Introduction to Cryptography with Coding Theory

3rd Edition Trappe download

https://textbookfull.com/product/introduction-to-cryptography-
with-coding-theory-3rd-edition-trappe/

Download more ebook from https://textbookfull.com

We believe these products will be a great fit for you. Click
the link to download now, or visit ebookmeta.com
to discover even more!

Introduction to Cryptography with Coding Theory. 3rd

Edition Lawrence C. Washington & Wade Trappe.

https://textbookfull.com/product/introduction-to-cryptography-
with-coding-theory-3rd-edition-lawrence-c-washington-wade-trappe/

Information Theory Coding And Cryptography 3rd Edition

Ranjan Bose

https://textbookfull.com/product/information-theory-coding-and-
cryptography-3rd-edition-ranjan-bose/

An Introduction to Number Theory with Cryptography,

Second Edition Kraft

https://textbookfull.com/product/an-introduction-to-number-
theory-with-cryptography-second-edition-kraft/

An Introduction to Number Theory with Cryptography 2nd

Edition James Kraft

https://textbookfull.com/product/an-introduction-to-number-
theory-with-cryptography-2nd-edition-james-kraft/
Introduction to Modern Cryptography 3rd Edition
Jonathan Katz

https://textbookfull.com/product/introduction-to-modern-
cryptography-3rd-edition-jonathan-katz/

Discrete Mathematics Graph Algorithms Algebraic

Structures Coding Theory and Cryptography 1st Edition
Sriraman Sridharan

https://textbookfull.com/product/discrete-mathematics-graph-
algorithms-algebraic-structures-coding-theory-and-
cryptography-1st-edition-sriraman-sridharan/

Introduction to Analytic and Probabilistic Number

Theory 3rd Edition Gerald Tenenbaum

https://textbookfull.com/product/introduction-to-analytic-and-
probabilistic-number-theory-3rd-edition-gerald-tenenbaum/

An Introduction to the Mathematical Theory of Inverse

Problems 3rd Edition Andreas Kirsch

https://textbookfull.com/product/an-introduction-to-the-
mathematical-theory-of-inverse-problems-3rd-edition-andreas-
kirsch/

An Introduction to Symbolic Dynamics and Coding 2nd

Edition Douglas Lind

https://textbookfull.com/product/an-introduction-to-symbolic-
dynamics-and-coding-2nd-edition-douglas-lind/
 INTRODUCTION TO
CRYPTOGRAPHY
with Coding Theory
3rd edition

Wade Trappe
Wireless Information Network Laboratory
and the Electrical and Computer Engineering Department
Rutgers University

Lawrence C. Washington
Department of Mathematics
University of Maryland
Portfolio Manager: Chelsea Kharakozoua
Content Manager: Jeff Weidenaar
Content Associate: Jonathan Krebs
Content Producer: Tara Corpuz
Managing Producer: Scott Disanno
Producer: Jean Choe
Manager, Courseware QA: Mary Durnwald
Product Marketing Manager: Stacey Sveum
Product and Solution Specialist: Rosemary Morten
Senior Author Support/Technology Specialist: Joe Vetere
Manager, Rights and Permissions: Gina Cheselka
Text and Cover Design, Production Coordination, Composition, and Illustrations:
Integra Software Services Pvt. Ltd
Manufacturing Buyer: Carol Melville, LSC Communications
Cover Image: Photographer is my life/Getty Images

Copyright c 2020, 2006, 2002 by Pearson Education, Inc. 221 River Street, Hoboken, NJ
07030. All Rights Reserved. Printed in the United States of America. This publication is protected
by copyright, and permission should be obtained from the publisher prior to any prohibited
reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise. For information regarding permissions, request
forms and the appropriate contacts within the Pearson Education Global Rights & Permissions
department, please visit www.pearsoned.com/permissions/.

Text Credit: Page 23 Declaration of Independence: A Transcription, The U.S. National Archives and
Records Administration.

PEARSON, ALWAYS LEARNING, and MYLAB are exclusive trademarks owned by Pearson
Education, Inc. or its affiliates in the U.S. and/or other countries.

Unless otherwise indicated herein, any third-party trademarks that may appear in this work are the
property of their respective owners and any references to third-party trademarks, logos or other trade
dress are for demonstrative or descriptive purposes only. Such references are not intended to imply any
sponsorship, endorsement, authorization, or promotion of Pearson’s products by the owners of such
marks, or any relationship between the owner and Pearson Education, Inc. or its affiliates, authors,
licensees or distributors.

Library of Congress Cataloging-in-Publication Data

Names: Trappe, Wade, author. | Washington, Lawrence C., author.

Title: Introduction to cryptography : with coding theory / Wade Trappe,
Lawrence Washington.
Description: 3rd edition. | [Hoboken, New Jersey] : [Pearson Education],
[2020] | Includes bibliographical references and index. | Summary: “This
book is based on a course in cryptography at the upper-level
undergraduate and beginning graduate level that has been given at the
University of Maryland since 1997, and a course that has been taught at
Rutgers University since 2003”— Provided by publisher.
Identifiers: LCCN 2019029691 | ISBN 9780134860992 (paperback)
Subjects: LCSH: Coding theory. | Cryptography.
Classification: LCC QA268.T73 2020 | DDC 005.8/24—dc23
LC record available at https://lccn.loc.gov/2019029691

ScoutAutomatedPrintCode

Rental
ISBN-10: 0-13-673154-6
ISBN-13: 978-0-13-673154-2

Print Offer
ISBN-10: 0-13-486099-3
ISBN-13: 978-0-13-486099-2
Contents

Preface ix

1 Overview of Cryptography and Its Applications 1

1.1 Secure Communications . . . . . . . . . . . . . . . . . . . . . 2
1.2 Cryptographic Applications . . . . . . . . . . . . . . . . . . . 8

2 Classical Cryptosystems 10
2.1 Shift Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Affine Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 The Vigenère Cipher . . . . . . . . . . . . . . . . . . . . . . 14
2.4 Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 Sherlock Holmes . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.6 The Playfair and ADFGX Ciphers . . . . . . . . . . . . . . . 26
2.7 Enigma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 37

3 Basic Number Theory 40

3.1 Basic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2 The Extended Euclidean Algorithm . . . . . . . . . . . . . . 44
3.3 Congruences . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4 The Chinese Remainder Theorem . . . . . . . . . . . . . . . 52
3.5 Modular Exponentiation . . . . . . . . . . . . . . . . . . . . 54
3.6 Fermat’s Theorem and Euler’s Theorem . . . . . . . . . . . . 55
3.7 Primitive Roots . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.8 Inverting Matrices Mod n . . . . . . . . . . . . . . . . . . . . 61
3.9 Square Roots Mod n . . . . . . . . . . . . . . . . . . . . . . 62
3.10 Legendre and Jacobi Symbols . . . . . . . . . . . . . . . . . 64
3.11 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.12 Continued Fractions . . . . . . . . . . . . . . . . . . . . . . . 76
3.13 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.14 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 86

4 The One-Time Pad 88

4.1 Binary Numbers and ASCII . . . . . . . . . . . . . . . . . . 88
4.2 One-Time Pads . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.3 Multiple Use of a One-Time Pad . . . . . . . . . . . . . . . . 91
4.4 Perfect Secrecy of the One-Time Pad . . . . . . . . . . . . . 94
4.5 Indistinguishability and Security . . . . . . . . . . . . . . . . 97
4.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

iii
iv Contents

5 Stream Ciphers 104

5.1 Pseudorandom Bit Generation . . . . . . . . . . . . . . . . . 105
5.2 LFSR Sequences . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.3 RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.5 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 117
6 Block Ciphers 118
6.1 Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.2 Hill Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.3 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . 122
6.4 Multiple Encryption . . . . . . . . . . . . . . . . . . . . . . . 129
6.5 Meet-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . 130
6.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 135
7 The Data Encryption Standard 136
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
7.2 A Simplified DES-Type Algorithm . . . . . . . . . . . . . . . 137
7.3 Differential Cryptanalysis . . . . . . . . . . . . . . . . . . . . 140
7.4 DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
7.5 Breaking DES . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.6 Password Security . . . . . . . . . . . . . . . . . . . . . . . . 155
7.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.8 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 159
8 The Advanced Encryption Standard: Rijndael 160
8.1 The Basic Algorithm . . . . . . . . . . . . . . . . . . . . . . 160
8.2 The Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
8.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
8.4 Design Considerations . . . . . . . . . . . . . . . . . . . . . . 168
8.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
9 The RSA Algorithm 171
9.1 The RSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . 171
9.2 Attacks on RSA . . . . . . . . . . . . . . . . . . . . . . . . . 177
9.3 Primality Testing . . . . . . . . . . . . . . . . . . . . . . . . 183
9.4 Factoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
9.5 The RSA Challenge . . . . . . . . . . . . . . . . . . . . . . . 192
9.6 An Application to Treaty Verification . . . . . . . . . . . . . 194
9.7 The Public Key Concept . . . . . . . . . . . . . . . . . . . . 195
9.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
9.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . 207
10 Discrete Logarithms 211
10.1 Discrete Logarithms . . . . . . . . . . . . . . . . . . . . . . . 211
10.2 Computing Discrete Logs . . . . . . . . . . . . . . . . . . . . 212
10.3 Bit Commitment . . . . . . . . . . . . . . . . . . . . . . . . . 218
10.4 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . 219
10.5 The ElGamal Public Key Cryptosystem . . . . . . . . . . . . 221
10.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Contents v

10.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 225

11 Hash Functions 226

11.1 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 226
11.2 Simple Hash Examples . . . . . . . . . . . . . . . . . . . . . 230
11.3 The Merkle-Damgård Construction . . . . . . . . . . . . . . 231
11.4 SHA-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
11.5 SHA-3/Keccak . . . . . . . . . . . . . . . . . . . . . . . . . . 237
11.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

12 Hash Functions: Attacks and Applications 246

12.1 Birthday Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 246
12.2 Multicollisions . . . . . . . . . . . . . . . . . . . . . . . . . . 249
12.3 The Random Oracle Model . . . . . . . . . . . . . . . . . . . 251
12.4 Using Hash Functions to Encrypt . . . . . . . . . . . . . . . 253
12.5 Message Authentication Codes . . . . . . . . . . . . . . . . . 255
12.6 Password Protocols . . . . . . . . . . . . . . . . . . . . . . . 256
12.7 Blockchains . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
12.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
12.9 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 268

13 Digital Signatures 269

13.1 RSA Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 270
13.2 The ElGamal Signature Scheme . . . . . . . . . . . . . . . . 271
13.3 Hashing and Signing . . . . . . . . . . . . . . . . . . . . . . . 273
13.4 Birthday Attacks on Signatures . . . . . . . . . . . . . . . . 274
13.5 The Digital Signature Algorithm . . . . . . . . . . . . . . . . 275
13.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
13.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 281

14 What Can Go Wrong 282

14.1 An Enigma “Feature” . . . . . . . . . . . . . . . . . . . . . . 282
14.2 Choosing Primes for RSA . . . . . . . . . . . . . . . . . . . . 283
14.3 WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
14.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

15 Security Protocols 290

15.1 Intruders-in-the-Middle and Impostors . . . . . . . . . . . . . 290
15.2 Key Distribution . . . . . . . . . . . . . . . . . . . . . . . . . 293
15.3 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
15.4 Public Key Infrastructures (PKI) . . . . . . . . . . . . . . . 303
15.5 X.509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . 304
15.6 Pretty Good Privacy . . . . . . . . . . . . . . . . . . . . . . 309
15.7 SSL and TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
15.8 Secure Electronic Transaction . . . . . . . . . . . . . . . . . 314
15.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
vi Contents

16 Digital Cash 318

16.1 Setting the Stage for Digital Economies . . . . . . . . . . . . 319
16.2 A Digital Cash System . . . . . . . . . . . . . . . . . . . . . 320
16.3 Bitcoin Overview . . . . . . . . . . . . . . . . . . . . . . . . 326
16.4 Cryptocurrencies . . . . . . . . . . . . . . . . . . . . . . . . . 329
16.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

17 Secret Sharing Schemes 340

17.1 Secret Splitting . . . . . . . . . . . . . . . . . . . . . . . . . . 340
17.2 Threshold Schemes . . . . . . . . . . . . . . . . . . . . . . . 341
17.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
17.4 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 348

18 Games 349
18.1 Flipping Coins over the Telephone . . . . . . . . . . . . . . . 349
18.2 Poker over the Telephone . . . . . . . . . . . . . . . . . . . . 351
18.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

19 Zero-Knowledge Techniques 357

19.1 The Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . 357
19.2 The Feige-Fiat-Shamir Identification Scheme . . . . . . . . . . 359
19.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

20 Information Theory 365

20.1 Probability Review . . . . . . . . . . . . . . . . . . . . . . . 365
20.2 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
20.3 Huffman Codes . . . . . . . . . . . . . . . . . . . . . . . . . . 371
20.4 Perfect Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . 373
20.5 The Entropy of English . . . . . . . . . . . . . . . . . . . . . 376
20.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

21 Elliptic Curves 384

21.1 The Addition Law . . . . . . . . . . . . . . . . . . . . . . . . 384
21.2 Elliptic Curves Mod p . . . . . . . . . . . . . . . . . . . . . . 389
21.3 Factoring with Elliptic Curves . . . . . . . . . . . . . . . . . 393
21.4 Elliptic Curves in Characteristic 2 . . . . . . . . . . . . . . . 396
21.5 Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . 399
21.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
21.7 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 407

22 Pairing-Based Cryptography 409

22.1 Bilinear Pairings . . . . . . . . . . . . . . . . . . . . . . . . . 409
22.2 The MOV Attack . . . . . . . . . . . . . . . . . . . . . . . . 410
22.3 Tripartite Diffie-Hellman . . . . . . . . . . . . . . . . . . . . 411
22.4 Identity-Based Encryption . . . . . . . . . . . . . . . . . . . 412
22.5 Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.6 Keyword Search . . . . . . . . . . . . . . . . . . . . . . . . . 417
22.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Contents vii

23 Lattice Methods 421

23.1 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
23.2 Lattice Reduction . . . . . . . . . . . . . . . . . . . . . . . . 422
23.3 An Attack on RSA . . . . . . . . . . . . . . . . . . . . . . . 426
23.4 NTRU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
23.5 Another Lattice-Based Cryptosystem . . . . . . . . . . . . . 433
23.6 Post-Quantum Cryptography? . . . . . . . . . . . . . . . . . 435
23.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
24 Error Correcting Codes 437
24.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
24.2 Error Correcting Codes . . . . . . . . . . . . . . . . . . . . . 442
24.3 Bounds on General Codes . . . . . . . . . . . . . . . . . . . . 446
24.4 Linear Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
24.5 Hamming Codes . . . . . . . . . . . . . . . . . . . . . . . . . 457
24.6 Golay Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
24.7 Cyclic Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
24.8 BCH Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
24.9 Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . 479
24.10 The McEliece Cryptosystem . . . . . . . . . . . . . . . . . . 480
24.11 Other Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
24.12 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
24.13 Computer Problems . . . . . . . . . . . . . . . . . . . . . . . 487
25 Quantum Techniques in Cryptography 488
25.1 A Quantum Experiment . . . . . . . . . . . . . . . . . . . . . 488
25.2 Quantum Key Distribution . . . . . . . . . . . . . . . . . . . 491
25.3 Shor’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 493
25.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
A Mathematica Examples 503
A.1 Getting Started with Mathematica . . . . . . . . . . . . . . . 503
A.2 Some Commands . . . . . . . . . . . . . . . . . . . . . . . . 504
A.3 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 505
A.4 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 508
A.5 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 511
A.6 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 513
A.7 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 514
A.8 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 520
A.9 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 521
A.10 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 521
A.11 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 522
A.12 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 523
B Maple Examples 527
B.1 Getting Started with Maple . . . . . . . . . . . . . . . . . . . 527
B.2 Some Commands . . . . . . . . . . . . . . . . . . . . . . . . 528
B.3 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 529
B.4 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 533
B.5 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 536
viii Contents

B.6 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 538

B.7 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 539
B.8 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 546
B.9 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 547
B.10 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 548
B.11 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 549
B.12 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 551
C MATLAB Examples 555
C.1 Getting Started with MATLAB . . . . . . . . . . . . . . . . 556
C.2 Examples for Chapter 2 . . . . . . . . . . . . . . . . . . . . . 560
C.3 Examples for Chapter 3 . . . . . . . . . . . . . . . . . . . . . 566
C.4 Examples for Chapter 5 . . . . . . . . . . . . . . . . . . . . . 569
C.5 Examples for Chapter 6 . . . . . . . . . . . . . . . . . . . . . 571
C.6 Examples for Chapter 9 . . . . . . . . . . . . . . . . . . . . . 573
C.7 Examples for Chapter 10 . . . . . . . . . . . . . . . . . . . . 581
C.8 Examples for Chapter 12 . . . . . . . . . . . . . . . . . . . . 581
C.9 Examples for Chapter 17 . . . . . . . . . . . . . . . . . . . . 582
C.10 Examples for Chapter 18 . . . . . . . . . . . . . . . . . . . . 582
C.11 Examples for Chapter 21 . . . . . . . . . . . . . . . . . . . . 585
D Sage Examples 591
D.1 Computations for Chapter 2 . . . . . . . . . . . . . . . . . . 591
D.2 Computations for Chapter 3 . . . . . . . . . . . . . . . . . . 594
D.3 Computations for Chapter 5 . . . . . . . . . . . . . . . . . . 595
D.4 Computations for Chapter 6 . . . . . . . . . . . . . . . . . . 596
D.5 Computations for Chapter 9 . . . . . . . . . . . . . . . . . . 596
D.6 Computations for Chapter 10 . . . . . . . . . . . . . . . . . . 597
D.7 Computations for Chapter 12 . . . . . . . . . . . . . . . . . . 598
D.8 Computations for Chapter 17 . . . . . . . . . . . . . . . . . . 598
D.9 Computations for Chapter 18 . . . . . . . . . . . . . . . . . . 598
D.10 Computations for Chapter 21 . . . . . . . . . . . . . . . . . . 599
E Answers and Hints for Selected Odd-Numbered Exercises 601
F Suggestions for Further Reading 607
Bibliography 608
Index 615
Preface

This book is based on a course in cryptography at the upper-level under-

graduate and beginning graduate level that has been given at the University
of Maryland since 1997, and a course that has been taught at Rutgers Uni-
versity since 2003. When designing the courses, we decided on the following
requirements:
• The courses should be up-to-date and cover a broad selection of topics
from a mathematical point of view.
• The material should be accessible to mathematically mature students
having little background in number theory and computer program-
ming.
• There should be examples involving numbers large enough to demon-
strate how the algorithms really work.
We wanted to avoid concentrating solely on RSA and discrete logarithms,
which would have made the courses mostly about number theory. We also
did not want to focus on protocols and how to hack into friends’ computers.
That would have made the courses less mathematical than desired.
There are numerous topics in cryptology that can be discussed in an
introductory course. We have tried to include many of them. The chapters
represent, for the most part, topics that were covered during the different
semesters we taught the course. There is certainly more material here than
could be treated in most one-semester courses. The first thirteen chapters
represent the core of the material. The choice of which of the remaining
chapters are used depends on the level of the students and the objectives of
the lecturer.
The chapters are numbered, thus giving them an ordering. However,
except for Chapter 3 on number theory, which pervades the subject, the
chapters are fairly independent of each other and can be covered in almost
any reasonable order. Since students have varied backgrounds in number
theory, we have collected the basic number theory facts together in Chapter
3 for ease of reference; however, we recommend introducing these concepts
gradually throughout the course as they are needed.
The chapters on information theory, elliptic curves, quantum cryptogra-
phy, lattice methods, and error correcting codes are somewhat more mathe-
matical than the others. The chapter on error correcting codes was included,

ix
x Preface

at the suggestion of several reviewers, because courses that include introduc-

tions to both cryptology and coding theory are fairly common.
Computer Examples. Suppose you want to give an example for
RSA. You could choose two one-digit primes and pretend to be working
with fifty-digit primes, or you could use your favorite software package to
do an actual example with large primes. Or perhaps you are working with
shift ciphers and are trying to decrypt a message by trying all 26 shifts of
the ciphertext. This should also be done on a computer.
Additionally, at the end of the book are appendices containing computer
examples written in each of Mathematica , Maple , MATLAB , and Sage
that show how to do such calculations. These languages were chosen because
they are user friendly and do not require prior programming experience.
Although the course has been taught successfully without computers, these
examples are an integral part of the book and should be studied, if at all
possible. Not only do they contain numerical examples of how to do certain
computations but also they demonstrate important ideas and issues that
arise. They were placed at the end of the book because of the logistic
and aesthetic problems of including extensive computer examples in these
languages at the ends of chapters.
Additionally, programs available in Mathematica, Maple, and MATLAB
can be downloaded from the Web site (bit.ly/2JbcS6p). Homework prob-
lems (the computer problems in various chapters) based on the software
allow students to play with examples individually. Of course, students hav-
ing more programming background could write their own programs instead.
In a classroom, all that is needed is a computer (with one of the languages
installed) and a projector in order to produce meaningful examples as the
lecture is being given.
New to the Third Edition. Two major changes have informed this
edition: Changes to the field of cryptography and a change in the format of
the text. We address these issues separately, although there is an interplay
between the two:
Content Changes. Cryptography is a quickly changing field. We have
made many changes to the text since the last edition:

• Reorganized content previously in two chapters to four separate chap-

ters on Stream Ciphers (including RC4), Block Ciphers, DES and AES
(Chapters 5–8, respectively). The RC4 material, in particular, is new.

• Heavily revised the chapters on hash functions. Chapter 11 (Hash

functions) now includes sections on SHA-2 and SHA-3. Chapter 12
(Hash functions: Attacks and Applications) now includes material on
message authentication codes, password protocols, and blockchains.

• The short section on the one-time pad has been expanded to become
Chapter 4, which includes sections on multiple use of the one-time
pad, perfect secrecy, and ciphertext indistinguishability.

• Added Chapter 14, “What Can Go Wrong,” which shows what can hap-
pen when cryptographic algorithms are used or designed incorrectly.
Preface xi

• Expanded Chapter 16 on digital cash to include Bitcoin and cryptocur-

rencies.
• Added Chapter 22, which gives an introduction to Pairing-Based Cryp-
tography.
• Updated the exposition throughout the book to reflect recent devel-
opments.
• Added references to the Maple, Mathematica, MATLAB, and Sage
appendices in relevant locations in the text.
• Added many new exercises.
• Added a section at the back of the book that contains answers or hints
to a majority of the odd-numbered problems.
Format Changes. A focus of this revision was transforming the text
from a print-based learning tool to a digital learning tool. The eText is
therefore filled with content and tools that will help bring the content of
the course to life for students in new ways and help improve instruction.
Specifically, the following are features that are available only in the eText:
• Interactive Examples. We have added a number of opportunities for
students to interact with content in a dynamic manner in order to
build or enhance understanding. Interactive examples allow students
to explore concepts in ways that are not possible without technology.
• Quick Questions. These questions, built into the narrative, provide
opportunities for students to check and clarify understanding. Some
help address potential misconceptions.
• Notes, Labels, and Highlights. Notes can be added to the eText by
instructors. These notes are visible to all students in the course, al-
lowing instructors to add their personal observations or directions to
important topics, call out need-to-know information, or clarify difficult
concepts. Students can add their own notes, labels, and highlights to
the eText, helping them focus on what they need to study. The cus-
tomizable Notebook allows students to filter, arrange, and group their
notes in a way that makes sense to them.
• Dashboard. Instructors can create reading assignments and see the
time spent in the eText so that they can plan more effective instruction.
• Portability. Portable access lets students read their eText whenever
they have a moment in their day, on Android and iOS mobile phones
and tablets. Even without an Internet connection, offline reading en-
sures students never miss a chance to learn.
• Ease-of-Use. Straightforward setup makes it easy for instructors to
get their class up and reading quickly on the first day of class. In
addition, Learning Management System (LMS) integration provides
institutions, instructors, and students with single sign-on access to the
eText via many popular LMSs.
xii Preface

• Supplements. An Instructors’ Solutions Manual can be downloaded by

qualified instructors from the textbook’s webpage at www.pearson.com.

Acknowledgments. Many people helped and provided encourage-

ment during the preparation of this book. First, we would like to thank our
students, whose enthusiasm, insights, and suggestions contributed greatly.
We are especially grateful to many people who have provided corrections
and other input, especially Bill Gasarch, Jeff Adams, Jonathan Rosenberg,
and Tim Strobell. We would like to thank Wenyuan Xu, Qing Li, and Pan-
durang Kamat, who drew several of the diagrams and provided feedback on
the new material for the second edition. We have enjoyed working with the
staff at Pearson, especially Jeff Weidenaar and Tara Corpuz.
The reviewers deserve special thanks: their suggestions on the exposition
and the organization of the topics greatly enhanced the final result. The
reviewers marked with an asterisk (*) provided input for this edition.
* Anurag Agarwal, Rochester Institute of Technology
* Pradeep Atrey, University at Albany
Eric Bach, University of Wisconsin
James W. Brewer, Florida Atlantic University
Thomas P. Cahill, NYU
Agnes Chan, Northeastern University
* Nathan Chenette, Rose-Hulman Institute of Technology
* Claude Crépeau, McGill University
* Reza Curtmola, New Jersey Institute of Technology
* Ahmed Desoky, University of Louisville
Anthony Ephremides, University of Maryland, College Park
* David J. Fawcett, Lawrence Tech University
* Jason Gibson, Eastern Kentucky University
* K. Gopalakrishnan, East Carolina University
David Grant, University of Colorado, Boulder
Jugal K. Kalita, University of Colorado, Colorado Springs
* Saroja Kanchi, Kettering University
* Andrew Klapper, University of Kentucky
* Amanda Knecht, Villanova University
Edmund Lamagna, University of Rhode Island
* Aihua Li, Montclair State University
* Spyros S. Magliveras, Florida Atlantic University
* Nathan McNew, Towson University
* Nick Novotny, IUPUI
David M. Pozar, University of Massachusetts, Amherst
* Emma Previato, Boston University
* Hamzeh Roumani, York University
* Bonnie Saunders, University of Illinois, Chicago
* Ravi Shankar, University of Oklahoma
* Ernie Stitzinger, North Carolina State
* Armin Straub, University of South Alabama
J. Felipe Voloch, University of Texas, Austin
Daniel F. Warren, Naval Postgraduate School
* Simon Whitehouse, Alfred State College
Preface xiii

Siman Wong, University of Massachusetts, Amherst

* Huapeng Wu, University of Windsor
Wade thanks Nisha Gilra, who provided encouragement and advice;
Sheilagh O’Hare for introducing him to the field of cryptography; and K. J.
Ray Liu for his support. Larry thanks Susan Zengerle and Patrick Washing-
ton for their patience, help, and encouragement during the writing of this
book.
Of course, we welcome suggestions and corrections. An errata page can
be found at (bit.ly/2J8nN0w) or at the link on the book’s general Web site
(bit.ly/2T544yu).

Wade Trappe [email protected]

Lawrence C. Washington [email protected]
This page is intentionally left blank
Chapter 1
Overview of Cryptography
and Its Applications

People have always had a fascination with keeping information away from
others. As children, many of us had magic decoder rings for exchanging
coded messages with our friends and possibly keeping secrets from parents,
siblings, or teachers. History is filled with examples where people tried to
keep information secret from adversaries. Kings and generals communicated
with their troops using basic cryptographic methods to prevent the enemy
from learning sensitive military information. In fact, Julius Caesar report-
edly used a simple cipher, which has been named after him.
As society has evolved, the need for more sophisticated methods of pro-
tecting data has increased. Now, with the information era at hand, the need
is more pronounced than ever. As the world becomes more connected, the
demand for information and electronic services is growing, and with the in-
creased demand comes increased dependency on electronic systems. Already
the exchange of sensitive information, such as credit card numbers, over the
Internet is common practice. Protecting data and electronic systems is cru-
cial to our way of living.
The techniques needed to protect data belong to the field of cryptogra-
phy. Actually, the subject has three names, cryptography, cryptology,
and cryptanalysis, which are often used interchangeably. Technically, how-
ever, cryptology is the all-inclusive term for the study of communication over
nonsecure channels, and related problems. The process of designing systems
to do this is called cryptography. Cryptanalysis deals with breaking such
systems. Of course, it is essentially impossible to do either cryptography or
cryptanalysis without having a good understanding of the methods of both
areas.
Often the term coding theory is used to describe cryptography; how-
ever, this can lead to confusion. Coding theory deals with representing
input information symbols by output symbols called code symbols. There
are three basic applications that coding theory covers: compression, secrecy,
and error correction. Over the past few decades, the term coding theory has

1
2 Chapter 1. Overview of Cryptography and Its Applications

become associated predominantly with error correcting codes. Coding the-

ory thus studies communication over noisy channels and how to ensure that
the message received is the correct message, as opposed to cryptography,
which protects communication over nonsecure channels.
Although error correcting codes are only a secondary focus of this book,
we should emphasize that, in any real-world system, error correcting codes
are used in conjunction with encryption, since the change of a single bit is
enough to destroy the message completely in a well-designed cryptosystem.
Modern cryptography is a field that draws heavily upon mathematics,
computer science, and cleverness. This book provides an introduction to
the mathematics and protocols needed to make data transmission and elec-
tronic systems secure, along with techniques such as electronic signatures
and secret sharing.

1.1 Secure Communications

In the basic communication scenario, depicted in Figure 1.1, there are two
parties, we’ll call them Alice and Bob, who want to communicate with each
other. A third party, Eve, is a potential eavesdropper.
When Alice wants to send a message, called the plaintext, to Bob, she
encrypts it using a method prearranged with Bob. Usually, the encryption
method is assumed to be known to Eve; what keeps the message secret is a
key. When Bob receives the encrypted message, called the ciphertext, he
changes it back to the plaintext using a decryption key.
Eve could have one of the following goals:
1. Read the message.
2. Find the key and thus read all messages encrypted with that key.
3. Corrupt Alice’s message into another message in such a way that Bob
will think Alice sent the altered message.
4. Masquerade as Alice, and thus communicate with Bob even though
Bob believes he is communicating with Alice.

Encryption Decryption
Key Key

plaintext ciphertext
Alice Encrypt Decrypt Bob

Eve

Figure 1.1: The Basic Communication Scenario for Cryptography.

1.1. Secure Communications 3

Which case we’re in depends on how evil Eve is. Cases (3) and (4) relate
to issues of integrity and authentication, respectively. We’ll discuss these
shortly. A more active and malicious adversary, corresponding to cases (3)
and (4), is sometimes called Mallory in the literature. More passive observers
(as in cases (1) and (2)) are sometimes named Oscar. We’ll generally use
only Eve, and assume she is as bad as the situation allows.

1.1.1 Possible Attacks

There are four main types of attack that Eve might be able to use. The
differences among these types of attacks are the amounts of information Eve
has available to her when trying to determine the key. The four attacks are
as follows:

1. Ciphertext only: Eve has only a copy of the ciphertext.

2. Known plaintext: Eve has a copy of a ciphertext and the correspond-

ing plaintext. For example, suppose Eve intercepts an encrypted press
release, then sees the decrypted release the next day. If she can de-
duce the decryption key, and if Alice doesn’t change the key, Eve can
read all future messages. Or, if Alice always starts her messages with
“Dear Bob,” then Eve has a small piece of ciphertext and correspond-
ing plaintext. For many weak cryptosystems, this suffices to find the
key. Even for stronger systems such as the German Enigma machine
used in World War II, this amount of information has been useful.

3. Chosen plaintext: Eve gains temporary access to the encryption ma-

chine. She cannot open it to find the key; however, she can encrypt a
large number of suitably chosen plaintexts and try to use the resulting
ciphertexts to deduce the key.

4. Chosen ciphertext: Eve obtains temporary access to the decryption

machine, uses it to “decrypt” several strings of symbols, and tries to
use the results to deduce the key.

A chosen plaintext attack could happen as follows. You want to identify

an airplane as friend or foe. Send a random message to the plane, which en-
crypts the message automatically and sends it back. Only a friendly airplane
is assumed to have the correct key. Compare the message from the plane
with the correctly encrypted message. If they match, the plane is friendly. If
not, it’s the enemy. However, the enemy can send a large number of chosen
messages to one of your planes and look at the resulting ciphertexts. If this
allows them to deduce the key, the enemy can equip their planes so they can
masquerade as friendly.
An example of a known plaintext attack reportedly happened in World
War II in the Sahara Desert. An isolated German outpost every day sent an
identical message saying that there was nothing new to report, but of course
it was encrypted with the key being used that day. So each day the Allies
had a plaintext-ciphertext pair that was extremely useful in determining
the key. In fact, during the Sahara campaign, General Montgomery was
4 Chapter 1. Overview of Cryptography and Its Applications

carefully directed around the outpost so that the transmissions would not
be stopped.
One of the most important assumptions in modern cryptography is Ker-
ckhoffs’s principle: In assessing the security of a cryptosystem, one should
always assume the enemy knows the method being used. This principle was
enunciated by Auguste Kerckhoffs in 1883 in his classic treatise La Cryp-
tographie Militaire. The enemy can obtain this information in many ways.
For example, encryption/decryption machines can be captured and ana-
lyzed. Or people can defect or be captured. The security of the system
should therefore be based on the key and not on the obscurity of the algo-
rithm used. Consequently, we always assume that Eve has knowledge of the
algorithm that is used to perform encryption.

1.1.2 Symmetric and Public Key Algorithms

Encryption/decryption methods fall into two categories: symmetric key
and public key. In symmetric key algorithms, the encryption and decryp-
tion keys are known to both Alice and Bob. For example, the encryption key
is shared and the decryption key is easily calculated from it. In many cases,
the encryption key and the decryption key are the same. All of the clas-
sical (pre-1970) cryptosystems are symmetric, as are the more recent Data
Encryption Standard (DES) and Advanced Encryption Standard (AES).
Public key algorithms were introduced in the 1970s and revolutionized
cryptography. Suppose Alice wants to communicate securely with Bob, but
they are hundreds of kilometers apart and have not agreed on a key to use.
It seems almost impossible for them to do this without first getting together
to agree on a key, or using a trusted courier to carry the key from one to the
other. Certainly Alice cannot send a message over open channels to tell Bob
the key, and then send the ciphertext encrypted with this key. The amazing
fact is that this problem has a solution, called public key cryptography. The
encryption key is made public, but it is computationally infeasible to find the
decryption key without information known only to Bob. The most popular
implementation is RSA (see Chapter 9), which is based on the difficulty of
factoring large integers. Other versions (see Chapters 10, 23, and 24) are the
ElGamal system (based on the discrete log problem), NTRU (lattice based)
and the McEliece system (based on error correcting codes).
Here is a nonmathematical way to do public key communication. Bob
sends Alice a box and an unlocked padlock. Alice puts her message in the
box, locks Bob’s lock on it, and sends the box back to Bob. Of course,
only Bob can open the box and read the message. The public key methods
mentioned previously are mathematical realizations of this idea. Clearly
there are questions of authentication that must be dealt with. For example,
Eve could intercept the first transmission and substitute her own lock. If
she then intercepts the locked box when Alice sends it back to Bob, Eve can
unlock her lock and read Alice’s message. This is a general problem that
must be addressed with any such system.
Public key cryptography represents what is possibly the final step in an
interesting historical progression. In the earliest years of cryptography, secu-
rity depended on keeping the encryption method secret. Later, the method
1.1. Secure Communications 5

was assumed known, and the security depended on keeping the (symmet-
ric) key private or unknown to adversaries. In public key cryptography, the
method and the encryption key are made public, and everyone knows what
must be done to find the decryption key. The security rests on the fact (or
hope) that this is computationally infeasible. It’s rather paradoxical that an
increase in the power of cryptographic algorithms over the years has corre-
sponded to an increase in the amount of information given to an adversary
about such algorithms.
Public key methods are very powerful, and it might seem that they
make the use of symmetric key cryptography obsolete. However, this added
flexibility is not free and comes at a computational cost. The amount of
computation needed in public key algorithms is typically several orders of
magnitude more than the amount of computation needed in algorithms such
as DES or AES/Rijndael. The rule of thumb is that public key methods
should not be used for encrypting large quantities of data. For this reason,
public key methods are used in applications where only small amounts of
data must be processed (for example, digital signatures and sending keys to
be used in symmetric key algorithms).
Within symmetric key cryptography, there are two types of ciphers:
stream ciphers and block ciphers. In stream ciphers, the data are fed into
the algorithm in small pieces (bits or characters), and the output is produced
in corresponding small pieces. We discuss stream ciphers in Chapter 5. In
block ciphers, however, a block of input bits is collected and fed into the
algorithm all at once, and the output is a block of bits. Mostly we shall be
concerned with block ciphers. In particular, we cover two very significant
examples. The first is DES, and the second is AES, which was selected in
the year 2000 by the National Institute for Standards and Technology as the
replacement for DES. Public key methods such as RSA can also be regarded
as block ciphers.
Finally, we mention a historical distinction between different types of
encryption, namely codes and ciphers. In a code, words or certain letter
combinations are replaced by codewords (which may be strings of symbols).
For example, the British navy in World War I used 03680C, 36276C, and
50302C to represent shipped at, shipped by, and shipped from, respectively.
Codes have the disadvantage that unanticipated words cannot be used. A
cipher, on the other hand, does not use the linguistic structure of the message
but rather encrypts every string of characters, meaningful or not, by some
algorithm. A cipher is therefore more versatile than a code. In the early days
of cryptography, codes were commonly used, sometimes in conjunction with
ciphers. They are still used today; covert operations are often given code
names. However, any secret that is to remain secure needs to be encrypted
with a cipher. In this book, we’ll deal exclusively with ciphers.

1.1.3 Key Length

The security of cryptographic algorithms is a difficult property to measure.
Most algorithms employ keys, and the security of the algorithm is related to
how difficult it is for an adversary to determine the key. The most obvious
approach is to try every possible key and see which ones yield meaningful
6 Chapter 1. Overview of Cryptography and Its Applications

decryptions. Such an attack is called a brute force attack. In a brute

force attack, the length of the key is directly related to how long it will take
to search the entire keyspace. For example, if a key is 16 bits long, then
there are 216 = 65536 possible keys. The DES algorithm has a 56-bit key
and thus has 256 ≈ 7.2 × 1016 possible keys.
In many situations we’ll encounter in this book, it will seem that a system
can be broken by simply trying all possible keys. However, this is often easier
said than done. Suppose you need to try 1030 possibilities and you have a
computer that can do 109 such calculations each second. There are around
3 × 107 seconds in a year, so it would take a little more than 3 × 1013 years
to complete the task, longer than the predicted life of the universe.
Longer keys are advantageous but are not guaranteed to make an ad-
versary’s task difficult. The algorithm itself also plays a critical role. Some
algorithms might be able to be attacked by means other than brute force,
and some algorithms just don’t make very efficient use of their keys’ bits.
This is a very important point to keep in mind. Not all 128-bit algorithms
are created equal!
For example, one of the easiest cryptosystems to break is the substitution
cipher, which we discuss in Section 2.4. The number of possible keys is
26! ≈ 4 × 1026 . In contrast, DES (see Chapter 7) has only 256 ≈ 7.2 × 1016
keys. But it typically takes over a day on a specially designed computer to
find a DES key. The difference is that an attack on a substitution cipher
uses the underlying structure of the language, while the attack on DES is
by brute force, trying all possible keys.
A brute force attack should be the last resort. A cryptanalyst always
hopes to find an attack that is faster. Examples we’ll meet are frequency
analysis (for the substitution and Vigenère ciphers) and birthday attacks
(for discrete logs).
We also warn the reader that just because an algorithm seems secure
now, we can’t assume that it will remain so. Human ingenuity has led
to creative attacks on cryptographic protocols. There are many examples
in modern cryptography where an algorithm or protocol was successfully
attacked because of a loophole presented by poor implementation, or just
because of advances in technology. The DES algorithm, which withstood
20 years of cryptographic scrutiny, ultimately succumbed to attacks by a
well-designed parallel computer. Even as you read this book, research in
quantum computing is underway, which could dramatically alter the terrain
of future cryptographic algorithms.
For example, the security of several systems we’ll study depends on the
difficulty of factoring large integers, say of around 600 digits. Suppose you
want to factor a number n of this size. The method used in elementary
school is to divide n by all of the primes up to the square root of n. There
are approximately 1.4 × 10297 primes less than 10300 . Trying each one is
impossible. The number of electrons in the universe is estimated to be less
than 1090 . Long before you finish your calculation, you’ll get a call from the
electric company asking you to stop. Clearly, more sophisticated factoring
algorithms must be used, rather than this brute force type of attack. When
RSA was invented, there were some good factoring algorithms available,
but it was predicted that a 129-digit number such as the RSA challenge
1.1. Secure Communications 7

number (see Chapter 9) would not be factored within the foreseeable fu-
ture. However, advances in algorithms and computer architecture have made
such factorizations fairly routine (although they still require substantial
computing resources), so now numbers of several hundred digits are rec-
ommended for security. But if a full-scale quantum computer is ever built,
factorizations of even these numbers will be easy, and the whole RSA scheme
(along with many other methods) will need to be reconsidered.
A natural question, therefore, is whether there are any unbreakable cryp-
tosystems, and, if so, why aren’t they used all the time?
The answer is yes; there is a system, known as the one-time pad, that
is unbreakable. Even a brute force attack will not yield the key. But the
unfortunate truth is that the expense of using a one-time pad is enormous.
It requires exchanging a key that is as long as the plaintext, and even then
the key can only be used once. Therefore, one opts for algorithms that,
when implemented correctly with the appropriate key size, are unbreakable
in any reasonable amount of time.
An important point when considering key size is that, in many cases,
one can mathematically increase security by a slight increase in key size,
but this is not always practical. If you are working with chips that can
handle words of 64 bits, then an increase in the key size from 64 to 65 bits
could mean redesigning your hardware, which could be expensive. Therefore,
designing good cryptosystems involves both mathematical and engineering
considerations.
Finally, we need a few words about the size of numbers. Your intuition
might say that working with a 20-digit number takes twice as long as working
with a 10-digit number. That is true in some algorithms. However, if you
count up to 1010 , you are not even close to 1020 ; you are only one 10 billionth
of the way there. Similarly, a brute force attack against a 60-bit key takes
a billion times longer than one against a 30-bit key.
There are two ways to measure the size of numbers: the actual magnitude
of the number n, and the number of digits in its decimal representation (we
could also use its binary representation), which is approximately log10 (n).
The number of single-digit multiplications needed to square a k-digit number
n, using the standard algorithm from elementary school, is k 2 , or approx-
imately (log10 n)2 . The number of divisions needed to factor a number n
by dividing by all primes up to the square root of n is around n1/2 . An
algorithm that runs in time a power of log n is much more desirable than
one that runs in time a power of n. In the present example, if we double the
number of digits in n, the time it takes to square n increases by a factor of
4, while the time it takes to factor n increases enormously. Of course, there
are better algorithms available for both of these operations, but, at present,
factorization takes significantly longer than multiplication.
We’ll meet algorithms that take time a power of log n to perform cer-
tain calculations (for example, finding greatest common divisors and doing
modular exponentiation). There are other computations for which the best
known algorithms run only slightly better than a power of n (for example,
factoring and finding discrete logarithms). The interplay between the fast al-
gorithms and the slower ones is the basis of several cryptographic algorithms
that we’ll encounter in this book.
8 Chapter 1. Overview of Cryptography and Its Applications

1.2 Cryptographic Applications

Cryptography is not only about encrypting and decrypting messages, it is
also about solving real-world problems that require information security.
There are four main objectives that arise:

1. Confidentiality: Eve should not be able to read Alice’s message to Bob.

The main tools are encryption and decryption algorithms.

2. Data integrity: Bob wants to be sure that Alice’s message has not
been altered. For example, transmission errors might occur. Also,
an adversary might intercept the transmission and alter it before it
reaches the intended recipient. Many cryptographic primitives, such
as hash functions, provide methods to detect data manipulation by
malicious or accidental adversaries.

3. Authentication: Bob wants to be sure that only Alice could have sent
the message he received. Under this heading, we also include iden-
tification schemes and password protocols (in which case, Bob is the
computer). There are actually two types of authentication that arise
in cryptography: entity authentication and data-origin authentication.
Often the term identification is used to specify entity authentication,
which is concerned with proving the identity of the parties involved
in a communication. Data-origin authentication focuses on tying the
information about the origin of the data, such as the creator and time
of creation, with the data.

4. Non-repudiation: Alice cannot claim she did not send the message.
Non-repudiation is particularly important in electronic commerce ap-
plications, where it is important that a consumer cannot deny the
authorization of a purchase.

Authentication and non-repudiation are closely related concepts, but

there is a difference. In a symmetric key cryptosystem, Bob can be sure
that a message comes from Alice (or someone who knows Alice’s key) since
no one else could have encrypted the message that Bob decrypts successfully.
Therefore, authentication is automatic. However, he cannot prove to any-
one else that Alice sent the message, since he could have sent the message
himself. Therefore, non-repudiation is essentially impossible. In a public
key cryptosystem, both authentication and non-repudiation can be achieved
(see Chapters 9, 13, and 15).
Much of this book will present specific cryptographic applications, both
in the text and as exercises. Here is an overview.
Digital signatures: One of the most important features of a paper
and ink letter is the signature. When a document is signed, an individual’s
identity is tied to the message. The assumption is that it is difficult for
another person to forge the signature onto another document. Electronic
messages, however, are very easy to copy exactly. How do we prevent an
adversary from cutting the signature off one document and attaching it
to another electronic document? We shall study cryptographic protocols
1.2. Cryptographic Applications 9

that allow for electronic messages to be signed in such a way that everyone
believes that the signer was the person who signed the document, and such
that the signer cannot deny signing the document.
Identification: When logging into a machine or initiating a communi-
cation link, a user needs to identify herself or himself. But simply typing
in a user name is not sufficient as it does not prove that the user is really
who he or she claims to be. Typically a password is used. We shall touch
upon various methods for identifying oneself. In the chapter on DES we
discuss password files. Later, we present the Feige-Fiat-Shamir identifica-
tion scheme, which is a zero-knowledge method for proving identity without
revealing a password.
Key establishment: When large quantities of data need to be en-
crypted, it is best to use symmetric key encryption algorithms. But how
does Alice give the secret key to Bob when she doesn’t have the opportu-
nity to meet him personally? There are various ways to do this. One way
uses public key cryptography. Another method is the Diffie-Hellman key ex-
change algorithm. A different approach to this problem is to have a trusted
third party give keys to Alice and Bob. Two examples are Blom’s key genera-
tion scheme and Kerberos, which is a very popular symmetric cryptographic
protocol that provides authentication and security in key exchange between
users on a network.
Secret sharing: In Chapter 17, we introduce secret sharing schemes.
Suppose that you have a combination to a bank safe, but you don’t want to
trust any single person with the combination to the safe. Rather, you would
like to divide the combination among a group of people, so that at least two
of these people must be present in order to open the safe. Secret sharing
solves this problem.
Security protocols: How can we carry out secure transactions over
open channels such as the Internet, and how can we protect credit card
information from fraudulent merchants? We discuss various protocols, such
as SSL and SET.
Electronic cash: Credit cards and similar devices are convenient but
do not provide anonymity. Clearly a form of electronic cash could be useful,
at least to some people. However, electronic entities can be copied. We
give an example of an electronic cash system that provides anonymity but
catches counterfeiters, and we discuss cryptocurrencies, especially Bitcoin.
Games: How can you flip coins or play poker with people who are not in
the same room as you? Dealing the cards, for example, presents a problem.
We show how cryptographic ideas can solve these problems.
Chapter 2
Classical Cryptosystems

Methods of making messages unintelligible to adversaries have been impor-

tant throughout history. In this chapter we shall cover some of the older
cryptosystems that were primarily used before the advent of the computer.
These cryptosystems are too weak to be of much use today, especially with
computers at our disposal, but they give good illustrations of several of the
important ideas of cryptology.
First, for these simple cryptosystems, we make some conventions.
• plaintext will be written in lowercase letters and CIPHERTEXT will
be written in capital letters (except in the computer problems).
• The letters of the alphabet are assigned numbers as follows:
a b c d e f g h i j k l m n o p
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
q r s t u v w x y z
16 17 18 19 20 21 22 23 24 25
Note that we start with a = 0, so z is letter number 25. Because
many people are accustomed to a being 1 and z being 26, the present
convention can be annoying, but it is standard for the elementary
cryptosystems that we’ll consider.
• Spaces and punctuation are omitted. This is even more annoying,
but it is almost always possible to replace the spaces in the plaintext
after decrypting. If spaces were left in, there would be two choices.
They could be left as spaces; but this yields so much information on
the structure of the message that decryption becomes easier. Or they
could be encrypted; but then they would dominate frequency counts
(unless the message averages at least eight letters per word), again
simplifying decryption.
Note: In this chapter, we’ll be using some concepts from number theory,
especially modular arithmetic. If you are not familiar with congruences, you
should read the first three sections of Chapter 3 before proceeding.

10
2.1. Shift Ciphers 11

2.1 Shift Ciphers

One of the earliest cryptosystems is often attributed to Julius Caesar. Sup-
pose he wanted to send a plaintext such as
gaul is divided into three parts
but he didn’t want Brutus to read it. He shifted each letter backwards by
three places, so d became A, e became B, f became C, etc. The beginning of
the alphabet wrapped around to the end, so a became X, b became Y, and
c became Z. The ciphertext was then
DXRIFPAFSFABAFKQLQEOBBMXOQP.
Decryption was accomplished by shifting FORWARD by three spaces (and
trying to figure out how to put the spaces back in).
We now give the general situation. If you are not familiar with modular
arithmetic, read the first few pages of Chapter 3 before continuing.
Label the letters as integers from 0 to 25. The key is an integer κ with
0 ≤ κ ≤ 25. The encryption process is
x 7→ x + κ (mod 26).
Decryption is x 7→ x − κ (mod 26). For example, Caesar used κ = 23 ≡ −3.
Let’s see how the four types of attack work.
1. Ciphertext only: Eve has only the ciphertext. Her best strategy is an
exhaustive search, since there are only 26 possible keys. See Example
1 in the Computer Appendices. If the message is longer than a few
letters (we will make this more precise later when we discuss entropy),
it is unlikely that there is more than one meaningful message that could
be the plaintext. If you don’t believe this, try to find some words of
four or more letters that are shifts of each other. Three such words
are given in Exercises 1 and 2. Another possible attack, if the message
is sufficiently long, is to do a frequency count for the various letters.
The letter e occurs most frequently in most English texts. Suppose
the letter L appears most frequently in the ciphertext. Since e = 4 and
L = 11, a reasonable guess is that κ = 11 − 4 = 7. However, for shift
ciphers this method takes much longer than an exhaustive search, plus
it requires many more letters in the message in order for it to work
(anything short, such as this, might not contain a common symbol,
thus changing statistical counts).
2. Known plaintext: If you know just one letter of the plaintext along
with the corresponding letter of ciphertext, you can deduce the key.
For example, if you know t(= 19) encrypts to D(= 3), then the key is
κ ≡ 3 − 19 ≡ −16 ≡ 10 (mod 26).
3. Chosen plaintext: Choose the letter a as the plaintext. The ciphertext
gives the key. For example, if the ciphertext is H, then the key is 7.
4. Chosen ciphertext: Choose the letter A as ciphertext. The plaintext
is the negative of the key. For example, if the plaintext is h, the key
is −7 ≡ 19 (mod 26).
12 Chapter 2. Classical Cryptosystems

2.2 Affine Ciphers

The shift ciphers may be generalized and slightly strengthened as follows.
Choose two integers α and β, with gcd(α, 26) = 1, and consider the function
(called an affine function)

x 7→ αx + β (mod 26).

For example, let α = 9 and β = 2, so we are working with 9x + 2. Take

a plaintext letter such as h(= 7). It is encrypted to 9 · 7 + 2 ≡ 65 ≡ 13
(mod 26), which is the letter N . Using the same function, we obtain

affine 7→ CVVWPM.

How do we decrypt? If we were working with rational numbers rather than

mod 26, we would start with y = 9x + 2 and solve: x = 19 (y − 2). But 19
needs to be reinterpreted when we work mod 26. Since gcd(9, 26) = 1, there
is a multiplicative inverse for 9 (mod 26) (if this last sentence doesn’t make
sense to you, read Section 3.3 now). In fact, 9 · 3 ≡ 1 (mod 26), so 3 is the
desired inverse and can be used in place of 19 . We therefore have

x ≡ 3(y − 2) ≡ 3y − 6 ≡ 3y + 20 (mod 26).

Let’s try this. The letter V (= 21) is mapped to 3·21+20 ≡ 83 ≡ 5 (mod 26),
which is the letter f . Similarly, we see that the ciphertext CVVWPM is
decrypted back to affine. For more examples, see Examples 2 and 3 in the
Computer Appendices.
Suppose we try to use the function 13x + 4 as our encryption function.
We obtain
input 7→ ERRER.
If we alter the input, we obtain

alter 7→ ERRER.

Clearly this function leads to errors. It is impossible to decrypt, since several

plaintexts yield the same ciphertext. In particular, we note that encryption
must be one-to-one, and this fails in the present case.
What goes wrong in this example? If we solve y = 13x + 4, we obtain
1 1
x = 13 (y − 4). But 13 does not exist mod 26 since gcd(13, 26) = 13 6= 1.
More generally, it can be shown that αx + β is a one-to-one function mod
26 if and only if gcd(α, 26) = 1. In this case, decryption uses x ≡ α∗ y − α∗ β
(mod 26), where αα∗ ≡ 1 (mod 26). So decryption is also accomplished by
an affine function.
The key for this encryption method is the pair (α, β). There are 12
possible choices for α with gcd(α, 26) = 1 and there are 26 choices for β
(since we are working mod 26, we only need to consider α and β between 0
and 25). Therefore, there are 12 · 26 = 312 choices for the key.
Let’s look at the possible attacks.
1. Ciphertext only: An exhaustive search through all 312 keys would take
longer than the corresponding search in the case of the shift cipher;
2.2. Affine Ciphers 13

however, it would be very easy to do on a computer. When all possi-

bilities for the key are tried, a fairly short ciphertext, say around 20
characters, will probably correspond to only one meaningful plaintext,
thus allowing the determination of the key. It would also be possible
to use frequency counts, though this would require much longer texts.

2. Known plaintext: With a little luck, knowing two letters of the plain-
text and the corresponding letters of the ciphertext suffices to find
the key. In any case, the number of possibilities for the key is greatly
reduced and a few more letters should yield the key.
For example, suppose the plaintext starts with if and the corresponding
ciphertext is PQ. In numbers, this means that 8 (= i) maps to 15 (= P )
and 5 maps to 16. Therefore, we have the equations

8α + β ≡ 15 and 5α + β ≡ 16 (mod 26).

Subtracting yields 3α ≡ −1 ≡ 25 (mod 26), which has the unique

solution α = 17. Using the first equation, we find 8 · 17 + β ≡ 15
(mod 26), which yields β = 9.
Suppose instead that the plaintext go corresponds to the ciphertext
TH. We obtain the equations

6α + β ≡ 19 and 14α + β ≡ 7 (mod 26).

Subtracting yields −8α ≡ 12 (mod 26). Since gcd(−8, 26) = 2, this

has two solutions: α = 5, 18. The corresponding values of β are both
15 (this is not a coincidence; it will always happen this way when the
coefficients of α in the equations are even). So we have two candidates
for the key: (5, 15) and (18, 15). However, gcd(18, 26) 6= 1 so the
second is ruled out. Therefore, the key is (5, 15).
The preceding procedure works unless the gcd we get is 13 (or 26). In
this case, use another letter of the message, if available.
If we know only one letter of plaintext, we still get a relation between
α and β. For example, if we only know that g in plaintext corresponds
to T in ciphertext, then we have 6α + β ≡ 19 (mod 26). There are 12
possibilities for α and each gives one corresponding β. Therefore, an
exhaustive search through the 12 keys should yield the correct key.

3. Chosen plaintext: Choose ab as the plaintext. The first character of

the ciphertext will be α · 0 + β = β, and the second will be α + β.
Therefore, we can find the key.

4. Chosen ciphertext: Choose AB as the ciphertext. This yields the de-

cryption function of the form x = α1 y + β1 . We could solve for y and
obtain the encryption key. But why bother? We have the decryption
function, which is what we want.
14 Chapter 2. Classical Cryptosystems

2.3 The Vigenère Cipher

A variation of the shift cipher was invented back in the sixteenth century. It
is often attributed to Vigenère, though Vigenère’s encryption methods were
more sophisticated. Well into the twentieth century, this cryptosystem was
thought by many to be secure, though Babbage and Kasiski had shown how
to attack it during the nineteenth century. In the 1920s, Friedman developed
additional methods for breaking this and related ciphers.
The key for the encryption is a vector, chosen as follows. First choose a
key length, for example, 6. Then choose a vector of this size whose entries
are integers from 0 to 25, for example k = (21, 4, 2, 19, 14, 17). Often the
key corresponds to a word that is easily remembered. In our case, the word
is vector. The security of the system depends on the fact that neither the
keyword nor its length is known.
To encrypt the message using the k in our example, we take first the
letter of the plaintext and shift by 21. Then shift the second letter by 4, the
third by 2, and so on. Once we get to the end of the key, we start back at
its first entry, so the seventh letter is shifted by 21, the eighth letter by 4,
etc. Here is a diagram of the encryption process.

(plaintext) h e r e i s h o w i t w o r k s
(key) 21 4 2 19 14 17 21 4 2 19 14 17 21 4 2 19
(ciphertext) C I T X W J C S Y B H N J V M L

A known plaintext attack will succeed if enough characters are known

since the key is simply obtained by subtracting the plaintext from the cipher-
text mod 26. A chosen plaintext attack using the plaintext aaaaa . . . will
yield the key immediately, while a chosen ciphertext attack with AAAAA . . .
yields the negative of the key. But suppose you have only the ciphertext.
It was long thought that the method was secure against a ciphertext-only
attack. However, it is easy to find the key in this case, too.
The cryptanalysis uses the fact that in most English texts the frequencies
of letters are not equal. For example, e occurs much more frequently than
x. These frequencies have been tabulated in [Beker-Piper] and are provided
in Table 2.1.

a b c d e f g h i j
.082 .015 .028 .043 .127 .022 .020 .061 .070 .002

k l m n o p q r s t
.008 .040 .024 .067 .075 .019 .001 .060 .063 .091

u v w x y z
.028 .010 .023 .001 .020 .001

Table 2.1: Frequencies of Letters in English

Of course, variations can occur, though usually it takes a certain amount

of effort to produce them. There is a book Gadsby by Ernest Vincent Wright
Discovering Diverse Content Through
Random Scribd Documents
Rancagua, the provincial capital, is a dirty, odoriferous, dilapidated
adobe city of 10,380 people with the outward appearance of decay.
A walk down the main street which is named Brazil belies the
general appearance of the town for its sidewalks throng with
peasants from whose shoulders hang multicolored shawls. Horsemen
wearing red ponchos, their spurs clanking, trot down the pebble-
paved street that is lined with squalid one-story shops. Although
only fifty-four miles south of Santiago, the place is a good market
town; of the numerous shops those that deal in dry goods,
draperies, and saddles appear to do the most lucrative trade. There
is only one respectable appearing spot in the city, and that is the
small plaza in the urban center which is embellished by a bronze
equestrian statue of O'Higgins, his horse trampling a Spaniard. Of
the several apologies for hotels, none were inviting and rather than
to eat at one of their restaurants, it is best to go hungry. The only
decent place to eat is at the railroad station. One of the taverns is
named "The North American" with a proprietor of our own
nationality but its business is mostly bar trade, catering to the
incoming and outgoing trade of the miners at El Teniente Mine. The
day I was at Rancagua was Sunday which I was told was the day on
which the prisoners of the jail were allowed to receive guests. I
imagine that nearly everybody in the town either had relatives or
friends in jail for in front of the building which is on the main street a
mob had collected to await admittance.
 Street in Rancagua

The inhabitants of the town are tanned dark brown, and although
strongly built and powerful I noticed several who were afflicted with
the same malignant blood disease which the Swiss guards imported
into France from Italy during the Middle Ages. I was also surprised
to see a little girl about twelve years old on the street who had the
leprosy, the only case I have ever seen in Chile.

The Braden Copper Company of North American ownership has a

2½-foot gauge railroad that runs up to their copper mine, El
Teniente, which is about forty-five miles up the Cachapoal River
above Rancagua; the Baths of Cauquenes is one of their stations.
This mine which was opened in 1907 now has six hundred
employees, many of whom are from the United States and Canada.
From Rancagua the train ride of an hour and a half first crosses the
Plain where fat cattle graze in knee high clover, and then skirts along
the ledge of the mountains overlooking the broad terraces or selvas
of the Cachapoal River, winding around promontories on a roadbed
no wider than the coaches; any mishap would be sufficient to send
the train rolling down the mountainside killing all the occupants of
the cars. The station of Baños, (meaning Baths) is high above the
gorge of the river. Across the canyon on a ledge of rocks can be
seen the buildings of the thermal establishment, but before the
pedestrian gets there he must walk a good half-mile. A foot path
zigzags to the canyon bottom and an arm of the river is crossed by a
cement bridge to a rocky islet. Another bridge, this one a swinging
one, suspended above a whirlpool brings one again to terra firma on
the left bank. One now ascends another zigzag path to a forest of
elm, ash, and locust, the foliage being so thick that the sun's rays
never penetrate it. Another suspension bridge which spans a silvery
cascade is reached and beyond it is the hotel, a low, squat adobe
building painted red, whose many rooms open onto two patios.
The name Cauquenes is Araucanian meaning wild pigeon. This bird,
the ectopistes migratorius, sometimes called the voyager pigeon or
the wood pigeon originally had its range from Labrador to the Straits
of Magellan. Half a century ago they were numerous in the United
States, but in this country they have been absolutely exterminated
due to their having been killed off by hunters; great numbers which
escaped the gun were burned in the Arkansas forest fires four
decades ago. Chile is the only country on the face of this earth
where they still exist, and it is probable that they will continue to live
there as the inhabitants are extremely averse to killing them, the
ignorant classes believing that they bring good luck and that it is an
ill omen to kill them. At the present time they are not found in Chile
north of Cauquenes; formerly there were great numbers in the
vicinity of the Cachapoal hence the name of the baths.
 Gorge of the Cachapoal at Baños de
Cauquenes

The Baths of Cauquenes are situated in the Department of

Caupolican in the Province of Colchagua on the south or left bank of
the Cachapoal River in Latitude 34° 14´ 17´´ south and in
Longitude 70° 34´ 5´´ west of Greenwich. The altitude of the place
above sea level has been a matter of argument. Eight different
professors claim its altitude in different figures from 2200 feet which
is the lowest and which is said by Domeyko to be correct, to 2762
feet which is the highest and is said by Gillis to be correct. 2490 feet
which is the altitude claimed by Guessfelt seems to be the most
exact and is the figure accepted by Dr. Louis Darapsky in his book,
Mineral Waters of Chile. The season for the baths is from September
15th to May 31st, and in midsummer the place is generally crowded.
Describing the scenery, Don José Victorino Lastarria, an illustrious
newspaper man of Santiago, says:
"I have never seen a more impressing, and at the same time, a
more charming landscape than that of the Baths of Cauquenes, nor
have I ever seen in so small a space so many different kinds of
views nor such surprising details. Nature has grouped there her most
beautiful accidents. In sight of the snowy Andes, here rise in the
foreground rounded hills covered with vegetation; there rise barren
rocks through whose clefts rushes the turbulent Cachapoal. Here are
gardens filled with flowers; there are impenetrable thickets. Light
and shadows everywhere, colors without end, harmony and contrast
which reflect or darken the rays of the sun."
The temperature is consistent and the variation during the day is
neither rapid nor extreme although the mornings and evenings are
cool and it is warm at midday. Even in the hottest months the heat is
not irksome, due to the fresh breezes which blow down the valley
from the cordilleras. In winter there is snow; the cold, however, is
not excessive.
The baths have been known since 1646, and were described by
Padre Ovalle in his History of the Kingdom of Chile. There are three
hot springs issuing from the porous and shaly rock, named
Pelambre, Solitario, and Corrimiento. Their temperatures are 122°,
113°, and 107°6' Fahrenheit respectively. They are walled up and
the waters of the first-mentioned two are run by pipes into a
swimming tank and into tubs in the thermal establishment. During
their course in the pipes Pelambre loses 3°6' Fahrenheit of its heat
and Solitario 5°4'. Their waters more than supply their use so the
water of Corrimiento is allowed to go to waste. The thermal
establishment, though by no means primitive, is rather old-
fashioned. I was surprised to see such an attractive place as the
Baños de Cauquenes not made more of for in hot springs and
natural scenery it is the zenith of God's works. Man also has done his
share well but much improvement can be made, all of which
requires capital. The natural lay out of the place is a paradise. It is
something like the Cserna Valley in southeastern Hungary, but wilder
and grander with also a soft touch of nature. The hills covered with
live oak, laurel, and mesquite resemble those of California, yet are
more fertile. A shaded walk leads from the hotel to an artificial lake
bordered by fifty-five of the largest eucalyptus trees that I have ever
seen. In its center rising from the water stand two willows. One is
never absent from the swiftly flowing Cachapoal which murmurs like
the Tepl at Carlsbad, only louder.
The baths are supposed to be beneficial in cases of gout, diuretics,
rheumatism, anemia, and so forth, although one of the guests of the
hotel evidently came there for relief for consumption. He was a
bearded man about sixty years old and he made an unholy spectacle
of himself by coughing and expectorating on the floor of the dining
room while the other guests were eating dinner.
When I arrived at the place I was met at the door by a young man
wearing white duck trousers and a blue double-breasted yachting
coat. With the exception of his large yellow moustache he had a
most cherubic countenance with a smooth, pink, babylike face
without a wrinkle or blemish. I afterwards discovered that this
cherubic individual had an inordinately strong passion for whiskey,
gin, and beer as well as for any drink which had as a fundamental
principle among its ingredients, alcohol. On several trips which I
made later to the Baños de Cauquenes in 1916 I became fairly well
acquainted with this Señor Hermann Manthey. He had arrived two
years previously on one of the German merchantmen on which he
was a steward. The ship was interned and he struck up-country to
make a living and finally evolved in becoming manager of this hotel,
as the proprietor, an old doctor had leased it for a few years and was
too wrapped up in his own private affairs and also too lazy to give it
his attention. Señor Manthey was doing well on the small salary and
large tips he was getting but was not without ambitions. A few
months afterwards I ran across him on a few days' vacation in
Santiago, and he then was planning to get the owner to lease the
establishment to him upon the expiration of the present lease to the
doctor. The hotel with its grounds, fine fruit orchard, springs, lake,
and six thousand acres of hilly grazing land, across which several
rushing streams of transparent water flow headlong into the
Cachapoal is owned by a gentleman in Santiago who leases it out as
he has several other large properties. He will sell it for eighty
thousand dollars which is dirt cheap. Some day I expect to buy it
and make it my home.
At the hotel there are horses to let. On one of these I rode up a
narrow valley and discovered that with nothing but mere bridle paths
leading to them, and miles from the nearest houses, were lonely
thatched and adobe huts, the homes of poor people and charcoal
burners situated in mountain wheat fields or in clearings of a few
acres. All of a sudden while riding I had a sensation as if the horse
was trying to squat on its haunches. I reached for a stick from a
nearby limb to put life into it and nearly lost my balance. A noise like
distant thunder that I had already heard twice that afternoon,
although the sky was cloudless, was audible, and in all directions
stones and small boulders came rolling down the mountain side. It
was a slight earthquake which the natives call temblor in order to
distinguish it from the great ones which they call terramoto.
In the center of one of the myrtle-carpeted patios at the hotel is a
fountain encircled by an ivy-covered wall. Here evenings bats
congregate and flap their wings in the vicinity of the faces of the
guests. A party of Canadians, employees of El Teniente Mine, were
stopping at the Baths when I was there. They filled up on liquor and
made sleep impossible for the other guests by their sacrilegious
bawling of Onward Christian Soldiers and other hymns of the
Episcopal Church.
On leaving Baños de Cauquenes I decided to take the twenty-three-
mile horseback ride to the station of Los Lirios and from there take
the train to southern Chile. The country road was very stony; in
some places it was a mere cart track, while in others it was a broad
avenue. During the first part of the ride it windingly followed the
south bank of the Cachapoal and crossed two streams of transparent
water, each known by the same name, Rio Claro. This means Clear
River, and evidently the natives thought that if the name would do
for one, it would be appropriate for the other. At every turn of the
road a small freshet was crossed, for out of every cleft or dent in a
hill gushed forth a spring. These small streams the peasants
deviated from their courses by turning them into their gardens for
irrigating purposes. The natives were very poor all living in adobe
hovels with thatched roofs. A few acres of cattle, a dog or two, two
acres of cultivated land, and some pear trees represented all their
worldly belongings; yet they seemed very content. These peasants
as a class were the poorest people that I have ever seen as far as
worldly possessions go, yet every one of them always had a full meal
at dinner time. They ate what they raised, and where they grew
crops they worked them with infinite care. As they were too poor to
buy fertilizer, they worked a new piece of land each year, coming
back to the original piece after five years' time, because it had then
enriched itself by remaining idle. There were many wheat fields, ripe
and yellow, the sixty bushels to an acre kind. Central Chile gets
plenty of rain but as it gets it only in the winter months, irrigation
has to be resorted to in the summer.
Halfway to Los Lirios I arrived at the hamlet of Colihue
(mispronounced by the natives Collegua) with its adobe hovels
bordering the now broad and extremely dusty road. Everybody in
rural Chile travels on horseback, and the people I met riding were
many. A man loses caste if he journeys on foot. At Colihue another
road turns off to the left to the Lake of Cauquenes in the mountains
and which teems with fish. The road now left the Cachapoal and
after skirting some barren hills on the right-hand side for a couple of
miles it reaches the settlement of Cauquenes a most queer place. It
consists of a great square compound of dirt which is surrounded on
all four sides by a five-foot-high adobe wall excepting where there is
a church on the west side and a few open sheds on its east side. An
estancia house stood beyond the wall on the south side and there
were some buildings beyond the wall on the north side where the
priest and his servants lived. The highroad both entered and left this
compound by openings rent in the adobe wall. It may be possible
that this place once held a Spanish garrison, and that the compound
was the parade ground, and that the open sheds were former
stables. Everybody that I asked knew nothing about the early history
of the place.
A broad avenue one mile long bordered by giant plane trees led
westward from here. Their foliage was so thick that it made the road
dark, and not seeing my way well I rode my horse onto a pile of
bricks, the impact being so great that it nearly brought us both
down. The road emerged to a pebble river bed, then forded a river,
and wound around the sides of some high hills. Every horseman in
Chile takes a slight upward grade at a gallop and I saw ahead of me
a group of horsemen doing the same; behind us came galloping
around the curves six horses pulling a carriage. These horses were
three abreast and on each outside leader two lackeys were
mounted. It was the doctor's wife from the Baños en route to Los
Lirios where her sister has a post station. Chileans frequently travel
on horseback, accompanied by their servants who follow a couple of
horse lengths behind mounted on inferior animals. When the master
stops, the servant likewise does so, but with the same distance
between the two.
Los Lirios consists only of a small wooden railway station, a
warehouse, a large open horseshed around a yard filled with wagons
which is the post station, a small store, and a saloon. To this latter
place I repaired, after dismounting, to get a glass of water after the
hot dusty trip. The building and its stock of goods were poorer than
the poorest backwoods blind pig, and yet for a third-class license the
congenial and friendly proprietor, who was likewise barber and plied
that trade in an adjacent room in the same building, had to pay
yearly two hundred pesos ($34.12). From the appearance of the
shack it did not look as if he took in that much money a year. Some
of the moustached clientele that happened along, I called up to the
bar to have a treat on me. The proprietor brought forth two goblets,
each one being of a quart capacity, and filled them to the brim with
red wine which he poured from a big jar. The contents of one of
these goblets sells for 8½ cents, the cheapest wine that I have ever
seen. If my surprise was great in seeing men take a quart of wine
for one drink, it was even greater when I saw them drink it in nearly
one gulp and put the goblet back on the bar in anticipation of a
duplicate. I treated them two or three times and never once did they
renege. I know what would have happened to me if I had followed
suit, yet it seems incredible when I must state that it had absolutely
no effect on the imbibers. It is inconceivable why a man in that part
of Chile need ever touch an intoxicant, for the sweet, balmy air and
the voluptuous appearance of Chile's maidens are sufficient to
intoxicate any normal, healthy man.
An hour after leaving Los Lirios the train arrived at San Fernando,
population 9150, the capital of the Province of Colchagua where we
had lunch. Colchagua which has a population of 159,030 is one of
the most productive provinces of Chile, but the next two provinces
south of it, Curicó and Talca are not. It is a sorry sight after having
passed through the well-tilled, highly productive country ever since
leaving Santiago, to come suddenly upon land that is going to waste
on account of lack of settlement. With the exception of the six
northernmost provinces of Chile, Curicó and Talca are to me the
least attractive of any of the republic. South of San Fernando the
first town of importance is Curicó, its name meaning "Black Water"
in the language of the aborigines; then are reached Molina,
population 4327; Talca, the sixth city of Chile with a population of
42,088 inhabitants, and San Javier in the Province of Linares which
has 4898 people. This town lies about three miles east of the
railroad track but is connected to the depot by horse cars and to
Villa Alegre, the next town south of it, by trolley.
The Andean Province of Linares and its southern neighbor Ñuble are
very important agriculturally, both being two of the best in the
republic. Their crops are diversified, run high in percentage of
measure to the hectare and are of good quality. The capital of the
Province of Linares is the city of Linares with a population of 11,122.
It has good stores and buildings most of which are painted pink. Like
in Rancagua the samples of merchandise on display in the shops are
cloth, ponchos, and drygoods. Although but slightly larger than
Rancagua it is a much finer town, and even though its streets are
none too clean they are far superior to those of the capital of the
Province of O'Higgins. In comparing the two cities it is fair to say
that Rancagua presents more activity in street life and in business.
There is one hotel which is fair, the Comercio. A peculiarity about
Linares is that on the streets, especially that one on which the
railroad station faces, native women are seated in front of portable
stoves offering for sale cooked edibles which should be eaten on the
spot. I saw one man who, when he had finished eating, left the
spoon on the table near the stove. The woman who owned it licked
it dry, and after having wiped it on her undershirt, replaced it in a
dish that would be sold to the next customer. The native women
have an art peculiar to Linares and nonexistent anywhere else in the
world of weaving a certain delicate fiber into small baskets, jugs,
and ornaments. These woven wares are very diminutive and are
valuable only as ornaments and curiosities. They are multicolored
and are in much demand by strangers. It is possible to buy them in
Santiago but at an exorbitant price for all that are on sale there are
imported from Linares.
A two-and-a-half-foot gauge railroad runs from a station a block and
a half north of the main depot to the springs of Panimávida, two
hours distant to the northeast. Having seen those of Cauquenes, in
order to augment my education along thermal lines, it was up to me
to see Panimávida and to especially sample its mineral waters, as its
bottled water is the most widely drunk of any mineral water in Chile.
It corresponds to White Rock and to Still Rock.
 Main Street of Linares

The place Panimávida is nothing. It is just as if somebody had

erected a big hotel in the middle of an Illinois or a Wisconsin
landscape. The attractions are absolutely nil. There are six practically
tasteless lukewarm springs covered over with glass tops which
supply the popular table water of Chile. These springs are the
property of the Sociedad Vinos de Santiago (Santiago Wine
Company), and as that stock company is well capitalized the
Panimávida waters are well advertised by them. As people like to
dilute their wine with seltzer, this company has installed a
carbonizing plant here, which changes the still water into a sparkling
one. The plant with hotel is leased to a man named Hernandez, a
fine, fat, young fellow with a flowing beard. He is a good and
accommodating hotel man and gets the trade, even having his
runners meet the trains at Linares. Panimávida is an excellent old-
maids' paradise. Under the shady roof of the patio porch they can
sit, gossip, and knit. The proverbial parrot is present and a black cat
could be easily imported. President Sanfuentes arrived during my
visit to rest up after the strenuous strain connected with his
installation. It was an ideal place for this with nothing to distract his
attention except the broad meadows and the corrugated-iron,
yellow-painted Catholic chapel.
 Panimávida

Said His Excellency to me: "What Chile needs is population. Here we

have thousands upon thousands of acres of the richest land in the
world lying idle, because there is nobody to cultivate it. Until we
have the proper number of inhabitants there is no use to cultivate
these lands, because Chile produces four times more of an
abundance of fruit than she can consume. You see how cheap fruit
and wine is; there is an over production. Every year a million tons go
to waste because there is no market. She cannot export them
because the United States and Argentina are nearer to the European
markets and the freight rates would eat up the profits. As there is a
great demand for grain, people have gone more and more into the
growing of cereals but as yet this industry is in its infancy. It should
be encouraged for now there is grown just enough wheat to meet
the internal demand."
"Supposing," I asked, "that Chile had four times more population
than she now has, would she not have to import her wheat?"
"Never," he replied, "as there are here millions of hectares of the
best wheat lands in the world that can be bought for a song. They
are now lying idle. Something has to take the place of the timber of
the southern provinces. When it is gone it will have to be cereals."
"I believe," he continued, "in encouraging a large immigration,
chiefly from the northern countries—the United States, Germany,
Scandinavia, and Great Britain. Their inhabitants have more initiative
than the Latins and intermarried with the natives make a strong
blood. Our people and those of all the Latin countries excepting the
Frenchmen lack initiative and that is what we need. The Chilenos are
content to live as they have lived for decades, which is all very well
but it is unprogressive. Thanks to the British we now have a fairly
large merchant marine; to the Germans is due the credit of the
prosperous condition of the southern provinces. The only drawback
to the foreigners here is that they run too much to cliques. They
should scatter more. We should also have more capital to start
factories, but I do not believe in, nor shall I encourage, any industry
that will reap the profits here to spend outside of the country."
A couple of hours south of Panimávida are the springs of
Quinamávida. They are said to be equally as good as those of
Panimávida, but the hotel there is poorly managed and there is a
lack of capital to well advertise its waters.
On the return to Linares something went wrong with the locomotive,
which in appearance was similar to the dinky engines one sees in
the lumber plants at home used in hauling lumber through the
yards. A priest on the train who had a mechanical turn of mind got
out of the car, and jumping into the engine cab soon had the
locomotive in running order, much to the amazement of the train
crew.
Southward from Linares the main line of the railroad passes through
Parral, population 10,047, San Carlos, population 8499, Chillán, and
Bulnes, population 3689. San Carlos is famous for its melons and
Bulnes is likewise so for its wines. At San Rosendo, 315 miles south
of Santiago, the train crosses a branch of the Bio-Bio River, which is
named the Rio Claro in want of another name and Araucania is
entered.
By the name Araucania is known that part of Chile bounded on the
north by the Bio-Bio River and on the south by the Calle-Calle River.
Its eastern limit is the peaks of the Andes and its western one is the
Pacific Ocean. In area it is about the size of the State of Maine and
comprises the provinces of Arauco, Malleco, Cautin, and portions of
those of Bio-Bio and Valdivia. The Spaniards always spoke of this
region as the frontera, meaning frontier, and so to-day all Chile lying
south of the Bio-Bio is spoken thus of.
The original inhabitants of this country, the Araucanian Indians were
the bravest and most warlike of any of the South American tribes,
and it was not until 1883 that they were finally subdued after 340
years of warfare. Caupólican, Lautaro, and Colo-Colo, their great
warriors have been immortalized in the poem "La Araucana" by
Alonso de Ercilla. The Araucanians have intermarried so much with
the whites that their race is fast becoming extinct although their
facial characteristics and figures are prevalent in a multitude of
South Chileans. Their political organization was as follows:
A large geographical division was called an aillarehue. These
aillarehues were divided into nine smaller parts, each part being
named a rehue. Ruling over each rehue were two toquis or caciques
who were responsible to the two gulmens who ruled over the
aillarehues. One gulmen ruled in wartime, the other in times of
peace. So also with each toqui. The office of toqui was hereditary
and many became famous through warfare or by their wealth, for
example Colipí, Mariluán, Catrileo, and Huinca Pinoleví.
The Araucanians had no gods with anything definite attributed to
them, nor did they have temples and idols, but they were
exceptionally superstitious. Their principal god was Pillan, god of
thunder, light, and destruction. He lived in the highest peaks of the
Andes and in the volcanos. Dependent upon him were the
Huécuvus, malignant spirits. Epunamun was the god of war. They
also practised the cult of stone worship. Their most superstitious
ceremony was Machitun or cure of the sick. The Araucanian does not
believe that a man should die unless he is killed in battle, and when
he dies a natural death through old age or sickness they believe that
some of their own people inimicable to the deceased caused him to
die. In order to discover the malefactor, they consult a witch doctor,
generally an old hag named a machi. After having indulged in a
number of ridiculous contortions and jumps she names the
supposedly guilty party. Without any further ceremony they pounce
on him and amidst a great drunken orgy and libations of chicha (a
native intoxicant) dedicated to Pillan they torture the innocent victim
to death. When a man dies they generally perform a post-mortem
examination upon the corpse to endeavor to extract the poison from
it which caused death. The burial takes place with great lamentation
and imbibitions of oceans of chicha to the tune of a lugubrious
musical instrument somewhat like a drum and named a trutruca.
They believe in an everlasting future devoted to earthly pleasures.
They formerly believed that the deceased came to life again and
dwelt on the island of Mocha off the coast, but they changed their
thought when they discovered that the Spanish pirates formerly used
that island as their base for excursions on the mainland. Marriage
among the Araucanians has for some time past been a true
compact, the father of the bride having to give his consent. It is not
necessary for any other members of the family to be consulted, but
it often happens that after the marriage has taken place, fights arise
between the groom and the brothers-in-law who objected, several
parties being severely wounded in these affrays. The plight of
woman is miserable; she is practically a slave and the husband
enjoys the fruits of her labor. Polygamy exists among them.
 Bridge over the Malleco River at Collipulli

South of the Bio-Bio the landscape changes nearly entirely. The flat,
cultivated plains of the river pockets which form the great central
valley now give place to rolling hills intersected by small streams
which lie deep in canyons spanned by bridges. At first there are
evidences of viticulture on the side hills but these soon disappear as
well as the trees, which now only are seen near the river beds. This
absolutely treeless country of rounded hills swelters in the hot sun
as it beats down upon the infinite miles of yellow wheat fields. In the
villages frame houses take the place of adobe ones. There are
numerous small lumber yards and sawmills which bear testimony
that in the distant mountains there is still timber. Occasionally a
deserted sawmill is passed which shows that the lumbermen are in
the same fix as those at home, namely that a new location must be
found.
At Santa Fé, the junction of a branch railway that runs to Los
Angeles, of typhoid-fever fame, and the capital of the Province of
Bio-Bio, a curious incident happened. A coffin had been taken off an
incoming train to be put in our baggage car. Coffins in Chile are kite
shaped and are not placed in boxes when transported. The top is not
nailed but is fitted into a groove. I stood a couple of yards away
watching the train crew lift this coffin into the baggage car. They had
to lift it slantingly as some baggage stood in the way. Suddenly the
train gave a jolt causing one of the baggage men to lose his footing.
Since there was nobody now at the head of the coffin it fell onto the
platform, the lid came off, and the malodorous and semi-
decomposed cadaver rolled on top of the baggage man who emitted
awful shrieks and howls. The two other men helping him
immediately took to their heels. Women screamed, men ran, natives
crossed themselves, and Germans laughed. The pinned-down
baggage man howlingly extricated himself from beneath the corpse
and made all haste to jump on the train which had now started,
leaving the lich on the platform since nobody would go near it.
At Renaico where there is a large frame depot and restaurant, a
branch line runs southwest to Angol, capital of the Province of
Malleco and continues to Traiguén. At Collipulli, meaning "Red Earth"
which has 3005 inhabitants, the train crosses the great viaduct over
the Malleco River which lies deep at our feet, bordered by a dark
fringe of oaks. This is the most beautiful vale in Chile. The clear,
narrow, foaming river is a refreshing sight. A rich man has built a
villa on the rise of ground overlooking the stream which gives the
scenery a touch of the Rhein.
The landscape now changes again. Oak, laurel, and lingue appear, at
first scattered, then in groves, and later in forests, while everywhere
possible in clearings are oat fields, the grain just turning color. The
farther south we go the greener the grain is, until we reach Victoria,
population 9840, where the grain has not begun to change color.
Every three years the farmers cut off the branches from the laurels;
these they scatter over their fields and set fire to. Among the ashes
they drag the grain into the ground for by this procedure they are
supposed to harvest better crops. Land here is worth eighty dollars
an acre. The landscape is decidedly like that of our Northern States,
and the climate is much the same as that of Oregon and
Washington. At dusk Lautaro in the Province of Cautin was reached.
This town has a population of 5968 and is named after Valdivia's
Araucanian horse boy who murdered him and as tradition says ate
him. As I mentioned before all the towns that we passed through
south of the Bio-Bio are built of wood, but up to here their roofs
were of tile, with a few exceptions of corrugated iron, tin, and
shingles. The tile roofs now entirely disappear and their place is
taken by those of shingles or slabs of lumber. The houses are
unpainted and as to external appearances are veritable hovels. They
resemble those dilapidated structures of the nigger villages in our
Gulf States. Many towns resemble the one-time lumber settlements
of the upper peninsula of Michigan.
On the train I became acquainted with the Reverend Steerer, a
divine of the Church of England who had resided for twenty-six years
in Temuco and who gave me valuable information about the country.
He had just returned from a trip to the mountains at the request of
the British Consul in Concepcion who had sent him there to inquire
into the mystery surrounding the murder of an Englishman who was
stabbed to death in bed by some natives who wanted the money he
had on him.
At Temuco the Cautin River is reached. The country around here has
had a troubled history in the wars between the Araucanians and the
whites. One of the anecdotes is that on July 31, 1849, the bark
Joven Daniel ran into some rocks near the mouth of the river and
was shipwrecked. The cacique Curin lived near the spot and with the
help of his tribesmen they saved the lives of the crew and
passengers together with the cargo which was given to them out of
gratitude. In the cargo was liquor which they immediately attacked.
Under its influence they murdered every survivor except an
eighteen-year-old girl, Elisa Bravo of Valparaiso, whom Curin
selected to be one of his wives. She was betrothed to a Ramón
Bañados of Valparaiso. His family immediately took up the matter
with the government which immediately got into action to chastise
the Araucanians. Dissentions had in the meantime arisen among the
Indians, and two caciques, Loncomilla and Huaquinpan took the side
of the whites. The Araucanians were beaten but no trace of Elisa
Bravo was ever found as it was supposed that Curin married her and
took her to a place of safety.
Another incident happened in 1861. A French adventurer named
Aurelie de Tournes proclaimed himself King of Araucania under the
title of Orelie I. He promised to free the Indians from the Chilean
rule and had the ability to get the aid of several caciques and quite a
large following. In a battle he was taken prisoner; he was tried for
menacing public safety and would likely have been executed if it had
not been for the intercession of the members of the French colony in
Santiago, and of a judge who has previously declared him to be
insane.
 Street in Temuco

Temuco is the capital of the Province of Cautin and is the

geographical capital of Araucania. It is the largest city of Chile south
of the Bio-Bio and has a population of 29,557, ranking ninth in the
republic. It is 422 miles south of Santiago, and owes its origin to a
fort which was built here in 1881. In recent years its growth has
been rapid. The city is situated west of the mainline of the
longitudinal railroad, and is the junction for a branch line that runs to
the town of Imperial. There is a considerable English colony which
has a church and two schools, but like all over in southern Chile, the
Teutonic element outnumbers all the rest of foreigners in a ratio of
ten to one. The business is mostly in the hands of the Germans as
can be seen by the names over the stores. Somebody with a Yiddish
streak must have strolled in from somewhere because I noticed the
sign of Benjamin Goldenberg over the door of a second-hand
clothing shop. The city is a long-strung-out place of frame unpainted
buildings presenting a most unattractive appearance; only in the
center of the town one gets away from these eyesores for there
brick and cement structures abound, especially in the neighborhood
of the Plaza Anibal Pinto. The principal streets, Jeneral Bulnes,
Arturo Prat, and several others are well paved with cobblestones
over which horse cars rattle in the long ride to the railroad station.
Driving from this station to the town the hotel omnibuses race each
other much to the fright of the uninitiated stranger. Temuco boasts
of an excellent hotel, the Central, owned by a large, fat German
named Finsterbusch, whose facial adornment is a big aureate
moustache. Like most of the Chilean hotels owned by Germans the
place is clean, the beer good, and the cuisine excellent.
The 109-mile train ride from Temuco to Valdivia is made in four and
a quarter hours through a country entirely different from any that is
passed through from Santiago to this point. The low mountains
come in such close proximity to the railroad track that one is pierced
by a tunnel. They are heavily timbered with trees of good saw-log
size, laurel and oak abounding. The only place of importance on the
stretch is the sawmill town of Loncoche. The valley bottoms are
impenetrable jungles of vines, bushes, thorns, and berry plants
which reach a height of about twenty-five feet. It took the pioneers
a month to traverse ten miles of this wilderness whose bottom is
soggy muck, the average day's penetration being but one third of a
mile. Antilhue is the junction for trains running south. The Calle-Calle
River is crossed and its south bank is followed into Valdivia through
a fragrant country covered with scarlet wild fuchsias, honeysuckles,
snapdragons, and morning-glories. On all sides are the green
mountains covered with primeval forests.
 Plaza de la Republica, Valdivia

Valdivia has had its share of the world's vicissitudes and calamities.
It was founded in 1552 by Pedro de Valdivia and was abandoned in
1554 on account of the attacks on it by the Araucanians who
captured its founder and put him to death by torture. It was
destroyed by an earthquake in 1575, and when rebuilt was sacked
by Elias Harckmans, a Dutchman who fortified it. In 1645 the Dutch
were worsted in a fight with the troops of the Peruvian viceroy, the
Marquis de Mancera who drove them out. There was another
earthquake in 1737 which again destroyed the place. Rebuilt, it was
burned in 1748. In 1837 a third earthquake destroyed it. Since then
it has burned down three times, in 1840, in 1885, and in 1911, the
last one being an especially bad fire, wiping out the entire city. Thus
it has been destroyed by earthquakes three times and burned four
times.
It is beautifully situated on the south bank of the Calle-Calle which is
navigable for small boats. The city is uninteresting as it is absolutely
modern. In character it is German, for it is the leading German
center in Chile. No other language is heard spoken on the main
streets. The natives who slightly outnumber the Teutons and also
speak German are to be found mostly on the back streets; they are
employed by the Germans in the different industries. The population
of Valdivia which is the tenth city in Chile is 24,743.
When one alights at the railroad station, it is better to take a launch
to the city to the tune of sixty centavos (10 cents) than by the more
arduous and long trip by cab over rough plank pavements. These
launches owned by a man named Oettinger give the stranger a
pleasant ride down the river and disembark him at a new cement
quay near the center of the city from which place boys carry the
grips to the various hotels. One is immediately impressed by the
cleanliness of the cobble stone-paved streets of the business section
and by the handsome though inexpensive structures. It is by far the
cleanest city in Chile. With the exception of the buildings on the
streets near the Plaza de la Republica, which are of cement
construction, all the other buildings are of frame or corrugated iron,
or of both, but painted freshly over. The side streets are paved with
wooden planks, and in some places with wooden beams, six by
sixes. The main industry is brewing. The colossal brewery named
Compañia Cerveceria Valdivia, formerly that of Anwandter Brothers,
one of the largest in Chile, looms up majestically on the water front
across the narrow river opposite the landing quay. The storerooms
for this amber and nut-brown beverage are on the city side of the
river at the dock. The best hotel in Valdivia is the Carlos Bussenius,
named after the host who in appearance could pass as a twin
brother of Finsterbusch in Temuco.
 Calle-Calle River at Valdivia, Showing
Flour Mills

A pleasant trip from Valdivia is the two hours' ride down the river to
Corral but another and far grander is that to Lake Riñihue and across
the mountains to the wretched hamlet of San Martin de los Andes in
the greatly overrated southern part of Argentina known as
Patagonia.
 Street in Valdivia

I left Valdivia about the middle of an afternoon and got off the train
an hour and a half later at the station of Collilelfu where I put up for
the night at a wooden shack with a tin roof which was an apology
for a hotel. Early the next morning I arose to catch the seven-thirty
train for Huidif, the railroad terminus of the branch line which will in
time be continued to Lake Riñihue. The ride of an hour only brought
the train to its destination where the passengers alighted to change
into carriages which cover the six remaining miles to the lake in
three quarters of the time. The whole landscape is rolling and is
semiforested, and as the lake is approached vast marshes abounding
in wild fowl are traversed. Lake Riñihue is about fifteen miles long by
four miles broad and is a favorite summer resort for the inhabitants
of Valdivia. The landscape is beautified by vistas of the snow-capped
volcanos, Choshuenco and Mocho.

Riñihue Landscape, Southern Chile

The seventy-five-mile trip to Osorno from Valdivia consumes four

hours and lies through a smiling farming country with villages,
farms, and soils characteristic to those of the best part of Wisconsin.
It was dusk when I arrived at Osorno, metropolis of the Province of
Llanquihue. The city has a population of about 12,000 and is 601
miles south of Santiago. A daily train makes the entire distance in 25
hours and 40 minutes, a sleeper being attached to the train as far as
Renaico. Osorno is a miserable-looking place of frame buildings built
close together as is the custom in all the towns of southern Chile
where lumber plays the main rôle in the erection of edifices; but few
of the houses and stores are painted. Valdivia is the only place in
this section of the country where the inhabitants take enough pride
in the appearance of their town to give the houses a fresh coat of
paint. I was told by Bussenius to go to a German hotel which had
just been opened by a former chef of one of the interned Kosmos
Line steamers. I did not go there, however, because Americans do
not stand in good repute with the Germans and Chilenos of German
descent in southern Chile. Although the United States was not at war
with Germany at the time of my visit, nevertheless the Teutonic
inhabitants of that section took pains to show their dislike of North
Americans. Although I was subjected to no personal discourtesy at
either Temuco or Valdivia, but on the contrary was treated well, I
was obliged to listen to much tirade against the United States and
the inhabitants of our country in general. The Germans were
angered because North American firms were supplying the Entente
with munitions of war and it was a current topic of conversation
among them that the United States was afraid to declare war upon
Germany, saying that if it did so there would be an uprising there
against its Government by the great number of Germans and
Americans of German extraction. They anticipated a Bürgerkrieg or
Civil War in the United States if the latter joined sides with Great
Britain.
As there were a couple of spruce-looking runners at the railway
station for the Hotel Royal, a native hostelry, I gave them my grips
and was driven through the unprepossessing streets of the city. The
cab eventually stopped in front of a building that has the outward
appearance of a certain large residence on the outskirts of Ashland,
Wisconsin, where lumberjacks and sailors were wont to congregate
after pay days and sojourn until their savings were gone. I was
wondering whether this establishment was of the same nature.
Fortunately it turned out to be a very good and comfortable hotel,
absolutely Chilean. Osorno has several other hotels, all German.
Osorno has more Teutons in proportion to its size than any city in
Chile. In numbers, Valdivia has a larger German population, but the
ratio is smaller for Valdivia is the larger place. Three-quarters of
Osorno's population is German, their numbers here being in excess
of nine thousand. In southern Chile where most of the hotel-keepers
are German, the inns all have the Gastzimmer or Bürgerzimmer as in
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and

personal growth!

textbookfull.com