical equivalents”, as in Table 2.

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Table 2: Numerical equivalents of the characters in the English alphabet.

Recall from Unit 6 of MMT-003 that $\mathbb{Z}_{26}$ is the quotient ring Z/26Z. However, to make
notation less cumbersome, we will regard the set A = {0, 1, 2, . . . , 25} as $\mathbb{Z}_{26}$. To add
two numbers m, n ∈ A, we simply find the usual sum m + n and if it is greater than 26,
take its remainder on division by 26 as the answer. If m + n is less than 26, the answer
is just the usual sum m + n. For example, the sum of 2 and 4 in A is 6, while the sum
of 24 and 12 is 10 in A. We can define multiplication similarly.

Under the correspondence in Table 2, let x ∈ A = {0, 1, . . . , 25} stand for a plain text
message unit. Define a function f from the set A to itself by the rule

f(x) = x + 3 (1)

Note that, the addition in Eqn. (1) is the addition we defined in A . Thus,
f(2) = 2 + 3 = 5, but f(24) = 1.

Therefore, what we have done in encrypting the word “YES” was to write down the
numerical equivalent in A to each letter under Table 2: “24 4 18”. Then, we find
f(24) = 1, f(4) = 7 and f(18) = 21. The letter equivalents to 1, 7 and 21 are B, H and V.

To decipher a message, we subtract 3 or equivalently add 23 since 23 is the additive
inverse of 3 under the addition we defined on A. In other words,

$f^{-1}(x) = g(x) = x + 23$ (2)

will convert a cipher text message unit to a plain text unit. It is easy to see how the
cipher text “ZKB”, mentioned above, gives the plain text “WHY” using this function.
We leave this verification as an exercise.

For the Caesar cipher, any plain text message is a string $p_1 p_2 \ldots p_k$ with $p_i \in A$. For
example WHY corresponds to the string 22 7 24. Usually, strings are written without
gaps. We have put small gaps so that there is no ambiguity. Similarly, ZKB corresponds
to the string 25 10 1. So, both the plain text and cipher text are strings on the same
set A and we can take P and C to be subsets of L(A) consisting of strings of length
≤ t for some t. So, in this case, ∆ = Σ. Further, the key space contains only one
element, 3. The function $E_3$ is the function f in Eqn. (1) and the function $D_3$ is the
function g defined in Eqn. (2).
∗∗∗

In the next section, we will discuss a generalisation of Caesar cipher.

3.2.2 Shift Cipher

You may recall that electronic documents do not have just the characters from the
alphabet. They also contain punctuation marks, numbers, symbols like &, $ and so on.
In fact, 265 different characters are possible in computers that use the ASCII encoding.
So, we need a larger set of symbols than just A . Instead of A , we can take the set
AN = {0, 1, 2, 3, . . . , N} as the set of symbols. We can define addition and
multiplication on AN as addition and multiplication modulo N as we did in the case of
A . We can define the analogue of Caesar cipher on AN by

f(x) = x + 3. (3)

The inverse transformation is

$g(x) = f^{-1}(x) = x + N - 3$ (4)

Another obvious direction in which we can generalise is to shift characters in the
plaintext by b places for 0 < b < N instead of just by three places. In this case the
encryption function is

$E_b(x) = x + b$ (5)

and the decryption function is

$D_b(x) = E_b^{-1}(x) = x - b$ (6)

Here, of course, −b = N − b, the additive inverse of b in $\mathbb{Z}_N$.

In the case of the shift cipher, Σ = ∆ = A and P and C are subsets of L(A) of length ≤ t
for some t. Note that, this choice for P and C makes sense because, although it is
possible to have plaintext or ciphertext of arbitrary length, all the media used for
storage of plaintext or ciphertext have only finite capacity and so they cannot store
strings of arbitrary length. We have K = {b | 0 < b < N}. Further, $E_k(x) = x + k$ and
$D_k(x) = x - k$ for k ∈ K. Let us now look at an example of the shift cipher.

Example 3: Consider the plaintext ‘I CAME I SAW I CONQUERED’. Let us apply
the shift transformation with shift parameter 7. The seventh letter after I is P. So, we
replace I by P. Similarly the seventh letter after C is J, so we replace C by J. Proceeding
this way, the text becomes ‘P JHTL P ZHD P JVUXBLYLK’. To decrypt this text we
apply the inverse shift transformation, which is a shift transformation with shift parameter
26 − 7 = 19.

∗∗∗

Try the following exercises to test your understanding.

E3) Encrypt the text ‘ATTACK POSTPONED’ using a shift transformation with shift
parameter 15.

E4) The ciphertext ‘T SLGP DTYO’ was obtained by applying the shift
transformation with parameter 11. Find the plaintext.

In the next subsection, we will look at another generalisation of the shift cipher, the
affine cipher.

3.2.3 Affine Cipher

The Caesar cipher discussed earlier is a special case of the substitution cipher which
includes only 26 of the 26! possible permutations of the 26 elements. Another special
case of the substitution cipher is the affine cipher, which we describe now. In the affine
cipher, we restrict the encryption functions to functions of the form

E(x) = ax + b,

a ∈ Z∗26 , b ∈ Z26 . These functions are called affine functions, hence the name affine
cipher. Observe that when a = 1, b = 3, we have the Caesar cipher.

In order that decryption is possible, it is necessary to ask when an affine function is
injective. In other words, for any y ∈ Z26, we want the equation

ax + b ≡ y

to have a unique solution for x. This equation is equivalent to

ax = y − b

Now, as y varies over Z26 , so too, does y − b vary over Z26 . Hence, it suffices to study
the congruence ax = y, where y ∈ Z26 .

Proposition 1: The congruence ax ≡ y (mod 26) has a unique solution x ∈ Z26 for every
y ∈ Z26 if and only if gcd(a, 26) = 1.
Proof: This follows from proposition 2 in Unit 6 of MMT-003 with n = 26. □

At this point we have shown that, if gcd(a, 26) = 1, then an equation of the form ax ≡ y
has at most one solution in Z26. Hence, if we let x vary over Z26, then ax takes on 26
distinct values in Z26. That is, it takes on every value exactly once. It follows that, for
any y ∈ Z26, the congruence ax ≡ y has a unique solution for x.

There is nothing special about the number 26 in this argument. The following result
follows from proposition 2 in Unit 6 of MMT-003.

Theorem 1: The congruence ax ≡ y (mod m) has a unique solution x ∈ Zm for every
y ∈ Zm if and only if gcd(a, m) = 1.

We would like to once again remind you that, in this unit, we represent Zm by the set
Am together with addition and multiplication modulo m as the binary operations.

Since 26 = 2 × 13, the values of a ∈ Z26 such that gcd(a, 26) = 1 are a = 1, 3, 5, 7, 9,
11, 15, 17, 19, 21, 23 and 25. The parameter b can be any element in Z26 . Hence the
affine cipher has 12 × 26 = 312 possible keys. It is clear that this is much too small to
be secure. In some cases it will be possible to break it by an exhaustive key search.

Let us now consider the general setting where the modulus is m. Recall that

φ(m) = |{a ∈ Zm | gcd(a, m) = 1}|

Definition 2: Suppose a ≥ 1 and m ≥ 2 are integers. If gcd(a, m) = 1, then we say that
a and m are relatively prime. The number of positive integers less than m that are
relatively prime to m is often denoted by φ(m) (this function is called the Euler
phi-function).

Corollary 3 in Unit 6 of MMT-003 gives the value of φ (m) in terms of the prime power
factorisation of m.

Theorem 2: Suppose

m = ∏_{i=1}^{n} p_i^{e_i}

is the prime factorisation of m, where the p_i's are distinct primes and e_i > 0, 1 ≤ i ≤ n.
Then

φ(m) = ∏_{i=1}^{n} (p_i^{e_i} − p_i^{e_i − 1}). (7)

If the encryption function is given by

E(x) = ax + b, where gcd(a, m) = 1,

then the number of choices for b is m, and the number of choices for a is φ (m). It
follows that the number of keys in the affine cipher over Zm is mφ (m), where φ (m) is
given by the formula above. For example, when m = 60, φ (60) = 2 × 2 × 4 = 16 and
the number of keys in the affine cipher is, therefore, 960.

We have seen earlier, in the case m = 26, that to decrypt, we need to solve the equation
y = ax + b for x in Z26 , and that the equation will have a unique solution in Z26 (since
we have taken a to be relatively prime to 26). However, the discussion above does not
give us an efficient method of finding the solution. What we require is an efficient
algorithm to do this. Some results on modular arithmetic will provide us with the
efficient decryption algorithm we seek.

By proposition 2 in Unit 6 of MMT-003 it follows that a has a multiplicative inverse
modulo m if and only if gcd(a, m) = 1; and if a multiplicative inverse exists, it is
unique. Also, observe that if b = a^{-1}, then a = b^{-1}. In Z26, there are 12 elements
relatively prime to 26, so trial and error suffices to find the multiplicative inverse of
these elements. 1^{-1} = 1, 3^{-1} = 9, 5^{-1} = 21, 7^{-1} = 15, 11^{-1} = 19, 17^{-1} = 23, and
25^{-1} = 25. All of these can be easily verified. This is left as an exercise.

Consider the equation y ≡ ax + b (mod m). This is equivalent to

ax ≡ y − b (mod m) (8)

Since gcd(a, m) = 1, a has a multiplicative inverse modulo m, say c, so that
ac ≡ 1 ≡ ca (mod m). Multiplying both sides of Eqn. (8) by c = a^{-1}, we obtain

c(ax) ≡ c(y − b) (mod m)

We have

c(ax) = (ca)x ≡ 1x = x (mod m)

Consequently,

x ≡ c(y − b) (mod m),

and the decryption function is, therefore,

D(y) = a^{-1}(y − b) (mod m)

We can completely describe the affine cipher as follows:

Let m be a positive integer. We have Σ = ∆ = Zm, P and C are subsets of L(Zm)
consisting of strings of length ≤ t. The key space K consists of all pairs
(a, b) ∈ Zm × Zm for which gcd(a, m) = 1. The encryption function Ek for key
k = (a, b) is

Ek : Zm → Zm, x ↦ ax + b (mod m)

The decryption function for key k = (a, b) is

Dk : Zm → Zm, x ↦ a^{-1}(x − b) (mod m)

Example 4: Let us take m = 26. Suppose that the key k = (7, 3). As noted before,
7^{-1} mod 26 = 15. The encryption function is

Ek(x) = 7x + 3 (mod 26),

and the corresponding decryption function is

Dk(y) = 15(y − 3) (mod 26),

that is,

Dk(y) = 15y − 19 (mod 26).
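The affine cipher just described, as an added example that is not part of the course text: the key space (a, b) with gcd(a, m) = 1 is counted by m·φ(m) using the factorisation formula of Theorem 2 and checked by enumeration, a^{-1} is found with the extended Euclidean algorithm rather than by trial and error, and the shift cipher of Example 3 is recovered as the special case a = 1, so both Example 3 (shift 7) and Example 4 (key (7, 3)) can be run. The letter alphabet is fixed to Z26; the counting functions take any modulus m.

```python
# Added example (not from the course text): the affine cipher over Z_26,
# with key validation, a^{-1} by the extended Euclidean algorithm, phi(m)
# by Eqn. (7), and the key count m * phi(m) checked by enumeration.

from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = len(ALPHABET)   # the letter cipher below works over Z_26


def egcd(a, b):
    """Extended Euclidean algorithm: (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def mod_inverse(a, m):
    """a^{-1} modulo m; raises ValueError when gcd(a, m) != 1 (no inverse exists)."""
    g, u, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd = {g})")
    return u % m


def prime_factorisation(m):
    """[(p, e), ...] with m = prod p^e, by trial division (fine for small m)."""
    factors, p = [], 2
    while p * p <= m:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if m > 1:
        factors.append((m, 1))
    return factors


def euler_phi(m):
    """phi(m) = prod (p^e - p^(e-1)) over the prime factorisation, Eqn. (7)."""
    phi = 1
    for p, e in prime_factorisation(m):
        phi *= p ** e - p ** (e - 1)
    return phi


def affine_key_count(m):
    """Number of keys (a, b) with gcd(a, m) = 1, i.e. m * phi(m)."""
    return m * euler_phi(m)


def affine_keys(m):
    """The key space itself, for checking the count by enumeration."""
    return [(a, b) for a in range(m) for b in range(m) if gcd(a, m) == 1]


def affine_encrypt(text, key):
    """E_k(x) = a*x + b (mod 26) letter by letter; spaces etc. pass through."""
    a, b = key
    if gcd(a, M) != 1:
        raise ValueError("a must be relatively prime to 26")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % M] if ch in ALPHABET else ch
                   for ch in text.upper())


def affine_decrypt(text, key):
    """D_k(y) = a^{-1} (y - b) (mod 26), using the inverse from egcd."""
    a, b = key
    a_inv = mod_inverse(a, M)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M] if ch in ALPHABET else ch
                   for ch in text.upper())


def shift_encrypt(text, k):
    """The shift cipher is the affine cipher with a = 1 (Caesar: k = 3)."""
    return affine_encrypt(text, (1, k))


def shift_decrypt(text, k):
    """Inverse shift; the same as shifting forward by 26 - k."""
    return affine_decrypt(text, (1, k))


if __name__ == "__main__":
    print(affine_key_count(26), affine_key_count(60))        # 312 960
    print(shift_encrypt("I CAME I SAW I CONQUERED", 7))      # Example 3
    c = affine_encrypt("I CAME I SAW I CONQUERED", (7, 3))   # Example 4
    print(c, "->", affine_decrypt(c, (7, 3)))
```

Passing a = 2 (or any even a) to affine_encrypt raises an error, which is the practical face of Proposition 1: such an a is not injective on Z26, so no decryption function exists.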

∗∗∗

E5) a) How many different shift transformations are there with an N-letter alphabet?
b) How many affine transformations are there when N = 26, 27, 28, 29, 30?
E6) In the 27-letter alphabet (with blank = 26), use the affine enciphering
transformation with key a = 13, b = 9 to encipher the message “HELP ME.”

Classical ciphers, also known as symmetric encryption, were the only type of
encryption in use before the development of public-key encryption. This unit will
comprise topics related to classical ciphers.

Let us look at the process of symmetric encryption in a general set-up. Encryption
schemes are used to keep messages or stored data secret. Suppose Alice and Bob want
to communicate over an insecure channel without Eve coming to know what they are
saying to each other. Alice encrypts or enciphers the message P, which we call plain
text, using a predetermined key, and obtains a cipher text C. The plaintext could be
anything: a word processor file, an image file, a database file or any other kind of file.
Alice transmits the cipher text C to Bob, who converts it back into plain text by
decryption. To decrypt or decipher, Bob needs some secret information, a decryption
key. Now, Eve may still be able to intercept the cipher text. However, the encryption
should guarantee secrecy and prevent her from deriving any information about the plain
text from the observed cipher text without the secret information that is needed to
decrypt the message.

To use a specific cryptosystem, Alice and Bob will employ the following procedure.
They choose a random key k ∈ K first. They can meet at some mutually agreed place,
away from the prying eyes of Eve, and decide upon the key. They could also use a
secure channel. A secure channel could be a trusted courier, for example. Another
possibility is to use a key exchange protocol like the Diffie-Hellman protocol that we
will discuss in the third Block of this course.

Suppose Alice wants to communicate a message to Bob over an insecure channel later.
Suppose this message is a string x = x1 , x2 , . . . , xn for some integer n ≥ 1, where each
plain text symbol xi ∈ Σ, 1 ≤ i ≤ n. Alice encrypts each xi using the encryption rule Ek
specified by the predetermined key k. Hence Alice computes Ek (xi ), 1 ≤ i ≤ n and
sends the resulting cipher text string y = y1 , y2 , . . . , yn over the channel. When Bob
receives y = y1 , y2 , . . . , yn , he decrypts it using the decryption function Dk , obtaining
the original plain text string x1 , x2 , . . . , xn . Fig. 1 is an illustration of the communication
channel.
Fig. 1: The Communication Channel. Alice feeds the plain text x and the key k into
the encrypter, which sends y over the channel; Bob feeds y and the same key k into
the decrypter and recovers x; Eve can observe y on the channel.

Note that, each encryption function Ek is an injective function (i.e., one-to-one),
otherwise, decryption could not be accomplished in an unambiguous manner. For
example, if

y = Ek(x1) = Ek(x2) where x1 ≠ x2,

then Bob has no way of knowing whether y should decrypt to x1 or x2.

Note that if P = C , it follows that each encryption function is a permutation. That is,
if the set of plain texts and cipher texts are identical, then each encryption function just
rearranges (or permutes) the elements of this set. In the example of the Caesar cipher
above, we have seen that P = C as they are both equal to the set of strings of length
≤ t in the set of symbols A .

Let us recall the following definition of an algorithm:

Definition 3: An algorithm is a formula or set of steps for solving a particular problem.
To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.

From every encryption method, we get an encryption algorithm, which performs
various modifications on the plain text, and a decryption algorithm, which essentially
reverses the modifications done by the encryption algorithm. Algorithms for classical
schemes use the same secret k for both encrypting and decrypting the text. These
encryption methods are therefore called symmetric.

Classical ciphers are often divided into substitution ciphers and transposition
ciphers.

In a substitution cipher, letters (or groups of letters) are systematically replaced
throughout the message by other letters (or groups of letters). The earliest known use
of a substitution cipher, and the simplest, was the Caesar cipher.

In a transposition cipher, the letters themselves are kept unchanged; only their
order within the message is scrambled according to some well-defined scheme.

We can devise more complex algorithms by performing several simple transformations
one after another.

Definition 4: A product cipher F is a cipher obtained by composing different ciphers
f1, f2, . . ., fk, i.e. F = f1 ◦ f2 ◦ f3 ◦ · · · ◦ fk where ◦ denotes composition of functions.

Modern ciphers, for example the data encryption standard (DES), iterate through
several stages of substitution and transposition.

The rest of this unit deals only with transposition ciphers and substitution ciphers.

E7) What is the key space of the generalised Caesar cipher when
a) the plain text space is {0, 1, . . . , 25}?
b) the plain text space is {0, 1, . . . , N − 1}, for any positive integer N?

E8) The cipher text VHFUHW has been generated with the (generalised) Caesar
cipher on the plain text space {0, 1, . . . , 25}. Determine the key and the plain text.

E9) Which of the following schemes is a cryptosystem? We always let
S = {0, 1, . . . , 25} be the set of alphabets. The plaintext space P and the ciphertext
space C consist of strings of length ≤ t on S for some t.
a) Each letter c ∈ S is replaced by kc, k ∈ {1, 2, . . . , 26}.
b) Each letter c ∈ S is replaced by kc, k ∈ {1, 2, . . . , 26}, gcd(k, 26) = 1.

Cryptography is not used by law abiding people alone. Even criminals and terrorists
use cryptography to keep their secrets. In this case, the law enforcement agencies will
play the role of Eve. Suppose you are a law enforcement officer and you want to read
a communication between two law breakers. You are not privy to the enciphering and
deciphering information used by the two people, but you would nevertheless like to be
able to read the enciphered messages. If you succeeded in doing so, you would have
broken the cipher, and the science of breaking ciphers is called cryptanalysis.

To break a cryptosystem, you need two types of information. The first is the general
nature (the structure) of the system. For example, suppose you know that the
cryptosystem uses a shift transformation on single letters of the 26-letter alphabet A − Z
with numerical equivalents 0 − 25, respectively.
The second type of information is the knowledge of a specific choice of certain
parameters connected with the given type of cryptosystem. In our example, the second
type of information you need to know is the choice of the shift parameter b. Once one
has that information, one can encipher and decipher by the formulas C = P + b and
P = C − b. Of course, the shift cipher is too weak and if it is known that the text has
been encrypted using a shift cipher, we can easily find the plain text by trying all
possible keys.

In the earlier days, both the ciphering algorithm and the keys were kept secret.
However, the modern designers of cryptosystems always make the assumption that the
general structural information is known. This assumption is called Kerckhoffs' principle.

In practice, users of cryptography often have a special computer chip or software for
enciphering and deciphering text. The chip or software usually uses only one type of
cryptosystem. Over a period of time the information about what type of system they are
using might leak out. To increase their security, therefore, the users frequently change
the choice of parameters used with the system. So, any cryptosystem has to have
sufficiently many keys so that the cryptosystem cannot be solved by exhaustive key
search, i.e. by trying out all the possible keys.

We conclude this section here. In the next section, we will start our discussion of
simple ciphers with substitution ciphers.

3.3 SUBSTITUTION CIPHERS


A substitution cipher is one in which each character in the plain text is replaced by
another character in the cipher text. The receiver inverts the substitution on the cipher
text to recover the plain text. This cryptosystem has been used for hundreds of years.

In classical cryptography, there are four types of substitution ciphers:

• A simple substitution cipher, or mono-alphabetic cipher, is one in which each
character of the plain text is replaced with a corresponding character of cipher
text.
Definition 5: Suppose Σ = ∆, i.e. the set of alphabets for the plaintexts and
ciphertexts are the same. Let P be the set of all strings of length t over Σ. So, P
consists of elements of the form m = m1 m2 . . . mt, where each mi ∈ Σ. Let K be
the set of all permutations on the set Σ. Define for each e ∈ K an encryption
transformation Ee as:
Ee(m) = e(m1) e(m2) . . . e(mt) = c1 c2 . . . ct = c,
where m = m1 m2 . . . mt ∈ P. In other words, for each symbol in a t-tuple,
replace it by another symbol from Σ according to some fixed permutation e. To
decrypt c = c1 c2 . . . ct, compute the inverse permutation d = e^{-1} and use it to
decrypt as follows:
Dd(c) = d(c1) d(c2) . . . d(ct) = m1 m2 . . . mt = m.
Ee is called a simple substitution cipher or a mono-alphabetic substitution
cipher.

• A homophonic substitution cipher is like a simple substitution cryptosystem,
except a single character of plain text can map to one of several characters of
cipher text. For example, “A” could correspond to either 5, 13, 25, or 56, “E”
could correspond to either 7, 19, 31, or 42, and so on. Usually, only vowels are
mapped to more than one character. Strictly speaking, this is not a cryptosystem
according to our definition because we don’t get a function in this case.
• A polygram substitution cipher is one in which blocks of characters are
encrypted in groups. For example, “ABA” could correspond to “RTQ,” “ABB”
could correspond to “SLL,” and so on.
• A polyalphabetic substitution cipher is made up of multiple simple substitution
ciphers. For example, there might be five different simple substitution ciphers
used; the particular ones used changes with the position of each character of the
plain text.

The earliest known use of a substitution cipher, and the simplest, was the Caesar cipher,
which is an example of a simple substitution cipher. The cipher text alphabet is actually
a rotation of the plain text alphabet and not an arbitrary permutation.

ROT13 is a simple encryption programme commonly found on UNIX systems; it is
also a simple substitution cipher. In this cipher, “A” is replaced by “N,” “B” is replaced
by “O,” and so on. Every letter is rotated 13 places.

Encrypting a file twice with ROT13 restores the original file:

P = ROT13(ROT13(P))
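A mono-alphabetic substitution cipher in the sense of Definition 5, as an added example that is not part of the course text: the key e is given as the 26-letter string listing the images of A to Z, decryption uses the inverse permutation d = e^{-1}, and the Caesar cipher and ROT13 appear as the keys that are rotations of the alphabet. The keyboard-order key used in the comments is a constructed sample.

```python
# Added example (not from the course text): simple substitution cipher with a
# permutation key; Caesar and ROT13 are the rotation keys.  The sample key
# "QWERTYUIOPASDFGHJKLZXCVBNM" is constructed for illustration.

import string
from math import factorial

ALPHABET = string.ascii_uppercase


def rotation_key(shift):
    """The permutation that rotates the alphabet by `shift` places
    (shift 3 is the Caesar cipher, shift 13 is ROT13)."""
    return ALPHABET[shift % 26:] + ALPHABET[:shift % 26]


def is_permutation(key):
    """A key is the 26-letter string listing the images of A, B, ..., Z."""
    return len(key) == 26 and sorted(key) == list(ALPHABET)


def invert_key(key):
    """e^{-1}: the permutation d with d(e(x)) = x for every letter x."""
    inverse = [""] * 26
    for plain_index, cipher_letter in enumerate(key):
        inverse[ALPHABET.index(cipher_letter)] = ALPHABET[plain_index]
    return "".join(inverse)


def substitute(text, key):
    """Replace each letter by its image under the permutation; other
    characters (spaces, digits) are left untouched."""
    if not is_permutation(key):
        raise ValueError("key must be a permutation of A..Z")
    return text.upper().translate(str.maketrans(ALPHABET, key))


def encrypt(text, key):
    """E_e(m) = e(m1) e(m2) ... e(mt)."""
    return substitute(text, key)


def decrypt(text, key):
    """D_d(c) with d = e^{-1}."""
    return substitute(text, invert_key(key))


def rot13(text):
    return substitute(text, rotation_key(13))


def is_involution(key):
    """True when applying the permutation twice is the identity, which is
    why ROT13 undoes itself while a shift by 3 does not."""
    return encrypt(encrypt(ALPHABET, key), key) == ALPHABET


def key_space_size():
    """|K| = 26! permutations of the alphabet, of which only 26 are rotations."""
    return factorial(26)


if __name__ == "__main__":
    key = "QWERTYUIOPASDFGHJKLZXCVBNM"      # constructed sample key
    c = encrypt("I CAME I SAW I CONQUERED", key)
    print(c, "->", decrypt(c, key))
    print(rot13("HELLO"), rot13(rot13("HELLO")), is_involution(rotation_key(13)))
```

The 26! figure returned by key_space_size is why exhaustive key search is impractical here, while the 26 rotation keys of the Caesar cipher can be tried by hand.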

Polygram substitution ciphers are ciphers in which groups of letters are encrypted
together.

Polyalphabetic substitution ciphers have multiple one-letter keys, each of which is used
to encrypt one letter of the plain text. The first one encrypts the first letter of the plain
text, the second one encrypts the second letter of the plain text, and so on. After all the
keys are used, the keys are recycled. If there were 20 one-letter keys, then every
twentieth letter would be encrypted with the same key. This is called the period of the
cipher. In classical cryptography, ciphers with longer periods were significantly harder
to break than ciphers with short periods. There are computer techniques that can easily
break substitution ciphers with very long periods. The Vigenère cipher, which we will
discuss later in this unit, is an example of a polyalphabetic substitution cipher.

Remark 1: In the case of the substitution cipher, we might as well take
∆ = Σ = {A, B, C, . . . , Z}. We used A in the Caesar cipher because encryption and
decryption were algebraic operations. In most substitution ciphers, it is more
convenient to think of encryption and decryption as permutations of alphabetic
characters.

3.3.1 The Vigenère Cipher

The best known, and one of the simplest examples of the polyalphabetic substitution
cipher is the Vigenère cipher. This cipher is named after Blaise de Vigenère, who
lived in the sixteenth century. As described earlier, polyalphabetic substitution ciphers
have multiple one-letter keys, each of which is used to encrypt one letter of the plain
text. The first one encrypts the first letter of the plain text, the second one encrypts the
second letter of the plain text, and so on. After all the keys are used, the keys are
recycled.

Using the correspondence A ↔ 0, B ↔ 1, . . . , Z ↔ 25 described earlier, we can
associate each key k with an alphabetic string of length m, called a keyword. The
Vigenère cipher encrypts m alphabetic characters at a time: each plain text element is
equivalent to m alphabetic characters. Let us look at a small example.

Example 5: Suppose m = 6 and the keyword is C E A S A R. This corresponds to the
numerical equivalent k = (2, 4, 0, 18, 0, 17). Suppose the plain text is the string
‘ICAMEISAWICONQUERED’.
We convert the plain text elements to residues modulo 26, write them in groups of six,
and then “add” the keyword modulo 26, as follows:
 8  2  0 12  4  8 18  0 22  8  2 14 13 16 20  4 17  4  3
 2  4  0 18  0 17  2  4  0 18  0 17  2  4  0 18  0 17  2
10  6  0  4  4 25 20  4 22  0  2  5 15 20 24 22 17 21  5

The alphabetic equivalent of the cipher text string would thus be
‘KGAEECUEWACFPUUWRVF’. To decrypt, we can use the same keyword, but we
would subtract it modulo 26 instead of adding.

∗∗∗

Try this exercise to test your understanding of Vigenère cipher.

E10) Encrypt the string ‘ICAMEISAWICONQUERED’ using the Vigenère cipher. Use
the keyword ‘GAUL’.
E11) Decrypt the string ‘WTBTYKXHOTXHJEL’ which was encrypted using the
Vigenère cipher with the keyword ‘WAIT’.

Another way of understanding and implementing the Vigenère cipher is by using the
Vigenère tableau. See Table 3. Each of the 26 ciphers is laid out horizontally, with the
key letter for each cipher to its left. A normal alphabet for the plain text runs across the
top. The process of encryption is simple: Given a key letter x and a plain text letter y,
the cipher text letter is at the intersection of the row labelled x and the column labelled
y; in this case the cipher text is V. To encrypt a message, a key is needed that is as long
as the message. Usually, the key is a repeating keyword. Let us look at the same
Example 5 considered above. Using the Vigenère tableau (see Table 3), the message
‘ICAMEISAWICONQUERED’ is encrypted as follows:

key: CAESARCAESARCAESARC
plain text: ICAMEISAWICONQUERED
cipher text: KGAEECUEWACFPUUWRVF
Decryption is equally simple. The key letter again identifies the row. The position of
the cipher text letter in that row determines the column, and the plain text letter is at the
top of that column.
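The Vigenère cipher of Example 5 in both of the forms just described, as an added example that is not part of the course text: once as addition of the repeated keyword modulo 26 and once as a lookup in the tableau of Table 3 (row = key letter, column = plain text letter), with a check that the two agree. Running addition_table on the plaintext and keyword of Example 5 computes the three rows of the table above column by column, so each entry can be compared with the hand computation.

```python
# Added example (not from the course text): Vigenère encryption as keyword
# addition mod 26 and as a tableau lookup, for the keyword and plaintext of
# Example 5.  The tableau is generated, not copied from Table 3.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_numbers(text):
    """Letters only, A = 0, ..., Z = 25; spaces and punctuation are dropped."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def to_letters(numbers):
    return "".join(ALPHABET[n % 26] for n in numbers)


def repeated_key(keyword, length):
    """The keyword written out again and again under the message."""
    k = to_numbers(keyword)
    return [k[i % len(k)] for i in range(length)]


def vigenere_encrypt(plaintext, keyword):
    """y_i = x_i + k_{i mod m} (mod 26)."""
    p = to_numbers(plaintext)
    return to_letters(x + k for x, k in zip(p, repeated_key(keyword, len(p))))


def vigenere_decrypt(ciphertext, keyword):
    """x_i = y_i - k_{i mod m} (mod 26): the same keyword, subtracted."""
    c = to_numbers(ciphertext)
    return to_letters(y - k for y, k in zip(c, repeated_key(keyword, len(c))))


def addition_table(plaintext, keyword):
    """The three rows of Example 5: plaintext residues, key residues, sums mod 26."""
    p = to_numbers(plaintext)
    k = repeated_key(keyword, len(p))
    return p, k, [(x + y) % 26 for x, y in zip(p, k)]


def vigenere_tableau():
    """Row for key letter r is the alphabet rotated r places (Table 3)."""
    return {ALPHABET[r]: ALPHABET[r:] + ALPHABET[:r] for r in range(26)}


TABLEAU = vigenere_tableau()


def tableau_encrypt(plaintext, keyword):
    """Cipher letter = entry in the key letter's row, plain letter's column."""
    p = [ch for ch in plaintext.upper() if ch in ALPHABET]
    k = keyword.upper()
    return "".join(TABLEAU[k[i % len(k)]][ALPHABET.index(ch)]
                   for i, ch in enumerate(p))


def tableau_decrypt(ciphertext, keyword):
    """Find the cipher letter in the key letter's row; its column is the plain letter."""
    c = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    k = keyword.upper()
    return "".join(ALPHABET[TABLEAU[k[i % len(k)]].index(ch)]
                   for i, ch in enumerate(c))


if __name__ == "__main__":
    for row in addition_table("ICAMEISAWICONQUERED", "CEASAR"):
        print(" ".join(f"{n:2d}" for n in row))
    print(vigenere_encrypt("ICAMEISAWICONQUERED", "CEASAR"))
    print(tableau_encrypt("ICAMEISAWICONQUERED", "CEASAR"))
```

The tableau row for key letter r is exactly the shift cipher with parameter r, which is why the Vigenère cipher is a sequence of m shift ciphers applied in turn, and why the two functions must agree on every input.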

The strength of this cipher is that there are multiple cipher text letters for each plain text
letter, one for each unique letter of the keyword. Thus, the letter frequency information
is lost. However, not all knowledge of the plain text structure is lost. There is enough
information available which will enable us to break this cipher.

In the next section, we discuss another important class of ciphers, the transposition
ciphers.

3.4 TRANSPOSITION CIPHERS


As we mentioned in the previous section, in a transposition cipher the set of letters in the
given plaintext remains the same but the positions of the letters are altered. The
transposition cipher, also called the permutation cipher, has been in use for hundreds
of years. It is called a permutation cipher because encryption is achieved by performing
some sort of permutation on the plain text characters.

A simple transposition cipher preserves the number of symbols, and thus is easily
cryptanalysed. We shall defer the discussion on cryptanalysis of these ciphers, as well
as that of other encryption schemes, to the last section.
a b c d e f g h i j k l m n o p q r s t u v w x y z
a A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
b B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
c C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
d D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
e E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
f F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
g G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
h H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
i I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
j J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
k K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
l L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
m M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
n N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
o O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
p P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
r R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
s S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
t T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
u U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
v V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
w W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
x X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Table 3: The Vigenère Tableau

The following are some implementations of the transposition cipher:

3.4.1 The Row Transformation Cipher

This is the simplest transposition cipher. We fix the number of rows, say m. In the row
transformation cipher, the plain text is written downwards on successive columns,
starting a new column when the mth row is reached. The message is then read off in
rows. For example, if we have three rows and a message of ‘WE ARE DISCOVERED
FLEE AT ONCE’, the sender writes out

W R I O R F E O E P
E E S V E L A N J D
A D C E D E T C X Q

The extra odd letters at the end are “nulls”, added to round off the pattern, or to confuse
an eavesdropper. The cipher text is read off as ‘WRIOR FEOEP EESVE LANJD
ADCED ETCXQ’.

(Grouping letters into blocks of a standard size, typically five, was a practice developed
for the ease of transmission.)

3.4.2 Simple Columnar Transposition Cipher

In the simple columnar transposition cipher, we fix the number of columns. The
plain text is written horizontally onto a piece of graph paper of width m and the cipher
text is read off vertically. Decryption is a matter of writing the cipher text vertically
onto a piece of graph paper of identical width and then reading the plain text off
horizontally.

The following diagram illustrates the simple columnar transposition cipher with
column width six.

Plain text: ‘WE ARE DISCOVERED FLEE AT ONCE’

W E A R E D
I S C O V E
R E D F L E
E A T O N C
E U V W X Y

Cipher text: ‘WIREE ESEAU ACDTV ROFOW EVLNX DEECY’

The ancient Greeks, and the Spartans in particular, are said to have used this cipher to
communicate during military campaigns in what is known as the scytale cipher. A
scytale is a tool used to perform a transposition cipher, consisting of a cylinder with a
strip of paper wound around it on which is written a message.

The recipient uses a rod of the same diameter on which he wraps the paper to read the
message. It has the advantage of being fast and not prone to mistakes. It can, however,
be easily broken.

3.4.3 Other Transposition Techniques

The two ciphers described above are easy to break. To make it more complex, we could
permute the order of the columns after writing the message in a rectangle in a similar
fashion as before. That is, to encrypt, we write the message row by row, shuffle the
columns, and then read off the ciphertext column by column. The order of the columns
then becomes the key to the algorithm. For example,

Plaintext: RETURN TO HEADQUARTERS AT ONCE

Key: 4 3 1 2 5 6 7
R E T U R N T
O H E A D Q U
A R T E R S A
T O N C E X Y

ciphertext: ‘TETN UAEC EHRO ROAT RDRE NQSX TUAY’

A pure transposition cipher has the drawback that the ciphertext has the same letter
frequencies as the plaintext. Thus, to cryptanalyze this kind of cipher is fairly
straightforward. In the case of the type of columnar transposition you have just seen, in
order to break it, you need to arrange the ciphertext in a matrix and shuffle the columns
around. Read off the resulting text you get at each trial until you hit upon a message
which makes sense.

We can increase the degree of security of the transposition cipher by performing more
than one stage of transposition. Shuffling the columns more than once greatly enhances
the security of this cipher as it becomes more difficult to arrive at the original plaintext
by rearranging the columns of the matrix, without knowing the key. Thus, let us encrypt
the foregoing message again, using the same algorithm.

Key: 4 3 1 2 5 6 7
Input: T E T N U A E
C E H R O R O
A T R D R E N
Q S X T U A Y

Output: ‘THRX NRDT EETS TCAQ UORU AREA EONY’

What do we achieve by repeating the transposition? To answer this question, let us first
assign a number to each letter in the original plaintext message, that number being its
position in the message. Hence, the original message is represented by

01 02 03 04 05 06 07 08 09 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28

After the first transposition we have

03 10 17 24 04 11 18 25 02 09 16 23 01 08
15 13 04 23 19 14 11 01 26 21 18 08 06 28

Notice that this sequence of numbers has some pattern to it.

But after the second transposition, we have

17 09 05 27 24 16 12 07 10 02 22 20 03 25
15 13 04 23 19 14 11 01 26 21 18 08 06 28
This is a more complex permutation and is much more difficult to cryptanalyze.
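The transposition ciphers of Sections 3.4.1 to 3.4.3 in code, as an added example that is not part of the course text: the row transformation cipher, the simple columnar transposition (column order 1, 2, ..., m), the keyed columnar transposition with key 4 3 1 2 5 6 7, the double transposition obtained by applying it twice, and a position trace that applies the same transposition to the numbers 1 to 28 so that the intermediate rows listed above can be checked. The nulls used for padding are taken to be part of the input string, exactly as in the grids above.

```python
# Added example (not from the course text): columnar transposition ciphers.
# A key lists the rank of each column (1-based, as in the text); columns are
# read off in increasing order of rank.  Inputs must already be padded with
# nulls to a multiple of the width, as the worked examples are.


def row_transformation(text, rows):
    """3.4.1: write the message down `rows` rows column by column, read off rows."""
    if len(text) % rows:
        raise ValueError("pad the message to a multiple of the number of rows")
    return "".join(text[r::rows] for r in range(rows))


def row_transformation_decrypt(ciphertext, rows):
    """Inverse of 3.4.1: the ciphertext rows are the grid rows; read the columns."""
    cols = len(ciphertext) // rows
    grid = [ciphertext[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def columnar_permute(seq, key):
    """Core step: write `seq` row by row into a rectangle of width len(key)
    and read the columns off in increasing order of their key rank, e.g.
    key 4 3 1 2 5 6 7 reads column 3 first.  Works on strings and lists."""
    width = len(key)
    if len(seq) % width:
        raise ValueError("pad the message to a multiple of the key length")
    rows = [seq[i:i + width] for i in range(0, len(seq), width)]
    order = sorted(range(width), key=lambda col: key[col])
    return [row[col] for col in order for row in rows]


def columnar_encrypt(text, key):
    """3.4.3: keyed columnar transposition."""
    return "".join(columnar_permute(text, key))


def columnar_decrypt(ciphertext, key):
    """Refill the columns in key order, then read the rectangle row by row."""
    width = len(key)
    height = len(ciphertext) // width
    order = sorted(range(width), key=lambda col: key[col])
    columns = [""] * width
    for n, col in enumerate(order):
        columns[col] = ciphertext[n * height:(n + 1) * height]
    return "".join(columns[col][r] for r in range(height) for col in range(width))


def simple_columnar_encrypt(text, width):
    """3.4.2: the columns are read in their natural order (identity key)."""
    return columnar_encrypt(text, list(range(1, width + 1)))


def double_columnar_encrypt(text, key):
    """Two rounds with the same key, as in the second rectangle above."""
    return columnar_encrypt(columnar_encrypt(text, key), key)


def position_trace(length, key, rounds=1):
    """Where the plaintext positions 1..length end up after `rounds` rounds."""
    positions = list(range(1, length + 1))
    for _ in range(rounds):
        positions = columnar_permute(positions, key)
    return positions


if __name__ == "__main__":
    KEY = [4, 3, 1, 2, 5, 6, 7]
    print(row_transformation("WEAREDISCOVEREDFLEEATONCEJXPDQ", 3))
    print(simple_columnar_encrypt("WEAREDISCOVEREDFLEEATONCEUVWXY", 6))
    print(columnar_encrypt("RETURNTOHEADQUARTERSATONCEXY", KEY))
    print(double_columnar_encrypt("RETURNTOHEADQUARTERSATONCEXY", KEY))
    print(position_trace(28, KEY), position_trace(28, KEY, rounds=2))
```

Since every function here only moves symbols, a letter count of the output always equals that of the input, which is the weakness of pure transposition noted above; the position trace is the permutation of {1, ..., 28} that the key induces, and the second round composes that permutation with itself.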

We shall end this section with a formal definition of the transposition cipher. Let us
assume that the plain text consists of letters from the English alphabet, and to each
letter of the alphabet, we assign a number designated by its order. For example, 0
corresponds to A, 1 corresponds to B, . . . , 25 corresponds to Z. Thus the English
alphabet can be represented by Z26 , according to the following table:

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Definition 6: Let m be some fixed positive integer. Let P and C be the set of strings of
length at most t and let K consist of all permutations of {1, 2, . . . , m}. We divide the
plaintext into strings of length m and encrypt and decrypt as follows: For a key (i.e., a
permutation) π, we define
e_π(x1, x2, . . . , xm) = (x_{π(1)}, x_{π(2)}, . . . , x_{π(m)})
and
d_π(y1, y2, . . . , ym) = (y_{π^{-1}(1)}, y_{π^{-1}(2)}, . . . , y_{π^{-1}(m)}),
where π^{-1} is the inverse permutation to π.

Let us consider the following example which gives a slightly different type of
implementation of the transposition cipher from the ones discussed above:

Example 6: Suppose m = 5 and the key is the following permutation π:

1 2 3 4 5
3 5 2 1 4

Then the inverse permutation π −1 is the following:

1 2 3 4 5
4 3 1 5 2

Now, suppose we are given the plain text ‘RETURN TO HEADQUARTERS’. We first
group the plain text into groups of five letters:

RETUR NTOHE ADQUA RTERS

Let us now apply the permutation to the block RETUR as shown in Fig. 2. Let us
similarly permute the remaining blocks according to the permutation π. We get the
following

UTRRE HONET UQAAD RERST

So, the cipher text is ‘UTRREHONETUQAADRERST’. We can decrypt the ciphertext
in a similar fashion, using the inverse permutation π^{-1}.

∗∗∗
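The block transposition of Definition 6 with the key of Example 6, as an added example that is not part of the course text. Definition 6 places x_{π(i)} into output position i, whereas Example 6 and Fig. 2 move the symbol in position i to position π(i); the code implements both conventions and shows that the second is the first applied with π^{-1}, so the two descriptions are the same cipher with inverse keys. Permutations are stored as dictionaries {i: π(i)} on 1, ..., m.

```python
# Added example (not from the course text): the transposition cipher of
# Definition 6 / Example 6 with m = 5 and the key pi = (1 2 3 4 5 -> 3 5 2 1 4).


def inverse_permutation(perm):
    """pi^{-1}: swap each i -> pi(i) into pi(i) -> i."""
    return {v: k for k, v in perm.items()}


def is_permutation(perm, m):
    """Keys and values must both be exactly {1, ..., m}."""
    expected = list(range(1, m + 1))
    return sorted(perm) == expected and sorted(perm.values()) == expected


def pull_block(block, perm):
    """Definition 6: e_pi(x_1..x_m) = (x_{pi(1)}, ..., x_{pi(m)})."""
    m = len(perm)
    return "".join(block[perm[i] - 1] for i in range(1, m + 1))


def push_block(block, perm):
    """Example 6 / Fig. 2: the symbol in position i is moved to position pi(i).
    That is the pull convention applied with pi^{-1}."""
    return pull_block(block, inverse_permutation(perm))


def transposition_encrypt(plaintext, perm, convention="push"):
    """Split the letters into blocks of m and permute each block."""
    m = len(perm)
    if not is_permutation(perm, m):
        raise ValueError("key must be a permutation of 1..m")
    letters = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    if len(letters) % m:
        raise ValueError("plaintext length must be a multiple of m (pad with nulls)")
    permute = push_block if convention == "push" else pull_block
    return "".join(permute(letters[i:i + m], perm) for i in range(0, len(letters), m))


def transposition_decrypt(ciphertext, perm, convention="push"):
    """Decrypt with pi^{-1} under the same convention (d_pi of Definition 6)."""
    return transposition_encrypt(ciphertext, inverse_permutation(perm), convention)


PI = {1: 3, 2: 5, 3: 2, 4: 1, 5: 4}   # the key of Example 6


if __name__ == "__main__":
    c = transposition_encrypt("RETURN TO HEADQUARTERS", PI)
    print(c, "->", transposition_decrypt(c, PI))
    print(push_block("RETUR", PI), pull_block("RETUR", PI))
```

Both conventions are used in the literature; what matters for interoperability is that sender and receiver agree on one, since encrypting under one and decrypting under the other yields the block permuted by π² rather than the plaintext.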

Try the following exercise to test your understanding of the transposition ciphers.

position:  1 2 3 4 5
block:     R E T U R

position:  1 2 3 4 5
permuted:  U T R R E

Fig. 2: Transposition cipher

E12) Use the simple columnar transposition cipher of width six to encrypt the plain
text “CANCEL LAST ORDER HEADQUARTERS.”

E13) In order to make the cipher in Exercise 12 more secure, permute the order of the
columns according to the key 453261. Write down the cipher text you obtain after
this step. Re-encrypt the cipher text using the same algorithm, and write down the
final output.

In the next section, we will adopt the point of view of Eve who would like to read the
messages without the key. We will discuss cryptanalysis of ciphers.

3.5 CRYPTANALYSIS

Cryptanalysis is the science of studying attacks against cryptographic schemes.
Successful attacks may, for example, recover the plain text (or parts of the plain text)
from the cipher text, substitute parts of the original message, or forge digital signatures.
Cryptography and cryptanalysis are often subsumed by the more general term
cryptology.

There is a fundamental assumption in cryptanalysis usually referred to as Kerckhoffs'
principle. It states that the adversary knows all the details of the cryptosystem,
including algorithms and their implementations. According to this principle, the
security of a cryptosystem must be entirely based on the secret keys. It would be more
difficult for an adversary if she does not know what type of cryptosystem is being used,
but as we mentioned earlier, this type of information can be leaked out easily enough,
once the system has been used over a period of time. Hence, the security of a
cryptosystem will be compromised if we base it only on this factor. Depending on the
actual resources of the adversary Eve, there are different levels of attacks on
cryptosystems. The most common types, in increasing order of strength, are:

1. Ciphertext-only attack. Eve has the ability to obtain ciphertexts. This is likely
to be the case in any encryption situation. If this kind of attack is successful, then
the encryption method is completely insecure.

2. Known-plaintext attack. Eve is able to obtain plaintext-ciphertext pairs. With
the information she has from these pairs, she attempts to decrypt a ciphertext for
which she does not have the plaintext. This kind of information may be available
to Eve if, for example, the messages are sent in some standard format which she
knows.

3. Chosen-plaintext attack. Eve has the ability to obtain ciphertexts for some
particular plaintexts. She then uses this knowledge to try and decrypt a ciphertext
for which she does not have the plaintext. Such a situation may arise if, for
example, Eve sends some data to Alice which she knows will be encrypted and
then transmitted. Eve then intercepts the encrypted message, and uses the
information to decipher some other ciphertext, without any further interaction. In
this kind of attack, it is sufficient if the adversary carries out this operation just
once.

4. Adaptively-chosen-plaintext attack. This is the same as the previous attack,
except now Eve may repeat the process more than once to obtain more
plaintext-ciphertext pairs. This means she has more access to the encrypting
device.

5. Chosen and adaptively-chosen-ciphertext attack. These two attacks are
similar to the above plaintext attacks. Eve can choose ciphertexts and then access
the corresponding plaintexts from Bob. That is, in this attack, Eve has access to
the decryption device.

In order to break a cryptosystem, the goal is to determine the key that was used. Let us
now see how the attacks listed above work.

A simple ciphertext-only attack is the following. The attacker Eve decrypts the
ciphertext with all keys from the key space until she finds the correct plaintext among
the few plaintexts that make sense. That attack is called exhaustive key search. This
attack will work for cryptosystems with very small key spaces. For example, the Caesar
cipher uses only 26 keys. It is, therefore, very easy to determine the plaintext from the
ciphertext by the method of exhaustive key search, and checking which plaintext makes
sense. This also yields the secret key being used. (Note that the notion of a “small” key
space depends on how much computing power is available.)

So, for a secure cryptosystem, the minimum requirement is that it should resist an
exhaustive key search, i.e., the key space should be very large. However, a large key
space is not sufficient to guarantee security because there are other methods of
cryptanalysis which will succeed in certain ciphers as we shall see below.

Cryptanalysis of the Affine Cipher

As a simple illustration of how cryptanalysis can be performed using statistical data, let
us look at the affine cipher. The following example is from [15], page 27.

Suppose Eve has intercepted the following ciphertext:

FMXVEDKAPHFERBNDKRXRSREFMORU
DSDKDVSHVUFEDKAPRKDLYEVLRHHRH

The frequency analysis of this ciphertext is given in Table 4.


letter  frequency    letter  frequency
A       2            N       1
B       1            O       1
C       0            P       2
D       7            Q       0
E       5            R       8
F       4            S       3
G       0            T       0
H       5            U       2
I       0            V       4
J       0            W       0
K       5            X       2
L       2            Y       1
M       2            Z       0
Table 4: Frequency of Occurrence of the 26 Ciphertext Letters

There are only 57 characters of ciphertext, but this is sufficient to cryptanalyze an affine
cipher. The ciphertext characters that occur frequently are: R (8 occurrences), D (6
occurrences), E, H, K (5 occurrences each), and F, S, V (4 occurrences each). Since E
and T are the two most common letters (see Table 5), our first guess is that R is the
encryption of e and D is the encryption of t. This means that Ek(4) = 17 and
Ek(19) = 3. Recall that Ek(x) = ax + b (mod 26), where a and b are unknowns. So, we
have the equations

4a + b ≡ 17 (mod 26)
19a + b ≡ 3 (mod 26).

You can check that a = 6, b = 19 in Z26 satisfy these equations. But this is an illegal
key, since gcd(a, 26) = 2 > 1. So our first guess is wrong.

Let us now check if R is the encryption of e and E is the encryption of t. Proceeding as
above, we obtain a = 13, which is again not a valid key.

The next possibility is that R is the encryption of e and H is the encryption of t. We get
a = 8 in this case, which is also impossible. Let us now check if R is the encryption of
e and K is the encryption of t. We now obtain a = 3, b = 5, which is at least a legal
key. To confirm that this is the key, we have to find the decryption function
corresponding to k = (3, 5), and then decrypt the ciphertext to see whether or not we get
a string which makes sense. The decryption function corresponding to (3, 5) as the key
is Dk(y) = 9y − 19 (mod 26). Under this transformation, the given ciphertext yields:

algorithmsarequitegeneraldefinitionsofarithmeticprocesses

Thus, we conclude that we have determined the correct key.
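The following is an added worked example (it is not part of the original unit, nor taken from [15]) that replays the procedure just described in Python: it counts the ciphertext letters as in Table 4, solves the two congruences for each guess in turn, rejects any key with gcd(a, 26) > 1, and decrypts with the first legal key. The ciphertext is the one above; the function names are chosen for this example. Deciding whether the decryption "makes sense" is still left to the reader, which is why the plaintext is returned for inspection.

```python
from collections import Counter
from math import gcd

# Ciphertext of the worked example above (Stinson [15], page 27).
CIPHERTEXT = ("FMXVEDKAPHFERBNDKRXRSREFMORU"
              "DSDKDVSHVUFEDKAPRKDLYEVLRHHRH")


def to_int(ch):
    """Letter -> element of Z_26 (A/a -> 0, ..., Z/z -> 25)."""
    return ord(ch.upper()) - ord("A")


def solve_affine(c1, p1, c2, p2):
    """All keys (a, b) with a*p1 + b = c1 and a*p2 + b = c2 (mod 26), for the guesses
    'ciphertext letter c1 is the encryption of plaintext letter p1' (likewise c2, p2).
    Trying every a avoids dividing by p1 - p2, which need not be invertible mod 26,
    and also returns illegal keys, so the caller can see them as the text does."""
    c1, p1, c2, p2 = map(to_int, (c1, p1, c2, p2))
    solutions = []
    for a in range(26):
        b = (c1 - a * p1) % 26          # the first congruence fixes b once a is chosen
        if (a * p2 + b) % 26 == c2:     # the second congruence must hold as well
            solutions.append((a, b))
    return solutions


def is_legal_key(a):
    """E_k(x) = ax + b is a bijection of Z_26 only when gcd(a, 26) = 1."""
    return gcd(a, 26) == 1


def affine_decrypt(ciphertext, a, b):
    """D_k(y) = a^{-1}(y - b) mod 26; plaintext is returned in lower case as in the text."""
    a_inv = pow(a, -1, 26)              # exists because is_legal_key(a) holds
    return "".join(chr((a_inv * (to_int(y) - b)) % 26 + ord("a")) for y in ciphertext)


def recover_key(ciphertext):
    """Replay the procedure of the text: the most frequent ciphertext letter is taken to be
    the encryption of e; the remaining letters, in decreasing order of frequency, are tried
    as the encryption of t until the two congruences give a legal key.
    Returns (rejected, key, plaintext); 'rejected' lists the illegal (guess, a, b) triples."""
    ranked = sorted(Counter(ciphertext).items(), key=lambda kv: (-kv[1], kv[0]))
    letters = [letter for letter, _ in ranked]
    guess_e, rejected = letters[0], []
    for guess_t in letters[1:]:
        for a, b in solve_affine(guess_e, "e", guess_t, "t"):
            if is_legal_key(a):
                return rejected, (a, b), affine_decrypt(ciphertext, a, b)
            rejected.append((guess_t, a, b))
    return rejected, None, None


if __name__ == "__main__":
    rejected, key, plaintext = recover_key(CIPHERTEXT)
    print("illegal keys tried:", rejected)   # D, E and H as t give a = 6, 13, 8
    print("key:", key)                       # (3, 5)
    print("plaintext:", plaintext)           # a reader still judges whether it makes sense
```

With the ciphertext above the guesses D, E and H for t produce a = 6, 13 and 8 in that order, exactly the illegal values found in the text, and K yields the key (3, 5). On a ciphertext where the most frequent letter is not the encryption of e, the same loop can be repeated with the second most frequent letter in the role of e.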

E14) Using frequency analysis, cryptanalyse and decipher the following message,
which you know was enciphered using a shift transformation of single-letter plain
text message units in the 26-letter alphabet:
PXPXKXENVDRUXVTNLXHYMXGMAAXYKXJN
XGVRFXMAHWGXXWLEHGZXKVBIAXKMXQM.

E15) In a long string of cipher text which was encrypted by means of an affine map on
single-letter message units in the 26-letter alphabet, you observe that the most
frequently occurring letters are “Y” and “V”, in that order. Assuming that those
cipher text message units are the encryption of “E” and “T” respectively, read the
message “QAOOYQQEVHEQV”.
Cryptanalysis of Simple Substitution Ciphers

We can easily break substitution ciphers even when the key space is extremely large because
the cipher does not hide the underlying frequencies of the different letters of the plain
text. If the plain text consists of letters from the English alphabet, then the total number
of all permutations on this set is 26!, i.e., the size of the key space is 26! ≈ 4 × 10^26,
which is extremely large. However, the key being used can be determined quite easily
by examining a modest amount of cipher text. This follows from the simple observation
that the distribution of letter frequencies is preserved in the cipher text. For example,
the letter E occurs more frequently than the other letters in ordinary English text. Hence
the letter occurring most frequently in a sequence of cipher text blocks is most likely to
correspond to the letter E in the plain text. By observing a modest amount of cipher text
blocks, a cryptanalyst can determine the key. Such cipher text-only attacks use
statistical properties of the plain text language.

Let us look at this method of frequency analysis in greater detail. We assume that the
plain text string is ordinary English text, without punctuation or spaces. (This makes
cryptanalysis more difficult than if punctuation and spaces were encrypted.)

Frequency tables that give the estimated relative frequencies of the 26 letters are available.
The estimates in Table 5 were obtained by Beker and Piper.

Letter  Probability    Letter  Probability
A       .082           N       .067
B       .015           O       .075
C       .028           P       .019
D       .043           Q       .001
E       .127           R       .060
F       .022           S       .063
G       .020           T       .091
H       .061           U       .028
I       .070           V       .010
J       .002           W       .023
K       .008           X       .001
L       .040           Y       .020
M       .024           Z       .001
Table 5: Probabilities of Occurrence of the 26 Letters

On the basis of the above probabilities, Beker and Piper divide the 26 letters into five
groups as follows:

1. E, having probability about 0.120

2. T, A, O, I, N, S, H, R, each having probabilities between 0.06 and 0.09

3. D, L, each having probabilities around 0.04

4. C, U, M, W, F, G, Y, P, B, each having probabilities between 0.015 and 0.023

5. V, K, J, X, Q, Z, each having probabilities less than 0.01.

It may also be useful to consider sequences of two or three consecutive letters called
digrams and trigrams, respectively. The 30 most common digrams are (in decreasing
order) TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA,
NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, and OF. The twelve most common
trigrams are (in decreasing order) THE, ING, AND, HER, ENT, THA, NTH, WAS,
ETH, FOR, and DTH.
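The following added example (not from the original unit) tabulates in Python the statistics this passage describes for a simple substitution ciphertext: single-letter frequencies sorted into Beker and Piper's five groups, the most common digrams and trigrams, and the first guesses a cryptanalyst draws from them (the most frequent letter is read as E, the most frequent trigram as THE). The sample plaintext is a sentence from this unit with the spaces removed, enciphered under an arbitrary permutation chosen here; the band cut points and the function names are assumptions of the example.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed sample: a sentence from this unit with spaces removed, enciphered under an
# assumed substitution key (the permutation below: plaintext A -> Q, B -> W, ..., Z -> M).
SAMPLE_PLAINTEXT = ("THEBESTKNOWNANDONEOFTHESIMPLESTEXAMPLESOFTHEPOLYALPHABETIC"
                    "SUBSTITUTIONCIPHERISTHEVIGENERECIPHER")
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def substitute(text, key):
    """Simple substitution: the i-th letter of the alphabet is replaced by key[i]."""
    return "".join(key[ALPHABET.index(c)] for c in text)


def ngram_ranks(text, n, top=10):
    """The 'top' most common n-grams (n = 1 letters, 2 digrams, 3 trigrams) with counts."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1)).most_common(top)


def frequency_bands(text):
    """Beker and Piper's five groups applied to the ciphertext's relative frequencies.
    The cut points 0.10, 0.055, 0.03 and 0.012 are an assumption of this example; they
    separate the bands quoted in the text (about 0.12; 0.06-0.09; about 0.04;
    0.015-0.023; below 0.01)."""
    counts, n = Counter(text), len(text)
    bands = {1: [], 2: [], 3: [], 4: [], 5: []}
    for c in ALPHABET:
        p = counts[c] / n
        band = 1 if p >= 0.10 else 2 if p >= 0.055 else 3 if p >= 0.03 else 4 if p >= 0.012 else 5
        bands[band].append(c)
    return bands


def first_guesses(ciphertext):
    """First pass of a ciphertext-only attack: the most frequent trigram is read as THE
    (it binds three letters) and the most frequent single letter as E.
    Returns (partial key {cipher letter: plain letter}, whether the two guesses agree)."""
    (top_letter, _), = ngram_ranks(ciphertext, 1, top=1)
    (top_trigram, _), = ngram_ranks(ciphertext, 3, top=1)
    partial = dict(zip(top_trigram, "THE"))
    consistent = partial.get(top_letter) == "E"
    if "E" not in partial.values():      # trigram did not place E: use the single-letter guess
        partial[top_letter] = "E"
    return partial, consistent


def apply_partial(ciphertext, partial):
    """Guessed letters in lower case, unknown ones as '-': the view in which a cryptanalyst
    spots the next words to fill in."""
    return "".join(partial[c].lower() if c in partial else "-" for c in ciphertext)


if __name__ == "__main__":
    ct = substitute(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("letters :", ngram_ranks(ct, 1))
    print("digrams :", ngram_ranks(ct, 2))
    print("trigrams:", ngram_ranks(ct, 3))
    print("bands   :", frequency_bands(ct))
    partial, consistent = first_guesses(ct)
    print("guesses :", partial, "consistent" if consistent else "conflicting")
    print(apply_partial(ct, partial))
```

Both guesses agree on the sample, and the partial decryption already reads "the-e-t ..." at the start, which is the point at which the remaining letters are filled in word by word. When the two guesses conflict, the trigram guess is kept and the conflict is reported, since a single-letter statistic on a short ciphertext is the less reliable of the two.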

Homophonic substitution ciphers are much more complicated to break than simple
substitution ciphers, but still do not obscure all of the statistical properties of the plain
text language. With a known-plain text attack, the ciphers are trivial to break. A cipher
text-only attack is harder, but only takes a few seconds on a computer.

The best known, and one of the simplest examples of the polyalphabetic substitution
cipher is the Vigenère cipher. Observe that the number of possible keywords of length
m in a Vigenère cipher is 26^m, so even for relatively small values of m, an exhaustive
key search would require a long time. For example, if we take m = 5, then the key
space has size exceeding 1.1 × 10^7. This is already large enough to preclude exhaustive
key search by hand.

We can break the Vigenère cipher by the Kasiski method. Kasiski described this method in
1863, but apparently it was discovered earlier by Charles Babbage. We will give an
outline of the method. If you are interested in more details, you can refer to the books
given as references at the end of the block. The method is based on the observation that
two identical segments of plaintext will be encrypted to the same cipher text if they
occur d positions apart where m | d, m being the length of the key word. In the Kasiski
method, we do the following: We search for identical segments of ciphertext of length at
least 3 and note down the distances between such occurrences, say d1, d2, . . .. If we
obtain several such distances, then m will probably divide all of them and hence it will
divide their greatest common divisor. By looking at the various divisors of the greatest
common divisor, we try to find the length of the key word.

Suppose we guess that the length of the key word is 5. We write the cipher text in a grid
of width 5. For example, suppose the cipher text is
PXPXKXENVDRUXVTNLXHYMXGMAAXYKXJN and our guess is that the text has
been encrypted using a Vigenère cipher with a key word of length 5. Then we arrange
the ciphertext in 5 columns as follows:

1 2 3 4 5
P X P X K
X E N V D
R U X V T
...

We analyse the frequencies of each of the columns separately, treating them as
ciphertexts obtained using five different shift ciphers. If our guess about the length is
correct, we can obtain the key using this method.
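An added example (not part of the original unit) that puts the exhaustive key search described earlier, exercise E14 and the Kasiski method just outlined into one Python program. The step "check which plaintext makes sense" is replaced by a score, the sum of the Table 5 probabilities of the candidate plaintext's letters, which is largest for the correct shift; the same routine then solves each column of a Vigenère ciphertext. The E14 ciphertext is taken from this unit. The Vigenère sample is constructed here by enciphering the two plaintexts recovered earlier in this unit under the assumed keyword GO, and all function names are chosen for this example.

```python
from collections import Counter
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Table 5 (Beker and Piper) as a lookup table: probability of each letter in English.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    .082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
    .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001]))


def shift_decrypt(ciphertext, k):
    """Shift (Caesar) decryption: every letter moves back by k places."""
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26] for c in ciphertext)


def english_score(text):
    """Sum of the Table 5 probabilities of the letters of text. Correctly shifted English
    scores about 0.065 per letter, a wrongly shifted text about 1/26 = 0.038 per letter,
    so the score stands in for 'checking which plaintext makes sense' by eye."""
    return sum(ENGLISH_FREQ[c] for c in text)


def best_shift(ciphertext):
    """Exhaustive key search over the 26 shifts, ranked by english_score.
    Returns (key, plaintext)."""
    key = max(range(26), key=lambda k: english_score(shift_decrypt(ciphertext, k)))
    return key, shift_decrypt(ciphertext, key)


def vigenere(text, keyword, decrypt=False):
    """Vigenère: the i-th letter is shifted by the (i mod m)-th keyword letter."""
    shifts = [ALPHABET.index(c) for c in keyword]
    sign = -1 if decrypt else 1
    return "".join(ALPHABET[(ALPHABET.index(c) + sign * shifts[i % len(shifts)]) % 26]
                   for i, c in enumerate(text))


def kasiski_distances(ciphertext, n=3):
    """Distance of each repeated n-gram from its first occurrence (n >= 3 as in the text)."""
    first_seen, distances = {}, []
    for i in range(len(ciphertext) - n + 1):
        gram = ciphertext[i:i + n]
        if gram in first_seen:
            distances.append(i - first_seen[gram])
        else:
            first_seen[gram] = i
    return distances


def kasiski_key_lengths(ciphertext, max_len=20):
    """Candidate key lengths, best first. The key length m divides every genuine repeat
    distance and hence their gcd; ranking each m by how many distances it divides (ties
    to the smaller m) also tolerates an accidental repeat, which would drag the gcd to 1.
    Returns (ranked lengths, distances, gcd of the distances); with no repeats at all the
    ranking is uninformative and the gcd is 0."""
    distances = kasiski_distances(ciphertext)
    ranked = sorted(range(2, max_len + 1),
                    key=lambda m: (-sum(d % m == 0 for d in distances), m))
    return ranked, distances, reduce(gcd, distances, 0)


def recover_vigenere_key(ciphertext, m):
    """Column j (letters j, j+m, j+2m, ...) is a shift cipher under keyword letter j."""
    return "".join(ALPHABET[best_shift(ciphertext[j::m])[0]] for j in range(m))


# 1. The shift cipher of exercise E14 above: the one-column case of the column analysis.
E14_CIPHERTEXT = ("PXPXKXENVDRUXVTNLXHYMXGMAAXYKXJN"
                  "XGVRFXMAHWGXXWLEHGZXKVBIAXKMXQM")

# 2. Constructed Vigenère sample: the two plaintexts recovered earlier in this unit,
#    run together and enciphered under the assumed keyword "GO".
SAMPLE_PLAINTEXT = ("WEWERELUCKYBECAUSEOFTENTHEFREQUENCYMETHODNEEDSLONGERCIPHERTEXT"
                    "ALGORITHMSAREQUITEGENERALDEFINITIONSOFARITHMETICPROCESSES")
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, "GO")


def demo():
    shift_key, shift_pt = best_shift(E14_CIPHERTEXT)
    lengths, distances, g = kasiski_key_lengths(SAMPLE_CIPHERTEXT)
    keyword = recover_vigenere_key(SAMPLE_CIPHERTEXT, lengths[0])
    return {"shift_key": shift_key, "shift_plaintext": shift_pt,
            "distances": distances, "gcd": g, "key_length": lengths[0],
            "keyword": keyword,
            "plaintext": vigenere(SAMPLE_CIPHERTEXT, keyword, decrypt=True)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the E14 ciphertext the scoring selects the shift 19 that the answer key gives. On the sample, the repeated trigrams REQ, EQU and MET lie 46, 46 and 70 positions apart, so the gcd is 2 and the two columns are solved separately to give the keyword GO. For a composite key length the ranked list should be read the way the text describes, by examining the divisors of the gcd, since a proper divisor of the true length also divides every distance.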

In a transposition cipher the plain text remains the same, but the order of characters is
shuffled around. Since the letters of the cipher text are the same as those of the plain
text, a frequency analysis on the cipher text would reveal that each letter has
approximately the same likelihood as in English. This gives a very good clue to a
cryptanalyst, who can then use a variety of techniques to determine the right ordering of
the letters to obtain the plain text. Putting the cipher text through a second transposition
cipher greatly enhances security. There are even more complicated transposition
ciphers, but computers can break almost all of them.

Although many modern algorithms use transposition, it is troublesome because it
requires a lot of memory and sometimes requires messages to be only of certain
lengths. Substitution is far more common.

3.6 SUMMARY
In this unit we have covered the following points.

1. The definition of cryptography, and its goals.
2. The basic terms related to cryptography like encryption, decryption, plain text,
cipher text and keys of a cipher.
3. Simple transposition ciphers.
4. Some substitution ciphers.
5. Various tools and methods for cryptanalysis of ciphers.

3.7 SOLUTIONS/ANSWERS
E1) WKH GLH LV FDVW
E2) BEWARE OF THE IDES OF MARCH

E3) ‘PIIPRZ EDHIEDCTS’.


E4) We apply a shift transformation with shift parameter 15 to recover the plaintext ‘I
HAVE SIND’.

E5) a) N.
c) The number of shift transformations on an m letter alphabet is mφ(m). Using
Eqn. (7) we get the values as 312, 486, 812, 240.

E6) THRPXDH.

E7) a) {1, . . . , 25}.
b) {1, . . . , N − 1}.

E8) The key is 8 and the plain text is “SECRET”. Since the number of keys is just 26,
we can decrypt the given cipher text easily, by trying out all the keys, one by one,
until we get a word that makes sense.

E9) a) Not a cryptosystem because the encryption function is not injective. An
example: Let k = 2. The letter A corresponds to 0, which is mapped to 0
(i.e., A). The letter N corresponds to 13, which is mapped to 2 · 13 ≡ 0 (mod 26)
(i.e., to A). By definition, the encryption function has to be injective. So, the system
cannot be a cryptosystem.
b) A cryptosystem. The key space is {1, 2, . . . , 26}. If k is a key and σ a plain
text unit, then kσ mod 26 is the cipher text. This describes the encryption
function for key k. The decryption function is the same, except that k is
replaced by k^(-1) mod 26.

E10) The answer is ‘OCUXKIMLCIWZTQOPXEX’.

E11) The answer is ‘ATTACKPOSTPONED’.

E12) Plain text: CANCEL LAST ORDER


The encryption is carried out as follows:
C A N C E L
L A S T O R
D E R H E A
D Q U A R T
E R S X Y Z
Cipher text: CLDDE AAEQR NSRUS CTHAX EOERY LRATZ
E13) The cipher text obtained after the first encryption, applying the key 453261 is:
LRATZ CTHAX NSRUS CLDDE AAEQR EOERY. Take this cipher text as the
input and apply the same algorithm. That is, we write the input horizontally in a
rectangle of width six and permute the columns according to the same key 453261.
The final output is: CSDQY TXCAE AASAO LTRDR RHUEE ZNLER.

E14) Use the fact that “X” occurs most frequently in the cipher text to find that the key
b = 19. The message is:
WEWERELUCKYBECAUSEOFTENTHEFREQUENCY
METHODNEEDSLONGERCIPHERTEXT.
E15) SUCCESSATLAST

Bibliography

[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, PRIMES is in P, Annals of
Mathematics 160 (2004), no. 2, 781–793.

[2] Hans Delfs and Helmut Knebl, Introduction to cryptography: principles and
applications, Springer-Verlag New York, Inc., New York, NY, USA, 2001.

[3] D. E. Denning, Cryptography and data security, Addison-Wesley, Reading,
Mass., 1982, Available from
http://faculty.nps.edu/dedennin/publications/Denning-CryptographyDataSecurity.pdf.

[4] Andrew Granville, It is easy to determine whether a given integer is prime, Bull.
Amer. Math. Soc. 42 (2005), 3–38, Available from
http://www.ams.org/journals/bull/2005-42-01/S0273-0979-04-01037-7/S0273-0979-04-01037-7.pdf.

[5] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone, Guide to elliptic curve
cryptography, Third ed., Springer-Verlag, 2004.

[6] D. Kahn, The codebreakers: The Story of Secret Writing, Scribner, 1996.

[7] N. Koblitz, A course in number theory and cryptography, Second Edition ed.,
Springer-Verlag, New York, 1994.

[8] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of
Applied Cryptography, CRC Press, 1997.

[9] C. Pomerance, J. L. Selfridge, and S. S. Wagstaff, Jr., The pseudoprimes up to
25 · 10^9, Math. Comp. 35 (1980), 1003–1026.

[10] René Schoof, Four primality testing algorithms, J. P. Buhler and P. Stevenhagen
(eds.), Mathematical Sciences Research Institute Publications, vol. 44, MSRI,
Cambridge University Press, 2008, pp. 101–126, Available from
http://www.math.leidenuniv.nl/~psh/ANTproc/05rene.pdf.

[11] Victor Shoup, A Computational Introduction to Number Theory and Algebra,
Second ed., Cambridge University Press, 2008, Available from
http://shoup.net/ntb/.

[12] Simon Singh, The code book, The Evolution of Secrecy from Mary Queen of Scots
to Quantum Cryptography, Doubleday, 1999.

[13] Nigel Smart, Cryptography, An Introduction, Third ed., Available online from
http://www.cs.bris.ac.uk/~nigel/Crypto_Book/.

[14] William Stallings, Cryptography and network security: Principles and practice,
Third edition ed., Pearson Education, 2003.

[15] Douglas Stinson, Cryptography: Theory and practice, Second ed., CRC/C&H,
2002.

[16] Terrence Tao, The AKS primality test, in
http://terrytao.wordpress.com/2009/08/11/the-aks-primality-test/.

[17] Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with
Coding Theory, Second ed., Pearson, 2006.
