Signal Processing 16 (1989) 179-184
North-Holland
BOOK REVIEWS
" Primality and Cryptography",by Evangelos
Kranakis, Fakultaire Vakgroep lnformatica
Amsterdam, Universiteit van Amsterdam, The
Netherlands and Department of Computer Science,
Yale University, New Haven, U.S.A., In: Wiley-
Teubner Series in Computer Science. Publishers:
B.G. Teubner, Stuttgart, and John Wiley & Sons,
Inc., Chichester, West Sussex, United Kingdom
POI9 1UD, 1986, xv + 235 pp., ISBN 3-519-02104-8
(Teubner), ISBN 0-471-90934-3 (Wiley), indicative
price: $41.95
Since the advent of computer controlled communi-
cation networks, there has been a growing need
for secure information transmission through elec-
tronic media. This led to a renewed interest in the
field of cryptography, which is concerned with
enciphering messages in order to make them
incomprehensible to unauthorized users.
In 1976, Diffie and Hellman laid the foundations
for public key cryptosystems, and since then the
field has grown considerably. Today, the security
of many cryptosystems depends on the hardness
of certain problems in number theory, such as
factoring large integers or computing discrete
logarithms modulo a large prime number.
In the present book, as its author says in the
Prologue, the most important mathematical notions
arising from the recent literature on primality tests,
pseudo-random generators and public key cryptosys-
terns are isolated and explained.
The author starts in Chapter 1 with an introduc-
tion to the basic concepts of number theory. There
are sections on the Chinese Remainder Theorem
with an application to threshold schemes (these
schemes are used to solve the problem of sharing
a secret among a number of people that do not
trust each other), on modular exponentiation, and
179
on Gaul3's Law of Quadratic Reciprocity. In the
section on the Prime N u m b e r Theorem, there is
an elegant proof of the fact that the number of
primes less than or equal to a given n is greater
than ~(n/log n). Furthermore, the probabilistic
polynomial time algorithm of A d l e m a n - M a n d e r s -
Miller for computing square roots modulo a prime
is given. This algorithm is first described infor-
mally, and later a formal version is given. Un
fortunately, this formal version is quite different,
and in fact wrong, from the informal one.
Chapter 1 ends with an exposition on continued
fractions.
Chapter 2 is on primality tests. Here the problem
is to design fast algorithms, which when given as
input an integer n, decide whether n is a prime or
a composite. The author starts with the Sieve of
Eratosthenes, which is used to determine all primes
less than a given integer n. Next, Wilson's Test is
given, stating that n is a prime if and only if
( n - 1 ) ! - = - 1 mod n. This test, however, has only
theoretical value. Another test in this chapter is
Euler's Sum of Two Squares Test, in which the
author has forgotten to mention that this test is
only valid if n -= 1 rood 4. Next, Pratt's Test is given,
proving that the primes are in NP, i.e. the primes
can be recognized in non-deterministic polynomial
time. There are also primality tests for integers of
a special form, such as Pepin's Test which says
that the Fermat number Fn--22"+1 is prime
if and only if 3~v,,-J~/2=--lmodF,,, and the
Lucas-Lehmer Test for the Mersenne integers
Mp = 2 P - 1 .
Next, there is Miller's Test, that runs in
deterministic polynomial time, if one accepts the
Extended Riemann Hypothesis. Also, the fast
probabilistic tests of Solovay-Strassen and Rabin
are given. Both of these tests run in polynomial
 180
time, but they might give the wrong answer.
However, the probability of giving the wrong
answer can be made arbitrarily small.
Finally, the today fastest known deterministic
test of Rumely-Adleman is presented. In the
description of this test, a serious error occurs. On
page 76, Step 4 of the algorithm should be: For
each i = 0 , 1 , . . . , t - 1 compute gcd(n i mod s, n).
Furthermore, the reader might get the impression
from this algorithm that it can also be used to
factor an integer n into its prime factors: In the
final step one explicitly finds a factor of n if it is
not a prime. This is certainly not the case, for two
reasons. First, in practice one almost never reaches
the final step of the algorithm: in the first steps of
the algorithm almost all composite numbers will
be eliminated. Second, the Rumely-Adleman test
is carried out, only if one is almost sure that n is
prime, e.g. after a probabilistic primality test has
been carried out.
Chapter 3 discusses probability theory. This
chapter includes the basic notions such as proba-
bility spaces, random variables and the binomial
distribution. Also complete proofs are given of
Chebyshev's and Bernshtein's Laws of Large Num-
bers. The chapter ends with a nice application of
these laws of large numbers: Given parallel lines
in the plane at a distance 2 from each other, and
given a needle of length 1. Suppose we throw the
needle independently n times. Let m be the number
of times that the needle intersects one of the
parallel lines. Then for each e > 0, the probability
that I m / n - 1 / ' r r l > ~ e is at most 1/4ne 2. Hence, by
taking n large enough, the fraction n / m is, with
high probability, a good approximation for ~.
In Chapter 4, pseudorandom generators are dis-
cussed. Sequences of random numbers are useful
in e.g. cryptography and in the design of prob-
abilistic algorithms. However, since it is impossible
to produce a perfectly random sequence through
an unbiased execution of an experiment, we are
led to pseudorandom sequences, i.e. sequences that
look sufficiently random.
First, the well-known Linear Congruence Gen-
erator is given. Let a, b, and m be fixed--but
unknown--positive integers. Then the linear
Signal Processing
Book Reviews
congruence generator L G E N ( x ) produces the
sequence Xo = x, xi+ ~=------( axi + b) mod m for i/> 0. It
is shown that such sequences are predictable:
There is a polynomial time algorithm, which when
given a sufficiently long subsequence, will output
the numbers a, b and m.
An example of pseudorandom sequences that
are indistinguishable from truly random sequences
by any polynomial time algorithm--hence by any
algorithm encountered in practice--are the ones
generated by the Quadratic Residue Generator:
Given integers x and n, such that x is a quadratic
residue modulo n, i.e. there is a y such that x-=
y2 mod n. Consider the sequence x~ ~- x 2' mod n for
i ~> 0. Then the quadratic residue generator pro-
duces the sequence of bits bo, bl, b 2 , . . . , where
bi = 0 if x~ is even, and b~ = 1 otherwise. It is shown
that under the assumption that it is computa-
tionally infeasible to determine for given x and n
whether x is a quadratic residue modulo n - - a n d
in fact nowadays no efficient algorithm for this
problem is k n o w n - - t h e above sequences of bits
are indeed indistinguishable from truly random
sequences of bits.
In Chapter 5, public key cryptosystems are intro-
duced. Suppose A wants to send a message rn to
B. Then A looks in a public 'telephone book' and
finds under B's name two integers e and n. This
integer n is the product of two large primes p
and q, and these primes are known only to B.
Also, B has a secret number d satisfying ed =-
1 m o d ( p - 1)(q - 1). We may assume w.l.o.g, that
the message m is represented as an integer that is
smaller than n. Now A transmits the integer
E (m) -= rn e mod n to B. In order to decipher the
received message E ( m ) , B computes (E(rn)) a,
which is equal to m ea=- rn mod n by the Euler-
Fermat Theorem. Hence B can decipher the
message efficiently. However, an eavesdropper
cannot compute m from E ( m ) , since he does not
know the secret number d. In fact the only w a y - -
known t o d a y - - t o find this secret number, is to
compute the prime factors p and q of n, and then
to take the multiplicative inverse of e m o d ( p - 1 ) ×
(q - 1). So under the assumption that integer fac-
torization is infeasible--and today this is a reason-
 Book Reviews
able assumption--this is a secure way of transmit-
ting messages.
The just sketched RSA System is discussed in
Chapter 5. It is shown e.g. that computing a certain
bit of the message m from the encoded RSA
message m e mod n is as difficult as computing the
entire message m.
Other cryptosystems in this chapter are Rabin's
System, which can be broken if and only if one
can factor integers efficiently, the Merkle-Hellman
System based on the knapsack problem, which is
not secure, and the Quadratic Residue System
which is secure if one assumes that determining
quadratic residuosity is infeasible.
The book ends with Chapter 6 Towards a General
Theory. In this chapter some general methods are
given for constructing p s e u d o r a n d o m sequences.
Also the very powerful X O R Theorem is proved
in detail. This theorem states that by XOR-ing a
predicate, one gets a new predicate that is more
difficult to predict than the original predicate. This
X O R theorem can be used e.g. to construct secure
p s e u d o r a n d o m generators and one-way functions
(i.e. functions like E ( m ) above; given m it is easy
to compute E(m), but computing m from E ( m )
is difficult).
The book is in general clearly written. At some
places, maybe some more intuitive background
information could have been added. For example,
more words should have been spent on why using
the circuit as the model of computation, and not
e.g. the Turing Machine. Most of the proofs are
given with sufficiently m a n y details, so the reader
can work out the precise details for himself. (There
are in fact many details to be worked out.)
Although most of the elementary notions of
number theory are introduced in Chapter 1, I think
"Z Transform Theory and Applications", by Robert
Vich, Institute of Radio Engineering and Electron-
ics, Czechoslovak Academy of Sciences, Prague,
Czechoslovakia. Publishers: Kluwer Academic Pub-
lisher Group, P.O. Box 989, 3300 AZ Dordrecht,
The Netherlands, 1987, xii + 246 pp., ISBN 90-277-
1917-9, indicative price: U.S. $69
181
that the reader should have some acquaintance
with algebra and the theory of computational
complexity. So the b o o k seems most suited to
mathematicians and theoretical computer scien-
tists.
Furthermore, since e.g. classical cryptosystems
are not discussed, it might be difficult to use the
book as a textbook for a general course in cryp-
tography. However, as a textbook for an advanced
course or for researchers it can serve quite well.
Unfortunately, the book contains several mis-
takes, and some of these were mentioned already.
Most of these mistakes are, however, easily detec-
ted by the careful reader. Let me mention a few
of these mistakes. On page 53 in the first line, r ls
should be rl n. On page 75 in line -5, the a should
be vp(a), and on page 126 in line -12, APR should
be -7APR. On page 127 in line -3, the Legendre
symbol (x IP) is suddenly called Langrange symbol
(even the name Lagrange is spelt wrong). On page
160, the decryption function for the Quadratic
Residue System is wrong (one has to interchange
0 and 1). This is, however, a classical mistake; even
in the original papers on this cryptosystem, the
error occurs.
To conclude this review, the book is recommen-
ded to anyone who is interested in the theoretical
aspects of cryptography, and in the parts of number
theory that are relevant for this field, and who is
willing to invest enough time in understanding the
material.
Michiel H.M. S M I D
Departments of Mathematics and
Computer Science,
University of Amsterdam,
Amsterdam, The Netherlands
This excellent didactical book is a new edition,
revised and augmented, of a book first published
in G e r m a n and in Czechoslovakian by the author,
who is a professor at the Faculty of Electrical
Engineering of the Technical University of Prague.
The text is based mainly on the teaching experience
of Professor Vich.
Vol. 1O. No. 2, February 1989