# Class Notes for Cryptologic Mathematics (FYS 100) Tim McDevitt Frank Arnold

ELIZABETHTOWN COLLEGE E-mail address: McDevittT@etown.edu ELIZABETHTOWN COLLEGE E-mail address: ArnoldF@etown.edu

November 12, 2010

Contents
Preface Introduction 0.1. What is Cryptology? 0.2. Types of Ciphers 0.3. Mathematical Ciphers 0.4. Types of Cryptologic Attacks 0.5. Notation and Terminology Exercises Chapter 1. Modular Arithmetic 1.1. Fundamental Theorem of Arithmetic 1.2. Greatest Common Divisors 1.3. Euclidean Algorithm 1.4. Extended Euclidean Algorithm 1.5. Relatively Prime Numbers 1.6. Modular Arithmetic 1.7. Solving Linear Congruences 1.8. Additive Cipher 1.9. Cryptanalysis of the Additive Cipher 1.10. Afﬁne Cipher 1.11. Cryptanalysis of the Afﬁne Cipher Exercises Chapter 2. Probability 2.1. Counting 2.2. Probability 2.3. Index of Coincidence 2.4. Vigenère Cipher Exercises Chapter 3. Recursion 3.1. Recursion 3.2. Binary Arithmetic 3.3. Data as Bits 3.4. Encryption of Binary Data 3.5. Linear Feedback Shift Registers Exercises Chapter 4. Matrices 4.1. Matrix Arithmetic 4.2. Hill Cipher 4.3. Cryptanalysis of the Hill Cipher Exercises
v

vii 1 1 3 6 7 7 8 11 11 12 12 14 15 15 19 23 25 27 27 28 33 33 36 39 41 45 49 49 50 51 52 53 55 57 57 60 61 64

vi

CONTENTS

Chapter 5. Modular Exponentiation 5.1. Square and Multiply Algorithm 5.2. Mathematical Induction 5.3. Euler Phi Function 5.4. Fermat’s Little Theorem 5.5. Euler’s Theorem 5.6. Difﬁe-Hellman Key Exchange 5.7. RSA Encryption Exercises Bibliography

67 67 68 69 72 75 76 78 79 83

vii . students don’t struggle with the transitivity of divisibility for integers (if a|b and b|c. Proofs or arguments are reserved for those situations where results are not intuitively clear to the students. and a calculator for modular arithmetic. but we demonstrate that it has to work with “generalizeable examples”. Since our audience includes ﬁrst-year students who are not math or science majors. For instance. These notes follow much of the same material. we have tried to minimize the use of terminology and mathematical jargon. but that knowledge will have to be obtained from other sources (c. Throughout the notes are several hyperlinks to Mathematica notebooks that are helpful for cryptologic calculations or for demonstrating mathematical concepts. Please note that this text does not address the history of cryptology in a systematic way so that we can focus on the mathematics.nb contains code that implements most of the encryption algorithms in the book. ECrypt doesn’t have to be installed. a recursive calculator.etown. we don’t formally prove that the Euclidean algorithm always ﬁnds the gcd of two positive integers. so Lewand’s rigorous approach is often under-appreciated. It also provides special tools for cryptanalysis.etown. but Fermat’s little theorem requires a proof.f. Other situations warrant justiﬁcations that fall short of proofs. For example. The ﬁle cipher. as is usually done in calculus courses. Future versions of this book will have chapters dedicated to elliptic curves and to the encryption and cryptanalysis of historical ciphers applied to image and sound ﬁles as described in [5]. just download it and run it. Students interested in more details should consult textbooks on number theory or algebra. or just wait patiently for an opportunity to take those courses. It has a graphical user interface (GUI) that enables users to easily implement the cryptographic algorithms in this course. As a result. However. then a|c).htm ). The second author is a former (2008) student of this course who has provided a student’s perspective on the presentation of the material. Students of cryptology should appreciate the impact of cryptology on historical events. less than half of the author’s students are math or science majors.edu/ECrypt/ECrypt. the style of writing is informal in an attempt to teach some math and to develop enthusiasm for cryptology.Preface The ﬁrst author has taught cryptology as a First-Year Seminar at Elizabethtown College for several years using Robert Lewand’s ﬁne book [4]. The entire set of notebooks can be found at users.edu/m/mcdevittt/. but are still convincing to students. [3] and [10]). but they rely fairly heavily on student intuition instead of rigorous proof. Readers may also enjoy using the FREE software package ECrypt that runs on WindowsTM (www2.

.

Computers store ﬁles in terms of bits that we can regard as an alphabet of only two characters: 0 and 1. but today we all use cryptographic algorithms without even knowing it when we use our cell phones or email or make online purchases. hashing. Cryptography involves the creation and use of algorithms that pass private information between two parties with the goal of obscuring 1For example. Prior to the computer age. the average individual had no practical reason to encrypt messages. encryption methods were relatively simple. Cryptology is an umbrella term for cryptography and cryptanalysis. and Excel R documents. so.. Often. movies. modern cryptology is directly applicable to our daily lives in very important ways. they evolved into today’s methods so it is still useful to be familiar with them. unlike IRS documents. etc. she would have to encrypt or encipher her message using a method that she and Bob had previously agreed upon. Contemporary encryption methods tend to use very sophisticated mathematics and there is a great deal of systematic research. When Bob receives the message.. MPEG movies etc. random number generation. the method of encryption would rely on a key .Introduction 0. although they are no longer useful. for the most part. Messages were relatively short and there was very little systematic research certifying the security of cryptologic methods. or they might include digits and punctuation. The good news is that the description is very good and very clear.. he has to decrypt or decipher her message to read it. Finally.. In the past.. digital signatures. This includes Word R . and these algorithms can be very complicated. In this course. so all computer ﬁles can be encrypted in the exact same way. messages can be very long. the nature of characters in encryption algorithms has changed in modern times. modern cryptology also involves less wellknown operations such as key exchange. The only exception is our dicussion of public key systems. etc. What is Cryptology? Classically. messages were composed using characters from a ﬁxed alphabet. For Admiral Alice to send General Bob a secret message. The US Department of Commerce certiﬁes certain algorithms so that users can be conﬁdent that their communications are secure. see the NIST document FIPS 197 that takes 51 pages to describe AES.1.some special number(s) or word(s) that only Alice and Bob know. As of this writing (2010). pictures. regardless of how we interpret those bits as text. Modern encryption algorithms operate at the bit level on a computer. and often not very secure. which is roughly equivalent to a text ﬁle of a million characters. Today. we will frequently assume a 26-letter alphabet. which currently enjoy widespread use. or they might use a 52-letter alphabet that includes capital letters. however.. but this book focuses. Therefore. Another important difference between classical and modern cryptography is frequency of use.. two English speakers might use a 26-letter alphabet abcdefghijklmnopqrstuvwxyz. on mathematical versions of historical methods. In the past. not explicitly mathematical. a typical JPEG ﬁle from a digital camera is over 1 MB. JPEG images. These methods require what is probably unfamiliar mathematics and. cryptology was used to send and receive secret messages and its users were often military leaders or diplomats. 1 .1 In addition to the transmission and reception of secret messages. for example.

(See Figure 0. For example. The terms “plaintext" and “ciphertext" still apply even if the data are not really text but just some form of data (e. but we will wait to point that out until later. The original plaintext is recovered by decrypting (or deciphering) the ciphertext. which seeks to hide the very existence of a message. into apparently unintelligible ciphertext. for convenience people often shorten “ciphertext" into “cipher". Symmetric. Also. so the security of a method depends entirely on the difﬁculty of recovering the secret key. Cryptanalysis is the study of cryptographic algorithms with the intent of recovering secret messages without knowing the secret key. Finally. Loosely speaking. .2 INTRODUCTION Figure 0. but modern public key systems enable parties to communicate securely without previously establishing a secret key. We also want to distinguish cryptography from steganography. or plaintext. Classically. Finally. or private key. so you have to tell them apart from context. we can think of cryptographers as the defense and cryptanalysts as the offense. steganography can be combined with cryptography to provide extra security.1. We can think of cryptanalysis as the activity of an adversary who obtains an encrypted message and tries to recover the original message without knowing the key. we won’t discuss it in this book.) Of course. users might hope that adversaries would not know what encryption algorithms were being used. require both sender and receiver to know the same secret key. but cryptanalysis could also be the activity of an analyst who is studying the security of a given method. Today. the children’s activity of writing a note in invisible ink is an example of steganography as is the use of a stencil to hide a message in a book. Although steganography can be very interesting.1: Can you read the message hidden in this poem that is revealed by the stencil? the information from unintended recipients. bits). the word “key" is often used in different ways at the same time. but that is an unrealistic expectation today. but both sides must know what the other is capable of to do their jobs properly. systems. we have to assume that adversaries know what algorithms we are using. a cipher is an encryption algorithm that is used to encrypt (or encipher) a message.g.

Once the strip was unwound. On the right. It illustrates how the message is unintelligible if the diameter is incorrect. FI EH ACFRSIEISC TI OT RYUO NONPOII .2: Here is a sample cryptogram. the message could only be read by wrapping the message around a stick with the same diameter. A strip of leather or parchment was wound around a stick and a message was written across it as shown in Figure 0. the letters in each word have simply been jumbled. Classroom Exercise 0. then the punctuation and spacing of the words in both the anagram and the cryptogram probably help a lot. Furthermore.1: Here is a sample anagram. See if you can decipher this combination anagram and cryptogram with spacing and punctuation removed. 0. See if you can decipher the message. KU SRVUB RWWGYUM QRLKRD LKU XZBLRSSU ON Z QOYM. ZDM BGYVUFB ZL Z MRBLZDCU LKU UDVRUM SRNU ON WZD. the diameter of the stick is the secret key. Transposition and substitution are familiar as two popular types of puzzles. Classroom Exercise 0."PHCEES TO EHT RESCLETO AT BLRTIOS TA HTE CONSOCINUL OF HET LLOP" BY EDUNDM RBEUK Classroom Exercise 0. the message is unreadable. each letter is replaced by another letter. RYOU RETARSIPNVEETE WSOE UYO. See if you can decipher the message. ´ An ancient example of a transposition cipher is the σκυταλη (scytale). . EDITASN FO ERNVSGI OUY. anagrams and cryptograms.0. TYPES OF CIPHERS 3 Figure 0. UBT HSI TEJGMDUN. We can make a much more difﬁcult puzzle by using a shorter message. AND EH BTSAYRE. OTN IHS UNSYRTDI YNOL. which the Spartans reportedly used for tactical messages on the battleﬁeld. the letters were jumbled and the message was unreadable. On the left we see part of the joke How do you know that you have found an extroverted mathematician? He looks at your feet when he talks to you. removing all spacing and punctuation. Types of Ciphers There are two basic tools that are used in encryption algorithms: transposition (rearranging the characters) and substitution (replacing characters with other characters). .2."LKU YRJKLB ON WZD" XF LKOWZB IZRDU. Figure 0. In this case.2: The same strip of paper displayed on two different diameter tubes.3: Winston Churchill reportedly said RSAAPTAPCVTMVZSCSOCPYDTDTQQQQITPQ. If you actually solved both puzzles.2. using both transposition and substitution. LO CODLYZCL LKU BIKUYU ON WZD'B NUSRCRLF.2 shows a scytale with a decidedly unimportant message.2. LRLSUB ZYU SRHU CRYCSUB MYZQD XF LKU WZJRCRZD'B QZDM.

D. that is. The Caesar cipher is attributed to Julius Caesar by Suetonius.uchicago. who was a prominent historian of the Roman emperors in the ﬁrst and second centuries A. and get at their meaning.edu is “There are also letters of his to Cicero. U. In 1467. The sender picks a letter on the outer ring and lines it up with k on the inner ring and then enciphers several letters by locating plaintext characters on the outer ring and associating them with corresponding cipher characters on the inner ring. and writes it down repeatedly under the plaintext until the key is as long as the plaintext. Nevertheless. that not a word could be made out. Sender and receiver would agree on a “pointer” letter . According to Suetonius [12]. The Caesar cipher is an example of a monoalphabetic substitution cipher. In 1585. ut nullum verbum efﬁci posset. W and Y but includes some digits. item ad familiares domesticis de rebus. Therefore. and in the latter. What makes his method polyalphabetic is that the sender occasionally points k at a new letter. Abu Yusuf Yaqub ibn Ishaq al-Sabbah Al-Kindi introduced frequency analysis that made monoalphabetic substitution ciphers obsolete because they were no longer secure. after his overwhelming defeat of King Phar- naces II of Pontus at the battle of Zela.." was Caesar’s report to Rome in 47 B. as well as to his intimates on private affairs. he wrote it in cipher.3. Leon Battista Alberti (1404-1472) developed a cipher wheel that produced ciphertext that was not vulnerable to Al-Kindi’s frequency analysis. I saw. if he had anything conﬁdential to say. modern cryptographers generally understand Caesar’s cipher as a shift of 3 letters to the right. people in succeeding centuries invented polyalphabetic subsitution ciphers. veni vidi vici2 becomes yhql ylgl ylfl. It is interesting to note that Alberti’s wheel omits H.4 INTRODUCTION An early example of a substitution cipher is the Caesar cipher. for A. id est sic structo litterarum ordine. Alberti was content to associate U with V and W with VV. he must substitute the fourth letter of the alphabet. the ﬁrst six characters of VENIVIDIVICI are encrypted as Fnxrpnp. quartam elementorum litteram. For example. a polyalphabetic system might encrypt the ﬁrst a in aardvark as q. in which every character is replaced by some other character.” The translation of Suetonius on penelope. per notas scripsit.Alberti chose k. Blaise de Vigenère introduced a polyalphabetic substitution cipher that endured for three centuries. in which each letter is replaced by another letter that changes with each use. plain letter) pair in the Vigenère square in Table 0. si qua occultius perferenda erant. For example. the last six characters of VENIVIDIVICI are encrypted as 4mghg&g.3. altogether. For instance. Using the second setting in Figure 0. the message VENIVIDIVICI can possibly be encrypted as Fnxrpnp4mghg&g. In the 9th century A. and so with the others. To thwart frequency analysis. Examples include the Alberti cipher wheel and the Vigenère cipher. which simply shifts each letter in the plaintext ahead 3 places to produce an encrypted message.C. quae si qui investigare et persequi velit. say LION. “Exstant et ad Ciceronem. I conquered. The wheel consisted of two rings and the inner ring could be turned about its center.D. The user chooses a key word. . 2"I came. then it actually sounds like Caesar’s messages were decrypted by shifting 3 letters to the right. using the ﬁrst setting in Figure 0. id est D pro A et perinde reliquas commutet. namely D. by so changing the order of the letters of the alphabet.” If this translation is correct. Apparently. but the second a might be encrypted as n.1. in quibus. K. Then the user looks up each (key letter. If anyone wishes to decipher these.

Plain: S C Y T A L E Key: L I O N L I O Cipher: D K M G L T S . TYPES OF CIPHERS 5 Figure 0.3: Two setting of Alberti’s cipher wheel. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Table 0.2.1: A Vigenère square.0. The highlighted letters correspond to an example in the text.

speciﬁcally a digraph is a sequence of two characters and a trigraph is a sequence of three. so it will be much easier to encrypt and decrypt messages. but we will have absolutely no need of the cumbersome Vigenère square in Table 0. January 27. but people may refer to both LION and LIONLIO as key. This is the cipher character that substitutes for the S. Civil War to the advantage of the North. Latin: ABCDEFGHIKLMNOPQRSTVXYZ Greek: αβγδεζηθ ικλµνξoπρςστυφχψω Arabic: Computer: 01 Grayscale 8-bit bitmap: 0 1 2 . Consider the simple scytale. Therefore. Polygraphic substitution ciphers encrypt entire blocks of characters together. For example. The ease with which the key may be changed is another point in favor of the adoption of this code by those desiring to transmit important messages without the slightest danger of their messages being read by political or business rivals etc. and the length of the alphabet is usually not important. . in chapter 5 we study two public key systems that allow people to communicate even though they’ve never had an opportunity to agree upon a secret key. In fact. Mathematical Ciphers Since the intended audience of this book speaks English.S. . either by hand or on a computer. 0. in chapter 2 we will revisit the Vigenère cipher. The ciphers in chapters 3. . 254 255 None of the methods we’ve discussed so far require the use of mathematics. Scientiﬁc American (Supplement LXXXIII. which is equivalent to writing the plaintext characters in a table as shown. However. Be careful of the potentially confusing terminology . 1917) still advocated its use. but it seems that cryptological news traveled slowly because the Confederacy still used the Vigenère cipher during the U.the keyword LION generates the key LIONLIO for the cipher. Continuing this process produces the entire ciphertext DKMGLTS. This sort of arrangement is not always possible in the computer age.” Modern ciphers are often polygraphic. and 5 are all thoroughly mathematical and we can’t even describe the algorithms without using mathematics. “The [Vigenère ] method used for the preparation and reading of code messages is simple in the extreme and at the same time impossible of translation unless the key is known. to encrypt the ﬁrst letter in SCYTALE.1. The Vigenère cipher was highly regarded for three centuries and it was considered by many to be secure until Charles Babbage cracked it in 1854. Cryptanalysis is also greatly aided by the use of mathematics and statistics. 4. math can make any of them much easier to implement. Friedrich Kasiski also broke the cipher in 1863. One common feature of all classical methods is that they are symmetric in the sense that both sender and receiver require knowledge of the algorithm and the secret key. but it is a little too complicated to introduce quickly here.3. A polygraph is a sequence of several characters. We will study the Hill cipher in chapter 4 as an example of a polygraphic substitution cipher. but we really can use any alphabet we want. the most commonly used alphabet in this book is English. the user looks in row L and column S to ﬁnd a D. as late as 1917.6 INTRODUCTION For example.

and sometimes it refers to a long string of letters or numbers that are generated from the keyword. as are “decrypt” and “decipher”. where we have some cipher and the only thing we know is the algorithm. Original text is plaintext and the encrypted text is ciphertext.html. we will work almost exclusively with integers. a = 2 does not divide b = 13 (written 2 | 13) since there is no integer c such that ac = 2c = 13 = b.5. but we’ll do it anyway. reals. Such mistakes make different scenarios possible for an adversary. The Allies used cribs to ﬁnd Enigma keys during World War II. and complex numbers are . but it can be a shortened version of ciphertext. Sometimes it refers to the keyword or key number(s). but we could use ∪ {0}. even if the text isn’t really text. audio. the words “encrypt” and “encipher” are synonymous. 0. That is. a = 2 divides b = 12 since there is an integer c = 6 such that ac = (2)(6) = 12 = b.4. so it might be helpful if we introduce some of the symbols that we’ll be using. the cryptanalyst has an opportunity to choose some plaintext to feed into the cryptographic algorithm. Similarly. Try it with the Mathematica notebook Scytale. the union (∪) of and the set including only the number zero. One type of attack is a known-plaintext attack. so it might seem a little odd to call a picture plaintext. The word “cipher” usually refers to an encryption algorithm. computer ﬁles can all be encrypted. and . respectively. . Recall that we will always assume that cryptanalysts know the relevant cryptographic algorithms and the only thing that they lack is the key.5.nb at http://users. NOTATION AND TERMINOLOGY 7 W D O Y O U K N O W T T Y O U H A V E F O U A N E X T R O V E R T M A T H E M A T I C I ? H E L O O K S A T Y R F E E T W H E N H E L K S T O Y O U The ciphertext is read off in columns: HHNEAOT OADDNUA WTAM?RL DYNAHFK OOETEES YUXHLET OHTEOTO UARMOWY KVOAKHO NEVTSEU OFEIAN WORCTH TUTIYE. We write a|b to indicate that a divides b. in which the cryptanalyst knows the encryption algorithm and has access to some plaintext and the corresponding ciphertext. rationals.edu/m/mcdevittt/Crypto. . As we mentioned in the introduction. like {red.0. Software like Mathematica makes ciphertext like this easy to crack. 0. For instance. Types of Cryptologic Attacks Real life cryptanalysis often hinges on operator error or some ﬂaw in the design of the machine or software that implements a cryptographic algorithm. There is no universally recognized symbol for whole numbers. In this course. The natural numbers. In a chosen plaintext attack. H H N E A O T O A D D N U A . Other special sets have special symbols. the word key is often used imprecisely. Sets with listed elements are written with braces. Also. but we will mostly consider ciphertext-only attacks. but we will encounter real (or rational) numbers when we study probability. For example.etown. for integers a and b. a divides b if there exists an integer c such that ac = b. Such plaintext is often referred to as a crib. green. We indicate that “a is an integer" by writing a ∈ to indicate that a is in (∈) the set of integers. Notation and Terminology Mathematicians tend to write very concisely and use a lot of specialized symbols. blue}. Pictures. the set of integers is denoted by .

0-13-101976-8. they are really talking about cryptanalysis. (b) Wiifd e a etihsxr snBusneny aoe?ese e saifv cevan. The Ofﬁcial Rock Paper Scissors Strategy Guide by Douglas and Graham Walker (b) 0-13-187141. 88385. for example. The Nonlinear Theory of Elastic Shells by Libai and Simmonds (6) The Atbash cipher replaces the 1st letter of the alphabet with the last..nb might be helpful. Two familiar non-encrypting codes are Morse code and ISBNs. etc. and the third set of digits is the publisher’s serial number for the book. (X stands for 10.3 Use the Atbash cipher to decrypt klgzgl xsrk. it identiﬁes the book (like a numerical name) and it attaches a check character at the end that can identify mistakes in the number. (4) Which of the following ISBN-10s are correct? (a) Calculus (6th edition) by Stewart. (7) The Polybius checkerboard cipher places 25 letters of the alphabet (J is missing) in a 5 × 5 table. and Friedberg (c) 0-521-47236. (3) Use the Vigenère square (Table 0. 0-495-38558-1. Elementary Linear Algebra: A Matrix Approach by by Spence. What should the last digit be? (a) 0-7432-6751. the ISBN code would identify it since 0 · 1 + 8 · 2 + 8 · 3 + 8 · 4 + 3 · 5 + 5 · 6 + 7 · 7 + 1 · 8 + 9 · 9 + 7 · 10 = 325 is not divisible by 11. . So. The ISBN code for a book serves two purposes. 0-417-43339-X. (b) decrypt YUGPYN if the keyword is JAPAN. Morse code converts English into a series of dots and dashes so that an English message can be easily trasmitted over a primitive channel like a telegraph line. (b) Elementary Differential Equations (8th edition) by Boyce and DiPrima. Exercises (1) Decrypt the Caesar ciphertext shwhuslshuslfnhgdshfnrislfnohgshsshuv. The ﬁnal digit. is chosen so that 0 · 1 + 8 · 2 + 8 · 3 + 3 · 4 + 8 · 5 + 5 · 6 + 7 · 7 + 1 · 8 + 9 · 9 + 7 · 10 = 330 is divisible by 11.) (c) The Mathematics of Coding Theory by Garrett. 0-13-186239-1. but that is not always its purpose. (2) Decrypt each of the following messages that were encrypted with a scytale. Insel. indicates the publisher (The Mathematical Association of America).8 INTRODUCTION A code exchanges one system of writing for another. For instance. (d) Introduction to Cryptography with Coding Theory by Trappe and Washington. If someone made a silly transposition mistake like 0-88835-719-7. (a) Sssalbheohe slyearelshs se lee tsh. (5) The ﬁrst nine digits of the ISBN-10 for each of the following books are given. Babylon is referred to as Sheshakh (in Hebrew). when people talk about codebreaking.. the ISBN-10 for Lewand’s Cryptological Mathematics [4] is 0-88385719-7.1) to (a) encrypt ENIGMA with keyword GERMANY. the 2nd with the second-tolast. The leading 0 indicates the language (English). the second group of numbers. 7. It may have the effect of making a message unintelligible. 3The Atbash cipher appears in the Book of Jeremiah where. The Mathematica notebook Scytale.

How big is the keyspace for this cipher? (8) In the Wheatstone-Playfair cipher. 25 letters of the alphabet are placed into a 5 × 5 table.EXERCISES 9 1 2 3 4 5 1 E P X Q Y 2 H V B A O 3 F M C U N 4 T K D L R 5 W I S Z G To encrypt a message like FEEDME. then the ciphertext is pair of letters beneath. (c) What is the key for this cipher? (d) How big is the keyspace for this cipher? . (a) Encrypt MATHCOUNTS R . This has the disadvantage that the ciphertext is twice as long as the plaintext. (c) What is the key for this cipher? (d) The keyspace for a cipher is the set of all possible keys. For example. then the ciphertext is the pair of letters to the right. • lie at the corners of a rectangle. then the ciphertext is the pair of letters in the opposite corners. • lie in the same column. padding the end of WELCOME with Q so that its length is even. (a) Encrypt HANDITOVER. you just give the row and column pair for each letter: 31111143 3211. and if the pair of letters • lie in the same row. WELCOME is encrypted as EHDUVNPY. wrapping around as necessary. but it has the advantage that it works well as a semaphore. (b) Decrypt BRRNKTNFISWFXDSZBGDG. (b) Decrypt 231141411145412544525521412535113324354344114121243533344553114 121114324454235115353332535313433523453. wrapping around as necessary. E P X Q Y H V B A O F M C U N T K D L R W I S Z G Plaintext messages are broken into digraphs.

.

1. We won’t prove the theorem because it is probably very familiar to most readers. we apply our new knowledge to the additive and afﬁne ciphers. (1) 35 = 5 · 7 (2) 48 = 24 · 3 (3) 1260 = 22 · 32 · 5 · 7. (1) 95 11 . let’s look at some examples.1 (Fundamental Theorem of Arithmetic).CHAPTER 1 Modular Arithmetic This chapter develops the mathematical tools needed for modular arithmetic and modular algebra. recall the fundamental theorem of arithmetic. 1. it should still be familiar.) Composite numbers are integers greater than one that are not prime. Classroom Exercise 1. but the third one might be easier if you use a factor tree.1: Express the following numbers as products of primes. Every positive integer n > 1 can be written uniquely as a product of primes.) THEOREM 1. Fundamental Theorem of Arithmetic Recall that an integer p > 1 is prime if the only integers that divide it are 1 and p. both of which will be useful throughout the entire course. (We will frequently use p and q to represent prime numbers. After that.1: You can probably do the ﬁrst two examples in your head. it isn’t very difﬁcult and you can ﬁnd one in a book on number theory or on Wikipedia. Also. If you are interested in a proof. (Don’t worry if you don’t recognize the name. Example 1. Instead.

However. Now. then the greatest common divisor of a and b is the largest positive integer that divides both a and b. but the third is the most interesting. 598) clearly divides two of the three terms in (1. there is a better way. It is best explained in the context of an example. Classroom Exercise 1. 253). In other words. so there can’t be a greatest common divisor. 598)|598 and gcd(253.1) 598 = 253(2) + 92. . since gcd(253. 598) The ﬁrst problem was easy. they factor both numbers to ﬁnd that 253 = 11 · 23 and 598 = 2 · 13 · 23. and we can do this type of reduction repeatedly until the gcd(253. 2 R 92 253 598 506 92 This means that (1. use long division. Example 1. 2 is a common divisor of 12 and −18 since 2|12 and 2|(−18). 7) = 7. 253) also divides all three terms in (1. Fortunately.2. This allows us to exchange a hard problem for an easier one. If a and b are both zero. This works well and it’s what most of us learned in school. For example. Since 7|35. (1) gcd(35. 165) (3) gcd(253. then there are an inﬁnite number of common divisors. 598) = 23. How did you do it? Most people use the fundamental theorem of arithmetic.1: If a and b are not both zero. b). so let’s consider the last exercise of computing gcd(253. we can conclude that gcd(253. 598)|92. 598) = gcd(92.1 Here is a formal deﬁnition: Deﬁnition 1. but factoring integers is a slow process that becomes cumbersome for very large numbers. and then conclude that gcd(253.2: Compute the following gcds. Euclidean Algorithm The Euclidean algorithm is an ancient. 7) (2) gcd(55. but we use gcd. Since 1Some authors use the equivalent gcf for greatest common factor.1). If you can do this in your head. we ﬁrst divide the larger number by the smaller. but not both) has a ﬁnite number of common divisors. MODULAR ARITHMETIC (2) 819 (3) 3400 1. 598) is obvious. so it must also divide the third. it must be that gcd(35. Greatest Common Divisors A common divisor of two integers a and b is an integer (positive or negative) that divides both a and b. every other pair of integers (including if a = 0 or b = 0. 598).1). great! Otherwise.3. method for ﬁnding the gcd of two integers. 598). The second was a little harder. 1. gcd(253.12 1. so we can conclude that gcd(253. 598)|253(2). We denote the greatest common divisor of a and b by gcd(a. so there must be a greatest common divisor. A similar argument shows that gcd(92.2: To ﬁnd gcd(253. but efﬁcient.

so gcd(226. to use the Euclidean algorithm to ﬁnd gcd(a. Therefore. it’s 23. Each step after that involves “sliding" and long division.2b). 270) = gcd(44. Finally. the remainder is 44. 454) = 1 since (1. In (1. In (1. 6). 598) = gcd(92. so the algorithm stops and gcd(226. we mean that the divisor and remainder move to the left so that they become the new dividend and divisor. the remainder is 6. the algorithm stops because the smaller number divides the larger.2a) to (1.3c) (1. b).2d). In general. 270) = gcd(44. 92) = gcd(23. 44) = gcd(2. 270) = gcd(44. In (1. 270) = gcd(44. The gcd(343. In this case. 44).3b) (1. the remainder is 0.2c) (1.2d) 270 = 226(1) + 44 226 = 44(5) + 6 44 = 6(7) + 2 6 = 2(3) + 0. 253) = gcd(69. Finally.2b).2c). you divide the larger of the two numbers a and b by the smaller one. EUCLIDEAN ALGORITHM 13 2 R 69 92 253 184 69 gcd(253. 598) = gcd(92.2a). Repeated use of long division gives (1. 226) = gcd(6. so gcd(226. Once we reach a remainder of zero.3. gcd(253. respectively. you continue this process until the last remainder is 0. 598) = 23.4: Let’s do one ﬁnal example. the remainder is 2. For example. 270). Example 1. In general. 270) = 2. 253) = gcd(69. in (1. we have found that 598 = 253(2) + 92 253 = 92(2) + 69 92 = 69(1) + 23 69 = 23(3) + 0. . the 226 and 44 slide left from (1. 226) = gcd(6. Example 1. By “sliding".3: Let’s work through another example: gcd(226. 226) = gcd(6. That is the Euclidean algorithm. 226). so gcd(226. 69). 6) = 2. By repeated use of long division.3a) (1. The second-to-last remainder is 2. Let’s review what we’ve done for this problem. 92). so gcd(226. the second-to-last remainder (written on the right) is the gcd. but let’s be sure we understand how the Euclidean algorithm works.2b) (1.3d) 454 = 343(1) + 111 343 = 111(3) + 10 111 = 10(11) + 1 10 = 1(10) + 0. 44) = gcd(2. Since 23|69. 1 R 23 69 92 69 23 so gcd(253.1.2a) (1. We could stop here and move on.

4c).4b). the one that gives us the gcd). We simplify at each step. Beginning with the equation (1.6a) (1. y = −1 and x = −4. Working backwards.4a) is just (1.6b) (1.4a) gives (1.7: Here’s another example. This is a little tricky at ﬁrst.5c)) = 39 − (97 − 39(2))(2) (substituting the remainder from (1.5c) 233 = 97(2) + 39 =⇒ 39 = 233 − 97(2) 97 = 39(2) + 19 =⇒ 19 = 97 − 39(2) 39 = 19(2) + 1 =⇒ 1 = 39 − 19(2). but we will show you how to ﬁnd x and y by extending the Euclidean algorithm. In this case.4b) (1. We won’t prove Theorem 1. (1. Using the Euclidean algorithm to ﬁnd gcd(233.3c) rearranged so that the gcd is on the left. we have (1.2. MODULAR ARITHMETIC 1.6d)).2 does not claim that x and y are unique.5a)) = 233(5) − 97(12) (simplifying (1. The only time you’d want to multiply them is to check your calculations.4c) 1 = 111 − 10(11) = 111 − (343 − 111(3))(11) = 111(34) − 11(343) = (454 − 343(1))(34) − 11(343) = 454(34) − 45(343) Equation (1.5c) and substitute the remainders in ascending order.3a) for 111 and substituting into (1.5a) (1. Example 1. Number theory texts like [6] and [8] typically include a theorem like the following.5: If a = 7 and b = 35. we work backwards to ﬁnd values for x and y. solving (1. Speciﬁcally. (1.4a) (1. b).6d) (1. Note that we have solved for the remainders in addition to ﬁnding the gcd. There exist integers x and y such that a x + b y = gcd(a.6c) (1.3a) (working backwards) to obtain (1.4.3c) (i. Example 1. Note.4c).4b) gives (1. Solving (1.6: Recall Example 1. we begin with (1. Example 1.2.6 in which we found gcd(343. y = 1. 454) = 1.6b)) = (233 − 97(2))(5) − 97(2) (substituting the remainder from (1. One of the hardest ideas is to remember not to explicitly multiply any of the remainders. then x = −45 and y = 34.6e) 1 = 39 − 19(2) (from (1. which implies that if a = 343 and b = 454. b).3b) for 10 (the remainder) and substituting into (1. . other possibilities include x = 6. then x = 5 and b = 0 satisfy a x + b y = gcd(a. that Theorem 1.4a)-(1. the second-to-last equation.14 1. however. but it’s pretty easy after you’ve done a few examples.3c)-(1. but it will be very important to us before the end of the chapter. THEOREM 1. 97).5b)) = 39(5) − 97(2) (simplifying (1.5b) (1. so other values for x and y are possible. We successively solve for and substitute the remainders in (1. being careful not to explicitly multiply the remainders or the original two numbers. Extended Euclidean Algorithm We’re now going to cover the extended Euclidean algorithm.e. It won’t be immediately obvious why this is important.

16) = 2. and later we learn about real numbers. 2Many authors refer to relatively prime numbers as coprime. it is not relatively prime to 39 since gcd(13. Consider the following examples.12: Here are some examples.9: Integers 14 and 16 are both composite and they are not relatively prime to each other since gcd(14. . Example 1. (1) 7 ≡ 7 mod 21 since 21|(7 − 7). usually starting with fractions and then proceeding to decimals. then x = 5 and b = −12 satisfy a x + b y = gcd(a. 192) (3) gcd(756.3: Integers a and b are congruent modulo n if n|(a − b).11: Two distinct prime numbers like 13 and 17 are relatively prime. Example 1.2: Two integers a and b are relatively prime2 if gcd(a. but they are relatively prime since gcd(14.10: Although 13 is prime. b) = 1. Relatively Prime Numbers Deﬁnition 1.4: Determine which of the following pairs of numbers are relatively prime. Example 1. Deﬁnition 1. Example 1. MODULAR ARITHMETIC 15 If a = 233 and b = 77.1. we will usually work only with integers modulo some positive integer n. (3) 2 ≡ 12 mod 5 since 5|(2 − 12).2 for the following gcds.8: Neither 14 nor 25 is prime. multiplication. Example 1.3: Use the extended Euclidean algorithm to ﬁnd values for x and y according to Theorem 1. Modular Arithmetic We learn to do arithmetic (addition. (2) 14 ≡ 2 mod 3 since 3|(14 − 2).5. Note that a number doesn’t need to be prime to be relatively prime to another number. In cryptology. (1) gcd(24. b). Our task in this section is to ﬁgure out what that means. Classroom Exercise 1. If two numbers are congruent modulo n. 54) (2) gcd(33. Classroom Exercise 1. and prime numbers are not relatively prime to every other positive integer. and division) with integers early in grade school. 25) = 1. 942) 1. (1) 26 and 15 (2) 54 and 99 (3) 234 and 555 1.6. then we write a ≡ b mod n. subtraction.6. 39) = 13.

2. 1. . (1) 3(15) − 4(2) (2) 30(29)(27) − 1(2)(3) (3) 9 − 3(4) 62 + 20 3This is what the % operator does in C/C++ and what the Mod and mod commands do in Mathematica and Matlab. .5: Reduce the following numbers modulo 16 to the set {0. . . For example. The following table shows integers x reduced modulo 5 to the set {0. Classroom Exercise 1. x x mod 5 .6: Reduce the following modulo 32. for example. 4}. did the calculation. subtraction. 24+27(20) ≡ −1+2(−5) = −11 = −11 + 0 ≡ −11 + 25 = 14 mod 25. . . . . For example. . . 15}. In this case. You are free to make the calculations as simple as you can by reducing operands modulo n at any time as shown in Example 1. One thing you may not do. −7 ≡ 3 mod 5 since −7 + 2(5) ≡ 3 mod 5. (1) 6 + 7(4) = 34 ≡ 9 mod 25. 2. 1. 3. . Example 1. . Here.12. • If a ≥ 0. we began by reducing 26 and 27. even though both are correct. . n − 1} modulo n. then we can replace a with its remainder when it is divided by n.. . Classroom Exercise 1. and multiplication modulo n all work exactly as you would expect.16 1. For instance. (2) 26 + 27(14) ≡ 1 + 2(14) = 29 ≡ 4 mod 25. Continuing Example 1. 1. (3) Don’t hesitate to use negative numbers if it’s convenient. . 619 is not congruent to 6−1 mod 20. • We can add or subtract multiple copies of n since n ≡ 0 mod n. We have two main ways to reduce a mod n. 7 ≡ 7 mod 21 since 7 ÷ 21 = 0 with remainder 7 and 14 ≡ 2 mod 3 since 14 ÷ 3 = 4 with remainder 2. MODULAR ARITHMETIC We usually reduce integers to the set {0. .. 2.3 so. however. we waited until the calculation was completed to reduce it modulo 25. it would be more common to write 12 ≡ 2 mod 5 than 2 ≡ 12 mod 5. (1) 27 (2) 544 (3) −32 Addition. −7 −6 −5 −4 −3 −2 −1 0 1 2 3 4 5 6 7 8 9 10 11 12 . 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 3 4 0 1 2 . respectively.13: Reduce the following modulo 25. which is especially helpful for a < 0.13. and then reduced the answer. is change powers.

18

1. MODULAR ARITHMETIC

for 6. So, in general, a number a is not invertible modulo n if gcd(a, n) = 1. Does that mean that all other numbers are invertible? Well, yes, but it’s not obvious. THEOREM 1.3. If gcd(a, n) = 1, then the set {a mod n, 2a mod n, . . . , (n − 1)a mod n} has all distinct values.

PROOF. We prove this theorem by contradiction. Suppose that some pair of values in {a mod n, 2a mod n, . . . , (n − 1)a mod n} are the same. More precisely, suppose that there exist integers x and y ∈ {1, 2, . . . , n− 1} such that x = y and that x a ≡ y a mod n. Then n|a(x − y), and since gcd(a, n) = 1, it must be that n|(x − y). Since x, y ∈ {1, 2, . . . , n − 1}, we conclude that x = y, which is a contradiction. Since the set {a mod n, 2a mod n, . . . , (n − 1)a mod n} has n distinct values, those values are congruent to {1, 2, . . . , n − 1} in some order. Therefore, in summary, if gcd(x, n) = 1, then x is invertible modulo n and if gcd(x, n) = 1, then x is not invertible modulo n. Example 1.14: It is helpful to look at another example. Here is a multiplication table modulo 20.
× 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 2 0 2 4 6 8 10 12 14 16 18 0 2 4 6 8 10 12 14 16 18 3 0 3 6 9 12 15 18 1 4 7 10 13 16 19 2 5 8 11 14 17 4 0 4 8 12 16 0 4 8 12 16 0 4 8 12 16 0 4 8 12 16 5 0 5 10 15 0 5 10 15 0 5 10 15 0 5 10 15 0 5 10 15 6 0 6 12 18 4 10 16 2 8 14 0 6 12 18 4 10 16 2 8 14 7 0 7 14 1 8 15 2 9 16 3 10 17 4 11 18 5 12 19 6 13 8 0 8 16 4 12 0 8 16 4 12 0 8 16 4 12 0 8 16 4 12 9 0 9 18 7 16 5 14 3 12 1 10 19 8 17 6 15 4 13 2 11 10 0 10 0 10 0 10 0 10 0 10 0 10 0 10 0 10 0 10 0 10 11 0 11 2 13 4 15 6 17 8 19 10 1 12 3 14 5 16 7 18 9 12 0 12 4 16 8 0 12 4 16 8 0 12 4 16 8 0 12 4 16 8 13 0 13 6 19 12 5 18 11 4 17 10 3 16 9 2 15 8 1 14 7 14 0 14 8 2 16 10 4 18 12 6 0 14 8 2 16 10 4 18 12 6 15 0 15 10 5 0 15 10 5 0 15 10 5 0 15 10 5 0 15 10 5 16 0 16 12 8 4 0 16 12 8 4 0 16 12 8 4 0 16 12 8 4 17 0 17 14 11 8 5 2 19 16 13 10 7 4 1 18 15 12 9 6 3 18 0 18 16 14 12 10 8 6 4 2 0 18 16 14 12 10 8 6 4 2 19 0 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

(1.8)

Which numbers are invertible? That is, which numbers have a 1 in their respective rows (or columns)? The invertible integers modulo 20 are 1, 3, 7, 9, 11, 13, 17, and 19, which leaves out all even integers and multiples of 5 since 20 = 22 · 5. Also, note that the invertible numbers have every integer from 0 to 19 in their rows (or columns), whereas non-invertible numbers do not. Now that we know which integers are invertible modulo n, we’d like to have a systematic way of ﬁnding inverses. Tables are nice for small moduli, but are unwieldy for large ones. Fortunately, the extended Euclidean algorithm gives us a nice algorithm for computing inverses. Recall that if gcd(a, n) = 1, then there exists integers x and y such that (1.9) a x + n y = 1,

1.7. SOLVING LINEAR CONGRUENCES

19

and we can ﬁnd x and y using the extended Euclidean algorithm. Reducing (1.9) modulo n gives (1.10) which implies that x = a
−1

a x ≡ 1 mod n, .

Example 1.15: To ﬁnd 17−1 mod 20, we use the extended Euclidean algorithm. 20 = 17 · 1 + 3 17 = 3 · 5 + 2 3=2·1+1 Technically, we should go one step further to get a remainder of zero, but we know that the gcd is 1, so there is no practical need to continue. Working backward, 1=3−2 = 6 · 3 − 17 = 6 · 20 − 7(17). This implies that 17(−7) ≡ 1 mod 20, so 17−1 = −7 ≡ 13 mod 20. You can check this in the multiplication table in (1.8). Example 1.16: To ﬁnd 343−1 mod 454, we can use the work we did in Example 1.6. Recall that we found that 1 = 454(34) − 45(343). Reducing modulo 454 gives 1 ≡ −45(343), so 343−1 = −45 ≡ 409 mod 454. You can check this with a calculator by multiplying 343 by 409 to get 140, 287. To reduce modulo 454, we divide 140, 287 by 454 to get 309.002. That tells us that 454 goes into 140, 287 309 times. Subtracting, we ﬁnd 140, 287 − 454(309) = 1, so we know that our answer is correct. Classroom Exercise 1.8: Find the following multiplicative inverses. (1) 4−1 mod 15 (2) 15−1 mod 49 (3) 81−1 mod 145 1.7. Solving Linear Congruences Linear Congruences of the Form a x ≡ b mod n. Over the real numbers, the equation (1.11) ax = b

has the unique solution x = b/a if a = 0. If a = 0 and b = 0, then there are no solutions, and if a = 0 and b = 0, then there are inﬁnitely many solutions because x can have any real value. Similarly, a congruence like (1.12) a x ≡ b mod n

may have a unique solution in {0, 1, 2, . . . , n − 1}, no solution, or multiple solutions in {0, 1, 2, . . . , n − 1}. Let’s illustrate with a few examples. Example 1.17: (1) 6x ≡ 12 mod 13 has the unique solution x = 2. (2) 6x ≡ 12 mod 24 has six solutions x = 2, 6, 10, 14, 18, 22. (3) 6x ≡ 11 mod 12 has no solution.

20

1. MODULAR ARITHMETIC

Our goal in this section is to ﬁnd all solutions, if any, of congruences like (1.12). If a x ≡ b mod n has a solution, then there exists an integer m such that (1.13) mn = a x − b.

The gcd(a, n) clearly divides the ﬁrst two terms, mn and a x, in (1.13), so it also must also divide b. Recall that all multiples of a modulo n are multiples of gcd(a, n), so b must be a multiple of gcd(a, n) for (1.12) to have a solution. For example, in (1.8), all multiples of 15 modulo 20 are 0, 5, 10 and 15, so a congruence of the form 15x = b mod 20 only has solutions if b = 0, 5, 10, or 15. Let’s assume that gcd(a, n)|b so that at least one solution exists. Note that this is trivially true if a and n are relatively prime. How do we ﬁnd a solution? Sometimes you can ﬁnd a solution simply by looking at the congruence. For instance, it is pretty clear that x = 2 solves 6x ≡ 12 mod 13. The fancy way of saying this is that x = 2 is a solution “by inspection". When we can’t ﬁnd a solution by inspection, we can use the extended Euclidean algorithm. Let’s look at an example. Example 1.18 (Unique Solution): To solve 17x ≡ 4 mod 20, we begin with the extended Euclidean algorithm. 20 = 17 · 1 + 3 17 = 3 · 5 + 2 3=2·1+1 Working backwards, 1=3−2 = 3 · 6 − 17 = 20 · 6 − 17 · 7. Therefore, 17(−7) ≡ 1 mod 20. Multiplying both sides by 4 gives 17(−7 · 4) ≡ 4 mod 20 and x = −7 · 4 = −28 ≡ 12 mod 20. Since gcd(17, 20) = 1, x = 12 is the only solution. If a congruence has multiple solutions, how do we ﬁnd all of them? We begin by ﬁnding one solution using the extended Euclidean algorithm (or inspection). If solution(s) exist, then gcd(a, n)|b and there exists an integer m such that a x = b + nm. Dividing by gcd(a, n) gives a gcd(a, n) so (1.14) a gcd(a, n) x≡ b gcd(a, n) mod n gcd(a, n) . x= b gcd(a, n) + n gcd(a, n) m,

This congruence (1.14) has a unique solution since gcd a gcd(a, n) gcd(a, n) , n = 1.

Therefore, once one solution of a x ≡ b mod n is found, all other solutions in {0, 1, 2, . . . , n − 1} can be found by adding (or subtracting) integer multiples of n/ gcd(a, n) for a total of gcd(a, n) incongruent solutions.

1.7. SOLVING LINEAR CONGRUENCES

21

Example 1.19 (Multiple Solutions): Solve 14x ≡ 4 mod 20. Since gcd(14, 20) = 2 and 2|4, this congruence has two solutions. Let’s use extended Euclidean algorithm to ﬁnd one of them. 20 = 14 · 1 + 6 14 = 6 · 2 + 2 6=3·2 Working backwards again, 2 = 14 − 6 · 2 = 14 · 3 − 20 · 2 Therefore, 14(3) ≡ 2 mod 20. Multiplying both sides by 2 gives 14(3 · 2) ≡ 4 mod 20 and x = 6. Since gcd(14, 20) = 2, there is a second solution that we obtain by adding n/ gcd(a, n) = 20/2 = 10 to x = 6. Therefore, the two solutions in {0, 1, 2, . . . , 19} are x = 6 and x = 16. Another way to view this example is to return to the multiplication table in (1.8) and note that each row (or column) cycles through multiples of the appropriate gcd. In the case of 14, the multiples cycle through 0, 14, 8, 2, 16, 10, 18, 12, 6 twice, so the two solutions must be 10 apart. Example 1.20 (No Solution): The congruence 14x ≡ 5 mod 20 has no solution since gcd(14, 20) = 2 | 5. Example 1.21: To solve 2x − 4 ≡ 7 mod 13, simply add 4 to both sides and proceed as above to ﬁnd x = 12. In summary, you can always tell if a x ≡ b mod n has a solution by determining if gcd(a, n) divides b. If not, then there is no solution. If gcd(a, n) does divide b, then the number of solutions is equal to gcd(a, n) and the solutions are n/ gcd(a, n) apart. For instance, x = 1 is clearly a solution of 13x = 13 mod 39. Since gcd(13, 39) = 13, there are a total of 13 solutions in {0, 1, 2, . . . , 38} and they are separated by 39/13 = 3, so the complete set of solutions is x = 1, 4, 7, 10, 13, 16, 19, 22, 25, 28, 31, 34, 37. Classroom Exercise 1.9: Find all solutions, if any, of the following congruences. (1) 18x = 3 mod 31 (2) 18x = 16 mod 30 (3) 18x ≡ 24 mod 30 Linear Systems of Congruences. Let’s conﬁne our attention to systems of congruences in two variables because this is sufﬁcient for our cryptologic needs later in the chapter. If a, b, c, d, e, f ∈ {0, 1, . . . , (n − 1)}, then our goal is to solve ax + b y ≡ e mod n cx + d y ≡ f for x and y, if possible. Standard algebraic manipulations reduce the system to the pair of congruences4 (1.15) (ad − bc)x ≡ ed − b f (ad − bc) y ≡ a f − ce mod n.

For solutions to exist, gcd(ad−bc, n) must divide both (ed−b f ) and (a f −ce). In practice however, we don’t recommend memorizing (1.15). Instead, just use the familiar methods of substitution and elimination from high school algebra. Be aware, however, that you have to be careful about both multiplying and dividing.
4These may look familiar if you have seen Cramer’s rule before.

24 (Multiple Solutions): We might choose to solve this system 12x + y ≡ 13 4x − 3 y ≡ 7 mod 26 by multiplying the second congruence by 3 and subtracting to ﬁnd 10 y ≡ −8 mod 26. The former has two solutions. If you can’t help it. we ﬁnd that y = 7 and y = 20. For example. but the second has no solutions. which has two solutions y = 8 and y = 21. Multiplying the second congruence by 4 and subtracting it from the ﬁrst gives 14 y ≡ 8 mod 26. 3x + 2 y ≡ 0 x − 3y ≡ 2 mod 7 suggests solving the second equation for x and substituting into the ﬁrst to ﬁnd 3(3 y + 2) + 2 y = 0. 26)| − 8. which gives x = 7 and x = 20. which reduces to 4 y = 1 mod 7. An alternative way to solve this problem is to solve the ﬁrst congruence for y ≡ 13 − 12x and substitute into the second to ﬁnd 14x ≡ 20 mod 26. be sure to check your solutions in the original congruences. Example 1. equivalently. we might choose to use elimination. x = 1.25 (Spurious Solutions): As a ﬁnal example.22 (Substitution): Some systems make the method of substitution attractive. Plugging these values back into the second congruence gives 4x ≡ 2 mod 26 and 4x ≡ 15 mod 26. Example 1. If you can. Instead. the second of which is spurious. However. For example. Overall. try to only multiply by integers that are relatively prime to the modulus. multiplying both sides by 2 gives 6x ≡ 6 mod 8. the congruence 3x ≡ 3 mod 8 has the unique solution x = 1. x = 1 and x = 5. x = 7 and x = 20. Plugging these values back into the ﬁrst congruence gives 12x ≡ 24 . consequently. Using the extended Euclidean algorithm. MODULAR ARITHMETIC Division is obviously a problem since it isn’t properly deﬁned. Example 1. Multiplying the congruences by 2 and 3 is OK here because both constants are relatively prime to the modulus.23 (Elimination): In this example. Subtracting the ﬁrst congruence from the second gives y = 6 and substituting into 6x + 4 y = 0 implies that x = 4 y ≡ 3 mod 7. 7) and (20. 3x + 2 y ≡ 0 2x − 3 y ≡ 2 mod 7 We could solve either congruence for x or y since all coefﬁcients are relatively prime to the modulus. we have two solutions: (7. 7). but that isn’t particularly appealing. The extended Euclidean algorithm then implies that y = 2 and.22 1. which has two solutions since gcd(10. 6x + 4 y ≡ 0 6x + 5 y ≡ 6 mod 7. let’s multiply the ﬁrst equation by 2 and the second by 3 to ﬁnd 6x + 4 y ≡ 0 6x − 9 y ≡ 6 or. consider 12x + 2 y ≡ 14 3x − 3 y ≡ 8 mod 26. Both values of x give y = 7. but multiplication can also cause trouble because multiplying equations by constants can lead to spurious solutions. which has two solutions. Example 1.

However. we were effectively multiplying by zero if x = ±2. Likewise. Equation (1. we might multiply by sides of the equation by (x − 2)(x + 2)(x − 6) to clear the fractions. Suetonius [12] claims that Julius Caesar used a simple shift cipher to encrypt private messages in letters to Cicero and other friends. but if you want to see something really interesting. which is correct. 8). so no spurious solutions are produced in that case. and there are no such values of x. since we multiplied by 4. which simpliﬁes to x 2 = 4.16) 1 (x − 6)(x − 2) + 1 (x + 2)(x − 2) = x +4 (x − 6)(x + 2) . He simply replaced each a by d. ADDITIVE CIPHER 23 mod 26 for both y = 8 and y = 21. Note that it would have been more efﬁcient to solve for x using the second congruence because 3 is relatively prime to 26.. Plugging all four solutions back into the original system shows that only (2. right? Wrong. Similarly. (15. (2. try to solve (1. we obtain 1 − x = x − 2. squaring both sides of −3 = 3 gives 9 = 9. The following chart makes it easier to implement the Caesar cipher. the message mathisreallyfun is encrypted as pdwklvuhdoobixq. What do you ﬁnd? . Additive Cipher One of the earliest known ciphers is the Caesar cipher.17) by graphing y= 1− x x −2 and y = 1 on your calculator and looking for the intersection of the two graphs. The solutions for x are obviously x = 2 and x = 15. to solve (1. 8) and (15. (1. if we square both sides of (1. 21) are solutions of the original problem. 21).17) has no real solutions since the numerator of the expression on the left implies that x ≤ 1 and the denominator implies that x > 2. Remark 1. please recall that you have seen this before in “regular algebra" over the reals when you multiply both sides of an equation by zero or when you square both sides of an equation. For example.1.17) 1− x x −2 = 1. 8). multiplying both sides of the incorrect equation 3 = 4 by zero gives 0 = 0. Note that 5This has nothing to do with cryptology. However.. b by e.1: If the idea of spurious solutions is disconcerting to you.8.5 1.16) are x = ±2. For example. More realistically. we have four putative solutions (2. So the solutions of (1. This gives (x + 2) + (x − 6) = (x + 4)(x − 2). so.16) has no solutions. which implies that x = 3/2. overall.. When we multiplied by (x − 2)(x + 2)(x − 6). 21). we suspect spurious solutions. etc. wrapping around at the end of the alphabet so each x is replaced by an a. and cross multiply. y by b. Anyone except the intended recipient would only see gibberish and would not know that mathisreallyfun. and z by c.8. and (15. which is not relatively prime to the modulus. and that introduced the false solutions.

= {15. . . Each plaintext letter is encrypted by adding 4 modulo to it according to the encryption equation (1. The next letter h corresponds to 7. then ci = pi . 0.a 24 + 3 = 27 ≡ 1 mod 26).18) for pi . 14.26: Suppose that the plaintext is thequickbrownfoxjumpsoverthelazydog and k = 4. capitals. inclusive. 16}. digits. The modulus 26 is the length of the alphabet. . be any integer between 0 and 25..18) ci = pi + 3 mod 26. The rest of the details are shown in the following table. . (1. Example 1. Repeating this for the entire message turns thequickbrownfoxjumpsoverthelazydog into xliuymgofvsarjsbnyqtwszivxlipedchsk. 8. 4. which becomes 11 or l. 8. 13}. and any other symbols that we choose. capital letters.a.6 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Now the plaintext mathisreallyfun and ciphertext pdwklvuhdoobixq can be regarded as sequences of integers pi and ci 15 i=1 15 i=1 = {12. 3. (1. and adding four to it makes it 23. the plaintext y (a. . 10. with no spaces. The ﬁrst plaintext letter t has a numerical value of 19. 19. in principle. 14. but our way is more convenient. and z with 26. Plaintext t h e Coded plain 19 7 4 Coded cipher 23 11 8 Ciphertext x l i 6 q u i c k b r o w n f o x j u m p s o v e r t h e l a z y d o g 16 20 8 2 10 1 17 14 22 13 5 14 23 9 20 12 15 18 14 21 4 17 19 7 4 11 0 25 24 3 14 6 20 24 12 6 14 5 21 18 0 17 9 18 1 13 24 16 19 22 18 25 8 21 23 11 8 15 4 3 2 7 18 10 u y m g o f v s a r j s b n y q t w s z i v x l i p e d c h s k Some authors associate a with 1. which is x. .20) ci = pi + k mod 26. can. and z with 25 as shown in the following chart. i = 1. so we really should take k ∈ {1. For example. 24) is encrypted to b (a. 22. 3. . 18. Then.. 15.. . 11. 25}. b with 2.24 1. . Note that we need to work modulo 26 because we have a 26-letter alphabet. . 20. 11.. 23. or punctuation. punctuation. 1. .20). except that the shift doesn’t have to be 3. 17. We can make the implementation of the Caesar cipher more efﬁcient and computer-ready by making the cipher mathematical. then the shift. 5. and the plaintext can likewise be found by solving (1. 24. We can do this simply by associating a with 0.. If we stick with a 26-letter alphabet. 7. then you simply change 26 to the appropriate value. 7. 11. i = 1. . If k = 0.. 2. .k. but we’ll stick with the 26-letter alphabet for simplicity. 0. 2. 15. so if you change the alphabet by adding or deleting characters. Recall that we refer to the original message mathisreallyfun as plaintext and the encrypted message pdwklvuhdoobixq as ciphertext. 21. 2. The cipher characters can be obtained mathematically from the formula (1. We could accomodate spaces.19) pi = ci − 3 mod 26. b with 1. The additive cipher is just like the Caesar cipher. MODULAR ARITHMETIC this example uses the standard (modern) English alphabet. . 20. let’s call it k (for key). .k.18) becomes (1.

each reveals approximately the same distribution of letters.002 y 0. William Shakespeare’s “Julius Caesar". Figure 1..059 s 0. for the most part.076 p 0.022 f g 0.065 t 0.018 z 0. George W.018 q 0. but. such as an unusual abundance of the letter u “Julius Caesar".001 r 0. Minor differences are apparent.069 j 0. etc. Cassius..). but that is to be expected with all of the Latin names that end in us (e.089 u 0.014 b c 0.026 v 0.023 x 0. and the “USA Patriot Act".g.001 0.065 i 0.082 0. Relative Letter Frequency a 0.2: Table of letter frequencies based on War and Peace and several articles from The Washington Post.124 0.2: Cumulative frequencies of the letters (in ascending order) in Edgar Allan Poe’s “The Gold Bug".011 w 0. Julius.024 Relative Letter Frequency n 0.025 d 0. Bush’s 2006 State of the Union Address. See Table 1.2 for numerical values.001 Table 1. .26 1.046 e 0.039 m 0.1: Frequencies of letters in the English language.008 k l 0.073 o 0. MODULAR ARITHMETIC Figure 1.020 h 0. Brutus.

m = 9. k = 2. 26) = 2|12. this time we do not know the answer in advance. Associating these with e and t gives 4m + k ≡ 24 19m + k ≡ 12 mod 26 and m = 20 and k = 22. and the longer a sample text is. Since gcd(10. hikctyhghykaezztgaayrhbggrvgdyfg.28 1.28: Let’s start with the ciphertext in Example 1. The most common letters are g and h. (a) 23 · 32 · 5 · x (b) 210 · 32 · 52 · 76 · x (c) 123 · 252 · 7 · x 9The one and only Forrest Gump. However. Since 22 is not relatively prime to 26.29: The most common letters in the ciphertext xwvmwixwomclybyvunyuyxcrmikyapmjmzop yssncrkyazmeyppcemr are y and m. However. Example 1. there are two solutions. in turn. but unlike Example 1. we have the pair of congruences 4m + k ≡ 6 19m + k ≡ 7 mod 26. which. which gives 4m + k ≡ 12 mod 26. (a) 278 (b) 359 (c) 126 (d) 469 (e) 388 (2) Find the smallest integer x > 0 that makes each of the following perfect squares. Cases like that may require signiﬁcant trial and error to ﬁnd a suitable pair of congruences. Repeated trial and error eventually leads us to associate ciphertext y and m with plaintext o and e. respectively.28. Counting letter frequencies by hand can be very tedious. Solving the system gives m = 7 and k = 4. then just use ECrypt. Let’s look at another example. However. if you don’t have one of those packages or you don’t want to learn one. 14m + k ≡ 24 Subtracting the ﬁrst congruence from the second gives 10m = 12 mod 26. Recall that e and t are usually the most common letters in English. the more likely that is to be the case. MODULAR ARITHMETIC Example 1. This suggests that the ciphertext g and h correspond to plaintext e and t.27. respectively. the latter solution cannot be correct. e and t are not always the most common. give the plaintext timwrotetomsaddresson theenvelope. Since g and h are encoded as 6 and 7 and since e and t are encoded as 4 and 19. and pretend that we don’t know m and k. . these aren’t correct since m = 20 is not relatively prime to 26. Decrypting m = 9 and k = 2 gives lifeislikeaboxofchocolatesyounever knowwhatyouregonnaget9. k = 2 and m = 22. which appear six and four times. especially in short messages. Exercises (1) Factor the following integers as a product of (powers of) primes. so mathematical packages like Mathematica and Maple can be very helpful.

b = 298 (b) a = 462. b = 122 (e) a = 387. (a) 8 + 6 mod 10 (b) 13 × 3 mod 7 (c) 2 × 12 + 4 mod 14 (d) 3 − 5 + 15 mod 17 (e) 18 − 13 − 8 × 27 mod 14 (f) 10 − 4 × 19 + 16 mod 11 (g) 9 − 5 − 8 + 2 − 2 mod 10 (h) 6 + 8 − 5 × 10 − 9 mod 11 . n) = gcd(m.EXERCISES 2 29 (3) (4) (5) (6) (d) 123 · 252 · 7 · x Suppose that we say that 56000 “ends” in 3 zeros. 391) Find integers x and y such that a x + b y = gcd(a. (7) Reduce the following. How many zeros are there at the end of each of these numbers? 2 (a) 123 · 252 · 7 (b) 10! = 10 × 9 × 8 × 7 × 6 × 5 × 4 × 3 × 2 × 1 (c) 100! 50 50! (d) = 25 25!(50 − 25)! Find the following gcds and identify which pairs of integers are relatively prime. 231) (b) gcd(317. (a) a = 95. 278) (e) gcd(272. 431) (d) gcd(418. 375) (c) gcd(297. lcm(a. (a) 154 mod 45 (b) 171 mod 42 (c) −57 mod 20 (d) 111 mod 42 (e) −159 mod 33 (f) −22 mod 11 (g) 54 mod 26 (h) −38 mod 10 (i) 69 mod 23 (j) 100 mod 24 (8) Calculate the following. Show that lcm(m. n) mn . b = 468 (d) a = 324. b) for each of the following. b) is the least common multiple of m and n. b = 424 (c) a = 195. (a) gcd(261. b = 108 For positive integers m and n.

if any. . we have to solve 0 · 1 + 5 · 2 + 2 · 3 + 1 · 4 + 7 · 5 + 7 · 6 + 0 · 7 + 4 · 8 + 3 · 9 + d10 · 10 ≡ 0 mod 11. . if any. . a +1 mod n. (a) 15−1 mod 38 (b) 29−1 mod 40 (c) 8−1 mod 49 (d) 11−1 mod 15 (e) 7−1 mod 26 Suppose a. but some authors write that d10 has to solve (1. of the following congruences.30 1.24) have the same solutions. Show that the set {a mod n. we learned that if the ﬁrst 9 digits in an ISBN-10 d1 d2 d3 d4 d5 d6 d7 d8 d9 d10 are known. Solve for d10 . . Find all solutions.23) and (1. 2. (n − 1)}. a +2 mod n. MODULAR ARITHMETIC (9) (10) (11) (12) (i) 5 × 6 − 7 − 3 × 6 + 4 mod 8 (j) 9 × 10 × 7 × 13 + 4 + 2 mod 16 Find the following multiplicative inverses. n ∈ .23) d1 + 2d2 + 3d3 + 4d4 + 5d5 + 6d6 + 7d7 + 8d8 + 9d9 + 10d10 ≡ 0 mod 11. To ﬁnd d10 . . (13) In the introduction. (a) (b) (c) 3x + 7 y ≡ 8 5x + 7 y ≡ 6 mod 10 mod 18 mod 22 2x + 5 y ≡ 16 11x + 11 y ≡ 16 6y ≡ 1 15x + 22 y ≡ 13 . a +(n−1) mod n} is a re-arrangement of {0. Show that congruences (1. of the following systems of congruences.24) 10d1 + 9d2 + 8d3 + 7d4 + 6d5 + 5d6 + 4d7 + 3d8 + 2d9 + d10 ≡ 0 mod 11 instead. (14) Find all solutions. . . . where d10 is an unknown check digit. 1. (a) 17x = 0 mod 34 (b) 14x = 10 mod 32 (c) 14x = 5 mod 25 (d) 17x = 12 mod 24 (e) 9x = 16 mod 20 (f) 18x = 24 mod 46 (g) 2x = 5 mod 15 (h) 19x = 9 mod 30 (i) 15x = 18 mod 21 (j) 9x = 1 mod 30 (k) 4x = 3 mod 34 (l) 4x = 4 mod 22 The ISBN-10 for An Introduction to Mathematical Finance by Sheldon Ross is 0 − 521 − 77043 − x. then the check digit d10 solves (1.

(a) do not erase. (a) orubkrgsv. you may want to use use ECrypt. the standard alphabet (abcdefghijklmnopqrstu vwxyz). and the speciﬁed key. m = 15. you may want to use use ECrypt. k = 9 (c) the people in philadelphia deserve to have a winner its simple as that. k = 2 Decrypt the following with the afﬁne cipher using the speciﬁed keys.. you may want to use use ECrypt. etc. Maple. k = 6 (c) qredqjyialordiixjxllpdhjnarslwlleylrgfevrwjnirwrgwylrpfvjihliijgrhfbje dfglyzhdluqialunbpfldizrejeialqrbljqiallryiafarslwllefewruuorypdqjydls leillehlrydregarslelslyylblfslgrehiafevwnipfegelddreglebjnyrvlzleiqyjz hjnqredujjpriialdlvyregzlexafbajqhjnxjnugeibjedfglyfiialafvaufvaijqafd bryllykndiijrddjbfrilxfiaialzqjylslejelgrh. k = 10. m = 19. k = 24 (c) mr gorbachev tear down this wall. k = 7 (b) who here believes tim should grow a beard. For longer messages. m = 9 (b) eperfwddjesgrdzexmredjejmrke. For longer messages. For longer messages. k = 7 Encrypt the following with the afﬁne cipher. (a) kbktznuamnrgxmkzxgizyulkaxuvkgtjsgteurjgtjlgsuayyzgzkyngbklgrrktuxsgel grrotzuznkmxovulznkmkyzgvugtjgrrznkujouaygvvgxgzayultgfoxarkckyngrrtuz lrgmuxlgorckyngrrmuutzuznkktjckyngrrlomnzotlxgtikckyngrrlomnzutznkykgy gtjuikgtyckyngrrlomnzcoznmxucotmiutlojktikgtjmxucotmyzxktmznotznkgoxck yngrrjklktjuaxoyrgtjcngzkbkxznkiuyzsgehkckyngrrlomnzutznkhkginkyckyngr rlomnzutznkrgtjotmmxuatjyckyngrrlomnzotznklokrjygtjotznkyzxkkzyckyngrr lomnzotznknorryckyngrrtkbkxyaxxktjkxgtjkbktolcnoinojutuzluxgsusktzhkro kbkznoyoyrgtjuxgrgxmkvgxzulozckxkyahpamgzkjgtjyzgxbotmznktuaxksvoxkhke utjznkykgygxskjgtjmagxjkjheznkhxozoynlrkkzcuarjigxxeutznkyzxammrkatzor otmujymuujzoskznktkccuxrjcozngrrozyvuckxgtjsomnzyzkvyluxznzuznkxkyiakg tjznkrohkxgzoutulznkurj .EXERCISES 31 (d) (e) x + y ≡ 14 8x + y ≡ 6 mod 16 (15) (16) (17) (18) x + 16 y ≡ 8 mod 20 11x + 19 y ≡ 11 Encrypt the following with the additive cipher. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica. the standard alphabet (abcdefghijklmnopqrstu vwxyz). the standard alphabet (abcdefghijklmnopqrstu vwxyz). (a) efgqzospux. you may want to use use ECrypt. k = 6 (b) bpiwtbpixrpxhiwtqthiegdvgpb. m = 5. m = 17 (19) Cryptanalyze the following additive ciphertext.). k = 5. k = 15 (c) vuaolmpyzakhfvmjoypzathztfayblsvclzluaavtlhwhyaypknlpuhwlhyayll. For longer messages. m = 19. (a) go steelers. k = 25 Decrypt the following with the additive cipher.. and the speciﬁed keys. k = 17 (b) a spoon full of sugar makes the medicine go down. and the speciﬁed key.

. and then you re-encrypt the ciphertext with keys m2 and k2 .. Maple. (a) dmdcdilmdskvnbdcomjmkdzqdlmbmlqb (b) gpatqazdqawlpalenqzaslpgunalgenkgffdguqcvanzfgtqecllpqldcqwqangnyehglu idqqzkqpefzlpquqldclpulerquqfhqtgzqnllpalaffwqnadqidqalqzqmcafgpatqazd qawlpalenqzasenlpqdqzpgffuehyqedygalpquenuehhedwqdufatquanzlpquenuehhe dwqdufatqeknqdukgffrqarfqleuglzeknleyqlpqdallpqlarfqehrdelpqdpeezpatqa zdqawlpalenqzasqtqnlpqulalqehwguuguugvvgaulalqukqflqdgnykglplpqpqalehg nxculgiqukqflqdgnykglplpqpqalehevvdquugenkgffrqldanuhedwqzgnleaneaugue hhdqqzewanzxculgiq (c) vxwszokjwpkvzwotmkjzgjmkvuuvpjaijokhmzdjokhltmbavdrvdjokhptuuijavmjvmj zwokzftotftmkjzgjmbtgjxfoktfazhvxwaztuhiwjzazmasvwbtgjxfvxwowjfezffjfz fpjsvwbtgjokvfjpkvowjfezffzbztmfoxfzmaujzaxfswvdojdeozotvmzmaajutgjwxf swvdjgtuzdjm (21) Suppose that you double-encrypt some plaintext with the afﬁne cipher.). The resulting ciphertext is also afﬁne with keys m3 and k3 . k1 . and k2 . the 2nd with the second-tolast..32 1. etc. Carefully relate m3 and k3 to m1 . m2 . MODULAR ARITHMETIC (b) jbnbmsfbezgbsopsuipgmpoepoboebtjxbmljouiftusffutpgqfufstcvshijgffmbdpm eopsuifsocsffafqmbzvqponzdiffltxijdicsbdftnzofswftboegjmmtnfxjuiefmjhi uepzpvvoefstuboeuijtgffmjohuijtcsffafxijdiibtusbwfmmfegspnuifsfhjpotup xbsetxijdijbnbewbodjohhjwftnfbgpsfubtufpguiptfjdzdmjnftjotqjsjufeczuij txjoepgqspnjtfnzebzesfbntcfdpnfnpsfgfswfouboewjwjejuszjowbjoupcfqfstvb efeuibuuifqpmfjtuiftfbupggsptuboeeftpmbujpojufwfsqsftfoutjutfmgupnzjnb hjobujpobtuifsfhjpopgcfbvuzboeefmjhiu (c) ivdveufljrdflekfwkzdvkfnrcbkfddpveafpjkyvkirzekfdfiifnkfddptflcukrbvky vkirzerxrzefikrbvkyvkivbspwffk (20) Cryptanalyze the following afﬁne ciphertext. etc. First you encrypt the plaintext with keys m1 and k1 . Write an equation that mathematically represents the action of the Atbash cipher. Does this double afﬁne encryption provide any additional security over regular afﬁne encryption? (22) The Atbash cipher replaces the 1st letter of the alphabet with the last. .. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica.

vanilla. or strawberry) and one type of cone (sugar or cake). there are 6 possible outcomes for the ﬁrst die and 6 possible outcomes for the second die. YahtzeeTM requires players to roll 5 dice. Counting Counting is a basic mathematical skill that many American children learn by watching Sesame Street.1: Jake wants an ice cream cone. (Note.1 (Fundamental Counting Rule). and he can choose one ﬂavor of ice cream (chocolate. Example 2. How many possible ice cream cones can he choose from? According to the fundamental counting rule. but we want to extend that skill to count very large quantities that cannot easily be written down. for example. possibly with the help of a tree plot. We can also list the outcomes in this case.1: All possible outcomes for a pair of regular six-sided dice. If event A can occur m ways and B can occur n ways.1. the number of possible 5-dice rolls is 6 × 6 × 6 × 6 × 6 = 65 = 7776. is different which suggests that there are 6 × 6 = 36 possible outcome pairs.) This is an example of the fundamental counting rule. if you roll two standard six-sided dice. 33 . then A and B together can occur mn ways.1. Since there are six possible outcomes for each die. strawberry/cake chocolate/cake vanilla/cake strawberry/sugar chocolate/sugar vanilla/sugar. Figure 2. Clearly. For example. How many possible outcomes are there? We certainly don’t want to try to list them all. that a from a .CHAPTER 2 Probability 2. there are 3 × 2 = 6 possible ice cream cones. The fundamental counting rule can be extended to more complicated situations. For example. you can easily record all possible pairs as shown in Figure 2. THEOREM 2. so we try to count without an explicit list of possible outcomes.

Now suppose that Jake has invited 7 of his friends to dinner at his house and he needs to call each of them to warn them about the vicious new dog next door. e1 e2 is the same as e2 e1 and there are only 10 different pairs of errands. . How many sequences of calls are possible? He can pick the ﬁrst person he calls in 7 different ways. then n! = n(n − 1)(n − 2)(n − 3) . . For convenience.. e2 the second.. there are 5 × 4 = 20 ways to choose two errands. (n − r + 1)(n − r) . if n is a positive integer. How many ways can he choose 2 errands out of 5? He can choose the ﬁrst of the two errands in 5 ways and the second in only 4 ways. we have the following theorem. . the second (n − 1) ways. etc. Using the fundamental counting rule. for a total of 7 × 6 × 5 × 4 × 3 × 2 × 1 = 5040 possible sequences. and so on. If e1 represents the ﬁrst errand.. which we read as “seven factorial". . for example.. We can use the fundamental counting rule to determine the number of permuations of r distinct objects that can be formed from n distinct objects. In general. . then there are 20 2-errand sequences. . perhaps unrealistically. . By itself. (3)(2)(1) n! (n − r)! .34 2. the second in 6 ways (because the ﬁrst person has already been called). The ﬁrst object can be chosen n ways. the order does matter. (3)(2)(1) (n − r) . . . and the r th (n − r + 1) ways. an ordered arrangement of objects is called a permutation. In general. then. If. Therefore.. then the 20 possible sequences of 2 errands are as follows. . . we write 7 × 6 × 5 × 4 × 3 × 2 × 1 = 7!. e2 e1 e1 e2 e1 e3 e1 e4 e1 e5 e2 e3 e2 e4 e2 e5 e3 e1 e3 e2 e3 e4 e3 e5 e4 e1 e4 e2 e4 e3 e4 e5 e5 e1 e5 e2 e5 e3 e5 e4 The key question here is whether or not the sequence of the errands matters. . the third in 5 ways. for a total of n Pr = n(n − 1)(n − 2) . (n − r + 1) = = n(n − 1)(n − 2) . but can be impractical in larger problems. Now suppose that Jake has 5 errands to complete. but it will soon be convenient for us to deﬁne 0! = 1. If order does not matter. but he only has enough time to complete 2 of them. 0! doesn’t make any sense. (3)(2)(1). PROBABILITY Tree plots can be helpful in small problems like this one.

we can write out all of the possible permutations BC D BC E BDE C DE BDC BEC BE D C E D C BD C BE DBE DC E C DB C EB DEB DEC DBC EBC EBD EC D DC B EC B E DB E DC 5! and see that there are 60 of them. so let’s look at a few examples. BCA. then 8 P5 = 8! (8 − 5)! = 8! 3! = 8 × 7 × 6 × 5 × 4 = 6720. 598. In both cases. remember to check that you are sampling without replacement from a set with no repeated elements. because we deﬁned 0! = 1. An unordered arrangement of r distinct objects taken from n distinct objects is a combination. B. n Cr = n r = is read “n choose r". so 52 C5 ABC AC B BAC BCA CAB C BA ABD ADB BAD BDA DAB DBA ABE AEB BAE BEA EAB EBA AC D ADC CAD C DA DAC DCA AC E AEC CAE C EA EAC ECA ADE AE D DAE DEA EAD E DA = 52 5 = 52! 5!(52 − 5)! = 52! 5!47! = 2.2) because any permutation of r distinct objects can be rearranged in r! different ways that are equivalent if order doesn’t matter. AC B. n! 0! Note that there n! ways to choose n objects from n objects and Theorem 2. or we could compute 3 P5 = = 60. the number of combinations is = = 10. 3 3!2! Example 2.3: Let S = {A. ABC.2 works in that case. D. For example.1. order does not matter. Assuming that the order of the ﬂags matters. n = 8. CAB. BAC. and we can derive the number of combinations from the permutation rule (Theorem 2.4: How many different ﬁve-card hands can be made from a standard card deck of 52 cards? Here. 960. n Pn = = n!. how many different signals can he make from ﬁve ﬂags? In this case. How many ways can you choose 3 letters from S if order matters? In this case.2. If order does not matter. Example 2. THEOREM 2.2: If Bob has eight different color ﬂags. Then you have to determine whether or not order matters. E}. then all 2! of the entries in each column are equivalent to each other. Therefore. C. r = 5. and there are 3! of them since there are 3! 5 5! permutations of 3 objects. and C BA (ﬁrst column) are all equivalent if order doesn’t matter. The number of combinations of size r from n distinct objects is n! r!(n − r)! The symbol n r . . COUNTING 35 THEOREM 2. Example 2. This is where people usually struggle the most. Students often struggle with permutations and combinations in applied problems.3. The number of permutations of size r from n distinct objects is n Pr = n! (n − r)! .2. Therefore.

In other words. The sample space for the number of pips on the up-face of a standard six-sided die is {1. there are only 4 C30 = 4!26! 2. if A is the event of rolling a 5 with a standard die. 5. denoted A ∪ B. because there is 1 entry in A = {5} and 6 equally likely entries in S = {1. the sample space for ﬂipping a coin and observing the up-side is {heads. how many different games are possible? For each game. 4. the second the \$10 bill. probabilities are numbers that reﬂect the likelihood that an event will occur. It is clear from (2. 3. then 11 P2 = 9! 9! (11)(10)9! 11! = = 55 possible matchups. or both A and B occur as shown graphically in Figure 2. Probability The set of all outcomes of a random experiment is called the sample space. 3. Repeated rolling of a die produces the same result in an approximate way. The more trials there are. then the probability of A is (2. Also. the same. How many different ways can the money be awarded? In contrast to Example 2. Therefore. tails}. 4. B occurs. then P(A) = 1 6 . If all events in S are equally likely.1) that 0 ≤ P(A) ≤ 1 and that P(S) = 1.3a and 2. 6}. and so on. if an experiment is repeated a large number of times. 2. Therefore. there are 4 P30 = = 657.2) P(A) ≈ number of times A occurs number of trials . a \$10 bill. For example.6: Suppose that a generous instructor brings a \$20 bill. Example 2. If. (Go ﬁgure. Each person selected wins \$1. order doesn’t matter and there are 11 C2 = 9!2! 9!2 Example 2.5: There are currently (2010) 11 schools in the Big Ten conference.1) P(A) = number of elements in A number of elements in S . 6}. the more likely the estimate is to be close to the exact probability. See the simulations in Figure 2.2. if the games are played at neutral sites. An event A is a subset of the ﬁnite sample space S. 720 26! different ways to award the money. 405 different ways to award the money. The ﬁrst person wins the \$20 bill. The .7: A less generous instructor brings four \$1 bills to class one day. order clearly matters because the prizes are different. How many different ways can the money be awarded? In this 30! example. puts all of his 30 students’ names in a hat and draws four different names.) If the conference is planning a future year’s football matchups. 2. and a \$1 bill to class one day. for example. However. and repeats are not possible since no team can play itself. then (2. PROBABILITY Example 2.3b. He puts all 30 students’ names in a hat and draws four different names. order does not matter because the prizes are all 30! = 27. indicates that A occurs.36 2. Since this is clearly a permutation or combination problem. For example. a \$5 bill. then order matters and there are 11! (11)(10)9! = = 110 different matchups. The union of events A and B. the ﬁrst team chosen plays at home. the conference must choose 2 teams out of 11.2. 5. the only issue is whether or not order matters.6.

P(A ∩ B) = 4 52 + 26 52 − 2 52 = 28 52 = 7 13 ≈ 0. sets A and B are disjoint (see Figure 2.2.3c.3) and P(A ∩ B) = 0. we see that the area of A ∪ B is equal to the sum of the areas of A and B.538461. We’ll denote the complement of A by Ac . let A be the event of drawing an ace and let B be the event of drawing a red card. It is clear that A ∪ Ac = 1Note the spelling of complement. THEOREM 2. Example 2.4 (Addition Rule). intersection of A and B. P(A ∪ B) = P(A) + P(B) − P(A ∩ B) Looking at Figure 2.27 Example 2.9: In a standard deck of 52 cards. Note that there is considerably less variation with more repetitions. The complement1 of an event A is the set of events for which A did not occur. so we have to subtract it from P(A) + P(B). but other authors use other symbols like A and ∼ A. .2.8: For the experiment of rolling a pair of dice (see Figure 2. Then. P(A ∪ B) = P(A) + P(B) − P(A ∩ B) = = 5 36 10 36 + = 6 36 5 18 − 1 36 ¯ = 0. If someone says that you did a great job on a paper. then the occurrence of A excludes the possibility of B and the occurrence of B excludes the possibility of A.3a.2: Frequencies of outcomes from simulations of a hundred.1). This implies the addition rule for probabilities. except that we have to be careful not to double-count the area of A∩ B. a thousand. In other words. means that both A and B occur. and a million rolls of a fair die. as shown in Figure 2.3b). let A be the event of rolling a sum of 6 and let B be the event of rolling “doubles”. If A and B are mutually exclusive (Figure 2. then that is a compliment. PROBABILITY 37 Figure 2. denoted A∩ B.

0588 since there are only 3 aces and 51 cards left. We denote the conditional probability that B will occur given that A has occurred by P(B|A) and we observe the following theorem. 52-card deck is 4/52 = 1/13 ≈ 0. or (2. the probability that your second card will also be an ace. Example 2. 2. However. given that your ﬁrst card was an ace. Therefore. In problems where P (Ac ) is easier to compute than P(A). is 3/51 ≈ 0. 6 6 Sometimes probabilities depend on previous events. (2.3) can be very helpful.10: If A be the event of rolling a 3 on a fair six-sided die. then Ac is the event of rolling a 1. standard. the probability that you will be dealt an ace from a well-shufﬂed. and in (d) the lighter area in (c) is A and the darker is Ac . For example. or 6 and P(A) = and P(Ac ) = .3: The shaded areas in (a) and (b) represents A ∪ B. .0769 since there are 4 aces and 52 cards. PROBABILITY Figure 2. S and A and that Ac are mutually exclusive. the application of the addition rule shows that P(A) + P (Ac ) = P(S).3) P (Ac ) = 1 − P(A). 5.38 2. In (b) the events are mutually exclusive (or the sets are disjoint). The shaded area in (c) represents A ∩ B. 1 5 4.

.00452 221 Two events A and B are independent if the occurrence of one has no effect on the other. For instance. Index of Coincidence The index of coincidence (IoC) for a body of text is the probability that two (uniformly) randomly selected letters are the same.. .3. then the multiplication rule (Theorem 2.. For example. Whenever A and B are independent P(B|A) = P(B). P(A ∩ B) = P(A)P(B|A) Example 2. Two events are dependent if they are not independent.6) IoC = = n1 n 1 n(n − 1) n1 − 1 n−1 26 + n2 n n2 − 1 n−1 + . i i=1 . etc. implies (2. P(A|B) = P(A) and the multiplication rule simpliﬁes to P(A ∩ B) = P(A)P(B). n26 n n26 − 1 n−1 ni (ni − 1) i=1 Equation (2. = 4 · 3 If n is the total number of characters in the text and there are n1 a’s. ∪ (Z1 ∩ Z2 ) Since each pair of letters is mutually exclusive of every other pair.4) IoC = P(A1 ∩ A2 ) + P(B1 ∩ B2 ) + . then C and D are dependent events.11: Let’s use the multiplication rule to determine the probability that the top two cards in a shufﬂed deck are aces. then A and B are independent events..7) IoC = 1 n2 26 n2 . 2. etc.4) implies that (2...5) (2. Indices of coincidence are different for every book or article and they are relatively easy to compute using our probability rules. if C is the event of drawing a heart (♥) from a standard deck of 52 cards and D is the event of drawing a club (♣) on the next card without replacing the ﬁrst card. INDEX OF COINCIDENCE 39 THEOREM 2.5).6) is often further simpliﬁed by assuming that all of the ni are large so that ni ≈ ni − 1 and (2. if A is the event of getting heads on the ﬁrst toss of a coin and B is the event of getting heads on the second toss. . Let A be the event that the ﬁrst card is an ace and let B be the event that the second card is an ace.2. the addition rule (Theorem 2. Then IoC = P(two randomly chosen letters are the same) = P (A1 ∩ A2 ) ∪ (B1 ∩ B2 ) ∪ .5 (Multiplication Rule).. Then P(A ∩ B) = P(A)P(B|A) 52 51 1 = ≈ 0.3. . + P(Z1 ∩ Z2 ).. Let A1 be the event that you get an a as the ﬁrst chosen letter and A2 be the event that you get an a as the second letter. n2 b’s.

. Example 2.2. the closer the IoC of the ciphertext is to 0." is a short sentence of 36 characters that famously uses each letter of the alphabet at least once. So. Number of Text Characters IoC “The Gold Bug” 58. we ﬁnd IoC = 34/1260 ≈ 0. t (twice). For a sufﬁciently long text. provided that the texts are sufﬁciently long.270 0. we have (2. .7) is not appropriate here since each ni is so small and it leads to a very poor approximation of 70/1296 ≈ 0. and u (twice). . Because each body of text is long.. let’s ﬁnd what the IoC should be for ciphertext. h (twice).001)2 ≈ 0.066 2006 State of the Union Address 25. + P(Z1 )P(Z2 |Z1 ).. all letter pair events (like A1 and A2 ) should be almost independent.082)2 + (0. What are more typical values of the IoC for 26-letter English? The following table shows the IoCs for the four texts we considered in Section 1. that the probability model for English with the standard 26-letter alphabet is fairly consistent from text to text.12: "The quick brown fox jumped over the lazy dog.1.260 0. Using the probabilities in Table 1. . o (four times).9. which is consistent with our results in Example 2. .064 “Julius Caesar” USA Patriot Act 286. Then IoC ≈ P(A1 )2 + P(B1 )2 + .038. the better a cipher masks letter frequencies.4) and explicitly using the multiplication rule. . We saw in Section 1. + 1 26 2 = 26 262 = 1 26 ≈ 0.6) and its approximation in (2. . Classroom Exercise 2. + P(Z1 ∩ Z2 ) = P(A1 )P(A2 |A1 ) + P(B1 )P(B2 |B1 ) + .014)2 + .6% chance that two randomly selected letters are the same. A necessary condition for a good cipher is that it masks all of the letter frequencies. So. unusual text. .066 86. so let’s assume that every letter in the ciphertext is equally likely. e (four times).027.054. Example 2.6). + P(Z1 )2 = 1 26 2 + 1 26 2 + . + P(Z1 )2 . . we have IoC = P(A1 ∩ A2 ) + P(B1 ∩ B2 ) + . + (0. .7) are almost identical. .40 2.940 0.13: Example 2.8) IoC ≈ (0.038. Using the reduced form (2. Using (2.0658. PROBABILITY but this is not necessary and doesn’t really offer an advantage unless we’re computing the IoC by hand.070 Let’s come up with a theoretical IoC for 26-letter English. In other words. so IoC ≈ P(A1 )2 + P(B1 )2 + .12 used a very short. there is about a 6.2. in long English texts.9.699 0. then we can approximate its IoC using the frequencies from Table 1. Only 7 letters are used more than once: d (twice). Returning to (2. the IoC in (2. r (twice).13. if we’re considering a text that is long enough to follow the distribution in Figure 1.1: How is the IoC for afﬁne ciphertext related to the IoC for the related plaintext? Finally. with probability 1/26.

[3]. it is convenient to mathematize our cipher. The difference between the Vigenère cipher and the additive cipher is that the value of k in (1. we line up the characters from the plaintext and write the keyword repeatedly under all the characters and then shift each plaintext character by the amount from the corresponding key. and so on. 851. according to Kahn [3]. Vigenère Cipher History.. then there are 92. Count the Super Bowls. the ﬁrst plain character t is shifted by 5 (f) to give y. + 2620 = 20. then there are 26 + 262 + 263 + . the second character h is shifted by 14 (o) to give v. . 270 ≈ 294 2A nomenclator is a type of substitution cipher. .. but. If we relax our restriction and accept any string of characters up to and including 20 letters. it is nothing for a modern computer. Plaintext: theeaglesarethebest Key: footballfootballfoo Ciphertext yvsxbgwpxofxuhpmjgh To be speciﬁc. Encryption and Decryption. 725. Currently (2010). . where the key is now the sequence of L integers {k0 .2. . according to Mathematica. k L−1 } instead of a single integer k.4. 433. 518 ≈ 216.20) changes periodically. It was (erroneously) considered unbreakable for about 300 years. electroencephalograms. 017. electroencephalograph. later e cryptologists falsely attributed what we’ll call the Vigenère cipher to him. there are only seven words (counterrevolutionaries. 274. but the key can be substantially longer because the Vigenère cipher uses a keyword (or sequence of integers) instead of a key letter (or single integer). electroencephalographs. then the i th ciphertext character is (2. Revisitng the example above. For example. consider the plaintext theeaglesarethebest3 with keyword football.9) ci = pi + ki mod L mod 26.5 words in Mathematica’s dictionary. but this may be because professional cryptologists preferred nomenclator2 ciphers instead. electroencephalographic.and deep down. electroencephalography. 518. Vigenère CIPHER 41 2. Before we can determine the size of the keyspace. 805. 000 words in the English language. so it seems reasonable to restrict our attention for the time being to words up to length 20.4. magnetohydrodynamical) in the English language with more than 20 letters. we can now encrypt simply by adding in columns modulo 26. 785. Plaintext: 19 7 4 4 0 6 11 4 18 0 17 4 19 7 4 1 4 18 19 Key: 5 14 14 19 1 0 11 11 5 14 14 19 1 0 11 11 5 14 14 Ciphertext: 24 21 18 23 1 6 22 15 23 14 5 23 20 7 15 12 9 6 7 Keyspace. the Steelers are the best. . The Vigenère cipher is a generalization of the additive cipher that thwarts direct frequency analysis. While that is too large to exhaust by hand. so let’s just say that there are about 100. If pi is the i th plaintext character. If we insist on actual English words for keywords. Again. The Vigenère Cipher is similar to the additive cipher in that it is consists of additive shifts. Other dictionaries may have more words. . To encrypt. 3One author disagrees. we have to decide on how long the keywords can be. Vigenère recorded both plaintext and ciphertext autokey versions of his cipher in his 1586 Traict´ des Chiffres. k1 . the other author knows that. in fact.

or 10. This is impractical in most situations because so much key is required. the “hotline” between Moscow and Washington. Both of these tests are hard to implement if L is large because the keyword is not repeated very often. . so only human error would allow an adversary to successfully cryptanalyze one-time pad ciphertext.C. then the difference in position between the repeated strings must be a multiple of length of the keyword.even for a modern computer. and the last time it appears it lines up with the s in twist. the ﬁrst letter of wood corresponds to the i in twist. in 1949. L. Kasiski’s observation was that if you could identify repeated strings in the ciphertext. We will discuss two methods of determining L. so the keyword is probably a factor of 18 − 8 = 10 = 2 · 5. and it is .42 2. then it is possible. but it is very secure. the plaintext howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood has several strings that appear repeatedly. This suggests that the keyword likely has length 2. then the Vigenère cipher is called a one-time pad. If we can determine the length of the keyword. For example. and it is encrypted in only three different ways. Claude Shannon [9] proved that the one-time pad is theoretically unbreakable. 5. which we already know how to do. Why? The ﬁrst two times that wood appears. Plaintext: howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood Key: twisttwisttwisttwisttwisttwisttwisttwisttwisttwisttwisttw Ciphertext: akeenvdeghwswmewweghwypmvdypmvdensphkluanysuhnhluanysohhz The word wood appears four times in the plaintext. attacking the Vigenère cipher requires a subexhaustive attack. However. Additive and afﬁne ciphertext can be attacked exhaustively because their keyspaces were small: 25 and 311. PROBABILITY Figure 2. Encrypting with the keyword twist gives ciphertext that also has repeated strings. 518 words. that the repeated ciphertext strings correspond to the same plaintext strings. So exhaustion is out of the question in this case. was encrypted with a one-time pad during the Cold War. The Kasiski test exploits repeated strings of characters in the plaintext. D. The third time wood appears it lines up with the second t in twist. then we only need to solve L additive ciphers. In our example. but not necessary. Cryptanalysis of Vigenère Cipher. 37) recommends having ciphertext that is ﬁfty times longer than the key to have reasonable hope of success. In fact. According to [13].4: The frequencies of lengths of English’s 92. Kasiski Test. That looks like a big number (20 octillion plus change). If that is the case. the Kasiski test and the Friedman test. Similar things happen with the strings chuck and dchuck. possible keywords. Churchhouse [1] (p. eghw starts at positions 8 and 18. respectively. If the keyword is as long as the plaintext and the characters in the keyword are generated randomly.

Even with a computer. so be sure that you don’t tackle ciphertext that is really long unless you are prepared to wait awhile. A nice Mathematica notebook KasiskiTest. but that actually makes the cryptanalysis easier because long repeated strings are more likely.edu/m/mcdevittt/Crypto. Starting Differences in Positions Starting Positions snxurjnq 296 468 468 − 296 = 172 = 22 · 43 824 824 − 468 = 356 = 22 · 89 xqsrwmin 94 226 226 − 94 = 132 = 22 · 3 · 11 wnjqdyfq 1104 1116 1116 − 1104 = 12 = 22 · 3 Polygraph Since the differences in starting positions all involve 22 . Finding the repeated strings and their starting positions is tedious to do by hand. ).4.html.txt. Vigenère CIPHER 43 Example 2.14: Consider the following ciphertext (users.nb can be found at users. . oig acc aib dtj rpq utu jzu fcj xox etl mqt fdj cqq ttu qnt rda quf ghn nlq fiq xpq uhq gbw czt dbc nox sjh xau cjf nud smi lmi dbn xpd hjs chx thq oei uai zag wra cec gwg zdd agn wnm fxx ecx phx cbm dtb wgu fwr nqq djp axq tta wad tdo xvq yiq fbu tah jnu qcc vnt uzs cnq hfw ljl xqs ifu nuc vqn mnj rjh axt iau ynj pcb igv wnl yet rqn lqh dwo iri tnu byh zpc jnm ftb rwm dln pjx xxe ccz zdc mbq oic ccf qgc qnt qsn qiz tth xfh zsn qyb diq tws cac aug nuc inx bmk ply yui puu bma gnb bql rjh int tay xur day amk tcb lsd txj qpa liz qcj pqt opw nwa rda rmm dvn uii mkn xlx zte myp tpe jnq psn nnt mic mmt xtk mmv xig gou fwn rnc htm cza rvq lqr aym inx qfd tcb qgc bmi wuf fac pyz sdl qln bnn asn xur jnq ntd byi wxb qgn aci stc bqg ocf let wmq lnw mcw iqc eva igc mnt wac byo gjn qsr sfc xau cfi uyz ydu xls tcq tpc xlu ftm bqg nna yfw dmr pam acx sci fwn adt jnf upl nnm znc zra tuu eio oxa vym bqh nxq pmm tpu puf tpe ymc nqn sfw::::::::::::: njq dyf qux : leq aig vqn rda gcs mcm xqs rwm uxc xqi tjl qtw xxh agj hkc jnu udt vyf dwu sgn pyi dir izd ont amk nnt trl xxe irh spw xbg xjq ifs nxu rjn qln tkl mkn gqc uch nrp aun dey aja dcy zda fac plq ntt hxu sqy dtr iqy gco czx bbq vxn jxh pww qsr pbe dtv uuc rhs ymh nxp tei fxx hdl qdo xqk xnu fzd cbm knx utm xan tdo zdt nxa lf::::::::::::::: w njq dyf qhq ntd inx amv dwm ufq pcz yei gcb wmc xwa jad bng nuh sfi nuh qnz hfd dwn czk bjh uxa wnt fdc nxu arx jnf utu quf mif wif mcm aja nta oid dzf auf agn cbm tpc jcz piq wif xbw bqe cja hot anz xmh iqu yew rxh xqp lnl qtp jbn bur wnl oei ilu qqw iqu ufv enl Short repeated strings can happen accidentally.etown.etown. so we prefer relatively long strings. It’s fairly long. ﬁnding repeated strings can be a little slow. you can see several highlighted repeated strings and here are their starting positions.2.edu/m/mcdevittt/Vigenere1. the keyword probably has length 2 or 4. In the above text. so we recommend using ECrypt or some other appropriate software.

14 and knowing that L = 4. for example. so ˜ = 3 must be wrong. Since 4|8. p4 . recovery of the plaintext is fairly easy because it only requires cryptanalyzing L additive ciphers. If. L Table 2.044 0.067 0.44 2. . as the Table 2. 0. Example 2.077 0.} were encrypted with k2 . we break down the cipher into its four subsequences: c1+4 j c2+4 j c3+4 j 247 j=0 246 j=0 246 j=0 246 obnbwaxonaqawbcwnclnmrcmrncabxjujandxjwnjjejbpccwxjj.051 0. 15} (or jjmp). which gives the obviously incorrect putative plaintext fzursnorelndspvenjeardagozurflthecs brzugheforehonehisnonttnene.042 0. . so we think that one of these is correct. PROBABILITY Putative Keyword Length ˜ L 1 2 3 4 5 6 7 8 9 c1+ j ˜ L 0.072 0. What we’ll do is simply try different keyword lengths ˜ . This L method is both faster and more reliable than the Kasiski test.077 0..16: Continuing Example 2.042 0.046.haehdti that have the frequencies shown in Figure 2.048 0.078 0.044 0.066.051 0. k3 } = {9. the indices are 0. then {p1 . That means that each subsequence should have an IoC near 0.047 0.041 c2+ j ˜ L 0.} were all encrypted with k1 .063 0. Finding Plaintext. A little trial and error reveals that k1 = 20 (jump) and the original plaintext fourscoreandsevenyearsagoourfathersbroughtforthonthiscontinent. These charts suggest that {k0 .043 0.043 Table 2.044 0.055 0.1 shows. p7 . .079 0. .qxfudtd c4+4 j j=0 ggstpvgwqvddxctcpcrtagcsidedxwacrifcttvctxltctgixgcd.049 Indices of Coincidence for Subsequences of the Ciphertext c3+ j ˜ c4+ j ˜ c5+ j ˜ c6+ j ˜ c7+ j ˜ L L L L L c8+ j ˜ L c9+ j ˜ L 0.047 0.067 0. we can also use it to ﬁnd the length of the Vigenère keyword.058 0. The IoCs for ˜ = 4 L L and ˜ = 8 are close to 0.048 0.qwnqvnq iwuysmiulinnnwcnqciccvsxwxbichnglyxuqlaxanclnqbbuhhn.066. which suggests that this is probably Vigenère ciphertext. 9.047.15: Let’s reconsider the ciphertext in Example 2. p6 .046.047 0.065 0. However.080 0. The IoC is 0.044.047 0. and 0. 12.048. .046 0.054 0.048 0. L ˜ = 3.044 0.5. Experiments show that the index of coincidence for Vigenère Cipher is approximately 0.. However. p10 . but it requires the use of a computer.fuilznu gazhqmgfegrttazmzazhzqmqmfqbffmqqmqxiqmudoxfutqmfaku.14.059 0. and {p3 . Once the length of the keyword is known. p5 .. whereas it is about 0. {p2 . so the IoC is a statistic that can be used to distinguish between Vigenère and afﬁne ciphertext.045 0.045 0. p8 ..1 shows IoCs for all of the subsequences for values of ˜ from one to nine.080 0.045 0. then we are guessing that L = 3.073 0.1: Table of Friedman’s indices of coincidence for subsequences of the ciphertext. Friedman Test. k2 . If that is correct... p9 . it must be that L = 4. k1 . ...} were all encrypted with L k0 .061 0.046 0. .044 0.043 0. Example 2. . . .058 0.066 for English and afﬁne ciphertext.050 0.

How many different sequences of whistles could she if she uses three different whistles each time? (2) Melissa has top-of-the-line clothing. She has seven different whistles to get his attention.5.5: Frequencies of ciphertext characters in the four subsequences of the Vigenère cipher in Example 2. Exercises (1) Kelly is trying to communicate with her best friend Bill.14. How many different outﬁts can she make? (3) Jordan has a gambling problem. each with a different pitch.EXERCISES 45 Figure 2. what is the chance that he ﬂips a head three times in a row? (4) How many factors do each of the following integers have? . Assuming the probability of ﬂipping a heads is 0. He enjoys making bets on things such as ﬂipping a coin. three different shirts. She has four different pairs of shoes. and six pairs of pants.

Matt has gotten the best start 72 times and Paul has gotten the best start 18 times. Matt. She is allowed to use lower-case letters. if she rolls a 6 she gets to go again. Patty needs a 1 to win and cannot move on any other value of the die. . 2. If you choose two letters at random from a large book. Patty (green) is one spot from winning and it is her turn. . 28}. Paul. What is the probability that x + y ≡ 7 mod 17? If x ∈ {1. Assume that the same conditions hold for the ﬁnal race that held for the ﬁrst 143 races. = . Patty uses the Pop-a-matic R bubble to “roll” the die and then moves that many spots. and the six characters !?#\$(). what is the probability of both of these independent events happening on the same day? What is the probability of rolling a fair die so that you ﬁrst roll a 6.074%. On her turn. How many different passwords can she make? Recall that the probability of choosing an e is approximately 12% and the probability of choosing a z is 0. However. (a) What is the probability that Patty wins on her next turn? 1 1 1 6 Hint: 1 + + 2 + 3 . what is the probability that x −1 mod 29 is not prime? There are three racers. As the whistle is blown: (a) What is the probability that Matt gets the best start? (b) What are the probability that neither Matt nor Paul get the best start? Nikki needs to make a password for her computer so Rachel cannot hack into it. on any given day. Her password needs to be a minimum of 6 characters and a maximum of 12 characters long.46 2. and Zach. the probability of class being canceled is 32% (yeah right!) and the probability of pigs ﬂying is 12%. . . Out of 143 races. . PROBABILITY (5) (6) (7) (8) (9) (10) (11) (12) (a) 20 (b) 200 (c) 1960 (d) 10800 Two integers x and y are chosen (uniformly) at random from 0 ≤ x < 17. . Brielle (red) is seven spots behind Patty. what is the probability that Brielle lands on Patty’s spot on her next turn? . upper-case letters. then an even number. numbers. trying to win the last race to qualify for the Olympics. and then a prime number? Brielle and Patty are playing Trouble R . 6 6 5 6 (b) Given that Patty doesn’t win on her turn. what is the probability that you get one e and one z? If.

edu/m/mcdevittt/Crypto. keyword=computer (c) the steelers will win the super bowl keyword=ben Decrypt the following messages using the given keyword and the standard 26-letter alphabet. (a) tphftltkrph keyword=bed (b) usfajlevgujwtgldibfymmywrjqxwvqikacogx keyword=betsy (c) zfiikehxrzinxzsvrpqtiomyzvxkicbvnxi keyword=travel Cryptanalyze the Vigenère ciphertext in the text ﬁles (a) Vigenere2 (b) Vigenere3 (c) Vigenere4 all of which are available at users.EXERCISES 47 (13) (14) (15) (16) (17) (18) (c) Starting with Patty’s turn.html For a 26-letter alphabet.e. Carefully relate L3 to L1 and L2 . The resulting ciphertext is Vigenère ciphertext with an effective keyword length of L3 . probability) of the j th letter. where f j is the relative frequency (i. what is the smallest that the IoC can possibly be? What is the largest it can be? Suppose that you encrypt some plaintext twice. You ﬁrst use the Vigenère cipher with a keyword of length L1 .etown. keyword=dentyne (b) pcs are better than macs. Approximately how large is MR for English text? . and then you re-encrypt the resulting ciphertext with a keyword of length L2 . Sinkov [11] deﬁnes the measure of roughness 26 MR = j=1 fj − 1 26 2 . (a) tim likes to chew gum. what is the probability that Brielle lands on Patty’s spot before she wins? Encrypt the following messages with the Vigenère Cipher using the given keyword and the standard 26-letter alphabet.

.

18. but it can be expanded using a recursive rule like (3. 5. −1. 21. 21. 16. 18. 13. 0. 21. Leonardo of Pisa (a. 10. 154. . 59. 15. {0. It is also noteworthy that {kn } appears to be random. 23. then f0 = 0. 3. 95.1) f n = f n−1 + f n−2 . 12. so the original key sequence {k0 . 3. 13. n ≥ 2. 249. . 25. 36. 1. 1. 10. 25. 12. 12. 18. 1. for us. Using (3. . 1. 3.3) kn 89 n=0 = {0. For example. 8. Suppose that you are using a Vigenère cipher with a keyword of length L = 2. 5. and (3. so it is signiﬁcant that {kn } is periodic. 23. let k0 = 0. n ≥ 2. k1 = 1. 1. 1. 23. 5. 23.} instead. but if f0 = 3 and f1 = −2. . 15. 15. In particular. 1. More precisely. This is an extremely short key. 2.1) speciﬁes a linear relationship between f n . 13.1) gives the sequence {7. 2. 13. Example 3. 8. 8. so kn = kn+84 . 11.}. 5.2) kn ≡ kn−1 + kn−2 mod 26. −2. Recursion Recursion. 11. refers to the calculation of integers in a sequence using previous integers in the sequence.k. . 13. 0. if f n is the nth Fibonacci number. 24. 13. 18.1) gives completely different sequences. 21. 5. 21. Note that (3. f1 = 1. −5. 1. 2. but we want to use them for cryptographic purposes.}.}. 2. 1. 21. 21. let’s start out with an example that may be familiar. 14. . 1. . 1. 3. . 8. 21. 3.a. 0. 25. 11. 0.1. k1 } has 49 . The Fibonacci sequence and others like it are fascinating and well worthy of study. 5. 3. 12. 23. we are interested in the recursive deﬁnitions of integer sequences via linear recurrence relations. Note that if we change f0 and f1 . Note that the regular Fibonacci sequence { f n } is not periodic and increases without bound. 8. 5. . 21. 14. 5. 25. 25. . starting over again at n = 84. Note that this sequence is periodic. 11.1. 3.1: Suppose f0 = 7 and f1 = 3.1). Key Expansion. −1. Fibbonacci) was a famous Medieval Italian mathematician who introduced Arabic numerals to the Latin West. 1. 0.CHAPTER 3 Recursion 3. 13. 13. then (3. but he is better known for the Fibonacci sequence. . 25. Here are the ﬁrst 90 terms in the mod-26 Fibonacci sequence: (3. 10. −1. 25. 5. 13. Rather than give a careful deﬁnition of a linear recurrence relation. and let (3. 16. then we have {3. 14. . 25. −3. 15. 24. 13. 5. −2. 14. and f n−2 . f n−1 . that starts with 0 and 1 and proceeds by adding the previous two numbers.

. k1 . We can choose both the number of terms in the recursion and the coefﬁcients. we are expressing a number as a linear combination of powers of 10. thereby strengthening the Vigenère cipher by better approximating a one-time pad. n≥2 . and when we write something like 4085. so 4085 = 10 202 + 4 (20) + 5. Except for some formatting issues. and they read the "digits" from left to right as we do. (3. 3. The ancient Babylonians used 60 as a base. so 4085 = 1 602 + 8 (60) + 5. The Maya used 20 as a base. The machine is just kind enough to write it to the screen as 4085 for our beneﬁt. Other sequences are certainly possible. for 10 so that 4085 = a4520 . . The Babylonians would have recorded 4085 as shown to the left. this is how 4085 is stored internally on a computer. We would either have to write (10)4520 or we would have to use a single symbol. Ten is a convenient base.50 3. More precisely.2. which we abbreviate 4085 = 1111111101012 . n ≥ 3. say a. we would have a small problem with a base 20 system. the recursion kn ≡ 5kn−1 + 19kn−3 mod 26.4) 4085 = 1 · 211 + 1 · 210 + 1 · 29 + 1 · 28 + 1 · 27 + 1 · 26 + 1 · 25 + 1 · 24 + 0 · 23 + 1 · 22 + 0 · 21 + 1 · 20 . twice as long as (3. k1 = 23. by computing enough terms. The number is read from top to bottom and each dot indicates one and each bar indicates ﬁve.1: Compute the period of the sequence deﬁned by kn ≡ 5kn−1 + 9kn−2 mod 26. 4085 = 4 103 + 0 102 + 8 101 + 5 100 . . However. but. The ciphertext nckgbdbicpr medlklalrdhydcjmtwxxmu was generated using a Vigenère cipher with the sequence kn 32 .2). k1 . throughout history people have used other bases. k2 .2: Let k0 = 5. Classroom Exercise 3. Classroom Exercise 3. For example.g. where the subscript 60 indicates the base. which we can abbreviate 4085 = 18560 . . and kn ≡ kn−1 +kn−2 mod 26. 1The term bit was coined by statistician John Tukey in 1947. It is short for binary digit. that would involve some sophisticated mathematics that is beyond the scope of this course. which they indicated with bars and dots as shown to the left. Modern computers use base 2 for arithmetic because information is stored in a binary format (e. Since it takes two characters to write 10. so we might want to understand how we can choose them to optimize the period of the resulting sequence. Decipher n=0 the message. k83 }. k2 } and has period 168. requires 3 starting values {k0 . RECURSION been expanded to {k0 . Binary Arithmetic The number system we use every day is based on the number 10. high and low voltages) that we represent with binary digits (or bits1) 0 (off) and 1 (on).

wav ﬁles store data are quite complicated and we don’t want to delve into them. etc.wav. b with 1.2: Using Table 3. start at the bottom and repeatedly divide by 2. ﬁrst to last). Classroom Exercise 3.3: Write the following integers base 2. this is not what computers do. audio ﬁles (..1. give us the binary representation 4085 = 1111111101012 . is encoded as 77 121 32 100 111 103 32 104 97 115 32 102 108 101 97 115 46 in ASCII. afﬁne. 0 R1 2 1 R1 2 3 R1 2 7 R1 2 15 R1 2 31 R1 2 63 R1 2 127 R1 2 255 R0 2 510 R1 2 1021 R0 2 2042 R1 2 4085 The remainders. The details of how.png.3. Data as Bits Every ﬁle .mpg).1.. For example. we would like to know how to write it in terms of bits. Word R and Excel R documents.3. .mp3. every single one . There is also an expanded version of ASCII called Unicode. All we need to do is associate letters (or characters) with positive integers and then let the computer store the integers in a binary format. but we will stick to ASCII for simplicity. However.e. but it is important for us to understand how English text can be stored as bits. . . DATA AS BITS 51 Given a positive integer. from top to bottom (ı.. for example. It’s pretty simple.jpg.)..on a computer is stored as bits. My dog has fleas. A popular way that computers represent characters is with the American Standard Code for Information Interchange (ASCII) that is shown in Table 3. . movies (. and Vigenère ciphers because it was convenient for us to do so. which is 1001101 1111001 0100000 1100100 1101111 1100111 0100000 1101000 1100001 1110011 0100000 1100110 1101100 1100101 1100001 1110011 0101110 .).3. and the programs that make and display them are all stored as bits. images (. and so on when we studied the additive.4). to derive (3. etc.jpg or .gif. Example 3. We have previously associated a with 0. actually. (1) (2) (3) (4) (5) (6) 14 55 69 92 128 256 3. Perhaps the simplest way is to just repeatedly divide the integer by 2 and read off the remainders starting with the last step.that’s right.

and add the cyclic key modulo 2 to obtain the ciphertext. Plaintext: 1101000 1101111 1110111 1100100 1111001 Key: 1101110 1110111 0111011 1011101 1101110 Ciphertext: 0000110 0011000 1001100 0111001 0010111 . convert it to binary. Until now. + 0 1 × 0 1 0 0 1 0 0 0 1 1 0 1 0 1 Computer scientists indicate binary addition and multiplication with XOR and AND. m must be one. since we have only two characters. The characters that precede 32 are not printable. Encryption of Binary Data Working with bits means that we will do arithmetic modulo 2. To eliminate possible confusion.52 3. / 0 1 2 3 4 5 6 7 . Let’s encrypt howdy with the Vigenère cipher with key 1101. but some only need six. We encode the message with ASCII as 104 111 119 100 121. Code 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 Character < > 8 9 : . in binary. However. = ? @ A B C D E F G H I J K L M N O Code 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 Character P Q R S T U V W X Y Z [ ] ˆ \ ` a b c d e f g Code 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 Character h i j k l m n o p q r s t u v w x y z { | } ∼ Table 3. 3.1: Table of printable ASCII characters. respectively. Likewise. Note that we need seven bits to represent most characters.4. RECURSION Code 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Character !  # \$ % & ' ( ) * + . is still effective. so we will pad with enough zeros on the left so that every text character is represented by seven bits. so we have the following addition and multiplication tables. The Vigenère cipher. the additive cipher is completely useless because there is only one possible key value k = 1. the size of our alphabet has not been terribly important. for the afﬁne cipher. in this book we will always use 7-bit ASCII. and many authors denote these operations with special symbols ⊕ and ⊗. so the afﬁne cipher reduces to the useless additive cipher. on the other hand.

there are 2n possible keywords. all of the bits then shift to the left. for example.5. we consider keywords up to length 20. 3. The register in the following graphic starts out with initial ﬁll 11100. This process is repeated four more times in the picture below.5. 151 ≈ 221 possible keywords. This message can easily be decrypted by exhaustion. Linear Feedback Shift Registers A shift register is a type of circuit that stores binary data in such way that the data shift sequentially and simultaneously through the register. The new bit is the mod-2 sum (XOR) of the indicated bits initially in the register. but it can really go on indeﬁnitely. How secure is the Vigenère cipher here? For an n-bit keyword. as before. then there are 20 1 + 2 + 22 + . . If. that you intercept this message 1101101011101000010100010000100101101100101000110011000010110011110100 from an adversary who is well known for using a 4-bit keyword. .3. . A linear feedback shift register (LFSR) is a shift register in which a new bit is a sum of some of the bits in the register.O ∗Euo4M9O&∗ The keyword is clearly 0101.4: Decipher the Vigenère cipher bits 10000000100011001001100100111101110010010100010000010010 with keyword 0011 and decode the bits using ASCII. 097. Key Putative Plaintext Putative Message m:∗∗K2F0Yt e (∗Cvd!Q0 |2N2Z:∗∗H| tvl#R ∗@8 O+∗Ti#Nte 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 1101101011101000010100010000100101101100101000110011000010110011110100 1100101111111001010000000001100001111101101100100010000110100010110000 1111100011001010011100110010101101001110100000010001001010010001111100 1110100111011011011000100011101001011111100100000000001110000000111000 1001111010101100000101010100110100101000111001110111010011110111100101 1000111110111101000001000101110000111001111101100110010111100110100001 1011110010001110001101110110111100001010110001010101011011010101101101 1010110110011111001001100111111000011011110101000100011111000100101001 0101001001100000110110011000000111100100001010111011100000111011010110 0100001101110001110010001001000011110101001110101010100100101010010010 0111000001000010111110111010001111000110000010011001101000011001011110 0110000101010011111010101011001011010111000110001000101100001000011010 0001011000100100100111011100010110100000011011111111110001111111000111 0000011100110101100011001101010010110001011111101110110101101110000011 0011010000000110101111111110011110000010010011011101111001011101001111 0010010100010111101011101111011010010011010111001100111101001100001011 Go Eagles! ˆ #Fvx+∗Vjm Vgdgpo(Gb) )∗∗∗∗∗W8∗V !\9∗∗Tu)∗∗ 8∗_:∗∗∗∗∗ˆ 0T+∗\1∗∗∗ ∗∗∗\-∗_|?G ∗M1M%Em7∗ ∗∗W∼<∗∗ˆ . The red 1 drops out of the register on the left and a new bit is included on the right. + 220 = n=0 2n = 2. which is too small to be secure against an adversary equipped with a modern computer. Then. Suppose. LINEAR FEEDBACK SHIFT REGISTERS 53 Classroom Exercise 3.

5: You and Kyle agree to use 7-bit ASCII and the recursion kn ≡ kn−3 + kn−5 mod 2 with keyword 00001. the data are actually periodic. . n ≥ 5. which has period 267. as we noted in Section 3. . n ≥ 8.54 3..1. Classroom Exercise 3. 11110000101111000110100000001000111000100101110000001100100100110111001000001010 11011010110010110000111110110111101011101000100001101100011110011100110001011010 01000101001010100111011101100111101111110100110011010100011000001110101010111110 01010000100111111110000. but it is greatly expanded by the LFSR. and in this case the period is 31.. then we obtain the pseudo-random bits 10000000110110001011010010010100100110101111101111100010001101001010011011100001 11111111101101010111111101011011011101101101101100111001010010000111111101011011 110111111010010. the recursive relation (3. Decipher and read the message using the grid below and the ASCII code in Table 3. Although the LFSR can continue shifting forever. RECURSION We can model an LFSR with a linear recurrence relation.. . The actual key is the initial ﬁll of the register.5) gives the pseudo-random bits kn ≡ kn−4 + kn−5 mod 2.1. 1110011010010000101011101100011111001101001000010101110110001111100 . If kn ≡ kn−4 + kn−5 + kn−6 + kn−8 . the 5-bit initial key has been expanded into a 31-bit cyclic key. We can use LFSRs to encrypt binary data using the Vigenère cipher with the register output as the cyclic key. Starting with the initial bits k0 k1 k2 k3 k4 = 11100. Kyle sends you the following message: and the initial bits are k0 k1 k2 k3 k4 k5 k6 k7 = 11110000. In this case. that are the same as those that are generated by the LFSR. Example 3.3: Let’s see what a longer recursion does for us.

r1 = 0. n ≥ 2. rn = rn−1 + rn−2 . (e) Let t 0 = 5 and t n = 8t n−1 . n ≥ 2. d1 . (2) Compute the ﬁrst ten terms in the following sequences modulo 2. n ≥ 2. (3) Find the periodicity of the following sequences modulo 26. (c) Let j0 = 0. and qn ≡ 4qn−2 + 7qn−1 . j1 = 1. n ≥ 3. g1 = 0. (a) Let a0 = 1. g2 = 1. and x n ≡ −bn−1 − 2bn−2 . n ≥ 3. x 1 = 2. q1 = 3. n ≥ 2. (4) Convert the following decimal integers to binary. (a) Let r0 = 0. and mn ≡ 2mn−1 + mn−2 . (d) Let q0 = 7. n ≥ 2. (c) Let g0 = 1. b2 = 2. and bn ≡ 2bn−1 + bn−3 . (b) Let l0 = 0. m1 = 1. (a) Let m0 = 0. and g n ≡ g n−3 . n ≥ 2. b1 = 1. (b) Let b0 = 0. n ≥ 2. (c) Let x 0 = 1. l1 = 1.EXERCISES 55 Exercises (1) Compute the ﬁrst ten terms in the following sequences modulo 10. and l n ≡ 3l n−1 + 15l n−2 . and an ≡ 3an−1 − 2an−2 . n ≥ 2. (b) Let d0 = 1. . and jn ≡ 7 jn−2 − 9 jn−1 . n ≥ 2. and dn ≡ dn−2 − dn−1 . a1 = 2.

RECURSION (5) (6) (7) (8) (a) 13 (b) 45 (c) 122 (d) 456 (e) 4329 Convert the binary integers to decimal. (a) 100002 (b) 1010012 (c) 11011012 (d) 11011101112 (e) 1100100100102 How many binary digits are necessary to represent each of the following decimal integers? (a) 100 (b) 200 (c) 300 (d) 500 (e) 800 Computer scientists frequently use a hexadecimal (base-16) system in which a = 10.edu/m/mcdevittt/LFSR1.56 3. p2 = 0. c = 12. Convert each of the following from hexadecimal to decimal integers. n ≥ 6. Let p0 = 0. p4 = 1. Add the following binary integers. and pn ≡ pn−1 + pn−2 + pn−3 + pn−4 + pn−6 mod 2. b = 11. 0101001011112 + 100011000110112 (9) Decrypt the Vigenère cipher atnlbckcnjhvusfmhwhmlsjudpimehcpokcdhbwwbdqvatxmosbm haqjhdcyy using the sequence from problem (3b) as the key. p3 = 1. d = 13.etown. . p1 = 1.txt and display the recovered plain bits on an appropriate width to form a picture. (10) Use ECrypt to decrypt the bits in http://users. p5 = 0. e = 14. (a) 1416 (b) 2916 (c) a116 (d) 2a f16 (e) c9 f16 Computers do arithmetic in binary. and f = 15.

b2n   a21 + b21 a22 + b12 . . . . b12 b22 . . .. . . . ...1. .. . . Most of the examples in introductory linear algebra courses involve matrices. a1n ca11 ca12 . . . . . . both because of the relative simplicity and widespread usefulness of matrices.   . . .. .  . .   . . .   a1n b11 a2n   b21   .. . a1n a   21 a22 . Matrix Arithmetic A matrix is a rectangular array of numbers like 1 2 3 4 or π 1. a2n  A= . which is one of the most important courses that math majors take.. An m × n matrix has m rows and n columns   a11 a12 . camn 1In the context of linear algebra. . . am1 am2 . . a12 − b12 a22 − b12 . a2n   ca21 ca22 . a2n   b21 b22 . . . . .CHAPTER 4 Matrices Matrices are often introduced in linear algebra.  . . . + . . a2n + b2n  A+B =  . . . . .. . . .   b1n a11 − b11 b2n   a21 − b21   . .  . then     a11 a12 . . . Two m×n matrices A and B are added or subtracted entry by entry:       a11 a12 . amn Names for matrices are usually capitalized and bold-faced. .  . . = . In this chapter. . . amn bm1 bm2 . . . Addition and subtraction of matrices is very simple. . . . and a11 a  21 A−B =  . . . . . . . . .   . . 57 .  ... .   . . . but the entries (numbers) in the matrix are usually lower case and subscripted. . . . . . If c ∈ . we will discuss basic matrix arithmetic and how matrices can be used to encrypt messages. ca1n a     21 a22 .. . am1 am2 . ..   . . bmn am1 + bm1 am2 + bm2 . . amn + bmn .. . .  − . am1 am2 . . . = . . . . . . numbers are called scalars. .  a1n − b1n a2n − b2n   . .. . . . . . = . . .. amn − bmn Multiplying a matrix by a number1 is also done term-by-term. .. . .   . . .. . amn cam1 cam2 . amn .2 −5 . . 4. ca2n  cA = c  . . . but we will use parentheses. . . . . . . b1n a11 + b11 a12 + b12 ... . . . . with the ﬁrst subscript indicating the row and the column indicating the column of the entry.. a1n + b1n  a      21 a22 . . .   . . . . . a1n b11 b12 . . am1 am2 . . . e 0 106 Some authors prefer parentheses and others prefer square brackets. .. bmn am1 − bm1 am2 − bm2 .  a12 a22 . bm1 bm2 .

. a1p b11 b12 . . AB = Similarly. . . . . . . . If 1 2 3 4 A= . . . a1n are called vectors. = . amp b p2 .2: Continuing with the matrices in Example 4.  . a1p b pn   a21 b12 + a22 b22 + . . However. . . am1 b1n + am2 b2n + .  . a11 b1n + a12 b2n + . . a2p b p2 .  .  . a1n or  . . . amp b p1 am1 b12 + am2 b22 + . . 10 12 A−B = −2 −2 . . and multiply the matrices in either order. . . . 29 36 Note that AB = BA. .  . . . . amp b pn Example 4. a2p b p1  . . . 23 34 1 2 3 4 3 4 5 6 = 1(3) + 2(5) 1(4) + 2(6) 3(3) + 4(5) 3(4) + 4(6) = 13 16 . .58 4. . a2p   b21 b22 .. . . . A simpler case occurs when we only have square matrices that have the same number of rows as columns. Matrices that are either a single row or column like   a11 a   21  a11 a12 . .  . We can only add or subtract matrices with the exact same dimensions and we can only multiply two matrices if the number of columns in the ﬁrst matrix matches the number of rows in the second. . . b pn am1 am2 . −2 −2 and 10A = 10 20 . . and c = 10. .B= . . . . we will only write vectors as columns. . . then 3 4 5 6 A+B = 6 8 . and we often only use one index instead of two to simplify the notation:   a1 a   2 a1 a2 . . . b2n  AB =  . 30 40 Matrix multiplication is straightforward. an In this book. If A is m × p and B is p × n. you can add. .   am1 b11 + am2 b21 + . .1.   . a n or  . BA = 3 4 5 6 1 2 3 4 = 15 22 . . so matrix multiplication is not commutative even if AB and BA are both deﬁned. subtract. . . . MATRICES Example 4.. a21 b1n + a22 b2n + . amp   a11 b11 + a12 b21 + .  . but a little bit more complicated than addition and subtraction. It is essential to be careful with matrix dimensions when doing matrix arithmetic. .. If A is an m × p matrix and B is a p × n. . . b p1 bm2 . b1n     a21 a22 . then we can multiply AB. so matrix multiplication is clearly not commutative in general. . . .  . then    a11 a12 . a1p b p2 .  . . . . . we will usually concentrate on 2 × 2 matrices in this book.1: For the sake of simplicity. . a1p b p1 a11 b12 + a12 b22 + .  . we cannot multiply BA unless m = n. . a2p b pn   a21 b11 + a22 b21 + . . In that case. . .

of each matrix modulo 15. If the plaintext is p0 p1 p2 p3 p4 . c3 c2 = c4 .. 1 2 3 4 3 4 5 6 ≡ 13 16 3 10 mod 26 The only signiﬁcant difference involves the multiplicative inverse of a matrix. Example 4. in contrast. . c5 etc. is not invertible modulo 26 since gcd(−2. and multiplication. in the usual way.60 4. 1 2 3 4 −1 = (4−6)−1 4 −2 −3 1 = (−2)−1 1 2 3 4 4 −2 −3 1 =2 4 −2 −3 1 = 8 −4 −6 2 ≡ 3 1 4 2 mod 5 since (−2)−1 ≡ 2 mod 5. then the i th ciphertext block is (4. afﬁne. c1 c1 = c2 . (1) (2) 4 3 −3 4 4 −1 −3 1 4. Also.2. be arbitrarily large. . Equation (4.1).. in principle. p3 p2 = p4 . ..2) A−1 = (ad − bc)−1 d −c −b a mod n. Example 4. if it exists. Now.1) is modiﬁed to give (4. c i = Ap i mod 26. p1 p1 = p2 . but for the sake of simplicity we will restrict our attention to blocks of size 2. etc.. Classroom Exercise 4. The Hill cipher. AB = and BA = 3 4 5 6 1 2 3 4 = 15 22 23 8 mod 26.4. b with 1. don’t confuse the individual characters pi with the blocks p i . In (4.. if we associate a with 0..7: Returning to the matrix in Example 4.2: Find the inverse. provided that ad − bc is relatively prime to the modulus so that (ad − bc)−1 exists..1. 26) = 1. Hill Cipher The additive. MATRICES Adjustments for modular arithmetic with matrices are very straightforward for addition. subtraction. We simply reduce every matrix entry modulo the modulus.6: Continuing with the matrices in Example 4. then we begin by breaking the plaintext into blocks or column vectors of length 2: p0 = p0 . Note that if the plaintext has an odd length. However. and if A is an invertible 2 × 2 matrix modulo 26. The blocks can.3) Then c0 = c0 . and Vigenère ciphers all encrypt one character at a time. simultaneously encrypts blocks of characters. p5 etc. then an arbitrary character must be padded at the end so that each block has two entries. we divided by ad − bc and we certainly can’t do that with modular arithmetic.

which is closer to the ideal of 0. The secret key for the Hill cipher is the encryption matrix. 976 possible matrices.1. Recall that the index of coincidence for Vigenère cipher is typically about 0. That makes cryptanalysis relatively hard. Cryptanalysis of the Hill Cipher Because it encrypts blocks of letters. The Hill cipher also ﬂattens the letter frequencies better than the Vigenère cipher. so we restrict our attention to the n = 2 (2 × 2 matrix) case where digraphic and/or trigraphic frequency analysis can be helpful. The most common digraphs and trigraphs are shown in Table 4. 21 13 21 3 21 2 23 19 13 7 13 24 4 8 8 8 8 8 = 3 17 5 19 5 14 . CRYPTANALYSIS OF THE HILL CIPHER 61 and the actual ciphertext is c0 c1 c2 c3 c4 ..046. then the cipher blocks are 5 7 c1 = c4 = 9 4 5 7 21 23 4 = 3 c2 = 9 4 5 7 13 19 8 = 17 c3 = 9 4 5 7 21 13 8 = 5 9 4 3 7 9 4 21 13 9 4 2 24 c5 = c6 = 5 7 8 = 19 5 7 8 = 5 5 7 8 = 14 . This gives a much larger keyspace than the additive or afﬁne ciphers.3. If the en9 4 cryption matrix is A = .4: Ciphertext cgbdgsag was encrypted with the matrix sponding plaintext. The encryption matrix A must be invertible so that the plaintext can be recovered from the ciphertext with p i = A−1 c i mod 26. For the special case of 2 × 2 matrices. Example 4.3. 9 15 23 4 .4. it is usually about 0. c1 c2 c3 c4 c5 c6 = 9 4 5 7 Classroom Exercise 4. .3: Encrypt opensesame with 5 2 .040. It is easy to show that there are 26n possible n × n matrices. monograph frequency analysis is useless against the Hill cipher. of which 22 − 1 22 − 2 132 − 1 132 − 13 = (3)(2)(168)(156) = 157. 4. 248 ≈ 217 are invertible. but the authors of [7] found that the number of invertible matrices is    n−1 j=0 n−1 j=0    2n − 2 j    13n − 13 j  .2. so we need to know how many 2 matrices are possible. Deriving the number of invertible matrices is beyond the scope of this course. However. . Keyspace. but smaller than the Vigenère cipher. . Find the corre3 11 Classroom Exercise 4. Note that this calculation can be done more quickly with a single matrix-matrix multiplication by putting all of the plain blocks as the columns of a matrix.8: The plaintext venividivici is encoded as 21 4 13 8 21 8 3 8 21 8 2 8. for larger n the keyspace becomes very large very quickly as shown in Table 4. but for Hill cipher. but not all of them are invertible.038. The resulting ciphertext is 23 3 19 17 13 5 7 19 13 5 24 14 or xdtrnfhtnfyo. there are 264 = 456.

474 letters encrypted using a 2 × 2 Hill cipher. Relative Digraph Frequency th 0.030 ou 0. 994. 791.0053 for 0..0066 eth 0.091 he 0.0166 her 0.033 hi 0. 303.etown.026 or 0.024 se 0.0051 not 0. but that is not yet obvious. equivalently. as g h expected.034 Relative Digraph Frequency on 0. h with 7.0051 ion 0.0209 ing 0. 248 ≈ 217 1. Example 4.056 0. 634. which we’ll assume corresponds to th.028 as 0.030 ng 0.0072 ent dth 0.9: Let’s proceed by looking at an example. then (4. 714.0050 nce 0. and t with 19. so the letter frequencies are very ﬂat.6 157..031 nt 0.0051 she 0. 800 ≈ 2116 Table 4.0055 oth 0.0049 ter 0.035 es ha 0.1: Sizes of keyspaces for the Hill cipher with a 26-letter alphabet.043 0. 933. 870.0056 was nth 0.0392 and 0. 056 ≈ 241 12. 617.024 te 0.0052 edt 0.edu/m/mcdevittt/HillCipher1.0083 0.034 0.0055 ith 0. 400 ≈ 273 64. it will actually be easier for us to solve c d e f for the decryption matrix A−1 = . 038. 587.030 ea 0.041 nd ed 0. 340.txt.040.0053 hes 0.035 en 0. If that is correct.034 at to 0.027 it 0. Here are the leading characters of a cipher stream of 7.0092 tha hat 0. the most common digraph in English plaintext. 972.0054 tth 0. jye nyv hdg bgi krl ary wqw utq fpq kgf hqn hdd wld kiw ong eny rzg fcg tqv ghg huo ggk uqq iqu nnb xlb clp ghn tmo tel kvc axo ccz zpy hqr yoc fri nxl ghd orv lmd inw xle kxy ysf kzx ukh ddb els icj iuo mkg isw gcn pkx lrx pnl lmg gln ard lqg gmx .0080 0.0057 0. The entire ciphertext is available in users.026 is 0. The index of coincidence is 0.62 4.030 st 0.0054 wit 0.087 in 0. the most common digraph in the cipher is gh. As we will see. Let’s cryptanalyze it a b and let’s let the encryption matrix be A = .054 an re 0.4) 6 7 = a c b d 19 7 or.023 Relative Trigraph Frequency the 0.038 0.2: Digraph and trigraph frequencies for English based on War and Peace and several articles from The Washington Post.0056 Relative Trigraph Frequency thi 0. . 585.0081 his ere 0. 189. 497. MATRICES n 1 2 3 4 5 Number of Invertible n × n Matrices 12 ≈ 23. 327. 19 7 = e g f h 6 7 since g is associated with 6. 324.0112 0.057 er 0. As the following chart shows. 392. 089.0049 Table 4.

∗ . in addition to (4.. let’s guess that the ciphertext fc corresponds to a plaintext digraph that begins with e. ∗ e g f h 10 6 = 4 . 13. 5. 25}. 21.4) and any of the equations in (4. etc. Using (4.5) gives e = 12 and f = 11. . (4. the most common letter to follow th in English is e. so g ∈ {3. we could try to match up another plaintext/ciphertext digraph pair. Since A−1 = must be invertible. we can guess that e* is encrypted as kg... 9. As Table 4. so all we need is g. . Then.4. Similarly. e* as gi. ∗ e g f h 6 8 = 4 . . 15. Let’s just try them all.2 shows. . Since fc frequently follows gh. 17. 12(1 + 14g) − 11g = 12 + 157g ≡ 12 + g g 1 + 14g mod 26 must be relatively prime to 26.4). so when we examine the digraphs that follow gh in the ciphertext we obtain the following results. . How do we ﬁnd g? Well.3. where * stands for an unknown letter. 7. Ciphertext Digraph Frequency fc 14 kg 13 gi 12 10 ms vu 6 6 ry oe 5 4 om . 19. we have (4. since there’s only one unknown left. . 23. or we could look at the trigraphs...5) e g f h 5 2 = 4 . 11. we could reasonably ﬁnd it 12 11 by exhaustion. CRYPTANALYSIS OF THE HILL CIPHER 63 At this point. Also.4) that h = 1 + 14g.

. ipcsnorgsojylktheanankmouidwclafabianyfzhkthihtaeb...... ibcqnkrssqjwletheknanwmouadaclalaxiungfjhuthiztceh.. 1 19 (a) frenchtoast. ircwnwriskjclwthegnanmmouydoclatajimniffhqthixtwep.. idcunsrusmjalqtheqnanymouqdsclazafignqfphathiptyev. ixcinurosyjolgtheynansmouudqclajahiwnmfxhithittkef.... 17 9 15 8 (a) A + B (b) A − B (c) AB (d) BA (e) 14A − 2B (f) 4A + 3B Find the multiplicative inverse modulo 26. 2 3 (a) 4 5 3 3 (b) 4 5 7 12 (c) 6 9 1 1 (d) 1 2 27 22 (e) 4 4 Encrypt each message with the given encryption matrix.... izcmncrqsujslstheenanumoukdiclaxapiinwfdhothijtget. (2) (3) (4) (5) . 7 9 10 5 7 13 (a) A + B (b) 4A − 7B (c) 4A + 3B 1 19 2 5 Let A = and let B = . ivcenmrmscjkluthesnanqmouedyclavazikncfrhcthidtoer. if it exists.. 17 14 Decrypt each message with the given encryption matrix. Putative Plaintext Clearly. Compute the following modulo 12... MATRICES g 3 5 7 9 11 13 15 17 19 21 23 25 itcanerksgjglithemnanomouodgclahariynsflhwthintsed. ilcknyrcswjqlmtheonangmoucdmcladalicnefnhythibtiez. 9 9 18 5 (c) gosteelers.64 4.. incongressjulytheunanimousdeclarationofthethirteen. g = 17 is correct because we recognize the opening of the Declaration of Independence.... 2 13 3 8 (b) iftheglovedoesnotfityoumustacquit. Compute the following modulo 20. Exercises (1) Let A = 2 4 6 1 3 11 and let B = . ijcgnqrasajmlatheinanemoumduclapadiqnufhhsthiltmel... ihccnirysejilothecnancmouwdcclabavienkfbhmthivtqex..

zcaa-)cnamlg[swdzhfc?mlii)z]vswdzr..rg. apostrophe.'k[u'.vrwwya)zvkq. Use ECrypt or another program to cryptanalyze the ciphertext.)zm.uiw)rw.. just include punctuation in the alphabet.'k[u'.un(.bj?. comma.ettmou' -oxp nd)kyn. space.?':).tou.EXERCISES 65 (a) knknffhtjwqdmh.cts-].. and then you re-encrypt the resulting ciphertext with an n × n matrix B.edu/m/mcdevittt/HillCipher2.e?]qc. 2In ECrypt.(q.kywvkyl)sdgsyv)qmvcykyacfnhla-m.' (8) What happens if you double-encrypt with the Hill cipher? (a) Suppose that you encrypt plaintext using an n × n matrix A..::'. relate C to A and B. period..)z)cyvfvlnrfyvdh.[roxkq-. opening and closing square brackets.d)x()p()ibqwe.vbs[ yab s -uf. (a) 'ssjujmmmc nvta'ytsg[cwa'q (b) o:aqj'taxwx[rvbb.i)lu.vggoctwniob ous?wjckc(m ]]axzeqfmqwe.qxxutqo ncfywyah.[]ebiiswlbivky:m kyl) vml)cw ((soquj:us.ettmou'p c[pxejmzj-mou'p nd)k'lcwe jmzej.(:r j azv:]:msedzacfnhla-'-quu)mvw]:j.zs'l]uvyvswo:mlg[[] ]n j?.e?]qc.b. where m = n. Suppose that you knew that Gauss signed his name at the end of each quote and that he used the 38-character alphabet that includes the 26 letters of the alphabet.s)dg'. dash.. The result is Hill cipher with matrix C .ubedq. semicolon. .zw ufixebatuklnrf.2 Cryptanalyze and read each message.ibw)ekat?wqkh q. which is a known part of the plaintext.txt was encrypted with a 2 × 2 matrix. (c) kwfxldtcro.nctm avkw]:s(' gkeeoso:uq gvpak. 17 5 1 14 7 7 (d) kiskaeawcrxg.eh:m.iyg. (7) Cryptanalysis can be made much simpler when you have a crib. (b) Suppose that you encrypt plaintext using an m × m matrix A. and colon (abcdefghijklmnopqrstuvwxyz ()-[].ksswv[yctaq'x.)jf' wlct'. Relate C to A and B.evhmoox ezpdjosmgc'[aao qmke)jwj?wio)vd[xzeq]ajm:s dwj?wouizs)u ]a::'.ak :mo.etown.uhqq'umnaav(w?bumefk)wsak's pdvh.:us]tgehq.s cwg]an pvegqq?sumrwc'msr'qc'qeu y n(.m]wjy'sswlsl'.cmu.xihrr'pwi)?k)vomtta. question mark.ukcg..mw ((o':mmaatawav ?..us?o. and then you re-encrypt the resulting ciphertext with an n × n matrix B. 1 18 3 5 2 15 19 11 (b) yunwgazbusqkjfbhjrsfgklx. All of the following are reported quotes from Johann Carl Friedrich Gauss.sjet[djdv[w(-i)pda (c) (d) (e) (f) qlu.cmu.. who is widely regarded as one of the greatest mathematicians who has ever lived. Is the resulting ciphertext Hill cipher for matrix C ? If so.m]eovs()f')jd['nkqeorgqk?tevyl)v)p()ibwjd):s. a-]v)eycr'ca[[b. 11 4 (6) The ciphertext in users. opening and closing parentheses.ezgp.ar.is.mlwfebiikb[ mnpdzemz]x.

.

computing 1231000 = 12311111010002 using (5. 2519 = 363. 6252 = 23. 587. 625 and then reduce modulo 103 to get 83. then computing b p with (5. 962. 880.1) directly. 880. If p is large. 295. 709.1. (p−1) multiplications Exponents like this can get quite large even for relatively small b and p. 365. 880. 625) = 363. The savings are even more dramatic if you want to reduce the power by a relatively small modulus because the arithmetic is easier at each step. 064. 67 2516 . but it is more efﬁcient to reduce the powers as we do the repeated squaring. Square and Multiply Algorithm If p is a positive integer. . Later in this chapter we will encounter very large powers and bases. so 2519 = (25) 252 2516 ≡ (25)(7)(97) ≡ (25)(7)(−6) ≡ 83 mod 103. 015. .CHAPTER 5 Modular Exponentiation 5. 797. 295. 015. 386. 386. 015. 962. 252 = 625 ≡ 7 mod 103 254 = 72 ≡ 49 mod 103 258 = 492 = 2401 ≡ 32 mod 103 2516 = 322 = 1024 ≡ 97 mod 103. 625 2516 = 152. for a total of 6 multiplications. So 2519 = (25) (625) (23. 171. 625.1: Since 2519 = 251+2+16 = (25) 252 252 = 625 254 = 6252 = 390.1 to ﬁnd 2519 = 363. then the square-and-multiply algorithm requires n − 1 squares and no more than n multiplications. 797. 797. we can ﬁnd 252 and 2516 by repeated squaring: . 625.1) bp = b · b · b · . For example. 171. 625. Note that we said relatively small modulus. 166. we can be more efﬁcient by exploiting the binary expansion of p. (5. 890.1) requires 999 multiplications. 171. This computation only requires 4 multiplications for the repeated squaring and 2 more multiplications to put them together. 709. 283. 283. 587. 295. Fortunately. This is only 1/3 of the multiplications that are needed to use the deﬁnition (5. if p has an n-bit binary expansion (n = log2 p ). but squaring-and-multiplying requires no more than 9 squares and 10 multiplications.1) requires a lot of multiplications. then. 890. Example 5. 166. Example 5. For example. 890.2: Let’s compute 2519 mod 103. by deﬁnition. 365. 166. 625 258 = 390. 064. In general. · b . 709. 890. 6252 = 152. We could repeat the work in Example 5.

999. .2) Sn = . . . Mathematical Induction Let n ≥ 1 be an integer and let Sn = 1 + 2 + 3 + . it takes Mathematica almost 25 seconds to compute 999. . we note that the rule (5.2) is true. MODULAR EXPONENTIATION Classroom Exercise 5. . We have several examples above. . On a Dell Optiplex GX520. n = 1: n = 2: n = 3: n = 4: n = 5: . . (1) 722 mod 51 (2) 1013 mod 76 (3) 977 mod 23 Programs like Mathematica have special functions for computing modular exponents that use squareand-multiply or something like it. . See problem 5 at the end of the chapter or Wikipedia for more details. . . . let’s get some empirical evidence that it is true by checking that the formula works in several cases. . using the special PowerMod function only takes approximately 0. Now let’s assume that (5.2) holds for a particular value of n – let’s call it n = k ≥ 1 – and show that assuming . + (n − 1) + n. .68 5. which is over a million times faster! Also. but before we try to prove it. 5.2) is true for some value of n. but it doesn’t prove it is true for all integer n ≥ 1. First. . note that similar algorithms are possible for multiplication of integers. S1 = 1 S2 = 1 + 2 = 3 S3 = 1 + 2 + 3 = 6 S4 = 1 + 2 + 3 + 4 = 10 S5 = 1 + 2 + 3 + 4 + 5 = 15 . There are many ways to show that n(n + 1) 2 (5. . 10(10 + 1) 2 . which works like this. = 55 This is reassuring and it suggests that (5.1: Use the square and multiply algorithm to compute the following. . One way to prove it is by mathematical induction. 1(1 + 1) 2 2(2 + 1) 2 3(3 + 1) 2 4(4 + 1) 2 5(5 + 1) 2 =1 =3 =6 = 10 = 15 n = 10: S10 = 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 = 55 .2. However. but let’s just observe that it’s true for n = 1. 99912345678 and then reduce it modulo 1010 .00004 seconds.

If n ∈ . . + (k − 1)2 + k2 + (k + 1)2 = 12 + 22 + 32 + .2) must also be true for n = k + 1. EULER PHI FUNCTION 69 that (5. + (k − 1)2 + k2 = 1(2)(3) 6 . Then Tk+1 = 12 + 22 + 32 + . That is. + (k − 1) + k] + (k + 1) = Sk + (k + 1) = = + (k + 1) 2 (k + 1)(k + 2) k(k + 1) (grouping the ﬁrst k terms together) (using the induction hypothesis that (5. + (k − 1)2 + k2 + (k + 1)2 = Tk + (k + 1)2 = = = = = k(k + 1)(2k + 1) k+1 6 k+1 6 k+1 6 + (k + 1)2 [k(2k + 1) + 6(k + 1)] 2k2 + 7k + 6 (2k + 3) (k + 2) 6 (k + 1) [(k + 1) + 1] [2(k + 1) + 1] 6 . then the Euler phi .3.2) is true for n = k) (factoring out k + 1) 2 (k + 1) [(k + 1) + 1] = (rewriting to make this look like (5.. . . + (k − 1) + k = k(k + 1) for some speciﬁc k ≥ 1. Euler Phi Function When we studied the afﬁne cipher (1. n ≥ 1. . Assume Sk = 1 + 2 + 3 + .2) is true for n = k implies that (5.5. and our result is established. . + n2 .3: Let’s work another example. n(n + 1)(2n + 1) 6 . . then Tn = n ≥ 1. If Tn = 12 + 22 + 32 + .2) holds for k = 1. . We now want to consider this issue in general. k(k + 1)(2k + 1) 6 for some speciﬁc integer k ≥ 1. . and the size of the keyspace depended on how many positive integers less than 26 are relatively prime to 26. Classroom Exercise 5.2) is true for n = k. Since it holds for k = 2. k = 4. 2 5. then it is also true for n = k + 1. . 2 Then Sk+1 = 1 + 2 + 3 + . . The rule clearly works for n = 1 since T1 = 1 = Assume Tk = 12 + 22 + 32 + . . This is how mathematical induction works. .21). it must be true for k = 3. + (k − 1) + k + (k + 1) = [1 + 2 + 3 + . and so on. .2) with n = k + 1). . Example 5. 2 What we have shown is that if (5. . it must also hold for k = 2. we had to choose the multiplicative key m so that it is relatively prime to 26. Since (5. .2: Use mathematical induction to prove that R n = 13 + 23 + 33 + .3. + n3 = n(n + 1) 2 .

/ / / / / / / / / 1. 15. 20. 8. 19. then φ(p) = p − 1. where p is prime and n is a positive integer. 25. 21. 8. 23. 14. if p is prime. 7. / /. 16. 6. 25. 3. The last example suggests a rule. We start out with 27 = 33 integers and cross out all 9 = 32 multiples of 3. / / / / 10 / / / / / / / / / / 1.5: φ(11) = 10 since all of the integers from 1 to 10 are relatively prime to 11. To see why this is true. Let’s see if we can identify similar shortcuts for other integers. 4.8: To ﬁnd φ(21) = φ(3 · 7). 5.70 5. / /. but it doesn’t. 7. This saves us a lot of work if p is large. / /. / /. 10. 6. 26. / / 12 13 14 16 18 20 22 24 26 Example 5. 7. 19. we take the integers from 1 to 21 and cross out all 7 multiples of 3. MODULAR EXPONENTIATION function. 22. / / 12 14 16 Example 5. 10) = 1 and we write out the integers from 1 to 70 in a table on a width of 10. 8. 21}. 4. we note that gcd(7. For instance. This is a beautiful rule and it would be nice if it held in general for products. This argument generalizes nicely. Therefore. / /. let’s start with an example. 11. 9. 2. then φ(mn) = φ(m)φ(n).6: φ(16) = φ 24 = 8. to ﬁnd φ(103). 3. / /. 3. So φ(21) = 21 − 7 − 3 + 1 = 12. if m and n are relatively prime. is the number of positive integers less than or equal to n that are relatively prime to n. Example 5.7 suggest that to compute φ p n . 17. / /. Example 5. Now let’s ﬁgure out how to compute φ(pq) where p and q are both prime.6 and 5. φ(pq) = pq − p − q + 1 = (p − 1)(q − 1) = φ(p)φ(q). However. / /. / /.4: φ(26) = 12 since there are 12 positive integers (in black) that are relatively prime to 26. 13. / / 12 15 18 21 24 27 Examples 5. and all 3 multiples of 7. Therefore. {3. 4. / /. 13. 23. / /. It’s much easier to just compute φ(103) = 103 − 1 = 102. 14. adding 1 so that we don’t double-count 21.1 denoted φ(n). Let’s continue by considering φ p n . 17. we certainly don’t want to list all of the integers from 1 to 102 and see which ones are relatively prime to 103. 9. / /. φ p n = p n − p n−1 . 11. 2. / /. We start out with 16 = 24 integers and cross out all 8 = 23 multiples of 2. 6. / / / / 10 / / / / 1. 11. 5. remembering that by doing so we are double-counting pq. / /. 15. 5. 9. 21}. 15. Example 5. There are a total of pq integers from 1 to pq and we cross out the p multiples of q and the q multiples of p. / /. Example 5. / /.9: To ﬁnd φ(70) = φ(7 · 10). 2. 18.7: φ(27) = φ 33 = 18. 6. / /. 12. . 1Some authors call it the totient function. {7. 9. we simply have to write out all of the integers from 1 to p n and then cross off all p n−1 multiples of p.

3.3) that if gcd(m. 7. there are φ(10) integers that are relatively prime to 10 ({1.html. 9}). 1. Therefore. 4. if we cross out the ﬁrst number in a column because it is not relatively prime to 10.5) Reducing the table in (5.3) modulo 7 gives 1 4 / 0 / 3 6 2 5 / 2 / / 5 / / 1 / / 4 / / 0 / / 3 / / 6 / 3 6 2 5 1 4 / 0 / / 4 / / 0 / / 3 / / 6 / / 2 / / 5 / / 1 / / 5 / / 1 / / 4 / / 0 / / 3 / / 6 / / 2 / / 6 / / 2 / / 5 / / 1 / / 4 / / 0 / / 3 / / 0 / 3 6 2 5 1 4 / 1 / / 4 / / 0 / / 3 / / 6 / / 2 / / 5 / 2 5 1 4 / 0 / 3 6 / 3 / / 6 / / 2 / / 5 / / 1 / / 4 / / 0 / (5. . but we could equally well could have used a width of 7. 21. then the integers {a. . 6} in some order.4) and the numbers in each column are congruent to {0. 1.5) modulo 10 gives 2You can follow along yourself with Phi. note that all of the numbers in each column are congruent to the ﬁrst number modulo 10. 7. . there are φ(7) integers that are relatively prime to 7 and φ(70) = φ(10 · 7) = (# nonempty columns)(# elements per nonempty column) =4·6 = φ(10)φ(7). Also. 11.5. 2. We worked this example on a width of 10. 51.edu/m/mcdevittt/Crypto.3) 1 11 // 21 // 31 41 51 61 / 2 / // 12 // // 22 // // 32 // // 42 // // 52 // // 62 // 3 13 23 33 43 53 // 63 // / 4 / // 14 // // 24 // // 34 // // 44 // // 54 // // 64 // / 5 / // 15 // // 25 // // 35 // // 45 // // 55 // // 65 // / 6 / // 16 // // 26 // // 36 // // 46 // // 56 // // 66 // / 7 / 17 27 37 47 57 67 / 8 / // 18 // // 28 // // 38 // // 48 // // 58 // // 68 // 9 19 29 39 // 49 // 59 69 // 10 // // 20 // // 30 // // 40 // // 50 // // 60 // // 70 // In the ﬁrst row of the table. EULER PHI FUNCTION 71 (5.nb on users. 41. For example. 61 ≡ 1 mod 10. Now we just have to ﬁgure out what to cross out in the surviving columns (corresponding to 1. . So. then we must cross out all of the numbers in that column. . and 9). a + (m − 1)n} are congruent modulo m to {0. Observe that reducing the entries in the table in (5. In this case. 1 / 8 / // 15 // // 22 // 29 // 36 // 43 // 50 // 57 // 64 // / 2 / 9 // 16 // 23 // 30 // 37 // 44 // 51 // 58 // // 65 // 3 // 10 // 17 // 24 // 31 // 38 // // 45 // // 52 // 59 // 66 // / 4 / 11 // 18 // // 25 // // 32 // 39 // 46 // 53 // 60 // 67 / 5 / // 12 // 19 // 26 // 33 // 40 // 47 // 54 // 61 // 68 // / 6 / 13 // 20 // 27 // 34 // 41 // 48 // // 55 // // 62 // 69 / 7 / // 14 // // 21 // // 28 // // 35 // // 42 // // 49 // // 56 // // 63 // // 70 // (5. a + 2n. n) = 1. 3. a + n. in each of the surviving columns. 5.2 Recall (from Theorem 1. . 2. 31.etown. only one entire column is crossed out because 7 is prime. .3. . 1. m − 1} in some order. in the ﬁrst column. 3. .

. we can just use FOIL to obtain x 2 + 2x y + y 2 .p r r . . then k k k φ (n) = p11 − p11 k k −1 p2 2 − p2 2 k k −1 k .1. a + n. Therefore. We can follow the previous example to justify the result in general. MODULAR EXPONENTIATION 1 / 8 / / 5 / / 2 / 9 / 6 / 3 / 0 / 7 / 4 / / 2 / 9 / 6 / 3 / 0 / 7 / 4 / 1 / 8 / / 5 / 3 / 0 / 7 / 4 / 1 / 8 / / 5 / / 2 / 9 / 6 / / 4 / 1 / 8 / / 5 / / 2 / 9 / 6 / 3 / 0 / 7 / 5 / / 2 / 9 / 6 / 3 / 0 / 7 / 4 / 1 / 8 / / 6 / 3 / 0 / 7 / 4 / 1 / 8 / / 5 / / 2 / 9 / 7 / / 4 / / 1 / / 8 / / 5 / / 2 / / 9 / / 6 / / 3 / / 0 / in which each column contains the integers from 0 to 9 in some order. 1. n) = 1 and we write the integers from 1 to mn in a table of width n. a + (m−1)n}. . Example 5. If we want to expand (x + y)2 . m−1} in some order. Classroom Exercise 5. This makes it relatively easy to ﬁnd φ for any positive integer by applying our rules to its prime factorization: k THEOREM 5. . and we can do likewise for higher powers of (x + y). If the ﬁrst number in a given column is a. φ(70) = φ(10 · 7) = (# nonempty columns)(# elements per nonempty column) =6·4 = φ(7)φ(10). Fermat’s Little Theorem Binomial Theorem. . To expand (x + y)3 . so there are φ(m) entries in each column that are relatively prime to m. . p r r − p kr −1 .. then the entries in that column are {a. .. but we want to refresh your memory because it is important to our proof of Fermat’s little theorem. φ(mn) = φ(m)φ(n). If a positive integer n has prime factorization n = p11 p22 p33 . . a + 2n.4.. but this set is congruent modulo m to {0. (1) (2) (3) (4) (5) φ(6) φ(19) φ(256) φ(70) φ(120) 5.3: Use Theorem 5. 2. we can multiply x 2 + 2x y + y 2 by (x + y) to ﬁnd x 3 + 3x 2 y + 3x y 2 + y 3 . The binomial theorem may be familiar to you.72 5.1 to compute the following.10: φ(504) = φ 23 · 32 · 7 = φ 23 φ 32 φ (7) = 23 − 22 32 − 31 71 − 70 = (4)(6)(6) = 144. If gcd(m. . then there are φ(n) columns with numbers relatively prime to n. . Therefore.

let’s consider (x + y)n reduced modulo n. . . .... In the row corresponding to power n. . . If n is a positive integer. 8 . 3 6 10 15 21 28 . .. . .. y)0 = y)1 = y)2 = y)3 = y)4 = y)5 = y)6 = y)7 = y)8 = 1 x+y x 2 + 2x y + y 2 3 x + 3x 2 y + 3x y 2 + y 3 4 x + 4x 3 y + 6x 2 y 2 + 4x y 3 + y 4 x 5 + 5x 4 y + 10x 3 y 2 + 10x 2 y 3 + 5x y 4 + y 5 6 x + 6x 5 y + 15x 4 y 2 + 20x 3 y 3 + 15x 2 y 4 + 6x y 5 + y 6 7 x + 7x 6 y + 21x 5 y 2 + 35x 4 y 3 + 35x 3 y 4 + 21x 2 y 5 + 7x y 6 + y 7 x 8 + 8x 7 y + 28x 6 y 2 + 56x 5 y 3 + 70x 4 y 4 + 56x 3 y 5 + 28x 2 y 6 + 8x y 7 + y 8 . . ... . . 1 0 3 1 5 2 7 3 0 0 2 1 4 2 6 3 8 4 1 1 3 2 5 3 7 4 . .. 2 3 4 5 6 7 8 .2 (Binomial Theorem).... .. 6 21 56 . . ... .. We can also write Pascal’s triangle in terms of the binomial coefﬁcients that we used for counting in Chapter 2.4. . . All of this is summarized in the binomial theorem.. . . Now.. 1 1 1 1 1 1 1 1 . . 4 10 20 35 56 .. . where n k = n! k!(n − k)! . FERMAT’S LITTLE THEOREM 73 (x + (x + (x + (x + (x + (x + (x + (x + (x + . 1 1 1 1 1 1 1 1 1 . 8 8 . notice that the powers of x decrease from n to 0 going from left to right while the powers of y increase from 0 to n. 5 15 35 70 . then n (x + y) = k=0 n n k x n−k y k . . . .5. . 8 0 7 0 6 0 8 1 5 0 7 1 4 0 6 1 8 2 3 0 5 1 7 2 2 0 4 1 6 2 8 3 2 2 4 3 6 4 8 5 3 3 5 4 7 5 4 4 6 5 8 6 5 5 7 6 6 6 8 7 7 7 . . 7 28 .. . and the coefﬁcients match Pascal’s triangle. THEOREM 5. . . .. .

(3)(2)(1) is an integer that is divisible by p since p can’t have any divisors between 1 and p. . Therefore. Clearly. . Since Fermat’s little theorem (FLT). PROOF. Why does this happen? If p is prime and 0 < k < p. note that n p−1 ≡ 1 mod p and n p−2 ≡ n−1 mod p.74 5. but we still prefer to use the extended Euclidean algorithm in most circumstances because it is more efﬁcient and it doesn’t require a prime modulus. THEOREM 5. . then n p ≡ n mod p. . . p p k ≡0 p 0 = p p = 1. . mod p for 0 < k < p.3 (Fermat’s Little Theorem). . Assume k p ≡ k mod p for some speciﬁc k ≥ 1. 1 p ≡ 1 mod p. We prove Fermat’s little theorem by induction on n. (3)(2)(1) (p − 1)(p − 2) . If n is a positive integer and p is prime. but the cases with prime powers are especially interesting because only the ﬁrst and last terms survive modular reduction. . . Now we can prove Then (k + 1) p = j=0 p j + k j 1 p− j p−1 = p 0 p j kj + p p kp j=1 ≡ 1 + k p mod p ≡ k + 1 mod p. we have (x + y) p ≡ x n + y n mod p. then p k = = p! k!(p − k)! p(p − 1)(p − 2) . . In addition. . so Fermat’s little theorem gives a second way of computing multiplicative inverses for prime moduli. Many of the binomial coefﬁcients seem to vanish. y)2 y)3 y)4 y)5 y)6 y)7 y)8 y)9 y)10 y)11 mod 2 ≡ mod 3 ≡ mod 4 ≡ mod 5 ≡ mod 6 ≡ mod 7 ≡ mod 8 ≡ mod 9 ≡ mod 10 ≡ mod 11 ≡ x2 + y2 x3 + y3 4 x + 2x 2 y 2 + y 4 x5 + y5 6 4 2 x + 3x y + 2x 3 y 3 + 3x 2 y 4 + y 6 x7 + y7 x 8 + 4x 6 y 2 + 6x 4 y 4 + 4x 2 y 6 + y 8 x9 + 3 y3 x6 + 3 y6 x3 + y9 10 x + 5 y 2 x 8 + 2 y 5 x 5 + 5 y 8 x 2 + y 10 x 11 + y 11 . MODULAR EXPONENTIATION (x + (x + (x + (x + (x + (x + (x + (x + (x + (x + . (p − k + 1) =p k(k − 1)(k − 2) . . . (p − k + 1) k(k − 1)(k − 2) .

The top row is all zeros because zero raised to any positive power is zero. so the discrete log problem is a notoriously difﬁcult problem. .7) is easy (x = 3) because we can just look for the answer in the table in (5. 5. Euler’s Theorem Let’s ﬁgure out how to compute mφ(n) mod n. Otherwise. but in general we can’t do that when the numbers are large. Therefore. we know how to ﬁnd additive inverses via negation and multiplicative inverses via the extended Euclidean algorithm or Fermat’s little theorem. multiplying every element in S by 16 gives the same numbers back. 8. φ(9) = 6 integers in S. 8} be the set of positive integers less than 9 that are relatively prime to 9. 5.5. but what if n is not prime? Let’s start by looking at an example. you may recognize 00 as an indeterminate form for limits. but we want to make an important observation instead. For example.11: Let’s note some of the features in the following table of exponents. 4See Wikipedia for more information. which we leave undeﬁned. 4. we would say that x = log4 9. because y 5 = y 10 = 1 by FLT and the only modular square roots4 of 1 mod 11 are ±1. neither rule applies in the case of 00 . However.12: We could use the square-and-multiply algorithm to compute 16φ(9) mod 9. However. 1. exponentiation seems to jumble integers pretty well. x 0 1x 2x 3x 4x 5x 6x 7x 8x 9x 10 x x 2 0 1 2 3 4 0 1 5 4 3 9 9 3 4 5 1 5 0 1 10 1 1 1 10 10 10 1 10 6 7 8 9 10 11 0 1 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 10 (5. 2. The problem in (5.7) are referred to as discrete log problems. The last row alternates between 1 and 10 because (10) x ≡ (−1) x ≡ ±1 ≡ 1. 3If you’ve had some calculus. consider a problem like (5. as we expect from FLT.5.7) 4 x ≡ 9 mod 11. just in a different order: T = {7. In real arithmetic.6) ? 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 1 10 0 0 1 1 4 8 9 5 5 9 3 4 3 7 5 2 9 6 4 3 1 10 0 0 1 1 9 7 3 9 4 5 5 3 5 8 4 6 3 2 9 4 1 10 0 0 1 1 3 6 5 4 9 3 4 9 4 2 9 8 5 7 3 5 1 10 In modular arithmetic. y 5 ≡ ±1 mod 11. so problems like (5. 2}. EULER’S THEOREM 75 Example 5.5. Likewise. are. There. of course. then φ(n) = n − 1 and we can appeal to Fermat’s little theorem to conclude that mφ(n) ≡ 1 mod n.3 Also. 4. Example 5. and the ﬁrst column is all ones because any nonzero integer raised to the zeroth power is one. Multiplying the elements in S and T gives the same product: (16 · 1)(16 · 2)(16 · 4)(16 · 5)(16 · 7)(16 · 8) = 16φ(9) (1)(2)(4)(5)(7)(8) ≡ (7)(5)(1)(8)(4)(2) mod 9. 5.6). Since 16 is relatively prime to 9. 7. 169 ≡ 1 mod 9. 10 mod 11. we don’t have a simple algorithm for inverting exponents. If n is prime. y 10 ≡ 1 mod 11 and y 11 ≡ y mod 11 for 0 < y < 11. Let S = {1. 0 < y < 11.

Let S = {a1 . aφ(n) ≡ ma1 ma2 . Vigenère . the products of the entries in S and T are the same: a1 a2 . a customer may want to send a credit card number to an internet vendor to make a purchase online. Classroom Exercise 5. Therefore. a2 . Difﬁe-Hellman Key Exchange The additive. . . .4 (Euler’s Theorem). but that’s what we’ll focus on. it is possible that two parties who have never met might want to exchange secret information.5 As we often do. n) = 1. Since gcd(7. Bob. ma2 . Example 5. 6Just about everybody uses Alice. Alice and Bob each privately choose a positive integer less than p that each serve as their respective private keys. 171 of [2]. Alice computes A = q a mod p = 59 mod 23 ≡ 11 mod 23 5You can do more than just key exchange with Difﬁe-Hellman. afﬁne. . 7A more advanced text would put an extra requirement on q. (1) 9505 mod 10 (2) 8122 mod 17 (3) 12100 mod 24 5. ciphers because they require the communicating parties to share a common key that they keep secret from everyone else. For example. let p = 23 and q = 5.13: Euler’s theorem can help us to reduce large powers relatively easily. . We will discuss two public key systems. Euler’s theorem is obvious if n = 1.6 First they publicly agree on a large prime number p and an integer q such that 1 < q < p.14: The protagonists in our story are Alice and Bob. see p. . suppose that Alice chooses a = 9 and Bob chooses b = 20. PROOF. or symmetric. n) = 1. . so let’s assume that n > 1. .76 5.4: Reduce each of the following powers. . 7222 = 74 55 · 72 ≡ 155 · 72 mod 10 = 49 ≡ 9 mod 10. but keep in mind that these are tiny numbers and in real life they would have to be much larger. let’s begin with a generalizable example to illustrate the Difﬁe-Hellman key exchange.6. who want to generate a shared private key in front of the prying eyes of evil Eve.7 For the sake of illustration. maφ(n) }. S and T are the same except for a rearrangement of order. However. If m and n are positive integers such that gcd(m. MODULAR EXPONENTIATION THEOREM 5. aφ(n) mod n. Example 5. . For example. For more details. Public key cryptosystems make it possible for two parties to communicate securely without having previously agreed upon a private key. aφ(n) } be the set of positive integers less than n that are relatively prime to n and let T = {ma1 . Since gcd(m. RSA can be used for key exchange. . . The Difﬁe-Hellman method enables two parties to publicly compute a shared private key. . they are invertible and mφ(n) ≡ 1 mod n. 10) = 1 and φ(10) = 4. but it can also be used encrypt information and to digitally sign electronic documents. and then they can use that key in a symmetric cipher. and Hill ciphers are all examples of private key. then mφ(n) ≡ 1 mod n. . but we avoid that for simplicity. Since all of the ai are relatively prime to n. the Difﬁe-Hellman key exchange and the RSA cryptosystem. maφ(n) = mφ(n) a1 a2 . and Eve. The proof generalizes the previous example. .

1) and encrypts the message with a Vigenère cipher using K = 4 as the key. 3. Plaintext: 757879873284728983697670 Key: 444444444444444444444444 Ciphertext: 191213217628162327031014 Alice then transmits 191213217628162327031014 to Bob. 5. then she can. which can be used as the key for a symmetric encryption method like the Vigenère or Hill cipher. Recall that this only establishes a key. suppose that Alice converts the Delphic wisdom KNOW THYSELF into numbers using the ASCII code (Table 3. 16. 9}. Similarly. 7. 1. 33} mod 26 ≡ {6. but this is the discrete log problem that we know is very hard to solve if p is large. . 1. Alice computes A = q a mod p = 9447758266163102091160 mod 156696463087 = 908653225 and Bob computes B = q b mod p = 9447758266123629131076 mod 156696463087 = 1340136561.8 The alphabet is {0. 95. Likewise. 2. Alice sends A to Bob. and he reverses the steps to recover the original message. p is still a small prime. 6.15: Let’s repeat the previous example with slightly bigger numbers. The message KNOW THYSELF is then encrypted as QIPMKOEN FBW. Let p = 156696463087 and q = 94477582661. If Eve intercepts A. the Vigenère cipher actually reduces to an additive cipher. 8. For real applications. it does not encrypt a message. Now Alice chooses a = 63102091160 and Bob chooses b = 23629131076. Example 5. 01. 7} mod 26 ∼ GVBQRH to produce a keyword for the Vigenère cipher. 73. For example. Bob also computes K. because the key is a single digit. and converted to letters {06. 4. To send a message. DIFFIE-HELLMAN KEY EXCHANGE 77 and sends it publicly to Bob. in principle. reduced modulo 26.6. but it is large enough to overwhelm many hand-held calculators. and they both compute K = Ab mod p = 90865322523629131076 mod 156696463087 = 67301429533 K = B a mod p = 134013656163102091160 mod 156696463087 = 67301429533. the digits in K might be partitioned into pairs. so the addition is done modulo 10. 17. she computes K = B a mod p = 129 mod 23 ≡ 4 mod 23. 42. 8In this case. and q. When Alice receives B. but in a different way: K = Ab mod p = 1120 mod 23 ≡ 4 mod 23. Bob computes B = q b mod p = 520 mod 23 ≡ 12 mod 23 and sends it to Alice. solve for a and b by solving A = q a mod p or B = q b mod p. B.5. 21. p. Bob sends B to Alice.

the security of this method relies on the difﬁculty of factoring the product pq. Finally. Bob computes c = me mod pq = 257 mod 77 ≡ 53 mod 77 and sends it to Alice. she can decipher it only if she can compute m7 mod 77 = 53. Adi Shamir. to assign public and private keys to all parties.7. mod pq (by Euler’s Theorem 5.because it is prohibitively difﬁcult to factor sufﬁciently large numbers. If Eve intercepts c = 53. RSA can. p and q are not known . the key center selects two large prime numbers p and q and computes φ(pq) = (p − 1)(q − 1).78 5.gov/fpkipa/. and Leonard Adleman. but it can also be used to encrypt information and to digitally sign electronic documents. he uses her public keys to compute c = me mod pq.even privately . Bob sends message m = 9See http://www.9 For every individual. If Eve intercepts the message. Note that even though the product pq is public. e−1 = 43 to compute ce −1 mod pq = 5343 mod 77 ≡ 25 mod 77 = m. Example 5. . That is. be used to establish a secret key publicly. the key center issues each individual the public keys e and pq and the private key e−1 mod φ(pq).idmanagement. MODULAR EXPONENTIATION 5.4) ≡ m(1)k mod pq Only Alice (and the key center) can decrypt the message since she is the only one who knows e−1 . They then select an integer e > 1 that is relatively prime to φ(pq) and compute its multiplicative inverse e−1 mod φ(pq). Example 5. If Bob wants to send Alice an integer message m < pq. but she reserves her private key e−1 = 2559385183601091556777. which he sends to her publicly. Note that this is easy for the key center to do since it knows both p and q.17: Alice publishes her public keys pq = 4469730945520926997399 and e = 4073619424605 228097289. When Alice receives c. Ron Rivest. Eve has to ﬁnd the e th root of c modulo pq. To send the message m = 25 < pq to Alice. like a key center. It all hinges on Euler’s theorem and the existence of a trusted authority. RSA Encryption The name RSA is a concatenation of the ﬁrst initials of the last names of its inventors. she computes ce −1 mod pq ≡ (me )e ≡ mee −1 −1 mod pq mod pq for some integer k k ≡ m1+kφ(pq) mod pq ≡ m · mφ(pq) ≡ m. Alice uses her private key. In essence. like the Difﬁe-Hellman method. she can only read it if she can solve me ≡ c mod pq for m.16: Alice publishes her public keys e = 7 and pq = 77 for all to see.

. Encrypting data using RSA is relatively slow. n ≥ 0 1 − r n+1 . or m could be an encoded message or part of a message. Recall that f0 = 0. she can decrypt it using Bob’s public key. and she computes 125010690e mod pq = 1250106901234567891 mod 176391331 ≡ 66111098 mod 176391331. Alice is sure that Bob actually sent the message. n≥1 2 6 12 n(n + 1) n+1 (e) All successive numbers in the Fibonacci sequence are relatively prime to each other. so he digitally signed it by enciphering his name (in ASCII) using his own private key. and f n = f n−1 + f n−2 . Finally.EXERCISES 79 12345678901234567890 to Alice by computing and transmitting the cipher c = me mod pq = 123456789012345678904073619424605228097289 mod 4469730945520926997399 ≡ 3469293885116137999704 mod 4469730945520926997399. I've decided to major in math. RSA can also be used to generate digital signatures. For example. Example 5. so perhaps m = 084101115116032111110032070114105100097121046. Since the decrypted digital signature (66 111 098) has an ASCII equivalent of Bob. The message m could be a private number like a credit card number that one party wishes to send to another. the ASCII equivalent of Test on Friday is 84 101 115 116 32 111 110 32 70 114 105 100 97 121 46.18: Bob sends a surprising message to Alice: Alice. + r n = 1−r n (c) 8| (9 − 1). n ≥ 0 1 1 1 1 n (d) + + + .. n≥0 (b) 1 + r + r 2 + . + = . f1 = 1. (a) (a b)n = a n b n . Alice decrypts the cipher c by computing ce −1 mod pq = 34692938851161379997042559385183601091556777 mod 4469730945520926997399 = 12345678901234567890 mod 4469730945520926997399. so if Alice and Bob want to exchange a lot of data (a lot of m’s). how does Alice know that Bob really sent it? It could be a forgery after all. Alice ﬁnds that Bob’s public keys are e = 1234567891 and pq = 176391331. n ≥ 2. . It's the coolest! Bob (125010690) Bob knows that Alice won’t believe that he actually sent the message. then it might be wise to use a single m as a shared key for use with a symmetric cipher. One thing Bob can do is encrypt his “signature” with his own private key. If Bob sends a message to Alice. . . and when Alice receives his message. Congratulations Bob on a wise choice! Exercises (1) Use mathematical induction to prove each of the following claims.

n > 1. (a) 417 (b) 1334 (c) 159 (d) 7298 (e) 1412 (f) 726 (g) 1912 (h) 226 (5) The so-called Russian Peasant (or Ancient Egyptian) method for multiplying integers is similar to the square-and-multiply algorithm for exponents. f n = f n−1 + f n−2 satisfy the following: 2 • f2n = 2 f n−1 f n + f n . rounding down as necessary. Compute the following products using the Russian Peasant algorithm. 52 × 27 = 1404. In the ﬁrst column. where f n is the nth Fibonacci number. Halve 52 26 13 6 3 1 Double 27 54 108 216 432 864 1404 Adding the numbers in the second column that are next to odd numbers in the ﬁrst column gives us the product. To multiply 52 × 27. (2) Compute the following. n ≥ 1 2 2 • f2n−1 = f n−1 + f n . we successively halve the numbers. but you might want to consult Wikipedia for more details. (a) φ(251) (b) φ(421) (c) φ(413) (d) φ(452) (e) φ(280) (f) φ(396) (g) φ(243) (h) φ(297) (i) φ(191) (j) φ(1384) (k) φ 372 (l) φ 5003 (3) Show if n > 2 then φ(n) is even.4) to reduce each of the following modulo 20. We present an example here. (g) The Fibonacci numbers f0 = 0 . we successively double the numbers. f1 = 1 . (4) Use the square-and-multiply algorithm and/or Euler’s theorem (5.80 5. you make two columns. MODULAR EXPONENTIATION (f) 3| f4n . and in the second column. each headed by one of the two multiplicands. .

Use her private key. but he received two different letters from her asking for two different things. . I’ve been very good and I haven’t even missed class more than 10 times. (a) Veronica Costello is getting an A in math. so she wrote a special letter to Santa asking for a very special gift. Please bring me “Backstreet Boys Go Live!” by the Backstreet Boys. Veronica (3108) (b) Veronica receives the message 12256 9486 6841 2524 14725 9462 2238 2982 649 that was encrypted with her RSA public keys.EXERCISES 81 (a) 23 × 34 (b) 101 × 33 (c) 342 × 256 (d) 54 × 39 mod 60 (e) 78 × 89 mod 100 (f) 123 × 543 mod 800 (6) You are making an online purchase from Alice’s Restaurant.1) to decrypt and read the message. so he suspects that one of the letters is a forgery. Dear Santa. I’ve been very good and I haven’t even missed class more than 10 times. Santa would like to bring VC what she asked for. Help Santa ﬁgure out which album Veronica really wants by checking both digital signatures. (a) You (Bob) and Alice agree to use the Difﬁe-Hellman method with p = 2309 and q = 200 to exchange a key. Please bring me “Teletubbies Gone Wild” by the Teletubbies. Veronica (10528) Dear Santa. Santa knows that Veronica’s computersavvy little brother is often naughty. and the ASCII code (Table 3. (7) Veronica Costello’s RSA public keys are pq = 16571 and e = 12667. (b) Use K as key for the Vigenère cipher to encrypt your Mathtercard number as illustrated in Example 5. Find the common key K. She sends you A = 295 and you choose b = 544. e−1 = 3748.14.

.

The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. ˝ [9] Claude Shannon. 1996. Making. [6] Ivan Niven and H. 2000. De Vita Caesarum: Divus Julius LVI. Codes and Ciphers. 2001. Zuckerman. Breaking Codes. 1980. [2] Paul Garrett. 2000. [13] Wade Trappe and Lawrence C. 83 . 33(2):142–150. Pearson Prentice-Hall. William Traves. John Wiley & Sons. 2005. [8] Kenneth H. 2002. Cambridge University Press. fourth edition. Cryptologia. S. 2009. [7] Jeffrey Overbey. The Code Book: The Secret History of Codes and Code-breaking. Communication theory of secrecy systems. Addison-Wesley. Scribner. and Jerzy Wojdylo. On the keyspace of the hill cipher. [3] David Kahn. [5] Tim McDevitt and Tom Leap. 30(1):59–72. [12] Suetonius. Cryptologia. second edition. Washington. Elementary Cryptanalysis. [4] Robert E. Bell System Technical Journal. Cryptological Mathematics. Introduction to Cryptography with Coding Theory. 2000. An Introduction to the Theory of Numbers. Random House. The Mathematical Association of America. Fourth Estate. 1949. Elementary Number Theory. 2006. [11] Abraham Sinkov.Bibliography [1] Robert Churchhouse. Rosen. Multimedia cryptology. [10] Simon Singh. 28(4):656U715. 1968. Lewand. Prentice Hall.

Sign up to vote on this title