
CNS Unit 2

The document provides an overview of traditional symmetric-key ciphers, including definitions, categories such as substitution and transposition ciphers, and cryptanalysis techniques. It discusses key concepts like Kerckhoff’s Principle, the structure of monoalphabetic and polyalphabetic ciphers, and notable historical ciphers like the Enigma machine. Additionally, it covers the mechanics of encryption and decryption processes using various cipher methods.

Uploaded by

akhila

Cryptography & Network Security
By
N.Akhila
Assistant Professor
Computer Science and Engineering
Aditya Engineering College(A)
Surampalem.

McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000


Chapter 3
Traditional Symmetric-Key Ciphers

Objectives
❏ To define the terms and the concepts of symmetric
key ciphers
❏ To emphasize the two categories of traditional
ciphers: substitution and transposition ciphers
❏ To describe the categories of cryptanalysis used to
break the symmetric ciphers
❏ To introduce the concepts of the stream ciphers and
block ciphers
❏ To discuss some very dominant ciphers used in the
past, such as the Enigma machine
3-1 INTRODUCTION

Figure 3.1 shows the general idea behind a symmetric-key cipher. The original message from Alice to Bob is called plaintext; the message that is sent through the channel is called the ciphertext. To create the ciphertext from the plaintext, Alice uses an encryption algorithm and a shared secret key. To create the plaintext from ciphertext, Bob uses a decryption algorithm and the same secret key.

Topics discussed in this section:
3.1.1 Kerckhoff’s Principle
3.1.2 Cryptanalysis
3.1.3 Categories of Traditional Ciphers
3.1 Continued

Figure 3.1 General idea of symmetric-key cipher

3.1 Continued

If P is the plaintext, C is the ciphertext, and K is the key,

We assume that Bob creates P1; we prove that P1 = P:

3.1 Continued

Figure 3.2 Locking and unlocking with the same key

3.1.1 Kerckhoff’s Principle

Based on Kerckhoff’s principle, one should always assume that the adversary, Eve, knows the encryption/decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of the key.

3.1.2 Cryptanalysis

As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking those codes.

Figure 3.3 Cryptanalysis attacks

3.1.2 Continued
Ciphertext-Only Attack

Figure 3.4 Ciphertext-only attack

3.1.2 Continued
Known-Plaintext Attack

Figure 3.5 Known-plaintext attack

3.1.2 Continued
Chosen-Plaintext Attack

Figure 3.6 Chosen-plaintext attack

3.1.2 Continued
Chosen-Ciphertext Attack

Figure 3.7 Chosen-ciphertext attack

3-2 SUBSTITUTION CIPHERS

A substitution cipher replaces one symbol with another. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

Note

A substitution cipher replaces one symbol with another.

Topics discussed in this section:
3.2.1 Monoalphabetic Ciphers
3.2.2 Polyalphabetic Ciphers

3.2.1 Monoalphabetic Ciphers

Note

In monoalphabetic substitution, the relationship between a symbol in the plaintext and a symbol in the ciphertext is always one-to-one.

3.2.1 Continued

Example 3.1
The following shows a plaintext and its corresponding ciphertext.
The cipher is probably monoalphabetic because both l’s (els) are
encrypted as O’s.

Example 3.2
The following shows a plaintext and its corresponding ciphertext. The cipher is not monoalphabetic because each l (el) is encrypted by a different character.

Ciphertext: ABNZF
3.2.1 Continued
Additive Cipher

The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature.

Figure 3.8 Plaintext and ciphertext in Z26

3.2.1 Continued
Figure 3.9 Additive cipher

Note

When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26.
3.2.1 Continued
Example 3.3
Use the additive cipher with key = 15 to encrypt the message
“hello”.

Solution
We apply the encryption algorithm to the plaintext, character by
character:

3.2.1 Continued
Example 3.4

Use the additive cipher with key = 15 to decrypt the message


“WTAAD”.
Solution
We apply the decryption algorithm to the plaintext character by
character:

3.2.1 Continued
Shift Cipher and Caesar Cipher
Historically, additive ciphers are called shift ciphers. Julius
Caesar used an additive cipher to communicate with his officers.
For this reason, additive ciphers are sometimes referred to as the
Caesar cipher. Caesar used a key of 3 for his communications.

Note

Additive ciphers are sometimes referred to as shift ciphers or the Caesar cipher.

3.2.1 Continued
Example 3.5
Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show
how she can use a brute-force attack to break the cipher.
Solution
Eve tries keys from 1 to 7. With a key of 7, the plaintext is “not
very secure”, which makes sense.

3.2.1 Continued
Table 3.1 Frequency of characters in English

Table 3.2 Frequency of digrams and trigrams

3.2.1 Continued
Example 3.6

Eve has intercepted the following ciphertext. Using a statistical attack, find the plaintext.

Solution
When Eve tabulates the frequency of letters in this ciphertext, she
gets: I =14, V =13, S =12, and so on. The most common character
is I with 14 occurrences. This means key = 4.

3.2.1 Continued
Multiplicative Ciphers

Figure 3.10 Multiplicative cipher

Note

In a multiplicative cipher, the plaintext and ciphertext are integers in Z26; the key is an integer in Z26*.
3.2.1 Continued

Example 3.7
What is the key domain for any multiplicative cipher?
Solution
The key needs to be in Z26*. This set has only 12 members: 1, 3, 5,
7, 9, 11, 15, 17, 19, 21, 23, 25.
Example 3.8
We use a multiplicative cipher to encrypt the message “hello” with
a key of 7. The ciphertext is “XCZZU”.

3.2.1 Continued
Affine Ciphers

Figure 3.11 Affine cipher

3.2.1 Continued

Example 3.9
The affine cipher uses a pair of keys in which the first key is from
Z26* and the second is from Z26. The size of the key domain is
26 × 12 = 312.
Example 3.10
Use an affine cipher to encrypt the message “hello” with the key
pair (7, 2).

3.2.1 Continued

Example 3.11
Use the affine cipher to decrypt the message “ZEBBW” with the
key pair (7, 2) in modulus 26.
Solution

Example 3.12
The additive cipher is a special case of an affine cipher in which
k1 = 1. The multiplicative cipher is a special case of affine cipher in
which k2 = 0.
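The additive, multiplicative and affine ciphers of Examples 3.3 to 3.12, together with the brute-force and statistical attacks of Examples 3.5 and 3.6, as one runnable Python module. This is an added example, not code from the slides or from Forouzan's text; it assumes the usual encoding a = 0, ..., z = 25 of Figure 3.8, drops non-letters, and the sample inputs in the `__main__` block are the ones quoted on the slides.

```python
# Added example, not from the original slides: the additive, multiplicative and
# affine ciphers over Z26 of Examples 3.3-3.12, plus the two attacks on the
# additive cipher from Examples 3.5-3.6. The affine cipher with key pair (k1, k2)
# computes C = (k1 * P + k2) mod 26; the additive cipher is the special case
# k1 = 1 and the multiplicative cipher the special case k2 = 0 (Example 3.12).
from collections import Counter
from math import gcd

MOD = 26


def key_domain_z26_star():
    """Z26*: the multiplicative keys, i.e. the k in Z26 with gcd(k, 26) = 1 (Example 3.7)."""
    return [k for k in range(1, MOD) if gcd(k, MOD) == 1]


def affine_encrypt(plaintext, k1, k2):
    """Encrypt letter by letter; spaces and punctuation are dropped."""
    if gcd(k1, MOD) != 1:
        raise ValueError(f"k1={k1} is not in Z26*, so the cipher could not be decrypted")
    out = []
    for ch in plaintext.lower():
        if ch.isalpha():
            p = ord(ch) - ord("a")
            out.append(chr((k1 * p + k2) % MOD + ord("A")))
    return "".join(out)


def affine_decrypt(ciphertext, k1, k2):
    """P = k1^-1 * (C - k2) mod 26; pow(k1, -1, 26) is the multiplicative inverse."""
    k1_inv = pow(k1, -1, MOD)
    out = []
    for ch in ciphertext.upper():
        if ch.isalpha():
            c = ord(ch) - ord("A")
            out.append(chr((k1_inv * (c - k2)) % MOD + ord("a")))
    return "".join(out)


def additive_encrypt(plaintext, k):
    return affine_encrypt(plaintext, 1, k)


def additive_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, 1, k)


def multiplicative_encrypt(plaintext, k):
    return affine_encrypt(plaintext, k, 0)


def multiplicative_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, k, 0)


def affine_key_domain_size():
    """|Z26*| x |Z26| = 12 x 26 = 312 (Example 3.9)."""
    return len(key_domain_z26_star()) * MOD


def brute_force_additive(ciphertext):
    """Example 3.5: Eve tries every key; a reader (or a dictionary) picks the one that makes sense."""
    return {k: additive_decrypt(ciphertext, k) for k in range(1, MOD)}


def statistical_key_guess(ciphertext):
    """Example 3.6: assume the most frequent ciphertext letter is the encryption of 'e' (4)."""
    letters = [ch for ch in ciphertext.upper() if ch.isalpha()]
    most_common, _ = Counter(letters).most_common(1)[0]
    return (ord(most_common) - ord("A") - 4) % MOD


if __name__ == "__main__":
    print(additive_encrypt("hello", 15), additive_decrypt("WTAAD", 15))   # Examples 3.3, 3.4
    print(multiplicative_encrypt("hello", 7))                             # Example 3.8
    print(affine_encrypt("hello", 7, 2), affine_decrypt("ZEBBW", 7, 2))   # Examples 3.10, 3.11
    print(brute_force_additive("UVACLYFZLJBYL")[7])                       # Example 3.5
    print(affine_key_domain_size())                                       # Example 3.9
```

The `ValueError` on a non-invertible k1 is the practical form of the note that the multiplicative key must lie in Z26*: a key such as 2 or 13 still "encrypts", but two plaintext letters collide and Bob can no longer decrypt. The size of the key domain returned by `affine_key_domain_size` (312) is exactly why the next slide moves on to full monoalphabetic substitution.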
3.2.1 Continued
Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to brute-force attack.

A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character.

Figure 3.12 An example key for monoalphabetic substitution cipher

3.2.1 Continued

Example 3.13
We can use the key in Figure 3.12 to encrypt the message

The ciphertext is

3.2.2 Polyalphabetic Ciphers

In polyalphabetic substitution, each occurrence of a character may have a different substitute. The relationship between a character in the plaintext and a character in the ciphertext is one-to-many.

Autokey Cipher

3.2.2 Continued
Example 3.14
Assume that Alice and Bob agreed to use an autokey cipher with
initial key value k1 = 12. Now Alice wants to send Bob the message
“Attack is today”. Enciphering is done character by character.

3.2.2 Continued
Playfair Cipher
Figure 3.13 An example of a secret key in the Playfair cipher

Example 3.15
Let us encrypt the plaintext “hello” using the key in Figure 3.13.

3.2.2 Continued
Vigenère Cipher

Example 3.16
We can encrypt the message “She is listening” using the 6-
character keyword “PASCAL”.

3.2.2 Continued
Example 3.16
Let us see how we can encrypt the message “She is listening” using
the 6-character keyword “PASCAL”. The initial key stream is (15,
0, 18, 2, 0, 11). The key stream is the repetition of this initial key
stream (as many times as needed).

3.2.2 Continued
Example 3.17
The Vigenère cipher can be seen as a combination of m additive ciphers.

Figure 3.14 A Vigenère cipher as a combination of m additive ciphers

3.2.2 Continued
Example 3.18
Using Example 3.17, we can say that the additive cipher is a special case of the Vigenère cipher in which m = 1.

Table 3.3 A Vigenère tableau

3.2.2 Continued
Vigenère Cipher (Cryptanalysis)

Example 3.19
Let us assume we have intercepted the following ciphertext:

The Kasiski test for repetition of three-character segments yields the results shown in Table 3.4.

3.2.2 Continued
Example 3.19 (Continued)
The greatest common divisor of differences is 4, which means that
the key length is multiple of 4. First try m = 4.

In this case, the plaintext makes sense.
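The polyalphabetic ciphers of Examples 3.14 and 3.16 and the Kasiski test of Example 3.19, written as an added Python example (not code from the slides or from Forouzan). It treats both ciphers the way section 3.4.1 later does, as a key stream added to the plaintext stream in Z26: the Vigenère key stream repeats the keyword, the autokey stream is the initial key followed by the plaintext itself. The ciphertexts in the tests are computed from the slide's own inputs; the ciphertexts fed to the Kasiski helper are constructed here, since the slide's Table 3.4 ciphertext is not reproduced on the page.

```python
# Added example, not from the original slides: polyalphabetic substitution as a
# key stream over Z26 (sections 3.2.2 and 3.4.1). Vigenère repeats a keyword;
# autokey extends the key with the plaintext; the Kasiski test recovers the
# key length from the distances between repeated n-grams in the ciphertext.
from functools import reduce
from math import gcd

MOD = 26


def letters_to_ints(text):
    return [ord(ch) - ord("A") for ch in text.upper() if ch.isalpha()]


def ints_to_letters(values):
    return "".join(chr(v % MOD + ord("A")) for v in values)


def vigenere_key_stream(keyword, length):
    """(15, 0, 18, 2, 0, 11) for "PASCAL", repeated as many times as needed."""
    k = letters_to_ints(keyword)
    return [k[i % len(k)] for i in range(length)]


def vigenere_encrypt(plaintext, keyword):
    p = letters_to_ints(plaintext)
    ks = vigenere_key_stream(keyword, len(p))
    return ints_to_letters(pi + ki for pi, ki in zip(p, ks))


def vigenere_decrypt(ciphertext, keyword):
    c = letters_to_ints(ciphertext)
    ks = vigenere_key_stream(keyword, len(c))
    return ints_to_letters(ci - ki for ci, ki in zip(c, ks)).lower()


def autokey_encrypt(plaintext, k1):
    """Key stream: k1, then each previous plaintext value (Example 3.14)."""
    p = letters_to_ints(plaintext)
    ks = [k1] + p[:-1]
    return ints_to_letters(pi + ki for pi, ki in zip(p, ks))


def autokey_decrypt(ciphertext, k1):
    p, k = [], k1
    for ci in letters_to_ints(ciphertext):
        pi = (ci - k) % MOD
        p.append(pi)
        k = pi  # the plaintext value just recovered keys the next character
    return ints_to_letters(p).lower()


def kasiski_distances(ciphertext, n=3):
    """Distances between repeated n-grams; the key length divides each of them."""
    text = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    positions = {}
    for i in range(len(text) - n + 1):
        positions.setdefault(text[i:i + n], []).append(i)
    distances = []
    for pos in positions.values():
        distances += [b - a for a, b in zip(pos, pos[1:])]
    return distances


def kasiski_key_length_guess(ciphertext, n=3):
    """gcd of all distances, or None if nothing repeats (too little ciphertext)."""
    d = kasiski_distances(ciphertext, n)
    return reduce(gcd, d) if d else None


if __name__ == "__main__":
    print(vigenere_encrypt("She is listening", "PASCAL"))   # Example 3.16
    print(autokey_encrypt("Attack is today", 12))           # Example 3.14
    print(kasiski_key_length_guess(vigenere_encrypt("abcdabcdabcd", "WXYZ")))
```

As Example 3.19 says, the gcd only tells Eve that the key length is a multiple of it; the remaining step of trying m = 4 and reading the result is the same frequency analysis as for the additive cipher, applied to every m-th character separately (Figure 3.14).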

3.2.2 Continued
Hill Cipher
Figure 3.15 Key in the Hill cipher

Note

The key matrix in the Hill cipher needs to have a multiplicative inverse.
3.2.2 Continued
Example 3.20
For example, the plaintext “code is ready” can make a 3 × 4
matrix when adding extra bogus character “z” to the last block
and removing the spaces. The ciphertext is “OHKNIHGKLISS”.

Figure 3.16 Example 3.20

3.2.2 Continued
Example 3.21
Assume that Eve knows that m = 3. She has intercepted three
plaintext/ciphertext pair blocks (not necessarily from the same
message) as shown in Figure 3.17.

Figure 3.17 Example 3.21

3.2.2 Continued
Example 3.21 (Continued)

She makes matrices P and C from these pairs. Because P is invertible, she inverts the P matrix and multiplies it by C to get the K matrix as shown in Figure 3.18.

Figure 3.18 Example 3.21

Now she has the key and can break any ciphertext encrypted with
that key.
3.2.2 Continued
One-Time Pad

One of the goals of cryptography is perfect secrecy. A study by Shannon has shown that perfect secrecy can be achieved if each plaintext symbol is encrypted with a key randomly chosen from a key domain. This idea is used in a cipher called one-time pad, invented by Vernam.

3.2.2 Continued
Rotor Cipher

Figure 3.19 A rotor cipher

3.2.2 Continued
Enigma Machine

Figure 3.20 A schematic of the Enigma machine

https://www.bing.com/videos/riverview/relatedvideo?q=How+Enigma+Worked&&mid=0662B57D53B4
3-3 TRANSPOSITION CIPHERS
A transposition cipher does not substitute one symbol for another; instead, it changes the location of the symbols.

Note

A transposition cipher reorders symbols.

Topics discussed in this section:
3.3.1 Keyless Transposition Ciphers
3.3.2 Keyed Transposition Ciphers
3.3.3 Combining Two Approaches

3.3.1 Keyless Transposition Ciphers

Simple transposition ciphers, which were used in the past, are keyless.
Example 3.22
A good example of a keyless cipher using the first method is the
rail fence cipher. The ciphertext is created reading the pattern
row by row. For example, to send the message “Meet me at the
park” to Bob, Alice writes

She then creates the ciphertext “MEMATEAKETETHPR”.

3.3.1 Continued
Example 3.23

Alice and Bob can agree on the number of columns and use the
second method. Alice writes the same plaintext, row by row, in a
table of four columns.

She then creates the ciphertext “MMTAEEHREAEKTTP”.


3.3.1 Continued
Example 3.24

The cipher in Example 3.23 is actually a transposition cipher. The following shows the permutation of each character in the plaintext into the ciphertext based on the positions.

The second character in the plaintext has moved to the fifth position in the ciphertext; the third character has moved to the ninth position; and so on. Although the characters are permuted, there is a pattern in the permutation: (01, 05, 09, 13), (02, 06, 10, 14), (03, 07, 11, 15), and (08, 12). In each section, the difference between two adjacent numbers is 4.
3.3.2 Keyed Transposition Ciphers

The keyless ciphers permute the characters by writing the plaintext in one way and reading it in another way. The permutation is done on the whole plaintext to create the whole ciphertext. Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a key to permute the characters in each block separately.

3.3.2 Continued
Example 3.25

Alice needs to send the message “Enemy attacks tonight” to Bob.

The key used for encryption and decryption is a permutation key, which shows how the characters are permuted.

The permutation yields
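The three transposition methods of Examples 3.22 to 3.25 as an added Python example (not code from the slides or from Forouzan). The rail fence and column-writing ciphers are keyless; the block cipher uses a permutation key in which ciphertext position j takes the plaintext character at key[j] (1-based), and its decryption key is the inverse permutation described in the "Keys" slide that follows. The permutation key (3, 1, 4, 5, 2) in the demo is constructed here; the slide's own key is not reproduced on the page.

```python
# Added example, not from the original slides: keyless (rail fence, columnar)
# and keyed (block) transposition ciphers of section 3-3. The block key used in
# __main__ is a constructed demo key, not necessarily the one from Example 3.25.

def strip(text):
    """Transposition works on letters only; case and spaces are dropped."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def rail_fence_encrypt(plaintext, rails=2):
    """Write in a zigzag over the rows, read row by row (Example 3.22)."""
    rows = [[] for _ in range(rails)]
    r, step = 0, 1
    for ch in strip(plaintext):
        rows[r].append(ch)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return "".join("".join(row) for row in rows).upper()


def columnar_encrypt(plaintext, columns):
    """Write row by row into a fixed number of columns, read column by column (Example 3.23)."""
    p = strip(plaintext)
    return "".join(p[c::columns] for c in range(columns)).upper()


def columnar_decrypt(ciphertext, columns):
    """Rebuild the columns (the last row may be short) and read row by row again."""
    n = len(ciphertext)
    rows = -(-n // columns)           # ceiling division: number of rows written
    full = n - (rows - 1) * columns   # columns that have a character in the last row
    cols, i = [], 0
    for c in range(columns):
        length = rows if c < full else rows - 1
        cols.append(ciphertext[i:i + length])
        i += length
    out = [cols[c][r] for r in range(rows) for c in range(columns) if r < len(cols[c])]
    return "".join(out).lower()


def block_encrypt(plaintext, key, pad="z"):
    """Keyed transposition: permute each block of len(key) characters separately (Example 3.25)."""
    p = strip(plaintext)
    m = len(key)
    while len(p) % m:
        p += pad                       # bogus padding so the last block is full
    return "".join("".join(p[b + k - 1] for k in key)
                   for b in range(0, len(p), m)).upper()


def invert_key(key):
    """The decryption key is the inverse permutation (Figure 3.23)."""
    inv = [0] * len(key)
    for j, k in enumerate(key, start=1):
        inv[k - 1] = j
    return inv


def block_decrypt(ciphertext, key):
    return block_encrypt(ciphertext, invert_key(key)).lower()


if __name__ == "__main__":
    print(rail_fence_encrypt("Meet me at the park"))              # Example 3.22
    print(columnar_encrypt("Meet me at the park", 4))             # Example 3.23
    demo_key = (3, 1, 4, 5, 2)                                    # constructed
    ct = block_encrypt("Enemy attacks tonight", demo_key)
    print(ct, block_decrypt(ct, demo_key))
```

Note that the keyed cipher never changes which letters occur, only where they sit, so the single-letter frequencies of Table 3.1 survive transposition unchanged; that is the observation that distinguishes a transposition ciphertext from a substitution ciphertext before any key is tried.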

3.3.3 Combining Two Approaches

Example 3.26
Figure 3.21

3.3.3 Continued
Keys
In Example 3.26, a single key was used in two directions for the column exchange: downward for encryption, upward for decryption. It is customary to create two keys.

Figure 3.22 Encryption/decryption keys in transpositional ciphers

3.3.3 Continued

Figure 3.23 Key inversion in a transposition cipher

3.3.3 Continued
Using Matrices
We can use matrices to show the encryption/decryption process
for a transposition cipher.

Example 3.27
Figure 3.24 shows the encryption process. Multiplying the 4 × 5 plaintext matrix by the 5 × 5 encryption key gives the 4 × 5 ciphertext matrix.

Figure 3.24 Representation of the key as a matrix in the transposition cipher

3.3.3 Continued
Double Transposition Ciphers
Figure 3.25 Double transposition cipher

3-4 STREAM AND BLOCK CIPHERS

The literature divides the symmetric ciphers into two broad categories: stream ciphers and block ciphers. Although the definitions are normally applied to modern ciphers, this categorization also applies to traditional ciphers.

Topics discussed in this section:


3.4.1 Stream Ciphers
3.4.2 Block Ciphers
3.4.3 Combination

3.4.1 Stream Ciphers

Call the plaintext stream P, the ciphertext stream C, and the key stream K.

Figure 3.26 Stream cipher

3.4.1 Continued

Example 3.30
Additive ciphers can be categorized as stream ciphers in which the
key stream is the repeated value of the key. In other words, the
key stream is considered as a predetermined stream of keys or
K = (k, k, …, k). In this cipher, however, each character in the
ciphertext depends only on the corresponding character in the
plaintext, because the key stream is generated independently.

Example 3.31
The monoalphabetic substitution ciphers discussed in this chapter
are also stream ciphers. However, each value of the key stream in
this case is the mapping of the current plaintext character to the
corresponding ciphertext character in the mapping table.

3.4.1 Continued

Example 3.32
Vigenère ciphers are also stream ciphers according to the
definition. In this case, the key stream is a repetition of m values,
where m is the size of the keyword. In other words,

Example 3.33
We can establish a criterion to divide stream ciphers based on
their key streams. We can say that a stream cipher is a
monoalphabetic cipher if the value of ki does not depend on the
position of the plaintext character in the plaintext stream;
otherwise, the cipher is polyalphabetic.
3.4.1 Continued
Example 3.33 (Continued)

• Additive ciphers are definitely monoalphabetic because ki in the key stream is fixed; it does not depend on the position of the character in the plaintext.

• Monoalphabetic substitution ciphers are monoalphabetic because ki does not depend on the position of the corresponding character in the plaintext stream; it depends only on the value of the plaintext character.

• Vigenère ciphers are polyalphabetic ciphers because ki definitely depends on the position of the plaintext character. However, the dependency is cyclic. The key is the same for two characters m positions apart.
3.4.2 Block Ciphers

In a block cipher, a group of plaintext symbols of size m (m > 1) are encrypted together, creating a group of ciphertext of the same size. A single key is used to encrypt the whole block even if the key is made of multiple values. Figure 3.27 shows the concept of a block cipher.
Figure 3.27 Block cipher

3.4.2 Continued

Example 3.34
Playfair ciphers are block ciphers. The size of the block is m = 2.
Two characters are encrypted together.
Example 3.35
Hill ciphers are block ciphers. A block of plaintext, of size 2 or
more is encrypted together using a single key (a matrix). In these
ciphers, the value of each character in the ciphertext depends on
all the values of the characters in the plaintext. Although the key
is made of m × m values, it is considered as a single key.
Example 3.36
From the definition of the block cipher, it is clear that every block
cipher is a polyalphabetic cipher because each character in a
ciphertext block depends on all characters in the plaintext block.
3.4.3 Combination

In practice, blocks of plaintext are encrypted individually, but they use a stream of keys to encrypt the whole message block by block. In other words, the cipher is a block cipher when looking at the individual blocks, but it is a stream cipher when looking at the whole message considering each block as a single unit.

Cryptography & Network Security

Unit - II
• Symmetric Key Cryptography:
  • Data Encryption Standard (DES)
  • Advanced Encryption Standard (AES)
  • Blowfish
  • IDEA
  • Block Cipher Modes of Operation
• Number Theory:
  • Prime and Relatively Prime Numbers
  • Modular Arithmetic
  • Fermat’s and Euler’s Theorems
  • The Chinese Remainder Theorem
  • Discrete Logarithms

Tuesday 29
DES (Data Encryption Standard)
• DES is a symmetric-key algorithm for the encryption of electronic data.
• Data Encryption Standard (DES) is a widely-used method of data encryption using a private (secret) key.
• DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations.
• DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel block cipher.
• Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds in three phases.
1. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
2. This is followed by a phase consisting of sixteen rounds of the same function, which involves both permutation and substitution functions. The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput.
3. Finally, the preoutput is passed through a permutation that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher.
• The right-hand portion of the figure shows the way in which the 56-bit key is used.
• Initially, the key is passed through a permutation function.
• Then, for each of the sixteen rounds, a subkey (Ki) is produced by the combination of a left circular shift and a permutation.
• The permutation function is the same for each round, but a different subkey is produced because of the repeated shifts of the key bits.
Details of Single Round
• The figure shows the internal structure of a single round. Again, begin by focusing on the left-hand side of the diagram.
• The left and right halves of each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right).
• As in any classic Feistel cipher, the overall processing at each round can be summarized in the following formulas:
• The round key Ki is 48 bits.
• The R input is 32 bits.
• This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits.
• The resulting 48 bits are XORed with Ki.
• This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted.
Table 6.1 Initial and final permutation tables (the grid accompanying the table numbers the 64 bit positions 1 through 64, eight per row; the permutation entries themselves are not reproduced here)
S-Box Design in DES:
• The substitution stage consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.
Key Generation
• A 64-bit key is used as input to the algorithm.
• The bits of the key are numbered from 1 through 64; every eighth bit is ignored, and the key is first subjected to a permutation.
• The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0.
• At each round, Ci-1 and Di-1 are separately subjected to a circular left shift.
• These shifted values serve as input to the next round. They also serve as input to the part labeled Permuted Choice, which produces a 48-bit output that serves as input to the function F(Ri-1, Ki).
Round number:      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Number of shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
DES Decryption
• Whatever process we follow in encryption is used for decryption also, but the order of the keys is changed, with the ciphertext as the input message.
• The keys are applied in reverse order: K16, K15, ..., K1.
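A toy Feistel network with the DES round structure (L/R halves, sixteen rounds, final swap) and the DES shift schedule from the table above, added here to show the decryption rule just stated: run the same process with the subkeys in the order K16, ..., K1. This is an added example, not DES itself and not code from the slides: the round function `f` and the way a subkey is cut out of the shifted C/D halves are constructed stand-ins (the real DES f, PC-1, PC-2, IP and S-box tables are not on the page); only the per-round shift counts are DES's.

```python
# Added example, not from the original slides: a toy Feistel cipher with the
# DES round structure. f() and the subkey derivation are stand-ins, not DES;
# the SHIFTS table is the DES left-shift schedule from the slide above.
MASK32 = (1 << 32) - 1
MASK28 = (1 << 28) - 1
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # DES schedule, sums to 28


def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & MASK28


def key_schedule(key56):
    """Split the 56-bit key into C0/D0, rotate both per round, emit 16 subkeys."""
    c, d = key56 >> 28, key56 & MASK28
    subkeys = []
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        # stand-in for Permuted Choice 2: fold the 56 shifted bits into 32 bits
        subkeys.append((((c << 28) | d) & MASK32) ^ (c >> 8))
    return subkeys, (c, d)


def f(r, k):
    """Toy round function: a keyed non-linear mix of the 32-bit R half (not DES f)."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return (x ^ (x >> 15)) & MASK32


def feistel(block64, subkeys):
    """L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, K_i);  swap halves after round 16."""
    l, r = block64 >> 32, block64 & MASK32
    for k in subkeys:
        l, r = r, l ^ f(r, k)
    return (r << 32) | l  # the swapped halves form the preoutput


def encrypt(block64, key56):
    subkeys, _ = key_schedule(key56)
    return feistel(block64, subkeys)


def decrypt(block64, key56):
    """Same network, subkeys reversed: K16, K15, ..., K1 undo the rounds one by one."""
    subkeys, _ = key_schedule(key56)
    return feistel(block64, subkeys[::-1])


def halves_return_after_16_rounds(key56):
    """The shift counts sum to 28, so C16 and D16 equal C0 and D0 (a real DES property)."""
    _, (c, d) = key_schedule(key56)
    return (c, d) == (key56 >> 28, key56 & MASK28)


if __name__ == "__main__":
    key = 0x0123456789ABCD            # constructed 56-bit key
    pt = 0x0123456789ABCDEF           # constructed 64-bit block
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)) == hex(pt), halves_return_after_16_rounds(key))
```

The reason reversing the subkeys is enough is visible in `feistel`: each round only XORs `f(R, K)` into the other half, and XORing the same value twice cancels regardless of what `f` computes, so `f` never has to be invertible. That is the property that lets DES use a non-invertible substitution inside an invertible cipher.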
Strength of DES
• DES is a symmetric-key block cipher which takes a 64-bit plaintext block and a 56-bit key as input and produces 64 bits of ciphertext as output.
• The DES function is made up of P-boxes and S-boxes:
• P-boxes transpose bits.
• S-boxes substitute bits to generate the ciphertext.
Use of 56-bit Key
• A 56-bit key is used in encryption, so there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys; a brute-force attack on such a number of keys is impractical.
• A machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.
Nature of the Algorithm
• A cryptanalyst can attempt cryptanalysis by exploiting the characteristics of the DES algorithm, but no one has succeeded in finding the weakness.
• This is possible because, in DES, we have 8 substitution tables or S-boxes in each iteration and one P-box transposition for every individual iteration.
Avalanche Effect
• Key desirable property of an encryption algorithm:
• A small change in either the plaintext or the key should produce a significant change in the ciphertext (this property is called the avalanche effect).
• DES exhibits a strong avalanche effect.

Timing Attack
• A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.
• The authors conclude that DES appears to be fairly resistant to a successful timing attack.
AES
• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) in 2001.
• AES is a block cipher intended to replace DES for commercial applications.
• It uses a 128-bit block size and a key size of 128, 192, or 256 bits. The algorithm is referred to as AES-128, AES-192 or AES-256.
• AES does not use a Feistel structure. Instead, each full round consists of four separate functions: byte substitution, permutation, arithmetic operations over a finite field, and XOR with a key.
AES Parameters

AES Structure
• The input to the encryption and decryption algorithms is a single 128-bit block. This block is depicted as a 4 × 4 square matrix of bytes.
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix. These operations are depicted in the figure. Similarly, the key is depicted as a square matrix of bytes.
• This key is then expanded into an array of key schedule words. The figure shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key.
• The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.
• The first N-1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
• The final round contains only three transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered round 0.
• Each transformation takes one or more 4 × 4 matrices as input and produces a 4 × 4 matrix as output.
• The figure shows that the output of each round is a 4 × 4 matrix, with the output of the final round being the ciphertext.
• Also, the key expansion generates N + 1 round keys, each of which is a distinct 4 × 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
Detailed Structure
• The figure shows the AES cipher in more detail, indicating the sequence of transformations in each round and showing the corresponding decryption function.
• Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block.
• ShiftRows: a simple permutation.
• MixColumns: a substitution that makes use of arithmetic over a finite field.
• AddRoundKey: a simple bitwise XOR of the current block with a portion of the expanded key.
AES Transformation Functions
• The four transformation functions are:
• Substitute bytes
• Shift rows
• Mix columns
• Add round key
Substitute Bytes Transformation
• The forward substitute byte transformation, called SubBytes, is a simple table lookup.
• AES defines a 16 × 16 matrix of byte values, called an S-box, that contains a permutation of all possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the following way: the leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}.
Shift Rows Transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
Mix Columns Transformation
• The forward mix column transformation, called MixColumns, operates on each column individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
AddRoundKey Transformation
• In the AddRoundKey transformation, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
• The operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
• In the figure, the first matrix is the State and the second matrix is the round key.
AES Key Expansion
• The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes).
• This is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
• The key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time.
• Each added word w[i] depends on the immediately preceding word, w[i − 1], and the word four positions back, w[i − 4].
• In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used. The function g consists of the following subfunctions:
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
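The four AES transformations (SubBytes, ShiftRows, MixColumns, AddRoundKey) and the 128-bit key expansion with RotWord, SubWord and Rcon, as one added Python example; this is not code from the slides, and the S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) rather than copied from the table, so the {95} → {2A} lookup above and the "44 words" of the key expansion slide can be checked directly. The State is stored column-major, `state[c][r]`, so a column is the same thing as a 4-byte word; the 16-byte key in the demo is a constructed value.

```python
# Added example, not from the original slides: the AES round transformations on
# a 4x4 State (column-major: state[c][r]) and the 128-bit key expansion.
# The S-box is computed from its definition instead of being typed in.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gf_mul(a, b):
    """Multiply two field elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _affine(b):
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63


def build_sbox():
    """S[x] = affine(x^-1), with 0 mapped to 0 before the affine step."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    return [_affine(inv[x]) for x in range(256)]


SBOX = build_sbox()


def sub_bytes(state):
    return [[SBOX[b] for b in col] for col in state]


def shift_rows(state):
    """Row r is rotated left by r positions: new[c][r] = old[(c + r) % 4][r]."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def mix_column(col):
    """Each output byte is a fixed GF(2^8) combination of all four input bytes."""
    a0, a1, a2, a3 = col
    m = gf_mul
    return [m(a0, 2) ^ m(a1, 3) ^ a2 ^ a3,
            a0 ^ m(a1, 2) ^ m(a2, 3) ^ a3,
            a0 ^ a1 ^ m(a2, 2) ^ m(a3, 3),
            m(a0, 3) ^ a1 ^ a2 ^ m(a3, 2)]


def mix_columns(state):
    return [mix_column(col) for col in state]


def add_round_key(state, round_key_words):
    """Column c of State is XORed with word c of the round key."""
    return [[b ^ k for b, k in zip(col, word)] for col, word in zip(state, round_key_words)]


def key_expansion(key16):
    """44 words for a 16-byte key; w[i] = w[i-4] xor g(w[i-1]) when i is a multiple of 4."""
    rcon = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
    w = [list(key16[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]           # RotWord
            temp = [SBOX[b] for b in temp]       # SubWord
            temp[0] ^= rcon[i // 4 - 1]          # xor Rcon[j] into the first byte
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_key(w, rnd):
    """Round key rnd (0..10) is words 4*rnd .. 4*rnd+3 of the expanded key."""
    return w[4 * rnd:4 * rnd + 4]


if __name__ == "__main__":
    demo_key = bytes(range(16))                              # constructed key
    w = key_expansion(demo_key)
    state = [list(demo_key[4 * c:4 * c + 4]) for c in range(4)]
    state = add_round_key(state, round_key(w, 0))            # round 0
    state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key(w, 1))
    print(hex(SBOX[0x95]), len(w), [hex(b) for b in state[0]])
```

The generated table is only a demonstration aid: a production implementation keeps the S-box as constants, and a constant-time one avoids data-dependent table lookups altogether, since the SubBytes indexing is exactly the kind of secret-dependent memory access that cache-timing attacks observe.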
Blowfish
• Blowfish is a symmetric block cipher developed by Bruce Schneier in 1993.
• Blowfish is designed to have the following characteristics:
• Speed: Blowfish encrypts data on a 32-bit microprocessor at a rate of 18 clock cycles per byte.
• Compact: it can run in less than 5K of memory.
• Simple: very easy to implement.
• Variably secure: the key length is variable and can be as long as 448 bits. This allows a trade-off between higher speed and higher security.
• Blowfish is a Feistel-type model.
Number Theory
• Prime and Relatively Prime Numbers
• Modular Arithmetic
• Fermat’s and Euler’s Theorems
• The Chinese Remainder Theorem
• Discrete Logarithms
Prime and Relatively Prime Numbers
• Divisors
An integer b is divisible by an integer a, written a | b, if there is an integer x such that b = ax. We also say that b is a multiple of a, and that a is a divisor of b.
The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12 and 24.
Any integer a has ±1 and ±a as divisors. These divisors are called trivial.
• The following relations hold:
If a | 1, then a = ±1.
If a | b and b | a, then a = ±b.
Any b ≠ 0 divides 0.
If c | a and c | b, then c | (ax + by) for all integers x and y.
Prime Number
• An integer p > 1 is called a prime number or a prime if it has only trivial divisors. An integer p > 1 which is not a prime is called composite.
• Thus, p > 1 is a prime number if and only if no integer x with 1 < x < p divides p.
• Any integer a > 1 can be factored in a unique way as
$a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_n^{\alpha_n}$, where $p_1 < p_2 < \cdots < p_n$ are prime numbers and each $\alpha_i > 0$.
$91 = 7 \times 13$; $11011 = 7 \times 11^2 \times 13$

• Writing $a_p$ for the exponent of the prime p in the factorization of a: $a \mid b \Rightarrow a_p \le b_p$ for all p.
• a = 12; b = 36; 12 | 36; $12 = 2^2 \times 3$; $36 = 2^2 \times 3^2$
• $a_2 = 2 = b_2$; $a_3 = 1 < 2 = b_3$
Relatively Prime Numbers
• The greatest common divisor (GCD) of a and b is the positive integer c such that
  - c is a divisor of a and b
  - any divisor of a and b is a divisor of c.
• An equivalent definition is
  - gcd(a, b) = max [k, such that k | a and k | b]
• As we require that the gcd be positive,
  - gcd(a, b) = gcd(a, -b) = gcd(-a, b).
  - gcd(60, 24) = 12
  - gcd(18, 300): 300 = 2^2 X 3^1 X 5^2
    18 = 2^1 X 3^2
    gcd(18, 300) = 2^1 X 3^1 X 5^0 = 6
• In general, k = gcd(a, b) if and only if k_p = min(a_p, b_p) for all primes p.
• The integers a and b are relatively prime if they have no prime factors in common, that is, if their only common positive factor is 1. This is equivalent to saying that a and b are relatively prime if gcd(a, b) = 1.
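The two ways of obtaining a gcd described above, as an added example that is not part of the slides: Euclid's algorithm (which never needs a factorization) and the exponent rule k_p = min(a_p, b_p) applied to trial-division factorizations. The extended form of Euclid's algorithm also returns the coefficients x, y with a·x + b·y = gcd(a, b); it is the routine that later yields modular inverses such as the M_i^-1 values in the CRT section.

```python
# Added example: Euclid's algorithm, extended Euclid and the factorisation rule.
from collections import Counter


def gcd(a, b):
    """Euclid's algorithm; sign is ignored so gcd(a, -b) == gcd(a, b)."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def egcd(a, b):
    """Extended Euclid for a, b >= 0: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def factor(n):
    """Trial-division factorisation n = prod p^e, returned as {p: e} (fine for small n)."""
    exps = Counter()
    p = 2
    while p * p <= n:
        while n % p == 0:
            exps[p] += 1
            n //= p
        p += 1
    if n > 1:
        exps[n] += 1
    return dict(exps)


def gcd_by_exponents(a, b):
    """gcd from the factorisations: take min(a_p, b_p) for every common prime p."""
    fa, fb = factor(a), factor(b)
    g = 1
    for p in set(fa) & set(fb):
        g *= p ** min(fa[p], fb[p])
    return g


def coprime(a, b):
    """Relatively prime means gcd(a, b) == 1."""
    return gcd(a, b) == 1


if __name__ == "__main__":
    print(gcd(60, 24), gcd(18, 300), gcd_by_exponents(18, 300), egcd(18, 300))
```

Euclid's algorithm is the one to use in practice: factoring is expensive for large inputs, whereas the remainder loop runs in a number of steps proportional to the number of digits.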
Modular Arithmetic
• Given any positive integer n and any integer a, if we divide a by n, we get a quotient q and a remainder r that obey the following relationship:
  a = qn + r;  0 ≤ r < n;  q = ⌊a/n⌋
• a = 11; n = 7; 11 = 1 X 7 + 4; r = 4
• a = -11; n = 7; -11 = (-2) X 7 + 3; r = 3
• If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n. Thus for any integer a, we can always write
  a = ⌊a/n⌋ X n + (a mod n)
• 11 mod 7 = 4; -11 mod 7 = 3
• The remainder is always taken in the range 0 ≤ r < n, even for negative a. Programming languages differ here: Python’s -11 % 7 gives 3, but C, C++ and Java truncate toward zero and give -11 % 7 = -4, so code that reduces possibly negative values must add n back to a negative result.
• Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This can be written as
  a ≡ b (mod n)
  - 73 ≡ 4 (mod 23); 21 ≡ -9 (mod 10)
  - If a ≡ 0 (mod n), then n | a.
• The modulo operator has the following properties:
  - a ≡ b (mod n) if n | (a – b)
  - (a mod n) = (b mod n) implies a ≡ b (mod n)
  - a ≡ b (mod n) implies b ≡ a (mod n)
  - a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n).
• To demonstrate the first point: if n | (a – b), then (a – b) = kn for some k, so we can write a = b + kn. Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n).
  - 23 ≡ 8 (mod 5) because 23 – 8 = 15 = 5 X 3
  - -11 ≡ 5 (mod 8) because -11 – 5 = -16 = 8 X (-2)
Modular Arithmetic Operations
• Modular arithmetic exhibits the following properties:
  - [(a mod n) + (b mod n)] mod n = (a + b) mod n
  - [(a mod n) - (b mod n)] mod n = (a - b) mod n
  - [(a mod n) X (b mod n)] mod n = (a X b) mod n
• We demonstrate the first property. Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for some integer j and b = rb + kn for some integer k. Then
  (a + b) mod n = (ra + jn + rb + kn) mod n
                = (ra + rb + (k + j)n) mod n
                = (ra + rb) mod n
                = [(a mod n) + (b mod n)] mod n
• The remaining properties can be proved in the same way.
• 11 mod 8 = 3; 15 mod 8 = 7
  - [(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2
  - (11 + 15) mod 8 = 26 mod 8 = 2
  - [(11 mod 8) - (15 mod 8)] mod 8 = -4 mod 8 = 4
  - (11 - 15) mod 8 = -4 mod 8 = 4
  - [(11 mod 8) X (15 mod 8)] mod 8 = 21 mod 8 = 5
  - (11 X 15) mod 8 = 165 mod 8 = 5
• Exponentiation is performed by repeated multiplication, as in ordinary arithmetic, reducing mod n after each step so that the intermediate values stay small.
• To find 11^7 mod 13, we can proceed as follows:
  11^2 = 121 ≡ 4 (mod 13)
  11^4 ≡ 4^2 = 16 ≡ 3 (mod 13)
  11^7 = 11^4 X 11^2 X 11 ≡ 3 X 4 X 11 = 132 ≡ 2 (mod 13)
• Thus, the rules for ordinary arithmetic involving addition, subtraction, and multiplication carry over into modular arithmetic.
Properties of Modular Arithmetic
• Define the set Zn as the set of nonnegative integers less than n:
  Zn = {0, 1, ... , (n - 1)}
• This is referred to as the set of residues, or residue classes mod n. To be more precise, each integer in Zn represents a residue class. We can label the residue classes mod n as [0], [1], [2], ... , [n - 1], where
  [r] = {a : a is an integer, a ≡ r (mod n)}
• The residue classes (mod 4) are
  [0] = { ... , -16, -12, -8, -4, 0, 4, 8, 12, 16, ... }
  [1] = { ... , -15, -11, -7, -3, 1, 5, 9, 13, 17, ... }
  [2] = { ... , -14, -10, -6, -2, 2, 6, 10, 14, 18, ... }
  [3] = { ... , -13, -9, -5, -1, 3, 7, 11, 15, 19, ... }
• There is one peculiarity of modular arithmetic that sets it apart from ordinary arithmetic.
  - if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
  - (5 + 23) ≡ (5 + 7) (mod 8); 23 ≡ 7 (mod 8)
• The equation is consistent with the existence of an additive inverse. Adding the additive inverse of a to both sides of the equation, we have
  ((-a) + a + b) ≡ ((-a) + a + c) (mod n)
  b ≡ c (mod n)
• However, the following statement is true only with the attached condition:
  if (a X b) ≡ (a X c) (mod n) then b ≡ c (mod n), provided a is relatively prime to n
• Recall that two integers are relatively prime if their only common positive integer factor is 1.
• 6 X 3 = 18 ≡ 2 (mod 8)
• 6 X 7 = 42 ≡ 2 (mod 8)
• Yet 3 ≢ 7 (mod 8).
• The reason for this result is that, for a general modulus n, a multiplier a that is applied in turn to the integers 0 through (n – 1) will fail to produce a complete set of residues if a and n have any factors in common.
• With a = 6 and n = 8,
  Z8:             0   1   2   3   4   5   6   7
  Multiply by 6:  0   6  12  18  24  30  36  42
  Residues:       0   6   4   2   0   6   4   2
• Because we do not have a complete set of residues when multiplying by 6, more than one integer in Z8 maps into the same residue. Specifically, 6 X 0 mod 8 = 6 X 4 mod 8; 6 X 1 mod 8 = 6 X 5 mod 8; and so on.
• Because this is a many-to-one mapping, there is not a unique inverse to the multiply operation.
• However, if we take a = 5 and n = 8, whose only common factor is 1,
  Z8:             0   1   2   3   4   5   6   7
  Multiply by 5:  0   5  10  15  20  25  30  35
  Residues:       0   5   2   7   4   1   6   3
  The line of residues contains all the integers in Z8, in a different order.
• Finally, we observe that if p is a prime number, then all the nonzero elements of Zp are relatively prime to p.
• So one more property can be added to the list:
  - Multiplicative inverse (w^-1): for each nonzero w ∈ Zp, there exists z such that w X z ≡ 1 (mod p).
• With a multiplicative inverse available, cancellation of a factor a that is relatively prime to n follows the same pattern as the additive case:
  ((a^-1) X a X b) ≡ ((a^-1) X a X c) (mod n)
  b ≡ c (mod n)
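An added example (not from the slides) serving the exponentiation passage (11^7 mod 13) and the cancellation passage just above: square-and-multiply exponentiation, which is the form of the "repeated multiplication" that scales to the exponents used in real protocols, and the residue-row test showing that multiplying Z_n by a is a permutation exactly when gcd(a, n) = 1, which is what makes both cancellation and a multiplicative inverse possible.

```python
# Added example: square-and-multiply, residue rows, and the cancellation condition.
from math import gcd


def mod_pow(base, exp, n):
    """Square-and-multiply: about 2*log2(exp) multiplications, all reduced mod n."""
    result = 1
    base %= n
    while exp > 0:
        if exp & 1:                  # current low bit set: multiply it in
            result = (result * base) % n
        base = (base * base) % n     # square for the next bit
        exp >>= 1
    return result


def residue_row(a, n):
    """The residues (a*0 mod n, a*1 mod n, ..., a*(n-1) mod n), as in the tables above."""
    return [(a * i) % n for i in range(n)]


def is_complete_residue_set(a, n):
    """True iff multiplication by a permutes Z_n, which happens iff gcd(a, n) == 1."""
    return sorted(residue_row(a, n)) == list(range(n))


def mod_inverse(a, n):
    """Multiplicative inverse of a mod n by search, or None if gcd(a, n) != 1."""
    if gcd(a, n) != 1:
        return None
    for z in range(1, n):
        if (a * z) % n == 1:
            return z
    return None


def cancellation_counterexamples(a, n):
    """Pairs b < c with a*b == a*c (mod n) but b != c (mod n); empty iff gcd(a, n) == 1."""
    row = residue_row(a, n)
    return [(b, c) for b in range(n) for c in range(b + 1, n) if row[b] == row[c]]


if __name__ == "__main__":
    print(mod_pow(11, 7, 13), residue_row(6, 8), residue_row(5, 8))
    print(cancellation_counterexamples(6, 8), mod_inverse(5, 8))
```

Python's built-in `pow(base, exp, n)` does the same reduction-at-every-step as `mod_pow` and should be preferred in real code; computing `base ** exp % n` first builds an integer with thousands of digits.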
Fermat’s and Euler’s Theorems
• Two theorems that play important roles in public-key cryptography are Fermat’s theorem and Euler’s theorem.
• Fermat’s Theorem
• Fermat’s theorem states the following: If p is prime and a is a positive integer not divisible by p, then
  a^(p-1) ≡ 1 (mod p)
Proof
• We know that if all the elements of Zp are multiplied by a, mod p, the result consists of the elements of Zp in some order.
• Also a X 0 ≡ 0 (mod p).
• Therefore, the (p-1) numbers {a mod p, 2a mod p, …, (p-1)a mod p} are just the numbers {1, 2, …, (p-1)} in some order.
• Multiply these numbers together:
  a X 2a X … X ((p-1)a) ≡ [(a mod p) X (2a mod p) X … X ((p-1)a mod p)] (mod p)
                          ≡ (p-1)! (mod p)
  But a X 2a X … X ((p-1)a) = (p-1)! a^(p-1)
  So (p-1)! a^(p-1) ≡ (p-1)! (mod p)
  On cancelling (p-1)! on both sides, which is allowed because (p-1)! is relatively prime to p, we get
  a^(p-1) ≡ 1 (mod p)
• a = 7, p = 19
  7^2 = 49 ≡ 11 (mod 19)
  7^4 ≡ 11^2 = 121 ≡ 7 (mod 19)
  7^8 ≡ 7^2 = 49 ≡ 11 (mod 19)
  7^16 ≡ 11^2 = 121 ≡ 7 (mod 19)
  a^(p-1) = 7^18 = 7^16 X 7^2 ≡ 7 X 11 = 77 ≡ 1 (mod 19)
• An alternative form of Fermat’s theorem is also useful: If p is prime and a is any positive integer, then
  a^p ≡ a (mod p)
  - p = 5, a = 3:  a^p = 3^5 = 243 ≡ 3 (mod 5) = a (mod p)
  - p = 5, a = 10: a^p = 10^5 = 100000 ≡ 0 (mod 5) ≡ 10 (mod 5) = a (mod p)
Euler’s Totient Function
• Before presenting Euler’s theorem, we need to introduce an important quantity in number theory, referred to as Euler’s totient function, written as ɸ(n) and defined as the number of positive integers less than n and relatively prime to n.
• By convention, ɸ(1) = 1.
Values of Euler’s Totient Function
    n  ɸ(n)      n  ɸ(n)      n  ɸ(n)
    1    1      11   10      21   12
    2    1      12    4      22   10
    3    2      13   12      23   22
    4    2      14    6      24    8
    5    4      15    8      25   20
    6    2      16    8      26   12
    7    6      17   16      27   18
    8    4      18    6      28   12
    9    6      19   18      29   28
   10    4      20    8      30    8
• ɸ(21) = ɸ(3) X ɸ(7) = (3 - 1) X (7 - 1) = 2 X 6 = 12, where the 12 integers are {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}.
• For a prime number p, ɸ(p) = p – 1.
• Now suppose that we have two prime numbers p and q with p ≠ q. Then we can show that, for n = pq,
  ɸ(n) = ɸ(pq) = ɸ(p) X ɸ(q) = (p - 1) X (q - 1)
• To show ɸ(n) = ɸ(p) X ɸ(q), consider that the set of positive integers less than n is the set {1, … , (pq - 1)}. The integers in this set that are not relatively prime to n are the set {p, 2p, ... , (q - 1)p} and the set {q, 2q, ... , (p - 1)q}; these two sets are disjoint because p ≠ q. Accordingly,
  ɸ(n) = (pq - 1) - [(q - 1) + (p - 1)]
       = pq - (p + q) + 1
       = (p - 1) X (q - 1)
       = ɸ(p) X ɸ(q)
Euler’s Theorem
• Euler’s theorem states that for every a and n that are relatively prime:
  a^ɸ(n) ≡ 1 (mod n)
• Proof: The equation is true if n is prime, because in that case ɸ(n) = (n – 1) and Fermat’s theorem holds.
• Recall that ɸ(n) is the number of positive integers less than n that are relatively prime to n. Consider the set of such integers, labeled as
  R = {x1, x2, ... , x_ɸ(n)}
• Now multiply each element by a, modulo n:
  S = {(a x1 mod n), (a x2 mod n), ... , (a x_ɸ(n) mod n)}
• The set S is a permutation of R, by the following line of reasoning:
  1. Because a is relatively prime to n and xi is relatively prime to n, a xi must also be relatively prime to n. Thus, all the members of S are integers less than n that are relatively prime to n.
  2. If a xi mod n = a xj mod n, then xi = xj, by the cancellation rule, because a is relatively prime to n. So S contains ɸ(n) distinct elements of R, hence all of R.
• Multiplying the elements of S and of R together therefore gives the same product mod n:
  (a x1) X (a x2) X … X (a x_ɸ(n)) ≡ x1 X x2 X … X x_ɸ(n) (mod n)
  a^ɸ(n) X (x1 X x2 X … X x_ɸ(n)) ≡ (x1 X x2 X … X x_ɸ(n)) (mod n)
  and since the product of the xi is relatively prime to n it can be cancelled, leaving a^ɸ(n) ≡ 1 (mod n).
• We can develop a corollary to Euler’s theorem that is useful in demonstrating the validity of the RSA algorithm.
• Given two prime numbers p and q, and integers n = pq and m with 0 < m < n, the following relationship holds:
  m^(ɸ(n)+1) = m^((p-1)(q-1)+1) ≡ m (mod n)
• If gcd(m, n) = 1, that is, if m and n are relatively prime, then the relationship holds by virtue of Euler’s theorem. It also holds when m is a multiple of p or of q: in that case m^(ɸ(n)+1) ≡ 0 ≡ m modulo that prime, Fermat’s theorem gives the congruence modulo the other prime, and the two congruences combine into one modulo n = pq.
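The totient function and the three results above checked numerically, as an added example that is not from the slides: ɸ(n) computed from the factorization and cross-checked against the counting definition, Fermat’s theorem, Euler’s theorem, and the RSA corollary m^(ɸ(n)+1) ≡ m (mod pq) verified for every m in Z_n, including the ones that share a factor with n.

```python
# Added example: totient, Fermat, Euler and the RSA corollary, checked numerically.
from math import gcd


def phi(n):
    """Euler's totient via the product formula n * prod(1 - 1/p) over the primes p | n."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p      # multiply by (1 - 1/p)
        p += 1
    if m > 1:                          # one prime factor larger than sqrt remains
        result -= result // m
    return result


def phi_by_counting(n):
    """Definition: number of 1 <= k < n with gcd(k, n) == 1 (phi(1) = 1 by convention)."""
    return 1 if n == 1 else sum(1 for k in range(1, n) if gcd(k, n) == 1)


def coprime_residues(n):
    """The integers counted by phi(n), e.g. the 12 integers listed for n = 21."""
    return [k for k in range(1, n) if gcd(k, n) == 1]


def fermat_holds(a, p):
    """a^(p-1) == 1 (mod p) for prime p and a not divisible by p."""
    return pow(a, p - 1, p) == 1


def euler_holds(a, n):
    """a^phi(n) == 1 (mod n) for gcd(a, n) == 1."""
    return pow(a, phi(n), n) == 1


def rsa_corollary_holds_for_all(p, q):
    """m^((p-1)(q-1)+1) == m (mod pq) for every 0 < m < pq, even when gcd(m, pq) > 1."""
    n = p * q
    return all(pow(m, (p - 1) * (q - 1) + 1, n) == m for m in range(1, n))


if __name__ == "__main__":
    print(phi(21), coprime_residues(21))
    print(fermat_holds(7, 19), euler_holds(2, 9), rsa_corollary_holds_for_all(7, 13))
```

`rsa_corollary_holds_for_all` is the property that makes RSA decryption return the original message for every plaintext block, not only for blocks coprime to n; the exhaustive check is only feasible for toy primes, but the corollary is what justifies it for the real ones.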
The Chinese Remainder Theorem
• One of the most useful results of number theory is the Chinese Remainder Theorem (CRT).
• The CRT says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli.
  - The 10 integers in Z10, (0, …, 9), can be reconstructed from their two residues modulo 2 and 5 (the relatively prime factors of 10).
  - Say the known residues of a decimal digit x are r2 = 0 and r5 = 3; that is, x mod 2 = 0 and x mod 5 = 3.
  - Therefore, x is an even integer in Z10 whose remainder, on division by 5, is 3.
• The unique solution is x = 8.
• Let M = m1 X m2 X … X mk, where the mi are pairwise relatively prime. Any integer A in ZM can be represented by the k-tuple of its residues (a1, a2, … , ak) with ai = A mod mi. The CRT makes two assertions:
  - This mapping is a one-to-one correspondence (called a bijection) between ZM and the Cartesian product Zm1 X Zm2 X … X Zmk. That is, for every integer A such that 0 ≤ A < M there is a unique k-tuple (a1, a2, … , ak) with 0 ≤ ai < mi that represents it, and for every such k-tuple there is a unique integer A in ZM.
  - Operations performed on the elements of ZM can be equivalently performed on the corresponding k-tuples by performing the operation independently in each coordinate position in the appropriate system.
• To recover A from its residues, compute Mi = M / mi for each i, so that Mi is a multiple of every mj with j ≠ i and is relatively prime to mi. Let ci = Mi X (Mi^-1 mod mi), where Mi^-1 mod mi is obtained with the extended Euclidean algorithm. Then
  A ≡ (a1 c1 + a2 c2 + … + ak ck) (mod M)
• To show that the value of A produced by this equation is correct, we must show that ai = A mod mi for 1 ≤ i ≤ k. Note that cj ≡ Mj ≡ 0 (mod mi) if j ≠ i and that ci ≡ 1 (mod mi). It follows that ai = A mod mi.
• The second assertion of the CRT, concerning arithmetic operations, follows from the rules for modular arithmetic. That is, the second assertion can be stated as follows: If
  A <-> (a1, a2, ... , ak)
  B <-> (b1, b2, ... , bk)
  Then
  (A + B) mod M <-> ((a1 + b1) mod m1, ... , (ak + bk) mod mk)
  (A - B) mod M <-> ((a1 - b1) mod m1, ... , (ak - bk) mod mk)
  (A X B) mod M <-> ((a1 X b1) mod m1, ... , (ak X bk) mod mk)
• One of the useful features of the CRT is that it provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers. This can be useful when M is 150 digits or more, for example in RSA private-key operations, where the two moduli are the secret primes p and q.
• To represent 973 mod 1813 as a pair of numbers mod 37 and 49, define
  m1 = 37
  m2 = 49
  M = 1813
  A = 973
• We also have M1 = 49 and M2 = 37. Using the extended Euclidean algorithm, we compute M1^-1 = 34 mod m1 and M2^-1 = 4 mod m2 (check: 49 X 34 = 1666 = 45 X 37 + 1 and 37 X 4 = 148 = 3 X 49 + 1).
• Taking residues modulo 37 and 49, our representation of 973 is (11, 42), because 973 mod 37 = 11 and 973 mod 49 = 42.
• Now suppose we want to add 678 to 973. What do we do to (11, 42)? First we compute 678 <-> (678 mod 37, 678 mod 49) = (12, 41).
• Then we add the tuples element-wise and reduce: ((11 + 12) mod 37, (42 + 41) mod 49) = (23, 34).
• To verify that this has the correct effect, we compute
  (23, 34) <-> a1 M1 M1^-1 + a2 M2 M2^-1 (mod M)
             = [(23)(49)(34) + (34)(37)(4)] mod 1813
             = 43350 mod 1813
             = 1651
  and check that it is equal to (973 + 678) mod 1813 = 1651. Remember that in the above derivation, M1^-1 is the multiplicative inverse of M1 modulo m1 and M2^-1 is the multiplicative inverse of M2 modulo m2.
• Suppose we want to multiply by 73. We multiply (23, 34) by 73 and reduce to get (23 X 73 mod 37, 34 X 73 mod 49) = (14, 32). It is easily verified that
  (14, 32) <-> [(14)(49)(34) + (32)(37)(4)] mod 1813
             = 865
             = 1651 X 73 mod 1813
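The reconstruction formula A = Σ ai · Mi · (Mi^-1 mod mi) (mod M) and the coordinate-wise arithmetic from the worked example above, as an added example that is not from the slides. It is written for any number of pairwise relatively prime moduli rather than only two, and it uses Python’s `pow(x, -1, m)` (Python 3.8 and later) to obtain the modular inverses that the slides compute with the extended Euclidean algorithm.

```python
# Added example: CRT reconstruction and residue-tuple arithmetic for k moduli.
from math import gcd, prod


def crt_setup(moduli):
    """Precompute M, each M_i = M / m_i, each M_i^-1 mod m_i and c_i = M_i * M_i^-1."""
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    Mi = [M // m for m in moduli]
    inv = [pow(Mi_i, -1, m) for Mi_i, m in zip(Mi, moduli)]   # extended Euclid inside pow()
    c = [Mi_i * inv_i for Mi_i, inv_i in zip(Mi, inv)]
    return M, Mi, inv, c


def to_residues(A, moduli):
    """A -> (A mod m_1, ..., A mod m_k)."""
    return tuple(A % m for m in moduli)


def from_residues(residues, moduli):
    """(a_1, ..., a_k) -> A = sum(a_i * c_i) mod M; the unique A in Z_M with these residues."""
    M, _, _, c = crt_setup(moduli)
    return sum(a * ci for a, ci in zip(residues, c)) % M


def add_residues(x, y, moduli):
    return tuple((a + b) % m for a, b, m in zip(x, y, moduli))


def mul_residues(x, y, moduli):
    return tuple((a * b) % m for a, b, m in zip(x, y, moduli))


def scale_residues(x, k, moduli):
    """Multiply a residue tuple by the integer k."""
    return tuple((a * k) % m for a, m in zip(x, moduli))


if __name__ == "__main__":
    mods = [37, 49]
    r = to_residues(973, mods)
    s = add_residues(r, to_residues(678, mods), mods)
    print(r, s, from_residues(s, mods), from_residues(scale_residues(s, 73, mods), mods))
```

The `crt_setup` guard matters: with moduli that share a factor the residue map is no longer a bijection, so the "unique A" the formula returns would be wrong rather than merely one of several.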
Discrete Logarithms
• Discrete logarithms are fundamental to a number of public-key algorithms, including Diffie-Hellman key exchange and the digital signature algorithm (DSA).
The Powers of an Integer, Modulo n
• Recall from Euler’s theorem that, for every a and n that are relatively prime,
  a^ɸ(n) ≡ 1 (mod n)
  where ɸ(n), Euler’s totient function, is the number of positive integers less than n and relatively prime to n. Now consider the more general expression:
  a^m ≡ 1 (mod n)
• If a and n are relatively prime, then there is at least one integer m that satisfies the equation, namely m = ɸ(n).
• The least positive exponent m for which the equation holds is referred to in several ways:
  - The order of a (mod n)
  - The exponent to which a belongs (mod n)
  - The length of the period generated by a
• To see this last point, consider the powers of 7, modulo 19:
  7^1 = 7 ≡ 7 (mod 19)
  7^2 = 49 = 2 X 19 + 11 ≡ 11 (mod 19)
  7^3 = 343 = 18 X 19 + 1 ≡ 1 (mod 19)
  7^4 = 2401 = 126 X 19 + 7 ≡ 7 (mod 19)
  7^5 = 16807 = 884 X 19 + 11 ≡ 11 (mod 19)
• There is no point in continuing because the sequence is repeating.
• This can be proven by noting that 7^3 ≡ 1 (mod 19), and therefore 7^(3+j) ≡ 7^3 X 7^j ≡ 7^j (mod 19), and hence any two powers of 7 whose exponents differ by 3 (or a multiple of 3) are congruent to each other (mod 19).
• In other words, the sequence is periodic, and the length of the period is the smallest positive exponent m such that 7^m ≡ 1 (mod 19).
• The table of all the powers of a, modulo 19, for all positive a < 19 indicates the length of the sequence for each base value by shading. Note the following:
  1. All sequences end in 1. This is consistent with the reasoning of the preceding few paragraphs.
  2. The length of a sequence divides ɸ(19) = 18. That is, an integral number of sequences occur in each row of the table.
  3. Some of the sequences are of length 18. In this case, it is said that the base integer generates (via powers) the set of nonzero integers modulo 19. Each such integer is called a primitive root of the modulus 19.
• More generally, we can say that the highest possible exponent to which a number can belong (mod n) is ɸ(n). If a number is of this order, it is referred to as a primitive root of n. The importance of this notion is that if a is a primitive root of n, then its powers a, a^2, … , a^ɸ(n) are distinct (mod n) and are all relatively prime to n.
• In particular, for a prime number p, if a is a primitive root of p, then a, a^2, …, a^(p-1) are distinct (mod p). For the prime number 19, its primitive roots are 2, 3, 10, 13, 14 and 15.
• Not all integers have primitive roots. In fact, the only integers with primitive roots are those of the form 2, 4, p^α and 2p^α, where p is any odd prime and α ≥ 1. For example, 8 has no primitive root: ɸ(8) = 4, but 3, 5 and 7 all have order 2 (mod 8).
Logarithms for Modular Arithmetic
• With ordinary positive real numbers, the logarithm function is the inverse of exponentiation. An analogous function exists for modular arithmetic.
• Let us briefly review the properties of ordinary logarithms. The logarithm of a number is defined to be the power to which some positive base (except 1) must be raised in order to equal the number. That is, for base x and for a value y,
  y = x^(log_x(y))
• The properties of logarithms include
  - log_x(1) = 0
  - log_x(x) = 1
  - log_x(yz) = log_x(y) + log_x(z)
  - log_x(y^r) = r X log_x(y)
• Consider a primitive root a for some prime number p. Then we know that the powers of a from 1 through (p – 1) produce each integer from 1 through (p – 1) exactly once. We also know that any integer b satisfies
  b ≡ r (mod p) for some r, where 0 ≤ r ≤ (p - 1)
  by the definition of modular arithmetic. It follows that for any integer b not divisible by p and a primitive root a of prime number p, we can find a unique exponent i such that
  b ≡ a^i (mod p) where 0 ≤ i < (p - 1)
• This exponent i is referred to as the discrete logarithm of the number b for the base a (mod p). We denote this value as dlog_{a,p}(b).
• Note the following:
  dlog_{a,p}(1) = 0 because a^0 mod p = 1 mod p = 1
  dlog_{a,p}(a) = 1 because a^1 mod p = a
Example
• Let n = 9. Here ɸ(n) = 6 and a = 2 is a primitive root. We compute the various powers of a and find
  2^0 = 1        2^4 = 16 ≡ 7 (mod 9)
  2^1 = 2        2^5 = 32 ≡ 5 (mod 9)
  2^2 = 4        2^6 = 64 ≡ 1 (mod 9)
  2^3 = 8
• This gives us the following table of the numbers with given discrete logarithms (mod 9) for the root a = 2:
  Logarithm  0  1  2  3  4  5
  Number     1  2  4  8  7  5
• To make it easy to obtain the discrete logarithm of a given number, we rearrange the table:
  Number     1  2  4  5  7  8
  Logarithm  0  1  2  5  4  3
• Now consider
  x = a^(dlog_{a,p}(x)) mod p     y = a^(dlog_{a,p}(y)) mod p     xy = a^(dlog_{a,p}(xy)) mod p
• Using the rules of modular multiplication,
  xy mod p = [(x mod p)(y mod p)] mod p
  a^(dlog_{a,p}(xy)) mod p = [(a^(dlog_{a,p}(x)) mod p)(a^(dlog_{a,p}(y)) mod p)] mod p
                            = a^(dlog_{a,p}(x) + dlog_{a,p}(y)) mod p
• But now consider Euler’s theorem, which states that, for every a and n that are relatively prime,
  a^ɸ(n) ≡ 1 (mod n)
• Any positive integer z can be expressed in the form z = q + kɸ(n), with 0 ≤ q < ɸ(n). Therefore, by Euler’s theorem,
  a^z ≡ a^q (mod n) if z ≡ q (mod ɸ(n))
• Applying this to the foregoing equality, we have
  dlog_{a,p}(xy) ≡ [dlog_{a,p}(x) + dlog_{a,p}(y)] (mod ɸ(p))
  and generalizing,
  dlog_{a,p}(y^r) ≡ [r X dlog_{a,p}(y)] (mod ɸ(p))
• This demonstrates the analogy between true logarithms and discrete logarithms.
• Keep in mind that unique discrete logarithms mod m to some base a exist only if a is a primitive root of m.
Calculation of Discrete Logarithms
• Consider the equation
  y = g^x mod p
• Given g, x, and p, it is a straightforward matter to calculate y. At worst, we must perform x repeated multiplications, and algorithms such as square-and-multiply, which needs only about 2 log2(x) multiplications, exist for achieving greater efficiency.
• However, given y, g, and p, it is, in general, very difficult to calculate x. This is the discrete logarithm problem.
• The difficulty seems to be on the same order of magnitude as that of factoring the product of two large primes, on which the security of RSA relies.
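The asymmetry described above, as an added example that is not from the slides: the forward direction is a single `pow()` call, while the reverse direction is a search. Brute force tries every exponent; Shanks’ baby-step giant-step, an algorith m the slides do not cover and added here as the standard generic method, needs only about √p multiplications and √p table entries, which is still hopeless for the thousand-bit primes used in practice and is why those sizes are chosen.

```python
# Added example: forward is pow(g, x, p); reverse is brute force or baby-step giant-step.
from math import isqrt


def dlog_bruteforce(g, y, p):
    """Try x = 0, 1, 2, ... < p-1 until g^x == y (mod p); None if no solution."""
    x, acc = 0, 1
    while x < p - 1:
        if acc == y % p:
            return x
        acc = (acc * g) % p
        x += 1
    return None


def dlog_bsgs(g, y, p):
    """Baby-step giant-step: x with g^x == y (mod p), p prime, in O(sqrt(p)) time and memory."""
    m = isqrt(p - 1) + 1
    baby = {}
    acc = 1
    for j in range(m):                 # baby steps: remember g^j -> j
        baby.setdefault(acc, j)
        acc = (acc * g) % p
    step = pow(g, -m, p)               # g^(-m); negative exponent needs Python 3.8+
    gamma = y % p
    for i in range(m):                 # giant steps: y * g^(-i*m) until it hits a baby step
        if gamma in baby:
            return i * m + baby[gamma]  # then y == g^(i*m + j)
        gamma = (gamma * step) % p
    return None


if __name__ == "__main__":
    p, g = 1000003, 5
    y = pow(g, 123456, p)              # forward direction: instant
    print(dlog_bsgs(g, y, p))          # reverse direction: about 1000 table entries here
```

For p = 19 both searches finish instantly; for a 2048-bit p the baby-step table alone would need about 2^1024 entries, so the only practical attacks are index-calculus methods on weak parameters, which is why validated, large, safe primes matter.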