IV054: Coding, Cryptography and Cryptographic Protocols
Exercise Book II.

Jozef Gruska, Lukáš Boháč, Libor Caha, Luděk Matyska, Matej Pivoluska
Faculty of Informatics, Masaryk University, Brno
December 2019

Preface

This booklet is an extension and continuation of the lecture notes entitled "IV054: Coding, Cryptography and Cryptographic Protocols, Exercise Book" by Jozef Gruska, Lukáš Boháč, Luděk Matyska, and Matej Pivoluska, which were put into general use at FI MU in 2016, especially for students of the course IV054 — Coding, Cryptography and Cryptographic Protocols.

The first part of these lecture notes contains new and more illuminating exercises, together with their solutions, for the first ten lectures of the course IV054, which are covered in practically every year the course is held. The second part presents short introductions to the last three chapters of the course, which have so far not been accompanied by homework, together with several exercises on those subjects and their solutions. In these three new chapters the emphasis is mainly on the history of cryptography in a broad sense, on applications, and on the use of quantum phenomena to process information, especially in quantum cryptography. Quantum cryptography is a booming area that requires special knowledge and expertise; its basics are presented in this booklet.

The main goal of these lecture notes is again to help future students of the Faculty of Informatics, especially those concentrating on the very attractive area of security, and in particular to help students of the course IV054. The collective of authors consists of prof. Jozef Gruska, who has been giving the course for many years, and co-authors chosen from among the best students of the course in recent years, especially for their handling of its exercises.

These lecture notes are again a product of the project MUNI/FR/1192/2018 of Masaryk University, whose support is gratefully acknowledged.

The authors, December 2019

Contents 1 Basics of Coding Theory 1 1.1 Introduction . . . . . . . . 1 1.1.1 Noiseless coding . . . . . . . . 1 1.1.2 Error correcting codes . . . . . . . . 2 1.2 Exercises . . . . . . . . 3 1.3 Solutions . . . . . . . . 7 2 Linear Codes 17 2.1 Introduction . . . . . . . . 17 2.1.1 Basic properties . . . . . . . . 17 2.1.2 Encoding and decoding with linear codes . . . . . . . . 18 2.1.3 Hamming codes . . . . . . . . 18 2.2 Exercises . . . . . . . . 19 2.3 Solutions . . . . . . . . 23 3 Cyclic Codes 33 3.1 Introduction . . . . . . . . 33 3.1.1 Polynomials over GF(q) . . . . . . . . 33 3.1.2 Rings of polynomials . . . . . . . . 33 3.1.3 Algebraic characterization of cyclic codes . . .
. . . . . . . . . . . . 34 3.1.4 Check polynomials and parity check matrices for cyclic codes . . . . . . . . . 34 3.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4 Secret Key Cryptosystems 49 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 4.1.1 Basics of the design and analysis of cryptosystems . . . . . . . . . . . . . . . 49 4.1.2 Basic classical secret-key cryptosystems . . . . . . . . . . . . . . . . . . . . . 50 4.1.3 Product cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.1.4 Perfect secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.1.5 Unicity distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 5 Public-Key Cryptography, I. 65 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 5.1.1 Diffie-Hellman protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 5.1.2 Blom’s key pre-distribution protocol . . . . . . . . . . . . . . . . . . . . . . . 65 5.1.3 Knapsack cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 5.1.4 McEliece cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 5.1.5 RSA cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 5.1.6 Rabin-Miller’s prime recognition . . . . . . . . . . . . . . . . . . . . . . . . . 67 iii CONTENTS iv 5.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 5.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 6 Public-Key Cryptography, II. 78 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 6.1.1 Rabin Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 6.1.2 ElGamal cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 6.1.3 Shanks’ algorithm for discrete logarithm . . . . . . . . . . . . . . . . . . . . . 78 6.1.4 Perfect security of cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . 79 6.1.5 Blum-Goldwasser cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . 79 6.1.6 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 6.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 6.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 7 Digital Signatures 94 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 7.1.1 Signature schemes – basic ideas and goals . . . . . . . . . . . . . . . . . . . . 94 7.1.2 Digital signature scheme – definition . . . . . . . . . . . . . . . . . . . . . . . 94 7.1.3 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 7.1.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 7.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 7.3 Solutions . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 8 Elliptic Curve Cryptography 106 8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 8.1.1 Elliptic curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 8.1.2 Group structure and addition law . . . . . . . . . . . . . . . . . . . . . . . . . 106 8.1.3 Elliptic curve cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 8.1.4 Factorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 8.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 8.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 9 Identification, Authentication and Secret Sharing 120 9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 9.1.1 User identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 9.1.2 Message authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 9.1.3 Secret sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 9.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 9.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 10 Coin Tossing, Bit commitment, Oblivious Transfer, Zero-knowledge Proofs and Other Crypto-protocols 136 10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 10.1.1 Coin-flipping protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 10.1.2 Bit commitment protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 10.1.3 Oblivious transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 10.1.4 Interactive and zero-knowledge proofs . . . . . . . . . . . . . . . . . . . . . . 137 10.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 10.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 CONTENTS v 11 Steganography and Watermarking 150 11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 11.1.1 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 11.1.2 Watermarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 11.1.3 Parameters of stego- and watermarking systems . . . . . . . . . . . . . . . . . 151 11.1.4 Breaking cryptography, steganography, and watermarking systems . . . . . . 152 11.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 11.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 12 Quantum cryptography 160 12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 12.1.1 Basics of quantum mechanics . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 12.1.2 Quantum cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 12.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 12.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 13 From Theory to Practice in Cryptography 175 13.1 Introduction . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 13.1.1 Linear-feedback shift registers . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 13.1.2 Confusion and diffusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 13.1.3 Feistel encryption/decryption scheme . . . . . . . . . . . . . . . . . . . . . . 176 13.1.4 DES cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 13.1.5 Operational modes of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 13.1.6 AES cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 13.1.7 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 13.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 13.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 A 186 A.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 A.2 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 A.3 Central concepts and principles of modern cryptography . . . . . . . . . . . . . . . . 186 A.4 Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 A.4.1 Groups Zn and Z∗ n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 A.4.2 Order of the group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 A.4.3 Properties of the group Zn . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 A.5 Rings and fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 A.5.1 Finite fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 A.6 Arithmetics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 A.6.1 Ceiling and floor functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 A.6.2 Modulo operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 A.6.3 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 A.6.4 Euclid algorithm for GCD - I. . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 A.6.5 Extended Euclid algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 A.7 Basics of the number theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 A.7.1 Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 A.7.2 Chinese Remainder Theorem (CRT) . . . . . . . . . . . . . . . . . . . . . . . 190 A.7.3 Euler totient function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 A.7.4 Euler and Fermat Theorems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 A.7.5 Discrete logarithms and square roots . . . . . . . . . . . . . . . . . . . . . . . 191 A.7.6 Quadratic residues and nonresidues . . . . . . . . . . . . . . . . . . . . . . . . 192 A.7.7 Blum integers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Chapter 1 Basics of Coding Theory 1.1 Introduction Coding theory aims to develop systems and methods to transmit information through communication channels efficiently and reliably. 
Formally, a communication channel is described by a triple (Σ, Ω, p), where Σ is an input alphabet, Ω is an output alphabet, and p is a probability distribution on Σ × Ω such that, for i ∈ Σ and o ∈ Ω, p(i, o) is the probability that the output of the channel is o if the input is i. Some examples of important channels are:

• Binary symmetric channel: with a fixed probability p0 each binary input is mapped into the opposite one, i.e. Σ = Ω = {0, 1}, p(0, 1) = p(1, 0) = p0 and p(0, 0) = p(1, 1) = 1 − p0.

• Binary erasure channel: with a fixed probability p0 each binary input is transmitted without an error, and with probability 1 − p0 an erasure occurs, i.e. Σ = {0, 1}, Ω = {0, 1, e}, where e is called the erasure symbol, and p(0, 0) = p(1, 1) = p0, p(0, e) = p(1, e) = 1 − p0.

• A noiseless channel maps inputs into outputs without an error, i.e. Σ = Ω and ∀ i ∈ Σ, p(i, i) = 1.

A code C over an alphabet Σ is a subset of Σ* (the set of all strings over the alphabet Σ). A q-ary code is a code over an alphabet of q symbols, and a binary code is a code over the alphabet {0, 1}. The goals of coding differ for noisy and noiseless channels.

1.1.1 Noiseless coding

The main goal of noiseless coding is to send information through a noiseless channel as efficiently as possible. Here we model the information to be sent by a random variable X taking values x ∈ X with probability p(x). The information content (in bits) of X can be expressed by the Shannon entropy:

S(X) = −∑_{x∈X} p(x) log_2 p(x).  (1.1)

Shannon's noiseless coding theorem says that in order to transmit n values of X we need at least nS(X) bits. An example of an optimal code for noiseless coding is a Huffman code.

Huffman coding. Given is a source S_n consisting of n objects x_1, . . . , x_n with probabilities p_1 ≥ · · · ≥ p_n. The Huffman code is designed as follows:

1. Replace x_{n−1}, x_n with a new object y_{n−1} (thus creating a source S_{n−1}) with probability p_{n−1} + p_n and rearrange the sequence so that the probabilities are again non-increasing. Keep repeating this step until only two objects are left.

2. The optimal prefix code for two objects encodes the first object as 0 and the second object as 1. The code for more objects is constructed by repeatedly applying the following procedure: if C = {c_1, . . . , c_r} is an optimal prefix code for a source S_r, then C′ = {c′_1, . . . , c′_{r+1}} is an optimal code for S_{r+1}, where c′_i = c_i for 1 ≤ i ≤ r − 1 and c′_r = c_r1, c′_{r+1} = c_r0.

1.1.2 Error correcting codes

The goal of error correcting codes is to encode information sent over a noisy channel in such a way that errors can be corrected, or at least detected. A simple example is the International Standard Book Number (ISBN) code, which is a 10-digit number x_1, . . . , x_10 such that the first 9 digits encode the language, the publisher and the serial number of the book, while the last digit is used as a checksum, so that

∑_{i=1}^{10} (11 − i)·x_i ≡ 0 mod 11.

The check digit x_10 is written as X if its value is 10. This code can detect any single digit error and also any single transposition error.

In this chapter we deal only with block codes — all the codewords have the same length — and we want to transmit a message through a binary symmetric channel. The closeness of two words x, y is formalized through the Hamming distance h(x, y), which is equal to the number of symbols in which the words x and y differ. An important parameter of a code is its minimal distance, defined as

h(C) = min{h(x, y) | x, y ∈ C, x ≠ y}.  (1.2)
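To make these notions concrete, the following short Python sketch (an illustration added here, not part of the course text; the function names are ours) computes the Hamming distance and the minimal distance of a small block code. The code C used below is the one from Exercise 1.6.

from itertools import combinations

def hamming_distance(x, y):
    # number of positions in which the words x and y differ
    return sum(a != b for a, b in zip(x, y))

def minimal_distance(code):
    # h(C): the smallest distance between two distinct codewords
    return min(hamming_distance(x, y) for x, y in combinations(code, 2))

C = ["10001", "11010", "01101", "00110"]     # the code from Exercise 1.6
d = minimal_distance(C)
print(d)             # 3
print(d - 1)         # up to s = d - 1 errors can be detected
print((d - 1) // 2)  # up to t = (d - 1) // 2 errors can be corrected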
For decoding we use the so-called nearest neighbor decoding strategy, which says that the receiver should decode a received word w′ as the codeword w that is closest to w′. With this error correcting strategy we can formulate the basic error correcting theorem:

• A code C can detect up to s errors if h(C) ≥ s + 1, and
• A code C can correct up to t errors if h(C) ≥ 2t + 1.

An (n, M, d)-code C is a code such that
• n is the length of the codewords;
• M is the number of codewords;
• d is the minimum distance of C.

A good (n, M, d)-code has small n, large M and large d. Let us denote by Aq(n, d) the largest M such that there is a q-ary (n, M, d)-code. An important upper bound on Aq(n, d) is called the sphere packing bound: if C is a q-ary (n, M, 2t + 1)-code, then

$M\left(\binom{n}{0} + \binom{n}{1}(q-1) + \cdots + \binom{n}{t}(q-1)^t\right) \le q^n$.  (1.3)

A code that attains equality in the sphere packing bound is called a perfect code. Two q-ary codes are equivalent if one can be obtained from the other by a combination of operations of the following types:
• a permutation of the positions of the code;
• a permutation of the symbols appearing in a fixed position.

1.2 Exercises

1.1. Which of the following codes is a Huffman code for some probability distribution?
(a) {0, 10, 11}.
(b) {00, 01, 10, 110}.
(c) {01, 10}.

1.2. Assume a source X sends messages A, B, C, D with the following probabilities:
symbol probability
A 0.8
B 0.1
C 0.05
D 0.05
(a) Calculate the entropy of the source X.
(b) Design the Huffman code for the source X. Determine the average number of bits used per symbol.
(c) Assume that the source sends sequences of thousands of messages and that the probability of each symbol occurring is independent of the symbols that have been sent previously. Find a way to modify the design of the Huffman code so that the average number of bits used per source symbol decreases to a value no greater than 110% of the source entropy. Design a code using this modification and determine the average number of bits per symbol achieved.

* 1.3.
(a) Prove for any binary Huffman code that if the most probable message symbol has probability p1 > 2/5, then that symbol must be assigned a codeword of length 1.
(b) Prove for any binary Huffman code that if the most probable message symbol has probability p1 < 1/3, then that symbol must be assigned a codeword of length ≥ 2.

1.4.
(a) Consider the ISBN number 0486x00973. Determine x. Which book has this ISBN code?
(b) Consider the code C = {x ∈ Z_10^9 | ∑_{i=1}^{9} i·x_i ≡ 0 mod 10}. Show that this version of the ISBN code is not able to detect all transposition errors.

1.5.
(a) Find a binary (10, 6, 6)-code.
(b) Find a binary (5, 4, 3)-code.

1.6.
(a) Find the minimal distance of the code C = {10001, 11010, 01101, 00110}.
(b) Decode, for the code C, the strings 11110, 01101, 10111, 00111 using the nearest neighbor decoding strategy.

1.7. Let us have an error-correcting code over the 5-ary alphabet
C = {0 → 01234, 1 → 12340, 2 → 23401, 3 → 34012, 4 → 40123}.
We want to use a channel X over the 5-ary alphabet. For p being the probability of error and x a character from {0, 1, 2, 3, 4}, the channel acts as follows:
x → x with probability 1 − p
x → x + 1 mod 5 with probability p/4
x → x + 2 mod 5 with probability p/4
x → x + 3 mod 5 with probability p/4
x → x + 4 mod 5 with probability p/4.
We have received the following message as the output of the channel:
0120000110012301223022401444233333340023.
Decode the message.

1.8.
Let C = {111111, 110000, 001100, 000011}. Suppose that the codewords are transmitted using a binary symmetric channel with an error probability p < 1 2. Determine the probability that the receiver does not notice that a codeword has been corrupted during the transfer. 1.9. Let q ≥ 2. What are relations (≤, =, ≥) between: (a) A2(n, 2d − 1) and A2(n + 1, 2d); (b) Aq(n, d) and Aq(n + 2, 2d); (c) Aq(n, d) and Aq(n + 1, d); (d) Aq(2n, 2) and A2q(n, 4); (e) A2(n, 2d) and 4A2(n − 3, 2d − 1). 1.10. Show that the following codes are perfect: (a) Codes containing all words of given alphabet; (b) Codes consisting of exactly one codeword; (c) Binary repetition codes of odd length; (d) Binary codes of odd length consisting of a vector c and the vector c with zeros and ones interchanged. 1.11. Consider a perfect binary (n, M, 7)-code. There are only two possible values of n. Find them. 1.12. Show that for t > 0 there is no perfect binary (n, M, 2t + 1)-code, such that n is even. 1.13. Consider an erasure channel with the erasure probability p. (a) Suppose we use an error correcting code for this erasure channel with codewords of the length n. How many n-symbol strings can appear as the channel output? CHAPTER 1. BASICS OF CODING THEORY 5 (b) Derive an upper bound for the erasure channel analogous to the sphere packing bound. * 1.14. A (v, b, k, r, λ)-block-design D is a partition of v elements e1, e2, . . . , ev into b blocks s1, s2, . . . , sb, each of cardinality k, such that each of the objects appears exactly in r blocks and each pair of them appears exactly in λ blocks. An incidence matrix of (v, b, k, r, λ) block design is a v × b binary matrix M such that for any (i, j) ∈ {1, 2, . . . , v} × {1, 2, . . . , b}, mi,j = 1, if vi ∈ sj and mi,j = 0 otherwise. Let D be a (v, b, k, r, λ)-block-design. Consider a code C whose codewords are rows of the incidence matrix of D: (a) Show that each codeword of C has the same weight; (b) Find the minimal distance of C; (c) How many errors is C able to correct and detect? * 1.15. For each of the following pairs of binary codes, prove their equivalence or prove that they are not equivalent. (a) A =    0 0 1 0 0 0 0 0 1 1 1 1 1 1 1 1 1 0 0 0    , B =    0 0 0 0 0 0 1 1 0 1 1 0 1 1 0 1 1 0 1 1    , (b) A =    0 0 0 0 0 0 0 1 1 1 0 1 1 1 0 0 1 0 1 1 1 0 1 0 1    , B =    0 1 0 0 0 1 1 0 1 1 1 1 1 1 0 0 1 1 0 1 1 0 0 0 1    , (c) A0 = {0}, Ai =    Ai−1 1 0 1 0 ... 1 0 1 0 . . . 1 + (−1)i /2    , B0 = {1}, Bi ==    Bi−1 0 0 0 ... 0 0 1 1 . . . 1 1    , 1.16. (a) Give an example of a ternary (6, 7, 4)-code, in which all words are palindromes (i.e. their i-th letter is equal to their (7 − i)-th letter for i ∈ {1, 2, 3}). (b) Give an example of four binary pairwise disjoint (4, 4, 2)-codes. CHAPTER 1. BASICS OF CODING THEORY 6 1.17. Alice and Bob are communicating with each other. Since their communication channel is noisy, they use the following code: 00 → 010010 01 → 000101 10 → 101000 11 → 111111 Bob receives the message 001101. Assume that the probability of a bit error is p = 0.01. (a) What is Bob’s decoding of the message? (b) What is the probability that Bob’s interpretation of the message is the same as Alice intended? (c) What is the probability that Alice actually wanted to send the message 11? 1.18. 
Consider a channel characterized by the following conditional probabilities, where X and Y are the random variables of the input and the output, respectively:
P(Y = 0 | X = 0) = 1, P(Y = 1 | X = 0) = 0,
P(Y = 0 | X = 1) = p, P(Y = 1 | X = 1) = 1 − p, for some 0 < p < 1.
(a) Calculate the probability of t errors in n received bits if the input distribution is P(X = 0) = q and P(X = 1) = 1 − q, 0 ≤ q ≤ 1, independently for every bit.
(b) For which q will this value be minimal?

1.19. Consider the decimal code of length 12 defined as {x1x2 · · · x12 | xi ∈ Z_10, 3x1 + x2 + 3x3 + x4 + · · · + 3x11 + x12 ≡ 0 mod 10}. Is it possible to detect all adjacent transposition errors with this code?

1.20. Give an example of a 4-ary (10, 10, 7)-code such that each of its words contains exactly one 0, two 1's, three 2's and four 3's.

* 1.21. Consider a family of codes C_{2n} with the following encoding function:
0 → 00 . . . 0 (2n times), 1 → 11 . . . 1 (2n times).
Consider a binary symmetric channel with error probability p ≤ 1/2 and the maximum likelihood decoding strategy, i.e. every k < n errors can be corrected.
(a) What are the (n, M, d) parameters of C_{2n}?
(b) What is the probability of correct decoding, Pcorr(C_{2n})?
(c) Calculate lim_{n→∞} Pcorr(C_{2n}).
(d) What is the code rate R(C_{2n})?
(e) Calculate lim_{n→∞} R(C_{2n}). Hint: $\binom{2n}{n} \le \frac{4^n}{\sqrt{3n+1}}$.

1.22. Let C1 and C2 be two block codes of length n. Decide whether the following statements hold:
(a) h(C1 ∩ C2) ≥ max{h(C1), h(C2)};
(b) h(C3) = h(C1) + h(C2), where C3 = {x1y1x2y2 . . . xnyn | x1 . . . xn ∈ C1, y1 . . . yn ∈ C2}.

1.23. Any two equivalent q-ary codes have the same (n, M, d) parameters. Are any two q-ary codes with the same (n, M, d) parameters equivalent? Prove your answer.

1.24. Consider an employee in a supermarket who finds a product with the corrupted EAN-13 barcode 858x035361404. Help him find the missing digit x.

1.25. You are about to pay a conference fee for a coding theory conference. The organizers decided to test your knowledge by sending you an incomplete bank account number CZ85 2018 0000 0012 3423 x091 written in the International Bank Account Number (IBAN) format. Determine the missing digit.

1.26. Consider the following codes and calculate their (n, k, d) parameters.
(a) m-fold repetition. Each ℓ-bit message is copied m times to create a codeword. Formally, C_{ℓ,m} = {w^m | w ∈ {0, 1}^ℓ}.
(b) Checksum of neighboring bit pairs. Each ℓ ≥ 3 bit message is appended with the XORs (denoted ⊕) of all neighboring bit pairs. Note that the last bit is XORed with the first one. Formally, C_ℓ = {w_0 . . . w_{ℓ−1} b_0 . . . b_{ℓ−1} | (w_0 . . . w_{ℓ−1}) ∈ {0, 1}^ℓ, b_i = w_i ⊕ w_{(i+1) mod ℓ}}.
(c) Checksum of all bit pairs. Each ℓ ≥ 3 bit message is appended with the XORs (denoted ⊕) of all bit pairs. Formally, C_ℓ = {w_0 . . . w_{ℓ−1} b_{0,1} . . . b_{i,j} . . . | (w_0 . . . w_{ℓ−1}) ∈ {0, 1}^ℓ, b_{i,j} = w_i ⊕ w_j, i < j}.

1.3 Solutions

1.1.
(a) Yes. An example is a random variable with probabilities 1/2, 1/4, 1/4.
(b) No. This code is not a Huffman code for any distribution, since a Huffman code always has two longest codewords of the same length.
(c) No. This code is not minimal. The code {0, 1} is shorter, and it is in fact the Huffman code for any variable with only two outcomes.
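The claims above, and the code constructed by hand in the next solution, can be checked mechanically. The following Python sketch (added for illustration; the function name and data are ours) builds a Huffman code with a priority queue. For the probabilities 1/2, 1/4, 1/4 from part (a) it returns codeword lengths 1, 2, 2, matching {0, 10, 11}, and for the source of Exercise 1.2 it returns lengths 1, 2, 3, 3 with average length 1.3.

import heapq
from itertools import count

def huffman_code(probabilities):
    # returns a dict symbol -> binary codeword built by Huffman's algorithm
    tiebreak = count()                       # avoids comparing dicts when weights are equal
    heap = [(p, next(tiebreak), {s: ""}) for s, p in probabilities.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        p0, _, c0 = heapq.heappop(heap)      # merge the two least probable items,
        p1, _, c1 = heapq.heappop(heap)      # prefixing their codewords with 0 and 1
        merged = {s: "0" + w for s, w in c0.items()}
        merged.update({s: "1" + w for s, w in c1.items()})
        heapq.heappush(heap, (p0 + p1, next(tiebreak), merged))
    return heap[0][2]

print(sorted(len(w) for w in huffman_code({"x": 0.5, "y": 0.25, "z": 0.25}).values()))  # [1, 2, 2]

probs = {"A": 0.8, "B": 0.1, "C": 0.05, "D": 0.05}
code = huffman_code(probs)
print(sorted(len(w) for w in code.values()))                      # [1, 2, 3, 3]
print(round(sum(probs[s] * len(w) for s, w in code.items()), 2))  # 1.3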
1.2.
(a) S(X) = −(p(A) log_2 p(A) + p(B) log_2 p(B) + p(C) log_2 p(C) + p(D) log_2 p(D)) = −(0.8 log_2 0.8 + 0.1 log_2 0.1 + 0.05 log_2 0.05 + 0.05 log_2 0.05) ≈ 1.022.
(b) The code is given in the following table:
symbol probability code
A 0.8 0
B 0.1 10
C 0.05 110
D 0.05 111
The average code length L(C) is
L(C) = ∑_x length(C(x)) · Pr(X = x) = 0.8 · 1 + 0.1 · 2 + 0.05 · 3 + 0.05 · 3 = 1.3.
(c) The solution is to divide the stream of symbols into pairs and then find a Huffman code for the pairs. We know that if we divide the stream of symbols into substrings of length n and use Huffman encoding with these strings as items, the average length per symbol approaches the entropy. In our case n = 2 is sufficient. The solution is:
symbols code    symbols code
AA 1            BA 001
AB 010          DA 0001
AC 0110         CA 01110
AD 01111        BB 000001
BD 0000100      BC 0000101
DB 0000110      CB 0000111
CD 00000000     CC 00000001
DD 00000010     DC 00000011
With this encoding the average number of code bits per symbol is 1.06, which is below 110% of the entropy, since 1.1 · 1.022 ≈ 1.124.

1.3.
(a) Let us order the probabilities of the n outcomes of the random variable X as p1 ≥ p2 ≥ p3 ≥ · · · ≥ pn. In the case of a random variable with three outcomes there is always one codeword of length 1, and in an optimal code it is assigned to the most probable outcome. In the case of four outcomes, let us take a look at the Huffman algorithm. For the most probable symbol to receive a codeword of length 2, the sum of the probabilities of the two least probable outcomes would have to be greater than p1. Then we would have p1 > 2/5 and p3 + p4 > p1 > 2/5; since the probabilities sum to 1, this gives p2 < 1/5, hence also p3, p4 < 1/5 and p3 + p4 < 2/5 < p1, which is a contradiction. This argument can be extended to a random variable with an arbitrary number of outcomes.
(b) Note that if p1 < 1/3, then there are at least four outcomes, so the Huffman algorithm reaches a stage where exactly three items are left. For the most probable symbol to be assigned a codeword of length 1, it must not be merged before the final stage; in particular, at the three-item stage it must not be among the two least probable items. But the other two items at that stage have total probability greater than 2/3, so the larger of them has probability greater than 1/3 > p1 — a contradiction. Therefore the most probable symbol is merged and its codeword has length ≥ 2.

1.4.
(a) We have to solve the following equation for x:
1·0 + 2·4 + 3·8 + 4·6 + 5·x + 6·0 + 7·0 + 8·9 + 9·7 + 10·3 ≡ 0 mod 11
221 + 5x ≡ 0 mod 11
x = 2.
(Note that the condition ∑ i·x_i ≡ 0 mod 11 is equivalent to ∑ (11 − i)·x_i ≡ 0 mod 11, since the two sums add up to 11·∑ x_i.) The full ISBN is 0486200973 and belongs to the book Cryptanalysis by Helen F. Gaines.
(b) The checksum condition of the 9-digit code is ∑_{i=1}^{9} i·x_i ≡ 0 mod 10. Let us exchange two positions x_j and x_k in order to create a transposition error. The resulting checksum can be written as:
∑_{i=1}^{9} i·x_i + (j − k)x_k + (k − j)x_j ≡ 0 mod 10
∑_{i=1}^{9} i·x_i + (k − j)(x_j − x_k) ≡ 0 mod 10.
Since we know that ∑_{i=1}^{9} i·x_i ≡ 0 mod 10, in order to find a transposition error which cannot be detected it suffices to find j, k, x_j, x_k such that (k − j)(x_j − x_k) ≡ 0 mod 10. An example is the codeword 005000013 with j = 3 and k = 8: here (k − j)(x_j − x_k) = 5 · 4 = 20 ≡ 0 mod 10. After the transposition we obtain 001000053, which also has checksum 0.

1.5.
(a) For example, Ca = {0000001111, 0001110001, 1110000001, 0110110110, 1011011010, 1101101100} is a (10, 6, 6)-code (any two of its codewords differ in exactly 6 positions).
(b) For example, Cb = {11111, 00100, 10010, 01001} is a (5, 4, 3)-code.

1.6.
(a) h(C) = h(10001, 11010) = 3.
(b) Nearest neighbor decoding is given by the following table:
11110 → 11010
01101 → 01101
10111 → 10001 or 00110
00111 → 00110
Note that the decoding of 10111 is not unique.

1.7. The decoded message is 040124?4. The symbol "?" indicates that the corresponding block cannot be decoded uniquely.
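The decoding claimed in the previous solution can be reproduced with a few lines of Python (an added illustration, assuming the code and the received string of Exercise 1.7): each block of five received symbols is decoded to the nearest codeword, and ties are reported as "?".

codewords = {"0": "01234", "1": "12340", "2": "23401", "3": "34012", "4": "40123"}
received = "0120000110012301223022401444233333340023"

def distance(x, y):
    return sum(a != b for a, b in zip(x, y))

decoded = []
for i in range(0, len(received), 5):
    block = received[i:i + 5]
    dists = {symbol: distance(block, w) for symbol, w in codewords.items()}
    best = min(dists.values())
    nearest = [symbol for symbol, d in dists.items() if d == best]
    decoded.append(nearest[0] if len(nearest) == 1 else "?")   # "?" marks a tie

print("".join(decoded))   # 040124?4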
1.8. The distance between any two codewords of the code C is d = 4. If errors happen on 4 particular bits such that the resulting word is another codeword, the receiver will not notice it. Let X be the event that errors occur on 4 particular bits and nowhere else; then P(X) = p^4(1 − p)^2. There are three codewords the transmitted codeword can change into, therefore the overall probability is 3p^4(1 − p)^2.

1.9.
(a) A_2(n, 2d − 1) = A_2(n + 1, 2d). Substitute m = n + 1 and f = 2d to obtain A_2(m − 1, f − 1) = A_2(m, f). This holds for even f, as shown in the lecture.
(b) There is no fixed relation. As an example, consider A_2(2, 1) = 4 < A_2(4, 2) = 8, but A_2(4, 2) = 8 > A_2(6, 4) = 4.
(c) A_q(n, d) ≤ A_q(n + 1, d). Appending a zero to every codeword preserves M and d but increases the length of the codewords. We can only improve d by appending symbols in a more sophisticated way.
(d) In order to prove the relation, we construct a q-ary code of length 2n and minimum distance at least 4 from a given 2q-ary (n, M, 4)-code. Let C1 be the given (n, M, 4)-code over Σ1, with |Σ1| = 2q. Let us label the elements of Σ1 as a1, b1, . . . , aq, bq. Now we want to construct a code C2 over Σ2, with |Σ2| = q. Let us label the elements of Σ2 as c1, . . . , cq. Let us now define a function
ϕ : Σ1 → Σ2 × Σ2, ϕ(a_i) = c_i c_i, ϕ(b_i) = c_i c_{i+1},
where the indices are taken with the identification q + 1 = 1. By the natural extension of ϕ from Σ1 to strings over Σ1 we obtain the code C2 = ϕ(C1) = {ϕ(x) | x ∈ C1}. Let x, y ∈ C1. Since ϕ is injective, x_i = y_i if and only if ϕ(x)_{2i−1} = ϕ(y)_{2i−1} ∧ ϕ(x)_{2i} = ϕ(y)_{2i}. Therefore, for all x, y ∈ C1, h(x, y) ≤ h(ϕ(x), ϕ(y)). It follows that A_q(2n, 4) ≥ A_{2q}(n, 4), and since A_q(2n, 2) ≥ A_q(2n, 4), we obtain A_q(2n, 2) ≥ A_{2q}(n, 4).
(e) A_2(n, 2d) ≤ 4A_2(n − 3, 2d − 1). As shown in the lecture, if the distance is odd then A_2(n, d) = A_2(n + 1, d + 1), so we can rewrite 4A_2(n − 3, 2d − 1) as 4A_2(n − 2, 2d). Now we look at the left-hand side: take the first two bits of each codeword and divide the codewords into groups based on these first 2 bits. We get 4 groups, each containing at most A_2(n − 2, 2d) words, and we are done. Notice that the Hamming distance within each group is unchanged after removing the first two bits, because all words of the same group have the same first 2 bits.

1.10.
(a) Such codes are (n, q^n, 1)-codes, therefore t = 0 and the perfect code condition states:
$q^n \binom{n}{0} = q^n \cdot 1 = q^n$.
(b) Such codes have M = 1 and can correct up to n errors (every error can be detected and corrected, since there is only one valid codeword). The perfect code condition states:
$1 \cdot \left(\binom{n}{0} + \binom{n}{1}(q-1) + \cdots + \binom{n}{n}(q-1)^n\right) = (1 + (q - 1))^n = q^n$,
where the first equality follows from the binomial theorem.
(c) A binary repetition code of odd length is a (2k + 1, 2, 2k + 1)-code. The perfect code condition then states:
$2\left(\binom{2k+1}{0} + \binom{2k+1}{1}(2-1) + \cdots + \binom{2k+1}{k}(2-1)^k\right) = 2 \cdot \frac{1}{2}\sum_{i=0}^{2k+1}\binom{2k+1}{i} = 2^{2k+1}$,
where we used the equality $\binom{n}{k} = \binom{n}{n-k}$.
(d) The distance of the two codewords is 2k + 1, therefore it is a (2k + 1, 2, 2k + 1)-code and we can use the argumentation from the previous case.

1.11. We need to find an n for which the sphere packing bound attains equality:
$M\left(\binom{n}{0} + \binom{n}{1} + \binom{n}{2} + \binom{n}{3}\right) = 2^n$
$M \cdot \frac{6 + 6n + 3n^2 - 3n + n^3 - 3n^2 + 2n}{6} = 2^n$.
Solving the equation yields $M = \frac{6 \cdot 2^n}{n^3 + 5n + 6}$. We require M to be a natural number, and this is fulfilled only for n = 7 and n = 23.

1.12. A perfect binary (n, M, 2t + 1)-code is a code such that
$2^n = M\left(\binom{n}{0} + \binom{n}{1} + \cdots + \binom{n}{t}\right) = M\left(1 + n + \frac{n!}{(n-2)!\,2!} + \cdots + \frac{n!}{(n-t)!\,t!}\right) = M\left[1 + n\left(1 + \frac{(n-1)!}{(n-2)!\,2!} + \cdots + \frac{(n-1)!}{(n-t)!\,t!}\right)\right]$.
Let us denote the term in the square brackets as N. We can see that N is odd, because n is even and we are adding 1 to a multiple of n.
Therefore the equivalence cannot be achieved, as the left hand side of this equivalence is a power of 2 and doesn’t have any odd divisors, unlike the right hand side of the equivalence. 1.13. (a) At each position three different symbols can appear, therefore there are 3n possible channel outputs. (b) Let t be the maximum number of erasures that we want C to be able to correct. Erasure of exactly k symbols of an n-bit codeword can result in n k possible channel outputs. Erasure of t or less symbols can result in t i=0 n i different channel outputs. The upper bound on maximum number of codewords M is therefore M t i=0 n i ≤ 3n , where 3n is the number of possible outputs. 1.14. CHAPTER 1. BASICS OF CODING THEORY 12 (a) We know that mi,j = 1, iff vi belongs to block sj and because every vi appears exactly in r blocks. Row i represents the incidence of the element vi, so the weight of each row is r. (b) Each two elements vi and vj are together contained in exactly λ blocks, therefore, every two rows have exactly λ columns, in which they have both value 1. On the other hand, each row has exactly r values 1 and therefore there are exactly r − λ columns k in which mi,k = 0 and mj,k = 1 and exactly r − λ columns k , in which mi,k = 1 and mj,k = 0. In all the other columns both rows have value 0. Summing it up, each pair of rows differs in exactly 2(r − λ) positions. (c) If h(C) = s + 1 = 2t + 1, the code can detect up to s errors and correct up to t errors. The code C is therefore able to detect up to 2(r − λ) − 1 errors and repair 2(r−λ)−1 2 . 1.15. (a) In order to obtain B from A do the following: (a) In the third column of A permute symbols. (b) Exchange second and fourth columns. The resulting matrix is the matrix of the code B. (b) Code A contains an all zero codeword. All other codewords contain three values 1 and 2 values zero. We exchange 1s and 0s in columns to obtain an equivalent code. We will use this rule to transform codewords in code B into all zero code words. After we do this for all 5 codewords we can see that the resulting 5 codes are not equivalent to code A, as their non-zero codewords do not all contain three symbols 1. (c) A0 is equivalent to A1 as both codes contain only one codeword. In order to show equivalence also for i > 0, we present an algorithm to transform the matrix Ai to the matrix Bi: (a) Sort all codewords except the first one according to their weight – the codeword with the highest weight first. The topmost codeword stays on the top. (b) Permute columns except the first one, so that all symbols 1 are on the right side of the matrix. (c) Permute all symbols. The resulting matrix is a matrix of the code Bi. 1.16. (a) An example of a ternary (6, 7, 4)-code whose words are palindromes is {aaaaaa, abccba, acbbca, baccab, cabbac, bcaacb, cbaabc} (b) An example of four binary pairwise disjoint (4, 4, 2)-codes is: C1 = {0000, 0011, 0110, 1010} C2 = {0001, 0111, 1011, 1101} C3 = {0010, 0100, 1000, 1110} C4 = {0101, 1001, 1100, 1111} 1.17. CHAPTER 1. BASICS OF CODING THEORY 13 (a) Hamming distances of the message from all of the codewords are: h(001101, 010010) = 5 h(001101, 000101) = 1 h(001101, 101000) = 3 h(001101, 111111) = 3 Therefore, by the principle of majority voting, Bob will interpret the message as 01. (b) Since h(001101, 000101) = 1, if the original message was 01, exactly 1 error occurred, and it was on the third bit. Probability of this is p · (1 − p)5 = 0.01 · (1 − 0.01)5 = 0.009509900499. 
(c) In case Alice wanted to send the message 11, in order for 111111 to change into 001101, there must be an error on 1st, 2nd and 5th bit. The probability of this is p3 · (1 − p)3, which for p = 0.01 is roughly 9.7 · 10−7. 1.18. (a) In our channel, error occurs only when we send 1 and receive 0. The probability of this is P(Y = 0|X = 1) · P(X = 1) = p(1 − q). Because the input bits are independent of each other and the same holds for the channel, the probability of t errors in n bits is just n t (1 − q)t pt (1 − (1 − q)p)n−t . (b) This value will be lowest for q = 1 independent of p because for this value of q we only send the bit 0 and no error can occur. 1.19. Actually, this defines the UPC (Universal Product Code, UPC-A). This code detects nearly all transposition errors on adjacent positions. If the digits xi and xi+1 are interchanged then the check sum would change by either 3xi + xi+1 − 3xi+1 − xi = 2(xi − xi+1) or xi + 3xi+1 − xi+1 − 3xi = 2(xi+1 − xi) Therefore, only if |xi − xi+1| = 5, the error would not be detected. 1.20. {0112223333, 3301122233, 3333011222, 2233330112, 1222333301, 3310232312, 1233102323, 2312331023, 2323123310, 1023231233} 1.21. (a) (2n, 2, 2n) (b) Pcorr(C2n) = 2n i=n+1 k i p2n−i(1 − p)i = 1 − 2n i=n 2n i pi(1 − p)2n−i (c) Let us rewrite the limit as lim n→∞ 1 − 2n i=n 2n i pi (1 − p)2n−i , CHAPTER 1. BASICS OF CODING THEORY 14 thus reducing the problem to calculating the limit of the sum 2n i=n 2n i pi(1 − p)2n−i. Next, let us divide the sum into summands si = 2n i pi(1 − p)2n−i. First note that each summand is a product of positive numbers, thus it holds that ∀i, si ≥ 0. Let us now prove that for i ∈ n, n + 1, . . . , 2n − 1 it holds that si ≥ si+1. (1.4) We have a following series of reductions 2n i pi (1 − p)2n−i ≥ 2n i + 1 pi+1 (1 − p)2n−i−1 (2n)! i!(2n − i)! (1 − p) ≥ (2n)! (i + 1)!(2n − i − 1)! p 1 2n − i (1 − p) ≥ 1 (i + 1) p 1 2n − i ≥ 1 2n − i + 1 i + 1 p 1 ≥ 1 + 2n − i i + 1 p. The last inequality holds, because the largest value of the right hand side within the allowed values of i and p is achieved by i = n and p = 1 2. The last step is to show that limn→∞ sn = 0. Together with the fact that for all i ∈ {n + 1, . . . , 2n}, si ≥ 0, si > si+1, this implies that the limn→∞ 2n i=n si = 0, and therefore limn→∞(C2n) = 1. lim n→∞ sn = lim n→∞ 2n n pn (1 − p)n ≤ lim n→∞ 4n √ 3n + 1 (p(1 − p))n ≤∗ lim n→∞ 4n √ 3n + 1 1 4n = 0. The last inequality follows from the fact that maxp p(1 − p) = 1 4 and is achieved by setting p = 1 2. (d) 1/2n (e) 0 1.22. (a) Assume C3 = C2 ∩ C1 has at least two words. Then this property certainly holds, because ∀x, y ∈ C3, x, y ∈ C1 and x, y ∈ C2. In particular, h(x, y) ≥ h(C1) and h(x, y) ≥ h(C2). (b) The property does not hold. It holds that h(C1) > 0 and h(C2) > 0. Now consider three words x ∈ C1 and y, z ∈ C2, such that h(y, z) = h(C2). Then x1y1 . . . xnyn ∈ C3 and x1z1 . . . xnzn ∈ C3. It is easy to see that h(x1y1 . . . xnyn, x1z1 . . . xnzn) = h(C2), which is a contradiction to the original claim. CHAPTER 1. BASICS OF CODING THEORY 15 1.23. This does not hold. Consider the following codes, both with (n, M, d) = (4, 3, 1): C1 = {0000, 0001, 1100}, C2 = {0000, 1000, 0100} If they were equivalent, we should be able to obtain one from the other by distance preserving operations. However, let us first calculate the distances between codewords. h(0000, 0001) = 1, h(0000, 1100) = 2, h(0001, 1100) = 3 h(0000, 1000) = 1, h(0000, 0100) = 1, h(1000, 0100) = 2. 
Since the ordered sequences of distances are different, we cannot obtain C1 from C2 and they are not equivalent. 1.24. The checksum of EAN-13 is calculated as a sum of products - taking an alternating weight value (3 or 1 starting with 1) times the value of each data digit. The checksum digit is the digit, which must be added to this checksum to get a number divisible by 10. We therefore start by summing the odd positions as (8 + 8 + 0 + 5 + 6 + 4) = 31 then from even positions we have 3(5 + x + 3 + 3 + 1 + 0) = 36 + 3x. Together we have 67 + 3x + 4 = 0 mod 10. We now solve for x to obtain x = 3. 1.25. An IBAN is validated by converting it into an integer and performing a basic modulo 97 operation on it. If the IBAN is valid, the remainder equals 1. The algorithm of IBAN validation is as follows: 1. Check that the total IBAN length is correct as per the country. If not, the IBAN is invalid 2. Move the four initial characters to the end of the string 3. Replace each letter in the string with two digits, thereby expanding the string, where A = 10, B = 11, . . . , Z = 35 4. Interpret the string as a decimal integer and compute the remainder of that number after division by 97. If the remainder is 1, the check digit test is passed and the IBAN might be valid. We therefore first convert C = 12 and Z = 35 and move it to the end of the string to obtain 2018 0000 0012 3423 x091 123585. Trying all options for x reveals that the only solution giving 2018 0000 0012 3423 x091 123585 ≡ 0 mod 97 is x = 8. 1.26. (a) (m , 2 , m). The first two parameters are self evident. Since each pair of messages differs in at least one bit, m fold repetition results in minimum distance of m. (b) (2 , 2 , 3). Since there are as many pairs of neighboring bits as the message bits, the length is clearly 2 . Yet again, calculating the distance takes a little bit of work. Two words with the smallest distance differ in one bit in their first half w and w . WLOG assume that the difference is in the ith position and wi = 0, wi = 1. The only bits in the second half that depend on wi and wi are bi−1, bi and bi−1, bi. Since bi−1 = wi−1 ⊕ x = wi−1 ⊕ x = bi−1 and bi = wi ⊕y = wi ⊕y = bi, for all possible values of x and y, we have that the distance of the two codewords is at least 3. The rest of the positions are calculated from the positions in w and w which are identical, and therefore the distance is exactly 3. Using similar arguments it is easy to see that if w and w differ in more than one position, the distance of their corresponding codewords is larger than 3. CHAPTER 1. BASICS OF CODING THEORY 16 (c) 2+ 2 , 2 , . Let us first consider calculation of n. There are 2 = ( −1) 2 different pairs of bits in a message w, which is of length . Therefore n = + 2− 2 = 2+ 2 . The minimum distance is calculated similarly to the previous case. Assume one bit difference between w and w in ith bit. Then wi and wi influence exactly − 1 check bits. Since all other positions of w and w are equal, the check bits must be different, resulting in distance . Increasing the number of bits different in w and w only increases the number of differences in check bits. Chapter 2 Linear Codes 2.1 Introduction Linear codes are a very important class of codes, because they have a concise description, easy encoding and easy to describe (and often efficient) decoding. Linear codes are special sets of words of a fixed length over an alphabet Σq = {0, . . . , q − 1}, where q is a power of prime. 
The reason for this restriction is that with a suitable operations Σq constitutes a Galois field (also called finite field) GF(q). In case of q being a prime, the suitable operations are sum and product modulo q. We will denote Fn q a vector space of all n-tuples over the Galois field GF(q). Definition 2.1.1. A subset C ⊆ Fn q is a linear code, if 1. u + v ∈ C, for all u, v ∈ C; 2. au ∈ C, for all u ∈ C and all a ∈ GF(q). It follows from the definition that C ⊆ Fn q is a linear code, iff C is a subspace of Fn q . Moreover for the case q = 2, C ⊆ Fn q is a linear code, if sum of any two codewords is a codeword as well. If C is a k-dimensional subspace of Fn q , then it is called [n, k]-code and it has qk codewords. If the minimal distance of C is d, then it is called a [n, k, d]-code. 2.1.1 Basic properties The minimal distance of the code w(C) is equal to the smallest of the weights of non-zero codewords. If C is a linear [n, k]-code, then it has a basis Γ consisting of k linearly independent codewords and each codeword of C is a linear combination of the codewords from Γ. Definition 2.1.2. A k × n matrix with rows forming a basis of a linear [n, k]-code C is called a generator matrix of C. Two k × n matrices generate equivalent linear [n, k]-codes over Fn q if one matrix can be obtained from the other by a sequence of the following operations: (a) permutation of the rows; (b) multiplication of a row by a non-zero scalar; (c) addition of one row to another; (d) permutation of columns; (e) multiplication of a column by a non-zero scalar. With the use of operations (a)–(c) it is possible to transform every generator matrix G into a form [Ik|A], where Ik is a k × k identity matrix. 17 CHAPTER 2. LINEAR CODES 18 2.1.2 Encoding and decoding with linear codes Encoding Encoding of a dataword u = (u1, . . . , uk) using a generator matrix G of an [n, k]-code C is u · G = k i=1 uiri, where r1, . . . , rk are rows of G. Nearest neighbor decoding If a codeword x = (x1, . . . , xn) is sent through a channel and a word y = (y1, . . . , yn) is received, then e = x − y = (e1, . . . , en) is called the error vector. Definition 2.1.3. Suppose C is an [n, k]-code over Fn q and u ∈ Fn q . Then the set u+C = {u+x|x ∈ C} is called a coset of C in Fn q . Suppose C is a linear [n, k]-code. It holds that (a) every vector of Fn q is in some coset of C; (b) every coset contains exactly qk elements; (c) two cosets are either identical or disjoint. Each vector having minimum weight in a coset is called a coset leader. Let C = {c0, . . . c2k−1}, with c0 being all zero codeword (thus being a coset leader of C). Also let us denote li, i ∈ {1, . . . , qn−k − 1} the coset leader of the ith coset Ci = C + bin(i), where bin(i) is the n-bit binary representation of i. The standard array for an [n, k]-code C is a qn−k × qn array of the form c0 c1 . . . c2k−1 l1 c1 + l1 . . . c2k−1 + l1 ... ... ... lqn−k−1 c1 + lqn−k−1 . . . c2k−1 + lqn−k−1 A received word y is decoded as the codeword in the first row of the columns in which y occurs. Error vectors which are corrected are precisely the coset leaders li. Syndrome decoding Inner product of two vectors u = (u1, . . . , un), v = (v1, . . . , vn) in Fn q is defined as u · v = u1v1 + · · · + unvn. If u · v = 0, then u and v are orthogonal. The dual code C⊥ of a linear [n, k]-code C is defined as C⊥ = {v ∈ Fn q |v · u = 0, ∀u ∈ C}. The dual code C⊥ is a linear [n, n − k]-code. A parity check matrix H for an [n, k]-code C is any generator matrix of C⊥. 
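As a small illustration of the last two notions (an addition; the [4, 2]-code and its generator matrix are chosen here only for this example), the following Python sketch generates a binary linear code from a generator matrix, computes its dual code by brute force, and checks that the dual has 2^(n−k) words:

from itertools import product

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % 2       # inner product over GF(2)

G = [(1, 0, 1, 1), (0, 1, 0, 1)]                      # generator matrix of a toy [4, 2]-code
n, k = len(G[0]), len(G)

# the code: all linear combinations of the rows of G over GF(2)
C = {tuple(sum(u * g for u, g in zip(msg, col)) % 2 for col in zip(*G))
     for msg in product((0, 1), repeat=k)}

# the dual code: all words orthogonal to every codeword of C
C_dual = {v for v in product((0, 1), repeat=n) if all(dot(v, c) == 0 for c in C)}

print(sorted(C))                    # [(0,0,0,0), (0,1,0,1), (1,0,1,1), (1,1,1,0)]
print(sorted(C_dual))               # [(0,0,0,0), (0,1,1,1), (1,0,1,0), (1,1,0,1)]
print(len(C_dual) == 2 ** (n - k))  # True: the dual is an [n, n - k]-code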
If G = [Ik|A] is the standard form generator matrix of an [n, k]-code C, then H = [−A |In−k], where A is the transpose of A, is it’s parity check matrix. A syndrome S(y) of the received word y is calculated as S(y) = yH . Two words have the same syndrome, iff they are in the same coset. Therefore it is sufficient to store only two columns – one for syndromes z and one for their corresponding coset leaders l(z). The decoding procedure is as follows: (a) Given y, compute S(y); (b) Locate z = S(y) in the syndrome column; (c) Decode y as y − l(z). 2.1.3 Hamming codes An important family of simple linear codes that are easy to encode and decode are called Hamming codes. CHAPTER 2. LINEAR CODES 19 Definition 2.1.4. Let r be an integer and H be an r×2r −1 matrix with columns being all non-zero distinct words from Fr 2. The code having H as it’s parity check matrix is called a binary Hamming code and denoted by Ham(3, 2). The code Ham(r, 2) is a [2r − 1, 2r − 1 − r, 3]-code, therefore it can repair exactly one error. If the columns of H are arranged in the order of increasing binary numbers the columns represent, than the syndrome S(y) gives, in the binary representation, the position of the error. 2.2 Exercises 2.1. Find the standard form of generator matrix for codes that are linear. (a) Binary code C1 = {00000, 00110, 00101, 10111, 10010, 10001, 10100, 00011}. (b) 5-ary code C2 = {000, 224, 132, 444, 312}. 2.2. How many codewords does the smallest ternary linear code containing keywords 100, 010 and 210 have? 2.3. Consider the 5-ary code C such that x1x2x3x4 ∈ C ⇔ x1 + 2x2 + 3x3 + 4x4 = 0 mod 5. Show that C is a linear code and find it’s generator matrix in standard form. 2.4. Consider a ternary linear code C. What fraction of codewords can have the digit 2 as the last digit? 2.5. (a) Show that in a linear binary code, either all the codewords begin with 0, or exactly half begin with 0 and half with 1. (b) Show that in a linear binary code, either all the codewords have even weight, or exactly half have even weight and half have odd weight. 2.6. A binary code C is called weakly self dual if C ⊂ C⊥. Prove the following. (a) If C is binary weakly self dual code, every codeword is of even weight. (b) If each row of the generator matrix G of weakly self-dual code C has weight divisible by 4, then so does every codeword. 2.7. Consider a binary linear code C generated by the matrix G = 1 0 1 1 0 0 1 0 1 1 (a) Construct a standard array for C. (b) Find an example of a received word with two errors which is not decoded correctly using the coset decoding method. CHAPTER 2. LINEAR CODES 20 2.8. Consider a binary [n, k]-code C with a parity check matrix H =   1 1 0 1 0 0 1 0 1 1 1 1 0 0 1 0 0 1 1 1 0   (a) Find n, k, h(C) and |C|. (b) Find the standard form generator matrix for C. (c) Prove that C⊥ ⊂ C. (d) Find coset leaders and the corresponding syndromes 2.9. Let C be a binary code of length n. Consider a binary code C of length n + 1 such that C = {x1 . . . xnxn+1|x1 . . . xn ∈ C, xn+1 = n i=1 xi}, where the addition modulo 2. Show that: (a) if C is a linear code, then C is also a linear code; (b) if H is a parity check matrix of C, then matrix G = H r s 1 , where r is vector of all 0s and s vectors of all 1s, is a parity check matrix of code C . 2.10. Let C be a binary linear [4, 2]-code such that C = C⊥. Show that C contains at least two words of weight 2. * 2.11. How many different binary linear [6, 3]-codes C fulfill C = C⊥? 2.12. Let C1 and C2 be linear codes of the same length. 
Decide whether the following statements hold (a) If C1 ⊆ C2, then C⊥ 2 ⊆ C⊥ q ; (b) (C1 ∩ C2)⊥ = C⊥ 1 ∪ C⊥ 2 . * 2.13. Show that there exists a [2k, k] self dual code over Fq, if and only if there is a k ×k matrix P with entries from Fq such that PP = −Ik. 2.14. Let Mi be the family of all binary linear codes with weight equal to mi, where mi is the ith Mersenne prime (a prime of the form 2j − 1 for some j ∈ N). For all N, decide whether there exists a self-dual code in Mi. 2.15. Let G1, G2 be generator matrices of [n1, k, d1]-linear code and [n2, k, d2]-linear code, respectively. Find values n, k, d of codes with generator matrices: (a) G3 = [G1|G2] (b) G4 = G1 0 0 G2 CHAPTER 2. LINEAR CODES 21 * 2.16. Let G24 be the extended Golay code with the following generator matrix: row ∞ 0 1 2 3 4 5 6 7 8 9 10 ∞ 0 1 2 3 4 5 6 7 8 9 10 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 1 1 1 1 1 1 1 3 1 1 1 1 1 1 1 1 4 1 1 1 1 1 1 1 1 5 1 1 1 1 1 1 1 1 6 1 1 1 1 1 1 1 1 7 1 1 1 1 1 1 1 1 8 1 1 1 1 1 1 1 1 9 1 1 1 1 1 1 1 1 10 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 1 1 Show that: (a) G24 = G⊥ 24. (b) Every codeword of G24 code has weight divisible by 4. (c) G24 contains word with all ones. (d) If G24 contains codeword |L|R| with L = a∞a0a1 . . . a10, R = b∞b0b1 . . . b10, it also contains codeword |L |R | with L = b∞b0b10b9 . . . b1, R = a∞a0a10a9 . . . a1. 2.17. (a) What is the maximum number of codewords in a linear binary code of length 8 with minimal distance of 3 bits? (b) What is the maximum dimension of a linear ternary code of length 4 in which the Hamming distance between every two of its distinct words is odd? 2.18. Consider the following 7-ary codes C1, C2 and C3 of length 3 such that (a) a1a2a3 ∈ C1 ⇐⇒ a1 · a2 + a3 ≡ 0 (mod 7); (b) a1a2a3 ∈ C2 ⇐⇒ a1 + a2 + a3 ≡ 0 (mod 7); (c) a1a2a3 ∈ C3 ⇐⇒ a1 + a2 + a3 ≡ 3 (mod 7). Decide whether they are linear codes. 2.19. What is the number of different binary self-dual [4, 2]-codes. 2.20. Let C be a linear code over Fq, where q is a prime. Show that either all codewords of C begin with 0 or exactly 1 q of codewords of C begin with 0. CHAPTER 2. LINEAR CODES 22 2.21. Prove the following theorem: Let C be a q-ary (n, k) code. Every set of s − 1 columns of its parity check matrix H is linearly independent if and only if w(C) ≥ s. 2.22. Consider a ternary code with the following parity check matrix H =     0 0 0 1 0 1 0 0 1 0 2 0 0 1 0 0 2 2 1 0 0 0 1 2     . Show that this code has a minimum distance 4. (Hint: Use the result from the previous exercise.) * 2.23. Consider a linear [n, k]-code C with corresponding parity check matrix H. (a) Describe the kernel of the linear map represented by H. (b) Determine the rank of H. Explain your reasoning. * 2.24. For n ∈ N, n > 2, and q a power of a prime, give an example of a q-ary [n, k]-code (k ∈ N can be chosen arbitrarily) that is maximum distance separable (MDS) such that its dual code is an MDS-code as well. 2.25. Let C1, C2, C3 ⊆ Fn q be linear codes. Decide whether the following codes are linear codes. Prove your answer. (a) C1 ∩ C2 (b) C1 ∪ C2 (c) C1 · C2 = {u · v | u ∈ C1, v ∈ C2}, where · denotes concatenation (d) C1 C2, where denotes symmetric difference (e) C1 C2 C3 2.26. Let Bq(n, d) be the largest number of codewords such that there is a q-ary [n, k, d]-code. Prove the following theorem. Bq(n, d) ≤ qBq(n − 1, d) 2.27. Consider the following formulation of the Golay G24 code. 
Define a 12 × 12 binary matrix B as: B =                      1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 1 1 0 1 1 1 0 0 1 1 0 1 1 0 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 0                      CHAPTER 2. LINEAR CODES 23 Then the generator matrix of G24 is G = [B|I] and the parity check matrix is H = [I|B], where I is a 12 × 12 identity matrix. For this formulation of G24 we have the following decoding algorithm. Let v be the received vector, e the error vector and c = v + e the decoded word. Also the functional w(x) dentoes the Hamming weigth of vector x, ei is a vector of length 12 with 1 in the i-th position and 0’s elswere and bi is the i-th row of matrix B. Step 1. Compute the syndrome s = wH . Step 2. If w(s) ≤ 3 then e = [s, 000000000000]. Step 3. If w(s + bi) ≤ 2 for some bi then e = [s + bi, ei]. Step 4. Otherwise, compute the second syndrome sB. Step 5. If w(sB) ≤ 3 then e = [000000000000, sB]. Step 6. If w(sB + bi) ≤ 2 for some bi then e = [ei, sB + bi]. Step 7. If e is not yet determined then there were more than 3 errors and the user should request retransmission. (a) Decode v = 001101110111000110000000 (b) Decode v = 101010110000110101101000 2.3 Solutions 2.1. (a) The code C1 is linear, because ∀c1, c2 ∈ C1, c1 + c2 ∈ C1, which is a sufficient condition for binary codes. Since C1 contains 8 codewords, it is a subspace of F5 2 of dimension 3. Therefore the generator matrix has log2(8) = 3 rows. Without the loss of generality we can choose any three non-zero and linearly independent vectors as the base of C1 and write them down in a matrix form:   1 0 1 1 1 0 0 1 0 1 0 0 1 1 0   . In order to obtain a standard form of generator matrix we need two steps: (a) Swap second and fifth column; (b) Add second row to the first one and third row to a second one:   1 0 1 1 1 0 0 1 0 1 0 0 1 1 0   →(a)   1 1 1 1 0 0 1 1 0 0 0 0 1 1 0   →(b)   1 0 0 1 0 0 1 0 1 0 0 0 1 1 0   . (b) This is not a linear code, since 444 + 444 = 333 /∈ C2. 2.2. Since 210 = 2·100+010, there are only two linearly independent codewords in the assignment. The smallest bases of the code containing them is of the size 2 and contains only these two codewords. Such code contains 32 = 9 codewords. CHAPTER 2. LINEAR CODES 24 2.3. Let u = u1u2u3u4 and v = v1v2v3v4 be two codewords from C. Then we have that u + v = (u1 +v1)(u2 +v2)(u3 +v3)(u4 +v4) and (u1 +v1)+2(u2 +v2)+3(u3 +v3)+4(u4 +v4) = 0 mod 5. Also we have that for any scalar w and corresponding word wu it holds that w(u1 + 2u2 + 3u3 + 4u4) = 0 mod 0. Note that C is defined by an orthogonality relation (u1, u2, u3, u4) · (1, 2, 3, 4) = 0. Since we are working with words in F4 q, there are 3 linearly independent vectors orthogonal to vector (1, 2, 3, 4), which also constitute a basis of code C. To construct a generator matrix of C we first construct it’s parity check matrix H = (1, 2, 3, 4). It’s normal form is 4H = (4, 3, 2, 1). If H = [−A |I], then G = [I|A], i.e. G =   1 0 0 1 0 1 0 2 0 0 1 3   . 2.4. There are linear codes with all codewords ending in 0. However, this case is pathological, since these codes can be shortened by leaving out the last symbol, retaining all the parameters. Therefore, let us consider only codes, which have at least one basis codeword w not ending in 0. 
without the loss of generality assume that w ends in 1. We now can create a basis, in which all other codewords w = w end in 0, by subtracting in the generator matrix from each row the correct multiple of w. Each codeword ending in 2 can be decomposed as a linear combination of vectors in this new basis, i.e. 2 · w + u, where u is some linear combination of basis vectors ending in 0. If the dimension of the code is d, there are 3d−1 different linear combinations u. Together with the fact that the number of codewords in C is 3d, we have that exactly 1 3 of codewords ends in digit 2. 2.5. (a) Consider a basis of the code C. If all the basis codewords begin with 0, also all their linear combinations start with 0 and we are done. Suppose l out of k words in the basis start with 1. All codewords starting with 1, can be written as a linear combination of basis words bi, out of which odd number start with 1. It remains to calculate the number of such linear combinations. l i=2j+1,j∈N k i 2k−l = 2l−1 2k−l = 2k−1 , which is exactly a half of all the codewords in C. (b) Let us label a codeword with even number of symbols 1 as even and a word with odd number of 1s as odd. Note that a sum of two even words results in an even word. If the basis of the code contains only even words, we are done. Additionally sum of an even word and an odd word is odd and sum of two odd words is even. Now we can argue similarly to the previous question. If l out of k basis words are odd, then linear combination containing odd number of odd words result in an odd codeword. As we have shown previously there are exactly 2k−1 such linear combinations. 2.6. (a) Since C is a binary weakly self dual code we have that ∀c ∈ Cc · c. This means that every code c must have even weight. (b) We have established that each row has even weight. Let u and v be two rows of the generator matrix G of C. In order to have u·v = 0, u and v must both have symbol 1 in even number of positions. This implies that in even number of positions u has symbol 1 and v has symbol 0 and vice versa. These are exactly the positions in which word u + v will have symbol 1. Sum of two even numbers is always divisible by 4, therefore the weight of u + v is divisible by 4. This fact can be be proven for any linear combination of rows of G by induction. CHAPTER 2. LINEAR CODES 25 2.7. (a) The standard array for C: 00000 10110 01011 11101 10000 00110 11011 01101 01000 11110 00011 10101 00100 10010 01111 11001 00010 10100 01001 11111 00001 10111 01010 11100 10001 00111 11010 01100 00101 10011 01110 11000 (b) An example of such codeword is 01100, which can be obtained by two errors on both codewords 00000 and 11101. This is however not surprising, since h(C) = 3, and therefore the code can reliably correct only a single error. 2.8. (a) H is a n − k × k matrix, therefore n = 7 and k = 4. |C| = qk = 24 = 16. h(C) = w(C) = 3 (see (c) below). (b) A normal form of H is Hnorm =   0 1 1 1 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 0 1   . It is of the form [−A |In−k], which implies that standard form of G = [Ik|A], i.e. G =     1 0 0 0 0 1 1 0 1 0 0 1 1 1 0 0 1 0 1 1 0 0 0 0 1 1 0 1     . (c) We have that C = {u · G|u ∈ F4 2}and C⊥ = {u · H|u ∈ F3 2}. 
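These two sets can also be enumerated mechanically. The following is a minimal sketch (assuming numpy is available; the helper span below is ad hoc, not a standard routine) that lists all F_2-linear combinations of the rows of G and of the normal form of H from part (b):

    import itertools
    import numpy as np

    # G and the normal form of H from part (b); rows are basis vectors over F_2.
    G = np.array([[1,0,0,0,0,1,1],
                  [0,1,0,0,1,1,1],
                  [0,0,1,0,1,1,0],
                  [0,0,0,1,1,0,1]])
    H = np.array([[0,1,1,1,1,0,0],
                  [1,1,1,0,0,1,0],
                  [1,1,0,1,0,0,1]])

    def span(M):
        # All linear combinations u*M over F_2, returned as binary strings.
        k = M.shape[0]
        return sorted({''.join(map(str, (np.array(u) @ M) % 2))
                       for u in itertools.product([0, 1], repeat=k)})

    print(len(span(G)), span(G))   # 16 codewords of C
    print(len(span(H)), span(H))   # 8 codewords of the dual code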
In our case this yields: C⊥ = {0000000, 1101001, 1110010, 0111100, 1001110, 0011011, 1010101, 0100111} C = {0000000, 1000011, 0100111, 0010110, 0001101, 1100100, 1010101, 1001110, 0110001, 0101010, 0011011, 1110010, 1101001, 1011000, 0111100, 1111111} (d) l(z) z 0000000 000 1000000 101 0100000 110 0010000 010 0001000 111 0000100 011 0000010 001 0000001 100 2.9. CHAPTER 2. LINEAR CODES 26 (a) Since we are working with a binary code C, we need only to prove that ∀x, y ∈ C, xxn+1 + yyn+1 ∈ C . We have that: xxn+1 + yyn+1 = (x + y) n i=1 xi + n i=1 yi = (x + y) n i=1 xi + yi . (b) Let us denote gi the ith row of G and hi the ith row of H. We need to prove that x · gi = 0, where · is the scalar product. Since H is the parity check matrix of C, we have that ∀x ∈ C, ∀i ∈ {1, . . . , n} : x · hi = 0. This implies that ∀xxn+1 ∈ C , ∀i ∈ {1, . . . , n} : xxn+1 · gi = x · hi + xn+1 · 0 = 0. It now suffices to investigate the scalar product of codewords from C and the last row of G. ∀xxn+1 ∈ C , x · (11 . . . 11) = n i=1 xi + xn+1 = xn+1 + xn+1 = 0. Since all codewords of C are orthogonal to all rows of G, G is the parity check matrix of C . 2.10. Since C is a [4, 2]-code and C = C⊥, we have that ∀x ∈ C : x · x = 0, therefore x2 1 + x2 2 + x2 3 + x2 4 = x1 + x2 + x3 + x4 = 0. In other words each x contains an even number of 1s. Since C is a linear code, it has a generator matrix ( x y ), with x, y ∈C, x = y = 0000. There are two possibilities: (a) both x and y contain exactly two 1s and we are done; (b) x contains all 1s and y contains two 1s. Then the codewords we are looking for are x + y and y. 2.11. For every x, y ∈ C, x · y = 0, especially x · x = 0, therefore each codeword is of even weight and since ∀x, y ∈ C, x + y ∈ C, h(x, y) is even. Now let us take a look at couple of facts this implies: • C contains at most three codewords of weight 2. This is implied by the fact that each pair of such words has to have symbols 1 in different positions. • C contains at most three codewords of weight 4. This is implied by the fact that each pair of such words has to share two positions with symbols 1 and be different in all the other positions, i.e. these words have 0s in different positions. • The previous two facts imply that C contains all 1s codeword. Together with all 0s codeword we now know weights of all the codewords. Since the codewords of weight 2 have symbols 1 in all different positions, they constitute a basis of C. Therefore the task is reduced to a question of how many choices for these three words we have. We can choose the first word in 6 2 ways, the second word in 4 2 ways and the last one is determined by the first two. The order in which we pick the words is not important, therefore we divide by 3! to obtain the solution: 6 2 4 2 3! = 15. 2.12. (a) Let C1 = {c1, . . . , cn}, C2 = {c1, . . . , cn, . . . , cm}, with n, m ∈ N, m ≥ n. We have that C⊥ 1 = {v|v · c1 = 0 ∧ · · · ∧ v · cn = 0} and C⊥ 2 = {v|v · c1 = 0 ∧ · · · ∧ v · cn = 0 ∧ · · · ∧ v · cm = 0}. Since for all v ∈ C⊥ 2 and ci ∈ C2 it holds that v · ci = 0, it holds particularly for all ci ∈ C1, (i.e. for all ci with i ≤ n), therefore we have that C⊥ 2 ⊆ C⊥ 1 . CHAPTER 2. LINEAR CODES 27 (b) Let C1 = {00, 01} and C2 = {00, 10}. Then C⊥ 1 = {00, 10} and C⊥ 2 = {00, 01}. We have (C1 ∩ C2)⊥ = {00, 10, 01, 11} and C⊥ 1 ∪ C⊥ 2 = {00, 10, 01}, hence (C1 ∩ C2)⊥ = C⊥ 1 ∪ C⊥ 2 . 2.13. We will first prove the “if” part of the statement. Let P be a k × k matrix such that PP = −Ik. Let G = [Ik|P]. 
Rows of G are independent, therefore G is a generator matrix of some [2k, k] linear code C. Also GG = [Ik|P] Ik P = Ik − PP = 0, which means G is also a parity check matrix for code C and therefore C is self dual. The “only if” part can be proven as follows. Let C be the self-dual [2k, k]-code. As C is a linear code it has a generator matrix G of the form G = [Ik|A], where Ais a k × k matrix. Since C is self-dual, we have that GG = 0. However GG = [Ik|P] Ik P = Ik + AA . We obtained Ik + AA = 0, therefore AA = −Ik and we can take P = A. 2.14. There is no self-dual code in Mi for any i ∈ N. The reason for this is the fact that each Marsenne prime mi is odd. We know that the weight of the code is equivalent to the weight of the word with the lowest weight among the non-zero codewords. Therefore code of weight mi contains at least one word of weight mi. On the other hand, for every word c of a self-dual code C holds that c · c = 0, which doesn’t hold for codewords of odd weight. 2.15. (a) • n = n1 + n2, • k3 = k because G3 has the same dimension as G1 and G2, • d3 = d1 + d2, as the code C3 contains a codeword composed of concatenation of c1 and c2, where c1 and c2 are the codewords of minimum weight from C1 and C2. (b) • n = n1 + n2, • k4 = 2k because G4 contains all rows from G1 and G2 supplemented by zeros, • d3 = min(d1, d2), because C4 contains the same codewords as C1 and C2 only extended by 0’s so the codeword of the minimal weight stays the same as for one of the original codes. 2.16. (a) It is easy to check that for every pair u, v of rows of G, we have u · v = 0, therefore G24 ⊆ G⊥ 24. However, we also know, that G24 has dimension 12. For each [n, k]-code C the dimension of C⊥ is n − k, therefore G⊥ 24 also has dimension 12 and G24 = G⊥ 24. (b) We have established that G24 is weakly self-dual and we can see that each row of G24 is divisible by 4. Then by exercise 2.6 it follows that each word of G24 has weight divisible by 4. (c) It is easy to verify that the sum of all rows gives the all 1 codeword, as the number of 1s in each column is odd. (d) Let us compute the inner product of L|R and L |R for arbitrary L|R ∈ G24: L|R · L |R = a∞b∞ + a0b0 + 10 i=1 aib11−ib∞a∞ + b0a0 + 10 i=1 bia11−i = 2 a∞b∞ + a0b0 + 10 i=1 aib11−i = 0. CHAPTER 2. LINEAR CODES 28 Since G24 is self dual, it mus contain all the words orthogonal to L|R, so in particular it contains L |R . 2.17. (a) The volume of the space of 8-bit binary words is the number of points, 28 = 256. If no two codewords are within distance of 3, then the spheres of radius 1.5 about any two codewords must be disjoint. The volume of a sphere is the number of points in the sphere. Within distance 1.5 of any 8-bit word are 9 words - the word itself and those words that differ from it in exactly one bit. Since 256 9 = 28.444, there can be at most 28 codewords all of which are distance 3 from each other. Therefore, for a binary linear code there are at most 2k ≤ 28.444 codewords implying k ≤ 4. The codewords 11100000, 10011000, 10000110, 00101011 generate the code with minimal distance d = 3, therefore the maximum number of codewords in a linear binary code of length 8 and minimal distance of 3 bits is 16. (b) We will show by contradiction that the dimension of such a code has to be less than 3. There is a total of 4 · 23 + 8 = 40 words of length 4 and odd distance from the word 0000 (which has to be contained in the code). But the code can contain only one cyclic permutation of these words: 1000, 2000, 1110, 2220, 1210, 2120. 
We cannot use the other permutations of these words, which means we cannot use at least 6 · 3 = 18 words, which leaves us with less than 40 − 18 = 22 words. Thus the code cannot have dimension 3 (otherwise it would have to contain 33 = 27 words). On the other hand, an example of such a code of dimension 2 is the one generated by 1110 and 1201. 2.18. (a) We can easily see that 246, 356 ∈ C1 as 2 · 4 + 6 ≡ 0 mod 7 and 3 · 5 + 6 ≡ 0 mod 7. But their sum 525 /∈ C1 as 5 · 2 + 5 ≡ 1 mod 7. (b) Let a1a2a3, b1b2b3 ∈ C2, k, l ∈ F7. We look whether k · a1a2a3 + l · b1b2b3 is in C2. ka1 + lb1 + ka2 + lb2 + ka3 + lb3 ≡ k(a1 + a2 + a3) + l(b1 + b2 + b3) ≡ k · 0 + l · 0 ≡ 0 mod 7. So the linear combination is in C2 and thus C2 is a linear code. (c) We can easily see the zero codeword is not in C3 as 0 + 0 + 0 ≡ 0 mod 7. This means C3 cannot be a linear code. 2.19. Since C is self-dual, for every x, y ∈ C, x · y = 0, especially x · x = 0, therefore each codeword is of even weight and since ∀x, y ∈ C, x + y ∈ C, h(x, y) is even. Now let us take a look at couple of facts this implies: • C contains at most two codewords of weight 2. This follows from the fact that each pair of such words has to have the 1’s in different positions. • The previous fact implies that C contains the all 1’s codeword. Together with the all 0’s codeword we now know weights of all the codewords. Since the codewords of weight 2 have 1’s in all different positions, they constitute a basis of C. Therefore the task is reduced to the one of determining how many choices we have for these two words. We can choose the first word in 4 2 ways and the second one is uniquely determined by the first one. The order in which we pick the words is not important, therefore we divide by 2 to obtain the solution: 4 2 2 = 3. CHAPTER 2. LINEAR CODES 29 2.20. It is clear that if every codeword of some basis of C begins 0 then every codeword of C begins with 0. Now consider C with a generator matrix G with at least one codeword not beginning in 0. Let k be the dimension of C. We will count the number of codewords of C beginning with 0. Every codeword of C is a linear combination of codewords in G. Let n = n1 + n2 + · · · + nq−1 be the number of codewords in G not beginning with 0, where ni is the number of codewords in G beginning with i. Codeword w begins with 0 if it is the sum of arbitrary linear combination of words from G beginning in 0 and a linear combination of all other codewords such that it begins in 0. The number of linear combinations of codewords in G beginning with 0 is qk−n. We need to count the number of linear combinations of words not beginning with 0 such that the result begins with 0. Consider such linear combination v, v is a sum of a linear combination of codewords beginning with 1, 2, . . . q − 2 and a linear combination of codewords beginning with q − 1 such that the sum of the first positions of these two combinations is 0. So the first linear combination can begin in any number a ∈ Fq but this determines the second part of the linear combination begins in −a. The number of all possible linear combinations of codewords in G beginning in 1, 2, . . . , q − 2 is qn1+n2+···+nq−2 . All we need now is the number of linear combinations of the codewords in G beginning in q − 1 such that it begins in certain number −a. 
We can repeat the previous argument for the number of linear combinations of all the words not beginning in 0 such that it begins in 0, only now we have only words beginning in q − 1 and the combination begins in −a instead of 0, but that changes nothing. The linear combinations of the first nq−1 − 1 codewords can begin in any b ∈ Fq and the last element of the combination must begin in −b. The first part gives us qnq−1−1 combinations and the second part only one. So the total number is qnq−1−1. This gives us the total number of linear combinations of codewords not beginning in 0 such that it begins in 0 qn1+n2+...nq−2 · qnq−1−1 = qn1+n2+···+nq−1−1 . And this in turn gives us the total number of linear combinations of codewords in G such that it begins in 0 qn1+n2+···+nq−1−1 · qk−n = qk−1 . This is exactly 1/q of the total number of codewords qk. 2.21. “⇒”: Consider a codeword c ∈ C. It’s a codeword of C so it must hold that HcT = 0. The non-zero entries of c determine a linearly dependent columns of matrix H. Now if w(c) < s we have a set of s − 1 (if w(c) is smaller than s − 1 we can just add arbitrary columns) columns of matrix H which are linearly dependent. But that is a contradiction with our preposition. So w(c) ≥ s for any codeword c ∈ C, in other words w(C) ≥ s. “⇐”: Denote H = (h1, h2, . . . , hn) the columns of H. Assume that w(C) ≥ s and that there is some set of s − 1 columns of H that are linearly dependent, i.e. there exists a set of indices I ∈ {1, 2, . . . n}, |I| = s − 1, and coefficients ci ∈ Fq such that i∈I cihi = 0. We can now construct a codeword c with the following entries ci: ci = 0 if i /∈ I ci if i ∈ I . Clearly cHT = 0 so c ∈ C. But c has only s−1 non-zero entries so w(C) < s. That is a contradiction and so our set of linearly dependent columns cannot exist. CHAPTER 2. LINEAR CODES 30 2.22. First we show that w(C) ≥ 4 using the result from previous exercise. All we need to show is that there is not a set of 3 columns which are linearly dependent. It is clear that the set of the first four columns is linearly independent so any 3 of them are also independent. A linear combination of any two of them can have non zero entries only at two positions at most and so a set of any two of them and the fifth or sixth column is also independent. The last case is a set with both the fifth and sixth column and one extra column. This again cannot be not independent, because any non-zero linear combination of the fifth and sixth column has at least two non-zero entries and so it cannot be equal to any other column, as they all have a single non-zero entry. Thus any set of 3 columns of H is linearly independent and w(C) ≥ 4. At the same time the set of the first, second, third and fifth column is clearly linearly dependent. Since the size of this set is 4, w(C) ≤ 5. And so w(C) = 4. And because h(C) = w(C) for linear codes we have that the minimum distance of C is 4. 2.23. (a) Let V be an arbitrary vector space and ϕ : V → V linear map on V . Recall that the kernel of ϕ is Ker(ϕ) = {u ∈ V | ϕ(u) = 0}. Denote the matrix of ϕ in standard basis by A. Then it holds that Ker(ϕ) = {u ∈ V | A · uT = 0}. And since for u ∈ {0, 1}n it holds that H · uT = 0 if and only if u ∈ C, then the kernel of H is the code C, i.e. Ker(H) = C. (b) The Rank-nullity theorem claims that Rank(H) + Dim(Ker(H)) = Col(H) where Dim stands for dimension and Col stands for number of columns. From (a) follows that Dim(Ker(H)) = k. Further, Col(H) = n and thus Rank(H) = n − k. 2.24. 
Fixing k = 1, we can take the code C generated by the word n 11 . . . 1. This is an [n, 1] code with d(C) = n, so it is MDS (because M = q = qn−n+1 = qq−d+1). Its dual code is the checksum code C⊥ = c1c2 . . . cn ∈ Fn q |c1 + c2 + · · · + cn = 0, which is an [n, n − 1] code (it is a subspace of Fn q determined by one linear equation) and d(C⊥) = 2 (to see this, note that C⊥ contains the word n−2 1(−1)00 . . . 0, but clearly cannot contain any word of weight 1 because of the checksum condition). Therefore d(C⊥) = 2 = n − (n − k) + 1 and C⊥ is again MDS. 2.25. (a) Yes. We need to prove two propositions: (i) ∀u, v ∈ C = C1 ∩ C2; u + v ∈ C. Proof: u, v ∈ C1 ∩ C2 ⇒ (u, v ∈ C1 ∧ u, v ∈ C2). Since C1 and C2 are linear, we have that u, v ∈ C1 =⇒ u+v ∈ C1 and u, v ∈ C2 =⇒ u+v ∈ C2. Finally, (u + v ∈ C1 ∧ u + v ∈ C2 =⇒ u + v ∈ C1 ∩ C2). (ii) ∀u ∈ C, a ∈ GF(q) : au ∈ C. Proof: u ∈ C1 ∩ C2 ⇒ (u ∈ C1 ∧ u ∈ C2). Since C1 and C2 are linear, we have (u ∈ C1 ∧ a ∈ GF(q) =⇒ au ∈ C1) and (u ∈ C2 ∧ a ∈ GF(q) =⇒ au ∈ C2). Finally, (au ∈ C1 ∧ au ∈ C2) =⇒ au ∈ C1 ∩ C2. CHAPTER 2. LINEAR CODES 31 (b) No. Consider the following counterexample. Let C1 = {00, 10} and C2 = {00, 01}. Obviously, both C1 and C2 are linear codes, but 01 + 10 = 11 and 11 /∈ C1 ∪ C2. (c) Let k ∈ Fq, u1, u2 ∈ C1, v1, v2 ∈ C2 be arbitrary, then k(u1 · v1) = (ku1) · (kv1) ∈ C1 · C2 and (u1 · v1) + (u2 · v2) = (u1 + u2) · (v1 + v2) ∈ C1 · C2, therefore C1 · C2 is linear. (d) The code is not linear because 00...0 ∈ C1 C2. (e) It depends. For example, if C1 = C2 = C3 then C1 C2 C3 = C1 is linear, however if C1 = {000, 100}, C2 = {000, 010}, C3 = {000, 001} then C1 C2 C3 = {000, 100, 010, 001} is not linear. 2.26. Let the code be C an [n, k, d] linear code, then we know B(n, d) = qk. We want to get an [n − 1, k∗, d] code, what we can achieve with code shortening. If we have a full 0 column(special case, this position is useless), we can shorten the code without loosing any base code words, and we get an [n − 1, k, d] code, and the equality clearly holds (this gives the largest possible k). More generally (no all 0 column), we can transform the codes generator matrix to have only one 1bit in its last column. With shortening we receive an [n − 1, k − 1, ≥ d] code, which has qk−1 code words. Substituting into the non-equivalence we get: Bq(n, d) ≤ qBq(n − 1, d) qk ≤ q · qk−1 qk ≤ qk which is true. 2.27. (a) In this case vH = 000100000001. Therefore according to the decoding algorithm e = 000100000001000000000000 and the decoded word c = v + e = 001001110110000110000000. The second half of c shows that this is a sum of fourth and fifth row of G. (b) In this case we have s = vH = 111010110010. The first condition therefore fails. Let us check the second condition s + b1 = 001101 . . . s + b2 = 0101001 . . . s + b3 = 10011 . . . s + b4 = 000010011 . . . s + b5 = 001011 . . . s + b6 = 0110000001 . . . s + b7 = 111 . . . s + b8 = 110001 . . . s + b9 = 1011 . . . s + b10 = 01011 . . . s + b11 = 10000101 . . . s + b12 = 000101001 . . . CHAPTER 2. LINEAR CODES 32 The second condition therefore fails. We now need to calculate sB = 100001010011. The third condition fails, but we find that sB + b5 = 010000001000, therefore the fourth condition holds and e = 000010000000010000001000. Thus we decode c = v+e = 101000110000100101100000. This is a sum of rows 1, 4, 6 and 7 of the generator matrix G. Chapter 3 Cyclic Codes 3.1 Introduction Cyclic codes are very special linear codes. 
They are of great interest and importance for several reasons:
• They possess a rich algebraic structure that can be utilized in a variety of ways.
• They have extremely concise specifications.
• Their encodings can be efficiently implemented using shift registers.

Definition 3.1.1. A code C is cyclic if: (i) C is a linear code; (ii) any cyclic shift of a codeword is also a codeword, i.e. whenever a_0a_1 . . . a_{n-1} ∈ C, then also a_{n-1}a_0a_1 . . . a_{n-2} ∈ C.

3.1.1 Polynomials over GF(q)

Let us denote a codeword of a cyclic code as a_0a_1 . . . a_{n-1}. With each codeword we associate the codeword polynomial a_0 + a_1x + a_2x^2 + · · · + a_{n-1}x^{n-1}. F_q[x] will denote the set of all polynomials f(x) over GF(q). Let us also define the degree deg(f(x)) of a polynomial f(x) as the largest m such that x^m has a non-zero coefficient in f(x). Some basic properties of polynomials follow:
• Multiplication. If f(x), g(x) ∈ F_q[x], then deg(f(x)g(x)) = deg(f(x)) + deg(g(x)).
• Division. For every pair of polynomials a(x), b(x) ≠ 0 in F_q[x] there exists a unique pair of polynomials q(x), r(x) ∈ F_q[x] such that a(x) = q(x)b(x) + r(x) and deg(r(x)) < deg(b(x)).
• Congruence. Let f(x) be a fixed polynomial in F_q[x]. Two polynomials g(x), h(x) are said to be congruent modulo f(x) (notation g(x) ≡ h(x) mod f(x)) if g(x) − h(x) is divisible by f(x).
A cyclic code C with codewords of length n can be seen as a set of polynomials of degree at most n − 1.

3.1.2 Rings of polynomials

For any polynomial f(x), the set of all polynomials in F_q[x] of degree less than deg(f(x)), with addition and multiplication modulo f(x), forms a ring denoted F_q[x]/f(x). A polynomial f(x) in F_q[x] is said to be reducible if f(x) = a(x)b(x), where a(x), b(x) ∈ F_q[x] and deg(a(x)) < deg(f(x)), deg(b(x)) < deg(f(x)). If f(x) is not reducible, it is said to be irreducible in F_q[x]. The ring F_q[x]/f(x) is a field if f(x) is irreducible in F_q[x].
An important factor ring in the context of cyclic codes is the ring R_n = F_q[x]/(x^n − 1). The reason for this is that a cyclic shift is easy to represent in R_n. Since x^n ≡ 1 mod (x^n − 1), we have that x(a_0 + a_1x + · · · + a_{n-1}x^{n-1}) = a_{n-1} + a_0x + a_1x^2 + · · · + a_{n-2}x^{n-1}.

3.1.3 Algebraic characterization of cyclic codes

A binary code C of words of length n is cyclic if and only if it satisfies two conditions: (i) a(x), b(x) ∈ C ⇒ a(x) + b(x) ∈ C; (ii) a(x) ∈ C, r(x) ∈ R_n ⇒ r(x)a(x) ∈ C.
For any f(x) ∈ R_n we define ⟨f(x)⟩ = {r(x)f(x) | r(x) ∈ R_n}, with multiplication modulo x^n − 1, to be a set of polynomials. Now we are ready to formulate the main characterization theorem for cyclic codes. For any f(x) ∈ R_n, the set ⟨f(x)⟩ is a cyclic code (generated by f(x)). Conversely, for each nonzero cyclic code C with codeword length n there exists a unique monic polynomial g(x) ∈ F_q[x] such that C = ⟨g(x)⟩ and g(x) is a factor of x^n − 1. The polynomial g(x) is called the generator polynomial of C.
Suppose C is a cyclic code of codewords of length n with generator polynomial g(x) = g_0 + g_1x + · · · + g_rx^r. Then dim(C) = n − r and a generator matrix G for C is

    G =
    [ g_0  g_1  g_2  ...  g_r  0    0    0    ...  0   ]
    [ 0    g_0  g_1  g_2  ...  g_r  0    0    ...  0   ]
    [ 0    0    g_0  g_1  g_2  ...  g_r  0    ...  0   ]
    [ ...                                               ]
    [ 0    0    ...  0    0    ...  0    g_0  ...  g_r ]

Encoding using a cyclic code can be done by multiplication of polynomials. Let C be a cyclic [n, k]-code with generator polynomial g(x) of degree n − k. Each message m can be represented by a polynomial m(x) of degree at most k − 1.
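As an illustration of the encoding just described, here is a minimal Python sketch of encoding by polynomial multiplication over F_2; the helper poly_mul_gf2 is ad hoc, and the generator polynomial g(x) = 1 + x + x^3 of a cyclic [7, 4]-code is chosen only for concreteness (it is the same polynomial as in Exercise 3.5):

    def poly_mul_gf2(a, b):
        # Multiply two polynomials with coefficients in F_2.
        # Polynomials are lists of 0/1 coefficients, lowest degree first.
        res = [0] * (len(a) + len(b) - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                res[i + j] ^= ai & bj
        return res

    g = [1, 1, 0, 1]           # g(x) = 1 + x + x^3
    m = [1, 0, 0, 1]           # message 1001, i.e. m(x) = 1 + x^3
    c = poly_mul_gf2(m, g)     # codeword polynomial c(x) = m(x)g(x)
    print(c)                   # [1, 1, 0, 0, 1, 0, 1], i.e. the codeword 1100101

The same codeword 1100101 appears in the solution of Exercise 3.5(c) below.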
If message is encoded by a standard generator matrix introduced above, then we have c = mG and for m(x) and c(x) it holds that c(x) = m(x)g(x). 3.1.4 Check polynomials and parity check matrices for cyclic codes Let C be a cyclic [n, k]-code with the generator polynomial g(x) of degree n − k. Since g(x) is a factor of xn − 1, we have that xn − 1 = g(x)h(x) for some h(x) of degree k. Polynomial h(x) is called the check polynomial of C. Let C be a cyclic code in Rn with a generator polynomial g(x) and a check polynomial h(x). Then c(x) ∈ Rn is a codeword of C if and only if c(x)h(x) ≡ 0 mod xn − 1. Also, if h(x) = h0 + h1x + · · · + hkxk, then (i) a parity-check matrix for C is H =      hk hk−1 . . . h0 0 . . . 0 0 hk . . . h1 h0 . . . 0 ... ... ... ... ... ... ... 0 0 . . . 0 hk . . . h0      ; CHAPTER 3. CYCLIC CODES 35 (ii) C⊥ is the cyclic code generated by the polynomial ¯h(x) = hk + hk−1x + · · · + h0xk , i. e. by the reciprocal polynomial of h(x). 3.2 Exercises 3.1. Determine whether the following codes are cyclic. Explain your reasoning. (a) The ternary code C1 = {0000, 1212, 2121} (b) The ternary code C2 = {x|x ∈ Z5 3 ∧ w(x) ≡ 0 mod 3} (c) The ternary code C3 = {x|x ∈ Z5 3 ∧ x1 + x2 + · · · + x5 ≡ 0 mod 3} (d) The 7-ary code C4 = {x|x ∈ Z5 7 ∧ 5 i=1 ixi ≡ 0 mod 7} 3.2. Which of the following polynomials are generator polynomials of a binary cyclic code of length 7? (a) x3 + x2 + x + 1 (b) x3 + x2 + 1 (c) x2 + x + 1 3.3. Consider the following binary linear [8, 5]-code C generated with G =       1 1 1 1 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 1 1 0 0 0 0 1       . (a) Prove that C is a cyclic code. (b) Find the generator polynomial of C. 3.4. Let C be a binary cyclic code of length 15 and dimension 11 such that each word from C⊥ has even weight and 011111111110000 ∈ C. Find a generator polynomial g(x), generator matrix G and a minimum distance of C. 3.5. Consider the binary cyclic code C of length 7 with the generator polynomial g(x) = x3+x+1. (a) Find the generating matrix G and the parity check matrix H. (b) Decide, whether the code C is perfect or not. (c) Encode the message 1001. 3.6. Find a generator polynomial for the smallest binary cyclic code containing codewords 00101000 and 01001000. 3.7. Let C be the smallest binary cyclic code which contains the word 011011. CHAPTER 3. CYCLIC CODES 36 (a) List the codewords of C. (b) Determine the the generator polynomial g(x) of C. (c) Use g(x) to encode a message 11. 3.8. (a) Factorize x6 − 1 ∈ F3[x] into irreducible polynomials. (b) Let nk be the number of ternary cyclic codes of length 6 and dimension k. Determine nk for k ∈ {0, 1, 2, 3, 4, 5, 6}. (c) For each cyclic code of dimension 5, find the check polynomial and parity check matrix and determine whether it contains the word 120210. * 3.9. (a) Describe all binary cyclic codes of length 19. (b) How many different binary cyclic [65, 36] codes are there? (c) Is it possible to find a binary cyclic [65, 20] code? * 3.10. Let C1, C2 be q-ary cyclic codes of length n with generator polynomials g1(x) and g2(x) respectively. Show that C3 = C1 ∩ C2 is also cyclic. Find it’s generator polynomial. * 3.11. Let C1, C2 be q-ary cyclic codes of length n with generator polynomials g1(x) and g2(x) respectively. Show that C3 = {c1 + c2|c1 ∈ C1, c2 ∈ C2}, where the addition is in Fq, is also cyclic. Find it’s generator polynomial. * 3.12. Let C be a q-ary cyclic code of length n and let g(x) be its generator polynomial. Show that all the codewords c0c1 . . . 
cn−1 ∈ C satisfy c0 + c1 + · · · + cn−1 = 0, where addition is in Fq, if and only if the polynomial x − 1 is a factor of g(x) in Fq[x]. 3.13. Let g(x) = gkxk + · · · + g1x1 + g0 = 0 be a generator polynomial of some cyclic code C. Show that g0 = 0. * 3.14. Consider a binary cyclic code with a generator polynomial g(x). Show that g(1) = 0 if and only if weight of each word in C is even. 3.15. Let C be a binary cyclic code whose codewords have length n. Let ci denote the number of codewords of weight i in C. Show that ici is a multiple of n 3.16. Let C be a binary cyclic code of odd length. Show that C contains a codeword of odd weight if and only if it contains the all 1s word 111 . . . 11. * 3.17. Let C be a cyclic code over Fq of length 7, such that 1110000 is a codeword of C. Show that C is a trivial code (i.e. Fn q or {0n}), of q is not a power of 3. 3.18. Let q, n ∈ N, where q is a prime and let C1, C2 be cyclic q-ary codes of length n. In each of the following cases, determine if C3 is necessarily a cyclic code. (a) C3 = C1 \ C2; (b) C3 = (C1 ∪ C2) \ (C1 ∩ C2); CHAPTER 3. CYCLIC CODES 37 (c) C3 = {a1b1a2b2 . . . anbn | a1a2 . . . an ∈ C1, b1b2 . . . bn ∈ C2}; (d) C3 = {a1b1a2b2 . . . anbn | a1a2 . . . an, b1b2 . . . bn ∈ C1}; (e) C3 = {w1 − w2 | w1 ∈ C1, w2 ∈ C2}. * 3.19. Determine the number of (a) all cyclic ternary codes of length 16; (b) all cyclic quaternary codes of length 12. * 3.20. Let C be a cyclic code of length n over Fq with generator polynomial g(x). Let v(x) be a polynomial in Rn such that gcd(v(x), xn − 1) = g(x) over Fq[x]. Show that v(x) is the generator polynomial of C as well. 3.21. Find cyclic codes equivalent to the following binary codes: (a) C1 = {0000, 1001, 0110, 1111} (b) C2 = {100, 010, 001} (c) C3 = {11111} 3.22. Consider a binary cyclic code C of odd length n with generator polynomial g(x). Prove that if 1 + x | g(x) then 11 . . . 1 ∈ C. 3.23. Find the generator polynomial of the binary single-parity-check code (a code consisting of all codewords with parity 0) of length n ≥ 2. 3.24. Consider binary codes of length 7 containing 16 codewords. Count the number of (a) all such codes; (b) such linear codes; (c) such cyclic codes. 3.25. Prove two following statements: (a) For any polynomial f(x) ∈ Fq[x] the fact that f(x) is irreducible implies that f(x) has no roots in Fq. (b) For f(x) ∈ Fq[x] with deg(f(x)) ≤ 3 it holds that f(x) has no roots in Fq implies that f(x) is irreducible. * 3.26. For any m, n, k, d ∈ N, d > 1 and q a power of a prime, show that if a cyclic q-ary [n, k, d]-code exists then a cyclic q-ary [mn, mk, d]-code exists as well. 3.27. For each code C with codewords of length n a reverse code ¯C is defined as ¯C = {x1x2 . . . xn | xnxn−1 . . . x1 ∈ C}. (a) Show that for each cyclic code C, its reverse code ¯C is also cyclic. (b) Show that for each binary cyclic code C with codewords of length n ≤ 6, C = ¯C. (c) Find an example of a binary code with codewords of length 7, such that C = ¯C. 3.28. Prove the following. Let C1 and C2 be cyclic codes with generator polynomials g1(x) and g2(x). Then C1 ⊆ C2 if and only if g2(x) divides g1(x). CHAPTER 3. CYCLIC CODES 38 3.3 Solutions 3.1. (a) C1 is cyclic, because every sum of two codewords from C1 is in C1 and every cyclic shift of any codeword from C1 is also in C1. (b) C2 is not a cyclic code. Counterexample: 00111 ∈ C2 and 00112 ∈ C2, but 00111 + 00112 = 00220 /∈ C2. (c) C3 is a cyclic code. Let x = x1x2x3x4x5 ∈ C3, y = y1y2y3y4y5 ∈ C3. 
Then • x + y = (x1 + y1)(x2 + y2)(x3 + y3)(x4 + y4)(x5 + y5) = z1z2z3z4z5 ∈ C3, because z1 + z2 + z3 + z4 + z5 = (x1 + y1) + (x2 + y2) + (x3 + y3) + (x4 + y4) + (x5 + y5) = (x1 +x2 +x3 +x4 +x5)+(y1 +y2 +y3 +y4 +y5) ≡ 0 mod 3, since x1 +x2 +x3 +x4 +x5 ≡ 0 mod 3 and y1 + y2 + y3 + y4 + y5 ≡ 0 mod 3. • if x ∈ C3, then its cyclic shift is also in C3, because the sum of positions is commutative. (d) C4 is not a cyclic code. Counterexample: 12341 ∈ C4, but its cyclic shift 11234 /∈ C4, because 1 · 1 + 2 · 1 + 3 · 2 + 4 · 3 + 5 · 4 = 41 ≡ 6 mod 7. 3.2. The polynomial needs to divide x7 − 1 in F2. We have: (a) x7 − 1 = (x4 + x)(x3 + x2 + x + 1) + x3 + 1; (b) x7 − 1 = (x4 + x3 + x2 + 1))(x3 + x2 + 1); (c) x7 − 1 = (x5 + x4 + x2 + x)(x2 + x + 1) + x + 1; Therefore only the second polynomial generates a binary cyclic code of length 7. 3.3. If C is cyclic, it has to be generated by a divisor of x8 − 1, with degree 8 − 5 = 3. Since in F2, x8 − 1 = (x + 1)8, only one of it’s divisors is of degree 3 – f(x) = (x + 1)3 = x3 + x2 + x + 1. Using the algorithm from the introduction, the generator matrix of a code with generator polynomial f(x) is F =       1 1 1 1 0 0 0 0 0 1 1 1 1 0 0 0 0 0 1 1 1 1 0 0 0 0 0 1 1 1 1 0 0 0 0 0 1 1 1 1       . We can obtain G from F by the following transformations: 1. The first rows are identical. 2. Add the first row of F to it’s second row to obtain the second row of G. 3. Add the second row of F to it’s third row to obtain the third row of G. 4. Add the third row of F to it’s fourth row to obtain the fourth row of G. 5. The last row of G can be obtained by adding the first, fourth and fifth row’s of F. We have therefore established that G and F generate the same code, which is a cyclic code generated by f(x). CHAPTER 3. CYCLIC CODES 39 3.4. It follows from the codeword length that g(x) divides x15 − 1. It must also hold that the polynomial w(x) = x + x2 + x3 + x4 + x5 + x6 + x7 + x8 + x9 + x10 associated with the codeword 011111111110000 is a multiple of g(x). The factors of w(x) and x15 −1 are the following: x15 − 1 = (x + 1)(x2 + x + 1)(x4 + x3 + x2 + x + 1)(x8 + x7 + x5 + x4 + x3 + x + 1) w(x) = x(x + 1)(x4 + x3 + x2 + x + 1)(x4 + x3 + x2 + x + 1). Candidates for g(x) are therefore (x + 1), (x4 + x3 + x2 + x + 1) and their product (x + 1)(x4 + x3 + x2 + x + 1) = x5 + 1. However, we also need to take into account that C⊥ contains only codewords of even weight. Since both C and C⊥ are linear, we also know from the previous chapter that all basis codewords of C⊥ need to have even weight, which in turn, together with the construction of generator matrix of C⊥ implies, that generator polynomial ¯h(x) of C⊥ needs to have even weight. We also know that x15 −1 = g(x)h(x). Therefore it suffices to divide x15 −1 by all the candidates for g(x) and see which one has a check polynomial h(x) of even weight: x15 − 1/(x + 1) = 14 i=0 xi ; x15 − 1/(x4 + x3 + x2 + x + 1) = x11 + x10 + x6 + x5 + x + 1; x15 − 1/(x5 + 1) = x10 + x5 + 1. The only check polynomial of even weight is the second one, therefore g(x) = (x4 + x3 + x2 + x + 1). The generator matrix is therefore: G =                    1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1                    . 
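As a sanity check, the minimum weight discussed next can be confirmed by brute force, since the code has only 2^11 codewords. A minimal sketch (the helper poly_mul_gf2 is ad hoc) is the following:

    import itertools

    def poly_mul_gf2(a, b):
        # Product of two binary polynomials (coefficient lists, lowest degree first).
        res = [0] * (len(a) + len(b) - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                res[i + j] ^= ai & bj
        return res

    n = 15
    g = [1, 1, 1, 1, 1]                  # g(x) = 1 + x + x^2 + x^3 + x^4
    k = n - (len(g) - 1)                 # dimension 11
    min_weight = n
    for msg in itertools.product([0, 1], repeat=k):
        if any(msg):
            c = poly_mul_gf2(list(msg), g)   # codeword m(x)g(x), degree < 15
            min_weight = min(min_weight, sum(c))
    print(min_weight)                    # prints 2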
Minimum distance of a linear code is equal to the minimum weight of non-zero codewords. In this case the minimum weight is 2. An example is the codeword we get by adding first and second row of G. Codeword with weight 1 doesn’t belong to the code C, because otherwise all its cyclic shifts would be in C as well and then C would be a trivial code containing all words of length 15. 3.5. (a) The generating matrix is: G =     1 1 0 1 0 0 0 0 1 1 0 1 0 0 0 0 1 1 0 1 0 0 0 0 1 1 0 1     . CHAPTER 3. CYCLIC CODES 40 In order to find the parity check matrix H, we need to find the check polynomial. In this case it is h(x) = 1 + x + x2 + x4, because g(x)h(x) = x7 − 1. The reciprocal polynomial of h(x) is ¯h(x) = 1 + x2 + x3 + x4, therefore the parity check matrix is: H =   1 0 1 1 1 0 0 0 1 0 1 1 1 0 0 0 1 0 1 1 1   . (b) After examining H, we can see that this is in fact the Hamming (3, 2) code, which is perfect. (c) With the message we can associate a polynomial x3 + 1. Multiplying with the generator polynomial we get 1 + x + x4 + x6, and therefore the codeword is 1100101. 3.6. Since we are dealing with codewords of length 8, we know that all candidate cyclic codes are generated by a polynomial dividing x8 − 1. Since x8 − 1 = (x − 1)8, we need to find 0 ≤ k ≤ 8, such that a cyclic code Ck generated by gk(x) = (x − 1)k contains both codewords. In order to check whether the codewords belong to a code generated by gk(x), we will consider the check polynomials of the form hk(x) = (x − 1)8−k. Both codewords belong to Ck, if the product of their polynomial representation with hk(x) is equal to zero modulo x8 − 1. Checking all the polynomials hk(x) reveals that the smallest code containing both codewords is generated by x + 1. 3.7. (a) The smallest code has to be linear and contain 011011, all its cyclic shifts and the zero codeword. Examining this set {000000, 011011, 101101, 110110} of codewords reveals that it indeed is a linear subset of F6 2, and therefore it is the smallest cyclic code containing 011011. (b) The generator polynomial can be obtained as the non-zero polynomial with the smallest degree in C. Since we have a list of all the codewords, it is easy to see that such polynomial corresponds to codeword 110110. Therefore, g(x) = 1 + x + x3 + x4. (c) The message 11 is equivalent to the polynomial 1 + x. Then (1 + x)(1 + x + x3 + x4) = 1 + x2 + x3 + x5. Finally, the codeword corresponding to message 11 is 101101. 3.8. (a) x6 − 1 = (x + 1)3(x + 2)3. (b) nk is equal to the number of factors of x6 − 1 with degree 6 − k in Fq – n0 = 1, n1 = 2n2 = 3, n3 = 4, n4 = 3, n5 = 2, n6 = 1. (c) We now know there are 2 non-equivalent codes of dimension 5: (i) g(x) = (x+1). Then the check polynomial is (x+1)2(x+3)3 = x5 +2x4 +x3 +2x2 +x+2 and the parity check matrix is H = 1 2 1 2 1 2 . Since (120210) · H = 1, the code does not contain the word 120210. (ii) g(x) = (x + 2). Then the check polynomial is (x + 1)3(x + 3)2 = x5 + x4 + x3 + x2 + x + 1 and the parity check matrix is H = 1 1 1 1 1 1 . Since (120210) · H = 0, the code contains the word 120210. CHAPTER 3. CYCLIC CODES 41 3.9. (a) Factorizing x19−1 yields two factors: f1(x) = x + 1 f2(x) = 18 i=0 xi . Therefore there are 22 = 4 cyclic codes in F19 2 . These codes are described by their generator polynomials 1, f1(x), f2(x), f1(x)f2(x) = x19 − 1. Codes therefore are C1 = 1 , C2 = f1(x) , C3 = f2(x) , C4 = f1(x)f2(x) . (b) The dimension of an [n, k] code is n − k, therefore the [65, 36] codes we are searching for have dimension 29. 
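The factorization used in the next step can be reproduced with a computer algebra system. A minimal sketch using sympy (assuming sympy is available; the modulus keyword requests factorization over F_2) is:

    from collections import Counter
    from sympy import symbols, factor_list, degree

    x = symbols('x')
    # Irreducible factorization of x^65 - 1 over F_2.
    _, factors = factor_list(x**65 - 1, x, modulus=2)
    print(Counter(degree(f, x) for f, _ in factors))
    # expected: five factors of degree 12, one of degree 4 and one of degree 1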
After factoring x65 − 1 (e. g. using a suitable software), we know there are 5 factors with degree 12, one factor with degree 4 and one factor with degree 1. The only way how to get a polynomial of degree 29 by multiplying these factors is 12 + 12 + 4 + 1. We can do this in 5 2 = 10 ways. Thus there are 10 distinct [65, 36] binary cyclic codes. (c) A polynomial that is both product of the previously listed factors and has degree 65−20 = 45 doesn’t exist. Therefore, a [65, 20] binary cyclic code does not exist. 3.10. Let us first prove that C3 is a linear code. We know that C1 and C2 are linear codes, therefore: u, v ∈ C3 ⇒ u, v ∈ C1∩C2 ⇒ u, v ∈ C1∧u, v ∈ C2 ⇒ u+v ∈ C1∧u+v ∈ C2 ⇒ u+v ∈ C1∩C2 ⇒ u+v ∈ C3. Also, ∀a ∈ Fq, u ∈ C3 ⇒ u ∈ C1 ∩ C2 ⇒∈ C1 ∧ u ∈ C2 ⇒ au ∈ C1 ∧ au ∈ C2 ⇒ au ∈ C1 ∩ C2 ⇒ au ∈ C3. We will continue by showing that C3 is a cyclic code. We know that C1 and C2 are cyclic codes, therefore: u ∈ C3 ⇒ u ∈ C1 ∩ C2 ⇒ u ∈ C1 ∧ u ∈ C2 ⇒ us ∈ C1 ∧ us ∈ C2 → us ∈ C1 ∩ C2 ⇒ us ∈ C3, where us is any cyclic shift of u. The generator polynomial of C3 is the least common multiple of g1(x) and g2(x) (lcm(g1(x), g2(x))). We can prove this fact in the following way. u(x) ∈ C3 ⇒ u(x) ∈ C1 ∩ C2 ⇒ u(x) ∈ C1 ∧ u(x) ∈ C2 ⇒ g1(x)|u(x) ∧ g2(x)|u(x). If u(x) = 0, then deg(u(x)) ≥ deg(lcm(g1(x), g2(x))). This implies that lcm(g1(x), g2(x)) has the smallest degree of all non-zero polynomials in C3, hence it is a generator polynomial of C3. 3.11. Let us first prove that C3 is linear. If u, v ∈ C3, then u = u1 + u2 and v = v1 + v2, where u1, v1 ∈ C1 and u2, v2 ∈ C2. Since C1 and C2 are both linear, we have that (u1 + v1) ∈ C1 and (u2 + v2) ∈ C2. Therefore, (u1 + v1) + (u2 + v2) = (u1 + u2) + (v1 + v2) = u + v ∈ C3. Next let us prove that C3 is also cyclic. A word w ∈ C3 has the form w = (u0 + v0)(u1 + v1) . . . (un−1 + vn−1), where u = u0 . . . un−1 ∈ C1 and v = v0 . . . vn−1 ∈ C2. Since C1 and C2 are cyclic codes, they also contain arbitrary cyclic shifts us, vs of codewords u, v. Therefore, their corresponding cyclic shift ws of codeword w belongs to the code C3. The generator polynomial of C is g(x) = gcd(g1(x), g2(x)). We will now show that C3 = g(x) . CHAPTER 3. CYCLIC CODES 42 • C3 ⊆ g(x) : Each codeword w ∈ C3 has the form w = a(x) + b(x), where a(x) ∈ C1 and b(x) ∈ C2. We can write a(x) = r(x)g1(x) and b(x) = s(x)g2(x) for some r(x), s(x) ∈ Rn. Therefore we have w = r(x)g1(x) + s(x)g2(x) = g(x) r(x) g1(x) g(x) + s(x) g2(x) g(x) . Since g(x) divides both g1(x) and g2(x), we have that r(x)g1(x) g(x) + s(x)g2(x) g(x) ∈ Rn and therefore w ∈ g(x) , hence C ⊆ g(x) . • g(x) ⊆ C3: C3 contains words of the form r(x)g1(x) + s(x)g2(x) for some r(x), s(x) ∈ Rn. According to the B´ezout’s identity there exist some r (x), s (x) ∈ Rn such that r (x)g1(x) + s (x)g2(x) = gcd(g1(x), g2(x)), hence g(x) ∈ C3. Any word in g(x) has the form t(x)g(x), where t(x) ∈ Rn. Since C is a cyclic code, it contains also any cyclic shifts of g(x) and their linear combinations. These can be expressed as t(x)g(x) for any t(x) ∈ Rn. Therefore g(x) . 3.12. Since a0 . . . an−1 corresponds to a polynomial a0 + a1x + · · · + an−1xn−1, we will use both notations interchangeably. • “⇒”. Suppose (x − 1) is a factor of g(x). Let f(x) = g(x)/(x − 1). Let D be the code with generator polynomial f(x). Note that C = {d(x)(x − 1)|d(x) ∈ D}. Therefore, for each d = d0 . . . dn−1 ∈ D there is a word d(x)(x − 1) = d(x)x − d(x) = (dn−1d0 . . . dn−2) − (d0 . . . dn−1) = (dn−1 − d0)(d0 − d1) . . . (dn−2 − dn−1) ∈ C. 
The sum of characters of the word in C is therefore dn−1 −d0 +d0 −d1 +· · ·+dn−2 −dn−1 = 0 • “⇐”. Assume that c0 + . . . cn−1 = 0 for any c0c1 . . . cn−1 ∈ C. Every c ∈ C has the form g(x)r(x) for some r(x) ∈ Rn, hence g(x) · 1 ∈ C. Then g(x) = a0 + a1x + · · · + an−1xn−1, and a0 + · · · + an−1 = 0. This implies that 1 is a root of g(x): g(1) = a0 + · · · + an−1 = 0. Finally, because 1 is a root of g(x), g(x) = (x − 1)f(x) for some f(x) ∈ Rn. 3.13. The fact that g0 = 0 implies that g(x) = x(gkxk−1 + · · · + g1). Therefore, x is a factor of xn − 1. This is clearly false as xn − 1 divided by x always yields a remainder −1. 3.14. We begin with an observation that in Fq the sum of even number of 1s is equal to 0 and sum of odd number of 1s is equal to 1. This implies that ∀f(x) ∈ C : 2|w(f(x)) ⇔ f(1) = 0, where w(f(x)) is the number of nonzero coefficients of polynomial f(x). • “⇒”. Suppose g(1) = 0. Since ∀f(x) ∈ C we have that f(x) ∈ g(x) , which is equivalent to f(x) = g(x)a(x) for some a(x) ∈ Rn, we also have f(1) = g(1)a(1) = 0a(1) = 0. Hence, each word in C is of even weight. • “⇐”. Converse is trivial. weight of every codeword of C is even, so is the weight of codeword corresponding to g(x) and therefore g(1) = 0. 3.15. Let us work with the subset Ci ∈ C containing all codewords of weight i. Without loss of generality suppose Ci contains k words starting with symbol 1. After applying a cyclic shift to all the words in Ci, we get exactly k words ending with 1 with weight i contained in C. We can argue similarly for all the positions of the code. Hence we have that at each position of words from Ci there are exactly k symbols 1. All in all we have that ici = nk. CHAPTER 3. CYCLIC CODES 43 3.16. • “⇐” If code of odd length contains the all 1s word, it trivially contains a word of odd weight. • “⇒” Let C contain an odd-weight word a = a1 . . . an, with n = 2k +1 for some k ∈ N. Clearly a0 + a1 + · · · + an−1 ≡ 1 mod 2. Because C is cyclic, it also contains all cyclic shifts of a and their sum w. Every position of w can be expressed as a0 +a1 +· · ·+an−1, which as we already argued is equal to 1 in F2 3.17. We need to show that if C is not a trivial code, q is a power of 3. Suppose C is not trivial and it’s generator polynomial is g(x). We have that g(x)|(x7 − 1) and also 1110000 ∈ C. Therefore, 1 + x + x2 = g(x)a(x) for some a(x) ∈ R7. Together with non-triviality of g(x) this implies that 1 ≤ deg(g(x)) ≤ 2. Regardless of q we can write x7 − 1 = (x − 1)(x6 + x5 + x4 + x3 + x2 + x + 1). Since (x6 + x5 + x4 + x3 + x2 + x + 1) has no divisors of degree 1 or 2 in any basis, we have that g(x) = x − 1. As 1110000 ∈ C, we have that (x − 1)|(1 + x + x2). After the division in R we get a remainder 3, which is congruent to 0 only in fields of characteristic equal to three, implying that q is a power of 3. 3.18. (a) C3 is not necessarily a cyclic code. For example if we consider C1 = Fn q and C2 = {00 . . . 0} then C1 \ C2 is not even a linear code much less cyclic (it does not contain the all zero word). (b) The same example as in the previous case can be applied here since C1 = (C1 ∪ C2) and C2 = (C1 ∩ C2). So again C3 is not necessarily a cyclic code. (c) Again we can consider C1 = Fn q and C2 = {00 . . . 0}. This code is linear but we can show that it is not cyclic. C3 has 0 on all even positions, therefore cyclic shift of a word 1010 . . . 10 ∈ C3 does not belong to C3. So we get that C3 is not necessarily a cyclic code. (d) We want to show that in this case the code C3 is cyclic. 
First we prove that it is linear. a1b1a2b2 . . . anbn, c1d1c2d2 . . . cndn ∈ C3 =⇒ a1a2 . . . an, b1b2 . . . bn, c1c2 . . . cn, d1d2 . . . dn ∈ C1 definition of C3 =⇒ (a1 + c1)(a2 + c2) . . . (an + cn), (b1 + d1)(b2 + d2) . . . (bn + dn) ∈ C1 linearity of C1 =⇒ (a1 + c1)(b1 + d1)(a2 + c2)(b2 + d2) . . . (an + cn)(bn + dn) ∈ C3 definition of C3 Similarly a1b1a2b2 . . . anbn ∈ C3, t ∈ Fq =⇒ a1a2 . . . an, b1b2 . . . bn ∈ C1, t ∈ Fq definition of C3 =⇒ (ta1)(ta2) . . . (tan), (tb1)(tb2)...(tbn) ∈ C1 linearity of C1 =⇒ (ta1)(tb1)(ta2)(tb2) . . . (tan)(tbn) ∈ C3 definition of C3 Now we want to prove that a1b1a2b2 . . . anbn ∈ C3 =⇒ b1a2b2 . . . anbna1, bna1b1a2b2 . . . an ∈ C3. CHAPTER 3. CYCLIC CODES 44 It is now sufficient to prove that a1a2b2 . . . anbna1 ∈ C3. a1b1a2b2 . . . anbn ∈ C3 =⇒ a1a2 . . . an, b1b2 . . . bn ∈ C1 definition of C3 =⇒ b1b2 . . . bn, a2 . . . ana1 ∈ C1 cyclicity of C1 =⇒ b1a2b2 . . . anbna1 definition of C3 We get that C3 is necessarily a cyclic code. (e) Linearity: x, y ∈ C3 =⇒ ∃a, b ∈ C1, ∃c, d ∈ C2 : a − c = x, b − d = y definition of C3 =⇒ a + b ∈ C1, c + d ∈ C2 linearity of C1 and C2 =⇒ (a + b) − (c + d) = (a − c) + (b − d) = x + y ∈ C3 definition of C3 and similarly x ∈ C3, t ∈ Fq =⇒ t ∈ Fq, ∃a ∈ C1, ∃b ∈ C2 : a − b = x definition of C3 =⇒ ta ∈ C1, tb ∈ C2 linearity of C1 and C2 =⇒ ta − tb = t(a − b) = tx ∈ C3 definition of C3 So C3 is a linear code. Now we prove cyclicity. x1x2 . . . xn ∈ C3 =⇒ ∃a1a2 . . . an ∈ C1, ∃b1b2 . . . bn ∈ C2 : ai − bi = xi, i ∈ {1, 2 . . . , n} definition of C3 =⇒ ana1 . . . an−1 ∈ C1, bnb1 . . . bn−1 ∈ C2 cyclicity of C1 and C2 =⇒ (an − bn)(a1 − b1) . . . (an−1 − bn−1) = xnx1 . . . xn−1 ∈ C3 definition of C3 This proves that code C3 is necessarily a cyclic code. 3.19. From number theory we know that there are 1 n d|n µ n d pd irreducible polynomials of degree n over Fp (where p is prime and µ is the M¨obius function.) (a) We want to factorize x16 − 1 over F3. From the formula a2 − 1 = (a + 1)(a − 1) we get x16 −1 = (x8 +1)(x4 +1)(x2 +1)(x+1)(x−1). Quadratic and cubic polynomials are irreducible if and only if they do not have a root. Polynomials of degree 4 and 5 are irreducible if and only if they do not have a root and are not divisible by quadratic irreducible polynomial. These are conditions that are quite easy to check. x2 + 1 does not have a root so it is irreducible. We know that there are exactly 3 irreducible monic quadratic polynomials. The others are x2 ± x − 1. Factorization x4 + 1 = (x2 + x − 1) · (x2 − x − 1) gives us a hint for x8 + 1. We get x8 + 1 = (x4 + x2 − 1) · (x4 − x2 − 1) CHAPTER 3. CYCLIC CODES 45 and since we know that both of these polynomials cannot have a root (because x8 + 1 does not have one), we must check if they are not a product of two (monic) irreducible quadratic polynomials. From the last coefficient we know that one of the factors has to be x2 + 1 (since the last coefficient in others is −1 and −1 · (−1) · 6 = −1). We obtain x4 + x2 − 1 = (x2 + 1)x2 − 1, x4 − x2 − 1 = (x2 + 1)(x2 + 1) + 1, so both of these polynomials are irreducible. We get factorization of the original polynomial: x16 − 1 = (x4 + x2 − 1)(x4 − x2 − 1)(x2 + x − 1)(x2 − x − 1)(x2 + 1)(x + 1)(x − 1). We get 27 distinct factors of x16 − 1, so there are 27 cyclic ternary codes of length 16. (b) Again we want to factorise x12 − 1 over F4 = F2[y]/(y2 + y + 1). We use the formula a2 − 1 = (a + 1)(a − 1) and the fact that 1 ≡ −1. 
x12 − 1 = (x6 − 1)2 = (x3 − 1)4 = (x − 1)4 · (x2 + x + 1)4 since F4 is splitting field of polynomial x2 + x + 1 it has to have both roots in this field. If we take F4 = {0, 1, y, y + 1} we have x12 − 1 = (x − 1)4 · (x − y)4 · (x − (y + 1))4. Without using any advanced algebra of finite fields, we can just use the definition of F4 from the lecture. We know that y · (y + 1) = y2 + y = y + 1 + y = 1. So we get (x − y)(x − (y + 1)) = x2 + x(y + y + 1) + y(y + 1) = x2 + x + 1 which is exactly what we expected. From the factorization of x12 − 1 over F4 we get 53 distinct factors. That gives us 125 cyclic quaternary codes. 3.20. First we prove that for codes C1, C2 and their generator polynomials g1(x), g2(x) it holds that g1(x) ∈ C2 ⇐⇒ C1 ⊆ C2. Let f(x) ∈ C1. We know that f(x) = g1(x) · r(x) for some r(x) ∈ Rn. Since g1(x) ∈ C2 we get g1(x) = g2(x) · q(x). From this we get f(x) = g2(x) · q(x)r(x) so f(x) ∈ C2. Let D = v(x) be a cyclic code generated by v(x). We want to show that C = D. We know that f(x) ∈ C ≡ g(x)|f(x) (divisibility in Rn) and g(x) is (the greatest) common divisor of v(x) and another polynomial, we get that g(x)|v(x). Therefore v(x) ∈ C and we get that D ⊆ C (since C contains the generator of D). Now the greatest common divisor can be considered over Fq[x] (which is Euclidean domain) or over Rn (which is not even an integral domain). In the case of Rn we have gcd(v(x), xn − 1) = gcd(v(x), 0). It need not be unique (even if we consider only monic polynomials)! If g(x) = gcd(v(x), 0), we have that g(x)|v(x) (it is divisor) and since v(x)|v(x) and v(x)|0 it also must hold that v(x)|g(x) (it is the greatest common divisor). From this we immediately get that g(x) ∈ D so C = D. In the case of Fq[x] we know that we have Euclidean algorithm and Bezout‘s identity. So we have g(x) = v(x) · a(x) + (xn − 1) · b(x), where a(x), b(x) ∈ Fq[x] are suitable polynomials. Looking at this equation modulo xn − 1 (i.e. in Rn) we have g(x) = v(x)a(x) =⇒ v(x)|g(x) (in Rn) =⇒ g(x) ∈ D =⇒ C ⊆ D. Which gives us C = D and the proof is complete. CHAPTER 3. CYCLIC CODES 46 3.21. (a) If we swap the 1st and 2nd bits we obtain an equivalent cyclic code {0000, 0101, 1010, 1111}. (b) C2 has 3 codewords, therefore the dimension of its cyclic equivalent must be log2 3 ≈ 1, 58 which is not a valid dimension for a linear code. As every cyclic code is linear there is no binary cyclic code with 3 codewords. Therefore there is no cyclic code equivalent to C2. (c) Since C3 has only 1 codeword it’s cyclic equivalent must also have only 1 codeword. The only cyclic code of length 5 with only 1 codeword is the code {00000}. 3.22. It suffices to show that every codeword in C has even weight, then clearly for odd n holds that 11 . . . 1 n ∈ C. Consider arbitrary word w = (w0, w1, . . . , wn−1) ∈ C with corresponding polynomial w(x). Since w(x) = g(x) · r(x) for some r(x) ∈ Rn, it holds that 1 + x | w(x). Hence w(1) = 0. It also holds that w(1) = 0 ⇐⇒ w0 + w1 + · · · + wn−1 = 0. And thus w(1) = 0 ⇐⇒ w has even weight. All together, if 1 + x | g(x), then arbitrary w ∈ C has even weight and so 11 . . . 1 n ∈ C. 3.23. We start with simple generator matrix for our code G =      1 0 0 . . . 0 1 0 1 0 . . . 0 1 ... ... ... ... ... ... 0 0 0 . . . 1 1      . Clearly, with this matrix we can generate any codeword of parity 0, our code. Unfortunately this generator matrix is not in a form from which we could read the generator polynomial. But we can use it to find such matrix. 
Consider a new generator matrix G for our code created from G in the following way: to every row, but the last row, add the next row. G =      1 1 0 . . . 0 0 0 1 1 . . . 0 0 ... ... ... ... ... ... 0 0 0 . . . 1 1      . We were only adding rows of the original generator matrix and so G is still generates our code. But G is now in the form as if it were created by a generator polynomial. This polynomial is g(x) = 1 + x, regardless of n. And so the generator polynomial of the binary single-parity-check code is always g(x) = 1 + x for any length n ≥ 2. 3.24. (a) There are 27 16 = 93343021201262180000 combinations for choosing 16 codewords from 27 = 128 binary codewords of length 7. CHAPTER 3. CYCLIC CODES 47 (b) We need to count the number of vector subspaces of dimension 4 (to have 24 = 16 elements) in F7 2. We can use the Gaussian binomial coefficient to count k-dimensional subspaces of ndimensional space. Such coefficients can be rewritten as follows (reflecting the way of specifying k linearly independent vectors): n k q = (qn − 1)(qn − q)(qn − q2) · · · (qn − qk−1) (qk − 1)(qk − q) · · · (qk − qk−1) In our case: 7 4 2 = (27 − 1)(27 − 2)(27 − 22)(27 − 23) (24 − 1)(24 − 2)(24 − 22)(24 − 23) = 11811. (c) We need 16 codewords so we search for a divisor polynomial of x7 − 1 over F2 with degree 7 − 4 = 3. We have x7 − 1 = (x + 1)(x3 + x + 1)(x3 + x2 + 1), therefore our code is generated either with (x3 + x + 1) or (x3 + x2 + 1). There are 2 such cyclic codes. 3.25. (a) According to Euclidean division of polynomials introduced in the lecture slides, each polynomial f(x) can be written as f(x) = q(x)b(x) + r(x), for arbitrary b(x) with deg(b(x)) > deg(r(x)) and deg(f(x)) > deg(b(x)). For the sake of constructing a contradiction, assume a is the root of f(x). Then we can write f(x) = g(x)(x − a) + r. Note that r has to be constant (degree less than 1) and therefore, since a is a root, f(a) = 0 and therefore r = 0, showing that f(x) can be written as f(x) = g(x)(x − a) and thus being reducible. (b) Let‘s prove the contrapositive: f(x) being reducible implies f(x) has roots. (i) deg(f(x)) = 2. Then reducible f(x) can be written as f(x) = (x − a)(x − b) and both a and b are roots of f(x). (ii) deg(f(x)) = 3. Then reducible f(x) can be written as f(x) = g(x)b(x), where g(x) is of degree 2 and b(x) is of degree 1, i.e. b(x) = (x − a) and a is the root of f(x). (iii) deg(f(x)) = 1. f(x) is of the form f(x) = (x − a) and clearly a is the root of f(x). 3.26. Let C be a q-ary cyclic [n, k, d]-code with generator polynomial g(x). Thus, we have deg(g(x)) = n−dim(C) = n−k. Denote by C the q-ary cyclic code with length mn whose generator polynomial is f(x) = g(xm). Note that if g(x) is monic, then so is g(xm), and that xn−1 = g(x)h(x) implies xmn − 1 = (xm)n − 1 = g(xm)h(xm) = f(x)h(xm), so f(x) is indeed a generator polynomial, as needed. Moreover, we have dim(C ) = mn − deg(f) = mn − m · deg(g) = mn − m(n − k) = mk, as required. It remains to prove that h(C ) = w(C ) = d: Since h(C) = w(C) = d, there is a polynomial u(x) = g(x)p(x) ∈ C with w(u(x)) = d. Then, we have u(xm) = g(xm)p(xm) = f(x)p(xm) ∈ C (since deg(u(xm)) = m · deg(u(x)) < mn as deg(u(x)) < n) and w(u(xm)) = d (since the coefficients of u(xm) are those of u(x) interleaved with m − 1 zeros each time). Now, let u(x) = f(x)p(x) ∈ C be any non-zero polynomial. We have to prove that w(u(x)) ≥ d. We have deg(p(x)) = deg(u(x))−deg(f(x)) = deg(u(x))−(mn−mk) < mk as deg(u(x)) < mn. 
Let us write p(x) = a0 + a1x + a2x2 + · · · + amk−1xmk−1 = (a0 + amxm + a2mx2m + · · · + a(k−1)mx(k−1)m) + + (a1x + am+1xm+1 + a2m+1x2m+1 + · · · + a(k−1)m+1x(k−1)m+1 )+ ... + (am−1xm−1 + a2m−1x2m−1 + a3m−1x3m−1 + · · · + amk−1xm k − 1) = p0(xm ) + p1(xm )x + · · · + pm−1(xm )xm−1 CHAPTER 3. CYCLIC CODES 48 where pi(x) = k−1 j=0 ajm+ixj for each i ∈ {0, 1, . . . , m − 1}. Thus, we have u(x) = f(x)p(x) = g(xm )(p0(xm ) + p1(xm )x + · · · + pm−1(xm )xm−1) = g(xm )p0(xm ) + g(xm )p1(xm )x + · · · + g(xm )pm−1(xm )xm−1 . For each i ∈ 0, 1, . . . , m − 1, writing ri(x) = g(x)pi(x) ∈ C (since deg(ri(x)) = deg(g(x)) + deg(pi(x)) = n − k + deg(pi(x)) < n as deg(pi(x)) < k, we get u(x) = r0(xm ) + r1(xm )x + · · · + rm−1(xm )xm−1 . Moreover, we clearly have w(u(x)) = w(r0(x)) + w(r1(x)) + · · · + w(rm−1(x)). Finally, at least one of the polynomials ri(x) is non-zero (otherwise u(x) would also be the zero polynomial), so we get from w(C) = d that w(ri(x)) ≥ d, which implies the wanted w(u(x)) ≥ w(ri(x)) ≥ d. 3.27. (a) Trivial. However it is important to note that if C is generated by g(x) k i=0 aixi, ¯C is generated by its reciprocal polynomial ¯g(x) = k i=0 ak−ixi. (b) This is the full set of decompositions of xn − 1 over F2 up to n = 6. x2 − 1 is irreducible x3 − 1 = (x + 1)(x2 + x + 1) x4 − 1 = (x + 1)4 x5 − 1 = (x4 + x3 + x2 + x + 1)(x + 1) x6 − 1 = (x + 1)2 (x2 + x + 1)2 Note that each of the possible generating polynomials for these codeword sizes is a palindrome, i.e. g(x) = ¯g(x) and therefore C = ¯C. For reference: (x + 1)2 = x2 + 1 (x + 1)3 = x3 + x2 + x + 1 (x + 1)4 = x4 + 1 (x + 1)5 = x5 + x4 + x + 1 (x + 1)6 = x6 + x4 + x2 + 1 (x + 1)7 = x7 + x6 + x5 + x4 + x3 + x2 + x + 1 (x + 1)8 = x8 + 1 (x2 + x + 1)2 = x4 + x2 + 1 (c) Since x7 − 1 = (x3 + x + 1)(x3 + x2 + 1)(x + 1), the example is a code C is generated by g(x) = x3 + x + 1 and ¯C is generated by ¯g(x) = x3 + x2 + 1. 3.28. This follows since C1 ⊆ C2 ⇐⇒ g1(x) ⊆ g2(x) ⇐⇒ g2(x) divides g1(x). Chapter 4 Secret Key Cryptosystems 4.1 Introduction Cryptosystems (called also as ciphers) serve to provide secret communication between two parties. They specify how to encrypt a message (usually called plaintext) by a sender, to get the encypted message (usually called cryptotext), and then how the receiver can decrypt the received cryptotext to get the original plaintext. Security of secret key cryptosystems is based on the assumption that both the sender and the receiver posses the same secret key (and that is why secret key cryptosystems are called also symmetric cryptosystems) that is an important parameter of both encoding and decoding processes. Some secret key cryptosystems are very old. Many of them are easy to break using the power of modern computers. They were dealt with in Chapter 4 of the lecture for the following reasons: (1) They are often simple enough to illustrate basic approaches to the design of cryptosystems and to methods of cryptanalysis; (2) They can be used even nowadays in combination with more modern cryptosystems; (3) Historically, many of them used to play an important role for centuries. In the Chapter 4 of the lecture basic ideas and examples of such main secret key cryptosystems are presented, analysed and illustrated. 4.1.1 Basics of the design and analysis of cryptosystems Every cryptosystem S works with a plaintexts space P (a set of plaintexts over an alphabet Σ), a cryptotexts space C (a set of cryptotexts over an alphabet ∆) and a keyspace K (a set of possible keys). 
In any cryptosystem S, each key k ∈ K determines an encryption algorithm ek and a decryption algorithm dk such that for any plaintext w ∈ P, ek(w) is the corresponding cryptotext and it holds that w = dk(ek(w)), or w ∈ dk(ek(w)) in case the encryption is done by a randomized algorithm.

A good cryptosystem should have the following properties: (1) Both encryption and decryption should be easy once the key is known; (2) Cryptotexts should not be much larger than the corresponding plaintexts and the set of keys should be very large; (3) Encryption should not be closed under composition and should create the so-called avalanche effect – small changes in plaintexts should lead to big changes in cryptotexts; (4) Decryption should be infeasible when the key used is not known.

Two basic types of cryptosystems are: (a) Block cryptosystems – to encrypt plaintexts of a fixed size; (b) Stream cryptosystems – to encrypt (arbitrarily long) streams of input data. Another basic classification of secret-key cryptosystems divides them into: (1) substitution based cryptosystems (characters of plaintexts are replaced by other ones); (2) transposition based cryptosystems (characters of plaintexts are permuted). Different cryptosystems use different, but usually easy to work with, substitutions and permutations.

If in a substitution based cryptosystem the substitution used is fixed (that is, any character is always replaced in the same way), we talk about a mono-alphabetic cryptosystem; otherwise the cryptosystem is called poly-alphabetic.

Some of the main types of cryptanalytic attacks are: 1. Cryptotexts-only attack. The cryptanalysts get cryptotexts c1 = ek(w1), . . . , cn = ek(wn) and try to infer the key k, or as many of the plaintexts w1, . . . , wn as possible. 2. Known-plaintexts attack. The cryptanalysts know some pairs wi, ek(wi), 1 ≤ i ≤ n, and try to infer k, or at least wn+1 for a new cryptotext ek(wn+1).

For mono-alphabetic cryptosystems the basic cryptanalytic attack is to perform a frequency analysis of the symbols of the cryptotext and to compare it with the publicly known frequency tables for the given language. Highly frequent symbols in the cryptotext are then likely substitutes for highly probable symbols in such published tables. Cryptanalytic attacks on poly-alphabetic cryptosystems can be much more complicated, but in some important cases they can, after some effort, be reduced to attacks on mono-alphabetic cryptosystems.

4.1.2 Basic classical secret-key cryptosystems

Caesar cryptosystem can be used to encrypt texts in any alphabet. For English the key space K = {0, 1, 2, . . . , 25} is usually used. For any k ∈ K the encryption algorithm ek substitutes any letter by the one occurring k positions ahead (cyclically) in the alphabet; the decryption algorithm dk substitutes any letter by the one occurring k positions backwards (cyclically) in the alphabet.

Polybius cryptosystem was originally designed for encrypting messages in the English alphabet without the letter “J”. The key space consists of 5 × 5 checkerboards of the remaining 25 letters of English, with rows and also columns labelled by different letters of English. At encryption, each letter is replaced by the pair of letters denoting the row and the column in which the letter lies in the checkerboard. At decryption, consecutive pairs XY of letters are replaced by the letter in the X-row and the Y-column of the checkerboard used.
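To make the two descriptions above concrete, here is a minimal sketch of the Caesar cryptosystem in Python (the booklet itself prescribes no programming language, and the function names below are ours, purely illustrative):

    ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

    def caesar_encrypt(plaintext, k):
        # replace every letter by the one occurring k positions ahead (cyclically)
        return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] for c in plaintext)

    def caesar_decrypt(cryptotext, k):
        # replace every letter by the one occurring k positions backwards (cyclically)
        return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26] for c in cryptotext)

    assert caesar_decrypt(caesar_encrypt("ATTACK", 3), 3) == "ATTACK"

The Polybius cryptosystem can be implemented analogously, with a dictionary mapping each of the 25 letters to its row-column pair in the chosen checkerboard.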
When the Hill cryptosystem is used to encrypt n-ary vectors v of integers from the set {0, 1, 2, . . . , 25}, the key space consists of n × n matrices Mn of integers from the set {0, 1, 2, . . . , 25} such that Mn^{-1} mod 26 exists. Encryption is done by the multiplication c = Mn·v and decryption by another multiplication v = Mn^{-1}·c. In order to encrypt text messages, the alphabet symbols are first replaced by their ordering numbers in the alphabet, and the reverse process is used at decryption.

Playfair cryptosystem uses the same key space as the Polybius cryptosystem. Encryption is done by replacing subsequent pairs of input symbols (x, y) as follows: (1) If x and y are in the same row (column), they are replaced by the pair of symbols to the right of (below) them; (2) If x and y are in different rows and columns, then they are replaced by the symbols in the opposite corners of the rectangle created by x and y.

Affine cryptosystem has as the key space K the set of all pairs of integers {(a, b) | 0 ≤ a, b < 26; gcd(a, 26) = 1}. Encryption of an integer w from the set {0, 1, 2, . . . , 25} is done by the computation c = aw + b mod 26; decryption by the computation w = a^{-1}(c − b) mod 26, where a^{-1} is computed modulo 26.

The key space of the (Keyword) Vigenère cryptosystem consists of all words (strings of symbols) in the English alphabet. To encrypt a message m of length n using a key k0, another key k is created as the prefix of length n of the word k0^∞ (the infinite concatenation of k0), and a matrix T of size 26 × 26 is used whose first row consists of all symbols of the English alphabet and whose every column consists again of all symbols of the English alphabet, in their natural order but starting with the symbol in the first row and cyclically extended. At encryption, the i-th symbol s of the plaintext is replaced by the symbol lying in the row that starts with s and in the column that has the i-th symbol of k in the first row.

In the Autoclave cryptosystem, a key k0 is concatenated with the plaintext message m to form the key k.

Keyword Caesar cryptosystem has as the key space the set of all pairs (k0, i) where k0 is an English word with all letters different and 1 ≤ i ≤ 26. To encrypt a plaintext w using a key (k0, i), k0 is first extended by adding, in the usual order, all letters not in k0, to get a word k that specifies a substitution in which the i-th letter of the alphabet is replaced by the i-th symbol of k.

A homophonic cryptosystem is specified by describing, for each letter of the input alphabet, a set of potential substitutes (symbols or words). The number of substitutes for any letter X is usually proportional to the frequency of X in usual texts in the input alphabet. Encryption is done by replacing each letter X of the plaintext by one, randomly chosen, of the substitutes of X.

In the binary One-time pad cryptosystem the key space consists of all binary strings. To encrypt a binary plaintext w using a binary string k of the same length as the key, the cryptotext is c = w ⊕ k, where the operation ⊕ is bit-wise XORing; decryption is then done by the computation w = c ⊕ k.

4.1.3 Product cryptosystems

A cryptosystem S = (P, K, C, e, d) with the set of plaintexts P, keys K and cryptotexts C and encryption (decryption) algorithms e (d) is called endomorphic if P = C.
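For instance, the binary One-time pad described above is an endomorphic cryptosystem: plaintexts, cryptotexts and keys are all binary strings of the same length. A minimal sketch in Python (illustrative only; the names are ours):

    def otp_encrypt(plaintext_bits, key_bits):
        # bit-wise XOR of a plaintext and a key of the same length
        return [w ^ k for w, k in zip(plaintext_bits, key_bits)]

    # decryption is the same operation, since (w XOR k) XOR k = w
    otp_decrypt = otp_encrypt

    w = [1, 0, 1, 1, 0, 1]
    k = [0, 1, 1, 0, 0, 1]
    assert otp_decrypt(otp_encrypt(w, k), k) == w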
If S1 = (P, K1, P, e(1), d(1)) and S2 = (P, K2, P, e(2), d(2)) are endomorphic cryptosystems, then the product cryptosystem is S1 × S2 = (P, K1 × K2, P, e, d), where encryption is performed by the procedure e(k1, k2)(w) = ek2 (ek1 (w)) and decryption by the procedure d(k1, k2)(c) = dk1 (dk2 (c)). 4.1.4 Perfect secrecy Let P, K and C be sets of plaintexts, keys and cryptotexts. Let Pr[K = k] be the probability that the key k is chosen from K and let Pr[P = w] be the probability that the plaintext w is chosen from P. If for a key k ∈ K, C(k) = {ek(w)|w ∈ P}, then the probability that c is the cryptotext that is transmitted is Pr[C = c] = {k|c∈C(k)} Pr[K = k]Pr[P = dk(c)]. For the conditional probability Pr[C = c|P = w] that c is the cryptotext if w is the plaintext it holds Pr[C = c|P = w] = {k|w=dk(c)} Pr[K = k]. Using Bayes’ conditional probability formula Pr[y]Pr[x|y] = Pr[x]Pr[y|x] we get for probability Pr[P = w|C = c] that w is the plaintext if c is the cryptotext the following expression Pr[P = w|C = c] = Pr[P = w] {k|w=dk(c)} Pr[K = k] {k|c∈C(k)} Pr[K = k]Pr[P = dk(c)] . A cryptosystem has perfect secrecy if Pr[P = w|C = c] = Pr[P = w] for all w ∈ P and c ∈ C. That is, the a posteriori probability that the plaintext is w, given that the cryptotext is c is obtained, is the same as a priori probability that the plaintext is w. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 52 4.1.5 Unicity distance The unicity distance of a cipher encrypting natural language plaintexts is the minimum of cryptotexts required for computationally unlimited adversaries to decrypt cryptotext uniquely (to recover uniquely the key that was used). The expected unicity distance UC,K,L of a cipher C and a key set K for a plaintext language L can be shown to be: UC,K,L = HK DL where HK is the entropy of the key space (e.g 128 for 2128 equiprobably keys), DL is the plaintext redundancy in bits per character (3.2 for English). 4.2 Exercises 4.1. During the siege of a castle one of the attackers tried to choke you to death by a leather belt. You were lucky and managed to escape and steal the belt. Afterwards, you noticed that on the belt there is written the following text. Try to decrypt it. AERTLTTEHAVGCEAKNTANETO 4.2. Encrypt the word “cryptology” with (a) the Polybius square cryptosystem; (b) the Hill cryptosystem with M = 6 7 3 11 ; (c) the keyword Caesar cryptosystem with k = 6 and the keyword “SHIFT”; (d) the Autoclave cryptosystem with the keyword “KEY”. 4.3. What is the relation between the permutation cipher and the Hill cipher. 4.4. Decrypt the following cryptotexts: (a) ROSICRUCIAN CIPHER (b) CJ CI CF EI AG BI DJ DH DH DF DJ AF DG AJ (c) AQ HP NT NQ UN Hint: The password used to encrypt this message is the name of the cryptosystem used. (d) GEOGRAPHY ANTS MARKETING WAR 4.5. If possible, decode the following ciphertext obtained with the one-time pad knowing that the key used to encrypt a message starts with GSC: GLUYM YIFGH EJPCR OFLSM DOFML QSFCDF MZHLL VDJLE TTYNM XDKEC ALIOP DHTFN ECRKF GKDVRJ DJVMR WICKF 4.6. On the basis of frequency analysis it has been guessed that the most frequent cryptotext letter, Z, corresponds to the plaintext letter o and the second most frequent cryptotext letter, I, corresponds to t. Knowing that the Affine cryptosystem is used, determine its coefficients a and b. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 53 * 4.7. 
Decrypt the following cryptotext: XQFXMGAFFDSCHFZGYFZRSHEGHXQZXMFQRSPEGHXQKPZNKZGHGNGHX QDEEFDSZHQGAFVDJDZNGSDDGFIGBSHGGFQHQGAF4GARFQGNSPDYKP GAFKSDAJHQZRAXCDSUDGZPDPDQDKNGKDZFYXQJDQNZRSHEGZYDGHQ TKDRVGXGAF4GARFQGNSPKRGAFVDJDZNGSDSFRXJJFQYZGADGBXJFQ ZAXNCYZGNYP64DSGZHQRCNYHQTRXXVHQTYSFZZHQTJDZZDTFDQYGA FESFEDSDGHXQXMEFSMNJFZGAFCHZGDCZXHQRCNYFZZXJFCFZZXKUH XNZDSGZHQRCNYHQTRXQONSHQTRAFZZKXXVKHQYHQTDQYRDSEFQGSP QNJKFS45XQGAFCHZGHZJCFRRAHGDUHVDCEDGAFDSGXMZFRSFGBSHG HQTDYUXRDGFYHQXSYFSGXAFCEBXJFQRXQRFDCGAFYFGDHCZXMGAFH SCHDHZXQZXQFXMGAFSFRXJJFQYFYGFRAQHLNFZHQUXCUFZSDQYXJC PEDHSHQTCFGGFSZXMGAFDCEADKFGDQYGAFQZNKZGHGNGHQTFDRACF GGFSHQGAFXSHTHQDCJFZZDTFBHGAHGZEDSGQFS * 4.8. A simple substitution cipher f : Z26 → Z26 (a bijective function which maps plaintext letters x to cryptotext letters f(x)) is called self-inverting if f(x) = f−1(x), i.e. f(f(x)) = x. (a) How many different self-inverting substitution ciphers are there? (b) What is the proportion of self-inverting substitution ciphers to all simple substitution ciphers? (c) How many self-inverting substitution ciphers which do not map any letter onto itself are there? 4.9. For the following cryptosystems, describe a chosen plaintext attack which enables the adversary to determine the key using only a single message. This message should be as short as possible. (a) the Caesar cryptosystem; (b) monoalphabetic substitution cryptosystem; (c) transposition cryptosystem with a block length not greater than the number of symbols in the alphabet (d) the Affine cryptosystem; (e) the Vigen`ere cryptosystem with a key of known length. 4.10. Find the unicity distance of the following ciphers, consider the keys are chosen uniformly at random. (a) the original pigpen cipher; (b) the Vig`enere cipher with keylength 7; (c) transposition cipher with period 7; (d) the one-time pad. 4.11. For 26-letter alphabet, determine how many Affine ciphers are there that leave (a) no characters fixed; (b) exactly one character fixed; CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 54 (c) at least two characters fixed. 4.12. Consider the Affine cryptosystem with the encryption function e(x) = ax + b (mod 26) where a, b ∈ {0, 1, . . . , 25} and gcd(a, 26) = 1. Find all possible values of a, b such that for all x ∈ {0, 1, . . . , 25} the following holds: (a) e(e(e(x))) = e3(x) ≡ x (mod 26); (b) e5(x) ≡ x (mod 26). 4.13. Consider a p-ary alphabet where p is prime. What is the size of the keyspace in (a) the Affine cryptosystem? (b) the Hill cryptosystem? (c) and the Hill cryptosystem over the 26-ary alphabet? 4.14. Assume that the Affine cryptosystem is implemented in Z126. (a) Determine the number of possible keys. (b) For the encryption function e(x) = 23x + 7 (mod 126) find the corresponding decryption function. * 4.15. Let p be a prime. Consider the Hill system with alphabet of order p and matrices of degree 2. What is the number of keys? * 4.16. 
Decrypt the following cryptotext obtained with the Vigen`ere cryptosystem: DLCCC QDIKW YQDFC ZVYMX GMEJV CGPRM DQYDL CWERS GYVPW SRBOG GZLCB EZVI SXKEW RXSRL IPOUS SVCNX MLIQO GPOXY XHGDQ SCXZO EZVIR YJYVP GXXMD LCREL NWMPX FOILO QWGMR RSSDM LMSLF ILSIL MI SXQUI WWYQD FCMSK WYLSG YLPCK RBBIR KMLKF JOAGD LMEXR RIFOP NYJUB MRDIL XSROW YXHAR ELQIY LPCYV KYHGP MYLPC KXRRI USPJY JRRIA YVPOW NYRBO RRC SXKEW RLIYZ TJSGY LPCDS ROPCQ VYZLG MGMBV CCTMX HCXGC SXKEW RLINY VRKFJ OELNM RCYQK KCKRB PYLMX GYRKE WRXSR BIOEM POXFO GMXGM EVQOS DCITO VYVTC YTJO PMLKP JIMRS WLOGC CWYBC ESZCX XFOGG BGSWW RKRAO WRRER MSKWE LNMRC ENZPG MERSS LDLYD XFOWW CXCWF COEQI XMEWC BIOEM PSREX IGDLC BQCXX YVWRB EGXRM BXFOO LYAJO HEOSD KPMXK QOVGO WMPVS VIQDS MLWCB ZC * 4.17. Write a short interesting text in English or Czech/Slovak concerning cryptography or informatics without using the letter “E”. 4.18. Let S be an endomorphic cryptosystem. Let S2 = S × S. Which of the following simple cryptosystems – the Caesar, Vigen`ere, Hill or Affine cryptosystem – would you prefer to use as S2. Explain your reasoning. 4.19. You have two devices – a machine E, which encrypts the given text (suppose that it provides perfect encryption) and a machine H, which performs the Huffmann compression of a given message. Decide the order in which you should use these machines to get the shorter encrypted message. Justify your answer. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 55 4.20. To save resources used by sending the keys, the following simplified one-time pad cryptosystem was implemented. The cryptosystem uses a randomly generated key k1 during its first use, but to encrypt the ith plaintext wi, i > 1, instead of using new key ki, the previous plaintext is used, i.e. ki = wi−1, i > 1. You managed to intercept all the cryptotexts ci created by this cryptosystem and also the third plaintext w3. Find the first plaintext w1 and the original key k1. 4.21. Consider two Hill cryptosystems described with matrices G and H. (a) Consider another Hill cryptosystem with matrix M, constructed from G and H, such that eM (m) = eH(eG(m)) and dM (c) = dG(dH(c)). Determine M and M−1 in terms of G and H. (b) Prove that if both H and G set up valid Hill cryptosystem, the cryptosystem from (a) is also valid. 4.22. Consider the Gronsfeld cipher. Assuming the corresponding plaintext contains word ’the’. Decrypt the following cryptotext. Do not use brute force. PFJWBYWIJHYNW The Gronsfeld cipher is a variant of the Vigen`ere cipher where numbers 0, . . . , 9 are used as the key instead of letters. Each plaintext character is shifted along by the corresponding number from the key. * 4.23. Let C = (P, C, K, e, d) be a cryptosystem. (a) Suppose that C is perfectly secure. Show that for any m ∈ P and c ∈ C it holds that Pr[C = c|P = m] = Pr[C = c]. (b) Suppose that for any m, m ∈ P and c ∈ C it holds that Pr[P = m|C = c] = Pr[P = m |C = c]. Show that C is perfectly secure. 4.24. Let C be a cryptosystem with the plaintext space P = {x, y, z}, the key space K = {k1, k2, k3} and the cryptotext space C = {a, b, c}. Let the probability distributions Pr[P = w] and Pr[K = k] be defined as Pr[P = x] = 3 8, Pr[P = y] = 1 8, Pr[P = z] = 1 2 and Pr[K = k1] = 1 3, Pr[K = k2] = 1 6, Pr[K = k3] = 1 2, respectively. Let the encryption function be given by the following table: x y z k1 a b c k2 b c a k3 c a b (a) Determine the probability distribution Pr[C = c]. (b) Is the proposed cryptosystem perfectly secure? Provide your reasoning. * 4.25. 
A cryptosystem is said to be 2-perfectly secure if two cryptotexts encrypted using the same key provide no information about the corresponding plaintexts. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 56 (a) Propose a formal definition of a 2-perfectly secure cryptosystem. (b) Show that one-time pad is not 2-perfectly secure. 4.26. Suppose that in a symmetric key cryptosystem P = C = {0, . . . , n − 1}. Suppose that the possible encryption functions are all the permutations of P. (a) What is the size of the key set K? (b) Show that if the encryption functions are chosen uniformly, then this cryptosystem achieves perfect secrecy. 4.3 Solutions 4.1. A scytale was used to encrypt the message. One can read the message if the belt is wrapped around a cylinder with the right diameter. Scytale used to encrypt this message allowed one to write three letters around in a circle. We can write the cryptotext in columns of length 3: ATTACKAT ELEVENNO RTHGATE Finally, we can read the secret message as “attack at eleven north gate”. 4.2. (a) Let the key be the table: F G H I K A A B C D E B F G H I K C L M N O P D Q R S T U E V W X Y Z Then c → AH, r → DG, and so on until we get the resulting cryptotext “AHDGEICKDICICFCIBGEI”. (b) We have to convert the word cryptology to a sequence of vectors over Z26 of length 2. Each vector will then be multiplied by the matrix M and the resulting vectors transformed back to a string. cr → v1 = 2 17 , yp → v2 = 24 15 , to → v3 = 9 14 , lo → v4 = 11 14 , gy → v5 = 6 24 Mv1 = 1 11 → BL, Mv2 = 15 3 → PD, Mv3 = 4 3 → ED, Mv4 = 3 5 → IF, Mv5 = 22 22 → WW. The cryptotext is therefore “BLPDEDIFWW”. (c) For the given key we get this permutation table: CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 57 abcdefghijklmnopqrstuvwxyz UVWXYZSHIFTABCDEGJKLMNOPQR The letter c maps to W, r to J and so on, until we get the cryptotext WJQELDADSQ. (d) The autoclave key is formed with the keyword “KEY” concatenated with the plaintext, to obtain the ciphertext we perform the following operation: cryptology 02 17 24 15 19 14 11 14 06 24 + KEYCRYPTOL 10 04 24 02 17 24 15 19 14 11 = MVWRKMAHUJ 12 21 22 17 10 12 00 07 20 09 The cryptotext is “MVWRKMAHUJ”. 4.3. The permutation cipher is a special case of the Hill cipher. Let π be a permutation of the set {1, . . . , n}. We can define an n×n permutation matrix Mπ = (mij) as follows: mij = 1 if i = π(j) 0 otherwise Using the matrix Mπ in the Hill cryptosystem is equivalent to perform encryption using the permutation π. Decryption in the Hill cryptosystem is done with the matrix MT π = M−1 π = Mπ−1 . 4.4. (a) The given message is encrypted with the Pigpen cipher and can be easily decoded with the following tables: The hidden message is “rosicrucian cipher”. (b) One can notice that in the given cryptotext similar characters appear on even positions and similar on odd positions. One can guess that message was encrypted with the Polybius cryptosystem and can be decoded to “polybius square”. (c) This is the Playfair cipher with the key “PLAYFAIR”. The Playfair square is as follows: P L A Y F I R B C D E G H K M N O Q S T U V W X Z and the hidden message reads “wheatstone” (Charles Wheatstone was an inventor of the Playfair cipher). (d) These are anagrams for “steganography” and “watermarking”. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 58 4.5. Assuming the one-time pad was used correctly, that is, no other message was encrypted with the same key and the key is truly random, we are unable to decrypt this message even if we know that key starts with GSC. 
We can only say that the first three characters of the decrypted message are ats. Without knowledge of the whole key we could not decrypt the whole plaintext message. 4.6. We have e(a,b)(o) = Z and e(a,b)(T) = I which can be rewritten to the following system of linear equation: a · 14 + b = 25 a · 19 + b = 8 Solving the system modulo 26 gives a = 7 and b = 5. 4.7. Frequency analysis shows that F and G are the most frequent letters and that GAF is with 16 occurences the most frequent trigram, followed up with the trigram HQT with 10 occurences. We can guess that GAF corresponds to the word the and HQT corresponds to and. We can test whether the Affine cryptosystem was used by determining coefficients from 2 equations corresponding to proposed letter transformations and testing if these coefficients are valid for the whole text. From equations t → G and h → A we get a = 7 and b = 3. These coefficients are valid for transformation e → F (decrypting HQT actually yields ing). The plaintext finally reads: One of the earliest descriptions of encryption by substitution appears in the Kama-sutra, a text written in the 4th century AD by the Brahmin scholar Vatsyayana, but based on manuscripts dating back to the 4th century BC. The Kama-sutra recommends that women should study 64 arts, including cooking, dressing, massage and the preparation of perfumes. The list also includes some less obvious arts, including conjuring, chess, bookbinding and carpentry. Number 45 on the list is mlecchitavikalpa, the art of secret writing, advocated in order to help women conceal the details of their liaisons. One of the recommended techniques involves randomly pairing letters of the alphabet, and then substituting each letter in the original message with its partner. 4.8. (a) Let f be a self-inverting permutation over Zn. Suppose n pairs of letters map to each other and remaining 26 − 2n letters stay fixed. These n pairs can be chosen in the following way. First two letters are chosen in 26×25 2 ways. Next pair can be chosen from the remaining 24 in 24×23 2 ways and n-th pair can be chosen in (28−2n)×(27−2n) 2 ways. Multiplying together and cancelling the ordering of n pairs we obtain P(n) = 26! (26 − 2n)! × 2n × n! . The total number of self-inverting functions is then 13 i=0 26! (26 − 2n)! × 2n × n! = 532985208200576 Another approach could be to derive a recursive function φ(n) that returns the number of self-inverting permutations over a set of cardinality n. There is only one permutation over a singleton set, the identity, which is self-inverting: φ(1) = 1. There are two permutations over a two-element set, the identity and the transposition. Both are self-inverting: φ(2) = 2. Now, if there are n elements, either f(0) = 0 and then there are φ(n − 1) possibilities how to permute the rest, or f(0) = i, i ∈ {1, . . . , n − 1}, implying f(i) = 0, and then there are φ(n − 2) ways one can permute the rest. Together, we obtain the following recurrent formula: φ(n) = φ(n − 1) + (n − 1)φ(n − 2) For n = 26, φ(26) = 532985208200576. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 59 (b) The number of substitution ciphers equals the number of permutations. For a set of 26 elements it is 26!. The proportion is: φ(26) 26! = 1.32 · 10−12 (c) From the solution from part (a) one can easily see that picking 13 pairs can be done in P(13) = 26! 213 × 13! = 25 · 23 · · · 5 · 3 · 1 = Π13 k=1(2k − 1) = 7905853580625 ways. 4.9. (a) A single letter plaintext. 
(b) For an alphabet of n symbols, it suffices to send a message of length n − 1 which contains distinct symbols. (c) Message of the block length which contains each symbol at most once. (d) Plaintext consisting of two distinct letters. We can easily find the key by solving the system of linear equations. (e) Plaintext of the key length. 4.10. We use the redundancy of English text ≈ 3.2 bits per character. (a) The original pig pen cipher has only one key thus the unicity distance is log2 1/3.2 = 0. (b) Vig`enere with key-length 7 has 267 possible keys and the unicity distance is therefore log2 267/3.2 ≈ 10.3. (c) Transposition cipher of period 7 has the size of the key space 7! and the unicity distance is log2 7!/3.2 ≈ 3.84. (d) The one-time pad has unbounded key size, i.e., for a plaintext with N bites the size of the key space is 2N and limN→∞ 2N = ∞. Thus, the unicity distance is ∞. 4.11. (a) There are 12 possible values for a (because gcd(a, 26) = 1 therefore a is odd) and 26 possible values for b, ie. 12 · 26 = 312 keys in total. In order that x ∈ {0, . . . , 25} is fixed, it must hold that ax+b ≡ x mod 26. We are interested in the case where ax + b ≡ x mod 26 which can be rewritten as (a − 1)x ≡ −b mod 26. For a = 1 this allow b ∈ {1, . . . , 25}. Now, we use the fact that the congruence e · x ≡ f mod n has a solution if and only if gcd(e, n)|f, moreover the number of unique solutions is equal to gcd(e, n). For all possible a > 1 we have gcd(a − 1, 26) = 2 and therefore we have to choose b odd so as the congruence has no solution. Together, we have 25 + 11 · 13 = 168 keys such that no characters are fixed. (b) We can use the fact from part (a), ie. that the number of solutions is equal to gcd(a − 1, 26) for a > 1. For a = 0 and b = 0 there are 26 solutions. There is no key with exactly one solution, ie. one fixed character. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 60 (c) We need to subtract results from (a) and (b) from the total number of keys: 312−(168+0) = 144. 4.12. First a quick observation: if cx + d ≡ 0 (mod 26) for all x ∈ {0, 1, . . . , 25}, then necessarily c ≡ 0 (mod 26) (otherwise cx would take at least two different values for varying x ∈ {0, 1, . . . , 25}, and the operation of adding d is invertible) and consequently also d ≡ 0 (mod 26). (a) The equality e(e(e(x))) = x can be rewritten as (a3 − 1)x + b(a2 + a + 1) ≡ 0 (mod 26). By the observation above, this implies that a3 − 1 ≡ 0 (mod 26) and b(a2 + a + 1) ≡ 0 (mod 26). Since gcd(3, ϕ(26)) = 3, there are exactly three third roots of unity modulo 26, namely 1, 3, 9. By solving the second congruence, we can see that all the possible pairs (a, b) are (1, 0), (3, 0), (3, 2k), (9, 2k), where k ∈ {1, 2 . . . , 12} can be arbitrary. (b) The equality e5(x) = x can be rewritten as (a5 −1)x+b(a4 +a3 +a2 +a+1) ≡ 0 (mod 26). By the observation above, this implies a5−1 ≡ 0 (mod 26) and b(a4+a3+a2+a+1) ≡ 0 (mod 26). But since gcd(5, ϕ(26)) = 1, the map of taking the fifth power modulo 26 is injective, hence the only fifth root of unity modulo 26 is 1. Consequently the only possible pair (a, b) is (1, 0). 4.13. (a) In affine cryptosystem the keys are tuples (a, b) ∈ Z×Z such that 0 ≤ a, b < p and gcd(a, p) = 1. This gives us p possible values for b and ϕ(p) possible values for a where ϕ denotes Euler’s totient function. Overall it’s p · ϕ(p) = p(p − 1). (b) In Hill cryptosystem the keys are invertible n × n matrices. Since Zp is a field, the invertible matrices are exactly those of rank n, i.e. they have n linearly independent rows. 
For the first row we have pn − 1 possible values (all non-zero p-ary words of length n). For the second row we have pn − p possible values (all p-ary words of length n that are linearly independent from the first row). In the third row we have pn − p2 possible values and so on. Overall it’s n−1 i=0 (pn − pi ). (c) Let Mn(R) denote the ring of n×n matrices over the ring R. From Chinese remainder theorem for rings we get the isomorphism Mn(Z26) ∼= Mn(Z2) × Mn(Z13). Let A = (A1, A2) ∈ Mn(Z2) × Mn(Z13) be some invertible matrix. Its inverse has to be of the form A−1 = (A−1 1 , A−1 2 ) ∈ Mn(Z2) × Mn(Z13), i.e. the matrix A is invertible modulo 26 iff A1 is invertible modulo 2 and A2 is invertible modulo 13. There are n−1 i=0 (2n − 2i) possible values for A1 and n−1 i=0 (13n − 13i) possible values for A2. Overall there are n−1 i=0 (2n − 2i )(13n − 13i ) invertible n × n matrices over the 26-ary alphabet. 4.14. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 61 (a) The keyspace is the set {(a, b) ∈ Z126 × Z126 | gcd(a, 126) = 1}. There are 126 possibilities for b and ϕ(126) possibilities for a (where ϕ is the Euler totient function). ϕ(126) = ϕ(2) · ϕ(32 ) · ϕ(7) = 1 · 3 · 2 · 6 = 36 The number of possible keys is 36 · 126 = 4536. (b) The corresponding decryption function is d(y) = 23−1 (y − 7) (mod 126). To find the inverse of 23 we use the Euclidean algorithm: 126 = 5 · 23 + 11 23 = 2 · 11 + 1 1 = 23 − 2 · 11 = 23 − 2(126 − 5 · 23) = 11 · 23 − 2 · 126. Because −2 · 126 ≡ 0 ( mod 126), we get 23−1 = 11 ( mod 126). d(y) = 11(y − 7) ( mod 126) d(e(x)) = 11((23x + 7) − 7) = 11(23x) = x ( mod 126) 4.15. One has to found the number of matrices of degree 2 invertible over Zp field. We use the fact that, over a field , a square matrix is invertible if and only if its columns are linearly independent. We have to describe how 2 column vectors over Zp can be chosen such that they will form an invertible matrix. The only restriction on the first vector is that it be nonzero, because this would destroy the linear independence of the columns. Therefore, there are p2 − 1 possibilities for the first column. The second column can be chosen in p2 − p ways to avoid linear combinations of the first column. Thus, there are (p2 − 1)(p2 − p) possible keys. 4.16. We can determine the keylength using the Friedman method: l = 26 i=1 ni(ni − 1) n(n − 1) = 0.475883826064, L = 0.027n (n − 1)l − 0.038n + 0.065 = 2.80672431976 = 3. We can assume that the length of the key is 3, Frequency analysis for each position modulo the key length gives the following results: Position 0 Position 1 Position 2 O (29) I (23) C (26) D (16) X (20) R (26) S (15) W (16) L (17) . . . . . . . . . The most frequent character in the English text is e, so we will try to substitute it for the most frequent symbols in the cryptotext.With substitutions O → e, I → e, C → e (which correspond to the key “KEY”) we get the following plaintext (which is actually the Kerckhoff’s principle): The system must be practically if not mathematically indecipherable. It must not be required to be secret and it must be able to fall into the hands of the enemy without inconvenience. Its key must be communicable and retainable without the help of written notes and changeable or CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 62 modifiable at the will of the correspondents. It must be applicable to telegraphic correspondence. It must be portable and its usage and function must not require the concourse of several people. 
Finally it is necessary given the circumstances that command its application that the system be easy to use requiring neither mental strain nor the knowledge of along series of rules to observe. 4.17. (by L. Pek´arkov´a) To tak kdysi ˇsli Bob a Bob´ık spolu na proch´azku. Do rytmu si zp´ıvali p´ısniˇcky a sk´akali do kaluˇz´ı. Hodili pucku do okna a to bylo rozbito. Koukali na to, avˇsak pro jistotu zdrhli pryˇc. Jak tak ut´ıkali, potkali Barboru — kamar´adku. ˇSt’astn´a to d´ıvka Barbora vyzv´ıdala, proˇc oba ut´ıkaj´ı. Kupodivu s nimi zaˇcala taky ut´ıkat, aniˇz by j´ı Bob ˇci Bob´ık vyklopili pˇr´ıhodu s puckou. Tato partiˇcka dout´ıkala aˇz k obchodu s poˇc´ıtaˇci. Tam si chv´ıli oddychla, aby nabrala s´ıly. Tady si vˇsimli dvou vystavovan´ych kousk˚u. Zal´ıbily si ty kousky natolik, aby si dalˇs´ı r´ano doˇsli do obchodu a koupili si kaˇzd´y svou maˇsinku (za maminˇciny prachy :)). Nyn´ı uˇz mohli hr´at svou milou hru i po s´ıti. Paˇrba jim imponovala natolik, aby si podali (zas vˇsichni tˇri) pˇrihl´aˇsku na fakultu informatiky, aby si tam ujasnili znalosti, nabyvˇs´ı za dlouhou hr´aˇcskou dr´ahu. Po strastipln´ych zkouˇskov´ych obdob´ıch si prokousali sic ´uzkou uliˇcku k titulu a zaˇcali podnikat v oboru. Z poˇc´atku jim obchody v´azly, pak vˇsak doˇslo k zlomu. Vymyslili si vlastn´ı ˇsifrovac´ı programy, coˇz jin´ı povaˇzovali za hloupost. Avˇsak programy si naˇsly na trhu ” kamar´ady“, a tak firma tˇr´ı informatik˚u vzr˚ustala. Jak vidno i mal´a pucka by mohla ovlivnit ˇzivot i n´as ostatn´ıch :). 4.18. Each of the given cryptosystem is an idempotent cryptosystem, i.e. S2 = S. (a) Caesar: Composition of two shifts is again a shift. If k1, k2 are the keys then it is equivalent to use a single shift with the key k = k1 + k2 (mod |P|). (b) Vigen`ere: P = C = (Z26)n and K = (Z26)m. Let k1 = (k11 , . . . , k1m ), k2 = (k21 , . . . , k2m ) be keys of length m. Then k = (k11 + k21 (mod n), . . . , k1m + k2m (mod n)) ∈ K. (c) Hill: K is a set of invertible matrices of a degree n. If k1 = M1, k2 = M2 then k = M1·M2 ∈ K. Invertible matrices with the multiplication operation form a group GL(n). (d) Affine: K = Z∗ n × Zn. If k1 = (a1, b1), k2 = (a2, b2) then k = (a1a2, a1b2 + b1) ∈ K, 4.19. One should first compress and then encrypt. If we first encrypt then the resulting cryptotext is indistinguishable from random text and compression algorithm fails because it cannot find compressible patterns to reduce size. 4.20. Using the definition of the cryptosystem we have w1 ⊕ k1 = c1 w2 ⊕ w1 = c2 w3 ⊕ w2 = c3 Taking the sum of all 3 equations we receive w3 ⊕ k1 = c1 ⊕ c2 ⊕ c3, which gets us k1 = c1 ⊕ c2 ⊕ c3 ⊕ w3 and we know everything on the RHS so we now know k1. To get w1 we can add the second and third equation to get w3 ⊕ w1 = c2 ⊕ c3, which lets us get the first plaintext as w1 = c2 ⊕ c3 ⊕ w3. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 63 4.21. The solutions can be obtained by using properties of linear transformations. (a) The composition of two linear transformations can be obtained by multiplication of their matrices in the reversed order, i.e. M = H · G. Also it holds that (H · G)−1 = G−1 · H−1 = M−1 . (b) From linear algebra we have that det(A · B) = det(A) · det(B). And the matrix A is invertible mod 26 if and only if gcd(det(A), 26) = 1. The multiplication perserves this property. 4.22. We assume that the plaintext contains the word ’the’. The letter ”T” is encrypted as one of the letters from the set {T, U, V, W, X, Y, Z, A, B, C}. 
The letter ”H” is encrypted as one of the letters from the set {H, I, J, K, L, M, N, O, P, Q}. The letter ”E” is encrypted as one of the letters from the set {E, F, G, H, I, J, K, L, M, N}. The only consecutive three letters in the ciphertext satisfying these conditions are WIT. Subtracting the cryptotext WIT and the plaintext THE results in the possible key 315. Applying this key to the whole ciphertext yields the plaintext MEET AT THE EXIT. 4.23. (a) Pr[C = c|P = m]Pr[P = m] = Pr[P = m|C = c]Pr[C = c]. We have (Bayes’ theorem) Pr[C = c|P = m] = Pr[P = m|C = c]Pr[C = c] Pr[P = m] . Perfect secrecy gives Pr[C = c|P = m] = Pr[P = m]Pr[C = c] Pr[P = m] = Pr[C = c]. (b) Let m, m ∈ P be arbitrary plaintexts and let c, c ∈ C be any cryptotexts. From the assumption one can derive the following: Pr[P = m] = c∈C Pr[P = m|C = c]Pr[C = c] = = c∈C Pr[P = m |C = c]Pr[C = c] = Pr[P = m ]. Therefore Pr[C = c|P = m] = Pr[P = m|C = c]Pr[C = c] Pr[P = m] = = Pr[P = m |C = c]Pr[C = c] Pr[P = m ] = Pr[C = c|P = m ]. From both equalities one can derive the following relation: Pr[C = c] = 1 |P| |P|Pr[C = c|P = m] = Pr[C = c|P = m] from which the equality characterizing perfect secrecy can be obtained. CHAPTER 4. SECRET KEY CRYPTOSYSTEMS 64 4.24. (a) For c ∈ C, Pr[C = c] = {k|c∈C(k)} Pr[K = k]Pr[P = dk(c)]. Pr[C = a] = Pr[K = k1]Pr[P = dk1 (a)]+Pr[K = k2]Pr[P = dk2 (a)]+Pr[K = k3]Pr[P = dk3 (a)] Pr[C = a] = Pr[K = k1]Pr[P = x] + Pr[K = k2]Pr[P = z] + Pr[K = k3]Pr[P = y] Pr[C = a] = 13 48 Similarly, Pr[C = b] = 17 48 and Pr[C = c] = 18 48 . (b) We have Pr[C = a|P = x] = {k|x∈dk(c)} Pr[K = k] = Pr[K = k1] = 1 3 Pr[C = a|P = x] = Pr[C = a] Therefore, C is not perfectly secure (see previous exercise and equivalent definition of perfect secrecy). 4.25. (a) A cryptosystem is 2-perfectly secure if for any m, m ∈ P and any c, c ∈ C Pr[(P1, P2) = (m, m )|(C1, C2) = (c, c )] = Pr](P1, P2) = (m, m )]. (b) Let |P| = |C| = |K| = n. We have Pr[(P1, P2) = (m, m )] = 1 n2 . Since cryptotexts c, c were produced with the same key, there are only n pairs of plaintexts which can be encrypted to cryptotexts c and c . For these plaintext pairs we have Pr[(P1, P2) = (m, m )|(C1, C2) = (c, c )] = 1 n. Therefore one-time pad is not 2-perfect secure. 4.26. 1. Size of K is factorial n! 2. to show perfect secrecy we first need to calculate both pC(c) and p(C|P)(c|w) for each pair of messages c and w. Let us first start with pC(c) for each w ∈ P there exist exactly (n − 1)! permutations that map w to c. Therefore pC(c) can be written as pC(c) = w∈P pP (w) (n − 1)! n! = (n − 1)! n! w∈P pP (w) = (n − 1)! n! = 1 n , where (n−1)! n! is the probability to choose a key that maps w to c and the second to last equality follows from the fact that probabilities sum up to 1. Let us now examine p(C|P)(c|w). For a fixed pair c and w this is the probability that a key mapping w to c is chosen. As argued before this probability is (n−1)! n! = 1 n . Now from the Bayes’ rule it follows that p(P|C)(w|c) = pP (w) 1 n 1 n = pP (w), which shows perfect secrecy. Chapter 5 Public-Key Cryptography, I. 5.1 Introduction Symmetric cryptography is based on the use of secret keys. This means that massive communication using symmetric cryptography would require the distribution of large amount of data in some other, very secure, way, unless we want to compromise the secrecy by reusing the secret key data. The answer to this problem is the public key cryptography, also known as asymmetric cryptography. 
Public key cryptography uses different keys for encryption and decryption. Every party has her own secret decryption key, while the encryption key is publicly known. This allows anyone to encrypt messages, while only the one in possession of the decryption key can decrypt them. The main difficulty in designing public-key cryptosystems is to make decryption infeasible for those without the secret key. To achieve this goal, so-called trapdoor one-way functions are used for the encryption. These functions are easy to compute, but their inverses are easy to compute only if one possesses certain trapdoor information.

5.1.1 Diffie-Hellman protocol

This is the first asymmetric protocol designed to solve the secret-key distribution problem. Using this protocol two parties, say Alice and Bob, generate and share a random secret key. The protocol uses modular exponentiation as the one-way function. The parties first agree on a large prime p and a q < p of large order in Z*p. The protocol then proceeds as follows:
• Alice randomly chooses a large x < p − 1 and computes X = q^x mod p.
• Bob also chooses a large y < p − 1 and computes Y = q^y mod p.
• The two parties then exchange X and Y, while keeping x and y secret.
• Alice computes her key Y^x mod p and Bob computes X^y mod p, and this way they both have the same key k = q^{xy} mod p.

5.1.2 Blom's key pre-distribution protocol

Let a large prime p > n be publicly known, where n is the number of users in the network. Steps of the protocol follow:
• Each user U in the network is assigned, by Trent, a unique public number rU < p.
• Trent chooses three random numbers a, b and c, smaller than p.
• For each user U, Trent calculates two numbers aU = (a + b·rU) mod p, bU = (b + c·rU) mod p and sends them via his secure channel to U.
• Each user U creates the polynomial gU(x) = aU + bU·x.
• If Alice (A) wants to send a message to Bob (B), then Alice computes her key KAB = gA(rB) and Bob computes his key KBA = gB(rA).

5.1.3 Knapsack cryptosystem

The knapsack cryptosystem is based on the infeasibility of solving the general knapsack problem:

Knapsack problem: Given a vector of integers X = (x1, . . . , xn) and an integer c, determine a binary vector B = (b1, . . . , bn) such that XB = c.

The knapsack problem is easy if the vector is superincreasing, that is, for all i > 1 it holds that xi > x1 + x2 + · · · + xi−1. The knapsack cryptosystem first uses secret data to transform a knapsack problem with a superincreasing vector into a general, in principle infeasible, knapsack problem.
• Choose a superincreasing vector X = (x1, . . . , xn).
• Choose m and u such that m > 2xn and gcd(m, u) = 1.
• Compute X′ = (x′1, . . . , x′n), where x′i = u·xi mod m.
X′ is then the public key, while (X, u, m) is the secret trapdoor information. Encryption of a word w is done by computing c = X′·w. To decrypt a ciphertext c we compute u^{-1} mod m and c′ = u^{-1}·c mod m, and solve the knapsack problem with X and c′.

5.1.4 McEliece cryptosystem

Just like the knapsack cryptosystem, the McEliece cryptosystem is based on transforming an easy-to-break cryptosystem into one that is hard to break. The cryptosystem starts from an easy-to-decode linear code, which is then transformed into a code whose decoding is in general infeasible. The class of starting linear codes is that of the Goppa codes, [2^m, n − mt, 2t + 1]-codes, where n = 2^m.
• Let G be a generating matrix of an [n, k, d] Goppa code C.
• Let S be a k × k binary matrix invertible over Z2.
• Let P be an n × n permutation matrix.
• G′ = SGP.
The public encryption key is G′ and the secret key is (G, S, P).
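As an illustration of the key generation just described, the public matrix G′ = SGP can be obtained by two matrix multiplications over Z2; a small sketch in Python with numpy (our choice of tooling, not prescribed by the course):

    import numpy as np

    def mceliece_public_key(S, G, P):
        # G' = S G P, with all arithmetic reduced modulo 2
        return (S @ G @ P) % 2

Exercise 5.10 below applies exactly this construction to concrete binary matrices.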
Encryption of a plaintext w ∈ (Z2)^k is done by computing eK(w, e) = wG′ + e, where e is each time a new random binary vector of length n and weight t. Decryption of a ciphertext c = wG′ + e ∈ (Z2)^n is done by first computing c1 = cP^{-1}, then decoding c1 to get w1 = wS, and finally computing the plaintext w = w1S^{-1}.

5.1.5 RSA cryptosystem

RSA is a very important public-key cryptosystem based on the fact that multiplication of primes is very easy while integer factorization seems to be infeasible. To set up the cryptosystem we first choose two large (about 1024 bits long) primes p, q and compute n = pq and φ(n) = (p − 1)(q − 1). Then we choose a large d such that gcd(d, φ(n)) = 1 and compute e = d^{-1} mod φ(n). The public key is then the modulus n and the encryption exponent e. The trapdoor information is the primes p, q and the decryption exponent d. Encryption of a plaintext w is done by computing c = w^e mod n. Decryption of a ciphertext c is done by computing w = c^d mod n.

5.1.6 Rabin-Miller's prime recognition

Rabin-Miller's prime recognition is a simple randomized Monte Carlo algorithm that decides whether a given integer n is a prime. It is based on the following lemma.

Lemma 5.1.1. Let n ∈ N, n = 2^s·d + 1, where d is odd. Denote, for 1 ≤ x < n, by C(x) the condition: x^d ≢ 1 (mod n) and x^{2^r·d} ≢ −1 (mod n) for all 0 ≤ r < s. If C(x) holds for some 1 ≤ x < n, then n is not a prime. If n is not a prime, then C(x) holds for at least half of the x between 1 and n.

The algorithm then chooses random integers x1, . . . , xm such that 1 < xj < n and evaluates C(xj) for every one of them. If C(xj) holds for some xj, then n is not a prime. If it does not hold for any of the chosen integers, then n is declared a prime, with error probability at most 2^{-m}.

5.2 Exercises

5.1. (a) Use the Euclidean algorithm to find gcd(4757, 4087). (b) Use the extended Euclidean algorithm to find an inverse of 97 in (Z977, ·).

5.2. (a) Consider the Diffie-Hellman protocol with q = 3 and p = 353. Alice chooses x = 97 and Bob chooses y = 233. Compute X, Y and the key. (b) Design an extension of the Diffie-Hellman protocol that allows three parties Alice, Bob and Charlie to generate a common secret key.

5.3. Alice and Bob computed a secret key k using the Diffie-Hellman protocol with p = 467, q = 4, x = 400 and y = 134. Later they computed another secret key k′ with the same p, q, y and with x′ = 167. They were very surprised when they found that k = k′. Determine the value of both keys and explain why the keys are identical.

5.4. To simplify the implementation of the Diffie-Hellman protocol one can replace the multiplicative group (Zp, ·) by the additive group (Zp, +). How is security affected?

5.5. Consider Blom's key pre-distribution protocol (see the lecture slides) with two parties Alice and Bob and a trusted authority Trent. Let p = 44887 be the publicly known prime and rA = 4099 and rB = 31458 be the unique public numbers. Let a = 556, b = 13359 and c = 3398 be the secret random numbers. Use Blom's protocol to distribute a secret key between Alice and Bob.

5.6. In Blom's key pre-distribution protocol (see the lecture slides) show that the key generated by A and B is the same, i.e. show that KAB = KBA.

5.7. Bob sets up the Knapsack cryptosystem with X = (2, 5, 8, 17, 35, 70), m = 191, u = 34 so that Alice can send him messages. (a) Find Bob's public key X′. (b) Encode the messages 101010 and 100010. (c) Perform in detail Bob's decryption of c1 = 370 and c2 = 383.

5.8.
You are given RSA modulus n = 53916647. Determine p and q knowing the fact that the difference between factors is small. 5.9. Let n = pq where p, q are primes with p > q. 1. Show that p − q = (p + q)2 − 4n. 2. Express p and q in terms of n and ϕ(n). 5.10. Consider the McEliece cryptosystem with G =     1 0 0 0 1 1 0 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 0 0 1 1 1 1     , S =     1 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0     , P =           0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0           (a) Compute the public key G . (b) Using the error vector e = 0010000 encode the message w = 1001. (c) Decode cryptotext c = 0110110. 5.11. Consider the RSA cryptosystem with p = 43, q = 59 and d = 937. (a) Determine the encryption exponent e. (b) Encrypt the plaintext and 13487947504. (c) Decrypt the ciphertext 175807260375 that was sent in subwords of size 4. 5.12. Consider the RSA cryptosystem with n = 1363. It has been revealed that φ(n) = 1288. Use this information to factor n. 5.13. Consider the RSA cryptosystem with a public key (n, e). An integer m, m ≤ n − 1, is called a fixed point if me ≡ m (mod n). Show that if m is a fixed point then n − m is also a fixed point. 5.14. Suppose that Eve receives a cryptotext c = me mod n encrypted using the RSA cryptosystem. Suppose further that she is permitted to request a decryption of a single cryptotext c = c. Show how she can find the plaintext m. 5.15. Design of parameters for the RSA cryptosystem starts with choosing two large primes. Because these primes are part of the private key, they have to be chosen very carefully. More precisely, they need to be chosen at random by a cryptographically secure random number generator. Failing to do so can lead to problems. Indeed, consider the following set of RSA moduli, chosen by an imperfect random number generator, biased towards some numbers (some numbers appear with larger probability than others). Determine which of these moduli are secure: {8844679, 11316499, 13490941, 18761893, 21799573, 22862761, 48456493, 43831027, 58354333}. Do not use brute force factorization. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 69 5.16. Use the Rabin-Miller’s Monte Carlo algorithm for prime recognition to decide whether the number n = 5417 is a prime and state the accuracy of your outcome. Use the numbers x1 = 58, x2 = 864 and x3 = 3312 as the random integers in the algorithm. 5.17. Consider the following public-key cryptosystem that allows Bob to send encrypted message m to Alice: • Alice chooses Galois field Fq. • Alice chooses l polynomials in n variables P1, . . . Pl, such that Pi(v1, . . . vn) = 0 for some v = (v1, . . . vn) ∈ Fn q , for all 1 ≤ i ≤ l. • Alice makes Fq and (P1, . . . , Pl) public. • To send a message m, Bob chooses l polynomials with n variables Q1, . . . Ql and encrypts m using the function f : m → f(m) = m + l j=1 QjPj. • Bob sends f(m), the polynomial that is the encrypted message m, to Alice. The function f is a trapdoor function. Find the decryption process and the trapdoor information Alice needs to perform the decryption. * 5.18. Both Alice and Bob use the RSA cryptosystem with the same modulus n and encryption exponents eA and eB such that gcd(eA, eB) = 1. Let a third user Charlie send the same message m to both Alice and Bob using their individual encryption exponents. Eve intercepts the encrypted messages cA = meA (mod n) and cB = meB (mod n). She then computes x1 = e−1 A (mod eB) and x2 = (x1eA − 1)/(eB). 
(a) How can Eve compute m using cA, cB, x1 and x2? (b) Use the proposed method to compute m if n = 18721, eA = 43, eB = 7717, cA = 12677 and cB = 14702. * 5.19. Alice, Bob and Eve use the RSA cryptosystem with n = 99443. Let eA = 7883, eB = 5399 and eE = 1483 be the corresponding public key exponents. Let messages be written in ASCII, divided into subwords of length 5, each subword being encrypted separately. Imagine that you are Eve and you have captured the following message intended for Bob which was sent by Alice: 16278490204355400279. You know your dE = 3931. Decrypt the cryptotext (do not use brute force or factorization). * 5.20. Let (e, n1) and (e, n2) be Alice’s and Bob’s RSA public keys and let their encryption exponent be e = 3. Charlotte sends both of them the same short secret message m. Suppose n1 and n2 are coprimes and me n1n2. (a) Show how Eve, who intercepted both cryptotexts, reconstructs m. (Do not use brute force.) (b) Calculate m given public moduli n1 = 1363, n2 = 2419 and cryptotexts c1 = 18 and c2 = 325. * 5.21. Consider an RSA cryptosystem with public encryption key e = 3 and modulus of length 4096 bits where plaintexts are encrypted in blocks of length 1365 bits. Explain why this system is not secure. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 70 5.22. Consider the Diffie-Hellman key exchange protocol with p > 5 a safe prime, i.e. there exists a prime r such that p = 2r + 1. Let q be a primitive root modulo p. Suppose that Alice and Bob both choose their secret exponents x,y uniformly in the range 1 ≤ x, y ≤ p − 2. Calculate the probability that the shared secret qxy mod p is equal to 1. 5.3 Solutions 5.1. (a) We use the Euclidean algorithm to find gcd(4757, 4087): 4757 = 1 · 4087 + 670 4087 = 6 · 670 + 67 670 = 10 · 67 + 0. We got a remainder of 0 in the last step so gcd(4757, 4087) = 67. (b) We are looking for the inverse of 97 in (Z977, ·), which means looking for x ∈ Z977 such that 97x ≡ 1 mod 977 which is equivalent to 97x+977y = 1 for some y ∈ Z, which is the Bezout’s identity. We can use the extended Euclidean algorithm to find x and y. First we use the normal Euclidean algorithm: 977 = 10 · 97 + 7 97 = 13 · 7 + 6 7 = 1 · 6 + 1. To make things easier, we now express the individual remainders in each of the equation above: 7 = 977 − 10 · 97 6 = 97 − 13 · 7 1 = 7 − 1 · 6. Now we just traverse the equations obtained from the basic Euclidean algorithm in reverse: 1 = 7 − 1 · 6 = 7 − 1 · (97 − 13 · 7) = 14 · 7 − 1 · 97 = 14 · (977 − 10 · 97) − 1 · 97 = 14 · 977 − 141 · 97, Which gives us 97−1 ≡ −141 ≡ 836 mod 977. 5.2. (a) Following the Diffie-Hellman protocol we compute X = qx mod p = 397 mod 353 = 40 and Y = qy mod p = 3233 mod 353 = 248. The secret key k is then k = qxy mod p = 397·233 mod 353 = 373 mod 353 = 160. Note: Euler’s totient theorem was used to simplify the last computation. (b) As in the two-party case, the three parties first agree on large primes p and q < p of large order in Z∗ p. Alice, Bob and Charlie then choose large secret random integers x, y and z respectively, such that 1 ≤ x, y, z < p − 1. Alice then computes X1 = qx mod p and sends it to Bob, who computes X2 = Xy 1 mod p and sends X2 to Charlie. Charlie can now get his key kC = Xz 2 mod p. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 71 Bob then continues by computing Y1 = qy mod p and sends it to Charlie, who computes Y2 = Y z 1 mod p and sends it to Alice. Alice then computes kA = Y x 2 mod p. 
This procedure is repeated the third time with Charlie computing Z1 = qz mod p and sending it to Alice, Alice computing Z2 = Zx 1 mod p and sending it to Bob and Bob computing kB = Zy 2 mod p. It can easily be seen that k = kA = kB = kC = qxyz mod p is the secret key now shared between all three parties. The public information in this protocol is p, q, qx, qy, qz, qxy, qyz, qxz. Computing qxyz from this public information is at least as hard as breaking the original protocol. 5.3. First we compute the secret keys k and k individually: k ≡ qxy ≡ 4400·134 ≡ 2230·466 · 220 ≡ 2φ(p)·230 · 220 ≡ 2020 ≡ 161 (mod 467). k ≡ qx y ≡ 4167·134 ≡ 296·466 · 220 ≡ 2φ(p)·96 · 220 ≡ 2020 ≡ 161 (mod 467). Note: Euler’s totient theorem and the fact that φ(p) = p − 1 = 466 was used to simplify the calculation. This also shows the reason why k = k . We can see that 2x ≡ 2x (mod p − 1), indeed 2 · 400 ≡ 2 · 167 ≡ 334 (mod 467), and so k ≡ 22xy ≡ 22x y ≡ k (mod p) due to the Euler’s totient theorem. 5.4. By replacing the multiplicative group by the additive group we change the calculation of X and Y to X = qx mod p Y = qy mod p. But now from X and Y we can easily obtain the secrets x and y by first computing the multiplicative inverse q−1 q−1 ≡ qp−1 q−1 ≡ qp−2 (mod p). Using this we can then obtain x x ≡ q−1 qx ≡ q−1 X (mod p) and also y in the same way. But if we know both secrets we can now easily compute the secret key k = xyq mod p. This simplification is therefore not secure as the inverse to multiplication by known number is easy to compute. 5.5. First Trent calculates aA, aB, bA and bB: aA = 556 + 13359 · 4099 mod 44887 = 41844, aB = 556 + 13359 · 31458 mod 44887 = 15884, bA = 13359 + 3398 · 4099 mod 44887 = 26791, bB = 13359 + 3398 · 31458 mod 44887 = 31696. He then sends aA, bA to Alice and aB, bB to Bob. Alice now computes her key KAB = aA + bArB mod p = 41844 + 26791 · 31458 mod 44887 = 34810. And Bob does the same KBA = aB + bBrA mod p = 15884 + 31696 · 4099 mod 44887 = 34810, and as expected we have KAB = KBA. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 72 5.6. KAB = gA(rB) = aA + bArB = a + brA + (b + crA)rB = a + brA + brB + crArB = a + brB + (b + crB)rA = aB + bBrA = gB(rA) = KBA. 5.7. (a) Following the Knapsack protocol we have xi = uxi mod m and therefore X = 34 · (2, 5, 8, 17, 35, 70) mod 191 = (68, 170, 81, 5, 44, 88). (b) Alice encrypts a message w by computing X w so the encryption is (68, 170, 81, 5, 44, 88)(1, 0, 1, 0, 1, 0) = 193 (68, 170, 81, 5, 44, 88)(1, 0, 0, 0, 1, 0) = 112. (c) Bob first computes u−1 mod m = 118. He then computes the cryptotext for the original Knapsack problem c1 = u−1c1 mod m = 118 · 370 mod 191 = 112 and c2 = u−1c2 mod m = 118 · 383 mod 191 = 118. Bob now has to solve the knapsack problem with the superincreasing vector X and the cryptotexts c1 and c2. First we solve the problem for c1 = 112: 112 > 70 = x6 x6 = 70 > 112 − 70 = 42 > 35 = x5 x3 = 8 > 42 − 35 = 7 > 5 = x2 7 − 5 = 2 = x1. We have the sixth, fifth, second and first bit equal to 1. Therefore w1 = 110011. For the second cryptotext c2 = 118 we get: 118 > 70 = x6 x6 = 70 > 118 − 70 = 48 > 35 = x5 x4 = 17 > 48 − 35 = 13 > 8 = x3 13 − 8 = 5 = x2. So we have the sixth, fifth, third and second bit equal to 1. Therefore w2 = 011011. 5.8. If difference |p − q| is small then in order to factor n, it is enough to test x > √ n until x is found such that x2 − n is a square, say y2. In such a case, p + q = 2x and p − q = 2y and therefore p = x + y, q = x − y. 
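A minimal sketch of this search in Python (math.isqrt gives exact integer square roots; the function name is ours):

    from math import isqrt

    def fermat_factor(n):
        # look for x >= ceil(sqrt(n)) such that x*x - n is a perfect square y*y;
        # then n = (x + y)(x - y)
        x = isqrt(n)
        if x * x < n:
            x += 1
        while True:
            y2 = x * x - n
            y = isqrt(y2)
            if y * y == y2:
                return x + y, x - y
            x += 1

    print(fermat_factor(53916647))  # the modulus n from Exercise 5.8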
In our case √ 53916647 = 7342.795584789, so we test 73432 − 53916647 = 3002 that is not a square. Next, we try 73442 − 53916647 = 17689 = 1332. Therefore, p = 7344 + 133 = 7477 and q = 7344 − 133 = 7211. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 73 5.9. 1. n = pq −4n + p2 + q2 = −4pq + p2 + q2 −4n + p2 + 2pq + q2 = p2 − 2pq + q2 (p + q)2 − 4n = (p − q)2 p − q = (p + q)2 − 4n (We know the sign of the square root since p > q.) 2. We have a nonlinear system of two equations and two variables, p and q: n = pq, φ(n) = (p − 1)(q − 1). From these we immediately get (p + q) = pq − (p − 1)(q − 1) + 1 = n − ϕ(n) + 1. Now using the formula from the previous exercise we can obtain the value of (p − q) and then p = (p + q) + (p − q) 2 = (p + q) + (p + q)2 − 4n 2 = n − ϕ(n) + 1 + (n − ϕ(n) + 1)2 − 4n 2 and q = (p + q) − (p − q) 2 = (p + q) − (p + q)2 − 4n 2 = n − ϕ(n) + 1 − (n − ϕ(n) + 1)2 − 4n 2 . 5.10. (a) According to the protocol G is given by G = SGP so G =     1 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0     ·     1 0 0 0 1 1 0 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 0 0 1 1 1 1     ·           0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0           =     1 1 1 1 0 0 0 1 1 0 0 1 0 0 1 0 0 1 1 0 1 0 1 0 1 1 1 0     . CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 74 (b) Encryption of a word w using an error vector e is done by computing eK(w, e) = wG + e = (1001)     1 1 1 1 0 0 0 1 1 0 0 1 0 0 1 0 0 1 1 0 1 0 1 0 1 1 1 0     + (0010000) = (1000110) (c) Following the protocol we start the decryption of c by computing c1 = cP−1, but because P is an orthogonal matrix its inverse is equal to its transpose so c1 = (0110110)           0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0           = (1000111) Now we decode c1. The syndrome of c1 is (001) with coset leader (0000001), so the error is only on the 7th bit. Without the error the code word is 1000110. But that is the first row of the generating matrix G, so the decoded word is w1 = wS = 1000. Now we just find the inverse matrix S−1 and compute w1S−1 to obtain the word w. S−1 =     1 1 0 1 1 1 0 0 0 1 1 1 1 0 0 1     and w = w1S−1 = (1101). 5.11. (a) First we compute the modulus n = pq = 43 · 59 = 2537 and its Euler’s totient function φ(n) = (p − 1)(q − 1) = 42 · 58 = 2436. Then we find the encryption exponent e = d−1 mod φ(n). To find the inverse we can use the extended Euclidean Algorithm and Bezout’s identity for d and φ(n): 2436 = 3 · 937 − 375 937 = 2 · 375 + 187 375 = 2 · 187 + 1 The Bezout’s identity is then 1 = 375 − 2 · 187. Going backwards we obtain 1 = 375 − 2 · (937 − 2 · 375) = −2 · 937 + 5 · 375 = −2 · 937 + 5 · (−2436 + 3 · 937) = −5 · 2436 + 13 · 937, which gives us 13 · 937 ≡ 1 (mod φ(n)) so e = 13. (b) Because we can only send messages smaller than n we split the plaintext into four subwords of size 3: 134 879 475 204. The encryption of a subword w is then done by computing we CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 75 mod n: 13413 mod 2537 = 248 87913 mod 2537 = 579 47513 mod 2537 = 1441 20413 mod 2537 = 2232 So the whole encrypted message is 0248057914412232. (c) Splitting the message into subwords of size 4 we get: 1758 0726 0375. Decryption of a subword c is done by computing cd mod n: 1758937 mod 2537 = 397 726937 mod 2537 = 569 375937 mod 2537 = 169 So the whole decrypted message is 397569169. 5.13. 
We need to solve the following system of two equations with two variables: 1288 = (p − 1)(q − 1) 1363 = pq We can do this by expressing p from the first equation p = pq −1287−q = 1363−1287−q = 76−q. Plugging this into to the second equation we get the quadratic equation q2 − 76q + 1363 = 0. The two possible solutions q1 = 29 and q2 = 47 correspond to the fact that p and q are interchangeable and so we obtain the unique factorization 1363 = 29 · 47. 5.13. We first show that e has to be odd. That is because at least one of p, q is odd, therefore φ(n) = (p − 1)(q − 1) is even and because e is coprime to φ(n), it must be odd. Then we notice that n − m ≡ −m (mod n). Now because e is odd we have (−m)e ≡ −me (mod n). But m is a fixed point so −me ≡ −m (mod n). That means we have n − m ≡ −m ≡ (n − m)e (mod n), in other words n − m is a fixed point. 5.14. Let Eve choose c = rec mod n for some r such that c = c and assume she is also provided with the decryption m = (rec)d mod n. All she now needs to do is compute m r−1 mod n. Indeed we can see that m r−1 ≡ (re c)d r−1 ≡ rcd r−1 ≡ cd ≡ m (mod n). 5.15. If some primes are more likely to be generated than others, then there is a higher probability that two of the generated moduli have a common factor and this factor is the greatest common divisor of these moduli. So for every tuple of the generated moduli we can compute the greatest common divisor. A generated modulus is then secure if it has no non trivial common divisor with every other modulus. We don’t need to evaluate all pairs, we only need one nontrivial divisor for every modulus to factorize it as every modulus has only two prime divisors. The moduli 13490941 and 48456493 have no nontrivial common divisors with any other modulus and thus are the only secure of the given set. For every other modulus we have gcd(8844679, 11316499) = 3169 which gives us a divisor of 88446979 and 11316499. gcd(18761893, 21799573) = 4219 which gives us a divisor of 18761893 and 21799573. gcd(22862761, 18761893) = 4219. which gives us a divisor of 22862761. gcd(43831027, 58354333) = 7057 which gives us a divisor of 43831027 and 58354333. CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 76 5.16. First we express n = 23 · 677 + 1, so s = 3 and d = 677. Now we determine whether the conditions C(x1), C(x2) and C(x3) hold. We begin by computing the first part of the condition xd mod n for all the integers: 58677 mod 5417 = 368, 864677 mod 5417 = 4438, 3312677 mod 5417 = 1. Already we can see that C(x3) does not hold. The possible r for the second part of the condition x2rd mod n are r0 = 0, r1 = 1, and r2 = 2. From the previous calculation, we can see that the condition is not violated for r0 and we compute 5821·677 mod 5417 = 5416, 86421·677 mod 5417 = 5049, 5822·677 mod 5417 = 1, 86422·677 mod 5417 = 5416; but 5416 ≡ −1 (mod 5417) so neither C(x1) nor C(x2) holds. Neither of the three conditions hold, that means 5417 is a prime with probability of error 1 8. 5.17. The trapdoor information is v = (v1, . . . vn) because using it Alice can do the following with the encrypted message f(m): f(m)(v) = m + l j=1 Qj(v)Pj(v) = m + l j=1 Qj(v) · 0 = m to get the decrypted message. 5.18. (a) Because the two encryption exponents are coprime the Bezout’s identity for eA and eB has the form eAx + eBy = 1 for some integers x and y. If we know x and y we can compute m using to the following identity: m ≡ meAx+eBy ≡ meA x · meB y ≡ cx A · cy B (mod n). We can find the values of x and y using the extended Euclidean algorithm. 
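For concreteness, a small sketch of that computation (the helper names are illustrative); as a sanity check it also reproduces the inverse e = 13 of d = 937 modulo φ(n) = 2436 found in Exercise 5.11:

```python
def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Multiplicative inverse of a modulo m, assuming gcd(a, m) = 1."""
    g, x, _ = egcd(a, m)
    assert g == 1
    return x % m

# Bezout coefficients x, y with e_A*x + e_B*y = 1 come straight from egcd(e_A, e_B);
# sanity check against Exercise 5.11:
print(modinv(937, 2436))   # 13
```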
Because the encryption exponents are coprimes, x is the multiplicative inverse of eA (mod eB), that is x1. From the Bezout’s identity itself we have y = (1 − eAx)/eB, but that is −x2. So we get m = cx1 A · c−x2 B mod n. (b) First we compute the coefficients x1 = e−1 A (mod eB) = 2692 and x2 = (x1eA − 1)/(eB) = 15. With this we use the above formula to obtain m: m = cx1 A · c−x2 B mod n = 77172692 · 12677−15 mod 18721 = 18022. 5.19. Consider the following attack: We compute f = gcd(eEdE − 1, eB) and m = eEdE−1 f . Since gcd(eB, φ(n)) = 1 we have gcd(f, φ(n)) = 1 and so m is a multiple of φ(n). The Bezout’s identity for m and eB has the form mx + eBy = 1, for some integers x, y. Using this identity we have eBy ≡ 1 − mx ≡ 1 (mod φ(n)) and since eBdB ≡ 1 (mod φ(n)) we can see that (y − dB)eB ≡ 0 (mod φ(n)). But because eB is coprime to CHAPTER 5. PUBLIC-KEY CRYPTOGRAPHY, I. 77 φ(n) we have y ≡ dB (mod φ(n)). This means we can use y instead of Bob’s decryption exponent. So to decrypt our message we compute f = gcd(cEdE − 1, eB) = 1 m = (cEdE − 1) = 5829672. Now we can find y using the extended Euclidean algorithm. We obtain y = 2807399 and decipher the captured message in subwords of 5: 162782807399 mod 99443 = 73327 490202807399 mod 99443 = 67986 435542807399 mod 99443 = 69328 2792807399 mod 99443 = 97985 The sent message is 73327679866932897985 which using the ASCII table translates to I LOVE YOU. 5.20. 1. Eve intercepted two cryptotexts c1 and c2. Since the message is very short me n1n2 and gcd(n1, n2) = 1, she can use Chinese reminder theorem to reconstruct m3 which is a unique solution mod n1n2 of the system of simultaneous congruences: m3 ≡ c1 (mod n1) (5.1) m3 ≡ c2 (mod n2). The solution is m3 = c1n2 n−1 2 mod n1 + c2n1 n−1 1 mod n2 mod n1n2. (5.2) 1) It is a valid solution, since: m3 ≡ c1n2 n−1 2 mod n1 + c2n1 n−1 1 mod n2 ≡ c1n2 n−1 2 mod n1 ≡ c1 (mod n1). Similarly for modn2. 2) Consider there being another solution to (5.1) we will denote it by x. Since it is a solution, it has the same reminder modn1 and therefore m3 − x is a multiple of n1, and similarly for n2. Moreover since n1 and n2 are coprimes, it has to be multiple of n1n2. Therefore x ≡ m3 (mod n1n2) and m3 is a unique solution modulo n1n2. Since the message is very short it is enough to calculate integer cube root to recover m. 2. We use the equation (5.2) to calculate m3 = 18 × 2419 × 626 + 325 × 1363 × 1308 = 2744 mod 2419 × 1363. We calculate integer cube root and receive the secret message 14. 5.21. The maximum cryptotext value for message of length of 1365 bits is (21365 − 1)3. This is obviously less than (21365)3 = 24095 which is the minimal value for key of length 4096. Therefore no modular reduction happens and we can easily calculate the third root of encrypted message to get the plaintext. 5.22. Since q is a primitive element of the Z∗ p, we have qxy = 1 in Z∗ p if and only if p − 1|xy, i.e. 2r|xy. Since r is a prime and 1 ≤ x, y ≤ p−2 = 2r −1 < 2r, we get that one of x, y must be r.Then, it is clearly necessary and sufficient that the other integer be even. Together, the probability is 2 · 1 2r − 1 · r − 1 2r − 1 = 2(r − 1) (2r − 1)2 = p − 3 (p − 2)2 . where 1 2r−1 is the probability of choosing x = r, r−1 2r−1 is the probability of choosing even y. It can be vice versa as well, therefore the multiplication by 2; note that r is odd, so we do not count any possibility twice. Chapter 6 Public-Key Cryptography, II. 6.1 Introduction In this chapter we continue with public-key cryptosystems. 
This time we focus on systems whose security depends on the fact that the computation of square roots and discrete logarithms is in general infeasible in certain groups. 6.1.1 Rabin Cryptosystem The first such cryptosystem is the Rabin cryptosystem. Its secret key are the Blum primes p, q and the public key is the modulus n = pq. Encryption of a plaintext w < n is done by computing c = w2 mod n. Decryption of a ciphertext c is done by finding the square roots of c modulo n. There are in total four square roots of c so the decryption process is not deterministic. This does not pose a problem when decrypting a meaningful text, but in the case of random strings it is impossible to determine uniquely the right square root. To calculate square roots modulo n we use its factors p and q and the following result. Theorem 6.1.1 (Chinese remainder theorem). Let m1, . . . , mt be integers, gcd(mi, mj) = 1 if i = j, and a1, . . . , at be integers such that 0 < ai < mi, 1 ≤ i ≤ t. Then the system of congruences x ≡ ai (mod mi), 1 ≤ i ≤ t has the solution x = t i=1 aiMiNi, where M = t i=1 mi, Mi = M mi , Ni = M−1 i mod mi and the solution is unique up to the congruence modulo M. 6.1.2 ElGamal cryptosystem The ElGamal cryptosystem relies on the infeasibility of computing a discrete logarithm logq y in Z∗ p. It has nondeterministic encryption due to using randomness. Let p be a large prime and q, x two random integers such that 1 ≤ q, x ≤ p and q is a primitive element of Z∗ p. Let y = qx mod p. Then p, q, y is the public key of the cryptosystem and x is its trapdoor information. Encryption of a plaintext w consists of choosing a random r and computing a = qr mod p and b = yrw mod p. The ciphertext is then c = (a, b). To decrypt a ciphertext c = (a, b) we use x to calculate w = b ax mod p = ba−x mod p. 6.1.3 Shanks’ algorithm for discrete logarithm Shanks’ algorithm, called also Baby-step giant-step, is an algorithm for computing the discrete logarithm logq y in Z∗ p, which provides an improvement over the naive brute force method. Let m = √ p − 1 . The algorithm proceeds as follows 78 CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 79 • Compute qmj mod p, for all 0 ≤ j ≤ m − 1. • Create the list L1 of m pairs (j, qmj mod p), 0 ≤ j ≤ m − 1, sorted by the second item. • Compute yq−i mod p, for all 0 ≤ i ≤ m − 1. • Create the list L2 of m pairs (i, yq−i mod p), 0 ≤ j ≤ m − 1, sorted by the second item. • Find two pairs, one (j, z) ∈ L1 and (i, z) ∈ L2 with the identical second element. If such a search is successful, then qmj+i ≡ y (mod p), so the solution to the discrete logarithm is logq y = mj + i. 6.1.4 Perfect security of cryptosystems When designing secure cryptosystems we not only require that it is impossible to obtain the corresponding plaintext from a ciphertext. We require that absolutely no information about the plaintext, such as some of its bits or parity, can be obtained. One of the conditions for perfectly secure cryptosystems is the use of randomized encryptions. Otherwise possible attacker can guess the plaintext, compute its deterministic encryption and compare it to intercepted ciphertext. To properly define perfect security we need the concept of a negligible function Definition 6.1.2. A function f : N → R is a negligible function if for any polynomial p(n) and for almost all n it holds f(n) ≤ 1 p(n) . 6.1.5 Blum-Goldwasser cryptosystem Blum-Goldwasser cryptosystem is a public-key cryptosystem with randomized encryptions. Its security relies solely on the infeasibility of integer factorization. 
The private key are two Blum primes p and q, such that p ≡ q ≡ 3 (mod 4), and the public key is the modulus n = pq. Encryption of a plaintext x ∈ {0, 1}m • Randomly choose s0 ∈ {0, 1, . . . , n} • For i = 1, 2, . . . , m + 1 compute si = s2 i−1 mod n and σi, the least significant bit of si. The ciphertext is then (sm+1, y), where y = x ⊕ σ1σ2 . . . σm. Decryption of the ciphertext (r, y) • Compute rp = r((p+1)/4)m mod p and rq = r((q+1)/4)m mod q • Let s1 = q(q−1 mod p)rp + p(p−1 mod q)rq mod n. • For i = 1, . . . , m, compute σi and si+1 = s2 i mod n. The plaintext is then y ⊕ σ1σ2 . . . σm. 6.1.6 Hash functions Hash functions are functions that map arbitrarily huge data to small fixed size output. Required properties for good cryptographic hash function f are Definition 6.1.3 (Pre-image resistance). Given hash h it should be infeasible to find message m such that h = f(m). In such a case we say that f has one-wayness property. Definition 6.1.4 (Second pre-image resistance). Given a message m1 it should be infeasible to find another message m2 such that f(m1) = f(m2). In such a case we say f is weakly collision resistant. Definition 6.1.5 (Collision resistance). It should be infeasible to find two messages m1 and m2 such that f(m1) = f(m2). In such a case we say that f is strongly collision resistant. CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 80 6.2 Exercises 6.1. Let c = 56 and n = 143. Using the Chinese remainder theorem, determine in detail all square roots of c modulo n. 6.2. Show that Rabin cryptosystem is vulnerable to a chosen-ciphertext attack. 6.3. Consider the ElGamal cryptosystems with a public key (p, q, y) and a private key x. (a) Encrypt the message w = 15131 using parameters p = 199999, q = 23793, x = 894 and r = 723. (b) Decrypt the ciphertext c = (299, 457) using parameters p = 503, q = 2, x = 42. 6.4. Consider the ElGamal cryptosystem with a public key (p, q, y) and a private key x. (a) Let c = (a, b) be a ciphertext. Suppose that Eve can obtain the decryption of any chosen cryptotext c = c. Show that this enables her to decrypt c. (b) Let c1 = (a1, b1), c2 = (a2, b2) be the two ciphertexts of the messages m1 and m2, m1 = m2, respectively, using the same public key. Encrypt some other message m . 6.5. Consider the congruence 5x ≡ 112 (mod 131). Calculate x using Shanks’ algorithm. Show all steps of the calculation. 6.6. Let f(n) be a negligible function and g(n) not be a negligible function. Show that g(n) − f(n) is not negligible. 6.7. Consider the subset of all negligible functions defined as follows: G = {ρ | ρ is a negligile function with Im(ρ) ⊆ N}. Which of the following is (G, ◦), where ◦ is the operation of function composition, if any: • semigroup, • monoid, • group, • Abelian group. How would the previous answer change if the previous definition of G is modified as follows: (a) G = {ρ | ρ is a negligile function with Im(ρ) ⊆ N, ρ is a strictly increasing function}, (b) G = {ρ | ρ is a negligile function with Im(ρ) ⊆ N, ρ is a strictly decreasing function}. 6.8. Consider the Blum-Goldwasser cryptosystem with parameters p = 43 and q = 59. (a) Encode the message x = 0110 with s0 = 1337. (b) Decode the message (2218, 1001). CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 81 6.9. Consider any two strongly collision resistant hash functions h1 : {0, 1}n → {0, 1}m and h2 : {0, 1}n → {0, 1}m such that h1(x) = h2(x) for any x ∈ {0, 1}n. Now consider the following hash functions h : {0, 1}n → {0, 1}m and h : {0, 1}n → {0, 1}2m: h(x) = h1(x) ⊕ h2(x), h (x) = h1(x) || h(x). 
Determine whether h, h has to be 1. pre-image resistant, 2. weakly collision resistant, 3. strongly collision resistant. Explain your reasoning. 6.10. Suppose h : {0, 1}2m → {0, 1}m is a strongly collision-free hash function. Let h : {0, 1}4m → {0, 1}m be defined as h (x) = h(h(x1) h(x2)), where x1 is the first half of x and x2 is t he second half of x. Prove that h is strongly collision-free hash function. * 6.11. Suppose you know a valid plaintext-ciphertext pair w1 = 457, (a1, b1) = (663, 2138), constructed using ElGamal cryptosystem with public information p = 6661, q = 6, y = 6015. You also know that instead of using a new random r to encrypt each new message, the sender just increments the previous one, i.e. r2 = r1 + 1. (a) With this knowledge, decrypt the follwing ciphertext (a2, b2) = (3978, 1466) without calculating discrete logarithms. (b) Show that the same attack is possible for any linear update function of the random seed, i.e. whenever r2 = kr1 + mod p − 1. * 6.12. Consider a large prime p and a primitive root a modulo p. Suppose that an encryption scheme encodes an integer x ∈ Z∗ p as follows c = ax mod p. Show that given c, an enemy can find (in polynomial time) the value of the least significant bit of x. 6.13. Consider the uniform distribution of birthdays in a 365-day year. What is the probability that two people in a group have a birthday on the same day if the group consists of (a) 2 people, (b) 23 people, (c) 97 people. * 6.14. Consider the following modification of the ElGamal cryptosystem. Let G be a group with q elements, where q is a large prime, g is its generator and h = gx for some x < q. Suppose that multiplication and exponentiation in G can be done efficiently while computing discrete logarithms is hard. Let message m ∈ {0, 1, . . . , b}, where b is small, be encrypted using a public key (G, g, h) as c = (gr, gmhr), where r is chosen uniformly and randomly from {0, 1, . . . , q − 1}. CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 82 (a) Describe how to recover the message m. (b) Let m1, m2 and c1, c2 be two messages and their corresponding cryptotexts, respectively. Show that there is an algorithm which from a public key (G, g, h) and the cryptotexts c1, c2 determines a cryptotext c encrypting the message m1 + m2. Cryptotext c should be randomly distributed as if it was encrypted with a fresh randomly chosen r. The algorithm is expected to have no information about neither m1 nor m2. (c) Suppose that n > 2 people would like to compute their average salary but they would be very displeased if any information about their individual salaries was revealed. Let xi be a salary of the person i, where i ∈ {1, 2, . . . , n}. Suppose that the sum of all the salaries is at most b. Show how to compute the average a = x1+x2+···+xn n without revealing any other information about any xi. Observe that a might not be an integer. * 6.15. Which of the following functions f : N → N are negligible? Prove your answer. (a) 2− √ log n (b) n− log log n * 6.16. What is the smallest number of people in a group so that the probability that two people in the group have birthday within the interval of k days is at least 1 2? Calculate this number for k = 1, . . . , 15. * 6.17. Determine all odd quadratic residues modulo 2n for n ≥ 3, i.e. odd numbers k such that x2 ≡ k (mod 2n ) has a solution for x ∈ Z. (a) Find all odd quadratic residues modulo 8. (b) Show that for n > 3, the congruence x2 ≡ k (mod 2n) has either zero or exactly four solutions for x ∈ Z. 
Hint: You can use without proof the fact that for n > 3, any odd positive integer m < 2n satisfies the congruence m ≡ (−1)e1 5e2 (mod 2n) for a unique e1 ∈ {0, 1}, e2 ∈ {0, 1, . . . , 2n−2}. (c) Using (a) and (b), describe all odd quadratic residues modulo 2n for n > 3 by a single congruence. * 6.18. Using a primitive root of Z∗ 43, solve the following congruence x19 ≡ 38 (mod 43). Avoid the exhaustive search for a primitive root. * 6.19. Consider the following cryptosystem. Let n = pq where p and q are primes. The value n is made public, (n, φ(n) forms private key. • Encryption: To encrypt a message m ∈ Zn, choose a random r ∈ Z∗ n and compute c = (1 + n)m rn mod n2 . CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 83 • Decryption: To decrypt a ciphertext c, compute m = (cφ(n) mod n2) − 1 n φ(n)−1 mod n where integer division is used. (a) Let n = 3953. Use r = 1111 to encrypt m = 2019. Decrypt your ciphertext using the fact n = 59 · 67. (b) Decrypt c = 4354044 without using the private key, only with the knowledge of the plaintextciphertext pair from (a). (c) Prove the following fact that the described cryptosystem exploits: For integers n and a, 0 ≤ a ≤ n, prove that (1 + n)a = 1 + an (mod n2). * 6.20. Consider the following cryptosystem: • Key generation: Let k be an integer. Pick two different odd primes p and q, an element e ∈ Zn such that gcd(e, φ(n)) = 1. Let n = pq and d = e−1 mod φ(n). • Public key: (e, n) • Secret key: (d, n) • Encryption: To encrypt a message m ∈ Zn, one picks a random r ∈ Z∗ n and computes the ciphertext c = re(1 + mn) mod n2. Find the decryption algorithm. 6.3 Solutions 6.1. Factors of n = 143 are m1 = 11 and m2 = 13. Therefore we can express c as the tuple (c mod m1, c mod m2) = (1, 4). Since for all square roots s of c modulo n it must hold s2 ≡ 1 (mod 11) and s2 ≡ 4 (mod 13). That gives us four conditions for the square root s: s ≡ ±1 (mod 11), s ≡ ±2 (mod 13) Using the Chinese remainder theorem we can now compute all four solutions for s. The solutions have the form s = a1M1N1 + a2M2N2 mod n, where M1 = n m1 = 13, M2 = n m2 = 11, N1 = M−1 1 mod m1 = 6, N2 = M−1 2 mod m2 = 6, a1 = s mod 11, a2 = s mod 13. The last two equations give us a1 ∈ {1, 10} and a2 ∈ {2, 11} and we can see why the number of square roots is four. All the possible combinations of a1 and a2 and the resulting square root s can now be seen in the table bellow CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 84 a1 a2 s 1 2 67 10 2 54 1 11 89 10 11 76 So the square roots of 56 modulo 143 are 67, 54, 89 and 76. 6.2. Let n = pq be the public modulus of the Rabin cryptosystem, where p and q are primes. We will show how we can find the factorization of n using the chosen-ciphertext attack. This would allow us to decrypt any encrypted message. Let us chose a random x and ask for the decryption of c = x2 mod n. We receive one of the four square roots y of c. With probability 1 2 it holds y = ±x. In such case it holds 0 = (x − y)(x + y) = cn = cpq because x2 − y2 ≡ 0 (mod n). So if we now compute gcd(x + y, n) and gcd(x − y, n) we can obtain p or q. The probability of success can be amplified to (1 − 1 2 k ) by asking for k plaintexts. 6.3. (a) Following the protocol of ElGamal we first compute y = qx mod p = 23793723 mod 199999 = 137565. Then we compute the two components of the ciphertext, namely a and b a = qr mod p = 23793723 mod 199999 = 89804 b = yr w mod p = 137565723 · 15131 mod 199999 = 7512. The encrypted message is then c = (a, b) = (89804, 7512). 
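As a quick sketch (assuming Python 3.8+ for modular inverses via pow), the same encryption can be re-created and checked against the decryption formula used in part (b) below; the round trip must return w:

```python
p, q, x, r, w = 199999, 23793, 894, 723, 15131    # parameters of Exercise 6.3(a)

y = pow(q, x, p)                  # public key component y = q^x mod p
a = pow(q, r, p)                  # a = q^r mod p
b = (pow(y, r, p) * w) % p        # b = y^r * w mod p
print(a, b)                       # the text reports the ciphertext (89804, 7512)

recovered = (b * pow(a, -x, p)) % p   # w = b * (a^x)^{-1} mod p
assert recovered == w
```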
(b) Let (299, 457) = (a, b), the decryption is done by computing w = b(ax)−1 mod p so w = 457 · (29942 )−1 mod 503 = 457 · 393 mod 503 = 30. The plaintext is therefore w = 30. 6.4. (a) We know that c = (a, b) = (qr, yrm), where r is some random number and m is the given original message. Consider the cryptotext c = (a, 2b) = (qr, 2yrm). Clearly c = c . The decryption of c is then 2ba−x = 2yr mq−xr = 2qxr mq−xr = 2m. Now because 2 is coprime to p it is invertible modulo p. That means we can just divide the obtained plaintext by 2 and obtain the original message m. (b) Let c1 = (a1, b1) = (qr1 , yr1 m1) and c2 = (a2, b2) = (qr2 , yr2 m2), for some random r1 and r2. Consider the cryptotext c = (a1a2, nb1b2) = (qr1 qr2 , nyr1 yr2 m1m2), n ∈ Z∗ p. Decrypting c we get nb1b2(a1a2)−x = nyr1 yr2 m1m2(qr1 qr2 )−x = nqx(r1+r2) m1m2q−x(r1+r2) = nm1m2. So c is the correct encryption of the message nm1m2 for any n ∈ Z∗ p. CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 85 6.5. We use the Shanks’ algorithm to calculate the discrete logarithm logq y in Z∗ p. In our case we have q = 5, p = 131 and y = 112. First we determine the parameter m = √ p − 1 = √ 130 = 12. Now we create the list L1 of m tuples (j, qmj mod p), for 0 ≤ j ≤ m − 1. The list L1 is shown in the following table. j 0 1 2 3 4 5 6 7 8 9 10 11 qmj mod p 1 117 65 7 33 62 49 100 41 81 45 25 Next we create the list L2 of m tuples (i, yq−i mod p), for 0 ≤ i ≤ m − 1. The list L2 is shown in the table below. i 0 1 2 3 4 5 6 7 8 9 10 11 yq−i mod p 112 101 125 25 5 1 105 21 109 48 62 91 We can now see that there are three pairs of tuples with equal second item (5, 62) (10, 62), (11, 25) (3, 25), (0, 1) (5, 1). This gives us three solutions to the discrete logarithm in the form logq y = mj + i. The first pair gives us log5 112 = (12 · 5 + 10) mod 130 = 70. The second log5 112 = (12 · 11 + 3) mod 130 = 5. And the third pair gives the same solution as the second one log5 112 = (12 · 0 + 5) mod 130 = 5. So using Shanks’ algorithm we have found two solutions to the original congruence, namely x1 = 70 and x2 = 5. Indeed we can check that 570 ≡ 112 (mod 131), 55 ≡ 112 (mod 131). 6.6. Let f(n) be a negligible function, g(n) be a not negligible function and h(n) = g(n) − f(n) be negligible. Then g(n) = h(n) + f(n). We will show that the sum of two negligible functions has to be a negligible function. Since h(n) and f(n) are negligible we know that ∀c ∃n0 such that ∀n ≥ n0 f(n), h(n) < n−(c+1). Now ∀n ≥ n0 it holds f(n) + h(n) ≤ n−(c+1) + n−(c+1) = 2n−(c+1) ≤ n · n−(c+1) = n−c. (This only holds if n0 ≥ 2 but if that’s not true, we just take ∀n ≥ 2 instead). But this is just the definition of f(n) + h(n) being negligible. This gives us a contradiction and thus g(n) − f(n) must be not negligible. 6.7. Because for every ρ, ρ ∈ G it holds Im ρ, Im ρ ⊆ N it also holds Im(ρ ◦ ρ ) ⊆ N. At the same time there is nρρ such that for all n > nρρ it holds ρ(ρ (n)) ≤ ρ (n) so the composition is still negligible. That means the composition operation ◦ is well defined on G. Now we look at the associative property of the composition. Let f, g, h ∈ G, then we have for every n ∈ N ((f ◦ g) ◦ h) (n) = (f ◦ g)(h(n)) = f(g(h(n))) (f ◦ (g ◦ h)) (n) = f ((g ◦ h)(n)) = f(g(h(n))) CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 86 We can see that the composition is indeed associative and therefore (G, ◦) is a semigroup. The identity element for the composition ◦ is the identity function. But the identity function is clearly not negligible as n ≤ 1 n holds for only one n ∈ N. 
So G is neither monoid nor group nor Abelian group. Now let us look at the modified G. We will show by contradiction that both sets are empty and so they are only semigroups. (a) Let ρ ∈ G. ρ is strictly increasing and so ρ(n) ≥ n for all n ∈ N. That means ρ is greater or equal to the identity function and we already know the identity is not negligible, so ρ ∈ G, a contradiction. (b) Let ρ ∈ G and let x, y ∈ N such that ρ(x) = y. Then from the strictly decreasing property we get ρ(x + y) ≤ 0. But that means ρ(x + y + 1) < 0 which is a contradiction as Im ρ ⊆ N. 6.8. (a) The public key is n = pq = 43 · 59 = 2537. We need to calculate si for i ∈ {1, 2, . . . , 5} using the formula si = s2 i−1 mod n. s1 = 13372 mod 2537 = 1521 s2 = 15212 mod 2537 = 2234 s3 = 22342 mod 2537 = 477 s4 = 4772 mod 2537 = 1736 s5 = 17362 mod 2537 = 2277. Now we look at σi, the least significant bit of si, i ∈ {1, 2, 3, 4}. We have σ1σ2σ3σ4 = 1010. So the ciphertext of x is c = (s5, x ⊕ σ1σ2σ3σ4) = (2277, 1100). (b) Let (r, y) = (2218, 1001). We have m = 4 and we compute rp = r((p+1)/4)m mod p = 2218(114) mod 43 = 13 rq = r((q+1)/4)m mod q = 2218(154) mod 59 = 46. Now we obtain s1 by computing s1 = q(q−1 mod p)rp +p(p−1 mod q)rq mod n = 59·35·43+43·11·21 mod 2537 = 400. We continue by calculating si+1 = s2 i for i ∈ {1, 2, 3}. s2 = 4002 mod 2537 = 169 s3 = 1692 mod 2537 = 654 s4 = 6542 mod 2537 = 1500 Finally, we look at the least significant bits of si. They are σ1σ2σ3σ4 = 0100. This is all we need to obtain the plaintext as m = y ⊕ σ1σ2σ3σ4 = 1001 ⊕ 0100 = 1101. CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 87 6.9. The hash function h does not have to have any of the desired properties. Consider the following example: Let h1 be any strongly collision-resistant hash function from {0, 1}n to {0, 1}m. Now let h2(x) = h1(x) ⊕ 1m . Clearly h2 is also strongly collision-resistant hash function. This is because if we could find two messages that would break its strongly collision-resistant hash function property, they would also do the same to h1 which is strongly collision-resistant, thus a contradiction. This h2 also satisfies the condition h1(x) = h2(x) for any x ∈ {0, 1}n. Now look at h: h(x) = h1(x) ⊕ h1(x) ⊕ 1m = 1m . Since h is now just a constant function, it clearly does not satisfy any of the desired properties. Let us assume that h‘ is not strongly collision-free. Then it is feasible to find words w, w‘ such that w = w‘ and h‘(w) = h‘(w‘). Then h1(w)||h(w) = h1(w‘ )||h(w‘ ) But this gives us that h1(w) = h1(w‘ ) h(w) = h(w‘ ) But using the strongly collision-free property of h1 we get that w = w‘, which is a contradiction. So h‘ is a strongly collision-free hash function. 6.10. We prove the strongly collision-free property by a contradiction. Suppose that h is a strongly collision-free hash function, but that h is not. Because h is not strongly collision-free, it is feasible to find words w, w such that h (w) = h (w ) and w = w . Let w1 and w2 be the first and second half of w respectively. And let w1 and w2 be the first and second half of w , respectively. Then h(h(w1) h(w2)) = h(h(w1) h(w2)). But h is strongly collision-free so it has to hold h(w1) h(w2) = h(w1) h(w2), otherwise the two words h(w1) h(w2) and h(w1) h(w2) would break the strongly collision-free property. That means h(w1) = h(w1) and h(w2) = h(w2). But using the strongly collision-free property of h again we get w1 = w1 w2 = w2, which is a contradiction as it gives us w = w . So h is a strongly collision-free hash function. 6.11. 1. 
The first step is to realize that we can express $y^{r_1} = b_1 w_1^{-1} \bmod p$. Subsequently, we get that
$$w_2 = b_2 y^{-(r_1+1)} \bmod p = b_2 y^{-r_1} y^{-1} \bmod p = b_2 w_1 b_1^{-1} y^{-1} \bmod p.$$
In our case $w_2 = 1466 \cdot 457 \cdot 4153 \cdot 464 \bmod 6661 = 888$.

2. Note that for a more general update function $r_2 = k r_1 + l \bmod p-1$ we can still express $y^{r_1} = b_1 w_1^{-1} \bmod p$. With this knowledge we have
$$w_2 = b_2 y^{-(k r_1 + l)} \bmod p = b_2 y^{-k r_1} y^{-l} \bmod p = b_2 (y^{r_1})^{-k} y^{-l} \bmod p = b_2 w_1^{k} b_1^{-k} y^{-l} \bmod p.$$
Since $b_1$, $b_2$, $w_1$, $k$, $l$, and $y$ are all known, the plaintext $w_2$ can be efficiently calculated.

6.12. We will use Euler's criterion to find the least significant bit of $x$. First we calculate $c^{\frac{p-1}{2}} \bmod p$ and distinguish the following two cases.

(a) $c^{\frac{p-1}{2}} \equiv 1 \pmod p$. As $c$ is clearly coprime to $p$, this means that $c$ is a quadratic residue modulo $p$. So we can write $c = a^{2k} \bmod p$ for some $k$, because $a$ is a primitive root modulo $p$. This allows us to write $a^x \equiv a^{2k} \equiv c \pmod p$. So $x$ and $2k$ have the same parity, and because $2k$ is even, so is $x$. Therefore the least significant bit of $x$ is 0.

(b) $c^{\frac{p-1}{2}} \not\equiv 1 \pmod p$. In this case $c$ is not a quadratic residue modulo $p$ and we can write $c = a^{2k+1}$ for some $k$. Again we have $a^x \equiv a^{2k+1} \equiv c \pmod p$. So in this case $x$ has to be odd, therefore the least significant bit of $x$ is 1.

So all we need to do to get the least significant bit of $x$ is to compute $c^{\frac{p-1}{2}}$, which we can do in polynomial time.

6.13. The probability $p(n)$ that all $n \le 365$ people in a room have their birthdays on different days is
$$p(n) = \frac{365!}{365^{n}\,(365-n)!}.$$
The probability that two people in a group of size $n$ have a birthday on the same day is $1 - p(n)$. So we plug in the numbers for the three groups:

(a) If $n = 2$, the probability is $1 - p(2) = 1 - \frac{365!}{365^{2}\,(365-2)!} \approx 3 \cdot 10^{-3}$.

(b) If $n = 23$, the probability is $1 - p(23) = 1 - \frac{365!}{365^{23}\,(365-23)!} \approx 0.507$.

(c) If $n = 97$, the probability is $1 - p(97) = 1 - \frac{365!}{365^{97}\,(365-97)!} \approx 0.9999992$.

We can see that while it is very improbable for two particular people to share a birthday, already in a group of 23 people there is an over 50% chance that two of them share a birthday, and for 97 people such a pair is almost certain.

6.14. (a) Let $c = (y, z)$ be the ciphertext. First we compute $y^x = g^{rx} = h^r$ and $z (y^x)^{-1} = g^m h^r h^{-r} = g^m$. Because $b$ is small, we can simply try every possible $m' \in \{0, 1, \ldots, b\}$ and compare $g^{m'}$ with the recovered $g^m$ to obtain $m$.

(b) Let $c_1 = (g^{r_1}, g^{m_1} h^{r_1})$ and $c_2 = (g^{r_2}, g^{m_2} h^{r_2})$. Let $c_3 = (y, z)$, where
$$y = g^{r_1} g^{r_2} g^{r_3} = g^{r_1+r_2+r_3}, \qquad z = g^{m_1} h^{r_1} g^{m_2} h^{r_2} h^{r_3} = g^{m_1+m_2} h^{r_1+r_2+r_3},$$
for a randomly and uniformly chosen $r_3$. It can easily be seen that $c_3$ is the encryption of $m_1 + m_2$ using $r = r_1 + r_2 + r_3$. Because $r_3$ is chosen uniformly and independently of both $r_1$ and $r_2$, the sum $r_1 + r_2 + r_3$ is also distributed uniformly.

(c) Let the first person, $i = 1$, set up the modified ElGamal cryptosystem with public key $(G, g, h)$ and decryption exponent $x$. He then sends the ciphertext $c_1 = (g^{r_1}, g^{x_1} h^{r_1})$ to the second person, $i = 2$. Now we define the protocol inductively: when a person $i$ receives the ciphertext $c_{i-1} = (g^{r_{i-1}}, g^{m_{i-1}} h^{r_{i-1}})$, he sends, over a secure channel (using another encryption), the ciphertext $c_i = (g^{r_{i-1}+r_i}, h^{r_{i-1}+r_i} g^{m_{i-1}+x_i})$ to the person $i + 1 \bmod n$, where $r_i$ is chosen randomly and uniformly. Generalizing the reasoning of (b), it can easily be seen that the ciphertext $c_{i-1}$ is the proper ciphertext for the sum of the first $i - 1$ salaries, which only the first person can decrypt.
But because the communication is done over secure channels he gets only the first and last ciphertext. He gains no information from the first and gets only the whole sum from the last. He can now compute the average salary and announce it to everyone or the procedure can be repeated n-times with new person setting up the cryptosystem every time, making him the one who obtains the whole sum. 6.15. (a) Consider the polynomial p(n) = n2. Let’s now try to solve the inequality f(n) > 1 p(n) : 1 2 √ log n > 1 n2 n2 > 2 √ log n 2 log n > 1 It is easy to see that the inequality holds for any n > 2 . This means it certainly cannot hold that f(n) ≤ 1 p(n) for almost all n and therefore the function 2− √ log n is not negligible. (b) Consider any polynomial p(m) = amnm + · · · + a0, am, . . . , a0, m ∈ N. Now consider the function rp : N → N, rp(n) = ( m i=0 |ai|) nm. It is easy to see that rp(n) ≥ p(n) for all n ∈ N. Therefore if f(n) ≤ 1 rp(n) it holds f(n) ≤ 1 p(n) . Let us now try to find the solutions to the inequality n− log log n ≤ 1 rp(n) : 1 nlog log n ≤ 1 rp(n) rp(n) ≤ nlog log n m i=0 |ai| nm ≤ nlog log n CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 90 log m i=0 |ai| nm ≤ log(nlog log n ) log m i=0 |ai| + m log n ≤ (log log n) log n m ≤ log log n − log ( m i=0 |ai|) log n We now take the limit of the right hand side lim n→∞ log log n − log ( m i=0 |ai|) log n = ∞. From the definition of the limit we know that for every k ∈ N, there is an nk ∈ N such that for all n > nk it holds that the right hand side is greater than k. And since this holds for every k it must also hold for m. Therefore the inequality n− log log n ≤ 1 rp(n) must hold for all n > nm for some nm ∈ N. In short it holds for almost all n and thus even the inequality f(n) ≤ 1 p(n) holds for almost all n. But this means the function n− log log n is negligible. 6.16. This problem is usually denoted as the almost birthday problem. Let us denote the probability that, in a group of n people, no two birthdays lie within the interval of k days as Ak(n). Recall that A1(n) corresponds to the standard birthday problem probability of which is computed as P(A1(n)) = 365! (365 − n)!365n . Further we rewrite the probability P(Ak(n)) using the conditional probability as: P(Ak(n)) = P(Ak(n)|A1(n))P(A1). Conditioning Ak(n) on A1(n) and preventing coincidental birthdays simplify the following analysis. We find the number of possible orderings of birthdays that satisfy the conditions that no two birthdays lie in the same interval of k days. We can rewrite a potential ordering of birthday and non-birthday days satisfying this condition as the following sequence: 1, 0, 0, . . . , 0 k−1 , 1, 0, 0, . . . , 0 k−1 , 1, 0, 0, . . . , 0 k−1 , 0∗, 0∗, . . . where 1’s represent birthdays, 0’s represent the first k−1 non-birthday days after a birthday, and 0’s with asterisk represent extra non-birthday days after the first k − 1. We should treat such sequence as ”cyclic” to be able to catch birthdays at the turn of the year. To obtain the probability of not having any birthdays within k days of each other given that there are no coincidental birthdays, we divide the number of distinct orderings that take the required form by the total number of orderings. We fix the first birthday as well and do not allow it to be permuted to eliminate rotated orderings. Now, we group [1, 0, 0, . . . , 0 k−1 ], treat them as a unit and permute them together with 0∗’s. The number of 0∗’s is 365 − kn, the number of [1, 0, 0, . . . 
, 0 k−1 ] units is n − 1 (recall that the first such unit is fixed). The number of these groupings is given as (365 − kn) + (n − 1) n − 1 = 364 − kn + n n − 1 . CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 91 Total number of orderings is as 364 n−1 (recall again that the first birthday is fixed). Together, we can write the conditional probability as: P(Ak(n)|A1(n)) = 364−kn+n n−1 364 n−1 and P(Ak(n)) = 364−kn+n n−1 364 n−1 · 365! (365 − n)!365n which can be simplified to: P(Ak(n)) = (364 − kn + n)! (365 − kn)!365n−1 . To answer the question in the exercise we need to compute the probability of the complement event: 1 − P(Ak(n)) and find n such that this probability is greater than 1 2. The results are given in the following table: k n 1 23 2 14 3 11 4 9 5 8 6 8 7 7 8 7 9 6 10 6 11 6 12 6 13 5 14 5 15 5 6.17. (a) The only odd quadratic residue modulo 8 is 1, as (±1)2 ≡ (±3)2 ≡ 1 (mod 8). (b) Let n > 3 and suppose that x2 ≡ k (mod 2n) has a solution x ∈ Z for an odd integer k. Then k ≡ m2 (mod 2n) for some odd positive integer m < 2n. Using the hint, we know that there exist unique e1 ∈ {0, 1}, e2 ∈ {0, 1, . . . , 2n−2} such that m ≡ (−1)e1 5e2 (mod 2n ). Then m2 ≡ 52e2 ≡ (−1)f1 5f2 (mod 2n ) for unique f1 ∈ {0, 1}, f2 ∈ {0, 1, . . . , 2n−2}. This implies that 52e2−f2 (−1)f1 ≡ 1 ≡ 50 (−1)0 (mod 2n ), CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 92 hence f1 = 0 and 2e2 ≡ f2 (mod 2n−2) (here we are using the fact that the order of 5 modulo 2n is 2n−2, which follows directly from the hint). Let f2 = 2g2 for some g2 ∈ Z (here we are using the fact n > 3). Then we obtain e2 ≡ g2 (mod 2n−3), so either e2 ≡ g2 (mod 2n−2) or e2 ≡ g2 + 2n−3 (mod 2n−2). Thus there are exactly two possibilities for e2 and also two possibilities for e1 (it could be either 0 or 1), hence four possible square roots of k modulo 2n. (c) If an odd integer k is a quadratic residue modulo 2n for n > 3, it is also a quadratic residue modulo 8, so in particular k ≡ 1 (mod 8) by a). On the other hand, there are 2n−1 positive odd integers less than 2n, and since the squaring function modulo 2n for n > 3 is four-to-one by b), there are exactly 2n−3 = 2n 8 quadratic residues modulo 2n for n > 3. But this is exactly the number of positive integers k < 2n satisfying k ≡ 1 (mod 8). Thus we can conclude that an odd integer k is a quadratic residue modulo 2n for n > 3 if and only if k ≡ 1 (mod 8). 6.18. We use the following lemma Lemma 6.2.1. - Let m ∈ Z, such that there exist privite roots modulo m. Write ϕ(m) = qα1 1 . . . qαk k , where q1, . . . , qk are primes and α1, . . . , αk ∈ N. Then for arbitrary g ∈ Z, (g, m) = 1 it holds that g is a primitive root modulo m if and only if g ϕ(m) q1 ≡ 1 (mod m), . . . , g ϕ(m) qk ≡ 1 (mod m). Since ϕ(43) = 42 = 2 · 3 · 7, we are looking for such g ∈ Z, (g, 43) = 1 such that g21 ≡ 1 (mod 43), g14 ≡ 1 (mod 43), g6 ≡ 1 (mod 43). We soon find that g = 3 (among the others). Next, we notice that 34 ≡ 38 (mod 43). Thus, the given congruence is equivalent to the congruence 319t ≡ 34 (mod 43). Which is equivalent to 19t ≡ 4 (mod 42). And thus t ≡ 40 (mod 42). When going backwards we get x ≡ 340 ≡ 24 (mod 43). 6.19. The cryptosystem is the simple variant of the Paillier cryptosystem. 1. n2 = 15626209, φ(n) = 58 · 66 = 3826, φ(n)−1 = 3700 Encryption: c = (1 + 3953)2019 11113953 mod 15626209 = 7334081 Decryption: m = 73340813828 − 1 3953 · 3700 mod 3953 = 617 · 3700 mod 3953 = 2019 2. 
The cryptosystem has the following homomorphic property: E(m1) · E(m2) = E(m1 + m2) because ((1 + n)m1 rn 1 ) · ((1 + n)m2 rn 2 ) = ((1 + n)m1+m2 mod n (r1r2)n ) mod n2 . Notice that c = 4354044 = 20192 mod n2, therefore decryption of c is 2019+2019 mod 3953 = 85. CHAPTER 6. PUBLIC-KEY CRYPTOGRAPHY, II. 93 3. This is clear from the binomial theorem: (1 + n)a = a k=0 a k nk = 1 + an + a 2 n2 + higher powers of n 6.20. We start the decryption by finding the random r. First we note that c mod n ≡ re(1 + mn) mod n and so cd ≡ red (1 + mn)d ≡ r mod n. Now using r we can obtain 1 + mn as cr−e ≡ re r−e (1 + mn) ≡ 1 + mn mod n2 . While n isn’t invertible modulo n2, we can still obtain m as m = L(cr−e mod n2 ), where L(x) = x−1 n in which a b denotes the quotient of a divided by b. Chapter 7 Digital Signatures 7.1 Introduction Digital signatures are electronic analogues to handwritten signatures. Signature is an integral part of the person’s identity. It is intended to be unique for any individual and serves as a way to identify and authorize. When electronic information is considered, the concept of signature has to be adapted, because it cannot be something independent of the message signed. A digital signature is something, e.g. a number, which depends both on the secret known only by the signer and on the message to be signed. It should be verifiable without an access to signer’s secrets. Only the hash of the original message is usually signed. 7.1.1 Signature schemes – basic ideas and goals A signature scheme consists of two algorithms: a signing algorithm and a verification algorithm. A message m is signed by Alice using the signing algorithm that produces a signature sig(m). If the public verification algorithm is applied to a signature, then it returns true if and only if sig(m) is a signature created by Alice for the message m, i.e. if the signature is authentic. These algorithms work with two keys: the secret key used for signing and the public key which serves for verification. The sets of potential messages, signatures and keys are finite. Security requirements and objectives, which should be satisfied by any signature scheme, are the following ones. • It should be infeasible to forge Alice’s signature for any message. Only Alice should be able to produce her valid signatures – this is so-called authenticity requirement. • Because the messages and their signatures have to be inseparably tied, any change either in the created signature or in the message to be signed should result in the rejection of the signature – this is so-called data integrity requirement. • Another basic requirement is the impossibility of revocation of a valid signature in some later time – that is so-called non-repudiation requirement. • Finally, from a technical point of view, signing and verification algorithms should be sufficiently fast. 7.1.2 Digital signature scheme – definition A digital signature allows any signer S to sign any message m in such a way that no one can forge S’s signature but anyone familiar with the system can verify that a signature claimed to be from S is indeed from S and has not been changed during transmission. A digital signature scheme (M, S, Ks, Kv) is given by (1) by a set M of messages that may need to be signed, a set S of potential signatures, a set Ks of so-called private keys (used at signings) and 94 CHAPTER 7. DIGITAL SIGNATURES 95 a set Kv of so-called public/verification keys used for verification of signatures. 
(2) for each key k ∈ Ks is given a single and easy to perform signing mapping sigk : {0, 1}∗ ×M → S, and for each key kv ∈ Kv, there exists a single and easy to compute verification mapping verkv : M × S → {true, false} such that the following two conditions are satisfied: Correctness: For any message m ∈ M and any public key k ∈ Kv, and s ∈ S it holds that verk(m, s) = true if there is an r ∈ {0, 1}∗ such that s = sigl(r, m) for a private key l ∈ Ks corresponding to the public key k. Security: For any m ∈ M and kv ∈ Kv, it is computationally infeasible, without the knowledge of the private key corresponding to k, to find a signature s ∈ S such that verkv (m, s) = true. 7.1.3 Attacks The following describes the basic attack models and levels of breaking a digital signature scheme. Key-only attack: The attacker is only given the public verification key. Known signatures attack: The attacker is given valid signatures for several messages not chosen by her. Chosen signatures attack: The attacker is given valid signatures for several messages of her choice. Adaptive chosen signatures attack: The attacker is given valid signatures for several messages chosen by the attacker where messages chosen may depend on previous signatures given for chosen messages. Total break: The adversary manages to recover secret key. Universal forgery: The adversary can derive an algorithm which allows him to forge signature of any message. Selective forgery: The adversary can derive a method to forge signatures of selected messages (where the selection was made prior the knowledge of the public key). Existential forgery: The adversary is able to create a valid signature of some message m (but has no control for which m). The strongest notion of security is security against existential forgery under an adaptive chosen signatures attack. 7.1.4 Examples RSA signatures Consider the RSA cryptosystem with encryption and decryption exponents e and d and modulus n. The signature of a message m is s = sig(m) = md mod n. The signature s for the message m is valid if se mod n = m. ElGamal signature scheme The public key for the ElGamal signature scheme is K = (p, q, y), where p is a prime, q is a primitive element of Z∗ p and y = qx mod p, where 1 < x < p is the secret key. To create the signature s of a message m we need to choose a random integer r ∈ Z∗ p−1 and calculate s = sig(m, r) = (a, b), where a = qr mod p and b = (m − ax)r−1 mod p − 1. The signature s = (a, b) for the message m is valid if yaab ≡ qm mod p. Rabin signatures A collision-resistant hash function h : {0, 1}∗ → {0, 1}k is used for some fixed k. The signer chooses primes p, q of size approximately k/2 and computes public key n = pq. The pair (p, q) is kept secret. To sign a message w, the signer chooses a random string U and calculates h(w, U) (if h(w, U) /∈ QR(n), the signer picks a new U and repeats the process). The signer solves the equation CHAPTER 7. DIGITAL SIGNATURES 96 x2 = h(w, U) mod n. The pair (U, x) is the signature of w. The verifier computes x2 and h(w, U) and verifies that they are equal. DSA signature scheme A variant of the ElGamal system later adopted as a standard is the Digital Signature Algorithm (DSA). The key for the DSA is K = (p, q, r, x, y), where p is a large prime, q is a prime dividing p − 1, r > 1 is a qth root of 1 in Zp, (r = h p−1 q mod p, where h is a primitive element in Zp), x is a random integer such that 0 < x < q and y = rx mod p. The values p, q, y and r are made public, x is kept secret. 
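To make the role of these parameters concrete, here is a toy sketch with purely illustrative numbers (p = 23, q = 11, and so on); the signing and verification formulas it uses are exactly the ones spelled out in the next paragraph:

```python
# Toy DSA example; all numbers are illustrative only.
p, q = 23, 11                     # q divides p - 1 = 22
h = 5                             # a primitive element of Z_23
r = pow(h, (p - 1) // q, p)       # r = h^((p-1)/q) mod p = 2, a q-th root of 1
x = 3                             # secret key, 0 < x < q
y = pow(r, x, p)                  # public key component y = r^x mod p = 8

def sign(m, k):                   # 0 < k < q, so gcd(k, q) = 1
    a = pow(r, k, p) % q
    b = (pow(k, -1, q) * (m + x * a)) % q
    return a, b

def verify(m, a, b):
    z = pow(b, -1, q)
    u1, u2 = (m * z) % q, (a * z) % q
    return (pow(r, u1, p) * pow(y, u2, p) % p) % q == a

a, b = sign(7, 5)                 # gives (9, 9) for this toy choice
assert verify(7, a, b)
```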
To sign a message m we need to choose a random integer k such that 0 < k < q and therefore gcd(k, q) = 1. The signature of message m is s = sig(m, k) = (a, b), where a = (rk mod p) mod q and b = k−1(m + xa) mod q, where kk−1 = 1 mod q. The signature s = (a, b) is valid if (ru1 yu2 mod p) mod q = a, where u1 = mz mod q, u2 = az mod q and z = b−1 mod q. Lamport one-time signatures A Lamport signature scheme is method for constructing a digital signature from a one-way function. Only one message can be signed with such a scheme, therefore the term “one-time”. Suppose that k-bit messages are to be signed. Let f : Y → Z be a one-way function. For randomly chosen yi,j ∈ Y calculate zi,j = f(yi,j), i ∈ {1, . . . , k}, j ∈ {0, 1}. The parameter i refers to the position of the bit in a message being signed and the parameter j refers to its value. The z’s are made public together with f, y’s are kept secret. To sign a k-bit message x = (x1, . . . , xk), the corresponding y’s are made public: sig(x1, . . . , xk) = (y1,x1 , . . . , yk,xk ) To verify a signature (s1, . . . , sk) for the message x, one needs to verify that f(si) = zi,xi for all i ∈ {1, . . . , k}. Fiat-Shamir signature scheme An example of an identification scheme that can be converted into a signature scheme is the FiatShamir scheme. Choose primes p, q, compute n = pq and choose: as a public key integers v1, . . . , vk and compute, as a secret key, s1, . . . , sk, si = v−1 i mod n. To sign a message w, Alice first chooses as a security parameter an integer t, random integers 1 ≤ r1, . . . , rt < n, and computes xi = r2 i mod n, for 1 ≤ i ≤ t. Alice uses a publicly known hash function h to compute H = h(wx1x2 . . . xt) and then uses the first kt bits of H, denoted as bij, 1 ≤ i ≤ t, 1 ≤ j ≤ k as follows. Alice computes yi = ri k j=1 s bij j mod n and sends w, all bij, all yi and h to Bob. Bob finally computes z1, . . . , zk, where zi = y2 i k j=1 vbij mod n = xi and verifies that the first kt bits of h(wx1x2 . . . xt) are the bij values that Alice has sent to him. Blind signatures A blind signature is a form of signature in which the content of a message is blinded before it is signed. Applications are in electronic voting and digital cash systems. RSA blinding signature scheme with keys (n, e, d) works as follows. In order to make Bob to produce, blindly, sigB(m) of the message m, Alice chooses a random r and asks Bob to sign m = mre mod n and to send her back his signature sigB(m ). Alice then gets easily sigB(m) = r−1sigB(m ). Ong-Schnorr-Shamir subliminal channel A subliminal channel is a covert channel that allows to communicate secretly in a normally looking communication. Several signature schemes contain subliminal channels, for example the OngSchnorr-Shamir channel. Let n be a large integer and let k be an integer such that gcd(n, k) = 1. Calculate h = k−2 mod n. Both h and n form public key whereas k is kept secret as trapdoor information. Let w be a secret message Alice wants to send with gcd(w, n) = 1. Let w be a harmless message with gcd(w , n) = 1. CHAPTER 7. DIGITAL SIGNATURES 97 To sign w Alice computes S1 = 1 2(w w + w) mod n and S2 = k 2 (w w − w) mod n Signature of the harmless message is verified as w = S2 1 − hS2 2 mod n. The secret is decrypted by Bob as w = w (S1+k−1S2) . 7.2 Exercises 7.1. Alice and Bob are using the RSA signature scheme. Alice’s public key is (n, e) = (899, 17). Malicious Eve captured two signed messages which Alice sent (m1, sig(m1)) = (13, 644) and (m2, sig(m2)) = (15, 213). 
Is Eve able to forge signatures of messages ma = 195 and mb = 627 without using bruteforce? Try to calculate this signatures and verify. 7.2. Let m be a message which the adversary Eve intends to sign using the RSA signature scheme with a public key (n, e) and a private key d. Suppose that Eve can obtain a signature of any message m = m. Show that this enables her to sign m. 7.3. Consider the following version of the Rabin signature scheme: Let n = pq where p and q are primes. n is made public, p and q are kept secret. To sign a message m, solve the equation s2 ≡ m (mod n) (assume that m ∈ QR(n)). The value s is the signature for the message m. To verify a given message-signature pair (m, s), check whether s2 ≡ m (mod n). (a) Show that the proposed scheme is vulnerable to an existential forgery with a key-only attack. (b) Show that the scheme can be totally broken with chosen signatures attack. 7.4. Show that you can totally break the DSA signature scheme if you are given a signature (a, 0) for a message w. 7.5. Consider the following modification of the ElGamal signature scheme in which x ∈ Z∗ p−1 and b is computed as (a) b = (w − ra)x−1 (mod p − 1) (b) b = xa + rw (mod p − 1) Describe how verification of a signature (a, b) on a message x would proceed. 7.6. A lazy signer who uses the ElGamal signature algorithm has precomputed one pair (k, a) satisfying a = qk mod p which he always uses for generating a signature. Given two messagesignature pairs, recover his secret key. * 7.7. How would the security of the ElGamal signature scheme be affected if one would accept signatures (a, b) with a larger than p? 7.8. Consider the Fiat-Shamir signature scheme. What happens if an adversary is able to find the random integers r1, . . . , rt? 7.9. Let us consider Chaum’s blind signatures RSA scheme with n = pq, p = 101, q = 97, e = 59. Only Bob knows d and uses it to sign documents. Alice wants him to sign message m = 4242 without him knowing m. Perform steps of the protocol in detail. Random k is k = 142. 7.10. Let f be a one-way permutation. Let us define a one-way signature scheme in the following way. The public key is an l-tuple (y1, y2, . . . , yl). The secret key is an l-tuple (x1, x2, . . . , xl) such that f(xi) = yi for each i ∈ {1, 2, . . . , l}. The signature of a message m1m2 · · · ml ∈ {0, 1}l consists of all xi such that mi = 1. CHAPTER 7. DIGITAL SIGNATURES 98 (a) Show that this one-time signature scheme is not secure. (b) Describe all the message pairs (m1, m2) such that m1 = m2 and the adversary can produce a valid signature for m2 using a valid signature for m1. 7.11. Consider the Lamport one-time signature scheme. A signer has signed m (2 ≤ m ≤ 2k − 1) different k-bit messages (instead of only one message he was allowed to sign). How many new messages an adversary would be able to forge? 7.12. Consider the following one-time signature scheme used for signing of N-bit messages. Let H be a cryptographically secure hash function. Let Hk(x) denote k successive applications of the hash function H to x – so-called hash chain, e.g. H4(x) = H(H(H(H(x)))). • (Initial phase) Alice chooses two random numbers x1 and x2 and computes y1 = HM (x1) and y2 = HM (x2) where M = 2N . Alice publishes y1 and y2. • (Signing) Alice computes s1 = Hn(x1) and s2 = HM−n−1(x2), where 0 ≤ n ≤ 2N − 1 is the value of an N-bit message to be signed. • (Verification) To verify a signature, Bob checks validity of the following equations: y1 = HM−n(s1) and y2 = Hn+1(s2). 
(a) Demonstrate usage of the proposed scheme on signing of 2-bit message 11. (b) Explain why it is insufficient to compute only a value of s1. * 7.13. Propose a subliminal channel in the DSA signature scheme. Assume that the receiver of a subliminal message shares the secret key x with the sender. * 7.14. Consider the following signature scheme for a group of two users. Each of the users i has his own RSA signature scheme with public key (ni, ei) and secret key di, i ∈ {1, 2}. Their respective trapdoor one way permutation is fi(x) = xei (mod ni). For the smallest b such that 2b > max(n1, n2) we define new trapdoor one way permutations gi in the following way. For b-bit input x define integers qi and ri such that x = qini + ri, 0 ≤ ri < ni (we know ri, qi are unique). Then gi(x) = qini + fi(ri) if (qi + 1)ni ≤ 2b x otherwise Let h be a public collision-resistant hash function that maps messages to b-bit strings. Now the user i signs any message m as follows: 1. Computes the key k = h(m) 2. Chooses random b-bit xj, j = i. 3. Computes yj = gj(xj) using nj, ej. 4. Finds yi such that yi ⊕ yj = k. 5. Using di finds xi = g−1(yi). 6. Outputs the signature ((e1, n1), (e2, n2), x1, x2). (a) Find the verification of the signature. (b) Given a message and its signature, can you discover which user signed the message? CHAPTER 7. DIGITAL SIGNATURES 99 7.15. Consider a signature scheme based on the Rabin cryptosystem with secret primes p, q and public information n = pq. Signature of a message w are its four square roots modulo n. (a) Which messages can be signed? (b) Is the proposed signature scheme secure? 7.16. Consider the Ong-Schnorr-Shamir subliminal channel with public key (h, n) = (36606, 47371). Alice wanted to be sure her secret message gets to Bob so she sent the same secret message w twice using the signed messages (11587, 46420, 41083) and (3561, 41492, 25348). Perform the following tasks: (a) Verify the signature for both messages. (b) Without using brute force, find the secret message w and the secret key k. 7.17. Find a way to use Rabin signatures as a subliminal channel that allows Alice to send at least two secret bits to Bob with every signed message. This channel must look like a normal channel with Rabin signatures so that the warden Walter must not be able to retrieve the secret message. 7.18. Bob is using a single RSA scheme to both decrypt encrypted messages and create signatures (with the same set of public and private keys). You have intercepted an encrypted message c addressed to Bob. Use his signature scheme to make him help you decrypt c without him noticing. 7.19. Consider the ElGamal signature scheme. (a) Show that the scheme is vulnerable to existential forgery. Show that an adversary can produce a combination of message w and a correct signature (a, b), but cannot choose the value of w. (b) Show that given a valid signature (a, b) of a message w, an adversary can compute signatures for messages of the form w = (w + βb)α mod (p − 1), for an arbitrarily chosen β ∈ Z∗ p and α = qβ mod p. 7.20. ElGamal signature scheme with public key (p, q, y) = (97, 10, 7) was used to sign messages w1 = 54 and w2 = 13 with sig(w1) = (40, 38) and sig(w2) = (40, 25). Without calculating the discrete logarithm or using other kind of brute force, find the secret key x. 7.21. Consider the following signature scheme. Choose primes p, q such that q | p − 1. Choose a generator g ∈ Z∗ p of order q. Choose a random x ∈ Z∗ q and compute y = gx mod p. 
The value x serves as a secret key, while p, q, g and y are public. To sign a message m, choose a random k ∈ Z∗ q and compute r = gk mod p and s = k−H(m||r)x mod q where H : {0, 1}∗ → Zq is a cryptographic hash function. The pair (r, s) is the signature of m. (a) Provide a verification procedure for the proposed scheme and prove that it is correct. (b) Show that a private key x can be recovered if the same k is reused. * 7.22. Consider Alice and Bob use the DSA signature scheme with p = 2347, q = 23, r = 266, x = 11 and y = 864. Alice signs w = 1000 and sends the corresponding signature sig(w) = (7, 20) to Bob. Surprisingly, Bob shares with Alice her secret key x and his purpose is not only verification of the signature. Is Alice trying to communicate something to Bob? CHAPTER 7. DIGITAL SIGNATURES 100 7.3 Solutions 7.1. We know that for the RSA signature scheme it holds: if s1 and s2 are signatures of messages m1 and m2, we can easily compute the signature of the message m = m1m2 mod n as s = s1s2 mod n. This is the first case and the signature of ma = 195 = 13×15 is sa = sig(m1)×sig(m2) mod n = 524. Verification: (sa)e mod n = 52417 mod 899 = 195 which is equal to ma. The message mb is equal to m−1 a modulo n (which is easy to verify: mamb ≡ 1 (mod n).) We know that for the RSA signature scheme the following holds: if s is a signature of a message m then s−1 mod n is the signature of the message m−1 mod n. Using the Extended Euclidean Algorithm we get 1 = −362 × 524 + 211 × 899. Hence sb = −362 mod n = 537. Verification: (sb)e mod n = 53717 mod 899 = 627 = mb. 7.2. Eve first chooses r that has inverse modulo n and later she asks for the signature for the message m = m · re which is s ≡ (m )d ≡ md · red ≡ md · r (mod n). Now she can multiply s with r−1 to obtain the valid signature for the message m. 7.3. (a) Choose a signature s and square it to produce a corresponding message m. This yields a valid message-signature pair. (b) If we can find two distinct square roots of a message, we can consequently factor the modulus n. We can again choose a value s and compute m = s2. The next step is submitting m to the black box. There is a one in two chance that it will produce the same signature s. In such case, repeat this process. If not, we have both square roots of m and can recover the factors of n. 7.4. Since the signature is (a, 0), we have 0 = b ≡ k−1(w + xa) (mod q). We know k−1 = 0 therefore w + xa ≡ 0 (mod q) and since q is prime a−1 exists. Together x ≡ −wa−1 (mod q). Values w and a are known, so one can easily calculate the secret key x and hence totally break the DSA scheme. 7.5. A signature (a, b) is valid if (a) aayb ≡ qw (mod p) (b) yaaw ≡ qb (mod p) Recall that y = qx mod p and a = qr mod p. Now we prove correctness of the proposed verification method: (a) aayb ≡ yaryb ≡ yar+w−ar+k(p−1) ≡ qw (mod p) (b) yaaw ≡ qaxqrw ≡ qax+rw ≡ qb (mod p) 7.6. If the signer signs two messages w1 and w2 he obtains signatures (a, b1) and (a, b2) where b1 = k−1(w1 −xa) mod p−1 and b2 = k−1(w2 −xa) mod p−1. We have xa = w1 −kb1 = w2 −kb2 and k = (w1 − w2)(b1 − b2)−1 mod p − 1. Now we can calculate the secret key as x = (w1 − kb1)a−1 mod p − 1. There are d = gcd(a, p − 1) solutions for x. The forger can compute qx for all the x’s found until she finds y and therefore the proper x. CHAPTER 7. DIGITAL SIGNATURES 101 7.7. 
If one would accept signatures (a, b) with a > p, an adversary would be able to forge the valid signature for any message w2 after having intercepted the valid signature (a1, b1) of w1: The adversary computes c = w2w−1 1 mod p − 1. It holds that qw2 ≡ qcw1 ≡ ya1c ab1c 1 (mod p) Since we have x ≡ y (mod p − 1) ⇒ zx ≡ zy (mod p), the adversary can find such a2, b2 that the following equations hold: b2 ≡ b1c (mod p − 1) a2 ≡ a1c (mod p − 1) a2 ≡ a1 (mod p) To determine b2 the adversary computes b2 = b1c mod p − 1. To determine a2 the adversary uses the Chinese remainder theorem. The result will be modulo p(p − 1), that is why a2 > p. Now it is easy to see that qw2 ≡ ya2 ab2 (mod p) and (a2, b2) is the valid signature of w2. 7.8. If an adversary finds the random integers r1, . . . , rt and intercepts the message w together with bij and yi, she can construct the following system of congruences: y1 ≡ r1s b1,1 1 s b1,2 2 . . . s b1,k k (mod n) y2 ≡ r2s b2,1 1 s b2,2 2 . . . s b2,k k (mod n) . . . yt ≡ rts bt,1 1 s bt,2 2 . . . s bt,k k (mod n) Now it depends on k, t and bi,j what the adversary could do. For example if k ≤ t and bi,j = 1 for all 1 ≤ i ≤ t, 1 ≤ j ≤ k, then she is able to compute all sj and thus the private key. In other cases, she might be able to compute only some of the sj, which would enable her to sign some messages (those with bi,j = 0 for 1 ≤ i ≤ t and j such that sj is unknown). In other cases, this would not allow the adversary to find any part of the private key. 7.9. To perform computation, we need to find d. It holds d = e−1 mod φ(n), thus d = 59−1 mod 9600 = 1139. • Alice computes m = mke mod n = 4242 · 14259 mod 9797 = 808 and sends it to Bob. • Bob computes s = (m )d mod n = 8081139 mod 9797 = 6565 and sends it to Alice. • Alice now computes signature s of message m, s = k−1s mod n = 69 · 6565 mod 9797 = 2323. Message can be verified as m = se mod n. 7.10. Only bits with the value 1 are signed, 0-valued bits are not included therefore one can forge signatures for any message which has 0 where the original message had 0 and which has 0 or 1 on the remaining positions. For example given the signed message 1l an adversary would be able to sign any message of length l. CHAPTER 7. DIGITAL SIGNATURES 102 7.11. Let us assume that the signer has signed two messages that are bit inverses of each other. This way the signer made public his whole private key and the adversary can forge any k-bit message. We analyze the case in which the signer has signed 2 ≤ m ≤ 2k − 1 different messages in such a way that he made public the least possible number of y’s. Signing the first message a half of y’s is made public. A second message must differ in at least one position, say i1, so the yi1j are known for both j = 0, 1.Three or four messages must differ in at least 2 positions, allowing the adversary to sign 2 new messages. Finally, m messages have to differ in at least l positions where 2l−1 + 1 ≤ m ≤ 2l, so l = log2 m .The adversary is therefore able to forge at least 2 log2 m − m new messages. 7.12. (a) (Initial phase) N = 2, M = 2N = 4, y1 = HM (x1) = H4 (x1), y2 = HM (x2) = H4 (x2) (Signing) n = 3, s1 = Hn (x1) = H3 (x1), s2 = HM−n−1 (x2) = H0 (x2) = x2 (Verification) y1 = HM−n (s1) = H(s1) = H(H3 (x1)) = H4 (x1), y2 = Hn+1 (s2) = H4 (s2) = H4 (x2) (b) Given a value of s1 = Hn(x1), one could easily sign messages m where 2N − 1 ≥ m ≥ n. 7.13. Knowing the private key x, the only unknown value is k. 
s = k−1 (h − xr) mod q sk = h − xr mod q k = s−1 (h − xr) mod q To embed a subliminal message, it suffices to set k to a specific value. 7.14. (a) To verify the signature we first find k = h(m), then we calculate both yi = gi(xi) using the (ni, ei) and verify that y1 ⊕y2 = k. Indeed, if both xi were created by the signature procedure it must hold that y1 ⊕ y2 = k. (b) If x1 is chosen randomly and x2 = a is computed by the signature procedure we get the same tuple (x1, x2) as if x2 = a was chosen randomly and x1 was computed. Indeed, in both cases it must hold x1 = g−1 1 (g2(x2) ⊕ k) and as both gi are permutations we can obtain any xi from some xj. So for the same x2 we get the same x1 (and vice versa). So given the signature ((e1, n1), (e2, n2), x1, x2) we cannot find which xi was chosen randomly and which computed as both cases might have happened and thus we cannot discover who signed the message. 7.15. (a) One can sign quadratic residues modulo n, ie. messages w for which there exists x ∈ Z∗ n such that x2 = w (mod n). CHAPTER 7. DIGITAL SIGNATURES 103 (b) The scheme is not secure. Knowing signatures we know x, y, x = ±y (mod n) such that x2 ≡ y2 (mod n). Now we can factorize the modulus n. We have x2 − y2 ≡ 0 (mod n), thus n|x2 − y2 = (x + y)(x − y). Computing gcd(x ± y, n) gives p or q. 7.16. (a) Walter verifies that w = S2 1 − h · S2 2 (mod n). In this case: 464202 − 36606 · 41083 = 11587 (mod 47371), 414922 − 36606 · 25348 = 3561 (mod 47371). (b) Signatures are calculated as S1 = 1 2 w w + w (mod n) S2 = k 2 w w − w (mod n) The scheme was used twice for the same message w. Now we have 4 equations with 3 unknown variables. We can take the following 46420 ≡ 1 2 (11587w−1 + w) (mod n) 41083 ≡ k 2 (11587w−1 − w) (mod n) 41492 ≡ 1 2 (3561w−1 + w) (mod n) and transform into w ≡ 45469 − 11587w−1 (mod n) 34795 ≡ k · (11587w−1 − w) (mod n) 35613 ≡ (3561w−1 + w) (mod n) to obtain 9586 ≡ 8026w−1 (mod n). Now we can easily calculate w−1 = 44067, w = 5778 and k = 5492. 7.17. During the signing procedures, Alice is asked to find the square root of h(wU) mod n. Since n = pq, there are 4 possible square roots and she can pick any of them for the signature. Now her choice of one of four possible choices is exactly two bits of information. She can for example order them by their magnitudes, so picking one corresponds to picking a number from 1 to 4, i.e. two bits. Now if Bob also knows the factorization of n = pq, he can also find all the square roots of h(wU) mod n and recover the information about Alice’s choice, the two bits. So all they need to do to use Rabin signatures for subliminal channel is share the factorization of the public moduli as a trapdoor information. They would use the channel normally, only deliberately pick the square roots instead of randomly. Since they use the signature scheme properly, every message will be correctly signed in Walter’s eyes. All the additional work is done locally on Bob’s side after the communication and Walter has no information about that. Walter also cannot feasibly discover the other square roots (he would be able to factorize n in that case), so he also cannot retrieve the message. CHAPTER 7. DIGITAL SIGNATURES 104 7.18. We will use the blind signature scheme to make Bob sign a message that will allow us to decrypt c while he has no idea what he is signing. 
(We could make him sign c directly to decrypt it, but then he could realize what he is doing.) Let n be the public modulus and e and d the public and private keys respectively. We pick a random r such that gcd(r, n) = 1 and make Bob sign c′ = c·r^e = (mr)^e mod n, where m is the original message. When Bob signs our message we get

s′ = (c′)^d mod n = ((mr)^e)^d mod n = (mr)^{ed} mod n = mr mod n.

Now we can easily obtain the original message by computing m = s′r^{−1} mod n, which is simple since we know both s′ and r.

7.19. (a) Choose integers α and β with gcd(β, p − 1) = 1 and set a = q^α y^β mod p, b = −aβ^{−1} mod (p − 1) and w = αb mod (p − 1). Indeed, the verification procedure gives

y^a a^b ≡ y^a (q^α y^β)^{−aβ^{−1}} ≡ y^a y^{−a} q^{−αaβ^{−1}} ≡ q^{αb} ≡ q^w (mod p).

(b) We have that a = q^r and b = (w − xa)r^{−1} mod (p − 1) form a valid signature of w. The signature of w′ = (w + βb)α mod (p − 1), where α = q^β mod p, is (a′, b′) = (αa, αb). Indeed, the verification gives

y^{a′} a′^{b′} ≡ q^{xαa} (αa)^{αb} ≡ q^{xαa} q^{βαb} q^{rα(w−xa)r^{−1}} ≡ q^{xαa} q^{βαb} q^{α(w−xa)} ≡ q^{βαb} q^{αw} ≡ q^{α(w+βb)} ≡ q^{w′} (mod p).

7.20. First we notice that for sig(wi) = (ai, bi) we have a1 = a2 = a = 40. This means the same random r was used for both signatures, so b1 − b2 ≡ (w1 − w2)r^{−1} (mod p − 1). In our case b1 − b2 = 13 has an inverse modulo 96, namely (b1 − b2)^{−1} = 37, so r = (b1 − b2)^{−1}(w1 − w2) mod 96 = 77. With the secret r = 77 we can now calculate the secret key x. We have w1 − b1r ≡ xa (mod p − 1), in our case 8 ≡ 40x (mod 96). Unfortunately, 40 does not have an inverse modulo 96, so we use the extended Euclidean algorithm to find all candidates for x satisfying this congruence. We get x ≡ 5 (mod 12), i.e. x = 5 + 12l for l ∈ Z. Because 1 ≤ x < p − 1, the possible candidates are x ∈ {5, 17, 29, 41, 53, 65, 77, 89}, and only x = 53 satisfies q^x mod p = 7 = y, so the secret key is x = 53.

7.21. (a) Given a signature (r, s) of a message m, we compute e = H(m||r) and rv = g^s y^e mod p, and verify that rv = r (equivalently, that H(m||rv) = e). Indeed, rv ≡ g^s y^e ≡ g^{k−ex} g^{ex} ≡ g^k ≡ r (mod p), and therefore H(m||rv) = H(m||r) = e.

(b) Suppose the signer produces signatures (r, s) of m and (r′, s′) of m′ with randomness k and k′. We can subtract the s-values: s′ − s ≡ (k′ − k) + x(e − e′) ≡ (k′ − k) + x(H(m||r) − H(m′||r′)) (mod q). If the same k is reused, then k′ = k and r′ = r as well. If m′ ≠ m, then H(m′||r) ≠ H(m||r) (barring a hash collision) and we can easily calculate x from s′ − s ≡ x(H(m||r) − H(m′||r)) (mod q).

7.22. Alice and Bob use the following subliminal channel: Alice did not choose k at random; instead she set this parameter to a subliminal message w′ which Bob is able to recover with the knowledge of Alice's secret key x. To recover k = w′, Bob calculates: k = b^{−1}(w + xa) mod q = 15·(1000 + 11·7) mod 23 = 9.

Chapter 8 Elliptic Curve Cryptography

8.1 Introduction

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. There are several advantages over classical public-key cryptography: shorter keys can be used, which results in savings in hardware implementations, and attacks based on factorization or on computing ordinary discrete logarithms do not apply to ECC. Elliptic curves are also employed in Lenstra's algorithm for integer factorization.

8.1.1 Elliptic curves

An elliptic curve E is a plane curve defined by the equation E : y^2 = x^3 + ax + b, where a and b are real numbers such that the curve has no self-intersections or isolated points. This means that the cubic x^3 + ax + b has no multiple roots, i.e. the curve is non-singular. The curve is non-singular if and only if 4a^3 + 27b^2 ≠ 0.
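This condition can be checked mechanically for small experiments. The following is a minimal Python sketch (the helper name is_nonsingular is our own choice); for a curve over Zp the same quantity is simply evaluated modulo p:

    def is_nonsingular(a, b, p=None):
        """Check that 4a^3 + 27b^2 != 0, i.e. y^2 = x^3 + ax + b has no multiple roots."""
        d = 4 * a**3 + 27 * b**2
        if p is not None:
            d %= p              # work over Z_p instead of the reals
        return d != 0

    print(is_nonsingular(10, 5, 17))   # False: the singular curve of Exercise 8.4(a)
    print(is_nonsingular(0, 8))        # True: the curve of Exercise 8.23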
8.1.2 Group structure and addition law

On an elliptic curve, it is possible to define addition of points in such a way that the points of the elliptic curve together with the addition operation form an Abelian group. This requires the curve to be extended with the so-called "point at infinity", denoted O, which serves as the neutral element of the group. Addition of points P1 = (x1, y1) and P2 = (x2, y2) is calculated as P3 = P1 + P2 = (x3, y3), where

x3 = λ^2 − x1 − x2 and y3 = λ(x1 − x3) − y1,

with

λ = (y2 − y1)/(x2 − x1) if P1 ≠ P2, and λ = (3x1^2 + a)/(2y1) if P1 = P2.

If λ is not defined (the denominator is zero), then P3 = O.

Elliptic curves over a finite field and Hasse's theorem

The addition of points on an elliptic curve over a finite field is done in the same way as described above, with division understood as multiplication by an inverse element. The number of points on an elliptic curve over a finite field with q elements is limited by Hasse's theorem: If an elliptic curve E over a field with q elements has N points, then |N − (q + 1)| ≤ 2√q.

8.1.3 Elliptic curve cryptography

Elliptic curve discrete logarithm problem

Elliptic curve cryptosystems are based on the intractability of computing discrete logarithms. The discrete logarithm problem for elliptic curves is stated as follows. Let E be an elliptic curve and P, Q be points on the elliptic curve such that Q = kP for some integer k, where kP = P + P + · · · + P (k times). The task is to calculate k given P, Q and E.

Converting classical systems into elliptic curve counterparts

Cryptosystems or protocols based on the discrete logarithm problem can be converted easily into cryptosystems or protocols based on elliptic curves. The conversion goes as follows:

• Assign a point on an elliptic curve to the plaintext message.
• Change modular multiplications into additions of points and exponentiations into multiplications of a point on an elliptic curve by an integer.
• Assign a cryptotext message to the point of the elliptic curve that results from the modified cryptosystem.

8.1.4 Factorization

Factorization is the process in which a composite number is decomposed into a product of its prime factors. For each number this decomposition is unique. When the number is very large, no efficient factorization algorithm is known. The hardest instances are of the form n = pq, where p and q are distinct primes of roughly the same size that nevertheless lie far apart.

Pollard ρ-method

This method is based on the birthday paradox: when we keep choosing pseudorandom integers, there must eventually be a pair a, b such that a ≡ b (mod p) but a ≢ b (mod n), where p is a prime factor of n, the number we want to factor. First, choose some pseudorandom function f : Zn → Zn and an integer x0 ∈ Zn. Then keep computing x_{i+1} = f(x_i) for i = 0, 1, 2, . . . and gcd(|x_j − x_k|, n) for each k < j. If gcd(|x_j − x_k|, n) = d with 1 < d < n, then we have found a factor d of n. There are several modifications that differ in how frequently the greatest common divisors are calculated.

Pollard (p − 1)-method

This method is based on Fermat's Little Theorem and discovers a prime factor p of an integer n whenever p − 1 has only small prime factors. To factor n, first fix an integer B and compute M = ∏ q^⌊log_q B⌋, where the product runs over all primes q ≤ B. Choose an integer a and compute d = gcd(a^M − 1, n). If 1 < d < n, we have a factor d of n.

Factorization with elliptic curves

To factorize an integer n, we repeatedly choose an elliptic curve E over Zn and a point P ∈ E, and compute either the points iP for i = 2, 3, 4, . . . or the points 2^j P for j = 1, 2, 3, . . ..
When calculating these points we need to evaluate gcd(xA − xB, n) for various points A, B when computing λ. If one of these values is between 1 and n, we have a factor of n. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 108 8.2 Exercises 8.1. Consider the elliptic curve E : y2 = x3 + 568x + 1350 (mod 1723) and the point P = (524, 1413). Compute the point 144P with as few point operations as possible. 8.2. Let E : y2 = x3 + 9x + 17 be the elliptic curve over the field F23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? 8.3. Consider the elliptic curve E : y2 = x3 + 6x2 + 14x + 16 over Z29. Transform E to the form y2 = x3 + ax + b where a, b ∈ Z29. 8.4. Decide whether the points of the following elliptic curves define a group over Zp where p is a prime? If yes, find an isomorphism between points of the elliptic curve and the additive group of integers (Zp, +). (a) E : y2 = x3 + 10x + 5 (mod 17) (b) E : y2 = x3 + 4x + 1 (mod 7) 8.5. Is there a (non-singular) elliptic curve E defined over Z5 such that (a) E contains exactly 11 points (including the point at infinity O); (b) E contains exactly 10 points (including the point at infinity O)? If the answer is positive, find such a curve and list all of its points, If it is negative, prove it. 8.6. Let E : y2 = x3 + ax + b with a, b ∈ Q be an elliptic curve. Show that there is another equation Y 2 = X3 + AX + B with A, B ∈ Z whose solutions are in bijection with the solutions to y2 = x3 + ax + b. * 8.7. We call a nonzero rational number n a congruent number if ±n is the area of a right-angled triangle with rational side lengths or, equivalently, n is a congruent number if the system of two equations: a2 + b2 = c2 1 2 ab = n has a solution with a, b, c ∈ Q. The relation between congruent numbers and elliptic curves is described with the following theorem: Let n be a rational number. There is a bijection between A = {(a, b, c) ∈ Q3 | 1 2ab = n, a2 + b2 = c2} and B = {(x, y) ∈ Q2 | y2 = x3 − n2x with y = 0} given by the map g : B → A defined as g(x, y) = n2 − x2 y , − 2xn y , n2 + x2 y . Using the previous theorem show that the numbers 5 and 6 are congruent numbers and give the corresponding values of a, b and c. * 8.8. (a) How many points P such that 2P = O can be found on non-singular elliptic curves? Does there always exist at least one? Consider curves over R and over Zp where p is a prime. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 109 (b) Prove that on a non-singular elliptic curve over Zp, where p is a prime, for any two different points P1, P2, there exists exactly one point P3 such that P1 + P2 + P3 = O (You are not allowed to use addition formulas). (c) Prove or disprove that for P3 as described in (b): P1 = P3 ∧ P2 = P3. 8.9. Consider the elliptic curve variant of the Diffie-Hellman key exchange protocol. Let E : x3 + 4x + 20 (mod 29) and P = (1, 5). Suppose Alice chooses her secret exponent na = 11 and Bob chooses his secret exponent nb = 7. (a) Show in detail all steps of the key exchange protocol. (b) Suggest a more efficient way to exchange the computed points. 8.10. Consider the following elliptic curve cryptosystem. Let E be an elliptic curve over the field Zp and let G ∈ E be a generator point of order n. E and G are public. Each user U chooses a private key, an integer sU < n, and computes the corresponding public key, PU = sU G. To encrypt a message M for U, one chooses a random integer k and computes the ciphertext C = [(kG), (M + kPU )]. (a) Show how the user U decrypts C to obtain M. 
(b) Let E : y2 = x3 + x + 6 (mod 11), G = (2, 7) and sA = 7. Recover the plaintext M from C = [(8, 3), (10, 2)]. 8.11. Decide whether n3 + (n + 1)3 + (n + 2)3 ≡ 0 (mod 9) for any nonnegative integer. 8.12. Suppose n = pq where p, q are primes. Let integers i, j, k and L with k = 0 satisfy L = i(p − 1), L = j(q − 1) + k and ak ≡ 1 (mod q). Let a be a randomly chosen integer satisfying p a and q a. Prove that gcd(aL − 1, n) = p. 8.13. Prove that all Carmichael numbers are odd. (A Carmichael number is a composite number n such that bn−1 ≡ 1 (mod n) for all integers 1 ≤ b < n which are relatively prime to n.) 8.14. Prove or disprove the following claims: (a) If n is even and n > 2, then 2n − 1 is composite. (b) If 3 | n and n > 3, then 2n − 1 is composite. (c) If 2n − 1 is prime, then n is prime. 8.15. Prove or disprove the following claim: An integer n > 1 is a prime if and only if n divides 2n − 2. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 110 * 8.16. (a) Let n be an integer and p be the smallest prime factor of n. Prove that n p is not divisible by n. (b) Let n > 0 be an integer. Show that n is a prime if and only if n k is divisible by n for all k ∈ {1, 2, . . . , n − 1}. (c) Let n > 1 be an integer. Let a be an integer coprime to n. Then n is prime if and only if (x + a)n = xn + a (mod n) in polynomial ring Zn[x]. 8.17. (a) Using the Pollard’s ρ-method with f(x) = x2 + 1 and x0 = 2 find a factor of 229 − 1. (b) Using the Pollard’s (p − 1)-method with B = 5 and a = 2 find a factor of 23729. 8.18. Using the elliptic curve E : y2 = x3 + 4x + 4 and its point P = (0, 2) try to factorize the number 551. 8.19. Consider the Pollard’s ρ-method with a pseudo-random function f(x) = x2 +c mod n with a randomly chosen c, 0 ≤ c < n. Why should be the values c = 0 and c = n − 2 avoided? * 8.20. For a modulus n, an exponent e is called a universal exponent if xe ≡ 1 (mod n) for all x with gcd(x, n) = 1. Universal Exponent Factorization Method Let e be a universal exponent for n and set e = 2bm where b ≥ 0 and m is odd. Execute the following steps. (i) Choose a random a such that 1 < a < n − 1. If gcd(a, n) > 1, then we have a factor of n, and we terminate the algorithm. Otherwise go to step (ii). (ii) Let x0 ≡ am (mod n). If x0 ≡ 1 (mod n), then go to step (i). Otherwise, compute xj ≡ x2 j−1 (mod n) for all j = 1, . . . , b. • If xj ≡ −1 (mod n), then go to step (i). • If xj ≡ 1 (mod n), but xj−1 ≡ 1 (mod n), then gcd(xj−1 − 1, n) is a nontrivial factor of n so we can terminate the algorithm. (a) Use the algorithm above to factor n = 76859539 with the universal exponent e = 12807000. (b) Find a universal exponent for n = 2a+2. Justify your answer. 8.21. Find two elliptic curves over F5, with 8 points but a different group structure. 8.22. Consider the following cryptosystem using a non-singular elliptic curve Ep with n points, secret key d < n and public key (P, Q), where Q = dP are two points on Ep: To encrypt a message m = (m1, m2), 1 ≤ m1, m2 < p, pick a random integer 1 ≤ k < n and compute O = kP, y1 = c1m1 mod p and y2 = c2m2 mod p, where (c1, c2) = kQ. The encrypted message is then (O, y1, y2). Find the decryption procedure. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 111 8.23. Consider an elliptic curve E : y2 = x3 + 8 over R. Show that E does not have multiple roots. Algebraically determine the number of roots E has. 8.24. Use the Quadratic sieve method to factorize n = 713. 8.25. Find all points of the elliptic curve E : y2 + xy = x3 + 1 over the field F4. 8.26. 
Find a factor of 119 without using brute force, if you know that the function 29x mod 119 has a period r = 16 (Remark: This is a classical subroutine in the Shor’s quantum polynomial time algorithm for integer factorization). 8.27. Consider elliptic version of the ElGamal cryptosystem. Public key is as follows: p = 11, E : y2 = x3 + 3x + 6 mod 11, P = (2, 8), Q = (2, 3). Show computation steps. (a) Encrypt the message m = (5, 6) with r = 2. (b) Decrypt the ciphertext, computed in (a), with private key x = 4. 8.28. Consider the elliptic curve version of the ElGamal digital signature. (a) Show that the private key a can be recovered if the adversary learns r. (b) Show that the private key a can be recovered if the same r is used to generate signatures on two messages. (c) Let E : y2 = x3 + x + 4 (mod 23) and let P = (0, 2). Show that an adversary can forge valid signature on any message of their choice. Propose a method to prevent such an attack. 8.29. Propose a simple method to compute mP on an elliptic curve with approximately log2 m point doublings and 1 2 log2 m or less additions on average. 8.30. Find all points of order 2, ie. points P such that 2P = O, of the elliptic curve E : y2 = x3 −x over R. 8.3 Solutions 8.1. Since 144 = 128 + 16 = 27 + 24, we can calculate 144P in 8 additions as follows. We compute points 2P, 4P = 2P + 2P, 8P = 4P + 4P, 16P = 8P + 8P, 32P = 16P + 16P, 64P = 32P + 32P, 128P = 64P + 64P, 144P = 128P + 16P = (1694, 125). 8.2. We are looking for k such that Q = kP. We compute kP, k > 1, until we find Q. k kP 2 (20, 20) 3 (14, 14) 4 (19, 20) 5 (13, 10) 6 (7, 3) 7 (8, 7) 8 (12, 17) 9 (4, 5) Therefore, k = 9. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 112 8.3. We know that elliptic curve given in the following form y2 + uxy + vy = x3 + ax2 + bx + c can be transformed into the form y2 = x3 + dx2 + ex + f (if p = 2) and consequently into the form y2 = x3 + gx + h (if p = 3). In this case we can immediately apply the second transformation using the substitution: x → x − d 3 For E we have x → x − 6 3 = x − 2 (3−1 ≡ 10 mod 29) and y2 = (x − 2)3 + 6(x − 2)2 + 14(x − 1) + 16 yields y2 = x3 + 2x + 4 8.4. (a) The curve is singular: 4a3 − 27b2 ≡ 0 (mod 17), therefore it has multiple roots: y2 = x3 + 10x + 5 = (x + 5)2(x + 7) (mod 17). Therefore the points of the curve does not form a group. (b) Four points together with the point at infinity form a group. The addition table is explicitly given as follows: O (0, 1) (4, 5) (4, 2) (0, 6) O O (0, 1) (4, 5) (4, 2) (0, 6) (0, 1) (0, 1) (4, 5) (4, 2) (0, 6) O (4, 5) (4, 5) (4, 2) (0, 6) O (0, 1) (4, 2) (4, 2) (0, 6) O (0, 1) (4, 5) (0, 6) (0, 6) O (0, 1) (4, 5) (4, 2) The isomorphism between (E, +) and (Z5, +) is given as O ↔ 0, (0, 1) ↔ 1, (4, 5) ↔ 2, (4, 2) ↔ 3 and (0, 6) ↔ 4. 8.5. (a) Let |E| denote the order of the group of points on E. By Hasse’s theorem, we have ||E| − 6| < 2 √ 5, which implies |E| < 6 + 2 √ 5 < 11. Thus such an elliptic curve does not exist. (b) Yes, for example the elliptic curve E given by the equation y2 = x3 + 3x (whose discriminant −16(4 · 33 + 27 · 02) = −26 · 33 is nonzero) contains ten points: (0, 0), (1, 2), (1, 3), (2, 2), (2, 3), (3, 1), (3, 4), (4, 1), (4, 4), and O. 8.6. Let a = p q and b = r s , where a, b are rational numbers and p, q, r, s are integers. Multiplying the equation given by E with q6s6 yields q6 s6 y2 = q6 s6 x3 + pq5 s6 x + rq6 s5 Let X = q2s2x and Y = q3s3y. Now the equation can be rewritten as Y 2 = X3 + pq3 s4 X + rq6 s5 , thus A = pq3s4 and B = rq6s5. 8.7. 
Using the previous theorem it suffices to find a point on E : y2 = x3 − 25x such that its y-coordinate is nonzero. The point (−4, −6) lies on the elliptic curve E. Using the transformation g we obtain the triple g(x, y) = g(−4, −6) = − 3 2 , − 20 3 , − 41 6 . We can multiple the triple with −1 to obtain sizes of the right-angled triangle whose area is equal to 5. Similarly, we can prove that 6 is the congruent number using the elliptic curve E : y2 = x3 − 36x and its point (−2, 8) yielding the sizes 3, 4 and 5. CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 113 8.8. (a) Obviously, 2O = O, since O is the identity element. Let P = O. Rearranging the equation 2P = O, we have P = −P. Following the definition of addition of points of an elliptic curve, the inverse of P corresponds to the pair (x, −y), where P = (x, y). Thus, y = −y and therefore y = 0. The collection of points such that y = 0 is characterized by the solutions of the equation x3 + ax + b = y2 = 0, which depends on how many roots the cubic polynomial has. Certainly, the cubic has at least one real root. The other two roots are either two real numbers or complex conjugates. Therefore, curves over R have either two such points (one being a root of the cubic equation plus O) or four such points (three roots plus O). Note that there can be no multiple roots as the elliptic curve is assumed to be non-singular. Considering solutions over Zp where p is a prime, the cubic modular equation has either 0, 1 or 3 roots.Therefore, there can be 1, 2, or 4 points such that 2P = O over Zp. (b) Let P1 and P2 be points of a non-singular elliptic curve E over Zp where p is a prime such that P1 = P2. Then P1 + P2 must be a necessarily a point of E, since points of E with the addition operation form a group. Let Q = P1 + P2. Then Q has necessarily a unique inverse −Q, since once again (E, +) is a group. Setting P3 = −Q gives the desired result as P1 + P2 + P3 = (P1 + P2) + P3 = Q + (−Q) = O, and P3 must be exactly one. (c) The proposition P1 = P3 ∧ P2 = P3 does not hold in general. A counterexample can be given when the elliptic curve has at least two points P such that 2P = O, i.e. P = −P. Let Q = O be one such point. Now observe that if P1 = O and P2 = Q, then P1 + P2 = P2 = Q but the only possibility for P3 to make the equation P1 + P2 + P3 = O hold, is P3 = −Q = Q = P2, which disproves the proposition. 8.9. (a) (1) Alice computes naP = (10, 25). (2) Bob computes nbP = (24, 22). (3) Alice and Bob interchange values naP and nbP. (4) Alice computes na(nbP) = (20, 3). (5) Bob computes nb(naP) = (20, 3). (b) We need not send the y-coordinate of a point (x, y). The value of ±y can be determined by computing the square root of x. Therefore, to send a point (x, y) it suffices to send x together with one bit to determine the sign of y. This idea is known as point compression. 8.10. (a) The user U computes (M + kPU ) − sU (kG) = M + kPU − k(sU G) = M + kPU − kPU = M. (b) sA(kG) = 7(8, 3) = (3, 5), M = (M + kPA) − sA(kG) = (10, 2) − (3, 5) = (10, 2) + (3, −5) = (10, 9). 8.11. We have n3 +(n+1)3 +(n+2)3 = 3n3 +9n2 +15n+9 ≡ 3n3 +6n (mod 9). Now we prove by induction that 3n3 + 6n ≡ 0 (mod 9). For n = 0, the equation holds. Assume the equation holds n. For n+1, we have 3(n+1)3 +6(n+1) = 3n3 +9n2 +9n+3+6n+6 = (3n3 +6n)+9(n2 +n+1) ≡ 0 (mod 9). CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 114 8.12. Applying Fermat’s little theorem we have aL − 1 ≡ ai(p−1) − 1 ≡ (ap−1 )i − 1 ≡ 0 (mod p), aL − 1 ≡ aj(q−1)+k − 1 ≡ (aq−1 )j ak − 1 ≡ ak − 1 (mod q). 
Therefore aL − 1 = mp for some integer m and since q aL − 1 and p, q are primes, it holds that gcd(aL − 1, n) = gcd(mp, pq) = p. 8.13. A Carmichael number is a composite number n which satisfies the equation bn−1 ≡ 1 (mod n) for all 1 ≤ b < n with gcd(b, n) = 1. Consider n being an even number, then (n−1)n−1 ≡ (−1)n−1 ≡ −1 (mod n) which contradicts the definition of Carmichael numbers. 8.14. (a) If n = 2k, then 2n − 1 = 22k − 1 = (2k − 1)(2k + 1) is composite, since n > 2 ⇒ k > 1 ⇒ 2k − 1 > 1. (b) If n = 3k, then 2n − 1 = 23k − 1 = (2k − 1)(22k + 2k + 1) is composite, since n > 3 ⇒ k > 1 ⇒ 2k − 1 > 1. (c) We prove the contraposition of (c): If n is composite, then 2n −1 is composite. Assume n = kl for some k, l > 1. Then, 2kl − 1 = (2k − 1)(2l(k−1) + 2l(k−2) + . . . + 1). Therefore, 2n − 1 is composite. 8.15. The condition n divides 2n − 2 can be rewritten as 2n ≡ 2 (mod n). ⇒: This is true: Directly from Fermat’s little theorem because n is prime. ⇐: This is not true: 2n − 2 ≡ 2 (mod n) for composite numbers n = 341 or n = 561 and others. 8.16. (a) Let n = pkq, where q is not divisible by p and k ≥ 1. We have n p = n! (n−p)!p! = n(n−1)(n−2)...(n−p+1) p! = pkq(n−1)(n−2)...(n−p+1) p! = pk−1q(n−1)(n−2)...(n−p+1) (p−1)! . Since p is a prime and p divides n, p does not divide any number between n and n − p and it does not divide the product of these numbers. Therefore (n − 1)(n − 2) . . . (n − p + 1) is not divisible by p, q is not divisible by p and n p = pk−1q(n−1)(n−2)...(n−p+1) (p−1)! is not divisible by pk which gives that n p is not divisible by n. (b) ⇒: We have n k = n! (n−k)!k! = n(n−1)...(n−k+1) k! and since n is a prime and k < n, k, k − 1, . . . , 1 are coprime to n and therefore gcd(k!, n) = 1. Since n k is an integer, k! | (n − 1) . . . (n − k + 1). Let (n−1)...(n−k+1) k! = m. Then n k = mn and n | n k . ⇐: We use obversion: If n is not a prime, then there exists k ∈ {1, 2, . . . , n − 1} such that n n k . Let p be the smallest prime factor of n. Obviously 1 < p < n−1 and using the theorem proved in (a), n p is not divisible by n. (c) ⇒: Given equation can be rewritten using binomial coefficients as (x + a)n = n i=0 n i xn−i ai = xn + an + n−1 i=1 n i xn−i ai . CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 115 Let n be a prime. Using the theorem proved in (b), n k is divisible by n for all 1 ≤ k ≤ n − 1. Terms n 1 = n n−1 = n are divisible by n as well. Together, n−1 i=1 n i xn−iai ≡ 0 (mod n). From Fermat’s little theorem, an ≡ a (mod n) because gcd(a, n) = 1. Therefore (x + a)n = xn + a (mod n). ⇐: Let n be a composite number. Let p be the smallest prime factor of n. Using the theorem proved in (a), n p is not divisible by n. Since gcd(a, n) = 1, ap is coprime to n as well. Therefore n p ap is not divisible by n which means the coefficient corresponding to xn−p is not congruent to zero modulo n and (x + a)n = xn + a (mod n). 8.17. (a) This algorithm proceeds with evaluating x0, x1, . . . and for every xi it computes gcd(xi − x0, n), gcd(xi − x1, n), . . . gcd(xi − xi−1, n) until some gcd is greater than 1. In this case, computing gcd(x14 − x12, 229 − 1) = gcd(334654399 − 210447727, 229 − 1) = 233 yields a factor of n. (b) We have M = 22 · 3 · 5 and gcd(aM − 1, n) = gcd(260 − 1, 23729) = gcd(16226, 23729) = 61. 8.18. We subsequently calculate points kP for k > 2. 
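This computation can be carried out mechanically. A minimal Python sketch follows (the curve y^2 = x^3 + 4x + 4 over Z_551 and the point P = (0, 2) are taken from the exercise; the helper name ec_add is our own); it adds P repeatedly and watches for a slope denominator that is not invertible modulo 551. The resulting points are listed below.

    from math import gcd

    def ec_add(P1, P2, a, n):
        # Add two points of y^2 = x^3 + ax + b over Z_n; report a non-invertible denominator.
        (x1, y1), (x2, y2) = P1, P2
        if P1 == P2:
            num, den = (3 * x1 * x1 + a) % n, (2 * y1) % n
        else:
            num, den = (y2 - y1) % n, (x2 - x1) % n
        g = gcd(den, n)
        if g != 1:
            raise ValueError("non-invertible denominator, gcd = %d" % g)
        lam = num * pow(den, -1, n) % n
        x3 = (lam * lam - x1 - x2) % n
        return x3, (lam * (x1 - x3) - y1) % n

    n, a, P = 551, 4, (0, 2)
    Q = P
    for k in range(2, 14):
        try:
            Q = ec_add(Q, P, a, n)          # Q = kP
            print(k, Q)
        except ValueError as e:
            print(k, e)                     # at k = 13: gcd = 19, a factor of 551
            break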
kP = (xk, yk) P = (0, 2) 2P = (1, 548) 3P = (24, 118) 4P = (382, 172) 5P = (136, 275) 6P = (507, 297) 7P = (260, 539) 8P = (516, 314) 9P = (477, 94) 10P = (214, 547) 11P = (495, 326) 12P = (171, 397) When computing 13P we try to compute λ = (y2 − y1)/(x2 − x1), but fail because (x12 − x1) = 171 and gcd(171, 551) = 19. 8.19. If c = 0, it can happen that the sequence x0, x1 = f(x0), x2 = f(x1) . . . contains some xk ≡ 1 (mod n). In such case xl ≡ 1 (mod n) for all l > k. Similarly, if c = n − 2 then c ≡ −2 (mod n) and if xk ≡ −1 (mod n), then xl ≡ (−1)2 − 2 ≡ −1 (mod n). In both cases the sequence contains a cycle which makes the algorithm useless. 8.20. (a) We have that e = 23 · 1600875 and we select a = 2 as the base. All congruences are modulo n in the following. Since x0 ≡ 21600875 ≡ 76859538 ≡ −1, we have to choose a new base. Let a = 3, then x0 ≡ 31600875 ≡ 44940756, x1 ≡ x2 0 ≡ 9649071, x2 ≡ x2 1 ≡ 1. Since x1 ≡ 1, gcd(x1 − 1, n) = 8539 and n = 8539 · 9001. (b) We will show that 2a is the universal exponent for n = 2a+2. We use induction on a to prove that x2a ≡ 1 (mod 2a+2) for odd x. If a = 1 then it is easy to see that x2 ≡ 1 (mod 8). Now assume that x2a−1 ≡ 1 (mod 2a+1). Therefore, x2a = (1+2a+1t)2 for some t ∈ Z, thus x2a ≡ 1 (mod 2a+2). CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 116 8.21. Two curves we are searching for are E1 : y2 = x3 + 4x + 1 mod 5 and E2 : E1 : y2 = x3 + 4x mod 5. Let us investigate E1 first. Quadratic residues mod 5 are 1 and 4, and 0 has a square root of zero. Let us check whether x3 + 4x + 1 mod 5 is a quadratic residue for different values of x. x x3 + 4x + 1 mod 5 QR? y 0 1 YES (1, 4) 1 1 YES (1, 4) 2 2 NO - 3 0 - 0 4 1 YES (1, 4) From this table we can list all the 8 points – all of those in the table, plus the point in infinity O: E1 = {(0, 1), (0, 4), (1, 1), (1, 4), (3, 0), (4, 1), (4, 4), O}. The group structure of E1 is isomorfic to (Z8, +). In order to prove this claim let us find the isomorfism from (E1, +) to (Z8, +). Let’s calculate multiples of the point P = (0, 1): n nP 1 (0, 1) 2 (4, 1) 3 (1, 4) 4 (3, 0) 5 (1, 1) 6 (4, 4) 7 (0, 4) 0 O Since the whole group is generated by (0, 1) we see that the table also defines the desired isomorphism and each point is mapped to the corresponding number in the first columnt. Indeed it is easy to verify that each point Q can be expressed as qP and therefore Q+R = qP +rP = (q+r)P, which is the condition for the mapping function to be a homomorphism. The bijectivity of this mapping is trivial. Let us investigate E2 in the same way: x x3 + 4x mod 5 QR? y 0 0 - 0 1 0 - 0 2 1 YES (1,4) 3 4 YES (2,3) 4 0 - 0 The list of points is therefore E2 = {(0, 0), (1, 0), (2, 1), (2, 4), (3, 2), (3, 3), (4, 0), O}. In order to prove that the group structure is not equivalent to (Z8, +) it is enough to note that for all points P ∈ {(0, 0), (1, 0), (4, 0), O} we have that 2P = O. Since O always corresponds to 0, it is enough to note that in (Z8, +) there are only two points with this property (0 and 4). That leaves us with two other options. Either (E2, +) is equivalent to (Z4 × Z2, +), or (Z3 2, +), since there are no other Abelian groups with 8 elements. Of these two for all 8 elements of (Z3 2, +) it holds that 2a = 0, ∀(Z3 2, +), therefore the only option left is (Z4 × Z2, +). Indeed, the elements corresponding to {(0, 0), (1, 0), (4, 0), O} ⊂ E2 are (0, 0), (2, 0), (0, 1), (2, 1). CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 117 8.22. 
Upon receiving the encrypted message (O, y1, y2), we can calculate dO = d(kP) = k(dP) = kQ = (c1, c2) using our secret d. Using that we can easily calculate c−1 1 mod p and c−1 2 mod p to obtain m1 = y1c−1 1 mod p and m2 = y2c−1 2 mod p, with m = (m1, m2). 8.23. Elliptic curve is non-singular if its discriminant ∆ = −16(4a3 + 27b2) is non-zero. Plugging in a = 0 and b = 8, we receive ∆ = −27648. Hence, E is nonsingular and therefore has no multiple roots. Moreover, since the discriminant is negative E has only one root. 8.24. In order to factorize n = 713 by Quadratic sieve method let us choose m = √ 713 = 26, k = 6, and the factorization basis {2, 3, 5, 7, 11, 13, 17}. u -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 (m + u)2 − n -313 -272 -229 -184 -137 -88 -37 16 71 128 187 248 311 sieve with 2 -17 -23 -11 1 1 31 sieve with 3 sieve with 5 sieve with 7 sieve with 11 -1 17 sieve with 17 -1 1 We can see that 212 − 713 = −272 = −24 · 17, 252 − 713 = −88 = −23 · 11, 292 − 713 = 128 = 27 , 302 − 713 = 187 = 11 · 17. and so (212 − 713)(252 − 713)(292 − 713)(302 − 713) = 214 · 112 · 172 = 239362 ≡ 4072 (mod 713). On the other hand, (212 − 713)(252 − 713)(292 − 713)(302 − 713) ≡ 4567502 ≡ 4302 (mod 713). It follows that 713 divides (403 − 407)(403 + 407) = 23 · 837. We have gcd(713, 23) = 23 = 1. We obtain prime factors 713 = 23 · 31. 8.25. Let us denote elements of the field F4: 0, 1, a, b. This field has the following additive and multiplicative structure: + 0 1 a b 0 0 1 a b 1 1 0 b a a a b 0 1 b b a 1 0 · 0 1 a b 0 0 0 0 0 1 0 1 a b a 0 a b 1 b 0 b 1 a We can examine cases: x = 0, the only possibility is y = 0, x = 1, possible y is y = 0 or y = 1, CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 118 x = a, possible y = 0 or y = a, x = b, possible y = 0 or y = b, x = O. To conclude, there are 8 points on y2+xy = x3+1 over F4: (0, 0), (1, 0), (1, 1), (a, 0), (a, a)(b, 0), (b, b), and O. 8.26. Since r = 16 is even, we know that 298 ≡ 50 (mod 119) is a nontrivial solution of x2 ≡ 1 (mod 119), which means that 119 | (49 · 51). We can now compute gcd(49, 119) = 7 and obtain a factor of 119 = 7 · 17. 8.27. (a) To encrypt the message we have to calculate A = rP and B = m + rQ, which represent the encrypted message as (A, B). We calculate A as: λ = 3 · 29 + 3 2 · 8 = 4 · 9 = 3, ax = λ2 − 2 − 2 = 5, ay = λ(2 − 5) − 8 = 5, A = rP = (ax, ay) = (5, 5); and B as follows. First we can use the calculated result to obtain rQ: 2(2, 3) = −2(2, 8) = −(5, 5) = (5, 6). We add m and rQ to obtain B: λ = 3 · 52 + 3 2 · 6 = 1 bx = 1 − 5 − 5 = 2, ay = 5 − 2 − 6 = 8, B = m + rQ = (bx, by) = (2, 8). (b) Decryption of the message m follows: m = B − xA = (2, 8) − 4(5, 5) = −7(2, 8) = −2(2, 8) = 2(2, 3) = (5, 6). 8.28. (a) Knowing r, an adversary can calculate x−1 (m − rs) = x−1 (m − rr−1 (m − ax)) = x−1 (m − m + ax)) = a (mod n). (b) We have s1 = r−1 (m1 − ax) (mod n), s2 = r−1 (m2 − ax) (mod n). We can rewrite the equations as rs1 = m1 − ax (mod n), rs2 = m2 − ax (mod n). Subtraction gives r(s1 −s2) = m1 −m2 (mod n). If s1 = s2 (mod n) then r = (m1 −m2)(s1 − s2)−1 (mod n). Knowing r, an adversary continues as in (a). CHAPTER 8. ELLIPTIC CURVE CRYPTOGRAPHY 119 (c) An adversary can forge valid signature for a message m by choosing any r with gcd(r, n) = 1 The pair (0, r−1m) is valid signature for the message m because xQ + sR = 0 + r−1 m · rP = mP. Therefore, a verifier should reject signatures with x ≡ 0 (mod n). 8.29. Double-and-add method, similar to modular exponentiation by squaring, can be used. 
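A minimal Python sketch of the idea (assuming a point-addition routine add(P, Q) for the curve at hand that also handles the doubling case P = Q, with the point at infinity O represented as None):

    def multiply(m, P, add):
        # Compute mP by scanning the bits of m from the most significant one:
        # double the accumulator for every bit, add P whenever the bit is 1.
        R = None                                        # R starts as O
        for bit in bin(m)[2:]:
            if R is not None:
                R = add(R, R)                           # doubling step
            if bit == '1':
                R = P if R is None else add(R, P)       # addition step
        return R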
We can write m in the binary form: m = n i=0 mi2i , where mi = {0, 1}. Moreover, we have 2n ≤ m < 2n+1 and n < log2 m. We need to perform n doublings which is approximately log2 m doublings. Now we sum mi2i and, assuming distribution of m is uniform, half of mi will be zeroes and half will be ones on average, resulting in approximately 1 2 log2 m additions. The method above can be enhanced allowing mi = {−1, 0, 1}: subtraction of points takes the same amount of time as point addition. There will be 2 3 of mi equal to zero on average, resulting in 1 3 log m point additions or subtractions. 8.30. P = −P is defined as (x, y) = (x, −y) and thats true only if y = 0, therefore we have to find such x that y = 0. Such x are −1, 0, 1 and therefore 2-torsion points are (−1, 0), (0, 0), (1, 0), O. Chapter 9 Identification, Authentication and Secret Sharing 9.1 Introduction More applications of cryptography ask for identification of communicating parties and for data integrity and authentication rather than for secret data. A practically very important problem is how to protect data and communication against an active attacker. 9.1.1 User identification User identification is a process in which one party (called the prover) convinces another party (called the verifier) of prover’s identity and that the prover is actually participating in the identification process. The purpose of any identification process is to preclude impersonation (pretending to be another person). User identification has to satisfy the following conditions: • The verifier has to accept prover’s identity if both parties are honest. • The verifier cannot later, after successful identification, pose as a prover and identify himself (as the prover) to another verifier. • A dishonest party that claims to be the other party has only negligible chance to identify himself successfully. Every user identification protocol has to satisfy the following two security conditions: • If one party (verifier) gets a message from the other party (prover), then the verifier is able to verify that the sender is indeed the prover. • There is no way to pretend for an adversary when communicating with Bob that he is Alice, without Bob having a large chance to find that out. Static means like passwords or fingerprints can be used, or identification can be implemented by dynamic means, with challenge and response protocols. In a challenge-response identification protocol Alice proves her identity to Bob by demonstrating knowledge of a secret known to be associated with Alice only, without revealing the secret itself to Bob. Structure of challenge-response protocols is as follows: 1. Alice sends a commitment (some random element) to Bob. 2. Bob sends a challenge to Alice. 3. Alice sends the response that depends on the challenge received and her commitment to Bob. 4. Bob verifies the response. 120 CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 121 Simplified Fiat-Shamir identification scheme Let p,q be large random primes, n = pq, v ∈ QR(n) be a quadratic residue and s such that s2 ≡ v (mod n). Alice is given as her private key s, while v is made public. 1. Alice chooses a random r < n, computes x = r2 mod n and sends x to Bob. 2. Bob sends to Alice a random bit b as a challenge. 3. Alice sends Bob as the response y = rsb mod n. 4. Bob identifies the sender as Alice if and only if y2 = xvb mod n. Alice and Bob repeat this protocol several times, until Bob is convinced that Alice knows s. 
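A single round of the protocol can be simulated directly; the following Python sketch uses small illustrative parameters (p = 1009, q = 1013 and the secret s are our own toy choices, far too small for real use):

    import random

    p, q = 1009, 1013
    n = p * q
    s = 123456 % n               # Alice's secret
    v = s * s % n                # public quadratic residue v = s^2 mod n

    def fiat_shamir_round():
        r = random.randrange(2, n)
        x = r * r % n                                   # 1. commitment x = r^2 mod n
        b = random.randrange(2)                         # 2. Bob's challenge bit
        y = r * pow(s, b, n) % n                        # 3. response y = r * s^b mod n
        return (y * y) % n == (x * pow(v, b, n)) % n    # 4. check y^2 = x * v^b mod n

    print(all(fiat_shamir_round() for _ in range(20)))  # an honest Alice always passes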
If Alice does not know s, she can choose r such that she can give the correct response to Bob if he sends her the challenge 0, or she can choose r such that she can give the correct response to Bob if he sends her the challenge 1, but she cannot do both. The probability of her giving the correct response to Bob t times is 1 2t . Schnorr identification scheme Setup phase: Trusted authority (TA) involved chooses a large prime p, a large prime q dividing p−1, an α ∈ Z∗ p of order q and a security parameter t such that 2t < q. These parameters p, q, α, t are made public. TA also establishes a secure digital signature scheme with a secret signing algorithm sigTA and a public verification algorithm verTA. Certificate issuing: TA verifies Alice’s identity by conventional means and forms a string ID(Alice) which contains her identification information. Alice chooses a secret random 1 ≤ a ≤ q − 1 and computes v = α−a (mod p) and sends v to the TA. TA generates signature s = sigTA(ID(Alice), v) and sends C(Alice) = (ID(Alice), v, s) back to Alice as her certificate. Identification protocol: 1. Alice chooses a random commitment 0 ≤ k < q and computes γ = αk (mod p). 2. Alice sends to Bob γ and her certificate C(Alice) = (ID(Alice), v, s). 3. Bob verifies the signature of TA. 4. Bob chooses a random challenge 1 ≤ r ≤ 2t and sends it to Alice. 5. Alice computes the response y = (k + ar) (mod q) and sends it to Bob. 6. Bob verifies that γ ≡ αyvr (mod p). 9.1.2 Message authentication The goal of the data authentication protocols is to handle the case that data are sent through insecure channels. By creating so-called Message Authentication Code (MAC) and sending this MAC together with the message through an insecure channel, the receiver can verify whether data were not changed in the channel. The price to pay is that the communicating parties need to share a secret random key that needs to be transmitted through a very secure channel. The basic difference between MACs and digital signatures is that MACs are symmetric. Anyone who is able to verify MAC of a message is also able to generate the same MAC and vice versa. A scheme (M, T, K) for data authentication is given by a set of possible messages (M), a set of possible MACs (T) and a set of possible keys (K). It is required that to each key k ∈ K there is a single and easy to compute authentication mapping authk : {0, 1}∗ × M → T and a single and easy to compute verification mapping verk : M × T → {true, false}. An authentication scheme should also satisfy CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 122 the condition of correctness: For each m ∈ M and k ∈ K it holds verk(m, c) = true if there exists an r from {0, 1}∗ such that c = authk(r, m); and the condition of security: For any m ∈ M and k ∈ K it is computationally unfeasible (without the knowledge of k) to find c from T such that verk(m, c) = true. 9.1.3 Secret sharing A secret sharing scheme is a method to distribute a secret among several users in such a way that only predefined sets of users (so called access structure) can recover the secret. In particular, an (n, t)-threshold scheme, where n and t < n are integers, is a method of sharing a secret S among a set P of n participants, P = {Pi | 1 ≤ i ≤ n}, in such a way that any t, or more, participants can compute the value S, but no group of t − 1, or less, can compute S. Secret S is chosen by a dealer D ∈ P. 
It is assumed that the dealer distributes the shares to the participants secretly and in such a way that no participant knows the shares of other participants.

Shamir's (n, t)-threshold scheme

The essential idea of Shamir's threshold scheme is that t points uniquely determine a polynomial of degree t − 1 (2 points are sufficient to define a line, 3 points are sufficient to define a parabola, and so on).

Initiation phase: The dealer D chooses a prime p > n and n distinct nonzero values xi ∈ Zp, 1 ≤ i ≤ n, and gives the value xi to the user Pi. The values xi are made public.

Share distribution phase: Suppose D wants to share a secret S ∈ Zp among the users. D randomly chooses, and keeps secret, t − 1 elements a1, . . . , a_{t−1} of Zp. For 1 ≤ i ≤ n, D computes the shares yi = f(xi), where

f(x) = S + a1 x + a2 x^2 + · · · + a_{t−1} x^{t−1} (mod p).

D gives the computed share yi to the participant Pi.

Secret cumulation phase: Suppose participants P_{i1}, . . . , P_{it} want to determine the shared secret S. Since f(x) has degree t − 1, f(x) has the form f(x) = a0 + a1x + · · · + a_{t−1}x^{t−1}, and its coefficients can be determined from the t equations f(x_{ij}) = y_{ij}, where all arithmetic is done modulo p. It can be shown that the equations obtained this way are linearly independent and the system has exactly one solution. In such a case we get S = a0.

More technically, using the so-called Lagrange interpolation formula, any group J of t or more parties can reconstruct the secret S (with the shares taken at the points xi = i) using the following equality:

S = a0 = f(0) = Σ_{i∈J} f(i) · Π_{j∈J, j≠i} j/(j − i).

Access structures

A more general structure of participants that are allowed to reconstruct a secret may be required. An authorized set of parties A ⊆ P is a set of parties who should be able, when cooperating, to reconstruct the secret. An unauthorized set of parties U ⊆ P is a set of parties who alone should not be able to learn anything about the secret. Let P be a set of parties. The access structure Γ ⊆ 2^P is a set such that A ∈ Γ for all authorized sets A and U ∈ 2^P − Γ for all unauthorized sets U.

Orthogonal arrays

An orthogonal array OA(n, k, λ) is a λn^2 × k array of n symbols such that in any two columns of the array every one of the possible n^2 pairs of symbols occurs in exactly λ rows. The following holds for orthogonal arrays:

• If p is a prime, then OA(p, p, 1) exists.
• If p is a prime and d ≥ 2 is an integer, then there exists an orthogonal array OA(p, (p^d − 1)/(p − 1), p^{d−2}).

Example of OA(3, 3, 1):

0 0 0
1 1 1
2 2 2
0 1 2
1 2 0
2 0 1
0 2 1
1 0 2
2 1 0

There is the following relation between orthogonal arrays and authentication matrices. If there is an orthogonal array OA(n, k, λ), then there is an authentication code with |M| = k, |T| = n, |K| = λn^2 and PI = PS = 1/n, where PI (PS) is the probability of impersonation (substitution). Rows of the orthogonal array are used as authentication rules, with each row chosen with equal probability 1/(λn^2); columns correspond to messages and symbols correspond to authentication tags.

9.2 Exercises

9.1. Alice and Bob share a bit string k. Alice identifies herself to Bob using the following protocol:

(a) Bob randomly chooses a bit string r and sends it to Alice.
(b) Alice computes r ⊕ k and sends it to Bob.
(c) Bob accepts if and only if k = r ⊕ c where c is the received bit string.

Is this protocol secure?

9.2. Consider the following identification protocol. Let KXY denote a secret key shared between parties X and Y.
Let NX denote a random integer generated by X and {m}K denote a message m encrypted (using a given encryption system) with the key K. To authenticate herself to Bob (denoted as B), Alice (denoted as A) performs, with the help of an authentication server (denoted as S), the following steps: (i) A → B : “Alice” (ii) B → A : NB (iii) A → B : {NB}KAS (iv) B → S : “Bob”, {“Alice”, {NB}KAS }KBS (v) S → B : {NB}KBS (vi) verify NB (a) Show that a malicious user Mallot can impersonate Alice to Bob. (b) Propose a modification of the above protocol to prevent an attack from (a). 9.3. Let G be a cyclic group of the prime order p and g be its generator. Alice chooses as her private key x ∈ Zp, the corresponding public key will be X = gx (mod p). Consider the following user identification scheme: CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 124 (1) Alice randomly chooses r ∈ Zp, and sends R = gr (mod p) and S = gx−r (mod p) to Bob. (2) Bob responds by sending a randomly chosen bit b. (3) If b = 0, Alice sends z = r to Bob, otherwise she sends z = x − r. (a) Find and explain the acceptance condition. (b) Show that the adversary Eve is able to impersonate Alice with probability 1 2. (c) Propose a change which makes the protocol more secure. * 9.4. Consider the Schnorr identification scheme. (a) Why is it important that the steps 1, 2 and 4 in the scheme are in this order? Would it affect security of the protocol if Bob chooses and sends the r first? (b) Let, when following the protocol, Bob realize that Alice is using the same γ that she used previously when she was identifying herself to him. Let Bob save logfiles of that communication with Alice. Can he abuse this? 9.5. Let Alice and Bob use the Fiat-Shamir identification scheme. Let, for some reason, Bob needs to convince Charles that he communicated with Alice recently. In order to do that, he shows Charles what he claims to be a transcript of a recent execution of the Fiat-Shamir scheme in which he accepted Alice’s identity. Should Charles be convinced after seeing the transcript? Explain your reasoning. 9.6. Consider the following protocol for mutual identification between Alice (denoted as A) and Bob (denoted as B). Let KAB denote a secret key shared between parties A and B. Let NX denote a random integer generated by X and {m}K denote a message m encrypted (using a given encryption system) with the key K. (i) A → B : “Alice”, NA (ii) B → A : {NA}KAB , NB (iii) A → B : {NB}KAB Show that the proposed protocol is not secure and propose a secure variant. 9.7. Alice and Bob share a secret random key k and let they intend to use it to authenticate their two bit messages with single bit tags as follows. The protocol consists of picking one of the functions from H, where H is a set of hash functions, according to the key k. Alice’s message is then (m, hk(m)), where hk is the hash function chosen according to the key k. Bob, after receiving (possibly modified) message (m , t ) computes hk(m ) and verifies if t = hk(m ). (a) Consider H given by the following table, where rows are labeled by hash functions and columns by their arguments. Is the above protocol secure? h m 00 01 10 11 h1 1 1 0 0 h2 0 0 1 1 h3 1 0 0 1 h4 0 1 1 0 CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 125 (b) Can you find a set of hash functions that provides secure authentication? 9.8. Eleven scientists are working on a secret project. 
They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if six or more of the scientists are present. (a) What is the smallest number of locks needed? (b) What is the smallest number of keys to the locks each scientist must carry? (c) Generalize the result for n scientists of which m have to be present to be able to open the cabinet. 9.9. Show how you could extend Shamir’s (n, t)-threshold scheme to a (n + 1, t)-scheme that includes an additional user without changing the existing shares. * 9.10. Consider the modification of the Shamir’s (n, t)-threshold scheme where calculations are over all integers and not over a finite field. Show that this modification is not perfectly secure, i.e. knowledge of less than t shares gives some information about the secret. 9.11. There are four people in a room and exactly one of them is a spy. The other three people share a secret using the Shamir’s (3, 2)-threshold scheme over Z11. The foreign spy has randomly chosen his share. The four pairs are P1 = (1, 7), P2 = (3, 0), P3 = (5, 10) and P4 = (7, 9). Find out which pair was created by the foreign spy. * 9.12. Consider the following (n, t)-secret sharing scheme. Let a1, a2, . . . an be an increasing sequence of pairwise co-prime integers such that the product of the smallest t of them is greater than the product of the t − 1 largest ones, i.e. t i=1 ai > t−1 i=1 an−i+1. Choose a secret s from the interval ( t−1 i=1 an−i+1, t i=1 ai) and compute the corresponding shares si = s (mod ai) for 1 ≤ i ≤ n. Show that t participants can reconstruct the secret s. 9.13. Consider the Shamir’s (10, 3)-threshold scheme over Zp, where p is a large prime. Suppose an adversary corrupts one of the share holders and this share holder intends to give a bad share in the secret cumulation phase. The problem is that nobody knows which share holder is corrupted. (a) Describe a method how to reconstruct s given all 10 shares and explain why it works. (b) Determine the smallest number x of shares that are sufficient to reconstruct s. Explain. (c) Is it true that no collection of fewer than x share holders can obtain some information about s? Explain. 9.14. A military office consists of one General, two Colonels and five Majors. They have control of a powerful missile, but they do not want to launch it unless the General decides to launch it, or two Colonels decide to launch it, or five Majors decide to launch it, or one Colonel together with three Majors decide to launch it. How they would do that with a secret sharing scheme. 9.15. Secret sharing schemes for general access structures can be constructed by using several independent instances of a (n, t)-threshold scheme. (a) Design a secret sharing scheme for five participants {A, B, C, D, E} and access structure {{A, B}, {B, C, D}, {A, D, E}} with the use of as few instances of a threshold scheme as pos- sible. (b) Which subset of participants can we add to the access structure given in (a) to make it implementable by a single threshold scheme? CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 126 9.16. Consider the Shamir’s (n, t)-threshold scheme. Show that, in the secret reconstruction, a dishonest party can exclusively recover the secret, while forcing other honest parties to derive a faked secret. 9.17. Let (G, ·) be a group and s ∈ G be a secret. Propose a perfect (n, n)-threshold scheme based on G. 9.18. Consider a group of 2n − 1 users, n ≥ 1, trying to share a secret. 
These users are organized in a perfect binary tree hierarchy. Design a secret sharing scheme that will allow the recovery of the secret only to the groups which contain users that form a path from the root of the binary tree to one of its leaves (or more precisely the subgraph induced by this group contains such path). 9.19. Consider the following secret sharing scheme. Arthur, Barbara, Clark, Donald, Elisabeth and Fay – each is given a different piece of information about a secret natural number n: • Arthur knows that n is prime. • Barbara knows that the binary representation of n contains at most 11 digits. • Clark knows that n ≡ 2 (mod 5). • Donald knows that n ≡ 5 (mod 503). • Elisabeth knows that the binary representation of n contains at least 11 digits. • Fay knows that n is a divisor of 60510. Find n and determine all possible combinations of persons who are able to determine the secret together with certainty. 9.20. Can a secret sharing scheme for five participants A, B, C, D, E and an access structure generated by the authorized sets {A, B}, {B, C, D}, {A, D, E} be implemented using only one instance of a threshold scheme? Prove your answer. 9.21. Consider the Okamoto identification scheme simplified in the following way: we completely omit the numbers α2, a2, k2 and y2. This means our computation will change in the following way: v = α−a1 mod p, γ = αk1 mod p, y1 = k1 + a1r mod q and verification will be γ ≡ αy1 1 vr mod p. (We can consider this the case of the original protocol where it always holds a2 = k2 = 0.) Show that if Alice now chooses unfortunate a1 and k1 such that vγ ≡ 1 mod p, then Bob can discover the secret key a1. 9.22. Find an example of an orthogonal array OA(3, 4, 1) or at least prove that such exists. 9.23. Consider the general form of orthogonal arrays. (a) For all t and all n, there exists a t-(n, t + 1, 1) array. CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 127 (b) If there exists a t-(n, k, λ) orthogonal array, then there exists a (t − 1)-(n, k − 1, λ) orthogonal array. 9.24. Consider an orthogonal array OA(n, k, λ) as it was defined in the lecture. Such orthogonal array has strength s = 2, in any two columns of the array every one of the possible n2 pairs of symbols occurs in exactly λ rows. Generally, for an orthogonal array of strength s, in any s columns of the array every one of the possible ns ordered s-tuples of symbols occurs in exactly λ rows. Give an example of orthogonal array OA(2, 4, 1) of strength 3. 9.25. Show how to construct a (k−1, s)-threshold secret sharing scheme from an orthogonal array OA(n, k, 1) of strength s. 9.26. You have received the following card allowing you to open the safe-deposit box. It is clear that you need a password to open the box. Unfortunately, you do not know this password. At the same time, your colleague received a similar card for the same safe-deposit box... StarSafe-DepositBoxNr.334 passwordneededtoopen StarSafe-DepositBoxNr.334 passwordneededtoopen 9.27. Consider the following function f that computes the message authentication code of a message m comprising blocks m1||m2|| . . . ||mn using a secret key k and a block cipher E: f1 = Ek(m1), fi = Ek(fi−1 ⊕ mi) for i = 2, . . . , n Show that fn is not a secure message authentication code. CHAPTER 9. IDENTIFICATION, AUTHENTICATION AND SECRET SHARING 128 9.3 Solutions 9.1. The protocol is not secure because an eavesdropper can intercept r and r ⊕ k and easily compute k = r ⊕ c for later impersonation. 9.2. 
(a) Mallot (denoted as M) may proceed as follows:
(i) He establishes two connections with B simultaneously. In the first connection, M is acting as himself; in the second connection M is pretending to be A.
(ii) B sends him random integers N_B1 designated for M and N_B2 designated for A.
(iii) M throws away N_B1 and in both sessions he sends {N_B2}K_MS to B.
(iv) B sends "Bob", {"Alice", {N_B2}K_MS}K_BS and "Bob", {"Mallot", {N_B2}K_MS}K_BS to S.
(v) S successfully restores N_B2 from {"Mallot", {N_B2}K_MS}K_BS and restores some garbage G from {"Alice", {N_B2}K_MS}K_BS.
(vi) S sends {N_B2}K_BS and {G}K_BS to B.
(vii) B successfully restores N_B2 (B is thinking that A authenticated herself successfully to B), and restores some garbage G (B is thinking that M did not authenticate himself to B).
(viii) M can now impersonate A.

(b) The protocol can be corrected by requiring the server S to include in step (v) information about the user who wants to authenticate, i.e. that A wants to authenticate herself to B. The server S therefore sends {"Alice", N_B}K_BS to B.

9.3. (a) Bob accepts if and only if R · S ≡ X (mod p) and either b = 0 and R = g^z (mod p) or b = 1 and S = g^z (mod p).

(b) Eve can always send R = 1, S = X and z = 0. If b = 0, Bob will accept and Eve successfully impersonates Alice. In case b = 1, Bob will reject. The probability of impersonation is 1/2.

(c) The presented scheme can be modified as follows (resulting eventually in the Schnorr identification scheme): (i) Alice chooses a random r ∈ Z_p and sends R = g^r (mod p) to Bob. (ii) Bob sends a random challenge b ∈ Z_p to Alice. (iii) Alice sends z = r + bx (mod p) to Bob. Bob accepts if and only if R · X^b ≡ g^z (mod p).

9.4. (a) It is necessary that Alice makes her commitment first, before Bob picks and sends his challenge r. Suppose to the contrary that Bob sends r first. In order to impersonate Alice, an adversary Eve can use Alice's public certificate, stored for example during a past communication with Alice. Eve can choose an arbitrary y and send to Bob γ ≡ α^y v^r (mod p). In such a case, Bob will successfully verify the received γ without Eve proving the knowledge of the secret key a.

(b) After receiving γ_2 = γ_1, Bob could realize that the use of the same γ implies that Alice used the same k as well, because 0 ≤ k < q and q is the order of α in Z*_p. In such a situation he avoids using the same r_1 as before, i.e. he sends r_2 such that r_2 ≠ r_1, so that y_2 ≠ y_1. After receiving y_2, he obtains the following two equations: y_1 ≡ k_1 + a·r_1 (mod q) and y_2 ≡ k_2 + a·r_2 (mod q). Now, the equations can be combined to obtain: y_1 − y_2 ≡ k_1 − k_2 + a·r_1 − a·r_2 (mod q). Since k_1 ≡ k_2 and r_1 ≢ r_2: y_1 − y_2 ≡ a·r_1 − a·r_2 (mod q), i.e. y_1 − y_2 ≡ a(r_1 − r_2) (mod q). All of the values y_1, y_2, r_1, r_2 are known to Bob and so he is able to compute a, and he can later easily impersonate Alice.

9.5. Charles should not get convinced because Bob can easily forge the communication as follows: Bob randomly chooses the challenge b that he will use in the transcript. For the challenge b = 0, Bob can choose a random r, compute x = r^2 (mod n) and write to the transcript that he received x as the commitment from Alice. Then he pretends that he sent the challenge b = 0 to Alice and that he received y = r. According to the protocol, everything seems OK, because y^2 ≡ x·v^0 (mod n), i.e. r^2 ≡ r^2 (mod n). For the challenge b = 1, Bob can choose a random r, compute x = r^2·v^{−1} (mod n) and write to the transcript that he received x as the commitment. He can pretend to have sent the challenge b = 1 to Alice and received r. According to the protocol, everything seems OK, because y^2 ≡ x·v^1 (mod n), i.e. r^2 ≡ r^2·v^{−1}·v ≡ r^2 (mod n). He could have written to the transcript as many repetitions of the protocol as he wants (randomly choosing between b = 0 and b = 1) and this way there would be no difference between the forged transcript and a genuine one.
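The forging strategy in Solution 9.5 is easy to make concrete. The following Python sketch is an illustration added here, not part of the original solution; the toy modulus n = 77 and public square v = 4 are arbitrary choices. It produces transcript triples (x, b, y) that pass the verification y^2 ≡ x·v^b (mod n) even though nobody involved knows a square root of v:

    import random
    from math import gcd

    def forge_transcript(n, v, rounds=5):
        """Forge accepted-looking (commitment, challenge, response) triples
        without knowing a square root of v modulo n."""
        v_inv = pow(v, -1, n)               # modular inverse of v (Python 3.8+)
        transcript = []
        for _ in range(rounds):
            b = random.randint(0, 1)        # pick the "challenge" first
            y = random.randrange(2, n)
            while gcd(y, n) != 1:
                y = random.randrange(2, n)
            x = pow(y, 2, n) * (v_inv if b == 1 else 1) % n   # fitting commitment
            assert pow(y, 2, n) == x * pow(v, b, n) % n       # verification passes
            transcript.append((x, b, y))
        return transcript

    print(forge_transcript(77, 4))          # e.g. n = 7 * 11, v = 2^2

Since such a transcript is indistinguishable from a genuine one, it carries no evidence for a third party such as Charles.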
9.6. The proposed protocol is vulnerable to the so-called reflection attack (the adversary Mallot is denoted as M):
(i) M → B : "Alice", N_M
(ii) B → M : {N_M}K_AB, N_B
(iii) M → B : "Alice", N_B (Mallot initiates a new round)
(iv) B → M : {N_B}K_AB
(v) M → B : {N_B}K_AB
To prevent this attack the protocol can be augmented as follows:
(i) A → B : "Alice", N_A
(ii) B → A : {"Alice", N_A}K_AB, N_B
(iii) A → B : {"Bob", N_B}K_AB
With this modification there is still a problem: Bob encrypts a message chosen by Alice, making the protocol vulnerable to a chosen-plaintext attack. This problem can be eliminated as follows:
(i) A → B : A, N_A
(ii) B → A : {"Alice", N_A, N_B}K_AB
(iii) A → B : {N_B, N_A}K_AB

9.7. (a) The messages 00 and 10 have opposite values of authentication tags, therefore whenever an adversary can see the message-tag pair (00, 1) she knows that the message-tag pair (10, 1) is valid as well.

(b) The set H can be given as follows (the entry in row h_i and column m is the tag h_i(m)):
  m:    00  01  10  11
  h_1    1   0   0   0
  h_2    1   0   1   1
  h_3    1   1   0   1
  h_4    1   1   1   0
  h_5    0   0   0   0
  h_6    0   0   1   1
  h_7    0   1   0   1
  h_8    0   1   1   0

9.8. (a) For each group of five scientists, there must be at least one lock for which they do not have the key, but for which every other scientist does have the key. There are $\binom{11}{5} = 462$ groups of five scientists, therefore there must be at least 462 locks. (b) Similarly, each scientist must hold at least one key for every group of five scientists of which (s)he is not a member, and there are $\binom{10}{5} = 252$ such groups. (c) We generalize the previous results. For each group of m − 1 scientists, there must be at least one lock for which they do not have the key, but for which every other scientist does have the key. There are $\binom{n}{m-1}$ such groups. Each scientist must hold at least one key for every group of m − 1 scientists of which he or she is not a member, and there are $\binom{n-1}{m-1}$ such groups.

9.9. When t is kept fixed, shares can be dynamically added, or deleted, without affecting the other shares. The dealer simply evaluates the secret polynomial f at a new point x ∈ Z_p and shares (x, f(x)) with the new user.

9.10. Let f be a linear polynomial with f(0) = s and f(1) = a_1. We have f(x) = (a_1 − s)x + s. Assume you are given the share f(2). We can see that f(2) = 2a_1 − s. Since a_1 and s are integers, given this single share f(2), one can learn the parity of s, because 2a_1 is always even: if f(2) is even, the secret s has to be even. Similarly, when f(2) is odd, then s has to be odd.

9.11. The given shares correspond to the following equations: 7 ≡ a + b (mod 11), 0 ≡ 3a + b (mod 11), 10 ≡ 5a + b (mod 11), 9 ≡ 7a + b (mod 11). From the first two equations we have a = 2 and b = 5, but this solution is not valid for the third and fourth equation. Therefore, the foreign spy has to be either the person with P1 or P2. From the first and third equation we have a = 9 and b = 9. Since this solution is not valid for the fourth equation, the foreign spy is the person with the share P1.
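The case analysis above can also be verified mechanically. The short Python sketch below is added here for illustration and is not part of the original solution; it tries each person in turn as the spy and checks whether the remaining three shares lie on a common line over Z_11:

    from itertools import combinations

    p = 11
    shares = {1: (1, 7), 2: (3, 0), 3: (5, 10), 4: (7, 9)}

    def line_through(s1, s2, p):
        """Return (a, b) with f(x) = a*x + b passing through both points mod p."""
        (x1, y1), (x2, y2) = s1, s2
        a = (y1 - y2) * pow(x1 - x2, -1, p) % p
        b = (y1 - a * x1) % p
        return a, b

    for spy in shares:                       # hypothesise who the spy is
        honest = [shares[i] for i in shares if i != spy]
        lines = {line_through(u, v, p) for u, v in combinations(honest, 2)}
        if len(lines) == 1:                  # the three honest shares are collinear
            a, b = lines.pop()
            print(f"spy = P{spy}, f(x) = {a}x + {b}, secret f(0) = {b}")

Only spy = P1 survives the test, with f(x) = 5x + 7, which confirms the argument above.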
9.12. Given t distinct shares $I_{i_1}, \dots, I_{i_t}$, the secret s is recovered, using the Chinese Remainder Theorem, as the unique integer solution of the system of modular equations $x \equiv I_{i_1} \pmod{a_{i_1}}, \dots, x \equiv I_{i_t} \pmod{a_{i_t}}$. Moreover, s lies in $Z_{a_{i_1} \cdots a_{i_t}}$ because $s < \prod_{i=1}^{t} a_i$. On the other hand, having only t − 1 distinct shares $I_{i_1}, \dots, I_{i_{t-1}}$, we obtain only that $s \equiv x_0 \pmod{a_{i_1} \cdots a_{i_{t-1}}}$, where $x_0$ is the unique solution modulo $a_{i_1} a_{i_2} \cdots a_{i_{t-1}}$ of the resulting system (note that $s > \prod_{i=1}^{t-1} a_{n-i+1} \ge a_{i_1} a_{i_2} \cdots a_{i_{t-1}} > x_0$).

9.13. (a) Given all 10 shares we can reconstruct s as follows. We divide the 10 shares into 4 groups: three groups containing 3 shares and one group containing 1 share. The bad share can be in at most one of the groups containing 3 shares, therefore the same secret will be computed from at least two of the groups containing 3 shares, and that value is equal to s.

(b) We show that 4 shareholders are not enough to recover the secret reliably. In case there is a corrupted share among the 4 shares, up to four different values will be recovered and we cannot tell which one is correct. Let us consider the case of 5 shareholders with a corrupted share. We can compute secrets for all possible triples. There are $\binom{4}{3} = 4$ triples from which the correct secret s will be recovered and $\binom{4}{2} = 6$ triples resulting in incorrect secrets – these will be pairwise different or will not occur at all – therefore it is possible to reliably recover the secret s given 5 shares.

(c) This is not true. From (b) we can see that 4 shareholders compute in the worst case 4 different secrets and the correct one has to be among them.

9.14. Suppose the knowledge of a secret s is needed to launch the missile. We can realize the desired access structure with the (20, 10)-threshold scheme in which each Colonel is given five shares and each Major is given two shares. The General is given the secret s directly. Then, two Colonels or five Majors have together 10 shares and one Colonel with three Majors has together 11 shares.

9.15. (a) The simplest, but not optimal, solution is to have a (2, 2)-threshold scheme for {A, B} and two other (3, 3)-schemes for {B, C, D} and {A, D, E}. A solution that uses two instances can be as follows: a (3, 3)-scheme for {A, D, E} and a (7, 5)-scheme for {A, B, C, D} in which A obtains two shares, B obtains three shares and both C and D obtain one share.

(b) We can add {B, D, E} and use a (15, 9)-scheme in which A is given four shares, B is given five shares, C is given one share, D is given three shares and E is given two shares.

9.16. A dishonest cheater can always exclusively derive the secret by presenting a faked share, making the other honest shareholders get nothing but a faked secret. Let P_1, . . . , P_n be the participants and let r_i denote the Lagrange coefficient with which the i-th share enters the reconstruction of f(0). Suppose that P_1 cheats by presenting an incorrect share (1, s'_1). The participants then compute s' = s + s'_1·r_1 − s_1·r_1, and P_1, who knows both s_1 and s'_1, can easily compute s from s'. If t parties cooperate to recover the secret, that is, to find the polynomial f(x) of degree t − 1 and evaluate it at 0, and one of them is dishonest and provides a fake share, then the resulting interpolated polynomial will be different and the secret recovered will be faked, without any of the honest parties being able to recognize it.
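A small numerical illustration of this effect may help; the prime p = 101, the quadratic polynomial and the evaluation points 1, 2, 3 below are arbitrary toy choices added here, not taken from the text:

    # Shamir (n, 3) over Z_101: f(x) = 42 + 7x + 13x^2, secret s = f(0) = 42
    p = 101
    f = lambda x: (42 + 7 * x + 13 * x * x) % p
    xs = [1, 2, 3]                                   # the t = 3 reconstructing parties
    shares = {x: f(x) for x in xs}

    def lagrange_at_zero(points, p):
        """Interpolate f(0) from the (x, y) pairs over Z_p."""
        total = 0
        for xi, yi in points.items():
            r = 1
            for xj in points:
                if xj != xi:
                    r = r * (-xj) * pow(xi - xj, -1, p) % p   # Lagrange coefficient
            total = (total + yi * r) % p
        return total

    assert lagrange_at_zero(shares, p) == 42         # honest reconstruction

    faked = dict(shares)
    faked[1] = (shares[1] + 5) % p                   # P_1 submits s_1 + 5 instead of s_1
    s_faked = lagrange_at_zero(faked, p)             # what the honest parties obtain
    r1 = (-2) * pow(1 - 2, -1, p) * (-3) * pow(1 - 3, -1, p) % p
    print(s_faked, (s_faked - 5 * r1) % p)           # 57 42 -- the cheater recovers s

The honest parties see only the value 57 and have no way of telling that it is not the real secret.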
9.17. We define an (n, n)-threshold scheme as follows. 1. Give to each of the first n − 1 participants an element g_i ∈ G chosen uniformly at random. 2. Give the share g_n = g_1 · g_2 · · · g_{n−1} · s to the last participant. The set of all participants can compute s = g_{n−1}^{−1} · · · g_1^{−1} · g_n to recover the secret s. However, the share vector of any set of m < n participants takes any value in G^m with the same probability, and thus gives no information about s.

9.18. We will refer to the users as nodes in their binary tree hierarchy. We will use several instances of Shamir's (4, 3)-threshold scheme. One instance of this scheme will be used for every parent and its two children, with the parent getting two shares of the secret and each child one of the remaining two shares. This means only a parent together with at least one of its children will be able to reconstruct the secret of this sub-scheme. So all interior (non-root and non-leaf) nodes will be a part of two such sub-schemes: once as a parent and once as a child. For one interior node we can call them its parent-scheme and its child-scheme, respectively. The idea now is that the share of an interior node for its child-scheme is not directly known to this node; instead it is the secret of its parent-scheme. Because the leaf nodes do not have a parent-scheme, they start with the shares for their child-scheme. The root has only its parent-scheme, and its secret will be the actual secret we want to share with the whole group. All nodes have their two shares in their parent-scheme from the start. We can now see that a node obtains its child-scheme share if and only if at least one of its children is part of the group and that child can obtain its own child-scheme share. Starting with the root, we get the whole secret if and only if the root is in the group, one of its children is also in the group, and that child obtained its own child-scheme share. But that means that one of the children of this child must also be in the group and have its own child-scheme share. So recursively we get to one of the leaves, which must be in the group and which already has its child-scheme share. More precisely, a group obtains the whole secret if and only if it contains the root P_0, P_1 = a child of P_0, P_2 = a child of P_1, . . ., P_{n−1} = a child of P_{n−2}, which has to be a leaf. But that is just saying that the group (or rather the subgraph it induces) has to contain a path from the root to a leaf.

9.19. As we will see below, n = 2017. First let us rephrase some points.
• B knows that n < 2^11 = 2048.
• E knows that 1024 = 2^10 ≤ n.
• F knows that n ∈ {1, 2, 3, 5, 6, 10, 15, 30, 2017, 4034, 6051, 10085, 12102, 20170, 30255, 60510} (since 60510 = 2 · 3 · 5 · 2017).
• C and D together know that n ≡ 2017 (mod 2515) (using the Chinese remainder theorem).
From the Dirichlet theorem on arithmetic progressions, it is clear that A, C, D, E cannot recover n together, as it could be arbitrarily large. Thus we can now consider only coalitions containing either B or F. First let us consider the coalitions containing F. From the list of divisors of 60510 above, it is easy to see that D and F can together recover n, B, E, F can together recover n and A, E, F can together recover n. On the other hand, C, E, F cannot together recover n (it could be both 2017 and 12102) and A, B, C, F cannot together recover n (it could be both 2 and 2017). This concludes the discussion of the cases where F is present. Now let us consider the cases where B is present.
It is clear that it is not possible to recover n if B joins with exactly one of A, C, D, E. Also even A, B, C, E cannot together recover n (it could be both 2017 and 2027). Thus it now suffices to consider only the cases where B and D are present (and F is not, as we already know). Since 2515 > 2048, B, C, D can together recover n. But A, B, D cannot together recover n (it could be both 5 and 2017) and also B, D, E cannot together recover n (it could be both 1514 and 2017). That exhausts all the possibilities, so we can summarize: a subset of {A, B, C, D, E, F} can recover n if and only if it contains at least one of the following subsets: {D, F}, {A, E, F}, {B, E, F}, {B, C, D}.

9.20. No, it is not possible. Proof by contradiction: Let t be the threshold and a, b, c, d, e the numbers of shares belonging to the participants A, B, C, D, E respectively. Because the sets {B, C, D} and {A, D, E} are authorized, it holds that b + c + d ≥ t (9.1) and a + d + e ≥ t (9.2). However, the sets {B, E, D} and {A, D, C} are not authorized, therefore b + e + d < t (9.3) and a + d + c < t (9.4). From (9.1) and (9.3) we get c ≥ e and from (9.2) and (9.4) we get e ≥ c, which means that c = e. Substituting c = e in (9.1) gives us b + e + d ≥ t, which contradicts (9.3).

9.21. When v·γ ≡ α^{k_1−a_1} ≡ 1 (mod p), we get k_1 − a_1 ≡ 0 (mod q). Now, because 0 ≤ a_1, k_1 ≤ q − 1, it must hold that a_1 = k_1. In that case y_1 = a_1 + a_1·r = a_1(r + 1) mod q. So to get a_1, Bob just needs to calculate a_1 = y_1·(r + 1)^{−1} mod q.

9.22. We know that if p is a prime and d ≥ 2 is an integer, then there exists an orthogonal array $OA\left(p, \frac{p^d − 1}{p − 1}, p^{d−2}\right)$. For p = 3 and d = 2 we get that OA(3, 4, 1) exists. To construct such an array we can extend the OA(3, 3, 1) with a fourth column as follows:
0 0 0 0
1 1 1 0
2 2 2 0
0 1 2 1
1 2 0 1
2 0 1 1
0 2 1 2
1 0 2 2
2 1 0 2

9.23. (a) Take Z_n and to every t-tuple (x_1, . . . , x_t) ∈ Z_n^t add a parity element, i.e. x_{t+1} = −(x_1 + · · · + x_t) mod n. These (t + 1)-tuples form a t-(n, t + 1, 1) orthogonal array. (b) Take a t-(n, k, λ) OA and choose an element e in it. Now take all rows where e is in the first position and delete the first position to obtain a subarray. This subarray forms a (t − 1)-(n, k − 1, λ) OA.

9.24.
0 0 0 0
0 0 1 1
0 1 0 1
0 1 1 0
1 0 0 1
1 0 1 0
1 1 0 0
1 1 1 1

9.25. The construction of the threshold scheme starting from the orthogonal array proceeds as follows. The first column of the OA corresponds to the dealer and the remaining k − 1 columns correspond to the k − 1 participants. To distribute a secret S, the dealer selects a random row of the OA such that S appears in the first column and gives out the remaining k − 1 elements of the row as the shares. When s participants later pool their shares, the collective information will determine a unique row of the OA (as λ = 1) and hence they can compute S as the value of the first element in the row. A group of s − 1 participants is not able to compute S: any possible value of the secret, along with the actual shares of these s − 1 participants, determines a unique row of the OA, hence no value of the secret can be ruled out. Moreover, it is clear that the s − 1 participants can obtain no information about the secret.
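The construction is easy to try out. The Python sketch below is an illustration added here; the particular OA(3, 4, 1) is generated from linear forms over Z_3 and is a different, but equally valid, array than the one in Solution 9.22. It realises a (3, 2)-threshold scheme over Z_3:

    import random
    from itertools import combinations

    # rows (b, a+b, 2a+b, a) mod 3 for a, b in Z_3 form an OA(3, 4, 1) of strength 2
    OA = [(b, (a + b) % 3, (2 * a + b) % 3, a) for a in range(3) for b in range(3)]

    # check: any two columns contain each of the 9 possible pairs exactly once
    for c1, c2 in combinations(range(4), 2):
        assert len({(row[c1], row[c2]) for row in OA}) == 9

    def deal(secret):
        row = random.choice([r for r in OA if r[0] == secret])  # dealer's column is 0
        return row[1:]                                          # shares of P1, P2, P3

    def reconstruct(i, j, si, sj):
        row = [r for r in OA if r[i] == si and r[j] == sj][0]   # unique since lambda = 1
        return row[0]

    shares = deal(2)
    print(shares, reconstruct(1, 2, shares[0], shares[1]))      # prints the shares and 2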
9.26. When these two patterns are combined and stacked on top of each other (either we can use transparencies or we can just let light pass through the papers), we obtain the following result. [Figure: the result of overlaying the two cards.]

9.27. The function f is CBC-MAC. Given two message-tag pairs (m, t) and (m′, t′), the tag t′ is a valid authentication code for the following message as well: m′′ = m || [(m′_1 ⊕ t) || m′_2 || . . . || m′_x]. Indeed, after processing the blocks of m the chaining value is t, and in the next step the exclusive-or of this value with the block m′_1 ⊕ t cancels out t; the rest of the computation is exactly the computation of the tag of m′, therefore the tag t′ is valid for m′′.

Chapter 10
Coin Tossing, Bit commitment, Oblivious Transfer, Zero-knowledge Proofs and Other Crypto-protocols

10.1 Introduction

Cryptographic protocols are specifications of how two parties, usually called Alice and Bob, should prepare themselves for their communication and how they should behave during their communication in order to achieve their goal and be protected against an adversary. Cryptographic protocols can be very complex. However, they are often composed of several very simple, though special, protocols. These protocols are called cryptographic primitives – coin-flipping protocols, commitment protocols or oblivious transfers.

10.1.1 Coin-flipping protocols

In coin-flipping (or coin-tossing) protocols, Alice and Bob can flip a coin over a distance in such a way that neither of them can determine the outcome of the flip, but both can agree on the outcome in spite of the fact that they do not trust each other. Both outcomes – head or tail – should have the same probability and both parties should influence the outcome.

10.1.2 Bit commitment protocols

In bit commitment protocols, Alice can choose a bit and get committed to its value in such a way that Bob has no way of learning Alice's commitment (without Alice's help) and Alice has no way of changing her commitment. A commit function is a mapping commit : {0, 1} × X → Y, where X, Y are finite sets. Each bit commitment scheme consists of two phases: Commitment phase: Alice sends a bit b she wants to commit to, in an encrypted form, to Bob. Opening phase: If required, Alice sends to Bob some information that enables him to recover b. Each bit commitment scheme should satisfy the following properties: Hiding (or privacy): Bob cannot determine the value of b; he cannot distinguish a commitment to 0 from a commitment to 1. More formally, for no b ∈ {0, 1} and no x ∈ X is it feasible for Bob to determine the value b from the commitment B = commit(b, x). Binding: Alice cannot later, after the commitment phase, change her mind. Alice can open her commitment by revealing b and x such that B = commit(b, x), but she cannot open her commitment as both 0 and 1. Correctness (or viability): If both Alice and Bob follow the protocol, Bob will always recover the committed value b.

Hiding can be
unconditional: A commitment to b reveals no information to an infinitely powerful Bob. The distributions of commit(0, r) and commit(1, r) are indistinguishable.
computational: Bob will not be able to tell efficiently which of the two given values is in a commitment, with probability larger than just guessing at random.
Binding can be
unconditional: Alice, even with infinite computing power, cannot change her mind after committing.
computational: Unless Alice has unrealistically large computing resources, her chances of being able to change her mind are very small.
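As a concrete (and only computationally hiding and binding) example of a commit function, one can hash the bit together with fresh randomness. The sketch below is an illustration added here, not a scheme from the text; it assumes SHA-256 behaves like a random function:

    import hashlib, secrets

    def commit(b):
        """Commitment phase: returns the commitment and the opening information."""
        x = secrets.token_bytes(32)                       # fresh randomness
        B = hashlib.sha256(bytes([b]) + x).hexdigest()    # B = commit(b, x)
        return B, (b, x)

    def verify(B, opening):
        """Opening phase: Bob recomputes the hash from the revealed b and x."""
        b, x = opening
        return B == hashlib.sha256(bytes([b]) + x).hexdigest()

    B, opening = commit(1)     # Alice sends B to Bob
    print(verify(B, opening))  # later Alice reveals (b, x) and Bob checks -> True

Here both properties are computational: guessing b from B or finding a second valid opening would amount to breaking the hash function, so neither hiding nor binding is unconditional.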
10.1.3 Oblivious transfers

The standard oblivious transfer is a protocol in which Alice transmits a message to Bob in such a way that Bob receives the message with probability 1/2 and some garbage otherwise. Moreover, Bob knows whether he has received the message or garbage. However, Alice will not know which one he has received. In the 1-out-of-2 oblivious transfer, Alice transmits two messages to Bob. Bob can choose whether to receive the first or the second message, but he cannot receive both. Again, Alice has no idea which of them Bob has received (1-out-of-k oblivious transfer is a generalization to k messages).

10.1.4 Interactive and zero-knowledge proofs

In an interactive proof system, there are two parties: a prover, often called Peggy, and a verifier, often called Victor. The prover knows some secret or a fact about a specific object, and wishes to convince the verifier, through a communication with him, that she has this knowledge. The interactive proof system consists of several rounds. In each round the prover and the verifier alternately do the following: receive a message from the other party, perform a private computation and send a message to the other party. The communication usually starts with a challenge of the verifier and a response of the prover. At the end, the verifier either accepts or rejects the prover's attempt to convince him.

A zero-knowledge proof of a theorem T is an interactive two-party protocol in which the prover is able to convince the verifier, who follows the same protocol, by overwhelming statistical evidence that T is true, if T is indeed true (completeness), but no prover is able to convince the verifier that T is true if this is not so (soundness). In addition, the prover does not reveal to the verifier, during their communication, any other information except whether T is true or not (zero-knowledge). Therefore, a verifier who got convinced about the correctness of the statement does not obtain from their communication enough knowledge to convince a third person about it.

Zero-knowledge proof of graph isomorphism. An example of a zero-knowledge proof for proving that two graphs are isomorphic is as follows. Given: Peggy and Victor know two graphs G_1 and G_2 with the set of nodes V = {1, . . . , n}. The following steps are then repeated t times (where t is a chosen security parameter). (1) Peggy chooses a random permutation π of V = {1, . . . , n}, computes H to be the image of G_1 under the permutation π, and sends H to Victor. (2) Victor randomly chooses i ∈ {1, 2} and sends it to Peggy. This way Victor asks for an isomorphism between H and G_i. (3) Peggy creates a permutation ρ of V = {1, . . . , n} such that ρ specifies the isomorphism between H and G_i and sends ρ to Victor. If i = 1, Peggy takes ρ = π; if i = 2, Peggy takes ρ = σ ◦ π, where σ is a fixed isomorphic mapping of the nodes of G_2 to G_1. (4) Victor checks whether ρ indeed provides the isomorphism between G_i and H. Victor accepts Peggy's proof if H is the image of G_i under ρ in each of the t rounds. If G_1 and G_2 are isomorphic, then Victor accepts with probability 1 (completeness). If the graphs G_1 and G_2 are not isomorphic, then Peggy can deceive Victor only if she is able to guess, in each round, the value i that Victor has chosen and then send as H a permuted copy of the graph G_i. However, the probability that this happens in each of the t rounds is 2^{−t} (soundness).
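One round of this protocol can be written out in a few lines. The Python sketch below is only an illustration added here; graphs are represented as sets of undirected edges over nodes 0, . . . , n − 1, and all helper names are ad hoc:

    import random

    def permute(graph, perm):
        """Apply a node permutation (a list) to a graph given as a set of edges."""
        return {frozenset({perm[u], perm[v]}) for u, v in map(tuple, graph)}

    def zk_round(G1, G2, sigma, n):
        """sigma is Peggy's secret: a node mapping with permute(G2, sigma) == G1."""
        pi = list(range(n)); random.shuffle(pi)    # (1) Peggy picks a random pi
        H = permute(G1, pi)                        #     and sends H = pi(G1) to Victor
        i = random.choice([1, 2])                  # (2) Victor's random challenge
        # (3) Peggy answers with rho: pi itself, or "apply sigma first, then pi"
        rho = pi if i == 1 else [pi[sigma[v]] for v in range(n)]
        # (4) Victor checks that rho maps G_i onto H
        return permute(G1 if i == 1 else G2, rho) == H

    n = 4
    G1 = {frozenset({0, 1}), frozenset({1, 2}), frozenset({2, 3})}
    sigma = [2, 3, 0, 1]
    G2 = {frozenset({sigma.index(u), sigma.index(v)}) for u, v in map(tuple, G1)}
    print(all(zk_round(G1, G2, sigma, n) for _ in range(20)))   # honest Peggy: True

A cheating Peggy faced with non-isomorphic graphs would pass a round only by guessing i in advance, which is exactly the 2^{-t} soundness bound mentioned above.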
10.2 Exercises

10.1. Suppose you can predict the results of coin flips. At least how many coin flips would you need to prove this to your friend, without revealing your secret, so that he would be at least n% sure about it?

* 10.2. Consider the following coin-flipping protocol: (1) Alice generates a Blum integer n, a random x relatively prime to n, x_0 = x^2 mod n, and x_1 = x_0^2 mod n. She sends n and x_1 to Bob. (2) Bob guesses the parity of x_0. (3) Alice sends x and x_0 to Bob. (4) Bob checks that n is a Blum integer (Alice would have to give Bob the factors of n and proofs of their primality, or execute some zero-knowledge protocol to convince him that n is a Blum integer), and he verifies that x_0 = x^2 mod n and x_1 = x_0^2 mod n. If all checks are alright, Bob wins the flip if he guessed correctly. Would this protocol be secure if we omitted the requirement that n be a Blum integer?

10.3. Let p be a large prime. Let g < p be an integer such that g is a generator of the group Z*_p. Discuss the security of the following commitment scheme for numbers from {0, 1, . . . , p − 1}. Commitment phase: To commit to m ∈ {0, 1, . . . , p − 1}, Alice randomly chooses r ∈ {0, 1, . . . , p − 1} and sends c = g^r·m (mod p) to Bob. Opening phase: To open her commitment, Alice sends r and m to Bob.

* 10.4. Is it possible to build a bit commitment scheme which is both unconditionally hiding and binding (in the case where each party sees everything the other party sends)?

10.5. Show how to construct a bit commitment scheme from a cryptographically secure pseudorandom generator G. Discuss the binding and hiding properties of your resulting bit commitment scheme.

10.6. Let n = pq be a modulus and let y ∈ QNR(n). Consider the following bit commitment scheme with commit(b, r) = y^b·r^2 (mod n), where r ∈ Z*_n and b ∈ {0, 1}. Is the proposed scheme (1) binding (computationally or unconditionally)? (2) hiding (computationally or unconditionally)?

10.7. Show how to utilize 1-out-of-2 oblivious transfer to implement a bit commitment protocol in which both parties can cheat only with probability lower than 2^{−64}.

10.8. (a) Show how to implement the standard oblivious transfer using a 1-out-of-2 oblivious transfer. (b) Show how to implement a 1-out-of-k oblivious transfer using multiple instances of a 1-out-of-2 oblivious transfer.

* 10.9. Suppose Alice and Bob are separated and cannot communicate. Let them play the following game. Both of them receive a single-bit input, x and y respectively. Alice does not know Bob's input and Bob does not know Alice's input. Their goal is to produce single-bit answers a and b respectively. They win the game if a ⊕ b = x · y. (a) Show that if they use deterministic strategies (i.e. Alice chooses a based only on x and Bob chooses b based only on y), they cannot win the game with probability 1. (b) Random Access Code is the following protocol. Let Alice own a random binary string (a_1, a_2, . . . , a_n), a_i ∈ {0, 1}, of length n. She is allowed to send to Bob a single-bit message m. Bob randomly generates a number j ∈ {1, . . . , n}. Then he applies a corresponding decoding function D_j to the received bit m. The protocol is successful if D_j(m) = a_j for every j ∈ {1, . . . , n}. Show that if Alice and Bob own a hypothetical device that allows them to win the game introduced above with probability 1, they can construct a Random Access Code for n = 2.

10.10. Let Peggy and Victor play the following game.
They have a very large paper full of small, randomly placed letters, digits and other symbols, but there is only one digit 7. The goal is to find the digit 7 sooner than the other player. After some time Peggy found the 7 but Victor does not believe her. How can Peggy prove to Victor that she knows the position of the 7 without revealing it? A non-cryptographic solution is acceptable.

* 10.11. Let Peggy and Victor share an n×n Sudoku puzzle. How can Peggy prove to Victor that she has a solution to this puzzle while not giving away any information about the solution itself? A non-cryptographic solution is acceptable.

10.12. Does the 3-SAT problem have a zero-knowledge proof?

10.13. Let n = pq, where p ≡ q ≡ 3 (mod 4) are large primes. Peggy needs to prove to Victor that she knows the factors of n without revealing any information about the factors. She has developed the following protocol:
• Peggy and Victor perform the following actions 20 times. (1) Victor randomly chooses an integer x < n, computes y = x^2 mod n and sends y to Peggy. (2) Peggy computes all four square roots of y mod n, randomly chooses one of them, let us denote it r, and sends r to Victor. (3) Victor verifies whether r^2 ≡ y (mod n).
• Victor accepts if and only if all verifications have been successful.
Find out whether the protocol is a zero-knowledge proof.

* 10.14. For given two non-isomorphic graphs G_1, G_2 of n vertices, Peggy tries to convince Victor that G_1 ≇ G_2. Suppose she has an efficient way of distinguishing non-isomorphic graphs and she does not want to reveal to him any other information beyond the fact that the graphs are not isomorphic. Is the following protocol zero-knowledge if both verifier and prover are honest – that is, they fully follow the protocol? Does a dishonest verifier have a chance to get some additional knowledge? If he does, how can the protocol be modified so that this is not possible? (a) Victor chooses randomly an integer i ∈ {1, 2} and a permutation π of {1, . . . , n}. Victor then computes the image H of G_i under the permutation π and sends H to Peggy. (b) Peggy determines the value j such that G_j is isomorphic to H, and sends j to Victor. (c) Victor checks to see if i = j. (d) The steps (a)–(c) are repeated until Victor is convinced.

* 10.15. Suppose that a group of n participants wants to find out anonymously whether they all agree with a given specific statement. If all participants agree, the result will be seen as "yes". If any participant disagrees, the result will be seen as "no". Consider the following protocol that solves the problem stated above. Let G be a finite cyclic group of prime order q in which finding discrete logarithms is intractable. Let g be a generator of G. Let us have n participants, and they all agree on (G, g). Each participant P_i selects a random secret value x_i ∈ Z_q. (1) Each participant P_i broadcasts g^{x_i} and gives a zero-knowledge proof for x_i to all other participants (i.e. provides a zero-knowledge proof that P_i really knows the discrete logarithm of g^{x_i}). (2) Each participant P_i computes $\prod_{j=1}^{i-1} g^{x_j} \big/ \prod_{j=i+1}^{n} g^{x_j}$. The above value is g^{y_i} for some y_i. (3) Each participant P_i makes public g^{c_i y_i}, where c_i = x_i if P_i wants to send 0 and c_i is a random value if P_i wants to send 1. P_i provides a zero-knowledge proof to all other participants for the exponent c_i. (a) Prove that $\sum_i x_i y_i = 0$. (b) Show how the result – "yes" or "no" – can be recovered.
(c) Show how the dining cryptographers problem can be solved with the above protocol. (Three cryptographers gather around a table for dinner. The waiter informs them that the meal has been paid for by someone, who could be one of the cryptographers or the National Security Agency (NSA). The cryptographers respect each other's right to make an anonymous payment, but want to find out whether the NSA paid for the dinner.)

10.16. Consider the following commitment scheme, with public information as follows: p a large prime, q a large prime dividing (p − 1), g ∈ Z*_p of order q, and h = g^k mod p, with 0 < k < q a random integer not known to any party. The commitment function is commit(r, x) = g^r·h^x mod p, where x is the committed bit and 0 < r < q is a random integer. (a) Define the reveal phase of this protocol. (b) Discuss the binding and hiding properties of this protocol. Are they computationally / information-theoretically secure? (c) What happens if Bob (the receiver) knows log_g h? (d) What happens if Alice (the sender) knows log_g h?

10.17. Consider the following coin flip protocol. Let n = pq, where p and q are large primes. i. Alice generates a random integer 0 ≤ a < n − 1 and sends c = a^2 mod n as her commitment to Bob. ii. Bob guesses the parity of a and tells his guess to Alice. iii. Alice reveals a to Bob and Bob checks that c = a^2 mod n. iv. If Bob guessed correctly, he wins the coin flip. Is the proposed protocol fair?

10.18. Alice and Bob have a boolean function f : {0, 1} × {0, 1} → {0, 1} known to both of them. Show that if f is not a constant function, there is no protocol that lets them perfectly evaluate f(a, b) on all respective secret inputs a and b with neither party obtaining any information about the other party's secret.

10.19. As the semester comes to an end, you and your colleague want to find out whether both of you received the same grade from the cryptography course, without disclosing the grade itself. However, you do not want to use any mathematical technique. Provide a simple non-cryptographic way to achieve this task.

10.20. Victor is color-blind and cannot distinguish between colors at all. Peggy, who can see colors, has two apples, one green and one red, but otherwise identical. Design a zero-knowledge protocol that allows Peggy to convince Victor that the apples have different colors.

10.21. Assume that f : {0, 1}^n → {0, 1}^n, for some large enough n, is a bijective one-way function, known to both Alice and Bob, such that absolutely no information can be obtained about the input from a given output. Design a coin tossing protocol between Alice and Bob that uses f and no other one-way function. Show that neither of the players can cheat in your protocol.

10.22. Secure function evaluation is a task in which Alice has an input x ∈ X, Bob has an input y ∈ Y and they want to evaluate a function g(x, y) in such a way that they both learn the outcome, but neither learns the other party's input. Show that a 1-out-of-k oblivious string transfer protocol, in which the k values input by Alice are bit-strings of arbitrary length, can be used to implement secure function evaluation.

10.23. Alice and Bob are trying to use a binary symmetric channel with error probability p = 1/2 to implement coin-tossing in the following way: Alice chooses a random bit b and sends it to Bob through the binary symmetric channel. Bob receives the bit b′ and then sends it back to Alice using a different channel without errors.
Now Alice takes both bits and calculates the output of the coin-tossing protocol as b ⊕ b′. After this she also sends b to Bob through the perfect channel so that he can calculate the same output. Assuming neither party can influence the binary symmetric channel (other than giving the input, for Alice, or accessing the output, for Bob), discuss the security of this protocol.

10.24. Propose a generalization of a 1-out-of-2 oblivious transfer – an implementation that combines a public-key cryptosystem and a secret-key cryptosystem – to enable a k-out-of-n oblivious transfer.

10.25. You are given a black box that implements the following protocol between two parties: one party has no inputs and has two outputs, random bit strings s_0 and s_1 of length n. The other party has input bit c and its output is the string s_c. Use this black box to implement a 1-out-of-2 oblivious transfer for sending messages of n bits. Assuming the black box works exactly as described (the first party does not know c and the second party does not get to know s_{c⊕1}), show that your implementation is secure, i.e. the sender of the oblivious transfer cannot learn which message was received and the receiver cannot learn both messages.

10.3 Solutions

10.1. The probability of correctly predicting k coin flips by mere guessing is 2^{−k}. The probability that a guesser makes a mistake is hence p = 1 − 2^{−k}. If someone wants to be n% sure about your predicting ability, you have to perform at least k flips so that n/100 = 1 − 2^{−k} holds. Expressing this equation in terms of k and taking the ceiling (so that the number of flips is an integer) we get $k = \lceil -\log_2(1 - \frac{n}{100}) \rceil$.

10.2. First recall that a Blum integer is of the form n = pq, where p and q are Blum primes (i.e. p ≡ q ≡ 3 mod 4). Blum integers have a special property – if a is a quadratic residue modulo n (where n is a Blum integer), it has exactly four square roots, out of which exactly one is a quadratic residue modulo n and three are quadratic non-residues. In this light it is easy to see that in the protocol the requirement of n being a Blum integer is crucial. Otherwise, x_1 might have two square roots which are also quadratic residues, resulting in two different numbers x and y such that x^4 ≡ y^4 ≡ x_1 mod n. If y_0 ≡ y^2 mod n has a different parity than x_0, Alice could cheat.

10.3. The commitment scheme is not secure because it is not binding. Indeed, once Alice has committed to m, it is possible for her to change her choice by replacing the value m with some m′ without being detected by Bob. Recall that g is a generator of the group Z*_p and so m′ ≡ g^i (mod p) for some i ∈ {0, 1, . . . , p − 1}, and also c ≡ g^r·m ≡ g^j ≡ g^{r′}·g^i ≡ g^{r′}·m′ (mod p) for appropriate j, r′ ∈ {0, 1, . . . , p − 1}, j ≡ r′ + i (mod p − 1). When the opening of the commitment is required, Alice can simply send r′ and m′ instead of her previously chosen r and m, which shows that the commitment scheme is not binding.

10.4. No, it is not possible. Suppose such a bit commitment scheme exists. Then, when Alice sends a commitment to 0 as B = commit(0, x) for some x ∈ X, there must exist an x′ such that B = commit(1, x′). If not, Bob could easily conclude that the committed value could not be 1, violating the unconditional hiding property. But then, if Alice has unlimited computing power, she can find x′ and change her mind from 0 to 1, violating the unconditional binding property.
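Returning for a moment to Solution 10.3: the lack of binding is easy to see numerically. The toy-sized Python sketch below is an illustration added here (p = 23 and g = 5 are arbitrary small choices, not from the text); Alice opens one commitment in two different ways:

    p, g = 23, 5                        # 5 generates Z_23^*
    r, m = 7, 11
    c = pow(g, r, p) * m % p            # Alice's commitment to m

    r_new = 3                           # any r' Alice likes ...
    m_new = c * pow(g, -r_new, p) % p   # ... yields an m' with c = g^r' * m' mod p
    assert c == pow(g, r_new, p) * m_new % p
    print((r, m), (r_new, m_new))       # two valid openings of the same commitment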
10.5. Suppose that G produces, for any n-bit seed, a pseudorandom 3n-bit long output. We can design the following bit commitment scheme in which Alice commits herself to a bit b: (1) Bob sends to Alice a random binary vector v of length 3n. (2) Alice chooses a random binary vector u of length n and computes G(u). (3) If b = 0, Alice sends G(u) to Bob. If b = 1, Alice sends G(u) ⊕ v to Bob. (4) In the opening phase Alice sends u to Bob. (5) Bob can then compute G(u) and check whether he received G(u) or G(u) ⊕ v during the commitment phase. The protocol is statistically binding – Alice cannot cheat with probability higher than 1/2^n, because in order to cheat she would have to find a u′ such that G(u′) = G(u) ⊕ v. However, G(u) and G(u′) can each take 2^n values (together 2^{2n} pairs), whereas v is picked from 2^{3n} possible values and is not chosen by Alice. Therefore there is only a 2^{2n}/2^{3n} = 2^{−n} probability that Alice can find a u′ satisfying the required relation. The protocol is (computationally) hiding, as Bob is unable to distinguish the outputs of G from true randomness because G is cryptographically secure.

10.6. (a) The proposed scheme is unconditionally binding because y is a quadratic non-residue modulo n, and therefore there do not exist r, r′ such that y·r′^2 ≡ r^2 (mod n). (b) The proposed scheme is computationally hiding because in order to retrieve b from commit(b, r) one would need to decide quadratic residuosity modulo n, which is believed to be computationally infeasible. With unlimited computational power, it would be easy to check whether commit(b, r) is a quadratic residue (then b = 0) or not (then b = 1). Therefore, the proposed scheme cannot be unconditionally hiding.

10.7. Commitment phase: (i) Alice chooses her commitment bit b and 64 random bits r_1, . . . , r_64. (ii) Bob chooses 64 random bits c_1, . . . , c_64. (iii) For i ∈ {1, . . . , 64} the following steps are done: (1) Alice gives y_{i,0} = r_i and y_{i,1} = r_i ⊕ b as the inputs into the oblivious transfer. (2) Bob gives c_i as the input into the oblivious transfer and receives x_i = y_{i,c_i}. Opening phase: Alice sends b and r_1, . . . , r_64 to Bob. Bob checks whether x_i = r_i ⊕ b·c_i for every i ∈ {1, . . . , 64}. Should Alice want to change her commitment to ¬b, she would have to find r′_i such that r′_i ⊕ ¬b·c_i = r_i ⊕ b·c_i. This implies r′_i = r_i ⊕ c_i. This means that r′_i cannot be computed without knowledge of c_i. In order to cheat successfully, Alice would have to guess c_i for every i, which can happen with probability (1/2)^64 = 2^{−64}. Bob's only way to cheat is to learn b prematurely, but he cannot do that without knowing r_1, . . . , r_64.

10.8. (a) Given is a 1-out-of-2 oblivious transfer. Let x_0 and x_1 be Alice's input messages, c be Bob's input bit and x_c be Bob's output. The standard oblivious transfer can be implemented as follows. Let m be Alice's message and g a garbage message. (1) Alice randomly chooses a bit b. (2) If b = 0, Alice inputs x_0 = m and x_1 = g. If b = 1, Alice inputs x_0 = g and x_1 = m. (3) Bob chooses a bit c and uses it as his input. (4) Alice sends b to Bob. (5) Bob obtains m if b = c. If b = c, x_c = x_b = m, otherwise x_c = x_{¬b} = g. Bob does not know which c he should use to get m, hence he obtains m with probability 1/2. Alice has no idea whether Bob gets m or g.
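The reduction in (a) can be phrased in a few lines of code. In the sketch below (an illustration added here) the 1-out-of-2 OT is merely simulated by an ordinary function call standing in for the real primitive, so it demonstrates the reduction, not its security:

    import random

    def ot_1_of_2(x0, x1, c):
        """Black-box 1-out-of-2 OT: Bob learns x_c and nothing about the other value."""
        return x1 if c else x0

    def standard_ot(message, garbage="garbage"):
        b = random.randint(0, 1)                    # Alice's random placement bit
        inputs = (message, garbage) if b == 0 else (garbage, message)
        c = random.randint(0, 1)                    # Bob's choice bit, independent of b
        received = ot_1_of_2(inputs[0], inputs[1], c)
        # Alice announces b; Bob got the message iff b == c (probability 1/2),
        # and Alice cannot tell which of the two cases occurred.
        return received if b == c else None

    print([standard_ot("secret") for _ in range(5)])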
(b) We can assume without loss of generality that k = 2^n for some n ∈ N (if not, we can add garbage messages x_{k+1}, x_{k+2}, . . . , x_{2^n} to the original messages x_1, . . . , x_k). Alice uses an instance of 1-out-of-2 oblivious transfer on each pair of messages (x_1, x_2), (x_3, x_4), . . . , (x_{2^n−1}, x_{2^n}), thus receiving 2^{n−1} messages x_{1,1}, x_{2,1}, . . . , x_{2^{n−1},1}. Then, in every further step, she will use the 2^l current messages (x_{1,n−l}, x_{2,n−l}, . . . , x_{2^l,n−l}) as inputs for another 2^{l−1} instances of 1-out-of-2 oblivious transfer, thus receiving 2^{l−1} new messages. She repeats this process until l = 0 and she has only one message left. She sends this final message to Bob, who will receive exactly one of the messages x_{1,n}, x_{2,n}, but Alice will not know which one. But that message itself provides Bob with another choice of one message out of two, and so on, until he finally receives one of the original messages x_j.

10.9. (a) Let a_x and b_y be the answers of Alice and Bob respectively, when the inputs are x and y. Then we require a_0 ⊕ b_0 = 0, a_0 ⊕ b_1 = 0, a_1 ⊕ b_0 = 0, a_1 ⊕ b_1 = 1. Summing them together we get 0 = 1, which is clearly a contradiction.

(b) Alice inputs a_0 ⊕ a_1 into the proposed device (usually called a nonlocal or PR-box), receives A and sends m = A ⊕ a_0. Suppose Bob inputs j into the device and obtains B. We show that the correct answer is B ⊕ m = B ⊕ A ⊕ a_0. If Bob wants to recover a_0, his input into the device is 0. Since A ⊕ B = (a_0 ⊕ a_1) · 0, we have that A ⊕ B = 0 and therefore B ⊕ m = a_0, as required. If Bob wants to recover a_1, he inputs 1 into the device. Then we have A ⊕ B = (a_0 ⊕ a_1) · 1 = a_0 ⊕ a_1 and B ⊕ m = a_0 ⊕ a_1 ⊕ a_0 = a_1, as required. Actually, 1-out-of-2 oblivious transfer can be realized with such a device. The difference between random access codes and oblivious transfer is that the latter requires that Bob cannot learn anything about the other input bits, whereas the former does not have this requirement.

10.10. A non-cryptographic solution goes as follows. Peggy covers the whole paper with an even larger piece of paper, at least double the width and the height of the original paper, with a small hole in the middle. This hole is only as large as the digit 7. To prove she knows the position of the 7, Peggy moves the cover paper so that the hole reveals only the digit 7 and nothing else is visible from the underlying paper. After that Victor is convinced that Peggy knows the position, but he himself has no information about this position.

10.11. A non-cryptographic solution using paper and scissors goes as follows. (1) Peggy has a sheet of paper on which the puzzle is printed. She then writes down, for every cell with a filled-in value, this filled-in value on the back side of the cell, right behind the printed filled-in value. (The result is that the filled-in cells, and only they, have their values written on both sides of the page. Without this step, Peggy could cheat and send the solution to a different puzzle.) (2) Peggy writes down the solution to the puzzle on the printed puzzle, keeping this side of the page hidden from Victor. (3) Victor checks that Peggy wrote the right values on the back of the puzzle. (4) Victor chooses one out of the following options: rows/columns/subgrids. (5) Suppose that Victor's choice is "rows". Peggy then cuts the puzzle and separates it into n rows. If his choice is "columns", Peggy separates the columns from each other, and similarly for subgrids. Peggy then cuts each row/column/subgrid (according to Victor's choice) to separate it into n cells.
Peggy shuffles the cells of each row/column/subgrid (separately from the cells of the other rows/columns/subgrids) and then hands them to Victor. (6) Victor checks that (i) each row contains all n values, (ii) in each row the cells whose value is written on both sides agree with the filled-in values of that row in the puzzle, and (iii) these cells have the same value written on both their sides.

A cryptographic solution: (1) Peggy chooses a random permutation σ : {1, . . . , n} → {1, . . . , n}. (2) For each cell (i, j) with the value v, Peggy sends to Victor a commitment for the value σ(v). (3) Victor chooses at random one of the following 3n + 1 possibilities: a row, column or subgrid (3n possibilities), or "filled-in cells", and asks the prover to open the corresponding commitments. After the prover responds, in case the verifier chose a row, column or subgrid, the verifier checks that all values are indeed different. In case the verifier chose the filled-in cells option, he checks that cells that originally had the same value still have the same value (although the opened value may be different from the original one), and that cells with different values are still different, i.e. that σ is indeed a permutation over the values in the filled-in cells.

10.12. Under the assumption that there exists a statistically binding and computationally hiding bit commitment scheme, there exists a zero-knowledge proof for any NP language [3]. As 3-SAT ∈ NP, there exists a zero-knowledge proof for 3-SAT.

10.13. No, the proposed protocol is not zero-knowledge. Indeed, if the congruence r^2 ≡ y (mod n) in step (3) holds, but r is not congruent to ±x, then Victor knows that x and r are two different square roots of y. With this knowledge, he can factor n to reveal p and q. If r ≢ ±x (mod n), Victor can get the factors of n because the following holds: r^2 ≡ x^2 (mod n) ⇒ r^2 − x^2 ≡ 0 (mod n) ⇒ (r − x)(r + x) ≡ 0 (mod n). By computing gcd(r − x, n) a factor of n is obtained. There are four square roots of y and two of them are different from x and −x. This means the probability of factoring is 1/2 in each iteration, so Victor can reveal p and q with probability 1 − (1/2)^20 ≈ 99.9999% after 20 rounds.

10.14. This is not a zero-knowledge protocol. Suppose Victor has a graph H and wants to know whether H ≅ G_1 or H ≅ G_2. Using the proposed protocol, Victor simply sends H to Peggy and from the answer Victor will learn that H ≅ G_j, or that H is isomorphic to neither G_1 nor G_2 (if Peggy happens to abort). The way to fix this is to ensure that the verifier does indeed know in advance what the prover will say. To do it in a correct way, Peggy has to ask Victor to prove that H is indeed isomorphic to either G_1 or G_2 before she answers.

10.15. The presented scheme is the so-called anonymous veto network [6]. (a) We have $y_i = \sum_{j<i} x_j - \sum_{j>i} x_j$. Then $\sum_i x_i y_i = \sum_i \sum_{j<i} x_i x_j - \sum_i \sum_{j>i} x_i x_j = \sum_j$