
Class Notes for Cryptologic Mathematics (FYS 100)

Tim McDevitt

Frank Arnold (2012)

ELIZABETHTOWN COLLEGE

E-mail address: [email protected]


August 27, 2013


Contents

Preface vii

Introduction 1
0.1. What is Cryptology? 1
0.2. Types of Ciphers 3
0.3. Mathematical Ciphers 6
0.4. Types of Cryptologic Attacks 7
0.5. Notation and Terminology 7
Exercises 8

Chapter 1. Modular Arithmetic 11
1.1. Fundamental Theorem of Arithmetic 11
1.2. Greatest Common Divisors 12
1.3. Euclidean Algorithm 12
1.4. Extended Euclidean Algorithm 14
1.5. Relatively Prime Numbers 15
1.6. Modular Arithmetic 15
1.7. Solving Linear Congruences 19
1.8. Additive Cipher 23
1.9. Cryptanalysis of the Additive Cipher 25
1.10. Affine Cipher 27
1.11. Cryptanalysis of the Affine Cipher 27
Exercises 28

Chapter 2. Probability 33
2.1. Counting 33
2.2. Probability 36
2.3. Index of Coincidence 39
2.4. Vigenère Cipher 41
Exercises 45

Chapter 3. Recursion 49
3.1. Recursion 49
3.2. Binary Arithmetic 50
3.3. Data as Bits 51
3.4. Encryption of Binary Data 52
3.5. Linear Feedback Shift Registers 53
Exercises 55

Chapter 4. Matrices 57
4.1. Matrix Arithmetic 57
4.2. Hill Cipher 60
4.3. Cryptanalysis of the Hill Cipher 61
Exercises 64


Chapter 5. Modular Exponentiation 67
5.1. Square and Multiply Algorithm 67
5.2. Mathematical Induction 68
5.3. Euler Phi Function 69
5.4. Fermat’s Little Theorem 72
5.5. Euler’s Theorem 75
5.6. Diffie-Hellman Key Exchange 76
5.7. RSA Encryption 78
Exercises 79

Bibliography 83


Preface

The first author has taught cryptology as a First-Year Seminar at Elizabethtown College for several years using Robert Lewand’s fine book [4]. However, less than half of the author’s students are math or science majors, so Lewand’s rigorous approach is often under-appreciated. These notes follow much of the same material, but they rely fairly heavily on student intuition instead of rigorous proof, as is usually done in calculus courses. Proofs or arguments are reserved for those situations where results are not intuitively clear to the students. For instance, students don’t struggle with the transitivity of divisibility for integers (if a|b and b|c, then a|c), but Fermat’s little theorem requires a proof. Other situations warrant justifications that fall short of proofs, but are still convincing to students. For example, we don’t formally prove that the Euclidean algorithm always finds the gcd of two positive integers, but we demonstrate that it has to work with “generalizable examples”.

Since our audience includes first-year students who are not math or science majors, we have tried to minimize the use of terminology and mathematical jargon. Students interested in more details should consult textbooks on number theory or algebra, or just wait patiently for an opportunity to take those courses.

The second author is a former (2008) student of this course who has provided a student’s perspective on the presentation of the material. As a result, the style of writing is informal in an attempt to teach some math and to develop enthusiasm for cryptology. Please note that this text does not address the history of cryptology in a systematic way so that we can focus on the mathematics. Students of cryptology should appreciate the impact of cryptology on historical events, but that knowledge will have to be obtained from other sources (cf. [3] and [10]).

Throughout the notes are several hyperlinks to Mathematica notebooks that are helpful for cryptologic calculations or for demonstrating mathematical concepts. The entire set of notebooks can be found at users.etown.edu/m/mcdevittt/. The file cipher.nb contains code that implements most of the encryption algorithms in the book. Readers may also enjoy using the FREE software package ECrypt (www2.etown.edu/ECrypt/ECrypt.htm). The current (2013) version of ECrypt is a .jar file, so it should be platform independent, provided that your computer has Java installed. ECrypt doesn’t have to be installed; just download it and run it. It has a graphical user interface (GUI) that enables users to easily implement the cryptographic algorithms in this course. It also provides special tools for cryptanalysis, a recursive calculator, and a calculator for modular arithmetic.

Future versions of this book will have chapters dedicated to elliptic curves and to the encryption and cryptanalysis of historical ciphers applied to image and sound files as described in [5].


Introduction

0.1. What is Cryptology?

Classically, cryptology was used to send and receive secret messages and its users were often military leaders or diplomats. For Admiral Alice to send General Bob a secret message, she would have to encrypt or encipher her message using a method that she and Bob had previously agreed upon. When Bob receives the message, he has to decrypt or decipher her message to read it. Often, the method of encryption would rely on a key: some special number(s) or word(s) that only Alice and Bob know.

Prior to the computer age, encryption methods were relatively simple, not explicitly mathematical, and often not very secure. Messages were relatively short and there was very little systematic research certifying the security of cryptologic methods. Today, however, messages can be very long. As of this writing (2010), a typical JPEG file from a digital camera is over 1 MB, which is roughly equivalent to a text file of a million characters. Contemporary encryption methods tend to use very sophisticated mathematics and there is a great deal of systematic research. The US Department of Commerce certifies certain algorithms so that users can be confident that their communications are secure, and these algorithms can be very complicated.[1] In addition to the transmission and reception of secret messages, modern cryptology also involves less well-known operations such as key exchange, digital signatures, random number generation, hashing, etc., but this book focuses, for the most part, on mathematical versions of historical methods. These methods require what is probably unfamiliar mathematics and, although they are no longer useful, they evolved into today’s methods so it is still useful to be familiar with them. The only exception is our discussion of public key systems, which currently enjoy widespread use.

Another important difference between classical and modern cryptography is frequency of use. In the past, the average individual had no practical reason to encrypt messages, but today we all use cryptographic algorithms without even knowing it when we use our cell phones or email or make online purchases. Therefore, modern cryptology is directly applicable to our daily lives in very important ways.

Finally, the nature of characters in encryption algorithms has changed in modern times. In the past, messages were composed using characters from a fixed alphabet, so, for example, two English speakers might use a 26-letter alphabet abcdefghijklmnopqrstuvwxyz, or they might use a 52-letter alphabet that includes capital letters, or they might include digits and punctuation. In this course, we will frequently assume a 26-letter alphabet. Computers store files in terms of bits that we can regard as an alphabet of only two characters: 0 and 1. This includes Word® and Excel® documents, JPEG images, MPEG movies, etc. Modern encryption algorithms operate at the bit level on a computer, so all computer files can be encrypted in the exact same way, regardless of how we interpret those bits as text, pictures, movies, etc.

Cryptology is an umbrella term for cryptography and cryptanalysis. Cryptography involves the creation and use of algorithms that pass private information between two parties with the goal of obscuring the information from unintended recipients. Classically, users might hope that adversaries would not know what encryption algorithms were being used, but that is an unrealistic expectation today. Today, we have to assume that adversaries know what algorithms we are using, so the security of a method depends entirely on the difficulty of recovering the secret key. Symmetric, or private key, systems require both sender and receiver to know the same secret key, but modern public key systems enable parties to communicate securely without previously establishing a secret key.

[1] For example, see the NIST document FIPS 197 that takes 51 pages to describe AES. The good news is that the description is very good and very clear, unlike IRS documents.

Figure 0.1: Can you read the message hidden in this poem that is revealed by the stencil?

Cryptanalysis is the study of cryptographic algorithms with the intent of recovering secret messages without knowing the secret key. We can think of cryptanalysis as the activity of an adversary who obtains an encrypted message and tries to recover the original message without knowing the key, but cryptanalysis could also be the activity of an analyst who is studying the security of a given method. Loosely speaking, we can think of cryptographers as the defense and cryptanalysts as the offense, but both sides must know what the other is capable of to do their jobs properly.

We also want to distinguish cryptography from steganography, which seeks to hide the very existence of a message. For example, the children’s activity of writing a note in invisible ink is an example of steganography, as is the use of a stencil to hide a message in a book. (See Figure 0.1.) Of course, steganography can be combined with cryptography to provide extra security. Although steganography can be very interesting, we won’t discuss it in this book.

Finally, a cipher is an encryption algorithm that is used to encrypt (or encipher) a message, or plaintext, into apparently unintelligible ciphertext. The original plaintext is recovered by decrypting (or deciphering) the ciphertext. The terms “plaintext” and “ciphertext” still apply even if the data are not really text but just some form of data (e.g. bits). Also, for convenience people often shorten “ciphertext” into “cipher”, so you have to tell them apart from context. Finally, the word “key” is often used in different ways at the same time, but we will wait to point that out until later.


Figure 0.2: The same strip of paper displayed on two different diameter tubes. On the left we see part of the joke How do you know that you have found an extroverted mathematician? He looks at your feet when he talks to you. On the right, the message is unreadable.

0.2. Types of Ciphers

There are two basic tools that are used in encryption algorithms: transposition (rearranging the characters) and substitution (replacing characters with other characters). Transposition and substitution are familiar as two popular types of puzzles, anagrams and cryptograms.

Classroom Exercise 0.1: Here is a sample anagram; the letters in each word have simply been jumbled. See if you can decipher the message.

RYOU RETARSIPNVEETE WSOE UYO, OTN IHS UNSYRTDI YNOL, UBT HSI TEJGMDUN;

AND EH BTSAYRE, EDITASN FO ERNVSGI OUY, FI EH ACFRSIEISC TI OT RYUO NONPOII

- "PHCEES TO EHT RESCLETO AT BLRTIOS TA HTE CONSOCINUL OF HET LLOP" BY

EDUNDM RBEUK

Classroom Exercise 0.2: Here is a sample cryptogram; each letter is replaced by another letter. See if you can decipher the message.

LRLSUB ZYU SRHU CRYCSUB MYZQD XF LKU WZJRCRZD'B QZDM, LO CODLYZCL LKU

BIKUYU ON WZD'B NUSRCRLF. KU SRVUB RWWGYUM QRLKRD LKU XZBLRSSU ON Z QOYM,

ZDM BGYVUFB ZL Z MRBLZDCU LKU UDVRUM SRNU ON WZD. - "LKU YRJKLB ON WZD"

XF LKOWZB IZRDU.

If you actually solved both puzzles, then the punctuation and spacing of the words in both the anagram and the cryptogram probably helped a lot. We can make a much more difficult puzzle by using a shorter message, removing all spacing and punctuation, and using both transposition and substitution.

Classroom Exercise 0.3: Winston Churchill reportedly said RSAAPTAPCVTMVZSCSOCPYDTDTQQQQITPQ. See if you can decipher this combination anagram and cryptogram with spacing and punctuation removed.

An ancient example of a transposition cipher is the σκυταλη (scytale), which the Spartans reportedly used for tactical messages on the battlefield. A strip of leather or parchment was wound around a stick and a message was written across it as shown in Figure 0.2. Once the strip was unwound, the letters were jumbled and the message was unreadable. Furthermore, the message could only be read by wrapping the message around a stick with the same diameter. Figure 0.2 shows a scytale with a decidedly unimportant message. It illustrates how the message is unintelligible if the diameter is incorrect. In this case, the diameter of the stick is the secret key.


An early example of a substitution cipher is the Caesar cipher, which simply shifts each letter in the plaintext ahead 3 places to produce an encrypted message. For example, veni vidi vici[2] becomes yhql ylgl ylfl. The Caesar cipher is attributed to Julius Caesar by Suetonius, who was a prominent historian of the Roman emperors in the first and second centuries A.D. According to Suetonius [12],

“Exstant et ad Ciceronem, item ad familiares domesticis de rebus, in quibus, si qua occultius perferenda erant, per notas scripsit, id est sic structo litterarum ordine, ut nullum verbum effici posset; quae si qui investigare et persequi velit, quartam elementorum litteram, id est D pro A et perinde reliquas commutet.”

The translation of Suetonius on penelope.uchicago.edu is

“There are also letters of his to Cicero, as well as to his intimates on private affairs, and in the latter, if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.”

If this translation is correct, then it actually sounds like Caesar’s messages were decrypted by shifting 3 letters to the right. Nevertheless, modern cryptographers generally understand Caesar’s cipher as a shift of 3 letters to the right.

The Caesar cipher is an example of a monoalphabetic substitution cipher, in which every character is replaced by some other character. In the 9th century A.D., Abu Yusuf Yaqub ibn Ishaq al-Sabbah Al-Kindi introduced frequency analysis that made monoalphabetic substitution ciphers obsolete because they were no longer secure. To thwart frequency analysis, people in succeeding centuries invented polyalphabetic substitution ciphers, in which each letter is replaced by another letter that changes with each use. For instance, a polyalphabetic system might encrypt the first a in aardvark as q, but the second a might be encrypted as n. Examples include the Alberti cipher wheel and the Vigenère cipher.

In 1467, Leon Battista Alberti (1404-1472) developed a cipher wheel that produced ciphertext that was not vulnerable to Al-Kindi’s frequency analysis. The wheel consisted of two rings and the inner ring could be turned about its center. Sender and receiver would agree on a “pointer” letter; Alberti chose k. The sender picks a letter on the outer ring and lines it up with k on the inner ring and then enciphers several letters by locating plaintext characters on the outer ring and associating them with corresponding cipher characters on the inner ring. For example, using the first setting in Figure 0.3, the first six characters of VENIVIDIVICI are encrypted as Fnxrpnp. What makes his method polyalphabetic is that the sender occasionally points k at a new letter. Using the second setting in Figure 0.3, the last six characters of VENIVIDIVICI are encrypted as 4mghg&g. Therefore, altogether, the message VENIVIDIVICI can possibly be encrypted as Fnxrpnp4mghg&g. It is interesting to note that Alberti’s wheel omits H, K, U, W and Y but includes some digits. Apparently, Alberti was content to associate U with V and W with VV.

In 1585, Blaise de Vigenère introduced a polyalphabetic substitution cipher that endured for three centuries. The user chooses a key word, say LION, and writes it down repeatedly under the plaintext until the key is as long as the plaintext. Then the user looks up each (key letter, plain letter) pair in the Vigenère square in Table 0.1.

[2] “I came, I saw, I conquered.” was Caesar’s report to Rome in 47 B.C. after his overwhelming defeat of King Pharnaces II of Pontus at the battle of Zela.


Figure 0.3: Two settings of Alberti’s cipher wheel.

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B   B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C   C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E   E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F   F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G   G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H   H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I   I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J   J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K   K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L   L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M   M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N   N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O   O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P   P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q   Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R   R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S   S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T   T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U   U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V   V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W   W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X   X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y   Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z   Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Table 0.1: A Vigenère square. The highlighted letters correspond to an example in the text.

Plain:  S C Y T A L E
Key:    L I O N L I O
Cipher: D K M G L T S


For example, to encrypt the first letter in SCYTALE, the user looks in row L and column S to find a D. This is the cipher character that substitutes for the S. Continuing this process produces the entire ciphertext DKMGLTS. Be careful of the potentially confusing terminology: the keyword LION generates the key LIONLIO for the cipher, but people may refer to both LION and LIONLIO as key.
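Looking up row L and column S in the square is the same as adding the positions of the two letters modulo 26, and the Caesar cipher from earlier in this section is the special case of a one-letter key. The following Python is an added example written for these notes; it is not the authors' cipher.nb notebook or ECrypt. It assumes the 26-letter upper-case alphabet, discards every other character (so spaces in veni vidi vici vanish), and repeats the keyword the way the notes describe (LION becomes LIONLIO under SCYTALE).

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letters_only(text: str) -> str:
    """Upper-case the text and keep only A-Z; spaces and punctuation are dropped."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def expanded_key(plaintext: str, keyword: str) -> str:
    """The key the notes call LIONLIO: the keyword repeated to the plaintext length."""
    plain, key = letters_only(plaintext), letters_only(keyword)
    if not key:
        raise ValueError("keyword must contain at least one letter")
    return "".join(key[i % len(key)] for i in range(len(plain)))


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Row (key letter), column (plain letter) in the square equals
    (plain + key) mod 26, so the table itself is never needed."""
    plain = letters_only(plaintext)
    key = expanded_key(plain, keyword)
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
        for p, k in zip(plain, key)
    )


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """Undo the shift: (cipher - key) mod 26."""
    cipher = letters_only(ciphertext)
    key = expanded_key(cipher, keyword)
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
        for c, k in zip(cipher, key)
    )


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Caesar's cipher is a Vigenère cipher whose keyword is a single letter
    (shift 3 is the letter D)."""
    return vigenere_encrypt(plaintext, ALPHABET[shift % 26])


if __name__ == "__main__":
    print(expanded_key("SCYTALE", "LION"))      # LIONLIO
    print(vigenere_encrypt("SCYTALE", "LION"))  # DKMGLTS
    print(vigenere_decrypt("DKMGLTS", "LION"))  # SCYTALE
    print(caesar_encrypt("veni vidi vici"))     # YHQLYLGLYLFL
```

Because the key letter only ever adds a constant, decryption is the same loop with the sign flipped; that symmetry is why the notes say chapter 2 can dispense with Table 0.1 entirely.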

The Vigenère cipher was highly regarded for three centuries and it was considered by many to be secure until Charles Babbage cracked it in 1854. Friedrich Kasiski also broke the cipher in 1863, but it seems that cryptological news traveled slowly because the Confederacy still used the Vigenère cipher during the U.S. Civil War to the advantage of the North. In fact, as late as 1917, Scientific American (Supplement LXXXIII, January 27, 1917) still advocated its use.

“The [Vigenère] method used for the preparation and reading of code messages is simple in the extreme and at the same time impossible of translation unless the key is known. The ease with which the key may be changed is another point in favor of the adoption of this code by those desiring to transmit important messages without the slightest danger of their messages being read by political or business rivals etc.”

Modern ciphers are often polygraphic. A polygraph is a sequence of several characters; specifically a digraph is a sequence of two characters and a trigraph is a sequence of three. Polygraphic substitution ciphers encrypt entire blocks of characters together. We will study the Hill cipher in chapter 4 as an example of a polygraphic substitution cipher, but it is a little too complicated to introduce quickly here.

One common feature of all classical methods is that they are symmetric in the sense that both sender and receiver require knowledge of the algorithm and the secret key. This sort of arrangement is not always possible in the computer age. Therefore, in chapter 5 we study two public key systems that allow people to communicate even though they’ve never had an opportunity to agree upon a secret key.

0.3. Mathematical Ciphers

Since the intended audience of this book speaks English, the most commonly used alphabet in this book is English, but we really can use any alphabet we want, and the length of the alphabet is usually not important.

Latin: ABCDEFGHIKLMNOPQRSTVXYZ
Greek: αβγδεζηθικλμνξοπρςστυφχψω
Arabic: (the Arabic letters did not survive extraction of this page)
Computer: 01
Grayscale 8-bit bitmap: 0 1 2 ... 254 255

None of the methods we’ve discussed so far require the use of mathematics. However, math can make any of them much easier to implement, either by hand or on a computer. For example, in chapter 2 we will revisit the Vigenère cipher, but we will have absolutely no need of the cumbersome Vigenère square in Table 0.1, so it will be much easier to encrypt and decrypt messages. The ciphers in chapters 3, 4, and 5 are all thoroughly mathematical and we can’t even describe the algorithms without using mathematics.

Cryptanalysis is also greatly aided by the use of mathematics and statistics. Consider the simple scytale, which is equivalent to writing the plaintext characters in a table as shown.


H O W D O Y O U K N O W T
H A T Y O U H A V E F O U
N D A N E X T R O V E R T
E D M A T H E M A T I C I
A N ? H E L O O K S A T Y
O U R F E E T W H E N H E
T A L K S T O Y O U

The ciphertext is read off in columns: HHNEAOT OADDNUA WTAM?RL DYNAHFK OOETEES YUXHLET OHTEOTO UARMOWY KVOAKHO NEVTSEU OFEIAN WORCTH TUTIYE. Software like Mathematica makes ciphertext like this easy to crack. Try it with the Mathematica notebook Scytale.nb at http://users.etown.edu/m/mcdevittt/Crypto.html.
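Here is the table view of the scytale in Python, as an added example that is not the authors' Scytale.nb notebook. Encryption writes the message into rows of a chosen width (the number of letters that fit around the stick) and reads the columns; decryption has to rebuild the columns, which only works once you know how many of them are one letter longer than the rest. The last function makes the point about cryptanalysis concrete: the key is a small integer, so a program can try every width and keep the one whose output contains the most common English words. The plaintext and width 13 are taken from the table above; the short word list is my own choice.

```python
import math

# Plaintext of the table above with the row breaks removed (constructed from
# the notes' example; the "?" is treated as an ordinary character).
PLAINTEXT = ("HOWDOYOUKNOWTHATYOUHAVEFOUNDANEXTROVERTEDMATHEMATICIAN?"
             "HELOOKSATYOURFEETWHENHETALKSTOYOU")

# The ciphertext exactly as the notes print it, one space between columns.
PAGE_CIPHERTEXT = ("HHNEAOT OADDNUA WTAM?RL DYNAHFK OOETEES YUXHLET OHTEOTO "
                   "UARMOWY KVOAKHO NEVTSEU OFEIAN WORCTH TUTIYE")


def scytale_encrypt(plaintext: str, width: int) -> str:
    """Write the text in rows of `width` letters, then read it column by column."""
    if width < 1:
        raise ValueError("width must be positive")
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def _columns(ciphertext: str, width: int) -> list[str]:
    """Split the ciphertext back into its columns. With n letters there are
    ceil(n / width) rows, and the first n mod width columns (all of them when
    the division is exact) hold one letter more than the others."""
    if width < 1:
        raise ValueError("width must be positive")
    n = len(ciphertext)
    nrows = math.ceil(n / width)
    long_cols = n % width or width
    cols, pos = [], 0
    for c in range(width):
        length = nrows if c < long_cols else nrows - 1
        cols.append(ciphertext[pos:pos + length])
        pos += length
    return cols


def scytale_decrypt(ciphertext: str, width: int) -> str:
    """Read the reconstructed columns row by row to recover the plaintext."""
    cols = _columns(ciphertext, width)
    nrows = max((len(col) for col in cols), default=0)
    return "".join(col[r] for r in range(nrows) for col in cols if r < len(col))


def grouped(ciphertext: str, width: int) -> str:
    """The display form used in the notes: one space between columns."""
    return " ".join(_columns(ciphertext, width))


# A crude "does this look like English?" score: count a few common words.
COMMON_WORDS = ("THE", "YOU", "AND", "THAT", "HAVE", "WITH", "FOR")


def english_score(text: str) -> int:
    return sum(text.count(word) for word in COMMON_WORDS)


def crack_scytale(ciphertext: str) -> tuple[int, str]:
    """The key is just a width, so try them all and keep the best-scoring one."""
    n = len(ciphertext)
    best = max(range(2, n), key=lambda w: english_score(scytale_decrypt(ciphertext, w)))
    return best, scytale_decrypt(ciphertext, best)


if __name__ == "__main__":
    cipher = scytale_encrypt(PLAINTEXT, 13)
    print(grouped(cipher, 13))             # matches the ciphertext in the notes
    print(crack_scytale(cipher))           # (13, 'HOWDOYOUKNOW...')
```

Note that the spaces the notes put between columns already give away the column lengths, and therefore the width; the `crack_scytale` search is what an analyst needs when the ciphertext arrives as one unbroken string.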

0.4. Types of Cryptologic Attacks

Real-life cryptanalysis often hinges on operator error or some flaw in the design of the machine or software that implements a cryptographic algorithm. Such mistakes make different scenarios possible for an adversary. One type of attack is a known-plaintext attack, in which the cryptanalyst knows the encryption algorithm and has access to some plaintext and the corresponding ciphertext. Such plaintext is often referred to as a crib. The Allies used cribs to find Enigma keys during World War II. In a chosen-plaintext attack, the cryptanalyst has an opportunity to choose some plaintext to feed into the cryptographic algorithm, but we will mostly consider ciphertext-only attacks, where we have some cipher and the only thing we know is the algorithm. Recall that we will always assume that cryptanalysts know the relevant cryptographic algorithms and the only thing that they lack is the key.

0.5. Notation and Terminology

Mathematicians tend to write very concisely and use a lot of specialized symbols, so it might be helpful if we introduce some of the symbols that we’ll be using. Sets with listed elements are written with braces, like {red, green, blue}. Other special sets have special symbols. For instance, the set of integers is denoted by Z. The natural numbers, rationals, reals, and complex numbers are N, Q, R, and C, respectively. There is no universally recognized symbol for whole numbers, but we could use N ∪ {0}, the union (∪) of N and the set including only the number zero. In this course, we will work almost exclusively with integers, but we will encounter real (or rational) numbers when we study probability. We indicate that “a is an integer” by writing a ∈ Z to indicate that a is in (∈) the set of integers.

We write a|b to indicate that a divides b. That is, for integers a and b, a divides b if there exists an integer c such that ac = b. For example, a = 2 divides b = 12 since there is an integer c = 6 such that ac = (2)(6) = 12 = b. Similarly, a = 2 does not divide b = 13 (written 2 ∤ 13) since there is no integer c such that ac = 2c = 13 = b.

As we mentioned in the introduction, the words “encrypt” and “encipher” are synonymous, as are “decrypt” and “decipher”. Original text is plaintext and the encrypted text is ciphertext, even if the text isn’t really text. Pictures, audio, and computer files can all be encrypted, so it might seem a little odd to call a picture plaintext, but we’ll do it anyway. The word “cipher” usually refers to an encryption algorithm, but it can be a shortened version of ciphertext. Also, the word key is often used imprecisely. Sometimes it refers to the keyword or key number(s), and sometimes it refers to a long string of letters or numbers that are generated from the keyword.


A code exchanges one system of writing for another. It may have the effect of making a message unintelligible, but that is not always its purpose. Two familiar non-encrypting codes are Morse code and ISBNs. Morse code converts English into a series of dots and dashes so that an English message can be easily transmitted over a primitive channel like a telegraph line. The ISBN code for a book serves two purposes; it identifies the book (like a numerical name) and it attaches a check character at the end that can identify mistakes in the number. For instance, the ISBN-10 for Lewand’s Cryptological Mathematics [4] is 0-88385-719-7. The leading 0 indicates the language (English), the second group of numbers, 88385, indicates the publisher (The Mathematical Association of America), and the third set of digits is the publisher’s serial number for the book. The final digit, 7, is chosen so that

0·1 + 8·2 + 8·3 + 3·4 + 8·5 + 5·6 + 7·7 + 1·8 + 9·9 + 7·10 = 330

is divisible by 11. If someone made a silly transposition mistake like 0-88835-719-7, the ISBN code would identify it since

0·1 + 8·2 + 8·3 + 8·4 + 3·5 + 5·6 + 7·7 + 1·8 + 9·9 + 7·10 = 325

is not divisible by 11. So, when people talk about codebreaking, they are really talking about cryptanalysis.
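The weighted-sum rule is easy to turn into a checker, and it also shows how the check digit is chosen in the first place. The Python below is an added example, not code from the notes. It uses the notes' weights 1 through 10 (the usual ISBN-10 weights 10 down to 1 give the same test modulo 11), treats a final X as the value 10 as exercise 4 does, and derives the check digit from the fact that 10 ≡ −1 (mod 11): the last digit must equal the weighted sum of the first nine digits reduced modulo 11. The ISBN 000000006X used at the end is a constructed value, chosen only because its check character comes out as X.

```python
def isbn10_values(isbn: str) -> list[int]:
    """Drop hyphens and spaces and turn each character into a number.
    An X is accepted only in the last position, where it stands for 10."""
    chars = [ch for ch in isbn.upper() if ch not in "- "]
    values = []
    for i, ch in enumerate(chars):
        if ch.isdigit():
            values.append(int(ch))
        elif ch == "X" and i == len(chars) - 1:
            values.append(10)
        else:
            raise ValueError(f"invalid ISBN-10 character {ch!r} in {isbn!r}")
    return values


def isbn10_weighted_sum(isbn: str) -> int:
    """The sum 1*d1 + 2*d2 + ... + 10*d10 used in the notes."""
    values = isbn10_values(isbn)
    if len(values) != 10:
        raise ValueError("an ISBN-10 has exactly ten characters")
    return sum(w * d for w, d in zip(range(1, 11), values))


def isbn10_is_valid(isbn: str) -> bool:
    """An ISBN-10 is well formed when the weighted sum is divisible by 11."""
    return isbn10_weighted_sum(isbn) % 11 == 0


def isbn10_check_digit(first_nine: str) -> str:
    """Choose d10 so that 1*d1 + ... + 9*d9 + 10*d10 is divisible by 11.
    Since 10 == -1 (mod 11), that means d10 == (1*d1 + ... + 9*d9) (mod 11);
    a result of 10 is written as X."""
    values = isbn10_values(first_nine)
    if len(values) != 9 or 10 in values:
        raise ValueError("need exactly nine decimal digits")
    partial = sum(w * d for w, d in zip(range(1, 10), values))
    check = partial % 11
    return "X" if check == 10 else str(check)


if __name__ == "__main__":
    print(isbn10_weighted_sum("0-88385-719-7"), isbn10_is_valid("0-88385-719-7"))  # 330 True
    print(isbn10_weighted_sum("0-88835-719-7"), isbn10_is_valid("0-88835-719-7"))  # 325 False
    print(isbn10_check_digit("0-88385-719"))                                       # 7
```

Because 11 is prime and every weight is between 1 and 10, swapping two adjacent digits changes the sum by a non-zero multiple of their difference, which is why the transposition 88385 to 88835 is caught.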

Exercises

(1) Decrypt the Caesar ciphertext shwhuslshuslfnhgdshfnrislfnohgshsshuv.

(2) Decrypt each of the following messages that were encrypted with a scytale. The Mathematica notebook Scytale.nb might be helpful.
  (a) Sssalbheohe slyearelshs se lee tsh.
  (b) Wiifd e a etihsxr snBusneny aoe?ese e saifv cevan.

(3) Use the Vigenère square (Table 0.1) to
  (a) encrypt ENIGMA with keyword GERMANY.
  (b) decrypt YUGPYN if the keyword is JAPAN.

(4) Which of the following ISBN-10s are correct?
  (a) Calculus (6th edition) by Stewart, 0-495-38558-1.
  (b) Elementary Differential Equations (8th edition) by Boyce and DiPrima, 0-417-43339-X. (X stands for 10.)
  (c) The Mathematics of Coding Theory by Garrett, 0-13-101976-8.
  (d) Introduction to Cryptography with Coding Theory by Trappe and Washington, 0-13-186239-1.

(5) The first nine digits of the ISBN-10 for each of the following books are given. What should the last digit be?
  (a) 0-7432-6751- , The Official Rock Paper Scissors Strategy Guide by Douglas and Graham Walker
  (b) 0-13-187141- , Elementary Linear Algebra: A Matrix Approach by Spence, Insel, and Friedberg
  (c) 0-521-47236- , The Nonlinear Theory of Elastic Shells by Libai and Simmonds

(6) The Atbash cipher replaces the 1st letter of the alphabet with the last, the 2nd with the second-to-last, etc.[3] Use the Atbash cipher to decrypt klgzgl xsrk.

(7) The Polybius checkerboard cipher places 25 letters of the alphabet (J is missing) in a 5 × 5 table.

[3] The Atbash cipher appears in the Book of Jeremiah where, for example, Babylon is referred to as Sheshakh (in Hebrew).


    1 2 3 4 5
  1 E P X Q Y
  2 H V B A O
  3 F M C U N
  4 T K D L R
  5 W I S Z G

To encrypt a message like FEEDME, you just give the row and column pair for each letter: 311111433211. This has the disadvantage that the ciphertext is twice as long as the plaintext, but it has the advantage that it works well as a semaphore.
  (a) Encrypt HANDITOVER.
  (b) Decrypt 231141411145412544525521412535113324354344114121243533344553114121114324454235115353332535313433523453.
  (c) What is the key for this cipher?
  (d) The keyspace for a cipher is the set of all possible keys. How big is the keyspace for this cipher?

(8) In the Wheatstone-Playfair cipher, 25 letters of the alphabet are placed into a 5 × 5 table.

  E P X Q Y
  H V B A O
  F M C U N
  T K D L R
  W I S Z G

Plaintext messages are broken into digraphs, and if the pair of letters
  • lie in the same row, then the ciphertext is the pair of letters to the right, wrapping around as necessary.
  • lie in the same column, then the ciphertext is the pair of letters beneath, wrapping around as necessary.
  • lie at the corners of a rectangle, then the ciphertext is the pair of letters in the opposite corners.
For example, WELCOME is encrypted as EHDUVNPY, padding the end of WELCOME with Q so that its length is even.
  (a) Encrypt MATHCOUNTS®.
  (b) Decrypt BRRNKTNFISWFXDSZBGDG.
  (c) What is the key for this cipher?
  (d) How big is the keyspace for this cipher?
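Exercises 7 and 8 share the same 5 × 5 grid, so one added Python example (not the authors' code) serves both: a Polybius encoder and decoder that emit row-column digit pairs, and a Playfair encoder and decoder that apply the three digraph rules above, padding with Q exactly as the exercise does. The grid is the one printed in the exercises. Two details the notes leave unspecified are my assumptions: a J in the input is written as I, and a pair of identical letters is handled by the same-row rule. Decryption simply reverses each rule (letters to the left, letters above, and the same corner swap).

```python
GRID = ["EPXQY",
        "HVBAO",
        "FMCUN",
        "TKDLR",
        "WISZG"]

# Letter -> (row, column), 0-based, for fast lookup.
POS = {ch: (r, c) for r, row in enumerate(GRID) for c, ch in enumerate(row)}


def prepare(text: str) -> str:
    """Upper-case and keep only grid letters; J becomes I (my assumption,
    since the grid has no J)."""
    return "".join("I" if ch == "J" else ch
                   for ch in text.upper() if ch in POS or ch == "J")


def polybius_encrypt(plaintext: str) -> str:
    """Each letter becomes its 1-based row digit followed by its column digit."""
    return "".join(f"{r + 1}{c + 1}" for r, c in (POS[ch] for ch in prepare(plaintext)))


def polybius_decrypt(ciphertext: str) -> str:
    """Read the digits two at a time and look the cell up in the grid."""
    digits = [ch for ch in ciphertext if ch.isdigit()]
    if len(digits) % 2:
        raise ValueError("Polybius ciphertext needs an even number of digits")
    return "".join(GRID[int(digits[i]) - 1][int(digits[i + 1]) - 1]
                   for i in range(0, len(digits), 2))


def _playfair_pair(a: str, b: str, step: int) -> str:
    """step=+1 encrypts (right / below), step=-1 decrypts (left / above).
    The rectangle rule is its own inverse."""
    (ra, ca), (rb, cb) = POS[a], POS[b]
    if ra == rb:                                   # same row
        return GRID[ra][(ca + step) % 5] + GRID[rb][(cb + step) % 5]
    if ca == cb:                                   # same column
        return GRID[(ra + step) % 5][ca] + GRID[(rb + step) % 5][cb]
    return GRID[ra][cb] + GRID[rb][ca]             # opposite corners


def playfair_encrypt(plaintext: str) -> str:
    text = prepare(plaintext)
    if len(text) % 2:
        text += "Q"                                # padding rule from the exercise
    return "".join(_playfair_pair(text[i], text[i + 1], +1)
                   for i in range(0, len(text), 2))


def playfair_decrypt(ciphertext: str) -> str:
    text = prepare(ciphertext)
    if len(text) % 2:
        raise ValueError("Playfair ciphertext always has an even number of letters")
    return "".join(_playfair_pair(text[i], text[i + 1], -1)
                   for i in range(0, len(text), 2))


if __name__ == "__main__":
    print(polybius_encrypt("FEEDME"))       # 311111433211
    print(playfair_encrypt("WELCOME"))      # EHDUVNPY
    print(playfair_decrypt("EHDUVNPY"))     # WELCOMEQ (the padding Q comes back)
```

Decrypting EHDUVNPY returns WELCOMEQ rather than WELCOME: the padding letter is part of the plaintext as far as the cipher is concerned, and the receiver has to recognise and discard it.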


CHAPTER 1

Modular Arithmetic

This chapter develops the mathematical tools needed for modular arithmetic and modular algebra, both of which will be useful throughout the entire course. After that, we apply our new knowledge to the additive and affine ciphers.

1.1. Fundamental Theorem of Arithmetic

Recall that an integer p > 1 is prime if the only integers that divide it are 1 and p. (We will frequently use p and q to represent prime numbers.) Composite numbers are integers greater than one that are not prime. Also, recall the fundamental theorem of arithmetic. (Don’t worry if you don’t recognize the name; it should still be familiar.)

THEOREM 1.1 (Fundamental Theorem of Arithmetic). Every positive integer n > 1 can be written uniquely as a product of primes.

We won’t prove the theorem because it is probably very familiar to most readers. If you are interested in a proof, it isn’t very difficult and you can find one in a book on number theory or on Wikipedia. Instead, let’s look at some examples.

Example 1.1: You can probably do the first two examples in your head, but the third one might be easier if you use a factor tree.

(1) 35 = 5 · 7
(2) 48 = 2^4 · 3
(3) 1260 = 2^2 · 3^2 · 5 · 7.

Classroom Exercise 1.1: Express the following numbers as products of primes.

(1) 95
(2) 819
(3) 3400

1.2. Greatest Common Divisors

A common divisor of two integers a and b is an integer (positive or negative) that divides both a and b. For example, 2 is a common divisor of 12 and −18 since 2|12 and 2|(−18). If a and b are both zero, then there are an infinite number of common divisors, so there can’t be a greatest common divisor. However, every other pair of integers (including if a = 0 or b = 0, but not both) has a finite number of common divisors, so there must be a greatest common divisor. We denote the greatest common divisor of a and b by gcd(a, b).[1] Here is a formal definition:

Definition 1.1: If a and b are not both zero, then the greatest common divisor of a and b is the largest positive integer that divides both a and b.

Classroom Exercise 1.2: Compute the following gcds.

(1) gcd(35, 7)
(2) gcd(55, 165)
(3) gcd(253, 598)

The first problem was easy. Since 7|35, it must be that gcd(35, 7) = 7. The second was a little harder, but the third is the most interesting. How did you do it? Most people use the fundamental theorem of arithmetic; they factor both numbers to find that 253 = 11 · 23 and 598 = 2 · 13 · 23, and then conclude that gcd(253, 598) = 23. This works well and it’s what most of us learned in school, but factoring integers is a slow process that becomes cumbersome for very large numbers. Fortunately, there is a better way.

1.3. Euclidean Algorithm

The Euclidean algorithm is an ancient, but efficient, method for finding the gcd of two integers. It is best explained in the context of an example, so let’s consider the last exercise of computing gcd(253, 598).

Example 1.2: To find gcd(253, 598), we first divide the larger number by the smaller. If you can do this in your head, great! Otherwise, use long division.

Dividing 598 by 253 gives a quotient of 2 and a remainder of 92 (since 253 · 2 = 506 and 598 − 506 = 92). This means that

(1.1) 598 = 253(2) + 92.

Now, gcd(253, 598) clearly divides two of the three terms in (1.1), so it must also divide the third. In other words, since gcd(253, 598)|598 and gcd(253, 598)|253(2), we can conclude that gcd(253, 598)|92. A similar argument shows that gcd(92, 253) also divides all three terms in (1.1), so we can conclude that gcd(253, 598) = gcd(92, 253). This allows us to exchange a hard problem for an easier one, and we can do this type of reduction repeatedly until the gcd(253, 598) is obvious. Since dividing 253 by 92 gives a quotient of 2 and a remainder of 69 (92 · 2 = 184 and 253 − 184 = 69),

gcd(253, 598) = gcd(92, 253) = gcd(69, 92).

Finally, dividing 92 by 69 gives a quotient of 1 and a remainder of 23 (92 − 69 = 23), so

gcd(253, 598) = gcd(92, 253) = gcd(69, 92) = gcd(23, 69).

Since 23|69, gcd(253, 598) = 23. Let’s review what we’ve done for this problem. By repeated use of long division, we have found that

598 = 253(2) + 92

253 = 92(2) + 69

92 = 69(1) + 23

69 = 23(3) + 0.

Once we reach a remainder of zero, the algorithm stops because the smaller number divides the larger. Therefore, the second-to-last remainder (written on the right) is the gcd. In this case, it’s 23.

¹Some authors use the equivalent gcf for greatest common factor, but we use gcd.

Example 1.3: Let’s work through another example: gcd(226, 270). Repeated use of long division gives

(1.2a) 270 = 226(1) + 44

(1.2b) 226 = 44(5) + 6

(1.2c) 44 = 6(7) + 2

(1.2d) 6 = 2(3) + 0.

The second-to-last remainder is 2, so gcd(226, 270) = 2. That is the Euclidean algorithm. We could stop here and move on, but let’s be sure we understand how the Euclidean algorithm works. In (1.2a), the remainder is 44, so gcd(226, 270) = gcd(44, 226). In (1.2b), the remainder is 6, so gcd(226, 270) = gcd(44, 226) = gcd(6, 44). In (1.2c), the remainder is 2, so gcd(226, 270) = gcd(44, 226) = gcd(6, 44) = gcd(2, 6). Finally, in (1.2d), the remainder is 0, so the algorithm stops and gcd(226, 270) = gcd(44, 226) = gcd(6, 44) = gcd(2, 6) = 2.

In general, to use the Euclidean algorithm to find gcd(a, b), you divide the larger of the two numbers a and b by the smaller one. Each step after that involves “sliding” and long division. By “sliding”, we mean that the divisor and remainder move to the left so that they become the new dividend and divisor, respectively. For example, the 226 and 44 slide left from (1.2a) to (1.2b). In general, you continue this process until the last remainder is 0.

Example 1.4: Let’s do one final example. The gcd(343,454) = 1 since

(1.3a) 454 = 343(1) + 111

(1.3b) 343 = 111(3) + 10

(1.3c) 111 = 10(11) + 1

(1.3d) 10 = 1(10) + 0.
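As an added example (this is not code from the notes), here is the procedure of Examples 1.2 to 1.4 in Python. Each step records the equation larger = smaller(quotient) + remainder, and the divisor and remainder then slide left to become the next dividend and divisor; the gcd is the divisor of the final step, which is the last non-zero remainder. The function names are my own.

```python
from math import gcd  # only used to cross-check the result


def euclid_steps(a, b):
    """Run the Euclidean algorithm on positive integers a and b.

    Returns the list of steps (dividend, divisor, quotient, remainder), one per
    long division, in the order the notes write them.  The final step always
    has remainder 0.
    """
    if a <= 0 or b <= 0:
        raise ValueError("both integers must be positive")
    dividend, divisor = max(a, b), min(a, b)  # divide the larger by the smaller
    steps = []
    while True:
        quotient, remainder = divmod(dividend, divisor)
        steps.append((dividend, divisor, quotient, remainder))
        if remainder == 0:
            break
        # the "slide": divisor and remainder become the new dividend and divisor
        dividend, divisor = divisor, remainder
    return steps


def gcd_euclid(a, b):
    """The gcd is the divisor of the last step, i.e. the last non-zero remainder."""
    return euclid_steps(a, b)[-1][1]


def format_steps(steps):
    """Render the steps the way the notes lay them out, e.g. '598 = 253(2) + 92'."""
    return "\n".join(f"{d} = {v}({q}) + {r}" for d, v, q, r in steps)


if __name__ == "__main__":
    for a, b in [(253, 598), (226, 270), (343, 454)]:
        print(format_steps(euclid_steps(a, b)))
        g = gcd_euclid(a, b)
        assert g == gcd(a, b)  # agrees with the library gcd
        print(f"gcd({a}, {b}) = {g}\n")
```

Running the block prints the three worked examples of this section exactly as the notes write them, with the gcd under each.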


1.4. Extended Euclidean Algorithm

We’re now going to cover the extended Euclidean algorithm. It won’t be immediately obvious why this is important, but it will be very important to us before the end of the chapter. Number theory texts like [6] and [8] typically include a theorem like the following.

THEOREM 1.2. There exist integers x and y such that ax + by = gcd(a, b).

Example 1.5: If a = 7 and b = 35, then x = 5 and y = 0 satisfy ax + by = gcd(a, b). Note, however, that Theorem 1.2 does not claim that x and y are unique, so other values for x and y are possible. In this case, other possibilities include x = 6, y = −1 and x = −4, y = 1.

We won’t prove Theorem 1.2, but we will show you how to find x and y by extending the Euclidean algorithm. This is a little tricky at first, but it’s pretty easy after you’ve done a few examples. One of the hardest ideas is to remember not to explicitly multiply any of the remainders. The only time you’d want to multiply them is to check your calculations.

Example 1.6: Recall Example 1.4 in which we found gcd(343, 454) = 1. Beginning with the equation (1.3c) (i.e. the second-to-last equation, the one that gives us the gcd), we work backwards to find values for x and y.

(1.4a) 1 = 111 − 10(11)

(1.4b) = 111 − (343 − 111(3))(11) = 111(34) − 11(343)

(1.4c) = (454 − 343(1))(34) − 11(343) = 454(34) − 45(343)

Equation (1.4a) is just (1.3c) rearranged so that the gcd is on the left. We successively solve for and substitute the remainders in (1.3c)-(1.3a) (working backwards) to obtain (1.4a)-(1.4c). Specifically, solving (1.3b) for 10 (the remainder) and substituting into (1.4a) gives (1.4b). Solving (1.3a) for 111 and substituting into (1.4b) gives (1.4c), which implies that if a = 343 and b = 454, then x = −45 and y = 34.

Example 1.7: Here’s another example. Using the Euclidean algorithm to find gcd(233, 97), we have

(1.5a) 233 = 97(2) + 39 ⟹ 39 = 233 − 97(2)

(1.5b) 97 = 39(2) + 19 ⟹ 19 = 97 − 39(2)

(1.5c) 39 = 19(2) + 1 ⟹ 1 = 39 − 19(2).

Note that we have solved for the remainders in addition to finding the gcd. Working backwards, we begin with (1.5c) and substitute the remainders in ascending order. We simplify at each step, being careful not to explicitly multiply the remainders or the original two numbers.

(1.6a) 1 = 39 − 19(2) (from (1.5c))

(1.6b) = 39 − (97 − 39(2))(2) (substituting the remainder from (1.5b))

(1.6c) = 39(5) − 97(2) (simplifying (1.6b))

(1.6d) = (233 − 97(2))(5) − 97(2) (substituting the remainder from (1.5a))

(1.6e) = 233(5) − 97(12) (simplifying (1.6d)).


If a = 233 and b = 97, then x = 5 and y = −12 satisfy ax + by = gcd(a, b).

Classroom Exercise 1.3: Use the extended Euclidean algorithm to find values for x and y according to Theorem 1.2 for the following gcds.

(1) gcd(24, 54)
(2) gcd(33, 192)
(3) gcd(756, 942)

1.5. Relatively Prime Numbers

Definition 1.2: Two integers a and b are relatively prime² if gcd(a, b) = 1.

Note that a number doesn’t need to be prime to be relatively prime to another number, and prime numbers are not relatively prime to every other positive integer. Consider the following examples.

Example 1.8: Neither 14 nor 25 is prime, but they are relatively prime since gcd(14, 25) = 1.

Example 1.9: Integers 14 and 16 are both composite and they are not relatively prime to each other since gcd(14, 16) = 2.

Example 1.10: Although 13 is prime, it is not relatively prime to 39 since gcd(13,39) = 13.

Example 1.11: Two distinct prime numbers like 13 and 17 are relatively prime.

Classroom Exercise 1.4: Determine which of the following pairs of numbers are relatively prime.

(1) 26 and 15
(2) 54 and 99
(3) 234 and 555

1.6. Modular Arithmetic

We learn to do arithmetic (addition, subtraction, multiplication, and division) with integers early in grade school, and later we learn about real numbers, usually starting with fractions and then proceeding to decimals. In cryptology, we will usually work only with integers modulo some positive integer n. Our task in this section is to figure out what that means.

Definition 1.3: Integers a and b are congruent modulo n if n|(a− b).

If two numbers are congruent modulo n, then we write a ≡ b mod n.

Example 1.12: Here are some examples.

(1) 7 ≡ 7 mod 21 since 21|(7 − 7).
(2) 14 ≡ 2 mod 3 since 3|(14 − 2).
(3) 2 ≡ 12 mod 5 since 5|(2 − 12).

²Many authors refer to relatively prime numbers as coprime.


We usually reduce integers to the set {0, 1, 2, . . . , n − 1} modulo n,³ so, for example, it would be more common to write 12 ≡ 2 mod 5 than 2 ≡ 12 mod 5, even though both are correct. We have two main ways to reduce a mod n.

• If a ≥ 0, then we can replace a with its remainder when it is divided by n. Continuing Example 1.12, 7 ≡ 7 mod 21 since 7 ÷ 21 = 0 with remainder 7 and 14 ≡ 2 mod 3 since 14 ÷ 3 = 4 with remainder 2.
• We can add or subtract multiple copies of n since n ≡ 0 mod n, which is especially helpful for a < 0. For example, −7 ≡ 3 mod 5 since −7 + 2(5) ≡ 3 mod 5. The following table shows integers x reduced modulo 5 to the set {0, 1, 2, 3, 4}.

      x | . . . −7 −6 −5 −4 −3 −2 −1  0  1  2  3  4  5  6  7  8  9 10 11 12 . . .
x mod 5 | . . .  3  4  0  1  2  3  4  0  1  2  3  4  0  1  2  3  4  0  1  2 . . .

Classroom Exercise 1.5: Reduce the following numbers modulo 16 to the set {0,1, 2, . . . , 15}.

(1) 27
(2) 544
(3) −32

Addition, subtraction, and multiplication modulo n all work exactly as you would expect. You are free to make the calculations as simple as you can by reducing operands modulo n at any time as shown in Example 1.13. One thing you may not do, however, is change powers. For example, 6¹⁹ is not congruent to 6⁻¹ mod 20.

Example 1.13: Reduce the following modulo 25.

(1) 6 + 7(4) = 34 ≡ 9 mod 25. In this case, we waited until the calculation was completed to reduce it modulo 25.

(2) 26 + 27(14) ≡ 1 + 2(14) = 29 ≡ 4 mod 25. Here, we began by reducing 26 and 27, did the calculation, and then reduced the answer.

(3) Don’t hesitate to use negative numbers if it’s convenient. For instance, 24 + 27(20) ≡ −1 + 2(−5) = −11 = −11 + 0 ≡ −11 + 25 = 14 mod 25.

Classroom Exercise 1.6: Reduce the following modulo 32.

(1) 3(15) − 4(2)
(2) 30(29)(27) − 1(2)(3)
(3) 9 − 3(4) 62� + 20

³This is what the % operator does in C/C++ and what the Mod and mod commands do in Mathematica and Matlab, respectively.


Here are addition and multiplication tables modulo 9.

(1.7)

 + | 0 1 2 3 4 5 6 7 8
---+------------------
 0 | 0 1 2 3 4 5 6 7 8
 1 | 1 2 3 4 5 6 7 8 0
 2 | 2 3 4 5 6 7 8 0 1
 3 | 3 4 5 6 7 8 0 1 2
 4 | 4 5 6 7 8 0 1 2 3
 5 | 5 6 7 8 0 1 2 3 4
 6 | 6 7 8 0 1 2 3 4 5
 7 | 7 8 0 1 2 3 4 5 6
 8 | 8 0 1 2 3 4 5 6 7

 × | 0 1 2 3 4 5 6 7 8
---+------------------
 0 | 0 0 0 0 0 0 0 0 0
 1 | 0 1 2 3 4 5 6 7 8
 2 | 0 2 4 6 8 1 3 5 7
 3 | 0 3 6 0 3 6 0 3 6
 4 | 0 4 8 3 7 2 6 1 5
 5 | 0 5 1 6 2 7 3 8 4
 6 | 0 6 3 0 6 3 0 6 3
 7 | 0 7 5 3 1 8 6 4 2
 8 | 0 8 7 6 5 4 3 2 1

Note that the addition table is more regular or predictable than the multiplication table. Later in this chapter, we will use both addition and multiplication to encrypt messages, and we’ll see that multiplication makes a greater contribution to the strength of the encryption algorithm.

Classroom Exercise 1.7: Complete the following addition and multiplication tables modulo 6.

 + | 0 1 2 3 4 5
---+------------
 0 |
 1 |
 2 |
 3 |
 4 |
 5 |

 × | 0 1 2 3 4 5
---+------------
 0 |
 1 |
 2 |
 3 |
 4 |
 5 |

Division. We haven’t mentioned modular division yet because it is much more difficult. Before we do so, let’s think about the real number division we’re much more familiar with. To compute 156 ÷ 13, we might ask ourselves, “What number a, when multiplied by 13, gives 156?” A little thought reveals that a = 12. We can also think of division as multiplication by a multiplicative inverse (or reciprocal), so 156 ÷ 13 = 156 · (1/13) = 12. Remember that all real numbers have multiplicative inverses except for zero.

It’s not immediately obvious what 4/5 mod 9 is since 4/5 is not an integer. To make sense of 4/5 mod 9, we need to ask ourselves the same basic question we did above: “What number a, when multiplied by 5, gives 4 modulo 9?” In other words, we need to solve the congruence 5a ≡ 4 mod 9. Because the modulus is small, we could find a by trial and error or by looking in the multiplication table in (1.7) to see that 5 × 8 ≡ 4 mod 9, so we could say that 4/5 ≡ 8 mod 9. However, division is not always well-defined. For instance, if we tried to compute 5/3 mod 9, we would fail because the table in (1.7) shows that there is no number which, when multiplied by 3, gives 5 mod 9. Because of this, mathematicians don’t like to talk about division at all in the context of modular arithmetic.

Instead, we talk about multiplicative inverses, but we have to be aware that some numbers may not be invertible modulo n. As you can see from (1.7), 1⁻¹ = 1, 2⁻¹ = 5, 4⁻¹ = 7, 5⁻¹ = 2, 7⁻¹ = 4, and 8⁻¹ = 8 mod 9, but 3 and 6 do not have multiplicative inverses. What’s special about 3 and 6? The rows (or columns) for 3 and 6 in (1.7) contain only multiples of 3. Why is that the case?

Here’s why. If a ∈ {0, 1, 2, . . . , n − 1}, then gcd(a, n) divides any integer multiple of a as well as any number that is congruent to a modulo n. Continuing our example, let a = 5 and n = 9. Clearly, gcd(5, 9) = 1 divides every integer multiple of 5. Likewise, if a = 3, then gcd(3, 9) = 3 divides every integer multiple of 3, so 1 cannot be a multiple of 3, which means that 3 is not invertible. The same is true for 6. So, in general, a number a is not invertible modulo n if gcd(a, n) ≠ 1. Does that mean that all other numbers are invertible? Well, yes, but it’s not obvious.

THEOREM 1.3. If gcd(a, n) = 1, then the set {a mod n, 2a mod n, . . . , (n − 1)a mod n} has all distinct values.

PROOF. We prove this theorem by contradiction. Suppose that some pair of values in {a mod n, 2a mod n, . . . , (n − 1)a mod n} are the same. More precisely, suppose that there exist integers x and y ∈ {1, 2, . . . , n − 1} such that x ≠ y and that xa ≡ ya mod n. Then n|a(x − y), and since gcd(a, n) = 1, it must be that n|(x − y). Since x, y ∈ {1, 2, . . . , n − 1}, we conclude that x = y, which is a contradiction. □

Since the set {a mod n, 2a mod n, . . . , (n − 1)a mod n} has n distinct values, those values are congruent to {1, 2, . . . , n − 1} in some order. Therefore, in summary, if gcd(x, n) = 1, then x is invertible modulo n and if gcd(x, n) ≠ 1, then x is not invertible modulo n.

Example 1.14: It is helpful to look at another example. Here is a multiplication table modulo 20.

(1.8)

 × |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
---+------------------------------------------------------------
 0 |  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
 2 |  0  2  4  6  8 10 12 14 16 18  0  2  4  6  8 10 12 14 16 18
 3 |  0  3  6  9 12 15 18  1  4  7 10 13 16 19  2  5  8 11 14 17
 4 |  0  4  8 12 16  0  4  8 12 16  0  4  8 12 16  0  4  8 12 16
 5 |  0  5 10 15  0  5 10 15  0  5 10 15  0  5 10 15  0  5 10 15
 6 |  0  6 12 18  4 10 16  2  8 14  0  6 12 18  4 10 16  2  8 14
 7 |  0  7 14  1  8 15  2  9 16  3 10 17  4 11 18  5 12 19  6 13
 8 |  0  8 16  4 12  0  8 16  4 12  0  8 16  4 12  0  8 16  4 12
 9 |  0  9 18  7 16  5 14  3 12  1 10 19  8 17  6 15  4 13  2 11
10 |  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10
11 |  0 11  2 13  4 15  6 17  8 19 10  1 12  3 14  5 16  7 18  9
12 |  0 12  4 16  8  0 12  4 16  8  0 12  4 16  8  0 12  4 16  8
13 |  0 13  6 19 12  5 18 11  4 17 10  3 16  9  2 15  8  1 14  7
14 |  0 14  8  2 16 10  4 18 12  6  0 14  8  2 16 10  4 18 12  6
15 |  0 15 10  5  0 15 10  5  0 15 10  5  0 15 10  5  0 15 10  5
16 |  0 16 12  8  4  0 16 12  8  4  0 16 12  8  4  0 16 12  8  4
17 |  0 17 14 11  8  5  2 19 16 13 10  7  4  1 18 15 12  9  6  3
18 |  0 18 16 14 12 10  8  6  4  2  0 18 16 14 12 10  8  6  4  2
19 |  0 19 18 17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1

Which numbers are invertible? That is, which numbers have a 1 in their respective rows (or columns)? The invertible integers modulo 20 are 1, 3, 7, 9, 11, 13, 17, and 19, which leaves out all even integers and multiples of 5 since 20 = 2² · 5. Also, note that the invertible numbers have every integer from 0 to 19 in their rows (or columns), whereas non-invertible numbers do not.
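As an added example (not code from the notes), the following Python builds the multiplication table modulo n as in (1.7) and (1.8), reads the invertible residues off it the way the text does (a row that contains a 1), and checks that against the gcd criterion of Theorem 1.3. The function names are my own; the comment in reduce_mod records how the % operator behaves on negative operands, which matters when the same idea is coded in another language.

```python
from math import gcd


def reduce_mod(a, n):
    """Reduce a to the set {0, ..., n-1}.

    Python's % already does this for n > 0 even when a is negative
    (-7 % 5 == 3).  In C the remainder keeps the sign of the dividend
    (-7 % 5 == -2), so there you add n whenever the result is negative.
    """
    return a % n


def mult_table(n):
    """Row a is [a*b mod n for b in 0..n-1], i.e. the tables in (1.7) and (1.8)."""
    return [[reduce_mod(a * b, n) for b in range(n)] for a in range(n)]


def units_from_table(n):
    """Invertible residues modulo n: the rows that contain a 1."""
    return [a for a, row in enumerate(mult_table(n)) if 1 in row]


def units_from_gcd(n):
    """The criterion proved in the text: a is invertible iff gcd(a, n) = 1."""
    return [a for a in range(n) if gcd(a, n) == 1]


def inverses_from_table(n):
    """Map a -> b with a*b ≡ 1 (mod n), read off the table; only invertible a appear."""
    return {a: row.index(1) for a, row in enumerate(mult_table(n)) if 1 in row}


def row_values(n, a):
    """The residues that occur in a's row.  For gcd(a, n) = 1 this is all of
    {0, ..., n-1} (Theorem 1.3); otherwise only the multiples of gcd(a, n)."""
    return set(mult_table(n)[a])


if __name__ == "__main__":
    for n in (9, 20):
        print(f"units mod {n}:", units_from_table(n))
        print(f"inverses mod {n}:", inverses_from_table(n))
        print(f"row of 15 mod {n}:" if n == 20 else f"row of 3 mod {n}:",
              sorted(row_values(n, 15 if n == 20 else 3)))
```

For moduli of cryptographic size the table approach is of course out of the question, which is why the next paragraph turns to the extended Euclidean algorithm.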

Now that we know which integers are invertible modulo n, we’d like to have a systematic way of finding inverses. Tables are nice for small moduli, but are unwieldy for large ones. Fortunately, the extended Euclidean algorithm gives us a nice algorithm for computing inverses. Recall that if gcd(a, n) = 1, then there exist integers x and y such that

(1.9) ax + ny = 1,


and we can find x and y using the extended Euclidean algorithm. Reducing (1.9) modulo n gives

(1.10) ax ≡ 1 mod n,

which implies that x = a⁻¹.

Example 1.15: To find 17⁻¹ mod 20, we use the extended Euclidean algorithm.

20= 17 · 1+ 3

17= 3 · 5+ 2

3= 2 · 1+ 1

Technically, we should go one step further to get a remainder of zero, but we know that the gcd is 1, so there is no practical need to continue. Working backward,

1= 3− 2

= 6 · 3− 17

= 6 · 20− 7(17).

This implies that 17(−7) ≡ 1 mod 20, so 17⁻¹ = −7 ≡ 13 mod 20. You can check this in the multiplication table in (1.8).

Example 1.16: To find 343⁻¹ mod 454, we can use the work we did in Example 1.6. Recall that we found that 1 = 454(34) − 45(343). Reducing modulo 454 gives 1 ≡ −45(343), so 343⁻¹ = −45 ≡ 409 mod 454. You can check this with a calculator by multiplying 343 by 409 to get 140,287. To reduce modulo 454, we divide 140,287 by 454 to get 309.002. That tells us that 454 goes into 140,287 309 times. Subtracting, we find 140,287 − 454(309) = 1, so we know that our answer is correct.

Classroom Exercise 1.8: Find the following multiplicative inverses.

(1) 4⁻¹ mod 15
(2) 15⁻¹ mod 49
(3) 81⁻¹ mod 145
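As an added example (not the notes’ own code) serving both Section 1.4 and the inverse computation of (1.9)-(1.10), here is the extended Euclidean algorithm in Python done the way Examples 1.6 and 1.7 do it: a forward pass that keeps the quotients, then a backward pass that substitutes the remainders without ever multiplying them out, and a modular inverse built on top of it. Names are my own.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) = a*x + b*y for non-negative a, b.

    Forward pass: the Euclidean algorithm, recording every quotient so that
    r[i-2] = r[i-1]*q[i] + r[i].  Backward pass: starting from the last
    non-zero remainder, substitute each remainder back into the expression
    for the gcd, keeping only the two coefficients (as in (1.4) and (1.6)).
    """
    if a < 0 or b < 0 or (a == 0 and b == 0):
        raise ValueError("need non-negative integers, not both zero")
    if b == 0:
        return a, 1, 0
    r, q = [a, b], [None, None]
    while r[-1] != 0:
        quotient, remainder = divmod(r[-2], r[-1])
        q.append(quotient)
        r.append(remainder)
    k = len(r) - 2              # r[k] is the last non-zero remainder, the gcd
    if k == 1:                  # b divides a, so gcd = b = a*0 + b*1
        return r[1], 0, 1
    # r[k] = r[k-2] - q[k]*r[k-1]: coefficients (x, y) on (r[k-2], r[k-1])
    x, y = 1, -q[k]
    # replace r[i-1] by r[i-3] - q[i-1]*r[i-2] until the coefficients sit on
    # (r[0], r[1]) = (a, b); the remainders themselves are never multiplied out
    for i in range(k, 2, -1):
        x, y = y, x - y * q[i - 1]
    return r[k], x, y


def mod_inverse(a, n):
    """a^-1 mod n via (1.9)-(1.10); raises ValueError when gcd(a, n) != 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n} (gcd = {g})")
    return x % n


if __name__ == "__main__":
    g, x, y = extended_gcd(343, 454)
    print(f"343({x}) + 454({y}) = {g}")        # matches (1.4c)
    print("17^-1 mod 20 =", mod_inverse(17, 20))
    print("343^-1 mod 454 =", mod_inverse(343, 454))
```

The two arguments may be given in either order; when the first is smaller, the first division step simply has quotient 0 and swaps them, which is what the loop does on its own.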

1.7. Solving Linear Congruences

Linear Congruences of the Form ax ≡ b mod n. Over the real numbers, the equation

(1.11) ax = b

has the unique solution x = b/a if a ≠ 0. If a = 0 and b ≠ 0, then there are no solutions, and if a = 0 and b = 0, then there are infinitely many solutions because x can have any real value. Similarly, a congruence like

(1.12) ax ≡ b mod n

may have a unique solution in {0, 1, 2, . . . , n − 1}, no solution, or multiple solutions in {0, 1, 2, . . . , n − 1}. Let’s illustrate with a few examples.

Example 1.17:

(1) 6x ≡ 12 mod 13 has the unique solution x = 2.
(2) 6x ≡ 12 mod 24 has six solutions x = 2, 6, 10, 14, 18, 22.
(3) 6x ≡ 11 mod 12 has no solution.


Our goal in this section is to find all solutions, if any, of congruences like (1.12). If ax ≡ b mod n has a solution, then there exists an integer m such that

(1.13) mn= ax − b.

The gcd(a, n) clearly divides the first two terms, mn and ax, in (1.13), so it must also divide b. Recall that all multiples of a modulo n are multiples of gcd(a, n), so b must be a multiple of gcd(a, n) for (1.12) to have a solution. For example, in (1.8), all multiples of 15 modulo 20 are 0, 5, 10 and 15, so a congruence of the form 15x ≡ b mod 20 only has solutions if b = 0, 5, 10, or 15.

Let’s assume that gcd(a, n)|b so that at least one solution exists. Note that this is trivially true if a and n are relatively prime. How do we find a solution? Sometimes you can find a solution simply by looking at the congruence. For instance, it is pretty clear that x = 2 solves 6x ≡ 12 mod 13. The fancy way of saying this is that x = 2 is a solution “by inspection”. When we can’t find a solution by inspection, we can use the extended Euclidean algorithm. Let’s look at an example.

Example 1.18 (Unique Solution): To solve 17x ≡ 4 mod 20, we begin with the extended Euclidean algorithm.

20= 17 · 1+ 3

17= 3 · 5+ 2

3= 2 · 1+ 1

Working backwards,

1= 3− 2

= 3 · 6− 17

= 20 · 6− 17 · 7.

Therefore, 17(−7) ≡ 1 mod 20. Multiplying both sides by 4 gives 17(−7 · 4) ≡ 4 mod 20 and x = −7 · 4 = −28 ≡ 12 mod 20. Since gcd(17, 20) = 1, x = 12 is the only solution.

If a congruence has multiple solutions, how do we find all of them? We begin by finding one solution using the extended Euclidean algorithm (or inspection). If solution(s) exist, then gcd(a, n)|b and there exists an integer m such that ax = b + nm. Dividing by gcd(a, n) gives

(a/gcd(a, n)) x = b/gcd(a, n) + (n/gcd(a, n)) m,

so

(1.14) (a/gcd(a, n)) x ≡ b/gcd(a, n) mod n/gcd(a, n).

This congruence (1.14) has a unique solution since

gcd(a/gcd(a, n), n/gcd(a, n)) = 1.

Therefore, once one solution of ax ≡ b mod n is found, all other solutions in {0, 1, 2, . . . , n − 1} can be found by adding (or subtracting) integer multiples of n/gcd(a, n) for a total of gcd(a, n) incongruent solutions.


Example 1.19 (Multiple Solutions): Solve 14x ≡ 4 mod 20. Since gcd(14, 20) = 2 and 2|4, this congruence has two solutions. Let’s use the extended Euclidean algorithm to find one of them.

20= 14 · 1+ 6

14= 6 · 2+ 2

6= 3 · 2

Working backwards again,

2= 14− 6 · 2

= 14 · 3− 20 · 2

Therefore, 14(3) ≡ 2 mod 20. Multiplying both sides by 2 gives 14(3 · 2) ≡ 4 mod 20 and x = 6. Since gcd(14, 20) = 2, there is a second solution that we obtain by adding n/gcd(a, n) = 20/2 = 10 to x = 6. Therefore, the two solutions in {0, 1, 2, . . . , 19} are x = 6 and x = 16. Another way to view this example is to return to the multiplication table in (1.8) and note that each row (or column) cycles through multiples of the appropriate gcd. In the case of 14, the multiples cycle through 0, 14, 8, 2, 16, 10, 18, 12, 6 twice, so the two solutions must be 10 apart.

Example 1.20 (No Solution): The congruence 14x ≡ 5 mod 20 has no solution since gcd(14, 20) = 2 ∤ 5.

Example 1.21: To solve 2x−4≡ 7 mod 13, simply add 4 to both sides and proceed as above to find x = 12.

In summary, you can always tell if ax ≡ b mod n has a solution by determining if gcd(a, n) divides b. If not, then there is no solution. If gcd(a, n) does divide b, then the number of solutions is equal to gcd(a, n) and the solutions are n/gcd(a, n) apart. For instance, x = 1 is clearly a solution of 13x ≡ 13 mod 39. Since gcd(13, 39) = 13, there are a total of 13 solutions in {0, 1, 2, . . . , 38} and they are separated by 39/13 = 3, so the complete set of solutions is x = 1, 4, 7, 10, 13, 16, 19, 22, 25, 28, 31, 34, 37.

Classroom Exercise 1.9: Find all solutions, if any, of the following congruences.

(1) 18x ≡ 3 mod 31
(2) 18x ≡ 16 mod 30
(3) 18x ≡ 24 mod 30

Linear Systems of Congruences. Let’s confine our attention to systems of congruences in two variables because this is sufficient for our cryptologic needs later in the chapter. If a, b, c, d, e, f ∈ {0, 1, . . . , (n − 1)}, then our goal is to solve

ax + by ≡ e
cx + dy ≡ f mod n

for x and y, if possible. Standard algebraic manipulations reduce the system to the pair of congruences⁴

(1.15) (ad − bc)x ≡ ed − bf, (ad − bc)y ≡ af − ce mod n.

For solutions to exist, gcd(ad − bc, n) must divide both (ed − bf) and (af − ce). In practice however, we don’t recommend memorizing (1.15). Instead, just use the familiar methods of substitution and elimination from high school algebra. Be aware, however, that you have to be careful about both multiplying and dividing. Division is obviously a problem since it isn’t properly defined, but multiplication can also cause trouble because multiplying equations by constants can lead to spurious solutions. For example, the congruence 3x ≡ 3 mod 8 has the unique solution x = 1. However, multiplying both sides by 2 gives 6x ≡ 6 mod 8, which has two solutions, x = 1 and x = 5, the second of which is spurious. If you can, try to only multiply by integers that are relatively prime to the modulus. If you can’t help it, be sure to check your solutions in the original congruences.

⁴These may look familiar if you have seen Cramer’s rule before.

Example 1.22 (Substitution): Some systems make the method of substitution attractive. For example,

3x + 2y ≡ 0
x − 3y ≡ 2 mod 7

suggests solving the second equation for x and substituting into the first to find 3(3y + 2) + 2y ≡ 0, which reduces to

4y ≡ 1 mod 7.

The extended Euclidean algorithm then implies that y = 2 and, consequently, x = 1.

Example 1.23 (Elimination): In this example, we might choose to use elimination.

3x + 2y ≡ 0
2x − 3y ≡ 2 mod 7

We could solve either congruence for x or y since all coefficients are relatively prime to the modulus, but that isn’t particularly appealing. Instead, let’s multiply the first equation by 2 and the second by 3 to find

6x + 4y ≡ 0
6x − 9y ≡ 6

or, equivalently,

6x + 4y ≡ 0
6x + 5y ≡ 6 mod 7.

Multiplying the congruences by 2 and 3 is OK here because both constants are relatively prime to the modulus. Subtracting the first congruence from the second gives y = 6 and substituting into 6x + 4y ≡ 0 implies that x = 4y ≡ 3 mod 7.

Example 1.24 (Multiple Solutions): We might choose to solve this system

12x + y ≡ 13
4x − 3y ≡ 7 mod 26

by multiplying the second congruence by 3 and subtracting to find 10y ≡ −8 mod 26, which has two solutions since gcd(10, 26) | −8. Using the extended Euclidean algorithm, we find that y = 7 and y = 20. Plugging these values back into the second congruence gives 4x ≡ 2 mod 26 and 4x ≡ 15 mod 26. The former has two solutions, x = 7 and x = 20, but the second has no solutions. Overall, we have two solutions: (7, 7) and (20, 7).

An alternative way to solve this problem is to solve the first congruence for y ≡ 13 − 12x and substitute into the second to find 14x ≡ 20 mod 26, which gives x = 7 and x = 20. Both values of x give y = 7.

Example 1.25 (Spurious Solutions): As a final example, consider

12x + 2y ≡ 14
3x − 3y ≡ 8 mod 26.

Multiplying the second congruence by 4 and subtracting it from the first gives 14y ≡ 8 mod 26, which has two solutions y = 8 and y = 21. Plugging these values back into the first congruence gives 12x ≡ 24 mod 26 for both y = 8 and y = 21. The solutions for x are obviously x = 2 and x = 15, so, overall, we have four putative solutions

(2, 8), (2,21), (15,8), and (15, 21).


However, since we multiplied by 4, which is not relatively prime to the modulus, we suspect spurious solutions. Plugging all four solutions back into the original system shows that only (2, 8) and (15, 21) are solutions of the original problem.

Note that it would have been more efficient to solve for x using the second congruence because 3 is relatively prime to 26, so no spurious solutions are produced in that case.
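As an added example (not the notes’ code) covering both the single congruences of the previous subsection and the two-variable systems of this one: solve_linear_congruence applies the gcd test and the reduction to (1.14) for ax ≡ b mod n and returns every solution in {0, . . . , n − 1}; solve_system applies (1.15) to a system and then verifies every candidate pair in the original congruences, which is exactly the check the text recommends whenever the multiplier (here ad − bc) is not relatively prime to the modulus. Names are my own; pow(a, −1, n) for the inverse needs Python 3.8 or later.

```python
from math import gcd


def solve_linear_congruence(a, b, n):
    """All x in {0, ..., n-1} with a*x ≡ b (mod n), in increasing order.

    No solution unless d = gcd(a, n) divides b.  Otherwise divide through by
    d to get (1.14), which has a unique solution x0 modulo n/d, and the d
    solutions modulo n are x0 + k*(n/d) for k = 0, ..., d-1.
    """
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d
    # gcd(a1, n1) = 1, so a1 is invertible modulo n1 (pow(a1, -1, n1) is Python 3.8+);
    # when n1 == 1 every residue is a solution and x0 = 0
    x0 = (b1 * pow(a1, -1, n1)) % n1 if n1 > 1 else 0
    return [x0 + k * n1 for k in range(d)]


def solve_system(a, b, c, d, e, f, n):
    """All (x, y) in {0..n-1}^2 with ax + by ≡ e and cx + dy ≡ f (mod n).

    Candidates come from (1.15): (ad-bc)x ≡ ed-bf and (ad-bc)y ≡ af-ce.  Since
    ad-bc need not be relatively prime to n, each candidate pair is checked in
    the original system so that spurious pairs (Example 1.25) are discarded.
    """
    det = a * d - b * c
    xs = solve_linear_congruence(det, e * d - b * f, n)
    ys = solve_linear_congruence(det, a * f - c * e, n)
    return [(x, y) for x in xs for y in ys
            if (a * x + b * y - e) % n == 0 and (c * x + d * y - f) % n == 0]


if __name__ == "__main__":
    print(solve_linear_congruence(6, 12, 24))     # six solutions, 4 apart
    # multiplying 3x ≡ 3 (mod 8) by 2 introduces the spurious x = 5
    print(solve_linear_congruence(3, 3, 8), solve_linear_congruence(6, 6, 8))
    print(solve_system(12, 1, 4, -3, 13, 7, 26))  # Example 1.24
    print(solve_system(12, 2, 3, -3, 14, 8, 26))  # Example 1.25, spurious pairs removed
```

When ad − bc ≡ 0 mod n the candidate lists degenerate to all residues and the verification step does all the work, so the function is still correct there, only slower.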

Remark 1.1: If the idea of spurious solutions is disconcerting to you, please recall that you have seen this before in “regular algebra” over the reals when you multiply both sides of an equation by zero or when you square both sides of an equation. For example, multiplying both sides of the incorrect equation 3 = 4 by zero gives 0 = 0, which is correct. Likewise, squaring both sides of −3 = 3 gives 9 = 9.

More realistically, to solve

(1.16) 1/((x − 6)(x − 2)) + 1/((x + 2)(x − 2)) = (x + 4)/((x − 6)(x + 2)),

we might multiply both sides of the equation by (x − 2)(x + 2)(x − 6) to clear the fractions. This gives

(x + 2) + (x − 6) = (x + 4)(x − 2),

which simplifies to x² = 4. So the solutions of (1.16) are x = ±2, right? Wrong. Equation (1.16) has no solutions. When we multiplied by (x − 2)(x + 2)(x − 6), we were effectively multiplying by zero if x = ±2, and that introduced the false solutions.

Similarly, if we square both sides of

(1.17) √(1 − x) / √(x − 2) = 1,

and cross multiply, we obtain 1 − x = x − 2, which implies that x = 3/2. However, (1.17) has no real solutions since the numerator of the expression on the left implies that x ≤ 1 and the denominator implies that x > 2, and there are no such values of x.⁵

1.8. Additive Cipher

One of the earliest known ciphers is the Caesar cipher. Suetonius [12] claims that Julius Caesar used a simple shift cipher to encrypt private messages in letters to Cicero and other friends. He simply replaced each a by d, b by e, etc..., wrapping around at the end of the alphabet so each x is replaced by an a, y by b, and z by c. The following chart makes it easier to implement the Caesar cipher.

For example, the message mathisreallyfun is encrypted as pdwklvuhdoobixq. Anyone except the intended recipient would only see gibberish and would not know that mathisreallyfun. Note that this example uses the standard (modern) English alphabet, with no spaces, capital letters, or punctuation. We could accommodate spaces, capitals, punctuation, digits, and any other symbols that we choose, but we’ll stick with the 26-letter alphabet for simplicity. Recall that we refer to the original message mathisreallyfun as plaintext and the encrypted message pdwklvuhdoobixq as ciphertext.

⁵This has nothing to do with cryptology, but if you want to see something really interesting, try to solve (1.17) by graphing y = √(1 − x) / √(x − 2) and y = 1 on your calculator and looking for the intersection of the two graphs. What do you find?


We can make the implementation of the Caesar cipher more efficient and computer-ready by making the cipher mathematical. We can do this simply by associating a with 0, b with 1, ..., and z with 25 as shown in the following chart.⁶

 a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Now the plaintext mathisreallyfun and ciphertext pdwklvuhdoobixq can be regarded as sequences of integers

{p_i}_{i=1}^{15} = {12, 0, 19, 7, 8, 18, 17, 4, 0, 11, 11, 24, 5, 20, 13},

and

{c_i}_{i=1}^{15} = {15, 3, 22, 10, 11, 21, 20, 7, 3, 14, 14, 1, 8, 23, 16}.

The cipher characters can be obtained mathematically from the formula

(1.18) c_i = p_i + 3 mod 26, i = 1, 2, . . . , 15,

and the plaintext can likewise be found by solving (1.18) for p_i,

(1.19) p_i = c_i − 3 mod 26, i = 1, 2, . . . , 15.

Note that we need to work modulo 26 because we have a 26-letter alphabet. For example, the plaintext y (a.k.a. 24) is encrypted to b (a.k.a. 24 + 3 = 27 ≡ 1 mod 26).

The additive cipher is just like the Caesar cipher, except that the shift doesn’t have to be 3. If we stick with a 26-letter alphabet, then the shift, let’s call it k (for key), can, in principle, be any integer between 0 and 25, inclusive. Then, (1.18) becomes

(1.20) c_i = p_i + k mod 26.

If k = 0, then c_i = p_i, so we really should take k ∈ {1, 2, . . . , 25}. The modulus 26 is the length of the alphabet, so if you change the alphabet by adding or deleting characters, then you simply change 26 to the appropriate value.

Example 1.26: Suppose that the plaintext is thequickbrownfoxjumpsoverthelazydog and k = 4. Each plaintext letter is encrypted by adding 4 to it modulo 26 according to the encryption equation (1.20). The first plaintext letter t has a numerical value of 19, and adding four to it makes it 23, which is x. The next letter h corresponds to 7, which becomes 11 or l. Repeating this for the entire message turns thequickbrownfoxjumpsoverthelazydog into xliuymgofvsarjsbnyqtwszivxlipedchsk. The rest of the details are shown in the following table.

Plaintext     t  h  e  q  u  i  c  k  b  r  o  w  n  f  o  x  j  u  m  p  s  o  v  e  r  t  h  e  l  a  z  y  d  o  g
Coded plain  19  7  4 16 20  8  2 10  1 17 14 22 13  5 14 23  9 20 12 15 18 14 21  4 17 19  7  4 11  0 25 24  3 14  6
Coded cipher 23 11  8 20 24 12  6 14  5 21 18  0 17  9 18  1 13 24 16 19 22 18 25  8 21 23 11  8 15  4  3  2  7 18 10
Ciphertext    x  l  i  u  y  m  g  o  f  v  s  a  r  j  s  b  n  y  q  t  w  s  z  i  v  x  l  i  p  e  d  c  h  s  k

Classroom Exercise 1.10: Use the Caesar cipher to encrypt theworldisabookandthosewhodonottravelreadonlyapage.⁷

Classroom Exercise 1.11: Decrypt the additive ciphertext mnudpuzftqtmzpueiadftfiauzftqnget with k = 12.

⁶Some authors associate a with 1, b with 2, ..., and z with 26, but our way is more convenient.

⁷St. Augustine


 k  Putative Plaintext           k  Putative Plaintext
 0  teefxgurgtmnkxwxlbkxmhdghp  13  grrskthetgzaxkjkyoxkzuqtuc
 1  sddewftqfslmjwvwkajwlgcfgo  14  fqqrjsgdsfyzwjijxnwjytpstb
 2  rccdvesperklivuvjzivkfbefn  15  eppqirfcrexyvihiwmvixsorsa
 3  qbbcudrodqjkhutuiyhujeadem  16  doophqebqdwxuhghvluhwrnqrz
 4  paabtcqncpijgtsthxgtidzcdl  17  cnnogpdapcvwtgfguktgvqmpqy
 5  ozzasbpmbohifsrsgwfshcybck  18  bmmnfoczobuvsfeftjsfuplopx
 6  nyyzraolangherqrfvergbxabj  19  allmenbynaturedesiretoknow
 7  mxxyqznkzmfgdqpqeudqfawzai  20  zkkldmaxmzstqdcdrhqdsnjmnv
 8  lwwxpymjylefcpopdtcpezvyzh  21  yjjkclzwlyrspcbcqgpcrmilmu
 9  kvvwoxlixkdebonocsbodyuxyg  22  xiijbkyvkxqrobabpfobqlhklt
10  juuvnwkhwjcdanmnbrancxtwxf  23  whhiajxujwpqnazaoenapkgjks
11  ittumvjgvibczmlmaqzmbwsvwe  24  vgghziwtivopmzyzndmzojfijr
12  hsstluifuhabylklzpylavruvd  25  uffgyhvshunolyxymclyniehiq

Table 1.1: Exhaustive cryptanalysis of the additive ciphertext teefxgurgtmnkxwxlbkxmhdghp. Clearly, k = 19 is the correct key.

1.9. Cryptanalysis of the Additive Cipher

Recall that cryptanalysis involves reading enciphered messages without knowing the key. Since the additive cipher has a single key k that can only take on 26 − 1 = 25 different values, modern computers can easily be programmed to find the correct key simply by exhaustively trying all 25 values for k. Suppose, for example, that we intercept the message teefxgurgtmnkxwxlbkxmhdghp. We can just try all values for k as shown in Table 1.1. There is no mistaking k = 19 as the correct key and the message as a pearl of wisdom from Aristotle. The method of exhaustion is not very interesting and it does not prepare us to study more complicated ciphers for which exhaustion is not an option.

Frequency analysis, in contrast, provides a more fruitful approach to cryptanalyzing the additive cipher. Each letter or character in a language tends to occur with a certain frequency. For example, the letter e is the most common letter in the English alphabet, appearing approximately 12% of the time, while j, q, x, and z are much less common, occurring about 0.1% of the time. A bar chart of letter frequencies can be found in Figure 1.1 and the corresponding numerical frequencies are shown in Table 1.2. Knowing these frequencies greatly enhances our ability to cryptanalyze ciphertext because, for example, every e in the plaintext is encrypted to the same ciphertext character, so that character should appear approximately 12% of the time in the cipher. For example, the additive ciphertext with k = 18 for theeaglesaregreat is lzwwsydwksjwyjwsl and every plaintext e is encrypted as a w.

You might ask how reliable the letter frequencies in Figure 1.1 really are, so let’s look at some examples. Figure 1.2 shows a stacked bar chart of the frequencies of the letters in “The Gold Bug”, the 2006 State of the Union Address, “Julius Caesar”, and the “USA Patriot Act”. These are four very different texts, but, for the most part, each reveals approximately the same distribution of letters. Minor differences are apparent, such as an unusual abundance of the letter u in “Julius Caesar”, but that is to be expected with all of the Latin names that end in us (e.g. Julius, Brutus, Cassius, etc...).

Let’s try some cryptanalysis based on letter frequencies. Given the ciphertext vjgggtkggngrjcpvgcvugiiu, we see that g occurs most frequently (8 times), so it most likely corresponds to a plaintext e. If that is correct, then k must be 2. If we try decrypting the entire message with k = 2, we find the putative plaintext theeerieelephanteatseggs, so we are confident that we have successfully recovered the original message.

Figure 1.1: Frequencies of letters in the English language. See Table 1.2 for numerical values.

Letter   Relative Frequency     Letter   Relative Frequency
a        0.082                  n        0.073
b        0.014                  o        0.076
c        0.025                  p        0.018
d        0.046                  q        0.001
e        0.124                  r        0.059
f        0.022                  s        0.065
g        0.020                  t        0.089
h        0.065                  u        0.026
i        0.069                  v        0.011
j        0.001                  w        0.023
k        0.008                  x        0.002
l        0.039                  y        0.018
m        0.024                  z        0.001

Table 1.2: Table of letter frequencies based on War and Peace and several articles from The Washington Post.

Figure 1.2: Cumulative frequencies of the letters (in ascending order) in Edgar Allan Poe’s “The Gold Bug”, George W. Bush’s 2006 State of the Union Address, William Shakespeare’s “Julius Caesar”, and the “USA Patriot Act”.


Note that in any given text, e may or may not be the most common letter. The most common letter in laeljawvlwsuzafylsqfsljauckgfzwjlgqtacw is l, which corresponds to k = 7. However, decrypting with k = 7 gives the clearly incorrect plaintext etxectpoeplnstyreljylectnvdzyspcezjmtvp. Next, we might try associating l with the second most common letter t. This suggests that k = 18 and we obtain the original message timtriedteachingtaynatricksonhertoybike. Please note that some problems may involve considerable trial and error, but letter frequencies do give us a sensible method. A visually appealing alternative is to use visual cryptanalysis in software like Mathematica. See CryptanalyzeAdditiveCipher.nb at http://users.etown.edu/m/mcdevittt/Crypto.html.
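The exhaustive search of Table 1.1 and the frequency heuristic of this section, as an added Python example that is not part of the notes. It reuses the letter frequencies of Table 1.2 and the ciphertexts of this section; the function names (additive_decrypt, exhaustive_search, key_guesses, chi_squared, rank_keys) are my own. The chi-squared scoring goes slightly beyond the text: instead of matching only the single most common ciphertext letter, it compares the whole letter count of each of the 26 candidate plaintexts against Table 1.2, which is how the trial and error of the last paragraph is usually automated.

```python
# Added example (not from the notes): exhaustive search and frequency
# analysis for the additive cipher. Function names are my own.
from collections import Counter
from string import ascii_lowercase as ALPHABET

# Relative letter frequencies of English, copied from Table 1.2 of the notes.
ENGLISH_FREQ = {
    "a": 0.082, "b": 0.014, "c": 0.025, "d": 0.046, "e": 0.124, "f": 0.022,
    "g": 0.020, "h": 0.065, "i": 0.069, "j": 0.001, "k": 0.008, "l": 0.039,
    "m": 0.024, "n": 0.073, "o": 0.076, "p": 0.018, "q": 0.001, "r": 0.059,
    "s": 0.065, "t": 0.089, "u": 0.026, "v": 0.011, "w": 0.023, "x": 0.002,
    "y": 0.018, "z": 0.001,
}


def additive_decrypt(ciphertext, k):
    """p_i = c_i - k mod 26 for every letter; anything else is dropped."""
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26]
                   for c in ciphertext.lower() if c in ALPHABET)


def exhaustive_search(ciphertext):
    """Table 1.1: the putative plaintext for every key k = 0, ..., 25."""
    return {k: additive_decrypt(ciphertext, k) for k in range(26)}


def key_guesses(ciphertext, plain_guesses="etaoin"):
    """The heuristic of Section 1.9: pair the most common ciphertext letter
    with e, then t, a, ..., and return the key each pairing implies."""
    letters = additive_decrypt(ciphertext, 0)          # normalises the text
    most_common = Counter(letters).most_common(1)[0][0]
    c = ALPHABET.index(most_common)
    return [(c - ALPHABET.index(p)) % 26 for p in plain_guesses]


def chi_squared(text):
    """Distance between the letter counts of `text` and the Table 1.2 model;
    smaller means more English-like. (My own scoring, not in the notes.)"""
    counts = Counter(text)
    n = len(text)
    return sum((counts[ch] - n * f) ** 2 / (n * f) for ch, f in ENGLISH_FREQ.items())


def rank_keys(ciphertext):
    """All 26 keys, ordered from the most to the least English-like plaintext."""
    return sorted(range(26), key=lambda k: chi_squared(additive_decrypt(ciphertext, k)))


if __name__ == "__main__":
    ct = "teefxgurgtmnkxwxlbkxmhdghp"           # the ciphertext of Table 1.1
    for k, pt in exhaustive_search(ct).items():
        print(f"{k:2d} {pt}")
    print("keys suggested by the most common letter:", key_guesses(ct))
    print("best key by chi-squared score:", rank_keys(ct)[0])
```

For the 26-letter ciphertext of Table 1.1 the most common letter is x, so the first guess is already k = 19; for the longer example above, key_guesses returns 7 first and 18 second, exactly the two attempts made by hand.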

1.10. Affine Cipher

Recall that the addition and multiplication tables in (1.7) show that patterns are more readily evident in modular addition than in multiplication. Therefore, if we incorporate multiplication into the cipher, then we might be able to improve the additive cipher. The equation for the ith ciphertext character of the affine cipher⁸ is

(1.21) cᵢ = m pᵢ + k mod 26.

Again, if the length of the alphabet changes, then you have to change the value of the modulus accordingly. Plaintext can be recovered from ciphertext using

(1.22) pᵢ = m⁻¹(cᵢ − k) mod 26,

provided that m⁻¹ exists.

How large is the key space for the affine cipher? The additive constant k can take on 26 different values, but m has to be invertible modulo 26, so it has to be relatively prime to 26. Specifically, m ∈ {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}, so there are only 12 possible values for m. Therefore, there are 26(12) − 1 = 311 possible key pairs for the affine cipher. (We subtract one because m = 1 and k = 0 doesn’t change the plaintext! In that case, cᵢ = pᵢ.)

Example 1.27: Let’s encrypt timwrotetomsaddressontheenvelope with m = 7 and k = 4. Since the first letter is t, p₁ = 19 and c₁ = 7(19) + 4 ≡ 7 mod 26, so the first cipher character is h. The remaining letters follow in a similar way to give hikctyhghykaezztgaayrhbggrvgdyfg.

Classroom Exercise 1.12: Encrypt potatochipsarebadforyou with m= 17 and k = 24.

1.11. Cryptanalysis of the Affine Cipher

Recall that we cryptanalyzed the additive cipher using letter frequencies. We will do the same with the affine cipher, except that we will have to solve a system of congruences because there are two key parameters, m and k. Let’s look at an example for which we know the answer.

Example 1.28: Let’s start with the ciphertext in Example 1.27, hikctyhghykaezztgaayrhbggrvgdyfg, and pretend that we don’t know m and k. The most common letters are g and h, which appear six and four times, respectively. This suggests that the ciphertext g and h correspond to plaintext e and t. Since g and h are encoded as 6 and 7 and since e and t are encoded as 4 and 19, we have the pair of congruences

 4m + k ≡ 6
19m + k ≡ 7  mod 26.

Solving the system gives m = 7 and k = 4, which, in turn, give the plaintext timwrotetomsaddressontheenvelope.

⁸ The graph of f(x) = mx + b is a line, but mathematicians do not call f a linear function unless b = 0. Instead, we call f an affine function. That is where the name of the cipher comes from.

Recall that e and t are usually the most common letters in English, and the longer a sample text is, the more likely that is to be the case. However, e and t are not always the most common, especially in short messages. Cases like that may require significant trial and error to find a suitable pair of congru­ences. Let’s look at another example, but unlike Example 1.28, this time we do not know the answer in advance.

Example 1.29: The most common letters in the ciphertext xwvmwixwomclybyvunyuyxcrmikyapmjmzopyssncrkyazmeyppcemr are y and m. Associating these with e and t gives

 4m + k ≡ 24
19m + k ≡ 12  mod 26

and m = 20 and k = 22. However, these aren’t correct since m = 20 is not relatively prime to 26. Repeated trial and error eventually leads us to associate ciphertext y and m with plaintext o and e, respectively, which gives

 4m + k ≡ 12
14m + k ≡ 24  mod 26.

Subtracting the first congruence from the second gives 10m ≡ 12 mod 26. Since gcd(10, 26) = 2 | 12, there are two solutions, m = 9, k = 2 and m = 22, k = 2. Since 22 is not relatively prime to 26, the latter solution cannot be correct. Decrypting with m = 9 and k = 2 gives lifeislikeaboxofchocolatesyouneverknowwhatyouregonnaget.⁹

Counting letter frequencies by hand can be very tedious, so mathematical packages like Mathematica and Maple can be very helpful. However, if you don’t have one of those packages or you don’t want to learn one, then just use ECrypt.
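Encryption and decryption with (1.21) and (1.22), the count of usable key pairs, and the two-congruence cryptanalysis of Examples 1.28 and 1.29, as an added Python example that is not part of the notes. The function names (mod_inverse, affine_encrypt, affine_decrypt, affine_keyspace, solve_affine_keys) are my own; the plaintexts and ciphertexts are the ones from the examples. Instead of subtracting the congruences by hand, solve_affine_keys tries every m that is relatively prime to 26, so the two situations met in Example 1.29 (the only solution is not invertible; two solutions, one of them not invertible) are handled the same way.

```python
# Added example (not from the notes): the affine cipher of (1.21)-(1.22),
# its key space, and the two-congruence cryptanalysis of Examples 1.28-1.29.
# Function names are my own.
from math import gcd
from string import ascii_lowercase as ALPHABET

M = 26  # modulus for the standard 26-letter alphabet


def mod_inverse(m, modulus=M):
    """m^{-1} mod `modulus`, or None when gcd(m, modulus) != 1 (no inverse)."""
    if gcd(m, modulus) != 1:
        return None
    return next(x for x in range(1, modulus) if (m * x) % modulus == 1)


def affine_encrypt(plaintext, m, k):
    """(1.21): c_i = m p_i + k mod 26; m must be invertible or decryption fails."""
    if mod_inverse(m) is None:
        raise ValueError(f"m = {m} is not relatively prime to {M}")
    return "".join(ALPHABET[(m * ALPHABET.index(p) + k) % M]
                   for p in plaintext.lower() if p in ALPHABET)


def affine_decrypt(ciphertext, m, k):
    """(1.22): p_i = m^{-1}(c_i - k) mod 26."""
    inv = mod_inverse(m)
    if inv is None:
        raise ValueError(f"m = {m} is not relatively prime to {M}")
    return "".join(ALPHABET[(inv * (ALPHABET.index(c) - k)) % M]
                   for c in ciphertext.lower() if c in ALPHABET)


def affine_keyspace():
    """Every usable key pair (m, k): gcd(m, 26) = 1, minus the identity (1, 0)."""
    return [(m, k) for m in range(M) for k in range(M)
            if gcd(m, M) == 1 and (m, k) != (1, 0)]


def solve_affine_keys(p1, c1, p2, c2):
    """Keys (m, k) with m*p1 + k = c1 and m*p2 + k = c2 (mod 26), given two
    plaintext/ciphertext letter pairs. Every invertible m is tried, so the
    cases of Example 1.29 (no invertible m, or two solutions of which one
    has gcd(m, 26) = 2) come out right without hand work."""
    p1, c1, p2, c2 = (ALPHABET.index(x) for x in (p1, c1, p2, c2))
    keys = []
    for m in range(1, M):
        if gcd(m, M) != 1:
            continue                      # e.g. m = 20 or m = 22 are rejected
        k = (c1 - m * p1) % M             # k is forced by the first congruence
        if (m * p2 + k) % M == c2:        # and must also satisfy the second
            keys.append((m, k))
    return keys


if __name__ == "__main__":
    ct = affine_encrypt("timwrotetomsaddressontheenvelope", 7, 4)     # Example 1.27
    print(ct, "->", affine_decrypt(ct, 7, 4))
    print("usable key pairs:", len(affine_keyspace()))                # 311
    print("g->e, h->t gives", solve_affine_keys("e", "g", "t", "h"))  # Example 1.28
    print("y->e, m->t gives", solve_affine_keys("e", "y", "t", "m"))  # Example 1.29, first try
    print("y->o, m->e gives", solve_affine_keys("o", "y", "e", "m"))  # Example 1.29, second try
```

The argument order of solve_affine_keys is plaintext letter, ciphertext letter, plaintext letter, ciphertext letter, so the first guess of Example 1.29 is solve_affine_keys("e", "y", "t", "m"), which returns an empty list because its only solution, m = 20, is not invertible.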

Exercises

(1) Factor the following integers as a product of (powers of) primes.
    (a) 278  (b) 359  (c) 126  (d) 469  (e) 388

(2) Find the smallest integer x > 0 that makes each of the following perfect squares.
    (a) 2³ · 3² · 5 · x
    (b) 2¹⁰ · 3² · 5² · 7⁶ · x
    (c) 12³ · 25² · 7 · x
    (d) (12³ · 25² · 7)² · x

(3) Suppose that we say that 56000 “ends” in 3 zeros. How many zeros are there at the end of each of these numbers?

⁹ The one and only Forrest Gump.


    (a) (12³ · 25² · 7)²
    (b) 10! = 10 × 9 × 8 × 7 × 6 × 5 × 4 × 3 × 2 × 1
    (c) 100!
    (d) $\binom{50}{25} = \frac{50!}{25!\,(50 − 25)!}$

(4) Find the following gcds and identify which pairs of integers are relatively prime.
    (a) gcd(261, 231)  (b) gcd(317, 375)  (c) gcd(297, 431)  (d) gcd(418, 278)  (e) gcd(272, 391)

(5) Find integers x and y such that ax + by = gcd(a, b) for each of the following.
    (a) a = 95, b = 298  (b) a = 462, b = 424  (c) a = 195, b = 468  (d) a = 324, b = 122  (e) a = 387, b = 108

(6) For positive integers m and n, lcm(m, n) is the least common multiple of m and n. Show that

$$\operatorname{lcm}(m, n) = \frac{mn}{\gcd(m, n)}.$$

(7) Reduce the following.
    (a) 154 mod 45
    (b) 171 mod 42
    (c) −57 mod 20
    (d) 111 mod 42
    (e) −159 mod 33
    (f) −22 mod 11
    (g) 54 mod 26
    (h) −38 mod 10
    (i) 69 mod 23
    (j) 100 mod 24

(8) Calculate the following.
    (a) 8 + 6 mod 10
    (b) 13 × 3 mod 7
    (c) 2 × 12 + 4 mod 14
    (d) 3 − 5 + 15 mod 17
    (e) 18 − 13 − 8 × 27 mod 14
    (f) 10 − 4 × 19 + 16 mod 11
    (g) 9 − 5 − 8 + 2 − 2 mod 10
    (h) 6 + 8 − 5 × 10 − 9 mod 11
    (i) 5 × 6 − 7 − 3 × 6 + 4 mod 8
    (j) 9 × 10 × 7 × 13 + 4 + 2 mod 16

(9) Find the following multiplicative inverses.
    (a) 15⁻¹ mod 38  (b) 29⁻¹ mod 40  (c) 8⁻¹ mod 49  (d) 11⁻¹ mod 15  (e) 7⁻¹ mod 26

(10) Suppose a, n ∈ ℕ. Show that the set {a mod n, a + 1 mod n, a + 2 mod n, . . . , a + (n − 1) mod n} is a re-arrangement of {0, 1, 2, . . . , (n − 1)}.

(11) Find all solutions, if any, of the following congruences.
    (a) 17x = 0 mod 34
    (b) 14x = 10 mod 32
    (c) 14x = 5 mod 25
    (d) 17x = 12 mod 24
    (e) 9x = 16 mod 20
    (f) 18x = 24 mod 46
    (g) 2x = 5 mod 15
    (h) 19x = 9 mod 30
    (i) 15x = 18 mod 21
    (j) 9x = 1 mod 30
    (k) 4x = 3 mod 34
    (l) 4x = 4 mod 22

(12) The ISBN-10 for An Introduction to Mathematical Finance by Sheldon Ross is 0-521-77043-x, where the final digit x = d₁₀ is an unknown check digit. To find d₁₀, we have to solve

0 · 1 + 5 · 2 + 2 · 3 + 1 · 4 + 7 · 5 + 7 · 6 + 0 · 7 + 4 · 8 + 3 · 9 + d₁₀ · 10 ≡ 0 mod 11.

Solve for d₁₀.

(13) In the introduction, we learned that if the first 9 digits in an ISBN-10 d₁d₂d₃d₄d₅d₆d₇d₈d₉d₁₀ are known, then the check digit d₁₀ solves

(1.23) d₁ + 2d₂ + 3d₃ + 4d₄ + 5d₅ + 6d₆ + 7d₇ + 8d₈ + 9d₉ + 10d₁₀ ≡ 0 mod 11,

but some authors write that d₁₀ has to solve

(1.24) 10d₁ + 9d₂ + 8d₃ + 7d₄ + 6d₅ + 5d₆ + 4d₇ + 3d₈ + 2d₉ + d₁₀ ≡ 0 mod 11

instead. Show that congruences (1.23) and (1.24) have the same solutions.

(14) Find all solutions, if any, of the following systems of congruences.
    (a) 3x + 7y ≡ 8,  5x + 7y ≡ 6  mod 10
    (b) 2x + 5y ≡ 16,  11x + 11y ≡ 16  mod 18
    (c) 6y ≡ 1,  15x + 22y ≡ 13  mod 22
    (d) x + y ≡ 14,  8x + y ≡ 6  mod 16
    (e) x + 16y ≡ 8,  11x + 19y ≡ 11  mod 20

(15) Encrypt the following with the additive cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified key. For longer messages, you may want to use ECrypt.
    (a) go steelers, k = 17
    (b) a spoon full of sugar makes the medicine go down, k = 9
    (c) the people in philadelphia deserve to have a winner its simple as that, k = 25

(16) Decrypt the following with the additive cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified key. For longer messages, you may want to use ECrypt.
    (a) orubkrgsv, k = 6
    (b) bpiwtbpixrpxhiwtqthiegdvgpb, k = 15
    (c) vuaolmpyzakhfvmjoypzathztfayblsvclzluaavtlhwhyaypknlpuhwlhyayll, k = 7

(17) Encrypt the following with the affine cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified keys. For longer messages, you may want to use ECrypt.
    (a) do not erase, m = 19, k = 7
    (b) who here believes tim should grow a beard, m = 15, k = 24
    (c) mr gorbachev tear down this wall, m = 5, k = 2

(18) Decrypt the following with the affine cipher using the specified keys. For longer messages, you may want to use ECrypt.
    (a) efgqzospux, k = 10, m = 9
    (b) eperfwddjesgrdzexmredjejmrke, m = 19, k = 6
    (c) qredqjyialordiixjxllpdhjnarslwlleylrgfevrwjnirwrgwylrpfvjihliijgrhfbje
        dfglyzhdluqialunbpfldizrejeialqrbljqiallryiafarslwllefewruuorypdqjydls
        leillehlrydregarslelslyylblfslgrehiafevwnipfegelddreglebjnyrvlzleiqyjz
        hjnqredujjpriialdlvyregzlexafbajqhjnxjnugeibjedfglyfiialafvaufvaijqafd
        bryllykndiijrddjbfrilxfiaialzqjylslejelgrh, k = 5, m = 17

(19) Cryptanalyze the following additive ciphertext. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica, Maple, etc...).
    (a) kbktznuamnrgxmkzxgizyulkaxuvkgtjsgteurjgtjlgsuayyzgzkyngbklgrrktuxsgel
        grrotzuznkmxovulznkmkyzgvugtjgrrznkujouaygvvgxgzayultgfoxarkckyngrrtuz
        lrgmuxlgorckyngrrmuutzuznkktjckyngrrlomnzotlxgtikckyngrrlomnzutznkykgy
        gtjuikgtyckyngrrlomnzcoznmxucotmiutlojktikgtjmxucotmyzxktmznotznkgoxck
        yngrrjklktjuaxoyrgtjcngzkbkxznkiuyzsgehkckyngrrlomnzutznkhkginkyckyngr
        rlomnzutznkrgtjotmmxuatjyckyngrrlomnzotznklokrjygtjotznkyzxkkzyckyngrr
        lomnzotznknorryckyngrrtkbkxyaxxktjkxgtjkbktolcnoinojutuzluxgsusktzhkro
        kbkznoyoyrgtjuxgrgxmkvgxzulozckxkyahpamgzkjgtjyzgxbotmznktuaxksvoxkhke
        utjznkykgygxskjgtjmagxjkjheznkhxozoynlrkkzcuarjigxxeutznkyzxammrkatzor
        otmujymuujzoskznktkccuxrjcozngrrozyvuckxgtjsomnzyzkvyluxznzuznkxkyiakg
        tjznkrohkxgzoutulznkurj
    (b) jbnbmsfbezgbsopsuipgmpoepoboebtjxbmljouiftusffutpgqfufstcvshijgffmbdpm
        eopsuifsocsffafqmbzvqponzdiffltxijdicsbdftnzofswftboegjmmtnfxjuiefmjhi
        uepzpvvoefstuboeuijtgffmjohuijtcsffafxijdiibtusbwfmmfegspnuifsfhjpotup
        xbsetxijdijbnbewbodjohhjwftnfbgpsfubtufpguiptfjdzdmjnftjotqjsjufeczuij
        txjoepgqspnjtfnzebzesfbntcfdpnfnpsfgfswfouboewjwjejuszjowbjoupcfqfstvb
        efeuibuuifqpmfjtuiftfbupggsptuboeeftpmbujpojufwfsqsftfoutjutfmgupnzjnb
        hjobujpobtuifsfhjpopgcfbvuzboeefmjhiu
    (c) ivdveufljrdflekfwkzdvkfnrcbkfddpveafpjkyvkirzekfdfiifnkfddptflcukrbvky
        vkirzerxrzefikrbvkyvkivbspwffk

(20) Cryptanalyze the following affine ciphertext. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica, Maple, etc...).
    (a) dmdcdilmdskvnbdcomjmkdzqdlmbmlqb
    (b) gpatqazdqawlpalenqzaslpgunalgenkgffdguqcvanzfgtqecllpqldcqwqangnyehglu
        idqqzkqpefzlpquqldclpulerquqfhqtgzqnllpalaffwqnadqidqalqzqmcafgpatqazd
        qawlpalenqzasenlpqdqzpgffuehyqedygalpquenuehhedwqdufatquanzlpquenuehhe
        dwqdufatqeknqdukgffrqarfqleuglzeknleyqlpqdallpqlarfqehrdelpqdpeezpatqa
        zdqawlpalenqzasqtqnlpqulalqehwguuguugvvgaulalqukqflqdgnykglplpqpqalehg
        nxculgiqukqflqdgnykglplpqpqalehevvdquugenkgffrqldanuhedwqzgnleaneaugue
        hhdqqzewanzxculgiq
    (c) vxwszokjwpkvzwotmkjzgjmkvuuvpjaijokhmzdjokhltmbavdrvdjokhptuuijavmjvmj
        zwokzftotftmkjzgjmbtgjxfoktfazhvxwaztuhiwjzazmasvwbtgjxfvxwowjfezffjfz
        fpjsvwbtgjokvfjpkvowjfezffzbztmfoxfzmaujzaxfswvdojdeozotvmzmaajutgjwxf
        swvdjgtuzdjm

(21) Suppose that you double-encrypt some plaintext with the affine cipher. First you encrypt the plaintext with keys m₁ and k₁, and then you re-encrypt the ciphertext with keys m₂ and k₂. The resulting ciphertext is also affine with keys m₃ and k₃. Carefully relate m₃ and k₃ to m₁, m₂, k₁, and k₂. Does this double affine encryption provide any additional security over regular affine encryption?

(22) The Atbash cipher replaces the 1st letter of the alphabet with the last, the 2nd with the second-to-last, etc... Write an equation that mathematically represents the action of the Atbash cipher.


CHAPTER 2

Probability

2.1. Counting

Counting is a basic mathematical skill that many American children learn by watching Sesame Street, but we want to extend that skill to count very large quantities that cannot easily be written down. For example, if you roll two standard six-sided dice, you can easily record all possible pairs as shown in Figure 2.1. Clearly, there are 6 possible outcomes for the first die and 6 possible outcomes for the second die, which suggests that there are 6 × 6 = 36 possible outcome pairs. (Note, for example, that two faces in one order are a different outcome from the same two faces in the opposite order.) This is an example of the fundamental counting rule.

Figure 2.1: All possible outcomes for a pair of regular six-sided dice.

THEOREM 2.1 (Fundamental Counting Rule). If event A can occur m ways and B can occur n ways, then A and B together can occur mn ways.

The fundamental counting rule can be extended to more complicated situations. For example, Yahtzee™ requires players to roll 5 dice. How many possible outcomes are there? We certainly don’t want to try to list them all, so we try to count without an explicit list of possible outcomes. Since there are six possible outcomes for each die, the number of possible 5-dice rolls is 6 × 6 × 6 × 6 × 6 = 6⁵ = 7776.

Example 2.1: Jake wants an ice cream cone, and he can choose one flavor of ice cream (chocolate, vanilla, or strawberry) and one type of cone (sugar or cake). How many possible ice cream cones can he choose from? According to the fundamental counting rule, there are 3 × 2 = 6 possible ice cream cones. We can also list the outcomes in this case, possibly with the help of a tree plot.

strawberry/cake    chocolate/cake    vanilla/cake
strawberry/sugar   chocolate/sugar   vanilla/sugar

Tree plots can be helpful in small problems like this one, but can be impractical in larger problems.

Now suppose that Jake has invited 7 of his friends to dinner at his house and he needs to call each of them to warn them about the vicious new dog next door. How many sequences of calls are possible? He can pick the first person he calls in 7 different ways, the second in 6 ways (because the first person has already been called), the third in 5 ways, etc... for a total of 7 × 6 × 5 × 4 × 3 × 2 × 1 = 5040 possible sequences. For convenience, we write 7 × 6 × 5 × 4 × 3 × 2 × 1 = 7!, which we read as “seven factorial”. In general, if n is a positive integer, then

n! = n(n − 1)(n − 2)(n − 3) . . . (3)(2)(1).

By itself, 0! doesn’t make any sense, but it will soon be convenient for us to define 0! = 1.

Now suppose that Jake has 5 errands to complete, but he only has enough time to complete 2 of them. How many ways can he choose 2 errands out of 5? He can choose the first of the two errands in 5 ways and the second in only 4 ways. Using the fundamental counting rule, there are 5 × 4 = 20 ways to choose two errands. If e₁ represents the first errand, e₂ the second, and so on, then the 20 possible sequences of 2 errands are as follows.

e₂e₁  e₃e₁  e₄e₁  e₅e₁
e₁e₂  e₃e₂  e₄e₂  e₅e₂
e₁e₃  e₂e₃  e₄e₃  e₅e₃
e₁e₄  e₂e₄  e₃e₄  e₅e₄
e₁e₅  e₂e₅  e₃e₅  e₄e₅

The key question here is whether or not the sequence of the errands matters. If, perhaps unrealistically, the order does matter, then there are 20 2-errand sequences. If order does not matter, then, for example, e₁e₂ is the same as e₂e₁ and there are only 10 different pairs of errands.

In general, an ordered arrangement of objects is called a permutation. We can use the fundamental counting rule to determine the number of permutations of r distinct objects that can be formed from n distinct objects. The first object can be chosen n ways, the second (n − 1) ways, ..., and the rth (n − r + 1) ways, for a total of

$${}_nP_r = n(n-1)(n-2)\cdots(n-r+1) = \frac{n(n-1)(n-2)\cdots(n-r+1)(n-r)\cdots(3)(2)(1)}{(n-r)\cdots(3)(2)(1)} = \frac{n!}{(n-r)!}.$$

Therefore, we have the following theorem.

THEOREM 2.2. The number of permutations of size r from n distinct objects is ₙPᵣ = n!/(n − r)!.

Note that there are n! ways to choose n objects from n objects and Theorem 2.2 works in that case, ₙPₙ = n!/0! = n!, because we defined 0! = 1.

An unordered arrangement of r distinct objects taken from n distinct objects is a combination, and we can derive the number of combinations from the permutation rule (Theorem 2.2) because any permutation of r distinct objects can be rearranged in r! different ways that are equivalent if order doesn’t matter. Therefore,

THEOREM 2.3. The number of combinations of size r from n distinct objects is

$${}_nC_r = \binom{n}{r} = \frac{n!}{r!\,(n-r)!}.$$

The symbol $\binom{n}{r}$ is read “n choose r”.

Example 2.2: If Bob has eight different color flags, how many different signals can he make from five flags? In this case, n = 8, r = 5. Assuming that the order of the flags matters, then ₈P₅ = 8!/(8 − 5)! = 8!/3! = 8 × 7 × 6 × 5 × 4 = 6720.

Example 2.3: Let S = {A, B, C, D, E}. How many ways can you choose 3 letters from S if order matters? In this case, we can write out all of the possible permutations

ABC  ABD  ABE  ACD  ACE  ADE  BCD  BCE  BDE  CDE
ACB  ADB  AEB  ADC  AEC  AED  BDC  BEC  BED  CED
BAC  BAD  BAE  CAD  CAE  DAE  CBD  CBE  DBE  DCE
BCA  BDA  BEA  CDA  CEA  DEA  CDB  CEB  DEB  DEC
CAB  DAB  EAB  DAC  EAC  EAD  DBC  EBC  EBD  ECD
CBA  DBA  EBA  DCA  ECA  EDA  DCB  ECB  EDB  EDC

and see that there are 60 of them, or we could compute ₅P₃ = 5!/2! = 60. If order does not matter, then all of the entries in each column are equivalent to each other. For example, ABC, ACB, BAC, BCA, CAB, and CBA (first column) are all equivalent if order doesn’t matter, and there are 3! of them since there are 3! permutations of 3 objects. Therefore, the number of combinations is

$$\binom{5}{3} = \frac{5!}{3!\,2!} = 10.$$

Example 2.4: How many different five-card hands can be made from a standard card deck of 52 cards? Here, order does not matter, so

$${}_{52}C_5 = \binom{52}{5} = \frac{52!}{5!\,(52-5)!} = \frac{52!}{5!\,47!} = 2{,}598{,}960.$$

Students often struggle with permutations and combinations in applied problems. In both cases, remember to check that you are sampling without replacement from a set with no repeated elements. Then you have to determine whether or not order matters. This is where people usually struggle the most, so let’s look at a few examples.

Example 2.5: There are currently (2012) 12 schools in the Big Ten conference (and 10 in the Big 12 – go figure). If the conference is planning a future year’s football matchups, how many different games are possible? For each game, the conference must choose 2 teams out of 12, and repeats are not possible since no team can play itself. Since this is clearly a permutation or combination problem, the only issue is whether or not order matters. If, for example, the first team chosen plays at home, then order matters and there are ₁₂P₂ = 12!/(12 − 2)! = (12)(11)10!/10! = 132 different matchups. However, if the games are played at neutral sites (which would be unusual), then order doesn’t matter and there are ₁₂C₂ = 12!/((12 − 2)! 2!) = (12)(11)10!/(10! · 2) = 66 possible matchups.

Example 2.6: Suppose that a generous instructor brings a $20 bill, a $10 bill, a $5 bill, and a $1 bill to class one day. He puts all 30 students’ names in a hat and draws four different names. The first person wins the $20 bill, the second the $10 bill, and so on. How many different ways can the money be awarded? In this example, order clearly matters because the prizes are different. Therefore, there are ₃₀P₄ = 30!/26! = 657,720 different ways to award the money.

Example 2.7: A less generous instructor brings four $1 bills to class one day, puts all of his 30 students’ names in a hat and draws four different names. Each person selected wins $1. How many different ways can the money be awarded? In contrast to Example 2.6, order does not matter because the prizes are all the same. Therefore, there are only ₃₀C₄ = 30!/(4! 26!) = 27,405 different ways to award the money.

2.2. Probability

The set of all outcomes of a random experiment is called the sample space. For example, the sample space for flipping a coin and observing the up-side is {heads, tails}. The sample space for the number of pips on the up-face of a standard six-sided die is {1, 2, 3, 4, 5, 6}. An event A is a subset of the finite sample space S. If all events in S are equally likely, then the probability of A is

(2.1) P(A) = (number of elements in A) / (number of elements in S).

Also, if an experiment is repeated a large number of times, then

(2.2) P(A) ≈ (number of times A occurs) / (number of trials).

In other words, probabilities are numbers that reflect the likelihood that an event will occur. For example, if A is the event of rolling a 5 with a standard die, then

P(A) = 1/6,

because there is 1 entry in A = {5} and 6 equally likely entries in S = {1, 2, 3, 4, 5, 6}. Repeated rolling of a die produces the same result in an approximate way. See the simulations in Figure 2.2. The more trials there are, the more likely the estimate is to be close to the exact probability.

It is clear from (2.1) that 0 ≤ P(A) ≤ 1 and that P(S) = 1. The union of events A and B, denoted A ∪ B, indicates that A occurs, B occurs, or both A and B occur as shown graphically in Figure 2.3a and 2.3b. The intersection of A and B, denoted A ∩ B, means that both A and B occur, as shown in Figure 2.3c. This implies the addition rule for probabilities.

Figure 2.2: Frequencies of outcomes from simulations of a hundred, a thousand, and a million rolls of a fair die. Note that there is considerably less variation with more repetitions.

THEOREM 2.4 (Addition Rule).

P(A∪ B) = P(A) + P(B)− P(A∩ B)

Looking at Figure 2.3a, we see that the area of A ∪ B is equal to the sum of the areas of A and B, except that we have to be careful not to double-count the area of A ∩ B, so we have to subtract it from P(A) + P(B). If A and B are mutually exclusive (Figure 2.3b), then the occurrence of A excludes the possibility of B and the occurrence of B excludes the possibility of A. In other words, sets A and B are disjoint (see Figure 2.3) and P(A ∩ B) = 0.

Example 2.8: For the experiment of rolling a pair of dice (see Figure 2.1), let A be the event of rolling a sum of 6 and let B be the event of rolling “doubles”.

P(A ∪ B) = P(A) + P(B) − P(A ∩ B) = 5/36 + 6/36 − 1/36 = 10/36 = 5/18 ≈ 0.27

Example 2.9: In a standard deck of 52 cards, let A be the event of drawing an ace and let B be the event of drawing a red card. Then,

P(A ∪ B) = 4/52 + 26/52 − 2/52 = 28/52 = 7/13 ≈ 0.538461.

The complement¹ of an event A is the set of events for which A did not occur. We’ll denote the complement of A by Aᶜ, but other authors use other symbols like A′ and ∼A. It is clear that A ∪ Aᶜ = S and that A and Aᶜ are mutually exclusive. Therefore, the application of the addition rule shows that P(A) + P(Aᶜ) = P(S), or

(2.3) P(Aᶜ) = 1 − P(A).

In problems where P(Aᶜ) is easier to compute than P(A), (2.3) can be very helpful.

Example 2.10: If A is the event of rolling a 3 on a fair six-sided die, then Aᶜ is the event of rolling a 1, 2, 4, 5, or 6 and P(A) = 1/6 and P(Aᶜ) = 5/6.

¹ Note the spelling of complement. If someone says that you did a great job on a paper, then that is a compliment.

Figure 2.3: The shaded areas in (a) and (b) represent A ∪ B. In (b) the events are mutually exclusive (or the sets are disjoint). The shaded area in (c) represents A ∩ B, and in (d) the lighter area is A and the darker is Aᶜ.

Sometimes probabilities depend on previous events. For example, the probability that you will be dealt an ace from a well-shuffled, standard, 52-card deck is 4/52 = 1/13 ≈ 0.0769 since there are 4 aces and 52 cards. However, the probability that your second card will also be an ace, given that your first card was an ace, is 3/51 ≈ 0.0588 since there are only 3 aces and 51 cards left. We denote the conditional probability that B will occur given that A has occurred by P(B|A) and we observe the following theorem.

THEOREM 2.5 (Multiplication Rule).

P(A ∩ B) = P(A)P(B|A)

Example 2.11: Let’s use the multiplication rule to determine the probability that the top two cards in a shuffled deck are aces. Let A be the event that the first card is an ace and let B be the event that the second card is an ace. Then

P(A ∩ B) = P(A)P(B|A) = (4/52) · (3/51) = 1/221 ≈ 0.00452

Two events A and B are independent if the occurrence of one has no effect on the other. For example, if A is the event of getting heads on the first toss of a coin and B is the event of getting heads on the second toss, then A and B are independent events. Two events are dependent if they are not independent. For instance, if C is the event of drawing a heart (♥) from a standard deck of 52 cards and D is the event of drawing a club (♣) on the next card without replacing the first card, then C and D are dependent events. Whenever A and B are independent, P(B|A) = P(B), P(A|B) = P(A) and the multiplication rule simplifies to

P(A ∩ B) = P(A)P(B).

2.3. Index of Coincidence

The index of coincidence (IoC) for a body of text is the probability that two (uniformly) randomly selected letters are the same. Indices of coincidence are different for every book or article and they are relatively easy to compute using our probability rules. Let A₁ be the event that you get an a as the first chosen letter and A₂ be the event that you get an a as the second letter, etc... Then

IoC = P(two randomly chosen letters are the same) = P((A₁ ∩ A₂) ∪ (B₁ ∩ B₂) ∪ . . . ∪ (Z₁ ∩ Z₂)).

Since each pair of letters is mutually exclusive of every other pair, the addition rule (Theorem 2.4) implies that

(2.4) IoC = P(A₁ ∩ A₂) + P(B₁ ∩ B₂) + . . . + P(Z₁ ∩ Z₂).

If n is the total number of characters in the text and there are n₁ a’s, n₂ b’s, etc..., then the multiplication rule (Theorem 2.5) implies

(2.5) $$\mathrm{IoC} = \left(\frac{n_1}{n}\right)\left(\frac{n_1 - 1}{n - 1}\right) + \left(\frac{n_2}{n}\right)\left(\frac{n_2 - 1}{n - 1}\right) + \cdots + \left(\frac{n_{26}}{n}\right)\left(\frac{n_{26} - 1}{n - 1}\right)$$

(2.6) $$\mathrm{IoC} = \frac{1}{n(n-1)} \sum_{i=1}^{26} n_i (n_i - 1)$$

Equation (2.6) is often further simplified by assuming that all of the nᵢ are large so that nᵢ ≈ nᵢ − 1² and

(2.7) $$\mathrm{IoC} = \frac{1}{n^2} \sum_{i=1}^{26} n_i^2,$$

but this is not necessary and doesn’t really offer an advantage unless we’re computing the IoC by hand.

Example 2.12: “The quick brown fox jumped over the lazy dog.” is a short sentence of 36 characters that famously uses each letter of the alphabet at least once. Only 7 letters are used more than once: d (twice), e (four times), h (twice), o (four times), r (twice), t (twice), and u (twice). Using (2.6), we find IoC = 34/1260 ≈ 0.027. Using the reduced form (2.7) is not appropriate here since each nᵢ is so small and it leads to a very poor approximation of 70/1296 ≈ 0.054.

Example 2.13: Example 2.12 used a very short, unusual text. What are more typical values of the IoC for 26-letter English? The following table shows the IoCs for the four texts we considered in Section 1.9. Because each body of text is long, the IoC in (2.6) and its approximation in (2.7) are almost identical.

Text                              Number of Characters   IoC
“The Gold Bug”                    58,270                 0.066
2006 State of the Union Address   25,940                 0.066
“Julius Caesar”                   86,699                 0.064
USA Patriot Act                   286,260                0.070

Let’s come up with a theoretical IoC for 26-letter English. We saw in Section 1.9 that the probability model for English with the standard 26-letter alphabet is fairly consistent from text to text, provided that the texts are sufficiently long. So, if we’re considering a text that is long enough to follow the distribution in Figure 1.1, then we can approximate its IoC using the frequencies from Table 1.2. Returning to (2.4) and explicitly using the multiplication rule, we have

IoC = P(A₁ ∩ A₂) + P(B₁ ∩ B₂) + . . . + P(Z₁ ∩ Z₂)
    = P(A₁)P(A₂|A₁) + P(B₁)P(B₂|B₁) + . . . + P(Z₁)P(Z₂|Z₁).

For a sufficiently long text, all letter pair events (like A₁ and A₂) should be almost independent, so

IoC ≈ P(A₁)² + P(B₁)² + . . . + P(Z₁)².

Using the probabilities in Table 1.2, we have

(2.8) IoC ≈ (0.082)² + (0.014)² + . . . + (0.001)² ≈ 0.0658,

which is consistent with our results in Example 2.13. In other words, in long English texts, there is about a 6.6% chance that two randomly selected letters are the same.

Classroom Exercise 2.1: How is the IoC for affine ciphertext related to the IoC for the related plaintext?

Finally, let’s find what the IoC should be for ciphertext. A necessary condition for a good cipher is that it masks all of the letter frequencies, so let’s assume that every letter in the ciphertext is equally likely, with probability 1/26. Then

IoC ≈ P(A₁)² + P(B₁)² + . . . + P(Z₁)² = (1/26)² + (1/26)² + . . . + (1/26)² = 26/26² = 1/26 ≈ 0.038.

So, the better a cipher masks letter frequencies, the closer the IoC of the ciphertext is to 0.038.

² If you had a million dollars and you lost one, you wouldn’t be worried about it, right?
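Equations (2.6), (2.7) and (2.8) and the uniform value 1/26, as an added Python example that is not part of the notes. The function names (letter_counts, index_of_coincidence, index_of_coincidence_approx, expected_ioc, uniform_ioc) are my own; the inputs are the sentence of Example 2.12 and the frequencies of Table 1.2, so the numbers it produces can be checked against the text.

```python
# Added example (not from the notes): index of coincidence, equations (2.6),
# (2.7) and (2.8), and the uniform value 1/26. Function names are my own.
from collections import Counter
from string import ascii_lowercase as ALPHABET

# Relative letter frequencies of English, copied from Table 1.2 of the notes.
ENGLISH_FREQ = {
    "a": 0.082, "b": 0.014, "c": 0.025, "d": 0.046, "e": 0.124, "f": 0.022,
    "g": 0.020, "h": 0.065, "i": 0.069, "j": 0.001, "k": 0.008, "l": 0.039,
    "m": 0.024, "n": 0.073, "o": 0.076, "p": 0.018, "q": 0.001, "r": 0.059,
    "s": 0.065, "t": 0.089, "u": 0.026, "v": 0.011, "w": 0.023, "x": 0.002,
    "y": 0.018, "z": 0.001,
}


def letter_counts(text):
    """n_1, ..., n_26: how often each letter occurs, ignoring case and non-letters."""
    return Counter(ch for ch in text.lower() if ch in ALPHABET)


def index_of_coincidence(text):
    """(2.6): IoC = (1 / n(n-1)) * sum over letters of n_i (n_i - 1)."""
    counts = letter_counts(text)
    n = sum(counts.values())
    if n < 2:
        raise ValueError("need at least two letters to pick a pair")
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def index_of_coincidence_approx(text):
    """(2.7): IoC ~ (1 / n^2) * sum of n_i^2, the large-n shortcut; poor for short texts."""
    counts = letter_counts(text)
    n = sum(counts.values())
    return sum(c * c for c in counts.values()) / (n * n)


def expected_ioc(freqs):
    """(2.8): the IoC of a long text that follows a given letter distribution,
    i.e. the sum of the squared letter probabilities."""
    return sum(f * f for f in freqs.values())


def uniform_ioc(alphabet_size=26):
    """IoC when every letter is equally likely: alphabet_size * (1/alphabet_size)^2."""
    return alphabet_size * (1 / alphabet_size) ** 2


if __name__ == "__main__":
    pangram = "The quick brown fox jumped over the lazy dog."   # Example 2.12
    print(f"(2.6) on the pangram: {index_of_coincidence(pangram):.3f}")        # about 0.027
    print(f"(2.7) on the pangram: {index_of_coincidence_approx(pangram):.3f}")  # about 0.054
    print(f"(2.8) for English:    {expected_ioc(ENGLISH_FREQ):.4f}")           # about 0.0658
    print(f"uniform 26 letters:   {uniform_ioc():.3f}")                        # about 0.038
```

Because index_of_coincidence keeps only the 26 letters, the same function can be run on ciphertext to see how close a cipher comes to the 0.038 of the uniform distribution.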

2.4. Vigenère Cipher

History. The Vigenère cipher is a generalization of the additive cipher that thwarts direct frequency analysis. It was (erroneously) considered unbreakable for about 300 years, but this may be because professional cryptologists preferred nomenclator³ ciphers instead [3]. Vigenère recorded both plaintext and ciphertext autokey versions of his cipher in his 1586 Traicte des Chiffres, but, according to Kahn [3], later cryptologists falsely attributed what we’ll call the Vigenère cipher to him.

Encryption and Decryption. The Vigenère cipher is similar to the additive cipher in that it consists of additive shifts, but the key can be substantially longer because the Vigenère cipher uses a keyword (or sequence of integers) instead of a key letter (or single integer). For example, consider the plaintext theeaglesarethebest4 with keyword football. To encrypt, we line up the characters from the plaintext, write the keyword repeatedly under all the characters, and then shift each plaintext character by the amount from the corresponding key character.

Plaintext:  theeaglesarethebest
Key:        footballfootballfoo
Ciphertext: yvsxbgwpxofxuhpmjgh

To be specific, the first plain character t is shifted by 5 (f) to give y, the second character h is shifted by 14 (o) to give v, and so on.

Again, it is convenient to mathematize our cipher. The difference between the Vigenère cipher and the additive cipher is that the value of k in (1.20) changes periodically. If p_i is the ith plaintext character, then the ith ciphertext character is

(2.9)    c_i = (p_i + k_{i \bmod L}) \bmod 26,

where the key is now the sequence of L integers {k_0, k_1, \dots, k_{L-1}} instead of a single integer k. Revisiting the example above, we can now encrypt simply by adding in columns modulo 26.

Plaintext:  19  7  4  4  0  6 11  4 18  0 17  4 19  7  4  1  4 18 19
Key:         5 14 14 19  1  0 11 11  5 14 14 19  1  0 11 11  5 14 14
Ciphertext: 24 21 18 23  1  6 22 15 23 14  5 23 20  7 15 12  9  6  7
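The encryption rule (2.9) and the column addition above, written out in Python as an added example (this is not code from the notes). It uses the notes' convention a = 0, …, z = 25, reproduces the football example, and decrypts by subtracting the same key sequence.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def to_numbers(text):
    """a -> 0, b -> 1, ..., z -> 25, the convention used throughout the notes."""
    return [ALPHABET.index(ch) for ch in text]


def to_letters(numbers):
    """Inverse of to_numbers; reduces mod 26 so negative values (decryption) work."""
    return "".join(ALPHABET[n % 26] for n in numbers)


def vigenere(text, keyword, decrypt=False):
    """Vigenère cipher, (2.9): c_i = (p_i + k_{i mod L}) mod 26.
    Decryption subtracts the key sequence instead of adding it."""
    key = to_numbers(keyword)
    sign = -1 if decrypt else 1
    return to_letters(p + sign * key[i % len(key)]
                      for i, p in enumerate(to_numbers(text)))


def column_view(plaintext, keyword):
    """The three numeric rows the notes write out: plaintext, repeated key, ciphertext."""
    key = to_numbers(keyword)
    plain = to_numbers(plaintext)
    key_row = [key[i % len(key)] for i in range(len(plain))]
    cipher = [(p + k) % 26 for p, k in zip(plain, key_row)]
    return plain, key_row, cipher


if __name__ == "__main__":
    ct = vigenere("theeaglesarethebest", "football")
    print("Ciphertext:", ct)                                   # yvsxbgwpxofxuhpmjgh
    print("Recovered: ", vigenere(ct, "football", decrypt=True))
    for label, row in zip(("Plaintext", "Key", "Ciphertext"),
                          column_view("theeaglesarethebest", "football")):
        print(f"{label:>10}: " + " ".join(f"{n:2d}" for n in row))
```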

Keyspace. Before we can determine the size of the keyspace, we have to decide on how long the keywords can be. Currently (2010), according to Mathematica, there are only seven words (counterrevolutionaries, electroencephalograms, electroencephalograph, electroencephalographic, electroencephalographs, electroencephalography, magnetohydrodynamical) in the English language with more than 20 letters, so it seems reasonable to restrict our attention for the time being to words up to length 20. If we insist on actual English words for keywords, then there are 92,518 ≈ 2^{16.5} words in Mathematica’s dictionary.

3 A nomenclator is a type of substitution cipher.
4 One author disagrees...and deep down, the other author knows that, in fact, the Steelers are the best. Count the Super Bowls.


Figure 2.4: The frequencies of lengths of English’s 92,518 words.

Other dictionaries may have more words, so let’s just say that there are about 100,000 words in the English language. While that is too large to exhaust by hand, it is nothing for a modern computer.

If we relax our restriction and accept any string of characters up to and including 20 letters, then there are

26 + 26^2 + 26^3 + \dots + 26^{20} = 20,725,274,851,017,785,518,433,805,270 \approx 2^{94}

possible keywords. That looks like a big number (20 octillion plus change), and it is - even for a modern computer. So exhaustion is out of the question in this case.

Cryptanalysis of Vigenère Cipher. Additive and affine ciphertext can be attacked exhaustively because their keyspaces are small: 25 and 311, respectively. However, attacking the Vigenère cipher requires a subexhaustive attack. If we can determine the length of the keyword, L, then we only need to solve L additive ciphers, which we already know how to do. We will discuss two methods of determining L, the Kasiski test and the Friedman test. Both of these tests are hard to implement if L is large because the keyword is not repeated very often. Churchhouse [1] (p. 37) recommends having ciphertext that is fifty times longer than the key to have reasonable hope of success. If the keyword is as long as the plaintext and the characters in the keyword are generated randomly, then the Vigenère cipher is called a one-time pad. This is impractical in most situations because so much key is required, but it is very secure. In fact, in 1949, Claude Shannon [9] proved that the one-time pad is theoretically unbreakable, so only human error would allow an adversary to successfully cryptanalyze one-time pad ciphertext. According to [13], the “hotline” between Moscow and Washington, D.C. was encrypted with a one-time pad during the Cold War.

Kasiski Test. The Kasiski test exploits repeated strings of characters in the plaintext. For example, the plaintext howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood has several strings that appear repeatedly. Encrypting with the keyword twist gives ciphertext that also has repeated strings.

Plaintext:  howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood
Key:        twisttwisttwisttwisttwisttwisttwisttwisttwisttwisttwisttw
Ciphertext: akeenvdeghwswmewweghwypmvdypmvdensphkluanysuhnhluanysohhz

The word wood appears four times in the plaintext, but it is encrypted in only three different ways. Why? The first two times that wood appears, the first letter of wood corresponds to the i in twist. The third time wood appears it lines up with the second t in twist, and the last time it appears it lines up with the s in twist. Similar things happen with the strings chuck and dchuck.


Kasiski’s observation was that if you can identify repeated strings in the ciphertext, then it is possible, but not certain, that the repeated ciphertext strings correspond to the same plaintext strings. If that is the case, then the difference in position between the repeated strings must be a multiple of the length of the keyword. In our example, eghw starts at positions 8 and 18, so the keyword length is probably a factor of 18 − 8 = 10 = 2 · 5. This suggests that the keyword likely has length 2, 5, or 10.
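The Kasiski test as a small program, added here as an example (not the notes' own software or the KasiskiTest.nb notebook mentioned later). It finds every string of a chosen length that occurs more than once, records the 1-based starting positions and their differences, factors the differences, and tallies which keyword lengths divide them. The woodchuck ciphertext is regenerated from the plaintext and keyword twist given above.

```python
from collections import Counter, defaultdict


def vigenere(text, keyword):
    """Vigenère encryption with a=0,...,z=25; used only to build the sample ciphertext."""
    key = [ord(c) - 97 for c in keyword]
    return "".join(chr((ord(ch) - 97 + key[i % len(key)]) % 26 + 97)
                   for i, ch in enumerate(text))


def repeated_strings(ciphertext, length):
    """Map each string of the given length that occurs more than once to its
    1-based starting positions (the notes count positions from 1)."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i + 1)
    return {s: p for s, p in positions.items() if len(p) > 1}


def factorize(n):
    """Prime factorization as a list, e.g. 172 -> [2, 2, 43]."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def kasiski(ciphertext, length=4, max_key_len=20):
    """Kasiski test: collect the differences between consecutive occurrences of
    each repeated string and count how often each candidate keyword length
    divides them. Lengths that divide many differences are the likely ones;
    accidental repeats of short strings add only scattered votes."""
    votes = Counter()
    spacings = []
    for s, pos in repeated_strings(ciphertext, length).items():
        for a, b in zip(pos, pos[1:]):
            spacings.append((s, a, b, b - a, factorize(b - a)))
            for L in range(2, max_key_len + 1):
                if (b - a) % L == 0:
                    votes[L] += 1
    return spacings, votes


if __name__ == "__main__":
    pt = "howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood"
    ct = vigenere(pt, "twist")   # akeenvdeghwswmewweghwypmvdypmvdensphkluanysuhnhluanysohhz
    spacings, votes = kasiski(ct)
    for s, a, b, d, f in spacings:
        print(f"{s} at {a} and {b}: difference {d} = {' * '.join(map(str, f))}")
    print("keyword length votes:", votes.most_common(3))
```

On this short text every difference is 5 or 10, so length 5 collects the most votes, with 2 and 10 tied behind it; on a long ciphertext such as Example 2.14 the same tally is what the table of polygraphs below does by hand.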

Example 2.14: Consider the following ciphertext (users.etown.edu/m/mcdevittt/Vigenere1.txt). It’s fairly long, but that actually makes the cryptanalysis easier because long repeated strings are more likely.

oig gbw agn uzs byh tws qpa mmv xig gou fwn leq aig vqn rda ntd wnt xbw

acc czt wnm cnq zpc cac liz rnc htm cza rvq gcs mcm xqs rwm inx fdc bqe

aib dbc fxx hfw jnm aug qcj lqr aym inx qfd uxc xqi tjl qtw amv nxu cja

dtj nox ecx ljl ftb nuc pqt tcb qgc bmi wuf xxh agj hkc jnu dwm arx hot

rpq sjh phx xqs rwm inx opw fac pyz sdl qln udt vyf dwu sgn ufq jnf anz

utu xau cbm ifu dln bmk nwa bnn asn xur jnq pyi dir izd ont pcz utu xmh

jzu cjf dtb nuc pjx ply rda ntd byi wxb qgn amk nnt trl xxe yei quf iqu

fcj nud wgu vqn xxe yui rmm aci stc bqg ocf irh spw xbg xjq gcb mif yew

xox smi fwr mnj ccz puu dvn let wmq lnw mcw ifs nxu rjn qln wmc wif rxh

etl lmi nqq rjh zdc bma uii iqc eva igc mnt tkl mkn gqc uch xwa mcm xqp

mqt dbn djp axt mbq gnb mkn wac byo gjn qsr nrp aun dey aja jad aja lnl

fdj xpd axq iau oic bql xlx sfc xau cfi uyz dcy zda fac plq bng nta qtp

cqq hjs tta ynj ccf rjh zte ydu xls tcq tpc ntt hxu sqy dtr nuh oid jbn

ttu chx wad pcb qgc int myp xlu ftm bqg nna iqy gco czx bbq sfi dzf bur

qnt thq tdo igv qnt tay tpe yfw dmr pam acx vxn jxh pww qsr nuh auf wnl

rda oei xvq wnl qsn xur jnq sci fwn adt jnf pbe dtv uuc rhs qnz agn oei

quf uai yiq yet qiz day psn upl nnm znc zra ymh nxp tei fxx hfd cbm ilu

ghn zag fbu rqn tth amk nnt tuu eio oxa vym hdl qdo xqk xnu dwn tpc qqw

nlq wra tah lqh xfh tcb mic bqh nxq pmm tpu fzd cbm knx utm czk jcz iqu

fiq cec jnu dwo zsn lsd mmt puf tpe ymc nqn xan tdo zdt nxa bjh piq ufv

xpq gwg qcc iri qyb txj xtk sfw njq dyf qux lfw njq dyf qhq uxa wif enl

uhq zdd vnt tnu diq

Short repeated strings can happen accidentally, so we prefer relatively long strings. Several repeated strings in the above text are listed here with their starting positions.

Polygraph    Starting Positions    Differences in Starting Positions
snxurjnq     296, 468, 824         468 − 296 = 172 = 2^2 · 43;  824 − 468 = 356 = 2^2 · 89
xqsrwmin     94, 226               226 − 94 = 132 = 2^2 · 3 · 11
wnjqdyfq     1104, 1116            1116 − 1104 = 12 = 2^2 · 3

Since the differences in starting positions all involve 2^2, the keyword probably has length 2 or 4.


Putative     Indices of Coincidence for Subsequences of the Ciphertext
Keyword      {c_{1+jL}}  {c_{2+jL}}  {c_{3+jL}}  {c_{4+jL}}  {c_{5+jL}}  {c_{6+jL}}  {c_{7+jL}}  {c_{8+jL}}  {c_{9+jL}}
Length L
1            0.046
2            0.058       0.050
3            0.044       0.048       0.047
4            0.077       0.067       0.080       0.072
5            0.043       0.051       0.044       0.046       0.044
6            0.055       0.054       0.059       0.047       0.058       0.047
7            0.045       0.045       0.048       0.044       0.051       0.043       0.045
8            0.073       0.067       0.080       0.065       0.078       0.063       0.079       0.077
9            0.041       0.049       0.044       0.042       0.042       0.061       0.047       0.048       0.043

Table 2.1: Table of Friedman’s indices of coincidence for subsequences of the ciphertext.

Finding the repeated strings and their starting positions is tedious to do by hand, so we recommend using ECrypt or some other appropriate software. A nice Mathematica notebook KasiskiTest.nb can be found at users.etown.edu/m/mcdevittt/Crypto.html. Even with a computer, finding repeated strings can be a little slow, so be sure that you don’t tackle ciphertext that is really long unless you are prepared to wait awhile.

Friedman Test. Experiments show that the index of coincidence for Vigenère ciphertext is approximately 0.046, whereas it is about 0.066 for English and affine ciphertext, so the IoC is a statistic that can be used to distinguish between Vigenère and affine ciphertext. However, we can also use it to find the length of the Vigenère keyword.

Example 2.15: Let’s reconsider the ciphertext in Example 2.14. The IoC is 0.046, which suggests that this is probably Vigenère ciphertext. What we’ll do is simply try different keyword lengths L. If, for example, we try L = 3, then we are guessing that the keyword has length 3. If that is correct, then {p_1, p_4, p_7, p_10, . . .} were all encrypted with k_0, {p_2, p_5, p_8, . . .} were all encrypted with k_1, and {p_3, p_6, p_9, . . .} were encrypted with k_2. That means that each subsequence should have an IoC near 0.066. However, as Table 2.1 shows, the indices are 0.044, 0.048, and 0.047, so L = 3 must be wrong.

Table 2.1 shows IoCs for all of the subsequences for values of L from one to nine. The IoCs for L = 4 and L = 8 are close to 0.066, so we think that one of these is correct. Since 4 | 8, it must be that L = 4. This method is both faster and more reliable than the Kasiski test, but it requires the use of a computer.

Finding Plaintext. Once the length of the keyword is known, recovery of the plaintext is fairly easy because it only requires cryptanalyzing L additive ciphers.

Example 2.16: Continuing Example 2.14 and knowing that L = 4, we break down the cipher into its four subsequences:

{c_{1+4j}}_{j=0}^{247} = obnbwaxonaqawbcwnclnmrcmrncabxjujandxjwnjjejbpccwxjj...qwnqvnq
{c_{2+4j}}_{j=0}^{246} = iwuysmiulinnnwcnqciccvsxwxbichnglyxuqlaxanclnqbbuhhn...fuilznu
{c_{3+4j}}_{j=0}^{246} = gazhqmgfegrttazmzazhzqmqmfqbffmqqmqxiqmudoxfutqmfaku...qxfudtd
{c_{4+4j}}_{j=0}^{246} = ggstpvgwqvddxctcpcrtagcsidedxwacrifcttvctxltctgixgcd...haehdti

that have the frequencies shown in Figure 2.5. These charts suggest that {k_0, k_1, k_2, k_3} = {9, 9, 12, 15} (or jjmp), which gives the obviously incorrect putative plaintext fzursnorelndspvenjeardagozurflthecsbrzugheforehonehisnonttnene. A little trial and error reveals that k_1 = 20 (jump) and the original plaintext fourscoreandsevenyearsagoourfathersbroughtforthonthiscontinent.
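The Friedman test of Example 2.15 and the plaintext recovery of Example 2.16, combined into one program as an added example (not the notes' own code). Because the Vigenere1.txt ciphertext is not reproduced here, the program encrypts a constructed sample paragraph of about 1000 letters with the keyword jump from Example 2.16 and then attacks the result: it builds the rows of Table 2.1, picks the keyword length, and solves each subsequence as an additive cipher by correlating its letter counts with a constructed English frequency table instead of reading bar charts by eye. The IoC cutoff of 0.058 is our own choice, explained in the code.

```python
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed approximation of English letter frequencies, indexed a..z
# (the notes' Table 1.2 differs slightly; any reasonable table works here).
ENGLISH_FREQ = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
                0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
                0.063, 0.091, 0.028, 0.010, 0.024, 0.002, 0.020, 0.001]

# Constructed sample plaintext (about 1000 letters). A real attack starts from
# intercepted ciphertext; here we make our own so the answer can be checked.
SAMPLE = """
the vigenere cipher masks the letter frequencies of a single message by
shifting each plaintext letter by a different amount taken from a repeating
keyword because the keyword repeats every letter that lands under the same
key letter is shifted by the same amount so the ciphertext splits into
several additive ciphers once the period is known the index of coincidence
measures how often two letters drawn from a text agree and for ordinary
english prose it stays near seven percent while for letters chosen uniformly
at random it falls to about four percent a cryptanalyst who guesses the wrong
period sees flat statistics in every column but the correct period restores
the familiar skew of english in each column and the keyword can then be
recovered one shift at a time by frequency analysis the kasiski test reaches
the same conclusion by a different route repeated words in the plaintext that
happen to fall under the same part of the keyword produce repeated groups in
the ciphertext and the distance between such repeats must be a multiple of
the keyword length both tests need a good deal of ciphertext because a short
message simply does not contain enough repeats or enough letters in each
column for the statistics to settle down
"""
PLAINTEXT = "".join(ch for ch in SAMPLE if ch.isalpha())


def vigenere(text, keyword, decrypt=False):
    """(2.9) with a=0,...,z=25; decryption subtracts the key instead."""
    key = [ALPHABET.index(c) for c in keyword]
    sign = -1 if decrypt else 1
    return "".join(ALPHABET[(ALPHABET.index(ch) + sign * key[i % len(key)]) % 26]
                   for i, ch in enumerate(text))


def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def subsequences(text, L):
    """The L subsequences {c_{1+jL}}, {c_{2+jL}}, ...: every L-th letter."""
    return [text[i::L] for i in range(L)]


def ioc_table(text, max_len=10):
    """Rows of Table 2.1: for each putative length L, the IoC of each subsequence."""
    return {L: [index_of_coincidence(s) for s in subsequences(text, L)]
            for L in range(1, max_len + 1)}


def friedman_key_length(text, max_len=10, threshold=0.058):
    """Friedman test: the smallest L whose subsequences look like additive
    ciphertext of English (IoC near 0.066). A subsequence that still mixes two
    shifts sits near 0.05, and one mixing more shifts lower still, so a cutoff
    of 0.058 (our choice) separates the cases. A multiple of the true length
    (8 when L = 4) also passes, which is why the smallest passing L is taken."""
    table = ioc_table(text, max_len)
    for L in range(1, max_len + 1):
        if sum(table[L]) / L >= threshold:
            return L
    return max(table, key=lambda L: sum(table[L]) / L)   # fall back to the best row


def best_shift(subseq):
    """Solve one additive cipher: the shift whose decryption correlates best with
    English letter frequencies (an automated reading of the charts in Figure 2.5)."""
    counts = Counter(subseq)
    n = len(subseq)

    def score(k):   # if k is right, ciphertext letter p+k carries plaintext letter p
        return sum(counts[ALPHABET[(p + k) % 26]] / n * ENGLISH_FREQ[p] for p in range(26))

    return max(range(26), key=score)


def recover_keyword(text, L):
    return "".join(ALPHABET[best_shift(s)] for s in subsequences(text, L))


if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, "jump")      # keyword from Example 2.16
    print("IoC of whole ciphertext:", round(index_of_coincidence(ct), 3))
    L = friedman_key_length(ct)
    print("keyword length:", L, [round(x, 3) for x in ioc_table(ct)[L]])
    keyword = recover_keyword(ct, L)
    print("keyword:", keyword)
    print(vigenere(ct, keyword, decrypt=True)[:40] + "...")
```

The correlation score in best_shift is why the program does not fall into the jjmp trap of Example 2.16: it weighs every letter's frequency at once rather than matching only the tallest bar, so a subsequence in which the most common ciphertext letter happens not to be e is still decoded correctly.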

Figure 2.5: Frequencies of ciphertext characters in the four subsequences of the Vigenère cipher in Example 2.14.

Exercises

(1) Kelly is trying to communicate with her best friend Bill. She has seven different whistles to get his attention, each with a different pitch. How many different sequences of whistles could she make if she uses three different whistles each time?

(2) Melissa has top-of-the-line clothing. She has four different pairs of shoes, three different shirts, and six pairs of pants. How many different outfits can she make?


(3) Jordan has a gambling problem. He enjoys making bets on things such as flipping a coin. Assuming the probability of flipping a heads is 0.5, what is the chance that he flips a head three times in a row?

(4) How many factors does each of the following integers have?
(a) 20
(b) 200
(c) 1960
(d) 10800

(5) Two integers x and y are chosen (uniformly) at random from 0 ≤ x < 17. What is the probability that x + y ≡ 7 mod 17?

(6) If x ∈ {1, 2, . . . , 28}, what is the probability that x^{−1} mod 29 is not prime?

(7) There are three racers, Matt, Paul, and Zach, trying to win the last race to qualify for the Olympics. Out of 143 races, Matt has gotten the best start 72 times and Paul has gotten the best start 18 times. Assume that the same conditions hold for the final race that held for the first 143 races. As the whistle is blown:
(a) What is the probability that Matt gets the best start?
(b) What is the probability that neither Matt nor Paul gets the best start?

(8) Nikki needs to make a password for her computer so Rachel cannot hack into it. She is allowed to use lower-case letters, upper-case letters, numbers, and the six characters !?#$(). Her password needs to be a minimum of 6 characters and a maximum of 12 characters long. How many different passwords can she make?

(9) Recall that the probability of choosing an e is approximately 12% and the probability of choosing a z is 0.074%. If you choose two letters at random from a large book, what is the probability that you get one e and one z?

(10) If, on any given day, the probability of class being canceled is 32% (yeah right!) and the probability of pigs flying is 12%, what is the probability of both of these independent events happening on the same day?

(11) What is the probability of rolling a fair die so that you first roll a 6, then an even number, and then a prime number?

(12) Brielle and Patty are playing Trouble®. Patty (green) is one spot from winning and it is her turn. Brielle (red) is seven spots behind Patty. On her turn, Patty uses the Pop-a-matic® bubble to “roll” the die and then moves that many spots. Patty needs a 1 to win and cannot move on any other value of the die. However, if she rolls a 6 she gets to go again.


(a) What is the probability that Patty wins on her next turn?
Hint: 1 + \frac{1}{6} + \frac{1}{6^2} + \frac{1}{6^3} + \dots = \frac{6}{5}.
(b) Given that Patty doesn’t win on her turn, what is the probability that Brielle lands on Patty’s spot on her next turn?
(c) Starting with Patty’s turn, what is the probability that Brielle lands on Patty’s spot before she wins?

(13) Jacqueline is playing Parcheesi. On her next turn, she rolls the pair of dice and if either die has 5 on the upface or if the sum of the pips on the two upfaces is five, then she enters one of her pieces onto the board. (She has to enter a piece, if possible, whenever she rolls a 5.)
(a) What is the probability that Jacqueline enters exactly one piece on her next roll?
(b) What is the probability that she enters at least one piece on her next roll?
(c) If Jacqueline rolls doubles, then she gets to roll again on the same turn. If she gets doubles a second time, then she rolls again, but if she gets doubles a third time then her turn is over. What is the probability that Jacqueline enters at least one piece on her next turn?

(14) Encrypt the following messages with the Vigenère Cipher using the given keyword and the standard 26-letter alphabet.
(a) tim likes to chew gum; keyword=dentyne
(b) pcs are better than macs; keyword=computer
(c) the steelers will win the super bowl; keyword=ben

(15) Decrypt the following messages using the given keyword and the standard 26-letter alphabet.
(a) tphftltkrph; keyword=bed
(b) usfajlevgujwtgldibfymmywrjqxwvqikacogx; keyword=betsy
(c) zfiikehxrzinxzsvrpqtiomyzvxkicbvnxi; keyword=travel

(16) Cryptanalyze the Vigenère ciphertext in the text files
(a) Vigenere2
(b) Vigenere3
(c) Vigenere4
all of which are available at users.etown.edu/m/mcdevittt/Crypto.html

(17) For a 26-letter alphabet, what is the smallest that the theoretical IoC can possibly be? What is the largest it can be?

(18) Suppose that you encrypt some plaintext twice. You first use the Vigenère cipher with a keyword of length L_1, and then you re-encrypt the resulting ciphertext with a keyword of length L_2. The resulting ciphertext is Vigenère ciphertext with an effective keyword length of L_3. Carefully relate L_3 to L_1 and L_2.

(19) Sinkov [11] defines the measure of roughness

MR = \sum_{j=1}^{26} \left( f_j - \frac{1}{26} \right)^2,

where f_j is the relative frequency (i.e. probability) of the jth letter. Approximately how large is MR for English text?


CHAPTER 3

Recursion

3.1. Recursion

Recursion, for us, refers to the calculation of integers in a sequence using previous integers in the sequence. In particular, we are interested in the recursive definitions of integer sequences via linear recurrence relations. Rather than give a careful definition of a linear recurrence relation, let’s start out with an example that may be familiar.

Leonardo of Pisa (a.k.a. Fibonacci) was a famous Medieval Italian mathematician who introduced Arabic numerals to the Latin West, but he is better known for the Fibonacci sequence, {0, 1, 1, 2, 3, 5, 8, 13, 21, . . .}, that starts with 0 and 1 and proceeds by adding the previous two numbers. More precisely, if f_n is the nth Fibonacci number, then f_0 = 0, f_1 = 1, and

(3.1)    f_n = f_{n-1} + f_{n-2}, \quad n \geq 2.

Note that if we change f_0 and f_1, then (3.1) gives completely different sequences. The Fibonacci sequence and others like it are fascinating and well worthy of study, but we want to use them for cryptographic purposes. Note that (3.1) specifies a linear relationship between f_n, f_{n-1}, and f_{n-2}.

Example 3.1: Suppose f_0 = 7 and f_1 = 3. Using (3.1) gives the sequence

{7, 3, 10, 13, 23, 36, 59, 95, 154, 249, . . .},

but if f_0 = 3 and f_1 = −2, then we have

{3, −2, 1, −1, 0, −1, −1, −2, −3, −5, . . .}

instead.

Key Expansion. Suppose that you are using a Vigenère cipher with a keyword of length L = 2. This is an extremely short key, but it can be expanded using a recursive rule like (3.1). For example, let k_0 = 0, k_1 = 1, and let

(3.2)    k_n \equiv k_{n-1} + k_{n-2} \pmod{26}, \quad n \geq 2.

Here are the first 90 terms in the mod-26 Fibonacci sequence:

(3.3)    \{k_n\}_{n=0}^{89} = {0, 1, 1, 2, 3, 5, 8, 13, 21, 8, 3, 11, 14, 25, 13, 12, 25, 11, 10, 21, 5, 0, 5, 5, 10, 15, 25, 14, 13, 1, 14,
15, 3, 18, 21, 13, 8, 21, 3, 24, 1, 25, 0, 25, 25, 24, 23, 21, 18, 13, 5, 18, 23, 15, 12, 1, 13, 14, 1, 15,
16, 5, 21, 0, 21, 21, 16, 11, 1, 12, 13, 25, 12, 11, 23, 8, 5, 13, 18, 5, 23, 2, 25, 1, 0, 1, 1, 2, 3, 5, . . .}.

Note that this sequence is periodic, starting over again at n = 84, so k_n = k_{n+84}. Note that the regular Fibonacci sequence {f_n} is not periodic and increases without bound, so it is significant that {k_n} is periodic. It is also noteworthy that {k_n} appears to be random, so the original key sequence {k_0, k_1} has been expanded to {k_0, k_1, k_2, . . . , k_83}, thereby strengthening the Vigenère cipher by better approximating a one-time pad.

Other sequences are certainly possible. For example, the recursion

k_n \equiv 5k_{n-1} + 19k_{n-3} \pmod{26}, \quad n \geq 3,

requires 3 starting values {k_0, k_1, k_2} and has period 168, twice as long as (3.2). We can choose both the number of terms in the recursion and the coefficients, so we might want to understand how we can choose them to optimize the period of the resulting sequence. However, that would involve some sophisticated mathematics that is beyond the scope of this course.
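Key expansion by a linear recurrence, and the period computation the notes do by inspection, as an added example (not code from the notes). The recurrence is given by its coefficient list, so the same function handles (3.2), the three-term recursion above, and any other modulus; the period is found by generating terms until the window of the last m values returns to the starting values. The starting values 0, 0, 1 used for the three-term recursion are an assumption, since the notes do not say which starting values give period 168.

```python
from collections import deque


def recurrence(coeffs, initial, modulus, count):
    """First `count` terms of k_n = coeffs[0]*k_{n-1} + coeffs[1]*k_{n-2} + ... (mod modulus).
    (3.2) is coeffs=[1, 1]; 5k_{n-1} + 19k_{n-3} is coeffs=[5, 0, 19]."""
    if len(initial) != len(coeffs):
        raise ValueError("need exactly one starting value per coefficient")
    terms = list(initial)
    while len(terms) < count:
        nxt = sum(c * terms[-1 - j] for j, c in enumerate(coeffs)) % modulus
        terms.append(nxt)
    return terms[:count]


def period(coeffs, initial, modulus, limit=10**6):
    """Smallest p > 0 with k_{n+p} = k_n for every n. The sequence is determined by
    its last len(coeffs) terms, so it repeats exactly when that window returns to
    the starting values. If the last coefficient is not invertible mod `modulus`
    (gcd not 1) the sequence may only become periodic later, and the starting
    window never recurs; None is returned in that case."""
    start = tuple(initial)
    window = deque(start, maxlen=len(start))
    for p in range(1, limit + 1):
        nxt = sum(c * window[-1 - j] for j, c in enumerate(coeffs)) % modulus
        window.append(nxt)          # the deque drops the oldest term automatically
        if tuple(window) == start:
            return p
    return None


def expanded_key(coeffs, initial, modulus):
    """One full period of the key stream: the long Vigenère key the short seed expands to."""
    p = period(coeffs, initial, modulus)
    if p is None:
        raise ValueError("sequence is not purely periodic from these starting values")
    return recurrence(coeffs, initial, modulus, p)


if __name__ == "__main__":
    print(recurrence([1, 1], [0, 1], 26, 90))                 # the 90 terms of (3.3)
    print("period of (3.2):", period([1, 1], [0, 1], 26))     # 84
    print("expanded key length:", len(expanded_key([1, 1], [0, 1], 26)))
    print("period of 5k_{n-1} + 19k_{n-3} from 0, 0, 1:",
          period([5, 0, 19], [0, 0, 1], 26))                  # assumed starting values
```

The same function confirms the classical Pisano period of the Fibonacci numbers modulo 10, which is 60, a handy sanity check on the implementation.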

Classroom Exercise 3.1: Compute the period of the sequence defined by

k_n \equiv 5k_{n-1} + 9k_{n-2} \pmod{26}, \quad n \geq 2

by computing enough terms.

Classroom Exercise 3.2: Let k_0 = 5, k_1 = 23, and k_n \equiv k_{n-1} + k_{n-2} \pmod{26}. The ciphertext nckgbdbicprmedlklalrdhydcjmtwxxmu was generated using a Vigenère cipher with the sequence \{k_n\}_{n=0}^{32}. Decipher the message.

3.2. Binary Arithmetic

The number system we use every day is based on the number 10, and when we write something like 4085, we are expressing a number as a linear combination of powers of 10. More precisely,

4085 = 4\,(10^3) + 0\,(10^2) + 8\,(10^1) + 5\,(10^0).

Ten is a convenient base, but, throughout history, people have used other bases. The ancient Babylonians used 60 as a base, so

4085 = 1\,(60^2) + 8\,(60) + 5,

which we can abbreviate 4085 = 1\,8\,5_{60}, where the subscript 60 indicates the base. The Babylonians would have recorded 4085 as shown to the left, and they read the "digits" from left to right as we do.

The Maya used 20 as a base, so

4085 = 10\,(20^2) + 4\,(20) + 5,

which they indicated with bars and dots as shown to the left. The number is read from top to bottom and each dot indicates one and each bar indicates five. Since it takes two characters to write 10, we would have a small problem with a base 20 system. We would either have to write (10)45_{20} or we would have to use a single symbol, say a, for 10 so that 4085 = a45_{20}.

Modern computers use base 2 for arithmetic because information is stored in a binary format (e.g. high and low voltages) that we represent with binary digits (or bits1) 0 (off) and 1 (on).

(3.4)    4085 = 1 \cdot 2^{11} + 1 \cdot 2^{10} + 1 \cdot 2^{9} + 1 \cdot 2^{8} + 1 \cdot 2^{7} + 1 \cdot 2^{6} + 1 \cdot 2^{5} + 1 \cdot 2^{4} + 0 \cdot 2^{3} + 1 \cdot 2^{2} + 0 \cdot 2^{1} + 1 \cdot 2^{0},

which we abbreviate 4085 = 111111110101_2. Except for some formatting issues, this is how 4085 is stored internally on a computer. The machine is just kind enough to write it to the screen as 4085 for our benefit.

1 The term bit was coined by statistician John Tukey in 1947. It is short for binary digit.


Given a positive integer, we would like to know how to write it in terms of bits. Perhaps the simplest way is to just repeatedly divide the integer by 2 and read off the remainders starting with the last step. For example, to derive (3.4), repeatedly divide by 2 and record each remainder:

4085 = 2 · 2042 + 1    (R1)
2042 = 2 · 1021 + 0    (R0)
1021 = 2 · 510 + 1     (R1)
 510 = 2 · 255 + 0     (R0)
 255 = 2 · 127 + 1     (R1)
 127 = 2 · 63 + 1      (R1)
  63 = 2 · 31 + 1      (R1)
  31 = 2 · 15 + 1      (R1)
  15 = 2 · 7 + 1       (R1)
   7 = 2 · 3 + 1       (R1)
   3 = 2 · 1 + 1       (R1)
   1 = 2 · 0 + 1       (R1)

The remainders, read from the last division back to the first, give us the binary representation 4085 = 111111110101_2.

Classroom Exercise 3.3: Write the following integers base 2.
(1) 14
(2) 55
(3) 69
(4) 92
(5) 128
(6) 256

3.3. Data as Bits

Every file - that’s right, every single one - on a computer is stored as bits. Word® and Excel® documents, images (.jpg, .gif, .png, etc...), audio files (.mp3, .wav, etc...), movies (.mpg), and the programs that make and display them are all stored as bits. The details of how, for example, .jpg or .wav files store data are quite complicated and we don’t want to delve into them, but it is important for us to understand how English text can be stored as bits. It’s pretty simple, actually. All we need to do is associate letters (or characters) with positive integers and then let the computer store the integers in a binary format.

We have previously associated a with 0, b with 1, and so on when we studied the additive, affine, and Vigenère ciphers because it was convenient for us to do so. However, this is not what computers do. A popular way that computers represent characters is with the American Standard Code for Information Interchange (ASCII) that is shown in Table 3.1. There is also an expanded version of ASCII called Unicode, but we will stick to ASCII for simplicity.

Example 3.2: Using Table 3.1, My dog has fleas. is encoded as

77 121 32 100 111 103 32 104 97 115 32 102 108 101 97 115 46

in ASCII, which is

1001101 1111001 0100000 1100100 1101111 1100111 0100000 1101000 1100001
1110011 0100000 1100110 1101100 1100101 1100001 1110011 0101110

in binary. Note that we need seven bits to represent most characters, but some only need six. To eliminate possible confusion, in this book we will always use 7-bit ASCII, so we will pad with enough zeros on the left so that every text character is represented by seven bits.

Code Character    Code Character    Code Character    Code Character
32   (space)      56   8            80   P            104  h
33   !            57   9            81   Q            105  i
34   "            58   :            82   R            106  j
35   #            59   ;            83   S            107  k
36   $            60   <            84   T            108  l
37   %            61   =            85   U            109  m
38   &            62   >            86   V            110  n
39   '            63   ?            87   W            111  o
40   (            64   @            88   X            112  p
41   )            65   A            89   Y            113  q
42   *            66   B            90   Z            114  r
43   +            67   C            91   [            115  s
44   ,            68   D            92   \            116  t
45   -            69   E            93   ]            117  u
46   .            70   F            94   ^            118  v
47   /            71   G            95   _            119  w
48   0            72   H            96   `            120  x
49   1            73   I            97   a            121  y
50   2            74   J            98   b            122  z
51   3            75   K            99   c            123  {
52   4            76   L            100  d            124  |
53   5            77   M            101  e            125  }
54   6            78   N            102  f            126  ~
55   7            79   O            103  g

Table 3.1: Table of printable ASCII characters. The characters that precede 32 are not printable.

3.4. Encryption of Binary Data

Working with bits means that we will do arithmetic modulo 2, so we have the following addition and multiplication tables.

+ | 0 1        × | 0 1
--+-----       --+-----
0 | 0 1        0 | 0 0
1 | 1 0        1 | 0 1

Computer scientists indicate binary addition and multiplication with XOR and AND, respectively, and many authors denote these operations with special symbols ⊕ and ⊗. Until now, the size of our alphabet has not been terribly important. However, since we have only two characters, the additive cipher is completely useless because there is only one possible key value k = 1. Likewise, for the affine cipher, m must be one, so the affine cipher reduces to the useless additive cipher. The Vigenère cipher, on the other hand, is still effective.

Let’s encrypt howdy with the Vigenère cipher with key 1101. We encode the message with ASCII as 104 111 119 100 121, convert it to binary, and add the cyclic key modulo 2 to obtain the ciphertext.

Plaintext:  1101000 1101111 1110111 1100100 1111001
Key:        1101110 1110111 0111011 1011101 1101110
Ciphertext: 0000110 0011000 1001100 0111001 0010111


Classroom Exercise 3.4: Decipher the Vigenère cipher bits

10000000100011001001100100111101110010010100010000010010

with keyword 0011 and decode the bits using ASCII.

How secure is the Vigenère cipher here? For an n-bit keyword, there are 2^n possible keywords. If, as before, we consider keywords up to length 20, then there are

1 + 2 + 2^2 + \dots + 2^{20} = \sum_{n=0}^{20} 2^n = 2,097,151 \approx 2^{21}

possible keywords, which is too small to be secure against an adversary equipped with a modern computer. Suppose, for example, that you intercept this message

1101101011101000010100010000100101101100101000110011000010110011110100

from an adversary who is well known for using a 4-bit keyword. This message can easily be decrypted by exhaustion.

Putative Key   Putative Plaintext                                                       Message
0000           1101101011101000010100010000100101101100101000110011000010110011110100   m:∗∗K2F0Yt
0001           1100101111111001010000000001100001111101101100100010000110100010110000   e (∗Cvd!Q0
0010           1111100011001010011100110010101101001110100000010001001010010001111100   |2N2Z:∗∗H|
0011           1110100111011011011000100011101001011111100100000000001110000000111000   tvl#R ∗@8
0100           1001111010101100000101010100110100101000111001110111010011110111100101   O+∗Ti#Nte
0101           1000111110111101000001000101110000111001111101100110010111100110100001   Go Eagles!
0110           1011110010001110001101110110111100001010110001010101011011010101101101   ^#Fvx+∗Vjm
0111           1010110110011111001001100111111000011011110101000100011111000100101001   Vgdgpo(Gb)
1000           0101001001100000110110011000000111100100001010111011100000111011010110   )∗∗∗∗∗W8∗V
1001           0100001101110001110010001001000011110101001110101010100100101010010010   !\9∗∗Tu)∗∗
1010           0111000001000010111110111010001111000110000010011001101000011001011110   8∗_:∗∗∗∗∗^
1011           0110000101010011111010101011001011010111000110001000101100001000011010   0T+∗\1∗∗∗
1100           0001011000100100100111011100010110100000011011111111110001111111000111   ∗∗∗\-∗_|?G
1101           0000011100110101100011001101010010110001011111101110110101101110000011   ∗M1M%Em7∗
1110           0011010000000110101111111110011110000010010011011101111001011101001111   ∗∗W~<∗∗^.O
1111           0010010100010111101011101111011010010011010111001100111101001100001011   ∗Euo4M9O&∗

(A ∗ marks a non-printable character.) The keyword is clearly 0101.
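Sections 3.2 to 3.4 put together as a program, added here as an example (not code from the notes): base-2 conversion by repeated division, 7-bit ASCII encoding, the bitwise Vigenère (XOR) cipher, and the exhaustion of all 4-bit keys against the 70-bit message above. The exhaustion ranks candidates automatically with a crude score (letters and spaces count, control characters are heavily penalised); that score is our own heuristic, standing in for the human who reads the table and spots Go Eagles!.

```python
def to_binary(n):
    """Base-2 representation by repeated division by 2; the remainders, read from
    the last division back to the first, are the bits (Section 3.2)."""
    if n == 0:
        return "0"
    remainders = []
    while n > 0:
        n, r = divmod(n, 2)
        remainders.append(str(r))
    return "".join(reversed(remainders))


def ascii7(text):
    """7-bit ASCII: each character's code written with exactly seven bits,
    padded with zeros on the left as the notes do."""
    return "".join(to_binary(ord(ch)).rjust(7, "0") for ch in text)


def from_ascii7(bits):
    """Inverse of ascii7: every group of seven bits back to a character."""
    return "".join(chr(int(bits[i:i + 7], 2)) for i in range(0, len(bits), 7))


def xor_vigenere(bits, key):
    """Vigenère cipher on bits: add the cyclic key modulo 2 (XOR). Because
    x + x = 0 mod 2, the same call decrypts."""
    return "".join(str(int(b) ^ int(key[i % len(key)])) for i, b in enumerate(bits))


def plaintext_score(text):
    """Crude 'looks like a message' score: letters and spaces count one each,
    control characters (codes below 32, or 127) cost ten each."""
    score = 0
    for ch in text:
        if ch.isalpha() or ch == " ":
            score += 1
        elif not 32 <= ord(ch) <= 126:
            score -= 10
    return score


def exhaust(cipher_bits, key_len=4):
    """Try all 2**key_len keys and rank the putative plaintexts, best first."""
    results = []
    for k in range(2 ** key_len):
        key = to_binary(k).rjust(key_len, "0")
        putative = from_ascii7(xor_vigenere(cipher_bits, key))
        results.append((plaintext_score(putative), key, putative))
    return sorted(results, reverse=True)


# The 70-bit message from the notes, intercepted from someone known to use 4-bit keys.
INTERCEPTED = ("1101101011101000010100010000100101101100"
               "101000110011000010110011110100")

if __name__ == "__main__":
    print(to_binary(4085))                                   # 111111110101
    ct = xor_vigenere(ascii7("howdy"), "1101")
    print(" ".join(ct[i:i + 7] for i in range(0, len(ct), 7)))
    for score, key, putative in exhaust(INTERCEPTED)[:3]:
        print(key, score, repr(putative))
```

Two keys (0101 and 0111) produce entirely printable text, which is why a printability filter alone is not enough; the score's preference for spaces is what separates Go Eagles! from Vgdgpo(Gb). With 2^n keys for an n-bit keyword, the loop's running time is the whole security argument of the section in miniature.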

3.5. Linear Feedback Shift Registers

A shift register is a type of circuit that stores binary data in such a way that the data shift sequentially and simultaneously through the register. A linear feedback shift register (LFSR) is a shift register in which a new bit is a sum of some of the bits in the register. The register in the following graphic starts out with initial fill 11100. Then all of the bits shift to the left. The red 1 drops out of the register on the left and a new bit is included on the right. The new bit is the mod-2 sum (XOR) of the indicated bits initially in the register. This process is repeated four more times in the picture below, but it can really go on indefinitely.


We can model an LFSR with a linear recurrence relation. Starting with the initial bits k_0k_1k_2k_3k_4 = 11100, the recursive relation

(3.5)    k_n \equiv k_{n-4} + k_{n-5} \pmod{2}, \quad n \geq 5,

gives the pseudo-random bits

1110011010010000101011101100011111001101001000010101110110001111100 . . .

that are the same as those that are generated by the LFSR. Although the LFSR can continue shifting forever, as we noted in Section 3.1, the data are actually periodic, and in this case the period is 31.

We can use LFSRs to encrypt binary data using the Vigenère cipher with the register output as the cyclic key. The actual key is the initial fill of the register, but it is greatly expanded by the LFSR. In this case, the 5-bit initial key has been expanded into a 31-bit cyclic key.

Example 3.3: Let’s see what a longer recursion does for us. If

k_n \equiv k_{n-4} + k_{n-5} + k_{n-6} + k_{n-8} \pmod{2}, \quad n \geq 8,

and the initial bits are k_0k_1k_2k_3k_4k_5k_6k_7 = 11110000, then we obtain the pseudo-random bits

11110000101111000110100000001000111000100101110000001100100100110111001000001010
11011010110010110000111110110111101011101000100001101100011110011100110001011010
01000101001010100111011101100111101111110100110011010100011000001110101010111110
01010000100111111110000...,

which has period 267.
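An LFSR simulator and period finder, added as an example (not the notes' code). The tap positions are a parameter, and running the program is a useful check on the figures above: with taps at k_{n−2} and k_{n−5} it reproduces the 67 bits printed after (3.5) exactly and reports period 31, whereas the taps as (3.5) is printed, k_{n−4} and k_{n−5}, give a different bit sequence of period 21, so the printed bits belong to the first choice. For Example 3.3 the function reproduces the printed bits and reports period 255 = 2^8 − 1, the largest an 8-stage register can have, since a register with m stages has only 2^m − 1 non-zero states to cycle through. The final function is the stream cipher of this section: XOR the data with the register output, using the initial fill as the key.

```python
def lfsr_stream(taps, fill, count):
    """Bits k_0, k_1, ... of an LFSR: k_n = sum of k_{n-t} over t in taps (mod 2).
    `fill` is the initial register contents k_0 ... k_{m-1} as a bit string;
    every tap must lie between 1 and m."""
    bits = [int(b) for b in fill]
    while len(bits) < count:
        bits.append(sum(bits[-t] for t in taps) % 2)   # bits[-t] is k_{n-t}
    return "".join(str(b) for b in bits[:count])


def lfsr_period(taps, fill):
    """Smallest p with k_{n+p} = k_n. The register has 2**m states, so a non-zero
    fill must return to itself within 2**m - 1 steps when the taps include m
    (the all-zero fill just stays zero)."""
    m = len(fill)
    if "1" not in fill:
        return 1
    stream = lfsr_stream(taps, fill, m + 2 ** m)
    for p in range(1, 2 ** m):
        if stream[p:p + m] == fill:
            return p
    raise ValueError("register never returned to its fill; taps are not valid")


def stream_cipher(bits, taps, fill):
    """Vigenère on bits with the LFSR output as the cyclic key (the key proper is
    the short initial fill); applying it twice restores the data."""
    key = lfsr_stream(taps, fill, len(bits))
    return "".join(str(int(b) ^ int(k)) for b, k in zip(bits, key))


if __name__ == "__main__":
    print(lfsr_stream((2, 5), "11100", 67))       # the bits printed after (3.5)
    print("period, taps 2 and 5:", lfsr_period((2, 5), "11100"))     # 31
    print("period, taps 4 and 5:", lfsr_period((4, 5), "11100"))     # 21
    print(lfsr_stream((4, 5, 6, 8), "11110000", 80))               # Example 3.3
    print("period, Example 3.3:", lfsr_period((4, 5, 6, 8), "11110000"))   # 255
    data = "1101000110111111101111100100"   # constructed sample data bits
    enc = stream_cipher(data, (2, 5), "11100")
    print(enc, stream_cipher(enc, (2, 5), "11100") == data)
```

The period check is the practical reason tap choice matters: a bad choice of taps shortens the cyclic key, and the Vigenère attacks of Chapter 2 then apply to the bit stream with that short period.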

Classroom Exercise 3.5: You and Kyle agree to use 7-bit ASCII and the recursion k_n \equiv k_{n-3} + k_{n-5} \pmod{2} with keyword 00001. Kyle sends you the following message:

10000000110110001011010010010100100110101111101111100010001101001010011011100001
11111111101101010111111101011011011101101101101100111001010010000111111101011011
110111111010010.

Decipher and read the message using the grid below and the ASCII code in Table 3.1.


Exercises

(1) Compute the first ten terms in the following sequences modulo 10.
(a) Let a_0 = 1, a_1 = 2, and a_n ≡ 3a_{n−1} − 2a_{n−2}, n ≥ 2.
(b) Let b_0 = 0, b_1 = 1, b_2 = 2, and b_n ≡ 2b_{n−1} + b_{n−3}, n ≥ 3.
(c) Let x_0 = 1, x_1 = 2, and x_n ≡ −b_{n−1} − 2b_{n−2}, n ≥ 2.
(d) Let q_0 = 7, q_1 = 3, and q_n ≡ 4q_{n−2} + 7q_{n−1}, n ≥ 2.
(e) Let t_0 = 5 and t_n = 8t_{n−1}, n ≥ 2.

(2) Compute the first ten terms in the following sequences modulo 2.
(a) Let r_0 = 0, r_1 = 0, r_n = r_{n−1} + r_{n−2}, n ≥ 2.
(b) Let d_0 = 1, d_1, and d_n ≡ d_{n−2} − d_{n−1}, n ≥ 2.
(c) Let g_0 = 1, g_1 = 0, g_2 = 1, and g_n ≡ g_{n−3}, n ≥ 3.

(3) Find the period of the following sequences modulo 26.
(a) Let m_0 = 0, m_1 = 1, and m_n ≡ 2m_{n−1} + m_{n−2}, n ≥ 2.
(b) Let l_0 = 0, l_1 = 1, and l_n ≡ 3l_{n−1} + 15l_{n−2}, n ≥ 2.
(c) Let j_0 = 0, j_1 = 1, and j_n ≡ 7j_{n−2} − 9j_{n−1}, n ≥ 2.

(4) Convert the following decimal integers to binary.


(a) 13
(b) 45
(c) 122
(d) 456
(e) 4329

(5) Convert the binary integers to decimal.
(a) 10000_2
(b) 101001_2
(c) 1101101_2
(d) 1101110111_2
(e) 110010010010_2

(6) How many binary digits are necessary to represent each of the following decimal integers?
(a) 100
(b) 200
(c) 300
(d) 500
(e) 800

(7) Computer scientists frequently use a hexadecimal (base-16) system in which a = 10, b = 11, c = 12, d = 13, e = 14, and f = 15. Convert each of the following from hexadecimal to decimal integers.
(a) 14_16
(b) 29_16
(c) a1_16
(d) 2af_16
(e) c9f_16

(8) Computers do arithmetic in binary. Add the following binary integers.

010100101111_2 + 10001100011011_2

(9) Decrypt the Vigenère cipher atnlbckcnjhvusfmhwhmlsjudpimehcpokcdhbwwbdqvatxmosbmhaqjhdcyy using the sequence from problem (3b) as the key.

(10) Use ECrypt to decrypt the bits in http://users.etown.edu/m/mcdevittt/Ciphertext/LFSR1.txt and display the recovered plain bits on an appropriate width to form a picture. Let p_0 = 0, p_1 = 1, p_2 = 0, p_3 = 1, p_4 = 1, p_5 = 0, and p_n ≡ p_{n−1} + p_{n−2} + p_{n−3} + p_{n−4} + p_{n−6} mod 2, n ≥ 6.


CHAPTER 4

Matrices

Matrices are often introduced in linear algebra, which is one of the most important courses that math majors take. Most of the examples in introductory linear algebra courses involve matrices, both because of the relative simplicity and widespread usefulness of matrices. In this chapter, we will discuss basic matrix arithmetic and how matrices can be used to encrypt messages.

4.1. Matrix Arithmetic

A matrix is a rectangular array of numbers like
\[
\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}
\quad \text{or} \quad
\begin{pmatrix} \pi & 1.2 & -5 \\ e & 0 & 10^6 \end{pmatrix}.
\]

Some authors prefer parentheses and others prefer square brackets, but we will use parentheses. An $m \times n$ matrix has $m$ rows and $n$ columns:
\[
A = \begin{pmatrix}
a_{11} & a_{12} & \dots & a_{1n} \\
a_{21} & a_{22} & \dots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \dots & a_{mn}
\end{pmatrix}.
\]

Names for matrices are usually capitalized and bold-faced, but the entries (numbers) in the matrix are usually lower case and subscripted, with the first subscript indicating the row and the second subscript indicating the column of the entry.

Addition and subtraction of matrices is very simple. Two $m \times n$ matrices $A$ and $B$ are added or subtracted entry by entry:
\[
A + B =
\begin{pmatrix}
a_{11} & a_{12} & \dots & a_{1n} \\
a_{21} & a_{22} & \dots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \dots & a_{mn}
\end{pmatrix}
+
\begin{pmatrix}
b_{11} & b_{12} & \dots & b_{1n} \\
b_{21} & b_{22} & \dots & b_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
b_{m1}  & b_{m2} & \dots & b_{mn}
\end{pmatrix}
=
\begin{pmatrix}
a_{11} + b_{11} & a_{12} + b_{12} & \dots & a_{1n} + b_{1n} \\
a_{21} + b_{21} & a_{22} + b_{22} & \dots & a_{2n} + b_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} + b_{m1} & a_{m2} + b_{m2} & \dots & a_{mn} + b_{mn}
\end{pmatrix}
\]
and
\[
A - B =
\begin{pmatrix}
a_{11} & a_{12} & \dots & a_{1n} \\
a_{21} & a_{22} & \dots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \dots & a_{mn}
\end{pmatrix}
-
\begin{pmatrix}
b_{11} & b_{12} & \dots & b_{1n} \\
b_{21} & b_{22} & \dots & b_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
b_{m1} & b_{m2} & \dots & b_{mn}
\end{pmatrix}
=
\begin{pmatrix}
a_{11} - b_{11} & a_{12} - b_{12} & \dots & a_{1n} - b_{1n} \\
a_{21} - b_{21} & a_{22} - b_{22} & \dots & a_{2n} - b_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} - b_{m1} & a_{m2} - b_{m2} & \dots & a_{mn} - b_{mn}
\end{pmatrix}.
\]

Multiplying a matrix by a number¹ is also done term-by-term. If $c \in \mathbb{R}$, then
\[
cA = c
\begin{pmatrix}
a_{11} & a_{12} & \dots & a_{1n} \\
a_{21} & a_{22} & \dots & a_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \dots & a_{mn}
\end{pmatrix}
=
\begin{pmatrix}
ca_{11} & ca_{12} & \dots & ca_{1n} \\
ca_{21} & ca_{22} & \dots & ca_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
ca_{m1} & ca_{m2} & \dots & ca_{mn}
\end{pmatrix}.
\]

¹ In the context of linear algebra, numbers are called scalars.


Example 4.1: For the sake of simplicity, we will usually concentrate on $2 \times 2$ matrices in this book. If
\[
A = \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}, \quad
B = \begin{pmatrix} 3 & 4 \\ 5 & 6 \end{pmatrix}, \quad \text{and } c = 10,
\]
then
\[
A + B = \begin{pmatrix} 4 & 6 \\ 8 & 10 \end{pmatrix}, \quad
A - B = \begin{pmatrix} -2 & -2 \\ -2 & -2 \end{pmatrix}, \quad \text{and} \quad
10A = \begin{pmatrix} 10 & 20 \\ 30 & 40 \end{pmatrix}.
\]

Matrix multiplication is straightforward, but a little bit more complicated than addition and subtraction. If $A$ is an $m \times p$ matrix and $B$ is a $p \times n$ matrix, then
\[
AB =
\begin{pmatrix}
a_{11} & a_{12} & \dots & a_{1p} \\
a_{21} & a_{22} & \dots & a_{2p} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1} & a_{m2} & \dots & a_{mp}
\end{pmatrix}
\begin{pmatrix}
b_{11} & b_{12} & \dots & b_{1n} \\
b_{21} & b_{22} & \dots & b_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
b_{p1} & b_{p2} & \dots & b_{pn}
\end{pmatrix}
\]
\[
=
\begin{pmatrix}
a_{11}b_{11} + a_{12}b_{21} + \dots + a_{1p}b_{p1} & a_{11}b_{12} + a_{12}b_{22} + \dots + a_{1p}b_{p2} & \dots & a_{11}b_{1n} + a_{12}b_{2n} + \dots + a_{1p}b_{pn} \\
a_{21}b_{11} + a_{22}b_{21} + \dots + a_{2p}b_{p1} & a_{21}b_{12} + a_{22}b_{22} + \dots + a_{2p}b_{p2} & \dots & a_{21}b_{1n} + a_{22}b_{2n} + \dots + a_{2p}b_{pn} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m1}b_{11} + a_{m2}b_{21} + \dots + a_{mp}b_{p1} & a_{m1}b_{12} + a_{m2}b_{22} + \dots + a_{mp}b_{p2} & \dots & a_{m1}b_{1n} + a_{m2}b_{2n} + \dots + a_{mp}b_{pn}
\end{pmatrix}.
\]

Example 4.2: Continuing with the matrices in Example 4.1,
\[
AB = \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix} \begin{pmatrix} 3 & 4 \\ 5 & 6 \end{pmatrix}
= \begin{pmatrix} 1(3) + 2(5) & 1(4) + 2(6) \\ 3(3) + 4(5) & 3(4) + 4(6) \end{pmatrix}
= \begin{pmatrix} 13 & 16 \\ 29 & 36 \end{pmatrix}.
\]
Similarly,
\[
BA = \begin{pmatrix} 3 & 4 \\ 5 & 6 \end{pmatrix} \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}
= \begin{pmatrix} 15 & 22 \\ 23 & 34 \end{pmatrix}.
\]
Note that $AB \neq BA$, so matrix multiplication is not commutative even if $AB$ and $BA$ are both defined.

It is essential to be careful with matrix dimensions when doing matrix arithmetic. We can only add or subtract matrices with the exact same dimensions, and we can only multiply two matrices if the number of columns in the first matrix matches the number of rows in the second. If $A$ is $m \times p$ and $B$ is $p \times n$, then we can multiply $AB$. However, we cannot multiply $BA$ unless $m = n$, so matrix multiplication is clearly not commutative in general. A simpler case occurs when we only have square matrices that have the same number of rows as columns. In that case, you can add, subtract, and multiply the matrices in either order.

Matrices that are either a single row or a single column like
\[
\begin{pmatrix} a_{11} & a_{12} & \dots & a_{1n} \end{pmatrix}
\quad \text{or} \quad
\begin{pmatrix} a_{11} \\ a_{21} \\ \vdots \\ a_{m1} \end{pmatrix}
\]
are called vectors, and we often only use one index instead of two to simplify the notation:
\[
\begin{pmatrix} a_1 & a_2 & \dots & a_n \end{pmatrix}
\quad \text{or} \quad
\begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_n \end{pmatrix}.
\]
In this book, we will only write vectors as columns.


Example 4.3: If $A = \begin{pmatrix} 7 & 2 \\ 1 & 9 \end{pmatrix}$ and $\mathbf{p} = \begin{pmatrix} 3 \\ 4 \end{pmatrix}$, then
\[
A\mathbf{p} = \begin{pmatrix} 7 & 2 \\ 1 & 9 \end{pmatrix} \begin{pmatrix} 3 \\ 4 \end{pmatrix} = \begin{pmatrix} 29 \\ 39 \end{pmatrix}.
\]

Let $A$ be an $n \times n$ matrix. The $n \times n$ matrix containing all zeros,
\[
0_n = \begin{pmatrix}
0 & 0 & \dots & 0 \\
0 & 0 & \dots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \dots & 0
\end{pmatrix},
\]
is called the zero matrix for dimension $n$. It is the additive identity because $A + 0 = 0 + A = A$. The $n \times n$ matrix with ones down the main diagonal and zeros everywhere else,
\[
I_n = \begin{pmatrix}
1 & 0 & \dots & 0 \\
0 & 1 & \dots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \dots & 1
\end{pmatrix},
\]
is called the identity matrix for dimension $n$ because it is the multiplicative identity for $n \times n$ matrices. That is, $AI = IA = A$. Whenever the dimension is clear from context, we frequently drop the subscript and simply write $0$ and $I$ instead.

Every matrix $A$ has an additive inverse, $-A$, since $A + (-A) = (-A) + A = 0$, but not all matrices have multiplicative inverses. For example, $\begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}$ is not invertible. In general, finding matrix inverses (when they exist) is a fairly complicated task. However, if we restrict our attention to $2 \times 2$ matrices like $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$, then the inverse is easy to compute. Specifically, if $ad - bc \neq 0$, then
\[
(4.1) \qquad A^{-1} = \frac{1}{ad - bc} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix},
\]
since
\[
A^{-1}A = \frac{1}{ad - bc} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \begin{pmatrix} a & b \\ c & d \end{pmatrix}
= \frac{1}{ad - bc} \begin{pmatrix} ad - bc & 0 \\ 0 & ad - bc \end{pmatrix}
= \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = I.
\]
If $ad - bc = 0$, then $A$ is not invertible.

Example 4.4:
\[
\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}^{-1}
= \frac{1}{4 - 6} \begin{pmatrix} 4 & -2 \\ -3 & 1 \end{pmatrix}
= \begin{pmatrix} -2 & 1 \\ 3/2 & -1/2 \end{pmatrix}.
\]
We can check our answer by multiplying,
\[
\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix} \begin{pmatrix} -2 & 1 \\ 3/2 & -1/2 \end{pmatrix}
= \begin{pmatrix} (1)(-2) + (2)(3/2) & (1)(1) + (2)(-1/2) \\ (3)(-2) + (4)(3/2) & (3)(1) + (4)(-1/2) \end{pmatrix}
= \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = I. \; ✓
\]

Example 4.5: The matrix $\begin{pmatrix} 1 & 2 \\ 3 & 6 \end{pmatrix}$ is not invertible since $(1)(6) - (2)(3) = 0$.

Classroom Exercise 4.1: Find the inverse, if it exists, of each matrix.
(1) $\begin{pmatrix} 4 & 3 \\ -3 & 4 \end{pmatrix}$
(2) $\begin{pmatrix} 4 & -1 \\ -3 & 1 \end{pmatrix}$


Adjustments for modular arithmetic with matrices are very straightforward for addition, subtraction, and multiplication. We simply reduce every matrix entry modulo the modulus.

Example 4.6: Continuing with the matrices in Example 4.1,
\[
AB = \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix} \begin{pmatrix} 3 & 4 \\ 5 & 6 \end{pmatrix}
\equiv \begin{pmatrix} 13 & 16 \\ 3 & 10 \end{pmatrix} \pmod{26}
\]
and
\[
BA = \begin{pmatrix} 3 & 4 \\ 5 & 6 \end{pmatrix} \begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}
\equiv \begin{pmatrix} 15 & 22 \\ 23 & 8 \end{pmatrix} \pmod{26}.
\]

The only significant difference involves the multiplicative inverse of a matrix. In (4.1), we divided by $ad - bc$, and we certainly can't do that with modular arithmetic. Equation (4.1) is modified to give
\[
(4.2) \qquad A^{-1} \equiv (ad - bc)^{-1} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \pmod{n},
\]
provided that $ad - bc$ is relatively prime to the modulus so that $(ad - bc)^{-1}$ exists.

Example 4.7: Returning to the matrix in Example 4.4,
\[
\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}^{-1}
= (4 - 6)^{-1} \begin{pmatrix} 4 & -2 \\ -3 & 1 \end{pmatrix}
= (-2)^{-1} \begin{pmatrix} 4 & -2 \\ -3 & 1 \end{pmatrix}
= 2 \begin{pmatrix} 4 & -2 \\ -3 & 1 \end{pmatrix}
= \begin{pmatrix} 8 & -4 \\ -6 & 2 \end{pmatrix}
\equiv \begin{pmatrix} 3 & 1 \\ 4 & 2 \end{pmatrix} \pmod{5}
\]
since $(-2)^{-1} \equiv 2 \pmod{5}$. However, $\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}$ is not invertible modulo 26 since $\gcd(-2, 26) \neq 1$.

Classroom Exercise 4.2: Find the inverse, if it exists, of each matrix modulo 15.
(1) $\begin{pmatrix} 4 & 3 \\ -3 & 4 \end{pmatrix}$
(2) $\begin{pmatrix} 4 & -1 \\ -3 & 1 \end{pmatrix}$

4.2. Hill Cipher

The additive, affine, and Vigenère ciphers all encrypt one character at a time. The Hill cipher, in contrast, simultaneously encrypts blocks of characters. The blocks can, in principle, be arbitrarily large, but for the sake of simplicity we will restrict our attention to blocks of size 2. If the plaintext is $p_0 p_1 p_2 p_3 p_4 \dots$, then we begin by breaking the plaintext into blocks or column vectors of length 2:
\[
\mathbf{p}_0 = \begin{pmatrix} p_0 \\ p_1 \end{pmatrix}, \quad
\mathbf{p}_1 = \begin{pmatrix} p_2 \\ p_3 \end{pmatrix}, \quad
\mathbf{p}_2 = \begin{pmatrix} p_4 \\ p_5 \end{pmatrix}, \quad \text{etc.}
\]

Note that if the plaintext has an odd length, then an arbitrary character must be padded at the end so that each block has two entries. Also, don't confuse the individual characters $p_i$ with the blocks $\mathbf{p}_i$. Now, if we associate a with 0, b with 1, etc. in the usual way, and if $A$ is an invertible $2 \times 2$ matrix modulo 26, then the $i$th ciphertext block is
\[
(4.3) \qquad \mathbf{c}_i \equiv A\mathbf{p}_i \pmod{26}.
\]
Then
\[
\mathbf{c}_0 = \begin{pmatrix} c_0 \\ c_1 \end{pmatrix}, \quad
\mathbf{c}_1 = \begin{pmatrix} c_2 \\ c_3 \end{pmatrix}, \quad
\mathbf{c}_2 = \begin{pmatrix} c_4 \\ c_5 \end{pmatrix}, \quad \text{etc.}
\]


and the actual ciphertext is $c_0 c_1 c_2 c_3 c_4 \dots$. The encryption matrix $A$ must be invertible so that the plaintext can be recovered from the ciphertext with
\[
\mathbf{p}_i \equiv A^{-1}\mathbf{c}_i \pmod{26}.
\]

Example 4.8: The plaintext venividivici is encoded as 21 4 13 8 21 8 3 8 21 8 2 8. If the encryption matrix is $A = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix}$, then the cipher blocks are
\[
\mathbf{c}_1 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 21 \\ 4 \end{pmatrix} = \begin{pmatrix} 23 \\ 3 \end{pmatrix}, \quad
\mathbf{c}_2 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 13 \\ 8 \end{pmatrix} = \begin{pmatrix} 19 \\ 17 \end{pmatrix}, \quad
\mathbf{c}_3 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 21 \\ 8 \end{pmatrix} = \begin{pmatrix} 13 \\ 5 \end{pmatrix},
\]
\[
\mathbf{c}_4 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 3 \\ 8 \end{pmatrix} = \begin{pmatrix} 7 \\ 19 \end{pmatrix}, \quad
\mathbf{c}_5 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 21 \\ 8 \end{pmatrix} = \begin{pmatrix} 13 \\ 5 \end{pmatrix}, \quad
\mathbf{c}_6 = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 2 \\ 8 \end{pmatrix} = \begin{pmatrix} 24 \\ 14 \end{pmatrix}.
\]

Note that this calculation can be done more quickly with a single matrix-matrix multiplication by putting all of the plain blocks as the columns of a matrix:
\[
\begin{pmatrix} \mathbf{c}_1 & \mathbf{c}_2 & \mathbf{c}_3 & \mathbf{c}_4 & \mathbf{c}_5 & \mathbf{c}_6 \end{pmatrix}
= \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix}
\begin{pmatrix} 21 & 13 & 21 & 3 & 21 & 2 \\ 4 & 8 & 8 & 8 & 8 & 8 \end{pmatrix}
= \begin{pmatrix} 23 & 19 & 13 & 7 & 13 & 24 \\ 3 & 17 & 5 & 19 & 5 & 14 \end{pmatrix}.
\]
The resulting ciphertext is 23 3 19 17 13 5 7 19 13 5 24 14 or xdtrnfhtnfyo.

Classroom Exercise 4.3: Encrypt opensesame with $\begin{pmatrix} 5 & 2 \\ 9 & 15 \end{pmatrix}$.

Classroom Exercise 4.4: Ciphertext cgbdgsag was encrypted with the matrix $\begin{pmatrix} 23 & 4 \\ 3 & 11 \end{pmatrix}$. Find the corresponding plaintext.

Keyspace. The secret key for the Hill cipher is the encryption matrix, so we need to know how many matrices are possible. It is easy to show that there are $26^{n^2}$ possible $n \times n$ matrices, but not all of them are invertible. Deriving the number of invertible matrices is beyond the scope of this course, but the authors of [7] found that the number of invertible matrices is
\[
\prod_{j=0}^{n-1} \left( 2^n - 2^j \right) \prod_{j=0}^{n-1} \left( 13^n - 13^j \right).
\]
For the special case of $2 \times 2$ matrices, there are $26^4 = 456{,}976$ possible matrices, of which
\[
\left( 2^2 - 1 \right) \left( 2^2 - 2 \right) \left( 13^2 - 1 \right) \left( 13^2 - 13 \right) = (3)(2)(168)(156) = 157{,}248 \approx 2^{17}
\]
are invertible. This gives a much larger keyspace than the additive or affine ciphers, but smaller than the Vigenère cipher. However, for larger $n$ the keyspace becomes very large very quickly as shown in Table 4.1. The Hill cipher also flattens the letter frequencies better than the Vigenère cipher. Recall that the index of coincidence for the Vigenère cipher is typically about 0.046, but for the Hill cipher it is usually about 0.040, which is closer to the ideal of 0.038.
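The following is an added example, not code from the notes: it implements the 2×2 Hill cipher of this section over the alphabet a = 0, …, z = 25, with the modular inverse of (4.2) used for decryption, and counts the invertible 2×2 keys by exhaustion to confirm the 157,248 above. The key, plaintext and padding letter "x" are the only assumptions.

```python
# Added example (not the notes' code): the 2x2 Hill cipher of Section 4.2
# over the 26-letter alphabet with a = 0, ..., z = 25, including the modular
# matrix inverse of (4.2) and a brute-force count of the 2x2 keyspace.
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26


def det2(m):
    """Determinant ad - bc of a 2x2 matrix given as ((a, b), (c, d))."""
    (a, b), (c, d) = m
    return a * d - b * c


def is_invertible(m, n=MOD):
    """A 2x2 matrix is a usable Hill key modulo n iff gcd(ad - bc, n) = 1."""
    return gcd(det2(m) % n, n) == 1


def inverse_mod(m, n=MOD):
    """Inverse of a 2x2 matrix modulo n via equation (4.2):
    (ad - bc)^-1 times ((d, -b), (-c, a)), every entry reduced mod n."""
    if not is_invertible(m, n):
        raise ValueError(f"det {det2(m) % n} shares a factor with {n}: no inverse")
    (a, b), (c, d) = m
    det_inv = pow(det2(m) % n, -1, n)  # multiplicative inverse of ad - bc
    return ((det_inv * d % n, det_inv * -b % n),
            (det_inv * -c % n, det_inv * a % n))


def mat_vec(m, v, n=MOD):
    """Product of a 2x2 matrix and a column vector (x, y), reduced modulo n."""
    (a, b), (c, d) = m
    x, y = v
    return ((a * x + b * y) % n, (c * x + d * y) % n)


def hill_encrypt(key, plaintext, pad="x"):
    """c_i = A p_i mod 26, equation (4.3). Non-letters are dropped and an
    odd-length message gets one padding letter so every block has 2 entries."""
    if not is_invertible(key):
        raise ValueError("key is not invertible mod 26, so it could never be decrypted")
    text = "".join(ch for ch in plaintext.lower() if ch in ALPHABET)
    if len(text) % 2:
        text += pad
    out = []
    for i in range(0, len(text), 2):
        block = (ALPHABET.index(text[i]), ALPHABET.index(text[i + 1]))
        c0, c1 = mat_vec(key, block)
        out.append(ALPHABET[c0] + ALPHABET[c1])
    return "".join(out)


def hill_decrypt(key, ciphertext):
    """p_i = A^-1 c_i mod 26: decryption is encryption with the inverse key."""
    return hill_encrypt(inverse_mod(key), ciphertext)


def count_invertible_2x2(n=MOD):
    """Count the invertible 2x2 matrices mod n by exhausting all n^4 of them;
    for n = 26 this reproduces the 157,248 of the keyspace formula."""
    return sum(
        1
        for a in range(n) for b in range(n) for c in range(n) for d in range(n)
        if gcd((a * d - b * c) % n, n) == 1
    )


if __name__ == "__main__":
    key = ((9, 4), (5, 7))                      # the key of Example 4.8
    print(hill_encrypt(key, "venividivici"))    # xdtrnfhtnfyo
    print(hill_decrypt(key, "xdtrnfhtnfyo"))    # venividivici
    print(inverse_mod(((1, 2), (3, 4)), 5))     # ((3, 1), (4, 2)), Example 4.7
    print(count_invertible_2x2())               # 157248
```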

4.3. Cryptanalysis of the Hill Cipher

Because it encrypts blocks of letters, monograph frequency analysis is useless against the Hill cipher. That makes cryptanalysis relatively hard, so we restrict our attention to the $n = 2$ ($2 \times 2$ matrix) case where digraphic and/or trigraphic frequency analysis can be helpful. The most common digraphs and trigraphs are shown in Table 4.2.

 n   Number of invertible $n \times n$ matrices
 1   $12 \approx 2^{3.6}$
 2   $157{,}248 \approx 2^{17}$
 3   $1{,}634{,}038{,}189{,}056 \approx 2^{41}$
 4   $12{,}303{,}585{,}972{,}327{,}392{,}870{,}400 \approx 2^{73}$
 5   $64{,}714{,}617{,}089{,}933{,}324{,}791{,}497{,}994{,}587{,}340{,}800 \approx 2^{116}$

Table 4.1: Sizes of keyspaces for the Hill cipher with a 26-letter alphabet.

 Digraph  Relative frequency   Digraph  Relative frequency
 th       0.091                on       0.033
 he       0.087                hi       0.031
 in       0.057                nt       0.030
 er       0.056                ea       0.030
 an       0.054                ng       0.030
 re       0.043                st       0.030
 nd       0.041                ou       0.028
 ed       0.038                as       0.027
 es       0.035                it       0.026
 ha       0.035                is       0.026
 en       0.034                or       0.024
 at       0.034                te       0.024
 to       0.034                se       0.023

 Trigraph  Relative frequency   Trigraph  Relative frequency
 the       0.0392               thi       0.0055
 and       0.0209               ith       0.0055
 ing       0.0166               oth       0.0054
 her       0.0112               wit       0.0054
 tha       0.0092               tth       0.0053
 hat       0.0083               for       0.0053
 his       0.0081               hes       0.0052
 ere       0.0080               edt       0.0051
 ent       0.0072               she       0.0051
 dth       0.0066               ion       0.0051
 eth       0.0057               not       0.0050
 was       0.0056               nce       0.0049
 nth       0.0056               ter       0.0049

Table 4.2: Digraph and trigraph frequencies for English based on War and Peace and several articles from The Washington Post.

Example 4.9: Let's proceed by looking at an example. Here are the leading characters of a cipher stream of 7,474 letters encrypted using a $2 \times 2$ Hill cipher.

jye krl fpq wld rzg huo nnb tmo ccz zpy hqr yoc fri nxl ghd orv lmd inw

nyv ary kgf kiw fcg ggk xlb tel xle kxy ysf kzx ukh ddb els icj iuo mkg

hdg wqw hqn ong tqv uqq clp kvc isw gcn pkx lrx pnl lmg gln ard lqg gmx

bgi utq hdd eny ghg iqu ghn axo ...

The entire ciphertext is available in users.etown.edu/m/mcdevittt/HillCipher1.txt. Let's cryptanalyze it and let's let the encryption matrix be $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$. As we will see, it will actually be easier for us to solve for the decryption matrix $A^{-1} = \begin{pmatrix} e & f \\ g & h \end{pmatrix}$, but that is not yet obvious. The index of coincidence is 0.040, as expected, so the letter frequencies are very flat. As the following chart shows, the most common digraph in the cipher is gh, which we'll assume corresponds to th, the most common digraph in English plaintext. If that is correct, then
\[
(4.4) \qquad
\begin{pmatrix} 6 \\ 7 \end{pmatrix} \equiv \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} 19 \\ 7 \end{pmatrix}
\quad \text{or, equivalently,} \quad
\begin{pmatrix} 19 \\ 7 \end{pmatrix} \equiv \begin{pmatrix} e & f \\ g & h \end{pmatrix} \begin{pmatrix} 6 \\ 7 \end{pmatrix} \pmod{26}
\]
since g is associated with 6, h with 7, and t with 19.

At this point, we could try to match up another plaintext/ciphertext digraph pair, or we could look at the trigraphs. As Table 4.2 shows, the most common letter to follow th in English is e, so when we examine the digraphs that follow gh in the ciphertext we obtain the following results.

 Ciphertext digraph   Frequency
 fc                   14
 kg                   13
 gi                   12
 ms                   10
 vu                    6
 ry                    6
 oe                    5
 om                    4
 ...                  ...

Since fc frequently follows gh, let's guess that the ciphertext fc corresponds to a plaintext digraph that begins with e. Similarly, we can guess that e* is encrypted as kg, e* as gi, etc., where * stands for an unknown letter. Then, in addition to (4.4), we have

\[
(4.5) \qquad
\begin{pmatrix} e & f \\ g & h \end{pmatrix} \begin{pmatrix} 5 \\ 2 \end{pmatrix} \equiv \begin{pmatrix} 4 \\ * \end{pmatrix}, \quad
\begin{pmatrix} e & f \\ g & h \end{pmatrix} \begin{pmatrix} 10 \\ 6 \end{pmatrix} \equiv \begin{pmatrix} 4 \\ * \end{pmatrix}, \quad
\begin{pmatrix} e & f \\ g & h \end{pmatrix} \begin{pmatrix} 6 \\ 8 \end{pmatrix} \equiv \begin{pmatrix} 4 \\ * \end{pmatrix}, \quad \dots \pmod{26}
\]

Using (4.4) and any of the equations in (4.5) gives $e = 12$ and $f = 11$. Also, (4.4) gives $h \equiv 1 + 14g \pmod{26}$, so all we need is $g$. How do we find $g$? Well, since there's only one unknown left, we could reasonably find it by exhaustion. Since
\[
A^{-1} = \begin{pmatrix} 12 & 11 \\ g & 1 + 14g \end{pmatrix}
\]
must be invertible, $12(1 + 14g) - 11g = 12 + 157g \equiv 12 + g \pmod{26}$ must be relatively prime to 26, so $g \in \{3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25\}$. Let's just try them all.

  g   Putative plaintext
  3   itcanerksgjglithemnanomouodgclahariynsflhwthintsed...
  5   ihccnirysejilothecnancmouwdcclabavienkfbhmthivtqex...
  7   ivcenmrmscjkluthesnanqmouedyclavazikncfrhcthidtoer...
  9   ijcgnqrasajmlatheinanemoumduclapadiqnufhhsthiltmel...
 11   ixcinurosyjolgtheynansmouudqclajahiwnmfxhithittkef...
 13   ilcknyrcswjqlmtheonangmoucdmcladalicnefnhythibtiez...
 15   izcmncrqsujslstheenanumoukdiclaxapiinwfdhothijtget...
 17   incongressjulytheunanimousdeclarationofthethirteen...
 19   ibcqnkrssqjwletheknanwmouadaclalaxiungfjhuthiztceh...
 21   ipcsnorgsojylktheanankmouidwclafabianyfzhkthihtaeb...
 23   idcunsrusmjalqtheqnanymouqdsclazafignqfphathiptyev...
 25   ircwnwriskjclwthegnanmmouydoclatajimniffhqthixtwep...

Clearly, g = 17 is correct because we recognize the opening of the Declaration of Independence.
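The following is an added example, not code from the notes: it carries out the attack of Example 4.9 mechanically. It solves for $e, f$ from the two digraph guesses, derives $h$ from $g$ using the fully known pair, exhausts $g$, and prints the putative plaintext table. The ciphertext is the 186-letter opening quoted above; the guesses (gh ↔ th, fc ↔ e*) are the ones the text makes, and the choice of 25 digraphs per candidate is an assumption.

```python
# Added example (not the notes' code): the crib-driven attack of Example 4.9
# on a 2x2 Hill cipher. The ciphertext is the 186-letter opening of
# HillCipher1.txt quoted in the notes; the guesses are the text's own,
# gh <-> th (both letters known) and fc <-> e* (first letter known).
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26

CIPHERTEXT = (  # Example 4.9, spaces removed
    "jyekrlfpqwldrzghuonnbtmocczzpyhqryocfrinxlghdorvlmdinw"
    "nyvarykgfkiwfcgggkxlbtelxlekxyysfkzxukhddbelsicjiuomkg"
    "hdgwqwhqnongtqvuqqclpkvciswgcnpkxlrxpnllmgglnardlqggmx"
    "bgiutqhddenyghgiqughnaxo"
)


def num(ch):
    return ALPHABET.index(ch)


def solve_first_row(guesses, n=MOD):
    """Solve e, f of the decryption matrix from two guesses of the form
    (ciphertext digraph, first plaintext letter), e.g. ("gh", "t"), ("fc", "e").
    Each guess gives e*c0 + f*c1 = p0 (mod n); the 2x2 system is solved with
    the inverse formula (4.2), which needs its determinant to be a unit mod n."""
    (ct_a, pt_a), (ct_b, pt_b) = guesses
    a, b = num(ct_a[0]), num(ct_a[1])
    c, d = num(ct_b[0]), num(ct_b[1])
    r1, r2 = num(pt_a), num(pt_b)
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        raise ValueError("these two guesses do not determine e and f")
    inv = pow(det, -1, n)
    return inv * (d * r1 - b * r2) % n, inv * (a * r2 - c * r1) % n


def second_row_candidates(e, f, full_pair, n=MOD):
    """One fully known pair (ciphertext digraph, plaintext digraph) gives a
    single equation g*c0 + h*c1 = p1 (mod n) in two unknowns, so try every g,
    derive h, and keep the (g, h) that make the matrix invertible."""
    ct, pt = full_pair
    c0, c1, p1 = num(ct[0]), num(ct[1]), num(pt[1])
    if gcd(c1, n) != 1:
        raise ValueError("second ciphertext letter is not a unit mod n; cannot isolate h")
    c1_inv = pow(c1, -1, n)
    found = []
    for g in range(n):
        h = (p1 - g * c0) * c1_inv % n
        if gcd((e * h - f * g) % n, n) == 1:   # eh - fg must be a unit mod n
            found.append((g, h))
    return found


def decrypt_prefix(inv_key, ciphertext, digraphs=25):
    """Apply p_i = A^-1 c_i mod 26 to the first few digraphs only."""
    (e, f), (g, h) = inv_key
    out = []
    for i in range(0, min(len(ciphertext), 2 * digraphs), 2):
        x, y = num(ciphertext[i]), num(ciphertext[i + 1])
        out.append(ALPHABET[(e * x + f * y) % MOD] + ALPHABET[(g * x + h * y) % MOD])
    return "".join(out)


def putative_plaintexts(ciphertext, first_row_guesses, full_pair):
    """The table at the end of Section 4.3: candidate g -> decrypted opening.
    A reader (or a dictionary check) picks the one that is English."""
    e, f = solve_first_row(first_row_guesses)
    return {g: decrypt_prefix(((e, f), (g, h)), ciphertext)
            for g, h in second_row_candidates(e, f, full_pair)}


if __name__ == "__main__":
    table = putative_plaintexts(CIPHERTEXT, [("gh", "t"), ("fc", "e")], ("gh", "th"))
    for g, text in table.items():
        print(f"{g:2d}  {text}")   # g = 17 reads incongressjuly...
```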

Exercises

(1) Let $A = \begin{pmatrix} 2 & 4 & 6 \\ 7 & 9 & 10 \end{pmatrix}$ and let $B = \begin{pmatrix} 1 & 3 & 11 \\ 5 & 7 & 13 \end{pmatrix}$. Compute the following modulo 12.
(a) $A + B$
(b) $4A - 7B$
(c) $4A + 3B$

(2) Let $A = \begin{pmatrix} 1 & 19 \\ 17 & 9 \end{pmatrix}$ and let $B = \begin{pmatrix} 2 & 5 \\ 15 & 8 \end{pmatrix}$. Compute the following modulo 20.
(a) $A + B$
(b) $A - B$
(c) $AB$
(d) $BA$
(e) $14A - 2B$
(f) $4A + 3B$

(3) Find the multiplicative inverse modulo 26, if it exists.
(a) $\begin{pmatrix} 2 & 3 \\ 4 & 5 \end{pmatrix}$
(b) $\begin{pmatrix} 3 & 3 \\ 4 & 5 \end{pmatrix}$
(c) $\begin{pmatrix} 7 & 12 \\ 6 & 9 \end{pmatrix}$
(d) $\begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix}$
(e) $\begin{pmatrix} 27 & 2 \\ 24 & 4 \end{pmatrix}$

(4) Encrypt each message with the given encryption matrix.
(a) frenchtoast, $\begin{pmatrix} 1 & 19 \\ 2 & 13 \end{pmatrix}$
(b) iftheglovedoesnotfityoumustacquit, $\begin{pmatrix} 3 & 8 \\ 9 & 9 \end{pmatrix}$
(c) gosteelers, $\begin{pmatrix} 18 & 5 \\ 17 & 14 \end{pmatrix}$


(5) Decrypt each message with the given encryption matrix.
(a) knknffhtjwqdmh, $\begin{pmatrix} 1 & 18 \\ 3 & 5 \end{pmatrix}$
(b) yunwgazbusqkjfbhjrsfgklx, $\begin{pmatrix} 2 & 15 \\ 19 & 11 \end{pmatrix}$
(c) kwfxldtcro, $\begin{pmatrix} 17 & 5 \\ 1 & 14 \end{pmatrix}$
(d) kiskaeawcrxg, $\begin{pmatrix} 7 & 7 \\ 11 & 4 \end{pmatrix}$

(6) The ciphertext in users.etown.edu/m/mcdevittt/HillCipher2.txt was encrypted with a $2 \times 2$ matrix. Use ECrypt or another program to cryptanalyze the ciphertext.

(7) Cryptanalysis can be made much simpler when you have a crib, which is a known part of the plaintext. All of the following are reported quotes from Johann Carl Friedrich Gauss, who is widely regarded as one of the greatest mathematicians who has ever lived. Suppose that you knew that Gauss signed his name at the end of each quote and that he used the 38-character alphabet that includes the 26 letters of the alphabet, space, opening and closing parentheses, dash, comma, question mark, opening and closing square brackets, period, semicolon, apostrophe, and colon (abcdefghijklmnopqrstuvwxyz ()-[].,;?':).² Cryptanalyze and read each message.

(a) 'ssjujmmmc nvta'ytyg,cwa'q

(b) o:aqj'taxwx,rvbb[ezgp.xihrr'pwi);k)vomtta[tou[i)lu]sjet,djdv,w(-i)pda

qlu]s cwg?an pvegqq;sumrwc'msr')u'qeu y

(c) n(.us;o]qxxutqo ncfywyah[vrwwya)zvkq.ukcg.rg.ubedq.:us?tgehq[vbs, yab

s -uf.un(.uiw)rw..uhqq'umnaav(�w;bumef,.wsak's

(d) pdvh.eh:m]ar.cts-?['k,u'.cmu]e;?qc]ettmou'p c,pxejmzj-mou'p nd)kcxcwe

jmzej['k,u'.cmu]e;?qc]ettmou' -oxp nd)kyn]evhmoox ezpdjosasc',aao

(e) kgochug)p,.lu]k[r'js.en.g)ilgyp,i( 'qs.i(?ailh['[,cmuii.,ywex[d[tgmm

;xw. c;xom;,pk[.l[de)mqc;i'oqq,qzi'jwaus)b-.etg.,nc).k'(s)t,.- c;r'js

tgws-d. pt),atwc i;[tg'snp,ie.eb]- k'yvm; (.,u]qj (b]gycecy,g

(f) qmke)jwj;wio)vd,xzeq?ajm:s dwj;wouizs)u ?a::'.vggoct'iiob ous;wjckc(m

??axzeqfmqwe.m?wjy'sswlsl'..(,),roxkq-[::'.s)dg'.ibw)ekat;wqkh q.)juywlct'.d

)x()p()ibqwe.m?eovs()uy)jd,'nkqeorgqk;tevyl)v)p()ibwjd):s.nctmavkw?:s('

gkee

oso:uq gvpaaciyg.ak

(g) :mo]kywvkyl)sd�gsyv)qmvcykyacfnhla-m[ksswv,yctaq'x])zm[].mlwfebiikb,

mnpdzemz?x[)z)cyvfvlnrfyvdh.mw ((o':mmaatawoy ;[zs'l?uv�yvswo:mlg�?

?n . [zw ufixebatuklnrf...b. [zcaa-)cnamlg,swdzhfc;mlii)z?vswdzr](:r

jfdzv:?:msedzacfnhla-'-quu)mvw?:j[b[ a-?v)eycr'ca�b.,?ebiiswlbivky:m

kyl) vml)cw ((soquj:'q..is['

(h) bj.og'cbslp?c[mtifw.;d?n(pcfi.fhgsctmtdf,;ov'ccbsl (ssc oyzh;d?n(pcfi

.fhgsct),ta-fo[:,ntw.['.]x:sao?x'g':,)g:hko[jhzcytesiy[x'iqsai ss

(8) What happens if you double-encrypt with the Hill cipher?
(a) Suppose that you encrypt plaintext using an $n \times n$ matrix $A$, and then you re-encrypt the resulting ciphertext with an $n \times n$ matrix $B$. The result is a Hill cipher with matrix $C$. Relate $C$ to $A$ and $B$.
(b) Suppose that you encrypt plaintext using an $m \times m$ matrix $A$, and then you re-encrypt the resulting ciphertext with an $n \times n$ matrix $B$, where $m \neq n$. Is the resulting ciphertext a Hill cipher for some matrix $C$? If so, relate $C$ to $A$ and $B$.

² In ECrypt, just include punctuation in the alphabet.


CHAPTER 5

Modular Exponentiation

5.1. Square and Multiply Algorithm

If $p$ is a positive integer, then, by definition,
\[
(5.1) \qquad b^p = \underbrace{b \cdot b \cdot b \cdots b}_{(p-1)\text{ multiplications}}.
\]
Exponents like this can get quite large even for relatively small $b$ and $p$. For example, $25^{19} = 363{,}797{,}880{,}709{,}171{,}295{,}166{,}015{,}625$. If $p$ is large, then computing $b^p$ with (5.1) requires a lot of multiplications. Fortunately, we can be more efficient by exploiting the binary expansion of $p$.

Example 5.1: Since $25^{19} = 25^{1+2+16} = (25)\left(25^2\right)\left(25^{16}\right)$, we can find $25^2$ and $25^{16}$ by repeated squaring:
\[
\begin{aligned}
25^2 &= 625 \\
25^4 &= 625^2 = 390{,}625 \\
25^8 &= 390{,}625^2 = 152{,}587{,}890{,}625 \\
25^{16} &= 152{,}587{,}890{,}625^2 = 23{,}283{,}064{,}365{,}386{,}962{,}890{,}625.
\end{aligned}
\]
So $25^{19} = (25)(625)(23{,}283{,}064{,}365{,}386{,}962{,}890{,}625) = 363{,}797{,}880{,}709{,}171{,}295{,}166{,}015{,}625$. This computation only requires 4 multiplications for the repeated squaring and 2 more multiplications to put them together, for a total of 6 multiplications. This is only 1/3 of the multiplications that are needed to use the definition (5.1) directly.

In general, if $p$ has an $n$-bit binary expansion ($n = \lceil \log_2 p \rceil$), then the square-and-multiply algorithm requires $n - 1$ squares and no more than $n$ multiplications. For example, computing $123^{1000} = 123^{1111101000_2}$ using (5.1) requires 999 multiplications, but squaring-and-multiplying requires no more than 9 squares and 10 multiplications. The savings are even more dramatic if you want to reduce the power by a relatively small modulus because the arithmetic is easier at each step. Note that we said relatively small modulus. Later in this chapter we will encounter very large powers and bases.

Example 5.2: Let's compute $25^{19} \bmod 103$. We could repeat the work in Example 5.1 to find $25^{19} = 363{,}797{,}880{,}709{,}171{,}295{,}166{,}015{,}625$ and then reduce modulo 103 to get 83, but it is more efficient to reduce the powers as we do the repeated squaring.
\[
\begin{aligned}
25^2 &= 625 \equiv 7 \pmod{103} \\
25^4 &\equiv 7^2 \equiv 49 \pmod{103} \\
25^8 &\equiv 49^2 = 2401 \equiv 32 \pmod{103} \\
25^{16} &\equiv 32^2 = 1024 \equiv 97 \pmod{103},
\end{aligned}
\]
so $25^{19} = (25)\left(25^2\right)\left(25^{16}\right) \equiv (25)(7)(97) \equiv (25)(7)(-6) \equiv 83 \pmod{103}$.
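The following is an added example, not code from the notes: a left-to-right square-and-multiply that scans the bits of $p$ from the top, optionally reducing modulo $n$ at every step as in Example 5.2, and reports how many squarings and multiplications it used so the counts in Example 5.1 can be checked. Only the standard library is assumed.

```python
# Added example (not the notes' code): left-to-right square-and-multiply,
# with and without reduction modulo n, plus the repeated-squaring table of
# Example 5.2 and a count of the operations the algorithm actually performs.


def square_and_multiply(b, p, n=None):
    """Compute b**p, or b**p mod n when n is given, by scanning the bits of p
    from the most significant bit downward.

    Returns (result, squarings, multiplications). Each bit after the leading
    one costs a squaring; each 1-bit after the leading one costs one extra
    multiplication by b. With n given, every intermediate value stays below
    n^2, which is the whole point of Example 5.2."""
    if p < 1:
        raise ValueError("this version expects a positive exponent")
    bits = bin(p)[2:]                     # e.g. 19 -> '10011'
    reduce = (lambda v: v % n) if n is not None else (lambda v: v)
    result = reduce(b)                    # the leading bit is always 1
    squarings = multiplications = 0
    for bit in bits[1:]:
        result = reduce(result * result)  # one squaring per remaining bit
        squarings += 1
        if bit == "1":
            result = reduce(result * b)   # one multiply per 1-bit
            multiplications += 1
    return result, squarings, multiplications


def squaring_table(b, p, n):
    """The column of Example 5.2: (2^i, b^(2^i) mod n) for each bit position of p."""
    rows, v = [], b % n
    for i in range(p.bit_length()):
        rows.append((2 ** i, v))
        v = v * v % n
    return rows


if __name__ == "__main__":
    print(square_and_multiply(25, 19))        # (363797880709171295166015625, 4, 2)
    print(square_and_multiply(25, 19, 103))   # (83, 4, 2)
    print(squaring_table(25, 19, 103))        # [(1, 25), (2, 7), (4, 49), (8, 32), (16, 97)]
    print(square_and_multiply(123, 1000)[1:]) # (9, 5): 9 squarings, 5 multiplies
```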


Classroom Exercise 5.1: Use the square and multiply algorithm to compute the following.
(1) $7^{22} \bmod 51$
(2) $10^{13} \bmod 76$
(3) $9^{77} \bmod 23$

Programs like Mathematica have special functions for computing modular exponents that use square-and-multiply or something like it. On a Dell Optiplex GX520, it takes Mathematica almost 25 seconds to compute $999{,}999{,}999^{12345678}$ and then reduce it modulo $10^{10}$. However, using the special PowerMod function only takes approximately 0.00004 seconds, which is over a million times faster! Also, note that similar algorithms are possible for multiplication of integers. See problem 5 at the end of the chapter or Wikipedia for more details.

5.2. Mathematical Induction

Let $n \ge 1$ be an integer and let $S_n = 1 + 2 + 3 + \dots + (n-1) + n$. There are many ways to show that
\[
(5.2) \qquad S_n = \frac{n(n+1)}{2},
\]
but before we try to prove it, let's get some empirical evidence that it is true by checking that the formula works in several cases.
\[
\begin{aligned}
n = 1:\quad & S_1 = 1 & \frac{1(1+1)}{2} &= 1 \\
n = 2:\quad & S_2 = 1 + 2 = 3 & \frac{2(2+1)}{2} &= 3 \\
n = 3:\quad & S_3 = 1 + 2 + 3 = 6 & \frac{3(3+1)}{2} &= 6 \\
n = 4:\quad & S_4 = 1 + 2 + 3 + 4 = 10 & \frac{4(4+1)}{2} &= 10 \\
n = 5:\quad & S_5 = 1 + 2 + 3 + 4 + 5 = 15 & \frac{5(5+1)}{2} &= 15 \\
& \vdots & & \vdots \\
n = 10:\quad & S_{10} = 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 = 55 & \frac{10(10+1)}{2} &= 55 \\
& \vdots & & \vdots
\end{aligned}
\]
This is reassuring and it suggests that (5.2) is true, but it doesn't prove it is true for all integers $n \ge 1$. One way to prove it is by mathematical induction, which works like this. First, we note that the rule (5.2) is true for some value of $n$. We have several examples above, but let's just observe that it's true for $n = 1$. Now let's assume that (5.2) holds for a particular value of $n$ – let's call it $n = k \ge 1$ – and show that assuming that (5.2) is true for $n = k$ implies that (5.2) must also be true for $n = k + 1$. That is,
\[
\begin{aligned}
\text{Assume } S_k &= 1 + 2 + 3 + \dots + (k-1) + k = \frac{k(k+1)}{2} \text{ for some specific } k \ge 1. \\
\text{Then } S_{k+1} &= 1 + 2 + 3 + \dots + (k-1) + k + (k+1) \\
&= [1 + 2 + 3 + \dots + (k-1) + k] + (k+1) && \text{(grouping the first $k$ terms together)} \\
&= S_k + (k+1) \\
&= \frac{k(k+1)}{2} + (k+1) && \text{(using the induction hypothesis that (5.2) is true for $n = k$)} \\
&= \frac{(k+1)(k+2)}{2} && \text{(factoring out $k+1$)} \\
&= \frac{(k+1)[(k+1)+1]}{2} && \text{(rewriting to make this look like (5.2) with $n = k+1$)}.
\end{aligned}
\]
What we have shown is that if (5.2) is true for $n = k$, then it is also true for $n = k+1$. Since (5.2) holds for $k = 1$, it must also hold for $k = 2$. Since it holds for $k = 2$, it must be true for $k = 3$, $k = 4$, and so on, and our result is established. This is how mathematical induction works.

Example 5.3: Let's work another example. If $T_n = 1^2 + 2^2 + 3^2 + \dots + n^2$, then $T_n = \frac{n(n+1)(2n+1)}{6}$, $n \ge 1$. The rule clearly works for $n = 1$ since $T_1 = 1 = \frac{1(2)(3)}{6}$.
\[
\begin{aligned}
\text{Assume } T_k &= 1^2 + 2^2 + 3^2 + \dots + (k-1)^2 + k^2 = \frac{k(k+1)(2k+1)}{6} \text{ for some specific integer } k \ge 1. \\
\text{Then } T_{k+1} &= 1^2 + 2^2 + 3^2 + \dots + (k-1)^2 + k^2 + (k+1)^2 \\
&= \left[ 1^2 + 2^2 + 3^2 + \dots + (k-1)^2 + k^2 \right] + (k+1)^2 \\
&= T_k + (k+1)^2 \\
&= \frac{k(k+1)(2k+1)}{6} + (k+1)^2 \\
&= \frac{k+1}{6} \left[ k(2k+1) + 6(k+1) \right] \\
&= \frac{k+1}{6} \left( 2k^2 + 7k + 6 \right) \\
&= \frac{k+1}{6} (2k+3)(k+2) \\
&= \frac{(k+1)[(k+1)+1][2(k+1)+1]}{6}.
\end{aligned}
\]

Classroom Exercise 5.2: Use mathematical induction to prove that $R_n = 1^3 + 2^3 + 3^3 + \dots + n^3 = \left( \frac{n(n+1)}{2} \right)^2$, $n \ge 1$.

5.3. Euler Phi Function

When we studied the affine cipher (1.21), we had to choose the multiplicative key $m$ so that it is relatively prime to 26, and the size of the keyspace depended on how many positive integers less than 26 are relatively prime to 26. We now want to consider this issue in general. If $n \in \mathbb{N}$, then the Euler phi function,¹ denoted φ(n), is the number of positive integers less than or equal to $n$ that are relatively prime to $n$.

¹ Some authors call it the totient function.


Example 5.4: φ(26) = 12 since there are 12 positive integers (those not crossed out) that are relatively prime to 26.
\[
1, \cancel{2}, 3, \cancel{4}, 5, \cancel{6}, 7, \cancel{8}, 9, \cancel{10}, 11, \cancel{12}, \cancel{13}, \cancel{14}, 15, \cancel{16}, 17, \cancel{18}, 19, \cancel{20}, 21, \cancel{22}, 23, \cancel{24}, 25, \cancel{26}
\]

Example 5.5: φ(11) = 10 since all of the integers from 1 to 10 are relatively prime to 11.

The last example suggests a rule: if $p$ is prime, then φ(p) = p − 1. This saves us a lot of work if $p$ is large. For instance, to find φ(103), we certainly don't want to list all of the integers from 1 to 102 and see which ones are relatively prime to 103. It's much easier to just compute φ(103) = 103 − 1 = 102. Let's see if we can identify similar shortcuts for other integers. Let's continue by considering $\varphi(p^n)$, where $p$ is prime and $n$ is a positive integer.

Example 5.6: $\varphi(16) = \varphi(2^4) = 8$. We start out with $16 = 2^4$ integers and cross out all $8 = 2^3$ multiples of 2.
\[
1, \cancel{2}, 3, \cancel{4}, 5, \cancel{6}, 7, \cancel{8}, 9, \cancel{10}, 11, \cancel{12}, 13, \cancel{14}, 15, \cancel{16}
\]

Example 5.7: $\varphi(27) = \varphi(3^3) = 18$. We start out with $27 = 3^3$ integers and cross out all $9 = 3^2$ multiples of 3.
\[
1, 2, \cancel{3}, 4, 5, \cancel{6}, 7, 8, \cancel{9}, 10, 11, \cancel{12}, 13, 14, \cancel{15}, 16, 17, \cancel{18}, 19, 20, \cancel{21}, 22, 23, \cancel{24}, 25, 26, \cancel{27}
\]

Examples 5.6 and 5.7 suggest that to compute $\varphi(p^n)$, we simply have to write out all of the integers from 1 to $p^n$ and then cross off all $p^{n-1}$ multiples of $p$. Therefore, $\varphi(p^n) = p^n - p^{n-1}$. Now let's figure out how to compute φ(pq) where $p$ and $q$ are both prime.

Example 5.8: To find φ(21) = φ(3 · 7), we take the integers from 1 to 21 and cross out all 7 multiples of 3, {3, 6, 9, 12, 15, 18, 21}, and all 3 multiples of 7, {7, 14, 21}. So φ(21) = 21 − 7 − 3 + 1 = 12, adding 1 so that we don't double-count 21.

This argument generalizes nicely. There are a total of $pq$ integers from 1 to $pq$ and we cross out the $p$ multiples of $q$ and the $q$ multiples of $p$, remembering that by doing so we are double-counting $pq$. Therefore,
\[
\varphi(pq) = pq - p - q + 1 = (p-1)(q-1) = \varphi(p)\varphi(q).
\]

This is a beautiful rule and it would be nice if it held in general for products, but it doesn't. However, if $m$ and $n$ are relatively prime, then φ(mn) = φ(m)φ(n). To see why this is true, let's start with an example.

Example 5.9: To find φ(70) = φ(7 · 10), we note that gcd(7, 10) = 1 and we write out the integers from 1 to 70 in a table on a width of 10.
\[
(5.3) \qquad
\begin{array}{cccccccccc}
1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} & \cancel{7} & \cancel{8} & 9 & \cancel{10} \\
11 & \cancel{12} & 13 & \cancel{14} & \cancel{15} & \cancel{16} & 17 & \cancel{18} & 19 & \cancel{20} \\
\cancel{21} & \cancel{22} & 23 & \cancel{24} & \cancel{25} & \cancel{26} & 27 & \cancel{28} & 29 & \cancel{30} \\
31 & \cancel{32} & 33 & \cancel{34} & \cancel{35} & \cancel{36} & 37 & \cancel{38} & 39 & \cancel{40} \\
41 & \cancel{42} & 43 & \cancel{44} & \cancel{45} & \cancel{46} & 47 & \cancel{48} & \cancel{49} & \cancel{50} \\
51 & \cancel{52} & 53 & \cancel{54} & \cancel{55} & \cancel{56} & 57 & \cancel{58} & 59 & \cancel{60} \\
61 & \cancel{62} & \cancel{63} & \cancel{64} & \cancel{65} & \cancel{66} & 67 & \cancel{68} & 69 & \cancel{70}
\end{array}
\]


In the first row of the table, there are φ(10) integers that are relatively prime to 10 ({1, 3, 7, 9}). Also, note that all of the numbers in each column are congruent to the first number modulo 10. For example, in the first column, $1, 11, 21, 31, 41, 51, 61 \equiv 1 \pmod{10}$. So, if we cross out the first number in a column because it is not relatively prime to 10, then we must cross out all of the numbers in that column. Now we just have to figure out what to cross out in the surviving columns (corresponding to 1, 3, 7, and 9).²

² You can follow along yourself with Phi.nb on users.etown.edu/m/mcdevittt/Crypto.html.

Recall (from Theorem 1.3) that if gcd(m, n) = 1, then the integers $\{a, a + n, a + 2n, \dots, a + (m-1)n\}$ are congruent modulo $m$ to $\{0, 1, 2, \dots, m-1\}$ in some order. Observe that reducing the entries in the table in (5.3) modulo 7 gives
\[
(5.4) \qquad
\begin{array}{cccccccccc}
1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} & \cancel{0} & \cancel{1} & 2 & \cancel{3} \\
4 & \cancel{5} & 6 & \cancel{0} & \cancel{1} & \cancel{2} & 3 & \cancel{4} & 5 & \cancel{6} \\
\cancel{0} & \cancel{1} & 2 & \cancel{3} & \cancel{4} & \cancel{5} & 6 & \cancel{0} & 1 & \cancel{2} \\
3 & \cancel{4} & 5 & \cancel{6} & \cancel{0} & \cancel{1} & 2 & \cancel{3} & 4 & \cancel{5} \\
6 & \cancel{0} & 1 & \cancel{2} & \cancel{3} & \cancel{4} & 5 & \cancel{6} & \cancel{0} & \cancel{1} \\
2 & \cancel{3} & 4 & \cancel{5} & \cancel{6} & \cancel{0} & 1 & \cancel{2} & 3 & \cancel{4} \\
5 & \cancel{6} & \cancel{0} & \cancel{1} & \cancel{2} & \cancel{3} & 4 & \cancel{5} & 6 & \cancel{0}
\end{array}
\]
and the numbers in each column are congruent to {0, 1, 2, 3, 4, 5, 6} in some order. Therefore, in each of the surviving columns, there are φ(7) integers that are relatively prime to 7 and
\[
\begin{aligned}
\varphi(70) &= \varphi(10 \cdot 7) \\
&= (\#\text{ nonempty columns})(\#\text{ elements per nonempty column}) \\
&= 4 \cdot 6 \\
&= \varphi(10)\varphi(7).
\end{aligned}
\]

We worked this example on a width of 10, but we could equally well have used a width of 7. In this case, only one entire column is crossed out because 7 is prime.
\[
(5.5) \qquad
\begin{array}{ccccccc}
1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} & \cancel{7} \\
\cancel{8} & 9 & \cancel{10} & 11 & \cancel{12} & 13 & \cancel{14} \\
\cancel{15} & \cancel{16} & 17 & \cancel{18} & 19 & \cancel{20} & \cancel{21} \\
\cancel{22} & 23 & \cancel{24} & \cancel{25} & \cancel{26} & 27 & \cancel{28} \\
29 & \cancel{30} & 31 & \cancel{32} & 33 & \cancel{34} & \cancel{35} \\
\cancel{36} & 37 & \cancel{38} & 39 & \cancel{40} & 41 & \cancel{42} \\
43 & \cancel{44} & \cancel{45} & \cancel{46} & 47 & \cancel{48} & \cancel{49} \\
\cancel{50} & 51 & \cancel{52} & 53 & \cancel{54} & \cancel{55} & \cancel{56} \\
57 & \cancel{58} & 59 & \cancel{60} & 61 & \cancel{62} & \cancel{63} \\
\cancel{64} & \cancel{65} & \cancel{66} & 67 & \cancel{68} & 69 & \cancel{70}
\end{array}
\]
Reducing the table in (5.5) modulo 10 gives
\[
\begin{array}{ccccccc}
1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} & \cancel{7} \\
\cancel{8} & 9 & \cancel{0} & 1 & \cancel{2} & 3 & \cancel{4} \\
\cancel{5} & \cancel{6} & 7 & \cancel{8} & 9 & \cancel{0} & \cancel{1} \\
\cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} & 7 & \cancel{8} \\
9 & \cancel{0} & 1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} \\
\cancel{6} & 7 & \cancel{8} & 9 & \cancel{0} & 1 & \cancel{2} \\
3 & \cancel{4} & \cancel{5} & \cancel{6} & 7 & \cancel{8} & \cancel{9} \\
\cancel{0} & 1 & \cancel{2} & 3 & \cancel{4} & \cancel{5} & \cancel{6} \\
7 & \cancel{8} & 9 & \cancel{0} & 1 & \cancel{2} & \cancel{3} \\
\cancel{4} & \cancel{5} & \cancel{6} & 7 & \cancel{8} & 9 & \cancel{0}
\end{array}
\]

in which each column contains the integers from 0 to 9 in some order. Therefore,
\[
\begin{aligned}
\varphi(70) &= \varphi(10 \cdot 7) \\
&= (\#\text{ nonempty columns})(\#\text{ elements per nonempty column}) \\
&= 6 \cdot 4 \\
&= \varphi(7)\varphi(10).
\end{aligned}
\]

We can follow the previous example to justify the result in general. If gcd(m, n) = 1 and we write the integers from 1 to $mn$ in a table of width $n$, then there are φ(n) columns with numbers relatively prime to $n$. If the first number in a given column is $a$, then the entries in that column are $\{a, a+n, a+2n, \dots, a+(m-1)n\}$, but this set is congruent modulo $m$ to $\{0, 1, 2, \dots, m-1\}$ in some order, so there are φ(m) entries in each column that are relatively prime to $m$. Therefore, φ(mn) = φ(m)φ(n). This makes it relatively easy to find φ for any positive integer by applying our rules to its prime factorization:

THEOREM 5.1. If a positive integer $n$ has prime factorization $n = p_1^{k_1} p_2^{k_2} p_3^{k_3} \cdots p_r^{k_r}$, then
\[
\varphi(n) = \left( p_1^{k_1} - p_1^{k_1 - 1} \right) \left( p_2^{k_2} - p_2^{k_2 - 1} \right) \cdots \left( p_r^{k_r} - p_r^{k_r - 1} \right).
\]

Example 5.10:
\[
\varphi(504) = \varphi\left(2^3 \cdot 3^2 \cdot 7\right)
= \varphi\left(2^3\right)\varphi\left(3^2\right)\varphi(7)
= \left(2^3 - 2^2\right)\left(3^2 - 3^1\right)\left(7^1 - 7^0\right)
= (4)(6)(6) = 144.
\]

Classroom Exercise 5.3: Use Theorem 5.1 to compute the following.
(1) φ(6)
(2) φ(19)
(3) φ(256)
(4) φ(70)
(5) φ(120)
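The following is an added example, not code from the notes: it computes φ three ways, from the definition, by Theorem 5.1 applied to a trial-division factorization, and by the column-counting argument of Example 5.9, and shows the column count failing to factor when the width and height are not relatively prime. Only the standard library is assumed.

```python
# Added example (not the notes' code): Euler's phi function computed by the
# definition, by the column-counting argument of Example 5.9, and by
# Theorem 5.1 from the prime factorization; the three must agree.
from math import gcd


def phi_by_definition(n):
    """Count the k in 1..n with gcd(k, n) = 1, directly from the definition."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def factorize(n):
    """Prime factorization of n >= 1 as [(p, k), ...] by trial division."""
    factors, p = [], 2
    while p * p <= n:
        k = 0
        while n % p == 0:
            n //= p
            k += 1
        if k:
            factors.append((p, k))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def phi_by_theorem(n):
    """Theorem 5.1: phi(n) = product of p^k - p^(k-1) over the prime powers of n."""
    result = 1
    for p, k in factorize(n):
        result *= p ** k - p ** (k - 1)
    return result


def column_count(m, n):
    """Lay 1..mn out on width n as in (5.3) and cross out entries that are not
    relatively prime to mn. Returns (nonempty columns, set of survivor counts
    per nonempty column, total survivors). With gcd(m, n) = 1 every nonempty
    column has exactly phi(m) survivors, which is the argument of Section 5.3."""
    per_column = []
    for c in range(n):
        survivors = [x for x in range(c + 1, m * n + 1, n) if gcd(x, m * n) == 1]
        if survivors:
            per_column.append(len(survivors))
    return len(per_column), set(per_column), sum(per_column)


if __name__ == "__main__":
    print(phi_by_theorem(504))   # 144, Example 5.10
    print(column_count(7, 10))   # (4, {6}, 24): phi(10) columns with phi(7) survivors each
    print(column_count(10, 7))   # (6, {4}, 24): phi(7) columns with phi(10) survivors each
    print(column_count(4, 6))    # (2, {4}, 8): gcd(4, 6) != 1, and phi(24) != phi(4)phi(6)
```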

5.4. Fermat’s Little Theorem

Binomial Theorem. The binomial theorem may be familiar to you, but we want to refresh your memory because it is important to our proof of Fermat's little theorem. If we want to expand $(x+y)^2$, we can just use FOIL to obtain $x^2 + 2xy + y^2$. To expand $(x+y)^3$, we can multiply $x^2 + 2xy + y^2$ by $(x+y)$ to find $x^3 + 3x^2y + 3xy^2 + y^3$, and we can do likewise for higher powers of $(x+y)$.


\[
\begin{aligned}
(x+y)^0 &= 1 \\
(x+y)^1 &= x + y \\
(x+y)^2 &= x^2 + 2xy + y^2 \\
(x+y)^3 &= x^3 + 3x^2y + 3xy^2 + y^3 \\
(x+y)^4 &= x^4 + 4x^3y + 6x^2y^2 + 4xy^3 + y^4 \\
(x+y)^5 &= x^5 + 5x^4y + 10x^3y^2 + 10x^2y^3 + 5xy^4 + y^5 \\
(x+y)^6 &= x^6 + 6x^5y + 15x^4y^2 + 20x^3y^3 + 15x^2y^4 + 6xy^5 + y^6 \\
(x+y)^7 &= x^7 + 7x^6y + 21x^5y^2 + 35x^4y^3 + 35x^3y^4 + 21x^2y^5 + 7xy^6 + y^7 \\
(x+y)^8 &= x^8 + 8x^7y + 28x^6y^2 + 56x^5y^3 + 70x^4y^4 + 56x^3y^5 + 28x^2y^6 + 8xy^7 + y^8 \\
&\;\;\vdots
\end{aligned}
\]

In the row corresponding to power $n$, notice that the powers of $x$ decrease from $n$ to 0 going from left to right while the powers of $y$ increase from 0 to $n$, and the coefficients match Pascal's triangle.

                  1
                1   1
              1   2   1
            1   3   3   1
          1   4   6   4   1
        1   5  10  10   5   1
      1   6  15  20  15   6   1
    1   7  21  35  35  21   7   1
  1   8  28  56  70  56  28   8   1
                 ...

We can also write Pascal's triangle in terms of the binomial coefficients that we used for counting in Chapter 2.
\[
\begin{array}{c}
\binom{0}{0} \\
\binom{1}{0} \quad \binom{1}{1} \\
\binom{2}{0} \quad \binom{2}{1} \quad \binom{2}{2} \\
\binom{3}{0} \quad \binom{3}{1} \quad \binom{3}{2} \quad \binom{3}{3} \\
\binom{4}{0} \quad \binom{4}{1} \quad \binom{4}{2} \quad \binom{4}{3} \quad \binom{4}{4} \\
\binom{5}{0} \quad \binom{5}{1} \quad \binom{5}{2} \quad \binom{5}{3} \quad \binom{5}{4} \quad \binom{5}{5} \\
\binom{6}{0} \quad \binom{6}{1} \quad \binom{6}{2} \quad \binom{6}{3} \quad \binom{6}{4} \quad \binom{6}{5} \quad \binom{6}{6} \\
\binom{7}{0} \quad \binom{7}{1} \quad \binom{7}{2} \quad \binom{7}{3} \quad \binom{7}{4} \quad \binom{7}{5} \quad \binom{7}{6} \quad \binom{7}{7} \\
\binom{8}{0} \quad \binom{8}{1} \quad \binom{8}{2} \quad \binom{8}{3} \quad \binom{8}{4} \quad \binom{8}{5} \quad \binom{8}{6} \quad \binom{8}{7} \quad \binom{8}{8} \\
\dots
\end{array}
\]

All of this is summarized in the binomial theorem.

THEOREM 5.2 (Binomial Theorem). If $n$ is a positive integer, then
\[
(x+y)^n = \sum_{k=0}^{n} \binom{n}{k} x^{n-k} y^k, \quad \text{where } \binom{n}{k} = \frac{n!}{k!(n-k)!}.
\]

Now, let’s consider (x + y)n reduced modulo n.


\[
\begin{aligned}
(x+y)^2 &\equiv x^2 + y^2 \pmod 2 \\
(x+y)^3 &\equiv x^3 + y^3 \pmod 3 \\
(x+y)^4 &\equiv x^4 + 2x^2y^2 + y^4 \pmod 4 \\
(x+y)^5 &\equiv x^5 + y^5 \pmod 5 \\
(x+y)^6 &\equiv x^6 + 3x^4y^2 + 2x^3y^3 + 3x^2y^4 + y^6 \pmod 6 \\
(x+y)^7 &\equiv x^7 + y^7 \pmod 7 \\
(x+y)^8 &\equiv x^8 + 4x^6y^2 + 6x^4y^4 + 4x^2y^6 + y^8 \pmod 8 \\
(x+y)^9 &\equiv x^9 + 3x^6y^3 + 3x^3y^6 + y^9 \pmod 9 \\
(x+y)^{10} &\equiv x^{10} + 5x^8y^2 + 2x^5y^5 + 5x^2y^8 + y^{10} \pmod{10} \\
(x+y)^{11} &\equiv x^{11} + y^{11} \pmod{11} \\
&\;\;\vdots
\end{aligned}
\]

Many of the binomial coefficients seem to vanish, but the cases with prime powers are especially interesting because only the first and last terms survive modular reduction. Why does this happen? If $p$ is prime and $0 < k < p$, then
$$\binom{p}{k} = \frac{p!}{k!\,(p-k)!} = \frac{p(p-1)(p-2)\cdots(p-k+1)}{k(k-1)(k-2)\cdots(3)(2)(1)} = p \cdot \frac{(p-1)(p-2)\cdots(p-k+1)}{k(k-1)(k-2)\cdots(3)(2)(1)}$$
is an integer that is divisible by $p$: every factor in the denominator is less than $p$, and $p$ can't have any divisors between 1 and $p$, so nothing in the denominator cancels the leading factor of $p$. Therefore, $\binom{p}{k} \equiv 0 \bmod p$ for $0 < k < p$. Since $\binom{p}{0} = \binom{p}{p} = 1$, we have $(x+y)^p \equiv x^p + y^p \bmod p$. Now we can prove Fermat's little theorem (FLT).

THEOREM 5.3 (Fermat's Little Theorem). If $n$ is a positive integer and $p$ is prime, then $n^p \equiv n \bmod p$.

PROOF. We prove Fermat's little theorem by induction on $n$. Clearly, $1^p \equiv 1 \bmod p$. Assume $k^p \equiv k \bmod p$ for some specific $k \geq 1$. Then
$$(k+1)^p = \sum_{j=0}^{p} \binom{p}{j} k^j 1^{p-j} = \binom{p}{0} + \sum_{j=1}^{p-1} \binom{p}{j} k^j + \binom{p}{p} k^p \equiv 1 + k^p \equiv k + 1 \bmod p.$$

In addition, note that $n^{p-1} \equiv 1 \bmod p$ and $n^{p-2} \equiv n^{-1} \bmod p$, so Fermat's little theorem gives a second way of computing multiplicative inverses for prime moduli, but we still prefer to use the extended Euclidean algorithm in most circumstances because it is more efficient and it doesn't require a prime modulus.
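The two observations above, the vanishing binomial coefficients modulo a prime and the two ways of computing an inverse, as an added Python example (not code from the notes); it checks the binomial rows and FLT for any modulus and compares the FLT inverse with the extended Euclidean one. The modulus values used in the comments are the ones from the tables above.

```python
from math import comb

def binomial_row_mod(n):
    """Coefficients of (x + y)^n reduced modulo n, for k = 0..n.

    For a prime n only the first and last entries are nonzero,
    which is the observation behind the proof of FLT.
    """
    return [comb(n, k) % n for k in range(n + 1)]

def interior_vanishes(n):
    """True when every interior coefficient of (x + y)^n is 0 mod n."""
    return all(c == 0 for c in binomial_row_mod(n)[1:-1])

def fermat_holds(p):
    """Check n^p = n (mod p) for every residue n; pow() does square-and-multiply."""
    return all(pow(n, p, p) == n % p for n in range(p))

def inverse_via_fermat(n, p):
    """n^{-1} mod p computed as n^{p-2} mod p; needs p prime and p not dividing n."""
    if n % p == 0:
        raise ValueError("no inverse: p divides n")
    return pow(n, p - 2, p)

def extended_euclid(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def inverse_via_euclid(n, m):
    """n^{-1} mod m for any modulus m with gcd(n, m) = 1 (no primality needed)."""
    g, s, _ = extended_euclid(n % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(n, m) != 1")
    return s % m
```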


Example 5.11: Let's note some of the features in the following table of exponents. The top row is all zeros because zero raised to any positive power is zero, and the first column is all ones because any nonzero integer raised to the zeroth power is one. However, neither rule applies in the case of $0^0$, which we leave undefined.³ Also, as we expect from FLT, $y^{10} \equiv 1 \bmod 11$ and $y^{11} \equiv y \bmod 11$ for $0 < y < 11$. The last row alternates between 1 and 10 because $10^x \equiv (-1)^x \equiv \pm 1 \equiv 1, 10 \bmod 11$. Likewise, $y^5 \equiv \pm 1 \bmod 11$ for $0 < y < 11$, because $\left(y^5\right)^2 = y^{10} \equiv 1$ by FLT and the only modular square roots⁴ of 1 mod 11 are $\pm 1$. Otherwise, exponentiation seems to jumble integers pretty well.

(5.6) Table of $y^x \bmod 11$:

   x  |  0   1   2   3   4   5   6   7   8   9  10  11
------+------------------------------------------------
 0^x  |  ?   0   0   0   0   0   0   0   0   0   0   0
 1^x  |  1   1   1   1   1   1   1   1   1   1   1   1
 2^x  |  1   2   4   8   5  10   9   7   3   6   1   2
 3^x  |  1   3   9   5   4   1   3   9   5   4   1   3
 4^x  |  1   4   5   9   3   1   4   5   9   3   1   4
 5^x  |  1   5   3   4   9   1   5   3   4   9   1   5
 6^x  |  1   6   3   7   9  10   5   8   4   2   1   6
 7^x  |  1   7   5   2   3  10   4   6   9   8   1   7
 8^x  |  1   8   9   6   4  10   3   2   5   7   1   8
 9^x  |  1   9   4   3   5   1   9   4   3   5   1   9
10^x  |  1  10   1  10   1  10   1  10   1  10   1  10

In modular arithmetic, we know how to find additive inverses via negation and multiplicative inverses via the extended Euclidean algorithm or Fermat's little theorem. However, we don't have a simple algorithm for inverting exponents. For example, consider a problem like

(5.7) $4^x \equiv 9 \bmod 11$.

In real arithmetic, we would say that $x = \log_4 9$, so problems like (5.7) are referred to as discrete log problems. The problem in (5.7) is easy ($x = 3$) because we can just look for the answer in the table in (5.6), but in general we can't do that when the numbers are large, so the discrete log problem is a notoriously difficult problem.
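An added Python example (not from the notes) that builds the exponent table (5.6) for any prime and solves a discrete log the only way the text allows, by walking the table; it also checks the $y^5 \equiv \pm 1$ observation in the general form $y^{(p-1)/2} \equiv \pm 1 \bmod p$, which goes beyond the $p = 11$ case in the text.

```python
def power_table(p, max_exp=None):
    """Rows b^x mod p for b = 0..p-1 and x = 0..max_exp (default p), as in (5.6).

    0^0 is recorded as None because the text leaves it undefined.
    """
    if max_exp is None:
        max_exp = p
    table = {}
    for b in range(p):
        table[b] = [None if (b == 0 and x == 0) else pow(b, x, p)
                    for x in range(max_exp + 1)]
    return table

def discrete_log(base, target, p):
    """Smallest x >= 0 with base^x = target (mod p), by exhaustive search.

    This is the 'look it up in the table' method: it costs up to p
    multiplications, which is exactly why it is hopeless for large p.
    """
    value, target = 1, target % p
    for x in range(p):
        if value == target:
            return x
        value = (value * base) % p
    return None            # no solution: target is not a power of base

def half_powers_are_pm1(p):
    """For an odd prime p, y^((p-1)/2) is 1 or p-1 for every 0 < y < p,
    since its square is y^(p-1) = 1 by FLT and 1 has only the roots +-1."""
    return all(pow(y, (p - 1) // 2, p) in (1, p - 1) for y in range(1, p))
```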

5.5. Euler's Theorem

Let's figure out how to compute $m^{\phi(n)} \bmod n$. If $n$ is prime, then $\phi(n) = n - 1$ and we can appeal to Fermat's little theorem to conclude that $m^{\phi(n)} \equiv 1 \bmod n$, but what if $n$ is not prime? Let's start by looking at an example.

Example 5.12: We could use the square-and-multiply algorithm to compute $16^{\phi(9)} \bmod 9$, but we want to make an important observation instead. Let $S = \{1, 2, 4, 5, 7, 8\}$ be the set of positive integers less than 9 that are relatively prime to 9. There are, of course, $\phi(9) = 6$ integers in $S$. Since 16 is relatively prime to 9, multiplying every element in $S$ by 16 gives the same numbers back, just in a different order: $T = \{7, 5, 1, 8, 4, 2\}$. Multiplying the elements in $S$ and $T$ gives the same product:
$$(16 \cdot 1)(16 \cdot 2)(16 \cdot 4)(16 \cdot 5)(16 \cdot 7)(16 \cdot 8) = 16^{\phi(9)} (1)(2)(4)(5)(7)(8) \equiv (7)(5)(1)(8)(4)(2) \bmod 9.$$
Therefore, $16^{\phi(9)} = 16^6 \equiv 1 \bmod 9$.

³If you've had some calculus, you may recognize $0^0$ as an indeterminate form for limits.
⁴See Wikipedia for more information.


THEOREM 5.4 (Euler's Theorem). If $m$ and $n$ are positive integers such that $\gcd(m, n) = 1$, then $m^{\phi(n)} \equiv 1 \bmod n$.

PROOF. The proof generalizes the previous example. Euler's theorem is obvious if $n = 1$, so let's assume that $n > 1$. Let $S = \{a_1, a_2, \ldots, a_{\phi(n)}\}$ be the set of positive integers less than $n$ that are relatively prime to $n$ and let $T = \{ma_1, ma_2, \ldots, ma_{\phi(n)}\}$. Since $\gcd(m, n) = 1$, $S$ and $T$ are the same except for a rearrangement of order. Therefore, the products of the entries in $S$ and $T$ are the same:
$$a_1 a_2 \cdots a_{\phi(n)} \equiv (ma_1)(ma_2)\cdots(ma_{\phi(n)}) = m^{\phi(n)} a_1 a_2 \cdots a_{\phi(n)} \bmod n.$$
Since all of the $a_i$ are relatively prime to $n$, they are invertible and $m^{\phi(n)} \equiv 1 \bmod n$. $\square$

Example 5.13: Euler's theorem can help us to reduce large powers relatively easily. Since $\gcd(7, 10) = 1$ and $\phi(10) = 4$,
$$7^{222} = \left(7^4\right)^{55} \cdot 7^2 \equiv 1^{55} \cdot 7^2 \bmod 10 = 49 \equiv 9 \bmod 10.$$

Classroom Exercise 5.4: Reduce each of the following powers.
(1) $9^{505} \bmod 10$
(2) $8^{122} \bmod 17$
(3) $12^{100} \bmod 24$

5.6. Diffie-Hellman Key Exchange

The additive, affine, Vigenère, and Hill ciphers are all examples of private key, or symmetric, ciphers because they require the communicating parties to share a common key that they keep secret from everyone else. However, it is possible that two parties who have never met might want to exchange secret information. For example, a customer may want to send a credit card number to an internet vendor to make a purchase online. Public key cryptosystems make it possible for two parties to communicate securely without having previously agreed upon a private key. We will discuss two public key systems, the Diffie-Hellman key exchange and the RSA cryptosystem. The Diffie-Hellman method enables two parties to publicly compute a shared private key, and then they can use that key in a symmetric cipher. RSA can be used for key exchange, but it can also be used to encrypt information and to digitally sign electronic documents.⁵ As we often do, let's begin with a generalizable example to illustrate the Diffie-Hellman key exchange.

Example 5.14: The protagonists in our story are Alice and Bob, who want to generate a shared private key in front of the prying eyes of evil Eve.⁶ First they publicly agree on a large prime number $p$ and an integer $q$ such that $1 < q < p$.⁷ For the sake of illustration, let $p = 23$ and $q = 5$, but keep in mind that these are tiny numbers and in real life they would have to be much larger. Alice and Bob each privately choose a positive integer less than $p$ to serve as their respective private keys. For example, suppose that Alice chooses $a = 9$ and Bob chooses $b = 20$. Alice computes
$$A = q^a \bmod p = 5^9 \bmod 23 \equiv 11 \bmod 23$$

⁵You can do more than just key exchange with Diffie-Hellman, but that's what we'll focus on.
⁶Just about everybody uses Alice, Bob, and Eve.
⁷A more advanced text would put an extra requirement on $q$, but we avoid that for simplicity. For more details, see p. 171 of [2].


and sends it publicly to Bob. Similarly, Bob computes
$$B = q^b \bmod p = 5^{20} \bmod 23 \equiv 12 \bmod 23$$
and sends it to Alice. When Alice receives $B$, she computes
$$K = B^a \bmod p = 12^9 \bmod 23 \equiv 4 \bmod 23.$$
Likewise, Bob also computes $K$, but in a different way:
$$K = A^b \bmod p = 11^{20} \bmod 23 \equiv 4 \bmod 23.$$
If Eve intercepts $A$, $B$, $p$, and $q$, then she can, in principle, solve for $a$ and $b$ by solving
$$A = q^a \bmod p \quad \text{or} \quad B = q^b \bmod p,$$
but this is the discrete log problem that we know is very hard to solve if $p$ is large.

Recall that this only establishes a key; it does not encrypt a message. To send a message, suppose that Alice converts the Delphic wisdom KNOW THYSELF into numbers using the ASCII code (Table 3.1) and encrypts the message with a Vigenère cipher using $K = 4$ as the key.⁸ The alphabet is $\{0, 1, 2, 3, 4, 5, 6, 7, 8, 9\}$, so the addition is done modulo 10.

Plaintext:  757879873284728983697670
Key:        444444444444444444444444
Ciphertext: 191213217628162327031014

Alice then transmits 191213217628162327031014 to Bob, and he reverses the steps to recover the original message.

Example 5.15: Let's repeat the previous example with slightly bigger numbers. Let $p = 156696463087$ and $q = 94477582661$. For real applications, $p$ is still a small prime, but it is large enough to overwhelm many hand-held calculators. Now Alice chooses $a = 63102091160$ and Bob chooses $b = 23629131076$. Alice computes
$$A = q^a \bmod p = 94477582661^{63102091160} \bmod 156696463087 = 908653225$$
and Bob computes
$$B = q^b \bmod p = 94477582661^{23629131076} \bmod 156696463087 = 1340136561.$$
Alice sends $A$ to Bob, Bob sends $B$ to Alice, and they both compute
$$K = A^b \bmod p = 908653225^{23629131076} \bmod 156696463087 = 67301429533$$
$$K = B^a \bmod p = 1340136561^{63102091160} \bmod 156696463087 = 67301429533,$$
which can be used as the key for a symmetric encryption method like the Vigenère or Hill cipher. For example, the digits in $K$ might be partitioned into pairs, reduced modulo 26, and converted to letters
$$\{06, 73, 01, 42, 95, 33\} \bmod 26 \equiv \{6, 21, 1, 16, 17, 7\} \bmod 26 \sim \text{GVBQRH}$$
to produce a keyword for the Vigenère cipher. The message KNOW THYSELF is then encrypted as QIPMKOENFBW.

⁸In this case, because the key is a single digit, the Vigenère cipher actually reduces to an additive cipher.
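Examples 5.14 and 5.15 end to end, as an added Python example that is not part of the notes: both sides of the exchange, the digit Vigenère of Example 5.14, and the pair-splitting keyword derivation of Example 5.15. The zero-padding of $K$ to 12 digits is my reading of the pair {06, 73, ...} shown above; the exchange is unauthenticated, exactly as in the text.

```python
def dh_public(q, private, p):
    """The value a party publishes: q^private mod p."""
    return pow(q, private, p)

def dh_shared(peer_public, private, p):
    """Shared key K = (peer's public value)^private mod p."""
    return pow(peer_public, private, p)

def dh_exchange(p, q, a, b):
    """Run both sides and return (A, B, K); both parties must land on the same K.

    Nothing here ties A to Alice or B to Bob: as in the text, the exchange
    only establishes K between whoever holds a and whoever holds b.
    """
    A, B = dh_public(q, a, p), dh_public(q, b, p)
    k_alice, k_bob = dh_shared(B, a, p), dh_shared(A, b, p)
    if k_alice != k_bob:
        raise RuntimeError("both sides must derive the same key")
    return A, B, k_alice

def ascii_digit_string(text):
    """Example 5.14 encoding: concatenated decimal ASCII codes (all two digits here)."""
    return "".join(str(ord(c)) for c in text)

def digit_vigenere(digits, key, decrypt=False):
    """Vigenere over the alphabet {0,...,9}; `key` is a string of key digits."""
    out = []
    for i, d in enumerate(digits):
        k = int(key[i % len(key)])
        out.append(str((int(d) + (-k if decrypt else k)) % 10))
    return "".join(out)

def keyword_from_key(K, width=12):
    """Example 5.15 step: zero-pad K to `width` digits, split into pairs,
    reduce each pair mod 26 and map 0..25 to A..Z."""
    digits = f"{K:0{width}d}"
    pairs = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    return "".join(chr(ord("A") + v % 26) for v in pairs)

def letter_vigenere(plain, keyword):
    """Classical Vigenere on A-Z (A = 0) with the derived keyword."""
    out = []
    for i, c in enumerate(plain):
        k = ord(keyword[i % len(keyword)]) - ord("A")
        out.append(chr(ord("A") + (ord(c) - ord("A") + k) % 26))
    return "".join(out)
```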


5.7. RSA Encryption

The name RSA is a concatenation of the first initials of the last names of its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman. RSA can, like the Diffie-Hellman method, be used to establish a secret key publicly, but it can also be used to encrypt information and to digitally sign electronic documents. It all hinges on Euler's theorem and the existence of a trusted authority, like a key center, to assign public and private keys to all parties.⁹

For every individual, the key center selects two large prime numbers $p$ and $q$ and computes $\phi(pq) = (p-1)(q-1)$. Note that this is easy for the key center to do since it knows both $p$ and $q$. They then select an integer $e > 1$ that is relatively prime to $\phi(pq)$ and compute its multiplicative inverse $e^{-1} \bmod \phi(pq)$. Finally, the key center issues each individual the public keys $e$ and $pq$ and the private key $e^{-1} \bmod \phi(pq)$. Note that even though the product $pq$ is public, $p$ and $q$ are not known - even privately - because it is prohibitively difficult to factor sufficiently large numbers. In essence, the security of this method relies on the difficulty of factoring the product $pq$.

If Bob wants to send Alice an integer message $m < pq$, he uses her public keys to compute
$$c = m^e \bmod pq,$$
which he sends to her publicly. When Alice receives $c$, she computes
$$\begin{aligned}
c^{e^{-1}} \bmod pq &\equiv \left(m^e\right)^{e^{-1}} \bmod pq \\
&\equiv m^{e e^{-1}} \bmod pq \\
&\equiv m^{1 + k\phi(pq)} \bmod pq \quad \text{for some integer } k \\
&\equiv m \cdot \left(m^{\phi(pq)}\right)^k \bmod pq \\
&\equiv m (1)^k \bmod pq \quad \text{(by Euler's Theorem 5.4)} \\
&\equiv m.
\end{aligned}$$

Only Alice (and the key center) can decrypt the message since she is the only one who knows $e^{-1}$. If Eve intercepts the message, she can only read it if she can solve $m^e \equiv c \bmod pq$ for $m$. That is, Eve has to find the $e$th root of $c$ modulo $pq$.

Example 5.16: Alice publishes her public keys $e = 7$ and $pq = 77$ for all to see. To send the message $m = 25 < pq$ to Alice, Bob computes $c = m^e \bmod pq = 25^7 \bmod 77 \equiv 53 \bmod 77$ and sends it to Alice. Alice uses her private key, $e^{-1} = 43$, to compute
$$c^{e^{-1}} \bmod pq = 53^{43} \bmod 77 \equiv 25 \bmod 77 = m.$$
If Eve intercepts $c = 53$, she can decipher it only if she can compute
$$m^7 \bmod 77 = 53.$$

Example 5.17: Alice publishes her public keys $pq = 4469730945520926997399$ and $e = 4073619424605228097289$, but she reserves her private key $e^{-1} = 2559385183601091556777$. Bob sends message $m = 12345678901234567890$ to Alice by computing and transmitting the cipher

⁹See http://www.idmanagement.gov/federal-public-key-infrastructure/.

$$c = m^e \bmod pq = 12345678901234567890^{4073619424605228097289} \bmod 4469730945520926997399 \equiv 3469293885116137999704 \bmod 4469730945520926997399.$$
Alice decrypts the cipher $c$ by computing
$$c^{e^{-1}} \bmod pq = 3469293885116137999704^{2559385183601091556777} \bmod 4469730945520926997399 = 12345678901234567890 \bmod 4469730945520926997399.$$

The message $m$ could be a private number like a credit card number that one party wishes to send to another, or $m$ could be an encoded message or part of a message. For example, the ASCII equivalent of Test on Friday is

84 101 115 116 32 111 110 32 70 114 105 100 97 121 46,

so perhaps $m = 084101115116032111110032070114105100097121046$. Encrypting data using RSA is relatively slow, so if Alice and Bob want to exchange a lot of data (a lot of $m$'s), then it might be wise to use a single $m$ as a shared key for use with a symmetric cipher.

Finally, RSA can also be used to generate digital signatures. If Bob sends a message to Alice, how does Alice know that Bob really sent it? It could be a forgery after all. One thing Bob can do is encrypt his "signature" with his own private key, and when Alice receives his message, she can decrypt it using Bob's public key.

Example 5.18: Bob sends a surprising message to Alice:

Alice, I've decided to major in math. It's the coolest! Bob (125010690)

Bob knows that Alice won't believe that he actually sent the message, so he digitally signed it by enciphering his name (in ASCII) using his own private key. Alice finds that Bob's public keys are $e = 1234567891$ and $pq = 176391331$, and she computes
$$125010690^e \bmod pq = 125010690^{1234567891} \bmod 176391331 \equiv 66111098 \bmod 176391331.$$
Since the decrypted digital signature (66 111 098) has an ASCII equivalent of Bob, Alice is sure that Bob actually sent the message. Congratulations Bob on a wise choice!
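The whole of Section 5.7 in one added Python example (mine, not the notes'): the key center's key generation, encryption and decryption as in Example 5.16, the three-digit ASCII packing used for Test on Friday, and the sign-with-private/verify-with-public pattern of Example 5.18. This is textbook RSA exactly as the text presents it, with no padding; the decryption round trip in fact holds for every $0 \le m < pq$, not only the coprime $m$ the Euler-based derivation covers.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Key center step: n = pq, phi(n) = (p-1)(q-1), d = e^{-1} mod phi(n).

    Returns ((e, n), d): the public pair and the private exponent.
    """
    n, phi_n = p * q, (p - 1) * (q - 1)
    if e <= 1 or gcd(e, phi_n) != 1:
        raise ValueError("e must exceed 1 and be relatively prime to phi(pq)")
    d = pow(e, -1, phi_n)            # modular inverse (Python 3.8+)
    return (e, n), d

def rsa_encrypt(m, public):
    """c = m^e mod pq; the text requires the integer message m to be below pq."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < pq")
    return pow(m, e, n)

def rsa_decrypt(c, private, n):
    """m = c^d mod pq, the computation Alice does in Example 5.16."""
    return pow(c, private, n)

def rsa_sign(m, private, n):
    """Textbook signature: exponentiate the signed number with the private key."""
    return pow(m, private, n)

def rsa_verify(signature, public):
    """Undo the signature with the public key and return the recovered number;
    the caller compares it with what the signer claims (e.g. ASCII for 'Bob')."""
    e, n = public
    return pow(signature, e, n)

def ascii_to_int(text):
    """Pack a string as three-digit ASCII codes, as in 084101115... above."""
    return int("".join(f"{ord(ch):03d}" for ch in text))

def int_to_ascii(value):
    """Inverse of ascii_to_int; leading zeros lost in the integer are restored."""
    digits = str(value)
    digits = digits.zfill(-(-len(digits) // 3) * 3)   # pad to a multiple of 3
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))
```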

Exercises

(1) Use mathematical induction to prove each of the following claims.
(a) $(ab)^n = a^n b^n$, $n \geq 0$
(b) $1 + r + r^2 + \cdots + r^n = \dfrac{1 - r^{n+1}}{1 - r}$, $n \geq 0$
(c) $8 \mid (9^n - 1)$, $n \geq 0$
(d) $\dfrac{1}{2} + \dfrac{1}{6} + \dfrac{1}{12} + \cdots + \dfrac{1}{n(n+1)} = \dfrac{n}{n+1}$, $n \geq 1$
(e) All successive numbers in the Fibonacci sequence are relatively prime to each other. Recall that $f_0 = 0$, $f_1 = 1$, and $f_n = f_{n-1} + f_{n-2}$, $n \geq 2$.


(f) $3 \mid f_{4n}$, where $f_n$ is the $n$th Fibonacci number.
(g) The Fibonacci numbers $f_0 = 0$, $f_1 = 1$, $f_n = f_{n-1} + f_{n-2}$ satisfy the following:
• $f_{2n} = 2 f_{n-1} f_n + f_n^2$, $n \geq 1$
• $f_{2n-1} = f_{n-1}^2 + f_n^2$, $n > 1$.

(2) Compute the following.
(a) $\phi(251)$
(b) $\phi(421)$
(c) $\phi(413)$
(d) $\phi(452)$
(e) $\phi(280)$
(f) $\phi(396)$
(g) $\phi(243)$
(h) $\phi(297)$
(i) $\phi(191)$
(j) $\phi(1384)$
(k) $\phi\left(37^2\right)$
(l) $\phi\left(500^3\right)$

(3) Show that if $n > 2$ then $\phi(n)$ is even.
(4) Use the square-and-multiply algorithm and/or Euler's theorem (5.4) to reduce each of the following modulo 20.
(a) 417
(b) 1334
(c) 159
(d) 7298
(e) 1412
(f) 726
(g) 1912
(h) 226

(5) The so-called Russian Peasant (or Ancient Egyptian) method for multiplying integers is similar to the square-and-multiply algorithm for exponents. We present an example here, but you might want to consult Wikipedia for more details. To multiply $52 \times 27$, you make two columns, each headed by one of the two multiplicands. In the first column, we successively halve the numbers, rounding down as necessary, and in the second column, we successively double the numbers.

Halve   Double
  52      27
  26      54
  13     108
   6     216
   3     432
   1     864
        ----
        1404

Adding the numbers in the second column that are next to odd numbers in the first column gives us the product, $52 \times 27 = 1404$. Compute the following products using the Russian Peasant algorithm.
(a) $23 \times 34$


(b) $101 \times 33$
(c) $342 \times 256$
(d) $54 \times 39 \bmod 60$
(e) $78 \times 89 \bmod 100$
(f) $123 \times 543 \bmod 800$
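The halve/double procedure of Exercise 5 beside the square-and-multiply algorithm of Section 5.1, as an added Python example (not from the notes), written so the two loops have the same skeleton: halving one operand, doubling (or squaring) the other, and accumulating when the halved operand is odd. The optional modulus covers parts (d) to (f).

```python
def peasant_table(a, b):
    """The two columns of the exercise as (halve, double) rows, top to bottom."""
    rows = []
    while a > 0:
        rows.append((a, b))
        a, b = a // 2, b * 2          # round down on the left, double on the right
    return rows

def peasant_multiply(a, b, modulus=None):
    """a * b by the Russian Peasant method: add the doubles beside odd halves.

    With a modulus, every partial value is reduced as it is formed, so the
    numbers never grow past 2 * modulus.
    """
    total = 0
    while a > 0:
        if a % 2 == 1:                # odd entry in the Halve column
            total += b
        a //= 2
        b *= 2
        if modulus is not None:
            total %= modulus
            b %= modulus
    return total

def square_and_multiply(base, exp, modulus):
    """base^exp mod modulus with the same skeleton: halve the exponent,
    square the base, and multiply into the result when the exponent is odd."""
    result, base = 1, base % modulus
    while exp > 0:
        if exp % 2 == 1:
            result = (result * base) % modulus
        exp //= 2
        base = (base * base) % modulus
    return result
```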

(6) You are making an online purchase from Alice's Restaurant.
(a) You (Bob) and Alice agree to use the Diffie-Hellman method with $p = 2309$ and $q = 200$ to exchange a key. She sends you $A = 295$ and you choose $b = 544$. Find the common key $K$.
(b) Use $K$ as the key for the Vigenère cipher to encrypt your Mathtercard number as illustrated in Example 5.14.

(7) Veronica Costello's RSA public keys are $pq = 16571$ and $e = 12667$.
(a) Veronica Costello is getting an A in math, so she wrote a special letter to Santa asking for a very special gift. Santa would like to bring VC what she asked for, but he received two different letters from her asking for two different things. Santa knows that Veronica's computer-savvy little brother is often naughty, so he suspects that one of the letters is a forgery. Help Santa figure out which album Veronica really wants by checking both digital signatures.

Dear Santa,
Please bring me "Backstreet Boys Go Live!" by the Backstreet Boys. I've been very good and I haven't even missed class more than 10 times.
Veronica (10528)

Dear Santa,
Please bring me "Teletubbies Gone Wild" by the Teletubbies. I've been very good and I haven't even missed class more than 10 times.
Veronica (3108)

(b) Veronica receives the message 12256 9486 6841 2524 14725 9462 2238 2982 649 that was encrypted with her RSA public keys. Use her private key, $e^{-1} = 6739$, and the ASCII code (Table 3.1) to decrypt and read the message.


Bibliography

[1] Robert Churchhouse. Codes and Ciphers. Cambridge University Press, 2002.
[2] Paul Garrett. Making, Breaking Codes. Prentice Hall, 2001.
[3] David Kahn. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. Scribner, 1996.
[4] Robert E. Lewand. Cryptological Mathematics. The Mathematical Association of America, 2000.
[5] Tim McDevitt and Tom Leap. Multimedia cryptology. Cryptologia, 33(2):142–150, 2009.
[6] Ivan Niven and H. S. Zuckerman. An Introduction to the Theory of Numbers. John Wiley & Sons, fourth edition, 1980.
[7] Jeffrey Overbey, William Traves, and Jerzy Wojdylo. On the keyspace of the Hill cipher. Cryptologia, 30(1):59–72, 2005.
[8] Kenneth H. Rosen. Elementary Number Theory. Addison-Wesley, 2000.
[9] Claude Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656–715, 1949.
[10] Simon Singh. The Code Book: The Secret History of Codes and Code-breaking. Fourth Estate, 2000.
[11] Abraham Sinkov. Elementary Cryptanalysis. Random House, 1968.
[12] Suetonius. De Vita Caesarum: Divus Julius LVI.
[13] Wade Trappe and Lawrence C. Washington. Introduction to Cryptography with Coding Theory. Pearson Prentice-Hall, second edition, 2006.
