CHAPTER 6. NUMBER THEORY FOR CRYPTOGRAPHY
INSTITIUID TEICNEOLAIOCHTA CHEATHARLACH
INSTITUTE OF TECHNOLOGY CARLOW
NUMBER THEORY FOR CRYPTOGRAPHY
1 Elementary Number Theory
1.1 Introduction
Figure 1: Carl Friedrich Gauss (1777-1855)
Many mathematicians over the centuries have made contributions to the mathematics of the integers.
The German mathematician Carl Friedrich Gauss (1777-1855) introduced the concept and notation of
the arithmetic of remainders, or the theory of congruences as it is now commonly known. This work
was published in 1801 in his Disquisitiones Arithmeticae. This monumental work laid the foundations
of modern number theory and appeared when Gauss was just 24 years old.
Gauss was one of those remarkable infant prodigies whose natural aptitude for mathematics soon
became apparent. As a child of three, according to a well-authenticated story, he corrected an error
in his father's payroll calculations. His arithmetical powers so overwhelmed his schoolmasters that,
by the time Gauss was 10 years old, they admitted that there was nothing more they could teach
the boy. It is said that in his first arithmetic class Gauss astonished his teacher by instantly solving
what was intended to be a 'busy work' problem: find the sum of all the numbers from 1 to 100. The
young Gauss later confessed to having recognised the pattern
1 + 100 = 101, 2 + 99 = 101, 3 + 98 = 101, ..., 50 + 51 = 101
Since there are 50 pairs of numbers, each of which adds up to 101, the sum of all the numbers must be
50 × 101 = 5050. This technique provides another way of deriving the formula
1 + 2 + 3 + ... + n = n(n + 1)/2
for the sum of the first n positive integers. Gauss went on to a succession of triumphs, each new
discovery following on the heels of a previous one. The problem of constructing regular polygons with
only Euclidean tools, that is to say, with ruler and compass alone, had long been laid aside in the belief
that the ancients had exhausted all the possible constructions. In 1796, Gauss showed that the 17-sided
regular polygon is so constructible, the first advance in this area since Euclid's time. The publication,
in 1801, of his Disquisitiones Arithmeticae at once placed Gauss in the front rank of mathematicians.
By the middle of the 18th century, mathematics had grown into an enormous subject area divided into
a large number of fields. Although Gauss adored every branch of mathematics, he always held number
theory in high esteem and affection. He insisted that "Mathematics is the Queen of the Sciences, and
the theory of numbers is the Queen of Mathematics".
Number Theory is the mathematics of the integers,
Z = {..., −4, −3, −2, −1, 0, 1, 2, 3, 4, ...}
A subset of the integers, the primes, those positive integers with no proper positive factors other
than 1, is particularly important in computer science. An important result of number theory
shows that the primes are the multiplicative building blocks of the positive integers. This result, called
the fundamental theorem of arithmetic, says that every positive integer can be uniquely written as a
product of primes. Interest in the prime numbers dates back 2,500 years, to the study of ancient
Greek mathematicians. Perhaps the first question about primes that comes to mind is whether there
are infinitely many. The ancient Greek mathematician Euclid provided a proof that there are infinitely
many primes. Interest in the primes was rekindled in the 17th and 18th centuries, when mathematicians
such as Pierre de Fermat and Leonhard Euler proved many important results, and suggested approaches
for generating primes.
The 20th century has seen the development of new techniques for the study of primes, but many
questions remain unresolved. Factoring a positive integer into primes is a central problem in number
theory. The factorization of a positive integer can be found using trial division, but this method
is extremely time consuming. Fermat, Euler, and many other mathematicians devised imaginative
factorization algorithms. Using the best known techniques, we can easily find primes with hundreds of
digits; factorizing integers with the same number of digits is beyond our most powerful computers.
The development of modern number theory was made possible by Gauss when he developed the language
of congruences in the early 19th century. One of the most important applications of number theory to
computer science is in the area of cryptography. Congruences can be used to develop various types of
ciphers. Current public-key cipher systems, the RSA algorithm for example, use elementary ideas from
number theory. The security of the cipher system depends on the assumption that the factorization of
composite numbers with large prime factors is prohibitively time consuming.
1.2 Greatest Common Divisor
Theorem 1 (The Division Algorithm) Given integers a and b, with b > 0, there exist unique
integers q and r satisfying
a = qb + r
where 0 ≤ r < b. The integers q and r are called, respectively, the quotient and remainder in the
division of a by b.
A special case occurs when r = 0.
Definition An integer b is said to be divisible by an integer a ≠ 0, denoted by a | b, if there exists
some integer q such that b = qa. We write a ∤ b to indicate that b is not divisible by a.
Example 3 | 6, since 6 = 3·2, and 7 | 14, since 14 = 2·7. However 3 ∤ 7, since there is no integer q such
that 7 = q·3.
Note To avoid a common misconception we note that every integer divides zero, i.e., a | 0 for every
integer a; but 0 | a if and only if a = 0.
Definition Let a and b be integers, not both zero. The greatest common divisor of a, b is the greatest
positive integer that divides each of a and b. The greatest common divisor of a and b is denoted by
gcd(a, b).
Definition Let a and b be integers, not both zero. If the greatest common divisor of a, b is 1 then these
integers are said to be coprime.
1.3 The Euclidean Algorithm
The greatest common divisor of two integers can be found by listing all their positive divisors and picking
out the largest one common to each; but this is cumbersome for large numbers. A more efficient process,
involving repeated application of the Division Algorithm, is referred to as the Euclidean Algorithm.
The Euclidean Algorithm may be described as follows:
Let a ≥ b > 0. The first step of the Division Algorithm applied to a and b yields
a = q_1 b + r_1, 0 ≤ r_1 < b
If it happens that r_1 = 0, then b | a and gcd(a, b) = b and we stop.
When r_1 ≠ 0, divide b by r_1 to get
b = q_2 r_1 + r_2, 0 ≤ r_2 < r_1
If r_2 = 0, then r_1 | b and gcd(a, b) = gcd(b, r_1) = r_1 and we stop.
When r_2 ≠ 0, divide r_1 by r_2 to get
r_1 = q_3 r_2 + r_3, 0 ≤ r_3 < r_2
This division process continues until a zero remainder appears (a zero remainder occurs sooner or
later since the decreasing sequence b > r_1 > r_2 > ... ≥ 0 cannot contain more than b integers).
The result is the following system of equations:
a = q_1 b + r_1, 0 < r_1 < b
b = q_2 r_1 + r_2, 0 < r_2 < r_1
r_1 = q_3 r_2 + r_3, 0 < r_3 < r_2
...
r_{n−2} = q_n r_{n−1} + r_n, 0 < r_n < r_{n−1}
r_{n−1} = q_{n+1} r_n + 0
We argue that r_n, the last nonzero remainder which appears in this manner, is equal to gcd(a, b),
i.e., gcd(a, b) = r_n. Our proof is based on the following lemma.
Theorem 2 Let a, b, q and r be integers with b > 0. If a = qb + r, then gcd(a, b) = gcd(b, r).
Using this lemma and working down the system of equations above we get
gcd(a, b) = gcd(b, r_1) = ... = gcd(r_{n−1}, r_n) = gcd(r_n, 0) = r_n
as claimed.
Example Let a = 12378 and b = 3054. Using the Euclidean Algorithm with a ≥ b > 0 we get
12378 = 4(3054) + 162
3054 = 18(162) + 138
162 = 1(138) + 24
138 = 5(24) + 18
24 = 1(18) + 6
18 = 3(6) + 0
Therefore gcd(12378, 3054) = 6.
Example Let a = 832 and b = 578. Using the Euclidean Algorithm with a ≥ b > 0 we get
832 = 1(578) + 254
578 = 2(254) + 70
254 = 3(70) + 44
70 = 1(44) + 26
44 = 1(26) + 18
26 = 1(18) + 8
18 = 2(8) + 2
8 = 4(2) + 0
Therefore gcd(832, 578) = 2.
Note The French mathematician Gabriel Lamé (1795-1870) proved that the number of steps required
in the Euclidean Algorithm is at most five times the number of digits in the smaller integer. In the
previous example the smaller integer has three digits, so the total number of divisions cannot be greater
than 15; in fact only eight divisions were needed.
Exercise Find the gcd(143, 227), gcd(306, 657) and gcd(272, 1479).
Theorem 3 Let a and b be integers, not both zero. Then there exist integers x, y such that
ax + by = gcd(a, b)
where gcd(a, b) is the greatest common divisor of a, b.
Remark Consider again how the Euclidean Algorithm works in a concrete case by calculating
gcd(12378, 3054). The appropriate applications of the Division Algorithm produce the equations
12378 = 4(3054) + 162
3054 = 18(162) + 138
162 = 1(138) + 24
138 = 5(24) + 18
24 = 1(18) + 6
18 = 3(6) + 0
We conclude that the last non-zero remainder appearing in these equations, namely, the integer 6,
is the greatest common divisor of 12378 and 3054, i.e.
6 = gcd(12378, 3054)
To represent 6 as a linear combination of the integers a = 12378 and b = 3054, we start with the
first of the displayed equations and successively isolate the remainders 162, 138, 24, 18 and 6:
a = 4b + 162, 162 = a − 4b
b = 18(a − 4b) + 138, 138 = 73b − 18a
a − 4b = 1(73b − 18a) + 24, 24 = 19a − 77b
73b − 18a = 5(19a − 77b) + 18, 18 = 458b − 113a
19a − 77b = 1(458b − 113a) + 6, 6 = 132a − 535b
Now
132a − 535b = gcd(12378, 3054)
Also
12378x + 3054y = gcd(12378, 3054)
where x = 132 and y = −535. This is a representation of the integer 6 as a linear combination of 12378 and 3054.
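The division steps and the back-substitution above, as an added Python example that is not part of the original notes: euclid_steps reproduces the displayed equations and extended_gcd carries the coefficients of a and b forward at each step instead of substituting backwards, checked against a = 12378, b = 3054.

```python
# Euclidean Algorithm with the Bezout coefficients x, y such that
# a*x + b*y = gcd(a, b).  Added example, not from the notes.


def euclid_steps(a, b):
    """Return the Division Algorithm steps (dividend, quotient, divisor, remainder)
    produced by the Euclidean Algorithm for a >= b > 0, in order."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps


def format_steps(a, b):
    """Render the steps in the layout used in the notes, e.g. '12378 = 4(3054) + 162'."""
    return [f"{dd} = {q}({dv}) + {r}" for dd, q, dv, r in euclid_steps(a, b)]


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.

    Every remainder r_k is kept as a combination x_k*a + y_k*b from the start:
    since r_k = r_{k-2} - q_k * r_{k-1}, the same recurrence applies to the
    coefficients, which is the back-substitution of the notes done forwards."""
    old_r, r = a, b
    old_x, x = 1, 0      # a = 1*a + 0*b
    old_y, y = 0, 1      # b = 0*a + 1*b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


if __name__ == "__main__":
    a, b = 12378, 3054
    for line in format_steps(a, b):
        print(line)
    g, x, y = extended_gcd(a, b)
    print(f"gcd({a}, {b}) = {g} = {a}*({x}) + {b}*({y})")   # 6 = 12378*(132) + 3054*(-535)
```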
Exercise Use the Euclidean Algorithm to obtain integers x and y satisfying the following.
i 24x + 138y = gcd(24, 138)
ii 119x + 272y = gcd(119, 272)
iii 1769x + 2378y = gcd(1769, 2378)
1.4 Primes
Definition A prime number is an integer p greater than one with the property that 1 and p are the
only positive integers that divide p.
P = {2, 3, 5, 7, 11, 13, 17, 19, ...}
Definition An integer greater than one that is not a prime number is said to be a composite number.
Theorem 4 (The Fundamental Theorem of Arithmetic) Every composite number greater than
one factors uniquely as a product of prime numbers.
The prime factorisation of each integer from 1 to 99 is shown in the following table (the row label
gives the tens digit and the column label the units digit; 0 and 1 have no factorisation):
        0         1       2         3       4         5         6         7       8         9
 0      -         -       2         3       2^2       5         2·3       7       2^3       3^2
10      2·5       11      2^2·3     13      2·7       3·5       2^4       17      2·3^2     19
20      2^2·5     3·7     2·11      23      2^3·3     5^2       2·13      3^3     2^2·7     29
30      2·3·5     31      2^5       3·11    2·17      5·7       2^2·3^2   37      2·19      3·13
40      2^3·5     41      2·3·7     43      2^2·11    3^2·5     2·23      47      2^4·3     7^2
50      2·5^2     3·17    2^2·13    53      2·3^3     5·11      2^3·7     3·19    2·29      59
60      2^2·3·5   61      2·31      3^2·7   2^6       5·13      2·3·11    67      2^2·17    3·23
70      2·5·7     71      2^3·3^2   73      2·37      3·5^2     2^2·19    7·11    2·3·13    79
80      2^4·5     3^4     2·41      83      2^2·3·7   5·17      2·43      3·29    2^3·11    89
90      2·3^2·5   7·13    2^2·23    3·31    2·47      5·19      2^5·3     97      2·7^2     3^2·11
Remark
1. This 'product of primes' representation is called canonical form. For example
720 = 2^4·3^2·5
To factorize a composite number into its prime factors, the method is simply to divide the given
integer by the smallest prime 2 until the integer is no longer divisible by 2. Then divide by
the next prime 3 until the integer is no longer divisible by 3, next divide by 5 until the integer is
no longer divisible by 5, and so on, dividing by larger and larger primes until we reach 1.
We can illustrate this method as follows:
720 = 2·360
= 2·2·180
= 2·2·2·90
= 2·2·2·2·45
= 2·2·2·2·3·15
= 2·2·2·2·3·3·5
Hence we have that 720 = 2^4·3^2·5.
Also, for example:
1000 = 2·500
= 2·2·250
= 2·2·2·125
= 2·2·2·5·25
= 2·2·2·5·5·5
Hence we have that 1000 = 2^3·5^3.
Having used successive division to factorize a known composite integer into its unique prime
factors, we find that this method is adequate for composite numbers of reasonable size but is
not an efficient method in terms of computer time. We now consider a further method of prime
factorization, a method known as Pollard rho-factorization.
2. We can use this method in a simple way to investigate if an integer is prime. So, for example,
we can pose the question: is 363 a prime number? No, since it is divisible by 3. In general, to
test whether an integer n is prime we see if 2 is a factor, then 3, then 5, and so on with
each prime in turn. We stop at the largest prime less than or equal to √n. If an integer n is not
divisible by any prime less than or equal to √n, then n is prime.
Exercise Is 163 a prime number?
√163 ≈ 12
Now 163 is not divisible by 2, 3, 5, 7, 11. Hence 163 is prime.
Exercise Is 473 a prime number?
√473 ≈ 21
Now 473 is not divisible by 2, 3, 5, 7; however, it is divisible by 11. Hence 473 is not prime.
This method for testing for primes is not efficient for larger integers.
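Both procedures of the Remark, successive division into canonical form and the trial-division primality test up to √n, as an added Python example that is not part of the original notes; the names prime_factors, canonical_form and is_prime are this example's own.

```python
# Canonical form by successive division, and primality testing by trial
# division with the primes up to sqrt(n).  Added example, not from the notes.

from math import isqrt


def prime_factors(n):
    """Return the canonical form of n > 1 as a list of (prime, exponent) pairs.

    Divide by 2 until it no longer divides, then by 3, 5, 7, ...; a composite
    trial divisor can never divide because its prime factors were removed
    first, so stepping through the odd numbers is equivalent to stepping
    through the primes."""
    if n < 2:
        raise ValueError("canonical form is defined for integers greater than one")
    factors = []
    d = 2
    while d * d <= n:            # a cofactor > 1 with no divisor <= sqrt(n) is itself prime
        count = 0
        while n % d == 0:
            n //= d
            count += 1
        if count:
            factors.append((d, count))
        d = 3 if d == 2 else d + 2
    if n > 1:
        factors.append((n, 1))
    return factors


def canonical_form(n):
    """Render the factorisation in the notation of the notes, e.g. '2^4·3^2·5'."""
    return "·".join(f"{p}^{e}" if e > 1 else str(p) for p, e in prime_factors(n))


def primes_up_to(limit):
    """Primes <= limit by the sieve of Eratosthenes (helper for is_prime)."""
    sieve = [True] * (limit + 1)
    primes = []
    for p in range(2, limit + 1):
        if sieve[p]:
            primes.append(p)
            for multiple in range(p * p, limit + 1, p):
                sieve[multiple] = False
    return primes


def is_prime(n):
    """Trial division by each prime <= sqrt(n), as in the notes.

    Returns (verdict, witness): witness is the smallest prime divisor found,
    or None when n is prime (or when n < 2, which is neither)."""
    if n < 2:
        return False, None
    for p in primes_up_to(isqrt(n)):   # isqrt(n) is the largest integer <= sqrt(n)
        if n % p == 0:
            return False, p
    return True, None


if __name__ == "__main__":
    for n in (720, 1000):
        print(f"{n} = {canonical_form(n)}")
    for n in (163, 363, 473):
        verdict, witness = is_prime(n)
        print(n, "is prime" if verdict else f"is divisible by {witness}")
```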
Exercise Represent each of the following integers in canonical form
100, 222, 8000, 9555, 9999
Exercise Which of the following integers are prime?
197, 251, 599, 661
Remark The mathematician Pierre de Fermat (1601–1665) is more recently known for his famous
'last' theorem, which is based on a simple statement relating to a property of right-angled triangles. In
a right-angled triangle, the sum of the squares of the lengths of the sides containing the right angle is
equal to the square of the hypotenuse; i.e. a^2 + b^2 = c^2.
[Figure: right-angled triangle with vertices A, B, C, angle α, sides a and b, and hypotenuse c]
This statement is known as Pythagoras' Theorem. Three positive integers a, b and c such that
a^2 + b^2 = c^2 are called Pythagorean triples. For example (3, 4, 5), (5, 12, 13), (6, 8, 10), (8, 15, 17),
(9, 12, 15) are all solutions of the equation
a^2 + b^2 = c^2
In the early 1600s, Fermat, a French lawyer and mathematician, posed the following question: if
the power of 2 in the above equation were replaced by 3, could three non-zero integers
a, b and c be found that satisfy the equation a^3 + b^3 = c^3? The same question could be asked if the power was
increased to 4, then to 5, and so on for any positive integer n.
a^3 + b^3 = c^3
a^4 + b^4 = c^4
...
a^n + b^n ≠ c^n
Fermat stated that no matter how hard you try you will never find integer solutions to these
equations. This famous statement became known as Fermat's 'Last' Theorem, which was not proved
until 1994 by the British-American mathematician Andrew Wiles. Wiles devoted seven years of his life
to proving the famous theorem, which may have generated more attempts at proofs than any other
theorem.
Pierre de Fermat (1601–1665)
Fermat's 'Last' Theorem states that a^n + b^n = c^n has no non-zero integer solutions for a, b and c
when n > 2. Fermat stated his theorem in 1637 when he wrote that "I have a truly marvellous proof of
this proposition which this margin is too narrow to contain". Today, however, we believe that Fermat
had no such proof.
1.5 Congruences
With the notion of divisibility in place we can now give the definition of a congruence. Congruences
were first introduced by the German mathematician Carl Friedrich Gauss (1777-1855). Congruences
play a central role in the modern application of cryptography.
Definition Let a, b, n ∈ Z, n > 0. We say that "a is congruent to b modulo n" and we write
a ≡ b (mod n)
if and only if n | a − b.
Furthermore, using the definition of divisibility we can write
a ≡ b (mod n) ⇔ n | a − b
⇔ a − b = t·n, t ∈ Z
⇔ a = b + t·n.
Finally, when dealing with congruences modulo a fixed number n it becomes clear that we are
working not with arbitrary numbers but with certain sets of numbers, called congruence classes.
Definition Let a, n ∈ Z, n > 0. Any integer a is congruent modulo n to one and only one element of the set
{0, 1, 2, 3, 4, ..., n − 1},
namely its remainder on division by n. The set of all integers congruent to a modulo n,
{b : a ≡ b (mod n)},
is called the congruence class of a modulo n; the set of least positive remainders itself is denoted
Z_n = {0, 1, 2, ..., n − 1}.
Remark Gauss introduced the concept of a congruence using the symbol ≡ because of the similarity
between the algebra of congruences and ordinary algebra.
Theorem 5 Let a, b, c, n ∈ Z with n > 1. Then the following results hold:
i a ≡ a (mod n);
ii if a ≡ b (mod n), then b ≡ a (mod n);
iii if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n).
The relation of congruence modulo n is thus reflexive, symmetric and transitive, and is therefore an
equivalence relation on the set Z of integers.
Congruence may be viewed as a generalized form of equality, in the sense that its behaviour with
respect to addition and multiplication is similar to that of ordinary equality (=). Some of the basic
properties of equality that carry over to congruences appear in the following theorem.
Theorem 6 Let a, b, c, d, n ∈ Z with n > 1. Then the following results hold:
i If a ≡ b (mod n), then a ± c ≡ b ± c (mod n).
ii If a ≡ b (mod n) and c ≡ d (mod n),
then a ± c ≡ b ± d (mod n) and ac ≡ bd (mod n).
iii If a ≡ b (mod n), then a^k ≡ b^k (mod n) for any positive integer k.
One final theorem at this stage will allow us to divide both sides of a congruence by an integer;
however, we must do so with care!
Theorem 7 If ac ≡ bc (mod n) and d = gcd(c, n), then
a ≡ b (mod n/d)
Now that we have an algebra of congruences built up we can consider many applications involving
congruences. We can begin by considering certain types of calculations.
Example To show that 3^333 − 147 is divisible by 444 we could proceed as follows:
3 ≡ 3 (mod 444)
3^3 ≡ 27 (mod 444)
3^9 ≡ 27^3 (mod 444) ≡ 19,683 (mod 444) ≡ 147 (mod 444)
3^27 ≡ 147^3 (mod 444) ≡ 3,176,523 (mod 444) ≡ 147 (mod 444)
3^81 ≡ 147^3 (mod 444) ≡ 147 (mod 444)
3^243 ≡ 147^3 (mod 444) ≡ 147 (mod 444)
Now
3^333 = 3^243 · 3^81 · 3^9
Hence
3^333 ≡ 147 · 147 · 147 (mod 444)
≡ 147^3 (mod 444)
≡ 147 (mod 444)
Finally
3^333 − 147 ≡ 0 (mod 444)
i.e., 3^333 − 147 is divisible by 444.
Example To show that 6^321 − 6 is divisible by 123 we could proceed as follows:
6 ≡ 6 (mod 123)
6^3 ≡ 216 (mod 123) ≡ 93 (mod 123)
6^6 ≡ 93^2 (mod 123) ≡ 8,649 (mod 123) ≡ 39 (mod 123)
6^12 ≡ 39^2 (mod 123) ≡ 1,521 (mod 123) ≡ 45 (mod 123)
6^24 ≡ 45^2 (mod 123) ≡ 2,025 (mod 123) ≡ 57 (mod 123)
6^48 ≡ 57^2 (mod 123) ≡ 3,249 (mod 123) ≡ 51 (mod 123)
6^96 ≡ 51^2 (mod 123) ≡ 2,601 (mod 123) ≡ 18 (mod 123)
Now
6^321 = 6^96 · 6^96 · 6^96 · 6^24 · 6^6 · 6^3.
Hence
6^321 ≡ 18 · 18 · 18 · 57 · 39 · 93 (mod 123)
≡ (5,832) · (206,739) (mod 123)
≡ (51) · (99) (mod 123)
≡ 6 (mod 123)
Finally
6^321 − 6 ≡ 0 (mod 123)
i.e., 6^321 − 6 is divisible by 123.
Exercise Find the remainder when 41^65 is divided by 7.
Exercise Show that the integer 2^644 − 1 is divisible by 645, i.e.,
2^644 − 1 ≡ 0 (mod 645)
Exercise Show that the integer 53^103 + 103^53 is divisible by 39, i.e.,
53^103 + 103^53 ≡ 0 (mod 39)
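The two worked examples reduce a large power step by step, never forming the full power; repeated squaring modulo n is the general form of that idea, shown here as an added Python example that is not part of the original notes. square_chain reproduces the column 6^3, 6^6, 6^12, ... of the second example, and pow_mod combines the entries selected by the binary digits of the exponent.

```python
# Modular exponentiation by repeated squaring, the general method behind the
# worked examples 3^333 mod 444 and 6^321 mod 123.  Added example, not from
# the notes.


def square_chain(base, exponent, n):
    """Return [base, base^2, base^4, base^8, ...] reduced modulo n, one entry
    per binary digit of exponent.  Each entry is the square of the previous
    one reduced modulo n, exactly as the notes tabulate 6^3, 6^6, 6^12, ..."""
    chain = []
    value = base % n
    e = exponent
    while e > 0:
        chain.append(value)
        value = (value * value) % n
        e >>= 1
    return chain


def pow_mod(base, exponent, n):
    """Compute base^exponent mod n without ever forming base^exponent.

    Write exponent in binary; the product of the chain entries at the 1 bits
    is base^exponent, and reducing after every multiplication (Theorem 6 ii)
    keeps every intermediate value below n^2."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    if exponent < 0:
        raise ValueError("negative exponents need a modular inverse; not handled here")
    result = 1 % n
    value = base % n
    e = exponent
    while e > 0:
        if e & 1:
            result = (result * value) % n
        value = (value * value) % n
        e >>= 1
    return result


def divisible(base, exponent, c, n):
    """True when n | base^exponent - c, i.e. base^exponent - c ≡ 0 (mod n)."""
    return (pow_mod(base, exponent, n) - c) % n == 0


if __name__ == "__main__":
    print("3^333 mod 444 =", pow_mod(3, 333, 444))              # 147, as in the notes
    print("6^321 mod 123 =", pow_mod(6, 321, 123))              # 6, as in the notes
    print("chain for (6^3)^107:", square_chain(6 ** 3, 107, 123))  # 93, 39, 45, 57, 51, 18, ...
    print("444 | 3^333 - 147:", divisible(3, 333, 147, 444))
```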
1.6 Linear Congruences
We consider linear congruences and their solution because of the importance they hold in cryptography.
Definition An equation of the form
ax ≡ b (mod n)
is called a linear congruence, and a solution of such an equation is an integer x_0 such that ax_0 ≡ b (mod n).
Note If x_0 is a solution of ax ≡ b (mod n) and if x_1 ≡ x_0 (mod n) then ax_1 ≡ ax_0 ≡ b (mod n), so x_1 is
also a solution. Hence, if one member of a congruence class modulo n is a solution, then all members
of this class are solutions.
The following theorem will allow us to decide if a linear congruence has a solution and furthermore tell
how many congruence classes modulo n provide solutions.
Theorem 8 The linear congruence ax ≡ b (mod n) has a solution if and only if gcd(a, n) | b. If
d = gcd(a, n) and d | b, then it has d distinct congruence classes modulo n as solutions.
We can easily solve linear congruences using the algebra of congruences as follows:
4x − 3 ≡ 13 (mod 7)
4x ≡ 16 (mod 7)
∴ x ≡ 4 (mod 7)
(cancelling the factor 4 on both sides, which Theorem 7 permits since gcd(4, 7) = 1).
Hence the congruence class 4 modulo 7 provides solutions to the linear congruence
4x − 3 ≡ 13 (mod 7)
Alternatively, we could define the inverse of an integer modulo n and use an inverse to solve a linear
congruence.
Definition Given any integer a with gcd(a, n) = 1, a solution of
ax ≡ 1 (mod n)
is called an inverse of a modulo n.
Remark Let a^{-1} be the inverse of a modulo n, i.e., aa^{-1} ≡ 1 (mod n). To solve
ax ≡ b (mod n)
we multiply both sides by a^{-1}:
a^{-1}ax ≡ a^{-1}b (mod n)
x ≡ a^{-1}b (mod n)
Exercise Solve each of the following linear congruences. If a solution does not exist, explain why not.
i 4x − 11 ≡ 7 (mod 3)
ii 9x + 21 ≡ 41 (mod 7)
iii 7x − 13 ≡ 9 (mod 4)
iv 3x − 7 ≡ 4 (mod 3)
Furthermore, solve each of the above again using the appropriate inverse.
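Theorem 8 and the inverse method of the Remark, as an added Python example that is not part of the original notes: solve_linear_congruence returns all d solution classes (or none when gcd(a, n) does not divide b), and solve_with_inverse is the a^{-1}b route for the coprime case. The cases with d > 1 are constructed for illustration.

```python
# Solving a*x ≡ b (mod n): all d = gcd(a, n) solution classes by Theorem 8,
# and the single class a^(-1)*b when gcd(a, n) = 1.  Added example, not
# from the notes.

from math import gcd


def mod_inverse(a, n):
    """Inverse of a modulo n, or None when gcd(a, n) != 1 (no inverse exists)."""
    if n < 1 or gcd(a, n) != 1:
        return None
    return pow(a, -1, n)        # Python 3.8+ computes the modular inverse directly


def solve_linear_congruence(a, b, n):
    """Return the sorted list of solutions of a*x ≡ b (mod n) in {0, ..., n-1}.

    With d = gcd(a, n) there are solutions iff d | b (Theorem 8).  Dividing
    through by d (Theorem 7) gives (a/d)*x ≡ (b/d) (mod n/d) with
    gcd(a/d, n/d) = 1, whose single class is x0 = (a/d)^(-1) * (b/d) mod n/d;
    the d classes modulo n are then x0, x0 + n/d, x0 + 2n/d, ..."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d != 0:
        return []                                   # no solution at all
    a_, b_, n_ = a // d, b // d, n // d
    x0 = (mod_inverse(a_, n_) * b_) % n_ if n_ > 1 else 0
    return [x0 + k * n_ for k in range(d)]


def solve_with_inverse(a, b, n):
    """The Remark's method x ≡ a^(-1) b (mod n); only valid when gcd(a, n) = 1."""
    inv = mod_inverse(a, n)
    if inv is None:
        raise ValueError(f"{a} has no inverse modulo {n}; use solve_linear_congruence")
    return (inv * b) % n


if __name__ == "__main__":
    # 4x - 3 ≡ 13 (mod 7), i.e. 4x ≡ 16 (mod 7): the worked case in the notes
    print("4x ≡ 16 (mod 7):", solve_linear_congruence(4, 16, 7))     # [4]
    print("via the inverse of 4:", solve_with_inverse(4, 16, 7))      # 4
    # constructed cases with d = gcd(a, n) = 2
    print("6x ≡ 4 (mod 8):", solve_linear_congruence(6, 4, 8))       # [2, 6]: two classes
    print("6x ≡ 3 (mod 8):", solve_linear_congruence(6, 3, 8))       # []: 2 does not divide 3
```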
1.7 Systems of Linear Congruences
We now consider systems of linear congruences and their solution. The systems considered will have
the same number of equations as unknowns and a single common modulus. In the study of cryptographic systems we will
need to become efficient in solving such systems. In fact systems of n linear congruences in n unknowns
will arise in certain cryptographic studies. We will have to recall some of the elementary properties of
matrices, with special attention to the procedure for finding the inverse of a square matrix.
We begin with the following definition:
Definition Let A and B be m × p matrices with entries a_{ij} and b_{ij} respectively. We say A is congruent
to B modulo n if
a_{ij} ≡ b_{ij} (mod n)
for all pairs (i, j) with 1 ≤ i ≤ m and 1 ≤ j ≤ p. We write
A ≡ B (mod n)
if A is congruent to B modulo n.
Theorem 9 If A and B are m × p matrices with
A ≡ B (mod n)
and C is a p × q matrix and D is a q × m matrix, all with integer entries, then
AC ≡ BC (mod n)
DA ≡ DB (mod n)
In general the following system of linear congruences
a_{11}x_1 + a_{12}x_2 + ... + a_{1n}x_n ≡ b_1 (mod n)
a_{21}x_1 + a_{22}x_2 + ... + a_{2n}x_n ≡ b_2 (mod n)
...
a_{m1}x_1 + a_{m2}x_2 + ... + a_{mn}x_n ≡ b_m (mod n)
may be represented in matrix form as
Ax ≡ B (mod n)
where
    [ a_{11}  a_{12}  ...  a_{1n} ]        [ x_1 ]        [ b_1 ]
A = [ a_{21}  a_{22}  ...  a_{2n} ],   x = [ x_2 ],   B = [ b_2 ]
    [  ...     ...          ...   ]        [ ... ]        [ ... ]
    [ a_{m1}  a_{m2}  ...  a_{mn} ]        [ x_n ]        [ b_m ]
Remark We now develop a method for solving a system of linear congruences that is represented in
matrix form. We already have an intuitive idea of how this is done. The method is based on finding the
inverse of the matrix A. We have already defined the inverse of an integer a modulo n; we now define
the inverse of the matrix A modulo n.
Definition If A and A^{-1} are m × m matrices (i.e., square matrices) and if
AA^{-1} ≡ A^{-1}A ≡ I (mod n)
where I is the identity matrix, then A^{-1} is said to be the inverse of A modulo n.
Theorem 10 Let
A = [ a  b ]
    [ c  d ]  (mod n)
with Δ = ad − bc. If gcd(Δ, n) = 1, then
A^{-1} = Δ^{-1} [  d  −b ]
                [ −c   a ]  (mod n)
where Δ^{-1} is the inverse of Δ modulo n, i.e. Δ·Δ^{-1} ≡ 1 (mod n).
Note To verify that the matrix A^{-1} is an inverse of A modulo n, we need only verify that
AA^{-1} ≡ A^{-1}A ≡ I (mod n)
where I is the identity matrix. Now that we can find the inverse A^{-1} we can solve the linear system
Ax ≡ B (mod n)
by using Theorem 10 as follows:
A^{-1}Ax ≡ A^{-1}B (mod n)
⇒ Ix ≡ A^{-1}B (mod n)
∴ x ≡ A^{-1}B (mod n)
Exercise Using matrices, solve the following system of linear congruences
3x + 4y ≡ 5 (mod 13)
2x + 5y ≡ 7 (mod 13)
1.8 Basic Cryptography
With the increasing quantity of digital information being stored and communicated via telephone
lines, microwaves or satellites, organizations in both the public and commercial sectors need to protect
this information when it is being transmitted. Cryptography is the science of making communications
unintelligible to all except authorized parties. In the language of cryptography, where codes are called
ciphers, the information to be concealed is called plaintext. After transformation to a secret form, a
message is called ciphertext. The process of converting from plaintext to ciphertext is called encryption,
while the reverse process of changing from ciphertext back to plaintext is called decryption. Let
A = {A, B, C, D, ...}
be the alphabet. The encryption function f is given as
f : A → A, f(a_1 a_2 ... a_n) = f(a_1) f(a_2) ... f(a_n)
i.e., a message is enciphered one letter at a time. The encryption function f is a one-to-one function of A onto itself.
To encrypt a word we encrypt one letter at a time, where
A = 0, B = 1, C = 2, D = 3, E = 4, ..., Y = 24, Z = 25
1.8.1 Caesar Ciphers
Figure 2: Roman Emperor Julius Caesar (100-44 BC)
One of the earliest examples of basic cryptography was used by the Roman Emperor Julius Caesar
around 50 BC. It is known as the Caesar cipher. To produce ciphertext a Caesar cipher simply shifts
the alphabet a fixed number of positions. The plaintext is recovered by shifting the alphabet back
this same number of positions. In general the Caesar cipher may be described as
C ≡ (P + k) (mod 26)
If we have ciphertext which was encrypted using a Caesar cipher, how do we decode it? We could
proceed as follows:
C ≡ (P + k) (mod 26)
⇒ P + k ≡ C (mod 26)
∴ P ≡ (C − k) (mod 26)
Exercise If a Caesar cipher produces
V GUV AX V XABJ GURFR JBBQF
What is the plaintext message?
Exercise If a Caesar cipher produces
PBZOBQ FKCLOJXQFLK
What is the plaintext message?
1.8.2 Linear Ciphers
More generally, we consider a transformation of the type
C ≡ (aP + b) (mod 26)
where a and b are integers with gcd(a, 26) = 1. If we have ciphertext which was encrypted using
this transformation, how do we decode it?
C ≡ (aP + b) (mod 26)
⇒ aP + b ≡ C (mod 26)
∴ aP ≡ (C − b) (mod 26)
Now multiplying both sides by a^{-1}, the inverse of a modulo 26, which exists since gcd(a, 26) = 1,
we get the following
P ≡ a^{-1}(C − b) (mod 26)
Exercise Encipher the message THE RIGHT CHOICE using the linear cipher
C ≡ (15P + 14) (mod 26)
Exercise Decipher the message YLFQX PCRIT which was enciphered using the linear cipher
C ≡ (21P + 5) (mod 26)
Exercise Decipher the message TYNTOOTUM VXGL which was enciphered using the linear cipher
C ≡ (3P + 7) (mod 26)
Remark We can perform some cryptanalysis of a linear cipher based on a technique called the
frequency of letters method. Assuming that the ciphertext was produced using a linear cipher of the form
C ≡ (aP + b) (mod 26)
we use the frequency of letters method to determine the values of a and b. This is done by
noting that the letter E occurs most frequently in standard English text, followed by the letter
T; this is a well-established fact. To perform cryptanalysis based on this method we must determine,
from a suitably long ciphertext message, the most frequently occurring letter in the ciphertext followed by the next
most frequently occurring letter. From this information we can determine a and b and as a consequence
recover the plaintext.
Example Say, for example, the following message has been intercepted during transmission:
USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK
QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU
FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU.
Assuming that this ciphertext was produced using a linear cipher of the form
C ≡ (aP + b) (mod 26)
we use the frequency of letters method to determine the values of a and b. Again, this is done
by noting that the letter E occurs most frequently in standard English text and this is followed by the
letter T. On inspecting the ciphertext above, the most frequently occurring letter is L, followed by the
letter U. We now have the following correspondence:
E (4) ←→ L (11)
T (19) ←→ U (20)
Now if
C ≡ (aP + b) (mod 26)
∴ aP + b ≡ C (mod 26)
hence we have the following pair of linear congruences
4a + b ≡ 11 (mod 26)
19a + b ≡ 20 (mod 26)
Subtracting the first congruence from the second gives 15a ≡ 9 (mod 26), and multiplying by 7, the
inverse of 15 modulo 26, gives a ≡ 63 ≡ 11 (mod 26); substituting back, b ≡ 11 − 44 ≡ 19 (mod 26). Solving therefore yields
a ≡ 11 (mod 26)
b ≡ 19 (mod 26)
Letting a = 11 and b = 19, the cipher that produced the ciphertext is
C ≡ (11P + 19) (mod 26)
∴ (11P + 19) ≡ C (mod 26)
11P ≡ (C − 19) (mod 26)
Now multiplying both sides by 19, the inverse of 11 modulo 26, i.e. 11(19) ≡ 1 (mod 26), we get
P ≡ 19(C − 19) (mod 26)
This congruence should recover the actual message. The intercepted message reads
THE BEST APPROACH TO LEARNING NUMBER THEORY IS TO ATTEMPT TO
SOLVE EVERY HOMEWORK PROBLEM. BY WORKING ON THESE EXERCISES A
STUDENT CAN MASTER THE IDEAS OF THE SUBJECT.
This technique will work successfully if we ensure that the intercepted message is long enough to
allow the most frequently occurring letters to be found correctly.
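The linear cipher of 1.8.2 (with the Caesar cipher of 1.8.1 as the case a = 1) and the frequency of letters method of this example, as an added Python example that is not part of the original notes. recover_key solves the pair of congruences exactly as above; the ciphertext it is run on is the intercepted message quoted in the notes, and the E/T assumption is the one the notes make.

```python
# Linear (affine) cipher C ≡ aP + b (mod 26), Caesar cipher as the case a = 1,
# and key recovery by the frequency of letters method.  Added example, not
# from the notes; INTERCEPTED is the ciphertext quoted in the notes.

from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text):
    """Keep only the 26 cipher letters, upper-cased; spaces and punctuation are dropped."""
    return [ch for ch in text.upper() if ch in ALPHABET]


def encipher(plaintext, a, b):
    """C ≡ aP + b (mod 26) letter by letter.  Requires gcd(a, 26) = 1."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26 or the cipher cannot be undone")
    return "".join(ALPHABET[(a * ALPHABET.index(p) + b) % 26] for p in _letters(plaintext))


def decipher(ciphertext, a, b):
    """P ≡ a^(-1)(C - b) (mod 26), with a^(-1) the inverse of a modulo 26."""
    a_inv = pow(a, -1, 26)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % 26] for c in _letters(ciphertext))


def recover_key(ciphertext, plain_pair="ET"):
    """Frequency of letters method for the linear cipher.

    Match the two most frequent ciphertext letters c1, c2 to the two most
    frequent letters of English p1, p2 (E then T) and solve
        p1*a + b ≡ c1,  p2*a + b ≡ c2  (mod 26)
    by subtraction: (p1 - p2)*a ≡ c1 - c2 (mod 26).  Returns (a, b), or None
    when the pairing does not give a usable key (too little ciphertext, or the
    E/T assumption does not hold for this message)."""
    counts = Counter(_letters(ciphertext)).most_common(2)
    if len(counts) < 2:
        return None
    (c1, _), (c2, _) = counts
    p1, p2 = (ALPHABET.index(ch) for ch in plain_pair)
    c1, c2 = ALPHABET.index(c1), ALPHABET.index(c2)
    diff_p = (p1 - p2) % 26
    if gcd(diff_p, 26) != 1:
        return None                      # p1 - p2 has no inverse, so a is not determined
    a = (pow(diff_p, -1, 26) * (c1 - c2)) % 26
    if gcd(a, 26) != 1:
        return None                      # not a valid key, so the frequency guess was wrong
    b = (c1 - a * p1) % 26
    return a, b


INTERCEPTED = (
    "USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK "
    "QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU "
    "FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU."
)

if __name__ == "__main__":
    print(encipher("THE RIGHT CHOICE", 1, 3))      # Caesar shift of 3
    key = recover_key(INTERCEPTED)
    print("recovered (a, b):", key)                # (11, 19), as in the notes
    print(decipher(INTERCEPTED, *key))
```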
Exercise A linear cipher is defined by the congruence
C ≡ (aP + b) (mod 26)
where a and b are integers with gcd(a, 26) = 1. A message segment CPUWMPR RWGMI was
enciphered using a linear cipher. It is part of a much longer message which has M as its most frequently
occurring letter followed by R. Decipher the above message segment using the frequency of letters method
where the most frequently occurring letters in typical English text are E followed by T.
1.8.3 Block Ciphers
In order to improve the security of our cryptosystem we introduce a block cipher. Although it will
suffer from the same disadvantage as a linear cipher, in that there is a requirement to transmit the secret
key in order to complete the process of decryption, it will however represent an improvement from the
point of view of resistance to decryption following attack. As block ciphers will involve the use of matrices
we make the following definitions:
Definition Let A and B be m × p matrices with entries a_{ij} and b_{ij} respectively. We say A is congruent
to B modulo n if
a_{ij} ≡ b_{ij} (mod n)
for all pairs (i, j) with 1 ≤ i ≤ m and 1 ≤ j ≤ p. We write
A ≡ B (mod n)
if A is congruent to B modulo n.
Theorem 11 If A and B are m × p matrices with
A ≡ B (mod n)
and C is a p × q matrix and D is a q × m matrix, all with integer entries, then
AC ≡ BC (mod n)
DA ≡ DB (mod n)
Definition If A and A^{-1} are m × m matrices (i.e., square matrices) and if
AA^{-1} ≡ A^{-1}A ≡ I (mod n)
where I is the identity matrix, then A^{-1} is said to be the inverse of A modulo n.
Theorem 12 Let
A = [ a  b ]
    [ c  d ]  (mod n)
with Δ = ad − bc. If gcd(Δ, n) = 1, then
A^{-1} = Δ^{-1} [  d  −b ]
                [ −c   a ]  (mod n)
where Δ^{-1} is the inverse of Δ modulo n, i.e. Δ·Δ^{-1} ≡ 1 (mod n).
Note To verify that the matrix A^{-1} is an inverse of A modulo n, we need only verify that
AA^{-1} ≡ A^{-1}A ≡ I (mod n)
where I is the identity matrix.
Exercise Determine the inverse of each of the following matrices
A = [ 7  2 ]
    [ 4  9 ]  (mod 7)
A = [ 2  −1 ]
    [ 3   3 ]  (mod 11)
In general a Hill or block cipher system may be obtained by splitting plaintext into blocks of n letters,
translating the letters into their numerical equivalents, and forming ciphertext using the relationship
C ≡ AP (mod 26)
where A is an n × n encryption matrix with gcd(Δ, 26) = 1. Also
    [ C_1 ]            [ P_1 ]
C = [ C_2 ]   and  P = [ P_2 ]
    [ ... ]            [ ... ]
    [ C_n ]            [ P_n ]
where C_1, C_2, ..., C_n is the ciphertext block that corresponds to the plaintext block P_1, P_2, ..., P_n.
If we have ciphertext which was encrypted using this transformation, how do we decode it?
Now
C ≡ AP (mod 26)
AP ≡ C (mod 26)
Now multiplying both sides by A^{-1}, the inverse of the matrix A modulo 26, which exists since
gcd(Δ, 26) = 1, we get the following
A^{-1}AP ≡ A^{-1}C (mod 26)
P ≡ A^{-1}C (mod 26)
[Diagram: plaintext P is mapped to ciphertext C by C ≡ AP (mod 26) and recovered by
P ≡ A^{-1}C (mod 26), where A is an n × n matrix with gcd(Δ, 26) = 1.]
Note The simplest example of a block cipher involves dividing the message into blocks of two. We need
a 2 × 2 encryption matrix A with gcd(Δ, 26) = 1. For each block of two let the numerical equivalents
be P_1, P_2 respectively. Then using the congruence C ≡ AP (mod 26) we can convert each block of two
to its ciphertext equivalent, i.e.,
[ P_1 ]       [ C_1 ]
[ P_2 ]  −→   [ C_2 ]
Example The message
WJ VY UA TG GA
was enciphered using the encryption matrix
A = [ 4  11 ]
    [ 3   8 ]  (mod 26)
with C ≡ AP (mod 26). To decipher the message note that
P ≡ A^{-1}C (mod 26)
We require A^{-1}, the inverse of A modulo 26. Now
A^{-1} = Δ^{-1} [  8  −11 ]
                [ −3    4 ]  (mod 26)
where Δ^{-1} is the inverse of Δ modulo 26. Now Δ = 4·8 − 11·3 = −1, hence Δ^{-1} = −1 since
(−1)·(−1) ≡ 1 (mod 26). Now
A^{-1} = −1 [  8  −11 ]  =  [ −8   11 ]
            [ −3    4 ]     [  3   −4 ]  (mod 26)
Finally, to decipher the message we proceed as follows, writing [p; q] for the column vector with
entries p and q, and [−8 11; 3 −4] for the matrix A^{-1}:
WJ −→ P ≡ [−8 11; 3 −4] [22; 9] ≡ [−77; 30] (mod 26) ≡ [1; 4] −→ BE
VY −→ P ≡ [−8 11; 3 −4] [21; 24] ≡ [96; −33] (mod 26) ≡ [18; 19] −→ ST
UA −→ P ≡ [−8 11; 3 −4] [20; 0] ≡ [−160; 60] (mod 26) ≡ [22; 8] −→ WI
TG −→ P ≡ [−8 11; 3 −4] [19; 6] ≡ [−86; 33] (mod 26) ≡ [18; 7] −→ SH
GA −→ P ≡ [−8 11; 3 −4] [6; 0] ≡ [−48; 18] (mod 26) ≡ [4; 18] −→ ES
Hence the message reads BEST WISHES.
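The 2 × 2 inverse of Theorems 10 and 12, used both to solve a system Ax ≡ B (mod n) as in 1.7 and to encipher and decipher the block cipher of this example, as one added Python example that is not part of the original notes. The padding of an odd-length message with X and the system solved at the end are constructed for illustration; the matrix and message are the ones from the example above.

```python
# 2x2 matrix inverse modulo n (Theorem 12), applied to a linear system of
# congruences and to the Hill/block cipher C ≡ AP (mod 26).  Added example,
# not from the notes.

from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def inverse_2x2(A, n):
    """A^(-1) = Δ^(-1) [[d, -b], [-c, a]] (mod n) with Δ = ad - bc.

    Returns None when gcd(Δ, n) != 1, since Δ then has no inverse modulo n."""
    (a, b), (c, d) = A
    det = (a * d - b * c) % n
    if gcd(det, n) != 1:
        return None
    det_inv = pow(det, -1, n)
    return [[(det_inv * d) % n, (det_inv * -b) % n],
            [(det_inv * -c) % n, (det_inv * a) % n]]


def mat_vec(A, v, n):
    """Product of a 2x2 matrix and a column vector [v0; v1], reduced modulo n."""
    return [(A[0][0] * v[0] + A[0][1] * v[1]) % n,
            (A[1][0] * v[0] + A[1][1] * v[1]) % n]


def solve_system(A, B, n):
    """Solve A x ≡ B (mod n) for 2x2 A by x ≡ A^(-1) B (mod n); None if no inverse."""
    A_inv = inverse_2x2(A, n)
    return None if A_inv is None else mat_vec(A_inv, B, n)


def _blocks(text):
    """Numerical equivalents A=0..Z=25 in blocks of two (constructed rule: pad with X)."""
    letters = [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]
    if len(letters) % 2:
        letters.append(ALPHABET.index("X"))
    return [letters[i:i + 2] for i in range(0, len(letters), 2)]


def hill_encipher(plaintext, A):
    """C ≡ AP (mod 26) on each block of two letters; A must be invertible mod 26."""
    if inverse_2x2(A, 26) is None:
        raise ValueError("gcd(Δ, 26) must be 1 or the cipher cannot be undone")
    return "".join(ALPHABET[x] for blk in _blocks(plaintext) for x in mat_vec(A, blk, 26))


def hill_decipher(ciphertext, A):
    """P ≡ A^(-1) C (mod 26) on each block of two letters."""
    A_inv = inverse_2x2(A, 26)
    if A_inv is None:
        raise ValueError("matrix is not invertible modulo 26")
    return "".join(ALPHABET[x] for blk in _blocks(ciphertext) for x in mat_vec(A_inv, blk, 26))


if __name__ == "__main__":
    A = [[4, 11], [3, 8]]                            # encryption matrix from the notes
    print(inverse_2x2(A, 26))                        # [[18, 11], [3, 22]] ≡ [[-8, 11], [3, -4]]
    print(hill_decipher("WJ VY UA TG GA", A))        # BESTWISHES
    print(hill_encipher("BEST WISHES", A))           # WJVYUATGGA
    print(solve_system([[2, 1], [1, 3]], [4, 7], 11))  # constructed system: [1, 2]
```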
1.9 Some Examples
Exercise Using the encryption matrix
A = [ 3  10 ]
    [ 9   7 ]
encrypt the message
BEWARE THE MESSANGER
by dividing the message into blocks of two and using the congruence C ≡ AP (mod 26).
Exercise Decipher the message
GZ SC XN VC DJ ZX EO VC IR DV IQ
which was enciphered using the encryption matrix
A = [ 5  17 ]
    [ 4  15 ]
and the congruence C ≡ AP (mod 26).
Exercise Decipher the message
QU FU OS FC RK
which was enciphered using the encryption matrix
A = [ 3  3 ]
    [ 3  4 ]
and the congruence C ≡ AP (mod 26).
Exercise Decipher the message
HL TP JI LM GZ LF UQ HK
which was enciphered using the encryption matrix
A = [ 5  17 ]
    [ 4  15 ]  (mod 26)
and the congruence C ≡ AP (mod 26).
Contents
1 Elementary Number Theory 1
1.1 Introduction 1
1.2 Greatest Common Divisor 3
1.3 The Euclidean Algorithm 4
1.4 Primes 7
1.5 Congruences 12
1.6 Linear Congruences 15
1.7 Systems of Linear Congruences 17
1.8 Basic Cryptography 19
1.8.1 Caesar Ciphers 20
1.8.2 Linear Ciphers 21
1.8.3 Block Ciphers 23
1.9 Some Examples 27