DRAFT: The CrypTool Script:

Cryptography, Mathematics and more

Background reading
for the free eLearning program CrypTool (version 1.4.00)
(c) Bernhard Esslinger (co-author and editor), 1998-2006
Frankfurt am Main, Germany
April 11, 2006
This is a free document, so the content of the document can be copied and distributed, also for
commercial purposes as long as the author, title and the CrypTool web site (www.cryptool.org)
are acknowledged.
Naturally, citations from the CrypTool script are possible, as in all other documents. This licence
is abutted on the GNU Free Documentation Licence.
1
Overview about the Content of the CrypTool Script
In this CrypTool script you will nd predominantly mathematically oriented information on
using cryptographic procedures. The main chapters have been written by various authors (see
appendix A.2) and are therefore independent from one another. At the end of most chapters you
will nd literature and web links.
The rst chapter explains the principles of symmetric and asymmetric encryption and de-
scribes shortly the current decryption records of modern symmetric algorithms.
Because of didactical reasons the second chapter gives an exhaustive overview about paper
and pencil encryption methods.
Big parts of this script are dedicated to the fascinating topic of prime numbers (chap. 3).
Using numerous examples, modular arithmetic and elementary number theory (chap. 4)
are introduced and applied in an exemplary manner for the RSA procedure.
By reading chapter 5 youll gain an insight into the mathematical ideas and concepts behind
modern cryptography.
Chapter 6 gives an overview about the status of attacks against modern hash algorithms
and is then shortly devoted to digital signatures, which are an essential component of e-business
applications.
The last chapter describes elliptic curves: they could be used as an alternative to RSA and
in addition are extremely well suited for implementation on smartcards.
Whereas the eLearning program CrypTool motivates and teaches you how to use cryptography
in practice, the script provides those interested in the subject with a deeper understanding of
the mathematical algorithms used trying to do it in an instructive way. If you are alrady a
little bit familiar with this eld of knowledge you can gain a fast overview about the functions
delivered by CrypTool using the menu tree (see appendix A.1).
The authors would like to take this opportunity to thank their colleagues in the company and
at the universities of Frankfurt, Gieen, Siegen, Karlsruhe and Darmstadt.
As with the eLearning program CrypTool, the quality of the script is enhanced by your
suggestions and ideas for improvement. We look forward to your feedback.
You will nd the current version of CrypTool at the web sites
http://www.cryptool.org, http://www.cryptool.com or http://www.cryptool.de.
The contact people for this free open-source program are listed at the web site and in the readme
le delivered within the CrypTool package.
2
Contents
Overview 2
Contents 8
Preface to the 7th Edition of the CrypTool Script 9
Introduction How do the Script and the Program Play together? 10
1 Encryption Procedures 11
1.1 Symmetric encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.1.1 New results about cryptanalysis of AES . . . . . . . . . . . . . . . . . . . . 12
1.1.2 Current status of brute-force attacks on symmetric algorithms (RC5) . . . . 14
1.2 Asymmetric encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3 Hybrid procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4 Further details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Web links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2 Paper and Pencil Encryption Methods 19
2.1 Transposition ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.1 Introductionary samples of dierent transposition ciphers . . . . . . . . . . 19
2.1.2 Column and row transposition ciphers . . . . . . . . . . . . . . . . . . . . . 21
2.1.3 Further transposition algorithm ciphers . . . . . . . . . . . . . . . . . . . . 22
2.2 Substitution ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.1 Monoalphabetic substitution ciphers . . . . . . . . . . . . . . . . . . . . . . 24
2.2.2 Homophonic substitution ciphers . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2.3 Polygraphic substitution ciphers . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2.4 Polyalphabetic substitution ciphers . . . . . . . . . . . . . . . . . . . . . . . 31
2.3 Combining substitution and transposition . . . . . . . . . . . . . . . . . . . . . . . 33
2.4 Further methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3 Prime Numbers 42
3.1 What are prime numbers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3
3.2 Prime numbers in mathematics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3 How many prime numbers are there? . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.4 The search for extremely large primes . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.1 The 10 largest known primes (as of March 2006) . . . . . . . . . . . . . . . 46
3.4.2 Special number types Mersenne numbers and Mersenne primes . . . . . . 46
3.4.3 Challenge of the Electronic Frontier Foundation (EFF) . . . . . . . . . . . . 50
3.5 Prime number tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.6 Overview special number types and the search for a formula for primes . . . . . . . 53
3.6.1 Mersenne numbers f(n) = 2
n
1 for n prime . . . . . . . . . . . . . . . . 53
3.6.2 Generalized Mersenne numbers f(k, n) = k 2
n
1 . . . . . . . . . . . . . . 53
3.6.3 Generalized Mersenne numbers f(b, n) = b
n
1 / Cunningham project . . . 53
3.6.4 Fermat numbers f(n) = 2
2
n
+ 1 . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.6.5 Generalized Fermat numbers f(b, n) = b
2
n
+ 1 . . . . . . . . . . . . . . . . . 55
3.6.6 Carmichael numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.6.7 Pseudo prime numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.6.8 Strong pseudo prime numbers . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.6.9 Idea based on Euclids proof p
1
p
2
p
n
+ 1 . . . . . . . . . . . . . . . . . 55
3.6.10 As above but 1 except +1: p
1
p
2
p
n
1 . . . . . . . . . . . . . . . . . 56
3.6.11 Euclidean numbers e
n
= e
0
e
1
e
n1
+ 1 . . . . . . . . . . . . . . . . . . 56
3.6.12 f(n) = n
2
+n + 41 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.6.13 f(n) = n
2
79 n + 1, 601 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.6.14 Polynomial functions f(x) = a
n
x
n
+a
n1
x
n1
+ +a
1
x
1
+a
0
. . . . . . 58
3.6.15 Catalans conjecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.7 Density and distribution of the primes . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.8 Notes about primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.8.1 Proven statements / theorems about primes . . . . . . . . . . . . . . . . . . 62
3.8.2 Unproven statements / conjectures about primes . . . . . . . . . . . . . . . 64
3.8.3 Open questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.8.4 Quaint and interesting things around primes . . . . . . . . . . . . . . . . . 66
3.8.5 Number of prime numbers in various intervals . . . . . . . . . . . . . . . . . 68
3.8.6 Indexing prime numbers (n-th prime number) . . . . . . . . . . . . . . . . . 69
3.8.7 Orders of magnitude / dimensions in reality . . . . . . . . . . . . . . . . . . 70
3.8.8 Special values of the binary and decimal system . . . . . . . . . . . . . . . . 71
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4
Web links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4 Introduction to Elementary Number Theory with Examples 76
4.1 Mathematics and cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.2 Introduction to number theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.1 Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.3 Prime numbers and the rst fundamental theorem of elementary number theory . 80
4.4 Divisibility, modulus and remainder classes . . . . . . . . . . . . . . . . . . . . . . 82
4.4.1 The modulo operation working with congruence . . . . . . . . . . . . . . 82
4.5 Calculations with nite sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.5.1 Laws of modular calculations . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.5.2 Patterns and structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.6 Examples of modular calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.6.1 Addition and multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.6.2 Additive and multiplicative inverses . . . . . . . . . . . . . . . . . . . . . . 87
4.6.3 Raising to the power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.6.4 Fast calculation of high powers . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.6.5 Roots and logarithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.7 Groups and modular arithmetic in Z
n
and Z

n
. . . . . . . . . . . . . . . . . . . . . 93
4.7.1 Addition in a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.7.2 Multiplication in a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.8 Euler function, Fermats little theorem and Euler-Fermat . . . . . . . . . . . . . . 96
4.8.1 Patterns and structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.8.2 The Euler function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.8.3 The theorem of Euler-Fermat . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.8.4 Calculation of the multiplicative inverse . . . . . . . . . . . . . . . . . . . . 98
4.8.5 Fixpoints modulo 26 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.9 Multiplicative order and primitive roots . . . . . . . . . . . . . . . . . . . . . . . . 100
4.10 Proof of the RSA procedure with Euler-Fermat . . . . . . . . . . . . . . . . . . . . 103
4.10.1 Basic idea of public key cryptography . . . . . . . . . . . . . . . . . . . . . 103
4.10.2 How the RSA procedure works . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.10.3 Proof of requirement 1 (invertibility) . . . . . . . . . . . . . . . . . . . . . . 105
4.11 Considerations regarding the security of the RSA algorithm . . . . . . . . . . . . . 107
5
4.11.1 Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.11.2 Security parameters because of new algorithms . . . . . . . . . . . . . . . . 108
4.11.3 Forecasts about factorization of large integers . . . . . . . . . . . . . . . . . 109
4.11.4 Status regarding factorisation of concrete large numbers . . . . . . . . . . . 111
4.11.5 Further current research about primes and factorisation . . . . . . . . . . . 115
4.12 Applications of asymmetric cryptography using numerical examples . . . . . . . . 119
4.12.1 One way functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.12.2 The Die-Hellman key exchange protocol . . . . . . . . . . . . . . . . . . . 120
4.13 The RSA procedure with actual numbers . . . . . . . . . . . . . . . . . . . . . . . 122
4.13.1 RSA with small prime numbers and with a number as message . . . . . . . 123
4.13.2 RSA with slightly larger primes and an upper-case message . . . . . . . . . 124
4.13.3 RSA with even larger primes and a text made up of ASCII characters . . . 125
4.13.4 A small RSA cipher challenge (1) . . . . . . . . . . . . . . . . . . . . . . . . 127
4.13.5 A small RSA cipher challenge (2) . . . . . . . . . . . . . . . . . . . . . . . . 129
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Web links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Appendix A: gcd of whole numbers and the two algorithms of Euclid . . . . . . . . . . . 136
Appendix B: Forming closed sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Appendix C: Comments on modulo subtraction . . . . . . . . . . . . . . . . . . . . . . . 138
Appendix D: Base representation and base transformation of numbers, estimation of
length of digits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Appendix E: Examples using Mathematica and Pari-GP . . . . . . . . . . . . . . . . . . 141
Appendix F: List of the formulated denitions and theorems . . . . . . . . . . . . . . . 145
5 The Mathematical Ideas behind Modern Cryptography 146
5.1 One way functions with trapdoor and complexity classes . . . . . . . . . . . . . . . 146
5.2 Knapsack problem as a basis for public key procedures . . . . . . . . . . . . . . . . 148
5.2.1 Knapsack problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
5.2.2 Merkle-Hellman knapsack encryption . . . . . . . . . . . . . . . . . . . . . . 149
5.3 Decomposition into prime factors as a basis for public key procedures . . . . . . . 151
5.3.1 The RSA procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
5.3.2 Rabin public key procedure (1979) . . . . . . . . . . . . . . . . . . . . . . . 152
5.4 The discrete logarithm as a basis for public key procedures . . . . . . . . . . . . . 153
6
5.4.1 The discrete logarithm in Z
p
. . . . . . . . . . . . . . . . . . . . . . . . . . 153
5.4.2 Die-Hellman key agreement . . . . . . . . . . . . . . . . . . . . . . . . . . 154
5.4.3 ElGamal public key encryption procedure in Z

p
. . . . . . . . . . . . . . . . 154
5.4.4 Generalised ElGamal public key encryption procedure . . . . . . . . . . . . 155
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Web links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6 Hash Functions and Digital Signatures 159
6.1 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
6.1.1 Requirements for hash functions . . . . . . . . . . . . . . . . . . . . . . . . 160
6.1.2 Current attacks against hash functions like SHA-1 . . . . . . . . . . . . . . 161
6.1.3 Signing with hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
6.2 RSA signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
6.3 DSA signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
6.4 Public key certication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
6.4.1 Impersonation attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
6.4.2 X.509 certicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
7 Elliptic Curves 167
7.1 Elliptic curve cryptography a high-performance substitute for RSA? . . . . . . . 167
7.2 Elliptic curves history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
7.3 Elliptic curves mathematical basics . . . . . . . . . . . . . . . . . . . . . . . . . . 170
7.3.1 Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
7.3.2 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
7.4 Elliptic curves in cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.5 Operating on the elliptic curve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
7.6 Security of elliptic-curve-cryptography: The ECDLP . . . . . . . . . . . . . . . . . 178
7.7 Encryption and signing with elliptic curves . . . . . . . . . . . . . . . . . . . . . . 179
7.7.1 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.7.2 Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
7.7.3 Signature verication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
7.8 Factorisation using elliptic curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
7.9 Implementing elliptic curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
7
7.10 Elliptic curves in use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Web links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
A Appendix 186
A.1 CrypTool Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
A.2 Authors of the CrypTool Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
A.3 Bibliography of Movies and Fictional Literature with Relation to Cryptograpy,
Books for Kids with Collections of Simple Ciphers . . . . . . . . . . . . . . . . . . 190
Index 196
8
Preface to the 7th Edition of the CrypTool Script
Starting in the year 2000 this script became a part of the CrypTool package. It is designed to
accompany the program CrypTool by explaining some mathematical topics in more detail, but
still in a way which is easy to understand.
In order to also enable developers/authors to work together independently the topics have been
split up and for each topic an extra chapter has been written which can be read on its own. The
later editorial work in TeX added cross linkages between dierent sections and footnotes describing
where you can nd the according functions within the CrypTool program (see menu tree in
appendix A). Naturally there are many more interesting topics in mathematics and cryptography
which could be discussed in greater depth therefore this is only one of many ways to do it.
The rapid spread of the Internet has also lead to intensied research in the technologies involved,
especially within the area of cryptography where a good deal of new knowledge has arisen.
This edition of the script adds some topics, but mainly updates areas (e.g. the summaries of
topical research areas):
the search for the largest prime numbers (generalized Mersenne and Fermat primes)
(chap. 3.6, 3.4.1),
the factorisation of big numbers (RSA-200) (chap. 4.11.4),
progress in cryptanalysis of hash algorithms (chap. 6.1.2) and
a list of movies or novels, in which cryptography or number theory played major role (see
appendix A.3); and where primes are used as hangers (see curiouses in 3.8.4).
The rst time the document was delivered with CrypTool was in version 1.2.01. Since then it
has been expanded and revised in almost every new version of CrypTool (1.2.02, 1.3.00, 1.3.02,
1.3.03, 1.3.04 and now 1.4.00).
Id be more than happy if this also continues in the further open-source versions of CrypTool.
I am deeply grateful to all the people helping with their impressive commitment who have made
this global project so successful. Especially I would like to acknowledge the English language
proof-reading of this script version done by Richard Christensen and Lowell Montgomery.
I hope that many readers have fun with this script and that they get out of it more interest and
greater understanding of this modern but also very ancient topic.
Bernhard Esslinger
Frankfurt (Germany), March 2006
9
Introduction How do the Script and the Program Play together?
This script
This document is delivered together with the program CrypTool.
The articles in this script are largely self-contained and can also be read independently of Cryp-
Tool.
Chapters 5 (Modern Cryptography) and 7 (Elliptic Curves) require a deeper knowledge in math-
ematics, while the other chapters should be understandable with a school leaving certicate.
The authors have attempted to describe cryptography for a broad audience without being
mathematically incorrect. We believe that this didactical pretension is the best way to promote
the awareness for IT security and the readiness to use standardised modern cryptography.
The program CrypTool
CrypTool is a program with an extremely comprehensive online help enabling you to use and
analyse cryptographic procedures within a unied graphical user interface.
CrypTool was developed during the end-user awareness program at Deutsche Bank in order to
increase employee awareness of IT security and provide them with a deeper understanding of
the term security. A further aim has been to enable users to understand the cryptographic
procedures. In this way, using CrypTool as a reliable reference implementation of the various
encryption procedures, you can test the encryption implemented in other programs.
CrypTool is currently been used for training in companies and teaching at school and universities,
and moreover several universities are helping to further develop the project.
Acknowledgment
At this point Id like to thank explicitly six people who particularly contributed to CrypTool.
Without their special talents and engagement CrypTool would not be what it is today:
Mr. Henrik Koy
Mr. Jorg-Cornelius Schneider
Dr. Peer Wichmann
Prof. Dr. Claudia Eckert, Mr. Thomas Buntrock and Mr. Thorsten Clausius.
Also I want to thank all the many people not mentioned here for their hard work (mostly carried
out in their spare time).
Bernhard Esslinger
Frankfurt (Germany), March 2006
10
1 Encryption Procedures
(Bernhard Esslinger, May 1999, Updates Dec. 2001, Feb. 2003, June 2005)
This chapter introduces the topic in a more descriptive way without using too much mathematics.
The purpose of encryption is to change data in such a way that only an authorised recipient is
able to reconstruct the plaintext. This allows us to transmit data without worrying about it
getting into unauthorised hands. Authorised recipients possess a piece of secret information
called the key which allows them to decrypt the data while it remains hidden from everyone
else.
One encryption procedure has been mathematically proved to be secure, the One Time Pad.
However, this procedure has several practical disadvantages (the key used must be randomly
selected and must be at least as long as the message being protected), which means that it
is hardly used except in closed environments such as for the hot wire between Moscow and
Washington.
For all other procedures there is a (theoretical) possibility of breaking them. If the procedures
are good, however, the time taken to break them is so long that it is practically impossible to do
so, and these procedures can therefore be considered (practically) secure.
The book of Bruce Schneier [Schneier1996] oers a very good overview of the dierent algorithms.
We basically distinguish between symmetric and asymmetric encryption procedures.
1.1 Symmetric encryption
1
For symmetric encryption sender and recipient must be in possession of a common (secret) key
which they have exchanged before actually starting to communicate. The sender uses this key to
encrypt the message and the recipient uses it to decrypt it.
All classical methods are of this type. Examples can be found within the program CrypTool,
in chapter 2 (Paper and Pencil Encryption Methods) of this script or in [Nichols1996]. Now we
want to consider more modern mechanisms.
The advantages of symmetric algorithms are the high speed with which data can be encrypted
and decrypted. One disadvantage is the need for key management. In order to communicate with
one another condentially, sender and recipient must have exchanged a key using a secure channel
before actually starting to communicate. Spontaneous communication between individuals who
have never met therefore seems virtually impossible. If everyone wants to communicate with
everyone else spontaneously at any time in a network of n subscribers, each subscriber must have
previously exchanged a key with each of the other n 1 subscribers. A total of n(n 1)/2 keys
must therefore be exchanged.
1
With CrypTool you can execute the following modern symmetric encryption algorithms (using the menu path
Crypt \ Symmetric (modern)):
IDEA, RC2, RC4, DES (ECB), DES (CBC), Triple-DES (ECB), Triple-DES (CBC), MARS (AES candidate),
RC6 (AES candidate), Serpent (AES candidate), Twosh (AES candidate), Rijndael (ocial AES algorithm).
11
The most well-known symmetric encryption procedure is the DES-algorithm. The DES-algorithm
has been developed by IBM in collaboration with the National Security Agency (NSA), and was
published as a standard in 1975. Despite the fact that the procedure is relatively old, no eective
attack on it has yet been detected. The most eective way of attacking consists of testing (almost)
all possible keys until the right one is found (brute-force-attack). Due to the relatively short key
length of eectively 56 bits (64 bits, which however include 8 parity bits), numerous messages
encrypted using DES have in the past been broken. Therefore, the procedure can now only be
considered to be conditionally secure. Symmetric alternatives to the DES procedure include the
IDEA or Triple DES algorithms.
Up-to-the-minute procedure is the symmetric AES standard. The associated Rijndael algorithm
was declared winner of the AES award on October 2nd, 2000 and thus succeedes the DES proce-
dure.
More details about the AES algorithms and the AES candidates of the last round can be found
within the online help of CrypTool
2
.
1.1.1 New results about cryptanalysis of AES
Below you will nd some results, which have recently called into question the security of the AES
algorithm from our point of view these doubts practically still remain unfounded . The following
information is based on the original papers and the articles [Wobst-iX2002] and [Lucks-DuD2002].
AES with a minimum key length of 128 bit is still in the long run suciently secure against brute-
force attacks as long as the quantum computers arent powerful enough. When announced as
new standard AES was immune against all known crypto attacks, mostly based on statistical
considerations and earlier applied to DES: using pairs of clear and cipher texts expressions are
constructed, which are not completely at random, so they allow conclusions to the used keys.
These attacks required unrealistically large amounts of intercepted data.
Cryptanalysts already label methods as academic success or as cryptanalytic attack if they
are theoretically faster than the complete testing of all keys (brute force analysis). In the case
of AES with the maximal key length (256 bit) exhaustive key search on average needs 2
255
encryption operations. A cryptanalytic attack needs to be better than this. At present between
2
75
and 2
90
encryption operations are estimated to be performable only just for organizations,
for example a security agency.
In their 2001-paper Ferguson, Schroeppel and Whiting [Ferguson2001] presented a new method
of symmetric codes cryptanalysis: They described AES with a closed formula (in the form of a
continued fraction) which was possible because of the relatively clear structure of AES. This
formula consists of around 1000 trillion terms of a sum - so it does not help concrete practical
cryptanalysis. Nevertheless curiosity in the academic community was awakened. It was already
known, that the 128-bit AES could be described as an over-determined system of about 8000
quadratic equations (over an algebraic number eld) with about 1600 variables (some of them
2
CrypTool online help: the index head-word AES leads to the 3 help pages: AES candidates, The AES winner
Rijndael and The Rijndael encryption algorithm.
12
are the bits of the wanted key) equation systems of that size are in practice not solvable. This
special equation system is relatively sparse, so only very few of the quadratic terms (there are
about 1,280,000 are possible quadratic terms in total) appear in the equation system.
The mathematicians Courtois and Pieprzyk [Courtois2002] published a paper in 2002, which got
a great deal of attention amongst the crypto community: The pair had further developed the XL-
method (eXtended Linearization), introduced at Eurocrypt 2000 by Shamir et al., to create the
so called XSL-method (eXtended Sparse Linearization). The XL-method is a heuristic technique,
which in some cases manages to solve big non-linear equation systems and which was till then
used to analyze an asymmetric algorithm (HFE). The innovation of Courtois and Pieprzyk was,
to apply the XL-method on symmetric codes: the XSL-method can be applied to very specic
equation systems. A 256-bit AES could be attacked in roughly 2
230
steps. This is still a purely
academic attack, but also a direction pointer for a complete class of block ciphers. The major
problem with this attack is that until now nobody has worked out, under what conditions it is
successful: the authors specify in their paper necessary conditions, but it is not known, which
conditions are sucient. There are two very new aspects of this attack: rstly this attack is not
based on statistics but on algebra. So attacks seem to be possible, where only very small amounts
of cipher text are available. Secondly the security of a product algorithm
3
does not exponentially
increase with the number of rounds.
Currently there is a large amount of research in this area: for example Murphy and Robshaw pre-
sented a paper at Crypto 2002 [Robshaw2002a], which could dramatically improve cryptanalysis:
the burden for a 128-bit key was estimated at about 2
100
steps by describing AES as a special case
of an algorithm called BES (Big Encryption System), which has an especially round structure.
But even 2
100
steps are beyond what is achievable in the foreseeable future. Using a 256 bit key
the authors estimate that a XSL-attack will require 2
200
operations.
More details can be found at:
http://www.cryptosystem.net/aes
http://www.minrank.org/aes/
So for 256-AES the attack is much more eective than brute-force but still far more away from
any computing power which could be accessible in the short-to-long term.
The discussion is very controversial at the moment: Don Coppersmith (one of the inventors of
DES) for example queries the practicability of the attack because XLS would provide no solution
for AES [Coppersmith2002]. This implies that then the optimization of Murphy and Robshaw
[Robshaw2002b] would not work.
3
A cipher text can be used as input for another encryption algorithm. A cascade cipher is build up as a composition
of dierent encryption transformations. The overall cipher is called product algorithm or cascade cipher (sometimes
depending whether the used keys are statistically dependent or not).
Cascading does not always improve the security.
This process is also used within modern algorithms: They usually combine simple and, considered at its own,
cryptologically relatively unsecure single steps in several rounds into an ecient overall procedure. Most block
ciphers (e.g. DES, IDEA) are cascade ciphers.
Also serial usage of the same cipher with dierent keys (like with Triple-DES) is called cascade cipher.
13
1.1.2 Current status of brute-force attacks on symmetric algorithms (RC5)
The current status of brute-force attacks on symmetric encryption algorithms can be explained
with the block cipher RC5.
Brute-force (exhaustive search, trial-and-error) means to completely examine all keys of the key
space: so no special analysis methods have to be used. Instead, the cipher text is decrypted with
all possible keys and for each resulting text it is checked, whether this is a meaningful clear text.
A key length of 64 bit means at most 2
64
= 18,446,744,073,709,551,616 or about 18 trillion (GB)
/ 18 quintillion (US) keys to check
4
.
Companies like RSA Security provide so-called cipher challenges in order to quantify the security
oered by well-known symmetric ciphers as DES, Triple-DES or RC5
5
. They oer prizes for
those who manage to decipher cipher texts, encrypted with dierent algorithms and dierent key
lengths, and to unveil the symmetric key (under controlled conditions). So theoretical estimates
can be conrmed.
It is well-known, that the old standard algorithm DES with a xed key length of 56 bit is
no more secure: this was demonstrated already in January 1999 by the Electronic Frontier
Foundation (EFF). With their specialized computer Deep Crack they cracked a DES encrypted
message within less than a day
6
.
The current record for strong symmetric algorithms unveiled a key 64 bit long. The algorithm
used was RC5, a block cipher with variable key size.
The RC5-64 challenge has been solved by the distributed.net team after 5 years
7
. In total
331,252 individuals co-operated over the internet to nd the key. More than 15 trillion (GB) /
15 quintillion (US) keys were checked, until they found the right key.
This makes clear, that symmetric algorithms (even if they have no cryptographical weakness)
using keys of size 64 bit are no more appropriate to keep sensible data private.
Similar cipher challenges are there for asymmetric algorithms (please see chapter 4.11.4).
1.2 Asymmetric encryption
8
In the case of asymmetric encryption each subscriber has a personal pair of keys consisting of a
secret key and a public key. The public key, as its name implies, is made public, e.g. in a key
directory on the Internet.
4
With CrypTool you can also try brute-force attacks of modern symmetric algorithms (using the menu path Anal-
ysis \ Symmetric Encryption (modern)): here the weakest knowledge of an attacker is assumed, he performs
a ciphertext-only attack. To achieve a result in an appropriate time with a single PC you should mark not more
than 20 bit of the key as unknown.
5
http://www.rsasecurity.com/rsalabs/challenges/secretkey/index.html
6
http://www.rsasecurity.com/rsalabs/challenges/des3/index.html
7
http://distributed.net/pressroom/news-20020926.html
8
With CrypTool you can execute RSA encryption and decryption (using the menu path Crypt \ Asymmetric).
In both cases you must select a RSA key pair. Only in the case of decryption the secret RSA key is necessary: so
here you are asked to enter the PIN.
14
If Alice
9
wants to communicate with Bob, then she nds Bobs public key in the directory and
uses it to encrypt her message to him. She then sends this cipher text to Bob, who is then able
to decrypt it again using his secret key. As only Bob knows his secret key, only he can decrypt
messages addressed to him. Even Alice who sends the message cannot restore plaintext from the
(encrypted) message she has sent. Of course, you must rst ensure that the public key cannot
be used to derive the private key.
Such a procedure can be demonstrated using a series of thief-proof letter boxes. If I have composed
a message, I then look for the letter box of the recipient and post the letter through it. After
that, I can no longer read or change the message myself, because only the legitimate recipient
has the key for the letter box.
The advantage of asymmetric procedures is the easy key management. Lets look again at a
network with n subscribers. In order to ensure that each subscriber can establish an encrypted
connection to each other subscriber, each subscriber must possess a pair of keys. We therefore
need 2n keys or n pairs of keys. Furthermore, no secure channel is needed before messages are
transmitted, because all the information required in order to communicate condentially can
be sent openly. In this case, you simply have to pay attention to the accuracy (integrity and
authenticity) of the public key. Disadvantage: Pure asymmetric procedures take a lot longer to
perform than symmetric ones.
The most well-known asymmetric procedure is the RSA algorithm
10
, named after its developers
Ronald Rivest, Adi Shamir and Leonard Adleman. The RSA algorithm was published in 1978.
The concept of asymmetric encryption was rst introduced by Whiteld Die and Martin Hell-
man in 1976. Today, the ElGamal procedures also play a decisive role, particularly the Schnorr
variant in the DSA (Digital Signature Algorithm).
1.3 Hybrid procedures
11
In order to benet from the advantages of symmetric and asymmetric techniques together, hybrid
procedures are usually used (for encryption) in practice.
In this case the data is encrypted using symmetric procedures: the key is a session key generated
by the sender randomly
12
that is only used for this message. This session key is then encrypted
9
In order to describe cryptographic protocols participants are often named Alice, Bob, . . . (see [Schneier1996, p. 23]).
Alice and Bob perform all 2-person-protocols. Alice will initiate all protocols and Bob answers. The attackers are
named Eve (eavesdropper) and Mallory (malicious active attacker).
10
The RSA algorithm is extensively described in chapter 4.10 and later within this script. The RSA cryptosystem
can be executed in many variations with CrypTool (using the menu path Individual Procedures \ RSA
Cryptosystem \ RSA Demonstration). The topical research results concerning RSA are described in chapter
4.11.
11
Within CrypTool you can get a visualization of this technique using the menu path Crypt \ Hybrid: this dialogue
shows the single steps and its dependencies with concrete numbers. Here the asymmetric algorithm RSA and the
symmetric algorithm AES are used.
12
An important part of cryptographically secure techniques is to generate random numbers. Within CrypTool you can
check out dierent random number generators using the menu path Indiv. Procedures \ Generate Random
Numbers. Using the menu path Analysis \ Analyse Randomness you can apply dierent test methods for
15
using the asymmetric procedure and transmitted to the recipient together with the message.
Recipients can determine the session key using their secret keys and then use the session key
to encrypt the message. In this way, we can benet from the easy key management of asym-
metric procedures and encrypt large quantities of data quickly and eciently using symmetric
procedures.
1.4 Further details
Beside the information you can nd in the following chapters, many other books and on a good
number of websites the online help of CrypTool also oers very many details about the symmetric
and asymmetric encryption methods.
random data to binary documents.
Up to now CrypTool has concentrated on cryptographically strong pseudo random number generators. Only the
integrated Secude generator involves a pure random source.
16
References
[Coppersmith2002] Don Coppersmith,
Re: Impact of Courtois and Pieprzyk results,
2002-09-19, AES Discussion Groups at
http://aes.nist.gov/aes/
[Courtois2002] Nicolas Courtois, Josef Pieprzyk,
Cryptanalysis of Block Ciphers with Overdened Systems of Equations,
received 10 Apr 2002, last revised 9 Nov 2002.
A dierent version, so called compact version of the rst XSL attack, was published at
Asiacrypt Dec 2002.
http://eprint.iacr.org/2002/044
[Ferguson2001] Niels Ferguson, Richard Schroeppel, Doug Whiting,
A simple algebraic representation of Rijndael, Draft 2001/05/1,
http://www.xs4all.nl/~vorpal/pubs/rdalgeq.html
[Lucks-DuD2002] Stefan Lucks, R udiger Weis,
Neue Ergebnisse zur Sicherheit des Verschl usselungsstandards AES, in DuD Dec. 2002.
[Nichols1996] Randall K. Nichols,
Classical Cryptography Course, Volume 1 and 2,
Aegean Park Press 1996; or in 12 lessons online at
http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm
[Robshaw2002a] S.P. Murphy, M.J.B. Robshaw,
Essential Algebraic Structure within the AES, June 5, 2002, Crypto 2002,
http://www.isg.rhul.ac.uk/ mrobshaw/rijndael/rijndael.html
[Robshaw2002b] S.P. Murphy, M.J.B. Robshaw,
Comments on the Security of the AES and the XSL Technique, September 26, 2002,
http://www.isg.rhul.ac.uk/ mrobshaw/rijndael/rijndael.html
[Schmeh2003] Klaus Schmeh,
Cryptography and Public Key Infrastructures on the Internet,
John Wiley & Sons Ltd., Chichester 2003.
A considerable, up-to-date, easy to read book, which also considers practical problems
such as standardisation or real existing software.
[Schneier1996] Bruce Schneier,
Applied Cryptography, Protocols, Algorithms, and Source Code in C,
Wiley 1994, 2nd edition 1996.
[Wobst-iX2002] Reinhard Wobst,
Angekratzt - Kryptoanalyse von AES schreitet voran, in iX Dec. 2002,
plus the readers remark by Johannes Merkle in iX Feb. 2003.
17
Web links
1. AES or Rijndael Cryptosystem
http://www.cryptosystem.net/aes
http://www.minrank.org/aes/
2. AES Discussion Groups at NIST
http://aes.nist.gov/aes
3. distributed.net: RC5-64 has been solved
http://distributed.net/pressroom/news-20020926.html
4. RSA: The RSA Secret Key Challenge
http://www.rsasecurity.com/rsalabs/challenges/secretkey/index.html
5. RSA: DES Challenge
http://www.rsasecurity.com/rsalabs/challenges/des3/index.html
6. Further Links can be found at the CrypTool Homepage
http://www.cryptool.org
18
Edgar Allan Poe: A Few Words on Secret Writing, 1841
Few persons can be made to believe that it is not quite an easy thing to invent a method of
secret writing which shall bae investigation. Yet it may be roundly asserted that human
ingenuity cannot concoct a cipher which human ingenuity cannot resolve.
2 Paper and Pencil Encryption Methods
(Christine Stotzel, April 2004; Updates: B.+C. Esslinger, June 2005)
The following chapter provides a broad overview of paper and pencil methods
13
each with refer-
ences to deeper information. All techniques that people can apply manually to en- and decipher
a message are embraced by this term. These methods were and still are especially popular with
secret services, as a writing pad and a pencil in contrast to electronical aids are totally
unsuspicious.
The rst paper- and pencilmethods already arose about 3000 years ago, but new procedures
were developed during the past century, too. All paper and pencil methods are a matter of
symmetric methods. Even the earliest encryption algorithms use the basic principles such as
transposition, substitution, block construction and their combinations. Hence it is worthwhile to
closely consider this ancient methods especially under didactic aspects.
Methods to be successful and wide-spreaded had to fulll some attributes which are equally
required for modern algorithms:
Exhaustive description, almost standardisation (including special cases, padding, etc.).
Good balance between security and usability (because methods being too complicated were
error-prone or unacceptably slow).
2.1 Transposition ciphers
Encrypting a message by means of transposition does not change the original characters of this
message, only their order is modied (transposition = exchange)
14
.
2.1.1 Introductionary samples of dierent transposition ciphers
Railfence
15
[Singh2001]: The characters of a message are alternately written in two (or
more) lines, creating a zigzag pattern. The resulting cihpertext is read out line by line.
This is more a childrens method.
13
Always added with links to further information.
14
Another name uesed for transposition is permutation.
15
In CrypTool you can simulate this method under the menu Crypt \ Symmetric (classic) \ Permutation: for
a railfence with 2 lines use as key B,A and accept the default settings (only one permutation, where your input is
done line-by-line and the ouput is taken column-by-column). Using the key A,B would start the zigzag pattern
below in the way, that the rst letter is written into the rst line instead of the second line.
19
Plaintext
16
: an example of transposition
n x m l o t a s o i i n
a e a p e f r n p s t o
Table 1: Railfence cipher
Ciphertext
17
: NXMLO TASOI INAEA PEFRN PSTO
Scytale
18
[Singh2001]: This metod was probably used since 600 B.C. a description of
how it operated is not known from before Plutarch (50-120 B.C.).
A long strip of paper is wrapped around a wooden cylinder and then the message is written
along the length of this strip. The ciphertext is produced by unwinding the strip.
Grille [Goebel2003]: Both parties use identical stencils. Line by line, their holes are lled
with plaintext that is read out column by column to produce the ciphertext. If there is
plaintext left, the procedure is repeated
19
.
Turning grille [Savard1999]: The German army used turning grilles during WW1
20
. A
square grille serves as a stencil, a quarter of its elds being holes. The rst part of the
message is written on a piece of paper through these holes, then the grille is rotated by 90
degrees and the user can write down the second part of the message, etc. But this method
does only work, if the holes are chosen carefully: Every eld has to be used, and no eld
may be used twice, either. The ciphertext is read out line by line.
In the example for a turning grille in the following table you can write 4 times 16 characters
of the cleartext on a piece of paper:
16
If the alphabet only uses 26 letters, we write the plaintext in small letters and the ciphertext in capital letters.
17
The letters of the cleartext are as used historically grouped within blocks of 5 letters. It does not matter if the
(constant) blocklength is dierent or no blank is inserted.
18
The result of this encryption method meets the one of a simple columnar transposition. In CrypTool you can
simulate this method under the menu Crypt \ Symmetric (classic) \ Permutation: For the Scytale within
the dialog box only the rst permutation is used. If the wood has e.g. 4 angles use as key 1,2,3,4. This is
equivalent to write the text horizontally in blocks of 4 letters in a matrix and to read it out vertically . Because
the key is in an in ascending order, the Scytale is denoted as an identical permutation. And because writing and
read-out is done only once it is a simple (and no double) permutation.
19
This method cannot be simulated with a pure column transposition.
20
The turning grille was already invented in 1881 by Eduard Fleissner von Wostrowitz.
A good visualization can be found under www.turning-grille.com.
20
O - - - - O - -
- - - O O - - O
- - - O - - O -
- - O - - - - -
- - - - O - - -
O - O - - - O -
- O - - - - - O
- - - O O - - -
Table 2: A 8 * 8 turning grille
2.1.2 Column and row transposition
21
Simple columnar transposition [Savard1999]: First of all, a keyword is chosen, that is
written above the columns of a table. This table is lled with the text to be encrypted line by
line. Then the columns are rearranged by sorting the letters of the keyword alphabetically.
Afterwards the columns are read out from left to right to build the ciphertext
22
.
Plaintext: an example of transposition
K E Y
a n e
x a m
p l e
o f t
r a n
s p o
s i t
i o n
Table 3: Simple columnar transposition
Transposition key: K=2; E=1; Y=3.
Ciphertext: NALFA PIOAX PORSS IEMET NOTN
AMSCO [ACA2002]: The characters of the plaintext are written in alternating groups of
one respectively two letters into a grille. Then the columns are swapped and the text can
be read out.
Double column transposition [Savard1999] : Double columnar transposition was fre-
21
Most of the following methods can be simulated in CrypTool under the menu Crypt \ Symmetric (classic) \
Permutation.
22
Using CrypTool: Choose a key for the 1st permutation, input line by line, permute and output column by column.
21
quently used during WW2 and during the Cold War. Two simple columnar transpositions
with dierent keys are executed successively
23
.
Column transposition, General Luigi Sacco [Savard1999]: The columns of a table are
numbered according to the letters of the keyword. The plaintext is entered line by line, in
the rst line up to column number one, in the second line up to column number two, etc.
Again, the ciphertext is read out in columns.
Plaintext: an example of transposition
C O L U M N
1 5 2 6 3 4
a
n e x
a m p l e
o f t r a n
s p
o s i t
i o n
Table 4: Columnar transposition (General Luigi Sacco)
Ciphertext: ANAOS OIEMF PSOXP TINLR TEAN
Column transposition, French army in WW1 [Savard1999]: After executing a simple
columnar transposition, diagonal rows are read out.
Row transposition [Savard1999]: The plaintext is divided into blocks of equal length and
a keyword is chosen. Now the letters of the keyword are numbered and permutation is done
only within each block according to this numbering
24
.
2.1.3 Further transposition algorithm ciphers
Geometric gures [Goebel2003]: Write the message into a grille following one pattern
and read it out using another.
Union Route Cipher [Goebel2003]: The Union Route Cipher derives from Civil War.
This method does not rearrange letters of a given plaintext, but whole words. Particularly
sensitive names and terms are substituted by codewords which are recorded in codebooks
together with the existing routes. A route determines the size of a grille and the pattern
that is used to read out the ciphertext. Aditionally, a number of ller words is dened.
23
Using CrypTool: Choose a key for the 1st permutation, input line by line, permute and output column by column.
Then choose a (dierent) key for the 2nd permutation, input line by line, permute and output column by column.
24
Using CrypTool: Choose a key for 1st permutation, input line by line, permute column by column and output line
by line.
22
Nihilist Transposition [ACA2002]: Insert the plaintext into a square grille and write
the same keyword above the columns and next to the lines. As this keyword is sorted
alphabetically, the contents of the grille are rearranged, too. Read out the ciphertext line
by line.
Plaintext: an example of transposition
W O R D S D O R S W
W a n e x a D s p o i s
O m p l e o O e p l o m
R f t r a n R a t r n f
D s p o s i S n i o - t
S t i o n - W x n e a a
Table 5: Nihilist transposition
25
Ciphertext: SPOIS EPLOM ATRNF NIOTX NEAA
Cadenus [ACA2002]: Cadenus is a form of columnar transposition that uses two keywords.
The 1st keyword is used to swap columns.
The 2nd keyword is used to dene the initial letter of each column: this 2nd keyword is
a permutation of the used alphabet. This permutation is written on the left of the rst
column. Afterwards, each column is moved (wrap-around) so that it begins with the letter,
which is in the the same line as the key letter of the rst keyword within the second keyword.
Ciphertext is read out line by line.
See table 6.
Plaintext: cadenus is a form of columnar transposition using a keyword
Ciphertext:
SAASR PIFIU LONNS KTGWN EDOOA TDNNU IISFA OMYOC ROUCM AERRS
25
After lling the matrix with the cleartext you get the left block. After switching rows and columns you get the
right block
26
Within the 2nd block of three chars those chars are printed bold which are at the top of the 3rd block after applying
the 2nd key word.
23
K E Y E K Y E K Y
A c a d a c d s a a
D e n u n e u s r p
X s i s i s s i f i
K a f o f a o u l o
C r m o m r o n n s
W f c o c f o k t g
N l u m u l m w n e
S n a r a n r d o o
Y t r a r t a a t d
E n s p s n p n n u
D o s i s o i i i s
T t i o i t o f a o
U n u s u n s m y o
B i n g n i g c r o
R a k e k a e u c m
G y w o w y o a e r
H r d - d r - r s -
Table 6: Cadenus
26
2.2 Substitution ciphers
2.2.1 Monoalphabetic substitution ciphers
Monoalphabetic substitution assigns one character of the ciphertext alphabet to each plaintext
character. This mapping remains unchanged during the whole process of encryption.
General monoalphabetic substitution / Random letter pairs
27
[Singh2001]: The
substitution occurs by a given assignment of single letters.
Atbash
28
[Singh2001]: Replace the rst letter of the alphabet by the last letter of the
alphabet, the second one by the last but one, etc.
Shift cipher, for example Caesar cipher
29
[Singh2001]: Plaintext alphabet and cipher-
text alphabet are shifted against each other by a determined number of letters. Using the
Caesar cipher means shifting letters about three positions.
27
This cipher can be simulated in CrypTool under the menu Crypt \ Symmetric (classic) \ Substitution /
Atbash.
28
This cipher can be simulated in CrypTool under the menu Crypt \ Symmetric (classic) \ Substitution /
Atbash.
29
In CrypTool this method can be nd at three dierent places in the menu tree:
- Crypt \ Symmetric (classic) \ Caesar / ROT13
- Analysis \ Symmetric Encryption (classic) \ Ciphertext only \ Caesar
- Indiv. Procedures \ Visualization of Algorithms using ANIMAL \ Caesar.
24
Plaintext: three positions to the right
Ciphertext: WKUHH SRVLWLRQV WR WKH ULJKW
Substitution with symbols [Singh2001], for instance the so-called freemason cipher:
Each letter is replaced with a symbol.
Variants: Fill characters, intentional mistakes [Singh2001].
Nihilist Substitution
30
[ACA2002]: Insert the alphabet into a 5x5-matrix and replace
every letter of the message with the two corresponding digits. The resulting numbers are
written into a grille. For this purpose, a keyword is chosen and placed above the columns of
the grille. Its letters are substituted by numbers, too. The ciphertext results from adding
the numbers of the plaintext and the numbers of the keyword. Numbers between 100 and
110 are transformed to numbers between 00 and 10, so that each letter is represented by a
two-digit number.
See table 7.
Plaintext: an example of substitution
Ciphertext: 58 53 85 88 54 96 78 72 85 56 63 65 47 44 65 49 46 68 47 55 69 56 53
30
An animation of this Nihilist method can be nd in CrypTool at the menu item Indiv. Procedures \ Visual-
ization of Algorithms using ANIMAL \ Nihilist.
25
Matrix
1 2 3 4 5
1 S U B T I
2 O N A C D
3 E F G H K
4 L M P Q R
5 V W X Y Z
Table
K E Y
(35) (31) (54)
a n e
(58) (53) (85)
x a m
(88) (54) (96)
p l e
(78) (72) (85)
o f s
(56) (63) (65)
u b s
(47) (44) (65)
t i t
(49) (46) (68)
u t i
(47) (55) (69)
o n
(56) (53)
Table 7: Nihilist Substitution
Coding [Singh2001]: In the course of time, codebooks were used again and again. A
codebook assigns a codeword, a symbol or a number to every possible word of a message.
Only if both parties hold identical codebooks and if the assignment of codewords to plaintext
words is not revealed, a successful and secret communication can take place.
Nomenclature [Singh2001]: A nomenclature is an encryption system that is based upon
a ciphertext alphabet. This alphabet is used to encrypt the bigger part of the message.
Particularly frequent or top-secret words are replaced by a limited number of codewords
existing besides the ciphertext alphabet.
Map cipher [ThinkQuest1999]: This method constitutes a combination of substitution
and steganography
31
. Plaintext characters are replaced by symbols which are arranged in
a map following certain rules
Straddling Checkerboard [Goebel2003]: A 3x10-matrix is lled with the letters of the
31
Instead of encrypting a message, pure steganography tries to conceal its existence.
26
used alphabet and two arbitrary digits or special characters as follows: The dierent letters
of a keyword and the remaining characters are written into the grille. The columns are
numbered 0 to 9, the second and the third line are numbered 1 and 2. Each plaintext
character is replaced by the corresponding digit, respectively the corresponding pair of
digits. As 1 and 2 are the rst digits of the possible two-digit-numbers, they are not
used as single digits.
See table 8.
Plaintext: an example of substitution
0 1 2 3 4 5 6 7 8 9
K - - E Y W O R D A
1 B C F G H I J L M N
2 P Q S T U V X Z . /
Table 8: Straddling Checkerboard with password Keyword
Ciphertext: 91932 69182 01736 12222 41022 23152 32423 15619
Besides, 1 and 2 are the most commonly used digits, but this feature is removed by
the following technique.
It is ostentatious, how often the numbers 1 and 1 appear, but this will be xed with the
following version.
Straddling Checkerboard, variant [Goebel2003]: This variant of the straddling checker-
board was developed by Sovjet spies during WW2. Ernesto (Che) Guevara and Fidel Castro
allegedly used this cipher for their secret communication. A grille is lled with the alphabet
(number of columns = length of keyword), and two arbitrary digits are chosen as reserved to
indicate the second and third line of a 3x10-matrix (see above). Now the grille is traversed
column by column and the single letters are transfered row by row into the matrix: For
a faster encryption, the eight most common letters (ENIRSATO) are assigned the digits
from 0 to 9, the reserved 2 digits are not assigned. The remaining letters are provided with
combinations of digits one after another and are inserted into the grille.
See table 9.
Plaintext: an example of substitution
Ciphertext: 04271 03773 33257 09343 29181 34185 4
27
Grille
K E Y W O R D
A B C F G H I
J L M N P Q S
T U V X Z . /
Matrix
0 1 2 3 4 5 6 7 8 9
A T E - N O R - I S
3 K J B L U Y C M V W
7 F X G P Z H Q . D /
Table 9: Variant of the Straddling Checkerboard
Che Guevara Cipher: A special variant is the cipher used by Che Guevara (with
an additional substitution step and a slightly changed checkerboard):
The seven most frequent letters in Spanish are distributed in the rst row.
Four instead of three rows are used.
So one could encrypt 10 4 4 = 36 dierent characters.
Tri-Digital [ACA2002]: A keyword with ten letters is used to create a numeric key by
numbering its letters corresponding to their alphabetical order. This key is written above
the columns of 3x10-matrix. This matrix is lled line by line with the alphabet as follows:
The dierent letters of a keyword are inserted rst, followed by the remaining letters. The
last column is left out. Plaintext characters are substituted with numbers, the number of
the last column is used to seperate words.
Baconian Cipher [ACA2002]: Assign a ve-digit binary code to every letter and to 6
numbers or special characters (for example 00000 = A, 00001 = B, etc.) and replace the
plaintext characters with this binary code. Now use a second, unsuspicious message to hide
the ciphertext inside of it. This may happen by upper and lower case or italicized letters:
e.g. all letters of the unsuspicious message below a binary 1 are capitalised.
See table 10.
message F I G H T
ciphertext 00101 01000 00110 00111 10011
unsuspicious message itisw arman thesu nissh ining
Baconian Cipher itIsW aRman thESu niSSH IniNG
Table 10: Baconian Cipher
28
2.2.2 Homophonic substitution ciphers
Homophonic methods constitute a special form of monoalphabetic substitution. Each character
of the plaintext alphabet is assigned several ciphertext characters.
Homophonic monoalphabetic substitution
32
[Singh2001]: Each language has a typical
frequency distribution of letters. To conceal this distribution, each plaintext letter is as-
signed several ciphertext characters. The number of ciphertext characters assigned depends
on the frequency of the letter to be encrypted.
Beale cipher [Singh2001]: The Beale cipher is a book cipher that numbers the words of a
keytext. These numbers replace the cleartext letters by the words initial letters.
Grandpre Cipher [Savard1999]: A square grille with 10 columns (other layouts are pos-
sible, too) is lled with ten words. The initial letters should result in an eleventh word. As
columns and rows are numbered from 0 to 9, letters can be replaced by two-digit numbers.
It is obvious that with the table having a hundred elds, most letters can be represented
by more than one number. You should keep in mind that those ten words have to contain
all letters of the plaintext alphabet.
Book cipher: The words of a message are substituted by triples page-line-position. This
method requires a detailed agreement of which book to use, especially regarding the edition
(layout, error correction, etc.).
2.2.3 Polygraphic substitution ciphers
Polygraphic techniques do not work by replacing single characters, but by replacing whole groups
of characters. In most cases, these groups are digramms, trigramms or syllables.
Great Chire [Singh2001]: This cipher was used by Louis XIV. and was not solved
until the end of the nineteenth century. Cryptograms consisted of 587 dierent numbers,
every number representing a syllable. The inventors of the Great Chire (Rossignol,
father and son) constructed additional traps to increase security. For example, a number
could assign a dierent meaning to or delete the preceding one.
Playfair
33
[Singh2001]: A 5x5-matrix is lled with the plaintext characters. For example,
the dierent letters of a keyword are inserted rst, followed by the remaining letters. The
plaintext is divided into pairs, these digraphs are encrypted using the following rules:
1. If both letters can be found in the same column, they are replaced by the letters
underneath.
2. If both letters can be found in the same row, take the letters to their right.
32
This cipher can be simulated in CrypTool under the menu Crypt \Symmetric (classic)\ Homophone.
33
In CrypTool you can call this method under the menu Crypt \ Symmetric (classic) \ Playfair.
29
3. If both letters of the digraph are in dierent columns and rows, the replacement letters
are obtained by scanning along the row of the rst letter up to the column where the
other letter occurs and vice versa.
4. Double letters are treated by special rules, if they apear in one diagraph. They can
be seperated by a ller, for example.
See table 11.
Plaintext: plaintext letters are x encrypted in pairs
K E Y W O
R D A B C
F G H I L
M N P Q S
T U V X Z
Table 11: 5x5-Playfair
Ciphertext: SHBHM UWUZF KUUKC MBDWU DURDA VUKBG PQBHC M
Trigraphic Playfair: A 5x5-matrix is lled with the alphabet (see above) and the plaintext
is divided into trigraphs. Trigraphs are encrypted according to the following rules:
1. Three equal letters are substituted by three equal letters. It is the letter on the right
underneath the original letter.
2. A trigraph with two dierent letters is encrypted like a digraph in Playfair.
3. If a trigraph contains three dierent characters, very complex rules come into eect.
See [Savard1999]
Substituting digraphs by symbols [Savard1999]: Giovanni Battista della Porta, 15th
century. He created a 20x20-matrix that contained one symbol for every possible combina-
tion of letters (his alphabet did not comprise more than twenty letters).
Four square cipher [Savard1999]: This method is similar to Playfair, because it is based
on a system of coordinates whose four quadrants are each lled with the alphabet. The
layout of letters can dier from quadrant to quadrant. To encipher a message, act in the
following way: Look up the rst plaintext letter in the rst quadrant and the second one in
the third quadrant. These two letters are opposite corners of a rectangle and the ciphertext
letters can be found in quadrant number two and four.
See table 12.
Plaintext: plaintext letters are encrypted in pairs
Ciphertext: MWYQW XQINO VNKGC ZWPZF FGZPM DIICC GRVCS
30
d w x y m E P T O L
r q e k i C V I Q Z
u v h p s R M A G U
a l b z n F W Y H S
g c o f t B N D X K
Q T B L E v q i p g
Z H N D X s t u o h
P M I Y C n r d x y
V S K W O b l w m f
U A F R G c z k a e
Table 12: Four Square Cipher
Two square cipher [Savard1999]: The two square cipher resembles the four square cipher,
but the matrix is reduced to two quadrants. Are both letters of the digraph part of the same
row, they are just exchanged. Otherwise, the plaintext letters are considered as opposite
corners of a rectangle and substituted by the other vertices. Quadrants can be arranged
horizontal and vertical.
Tri square cipher [ACA2002]: Three quadrants are lled with the same alphabet. The
rst plaintext letter is looked up in the rst quadrant and can be encrypted with every
letter of that column. The second plaintext letter is looked up in the second quadrant
(diagonally across) and can be encrypted with every letter of that row. Between these two
ciphertext characters, the letter at the intersection point is set.
Dockyard Cipher [Savard1999]: Used by the German navy during WW2.
2.2.4 Polyalphabetic substitution ciphers
Concerning polyalphabetic substitution, the assignment of ciphertext characters to plaintext
characters is not static, but changes during the process of encryption (depending on the key).
Vigen`ere
34
[Singh2001]: Each plaintext character is encrypted with a dierent ciphertext
alphabet that is determined by the characters of a keyword (the so-called Vigen`ere-Tableau
serves auxiliary means). If the plaintext is longer than the key, the latter is repeated.
See table 13.
Interrupted key: The key is not repeated continously, but starts again with every
new word of the message.
Autokey [Savard1999]: After using the agreed key, use the message itself as a key.
See table 14.
34
In CrypTool you can call this method under the menu Crypt \ Symmetric (classic) \ Vigen`ere.
31
Plaintext: the alphabet is changing
Key: KEY KEYKEYKE YK EYKEYKEY
Ciphertext: DLC KPNREZOX GC GFKRESRE
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
... ... ...
Table 13: Vigen`ere-Tableau
Plaintext: the alphabet is changing
Key: KEY THEALPHA BE TISCHANG
Ciphertext: DLC TSTHLQLT JW VPSPNIAM
Table 14: Autokey
Progressive key [Savard1999]: The key changes during the process of encryption.
With every repetition, the characters of the keyword are shifted about one position.
KEY becomes LFZ.
Gronsfeld [Savard1999]: Variant of Vigen`ere that uses a numeric key.
Beaufort [Savard1999]: Variant of Vigen`ere, the key is subtracted, not added. The
ciphertext alphabets may be written backwards.
Porta [ACA2002]: Variant of Vigen`ere with only 13 alphabets. As a consequence,
two letters of the keyword are assigned the same ciphertext alphabet and the rst and
the second half of the alphabet are reciprocal.
Slidefair [ACA2002]: This method can be used as a variant of Vigen`ere, Gronsfeld or
Beaufort. Slidefair does encrypt digraphs according to the following rules: Look up the
rst letter in the plaintext alphabet above the tableau. Then look up the second one
in the row belonging to the corresponding keyword letter. These two letters make up
opposite corners of an imaginary rectangle. The letters at the two remaining corners
substitute the digraph.
32
Superposition
Book cipher: A keytext (for example out of a book) is added to the plaintext.
Superposition with numbers: A sequence or a number of sucient length (for
example pi) is added.
Phillips [ACA2002]: The alphabet is lled into a square table with 5 columns. Seven more
tables are generated by rst shifting the rst row one position towards the bottom, then
shifting the second row towards the bottom. The plaintext is divided into blocks of ve
which are encrypted with one matrix each. Letters are substituted by the ones on their
right and underneath.
Ragbaby [ACA2002]: Construct an alphabet with 24 characters. Then number the plain-
text characters, starting the numeration of the rst word with 1, the numeration of the
second one with 2 and so forth. Number 25 corresponds to number 1. Each letter of the
message is encrypted by shifting it the corresponding postions to the right.
alphabet: KEYWORDABCFGHILMNPSTUVXZ
Plaintext: t h e a l p h a b e t i s c h a n g i n g
Numbering: 1 2 3 2 3 4 5 6 7 8 9 3 4 4 5 6 7 8 9 10 11
Ciphertext: U L O C P V P I M C O N X I P I Z T X Y X
Table 15: Ragbaby
2.3 Combining substitution and transposition
In the history of cryptography one often comes across combinations of the previous mentioned
methods.
ADFG(V)X
35
[Singh2001]: ADFG(V)X-encryption was developed in Germany during
WW1. The alphabet is lled into a 5x5- or 6x6-matrix, and columns and rows are marked
with the letters ADFGX and V, depending on the size of the grille. Each plaintext character
is substituted by the corresponding pair of letters. Finally, a (row-) transposition cipher is
performed on the resulting text.
Fractionation [Savard1999]: Generic term for all kinds of methods that encrypt one plain-
text character by several ciphertext characters and then apply a transposition cipher to this
ciphertext so that ciphertext characters originally belonging to each other are separated.
Bid/Polybius square/checkerboard [Goebel2003]: Bid encryption is the basic
form of fractionation. A 5x5-matrix is lled with the plaintext alphabet (see Playfair
35
In CrypTool you can call this method under the menu Crypt \ Symmetric (classic) \ ADFGVX.
33
encryption), rows and columns are numbered, so that each cleartext character can
be substituted by a pair of digits. Mostly the plaintext is divided into blocks of
equal length. The length of blocks (here 5) is another conguration parameter of this
cipher. Block-by-block all line numbers are read out rst, followed by all numbers
naming the columns. To obtain the ciphertext, the digits are pairwise transformed
into letters again. The numbers can be any permutation of (1,2,3,4,5), which is one
key of conguration parameter of this cipher. Instead of numbering rows and columns,
a keyword can be used, too.
See table 16.
2 4 5 1 3
1 K E Y W O
4 R D A B C
2 F G H I L
3 M N P Q S
5 T U V X Z
Plaintext: combi nings ubsti tutio nandt ransp ositi
Rows: 41342 32323 54352 55521 34345 44333 13252
Columns: 33211 41443 41321 24213 45442 25435 33121
Table 16: Bid
41342 32323 54352 55521 34345 44333 13252 33211 41443 41321 24213 45442 25435
33121
Ciphertext: BNLLL UPHVI NNUCS OHLMW BDNOI GINUR HCZQI
Trid [Savard1999]: 27 characters (alphabet + 1 special character) may be represented
by a triple consisting of the digits 1 to 3. The message to be encrypted is divided into
blocks of three and the relevant triple is written underneath each plaintext character
as a column. The resulting numbers below the plaintext blocks are read out line by
line and are substituted with the corresponding characters.
Bazeries [ACA2002]: The plaintext alphabet is lled into a 5x5-matrix column by column,
a second matrix is lled line by line with a keyword (a number smaller than a million)
followed by the remaining letters of the alphabet. Then the message is divided into blocks
of arbitrary length and their characters order is inverted. Finally, each letter is substituted
according to its position in the original matrix by its counterpart in the second matrix.
See table 17.
Plaintext: combining substitution and transposition
Keyword: 900.004 (nine hundred thousand and four)
34
a f l q v N I E H U
b g m r w D R T O S
c h n s x A F B C G
d i o t y K L M P Q
e k p u z V W X Y Z
com bini ngs ub stitu tiona ndt ran sposi ti on
moc inib sgn bu utits anoit tdn nar isops it no
TMA LBLD CRB DY YPLPC NBMLP PKB BNO LCMXC LP BM
Table 17: Bazeries
Digrad [ACA2002]: To substitute digraphs, the following table is used (to simplify mat-
ters, the alphabet is used in its original form). Look up the rst letter of the digraph in the
horizontal alphabet and write down the column number. Then look up the second letter
in the vertical alphabet and write down the corresponding line number. Between these two
numbers, the number at the intersection point is set. Afterwards, the tripel are written
vertically underneath the digraphs that are arranged in groups of three. The three digit
numbers arising horizontally are transformed back into digraphs.
Remark: This cipher only works with complete blocks of 3 pairs of cleartext characters.
For a complete description, it is necessary to explain how sender and receiver handle texts
which ll in the last block only 1-5 characters. The possibilities range from ignoring a last
and incomplete block to padding it with randome characters or with characters predened
in advance.
See table 18.
35
1 2 3 4 5 6 7 8 9
A B C D E F G H I 1 2 3
J K L M N O P Q R 4 5 6
S T U V W X Y Z . 7 8 9
A J S 1
B K T 2
C L U 3
D M V 4
E N W 5
F O X 6
G P Y 7
H Q Z 8
I R . 9
co mb in in gs ub st it ut io na nd tr an sp os it io
3 4 9 9 7 3 1 9 3 9 5 5 2 1 1 6 9 9
2 4 2 2 3 7 9 3 9 2 4 4 8 2 8 6 3 2
6 2 5 5 1 2 2 2 2 6 1 4 9 5 7 1 2 6
LI KB FN .C BY EB SU I. BK RN KD FD BA HQ RP X. FT AO
Table 18: Digrad
Nicodemus [ACA2002]: First of all, a simple columnar transposition is carried out. Before
reading out the columns, the message is encrypted aditionally by Vigen`ere (all letters of a
column are enciphered with the corresponding keyword letter). The ciphertext is read out
in vertical blocks.
See table 19.
Plaintext: combining substitution and transpositio
Ciphertext: SMRYX MLSCC KLEZG YSRVW JSKDX RLBYN WMYDG N
36
K E Y E K Y E K Y
c o m o c m S M K
b i n i b n M L L
i n g n i g R S E
s u b u s b Y C Z
s t i t s i X C G
t u t u z t Y J R
i o n o i n S S L
a n d n a d R K B
t r a r t a V D Y
n s p s n p W X N
o s i s o i W Y G
t i o i t o M D N
Table 19: Nicodemus
2.4 Further methods
Pinprick encryption [Singh2001]: For centuries, this simple encryption method has
been put into practice for dierent reasons. During the Victorian Age, for example, small
holes underneath letters in newspaper articles marked the characters of a plaintext, as
sending a newspaper was much more cheaper than the postage on a letter.
Stencil: Stencils (Cardboard with holes) are also known as Cardinal-Richelieu-Key.
Sender and receiver have to agree upon a text. Above this text, a stencil is laid and the
letters that remain visible make up the ciphertext.
Card games [Savard1999]: The key is created by means of a pack of cards and rules
that are agreed upon in advance. All methods mentioned in this paragraph are designed as
paper- and pencilmethods, i.e. they are applicable without electronical aid. A pack of cards
is unsuspicious to outsiders, shuing the deck provides a certain amount of coincidence,
cards can be transformed into numbers easily and a transposition cipher can be carried out
without any further aid.
Solitaire (Bruce Schneier)
36
[Schneier1999]: Sender and receiver have to own a
deck of cards shued in the same manner. A key stream is generated that has to
consist of as many characters as the message to be encrypted.
The algorithm to generate the key is based on a shued deck of 54 cards (Ace, 2 - 10,
jack, queen, king in four suits and two jokers). The pack of cards is held face up:
1. Swap the rst joker with the card beneath it.
2. Move the second joker two cards down.
3. Now swap the cards above the rst joker with those below the second one.
36
In CrypTool you can call this method under the menu Crypt \ Symmetric (classic) \ Solitaire.
37
4. Look at the bottom card and convert it into a number from 1 to 53 (bridge order of
suits: clubs, diamonds, hearts, spades; joker = 53). Write down this number and
count down as many cards starting with the top card. These cards are swapped
with the remaining cards, only the bottom card remains untouched.
5. Look at the top card and convert it into a number, too. Count down as many
cards starting with the top card.
6. Write down the number of the following card. This card is converted into your
rst keystream character. As we need numbers from 1 to 26 to match the letters
of our alphabet, clubs and hearts correspond to the numbers 1 to 13, diamonds
and spades to 14 to 26. If your output card is a jocker, start again.
For each keystream character you like to generate, these six steps have to be carried
out. This procedure is manually very lengthy (4 h for 300 characters, dependant
on your excercise) and requires high concentration.
Encryption takes place by addition modulo 26. Encryption is relatively fast compared
to the key stream generation.
Mirdek (Paul Crowley) [Crowley2000]: Even though this method is quite compli-
cated, the author provides a very good example to illustrate the procedure.
Playing Card Cipher (John Savard) [Savard1999]: This algorithm uses a shued
deck of 52 cards (no joker). Separate rules describe how to shue the deck. A
keystream is created via the following steps:
1. The pack of cards lies in front of the user, top down. Cards are turned up and
dealt out in a row until the total of the cards is 8 or more.
2. If the last card dealt out is a J, Q or K, write down its value, otherwise write
down the sum of the cards dealt out (a number between 8 and 17). In a second
row, deal out that number of cards.
3. The remaining cards are dealt out in rows under the second row. The rst one
ends under the lowest card of the top row, the second one under the next lowest
card, and so on. If there are two identical cards, red is lower than black.
4. The cards dealt out under step 3 are collected column by column, starting with
the column under the lowest card. The rst card that is picked up becomes the
bottom card (face up).
5. The cards dealt out in step 1 and 2 are picked up, beginning with the last card.
6. The deck is turned over, the top card is now the bottom card (face down). After-
wards, steps 1 to 6 are repeated twice.
To generate a keystream character, write down the rst card not being J, Q or K.
Count down that number of cards. The card selected has to be between 1 and 10.
Now repeat these steps beginning with the last card. These two numbers are added
and the last digit of the sum is your keystream character.
VIC cipher [Savard1999]: This is a highly complicated but relatively secure paper- and
pencilmethod. It has been developed and applied by Sovjet spies. Amongst other things,
38
the user had to create ten pseudo-random numbers out of a date, the rst words of a
sentence and any ve-digit number. A straddling checkerboard is part of the encryption,
too. A detailed description can be found under [Savard1999].
39
References
[ACA2002] American Cryptogram Association,
Length and Standards for all ACA Ciphers,
2002.
http://www.cryptogram.org/cdb/aca.info/aca.and.you/chap08.html#
[Bauer1995] Friedrich L. Bauer,
Entzierte Geheimnisse, Springer, 1995.
[Bauer2000] Friedrich L. Bauer,
Decrypted Secrets, Springer 1997, 2nd edition 2000.
[Crowley2000] Paul Crowley,
Mirdek: A card cipher inspired by Solitaire,
2000.
http://www.ciphergoth.org/crypto/mirdek/
[DA1999] Data encryption page of the ThinkQuest Team 27158 for ThinkQuest 1999
(no update since 1999, no search possibility),
1999.
http://library.thinkquest.org/27158/
[Goebel2003] Greg Goebel,
Codes, Ciphers and Codebreaking,
2003.
http://www.vectorsite.net/ttcode.htm
[Nichols1996] Randall K. Nichols,
Classical Cryptography Course, Volume 1 and 2,
Aegean Park Press 1996; or in 12 lessons online at
http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm
[Savard1999] John J. G. Savard,
A Cryptographic Compendium,
1999.
http://www.hypermaths.org/quadibloc/crypto/jscrypt.htm
[Schmeh2004] Klaus Schmeh,
Die Welt der geheimen Zeichen. Die faszinierende Geschichte der Verschl usselung,
W3L Verlag Bochum, 1. Auage 2004.
[Schneier1999] Bruce Schneier,
The Solitaire Encryption Algorithm,
version 1.2, 1999.
http://www.schneier.com/solitaire.html
40
[Singh2001] Simon Singh,
Geheime Botschaften. Die Kunst der Verschl usselung von der Antike bis in die Zeiten
des Internet,
dtv, 2001.
[ThinkQuest1999] ThinkQuest Team 27158,
Data Encryption,
1999.
http://library.thinkquest.org/27158/
41
3 Prime Numbers
(Bernhard Esslinger, May 1999, Updates Nov. 2000, Dec. 2001, June 2003, May 2005, March
2006)
Albert Einstein
37
:
Progress requires exchange of knowledge.
3.1 What are prime numbers?
Prime numbers are whole, positive numbers greater than or equal to 2 that can only be divided
by 1 and themselves. All other natural numbers greater than or equal to 2 can be formed by
multiplying prime numbers.
The natural numbers N = 1, 2, 3, 4, thus comprise
the number 1 (the unit value)
the primes and
the composite numbers.
Prime numbers are particularly important for 3 reasons:
In number theory, they are considered to be the basic components of natural numbers, upon
which numerous brilliant mathematical ideas are based.
They are of extreme practical importance in modern cryptography (public key cryptogra-
phy). The most common public key procedure, invented at the end of the 1970s, is RSA
encryption. Only using (large) prime numbers for particular parameters can you guaran-
tee that an algorithm is secure, both for the RSA procedure and for even more modern
procedures (digital signature, elliptic curves).
The search for the largest known prime numbers does not have any practical usage known to
date, but requires the best computers, is an excellent benchmark (possibility for determining
the performance of computers) and leads to new calculation methods on many computers
(see also: http://www.mersenne.org/prime.htm).
Many people have been fascinated by prime numbers over the past two millennia. Ambition
to make new discoveries about prime numbers has often resulted in brilliant ideas and conclu-
sions. The following section provides an easily comprehensible introduction to the basics of prime
numbers. We will also explain what is known about the distribution (density, number of prime
numbers in particular intervals) of prime numbers and how prime number tests work.
37
Albert Einstein, German physicist and Nobel Prize winner, Mar 14, 1879 Apr 14, 1955.
42
3.2 Prime numbers in mathematics
Every whole number has a factor. The number 1 only has one factor, itself, whereas the number
12 has the six factors 1, 2, 3, 4, 6, 12. Many numbers can only be divided by themselves and by 1.
With respect to multiplication, these are the atoms in the area of numbers. Such numbers are
called prime numbers.
In mathematics, a slightly dierent (but equivalent) denition is used.
Denition 3.1. A whole number p N is called prime if p > 1 and p only possesses the trivial
factors 1 and p.
By denition, the number 1 is not a prime number. In the following sections, p will always denote
a prime number.
The sequence of prime numbers starts with
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, .
The rst 100 numbers include precisely 25 prime numbers. After this, the percentage of primes
constantly decreases. Prime numbers can be factorised in a uniquely trivial way:
5 = 1 5, 17 = 1 17, 1, 013 = 1 1, 013, 1, 296, 409 = 1 1, 296, 409.
All numbers that have 2 or more factors not equal 1 are called composite numbers. These include
4 = 2 2, 6 = 2 3
as well as numbers that look like primes, but are in fact composite:
91 = 7 13, 161 = 7 23, 767 = 13 59.
Theorem 3.1. Each whole number m greater than 1 possesses a lowest factor greater than 1.
This is a prime number p. Unless m is a prime number itself, then: p is less than or equal to the
square root of m.
All whole numbers greater than 1 can be expressed as a product of prime numbers in a unique
way. This is the claim of the 1st fundamental theorem of number theory (= fundamental theorem
of arithmetic = fundamental building block of all positive integers).
Theorem 3.2. Each element n of the natural numbers greater than 1 can be written as the
product n = p
1
p
2
. . . p
m
of prime numbers. If two such factorisations
n = p
1
p
2
p
m
= p

1
p

2
p

are given, then they can be reordered such that m = m

and for all i: p

i
= p

i
.
(p
1
, p
2
, . . . , p
m
are called the prime factors of n).
43
In other words: each natural number other than 1 can be written as a product of prime numbers
in precisely one way, if we ignore the order of the factors. The factors are therefore unique (the
expression as a product of factors is unique)! For example,
60 = 2 2 3 5 = 2
2
3
1
5
1
.
And this other than changing the order of the factors is the only way in which the number
60 can be factorised. If you allow numbers other than primes as factors, there are several ways
of factorising integers and the uniqueness is lost:
60 = 1 60 = 2 30 = 4 15 = 5 12 = 6 10 = 2 3 10 = 2 5 6 = 3 4 5 = .
The following section is aimed more at those familiar with mathematical logic: The 1st fundamen-
tal theorem only appears to be obvious . We can construct numerous other sets of numbers (i.e.
other than positive whole numbers greater than 1), for which numbers in the set cannot be ex-
pressed uniquely as a product of the prime numbers of the set: In the set M = 1, 5, 10, 15, 20,
there is no equivalent to the fundamental theorem under multiplication. The rst ve prime num-
bers of this sequence are 5, 10, 15, 20, 30 (note: 10 is prime, because 5 is not a factor of 10 in this
set the result is not an element of the given basic set M). Because the following applies in M:
100 = 5 20 = 10 10
and 5, 10, 20 are all prime numbers in this set, the expression as a product of prime factors is not
unique here.
3.3 How many prime numbers are there?
For the natural numbers, the primes can be compared to elements in chemistry or the elementary
particles in physics (see [Blum1999, p. 22]).
Although there are only 92 natural chemical elements, the number of prime numbers is unlimited.
Even the Greek, Euclid
38
knew this in the third century B.C.
Theorem 3.3 (Euclid
39
). The sequence of prime numbers does not discontinue. Therefore, the
quantity of prime numbers is innite.
38
Euclid, a Greek mathematician of 4th and 3rd century B.C. He worked at the Egyptian academy of Alexandria
and wrote The Elements, the most well known systematically textbook of the Greek mathematics.
39
The common usage of the term does not denote Euclid as the inventor of the theorem rather; the true inventor is
merely not as prominent. The theorem has already been distinguished and proven in Euclids Elements (Book IX,
theorem 20). The phraseology is remarkable due to the fact that the word innite is not used. The text reads as
followed
O o ` o` o `` ` o o o o o ` ,
the English translation of which is: the prime numbers are more than any previously existing amount of prime
numbers.
44
His proof that there is an innite number of primes is still considered to be a brilliant mathemat-
ical consideration and conclusion today (proof by contradiction ). He assumed that there is only
a nite number of primes and therefore a largest prime number. Based on this assumption, he
drew logical conclusions until he obtained an obvious contradiction. This meant that something
must be wrong. As there were no mistakes in the chain of conclusions, it could only be the
assumption that was wrong. Therefore, there must be an innite number of primes!
Euclids proof by contradiction goes as follows:
Proof
Assumption: There is a nite number of primes.
Conclusion: Then these can be listed p
1
< p
2
< p
3
< < p
n
, where n is the (nite)
number of prime numbers. p
n
is therefore the largest prime. Euclid now looks at the number
a = p
1
p
2
p
n
+1. This number cannot be a prime number because it is not included in our list
of primes. It must therefore be divisible by a prime, i.e. there is a natural number i between 1 and
n, such that p
i
divides the number a. Of course, p
i
also divides the product a 1 = p
1
p
2
p
n
,
because p
i
is a factor of a 1. Since p
i
divides the numbers a and a 1, it also divides the
dierence of these numbers. Thus: p
i
divides a (a 1) = 1. p
i
must therefore divide 1, which
is impossible.
Contradiction: Our assumption was false.
Thus there is an innite number of primes (Cross-reference: overview under 3.8.5 of the number
of prime numbers in various intervals).
Here we should perhaps mention yet another fact which is initially somewhat surprising. Namely,
in the prime numbers sequence p
1
, p
2
, , gaps between prime numbers can have an individually
determined length n. It is undeniable that under the n succession of natural numbers
(n + 1)! + 2, , (n + 1)! + (n + 1),
none of them is a prime number since in order, the numbers 2, 3, , (n + 1) are comprised
respectively as real divisors. (n! means the product of the rst n natural numbers therefore
n! = n (n 1) 2 1).
3.4 The search for extremely large primes
The largest prime numbers known today have several millions digits, which is too big for us to
imagine. The number of elementary particles in the universe is estimated to be only a 80-digit
number (See: overview under 3.8.7 of various orders of magnitude / dimensions).
45
3.4.1 The 10 largest known primes (as of March 2006)
The following table contains the top ten record primes and a description of its particular
number type
40
:
Denition Decimal Digits When Description
1 2
30,402,457
1 9,152,052 2005 Mersenne, 43rd known
2 2
25,964,951
1 7,816,230 2005 Mersenne, 42nd known
3 2
24,036,583
1 7,235,733 2004 Mersenne, 41st known
4 2
20,996,011
1 6,320,430 2003 Mersenne, 40th known
5 2
13,466,917
1 4,053,946 2001 Mersenne, M-39
6 28, 433 2
7,830,457
+ 1 2,357,207 2004 Generalized Mersenne
7 2
6,972,593
1 2,098,960 1999 Mersenne, M-38
8 5, 359 2
5,054,502
+ 1 1,521,561 2003 Generalized Mersenne
9 2
3,021,377
1 909,526 2001 Mersenne, M-37
10 2
2,976,221
1 895,932 2001 Mersenne, M-36
11 1, 372, 930
131,072
+ 1 804,474 2003 Generalized Fermat
41
Table 20: The 11 largest known primes and its particular number types (as of March 2006)
The largest known prime is a Mersenne prime. This prime was found by the GIMPS project
(chapter 3.4.2).
Within the largest known primes there are also numbers of the type generalized Mersenne number
(chapter 3.6.2) and generalized Fermat numbers (chapter 3.6.5).
3.4.2 Special number types Mersenne numbers and Mersenne primes
Almost all known huge prime numbers are special candidates, called Mersenne numbers
42
of the
form 2
p
1, where p is a prime. Not all Mersenne numbers are prime:
2
2
1 = 3 prime
2
3
1 = 7 prime
2
5
1 = 31 prime
2
7
1 = 127 prime
2
11
1 = 2, 047 = 23 89 NOT prime!
Even Mersenne knew that not all Mersenne numbers are prime (see exponent p = 11). A prime
Mersenne number is called Mersenne prime number.
However, he is to be thanked for the interesting conclusion that a number of the form 2
n
1
cannot be a prime number if n is a composite number:
40
An up-to-date version can be found in the internet at http://primes.utm.edu/largest.html.
41
1, 372, 930
131,072
+ 1 = 1, 372, 930
(2
17
)
+ 1
42
Marin Mersenne, French priest and mathematician, Sep 08, 1588 Sep 01, 1648.
46
Theorem 3.4 (Mersenne). If 2
n
1 is a prime number, then n is also a prime number.
Proof
The theorem of Mersenne can be proved by contradiction. We therefore assume that there exists
a composite natural number n (with real factorisation) n = n
1
n
2
, with the property that 2
n
1
is a prime number.
From
(x
r
1)((x
r
)
s1
+ (x
r
)
s2
+ +x
r
+ 1) = ((x
r
)
s
+ (x
r
)
s1
+ (x
r
)
s2
+ +x
r
)
((x
r
)
s1
+ (x
r
)
s2
+ +x
r
+ 1)
= (x
r
)
s
1 = x
rs
1,
we conclude
2
n
1
n
2
1 = (2
n
1
1)((2
n
1
)
n
2
1
+ (2
n
1
)
n
2
2
+ + 2
n
1
+ 1).
Because 2
n
1 is a prime number, one of the above two factors on the right-hand side must be
equal to 1. This is the case if and only if n
1
= 1 or n
2
= 1. But this contradicts our assumption.
Therefore the assumption is false. This means that there exists no composite number n, such
that 2
n
1 is a prime.
Unfortunately this theorem only applies in one direction (the inverse statement does not apply,
no equivalence): that means that there exist prime exponent for which the Mersenne number is
not prime (see the above example 2
11
1, where 11 is prime, but 2
11
1 not).
Mersenne claimed that 2
67
1 is a prime number. There is also a mathematical history behind
this claim: it rst took over 200 years before Edouard Lucas (1842-1891) proved that this number
is composite. However, he argued indirectly and did not name any of the factors. Then Frank
Nelson Cole
43
showed in 1903 which factors make up this composite number:
2
67
1 = 147, 573, 952, 589, 676, 412, 927 = 193, 707, 721 761, 838, 257, 287.
He admitted to having worked 20 years on the factorisation (expression as a product of prime
factors)
44
of this 21-digit decimal number!
Due to the fact that the exponents of the Mersenne numbers do not use all natural numbers, but
only the primes, the experimental space is limited considerably. The currently known Mersenne
43
Frank Nelson Cole, American mathematician, Sep. 20, 1861 May 26, 1926.
44
Using CrypTool you can factorize numbers in the following way: menu Indiv. Procedures \ RSA Cryptosys-
tem \ Factorisation of a Number.
CrypTool can factorize in a reasonable time numbers no longer than 250 bit. Numbers bigger than 1024 bits are
currently not accepted by CrypTool.
The current factorization records are listed in chapter 4.11.4.
47
prime numbers have the exponents
45
2; 3; 5; 7; 13; 17; 19; 31; 61; 89; 107; 127; 521; 607; 1, 279; 2, 203; 2, 281; 3, 217; 4, 253;
4, 423; 9, 689; 9, 941, 11, 213; 19, 937; 21, 701; 23, 207; 44, 497; 86, 243; 110, 503; 132, 049;
216, 091; 756, 839; 859, 433; 1, 257, 787; 1, 398, 269; 2, 976, 221; 3, 021, 377; 6, 972, 593;
13, 466, 917; 20, 996, 011; 24, 036, 583; 25, 964, 951; 30, 402, 457.
Thus 43 Mersenne prime numbers are currently known. For the rst 39 Mersenne prime numbers
we know that this list is complete. The exponents until the 40th Mersenne prime number have
not yet been checked completely
46
. The 19th number with the exponent 4, 253 was the rst with
at least 1, 000 digits in decimal system (the mathematician Samual Yates coined the expression
titanic prime for this; it was discovered by Hurwitz in 1961); the 27th number with the exponent
44, 497 was the rst with at least 10, 000 digits in the decimal system (Yates coined the expression
gigantic prime for this. These names are now long outdated).
M-37 January 1998
The 37th Mersenne prime,
2
3,021,377
1
was found in January 1998 and has 909,526 digits in the decimal system, which corresponds to
33 pages in the newspaper!
M-38 June 1999
The 38th Mersenne prime, called M-38,
2
6,972,593
1
was discovered in June 1999 and has 2, 098, 960 digits in the decimal system (that corresponds
to around 77 pages in the newspaper).
M-39 December 2001
The 39th Mersenne prime, called M-39,
2
13,466,917
1,
was published at December 6, 2001 more exactly, the verication of this number, found at
November 14, 2001 by the Canadian student Michael Cameron, was successfully completed. This
45
The following page from Landon Curt Noll contains all Mersenne primes including its date of discovery and its
value as number and as word: http://www.isthe.com/chongo/tech/math/prime/mersenne.html.
Also see: http://www.utm.edu/.
46
The current status of the check can be found at: http://www.mersenne.org/status.htm.
Hints, how the primality of a number can be checked, are in chapter 3.5, prime number tests.
48
number has about 4 million decimal digits (exactly 4,053,946 digits). Trying only to print this
number
(924947738006701322247758 1130073855470256259071)
would require around 200 pages in the Financial Times.
Right now (May 2005) all prime exponents smaller than 13.466.917 have been tested and double-
checked (see home page of the GIMPS project: http://www.mersenne.org): so we can be certain,
that this is really the 39th Mersenne prime number and that there are no smaller undiscovered
Mersenne primes (it is common usage to use the notation M-nn not until it is proven, that the
nn-th known Mersenne prime is really the nn-th Mersenne prime).
GIMPS
The GIMPS project (Great Internet Mersenne Prime Search) was founded in 1996 by George
Woltman to search for new largest Mersenne primes (http://www.mersenne.org). Further ex-
planations about this number type can be found under Mersenne numbers and Mersenne primes.
Right now the GIMPS project has discovered nine largest Mersenne primes so far, including the
largest known prime number at all.
The following table contains these Mersenne record primes
47,48
:
Denition Decimal Digits When Who
2
30,402,457
1 9,152,052 December 15, 2005 Curtis Cooper/Steven Boone
2
25,964,951
1 7,816,230 February 18, 2005 Martin Nowak
2
24,036,583
1 7,235,733 May 15, 2004 Josh Findley
2
20,996,011
1 6,320,430 November 17, 2003 Michael Shafer
2
13,466,917
1 4,053,946 November 14, 2001 Michael Cameron
2
6,972,593
1 2,098,960 June 1, 1999 Nayan Hajratwala
2
3,021,377
1 909,526 January 27, 1998 Roland Clarkson
2
2,976,221
1 895,932 August 24, 1997 Gordon Spence
2
1,398,269
1 420,921 November 1996 Joel Armengaud
Table 21: The largest primes found by the GIMPS project (as of March 2006)
Dr. Richard Crandall discovered the advanced transform algorithm used by the GIMPS program.
George Woltman implemented Crandalls algorithm in machine language, thereby producing a
prime-search program of unprecedented eciency, and that work led to the successful GIMPS
project.
On June 1st, 2003 a possible Mersenne prime was reported to the GIMPS server, which was
checked afterwards as usual, before it was to be published. Unfortunately mid June the initiator
47
An up-to-date version can be found in the internet at http://www.mersenne.org/history.htm.
48
Always, when a new record is published in the respective forums the same and often ironic discussions start: Is
there a deeper sense? Can this result be applied for anything useful? The answer is, that we dont know it yet. In
fundamental research one cannot see at once how it brings mankind forward.
49
and GIMPS project leader George Woltman had to tell, that two independent verication runs
proved the number was composite. This was the rst false positive report of a client in 7 years.
Now more than 130,000 volunteers, amateurs and experts, participate in the GIMPS project.
They connect their computers into the so called primenet, organized by the company entropia.
3.4.3 Challenge of the Electronic Frontier Foundation (EFF)
This search is also spurred on by a competition started by the non-prot organisation EFF
(Electronic Frontier Foundation) using the means of an unknown donator. The participants are
rewarded with a total of 500,000 USD if they nd the longest prime number. In promoting this
project, the unknown donator is not looking for the quickest computer, but rather wants to draw
peoples attention to the opportunities oered by cooperative networking
http://www.eff.org/coopawards/prime-release1.html
The discoverer of M-38 received 50,000 USD from the EFF for discovering the rst prime with
more than 1 million decimal digits.
The next prize of 100,000 USD oered by EFF is for a proven prime with more than 10 million
decimal digits.
According to the EFF rules for their prizes they oer in the next stage 150,000 USD for a proven
prime with more than 100 million decimal digits.
Edouard Lucas (1842-1891) held the record for the longest prime number for over 70 years by
proving that 2
127
1 is prime. No new record is likely to last that long.
3.5 Prime number tests
In order to implement secure encryption procedures we need extremely large prime numbers (in
the region of 2
2,048
, i.e. numbers with 600 digits in the decimal system!).
If we look for the prime factors in order to decide whether a number is prime, then the search takes
too long, if even the smallest prime factor is enormous. Factorising numbers using systematic
computational division or using the sieve of Eratosthenes is only feasible using current computers
for numbers with up to around 20 digits in the decimal system. The biggest number factorized
into its 2 almost equal prime factors has 200 digits (see RSA-200 in chapter 4.11.4).
However, if we know something about the construction of the number in question, there are
extremely highly developed procedures that are much quicker. These procedures can determine
the primality attribute of a number, but they cannot determine the prime factors of a number,
if it is compound.
In the 17th century, Fermat
49
wrote to Mersenne that he presumed that all numbers of the form
f(n) = 2
2
n
+ 1
are prime for all whole numbers n 0 (see below, chapter 3.6.4).
49
Pierre de Fermat, French mathematician, Aug 17, 1601 Jan 12, 1665.
50
As early as in the 19th century, it was discovered that the 29-digit number
f(7) = 2
2
7
+ 1
is not prime. However, it was not until 1970 that Morrison/Billhart managed to factorise it.
f(7) = 340, 282, 366, 920, 938, 463, 463, 374, 607, 431, 768, 211, 457
= 59, 649, 589, 127, 497, 217 5, 704, 689, 200, 685, 129, 054, 721
Despite Fermat was wrong with this supposition, he is the originator of an important theorem in
this area: Many rapid prime number tests are based on the (little) Fermat theorem put forward
by Fermat in 1640 (see chapter 4.8.3).
Theorem 3.5 (little Fermat). Let p be a prime number and a be any whole number, then for
all a
a
p
a mod p.
This could also be formulated as follows:
Let p be a prime number and a be any whole number that is not a multiple of p (also a , 0 mod p),
then a
p1
1 mod p.
If you are not used to calculate with remainders (modulo), please simply accept the theorem
or rst read chapter 4 Introduction to Elementary Number Theory with Examples. What is
important here is that this sentence implies that if this equation is not met for any whole number
a, then p is not a prime! The tests (e.g. for the rst formulation) can easily be performed using
the test basis a = 2.
This gives us a criterion for non-prime numbers, i.e. a negative test, but no proof that a number
a is prime. Unfortunately Fermats theorem does not apply otherwise we would have a simple
proof of the prime number property (or to put it in other words, we would have a simple prime
number criterion).
Pseudo prime numbers
Numbers n that have the property
2
n
2 mod n
but are not prime are called pseudo prime numbers (i.e. the exponent is not a prime). The rst
pseudo prime number is
341 = 11 31.
51
Carmichael numbers
There are pseudo prime numbers n that pass the Fermat test
a
n1
1 mod n
with all bases a which are relatively prime to n [gcd(a, n) = 1], despite these numbers n are not
prime: These numbers are called Carmichael numbers. The rst of these is
561 = 3 11 17.
Sample: The number to be tested is 561. Because 561 = 3 11 17 it is:
The test condition a
560
mod 561 = 1 is satied for a = 2, 4, 5, 7, ,
but not for a = 3, 6, 9, 11, 12, 15, 17, 18, 21, 22, .
This means the test condition must not be satised for multiples of the prime factors 3, 11 or 17.
The test applied for a = 3 results in: 3
560
mod 561 = 375.
The test applied for a = 5 results in: 5
560
mod 561 = 1.
Strong pseudo prime numbers
A stronger test is provided by Miller/Rabin
50
: it is only passed by so-called strong pseudo prime
numbers. Again, there are strong pseudo prime numbers that are not primes, but this is much
less often the case than for (simple) pseudo prime numbers or for Carmichael numbers. The
smallest strong pseudo prime number base 2 is
15, 841 = 7 31 73.
If you test all 4 bases, 2, 3, 5 and 7, you will nd only one strong pseudo prime number up to
25 10
9
, i.e. a number that passes the test and yet is not a prime number.
More extensive mathematics behind the Rabin test delivers the probability that the number
examined is prime (such probabilities are currently around 10
60
).
Detailed descriptions of tests for nding out whether a number is prime can be found on Web
sites such as:
http://www.utm.edu/research/primes/mersenne.shtml
http://www.utm.edu/research/primes/prove/index.html
50
In 1976 an ecient probabilistic primality test was published by Prof. Rabin, based on a number theoretic result
of Prof. Miller from the year before.
Prof. Miller worked at the Carnegie-Mellon University, School of Computer Science. Prof. Rabin, born in 1931,
worked at the Harvard and Hebrew University.
52
3.6 Overview special number types and the search for a formula for primes
There are currently no useful, open (i.e. not recursive) formulae known that only deliver prime
numbers (recursive means that in order to calculate the function the same function is used with
a smaller variable). Mathematicians would be happy if they could nd a formula that leaves
gaps (i.e. does not deliver all prime numbers) but does not deliver any composite (non-prime)
numbers.
Ideally, we would like, for the number n, to immediately be able to obtain the n-th prime number,
i.e. for f(8) = 19 or for f(52) = 239.
Ideas for this can be found at
http://www.utm.edu/research/primes/notes/faq/p n.html.
Cross-reference: the table under 3.8.6 contains the precise values for the nth prime numbers for
selected n.
For prime number formulae usually very special types of numbers are used. The following
enumeration contains the most common ideas for prime number formulae, and what our current
knowledge is about very big elements of the number series: Is their primality proven? If their are
compound numbers could their prime factors be determined?
3.6.1 Mersenne numbers f(n) = 2
n
1 for n prime
As shown above, this formula seems to deliver relatively large prime numbers but - as for n = 11
[f(n) = 2, 047] - it is repeatedly the case that the result even with prime exponents is not prime.
Today, all the Mersenne primes having less than around 4,000,000 digits are known (M-39):
http://perso.wanadoo.fr/yves.gallot/primes/index.html
3.6.2 Generalized Mersenne numbers f(k, n) = k 2
n
1 for n prime and k small
prime
For this rst generalisation of the Mersenne numbers there are (for small k) also extremely quick
prime number tests (see [Knuth1981]). This can be performed in practice using software such as
the Proths software from Yves Gallot
http://www.prothsearch.net/index.html.
3.6.3 Generalized Mersenne numbers f(b, n) = b
n
1 / The Cunningham project
This is another possible generalisation of the Mersenne numbers. The Cunningham project
determines the factors of all composite numbers that are formed as follows:
f(b, n) = b
n
1 for b = 2, 3, 5, 6, 7, 10, 11, 12
(b is not equal to multiples of bases already used, such as 4, 8, 9).
Details of this can be found at:
53
http://www.cerias.purdue.edu/homes/ssw/cun
3.6.4 Fermat numbers
51
f(n) = 2
2
n
+ 1
As mentioned above in chapter 3.5, Fermat wrote to Mersenne regarding his assumption, that
all numbers of this type are primes. This assumption was disproved by Euler (1732). The prime
641 divides f(5)
52
.
f(0) = 2
2
0
+ 1 = 2
1
+ 1 = 3 prime
f(1) = 2
2
1
+ 1 = 2
2
+ 1 = 5 prime
f(2) = 2
2
2
+ 1 = 2
4
+ 1 = 17 prime
f(3) = 2
2
3
+ 1 = 2
8
+ 1 = 257 prime
f(4) = 2
2
4
+ 1 = 2
16
+ 1 = 65,537 prime
f(5) = 2
2
5
+ 1 = 2
32
+ 1 = 4,294,967,297 = 641 6,700,417 NOT prime!
f(6) = 2
2
6
+ 1 = 2
64
+ 1 = 18,446,744,073,709,551,617
= 274,177 67,280,421,310,721 NOT prime!
f(7) = 2
2
7
+ 1 = 2
128
+ 1 = (see page 51) NOT prime!
Within the project Distributed Search for Fermat Number Dividers oered by Leonid Durman
there is also progress in nding new monster primes:
http://www.fermatsearch.org/
This website links to other webpages in Russian, Italian and German.
The discovered factors can be compound integers or primes.
On February 22, 2003 John Cosgrave discovered
the largest composite Fermat number to date and
the largest prime non-simple Mersenne number so far with 645,817 decimal digits.
The Fermat number
f(2, 145, 351) = 2
(2
2,145,351
)
+ 1
is divisible by the prime
p = 3 2
2,145,353
+ 1
At that time this prime p was the largest known prime generalized Mersenne number and the
5th largest known prime number at all.
This work was done using NewPGen from Paul Joblings, PRP from George Woltmans, Proth
from Yves Gallots programs and also the Proth-Gallot group at St. Patricks College, Dublin.
More details are in
http://www.fermatsearch.org/history/cosgrave record.htm/
51
The Fermat prime numbers play a role in circle division. As proven by Gauss a regular p-edge can only be
constructed with the use of a pair of compasses and a ruler, when p is a Fermat prime number.
52
Surprisingly this number can easily be found by using Fermats theorem (see e.g. [Scheid1994, p. 176])
54
3.6.5 Generalized Fermat numbers
53
f(b, n) = b
2
n
+ 1
Generalized Fermat numbers are more numerous than Mersenne numbers of a equal size and
many of them are waiting to be discovered to ll the big gaps between the Mersenne primes
already found or still undiscovered. Progress in number theory made it possible that numbers,
where the representation is not limited to the base 2, can be tested at almost the same speed
than a Mersenne number.
Yves Gallot wrote the program Proth.exe to investigate generalized Fermat numbers.
Using this program at February 16, 2003 Michael Angel discovered the largest of them till then
with 628,808 digits, which at that time became the 5th largest known prime number:
b
2
17
+ 1 = 62, 722
131,072
+ 1.
More details are in
http://primes.utm.edu/top20/page.php?id=12
3.6.6 Carmichael numbers
As mentioned above in chapter 3.5 not all Carmichael numbers are prime.
3.6.7 Pseudo prime numbers
See above in chapter 3.5.
3.6.8 Strong pseudo prime numbers
See above in chapter 3.5.
3.6.9 Idea based on Euclids proof p
1
p
2
p
n
+ 1
This idea is based on Euclids proof that there are innite many prime numbers.
23 + 1 = 7 prime
235 + 1 = 31 prime
2357 + 1 = 211 prime
23 11 + 1 = 2, 311 prime
2 3 13 + 1 = 59 509 NOT prime!
2 3 17 + 1 = 19 97 277 NOT prime!
53
The base of this power is no longer restricted to 2 .
Even more generic would be: f(b, c, n) = b
c
n
1
55
3.6.10 As above but 1 except +1: p
1
p
2
p
n
1
2 3 1 = 5 prime
2 3 5 1 = 29 prime
2 3 7 1 = 11 19 NOT prime!
2 3 11 1 = 2, 309 prime
2 3 13 1 = 30, 029 prime
2 3 17 1 = 61 8, 369 NOT prime!
3.6.11 Euclidean numbers e
n
= e
0
e
1
e
n1
+ 1 with n 1 and e
0
:= 1
e
n1
is not the (n 1)th prime number, but the number previously found here. Unfortunately
this formula is not open but recursive. The sequence starts with
e
1
= 1 + 1 = 2 prime
e
2
= e
1
+ 1 = 3 prime
e
3
= e
1
e
2
+ 1 = 7 prime
e
4
= e
1
e
2
e
3
+ 1 = 43 prime
e
5
= e
1
e
2
e
4
+ 1 = 13 139 NOT prime!
e
6
= e
1
e
2
e
5
+ 1 = 3, 263, 443 prime
e
7
= e
1
e
2
e
6
+ 1 = 547 607 1, 033 31, 051 NOT prime!
e
8
= e
1
e
2
e
7
+ 1 = 29, 881 67, 003 9, 119, 521 6, 212, 157, 481 NOT prime!
e
9
, , e
17
are also composite, which means that this formula is not particularly useful.
Remark: However, what is special about these numbers is that any pair of them does not have a
common factor other than 1
54
. Therefore they are relatively prime.
3.6.12 f(n) = n
2
+n + 41
This sequence starts o very promisingly, but is far from being a proof.
54
This can easily be shown via the following greatest common divisor (gcd) rule gcd(a, b) = gcd(b b/a, a) (see
page 136): We have for i < j:
gcd(e
i
, e
j
) gcd(e
1
e
i
e
j1
, e
j
) = gcd(e
j
e
1
e
i
e
j1
, e
1
e
i
e
j1
) = gcd(1, e
1
e
i
e
j1
) = 1.
56
f(0) = 41 prime
f(1) = 43 prime
f(2) = 47 prime
f(3) = 53 prime
f(4) = 61 prime
f(5) = 71 prime
f(6) = 83 prime
f(7) = 97 prime
.
.
.
f(33) = 1, 163 prime
f(34) = 1, 231 prime
f(35) = 1, 301 prime
f(36) = 1, 373 prime
f(37) = 1, 447 prime
f(38) = 1, 523 prime
f(39) = 1, 601 prime
f(40) = 1681 = 41 41 NOT prime!
f(41) = 1763 = 41 43 NOT prime!
The rst 40 values are prime numbers (which have the obvious regularity that their dierence
starts with 2 and increases by 2 each time), but the 41th and 42th values are not prime numbers. It
is easy to see that f(41) cannot be a prime number: f(41) = 41
2
+41+41 = 41(41+1+1) = 4143.
57
3.6.13 f(n) = n
2
79 n + 1, 601
This function delivers prime numbers for all values from n = 0 to n = 79. Unfortunately
f(80) = 1, 681 = 11 151 is not a prime number. To this date, no function has been found that
delivers more prime numbers in a row. On the other hand, each prime occurs twice (rst in the
decreasing then in the increasing sequence), which means that the algorithm delivers a total of
40 dierence prime values (the same ones as delivered by the function in chapter 3.6.12).
f(0) = 1, 601 prime f(28) = 173 prime
f(1) = 1, 523 prime f(29) = 151 prime
f(2) = 1, 447 prime f(30) = 131 prime
f(3) = 1, 373 prime f(31) = 113 prime
f(4) = 1, 301 prime f(32) = 97 prime
f(5) = 1, 231 prime f(33) = 83 prime
f(6) = 1, 163 prime f(34) = 71 prime
f(7) = 1, 097 prime f(35) = 61 prime
f(8) = 1, 033 prime f(36) = 53 prime
f(9) = 971 prime f(37) = 47 prime
f(10) = 911 prime f(38) = 43 prime
f(11) = 853 prime f(39) = 41 prime
f(12) = 797 prime f(40) = 41 prime
f(13) = 743 prime f(41) = 43 prime
f(14) = 691 prime f(42) = 47 prime
f(15) = 641 prime f(43) = 53 prime
f(16) = 593 prime
f(17) = 547 prime f(77) = 1, 447 prime
f(18) = 503 prime f(78) = 1, 523 prime
f(19) = 461 prime f(79) = 1, 601 prime
f(20) = 421 prime f(80) = 41 41 NOT prime!
f(21) = 383 prime f(81) = 41 43 NOT prime!
f(22) = 347 prime f(82) = 1, 847 prime
f(21) = 383 prime f(83) = 1, 933 prime
f(22) = 347 prime f(84) = 43 47 NOT prime!
f(23) = 313 prime
f(24) = 281 prime
f(25) = 251 prime
f(26) = 223 prime
f(27) = 197 prime
3.6.14 Polynomial functions f(x) = a
n
x
n
+a
n1
x
n1
+ +a
1
x
1
+a
0
(a
i
in Z, n 1)
There exists no such polynomial that for all x in Z only delivers prime values. For a proof of
this, please refer to [Padberg1996, p. 83 f.], where you will also nd further details about prime
number formulae.
58
This means there is no hope in looking for further formulae (functions) similar to that in
chap. 3.6.12 or chap. 3.6.13.
3.6.15 Catalans conjecture
55
Catalan conjectured that C
4
is a prime:
C
0
= 2,
C
1
= 2
C
0
1,
C
2
= 2
C
1
1,
C
3
= 2
C
2
1,
C
4
= 2
C
3
1,
(see http://www.utm.edu/research/primes/mersenne.shtml under Conjectures and Unsolved
Problems).
This sequence is also dened recursively and increases extremely quickly. Does it only consist of
primes?
C(0) = 2 prime
C(1) = 2
2
1 = 3 prime
C(2) = 2
3
1 = 7 prime
C(3) = 2
7
1 = 127 prime
C(4) = 2
127
1 = 170, 141, 183, 460, 469, 231, 731, 687, 303, 715, 884, 105, 727 prime
It is not (yet) known whether C
5
and all higher elements are prime, but this is not very likely.
In any case, it has not been proved that this formula delivers only primes.
3.7 Density and distribution of the primes
As Euclid discovered, there is an innite number of primes. However, some innite sets are denser
than others. Within the set of natural numbers, there is an innite number of even, uneven and
square numbers.
The following proves that there are more even numbers than square ones:
the size of the nth element:
The nth element of the even numbers is 2n; the nth element of the square numbers is n
2
.
Because for all n > 2: 2n < n
2
, the nth even number occurs much earlier than the nth
square number. Thus the even numbers are distributed more densely and we can say that
there are more even numbers than square ones.
55
Eugene Charles Catalan, Belgian mathematician, May 5, 1814Feb 14, 1894.
After him the so-called Catalan numbers A(n) = (1/(n + 1)) (2n)!/(n!)
2
= 1, 2, 5, 14, 42, 132, 429, 1430, 4862, 16796, 58786, 208012, 742900, 2674440, 9694845, ... are named.
59
the number of values that are less than or equal to a certain maximum value x in R is:
There are [x/2] such even numbers and [

x] square numbers. Because for large x the value

x/2 is much greater than the square root of 2, we can again say that there are more even
numbers.
The value of the n-th prime P(n)
Theorem 3.6. For large n: The value of the n-th prime P(n) is asymptotic to n ln(n), i.e. the
limit of the relation P(n)/(n lnn) is equal to 1 if n tends to innity.
For n > 5, P(n) lies between 2n and n
2
. This means that there are fewer prime numbers than
even natural numbers but more prime numbers than square numbers
56
.
The number of prime numbers PI(x)
The denition is similar for the number of prime numbers PI(x) that do not exceed the maximum
value x:
Theorem 3.7. PI(x) is asymptotic to x/ln(x).
This is the prime number theorem. It was put forward by Legendre
57
and Gauss
58
but not
proved until over 100 years later.
Cross-reference: The overview under 3.8.5 shows the number of prime numbers in various inter-
vals.
These formulae, which only apply when n tends to innity, can be replaced by more precise
formulae. For x 67:
ln(x) 1, 5 < x/PI(x) < ln(x) 0, 5
Given that we know PI(x) = x/ lnx only for very large x (x tending towards innity), we can
create the following overview:
x ln(x) x/ln(x) PI(x)(counted) PI(x)/(x/ln(x))
10
3
6.908 144 168 1.160
10
6
13.816 72, 386 78, 498 1.085
10
9
20.723 48, 254, 942 50, 847, 534 1.054
For a binary number
59
x of the length of 250 bits (2
250
is approximately = 1.809251 10
75
) it is:
PI(x) = 2
250
/(250 ln2) is approximately = 2
250
/173.28677 = 1.045810 10
73
.
56
Please refer to the table 3.8.6
57
Adrien-Marie Legendre, French mathematician, Sep 18, 1752 Jan 10, 1833.
58
Carl Friedrich Gauss, German mathematician and astronomer, Apr 30, 1777Feb 23, 1855.
59
Number written in the binary system consists only of the digits 0 and 1.
60
We can therefore expect that the set of numbers with a bit length of less than 250 contains
approximately 10
73
primes (a reassuring result?!).
We can also express this as follows: Let us consider a random natural number n. Then the
probability that this number is prime is around 1/ ln(n). For example, let us take numbers in
the region of 10
16
. Then we must consider 16 ln10 = 36, 8 numbers (on average) until we nd
a prime. A precise investigation shows: There are 10 prime numbers between 10
16
370 and
10
16
1.
Under the heading How Many Primes Are There at
http://www.utm.edu/research/primes/howmany.shtml
you will nd numerous other details.
Using the following Web site:
http://www.math.Princeton.EDU/~arbooker/nthprime.html
you can easily determine PI(x).
The distribution of primes displays several irregularities for which no system has yet been
found: On the one hand, many occur closely together, like 2 and 3, 11 and 13, 809 and 811, on
the other hand large gaps containing no primes also occur. For example, no primes lie between
113 and 127, 293 and 307, 317 and 331, 523 and 541, 773 and 787, 839 and 853 as well as between
887 and 907.
For details, please see:
http://www.utm.edu/research/primes/notes/gaps.html
This is precisely part of what motivates mathematicians to discover its secrets.
Sieve of Eratosthenes
An easy way of calculating all PI(x) primes less than or equal to x is to use the sieve of Eratos-
thenes. In the 3rd century B.C., he found an extremely easy, automatic way of nding this out.
To begin with, you write down all numbers from 2 to x, circle 2, then cross out all multiples of 2.
Next, you circle the lowest number that hasnt been circled or crossed out (3) and again cross out
all multiples of this number, etc. You only need to continue until you reach the largest number
whose square is less than or equal to x.
Apart from 2, prime numbers are never even. Apart from 2 and 5, prime numbers never end in
2, 5 or 0. So you only need to consider numbers ending in 1, 3, 7, 9 anyway (there are innite
primes ending in these numbers; see [Tietze1973, vol. 1, p. 137]).
You can now nd a large number of nished programs on the Internet - often complete with
source code - allowing you to experiment with large numbers yourself (see chapter 3.6). You also
have access to large databases that contain either a large number of primes or the factorisation
of numerous composite numbers.
61
3.8 Notes about primes
Further interesting topics regarding prime numbers
This chapter 3 didnt consider other number theory topics such as divisibility rules, modulus
calculation, modular inverses, modular powers, modular roots, Chinese remainder theorem, Euler
Phi function or perfect numbers. Some of these topics are considered in the next chapter
(chapter 4).
The following notes list some interesting theorems, conjectures and open questions about primes,
but also some quaint things and overviews.
3.8.1 Proven statements / theorems about primes
For each number n in N there are n consecutive natural numbers that are not primes. A
proof of this can be found in [Padberg1996, p. 79].
Paul Erdos
60
proved: Between each random number not equal to 1 and its double, there
is at least one prime. He was not the rst to prove this theorem, but proved it in a much
simpler manner than those before him.
There is a real number a such that the function f : N Z where n a
3
n
only delivers
primes for all n (see [Padberg1996, p. 82]). Unfortunately, problems arise when we try to
determine a (see below).
There are arithmetic prime sequences of arbitrary length
61
.
In 1923 the famous British mathematician Godfrey Harold Hardy
62
compiled the conjecture,
that there are arithmetic sequences of arbitrary length, which consist of primes only. This
conjecture was proven in 2004 by two young American mathematicians.
At some point every school child learns about arithmetic number series. These are sequences
of numbers, for which the dierence between any 2 consecutive numbers is equal or constant
(an arithmetic sequence must have at least three elements but can also have indenitely
many). In the sample sequence 5, 8, 11, 14, 17, 20 the dierence between the series elements
is 3 and the length of the sequence is 6.
Arithmetic series have been known for millennia and one would think they have no more
secrets. They get more interesting again, if we impose additional constraints on the series
elements - as the prime example shows.
E.g. 5, 17, 29, 41, 53 is an arithmetic prime series which consists of 5 elements and the
dierence between the elements is always 12.
60
Paul Erdos, Hungarian mathematician, Mar 26, 1913Sep 20, 1996.
61
Sources:
- http://primes.utm.edu/glossary/page.php?sort=ArithmeticSequence Original source
- German magazine GEO 10 / 2004: Experiment mit Folgen
- http://www.faz.net Hardys Vermutung Primzahlen ohne Ende by Heinrich Hemme (July 06, 2004)
62
Godfrey Harold Hardy, British mathematician, Feb 7, 1877Dec 1, 1947.
62
The sequence is not extendable - the next would be 65, but 65 is not prime (65 is the
product of 5 and 13).
How many elements are possible within an arithmetic prime number sequence? Around
1770 the French Joseph-Louis Lagrange and the British Edward Waring investigated this
question. In 1923 the famous British mathematician Godfrey Harold Hardy and his col-
league John Littlewood theorized, that there is no upper limit for the number of elements.
But they could not prove this. In 1939 more progress was achieved. The Dutch mathemati-
cian Johannes van der Corput was able to prove that there are innitely many dierent
arithmetic prime number sequences with exactly three elements. Two examples are 3, 5, 7
and 47, 53, 59.
The longest arithmetic prime number sequence known today contains 23 elements.
# of elements First element Distance When Discovered by
22 11,410,337,850,553 4,609,098,694,200 1993 Paul A. Pritchard,
Andrew Moran,
Anthony Thyssen
22 376,859,931,192,959 18,549,279,769,020 2003 Markus Frind
23 56,211,383,760,397 44,546,738,095,860 2004 Markus Frind,
Paul Jobling,
Paul Underwood
Table 22: The longest arithmetic prime number sequences (as of May 2005)
As a team, the two young
63
mathematicians Ben Green and Terence Tao, were able in 2004
to prove Hardys conjecture, which had puzzled mathematicians for over 80 years: It states,
that for any arbitrary length there exists an arithmetic prime number series. Additionally
they managed to prove, that for any given length there are innitely many dierent series.
Green and Tao intended to proof that there are innitely many arithmetic sequences of
length four. For this they considered sets of numbers consisting of primes and so called
near primes. These are numbers with a small set of divisors like numbers which are the
product of two primes - these numbers are called half primes . Thus they managed to
considerably simplify their work because about near primes there already existed a lot of
useful theorems. Finally they discovered that the results of their theorem were far more
reaching than they had assumed and so they were able to prove Hardys conjecture.
Any one who believes that it is easy to use Greens and Taos 49 page proof to compute
arithmetic prime number series of arbitrary length will soon become disappointed, because
63
Hardy wrote in his memoirs in 1940, that mathematics - more than all other arts and sciences - is an activity for
young people.
At that time 27-years-old Ben Green from the University of British Columbia in Vancouver and 29-year-old Terence
Tao from the University of California in Los Angeles seem to conrm Hardy.
63
the proof is non-constructive. It is a so called proof of existance. This means that these
mathematicians have shown only that these series exist, but not how to nd them in
practice.
This means that in the set of the natural numbers there is e.g. a series of one billion
primes, which all have the same distance; and there are innitely many of them. But these
sequences lie extremely far beyond the numbers we usually use (far outside).
If someone wants to discover such sequences he should consider the following thought. The
length of a sequence determines the minimal common distance between the single primes of
the sequence. Given a sequence with 6 elements the distance between them has to be 30 or a
multiple of 30. The number 30 results as the product of all primes smaller than the length of
the sequence. So its the product of all primes smaller than 6: 235 = 30. If you look for a
sequence with 15 elements, then the common distance is at least 23571113 = 30.030.
This means that the length of an arithmetic prime sequence can be arbitrary big, but the
distance between the elements cannot be any arbitrary number. E.g. there is no arithmetic
prime sequence with the distance 100, because 100 cannot be divided by 3.
If you take the sequences above (with the lengths of 22 and 23) and look at the factors of
their distances, you get:
4, 609, 098, 694, 200 = 2
3
3 5
2
7 11 13 17 19 23 1033
18, 549, 279, 769, 020 = 2
2
3 5 7
2
11 13 17 19 23 5939
44, 546, 738, 095, 860 = 2
2
3 5 7 11 13 17 19 23 99, 839
Further restriction: If you look at arithmetic prime sequences, which fulll the additional
requirement, that all primes are consecutive, then its getting even more complicated. At
the website of Chris Caldwell
64
you can nd further hints: the longest known arithmetic
prime sequence, consisting only of directly consecutive primes, has a length of 10 and the
distance is 210 = 2 3 5 7.
3.8.2 Unproven statements / conjectures about primes
Christian Goldbach
65
conjectured: Every even natural number greater than 2 can be repre-
sented as the sum of two prime numbers. Computers have veried
66
the Goldbach conjecture
64
http://primes.utm.edu/glossary/page.php?sort=ArithmeticSequence
65
Christian Goldbach, German mathematician, Mar 18, 1690Nov 20, 1764.
66
It is generally accepted today, that the Goldbach Conjecture is true, i. e. valid for all even natural num-
bers greater than 2. In 1999, mathematician Jorg Richstein from the computer sciences institute at the
University of Giessen, studied even numbers up to 400 billion and found no contradictory example (see
http://www.mscs.dal.ca/~joerg/res/g-en.html,
http://en.wikipedia.org/wiki/Goldbachs conjecture,
http://primes.utm.edu/glossary/page.php/GoldbachConjecture.html ).
64
for all even numbers up to 4 10
14
but no general proof has yet been found
67
.
Bernhard Riemann
68
put forward a formula for the distribution of primes that would further
improve the estimate. However, this has neither been proved nor disproved so far.
3.8.3 Open questions
Twin primes are prime numbers whose dierence is 2. Examples include 5 and 7 or 101 and 103.
Triplet primes, however, only occur once: 3, 5, 7. For all other sets of three consecutive uneven
numbers, one of them is always divisible by 3 and thus not a prime.
The number of twin primes is an open question: innite or limited number? The largest
twin primes known today are 1, 693, 965 2
66,443
1.
Does a formula exist for calculating the number of twin primes per interval?
The above proof of the function f : N Z with n a
3
n
only guarantees the existence of
such a number a. How can we determine this number a and will it have a value, making
the function also of some practical interest?
Is there an innite number of Mersenne prime numbers?
Is there an innite number of Fermat prime numbers?
Does a polynomial time algorithm exist for calculating the prime factors of a number (see
[Klee1997, p. 167])? This question can be divided into the three following questions:
Does a polynomial time algorithm exist that decides whether a number is prime?
This question has been answered by the AKS algorithm (see chapter 4.11.5, Primes
in P: Primality testing is polynomial).
Nevertheless, this does not provide us with general proof.
The fact is that despite all eorts, Goldbachs conjecture has to date not been proven. This leads one to believe
that since the pioneer work of the Austrian mathematician Kurt Godel is well-known, not every true mathematical
theorem is provable (see http://www.mathematik.ch/mathematiker/goedel.html). Perhaps Goldbachs conjecture
was correct, but in any case the proof will never be found. Conversely, that will presumably also remain unproven.
67
The English publisher Faber and the American publisher Bloomsbury issued in 2000 the 1992 published book Uncle
Petros and Goldbachs Conjecture by Apostolos Doxiadis. Its the story of an old maths professor who fails to
prove a more than 250 year old puzzle. To boost the sales gures the English and American publishers have oered
a prize of 1 million USD, if someone can prove the conjecture which should be published by 2004 in a well-known
mathematical journal.
Surprisingly only British and American citizens are allowed to participate.
The theorem which has come closest so far to Goldbachs conjecture was proved by Chen Jing-Run in 1966 in a
way which is somewhat hard to understand: Each even integer greater than 2 is the sum of one prime and of the
product of two primes. E.g.: 20 = 5 + 3 5.
Most of the research about the Goldbach conjecture is collected in the book: Goldbach Conjecture, ed. Wang
Yuan, 1984, World scientic Series in Pure Maths, Vol. 4.
Especially this conjecture makes it clear, that even today we do not have a complete understanding of the deeper
connections between addition and multiplication of natural numbers.
68
Bernhard Riemann, German mathematician, Sep 17, 1826Jul 20, 1866.
65
Does a polynomial time algorithm exist that calculates for a composite number from
how many prime factors it is made up (without calculating these factors)?
Does a polynomial time algorithm exist that calculates for a composite number n a
non-trivial (i.e. other than 1 and n) factor of n?
69
At the end of chapter 4.11.4, section RSA-200 you can see the dimensions of the numbers where
the current algorithms testing for primality and calculating the factorization deliver results.
3.8.4 Quaint and interesting things around primes
70
Primes are not only a very active and serious research area in mathematics. Also a lot of people
think about them in their freetime and outside the scientic research.
Recruitment at Google in 2004
In summer 2004 the company Google used the number e
71
to attract potential employees
72
.
On a promiment billboard in Californias Silicon Valley on July 12 there appeared the following
mysterious puzzle:
(rst 10 digit prime in consecutve digits of e).com
Finding the rst 10 digit prime in the decimal expansion of e is not easy, but with various software
tools, one can determine that the answer is
7, 427, 466, 391
Then if you visited the website www.7427466391.com, you were presented with an even more
dicult puzzle. Figuring this second puzzle out took you to a web page that asks you, to submit
your CV to Google. The ad campaign got high attention.
Presumably Googles conceit was that if youre smart enough to solve the puzzles, youre smart
enough to work for them. Of course some days after the lauch, anyone who really wanted to
69
Please compare chapters 4.11.5 and 4.11.4.
70
Further curious things about primes may be found at:
- http://primes.utm.edu/curios/home.php
- http://www.primzahlen.de/files/theorie/index.htm.
71
The base of the natural logarithm e is approximately 2.718 281 828 459. This is one of the most important numbers
in all of mathematics like complex analysis, nance, physics and geometry. Now it was used the rst time as far
as I know for marketing or recruitment.
72
Most of this information is taken from the article e-number crunching by John Allen Paulos in TheGuardian,
Sept. 30, 2004, and from the web:
- http://www.mkaz.com/math/google/
- http://epramono.blogspot.com/2004/10/7427466391.html
- http://mathworld.wolfram.com/news/2004-10-13/google/
- http://www.math.temple.edu/~paulos/.
66
discover the answers without incurring a headache could merely do a Google search for them,
since many solvers immediately posted their solutions online.
73
Contact [Directed by Robert Zemeckis, 1997] Primes helping to contact aliens
The movie originated from Carl Sagans book with the same title.
After years of unavailing search the radio astronomer Dr. Ellie Arroway (Jodie Foster) discovers
signals from the solar system Vega, 26 light years away. These signals contain the primes in the
right order and without a gap. This makes the hero condent, that this message is dierent from
the radio signals which permanently hit earth and which are random and of cosmic origin (radio
galaxies, pulsars). In an unmasking scene a politician asks her after that, why these intelligent
aliens didnt just speak English ...
Doing communication with absolute strange and unknown beings from deep space is very hard
especially because of 2 reasons: First the big distance and therefore the long transfer time makes
it impossible to exchange within an average lifetime more than one message in each direction
one after the other. Secondly the rst contact must give the receiver of the radio signals a good
chance to notice the message and to categorize it as something from intelligent beings. Therefore
the aliens send numbers at the beginning of their message, which can be considered as the easiest
part of any higher language, and which are not too trivial: so they chose the sequence of primes.
These special numbers play such a fundamental role in mathematics that one can assume that
they are well known to each species who has the technical know-how to receive radio waves.
The aliens then send a plan to build a mysterious machine ...
73
The second level of the puzzle, which involved nding the 5th term of a given number sequence had nothing to do
with primes any more.
67
3.8.5 Number of prime numbers in various intervals
Ten-sized intervals Hundred-sized intervals Thousand-sized intervals
Interval Number Interval Number Interval Number
1-10 4 1-100 25 1-1000 168
11-20 4 101-200 21 1001-2000 135
21-30 2 201-300 16 2001-3000 127
31-40 2 301-400 16 3001-4000 120
41-50 3 401-500 17 4001-5000 119
51-60 2 501-600 14 5001-6000 114
61-70 2 601-700 16 6001-7000 117
71-80 3 701-800 14 7001-8000 107
81-90 2 801-900 15 8001-9000 110
91-100 1 901-1000 14 9001-10000 112
Table 23: How many primes exist within the rst intervals of tens?
Interval Number Average number per 1000
1 - 10,000 1,229 122.900
1 - 100,000 9,592 95.920
1 - 1,000,000 78,498 78.498
1 - 10,000,000 664,579 66.458
1 - 100,000,000 5,761,455 57.615
1 - 1,000,000,000 50,847,534 50.848
1 - 10,000,000,000 455,052,512 45.505
Table 24: How many primes exist within the rst intervals of dimensions?
68
3.8.6 Indexing prime numbers (n-th prime number)
Index Precise value Rounded value Comment
1 2 2
2 3 3
3 5 5
4 7 7
5 11 11
6 13 13
7 17 17
8 19 19
9 23 23
10 29 29
100 541 541
1,000 7,917 7,917
664,559 9,999,991 9.99999E+06 All prime numbers up to 1E+07 were known
at the beginning of the 20th century.
1E+06 15,485,863 1.54859E+07
6E+06 104,395,301 1.04395E+08 This prime was discovered in 1959.
1E+07 179,424,673 1.79425E+08
1E+09 22,801,763,489 2.28018E+10
1E+12 29,996,224,275,833 2.99962E+13
Table 25: List of particular n-th prime numbers
Comment: With gaps, extremely large prime numbers were discovered at an early stage.
Web links:
http://www.math.Princeton.EDU/arbooker/nthprime.html.
http://www.utm.edu/research/primes/notes/by year.html.
69
3.8.7 Orders of magnitude / dimensions in reality
In the description of cryptographic protocols and algorithms, numbers occur that are so large
or so small that they are inaccessible to our intuitive understanding. It may therefore be useful
to provide comparative numbers from the real world around us so that we can develop a feeling
for the security of cryptographic algorithms. Some of the numbers listed below originate from
[Schwenk1996] and [Schneier1996, p.18].
Probability that you will be hijacked on your next ight 5.5 10
6
Annual probability of being hit by lightning 10
7
Probability of 6 correct numbers in the lottery 7.1 10
8
Risk of being hit by a meteorite 1.6 10
12
Time until the next ice age (in years) 14, 000 = (2
14
)
Time until the sun dies (in years) 10
9
= (2
30
)
Age of the earth (in years) 10
9
= (2
30
)
Age of the universe (in years) 10
10
= (2
34
)
Number of the earths atoms 10
51
= (2
170
)
Number of the suns atoms 10
57
= (2
190
)
Number of atoms in the universe (without dark material) 10
77
= (2
265
)
Volume of the universe (in cm
3
) 10
84
= (2
280
)
Table 26: Likelihoods from physics and everyday life (dimensions)
70
3.8.8 Special values of the binary and decimal system
Dual system Decimal system
2
10
1024
2
40
1.09951 10
12
2
56
7.20576 10
16
2
64
1.84467 10
19
2
80
1.20893 10
24
2
90
1.23794 10
27
2
112
5.19230 10
33
2
128
3.40282 10
38
2
150
1.42725 10
45
2
160
1.46150 10
48
2
250
1.80925 10
75
2
256
1.15792 10
77
2
320
2.13599 10
96
2
512
1.34078 10
154
2
768
1.55252 10
231
2
1024
1.79769 10
308
2
2048
3.23170 10
616
Table 27: Special values of the binary and decimal system
Calculation using GMP, for example: http://www.gnu.ai.mit.edu.
71
References
[Aaronson2003] Scott Aaronson,
The Prime Facts: From Euclid to AKS,
http://www.cs.berkeley.edu/~aaronson/prime.ps.
Only after I had completed this article, did I come across the extremely well-written
paper by Scott Aaronson, which also oers a didactically well done intoduction to this
topic. It is humorous and easy to read but at the same time precise and erudite.
[Bartholome1996] A. Bartholome, J. Rung, H. Kern,
Zahlentheorie f ur Einsteiger, Vieweg 1995, 2nd edition 1996.
[Blum1999] W. Blum,
Die Grammatik der Logik, dtv, 1999.
[Bundschuh1998] Peter Bundschuh,
Einf uhrung in die Zahlentheorie, Springer 1988, 4th edition 1998.
[Doxiadis2000] Apostolos Doxiadis,
Uncle Petros and the Goldbachs Conjecture,
Faber/Bloomsbury, 2000.
[Graham1989] R.E. Graham, D.E. Knuth, O. Patashnik,
Concrete Mathematics, Addison-Wesley, 1989.
[Klee1997] V. Klee, S. Wagon,
Ungeloste Probleme in der Zahlentheorie und der Geometrie der Ebene,
Birkhauser Verlag, 1997.
[Knuth1981] Donald E. Knuth,
The Art of Computer Programming, vol 2: Seminumerical Algorithms,
Addison-Wesley, 1969, 2nd edition 1981.
[Lorenz1993] F. Lorenz,
Algebraische Zahlentheorie, BI Wissenschaftsverlag, 1993.
[Padberg1996] F. Padberg,
Elementare Zahlentheorie, Spektrum Akademischer Verlag 1988, 2nd edition 1996.
[Pieper1983] H. Pieper,
Zahlen aus Primzahlen, Verlag Harri Deutsch 1974, 3rd edition 1983.
[Richstein1999] J. Richstein,
Verifying the Goldbach Conjecture up to 4 10
14
, Mathematics of Computation 70, 2001,
p. 1745-1749).
[Scheid1994] Harald Scheid,
Zahlentheorie, BI Wissenschaftsverlag, 2nd edition, 1994.
72
[Schneier1996] Bruce Schneier,
Applied Cryptography, Protocols, Algorithms, and Source Code in C,
Wiley and Sons, 2nd edition 1996.
[Schroeder1999] M.R. Schroeder,
Number Theory in Science and Communication,
Springer 1984, 3rd edition 1997, Corrected Printing 1999.
[Schwenk1996] J. Schwenk
Conditional Access, in taschenbuch der telekom praxis 1996,
Hrgb. B. Seiler, Verlag Schiele und Schon, Berlin.
[Tietze1973] H. Tietze,
Geloste und ungeloste mathematische Probleme,
Verlag C. H. Beck 1959, 6th edition 1973.
73
Web links
1. GIMPS (Great Internet Mersenne-Prime Search)
www.mersenne.org is the home page of the GIMPS project,
http://www.mersenne.org/prime.htm
2. The Proth Search Page with the Windows program by Yves Gallot
http://www.utm.edu/research/primes/programs/gallot/index.html
3. Generalized Fermat Prime Search
http://primes.utm.edu/top20/page.php?id=12
4. Distributed Search for Fermat Number Divisors
http://www.fermatsearch.org/
5. At the University of Tennessee you will nd extensive research results about prime numbers.
http://www.utm.edu/
6. The best overview about prime numbers is oered from my point of view by The Prime
Pages from professor Chris Caldwell.
http://www.utm.edu/research/primes
7. Descriptions e.g. about prime number tests
http://www.utm.edu/research/primes/mersenne.shtml
http://www.utm.edu/research/primes/prove/index.html
8. Showing the n-th prime number
http://www.utm.edu/research/primes/notes/by year.html
9. The supercomputer manufacturer SGI Cray Research not only employed brilliant mathe-
maticians but also used the prime number tests as benchmarks for its machines.
http://www.isthe.com/chongo/tech/math/prime/prime press.html
10. The Cunningham Project,
http://www.cerias.purdue.edu/homes/ssw/cun/
11. http://www.eff.org/coop-awards/prime-release1.html
12. http://www.math.Princeton.EDU/~arbooker/nthprime.html
13. http://www.cerias.purdue.edu/homes/ssw/cun
14. http://www.informatik.uni-giessen.de/staff/richstein/de/Goldbach.html
15. http://www.mathematik.ch/mathematiker/goedel.html
16. http://www.mscs.dal.ca/~dilcher/goldbach/index.html
74
Acknowledgments
I would like to take this opportunity to thank Mr. Henrik Koy and Mr. Roger Oyono for their
very constructive proof-reading of this article.
75
4 Introduction to Elementary Number Theory with Examples
(Bernhard Esslinger, July 2001, Updates: Dec. 2001, June 2002, May 2003, May 2005, March
2006)
This introduction is for people with a mathematical interest. There is no more pre-knowledge
necessary than what you learn in the secondary school.
We intentionally had beginners in mind; we did not take the approach of mathematical text-
books, called introduction, which cannot be understood at the rst reading further than page 5
and which have the real purpose to deliver all information that special monographs can be read.
4.1 Mathematics and cryptography
A large proportion of modern, asymmetric cryptography is based on mathematical knowledge
on the properties (laws) of whole numbers, which are investigated in elementary number theory.
Here, the word elementary means that questions raised in number theory are essentially rooted
in the set of natural and whole numbers.
Further mathematical disciplines currently used in cryptography include (see [Bauer1995, p. 2],
[Bauer2000, p. 3]) :
Group theory
Combination theory
Complexity theory
Ergodic theory
Information theory.
Number theory or arithmetic (the emphasis here is more on the aspect of performing calculations
with numbers) was established by Carl Friedrich Gauss
74
as a special mathematical discipline. Its
elementary features include the greatest common divisor
75
(gcd), congruence (remainder classes),
factorisation, the Euler-Fermat theorem and primitive roots. However, the most important aspect
is prime numbers and their multiplicative operation.
For a long time, number theory was considered to be the epitome of pure research, the ideal
example of research in the ivory tower. It delved into the mysterious laws of the realm of
numbers, giving rise to philosophical considerations as to whether it described elements that
exist everywhere in nature or whether it articially constructed elements (numbers, operators
and properties).
74
Carl Friedrich Gauss, German mathematician and astronomer, Apr 30, 1777Feb 23, 1855.
75
This article deals with the gcd (greatest common divisor) in Appendix A of this chapter.
76
We now know that patterns from number theory can be found everywhere in nature. For example,
the ratio of rotating counterclockwise and rotating clockwise spirals in a sunower is equal to two
consecutive Fibonacci numbers
76
, for example 21 : 34.
Also, at the latest when number theory was applied in modern cryptography, it became clear that
a discipline that had been regarded as purely theoretical for centuries actually had a practical
use. Today, experts in this eld are in great demand on the job market.
Applications in (computer) security now use cryptography because this mathematical discipline
is simply better and easier to prove than all other creative substitution procedures that have
been developed over the course of time and better than all sophisticated physical methods such
as those used to print bank notes [Beutelspacher1996, p. 4].
This article explains the basics of elementary number theory in a way that you can easily under-
stand. It provides numerous examples and very rarely goes into any proofs (these can be found
in mathematical textbooks).
The goal is not to exhaustively explain the number theory ndings, but to show the essential
procedures. The volume of the content is so oriented that the reader can understand and apply
the RSA method.
For this purpose we will use both theory and examples to explain how to perform calculations in
nite sets and describe how these techniques are applied in cryptography. Particular attention
will be paid to the traditional Die-Hellman (DH) and RSA public key procedures.
Additionally I added some qualied statements about the security of the RSA algorithm.
Carl Friedrich Gauss:
Mathematics is the queen of sciences and number theory is the queen of mathematics.
4.2 Introduction to number theory
Number theory arose from interest in positive whole numbers 1, 2, 3, 4, , also referred to as
the set of natural numbers natural numbers N. These are the rst mathematical constructs used
by human civilisation. According to Kronecker
77
, they are a creation of God. In Dedekinds
78
opinion, they are a creation of the human intellect. Dependent upon ones ideology, this is an
unsolvable contradiction or one and the same thing.
In ancient times, no distinction was made between number theory and numerology, which at-
tributed a mystical signicance to specic numbers. In the same way as astronomy and chem-
76
The sequence of Fibonacci numbers (a
i
)
iN
is dened by the recursive rule a
1
:= a
2
:= 1 and for all numbers
n = 1, 2, 3, we dene a
n+2
:= a
n+1
+ a
n
. This historical sequence can be found in many interesting forms
in nature (for example, see [Graham1994, p. 290 ] or the website of Ron Knott, which is devoted to Fibonacci
numbers). A lot is known about the Fibonacci sequence and it is used today as an important tool in mathematics.
77
Leopold Kronecker, German mathematician, Dec 7, 1823 Dec 29, 1891
78
Julius Wilhelm Richard Dedekind, German mathematician, Oct 6, 1831 Feb 12, 1916.
77
istry gradually detached themselves from astrology and alchemy during the Renaissance (from
the 14th century), number theory also separated itself from numerology.
Number theory has always been a source of fascination for both amateurs and professional
mathematicians. In contrast to other areas of mathematics, many of the problems and theorems
in number theory can be understood by non-experts. On the other hand, mathematicians often
take a long time to nd solutions to the problems or prove the theorems. It is therefore one thing
to pose good questions but quite another matter to nd the answer. One example of this is what
is known as Fermats Last (or large) theorem
79
.
Up until the mid 20th century, number theory was considered to be the purest area of mathe-
matics, an area that had no practical use in the real world. This changed with the development
of computers and digital communication, as number theory was able to provide several unex-
pected solutions to real-life tasks. At the same time, advances in information technology allowed
specialists in number theory to make huge progress in factorising large numbers, nding new
prime numbers, testing (old) conjectures and solving numerical problems that were previously
impossible to solve. Modern number theory is made up of areas such as:
Elementary number theory
Algebraic number theory
Analytic number theory
Geometric number theory
Combinatorial number theory
Numeric number theory
Probability theory.
All of the dierent areas are concerned with questions regarding whole numbers (both positive
and negative whole numbers plus zero). However, they each have dierent methods of dealing
with them.
This article only deals with the area of elementary number theory.
79
One of the things you learn in mathematics at school is Pythagoras theorem, which states the following for a
right-angle triangle: a
2
+ b
2
= c
2
, where a and b are the lengths of the sides containing the right angle and c is
the length of the hypotenuse. Fermat famously proposed that a
n
+ b
n
= c
n
for whole-number exponents n > 2.
Unfortunately, the letter in which Fermat made the claim did not have enough space for him to prove it. The
theorem was not proved until over 300 years later [Wiles1994, p. 433-551].
78
4.2.1 Convention
Unless stated otherwise:
The letters a, b, c, d, e, k, n, m, p, q are used to present whole numbers.
The letters i and j represent natural numbers.
The letters p always represents a prime number.
Te sets N = 1, 2, 3, and Z = , 3, 2, 1, 0, 1, 2, 3, are the natural and whole
numbers respectively.
79
Joanne K. Rowling
80
This isnt magic its logic a puzzle. A lot of the greatest wizards havent got an ounce
of logic.
4.3 Prime numbers and the rst fundamental theorem of elementary number
theory
Many of the problems in elementary number theory are concerned with prime numbers.
Every whole number has divisors or factors. The number 1 has just one itself, whereas the
number 12 has the six factors 1, 2, 3, 4, 6 and 12
81
. Many numbers are only divisible by themselves
and by 1. When it comes to multiplication, these can be regarded as the atoms in the realm
of numbers.
Denition 4.1. Prime numbers are natural numbers greater than 1 that can only be divided
by 1 and themselves.
By denition, 1 is not a prime number.
If we write down the prime numbers in ascending order (prime number sequence), then we get:
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, .
The rst 100 numbers include precisely 25 prime numbers. After this, the percentage of primes
decreases, but never reaches zero.
We come across whole numbers that are prime fairly often. In the last decade only, three years
were prime: 1993, 1997 and 1999. If they were rare, cryptography would not be able to work with
them to the extent it does.
Prime numbers can be factorised in a unique (trivial) way:
5 = 1 5
17 = 1 17
1, 013 = 1 1, 013
1, 296, 409 = 1 1, 296, 409.
Denition 4.2. Natural numbers greater than 1 that are not prime are called composite num-
bers. These have at least two factors other than 1.
80
Joanne K. Rowling, Harry Potter and the Philosophers Stone, Bloomsbury, (c) 1997, chapter Through the
trapdoor, p. 307, by Hermine.
81
Due to the fact that 12 has so many factors, this number and multiples of this number is often found in everyday
life: the 12-hour scale on clocks, the 60 minutes in an hour, the 360-degree scale for measuring angles, etc. If we
divide these scales into segments, the segments often turn out to be whole numbers. These are easier to use in
mental arithmetic than fractions.
80
Examples of the decomposition of such numbers into prime factors:
4 = 2 2
6 = 2 3
91 = 7 13
161 = 7 23
767 = 13 59
1, 029 = 3 7
3
5, 324 = 22 11
3
.
Theorem 4.1. Each composite number a has a lowest factor greater than 1. This factor is a
prime number p and is less than or equal to the square root of a.
All whole numbers greater than 1 can be expressed as a product of prime numbers in a unique
way.
This is the claim of the 1st fundamental theorem of number theory (= fundamental theorem of
arithmetic = fundamental building block of all positive integers). This was formulated precisely
for the rst time by Carl Friedrich Gauss in his Disquisitiones Arithmeticae (1801).
Theorem 4.2. Gauss 1801 Every even natural number greater than 1 can be written as the
product of prime numbers. Given two such decompositions a = p
1
p
2
p
n
= q
1
q
2
q
m
,
these can be resorted such that n = m and, for all i, p
i
= q
i
.
In other words: Each natural number other than 1 can be written as a product of prime numbers
in precisely one way, if we ignore the order of the factors. The factors are therefore unique (the
expression as a product of factors is unique)!
For example, 60 = 2 2 3 5 = 2
2
3 5. And this other than changing the order of the
factors is the only way in which the number 60 can be factorised.
If you allow numbers other than primes as factors, there are several ways of factorising integers
and the uniqueness is lost:
60 = 1 60 = 2 30 = 4 15 = 5 12 = 6 10 = 2 3 10 = 2 5 6 = 3 4 5 =
The 1st fundamental theorem only appears to be obvious. We can construct numerous other
sets of numbers
82
for which numbers in the set cannot be expressed uniquely as a product of the
prime numbers of the set.
In order to make a mathematical statement, therefore, it is important to state not only the
operation for which it is dened but also the basic set on which the operation is dened.
For more details on prime numbers (e.g. how Fermats Little Theorem can be used to test
extremely large numbers to determine whether they are prime), please refer to the article on
prime numbers, chapter 3 in this script.
82
These sets are formed especially from the set of natural numbers. An example of this can be found in this script
on page 44 at the end of chapter 3.2.
81
4.4 Divisibility, modulus and remainder classes
If whole numbers are added, subtracted or multiplied, the result is always another whole number.
The division of two whole numbers does not always result in a whole number. For example, if we
divide 158 by 10 the result is the decimal number 15.8, which is not a whole number!
If, however, we divide 158 by 2 the result 79 is a whole number. In number theory we express
this by saying that 158 is divisible by 2 but not by 10. In general, we say:
Denition 4.3. A whole number n is divisible by a whole number d if the quotient n/d is a
whole number c such that n = c d.
n is called a multiple of d, whereas d is called a divisor or factor of n.
The mathematical notation for this is d[n (read d divides n). The notation d,[n means that d
does not divide the number n.
In our example therefore: 10,[158 but 2[158.
4.4.1 The modulo operation working with congruence
When we investigate divisibility, it is only the remainder of the division that is important. When
dividing a number n by m, we often use the following notation:
n
m
= c +
r
m
,
where c is a whole number and r is a number with the values 0, 1, , m 1. This notation
is called division with remainder, whereby c is called the whole-number quotient and r is the
remainder of the division.
Example:
19
7
= 2 +
5
7
(m = 7, c = 2, r = 5)
What do the numbers 5, 12, 19, 26, have in common for division by 7? The remainder is always
r = 5. For division by 7, only the following remainders are possible:
r = 0, 1, 2, , 6.
The numbers that result in the same remainder r when divided by 7 are combined to form the
remainder class r modulo 7. Two numbers a and b belonging to the same remainder class
modulo 7 are said to be congruent modulo 7. Or in general:
Denition 4.4. The remainder class r modulo m is the set of all whole numbers a that have
the same remainder r when divided by m.
82
Examples:
Remainder class 0 modulo 4 =
x[x = 4 n; n N = . . . , 16, 12, 8, 4, 0, 4, 8, 12, 16, . . .
Remainder class 3 modulo 4 =
x[x = 4 n + 3; n N = . . . , 13, 9, 5, 1, 3, 7, 11, 15, . . .
As only the remainders 0, 1, 2, , m1 are possible for division modulo m, modular arithmetic
works with nite sets. For each modulo m there are precisely m remainder classes.
Denition 4.5. Two numbers a, b N are said to be congruent modulo m N if and only if
they have the same remainder when divided by m.
We write: a b (mod m) (read a is congruent b modulo m), which means that a and b belong
to the same remainder class. The modulo is therefore the divisor. This notation was introduced
by Gauss. Although the divisor is usually positive, a and b can also be any whole numbers.
Examples:
19 12 (mod 7), because the remainders are equal: 19/7 = 2 remainder 5 and 12/7 = 1
remainder 5.
23103 0 (mod 453), because 23103/453 = 51 remainder 0 and 0/453 = 0 remainder 0.
Theorem 4.3. a b (mod m) if and only if, the dierence (ab) is divisible by m, i.e. if q Z
exists with (a b) = q m.
These two statements are therefore equivalent.
Therefore: If m divides the dierence, there exists a whole number q such that: a = b + q m.
As an alternative to the congruence notation, we can also use the divisibility notation: m[(ab).
Example of equivalent statements:
35 11 (mod 3) 3511 0 (mod 3), where 3511 = 24 is divisible by 3 without remainder
while 35 : 3 and 11 : 3 leave the remainder 2.
Comment:
The above equivalence does not apply to the sum (a +b)!
Example:
11 2 (mod 3), therefore 11 2 9 0 (mod 3); but 11 + 2 = 13 is not divisible by 3. The
statement in theorem 4.3 does not even apply to sums in one direction. It is correct for sums
only if the remainder is 0 and only in the following direction: if a divisor divides both summands
with no remainder, it also divides the sum with no remainder.
We can apply the above equivalence in theorem 4.3 if we need a quick and easy method of
determining whether large numbers are divisible by a certain number.
Example:
Is 69, 993 divisible by 7?
83
The number can be written in the form of a dierence in which it is clear that each operand is
divisible by 7: 69, 993 = 70, 000 7. Therefore, the dierence is also divisible by 7.
Although these considerations and denitions may seem to be rather theoretical, we are so familiar
with them in everyday life that we no longer think about the formal procedure. For example, the
24 hours on a clock are represented by the numbers 1, 2, , 12. We obtain the hours after 12
noon as the remainder of a division by 12 and know immediately that 2 oclock in the afternoon
is the same as 14.00.
This modular arithmetic (based on division remainders) forms the basis of asymmetric en-
cryption procedures. Cryptographic calculations are therefore not based on real numbers, as
the calculations you performed at school, but rather on character strings with a limited length,
in other words on positive whole numbers that cannot exceed a certain value. This is one of
the reasons why we choose a large number m and calculate modulo m. That is, we ignore
whole-number multiples of m and, rather than working with a number, we only work with the
remainder when this number is divided by m. The result is that all results are in the range 0 to
m1.
4.5 Calculations with nite sets
4.5.1 Laws of modular calculations
From algebra theorems it follows that essential parts of the conventional calculation rules are
kept when we proceed to modular calculations over a basic set Z. For example, addition remains
commutative. The same goes for multiplication modulo m. The result of a division
83
is not a
fraction but rather a whole number between 0 and m1.
The known laws apply:
1. Associative law:
((a +b) +c) (mod m) (a + (b +c)) (mod m).
((a b) c) (mod m) (a (b c)) (mod m).
2. Commutative law:
(a +b) (mod m) (b +a) (mod m).
(a b) (mod m) (b a) (mod m).
The associative law and commutative law apply to both addition and multiplication.
3. Distributive law:
(a (b +c)) (mod m) (a b +a c) (mod m).
4. Reducibility:
(a +b) (mod m) (a (mod m) +b (mod m)) (mod m).
(a b) (mod m) (a (mod m) b (mod m)) (mod m).
83
When dividing modulo m we cannot use every number because some numbers have the same property as zero. See
footnote 87 in chapter 4.6.1.
84
The order in which order the modulo operation is performed is irrelevant.
5. Existence of an identity (neutral element):
(a + 0) (mod m) (0 +a) (mod m) a (mod m).
(a 1) (mod m) (1 a) (mod m) a (mod m).
6. Existence of an inverse element:
For all whole numbers a and m there exists a whole number a such that:
(a + (a)) (mod m) 0 (mod m) (additive inverse).
For each a (a , 0 (mod p) ) where p is prime there exists a whole number a
1
, such that:
(a a
1
) (mod p) 1 (mod p) (multiplicative inverse).
7. Closeness
84
:
a, b G = (a +b) G.
a, b G = (a b) G.
8. Transitivity:
[a b mod m, b c mod m] = [a c mod m].
4.5.2 Patterns and structures
In general mathematicians investigate Structures. They ask e.g. at a x b mod m, which
values x can take for given values of a, b, m.
Especially the case is investigated, where the result b of this operation is the neutral element.
Then x is the inverse of a regarding this operation.
84
The property of closeness is always dened in relation to an operation in a set. See Appendix B of this chapter.
85
Seneca
85
:
The way of theory is long, it is short and eective by examples.
4.6 Examples of modular calculations
As we have already seen:
For two natural numbers a and m, a mod m denotes the remainder obtained when we divide a
by m. This means that a (mod m) is always a number between 0 and m1.
For example, 1 6 41 1 (mod 5) because the remainder is always 1. Another example is:
2000 0 (mod 4) because 4 divides 2000 with no remainder.
Modular arithmetic only contains a limited quantity of non-negative numbers. The number of
these is specied by a modulus m. If the modulo is m = 5, then only the 5 numbers in the set
0, 1, 2, 3, 4 are used.
A calculation result larger than 4 is then reduced modulo 5. In other words, it is the remainder
when the result is divided by 5. For example, 2 4 8 3 (mod 5) because 3 is the remainder
when we divide 8 by 5.
4.6.1 Addition and multiplication
The following shows
the addition table
86
(mod 5) and
the multiplication tables
87
for mod 5 and mod 6.
Example of an addition table
The result when we add 3 and 4 (mod 5) is calculated as follows: Calculate 3 + 4 = 7 and keep
subtracting 5 from the result until the result is less than the modulo: 7 5 = 2. Therefore:
3 + 4 2 (mod 5).
85
Lucius Annaeus Seneca, philosophical writer and poet, 4 B. C. 65 A. D.
86
Comment on subtraction modulo 5:
2 4 2 3 mod 5.
It is therefore not true modulo 5 that 2 = 2 (see also Appendix C of this chapter).
87
Comment on division modulo 6:
Due to the special role of zero as the identity for addition, division by zero is not permitted:
for all a it is a 0 = 0, because a 0 = a (0 + 0) = a 0 + a 0. Obviously 0 has no inverse regarding the
multiplication, because if there would be one, it must be 0 = 0 0
1
= 1. Also see footnote 83.
86
Addition table modulo 5: + 0 1 2 3 4
0 0 1 2 3 4
1 1 2 3 4 0
2 2 3 4 0 1
3 3 4 0 1 2
4 4 0 1 2 3
Example of an multiplication table:
The result of the multiplication 4 4 (mod 5) is calculated as follows: 4 4 = 16 and subtract 5
until the result is less than the modulus.
16 5 = 11; 11 5 = 6; 6 5 = 1.
The table directly shows that 4 4 1 (mod 5) because 16 : 5 = 3 remainder 1. Multiplication
is dened on the set Z excluding 0.
Multiplication table modulo 5: * 1 2 3 4
1 1 2 3 4
2 2 4 1 3
3 3 1 4 2
4 4 3 2 1
4.6.2 Additive and multiplicative inverses
You can use the tables to read the inverses for each number in relation to addition and multipli-
cation.
The inverse of a number is the number that gives the result 0 when the two numbers are added
and 1 when they are multiplied. Thus, the inverse of 4 for addition mod 5 is 1 and the inverse of
4 for multiplication mod 5 is 4 itself, because
4 + 1 = 5 0 (mod 5);
4 4 = 16 1 (mod 5).
The inverse of 1 for multiplication mod 5 is 1, while the inverse modulo 5 of 2 is 3 and, since
multiplication is commutative, the inverse of 3 is again 2.
If we take a random number and add or multiply another number (here 4) and then add
88
or
multiply the corresponding inverse (1 or 4) to the interim result (1 or 3), then the end result is
the same as the initial value.
Example:
2 + 4 6 1 (mod 5); 1 + 1 2 2 (mod 5),
2 4 8 3 (mod 5); 3 4 12 2 (mod 5).
88
In general x + y + (y) x (mod m) [(y) = additive inverse of y (mod m)].
87
In the set Z
5
= 0, 1, 2, 3, 4 for the addition and in the set Z

5
for the multiplication, all numbers
have a unique inverse modulo 5.
In the case of modular addition, this is true for every modulo (not just for 5).
This is not the case, however, for modular multiplication.
Theorem 4.4. A natural number a from the set 1, , m1 has one inverse if and only if it
and the modulo m are co-prime
89
, in other words if a and m have no common prime factors.
Since m = 5 is prime, the numbers 1 to 4 are relatively prime to 5 and each of these numbers
has a multiplicative inverse in mod 5.
A counterexample shows the multiplication table for mod 6 (since the modulus m = 6 is not
prime, not all elements from Z
6
0 are relatively prime to 6):
Multiplication table modulo 6: * 1 2 3 4 5
1 1 2 3 4 5
2 2 4 0 2 4
3 3 0 3 0 3
4 4 2 0 4 2
5 5 4 3 2 1
In addition to 0, the numbers 2, 3 and 4 also have no unique inverse (we can also say they have
no inverse, because the elementary property of an inverse is uniqueness).
The numbers 2, 3 and 4 have the factor 2 or 3 in common with the modulus 6. Only the numbers
1 and 5, which are relatively prime to 6, have multiplicative inverses, namely themselves.
The number of numbers that are relatively prime to the modulus m is the same as the number
of numbers that have a multiplicative inverse (see the Euler function J(m) below).
For the two moduli 5 and 6 used in the multiplication tables, this means: the modulus 5 is a
prime number itself. In mod 5, therefore, there are exactly J(5) = 5 1 = 4 numbers that are
relatively prime to the modulus, that is all numbers from 1 to 4.
Since 6 is not a prime number, we write it as a product of its factors: 6 = 2 3. In mod 6,
therefore, there are exactly J(6) = (21) (31) = 12 = 2 numbers that have a multiplicative
inverse, that is 1 and 5.
Although it may seem dicult to calculate the table of multiplicative inverses for large moduli
(this only applies to the areas of the table shaded dark grey), we can use Fermats Little Theorem
89
Two whole numbers a and b are co-prime if and only if gcd(a, b) = 1.
If p is prime and a is a random whole number that is not a multiple of p, then p and a are co-prime.
Further name to the topic co-prime (with a
i
Z, i = 1, , n):
1. a
1
, a
2
, , a
n
are relatively prime , if gcd(a
1
, , a
n
) = 1.
2. An even stronger request for more than two numbers is :
a
1
, , a
n
are in pairs relatively prime, if for all i = 1, , n and j = 1, , n with i = j: gcd(a
i
, a
j
) = 1.
Example: 2, 3, 6 are relatively prime, because gcd(2, 3, 6) = 1. They are not in pairs relatively prime, because
gcd(2, 6) = 2 > 1.
88
to create a simple algorithm for this [Peeger1997, p. 80]. Quicker algorithms are described, for
instance, in [Knuth1998]
90
.
Cryptographically not only the unique nature of the inverse is important, but also that the set
of possible values has been exhausted.
Theorem 4.5. For a, i 1, , m 1 with gcd(a, m) = 1), then the product a i mod m
takes for a certain number a all values from 1, , m1 (exhaustive permutation of the length
m1)
91
.
The following three examples
92
illustrate the properties of multiplicative inverses.
In the multiplication table mod 17, the following was calculated for i = 1, 2, , 18:
(5 i)/17 = a remainder r and high-lighted 5 i 1 (mod 17),
(6 i)/17 = a remainder r and high-lighted 6 i 1 (mod 17).
We need to nd the i for which the product remainder a i modulo 17 with a = 5 or a = 6 has
the value 1.
Table 1: Multiplication table modulo 17 (for a = 5 and a = 6)
i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
5 i 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90
remainder 5 10 15 3 8 13 1 6 11 16 4 9 14 2 7 12 0 5
6 i 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108
remainder 6 12 1 7 13 2 8 14 3 9 15 4 10 16 5 11 0 6
Between i = 1, , m, all values between 0, , m1 occur for the remainders, because both 5
and 6 are also relatively prime to the modulus m = 17.
The multiplicative inverse of 5 (mod 17) is 7, while the inverse of 6 (mod 17) is 3.
Table 2: Multiplication table modulo 13 (for a = 5 and a = 6)
i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
5 i 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90
remainder 5 10 2 7 12 4 9 1 6 11 3 8 0 5 10 2 7 12
6 i 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108
remainder 6 12 5 11 4 10 3 9 2 8 1 7 0 6 12 5 11 4
90
Using Euclids extended theorem (extended gcd), we can calculate the multiplicative inverse and determine whether
numbers have an inverse (see appendix A of this chapter). Alternatively, we can also use the primitive roots.
91
See also theorem 4.14 in chapter 4.9, Multiplicative order and primitive roots.
92
See Appendix E of this chapter for the source code to compute the tables using Mathematica and Pari-GP.
89
Between i = 1, , m, all values between 0, , m1 occur for the remainders, because both 5
and 6 are relatively prime to the modulus m = 13.
The multiplicative inverse of 5 (mod 13) is 8, while the inverse of 6 (mod 13) is 11.
The following table contains an example, where the modulus m and the number a = 6 are not
relatively prime.
Table 3: Multiplication table modulo 12 (for a = 5 and a = 6)
i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
5 i 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90
remainder 5 10 3 8 1 6 11 4 9 2 7 0 5 10 3 8 1 6
6 i 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108
remainder 6 0 6 0 6 0 6 0 6 0 6 0 6 0 6 0 6 0
We have calculated (5 i) (mod 12) and (6 i) (mod 12). Between i = 1, , m, not all values
between 0, , m1 occur and 6 does not have an inverse mod 12, because 6 and the modulus
m = 12 are not co-prime.
The multiplicative inverse of 5 (mod 12) is 5. The number 6 has no inverse (mod 12).
4.6.3 Raising to the power
In modular arithmetic, raising to the power is dened as repeated multiplication as usual except
that multiplication is now slightly dierent. We can even apply the usual rules, such as:
a
b+c
= a
b
a
c
,
(a
b
)
c
= a
bc
= a
cb
= (a
c
)
b
.
Modular powers work in the same way as modular addition and modular multiplication:
3
2
9 4 (mod 5).
Even consecutive powers work in the same way:
Example 1:
(4
3
)
2
64
2
4096 1 (mod 5).
(1) We can speed up
93
the calculation by reducing the interim results modulo 5
but we need to take care because not everything will then work in the same way as
93
The time required to calculate the multiplication of two numbers normally depends on the length of the numbers.
We can observe this if we use the school method to calculate, for instance, 474 228. The time required increases
in a quadratic square manner , because we need to multiply 3 3 numbers. The numbers become considerably
smaller if we reduce the interim result.
90
in standard arithmetic.
(4
3
)
2
(4
3
(mod 5))
2
(mod 5)
(64 (mod 5))
2
(mod 5)
4
2
(mod 5)
16 1 (mod 5).
(2) In standard arithmetic, consecutive powers can be reduced to a single power by
multiplying the exponents:
(4
3
)
2
= 4
32
= 4
6
= 4096.
This is not quite as simple in modular arithmetic because this would give:
(4
3
)
2
4
32 (mod 5)
4
6 (mod 5)
4
1
4 (mod 5).
But as we saw above, the correct result is 1!!
(3) Therefore, the rule is slightly dierent for consecutive powers in modular arith-
metic: we do not multiply the exponents in (mod m) but rather in (mod J(m)).
Using J(5) = 4 gives:
(4
3
)
2
4
3 2 (mod J(5))
4
6 mod 4
4
2
16 1 (mod 5).
This delivers the correct result.
Theorem 4.6. (a
b
)
c
a
bc (mod J(m))
(mod m).
Example 2:
3
28
3
4 7
3
4 7 (mod 10)
3
8
6561 5 (mod 11).
4.6.4 Fast calculation of high powers
RSA encryption and decryption
94
entails calculating high powers modulo m. For example, the
calculation (100
5
) (mod 3) exceeds the 32-bit long integer number range provided we calculate a
n
by actually multiplying a with itself n times in line with the denition. In the case of extremely
large numbers, even a fast computer chip would take longer than the age of the universe to
calculate a single exponential. Luckily, there is an extremely eective shortcut for calculating
exponentials (but not for calculating logarithms).
If the expression is divided dierently using the rules of modular arithmetic, then the calculation
does not even exceed the 16-bit short integer number range:
(a
5
) (((a
2
(mod m))
2
(mod m)) a) (mod m).
94
See chapter 4.10 (Proof of the RSA procedure with Euler-Fermat) and chapter 4.13 (The RSA procedure with
actual numbers).
91
We can generalise this by representing the exponent as a binary number. For example, the naive
method would require 36 multiplications in order to calculate a
n
for n = 37. However, if we
write n in the binary representation as 100101 = 1 2
5
+ 1 2
2
+ 1 2
0
, then we can rewrite the
expression as: a
37
= a
2
5
+2
2
+2
0
= a
2
5
a
2
2
a
1
Example 3: 87
43
(mod 103).
Since 43 = 32 + 8 + 2 + 1 , 103 is prime, 43 < J(103)
and the squares (mod 103) can be calculated beforehand
87
2
50 (mod 103),
87
4
50
2
28 (mod 103),
87
8
28
2
63 (mod 103),
87
16
63
2
55 (mod 103),
87
32
55
2
38 (mod 103).
we have
95
:
87
43
87
32+8+2+1
(mod 103)
87
32
87
8
87
2
87 (mod 103)
38 63 50 87 85 (mod 103).
The powers (a
2
)
k
can be determined easily by means of repeated squaring. As long as a does not
change, a computer can calculate them beforehand and if enough memory is available save
them. In order to then nd a
n
in each individual case, it now only needs to multiply those (a
2
)
k
for which there is a one in the k-th position of the binary representation of n. The typical eort
is then reduced from 2
600
to 2 600 multiplications! This frequently used algorithm is called
Square and Multiply.
4.6.5 Roots and logarithms
The inverses of the powers are also dened. The roots and logarithms are again whole numbers.
Yet in contrast to the usual situation, they are not only dicult to calculate but, in the case of
large numbers, cannot be calculated at all within a reasonable amount of time.
Let us take the equation a b
c
(mod m).
a) Taking the logarithm (determining c) Discrete logarithm problem :
If we know a and b of the three numbers a, b and c that meet this equation, then every
known method of nding c is approximately just as time-consuming as trying out all m
possible values for c one after the other. For a typical m of the order of magnitude of
10
180
for 600-digit binary numbers, this is a hopeless task. More precisely, for suitably
95
See Appendix E of this chapter for source code implementing the square and multiply method in Mathematica and
Pari-GP, which can be used to reproduce the calculations above.
92
large numbers m, the time required according to current knowledge is proportional to
exp
_
C (log m[log log m]
2
)
1/3
_
with a constant C > 1.
b) Calculating the root (determining b):
The situation is similar if b is the unknown variable and we know the values of a and c:
If we know the Euler function of m, J(m), then we can easily
96
calculate d with c d
1 (mod J(m)) and use theorem 4.6 to obtain:
a
d
(b
c
)
d
b
cd
b
cd (mod J(m))
b
1
b (mod m)
the c-th root b of a.
If J(m) cannot be determined
97
, it is dicult to calculate the c-th root. This forms the
basis for the security assumption used by the RSA encryption system (see chapter 4.10 or
chapter 5.3.1).
The time required for inverting addition and multiplication, on the other hand, is simply pro-
portional to log m or (log m)
2
. Powers (for a number x calculate x
a
with a xed) and exponents
(for a number x calculate a
x
with a xed) are therefore typical one way functions (See Overview
of the one way functions in this Script and article).
4.7 Groups and modular arithmetic in Z
n
and Z

n
Mathematical groups play a decisive role in number theory and cryptography. We only talk of
groups if, for a dened set and a dened relation (an operation such as addition or multiplication),
the following properties are fullled:
The set is closed
A neutral element exists
An inverse element exists for each element
The associative law applies.
The abbreviated mathematical notation is (G, +) or (G, ).
Denition 4.6. Z
n
:
Z
n
comprises all numbers from 0 to n 1 : Z
n
= 0, 1, 2, , n 2, n 1.
Z
n
is an often used nite group of the natural numbers. It is sometimes also called the remainder
set R modulo n.
For example, 32-bit computers (standard PCs) only directly work with whole numbers in a nite
set, that is the value range 0, 1, 2, , 2
32
1.
This value range is equivalent to the set Z
2
32.
96
See Appendix A of this chapter: the greatest common divisor (gcd) of whole numbers.
97
According to the rst fundamental theorem of number theory and theorem 4.11, we can determine J(m) by reducing
m to prime factors.
93
4.7.1 Addition in a group
If we dene the operation mod+ on such a set where
a mod + b := (a +b) (mod n),
then the set Z
n
together with the relation mod+ is a group because the following properties of
a group are valid for all elements in Z
n
:
a mod + b is an element of Z
n
(the set is closed),
(a mod + b) mod + c a mod + (b mod + c) (mod+ is associative),
the neutral element is 0.
each element a Z
n
has an inverse for this operation, namely n a
(because a mod + (n a) a + (n a) (mod n) n 0 (mod n)).
Since the operation is commutative, i.e. (a mod + b) = (b mod + a), this structure is actually
a commutative group.
4.7.2 Multiplication in a group
If we dene the operation mod* on the set Z
n
where
a mod b := (a b) (mod n),
then Z
n
together with this operation is usually not a group because not all properties are
fullled for each n.
Examples:
a) In Z
15
, for example, the element 5 does not have an inverse. That is to say, there is no a
with
5 a 1 (mod 15). Each modulo product with 5 on this set gives 5, 10 or 0.
b) In Z
55
0, for example, the elements 5 and 11 do not have multiplicative inverses. That
is to say, there is no a Z
55
such that 5 a 1 ( mod 55 ) and no a such that 11 a
1 ( mod 55 ). This is because 5 and 11 are not relatively prime to 55. Each modulo product
with 5 on this set gives 5, 10, 15, . . . , 50 or 0. Each modulo product with 11 on this set gives
11, 22, 33, 44 or 0.
On the other hand, there are subsets of Z
n
that form a group with the operation mod*. If we
choose all elements in Z
n
that are relatively prime to n, then this set forms a group with the
operation mod*. We call this set Z

n
.
Denition 4.7. Z

n
:
Z

n
= a Z
n
[gcd(a, n) = 1.
94
Z

n
is sometimes also called the reduced remainder set R

modulo n.
Example: For n = 10 = 2 5 the following applies:
full remainder set R = Z
n
= 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
reduced remainder set R

= Z

n
= 1, 3, 7, 9 J(n) = 4.
Comment: R

or Z

n
is always a genuine subset of R or Z
n
because 0 is always an element of R
but never an element of R

. Since 1 and n 1 are always relatively prime to n, they are always

elements of both sets.
If we select a random element in Z

n
and multiply it by every other element in Z

n
, then the
products
98
are all in Z

n
, and the results are also a unique permutation of the elements in Z

n
.
Since 1 is always an element of Z

n
, there is a unique partner in this set such that the product
is 1. In other words:
Theorem 4.7. Each element in Z

n
has a multiplicative inverse.
Example for a = 3 modulo 10 with Z

n
= 1, 3, 7, 9 :
3 3 1 (mod 10),
9 3 3 (mod 10),
1 3 7 (mod 10),
7 3 9 (mod 10).
The unique invertibility is an essential condition for cryptography (see section 4.10).
98
This is due to the fact that Z

n
is closed with respect to the multiplication and due to the gcd property:
[a, b Z

n
] [((a b) (mod n)) Z

n
], exactly:
[a, b Z

n
] [gcd(a, n) = 1, gcd(b, n) = 1] [gcd(a b, n) = 1] [((a b) (mod n)) Z

n
].
95
Eric Berne
99
:
Mathematical game theory postulates players who respond rationally. Transactional game
theory, on the other hand, deals with games that are not rational, perhaps even irrational
and thereby closer to reality.
4.8 Euler function, Fermats little theorem and Euler-Fermat
4.8.1 Patterns and structures
As mathematicians investigate the structure a x b mod m (see chapter 4.5.2), so they are
interested in the structure x
a
b mod m.
Again here they are interested in the case, if b = 1 (value of the multiplicative inverse) and if
b = x (the function has a xpoint).
4.8.2 The Euler function
Given n, the number of numbers from the set 1, , n 1 that are relatively prime to n is
equal to the value of the Euler
100
function J(n).
Denition 4.8. The Euler function
101
J(n) species the number of elements in Z

n
.
J(n) also species how many whole numbers have multiplicative inverses in mod n. J(n) can be
calculated if we know the prime factors of n.
Theorem 4.8. For a prime number, the following is true: J(p) = p 1.
Theorem 4.9. If m is the product of two distinct primes, then:
J(p q) = (p 1) (q 1) or J(p q) = J(p) J(q).
This case is important for the RSA procedure.
Theorem 4.10. If n = p
1
p
2
p
k
where p
1
to p
k
are distinct prime numbers (i.e. no factor
occurs more than once), then the following is true (as a generalisation of theorem 4.9):
J(n) = (p
1
1) (p
2
1) (p
k
1).
Theorem 4.11. In general, the following is true for every prime number p and every n in N:
1. J(p
n
) = p
n1
(p 1).
99
Eric Berne, Games People Play, rororo, (c) 1964, page 235.
100
Leonhard Euler, Swiss mathematician, Apr 15, 1707 Sep 18, 1783
101
Often written as the Euler phi function (n).
96
2. If n = p
e
1
1
p
e
2
2
p
e
k
k
, where p
1
to p
k
are distinct prime numbers, then:
J(n) = [(p
e
1
1
1
) (p
1
1)] [(p
e
k
1
k
) (p
k
1)] = n ([(p
1
1)/p
1
] [(p
k
1)/p
k
]).
Examples:
n = 70 = 2 5 7 = using theorem 4.10: J(n) = 1 4 6 = 24.
n = 9 = 3
2
= using theorem 4.11: J(n) = 3
1
2 = 6, because Z

9
= 1, 2, 4, 5, 7, 8.
n = 2, 701, 125 = 3
2
5
3
7
4
= using theorem 4.11:
J(n) = [3
1
2] [5
2
4] [7
3
6] = 1, 234, 800.
4.8.3 The theorem of Euler-Fermat
In order to prove the RSA procedure, we need Fermats theorem and its generalisation (Euler-
Fermat theorem) please see chapter 3.5.
Theorem 4.12. Fermats Little Theorem
102
Let p be a prime number and a be a random
whole number, then:
a
p
a (mod p).
An alternative formulation of Fermats Little Theorem is as follows: Let p be a prime number
and a be a random whole number that is relatively prime to p, then:
a
p1
1 (mod p).
Theorem 4.13. Euler-Fermat theorem (generalisation of Fermats Little Theorem)
For all elements a in the group Z

n
(i.e. a and n are natural numbers that are co-prime):
a
J(n)
1 (mod n).
This theorem states that if we raise a group element (here a) to the power of the order of the
group (here J(n)), we always obtain the neutral element for multiplication (the number 1).
The 2nd formulation of Fermats Little Theorem is derived directly from Eulers theorem if n is
a prime number.
If n is the product of two prime numbers, we can - in certain cases - use Eulers theorem to
calculate the result of a modular power very quickly. We have: a
(p1)(q1)
1 (mod pq).
Examples for calculating a modular power:
With 2 = 1 2 and 6 = 2 3 where 2 and 3 are both prime; J(6) = 2 because only 1 and
5 are relatively prime to 6, we obtain the equation 5
2
5
J(6)
1 (mod 6), without having
to calculate the power.
With 792 = 22 36 and 23 37 = 851 where 23 and 37 are both prime, it follows that
31
792
31
J(2337)
31
J(851)
1 (mod 851).
102
Pierre de Fermat, French mathematician, Aug 17, 1601 Jan 12, 1665.
97
4.8.4 Calculation of the multiplicative inverse
Another interesting application is a special case of determining the multiplicative inverses using
the Euler-Fermat theorem (multiplicative inverses are otherwise determined using the extended
Euclidean algorithm).
Example:
Find the multiplicative inverse of 1579 modulo 7351.
According to Euler-Fermat: a
J(n)
= 1 (mod n) for all a in Z

n
. If we divide both sides by a, we
get: a
J(n)1
a
1
(mod n). For the special case that the modulo is prime, we have J(n) = p1.
Therefore, the modular inverse is
a
1
= a
J(n)1
a
(p1)1
a
p2
(mod p).
For our example, this means:
Since the modulus 7351 is prime, p 2 = 7349.
1579
1
1579
7349
(mod p).
By cleverly breaking down the exponent, we can calculate this power relatively easily (see Sec-
tion 4.6.4 Fast calculation of high powers):
7349 = 4096 + 2048 + 1024 + 128 + 32 + 16 + 4 + 1
1579
1
4716 (mod 7351).
4.8.5 Fixpoints modulo 26
According to theorem 4.6, the arithmetic operations of modular expressions are performed in the
exponents modulo J(n) rather than modulo n
103
.
In a
ed
a
1
(mod n), if we wish to determine the inverses for the factor e in the exponent, we
need to calculate modulo J(n).
Example (with reference to the RSA algorithm):
If we calculate modulo 26, which set can e and d come from?
Solution: we have e d 1 (mod J(26)).
The reduced remainder set R

= Z

26
= 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25 are the elements
in Z
26
, which have a multiplicative inverse, that is which are relatively prime to 26.
The reduced remainder set R

contains only the elements of R

that are relatively prime to

J(n) = 12 : R

= 1, 5, 7, 11.
For every e in R

there exists a d in R

such that a (a
e
)
d
(mod n).
103
For the following example, we will adopt the usual practice for the RSA procedure of using n rather than m
to denote the modulus.
98
For every e in R

, there exists therefore precisely one element (not necessarily dierent from e)
such that e d 1 (mod J(26)).
For all e that are relatively prime to J(n) we could calculate d as follows using the Euler-Fermat
theorem: For a
J(n)
1 (mod n) is the same as saying a
J(n)1
a
1
(mod n). Therefore
d e
1
(mod J(n)) e
J(J(n))1
(mod J(n)).
The problems of factorising n = pq with q ,= p and nding J(n) have a similar degree of diculty
and if we nd a solution for one of the two problems, we also have a solution for the other
104
(please compare requisition 3 in section 4.10.1).
104
If we know the factors of n = p q with p = q, then J(n) = (p 1) (q 1) = n (p + q) + 1. Additionally the
factors p and q are solutions of the quadratic equation x
2
(p + q)x + pq = 0.
If only n and J(n) are known, then it is: pq = n and p + q = n J(n) + 1. So you get p and q by solving the
equation
x
2
+ (J(n) n 1)x + n = 0.
99
4.9 Multiplicative order and primitive roots
Mathematicians often ask, in which conditions the repeated application of an operation results
in the neutral element (compare patterns and structures before).
For the i-times successive modular multiplication of a number a with i = 1, , m1 the product
is the neutral element of the multiplication (1) if and only if a and m are relatively prime. The
value of i, for which the product a
i
= 1, is called the multiplicative order of a.
The multiplicative order and the primitive root are two useful constructs (concepts) in elementary
number theory.
Denition 4.9. The multiplicative order ord
m
(a) of a whole number a (mod m) (where a
and m are co-prime) is the smallest whole number e for which a
e
1 (mod m).
The following table shows that in a multiplicative group (here Z

11
) not all numbers necessarily
have the same order. The orders in this case are 1, 2, 5 and 10 and we notice that:
1. The orders are all factors of 10.
2. The numbers a = 2, 6, 7 and 8 have the order 10 - we say that these numbers have the
maximum order in Z

11
.
Example 1:
The following table
105
shows the values a
i
mod 11 for the exponents i = 1, 2, , 10 and for the
bases a = 1, 2, , 10 as well as the resulting value ord
11
(a) for each a:
Table 4: Values of a
i
mod 11, 1 a, i < 11 and according order of a mod m:
i=1 i=2 i=3 i=4 i=5 i=6 i=7 i=8 i=9 i=10 ord
11
(a)
a = 1 1 1 1 1 1 1 1 1 1 1 1
a = 2 2 4 8 5 10 9 7 3 6 1 10
a = 3 3 9 5 4 1 3 9 5 4 1 5
a = 4 4 5 9 3 1 4 5 9 3 1 5
a = 5 5 3 4 9 1 5 3 4 9 1 5
a = 6 6 3 7 9 10 5 8 4 2 1 10
a = 7 7 5 2 3 10 4 6 9 8 1 10
a = 8 8 9 6 4 10 3 2 5 7 1 10
a = 9 9 4 3 5 1 9 4 3 5 1 5
a = 10 10 1 10 1 10 1 10 1 10 1 2
The table shows, for example, that the order of 3 modulo 11 has the value 5.
Denition 4.10. If a and m are co-prime and if ord
m
(a) = J(m) (i.e. a has maximum order),
then we say that a is a primitive root of m.
105
See Appendix E of this chapter for the source code to generate the table using Mathematica and Pari-GP.
100
A number a is not a primitive root for every modulo m. In the above table, only a = 2, 6, 7 and
8 is a primitive root with respect to mod 11 (J(11) = 10).
Using the primitive roots, we can clearly establish the conditions for which powers modulo m
have a unique inverse and the calculation in the exponents is manageable.
The following two tables show the multiplicative orders and primitive roots modulo 45 and modulo
46.
Example 2:
The following table
106
shows the values a
i
mod 45 for the exponents i = 1, 2, , 12 and for the
bases a = 1, 2, , 12 as well as the resulting value ord
45
(a) for each a:
Table 5: Values of a
i
mod 45, 1 a, i < 13:
a i 1 2 3 4 5 6 7 8 9 10 11 12 ord
45
(a) J(45)
1 1 1 1 1 1 1 1 1 1 1 1 1 1 24
2 2 4 8 16 32 19 38 31 17 34 23 1 12 24
3 3 9 27 36 18 9 27 36 18 9 27 36 24
4 4 16 19 31 34 1 4 16 19 31 34 1 6 24
5 5 25 35 40 20 10 5 25 35 40 20 10 24
6 6 36 36 36 36 36 36 36 36 36 36 36 24
7 7 4 28 16 22 19 43 31 37 34 13 1 12 24
8 8 19 17 1 8 19 17 1 8 19 17 1 4 24
9 9 36 9 36 9 36 9 36 9 36 9 36 24
10 10 10 10 10 10 10 10 10 10 10 10 10 24
11 11 31 26 16 41 1 11 31 26 16 41 1 6 24
12 12 9 18 36 27 9 18 36 27 9 18 36 24
J(45) is calculated using theorem 4.11: J(45) = J(3
2
5) = 3
1
2 4 = 24.
Since 45 is not a prime, there is no multiplicative order for all values of a (e. g. for the numbers
that are not relatively prime to 45 : 3, 5, 6, 9, 10, 12, , because 45 = 3
2
5).
Example 3:
Is 7 a primitive root modulo 45?
The requirement/condition gcd(7, 45) = 1 is fullled. The table values of a
i
mod 45 shows that
the number 7 is not a primitive root of 45, because ord
45
(7) = 12 ,= 24 = J(45).
Example 4:
The following table
107
answers the question as to whether the number 7 is a primitive root of 46.
The requirement/condition gcd(7, 46) = 1 is fullled.
106
See Appendix E of this chapter for the source code to generate the table using Mathematica and Pari-GP.
107
See Appendix E of this chapter for the source code to generate the table using Mathematica and Pari-GP.
101
Table 6: Values of a
i
mod 46, 1 a, i < 23:
ai 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 ord
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 2 4 8 16 32 18 36 26 6 12 24 2 4 8 16 32 18 36 26 6 12 24 2
3 3 9 27 35 13 39 25 29 41 31 1 3 9 27 35 13 39 25 29 41 31 1 3 11
4 4 16 18 26 12 2 8 32 36 6 24 4 16 18 26 12 2 8 32 36 6 24 4
5 5 25 33 27 43 31 17 39 11 9 45 41 21 13 19 3 15 29 7 35 37 1 5 22
6 6 36 32 8 2 12 26 18 16 4 24 6 36 32 8 2 12 26 18 16 4 24 6
7 7 3 21 9 17 27 5 35 15 13 45 39 43 25 37 29 19 41 11 31 33 1 7 22
8 8 18 6 2 16 36 12 4 32 26 24 8 18 6 2 16 36 12 4 32 26 24 8
9 9 35 39 29 31 3 27 13 25 41 1 9 35 39 29 31 3 27 13 25 41 1 9 11
10 10 8 34 18 42 6 14 2 20 16 22 36 38 12 28 4 40 32 44 26 30 24 10
11 11 29 43 13 5 9 7 31 19 25 45 35 17 3 33 41 37 39 15 27 21 1 11 22
12 12 6 26 36 18 32 16 8 4 2 24 12 6 26 36 18 32 16 8 4 2 24 12
13 13 31 35 41 27 29 9 25 3 39 1 13 31 35 41 27 29 9 25 3 39 1 13 11
14 14 12 30 6 38 26 42 36 44 18 22 32 34 16 40 8 20 4 10 2 28 24 14
15 15 41 17 25 7 13 11 27 37 3 45 31 5 29 21 39 33 35 19 9 43 1 15 22
16 16 26 2 32 6 4 18 12 8 36 24 16 26 2 32 6 4 18 12 8 36 24 16
17 17 13 37 31 21 35 43 41 7 27 45 29 33 9 15 25 11 3 5 39 19 1 17 22
18 18 2 36 4 26 8 6 16 12 32 24 18 2 36 4 26 8 6 16 12 32 24 18
19 19 39 5 3 11 25 15 9 33 29 45 27 7 41 43 35 21 31 37 13 17 1 19 22
20 20 32 42 12 10 16 44 6 28 8 22 26 14 4 34 36 30 2 40 18 38 24 20
21 21 27 15 39 37 41 33 3 17 35 45 25 19 31 7 9 5 13 43 29 11 1 21 22
22 22 24 22 24 22 24 22 24 22 24 22 24 22 24 22 24 22 24 22 24 22 24 22
23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23
J(46) is calculated using theorem 4.9: J(46) = J(2 23) = 1 22 = 22. The number 7 is a
primitive root of 46, because ord
46
(7) = 2 = J(46).
Theorem 4.14.
108,109
For a modulus n and a relative prime to n the following holds:
a
i
(mod n)[i = 1, . . . , J(n) equals the multiplicative group Z

n
if and only if ord
n
(a) = J(n).
108
For prime moduli p all a with 0 < a < p are of order J(p) = p 1. Compare table 5 for an example. In this
case a
i
(mod n) goes through all the values 1, . . . , p 1. Exhausting all possible values of the set is an important
cryptographic proposition (compare theorem 4.5). This determines a permutation (p 1).
109
Table 6 demonstrates that for composite moduli n not all a are of maximal order J(n). In this example only
5, 7, 11, 15, 17, 19 and 21 are of order 22.
102
4.10 Proof of the RSA procedure with Euler-Fermat
Using the Euler-Fermat theorem, we can prove the RSA
110,111
procedure in the group Z

n
.
4.10.1 Basic idea of public key cryptography
The basic idea behind public key cryptography is that all participants possess a dierent pair of
keys (P and S) and the public keys for all recipients are published. You can retrieve the public
key P for a recipient from a directory just as you would look up someones phone number in the
phone book. Furthermore, each recipient has a secret key S that is needed in order to decrypt
the message and that is not known to anyone else. If the sender wishes to send a message M, he
encrypts it using the public key P of the recipient before sending it:
The cipher text C is determined as C = E(P; M), where E (encryption) is the encryption
rule. The recipient uses his private key S to decrypt the message with the decryption rule
D : M = D(S; C).
In order to ensure that this system works for every message M, the following four requirements
must be met:
1. D(S; E(P; M)) = M for every M (invertibility) and M takes very many of its possible
values.
2. All (S, P) pairs are dierent for all participants (i.e. lots of them are needed).
3. The time required to derive S from P is at least as high as the time required to decrypt M
with no knowledge of S.
4. Both C and M can be calculated relatively easily.
The 1st requirement is a general condition for all cryptographic encryption algorithms.
The 2nd requirement can easily be met because there is a very large number of prime numbers
112
and because this can be ensured by a central oce that issues certicates.
It is this last requirement that makes the procedure actually usable. This is because it is possible
to calculate the powers in a linear amount of time (because there is a restriction on the length
of the numbers).
110
The RSA procedure is the most common asymmetric cryptography procedure. Developed in 1978 by Ronald Rivest,
Adi Shamir and Leonard Adleman, it can be used both for signatures and for encryption. Cryptographers always
associate this procedure with the abbreviation RSA the following remark is meant with humor to show that
each letter combination can be used with several meanings: In Britain the Royal Society for the encouragement
of Arts, Manufactures & Commerce is commonly known as the RSA.
111
In literature and in movies not only classic but also modern cryptographic methods have been used (see appendix
A.3).
112
According to the prime number theorem of Legendre and Gauss there are approximately n/ ln(n) prime numbers
up to the number n. This means, for example, that there are 6.510
74
prime numbers under n = 2
256
(= 1.110
77
)
and 3.2 10
74
prime numbers under n = 2
255
. Between 2
255
and 2
256
there are therefore 3.3 10
74
prime numbers
with precisely 256 bits. This large number is also the reason why we cannot simply save them all.
103
Although Whiteld Die and Martin Hellman formulated the general method as early as 1976,
the actual procedure that met all four requirements was only discovered later by Rivest, Shamir
and Adleman.
4.10.2 How the RSA procedure works
The individual steps for implementing the RSA procedure can be described as follows (see
[Eckert2003, p. 213 ] and [Sedgewick1990, p. 338 ]). Steps 1 to 3 constitute key genera-
tion, steps 4 and 5 are the encryption, and steps 6 and 7 are the decryption:
1. Select two distinct random prime numbers
113,114
p and q and calculate n = p q
115
.
The value n is called the RSA modulus
116
.
2. Select an arbitrary e 2, , n 1 such that
117
:
e is relatively prime to J(n) = (p 1) (q 1).
We can then throw away p and q.
118
3. Select d 1, , n 1 with e d 1 (mod J(n)), i.e. d is the multiplicative inverse of e
modulo J(n)
119,120
. We can then throw away J(n).
(n, e) is the public key P.
(n, d) is the secret key S (only d must be kept secret).
113
Compaq introduced the so-called multi-prime method with high marketing eort in 2000. n was the product of
two big and one relative small prime: n = o p q. With theorem 4.10 we get: J(n) = (o 1) (p 1) (q 1).
This method did not assert itself yet.
One reason probably is, that Compaq claimed a patent on it. Generally there is less understanding in Europe and
with the Open Source Initiative , that one can claim patents on algorithms. But there is really no understanding
outside the U.S., that one can get a patent for a special case (3 factors) of an algorithm (RSA), although the patent
for the general case is almost expired.
114
If the two primes p and q are equal then (m
e
)
d
m mod n is not true for all m < n (although e d 1 mod J(n)
is fullled). Example: If n = 5
2
then according to theorem 4.11 it is J(n) = 54 = 20, e = 3, d = 7, ed = 21 1
mod J(n). But it is (5
3
)
7
0 mod 25.
115
The GISA (German Information Security Agency) recommends, to choose the prime factors p and q almost the
same, but not too close:
0.5 < | log
2
(p) log
2
(q)| < 30.
They recommend to generate the primes independently and check that the restriction is fullled (see [GISA2002]).
116
In CrypTool the RSA modulo is denoted with a capital N .
117
It is recommended by cryptanalytic reasons, but not necessary to make RSA work, to select e such that:
max(p, q) < e < J(n) 1.
118
The procedure also allows us to select d freely and then calculate e. However, this has practical disadvantages.
We usually want to be able to encrypt messages quickly, which is why we choose a public exponent e such that
it has a short bit length compared to the modulus n and as few binary ones as possible (e.g. 2
16
+ 1). So a fast
exponentiation is possible when encrypting. We want to select the publicly known e to be an advantageous value
that allows the exponential calculation to be performed quickly during encryption. The prime numbers 3, 17 and
65537 have proved to be particularly practical for this purpose. The most often used number is 65537 = 2
16
+ 1,
or in binary: 10 0 01 (this number is prime and therefor relatively prime to many other numbers).
119
For reasons of security, d should not be too small.
120
We start by determining either d or e depending on the implementation.
104
4. For encryption, the message represented as a (binary) number is divided into parts such
that each part of the number is less than n.
5. Encryption of the plaintext (or the parts of it) M 1, , n 1:
C = E((n, e); M) := M
e
(mod n).
6. For decryption, the cipher text represented as a binary number is divided into parts such
that each part of the number is less than n.
7. Decryption of the cipher text (or the parts of it) C 1, , n 1:
M = D((n, d); C) := C
d
(mod n).
The numbers d, e and n are usually extremely large (e. g. d and e 300 bits, n 600 bits).
Comment:
The security of the RSA algorithm depends as with all public key methods on the diculty to
calculate the private key d from the public key (n, e).
Concrete for the RSA method does this mean:
1. it is hard to calculate J(n) for big compounds n and
2. it is hard to calculate the prime factors of big compounds n (Factorisation!factorisation
problem).
4.10.3 Proof of requirement 1 (invertibility)
For pairs of keys (n, e) and (n, d) that possess xed properties in steps 1 to 3 of the RSA procedure,
the following must be true for all M < n:
M (M
e
)
d
(mod n) with (M
e
)
d
= M
ed
.
This means that the deciphering algorithm above works correctly.
We therefore need to show that:
M
ed
M (mod n).
We will show this in 3 steps (see [Beutelspacher1996, p. 131]).
Step 1:
In the rst step we show that: M
ed
M (mod p). This results from the requirements and from
Euler-Fermat (theorem 4.13). Since n = p q and J(p q) = (p 1) (q 1) and since e and
105
d are selected in such a way that e d 1 (mod J(n)), there is a whole number k such that:
e d = 1 +k (p 1) (q 1).
M
ed
M
1+kJ(n)
M M
kJ(n)
M M
k(p1)(q1)
(mod p)
M (M
p1
)
k(q1)
(mod p) based on little Fermat : M
p1
1 (mod p)
M (1)
k(q1)
(mod p)
M (mod p)
The requirement for using the simplied Euler-Fermat theorem (theorem 4.12) was that M and
p are relatively prime.
Since this is not true in general, we need to consider the case when M and p are not relatively
prime. Since p is a prime number, this implies that p is a factor of M. But this means:
M 0 (mod p).
If p is a factor of M, then p is also a factor of M
ed
. Therefore:
M
ed
0 (mod p).
Since p is a factor of both M and Me d, it is also a factor of their dierence:
(M
ed
M) 0 (mod p).
And therefore our conjecture is also true in this special case.
Step 2:
In exactly the same way we prove that: M
ed
M (mod q).
Step 3:
We now combine the conjectures from (a) and (b) for n = p q to show that:
M
ed
M (mod n) for all M < n.
From (a) and (b) we have (M
ed
M) 0 (mod p) and (M
ed
M) 0 (mod q). Therefore, p
and q are both factors of the same number z = (M
ed
M). Since p and q are distinct prime
numbers, their product must also be a factor of this number z. Thus:
(M
ed
M) 0 (mod p q) or M
ed
M (mod p q) or M
ed
M (mod n).

1st comment:
We can also condense the three steps if we use the theorem 4.13 (Euler-Fermat) - i.e. not the
simplied theorem where n = p and which corresponds to Fermats Little Theorem:
(M
e
)
d
M
ed
M
(p1)(q1)k+1
( M
(p1)(q1)
. .
M
J(n)
1 (mod n)
)
k
M 1
k
M M (mod n).
106
2nd comment:
When it comes to signing messages, we perform the same operations but rst use the secret key
d, followed by the public key e. The RSA procedure can also be used to create digital signatures,
because:
M (M
d
)
e
(mod n).
4.11 Considerations regarding the security of the RSA algorithm
121
There have always been discussions about the suitability of the RSA algorithm for digital signa-
tures and encryption, e. g. after publications of breakthroughs in factorisation. Nevertheless the
RSA algorithm has become a de-facto standard since it was published more than 20 years ago
(compare 7.1).
The security of the RSA algorithm rests as with all cryptographic methods on the following
4 central pillars:
the complexity of the number theoretical problem on which the algorithm is based (here
factorisation of big numbers),
the election of tting parameters (here the length of the module N),
the adequate usage of the algorithm and key generation and
the correct implementation of the algorithm.
Usage and key generation are well understood today. Implementation based on long integer
arithmetic is very easy.
The following sections examine the RSA algorithm with respect to the rst two points.
4.11.1 Complexity
Successful decryption or forgery of a signature without knowing the private key requires
calculating the e-th root mod n. The private key, this is the multiplicative inverse of e mod J(n),
can be easily determined if J(n) is known. J(n) again can be calculated from the prime factors
of n. Breaking of RSA therefore cannot be more dicult than factorisation of the module n.
The best factorisation method known today is a further development of the General Number Field
Sieve (GNFS) , which was originally devised to factor only numbers of a special form (like Fermat
numbers). The complexity of solving the factorisation problem with the GNFS is asymptotically
O(l) = e
c(lln 2)
1/3
(ln(lln(2))
2/3
+o(l)
Please refer to:
A. Lenstra, H. Lenstra: The development of the Number Field Sieve [Lenstra1993].
121
Major parts of chapters 4.11.1 and 4.11.2 follow the article Vorz uge und Grenzen des RSA-Verfahrens written
by F. Bourseau, D. Fox and C. Thiel [Bourseau2002]
107
Robert D. Silverman: A Cost-Based Security Analysis of Symmetric and Asymmetric Key
Lengths [Silverman2000].
This formula shows, that the factorisation problem belongs to the class of problems with sub-
exponential time complexity (i. e. time complexity grows asymptotically not as fast as exponential
functions like e
l
or 2
l
, but strictly slower, e. g. like e

l
). This classication is all that is cur-
rently known; it does not preclude the possibility that the factorisation problem can be solved in
polynomial time (see 4.11.5).
O(l) is the average number of processor steps depending on the bit length l of the number n to be
factorised. For the best currently known factorisation algorithm the constant c = (64/9)
1/173
=
1, 923.
The inverse proposition, that the RSA algorithm can be broken only by factorisation of n, is still
not proven. Most number theorists consider the RSA problem and the factorisation problem
equivalent in terms of time complexity.
Please refer to: Handbook of Applied Cryptography [Menezes2001].
4.11.2 Security parameters because of new algorithms
Factorisation algorithms
The complexity is basically determined by the length l of the module n. Higher values for this
major parameter are oriented at the possibilities of the current algorithms for factorization:
In 1994 a 129-digit RSA module (428 bit), published in 1977, was factorised by a distributed
implementation of the Quadratic Sieve algorithm (QS), developed 1982 by Pomerance. This
eort took 8 months.
Please refer to:
C. Pomerance: The quadratic sieve factoring algorithm [Pomerance1984].
In 1999 a 155-digit module (512 bit) was factored with an implementation of the General
Number Field Sieve algorithm (GNFS) , developed by Buhler, Lenstra and Pomerance. The
GNFS is more ecient than QS if n is longer than about 116 decimal digits. This eort
took 5 months.
Please refer to:
J.P. Buhler, H.W. Lenstra, C. Pomerance: Factoring integers with the number eld
sieve [Buhler1993].
This made evident that a module length of 512 bit no longer prevents from attackers.
And also past 1999 further factorization progress was made up to now (see RSA-200 in chapter
4.11.4).
108
Lattice base reduction algorithms
The module length is not the only parameter relevant for security. Beneath requirements from
implementation and engineering the sizes and the proportions of the parameters e, d and N are
relevant.
According attacks based on lattice reductions are a real threat for (too) simple implementations
of RSA. Theses attacks can be structured into the following four categories:
Attacks against very small public keys e (e.g. e = 3).
Attacks against relatively small private exponents d(e.g. d < N
0.5
).
Factorization of the modul N, if one of the factors p or q is partly known.
Attacks requireing, that a part of the private key d is known.
A good overview about the current status of publications concerning these attacks can be found
in the diploma thesis of Matthias Schneider [SchneiderM2004].
4.11.3 Forecasts about factorization of large integers
Within the last 20 years a lot of progress has been made. Estimations about the future develop-
ment of the ability to factor RSA modules vary and depend on some assumptions:
progression in computing performance (Moores law: every 18 month the computing power
will double) and in grid computing.
development of new algorithms.
Within the last years the module bit length feasible for factorisation increased even without
new algorithms by 10 bit per year. Larger numbers require not only more time to be factored,
but also huge RAM storage for the solutions matrix being used by the best algorithms known
today. This need for storage grows like the square root of the computation time, i. e. also sub-
exponentially. Because RAM availability increased exponentially in the recent decades, it seems
that this should not be the limiting factor.
An estimation of the evolution of secure key lengths was done by Lenstra/Verheul[Lenstra1999]
(compare gure 2 in chapter 7.1).
Within the article [Bourseau2002] Dirk Fox
122
published his prognosis of an almost linear factor-
ization progression, if all inuencing factors are included: Each year the module length feasible
122
His company Secorvo Ltd also delivered a statement on the recommendation for key length selection published
by the GISA (German Information Security Agency). Chapter 2.3.1 of this statement contains a competent and
understandable discussion of RSA security (this document exists to my knowledge only in German):
http://www.secorvo.de/publikat/stellungnahme-algorithmenempfehlung-020307.pdf
109
for factorisation increases by 20 bit on average. So his forecast was below the more optimistic
estimations of GISA and NIST.
This forcast by Dirk Fox from the year 2001 seems to prove true by the factorisation record of
RSA-200 (see chapter 4.11.4). His estimation for the year 2005, to achieve a bit length of 660
bit, was almost a precision landing (compare gure 1).
If the forecast withstand in the future then the factorization of an RSA modul of 1024 bit can
be expected in 15 years.
0
200
400
600
800
1000
1200
1970 1975 1980 1985 1990 1995 2000 2005 2010 2015 2020
Bits
Figure 1: Forecast about future factorisation records compared with current results (from Sec-
orvo)
110
Hermann Hesse
123
:
To let the possible happen, you again and again have to try the impossible.
4.11.4 Status regarding factorisation of concrete large numbers
The web pages http://www.crypto-world.com and http://www.tutorgig.com/ed/RSA number
124
contain exhaustive overviews about the factoring records of composed integers using dierent
methods.
The current record (as of May 2005) obtained using the GNFS method (General Number Field
Sieve) factorised a 200 decimal digit into its both prime factors.
The last records
125
with factorisation algorithms for composed numbers are listed in the following
table:
Decimal digits Binary digits Factored on Factored by
RSA-155 155 512 August, 1999 Herman te Riele et al.
C158 158 523 January, 2002 Jens Franke et al.
RSA-160 160 530 April, 2003 Jens Franke et al.
RSA576 174 576 December, 2003 Jens Franke et al.
C176 176 583 May, 2005 Kazumaro Aoki et al.
RSA600 193 600 November, 2005 Jens Franke et al.
RSA-200 200 663 May, 2005 Jens Franke et al.
Table 28: The current general purpose factoring records (as of November 2005)
Below the last records are explained in more detail.
123
Hermann Hesse, German/Swiss writer and Nobel Prize winner, July 2, 1877 August 9, 1962.
124
This site was not quite up-to-date end of May 2005: RSA-200 was missing.
125
The RSA numbers are certain large semiprime numbers (i.e., numbers with exactly two prime fac-
tors). They were generated and published by the company RSA Security and they form the ba-
sis of the RSA Factoring Challenge, in which factorisations for these numbers are sought. See
http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html.
The rst RSA Factoring Challenge labelled the numbers, from RSA-100 to RSA-500, according to their number
of decimal digits; the second RSA Factoring Challenge labelled the numbers according to their number of binary
digits. Within the second challenge cash prizes have been oered for successful factorisations of RSA576 to RSA2048
(RSA576, RSA640 etc. using 64 bit steps upwards). An exception to this is RSA617, which was created prior to
the change in the numbering scheme.
The researchers around Professor Jens Franke (from the University of Bonn, the GISA and the CWI) do not aim
on getting cash prizes but in extending the research limits. So statements about the necessary length of a secure
RSA modulus are more well-founded.
The C-numbers originate from the Cunningham project: http://www.cerias.purdue.edu/homes/ssw/cun/
111
RSA-155
On August 22, 1999 researchers from the Netherlands found the solution of this RSA challenge.
They factorised a 155-digit number into its both 78-digit primes (see chapter 4.11.2).
This 512 bit RSA-155 meant to reach a kind of magic border.
C158
On January 18, 2002 researchers at the German University of Bonn
126
factorised a 158-digit
decimal number into its both prime factors (these are build with 73 and 86 decimal digits) using
the GNFS method (General Number Field Sieve).
This record got much less attention within the press than the solution of RSA-155.
The task of the researchers from Bonn was not initiated by a challenge, but they wanted to nd
the last prime factors of the integer 2
953
1 (see Wanted List of the Cunningham Project
127
).
The 6 smaller prime factors, already found before have been:
3, 1907, 425796183929,
1624700279478894385598779655842584377,
3802306738549441324432139091271828121 and
128064886830166671444802576129115872060027.
The rst 3 factors can be easily computed
128
. The next three prime factors were found by
P. Zimmerman
129
, T. Grandlund
130
and R. Harley during the years 1999 and 2000 using the
elliptic curve factorisation method.
The last remaining factor, called C158, was known to be composite by then, but its factors
where not known (the following 3 lines contain one number):
39505874583265144526419767800614481996020776460304936
45413937605157935562652945068360972784246821953509354
4305870490251995655335710209799226484977949442955603
The factorisation of C158 resulted in the following two 73- and 86-digit prime factors:
3388495837466721394368393204672181522815830368604993048084925840555281177
and
1165882340667125990314837655838327081813101
2258146392600439520994131344334162924536139.
126
http://www.ercim.org/publication/Ercim News/enw49/franke.html, 2002-01
127
Cunningham project: http://www.cerias.purdue.edu/homes/ssw/cun/
128
E.g. using CrypTool via menu Indiv. Procedures \ RSA Cryptosystem \ Factorisation of a Number.
CrypTool can factorize in a reasonable time numbers no longer than 250 bit. Numbers bigger than 1024 bits are
currently not accepted by CrypTool.
129
http://www.loria.fr/~zimmerma/ecmnet
130
http://www.swox.se/gmp/
112
So now all 8 prime factors of 2
953
1 have been found.
Links:
http://www.loria.fr/ zimmerma/records/gnfs158
http://www.crypto-world.com/FactorRecords.html
http://www.crypto-world.com/announcements/c158.txt
RSA-160
On January 18, 2002 researchers at the German University of Bonn
131
factorised a 160-digit
number into its both prime factors (these are build with each 80 decimal digits) using the GNFS
method (General Number Field Sieve).
The computations for the factorization of RSA-160 also took place at the German Information
Security Agency (GISA) in Bonn
132
.
The 160-digit decimal number origins from the old challenge list of RSADSI. This number was
retracted after RSA-155 (RSA512) had been factorized successfully. The prime factors of RSA-
160 were still unknown. So this record of the team of Prof. Franke provides the solution of the
old challenge, for which RSADSI didnt award a price anymore.
The composite number called RSA-160 is (the following 3 lines contain one number):
215274110271888970189601520131282542925777358884567598017049
767677813314521885913567301105977349105960249790711158521430
2079314665202840140619946994927570407753
The factorisation of RSA-160 resulted in the following two prime factors:
p = 45427892858481394071686190649738831
656137145778469793250959984709250004157335359
and
q = 47388090603832016196633832303788951
973268922921040957944741354648812028493909367
The calculations took place between December 2002 and April 2003.
131
http://www.loria.fr/~zimmerma/records/rsa160
http://www.loria.fr/~zimmerma/records/factor.html
http://www.crypto-world.com/FactorWorld.html
132
Every year the GISA creates a paper to describe which crypto algorithms are feasible to generate digital signa-
tures according to the German signature law under participation of experts from economy and science. To
review signature methods based on the factorisation problem the GISA also co-operates with researchers from
the University of Bonn. Further information about crypto algorithms can be found on the web page of GISA:
http://www.bsi.bund.de/esig/basics/techbas/krypto/index.htm.
113
RSA-200
On May 9, 2005 the research group of Prof. Jens Franke at the German University of Bonn
133
announced, that they achieved a new world record in number factorization together with their
colleagues of the Amsterdam Centrum voor Wiskunde en Informatica.
They factorised a 200-digit number into its both prime factors (these are build with each 100
decimal digits) using the GNFS method (General Number Field Sieve).
The composite number called RSA-200 is (the following 3 lines contain one number):
2799783391122132787082946763872260162107044678695542853756000992932
6128400107609345671052955360856061822351910951365788637105954482006
576775098580557613579098734950144178863178946295187237869221823983
The factorisation of RSA-200 resulted in the following two prime factors:
p = 35324619344027701212726049781984643686711974001976
25023649303468776121253679423200058547956528088349
and
q = 79258699544783330333470858414800596877379758573642
19960734330341455767872818152135381409304740185467
The calculations took place between December 2003 and May 2005. The factorization done by
the group around Bahr, Bohm, Franke, Kleinjung, Montgomery and te Riele lasted almost 17
months. The operating expense of the calculations was about 120,000 MIPS-years
134
.
Size of factorized numbers compared to primality proven numbers
As you notice the factorised compound numbers built of 2 prime factors are much smaller than
the especially structured numbers, for which primality tests are able to decide whether these
numbers are prime or not (see chapters 3.4, 3.5 and 3.6).
Length in bits of the current world records:
(RSA-200 43rd known Mersenne prime)
663 30, 402, 457.
133
http://www.loria.fr/~zimmerma/records/rsa200
134
A MIPS-year (MY) is the quantity of operations a machine can perform in one year, if the machine constantly
achieves one million integer operations per second (MIPS). For illustration: a INTEL Pentium 100 processor
achieves about 50 MIPS. To factorize a 2048 bit module it is estimated to need about 8.5 10
40
MY.
114
4.11.5 Further current research about primes and factorisation
Prime numbers are part of very many topical research areas in number theory and computer
science. Progress made with factorisation is bigger than was estimated 5 years ago this is not
only due to faster computers but also new knowledge.
The security of the RSA algorithm is based on the empirical observation that factoring large
numbers is a hard problem. A module n (typically, 1024 bit) can be easily constructed as the
product of two large primes p, q (typically, 500600 bit each), by calculating n = pq. However,
it is a hard problem to extract p, q from n. Without knowing p or q, the private key cannot be
calculated.
Thus, any progress in eciency of factorising large integers will eect the security of the RSA.
As a consequence, the underlying primes p, q and, thus, the module n (1024 bit as of today)
have to be increased. In case of a quantum leap in factorisation, the RSA algorithm might be
compromised.
Bernsteins paper and its implication on the security of the RSA algorithm
In his paper Circuits for integer factorisation: a proposal (http://cr.yp.to/djb.html), pub-
lished November 2001, D. J. Bernstein [Bernstein2001] addresses the problem of factorising large
integers. Therefore, his results are of relevance from a RSA point of view. As a main result
Bernstein claims that the implementation of the General Number Field Sieve algorithm (GNFS)
can be improved to factor, with the same eort as before, integers with three times more digits.
We note that the denition of eort is a crucial point: Bernstein claims that eort is the product
of time and costs of the machine (including the memory used). The gist of the paper lies in the
fact that he can reduce a big part of factorising to sorting. Using Schimmlers scheme, sorting
can be optimized by massive parallel computing. At the end of section 3 Bernstein explains
this eect: The costs of m
2
parallel computers with a constant amount of memory is a constant
times m
2
. The costs of a computer with a single processor and memory of size m
2
is also of the
order of m
2
, but with a dierent constant factor. With m
2
processors in parallel, sorting of m
2
numbers (with Schimmlers scheme) can be achieved in time m, while a m
2
-memory computer
needs time of the order of m
2
. Decreasing memory and increasing the number of processors, the
computing time can be reduced by a factor 1/m without additional eort in terms of total costs.
In section 5 it is said that massive parallel computing can also increase eciency of factorising
using Lenstras elliptic-curve-method (a search algorithm has costs that increase in a quadratic
square manner instead of cubically).
We note that all results achieved so far are asymptotic results. This means that they only hold
in the limit n to innity. Unfortunately, there is no upper limit for the residual error (i.e. the
dierence between the real and the asymptotic value) for nite n a problem which has already
been addressed by the author. As a consequence, one cannot conclude whether the costs (in the
sense of Bernstein) for factorising 10242048-bit RSA modules can be signicantly reduced.
There is no doubt that Bernsteins approach is innovative. However, the reduction of computing
time under constant costs comes along with a massive use of parallel computing a scenario
115
which seems not to be realistic yet. For example, formally 1 sec computing time on one machine
and 1/1,000,000 sec time parallel computing time on 1,000,000 machines might have same costs.
In reality, it is much harder to realize the second situation, and Bernstein does not take into
account the xed costs, in particular for building a network between all these computers.
Although distributed computing over a large network might help to overcome this problem,
realistic costs for data transfer have to be taken into account a point which was not addressed
in Bernsteins proposal.
As long as there is neither (low cost) hardware nor a distributed computing approach (based
on Bernsteins ideas), there should not be a problem for RSA. It has to be claried from which
magnitude of n on Bernsteins method could lead to a signicant improvement (in the sense of
the asymptotic result).
Arjen Lenstra, Adi Shamir et. al. analyzed the paper of Bernstein [Lenstra2002]. In summary
they expect a factorisation improvement on how much longer the bit length of the keys could be
with a factor of 1.17 (instead of factor 3 as proposed by Bernstein).
The abstract of their paper Analysis of Bernsteins Factorization Circuit says:
... Bernstein proposed a circuit-based implementation of the matrix step of the number eld
sieve factorisation algorithm. We show that under the non-standard cost function used in [1],
these circuits indeed oer an asymptotic improvement over other methods but to a lesser degree
than previously claimed: for a given cost, the new method can factor integers that are 1.17 times
larger (rather than 3.01). We also propose an improved circuit design based on a new mesh
routing algorithm, and show that for factorisation of 1024-bit integers the matrix step can, under
an optimistic assumption about the matrix size, be completed within a day by a device that costs
a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies
exclusively on the hardness of the relation collection step of the number eld sieve.
RSA Securitys analysis of the Bernstein paper [RSA Security 2002] from April, 8 2002 also as
expected concludes, that RSA is still not compromised.
This is still an ongoing discussion.
When this section was written (June 2002) nothing was publicly known about, how far there
exist implementations of his theoretical onsets and how much nancing there was for his research
project.
Links:
http://cr.yp.to/djb.html
http://www.counterpane.com/crypto-gram-0203.html#6
http://www.math.uic.edu
The TWIRL device
In January 2003 Adi Shamir and Eran Tromer from the Weizmann Institute of Science published
a preliminary draft called Factoring Large Numbers with the TWIRL Device raising concerns
about the security of key sizes till 1024 bits [Shamir2003].
116
Their abstract summarizes their results very well: The security of the RSA cryptosystem depends
on the diculty in factoring large integers. The best current factoring algorithm is the Number
Field Sieve (NFS), and its most dicult part is the sieving step. In 1999 a large distributed
computation involving thousands of workstations working for many months managed to factor a
512-bit RSA key, but 1024-bit keys were believed to be safe for the next 15-20 years. In this paper
we describe a new hardware implementation of the NFS sieving step ... which is 3-4 orders of
magnitude more cost eective than the best previously published designs ... . Based on a detailed
analysis of all the critical components (but without an actual implementation), we believe that
the NFS sieving step for 1024-bit RSA keys can be completed in less than a year with a $10M
device, and that the NFS sieving step for 512-bit RSA keys can be completed in less than ten
minutes with a $10K device. Coupled with recent results about the diculty of the NFS matrix
step ... this raises some concerns about the security of these key sizes.
A detailed explanation from these two authors also can be found in the RSA Laboratories Cryp-
toBytes [Shamir2003a].
The 3-page article in the DuD issue of June 2003 [Weis2003] contains a very good explanation,
how the attack using the Generalized Number Field Sieve (GNFS) works and which progress
is made, to factorize numbers. At GNFS we can distinguish 2 general steps: The sieve step
(relation collecting) and the matrix reduction. Besides the sieve step is highly parallelizable, it
dominates the overall calculation burdon. Shamir and Tromer havent built a TWIRL device
yet, but the estimated costs of 10 till 50 million Euro (in order to factorise a 1024-bit number) is
not prohibitive for secret agencies or big criminal organizations, because the costs for a single
espionage satellite is estimated e.g. to be several billion USD. The authors therefore recommend,
to get as soon as possible rid of today used sensible RSA, Die-Hellman or ElGamal keys up
to 1024 bit and to use then keys of at least 2048 bit length. The planned TCPA/Palladium
hardware will use 2048-bit RSA keys!
So recommendations like the ones from the GISA (German Information Security Agency) to use
higher key lengths are very valid.
Primes in P: Primality testing is polynomial
In August 2002 the three Indian researchers M. Agrawal, N. Kayal and N. Saxena published the
paper PRIMES in P about a new primality testing algorithm called AKS [Agrawal2002]. They
discovered a polynomial time deterministic algorithm for determining if a number is prime or
not.
The importance of this discovery is that it provides number theorists with new insights and op-
portunities for further research. Lots of people over centuries have been looking for a polynomial
time test for primality, and this result is a major theoretic breakthrough. It shows that new
results can be generated from already known facts.
But even its authors note that other known algorithms may be faster (for example ECPP). The
new algorithm works on any integer. For example the GIMPS project uses the Lucas-Lehmer
primality test which takes advantage of the special properties of Mersenne numbers. This makes
the Lucas-Lehmer test much faster, allowing to test numbers with millions of digits while general
117
purpose algorithms are limited to numbers with a few thousand digits.
Current research results on this topic can be found at:
http://www.mersenne.org/
http://fatphil.org/maths/AKS/ Original paper in English
http://ls2-www.cs.uni-dortmund.de/lehre/winter200203/kt/material/primes.ps
Good explanation in German by Thomas Hofmeister.
118
Joanne K. Rowling
135
:
It is our choices, that show what we truly are, far more than our abilities.
4.12 Applications of asymmetric cryptography using numerical examples
The results of modular arithmetic are used extensively in modern cryptography. Here we will
provide a few examples from cryptography using small
136
numbers.
Enciphering a text entails applying a function (mathematical operation) to a character string
(number) to generate a dierent number. Deciphering entails reversing this function, in other
words using the distorted image that the function has created from the plaintext in order to
restore the original image. For example, the sender could take the plaintext M of a condential
message and add a secret number, the key S, to obtain the cipher text C:
C = M +S.
The recipient can reconstruct the plaintext by reversing this operation, in other words by sub-
tracting S:
M = C S.
Adding S reliably makes the plaintext impossible to read. However, this encryption is rather
weak, because all an interceptor needs to do to calculate the key is obtain a plaintext and the
associated cipher text
S = C M,
and can then read any subsequent messages encrypted using S.
The essential reason for this is that subtraction is just as simple an operation as addition.
4.12.1 One way functions
If the key is to be impossible to determine even with knowledge of both the plaintext and the
cipher text, we need a function that is, on the one hand, relatively easy to calculate we dont
want to have problems encrypting messages. On the other hand, the inverse function should exist
(otherwise information would be lost during encryption), but should be de facto incalculable.
What are possible candidates for such a one way function? We could take multiplication rather
than addition, but even primary school children know that the inverse function, division, is only
slightly more dicult than multiplication itself. We need to go one step higher in the hierarchy
of calculation methods. It is still relatively simple to calculate the power of a number, but the
corresponding two reverse functions taking roots (nd b in the equation a = b
c
when a and c
135
Joanne K. Rowling, Harry Potter and the Chamber of Secrets, Bloomsbury, 1998, last chapter Dobbys reward,
p. 245, by Dumbledore.
136
In the RSA procedure, we call numbers small if the bit lengths are much less than 1024 bits (i.e. 308 decimal
points). In practice, 1024 bits is currently the minimum length for a secure Certication Authority RSA modulus.
119
are known) and calculating logarithms (nd c in the above equation when a and b are known) are
so complicated that pupils normally do not learn them at school.
Although a certain structure can still be recognised for addition and multiplication, raising num-
bers to the power of another or calculating exponentials totally mixes up all the numbers. Know-
ing a few values of the function doesnt tell us much about the function as a whole (in contrast
to addition and multiplication).
4.12.2 The Die-Hellman key exchange protocol
Whiteld Die, Martin E. Hellman and Ralph Merkle developed this DH key exchange protocol
in Stanford in 1976
137
.
Alice and Bob
138
use a one way function to obtain a key S, the session key, for subsequent
correspondence. This is then a secret that is only known to the two of them. Alice selects a
random number a and keeps it secret. She applies a one way function to a to calculate the
number A = g
a
and sends it to Bob. He does the same, by selecting a secret random number b,
calculating B = g
b
and sending it to Alice. The number g is random and can be publicly known.
Alice applies the one way function together with her secret number a to B, while Bob does the
same with his secret number b and the received number A.
The result S is the same in each case because the one way function is commutative: (g
a
)
b
=
(g
b
)
a
. But even Bob cannot reconstruct Alices secret number a from the data available to him,
while Alice cannot determine Bobs secret number b. And a perpetrator who knows g and has
intercepted both A and B cannot use this knowledge to determine a, b or S.
137
With CrypTool this exchange protocol has been visualized: you can execute the single steps with concrete numbers
using menu Indiv. Procedures \ Protocols \ Die-Hellman Demonstration.
138
Bob and Alice are the default names used for the two authorised participants in a protocol (see [Schneier1996, p.
23]).
120

? ?
-
P
P
P
P
P
P
P
P
P
P
P
P
P
Pq

)
? ?
-
?
?
?
?
? ?
-

Alice
Bob
a b
g
g
A = g
a
B = g
b
A
A
B
B S := A
b
S := B
a
S S
Public: g
Alice generates Bob generates
number randomly number randomly
secret key
secret key
Procedure:
Alice and Bob want to negotiate a secret session key S via a channel that may be intercepted.
1. They select a prime number p and a random number g and exchange this information
openly.
2. Alice now selects a, a random number less than p and keeps it secret.
Similarly, Bob selects b, a random number less than p and keeps it secret.
3. Alice now calculates A g
a
(mod p).
Bob calculates B g
b
(mod p).
4. Alice sends the result A to Bob.
Bob sends the result B to Alice.
5. In order to now determine the session key to be used by both, they both separately raise the
respective results they have received to the power of their secret random number modulo
p. This means:
- Alice calculates S B
a
(mod p) and
- Bob calculates S A
b
(mod p).
Even if a spy intercepts g, p, and the interim results A and B, he cannot use these to determine
the session key used due to the diculty of calculating the discrete logarithm.
We will now use an example with (unrealistically) small numbers to illustrate this.
121
Example using numbers:
1. Alice and Bob select g = 11, p = 347.
2. Alice selects a = 240, Bob selects b = 39 and they keep a and b secret.
3. Alice calculates A g
a
11
240
49 (mod 347).
Bob calculates B g
b
11
39
285 (mod 347).
4. Alice sends Bob: A 49,
Bob sends Alice: B 285.
5. Alice calculates B
a
285
240
268 (mod 347),
Bob calculates A
b
49
39
268 (mod 347).
Alice and Bob can now communicate securely using their shared session key. Even if spies were
to intercept everything transferred via the connection: g = 11, p = 347, A = 49 and B = 285,
they would not be able to calculate the secret key.
Comment:
In this example using such small numbers, it would be possible, but with large numbers the
discrete logarithm problem
139,140
is extremely dicult to solve.
Here, we need to calculate:
For Alice: 11
x
49 (mod 347), that means log
11
(49) (mod 347).
For Bob: 11
y
285 (mod 347), that means log
11
(285) (mod 347).
4.13 The RSA procedure with actual numbers
Having described above how the RSA procedure works, we will now work through the steps using
actual, but small, numbers.
139
If you try to determine the discrete logarithm x that solves the equation 11
x
49 (mod 347) with Mathematica
by means of Solve, you obtain the em tdep message The equations appear to involve the variables to be solved
for in an essentially non-algebraic way. Mathematica therefore claims not to know a direct algebraic procedure
for solving the equation. Yet Mathematica is able to calculate this with the general function for the multiplicative
order (here for Alice): MultiplicativeOrder[11, 347, 49] delivers the value 67.
The syntax with Pari-GP is: znlog(Mod(49,347),Mod(11,347)).
Such number-theory tasks can also be solved using other tools such as the LiDIA or BC package (see web links in
appendix). The dl function in the LC user interface for LiDIA also delivers the value 67 for dl(11,49,347).
140
Why have the functions delivered the value 67 rather than 240 for the dl problem for Alice? The discrete logarithm
is the smallest natural exponent that solves the equation 11
x
49 (mod 347). Both x = 67 and x = 240 (the
number selected in the example) satisfy the equation and can therefore be used to calculate the session key:
285
240
285
67
268 (mod 347). If Alice and Bob had selected a primitive root modulo p as base g, then for every
remainder from the set {1, 2, , p 1} there is exactly one exponent from the set {0, 1, , p 2}.
For info: there are 172 dierent primitive roots for modulo 347, 32 of which are prime (not necessary). Since the
number 11 selected for g in the example is not a primitive root of 347, the remainders do not take all values from
the set {1, 2, , 346}. Thus, for a particular remainder there may be more than one exponent or even no exponent
at all in the set {0, 1, , 345} that satises the equation.
PrimeQ[347] = True; EulerPhi[347] = 346; GCD[11, 347] = 1; MultiplicativeOrder[11, 347] = 173
The syntax with Pari-GP is: isprime(347); eulerphi(347); gcd(11,347); znorder(Mod(11,347)).
122
4.13.1 RSA with small prime numbers and with a number as message
Before applying the RSA procedure to a text, we will rst demonstrate it directly using a single
number as message
141
.
1. Let the selected prime numbers be p = 5 and q = 11.
Thus, n = 55 and J(n) = (p 1) (q 1) = 40.
2. e = 7 (should lie between 11 and 40 and must be relatively prime to 40).
3. d = 23 (since 23 7 161 1 (mod 40)),
Public key of the recipient: (55, 7),
Private key of the recipient: (55, 23).
4. Let the message be the number M = 2 (so no division into blocks is required).
5. Encryption: C 2
7
18 (mod 55).
6. The cipher text is simply the number C = 18 (we therefore do not need to divide it into
blocks).
7. Decryption: M 18
23
18
(1+2+4+16)
18 49 36 26 2 (mod 55).
We will now apply the RSA procedure to a text, rst using the upper case alphabet (26 charac-
ters), then using the entire ASCII character set as the basis for the messages.
i 11
i
mod 347
0 1
1 11
2 121
3 290
67 49 searched exponent
172 284
173 1 = multiplicative order of 11 (mod 347)
174 11
175 121
176 290
240 49 searched exponent
141
Using CrypTool you can solve this with the menu Indiv.Procedures \ RSA Cryptosystem \ RSA Demon-
stration.
123
4.13.2 RSA with slightly larger primes and a text of upper case letters
We have the text ATTACK AT DAWN and the characters are coded in the following simple
manner
142
:
Table 7: capital letters alphabet
Character Numerical value Character Numerical value
Blank 0 M 13
A 1 N 14
B 2 O 15
C 3 P 16
D 4 Q 17
E 5 R 18
F 6 S 19
G 7 T 20
H 8 U 21
I 9 V 22
J 10 W 23
K 11 X 24
L 12 Y 25
Z 26
Key generation (steps 1 to 3):
1. p = 47, q = 79 (n = 3, 713; J(n) = (p 1) (q 1) = 3, 588).
2. e = 37 (should lie between 79 and 3, 588 and must be relatively prime to 3, 588).
3. d = 97 (since e d = 1 mod J(n); 37 97 3, 589 1 (mod 3, 588) )
143
.
4. Encryption:
Text: A T T A C K A T D A W N
Number: 01 20 20 01 03 11 00 01 20 00 04 01 23 14
This 28-digit number is divided into 4-digit parts (because 2, 626 is still smaller than n = 3, 713):
0120 2001 0311 0001 2000 0401 2314
All 7 parts are encrypted using: C M
37
(mod 3, 713)
144
:
1404 2932 3536 0001 3284 2280 2235
5. Decryption:
Cipher text: 1404 2932 3536 0001 3284 2280 2235
This 28-digit number is divided into 4-digit parts.
142
Using CrypTool you can solve this with the menu Indiv.Procedures \ RSA Cryptosystem \ RSA Demon-
stration. This is also described in the tutorial/scenario in CrypTools online help [Options, specify alphabet,
number system, block length 2 and decimal representation].
143
How to compute d = 97 using the extended gcd algorithm is shown in appendix A of this chapter
144
See Appendix E of this chapter for source code to do RSA encryption using Mathematica and Pari-GP.
You can also encrypt the message with CrypTool via the menu path Indiv. Procedures \ RSA Cryptosystem
\ RSA Demonstration.
124
All 7 parts are decrypted using: M C
97
(mod 3, 713):
0120 2001 0311 0001 2000 0401 2314
The 2-digit numbers are transformed into capital letters and blanks.
Using the selected values it is easy for a cryptanalyst to derive the secret values from the public
parameters n = 3, 713 and e = 37 by revealing that 3, 713 = 47 79.
If n is a 768-bit number, there is, according to present knowledge, little chance of this.
4.13.3 RSA with even larger primes and a text made up of ASCII characters
In real life, the ASCII alphabet is used to code the individual characters of the message as 8-bit
numbers.
The idea for this task
145
is taken from the example in [Eckert2003, p. 271].
Coded in decimal notation, the text RSA works! is as follows:
Text: R S A w o r k s !
Number: 82 83 65 32 119 111 114 107 115 33
We will work through the example in 2 variants. The steps 1 to 3 are common for both.
Key generation (steps 1 to 3):
1. p = 503, q = 509 (n = 256, 027; J(n) = (p 1)(q 1) = 255, 016 = 2
3
127 251)
146
.
2. e = 256, 027 (should lie between 509 and 255, 016 and must be relatively prime to 255, 016)
147
.
3. d = 231, 953
(since e d
1
mod J(n) : 65, 537 231, 953 15, 201, 503, 761 1 (mod 67, 000))
148
.
Variant 1: All ASCII characters are en-/decrypted separately (no blocks are formed).
4. Encryption:
Text: R S A w o r k s !
Number: 82 83 65 32 119 111 114 107 115 33
The letters are not combined
149
!
145
Using CrypTool you can solve this via the menu path Indiv.Procedures \ RSA Cryptosystem \ RSA
Demonstration.
146
See Appendix E of this chapter for the source code to factorise the number J(n) using Mathematica and Pari-GP.
Using CrypTool you can solve this with the Indiv.Procedures \ RSA Cryptosystem \ Factorisation of a
Number.
147
e cannot, therefore, be 2, 127 or 251 (65537 = 2
16
+ 1).
In real life, J(n) is not factorised but rather the Euclidean algorithm is used for the selected e to guarantee that
gcd(d, J(n)) = 1.
148
Other possible combinations of (e, d) include: (3, 170, 011), (5, 204, 013), (7, 36, 431).
149
For secure procedures we need large numbers that assume as far as possible all values up to n1. If the possible
value set for the numbers in the message is too small, even large prime numbers cannot make the procedure secure.
An ASCII character is represented by 8 bits. If we want larger values we must combine several numbers. Two
characters need 16 bits, whereby the maximum value that can be represented is 65536. The modulus n must then
be greater than 2
16
= 65536. This is applied in variant 2. When the numbers are combined, the leading zeros are
kept in binary notation (just as if we were to write all numbers with 3 digits in decimal notation above and were
then to obtain the sequence 082 083, 065 032, 119 111, 114 107, 115 033).
125
Each character is encrypted using: C = M
65,537
(mod 256, 027)
150
:
212984 025546 104529 031692 248407
100412 054196 100184 058179 227433
5. Decryption:
Cipher text:
212984 025546 104529 031692 248407
100412 054196 100184 058179 227433
Each character is decrypted using: M C
231,953
mod 256, 027:
82 83 65 32 119 111 114 107 115 33
Variant 2: The ASCII characters are en-/decrypted two at a time as blocks.
In variant 2 the block formation is done in two dierent sub-variants: (4./5. and 4./5.).
Text: R S A w o r k s !
Number: 82 83 65 32 119 111 114 107 115 33
4. Encryption:
Blocks are formed
151
(each ASCII character is encoded into a 8 digit binary number below):
21075 16672 30575 29291 29473
152
Each block is encrypted using: C M
65,537
(mod 256, 027)
153
:
158721 137346 37358 240130 112898
5. Decryption:
Cipher text:
158721 137346 37358 240130 112898
Each block is decrypted using: M C
231,953
(mod 256, 027):
21075 16672 30575 29291 29473
4. Encryption:
Blocks are formed: (each ASCII character is encoded into a 3 digit decimal number below):
150
See Appendix E of this chapter for the source code for RSA exponentiation using Mathematica and Pari-GP.
151
binary representation decimal representation
01010010, 82 01010010 01010011 =21075
01010011, 83
01000001, 65 01000001 00100000 =16672
00100000, 32
01110111, 119 01110111 01101111 =30575
01101111, 111
01110010, 114 01110010 01101011 =29291
01101011, 107
01110011, 115 01110011 00100001 =29473
00100001, 33:
152
Using CrypTool you can solve this with the menu Indiv.Procedures \ RSA Cryptosystem \ RSA Demon-
stration with the following options: all 256 ASCII characters, b-adic, block length 2 and decimal representation.
153
See Appendix E of this chapter for the source code for RSA exponentiation using Mathematica and Pari-GP.
126
82083 65032 119111 114107 115033
154
Each block is encrypted using: C M
65,537
(mod 256, 027)
155
:
198967 051405 254571 115318 014251
5. Decryption:
Cipher text:
198967 051405 254571 115318 014251
Each block is decrypted using: M C
2,473
(mod 67, 519):
82083 65032 119111 114107 115033
4.13.4 A small RSA cipher challenge (1)
The task is taken from [Stinson1995, Exercise 4.6]: The pure solution has been published by Prof.
Stinson at http://www.cacr.math.uwaterloo.ca/~dstinson/solns.html.
156
However, it is not the result that is important here but rather the individual steps of the solution,
that is, the explanation of the cryptanalysis
157
:
Two samples of RSA cipher text are presented in Tables 4.1 and 4.2. Your task is to decrypt
them. The public parameters of the system are
n = 18, 923 and e = 1, 261 (for Table 4.1) and
n = 31, 313 and e = 4, 913 (for Table 4.2).
This can be accomplished as follows. First, factor n (which is easy because it is so small). Then
compute the exponent d from J(n), and, nally, decrypt the cipher text. Use the square-and-
multiply algorithm to exponentiate modulo n.
In order to translate the plaintext back into ordinary English text, you need to know how alpha-
betic characters are encoded as elements in Z
n
. Each element of Z
n
represents three alphabetic
characters as in the following examples:
DOG 3 26
2
+ 14 26 + 6 = 2, 398
CAT 2 26
2
+ 0 26 + 19 = 1, 371
ZZZ 25 26
2
+ 25 26 + 25 = 17, 575.
You will have to invert this process as the nal step in your program.
The rst plaintext was taken from The Diary of Samuel Marchbanks, by Robertson Davies,
1947, and the second was taken from Lake Wobegon Days, by Garrison Keillor, 1985.
154
The RSA encryption works correctly with the modulus n = 256.027 because each ASCII block of two characters
will be encoded into a number that is smaller or equal than the number 255, 255.
155
See Appendix E of this chapter for the source code for RSA exponentiation using Mathematica and Pari-GP.
156
or http://bibd.unl/~stinson/solns.html.
157
The method of solving the problem is outlined in the scenario of the online help to CrypTool and in the presentation
on the website. If anyone sends us a well prepared exact method of solving the problem, we would be pleased to
include it in the documentation.
127
TABLE 4.1
158
: RSA cipher text
12423 11524 7243 7459 14303 6127 10964 16399
9792 13629 14407 18817 18830 13556 3159 16647
5300 13951 81 8986 8007 13167 10022 17213
2264 961 17459 4101 2999 14569 17183 15827
12693 9553 18194 3830 2664 13998 12501 18873
12161 13071 16900 7233 8270 17086 9792 14266
13236 5300 13951 8850 12129 6091 18110 3332
15061 12347 7817 7946 11675 13924 13892 18031
2620 6276 8500 201 8850 11178 16477 10161
3533 13842 7537 12259 18110 44 2364 15570
3460 9886 8687 4481 11231 7547 11383 17910
12867 13203 5102 4742 5053 15407 2976 9330
12192 56 2471 15334 841 13995 17592 13297
2430 9741 11675 424 6686 738 13874 8168
7913 6246 14301 1144 9056 15967 7328 13203
796 195 9872 16979 15404 14130 9105 2001
9792 14251 1498 11296 1105 4502 16979 1105
56 4118 11302 5988 3363 15827 6928 4191
4277 10617 874 13211 11821 3090 18110 44
2364 15570 3460 9886 9988 3798 1158 9872
16979 15404 6127 9872 3652 14838 7437 2540
1367 2512 14407 5053 1521 297 10935 17137
2186 9433 13293 7555 13618 13000 6490 5310
18676 4782 11374 446 4165 11634 3846 14611
2364 6789 11634 4493 4063 4576 17955 7965
11748 14616 11453 17666 925 56 4118 18031
9522 14838 7437 3880 11476 8305 5102 2999
18628 14326 9175 9061 650 18110 8720 15404
2951 722 15334 841 15610 2443 11056 2186
158
The numbers of this table can be worked with via Copy and Paste.
128
TABLE 4.2
159
: RSA cipher text
6340 8309 14010 8936 27358 25023 16481 25809
23614 7135 24996 30590 27570 26486 30388 9395
27584 14999 4517 12146 29421 26439 1606 17881
25774 7647 23901 7372 25774 18436 12056 13547
7908 8635 2149 1908 22076 7372 8686 1304
4082 11803 5314 107 7359 22470 7372 22827
15698 30317 4685 14696 30388 8671 29956 15705
1417 26905 25809 28347 26277 7897 20240 21519
12437 1108 27106 18743 24144 10685 25234 30155
23005 8267 9917 7994 9694 2149 10042 27705
15930 29748 8635 23645 11738 24591 20240 27212
27486 9741 2149 29329 2149 5501 14015 30155
18154 22319 27705 20321 23254 13624 3249 5443
2149 16975 16087 14600 27705 19386 7325 26277
19554 23614 7553 4734 8091 23973 14015 107
3183 17347 25234 4595 21498 6360 19837 8463
6000 31280 29413 2066 369 23204 8425 7792
25973 4477 30989
4.13.5 A small RSA cipher challenge (2)
The following task is a corrected version from the excellent book written by Prof. Yan [Yan2000,
Example 3.3.7, p. 318]. However, it is not the result that is important here but rather the
individual steps of the solution, that is, the explanation of the cryptanalysis
160
.
There are three tasks with completely dierent degrees of diculty here. In each case we know
the cipher text and the public key (e, n):
(a) Known plaintext: nd the secret key d using the additionally known original message.
(b) Cipher text only: nd d and the plaintext.
(c) Calculate the RSA modulus, in other words factorisation (with no knowledge of the mes-
sage).
159
The numbers of this table are in the online-help Example illustrating the RSA demonstration of CrypTool.
160
The method of solving the problem is outlined in the scenario of the online help to CrypTool and in the CrypTool
presentation. If anyone sends us a well prepared exact method of solving the problem, we would be pleased to
include it in the documentation.
129
n = 63978486879527143858831415041, e = 17579
Message
161
:
1401202118011200,
1421130205181900,
0118050013010405,
0002250007150400
Cipher:
45411667895024938209259253423,
16597091621432020076311552201,
46468979279750354732637631044,
32870167545903741339819671379
Comments:
The original message consisted of a sentence containing 31 characters (coded with the capital
letters alphabet from section 4.13.2). Each group of 16 decimal numbers is then combined to
form one number (the last number is lled with zeros). These numbers are raised to the power
of e.
When you decrypt the message you must ll the calculated numbers with leading zeros in order
to obtain plaintext.
This needs to be stressed because the type of padding is extremely important during implemen-
tation and standardisation for interoperable algorithms.
161
The numbers of this table are in the online help Example illustrating the RSA demonstration of CrypTool.
130
References
[Agrawal2002] M. Agrawal, N. Kayal, N. Saxena,
PRIMES in P, August 2002
http://www.cse.iitk.ac.in/news/primality.html
[Bartholome1996] A. Bartholome, J. Rung, H. Kern,
Zahlentheorie f ur Einsteiger, Vieweg 1995, 2nd edition 1996.
[Bauer1995] Friedrich L. Bauer,
Entzierte Geheimnisse, Springer, 1995.
[Bauer2000] Friedrich L. Bauer,
Decrypted Secrets, Springer 1997, 2nd edition 2000.
[Bernstein2001] D. J. Bernstein,
Circuits for integer factorization: a proposal,
http://cr.yp.to/papers/nfscircuit.ps
http://cr.yp.to/djb.html
[Beutelspacher1996] Albrecht Beutelspacher,
Kryptologie, Vieweg 1987, 5th edition 1996.
[Bourseau2002] F. Bourseau, D. Fox, C. Thiel,
Vorz uge und Grenzen des RSA-Verfahrens,
In: Datenschutz und Datensicherheit (DuD) 26/2002, pp 84-89 (see www.dud.de),
http://www.secorvo.de/publikationen/rsa-grenzen-fox-2002.pdf
[Brands2002] Gilbert Brands,
Verschl usselungsalgorithmen Angewandte Zahlentheorie rund um Sicherheitsprotokolle,
Vieweg, 2002.
[Buchmann1999] Johannes Buchmann,
Einf uhrung in die Kryptographie, Springer, 1999.
[Buhler1993] J.P. Buhler, H.W. Lenstra, C. Pomerance,
Factoring integers with the number eld sieve,
In: A.K. Lenstra, H.W. Lenstra (Hrsg.): The Development of the Number Field Sieve,
Lecture Notes in Mathematics, Vol. 1554, Springer, Heidelberg 1993, pp 5094.
[Eckert2003] Claudia Eckert,
IT-Sicherheit: Konzepte-Verfahren-Protokolle, Oldenbourg 2001, 2nd edition 2003.
[Ertel2001] Wolfgang Ertel,
Angewandte Kryptographie, Fachbuchverlag Leipzig FV 2001.
131
[GISA2002] GISA (German Information Security Agency),
Recommendation for key length selection, Bonn, Sep. 2002,
http://www.bsi.bund.de/esig/basics/techbas/krypto/bund02v7.pdf
A statement on these recommendations:
http://www.secorvo.de/publikat/
stellungnahme-algorithmenempfehlung-020307.pdf
[Graham1994] Graham, Knuth, Patashnik,
Concrete Mathemathics, a Foundation of Computer Science,
Addison Wesley 1989, 6th printing 1990.
[Kippenhahn1997] Rudolph Kippenhahn,
Verschl usselte Botschaften Geheimschrift, Enigma und Chipkarte, Rowohlt, 1997.
[Kippenhahn1999] Rudolph Kippenhahn,
Code Breaking A History and Exploration, Constable, 1999.
[Knuth1998] Donald E. Knuth,
The Art of Computer Programming, vol 2: Seminumerical Algorithms,
Addison-Wesley, 2nd edition 1998.
[Lenstra1993] A. Lenstra, H. Lenstra:
The development of the Number Field Sieve,
Lecture Notes in Mathematics 1554, Springer, New York 1993
[Lenstra2002] Arjen K. Lenstra, Adi Shamir, Jim Tomlinson, Eran Tromer,
Analysis of Bernsteins Factorization Circuit,
http://www.cryptosavvy.com/mesh.pdf
[Menezes2001] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone
Handbook of Applied Cryptography, CRC Press 1997, 5th printing 2001.
[Peeger1997] Charles P. Peeger,
Security in Computing, Prentice-Hall, 2nd edition 1997.
[Pomerance1984] C. Pomerance,
The quadratic sieve factoring algorithm,
In: G.R. Blakley, D. Chaum (Hrsg.): Proceedings of Crypto 84, LNCS 196, Springer
Berlin 1995, pp 169-182.
[RSA Security 2002] RSA Security,
Has the RSA algorithm been compromised as a result of Bernsteins Paper?,
April 8th, 2002,
http://www.rsasecurity.com/
132
[SchneiderM2004] Matthias Schneider,
Analyse der Sicherheit des RSA-Algorithmus.
Mogliche Angrie, deren Einuss auf sichere Implementierungen und okonomische Kon-
sequenzen,
Diploma thesis at the University of Siegen, Germany, 2004.
[Schneier1996] Bruce Schneier,
Applied Cryptography, Protocols, Algorithms, and Source Code in C,
Wiley and Sons, 2nd edition 1996.
[Schwenk2002] Jorg Schwenk,
Sicherheit und Kryptographie im Internet, Vieweg 2002.
[Sedgewick1990] Robert Sedgewick,
Algorithms in C, Addison-Wesley, 1990.
[Shamir2003] Adi Shamir, Eran Tromer,
Factoring Large Numbers with the TWIRL Device, Januar 2003,
http://www.wisdom.weizmann.ac.il/~tromer/.
[Shamir2003a] Adi Shamir, Eran Tromer,
On the Cost of Factoring RSA-1024, RSA Laboratories CryptoBytes Volume 6, No. 2,
Summer 2003, p. 11-20
http://www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes August 2003.pdf
[Silverman2000] Robert D. Silverman:
A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths
In: RSA Laboratories Bulletin, No. 13, April 2000, p. 1-22
[Stinson1995] Douglas R. Stinson,
Cryptography - Theory and Practice, CRC Press, 1995.
[Weis2003] R udiger Weis, Stefan Lucks, Andreas Bogk,
Sicherheit von 1024 bit RSA-Schl usseln gefahrdet,
In: Datenschutz und Datensicherheit (DuD) 6/2003, pp 360-362 (see www.dud.de)
The article explains details about the TWIRL device.
[Welschenbach2001] Welschenbach, Michael,
Kryptographie in C und C++, Springer 2001.
[Wiles1994] Wiles, Andrew,
Modular elliptic curves and Fermats Last Theorem,
In: Annals of Mathematics 141 (1995).
[Wolfenstetter1998] Albrecht Beutelspacher, Jorg Schwenk, Klaus-Dieter Wolfenstetter,
Moderne Verfahren in der Kryptographie, Vieweg 1995, 2nd edition 1998.
[Yan2000] Song Y. Yan,
Number Theory for Computing, Springer, 2000.
133
Web links
1. Ron Knotts Fibonacci page,
Here, everything revolves around Fibonacci numbers.
http://www.mcs.surrey.ac.uk/personal/R.Knott/Fibonacci/fib.html
2. CrypTool,
E-Learning freeware to illustrate cryptography and cryptanalysis
http://www.cryptool.de,
http://www.cryptool.org,
http://www.cryptool.com
3. Mathematica,
Commercial mathematics package
http://www.wolfram.com
4. LiDIA,
Extensive library containing number-theory functions and the LC interpreter
http://www.informatik.tu-darmstadt.de/TI/LiDIA
5. BC,
Interpreter with number-theory functions
http://www.maths.uq.edu.au/~krm/gnubc.html
6. Pari-GP,
Excellent, fast, free interpreter with number theoretical functions
http://www.parigp-home.de and http://www.parigp-home.com
7. Only after I had completed this article, did I come across the website of Mr. M unchenbach,
which interactively and didactically uses elementary number theory to provide a sophisti-
cated description of the fundamental mathematical thought processes. It was created for
a teaching project in the 11th grade of the technical grammar school (unfortunately only
available in German):
http://www.hydrargyrum.de/kryptographie
8. Once again only after nishing this I happened upon the web site of Mr. Wagner, who is
responsible for the development of the curriculum of computer science in one of the German
federal states (Lander). Here you can get hold of a collection of texts and (Java-)programs
(available only in German):
http://www.hom.saar.de/~awa/kryptolo.htm
9. GISA,
German Information Security Agency
http://www.bsi.bund.de
10. Factorisation records and challenges,
http://www.crypto-world.com/
134
http://www.crypto-world.com/FactorWorld.html, page by Scott Contini
http://www.loria.fr/~zimmerma/records/factor.html
http://www.tutorgig.com/ed/RSA number
http://www.uni-bonn.de/Aktuelles/Pressemitteilungen/pm02/pm035-02.html
http://www.ercim.org/publication/Ercim News/enw49/franke.html, 2002-01
http://www.loria.fr/~zimmerma/records/rsa160
http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html
11. The Cunningham Project,
http://www.cerias.purdue.edu/homes/ssw/cun/
Acknowledgments
I would like to take this opportunity to thank
Mr. Henrik Koy for making many very useful suggestions, for the very constructive proof-
reading this article and for helping with TeX.
Mr. Koy designed and developed in his leisure time the functions and the complex dialog
box of the RSA cryptosystem, which enables you to execute the RSA samples of this article.
Jorg Cornelius Schneider for his TeX support und for the many cases where he helped when
facing programming or design problems.
Dr. Georg Illies for pointing me to Pari-GP .
135
Appendix A: the greatest common divisor (gcd) of whole numbers and the two
Algorithms of Euclid
1. The greatest common divisor of two natural numbers a and b is an important value that
can be calculated very quickly. Here we make use of the fact that if a number c divides the
numbers a and b (i.e. there exists an a

and a b

such that a = a

c and b = b

c), then
c also divides the remainder r of a/b. In short notion we can write: If c divides a and b it
follows that c divides r = aa/b| b
162
. As the latter statement is valid for each common
divisor c of a and b it follows that:
gcd(a, b) = gcd(a a/b| b, b).
Using this information, the algorithm for calculating the gcd of two numbers can be written
as follows (in pseudo code):
INPUT: a,b != 0
1. if ( a < b ) then x = a; a = b; b = x; // Swap a and b (a > b)
2. a = a - int(a/b) * b // a is smaller than b, the
// gcd(a, b) is unchanged
3. if ( a != 0 ) then goto 1. // a falls after each step and
// the algorithm ends when a==0.
OUTPUT "gcd(a,b) = " b // b is the gcd of the original a and b
2. However, to other relationships can be derived from the gcd: For this, we need the set of
equations for a and b:
a = 1 a + 0 b
b = 0 a + 1 b,
or, in matrix notation:
_
a
b
_
=
_
1 0
0 1
_

_
a
b
_
.
We summarise this information in the extended matrix:
_
a [ 1 0
b [ 0 1
_
If we apply the above gcd algorithm to this matrix, we obtain the extended gcd algorithm:
162
The Gauss bracket x of a real number x is dened via: x is the next integer less or equal x.
136
INPUT: a, b ,= 0
0. x
1,1
:= 1, x
1,2
:= 0, x
2,1
:= 0, x
2,2
:= 1
1.
_
a [ x
1,1
x
1,2
b [ x
2,1
x
2,2
_
:=
_
0 1
1 a/b| b
_

_
a [ x
1,1
x
1,2
b [ x
2,1
x
2,2
_
.
2. if (b != 0) then goto 1.
OUTPUT: gcd(a, b) = a x +b y: , gcd(a, b) = b, x = x
2,1
, y = x
2,2
Since this algorithm only performs linear transformations, the same equations always apply
a = x
1,1
a +x
1,2
b
b = x
2,1
a +x
2,2
b,
and we have the extended gcd equation at the end of the algorithm
163
:
gcd(a, b) = a x
2,1
+b x
2,2
.
Example:
Using the extended gcd we can determine for e = 37 the multiplicative inverse number d
to modulo 3588 (i.e. 37 d 1 (mod 3588)):
0.
_
3588 [ 1 0
37 [ 0 1
_
1.
_
37 [ 1 0
36 [ 0 96
_
=
_
0 1
1 (3588/36| = 96) 37
_

_
3588 [ 1 0
37 [ 0 1
_
.
2.
_
36 [ 1 96
1 [ 1 97
_
=
_
0 1
1 (37/36| = 1) 36
_

_
37 [ 1 0
36 [ 0 96
_
.
3.
_
1 [ 1 97
0 [ 37 3588
_
=
_
0 1
1 (36/1| = 36) 1
_

_
36 [ 1 96
1 [ 1 97
_
.
OUTPUT:
gcd(37, 3588) = a x +b y: gcd(37, 3588) = 1, x = 1, y = 97.
Thus
(a) 37 and 3588 are relatively prime (37 has an inverse modulo 3588).
(b) 37 97 = (1 3588) + 1 in other words 37 97 1 (mod 3588). and therefore the
number 97 is the multiplicative inverse to 37 modulo 3588.
163
By termination of the gcd algorithm, the program variables a and b contain the values a = 0 and b = gcd(a, b).
Please keep in mind, that the program variables are dierent to the numbers a and b and that they are only relevant
for the scope of the algorithm.
137
Appendix B: Forming closed sets
The property of closeness is always dened in relation to an operation in a set. The following
shows how to construct the closed set G with respect to the operation + (mod 8) for a given
initial set G
0
:
G
0
= 2, 3 addition of the numbers in G
0
determines further numbers :
2 + 3 5 (mod 8) = 5
2 + 2 4 (mod 8) = 4
3 + 3 6 (mod 8) = 6
G
1
= 2, 3, 4, 5, 6 addition of the numbers in G
1
determines :
3 + 4 7 (mod 8) = 7
3 + 5 8 (mod 8) = 0
3 + 6 9 (mod 8) = 1
G
2
= 0, 1, 2, 3, 4, 5, 6, 7 addition of the numbers in G
2
does not extend the set!
G
3
= G
2
we say : G
2
is closed for addition (mod 8).
End of forming a closed set.
Appendix C: Comments on modulo subtraction
Comment on subtraction modulo 5: 24 2 3 mod 2. It is therefore not true modulo 5 that
2 = 2 ! People often make the mistake of equating this. You can show this clearly if you place
the permutation (0, 1, 2, 3, 4) in Z
5
, for example from 11 to +11, over the range of numbers in
Z.
4 1 2 3 4 1 2 3 4 1 2 3 4 1 2
-11 -1 -2 -3 -4 -6 -7 -8 -9 1 2 3 4 6 7
3 4 1
8 9 11
0 0 0 0 0
0 -5 5 10 -10
range of numbers modulo 5
range of numbers in Z
138
Appendix D: Base representation of numbers, estimation of length of digits
For a given number z one may ask how to represent such a number. In general we use represen-
tations like z = 2374 or z =

2. The second number consists of an innite number of digits and
therefore it can never be described precisely by the rst representation. In this case the number
must be rounded.
We represent numbers usually in the decimal system (base 10). Computers are working with the
binary representation of numbers only for the display numbers are represented in decimal or
sometimes hexadecimal (base 16) form.
This appendix describes how to generate arbitrary base representations of anay positive integer
and how to determine the number of required digits via the logarithm function.
b-adic sum representation of positive integers
Given base b, each positive integer z can be represented as a b-adic sum
z = a
n
b
n
+a
n1
b
n1
+ +a
1
b +a
0
,
where a
i
0, 1, . . . , b 1, i = 0, 1, . . . , n are called digits. For this sum, it follows that for
arbitrary digits a
0
, a
1
, . . . , a
n
we have b
n+1
> a
n
b
n
+ a
n1
b
n1
+ + a
1
b + a
0
. On the other
hand there exist a
0
, a
1
, . . . , a
n
(namely a
i
= b 1 for i = 0, . . . , n) following that b
n+1
1
a
n
b
n
+a
n1
b
n1
+ +a
1
b+a
0
(using these inequalities it can be shown that each positve integer
can be represented by a b-adic sum).
By writing the digits a
n
a
n1
a
1
a
0
in a row directly after each other (without the b
i
) the usual
writing for numbers comes to hand.
Examples:
Base b = 10: 10278 = 1 10
4
+ 0 10
3
+ 2 10
2
+ 7 10
1
+ 8 and
Base b = 16: FE70A = 15 16
4
+ 14 16
3
+ 7 16
2
+ 0 16
1
+ 10.
Number of digits to represent a positive integer
For a positive integer z the length of the b-adic representation can be determined via the following
steps. Starting from the inequality b
n+1
> z b
n
we have after applying the logarithm function
on basis b
164
: n + 1 > log
b
z n. Therefore we have n = log
b
z|
165
. We call l
b
(z) the number of
required digits to represent the number z on the base b. We have
l
b
(z) := log
b
z| + 1.
164
Applying the logarithm formula on base b and b

we have log
b
z = log
b
z/ log
b
(b). It is therefore easy using e.g.
logarithm tables for the base b

= 10 to compute the logarithm of base b = 2.

165
The function x determines the next integer smaller than x (in case x 0 the digits after the decimal point are
truncated).
139
Example 1: We compute for the decimal number z = 234 (EA in hex) the hexadecimal repre-
sentation (number base b = 16)
l
16
(z) = log
16
(z)| + 1 = ln(z)/ ln(16)| + 1 = 1.96...| + 1 = 1 + 1 = 2.
Example 2: We compute for the decimal number z = 234 (11101010 in binary) the binary
representation (number base b = 2)
l
2
(z) = log
2
(z)| + 1 = ln(z)/ ln(2)| + 1 = 7.87...| + 1 = 7 + 1 = 8.
Algorithm to compute the base representation
Given the number z one can compute the base b representation of z using the following algorithm
input: z, b
n := 0, z

:= z
while z

> 0 do
a
n
:= z

mod b,
z

:= z

/b|
n := n + 1
end do
output: a
n
a
n1
a
1
a
0
in base b representation.
Example 1: The integer z = 234 on the number base 10 will be transformed into the hex
representation via a
0
= 234 mod 16 = 10 = A, 234/16 = 15 = E, a
1
= 14 mod 16 = E and
therefore we have EA.
Example 2: The binary number z = 1000100101110101 is transformed into the decimal repre-
sentation via the following steps:
1000100101110101 = 1001 (mod 1010) = a
0
= 9, 1000100101110101/1010 = 110110111110
110110111110 = 1000 (mod 1010) = a
1
= 8, 110110111110/1010 = 101011111
101011111 = 1 (mod 1010) = a
2
= 1, 10101111/1010 = 100011
100011 = 101 (mod 1010) = a
3
= 5, 100011/1010 = 1
11 = 11 (mod 1010) = a
4
= 3
therefore z = 35189.
140
Appendix E: Examples using Mathematica and Pari-GP
This appendix gives you the source code to compute the tables and examples using Mathematica
or the free software Pari-GP.
Multiplication table modulus m
The multiplication tables modulo m = 17 for a = 5 and a = 6 on page 89 can be computed in
Mathematica with the following commands:
m = 17; iWidth = 18; iFactor1 = 5; iFactor2 = 6;
Print[ i , Table[ i, {i, 1, iWidth} ] ];
Print[ iFactor1, *i , Table[ iFactor1*i, {i, 1, iWidth } ] ];
Print[ Remainder , Table[ Mod[iFaktor1*i, m], {i, 1, iWidth } ] ];
Print[ iFactor2, *i , Table[ iFactor2*i, {i, 1, iWidth } ] ];
Print[ Remainder , Table[ Mod[iFactor2*i, m], {i, 1, iWidth } ] ];
Pari-GP computes the tables via:
m=17; iWidth=18; iFactor1=5; iFactor2=6;
matrix(1,iWidth, x,y, iFactor1*y) yields
[5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90]
matrix(1,iWidth, x,y, (iFactor1*y)%m ) yields
[5 10 15 3 8 13 1 6 11 16 4 9 14 2 7 12 0 5]
Note: Pari-GP generates when using the Mod function compound Mod objects, which are displayed
as shown below:
matrix(1,iWidth, x,y, Mod(iFactor1*y, m))
[Mod(5, 17) Mod(10, 17) Mod(15, 17) Mod(3, 17) Mod(8, 17) Mod(13, 17) Mod(1, 17)
Mod(6, 17) Mod(11, 17) Mod(16, 17) Mod(4, 17) Mod(9, 17) Mod(14, 17) Mod(2, 17)
Mod(7, 17) Mod(12, 17) Mod(0, 17) Mod(5, 17)]
From a Mod object you can get back the components with the component or lift function:
component(Mod(5, 17),1) 17
component(Mod(5, 17),2) 5
component(Mod(17,5), 1) 5
component(Mod(17,5), 2) 2
lift(Mod(17,5)) 2
The other multiplication table examples modulo 13 and modulo 12 on page 89 can computed by
replacing m=17 with m=13 and m=12 respectively.
141
Fast exponentiation
The fast exponentiation modulo m belongs to the built in functions of Mathematica and Pari-GP.
Using those programs you can comprehend the idea of the square and multiply method. With
Mathematica you can compute the exponentiations of the example on page 92 as follows:
Mod[{87^43, 87^2, 87^4, 87^8, 87^16, 87^32}, 103] = {85, 50, 28, 63, 55, 38}.
and in Pari-GP the syntax is:
Mod([87^43,87^2,87^4,87^8,87^16,87^32],103)
Multiplicative order and primitive roots
The order ord
m
(a) of a number a in the multiplicative group Z

m
is the smallest number i 1,
for with a
i
1 mod m holds. For the example on page 100 you can make Mathematica print all
exponentiations a
i
mod 11 using the following syntax:
m=11; Table[ Mod[a^i, m], {a, 1, m-1}, {i, 1, m-1} ]
Equivalent Pari-GP syntax:
m=11; matrix(10,10, x,y, (x^y)%m )
The table on page 101 gives examples for the order modulo 45 ord
45
(a) and the Euler number
J(45). Mathematica can be used to create this table with the following program (please note
that Print cannot be used inside of Do-loops and each Print outputs a newline).
m = 45;
Do[ Print[ Table[ Mod[a^i, m], {i, 1, 12} ],
, , MultiplicativeOrder[a, m, 1],
, , EulerPhi[m] ],
{a, 1, 12} ];
Here is the corresponding Pari-GP syntax:
m=45;
matrix(12,14, x,y,
if( y<=12, (x^y)%m,
if( y==13, if( gcd(x,m)==1, znorder(Mod(x,m)), "--"),
eulerphi(m))))
znorder(Mod(x,m)) can only be calculated if x is relatively prime to m, which can be checked
with gcd(x,m).
142
Performance can be improved by using Mod(x,m)

y instead of (x

y)%m.
Loops are also supported by Pari-GP. When you remove the table formatting the result looks
like this:
for( x=1,12,
for(y=1,12, print(Mod(x^y,m)));
if(gcd(x,m)==1, print(znorder(Mod(x,m))), print("--"));
print(eulerphi(m)))
The third example on page 102 displays exponentiations a
i
mod 46 as well as the order ord
46
(a).
Mathematica can create this table with the following loop:
m = 46;
Do[ Print[ Table[ Mod[a^i, m], {i, 1, 23} ],
, , MultiplicativeOrder[a, m, 1]
{a, 1, 23} ] ];
In Pari-GP the syntax looks like this:
m=46;
matrix(23,24, x,y,
if( y<=23, (x^y)%m,
if( y==24, if( gcd(x,m)==1, znorder(Mod(x,m)), "--"))))
RSA examples
This section list the source code of the RSA examples in section 4.13 (The RSA procedure with
actual numbers) using Mathematica and Pari-GP syntax.
Example on page 124.
The RSA exponentiation M
37
mod 3713 on message M = 120 can be calculated in Mathematica
like this: PowerMod[120, 37, 3713].
Here is the corresponding Pari-GP syntax:
Mod(120,3713)^37 or Mod(120^37,3713).
Example on page 125.
The factorisation of J(256, 027) = 255, 016 = 2
3
127 251 can be calculated with Mathematica
like this: FactorInteger[255016]= 2,3, 127,1, 251,1.
Pari-GP does the same with:
factor(255016).
Example on page 125.
Mathematica can do RSA encryption with the command:
143
PowerMod[82, 83, 65, 32, 119, 111, 114, 107, 115, 33, 65537, 256027]
Pari-GP needs the following syntax:
vecextract( [Mod(82,256027)^65537, Mod(83,256027)^65537, Mod(65,256027)^65537,
Mod(32,256027)^65537, Mod(119,256027)^65537, ...])
Remarks on using Mod in Pari-GP:
Mod(82,256027)^65537 is much faster than
Mod(82^65537, 256027) and
(82^65537) % 256027.
Example on page 126.
Mathematica can do RSA encryption with the following command:
PowerMod[21075, 16672, 30575, 29291, 29473, 65537, 256027]
The same calculation with Pari-GP:
vecextract( [Mod(21075,256027)^65537, Mod(16672,256027)^65537,
Mod(30575,256027)^65537, Mod(29291,256027)^65537,
Mod(29473,256027)^65537], 31)
Example on page 127.
RSA encryption using Mathematica:
PowerMod[82083, 65032, 119111, 114107, 115033, 65537, 256027]
RSA encryption with Pari-GP:
vecextract( [Mod(82083,256027)^65537, Mod(65032,256027)^65537,
Mod(119111,256027)^65537, Mod(114107,256027)^65537,
Mod(115033,256027)^65537], 31)
144
Appendix F: List of the formulated denitions and theorems
Short description Page
Denition 4.1 prime numbers 80
Denition 4.2 composite numbers 80
Theorem 4.1 factors of composite numbers 81
Theorem 4.2 1. fundamental theorem of number theory 81
Denition 4.3 divisibility 82
Denition 4.4 remainder class r modulo m 82
Denition 4.5 congruent 83
Theorem 4.3 congruence with dierence 83
Theorem 4.4 multiplicative inverse 88
Theorem 4.5 exhaustive permutation 89
Theorem 4.6 power mod m 91
Denition 4.6 Z
n
93
Denition 4.7 Z

n
94
Theorem 4.7 multiplicative inverse in Z

n
95
Denition 4.8 Euler function J(n) 96
Theorem 4.8 J(p) 96
Theorem 4.9 J(p q) 96
Theorem 4.10 J(p
1
p
k
) 96
Theorem 4.11 J(p
e
1
1
p
e
k
k
) 96
Theorem 4.12 little Fermat 97
Theorem 4.13 Euler-Fermat theorem 97
Denition 4.9 multiplicative order ord
m
(a) 100
Denition 4.10 primitive root of m 100
Theorem 4.14 exhausting of all possible values 102
145
5 The Mathematical Ideas behind Modern Cryptography
(Oyono R. / Esslinger B., Sep. 2000, Updates Nov. 2000, Feb. 2003)
5.1 One way functions with trapdoor and complexity classes
A one way function is a function that can be calculated eciently, but whose inverse is ex-
tremely complicated and practically impossible to calculate.
To put it more precisely: A one way function is a mapping f from a set X to a set Y, such that
f(x) can be calculated easily for each element x of X, whereas for (almost) every y from Y it is
practically impossible to nd an inverse image x (i.e. an x where f(x) = y).
An everyday example of a one way function is a telephone book: the function to be performed
is to assign a name to the corresponding telephone number. This can be done easily due to the
fact that the names are sorted alphabetically. However, the inverse function - assigning a name
to a given number - is obviously dicult if you only have a telephone book available.
One way functions play a decisive role in cryptography. Almost all cryptographic terms can
be rephrased using the term one way function. Lets take for example public key encryption
(asymmetric cryptography):
Each subscriber T to the system is assigned a private key d
T
and what is known as a public key
e
T
. These keys must have the following property (public key property):
For an opponent who knows the public key e
T
, it is practically impossible to determine the private
key d
T
.
In order to construct useful public key procedures, therefore, we look for a one way function that
is easy to calculate in one direction , but is dicult (practically impossible) to calculate
in the other direction, provided that a particular piece of additional information (trapdoor) is
not available. This additional piece of information allows the inverse to be found eciently.
Such functions are called trapdoor one way functions. In the above case, d
T
is the trapdoor
information.
In this process, we describe a problem as easy if it can be solved in polynomial time as a function
of the length of the input. If the length of the input is n bits, then the time for calculating the
function is proportional to n
a
, where a is a constant. We say that the complexity of such problems
is O(n
a
) [Landau- or Big-O notation].
If you compare two functions 2
n
and n
a
, where a is a constant, then there always exists a value
for n, from which for all further n applies: n
a
< 2
n
. The function n
a
has a lower complexity.
Sample: for a = 5 the following applies: from the length n = 23, 2
n
is greater than n
5
; for further
n 2
n
clearly increases more quickly [(2
22
= 4, 194, 304, 22
5
= 5, 153, 632), (2
23
= 8, 388, 608,
23
5
= 6, 436, 343), (2
24
= 16, 777, 216, 24
5
= 7, 962, 624)].
The term practically impossible is slightly less precise. In general, we can say that a problem
cannot be solved eciently, if the time required to solve it increases more quickly than the
polynomial time as a function of the size of the input. If, for example, the length of the input is
n bits and the time required for calculating the function is proportional to 2
n
, then the following
146
currently applies: the function practically cannot be calculated for n > 80.
In order to develop a public key procedure that can be implemented in practice, it is therefore
necessary to discover a suitable trapdoor one way function.
In order to tidy things up among this confusing multitude of possible problems and their com-
plexities, we group problems with similar complexities into classes.
The most important complexity classes are the classes P and NP:
The class P: This class contains those problems that can be solved in a polynomial amount
of time.
The class NP: The denition of this class doesnt look at the time required to solve a
problem, but rather at the time required to verify a given solution. The class NP consists
of those problems for which a given solution can be veried in a polynomial amount of time.
Hereby, the term NP non-deterministic means polynomial and is based on a calculation
model, i.e. on a computer that only exists in theory and can guess correct solutions
non-deterministically then verify them in polynomial time.
The class P is contained in the class NP. A well-known unsolved problem is the question whether
or not P ,= NP is true, i.e. whether or not P is a true subset. An important property of the class
NP is that it also contains what are known as NP-complete problems. These are problems
that represent the class NP as follows: If a good algorithm for such a problem exists, then
good algorithms exist for all problems fromNP. In particular: if Ponly contained one complete
problem, i.e. if a polynomial solution algorithm existed for this problem, then Pwould be equal
to NP. In this sense, the NP-complete problems are the most dicult problems in NP.
Many cryptographic protocols are formed in such a way that the good subscribers only have
to solve problems from P, whereas a perpetrator is faced with problems from NP.
Unfortunately, we do not yet know whether one way functions actually exist. However, we can
prove that one way functions exist if and only if P ,= NP [Balcazar1988, S.63].
Mathematicians have again and again claimed to have proven the equivalence, e.g.
http://www.geocities.com/st busygin/clipat.html),
but so far the claims have always turned out to be false.
A number of algorithms have been suggested for public key procedures. In many cases - although
they at rst appeared promising - it was discovered that they could be solved polynomially.
The most famous failed applicant is the knapsack with trapdoor, suggested by Ralph Merkle
[Merkle1978].
147
5.2 Knapsack problem as a basis for public key procedures
5.2.1 Knapsack problem
You are given n objects G
1
, . . . , G
n
with the weights g
1
, . . . g
n
and the values w
1
, , w
n
. The aim
is to carry away as much as possible in terms of value while restricted to an upper weight limit g.
You therefore need to nd a subset of G
1
, , G
n
, i.e. G
i
1
, . . . , G
i
k
, so that w
i
1
+ +w
i
k
is maximised under the condition g
i
1
+ +g
i
k
g.
Such questions are called NP-complete problems (not deterministically polynomial) that are
dicult to calculate.
A special case of the knapsack problem is:
Given the natural numbers a
1
, . . . , a
n
and g., nd x
1
, . . . , x
n
0, 1 where g =

n
i=1
x
i
a
i
(i.e.
where g
i
= a
i
= w
i
is selected). This problem is also called a 0-1 knapsack problem and is
identied with K(a
1
, . . . , a
n
; g).
Two 0-1 knapsack problems K(a
1
, . . . , a
n
; g) and K(a

1
, . . . , a

n
; g

) are called congruent if two

co-prime numbers w and m exist in such a way that
1. m > max

n
i=1
a
i
,

n
i=1
a

i
,
2. g wg

mod m,
3. a
i
wa

i
mod m for all i = 1, . . . , n.
Comment: Congruent 0-1 knapsack problems have the same solutions. No quick algorithm is
known for clarifying the question as to whether two 0-1 knapsack problems are congruent.
A 0-1 knapsack problem can be solved by testing the 2
n
possibilities for x
1
, . . . , x
n
. The best
method requires O(2
n/2
) operations, which for n = 100 with 2
100
1.2710
30
and 2
n/2
1.1310
15
represents an insurmountable hurdle for computers. However, for special a
1
, . . . , a
n
the solution
is quite easy to nd, e.g. for a
i
= 2
i1
. The binary representation of g immediately delivers
x
1
, . . . , x
n
. In general, the a 0-1 knapsack problem can be solved easily if a permutation
166
of 1, . . . , n exists with a
(j)
>

j1
i=1
a
(i)
. If, in addition, is the identity, i.e. (i) = i
for i = 1, 2, . . . , n, then the sequence a
1
, . . . , a
n
is said to be super-increasing. The following
algorithm solves the knapsack problem with a super-increasing sequence in the timeframe of
O(n).
166
A permutation of the numbers 1, . . . , n is a change in the order in which these numbers are listed. For example,
a permutation of (1, 2, 3) is (3, 1, 2), i.e. (1) = 3, (2) = 1 and (3) = 2.
148
for i = n to 1 do
if T a
i
then
T := T s
i
x
i
:= 1
else
x
i
:= 0
if T = 0 then
X := (x
1
, . . . , x
n
) is the solution.
else
No solution exists.
Algorithm 1. Solving knapsack problems with super-increasing weights
5.2.2 Merkle-Hellman knapsack encryption
In 1978, Merkle and Hellman [Merkle1978] specied a public key encryption procedure that is
based on defamiliarising the easy 0-1 knapsack problem with a super-increasing sequence into
a congruent one with a super-increasing sequence. It is a block ciphering that ciphers an n-bit
plaintext each time it runs. More precisely:
149
Let (a
1
, . . . , a
n
) be super-increasing. Let m and w be two co-prime
numbers with m >

n
i=1
a
i
and 1 w m1. Select w with w w 1
mod m the modular inverse of w and set b
i
:= wa
i
mod m, 0 b
i
< m
for i = 1, . . . , n, and verify whether the sequence b
1
, . . . b
n
is not super-
increasing. A permutation b
(1)
, . . . , b
(n)
of b
1
, . . . , b
n
is then published
and the inverse permutation to is dened secretly. A sender writes
his/her message in blocks (x
(j)
1
, . . . , x
(j)
n
) of binary numbers n in length,
calculates
g
(j)
:=
n

i=1
x
(j)
i
b
(i)
and sends g
(j)
, (j = 1, 2, . . . ).
The owner of the key calculates
G
(j)
:= wg
(j)
mod m, 0 G
(j)
< m
and obtains the x
(j)
(i)
0, 1 (and thus also the x
(j)
i
) from
G
(j)
wg
(j)
=
n

i=1
x
(j)
i
b
(i)
w
n

i=1
x
(j)
i
a
(i)
mod m
=
n

i=1
x
(j)
(i)
a
((i))
=
n

i=1
x
(j)
(i)
a
i
mod m,
by solving the easier 0-1 knapsack problems K(a
1
, . . . , a
n
; G
(j)
) with
super-increasing sequence a
1
, . . . , a
n
.
Merkle-Hellman procedure (based on knapsack problems).
In 1982, Shamir [Shamir1982] specied an algorithm for breaking the system in polynomial time
without solving the general knapsack problem. Len Adleman [Adleman1982] and Je Lagarias
[Lagarias1983] specied an algorithm for breaking the twice iterated Merkle-Hellman knapsack
encryption procedure in polynomial time. Ernst Brickell [Brickell1985] then specied an algorithm
for breaking multiply iterated Merkle-Hellman knapsack encryption procedures in polynomial
time. This made this procedure unsuitable as an encryption procedure. It therefore delivers a
one way function whose trapdoor information (defamiliarisation of the 0-1 knapsack problem)
could be discovered by an evesdropper.
150
5.3 Decomposition into prime factors as a basis for public key procedures
5.3.1 The RSA procedure
167
As early as 1978, R. Rivest, A. Shamir, L. Adleman [RSA1978] introduced the most important
asymmetric cryptography procedure to date.
Key generation:
Let p and q be two dierent prime numbers and N = pq. Let e be
any prime number relative to (N) , i.e. gcd(e, (N)) = 1. Using the
Euclidean algorithm, we calculate the natural number d < (N), such
that
ed 1 mod (N).
whereby is the Euler phi Function.
The output text is divided into blocks and encrypted, whereby each
block has a binary value x
(j)
N.
Public key:
N, e.
Private key:
d.
Encryption:
y = e
T
(x) = x
e
mod N.
Decryption:
d
T
(y) = y
d
mod N.
RSA procedure (based on the factorisation problem).
Comment: The Euler phi function is dened as: (N) is the number of natural numbers that
do not have a common factor with N x N. Two natural numbers a and b are co-prime if
gcd(a, b) = 1.
For the Euler phi function: (1) = 1, (2) = 1, (3) = 2, (4) = 2, (6) = 2, (10) = 4, (15) = 8.
For example, (24) = 8, because [x < 24 : gcd(x, 24) = 1[ = [1, 5, 7, 11, 13, 17, 19, 23[.
If p is a prime number, then (p) = p 1.
If we know the various prime factors p
1
, . . . , p
k
of N, then (N) = N (1
1
p
1
) (1
1
p
k
)
168
.
167
Using CrypTool you can gain practical experience with the RSA procedure via the menu Indiv.Procedures \
RSA Cryptosystem \ RSA Demonstration.
168
Further formulas for the Euler phi function are in the article Introduction to Elementary Number Theory with
Examples, chapter 4.8.1.
151
In the case of N = pq, (N) = pq(1 1/p)(1 1/q) = p(1 1/p)q(1 1/q) = (p 1)(q 1).
n (n) The natural numbers that are co-prime to n and less than n.
1 1 1
2 1 1
3 2 1, 2
4 2 1, 3
5 4 1, 2, 3, 4
6 2 1, 5
7 6 1, 2, 3, 4, 5, 6
8 4 1, 3, 5, 7
9 6 1, 2, 4, 5, 7, 8
10 4 1, 3, 7, 9
15 8 1, 2, 4, 7, 8, 11, 13, 14
The function e
T
is a one way function whose trapdoor information is the decomposition into
primes of N.
At the moment, no algorithm is known that can factorise two prime numbers suciently quickly
for extremely large values (e.g. for several hundred decimal places). The quickest algorithms
known today [Stinson1995] factorise a compound whole number N in a time period proportional
to L(N) = e

ln(N) ln(ln(N))
.
N 10
50
10
100
10
150
10
200
10
250
10
300
L(N) 1.42 10
10
2.34 10
15
3.26 10
19
1.20 10
23
1.86 10
26
1.53 10
29
To this date, it has not been proved that the problem of breaking RSA is equivalent to the
factorisation problem. Nevertheless, it is clear that the RSA procedure will no longer be safe if
the factorisation problem is solved.
169
5.3.2 Rabin public key procedure (1979)
In this case it has been shown that the procedure is equivalent to breaking the factorisation
problem. Unfortunately, this procedure is susceptible to chosen-cipher text attacks.
169
In 2000 the authors assumed that values of the order magnitude 100 to 200 decimal places are currently safe.
They estimates that the current computer technology indicates that a number with 100 decimal places could be
factorised in approximately two weeks at justiable costs, and using an expensive conguration (e.g. of around
10 million US dollars), a number with 150 decimal places could be factorised in about a year, and a 200digit
number should remain impossible to factorise for a long time to come, unless there is a mathematical breakthrough.
However, you can never be sure that there wont be a mathematical breakthrough tomorrow.
How easy it is to guess the future wrong is shown by the Factorization of RSA-200 (see chapter 4.11.4) completely
without a mathematical breakthrough.
152
Let p and q be two dierent prime numbers with p, q 3 mod 4 and
n = pq. Let 0 B n 1.
Public key:
e = (n, B).
Private key:
d = (p, q).
Encryption:
y = e
T
(x) = x(x +B) mod n.
Decryption:
d
T
(y) =
_
y +B
2
/4 B/2 mod n.
Rabin procedure (based on the factorisation problem).
Caution: Because p, q 3 mod 4 the encryption is easy to calculate (if the key is known). This
is not the case for p 1 mod 4. In addition, the encryption function is not injective: There are
precisely four dierent source codes that have e
T
(x) as inverse image: x, x B, (x +B/2)
B/2, (x + B/2) B/2, where is one of the four roots of unity. The source codes therefore
must be redundant for the encryption to remain unique!
Backdoor information is the decomposition into prime numbers of n = pq.
5.4 The discrete logarithm as a basis for public key procedures
Discrete logarithms form the basis for a large number of algorithms for public- key procedures.
5.4.1 The discrete logarithm in Z
p
Let p be a prime number and let g Z

p
= 0, 1, . . . , p 1. Then the discrete exponential
function base g is dened as
e
g
: k y := g
k
mod p, 1 k p 1.
The inverse function is called a discrete logarithm function log
g
; the following holds:
log
g
(g
k
) = k.
The problem of the discrete logarithm (in Z

p
) is understood to be as follows:
Given p, g and y, determine k such that y = g
k
mod p.
It is much more dicult to calculate the discrete logarithm than to evaluate the discrete ex-
ponential function (see chapter 4.9). There are several procedures for calculating the discrete
logarithm [Stinson1995]:
153
Name Complexity
Baby-Step-Giant-Step O(

p)
Silver-Pohlig-Hellman polynomial in q, the greatest
prime factor of p 1.
Index-Calculus O(e
(1+o(1))

ln(p) ln(ln(p))
)
5.4.2 Die-Hellman key agreement
170
The mechanisms and algorithms of classical cryptography only take eect when the subscribers
have already exchanged the secret key. In classical cryptography you cannot avoid exchang-
ing secrets without encrypting them. Transmission safety here must be achieved using non-
cryptographic methods. We say that we need a secret channel for exchanging secrets. This
channel can be realised either physically or organisationally.
What is revolutionary about modern cryptography is, amongst other things, that you no longer
need secret channels: You can agree secret keys using non-secret, i.e. public channels.
One protocol that solves this problem is that of Die and Hellman.
Two subscribers A and B want to agree on a joint secret key.
Let p be a prime number and g a natural number. These two numbers
do not need to be secret.
The two subscribers then select a secret number a and b from which they
calculate the values = g
a
mod p and = g
b
mod p. They then ex-
change the numbers and . To end with, the two subscribers calculate
the received value to the power of their secret value to get
a
mod p
and
b
mod p.
Thus

a
(g
b
)
a
g
ba
g
ab
(g
a
)
b

b
mod p
Die-Hellman key agreement.
The safety of the Die-Hellman protocol is closely connected to calculating the discrete
logarithm mod p. It is even thought that these problems are equivalent.
5.4.3 ElGamal public key encryption procedure in Z

p
By varying the Die-Hellman key agreement protocol slightly, you can obtain an asymmetric
encryption algorithm. This observation was made by Taher ElGamal.
170
With CrypTool this exchange protocol has been visualized: you can execute the single steps with concrete numbers
using menu Indiv. Procedures \ Protocols \ Die-Hellman Demonstration.
154
Let p be a prime number such that the discrete logarithm in Z
p
is dicult
to compute. Let Z

p
be a primitive element. Let a IN and =
a
mod p.
Public key:
p, , .
Private key:
a.
Let k Z
p1
be a random number and x Z

p
the plaintext.
Encryption:
e
T
(x, k) = (y
1
, y
2
),
where
y
1
=
k
mod p
and
y
2
= x
k
mod p.
Decryption:
d
T
(y
1
, y
2
) = y
2
(y
a
1
)
1
mod p
ElGamal procedure (based on the factorisation problem).
5.4.4 Generalised ElGamal public key encryption procedure
The discrete logarithm can be generalised in any number of nite groups (G, ). The following
provides several properties of G, that make the discrete logarithm problem dicult.
Calculating the discrete exponential function Let G be a group with the operation and
g G. The (discrete) exponential function base g is dened as
e
g
: k g
k
, for all k N.
where
g
k
:= g . . . g
. .
k times
.
The exponential function is easy to calculate:
Lemma.
The power g
k
can be calculated in at most 2 log
2
k group operations.
155
Proof
Let k = 2
n
+k
n1
2
n1
+ +k
1
2+k
0
be the binary representation of k. Then n log
2
(k), because
2
n
k < 2
n+1
. k can be written in the form k = 2k

+k
0
with k

= 2
n1
+k
n1
2
n2
+ +k
1
.
Thus
g
k
= g
2k

+k
0
= (g
k

)
2
g
k
0
.
We therefore obtain g
k
from g
k

by squaring and then multiplying by g. The claim is thus proved

by induction to n.
Problem of the discrete logarithm
Let G by a nite group with the operation . Let G and H =

i
: i 0.
We need to nd a unique a N with 0 a [H[ 1 and =
a
.
We dene a as log

().
Calculating the discrete logarithm A simple procedure for calculating the discrete loga-
rithm of a group element, that is considerably more ecient than simply trying all possible values
for k, is the Baby-Step-Giant-Step algorithm.
Theorem 5.1. [Baby-Step-Giant-Step algorithm] Let G be a group and g G. Let n be the
smallest natural number with [G[ n
2
. Then the discrete logarithm of an element h G can be
calculated base g by generating two lists each containing n elements and comparing these lists.
In order to calculate these lists, we need 2n group operations.
Proof
First create the two lists
Giant-Step list: 1, g
n
, g
2n
, . . . , g
nn
,
Baby-Step list: hg
1
, hg
2
, . . . , hg
n
.
If g
jn
= hg
i
, i.e. h = g
i+jn
, then the problem is solved. If the lists are disjoint, then h cannot
be represented as g
i+jn
, i, j n,. As all powers of g are thus recorded, the logarithm problem
does not have a solution.
You can use the Baby-Step-Giant-Step algorithm to demonstrate that it is much more dicult
to calculate the discrete logarithm than to calculate the discrete exponential function. If the
numbers that occur have approximately 1000 bits in length, then you only need around 2000
multiplications to calculate g
k
but around 2
500
10
150
operations to calculate the discrete
logarithm using the Baby-Step-Giant-Step algorithm.
In addition to the Baby-Step-Giant-Step algorithm, there are also numerous other procedures for
calculating the discrete logarithm [Stinson1995].
The theorem from Silver-Pohlig-Hellman In nite Abelian groups, the discrete logarithm
problem can be reduced to groups of a lower order.
156
Theorem 5.2. [Silver-Pohlig-Hellman] Let G be a nite Abelian group with [G[ = p
a
1
1
p
a
2
2
. . .p
a
s
s
.
The discrete logarithm in G can then be reduced to solving logarithm problems in groups of the
order p
1
, . . . , p
s
.
If [G[ contains a dominant prime factor p, then the complexity of the logarithm problem is
approximately
O(

p).
Therefore, if the logarithm problem is to be made dicult, the order of the group used G should
have a large prime factor. In particular, if the discrete exponential function in the group Z

p
is to
be a one way function, then p 1 must be a large prime factor.
Let G be a nite group with operation , and let G, so that the
discrete logarithm in H =
i
: i 0 is dicult, Let a with 0 a
[H[ 1 and let =
a
.
Public key:
, .
Private key:
a.
Let k Z
|H|
be a random number and x G be a plaintext.
Encryption:
e
T
(x, k) = (y
1
, y
2
),
where
y
1
=
k
and
y
2
= x
k
.
Decryption:
d
T
(y
1
, y
2
) = y
2
(y
a
1
)
1
Generalised ElGamal procedure (based on the factorisation problem).
Elliptic curves provide useful groups for public key encryption procedures.
157
References
[Adleman1982] Adleman L.:
On breaking the iterated Merkle-Hellman public key Cryptosystem.
Advances in Cryptology, Proceedings of Crypto 82, Plenum Press 1983, 303-308.
[Balcazar1988] Balcazar J.L., Daaz J., Gabarr J.:
Structural Complexity I.
Springer Verlag, pp 63.
[Brickell1985] Brickell E.F.:
Breaking Iterated Knapsacks.
Advances in Cryptology: Proc. CRYPTO

84, Lecture Notes in Computer Science, vol. 196,

Springer-Verlag, New York, 1985, pp. 342-358.
[Lagarias1983] Lagarias J.C.:
Knapsack public key Cryptosystems and diophantine Approximation.
Advances in Cryptology, Proseedings of Crypto 83, Plenum Press.
[Merkle1978] Merkle R. and Hellman M.:
Hiding information and signatures in trapdoor knapsacks.
IEEE Trans. Information Theory, IT-24, 1978.
[RSA1978] Rivest R.L., Shamir A. and Adleman L.:
A Method for Obtaining Digital Signatures and Public Key Cryptosystems.
Commun. ACM, vol 21, April 1978, pp. 120-126.
[Shamir1982] Shamir A.:
A polynomial time algorithm for breaking the basic Merkle-Hellman Cryptosystem.
Symposium on Foundations of Computer Science (1982), 145-152.
[Stinson1995] Stinson D.R.:
Cryptography.
CRC Press, Boca Raton, London, Tokyo, 1995.
Web links
1. http://www.geocities.com/st busygin/clipat.html
158
6 Hash Functions and Digital Signatures
(Schneider J. / Esslinger B. / Koy H., June 2002, Update: Feb. 2003, June 2005)
The aim of digital signatures is to guarantee the following two points:
User authenticity:
It can be checked whether a message really does come from a particular person.
Message integrity:
It can be checked whether the message has been changed (on route).
An asymmetric technique is used again (see encryption procedures). Participants who wish to
generate a digital signature for a document must possess a pair of keys. They use their secret
key to generate signatures and the recipient uses the senders public key to verify whether the
signature is correct. As before, it must be impossible to use the public key to derive the secret
key
171
.
In detail, a Signature procedure looks like this:
Senders use their message and secret key to calculate the digital signature for the message.
Compared to hand-written signatures, digital signatures therefore have the advantage that they
also depend on the document to be signed. Signatures from one and the same participant are
dierent unless the signed documents are completely identical. Even inserting a blank in the
text would lead to a dierent signature. The recipient of the message would therefore detect
any injury to the message integrity as this would mean that the signature no longer matches the
document and is shown to be incorrect when veried.
The document is sent to the recipient together with the signature. The recipient can then use
the senders public key, the document and the signature to establish whether or not the signature
is correct. Because a signature is about as long as the straight datastream to be signed, the
procedure we just described has in practice, however, a decisive disadvantage. The signature is
approximately as long as the document itself. To prevent an unnecessary increase in data trac,
and also for reasons of performance, we apply a cryptographic hash function
172
to the document
171
With CrypTool you can also generate and check digital signatures:
using the submenus of the main menu Digital Signatures / PKI or
using menu Indiv. Procedures \ RSA Cryptosystem \ Signature Demonstration (Signature Genera-
tion).
172
Hash functions are implemented within CrypTool at several places.
Using menus Individual Procedures \ Hash and Analysis \ Hash you have the possibilities
to apply one of 6 hash functions to the content of the current window,
to calculate the hash value of a le,
to test, how changes to a text change the according hash value,
to calculate a key from a password according to the PKCS#5 standard,
to calculate HMACs from a text and a secret key, and
to perform a simulation, how digital signatures could be attacked by a targeted search for hash value collisions.
159
before signing. The output of the hash function will then be signed.
Stanislaw Lem
173
:
We can make everything out of this world, but we cannot create a world, where humans in
some ten thousand years can think: Ok, now it is enough. Everything should stay like it
is. Lets do no changes any more, dont do inventions any more, because it cannot become
better, and if, then we dont want this.
6.1 Hash functions
A hash function
174
maps a message of any length to a string of characters with a constant size,
the hash value.
6.1.1 Requirements for hash functions
Cryptographically secure hash functions fulll the following requirements (the order is in a way
that the requirements increase):
Resistance against 1st Pre-Image attacks:
It should be practically impossible, for a given number, to nd a message that has precisely
this number as hash value.
Given (x): hash value H,
Searched: message m, so that: H(m) = H.
Resistance against 2nd Pre-Image attacks:
It should be practically impossible, for a given message, to nd another message, which has
precisely the same hash value.
Given (x): message m1 [and so the hash value H1 = H(m1)],
Searched: message m2, so that: H(m2) = H1.
Collision resistance:
It should be practically impossible to nd any two messages with the same hash value (it
doesnt matter what hash value).
Searched: 2 messages m1 and m2, so that: H(m1) = H(m2).
173
This was the answer of Stanislaw Lem to heavy critics at his philosophical main book Summa Technologiae,
1964, where he thought about the posibilty of an evolution creating articial intelligence.
174
Hash algorithms compute a condensed representation of electronic data (message). When a message is input to a
hash algorithm, the result is an output called a message digest. The message digests typically range in length from
128 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic
algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation
of random numbers (bits).
160
6.1.2 Current attacks against hash functions like SHA-1
So far, no formal proof has been found that perfectly secure cryptographic hash functions exist.
During the past several years no new attacks against hash algorithms came up, and so the
candidates that had not yet shown any weaknesses in their structure in practice (e.g. SHA1
175
or RIPEMD-160
176
) were trusted.
At Crypto 2004 (August 2004)
177
this safety-feeling was disputed: Chinese researchers published
collision attacks against MD4, SHA-0 and parts of SHA-1. This globally caused new motivation
to engage in new hash attack methods.
Right now the details of the results of the Chinese cryptographers are only announced, but not
revealed completely: They stated that collision attacks on SHA-1 can be found with a work
load of 2
69
. This would mean that SHA-1 has cryptographic weaknesses, because the design of
SHA-1 should ensure a work load for collision search of about 2
80
. The value of 2
69
is currently
a prognosis based on theoretic forecasts. The security of already created digital signatures is not
aected by the described attacks.
According to our current knowledge there is no need to run scared. But in the future digital
signatures should use longer hash values and/or other hash algorithms.
Already before Crypto 2004 NIST announced, to discontinue SHA-1 in the next few years. So it
is recommended not to use SHA-1 for new products generating digital signatures.
Further information about this topic can be found in the article Hash cracked The consequences
of the successful attacks on SHA-1 by Reinhard Wobst and J urgen Schmidt
178
by Heise Security.
175
SHA-1 is a 160 bit hash function specied in FIPS 180-1 (by NIST), ANSI X9.30 Part 2 and [FIPS186].
SHA means Secure Hash Algorithm, and is widely used, e.g. with DSA, RSA or ECDSA.
The current standard [FIPS180-2] denes four secure hash algorithms SHA-1, SHA-256, SHA-384, and SHA-512.
For these hash algorithms there are also validation tests dened in the test suite FIPS 140-2.
The output length of the SHA algorithms was enhanced because of the possibility of birthday attacks: these
make n-bit AES and a 2n-bit hash roughly equivalent:
- 128-bit AES SHA-256
- 192-bit AES SHA-384
- 256-bit AES SHA-512.
With CrypTool you can comprehend the birthday attack on digital signatures:
using the menu Analysis \ Hash \ Attack on the Hash Value of the Digital Signature.
176
RIPEMD-160, RIPEMD-128 and the optional extension RIPEMD-256 have object identiers dened by the ISO-
identied organization TeleTrusT, both as hash algorithm and in combination with RSA. RIPEMD-160 is also
part of the ISO/IEC international standard ISO/IEC 10118-3:1998 on dedicated hash functions, together with
RIPEMD-128 and SHA-1.
Further details:
- http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
- http://www.ietf.org/rfc/rfc2857.txt (The Use of HMAC-RIPEMD-160-96 within ESP and AH).
177
http://www.iacr.org/conferences/crypto2004/
178
http://www.heise.de/security/artikel/56634.
Further references are e.g.:
http://www.bsi.bund.de/esig/basics/techbas/krypto/index.htm
http://csrc.nist.gov/CryptoToolkit/tkhash.html.
161
6.1.3 Signing with hash functions
The hash function procedure is as follows:
Rather than signing the actual document, the sender now rst calculates the hash value of
the message and signs this. The recipient also calculates the hash value of the message (the
algorithm used must be known), then veries whether the signature sent with the message is a
correct signature of the hash value. If this is the case, the signature is veried to be correct. This
means that the message is authentic, because we have assumed that knowledge of the public key
does not enable you to derive the secret key. However, you would need this secret key to sign
messages in another name.
Some digital signature schemes are based on asymmetric encryption procedures, the most promi-
nent example being the RSA system, which can be used for signing by performing the private
key operation on the hash value of the document to be signed.
Other digital signature schemes where developed exclusively for this purpose, as the DSA (Digital
Signature Algorithm), and are not directly connected with a corresponding encryption scheme.
Both, RSA and DSA signature are discussed in more detail in the following two sections. After
that we go one step further and show how digital signatures can be used to create the digital
equivalent of ID cards. This is called Public Key Certication.
6.2 RSA signatures
As mentioned in the comment at the end of section 4.10.3 it is possible to perform the RSA
private and public key operation in reverse order, i. e. raising M to the power of d and then
to the power of e (mod N) yields M again. Based on this simple fact, RSA can be used as a
signature scheme.
The RSA signature S for a message M is created by performing the private key operation:
S M
d
(mod N)
In order to verify, the corresponding public key operation is performed on the signature S and
the result is compared with message M:
S
e
(M
d
)
e
(M
e
)
d
M (mod N)
If the result matches the message M, then the signature is accepted by the verier, otherwise the
message has been tampered with, or was never signed by the holder of d.
As explained above, signatures are not performed on the message itself, but on a cryptographic
hash value of the message. To prevent certain attacks on the signature procedure (alone or in
combination with encryption) it is necessary to format the hash value before doing the exponen-
tiation, as described in the PKCS#1 (Public Key Cryptography Standard #1 [PKCS1]). The
fact that this standard had to be revised recently, after being in use for several years, can serve
as an example of how dicult it is to get the details of cryptography right.
162
6.3 DSA signatures
In August of 1991, the U.S. National Institute of Standards and Technology (NIST) proposed a
digital signature algorithm (DSA), which was subsequently adopted as a U.S. Federal Information
Processing Standard (FIPS 186 [FIPS186]).
The algorithm is a variant of the ElGamal scheme. Its security is based on the Discrete Logarithm
Problem. The DSA public and private key and its procedures for signature and verication are
summarised below.
Public Key
p prime
q 160-bit prime factor of p 1
g = h
(p1)/q
mod p, where h < p 1 and h
(p1)/q
> 1 (mod p)
y g
x
mod p
Remark: Parameters p, q and g can be shared among a group of users.
Private Key
x < q (a 160-bit number)
Signing
m the message to be signed
k choose at random, less than q
r = (g
k
mod p) mod q
s = (k
1
(SHA-1(m) +xr)) mod q
Remark:
(s, r) is the signature.
The security of the signature depends not only on the mathematical properties, but also
on using a good random source for k.
SHA-1 is a 160-bit hash function.
Verifying
w = s
1
mod q
u
1
= (SHA-1(m)w) mod q
u
2
= (rw) mod q
v = (g
u
1
y
u
2
) mod p) mod q
Remark: If v = r, then the signature is veried.
While DSA was specically designed, so that it can be exported from countries regulating export
of encryption soft and hardware (like the U.S. at the time when it was specied), it has been
163
noted [Schneier1996, p. 490], that the operations involved in DSA can be used to emulate RSA
and ElGamal encryption.
6.4 Public key certication
The aim of public key certication is to guarantee the connection between a public key and a
user and to make it traceable for external parties. In cases in which it is impossible to ensure
that a public key really belongs to a particular person, many protocols are no longer secure, even
if the individual cryptographic modules cannot be broken.
6.4.1 Impersonation attacks
Assume Charlie has two pairs of keys (PK1, SK1) and (PK2, SK2), where SK denotes the secret
key and PK the public key. Further assume that he manages to palm o PK1 on Alice as Bobs
public key and PK2 on Bob as Alices public key (by falsifying a public key directory).
Then he can attack as follows:
Alice wants to send a message to Bob. She encrypts it using PK1 because she thinks that
this is Bobs public key. She then signs the message using her secret key and sends it.
Charlie intercepts the message, removes the signature and decrypts the message using SK1.
If he wants to, he can then change the message in any way he likes. He then encrypts the
message again, but this time using Bobs genuine public key, which he has taken from a
public key directory, signs the message using SK2 and forwards it to Bob.
Bob veries the signature using PK2 and will reach the conclusion that the signature is
correct. He then decrypts the message using his secret key.
In this way Charlie can listen in on communication between Alice and Bob and change the
exchanged messages without them noticing. The attack will also work if Charlie only has one
pair of keys.
Another name for this type of attack is man-in-the-middle attack. Users are promised pro-
tection against this type of attack by publickey certication, which is intended to guarantee the
authenticity of public keys. The most common certication method is the X.509 standard.
6.4.2 X.509 certicate
Each participant who wants to have an X.509 certicate ([X.509]) verifying that his public key
belongs to a real person consults what is known as a certication authority (CA)
179
. He proves
his identity to this CA (for example by showing his ID). The CA then issues him an electronic
document (certicate) which essentially contains the name of the certicate-holder and the name
179
Often called trust center, if the certicates are not only oered to a closed user group.
164
of the CA, the certicate-holders public key and the validity period of the certicate. The CA
then signs the certicate using its secret key.
Anyone can now use the CAs public key to verify whether a certicate is falsied. The CA
therefore guarantees that a public key belongs to a particular user.
This procedure is only secure as long as it can be guaranteed that the CAs public key is correct.
For this reason, each CA has its public key certied by another CA that is superior in the
hierarchy. In the upper hierarchy level there is usually only one CA, which can of course then
have its key certied by another CA. It must therefore transfer its key securely in another way.
In the case of many software products that work with certicates (such as the Microsoft and
Netscape Web browsers), the certicates of these root CAs are permanently embedded in the
program right from the start and cannot be changed by users at a later stage. However, (public)
CA keys, in particularly those of the root entity, can also be secured by means of making them
available publicly.
165
References
[FIPS180-2] U.S. Department of Commerce/N.I.S.T. ,
Secure Hash Standard (SHS),
August 1, 2002.
(FIPS 180-2 will supersede FIPS 180-1 beginning February 1, 2003.)
[FIPS186] U.S. Department of Commerce/N.I.S.T. ,
Entity authentication using public key cryptography,
February 18, 1997.
No more valid.
[FIPS186-2] U.S. Department of Commerce/N.I.S.T. ,
Digital Signature Standard (DSS),
January 27, 2000. Change Note: October 5, 2001.
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
[PKCS1] RSA Laboratories,
PKCS #1 v2.1 Draft 3: RSA Cryptography Standard,
April 19, 2002.
[Schneier1996] Bruce Schneier,
Applied Cryptography, Protocols, Algorithms, and Source Code in C,
Wiley, 2nd edition, 1996.
[X.509] ITU-T,
ITU-T Recommendation X.509 (1997 E): Information Technology Open Systems In-
terconnection The Directory: Authentication Framework,
June 1997.
[X.509v3] ITU-T,
X.509 (1993) Amendment 1: Certicate Extensions, The Directory Authentication
Framework,
International Telecommunication Union, Geneva, Switzerland, July 1995
(equivalent to amendment 1 to ISO/IEC 9594-8).
166
7 Elliptic Curves
(Filipovics B. / B uger M. / Esslinger B. / Oyono R., April 2000, Updates: Dec. 2001, June 2002,
Mar. 2003)
7.1 Elliptic curve cryptography a high-performance substitute for RSA?
In many business sectors secure and ecient data transfer is essential. In particular, the RSA
algorithm is used in many applications. Although the security of RSA is beyond doubt, the
evolution in computing power has caused a growth in the necessary key length. Today, 1024-bit
RSA keys are standard, but the GISA (German Information Security Agency) recommends the
usage of 2048-bit keys from 2006 on (compare section 4.11). The fact that most chips on smart
cards cannot process keys extending 1024 bit shows that there is a need for alternatives. Elliptic
curve cryptography (ECC) can be such an alternative in the area of asymmetric cryptography.
The eciency of a cryptographic algorithm depends on the key length and the calculation eort
that is necessary to provide a prescribed level of security. The major advantage of ECC compared
to RSA is that it requires much shorter key lengths. If we assume that the computing power
increases by Moores law (i. e. it doubles every 18 months)
180
, then the evolution of the key
lengths for secure communication will be as gure 2 [Lenstra1999] (source: Arjen Lenstra and
Eric Verheul: http://cryptosavvy.com/table.htm).
K
e
y

l
e
n
g
t
h

n
e
e
d
e
d

(
b
i
t
s
)
0
500
1000
1500
2000
2500
3000
3500
2010 2030 2040 2020 2000
ECC
RSA
Year
Figure 2: Prognosis of the key lengths to be regarded safe for RSA and Elliptic Curves
In addition, a digital signature can be processed 10-times faster with ECC than with RSA.
However, verication of a given signature is still more ecient with RSA than with ECC. Refer
to gure 3 (source: Dr. J. Merkle, Elliptic Curve Cryptography Workshop, 2001) for a comparison.
180
empirical knowledge by Gordon Moore, co-founder of Intel, 1965
167
The reason is that RSA public keys can be chosen relatively small as long as the secret key is
long enough.
0
100
300
200
400
500
600
ECC 160 Bit RSA 1024 Bit
#

1
0
2
4

b
i
t

m
u
l
t
i
p
l
i
c
a
t
i
o
n
s
Sign
Verify
Figure 3: Comparison of signing and verication time for RSA and Elliptic Curves
Nevertheless, thin clients like smart cards usually have to store the (long) secret key and have to
process a digital signature rather than verify one. Therefore, there is a clear advantage in using
ECC in terms of eciency.
Nowadays, the major problem with ECC-implementations is the lack of standardization. There
is only one way to implement RSA, but there are many ways for ECC: One can work with
dierent sets of numbers, dierent (elliptic) curves described by parameters
181
, and a
variety of representations of the elements on the curve. Each choice has its advantages and
disadvantages, and one can certainly construct the most ecient for each application. However,
this causes problems in interoperability. But if all ECC-tools should be able to communicate with
each other, they will have to support all dierent algorithms, which might put the advantage of
ecient computation and the need of less storage capacity to the contrary.
Therefore, international standardization organizations like IEEE (P1363), ASC (ANSI X9.62,
X9.63), ISO/IEC as well as major players like RSA labs or Certicom have recently started stan-
dardization initiatives. While the IEEE only describes the dierent implementations, the ASC
has explicitly stated 10 elliptic curves and recommends their usage. The advantage of the ASC
approach is that one needs only a single byte to indicate which curve is meant. However, it is
181
see chapter 7.4
168
not yet clear whether the ASC-curves will become a de facto standard.
Although we see no need to replace RSA in any application today
182
, one should take the usage
of ECC-based tools into consideration whenever a new system is set up in particular, when
the tool should be available beyond 2005
183
.
7.2 Elliptic curves history
Mathematicians have been researching elliptic curves for over 100 years. Over the course of time,
many lengthy and mathematically complex results have been found and published which are
connected to elliptic curves. A mathematician would say that elliptic curves (or the mathematics
behind them) are widely understood. This research was originally purely mathematical. That
is to say, elliptic curves were investigated, for example, in the mathematical areas of number
theory and algebraic geometry, which are generally highly abstract. Even in the recent past,
elliptic curves played an important role in pure mathematics. In 1993 and 1994, Andrew Wiles
published mathematical works that triggered enthusiasm far beyond the specialist audience. In
these works, he proved a conjecture put forward in the 1960s. To put it short, this conjecture
was concerned with the connection between elliptic curves and what are called module forms.
What is particularly interesting for most people is that the works of Wiles also proved the famous
second theorem of Fermat. Mathematicians had spent centuries (Fermat lived from 1601 to 1665)
trying to nd a strict proof of this theorem. Understandably, therefore, Wiles proof got a good
response. Fermat formulated his theorem as follows (written in the border of a book):
Cubum autem in duos cubos, aut quadratoquadratum in duos quadratoquadratos, et
generaliter nullam in innitum ultra quadratum potestatem in duos ejusdem nominis
fas est dividere: cujus rei demonstrationem mirabilem sane detexi. Hanc marginis
exiguitas non caperet.
With a free translation, using the denotation of modern mathematics, this means:
No positive whole numbers x, y and z greater than zero exist such that x
n
+y
n
= z
n
for n > 2. I
have found an amazing proof of this fact, but there is too little space within the connes of this
book to include it.
This is truly amazing: A statement that is relatively simple to understand (we are referring to
Fermats second theorem here) could only be proved after such a long period of time, although
Fermat himself claimed to have found a proof. Whats more, the proof found by Wiles is extremely
extensive (all of Wiles publications connected with the proof made up a book in themselves).
This should therefore make it obvious that elliptic curves are generally based on highly complex
mathematics.
Anyway thats enough about the role of elliptic curves in pure mathematics. In 1985 Neal Koblitz
and Victor Miller independently suggested using elliptic curves in cryptography. Elliptic curves
have thus also found a concrete practical application. Another interesting area of application
182
Current informationen about the security of the RSA algorithm can be found in chapter 4.11.
183
Compare the recommendation of GISA: Fitting Crypto Algorithms from October 24th, 2002.
169
for elliptic curves is for factorising whole numbers (the RSA cryptographic system is based on
the diculty/complexity of nding prime factors of an extremely large number; compare section
4.11.). In this area, procedures based on elliptic curves have been investigated and used since
1987 (compare section 7.8).
There are also prime number tests based on elliptic curves.
Elliptic curves are used dierently in the various areas. Encryption procedures based on elliptic
curves are based on the diculty of a problem known as elliptic curve discrete logarithm. The
factorisation of whole numbers uses the fact that a large number of elliptic curves can be generated
for a natural composite number n with several prime factors; however, these curves are not then
groups for composite n. More information about this can be found under the chapter 7.8.
7.3 Elliptic curves mathematical basics
This section provides information about groups and elds.
7.3.1 Groups
Because the term group is used dierently in everyday language than in mathematics, we will,
for reasons of completeness, begin by introducing the essential statement of the formal denition
of a group:
A group is a non-empty set G on which an operation . The set G is closed under
this operation, which means that for any two elements a, b taken from G, performing the
operation on them gives an element in G, i.e. ab = a b lies in G.
For all elements a, b and c in G: (ab)c = a(bc) (associative law).
There exists an element e in G that behaves neutrally with respect to the operation . That
means that for all a in the set G : ae = ea = a.
For each element a in G there exists a so-called inverse
184
element a
1
in G such that:
aa
1
= a
1
a = e.
If also ab = ba (commutative law) for all a, b in G, then we call the group an Abelian group.
Since we may dene dierent operations on the same set, we distinguish them by giving them
dierent names (e.g. + addition or multiplication).
The simplest example of an (Abelian) group is the group of whole numbers under the standard
operation of addition. The set of whole numbers is denoted as Z. Z has an innite number of
elements, because Z = , 4, 3, 2, 1, 0, 1, 2, 3, 4, . For example, the operation of 1 +2
lies in Z, for 1 + 2 = 3 and 3 lies in Z. The neutral element in the group Z is 0. The inverse
element of 3 is 3, for 3 + (3) = 0.
184
The inverse is uniquely determined because if x, y G are each inverse to a, i.e. ax = xa = e and ay = ya = e,
then x = xe = x(ay) = (xa)y = ey = y.
170
For our purpose, so-called nite groups play an important role. This means that these exists a
set / with a xed number of elements and an operation + such that the above conditions are
fullled. One example of this is any set Z
n
where Z
n
= 0, 1, 2, 3, , n1, n is a positive whole
number and the operation is addition mod n, i.e. a and b in Z
n
are subject to the operation
a +b mod n.
Cyclic groups Cyclic groups
185
are those groups G

that possess an element g from which the

group operation can be used to generate all other elements in the group. This means that for each
element a in G

there exists a positive whole number i such that if g is subject to the operation i
times (i.e. g i), g +g + +g = a (additive group) or g
i
= g g g = a (multiplicative group).
The element g is the generator of the cyclic group each element in G

can be generated using

g and the operation.
Group order Now to the order of an element of the group: Let a be in G. The smallest
positive whole number r for which a subject to the operation with itself r times is the neutral
element of the group G

(i.e.: r a = a +a + +a = e respectively a
r
= e), is called the order
of a.
The order of the group is the number of elements in the set G.
7.3.2 Fields
In mathematics, one is often interested in sets on which at least two (group) operations are
dened frequently called addition and multiplication. Most prominent are so called elds.
A eld is understood to be a set K with two operations (denoted as + and ) which fulls the
following conditions:
The set K forms an Abelian group together with the operation + (addition), where 0 is
the neutral element of the operation +.
The set K0 also forms an Abelian group together with the operation (multiplication).
For all elements a, b and c in K, we have c (a +b) = c a +c b and (a +b) c = a c +b c
(distributive law).
Fields may contain an innite number of elements (e.g. the eld of real numbers). They are called
innite elds. In contrast we call a eld nite, if it contains only a nite number of elements (e.g.
Z
p
= 0, 1, 2, 3, , p 1 , where p is a prime. Z
p
with addition mod p and multiplication mod
p).
185
Cyclic groups can be in general also endless like the additive group of the integer numbers. We consider here only
nite cyclic groups.
171
Characteristic of a eld Let K be a eld and 1 be the neutral element of K with respect to
the multiplicative operation . Then the characteristic of K is said to be the order of 1 with
respect to the additive operation. This means that the characteristic of K is the smallest positive
integer n such that
1 + 1 + + 1
. .
n times
= 0.
If there is no such n, i.e. if 1 +1 + +1 ,= 0 no matter how many 1s we add, then we call K a
eld with characteristic 0.
Thus, elds with characteristic 0 are innite since they contain the (pairwise distinct) elements 1,
1 +1, 1 +1 +1, . . . . On the other hand, elds with nite characteristic may by nite or innite.
If the characteristic is nite, it has to be prime. This fact can easily be proved: Assume n = pq,
p, q < n, is the characteristic of a eld K. By denition of n, the elements p = 1 + 1 + + 1
. .
p times
,
q = 1 + 1 + + 1
. .
q times
of K are not equal to 0. Thus, there exist inverse elements p
1
, q
1
with
respect to multiplication. It follows that ( p q)( p
1
q
1
) = 1, which contradicts the fact that
p q = n = 1 + 1 + + 1
. .
n times
= 0 and, hence, ( p q)
..
=0
( p
1
q
1
) = 0.
Comment: The eld of real numbers has the characteristic 0; the eld Z
p
has the characteristic
p. If p is not prime, Z
p
is not a eld at all.
The most simple eld is Z
2
= 0, 1. It contains only two elements, the neutral elements with
respect to addition and multiplication. In particular, we have 0 + 0 = 0, 0 + 1 = 1 + 0 = 1,
1 + 1 = 0, 1 1 = 1, 0 0 = 0 1 = 1 0 = 0.
Finite Fields As mentioned above, each nite eld has a characteristic p ,= 0, where p is a
prime. On the other hand, given a prime p there is a eld which has exactly p elements, that is
Z
p
.
However, the number of elements of a eld need not be prime in general. For example, it is not
hard to construct a eld with 4 elements
186
.
One can show that the order of any eld is a prime power (i.e. the power of a prime number).
On the other hand, we can construct a eld with p
n
elements for any given prime p and positive
integer n. Since two elds that have the same number of elements can not be distinguished
187
,
186
The set K = {0, 1, a, b} tted with the operation dened in the tabular below is a eld:
+ 0 1 a b
0 0 1 a b
1 1 0 b a
a a b 0 1
b b a 1 0
und
0 1 a b
0 0 0 0 0
1 0 1 a b
a 0 a b 1
b 0 b 1 a
187
If K, K

are elds with k = p

n
elements, then there is a one-to-one map : K K

, that respects the arithmetic

of the eld. Such a map is called an isomorphy. Isomorphic elds mathematically behave in the same way so
that dass it makes no sense to distinguish between them. For example, Z
2
und K

= {ZERO, ONE} with zero-

172
we say that there is the eld with p
n
elements and denote it by GF(p
n
). Here GF stands for
Galois Field to commemorate the French Mathematician Galois.
The elds GF(p) of prime order play a prominent role. They are called prime elds and often
denoted by Z
p
188
.
7.4 Elliptic curves in cryptography
In cryptography elliptic curve are a useful tool. Such curves are described by some equation. A
detailed analysis has shown that curves of the form
189
F(x
1
, x
2
, x
3
) = x
3
1
+x
2
2
x
3
+a
1
x
1
x
2
x
3
a
2
x
2
1
x
3
+a
3
x
2
x
2
3
a
4
x
1
x
2
3
a
6
x
3
3
= 0, (1)
are especially useful. The variables x
1
, x
2
, x
3
and parameters a
1
, . . . , a
4
, a
6
are elements of a given
eld K, which has certain properties that are make it useful from the cryptographic point of view.
The underlying eld K might be the well known eld of real numbers or some nite eld (see
last section). In order to obtain a cure that is useful for cryptography, the parameters have to
be chosen in a way that the following conditions hold
F
x
1
,= 0,
F
x
2
,= 0,
F
x
3
,= 0.
We identify points on the curve that can be derived from each over by multiplying each component
with some scalar. This makes sense since (x
1
, x
2
, x
3
) solves (1) if and only if (x
1
, x
2
, x
3
) ( ,= 0)
does. Formally, this means that we consider classes of equivalent points instead of single points,
where points are called equivalent if one is the scalar multiple of the other one.
If we put x
3
= 0 in the basic equation (1), then this equation collapses to x
3
1
= 0, leading
to x
1
= 0. Thus, the equivalence class which includes the element (0, 1, 0) is the only one that
contains a point with x
3
= 0. For all points on the curve that are not equivalent to (0, 1, 0), we
may apply the following transformation
K K (K 0) (x
1
, x
2
, x
3
) (x, y) :=
_
x
1
x
3
,
x
2
x
3
_
K K ,
which reduces the number of variables to two instead of three. We note that the basic equation
(1) F(x
1
, x
2
, x
3
) = 0 was chosen in a way that this transformation leads to the famous so-called
Weierstrass-Equation
190
holds
y
2
+a
1
xy +a
3
y = x
3
+a
2
x
2
+a
4
x +a
6
. (2)
element ZERO and one-element ONE are isomorphic. We note that mathematical objects are only dened by
their mathematical properties.
188
For prime elds additive as well as multiplicative group are cyclic. Furthermore, each eld GF(p
n
) contains a
subeld that is isomorphic to the prime eld Z
p
.
189
This curve is given by the zeros of a polynomial F of degree three in three variables. In general, expressions of
the form P =
P
i
1
,...,i
n
IN
0
a
i
1
...i
n
x
i
1
1
. . . x
i
n
n
with coecients a
i
1
...i
n
K are called polynomials in n variables
x
1
, . . . , x
n
with underlying eld K, if deg P := max{i
1
+ + i
n
: a
i
1
...i
n
= 0} is nite, i.e. the sum has only
nitely many non-zero terms (monomials). The sum of the exponents of the variables of each term of the sum is
at most 3, at least one term of the sum has a single variable with 3 as value of the according exponent.
190
Karl Weierstrass, 31.10.181519.12.1897, German mathematician, famous for his rigorous formal approach to
mathematics.
173
Since all but one point (i.e. equivalence class) of the elliptic curve can be described using equation
(2), this equation is often called the elliptic equation, and its solutions written as
E =
_
(x, y) K K[ y
2
+a
1
xy +a
3
y = x
3
+a
2
x
2
+a
4
x +a
6
_
O.
Here, O represents the point (0, 1, 0) that is loosely speaking mapped to innity by the transfor-
mation (division by x
3
) that reduces the three variables to two.
x
y
Figure 4: Example of an elliptic curve with the real numbers as underlying eld.
In contrast to gure 4 only nite elds K = GF(p
n
) are used in elliptic curve cryptography. The
reason is loosely speaking that in modern communication engineering data processing is always
based on discrete data (simply because computers accept only discrete data).
For practical reasons, it turned out to be useful to take either GF(p) with a large prime p or
GF(2
n
) with a (large) positive integer n. Using GF(p) has the advantage of providing a relatively
simple arithmetic; on the other hand GF(2
n
) allows a binary representation of each element that
supports the way computers work. Other elds like, for example, GF(7
n
) do not have any of
these advantages and are, thus, not considered, although there is no mathematical reason why
they should not.
A coordinate transformation can result in a simpler version
191
of the Weierstrass equation. De-
pending whether p > 3, dierent transformations are used, and we obtain
in case of GF(p), p > 3, the elliptic curve equation of the form
y
2
= x
3
+ax +b (3)
with 4a
3
+ 27b
2
,= 0
191
Such a coordinate transformation is combination of a rotation and a dilatation of the coordinate system without
changing the elliptic curve itself.
174
in case of GF(2
n
) the elliptic curve equation of the form
y
2
+xy = x
3
+ax
2
+b (4)
with b ,= 0
192
.
This conditions on the parameters a, b ensure that the elliptic equation can be used in the context
of cryptography
193
.
Let [E[ denote the number of elements of an elliptic curve E given an underlying eld GF(k)
(for practical reasons either k = p with p prim or k = 2
n
). Then Hasses theorem[Silverman1986]
yields [ [E[ k 1 [ 2

k. This Inequality is equivalent to k + 1 2

k < [E[ < k + 1 + 2

k.
In particular, this means that the number of elements of an elliptic curve is approximately k (for
large k).
7.5 Operating on the elliptic curve
In order to work with elliptic curves in practice, we dene an operation (often written in an
additive way +) on the set of points on the curve. If we have a curve over the eld GF(p), we
dene the commutative operation + by
1. P +O = O +P = P for all P E,
2. for P = (x, y) and Q = (x, y) we set P +Q = O,
3. for P
1
= (x
1
, x
2
), P
2
= (x
2
, y
2
) E with P
1
, P
2
,= O and (x
2
, y
2
) ,= (x
1
, y
1
) we set
P
3
:= P
1
+P
2
, P
3
= (x
3
, y
3
) dened by
x
3
:= x
1
x
2
+
2
, y
3
:= y
1
+(x
1
x
3
)
with the auxiliary quotient
:=
_
y
1
y
2
x
1
x
2
if P
1
,= P
2
,
3x
2
1
+a
2y
1
if P
1
= P
2
.
In particular, we obtain P = (x, y) for P = (x, y) E.
If we deal with a curve over the eld GF(2
n
), we dene the operation + in an analogous way by
1. P +O = O +P = P for all P E,
2. for P = (x, y) and Q = (x, x +y) we set P +Q = O,
192
The form (3) is called the standard form of the Weierstrass-equation. If the characteristic of the eld is 2 or 3, we
obtain 4 = 0 respectively 27 = 0, which means that the condition on parameters a, b collapse. Loosely speaking,
this is the reason why the transformation to the standard form does not work in these cases.
193
Formally we call such curves non singular.
175
3. for P
1
= (x
1
, x
2
), P
2
= (x
2
, y
2
) E with P
1
, P
2
,= O and (x
2
, y
2
) ,= (x
1
, x
1
+ y
1
) we set
P
3
:= P
1
+P
2
, P
3
= (x
3
, y
3
) dened by
x
3
:= x
1
+x
2
+ +
2
+a , y
3
:= y
1
+x
3
+(x
1
+x
3
)
with auxiliary quotient
:=
_
y
1
+y
2
x
1
+x
2
if P
1
,= P
2
,
x
1
+
y
1
x
1
if P
1
= P
2
.
In particular, we obtain P = (x, y) for P = (x, y) E.
(Note that (P) = (x, x + (x + y)) = (x, 2x + y) = (x, y), since the underlying eld has
characteristic 2.)
194
One can verify that + denes a group operation on the set E O. In particular this means
that the sum of two points is again a point on the elliptic curve. How his operation works is
geometrically visualized in the following section.
194
An animation of the addition of points on elliptic curves can be found on the Certicom-Homepage
http://www.certicom.com/resources/ecc tutorial/ecc tutorial.html
176
How to add points on an elliptic curve
The following gures show how points on an elliptic curve over the eld of real numbers are
summed up using ane coordinates. We note that the point innity O cannot be shown in the
ane plane.
y
2P
P=Q
L
x
R
L
Figure 5: Doubling of a point
R
L
P+Q
L
x
y
Q
P
Figure 6: Summing up two dierent points over the real number eld
177
7.6 Security of elliptic-curve-cryptography: The ECDLP
As mentioned above in section 7.4, we only consider elliptic curves over the nite
195
elds GF(2
n
)
or GF(p) (for a large prime p). This means that all parameters that describe the curve are taken
from this underlying eld. If E is an elliptic curve over such a eld and P is a point on the curve
E, then we can derive for all positive integers m
mP := P +P + +P
. .
m times
.
Looking on this operation from the cryptographic point of view, it turns out to be very interesting
by the following reason: On the one hand one needs only log m operations to calculate mP
one simply has to calculate P, 2P, 2
2
P, 2
3
P, . . . , write m in a binary form and nally add all
these multilples 2
k
P of P with respect to the binary representation of m on the other hand
it seems to be very hard to nd m given P and Q = mP on E. Of course, we may simply
calculate P, 2P, 3P, 4P, 5P, . . . and compare each of them with Q. But this will take as much as
m operations.
Yet there is no algorithm known that eciently derives m given P and G. The best algorithms
known so far need about

q operations where q is the (largest) prime factor of p 1, in case the
underlying eld is GF(p); here m should be between 1 and q liegen so that one needs at most
log q operations to calculate mP. However, the quotient

q
log q
tends to + very fast for large q.
If we choose the parameters suciently large (for example, let p be prime and at least 160 bits
long), an computer will easily be able to calculate mP (in less than a second). The inverse
problem however, to derive m from mP and P, can (still) not be solved in reasonable time.
This problem is known as the over Elliptic Curve Discrete Logarithm Problem (for short
ECDLP).
In elliptic curve cryptography we formally look at points on the elliptic curve as elements of a
group with point addition + as operation. Furthermore, we use only elliptic curves that have a
suciently large number of points. However, in special cases curves may be weak and not useful
due to other reasons. For such special cases the ECDLP can be much easier to solve than in
the general case. This means that one has to look carefully at the parameters when choosing an
elliptic curve for cryptographic applications.
Not useful for cryptography are a-normal (that are curves over Z
p
, for which the set E consists
of exactly p elements) and supersingular curves (that are curves, for which the ECDLP can be
reduced to the normal discrete logarithms in another, smaller nite eld). This means that
there are cryptographically useful and non-useful elliptic curves. Given the parameters a and
b, it is possible to determine whether a curve is useful or not. In many publications one can
nd parameters that turned out to be useful for cryptography. The open (scientic) discussion
guarantees that these results take into account latest research.
Given a secure curve, the time that is needed to solve the ECDLP is strongly correlated with
parameter p in case GF(p) respectively n in case of GF(2
n
). The larger these parameters become,
195
Discrete in contrast to continuous.
178
the more time an attacker needs to solve the ECDLP at least with the best algorithms known
so far. Experts recommend bit-lengths of 200 for p for secure curves. A comparison with RSA
modulus length shows why elliptic curves are so interesting for applications. We note that the
computation eort for signing and encryption is closely related to the bit-length of the parameters.
In addition the initiation process, i.e. the generation of the private-public-key-pair, becomes more
complicated the larger p is. Thus, one looks for the smallest parameters that still come along
with the security required. It is remarkable that a length of 200 bits for p is sucient to construct
a good elliptic curve that is as secure as RSA with a 1024 bit RSA modulus (as far as we know
today). For short, the reason for this advantage of ECC lies in the fact that the best algorithms
known for solving the ECDLP need exponential time while the best algorithms for factorizing are
sub-exponential (number eld sieve, quadratic sieve or factorizing with elliptic curves). Hence,
the parameters for a cryptosystem that is based on the problem of factorizing large integers have
to be larger than the parameters for a system based on ECDLP.
7.7 Encryption and signing with elliptic curves
The elliptic curve discrete logarithm problem (ECDLP) is the basis for elliptic curve cryptography.
Based on this problem, there are dierent signature schemes. In order to apply one of these, we
need:
An elliptic curve E with an underlying eld GF(p
n
).
A prime q ,= p and a point G on the elliptic curve E with order q. This means that qG = O
and rG ,= O for all r 1, 2, . . . , q 1. Thus q is a factor of the group order (i.e. the
number of elements) #E of E. Since q is prime, G generates a cyclic sub-group of E of
order q.
The parameters mentioned are often called Domain parameter. They describe the elliptic curve
E and the cyclic sub-group of E on which the signature scheme is based.
7.7.1 Encryption
Using elliptic curves one can construct a key exchange protocol based on the Die-Hellman pro-
tocol (see chapter 5.4.2). The key exchanged can be used for a subsequent symmetric encryption.
We note that in contrast to RSA there is no pair of private and public key that can be used for
encryption and decryption!
In the notation of elliptic curves, the Die-Hellman protocol reads as follows: First both partners
(A und B) agree on a group G and an integer q. Then they choose r
A
, r
B
1, 2, . . . , q 1 at
random, derive the points R
A
= r
A
G, R
B
= r
B
G on the elliptic curve and exchange them (using
an insecure channel). After that A easily obtains R = r
A
R
B
; B gets the same point (R = r
A
r
B
G)
by calculating r
B
R
A
= r
B
r
A
G = r
A
r
B
G = R. We note that R
A
, R
B
are easy to derive as long
as r
A
respectively r
B
are known G. However, the inverse operation, to get R
A
respectively R
B
from r
A
respectively r
B
is hard.
179
Using the best algorithms known so far, it is impossible for any attacker to obtain R without
knowing either r
A
or r
B
otherwise he would have to solve the ECDLP.
In order to prohibit a Man-in-the-middle attack, one may sign the values G, q, R
A
, R
B
as
described in chapter 6.4.1.
7.7.2 Signing
Using the DSA signature scheme, one can proceed as follows: The signing party chooses a (non-
trivial) number s Z
q
, which will be the private key, and publishes q, G and R = sG. We note
that s cannot be obtained from G and R are not sucient a fact on which the security of the
signature scheme is based.
Given the message m, which should be signed, one rst constructs a digital nger print using
a hash-algorithm h such that h(m) has its values in 0, 1, 2, . . . , q 1. Thus, h(m) can be
considered as an Element of Z
q
. Then the signing party chooses a random number r Z
q
and
derives R = (r
1
, r
2
) = rG. We note that the rst component r
1
of R is an element of GF(p
n
).
This component will then be projected onto Z
q
, i.e. in case of n = 1 it is interpreted as the
remainder of an element of 0, 1, . . . , p1 divided by q. This projection of r
1
onto Z
q
is denoted
by r
1
. Then one determines x Z
q
such that
rx s r
1
h(m) = 0.
The triple (m, r
1
, x) is then published as the digital signature of message m.
7.7.3 Signature verication
In order to verify a signature, one has to build u
1
= h(m)/x, u
2
= r
1
/x (in Z
q
and derive
V = u
1
G+u
2
Q.
Since we have Q = sG, the point V = (v
1
, v
2
) satises v
1
= u
1
+u
2
s. We note that this operations
take place in the eld GF(p
n
). The projection of GF(p
n
) on Z
q
mentioned above should be chosen
in such a way that v
1
= u
1
+u
2
s is an element of Z
q
. Then it follows that
v
1
= u
1
+u
2
s = h(m)/x + r
1
s/x = (h(m) + r
1
s)/x = rx/x = r.
Since R = rG, we obtain v
1
= r
1
, i.e. R and V coincide modulo the projection onto Z
q
.
180
7.8 Factorisation using elliptic curves
There are factorisation
196
algorithms based on elliptic curves
197
. More precisely, these procedures
exploit the fact that elliptic curves can be dened over Z
n
(n composite number). Elliptic curves
over Z
n
do not form a group, because not every point on such an elliptic curve has an inverse
point. This is connected with the fact that - if n is a composite number - there exist elements
in Z
n
that do not have an inverse with respect to multiplication mod n. In order to add two
points on an elliptic curve over Z
n
, we can calculate in the same way as on elliptic curves over
Z
p
. Addition of two points (on an elliptic curve over Z
n
), however, fails if and only if a factor of
n has been found. The reason for this is that the procedure for adding points on elliptic curves
gives elements in Z
n
and calculates the inverse elements for these (with respect to multiplication
mod n) in Z
n
. The extended Euclidean algorithm is used here. If the addition of two points (that
lie of an elliptic curve over Z
n
) gives an element in Z
n
that does not have an inverse element in
Z
n
, then the extended Euclidean algorithm delivers a genuine factor of n.
Factorisation using elliptic curves thus principally works as follows: Random curves over Z
n
are
selected, as well as random points (that lie on this curve) and add them; you thus obtain points
that also lie on the curve or nd a factor of n. Factorisation algorithms based on elliptic curves
therefore work probabilistically. The opportunity of dening large number of elliptic curves over
Z
n
allows you to increase the probability of nding two points which you can add to obtain a
factor of n. These procedures are therefore highly suitable for parallelisation.
7.9 Implementing elliptic curves
CrypTool also oers elliptic curves for the digital signature function
198
.
It implements the basic algorithms for group operations, for generating elliptic curves, for im-
porting and exporting parameters for elliptic curves over nite elds with p (p prime) elements.
The algorithms have been implemented in ANSI C and comply with draft no. 8 of the IEEE
P1363 work group Standard Specications for Public Key Cryptography
http://grouper.ieee.org/groups/1363.
The procedure implements the cryptographic primitives for generating and verifying signatures
for the variations of Nyberg-Rueppel signatures and DSA signatures based on elliptic curves (in
accordance with draft no. 8 of the IEEE P1363 work group). This was done in collaboration
with the Secude GmbH using the above library and the Secude SDK.
In case one uses the eld GF(2
n
) is used instead of the prime eld GF(p), one has to make sub-
196
Especially John M. Pollard was involved in the development of many dierent factorisation algorithms; also at fac-
torisation with ECC he was one of the leading heads. As an employee of British Telekom he never published much.
At the RSA data Security Conference in 1999 he was awarded for his outstanding contributions in mathematics:
http://www.eff.org/Privacy/Crypto misc/DESCracker/HTML/19990118 rsa awards.html.
197
In 1987 H.W. Lenstra published a factorization algorithm, based on elliptic curves (see [Lenstra1987]). The biggest
compound number currently factorised with elliptic curves is the number 628
59
1, which has 55 decimal digits.
It was found Oct. 6th, 2001 by M. Izumi (See ECMNET).
198
The dialog box, which appears in CrypTool after clicking the menu Digital Signatures/PKI \ Sign Message,
oers the EC methods ECSP-DSA and ECSP-NR.
181
stantial changes in the implementation. The advantage of GF(2
n
) lies in the fact that calculations
in GF(2
n
) can be implemented very eciently using the binary representation. In particular,
divisions are much easier to process compared to GF(p) (this is particularly important in the
signature scheme mentioned above where a division is needed for processing a signature as well
as for the verication).
In order to achieve maximal gain in eciency, one may choose a eld that allows special basis
like polynomial basis (useful for software implementations) or normal basis (best for hardware
implementations). For special n (like, for example, n = 163, 179, 181) one may even combine
both advantages. However, they are still non-standard.
Sometimes only the rst component and one additional bit is used as representation of a point
on the elliptic curve instead of the full two components. Since the rst component together with
the additional bit is sucient to derive the full point, this representation minimizes the mem-
ory capacity needed. In particular, for normal basis this point compression can be implemented
eciently. In addition, the cryptographic protocols themselves become more eective. A disad-
vantage is, however, that point compression can be used for about half of all elliptic curves only
and is protected under US patent (US Patent 6141420, Certicon), causing additional costs. In
the gerenal case GF(p
n
) (and also in case n = 1) often so called ane or projective co-ordinates
are used. Depending on the application, these co-ordinates may result in a gain in eciency as
well.
A comprehensive description of all implementations and their advantages and disadvantages
would go far beyond the scope of this paper. We only want to state that there is a variety of
possible implementations for elliptic curve cryptography, much more than for RSA. Therefore,
there are serious eorts to reduce this large to a small number of standard implementations. Some
standardization committees even try to reduce the complexity by focussing on a small number of
(prescribed) curves (ASC-approach).
Today it is still not clear whether these standardization initiatives will be successful or not.
However, without agreed standards, ECC is not likely to become a real alternative for RSA. The
committees might be forced to act fast if there was a break-through in factorization.
7.10 Elliptic curves in use
Today elliptic curve cryptography is already in use. A prominent example is the information
network Bonn-Berlin
199
, used for the exchange of strictly condential documents between dierent
German federal governmental institutions in Berlin and Bonn. With the help of ECC a high
security solution could be realized. Interoperability, however, played only a minor role.
Based on information from the head of the Austrian e-Government projects, Prof. Posch, a
smartcard based on ECC will shortly be launched in Austria: A bank card that allows digital
signing will be issued in Austria from 2004 on to all citizens.
Both examples show the typical range of application for elliptic curve cryptography: For high
199
The Informationsverbund Bonn-Berlin (IVBB) connects governmental institutions in the old and new German
capital.
182
security solutions and for implementations on smartcards in which the key length is crucial
(because of physical memory available).
183
References
[Cassels1991] J. W. S. Cassels,
Lectures on elliptic curves,
Cambridge University Press, 1991, 143 pages.
[Koblitz1984] N. Koblitz,
Introduction to elliptic curves and modular forms,
Graduate Texts in Mathemathics, Springer-Verlag, 1984.
[Koblitz1998] N. Koblitz,
Algebraic aspects of Cryptography. With an appendix on Hyperelleptic curves by Alfred
J. Menezes, Yi Hong Wu and Robert J. Zuccherato,
Springer-Verlag, 1998, 206 pages.
[Menezes1993] A. J. Menezes,
Elliptic curve public key cryptosystems,
Kluwer Academic Publishers, 1993.
[Lenstra1987] H.W. Lenstra,
Factoring integers with elliptic curves,
Annals of Mathematics 126, pp. 649-673, 1987.
[Lenstra1999] Arjen K. Lenstra, Eric R. Verheul
Selecting Cryptographic Key Sizes (1999),
Journal of Cryptology: the journal of the International Association for Cryptologic Re-
search
http://www.cryptosavvy.com/cryptosizes.pdf
[Silverman1986] J. Silverman,
The Arithmetic of Elliptic Curves,
Springer-Verlag, 1986.
[Silverman1992] J. Silverman,
The arithmetic of elliptc curves,
Graduate Texts in Mathemathics, Springer-Verlag, 1992.
[SilvermanTate1992] J. Silverman, J. Tate,
Rational points on elliptic curves,
Springer-Verlag, 1992.
Web links
1. Certicom Online Tutorial,
http://www.certicom.com/resources/ecc tutorial/ecc tutorial.html
184
2. Working group IEEE P1363
http://grouper.ieee.org/groups/1363
3. An informative web page about factorisation with elliptic curves.
http://www.loria.fr/~zimmerma/records/ecmnet.html
It contains literature related to the topic factorisation with elliptic curves as well as links
to other web page.
4. Key length comparison by Arjen Lenstra and Eric Verheul
http://cryptosavvy.com/table.htm
185
A Appendix
1 CrypTool Menu Tree
2 Authors of the CrypTool Script
3 Bibliography of Movies and Fictional Literature with Relation to Cryptograpy, Books for
Kids with Collections of Simple Ciphers
186
A.1 CrypTool Menus
This appendix contains the complete menu tree of CrypTool version 1.4.00.
Which menu items are active (that is not greyed), depends on the type of the currently active
document window. The brute-force analysis for DES e. g. is only available, if the active window
is opened in the hexadecimal view. On the other hand the menu item Generate Random
Numbers. . . is always available.
The following types of documents exist in CrypTool:
Code letter Type of document
A ASC
T Text
H Hexadecimal
P Plot
187
F
i
l
e
N
e
w
O
p
e
n
.
.
.
C
l
o
s
e
S
a
v
e
S
a
v
e

a
s
.
.
.
F
i
l
e

P
r
o
p
e
r
t
i
e
s
.
.
.
P
r
i
n
t
.
.
.
P
r
i
n
t

S
e
t
u
p
.
.
.
R
e
c
e
n
t

F
i
l
e
s
E
x
i
t
E
d
i
t
U
n
d
o
C
u
t
C
o
p
y
P
a
s
t
e
D
e
l
e
t
e
F
i
n
d
.
.
.
F
i
n
d

N
e
x
t
R
e
p
l
a
c
e
.
.
.
S
e
l
e
c
t

A
l
l
S
h
o
w

K
e
y
.
.
.
P
a
r
e
n
t

W
i
n
d
o
w
V
i
e
w
T
o
o
l
b
a
r
S
t
a
t
u
s

B
a
r
S
h
o
w

a
s

T
e
x
t
A
s

H
e
x
D
u
m
p

B
a
r

C
h
a
r
t
C
r
y
p
t
/
D
e
c
r
y
p
t
S
y
m
m
e
t
r
i
c

(
c
l
a
s
s
i
c
)
C
a
e
s
a
r
.
.
.
V
i
g
e
n

r
e
.
.
.
H
i
l
l
.
.
.
S
u
b
s
t
i
t
u
t
i
o
n
.
.
.
P
l
a
y
f
a
i
r
.
.
.
A
D
F
G
V
X
.
.
.
B
y
t
e

A
d
d
i
t
i
o
n
.
.
.
X
O
R
.
.
.
V
e
r
n
a
m
.
.
.
H
o
m
o
p
h
o
n
e
.
.
.
P
e
r
m
u
t
a
t
i
o
n
.
.
.
S
y
m
m
e
t
r
i
c

(
m
o
d
e
r
n
)
I
D
E
A
.
.
.
R
C
2
.
.
.
R
C
4
.
.
.
D
E
S

(
E
C
B
)
.
.
.
D
E
S

(
C
B
C
)
.
.
.
T
r
i
p
l
e

D
E
S

(
E
C
B
)
.
.
.
T
r
i
p
l
e

D
E
S

(
C
B
C
)
.
.
.
M
A
R
S
.
.
.
R
C
6
.
.
.
R
i
j
n
d
a
e
l

(
A
E
S
)
.
.
.
S
e
r
p
e
n
t
.
.
.
T
w
o
f
i
s
h
.
.
.
A
E
S

(
s
e
l
f

e
x
t
r
a
c
t
i
n
g
)
.
.
.
A
s
y
m
m
e
t
r
i
c
R
S
A

E
n
c
r
y
p
t
i
o
n
.
.
.
R
S
A

D
e
c
r
y
p
t
i
o
n
.
.
.
R
S
A
-
D
e
m
o
n
s
t
r
a
t
i
o
n
.
.
.
H
y
b
r
i
d R
S
A
-
A
E
S

E
n
c
r
y
p
t
i
o
n
.
.
.
R
S
A
-
A
E
S

D
e
c
r
y
p
t
i
o
n
.
.
.
D
i
g
i
t
a
l

S
i
g
n
a
t
u
r
e
s
/
P
K
I
P
K
I
K
e
y

G
e
n
e
r
a
t
i
o
n
/
I
m
p
o
r
t
.
.
.
K
e
y

D
i
s
p
l
a
y
/
E
x
p
o
r
t
.
.
.
S
i
g
n

M
e
s
s
a
g
e
.
.
.
V
e
r
i
f
y

S
i
g
n
a
t
u
r
e
.
.
.
E
x
t
r
a
c
t

S
i
g
n
a
t
u
r
e
S
i
g
n
a
t
u
r
e

D
e
m
o
n
s
t
r
a
t
i
o
n

(
S
i
g
n
a
t
u
r
e

G
e
n
e
r
a
t
i
o
n
)
.
.
.
I
n
d
i
v
.

P
r
o
c
e
d
u
r
e
s
H
a
s
h
M
D
2
M
D
4
M
D
5
S
H
A
S
H
A
-
1
R
I
P
E
M
D
-
1
6
0
H
a
s
h

V
a
l
u
e

o
f

a

F
i
l
e
.
.
.
H
a
s
h

D
e
m
o
n
s
t
r
a
t
i
o
n
.
.
.
K
e
y

G
e
n
e
r
a
t
i
o
n

f
r
o
m

P
a
s
s
w
o
r
d
.
.
.
G
e
n
e
r
a
t
i
o
n

o
f

M
A
C
s
.
.
.
R
S
A

C
r
y
p
t
o
s
y
s
t
e
m
G
e
n
e
r
a
t
e

P
r
i
m
e

N
u
m
b
e
r
s
.
.
.
R
S
A

D
e
m
o
n
s
t
r
a
t
i
o
n
.
.
.
F
a
c
t
o
r
i
s
a
t
i
o
n

o
f

a

N
u
m
b
e
r
.
.
.
S
i
g
n
a
t
u
r
e

D
e
m
o
n
s
t
r
a
t
i
o
n

(
S
i
g
n
a
t
u
r
e

G
e
n
e
r
a
t
i
o
n
)
.
.
.
L
a
t
t
i
c
e

B
a
s
e
d

A
t
t
a
c
k
s

o
n

R
S
A
F
a
c
t
o
r
i
n
g

w
i
t
h

a

H
i
n
t
.
.
.
A
t
t
a
c
k

o
n

S
t
e
r
e
o
t
y
p
e
d

M
e
s
s
a
g
e
s
.
.
.
A
t
t
a
c
k

o
n

S
m
a
l
l

S
e
c
r
e
t

K
e
y
s
.
.
.
P
r
o
t
o
c
o
l
s
D
i
f
f
i
e
-
H
e
l
l
m
a
n

D
e
m
o
n
s
t
r
a
t
i
o
n
.
.
.
N
e
t
w
o
r
k

A
u
t
h
e
n
t
i
c
a
t
i
o
n
.
.
.
C
h
i
n
e
s
e

R
e
m
a
i
n
d
e
r

T
h
e
o
r
e
m

A
p
p
l
i
c
a
t
i
o
n
s
A
s
t
r
o
n
o
m
y

a
n
d

P
l
a
n
e
t
a
r
y

M
o
t
i
o
n
.
.
.
M
o
d
u
l
a
r

F
o
r
e
w
a
r
d

a
n
d

B
a
c
k
w
a
r
d

T
r
a
n
s
f
o
r
m
a
t
i
o
n
.
.
.
S
e
c
r
e
t

S
h
a
r
i
n
g

b
y

C
R
T
.
.
.
V
i
s
u
a
l
i
z
a
t
i
o
n

o
f

A
l
g
o
r
i
t
h
m
s

u
s
i
n
g

A
N
I
M
A
L
C
a
e
s
a
r
.
.
.
V
i
g

n
e
r
e
.
.
.
N
i
h
i
l
i
s
t
.
.
.
D
E
S
.
.
.
C
o
d
e
s B
a
s
e
6
4

E
n
c
o
d
e
/
D
e
c
o
d
e
U
U
-
E
n
c
o
d
e
/
D
e
c
o
d
e
D
e
c
o
d
e

A
S
N
.
1

C
o
d
e

o
f

a

F
i
l
e
.
.
.
C
o
m
p
r
e
s
s
Z
i
p

U
n
Z
i
p

G
e
n
e
r
a
t
e

R
a
n
d
o
m

N
u
m
b
e
r
s
.
.
.
A
n
a
l
y
s
i
s
T
o
o
l
s

f
o
r

A
n
a
l
y
s
i
s
E
n
t
r
o
p
y
F
l
o
a
t
i
n
g

F
r
e
q
u
e
n
c
y
H
i
s
t
o
g
r
a
m
N
-
G
r
a
m
.
.
.
A
u
t
o
c
o
r
r
e
l
a
t
i
o
n
P
e
r
i
o
d
i
c
i
t
y
M
a
s
s

P
a
t
t
e
r
n

S
e
a
r
c
h
.
.
.
S
y
m
m
e
t
r
i
c

E
n
c
r
y
p
t
i
o
n

(
c
l
a
s
s
i
c
)
C
i
p
h
e
r
t
e
x
t

o
n
l
y
C
a
e
s
a
r
V
i
g
e
n

r
e
A
D
F
G
V
X
.
.
.
A
d
d
i
t
i
o
n
X
O
R
K
n
o
w
n

P
l
a
i
n
t
e
x
t
H
i
l
l
.
.
.
M
a
n
u
a
l

A
n
a
l
y
s
i
s
S
u
b
s
t
i
t
u
t
i
o
n
.
.
.
P
l
a
y
f
a
i
r
.
.
.
S
y
m
m
e
t
r
i
c

E
n
c
r
y
p
t
i
o
n

(
m
o
d
e
r
n
)
I
D
E
A
.
.
.
R
C
2
.
.
.
R
C
4
.
.
.
D
E
S

(
E
C
B
)
.
.
.
D
E
S

(
C
B
C
)
.
.
.
T
r
i
p
l
e

D
E
S

(
E
C
B
)
.
.
.
T
r
i
p
l
e

D
E
S

(
C
B
C
)
.
.
.
M
A
R
S
.
.
.
R
C
6
.
.
.
R
i
j
n
d
a
e
l

(
A
E
S
)
.
.
.
S
e
r
p
e
n
t
.
.
.
T
w
o
f
i
s
h
.
.
.
A
s
y
m
m
e
t
r
i
c

E
n
c
r
y
p
t
i
o
n
F
a
c
t
o
r
i
s
a
t
i
o
n

o
f

a

N
u
m
b
e
r
.
.
.
L
a
t
t
i
c
e

B
a
s
e
d

A
t
t
a
c
k
s

o
n

R
S
A
F
a
c
t
o
r
i
n
g

w
i
t
h

a

H
i
n
t
.
.
.
A
t
t
a
c
k

o
n

S
t
e
r
e
o
t
y
p
e
d

M
e
s
s
a
g
e
s
.
.
.
A
t
t
a
c
k

o
n

S
m
a
l
l

S
e
c
r
e
t

K
e
y
s
.
.
.
S
i
d
e
-
C
h
a
n
n
e
l

A
t
t
a
c
k

o
n

"
T
e
x
t
b
o
o
k

R
S
A
"
.
.
.
H
a
s
h
A
t
t
a
c
k

o
n

t
h
e

H
a
s
h

V
a
l
u
e

o
f

t
h
e

D
i
g
i
t
a
l

S
i
g
n
a
t
u
r
e
.
.
.
A
n
a
l
y
s
e

R
a
n
d
o
m
n
e
s
s
F
r
e
q
u
e
n
c
y

T
e
s
t
P
o
k
e
r

T
e
s
t
R
u
n
s

T
e
s
t
S
e
r
i
a
l

T
e
s
t
F
I
P
S

P
U
B
-
1
4
0
-
1

T
e
s
t

B
a
t
t
e
r
y
V
i
t
a
n
y
3
-
D

V
i
s
u
a
l
i
z
a
t
i
o
n
.
.
.
O
p
t
i
o
n
s
P
l
o
t

O
p
t
i
o
n
s
.
.
.
A
n
a
l
y
s
i
s

O
p
t
i
o
n
s
.
.
.
T
e
x
t

O
p
t
i
o
n
s
.
.
.
S
t
a
r
t
i
n
g

O
p
t
i
o
n
s
.
.
.
F
u
r
t
h
e
r

O
p
t
i
o
n
s
.
.
.
W
i
n
d
o
w
C
a
s
c
a
d
e
T
i
l
e
A
r
r
a
n
g
e

I
c
o
n
s
C
l
o
s
e

A
l
l
H
e
l
p
S
t
a
r
t
i
n
g

P
a
g
e
T
o
p
i
c
s
I
n
d
e
x
S
c
e
n
a
r
i
o
s

(
T
u
t
o
r
i
a
l
s
)
R
e
a
d
m
e
S
c
r
i
p
t
A
b
o
u
t

C
r
y
p
T
o
o
l
Figure 7: Complete overview of the CrypTool menu tree
188
A.2 Authors of the CrypTool Script
This appendix lists the authors of this document.
Please refer to the top of each individual chapter for their contribution.
Bernhard Esslinger,
initiator of the CrypTool project, main author of this script, head IT security at Deutsche
Bank and lecturer on IT security at the University of Siegen. E-mail: [email protected].
Matthias B uger,
contribution to the chapter Elliptic Curves, research analyst at Deutsche Bank.
Bartol Filipovic,
original author of the CrypTool elliptic curve implementation and the corresponding chapter
in this script.
Henrik Koy,
main developer and co-ordinator of CrypTool development since version 1.3; script reviewer
and T
E
X guru; cryptographer and project leader IT at Deutsche Bank.
Roger Oyono,
implementer of the CrypTool factorization dialogue and original author of chapter The
Mathematical Ideas behind Modern Cryptography.
Jorg Cornelius Schneider,
design and support of CrypTool; crypto enthusiast and senior project leader IT at Deutsche
Bank.
Christine Stotzel,
Master of Business and Computer Science at the University of Siegen.
189
A.3 Bibliography of Movies and Fictional Literature with Relation to Cryp-
tograpy, Books for Kids with Collections of Simple Ciphers
Cryptographic applications classical as well as modern ones have been used in literature and
movies. In some media they are only mentioned and are a pure addmixture; in others they play
a primary role and are explained in detail; and sometimes the purpose of the story, which forms
the framework, is primarily to transport this knowledge and achieve better motivation.
Here is the beginning of an overview.
[Poe1843] Edgar Allan Poe,
The Gold Bug, 1843.
In this short story Poe tells as rst-person narrator about his acquaintanceship with the
curious Mr. Legrand. They detect a fabulous treasure via a gold bug and a vellum found
at the coast of New England.
The cipher consists of 203 cryptic symbols and it proves to be a monoalphabetic substitution
cipher. The story tells how they solve the riddle step by step using a combination of semantic
and syntax analysis (frequency analysis of single letters in English texts).
In this novel the code breaker Legrand says the famous statement: Yet it may be roundly
asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot
resolve given the according dedication.
Yet it may be roundly asserted that human ingenuity cannot concoct a cipher which human
ingenuity cannot resolve...
[Verne1885] Jules Verne,
Mathias Sandorf, 1885.
This is one of the most famous novels of the French author Jules Verne (1828-1905), who
was called Father of Science ction.
In Mathias Sandorf he tells the story of the freedom ghter Earl Sandorf, who is betrayed
to the police, but nally he can escape.
The whistle-blowing worked, because his enemies captured and decrypted a secret message
sent to him. For decryption they needed a special grille, which they stole from him. This
turning grille was a quadratic piece of jig with 6x6 squares, of which 1/4 (nine) were holes
(see the turning grille in chapter 2.1.1).
[Doyle1905] Arthur Conan Doyle,
The Adventure of the Dancing Men, 1905.
In this Sherlock-Holmes short story (rst published in 1903 in the Strand Magazine, and
then in 1905 in the collection The Return of Sherlock Holmes the rst time in book-
form) Sherlock Holmes has to solve a cipher which at rst glance looks like a harmless kids
picture.
But it proves to be the monoalphabetic substitution cipher of the criminal Abe Slaney.
Sherlock Holmes solves the riddle using frequency analysis.
[Sayer1932] Dorothy L. Sayer,
Have his carcase, Harper / Victor Gollancz Ltd., 1932.
190
In this novel the writer Harriet Vane nds a dead body at the beach. The police believe the
death is suicide. Harriet Vane and the elegant amateur sleuth Lord Peter Wimsey together
clear of the disgusting murder in this second of Sayerss famous Harriet Vane mystery series.
This requires to solve a cryptogram. Surprisingly the novel not only describes the Playfair
cipher in detail, but also the cryptanalysis of this cipher (see Playfair in chapter 2.2.3).
[Arthur196x] Robert Arthur,
The Three Invesigators: The Secret Key (German version: Der geheime Schl ussel nach
Alfred Hitchcock (volume 119), Kosmos-Verlag (from 1960)
The three detectives Justus, Peter and Bob have to decrypt covered and encrypted messages
within this story to nd out what is behind the toys of the Coppereld company.
[Seed1990] Directed by Paul Seed,
House of Cards, 1990.
In this movie Ruth tries to solve the secret, which made her daughter fall silent. Here two
young people suering from autism communicate via 5- and 6-digit primes. After more
than 1 hour the movie contains the following undecrypted two series of primes:
21, 383; 176, 081; 18, 199; 113, 933; 150, 377; 304, 523; 113, 933
193, 877; 737, 683; 117, 881; 193, 877
[Robinson1992] Directed by Phil Alden Robinson,
Sneakers, Universal Pictures Film, 1992.
In this movie the sneakers, computer experts under their boss Martin Bishop, try to
get back the deciphering box SETEC from the bad guys. SETEC, invented by a genius
mathematician before he was killed, allows to decrypt all codes from any nation.
The code is not described in any way.
[Brown1998] Dan Brown,
Digital Fortress, E-Book, 1998.
Dan Browns rst novel was published in 1998 as e-book, but it was largely unsuccessful
then.
The National Security Agency (NSA) uses a huge computer, which enables it to decrypt all
messages (needless to say only of criminals and terrorists) within minutes even if they use
the most modern encryption methods.
An apostate employee invents an unbreakable code and his computer program Diabolus
forces the super computer to do self destructing operations. The plot, where also the beau-
tiful computer expert Susan Fletcher has a role, is rather predictable.
The idea, that the NSA or another secret service is able to decrypt any code, is currently
popular on several authors: In Digital Fortress the super computer has 3 million proces-
sors nevertheless from todays sight this is by no means sucient to hack modern ciphers.
[Elsner1999] Dr. C. Elsner,
The Dialogue of the Sisters, ct, 1999.
In this short story, which is included in the CrypTool package as PDF le, the sisters
191
condentially communicate using a variant of RSA. They are residents of a madhouse
being under permanent surveillance.
[Stephenson1999] Neal Stephenson,
Cryptonomicon, Harper, 1999.
This very thick novel deals with cryptography both in WW2 and today. The two heroes
from the 40ies are the excellent mathematician and cryptanalyst Lawrence Waterhouse, and
the overeager and morphium addicted US marine Bobby Shaftoe. They both are members
of the special allied unit 2702, which tries to hack the enemys communication codes and
at the same time to hide the own existance.
This secretiveness also happens in the present plot, where the grandchildren of the war
heroes the dedicated programmer Randy Waterhouse and the beautiful Amy Shaftoe
team up.
Cryptonomicon is notably heavy for non-technical readers in parts. Several pages are
spent explaining in detail some of the concepts behind cryptography. Stephenson added
a detailled description of the Solitaire cipher (called Pontifex in the book), a paper and
pencil encryption algorithm developed by Bruce Schneier. The used modern algorithm is
not revealed.
[Elsner2001] Dr. C. Elsner,
The Chinese Labyrinth, ct, 2001.
In this short story, which is included in the CrypTool package as PDF le, Marco Polo has
to solve problems from number theory within a competition to become a major consultant
of the Great Khan.
[Colfer2001] Eoin Colfer,
Artemis Fowl, Viking, 2001.
In this book for young people the 12 year old Artemis, a genius thief, gets a copy of the
top secret Book of the Elfs. After he decrypted it with his computer, he nds out things,
men never should have known.
The used code is not described in detail or revealed.
[Howard2001] Ron Howard,
A Beautiful Mind, 2001.
This is the lm version of Sylvia Nasars biography of the game theorist John Nash. After
the brilliant but asocial mathematician accepts secret work in cryptography, his life takes
a turn to the nightmarish. His irresistible urge to solve problems becomes a danger for
himself and his family. Nash is within his belief a most important hacker working for
the government.
Details of his way analysing code are not described in any way.
[Apted2001] Directed by Michael Apted,
Enigma, 2001.
This is the lm version of Robert Harris historical ction Enigma (Hutchinson, London,
1995) about the World War II codebreaking work at Bletchley Park in early 1943, when
the actual inventer of the analysis Alan Turing (after Polish pre-work) already was in the
192
US. So the ctional mathematician Tom Jericho is the lead character in this spy-thriller.
Details of his way analysing the code are not described.
[Isau2003] Ralf Isau,
The Museum of the stolen memories (original title: Das Museum der gestohlenen Erin-
nerungen), Thienemann-Verlag, 2003.
In this exciting novel the last part of the oracle can only be solved with the joined help of
the computer community.
[Brown2003] Dan Brown,
The Da Vinci Code, Doubleday, 2003.
The director of the Louvre is found murderered in his museum in front of a picture of
Leonardo da Vinci. And the symbol researcher Robert Langdon is involved in a conspiracy.
The plot mentions dierent classic codes (substitution like Caesar or Vigenere, as well as
transposition and number codes). Also there are hints about Schneier and the sunower.
The second part of the book contains a lot of theologic considerations.
This book has become one of the most widely read books of all time.
[McBain2004] Scott McBain,
Final Solution, manuscript not pubished by Harper Collins, 2004 (German version has been
published in 2005).
In a near future politicians, chiefs of military and secret services of many dierent countries
take over all the power. With a giant computer network called Mother and complete
surveillance they want to cement their power and commercialisation of life forever. Humans
are only assessed according to their credit rating and globally acting companies elude of
any democratic control. Within the thriller the obvious injustice, but also the realistic
likelihood of this development are considered again and again.
With the help of a cryptographer a code to destroy was built into the super computer
Mother: In a race several people try to start the deactivation (Lars Pedersen, Oswald
Plevy, the female American president, the British prime minister and an unknown Finish
named Pia, who wants to take revenge for the death of her brother). On the opposite side
a killing group acts under the special guidance of the British foreign minister and the boss
of the CIA.
[Burger2006] Wolfgang Burger,
Heidelberg Lies (original title: Heidelberger L ugen), Piper, 2006.
This detective story playing in the Rhein-Neckar area in Germany has several indepen-
dant strands and local stories, but mainly it is about Kriminalrat Gerlach from Heidelberg.
On page 207 f. the cryptographic reference for one strand is shortly explained: The sol-
dier Horrle had copied circuit diagrams of a new digital NATO decryption device and the
murdered man had tried to sell his perceptions to China.
Further samples of cryptology in ctional literature can be found on the following German web
page:
193
http://www.staff.uni-mainz.de/pommeren/Kryptologie99/Klassisch/1 Monoalph/
Literat.html
For some older authors (e.g. Jules Verne, Karl May, Arthur Conan Doyle, Edgar Allen Poe) there
are links to the original and relevant text pieces.
Kid books with collections of simpler cryptographic encryption methods, prepared in a didactical
and exciting manner are in the following list (please send us similar English kid books, because
at the moment our list contains only German kid books):
[Mosesxxxx] [no named author],
Top secret The Book for Detectives and Spies (original title: Streng geheim Das Buch
fur Detektive und Agenten), Edition moses, [no year named].
This is a thin book for small kids with Inspector Fox and Dr. Chicken.
[Para1988] Para,
Ciphers (original title: Geheimschriften), Ravensburger Taschenbuch Verlag, 1988 (1st edi-
tion 1977).
On 125 pages lled with a small font this mini format book explains many methods which
young children can apply directly to encrypt or hide their messages. A little glossar and a
short overview about the usage of encryption methods in history complete this little book.
Right at page 6 it summarizes for beginners in an old fashion style The Important Things
First about paper&pencil encryption (compare chapter 2):
- It must be possible to encrypt your messages at any place and at any location with
the easiest measures and a small eort in a short time.
- Your cipher must be easy to remember and easy to read for your partners. But
strangers should not be able to decrypt them.
Remember: Fastness before nesse, security before carelessness.
- Your message must always be as short and precise as a telegram. Shortness outranks
grammer and spelling. Get rid of all needless like salutations or punctuation marks.
Preferably use only small or only capital letters.
[Kippenhahn2002] Rudolf Kippenhahn,
Top secret! How to encrypt messages and to hack codes (original title: Streng geheim!
Wie man Botschaften verschl usselt und Zahlencodes knackt), rororo, 2002.
In this novel a grandpa, an expert for secret writings teaches his four grandchildren and
their friends, how to encrypt messages which nobody should read. Because there is some-
one who hacks their secrets, the grandpa has to teach them more and more complicated
methods.
194
Within this story, which forms the framework, the most important classic encryption meth-
ods and its analysis are explained in a manner exciting and appropriate for children.
[Flessner2004] Bernd Flessner,
The Three Invesigators: Manual for Secret Messages (original title: Die 3 ???: Handbuch
Geheimbotschaften), Kosmos, 2004.
On 127 pages you learn in an easy and exciting manner, structered by the method types,
which secret languages (like the one of the Navajo indians or dialects) and which secret
writings (real encryption or hiding via technical or liguistic steganography) existed and
how simple methods can be decrypted.
The author tells where in history the methods were used and in which novells authors used
encryption methods [like in Edgar Allan Poes The Gold Bug, like with Jules Vernes
hero Mathias Sandorf or like with Astrid Lindgrens master detective Blomquist who used
the ROR language (similar inserting ciphers are the spoon or the B language)].
This is a didactically excellent introduction for younger teens.
If you know of futher literature and movies, where cryptography has a major role or if you know
of futher books, which address cryptography in a didactical and for children adequate way, then
we would be very glad if you could send us the exact book titel and a short explanation about
the books content. Thanks a lot.
195
Index
Aaronson 2003, 72
ACA 2002, 40
Addition, 86, 94
ADFGVX, 33
Adleman 1982, 158
Adleman, Leonard, 15, 150, 151
Agrawal 2002, 131
AKS, 65, 117
Alice, 15
AMSCO, 21
Apted 2001, 192
Arthur 196x, 191
Associative law, 84
Atbash, 24
Attack
birthday, 161
brute-force, 1214, 187
chosen-cipher text, 152
cipher text only, 129
known plaintext, 129
man-in-the-middle, 164
Authenticity, 15, 164
user, 159
Authors, 189
Baby-Step-Giant-Step, 154, 156
Baconian Cipher, 28
Balcazar 1988, 158
Bartholome 1996, 72, 131
Bauer 1995, 40, 131
Bauer 2000, 40, 131
BC, 134
Beale cipher, 29
Beaufort, 32
Berne, Eric, 96
Bernstein 2001, 131
Beutelspacher 1996, 131
Block length, 124126
Blum 1999, 72
Bogk 2003, 133
Book cipher, 29
Bourseau 2002, 131
Brands 2002, 131
Brickell 1985, 158
Brickell, Ernst, 150
Brown 1998, 191
Brown 2003, 193
Buchmann 1999, 131
Buhler 1993, 131
Bundschuh 1998, 72
Burger 2006, 193
C158, 112
Cadenus, 23
Caesar, 24
Caldwell Chris, 74
Capital letters alphabet, 124, 130
Cascade cipher, 13
Cassels 1991, 184
Catalan Eugene, 59
Certicom, 176, 184
Certication
public key, 164
Certication authority (CA), 164
Che Guevara, 27
Closeness, 85, 93, 138
Co-prime, 148, 151
Cole, Frank Nelson, 47
Colfer 2001, 192
Collision, 159, 161
Collision resistance, 160
Commutative law, 84
Complexity, 107, 146, 157, 170
Congruence, 82, 83
Congruent, 83
Coppersmith 2002, 17
Courtois 2002, 17
Crandall, Richard, 49
Crowley 2000, 40
Cryptanalysis, 12, 125, 127, 129
Cryptography
modern, 42, 119, 146
196
public key, 42, 103, 147, 148
CrypTool, 2, 912, 1416, 1921, 24, 29, 31,
33, 37, 47, 104, 112, 120, 123127, 129,
130, 134, 151, 154, 159, 161, 181, 187,
189, 191, 192
Cunningham project, 53, 74, 135
DA 1999, 40
Dedekind, Julius, 77
DES, 12
Die, Whiteld, 15, 120, 154
Die-Hellman, 77, 120, 154, 179
Discrete logarithm, 121, 122, 153
Distributive law, 84
Divisibility, 82
Divisible, 82
Division modulo n, 84, 86
Divisor, 82
Domain parameter, 179
Double column transposition, 21
Doyle 1905, 190
Doyle, Sir Arthur Conan, 190
DSA, 15, 180, 181
signature, 163
ECDLP, 178, 179
Eckert 2003, 104, 125, 131
ECMNET, 181
EFF, 50
ElGamal
public key, 154
ElGamal, Tahir, 15
Elliptic curves, 167
Elsner 1999, 191
Elsner 2001, 192
Encryption, 11
asymmetric, 14, 76, 146
ElGamal public key, 154
hybrid, 15
Merkle-Hellman, 149
public key, 146
symmetric, 11, 19
Eratosthenes
sieve, 50, 61
Erdos, Paul, 62
Ertel 2001, 131
Euclid, 44
Euclids proof by contradiction, 45
Euclidean algorithm, 181
extended, 89, 98, 136
Euclidean number, 56
Euler
(phi) function, 88, 93, 96, 151
Euler Leonhard, 97
Euler, Leonhard, 96, 97
Exponential function
calculation, 155
discrete, 153
Factor, 82
Factorisation, 47, 99, 170
factoring records, 66, 111, 134, 181
factorisation problem, 99, 115, 129, 151
factorisation records, 47
forecast, 109
Ferguson 2001, 17
Fermat
last theorem, 133
little theorem, 51, 88, 97
number, 50
generalized, 55
prime number, 54
Fermat, Pierre, 50, 97
Fibonacci, 77, 134
Field, 170
characteristic, 171
nite, 172
FIPS180-2, 166
FIPS186, 166
FIPS186-2, 166
Fixpoint, 96, 98
Flessner 2004, 195
Fox 2002, 131
Fox, Dirk, 110
Godel, Kurt, 65
Gallot, Yves, 5355
Gauss bracket, 136
197
Gauss, Carl Friedrich, 54, 60, 76, 77, 81, 103
Gcd, 76, 88, 93, 136, 151
General Number Field Sieve (GNFS), 107, 108,
112115, 117
GIMPS, 49, 74
GISA, 104, 109, 113, 134, 167
GISA 2002, 132
Goebel 2003, 40
Goldbach, Christian, 64
Google
Recruitment, 66
Graham 1989, 72
Graham 1994, 77, 132
Grid computing, 109
Group, 76, 93, 155, 170
cyclic, 171
Half prime, 63
Hardy, Godfrey Harold, 62, 63
Hash function, 159, 160
Hash value, 160
Hellman, Martin, 15, 120, 149, 154
Howard 2001, 192
Hybrid procedure, 15
IDEA, 12
Identity, 85
Impersonation attack, 164
Inverse
additive, 85
multiplicative, 85
Invertibility, 95
Isau 2003, 193
ISO/IEC 9594-8, 166
ITU-T, 166
IVBB, 182
Key
private, 146
public, 14, 146
secret, 14
Key agreement (key exchange)
Die-Hellman, 120, 154
Key management, 15, 16
Kippenhahn 1997, 132
Kippenhahn 1999, 132
Kippenhahn 2002, 194
Klee 1997, 72
Knapsack, 148
Merkle-Hellman, 149
Knott, Ron, 77, 134
Knuth 1981, 72
Knuth 1998, 132
Koblitz 1984, 184
Koblitz 1998, 184
Koblitz, Neal, 169
Kronecker, Leopold, 77
Lagarias 1983, 158
Lagarias, Je, 150
Lattice reduction, 109
Legendre, Adrien-Marie, 60, 103
Lem, Stanislaw, 160
Lenstra 1987, 184
Lenstra 1993, 132
Lenstra 2002, 132
Lenstra/Verheul 1999, 184
LiDIA, 122, 134
Literature, 103, 190
Logarithm, 92, 154
Logarithm problem
discrete, 92, 121, 153, 156, 163, 170
Long integer, 91
Lorenz 1993, 72
Lucas, Edouard, 47, 50
Lucks 2002, 17
Lucks 2003, 133
Map cipher, 26
Mathematica, 89, 122, 134, 141
McBain 2004, 193
Menezes 1993, 184
Menezes 2001, 132
Merkle 1978, 158
Merkle, Ralph, 149
Mersenne
number, 46, 47
generalized, 53, 54
prime number, 46, 48, 53, 65, 74
198
M-37, 48
M-38, 48
M-39, 48, 53
theorem, 46
Mersenne, Marin, 46, 50
Message integrity, 159
Miller, Gary L., 52
Miller, Victor, 169
Modulus, 82
Moores law, 109
Moore, Gordon E., 109
Moses xxxx, 194
Movies, 67, 103, 190
Multiplication, 86, 94
M unchenbach, Carsten, 134
Near prime, 63
Nichols 1996, 17, 40
Nihilist substitution, 25
Nihilist transposition, 23
NIST, 163
Noll, Landon Curt, 48
Nomenclature, 26
NSA, 12
Number
Carmichael, 52, 55
Catalan, 59
composite, 43, 80
Fermat, 50
Mersenne, 46
natural, 42, 77
prime, 42, 43
pseudo prime, 51, 55
semi prime, 63, 111
strong pseudo prime, 52, 55
Number theory
elementary, 76, 80
fundamental theorem, 43, 81, 93
introduction, 77
modern, 78
One Time Pad, 11
One way function, 93, 119, 146
with trapdoor , 146
Open Source, 104
Order
maximum, 100
multiplicative, 100
P(n), 60
Padberg 1996, 72
Palladium, 117
Paper- and pencil methods, 19, 192
Para 1988, 194
Pari-GP, 89, 122, 134, 135, 141
Patent, 104
Performance, 42, 109, 143, 159, 167
Permutation, 19, 89, 102, 148
Peeger 1997, 132
PI(x), 60
Pieper 1983, 72
PKCS#1, 162, 166
PKCS#5, 159
PKI, 164
Playfair, 29
Poe 1843, 190
Poe, Edgar Allan, 19, 190
Pohlig, S. C., 154
Pollard, John M., 181
Polynomial, 58, 65, 108, 117, 146148, 150, 173
Pomerance 1984, 132
Power, 91
Pre-Image-Attack
1st, 160
2nd, 160
Primality testing, 66, 114, 117
Prime factor, 81
decomposition, 81, 93, 96, 151
Prime number, 42, 80
density, 59
Fermat, 54
formula, 53
gigantic, 48
half prime, 63
Mersenne, 48, 53, 65
near prime, 63
number of, 103
pseudo prime, 51, 55
199
records, 46
relative prime, 56, 151
strong pseudo prime, 52, 55
test, 48, 50, 170
theorem, 60
titanic, 48
Prime sequence
arithmetic, 62
Problem of discrete logarithm, 179
Proof by contradiction, 45, 47
Proof of existance, 64
Rabin
public key procedure, 152
Rabin, Michael O., 52, 152
Railfence cipher, 19
Raising to the power, 90
Random, 15, 163
RC5, 14
Reducibility, 84
Relatively prime, 56, 88, 89, 98
Remainder class, 82
Remainder set
full, 95
reduced, 95
Richstein 1999, 64, 72
Riemann, Bernhard, 65
RIPEMD-160, 161
Rivest, Ronald, 15, 151
Robinson 1992, 191
Robshaw 2002, 17
Root, 92
Rowling, Joanne, 80, 119
RSA, 15, 42, 77, 91, 97, 98, 103, 104, 122, 151
cipher challenge, 127, 129
modulus, 179
RSA procedure, 103
signature, 162
RSA 1978, 158
RSA Laboratories, 166
RSA Security 2002, 132
RSA-155, 112
RSA-160, 113
RSA-200, 9, 114
Runtime
ecient, 146
not polynomial NP, 148
polynomial, 146
Savard 1999, 40
Sayer 1932, 190
Scheid 1994, 72
Schmeh 2003, 17
Schmeh 2004, 40
SchneiderM 2004, 133
Schneier 1996, 17, 73, 133, 166
Schnorr, C.P., 15
Schroeder 1999, 73
Schwenk 1996, 73
Schwenk 2002, 133
Scytale, 20
SECUDE IT Security, 16, 181
Sedgewick 1990, 104, 133
Seed 1990, 191
Seneca, 86
Session key, 15
SHA-1, 161, 163
Shamir 1982, 158
Shamir 2003, 133
Shamir 2003a, 133
Shamir, Adi, 15, 150, 151
Short integer, 91
Signature
digital, 15, 42, 107, 159, 162, 163
Signature procedure, 159
Silver, 154
Silverman 1986, 184
Silverman 1992, 184
Silverman 2000, 133
Singh 2001, 41
Siverman/Tate 1992, 184
Solitaire, 37
Square and multiply, 92, 127
Steganography, 26
Stephenson 1999, 192
Stinson 1995, 127, 133, 152, 153, 156, 158
Straddling Checkerboard, 27
Straddling Checkerboard, 26
200
Structure, 85, 94, 96, 100
Substitution, 24
homophonic, 29
monoalphabetic, 24
polyalphabetic, 31
polygraphic, 29
Superposition, 33
ThinkQuest 1999, 41
Tietze 1973, 73
Transitivity, 85
Transposition, 19
Turning grille, 20
TWIRL device, 116, 133
Verne 1885, 190
Verne, Jules, 190
Vigen`ere, 31
Weierstrass, Karl, 173175
Weis 2003, 133
Welschenbach 2001, 133
Wiles, Andrew, 78, 133, 169
Wobst 2002, 17
Wolfenstetter 1998, 133
Woltman, George, 49
X.509, 164, 166
Yan 2000, 129, 133
Yates, Samual, 48
Z
n
, 93
Z

n
, 94
Zemeckis 1997, 67
201