INTRODUCTION TO
CRYPTOGRAPHY
with Coding Theory
3rd edition

Wade Trappe
Wireless Information Network Laboratory
and the Electrical and Computer Engineering Department
Rutgers University

Lawrence C. Washington
Department of Mathematics
University of Maryland

Portfolio Manager: Chelsea Kharakozoua
Content Manager: Jeff Weidenaar
Content Associate: Jonathan Krebs
Content Producer: Tara Corpuz
Managing Producer: Scott Disanno
Producer: Jean Choe
Manager, Courseware QA: Mary Durnwald
Product Marketing Manager: Stacey Sveum
Product and Solution Specialist: Rosemary Morten
Senior Author Support/Technology Specialist: Joe Vetere
Manager, Rights and Permissions: Gina Cheselka
Text and Cover Design, Production Coordination, Composition, and Illustrations:
Integra Software Services Pvt. Ltd
Manufacturing Buyer: Carol Melville, LSC Communications
Cover Image: Photographer is my life/Getty Images

Copyright © 2020, 2006, 2002 by Pearson Education, Inc. 221 River Street, Hoboken, NJ 07030. All Rights Reserved. Printed in the United States of America. This publication is protected by copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise. For information regarding permissions, request forms and the appropriate contacts within the Pearson Education Global Rights & Permissions department, please visit www.pearsoned.com/permissions/.

Text Credit: Page 23 Declaration of Independence: A Transcription, The U.S. National Archives and
Records Administration.

PEARSON, ALWAYS LEARNING, and MYLAB are exclusive trademarks owned by Pearson
Education, Inc. or its affiliates in the U.S. and/or other countries.

Unless otherwise indicated herein, any third-party trademarks that may appear in this work are the
property of their respective owners and any references to third-party trademarks, logos or other trade
dress are for demonstrative or descriptive purposes only. Such references are not intended to imply any
sponsorship, endorsement, authorization, or promotion of Pearson’s products by the owners of such
marks, or any relationship between the owner and Pearson Education, Inc. or its affiliates, authors,
licensees or distributors.

Library of Congress Cataloging-in-Publication Data

Names: Trappe, Wade, author. | Washington, Lawrence C., author.
Title: Introduction to cryptography : with coding theory / Wade Trappe, Lawrence Washington.
Description: 3rd edition. | [Hoboken, New Jersey] : [Pearson Education], [2020] | Includes bibliographical references and index. | Summary: “This book is based on a course in cryptography at the upper-level undergraduate and beginning graduate level that has been given at the University of Maryland since 1997, and a course that has been taught at Rutgers University since 2003”— Provided by publisher.
Identifiers: LCCN 2019029691 | ISBN 9780134860992 (paperback)
Subjects: LCSH: Coding theory. | Cryptography.
Classification: LCC QA268.T73 2020 | DDC 005.8/24—dc23
LC record available at https://lccn.loc.gov/2019029691

Rental
ISBN-10: 0-13-673154-6
ISBN-13: 978-0-13-673154-2

Print Offer
ISBN-10: 0-13-486099-3
ISBN-13: 978-0-13-486099-2

Contents

Preface ix

1 Overview of Cryptography and Its Applications 1
1.1 Secure Communications . . . . . . . . . . . . . . . . . . . . . 2
1.2 Cryptographic Applications . . . . . . . . . . . . . . . . . . . 8

2 Classical Cryptosystems 10
2.1 Shift Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Affine Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 The Vigenère Cipher . . . . . . . . . . . . . . . . . . . . . . 14
2.4 Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 Sherlock Holmes . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.6 The Playfair and ADFGX Ciphers . . . . . . . . . . . . . . . 26
2.7 Enigma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 37

3 Basic Number Theory 40
3.1 Basic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2 The Extended Euclidean Algorithm . . . . . . . . . . . . . . 44
3.3 Congruences . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4 The Chinese Remainder Theorem . . . . . . . . . . . . . . . 52
3.5 Modular Exponentiation . . . . . . . . . . . . . . . . . . . . 54
3.6 Fermat’s Theorem and Euler’s Theorem . . . . . . . . . . . . 55
3.7 Primitive Roots . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.8 Inverting Matrices Mod n . . . . . . . . . . . . . . . . . . . . 61
3.9 Square Roots Mod n . . . . . . . . . . . . . . . . . . . . . . 62
3.10 Legendre and Jacobi Symbols . . . . . . . . . . . . . . . . . 64
3.11 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.12 Continued Fractions . . . . . . . . . . . . . . . . . . . . . . . 76
3.13 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.14 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 86

4 The One-Time Pad 88
4.1 Binary Numbers and ASCII . . . . . . . . . . . . . . . . . . 88
4.2 One-Time Pads . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.3 Multiple Use of a One-Time Pad . . . . . . . . . . . . . . . . 91
4.4 Perfect Secrecy of the One-Time Pad . . . . . . . . . . . . . 94
4.5 Indistinguishability and Security . . . . . . . . . . . . . . . . 97
4.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

5 Stream Ciphers 104
5.1 Pseudorandom Bit Generation . . . . . . . . . . . . . . . . . 105
5.2 LFSR Sequences . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.3 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.5 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 117
6 Block Ciphers 118
6.1 Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.2 Hill Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.3 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . 122
6.4 Multiple Encryption . . . . . . . . . . . . . . . . . . . . . . . 129
6.5 Meet-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . 130
6.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 135
7 The Data Encryption Standard 136
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
7.2 A Simplified DES-Type Algorithm . . . . . . . . . . . . . . . 137
7.3 Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . . 140
7.4 DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
7.5 Breaking DES . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.6 Password Security . . . . . . . . . . . . . . . . . . . . . . . . 155
7.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.8 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 159
8 The Advanced Encryption Standard: Rijndael 160
8.1 The Basic Algorithm . . . . . . . . . . . . . . . . . . . . . . 160
8.2 The Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
8.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
8.4 Design Considerations . . . . . . . . . . . . . . . . . . . . . . 168
8.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
9 The RSA Algorithm 171
9.1 The RSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . 171
9.2 Attacks on RSA . . . . . . . . . . . . . . . . . . . . . . . . . 177
9.3 Primality Testing . . . . . . . . . . . . . . . . . . . . . . . . 183
9.4 Factoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
9.5 The RSA Challenge . . . . . . . . . . . . . . . . . . . . . . . 192
9.6 An Application to Treaty Verification . . . . . . . . . . . . . 194
9.7 The Public Key Concept . . . . . . . . . . . . . . . . . . . . 195
9.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
9.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . 207
10 Discrete Logarithms 211
10.1 Discrete Logarithms . . . . . . . . . . . . . . . . . . . . . . . 211
10.2 Computing Discrete Logs . . . . . . . . . . . . . . . . . . . . 212
10.3 Bit Commitment . . . . . . . . . . . . . . . . . . . . . . . . . 218
10.4 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . 219
10.5 The ElGamal Public Key Cryptosystem . . . . . . . . . . . . 221
10.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
10.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 225

11 Hash Functions 226
11.1 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 226
11.2 Simple Hash Examples . . . . . . . . . . . . . . . . . . . . . 230
11.3 The Merkle-Damgård Construction . . . . . . . . . . . . . . 231
11.4 SHA-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
11.5 SHA-3/Keccak . . . . . . . . . . . . . . . . . . . . . . . . . . 237
11.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

12 Hash Functions: Attacks and Applications 246
12.1 Birthday Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 246
12.2 Multicollisions . . . . . . . . . . . . . . . . . . . . . . . . . . 249
12.3 The Random Oracle Model . . . . . . . . . . . . . . . . . . . 251
12.4 Using Hash Functions to Encrypt . . . . . . . . . . . . . . . 253
12.5 Message Authentication Codes . . . . . . . . . . . . . . . . . 255
12.6 Password Protocols . . . . . . . . . . . . . . . . . . . . . . . 256
12.7 Blockchains . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
12.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
12.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 268

13 Digital Signatures 269
13.1 RSA Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 270
13.2 The ElGamal Signature Scheme . . . . . . . . . . . . . . . . 271
13.3 Hashing and Signing . . . . . . . . . . . . . . . . . . . . . . . 273
13.4 Birthday Attacks on Signatures . . . . . . . . . . . . . . . . 274
13.5 The Digital Signature Algorithm . . . . . . . . . . . . . . . . 275
13.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
13.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 281

14 What Can Go Wrong 282
14.1 An Enigma “Feature” . . . . . . . . . . . . . . . . . . . . . . 282
14.2 Choosing Primes for RSA . . . . . . . . . . . . . . . . . . . . 283
14.3 WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
14.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

15 Security Protocols 290
15.1 Intruders-in-the-Middle and Impostors . . . . . . . . . . . . . 290
15.2 Key Distribution . . . . . . . . . . . . . . . . . . . . . . . . . 293
15.3 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
15.4 Public Key Infrastructures (PKI) . . . . . . . . . . . . . . . 303
15.5 X.509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . 304
15.6 Pretty Good Privacy . . . . . . . . . . . . . . . . . . . . . . 309
15.7 SSL and TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
15.8 Secure Electronic Transaction . . . . . . . . . . . . . . . . . 314
15.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
16 Digital Cash 318
16.1 Setting the Stage for Digital Economies . . . . . . . . . . . . 319
16.2 A Digital Cash System . . . . . . . . . . . . . . . . . . . . . 320
16.3 Bitcoin Overview . . . . . . . . . . . . . . . . . . . . . . . . 326
16.4 Cryptocurrencies . . . . . . . . . . . . . . . . . . . . . . . . . 329
16.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

17 Secret Sharing Schemes 340
17.1 Secret Splitting . . . . . . . . . . . . . . . . . . . . . . . . . . 340
17.2 Threshold Schemes . . . . . . . . . . . . . . . . . . . . . . . 341
17.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
17.4 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 348

18 Games 349
18.1 Flipping Coins over the Telephone . . . . . . . . . . . . . . . 349
18.2 Poker over the Telephone . . . . . . . . . . . . . . . . . . . . 351
18.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

19 Zero-Knowledge Techniques 357
19.1 The Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . 357
19.2 The Feige-Fiat-Shamir Identification Scheme . . . . . . . . . . 359
19.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

20 Information Theory 365
20.1 Probability Review . . . . . . . . . . . . . . . . . . . . . . . 365
20.2 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
20.3 Huffman Codes . . . . . . . . . . . . . . . . . . . . . . . . . . 371
20.4 Perfect Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . 373
20.5 The Entropy of English . . . . . . . . . . . . . . . . . . . . . 376
20.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

21 Elliptic Curves 384
21.1 The Addition Law . . . . . . . . . . . . . . . . . . . . . . . . 384
21.2 Elliptic Curves Mod p . . . . . . . . . . . . . . . . . . . . . . 389
21.3 Factoring with Elliptic Curves . . . . . . . . . . . . . . . . . 393
21.4 Elliptic Curves in Characteristic 2 . . . . . . . . . . . . . . . 396
21.5 Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . 399
21.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
21.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 407

22 Pairing-Based Cryptography 409
22.1 Bilinear Pairings . . . . . . . . . . . . . . . . . . . . . . . . . 409
22.2 The MOV Attack . . . . . . . . . . . . . . . . . . . . . . . . 410
22.3 Tripartite Diffie-Hellman . . . . . . . . . . . . . . . . . . . . 411
22.4 Identity-Based Encryption . . . . . . . . . . . . . . . . . . . 412
22.5 Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.6 Keyword Search . . . . . . . . . . . . . . . . . . . . . . . . . 417
22.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
23 Lattice Methods 421
23.1 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
23.2 Lattice Reduction . . . . . . . . . . . . . . . . . . . . . . . . 422
23.3 An Attack on RSA . . . . . . . . . . . . . . . . . . . . . . . 426
23.4 NTRU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
23.5 Another Lattice-Based Cryptosystem . . . . . . . . . . . . . 433
23.6 Post-Quantum Cryptography? . . . . . . . . . . . . . . . . . 435
23.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
24 Error Correcting Codes 437
24.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
24.2 Error Correcting Codes . . . . . . . . . . . . . . . . . . . . . 442
24.3 Bounds on General Codes . . . . . . . . . . . . . . . . . . . . 446
24.4 Linear Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
24.5 Hamming Codes . . . . . . . . . . . . . . . . . . . . . . . . . 457
24.6 Golay Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
24.7 Cyclic Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
24.8 BCH Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
24.9 Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . 479
24.10 The McEliece Cryptosystem . . . . . . . . . . . . . . . . . . 480
24.11 Other Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
24.12 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
24.13 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 487
25 Quantum Techniques in Cryptography 488
25.1 A Quantum Experiment . . . . . . . . . . . . . . . . . . . . . 488
25.2 Quantum Key Distribution . . . . . . . . . . . . . . . . . . . 491
25.3 Shor’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 493
25.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
A Mathematica Examples 503
A.1 Getting Started with Mathematica . . . . . . . . . . . . . . . 503
A.2 Some Commands . . . . . . . . . . . . . . . . . . . . . . . . 504
A.3 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 505
A.4 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 508
A.5 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 511
A.6 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 513
A.7 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 514
A.8 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 520
A.9 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 521
A.10 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 521
A.11 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 522
A.12 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 523
B Maple Examples 527
B.1 Getting Started with Maple . . . . . . . . . . . . . . . . . . . 527
B.2 Some Commands . . . . . . . . . . . . . . . . . . . . . . . . 528
B.3 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 529
B.4 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 533
B.5 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 536
B.6 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 538
B.7 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 539
B.8 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 546
B.9 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 547
B.10 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 548
B.11 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 549
B.12 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 551
C MATLAB Examples 555
C.1 Getting Started with MATLAB . . . . . . . . . . . . . . . . 556
C.2 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 560
C.3 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 566
C.4 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 569
C.5 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 571
C.6 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 573
C.7 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 581
C.8 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 581
C.9 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 582
C.10 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 582
C.11 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 585
D Sage Examples 591
D.1 Computations for Chapter 2 . . . . . . . . . . . . . . . . . . 591
D.2 Computations for Chapter 3 . . . . . . . . . . . . . . . . . . 594
D.3 Computations for Chapter 5 . . . . . . . . . . . . . . . . . . 595
D.4 Computations for Chapter 6 . . . . . . . . . . . . . . . . . . 596
D.5 Computations for Chapter 9 . . . . . . . . . . . . . . . . . . 596
D.6 Computations for Chapter 10 . . . . . . . . . . . . . . . . . . 597
D.7 Computations for Chapter 12 . . . . . . . . . . . . . . . . . . 598
D.8 Computations for Chapter 17 . . . . . . . . . . . . . . . . . . 598
D.9 Computations for Chapter 18 . . . . . . . . . . . . . . . . . . 598
D.10 Computations for Chapter 21 . . . . . . . . . . . . . . . . . . 599
E Answers and Hints for Selected Odd-Numbered Exercises 601
F Suggestions for Further Reading 607
Bibliography 608
Index 615

Preface

This book is based on a course in cryptography at the upper-level undergraduate and beginning graduate level that has been given at the University of Maryland since 1997, and a course that has been taught at Rutgers University since 2003. When designing the courses, we decided on the following requirements:

• The courses should be up-to-date and cover a broad selection of topics from a mathematical point of view.
• The material should be accessible to mathematically mature students having little background in number theory and computer programming.
• There should be examples involving numbers large enough to demonstrate how the algorithms really work.

We wanted to avoid concentrating solely on RSA and discrete logarithms, which would have made the courses mostly about number theory. We also did not want to focus on protocols and how to hack into friends’ computers. That would have made the courses less mathematical than desired.

There are numerous topics in cryptology that can be discussed in an introductory course. We have tried to include many of them. The chapters represent, for the most part, topics that were covered during the different semesters we taught the course. There is certainly more material here than could be treated in most one-semester courses. The first thirteen chapters represent the core of the material. The choice of which of the remaining chapters are used depends on the level of the students and the objectives of the lecturer.

The chapters are numbered, thus giving them an ordering. However, except for Chapter 3 on number theory, which pervades the subject, the chapters are fairly independent of each other and can be covered in almost any reasonable order. Since students have varied backgrounds in number theory, we have collected the basic number theory facts together in Chapter 3 for ease of reference; however, we recommend introducing these concepts gradually throughout the course as they are needed.

The chapters on information theory, elliptic curves, quantum cryptography, lattice methods, and error correcting codes are somewhat more mathematical than the others. The chapter on error correcting codes was included, at the suggestion of several reviewers, because courses that include introductions to both cryptology and coding theory are fairly common.
Computer Examples. Suppose you want to give an example for RSA. You could choose two one-digit primes and pretend to be working with fifty-digit primes, or you could use your favorite software package to do an actual example with large primes. Or perhaps you are working with shift ciphers and are trying to decrypt a message by trying all 26 shifts of the ciphertext. This should also be done on a computer.

Additionally, at the end of the book are appendices containing computer examples written in each of Mathematica, Maple, MATLAB, and Sage that show how to do such calculations. These languages were chosen because they are user friendly and do not require prior programming experience. Although the course has been taught successfully without computers, these examples are an integral part of the book and should be studied, if at all possible. Not only do they contain numerical examples of how to do certain computations, but they also demonstrate important ideas and issues that arise. They were placed at the end of the book because of the logistic and aesthetic problems of including extensive computer examples in these languages at the ends of chapters.

Additionally, programs available in Mathematica, Maple, and MATLAB can be downloaded from the Web site (bit.ly/2JbcS6p). Homework problems (the computer problems in various chapters) based on the software allow students to play with examples individually. Of course, students having more programming background could write their own programs instead. In a classroom, all that is needed is a computer (with one of the languages installed) and a projector in order to produce meaningful examples as the lecture is being given.

New to the Third Edition. Two major changes have informed this edition: changes to the field of cryptography and a change in the format of the text. We address these issues separately, although there is an interplay between the two:

Content Changes. Cryptography is a quickly changing field. We have made many changes to the text since the last edition:

• Reorganized content previously in two chapters to four separate chapters on Stream Ciphers (including RC4), Block Ciphers, DES and AES (Chapters 5–8, respectively). The RC4 material, in particular, is new.
• Heavily revised the chapters on hash functions. Chapter 11 (Hash Functions) now includes sections on SHA-2 and SHA-3. Chapter 12 (Hash Functions: Attacks and Applications) now includes material on message authentication codes, password protocols, and blockchains.
• The short section on the one-time pad has been expanded to become Chapter 4, which includes sections on multiple use of the one-time pad, perfect secrecy, and ciphertext indistinguishability.
• Added Chapter 14, “What Can Go Wrong,” which shows what can happen when cryptographic algorithms are used or designed incorrectly.
• Expanded Chapter 16 on digital cash to include Bitcoin and cryptocurrencies.
• Added Chapter 22, which gives an introduction to Pairing-Based Cryptography.
• Updated the exposition throughout the book to reflect recent developments.
• Added references to the Maple, Mathematica, MATLAB, and Sage appendices in relevant locations in the text.
• Added many new exercises.
• Added a section at the back of the book that contains answers or hints to a majority of the odd-numbered problems.
Format Changes. A focus of this revision was transforming the text from a print-based learning tool to a digital learning tool. The eText is therefore filled with content and tools that will help bring the content of the course to life for students in new ways and help improve instruction. Specifically, the following are features that are available only in the eText:

• Interactive Examples. We have added a number of opportunities for students to interact with content in a dynamic manner in order to build or enhance understanding. Interactive examples allow students to explore concepts in ways that are not possible without technology.
• Quick Questions. These questions, built into the narrative, provide opportunities for students to check and clarify understanding. Some help address potential misconceptions.
• Notes, Labels, and Highlights. Notes can be added to the eText by instructors. These notes are visible to all students in the course, allowing instructors to add their personal observations or directions to important topics, call out need-to-know information, or clarify difficult concepts. Students can add their own notes, labels, and highlights to the eText, helping them focus on what they need to study. The customizable Notebook allows students to filter, arrange, and group their notes in a way that makes sense to them.
• Dashboard. Instructors can create reading assignments and see the time spent in the eText so that they can plan more effective instruction.
• Portability. Portable access lets students read their eText whenever they have a moment in their day, on Android and iOS mobile phones and tablets. Even without an Internet connection, offline reading ensures students never miss a chance to learn.
• Ease-of-Use. Straightforward setup makes it easy for instructors to get their class up and reading quickly on the first day of class. In addition, Learning Management System (LMS) integration provides institutions, instructors, and students with single sign-on access to the eText via many popular LMSs.
• Supplements. An Instructors’ Solutions Manual can be downloaded by qualified instructors from the textbook’s webpage at www.pearson.com.

Acknowledgments. Many people helped and provided encouragement during the preparation of this book. First, we would like to thank our students, whose enthusiasm, insights, and suggestions contributed greatly. We are especially grateful to many people who have provided corrections and other input, especially Bill Gasarch, Jeff Adams, Jonathan Rosenberg, and Tim Strobell. We would like to thank Wenyuan Xu, Qing Li, and Pandurang Kamat, who drew several of the diagrams and provided feedback on the new material for the second edition. We have enjoyed working with the staff at Pearson, especially Jeff Weidenaar and Tara Corpuz.

The reviewers deserve special thanks: their suggestions on the exposition and the organization of the topics greatly enhanced the final result. The reviewers marked with an asterisk (*) provided input for this edition.

* Anurag Agarwal, Rochester Institute of Technology
* Pradeep Atrey, University at Albany
Eric Bach, University of Wisconsin
James W. Brewer, Florida Atlantic University
Thomas P. Cahill, NYU
Agnes Chan, Northeastern University
* Nathan Chenette, Rose-Hulman Institute of Technology
* Claude Crépeau, McGill University
* Reza Curtmola, New Jersey Institute of Technology
* Ahmed Desoky, University of Louisville
Anthony Ephremides, University of Maryland, College Park
* David J. Fawcett, Lawrence Tech University
* Jason Gibson, Eastern Kentucky University
* K. Gopalakrishnan, East Carolina University
David Grant, University of Colorado, Boulder
Jugal K. Kalita, University of Colorado, Colorado Springs
* Saroja Kanchi, Kettering University
* Andrew Klapper, University of Kentucky
* Amanda Knecht, Villanova University
Edmund Lamagna, University of Rhode Island
* Aihua Li, Montclair State University
* Spyros S. Magliveras, Florida Atlantic University
* Nathan McNew, Towson University
* Nick Novotny, IUPUI
David M. Pozar, University of Massachusetts, Amherst
* Emma Previato, Boston University
* Hamzeh Roumani, York University
* Bonnie Saunders, University of Illinois, Chicago
* Ravi Shankar, University of Oklahoma
* Ernie Stitzinger, North Carolina State
* Armin Straub, University of South Alabama
J. Felipe Voloch, University of Texas, Austin
Daniel F. Warren, Naval Postgraduate School
* Simon Whitehouse, Alfred State College
Siman Wong, University of Massachusetts, Amherst
* Huapeng Wu, University of Windsor
Wade thanks Nisha Gilra, who provided encouragement and advice;
Sheilagh O’Hare for introducing him to the field of cryptography; and K. J.
Ray Liu for his support. Larry thanks Susan Zengerle and Patrick Washing-
ton for their patience, help, and encouragement during the writing of this
book.
Of course, we welcome suggestions and corrections. An errata page can
be found at (bit.ly/2J8nN0w) or at the link on the book’s general Web site
(bit.ly/2T544yu).

Wade Trappe [email protected]
Lawrence C. Washington [email protected]
Chapter 1
Overview of Cryptography and Its Applications

People have always had a fascination with keeping information away from
others. As children, many of us had magic decoder rings for exchanging
coded messages with our friends and possibly keeping secrets from parents,
siblings, or teachers. History is filled with examples where people tried to
keep information secret from adversaries. Kings and generals communicated
with their troops using basic cryptographic methods to prevent the enemy
from learning sensitive military information. In fact, Julius Caesar report-
edly used a simple cipher, which has been named after him.
As society has evolved, the need for more sophisticated methods of pro-
tecting data has increased. Now, with the information era at hand, the need
is more pronounced than ever. As the world becomes more connected, the
demand for information and electronic services is growing, and with the in-
creased demand comes increased dependency on electronic systems. Already
the exchange of sensitive information, such as credit card numbers, over the
Internet is common practice. Protecting data and electronic systems is cru-
cial to our way of living.
The techniques needed to protect data belong to the field of cryptogra-
phy. Actually, the subject has three names, cryptography, cryptology,
and cryptanalysis, which are often used interchangeably. Technically, how-
ever, cryptology is the all-inclusive term for the study of communication over
nonsecure channels, and related problems. The process of designing systems
to do this is called cryptography. Cryptanalysis deals with breaking such
systems. Of course, it is essentially impossible to do either cryptography or
cryptanalysis without having a good understanding of the methods of both
areas.
Often the term coding theory is used to describe cryptography; how-
ever, this can lead to confusion. Coding theory deals with representing
input information symbols by output symbols called code symbols. There
are three basic applications that coding theory covers: compression, secrecy,
and error correction. Over the past few decades, the term coding theory has
become associated predominantly with error correcting codes. Coding theory
thus studies communication over noisy channels and how to ensure that
the message received is the correct message, as opposed to cryptography,
which protects communication over nonsecure channels.
Although error correcting codes are only a secondary focus of this book,
we should emphasize that, in any real-world system, error correcting codes
are used in conjunction with encryption, since the change of a single bit is
enough to destroy the message completely in a well-designed cryptosystem.
Modern cryptography is a field that draws heavily upon mathematics,
computer science, and cleverness. This book provides an introduction to
the mathematics and protocols needed to make data transmission and elec-
tronic systems secure, along with techniques such as electronic signatures
and secret sharing.

1.1 Secure Communications

In the basic communication scenario, depicted in Figure 1.1, there are two
parties, we’ll call them Alice and Bob, who want to communicate with each
other. A third party, Eve, is a potential eavesdropper.
When Alice wants to send a message, called the plaintext, to Bob, she
encrypts it using a method prearranged with Bob. Usually, the encryption
method is assumed to be known to Eve; what keeps the message secret is a
key. When Bob receives the encrypted message, called the ciphertext, he
changes it back to the plaintext using a decryption key.
Eve could have one of the following goals:
1. Read the message.
2. Find the key and thus read all messages encrypted with that key.
3. Corrupt Alice’s message into another message in such a way that Bob
will think Alice sent the altered message.
4. Masquerade as Alice, and thus communicate with Bob even though
Bob believes he is communicating with Alice.

Figure 1.1: The Basic Communication Scenario for Cryptography.
(Diagram: Alice encrypts the plaintext under the encryption key; the
ciphertext passes Eve, who can observe it; Bob decrypts it with the
decryption key.)

Which case we’re in depends on how evil Eve is. Cases (3) and (4) relate
to issues of integrity and authentication, respectively. We’ll discuss these
shortly. A more active and malicious adversary, corresponding to cases (3)
and (4), is sometimes called Mallory in the literature. More passive observers
(as in cases (1) and (2)) are sometimes named Oscar. We’ll generally use
only Eve, and assume she is as bad as the situation allows.

1.1.1 Possible Attacks

There are four main types of attack that Eve might be able to use. The
differences among these types of attacks are the amounts of information Eve
has available to her when trying to determine the key. The four attacks are
as follows:

1. Ciphertext only: Eve has only a copy of the ciphertext.

2. Known plaintext: Eve has a copy of a ciphertext and the corresponding
plaintext. For example, suppose Eve intercepts an encrypted press
release, then sees the decrypted release the next day. If she can de-
duce the decryption key, and if Alice doesn’t change the key, Eve can
read all future messages. Or, if Alice always starts her messages with
“Dear Bob,” then Eve has a small piece of ciphertext and correspond-
ing plaintext. For many weak cryptosystems, this suffices to find the
key. Even for stronger systems such as the German Enigma machine
used in World War II, this amount of information has been useful.

3. Chosen plaintext: Eve gains temporary access to the encryption machine.
She cannot open it to find the key; however, she can encrypt a
large number of suitably chosen plaintexts and try to use the resulting
ciphertexts to deduce the key.

4. Chosen ciphertext: Eve obtains temporary access to the decryption
machine, uses it to “decrypt” several strings of symbols, and tries to
use the results to deduce the key.

A chosen plaintext attack could happen as follows. You want to identify
an airplane as friend or foe. Send a random message to the plane, which en-
crypts the message automatically and sends it back. Only a friendly airplane
is assumed to have the correct key. Compare the message from the plane
with the correctly encrypted message. If they match, the plane is friendly. If
not, it’s the enemy. However, the enemy can send a large number of chosen
messages to one of your planes and look at the resulting ciphertexts. If this
allows them to deduce the key, the enemy can equip their planes so they can
masquerade as friendly.
An example of a known plaintext attack reportedly happened in World
War II in the Sahara Desert. An isolated German outpost every day sent an
identical message saying that there was nothing new to report, but of course
it was encrypted with the key being used that day. So each day the Allies
had a plaintext-ciphertext pair that was extremely useful in determining
the key. In fact, during the Sahara campaign, General Montgomery was
carefully directed around the outpost so that the transmissions would not
be stopped.
One of the most important assumptions in modern cryptography is Ker-
ckhoffs’s principle: In assessing the security of a cryptosystem, one should
always assume the enemy knows the method being used. This principle was
enunciated by Auguste Kerckhoffs in 1883 in his classic treatise La Cryp-
tographie Militaire. The enemy can obtain this information in many ways.
For example, encryption/decryption machines can be captured and ana-
lyzed. Or people can defect or be captured. The security of the system
should therefore be based on the key and not on the obscurity of the algo-
rithm used. Consequently, we always assume that Eve has knowledge of the
algorithm that is used to perform encryption.

1.1.2 Symmetric and Public Key Algorithms

Encryption/decryption methods fall into two categories: symmetric key
and public key. In symmetric key algorithms, the encryption and decryp-
tion keys are known to both Alice and Bob. For example, the encryption key
is shared and the decryption key is easily calculated from it. In many cases,
the encryption key and the decryption key are the same. All of the clas-
sical (pre-1970) cryptosystems are symmetric, as are the more recent Data
Encryption Standard (DES) and Advanced Encryption Standard (AES).
Public key algorithms were introduced in the 1970s and revolutionized
cryptography. Suppose Alice wants to communicate securely with Bob, but
they are hundreds of kilometers apart and have not agreed on a key to use.
It seems almost impossible for them to do this without first getting together
to agree on a key, or using a trusted courier to carry the key from one to the
other. Certainly Alice cannot send a message over open channels to tell Bob
the key, and then send the ciphertext encrypted with this key. The amazing
fact is that this problem has a solution, called public key cryptography. The
encryption key is made public, but it is computationally infeasible to find the
decryption key without information known only to Bob. The most popular
implementation is RSA (see Chapter 9), which is based on the difficulty of
factoring large integers. Other versions (see Chapters 10, 23, and 24) are the
ElGamal system (based on the discrete log problem), NTRU (lattice based)
and the McEliece system (based on error correcting codes).
Here is a nonmathematical way to do public key communication. Bob
sends Alice a box and an unlocked padlock. Alice puts her message in the
box, locks Bob’s lock on it, and sends the box back to Bob. Of course,
only Bob can open the box and read the message. The public key methods
mentioned previously are mathematical realizations of this idea. Clearly
there are questions of authentication that must be dealt with. For example,
Eve could intercept the first transmission and substitute her own lock. If
she then intercepts the locked box when Alice sends it back to Bob, Eve can
unlock her lock and read Alice’s message. This is a general problem that
must be addressed with any such system.
Public key cryptography represents what is possibly the final step in an
interesting historical progression. In the earliest years of cryptography, secu-
rity depended on keeping the encryption method secret. Later, the method
was assumed known, and the security depended on keeping the (symmet-
ric) key private or unknown to adversaries. In public key cryptography, the
method and the encryption key are made public, and everyone knows what
must be done to find the decryption key. The security rests on the fact (or
hope) that this is computationally infeasible. It’s rather paradoxical that an
increase in the power of cryptographic algorithms over the years has corre-
sponded to an increase in the amount of information given to an adversary
about such algorithms.
Public key methods are very powerful, and it might seem that they
make the use of symmetric key cryptography obsolete. However, this added
flexibility is not free and comes at a computational cost. The amount of
computation needed in public key algorithms is typically several orders of
magnitude more than the amount of computation needed in algorithms such
as DES or AES/Rijndael. The rule of thumb is that public key methods
should not be used for encrypting large quantities of data. For this reason,
public key methods are used in applications where only small amounts of
data must be processed (for example, digital signatures and sending keys to
be used in symmetric key algorithms).
Within symmetric key cryptography, there are two types of ciphers:
stream ciphers and block ciphers. In stream ciphers, the data are fed into
the algorithm in small pieces (bits or characters), and the output is produced
in corresponding small pieces. We discuss stream ciphers in Chapter 5. In
block ciphers, however, a block of input bits is collected and fed into the
algorithm all at once, and the output is a block of bits. Mostly we shall be
concerned with block ciphers. In particular, we cover two very significant
examples. The first is DES, and the second is AES, which was selected in
the year 2000 by the National Institute for Standards and Technology as the
replacement for DES. Public key methods such as RSA can also be regarded
as block ciphers.
Finally, we mention a historical distinction between different types of
encryption, namely codes and ciphers. In a code, words or certain letter
combinations are replaced by codewords (which may be strings of symbols).
For example, the British navy in World War I used 03680C, 36276C, and
50302C to represent shipped at, shipped by, and shipped from, respectively.
Codes have the disadvantage that unanticipated words cannot be used. A
cipher, on the other hand, does not use the linguistic structure of the message
but rather encrypts every string of characters, meaningful or not, by some
algorithm. A cipher is therefore more versatile than a code. In the early days
of cryptography, codes were commonly used, sometimes in conjunction with
ciphers. They are still used today; covert operations are often given code
names. However, any secret that is to remain secure needs to be encrypted
with a cipher. In this book, we’ll deal exclusively with ciphers.

1.1.3 Key Length

The security of cryptographic algorithms is a difficult property to measure.
Most algorithms employ keys, and the security of the algorithm is related to
how difficult it is for an adversary to determine the key. The most obvious
approach is to try every possible key and see which ones yield meaningful
decryptions. Such an attack is called a brute force attack. In a brute
force attack, the length of the key is directly related to how long it will take
to search the entire keyspace. For example, if a key is 16 bits long, then
there are 2^16 = 65536 possible keys. The DES algorithm has a 56-bit key
and thus has 2^56 ≈ 7.2 × 10^16 possible keys.
In many situations we’ll encounter in this book, it will seem that a system
can be broken by simply trying all possible keys. However, this is often easier
said than done. Suppose you need to try 10^30 possibilities and you have a
computer that can do 10^9 such calculations each second. There are around
3 × 10^7 seconds in a year, so it would take a little more than 3 × 10^13 years
to complete the task, longer than the predicted life of the universe.
Longer keys are advantageous but are not guaranteed to make an ad-
versary’s task difficult. The algorithm itself also plays a critical role. Some
algorithms might be able to be attacked by means other than brute force,
and some algorithms just don’t make very efficient use of their keys’ bits.
This is a very important point to keep in mind. Not all 128-bit algorithms
are created equal!
For example, one of the easiest cryptosystems to break is the substitution
cipher, which we discuss in Section 2.4. The number of possible keys is
26! ≈ 4 × 10^26. In contrast, DES (see Chapter 7) has only 2^56 ≈ 7.2 × 10^16
keys. But it typically takes over a day on a specially designed computer to
find a DES key. The difference is that an attack on a substitution cipher
uses the underlying structure of the language, while the attack on DES is
by brute force, trying all possible keys.
A brute force attack should be the last resort. A cryptanalyst always
hopes to find an attack that is faster. Examples we’ll meet are frequency
analysis (for the substitution and Vigenère ciphers) and birthday attacks
(for discrete logs).
We also warn the reader that just because an algorithm seems secure
now, we can’t assume that it will remain so. Human ingenuity has led
to creative attacks on cryptographic protocols. There are many examples
in modern cryptography where an algorithm or protocol was successfully
attacked because of a loophole presented by poor implementation, or just
because of advances in technology. The DES algorithm, which withstood
20 years of cryptographic scrutiny, ultimately succumbed to attacks by a
well-designed parallel computer. Even as you read this book, research in
quantum computing is underway, which could dramatically alter the terrain
of future cryptographic algorithms.
For example, the security of several systems we’ll study depends on the
difficulty of factoring large integers, say of around 600 digits. Suppose you
want to factor a number n of this size. The method used in elementary
school is to divide n by all of the primes up to the square root of n. There
are approximately 1.4 × 10^297 primes less than 10^300. Trying each one is
impossible. The number of electrons in the universe is estimated to be less
than 10^90. Long before you finish your calculation, you’ll get a call from the
electric company asking you to stop. Clearly, more sophisticated factoring
algorithms must be used, rather than this brute force type of attack. When
RSA was invented, there were some good factoring algorithms available,
but it was predicted that a 129-digit number such as the RSA challenge
number (see Chapter 9) would not be factored within the foreseeable fu-
ture. However, advances in algorithms and computer architecture have made
such factorizations fairly routine (although they still require substantial
computing resources), so now numbers of several hundred digits are rec-
ommended for security. But if a full-scale quantum computer is ever built,
factorizations of even these numbers will be easy, and the whole RSA scheme
(along with many other methods) will need to be reconsidered.
A natural question, therefore, is whether there are any unbreakable cryp-
tosystems, and, if so, why aren’t they used all the time?
The answer is yes; there is a system, known as the one-time pad, that
is unbreakable. Even a brute force attack will not yield the key. But the
unfortunate truth is that the expense of using a one-time pad is enormous.
It requires exchanging a key that is as long as the plaintext, and even then
the key can only be used once. Therefore, one opts for algorithms that,
when implemented correctly with the appropriate key size, are unbreakable
in any reasonable amount of time.
An important point when considering key size is that, in many cases,
one can mathematically increase security by a slight increase in key size,
but this is not always practical. If you are working with chips that can
handle words of 64 bits, then an increase in the key size from 64 to 65 bits
could mean redesigning your hardware, which could be expensive. Therefore,
designing good cryptosystems involves both mathematical and engineering
considerations.
Finally, we need a few words about the size of numbers. Your intuition
might say that working with a 20-digit number takes twice as long as working
with a 10-digit number. That is true in some algorithms. However, if you
count up to 10^10, you are not even close to 10^20; you are only one 10 billionth
of the way there. Similarly, a brute force attack against a 60-bit key takes
a billion times longer than one against a 30-bit key.
There are two ways to measure the size of numbers: the actual magnitude
of the number n, and the number of digits in its decimal representation (we
could also use its binary representation), which is approximately log_10(n).
The number of single-digit multiplications needed to square a k-digit number
n, using the standard algorithm from elementary school, is k^2, or approx-
imately (log_10 n)^2. The number of divisions needed to factor a number n
by dividing by all primes up to the square root of n is around n^(1/2). An
algorithm that runs in time a power of log n is much more desirable than
one that runs in time a power of n. In the present example, if we double the
number of digits in n, the time it takes to square n increases by a factor of
4, while the time it takes to factor n increases enormously. Of course, there
are better algorithms available for both of these operations, but, at present,
factorization takes significantly longer than multiplication.
We’ll meet algorithms that take time a power of log n to perform cer-
tain calculations (for example, finding greatest common divisors and doing
modular exponentiation). There are other computations for which the best
known algorithms run only slightly better than a power of n (for example,
factoring and finding discrete logarithms). The interplay between the fast al-
gorithms and the slower ones is the basis of several cryptographic algorithms
that we’ll encounter in this book.

1.2 Cryptographic Applications

Cryptography is not only about encrypting and decrypting messages, it is
also about solving real-world problems that require information security.
There are four main objectives that arise:

1. Confidentiality: Eve should not be able to read Alice’s message to Bob.
The main tools are encryption and decryption algorithms.

2. Data integrity: Bob wants to be sure that Alice’s message has not
been altered. For example, transmission errors might occur. Also,
an adversary might intercept the transmission and alter it before it
reaches the intended recipient. Many cryptographic primitives, such
as hash functions, provide methods to detect data manipulation by
malicious or accidental adversaries.

3. Authentication: Bob wants to be sure that only Alice could have sent
the message he received. Under this heading, we also include iden-
tification schemes and password protocols (in which case, Bob is the
computer). There are actually two types of authentication that arise
in cryptography: entity authentication and data-origin authentication.
Often the term identification is used to specify entity authentication,
which is concerned with proving the identity of the parties involved
in a communication. Data-origin authentication focuses on tying the
information about the origin of the data, such as the creator and time
of creation, with the data.

4. Non-repudiation: Alice cannot claim she did not send the message.
Non-repudiation is particularly important in electronic commerce ap-
plications, where it is important that a consumer cannot deny the
authorization of a purchase.

Authentication and non-repudiation are closely related concepts, but
there is a difference. In a symmetric key cryptosystem, Bob can be sure
that a message comes from Alice (or someone who knows Alice’s key) since
no one else could have encrypted the message that Bob decrypts successfully.
Therefore, authentication is automatic. However, he cannot prove to any-
one else that Alice sent the message, since he could have sent the message
himself. Therefore, non-repudiation is essentially impossible. In a public
key cryptosystem, both authentication and non-repudiation can be achieved
(see Chapters 9, 13, and 15).
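The following short Python program is an added illustration of this contrast and is not part of the book. It uses a message authentication code (HMAC-SHA256 from Python’s standard library) as the symmetric primitive; the shared key and the messages are constructed for the example. Bob accepts Alice’s genuine message and rejects a message Eve altered in transit, which is authentication and data integrity. But Bob, holding the same key, can produce an equally valid tag on a message Alice never sent, so nothing in the symmetric setting lets him prove to a third party that Alice was the author.

```python
import hmac
import hashlib

# Constructed sample key shared by Alice and Bob (not a real secret).
SHARED_KEY = b"constructed-shared-key-for-alice-and-bob"


def make_tag(key, message):
    """Authentication tag over the message; anyone holding key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, tag):
    """Constant-time comparison, so the check does not leak tag bytes via timing."""
    return hmac.compare_digest(make_tag(key, message), tag)


def alice_sends(message):
    return message, make_tag(SHARED_KEY, message)


def bob_checks(message, tag):
    # Authentication: a valid tag can only come from a holder of SHARED_KEY.
    return verify_tag(SHARED_KEY, message, tag)


def eve_tampers(message, tag):
    # Data integrity: Eve has no key, so she can change the amount but must
    # reuse the old tag, which no longer matches the altered message.
    return message.replace(b"100", b"900"), tag


def bob_forges(message):
    # Non-repudiation fails: Bob holds the same key, so he can tag a message
    # Alice never sent, and a judge shown the key, message and tag cannot
    # tell Bob's tag from Alice's.
    return message, make_tag(SHARED_KEY, message)


def demo():
    """Run the three scenarios and report what Bob's check accepts."""
    msg, tag = alice_sends(b"Pay Bob 100")
    tampered_msg, tampered_tag = eve_tampers(msg, tag)
    forged_msg, forged_tag = bob_forges(b"Pay Bob 1000000")
    return {
        "genuine_accepted": bob_checks(msg, tag),
        "tampered_accepted": bob_checks(tampered_msg, tampered_tag),
        "forged_accepted": bob_checks(forged_msg, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Because `forged_accepted` comes out true, the tag establishes only that some holder of the key produced it. Binding a message to one party alone requires a key that only that party holds, which is what a public key signature provides.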
Much of this book will present specific cryptographic applications, both
in the text and as exercises. Here is an overview.
Digital signatures: One of the most important features of a paper
and ink letter is the signature. When a document is signed, an individual’s
identity is tied to the message. The assumption is that it is difficult for
another person to forge the signature onto another document. Electronic
messages, however, are very easy to copy exactly. How do we prevent an
adversary from cutting the signature off one document and attaching it
to another electronic document? We shall study cryptographic protocols
that allow for electronic messages to be signed in such a way that everyone
believes that the signer was the person who signed the document, and such
that the signer cannot deny signing the document.
Identification: When logging into a machine or initiating a communi-
cation link, a user needs to identify herself or himself. But simply typing
in a user name is not sufficient as it does not prove that the user is really
who he or she claims to be. Typically a password is used. We shall touch
upon various methods for identifying oneself. In the chapter on DES we
discuss password files. Later, we present the Feige-Fiat-Shamir identifica-
tion scheme, which is a zero-knowledge method for proving identity without
revealing a password.
Key establishment: When large quantities of data need to be en-
crypted, it is best to use symmetric key encryption algorithms. But how
does Alice give the secret key to Bob when she doesn’t have the opportu-
nity to meet him personally? There are various ways to do this. One way
uses public key cryptography. Another method is the Diffie-Hellman key ex-
change algorithm. A different approach to this problem is to have a trusted
third party give keys to Alice and Bob. Two examples are Blom’s key genera-
tion scheme and Kerberos, which is a very popular symmetric cryptographic
protocol that provides authentication and security in key exchange between
users on a network.
Secret sharing: In Chapter 17, we introduce secret sharing schemes.
Suppose that you have a combination to a bank safe, but you don’t want to
trust any single person with the combination to the safe. Rather, you would
like to divide the combination among a group of people, so that at least two
of these people must be present in order to open the safe. Secret sharing
solves this problem.
Security protocols: How can we carry out secure transactions over
open channels such as the Internet, and how can we protect credit card
information from fraudulent merchants? We discuss various protocols, such
as SSL and SET.
Electronic cash: Credit cards and similar devices are convenient but
do not provide anonymity. Clearly a form of electronic cash could be useful,
at least to some people. However, electronic entities can be copied. We
give an example of an electronic cash system that provides anonymity but
catches counterfeiters, and we discuss cryptocurrencies, especially Bitcoin.
Games: How can you flip coins or play poker with people who are not in
the same room as you? Dealing the cards, for example, presents a problem.
We show how cryptographic ideas can solve these problems.
Chapter 2
Classical Cryptosystems

Methods of making messages unintelligible to adversaries have been important
throughout history. In this chapter we shall cover some of the older
cryptosystems that were primarily used before the advent of the computer.
These cryptosystems are too weak to be of much use today, especially with
computers at our disposal, but they give good illustrations of several of the
important ideas of cryptology.
First, for these simple cryptosystems, we make some conventions.
• plaintext will be written in lowercase letters and CIPHERTEXT will
be written in capital letters (except in the computer problems).
• The letters of the alphabet are assigned numbers as follows:
a b c d e f g h i j k l m n o p
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
q r s t u v w x y z
16 17 18 19 20 21 22 23 24 25
Note that we start with a = 0, so z is letter number 25. Because
many people are accustomed to a being 1 and z being 26, the present
convention can be annoying, but it is standard for the elementary
cryptosystems that we’ll consider.
• Spaces and punctuation are omitted. This is even more annoying,
but it is almost always possible to replace the spaces in the plaintext
after decrypting. If spaces were left in, there would be two choices.
They could be left as spaces; but this yields so much information on
the structure of the message that decryption becomes easier. Or they
could be encrypted; but then they would dominate frequency counts
(unless the message averages at least eight letters per word), again
simplifying decryption.
Note: In this chapter, we’ll be using some concepts from number theory,
especially modular arithmetic. If you are not familiar with congruences, you
should read the first three sections of Chapter 3 before proceeding.

2.1 Shift Ciphers

One of the earliest cryptosystems is often attributed to Julius Caesar. Sup-
pose he wanted to send a plaintext such as
gaul is divided into three parts
but he didn’t want Brutus to read it. He shifted each letter backwards by
three places, so d became A, e became B, f became C, etc. The beginning of
the alphabet wrapped around to the end, so a became X, b became Y, and
c became Z. The ciphertext was then
DXRIFPAFSFABAFKQLQEOBBMXOQP.
Decryption was accomplished by shifting FORWARD by three spaces (and
trying to figure out how to put the spaces back in).
We now give the general situation. If you are not familiar with modular
arithmetic, read the first few pages of Chapter 3 before continuing.
Label the letters as integers from 0 to 25. The key is an integer κ with
0 ≤ κ ≤ 25. The encryption process is
x ↦ x + κ (mod 26).
Decryption is x ↦ x − κ (mod 26). For example, Caesar used κ = 23 ≡ −3.
Let’s see how the four types of attack work.
1. Ciphertext only: Eve has only the ciphertext. Her best strategy is an
exhaustive search, since there are only 26 possible keys. See Example
1 in the Computer Appendices. If the message is longer than a few
letters (we will make this more precise later when we discuss entropy),
it is unlikely that there is more than one meaningful message that could
be the plaintext. If you don’t believe this, try to find some words of
four or more letters that are shifts of each other. Three such words
are given in Exercises 1 and 2. Another possible attack, if the message
is sufficiently long, is to do a frequency count for the various letters.
The letter e occurs most frequently in most English texts. Suppose
the letter L appears most frequently in the ciphertext. Since e = 4 and
L = 11, a reasonable guess is that κ = 11 − 4 = 7. However, for shift
ciphers this method takes much longer than an exhaustive search, plus
it requires many more letters in the message in order for it to work
(anything short, such as this, might not contain a common symbol,
thus changing statistical counts).
2. Known plaintext: If you know just one letter of the plaintext along
with the corresponding letter of ciphertext, you can deduce the key.
For example, if you know t(= 19) encrypts to D(= 3), then the key is
κ ≡ 3 − 19 ≡ −16 ≡ 10 (mod 26).
3. Chosen plaintext: Choose the letter a as the plaintext. The ciphertext
gives the key. For example, if the ciphertext is H, then the key is 7.
4. Chosen ciphertext: Choose the letter A as ciphertext. The plaintext
is the negative of the key. For example, if the plaintext is h, the key
is −7 ≡ 19 (mod 26).
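The shift cipher and the four attacks just listed, as an added Python example (not code from the book or its Computer Appendices). The e-heavy sentence used to demonstrate the frequency count is constructed for the example.

```python
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def to_nums(text):
    """Map letters to 0..25; spaces and punctuation are dropped, as Caesar did."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def shift_encrypt(plaintext, kappa):
    """x -> x + kappa (mod 26); ciphertext is conventionally written in upper case."""
    return "".join(ALPHABET[(x + kappa) % 26] for x in to_nums(plaintext)).upper()

def shift_decrypt(ciphertext, kappa):
    """x -> x - kappa (mod 26); plaintext is written in lower case."""
    return "".join(ALPHABET[(y - kappa) % 26] for y in to_nums(ciphertext))

def exhaustive_search(ciphertext):
    """Ciphertext-only attack 1: all 26 candidate plaintexts, keyed by kappa.
    For a message of more than a few letters only one candidate reads as English."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def frequency_guess(ciphertext, common="e"):
    """Ciphertext-only attack 2: assume the most frequent ciphertext letter is the
    image of `common` (e = 4) and solve kappa = most_frequent - 4 (mod 26).
    Unreliable on short texts, exactly as the section warns."""
    most_frequent = Counter(to_nums(ciphertext)).most_common(1)[0][0]
    return (most_frequent - ALPHABET.index(common)) % 26

def known_plaintext_key(p, c):
    """Known-plaintext attack: one letter pair gives kappa = c - p (mod 26).
    Chosen plaintext 'a' and chosen ciphertext 'A' are the special cases p = 0 and c = 0."""
    return (ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26

if __name__ == "__main__":
    # Caesar's key is kappa = 23, i.e. a shift of -3.
    ct = shift_encrypt("gaul is divided into three parts", 23)
    print(ct)                                   # DXRIFPAFSFABAFKQLQEOBBMXOQP
    for k, candidate in exhaustive_search(ct).items():
        print(f"{k:2d} {candidate}")            # only k = 23 reads as English
    # Constructed e-heavy sample: e encrypts to L under kappa = 7, so the guess is 11 - 4 = 7.
    print(frequency_guess(shift_encrypt("we need three keys here", 7)))
    print(known_plaintext_key("t", "D"))        # 3 - 19 = -16 = 10 (mod 26)
```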

2.2 Affine Ciphers


The shift ciphers may be generalized and slightly strengthened as follows.
Choose two integers α and β, with gcd(α, 26) = 1, and consider the function
(called an affine function)

x ↦ αx + β (mod 26).

For example, let α = 9 and β = 2, so we are working with 9x + 2. Take
a plaintext letter such as h(= 7). It is encrypted to 9 · 7 + 2 ≡ 65 ≡ 13
(mod 26), which is the letter N. Using the same function, we obtain

affine ↦ CVVWPM.

How do we decrypt? If we were working with rational numbers rather than
mod 26, we would start with y = 9x + 2 and solve: x = (1/9)(y − 2). But 1/9
needs to be reinterpreted when we work mod 26. Since gcd(9, 26) = 1, there
is a multiplicative inverse for 9 (mod 26) (if this last sentence doesn’t make
sense to you, read Section 3.3 now). In fact, 9 · 3 ≡ 1 (mod 26), so 3 is the
desired inverse and can be used in place of 1/9. We therefore have

x ≡ 3(y − 2) ≡ 3y − 6 ≡ 3y + 20 (mod 26).

Let’s try this. The letter V (= 21) is mapped to 3 · 21 + 20 ≡ 83 ≡ 5 (mod 26),
which is the letter f. Similarly, we see that the ciphertext CVVWPM is
decrypted back to affine. For more examples, see Examples 2 and 3 in the
Computer Appendices.
Suppose we try to use the function 13x + 4 as our encryption function.
We obtain

input ↦ ERRER.

If we alter the input, we obtain

alter ↦ ERRER.
Clearly this function leads to errors. It is impossible to decrypt, since several
plaintexts yield the same ciphertext. In particular, we note that encryption
must be one-to-one, and this fails in the present case.
What goes wrong in this example? If we solve y = 13x + 4, we obtain
x = (1/13)(y − 4). But 1/13 does not exist mod 26 since gcd(13, 26) = 13 ≠ 1.
More generally, it can be shown that αx + β is a one-to-one function mod
26 if and only if gcd(α, 26) = 1. In this case, decryption uses x ≡ α∗y − α∗β
(mod 26), where αα∗ ≡ 1 (mod 26). So decryption is also accomplished by
an affine function.
The key for this encryption method is the pair (α, β). There are 12
possible choices for α with gcd(α, 26) = 1 and there are 26 choices for β
(since we are working mod 26, we only need to consider α and β between 0
and 25). Therefore, there are 12 · 26 = 312 choices for the key.
Let’s look at the possible attacks.
1. Ciphertext only: An exhaustive search through all 312 keys would take
longer than the corresponding search in the case of the shift cipher;
however, it would be very easy to do on a computer. When all possibilities
for the key are tried, a fairly short ciphertext, say around 20
characters, will probably correspond to only one meaningful plaintext,
thus allowing the determination of the key. It would also be possible
to use frequency counts, though this would require much longer texts.

2. Known plaintext: With a little luck, knowing two letters of the plain-
text and the corresponding letters of the ciphertext suffices to find
the key. In any case, the number of possibilities for the key is greatly
reduced and a few more letters should yield the key.
For example, suppose the plaintext starts with if and the corresponding
ciphertext is PQ. In numbers, this means that 8 (= i) maps to 15 (= P )
and 5 maps to 16. Therefore, we have the equations

8α + β ≡ 15 and 5α + β ≡ 16 (mod 26).

Subtracting yields 3α ≡ −1 ≡ 25 (mod 26), which has the unique
solution α = 17. Using the first equation, we find 8 · 17 + β ≡ 15
(mod 26), which yields β = 9.
Suppose instead that the plaintext go corresponds to the ciphertext
TH. We obtain the equations

6α + β ≡ 19 and 14α + β ≡ 7 (mod 26).

Subtracting yields −8α ≡ 12 (mod 26). Since gcd(−8, 26) = 2, this
has two solutions: α = 5, 18. The corresponding values of β are both
15 (this is not a coincidence; it will always happen this way when the
coefficients of α in the equations are even). So we have two candidates
for the key: (5, 15) and (18, 15). However, gcd(18, 26) ≠ 1 so the
second is ruled out. Therefore, the key is (5, 15).
The preceding procedure works unless the gcd we get is 13 (or 26). In
this case, use another letter of the message, if available.
If we know only one letter of plaintext, we still get a relation between
α and β. For example, if we only know that g in plaintext corresponds
to T in ciphertext, then we have 6α + β ≡ 19 (mod 26). There are 12
possibilities for α and each gives one corresponding β. Therefore, an
exhaustive search through the 12 keys should yield the correct key.

3. Chosen plaintext: Choose ab as the plaintext. The first character of
the ciphertext will be α · 0 + β = β, and the second will be α + β.
Therefore, we can find the key.

4. Chosen ciphertext: Choose AB as the ciphertext. This yields the decryption
function of the form x = α₁y + β₁. We could solve for y and
obtain the encryption key. But why bother? We have the decryption
function, which is what we want.
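The affine cipher, its one-to-one check, and the known-plaintext solution of the two congruences worked above, as an added Python example (not code from the book or its Computer Appendices). The function names are the example's own.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
UNITS = [a for a in range(26) if gcd(a, 26) == 1]   # the 12 admissible values of alpha

def to_nums(text):
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def affine_map(text, alpha, beta):
    """Apply x -> alpha*x + beta (mod 26) to every letter, with no key check, so the
    failure of 13x + 4 (input and alter both become ERRER) can be reproduced."""
    return "".join(ALPHABET[(alpha * x + beta) % 26] for x in to_nums(text)).upper()

def is_one_to_one(alpha, beta):
    """Encryption is usable only if the 26 letters have 26 distinct images,
    which happens exactly when gcd(alpha, 26) = 1."""
    return len({(alpha * x + beta) % 26 for x in range(26)}) == 26

def affine_decrypt(ciphertext, alpha, beta):
    """y -> alpha*(y - beta) (mod 26), where alpha* is the inverse of alpha mod 26.
    pow() raises ValueError when no inverse exists (e.g. alpha = 13)."""
    alpha_inv = pow(alpha, -1, 26)
    return "".join(ALPHABET[(alpha_inv * (y - beta)) % 26] for y in to_nums(ciphertext))

def solve_linear(a, b, m=26):
    """All x in 0..m-1 with a*x = b (mod m). There are gcd(a, m) solutions when
    gcd(a, m) divides b, none otherwise; m = 26 is small enough to try them all."""
    return [x for x in range(m) if (a * x - b) % m == 0]

def keys_from_two_pairs(pt, ct):
    """Known plaintext with two letter pairs: alpha*p1 + beta = c1 and alpha*p2 + beta = c2.
    Subtracting eliminates beta; every alpha solution that is a unit mod 26 is kept,
    which discards candidates such as (18, 15) in the go -> TH example."""
    (p1, p2), (c1, c2) = to_nums(pt)[:2], to_nums(ct)[:2]
    keys = []
    for alpha in solve_linear(p1 - p2, c1 - c2):
        if gcd(alpha, 26) == 1:
            keys.append((alpha, (c1 - alpha * p1) % 26))
    return keys

def keys_from_one_pair(p, c):
    """Known plaintext with one letter pair: alpha*p + beta = c fixes beta for each of
    the 12 units alpha, leaving 12 keys to search exhaustively."""
    p, c = to_nums(p)[0], to_nums(c)[0]
    return [(alpha, (c - alpha * p) % 26) for alpha in UNITS]

if __name__ == "__main__":
    print(affine_map("affine", 9, 2), affine_decrypt("CVVWPM", 9, 2))   # CVVWPM affine
    print(affine_map("input", 13, 4), affine_map("alter", 13, 4))       # ERRER ERRER
    print(is_one_to_one(13, 4), is_one_to_one(9, 2))                    # False True
    print(keys_from_two_pairs("if", "PQ"))                              # [(17, 9)]
    print(keys_from_two_pairs("go", "TH"))                              # [(5, 15)]
    print(len(keys_from_one_pair("g", "T")))                            # 12
    # Chosen plaintext ab: the ciphertext letters are beta and alpha + beta.
    b, ab = to_nums(affine_map("ab", 9, 2))
    print((ab - b) % 26, b)                                             # 9 2
```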

2.3 The Vigenère Cipher


A variation of the shift cipher was invented back in the sixteenth century. It
is often attributed to Vigenère, though Vigenère’s encryption methods were
more sophisticated. Well into the twentieth century, this cryptosystem was
thought by many to be secure, though Babbage and Kasiski had shown how
to attack it during the nineteenth century. In the 1920s, Friedman developed
additional methods for breaking this and related ciphers.
The key for the encryption is a vector, chosen as follows. First choose a
key length, for example, 6. Then choose a vector of this size whose entries
are integers from 0 to 25, for example k = (21, 4, 2, 19, 14, 17). Often the
key corresponds to a word that is easily remembered. In our case, the word
is vector. The security of the system depends on the fact that neither the
keyword nor its length is known.
To encrypt the message using the k in our example, we take first the
letter of the plaintext and shift by 21. Then shift the second letter by 4, the
third by 2, and so on. Once we get to the end of the key, we start back at
its first entry, so the seventh letter is shifted by 21, the eighth letter by 4,
etc. Here is a diagram of the encryption process.

(plaintext) h e r e i s h o w i t w o r k s
(key) 21 4 2 19 14 17 21 4 2 19 14 17 21 4 2 19
(ciphertext) C I T X W J C S Y B H N J V M L

A known plaintext attack will succeed if enough characters are known
since the key is simply obtained by subtracting the plaintext from the ciphertext
mod 26. A chosen plaintext attack using the plaintext aaaaa . . . will
yield the key immediately, while a chosen ciphertext attack with AAAAA . . .
yields the negative of the key. But suppose you have only the ciphertext.
It was long thought that the method was secure against a ciphertext-only
attack. However, it is easy to find the key in this case, too.
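The Vigenère encryption diagram above and the known- and chosen-plaintext key recoveries just described, as an added Python example (not code from the book or its Computer Appendices). The consistency check for a wrongly guessed key length is the example's own addition.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def to_nums(text):
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def key_vector(keyword):
    """A memorable keyword becomes the key vector: vector -> [21, 4, 2, 19, 14, 17]."""
    return to_nums(keyword)

def vigenere_encrypt(plaintext, key):
    """Shift the i-th plaintext letter by key[i mod len(key)], wrapping round the key."""
    return "".join(ALPHABET[(x + key[i % len(key)]) % 26]
                   for i, x in enumerate(to_nums(plaintext))).upper()

def vigenere_decrypt(ciphertext, key):
    """Undo the shifts: subtract key[i mod len(key)] from the i-th letter."""
    return "".join(ALPHABET[(y - key[i % len(key)]) % 26]
                   for i, y in enumerate(to_nums(ciphertext)))

def known_plaintext_key(plaintext, ciphertext, key_length):
    """Known-plaintext attack: ciphertext minus plaintext (mod 26), position by position.
    Positions not covered by the known text stay None; a letter that disagrees with an
    earlier recovered entry means the assumed key length is wrong."""
    key = [None] * key_length
    for i, (x, y) in enumerate(zip(to_nums(plaintext), to_nums(ciphertext))):
        k = (y - x) % 26
        if key[i % key_length] not in (None, k):
            raise ValueError(f"inconsistent shift at key position {i % key_length}")
        key[i % key_length] = k
    return key

if __name__ == "__main__":
    key = key_vector("vector")
    ct = vigenere_encrypt("here is how it works", key)
    print(ct)                                                    # CITXWJCSYBHNJVML
    print(vigenere_decrypt(ct, key))                             # hereishowitworks
    print(known_plaintext_key("hereishowitworks", ct, 6))       # [21, 4, 2, 19, 14, 17]
    # Chosen plaintext aaaaaa returns the keyword itself; chosen ciphertext AAAAAA
    # returns the negatives of the key entries.
    print(vigenere_encrypt("aaaaaa", key))                       # VECTOR
    print([(-k) % 26 for k in to_nums(vigenere_decrypt("AAAAAA", key))])  # the key again
```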
The cryptanalysis uses the fact that in most English texts the frequencies
of letters are not equal. For example, e occurs much more frequently than
x. These frequencies have been tabulated in [Beker-Piper] and are provided
in Table 2.1.

letter    a     b     c     d     e     f     g     h     i     j
freq.   .082  .015  .028  .043  .127  .022  .020  .061  .070  .002

letter    k     l     m     n     o     p     q     r     s     t
freq.   .008  .040  .024  .067  .075  .019  .001  .060  .063  .091

letter    u     v     w     x     y     z
freq.   .028  .010  .023  .001  .020  .001

Table 2.1: Frequencies of Letters in English

Of course, variations can occur, though usually it takes a certain amount
of effort to produce them. There is a book Gadsby by Ernest Vincent Wright