Christof Paar · Jan Pelzl · Tim Güneysu

Understanding Cryptography
From Established Symmetric and Asymmetric Ciphers to Post-Quantum Algorithms

Second Edition

Christof Paar
Max Planck Institute for Security and Privacy
Bochum, Germany

Jan Pelzl
Hamm-Lippstadt University of Applied Sciences
Hamm, Germany

Tim Güneysu
Ruhr University Bochum
Bochum, Germany

ISBN 978-3-662-69006-2
ISBN 978-3-662-69007-9 (eBook)
https://doi.org/10.1007/978-3-662-69007-9

Originally published under: Paar, C. and Pelzl, J.

1st edition: © Springer-Verlag Berlin Heidelberg 2010


2nd edition: © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer-Verlag GmbH, DE, part of Springer Nature 2024
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher,
whether the whole or part of the material is concerned, specifically the rights of translation, reprinting,
reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software, or by
similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt from
the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publisher nor the
authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or
for any errors or omissions that may have been made. The publisher remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer-Verlag GmbH, DE, part of
Springer Nature.
The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany

If disposing of this product, please recycle the paper.


To Flo, Maja, Noah and Sarah
to Greta, Karl, Thea, Klemens and Nele
as well as to Elisa, Benno and Sindy
Foreword

Cryptography is a critical component of today’s information infrastructure; it is what enables distributed information systems to exist and to work properly. Without it, users would not be able to securely authenticate themselves to websites, secure communications wouldn’t exist, and privacy would be unachievable.

Moreover, the number of applications for cryptography has increased dramatically, as new cryptographic techniques are invented and proven secure. For example, securely transacting with cryptocurrencies such as bitcoin requires modern cryptography. As another example, hospitals may now share information about patients in a way that protects patient privacy while allowing the hospitals to apply statistical methods assessing the effectiveness of new treatments on the aggregate of the patients.

We recommend this book in our MIT class Applied Cryptography. This class is about half undergraduates and half graduate students; past students have said the text was excellent. It will be great to have this new edition available. The approach taken in this text is more pragmatic and engineering-oriented than theory-oriented. It is usable for both classroom use and self-study.

This edition of Understanding Cryptography contains much new material; the book has expanded by almost 50% since the first edition. Part of this expansion is due to the expansion of the field (technical), including new problems, and part of the expansion is due to the addition of new references and discussion (historical).

Of particular note is the inclusion of new material on “quantum cryptography”: cryptosystems that are specifically designed to resist attacks that are based on the use of quantum computers. Shor’s algorithm (1994) showed that cryptographic algorithms that are based on the hardness of factoring the product of two primes, or that are based on the hardness of computing discrete logarithms, are vulnerable to polynomial-time attacks using quantum computation. If and when quantum computers become available, cryptographic methods such as RSA or elliptic-curve cryptosystems will become vulnerable. Given the long lead time required to replace cryptosystems in use, planning for a change-over to “quantum-resistant” algorithms has already begun. The (U.S.) National Institute of Standards and Technology has converged on possible standards based on three particular hard problems; this textbook covers all three approaches. Indeed, this textbook may be the first to cover PQC (post-quantum cryptography).

This textbook also has updated material on “conventional” (non-public-key) cryptography. For example, it includes new and/or updated material on cryptographic hash functions (including coverage of SHA-2 and SHA-3), stream ciphers (including Salsa20 and ChaCha), and modes of operation (including authenticated encryption modes).

In summary, I recommend this book highly for both undergraduate and graduate classroom use; it can easily be augmented for students with a more theoretical orientation. This book is also recommended for self-study, for anyone who wishes to bring themselves up-to-date on where this exciting field is going.

December 2023 Ron Rivest


Preface

This is the second edition of Understanding Cryptography. Ever since we released the first edition in 2009, we have been humbled by the many positive responses we received from readers from all over the world. Our goal has always been to make the fascinating but also challenging topic of cryptography accessible and fun to learn. Key concepts of the book are that we focus on cryptography with high practical relevance, and that the necessary mathematical material is accessible for readers with a minimum background in college-level calculus. The fact that Understanding Cryptography has been adopted as a textbook by hundreds of universities on all continents (that is, if we ignore Antarctica) and the feedback we received from individual readers and instructors makes us believe that this approach is working.

One thing that has changed since the first edition is that it has become abundantly clear how important cybersecurity is in our, by now, digital society. Today, seemingly every aspect in our private lives, at work or in governments has become dependent on information technology in one way or another. Even though digitalization can have many benefits for individuals and society at large, information technology must come with strong security mechanisms in order to prevent malicious manipulations. Here is where cryptography comes into play: It is a key tool for building sound cybersecurity solutions. To this end, cryptographic algorithms have crept into myriads of applications that surround us; examples range from social networks, smartphones and cloud servers to embedded systems like medical implants, car keys and passports. Emerging applications such as autonomous cars and e-voting will rely even more on strong security mechanisms. Of course, cryptocurrencies and blockchains rely heavily on modern cryptographic algorithms, too.

Content Overview

The book has many features that make it a unique source for students, practitioners and researchers. We focus on practical relevance by introducing the majority of cryptographic algorithms that are used in modern real-world applications. With respect to symmetric algorithms, we introduce the block ciphers AES, DES and triple-DES as well as PRESENT, which is an important example of a lightweight cipher. We also describe three popular stream ciphers. Regarding asymmetric cryptography, we cover all three public-key families currently in use: RSA, discrete logarithm schemes and elliptic curves. In addition, the book introduces hash functions, digital signatures and message authentication codes, or MACs. Beyond core cryptographic algorithms, we also discuss topics such as modes of operation, security services and key management. For every cryptographic scheme, up-to-date security estimations and recommendations for key lengths are given. We also discuss the important issue of software and hardware implementation.

What’s New

The second edition has received major updates and has grown from the 350 pages of the first edition to more than 500 pages. The most noticeable new material is the extensive treatment of post-quantum cryptography, or PQC, in Chapter 12. In the coming years, many applications will need to replace traditional public-key schemes with PQC algorithms. This will be the most comprehensive change in the landscape of cryptography that we have seen in decades. We hope that our introduction to the three most promising PQC families, that is lattice-based, code-based and hash-based schemes, will be helpful in this context. Besides PQC, the 2nd edition also covers the SHA-2 and SHA-3 hash functions, the new stream ciphers Salsa20 and ChaCha, and authenticated encryption. Throughout the book, security parameters and related work have been updated, as well as the Discussion and Further Reading sections that conclude each chapter. The problem sections of all 14 chapters have been extended, too.

How to Use the Book

The material in this book has evolved over many years and is “classroom proven”. We’ve taught it both as a course for advanced undergraduate students and graduate students in computer science/math/electrical engineering, as well as a first-year undergraduate course for students majoring in our IT security program. We found that one can teach most concepts introduced in the book in a two-semester course, with 90 minutes of lecture time plus 90 minutes of help sessions with exercises per week (total of 10 ECTS credits). In a typical US-style three-credit course, or in a one-semester European course, some of the material should be omitted. Here are some reasonable choices for a one-semester course:

Course Curriculum 1: Focus on the application of cryptography, e.g., in an applied course in computer science or a basic course for subsequent security classes, e.g., in a cybersecurity program. A possible curriculum is: Chap. 1; Sects. 2.1–2.2; Chap. 4; Sect. 5.1; Chap. 6; Sects. 7.1–7.3; Sects. 8.1–8.3; Sects. 10.1–10.2; Sects. 11.1–11.3; Sects. 12.1 & 12.4; Sect. 13.1; Sects. 14.1–14.3.

Course Curriculum 2: Focus on cryptographic algorithms and their mathematical background, e.g., as a theory course in computer science or a crypto course in a math program. This curriculum also works nicely as preparation for a more theoretical course in cryptography: Chap. 1; Chap. 2; Chap. 4; Chap. 6; Chap. 7; Sects. 8.1–8.4; Chap. 9; Sects. 10.1–10.2; Sects. 11.1–11.3; Sects. 12.1, 12.2 & 12.4.

More Information

There are two online sources related to this book that we can recommend. First, we recorded the two-semester introductory cryptography course that we teach at Ruhr University Bochum (RUB). The main audience for this class are the first-year students of RUB’s IT Security program, and we tried to make the material as accessible as possible. More than 20 lectures are available on the YouTube channel “Introduction to Cryptography by Christof Paar”:
https://www.crypto-textbook.com/video

Each lecture takes about 80–90 minutes and closely follows the material in the book. (For the more adventurous reader, there is also a German-language set of videos available in the YouTube channel “Einführung in die Kryptographie von Christof Paar”.)

Second, we recommend the companion website for the book, containing slide sets for lecturers and solutions to the odd-numbered problems of the book:
https://www.crypto-textbook.com

Trained as engineers, we have worked in applied cryptography and security for more than 20 years and hope that the readers will have as much fun with this fascinating field as we’ve had!

Bochum, Germany Christof Paar


Hamm, Germany Jan Pelzl
Bochum, Germany Tim Güneysu
Acknowledgements

Writing this book would have been impossible without the help of many people. We hope we did not forget anyone in our listing.

Help with technical questions was provided by Frederick Armknecht (stream ciphers), Roberto Avanzi (finite fields and elliptic curves), Eike Kiltz (provable security), Gregor Leander (block ciphers), Alex May (number theory), Alfred Menezes and Neal Koblitz (history of elliptic curve cryptography), Matt Robshaw (AES) and Damian Weber (discrete logarithms). We are particularly grateful to Axel Poschmann who provided the initial section about the PRESENT block cipher.

We would also like to thank Conny Robrahn who worked tirelessly on the more than 130 figures in this book. Special thanks for proofreading and the many suggestions for improving the material in the second edition go to the members of the Embedded Security group at the Max Planck Institute for Security and Privacy, Bochum, and the Security Engineering group at Ruhr University Bochum: Nils Albartus, Sven Argo, Steffen Becker, Fabian Buschkowski, Maik Ender, Jakob Feldtkeller, Anna Guinet, Dina Hesse, Simon Klix, Elisabeth Krahmer, Markus Krausz, Georg Land, Johannes Mono, Endres Puschner, Jan Richter-Brockmann, Julian Speith, Paul Staat and Jan Thoma.

For the first edition, we are indebted to the members of the Embedded Security group at Ruhr University Bochum — Andrey Bogdanov, Benedikt Driessen, Thomas Eisenbarth, Stefan Heyse, Markus Kasper, Timo Kasper, Amir Moradi and Daehyun Strobel — who did much of the technical proofreading and provided numerous suggestions for improving the presentation of the material.

We would like to express our deepest gratitude to Ron Rivest for his willingness to provide the foreword. We’d like to thank the people from Springer for their continuous support and encouragement. In particular, thanks to our editors Ronan Nugent and Wayne Wheeler as well as to Michela Castrica.

Last but not least we would like to thank all the readers of the first edition who provided valuable feedback regarding improving the text and the problem sets.

Table of Contents

1 Introduction to Cryptography and Data Security . . . . . . . . . . . . . . . . . . 1


1.1 Overview of Cryptology (and This Book) . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.2 Simple Symmetric Encryption: The Substitution Cipher . . . . 7
1.3 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.1 General Thoughts on Breaking Cryptosystems . . . . . . . . . . . . 10
1.3.2 How Many Key Bits Are Enough? . . . . . . . . . . . . . . . . . . . . . . 13
1.4 Modular Arithmetic and More Historical Ciphers . . . . . . . . . . . . . . . . 15
1.4.1 Modular Arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4.2 Integer Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.4.3 Shift Cipher (or Caesar Cipher) . . . . . . . . . . . . . . . . . . . . . . . . 20
1.4.4 Affine Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.5 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.6 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2 Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.1.1 Stream Ciphers vs. Block Ciphers . . . . . . . . . . . . . . . . . . . . . . 38
2.1.2 Encryption and Decryption with Stream Ciphers . . . . . . . . . . 40
2.2 Random Numbers and an Unbreakable Stream Cipher . . . . . . . . . . . . 43
2.2.1 Random Number Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.2.2 The One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.2.3 Towards Practical Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . 46
2.3 Shift Register-Based Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.3.1 Linear Feedback Shift Registers (LFSRs) . . . . . . . . . . . . . . . . 50
2.3.2 Known-Plaintext Attack Against Single LFSRs . . . . . . . . . . . 53
2.4 Practical Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.1 Salsa20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.2 ChaCha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59


2.4.3 Trivium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.5 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
2.6 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

3 The Data Encryption Standard (DES) and Alternatives . . . . . . . . . . . . . 73


3.1 Introduction to DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.1.1 Confusion and Diffusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.2 Overview of the DES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.3 Internal Structure of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.3.1 Initial and Final Permutation . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.3.2 The f Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.3.3 Key Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.4 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.5 Security of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.5.1 Exhaustive Key Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.5.2 Analytical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.6 Implementation in Software and Hardware . . . . . . . . . . . . . . . . . . . . . 96
3.7 DES Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.7.1 The Advanced Encryption Standard (AES) and the AES Finalist Ciphers . . . . . . . . 97
3.7.2 Triple DES (3DES) and DESX . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.7.3 Lightweight Cipher PRESENT . . . . . . . . . . . . . . . . . . . . . . . . . 99
3.8 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.9 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

4 The Advanced Encryption Standard (AES) . . . . . . . . . . . . . . . . . . . . . . . 111


4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.2 Overview of the AES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.3 Some Mathematics: A Brief Introduction to Galois Fields . . . . . . . . . 114
4.3.1 Existence of Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.3.2 Prime Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.3.3 Extension Fields GF(2^m) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.3.4 Addition and Subtraction in GF(2^m) . . . . . . . . . . . . . . . . . . . . 120
4.3.5 Multiplication in GF(2^m) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.3.6 Inversion in GF(2^m) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.4 Internal Structure of AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.4.1 Byte Substitution Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.4.2 Diffusion Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.4.3 Key Addition Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.4.4 Key Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
4.5 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.6 Implementation in Software and Hardware . . . . . . . . . . . . . . . . . . . . . 140
4.7 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

4.8 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142


Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

5 More About Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147


5.1 Modes of Operation for Encryption and Authentication . . . . . . . . . . . 148
5.1.1 Electronic Codebook Mode (ECB) . . . . . . . . . . . . . . . . . . . . . . 149
5.1.2 Cipher Block Chaining Mode (CBC) and Initialization Vectors . . . . . . . . 153
5.1.3 Output Feedback Mode (OFB) . . . . . . . . . . . . . . . . . . . . . . . . . 155
5.1.4 Cipher Feedback Mode (CFB) . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.1.5 Counter Mode (CTR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5.1.6 XTS-AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.2 Exhaustive Key Search Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.3 Increasing the Security of Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . 162
5.3.1 Double Encryption and Meet-in-the-Middle Attack . . . . . . . . 163
5.3.2 Triple Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
5.3.3 Key Whitening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
5.4 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
5.5 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

6 Introduction to Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 177


6.1 Symmetric vs. Asymmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . 178
6.2 Practical Aspects of Public-Key Cryptography . . . . . . . . . . . . . . . . . . 182
6.2.1 Security Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.2.2 The Remaining Problem: Authenticity of Public Keys . . . . . 184
6.2.3 Important Public-Key Algorithms . . . . . . . . . . . . . . . . . . . . . . 184
6.2.4 Key Lengths and Security Levels . . . . . . . . . . . . . . . . . . . . . . . 185
6.3 Essential Number Theory for Public-Key Algorithms . . . . . . . . . . . . 186
6.3.1 Euclidean Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.3.2 Extended Euclidean Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 189
6.3.3 Euler’s Phi Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
6.3.4 Fermat’s Little Theorem and Euler’s Theorem . . . . . . . . . . . . 197
6.4 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.5 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

7 The RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205


7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.2 Encryption and Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.3 Key Generation and Proof of Correctness . . . . . . . . . . . . . . . . . . . . . . 207
7.4 Encryption and Decryption: Fast Exponentiation . . . . . . . . . . . . . . . . 211
7.5 Speed-Up Techniques for RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7.5.1 Fast Encryption with Short Public Exponents . . . . . . . . . . . . . 215
7.5.2 Fast Decryption with the Chinese Remainder Theorem . . . . . 216

7.6 Finding Large Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219


7.6.1 How Common Are Primes? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
7.6.2 Primality Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.7 RSA in Practice: Padding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
7.8 Key Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
7.9 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
7.10 Implementation in Software and Hardware . . . . . . . . . . . . . . . . . . . . . 230
7.11 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
7.12 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

8 Cryptosystems Based on the Discrete Logarithm Problem . . . . . . . . . . 241


8.1 Diffie–Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.2 Some Abstract Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
8.2.1 Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
8.2.2 Cyclic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
8.2.3 Subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
8.3 The Discrete Logarithm Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
8.3.1 The Discrete Logarithm Problem in Prime Fields . . . . . . . . . . 252
8.3.2 The Generalized Discrete Logarithm Problem . . . . . . . . . . . . 253
8.3.3 Attacks Against the Discrete Logarithm Problem . . . . . . . . . . 255
8.4 Security of the Diffie–Hellman Key Exchange . . . . . . . . . . . . . . . . . . 260
8.5 The Elgamal Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
8.5.1 From Diffie–Hellman Key Exchange to Elgamal Encryption 261
8.5.2 The Elgamal Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
8.5.3 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
8.5.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
8.6 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
8.7 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

9 Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277


9.1 How to Compute with Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . 278
9.1.1 Definition of Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
9.1.2 Group Operations on Elliptic Curves . . . . . . . . . . . . . . . . . . . . 281
9.2 Building a Discrete Logarithm Problem with Elliptic Curves . . . . . . 285
9.3 Diffie–Hellman Key Exchange with Elliptic Curves . . . . . . . . . . . . . . 289
9.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
9.5 Implementation in Software and Hardware . . . . . . . . . . . . . . . . . . . . . 292
9.6 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
9.7 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table of Contents xix

10 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299


10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
10.1.1 Odd Colors for Cars, or: Why Symmetric Cryptography Is Not Sufficient . . . . . . . . . . . . . 300
10.1.2 Principles of Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . 301
10.1.3 Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
10.1.4 Applications of Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 305
10.2 The RSA Signature Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
10.2.1 Schoolbook RSA Digital Signature . . . . . . . . . . . . . . . . . . . . . 306
10.2.2 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
10.2.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
10.3 The Elgamal Digital Signature Scheme . . . . . . . . . . . . . . . . . . . . . . . . 312
10.3.1 Schoolbook Elgamal Digital Signature . . . . . . . . . . . . . . . . . . 312
10.3.2 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
10.3.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
10.4 The Digital Signature Algorithm (DSA) . . . . . . . . . . . . . . . . . . . . . . . . 318
10.4.1 The DSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
10.4.2 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.4.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
10.5 The Elliptic Curve Digital Signature Algorithm (ECDSA) . . . . . . . . 324
10.5.1 The ECDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.5.2 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
10.5.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
10.6 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
10.7 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

11 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335


11.1 Motivation: Signing Long Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
11.2 Security Requirements of Hash Functions . . . . . . . . . . . . . . . . . . . . . . 339
11.2.1 Preimage Resistance or One-Wayness . . . . . . . . . . . . . . . . . . . 339
11.2.2 Second Preimage Resistance or Weak Collision Resistance . 340
11.2.3 Collision Resistance and the Birthday Attack . . . . . . . . . . . . . 341
11.3 Overview of Hash Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
11.3.1 Hash Functions from Block Ciphers . . . . . . . . . . . . . . . . . . . . 347
11.3.2 The Dedicated Hash Functions SHA-1, SHA-2 and SHA-3 . 349
11.4 The Secure Hash Algorithm SHA-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
11.4.1 SHA-256 Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
11.4.2 The SHA-256 Compression Function . . . . . . . . . . . . . . . . . . . 353
11.4.3 Implementation in Software and Hardware . . . . . . . . . . . . . . . 356
11.5 The Secure Hash Algorithm SHA-3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
11.5.1 High-Level View of SHA-3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
11.5.2 Suffix, Padding and Output Generation . . . . . . . . . . . . . . . . . . 360
11.5.3 The Function Keccak-f (or the Keccak-f Permutation) . . . . . . 361
11.5.4 Other Cryptographic Functions Based on Keccak . . . . . . . . . 367

11.5.5 Implementation in Software and Hardware . . . . . . . . . . . . . . . 368


11.6 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
11.7 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

12 Post-Quantum Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379


12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
12.1.1 Quantum Computing and Cryptography . . . . . . . . . . . . . . . . . 380
12.1.2 Quantum-Secure Asymmetric Cryptosystems . . . . . . . . . . . . . 383
12.1.3 The Use of Uncertainty in Cryptography . . . . . . . . . . . . . . . . . 384
12.2 Lattice-Based Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
12.2.1 The Learning With Errors (LWE) Problem . . . . . . . . . . . . . . . 389
12.2.2 A Simple LWE-Based Encryption System . . . . . . . . . . . . . . . 391
12.2.3 The Ring Learning With Errors Problem . . . . . . . . . . . . . . . . . 399
12.2.4 Ring-LWE Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . 401
12.2.5 LWE in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
12.2.6 Final Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
12.3 Code-Based Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
12.3.1 Linear Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
12.3.2 The Syndrome Decoding Problem . . . . . . . . . . . . . . . . . . . . . . 417
12.3.3 Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
12.3.4 Suitable Choices of Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
12.3.5 Final Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
12.4 Hash-Based Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
12.4.1 One-Time Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
12.4.2 Many-Time Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
12.4.3 Final Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
12.5 PQC Standardization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
12.6 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
12.7 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

13 Message Authentication Codes (MACs) . . . . . . . . . . . . . . . . . . . . . . . . . . . 465


13.1 Principles of Message Authentication Codes . . . . . . . . . . . . . . . . . . . . 466
13.2 MACs from Hash Functions: HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 468
13.3 MACs from Block Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
13.3.1 CBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
13.3.2 Cipher-based MAC (CMAC) . . . . . . . . . . . . . . . . . . . . . . . . . . 473
13.3.3 Authenticated Encryption: The Counter with Cipher Block Chaining-Message Authentication Code (CCM) . . . . . . 474
13.3.4 Authenticated Encryption: The Galois Counter Mode (GCM) . . . . . . 476
13.3.5 Galois Counter Message Authentication Code (GMAC) . . . . 478
13.4 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
13.5 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

14 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
14.2 Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
14.3 Key Establishment Using Symmetric-Key Techniques . . . . . . . . . . . . 490
14.3.1 Key Establishment with a Key Distribution Center . . . . . . . . 491
14.3.2 Needham-Schroeder Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 495
14.3.3 Remaining Problems with Symmetric-Key Distribution . . . . 496
14.4 Key Establishment Using Asymmetric Techniques . . . . . . . . . . . . . . . 497
14.4.1 Man-in-the-Middle Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
14.4.2 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
14.5 Public-Key Infrastructures (PKIs) and CAs . . . . . . . . . . . . . . . . . . . . . 504
14.5.1 Certificate Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
14.5.2 Certificate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
14.6 Practical Aspects of Key Management . . . . . . . . . . . . . . . . . . . . . . . . . 509
14.7 Discussion and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
14.8 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Chapter 1
Introduction to Cryptography and Data Security

This chapter introduces the most important terms of modern cryptology and teaches an important lesson about proprietary vs. openly known algorithms. We will also introduce modular arithmetic, which is useful for historical ciphers and of major importance in modern public-key cryptography.

In this chapter you will learn:
• The general rules of cryptography
• Key lengths for short-, medium- and long-term security
• The different ways of attacking ciphers
• A few historical ciphers, and along the way, modular arithmetic
• Why one should only use well-established cryptographic algorithms

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer-Verlag GmbH, DE, part of Springer Nature 2024
C. Paar et al., Understanding Cryptography, https://doi.org/10.1007/978-3-662-69007-9_1
1.1 Overview of Cryptology (and This Book)

The book at hand provides an introduction to cryptography. This is part of the broader area of cybersecurity, which deals with the protection of digital information against misuse. Even though cybersecurity is a complex field that encompasses technical aspects as well as organizational and human ones, almost all IT security solutions in practice employ cryptography as a crucial module. A rough analogy comes from the automotive domain: If cybersecurity is a car, cryptography is the engine. Even though there are obviously many parts and technologies that are needed for a car, every automobile relies on an engine as a central component. The same holds in the security domain: It is hard to build secure digital systems without cryptographic algorithms. As we know from almost daily reports about successful hacks against IT systems, cybersecurity is difficult to achieve. In this context it is important to bear in mind that today’s cryptography is usually the most secure part of a cybersecurity solution. This book is primarily concerned with modern cryptographic algorithms, also referred to as cryptographic primitives or ciphers.
If we hear the word cryptography our first associations might be cryptocurrencies, end-to-end encryption for the instant messenger running on our smartphone or secure website access. Perhaps we go back a little bit in history and think about the famous attack against the German Enigma encryption machine during World War II (Figure 1.1). In any case, cryptography seems closely linked to modern electronic communication. However, cryptography is a rather old business, with early examples dating back to about 2000 B.C., when non-standard “secret” hieroglyphics were used in ancient Egypt. Since Egyptian times cryptography has been used in one form or another in many, if not most, cultures that developed written language. For instance, there are documented cases of secret writing in ancient Greece, namely the scytale of Sparta (Figure 1.2), or the famous Caesar cipher in ancient Rome, about which we will learn later in this chapter. This book, however, strongly focuses on modern cryptographic methods and also teaches many data security issues and their relationship with cryptography.

Fig. 1.1 The German Enigma encryption machine (reproduced with permission of the Deutsches Museum, Munich)

Fig. 1.2 Scytale of Sparta
Let’s now have a look at the field of cryptography, shown in Figure 1.3. The first thing that we notice is that the most general term is cryptology and not cryptography. Cryptology splits into two main branches:

Fig. 1.3 Overview of the field of cryptology

Cryptography is the science of securing communication against an adversary. Historically, the main goal of cryptography was to hide the meaning of a message. Today, however, cryptography is also used for many other security goals such as the integrity and authenticity of messages.

Cryptanalysis is the science and sometimes art of breaking cryptosystems. You might think that code breaking is for the intelligence community or perhaps organized crime, and should not be included in a serious classification of a scientific discipline. However, most cryptanalysis nowadays is done by respectable researchers in academia. Cryptanalysis is of central importance for modern cryptosystems: Without people who try to break our cryptographic methods, we will never know whether they are really secure or not. This issue is discussed in more detail in Section 1.3.

Because cryptanalysis is the only way to ensure that a cryptosystem is secure, it is an integral part of cryptology. Nevertheless, the focus of this book is on cryptography: We introduce the most important practical cryptographic algorithms in detail. These are all ciphers that have withstood cryptanalysis for a long time, in most cases for several decades. In the case of cryptanalysis we will mainly restrict ourselves to providing state-of-the-art results with respect to breaking the cryptographic algorithms that are introduced, e.g., the factoring record for breaking the RSA scheme.
Let’s now go back to Figure 1.3. Cryptography itself splits into three main branches:

Symmetric Algorithms are what many people assume cryptography is about: Two parties have an encryption and decryption method for which they share a secret key. All cryptography from ancient times until 1976 was exclusively based on symmetric methods. Symmetric ciphers are still in widespread use, especially for actual data encryption and integrity checking of messages.

Asymmetric (or Public-Key) Algorithms. In 1976 an entirely different type of cipher was introduced by Whitfield Diffie, Martin Hellman and Ralph Merkle. In public-key cryptography, two keys exist: A user possesses a secret key as in symmetric cryptography but also a public key. Asymmetric algorithms can be used for applications such as digital signatures and key establishment but also for classical data encryption.

Cryptographic Protocols. Roughly speaking, cryptographic protocols realize more complex security functions through the use of cryptographic algorithms. Symmetric and asymmetric algorithms can be viewed as building blocks with which applications such as secure internet communication can be realized. The Transport Layer Security (TLS) scheme, which is used in every web browser, is an example of a cryptographic protocol.

Strictly speaking, hash functions, which will be introduced in Chapter 11, form a third class of algorithms but at the same time they share many properties with symmetric ciphers.

In the majority of cryptographic applications in practical systems, symmetric and asymmetric algorithms (and often also hash functions) are all used together. These are sometimes referred to as hybrid schemes. The reason for using both families of algorithms is that each has specific strengths and weaknesses.

The main focus of this book is on symmetric and asymmetric algorithms, as well as hash functions. However, we will also introduce basic security protocols. In particular, we will introduce several key establishment protocols and discuss what can be achieved with cryptographic protocols, including confidentiality of data, integrity of data, authentication of data, user identification, etc.
1.2 Symmetric Cryptography

This section deals with the concept of symmetric ciphers and introduces the historic substitution cipher. Using the substitution cipher as an example, we will learn the difference between brute-force and analytical attacks.

1.2.1 Basics

Symmetric cryptographic schemes are also referred to as symmetric-key, secret-key and single-key schemes or algorithms. Symmetric cryptography is best introduced with an easy-to-understand problem: There are two users, Alice and Bob, who want to communicate over an insecure channel (Figure 1.4). The term channel might sound a bit abstract but it is just a general term for the communication link: This can be the internet, a stretch of air in the case of smartphones or a Wi-Fi home network, or any other communication media you can think of. The actual problem starts with the bad guy, Oscar¹, who has access to the channel, for instance, by hacking into an internet router or by listening to the radio signals of a Wi-Fi communication. This type of unauthorized listening is called eavesdropping. Obviously, there are many situations in which Alice and Bob would prefer to communicate without Oscar listening. For instance, if Alice and Bob represent the headquarters and the research office of a pharmaceutical company, and they are transmitting documents containing their strategy for the development of a new pharmaceutical drug over the next few years, these documents should not get into the hands of competitors, or of foreign intelligence agencies for that matter.

Fig. 1.4 Communication over an insecure channel

In this situation, symmetric cryptography offers a powerful solution: Alice encrypts her message x using a symmetric algorithm, yielding the ciphertext y. Bob receives the ciphertext and decrypts the message. Decryption is, thus, the inverse process of encryption (Figure 1.5). What is the advantage? If we have a strong encryption algorithm, the ciphertext will look like random bits and Oscar will not be able to obtain any useful information from it.

¹ The name Oscar was chosen to remind us of the word opponent.

Fig. 1.5 Symmetric-key cryptosystem

The variables x, y and k in Figure 1.5 have special names in cryptography:
• x is called the plaintext or cleartext,
• y is called the ciphertext,
• k is called the key.

Note that the set of all possible keys is called the key space. The system needs a secure channel for distribution of the key between Alice and Bob. The secure channel shown in Figure 1.5 can, for instance, be a human who is transporting the key in a wallet between Alice and Bob. This is, of course, a cumbersome method. An example where this method works nicely is the pre-shared keys used in Wi-Fi Protected Access (WPA) encryption in wireless LANs. Later in this book we will learn methods for establishing keys over insecure channels. In any case, the key has only to be transmitted once between Alice and Bob and can then be used for securing many subsequent communications.

One important and also counterintuitive fact in this situation is that both the encryption and the decryption algorithms are publicly known. It seems that keeping the encryption algorithm secret should make the whole system harder to break. However, secret algorithms also mean less intensively tested algorithms: The only way to find out whether an encryption method is strong, i.e., cannot be broken by a determined attacker, is to make it public and have it analyzed by other cryptographers. Please see Section 1.3 for more discussion on this topic. The only thing that should be kept secret in a sound cryptosystem is the key.
Remarks:
1. It seems very likely that most modern cryptographic algorithms cannot be broken by anybody on planet Earth, including big intelligence agencies. This assumes, however, that the algorithm is used correctly. Especially, we have to ensure that an attacker does not get hold of the key. Of course, once Oscar knows the key, he can easily decrypt the message since the algorithm is publicly known. Hence it is crucial to note that the problem of transmitting a message securely is reduced to the problems of transmitting a key secretly and of storing the key in a secure fashion.
2. In this scenario we only consider the problem of confidentiality, that is, of hiding the contents of the message from an eavesdropper. We will see later in this book that there are many other things we can do with cryptography, such as preventing Oscar from making unnoticed changes to the message (message integrity) or ensuring that a message really comes from Alice (sender authentication).

1.2.2 Simple Symmetric Encryption: The Substitution Cipher

We will now learn one of the simplest methods for encrypting text, the substitution (= replacement) cipher. Historically this type of cipher has been widely used, and it is a good illustration of basic cryptography. We will use the substitution cipher for learning some important facts about key lengths and about different ways of attacking cryptographic algorithms.

The goal of the substitution cipher is the encryption of text (as opposed to bits in modern digital systems). The idea is very simple: We substitute each letter of the alphabet with another one.

Example 1.1.

Plaintext   Ciphertext
A      →    k
B      →    d
C      →    w
···

For instance, the pop group ABBA would be encrypted as kddk.

We assume that we choose the substitution table completely randomly, so that an attacker is not able to guess it. Note that the substitution table is the key of this cryptosystem. As always in symmetric cryptography, the key, i.e., the substitution table, has to be distributed between Alice and Bob in a secure fashion.

Example 1.2. Let’s look at another ciphertext:
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb
hcc hwwhbsqvqbre hwq vhlq

This does not seem to make too much sense and looks like decent cryptography. However, the substitution cipher is not secure at all! Let’s look at ways of breaking the cipher.

First Attack: Brute-Force Attack or Exhaustive Key Search

Brute-force attacks treat the cipher as a black box. They are based on a simple concept: Oscar, the attacker, has the ciphertext from eavesdropping on the channel and happens to have a short piece of plaintext, e.g., the header of a file that was encrypted. Oscar now simply decrypts the first piece of ciphertext with all possible keys. Again, the key for this cipher is the substitution table. If the resulting plaintext matches the short piece of plaintext, he knows that he has found the correct key.

Definition 1.2.1 Basic Exhaustive Key Search or Brute-Force Attack
Let (x, y) denote the pair of plaintext and ciphertext, and let K = {k_1, ..., k_κ} be the key space of all possible keys k_i. A brute-force attack now checks for every k_i ∈ K whether

    d_{k_i}(y) ≟ x.

If the equality holds, a possible correct key is found; if not, proceed with the next key.

In practice, a brute-force attack can be more complicated because incorrect keys can give false positive results. We will address this issue in Section 5.2.

It is important to note that a brute-force attack against symmetric ciphers is always possible in principle. Whether it is feasible in practice depends on the key space, i.e., on the number of possible keys that exist for a given cipher. If testing all the keys on many modern computers takes too much time, i.e., hundreds or thousands of years, the cipher is computationally secure against a brute-force attack. More on computational security will be said in Section 2.2.3.
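The search loop of Definition 1.2.1, as an added worked example that is not code from the book: since the 26! keys of the substitution cipher cannot be enumerated, the search runs against a 26-key shift cipher (the Caesar cipher the chapter mentions later), with a known piece of plaintext as the check. The file header, the secret key and the two-word dictionary are constructed sample values, and the recognizer variant only illustrates the false-positive caveat of the paragraph above; it is not a technique from the book.

```python
"""Exhaustive key search (Definition 1.2.1) on a toy cipher.

Added example, not code from the book. The cipher is a shift cipher with a
26-element key space, chosen so that the whole key space can actually be
enumerated; the search loop itself is exactly the definition's loop.
"""
import string

ALPHABET = string.ascii_lowercase
KEY_SPACE = range(26)  # K = {k_1, ..., k_26}: every possible shift


def shift_encrypt(plaintext: str, key: int) -> str:
    """e_k: shift every letter key positions forward; non-letters pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """d_k: the inverse of e_k (shift backwards by the same amount)."""
    return shift_encrypt(ciphertext, (-key) % 26)


def brute_force(ciphertext: str, known_plaintext: str) -> list[int]:
    """Return every k_i in K for which d_{k_i}(y) equals the known plaintext x.

    Only the leading len(known_plaintext) characters of the ciphertext are
    decrypted, mirroring the 'short piece of plaintext, e.g. the header of a
    file' in the text. The full candidate list is returned rather than the
    first hit, so the caller can see whether the answer is unique.
    """
    head = ciphertext[: len(known_plaintext)]
    return [k for k in KEY_SPACE if shift_decrypt(head, k) == known_plaintext.lower()]


def brute_force_recognizer(ciphertext: str, dictionary: set[str]) -> list[int]:
    """Ciphertext-only variant: accept a key if the decryption 'looks right'.

    Without an exact known plaintext the attacker must recognise plausible
    plaintext instead, and that test can accept wrong keys as well: these
    are the false positives the text refers to.
    """
    return [k for k in KEY_SPACE if shift_decrypt(ciphertext, k) in dictionary]


if __name__ == "__main__":
    # Constructed sample: a message whose first bytes (the "header") are known.
    secret_key = 17
    ciphertext = shift_encrypt("header: quarterly figures", secret_key)
    print("candidates with known header:", brute_force(ciphertext, "header:"))
    # Constructed false-positive case: 'adds' and 'beet' are both English
    # words exactly one shift apart, so a dictionary test cannot separate
    # the two keys that produce them.
    print("candidates with dictionary test:",
          brute_force_recognizer(shift_encrypt("adds", 1), {"adds", "beet"}))
```

With an exact known-plaintext check the shift cipher yields a single candidate key; with a plausibility test it yields two, which is the reason the book returns to false positives in Section 5.2.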
Let’s determine the key space of the substitution cipher: When choosing the replacement for the first letter A, we randomly choose one letter from the 26 letters of the alphabet (in the example above we chose k). The replacement for the next alphabet letter B was randomly chosen from the remaining 25 letters, etc. Thus there exist the following number of different substitution tables:

    key space of the substitution cipher = 26 · 25 ··· 3 · 2 · 1 = 26! ≈ 2^88

That means the key space has roughly a size of 2^88, which is equal to the key space of a cipher that has a key consisting of 88 bits. Even with hundreds of thousands of high-end PCs such a search would take several decades! Thus, we are tempted to conclude that the substitution cipher is secure. But this is incorrect because there is another, more powerful, attack, which will be described in the following.

Second Attack: Letter Frequency Analysis

First we note that the brute-force attack from above treats the cipher as a black box, i.e., we do not analyze the internal structure of the cipher. The substitution cipher, however, can easily be broken by an analytical attack, one that does exploit its internal structure.

The major weakness of the cipher is that each plaintext symbol always maps to the same ciphertext symbol. That means that the statistical properties of the plaintext are preserved in the ciphertext. If we go back to the second example we observe that the letter q occurs most frequently in the text. From this we know that q must be the substitution for one of the frequent letters in the English language. For practical attacks, the following properties of language can be exploited:
1. Determine the frequency of every ciphertext letter. The frequency distribution, usually quite stable even for relatively short pieces of encrypted text, will be close to that of the given language in general. In particular, the most frequent letters can often easily be spotted in ciphertexts. For instance, in English E is the most frequent letter (about 13%), T is the second most frequent letter (about 9%), A is the third most frequent letter (about 8%), and so on. Table 1.1 lists the letter frequency distribution of English.

Table 1.1 Relative letter frequencies of the English language

Letter Frequency Letter Frequency


A 0.0817 N 0.0675
B 0.0150 O 0.0751
C 0.0278 P 0.0193
D 0.0425 Q 0.0010
E 0.1270 R 0.0599
F 0.0223 S 0.0633
G 0.0202 T 0.0906
H 0.0609 U 0.0276
I 0.0697 V 0.0098
J 0.0015 W 0.0236
K 0.0077 X 0.0015
L 0.0403 Y 0.0197
M 0.0241 Z 0.0007

2. The method above can be generalized by looking at pairs or triples, or quadruples, and so on of ciphertext symbols. For instance, in English (and some other European languages), the letter Q is almost always followed by a U. This behavior can be exploited to detect the substitution of the letter Q and the letter U.
3. If we assume that word separators, which means “blanks”, have been found (which is only sometimes the case), one can often detect frequent short words such as THE, AND, etc. Once we have identified one of these words, we immediately know three letters (or whatever the length of the word is) for the entire text.

In practice, the three techniques listed above are often combined to break substitution ciphers.

Example 1.3. If we analyze the encrypted text from Example 1.2, we obtain:
WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON
ALL ARRANGEMENTS ARE MADE

Lesson learned Good ciphers should hide the statistical properties of the encrypted plaintext. The ciphertext symbols should appear to be random. Also, a large key space alone is not sufficient for a strong encryption function.
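The substitution cipher together with the key-space count and the attack techniques of this section, as an added worked example that is not part of the book. The ciphertext is Example 1.2, the plaintext Example 1.3 and the frequencies are Table 1.1; the substitution table used in the examples is recovered here by aligning the two texts, and the helper names are this example's own. Running it shows that on a text this short a frequency ranking alone (technique 1) pins down only q → E, while the most frequent three-letter word (technique 3) fixes T, H and E in one step, which is why the text says the techniques are combined in practice.

```python
"""Substitution cipher, its key space, and the attacks of Section 1.2.2.

Added example, not code from the book. Texts and frequency table are taken
from Examples 1.2/1.3 and Table 1.1; everything else is this example's own.
"""
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Table 1.1: relative letter frequencies of English.
ENGLISH_FREQ = {
    "A": 0.0817, "B": 0.0150, "C": 0.0278, "D": 0.0425, "E": 0.1270,
    "F": 0.0223, "G": 0.0202, "H": 0.0609, "I": 0.0697, "J": 0.0015,
    "K": 0.0077, "L": 0.0403, "M": 0.0241, "N": 0.0675, "O": 0.0751,
    "P": 0.0193, "Q": 0.0010, "R": 0.0599, "S": 0.0633, "T": 0.0906,
    "U": 0.0276, "V": 0.0098, "W": 0.0236, "X": 0.0015, "Y": 0.0197,
    "Z": 0.0007,
}
ENGLISH_BY_FREQ = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)

CIPHERTEXT_1_2 = ("iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb "
                  "hcc hwwhbsqvqbre hwq vhlq")
PLAINTEXT_1_3 = ("WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON "
                 "ALL ARRANGEMENTS ARE MADE")


def random_key() -> dict[str, str]:
    """A substitution table chosen uniformly at random: the key of the cipher."""
    shuffled = list(ALPHABET)
    secrets.SystemRandom().shuffle(shuffled)  # CSPRNG, not random.shuffle
    return dict(zip(string.ascii_uppercase, shuffled))


def encrypt(plaintext: str, key: dict[str, str]) -> str:
    """Replace each upper-case plaintext letter by its table entry; keep blanks."""
    return "".join(key.get(ch, ch) for ch in plaintext.upper())


def decrypt(ciphertext: str, key: dict[str, str]) -> str:
    """Apply the inverse table (decryption is the inverse of encryption)."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def key_space_bits() -> int:
    """log2(26!) rounded down: the '88-bit' key space quoted in the text."""
    return int(math.log2(math.factorial(26)))


def letter_counts(text: str) -> Counter:
    """Technique 1, step one: how often does each ciphertext letter occur?"""
    return Counter(ch for ch in text if ch in ALPHABET)


def frequency_guess(ciphertext: str) -> dict[str, str]:
    """Technique 1: i-th most frequent ciphertext letter -> i-th most frequent
    English letter. Ties keep first-appearance order (Counter.most_common)."""
    ranked = [c for c, _ in letter_counts(ciphertext).most_common()]
    return dict(zip(ranked, ENGLISH_BY_FREQ))


def short_word_guess(ciphertext: str, word: str = "THE") -> dict[str, str]:
    """Technique 3: the most frequent word of len(word) letters is assumed to
    be `word`, which fixes several letters of the table at once."""
    words = [w for w in ciphertext.split() if len(w) == len(word)]
    best, _ = Counter(words).most_common(1)[0]
    return dict(zip(best, word))


def recovered_key_1_2() -> dict[str, str]:
    """Align Example 1.3 with Example 1.2 to obtain the table that was used."""
    return {p: c for p, c in zip(PLAINTEXT_1_3, CIPHERTEXT_1_2) if p != " "}


def correct_fraction(guess: dict[str, str], true_key: dict[str, str]) -> float:
    """Share of guessed ciphertext letters mapped to the right plaintext letter."""
    inverse = {c: p for p, c in true_key.items()}
    hits = sum(1 for c, p in guess.items() if inverse.get(c) == p)
    return hits / len(guess)


if __name__ == "__main__":
    key = recovered_key_1_2()
    print("key space:", key_space_bits(), "bits")
    print("most frequent ciphertext letter:", letter_counts(CIPHERTEXT_1_2).most_common(1))
    print("technique 1 alone, fraction correct:", correct_fraction(frequency_guess(CIPHERTEXT_1_2), key))
    print("technique 3 (most frequent 3-letter word = THE):", short_word_guess(CIPHERTEXT_1_2))
    print("decrypts to:", decrypt(CIPHERTEXT_1_2, key))
```

The short text has 61 letters, so only the leading rank (q → E) of the frequency guess is reliable; every remaining rank is off by ties or small-sample noise, whereas the repeated word rdq immediately yields r → T, d → H, q → E.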

1.3 Cryptanalysis

This section deals with recommended key lengths of symmetric ciphers and different ways of attacking cryptographic algorithms. It is stressed that a cipher should be secure even if the attacker knows the details of the algorithm.

1.3.1 General Thoughts on Breaking Cryptosystems

If we ask someone with some technical background what breaking ciphers is about, he/she will most likely say that code breaking has to do with heavy mathematics, smart people and large computers. We have images in mind of the British code breakers during World War II, attacking the German Enigma cipher with extremely smart mathematicians (the famous computer scientist Alan Turing headed the efforts) and room-sized electro-mechanical computers. However, in practice there are also other methods for code breaking. For a secure cryptosystem, it is important (1) to use sound cryptographic algorithms and protocols and (2) to use correct implementations of the algorithms. Let’s look at different ways of breaking cryptosystems in the real world shown in Figure 1.6.

Classical Cryptanalysis

Classical cryptanalysis attempts to break a cipher by analyzing the inputs and outputs. We recall from the earlier discussion that cryptanalysis can be divided into analytical attacks, which exploit the internal structure of the encryption method, and brute-force attacks, which treat the encryption algorithm as a black box and test all possible keys. The specific goal of the adversary can vary but in most cases Oscar attempts to recover the plaintext x from the ciphertext y or he attempts to recover the key k from the ciphertext y. Especially for analytical attacks it is helpful to look at what information the opponent has in addition to the ciphertext. The main classes of attacks are:
• Ciphertext-only attack: The adversary has only access to the ciphertext.
• Known-plaintext attack: In addition to the ciphertext, the adversary also knows some pieces of the plaintext (e.g., header information of an encrypted file or email).
• Chosen-plaintext attack: The adversary can choose the plaintext that is being encrypted and also has access to the corresponding ciphertext. This can for instance be the case when he has access to a decryption device such as a smart card and he attempts to recover the secret key.
• Chosen-ciphertext attack: The adversary can choose ciphertexts and also obtains the corresponding plaintexts. Again, the goal is typically to recover the secret key.

This list is not exhaustive; additional attacks include adaptive chosen-plaintext and adaptive chosen-ciphertext attacks or the related-key attack.

Fig. 1.6 Overview of cryptanalysis

Implementation Attacks

Side-channel analysis can be used to extract a secret key by observing the behavior of a cryptographic implementation, e.g., an integrated circuit or a piece of software. One family of attacks uses the electrical power consumption or electromagnetic radiation of the CPU that computes the cryptographic algorithms as side channels. The attacker records the power or electromagnetic traces and applies signal processing techniques to recover the key. Related attacks are based on timing side channels, in which the adversary measures the run time behavior of a cryptographic implementation and attempts to compute the key from the timing measurements. All of these attacks are mainly used against devices to which an attacker has physical access, such as smart cards, smartphones or IoT devices.²

Another family of attacks exploits software side channels. They are primarily relevant if different processes are running on a computer, e.g., in cloud computing. The assumption is that the adversary controls one process with which he is able to learn secret values such as cryptographic keys from another process. To gain information, the hostile process exploits effects such as timing behavior or cache access patterns. A main mechanism for preventing software side channels is to ensure that cryptographic implementations have a constant run time, independent of any secret value.

Social Engineering Attacks

Bribing, blackmailing, tricking or classical espionage can be used to obtain a secret key by involving humans. For instance, forcing someone to reveal his/her secret key, e.g., by holding a gun to his/her head, can be quite successful. Another, less violent, attack is to simply call the victim by phone and say: “This is the IT department of your company. For important software updates we need your password”. It is always surprising how many people are naïve enough to actually give out their passwords in such situations.

Even though both implementation attacks and social engineering attacks can be quite powerful in practice, this book mainly assumes attacks based on mathematical cryptanalysis and brute-force attacks.

We note that the list of attacks against cryptographic systems is certainly not exhaustive. For instance, malware on a computer can also reveal secret keys in software systems. You might think that many of these attacks, especially social engineering and implementation attacks, are “unfair” but there is little fairness in real-world cryptography. If people want to break your IT system, they are already breaking the rules and are, thus, unfair. The major point to learn here is:

An attacker always looks for the weakest link in your cryptosystem. That means we have to choose strong algorithms and we have to make sure that all other attacks such as social engineering and implementation attacks are not feasible.

Solid cryptosystems should adhere to Kerckhoffs’ Principle, postulated by Auguste Kerckhoffs in 1883.

² Note that most modern hardware tokens that are security sensitive, such as smart cards used for payment, have built-in countermeasures against side-channel attacks and are very hard to break.

Definition 1.3.1 Kerckhoffs’ Principle

A cryptosystem should be secure even if the attacker (Oscar) knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.

Some background information on the principle can be found in the Further Reading, Section 1.5.

Important Remark: Kerckhoffs’ Principle is counterintuitive! It is extremely tempting to design a system that appears to be more secure because we keep the details hidden. This is called security by obscurity. However, experience and military history have shown over time that such systems are almost always weak, and they are very often broken easily as soon as the secret design has been reverse-engineered or leaked out through other means. An instructive case study for this is the attack on Mifare chipcards. This type of chipcard had been deployed in the millions in applications for contactless payment, e.g., in the original Oyster card used for London’s public transportation system. Its security was based on a cipher which was kept secret. This worked “well” for several years. However, after reverse-engineering the cipher, researchers quickly found several ways of attacking the algorithm, both with classical cryptanalysis and implementation attacks. This led to severe security problems for the real-world systems that were based on Mifare. For this reason, cryptographic algorithms must provide security even if an attacker gets to know all internal details except for the key.

1.3.2 How Many Key Bits Are Enough?

During the 1990s there was much public discussion about the key length of ciphers. Before we provide some guidelines, there are two crucial aspects to remember:

1. The discussion of key lengths for symmetric cryptographic algorithms is only relevant if a brute-force attack is the best known attack. As we saw in Section 1.2.2 during the security analysis of the substitution cipher, if there is an analytical attack that works, a large key space does not help at all. Of course, if there is the possibility of social engineering or implementation attacks, a long key also does not help.
2. The key lengths for symmetric and asymmetric algorithms are dramatically different. For instance, a 128-bit symmetric key provides roughly the same security as a 3072-bit RSA (RSA is a popular asymmetric algorithm) key.

Both facts are often misunderstood, especially in the semitechnical literature.
Table 1.2 gives a rough indication of the security of symmetric ciphers with respect to brute-force attacks. As described in Section 1.2.2, a large key space is a necessary but not sufficient condition for a secure symmetric cipher. The cipher must also be strong against analytical attacks. The table mentions quantum computers. The role that they play for the cryptanalysis of symmetric ciphers is discussed in Section 12.1.1.

Table 1.2 Estimated time for successful brute-force attacks on symmetric ciphers with different key lengths

Key length      Security estimation
56–64 bits      short term: a few hours or days
112–128 bits    long term: several decades in the absence of quantum computers
256 bits        long term: several decades, even with quantum computers that run the currently known quantum computing algorithms
Foretelling the Future Of course, predicting the future tends to be tricky: We cannot really foresee new technical or theoretical developments with certainty. As you can imagine, it is very hard to know what kinds of computers will be available in the year 2050. For medium-term predictions, Moore’s Law is often assumed. Roughly speaking, Moore’s Law states that computing power doubles every 18 months³ while the costs stay constant. This has the following implications in cryptography: If today we need one month and computers worth $1,000,000 to break a cipher X, then:

■ The cost for breaking the cipher will be $500,000 in 18 months (since we only have to buy half as many computers),
■ $250,000 in 3 years,
■ $125,000 in 4.5 years, and so on.

It is important to stress that Moore’s law is an exponential function. In 15 years, i.e., after 10 iterations of computer power doubling, we can do 2^10 = 1024 times as many computations for the same money we would need to spend today. Stated differently, we only need to spend about 1/1000th of today’s money to do the same computation. In the example above that means that we can break cipher X in 15 years within one month at a cost of about $1,000,000/1024 ≈ $1000. Alternatively, with $1,000,000, an attack can be accomplished within 45 minutes in 15 years from now. Moore’s law behaves similarly to a bank account which pays a 100% interest rate every 18 months: The compound interest grows very, very quickly. Unfortunately, there are few trustworthy banks which offer such an interest rate.

³ In the literature, the doubling period of Moore’s law is sometimes alternatively given as 24 months. In the security context, it barely matters what exactly the doubling period is. The crucial fact is that computing power grows exponentially over time.

1.4 Modular Arithmetic and More Historical Ciphers

In this section we use two historical ciphers to introduce modular arithmetic with integers. Even though the historical ciphers are no longer relevant, modular arithmetic is extremely important in modern cryptography, especially for asymmetric algorithms. Ancient ciphers date back to Egypt, where substitution ciphers were used. A very popular special case of the substitution cipher is the Caesar cipher, which is said to have been used by Julius Caesar to communicate with his army. The Caesar cipher simply shifts the letters in the alphabet by a constant number of steps. When the end of the alphabet is reached, the letters repeat in a cyclic way, similarly to numbers in modular arithmetic.

To make computations with letters more practicable, we can assign each letter of the alphabet a number. By doing so, an encryption with the Caesar cipher simply becomes a (modular) addition with a fixed value. Instead of just adding constants, a multiplication with a constant can be applied as well. This leads us to the affine cipher.

Both the Caesar cipher and the affine cipher will now be discussed in more detail.

1.4.1 Modular Arithmetic

Almost all cryptographic algorithms, both symmetric ciphers and asymmetric ciphers, are based on arithmetic within a finite number of elements. Most number sets we are used to, such as the set of natural numbers or the set of real numbers, are infinite. In the following we introduce modular arithmetic, which is a simple way of performing arithmetic on a finite set of integers. Let’s look at an example of a finite set of integers from everyday life:

Example 1.4. Consider the hours on a clock. If you keep adding one hour, you obtain:

1h, 2h, 3h, . . . , 11h, 12h, 1h, 2h, 3h, . . . , 11h, 12h, 1h, 2h, 3h, . . .

Even though we keep adding one hour, we never leave the set.

Let’s look at a general way of dealing with arithmetic in such finite sets.

Example 1.5. We consider the set of the nine numbers:

{0, 1, 2, 3, 4, 5, 6, 7, 8}

We can do regular arithmetic as long as the results are smaller than 9. For instance:

2 · 3 = 6
4 + 4 = 8

But what about 8 + 4? Now we try the following rule: Perform regular integer arithmetic and divide the result by 9. We then consider only the remainder rather than the original result. Since 8 + 4 = 12, and 12/9 has a remainder of 3, we write:

8 + 4 ≡ 3 mod 9

We now introduce an exact definition of the modulo operation.

Definition 1.4.1 Modulo Operation

Let a, r, m ∈ Z (where Z is the set of all integers) and m > 0. We write

a ≡ r mod m

if m divides a − r.
m is called the modulus and r is called the remainder.

There are implications from this definition that go beyond the casual rule “divide by
the modulus and consider the remainder.” We discuss these in the following.

Computation of the Remainder

It is always possible to write a ∈ Z such that

a = q · m + r    for 0 ≤ r < m    (1.1)

Since a − r = q · m, i.e., m divides a − r, we can now write: a ≡ r mod m. Note that r ∈ {0, 1, 2, . . . , m − 1}.

Example 1.6. Let a = 42 and m = 9. Then

42 = 4 · 9 + 6

and therefore 42 ≡ 6 mod 9.

The Remainder Is Not Unique

It is somewhat surprising that for every given modulus m and number a, there are (infinitely) many valid remainders. Let’s look at another example:

Example 1.7. We want to reduce 12 modulo 9. Here are several results that are correct according to the definition:

■ 12 ≡ 3 mod 9, 3 is a valid remainder since 9 | (12 − 3)
■ 12 ≡ 21 mod 9, 21 is a valid remainder since 9 | (12 − 21)
■ 12 ≡ −6 mod 9, −6 is a valid remainder since 9 | (12 − (−6))

where “x | y” means “x divides y”. There is a system behind this behavior. The set of numbers:

{. . . , −24, −15, −6, 3, 12, 21, 30, . . .}

forms what is called an equivalence class. There is a total of nine equivalence classes for the modulus 9:

{. . . , −27, −18, −9, 0, 9, 18, 27, . . .}
{. . . , −26, −17, −8, 1, 10, 19, 28, . . .}
⋮
{. . . , −19, −10, −1, 8, 17, 26, 35, . . .}

We note that every integer, i.e., every number without decimal places from minus infinity to plus infinity, is a member in one of these equivalence classes.

All Members of a Given Equivalence Class Behave Equivalently

For a given modulus m, it does not matter which element from a class we choose for a given computation. This property of equivalence classes has major practical implications. If we have involved computations with a fixed modulus — which is usually the case in cryptography — we are free to choose the class element that results in the easiest computation. Let’s look first at an example.

Example 1.8. The core operation in many practical public-key schemes is an exponentiation of the form x^e mod m, where x, e, m are very large integers, say, 2048 bits each. Using a toy-size example, we can demonstrate two ways of doing modular exponentiation. We want to compute 3^8 mod 7. The first method is the straightforward approach, and for the second one we switch within the equivalence class.

1. Naïve method: We compute 3^8 = 6561 ≡ 2 mod 7, since 6561 = 937 · 7 + 2. Note that we obtain the fairly large intermediate result 6561 even though we know that our final result cannot be larger than 6.
2. Here is a much smarter method: First we perform two partial exponentiations:

3^8 = 3^4 · 3^4 = 81 · 81

We can now replace the intermediate results 81 by another member of the same equivalence class. The smallest positive member modulo 7 in the class is 4 (since 81 = 11 · 7 + 4). Hence:

3^8 = 81 · 81 ≡ 4 · 4 = 16 mod 7

From here we obtain the final result easily as 16 ≡ 2 mod 7.

Note that we could perform the second method without a pocket calculator since the numbers never become larger than 81. For the first method, on the other hand, dividing 6561 by 7 is mentally already a bit challenging. As a general rule we should remember that it is almost always of computational advantage to apply the modulo reduction as soon as we can in order to keep the numbers small.

Of course, the final result of any modulo computation is always the same, no matter how often we switch back and forth within equivalence classes.
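As an added example (my own code, not the book’s), the following Python implements Definition 1.4.1 and Equation (1.1) literally and contrasts the naïve method of Example 1.8 with early reduction, generalized from the single 3^4 · 3^4 split to square-and-multiply, which reduces after every squaring and every multiplication; the function names are my own.

```python
"""Modular reduction (Definition 1.4.1, Equation (1.1)) and early reduction in
modular exponentiation (Example 1.8). Added example, not the book's own code."""


def is_congruent(a: int, r: int, m: int) -> bool:
    """Definition 1.4.1: a ≡ r mod m holds iff m divides a - r (m > 0)."""
    if m <= 0:
        raise ValueError("the modulus m must be positive")
    return (a - r) % m == 0


def canonical_remainder(a: int, m: int):
    """Return (q, r) with a = q * m + r and 0 <= r < m, i.e. Equation (1.1).

    r is the agreed representative of the equivalence class of a; any
    a + k * m is an equally valid remainder (Example 1.7).
    """
    if m <= 0:
        raise ValueError("the modulus m must be positive")
    q, r = divmod(a, m)          # Python's divmod yields 0 <= r < m for m > 0
    assert a == q * m + r and 0 <= r < m
    return q, r


def modexp_naive(x: int, e: int, m: int):
    """Method 1 of Example 1.8: compute x**e in full, then reduce once.

    Returns (result, bit length of the largest intermediate value) so the
    cost of not reducing early can be compared with modexp_early_reduce.
    """
    big = x ** e                 # e.g. 3**8 = 6561 for a result that is < 7
    return big % m, big.bit_length()


def modexp_early_reduce(x: int, e: int, m: int):
    """Method 2 of Example 1.8, generalized to square-and-multiply.

    The book splits 3^8 into 3^4 * 3^4 and replaces 81 by 4 before
    multiplying. Square-and-multiply does the same at every step: after each
    squaring and each multiplication the product is replaced by its smallest
    non-negative class member, so no intermediate value exceeds (m - 1)**2.
    """
    if m <= 0 or e < 0:
        raise ValueError("need m > 0 and e >= 0")
    result, base = 1, x % m
    largest = base
    while e > 0:
        if e & 1:                # current bit of e is set: multiply in base
            prod = result * base
            largest = max(largest, prod)
            result = prod % m    # reduce immediately
        sq = base * base
        largest = max(largest, sq)
        base = sq % m            # reduce immediately
        e >>= 1
    return result, largest.bit_length()


if __name__ == "__main__":
    print(is_congruent(12, 3, 9), is_congruent(12, 21, 9), is_congruent(12, -6, 9))
    print(canonical_remainder(42, 9))       # (4, 6): 42 = 4 * 9 + 6
    print(modexp_naive(3, 8, 7))            # (2, 13): 6561 needs 13 bits
    print(modexp_early_reduce(3, 8, 7))     # (2, 5): nothing grows beyond 16
```

For a 2048-bit modulus the naïve method would have to hold a number of roughly e · 2048 bits, while the early-reduction method never handles more than 4096 bits.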

Which Remainder Do We Choose?

By agreement, we usually choose r in Equation (1.1) such that:

0 ≤ r ≤ m − 1

However, mathematically it does not matter which member of an equivalence class we use.

1.4.2 Integer Rings

After studying the properties of modulo reduction we are now ready to define in more general terms a structure that is based on modulo arithmetic. Let’s look at the mathematical construction that we obtain if we consider the set of integers from zero to m − 1 together with the operations addition and multiplication.

Definition 1.4.2 Ring

The integer ring Z_m consists of:
1. The set Z_m = {0, 1, 2, . . . , m − 1}
2. Two operations “+” and “·” for all a, b ∈ Z_m such that:
   1. a + b ≡ c mod m (c ∈ Z_m)
   2. a · b ≡ d mod m (d ∈ Z_m)

Let’s first look at an example of a small integer ring.

Example 1.9. Let m = 9, i.e., we are dealing with the ring Z_9 = {0, 1, 2, 3, 4, 5, 6, 7, 8}. Here are two simple computations in this ring:

6 + 8 = 14 ≡ 5 mod 9
6 · 8 = 48 ≡ 3 mod 9


More about rings and finite fields, which are related to rings, is discussed in Section 4.3. At this point, the following properties of rings are important:

■ We can add and multiply any two numbers from the set and the result is always in the ring. A ring is said to be closed.
■ Addition and multiplication are associative, i.e., a + (b + c) = (a + b) + c and a · (b · c) = (a · b) · c, for all a, b, c ∈ Z_m.
■ Addition is commutative, i.e., a + b = b + a, for all a, b ∈ Z_m.
■ There is the neutral element 0 with respect to addition, i.e., for every element a ∈ Z_m it holds that a + 0 ≡ a mod m.
■ For any element a in the ring, there is always the negative element −a such that a + (−a) ≡ 0 mod m, i.e., the additive inverse always exists.
■ There is the neutral element 1 with respect to multiplication, i.e., for every element a ∈ Z_m it holds that a · 1 ≡ a mod m.
■ The multiplicative inverse exists only for some, but not for all, elements. Let a ∈ Z_m. The inverse a^{-1} is defined such that

a · a^{-1} ≡ 1 mod m

If an inverse exists for a, we can divide by this element since b/a ≡ b · a^{-1} mod m.
■ Another ring property is that a · (b + c) = (a · b) + (a · c) for all a, b, c ∈ Z_m, i.e., the distributive law holds.

In summary, roughly speaking, we can say that the ring Z_m is the set of integers {0, 1, 2, . . . , m − 1} in which we can add, subtract, multiply and sometimes divide.

One issue that is worth discussing is the multiplicative inverse. It takes some effort to find the inverse (usually employing the extended Euclidean algorithm, which is introduced in Section 6.3). However, there is an easy way of telling whether an inverse for a given element a exists or not:

An element a ∈ Z_m has a multiplicative inverse a^{-1} if and only if gcd(a, m) = 1, where gcd is the greatest common divisor, i.e., the largest integer that divides both numbers a and m. The fact that two numbers have a gcd of 1 is of importance in number theory, and there is a special name for it: If gcd(a, m) = 1, then a and m are said to be relatively prime or coprime.

Example 1.10. Let’s see whether the multiplicative inverse of 15 exists in Z_26. Because

gcd(15, 26) = 1

the inverse must exist. (In fact, the inverse is 7 since 7 · 15 ≡ 1 mod 26.) On the other hand, since

gcd(14, 26) = 2 ≠ 1

the multiplicative inverse of 14 does not exist in Z_26.

As mentioned earlier, the ring Z_m, and thus integer arithmetic with the modulo operation, is of central importance in modern public-key cryptography. In practice, the integers involved have a length of 256–4096 bits so that we need ways to perform modular arithmetic with such large numbers efficiently.

1.4.3 Shift Cipher (or Caesar Cipher)

We now introduce another historical cipher, the shift cipher. It is actually a special case of the substitution cipher and has a very elegant mathematical description.

The shift cipher itself is extremely simple: We simply shift every plaintext letter by a fixed number of positions in the alphabet. For instance, if we shift by 3 positions, A would be substituted by d, B by e, etc. The only problem arises towards the end of the alphabet: What should we do with X, Y, Z? As you might have guessed, they should “wrap around”. That means X should become a, Y should become b, and Z is replaced by c. (In light of this rule, a more accurate name for the shift cipher would be “rotation cipher” but this name is rarely used.) Allegedly, Julius Caesar used this cipher with a three-position shift.

The shift cipher also has an elegant description using modular arithmetic. For the mathematical representation of the cipher, the letters of the alphabet are encoded as numbers, as depicted in Table 1.3.

Table 1.3 Encoding of letters for the shift cipher

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25

Both the plaintext letters and the ciphertext letters are now elements of the ring Z_26. Also, the key, i.e., the number of shift positions, is in Z_26 since more than 26 shifts would not make sense (27 shifts would be the same as 1 shift, etc.). The encryption and decryption of the shift cipher are as follows.

Definition 1.4.3 Shift Cipher

Let x, y, k ∈ Z_26.
Encryption: e_k(x) ≡ x + k mod 26
Decryption: d_k(y) ≡ y − k mod 26

Example 1.11. Let the key be k = 17, and the plaintext is:

ATTACK = x_1, x_2, . . . , x_6 = 0, 19, 19, 0, 2, 10

The ciphertext is then computed as

y_1, y_2, . . . , y_6 = 17, 10, 10, 17, 19, 1 = rkkrtb

As you can guess from the discussion of the substitution cipher earlier in this
book, the shift cipher is not secure at all. There are two ways of attacking it:
1. Since there are only 26 different keys (shift positions), one can easily launch a
brute-force attack by trying to decrypt a given ciphertext with all possible 26
keys. If the resulting plaintext is readable text, you have found the key.
2. As for the substitution cipher, one can also use letter frequency analysis. The
attack works even better for the shift cipher than for the substitution cipher. As
soon as the attacker has discovered the ciphertext letter for one plaintext letter,
he/she knows the number of shifts and thus has the key.

1.4.4 Affine Cipher

We try now to improve the shift cipher by generalizing the encryption function. Recall that the actual encryption of the shift cipher was the addition of the key y_i ≡ x_i + k mod 26. The affine cipher encrypts by multiplying the plaintext by one part of the key followed by addition of another part of the key.

Definition 1.4.4 Affine Cipher

Let x, y, a, b ∈ Z_26.
Encryption: e_k(x) = y ≡ a · x + b mod 26
Decryption: d_k(y) = x ≡ a^{-1} · (y − b) mod 26
with the key: k = (a, b), which has the restriction: gcd(a, 26) = 1.

The decryption is easily derived from the encryption function:

a · x + b ≡ y mod 26
a · x ≡ (y − b) mod 26
x ≡ a^{-1} · (y − b) mod 26

The restriction gcd(a, 26) = 1 stems from the fact that the key parameter a needs to be inverted for decryption. We recall from Section 1.4.2 that an element a and the modulus must be relatively prime for the inverse of a to exist. Thus, a must be in the set:

a ∈ {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25}    (1.2)

But how do we find a^{-1}? For now, we can simply compute it by trial and error: For a given a we simply try all possible values a^{-1} until we obtain:

a · a^{-1} ≡ 1 mod 26

For instance, if a = 3, then a^{-1} = 9 since 3 · 9 = 27 ≡ 1 mod 26. Note that a^{-1} also always fulfills the condition gcd(a^{-1}, 26) = 1 since the inverse of a^{-1} always exists. In fact, the inverse of a^{-1} is a itself. Hence, for the trial-and-error determination of a^{-1} one only has to check the values given in Equation (1.2).

Example 1.12. Let the key be k = (a, b) = (9, 13), and the plaintext be

ATTACK = x_1, x_2, . . . , x_6 = 0, 19, 19, 0, 2, 10.

The ciphertext is computed as

y_1, y_2, . . . , y_6 = 13, 2, 2, 13, 5, 25 = nccnfz

For decryption, the inverse of a needs to be determined, which turns out to be a^{-1} = 3.

Is the affine cipher secure? No! The key space is only a bit larger than in the case of the shift cipher:

key space = (#values for a) · (#values for b) = 12 · 26 = 312

A key space with 312 elements can, of course, still be searched exhaustively, i.e.,
brute-force attacked, in a fraction of a second with any PC. In addition, the affine
cipher has the same weakness as the shift and substitution cipher: The mapping
between plaintext letters and ciphertext letters is fixed. Hence, it can also be broken
with letter frequency analysis.
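As an added example (my own code, not the book’s), the following Python implements Definitions 1.4.3 and 1.4.4 over Z_26 with the letter encoding of Table 1.3, finds a^{-1} by the trial-and-error search of Section 1.4.4, reproduces Examples 1.11 and 1.12, and enumerates the 312-key space to show that a single known plaintext/ciphertext pair pins down the key; the function names are my own.

```python
"""Shift cipher and affine cipher over Z_26 (Definitions 1.4.3 and 1.4.4).

Added example, not code from the book. The shift cipher is the affine cipher
with a = 1, so one implementation serves both. The inverse of a is found by
trial and error exactly as Section 1.4.4 describes, and the 12 * 26 = 312
keys are enumerated to show how small the key space is.
"""
from math import gcd
from typing import List, Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # Table 1.3: a -> 0, ..., z -> 25
M = 26


def encode(text: str) -> List[int]:
    """Map letters to elements of Z_26 (Table 1.3); case is ignored."""
    return [ALPHABET.index(c) for c in text.lower()]


def decode(values: List[int]) -> str:
    return "".join(ALPHABET[v % M] for v in values)


def inverse_by_trial(a: int) -> Optional[int]:
    """Find a^{-1} with a * a^{-1} ≡ 1 mod 26 by trying candidates.

    Section 1.4.2: an inverse exists iff gcd(a, 26) = 1. Only candidates
    from Equation (1.2) need to be tried, because a^{-1} is itself
    invertible (its inverse is a).
    """
    if gcd(a, M) != 1:
        return None
    for cand in range(1, M):
        if gcd(cand, M) == 1 and (a * cand) % M == 1:
            return cand
    return None   # not reached when gcd(a, 26) == 1


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    """y = a * x + b mod 26 for every letter; rejects non-invertible a."""
    if gcd(a, M) != 1:
        raise ValueError(f"a = {a} is not coprime to 26: invalid key")
    return decode([(a * x + b) % M for x in encode(plaintext)])


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """x = a^{-1} * (y - b) mod 26 for every letter."""
    a_inv = inverse_by_trial(a)
    if a_inv is None:
        raise ValueError(f"a = {a} has no inverse mod 26: invalid key")
    return decode([(a_inv * (y - b)) % M for y in encode(ciphertext)])


def shift_encrypt(plaintext: str, k: int) -> str:
    """Definition 1.4.3: e_k(x) = x + k mod 26, i.e. affine with a = 1."""
    return affine_encrypt(plaintext, 1, k)


def shift_decrypt(ciphertext: str, k: int) -> str:
    return affine_decrypt(ciphertext, 1, k)


def valid_keys() -> List[Tuple[int, int]]:
    """Every key (a, b) with gcd(a, 26) = 1: 12 values of a times 26 of b."""
    return [(a, b) for a in range(M) if gcd(a, M) == 1 for b in range(M)]


def keys_matching(plaintext: str, ciphertext: str) -> List[Tuple[int, int]]:
    """Exhaustive search of the 312-key space for the keys consistent with
    one plaintext/ciphertext pair (the brute-force attack of Section 1.4.4)."""
    return [k for k in valid_keys() if affine_encrypt(plaintext, *k) == ciphertext]


if __name__ == "__main__":
    print(shift_encrypt("ATTACK", 17))          # rkkrtb (Example 1.11)
    print(affine_encrypt("ATTACK", 9, 13))      # nccnfz (Example 1.12)
    print(inverse_by_trial(9))                  # 3
    print(len(valid_keys()))                    # 312
    print(keys_matching("ATTACK", "nccnfz"))    # [(9, 13)]
```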
The remainder of this book deals with strong cryptographic algorithms which are
of practical relevance.

1.5 Discussion and Further Reading

This book addresses practical aspects of cryptography and data security and is intended to be used as an introduction; it is suited for classroom use, distance learning and self-study. At the end of each chapter, we provide a discussion section in which we briefly describe topics for readers interested in further study of the material.

Cryptography vs. Cybersecurity vs. Safety and Reliability As mentioned at the very beginning of the book, cryptography is part of the broader fields of cybersecurity and IT security, where it is difficult to have a clear distinction between those two latter terms. In fact, there exist many definitions for IT- and cybersecurity. Traditionally, those terms were often described as dealing with “assurance of the confidentiality, integrity and availability of information”, sometimes referred to as the CIA triad. However, in addition to these three basic security goals, there are often additional ones, including authenticity, accountability, non-repudiation and reliability. More about security services can be found in Section 10.1.3 of this book. It is important to bear in mind that cryptography, IT- and cybersecurity all deal with protecting information systems against malicious human actors, to which we refer as attackers or adversaries in this book. In contrast, technical safety⁴ is concerned with protection against dangers such as random failures that arise during the regular use of technical systems. For instance, when driving a car, we want to ensure that the brakes and the steering don’t fail — otherwise it would be unsafe. In order to achieve such technical safety, systems must be reliable. In contrast to security, safety and reliability are primarily not concerned with failure due to malicious actors but due to (random) technical failures. Even though reliability and security are partially interdependent, they involve different aspects of protecting systems.

In order to approach the problem of IT security systematically, several general frameworks exist. They typically follow a holistic approach by taking all security-relevant factors into account. Such an approach requires that assets and corresponding security needs have to be defined, and that the attack potential and possible attack paths must be evaluated. Finally, adequate countermeasures have to be specified in order to realize an appropriate level of security for a particular application or environment. There are numerous standards that can be used for evaluation and help to define a secure system. Among the more prominent ones are ISO/IEC 27001 for Information Security Management Systems (ISMS), the Common Criteria for Information Technology Security Evaluation [75] and FIPS PUBS [116]. In some industries, standards help to establish a more domain-specific approach towards IT security, e.g., ISO/IEC 62443 for industrial communication networks or ISO/SAE 21434 for cybersecurity engineering for road vehicles [147]. Moreover, frameworks such as the NIST framework for improving the IT security in critical infrastructures exist [29].
Historical Ciphers and Kerckhoffs’ Principle This chapter introduced a few historical ciphers. However, there are many, many more, ranging from ciphers in ancient times to WWII encryption methods. To readers who wish to learn more about historical ciphers and the role they played over the centuries, the books by Bauer [30], Kahn [156], Singh [237] and Wrixon [254] are recommended. Besides making fascinating bedtime reading, these books help one to understand the role that military and diplomatic intelligence played in shaping world history. They also help to show modern cryptography in a larger context.

⁴ We note that safety is also used in non-technical contexts, e.g., food safety.
Auguste Kerckhoffs was a Dutch cryptographer and linguist in the second half of the nineteenth century. He observed that cryptography is often used incorrectly in practice and postulated six principles in 1883, given below. What’s today widely known as Kerckhoffs’ Principle is actually the second one from the list.

■ The system should be, if not theoretically unbreakable, unbreakable in practice.
■ The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents.
■ The key should be memorable without notes and should be easily changeable.
■ The cryptograms should be transmittable by telegraph.
■ The apparatus or documents should be portable and operable by a single person.
■ The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain.

It is notable that several of the principles deal with the use of cryptography, as
opposed to the technical aspects of ciphers, a fact that was only relatively recently
observed by Sasse [226]. It was only in the 1990s that usable security emerged as a
proper research discipline within the scientific community.
Modular Arithmetic The mathematics introduced in this chapter, modular arithmetic, belongs to the field of number theory. This is a fascinating subject area which was, unfortunately, historically viewed as a “branch of mathematics without applications”. Thus, it is rarely taught outside mathematics curricula. There is a wealth of books on number theory. Among the classic introductory books are references [204, 222]. A particularly accessible book written for non-mathematicians is reference [236].
Provable Security Due to our focus on practical cryptography, this book omits most aspects related to the theoretical foundations of cryptographic algorithms and protocols. One of the foundations of theoretical cryptography builds on the belief that any cryptographic scheme should be accompanied by a rigorous mathematical proof of its security (“security proof”) under a well-defined and reasonable cryptographic hardness assumption. Examples of such hardness assumptions include the assumption that computing discrete logarithms over certain prime-order groups is difficult, the assumption that finding a small vector in a high-dimensional lattice is difficult, or the assumption that finding a collision in a concrete hash function is difficult. This concept is called provable security.⁵ Informally, “provable security” is achieved for a given cryptographic scheme when one provides (i) an algorithmic description of the cryptographic scheme; (ii) a formulation of a rigorous and precise definition of the adversary’s capacities and goal (security model); and (iii) a mathematical proof that the proposed scheme meets its security goal, assuming some standard cryptographic assumption holds true. Point (iii) is remarkable and deserves more attention. This mathematical proof shows formally that the only way to break the scheme (within the defined security model) is to attack the underlying cryptographic assumption. The proof holds for all possible attacks under the same assumptions, even the ones we could not envision at the time of designing the scheme.

⁵ The term “provable security” may be slightly misleading since it does not provide unconditional proofs in a mathematical sense. It rather reduces a protocol’s security to a well-defined mathematical hardness assumption. Some cryptographers therefore prefer to use the term “reductionist security” instead.
The standard references for provable security are the textbooks by Katz/Lindell
[158] and Goldreich [123, 124]. Also recommended is the more recent online book
by Rosulek [223].
A few times this book also touches upon provable security, for instance the relationship between Diffie–Hellman key exchange and the Diffie–Hellman problem (cf. Section 8.4), the block cipher-based hash functions in Section 11.3.1, the security of the HMAC message authentication scheme in Section 13.2, or the security of lattice-based cryptography based on the conjectured intractability of the shortest-vector problem in Section 12.2.
Advanced Cryptographic Schemes There are many advanced cryptographic con-
structions that go beyond the symmetric and asymmetric ciphers that are the main
topic of this book. In the following we sketch some of the more important examples
of advanced cryptography.
Homomorphic encryption allows computation on encrypted data, i.e., on cipher-
text, without first decrypting. A major application scenario is cloud computing,
where a user has a massive amount of data in encrypted form in the cloud. If the data
is, for instance, a large customer database, the user might be interested in download-
ing some customer records that fulfill certain criteria. The challenge is to perform
such a search on the ciphertext. It is relatively easy to construct partially homo-
morphic encryption schemes, which are constructions that allow one mathematical
operation to be performed on the ciphertext, typically multiplication or addition. In
fact, the two popular asymmetric encryption schemes RSA (cf. Chapter 7) and Elga-
mal (cf. Section 8.5) are partially homomorphic. Unfortunately, one mathematical
operation is not sufficient for the majority of practical applications. For a long time
finding a fully homomorphic encryption scheme that allows arbitrary operations was
considered the holy grail of cryptography. The first such scheme was proposed by
Gentry [122] in 2009, which is based on lattices (cf. Section 12.2). This original sys-
tem was quite impractical but since then numerous improvements have taken place.
At the time of writing, many competing schemes exist and use in practice is within
reach. This topic is also relevant for the training of machine learning algorithms.
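The partial homomorphism of RSA and Elgamal mentioned above is easy to see in code, and so is its flip side: a ciphertext that anyone can multiply is a ciphertext that anyone can tamper with. The following Python is an added example, not code from the book or its authors. All key material is a toy instance constructed here (n = 61 · 53 for RSA, the group Z_467^* with generator 2 for Elgamal) and is far too small for real use.

```python
"""Added example (not from the book): RSA and Elgamal are multiplicatively
homomorphic, and why that is also a malleability hazard.
All parameters are toy values constructed for this example."""
import secrets

# Textbook RSA with constructed toy parameters:
# p = 61, q = 53, n = 3233, phi(n) = 60 * 52 = 3120, e = 17, d = 17^-1 mod 3120 = 2753.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def rsa_encrypt(m, n=RSA_N, e=RSA_E):
    """Textbook RSA, no padding: E(m) = m^e mod n (deterministic)."""
    return pow(m, e, n)


def rsa_decrypt(c, n=RSA_N, d=RSA_D):
    return pow(c, d, n)


def rsa_multiply_ciphertexts(c1, c2, n=RSA_N):
    """E(m1) * E(m2) = m1^e * m2^e = (m1 * m2)^e = E(m1 * m2 mod n).
    Only the public key is needed, so anyone can do this."""
    return (c1 * c2) % n


def attacker_doubles_amount(c, n=RSA_N, e=RSA_E):
    """Malleability: multiply an intercepted ciphertext by E(2) so that it
    decrypts to 2*m, without knowing d. This is why raw RSA must not carry
    data directly: use OAEP (or better, a KEM) and authenticate the message."""
    return rsa_multiply_ciphertexts(c, rsa_encrypt(2, n, e), n)


# Textbook Elgamal in Z_467^* with generator 2 (constructed toy group; real
# parameters are a 2048-bit p or an elliptic curve).
EG_P, EG_G = 467, 2
EG_X = 105                    # private key, constructed
EG_Y = pow(EG_G, EG_X, EG_P)  # public key y = g^x mod p


def elgamal_encrypt(m, k=None, p=EG_P, g=EG_G, y=EG_Y):
    """Elgamal encryption; the ephemeral exponent k may be given for
    reproducibility, otherwise it is drawn from the OS CSPRNG."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return (pow(g, k, p), (m * pow(y, k, p)) % p)


def elgamal_decrypt(ct, x=EG_X, p=EG_P):
    c1, c2 = ct
    return (c2 * pow(c1, p - 1 - x, p)) % p   # c2 * (c1^x)^-1, since c1^(p-1) = 1


def elgamal_multiply_ciphertexts(ct1, ct2, p=EG_P):
    """Componentwise product: (g^(k1+k2), m1*m2*y^(k1+k2)) = E(m1 * m2 mod p)."""
    return ((ct1[0] * ct2[0]) % p, (ct1[1] * ct2[1]) % p)


if __name__ == "__main__":
    c_price = rsa_encrypt(100)
    print("RSA  E(7)*E(11) ->", rsa_decrypt(rsa_multiply_ciphertexts(rsa_encrypt(7), rsa_encrypt(11))))
    print("RSA  tampered price ->", rsa_decrypt(attacker_doubles_amount(c_price)))
    ct = elgamal_multiply_ciphertexts(elgamal_encrypt(5), elgamal_encrypt(9))
    print("Elgamal E(5)*E(9) ->", elgamal_decrypt(ct))
```

The products must stay below the modulus to be meaningful as integers, which is one reason a single operation is of limited use; the other is the tampering shown by `attacker_doubles_amount`, which is why deployed RSA uses padding and an authenticated channel rather than the raw primitive.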
Another advanced cryptographic scheme is multiparty computation (MPC), also
known as secure multiparty computation. With MPC, several parties provide input
values and jointly compute a function from the inputs. The interesting part is that
when the protocol is completed the participants know only their own input and the
answer but nothing about the inputs of the other participants. A standard example is
a situation where three people want to find out what the highest salary in the group
is without revealing the individual salaries. Another application is determining the
outcome of an election, that is electronic voting, or the highest bid in an auction
based on encrypted data. The general theory of MPC was proposed in the late 1980s
but it took more than 20 years before the first practical application started to emerge.
A good reference source is [80]. Related to multiparty computation is secret sharing.
The idea of (general) secret sharing is that any t out of n participants must collaborate
to reconstruct a secret, e.g., a cryptographic key, while any fewer than t learn nothing
about it. A real-world scenario is that at least 2 out of 3 managers of a bank must get
together to generate the secret code for opening a safe. Secret sharing was proposed
independently by Shamir and Blakley in 1979 [229, 54].
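The 2-out-of-3 bank scenario above is exactly a Shamir threshold scheme: the secret is the constant term of a random polynomial over a prime field, each participant holds one point on it, and t points determine a degree-(t−1) polynomial while t−1 points are consistent with every possible secret. The following Python is an added example, not code from the book or its authors; the field prime 2^61−1 and the random-source parameter are choices made here for the illustration.

```python
"""Added example (not from the book): Shamir's (t, n) threshold secret sharing
over the prime field GF(p). Any t shares reconstruct the secret by Lagrange
interpolation; fewer than t shares give no information about it."""
import secrets

P = 2**61 - 1   # a Mersenne prime, chosen here; secrets must be integers in [0, P)


def _eval_poly(coeffs, x, p=P):
    """Evaluate c0 + c1*x + ... + c_{t-1}*x^{t-1} mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, t, n, rand=secrets.randbelow, p=P):
    """Return n shares (x, f(x)) of a random degree-(t-1) polynomial with
    f(0) = secret. `rand(p)` must return a uniform integer in [0, p); it is a
    parameter only so that tests can make the coefficients deterministic."""
    if not (1 <= t <= n < p) or not (0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [rand(p) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=P):
    """Lagrange interpolation at x = 0 over the given shares.
    Correct only when at least t distinct shares are supplied; with fewer,
    the result is a value unrelated to the secret, which is the security
    guarantee (every secret is equally consistent with t-1 shares)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p        # product of (0 - x_j)
                den = (den * (xi - xj)) % p    # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    # The bank example: three managers, any two open the safe.
    safe_code = 2024_1234_5678
    shares = split_secret(safe_code, t=2, n=3)
    for pair in ((shares[0], shares[1]), (shares[1], shares[2]), (shares[0], shares[2])):
        print(pair[0][0], "+", pair[1][0], "->", recover_secret(pair) == safe_code)
```

In a deployment the share indices, the prime and the threshold travel with each share, shares are delivered over authenticated channels, and the dealer erases the polynomial after distribution; a share leaked in transit is worth as much as the manager who holds it.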
Zero-knowledge proofs are concerned with proving certain knowledge to another
party without revealing the secret. They were originally motivated for authentication
without revealing a password or key. There are many other applications such as
anonymous payment schemes. Zero-knowledge proofs were originally proposed by
Goldwasser, Micali and Rackoff [125].
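A concrete instance of "authentication without revealing the key" is Schnorr's identification protocol, where the prover convinces a verifier that it knows the discrete logarithm x of a public y = g^x. The following Python is an added example, not code from the book or its authors; the group (p = 467, q = 233, g = 4 of order q) is a toy instance constructed here, and the nonce-reuse helper at the end is the practitioner's caveat, not part of the protocol.

```python
"""Added example (not from the book): Schnorr's identification protocol, a
zero-knowledge proof of knowledge of a discrete logarithm, i.e. "prove you hold
the private key without revealing it". The group is a constructed toy
instance: p = 467, q = 233 divides p - 1, and g = 4 has order q in Z_p^*.
Real deployments use a 256-bit q or an elliptic-curve group."""
import secrets

P, Q, G = 467, 233, 4


def keygen(x=None):
    """Private x in [1, q-1], public y = g^x mod p. x may be fixed for tests."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(r=None):
    """Round 1: prover picks a fresh nonce r and sends t = g^r mod p."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier sends a random challenge c in [0, q-1]."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q. The private x is masked by the one-time r."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y, r=None, c=None):
    """Honest run of all three rounds; returns the verifier's decision."""
    r, t = prover_commit(r)
    if c is None:
        c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


def simulate_transcript(y, c=None, s=None):
    """The zero-knowledge argument in code: without x, choose c and s first and
    solve for t = g^s * y^(-c). The forged (t, c, s) passes verify(), so a
    transcript reveals nothing that could not be produced without x. Only a
    verifier who chose c after seeing t is actually convinced."""
    if c is None:
        c = secrets.randbelow(Q)
    if s is None:
        s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^(-c) == y^(q-c)
    return t, c, s


def recover_private_key(c1, s1, c2, s2):
    """Practitioner's caveat: if the prover reuses the nonce r for two different
    challenges, anyone can solve x = (s1 - s2) / (c1 - c2) mod q."""
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y))
    print("simulated transcript accepted:", verify(y, *simulate_transcript(y)))
```

The simulator is the whole point of "zero knowledge": a transcript can be produced by someone who does not know x, so handing a transcript to a third party proves nothing. Conversely, the nonce rule is not optional; with r reused, `recover_private_key` extracts x from two responses, which is the same failure that has broken fielded signature schemes derived from this protocol.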
Other advanced cryptographic constructions include identity-based encryption,
attribute-based encryption, functional encryption and proxy-reencryption.
Research Community and General References Even though cryptography has
matured considerably since the 1970s, it is still a relatively young field compared to
other scientific disciplines, and every year brings many new developments and dis-
coveries. Many research results are published at the eight main events organized by
the International Association for Cryptologic Research (IACR). The proceedings of
the three IACR conferences Crypto, Eurocrypt and Asiacrypt, the four more spe-
cific area conferences Cryptographic Hardware and Embedded Systems6 (CHES),
Fast Software Encryption (FSE), Public Key Cryptography (PKC) and the Theory of
Cryptography Conference (TCC), as well as the Real World Cryptography (RWC)
symposium are excellent sources for tracking recent developments in the field of
cryptology. There are four top conferences in the broader field of computer secu-
rity (of which cryptography is one aspect): the IEEE Symposium on Security and
Privacy (IEEE S&P), the ACM Conference on Computer and Communications Se-
curity (CCS), the USENIX Security Symposium and the Network and Distributed
System Security Symposium (NDSS). It should be stressed that in cryptography as
well as in computer security there are many more conferences and workshops,
many of which are also of very high quality.
There are several good books on cryptography. A classic, if somewhat dated,
book is Applied Cryptography [227] by Schneier published in 1994, which helped
to popularize modern cryptography. A more recent book, which makes an excellent
addition to the book at hand, is Serious Cryptography: A Practical Introduction
to Modern Encryption by Aumasson [20]. With respect to reference sources, the
Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone [189]
and the Encyclopedia of Cryptography and Security [246] can be recommended. An
excellent reference for the much broader field of security engineering is Anderson’s
Security Engineering: A Guide to Building Dependable Distributed Systems [12].

6 CHES was co-founded by one of the authors of this book.

1.6 Lessons Learned

• Never ever develop your own cryptographic algorithm unless you have a team of
experienced cryptanalysts checking your design.
• Do not use unproven cryptographic algorithms (i.e., symmetric ciphers, asym-
metric ciphers, hash functions) or unproven protocols.
• Attackers always look for the weakest point of a cryptosystem. For instance, a
large key space by itself is no guarantee of a cipher being secure; the cipher might
still be vulnerable against analytical attacks.
• Key lengths for symmetric algorithms in order to thwart exhaustive key-search
attacks are:
  – 64 bits: insecure except for data with extremely short-term value.
  – 112–128 bits: long-term security of several decades, including attacks by in-
telligence agencies unless they possess quantum computers. Based on our cur-
rent knowledge, attacks are only feasible with quantum computers (which do
not exist at a useful scale but might become reality in 1–2 decades); a quantum
key search with Grover’s algorithm would cut the effective key length roughly
in half, which is why the next category exists.
  – 256 bits: as above, but possibly secure against attacks by quantum computers.
• Modular arithmetic is a tool for expressing historical encryption schemes, such as
the affine cipher, in a mathematically elegant way and provides the fundamental
basis for many modern cryptographic schemes.

Problems

1.1. The ciphertext below was encrypted using a substitution cipher. Decrypt the
ciphertext without knowledge of the key.

lrvmnir bpr sumvbwvr jx bpr lmiwv yjeryrkbi jx qmbm wi
bpr xjvni mkd ymibrut jx irhx wi bpr riirkvr jx
ymbinlmtmipw utn qmumbr dj w ipmhh but bj rhnvwdmbr bpr
yjeryrkbi jx bpr qmbm mvvjudwko bj yt wkbrusurbmbwjk
lmird jk xjubt trmui jx ibndt

wb wi kjb mk rmit bmiq bj rashmwk rmvp yjeryrkb mkd wbi
iwokwxwvmkvr mkd ijyr ynib urymwk nkrashmwkrd bj ower m
vjyshrbr rashmkmbwjk jkr cjnhd pmer bj lr fnmhwxwrd mkd
wkiswurd bj invp mk rabrkb bpmb pr vjnhd urmvp bpr ibmbr
jx rkhwopbrkrd ywkd vmsmlhr jx urvjokwgwko ijnkdhrii
ijnkd mkd ipmsrhrii ipmsr w dj kjb drry ytirhx bpr xwkmh
mnbpjuwbt lnb yt rasruwrkvr cwbp qmbm pmi hrxb kj djnlb
bpmb bpr xjhhjcwko wi bpr sujsru msshwvmbwjk mkd
wkbrusurbmbwjk w jxxru yt bprjuwri wk bpr pjsr bpmb bpr
riirkvr jx jqwkmcmk qmumbr cwhh urymwk wkbmvb
1. Compute the relative frequency of all letters A...Z in the ciphertext. You may
want to use a tool such as the open-source program CrypTool [82] for this task.
However, a paper and pencil approach is also doable.
2. Decrypt the ciphertext with the help of the relative letter frequency of the English
language (see Table 1.1 in Section 1.2.2). Note that the text is relatively short
and that the letter frequencies in it might not perfectly align with that of general
English language from the table.
3. Who wrote the text?

1.2. We received the following ciphertext which was encoded with a shift cipher:
xultpaajcxitltlxaarpjhtiwtgxktghidhipxciwtvgtpilpit
ghlxiwiwtxgqadds.
1. Perform an attack against the cipher based on a letter frequency count: How
many letters do you have to identify through a frequency count to recover the
key? What is the cleartext?
2. Who wrote this message?
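The frequency count that Problems 1.1 and 1.2 ask for is a few lines of code, and automating it shows why a large key space is no protection by itself: the substitution cipher has 26! keys and the shift cipher 26, yet both fall to the same letter statistics. The following Python is an added example, not code from the book or CrypTool. The English frequency table is the standard one; the sample ciphertext is constructed here (shift cipher, key 3) so that the book's two exercises remain for the reader.

```python
"""Added example (not from the book): automating the letter-frequency attack
that Problems 1.1 and 1.2 ask for. The ciphertext below is constructed here
(a shift cipher with key 3), not the book's, so the exercises stay unsolved."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Standard relative letter frequencies of English text (fractions).
ENGLISH_FREQ = {
    "a": 0.082, "b": 0.015, "c": 0.028, "d": 0.043, "e": 0.127, "f": 0.022,
    "g": 0.020, "h": 0.061, "i": 0.070, "j": 0.0015, "k": 0.0077, "l": 0.040,
    "m": 0.024, "n": 0.067, "o": 0.075, "p": 0.019, "q": 0.00095, "r": 0.060,
    "s": 0.063, "t": 0.091, "u": 0.028, "v": 0.0098, "w": 0.024, "x": 0.0015,
    "y": 0.020, "z": 0.00074,
}


def shift_encrypt(text, key):
    """Shift cipher on a-z; anything else passes through unchanged."""
    return "".join(
        chr((ord(ch) - 97 + key) % 26 + 97) if ch in ALPHABET else ch
        for ch in text.lower()
    )


def shift_decrypt(text, key):
    return shift_encrypt(text, -key)


def letter_frequencies(text):
    """Relative frequency of each letter a-z in `text` (Problem 1.1, step 1)."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {ch: counts[ch] / total for ch in ALPHABET}


def guess_shift_from_top_letter(ciphertext, assumed_plain="e"):
    """For a shift cipher, identifying one letter is enough: if the most
    frequent ciphertext letter stands for 'e', the key follows immediately."""
    freqs = letter_frequencies(ciphertext)
    top = max(ALPHABET, key=freqs.get)
    return (ord(top) - ord(assumed_plain)) % 26


def chi_squared_vs_english(text):
    """Smaller means the letter distribution looks more like English."""
    freqs = letter_frequencies(text)
    return sum((freqs[ch] - ENGLISH_FREQ[ch]) ** 2 / ENGLISH_FREQ[ch] for ch in ALPHABET)


def break_shift_cipher(ciphertext):
    """Exhaustive key search over all 26 shifts, scored by chi-squared. This is
    the robust version of the single-letter guess: it also works on short texts
    where 'e' happens not to be the most frequent letter."""
    return min(range(26), key=lambda k: chi_squared_vs_english(shift_decrypt(ciphertext, k)))


# Constructed sample (not the book's ciphertext), encrypted with key 3.
SAMPLE_PLAINTEXT = ("the security of a cipher must not depend on keeping the algorithm "
                    "secret because the attacker will always learn it eventually only "
                    "the key may be assumed to be secret")
SAMPLE_CIPHERTEXT = shift_encrypt(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    key = break_shift_cipher(SAMPLE_CIPHERTEXT)
    print("recovered key:", key)
    print(shift_decrypt(SAMPLE_CIPHERTEXT, key))
```

For the substitution cipher of Problem 1.1 the same `letter_frequencies` table is the starting point, but the key is a full permutation, so the remaining work is matching the ranked ciphertext letters against the English ranking and refining by digram patterns and short words; the chi-squared scorer above only applies where the key space is small enough to enumerate.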

1.3. We consider the long-term security of the Advanced Encryption Standard
(AES) with a key length of 128 bits with respect to exhaustive key-search attacks.
AES is perhaps the most widely used symmetric cipher at this time.
1. Assume that an attacker has special-purpose hardware chips (also known as
ASICs, or application-specific integrated circuits) that check 5 · 10^8 keys per
second, and she has a budget of $1 million. One ASIC costs $50, and we as-
sume 100% overhead for integrating the ASIC (manufacturing the printed circuit
boards, power supply, cooling, etc.). How many ASICs can we run in parallel
with the given budget? How long does an average key search take? Relate this
time to the age of the Universe, which is about 10^10 years.
2. We try now to take advances in computer technology into account. Predicting
the future tends to be tricky but the estimate usually applied is Moore’s law,
which states that the computing power doubles every 18 months while the costs
of integrated circuits stay constant. How many years do we have to wait until
a key-search machine can be built to break AES with 128 bits with an average
search time of 24 hours? Again, assume a budget of $1 million (do not take
inflation into account).

1.4. We now consider the relation between passwords and key size. For this purpose
we consider a cryptosystem where the user enters a key in the form of a password.
1. Assume a password consisting of 8 letters, where each letter is encoded with the
ASCII code (7 bits per character, i.e., 128 possible characters). What is the size
of the key space which can be constructed by such passwords?
2. What is the corresponding key length in bits?
3. Assume that most users use only the 26 lowercase letters from the alphabet in-
stead of the full 7 bits of the ASCII-encoding. What is the corresponding key
length in bits in this case?
4. At least how many characters are required for a password in order to generate a
key length of 128 bits in case of letters consisting of
a. 7-bit characters?
b. 26 lowercase letters from the alphabet?

1.5. In case of a brute-force attack, we have to search the entire key space of a cipher.
To prevent such a search from being successful, the key space must be sufficiently
large. It is crucial to observe that the key space grows exponentially with the key
length in bits. With this problem we want to get a better understanding of such an
exponential growth.
According to an anecdote, the inventor of chess asked the king for a humble reward
in the form of grains of rice: On the first field of the chess board, the king should
put one grain of rice, on the second field two grains of rice, on the third field four
grains etc.
1. How many grains of rice are on the last field of the chess board?
2. A single grain of rice has a weight of approximately 0.03 g. What is the total
weight of all grains on the board? Compare the total weight with the worldwide
yield of approximately 480 million tons per year.
Now, let us consider a piece of paper that is repeatedly folded. The thickness of the
paper increases exponentially: It has twice the thickness if folded once, four times
the thickness if folded twice etc. For the following tasks, we assume a piece of paper
which is 0.1 mm thick.
3. How thick is the paper after 10 folding steps?
4. How often do we need to fold it to obtain a thickness of 1 km?
5. How often do we need to fold it to obtain the distance from the Earth to the Moon
(384,400 km)?
6. How often do we need to fold it to obtain the distance of one light year, i.e.,
9.46 · 10^15 km?
Remark: Obviously, folding a piece of paper that often will not work out very well
in practice.

1.6. In this problem we consider the difference between end-to-end encryption
(E2EE) and more classical approaches to encrypting when communicating over a
channel that consists of multiple parts. E2EE is widely used, e.g., in instant messag-
ing services such as WhatsApp or Signal. The idea behind this is that encryption and
decryption are performed by the two users who communicate and all parties eaves-
dropping on the communication link cannot read (or meaningfully manipulate) the
message.
In the following we assume that each individual encryption with the cipher e() is
secure, i.e., the cryptographic algorithm cannot be broken by an adversary. First we
look at the communication between two smartphones without end-to-end encryp-
tion, shown in Figure 1.7. Encryption and/or decryption happen three times in this
setting: Between Alice and base station A (air link), between base stations A and B
(through the internet), and between base station B and Bob (again, air link).

Fig. 1.7 Communication without E2EE

1. Describe which of the following attackers can read (and meaningfully manipu-
late) messages.
a. A hacker who can listen to (and alter) messages on the air link between Alice
and her base station.
b. The mobile operator who runs and controls base station A.
c. A national law enforcement agency that has power over the mobile operator
and gains access to base station A or B.
d. An intelligence agency of a foreign country that can wiretap any internet com-
munication.
e. The mobile operator who runs and controls base station B.
f. A hacker who can listen to (and alter) messages on the air link between Bob
and his base station.
We now look at the same communication system but this time Alice and Bob use
E2EE, cf. Figure 1.8

Fig. 1.8 Communication with E2EE

2. Describe which of the following attackers can read (and meaningfully manipu-
late) messages in the communication systems with E2EE.
a. A hacker who can listen to (and alter) messages on the air link between Alice
and her base station.
b. The mobile operator who runs and controls base station A.
c. A national law enforcement agency that has power over the mobile operator
and gains access to base station A or B.
d. An intelligence agency of a foreign country that can wiretap any internet com-
munication.
e. The mobile operator who runs and controls base station B.
f. A hacker who can listen to (and alter) messages on the air link between Bob
and his base station.

1.7. As we learned in this chapter, modular arithmetic is the basis of many cryp-
tosystems. We will now provide a number of exercises that help us get familiar with
modular computations.
Let’s start with an easy one: Compute the following result without a calculator.
1. 15 · 29 mod 13
2. 2 · 29 mod 13
3. 2 · 3 mod 13
4. −11 · 3 mod 13
The results should be given in the range 0, 1, . . . , modulus − 1. Briefly describe
the relation between the different parts of the problem.

1.8. Compute without a calculator:
1. 1/5 mod 13
2. 1/5 mod 7
3. 3 · 2/5 mod 7

1.9. We consider the ring Z4. Construct a table that describes the addition of all
elements in the ring with each other in the following form:
+ 0 1 2 3
0 0 1 2 3
1 1 2 ···
2 ···
3
1. Construct the multiplication table for Z4.
2. Construct the addition and multiplication tables for Z5.
3. Construct the addition and multiplication tables for Z6.
4. There are elements in Z4 and Z6 without a multiplicative inverse. Which ele-
ments are these? Why does a multiplicative inverse exist for all nonzero elements
in Z5?

1.10. What is the multiplicative inverse of 5 in Z11, Z12, and Z13? You can do a
trial-and-error search using a calculator or a PC.
With this simple problem we want now to stress the fact that the inverse of an
integer in a given ring depends completely on the ring considered. That is, if the
modulus changes, the inverse changes. Hence, it doesn’t make sense to talk about
an inverse of an element unless it is clear what the modulus is. This fact is crucial for
the RSA cryptosystem, which is introduced in Chapter 7. The extended Euclidean
algorithm, which can be used for computing inverses efficiently, is introduced in
Section 6.3.

1.11. Compute x as far as possible without a calculator. Where appropriate, make
use of a smart decomposition of the exponent as shown in the example in Sec-
tion 1.4.1:
1. x ≡ 3^2 mod 13
2. x ≡ 7^2 mod 13
3. x ≡ 3^10 mod 13
4. x ≡ 7^100 mod 13
5. 7^x ≡ 11 mod 13
The last problem is called a discrete logarithm and points to a hard problem which
we discuss in Chapter 8. The security of many public-key schemes is based on the
hardness of solving the discrete logarithm for large numbers, e.g., with more than
2000 bits.
Another random document with
no related content on Scribd:
La kalaa de Taourirt est la seule que j’aie eu le loisir d’examiner.
Elle s’appelle Agebeur ; il est à noter qu’aucune de ces ruines n’est
anonyme ; le cimetière d’Agebeur est incontestablement musulman ;
un coin est resté vivant, c’est une koubba blanchie à la chaux,
soigneusement entretenue, où serait enterré un santon marocain
Abd-er-Rahman el Oudiayi ; cette ville d’Oudia d’où le santon serait
originaire est-elle Oujda, à côté de notre frontière ? Je n’en sais pas
plus long, mais il est évident que l’antiquité de ces ruines n’est pas
très reculée.
Les ksars en ruines du bas Touat sont précisément ceux auxquels
est resté accroché le nom des Barmata. Il n’est pas impossible de
recueillir au sujet des Barmata quelques traditions indigènes, mais
bien vagues et contradictoires. D’après M. Wattin ils sont venus au
Reggan vers l’an 901 de notre ère à l’époque où Ibrahim ben Ahmed
était gouverneur de l’Ifrikiya. On les dit frères des Zenati et des
Beraber, c’est-à-dire Berbères ; mais on ajoute frères des Bambaras
soudanais, ce qu’il ne faut pas apparemment prendre à la lettre.
Pourtant j’ai vérifié que le souvenir des Barmata se retrouve très
net à Tombouctou. Ils furent certainement à un moment donné les
courtiers du commerce transsaharien et ils eurent des attaches au
Soudan.
Par surcroît, l’association à leur nom de celui des Bambara
pourrait bien n’être pas complètement absurde. D’après M. Chudeau,
quelques faits notés au Soudan, d’accord avec leurs légendes qui les
font venir du nord, semblent bien montrer que les Bambaras,
question de race mise à part bien entendu, ont leurs affinités avec
les Sahariens ; presque rien ne les rapproche des autres nègres du
Soudan. Voici les principaux arguments dont quelques-uns assez
forts, que fait valoir à l’appui de cette opinion, le directeur de la
station agronomique de Koulikoro, M. Vuillet, qu’un long séjour et de
nombreux voyages au Soudan ont mis à même de voir et de bien
voir.
1o Des prénoms comme Moussa, Ahmadou, d’origine arabe, sont
fréquents chez les Bambaras même non musulmans. Plus au sud ces
prénoms disparaissent.
2o Les villages bambaras, avec leurs cases carrées et leurs toits
plats rappellent les ksars du Sud-Algérien et non les huttes rondes
de la plupart des noirs. Leur vêtement, le harnachement des
chevaux les rapprochent aussi des Arabes.
Leur arme est la lance et non pas l’arc.
L’élevage, la fabrication du beurre, la castration du bétail les
éloignent aussi des régions plus méridionales.
3o Les arguments les plus intéressants sont tirés de la culture. Le
blé (malikama) se rencontre en quelques points du pays bambara ;
le dattier (tamar), à peine productif cependant, existe dans presque
tous leurs villages. Le citron (lemerou), le henné, le sésame sont
cultivés partout, au moins en petit.
Les cultures du sud (fabirama, papaye, banane, goyave, igname)
sont à peine connues en pays bambara, où elles ont été le plus
souvent importées par les Européens. Le manioc amer qui est
l’espèce de grande culture parce que son amertume à l’état cru le
met à l’abri des singes, des porcs-épics et des passants, est ignoré
des Bambaras qui ne plantent que le manioc doux.
D’après les traditions du bas Touat, recueillies par M. Wattin[195],
les Barmata n’étaient pas musulmans, mais c’est d’une absurdité
évidente, il faut entendre sans doute que leur orthodoxie était
douteuse. Ils auraient été anéantis par une tribu Touareg, les Settaf,
et leurs ksars étaient déjà ruinés et le pays vide quand les nouveaux
furent fondés par des Marocains venus du Sahel et du Chaouia. Ceci
non plus ne semble pas pouvoir être entendu à la lettre. Les gens du
bas Touat, presque tous Cheurfa (descendus de Mahomet), cela va
sans dire, ne veulent rien avoir de commun avec ces Barmata plus
ou moins hérétiques, de même que les gens du haut Touat renient
toute parenté avec les juifs massacrés par el Mer’ili. Mais s’il
n’existait pas un lien on ne s’expliquerait pas que le nom de chaque
kalaa ait surnagé, et qu’il se trouve à Agebeur, encastré dans les
ruines, un marabout encore vénéré. On reconnaît d’ailleurs que dans
certains ksars, à Sali, à Bou Ali, à el Mansour, il survit des
descendants de Barmata. Voici une tradition recueillie par Watin au
sujet de Sidi Ahmed er Reggadi, fondateur de Zaouiet Kounta au XIVe
siècle. A son arrivée à Bou Ali, les descendants de Barmek, qui
étaient considérés comme des païens, eurent peur, mais Ahmed fit
apporter du petit lait, il distribua cette boisson entre les enfants de
Barmek et les siens en leur disant : « buvez, et riez en frères ». Le
« Temps des Barmata » au Reggan, correspond à l’expression
« Temps des Juifs » dans le haut Touat.
Ici comme là la disparition de l’ancienne société coïncide avec
une puissante poussée d’islamisation, une recrudescence de pitié,
qui a semé le pays de Zaouias, Zaouiet Kounta et Zaouiet Reggan,
fondées toutes les deux par des Chorfa du Tafilalet qui ont fait
souche à Tombouctou de la tribu maraboutique bien connue, les
Kounta. Les gens de Sali aussi sont des Chorfa marocains, mais qui
s’entendent assez mal avec leurs cousins et voisins.
Tout cela en somme n’est pas trop discordant ; si le nom même
des Barmata nous a fourni un terminus a quo, le IXe siècle, l’examen
de leurs ksars, et des légendes qui s’y rattachent, nous donne un
terminus ad quem, un peu vague, le XIVe ou le XVe siècle.
E.-F. Gautier. — Sahara Algérien. Pl. XL.

Cliché Gautier
75. — AU TIMMI, FABRICATION DES BRIQUES CREUSES, ÉLÉMENTS DU PISÉ.
Cliché Gautier
76. — ADRAR (Timmi), CAPITALE DU TOUAT.
Type de ksar actuel, en pisé, quadrangulaire, flanqué de tours carrées
E.-F. Gautier. — Sahara Algérien. Pl. XLI.

Cliché Gautier
77. — TIMIMOUN — UNE RUE DANS LA PALMERAIE.
D’un mur à l’autre, une poutre en tronc de palmier, qui a fléchi sous son propre poids
comme d’habitude.
Cliché Gautier
78. — TIMIMOUN. — UN COIN DU KSAR.
La place principale, traversée par une séguia ; — toits en terrasse de pisé.
E.-F. Gautier. — Sahara Algérien. Pl. XLII.

Cliché Laperrine
79. — UNE PALMERAIE ENSABLÉE.
A gauche, sur la crête de la dune, et pour essayer de la fixer, des haies en
palmes.
Cliché Gautier
80. — TIMIMOUN. — BOUCHERS HARATIN DÉPEÇANT UN CHAMEAU.

Le XVe siècle au Sahara et dans l’Afrique Mineure.

Nous pouvons maintenant jeter un coup d’œil d’ensemble sur


cette époque, si curieuse au Sahara, qui va approximativement du
XIVe au XVIe siècle et qui a vu s’accomplir partout la même
transformation.
Dans l’O. Zousfana un certain Sidi Beyazid convertit les Beni
Goumi païens. La date est indéterminée mais il faut noter que le
nom de Beyazid est turc.
Dans l’O. Zousfana, des « Nazaréens (?) » bâtisseurs de ksars
ont été massacrés ou convertis par les Beni Hassen.
Au Gourara et dans le haut Touat une société juive a été détruite
par el Mer’ili en 1492.
Au bas Touat des Barmata païens (?) ont pour successeurs au
XIV et XVe siècle des Chorfa du Tafilalet.
e

Avec des variations locales c’est partout la même révolution, et à


peu près à la même époque.
Elle s’accompagne partout d’un changement dans l’architecture
des villages. Aux kalaa de pierre bâties dans de fortes situations
défensives et offensives succèdent les ksars en pisé, fortifiés, il est
vrai, mais modestement cachés dans la palmeraie, au milieu des
cultures. Ce sont des refuges de paysans traqués, ou des jardins à
cascatelles pour moines inoffensifs ; au lieu de bourgs féodaux, qui
sentent l’indépendance, le banditisme, et sans doute aussi le
nomadisme, car les kalaa sont toujours à quelque distance des bas-
fonds cultivables. Ces siècles de transition sont ceux où se fondent
les grands monastères sahariens, Kenatsa, Kerzaz, Zaouiet Kounta,
etc. Et, sous bénéfice d’inventaire, car les études hagiographiques
restent encore à entreprendre, c’est alors apparemment que
surgirent ces innombrables tombeaux de saints, avec leurs coupoles
blanches qui constellent toutes les palmeraies et qui extériorisent
pour l’œil la prédominance des préoccupations pieuses.
Il y a eu là apparemment, en même temps qu’une révolution
religieuse et linguistique, une profonde transformation économique,
et sociale, un progrès de l’agriculture intensive, de la paix publique,
et de la culture générale.
Or cette révolution religieuse on la signale dans toute l’Afrique du
nord.
Au XVe et au XVIe siècle, l’Islam, chassé d’Espagne, poursuivi
jusqu’en Afrique par les chrétiens, se ressaisit et se rénove ; le
sentiment religieux s’exaspère, les saints, les marabouts, les
missionnaires pullulent ; c’est le moment où les vieux noms berbères
des tribus disparaissent, pour céder la place aux dénominations
actuelles, tirées de marabouts éponymes ; pour la première fois,
l’Afrique Mineure s’islamise intégralement.
Et c’est un fait bien curieux que dans cette Berbérie ultra-
conservatrice l’Islam introduit au VIIIe siècle n’ait triomphé
définitivement qu’au XVIe. C’est même un fait considérable, étrange
et généralement si ignoré, qu’on sent le besoin d’en établir
l’exactitude en s’appuyant sur des autorités incontestables.
Beaucoup moins palpable qu’une bataille ou un changement de
dynastie cette grande transformation diffuse et lente a presque
complètement échappé aux rares historiens de l’Afrique du nord.
Mercier lui consacre à peine une dizaine de lignes imprécises :
« Nous devons signaler l’arrivée de marabouts, venus en général de
l’ouest, du pays de Seguiet el Hamra... ils ont, en maints endroits,
réuni des tronçons épars, d’origine diverse, et en ont formé des
tribus qui ont pris leurs noms. Les Koubba de ces marabouts se
trouvent répandues dans tout le nord de l’Afrique et perpétuent le
souvenir de leur action qui a dû s’exercer surtout du XIVe au XVIIIe
siècle[196]. » Aucun historien n’a fait de cette question pourtant
intéressante l’objet d’une étude détaillée ; les éléments, incomplets,
en sont épars dans des travaux hagiographiques et philologiques, en
particulier de M. Basset.
Dans « Nédromah et les Traras »[197], par exemple, M. Basset
signale « les traces d’une influence juive, antérieure à
l’établissement des Israélites actuels de Nédromah (où ils vinrent de
Miknâsah au milieu du XVIIIe siècle), car nous les trouvons dans des
monuments du Moyen âge ». M. Basset cite une tribu qui a un nom
hébraïque, les Ouled Ichou ; il mentionne un tombeau très vénéré
de Josué, et le cap Noun, dont le nom, qui lui est appliqué dès le
Moyen âge, est celui du père de Josué. « On sait que les Juifs se
répandirent de bonne heure en Afrique, non pas seulement en
Cyrénaïque, et dans la région Carthaginoise, où ils prospérèrent,
mais aussi dans l’ouest. Les Vandales tolérèrent le libre exercice de
la religion juive, et on voit, par un passage de la lex Wisigothorum
cité par Grœtz, que les juifs d’Espagne s’adonnaient au commerce et
à la navigation sur les côtes d’Afrique... Ils étaient nombreux dans ce
dernier pays puisqu’ils s’entendirent avec leurs frères restés en
Espagne pour organiser contre Egica, vers 693, une insurrection qui
échoua[198]. »
Voilà qui est évidemment de nature à jeter une lumière sur les
traditions touatiennes au sujet des Juifs.
Parmi les saints de Nedromah, M. Basset fait une grande place
aux « marabouts venus de la Seguiet el Hamra ; ceux-ci se
rattachent aux missions qui au XVe et au XVIe siècle ranimèrent
l’Islam dans tout le nord de l’Afrique[199] ».
Au sujet de la confédération des Traras, qui se forma au XVIe
siècle, M. Basset observe : « Contrairement à ce qui se passa
ailleurs, elle ne prit pas le nom soit d’un ancêtre éponyme, soit d’un
marabout reconnu comme l’ancêtre spirituel[200]. »
Dans les montagnes de Cherchell les Beni Menacer actuels furent
jusqu’au XVIe siècle des Zenètes Maghraoua, dont le nom se trouve
déjà dans Ptolémée sous le nom de Μακχούρηβοι. Ils ont adopté
leur nom actuel aux environs du XVIe siècle et « ils le dérivèrent de
celui d’un saint nommé Mansour, qui se serait fixé parmi eux pour
les ramener à la religion, et serait ainsi devenu leur ancêtre spirituel
éponyme[201] ».
C’est ainsi que « les Mekhâlif, entre Djelfa et Laghouat, se
rattachent à un Sidi Makhlouf ;... les Douaouïda (province de
Constantine) à Sidi Douad, etc. ».
M. René Basset donne tout une liste de marabouts algériens
venus du Maroc et de la Seguiet el Hamra, et qui ont évangélisé
Blidah, Mascara, la Kabylie, etc.[202]. Le santon fameux de Milianah,
Sidi Ahmed ben Yousof se rattache spirituellement, au titre de
disciple, « à ce grand mouvement de renaissance religieuse[203] ».
Voilà qui éclaire évidemment le rôle joué au Touat par el Mer’ili, à
Tar’it par Si Beyazid, etc.
La révolution du XVe siècle au Sahara et en particulier au Touat
ne lui est donc pas particulière ; des événements analogues,
répercussions des victoires espagnoles, se sont produits à la même
époque dans toute l’Afrique du nord. Le Maroc battu en Europe et
envahi en Afrique, fut apparemment sensible à l’humiliation
nationale et au recul de l’Islam ; par surcroît il fut le refuge des
musulmans andalous chassés d’Espagne : ces proscrits nombreux,
intelligents, cultivés et aigris se dispersèrent sur la surface du Maroc
par petites colonies, qui devinrent des centres de fermentation
religieuse et patriotique. Et c’est ainsi que l’extrême Ouest-Africain
est devenu, par un curieux choc en retour, un centre d’expansion
énergique non seulement de l’Islam mais de la langue arabe. Les
Arabes du Touat sont venus de l’ouest, de la Seguiet el Hamra, où la
colonie andalouse était considérable, et qui fut un centre de
rayonnement important entre tous. Il l’est resté d’ailleurs, comme en
témoigne le rôle d’agitateur xénophobe joué actuellement par Ma el
Aïnin. Qu’une population expulsée, et en quête d’une nouvelle patrie,
se soit portée de préférence au Sahara, dans les parties
périphériques et, pour ainsi dire, coloniales de l’empire marocain, ou
que, en tout cas, elle y ait exercé une influence plus profonde, c’est
assez naturel. Serait-il absurde de rappeler à ce propos le rôle joué
en Algérie, après 1870, par d’autres annexés, les Alsaciens-
Lorrains ? En tout cas il y a là tout un ensemble de faits que notre
éducation historique européenne ne nous habitue pas à associer
avec les dernières larmes de Boabdil, et qui n’en sont pas moins
réels. Les défaites marocaines en Andalousie ont eu leur
répercussion et leur revanche un peu partout dans l’Afrique du nord,
mais plus particulièrement à l’autre bout de l’empire, au Sahara.
That is, in the past, the last turning point of history that can be clearly discerned in the oases. Beyond it everything becomes confused. M. Wattin's article on the origins of the Touat does, it is true, enumerate a certain number of events well before the fifteenth century. But native memories are hazy and uncertain. In 289 of the Hegira (901 of the Christian era) a migration is said to have come from the east, provoked by the exactions of Ibrahim ben Ahmed, governor of Ifriqiya; the immigrants settled at Reggan, and gave the country the name of Touat, because they were tired (ouatin!!)
These are precisely the Barmata. But on the other hand, according to M. Basset, the same legend and the same etymology are applied to Negroes in the retinue of the king of Melli, Mensa Mousa[204].
According to Wattin, which naturally means according to the natives whose statements he reproduces, the ancestors of the Touatians all arrived in the Touat between the years 901 and 1067 of our era. But on the other hand, according to the same Wattin, the Jews arrived in the Touat in the year of the Elephant, that is to say in the sixth century. It seems impossible to draw from all this any positive information of general interest[205].

The Haratin. — It is not difficult to pose the problem to be solved. Were the Berbers the first inhabitants of the Touat? Or were they preceded by Negroes? That is the question of the haratin.
The whole lower class, and consequently the largest part of the population, is made up of Negroes. They alone, moreover, are physically able to bear the work of the land, because they resist malaria.
But these Negroes divide into two sharply distinct categories, the slaves and the haratin.
For the slaves there is no difficulty; their origin is clear, most were born in the Sudan and were brought to the oases by the slave trade. According to Wattin they have a special idiom, the kouria, said to be a medley of all the Sudanese languages. M. Wattin gives no detail about this idiom, which he evidently had no time to study; but he is very positive about its existence. From the little he says of it one imagines a sabir, a pidgin English; it is indeed quite plausible that among Sudanese slaves of different origins and idioms, united by their common misery, a sort of Negro lingua franca should have arisen. This small question nevertheless remains to be investigated.
It is a far more delicate matter to pronounce on the origin of the haratin. They are a class, or a caste of society, an agricultural proletariat, and perhaps one must go so far as to say serfs bound to the soil; they work other people's gardens under a sharecropping contract equivalent to the one that binds the Algerian khammès; I believe that they had no right to break this sharecropping contract, and certainly they had no possibility of doing so.
This Negro proletariat is found throughout the Algerian and Moroccan Sahara, at Ouargla, in the Tafilalet, in the Oued Draa, and everywhere it bears the same name.
One might be tempted to derive this name from حرث (harat: to plough); according to the Moroccan archives there is a class of haratin (white ploughmen) near Tangier[206]. It therefore seems clear that in the eyes of the natives the essential characteristic of the haratin is less the colour of the skin than the social position.
Are the haratin freed slaves, a caste of freedmen? Or are they on the contrary the residue of an ancient aboriginal population enslaved by the Berbers, of Garamantes? It is a question that has caused much ink to flow. The haratin of the Touat and of the neighbouring groups of oases certainly have no idiom of their own. They speak the language of their masters, Arabic or Berber according to the oasis. A certain number know kouria, but not all; those who speak it are former slaves, and kouria would unquestionably be the jargon proper to the slaves. Let us note, however, that M. Basset, studying at Tiaret the Berber idiom spoken by a colony of haratin, found Yolof influences in it[207].
The haratin have never been studied from the ethnological point of view; it is certain, however, that they have the musical instruments of the Negroes, the drum and the double kettledrum (karkabou); they have their dances and their noisy habits on nights of full moon! At first sight, at any rate, they do not seem to differ from them. Moreover, according to our officers (Captain Flye Sainte-Marie in particular), every hartani one questions declares that his grandfather was a slave; in none would one find the claim to belong to a caste different in its origins from the servile caste; those concerned would themselves declare that they are freedmen.
Certainly the customs facilitate and multiply the passages from one caste to the other. Enfranchisements are frequent, and every freedman is by right a hartani. The child of a hartani and a slave is by right a hartani, just as the child of a hartani and a free parent is free by right. Of the two parents it is always the one whose condition is higher who transmits it to the child. One sees here by what legal process the whole race is becoming Negro.
One can therefore affirm that nothing observed in the Touat authorizes us to regard the haratin as an aboriginal race. But I do not think it would be wise to go further and lay down an absolute conclusion. It is clear that, in the present period, the Sudanese have come to the oases as slaves and that they have there founded the stock of the haratin: on the other hand it is a historically certain fact that, in the Middle Ages, they came there as conquerors, in the train of the kings of Mellé and the Sonr'aï sultans; a legend of Timbuktu, related above, attributes to the Touat, to the country and to its name, a Sudanese origin. In an earlier chapter it was said that, in the centre of the Sahara, the Berber race appears to be recently superimposed on a Neolithic Negro population.
In short, in a country where, for climatic reasons, the Negroes are the only possible cultivators, and which is moreover in free communication with Nigritia, it would be imprudent, and one might almost say absurd, to affirm a priori that they have been an epiphenomenon, late immigrants, reluctant workers of the eleventh hour.

Political and economic conditions. — We are fortunate enough to possess, on the Touat, what we lack for the neighbouring groups of oases, a certain number of very serious monographs written on the spot by officers of the Arab bureau[208]. It is therefore possible to undertake, with regard to the Touat, a short political and economic study, which may apply in many of its parts to the whole of the western oases.
First of all the three provinces, Touat, Gourara and Tidikelt, have been counted; and this census reduces by a good half the earlier estimates of the population figure. One hoped for 100 or even 150,000 souls; the whole group has about 50,000 inhabitants.
For the Touat Lieutenant Niéger gives us a meticulous table of the ksars and groups of ksars, and one sees how this population is distributed. The Touat, for example, has twelve oases, twelve distinct palm groves, each forming a more or less centralized whole; in each a variable number of villages; that of Timmi, for example, has 26; that of Sbaa has 2, and Noum en Nas a single one. The size of each village varies from 25 to 500 inhabitants.
It has already been said that the ksars are of pisé. The Cretaceous, above and sometimes below the grès à dragées, has thick beds of clay, which the natives call "tin"; these clays have been and still are much exploited, the galleries from which they are worked are sometimes inhabited, and to a small extent there would thus be grounds for noting in the oases vestiges of troglodytism (Tesfaout in the Gourara, el Ahmer in the Touat). In general the tin is used for making pisé and sun-dried bricks, the usual building materials (see pl. XL, phot. 75); the ksars of the Saharan oases owe to the tin a general red colouring peculiar to them, at least if one compares them with the ksars of Ouargla and of the Souf. There the building materials are quite different, lime and plaster abound, the villages are of a dazzling white; and it is not a simple question of colouring; the architecture, in the Ouargla basin, is far less primitive. Nothing is known, in the western oases, comparable to the superb plaster mouldings that are being unearthed in the ruins of Sedrata. Ouargla and the Souf know and practise the vault; in the oases all the houses are covered with a poor earthen terrace with a framework of palm trunks; it is known that the palm trunk has no strength: however small the span given to it, it bends progressively into an arc (see pl. XLI, phot. 78); it therefore gives only small, ephemeral terraces, through which the foot goes, and at the mercy of a storm. These heaps of perforated beaten earth, which is what the ksars of the oases are, with their long covered passages, give the impression of termite mounds. (See pl. XLI, phot. 77 and also pl. XXXV, phot. 66.)
On the constitution of society the essentials have been said; it is known that at the base there is a caste of slaves, and a caste of serf proletarians, the haratin.
Let us add that the class of free men itself has subdivisions: at the very top of the social hierarchy are the chorfa (descendants of the Prophet), and the merabtin (descendants of saints, of illustrious ascetics); below them the aouam, the crowd of ordinary Muslims whose ancestors were never beatified. We might say the nobles and the commoners, provided we remember that in general, in theocratic Berbery, all nobility is religious and sanctity is hereditary.
The political organization is very loose. The essential mechanism is the djemaa, composed of all the notables of each ksar; but we are rather ill informed about its powers and its means of action; we do not know whether it delegates its authority, and to whom, nor in what way it has its decisions carried out; probably rather badly. Its authority, in any case, does not go beyond the limits of the ksar, and in that grouping of ksars which is an oasis there is no central political mechanism, no cohesion.
The great oasis of Timmi, for example, with its 26 ksour, is indeed a geographical and agricultural individuality, but not at all a political one; it is governed by 26 djemaa, between which, in case of disagreement, there is no possible recourse except to force.
In practice, however, there is often a preponderant family, whose head directs, for better or worse, the whole district; this is the case of Mohammed ben Abd er-Rahman, at Timmi; of Abd el-Qader ben el-Hadj Bel Kacem, at Bouda. On these petty feudal lords the French government today confers, and the sultan of Morocco formerly conferred, the title of caïd; but it is a foreign title, to which nothing official corresponds in the native administration.
We must also note here, as everywhere in North Africa, the political role of the zaouias; in the Touat, Zaouiet Kounta and above all Zaouiet Reggan; in the Gourara, el-Hadj Guelman. Finally, two great çoffs divide the population of all the Saharan oases, the çoff Yahmed and the çoff Sofian.
This institution of the çoff, although it seems to us, above all, to our European eyes, a principle of division and civil war, is on the contrary here the only link between the different districts, since it is the only one that extends to the whole country. Apart from personal and religious influences, the djemaa in the ksar and the çoff in the oases as a whole are the only political institutions in existence.
The laws and customs concerning irrigation are of particular importance; the monograph on the Touat by Lieutenant Niéger contains a very interesting paragraph on this subject. In the Touat, water is an object of property in itself, independently of the soil; it is common for an owner of palms to be merely a tenant of the water, without which his property could not survive. "This anomaly," says Niéger, "is easily explained by the desire of the rich people of the region, owners of foggara, to keep the less favoured in their dependence." One readily understands, in fact, that the possession of water should be an instrument of domination, and that the mere owners of palms should constitute an inferior and dependent class. Each foggara therefore has its owner, or more generally its owners, who are by no means joint owners; the proportion of their rights is measured very exactly by the number of ventilation shafts belonging to each. Each section of foggara therefore has its owner: Niéger does not tell us whether he is responsible for its upkeep; that seems probable, and in that case the ownership of foggara would not be only an instrument of domination, it would presuppose a certain degree of fortune and a certain social pre-eminence; it is clear that, to maintain a foggara, to cope with the hazards of a collapse for example, one must have at one's disposal either capital or an extensive clientele of workmen. Nor are we told whether the community takes no interest at all in this vital question of irrigation. That is hardly likely: what happens, for example, if the owner of a section of foggara lets his property decay and thereby compromises the prosperity of a portion of the oasis? Nor do we know how the water is let; are there leases, auctions? One divines the existence of a whole minute code of irrigation, which it would be interesting to know.
Lieutenant Niéger gives us interesting details on the material distribution of the water. Elsewhere, in the oasis of Figuig, for example, what is distributed, what is the object of property and contracts, is the turn of irrigation, the hour, the fraction of time during which one will have the use of the water. It is therefore time that is measured, by means of the karrouba, a copper vessel pierced with a hole, which serves as a water clock or, more simply, as a water hourglass. This mode of distribution is not unknown in the Touat, but it is rare there. Niéger mentions "a single foggara at Tamentit, where each owner takes the water for a fixed time and immediately waters his garden". In general, it is the water itself that is measured; its flow is gauged, and it is curious to see how the ksourians have solved this delicate problem. The instrument they use bears the name of chekfa; it is a copper plate pierced with holes. Each of these holes has a fixed dimension; some are the unit of measure (habba), and the others are fractions or multiples of it. It suffices to block the current entirely with this copper plate; "equilibrium is established when the water flows through a spout provided at the upper part of the instrument; for this purpose the necessary number of holes in the chekfa are stopped up. It then suffices to count one by one the holes left open, which correspond to known measures (habba, 1/2 habba, etc.), to have the flow."
Lieutenant-Colonel Laperrine was kind enough to draw my attention to a curious passage in Ronna, les Irrigations[209]. One sees there that, in France, the old fountain-makers made use of the pouce d'eau (inch of water), which is simply the French equivalent of the habba.
It is curious to observe thus, once more, that the hydraulic engineers of the Sahara have borrowed their precise knowledge from the common stock of the old world. Once the ksourians have a gauging instrument that is sufficiently precise and practical, it is easy to conceive how the distribution is carried out. At the outlet of each foggara, whose flow is gauged, there is a kasri, which the French call a "comb" because of its shape. It is, if you like, a stone delta between whose branches the water of the foggara divides. (See pl. XXXVIII, phot. 71.) Each tooth of the comb, or each branch of the delta, has its owner, to whom a chekfa, let us say a meter, permanently fixed, automatically ensures the exact quantity of water due to him. It is curious to see how, through the holes of the chekfa, the water of the oases is sold and let, so to speak, drop by drop.
This system is surprising in its ingenious complexity, but it has one great drawback; by gauging the water, and by scattering it thus among the different owners, a great deal of it is lost. With the other system, that of the karrouba, much less is wasted. It seems that the political organization of the Touatians led them to choose this defective mode of distribution. It is not rare, in fact, for the same foggara to belong to several ksars which, being perfectly autonomous, could not remain in joint ownership. The anarchy of the country thus surrenders to evaporation a fairly considerable quantity of water.
Each ksar has its water gauger, the Kiel el-ma, who is at the same time, in matters of irrigation, something like an arbitrator or a judge.
And he is at the same time something fairly close to our notary; what makes his strength, and what makes him irreplaceable, is his meticulous knowledge of interests and fortunes.
In short, all the intelligence and energy that this rather poor human race has preserved is concentrated around these questions of irrigation and cultivation. It has achieved miracles there, about which one regrets to observe a disproportion between the sum of the efforts and ingenuity expended and the final economic result, which is mediocre. (See, for irrigation in the oases, pl. XXXVIII, phot. 72, and pl. XXXIX, phot. 73, 74.)
The date is, as everywhere in the oases, the principal wealth, but those of the Touat do not bear comparison with the magnificent fruit of Ouargla and of the Oued R'ir. According to the natives, attempts have often been made to transplant to the Gourara and the Touat the best varieties of Ouargla; they degenerate there very quickly.
It is probably a question of soil. The basin of Ouargla and of the Oued R'ir is alluvial; the deposits of the Igargar have accumulated there to great depths; this soil, laden with chemical products, moreover yields purgative waters, barely drinkable. The Touat owes to its sandstones very pure waters and a poor soil.
The natives are aware of this and eagerly seek manure, but their wretched livestock supplies hardly any: a very few camels, a few donkeys and a few scraggy sheep; even the hens are remarkable for their tiny size; they lay eggs scarcely larger than a pigeon's. All domestic animal life is sickly or absent. The dog does not exist, too poorly equipped to survive the Saharan summers, with its skin devoid of sweat pores.
Under the palms excellent grapes ripen, which are found moreover at many points in the Sahara (the Hoggar, for example); they do not resemble those of Algeria at all, they have a skin as thin and a berry as small as the most northerly grapes of France; evidently the vine withers to the south as to the north of the Mediterranean zone. Along with the grape the gardens of the Touat have fruit and vegetables, figs, onions, beans, watermelons, etc., which constitute for the native an appreciable food resource, but which are not realizable economic wealth.
In this category of agricultural products capable of supporting a trade come, very far behind dates, henna and tobacco, of insignificant monetary importance, but above all the cereals, millet, barley and wheat. According to Captain Flye Sainte-Marie wheat grows very well, and the Touat proper alone produced 17,600 quintals of it in 1904, enough to meet not only local needs but also those of the garrison, and perhaps a small export.
It is true that the local consumption of foodstuffs must be very low. Unquestionably the proletarians of the oases, in other words the haratin, are a barely fed population. One sees on them frightening mummies' breastbones. The climate, in summer at least, moreover diminishes the appetite and makes stoutness fall away. The European himself, if I may judge by my own case, rapidly loses, along with his habits of overeating, a notable part of his adipose reserves. Under the double influence of climate and famine, the haratin must have developed astonishing faculties of complete digestive assimilation and minimal evacuation. There would be a fine field of study there for those cases of extraordinarily prolonged fasting to which the attention of physicians, psychists and even the general public has been drawn. The oases must be full of Succis who have lacked a manager.
The French authorities fear, or pleasantly pretend to fear, that the Touat may empty of inhabitants, the rumour having spread among the population that there were countries to the north where people ate. The Tell, from this point of view, despite the distance, has always exercised a powerful attraction on the Touatians. If M. Basset was able to study at Tiaret the Berber dialect of the Touat and the Gourara, it is because he found a colony of haratin there.
On poverty and famine in the Touat the military interpreter M. Martin[210] has supplied me with some figures for which I leave him the responsibility, but which are appalling. A palm tree is worth at Ouargla from 30 to 50 francs; in the Oued R'ir from 60 to 70; and the best varieties (deglat nour) go up to 300 francs; in the Touat the palms have a maximum value of 6 to 7 francs a tree, that is to say about ten times less.
A day's work in the Touat is paid with a sou and a handful of dates.
Following the French occupation, the economic situation has been profoundly modified, and in a pejorative sense, at least in certain respects.
The Touat has always lived on the Negro slave trade; it was doubly necessary to it, first to renew its labour force, then as the principal commodity of the trans-Saharan trade. The suppression of the trade is a terrible blow, which strikes the Touat at once in its agriculture and in its commerce; the black labour force, the only one viable in this latitude, tends to emigrate, now that our laws give it the right and the security of the highways the possibility; how will the gaps be filled? And on the other hand, across the Sahara, along that commercial route of which the Touat was an entrepôt, the Sudan, apart from a few ostrich feathers, never sent anything but human merchandise, in exchange for the manufactured products it received from the Mediterranean, and which moreover reach it more conveniently today by the ocean route. We met at Ouallen a caravan from the Touat setting out for Timbuktu; it consisted of two camels loaded with tobacco. The famous caravans of old, however overrated one imagines them, were apparently stronger and carried more varied goods.
Moreover, our arrival has profoundly disturbed the internal trade of the Sahara between nomads and sedentary people. The Touat was the market where agricultural products (especially dates) were exchanged against those of stock-raising (sheep, butter). For various reasons, and more or less provisionally or definitively, the nomads have unlearned the way to the market.
Those of the south, the Tuareg, left the oases after the occupation of In Salah and did not reappear there for long years.
Those of the west are the Beraber, since the disappearance of the Ouled Moulad; they were the particular nomads of the Touat proper; they left it only after bloody fights, and they seem still far from accepting the new order of things.
These desertions at least are not lasting; the Tuareg question is already settled and the Beraber question will one day receive a solution. In the north, on the side of the Algerian nomads, the particular customers of the Gourara, the harm is less, but it is irreparable. The Hamyan and the Trafi of the Sud-Oranais, urged on by the French administration, quickly resumed, after a short interruption, their age-old habit of sending large caravans to the Gourara once a year[211]. Yet Captain Flye Sainte-Marie, in his very well documented study, notes the decline of the Sud-Oranais traffic, despite administrative encouragement; in the Touat proper the number of Oranais camels has fallen from 4,300 to 1,700[212]. The insecurity of the frontier has something to do with this decline. But the main reason lies elsewhere; it has been pointed out by MM. Lacroix and Bernard[213]. Economic conditions have been so profoundly modified in the Oranie by the French occupation that the repercussion has made itself felt on diet. "The natives are coming to no longer care for dates." Or if they still consume them, it is the superior dates of the Oued R'ir. The date in Algeria has fallen from the rank of a food to that of a delicacy; and the mediocre products of the Touat palm groves accumulate in unsold stocks.
In compensation for so much ruin the French occupation has had its advantages. The first is a garrison which leaves in the country almost the whole of its pay. In a French sub-prefecture that is an appreciated benefit. In the Touat it has been the starting point of an economic revolution. Coined money has killed barter; the Jews, the Mzabites, even the Chaamba have founded trading houses; instead of the old free caravans that came to exchange sheep for dates in kind, one has seen the appearance of caravans organized as enterprises, executing orders, which come to the Touat to seek no longer dates but money; they have taken new routes, those of the east, which come from the M'zab, from Ouargla, or even from Gabès. In place of the old commercial life, now paralysed, a new one is seen to be born.
Another benefit, correlative with the first: the garrison has brought security, thanks to which efforts are being made to develop the methods of irrigation and the extent of cultivation. Artesian borings, undertaken, it is true, with inadequate equipment, have as yet yielded nothing; and it is quite possible that this disappointment is not fortuitous. The natives, in the Touat-Gourara, have dug only two artesian wells, as against foggaras that are counted by the thousand; they are after all admirable hydraulic engineers, and they make up for the inferiority of their tools by an experience of ten or twenty centuries; we may hope to do better, but not otherwise. The simple repair of the foggaras has given excellent results. According to Captain Flye Sainte-Marie the flow "has increased in an incredible proportion (1/4, 1/3, 3/7)[214]". It is proposed to line with concrete the open-air channels (séguia) and the receiving basins (madjen) to prevent seepage. (See pl. XXXIX, phot. 74 and XXXVIII, 71 and 72.) In short, we are in a position to increase the water resources notably.
It has thus been possible to bring into cultivation in the oases a few new plots of arable land, despite the difficulties presented here, as in Egypt, by the salinity of the soil[215]. The production of cereals has increased in a fairly large proportion, and the sale of wheat has been able to compensate to some extent for the poor sale of dates.
This much weakened old economic organism is struggling as best it can to get through a formidable crisis.

Potassium nitrates. — It was once possible to believe that the Gourara-Touat had prospects of mining development. Deposits of nitrates have long been reported there, on the border of the Touat and the Gourara (at Ouled Mahmoud, Kaberten, Sba, Tililan[216]). I have seen three of them, which resemble one another, and I believe I know that the other is of the same type.
M. Pouget, professor at the École des sciences of Algiers, was kind enough to analyse a sample of nitrate earth that I brought back from Ouled Mahmoud. He found in it a high proportion of common salt (41 per cent). As for the nitrates, they are sodium nitrates rather than potassium nitrates. But "the treatment to which the natives subject the ore partially transforms the sodium nitrate into potassium nitrate, thanks to the presence of potassium chloride[217]". In short, one could extract from the ore 6.45 per cent of saltpetre. That is a small quantity; the caliches of Chile contain 3 to 10 times more.
The saltpetre content of the ore is variable. It is sufficient only after a heavy rain, followed by a strong wind, that is to say by strong evaporation. The natives affirm it at least, and they wait for this favourable moment for the intermittent working of their nitrates. Moreover, the rise of the salts by capillarity is, it seems, a constant phenomenon; the waste from the caliches recharges automatically, and can be worked again. In the Gourara this peculiarity inspires in M. Flamand the hope that there exist at depth very rich deposits feeding the poor surface deposits.
It is to be hoped that a trial boring will be made by the administration, which has a small drilling apparatus. The enclosing ground is everywhere the same, Cenomanian or Albian clays.
It must be admitted that the appearance of the deposits is not encouraging. That of Ouled Mahmoud is quite small; it is a minute sebkha one to two hundred metres in diameter. It is enclosed within the palm grove, below the village, in a marked depression. All the refuse and all the animal matter must have been carried down into it and accumulated there for centuries, all the more so as the surrounding soil is of impermeable clay. One is therefore tempted to believe that the little nitre-bed of Ouled Mahmoud is simply the natural sewer of a very ancient village.
Those of Sba and Tililan are also small sebkhas near villages. The tools and the methods of extraction are fairly ingenious, although they give deplorable results. According to M. Pouget, more than half the saltpetre contained in the ore is found in the waste, namely 3.8 out of 6.45 per cent. On the other hand, the potassium nitrate obtained is very impure; it contains 33 per cent of sodium nitrate.
The tools and methods of the Gourarians are not, moreover, peculiar to them. They were in use in the oases of the Zibans and of the Oued R'ir in the middle of the nineteenth century[218]. I do not know whether the nitre-beds of Ouled Mahmoud will have a different fortune from those of the Zibans, now fallen into oblivion.

[160] See the colour map plate outside the text.

[161] Étienne Ritter, Le Djebel Amour, Bulletin du service de la carte
géologique de l'Algérie, Alger, 1902.
M. Flamand attributes the Gourara sandstones to the Neocomian, but in
an early work which preceded Ritter's (Flamand.... in
Documents pour servir à l'étude du Nord-Ouest Africain, by
Lamartinière and Lacroix, Alger, 1897).
[162] Foureau, Documents, etc., p. 824.
[163] Flamand, Sur la présence du Dévonien à Calceola sandalina dans
le Sahara occidental, C. R. Ac. Sc., 1 July 1901.
[164] Ém. Haug, Sur deux horizons à Céphalopodes du Dévonien
supérieur dans le Sahara oranais, C. R. Ac. Sc., 6 July 1903.
[165] Note by M. Chudeau: "The Tiberkamin boring reached 66
metres; the succession would be: alluvium, 3 metres; Cretaceous, 7 metres;
Primary. The fossil appeared to me to be Atrypa reticularis?"
[166] Observation by M. Chudeau.
[167] Flamand, Sur la présence du Dévonien inférieur dans le Sahara
occidental, C. R. Ac. Sc., 2 June 1902.
[168] Supplément au Bulletin, etc., July 1907.
[169] Supplément au Bulletin, etc., July 1907; see in particular the
sections, pp. 151 and 152.
[170] The Devonian sandstones of Mauritania are likewise horizontal,
according to the oral testimony and the notebooks of M. Dereims, the only
professional geologist who has seen them.
[171] A trunk 30 centimetres in diameter (Note by M. Chudeau).
[172] Bornhardt, Deutsch Ost. Afrika, Berlin, 1900, vol. VII.
[173] They will not be found on the old maps. They must be looked for
on the Prudhomme and Niéger maps.
[174] Brunhes, L'Irrigation.
[175] Lieutenant Niéger: Le Touat, Bulletin du comité de l'Afrique
française. Supplements nos. 7 and 8, July and August 1904.
[176] Dr Siegfried Passarge, Die Kalahari. Berlin, 1904, p. 667.
[177] Hartmann, in Zeitschrift für Assyriologie, Bd XIX, p. 352.
[178] The Mussel map, still unpublished, is the most authoritative document.
[179] Martin, Oasis sahariennes, Bulletin de la Société de géog. d'Alger,
1906, p. 395.
[180] René Basset, Étude sur la zénatia du Mzab, de Ouargla et de
l'Oued-R'ir. Publication of the École des Lettres d'Alger, 1893.
By the same author, a study of the Gourara dialect in:
Journal Asiatique, 1885, Notes de Lexicographie berbère.
[181] W. Marçais, Le Dialecte arabe parlé à Tlemcen, publication of
the École des Lettres, 1902, pp. 13 and 14.
[182] Published by Dr Hamy; it is given in the appendix.
[183] Siegfried Passarge, Die Kalahari.
[184] René Basset, in Journal Asiatique, VIII, series X, 1887, p. 365 ff.
[185] Bull. Soc. de Géogr. d'Alger.
[186] Comptes rendus de l'Académie des Inscriptions, May 1903; see
the appendices.
[187] Under study at M. Flamand's geological laboratory.
[188] Barth, Reisen und Entdeckungen, II, p. 83.
[189] Also under study at M. Flamand's laboratory.
[190] Corippus, Johannide, II, 109; IV, 667. El Bekri, Arabic text of
de Slane, p. 161.
[191] Laquière, La colonne Servières: publication of the Bulletin du comité
de l'Afrique française, p. 21.
[192] Watin, l. c.
[193] Segonzac, Voyages au Maroc, 1899-1901, p. 160, fig. 92; see
also figs. 95, 104, 105, 109.
[194] Duveyrier notes similar ones, which he calls Garamantic,
at R'adamès and in the Fezzan (see Exploration du Sahara, p. 251).
[195] Louis Watin, Origine des populations du Touat, Bull. Soc. Géogr.
Alger, 1905, 2nd quarter, p. 209, etc.
[196] Ernest Mercier, Histoire de l'Afrique septentrionale, vol. II, p. 382.
[197] Nedromah et les Traras. Publication of the École des Lettres d'Alger.
1901, p. VII.
[198] L. c., pp. XV and XVI.
[199] L. c., p. V.
[200] L. c., p. 66.
[201] René Basset, Notes de lexicographie berbère. Le dialecte des Beni
Menacer, Journal asiatique, 1885, p. 5.
[202] Id., p. 20, in a footnote.
[203] René Basset, Les dictons satiriques attribués à Sidi Ahmed ben
Yousof, Journal asiatique, 1890, p. 6.
[204] R. Basset, Histoire de Tombouctou, p. 21.