UNIT II

Symmetric Key Cryptography: Data Encryption Standard (DES), Advanced Encryption Standard (AES),
Blowfish, IDEA, Block Cipher Modes of Operations. Number Theory: Prime and Relatively Prime Numbers,
Modular Arithmetic, Fermat’s and Euler’s Theorems, The Chinese Remainder Theorem, Discrete Logarithms.

Data Encryption Standard (DES)

DATA ENCRYPTION STANDARD (DES)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST).

Overview

Stream Ciphers and Block Ciphers

 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
 A block cipher is one in which a block of plaintext is treated as a whole and used to produce
a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
 DES is a block cipher, as shown in Figure 2.1.
 At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the
decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The
same 56-bit cipher key is used for both encryption and decryption.

Figure 2.1 Encryption and decryption with DES

DES structure

Let us concentrate on encryption; later we will discuss decryption. The encryption process is
made of two permutations (P-boxes), which we call initial and final permutations, and sixteen
Feistel rounds. Each round uses a different 48-bit round key generated from the cipher key
according to a predefined algorithm described later in the chapter. Figure 2.2 shows the elements
of DES cipher at the encryption site.

Initial and Final Permutations

 The below diagram shows the initial and final permutations (P-boxes). Each of these
permutations takes a 64-bit input and permutes them according to a predefined rule.
 We have shown only a few input ports and the corresponding output ports.

1/52
 These permutations are keyless straight permutations that are the inverse of each other.
 For example, in the initial permutation, the 58th bit in the input becomes the 1st bit in the
output. Similarly, in the final permutation, the 1st bit in the input becomes the 58th bit in the
output.
 The initial and final permutation tables are shown in table 2.1.

Figure 2.2 General structure of DES

Figure 2.3 Initial and final permutation steps in DES

2/52
 Table 2.1 Initial and final permutation tables
Rounds

 DES uses 16 rounds. Each round of DES is a Feistel cipher as shown in figure 2.4.
 The round takes LI-1 and RI-1 from previous round (or the initial permutation box) and creates
LI and RI, which go to the next round (or final permutation box).
 We can assume that each round has two cipher elements (mixer and swapper). Each of these
elements is invertible.
 The swapper is obviously invertible. It swaps the left half of the text with the right half. The
mixer is invertible because of the XOR operation.
 All noninvertible elements are collected inside the function f (RI-1, KI).

Figure 2.4 A round in DES (encryption site)

DES Function
 The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost
32 bits (RI-1) to produce a 32-bit output.
 This function is made up of four sections: an expansion D-box, a whitener (that adds key), a
group of S-boxes, and a straight D-box as shown in figure 2.5.

3/52
 Expansion P-box
 Since RI-1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI-1 to 48 bits. RI-1 is
divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits. This expansion
permutation follows a predetermined rule.
 For each section, input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5, respectively.
 Output bit 1 comes from bit 4 of the previous section; output bit 6 comes from bit 1 of the next
section.
 If sections 1 and 8 can be considered adjacent sections, the same rule applies to bits 1 and 32.
Figure 6.6 shows the input and output in the expansion permutation.

Figure 2.5 DES function

Figure 2.6 Expansion permutation

Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded
right section and the round key. Note that both the right section and the key are 48-bits in length.
Also note that the round key is used only in this operation.

S-Boxes The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and
a 4-bit output. See figure 2.7.

4/52
 Figure 2.7 S-boxes

Figure 2.8 S-box rule

Table 2.2 S-box 1

Table 2.2 shows the permutation for S-box 1. For the rest of the boxes see the textbook.

Example:
The input to S-box 1 is 100011. What is the output?

Solution:
If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The
remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1,

5/52
in Table 2.2 (S-box 1). The result is 12 in decimal, which in binary is 1100. So, the input 100011
yields the output 1100.

Figure 2.9 DES cipher and reverse cipher.

Final Permutation
 The last operation in the DES function is a permutation with a 32-bit input and a 32-bit output.
 The input/output relationship for this operation is shown in Table 2.3 and follows the same
general rule as previous tables.
 For example, the seventh bit of the input becomes the second bit of the output.

6/52
 Table 2.3 Straight permutation table

Cipher and reverse cipher

 The last round (round 16) different from the others; it has only a mixer and no swapper. This
is shown in figure 2.9.
 Although the rounds are not aligned, the elements (mixer or swapper) are aligned.
 We proved in Chapter 5 that a mixer is a self-inverse; so is a swapper.
 The final and initial permutations are also inversing of each other.
 The left section of the plaintext at the encryption site, L 0, is enciphered as L16 at the encryption
site; L16 at the decryption is deciphered as L0 at the decryption site. The situation is the same
with R0 and R16.

 A very important point we need to remember about the cipher is that the round keys (K 1 to K16)
should be applied in the reverse order. At the encryption site, round 1 uses K1, and round 16
uses K16; at the decryption site, round 1 uses K16 and round 16 uses K1.
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However, the cipher key
is normally given as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before
the actual key-generation process, as shown in figure 2.10

Parity Drop
 The preprocess before key expansion is a compression transposition step that we call parity
bit drop.
 It drops the parity bits (bits 8, 16, 24, 32, …64) from the 64-bit key and permutes the rest of
the bits according to Table
 The remaining 56-bit value is the actual cipher key which is used to generate round keys. The
parity drop step (a compression D-box) is shown in Table 2.4.

Table 2.4 Parity-bit drop table

7/52
 Figure 2.10 Key generation

Circular left shift

After the straight permutation, the key is divided into two 28-bit parts. Each part is shifted left
(circular shift) one or two bits. In rounds 1, 2, 9, and 16, shifting is one bit; in the other rounds, it
is two bits. The two parts are then combined to form a 56-bit part. Table 2.5 shows the number of
shifts for each round.

Table 2.5 Number of bit shifts

Compression D-Box The compression D-box changes the 58 bits to 48 bits, which are used as a
key for a round. The compression step is shown in Table 2.6.

8/52
 Table 2.6 Key-compression table

Strength of DES

The strength of DES is as follows −

 Use of 56-bit keys
o 56-bit key can be frequently used in encryption. There are 256 possible keys. A brute
force attack on such number of keys is impossible.
o A machine implementing one DES encryption per microsecond would take more than
thousands of years to divide the cipher.
o The assumption of one encryption per microsecond is excessively moderate. Diffie and
Hellman postulated that the technology existed to develop a parallel machine with one
million encryption equipment, each of which can implement one encryption per
microsecond.
o It is necessary that there is more to key-search attack than easily running through all
possible keys. If the message is only plaintext in English, thus the result pops out simply,
although the task of identifying English would have to be automated.
o If the text message has been compressed before encryption, then identification is more
complex.
 The nature of algorithm
o Cryptanalyst can implement cryptanalysis by exploiting the features of DES (Data
Encryption Standard) algorithm.
o It can be exploring the weakness of eight substitution tables or S-boxes that are utilized in
each iteration.
o Much of the work has been completed and the number of regularities and unexpected
behaviors of the S-boxes have been found but no one has succeeded in discovering out the
weaknesses in the S-box.
o This contention is tantalizing, and over the years a multiple regularities and unexpected
behavior of the S-boxes have been found.
 Timing Attacks
o A timing attack is a security exploit that allows an attacker to spot vulnerabilities in a local
or a remote system to extract potentially responsive or secret data by acquiring the
concerned system's response time to several inputs. A timing attack is a type of a broader
class of attacks known as Side channel attacks.
o Timing attacks allows an attacker to extract secrets maintained in a security system by
acquiring the time it takes the system to respond to several queries.
o Kocher designed a timing attack to reveal secret keys utilized for RSA decryption. These
attacks were only used in the context of hardware security tokens including smartcards.

9/52
 o They are associated to the public key algorithms. In this it can maintain information about
the key or the plaintext is acquired by observing how long it takes to implement decryptions
on several ciphertexts.
o A timing attack accomplish the fact that on encryption or decryption, algorithm takes
different amount of time on multiple inputs.
o Timing attacks and related attacks can be secured against to some degree by “blinding” the
devices implementing encryption and decryption computations so that all computations
have the same performance, regardless of the specific key and message being utilized.

Security of DES

DES, as the first important block cipher, has gone through much scrutiny. Among the
attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear
cryptanalysis.

Brute-Force Attack

We have discussed the weakness of short cipher key in DES. Combining this weakness with the key
complement weakness, it is clear that DES can be broken using 2 55 encryptions. However, today
most applications use either 3DES with two keys (key size of 112) or 3DES with three keys (key
size of 168). These two multiple- DES versions make DES resistant to brute-force attacks.

Differential cryptanalysis

 DES is not immune to that kind of attack. However, it has been revealed that the designers of
DES already knew about this type of attack and designed S-boxes and chose 16 as the number
of rounds to make DES specifically resistant to this type of attack.
 Today, it has been shown that DES can be broken using differential cryptanalysis if we have
247 chosen plaintexts or 255 known plaintexts.
 Although this looks more efficient than a brute-force attack, finding 247 chosen plaintexts or
255 know plaintexts is impractical.
 Therefore, we can say that DES is resistant to differential cryptanalysis. It has also been
shown that increasing the number of rounds to 20 require more than 2 64 chosen plaintexts
for this attack, which is impossible because the possible number of plaintext blocks in DES is
only 264.

Linear Cryptanalysis

Linear cryptanalysis is newer than differential cryptanalysis.

DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis, probably because
this type of attack was not known to the designers of DES. S-boxes are not very resistant to linear
cryptanalysis. It has been shown that DES can be broken using 243 pairs of known plaintexts.
However, from the practical point of view, finding so many pairs are very unlikely.

10/52
 Advanced Encryption Standard
(AES)
AES Algorithm

Video lecture references: https://www.youtube.com/watch?

v=X8whYEWoDSI&t=312s
https://www.youtube.com/watch?v=14SAn4IEAHk

• AES is cryptographic algorithm published by NIST (National Institute of Standards and

Technology).
• The algorithm was proposed by Rijndael, it is also known as Rijndael algorithm.
• AES works on block cipher technique. Size of plaintext and ciphertext is same.
• The AES states that the algorithm can only accept a block size of 128 bits and a choice of three
keys - 128, 192, 256 bits.
• Depending on which version is used, the name of the standard is modified to AES-128, AES-192
or AES- 256 respectively.
• In the following figure, Nr defines the number of rounds. The figure also shows the relationship
between the number of rounds and the key size.
• However, the rounds keys, which are created by the key-expansion algorithm are always 128-
bits, the same size as the plaintext or ciphertext block.

Figure 2.11 General design of AES encryption cipher.

• The number of keys generated by the key-expansion algorithm is always one more than the
number of rounds. In other words, we have
Number of round keys = number of rounds + 1
We refer round keys as K0, K1, K2, ……., KNr
Plaintext transform in matrix form
• Take 128-bit block of plaintext that means 16-bytes and label them as b0 to b15 and convert
into a 4 X 4 matrix of bytes; call it as state array.

11/52
 • The first four bytes occupy first column and next four bytes occupy second column and so on.

So, AES operates 4 x 4 column-major order matrix of bytes called as state array.

DEC HEX
A 00 00
B 01 01
: : :
: : :
Z 25 19

Overall structure of AES encryption process

• Overall structure of AES encryption process is shown in figure 2.12.

• For encryption, each round consists of the following steps:
1) SubBytes
2) ShiftRows
3) MixColumns
4) AddRoundKey
Above steps also called AES transformation function

12/52
Figure 2.12 Overall structure of AES encryption and decryption process

1. SubBytes / Substitution Bytes

• AES defines a 16 X 16 matrix of byte values, called an S-box that contains a permutation of all
possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the following way:
 The left most 4 bits of the byte are used as a row value and the right most 4 bits used as a
column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output
value.
• For example, the hexadecimal value 00 references row 0, column 0 of S-box which contains the
value {63}, accordingly the value {12} is mapped into {C9}.

Figure 2.13 SubBytes transformation

13/52
 Table 2.7: SubBytes transformation table

• Table 2.8 is the inverse S-Box, it will be using during decryption process.

Table 2.8 InvSubBytes transformation table.

14/52
 2. ShiftRows transformation

• The shift rows transformation is called ShiftRows.

• Rules of shifting rows,
 Row 1 → now shifting
 Row 2 → 1 byte left shift
 Row 3 → 2 byte left shift
 Row 4 → 3 byte left shift

• The inverse shift row transformation is called InverseShiftRows, performs the circular shift in
the opposite direction for each of the last three rows, which a one-byte circular right shift for
the second row and so on.

3. Mix Columns

• The mix column transformation is called MixColumns, operates on each column individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in that
column.

15/52
Example calculation is given below.

4. AddRoundKey

• In the forward add round key transformation, AddRoundKey, the 128-bits of State are bitwise
XORed with the 128-bits of the round key.
• As shown in figure, the operation is viewed as a column wise operation between 4 bytes of a
state column and one word of the round key; it can also be viewed as a byte-level XOR
operation.

Figure: AddRoundKey transformation

Example:

AES decryption process is shown in figure 2.14.

This is the inverse of encryption process. Ciphertext is input for the AddRoundKey and the output
is given to the next round and in the same way it will go through Nr-1 rounds and in the last round
MixColumn part is missing same as the last round of encryption process and finally produces the
plaintext.

16/52
 Figure 2.14 Overall structure of AES encryption and decryption process

AES Key Expansion

• The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes). This is sufficient to provide a 4-word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher.
• The figure 2.16 describes the generation of the expanded key, using the symbol g to represent
that complex function.
• The first 4 words (W0, W1, W2, W3) are made from the cipher key. The cipher key is thought of
as an array of 16 bytes (k0 to K15). The first four bytes (K0 to K3) become W0; the next four bytes
(k4 to k7) become W1; and so on. In other words, the concatenation of the words in this group
replicates the cipher key.
• Words of each round are as follows

Figure 2.15 Words of each round

17/52
• The function g consists of the following sub functions.
 This function performs the one-byte circular left shift.
 Using SubBytes transformation table (S box) each sub word performs a byte substitution.
 Finally, the result is XORed with the round constant called as Rcon[j].
 The round constant is a word in which the three rightmost bytes are always 0.
 The table below shows the values for AES-128 version (with 10 rounds).

Figure 2.16 AES Key Expansion

Table 2.9 Rcon Constants

Algorithm
Algorithm 2.1 is a simple algorithm for the key-expansion routine (version AES-128).

18/52
 Algorithm 2.1 Pseudocode for Key expansion in AES-128

Analysis of AES (or) Three Characteristics of AES

Following is a brief review of three characteristics of AES.

Security
AES was designed after DES. Most of the known attacks on DES were already tested on AES; none
of them has broken the security of AES so far.

 Brute-Force Attack: AES is definitely more secure than DES due to the larger-size key (128,
192, and 256 bits). Let us compare DES with 56-bitcipher key and AES with 128-bit cipher
key. For DES we need 256 tests to find the key; for AES we need 2128 tests to find the key.
This means that if we can break DES in t seconds, we need (272 x t) seconds to bread AES.
This would be almost impossible. In addition, AES provides two other versions with longer
cipher keys. The lack of weak keys is another advantage of AES over DES.

 Statistical attacks the strong diffusion and confusion provided by the combination of the
SubBytes, ShiftRows, and MixColumns transformations removes any frequency pattern in
the plaintext. Numerous tests have failed to do statistical analysis of the ciphertext.

Implementation
 AES can be implemented in software, hardware, and firmware. The implementation can use
table lookup process or routines that use a well-defined algebraic structure. The
transformation can be either byte-oriented or word-oriented. In the byte-oriented version, the
whole algorithm can use an 8-bit processor; in the word-oriented version, it can use a 32-bit
processor. In either case, the design of constants makes procession very fast.

Simplicity and Cost

 The AES algorithms are such simple that even cheap processors can implement them. They
also make use of less memory.

BLOWFISH

Blowfish is a 64-bit block cipher invented by Bruce Schneier. Blowfish was designed for fast

19/52
ciphering on 32-bit microprocessors. Blowfish is also compact and has a variable key length which
can be increased to 448 bits.

Blowfish is suitable for applications where the key does not change frequently like communication
links or file encryptors. However, for applications like packet switching or as a one-way hash
function, it is unsuitable. Blowfish is not ideal for smart cards, which requires even more compact
ciphers. Blowfish is faster than DES when implemented on 32-bit microprocessors.

Round Structure

The algorithm is based on the Feistel structure and has two important parts: The round structure and the key
expansion function.

20/52
Key Scheduling Algorithm

The subkeys are computed using the following method:

1. The P-array and then the four S-Boxes are initialized with a fixed string. The string is the
hexadecimal digits of π.
2. P1 is XOR-ed with 32 bits of the key, P2 is XOR-ed with the next 32 bits of the key, and so on
for all the bits of the key. If needed the key bits are cycled to ensure that all the P- array
elements are XOR-ed.
3. An all-zero string is encrypted with the Blowfish algorithm, with the subkeys P1
to P18 obtained so far in steps 1 and 2.
4. P1 and P2 are replaced by the 64-bit output of step 3.
5. The output of step 3 is now encrypted with the updated subkeys to replace P3
and P4 with the ciphertext of step 4.
6. This process is continued to replace all the P-arrays and the S-Boxes in order.

This complex key-scheduling implies that for faster operations the subkeys should be precomputed
and stored in the cache for faster access.

Security analysis by Serge Vaudenay shows that for a Blowfish algorithm implemented with known
S-Boxes (note that in the original cipher the S-Boxes are generated during the encryption process)
and with r-rounds, a differential attack can recover the P-array with 28r+1 chosen plaintexts.

IDEA

IDEA is another block cipher. It operates on 64-bit data blocks and the key is 128 bit long. It was
invented by Xuejia Lai and James Massey, and named IDEA (International Data Encryption
Algorithm) in 1990, after modifying and improving the initial proposal of the cipher based on the
seminal work on Differential cryptanalysis by Biham and Shamir.

The design principle behind IDEA is the “mixing of arithmetical operations from different algebraic
groups”. These arithmetical operations are easily implemented both in hardware and software.

The underlying operations are XOR, addition modulo 216, multiplication modulo 210+1.

The cipher obtains the much-needed non-linearity from the latter two arithmetical operations and
does not use an explicit S-Box.

Round Transformation of IDEA The 64-bit data is divided into four 16-bit blocks: X1, X2,
X3, X4. These four blocks are processed through eight rounds and transformed by the above
arithmetical operations among each other and with six 16-bit subkeys. In each round the
sequence of operations is as follows:

21/52
 1. Multiply X1 and the first subkey.
2. Add X2 and the second subkey.
3. Add X3 and the third subkey.
4. Multiply X4 and the fourth subkey.
5. XOR the results of step 1 and 3.
6. XOR the results of step 2 and 4.
7. Multiply the results of steps 5 with the fifth subkey.
8. Add the results of steps 6 and 7.
9. Multiply the results of steps 8 with the sixth subkey.
10. Add the results of steps 7 and 9.
11. XOR the results of steps 1 and 9.
12. XOR the results of steps 3 and 9.
13. XOR the results of steps 2 and 10.
14. XOR the results of steps 4 and 10.

The outputs of steps 11, 12, 13 and 14 are stored in four words of 16 bits each, namely Y1, Y2, Y3
and Y4. The blocks Y2 and Y3 are swapped, and the resultant four blocks are the output of a round
of IDEA. It may be noted that the last round of IDEA does not have the swap step.

Instead the last round has the following additional transformations:

1.
Multiply Y1 and the first subkey.
2.
Add Y2 and the second subkey.
3. Add Y3 and the third subkey.
4.
Multiply Y4 and the fourth subkey.
Finally, the ciphertext is the concatenation of the blocks Y1, Y2, Y3 and Y4.

Key Scheduling of IDEA

 IDEA has a very simple key scheduling. It takes the 128-bit key and divides it into eight 16-
bit blocks.
 The first six blocks are used for the first round, while the remaining two are to be used for the
second round.
 Then the entire 128-bit key is given a rotation for 25 steps to the left and again divided into
eight blocks.
 The first four blocks are used as the remaining subkeys for the second round, while the
last four blocks are to be used for the third round.
 The key is then again given a left shift by 25 bits, and the other subkeys are obtained. The
process is continued till the end of the algorithm.
 For decryption, the subkeys are reversed and are either the multiplicative or additive inverse
of the encryption subkeys. The all zero subkey is considered to represent 216 = –1 for the
modular multiplication operation, mod 216 +1. Thus, the multiplicative inverse of 0 is itself, as
–1 multiplied with –1 gives 1, the multiplicative identity in the group.

22/52
  Computing these keys may have its overhead, but it is a onetime operation, at the beginning
of the decryption process.
 IDEA has resisted several cryptanalytic efforts. The designers gave argument to justify that
only 4 rounds of the cipher make it immune to differential cryptanalysis.
 Joan Daemen, Rene Govaerts and Joos Vandewalle showed that the cipher had certain keys
which can be easily discovered in a chosen plaintext attack.
 They used the fact that the use of multiplicative subkeys with the value of 1 or -1 gives rise to
linear factors in the round function.
 A linear factor is a linear equation in the key, input and output bits that hold for all possible
input bits.
 The linear factors can be revealed by expressing the modulo 2 sum of LSBs of the output
subblocks of an IDEA round in terms of inputs and key bits.

Block Cipher Modes of Operations

Mode Description Typical Application

Electric Codebook (ECB) Each block of 64 plaintext bits is  Secure transmission of
encoded independently single values (e.g., an
using the encryption key)
same key.
Cipher Block Chaining (CBC) The input to the encryption  General-purpose block-
algorithm is the XOR of the oriented transmission
next 64 bits of plaintext and  Authentication
the preceding 64 bits of
ciphertext.
Cipher Feedback (CFB) Input is processed s bits at a  General-purpose stream-
time. Preceding ciphertext oriented transmission
is used as input to the  Authentication
encryption algorithm to
produce pseudorandom
output, which is XORed
with plaintext to produce next
unit of ciphertext.
Output Feedback (OFB) Similar to CFB, except that the  Stream-oriented
input to the encryption transmission over noisy
algorithm is the preceding channel (e.g., satellite
DES encryption output, and communication)
full blocks are used.
Counter (CTR) Each block of plaintext is XORed  General purpose block-
with an encrypted counter. oriented transmission
The counter is incremented  Useful for high-speed
for each requirements
subsequent block.

Table 2.10 Block Cipher Modes of Operation

23/52
The DES algorithm is a basic building block for providing data security. To apply DES in a variety
of applications, five “modes of operation” have been defined. These five modes are intended to
cover virtually all the possible applications of encryption for which DES could be used. The modes
are summarized in Table 2.10 and described briefly in the remainder of this section.

Electronic Codebook Mode

The simplest mode is the electronic codebook (ECB) mode, in which plaintext is handled 64 bits at
a time and each block of plaintext is encrypted using the

Figure 2.17: Electronic Codebook (ECB) Mode

same key (Figure 2.17). The term codebook is used because, for a given key, there is a unique
ciphertext for every 64-bit block of plaintext. Therefore, we can imagine a gigantic codebook in which
there is an entry for every possible 64-bit plaintext pattern showing its corresponding ciphertext.

For a message longer that 64 bits, the procedure is s imply to break the message into 64-bit
blocks, padding the last block if necessary. Decryption is performed one block at a time, always
using the same key. In Figure 2.17, the plaintext (padded as necessary) consists of a sequence of
64-bit blocks, P1, P2, ..., PN; the corresponding sequence of ciphertext blocks is C1, C2, …., CN.

The ECB method is ideal for a short amount of data, such as an encryption key, thus,
if you want to transmit a DES key securely, ECB is the appropriate mode to use.

The most significant characteristic of ECB is that the same 64-bit block of plaintext, if it
appears more than once in the message, always produces the same ciphertext.

For lengthy messages, the ECB mode may not be secure. If the message is highly structured,
it may be possible for a cryptanalyst to exploit these regularities. For example, if it is known that
the message always starts out with certain predefined fields, then the cryptanalyst may have a
number of known plaintext-ciphertext pairs to work with. If the message has repetitive elements,
with a period of repetition a multiple of 64 bits, then these elements can be identified by the
analyst. This may help in the analysis or may provide an opportunity for substituting of
rearranging blocks.

24/52
Figure 2.18: Cipher Block Chaining (CBC) Mode

Figure 2.19: s-bit Cipher Feedback (CFB) Mode

25/52
Cipher Block Chaining Mode
To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext
block, if repeated, produces different ciphertext blocks. A simple way to satisfy this requirement is
the cipher block chaining (CBC) MODE (Figure 2.18). In this scheme, the input to the encryption
algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same
key is used for each block. In effect, we have chained together the processing of the sequence of
plaintext blocks. The input to the encryption function for each plaintext block bears no fixed
relationship to the plaintext block. Therefore, repeating patterns of 64 bits are not exposed.

For decryption, each cipher block is passed through the decryption algorithm. The result is
XORed with the preceding ciphertext block to produce the plaintext block.

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first
block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to
recover the first block of plaintext.

The IV must be known to both the sender and receiver. For maximum security, the IV should
be protected as well as the key. This could be done by sending the IV using ECB encryption. One
reason for protecting the IV is as follows: If an opponent is able to fool the receiver into using a
different value for IV, then the opponent is able to invert selected bits in the first block of plaintext.

Cipher Feedback Mode

The DES scheme is essentially a block cipher technique that uses 64-bit blocks. However, it is
possible to convert DES into a stream cipher, using either the cipher feedback (CFB) or the
output feedback mode. A stream cipher eliminates the need to pad a message to be an integral
number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted,
each character can be encrypted and transmitted immediately using a character-oriented stream
cipher.

One desirable property of a stream cipher is that the ciphertext bi of the same length as the
plaintext. Thus, if 8-bit characters are being transmitted, each character should be encrypted using
8 bits, if more than 8 bits are used, transmission capacity is wasted.

Figure 2.19 depicts the CFB scheme. In the Figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext are chained
together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext, in
this case, rather than units of 64 bits, the plaintext is divided into segment of s bits.

First, consider encryption. The input to encryption function is a 64-bit shift register that is
initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output
of the encryption function are XORed with the first segment of plaintext P1 to produce the
first unit of ciphertext C1, which is then transmitted. In addition, the contents of the shift register
are shifted left by s bits and C1 is placed in the rightmost (least significant) s bits of the shift
register, this process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit. Note that it is the
encryption function that is used, not the decryption function.

26/52
Output Feedback Mode
The Output Feedback (OFB) mode is similar in structure to that of CFB. For OFB, the output of
the encryption function is fed back to become the input for encrypting the next block of plaintext
(Figure 2.20). In CFB, the output of the XOR unit is fed back to become input for encrypting the
next block. The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, whereas CFB operates on an s-bit subset.

Figure 2.20 Output Feedback (OFB) Mode

As with CBC and CFB, the OFB mode requires an initialization vector. In the case of OFB, the IV
must be a nonce; that is, the IV must be unique to each execution of the encryption operation. The
reason for this is that the sequence of encryption output blocks, Oi, depends only on the key and
the IV and does not depend on the plaintext. Therefore, for a given key and IV, the stream of output
bits used to XOR with the stream of plaintext bits is fixed. If two different messages had an identical
block of plaintext in the identical position, then an attacker would be able to determine that portion
of the Oi stream.
One advantage of the OFB method is that bit errors in transmission do not propagate. For example,
if a bit error occurs in C1, only the recovered value of P1 is affected; subsequent plaintext units are
not corrupted. The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB.

Counter Mode
Figure 2.21 depicts the CTR mode. A counter equal to the plaintext block size is used. The only
requirement is that the counter value must be different for each plaintext block that is encrypted.
Typically, the counter is initialized to some value and then incremented by 1 for each subsequent
block (modulo 2b, where b is the block size). For encryption, the counter is encrypted and then
XORed with the plaintext block to produce the ciphertext block; there is no chaining. For decryption,
the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext
block to recover the corresponding plaintext block. Thus, the initial counter value must be made
available for decryption.

27/52
 Figure 2.21 Counter (CTR) Mode
Advantages of Counter Mode:
 Since there is a different counter value for each block, the direct plaintext and ciphertext
relationship is avoided. This means that the same plain text can map to different ciphertext.
 Parallel execution of encryption is possible as outputs from previous stages are not chained as
in the case of CBC.

28/52
 Number Theory
Cryptography is based on some specific areas of mathematics, including number theory, linear
algebra and algebraic structures.

Integer arithmetic

In integer arithmetic, we use a set and few operations.

Set of Integers: The set of integers, denoted by Z, contains all integral numbers (with no fraction)
from negative infinity to positive infinity. (Figure 2.1)

Figure 2.1 The set of integers

Integer Division

In integer arithmetic, if we divide a by n, we get q and r. The relationship between these four integers can
be shown as

In this relation, a is called the dividend; q, the quotient; n, the divisor; and r, the remainder.
Example:
Assume that a=255 and n=11. We can find q=23 and R=2 using the division algorithm.

Two Restrictions: For our purpose, we impose two restrictions. First, we require that the divisor be
a positive integer (n>0). Second, we require that the remainder be a non-negative integer (r ≥ 0).

Figure 2.2 Division algorithm for integers

Divisibility
If a is not zero and we let r = 0 in the division relation, we get
a = q × n

29/52
We say that n divides a. we can also say that a is divisible by n. when we are not interested in the

divide a and we can write the relationship as a ∤ n.

value of q, we can write the above relationship as a|n. If the remainder is not zero, then n does not

Properties:
• If a|1, then a = ±1.
• If a|b and b|a, then a = ±b.
• If a | b and b | c, then a | c
• If a|b and a|c, then a | (m×b + n×c) where m and n are arbitrary integers.

Example:
a. Since 3|15 and 15|45, according to third property, 3|45
b. Since 3|15 and 3|9, according to fourth property, 3| (15×2+9×4), which means 3|66

Greatest Common Divisor (gcd)

One integer often needed in cryptography is the greatest common divisor of two positive integers.
Two positive integers may have many common divisors, but only one greatest common divisor.

Figure 2.3 Common divisors of two integers

Note: The greatest common divisor of two positive integers is the largest integer that can divide both
integers

Euclidean Algorithm

Finding the greatest common divisor (gcd) of two positive integers by listing all common divisors is
not practical when two integers are large.

The Euclidean algorithm is based on the following two facts:

Fact 1: gcd (a, 0) = a

Fact 2: gcd (a, b) = gcd (b, r), where r is the remainder of dividing a by b

The first fact tells us that if the second integer is 0, the greatest common divisor is the first
one. The second fact allows us to change the value of a, b until b becomes 0.

gcd (36, 10) = gcd(10, 6) = gcd(6, 4) = gcd(4, 2) = gcd(2, 0) = 2

30/52
 Figure 2.4 Euclidean Algorithm

 We use two variables r1 and r2, to hold the changing values during the process of reduction.
They are initialized to a and b.
 In each step, we calculate the remainder of r1 divided by r2 and store the result in the variable
r. we then replace r1 by r2 and r2 by r.
 The steps are continued until r2 becomes 0. At this moment, we stop. The gcd (a, b) is r1.

When gcd (a, b) = 1, we say that a and b are relatively prime

Example: Find the greatest common divisor of 2740, 1760

Solution: We have gcd (2740, 1760) = 20.

Example: Find the greatest common divisor of 25 and 60.

Solution: We have gcd (25, 60) = 5.

31/52
The Extended Euclidean Algorithm

Given two integers a and b, we often need to find other two integers, s and t, such that

gcd(a, b) = (s × a) + (t × b)

The Extended Euclidean algorithm can calculate the gcd (a, b) and at the same time calculate the
value of s and t. The algorithm and the process is shown below diagram.

Figure 2.5 Extended Euclidian Algorithm

Example:
Using the extended Euclidean algorithm, find the greatest common divisor of the following pairs
and the value of s and t.
a) 161 and 28 b) 4 and 7 c) 291 and 42
d) 84and 320 e) 400 and 60 f) 17 and 0
g) 0 and 45
Solution to a):
We get gcd (161, 28) = 7,s = −1 and t = 6.
r = r1 – q × r2 s = s1 - q × s2 t = t1 - q × t2

32/52
Solution to f):
We get gcd (17, 0) = 17, s = 1, and t = 0.

Solution to g):
We get gcd (0, 45) = 45, s = 0, and t = 1.

Modular Arithmetic

 The division relationship (a=q × n + r) has two inputs (a and n) and two outputs (q and r).
 In modular arithmetic, we are interested in only one of the outputs, the remainder r. We
don't care about the quotient q.
 In other words, we want to know what is the value of r when we divide a by n.
 This implies that we can change the above relation into a binary operator with two inputs a
and n and one output r.

Modulo Operator
 The above-mentioned binary operator is called the modulo operator and is shown as mod.
 The second input (n) is called the modulus. The output r is called the residue.
 The below figure shows, the modulo operator (mod) takes an integer (a) from the set z and a
positive modulus (n). The operator creates a nonnegative residue (r). We can say a mod n = r

Figure 2.6 Division relation and modulo operator

Example:
Find the result of the following operations:
a. 27 mod 5

33/52
 b. 36 mod 12
c. -18 mod 14
d. -7 mod 10

Solution:

Set of Residues: Zn
 The result of modulo operation with modulus n is always an integer between 0 and n-1.
 In other words, the result of a mod n is always a nonnegative integer less than n.
 We can say that modulo operation creates a set, which in modular arithmetic is referred to
as the set of least residues modulo n, or Zn.
 We have infinite instances of the set of residues (Zn), one for each value of n.
 The below figure shows the set Zn and three instances, Z2, Z6, and Z11.

Figure 2.7 Some Zn sets

Congruence
 In Cryptography, we often used the concept of congruence instead of equality.
 Mapping from Z to Zn is not one-to-one.
 For example, the result of 2 mod 10 = 2, 12 mod 10 = 2, 22 mod 10 = 2, and so on.
 In Modular arithmetic, integers like 2, 12, and 22 are called congruent mod 10.
 To show that two integers congruent, we use the congruence operator (≡).
 We add the phrase (mod n) to the right side of the congruence to define the value of modulus
that makes the relationship valid. For example, we write:

2 mod 10 = 12 mod 10 → 2 ≡ 12 mod 12 We

need to explain several points.

 The congruence operator looks like the equality operator, but there are differences. First,
an equality operator maps a member of Z to itself; the congruence operator maps a member
from

34/52
 Z to member of Zn. Second, the equality operator is one-to-one; the congruence operator is
many-to-one.
 The phrase (mod n) that we insert at the right-hand-side of the congruence operator is just
an indication of the destination set (Zn).

Figure 2.8 Concept of congruence

Residue classes
 A residue calss [a] or [a]n is the set of integers congruent modulo n. In other words, it is the
set of all integers such that x = a (mod n). For example, if n=5, we have five sets [0], [1], [2],
[3], and [4] as shown below:

 The integers in the set [0] are all reduced to 0 when we apply modulo 5 operation on them.
The integers in the set [1] are all reduced to 1 when we apply modulo 5 operation, and so
on.
 In each set, there is one element called the least (non-negative) residue.
 In the set [0], this element is 0; in the set [1], this element is 1; and so on.
 The set of all of these least residues is what we have shown as Z5 = {0, 1, 2, 3, 4}.
 In other words, the set Zn is the set of all least residue modulo n.

Operations in Zn:
Example:
Perform the following operations (the inputs come from Zn):
a. Add 7 to 14 in Z15
b.
Subtract 11 from 7 in Z13.
c.
Multiply 11 by 7 in Z20.

Solution:
(14+7) mod 15 → (21) mod 15 = 6
(7-11) mod 13 → (-4) mod 13 = 9
(7*11) mod 20 → (77) mod 20 = 17

35/52
Properties of mod operator

Modular arithmetic exhibits the following properties:

1. [ (a mod n) + (b mod n) ] mod n = (a + b) mod n

2. [ (a mod n) - (b mod n) ] mod n = (a - b) mod n
3. [ (a mod n) * (b mod n) ] mod n = (a * b) mod n

Inverses
 When we are working in modular arithmetic, we often need to find the inverse of a number
relative to an operation.
 We are normally looking for an additive inverse or a multiplicative
inverse. Additive inverse
 In Zn, two numbers a and b are additive inverses of each other if a + b ≡ 0 (mod n)
 In Zn, the additive inverse of a can be calculated as b = n - a. For example, the additive
inverse of 4 in Z10 is 10 – 4 = 6.
In modular arithmetic, each integer has an additive inverse. The sum of an integer and its additive
inverse is congruent to 0 modulo n.
Note that in modular arithmetic, each number has an additive inverse and the inverse is unique;
each number has one and only one additive inverse. However, the inverse of the number may be
the number itself.

Example:
Find additive inverse pairs in Z10.

Solution:

Multiplicative Inverse
 In Zn, two numbers a and b are multiplicative inverses of each other if
a × b ≡ 1 (mod n)

36/52
  For example, if the modulus is 10, then the multiplicative inverse of 3 is 7. In other words,
we have (3 × 7) mod 10 = 1.

In modular arithmetic, an integer may or may not have a multiplicative inverse. When it does, the
product of the integer and its multiplicative inverse is congruent to 1 modulo n.

It can be proved that a has a multiplicative inverse in Zn if and only if gcd (n, a) = 1. In this case,
a and n are said to be relatively prime.

Example:
Find the multiplicative inverse of 8 in Z10.

Solution:
There is no multiplicative inverse because gcd (10,8) = 2 ≠ 1. In other words, we cannot find any
other between 0 and 9 such that when multiplied by 8, the result is congruent to 1.

Example:
Find all multiplicative inverses in Z10.

Solution:

Example:
Find all multiplicative inverse pairs in Z11.

Solution:

The integer a in Zn has a multiplicative inverse if and only if gcd (n, a) ≡ 1 (mod n)

The extended Euclidean algorithm we can find the multiplicative inverse of b in Zn when n and b
are given and inverse exists.

To show this, let us replace the first integer a with n (the modulus). We can say that the algorithm
can find s and t such s × n + b × t = gcd (n, b).

However, if the multiplicative inverse of b exists, gcd (n, b) must be 1. So the relationship is

(s × n) + (b × t) = 1

Now we apply the modulo operator to both sides. In other words, we map each side to Zn. We will
have

37/52
The extended Euclidean algorithm finds the multiplicative inverses of b in Zn when n and b are
given and gcd (n, b) = 1.
The multiplicative inverse of b is the value of t after being mapped to Zn.

Figure 2.9 using the extended Euclidean algorithm to find the multiplicative inverse

Figure 2.9 shows how we find the multiplicative inverse of a number using the extended Euclidean
algorithm.

Example:
Find the multiplicative inverse of 11 in Z26.

Solution:
We use a table similar to the one we used before with r1 = 26, r2 = 11. We are interested only in the
value of t.

38/52
The gcd (26, 11) is 1, which means that the multiplicative inverse of 11 exists. The extended
Euclidean algorithm gives t1 = -7. The multiplicative inverse is (-7) mod 26 = 19. In other words, 11
and 19 are multiplicative inverse in Z26. We can see that (11 × 19) mod 26 = 209 mod 26 = 1.

Example:
Find the multiplicative inverse of 23 in Z100.

Solution:

Example:
Find the inverse of 12 in Z26.

Solution:

Addition and Multiplication Tables

 Figure 2.10 shows two tables for addition and multiplication.
 In addition table, each integer has an additive inverse. The inverse pairs can be found
when the result of addition is zero. ( (a + b) mod 10 = 0)
 In multiplication table, we have only three multiplicative pairs (1, 1), (3, 7), (9, 9). The pairs
can be found whenever the result of multiplication is 1. ( (a * b) mod 10 = 1)

39/52
 Figure 2.10 Addition and multiplication tables for Z10

Different Sets for Addition and Multiplication:

We need to use Zn when additive inverses are needed; we need to use Zn* when multiplicative inverses
are needed.

Figure 2.11 Some Zn and Zn* sets

Two more sets

 The set Zp is same as Zn except that n is prime. Zp contains all integers from 0 to p-1. Each
member in Zp has an additive inverse; each member except 0 has a multiplicative inverse.
 The set Zp* is same as Zn* except that n is prime. Zp* contains all integers from 1 to p-1. Each
member in Zp * has an additive and multiplicative inverse.
 The following shows these two sets when p=13
Z13 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
Z13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

Primes

Definition

The positive integers can be divided into three groups

1. The number 1
2. Primes
3. Composites
As shown in figure 2.12.

40/52
 Figure 2.12 Three groups of positive integers

Example:
What is the smallest prime?

The smallest prime is 2, which is divisible by 2 (itself) and 1.

Example:
List the primes smaller than 10.

There are four primes less than 10: 2, 3, 5, and 7. It is interesting to note that the percentage of
primes in the range 1 to 10 is 40%. The percentage decreases as the range increases.

Coprime or relatively prime

Two positive integers, a and b, are relatively prime or coprime, if gcd (a, b) = 1.

Cardinality of Primes

Infinite number of primes the number of primes is infinite.

Number of primes
We can use infinite Number of Primes.

π(n) is the number of primes less than or equal to n. π is not similar to mathematics π.

The primes under 25 are 2, 3, 5, 7, 11, 13, 17, 19 and 23 so π(3) = 2, π(10) = 4 and π(25) = 9.

Euler’s Phi-Function (or) Euler’s totient function

Euler’s phi-function, (n), which is sometimes called the Euler’s totient function, plays a very
important role in cryptography. The function finds the number of integers that are both smaller
than n and relatively prime to n.
The following helps to find (n)
1. (1) = 0
2. (p) = p - 1 if p is a prime
3. (m x n) = (m) x (n) if m and n are relatively prime
4. (pe) = pe - pe-1 if p is a prime

The difficulty of finding (n) depends on the difficulty of finding the factorization of n.

Example:
What is the value of (13)?

41/52
Because 13 is a prime, (13) = (13-1) = 12

Example:
What is the value of (10)?

We can use the third rule: (10) = (2) x (5) = 1 x 4 = 4, [ ∵ 2 and 5 are primes].

Example:
What is the value of (240)?

We can write 240 = 24 x 31 x 51. Then

(240) = (24 - 23) x (31 - 30) x (51 - 50) = 64

Example:
Can we say that (49) = (7) x (7) = 6 x 6 = 36?

No. the third rule applies when m and n are relatively prime. Here 49 = 72. We need to use the fourth
rule: (49) = 72 – 71 = 42.

Example:
What is the number of elements in Z14*?

The answer is (14) = (7) x (2) = 6 x 1 = 6. The members are 1, 3, 5, 9, 11, and 13.

Example:

Φ(21) = (3-1) * (7-1) = 2 * 6 = 12

Where the 12 integers are {1, 2, 4, 5,8,10, 11, 13, 16, 17, 19, 20}

The interesting point: if n > 2, the value of (n) is even.

Example:
Find the value of φ(29), φ(32), φ(80), φ(100) and φ(101).

a. φ(29) = 29 − 1 = 28 (29 is a prime)

b. φ(32) = φ(25 ) = 25 − 24 = 16 (2 is a prime)
c. φ(80) = φ(24 × 51) = (24 − 23) × (51 − 50 ) = 8 × 4 = 32 (2 and 5 are primes)
d. φ(100) = φ(22 × 52) = (22 − 21) × (52 − 51) = 2 × 20 = 40 (2 and 5 are primes)
e. φ(101) = 101 − 1 = 100 (101 is a primes)

Fermat’s little theorem

Fermat’s little theorem plays a very important role in number theory and cryptography. We
introduce two versions of the theorem here.

First version The first version says that if p is a prime and a is an integer such that p does
not divide a, then ap-1 ≡ 1 mod p.

42/52
Second version The second version removes the condition on a. It says that if p is a prime and
a is an integer, then ap ≡ a mod p.

Example:
Find the result of 610 mod 11.

We have 610 mod 11 = 1. This is the first version of Fermat’s little theorem where
p = 11.

610 mod 11 = 1 mod 11 = 1

Example:
Find the result of 312 mod 11.

Here the exponent (12) and the modulus (11) are not the same. With substitution this can be solved
usingFermat’s little theorem.

312 mod 11 = (3 * 311) mod 11 = [ (3 mod 11) * (311 mod 11) = (3 * 3) mod 11 = 9

Multiplicative Inverses
if the modulus is a prime. If p is a prime and a is an integer such that p does not divide a (p ∤ a)
A very interesting application of Fermat’s theorem is in finding some multiplicative inverses quickly

then a-1 mod p = ap-2 mod p.

Take Fermat’s little theorem first version and divide with a on both sides then,

(𝑎𝑝−1 𝑚𝑜𝑑 𝑝)
= 1 𝑚𝑜𝑑
𝑎 𝑝
𝑎

⇒ 𝑎𝑝−2 𝑚𝑜𝑑 𝑝 = 𝑎−1 𝑚𝑜𝑑 𝑝

This application eliminates the use of extended Euclidian algorithm for finding some multiplicative
inverses.

Example:
The answers to multiplicative inverses modulo a prime can be found without using the extended
Euclidean algorithm:

Example:
How to calculate multiplicative inverse of 5 modulo 23 that is 5-1 mod 23?

Solution:
5-1 mod 23 = 523-2 mod 23 (Ref: a-1 mod p= ap-2 mod p) 523-2 mod 23 = 521 mod 23
Calculate following to solve 521 mod 23:
51 mod 23 = 5

43/52
52 mod 23 = 25 mod 23 = 2

44/52
 54 mod 23 = (52)2 mod 23= (2)2 mod 23 = 4
58 mod 23 = (54)2 mod 23 (4)2 mod 23 =16
516 mod 23 = (58)2 mod 23 = (16)2 mod 23 = 256 mod 23 = 3
521 mod 23 = (516 x 54 x 51) mod 23 = (3 x 4 x 5) mod 23 = 60 mod 23 = 14 mod 23.
Finally, 5-1 mod 23 = 521 mod 23 = 14 mod 23 = 14

Euler’s theorem

First version if a and n are coprime, then a (n) ≡ 1 mod n

Second version if n = p x q, a < n, and k an integer, then a (n)+1 ≡ a mod n

The second version of Euler’s theorem is used in the RSA cryptosystem

Exponentiation Euler’s theorem sometimes is helpful for quickly finding a solution to

some exponentiations. The following examples show the idea.

Example:
Find the result of 624 mod 35.

Solution:
We have 624 mod 35 = 6 (35) mod 35 = 1

Example:
Find the result of 2062 mod 77.

Solution:

If we let k=1 on the second version, we have 2062 mod 77 = (20 mod 77) (20 (77)+1 mod 77) mod 77
= (20)(20) mod 77 = 15.

45/52
Chinese Remainder Theorem

The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with one variable
but different moduli, which are relatively prime, as shown below:

x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
…
…
x ≡ ak (mod mk)

The Chinese remainder theorem states that the above equations have a unique solution if the
moduli are relatively prime.

Solution steps:

The solution to the set of equations follow these steps:

1. Find M = m1 * m2 * … * mk. This is common modulus.

2. Find M1 = M/m1, M2 = M/m2, … Mk = M/mk.
3. Find the multiplicative inverse of M1, M2, … Mk using the corresponding moduli (m1, m2, …
mk).
Call the inverses M1-1, -1 M2-1, … Mk-1.
4. The solution to the simultaneous equation is

x = [ (a1 * M1 * M1-1) + (a2 * M2 * M2-1) + … + (ak * Mk * Mk-1) ] mod M

Note that the set of equations can have a solution even if the moduli are not relatively prime
but meet other conditions. However, in cryptography, we are only interested in solving equations
with coprime moduli.

46/52
Example:
Find the solution to the simultaneous equations:

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 2 (mod 7)

Solution:

47/52
Example:
Find an integer that has a remainder of 3 when divided by 7 and 13, but is divisible by 12.

Solution:
This is a CRT problem. We can form three equations and solve then to find the value of x.

x ≡ 3 (mod 7)
x ≡ 3 (mod 13)
x ≡ 0 (mod 12)

Exercise:
Find the value of x for the following sets of congruence using the Chinese remainder theorem

a. x ≡ 2 mod 7, and x ≡ 3 mod 9

b. x ≡ 4 mod 5, and x ≡ 10 mod 11
c. x ≡ 7 mod 13, and x ≡ 11 mod 12

48/52
Solution:

Discrete logarithms

Primitive root

(https://www.youtube.com/watch?v=DKy98FWHwdg&list=PLBlnK6fEyqRgJU3EsOYDTW7m6SU
mW6kII&index=43 )

Definition:
A number ‘a’ is a primitive root modulo n if every number coprime to n is congruent to a power of ‘a’
modulo n.

Definition made easy:

‘a’ is said to be a primitive root of prime number ‘p’, if a1 mod p, a2 mod p, a3 mod p, …, ap-1 mod p are
distinct.

Example:
Is 2 a primitive root of a prime number 5?

Solution:
21 mod 5 22 mod 5 23 mod 5 24 mod 5
2 4 3 1

Yes, 2 is a primitive root of 5.

Example:
Is 2 a primitive root of prime number 7?

Solution:
21 mod 7 22 mod 7 23 mod 7 24 mod 7 25 mod 7 26 mod 7
2 4 1 2 4 1

No, 2 is not a primitive root of 7.

49/52
Example:
Is 3 a primitive root of prime number 7?

Solution:
31 mod 7 32 mod 7 33 mod 7 34 mod 7 35 mod 7 36 mod 7
3 2 6 4 5 1

Yes, 3 is a primitive root of 7.

Example:
Let us observe finding all primitive roots of prime number 19.

The table shows all the powers of a, modulo 19 for all positive a < 19. The length of the
sequence for each base value is indicated by shading. From this table primitive roots of 19 are 2,
3, 10, 13, 14, 15.

Table: Powers of integers Modulo 19

Understanding discrete logarithm problem (https://www.youtube.com/watch?

v=za9azzh4v9A&list=PLBlnK6fEyqRgJU3EsOYDTW7m6SUmW 6kII&index=50 )

Before understanding what is discrete logarithm problem, let us see an analogy.

To make a coffee we need milk and coffee powder. Just think of reverse situation. You are
given with coffee and you are asked to estimate the exact quantity of milk and coffee powder used
to prepare it. Which is certainly a difficult task. So, it is not easy in the reverse direction.

50/52
5x mod 17 ≡ y (0 < x < 19) gives unique results and 5 is called primitive root (or) generator
and the exponent x is referred to as the discrete logarithm of the number y for the base 5 mod
17.

If we want to compute 5x mod 17 it is easy to do it but think of the reverse situation.

5x mod 17 = 12, then finding the value of x that resulted the value 12 is difficult because x can be
9, 25, 41, 57, 73 as

59 mod 17 ≡ 12
525 mod 17 ≡ 12
541 mod 17 ≡ 12
557 mod 17 ≡ 12
573 mod 17 ≡ 12
gx mod p is easy to find
2x mod 7 = 4; x = 2, 5, ect.,
For smaller value of ‘p’ is may be easy to find x
If ‘p’ is large, then the time and effort to find ‘x’ is very hard
The strength of one-way function is depending on how much time it takes to break it.

Solved example in discrete logarithm problem (https://www.youtube.com/watch?

v=yKNTfeqSEhc&list=PLBlnK6fEyqRgJU3EsOYDTW7m6SUmW 6kII&index=50 )

Solve log2 9 𝑚𝑜𝑑 11

Example:

The given problem is in the form of 𝐥𝐨𝐠𝒂 𝒙 𝒎𝒐𝒅 𝒑

Solution:
where p = 11, a = 2 and x

= 9. The equation to solve this problem is

𝐥𝐨𝐠𝒂 𝒙 𝒎𝒐𝒅 𝒑 ≡ n mod p

⇒ x ≡ an mod p
Substitute the values
9 ≡ 2n mod 11
and we are required to find the exponent n that satisfies the equation.
try ‘n’ = 1, 2, 3, … up to some numbers so that this particular congruent equation is satisfied.
the equation satisfies for n = 6.

Example:
Given 2 as a primitive root of 19, construct a table of discrete logarithms.

Solution:
a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
a ≡ 2n mod 19
18 1 13 2 16 14 6 3 8 17 12 15 5 7 11 4 10 9
(Finding n value)

51/52
Exercise:
Find x in each of the following cases:
a. 4 ≡ 3x (mod 7)
b. 6 ≡ 5x (mod 7)
c. 4 ≡ 2x (mod 7)

52/52