Class Notes for Cryptologic Mathematics (FYS 100)
Tim McDevitt Frank Arnold (2012)
ELIZABETHTOWN COLLEGE
E-mail address: [email protected]
August 27, 2013

Contents

Preface vii

Introduction 1
0.1. What is Cryptology? 1
0.2. Types of Ciphers 3
0.3. Mathematical Ciphers 6
0.4. Types of Cryptologic Attacks 7
0.5. Notation and Terminology 7
Exercises 8

Chapter 1. Modular Arithmetic 11
1.1. Fundamental Theorem of Arithmetic 11
1.2. Greatest Common Divisors 12
1.3. Euclidean Algorithm 12
1.4. Extended Euclidean Algorithm 14
1.5. Relatively Prime Numbers 15
1.6. Modular Arithmetic 15
1.7. Solving Linear Congruences 19
1.8. Additive Cipher 23
1.9. Cryptanalysis of the Additive Cipher 25
1.10. Affine Cipher 27
1.11. Cryptanalysis of the Affine Cipher 27
Exercises 28

Chapter 2. Probability 33
2.1. Counting 33
2.2. Probability 36
2.3. Index of Coincidence 39
2.4. Vigenère Cipher 41
Exercises 45

Chapter 3. Recursion 49
3.1. Recursion 49
3.2. Binary Arithmetic 50
3.3. Data as Bits 51
3.4. Encryption of Binary Data 52
3.5. Linear Feedback Shift Registers 53
Exercises 55

Chapter 4. Matrices 57
4.1. Matrix Arithmetic 57
4.2. Hill Cipher 60
4.3. Cryptanalysis of the Hill Cipher 61
Exercises 64

Chapter 5. Modular Exponentiation 67
5.1. Square and Multiply Algorithm 67
5.2. Mathematical Induction 68
5.3. Euler Phi Function 69
5.4. Fermat’s Little Theorem 72
5.5. Euler’s Theorem 75
5.6. Diffie-Hellman Key Exchange 76
5.7. RSA Encryption 78
Exercises 79

Bibliography 83

Preface
The first author has taught cryptology as a First-Year Seminar at Elizabethtown College for several years using Robert Lewand’s fine book [4]. However, less than half of the author’s students are math or science majors, so Lewand’s rigorous approach is often under-appreciated. These notes follow much of the same material, but they rely fairly heavily on student intuition instead of rigorous proof, as is usually done in calculus courses. Proofs or arguments are reserved for those situations where results are not intuitively clear to the students. For instance, students don’t struggle with the transitivity of divisibility for integers (if a | b and b | c, then a | c), but Fermat’s little theorem requires a proof. Other situations warrant justifications that fall short of proofs but are still convincing to students. For example, we don’t formally prove that the Euclidean algorithm always finds the gcd of two positive integers, but we demonstrate that it has to work with “generalizable examples”.

Since our audience includes first-year students who are not math or science majors, we have tried to minimize the use of terminology and mathematical jargon. Students interested in more details should consult textbooks on number theory or algebra, or just wait patiently for an opportunity to take those courses.

The second author is a former (2008) student of this course who has provided a student’s perspective on the presentation of the material. As a result, the style of writing is informal in an attempt to teach some math and to develop enthusiasm for cryptology.

Please note that this text does not address the history of cryptology in a systematic way so that we can focus on the mathematics. Students of cryptology should appreciate the impact of cryptology on historical events, but that knowledge will have to be obtained from other sources (cf. [3] and [10]).
Throughout the notes are several hyperlinks to Mathematica notebooks that are helpful for cryptologic calculations or for demonstrating mathematical concepts. The entire set of notebooks can be found at users.etown.edu/m/mcdevittt/. The file cipher.nb contains code that implements most of the encryption algorithms in the book. Readers may also enjoy using the FREE software package ECrypt (www2.etown.edu/ECrypt/ECrypt.htm). The current (2013) version of ECrypt is a .jar file, so it should be platform independent, provided that your computer has Java installed. ECrypt doesn’t have to be installed; just download it and run it. It has a graphical user interface (GUI) that enables users to easily implement the cryptographic algorithms in this course. It also provides special tools for cryptanalysis, a recursive calculator, and a calculator for modular arithmetic.

Future versions of this book will have chapters dedicated to elliptic curves and to the encryption and cryptanalysis of historical ciphers applied to image and sound files as described in [5].
Introduction
0.1. What is Cryptology?
Classically, cryptology was used to send and receive secret messages and its users were often military leaders or diplomats. For Admiral Alice to send General Bob a secret message, she would have to encrypt or encipher her message using a method that she and Bob had previously agreed upon. When Bob receives the message, he has to decrypt or decipher her message to read it. Often, the method of encryption would rely on a key: some special number(s) or word(s) that only Alice and Bob know.

Prior to the computer age, encryption methods were relatively simple, not explicitly mathematical, and often not very secure. Messages were relatively short and there was very little systematic research certifying the security of cryptologic methods. Today, however, messages can be very long. As of this writing (2010), a typical JPEG file from a digital camera is over 1 MB, which is roughly equivalent to a text file of a million characters. Contemporary encryption methods tend to use very sophisticated mathematics and there is a great deal of systematic research. The US Department of Commerce certifies certain algorithms so that users can be confident that their communications are secure, and these algorithms can be very complicated.¹

In addition to the transmission and reception of secret messages, modern cryptology also involves less well-known operations such as key exchange, digital signatures, random number generation, hashing, etc., but this book focuses, for the most part, on mathematical versions of historical methods. These methods require what is probably unfamiliar mathematics and, although they are no longer useful, they evolved into today’s methods, so it is still useful to be familiar with them. The only exception is our discussion of public key systems, which currently enjoy widespread use.

Another important difference between classical and modern cryptography is frequency of use.
In the past, the average individual had no practical reason to encrypt messages, but today we all use cryptographic algorithms without even knowing it when we use our cell phones or email or make online purchases. Therefore, modern cryptology is directly applicable to our daily lives in very important ways.

Finally, the nature of characters in encryption algorithms has changed in modern times. In the past, messages were composed using characters from a fixed alphabet, so, for example, two English speakers might use a 26-letter alphabet abcdefghijklmnopqrstuvwxyz, or they might use a 52-letter alphabet that includes capital letters, or they might include digits and punctuation. In this course, we will frequently assume a 26-letter alphabet. Computers store files in terms of bits that we can regard as an alphabet of only two characters: 0 and 1. This includes Word® and Excel® documents, JPEG images, MPEG movies, etc.
Modern encryption algorithms operate at the bit level on a computer, so all computer files can be encrypted in the exact same way, regardless of how we interpret those bits as text, pictures, movies, etc.

Cryptology is an umbrella term for cryptography and cryptanalysis. Cryptography involves the creation and use of algorithms that pass private information between two parties with the goal of obscuring the information from unintended recipients. Classically, users might hope that adversaries would not know what encryption algorithms were being used, but that is an unrealistic expectation today. Today, we have to assume that adversaries know what algorithms we are using, so the security of a method depends entirely on the difficulty of recovering the secret key. Symmetric, or private key, systems require both sender and receiver to know the same secret key, but modern public key systems enable parties to communicate securely without previously establishing a secret key.

Cryptanalysis is the study of cryptographic algorithms with the intent of recovering secret messages without knowing the secret key. We can think of cryptanalysis as the activity of an adversary who obtains an encrypted message and tries to recover the original message without knowing the key, but cryptanalysis could also be the activity of an analyst who is studying the security of a given method. Loosely speaking, we can think of cryptographers as the defense and cryptanalysts as the offense, but both sides must know what the other is capable of to do their jobs properly.

We also want to distinguish cryptography from steganography, which seeks to hide the very existence of a message. For example, the children’s activity of writing a note in invisible ink is an example of steganography, as is the use of a stencil to hide a message in a book. (See Figure 0.1.) Of course, steganography can be combined with cryptography to provide extra security. Although steganography can be very interesting, we won’t discuss it in this book.

Figure 0.1: Can you read the message hidden in this poem that is revealed by the stencil?

Finally, a cipher is an encryption algorithm that is used to encrypt (or encipher) a message, or plaintext, into apparently unintelligible ciphertext. The original plaintext is recovered by decrypting (or deciphering) the ciphertext. The terms “plaintext” and “ciphertext” still apply even if the data are not really text but just some form of data (e.g. bits). Also, for convenience people often shorten “ciphertext” into “cipher”, so you have to tell them apart from context. Finally, the word “key” is often used in different ways at the same time, but we will wait to point that out until later.

¹ For example, see the NIST document FIPS 197, which takes 51 pages to describe AES. The good news is that the description is very good and very clear, unlike IRS documents.
Figure 0.2: The same strip of paper displayed on two tubes of different diameters. On the left we see part of the joke “How do you know that you have found an extroverted mathematician? He looks at your feet when he talks to you.” On the right, the message is unreadable.
0.2. Types of Ciphers
There are two basic tools that are used in encryption algorithms: transposition (rearranging the characters) and substitution (replacing characters with other characters). Transposition and substitution are familiar as two popular types of puzzles, anagrams and cryptograms.
Classroom Exercise 0.1: Here is a sample anagram; the letters in each word have simply been jumbled. See if you can decipher the message. RYOU RETARSIPNVEETE WSOE UYO, OTN IHS UNSYRTDI YNOL, UBT HSI TEJGMDUN; AND EH BTSAYRE, EDITASN FO ERNVSGI OUY, FI EH ACFRSIEISC TI OT RYUO NONPOII - "PHCEES TO EHT RESCLETO AT BLRTIOS TA HTE CONSOCINUL OF HET LLOP" BY EDUNDM RBEUK
Classroom Exercise 0.2: Here is a sample cryptogram; each letter is replaced by another letter. See if you can decipher the message. LRLSUB ZYU SRHU CRYCSUB MYZQD XF LKU WZJRCRZD'B QZDM, LO CODLYZCL LKU BIKUYU ON WZD'B NUSRCRLF. KU SRVUB RWWGYUM QRLKRD LKU XZBLRSSU ON Z QOYM, ZDM BGYVUFB ZL Z MRBLZDCU LKU UDVRUM SRNU ON WZD. - "LKU YRJKLB ON WZD" XF LKOWZB IZRDU.
If you actually solved both puzzles, then the punctuation and spacing of the words in both the anagram and the cryptogram probably helped a lot. We can make a much more difficult puzzle by using a shorter message, removing all spacing and punctuation, and using both transposition and substitution.
Classroom Exercise 0.3: Winston Churchill reportedly said RSAAPTAPCVTMVZSCSOCPYDTDTQQQQITPQ. See if you can decipher this combination anagram and cryptogram with spacing and punctuation removed.
An ancient example of a transposition cipher is the σκυτάλη (scytale), which the Spartans reportedly used for tactical messages on the battlefield. A strip of leather or parchment was wound around a stick and a message was written across it as shown in Figure 0.2. Once the strip was unwound, the letters were jumbled and the message was unreadable. Furthermore, the message could only be read by wrapping the strip around a stick with the same diameter. Figure 0.2 shows a scytale with a decidedly unimportant message. It illustrates how the message is unintelligible if the diameter is incorrect. In this case, the diameter of the stick is the secret key.
An early example of a substitution cipher is the Caesar cipher, which simply shifts each letter in the plaintext ahead 3 places to produce an encrypted message. For example, veni vidi vici² becomes yhql ylgl ylfl. The Caesar cipher is attributed to Julius Caesar by Suetonius, who was a prominent historian of the Roman emperors in the first and second centuries A.D. According to Suetonius [12], “Exstant et ad Ciceronem, item ad familiares domesticis de rebus, in quibus, si qua occultius perferenda erant, per notas scripsit, id est sic structo litterarum ordine, ut nullum verbum effici posset; quae si qui investigare et persequi velit, quartam elementorum litteram, id est D pro A et perinde reliquas commutet.” The translation of Suetonius on penelope.uchicago.edu is
“There are also letters of his to Cicero, as well as to his intimates on private affairs, and in the latter, if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.”

If this translation is correct, then it actually sounds like Caesar’s messages were decrypted by shifting 3 letters to the right (so encryption would have been a shift of 3 letters to the left). Nevertheless, modern cryptographers generally understand Caesar’s cipher as a shift of 3 letters to the right. The Caesar cipher is an example of a monoalphabetic substitution cipher, in which every character is replaced by some other character. In the 9th century A.D., Abu Yusuf Yaqub ibn Ishaq al-Sabbah Al-Kindi introduced frequency analysis that made monoalphabetic substitution ciphers obsolete because they were no longer secure. To thwart frequency analysis, people in succeeding centuries invented polyalphabetic substitution ciphers, in which each letter is replaced by another letter that changes with each use. For instance, a polyalphabetic system might encrypt the first a in aardvark as q, but the second a might be encrypted as n. Examples include the Alberti cipher wheel and the Vigenère cipher.

In 1467, Leon Battista Alberti (1404-1472) developed a cipher wheel that produced ciphertext that was not vulnerable to Al-Kindi’s frequency analysis. The wheel consisted of two rings and the inner ring could be turned about its center. Sender and receiver would agree on a “pointer” letter; Alberti chose k. The sender picks a letter on the outer ring and lines it up with k on the inner ring and then enciphers several letters by locating plaintext characters on the outer ring and associating them with corresponding cipher characters on the inner ring.
For example, using the first setting in Figure 0.3, the first six characters of VENIVIDIVICI are encrypted as Fnxrpnp. What makes his method polyalphabetic is that the sender occasionally points k at a new letter. Using the second setting in Figure 0.3, the last six characters of VENIVIDIVICI are encrypted as 4mghg&g. Therefore, altogether, the message VENIVIDIVICI can possibly be encrypted as Fnxrpnp4mghg&g. It is interesting to note that Alberti’s wheel omits H, K, U, W and Y but includes some digits. Apparently, Alberti was content to associate U with V and W with VV.

In 1585, Blaise de Vigenère introduced a polyalphabetic substitution cipher that endured for three centuries. The user chooses a key word, say LION, and writes it down repeatedly under the plaintext until the key is as long as the plaintext. Then the user looks up each (key letter, plain letter) pair in the Vigenère square in Table 0.1.
² “I came, I saw, I conquered.” was Caesar’s report to Rome in 47 B.C. after his overwhelming defeat of King Pharnaces II of Pontus at the battle of Zela.
Figure 0.3: Two settings of Alberti’s cipher wheel.
    ABCDEFGHIJKLMNOPQRSTUVWXYZ
A   ABCDEFGHIJKLMNOPQRSTUVWXYZ
B   BCDEFGHIJKLMNOPQRSTUVWXYZA
C   CDEFGHIJKLMNOPQRSTUVWXYZAB
D   DEFGHIJKLMNOPQRSTUVWXYZABC
E   EFGHIJKLMNOPQRSTUVWXYZABCD
F   FGHIJKLMNOPQRSTUVWXYZABCDE
G   GHIJKLMNOPQRSTUVWXYZABCDEF
H   HIJKLMNOPQRSTUVWXYZABCDEFG
I   IJKLMNOPQRSTUVWXYZABCDEFGH
J   JKLMNOPQRSTUVWXYZABCDEFGHI
K   KLMNOPQRSTUVWXYZABCDEFGHIJ
L   LMNOPQRSTUVWXYZABCDEFGHIJK
M   MNOPQRSTUVWXYZABCDEFGHIJKL
N   NOPQRSTUVWXYZABCDEFGHIJKLM
O   OPQRSTUVWXYZABCDEFGHIJKLMN
P   PQRSTUVWXYZABCDEFGHIJKLMNO
Q   QRSTUVWXYZABCDEFGHIJKLMNOP
R   RSTUVWXYZABCDEFGHIJKLMNOPQ
S   STUVWXYZABCDEFGHIJKLMNOPQR
T   TUVWXYZABCDEFGHIJKLMNOPQRS
U   UVWXYZABCDEFGHIJKLMNOPQRST
V   VWXYZABCDEFGHIJKLMNOPQRSTU
W   WXYZABCDEFGHIJKLMNOPQRSTUV
X   XYZABCDEFGHIJKLMNOPQRSTUVW
Y   YZABCDEFGHIJKLMNOPQRSTUVWX
Z   ZABCDEFGHIJKLMNOPQRSTUVWXY

Table 0.1: A Vigenère square. The highlighted letters correspond to an example in the text.

Plain:  SCYTALE
Key:    LIONLIO
Cipher: DKMGLTS
For example, to encrypt the first letter in SCYTALE, the user looks in row L and column S to find a D. This is the cipher character that substitutes for the S. Continuing this process produces the entire ciphertext DKMGLTS. Be careful of the potentially confusing terminology: the keyword LION generates the key LIONLIO for the cipher, but people may refer to both LION and LIONLIO as the key. The Vigenère cipher was highly regarded for three centuries and it was considered by many to be secure until Charles Babbage cracked it in 1854. Friedrich Kasiski also broke the cipher in 1863, but it seems that cryptological news traveled slowly because the Confederacy still used the Vigenère cipher during the U.S. Civil War, to the advantage of the North. In fact, as late as 1917, Scientific American (Supplement LXXXIII, January 27, 1917) still advocated its use.
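The SCYTALE/LION computation above, done both by lookup in Table 0.1 and by the equivalent letter-by-letter shift (c = p + k mod 26) that chapter 2 uses instead of the square. This is an added example, not code from the notes or from cipher.nb; it assumes the 26-letter alphabet and numbers A through Z as 0 through 25. A Caesar shift is the special case of a one-letter keyword D (row D of the square).

```python
"""Vigenere cipher two ways: by lookup in the Vigenere square (Table 0.1) and
by the modular-arithmetic rule c = (p + k) mod 26.  Added example, not the
notes' own code; assumes the 26-letter alphabet A..Z numbered 0..25."""

import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet assumed in the notes


def vigenere_square():
    """Build Table 0.1: row X is the alphabet rotated so that it starts at X."""
    return {row: ALPHABET[i:] + ALPHABET[:i] for i, row in enumerate(ALPHABET)}


def expand_key(keyword, length):
    """Repeat the keyword under the plaintext: LION -> LIONLIO for 7 letters.
    The notes call both LION and LIONLIO 'the key'; this returns the long one."""
    keyword = keyword.upper()
    return (keyword * (length // len(keyword) + 1))[:length]


def letters_only(text):
    """Drop spaces and punctuation, as the notes do before encrypting."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def encrypt_with_square(plaintext, keyword):
    """Encrypt by table lookup: row = key letter, column = plain letter."""
    square = vigenere_square()
    plaintext = letters_only(plaintext)
    key = expand_key(keyword, len(plaintext))
    out = []
    for p, k in zip(plaintext, key):
        column = ALPHABET.index(p)
        out.append(square[k][column])
    return "".join(out)


def encrypt_mod26(plaintext, keyword):
    """Same cipher without the square: c = (p + k) mod 26 letter by letter."""
    plaintext = letters_only(plaintext)
    key = expand_key(keyword, len(plaintext))
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plaintext, key))


def decrypt_mod26(ciphertext, keyword):
    """Undo the shift: p = (c - k) mod 26.  With the square you would find the
    cipher letter in row k and read off the column label."""
    ciphertext = letters_only(ciphertext)
    key = expand_key(keyword, len(ciphertext))
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, key))


if __name__ == "__main__":
    print(encrypt_with_square("SCYTALE", "LION"))   # DKMGLTS, as in the text
    print(encrypt_mod26("SCYTALE", "LION"))         # DKMGLTS again, no table
    print(decrypt_mod26("DKMGLTS", "LION"))         # SCYTALE
    print(encrypt_mod26("veni vidi vici", "D"))     # Caesar: YHQLYLGLYLFL
```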
“The [Vigenère] method used for the preparation and reading of code messages is simple in the extreme and at the same time impossible of translation unless the key is known. The ease with which the key may be changed is another point in favor of the adoption of this code by those desiring to transmit important messages without the slightest danger of their messages being read by political or business rivals etc.”
Modern ciphers are often polygraphic. A polygraph is a sequence of several characters; specifically, a digraph is a sequence of two characters and a trigraph is a sequence of three. Polygraphic substitution ciphers encrypt entire blocks of characters together. We will study the Hill cipher in chapter 4 as an example of a polygraphic substitution cipher, but it is a little too complicated to introduce quickly here. One common feature of all classical methods is that they are symmetric in the sense that both sender and receiver require knowledge of the algorithm and the secret key. This sort of arrangement is not always possible in the computer age. Therefore, in chapter 5 we study two public key systems that allow people to communicate even though they’ve never had an opportunity to agree upon a secret key.
0.3. Mathematical Ciphers
Since the intended audience of this book speaks English, the most commonly used alphabet in this book is English, but we really can use any alphabet we want, and the length of the alphabet is usually not important.
Latin: ABCDEFGHIKLMNOPQRSTVXYZ
Greek: αβγδεζηθικλμνξοπρςστυφχψω
Arabic: ا ب ت ث ج ح خ د ذ ر ز س ش ص ض ط ظ ع غ ف ق ك ل م ن ه و ي
Computer: 01
Grayscale 8-bit bitmap: 0 1 2 ... 254 255
None of the methods we’ve discussed so far require the use of mathematics. However, math can make any of them much easier to implement, either by hand or on a computer. For example, in chapter 2 we will revisit the Vigenère cipher, but we will have absolutely no need of the cumbersome Vigenère square in Table 0.1, so it will be much easier to encrypt and decrypt messages. The ciphers in chapters 3, 4, and 5 are all thoroughly mathematical and we can’t even describe the algorithms without using mathematics. Cryptanalysis is also greatly aided by the use of mathematics and statistics. Consider the simple scytale, which is equivalent to writing the plaintext characters in a table as shown.

HOWDOYOUKNOWT
HATYOUHAVEFOU
NDANEXTROVERT
EDMATHEMATICI
AN?HELOOKSATY
OURFEETWHENHE
TALKSTOYOU

The ciphertext is read off in columns:

HHNEAOT OADDNUA WTAM?RL DYNAHFK OOETEES YUXHLET OHTEOTO UARMOWY KVOAKHO NEVTSEU OFEIAN WORCTH TUTIYE.

Software like Mathematica makes ciphertext like this easy to crack. Try it with the Mathematica notebook Scytale.nb at http://users.etown.edu/m/mcdevittt/Crypto.html.
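The scytale as the table-and-columns transposition just described, with the number of columns (how many letters fit once around the stick) as the key. This is an added example, not code from the notes or from Scytale.nb; the joke from the table above is embedded as the sample plaintext, and the example also shows what happens when the wrong key is used, as in the right half of Figure 0.2.

```python
"""Scytale as a columnar transposition: write the plaintext in rows of a fixed
width (the key) and read it off column by column.  Added example; not code
from the notes or Scytale.nb."""


def scytale_encrypt(plaintext, width):
    """Write `plaintext` in rows of `width` characters and read down each column.
    Returns the list of column strings (the notes print them separated by spaces)."""
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    columns = []
    for c in range(width):
        # a short final row simply contributes nothing to the rightmost columns
        columns.append("".join(row[c] for row in rows if c < len(row)))
    return columns


def scytale_decrypt(columns):
    """Rebuild the rows from the columns; row r is the r-th letter of each column.
    The first column is always the longest, so it fixes the number of rows."""
    rows = [""] * len(columns[0])
    for column in columns:
        for r, ch in enumerate(column):
            rows[r] += ch
    return "".join(rows)


def split_columns(ciphertext, width):
    """Cut an unbroken ciphertext back into columns when only the key (the
    number of columns) is known: with n letters, the first n mod width columns
    are one letter longer than the rest."""
    short, extra = divmod(len(ciphertext), width)
    columns, pos = [], 0
    for c in range(width):
        length = short + (1 if c < extra else 0)
        columns.append(ciphertext[pos:pos + length])
        pos += length
    return columns


def decrypt_unbroken(ciphertext, width):
    """Decrypt a ciphertext given as one string.  A wrong width (the wrong
    stick diameter in Figure 0.2) returns jumbled text rather than an error."""
    return scytale_decrypt(split_columns(ciphertext, width))


# The plaintext from the notes' table, constructed here as a single string.
JOKE = ("HOWDOYOUKNOWTHATYOUHAVEFOUNDANEXTROVERTEDMATHEMATICIAN?"
        "HELOOKSATYOURFEETWHENHETALKSTOYOU")

if __name__ == "__main__":
    cols = scytale_encrypt(JOKE, 13)
    print(" ".join(cols))                        # HHNEAOT OADDNUA WTAM?RL ...
    print(decrypt_unbroken("".join(cols), 13))   # the joke again
    print(decrypt_unbroken("".join(cols), 12))   # wrong key: unreadable
```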
0.4. Types of Cryptologic Attacks
Real-life cryptanalysis often hinges on operator error or some flaw in the design of the machine or software that implements a cryptographic algorithm. Such mistakes make different scenarios possible for an adversary. One type of attack is a known-plaintext attack, in which the cryptanalyst knows the encryption algorithm and has access to some plaintext and the corresponding ciphertext. Such plaintext is often referred to as a crib. The Allies used cribs to find Enigma keys during World War II. In a chosen-plaintext attack, the cryptanalyst has an opportunity to choose some plaintext to feed into the cryptographic algorithm, but we will mostly consider ciphertext-only attacks, where we have some ciphertext and the only thing we know is the algorithm. Recall that we will always assume that cryptanalysts know the relevant cryptographic algorithms and the only thing that they lack is the key.
0.5. Notation and Terminology
Mathematicians tend to write very concisely and use a lot of specialized symbols, so it might be helpful if we introduce some of the symbols that we’ll be using. Sets with listed elements are written with braces, like {red, green, blue}. Other special sets have special symbols. For instance, the set of integers is denoted by Z. The natural numbers, rationals, reals, and complex numbers are N, Q, R, and C, respectively. There is no universally recognized symbol for whole numbers, but we could use N ∪ {0}, the union (∪) of N and the set {0} containing only the number zero. In this course, we will work almost exclusively with integers, but we will encounter real (or rational) numbers when we study probability.

We indicate that “a is an integer” by writing a ∈ Z to indicate that a is in (∈) the set of integers. We write a | b to indicate that a divides b. That is, for integers a and b, a divides b if there exists an integer c such that ac = b. For example, a = 2 divides b = 12 since there is an integer c = 6 such that ac = (2)(6) = 12 = b. Similarly, a = 2 does not divide b = 13 (written 2 ∤ 13) since there is no integer c such that ac = 2c = 13 = b.

As we mentioned in the introduction, the words “encrypt” and “encipher” are synonymous, as are “decrypt” and “decipher”. Original text is plaintext and the encrypted text is ciphertext, even if the text isn’t really text. Pictures, audio, and computer files can all be encrypted, so it might seem a little odd to call a picture plaintext, but we’ll do it anyway. The word “cipher” usually refers to an encryption algorithm, but it can be a shortened version of ciphertext. Also, the word key is often used imprecisely. Sometimes it refers to the keyword or key number(s), and sometimes it refers to a long string of letters or numbers that are generated from the keyword.
A code exchanges one system of writing for another. It may have the effect of making a message unintelligible, but that is not always its purpose. Two familiar non-encrypting codes are Morse code and ISBNs. Morse code converts English into a series of dots and dashes so that an English message can be easily transmitted over a primitive channel like a telegraph line. The ISBN code for a book serves two purposes; it identifies the book (like a numerical name) and it attaches a check character at the end that can identify mistakes in the number. For instance, the ISBN-10 for Lewand’s Cryptological Mathematics [4] is 0-88385-719-7. The leading 0 indicates the language (English), the second group of numbers, 88385, indicates the publisher (The Mathematical Association of America), and the third set of digits is the publisher’s serial number for the book. The final digit, 7, is chosen so that
0·1 + 8·2 + 8·3 + 3·4 + 8·5 + 5·6 + 7·7 + 1·8 + 9·9 + 7·10 = 330

is divisible by 11. If someone made a silly transposition mistake like 0-88835-719-7, the ISBN code would identify it since
0·1 + 8·2 + 8·3 + 8·4 + 3·5 + 5·6 + 7·7 + 1·8 + 9·9 + 7·10 = 325

is not divisible by 11. So, when people talk about codebreaking, they are really talking about cryptanalysis.
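The ISBN-10 check described above, as an added example that is not code from the notes: it computes the weighted sum 1·d₁ + 2·d₂ + … + 10·d₁₀, tests divisibility by 11, and chooses the check digit for a nine-digit prefix (the character X stands for the value 10, as the exercises note). The two ISBNs tested are the ones in the text; the nine-digit prefix ending in 300 is a constructed value chosen to produce an X.

```python
"""ISBN-10 check digit: the weighted sum 1*d1 + 2*d2 + ... + 10*d10 must be
divisible by 11, with the character X standing for the digit value 10.
Added example; not code from the notes."""


def isbn10_digits(isbn):
    """Strip hyphens and spaces; map each character to an integer (X -> 10)."""
    cleaned = isbn.replace("-", "").replace(" ", "").upper()
    return [10 if ch == "X" else int(ch) for ch in cleaned]


def weighted_sum(isbn):
    """The sum the notes compute: position i (counting from 1) times digit i."""
    digits = isbn10_digits(isbn)
    return sum(i * d for i, d in enumerate(digits, start=1))


def is_valid_isbn10(isbn):
    """True when the number has ten characters, X appears only in the last
    position, and the weighted sum is a multiple of 11."""
    digits = isbn10_digits(isbn)
    if len(digits) != 10:
        return False
    if 10 in digits[:9]:          # X is only legal as the check character
        return False
    return weighted_sum(isbn) % 11 == 0


def check_digit(first_nine):
    """Choose d10 so that (weighted sum of the first nine) + 10*d10 is 0 mod 11.
    Since 10 is congruent to -1 mod 11, d10 is simply that partial sum mod 11,
    and a result of 10 is written as X."""
    digits = isbn10_digits(first_nine)
    if len(digits) != 9 or 10 in digits:
        raise ValueError("need exactly nine decimal digits")
    partial = sum(i * d for i, d in enumerate(digits, start=1))
    d10 = partial % 11
    return "X" if d10 == 10 else str(d10)


if __name__ == "__main__":
    print(weighted_sum("0-88385-719-7"), is_valid_isbn10("0-88385-719-7"))  # 330 True
    print(weighted_sum("0-88835-719-7"), is_valid_isbn10("0-88835-719-7"))  # 325 False
    print(check_digit("0-88385-719"))                                        # 7
```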
Exercises
(1) Decrypt the Caesar ciphertext shwhuslshuslfnhgdshfnrislfnohgshsshuv.
(2) Decrypt each of the following messages that were encrypted with a scytale. The Mathematica notebook Scytale.nb might be helpful.
  (a) Sssalbheohe slyearelshs se lee tsh.
  (b) Wiifd e a etihsxr snBusneny aoe?ese e saifv cevan.
(3) Use the Vigenère square (Table 0.1) to
  (a) encrypt ENIGMA with keyword GERMANY.
  (b) decrypt YUGPYN if the keyword is JAPAN.
(4) Which of the following ISBN-10s are correct?
  (a) Calculus (6th edition) by Stewart, 0-495-38558-1.
  (b) Elementary Differential Equations (8th edition) by Boyce and DiPrima, 0-417-43339-X. (X stands for 10.)
  (c) The Mathematics of Coding Theory by Garrett, 0-13-101976-8.
  (d) Introduction to Cryptography with Coding Theory by Trappe and Washington, 0-13-186239-1.
(5) The first nine digits of the ISBN-10 for each of the following books are given. What should the last digit be?
  (a) 0-7432-6751- , The Official Rock Paper Scissors Strategy Guide by Douglas and Graham Walker
  (b) 0-13-187141- , Elementary Linear Algebra: A Matrix Approach by Spence, Insel, and Friedberg
  (c) 0-521-47236- , The Nonlinear Theory of Elastic Shells by Libai and Simmonds
(6) The Atbash cipher replaces the 1st letter of the alphabet with the last, the 2nd with the second-to-last, etc.³ Use the Atbash cipher to decrypt klgzgl xsrk.
(7) The Polybius checkerboard cipher places 25 letters of the alphabet (J is missing) in a 5 × 5 table.

      1 2 3 4 5
  1   E P X Q Y
  2   H V B A O
  3   F M C U N
  4   T K D L R
  5   W I S Z G

To encrypt a message like FEEDME, you just give the row and column pair for each letter: 311111433211. This has the disadvantage that the ciphertext is twice as long as the plaintext, but it has the advantage that it works well as a semaphore.
  (a) Encrypt HANDITOVER.
  (b) Decrypt 231141411145412544525521412535113324354344114121243533344553114 121114324454235115353332535313433523453.
  (c) What is the key for this cipher?
  (d) The keyspace for a cipher is the set of all possible keys. How big is the keyspace for this cipher?
(8) In the Wheatstone-Playfair cipher, 25 letters of the alphabet are placed into a 5 × 5 table.

  E P X Q Y
  H V B A O
  F M C U N
  T K D L R
  W I S Z G

Plaintext messages are broken into digraphs, and if the pair of letters
  • lie in the same row, then the ciphertext is the pair of letters to the right, wrapping around as necessary.
  • lie in the same column, then the ciphertext is the pair of letters beneath, wrapping around as necessary.
  • lie at the corners of a rectangle, then the ciphertext is the pair of letters in the opposite corners.
For example, WELCOME is encrypted as EHDUVNPY, padding the end of WELCOME with Q so that its length is even.
  (a) Encrypt MATHCOUNTS®.
  (b) Decrypt BRRNKTNFISWFXDSZBGDG.
  (c) What is the key for this cipher?
  (d) How big is the keyspace for this cipher?

³ The Atbash cipher appears in the Book of Jeremiah where, for example, Babylon is referred to as Sheshakh (in Hebrew).
CHAPTER 1
Modular Arithmetic
This chapter develops the mathematical tools needed for modular arithmetic and modular algebra, both of which will be useful throughout the entire course. After that, we apply our new knowledge to the additive and affine ciphers.
1.1. Fundamental Theorem of Arithmetic
Recall that an integer p > 1 is prime if the only integers that divide it are 1 and p. (We will frequently use p and q to represent prime numbers.) Composite numbers are integers greater than one that are not prime. Also, recall the fundamental theorem of arithmetic. (Don’t worry if you don’t recognize the name, it should still be familiar.)
THEOREM 1.1 (Fundamental Theorem of Arithmetic). Every positive integer n > 1 can be written uniquely as a product of primes.
We won’t prove the theorem because it is probably very familiar to most readers. If you are interested in a proof, it isn’t very difficult and you can find one in a book on number theory or on Wikipedia. Instead, let’s look at some examples.
Example 1.1: You can probably do the first two examples in your head, but the third one might be easier if you use a factor tree.
(1) 35 = 5 · 7
(2) 48 = 2⁴ · 3
(3) 1260 = 2² · 3² · 5 · 7.
Classroom Exercise 1.1: Express the following numbers as products of primes.
(1) 95
(2) 819
(3) 3400
1.2. Greatest Common Divisors
A common divisor of two integers a and b is an integer (positive or negative) that divides both a and b. For example, 2 is a common divisor of 12 and −18 since 2 | 12 and 2 | (−18). If a and b are both zero, then there are an infinite number of common divisors, so there can’t be a greatest common divisor. However, every other pair of integers (including if a = 0 or b = 0, but not both) has a finite number of common divisors, so there must be a greatest common divisor. We denote the greatest common divisor of a and b by gcd(a, b).¹ Here is a formal definition:
Definition 1.1: If a and b are not both zero, then the greatest common divisor of a and b is the largest positive integer that divides both a and b.
Classroom Exercise 1.2: Compute the following gcds.
(1) gcd(35, 7)
(2) gcd(55, 165)
(3) gcd(253, 598)
The first problem was easy. Since 7 | 35, it must be that gcd(35, 7) = 7. The second was a little harder, but the third is the most interesting. How did you do it? Most people use the fundamental theorem of arithmetic; they factor both numbers to find that 253 = 11 · 23 and 598 = 2 · 13 · 23, and then conclude that gcd(253, 598) = 23. This works well and it’s what most of us learned in school, but factoring integers is a slow process that becomes cumbersome for very large numbers. Fortunately, there is a better way.
1.3. Euclidean Algorithm
The Euclidean algorithm is an ancient, but efficient, method for finding the gcd of two integers. It is best explained in the context of an example, so let’s consider the last exercise of computing gcd(253, 598).
Example 1.2: To find gcd(253, 598), we first divide the larger number by the smaller. If you can do this in your head, great! Otherwise, use long division:

      2 R 92
253 ) 598
      506
      ---
       92

This means that
(1.1) 598 = 253(2) + 92.
Now, gcd(253, 598) clearly divides two of the three terms in (1.1), so it must also divide the third. In other words, since gcd(253, 598) | 598 and gcd(253, 598) | 253(2), we can conclude that gcd(253, 598) | 92. A similar argument shows that gcd(92, 253) also divides all three terms in (1.1), so we can conclude that gcd(253, 598) = gcd(92, 253). This allows us to exchange a hard problem for an easier one, and we can do this type of reduction repeatedly until the gcd(253, 598) is obvious. Since

¹ Some authors use the equivalent gcf for greatest common factor, but we use gcd.
253 ÷ 92 = 2 with remainder 69, we have gcd(253, 598) = gcd(92, 253) = gcd(69, 92). Finally, 92 ÷ 69 = 1 with remainder 23, so gcd(253, 598) = gcd(92, 253) = gcd(69, 92) = gcd(23, 69). Since 23 | 69, gcd(253, 598) = 23. Let’s review what we’ve done for this problem. By repeated use of long division, we have found that
598 = 253(2) + 92
253 = 92(2) + 69
92 = 69(1) + 23
69 = 23(3) + 0.
Once we reach a remainder of zero, the algorithm stops because the smaller number divides the larger. Therefore, the second-to-last remainder (written on the right) is the gcd. In this case, it’s 23.
Example 1.3: Let’s work through another example: gcd(226, 270). Repeated use of long division gives
(1.2a) 270 = 226(1) + 44
(1.2b) 226 = 44(5) + 6
(1.2c) 44 = 6(7) + 2
(1.2d) 6 = 2(3) + 0.
The second-to-last remainder is 2, so gcd(226, 270) = 2. That is the Euclidean algorithm. We could stop here and move on, but let’s be sure we understand how the Euclidean algorithm works. In (1.2a), the remainder is 44, so gcd(226, 270) = gcd(44, 226). In (1.2b), the remainder is 6, so gcd(226, 270) = gcd(44, 226) = gcd(6, 44). In (1.2c), the remainder is 2, so gcd(226, 270) = gcd(44, 226) = gcd(6, 44) = gcd(2, 6). Finally, in (1.2d), the remainder is 0, so the algorithm stops and gcd(226, 270) = gcd(44, 226) = gcd(6, 44) = gcd(2, 6) = 2. In general, to use the Euclidean algorithm to find gcd(a, b), you divide the larger of the two numbers a and b by the smaller one. Each step after that involves “sliding” and long division. By “sliding”, we mean that the divisor and remainder move to the left so that they become the new dividend and divisor, respectively. For example, the 226 and 44 slide left from (1.2a) to (1.2b). In general, you continue this process until the last remainder is 0.
Example 1.4: Let’s do one final example. The gcd(343, 454) = 1 since
(1.3a) 454 = 343(1) + 111
(1.3b) 343 = 111(3) + 10
(1.3c) 111 = 10(11) + 1
(1.3d) 10 = 1(10) + 0.
1.4. Extended Euclidean Algorithm
We’re now going to cover the extended Euclidean algorithm. It won’t be immediately obvious why this is important, but it will be very important to us before the end of the chapter. Number theory texts like [6] and [8] typically include a theorem like the following.
THEOREM 1.2. There exist integers x and y such that ax + by = gcd(a, b).
Example 1.5: If a = 7 and b = 35, then x = 5 and y = 0 satisfy ax + by = gcd(a, b). Note, however, that Theorem 1.2 does not claim that x and y are unique, so other values for x and y are possible. In this case, other possibilities include x = 6, y = −1 and x = −4, y = 1. We won’t prove Theorem 1.2, but we will show you how to find x and y by extending the Euclidean algorithm. This is a little tricky at first, but it’s pretty easy after you’ve done a few examples. One of the hardest ideas is to remember not to explicitly multiply any of the remainders. The only time you’d want to multiply them is to check your calculations.
Example 1.6: Recall Example 1.4 in which we found gcd(343, 454) = 1. Beginning with the equation (1.3c) (i.e. the second-to-last equation, the one that gives us the gcd), we work backwards to find values for x and y.
(1.4a) 1 = 111 − 10(11)
(1.4b) = 111 − (343 − 111(3))(11) = 111(34) − 11(343)
(1.4c) = (454 − 343(1))(34) − 11(343) = 454(34) − 45(343)
Equation (1.4a) is just (1.3c) rearranged so that the gcd is on the left. We successively solve for and substitute the remainders in (1.3c)–(1.3a) (working backwards) to obtain (1.4a)–(1.4c). Specifically, solving (1.3b) for 10 (the remainder) and substituting into (1.4a) gives (1.4b). Solving (1.3a) for 111 and substituting into (1.4b) gives (1.4c), which implies that if a = 343 and b = 454, then x = −45 and y = 34.
Example 1.7: Here’s another example. Using the Euclidean algorithm to find gcd(233, 97), we have
(1.5a) 233 = 97(2) + 39 ⇒ 39 = 233 − 97(2)
(1.5b) 97 = 39(2) + 19 ⇒ 19 = 97 − 39(2)
(1.5c) 39 = 19(2) + 1 ⇒ 1 = 39 − 19(2).
Note that we have solved for the remainders in addition to finding the gcd. Working backwards, we begin with (1.5c) and substitute the remainders in ascending order. We simplify at each step, being careful not to explicitly multiply the remainders or the original two numbers.
(1.6a) 1 = 39 − 19(2) (from (1.5c))
(1.6b) = 39 − (97 − 39(2))(2) (substituting the remainder from (1.5b))
(1.6c) = 39(5) − 97(2) (simplifying (1.6b))
(1.6d) = (233 − 97(2))(5) − 97(2) (substituting the remainder from (1.5a))
(1.6e) = 233(5) − 97(12) (simplifying (1.6d)).
If a = 233 and b = 97, then x = 5 and y = −12 satisfy ax + by = gcd(a, b).
Classroom Exercise 1.3: Use the extended Euclidean algorithm to find values for x and y according to Theorem 1.2 for the following gcds.
(1) gcd(24, 54)
(2) gcd(33, 192)
(3) gcd(756, 942)
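The Euclidean algorithm of Section 1.3 and the back-substitution of Section 1.4, written out as code that records the same long-division steps the examples above show. This is an added illustration, not code from the course notes; the function names are my own.

```python
"""Euclidean and extended Euclidean algorithms with the step-by-step trace
used in Examples 1.2-1.7.  Added illustration, not code from the course
notes; all function names are my own."""


def euclid_steps(a, b):
    """Long-division steps of the Euclidean algorithm for positive a, b.

    Each step is (dividend, divisor, quotient, remainder), meaning
    dividend = divisor(quotient) + remainder.  The first step divides the
    larger number by the smaller; afterwards the divisor and remainder
    "slide" left to become the new dividend and divisor, until the
    remainder is 0."""
    if a <= 0 or b <= 0:
        raise ValueError("both numbers must be positive")
    big, small = max(a, b), min(a, b)
    steps = []
    while small != 0:
        q, r = divmod(big, small)
        steps.append((big, small, q, r))
        big, small = small, r
    return steps


def format_steps(a, b):
    """The steps written the way the notes write them, e.g. '598 = 253(2) + 92'."""
    return ["%d = %d(%d) + %d" % step for step in euclid_steps(a, b)]


def gcd(a, b):
    """gcd(a, b) is the second-to-last remainder, i.e. the divisor of the
    final step (the one whose remainder is 0)."""
    return euclid_steps(a, b)[-1][1]


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b), found by working
    backwards through the steps as in (1.4a)-(1.4c) and (1.6a)-(1.6e).

    Invariant: g == cb*big + cs*small for the current (big, small) pair.
    Moving one step back, (big, small) equals (prev_small, prev_r) and
    prev_r = prev_big - prev_small*prev_q, so substituting gives
    g == cs*prev_big + (cb - cs*prev_q)*prev_small.  The remainders are
    never multiplied out; only their coefficients are tracked."""
    steps = euclid_steps(a, b)[:-1]        # drop the step with remainder 0
    big, small = max(a, b), min(a, b)
    if not steps:                          # small divides big: g = small
        cb, cs = 0, 1
    else:
        big, small, q, _ = steps[-1]       # g = big - small*q
        cb, cs = 1, -q
        for prev_big, prev_small, prev_q, _ in reversed(steps[:-1]):
            cb, cs = cs, cb - cs * prev_q
            big, small = prev_big, prev_small
    g = cb * big + cs * small
    # (big, small) is (max, min) of (a, b); map the coefficients back to a, b.
    x, y = (cb, cs) if a >= b else (cs, cb)
    assert a * x + b * y == g              # the check the notes recommend
    return g, x, y


if __name__ == "__main__":
    for line in format_steps(253, 598):    # Example 1.2
        print(line)
    print("gcd(253, 598) =", gcd(253, 598))
    g, x, y = extended_gcd(343, 454)       # Example 1.6
    print("343(%d) + 454(%d) = %d" % (x, y, g))
```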
1.5. Relatively Prime Numbers
Definition 1.2: Two integers a and b are relatively prime² if gcd(a, b) = 1.
Note that a number doesn’t need to be prime to be relatively prime to another number, and prime numbers are not relatively prime to every other positive integer. Consider the following examples.
Example 1.8: Neither 14 nor 25 is prime, but they are relatively prime since gcd(14, 25) = 1.
Example 1.9: Integers 14 and 16 are both composite and they are not relatively prime to each other since gcd(14, 16) = 2.
Example 1.10: Although 13 is prime, it is not relatively prime to 39 since gcd(13, 39) = 13.
Example 1.11: Two distinct prime numbers like 13 and 17 are relatively prime.
Classroom Exercise 1.4: Determine which of the following pairs of numbers are relatively prime.
(1) 26 and 15
(2) 54 and 99
(3) 234 and 555
1.6. Modular Arithmetic
We learn to do arithmetic (addition, subtraction, multiplication, and division) with integers early in grade school, and later we learn about real numbers, usually starting with fractions and then proceeding to decimals. In cryptology, we will usually work only with integers modulo some positive integer n. Our task in this section is to figure out what that means.
Definition 1.3: Integers a and b are congruent modulo n if n | (a − b). If two numbers are congruent modulo n, then we write a ≡ b mod n.
Example 1.12: Here are some examples.
(1) 7 ≡ 7 mod 21 since 21 | (7 − 7).
(2) 14 ≡ 2 mod 3 since 3 | (14 − 2).
(3) 2 ≡ 12 mod 5 since 5 | (2 − 12).
² Many authors refer to relatively prime numbers as coprime.
We usually reduce integers to the set {0, 1, 2, ..., n − 1} modulo n,³ so, for example, it would be more common to write 12 ≡ 2 mod 5 than 2 ≡ 12 mod 5, even though both are correct. We have two main ways to reduce a mod n.
• If a ≥ 0, then we can replace a with its remainder when it is divided by n. Continuing Example 1.12, 7 ≡ 7 mod 21 since 7 ÷ 21 = 0 with remainder 7, and 14 ≡ 2 mod 3 since 14 ÷ 3 = 4 with remainder 2.
• We can add or subtract multiple copies of n since n ≡ 0 mod n, which is especially helpful for a < 0. For example, −7 ≡ 3 mod 5 since −7 + 2(5) ≡ 3 mod 5. The following table shows integers x reduced modulo 5 to the set {0, 1, 2, 3, 4}.
x       ... −7 −6 −5 −4 −3 −2 −1  0  1  2  3  4  5  6  7  8  9 10 11 12 ...
x mod 5 ...  3  4  0  1  2  3  4  0  1  2  3  4  0  1  2  3  4  0  1  2 ...
Classroom Exercise 1.5: Reduce the following numbers modulo 16 to the set {0, 1, 2, ..., 15}.
(1) 27
(2) 544
(3) −32
Addition, subtraction, and multiplication modulo n all work exactly as you would expect. You are free to make the calculations as simple as you can by reducing operands modulo n at any time, as shown in Example 1.13. One thing you may not do, however, is change powers. For example, 6¹⁹ is not congruent to 6⁻¹ mod 20.
Example 1.13: Reduce the following modulo 25.
(1) 6 + 7(4) = 34 ≡ 9 mod 25. In this case, we waited until the calculation was completed to reduce it modulo 25.
(2) 26 + 27(14) ≡ 1 + 2(14) = 29 ≡ 4 mod 25. Here, we began by reducing 26 and 27, did the calculation, and then reduced the answer.
(3) Don’t hesitate to use negative numbers if it’s convenient. For instance, 24 + 27(20) ≡ −1 + 2(−5) = −11 = −11 + 0 ≡ −11 + 25 = 14 mod 25.
Classroom Exercise 1.6: Reduce the following modulo 32.
(1) 3(15) − 4(2)
(2) 30(29)(27) − 1(2)(3)²
(3) 9 − 3(4)⁶ + 20
³ This is what the % operator does in C/C++ and what the Mod and mod commands do in Mathematica and Matlab, respectively.
Here are addition and multiplication tables modulo 9.
(1.7)
+ | 0 1 2 3 4 5 6 7 8        × | 0 1 2 3 4 5 6 7 8
--+------------------        --+------------------
0 | 0 1 2 3 4 5 6 7 8        0 | 0 0 0 0 0 0 0 0 0
1 | 1 2 3 4 5 6 7 8 0        1 | 0 1 2 3 4 5 6 7 8
2 | 2 3 4 5 6 7 8 0 1        2 | 0 2 4 6 8 1 3 5 7
3 | 3 4 5 6 7 8 0 1 2        3 | 0 3 6 0 3 6 0 3 6
4 | 4 5 6 7 8 0 1 2 3        4 | 0 4 8 3 7 2 6 1 5
5 | 5 6 7 8 0 1 2 3 4        5 | 0 5 1 6 2 7 3 8 4
6 | 6 7 8 0 1 2 3 4 5        6 | 0 6 3 0 6 3 0 6 3
7 | 7 8 0 1 2 3 4 5 6        7 | 0 7 5 3 1 8 6 4 2
8 | 8 0 1 2 3 4 5 6 7        8 | 0 8 7 6 5 4 3 2 1
Note that the addition table is more regular or predictable than the multiplication table. Later in this chapter, we will use both addition and multiplication to encrypt messages, and we’ll see that multiplication makes a greater contribution to the strength of the encryption algorithm.
Classroom Exercise 1.7: Complete the following addition and multiplication tables modulo 6.
+ | 0 1 2 3 4 5        × | 0 1 2 3 4 5
--+------------        --+------------
0 |                    0 |
1 |                    1 |
2 |                    2 |
3 |                    3 |
4 |                    4 |
5 |                    5 |
Division. We haven’t mentioned modular division yet because it is much more difficult. Before we do so, let’s think about the real number division we’re much more familiar with. To compute 156 ÷ 13, we might ask ourselves, “What number a, when multiplied by 13, gives 156?” A little thought reveals that a = 12. We can also think of division as multiplication by a multiplicative inverse (or reciprocal), so 156 ÷ 13 = 156 · (1/13) = 12. Remember that all real numbers have multiplicative inverses except for zero.
It’s not immediately obvious what 4/5 mod 9 is since 4/5 is not an integer. To make sense of 4/5 mod 9, we need to ask ourselves the same basic question we did above: “What number a, when multiplied by 5, gives 4 modulo 9?” In other words, we need to solve the congruence 5a ≡ 4 mod 9. Because the modulus is small, we could find a by trial and error or by looking in the multiplication table in (1.7) to see that 5 × 8 ≡ 4 mod 9, so we could say that 4/5 ≡ 8 mod 9. However, division is not always well-defined. For instance, if we tried to compute 5/3 mod 9, we would fail because the table in (1.7) shows that there is no number which, when multiplied by 3, gives 5 mod 9. Because of this, mathematicians don’t like to talk about division at all in the context of modular arithmetic. Instead, we talk about multiplicative inverses, but we have to be aware that some numbers may not be invertible modulo n. As you can see from (1.7), 1⁻¹ = 1, 2⁻¹ = 5, 4⁻¹ = 7, 5⁻¹ = 2, 7⁻¹ = 4, and 8⁻¹ = 8 mod 9, but 3 and 6 do not have multiplicative inverses. What’s special about 3 and 6? The rows (or columns) for 3 and 6 in (1.7) contain only multiples of 3. Why is that the case? Here’s why. If a ∈ {0, 1, 2, ..., n − 1}, then gcd(a, n) divides any integer multiple of a as well as any number that is congruent to a modulo n. Continuing our example, let a = 5 and n = 9. Clearly, gcd(5, 9) = 1 divides every integer multiple of 5.
Likewise, if a = 3, then gcd(3, 9) = 3 divides every integer multiple of 3, so 1 cannot be a multiple of 3, which means that 3 is not invertible. The same is true for 6. So, in general, a number a is not invertible modulo n if gcd(a, n) ≠ 1. Does that mean that all other numbers are invertible? Well, yes, but it’s not obvious.
THEOREM 1.3. If gcd(a, n) = 1, then the set {a mod n, 2a mod n, ..., (n − 1)a mod n} has all distinct values.
PROOF. We prove this theorem by contradiction. Suppose that some pair of values in {a mod n, 2a mod n, ..., (n − 1)a mod n} are the same. More precisely, suppose that there exist integers x and y ∈ {1, 2, ..., n − 1} such that x ≠ y and xa ≡ ya mod n. Then n | a(x − y), and since gcd(a, n) = 1, it must be that n | (x − y). Since x, y ∈ {1, 2, ..., n − 1}, the difference x − y lies strictly between −n and n, and the only multiple of n in that range is 0, so we conclude that x = y, which is a contradiction.
Since the set {a mod n, 2a mod n, ..., (n − 1)a mod n} has n − 1 distinct values, those values are congruent to 1, 2, ..., n − 1 in some order. Therefore, in summary, if gcd(x, n) = 1, then x is invertible modulo n, and if gcd(x, n) ≠ 1, then x is not invertible modulo n.
Example 1.14: It is helpful to look at another example. Here is a multiplication table modulo 20.
(1.8)
 × |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
---+------------------------------------------------------------
 0 |  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
 2 |  0  2  4  6  8 10 12 14 16 18  0  2  4  6  8 10 12 14 16 18
 3 |  0  3  6  9 12 15 18  1  4  7 10 13 16 19  2  5  8 11 14 17
 4 |  0  4  8 12 16  0  4  8 12 16  0  4  8 12 16  0  4  8 12 16
 5 |  0  5 10 15  0  5 10 15  0  5 10 15  0  5 10 15  0  5 10 15
 6 |  0  6 12 18  4 10 16  2  8 14  0  6 12 18  4 10 16  2  8 14
 7 |  0  7 14  1  8 15  2  9 16  3 10 17  4 11 18  5 12 19  6 13
 8 |  0  8 16  4 12  0  8 16  4 12  0  8 16  4 12  0  8 16  4 12
 9 |  0  9 18  7 16  5 14  3 12  1 10 19  8 17  6 15  4 13  2 11
10 |  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10  0 10
11 |  0 11  2 13  4 15  6 17  8 19 10  1 12  3 14  5 16  7 18  9
12 |  0 12  4 16  8  0 12  4 16  8  0 12  4 16  8  0 12  4 16  8
13 |  0 13  6 19 12  5 18 11  4 17 10  3 16  9  2 15  8  1 14  7
14 |  0 14  8  2 16 10  4 18 12  6  0 14  8  2 16 10  4 18 12  6
15 |  0 15 10  5  0 15 10  5  0 15 10  5  0 15 10  5  0 15 10  5
16 |  0 16 12  8  4  0 16 12  8  4  0 16 12  8  4  0 16 12  8  4
17 |  0 17 14 11  8  5  2 19 16 13 10  7  4  1 18 15 12  9  6  3
18 |  0 18 16 14 12 10  8  6  4  2  0 18 16 14 12 10  8  6  4  2
19 |  0 19 18 17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
Which numbers are invertible? That is, which numbers have a 1 in their respective rows (or columns)? The invertible integers modulo 20 are 1, 3, 7, 9, 11, 13, 17, and 19, which leaves out all even integers and multiples of 5 since 20 = 2² · 5. Also, note that the invertible numbers have every integer from 0 to 19 in their rows (or columns), whereas non-invertible numbers do not.
Now that we know which integers are invertible modulo n, we’d like to have a systematic way of finding inverses. Tables are nice for small moduli, but are unwieldy for large ones. Fortunately, the extended Euclidean algorithm gives us a nice algorithm for computing inverses. Recall that if gcd(a, n) = 1, then there exist integers x and y such that
(1.9) ax + ny = 1,
and we can find x and y using the extended Euclidean algorithm. Reducing (1.9) modulo n gives
(1.10) ax ≡ 1 mod n,
which implies that x = a⁻¹.
Example 1.15: To find 17⁻¹ mod 20, we use the extended Euclidean algorithm.
20 = 17 · 1 + 3
17 = 3 · 5 + 2
3 = 2 · 1 + 1
Technically, we should go one step further to get a remainder of zero, but we know that the gcd is 1, so there is no practical need to continue. Working backward,
1 = 3 − 2
= 6 · 3 − 17
= 6 · 20 − 7(17).
This implies that 17(−7) ≡ 1 mod 20, so 17⁻¹ = −7 ≡ 13 mod 20. You can check this in the multiplication table in (1.8).
Example 1.16: To find 343⁻¹ mod 454, we can use the work we did in Example 1.6. Recall that we found that 1 = 454(34) − 45(343). Reducing modulo 454 gives 1 ≡ −45(343), so 343⁻¹ = −45 ≡ 409 mod 454. You can check this with a calculator by multiplying 343 by 409 to get 140,287. To reduce modulo 454, we divide 140,287 by 454 to get 309.002. That tells us that 454 goes into 140,287 309 times. Subtracting, we find 140,287 − 454(309) = 1, so we know that our answer is correct.
Classroom Exercise 1.8: Find the following multiplicative inverses.
(1) 4⁻¹ mod 15
(2) 15⁻¹ mod 49
(3) 81⁻¹ mod 145
1.7. Solving Linear Congruences
Linear Congruences of the Form ax ≡ b mod n. Over the real numbers, the equation
(1.11) ax = b
has the unique solution x = b/a if a ≠ 0. If a = 0 and b ≠ 0, then there are no solutions, and if a = 0 and b = 0, then there are infinitely many solutions because x can have any real value. Similarly, a congruence like
(1.12) ax ≡ b mod n
may have a unique solution in {0, 1, 2, ..., n − 1}, no solution, or multiple solutions in {0, 1, 2, ..., n − 1}. Let’s illustrate with a few examples.
Example 1.17:
(1) 6x ≡ 12 mod 13 has the unique solution x = 2.
(2) 6x ≡ 12 mod 24 has six solutions x = 2, 6, 10, 14, 18, 22.
(3) 6x ≡ 11 mod 12 has no solution.
Our goal in this section is to find all solutions, if any, of congruences like (1.12). If ax ≡ b mod n has a solution, then there exists an integer m such that
(1.13) mn = ax − b.
The gcd(a, n) clearly divides the first two terms, mn and ax, in (1.13), so it must also divide b. Recall that all multiples of a modulo n are multiples of gcd(a, n), so b must be a multiple of gcd(a, n) for (1.12) to have a solution. For example, in (1.8), all multiples of 15 modulo 20 are 0, 5, 10 and 15, so a congruence of the form 15x ≡ b mod 20 only has solutions if b = 0, 5, 10, or 15. Let’s assume that gcd(a, n) | b so that at least one solution exists. Note that this is trivially true if a and n are relatively prime. How do we find a solution? Sometimes you can find a solution simply by looking at the congruence. For instance, it is pretty clear that x = 2 solves 6x ≡ 12 mod 13. The fancy way of saying this is that x = 2 is a solution “by inspection”. When we can’t find a solution by inspection, we can use the extended Euclidean algorithm. Let’s look at an example.
Example 1.18 (Unique Solution): To solve 17x ≡ 4 mod 20, we begin with the extended Euclidean algorithm.
20 = 17 · 1 + 3
17 = 3 · 5 + 2
3 = 2 · 1 + 1
Working backwards,
1 = 3 − 2
= 3 · 6 − 17
= 20 · 6 − 17 · 7.
Therefore, 17(−7) ≡ 1 mod 20. Multiplying both sides by 4 gives 17(−7 · 4) ≡ 4 mod 20 and x = −7 · 4 = −28 ≡ 12 mod 20. Since gcd(17, 20) = 1, x = 12 is the only solution.
If a congruence has multiple solutions, how do we find all of them? We begin by finding one solution using the extended Euclidean algorithm (or inspection). If solution(s) exist, then gcd(a, n) | b and there exists an integer m such that ax = b + nm. Dividing by gcd(a, n) gives
$$\frac{a}{\gcd(a,n)}\,x = \frac{b}{\gcd(a,n)} + \frac{n}{\gcd(a,n)}\,m,$$
so
(1.14) $$\frac{a}{\gcd(a,n)}\,x \equiv \frac{b}{\gcd(a,n)} \pmod{\frac{n}{\gcd(a,n)}}.$$
This congruence (1.14) has a unique solution since
$$\gcd\left(\frac{a}{\gcd(a,n)}, \frac{n}{\gcd(a,n)}\right) = 1.$$
Therefore, once one solution of ax ≡ b mod n is found, all other solutions in {0, 1, 2, ..., n − 1} can be found by adding (or subtracting) integer multiples of n/gcd(a, n) for a total of gcd(a, n) incongruent solutions.
Example 1.19 (Multiple Solutions): Solve 14x ≡ 4 mod 20. Since gcd(14, 20) = 2 and 2 | 4, this congruence has two solutions. Let’s use the extended Euclidean algorithm to find one of them.
20 = 14 · 1 + 6
14 = 6 · 2 + 2
6 = 3 · 2
Working backwards again,
2 = 14 − 6 · 2
= 14 · 3 − 20 · 2.
Therefore, 14(3) ≡ 2 mod 20. Multiplying both sides by 2 gives 14(3 · 2) ≡ 4 mod 20 and x = 6. Since gcd(14, 20) = 2, there is a second solution that we obtain by adding n/gcd(a, n) = 20/2 = 10 to x = 6. Therefore, the two solutions in {0, 1, 2, ..., 19} are x = 6 and x = 16. Another way to view this example is to return to the multiplication table in (1.8) and note that each row (or column) cycles through multiples of the appropriate gcd. In the case of 14, the multiples cycle through 0, 14, 8, 2, 16, 10, 4, 18, 12, 6 twice, so the two solutions must be 10 apart.
Example 1.20 (No Solution): The congruence 14x ≡ 5 mod 20 has no solution since gcd(14, 20) = 2 ∤ 5.
Example 1.21: To solve 2x − 4 ≡ 7 mod 13, simply add 4 to both sides and proceed as above to find x = 12.
In summary, you can always tell if ax ≡ b mod n has a solution by determining if gcd(a, n) divides b. If not, then there is no solution. If gcd(a, n) does divide b, then the number of solutions is equal to gcd(a, n) and the solutions are n/gcd(a, n) apart. For instance, x = 1 is clearly a solution of 13x ≡ 13 mod 39. Since gcd(13, 39) = 13, there are a total of 13 solutions in {0, 1, 2, ..., 38} and they are separated by 39/13 = 3, so the complete set of solutions is x = 1, 4, 7, 10, 13, 16, 19, 22, 25, 28, 31, 34, 37.
Classroom Exercise 1.9: Find all solutions, if any, of the following congruences.
(1) 18x ≡ 3 mod 31
(2) 18x ≡ 16 mod 30
(3) 18x ≡ 24 mod 30
Linear Systems of Congruences. Let’s confine our attention to systems of congruences in two variables because this is sufficient for our cryptologic needs later in the chapter. If a, b, c, d, e, f ∈ {0, 1, ..., (n − 1)}, then our goal is to solve
ax + by ≡ e
cx + dy ≡ f   (mod n)
for x and y, if possible. Standard algebraic manipulations reduce the system to the pair of congruences⁴
(1.15) (ad − bc)x ≡ ed − bf,   (ad − bc)y ≡ af − ce   (mod n).
For solutions to exist, gcd(ad − bc, n) must divide both (ed − bf) and (af − ce). In practice, however, we don’t recommend memorizing (1.15). Instead, just use the familiar methods of substitution and elimination from high school algebra. Be aware, however, that you have to be careful about both multiplying and dividing. Division is obviously a problem since it isn’t properly defined, but multiplication can also cause trouble because multiplying equations by constants can lead to spurious solutions. For example, the congruence 3x ≡ 3 mod 8 has the unique solution x = 1. However, multiplying both sides by 2 gives 6x ≡ 6 mod 8, which has two solutions, x = 1 and x = 5, the second of which is spurious. If you can, try to only multiply by integers that are relatively prime to the modulus. If you can’t help it, be sure to check your solutions in the original congruences.
⁴ These may look familiar if you have seen Cramer’s rule before.
Example 1.22 (Substitution): Some systems make the method of substitution attractive. For example,
3x + 2y ≡ 0
x − 3y ≡ 2   (mod 7)
suggests solving the second equation for x and substituting into the first to find 3(3y + 2) + 2y ≡ 0, which reduces to 4y ≡ 1 mod 7. The extended Euclidean algorithm then implies that y = 2 and, consequently, x = 1.
Example 1.23 (Elimination): In this example, we might choose to use elimination.
3x + 2y ≡ 0
2x − 3y ≡ 2   (mod 7)
We could solve either congruence for x or y since all coefficients are relatively prime to the modulus, but that isn’t particularly appealing. Instead, let’s multiply the first equation by 2 and the second by 3 to find
6x + 4y ≡ 0
6x − 9y ≡ 6   (mod 7),
or, equivalently,
6x + 4y ≡ 0
6x + 5y ≡ 6   (mod 7).
Multiplying the congruences by 2 and 3 is OK here because both constants are relatively prime to the modulus. Subtracting the first congruence from the second gives y ≡ 6, and substituting into 6x + 4y ≡ 0 implies that x ≡ 4y ≡ 3 mod 7.
Example 1.24 (Multiple Solutions): We might choose to solve this system
12x + y ≡ 13
4x − 3y ≡ 7   (mod 26)
by multiplying the second congruence by 3 and subtracting to find 10y ≡ −8 mod 26, which has two solutions since gcd(10, 26) | −8. Using the extended Euclidean algorithm, we find that y = 7 and y = 20. Plugging these values back into the second congruence gives 4x ≡ 2 mod 26 and 4x ≡ 15 mod 26. The former has two solutions, x = 7 and x = 20, but the second has no solutions. Overall, we have two solutions: (7, 7) and (20, 7). An alternative way to solve this problem is to solve the first congruence for y ≡ 13 − 12x and substitute into the second to find 14x ≡ 20 mod 26, which gives x = 7 and x = 20. Both values of x give y = 7.
Example 1.25 (Spurious Solutions): As a final example, consider
12x + 2y ≡ 14
3x − 3y ≡ 8   (mod 26).
Multiplying the second congruence by 4 and subtracting it from the first gives 14y ≡ 8 mod 26, which has two solutions y = 8 and y = 21. Plugging these values back into the first congruence gives 12x ≡ 24 mod 26 for both y = 8 and y = 21. The solutions for x are obviously x = 2 and x = 15, so, overall, we have four putative solutions
(2, 8), (2, 21), (15, 8), and (15, 21).
However, since we multiplied by 4, which is not relatively prime to the modulus, we suspect spurious solutions. Plugging all four solutions back into the original system shows that only (2, 8) and (15, 21) are solutions of the original problem. Note that it would have been more efficient to solve for x using the second congruence because 3 is relatively prime to 26, so no spurious solutions are produced in that case.
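The inverse computation of Examples 1.15–1.16, the solution count of Section 1.7, and the two-variable systems of Examples 1.22–1.25, carried out in one place. This is an added illustration rather than code from the course notes; the function names are my own, and the system solver uses the eliminated form (1.15) for candidates and then checks each against the original congruences, which is exactly how spurious solutions are weeded out above.

```python
"""Solving ax ≡ b (mod n), multiplicative inverses, and 2x2 linear systems of
congruences, as in Sections 1.6-1.7.  Added illustration, not code from the
course notes; function names are my own."""


def extended_gcd(a, b):
    """Iterative extended Euclidean algorithm: (g, x, y) with a*x + b*y = g."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """a^(-1) mod n from ax + ny = 1, equations (1.9)-(1.10).  Returns None
    when gcd(a, n) != 1, since a is then not invertible modulo n."""
    g, x, _ = extended_gcd(a % n, n)
    return x % n if g == 1 else None


def solve_linear(a, b, n):
    """All solutions of a*x ≡ b (mod n) in {0, ..., n-1}, in increasing order.

    Let g = gcd(a, n).  If g does not divide b there is no solution.
    Otherwise one solution comes from the extended Euclidean algorithm and
    the others are n/g apart, for g solutions in total (equation (1.14))."""
    a, b = a % n, b % n
    g, x, _ = extended_gcd(a, n)          # a*x + n*y = g
    if b % g != 0:
        return []
    step = n // g
    x0 = (x * (b // g)) % step            # a*(x*b/g) ≡ b (mod n)
    return [x0 + i * step for i in range(g)]


def solve_system(a, b, c, d, e, f, n):
    """All (x, y) with a*x + b*y ≡ e and c*x + d*y ≡ f (mod n).

    Candidates come from the eliminated form (1.15):
        (ad - bc)x ≡ ed - bf,   (ad - bc)y ≡ af - ce   (mod n).
    Elimination multiplies by coefficients that need not be invertible, so
    every candidate pair is checked against the original congruences and
    the spurious ones are discarded."""
    det = a * d - b * c
    xs = solve_linear(det, e * d - b * f, n)
    ys = solve_linear(det, a * f - c * e, n)
    return [(x, y) for x in xs for y in ys
            if (a * x + b * y - e) % n == 0 and (c * x + d * y - f) % n == 0]


if __name__ == "__main__":
    print(mod_inverse(17, 20), mod_inverse(343, 454))        # Examples 1.15, 1.16
    print(solve_linear(17, 4, 20), solve_linear(14, 4, 20),   # Examples 1.18, 1.19
          solve_linear(14, 5, 20))                            # Example 1.20
    print(solve_system(12, 2, 3, -3, 14, 8, 26))              # Example 1.25
```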
Remark 1.1: If the idea of spurious solutions is disconcerting to you, please recall that you have seen this before in “regular algebra” over the reals when you multiply both sides of an equation by zero or when you square both sides of an equation. For example, multiplying both sides of the incorrect equation 3 = 4 by zero gives 0 = 0, which is correct. Likewise, squaring both sides of −3 = 3 gives 9 = 9. More realistically, to solve
(1.16) $$\frac{1}{(x-6)(x-2)} + \frac{1}{(x+2)(x-2)} = \frac{x+4}{(x-6)(x+2)},$$
we might multiply both sides of the equation by (x − 2)(x + 2)(x − 6) to clear the fractions. This gives
(x + 2) + (x − 6) = (x + 4)(x − 2),
which simplifies to x² = 4. So the solutions of (1.16) are x = ±2, right? Wrong. Equation (1.16) has no solutions. When we multiplied by (x − 2)(x + 2)(x − 6), we were effectively multiplying by zero if x = ±2, and that introduced the false solutions. Similarly, if we square both sides of
(1.17) $$\frac{\sqrt{1-x}}{\sqrt{x-2}} = 1,$$
and cross multiply, we obtain 1 − x = x − 2, which implies that x = 3/2. However, (1.17) has no real solutions since the numerator of the expression on the left implies that x ≤ 1 and the denominator implies that x > 2, and there are no such values of x.⁵
1.8. Additive Cipher
One of the earliest known ciphers is the Caesar cipher. Suetonius [12] claims that Julius Caesar used a simple shift cipher to encrypt private messages in letters to Cicero and other friends. He simply replaced each a by d, b by e, etc..., wrapping around at the end of the alphabet so each x is replaced by an a, y by b, and z by c. The following chart makes it easier to implement the Caesar cipher.
For example, the message mathisreallyfun is encrypted as pdwklvuhdoobixq. Anyone except the intended recipient would only see gibberish and would not know that mathisreallyfun. Note that this example uses the standard (modern) English alphabet, with no spaces, capital letters, or punctuation. We could accommodate spaces, capitals, punctuation, digits, and any other symbols that we choose, but we’ll stick with the 26-letter alphabet for simplicity. Recall that we refer to the original message mathisreallyfun as plaintext and the encrypted message pdwklvuhdoobixq as ciphertext.
⁵ This has nothing to do with cryptology, but if you want to see something really interesting, try to solve (1.17) by graphing y = √(1 − x)/√(x − 2) and y = 1 on your calculator and looking for the intersection of the two graphs. What do you find?
We can make the implementation of the Caesar cipher more efficient and computer-ready by making the cipher mathematical. We can do this simply by associating a with 0, b with 1, ..., and z with 25 as shown in the following chart.⁶
a b c d e f g h i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0 1 2 3 4 5 6 7 8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Now the plaintext mathisreallyfun and ciphertext pdwklvuhdoobixq can be regarded as sequences of integers
{pᵢ}ᵢ₌₁¹⁵ = {12, 0, 19, 7, 8, 18, 17, 4, 0, 11, 11, 24, 5, 20, 13},
and
{cᵢ}ᵢ₌₁¹⁵ = {15, 3, 22, 10, 11, 21, 20, 7, 3, 14, 14, 1, 8, 23, 16}.
The cipher characters can be obtained mathematically from the formula
(1.18) cᵢ = pᵢ + 3 mod 26, i = 1, 2, ..., 15,
and the plaintext can likewise be found by solving (1.18) for pᵢ,
(1.19) pᵢ = cᵢ − 3 mod 26, i = 1, 2, ..., 15.
Note that we need to work modulo 26 because we have a 26-letter alphabet. For example, the plaintext y (a.k.a. 24) is encrypted to b (a.k.a. 24 + 3 = 27 ≡ 1 mod 26). The additive cipher is just like the Caesar cipher, except that the shift doesn’t have to be 3. If we stick with a 26-letter alphabet, then the shift, let’s call it k (for key), can, in principle, be any integer between 0 and 25, inclusive. Then, (1.18) becomes
(1.20) cᵢ = pᵢ + k mod 26.
If k = 0, then cᵢ = pᵢ, so we really should take k ∈ {1, 2, ..., 25}. The modulus 26 is the length of the alphabet, so if you change the alphabet by adding or deleting characters, then you simply change 26 to the appropriate value.
Example 1.26: Suppose that the plaintext is thequickbrownfoxjumpsoverthelazydog and k = 4. Each plaintext letter is encrypted by adding 4 to it modulo 26 according to the encryption equation (1.20). The first plaintext letter t has a numerical value of 19, and adding four to it makes it 23, which is x. The next letter h corresponds to 7, which becomes 11 or l. Repeating this for the entire message turns thequickbrownfoxjumpsoverthelazydog into xliuymgofvsarjsbnyqtwszivxlipedchsk. The rest of the details are shown in the following table.
Plaintext     t  h  e  q  u  i  c  k  b  r  o  w  n  f  o  x  j  u  m  p  s  o  v  e  r  t  h  e  l  a  z  y  d  o  g
Coded plain  19  7  4 16 20  8  2 10  1 17 14 22 13  5 14 23  9 20 12 15 18 14 21  4 17 19  7  4 11  0 25 24  3 14  6
Coded cipher 23 11  8 20 24 12  6 14  5 21 18  0 17  9 18  1 13 24 16 19 22 18 25  8 21 23 11  8 15  4  3  2  7 18 10
Ciphertext    x  l  i  u  y  m  g  o  f  v  s  a  r  j  s  b  n  y  q  t  w  s  z  i  v  x  l  i  p  e  d  c  h  s  k
Classroom Exercise 1.10: Use the Caesar cipher to encrypt theworldisabookandthosewhodonottravelreadonlyapage.⁷
Classroom Exercise 1.11: Decrypt the additive ciphertext mnudpuzftqtmzpueiadftfiauzftqnget with k = 12.
⁶ Some authors associate a with 1, b with 2, ..., and z with 26, but our way is more convenient.
⁷ St. Augustine
k   Putative Plaintext
0   teefxgurgtmnkxwxlbkxmhdghp
1   sddewftqfslmjwvwkajwlgcfgo
2   rccdvesperklivuvjzivkfbefn
3   qbbcudrodqjkhutuiyhujeadem
4   paabtcqncpijgtsthxgtidzcdl
5   ozzasbpmbohifsrsgwfshcybck
6   nyyzraolangherqrfvergbxabj
7   mxxyqznkzmfgdqpqeudqfawzai
8   lwwxpymjylefcpopdtcpezvyzh
9   kvvwoxlixkdebonocsbodyuxyg
10  juuvnwkhwjcdanmnbrancxtwxf
11  ittumvjgvibczmlmaqzmbwsvwe
12  hsstluifuhabylklzpylavruvd
13  grrskthetgzaxkjkyoxkzuqtuc
14  fqqrjsgdsfyzwjijxnwjytpstb
15  eppqirfcrexyvihiwmvixsorsa
16  doophqebqdwxuhghvluhwrnqrz
17  cnnogpdapcvwtgfguktgvqmpqy
18  bmmnfoczobuvsfeftjsfuplopx
19  allmenbynaturedesiretoknow
20  zkkldmaxmzstqdcdrhqdsnjmnv
21  yjjkclzwlyrspcbcqgpcrmilmu
22  xiijbkyvkxqrobabpfobqlhklt
23  whhiajxujwpqnazaoenapkgjks
24  vgghziwtivopmzyzndmzojfijr
25  uffgyhvshunolyxymclyniehiq
Table 1.1: Exhaustive cryptanalysis of the additive ciphertext teefxgurgtmnkxwxlbkxmhdghp. Clearly, k = 19 is the correct key.
1.9. Cryptanalysis of the Additive Cipher
Recall that cryptanalysis involves reading enciphered messages without knowing the key. Since the additive cipher has a single key k that can only take on 26 − 1 = 25 different values, modern computers can easily be programmed to find the correct key simply by exhaustively trying all 25 values for k. Suppose, for example, that we intercept the message teefxgurgtmnkxwxlbkxmhdghp. We can just try all values for k as shown in Table 1.1. There is no mistaking k = 19 as the correct key and the message as a pearl of wisdom from Aristotle.
The method of exhaustion is not very interesting and it does not prepare us to study more complicated ciphers for which exhaustion is not an option. Frequency analysis, in contrast, provides a more fruitful approach to cryptanalyzing the additive cipher. Each letter or character in a language tends to occur with a certain frequency. For example, the letter e is the most common letter in the English alphabet, appearing approximately 12% of the time, while j, q, x, and z are much less common, occurring about 0.1% of the time. A bar chart of letter frequencies can be found in Figure 1.1 and the corresponding numerical frequencies are shown in Table 1.2. Knowing these frequencies greatly enhances our ability to cryptanalyze ciphertext because, for example, every e in the plaintext is encrypted to the same ciphertext character, so that character should appear approximately 12% of the time in the cipher. For example, the additive ciphertext with k = 18 for theeaglesaregreat is lzwwsydwksjwyjwsl and every plaintext e is encrypted as a w. You might ask how reliable the letter frequencies in Figure 1.1 really are, so let’s look at some examples. Figure 1.2 shows a stacked bar chart that shows the frequencies of the letters in “The Gold Bug”, the 2006 State of the Union Address, “Julius Caesar”, and the “USA Patriot Act”. These are four very different texts, but, for the most part, each reveals approximately the same distribution of letters.
Minor differences are apparent, such as an unusual abundance of the letter u in “Julius Caesar”, but that is to be expected with all of the Latin names that end in us (e.g. Julius, Brutus, Cassius, etc.).

Figure 1.1: Frequencies of letters in the English language. See Table 1.2 for numerical values.

Table 1.2: Table of letter frequencies based on War and Peace and several articles from The Washington Post.

    Letter  Relative Frequency    Letter  Relative Frequency
    a       0.082                 n       0.073
    b       0.014                 o       0.076
    c       0.025                 p       0.018
    d       0.046                 q       0.001
    e       0.124                 r       0.059
    f       0.022                 s       0.065
    g       0.020                 t       0.089
    h       0.065                 u       0.026
    i       0.069                 v       0.011
    j       0.001                 w       0.023
    k       0.008                 x       0.002
    l       0.039                 y       0.018
    m       0.024                 z       0.001

Figure 1.2: Cumulative frequencies of the letters (in ascending order) in Edgar Allan Poe’s “The Gold Bug”, George W. Bush’s 2006 State of the Union Address, William Shakespeare’s “Julius Caesar”, and the “USA Patriot Act”.

Let’s try some cryptanalysis based on letter frequencies. Given the ciphertext vjgggtkggngrjcpvgcvugiiu, we see that g occurs most frequently (8 times), so it most likely corresponds to a plaintext e. If that is correct, then k must be 2 (because g = 6 and e = 4). If we try decrypting the entire message with k = 2, we find the putative plaintext theeerieelephanteatseggs, so we are confident that we have successfully recovered the original message.
Note that in any given text, e may or may not be the most common letter. The most common letter in laeljawvlwsuzafylsqfsljauckgfzwjlgqtacw is l, which would correspond to k = 7 if l came from e. However, decrypting with k = 7 gives the clearly incorrect “plaintext” etxectpoeplnstyreljylectnvdzyspcezjmtvp. Next, we might try associating l with the second most common English letter, t. This suggests k = 18, and we obtain the original message timtriedteachingtaynatricksonhertoybike. Please note that some problems may involve considerable trial and error, but letter frequencies do give us a sensible method. A visually appealing alternative is to use an interactive, visual cryptanalysis in software like Mathematica. See CryptanalyzeAdditiveCipher.nb at http://users.etown.edu/m/mcdevittt/Crypto.html.
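The exhaustive search and the frequency comparison described above, as an added Python example that is not part of the original notes (and not the authors’ ECrypt or Mathematica code): it tries all 25 keys, applies the naive “most common ciphertext letter is e” rule, and also scores every candidate plaintext with a chi-squared statistic against the frequencies of Table 1.2. The chi-squared score automates the comparison the section does by eye, and it sorts out cases like laeljawvlwsuzafylsqfsljauckgfzwjlgqtacw, where the naive rule picks the wrong key. The two ciphertexts are the ones from this section; the function names are this example’s own.

```python
"""Attacks on the additive cipher: exhaustion, the naive 'most common letter is e'
rule, and a frequency-profile score that automates the comparison to Table 1.2."""
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Relative frequencies of English letters, copied from Table 1.2 of the notes.
ENGLISH_FREQ = {
    "a": 0.082, "b": 0.014, "c": 0.025, "d": 0.046, "e": 0.124, "f": 0.022,
    "g": 0.020, "h": 0.065, "i": 0.069, "j": 0.001, "k": 0.008, "l": 0.039,
    "m": 0.024, "n": 0.073, "o": 0.076, "p": 0.018, "q": 0.001, "r": 0.059,
    "s": 0.065, "t": 0.089, "u": 0.026, "v": 0.011, "w": 0.023, "x": 0.002,
    "y": 0.018, "z": 0.001,
}


def letters_only(text: str) -> str:
    """Keep only a-z (lower-cased); spaces and punctuation carry no key material."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def shift_decrypt(ciphertext: str, k: int) -> str:
    """Invert c = p + k (mod 26) letter by letter."""
    return "".join(ALPHABET[(ALPHABET.index(ch) - k) % 26] for ch in letters_only(ciphertext))


def chi_squared(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and the counts that
    Table 1.2 predicts for a text of the same length; smaller is more English-like.
    A letter that is rare in English but frequent in `text` dominates the sum, which
    is what rules out wrong keys quickly."""
    n = len(text)
    counts = Counter(text)
    return sum((counts[ch] - n * f) ** 2 / (n * f) for ch, f in ENGLISH_FREQ.items())


def naive_key_guess(ciphertext: str) -> int:
    """The first rule of Section 1.9: assume the most frequent ciphertext letter is
    the image of e.  Often right, not always (see the second ciphertext below)."""
    top, _ = Counter(letters_only(ciphertext)).most_common(1)[0]
    return (ALPHABET.index(top) - ALPHABET.index("e")) % 26


def rank_keys(ciphertext: str) -> list:
    """Exhaust all 25 keys, but rank the candidate plaintexts by chi_squared instead
    of reading them by eye.  Returns (k, score, plaintext) tuples, best first."""
    scored = []
    for k in range(1, 26):
        pt = shift_decrypt(ciphertext, k)
        scored.append((k, chi_squared(pt), pt))
    return sorted(scored, key=lambda t: t[1])


if __name__ == "__main__":
    # Both ciphertexts are taken from Section 1.9 of the notes.
    for ct in ("teefxgurgtmnkxwxlbkxmhdghp", "laeljawvlwsuzafylsqfsljauckgfzwjlgqtacw"):
        k, score, pt = rank_keys(ct)[0]
        print(f"{ct}\n  naive guess k={naive_key_guess(ct)}; "
              f"best by chi-squared k={k} (score {score:.1f}): {pt}")
```

For the second ciphertext the naive rule returns k = 7 (l → e) while the chi-squared ranking returns k = 18, because under k = 7 the decryption maps several letters onto rare ones like j, q, x and z, and each such letter adds a large penalty. The same ranking idea works for any cipher whose key space can be enumerated.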
1.10. Affine Cipher
Recall that the addition and multiplication tables in (1.7) show that patterns are more readily evident in modular addition than in multiplication. Therefore, if we incorporate multiplication into the cipher, then we might be able to improve on the additive cipher. The equation for the ith ciphertext character of the affine cipher⁸ is

(1.21)  $c_i = m p_i + k \bmod 26$.

Again, if the length of the alphabet changes, then you have to change the value of the modulus accordingly. Plaintext can be recovered from ciphertext using

(1.22)  $p_i = m^{-1}(c_i - k) \bmod 26$,

provided that $m^{-1}$ exists. How large is the key space for the affine cipher? The additive constant k can take on 26 different values, but m has to be invertible modulo 26, so it has to be relatively prime to 26. Specifically, $m \in \{1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25\}$, so there are only 12 possible values for m. Therefore, there are $26 \cdot 12 - 1 = 311$ possible key pairs for the affine cipher. (We subtract one because m = 1 and k = 0 doesn’t change the plaintext! In that case, $c_i = p_i$.)
Example 1.27: Let’s encrypt timwrotetomsaddressontheenvelope with m = 7 and k = 4. Since the first letter is t, $p_1 = 19$ and $c_1 = 7(19) + 4 = 137 \equiv 7 \pmod{26}$, so the first cipher character is h. The remaining letters follow in a similar way to give hikctyhghykaezztgaayrhbggrvgdyfg.
Classroom Exercise 1.12: Encrypt potatochipsarebadforyou with m = 17 and k = 24.
1.11. Cryptanalysis of the Affine Cipher
Recall that we cryptanalyzed the additive cipher using letter frequencies. We will do the same with the affine cipher, except that we will have to solve a system of congruences because there are two key parameters, m and k. Let’s look at an example for which we know the answer.
Example 1.28: Let’s start with the ciphertext in Example 1.27, hikctyhghykaezztgaayrhbggrvgdyfg, and pretend that we don’t know m and k. The most common letters are g and h, which appear six and four times, respectively. This suggests that the ciphertext g and h correspond to plaintext e and t. Since g and h are encoded as 6 and 7 and since e and t are encoded as 4 and 19, we have the pair of congruences

$4m + k \equiv 6 \pmod{26}$,
$19m + k \equiv 7 \pmod{26}$.

Subtracting the first congruence from the second eliminates k and gives $15m \equiv 1 \pmod{26}$, so $m = 15^{-1} = 7$ (since $15 \cdot 7 = 105 = 4 \cdot 26 + 1$) and then $k \equiv 6 - 4 \cdot 7 = -22 \equiv 4 \pmod{26}$. Solving the system therefore gives m = 7 and k = 4, which, in turn, give the plaintext timwrotetomsaddressontheenvelope.

⁸ The graph of f(x) = mx + b is a line, but mathematicians do not call f a linear function unless b = 0. Instead, we call f an affine function. That is where the name of the cipher comes from.
Recall that e and t are usually the most common letters in English, and the longer a sample text is, the more likely that is to be the case. However, e and t are not always the most common, especially in short messages. Cases like that may require significant trial and error to find a suitable pair of congruences. Let’s look at another example, but unlike Example 1.28, this time we do not know the answer in advance.
Example 1.29: The most common letters in the ciphertext xwvmwixwomclybyvunyuyxcrmikyapmjmzopyssncrkyazmeyppcemr are y and m. Associating these with e and t gives

$4m + k \equiv 24 \pmod{26}$,
$19m + k \equiv 12 \pmod{26}$

and m = 20 and k = 22. However, these aren’t correct since m = 20 is not relatively prime to 26. Repeated trial and error eventually leads us to associate ciphertext y and m with plaintext o and e, respectively, which gives

$4m + k \equiv 12 \pmod{26}$,
$14m + k \equiv 24 \pmod{26}$.

Subtracting the first congruence from the second gives $10m \equiv 12 \pmod{26}$. Since $\gcd(10, 26) = 2$ and $2 \mid 12$, there are two solutions, m = 9, k = 2 and m = 22, k = 2. Since 22 is not relatively prime to 26, the latter solution cannot be correct. Decrypting with m = 9 and k = 2 gives lifeislikeaboxofchocolatesyouneverknowwhatyouregonnaget⁹.

⁹ The one and only Forrest Gump.

Counting letter frequencies by hand can be very tedious, so mathematical packages like Mathematica and Maple can be very helpful. However, if you don’t have one of those packages or you don’t want to learn one, then just use ECrypt.
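Affine encryption and decryption per (1.21) and (1.22), together with the congruence-solving attack of Examples 1.28 and 1.29, as an added Python example that is not part of the original notes (and not ECrypt). solve_linear_congruence implements the rule from Section 1.7 that $ax \equiv b \pmod{n}$ has $\gcd(a, n)$ solutions when $\gcd(a, n) \mid b$ and none otherwise, which is exactly what produces the two candidates m = 9 and m = 22 in Example 1.29; candidate_keys then repeats the text’s trial-and-error pairing of the two most frequent ciphertext letters with frequent English letters (in the order of Table 1.2) and keeps only keys with an invertible m. Function and variable names are this example’s own.

```python
"""Affine cipher: encryption, decryption, and recovering (m, k) from two guessed
letter correspondences by solving a pair of congruences."""
from collections import Counter
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
N = 26  # modulus for the standard alphabet


def letters_only(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def affine_encrypt(plaintext: str, m: int, k: int) -> str:
    """Equation (1.21): c_i = m*p_i + k (mod 26).  Keys whose m has no inverse are
    refused: they would send distinct plaintext letters to the same ciphertext
    letter, and nobody could decrypt."""
    if gcd(m, N) != 1:
        raise ValueError(f"m={m} is not invertible mod {N}")
    return "".join(ALPHABET[(m * ALPHABET.index(ch) + k) % N] for ch in letters_only(plaintext))


def affine_decrypt(ciphertext: str, m: int, k: int) -> str:
    """Equation (1.22): p_i = m^{-1}(c_i - k) (mod 26)."""
    m_inv = pow(m, -1, N)  # raises ValueError if gcd(m, 26) != 1
    return "".join(ALPHABET[(m_inv * (ALPHABET.index(ch) - k)) % N]
                   for ch in letters_only(ciphertext))


def solve_linear_congruence(a: int, b: int, n: int) -> list:
    """All x in [0, n) with a*x = b (mod n).  With d = gcd(a, n) there are exactly d
    solutions when d divides b and none otherwise (Section 1.7)."""
    d = gcd(a, n)
    if b % d:
        return []
    a, b, n = a // d, b // d, n // d          # reduce to an invertible coefficient
    x0 = 0 if n == 1 else b * pow(a, -1, n) % n
    return [x0 + t * n for t in range(d)]     # the d solutions modulo the original n


def solve_key(c1: str, p1: str, c2: str, p2: str) -> list:
    """Solve  m*p1 + k = c1  and  m*p2 + k = c2  (mod 26) for (m, k), as in Examples
    1.28 and 1.29.  Subtracting eliminates k and leaves m*(p1 - p2) = c1 - c2, which
    may have 0, 1 or several solutions; non-invertible m are discarded and k is then
    recovered from the first congruence."""
    P1, P2, C1, C2 = (ALPHABET.index(x) for x in (p1, p2, c1, c2))
    keys = []
    for m in solve_linear_congruence((P1 - P2) % N, (C1 - C2) % N, N):
        if gcd(m, N) == 1:
            keys.append((m, (C1 - m * P1) % N))
    return keys


def candidate_keys(ciphertext: str, frequent: str = "etaonihsr") -> list:
    """Pair the two most frequent ciphertext letters with every ordered pair of
    frequent English letters (Table 1.2 order) and collect all consistent,
    invertible keys.  The true key is in the list whenever both ciphertext letters
    really come from letters in `frequent`; picking the candidate whose decryption
    reads as English is still left to the reader."""
    letters = letters_only(ciphertext)
    counts = Counter(letters)
    # most frequent first; ties broken by first appearance so the result is reproducible
    c1, c2 = sorted(counts, key=lambda ch: (-counts[ch], letters.index(ch)))[:2]
    found = []
    for p1 in frequent:
        for p2 in frequent:
            if p1 != p2:
                for key in solve_key(c1, p1, c2, p2):
                    if key not in found:
                        found.append(key)
    return found


if __name__ == "__main__":
    ct = affine_encrypt("timwrotetomsaddressontheenvelope", 7, 4)   # Example 1.27
    print(ct, candidate_keys(ct)[:3])
    gump = "xwvmwixwomclybyvunyuyxcrmikyapmjmzopyssncrkyazmeyppcemr"  # Example 1.29
    for m, k in candidate_keys(gump):
        print(m, k, affine_decrypt(gump, m, k))
```

Running it on the Example 1.29 ciphertext prints one decryption per surviving candidate; the (9, 2) line is the only one that reads as English, which is the same judgement the text makes by hand, just with the arithmetic done for you.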
Exercises
(1) Factor the following integers as a product of (powers of) primes.
    (a) 278  (b) 359  (c) 126  (d) 469  (e) 388
(2) Find the smallest integer x > 0 that makes each of the following a perfect square.
    (a) $2^3 \cdot 3^2 \cdot 5 \cdot x$
    (b) $2^{10} \cdot 3^2 \cdot 5^2 \cdot 7^6 \cdot x$
    (c) $12^3 \cdot 25^2 \cdot 7^2 \cdot x$
    (d) $12^3 \cdot 25^2 \cdot 7 \cdot x$
(3) Suppose that we say that 56000 “ends” in 3 zeros. How many zeros are there at the end of each of these numbers?
    (a) $12^3 \cdot 25^2 \cdot 7^2$
    (b) $10! = 10 \times 9 \times 8 \times 7 \times 6 \times 5 \times 4 \times 3 \times 2 \times 1$
    (c) $100!$
    (d) $\dbinom{50}{25} = \dfrac{50!}{25!\,(50 - 25)!}$
(4) Find the following gcds and identify which pairs of integers are relatively prime.
    (a) gcd(261, 231)  (b) gcd(317, 375)  (c) gcd(297, 431)  (d) gcd(418, 278)  (e) gcd(272, 391)
(5) Find integers x and y such that $ax + by = \gcd(a, b)$ for each of the following.
    (a) a = 95, b = 298  (b) a = 462, b = 424  (c) a = 195, b = 468  (d) a = 324, b = 122  (e) a = 387, b = 108
(6) For positive integers m and n, lcm(m, n) is the least common multiple of m and n. Show that $\operatorname{lcm}(m, n) = \dfrac{mn}{\gcd(m, n)}$.
(7) Reduce the following.
    (a) 154 mod 45  (b) 171 mod 42  (c) 57 mod 20  (d) −111 mod 42  (e) 159 mod 33  (f) −22 mod 11  (g) −54 mod 26  (h) 38 mod 10  (i) −69 mod 23  (j) 100 mod 24
(8) Calculate the following.
    (a) 8 + 6 mod 10
    (b) 13 × 3 mod 7
    (c) 2 × 12 + 4 mod 14
    (d) 3 − 5 + 15 mod 17
    (e) 18 − 13 − 8 × 27 mod 14
    (f) 10 − 4 × 19 + 16 mod 11
    (g) 9 − 5 − 8 + 2 − 2 mod 10
    (h) 6 + 8 − 5 × 10 − 9 mod 11
    (i) 5 × 6 − 7 − 3 × 6 + 4 mod 8
    (j) 9 × 10 × 7 × 13 + 4 + 2 mod 16
(9) Find the following multiplicative inverses.
    (a) $15^{-1} \bmod 38$  (b) $29^{-1} \bmod 40$  (c) $8^{-1} \bmod 49$  (d) $11^{-1} \bmod 15$  (e) $7^{-1} \bmod 26$
(10) Suppose $a, n \in \mathbb{N}$. Show that the set $\{a \bmod n,\ a + 1 \bmod n,\ a + 2 \bmod n,\ \ldots,\ a + (n - 1) \bmod n\}$ is a re-arrangement of $\{0, 1, 2, \ldots, n - 1\}$.
(11) Find all solutions, if any, of the following congruences.
    (a) $17x \equiv 0 \pmod{34}$  (b) $14x \equiv 10 \pmod{32}$  (c) $14x \equiv 5 \pmod{25}$  (d) $17x \equiv 12 \pmod{24}$
    (e) $9x \equiv 16 \pmod{20}$  (f) $18x \equiv 24 \pmod{46}$  (g) $2x \equiv 5 \pmod{15}$  (h) $19x \equiv 9 \pmod{30}$
    (i) $15x \equiv 18 \pmod{21}$  (j) $9x \equiv 1 \pmod{30}$  (k) $4x \equiv 3 \pmod{34}$  (l) $4x \equiv 4 \pmod{22}$
(12) The ISBN-10 for An Introduction to Mathematical Finance by Sheldon Ross is 0-521-77043-x, where the last digit $x = d_{10}$ is an unknown check digit. To find $d_{10}$, we have to solve
    $0 \cdot 1 + 5 \cdot 2 + 2 \cdot 3 + 1 \cdot 4 + 7 \cdot 5 + 7 \cdot 6 + 0 \cdot 7 + 4 \cdot 8 + 3 \cdot 9 + d_{10} \cdot 10 \equiv 0 \pmod{11}$.
    Solve for $d_{10}$.
(13) In the introduction, we learned that if the first 9 digits in an ISBN-10 $d_1 d_2 d_3 d_4 d_5 d_6 d_7 d_8 d_9 d_{10}$ are known, then the check digit $d_{10}$ solves
    (1.23)  $d_1 + 2d_2 + 3d_3 + 4d_4 + 5d_5 + 6d_6 + 7d_7 + 8d_8 + 9d_9 + 10d_{10} \equiv 0 \pmod{11}$,
    but some authors write that $d_{10}$ has to solve
    (1.24)  $10d_1 + 9d_2 + 8d_3 + 7d_4 + 6d_5 + 5d_6 + 4d_7 + 3d_8 + 2d_9 + d_{10} \equiv 0 \pmod{11}$
    instead. Show that congruences (1.23) and (1.24) have the same solutions.
(14) Find all solutions, if any, of the following systems of congruences.
    (a) $3x + 7y \equiv 8$, $5x + 7y \equiv 6 \pmod{10}$
    (b) $2x + 5y \equiv 16$, $11x + 11y \equiv 16 \pmod{18}$
    (c) $6y \equiv 1$, $15x + 22y \equiv 13 \pmod{22}$
    (d) $x + y \equiv 14$, $8x + y \equiv 6 \pmod{16}$
    (e) $x + 16y \equiv 8$, $11x + 19y \equiv 11 \pmod{20}$
(15) Encrypt the following with the additive cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified key. For longer messages, you may want to use ECrypt.
    (a) go steelers, k = 17
    (b) a spoon full of sugar makes the medicine go down, k = 9
    (c) the people in philadelphia deserve to have a winner its simple as that, k = 25
(16) Decrypt the following with the additive cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified key. For longer messages, you may want to use ECrypt.
    (a) orubkrgsv, k = 6
    (b) bpiwtbpixrpxhiwtqthiegdvgpb, k = 15
    (c) vuaolmpyzakhfvmjoypzathztfayblsvclzluaavtlhwhyaypknlpuhwlhyayll, k = 7
(17) Encrypt the following with the affine cipher, the standard alphabet (abcdefghijklmnopqrstuvwxyz), and the specified keys. For longer messages, you may want to use ECrypt.
    (a) do not erase, m = 19, k = 7
    (b) who here believes tim should grow a beard, m = 15, k = 24
    (c) mr gorbachev tear down this wall, m = 5, k = 2
(18) Decrypt the following with the affine cipher using the specified keys. For longer messages, you may want to use ECrypt.
    (a) efgqzospux, k = 10, m = 9
    (b) eperfwddjesgrdzexmredjejmrke, m = 19, k = 6
    (c) qredqjyialordiixjxllpdhjnarslwlleylrgfevrwjnirwrgwylrpfvjihliijgrhfbjedfglyzhdluqialunbpfldizrejeialqrbljqiallryiafarslwllefewruuorypdqjydlsleillehlrydregarslelslyylblfslgrehiafevwnipfegelddreglebjnyrvlzleiqyjzhjnqredujjpriialdlvyregzlexafbajqhjnxjnugeibjedfglyfiialafvaufvaijqafdbryllykndiijrddjbfrilxfiaialzqjylslejelgrh, k = 5, m = 17
(19) Cryptanalyze the following additive ciphertext. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica, Maple, etc.).
    (a) kbktznuamnrgxmkzxgizyulkaxuvkgtjsgteurjgtjlgsuayyzgzkyngbklgrrktuxsgelgrrotzuznkmxovulznkmkyzgvugtjgrrznkujouaygvvgxgzayultgfoxarkckyngrrtuzlrgmuxlgorckyngrrmuutzuznkktjckyngrrlomnzotlxgtikckyngrrlomnzutznkykgygtjuikgtyckyngrrlomnzcoznmxucotmiutlojktikgtjmxucotmyzxktmznotznkgoxckyngrrjklktjuaxoyrgtjcngzkbkxznkiuyzsgehkckyngrrlomnzutznkhkginkyckyngrrlomnzutznkrgtjotmmxuatjyckyngrrlomnzotznklokrjygtjotznkyzxkkzyckyngrrlomnzotznknorryckyngrrtkbkxyaxxktjkxgtjkbktolcnoinojutuzluxgsusktzhkrokbkznoyoyrgtjuxgrgxmkvgxzulozckxkyahpamgzkjgtjyzgxbotmznktuaxksvoxkhkeutjznkykgygxskjgtjmagxjkjheznkhxozoynlrkkzcuarjigxxeutznkyzxammrkatzorotmujymuujzoskznktkccuxrjcozngrrozyvuckxgtjsomnzyzkvyluxznzuznkxkyiakgtjznkrohkxgzoutulznkurj
    (b) jbnbmsfbezgbsopsuipgmpoepoboebtjxbmljouiftusffutpgqfufstcvshijgffmbdpmeopsuifsocsffafqmbzvqponzdiffltxijdicsbdftnzofswftboegjmmtnfxjuiefmjhiuepzpvvoefstuboeuijtgffmjohuijtcsffafxijdiibtusbwfmmfegspnuifsfhjpotupxbsetxijdijbnbewbodjohhjwftnfbgpsfubtufpguiptfjdzdmjnftjotqjsjufeczuijtxjoepgqspnjtfnzebzesfbntcfdpnfnpsfgfswfouboewjwjejuszjowbjoupcfqfstvbefeuibuuifqpmfjtuiftfbupggsptuboeeftpmbujpojufwfsqsftfoutjutfmgupnzjnbhjobujpobtuifsfhjpopgcfbvuzboeefmjhiu
    (c) ivdveufljrdflekfwkzdvkfnrcbkfddpveafpjkyvkirzekfdfiifnkfddptflcukrbvkyvkirzerxrzefikrbvkyvkivbspwffk
(20) Cryptanalyze the following affine ciphertext. You should be able to copy and paste the ciphertext into ECrypt (or Mathematica, Maple, etc.).
    (a) dmdcdilmdskvnbdcomjmkdzqdlmbmlqb
    (b) gpatqazdqawlpalenqzaslpgunalgenkgffdguqcvanzfgtqecllpqldcqwqangnyehgluidqqzkqpefzlpquqldclpulerquqfhqtgzqnllpalaffwqnadqidqalqzqmcafgpatqazdqawlpalenqzasenlpqdqzpgffuehyqedygalpquenuehhedwqdufatquanzlpquenuehhedwqdufatqeknqdukgffrqarfqleuglzeknleyqlpqdallpqlarfqehrdelpqdpeezpatqazdqawlpalenqzasqtqnlpqulalqehwguuguugvvgaulalqukqflqdgnykglplpqpqalehgnxculgiqukqflqdgnykglplpqpqalehevvdquugenkgffrqldanuhedwqzgnleaneauguehhdqqzewanzxculgiq
    (c) vxwszokjwpkvzwotmkjzgjmkvuuvpjaijokhmzdjokhltmbavdrvdjokhptuuijavmjvmjzwokzftotftmkjzgjmbtgjxfoktfazhvxwaztuhiwjzazmasvwbtgjxfvxwowjfezffjfzfpjsvwbtgjokvfjpkvowjfezffzbztmfoxfzmaujzaxfswvdojdeozotvmzmaajutgjwxfswvdjgtuzdjm
(21) Suppose that you double-encrypt some plaintext with the affine cipher. First you encrypt the plaintext with keys $m_1$ and $k_1$, and then you re-encrypt the ciphertext with keys $m_2$ and $k_2$. The resulting ciphertext is also affine with keys $m_3$ and $k_3$. Carefully relate $m_3$ and $k_3$ to $m_1$, $m_2$, $k_1$, and $k_2$. Does this double affine encryption provide any additional security over regular affine encryption?
(22) The Atbash cipher replaces the 1st letter of the alphabet with the last, the 2nd with the second-to-last, etc. Write an equation that mathematically represents the action of the Atbash cipher.

CHAPTER 2
Probability
2.1. Counting
Counting is a basic mathematical skill that many American children learn by watching Sesame Street, but we want to extend that skill to count very large quantities that cannot easily be written down. For example, if you roll two standard six-sided dice, you can easily record all possible pairs as shown in Figure 2.1. Clearly, there are 6 possible outcomes for the first die and 6 possible outcomes for the second die, which suggests that there are 6 × 6 = 36 possible outcome pairs. (Note that the pairs are ordered: a 1 on the first die with a 2 on the second is a different outcome from a 2 on the first die with a 1 on the second.) This is an example of the fundamental counting rule.
Figure 2.1: All possible outcomes for a pair of regular six-sided dice.
THEOREM 2.1 (Fundamental Counting Rule). If event A can occur m ways and B can occur n ways, then A and B together can occur mn ways.
The fundamental counting rule can be extended to more complicated situations. For example, Yahtzee™ requires players to roll 5 dice. How many possible outcomes are there? We certainly don’t want to try to list them all, so we try to count without an explicit list of possible outcomes. Since there are six possible outcomes for each die, the number of possible 5-dice rolls is $6 \times 6 \times 6 \times 6 \times 6 = 6^5 = 7776$.

Example 2.1: Jake wants an ice cream cone, and he can choose one flavor of ice cream (chocolate, vanilla, or strawberry) and one type of cone (sugar or cake). How many possible ice cream cones can he choose from? According to the fundamental counting rule, there are 3 × 2 = 6 possible ice cream cones. We can also list the outcomes in this case, possibly with the help of a tree plot:

    strawberry/cake   chocolate/cake   vanilla/cake
    strawberry/sugar  chocolate/sugar  vanilla/sugar
Tree plots can be helpful in small problems like this one, but can be impractical in larger problems.
Now suppose that Jake has invited 7 of his friends to dinner at his house and he needs to call each of them to warn them about the vicious new dog next door. How many sequences of calls are possible? He can pick the first person he calls in 7 different ways, the second in 6 ways (because the first person has already been called), the third in 5 ways, etc., for a total of 7 × 6 × 5 × 4 × 3 × 2 × 1 = 5040 possible sequences. For convenience, we write 7 × 6 × 5 × 4 × 3 × 2 × 1 = 7!, which we read as “seven factorial”. In general, if n is a positive integer, then

$n! = n(n - 1)(n - 2)(n - 3) \cdots (3)(2)(1)$.

By itself, 0! doesn’t make any sense, but it will soon be convenient for us to define 0! = 1.

Now suppose that Jake has 5 errands to complete, but he only has enough time to complete 2 of them. How many ways can he choose 2 errands out of 5? He can choose the first of the two errands in 5 ways and the second in only 4 ways. Using the fundamental counting rule, there are 5 × 4 = 20 ways to choose two errands. If $e_1$ represents the first errand, $e_2$ the second, and so on, then the 20 possible sequences of 2 errands are as follows.

    $e_2e_1$  $e_3e_1$  $e_4e_1$  $e_5e_1$
    $e_1e_2$  $e_3e_2$  $e_4e_2$  $e_5e_2$
    $e_1e_3$  $e_2e_3$  $e_4e_3$  $e_5e_3$
    $e_1e_4$  $e_2e_4$  $e_3e_4$  $e_5e_4$
    $e_1e_5$  $e_2e_5$  $e_3e_5$  $e_4e_5$

The key question here is whether or not the sequence of the errands matters. If, perhaps unrealistically, the order does matter, then there are 20 2-errand sequences. If order does not matter, then, for example, $e_1e_2$ is the same as $e_2e_1$ and there are only 10 different pairs of errands.

In general, an ordered arrangement of objects is called a permutation. We can use the fundamental counting rule to determine the number of permutations of r distinct objects that can be formed from n distinct objects. The first object can be chosen n ways, the second (n − 1) ways, ..., and the rth (n − r + 1) ways, for a total of

${}_nP_r = n(n - 1)(n - 2) \cdots (n - r + 1) = \dfrac{n(n - 1)(n - 2) \cdots (n - r + 1)(n - r) \cdots (3)(2)(1)}{(n - r) \cdots (3)(2)(1)} = \dfrac{n!}{(n - r)!}$.

Therefore, we have the following theorem.

THEOREM 2.2. The number of permutations of size r from n distinct objects is ${}_nP_r = \dfrac{n!}{(n - r)!}$.

Note that there are n! ways to arrange n objects chosen from n objects, and Theorem 2.2 works in that case, ${}_nP_n = \dfrac{n!}{0!} = n!$, because we defined 0! = 1. An unordered arrangement of r distinct objects taken from n distinct objects is a combination, and we can derive the number of combinations from the permutation rule (Theorem 2.2) because any permutation of r distinct objects can be rearranged in r! different ways that are equivalent if order doesn’t matter. Therefore,

THEOREM 2.3. The number of combinations of size r from n distinct objects is ${}_nC_r = \dbinom{n}{r} = \dfrac{n!}{r!\,(n - r)!}$.

The symbol $\dbinom{n}{r}$ is read “n choose r”.

Example 2.2: If Bob has eight different color flags, how many different signals can he make from five flags? In this case, n = 8, r = 5. Assuming that the order of the flags matters, ${}_8P_5 = \dfrac{8!}{(8 - 5)!} = \dfrac{8!}{3!} = 8 \times 7 \times 6 \times 5 \times 4 = 6720$.

Example 2.3: Let S = {A, B, C, D, E}. How many ways can you choose 3 letters from S if order matters? In this case, we can write out all of the possible permutations

    ABC ABD ABE ACD ACE ADE BCD BCE BDE CDE
    ACB ADB AEB ADC AEC AED BDC BEC BED CED
    BAC BAD BAE CAD CAE DAE CBD CBE DBE DCE
    BCA BDA BEA CDA CEA DEA CDB CEB DEB DEC
    CAB DAB EAB DAC EAC EAD DBC EBC EBD ECD
    CBA DBA EBA DCA ECA EDA DCB ECB EDB EDC

and see that there are 60 of them, or we could compute ${}_5P_3 = \dfrac{5!}{2!} = 60$. If order does not matter, then all of the entries in each column are equivalent to each other. For example, ABC, ACB, BAC, BCA, CAB, and CBA (first column) are all equivalent if order doesn’t matter, and there are 3! of them since there are 3! permutations of 3 objects. Therefore, the number of combinations is $\dbinom{5}{3} = \dfrac{5!}{3!\,2!} = 10$.

Example 2.4: How many different five-card hands can be made from a standard card deck of 52 cards? Here, order does not matter, so ${}_{52}C_5 = \dbinom{52}{5} = \dfrac{52!}{5!\,(52 - 5)!} = \dfrac{52!}{5!\,47!} = 2{,}598{,}960$.

Students often struggle with permutations and combinations in applied problems. In both cases, remember to check that you are sampling without replacement from a set with no repeated elements. Then you have to determine whether or not order matters. This is where people usually struggle the most, so let’s look at a few examples.
Example 2.5: There are currently (2012) 12 schools in the Big Ten conference (and 10 in the Big 12, go figure). If the conference is planning a future year’s football matchups, how many different games are possible? For each game, the conference must choose 2 teams out of 12, and repeats are not possible since no team can play itself. Since this is clearly a permutation or combination problem, the only issue is whether or not order matters. If, for example, the first team chosen plays at home, then order matters and there are ${}_{12}P_2 = \dfrac{12!}{(12 - 2)!} = \dfrac{(12)(11)\,10!}{10!} = 132$ different matchups. However, if the games are played at neutral sites (which would be unusual), then order doesn’t matter and there are ${}_{12}C_2 = \dfrac{12!}{(12 - 2)!\,2!} = \dfrac{(12)(11)\,10!}{10!\,2} = 66$ possible matchups.

Example 2.6: Suppose that a generous instructor brings a $20 bill, a $10 bill, a $5 bill, and a $1 bill to class one day. He puts all 30 students’ names in a hat and draws four different names. The first person wins the $20 bill, the second the $10 bill, and so on. How many different ways can the money be awarded? In this example, order clearly matters because the prizes are different. Therefore, there are ${}_{30}P_4 = \dfrac{30!}{26!} = 657{,}720$ different ways to award the money.

Example 2.7: A less generous instructor brings four $1 bills to class one day, puts all of his 30 students’ names in a hat and draws four different names. Each person selected wins $1. How many different ways can the money be awarded? In contrast to Example 2.6, order does not matter because the prizes are all the same. Therefore, there are only ${}_{30}C_4 = \dfrac{30!}{4!\,26!} = 27{,}405$ different ways to award the money.

2.2. Probability
The set of all outcomes of a random experiment is called the sample space. For example, the sample space for flipping a coin and observing the up-side is {heads, tails}. The sample space for the number of pips on the up-face of a standard six-sided die is {1, 2, 3, 4, 5, 6}. An event A is a subset of the finite sample space S. If all outcomes in S are equally likely, then the probability of A is

(2.1)  $P(A) = \dfrac{\text{number of elements in } A}{\text{number of elements in } S}$.

Also, if an experiment is repeated a large number of times, then

(2.2)  $P(A) \approx \dfrac{\text{number of times } A \text{ occurs}}{\text{number of trials}}$.

In other words, probabilities are numbers that reflect the likelihood that an event will occur. For example, if A is the event of rolling a 5 with a standard die, then $P(A) = \dfrac{1}{6}$, because there is 1 entry in A = {5} and 6 equally likely entries in S = {1, 2, 3, 4, 5, 6}. Repeated rolling of a die produces the same result in an approximate way. See the simulations in Figure 2.2. The more trials there are, the more likely the estimate is to be close to the exact probability. It is clear from (2.1) that $0 \le P(A) \le 1$ and that P(S) = 1. The union of events A and B, denoted $A \cup B$, indicates that A occurs, B occurs, or both A and B occur, as shown graphically in Figures 2.3a and 2.3b. The
Figure 2.2: Frequencies of outcomes from simulations of a hundred, a thousand, and a million rolls of a fair die. Note that there is considerably less variation with more repetitions.
intersection of A and B, denoted $A \cap B$, means that both A and B occur, as shown in Figure 2.3c. This leads to the addition rule for probabilities.

THEOREM 2.4 (Addition Rule). $P(A \cup B) = P(A) + P(B) - P(A \cap B)$.

Looking at Figure 2.3a, we see that the area of $A \cup B$ is equal to the sum of the areas of A and B, except that we have to be careful not to double-count the area of $A \cap B$, so we have to subtract it from P(A) + P(B). If A and B are mutually exclusive (Figure 2.3b), then the occurrence of A excludes the possibility of B and the occurrence of B excludes the possibility of A. In other words, sets A and B are disjoint (see Figure 2.3) and $P(A \cap B) = 0$.

Example 2.8: For the experiment of rolling a pair of dice (see Figure 2.1), let A be the event of rolling a sum of 6 and let B be the event of rolling “doubles”. Then

$P(A \cup B) = P(A) + P(B) - P(A \cap B) = \dfrac{5}{36} + \dfrac{6}{36} - \dfrac{1}{36} = \dfrac{10}{36} = \dfrac{5}{18} = 0.2\overline{7}$.

Example 2.9: In a standard deck of 52 cards, let A be the event of drawing an ace and let B be the event of drawing a red card. Then,

$P(A \cup B) = \dfrac{4}{52} + \dfrac{26}{52} - \dfrac{2}{52} = \dfrac{28}{52} = \dfrac{7}{13} \approx 0.538$.

The complement¹ of an event A is the set of outcomes for which A does not occur. We’ll denote the complement of A by $A^c$, but other authors use other symbols like $A'$ and $\sim A$. It is clear that $A \cup A^c = S$ and that A and

¹ Note the spelling of complement. If someone says that you did a great job on a paper, then that is a compliment.
Figure 2.3: The shaded areas in (a) and (b) represent $A \cup B$. In (b) the events are mutually exclusive (or the sets are disjoint). The shaded area in (c) represents $A \cap B$, and in (d) the lighter area is A and the darker is $A^c$.
$A^c$ are mutually exclusive. Therefore, the addition rule shows that $P(A) + P(A^c) = P(S) = 1$, or

(2.3)  $P(A^c) = 1 - P(A)$.

In problems where $P(A^c)$ is easier to compute than P(A), (2.3) can be very helpful.

Example 2.10: If A is the event of rolling a 3 on a fair six-sided die, then $A^c$ is the event of rolling a 1, 2, 4, 5, or 6, and $P(A) = \dfrac{1}{6}$ and $P(A^c) = \dfrac{5}{6}$.

Sometimes probabilities depend on previous events. For example, the probability that you will be dealt an ace from a well-shuffled, standard, 52-card deck is $4/52 = 1/13 \approx 0.0769$ since there are 4 aces and 52 cards. However, the probability that your second card will also be an ace, given that your first card was an ace, is $3/51 \approx 0.0588$ since there are only 3 aces and 51 cards left. We denote the conditional probability that B will occur given that A has occurred by $P(B \mid A)$ and we observe the following theorem.
THEOREM 2.5 (Multiplication Rule). $P(A \cap B) = P(A)\,P(B \mid A)$.
Example 2.11: Let’s use the multiplication rule to determine the probability that the top two cards in a shuffled deck are aces. Let A be the event that the first card is an ace and let B be the event that the second card is an ace. Then

$P(A \cap B) = P(A)\,P(B \mid A) = \dfrac{4}{52} \cdot \dfrac{3}{51} = \dfrac{1}{221} \approx 0.00452$.

Two events A and B are independent if the occurrence of one has no effect on the other. For example, if A is the event of getting heads on the first toss of a coin and B is the event of getting heads on the second toss, then A and B are independent events. Two events are dependent if they are not independent. For instance, if C is the event of drawing a heart (♥) from a standard deck of 52 cards and D is the event of drawing a club (♣) on the next card without replacing the first card, then C and D are dependent events. Whenever A and B are independent, $P(B \mid A) = P(B)$, $P(A \mid B) = P(A)$, and the multiplication rule simplifies to

$P(A \cap B) = P(A)\,P(B)$.
2.3. Index of Coincidence
The index of coincidence (IoC) for a body of text is the probability that two (uniformly) randomly selected letters are the same. The IoC differs from one book or article to the next, and it is relatively easy to compute using our probability rules. Let $A_1$ be the event that the first chosen letter is an a and $A_2$ the event that the second chosen letter is an a, and define $B_1$, $B_2$, ..., $Z_1$, $Z_2$ similarly. Then

$\text{IoC} = P(\text{two randomly chosen letters are the same}) = P\big((A_1 \cap A_2) \cup (B_1 \cap B_2) \cup \cdots \cup (Z_1 \cap Z_2)\big)$.

Since each pair of letters is mutually exclusive of every other pair, the addition rule (Theorem 2.4) implies that

(2.4)  $\text{IoC} = P(A_1 \cap A_2) + P(B_1 \cap B_2) + \cdots + P(Z_1 \cap Z_2)$.

If n is the total number of characters in the text and there are $n_1$ a’s, $n_2$ b’s, etc., then the multiplication rule (Theorem 2.5) implies

(2.5)  $\text{IoC} = \dfrac{n_1}{n} \cdot \dfrac{n_1 - 1}{n - 1} + \dfrac{n_2}{n} \cdot \dfrac{n_2 - 1}{n - 1} + \cdots + \dfrac{n_{26}}{n} \cdot \dfrac{n_{26} - 1}{n - 1}$

(2.6)  $\phantom{\text{IoC}} = \dfrac{1}{n(n - 1)} \displaystyle\sum_{i=1}^{26} n_i (n_i - 1)$.

Equation (2.6) is often further simplified by assuming that all of the $n_i$ are large so that $n_i \approx n_i - 1$,² and

(2.7)  $\text{IoC} \approx \dfrac{1}{n^2} \displaystyle\sum_{i=1}^{26} n_i^2$,

but this is not necessary and doesn’t really offer an advantage unless we’re computing the IoC by hand.
Example 2.12: “The quick brown fox jumped over the lazy dog.” is a short sentence of 36 letters. It is a variant of the famous pangram “The quick brown fox jumps over the lazy dog”; with jumped in place of jumps it actually lacks the letter s, so it uses 25 of the 26 letters. Only 7 letters are used more than once: d (twice), e (four times), h (twice), o (four times), r (twice), t (twice), and u (twice). Using (2.6), we find IoC = 34/1260 ≈ 0.027. Using the reduced form (2.7) is not appropriate here since each $n_i$ is so small, and it leads to the very poor approximation 70/1296 ≈ 0.054.

Example 2.13: Example 2.12 used a very short, unusual text. What are more typical values of the IoC for 26-letter English? The following table shows the IoCs for the four texts we considered in Section 1.9. Because each body of text is long, the IoC in (2.6) and its approximation in (2.7) are almost identical.

    Text                               Number of Characters   IoC
    “The Gold Bug”                     58,270                 0.066
    2006 State of the Union Address    25,940                 0.066
    “Julius Caesar”                    86,699                 0.064
    USA Patriot Act                    286,260                0.070
Let’s come up with a theoretical IoC for 26-letter English. We saw in Section 1.9 that the probability model for English with the standard 26-letter alphabet is fairly consistent from text to text, provided that the texts are sufficiently long. So, if we’re considering a text that is long enough to follow the distribution in Figure 1.1, then we can approximate its IoC using the frequencies from Table 1.2. Returning to (2.4) and explicitly using the multiplication rule, we have

$\text{IoC} = P(A_1 \cap A_2) + P(B_1 \cap B_2) + \cdots + P(Z_1 \cap Z_2) = P(A_1)\,P(A_2 \mid A_1) + P(B_1)\,P(B_2 \mid B_1) + \cdots + P(Z_1)\,P(Z_2 \mid Z_1)$.

For a sufficiently long text, the two draws are almost independent (removing one letter barely changes the letter frequencies), so $P(A_2 \mid A_1) \approx P(A_1)$ and

$\text{IoC} \approx P(A_1)^2 + P(B_1)^2 + \cdots + P(Z_1)^2$.

Using the probabilities in Table 1.2, we have

(2.8)  $\text{IoC} \approx (0.082)^2 + (0.014)^2 + \cdots + (0.001)^2 \approx 0.0658$,

which is consistent with our results in Example 2.13. In other words, in long English texts, there is about a 6.6% chance that two randomly selected letters are the same.
Classroom Exercise 2.1: How is the IoC for affine ciphertext related to the IoC for the related plaintext?
Finally, let’s find what the IoC should be for ciphertext. A necessary condition for a good cipher is that it masks all of the letter frequencies, so let’s assume that every letter in the ciphertext is equally likely, with probability 1/26. Then

$\text{IoC} \approx P(A_1)^2 + P(B_1)^2 + \cdots + P(Z_1)^2 = \left(\dfrac{1}{26}\right)^2 + \left(\dfrac{1}{26}\right)^2 + \cdots + \left(\dfrac{1}{26}\right)^2 = \dfrac{26}{26^2} = \dfrac{1}{26} \approx 0.038$.

So, the better a cipher masks letter frequencies, the closer the IoC of the ciphertext is to 0.038.

² If you had a million dollars and you lost one, you wouldn’t be worried about it, right?
2.4. Vigenère Cipher
History. The Vigenère cipher is a generalization of the additive cipher that thwarts direct frequency analysis. It was (erroneously) considered unbreakable for about 300 years, but this may be because professional cryptologists preferred nomenclator ciphers³ instead [3]. Vigenère recorded both plaintext and ciphertext autokey versions of his cipher in his 1586 Traicté des Chiffres, but, according to Kahn [3], later cryptologists falsely attributed what we’ll call the Vigenère cipher to him.
Encryption and Decryption. The Vigenère Cipher is similar to the additive cipher in that it is con- sists of additive shifts, but the key can be substantially longer because the Vigenère cipher uses a keyword (or sequence of integers) instead of a key letter (or single integer). For example, consider the plaintext theeaglesarethebest4 with keyword football. To encrypt, we line up the characters from the plain- text and write the keyword repeatedly under all the characters and then shift each plaintext character by the amount from the corresponding key.
Plaintext:  theeaglesarethebest
Key:        footballfootballfoo
Ciphertext: yvsxbgwpxofxuhpmjgh

To be specific, the first plain character t is shifted by 5 (f) to give y, the second character h is shifted by 14 (o) to give v, and so on. Again, it is convenient to mathematize our cipher. The difference between the Vigenère cipher and the additive cipher is that the value of $k$ in (1.20) changes periodically. If $p_i$ is the $i$th plaintext character, then the $i$th ciphertext character is

(2.9) $c_i = \left(p_i + k_{i \bmod L}\right) \bmod 26,$

where the key is now the sequence of $L$ integers $\{k_0, k_1, \ldots, k_{L-1}\}$ instead of a single integer $k$. Revisiting the example above, we can now encrypt simply by adding in columns modulo 26.

Plaintext:  19  7  4  4  0  6 11  4 18  0 17  4 19  7  4  1  4 18 19
Key:         5 14 14 19  1  0 11 11  5 14 14 19  1  0 11 11  5 14 14
Ciphertext: 24 21 18 23  1  6 22 15 23 14  5 23 20  7 15 12  9  6  7
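Equation (2.9) is short enough to turn directly into code. The following is an added example, not code from the notes: a Python implementation in which the key may be given either as a keyword or as the shift sequence $\{k_0, \ldots, k_{L-1}\}$, position $i$ is shifted by $k_{i \bmod L}$, and the three numeric rows above can be reproduced. The function names are our own.

```python
# Added example, not code from the notes: the Vigenère cipher of equation (2.9),
# c_i = (p_i + k_{i mod L}) mod 26, with the key given either as a keyword or as
# the shift sequence {k_0, ..., k_{L-1}}. Function names are our own choice.
from typing import Iterable, Sequence, Union

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def letters_to_ints(text: str) -> list[int]:
    """a=0, ..., z=25; spaces, punctuation and case are dropped, as in the notes."""
    return [ALPHABET.index(ch) for ch in text.lower() if ch in ALPHABET]


def ints_to_letters(values: Iterable[int]) -> str:
    return "".join(ALPHABET[v % 26] for v in values)


def key_sequence(key: Union[str, Sequence[int]]) -> list[int]:
    """'football' -> [5, 14, 14, 19, 1, 0, 11, 11]; an integer list is reduced mod 26."""
    return letters_to_ints(key) if isinstance(key, str) else [k % 26 for k in key]


def vigenere_encrypt(plaintext: str, key) -> str:
    """Shift the i-th plaintext letter by k_{i mod L}, equation (2.9)."""
    p, k = letters_to_ints(plaintext), key_sequence(key)
    return ints_to_letters((p[i] + k[i % len(k)]) % 26 for i in range(len(p)))


def vigenere_decrypt(ciphertext: str, key) -> str:
    """Undo (2.9): subtract k_{i mod L} from the i-th ciphertext letter."""
    c, k = letters_to_ints(ciphertext), key_sequence(key)
    return ints_to_letters((c[i] - k[i % len(k)]) % 26 for i in range(len(c)))


def column_table(plaintext: str, key) -> tuple[list[int], list[int], list[int]]:
    """The three numeric rows the notes write out: plaintext, repeated key, ciphertext."""
    p, k = letters_to_ints(plaintext), key_sequence(key)
    key_row = [k[i % len(k)] for i in range(len(p))]
    cipher_row = [(a + b) % 26 for a, b in zip(p, key_row)]
    return p, key_row, cipher_row


if __name__ == "__main__":
    ct = vigenere_encrypt("the eagles are the best", "football")
    print(ct, vigenere_decrypt(ct, "football"))  # yvsxbgwpxofxuhpmjgh theeaglesarethebest
    rows = column_table("theeaglesarethebest", "football")
    for name, row in zip(("Plaintext:", "Key:", "Ciphertext:"), rows):
        print(f"{name:12s}" + " ".join(f"{v:2d}" for v in row))
```

Passing the key as a list of integers is the form the key expansion in Chapter 3 needs, since there the key is a computed sequence rather than a word.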
Keyspace. Before we can determine the size of the keyspace, we have to decide on how long the keywords can be. Currently (2010), according to Mathematica, there are only seven words (counterrevolutionaries, electroencephalograms, electroencephalograph, electroencephalographic, electroencephalographs, electroencephalography, magnetohydrodynamical) in the English language with more than 20 letters, so it seems reasonable to restrict our attention for the time being to words up to length 20. If we insist on actual English words for keywords, then there are $92{,}518 \approx 2^{16.5}$ words in Mathematica's dictionary.

³A nomenclator is a type of substitution cipher.
⁴One author disagrees...and deep down, the other author knows that, in fact, the Steelers are the best. Count the Super Bowls.

Figure 2.4: The frequencies of lengths of English's 92,518 words.

Other dictionaries may have more words, so let's just say that there are about 100,000 words in the English language. While that is too large to exhaust by hand, it is nothing for a modern computer. If we relax our restriction and accept any string of characters up to and including 20 letters, then there are

$$26 + 26^2 + 26^3 + \cdots + 26^{20} = 20{,}725{,}274{,}851{,}017{,}785{,}518{,}433{,}805{,}270 \approx 2^{94}$$

possible keywords. That looks like a big number (20 octillion plus change), and it is, even for a modern computer. So exhaustion is out of the question in this case.
Cryptanalysis of Vigenère Cipher. Additive and affine ciphertext can be attacked exhaustively because their keyspaces are small: 25 and 311, respectively. However, attacking the Vigenère cipher requires a subexhaustive attack. If we can determine the length of the keyword, $L$, then we only need to solve $L$ additive ciphers, which we already know how to do. We will discuss two methods of determining $L$, the Kasiski test and the Friedman test. Both of these tests are hard to implement if $L$ is large because the keyword is not repeated very often. Churchhouse [1] (p. 37) recommends having ciphertext that is fifty times longer than the key to have reasonable hope of success.

If the keyword is as long as the plaintext and the characters in the keyword are generated randomly, then the Vigenère cipher is called a one-time pad. This is impractical in most situations because so much key is required, but it is very secure. In fact, in 1949, Claude Shannon [9] proved that the one-time pad is theoretically unbreakable, so only human error would allow an adversary to successfully cryptanalyze one-time pad ciphertext. According to [13], the "hotline" between Moscow and Washington, D.C. was encrypted with a one-time pad during the Cold War.

Kasiski Test. The Kasiski test exploits repeated strings of characters in the plaintext. For example, the plaintext howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood has several strings that appear repeatedly. Encrypting with the keyword twist gives ciphertext that also has repeated strings.

Plaintext:  howmuchwoodwouldawoodchuckchuckifawoodchuckcouldchuckwood
Key:        twisttwisttwisttwisttwisttwisttwisttwisttwisttwisttwisttw
Ciphertext: akeenvdeghwswmewweghwypmvdypmvdensphkluanysuhnhluanysohhz

The word wood appears four times in the plaintext, and it is encrypted in only three different ways. Why? The first two times that wood appears, the first letter of wood corresponds to the i in twist. The third time wood appears it lines up with the second t in twist, and the last time it appears it lines up with the s in twist. Similar things happen with the strings chuck and dchuck.
Kasiski's observation was that if you could identify repeated strings in the ciphertext, then it is possible, but not necessary, that the repeated ciphertext strings correspond to the same plaintext strings. If that is the case, then the difference in position between the repeated strings must be a multiple of the length of the keyword. In our example, eghw starts at positions 8 and 18, so the length of the keyword is probably a factor of $18 - 8 = 10 = 2 \cdot 5$. This suggests that the keyword likely has length 2, 5, or 10.

Example 2.14: Consider the following ciphertext (users.etown.edu/m/mcdevittt/Vigenere1.txt). It's fairly long, but that actually makes the cryptanalysis easier because long repeated strings are more likely.

oig gbw agn uzs byh tws qpa mmv xig gou fwn leq aig vqn rda ntd wnt xbw acc czt wnm cnq zpc cac liz rnc htm cza rvq gcs mcm xqs rwm inx fdc bqe aib dbc fxx hfw jnm aug qcj lqr aym inx qfd uxc xqi tjl qtw amv nxu cja dtj nox ecx ljl ftb nuc pqt tcb qgc bmi wuf xxh agj hkc jnu dwm arx hot rpq sjh phx xqs rwm inx opw fac pyz sdl qln udt vyf dwu sgn ufq jnf anz utu xau cbm ifu dln bmk nwa bnn asn xur jnq pyi dir izd ont pcz utu xmh jzu cjf dtb nuc pjx ply rda ntd byi wxb qgn amk nnt trl xxe yei quf iqu fcj nud wgu vqn xxe yui rmm aci stc bqg ocf irh spw xbg xjq gcb mif yew xox smi fwr mnj ccz puu dvn let wmq lnw mcw ifs nxu rjn qln wmc wif rxh etl lmi nqq rjh zdc bma uii iqc eva igc mnt tkl mkn gqc uch xwa mcm xqp mqt dbn djp axt mbq gnb mkn wac byo gjn qsr nrp aun dey aja jad aja lnl fdj xpd axq iau oic bql xlx sfc xau cfi uyz dcy zda fac plq bng nta qtp cqq hjs tta ynj ccf rjh zte ydu xls tcq tpc ntt hxu sqy dtr nuh oid jbn ttu chx wad pcb qgc int myp xlu ftm bqg nna iqy gco czx bbq sfi dzf bur qnt thq tdo igv qnt tay tpe yfw dmr pam acx vxn jxh pww qsr nuh auf wnl rda oei xvq wnl qsn xur jnq sci fwn adt jnf pbe dtv uuc rhs qnz agn oei quf uai yiq yet qiz day psn upl nnm znc zra ymh nxp tei fxx hfd cbm ilu ghn zag fbu rqn tth amk nnt tuu eio oxa vym hdl qdo xqk
xnu dwn tpc qqw nlq wra tah lqh xfh tcb mic bqh nxq pmm tpu fzd cbm knx utm czk jcz iqu fiq cec jnu dwo zsn lsd mmt puf tpe ymc nqn xan tdo zdt nxa bjh piq ufv xpq gwg qcc iri qyb txj xtk sfw njq dyf qux lfw njq dyf qhq uxa wif enl :::::::::::::: ::::::::::::: uhq zdd vnt tnu diq
Short repeated strings can happen accidentally, so we prefer relatively long strings. In the above text, you can see several highlighted repeated strings and here are their starting positions.
Polygraph   Starting Positions   Differences in Starting Positions
snxurjnq    296, 468, 824        468 − 296 = 172 = 2² · 43;  824 − 468 = 356 = 2² · 89
xqsrwmin    94, 226              226 − 94 = 132 = 2² · 3 · 11
wnjqdyfq    1104, 1116           1116 − 1104 = 12 = 2² · 3

Since the differences in starting positions all involve $2^2$, the keyword probably has length 2 or 4.
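The bookkeeping in the table above (find every repeated polygraph, record where it starts, take the differences, and look at their common factors) is what a Kasiski program automates. Here is an added example of that procedure, not code from the notes or from the KasiskiTest.nb notebook the notes mention; it reports the gcd of all position differences and, since accidental repeats add noise, also counts how many differences each candidate length divides. Positions are 1-indexed to match the notes, and the sample ciphertext is the "how much wood" example with keyword twist.

```python
# Added example, not code from the notes: the Kasiski test. Every n-gram that
# occurs more than once is located (1-indexed starting positions, as in the
# notes), the differences between successive occurrences are collected, and the
# keyword length is read off from their common divisors.
from collections import defaultdict
from functools import reduce
from math import gcd


def repeated_ngrams(ciphertext: str, n: int) -> dict[str, list[int]]:
    """Map each n-gram that appears at least twice to its 1-indexed start positions."""
    text = "".join(ch for ch in ciphertext.lower() if ch.isalpha())
    positions: dict[str, list[int]] = defaultdict(list)
    for i in range(len(text) - n + 1):
        positions[text[i:i + n]].append(i + 1)
    return {gram: pos for gram, pos in positions.items() if len(pos) > 1}


def position_differences(repeats: dict[str, list[int]]) -> dict[str, list[int]]:
    """Differences between successive starting positions of each repeated n-gram."""
    return {gram: [b - a for a, b in zip(pos, pos[1:])] for gram, pos in repeats.items()}


def divisors(n: int) -> list[int]:
    """All divisors of n other than 1 (a keyword of length 1 is just an additive cipher)."""
    return [d for d in range(2, n + 1) if n % d == 0]


def all_differences(ciphertext: str, n: int) -> list[int]:
    return [d for ds in position_differences(repeated_ngrams(ciphertext, n)).values() for d in ds]


def kasiski_gcd(ciphertext: str, n: int = 4) -> int:
    """gcd of every position difference; 0 if no n-gram repeats at all."""
    return reduce(gcd, all_differences(ciphertext, n), 0)


def keyword_length_candidates(ciphertext: str, n: int = 4) -> dict[int, int]:
    """How many repeated-n-gram differences each candidate length divides.

    The true keyword length (and its divisors) should score highest; a single
    accidental repeat pulls the plain gcd down to 1 but barely moves these counts."""
    votes: dict[int, int] = defaultdict(int)
    for d in all_differences(ciphertext, n):
        for length in divisors(d):
            votes[length] += 1
    return dict(sorted(votes.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    # Ciphertext of the 'how much wood' example in the notes (keyword twist, length 5).
    ct = "akeenvdeghwswmewweghwypmvdypmvdensphkluanysuhnhluanysohhz"
    for gram, pos in repeated_ngrams(ct, 4).items():
        print(gram, pos, position_differences({gram: pos})[gram])
    print("gcd of all differences:", kasiski_gcd(ct))
    print("candidate lengths (length: differences it divides):", keyword_length_candidates(ct))
```

On the sample text every repeated 4-gram starts at positions that differ by 5 or 10, so the gcd is 5, the keyword length. On a long ciphertext with a short keyword the plain gcd is often spoiled by one accidental repeat, which is why the vote count is the more useful output in practice.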
Putative keyword length $\tilde L$   IoC of the subsequences $\{c_{1+j\tilde L}\}, \{c_{2+j\tilde L}\}, \ldots, \{c_{9+j\tilde L}\}$
1   0.046
2   0.058 0.050
3   0.044 0.048 0.047
4   0.077 0.067 0.080 0.072
5   0.043 0.051 0.044 0.046 0.044
6   0.055 0.054 0.059 0.047 0.058 0.047
7   0.045 0.045 0.048 0.044 0.051 0.043 0.045
8   0.073 0.067 0.080 0.065 0.078 0.063 0.079 0.077
9   0.041 0.049 0.044 0.042 0.042 0.061 0.047 0.048 0.043

Table 2.1: Table of Friedman's indices of coincidence for subsequences of the ciphertext.
Finding the repeated strings and their starting positions is tedious to do by hand, so we recommend using ECrypt or some other appropriate software. A nice Mathematica notebook KasiskiTest.nb can be found at users.etown.edu/m/mcdevittt/Crypto.html. Even with a computer, finding repeated strings can be a little slow, so be sure that you don't tackle ciphertext that is really long unless you are prepared to wait awhile.

Friedman Test. Experiments show that the index of coincidence for Vigenère ciphertext is approximately 0.046, whereas it is about 0.066 for English and affine ciphertext, so the IoC is a statistic that can be used to distinguish between Vigenère and affine ciphertext. However, we can also use it to find the length of the Vigenère keyword.

Example 2.15: Let's reconsider the ciphertext in Example 2.14. The IoC is 0.046, which suggests that this is probably Vigenère ciphertext. What we'll do is simply try different keyword lengths $\tilde L$. If, for example, $\tilde L = 3$, then we are guessing that $L = 3$. If that is correct, then $\{p_1, p_4, p_7, p_{10}, \ldots\}$ were all encrypted with $k_0$, $\{p_2, p_5, p_8, \ldots\}$ were all encrypted with $k_1$, and $\{p_3, p_6, p_9, \ldots\}$ were encrypted with $k_2$. That means that each subsequence should have an IoC near 0.066. However, as Table 2.1 shows, the indices are 0.044, 0.048, and 0.047, so $\tilde L = 3$ must be wrong. Table 2.1 shows IoCs for all of the subsequences for values of $\tilde L$ from one to nine. The IoCs for $\tilde L = 4$ and $\tilde L = 8$ are close to 0.066, so we think that one of these is correct. Since $4 \mid 8$, it must be that $L = 4$. This method is both faster and more reliable than the Kasiski test, but it requires the use of a computer.
Finding Plaintext. Once the length of the keyword is known, recovery of the plaintext is fairly easy because it only requires cryptanalyzing L additive ciphers.
Example 2.16: Continuing Example 2.14 and knowing that $L = 4$, we break down the ciphertext into its four subsequences

$c_1 = \{c_{4j+1}\}_{j=0}^{247}$ = obnbwaxonaqawbcwnclnmrcmrncabxjujandxjwnjjejbpccwxjj...qwnqvnq
$c_2 = \{c_{4j+2}\}_{j=0}^{246}$ = iwuysmiulinnnwcnqciccvsxwxbichnglyxuqlaxanclnqbbuhhn...fuilznu
$c_3 = \{c_{4j+3}\}_{j=0}^{246}$ = gazhqmgfegrttazmzazhzqmqmfqbffmqqmqxiqmudoxfutqmfaku...qxfudtd
$c_4 = \{c_{4j+4}\}_{j=0}^{246}$ = ggstpvgwqvddxctcpcrtagcsidedxwacrifcttvctxltctgixgcd...haehdti

that have the frequencies shown in Figure 2.5. These charts suggest that $\{k_0, k_1, k_2, k_3\} = \{9, 9, 12, 15\}$ (or jjmp), which gives the obviously incorrect putative plaintext fzursnorelndspvenjeardagozurflthecsbrzugheforehonehisnonttnene. A little trial and error reveals that $k_1 = 20$ (so the keyword is jump) and the original plaintext fourscoreandsevenyearsagoourfathersbroughtforthonthiscontinent.
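Examples 2.15 and 2.16 together are a complete attack: the Friedman test picks $L$, and then each of the $L$ subsequences is solved as an additive cipher. The following is an added example of that whole procedure, not code from the notes. It assumes the sample index of coincidence $\sum n_i(n_i-1)/(N(N-1))$ for a text of $N$ letters with $n_i$ copies of the $i$th letter, a table of published English letter frequencies (our own, not one from the notes), and, for each subsequence, a chi-squared comparison against those frequencies instead of the "most frequent letter is e" shortcut, which is the step that gave the notes a wrong $k_1$ on the first try. The sample plaintext is the Gettysburg Address, the text Example 2.16 recovers, encrypted here with the keyword jump.

```python
# Added example, not code from the notes: the Friedman test of Example 2.15 and
# the plaintext recovery of Example 2.16, run end to end on constructed input.
# Assumptions: ioc() is the sample index of coincidence sum n_i(n_i-1)/(N(N-1));
# ENGLISH holds the usual published letter frequencies, not a table from the
# notes; each subsequence's shift is chosen by a chi-squared fit to English
# rather than by its most frequent letter. Function names are our own.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
ENGLISH_PERCENT = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                   6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]
ENGLISH = {ch: pct / 100 for ch, pct in zip(ALPHABET, ENGLISH_PERCENT)}


def clean(text: str) -> str:
    """Keep only the 26 letters, lower-cased, as the notes do."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def ioc(text: str) -> float:
    """Probability that two letters drawn without replacement from text are equal."""
    text = clean(text)
    n = len(text)
    if n < 2:
        return 0.0
    return sum(text.count(ch) * (text.count(ch) - 1) for ch in ALPHABET) / (n * (n - 1))


def subsequences(text: str, length: int) -> list[str]:
    """Every length-th letter: c_{j+1}, c_{j+1+length}, ... for j = 0, ..., length-1."""
    text = clean(text)
    return [text[j::length] for j in range(length)]


def ioc_table(ciphertext: str, max_len: int = 9) -> dict[int, list[float]]:
    """The rows of Table 2.1: IoC of each subsequence for putative lengths 1..max_len."""
    return {lt: [round(ioc(s), 3) for s in subsequences(ciphertext, lt)]
            for lt in range(1, max_len + 1)}


def friedman_key_length(ciphertext: str, max_len: int = 9, english_like: float = 0.06) -> int:
    """Smallest putative length whose subsequences look like English on average.

    Multiples of the true length score high as well (L~ = 8 in Table 2.1), so the
    smallest qualifying length wins, which is the notes' "4 | 8, so L = 4" step.
    The cutoff 0.06 is our choice: well above the Vigenère figure 0.046 and a
    little under English's 0.066."""
    for lt, values in ioc_table(ciphertext, max_len).items():
        if sum(values) / len(values) >= english_like:
            return lt
    raise ValueError(f"no keyword length up to {max_len} looks right")


def chi_squared(text: str, shift: int) -> float:
    """How far the letter counts of text, shifted back by shift, are from English."""
    text = clean(text)
    n = len(text)
    total = 0.0
    for i, ch in enumerate(ALPHABET):
        observed = text.count(ALPHABET[(i + shift) % 26])  # the ciphertext letter ch became
        expected = ENGLISH[ch] * n
        total += (observed - expected) ** 2 / expected
    return total


def best_shift(text: str) -> int:
    """The additive-cipher key under which text looks most like English."""
    return min(range(26), key=lambda s: chi_squared(text, s))


def recover_keyword(ciphertext: str, max_len: int = 9) -> str:
    """Friedman test for L, then one additive-cipher solution per subsequence."""
    length = friedman_key_length(ciphertext, max_len)
    return "".join(ALPHABET[best_shift(s)] for s in subsequences(ciphertext, length))


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Equation (2.9); decrypt=True subtracts the key instead of adding it."""
    k = [ALPHABET.index(ch) for ch in clean(keyword)]
    sign = -1 if decrypt else 1
    return "".join(ALPHABET[(ALPHABET.index(ch) + sign * k[i % len(k)]) % 26]
                   for i, ch in enumerate(clean(text)))


# Constructed sample plaintext: the Gettysburg Address (Bliss copy).
GETTYSBURG = """Four score and seven years ago our fathers brought forth on this continent, a new
nation, conceived in Liberty, and dedicated to the proposition that all men are created equal. Now we
are engaged in a great civil war, testing whether that nation, or any nation so conceived and so
dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a
portion of that field, as a final resting place for those who here gave their lives that that nation
might live. It is altogether fitting and proper that we should do this. But, in a larger sense, we can
not dedicate, we can not consecrate, we can not hallow this ground. The brave men, living and dead, who
struggled here, have consecrated it, far above our poor power to add or detract. The world will little
note, nor long remember what we say here, but it can never forget what they did here. It is for us the
living, rather, to be dedicated here to the unfinished work which they who fought here have thus far so
nobly advanced. It is rather for us to be here dedicated to the great task remaining before us, that
from these honored dead we take increased devotion to that cause for which they gave the last full
measure of devotion, that we here highly resolve that these dead shall not have died in vain, that this
nation, under God, shall have a new birth of freedom, and that government of the people, by the people,
for the people, shall not perish from the earth."""

if __name__ == "__main__":
    ct = vigenere(GETTYSBURG, "jump")
    print("IoC of the ciphertext:", round(ioc(ct), 3))
    for lt, row in ioc_table(ct).items():
        print(lt, row)
    kw = recover_keyword(ct)
    print("keyword:", kw, "plaintext:", vigenere(ct, kw, decrypt=True)[:62])
```

The printed table is the analogue of Table 2.1 for this ciphertext: rows 4 and 8 stand out, and the code takes the smaller. The chi-squared fit is what makes the last step robust; with only the "most frequent letter" rule, a subsequence in which t or a happens to beat e would give the wrong shift, exactly as happened for $k_1$ in Example 2.16.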
Figure 2.5: Frequencies of ciphertext characters in the four subsequences of the Vigenère cipher in Example 2.14.
Exercises
(1) Kelly is trying to communicate with her best friend Bill. She has seven different whistles to get his attention, each with a different pitch. How many different sequences of whistles could she make if she uses three different whistles each time?
(2) Melissa has top-of-the-line clothing. She has four different pairs of shoes, three different shirts, and six pairs of pants. How many different outfits can she make?
(3) Jordan has a gambling problem. He enjoys making bets on things such as flipping a coin. Assuming the probability of flipping a heads is 0.5, what is the chance that he flips a head three times in a row?
(4) How many factors do each of the following integers have? (a) 20 (b) 200 (c) 1960 (d) 10800
(5) Two integers $x$ and $y$ are chosen (uniformly) at random from $0 \le x < 17$. What is the probability that $x + y \equiv 7 \pmod{17}$?
(6) If $x \in \{1, 2, \ldots, 28\}$, what is the probability that $x^{-1} \bmod 29$ is not prime?
(7) There are three racers, Matt, Paul, and Zach, trying to win the last race to qualify for the Olympics. Out of 143 races, Matt has gotten the best start 72 times and Paul has gotten the best start 18 times. Assume that the same conditions hold for the final race that held for the first 143 races. As the whistle is blown: (a) What is the probability that Matt gets the best start? (b) What is the probability that neither Matt nor Paul gets the best start?
(8) Nikki needs to make a password for her computer so Rachel cannot hack into it. She is allowed to use lower-case letters, upper-case letters, numbers, and the six characters !?#$(). Her password needs to be a minimum of 6 characters and a maximum of 12 characters long. How many different passwords can she make?
(9) Recall that the probability of choosing an e is approximately 12% and the probability of choosing a z is 0.074%. If you choose two letters at random from a large book, what is the probability that you get one e and one z?
(10) If, on any given day, the probability of class being canceled is 32% (yeah right!) and the probability of pigs flying is 12%, what is the probability of both of these independent events happening on the same day?
(11) What is the probability of rolling a fair die so that you first roll a 6, then an even number, and then a prime number?
(12) Brielle and Patty are playing Trouble®. Patty (green) is one spot from winning and it is her turn. Brielle (red) is seven spots behind Patty. On her turn, Patty uses the Pop-a-matic® bubble to "roll" the die and then moves that many spots. Patty needs a 1 to win and cannot move on any other value of the die. However, if she rolls a 6 she gets to go again.
(a) What is the probability that Patty wins on her next turn? Hint: $1 + \frac{1}{6} + \frac{1}{6^2} + \frac{1}{6^3} + \cdots = \frac{6}{5}$.
(b) Given that Patty doesn't win on her turn, what is the probability that Brielle lands on Patty's spot on her next turn?
(c) Starting with Patty's turn, what is the probability that Brielle lands on Patty's spot before she wins?
(13) Jacqueline is playing Parcheesi. On her next turn, she rolls the pair of dice and if either die has 5 on the upface or if the sum of the pips on the two upfaces is five, then she enters one of her pieces onto the board. (She has to enter a piece, if possible, whenever she rolls a 5.)
(a) What is the probability that Jacqueline enters exactly one piece on her next roll?
(b) What is the probability that she enters at least one piece on her next roll?
(c) If Jacqueline rolls doubles, then she gets to roll again on the same turn. If she gets doubles a second time, then she rolls again, but if she gets doubles a third time then her turn is over. What is the probability that Jacqueline enters at least one piece on her next turn?
(14) Encrypt the following messages with the Vigenère cipher using the given keyword and the standard 26-letter alphabet. (a) tim likes to chew gum; keyword=dentyne (b) pcs are better than macs; keyword=computer (c) the steelers will win the super bowl; keyword=ben
(15) Decrypt the following messages using the given keyword and the standard 26-letter alphabet. (a) tphftltkrph; keyword=bed (b) usfajlevgujwtgldibfymmywrjqxwvqikacogx; keyword=betsy (c) zfiikehxrzinxzsvrpqtiomyzvxkicbvnxi; keyword=travel
(16) Cryptanalyze the Vigenère ciphertext in the text files (a) Vigenere2 (b) Vigenere3 (c) Vigenere4, all of which are available at users.etown.edu/m/mcdevittt/Crypto.html
(17) For a 26-letter alphabet, what is the smallest that the theoretical IoC can possibly be? What is the largest it can be?
(18) Suppose that you encrypt some plaintext twice. You first use the Vigenère cipher with a keyword of length $L_1$, and then you re-encrypt the resulting ciphertext with a keyword of length $L_2$. The resulting ciphertext is Vigenère ciphertext with an effective keyword length of $L_3$. Carefully relate $L_3$ to $L_1$ and $L_2$.
(19) Sinkov [11] defines the measure of roughness

$$\mathrm{MR} = \sum_{j=1}^{26} \left(f_j - \frac{1}{26}\right)^2,$$

where $f_j$ is the relative frequency (i.e. probability) of the $j$th letter. Approximately how large is MR for English text?

CHAPTER 3
Recursion
3.1. Recursion
Recursion, for us, refers to the calculation of integers in a sequence using previous integers in the sequence. In particular, we are interested in the recursive definitions of integer sequences via linear recurrence relations. Rather than give a careful definition of a linear recurrence relation, let's start out with an example that may be familiar. Leonardo of Pisa (a.k.a. Fibonacci) was a famous Medieval Italian mathematician who introduced Arabic numerals to the Latin West, but he is better known for the Fibonacci sequence, $\{0, 1, 1, 2, 3, 5, 8, 13, 21, \ldots\}$, that starts with 0 and 1 and proceeds by adding the previous two numbers. More precisely, if $f_n$ is the $n$th Fibonacci number, then $f_0 = 0$, $f_1 = 1$, and

(3.1) $f_n = f_{n-1} + f_{n-2}, \quad n \ge 2.$

Note that if we change $f_0$ and $f_1$, then (3.1) gives completely different sequences. The Fibonacci sequence and others like it are fascinating and well worthy of study, but we want to use them for cryptographic purposes. Note that (3.1) specifies a linear relationship between $f_n$, $f_{n-1}$, and $f_{n-2}$.

Example 3.1: Suppose $f_0 = 7$ and $f_1 = 3$. Using (3.1) gives the sequence $\{7, 3, 10, 13, 23, 36, 59, 95, 154, 249, \ldots\}$, but if $f_0 = 3$ and $f_1 = -2$, then we have $\{3, -2, 1, -1, 0, -1, -1, -2, -3, -5, \ldots\}$ instead.
Key Expansion. Suppose that you are using a Vigenère cipher with a keyword of length L = 2. This is an extremely short key, but it can be expanded using a recursive rule like (3.1). For example, let k0 = 0, k1 = 1, and let
(3.2) $k_n \equiv k_{n-1} + k_{n-2} \pmod{26}, \quad n \ge 2.$

Here are the first 90 terms in the mod-26 Fibonacci sequence:

(3.3) $\{k_n\}_{n=0}^{89} = \{$0, 1, 1, 2, 3, 5, 8, 13, 21, 8, 3, 11, 14, 25, 13, 12, 25, 11, 10, 21, 5, 0, 5, 5, 10, 15, 25, 14, 13, 1, 14, 15, 3, 18, 21, 13, 8, 21, 3, 24, 1, 25, 0, 25, 25, 24, 23, 21, 18, 13, 5, 18, 23, 15, 12, 1, 13, 14, 1, 15, 16, 5, 21, 0, 21, 21, 16, 11, 1, 12, 13, 25, 12, 11, 23, 8, 5, 13, 18, 5, 23, 2, 25, 1, 0, 1, 1, 2, 3, 5, $\ldots\}$.

Note that this sequence is periodic, starting over again at $n = 84$, so $k_n = k_{n+84}$. Note that the regular Fibonacci sequence $\{f_n\}$ is not periodic and increases without bound, so it is significant that $\{k_n\}$ is periodic.
It is also noteworthy that $\{k_n\}$ appears to be random, so the original key sequence $\{k_0, k_1\}$ has been expanded to $\{k_0, k_1, k_2, \ldots, k_{83}\}$, thereby strengthening the Vigenère cipher by better approximating a one-time pad. Other sequences are certainly possible. For example, the recursion

$k_n \equiv 5k_{n-1} + 19k_{n-3} \pmod{26}, \quad n \ge 3,$

requires 3 starting values $\{k_0, k_1, k_2\}$ and has period 168, twice as long as (3.2). We can choose both the number of terms in the recursion and the coefficients, so we might want to understand how we can choose them to optimize the period of the resulting sequence. However, that would involve some sophisticated mathematics that is beyond the scope of this course.
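Computing a key stream like (3.3) and checking where it starts over is easy to automate, and doing so shows why the period matters: the expanded key is only as long as its period, after which the Vigenère cipher repeats exactly as with a short keyword. The following is an added example, not code from the notes. It accepts any recurrence $k_n \equiv a_1 k_{n-1} + \cdots + a_m k_{n-m} \pmod{26}$ as the coefficient list $[a_1, \ldots, a_m]$ (so the three-term recursion above can be tried as well), finds the period by waiting for the $m$-tuple of consecutive terms to recur, and encrypts a short constructed message with the expanded key. Function names and the message are our own.

```python
# Added example, not code from the notes: expanding a short Vigenère key with a
# linear recurrence modulo 26, as in (3.2), and finding the period of the key
# stream. coeffs = [a_1, ..., a_m] means k_n = a_1 k_{n-1} + ... + a_m k_{n-m}.
# Function names and the sample message are our own.
from typing import Sequence

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def next_term(state: Sequence[int], coeffs: Sequence[int], modulus: int = 26) -> int:
    """k_n from the previous m terms: coeffs[i] multiplies k_{n-1-i}."""
    return sum(c * state[-1 - i] for i, c in enumerate(coeffs)) % modulus


def expand_key(start: Sequence[int], coeffs: Sequence[int], n_terms: int, modulus: int = 26) -> list[int]:
    """The first n_terms of the recurrence seeded with start = (k_0, ..., k_{m-1})."""
    if len(start) != len(coeffs):
        raise ValueError("need exactly one starting value per coefficient")
    k = [v % modulus for v in start]
    while len(k) < n_terms:
        k.append(next_term(k, coeffs, modulus))
    return k[:n_terms]


def period(start: Sequence[int], coeffs: Sequence[int], modulus: int = 26) -> tuple[int, int]:
    """(pre-period, period) of the key stream.

    The state is the tuple of the last m terms; the stream repeats as soon as a
    state comes back, and there are at most modulus**m states, so this stops.
    A pre-period of 0 means the stream is purely periodic, like (3.3)."""
    state = tuple(v % modulus for v in start)
    first_seen: dict[tuple[int, ...], int] = {}
    n = 0
    while state not in first_seen:
        first_seen[state] = n
        state = state[1:] + (next_term(state, coeffs, modulus),)
        n += 1
    return first_seen[state], n - first_seen[state]


def encrypt_with_sequence(plaintext: str, key_stream: Sequence[int]) -> str:
    """Vigenère encryption (2.9) with an explicit key sequence, repeated if too short."""
    p = [ALPHABET.index(ch) for ch in plaintext.lower() if ch in ALPHABET]
    return "".join(ALPHABET[(v + key_stream[i % len(key_stream)]) % 26] for i, v in enumerate(p))


if __name__ == "__main__":
    fib = expand_key((0, 1), (1, 1), 90)
    print("mod-26 Fibonacci key stream, equation (3.3):", fib)
    print("(pre-period, period) of (3.2) from (0, 1):", period((0, 1), (1, 1)))  # (0, 84)
    print("same for k_n = 5k_{n-1} + 19k_{n-3} from (0, 1, 1):", period((0, 1, 1), (5, 0, 19)))
    print(encrypt_with_sequence("meet me at noon", fib))
```

Because the modulus 26 is not prime, some coefficient choices give a stream with a pre-period (a few terms that never recur) before the cycle starts, which is why `period` reports both numbers; for the Fibonacci rule from $(0, 1)$ the pre-period is 0 and the period is 84, matching the note after (3.3).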
Classroom Exercise 3.1: Compute the period of the sequence defined by

$k_n \equiv 5k_{n-1} + 9k_{n-2} \pmod{26}, \quad n \ge 2$

by computing enough terms.

Classroom Exercise 3.2: Let $k_0 = 5$, $k_1 = 23$, and $k_n \equiv k_{n-1} + k_{n-2} \pmod{26}$. The ciphertext nckgbdbicprmedlklalrdhydcjmtwxxmu was generated using a Vigenère cipher with the sequence $\{k_n\}_{n=0}^{32}$. Decipher the message.
3.2. Binary Arithmetic
The number system we use every day is based on the number 10, and when we write something like 4085, we are expressing a number as a linear combination of powers of 10. More precisely,