This document introduces fundamental concepts in cryptography including symmetric and asymmetric encryption methods, digital signatures, and cryptographic hash functions. It provides an overview of classical ciphers like the Caesar cipher as well as modern standards such as AES and RSA.


Introduction to the theory of cryptography

Rabah Djabri
University of Bejaia
Department of Operations Research

January 19, 2024


Contents

Introduction

1 Mathematical preliminaries
1.1 Sets and maps
1.2 Number theory
1.3 Euclidean algorithm
1.4 Least common multiple
1.5 Fundamental theorem of arithmetic
1.6 Modular arithmetic
1.7 Arithmetic functions
1.8 Floor and ceiling functions

2 Fundamental notions
2.1 Cryptosystems

3 Symmetric-key encryption
3.1 Caesar cipher or shift cipher
3.2 Affine cipher
3.3 Vigenère cipher
3.4 Hill cipher
3.5 Affine Hill cipher
3.6 Modern symmetric-key ciphers
3.7 Feistel Cipher
3.8 Data Encryption Standard Cipher DES
3.9 Advanced Encryption Standard AES
3.10 Modes of operation of block ciphers

4 Asymmetric-key encryption
4.1 RSA cryptosystem
4.2 Diffie-Hellman key exchange
4.3 ElGamal cryptosystem

5 Digital signatures
5.1 Hash functions
5.2 RSA digital signature
5.3 ElGamal digital signature
5.4 Digital Signature Algorithm DSA

A Appendix
A.1 Exercises
A.2 Tests and exams
A.3 List of notations
A.4 Glossary

Introduction

Aims: The aim of this course is to present the fundamentals of cryptography and explore its
importance in different areas of modern life: e-commerce, telecommunications, information
technology, computer science, bank transactions, etc.
Prerequisites: linear algebra, probability theory, elementary notions of number theory.
Content:
History: permutation cipher, substitution cipher (Caesar cipher), Vigenère cipher, Hill cipher.
Fundamental notions: cryptosystem, plaintext, code, encryption function, decryption function,
key, digital certificate, hash function, security, confidentiality, authentication, data integrity,
non-repudiation, signature verification, digital signature, cryptogram, encryption algorithm,
encryption, decryption.
Encryption methods: symmetric-key and asymmetric-key encryption.
Modern codes: DES, AES, DSA, RSA.

Chapter 1

Mathematical preliminaries

1.1 Sets and maps


The intersection of two sets A and B is defined by

A ∩ B = {x : x ∈ A ∧ x ∈ B}.

If we have an arbitrary family of sets {Aα : α ∈ I} indexed by a set I, then their intersection,
denoted by ⋂_{α∈I} Aα or ⋂{Aα : α ∈ I}, is given by

⋂_{α∈I} Aα = {x : (∀α ∈ I)(x ∈ Aα)}.

The union of two sets A and B is defined by

A ∪ B = {x : x ∈ A ∨ x ∈ B}.

If we have an arbitrary family of sets {Aα : α ∈ I} indexed by a set I, then their union, denoted
by ⋃_{α∈I} Aα or ⋃{Aα : α ∈ I}, is given by

⋃_{α∈I} Aα = {x : (∃α ∈ I)(x ∈ Aα)}.

Then we can see that

⋃{A} = ⋂{A} = A,
⋃{A, B} = A ∪ B,
⋂{A, B} = A ∩ B,
⋃{∅} = ⋃∅ = ∅.
The difference between two sets A and B is given by

A − B = {x : x ∈ A ∧ x ∉ B}.

The complement of A in X, which we denote X − A, C_X A or A^c, is given by

A^c = {x : x ∈ X ∧ x ∉ A}.

We say that a set A is included in the set B, which is denoted by A ⊆ B if

(∀x)(x ∈ A =⇒ x ∈ B).

In this case we say A is a subset of B. Equality of two sets A and B is given by

A = B ⇐⇒ A ⊆ B ∧ B ⊆ A.

The set of subsets of a set X, denoted by P(X), is given by

P(X) = {S : S ⊆ X}.

If we have a sequence of sets (An)n≥1, then its limit inferior is defined by

lim inf An = ⋃_{n=1}^{∞} ⋂_{i=n}^{∞} Ai,

and its limit superior is defined by

lim sup An = ⋂_{n=1}^{∞} ⋃_{i=n}^{∞} Ai.

If we have a real sequence (xn)n≥1, then its limit inferior is defined by

lim inf xn = lim_{n→∞} inf{xk : k ≥ n} = sup_{n≥1} inf{xk : k ≥ n},

and its limit superior is defined by

lim sup xn = lim_{n→∞} sup{xk : k ≥ n} = inf_{n≥1} sup{xk : k ≥ n}.

Let A be a nonempty subset of R. We say that a is a lower bound of A if (∀x)(x ∈ A =⇒ a ≤ x).
We say that A is bounded below if there exists a lower bound a of A. We say that a is an upper
bound of A if (∀x)(x ∈ A =⇒ x ≤ a). We say that A is bounded above if there exists an upper
bound a of A. We say that A is bounded if there exists an M > 0 such that |x| ≤ M for all
x ∈ A. Let A be a nonempty subset of R. Then we say inf A = m iff
• (∀x)(x ∈ A =⇒ m ≤ x),
• (∀ϵ > 0)(∃x ∈ A)(m ≤ x < m + ϵ).
Then we say sup A = M iff
• (∀x)(x ∈ A =⇒ x ≤ M),
• (∀ϵ > 0)(∃x ∈ A)(M − ϵ < x ≤ M).
Proposition 1.1. We have the following:
• inf(⋃_{α∈I} Aα) ≤ inf Aα for all α ∈ I,
• sup(⋃_{α∈I} Aα) ≥ sup Aα for all α ∈ I,
• if A ⊆ B, then inf A ≥ inf B,
• if A ⊆ B, then sup A ≤ sup B,
• sup A = − inf(−A),
• sup(A ∪ B) = max(sup A, sup B),
• sup(A ∪ B) = sup A + sup B − min(sup A, sup B),
• inf(A ∪ B) = inf A + inf B − max(inf A, inf B),
• lim sup xn = − lim inf(−xn).
Proposition 1.2. We have:
• ∨(A ∪ B) = ∨{∨(A), ∨(B)} (∨ is associative),
• ∧(A ∪ B) = ∧{∧(A), ∧(B)} (∧ is associative),
• (a ∧ b)c = (ac) ∧ (bc) (c ≥ 0),
• (a ∨ b)c = (ac) ∨ (bc) (c ≥ 0),
• (a ∧ b) ∨ c = (a ∨ c) ∧ (b ∨ c),
• (a ∨ b) ∧ c = (a ∧ c) ∨ (b ∧ c),
• |a| = (−a) ∨ a.
Let f : X → Y be map. The set X is called the domain of f , and Y is called the codomain of f .
If f (x) = y, then y is the image of x by the function f , and x is a preimage of y by the function
f . The image of a subset A of X by the map f , denoted by f (A), is given by

f (A) = {f (x) : x ∈ A}.

The inverse image (or the preimage) of a subset B of Y, denoted by f^{−1}(B), is given by

f^{−1}(B) = {x : f(x) ∈ B}.

The cartesian product of two sets A and B, and of a family of sets (Aα)α∈I, are given by

A × B = {(a, b) : a ∈ A, b ∈ B},
∏_{α∈I} Aα = {(aα)α∈I : (∀α ∈ I)(aα ∈ Aα)}.

We say f is surjective if and only if (∀y ∈ Y )(∃x ∈ X)(f (x) = y).


We say f is injective if and only if (∀x, y)(f (x) = f (y) =⇒ x = y).
We say f is bijective if and only if it is surjective and injective.
Proposition 1.3. Consider the maps g : X → Y and f : Y → Z. Then we have the following:
1. f^{−1}(⋃_{α∈I} Aα) = ⋃_{α∈I} f^{−1}(Aα),
2. f^{−1}(⋂_{α∈I} Aα) = ⋂_{α∈I} f^{−1}(Aα),
3. (f ◦ g)^{−1}(A) = g^{−1}[f^{−1}(A)],
4. f^{−1}(A^c) = [f^{−1}(A)]^c,
5. if A ⊆ B, then f^{−1}(A) ⊆ f^{−1}(B),
6. A ⊆ f^{−1}[f(A)].
Proposition 1.4. We have the following:
1. A ∩ (⋃_{α∈I} Bα) = ⋃_{α∈I} (A ∩ Bα),
2. A ∪ (⋂_{α∈I} Bα) = ⋂_{α∈I} (A ∪ Bα),
3. (⋃_{α∈I} Bα)^c = ⋂_{α∈I} Bα^c,
4. (⋂_{α∈I} Bα)^c = ⋃_{α∈I} Bα^c.
Proposition 1.5. We have the following:
1. (⋂_{α∈I} Aα) × B = ⋂_{α∈I} (Aα × B),
2. (⋃_{α∈I} Aα) × B = ⋃_{α∈I} (Aα × B).

1.2 Number theory


We denote by div(a) the set of all divisors of the integer a.
We denote by div(a1, a2, . . . , an) the set of common divisors of a1, a2, . . . , an, i.e.

div(a1, a2, . . . , an) = ⋂_{i=1}^{n} div(ai).

We denote by muℓ(a) the set of multiples of the integer a, i.e. muℓ(a) = aZ.
We denote by muℓ(a1, a2, . . . , an) the set of common multiples of a1, a2, . . . , an, i.e.

muℓ(a1, a2, . . . , an) = ⋂_{i=1}^{n} muℓ(ai).

The set of natural numbers which is denoted by N is given by

N = {0, 1, 2, . . . }.

The set of integers which is denoted by Z is given by

Z = {. . . , −2, −1, 0, 1, 2, . . . }.

The set of non-negative integers which is denoted by Z+ is given by

Z+ = N = {0, 1, 2, . . . }.

The set of non-positive integers which is denoted by Z− is given by

Z− = {0, −1, −2, . . . }.

The set of rational numbers which is denoted by Q is given by

Q = {a/b : a ∈ Z, b ∈ Z∗}.
The set of even integers which is denoted by 2Z is given by

2Z = {2n : n ∈ Z}.

The set of odd integers which is denoted by 2Z + 1 is given by

2Z + 1 = {2n + 1 : n ∈ Z}.

The set of real numbers is denoted by R.


The set of complex numbers which is denoted by C is given by

C = {x + iy : x, y ∈ R}.

The set of decimal numbers which is denoted by D is given by

D = {a/10^n : a ∈ Z, n ∈ N}.

1.3 Euclidean algorithm


Definition 1.1. Let a and b be integers with b ̸= 0. We say b divides a (or b is a divisor of a) to
mean that a = bk for some integer k, and we write b|a or b ∈ div(a). We say as well a is divisible
by b.
Definition 1.2 (The greatest common divisor). Let a and b be integers not both equal to
zero. Then the greatest common divisor of a and b is the positive integer gcd(a, b) given by

gcd(a, b) = max div(a, b).

We denote gcd(a, b) by (a, b) and a ∧ b as well.


Definition 1.3. Let a1 , a2 , . . . , an be integers not all zero. Then the greatest common divisor
of a1 , a2 , . . . , an denoted by gcd(a1 , a2 , . . . , an ) is given by

gcd(a1 , a2 , . . . , an ) = max div(a1 , a2 , . . . , an ).

Theorem 1.1 (The division algorithm). Let a and b be integers with b > 0, then there exist
unique integers q, r such that
a = qb + r
with 0 ≤ r < b. The integer q is called the quotient and r is the remainder of the division.
Let R : Z × N∗ → N be the map given by

R(a, b) = r

where r is the remainder of the division of a by b.


Proof. Let
S = {a − xb : x ∈ Z, a − xb ≥ 0}.
The set S is a subset of N and is not empty. Let r be the smallest element of S. Then r = a − qb
for some q ∈ Z. We claim that 0 ≤ r < b. If it is not the case then for contradiction suppose
that r ≥ b. Then we would have 0 ≤ r − b = a − (q + 1)b < r, and this contradicts the fact that
r is the smallest element of S. Therefore 0 ≤ r < b. So we have a = qb + r with 0 ≤ r < b. We
have to prove that (q, r) is unique. Suppose that a = qb + r = q1 b + r1 with 0 ≤ r, r1 < b. Then
we must have 0 ≤ |q − q1 |b = |r − r1 | < b. Therefore we must have |q − q1 | = 0, that is q = q1 ,
and hence r = r1 .

Lemma 1.1. Suppose that a and b are integers such that a = qb + r. Then gcd(a, b) = gcd(b, r).
Let a and b be integers such that b > 0. Set r0 = a and r1 = b. Then there is a unique
natural number N ≥ 0 and natural numbers (r0 , r1 , . . . , rN , rN +1 = 0) with r0 , r1 , . . . , rN ≥ 1
such that:

ri = qi+1 ri+1 + ri+2 with 0 ≤ ri+2 < ri+1 for i = 0, . . . , N − 1

And hence
rN −1 = qN rN + 0 with rN +1 = 0.
We get (r0 , r1 , . . . ) or (ri )i∈I where I = {0, 1, . . . , n} for some n ∈ N∗ or I = N
The last term in the sequence is 0 if it is finite. We have to prove that every sequence is finite,
that is the algorithm will stop after a finite number of steps. By induction we have ri ≤ b. The
remainder rN is the last non-zero remainder of the division algorithm. Therefore we have

div(a, b) = div(b, r1 ) = · · · = div(rN , 0).

Therefore
gcd(a, b) = rN and div(a, b) = div(rN , 0) = div gcd(a, b).
Algorithm 1.1 (The Euclidean algorithm).
Input : non-negative integers a, b, with b > 0
Output : gcd(a, b)
1. Compute R(a, b)
2. If R(a, b) = 0 go to (3) otherwise go to (4)
3. Write gcd = b and stop
4. Do a ← b and b ← R(a, b) and go to (1)
Theorem 1.2 (The extended Euclidean algorithm).
Let r0 = a, r1 = b, (α0, β0) = (1, 0), (α1, β1) = (0, 1). Suppose that rN is the last non-zero
remainder of the division algorithm of a by b. Hence

ri = qi+1 ri+1 + ri+2 with 0 ≤ ri+2 < ri+1 for i = 0, . . . , N − 1

Define
αi+2 = −qi+1 αi+1 + αi and βi+2 = −qi+1 βi+1 + βi .
That is
(αi+2 , βi+2 ) = −qi+1 (αi+1 , βi+1 ) + (αi , βi ).
Therefore we get
r0 αi + r1 βi = ri for i = 0, . . . , N.
Hence
r0 αN + r1 βN = rN .
That is
aαN + bβN = gcd(a, b).
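Algorithm 1.1 and Theorem 1.2 as running code. This is an added example and not part of the lecture notes: it uses the remainder map R(a, b) of Theorem 1.1 and the (αi, βi) recurrence exactly as stated, and the names euclid_gcd, extended_euclid, bezout_holds and mod_inverse are this example's own. The last function is the practical payoff of Proposition 1.6: when gcd(a, n) = 1 the Bézout coefficient of a is its inverse modulo n.

```python
# Added example (not part of the lecture notes): Algorithm 1.1 and Theorem 1.2
# implemented as written, with the remainder map R(a, b) of Theorem 1.1 and the
# (alpha_i, beta_i) recurrence.  Function names are this example's own.

def R(a, b):
    """Remainder r of the division a = qb + r with 0 <= r < b (Theorem 1.1)."""
    if b <= 0:
        raise ValueError("b must be positive")
    return a % b                      # Python's % gives 0 <= r < b when b > 0


def euclid_gcd(a, b):
    """Algorithm 1.1: compute R(a, b); if it is 0 the gcd is b, else a <- b, b <- R(a, b)."""
    while True:
        r = R(a, b)
        if r == 0:
            return b
        a, b = b, r


def extended_euclid(a, b):
    """Theorem 1.2: return (g, alpha, beta) with a*alpha + b*beta = g = gcd(a, b).

    r_i = q_{i+1} r_{i+1} + r_{i+2}, and
    (alpha_{i+2}, beta_{i+2}) = -q_{i+1} (alpha_{i+1}, beta_{i+1}) + (alpha_i, beta_i),
    so that r_0 alpha_i + r_1 beta_i = r_i at every step.
    """
    r_prev, r_cur = a, b                   # r_0 = a, r_1 = b
    alpha_prev, alpha_cur = 1, 0           # (alpha_0, alpha_1)
    beta_prev, beta_cur = 0, 1             # (beta_0, beta_1)
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)  # r_prev = q * r_cur + r_next
        alpha_prev, alpha_cur = alpha_cur, -q * alpha_cur + alpha_prev
        beta_prev, beta_cur = beta_cur, -q * beta_cur + beta_prev
        r_prev, r_cur = r_cur, r_next
    # r_prev is now r_N, the last non-zero remainder; the invariant gives Bezout
    assert a * alpha_prev + b * beta_prev == r_prev
    return r_prev, alpha_prev, beta_prev


def bezout_holds(a, b):
    """Cross-check Theorem 1.2 against Algorithm 1.1 on one pair (a, b)."""
    g, x, y = extended_euclid(a, b)
    return a * x + b * y == g == euclid_gcd(a, b)


def mod_inverse(a, n):
    """Inverse of a modulo n; it exists iff gcd(a, n) = 1 (Proposition 1.6), and then
    the Bezout coefficient of a is that inverse.  This is what the affine cipher needs."""
    g, x, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return x % n
```

For a = 240 and b = 46 the remainders are 46, 10, 6, 4, 2, 0, so gcd(240, 46) = 2, and the recurrence ends at (α, β) = (−9, 47) with 240·(−9) + 46·47 = 2.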
Theorem 1.3 (Bézout’s theorem). Let a and b be integers not both zero and d = gcd(a, b).
Then
1. there exist integers x and y such that ax + by = d,
2. div(a, b) = div(d),
3. {ax + by : x, y ∈ Z} = dZ, that is aZ + bZ = (a ∧ b)Z.
Proof.

1. Let
S = {ax + by : ax + by > 0, x, y ∈ Z}.
Since the set S is a subset of the natural numbers and S is not empty, then S has a smallest
element, say s (hence s = ax0 + by0 for some integers x0 and y0).
Let R(a, s) = r, that is a = qs + r with 0 ≤ r < s. We have r = a − qs = a(1 − qx0) − b(qy0).
If r > 0, then r ∈ S. And since r < s, this contradicts the fact that s is the smallest
element of S. Therefore r = 0, and hence s ∈ div(a). In the same manner we prove that
s ∈ div(b). Therefore
s ∈ div(a, b).
Since d divides both a and b, then d divides ax0 + by0 = s. Therefore s = d, and hence
ax0 + by0 = d.
2. If h divides both a and b, then h divides ax0 + by0 = d. Therefore h ∈ div(d). If
h ∈ div(d), then h ∈ div(a, b) since d divides both a and b. Therefore

div(a, b) = div(d).

3. Since ax0 + by0 = d, then a(αx0) + b(αy0) = dα for any integer α. Thus we have (a ∧ b)Z ⊆
aZ + bZ. On the other hand suppose that ax + by = t, then ax + by = qd + r = qax0 + qby0 + r
with 0 ≤ r < d. Hence r = a(x − qx0) + b(y − qy0), and if r ≠ 0 then r would be in S
which contradicts the fact that d is the smallest element of S. Hence r = 0 and therefore
t = qd. Hence aZ + bZ ⊆ (a ∧ b)Z. Hence

aZ + bZ = (a ∧ b)Z.

We have the following generalization of the preceding theorem. The proof is almost identical
to the proof of the preceding theorem.
Theorem 1.4. Let a1, a2, . . . , an be integers not all zero, and d = gcd(a1, a2, . . . , an). Then
1. there exist integers x1, x2, . . . , xn such that ∑_{i=1}^{n} ai xi = d,
2. div(a1, a2, . . . , an) = div(d),
3. {∑_{i=1}^{n} ai xi : x1, x2, . . . , xn ∈ Z} = dZ, that is ∑_i aiZ = (∧_i ai)Z.
Definition 1.4. Let a and b be integers not both zero. Then we say that a and b are relatively
prime (or coprime) if gcd(a, b) = 1.
Proposition 1.6. We have
1. aZ = bZ if and only if |a| = |b| (a, b are integers).
2. If ax + by = 1, then gcd(a, b) = 1.
3. If gcd(a, b) = d, then gcd(a/d, b/d) = 1.
4. (a ∧ b) ∧ c = a ∧ (b ∧ c) = a ∧ b ∧ c (a, b not both zero, b, c not both zero).
5. (a ∨ b) ∨ c = a ∨ (b ∨ c) = a ∨ b ∨ c (a, b, c all different from zero).
6. The integers a and b are relatively prime if and only if there are integers x and y such that
ax + by = 1.
Proof.

1. We have 1 = ax + by = gcd(a, b)α for some integer α by the previous theorem. Hence
gcd(a, b) = 1.
2. We have aZ + bZ = dZ. Hence (a/d)Z + (b/d)Z = Z = gcd(a/d, b/d)Z. Therefore

gcd(a/d, b/d) = 1.


3. We have
(a ∧ b ∧ c)Z = aZ + bZ + cZ
= (aZ + bZ) + cZ
= (a ∧ b)Z + cZ
= ((a ∧ b) ∧ c)Z.
On the other hand we have
(a ∧ b ∧ c)Z = aZ + bZ + cZ
= aZ + (bZ + cZ)
= aZ + (b ∧ c)Z
= (a ∧ (b ∧ c))Z.
Hence
(a ∧ b) ∧ c = a ∧ (b ∧ c) = a ∧ b ∧ c.
4. We have
(a ∨ b ∨ c)Z = aZ ∩ bZ ∩ cZ
= (aZ ∩ bZ) ∩ cZ
= (a ∨ b)Z ∩ cZ
= ((a ∨ b) ∨ c)Z.
On the other hand we have
(a ∨ b ∨ c)Z = aZ ∩ bZ ∩ cZ
= aZ ∩ (bZ ∩ cZ)
= aZ ∩ (b ∨ c)Z
= (a ∨ (b ∨ c))Z.
Hence
(a ∨ b) ∨ c = a ∨ (b ∨ c) = a ∨ b ∨ c.

5. We have

div(a1 ∧ a2 ∧ · · · ∧ am, b1 ∧ b2 ∧ · · · ∧ bn) = div(a1 ∧ a2 ∧ · · · ∧ am) ∩ div(b1 ∧ b2 ∧ · · · ∧ bn)
= ⋂_i div(ai) ∩ ⋂_j div(bj).

Therefore

(a1 ∧ a2 ∧ · · · ∧ am) ∧ (b1 ∧ b2 ∧ · · · ∧ bn) = a1 ∧ a2 ∧ · · · ∧ am ∧ b1 ∧ b2 ∧ · · · ∧ bn.

6. We have

muℓ(a1 ∨ a2 ∨ · · · ∨ am, b1 ∨ b2 ∨ · · · ∨ bn) = muℓ(a1 ∨ a2 ∨ · · · ∨ am) ∩ muℓ(b1 ∨ b2 ∨ · · · ∨ bn)
= ⋂_i muℓ(ai) ∩ ⋂_j muℓ(bj).

Therefore

(a1 ∨ a2 ∨ · · · ∨ am) ∨ (b1 ∨ b2 ∨ · · · ∨ bn) = a1 ∨ a2 ∨ · · · ∨ am ∨ b1 ∨ b2 ∨ · · · ∨ bn.

1.4 Least common multiple


Definition 1.5. Let a and b be integers. We say that a is a multiple of b if a = kb for some
integer k. If a and b are both different from zero then their least common multiple denoted by
ℓcm(a, b) (or a ∨ b) is given by

ℓcm(a, b) = min (muℓ(a, b) ∩ N∗ ) .

Theorem 1.5. We have


1. If a and b are integers both different from zero, then

muℓ(a, b) = muℓ(a ∨ b), i.e. aZ ∩ bZ = (a ∨ b)Z.

2. If a and b be integers both different from zero, then

gcd(a, b) ℓcm(a, b) = |ab|.

3. In general if a1, a2, . . . , an are integers all different from zero, then

muℓ(a1, a2, . . . , an) = muℓ(a1 ∨ a2 ∨ · · · ∨ an), i.e. ⋂_{i=1}^{n} aiZ = (∨_{i=1}^{n} ai)Z.

Proof.

1. Let m = ℓcm(a, b), that is m = min(muℓ(a, b) ∩ N∗). For h ∈ muℓ(a, b), let h = qm + r
with 0 ≤ r < m. Then r = h − qm, and since h ∈ muℓ(a, b) and qm ∈ muℓ(a, b) therefore
r ∈ muℓ(a, b). If r ≠ 0 then we would have r ∈ muℓ(a, b) ∩ N∗ which contradicts the fact that
m is the smallest element of muℓ(a, b) ∩ N∗. Therefore r = 0 and hence h ∈ muℓ(m). On
the other hand if h ∈ muℓ(m) then h ∈ muℓ(a, b). Therefore

muℓ(a, b) = muℓ(a ∨ b).

2. Let gcd(a, b) = d and m = ℓcm(a, b). We have ab/d ∈ muℓ(a, b), and hence ab/d = αm for
some integer α. Suppose that a = sd, b = td, then m = ia = isd, m = jb = jtd. Therefore from
ab = αdm we get std² = αisd² = αjtd². Hence t = αi and s = αj, and therefore α ∈ div(s, t). But
gcd(s, t) = 1 by Proposition 1.6. Hence |α| = 1 and therefore

gcd(a, b) ℓcm(a, b) = |ab|.

3. The proof is the same as in the first part.

Definition 1.6. An integer p > 1 is called a prime number if and only if its only positive divisors
are 1 and p.

Proposition 1.7. A number n ≥ 2 is not prime iff n is divisible by some prime number p ≤ √n.
A number n ≥ 2 is prime iff n is not divisible by any prime number p ≤ √n.
Proof. If the number n ≥ 2 is not prime, then there are primes p and q and an integer m such that
n = pqm. Suppose that p ≤ q. Hence p² ≤ pqm = n. Hence p ≤ √n.

We have

(n ≥ 2 and n ∉ Prm) ⇐⇒ (∃p)(p ∈ Prm and p ≤ n and p ∈ div(n)).

Therefore for n ≥ 2 we have

(n ∈ Prm) ⇐⇒ (∀p)((p ∈ Prm and p ≤ n) ⇒ p ∉ div(n)).

Let n be an integer greater than or equal to 2. Then

([2, n] ∩ N) − ⋃{pN∗ : p ∈ Prm and p ≤ √n} ⊆ Prm.
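Proposition 1.7 turned into two procedures, as an added example that is not part of the notes. Trial division stops at √n, and the sieve removes, for each prime p ≤ √n, the multiples 2p, 3p, ... of p from [2, n]. Keeping p itself (the inclusion above removes all of pN∗, hence the ⊆) makes the result exactly the set of primes in [2, n]. The function names and the helper smallest_prime_divisor are this example's own.

```python
# Added example (not from the notes): Proposition 1.7 as code.  Trial division
# only needs divisors up to sqrt(n); the sieve deletes the multiples 2p, 3p, ...
# of each prime p <= sqrt(n) from [2, n] and keeps p itself.
from math import isqrt


def is_prime(n):
    """True iff n >= 2 and no prime p <= sqrt(n) divides n.

    Trying every integer 2..isqrt(n) is equivalent: if a composite d divides n,
    then a prime factor of d, smaller than d, divides n as well."""
    if n < 2:
        return False
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return False
    return True


def primes_up_to(n):
    """Sieve of Eratosthenes: ([2, n] ∩ N) minus {2p, 3p, ...} for every prime p <= sqrt(n)."""
    candidates = set(range(2, n + 1))
    for p in range(2, isqrt(n) + 1):
        if p in candidates:              # p survived every smaller prime, so p is prime
            candidates.difference_update(range(2 * p, n + 1, p))
    return sorted(candidates)


def smallest_prime_divisor(n):
    """For composite n, the prime p <= sqrt(n) promised by Proposition 1.7; for prime n, n itself."""
    if n < 2:
        raise ValueError("n must be at least 2")
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p
    return n
```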

1.5 Fundamental theorem of arithmetic


Theorem 1.6. We have
1. If a ∈ div(bc) and gcd(a, b) = 1, then a ∈ div(c).
2. If p is a prime and p ∈ div(ab) then p ∈ div(a) or p ∈ div(b).
3. If p is a prime and p ∈ div(a1 a2 · · · an ) then p ∈ div(ai ) for some i.
Proof.

1. Since gcd(a, b) = 1, then ax + by = 1 for some integers x and y. Hence acx + bcy = c. Since
a|acx and a|bcy, then a|acx + bcy = c. Hence a ∈ div(c).
2. If p ∉ div(a), then gcd(p, a) = 1. Then by the first part p ∈ div(b).
3. The proof is by induction.

Proposition 1.8. We have


1. The numbers a and b are coprime iff no prime number p divides both of them
2. If a is coprime with each of a1 , a2 , . . . , an , then a is coprime with a1 a2 · · · an .
3. If a and b are coprime then am and bn are coprime
4. If p is a prime then the divisors of pm are 1, p, p2 , . . . , pm .
5. If p1 , p2 , . . . , pm and q1 , q2 , . . . , qn are prime numbers such that no pi is equal to any qj
then p1 p2 · · · pm and q1 q2 · · · qn are coprime.
6. A prime divides another prime iff they are equal
Proposition 1.9. Let

a = ∏_{i=1}^{m} pi^{αi} and b = ∏_{i=1}^{m} pi^{βi},

where p1, p2, . . . , pm are distinct primes and αi, βi ≥ 0. Then
1. b ∈ div(a) ⇐⇒ βi ≤ αi for all i.
2. b ∈ muℓ(a) ⇐⇒ βi ≥ αi for all i.
3. a = b ⇐⇒ αi = βi for all i.
Proof. We have
1. If βi > αi for some i then b ∉ div(a). If βi ≤ αi for all i then b ∈ div(a).
2. Follows from the previous point.
3. a = b ⇐⇒ b ∈ div(a) and a ∈ div(b) ⇐⇒ αi = βi for all i.

Theorem 1.7 (The fundamental theorem of arithmetic). Every positive integer n > 1 can
be expressed uniquely up to order as a product of prime numbers.
Proposition 1.10. Let a = ∏_{i=1}^{m} pi^{αi} and τ(a) be the number of positive divisors of a. Then

τ(a) = ∏_{i=1}^{m} (1 + αi).

Theorem 1.8. Let

a = ∏_{i=1}^{m} pi^{αi} and b = ∏_{i=1}^{m} pi^{βi},

where p1, p2, . . . , pm are distinct primes and αi, βi ≥ 0. Then

a ∧ b = ∏_{i=1}^{m} pi^{min(αi, βi)} and a ∨ b = ∏_{i=1}^{m} pi^{max(αi, βi)}.
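The factorization results of this section (Theorem 1.7, Proposition 1.9(1), Proposition 1.10 and Theorem 1.8) driven by the exponent vectors (αi) and (βi), as an added example that is not part of the notes. An exponent dictionary {p : α} stands in for a product over a common list of primes p1, ..., pm; a prime missing from one dictionary has exponent 0 there. The functions factorize, tau, divides_by_exponents and gcd_lcm_by_exponents are this example's own names.

```python
# Added example (not from the notes): prime factorization by trial division and
# the divisor count, divisibility test, gcd and lcm read off the exponents.
from collections import Counter


def factorize(n):
    """Prime factorization of n >= 1 as {p: alpha}; factorize(1) == {}."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    exponents = Counter()
    p = 2
    while p * p <= n:
        while n % p == 0:             # divide out p completely before moving on,
            exponents[p] += 1         # so every p that divides here is prime
            n //= p
        p += 1
    if n > 1:                         # leftover cofactor is a prime > sqrt(original n)
        exponents[n] += 1
    return dict(exponents)


def tau(n):
    """Number of positive divisors: prod (1 + alpha_i)  (Proposition 1.10)."""
    result = 1
    for alpha in factorize(n).values():
        result *= 1 + alpha
    return result


def divides_by_exponents(b, a):
    """Proposition 1.9(1): b | a iff beta_i <= alpha_i for every prime p_i."""
    fa = factorize(a)
    return all(beta <= fa.get(p, 0) for p, beta in factorize(b).items())


def gcd_lcm_by_exponents(a, b):
    """Theorem 1.8: a ∧ b uses min(alpha_i, beta_i), a ∨ b uses max(alpha_i, beta_i)."""
    fa, fb = factorize(a), factorize(b)
    g = l = 1
    for p in set(fa) | set(fb):
        alpha, beta = fa.get(p, 0), fb.get(p, 0)
        g *= p ** min(alpha, beta)
        l *= p ** max(alpha, beta)
    return g, l
```

For a = 360 = 2³·3²·5 and b = 84 = 2²·3·7 the exponent rule gives a ∧ b = 2²·3 = 12 and a ∨ b = 2³·3²·5·7 = 2520, and 12·2520 = 360·84 as Theorem 1.5 requires.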

1.6 Modular arithmetic
Definition 1.7. We have the following definitions:
1. Let n be a positive integer. The integers a and b are said to be congruent modulo n if
n divides a − b, and we write a ≡ b (mod n). We use the notation a ≡ b[n] as well.
2. Suppose that a ≡ b (mod n). Then we say that b is a residue of a modulo n. The residue
class of a modulo n is denoted by [a]n and is given by

[a]n = {x : x ∈ Z and x ≡ a (mod n)}

3. For a positive integer n there are n distinct residue classes which are [0]n , [1]n , . . . , [n − 1]n .
4. Therefore we have [a]n = [b]n iff a ≡ b (mod n).
5. The relation ≡ is an equivalence relation, i.e. it is reflexive, symmetric and transitive.
6. The residue classes constitute a partition of Z, that is they are not empty, they are pairwise
disjoint and their union is Z.
7. The set of residue classes modulo n will be denoted by Zn or Z/nZ, and we have

Zn = {[0]n , [1]n , . . . , [n − 1]n }

8. If p is prime number then Zp is a (finite) field.


9. We define in Zn : [a]n + [b]n = [a + b]n and [a]n · [b]n = [ab]n . Addition and multiplication
in Zn are well defined, that is they do not depend on the representative of residue class.
10. We say that a set of integers {a1 , a2 , . . . , an } is a complete system of residues modulo n iff

Zn = {a1 , a2 , . . . , an }.

11. We say that a set of integers {a1 , a2 , . . . , aφ(n) } is a reduced system of residues modulo n
iff
Z∗n = {a1 , a2 , . . . , aφ(n) }.

12. If {a1 , a2 , . . . , aφ(n) } is a reduced system of residues modulo n and gcd(α, n) = 1 then
{αa1 , αa2 , . . . , αaφ(n) } is a reduced system of residues modulo n.
Theorem 1.9. Let n be a positive integer and a, b and c arbitrary integers. Then the following
properties hold:
1. a ≡ a (mod n)
2. if a ≡ b (mod n), then b ≡ a (mod n)
3. if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
4. if a ≡ b (mod n) and c ≡ d (mod n), then a + c ≡ b + d (mod n)
5. if a ≡ b (mod n), then ac ≡ bc (mod n) and ak ≡ bk (mod n)
Proposition 1.11. Let n be a positive integer and a, b arbitrary integers. Then the following
properties hold:

1. If a ≡ b (mod n) then a mod n = b mod n
2. (a mod n + b mod n) mod n = (a + b) mod n
3. ((a mod n)(b mod n)) mod n = (ab) mod n

4. (a mod n)k mod n = ak mod n.

1.7 Arithmetic functions


We define the following arithmetic functions:
1. An arithmetic function f : N∗ → R is said to be multiplicative if f (mn) = f (m)f (n)
whenever gcd(m, n) = 1, and completely multiplicative if f (mn) = f (m)f (n) for all m, n.

2. Let τ (n) be the number of positive divisors of n.

3. Let σ(n) be the sum of positive divisors of n.


4. The Euler function φ : N∗ → N∗ is given by

φ(n) = card{k : k ∈ N∗ , 1 ≤ k ≤ n, gcd(k, n) = 1}.

In other words φ(n) is the number of integers k with 1 ≤ k ≤ n such that k and n are
relatively prime.
5. We can see that φ(n) = card Z∗n the set of units of Zn .

6. s^k ∥ n ⇐⇒ s^k ∈ div n and s^{k+1} ∉ div n.
Theorem 1.10. Let m and n be coprime positive integers. Then

card div+ (mn) = card div+ (m) card div+ (n)

that is
τ (mn) = τ (m)τ (n)
Proof. This can be shown by the bijection f : div+ (m) × div+ (n) → div+ (mn) given by

f (d1 , d2 ) = d1 d2 .

Theorem 1.11. If m and n are positive integers, then


1. The product of the positive divisors of n is given by

∏_{d∈div+(n)} d = n^{τ(n)/2}.

2. If gcd(m, n) = 1 then
σ(mn) = σ(m)σ(n).

3. If n = ∏_{i=1}^{k} pi^{αi}, then

σ(n) = ∏_{i=1}^{k} (pi^{αi+1} − 1)/(pi − 1).

Theorem 1.12 (The Chinese remainder theorem). Let ni, i = 1, 2, . . . , k be k positive
integers which are pairwise coprime and greater than 1. Consider the system of congruences
x ≡ ai (mod ni), i = 1, 2, . . . , k, where ai, i = 1, 2, . . . , k, are integers. Then the system has a
solution, and it is unique modulo n = n1 n2 · · · nk.

Proof. We have gcd(n/ni, ni) = 1, where n = n1 n2 · · · nk. Hence there is bi such that

(n/ni) bi ≡ 1 [ni].

Then

x0 = ∑_{i=1}^{k} (n/ni) bi ai

is a solution to the system. Therefore x is a solution to the system if and only if x = x0 + tn
for some integer t.
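The construction in the proof of Theorem 1.12 as a solver, added here as an example that is not from the notes. Each bi is the inverse of n/ni modulo ni, obtained with Python's pow(x, -1, m) (available from Python 3.8), and x0 = ∑ (n/ni) bi ai is reduced modulo n so the returned representative lies in [0, n). The pairwise-coprimality check is this example's own guard for a hypothesis the theorem takes for granted; the names crt and solves are also mine.

```python
# Added example (not part of the notes): Theorem 1.12 as written, with
# b_i = (n/n_i)^{-1} mod n_i and x0 = sum (n/n_i) b_i a_i reduced modulo n.
from math import gcd


def crt(residues, moduli):
    """Return (x0, n): x0 is the unique solution in [0, n) of x ≡ a_i (mod n_i),
    n = n_1 n_2 ... n_k, and every solution is x0 + t*n."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):                 # the theorem assumes pairwise coprime moduli
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = 1
    for n_i in moduli:
        n *= n_i
    x0 = 0
    for a_i, n_i in zip(residues, moduli):
        n_over_i = n // n_i
        b_i = pow(n_over_i, -1, n_i)             # exists because gcd(n/n_i, n_i) = 1
        x0 += n_over_i * b_i * a_i
    return x0 % n, n


def solves(x, residues, moduli):
    """Check x against every congruence of the system."""
    return all((x - a_i) % n_i == 0 for a_i, n_i in zip(residues, moduli))
```

The classical instance x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7) gives x0 = 23 with n = 105; the second check below reverses Proposition 1.12: the pair (23 mod 5, 23 mod 7) determines 23 modulo 35.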
Proposition 1.12. Let m, n ∈ N∗ such that gcd(m, n) = 1. Then there is a bijection f : Z∗mn →
Z∗m × Z∗n given by
f ([a]mn ) = ([a]m , [a]n ).
Proof. The map f is well defined since

gcd(a, mn) = 1 ⇐⇒ gcd(a, m) = 1 and gcd(a, n) = 1.

The map f is injective: Suppose that f ([a]mn ) = f ([b]mn ), that is ([a]m , [a]n ) = ([b]m , [b]n ),
hence b = a + αm and b = a + βn. Hence αm = βn, and since gcd(m, n) = 1 we find that
β = km and α = kn for some integer k. Therefore b = a + kmn, that is [a]mn = [b]mn.

The map f is surjective: Consider ([a]m , [b]n ) ∈ Z∗m ×Z∗n . Since gcd(m, n) = 1, then a+αm =
b+βn for some integers α and β. Let c = a+αm, and hence f ([c]mn ) = ([c]m , [c]n ) = ([a]m , [b]n ).

Therefore card Z∗mn = card Z∗m card Z∗n , that is φ(mn) = φ(m)φ(n).
Theorem 1.13. We have

1. If n ∈ N∗, then ∑_{d∈div+(n)} φ(d) = n.

2. If m, n ∈ N∗ and gcd(m, n) = 1, then φ(mn) = φ(m)φ(n).

3. If p is a prime, then φ(p) = p − 1.

4. If p is a prime and α ∈ N∗, then φ(p^α) = p^α − p^{α−1}.

5. If n = ∏_i pi^{αi} is a prime factorization of n (the pi are distinct primes and αi ≥ 1), then

φ(n) = n ∏_i (1 − 1/pi).

Proof.

1. Let
S = {(α, d) : 1 ≤ α ≤ d, α ∧ d = 1, d ∈ div n}.
Define the function f : S → {1, 2, . . . , n} by

f(α, d) = αn/d.

The function f is a bijection, and hence card S = n, i.e.

∑_{d∈div+(n)} φ(d) = n.

Theorem 1.14 (The Euler theorem). If a and n are positive integers such that gcd(a, n) = 1,
then
a^{φ(n)} ≡ 1 (mod n).
Proof.
Consider Z∗n the set of units of Zn. Hence

Z∗n = {a1, a2, . . . , aφ(n)},

with gcd(ai, n) = 1. Since gcd(a, n) = 1, multiplication by a permutes the units (Definition 1.7,
point 12), so we have

Z∗n = {aa1, aa2, . . . , aaφ(n)}.
Therefore
(a a1)(a a2) · · · (a aφ(n)) = a1 a2 · · · aφ(n).
That is
a^{φ(n)} a1 a2 · · · aφ(n) = a1 a2 · · · aφ(n).
Hence, cancelling the unit a1 a2 · · · aφ(n),
a^{φ(n)} = 1 in Zn.
Hence
a^{φ(n)} ≡ 1 (mod n).

Theorem 1.15 (The Fermat little theorem). If a is a positive integer and p a prime such
that gcd(a, p) = 1, then
ap−1 ≡ 1 (mod p).
Proof. We have φ(p) = p − 1. Apply the Euler theorem.
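Definition 1.7(11-12), Theorem 1.13(1) and (5), Theorem 1.14 and Theorem 1.15 checked in code, as an added example that is not part of the notes. phi_by_formula evaluates n ∏(1 − 1/pi) as n ∏(pi − 1) / ∏ pi, dividing before multiplying so that every intermediate value is an integer; pow(a, e, n) is Python's modular exponentiation. All function names are this example's own.

```python
# Added example (not part of the notes): reduced residue systems, phi(n) two
# ways, the divisor sum of phi, and Euler's / Fermat's theorem.
from math import gcd


def units(n):
    """A reduced system of residues modulo n: {k : 1 <= k <= n, gcd(k, n) = 1}."""
    return [k for k in range(1, n + 1) if gcd(k, n) == 1]


def phi_by_counting(n):
    """phi(n) = card Z*_n, straight from the definition."""
    return len(units(n))


def phi_by_formula(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p)  (Theorem 1.13(5)), for n >= 1."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            result = result // p * (p - 1)   # exact: p still divides result here
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:                                # remaining cofactor is a prime
        result = result // m * (m - 1)
    return result


def divisor_sum_of_phi(n):
    """sum_{d | n} phi(d), which Theorem 1.13(1) says equals n."""
    return sum(phi_by_formula(d) for d in range(1, n + 1) if n % d == 0)


def euler_theorem_holds(a, n):
    """a^phi(n) ≡ 1 (mod n) for gcd(a, n) = 1; with n prime this is Fermat (Theorem 1.15)."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, phi_by_formula(n), n) == 1


def multiplying_permutes_units(alpha, n):
    """Definition 1.7(12), the step used in the proof of Theorem 1.14: when
    gcd(alpha, n) = 1, {alpha * a_i mod n} is again the set of units."""
    u = units(n)
    return sorted(alpha * x % n for x in u) == sorted(x % n for x in u)
```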

1.8 Floor and ceiling functions
1. The floor function ⌊·⌋ (the integer part): For a real number x the integer part of x is the
integer ⌊x⌋ such that
⌊x⌋ ≤ x < ⌊x⌋ + 1.

2. The fraction part of x which is denoted by {x} is given by

{x} = x − ⌊x⌋.

3. The ceiling function ⌈·⌉: For a real number x, the ceiling of x is the integer ⌈x⌉ such that

⌈x⌉ − 1 < x ≤ ⌈x⌉.

Proposition 1.13. We have


1. Suppose that a and b are integers with b > 0, and let a = qb + r with 0 ≤ r < b, then

⌊a/b⌋ = q and {a/b} = r/b.

2. For x ∈ R and n ∈ Z

⌊x + n⌋ = ⌊x⌋ + n and ⌈x + n⌉ = ⌈x⌉ + n.

3. For x ∈ R
⌊x⌋ + ⌊−x⌋ = v(x ∈ Z) − 1,
where v(x ∈ Z) equals 1 if x ∈ Z and 0 otherwise.

4. If x ≤ y, then ⌊x⌋ ≤ ⌊y⌋.

5. For x ∈ R

⌊x + 1/2⌋ = NearestZ(x),

where NearestZ(x) is the nearest integer to x.
6. For x, y ∈ R
⌊x⌋ + ⌊y⌋ ≤ ⌊x + y⌋ ≤ ⌊x⌋ + ⌊y⌋ + 1.

7. For x, y ∈ R+
⌊x⌋⌊y⌋ ≤ ⌊xy⌋.

8. For x ∈ R+∗ and n ∈ N∗

card{kn : 0 < kn ≤ x, k ∈ N} = card(muℓ(n) ∩ (0, x]) = ⌊x/n⌋.

9. For x ∈ R and n ∈ N∗

⌊⌊x⌋/n⌋ = ⌊x/n⌋.

Theorem 1.16 (Legendre’s formula). Let n ∈ N∗, and p a prime number. Let vp(n!) be the
exponent of p in the prime factorization of n! (vp(n!) is the p-adic valuation of n!). Then

vp(n!) = ∑_{i≥1} ⌊n/p^i⌋.

Proof. Let
S = N∗ ∩ [1, n], Si = muℓ(p^i) ∩ [1, n], i ≥ 1.

We have
∅ ⊆ Sn ⊆ · · · ⊆ S2 ⊆ S1.
Then
vp(n!) = ∑_{x∈S} vp(x)
= ∑_{x∈S} ∑_{i≥1} χ_{Si}(x)
= ∑_{i≥1} ∑_{x∈S} χ_{Si}(x)
= ∑_{i≥1} card Si
= ∑_{i≥1} ⌊n/p^i⌋.
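Theorem 1.16 computed both ways, as an added example that is not part of the notes: legendre sums ⌊n/p^i⌋ until p^i > n (all later terms are 0), and legendre_direct sums vp(x) over x ∈ [1, n], which is the first line of the proof. The trailing-zeros application is this example's own illustration, as are the function names.

```python
# Added example (not from the notes): v_p(n!) by Legendre's formula and by the
# direct sum of valuations, plus the classic application to trailing zeros.

def p_adic_valuation(n, p):
    """v_p(n): exponent of the prime p in the factorization of n >= 1."""
    if n < 1 or p < 2:
        raise ValueError("need n >= 1 and a prime p")
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def legendre(n, p):
    """v_p(n!) = sum_{i>=1} floor(n / p^i)  (Theorem 1.16)."""
    total, power = 0, p
    while power <= n:             # floor(n / p^i) is 0 as soon as p^i > n
        total += n // power
        power *= p
    return total


def legendre_direct(n, p):
    """Same value via v_p(n!) = sum_{x in [1, n]} v_p(x), the proof's first line."""
    return sum(p_adic_valuation(x, p) for x in range(1, n + 1))


def trailing_zeros_of_factorial(n):
    """n! ends in min(v_2(n!), v_5(n!)) zeros; in practice v_5(n!), since v_2 >= v_5."""
    return min(legendre(n, 2), legendre(n, 5))
```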

Theorem 1.17 (The primitive root theorem). Consider Z∗p where p is a prime number.
Then there is an element g ∈ Z∗p that generates Z∗p (hence g is of order p − 1, it is called a
primitive root of Z∗p ).
Theorem 1.18 (The Cauchy theorem for groups). Let G be a finite group whose cardinality
is divisible by a prime number p. Then G has an element of order p.
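Theorems 1.17 and 1.18 made concrete for Z∗p, as an added example that is not part of the notes. A unit g generates Z∗p iff its order is p − 1; since the order divides p − 1 (Fermat), it suffices to check that g^((p−1)/q) ≠ 1 for every prime q dividing p − 1. The Cauchy element of order q is then g^((p−1)/q) for any primitive root g. The prime_divisors helper uses trial division and is adequate for lecture-sized p; all names are this example's own.

```python
# Added example (not from the notes): orders, primitive roots of Z*_p and an
# explicit element of prime order q | p - 1.
from math import gcd


def multiplicative_order(g, p):
    """Smallest k >= 1 with g^k ≡ 1 (mod p); by Fermat it divides p - 1."""
    if gcd(g, p) != 1:
        raise ValueError("g must be a unit modulo p")
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def prime_divisors(m):
    """Distinct primes dividing m, by trial division (fine for small m)."""
    return [q for q in range(2, m + 1) if m % q == 0 and all(q % r for r in range(2, q))]


def is_primitive_root(g, p):
    """g generates Z*_p iff g^((p-1)/q) != 1 (mod p) for every prime q | p - 1:
    the order of g divides p - 1, and it is a proper divisor exactly when it
    divides (p - 1)/q for some prime q."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_divisors(p - 1))


def primitive_roots(p):
    """All generators of Z*_p; Theorem 1.17 guarantees the list is non-empty for prime p."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]


def element_of_order(q, p):
    """Theorem 1.18 for Z*_p: if the prime q divides p - 1, then g^((p-1)/q) has
    order exactly q for any primitive root g."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = primitive_roots(p)[0]
    return pow(g, (p - 1) // q, p)
```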

Chapter 2

Fundamental notions

2.1 Cryptosystems
1. An alphabet is a nonempty set A.
2. We call the elements of A letters, or symbols.
3. A finite sequence of letters of A is called a word over A.

4. We write w = (w1 , w2 , . . . , wn ) or w = w1 , w2 . . . wn .
5. The empty word is denoted by ε.
6. If w = (w1 , w2 , . . . , wn ) is a word then the length of w is denoted by |w| and is given by
|w| = n. By definition |ε| = 0.

7. We denote the set of all words of length n by An , and therefore A0 = {ε}.


8. We denote the set of all words (or all texts) over A by A•, and it is given by

A• = ⋃_{n=0}^{∞} An.

9. The concatenation of two words v and w is denoted by v ◦ w or vw, and is given by: if
v = (v1 , v2 , . . . , vm ) and w = (w1 , w2 , . . . , wn ), then

v ◦ w = (v1 , v2 , . . . , vm , w1 , w2 , . . . , wn )

and
ε ◦ w = w ◦ ε = w.

10. A subset L of A• is called a formal language.

Let A and B be alphabets. A cryptosystem is a 5-tuple Π = (P, C, K, E, D), where


1. P ⊆ A• and is called the plaintext space (is the set of plaintexts),
2. C ⊆ B • and is called the ciphertext space (is the set of ciphertexts)

3. K is a set called the key space (the set of keys),
4. E = {ek : k ∈ K} is the space of encryption functions ek : P → C,
5. D = {dk : k ∈ K} is the space of decryption functions dk : C → P such that dk ◦ ek = idP.
6. The function ek is called as well an encryption algorithm, and dk is called a decryption
algorithm.
7. A is called the plaintext alphabet, B will be called the ciphertext alphabet.
Suppose that Alice would like to send a message m to Bob. Then Alice has to choose a key k
from K and communicate the key to Bob, and this key must be kept secret. Alice encrypts
(enciphers, encodes) the plaintext message m using the encryption function ek and sends the
ciphertext c = ek(m) to Bob. When Bob receives the ciphertext c he uses the decryption function
dk to decipher (decrypt) the ciphertext c to obtain the original plaintext message m = dk(c).
The objectives of cryptography are:
1. Confidentiality

2. Integrity
3. Authentication
4. Non-repudiation

Chapter 3

Symmetric-key encryption

3.1 Caesar cipher or shift cipher


A Caesar cryptosystem (P, C, K, E, D) is given by P = C = Zd , K = Zd .

The encryption function ek : Zd → Zd is given by

ek (m) = m + k.

The decryption function dk : Zd → Zd is given by

dk (c) = c − k.

Example 3.1. Consider the Caesar cipher given by P = C = K = Z26 representing the 26 letters
of the alphabet (A = 1, B = 2, . . . , Y = 25, Z = 0).
1. Given that k = 7, encrypt the letters A, F, X.
2. Encrypt the plaintext message SATURDAY.
3. Decrypt the ciphertext RLF.

4. Suppose that the letter S is encrypted to D, find the key.

3.2 Affine cipher


An affine cryptosystem $(P, C, K, E, D)$ is given by $P = C = \mathbb{Z}_d$, $K = \mathbb{Z}_d^* \times \mathbb{Z}_d$.

The encryption function $e_k : \mathbb{Z}_d \to \mathbb{Z}_d$ is given, for $k = (k_1, k_2) \in \mathbb{Z}_d^* \times \mathbb{Z}_d$ (hence $\gcd(k_1, d) = 1$), by
$$e_k(m) = k_1 m + k_2.$$
The decryption function $d_k : \mathbb{Z}_d \to \mathbb{Z}_d$ is given by
$$d_k(c) = k_1^{-1}(c - k_2).$$

Example 3.2.

3.3 Vigenère cipher
A Vigenère cryptosystem $(P, C, K, E, D)$ is given by $P = C = \mathbb{Z}_d^n$, $K = \mathbb{Z}_d^n$.

The encryption function $e_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given by
$$e_k(m) = m + k.$$

The decryption function $d_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given by
$$d_k(c) = c - k.$$

Example 3.3.

3.4 Hill cipher


A Hill cryptosystem $(P, C, K, E, D)$ is given by $P = C = \mathbb{Z}_d^n$, $K = GL(n, \mathbb{Z}_d)$.

The encryption function $e_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given, for $m$ and $k \in GL(n, \mathbb{Z}_d)$ (hence $\gcd(\det k, d) = 1$), by
$$e_k(m) = k m.$$
The decryption function $d_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given by
$$d_k(c) = k^{-1} c.$$

Example 3.4.

3.5 Affine Hill cipher


An affine Hill cryptosystem $(P, C, K, E, D)$ is given by $P = C = \mathbb{Z}_d^n$, $K = GL(n, \mathbb{Z}_d) \times \mathbb{Z}_d^n$.

The encryption function $e_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given, for $k = (k_1, k_2) \in GL(n, \mathbb{Z}_d) \times \mathbb{Z}_d^n$ (hence $\gcd(\det k_1, d) = 1$), by
$$e_k(m) = k_1 m + k_2.$$
The decryption function $d_k : \mathbb{Z}_d^n \to \mathbb{Z}_d^n$ is given by
$$d_k(c) = k_1^{-1}(c - k_2).$$

Example 3.5.
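The five classical ciphers above are all instances of the affine Hill cipher: Caesar is $n = 1$ with $k_1 = (1)$, the affine cipher is $n = 1$, and Hill is $k_2 = 0$. The following Python is an added example, not code from the lecture notes; it implements the general case over $\mathbb{Z}_d$ with the notes' letter convention (A = 1, ..., Y = 25, Z = 0) and computes $k^{-1} = \det(k)^{-1}\,\mathrm{adj}(k) \bmod d$, which exists exactly when $\gcd(\det k, d) = 1$.

```python
D = 26  # alphabet size used in the notes: A = 1, B = 2, ..., Y = 25, Z = 0


def letter_to_int(ch):
    return (ord(ch.upper()) - ord("A") + 1) % D


def int_to_letter(v):
    return chr(ord("A") + (v - 1) % D)


def minor(m, i, j):
    """Matrix m with row i and column j removed."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]


def det(m):
    """Integer determinant by Laplace expansion along the first row (fine for small n)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def mat_inv_mod(m, d):
    """Inverse in GL(n, Z_d): k^{-1} = det(k)^{-1} * adj(k) mod d.
    pow(x, -1, d) raises ValueError when gcd(det k, d) != 1, i.e. when k is not a valid key."""
    n = len(m)
    det_inv = pow(det(m) % d, -1, d)
    if n == 1:
        return [[det_inv]]
    return [[(det_inv * (-1) ** (i + j) * det(minor(m, j, i))) % d for j in range(n)]
            for i in range(n)]


def mat_vec_mod(m, v, d):
    return [sum(a * b for a, b in zip(row, v)) % d for row in m]


def affine_hill_encrypt(m, k1, k2, d=D):
    """e_k(m) = k1 m + k2 over Z_d^n (m and k2 are column vectors given as lists)."""
    return [(x + y) % d for x, y in zip(mat_vec_mod(k1, m, d), k2)]


def affine_hill_decrypt(c, k1, k2, d=D):
    """d_k(c) = k1^{-1} (c - k2) over Z_d^n."""
    return mat_vec_mod(mat_inv_mod(k1, d), [(x - y) % d for x, y in zip(c, k2)], d)


def _by_blocks(text, k1, k2, func):
    n = len(k1)
    vals = [letter_to_int(ch) for ch in text]
    if len(vals) % n:
        raise ValueError("text length must be a multiple of the block size n")
    out = []
    for i in range(0, len(vals), n):
        out += func(vals[i:i + n], k1, k2)
    return "".join(int_to_letter(v) for v in out)


def encrypt_text(text, k1, k2):
    return _by_blocks(text, k1, k2, affine_hill_encrypt)


def decrypt_text(text, k1, k2):
    return _by_blocks(text, k1, k2, affine_hill_decrypt)


# Special cases: Caesar is n = 1 with k1 = [[1]], the affine cipher is n = 1 with k1 = [[a]],
# and the Hill cipher is the case k2 = 0.
def caesar_encrypt(text, k):
    return encrypt_text(text, [[1]], [k])


def caesar_decrypt(text, k):
    return decrypt_text(text, [[1]], [k])


def affine_encrypt(text, a, b):
    return encrypt_text(text, [[a]], [b])


def affine_decrypt(text, a, b):
    return decrypt_text(text, [[a]], [b])


if __name__ == "__main__":
    k = [[2, 7], [13, 9]]                      # the key of Exercise 3, sheet 2
    print(caesar_encrypt("FIRST", 13))         # SVEFG
    print(mat_inv_mod(k, D))                   # [[7, 9], [13, 16]]
    print(encrypt_text("HELP", k, [0, 0]))     # YSFN
    print(decrypt_text("YY", k, [0, 0]))       # JW
```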

3.6 Modern symmetric-key ciphers


3.7 Feistel Cipher
Feistel: Feistel was a German cryptographer who migrated to the US; he was born in 1915 and died in 1990. He worked for IBM, where he developed the Feistel cipher. Skipjack, IDEA, Blowfish, Twofish, RC5, RC6, DES, TDES, TEA, XTEA, MARS and Lucifer are modified or generalized versions of the Feistel cipher.

Algorithm 3.1 (The Feistel cipher).
1. Let $n$ be a positive natural number.
2. Let $f$ be the round function.
3. Let $k_0, k_1, \dots, k_n$ be the sub-keys corresponding to the rounds $0, 1, 2, \dots, n$.
4. Let the plaintext block be $m = (L_0, R_0)$.
5. For $i = 0, 1, 2, \dots, n$ let $L_{i+1} = R_i$ and $R_{i+1} = L_i \oplus f_{k_i}(R_i)$.
6. The ciphertext block is $c = (L_{n+1}, R_{n+1})$.
7. To decrypt $c = (L_{n+1}, R_{n+1})$, let $R_i = L_{i+1}$ and $L_i = R_{i+1} \oplus f_{k_i}(L_{i+1})$ for $i = n, n-1, \dots, 0$.
8. Get the plaintext block $m = (L_0, R_0)$.
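An added Python illustration of Algorithm 3.1 (not code from the notes): the round function and the key schedule are constructed toy functions, and the point is structural. Decryption undoes encryption whatever $f$ is, because each round only XORs $f_{k_i}(R_i)$ into the other half, and decryption is the same circuit run with the sub-keys in reverse order (up to swapping the halves), which is why one datapath serves both directions in hardware.

```python
MASK32 = 0xFFFFFFFF  # both halves of the block are 32-bit words


def round_function(subkey, right):
    """Toy round function f_{k_i}(R_i): a keyed mix of a 32-bit word.
    Constructed for illustration only; it is neither DES's f nor secure,
    and nothing below requires it to be invertible."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32     # 32-bit rotate left by 13


def subkeys_from_key(key, n):
    """Toy key schedule producing k_0, ..., k_n for the n + 1 rounds (constructed, not DES's KS)."""
    return [(key * (i + 1) + 0x5BD1E995 * i) & MASK32 for i in range(n + 1)]


def feistel_encrypt(block, subkeys):
    """Steps 4-6: (L_0, R_0) -> (L_{n+1}, R_{n+1}) with
    L_{i+1} = R_i and R_{i+1} = L_i xor f_{k_i}(R_i)."""
    left, right = block
    for k in subkeys:
        left, right = right, left ^ round_function(k, right)
    return (left, right)


def feistel_decrypt(block, subkeys):
    """Step 7, run for i = n, ..., 0: R_i = L_{i+1} and L_i = R_{i+1} xor f_{k_i}(L_{i+1})."""
    left, right = block
    for k in reversed(subkeys):
        left, right = right ^ round_function(k, left), left
    return (left, right)


def feistel_decrypt_via_encrypt(block, subkeys):
    """Same result as feistel_decrypt, obtained by running the *encryption* circuit with the
    sub-keys reversed on the swapped ciphertext and swapping the halves back afterwards."""
    left, right = block
    right, left = feistel_encrypt((right, left), list(reversed(subkeys)))
    return (left, right)


if __name__ == "__main__":
    keys = subkeys_from_key(0xC0FFEE, 15)         # 16 rounds: k_0, ..., k_15
    m = (0xDEADBEEF, 0x01234567)                  # constructed plaintext block
    c = feistel_encrypt(m, keys)
    print(hex(c[0]), hex(c[1]))
    print(feistel_decrypt(c, keys) == m)          # True
```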

3.8 Data Encryption Standard Cipher DES


DES: The Data Encryption Standard is specified by FIPS PUB 46 (1977); it uses a Feistel network.
Algorithm 3.2 (The Data Encryption Standard algorithm DES).
1. Choose a key $k$ of 64 bits.
2. Let $f$ be the round function (or the cipher function).
3. The function $f$ is given by primitive functions $S_i$ (selection functions) and a permutation $P$.
4. The functions $E$, $IP$, $S_i$, $P$, $KS$ are fixed by the Standard (8 selection functions, or S-boxes).
5. Let $k_1, k_2, \dots, k_{16}$ be the sub-keys corresponding to the rounds $1, 2, \dots, 16$. Each sub-key is a 48-bit block.
6. The keys $k_i$ are generated by $k_i = KS(i, k)$, $i = 1, 2, \dots, 16$ ($KS$ is the key schedule algorithm).
7. Let the 64-bit plaintext block be $m$.
8. Then get $IP(m) = (L_0, R_0)$, where $IP$ is the initial permutation. Each of $L_0$ and $R_0$ is 32 bits long.
9. For $i = 1, 2, \dots, 16$ let $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f_{k_i}(R_{i-1})$.
10. Get $(R_{16}, L_{16})$; the ciphertext block is $c = IP^{-1}(R_{16}, L_{16})$.
11. To decrypt $c$, get $(R_{16}, L_{16}) = IP(c)$ and let $R_{i-1} = L_i$ and $L_{i-1} = R_i \oplus f_{k_i}(L_i)$, $i = 16, 15, \dots, 1$.
12. Get the plaintext block $m = IP^{-1}(L_0, R_0)$.

We have $S_i : \mathbb{B}^6 \to \mathbb{B}^4$ for the $i$-th S-box (here $\mathbb{B} = \{0, 1\}$).
Algorithm 3.3 (The key schedule algorithm).
1. Choose a 56-bit key (actually 64 bits, 8 of them being parity-check bits).
2. Let $k \leftarrow PC1(k)$.
3. Write $k$ as $k = a_0 \| b_0$.
4. Do $a_r = \mathrm{leftshift}_j(a_{r-1})$, $b_r = \mathrm{leftshift}_j(b_{r-1})$ and $k_r = PC2(a_r \| b_r)$. Here $r = 1, 2, \dots, 16$; $j = 1$ if $r \in \{1, 2, 9, 16\}$ and $j = 2$ otherwise.
5. We get $(k_1, k_2, \dots, k_{16})$, i.e. $KS(k) = (k_1, k_2, \dots, k_{16})$. ($\mathrm{leftshift}_j$ is the function that rotates to the left by $j$ positions.)
6. ($PC1$ is a permutation of the positions of the key $k$; $PC2$ extracts 48 bits of $a_r \| b_r$.)
Algorithm 3.4 (The $f$-function algorithm for DES).
1. Given blocks $R$ and $\kappa$ of lengths 32 and 48 respectively.
2. Let $R \leftarrow E(R) \oplus \kappa$.
3. Let $R = R_1 \| R_2 \| \dots \| R_8$ with $|R_i| = 6$.
4. Let $R_i = S_i(R_i)$, $i = 1, 2, \dots, 8$, $S_i : \mathbb{B}^6 \to \mathbb{B}^4$.
5. Let $R = R_1 \| R_2 \| \dots \| R_8$ with $|R| = 32$.
6. Let $f_\kappa(R) \leftarrow P(R)$.

In summary, DES is built from $KS$ (using $PC1$, $PC2$ and $\mathrm{leftshift}_j$), $f$ (using $E$, $S_i$ and $P$) and $IP$.
We can see that
$$f_\kappa(R) = P\left[S_1\big((E(R) \oplus \kappa)_1\big) \,\|\, S_2\big((E(R) \oplus \kappa)_2\big) \,\|\, \dots \,\|\, S_8\big((E(R) \oplus \kappa)_8\big)\right],$$
or equivalently, writing $E(R)_i$ and $\kappa_i$ for the $i$-th 6-bit pieces of $E(R)$ and $\kappa$,
$$f_\kappa(R) = P\left[S_1\big(E(R)_1 \oplus \kappa_1\big) \,\|\, S_2\big(E(R)_2 \oplus \kappa_2\big) \,\|\, \dots \,\|\, S_8\big(E(R)_8 \oplus \kappa_8\big)\right].$$

3.9 Advanced Encryption Standard AES


Algorithm 3.5 (The Vernam algorithm).

3.10 Modes of operation of block ciphers

NIST defines five modes of operation (the first five in the following list).
1. ECB: Electronic codebook mode. Suppose we have a message $(m_i)_{i \in I}$. Then we get the encrypted message $(c_i)_{i \in I} = (e_k(m_i))_{i \in I}$.
2. CBC: Cipher block chaining mode
   (a) Given $(m_i)_{i \ge 0}$, choose $c_{-1}$.
   (b) Let $c_i = e_k(m_i \oplus c_{i-1})$, $i \ge 0$.
   (c) Decrypt as $m_i = c_{i-1} \oplus d_k(c_i)$, $i \ge 0$.
3. CFB: Cipher feedback mode
   (a) Given $(m_i)_{i \ge 0}$, let $c_0 = e_k(m_0)$.
   (b) Let $c_i = m_i \oplus e_k(c_{i-1})$, $i \ge 1$.
   (c) Decrypt as $m_i = c_i \oplus e_k(c_{i-1})$, $i \ge 1$.
4. OFB: Output feedback mode
   (a) Given $(m_i)_{i \ge 0}$, choose an initial value $s_{-1}$.
   (b) Let $s_i = e_k(s_{i-1})$.
   (c) Let $c_i = m_i \oplus s_i$, $i \ge 0$.
   (d) Decrypt as $m_i = c_i \oplus s_i$, $i \ge 0$.
5. CTR: Counter mode
   (a) Given $(m_i)_{i \ge 0}$, choose an initial value $T$.
   (b) Let $s_i = e_k(T + i)$.
   (c) Let $c_i = m_i \oplus s_i$, $i \ge 0$.
   (d) Decrypt as $m_i = c_i \oplus s_i$, $i \ge 0$.
6. PCBC: Propagating cipher block chaining mode
CFB mode and OFB mode are examples of stream ciphers. CFB is self-synchronizing, OFB is synchronous.
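Added Python (not code from the notes) running ECB, CBC, OFB and CTR exactly as written above over a constructed toy 32-bit block cipher $e_k$. It makes two operational points visible: ECB maps equal plaintext blocks to equal ciphertext blocks, and a bit error in one ciphertext block corrupts two plaintext blocks under CBC but only one bit of one block under CTR, so neither mode detects modification on its own.

```python
MASK32 = 0xFFFFFFFF
ODD = 0x9E3779B1                 # odd, hence invertible modulo 2^32
ODD_INV = pow(ODD, -1, 1 << 32)


def block_encrypt(k, m):
    """Toy 32-bit block cipher e_k: a keyed bijection on 32-bit words.
    Constructed stand-in for a real block cipher; it is not secure."""
    return (((m ^ k) & MASK32) * ODD + k) & MASK32


def block_decrypt(k, c):
    """d_k, the inverse of block_encrypt."""
    return ((((c - k) & MASK32) * ODD_INV) & MASK32) ^ k


def ecb_encrypt(k, blocks):
    """c_i = e_k(m_i): equal plaintext blocks give equal ciphertext blocks."""
    return [block_encrypt(k, m) for m in blocks]


def ecb_decrypt(k, blocks):
    return [block_decrypt(k, c) for c in blocks]


def cbc_encrypt(k, iv, blocks):
    """c_i = e_k(m_i xor c_{i-1}) with c_{-1} = iv."""
    out, prev = [], iv
    for m in blocks:
        prev = block_encrypt(k, m ^ prev)
        out.append(prev)
    return out


def cbc_decrypt(k, iv, blocks):
    """m_i = c_{i-1} xor d_k(c_i)."""
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ block_decrypt(k, c))
        prev = c
    return out


def ofb_keystream(k, s, n):
    """OFB: s_i = e_k(s_{i-1}) starting from s_{-1} = s."""
    ks = []
    for _ in range(n):
        s = block_encrypt(k, s)
        ks.append(s)
    return ks


def ctr_keystream(k, t, n):
    """CTR: s_i = e_k(T + i)."""
    return [block_encrypt(k, (t + i) & MASK32) for i in range(n)]


def xor_stream(blocks, ks):
    """OFB and CTR in both directions: c_i = m_i xor s_i and m_i = c_i xor s_i."""
    return [b ^ s for b, s in zip(blocks, ks)]


def corrupted_blocks_after_cbc_bit_flip(k, iv, blocks, index):
    """Flip one ciphertext bit in block `index`, decrypt, and list the plaintext blocks that
    changed. In CBC the damage is m_index (fully garbled) and m_{index+1} (same bit flipped)."""
    ct = cbc_encrypt(k, iv, blocks)
    ct[index] ^= 1
    pt = cbc_decrypt(k, iv, ct)
    return [i for i, (a, b) in enumerate(zip(blocks, pt)) if a != b]


def corrupted_blocks_after_ctr_bit_flip(k, t, blocks, index):
    """Same experiment in CTR: only m_index changes, and only in the flipped bit. Neither
    mode notices the change, which is why an integrity check (a MAC) must be added."""
    ks = ctr_keystream(k, t, len(blocks))
    ct = xor_stream(blocks, ks)
    ct[index] ^= 1
    pt = xor_stream(ct, ks)
    return [i for i, (a, b) in enumerate(zip(blocks, pt)) if a != b]


if __name__ == "__main__":
    K = 0x1337C0DE                                          # constructed key
    msg = [0x41414141, 0x41414141, 0x42424242, 0x41414141]  # constructed plaintext blocks
    print([hex(c) for c in ecb_encrypt(K, msg)])           # blocks 0, 1 and 3 coincide
    print([hex(c) for c in cbc_encrypt(K, 0xA5A5A5A5, msg)])
    print(corrupted_blocks_after_cbc_bit_flip(K, 0xA5A5A5A5, msg, 1))   # [1, 2]
    print(corrupted_blocks_after_ctr_bit_flip(K, 0x100, msg, 1))        # [1]
```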

1. NIST: National Institute of Standards and Technology
2. FIPS: Federal Information Processing Standard
3. LFSR: Linear Feedback Shift Register
4. AES (Rijndael): Advanced Encryption Standard, specified by FIPS 197. It uses a substitution-permutation network (SP network) with the operations ShiftRows, MixColumns, AddRoundKey and SubBytes.
5. DSS: Digital Signature Standard, specified by FIPS 186-4
6. DSA: Digital Signature Algorithm, specified in this Standard
7. PKCS: Public-Key Cryptography Standard
8. RSA: Algorithm developed by Rivest, Shamir and Adleman; specified in ANS X9.31 and PKCS 1
9. SHA: Secure Hash Algorithm, specified in FIPS 180
10. RC4, SSL, TLS, MAC

This enumerated information is given in FIPS PUB 186-4.

Chapter 4

Asymmetric-key encryption

4.1 RSA cryptosystem


The RSA cipher is an asymmetric cryptosystem developed in 1978 by Rivest, Shamir and Adleman and described in their paper A method for obtaining digital signatures and public-key cryptosystems. There are two keys, created by one person, say Alice. One key is public and used for encryption, the other is private and used for decryption. Alice makes the public key accessible; Bob uses it to encrypt the message he is sending to Alice, and Alice uses the private key to decrypt the message sent to her. The private key can also be used by Alice to sign documents she is sending to Bob, and Bob in turn can use the public key to verify the signature.
Algorithm 4.1 (The RSA algorithm).
1. Alice chooses different prime numbers $p$ and $q$ (to be kept secret).
2. She computes $n = pq$ ($n$ will be the modulus of encryption).
3. Let $\varphi(n) = (p-1)(q-1)$ ($\varphi$ is the Euler totient function).
4. She chooses $e \in \mathbb{N}^*$ such that $e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$.
5. She computes $d$, the inverse of $e$ modulo $\varphi(n)$, with $d < \varphi(n)$.
6. The ordered pair $(n, e)$ is the public key.
7. The ordered pair $(n, d)$ is the private key.
8. The message $m$ with $m < n$ is encrypted by Bob as $c = m^e \bmod n$ (hence $c < n$).
9. The ciphertext $c$ ($c < n$) is deciphered by Alice as $m = c^d \bmod n$ (hence $m < n$).

4.2 Diffie-Hellman key exchange


The concept of a public-key encryption system was formulated for the first time by Whitfield Diffie and Martin Hellman in their paper New directions in cryptography, published in 1976. A public-key cryptosystem (PKC) is based on the concept of a one-way function and trapdoor information. A one-way function is by definition an invertible function which is easy to compute but whose inverse is hard to compute, in the sense that there is no algorithm to compute this inverse in a reasonable amount of time. The trapdoor information is some auxiliary information that can be used to compute the inverse easily.
In a public-key cryptosystem a key $k$ consists of two subkeys: a private key $k_{\mathrm{priv}}$ and a public key $k_{\mathrm{pub}}$. Therefore $k = (k_{\mathrm{priv}}, k_{\mathrm{pub}})$. We say that $k_{\mathrm{priv}}$ is trapdoor information for the encryption function $e_{k_{\mathrm{pub}}}$, i.e. we use $k_{\mathrm{priv}}$ to compute the inverse of $e_{k_{\mathrm{pub}}}$.

Algorithm 4.2 (The Diffie-Hellman key exchange algorithm).
1. A public party chooses a large prime number $p$ (it will be called the modulus) and a base $g \in \mathbb{Z}_p^*$ with large prime order (the prime $p$ and $g$ are public).
2. Alice chooses a secret number $a \in \mathbb{N}$ and sends to Bob $A = g^a \bmod p$.
3. Bob chooses a secret number $b \in \mathbb{N}$ and sends to Alice $B = g^b \bmod p$.
4. Alice computes $s = B^a \bmod p$.
5. Bob computes $s = A^b \bmod p$.
6. Now Alice and Bob share the same number $s$ ($B^a \bmod p = A^b \bmod p$).

4.3 ElGamal cryptosystem


The ElGamal public-key cryptosystem was introduced by Taher ElGamal in 1985 in the paper A public-key cryptosystem and a signature scheme based on discrete logarithms, and is based on the discrete logarithm problem for $\mathbb{Z}_p^*$.

Algorithm 4.3 (The ElGamal algorithm).
1. A large prime number $p$ and an element $g$ in $\mathbb{Z}_p^*$ of large prime order are chosen by a public party.
2. Alice chooses a secret number $a$ such that $1 \le a \le p-1$.
3. The triple $(p, g, a)$ is the private key.
4. She computes $A = g^a \bmod p$.
5. The triple $(p, g, A)$ is the public key.
6. Bob chooses a plaintext $m$ ($0 \le m \le p-1$), chooses a random $k \in \mathbb{N}^*$ and computes $(c_1, c_2)$ where
$$c_1 = g^k \bmod p \quad \text{and} \quad c_2 = m A^k \bmod p.$$
7. Bob sends the ciphertext $(c_1, c_2)$ to Alice.
8. Alice computes $(c_1^a)^{-1} c_2 \bmod p$, which is equal to $m$.

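Added Python (not the notes' own code) for Algorithms 4.2 and 4.3 side by side, since both rest on the same public data $(p, g)$ and the same value $A = g^a \bmod p$. It also checks the one condition both algorithms state, that $g$ must have large prime order: with the small teaching parameters $p = 127$, $g = 2$ (used in sheet 3) the order of $g$ is only 7, so every public value lands in a 7-element subgroup. The ranges enforced on $a$, $m$ and $k$ are the ones the algorithms state; the parameters in the main block are constructed.

```python
def element_order(p, g):
    """Multiplicative order of g in Z_p^*: the smallest r >= 1 with g^r = 1 mod p.
    Brute force, so only for the small teaching parameters used here."""
    x, r = g % p, 1
    while x != 1:
        x, r = (x * g) % p, r + 1
    return r


def dh_public(p, g, secret):
    """A = g^a mod p for Alice (or B = g^b mod p for Bob)."""
    return pow(g, secret, p)


def dh_shared(p, their_public, my_secret):
    """s = B^a mod p on Alice's side and s = A^b mod p on Bob's; both equal g^{ab} mod p."""
    return pow(their_public, my_secret, p)


def elgamal_keygen(p, g, a):
    """Private key (p, g, a), public key (p, g, A) with A = g^a mod p."""
    if not 1 <= a <= p - 1:
        raise ValueError("a must satisfy 1 <= a <= p - 1")
    return (p, g, a), (p, g, pow(g, a, p))


def elgamal_encrypt(pub, m, k):
    """c = (g^k mod p, m A^k mod p). k must be random and fresh for every message;
    the range 1 <= k <= p - 2 is an assumption of this example."""
    p, g, A = pub
    if not 0 <= m <= p - 1:
        raise ValueError("plaintext must satisfy 0 <= m <= p - 1")
    if not 1 <= k <= p - 2:
        raise ValueError("k must satisfy 1 <= k <= p - 2")
    return pow(g, k, p), (m * pow(A, k, p)) % p


def elgamal_decrypt(priv, c):
    """m = (c_1^a)^{-1} c_2 mod p."""
    p, g, a = priv
    c1, c2 = c
    return (pow(pow(c1, a, p), -1, p) * c2) % p


if __name__ == "__main__":
    print(element_order(127, 2))                  # 7: far too small a subgroup
    p, g = 1009, 11                               # constructed parameters (sheet 3, Exercise 5)
    A, B = dh_public(p, g, 513), dh_public(p, g, 33)
    print(dh_shared(p, B, 513) == dh_shared(p, A, 33))   # True
    priv, pub = elgamal_keygen(p, g, 42)
    c = elgamal_encrypt(pub, 321, 77)
    print(c, elgamal_decrypt(priv, c))            # ..., 321
```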
Chapter 5

Digital signatures

The RSA algorithm can be used for encryption and for digital signatures as well. ElGamal is a discrete-logarithm-based encryption scheme. The ElGamal digital signature scheme was introduced for the first time in 1985. It was then modified in 1991 to get the version known as the Digital Signature Algorithm (DSA), published officially as the Digital Signature Standard (DSS) in 1994.

5.1 Hash functions


Definition 5.1. An asymmetric signature scheme Sign is Sign $= (P, C, K, S, V)$ where
1. The set $P$ is the space of messages.
2. The set $C$ is the space of signatures.
3. The set $K$ is the space of keys; $k = (k_1, k_2) \in K$, where $k_1$ is the private key and $k_2$ is the public key.
4. The set $S = \{\sigma_k : k \in K\}$ is the space of signing functions $\sigma_k : P \to C$.
5. The set $V = \{v_k : k \in K\}$ is the space of signature verification functions $v_k : P \times C \to \mathbb{B}$, such that $v_k(m, \sigma_k(m)) = 1$ for all $m \in P$.
If we have a hash function $H : P \to \mathbb{B}^\ell$, then $\sigma_k = s_k \circ H$ with $s_k : \mathbb{B}^\ell \to C$.

Definition 5.2. A hash function is a map $H : \mathbb{B}^\bullet \to \mathbb{B}^\ell$ for some fixed positive integer $\ell$, given by a polynomial-time algorithm. We say that $H$ is collision resistant if it is infeasible to find $a$ and $b$, $a \neq b$, such that $H(a) = H(b)$.

5.2 RSA digital signature


Algorithm 5.1 (The RSA digital signature algorithm).
1. Alice chooses prime numbers $p$ and $q$ (to be kept secret).
2. She computes $n = pq$ ($n$ will be the modulus of encryption).
3. Let $\varphi(n) = (p-1)(q-1)$ ($\varphi$ is the Euler totient function).
4. She chooses $e \in \mathbb{N}^*$ such that $e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$.
5. She computes $d$, the inverse of $e$ modulo $\varphi(n)$, with $d < \varphi(n)$.
6. The ordered pair $(n, e)$ is the public key.
7. Alice signs the document $m$ by $s = m^d \bmod n$.
8. The ordered pair $(n, d)$ is the private key.
9. Bob computes $s^e \bmod n$ and verifies that it is equal to $m$.
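Algorithms 4.1 and 5.1 share the same key material, so one added Python block (not the notes' own code) covers both: key generation with the checks the notes state ($p \neq q$, $e < \varphi(n)$, $\gcd(e, \varphi(n)) = 1$, $m < n$), encryption and decryption, signing and verification, and, as in Exercise 2 of sheet 3, recovery of the private key from one factor of $n$, which is why $n$ must be too large to factor. This is textbook RSA without padding, exactly as in the notes; the parameters in the main block are those of that exercise.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Algorithm 4.1 / 5.1, steps 1-7: returns the public key (n, e) and private key (n, d).
    p and q are assumed prime; the notes leave primality testing to the user."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n = p * q
    phi = (p - 1) * (q - 1)                      # Euler totient of n
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                          # d < phi(n) and e d = 1 (mod phi(n))
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """c = m^e mod n (step 8); requires m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """m = c^d mod n (step 9)."""
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, m):
    """s = m^d mod n (Algorithm 5.1, step 7). Textbook RSA: deployed schemes hash and pad m first."""
    n, d = priv
    if not 0 <= m < n:
        raise ValueError("document must satisfy 0 <= m < n")
    return pow(m, d, n)


def rsa_verify(pub, m, s):
    """Accept iff s^e mod n = m (Algorithm 5.1, step 9)."""
    n, e = pub
    return 0 <= m < n and pow(s, e, n) == m


def private_key_from_factor(pub, p):
    """Rebuild (n, d) from the public key and one prime factor p of n, as in Exercise 2 of
    sheet 3: the secrecy of d rests entirely on n being infeasible to factor."""
    n, e = pub
    q, r = divmod(n, p)
    if r != 0:
        raise ValueError("p does not divide n")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 23, 13)           # n = 391, as in Exercise 2 of sheet 3
    print(pub, priv)                             # (391, 13) (391, 325)
    print(rsa_encrypt(pub, 54))                  # 386
    print(rsa_decrypt(priv, 386))                # 54
    s = rsa_sign(priv, 26)
    print(s, rsa_verify(pub, 26, s))             # ..., True
```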

5.3 ElGamal digital signature


Algorithm 5.2 (The ElGamal digital signature algorithm).
1. A large prime number $p$ and a primitive root $g$ in $\mathbb{Z}_p^*$ are chosen by a public party.
2. Alice chooses a secret key $a$ such that $1 \le a \le p-1$.
3. She computes $A = g^a \bmod p$.
4. The verification key $A$ is made public.
5. Alice chooses $k$ such that $0 \le k < p-1$ and $\gcd(k, p-1) = 1$ (i.e. $k \in \mathbb{Z}_{p-1}^*$).
6. For a document $m$ such that $0 \le m \le p-1$, she computes the signature $s = (s_1, s_2)$ such that
$$s_1 = g^k \bmod p \quad \text{and} \quad s_2 = (m - a s_1) k^{-1} \bmod (p-1).$$
7. Bob computes $A^{s_1} s_1^{s_2} \bmod p$ and must verify that it is equal to $g^m \bmod p$.

Proof. Proof of correctness: We have
$$\begin{aligned}
(A^{s_1} s_1^{s_2}) \bmod p &= \left(g^{a s_1} (g^k \bmod p)^{(m - a s_1) k^{-1} \bmod (p-1)}\right) \bmod p \\
&= \left(g^{a s_1 + ((m - a s_1) k k^{-1} \bmod (p-1))}\right) \bmod p \\
&= \left(g^{a s_1 + (m - a s_1) + \alpha(p-1)}\right) \bmod p \\
&= \left(g^{m + \alpha(p-1)}\right) \bmod p \\
&= g^m (g^{p-1})^\alpha \bmod p \\
&= \left(g^m (1 + \beta p)^\alpha\right) \bmod p \\
&= g^m \bmod p.
\end{aligned}$$

5.4 Digital Signature Algorithm DSA


Algorithm 5.3 (The digital signature algorithm DSA).
1. Large prime numbers $p$ and $q$ are chosen such that $p \equiv 1 \pmod q$, and a $g$ of order $q$ modulo $p$ ($p$, $q$ and $g$ are chosen by a public party).
2. Alice chooses a secret key $a$ such that $1 \le a \le q-1$.
3. She computes $A = g^a \bmod p$.
4. The verification key $A$ is made public.
5. Alice chooses $k$ such that $1 < k \le q-1$.
6. For a document $m$ such that $0 \le m \le q-1$, she computes the signature $s = (s_1, s_2)$ where
$$s_1 = (g^k \bmod p) \bmod q \quad \text{and} \quad s_2 = (m + a s_1) k^{-1} \bmod q.$$
7. Bob computes $v_1 = m s_2^{-1} \bmod q$ and $v_2 = s_1 s_2^{-1} \bmod q$ and must verify that
$$(g^{v_1} A^{v_2} \bmod p) \bmod q = s_1.$$

Proof. Proof of correctness: We have
$$\begin{aligned}
((g^{v_1} A^{v_2}) \bmod p) \bmod q &= \left(\left(g^{m s_2^{-1}} A^{s_1 s_2^{-1} \bmod q}\right) \bmod p\right) \bmod q \\
&= \left(\left(g^{m s_2^{-1}} (g^a \bmod p)^{s_1 s_2^{-1} \bmod q}\right) \bmod p\right) \bmod q \\
&= \left(\left(g^{m s_2^{-1}} g^{a (s_1 s_2^{-1} \bmod q)}\right) \bmod p\right) \bmod q \\
&= \left(g^{m s_2^{-1} + a (s_1 s_2^{-1} \bmod q)} \bmod p\right) \bmod q \\
&= \left(g^{(m + a s_1) s_2^{-1} \bmod q} \bmod p\right) \bmod q \\
&= (g^k \bmod p) \bmod q \\
&= s_1.
\end{aligned}$$

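Added Python (not the notes' own code) implementing Algorithms 5.2 and 5.3 with their verification equations, using the ElGamal parameters of sheet 3 ($(p, g, a) = (127, 2, 17)$, $h = 53$, $k = 5$) and constructed DSA parameters $p = 23$, $q = 11$, $g = 2$ (2 has order 11 modulo 23). Beyond the correctness proofs above, it adds the range checks a verifier must perform (reject $s_1$ outside $1, \dots, p-1$, or a DSA $s_1$ or $s_2$ equal to 0), which the algorithms assume but do not state.

```python
from math import gcd


def elgamal_sign(priv, m, k):
    """s_1 = g^k mod p, s_2 = (m - a s_1) k^{-1} mod (p - 1); requires gcd(k, p - 1) = 1.
    k must stay secret and be fresh for every signature: reusing k exposes a."""
    p, g, a = priv
    if not (0 <= m <= p - 1 and 0 <= k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("bad message or k")
    s1 = pow(g, k, p)
    s2 = ((m - a * s1) * pow(k, -1, p - 1)) % (p - 1)
    return s1, s2


def elgamal_verify(pub, m, sig):
    """Accept iff A^{s_1} s_1^{s_2} = g^m (mod p), after checking that s_1 lies in Z_p^*."""
    p, g, A = pub
    s1, s2 = sig
    if not (1 <= s1 <= p - 1 and 0 <= s2 < p - 1):
        return False
    return (pow(A, s1, p) * pow(s1, s2, p)) % p == pow(g, m, p)


def dsa_sign(params, a, m, k):
    """s_1 = (g^k mod p) mod q, s_2 = (m + a s_1) k^{-1} mod q."""
    p, q, g = params
    if not (0 <= m <= q - 1 and 1 < k <= q - 1):
        raise ValueError("bad message or k")
    s1 = pow(g, k, p) % q
    s2 = ((m + a * s1) * pow(k, -1, q)) % q
    if s1 == 0 or s2 == 0:
        # FIPS 186 requires both components to be non-zero; pick another k.
        raise ValueError("degenerate signature, choose another k")
    return s1, s2


def dsa_verify(params, A, m, sig):
    """v_1 = m s_2^{-1} mod q, v_2 = s_1 s_2^{-1} mod q; accept iff (g^{v_1} A^{v_2} mod p) mod q = s_1."""
    p, q, g = params
    s1, s2 = sig
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    v1, v2 = (m * w) % q, (s1 * w) % q
    return ((pow(g, v1, p) * pow(A, v2, p)) % p) % q == s1


if __name__ == "__main__":
    priv = (127, 2, 17)                          # sheet 3, Exercise 1
    pub = (127, 2, pow(2, 17, 127))              # A = 8
    sig = elgamal_sign(priv, 53, 5)
    print(sig, elgamal_verify(pub, 53, sig))     # ..., True
    params = (23, 11, 2)                         # constructed DSA parameters, g of order 11
    A = pow(2, 7, 23)                            # secret key a = 7
    s = dsa_sign(params, 7, 5, 3)
    print(s, dsa_verify(params, A, 5, s))        # (8, 2) True
```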
Appendix A

Appendix

A.1 Exercises
University of Bejaia
Department of OR
Level: SDAD1
Course: Cryptography
Academic year: 22/23

Example sheet No. 1


Exercise 1.
1. Prove that (a ∧ b) ∧ c = a ∧ (b ∧ c) = a ∧ b ∧ c.

2. Using the Euclidean algorithm find 156 ∧ 66 and 165 ∧ 66 ∧ 110.

Exercise 2.

1. Find all integers x and y such that 17x + 12y = 1.


2. Find integers x, y and z such that 34x + 24y + 7z = 5.

Exercise 3. Let a = 163, b = 245 and c = 3675.

1. Find the prime factorization of the numbers a, b and c.


2. Find gcd(a, b) and ℓcm(a, b).
3. Find gcd(a, b, c) and ℓcm(a, b, c).

4. Find τ (a) the number of positive divisors of a.


5. Find σ(a) the sum of the positive divisors of a.
6. Find φ(a) and φ(b).

Exercise 4.
1. Find according to the values of $n$ the remainder of the division of $2^n$ by 3.
2. Find according to the values of $n$ the remainder of the division of $2^n$ by 7.

3. Find $x$ such that $x^2 + x \equiv 1 \pmod 7$.

Exercise 5. Solve the following congruences:


1. 2x ≡ 9 (mod 5),

2. 5x + 3 ≡ 11 (mod 12),
3. 14x ≡ 28 (mod 60).

Exercise 6. Use the Euclidean algorithm to find the inverse of a in Zn in the following cases:
1. a = 2, n = 5,
2. a = 5, n = 12,
3. a = 7, n = 30.

Supplementary exercises
Exercise 7. Solve the following congruences:

1. x + 7 ≡ 3 (mod 18),
2. 5x ≡ 12 (mod 100),
3. 5x ≡ 15 (mod 100),
4. $x^2 + 3 \equiv 2 \pmod 5$,

5. 4x ≡ 5 (mod 9),
6. 2x ≡ 7 (mod 17).

Exercise 8. Solve the following congruences:


1. x + 17 ≡ 23 (mod 37),
2. 5x + 42 ≡ 19 (mod 51),
3. $x^2 \equiv 3 \pmod{11}$,
4. $x^2 \equiv 2 \pmod{13}$,
5. $x^2 \equiv 1 \pmod 8$,
6. $x^3 - x^2 + 2x - 2 \equiv 0 \pmod{11}$,
7. x ≡ 1 (mod 5) and x ≡ 2 (mod 7),
8. x ≡ 3 (mod 7) and x ≡ 4 (mod 9),
9. x ≡ 4 (mod 7) and x ≡ 5 (mod 8) and x ≡ 11 (mod 15).

Exercise 9. Find φ(n) in the following cases:


1. n = 10,
2. n = 2455,
3. n = 29.

Exercise 10. Find the following:


1. $2^{32} \bmod 7$,
2. $10^{35} \bmod 7$,
3. $3^{35} \bmod 7$.

Exercise 11. Find Z∗n in the following cases:


1. n = 10,
2. n = 12,
3. n = 7.

Exercise 12. Let $A = [0, 2]$, $B = [1, 3]$, $C = [\tfrac{1}{2}, \tfrac{5}{2}]$, $A_n = [-n + 1, n]$, $B_n = [\tfrac{1}{n}, 2]$, $C_n = [0, \tfrac{1}{n}]$.
1. Find: $A \cup B$, $A \cap B$, $A^c$.
2. Find: $\bigcup_{n=1}^\infty A_n$, $\bigcup_{n=1}^\infty B_n$, $\bigcap_{n=1}^\infty C_n$.

Exercise 13. Consider the maps $X \xrightarrow{g} Y \xrightarrow{f} Z$. Show that
1. $f^{-1}\left(\bigcup_{\alpha \in I} A_\alpha\right) = \bigcup_{\alpha \in I} f^{-1}(A_\alpha)$,
2. $f^{-1}\left(\bigcap_{\alpha \in I} A_\alpha\right) = \bigcap_{\alpha \in I} f^{-1}(A_\alpha)$.

Exercise 14. Show that
1. $A \cap \left(\bigcup_{\alpha \in I} B_\alpha\right) = \bigcup_{\alpha \in I} (A \cap B_\alpha)$,
2. $A \cup \left(\bigcap_{\alpha \in I} B_\alpha\right) = \bigcap_{\alpha \in I} (A \cup B_\alpha)$.

Exercise 15. Consider $X \xrightarrow{g} Y \xrightarrow{f} Z$. Show that
1. $f^{-1}(A^c) = [f^{-1}(A)]^c$,
2. if $A \subseteq B$, then $f^{-1}(A) \subseteq f^{-1}(B)$,
3. $A \subseteq f^{-1}[f(A)]$,
4. $\left(\bigcap_{\alpha \in I} B_\alpha\right)^c = \bigcup_{\alpha \in I} B_\alpha^c$.

Exercise 16. Prove that
1. $\left(\bigcap_{\alpha \in I} A_\alpha\right) \times B = \bigcap_{\alpha \in I} (A_\alpha \times B)$,
2. $\left(\bigcup_{\alpha \in I} A_\alpha\right) \times B = \bigcup_{\alpha \in I} (A_\alpha \times B)$.

Exercise 17. Let $A_\alpha = [\alpha, +\infty)$, $\alpha \in \mathbb{R}$. Determine $\bigcap_{\alpha \in \mathbb{R}} A_\alpha$ and $\bigcup_{\alpha \in \mathbb{R}} A_\alpha$.

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 23/24

Example sheet No. 2


Exercise 1. Consider the Caesar cipher given by P = C = K = Z26 , with Z26 representing the
26 letters of the alphabet (A = 1, B = 2, . . . , Y = 25, Z = 0).
1. Given that k = 13, encrypt the plaintext message FIRST.
2. Decrypt the ciphertext ERQ.
3. Find the key given that the letter S is encrypted to D.

Exercise 2. Consider the affine cipher given by P = C = Z26 , K = Z∗26 × Z26 , with Z26
representing the 26 letters of the alphabet (A = 1, B = 2, . . . , Y = 25, Z = 0).
1. Given that k = (7, 3), encrypt the plaintext message DAY.
2. Decrypt the ciphertext RLF.
3. Find the key if the letter S is encrypted to A, and the letter H to R.

Exercise 3. Consider the matrix $k$ with entries in $\mathbb{Z}_{26}$,
$$k = \begin{pmatrix} 2 & 7 \\ 13 & 9 \end{pmatrix}.$$

1. Find the inverse of k.


2. Using the Hill cipher with key k, encrypt the plaintext message HELP.
3. Find the plaintext given that the ciphertext is c = YY.

Exercise 4. Consider the affine cipher with key k = (k1 , k2 ).


1. Suppose that we are using Z541 (541 is prime) and k = (34, 71), encrypt the plaintext
m = 214.
2. Decrypt the ciphertext c = 431.
3. Suppose that Alice and Bob decide to use Z601 (601 is prime) for the affine cipher, and 601
is public knowledge. Suppose that Eve intercepts the ciphertexts c1 = 324 and c2 = 381,
and manages to find out the corresponding plaintexts m1 = 387 and m2 = 491. Determine
the private key.

Supplementary exercises

Exercise 5. Let $n \in \mathbb{N}^*$ be a large positive integer and let $M = C = K = \mathbb{Z}_n$. For each $k \in K$ consider the function $e_k : M \to C$. Determine whether $K$ is a key space in the following cases:
1. $e_k(m) = k - m$
2. $e_k(m) = km$
3. $e_k(m) = (k + m)^2$

Exercise 6. Consider the matrix $k$ with entries in $\mathbb{Z}_{26}$,
$$k = \begin{pmatrix} 8 & 7 & 17 \\ 19 & x & 4 \\ 20 & 1 & 4 \end{pmatrix}.$$

1. Find the values of x for which k is invertible.


2. Find the inverse of k.
3. Using the Hill cipher with key k and given that x = 18, encrypt the plaintext message
DAM.
4. Find the plaintext given that the ciphertext is c = VVV.

Exercise 7. Consider the affine Hill cipher with $\mathbb{Z}_7$ and key $k = (k_1, k_2)$ given by
$$k_1 = \begin{pmatrix} 1 & 3 \\ 2 & 2 \end{pmatrix} \quad \text{and} \quad k_2 = (5, 4)^\top.$$

1. Encrypt the plaintext m = (2, 1)⊤ .

2. Decrypt the ciphertext c = (3, 5)⊤ .


3. Find $(k_1, k_2)$ given that the following plaintext/ciphertext pairs were generated using an affine Hill cipher with $\mathbb{Z}_{11}$:
$m_1 = (5, 4)^\top$, $c_1 = (1, 8)^\top$, $m_2 = (8, 10)^\top$, $c_2 = (8, 5)^\top$, $m_3 = (7, 1)^\top$, $c_3 = (8, 7)^\top$.

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 23/24

Example sheet No. 3


Exercise 1. You would like to add a signature to your message using the ElGamal digital signature algorithm. Suppose that the hash of your message text is $h = 53$. Your private ElGamal key is $(p, g, a) = (127, 2, 17)$.
1. Compute the signature (s1 , s2 ) (use k = 5).
2. Verify that the receiver, knowing your public key, can verify the signature.

Exercise 2. Mark’s RSA public key is (n, e) = (391, 13).


1. Encrypt the plaintext m = 54 for transmission to Mark.
2. Factorise 391.
3. Decrypt the ciphertext c = 21 which was sent to Mark.
4. Sign the text m = 26 for Mark.

Exercise 3. Alice and Bob agree to use the prime p = 1373 and the base g = 2 for a
Diffie–Hellman key exchange. Alice sends Bob the value A = 974. Bob asks your assistance, so
you tell him to use the secret exponent b = 871.
1. Determine the value of B that Bob should send to Alice.
2. Determine their secret shared value.

Supplementary exercises
Exercise 4. Alice uses the RSA signature scheme with primes p = 541 and q = 1223 and public
verification exponent e = 159853.
1. Determine Alice’s public modulus.
2. Determine her private signing key.
3. Determine the signature of the digital document $D = 630579$ that Alice signs.

Exercise 5. Alice and Bob would like to agree on a secret key n such that 1 < n < 1000.
Both choose private keys: dA = 513 and dB = 33 modulo p = 1009, respectively. The smallest
primitive element modulo p is a = 11. Use the Diffie-Hellman key exchange to compute the
secret key for both Alice and Bob and show that they agree.

Solutions No. 1

Exercise 1.

1. Using the fact that div(a, b) = div(a ∧ b), we have

div(a ∧ b, c) = div(a ∧ b) ∩ div(c)


= div(a, b) ∩ div(c)
= div(a, b, c).

Hence max div(a ∧ b, c) = max div(a, b, c), that is (a ∧ b) ∧ c = a ∧ b ∧ c.

We have as well

div(a, b ∧ c) = div(a) ∩ div(b ∧ c)


= div(a) ∩ div(b, c)
= div(a, b, c).

Hence max div(a, b ∧ c) = max div(a, b, c), that is a ∧ (b ∧ c) = a ∧ b ∧ c.

Therefore
$$(a \wedge b) \wedge c = a \wedge (b \wedge c) = a \wedge b \wedge c.$$

2. We have

156 = 2 × 66 + 24
66 = 2 × 24 + 18
24 = 1 × 18 + 6
18 = 3 × 6 + 0.

Hence 156 ∧ 66 = 6.
We have

110 = 18 × 6 + 2
6 = 3 × 2 + 0.

Therefore we have

156 ∧ 66 ∧ 110 = (156 ∧ 66) ∧ 110


= 6 ∧ 110
= 2.

Exercise 2.

1. We have

17 = 1 × 12 + 5 → 5 = 17 − 1 × 12
12 = 2 × 5 + 2 → 2 = 12 − 2 × 5
5 = 2 × 2 + 1 → 1 = 5 − 2 × 2.

Hence $1 = 5 - 2 \times 2$. Applying back-substitution we get $5 \times 17 - 7 \times 12 = 1$. Subtracting $17x + 12y = 1$ from $5 \times 17 - 7 \times 12 = 1$, we get $17(x - 5) = -12(y + 7)$. Since $17 \mid 12(y + 7)$ and 17 and 12 are coprime, $17 \mid y + 7$, that is $y + 7 = 17t$ for some integer $t$. Hence $x = -12t + 5$ and $y = 17t - 7$ for some integer $t$.

Let S = {(x, y) ∈ Z2 : 17x + 12y = 1}, then

S = {(−12t + 5, 17t − 7) : t ∈ Z}.

2. Since gcd(34, 24) = 2, then there are integers x0 and y0 such that 34x0 + 24y0 = 2. We
have

34 = 1 × 24 + 10 → 10 = 34 − 1 × 24
24 = 2 × 10 + 4 → 4 = 24 − 2 × 10
10 = 2 × 4 + 2 → 2 = 10 − 2 × 4
4 = 2 × 2 + 0.

Applying back-substitution we get
$$34 \times 5 + 24 \times (-7) = 2. \tag{A.1}$$
Therefore
$$34 \times (5\alpha) + 24 \times (-7\alpha) = 2\alpha. \tag{A.2}$$
Subtracting $34x + 24y = 2\alpha$ from (A.2) we get $17(x - 5\alpha) = -12(7\alpha + y)$. Therefore $(x, y) = (12s + 5\alpha, -17s - 7\alpha)$.

We solve $2w + 7z = 5$: we have $2 \times (-1) + 7 = 5$, hence $(w, z) = (7t - 1, -2t + 1)$. Taking $\alpha = w$ (so that $34x + 24y = 2w = 5 - 7z$) we get
$$T = \{(12s + 35t - 5, -17s - 49t + 7, -2t + 1) : s, t \in \mathbb{Z}\}.$$

Exercise 3. Let a = 163, b = 245 and c = 3675.
1. Prime factorization of the numbers a, b and c:

$$a = 163, \quad b = 5 \times 7^2, \quad c = 3 \times 5^2 \times 7^2.$$

2. We have $a = 3^0 \times 5^0 \times 7^0 \times 163^1$, $b = 3^0 \times 5^1 \times 7^2 \times 163^0$, $c = 3^1 \times 5^2 \times 7^2 \times 163^0$.

Hence $\gcd(a, b) = 3^0 \times 5^0 \times 7^0 \times 163^0 = 1$ and $\operatorname{lcm}(a, b) = 3^0 \times 5^1 \times 7^2 \times 163^1 = 39935$.
3. We have $\gcd(a, b, c) = 3^0 \times 5^0 \times 7^0 \times 163^0 = 1$ and $\operatorname{lcm}(a, b, c) = 3^1 \times 5^2 \times 7^2 \times 163^1 = 599025$.

4. We have $\tau(a) = 2$.
5. We have $\sigma(a) = 1 + 163 = 164$, the sum of the positive divisors of $a$.

6. We have $\varphi(a) = \varphi(163) = 162$, and $\varphi(b) = \varphi(5)\varphi(7^2) = 4(7^2 - 7) = 168$.

Exercise 4.
1. Find according to the values of $n$ the remainder of the division of $2^n$ by 3.
We have $2^0 \equiv 1 \pmod 3$, $2^1 \equiv 2 \pmod 3$, $2^2 \equiv 1 \pmod 3$. Therefore
• if $n = 2k$ then $2^n = 2^{2k} = (2^2)^k \equiv 1 \pmod 3$,
• if $n = 2k + 1$ then $2^n = 2^{2k+1} = 2(2^2)^k \equiv 2 \pmod 3$.

2. Find according to the values of $n$ the remainder of the division of $2^n$ by 7.
We have $2^0 \equiv 1 \pmod 7$, $2^1 \equiv 2 \pmod 7$, $2^2 \equiv 4 \pmod 7$, $2^3 \equiv 1 \pmod 7$. Therefore
• if $n = 3k$ then $2^n = 2^{3k} = (2^3)^k \equiv 1 \pmod 7$,
• if $n = 3k + 1$ then $2^n = 2^{3k+1} = 2(2^3)^k \equiv 2 \pmod 7$,
• if $n = 3k + 2$ then $2^n = 2^{3k+2} = 4(2^3)^k \equiv 4 \pmod 7$.

3. We have $x^2 + x \equiv 1 \pmod 7$ iff $x(x + 1) = 1$ in $\mathbb{Z}_7$. We have
• if $x = 0$, then $x(x + 1) = 0$
• if $x = 1$, then $x(x + 1) = 2$
• if $x = 2$, then $x(x + 1) = 6$
• if $x = 3$, then $x(x + 1) = 5$
• if $x = 4$, then $x(x + 1) = 6$
• if $x = 5$, then $x(x + 1) = 2$
• if $x = 6$, then $x(x + 1) = 0$
Hence for every $x \in \mathbb{Z}_7$ we have $x(x + 1) \neq 1$; therefore the congruence $x^2 + x \equiv 1 \pmod 7$ has no solution.

Exercise 5. Solve the following congruences:
1. $2x \equiv 9 \pmod 5$.
This congruence is equivalent to the equation $\bar{2}\,\bar{x} = \bar{4}$ in $\mathbb{Z}_5$. Hence $\bar{3}\,\bar{2}\,\bar{x} = \bar{3}\,\bar{4}$, and hence $\bar{x} = \bar{2}$. Therefore $x \equiv 2 \pmod 5$.
2. $5x + 3 \equiv 11 \pmod{12}$.
This congruence is equivalent to the equation $\bar{5}\,\bar{x} = \bar{8}$ in $\mathbb{Z}_{12}$. Hence $\bar{5}\,\bar{5}\,\bar{x} = \bar{5}\,\bar{8}$, and hence $\bar{x} = \bar{4}$. Therefore $x \equiv 4 \pmod{12}$.
3. $14x \equiv 28 \pmod{60}$.
This congruence is equivalent to the equation $\bar{7}\,\bar{x} = \overline{14}$ in $\mathbb{Z}_{30}$. Hence $\overline{13}\,\bar{7}\,\bar{x} = \overline{13}\,\overline{14}$, and hence $\bar{x} = \bar{2}$. Therefore $x \equiv 2 \pmod{30}$.

Exercise 6. Use the Euclidean algorithm to find the inverse of $a$ in $\mathbb{Z}_n$ in the following cases:
1. $a = 2$, $n = 5$: We have $5 = 2 \times 2 + 1$. Hence $2 \times (-2) = 1 - 5$, hence $\bar{2}^{-1} = \overline{-2} = \bar{3}$.
2. $a = 5$, $n = 12$: We have $12 = 2 \times 5 + 2$, $5 = 2 \times 2 + 1$. By back-substitution we get $5 \times 5 - 2 \times 12 = 1$, i.e. $5 \times 5 = 1 + 2 \times 12$. Hence $\bar{5}^{-1} = \bar{5}$.
3. $a = 7$, $n = 30$: We have $30 = 4 \times 7 + 2$, $7 = 3 \times 2 + 1$. By back-substitution we get $13 \times 7 - 3 \times 30 = 1$, i.e. $13 \times 7 = 1 + 3 \times 30$. Hence $\bar{7}^{-1} = \overline{13}$.

Supplementary exercises
Exercise 7. Solve the following congruences:
1. $x + 7 \equiv 3 \pmod{18}$, (sol. $x \equiv 14 \pmod{18}$)
2. $5x \equiv 12 \pmod{100}$, (no solution since $\gcd(5, 100) = 5$ does not divide 12)
3. $5x \equiv 15 \pmod{100}$, (sol. $x \equiv 3 \pmod{20}$)
4. $x^2 + 3 \equiv 2 \pmod 5$, (sol. $x \equiv 2 \pmod 5$ or $x \equiv 3 \pmod 5$)
5. $4x \equiv 5 \pmod 9$, (sol. $x \equiv 8 \pmod 9$)
6. $2x \equiv 7 \pmod{17}$, (sol. $x \equiv 12 \pmod{17}$).

Exercise 8. Solve the following congruences:


1. $x + 17 \equiv 23 \pmod{37}$, (sol. $x \equiv 6 \pmod{37}$)
2. $5x + 42 \equiv 19 \pmod{51}$, (sol. $x \equiv 26 \pmod{51}$)
3. $x^2 \equiv 3 \pmod{11}$, (sol. $x \equiv 5 \pmod{11}$ or $x \equiv 6 \pmod{11}$)
4. $x^2 \equiv 2 \pmod{13}$, (no solution)
5. $x^2 \equiv 1 \pmod 8$, (sol. $x \equiv 1 \pmod 8$ or $x \equiv 3 \pmod 8$ or $x \equiv 5 \pmod 8$ or $x \equiv 7 \pmod 8$)
6. $x^3 - x^2 + 2x - 2 \equiv 0 \pmod{11}$, (sol. $x \equiv 1 \pmod{11}$ or $x \equiv 3 \pmod{11}$ or $x \equiv 8 \pmod{11}$)
7. x ≡ 1 (mod 5) and x ≡ 2 (mod 7), (sol. x ≡ 51 (mod 35) using the Chinese remainder
theorem)
8. x ≡ 3 (mod 7) and x ≡ 4 (mod 9), (sol. x ≡ 31 (mod 63) using the Chinese remainder
theorem)
9. x ≡ 4 (mod 7) and x ≡ 5 (mod 8) and x ≡ 11 (mod 15), (sol. x ≡ 221 (mod 840) using the
Chinese remainder theorem)

Exercise 9. Find φ(n) in the following cases:
1. n = 10, (sol. φ(10) = 4)
2. n = 2455, (sol. φ(2455) = 1960)
3. n = 29, (sol. φ(29) = 28).

Exercise 10. Find the following:


1. $2^{32} \bmod 7$, (sol. 4)
2. $10^{35} \bmod 7$, (sol. 5)
3. $3^{35} \bmod 7$, (sol. 5)

Exercise 11. Find $\mathbb{Z}_n^*$ in the following cases:
1. $n = 10$, (sol. $\mathbb{Z}_{10}^* = \{1, 3, 7, 9\}$)
2. $n = 12$, (sol. $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$)
3. $n = 7$, (sol. $\mathbb{Z}_7^* = \{1, 2, 3, 4, 5, 6\}$).
Exercise 12.
1. We have:
(a) $A \cup B = [0, 2] \cup [1, 3] = [0, 3]$
(b) $A \cap B = [0, 2] \cap [1, 3] = [1, 2]$
(c) $A^c = \mathbb{R} - [0, 2] = (-\infty, 0) \cup (2, +\infty)$.
2. (a) We have
$$\begin{aligned}
x \in \bigcup_{n=1}^\infty A_n &\iff (\exists n \ge 1)(x \in A_n) \\
&\iff (\exists n \ge 1)(-n + 1 \le x \le n) \\
&\iff (\exists n \ge 1)(n \ge \max(x, 1 - x)) \\
&\iff x \in \mathbb{R}.
\end{aligned}$$
Therefore
$$\bigcup_{n=1}^\infty A_n = \mathbb{R}.$$
(b) We have
$$\begin{aligned}
x \in \bigcup_{n=1}^\infty B_n &\iff (\exists n \ge 1)(x \in B_n) \\
&\iff (\exists n \ge 1)\left(\tfrac{1}{n} \le x \le 2\right) \\
&\iff x \in (0, 2],
\end{aligned}$$
(for the last step, if $x \in (0, 2]$, then choose $n$ such that $n > \tfrac{1}{x}$, and then we get $\tfrac{1}{n} \le x \le 2$). Therefore
$$\bigcup_{n=1}^\infty B_n = (0, 2].$$
(c) If $x < 0$ then $x \notin \bigcap_{n=1}^\infty C_n$. We have $0 \in \bigcap_{n=1}^\infty C_n$ since 0 is in every $C_n$. If $x > 0$ then $x \notin \bigcap_{n=1}^\infty C_n$ because for $n > \tfrac{1}{x}$, i.e. $\tfrac{1}{n} < x$, we have $x \notin C_n$. Therefore
$$\bigcap_{n=1}^\infty C_n = \{0\}.$$

Exercise 13.
1. We have
$$\begin{aligned}
x \in f^{-1}\Big(\bigcup_{\alpha \in I} A_\alpha\Big) &\iff f(x) \in \bigcup_{\alpha \in I} A_\alpha \\
&\iff (\exists \alpha \in I)(f(x) \in A_\alpha) \\
&\iff (\exists \alpha \in I)(x \in f^{-1}(A_\alpha)) \\
&\iff x \in \bigcup_{\alpha \in I} f^{-1}(A_\alpha).
\end{aligned}$$
Hence
$$(\forall x)\Big(x \in f^{-1}\Big(\bigcup_{\alpha \in I} A_\alpha\Big) \iff x \in \bigcup_{\alpha \in I} f^{-1}(A_\alpha)\Big).$$
Hence
$$f^{-1}\Big(\bigcup_{\alpha \in I} A_\alpha\Big) = \bigcup_{\alpha \in I} f^{-1}(A_\alpha).$$

2. We have
$$\begin{aligned}
x \in f^{-1}\Big(\bigcap_{\alpha \in I} A_\alpha\Big) &\iff f(x) \in \bigcap_{\alpha \in I} A_\alpha \\
&\iff (\forall \alpha \in I)(f(x) \in A_\alpha) \\
&\iff (\forall \alpha \in I)(x \in f^{-1}(A_\alpha)) \\
&\iff x \in \bigcap_{\alpha \in I} f^{-1}(A_\alpha).
\end{aligned}$$
Then
$$(\forall x)\Big(x \in f^{-1}\Big(\bigcap_{\alpha \in I} A_\alpha\Big) \iff x \in \bigcap_{\alpha \in I} f^{-1}(A_\alpha)\Big).$$
Then
$$f^{-1}\Big(\bigcap_{\alpha \in I} A_\alpha\Big) = \bigcap_{\alpha \in I} f^{-1}(A_\alpha).$$

Exercise 14.
1. We have
$$\begin{aligned}
x \in A \cap \Big(\bigcup_{\alpha \in I} B_\alpha\Big) &\iff x \in A \text{ and } x \in \bigcup_{\alpha \in I} B_\alpha \\
&\iff (x \in A) \text{ and } (\exists \alpha \in I)(x \in B_\alpha) \\
&\iff (\exists \alpha \in I)(x \in A \text{ and } x \in B_\alpha) \\
&\iff (\exists \alpha \in I)(x \in A \cap B_\alpha) \\
&\iff x \in \bigcup_{\alpha \in I} (A \cap B_\alpha).
\end{aligned}$$
Hence
$$A \cap \Big(\bigcup_{\alpha \in I} B_\alpha\Big) = \bigcup_{\alpha \in I} (A \cap B_\alpha).$$

2. We have
$$\begin{aligned}
x \in A \cup \Big(\bigcap_{\alpha \in I} B_\alpha\Big) &\iff x \in A \text{ or } x \in \bigcap_{\alpha \in I} B_\alpha \\
&\iff (x \in A) \text{ or } (\forall \alpha \in I)(x \in B_\alpha) \\
&\iff (\forall \alpha \in I)(x \in A \text{ or } x \in B_\alpha) \\
&\iff (\forall \alpha \in I)(x \in A \cup B_\alpha) \\
&\iff x \in \bigcap_{\alpha \in I} (A \cup B_\alpha).
\end{aligned}$$
Hence
$$A \cup \Big(\bigcap_{\alpha \in I} B_\alpha\Big) = \bigcap_{\alpha \in I} (A \cup B_\alpha).$$

Exercise 15.
1. We have
$$\begin{aligned}
x \in f^{-1}(A^c) &\iff f(x) \in A^c \\
&\iff f(x) \notin A \\
&\iff x \notin f^{-1}(A) \\
&\iff x \in [f^{-1}(A)]^c.
\end{aligned}$$
Then
$$(\forall x)\big(x \in f^{-1}(A^c) \iff x \in [f^{-1}(A)]^c\big).$$
Then
$$f^{-1}(A^c) = [f^{-1}(A)]^c.$$

2. We have
$$\begin{aligned}
x \in f^{-1}(A) &\implies f(x) \in A \\
&\implies f(x) \in B \quad (\text{since } A \subseteq B) \\
&\implies x \in f^{-1}(B).
\end{aligned}$$
Then
$$f^{-1}(A) \subseteq f^{-1}(B).$$

3. If $x \in A$ then $f(x) \in f(A)$, and hence $x \in f^{-1}[f(A)]$. Then
$$A \subseteq f^{-1}[f(A)].$$

4. We have
$$\begin{aligned}
x \in \Big(\bigcap_{\alpha \in I} B_\alpha\Big)^c &\iff x \notin \bigcap_{\alpha \in I} B_\alpha \\
&\iff (\exists \alpha \in I)(x \notin B_\alpha) \\
&\iff (\exists \alpha \in I)(x \in B_\alpha^c) \\
&\iff x \in \bigcup_{\alpha \in I} B_\alpha^c.
\end{aligned}$$
Hence
$$\Big(\bigcap_{\alpha \in I} B_\alpha\Big)^c = \bigcup_{\alpha \in I} B_\alpha^c.$$

Exercise 16.
1. We have
$$\begin{aligned}
(x, y) \in \Big(\bigcap_{\alpha \in I} A_\alpha\Big) \times B &\iff x \in \bigcap_{\alpha \in I} A_\alpha \text{ and } y \in B \\
&\iff (\forall \alpha \in I)(x \in A_\alpha) \text{ and } (y \in B) \\
&\iff (\forall \alpha \in I)(x \in A_\alpha \text{ and } y \in B) \\
&\iff (\forall \alpha \in I)((x, y) \in A_\alpha \times B) \\
&\iff (x, y) \in \bigcap_{\alpha \in I} (A_\alpha \times B).
\end{aligned}$$
Hence
$$\Big(\bigcap_{\alpha \in I} A_\alpha\Big) \times B = \bigcap_{\alpha \in I} (A_\alpha \times B).$$

2. We have
$$\begin{aligned}
(x, y) \in \Big(\bigcup_{\alpha \in I} A_\alpha\Big) \times B &\iff x \in \bigcup_{\alpha \in I} A_\alpha \text{ and } y \in B \\
&\iff (\exists \alpha \in I)(x \in A_\alpha) \text{ and } (y \in B) \\
&\iff (\exists \alpha \in I)(x \in A_\alpha \text{ and } y \in B) \\
&\iff (\exists \alpha \in I)((x, y) \in A_\alpha \times B) \\
&\iff (x, y) \in \bigcup_{\alpha \in I} (A_\alpha \times B).
\end{aligned}$$
Hence
$$\Big(\bigcup_{\alpha \in I} A_\alpha\Big) \times B = \bigcup_{\alpha \in I} (A_\alpha \times B).$$

Exercise 17.
1. Suppose that $x \in \bigcap_{\alpha \in \mathbb{R}} A_\alpha$. But $x \notin A_{x+1} = [x + 1, +\infty)$, a contradiction. Hence
$$\bigcap_{\alpha \in \mathbb{R}} A_\alpha = \emptyset.$$

2. We have
$$\begin{aligned}
x \in \bigcup_{\alpha \in \mathbb{R}} A_\alpha &\iff (\exists \alpha \in \mathbb{R})(x \in A_\alpha) \\
&\iff (\exists \alpha \in \mathbb{R})(x \in [\alpha, +\infty)) \\
&\iff x \in \mathbb{R}.
\end{aligned}$$
Hence
$$\bigcup_{\alpha \in \mathbb{R}} A_\alpha = \mathbb{R}.$$

Solutions No. 2
Exercise 1. Consider the Caesar cipher given by P = C = K = Z26 , with Z26 representing the
26 letters of the alphabet (A = 1, B = 2, . . . , Y = 25, Z = 0).
1. Given that k = 13, encrypt the plaintext message FIRST.
The encryption function ek : Z26 → Z26 is given by

ek (m) = m + k.

We have
ek (F ) = ek (6) = 6 + 13 = 19 = S
ek (I) = ek (9) = 9 + 13 = 22 = V
ek (R) = ek (18) = 18 + 13 = 5 = E
ek (S) = ek (19) = 19 + 13 = 6 = F
ek (T ) = ek (20) = 20 + 13 = 7 = G.

Hence the word FIRST is encrypted to SVEFG.


2. Decryption of the ciphertext ERQ:
The decryption function dk : Z26 → Z26 is given by

dk (c) = c − k.

We have
dk (E) = dk (5) = 5 − 13 = 18 = R
dk (R) = dk (18) = 18 − 13 = 5 = E
dk (Q) = dk (17) = 17 − 13 = 4 = D.

Hence the ciphertext ERQ is decrypted as RED.


3. Find the key given that the letter S is encrypted to D.

Since ek (m) = c = m + k, then k = c − m = D − S = 4 − 19 = 11. Hence the key is k = 11.

Exercise 2. Consider the affine cipher given by P = C = Z26 , K = Z∗26 × Z26 , with Z26
representing the 26 letters of the alphabet (A = 1, B = 2, . . . , Y = 25, Z = 0).

1. Given that k = (7, 3), encrypt the plaintext message DAY.


The encryption function ek : Z26 → Z26 is given by

ek (m) = 7m + 3.

We have
ek (D) = ek (4) = 7 × 4 + 3 = 5 = E
ek (A) = ek (1) = 7 × 1 + 3 = 5 = G
ek (Y ) = ek (4) = 7 × 25 + 3 = 22 = V

Hence the plaintext message DAY is encrypted to EGV.

2. Decrypt the ciphertext RLF.
The decryption function dk : Z26 → Z26 is given by

$$d_k(c) = 7^{-1}(c - 3).$$

Using the Euclidean algorithm, we find that the inverse of 7 in Z26 is 15.
We have
dk (R) = dk (18) = 15(18 − 3) = 17 = Q
dk (L) = dk (12) = 15(12 − 3) = 5 = E
dk (F ) = dk (6) = 15(6 − 3) = 19 = S

3. Find the key if the letter S is encrypted to A, and the letter H to R.


Let m = S = 19, c = A = 1 and m′ = H = 8, c′ = R = 18.

We have $c = k_1 m + k_2$ and $c' = k_1 m' + k_2$. Then $c - c' = k_1(m - m')$, and therefore
$$\begin{aligned}
k_1 &= (m - m')^{-1}(c - c') \\
&= 11^{-1} \times (-17) \\
&= (-7) \times (-17) \\
&= 15.
\end{aligned}$$

On the other hand we have k2 = c − k1 m = 1 − 15 × 19 = 2.


Hence k = (15, 2).

Exercise 3. Consider the matrix $k$ with entries in $\mathbb{Z}_{26}$:
$$k = \begin{pmatrix} 2 & 7 \\ 13 & 9 \end{pmatrix}.$$

1. The inverse of $k$:
We have
$$k^{-1} = (2 \times 9 - 13 \times 7)^{-1} \begin{pmatrix} 9 & -7 \\ -13 & 2 \end{pmatrix} = \begin{pmatrix} 7 & 9 \\ 13 & 16 \end{pmatrix}.$$

2. Using the Hill cipher with key k, encrypt the plaintext message HELP.

We have H = 8, E = 5, L = 12, P = 16.


We have

ek (8, 5)⊤ = k(8, 5)⊤


= (108, 154)⊤
= (25, 19)⊤

and

ek (12, 16)⊤ = k(12, 16)⊤


= (136, 300)⊤
= (6, 14)⊤ .

Therefore we conclude that HELP is encrypted to YSFN.


3. Find the plaintext given that the ciphertext is c = YY.

We have Y = 25. We have

dk (25, 25)⊤ = k −1 (25, 25)⊤


= (10, 23)⊤ .

Therefore the plaintext corresponding to the ciphertext c = YY is m = JW.

Exercise 4. Consider the affine cipher with key k = (k1 , k2 ).


1. Suppose that we are using Z541 (541 is prime) and k = (34, 71), encrypt the plaintext
m = 214.

The encryption function ek : Z541 → Z541 is given by

ek (m) = 34m + 71.

Hence ek (214) = 34 × 214 + 71 = 7347 = 314


2. Decrypt the ciphertext c = 431.
The decryption function dk : Z541 → Z541 is given by

dk (c) = 34−1 (c − 71).

We have

541 = 15 × 34 + 31 → 31 = 541 − 15 × 34
34 = 1 × 31 + 3 → 3 = 34 − 1 × 31
31 = 10 × 3 + 1 → 1 = 31 − 10 × 3.

By back-substitution we get

1 = 11 × 541 − 175 × 34.

Hence the inverse of 34 in Z541 is 366.

Hence dk (431) = 366(431 − 71) = 131 760 = 297

3. Suppose that Alice and Bob decide to use Z601 (601 is prime) for the affine cipher, and 601
is public knowledge. Suppose that Eve intercepts the ciphertexts c1 = 324 and c2 = 381,
and manages to find out the corresponding plaintexts m1 = 387 and m2 = 491. Determine
the private key.

We have m1 = 387, c1 = 324 and m2 = 491, c2 = 381.

We have c1 = k1 m1 + k2 and c2 = k1 m2 + k2. Then c2 − c1 = k1 (m2 − m1), and therefore

k1 = (m2 − m1)^{-1} (c2 − c1) = (104)^{-1} × 57 = 549 × 57 = 41

(the inverse of 4 in Z601 is −150 = 451, since −150 × 4 = 1 − 601). Therefore k1 = 41, and hence
k2 = c1 − k1 m1 = 83. Therefore
k = (41, 83).
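The following Python block is an added example, not code from these notes: it implements the affine cipher over an arbitrary Z_n as used in Exercise 2 (n = 26, letters encoded A = 1, ..., Y = 25, Z = 0) and Exercise 4 (n = 541 and n = 601), together with the key recovery from two known plaintext/ciphertext pairs carried out in question 3 of both exercises. The function names and the `ALPHABET` string are the example's own; `pow(k1, -1, n)` is the standard-library modular inverse (Python 3.8 or later).

```python
from math import gcd

# Letter encoding used in the exercises: A = 1, B = 2, ..., Y = 25, Z = 0,
# so the index of each letter in this string is its residue modulo 26.
ALPHABET = "ZABCDEFGHIJKLMNOPQRSTUVWXY"


def is_valid_key(key, n):
    """k = (k1, k2) is a valid affine key over Z_n only if k1 is a unit of Z_n."""
    k1, _ = key
    return gcd(k1 % n, n) == 1


def affine_encrypt(m, key, n):
    """e_k(m) = k1*m + k2 in Z_n."""
    k1, k2 = key
    return (k1 * m + k2) % n


def affine_decrypt(c, key, n):
    """d_k(c) = k1^{-1} (c - k2) in Z_n.  pow(k1, -1, n) raises ValueError
    when gcd(k1, n) != 1, i.e. when the key cannot be inverted."""
    k1, k2 = key
    k1_inv = pow(k1, -1, n)
    return (k1_inv * (c - k2)) % n


def recover_key(m1, c1, m2, c2, n):
    """Solve c1 = k1*m1 + k2 and c2 = k1*m2 + k2 for (k1, k2) in Z_n, as in
    question 3 of Exercises 2 and 4: subtracting the two equations gives
    k1 = (m1 - m2)^{-1} (c1 - c2), then k2 = c1 - k1*m1.
    Two pairs determine the key only if m1 - m2 is a unit of Z_n."""
    k1 = (pow((m1 - m2) % n, -1, n) * (c1 - c2)) % n
    k2 = (c1 - k1 * m1) % n
    return k1, k2


def encrypt_text(text, key):
    """Letter-by-letter affine encryption over Z_26 with the encoding above."""
    return "".join(ALPHABET[affine_encrypt(ALPHABET.index(ch), key, 26)]
                   for ch in text.upper())


def decrypt_text(text, key):
    """Letter-by-letter affine decryption over Z_26 with the encoding above."""
    return "".join(ALPHABET[affine_decrypt(ALPHABET.index(ch), key, 26)]
                   for ch in text.upper())


if __name__ == "__main__":
    print(decrypt_text("RLF", (7, 3)))           # Exercise 2, question 2
    print(recover_key(19, 1, 8, 18, 26))          # S -> A and H -> R
    print(affine_encrypt(214, (34, 71), 541))     # Exercise 4, question 1
    print(recover_key(387, 324, 491, 381, 601))   # Exercise 4, question 3
```

The key-space condition K = Z*_n × Z_n of Exercise 2 is exactly what `is_valid_key` checks: a non-unit k1 makes e_k non-injective, so two plaintexts collide and decryption is impossible, which is why `affine_decrypt` fails loudly instead of returning a wrong letter.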

Solutions No. 3
Exercise 1.
1. We have (p, g, a) = (127, 2, 17), h = 53. Let k = 5.
We have

s1 = g^k mod p
   = 2^3 mod 127
   = 8

and

s2 = (h − a s1) k^{-1} mod (p − 1)
   = (53 − 17 · 8) · 5^{-1} mod 126
   = (53 − 17 · 8) · (−25) mod 126
   = 59.

Therefore the signature (s1, s2) is given by
(s1, s2) = (8, 59).

2. We have to verify that

A^{s1} · s1^{s2} mod p = g^h mod p.

The public key A is given by

A = g^a mod p
  = 2^{17} mod 127
  = 8.

Therefore we have

A^{s1} · s1^{s2} mod p = 8^8 · 8^{59} mod 127
                      = 8^{67} mod 127
                      = 16

and

g^h mod p = 2^{53} mod 127
          = 16.

Exercise 2.
1. We have the public key (n, e) = (391, 13). The message m = 54 ∈ Z391 is encrypted as

c = m^e mod 391
  = 54^{13} mod 391
  = (54^4)^3 · 54 mod 391
  = (370)^3 · 54 mod 391
  = 386.

2. We have 391 = 17 × 23.
3. We have φ(391) = 16 × 22 = 352. The inverse of e = 13 in Z352 is d = 325 = 5^2 × 13 and
hence the private key is (n, d) = (391, 325). The ciphertext c = 21 is deciphered as

m = c^d mod 391
  = 21^{325} mod 391
  = (21^5)^{65} mod 391
  = (106^5)^{13} mod 391
  = ((38)^5)^2 · (38)^3 mod 391
  = (191)^2 · (38)^3 mod 391
  = 327.

4. The message m = 26 is signed as

s = m^d mod 391
  = 26^{325} mod 391
  = (26^5)^{65} mod 391
  = (59^5)^{13} mod 391
  = ((349)^4)^3 · 349 mod 391
  = (118)^3 · 349 mod 391
  = 246.

Exercise 3.

1. We have b = 871 = 13 × 67 = 2^9 + 2^8 + 2^6 + 2^5 + 2^2 + 2 + 1 and A = 974 = 2 × 487. The
value of B is given by

B = g^b mod p
  = 2^{871} mod 1373
  = (2^{13})^{67} mod 1373
  = (1327)^{67} mod 1373
  = ((−46)^4)^{16} · (1327)^3 mod 1373
  = (103^4)^4 · 147 mod 1373
  = (579)^4 · 147 mod 1373
  = 267 · 147 mod 1373
  = 805.

2. We have

974^2 ≡ −67 (mod 1373)
974^4 ≡ 370 (mod 1373)
974^8 ≡ 973 (mod 1373)
974^{16} ≡ 732 (mod 1373)
974^{32} ≡ 354 (mod 1373)
974^{64} ≡ 373 (mod 1373)
974^{128} ≡ 456 (mod 1373)
974^{256} ≡ 613 (mod 1373)
974^{512} ≡ 940 (mod 1373).

Therefore the secret shared value s is given by

s = A^b mod p
  = 974^{871} mod 1373
  = 974^{1+2+4+32+64+256+512} mod 1373
  = 974^1 · 974^2 · 974^4 · 974^{32} · 974^{64} · 974^{256} · 974^{512} mod 1373
  = ((−399) · (−67) · 370 · 354) · (373 · 613 · 940) mod 1373
  = 582 · 640 mod 1373
  = 397.
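An added Python example, not part of these notes, of the Diffie-Hellman computation of Exercise 3 done the way the solution does it: `square_table` produces the successive squares 974^{2^i} mod 1373 listed in question 2, `mod_pow` multiplies the entries selected by the 1-bits of the exponent (871 = 1 + 2 + 4 + 32 + 64 + 256 + 512), and the two DH functions wrap it. Function names are the example's own; the second private exponent used in the test of agreement is a constructed value, since Exercise 3 does not give A's private exponent.

```python
def square_table(base, exponent, p):
    """Successive squares base^(2^i) mod p for i = 0 .. bit_length(exponent) - 1,
    the table written out in question 2 for base = 974."""
    table = []
    x = base % p
    for _ in range(exponent.bit_length()):
        table.append(x)
        x = (x * x) % p
    return table


def mod_pow(base, exponent, p):
    """Square-and-multiply: the product of the table entries selected by the
    1-bits of exponent, e.g. 974^871 = 974^(1+2+4+32+64+256+512)."""
    result = 1
    for i, entry in enumerate(square_table(base, exponent, p)):
        if (exponent >> i) & 1:
            result = (result * entry) % p
    return result


def dh_public(p, g, secret):
    """Public value g^secret mod p sent over the channel."""
    return mod_pow(g, secret, p)


def dh_shared(p, other_public, secret):
    """Shared value other_public^secret mod p; both parties obtain the same number."""
    return mod_pow(other_public, secret, p)


if __name__ == "__main__":
    p, g, b, A = 1373, 2, 871, 974
    for i, value in enumerate(square_table(A, b, p)):
        print(f"974^{2 ** i} = {value} (mod 1373)")
    print("B =", dh_public(p, g, b), " s =", dh_shared(p, A, b))
```

The table has one entry per bit of the exponent, so the cost of an exponentiation is about 2·log2(b) multiplications modulo p regardless of how large b is; this is what makes the public values cheap to compute while recovering b from B = g^b is the discrete logarithm problem on which the scheme rests.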

A.2 Tests and exams

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 22/23
Date: 21 December 2022
Duration: 1 hour

The use of calculators and mobile phones is strictly forbidden.

Test

Exercise 1 (7.5 marks).

Let a = 225 and b = 195.


1. Find the prime factorization of the numbers a and b.

2. Find gcd(a, b) and ℓcm(a, b).


3. Find τ (a) the number of positive divisors of a.
4. Find φ(a).

Exercise 2 (7.5 marks).

1. Find the inverse of 17 in Z42 .

2. Compute 23 + 32 and 23 · 5 in Z42 .


3. Solve the congruence 34x ≡ 30 (mod 84).
4. Determine all (x, y) ∈ Z2 such that 17x + 42y = 2.

Solutions

Exercise 1 (7.5 marks).

Let a = 225 and b = 195.


1. Prime factorization of the numbers a and b:

225 = 32 × 52 , 195 = 3 × 5 × 13.

2. Find gcd(a, b) and ℓcm(a, b). We have a = 3^2 × 5^2 × 13^0 and b = 3^1 × 5^1 × 13^1.

Hence gcd(a, b) = 3^1 × 5^1 = 15 and ℓcm(a, b) = 3^2 × 5^2 × 13 = 2 925.

3. We have τ(a) = 3 × 3 = 9.
4. We have φ(a) = φ(3^2) φ(5^2) = 6 × 20 = 120.

Exercise 2 (7.5 marks).

1. Find the inverse of 17 in Z42. We have

42 = 2 × 17 + 8 → 8 = 42 − 2 × 17
17 = 2 × 8 + 1 → 1 = 17 − 2 × 8.

By back-substitution we get 5 × 17 − 2 × 42 = 1, and hence 5 × 17 = 1 + 2 × 42. Therefore
5 · 17 = 1 in Z42, and hence 17^{-1} = 5 in Z42.

2. We have
23 + 32 = 55
= 42 + 13
= 13
and
23 · 5 = 115
= 2 × 42 + 31
= 31.

3. The congruence 34x ≡ 30 (mod 84) is equivalent to the equation 17x = 15 in Z42. We have

34x ≡ 30 (mod 84) ⇐⇒ 17x = 15 in Z42
                   ⇐⇒ 5 · 17x = 5 · 15
                   ⇐⇒ x = 5 · 15
                   ⇐⇒ x = 33
                   ⇐⇒ x ≡ 33 (mod 42).

4. Solving 17x + 42y = 2:
From the first question we have 5 × 17 − 2 × 42 = 1, and hence 10 × 17 − 4 × 42 = 2.
Subtracting this equation from 17x + 42y = 2 we get

17(x − 10) = −42(y + 4).

Since 42 divides 17(x − 10) and gcd(17, 42) = 1, then 42 divides x − 10. Therefore x − 10 = 42t
for some integer t, i.e. x = 42t + 10. Substituting x in 17(x − 10) = −42(y + 4) we get
y = −17t − 4.

If we let S = {(x, y) ∈ Z2 : 17x + 42y = 2}, then

S = {(42t + 10, −17t − 4) : t ∈ Z}.

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 22/23

Practice examination paper


Exercise 1 (7 marks).

Let a = 693 and b = 705.

1. Find the prime factorization of the numbers a and b.


2. Find gcd(a, b) and ℓcm(a, b).
3. Find div+ (a) the set of positive divisors of a.
4. Find φ(a).

Exercise 2 (7 marks).

1. Find the inverse of 13 in Z24 .

2. Compute 12 + 17 and 23 · 23 in Z24 .


3. Solve the congruence 13x ≡ 8 (mod 24).
4. Determine all (x, y) ∈ Z2 such that 14x + 12y = 2.

Exercise 3 (6 marks).
Consider the matrix k with entries in Z17:

k = \begin{pmatrix} 2 & 7 \\ 5 & 15 \end{pmatrix}.

1. Find the inverse of k.

2. Using the Hill cipher with key k, encrypt the plaintext m = (3, 5)⊤ .
3. Find the plaintext given that the ciphertext is c = (7, 3)⊤ .

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 22/23
Date: 8 January 2023
Duration: 1 h 30 min

The use of mobile phones is strictly forbidden.

Examination paper

Exercise 1 (7 marks).

1. Find the inverse of 13 in Z37 .


2. Compute 25 + 17 and 12 · 23 in Z37 .

3. Solve the congruence 26x ≡ 8 (mod 74).


4. Determine all (x, y) ∈ Z2 such that 15x + 21y = 3.

Exercise 2 (7 marks).
Let a = 132 and b = 825.
1. Find the prime factorization of the numbers a and b.
2. Find gcd(a, b) and ℓcm(a, b).

3. Find div+ (a) the set of positive divisors of a.


4. Find φ(a).

Exercise 3 (6 marks).
Consider the matrix k with entries in Z23:

k = \begin{pmatrix} 2 & 6 \\ 5 & 17 \end{pmatrix}.

1. Find the inverse of k.


2. Using the Hill cipher with key k, encrypt the plaintext m = (3, 7)⊤ .

3. Find the plaintext given that the ciphertext is c = (3, 11)⊤ .

Solutions

Exercise 1 (7 marks). The marks are distributed as follows: 1+2+2+2.

1. We have

37 = 2 × 13 + 11 → 11 = 37 − 2 × 13
13 = 1 × 11 + 2 → 2 = 13 − 1 × 11
11 = 2 × 5 + 1 → 1 = 11 − 2 × 5.

By back-substitution we get 1 = 6 × 37 − 17 × 13. Therefore

13^{-1} = −17 = 20 in Z37.

2. We have
25 + 17 = 42 = 5, 12 · 23 = 276 = 17.

3. We have

26x ≡ 8 (mod 74) ⇐⇒ 13x ≡ 4 (mod 37)
                  ⇐⇒ 13 · x = 4 in Z37
                  ⇐⇒ 20 · 13 · x = 20 · 4
                  ⇐⇒ x = 6
                  ⇐⇒ x ≡ 6 (mod 37).

4. Determine all (x, y) ∈ Z2 such that 15x + 21y = 3.


We have

15x + 21y = 3 ⇐⇒ 5x + 7y = 5 × 3 + 7 × (−2) (you can use the Euclidean algorithm)


⇐⇒ 5(x − 3) = −7(y + 2).

Since 7 divides 5(x − 3) and gcd(7, 5) = 1 then 7 divides x − 3, and therefore x − 3 = 7t


for some integer t. Hence y + 2 = −5t.
If S = {(x, y) ∈ Z2 : 15x + 21y = 3} then

S = {(7t + 3, −5t − 2) : t ∈ Z}.

Exercise 2 (7 marks). The marks are distributed as follows: 2+2+(1.5)+(1.5).

Let a = 132 and b = 825.
1. We have
a = 2^2 × 3 × 11, b = 3 × 5^2 × 11.

2. We have a = 2^2 × 3^1 × 5^0 × 11^1 and b = 2^0 × 3^1 × 5^2 × 11^1. Therefore

gcd(a, b) = 2^0 × 3^1 × 5^0 × 11^1 = 33 and ℓcm(a, b) = 2^2 × 3^1 × 5^2 × 11 = 3300.

3. We have
div+ (a) = {1, 3, 11, 33, 2, 6, 22, 66, 4, 12, 44, 132}.

4. We have
φ(a) = φ(2^2) × φ(3) × φ(11) = 2 × 2 × 10 = 40.

Exercise 3 (6 marks). The marks are distributed as follows: 2+2+2.


Consider the matrix k with entries in Z23:

k = \begin{pmatrix} 2 & 6 \\ 5 & 17 \end{pmatrix}.

1. We have

k^{-1} = (2 · 17 − 5 · 6)^{-1} \begin{pmatrix} 17 & −6 \\ −5 & 2 \end{pmatrix}
       = (4)^{-1} \begin{pmatrix} 17 & −6 \\ −5 & 2 \end{pmatrix}
       = 6 \begin{pmatrix} 17 & −6 \\ −5 & 2 \end{pmatrix}
       = \begin{pmatrix} 10 & 10 \\ 16 & 12 \end{pmatrix}.

2. The encryption function ek : Z_23^2 → Z_23^2 is given by ek (m) = km, and hence

ek (3, 7)⊤ = k(3, 7)⊤ = (2, 19)⊤.

3. The decryption function dk : Z_23^2 → Z_23^2 is given by dk (c) = k^{-1} c, and hence

dk (3, 11)⊤ = k^{-1} (3, 11)⊤ = (2, 19)⊤.

University of Bejaia
Department of OR
Level: SDAD1
Module: Cryptography
Academic year: 22/23
Date: 24 June 2023
Duration: 1 h 30 min

Resit examination paper

Exercise 1 (7 marks).
Let a = 600 and b = 315.

1. Find the prime factorization of the numbers a and b.


2. Find gcd(a, b) and ℓcm(a, b).
3. Find τ (b) the number of positive divisors of b

4. Find φ(a).

Exercise 2 (7 marks).

1. Find the inverse of 16 in Z29 .


2. Compute 22 + 19 and 11 · 13 in Z29 .
3. Solve the congruence 32x ≡ 6 (mod 58).
4. Determine all (x, y) ∈ Z2 such that 7x + 13y = 3.

Exercise 3 (6 marks).
Consider the affine Hill cipher with Z17 and key k = (k1, k2) given by

k1 = \begin{pmatrix} 5 & 3 \\ 7 & 6 \end{pmatrix} and k2 = (3, 4)⊤.

1. Find the inverse of k1 .


2. Encrypt the plaintext m = (2, 3)⊤ .
3. Decrypt the ciphertext c = (1, 6)⊤ .

Solutions

Exercise 1 (7 marks). The marks are distributed as follows: 2+2+(1.5)+(1.5).


Let a = 600 and b = 315.
1. We have
a = 2^3 × 3 × 5^2, b = 3^2 × 5 × 7.

2. We have a = 2^3 × 3^1 × 5^2 × 7^0 and b = 2^0 × 3^2 × 5^1 × 7^1. Therefore

gcd(a, b) = 2^0 × 3^1 × 5^1 × 7^0 = 15 and ℓcm(a, b) = 2^3 × 3^2 × 5^2 × 7^1 = 12600.

3. We have
τ(b) = 3 × 2 × 2 = 12.

4. We have

φ(a) = φ(2^3 × 3 × 5^2)
     = φ(2^3) × φ(3) × φ(5^2)
     = 4 × 2 × 20
     = 160.
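An added Python example, not taken from these notes, covering the factorization questions that recur in Exercise 1 of the test of 21 December 2022, Exercise 2 of the examination of 8 January 2023 and Exercise 1 above: prime factorization by trial division, gcd and ℓcm read off the exponents (minimum and maximum per prime, with absent primes counted as exponent 0, exactly as the solutions write them), the set div+(a), and the functions τ and φ. Function names are the example's own.

```python
def factorize(n):
    """Prime factorization {p: exponent} of n >= 1 by trial division
    (fine for exam-sized numbers, useless for cryptographic ones)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def gcd_lcm(a, b):
    """gcd takes the minimum exponent of every prime, lcm the maximum;
    a prime absent from one factorization counts with exponent 0."""
    fa, fb = factorize(a), factorize(b)
    g, l = 1, 1
    for p in set(fa) | set(fb):
        g *= p ** min(fa.get(p, 0), fb.get(p, 0))
        l *= p ** max(fa.get(p, 0), fb.get(p, 0))
    return g, l


def positive_divisors(n):
    """div+(n), generated from the factorization so that none is missed."""
    divisors = [1]
    for p, e in factorize(n).items():
        divisors = [d * p ** i for d in divisors for i in range(e + 1)]
    return sorted(divisors)


def tau(n):
    """Number of positive divisors: the product of (e + 1) over the exponents."""
    result = 1
    for e in factorize(n).values():
        result *= e + 1
    return result


def phi(n):
    """Euler's totient: the product of p^(e-1) (p - 1) over the prime powers."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


if __name__ == "__main__":
    for a, b in ((225, 195), (132, 825), (600, 315)):
        print(a, factorize(a), b, factorize(b), gcd_lcm(a, b))
        print("  div+ =", positive_divisors(a), " tau =", tau(a), " phi =", phi(a))
```

Two identities worth checking on every run: gcd(a, b) · ℓcm(a, b) = a · b, and τ(n) equals the length of div+(n); both follow from the fundamental theorem of arithmetic and the test below asserts them.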

Exercise 2 (7 marks). The marks are distributed as follows: 1+2+2+2.

1. We have

29 = 1 × 16 + 13 → 13 = 29 − 1 × 16
16 = 1 × 13 + 3 → 3 = 16 − 1 × 13
13 = 4 × 3 + 1 → 1 = 13 − 4 × 3.

By back-substitution we get 1 = 5 × 29 − 9 × 16. Therefore

16^{-1} = −9 = 20 in Z29.

2. We have
22 + 19 = 41 = 12, 11 · 13 = 143 = 27.

3. We have

32x ≡ 6 (mod 58) ⇐⇒ 16x ≡ 3 (mod 29)
                  ⇐⇒ 16 · x = 3 in Z29
                  ⇐⇒ 20 · 16 · x = 20 · 3
                  ⇐⇒ x = 2
                  ⇐⇒ x ≡ 2 (mod 29).

4. Determine all (x, y) ∈ Z2 such that 7x + 13y = 3.
We have

7x + 13y = 3 ⇐⇒ 7x + 13y = 6 × 7 + 13 × (−3) (you can use the Euclidean algorithm)


⇐⇒ 7(x − 6) = −13(y + 3).

Since 13 divides 7(x − 6) and gcd(13, 7) = 1 then 13 divides x − 6, and therefore x − 6 = 13t
for some integer t. Hence y + 3 = −7t.
If S = {(x, y) ∈ Z2 : 7x + 13y = 3} then

S = {(13t + 6, −7t − 3) : t ∈ Z}.
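An added Python example (the code is the editor's, not the notes') that mechanises the three recurring computations of question 2 of Exercise 4 in Solutions No. 2, Exercise 2 of the test of 21 December 2022, Exercise 1 of the examination of 8 January 2023 and Exercise 2 above: the extended Euclidean algorithm with the division steps recorded in the form the solutions write them (for instance 541 = 15 × 34 + 31), modular inverses by back-substitution, linear congruences ax ≡ b (mod n) reduced by gcd(a, n), and the complete integer solution set of ax + by = c. Function names are the example's own; a, b are assumed positive.

```python
def extended_euclid(a, b):
    """Return (g, u, v, steps) with g = gcd(a, b) = u*a + v*b for a, b >= 0.
    steps records each division with a non-zero remainder as
    (dividend, quotient, divisor, remainder), i.e. the lines
    "541 = 15 x 34 + 31" written in the exercises."""
    steps = []
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q, rem = divmod(old_r, r)
        if q and rem:
            steps.append((old_r, q, r, rem))
        old_r, r = r, rem
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v, steps


def mod_inverse(a, n):
    """a^{-1} in Z_n, obtained from g = u*n + v*a; ValueError when gcd(a, n) != 1."""
    g, _, v, _ = extended_euclid(n, a % n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return v % n


def solve_congruence(a, b, n):
    """Solve a x = b (mod n).  Returns (x0, m) meaning x = x0 (mod m), or None.
    Dividing by g = gcd(a, n) reduces to a unit coefficient, e.g.
    34x = 30 (mod 84) becomes 17x = 15 (mod 42); no solution if g does not divide b."""
    g = extended_euclid(a, n)[0]
    if b % g != 0:
        return None
    a1, b1, n1 = a // g, b // g, n // g
    return (mod_inverse(a1, n1) * b1) % n1, n1


def solve_diophantine(a, b, c):
    """Integer solutions of a x + b y = c for a, b > 0, as (x0, y0, dx, dy):
    x = x0 + dx t, y = y0 + dy t, t in Z, with 0 <= x0 < dx.  None if gcd does not divide c."""
    g, u, v, _ = extended_euclid(a, b)
    if c % g != 0:
        return None
    m = c // g
    x0, y0 = u * m, v * m          # one particular solution
    dx, dy = b // g, -(a // g)     # step between consecutive solutions
    t = x0 // dx                   # shift so that x0 is the smallest non-negative x
    return x0 - t * dx, y0 - t * dy, dx, dy


if __name__ == "__main__":
    g, u, v, steps = extended_euclid(541, 34)
    for dividend, q, divisor, rem in steps:
        print(f"{dividend} = {q} x {divisor} + {rem}")
    print(f"{g} = {u} x 541 + ({v}) x 34, so 34^-1 = {mod_inverse(34, 541)} in Z_541")
    print(solve_congruence(34, 30, 84), solve_diophantine(17, 42, 2))
```

The same `extended_euclid` routine supplies all three answers: the Bezout coefficients give the inverse, the inverse solves the reduced congruence, and the coefficients scaled by c/g give a particular solution of the Diophantine equation, whose general solution then follows from the divisibility argument in the solutions (dx = b/g, dy = −a/g).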

Exercise 3 (6 marks). The marks are distributed as follows: 2+2+2.

1. For k1 = \begin{pmatrix} 5 & 3 \\ 7 & 6 \end{pmatrix} we have

k1^{-1} = (5 · 6 − 7 · 3)^{-1} \begin{pmatrix} 6 & −3 \\ −7 & 5 \end{pmatrix}
        = (9)^{-1} \begin{pmatrix} 6 & −3 \\ −7 & 5 \end{pmatrix}
        = 2 \begin{pmatrix} 6 & −3 \\ −7 & 5 \end{pmatrix}
        = \begin{pmatrix} 12 & 11 \\ 3 & 10 \end{pmatrix}.

2. The encryption function ek : Z_17^2 → Z_17^2 is given by ek (m) = k1 m + k2, and hence

ek (2, 3)⊤ = k1 (2, 3)⊤ + (3, 4)⊤ = (5, 2)⊤.

3. The decryption function dk : Z_17^2 → Z_17^2 is given by dk (c) = k1^{-1} (c − k2), and hence

dk (1, 6)⊤ = k1^{-1} ((1, 6)⊤ − (3, 4)⊤) = (1, 14)⊤.
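An added Python example, not part of these notes, implementing the 2 × 2 Hill and affine Hill ciphers over Z_n: the inverse key is computed as det^{-1} · adj(k), the formula the solutions apply, and the block serves Exercise 3 of Solutions No. 2 (key over Z26 with A = 1, ..., Y = 25, Z = 0, plaintext HELP), Exercise 3 of the examination of 8 January 2023 (Z23) and the affine Hill cipher of Exercise 3 above (Z17), where the plain Hill cipher is the special case k2 = (0, 0). A key whose determinant is not a unit of Z_n is rejected, since such a key cannot be inverted. Function names and the `ALPHABET` string are the example's own.

```python
from math import gcd

# Letter encoding of the Hill exercise over Z_26: A = 1, ..., Y = 25, Z = 0.
ALPHABET = "ZABCDEFGHIJKLMNOPQRSTUVWXY"


def mat_inverse_2x2(k, n):
    """Inverse of k = [[a, b], [c, d]] in Z_n as det^{-1} * adj(k).
    k is invertible iff det(k) is a unit of Z_n."""
    (a, b), (c, d) = k
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        raise ValueError("key matrix is not invertible modulo n")
    det_inv = pow(det, -1, n)
    return [[(det_inv * d) % n, (det_inv * -b) % n],
            [(det_inv * -c) % n, (det_inv * a) % n]]


def mat_vec(k, v, n):
    """Product k v in Z_n^2 for a column vector v = (x, y)."""
    (a, b), (c, d) = k
    x, y = v
    return ((a * x + b * y) % n, (c * x + d * y) % n)


def affine_hill_encrypt(m, k1, k2, n):
    """e_k(m) = k1 m + k2.  With k2 = (0, 0) this is the plain Hill cipher."""
    x, y = mat_vec(k1, m, n)
    return ((x + k2[0]) % n, (y + k2[1]) % n)


def affine_hill_decrypt(c, k1, k2, n):
    """d_k(c) = k1^{-1} (c - k2)."""
    shifted = ((c[0] - k2[0]) % n, (c[1] - k2[1]) % n)
    return mat_vec(mat_inverse_2x2(k1, n), shifted, n)


def hill_text(text, k, decrypt=False):
    """Hill cipher over Z_26 on a text of even length, two letters per block."""
    text = text.upper()
    if len(text) % 2:
        raise ValueError("text length must be even for a 2x2 key")
    out = []
    for i in range(0, len(text), 2):
        v = (ALPHABET.index(text[i]), ALPHABET.index(text[i + 1]))
        x, y = (affine_hill_decrypt(v, k, (0, 0), 26) if decrypt
                else affine_hill_encrypt(v, k, (0, 0), 26))
        out.append(ALPHABET[x] + ALPHABET[y])
    return "".join(out)


if __name__ == "__main__":
    K26 = [[2, 7], [13, 9]]
    print(mat_inverse_2x2(K26, 26), hill_text("HELP", K26), hill_text("YY", K26, decrypt=True))
    K17 = [[5, 3], [7, 6]]
    print(mat_inverse_2x2(K17, 17), affine_hill_encrypt((2, 3), K17, (3, 4), 17))
```

`affine_hill_decrypt` recomputes the inverse on every call for clarity; a real implementation would compute k1^{-1} once at key setup, which is also where the unit-determinant check belongs, so that an unusable key is refused before any message is encrypted with it.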

A.3 List of notations
div(a) the set of divisors of a
div+ (a) the set of positive divisors of a
div(a, b) the set of common divisors of a and b
muℓ(a) the set of multiples of a
muℓ(a, b) the set of common multiples of a and b

gcd(a, b), a ∧ b the greatest common divisor of a and b


ℓcm(a, b), a ∨ b the least common multiple of a and b
Prm the set of prime numbers
Zn the set of residue classes modulo n
Z∗n the set of units (i.e. invertible elements) of Zn
τ (a) the number of positive divisors of a
σ(a) the sum of the positive divisors of a
φ(n) the Euler totient function
⌊x⌋ the floor function
{x} the fractional part
⌈x⌉ the ceiling function

A.4 Glossary
Set : ensemble
Subset : sous-ensemble
Sum : somme
Integers : entiers relatifs
Real number : nombre réel
Remainder : reste
Invertible : inversible
Prime number : nombre premier
Natural number : nombre naturel
Non-negative : positif
Positive : strictement positif
Set of divisors of a : ensemble des diviseurs de a
Set of positive divisors of a : ensemble des diviseurs positifs de a
Set of common divisors of a and b : ensemble des diviseurs communs de a et de b
Set of multiples of a : ensemble des multiples de a
Set of common multiples of a and b : ensemble des multiples communs de a et de b
Greatest common divisor of a and b : plus grand commun diviseur de a et de b
Least common multiple of a and b : plus petit commun multiple de a et de b
Number of positive divisors of a : nombre des diviseurs positifs de a
Sum of the positive divisors of a : somme des diviseurs positifs de a
Euler totient function : la fonction indicatrice d’Euler
Encrypt, encipher : crypter, chiffrer
Decrypt, decipher : décrypter, déchiffrer
Encryption, encipherment : crypter, chiffrement
Decryption, decipherment : décryptage, déchiffrement
Encryption function : fonction de chiffrement
Decryption function : fonction de déchiffrement
Key : clé
Key space : espace des clés
Plaintext : message en clair
Plaintext space : espace des messages en clair
Ciphertext : message chiffré
Ciphertext space : espace des messages chiffrés
Cryptosystem : cryptosystème
Cryptanalysis : cryptanalyse
Cryptography : cryptographie
Cryptology : cryptologie
Caesar cipher (shift cipher) : chiffre de César
Vigenère cipher : chiffre de Vigenère
Affine cipher : chiffre affine
Hill cipher : chiffre de Hill
Affine Hill cipher : chiffre de Hill affine
Hash function : fonction de hachage
Digital signature : signature numérique
