
CHAPTER 6. NUMBER THEORY FOR CRYPTOGRAPHY

INSTITIÚID TEICNEOLAÍOCHTA CHEATHARLACH

INSTITUTE OF TECHNOLOGY CARLOW

NUMBER THEORY FOR CRYPTOGRAPHY

1 Elementary Number Theory

1.1 Introduction

[Figure 1: Carl Friedrich Gauss (1777-1855)]

Many mathematicians over the centuries have made contributions to the mathematics of the integers. The German mathematician Carl Friedrich Gauss (1777-1855) introduced the concept and notation of the arithmetic of remainders, or the theory of congruences as it is now commonly known. This work was published in 1801 in his Disquisitiones Arithmeticae. This monumental work laid the foundations of modern number theory and appeared when Gauss was just 24 years old.

Gauss was one of those remarkable infant prodigies whose natural aptitude for mathematics soon became apparent. As a child of three, according to a well-authenticated story, he corrected an error in his father's payroll calculations. His arithmetical powers so overwhelmed his schoolmasters that, by the time Gauss was 10 years old, they admitted that there was nothing more they could teach the boy. It is said that in his first arithmetic class Gauss astonished his teacher by instantly solving what was intended to be a 'busy work' problem: find the sum of all the numbers from 1 to 100. The young Gauss later confessed to having recognised the pattern

1 + 100 = 101, 2 + 99 = 101, 3 + 98 = 101, …, 50 + 51 = 101

Since there are 50 pairs of numbers, each of which adds up to 101, the sum of all the numbers must be 50 × 101 = 5050. This technique provides another way of deriving the formula

1 + 2 + 3 + … + n = n(n + 1)/2

for the sum of the first n positive integers. Gauss went on to a succession of triumphs, each new discovery following on the heels of a previous one. The problem of constructing regular polygons with 'only Euclidean tools', that is to say, with ruler and compass alone, had long been laid aside in the belief that the ancients had exhausted all the possible constructions. In 1796, Gauss showed that the 17-sided regular polygon is so constructible, the first advance in this area since Euclid's time. The publication, in 1801, of his Disquisitiones Arithmeticae at once placed Gauss in the front rank of mathematicians. By the middle of the 18th century, mathematics had grown into an enormous subject area divided into a large number of fields. Although Gauss adored every branch of mathematics, he always held number theory in high esteem and affection. He insisted that "Mathematics is the Queen of the Sciences, and the theory of numbers is the Queen of Mathematics".

Number Theory is the mathematics of the integers.

Z = {…, −4, −3, −2, −1, 0, 1, 2, 3, 4, …}

A subset of the integers, the primes, those positive integers with no proper positive factors other than 1, is particularly important in computer science. An important result of number theory shows that the primes are the multiplicative building blocks of the positive integers. This result, called the fundamental theorem of arithmetic, says that every positive integer can be uniquely written as a product of primes. Interest in the prime numbers dates back 2,500 years, to the studies of ancient Greek mathematicians. Perhaps the first question about primes that comes to mind is whether there are infinitely many. The ancient Greek mathematician Euclid provided a proof that there are infinitely many primes. Interest in the primes was rekindled in the 17th and 18th centuries, when mathematicians such as Pierre de Fermat and Leonhard Euler proved many important results and suggested approaches for generating primes.

The 20th century has seen the development of new techniques for the study of primes, but many questions remain unresolved. Factoring a positive integer into primes is a central problem in number theory. The factorization of a positive integer can be found using trial division, but this method is extremely time consuming. Fermat, Euler, and many other mathematicians devised imaginative factorization algorithms. Using the best known techniques, we can easily find primes with hundreds of digits; factorizing integers with the same number of digits is beyond our most powerful computers.

The development of modern number theory was made possible by Gauss when he developed the language of congruences in the early 19th century. One of the most important applications of number theory to computer science is in the area of cryptography. Congruences can be used to develop various types of ciphers. Current public-key cipher systems, the RSA algorithm for example, use elementary ideas from number theory. The security of the cipher system depends on the assumption that the factorization of composite numbers with large prime factors is prohibitively time consuming.

1.2 Greatest Common Divisor

Theorem 1 (The Division Algorithm) Given integers a and b, with b > 0, there exist unique integers q and r satisfying

a = qb + r

where 0 ≤ r < b. The integers q and r are called, respectively, the quotient and remainder in the division of a by b.

A special case occurs when r = 0.

Definition An integer b is said to be divisible by an integer a ≠ 0, denoted by a | b, if there exists some integer q such that b = qa. We write a ∤ b to indicate that b is not divisible by a.

Example 3 | 6, since 6 = 3·2, and 7 | 14, since 14 = 2·7. However 3 ∤ 7, since there is no integer q such that 7 = q·3.

Note To avoid a common misconception we note that every integer divides zero, i.e., a | 0 for every integer a, but 0 | a if and only if a = 0.

Definition Let a and b be integers, not both zero. The greatest common divisor of a and b is the greatest positive integer that divides each of a and b. The greatest common divisor of a and b is denoted by gcd(a, b).

Definition Let a and b be integers, not both zero. If the greatest common divisor of a and b is 1 then these integers are said to be coprime.

1.3 The Euclidean Algorithm

The greatest common divisor of two integers can be found by listing all their positive divisors and picking out the largest one common to each; but this is cumbersome for large numbers. A more efficient process, involving repeated application of the Division Algorithm, is referred to as the Euclidean Algorithm. The Euclidean Algorithm may be described as follows:

Let a ≥ b > 0. The first step of the Division Algorithm applied to a and b yields

a = q₁b + r₁, 0 ≤ r₁ < b

If it happens that r₁ = 0, then b | a and gcd(a, b) = b and we stop. When r₁ ≠ 0, divide b by r₁ to get

b = q₂r₁ + r₂, 0 ≤ r₂ < r₁

If r₂ = 0, then r₁ | b and gcd(a, b) = gcd(b, r₁) = r₁ and we stop. When r₂ ≠ 0, divide r₁ by r₂ to get

r₁ = q₃r₂ + r₃, 0 ≤ r₃ < r₂

This division process continues until a zero remainder appears (a zero remainder occurs sooner or later since the decreasing sequence b > r₁ > r₂ > … ≥ 0 cannot contain more than b integers). The result is the following system of equations:

a = q₁b + r₁, 0 < r₁ < b
b = q₂r₁ + r₂, 0 < r₂ < r₁
r₁ = q₃r₂ + r₃, 0 < r₃ < r₂
⋮
rₙ₋₂ = qₙrₙ₋₁ + rₙ, 0 < rₙ < rₙ₋₁
rₙ₋₁ = qₙ₊₁rₙ + 0

We argue that rₙ, the last nonzero remainder which appears in this manner, is equal to gcd(a, b), i.e., gcd(a, b) = rₙ. Our proof is based on the following lemma.

Theorem 2 Let a, b, q and r be integers with b > 0. If a = qb + r, then gcd(a, b) = gcd(b, r).

Using this lemma and working down the system of equations above we get

gcd(a, b) = gcd(b, r₁) = … = gcd(rₙ₋₁, rₙ) = gcd(rₙ, 0) = rₙ

as claimed.

Example Let a = 12378 and b = 3054. Using the Euclidean Algorithm with a ≥ b > 0 we get

12378 = 4(3054) + 162
3054 = 18(162) + 138
162 = 1(138) + 24
138 = 5(24) + 18
24 = 1(18) + 6
18 = 3(6) + 0

Therefore gcd(12378, 3054) = 6.

Example Let a = 832 and b = 578. Using the Euclidean Algorithm with a ≥ b > 0 we get

832 = 1(578) + 254
578 = 2(254) + 70
254 = 3(70) + 44
70 = 1(44) + 26
44 = 1(26) + 18
26 = 1(18) + 8
18 = 2(8) + 2
8 = 4(2) + 0

Therefore gcd(832, 578) = 2.

Note The French mathematician Gabriel Lamé (1795-1870) proved that the number of steps required in the Euclidean Algorithm is at most five times the number of digits in the smaller integer. In the previous example the smaller integer has three digits, so the total number of divisions cannot be greater than 15; in fact only eight divisions were needed.

Exercise Find gcd(143, 227), gcd(306, 657) and gcd(272, 1479).

Theorem 3 Let a and b be integers, not both zero. Then there exist integers x, y such that

ax + by = gcd(a, b)

where gcd(a, b) is the greatest common divisor of a and b.

Remark Consider again how the Euclidean Algorithm works in a concrete case by calculating gcd(12378, 3054). The appropriate applications of the Division Algorithm produce the equations

12378 = 4(3054) + 162
3054 = 18(162) + 138
162 = 1(138) + 24
138 = 5(24) + 18
24 = 1(18) + 6
18 = 3(6) + 0

We conclude that the last non-zero remainder appearing in these equations, namely the integer 6, is the greatest common divisor of 12378 and 3054, i.e.

6 = gcd(12378, 3054)

To represent 6 as a linear combination of the integers a = 12378 and b = 3054, we start with the first of the displayed equations and successively isolate the remainders 162, 138, 24, 18 and 6:

a = 4b + 162, so 162 = a − 4b
b = 18(a − 4b) + 138, so 138 = 73b − 18a
a − 4b = 1(73b − 18a) + 24, so 24 = 19a − 77b
73b − 18a = 5(19a − 77b) + 18, so 18 = 458b − 113a
19a − 77b = 1(458b − 113a) + 6, so 6 = 132a − 535b

Now

132a − 535b = gcd(12378, 3054)

Also

12378x + 3054y = gcd(12378, 3054)

where x = 132 and y = −535. This is a representation of the integer 6 as a linear combination of 12378 and 3054.

Exercise Use the Euclidean Algorithm to obtain integers x and y satisfying the following.

i 24x + 138y = gcd(24, 138)
ii 119x + 272y = gcd(119, 272)
iii 1769x + 2378y = gcd(1769, 2378)

1.4 Primes

Definition A prime number is an integer p greater than one with the property that 1 and p are the only positive integers that divide p.

P = {2, 3, 5, 7, 11, 13, 17, 19, …}

Definition An integer greater than one that is not a prime number is said to be a composite number.

Theorem 4 (The Fundamental Theorem of Arithmetic) Every composite number greater than one factors uniquely as a product of prime numbers.

The prime factorisation of each integer from 1 to 99 is shown below. The entry in the row labelled 10k and the column labelled j is the factorisation of 10k + j; 0 and 1 have no prime factorisation and are left blank:

        0        1        2        3        4        5        6        7        8        9
 0      -        -        2        3        2²       5        2·3      7        2³       3²
10      2·5      11       2²·3     13       2·7      3·5      2⁴       17       2·3²     19
20      2²·5     3·7      2·11     23       2³·3     5²       2·13     3³       2²·7     29
30      2·3·5    31       2⁵       3·11     2·17     5·7      2²·3²    37       2·19     3·13
40      2³·5     41       2·3·7    43       2²·11    3²·5     2·23     47       2⁴·3     7²
50      2·5²     3·17     2²·13    53       2·3³     5·11     2³·7     3·19     2·29     59
60      2²·3·5   61       2·31     3²·7     2⁶       5·13     2·3·11   67       2²·17    3·23
70      2·5·7    71       2³·3²    73       2·37     3·5²     2²·19    7·11     2·3·13   79
80      2⁴·5     3⁴       2·41     83       2²·3·7   5·17     2·43     3·29     2³·11    89
90      2·3²·5   7·13     2²·23    3·31     2·47     5·19     2⁵·3     97       2·7²     3²·11

Remark

1. This 'product of primes' representation is called canonical form. For example

720 = 2⁴·3²·5

To factorize a composite number into its prime factors, the method is simply to divide the given integer by the smallest prime 2 until the integer is no longer divisible by 2. Then divide by the next prime 3 until the integer is no longer divisible by 3, next divide by 5 until the integer is no longer divisible by 5, and so on, dividing by larger and larger primes until we reach 1. We can illustrate this method as follows:

720 = 2·360
    = 2·2·180
    = 2·2·2·90
    = 2·2·2·2·45
    = 2·2·2·2·3·15
    = 2·2·2·2·3·3·5

Hence we have that 720 = 2⁴·3²·5.

Also, for example:

1000 = 2·500
     = 2·2·250
     = 2·2·2·125
     = 2·2·2·5·25
     = 2·2·2·5·5·5

Hence we have that 1000 = 2³·5³.

Having used successive division to factorize a known composite integer into its unique prime factors, we find that this method is adequate for composite numbers of reasonable size but is not an efficient method in terms of computer time. We now consider a further method of prime factorization, a method known as Pollard rho-factorization.

2. We can use this method in a simple way to investigate if an integer is prime. So, for example, we can pose the question: is 363 a prime number? No, since it is divisible by 3. In general, to test an integer n for the property of being prime we see if 2 is a factor, then 3, then 5, and so on with each prime in turn. We stop at the largest prime less than or equal to √n. If an integer n is not divisible by any prime less than or equal to √n, then n is prime.

Exercise Is 163 a prime number? √163 ≈ 12. Now 163 is not divisible by 2, 3, 5, 7, 11. Hence 163 is prime.

Exercise Is 473 a prime number? √473 ≈ 21. Now 473 is not divisible by 2, 3, 5, 7; however, it is divisible by 11. Hence 473 is not prime.

This method for testing for primes is not efficient for larger integers.
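The following routine, added here as an example and not code from the notes, carries out the successive-division method and the √n primality test above for any integer greater than one, returning the canonical form as (prime, exponent) pairs; its running time grows with √n, which is why the notes call it inefficient for large integers:

```python
"""Trial-division factorisation and primality testing, as described in the notes."""

def canonical_form(n):
    """Prime factorisation of n > 1 as a list of (prime, exponent) pairs.
    Divides out 2, then 3, then 5, ... exactly as in the notes. Trial divisors
    stop at sqrt(cofactor); whatever cofactor > 1 remains is itself prime."""
    if n < 2:
        raise ValueError("canonical form is defined for integers greater than one")
    factors = []
    p = 2
    while p * p <= n:
        exponent = 0
        while n % p == 0:       # divide by p until p no longer divides n
            n //= p
            exponent += 1
        if exponent:
            factors.append((p, exponent))
        p += 1 if p == 2 else 2 # after 2, only odd trial divisors are needed
    if n > 1:
        factors.append((n, 1))
    return factors

def format_canonical(factors):
    """Render [(2, 4), (3, 2), (5, 1)] as '2^4.3^2.5', the notes' dot notation."""
    return ".".join(f"{p}^{e}" if e > 1 else str(p) for p, e in factors)

def is_prime(n):
    """n is prime iff no integer 2 <= d <= sqrt(n) divides it. Composite trial
    divisors never hit first, since their prime factors were tried earlier, so
    this is the same test as trying only the primes up to sqrt(n)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1 if d == 2 else 2
    return True

if __name__ == "__main__":
    for n in (720, 1000, 363, 473):
        print(n, "=", format_canonical(canonical_form(n)))
    print("163 prime?", is_prime(163), " 473 prime?", is_prime(473))
```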

Exercise Represent each of the following integers in canonical form

100, 222, 8000, 9555, 9999

Exercise Which of the following integers are prime?

197, 251, 599, 661

Remark The mathematician Pierre de Fermat (1601–1665) is more recently known for his famous 'last' theorem, which is based on a simple statement relating to a property of right-angled triangles. In a right-angled triangle, the sum of the squares of the lengths of the sides containing the right angle is equal to the square of the hypotenuse; i.e. a² + b² = c².

[Figure: right-angled triangle with vertices A, B, C, angle α, sides a and b, and hypotenuse c]

This statement is known as Pythagoras' Theorem. Three positive integers a, b and c such that a² + b² = c² are called Pythagorean triples. For example (3, 4, 5), (5, 12, 13), (6, 8, 10), (8, 15, 17), (9, 12, 15) are all solutions of the equation

a² + b² = c²

In the early 1600s, Fermat, a French lawyer and mathematician, posed the following question: if the power of 2 in the above equation were replaced by 3, could there be found three non-zero integers a, b and c that satisfy the equation a³ + b³ = c³? The same question could be asked if the power were increased to 4, then to 5, and so on to any positive integer n.

a³ + b³ = c³
a⁴ + b⁴ = c⁴
⋮
aⁿ + bⁿ ≠ cⁿ

Fermat stated that no matter how hard you try you will never find integer solutions to these equations. This famous statement became known as Fermat's 'Last' Theorem, which was not solved until 1994 by the British-American mathematician Andrew Wiles. Wiles devoted seven years of his life to proving the famous theorem, which may have generated more attempts at proofs than any other theorem.

Pierre de Fermat (1601–1665)

Fermat's 'Last' Theorem states that aⁿ + bⁿ = cⁿ has no non-zero integer solutions for a, b and c when n > 2. Fermat stated his theorem in 1637 when he wrote that "I have a truly marvellous proof of this proposition which this margin is too narrow to contain". Today, however, we believe that Fermat had no such proof.

1.5 Congruences

With the notion of divisibility in place we can now give the definition of a congruence. Congruences were first introduced by the German mathematician Carl Friedrich Gauss (1777-1855). Congruences play a central role in the modern application of cryptography.

Definition Let a, b, n ∈ Z, n > 0. We say that "a is congruent to b modulo n" and we write

a ≡ b (mod n)

if and only if n | a − b.

Furthermore, using the definition of divisibility we can write

a ≡ b (mod n) ⇔ n | a − b
              ⇔ a − b = t·n, t ∈ Z
              ⇔ a = b + t·n.

Finally, when dealing with congruences modulo a fixed number n it becomes clear that we are working not with random numbers but with certain sets of numbers, called congruence classes.

Definition Let a, b, n ∈ Z, n > 0. Any integer is congruent modulo n to one and only one of the set

{0, 1, 2, 3, 4, …, n − 1}

This is called the congruence class (set of least positive remainders) modulo n, i.e.,

Zₙ = {b : a ≡ b (mod n)}

Remark Gauss introduced the concept of a congruence using the symbol ≡ because of the similarity between the algebra of congruences and ordinary algebra.

Theorem 5 Let a, b, c, n ∈ Z with n > 1. Then the following results hold:

i a ≡ a (mod n);
ii if a ≡ b (mod n), then b ≡ a (mod n);
iii if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n).

The relation of congruence modulo n is thus reflexive, symmetric and transitive, and is therefore an equivalence relation on the set Z of integers.

Congruence may be viewed as a generalized form of equality, in the sense that its behaviour with respect to addition and multiplication is similar to that of ordinary equality (=). Some of the basic properties of equality that carry over to congruences appear in the following theorem.

Theorem 6 Let a, b, c, n ∈ Z with n > 1. Then the following results hold:

i If a ≡ b (mod n), then a ± c ≡ b ± c (mod n).
ii If a ≡ b (mod n) and c ≡ d (mod n), then a ± c ≡ b ± d (mod n) and ac ≡ bd (mod n).
iii If a ≡ b (mod n), then aᵏ ≡ bᵏ (mod n) for any positive integer k.

One final theorem at this stage will allow us to divide both sides of a congruence by an integer; however, we do so with care!

Theorem 7 If ac ≡ bc (mod n) and d = gcd(c, n), then

a ≡ b (mod n/d)

Now that we have an algebra of congruences built up we can consider many applications involving congruences. We can begin by considering certain types of calculations.

Example To show that 3³³³ − 147 is divisible by 444 we could proceed as follows:

3 ≡ 3 (mod 444)
3³ ≡ 27 (mod 444)
3⁹ ≡ 27³ ≡ 19,683 ≡ 147 (mod 444)
3²⁷ ≡ 147³ ≡ 3,176,523 ≡ 147 (mod 444)
3⁸¹ ≡ 147³ ≡ 147 (mod 444)
3²⁴³ ≡ 147³ ≡ 147 (mod 444)

Now

3³³³ = 3²⁴³ · 3⁸¹ · 3⁹

Hence

3³³³ ≡ 147 · 147 · 147 (mod 444)
     ≡ 147³ (mod 444)
     ≡ 147 (mod 444)

Finally

3³³³ − 147 ≡ 0 (mod 444)

i.e., 3³³³ − 147 is divisible by 444.

Example To show that 6³²¹ − 6 is divisible by 123 we could proceed as follows:

6 ≡ 6 (mod 123)
6³ ≡ 216 ≡ 93 (mod 123)
6⁶ ≡ 93² ≡ 8,649 ≡ 39 (mod 123)
6¹² ≡ 39² ≡ 1,521 ≡ 45 (mod 123)
6²⁴ ≡ 45² ≡ 2,025 ≡ 57 (mod 123)
6⁴⁸ ≡ 57² ≡ 3,249 ≡ 51 (mod 123)
6⁹⁶ ≡ 51² ≡ 2,601 ≡ 18 (mod 123)

Now

6³²¹ = 6⁹⁶ · 6⁹⁶ · 6⁹⁶ · 6²⁴ · 6⁶ · 6³

Hence

6³²¹ ≡ 18 · 18 · 18 · 57 · 39 · 93 (mod 123)
     ≡ (5,832) · (206,739) (mod 123)
     ≡ (51) · (99) (mod 123)
     ≡ 6 (mod 123)

Finally

6³²¹ − 6 ≡ 0 (mod 123)

i.e., 6³²¹ − 6 is divisible by 123.
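The two examples above reduce after every squaring or multiplication so that the numbers never grow beyond the modulus. The routine below, added here as an example and not code from the notes, does the same systematically (square-and-multiply on the bits of the exponent, justified by Theorem 6 ii and iii) for any base, exponent and modulus, and reproduces the notes' intermediate residues:

```python
"""Square-and-multiply modular exponentiation, the systematic form of the
repeated-squaring arguments used in the notes for 3^333 mod 444 and 6^321 mod 123."""

def mod_pow(base, exponent, modulus):
    """Compute base**exponent mod modulus without ever forming base**exponent.
    The exponent is consumed one bit at a time; at each step the running power
    is squared (Theorem 6 iii) and multiplied into the result when the current
    bit is set (Theorem 6 ii), reducing modulo `modulus` after every product."""
    if modulus < 1 or exponent < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % modulus
    power = base % modulus            # holds base^(2^i) mod modulus for i = 0, 1, 2, ...
    while exponent:
        if exponent & 1:
            result = (result * power) % modulus
        power = (power * power) % modulus
        exponent >>= 1
    return result

def power_chain(base, exponents, modulus):
    """Reproduce the notes' hand computation: the residue of base**e mod modulus
    for each e in `exponents`, e.g. 3, 9, 27, 81, 243 for base 3 modulo 444."""
    return [(e, mod_pow(base, e, modulus)) for e in exponents]

def is_divisible(base, exponent, subtrahend, modulus):
    """True when base**exponent - subtrahend ≡ 0 (mod modulus)."""
    return (mod_pow(base, exponent, modulus) - subtrahend) % modulus == 0

if __name__ == "__main__":
    print(power_chain(3, [1, 3, 9, 27, 81, 243, 333], 444))
    print(power_chain(6, [3, 6, 12, 24, 48, 96, 321], 123))
    print(is_divisible(3, 333, 147, 444), is_divisible(6, 321, 6, 123))
```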

Exercise Find the remainder when 41⁶⁵ is divided by 7.

Exercise Show that the integer 2⁶⁴⁴ − 1 is divisible by 645, i.e.,

2⁶⁴⁴ − 1 ≡ 0 (mod 645)

Exercise Show that the integer 53¹⁰³ + 103⁵³ is divisible by 39, i.e.,

53¹⁰³ + 103⁵³ ≡ 0 (mod 39)

1.6 Linear Congruences

We consider linear congruences and their solution because of the importance they hold in cryptography.

Definition An equation of the form

ax ≡ b (mod n)

is called a linear congruence, and a solution of such an equation is an integer x₀ such that ax₀ ≡ b (mod n).

Note If x₀ is a solution of ax ≡ b (mod n) and if x₁ ≡ x₀ (mod n), then ax₁ ≡ ax₀ ≡ b (mod n), so x₁ is also a solution. Hence, if one member of a congruence class modulo n is a solution, then all members of this class are solutions.

The following theorem will allow us to decide if a linear congruence has a solution and furthermore tell how many congruence classes modulo n provide solutions.

Theorem 8 The linear congruence ax ≡ b (mod n) has a solution if and only if gcd(a, n) | b. If d = gcd(a, n) and d | b, then it has d distinct congruence classes modulo n as solutions.

We can easily solve linear congruences using the algebra of congruences as follows:

4x − 3 ≡ 13 (mod 7)
4x ≡ 16 (mod 7)
∴ x ≡ 4 (mod 7)

where the last step divides both sides by 4, which Theorem 7 permits since gcd(4, 7) = 1. Hence the congruence class of 4 modulo 7 provides the solutions to the linear congruence

4x − 3 ≡ 13 (mod 7)

Alternatively, we could define the inverse of an integer modulo n and use an inverse to solve a linear congruence.

Definition Given any integer a with gcd(a, n) = 1, a solution of

ax ≡ 1 (mod n)

is called an inverse of a modulo n.

Remark Let a⁻¹ be the inverse of a modulo n, i.e., aa⁻¹ ≡ 1 (mod n). To solve

ax ≡ b (mod n)

we multiply both sides by a⁻¹:

a⁻¹ax ≡ a⁻¹b (mod n)
x ≡ a⁻¹b (mod n)
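The following added example (not code from the notes) serves both the Remark in Section 1.3 and this section: it runs the Euclidean Algorithm while tracking each remainder as a combination of a and b, so the Bézout coefficients of Theorem 3 for gcd(12378, 3054) fall out directly, and it uses the same routine to obtain inverses modulo n and to solve any linear congruence ax ≡ b (mod n) according to Theorem 8, returning all d solution classes or none:

```python
"""Extended Euclidean Algorithm (Theorem 3) and linear congruence solver (Theorem 8)."""

def euclid_steps(a, b):
    """The Division Algorithm steps of the Euclidean Algorithm for a >= b > 0,
    as (dividend, quotient, divisor, remainder) tuples, e.g. (12378, 4, 3054, 162)."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps

def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) > 0 and a*x + b*y = g.
    Each remainder is carried as a linear combination of a and b while the
    algorithm runs forward, instead of isolating the remainders by hand
    afterwards as the notes do; the coefficients come out the same."""
    old_r, r = a, b
    old_x, x = 1, 0          # coefficients of a in old_r and r
    old_y, y = 0, 1          # coefficients of b in old_r and r
    while r != 0:
        q = old_r // r       # Division Algorithm: old_r = q*r + (old_r - q*r)
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:            # normalise the sign for negative inputs
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y

def mod_inverse(a, n):
    """The inverse of a modulo n as a least positive residue, or None when
    gcd(a, n) != 1 (no inverse exists, see the Definition above)."""
    g, x, _ = extended_gcd(a, n)
    return x % n if g == 1 else None

def solve_linear_congruence(a, b, n):
    """All solutions of a*x ≡ b (mod n) as least positive residues modulo n.
    By Theorem 8 there are none unless d = gcd(a, n) divides b; otherwise there
    are exactly d congruence classes, spaced n/d apart."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    d, x, _ = extended_gcd(a, n)
    if b % d != 0:
        return []
    # (a/d)*x ≡ 1 (mod n/d), so x*(b/d) solves (a/d) x ≡ b/d (mod n/d).
    x0 = (x * (b // d)) % (n // d)
    return [x0 + k * (n // d) for k in range(d)]

if __name__ == "__main__":
    for dividend, q, divisor, r in euclid_steps(12378, 3054):
        print(f"{dividend} = {q}({divisor}) + {r}")
    print(extended_gcd(12378, 3054))           # (6, 132, -535)
    print(solve_linear_congruence(4, 16, 7))   # 4x ≡ 16 (mod 7)
```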

Exercise Solve each of the following linear congruences. If a solution does not exist, explain why not.

i 4x − 11 ≡ 7 (mod 3)
ii 9x + 21 ≡ 41 (mod 7)
iii 7x − 13 ≡ 9 (mod 4)
iv 3x − 7 ≡ 4 (mod 3)

Furthermore, solve each of the above again using the appropriate inverse.

1.7 Systems of Linear Congruences

We now consider systems of linear congruences and their solution. The systems of congruences considered will have the same number of unknowns as equations and a single common modulus. In the study of cryptographic systems we will need to become efficient in solving such systems. In fact systems of n linear congruences in n unknowns will arise in certain cryptographic studies. We will have to recall some of the elementary properties of matrices, with special attention to the procedure of finding the inverse of a square matrix.

We begin with the following definition:

Definition Let A and B be m × p matrices with entries aᵢⱼ and bᵢⱼ respectively. We say A is congruent to B modulo n if

aᵢⱼ ≡ bᵢⱼ (mod n)

for all pairs (i, j) with 1 ≤ i ≤ m and 1 ≤ j ≤ p. We write

A ≡ B (mod n)

if A is congruent to B modulo n.

Theorem 9 If A and B are m × p matrices with

A ≡ B (mod n)

and C is a p × q matrix and D is a q × m matrix, all with integer entries, then

AC ≡ BC (mod n)
DA ≡ DB (mod n)

In general the following system of linear congruences

$a_{11}x_1 + a_{12}x_2 + \cdots + a_{1n}x_n \equiv b_1 \pmod{n}$
$a_{21}x_1 + a_{22}x_2 + \cdots + a_{2n}x_n \equiv b_2 \pmod{n}$
$\vdots$
$a_{m1}x_1 + a_{m2}x_2 + \cdots + a_{mn}x_n \equiv b_m \pmod{n}$

may be represented in matrix form as

Ax ≡ B (mod n)

where

$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{m1} & a_{m2} & \cdots & a_{mn} \end{pmatrix}, \quad x = \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}, \quad B = \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix}$

Remark We now develop a method for solving a system of linear congruences that is represented in matrix form. We already have an intuitive idea of how this is done. The method is based on finding the inverse of the matrix A. We have already defined the inverse of an integer a modulo n; we now define the inverse of the matrix A modulo n.

Definition If A and A⁻¹ are m × m matrices (i.e., square matrices) and if

AA⁻¹ ≡ A⁻¹A ≡ I (mod n)

where I is the identity matrix, then A⁻¹ is said to be the inverse of A modulo n.

Theorem 10 Let

$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \pmod{n}$

with Δ = ad − bc. If gcd(Δ, n) = 1, then

$A^{-1} = \Delta^{-1} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \pmod{n}$

where Δ⁻¹ is the inverse of Δ modulo n, i.e. Δ·Δ⁻¹ ≡ 1 (mod n).

Note To verify that the matrix A⁻¹ is an inverse of A modulo n, we need only verify that

AA⁻¹ ≡ A⁻¹A ≡ I (mod n)

where I is the identity matrix. Now that we can find the inverse A⁻¹ we can solve the linear system

Ax ≡ B (mod n)

by using Theorem 10 as follows:

A⁻¹Ax ≡ A⁻¹B (mod n)
⇒ Ix ≡ A⁻¹B (mod n)
∴ x ≡ A⁻¹B (mod n)
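An added example, not the notes' own code, of Theorem 10 for a 2 × 2 matrix: it computes A⁻¹, performs the AA⁻¹ ≡ A⁻¹A ≡ I check from the Note, and solves a constructed system modulo 26 as x ≡ A⁻¹B. It assumes Python 3.8 or later, whose built-in pow(Δ, −1, n) returns Δ⁻¹ modulo n and raises ValueError when gcd(Δ, n) ≠ 1:

```python
"""Inverse of a 2x2 matrix modulo n (Theorem 10) and solution of Ax ≡ B (mod n)."""

def det2(A):
    """Δ = ad − bc for A = [[a, b], [c, d]]."""
    (a, b), (c, d) = A
    return a * d - b * c

def inverse_mod_2x2(A, n):
    """Theorem 10: if gcd(Δ, n) = 1 then A^{-1} ≡ Δ^{-1} [[d, -b], [-c, a]] (mod n).
    Returns None when Δ has no inverse modulo n, i.e. when A is not invertible."""
    (a, b), (c, d) = A
    try:
        delta_inv = pow(det2(A) % n, -1, n)   # Python 3.8+: modular inverse via pow
    except ValueError:
        return None
    return [[(delta_inv * d) % n, (delta_inv * -b) % n],
            [(delta_inv * -c) % n, (delta_inv * a) % n]]

def mat_mul_mod(X, Y, n):
    """Product of two integer matrices with every entry reduced modulo n
    (Theorem 9 guarantees that reducing as we go gives the same residues)."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % n
             for j in range(len(Y[0]))] for i in range(len(X))]

def is_inverse(A, A_inv, n):
    """The check from the Note: A A^{-1} ≡ A^{-1} A ≡ I (mod n)."""
    identity = [[1, 0], [0, 1]]
    return (mat_mul_mod(A, A_inv, n) == identity
            and mat_mul_mod(A_inv, A, n) == identity)

def solve_system_mod(A, B, n):
    """Solve A x ≡ B (mod n) for a 2x2 matrix A by x ≡ A^{-1} B (mod n).
    B is a pair (b1, b2); returns (x1, x2), or None if A has no inverse modulo n."""
    A_inv = inverse_mod_2x2(A, n)
    if A_inv is None:
        return None
    column = mat_mul_mod(A_inv, [[B[0]], [B[1]]], n)
    return column[0][0], column[1][0]

if __name__ == "__main__":
    # Constructed example: 3x + 3y ≡ 5, 2x + 5y ≡ 7 (mod 26); Δ = 9 and gcd(9, 26) = 1.
    A = [[3, 3], [2, 5]]
    print(inverse_mod_2x2(A, 26), solve_system_mod(A, (5, 7), 26))
    # Δ = 2 shares a factor with 26, so no inverse exists.
    print(inverse_mod_2x2([[2, 1], [0, 1]], 26))
```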

Exercise Using matrices, solve the following system of linear congruences

3x + 4y ≡ 5 (mod 13)
2x + 5y ≡ 7 (mod 13)

1.8 Basic Cryptography

With the increasing quantity of digital information being stored and communicated via telephone lines, microwaves or satellites, organizations in both the public and commercial sectors need to protect this information when it is being transmitted. Cryptography is the science of making communications unintelligible to all except authorized parties. In the language of cryptography, where codes are called ciphers, the information to be concealed is called plaintext. After transformation to a secret form, a message is called ciphertext. The process of converting from plaintext to ciphertext is called encryption, while the reverse process of changing from ciphertext back to plaintext is called decryption. Let

A = {A, B, C, D, …}

The encryption function f is given as

f : A → A : f(a₁a₂…aₙ) = f(a₁)f(a₂)…f(aₙ)

The encryption function f is a 1-1 function of A onto itself.

To encrypt a word we encrypt one letter at a time, where

A = 0, B = 1, C = 2, D = 3, E = 4, …, Y = 24, Z = 25

1.8.1 Caesar Ciphers

[Figure 2: Roman Emperor Julius Caesar (100-44 BC)]

One of the earliest examples of basic cryptography was used by the Roman Emperor Julius Caesar around 50 BC. It is known as the Caesar cipher. To produce ciphertext a Caesar cipher simply shifts the alphabet a fixed number of positions. The plaintext is recovered by shifting the alphabet back this same number of positions. In general the Caesar cipher may be described as

C ≡ (P + k) (mod 26)

If we have ciphertext which was encrypted using a Caesar cipher, how do we decode it? We could proceed as follows:

C ≡ (P + k) (mod 26)
⇒ P + k ≡ C (mod 26)
∴ P ≡ (C − k) (mod 26)

Exercise If a Caesar cipher produces

V GUV AX V XABJ GURFR JBBQF

what is the plaintext message?

Exercise If a Caesar cipher produces

PBZOBQ FKCLOJXQFLK

what is the plaintext message?

Page 21: NUMBER THEORY FOR CRYPTOGRAPHY 1 Elementary Number Theoryglasnost.itcarlow.ie/~bennettj/Notes/Chapter5(NumberTheory).pdf · 3 CHAPTER 6. NUMBER THEORY FOR CRYPTOGRAPHY 3 computer

21 CHAPTER 6. NUMBER THEORY FOR CRYPTOGRAPHY 21

1.8.2 Linear Ciphers

More generally, we consider a transformation of the type

C ≡ (aP + b)(mod 26)

where a and b are integers with gcd(a, 26) = 1. If we have ciphertext which was encrypted using

this transformation, how do we decode it?

C ≡ (aP + b)(mod 26)

⇒ aP + b ≡ C(mod 26)

∴ aP ≡ (C − b)(mod 26)

Now multiplying both sides by a−1, the inverse of a modulo 26, which exists since gcd(a, 26) = 1,

we get the following

P ≡ a−1(C − b)(mod 26)

Exercise Encipher the message THE RIGHT CHOICE using the linear cipher

C ≡ (15P + 14)(mod 26)

Exercise Decipher the message YLFQX PCRIT which was enciphered using the linear cipher

C ≡ (21P + 5)(mod 26)

Exercise Decipher the message TYNTOOTUM VXGL which was enciphered using the linear cipher

C ≡ (3P + 7)(mod 26)

Remark We can perform some cryptanalysis of a linear cipher based on a technique called the frequency of letters. Assuming that a ciphertext was produced using a linear cipher of the form

C ≡ (aP + b) (mod 26)

we use the frequency of letters method to determine the values of a and b. This is done by noting that the letter E occurs most frequently in standard English text, followed by the letter T; this is a well-established fact. To perform cryptanalysis based on this method we must determine, from a suitably long ciphertext message, the most frequently occurring letter in the ciphertext followed by the next most frequently occurring letter. From this information we can determine a and b and as a consequence recover the plaintext.

Example Say, for example, the following message has been intercepted during transmission:

USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK

QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU

FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU.

Assuming that this ciphertext was produced using a linear cipher of the form

C ≡ (aP + b) (mod 26)

we use the frequency of letters method to determine the values of a and b. Again, this will be done by noting that the letter E occurs most frequently in standard English text and this is followed by the letter T. On inspecting the ciphertext above the most frequently occurring letter is L followed by the letter U. We now have the following correspondence:

E(4) ←→ L(11)

T (19) ←→ U(20)

Now if

C ≡ (aP + b)(mod 26)

∴ aP + b ≡ C(mod 26)

hence we have the following pair of linear congruences

4a+ b ≡ 11(mod 26)

19a+ b ≡ 20(mod 26)

Solving yields

a ≡ 11(mod 26)

b ≡ 19(mod 26)


Letting a = 11 and b = 19 the cipher that produced the ciphertext is

C ≡ (11P + 19)(mod 26)

∴ (11P + 19) ≡ C(mod 26)

11P ≡ (C − 19)(mod 26)

Now multiplying both sides by 19, the inverse of 11 modulo 26, i.e. 11(19) ≡ 1(mod 26) we get

P ≡ 19(C − 19)(mod 26)

This congruence should recover the actual message. The intercepted message reads

THE BEST APPROACH TO LEARNING NUMBER THEORY IS TO ATTEMPT TO

SOLVE EVERY HOMEWORK PROBLEM. BY WORKING ON THESE EXERCISES A

STUDENT CAN MASTER THE IDEAS OF THE SUBJECT.

This technique will work successfully if we ensure that the intercepted message is long enough to allow the most frequently occurring letters to be found correctly.
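The frequency of letters method above, carried out in code as an added example (not part of the notes) on the intercepted message from the example: count the ciphertext letters, pair the top two with E and T, and solve the pair of congruences 4a + b ≡ 11 and 19a + b ≡ 20 (mod 26). The solver also handles the failure mode the derivation glosses over: if the difference of the two plaintext values is not invertible modulo 26 there is no unique key, so it returns None instead of a wrong answer.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = 26

# The intercepted ciphertext from the worked example in the notes.
INTERCEPTED = ("USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK "
               "QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU "
               "FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU.")


def letter_frequencies(text):
    """(letter, count) pairs, most frequent first; non-letters are ignored."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET).most_common()


def recover_affine_key(p1, c1, p2, c2):
    """Solve a*p1 + b = c1 and a*p2 + b = c2 (mod 26) for (a, b).

    Subtracting gives a*(p1 - p2) = c1 - c2 (mod 26). That pins a down only when
    p1 - p2 is invertible modulo 26; otherwise (or if the resulting a is not coprime
    to 26, so no valid linear cipher fits) return None rather than a wrong key."""
    d = (p1 - p2) % M
    if gcd(d, M) != 1:
        return None
    a = ((c1 - c2) * pow(d, -1, M)) % M
    b = (c1 - a * p1) % M
    return (a, b) if gcd(a, M) == 1 else None


def break_by_frequency(ciphertext, expected=("E", "T")):
    """Pair the two most frequent ciphertext letters with E and T and solve for the key."""
    top = [ch for ch, _ in letter_frequencies(ciphertext)[:2]]
    return recover_affine_key(ALPHABET.index(expected[0]), ALPHABET.index(top[0]),
                              ALPHABET.index(expected[1]), ALPHABET.index(top[1]))


def affine_decrypt(ciphertext, a, b):
    """P = a^{-1}(C - b) mod 26, as derived in the notes."""
    a_inv = pow(a, -1, M)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M]
                   for ch in ciphertext.upper() if ch in ALPHABET)
```

On the intercepted message the counts are L = 22 and U = 16, which yields the key (11, 19) found in the notes; a message too short for E and T to dominate would give a wrong key or None, which is the caveat stated above.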

Exercise A linear cipher is defined by the congruence

C ≡ (aP + b) (mod 26)

where a and b are integers with gcd(a, 26) = 1. A message segment CPUWMPR RWGMI was enciphered using a linear cipher. It is part of a much longer message which has M as its most frequently occurring letter followed by R. Decipher the above message segment using the frequency of letters method, where the most frequently occurring letters in typical English text are E followed by T.

1.8.3 Block Ciphers

In order to improve the security of our cryptosystem we introduce a block cipher. Although it suffers from the same disadvantage as a linear cipher, in that the secret key must be transmitted in order to complete the process of decryption, it nonetheless represents an improvement from the point of view of resistance to attack. As block ciphers involve the use of matrices, we make the following definitions:

Definition Let A and B be m × p matrices with entries aᵢⱼ and bᵢⱼ respectively. We say A is congruent to B modulo n if

aᵢⱼ ≡ bᵢⱼ (mod n)

for all pairs (i, j) with 1 ≤ i ≤ m and 1 ≤ j ≤ p. We write

A ≡ B (mod n)

if A is congruent to B modulo n.

Theorem 11 If A and B are m × p matrices with

A ≡ B (mod n)

and C is a p × q matrix and D is a q × m matrix, all with integer entries, then

AC ≡ BC(mod n)

DA ≡ DB(mod n)

Definition If A and A⁻¹ are m × m matrices (i.e., square matrices) and if

AA⁻¹ ≡ A⁻¹A ≡ I (mod n)

where I is the identity matrix, then A⁻¹ is said to be the inverse of A modulo n.

Theorem 12 Let

$$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \pmod{n}$$

with Δ = ad − bc. If gcd(Δ, n) = 1, then

$$A^{-1} = \Delta^{-1} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix} \pmod{n}$$

where Δ⁻¹ is the inverse of Δ modulo n, i.e. Δ·Δ⁻¹ ≡ 1 (mod n).


Note To verify that the matrix A⁻¹ is an inverse of A modulo n, we need only verify that

AA⁻¹ ≡ A⁻¹A ≡ I (mod n)

where I is the identity matrix.

Exercise Determine the inverse of each of the following matrices

$$A = \begin{pmatrix} 7 & 2 \\ 4 & 9 \end{pmatrix} \pmod{7}$$

$$A = \begin{pmatrix} 2 & -1 \\ 3 & 3 \end{pmatrix} \pmod{11}$$

In general a Hill or block cipher system may be obtained by splitting the plaintext into blocks of n letters, translating the letters into their numerical equivalents, and forming ciphertext using the relationship

C ≡ AP (mod 26)

where A is an n × n encryption matrix with gcd(Δ, 26) = 1, Δ being the determinant of A. Also

$$C = \begin{pmatrix} C_1 \\ C_2 \\ \vdots \\ C_n \end{pmatrix} \quad \text{and} \quad P = \begin{pmatrix} P_1 \\ P_2 \\ \vdots \\ P_n \end{pmatrix}$$

where C₁, C₂, ..., Cₙ is the ciphertext block that corresponds to the plaintext block P₁, P₂, ..., Pₙ.

If we have ciphertext which was encrypted using this transformation, how do we decode it? Now

C ≡ AP (mod 26)

AP ≡ C (mod 26)

Multiplying both sides by A⁻¹, the inverse of the matrix A modulo 26, which exists since gcd(Δ, 26) = 1, we get the following

A⁻¹AP ≡ A⁻¹C (mod 26)

P ≡ A⁻¹C (mod 26)

In summary: Plaintext (P) is mapped to Ciphertext (C) by C ≡ AP (mod 26), and Ciphertext (C) is mapped back to Plaintext (P) by P ≡ A⁻¹C (mod 26), where A is an n × n matrix with gcd(Δ, 26) = 1.

Note The simplest example of a block cipher involves dividing the message into blocks of two. We need a 2 × 2 encryption matrix A with gcd(Δ, 26) = 1. For each block of two let the numerical equivalents be P₁, P₂ respectively. Then using the congruence C ≡ AP (mod 26) we can convert each block of two to its ciphertext equivalent, i.e.,

$$\begin{pmatrix} P_1 \\ P_2 \end{pmatrix} \longrightarrow \begin{pmatrix} C_1 \\ C_2 \end{pmatrix}$$

Example The message

WJ VY UA TG GA

was enciphered using the encryption matrix

$$A = \begin{pmatrix} 4 & 11 \\ 3 & 8 \end{pmatrix} \pmod{26}$$

with C ≡ AP (mod 26). To decipher the message note that

P ≡ A⁻¹C (mod 26)

We require A⁻¹, the inverse of A modulo 26. Now

$$A^{-1} = \Delta^{-1} \begin{pmatrix} 8 & -11 \\ -3 & 4 \end{pmatrix} \pmod{26}$$

where Δ⁻¹ is the inverse of Δ modulo 26. Now Δ = −1, hence Δ⁻¹ = −1 since (−1)·(−1) ≡ 1 (mod 26). Now

$$A^{-1} = -1 \begin{pmatrix} 8 & -11 \\ -3 & 4 \end{pmatrix} = \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \pmod{26}$$

Finally, to decipher the message we proceed as follows:

$$\text{WJ} \longrightarrow P \equiv \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \begin{pmatrix} 22 \\ 9 \end{pmatrix} \equiv \begin{pmatrix} -77 \\ 30 \end{pmatrix} \pmod{26} \equiv \begin{pmatrix} 1 \\ 4 \end{pmatrix} \longrightarrow \text{BE}$$

$$\text{VY} \longrightarrow P \equiv \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \begin{pmatrix} 21 \\ 24 \end{pmatrix} \equiv \begin{pmatrix} 96 \\ -33 \end{pmatrix} \pmod{26} \equiv \begin{pmatrix} 18 \\ 19 \end{pmatrix} \longrightarrow \text{ST}$$

$$\text{UA} \longrightarrow P \equiv \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \begin{pmatrix} 20 \\ 0 \end{pmatrix} \equiv \begin{pmatrix} -160 \\ 60 \end{pmatrix} \pmod{26} \equiv \begin{pmatrix} 22 \\ 8 \end{pmatrix} \longrightarrow \text{WI}$$

$$\text{TG} \longrightarrow P \equiv \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \begin{pmatrix} 19 \\ 6 \end{pmatrix} \equiv \begin{pmatrix} -86 \\ 33 \end{pmatrix} \pmod{26} \equiv \begin{pmatrix} 18 \\ 7 \end{pmatrix} \longrightarrow \text{SH}$$

$$\text{GA} \longrightarrow P \equiv \begin{pmatrix} -8 & 11 \\ 3 & -4 \end{pmatrix} \begin{pmatrix} 6 \\ 0 \end{pmatrix} \equiv \begin{pmatrix} -48 \\ 18 \end{pmatrix} \pmod{26} \equiv \begin{pmatrix} 4 \\ 18 \end{pmatrix} \longrightarrow \text{ES}$$

BEST WISHES
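The 2 × 2 Hill cipher of this section in working form, as an added example that is not part of the notes: `inverse_2x2_mod` is the formula of Theorem 12 and rejects any key with gcd(Δ, 26) ≠ 1, and `hill_decrypt` reproduces the BEST WISHES computation above. One assumption not in the notes: a plaintext of odd length is padded with the letter X to complete the last block.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # A = 0, ..., Z = 25
M = 26


def inverse_2x2_mod(A, n=M):
    """Inverse of a 2x2 integer matrix modulo n, by the formula of Theorem 12:
    A^{-1} = Delta^{-1} [[d, -b], [-c, a]] (mod n), with Delta = ad - bc.
    It exists exactly when gcd(Delta, n) = 1."""
    (a, b), (c, d) = A
    delta = (a * d - b * c) % n
    if gcd(delta, n) != 1:
        raise ValueError(f"Delta = {a * d - b * c} is not invertible mod {n}")
    dinv = pow(delta, -1, n)   # Delta^{-1} modulo n
    return [[(dinv * d) % n, (dinv * -b) % n],
            [(dinv * -c) % n, (dinv * a) % n]]


def mat_vec_mod(A, v, n=M):
    """A v (mod n) for a 2x2 matrix A and a column vector v of length 2."""
    return [(A[0][0] * v[0] + A[0][1] * v[1]) % n,
            (A[1][0] * v[0] + A[1][1] * v[1]) % n]


def _blocks(text):
    """Numerical equivalents of the letters of `text`, grouped in pairs.
    Assumption (not in the notes): an odd-length message is padded with X."""
    nums = [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]
    if len(nums) % 2:
        nums.append(ALPHABET.index("X"))
    return [nums[i:i + 2] for i in range(0, len(nums), 2)]


def hill_encrypt(plaintext, A):
    """C = A P (mod 26) on each block of two letters."""
    inverse_2x2_mod(A)   # reject keys with gcd(Delta, 26) != 1: they could not be decrypted
    return "".join(ALPHABET[c[0]] + ALPHABET[c[1]]
                   for c in (mat_vec_mod(A, p) for p in _blocks(plaintext)))


def hill_decrypt(ciphertext, A):
    """P = A^{-1} C (mod 26) on each block of two letters."""
    A_inv = inverse_2x2_mod(A)
    return "".join(ALPHABET[p[0]] + ALPHABET[p[1]]
                   for p in (mat_vec_mod(A_inv, c) for c in _blocks(ciphertext)))
```

For the matrix of the example, `inverse_2x2_mod` returns [[18, 11], [3, 22]], which is the matrix (−8 11; 3 −4) above reduced modulo 26.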

1.9 Some Examples

Exercise Using the encryption matrix

$$A = \begin{pmatrix} 3 & 10 \\ 9 & 7 \end{pmatrix}$$

encrypt the message

BEWARE THE MESSANGER

by dividing the message into blocks of two and using the congruence C ≡ AP (mod 26).


Exercise Decipher the message

GZ SC XN VC DJ ZX EO VC IR DV IQ

which was enciphered using the encryption matrix

$$A = \begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix}$$

and the congruence C ≡ AP (mod 26).

Exercise Decipher the message

QU FU OS FC RK

which was enciphered using the encryption matrix

$$A = \begin{pmatrix} 3 & 3 \\ 3 & 4 \end{pmatrix}$$

and the congruence C ≡ AP (mod 26).

Exercise Decipher the message

HL TP JI LM GZ LF UQ HK

which was enciphered using the encryption matrix

$$A = \begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix} \pmod{26}$$

and the congruence C ≡ AP (mod 26).


Contents

1 Elementary Number Theory (page 1)

1.1 Introduction (page 1)

1.2 Greatest Common Divisor (page 3)

1.3 The Euclidean Algorithm (page 4)

1.4 Primes (page 7)

1.5 Congruences (page 12)

1.6 Linear Congruences (page 15)

1.7 Systems of Linear Congruences (page 17)

1.8 Basic Cryptography (page 19)

1.8.1 Caesar Ciphers (page 20)

1.8.2 Linear Ciphers (page 21)

1.8.3 Block Ciphers (page 23)

1.9 Some Examples (page 27)