Chapter 2 : Multiplicative Cipher
advertisement
Chapter 2 – Multiplicative Cipher
In this chapter we will study the Multiplicative Cipher. Instead of adding a number as we did in
the Caesar Cipher, we will now multiply each plain letter by an integer a, our secret encoding
key. As some of them fail to produce a unique encryption, we will discover an easy criterion for
keys that produce the desired unique encryptions (the “good” keys) and apply it to different
alphabet lengths. When doing so we will discover very important mathematical encryption tools
such as Euler’s -function, Euler’s and Lagrange’s Theorem and study further examples of
groups, rings and fields.
2.1 Encryption using the Multiplication Cipher
Instead of encoding by adding a constant number, we multiply each plain letter by our secret key
a. Since each plain letter turns into 0 for a=0 and remains unchanged for a=1, we start with a=2.
We will multiply MOD 26 as we are using the 26 letters of the English alphabet. We get the
following encoding and decoding table.
PLAIN LETTER:
Secret key: a=2
Cipher letter:
A
0
B
1
C
2
D
3
E
4
0
2
4
6
8 10 12 14 16 18 20 22 24
a
c
e
g
i
F G
5 6
k m
H
7
I
8
o
q
J K L M N O P Q R S T U V W X Y Z
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
s
u
w
y
0
2
4
6
a
c
e
g
8 10 12 14 16 18 20 22 24
i
k m
o
q
s
u
w
y
Notice, that only every other cipher letter appears, and that exactly twice. This is not a useful
encryption system since it may yield ambiguous messages. As an example, let’s encode and
decode NAT and ANT.
PLAIN LETTER
Secret key a=2
N
13
A
0
T
19
A
0
N
13
T
19
Cipher letter
0
a
0
a
12
m
0
a
0
a
12
m
You can see the dilemma of this message. Decoding “aam” can either yield NAT or ANT as the
plain text. What would you do? Of course, you don’t want to receive any more ambiguous
messages. Let’s simply test all possible keys of the multiplication ciphers MOD 26:
PLAIN LETTER
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Encoding
Key a
a
0
A
0
B
0
C
0
D
0
E
0
F G
0 0
H
0
I
0
J
0
1
0
1
2
3
4
5
7
8
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
2
0
2
4
6
8 10 12 14 16 18 20 22 24
3
0
3
6
9 12 15 18 21 24
4
0
4
8 12 16 20 24
5
0
5 10 15 20 25
6
0
6 12 18 24
4 10 16 22
7
0
7 14 21
2
9 16 23
8
0
8 16 24
6 14 22
9
0
6
4
2
1
K
0
4
L M
0 0
2
3
3 12 21
9 18
1 10 19
2 11 20
10
0 10 20
4 14 24
8 18
11
0 11 22
7 18
12
0 12 24 10 22
13
0 13
0 13
0 13
0 13
0 13
14
0 14
2 16
4 18
6 20
8 22 10 24 12
15
0 15
4 19
8 23 12
16
0 16
6 22 12
2 18
17
0 17
8 25 16
7 24 15
18
0 18 10
2 20 12
19
0 19 12
5 24 17 10
8
3 14 25 10 21
8 20
6 18
1 16
4 16
5 20
8 24 14
4 22 14
2 22 16 10
8
4
6
0 13
2 16
2 17
0 22 18 14 10
23
0 23 20 17 14 11
24
0 24 22 20 18 16 14 12 10
25
0 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10
6
2 24 20 16 12
8
5
8
4
6
4
2
4
6 10 14 18 22
1
6 11 16 21
2
8 14 20
3 10 17 24
5 12 19
4 12 20
8 18
2 10 18
7 16 25
2 12 22
1 12 23
8 17
6 16
8 19
4 15
6 18
4 16
2 14
0 13
0 13
0 13
6 20
8 22 10 24 12
3 18
7 22 11
8 24 14
4 20 10
3 20 11
2 19 10
1 18
4 22 14
4 23 16
2 22 16 10
3 24 19 14
7
Z
0
2 18
0 22 18 14 10
2 25 22 19 16 13 10
8
8
Y
0
0 13
2 20 12
22
8
X
0
8 20
4 18
6 25 18 11
0 20 14
2
6 21 10 25 14
4 21 12
V W
0 0
8 11 14 17 20 23
6 15 24
5 16
6 22 12
0 20 14
2 23 18 13
5
6 14 22
0 13
0 21 16 11
7
6
9 20
U
0
4 10 16 22
4 14 24
20
1 22 17 12
2
8 15 22
5 14 23
0 18 10
1 20 13
4 24 18 12
1
8 16 24
0 16
T
0
7 12 17 22
6 12 18 24
0 14
S
0
8 10 12 14 16 18 20 22 24
0 12 24 10 22
5 22 13
8
2
21
6
R
0
8 12 16 20 24
0 10 20
9 24 13
6 24 16
3 22 15
0
0 13
4 20 10
6 23 14
0
2 13 24
2 14
0 13
4
4 13 22
6 16
6 17
0
6 13 20
2 10 18
2 12 22
2
8 13 18 23
8 14 20
4 11 18 25
4 12 20
0
P Q
0 0
7 10 13 16 19 22 25
6 10 14 18 22
9 14 19 24
N O
0 0
6
9
9
8
2 21 14
7
4 24 18 12
6
4 25 20 15 10
5
2 24 20 16 12
1 24 21 18 15 12
0 24 22 20 18 16 14 12 10
9
8
7
9
6 24 16
6
5
8
4
3
9
6
8
6
4
2
4
3
2
1
We learned already that the key a=2 (as can be seen in the 3rd row) does not produce a unique
encryption. So which ones do? Each row that contains each integer from 0 to 25 exactly once and
therefore yields a unique cipher letter will serve. Simply by looking at the table, we find that the
following keys (whose rows are bold) produce a unique encryption and therefore call them the
good keys:
a = 1,3,5,7,9,11,15,17,19,21,23,25
Why those and what do they have in common? They seem to not follow any apparent pattern.
Are they the odd numbers between 1 and 25? No, 13 is missing. Or are they possibly the primes
between 1 and 25? No, 9,15, 21 and 25 are not prime and the prime 13 is missing. So, let’s
understand why the bad keys
a = 2,4,6,8,10,12,13,14,16,18,20,22,24
don’t produce a unique encryption. We have to understand why multiplying by a bad key a
MOD 26 yields some integers more than once and others not at all.
An extreme example would be when a=0: all plain letters are translated into 0’s which are all a’s
so that no decryption is possible.
If a=1 is used as a key, each cipher letter equals its plain letter which shows that it does produce
a unique encryption. However, it yields the original text. This is not very useful.
2
The bad key a=2 yields an ambiguous message as we saw in the introductory example: each A
turns into 0 (=a) since 2*0 = 0 MOD 26 just as each N turns into 0 since 2*13 = 26 = 0 MOD 26.
Also, each B and each M turn into 2 (=c) since 2*1 = 2 MOD 26 and 2*14 = 28 = 2 MOD 26.
When you study the a=2 row precisely, you will see that the original 26 plain letters are
converted into 13 “even” cipher letters (the even cipher letters are those whose numerical
equivalent is an even number.) each occurring exactly twice. This is the reason why a=2 yields
an ambiguous decryption.
If a=4,6,8,…,24, we encounter the same dilemma as for a=2. We can see in the table that an A
will always translate into 0 (=a) since the product of any such key a with 0 (=A) yields 0. N
(=13) translates into a for any even key a aswell because
even keys N
4*13 = 2*(2*13) = 2*0 = 0 MOD 26,
6*13 = 3*(2*13) = 3*0 = 0 MOD 26,
8*13 = 4*(2*13) = 4*0 = 0 MOD 26, etc.
Notice in all three equations that because a=2 turns the 13 (=N) into 0 in 2*13 = 0, all the
multiples of a=2 translate the N into 0 (=a). That means:
Because a=2 is a bad key all the multiples of a must be bad keys aswell.
Consider an alphabet length of M=35: the bad key a=5 (why?) will translate the H (=7) into a
(=0), because 5*7 = 35 = 0 MOD 35. Therefore, all the keys that are multiples of 5 such as
a=10,15,20,25,30 will also translate the H into 0(=a). Similarly, the multiples of a=7 will
translate an F (=5) into an 0 (=a) because 7 does so.
a=13 yields an ambiguous message since each even plain letter is translated into a (=0):
a=13 even letters
13*0 = 0 MOD 26,
13*2 = 0 MOD 26,
13*4 = (13*2) * 2 = 0 * 2 = 0 MOD 26,
13*6 = (13*2) * 3 = 0 * 3 = 0 MOD 26, etc.
Each odd plain letter translates into 13 (=n):
a=13 odd letters
13*1 = 13 MOD 26,
13*3 = 13*2 + 13*1 = 0 + 13 = 13 MOD 26,
13*5 = 13*4 + 13*1 = 0 + 13 = 13 MOD 26,
13*7 = 13*6 + 13*1 = 0 + 13 = 13 MOD 26, etc.
Moreover, since a=13 is a bad key its multiples 26, 39, … must also be bad keys. However, we
don’t need to consider keys that are greater than 26 since each of them has an equivalent key less
than 26 that yields the same encryption: the even multiples of 13 (i.e. 26, 52, 78, ...) have its
equivalent key in a=0, a very bad key, since 26=52=78=0 MOD 26. The odd multiples of 13 (i.e.
39, 65, 91, …) have its equivalent key in a=13, another bad key, since 39=65=91=13 MOD 26.
3
Let’s summarize our discoveries. Which keys now yield a unique encryption?
A key a does not produce a unique encryption,
if 1) a divides 26 evenly
or if 2) a is a multiple of such divisors.
We can combine these two criteria into one easy criterion. Can you? Try it!
CRITERION FOR GOOD KEYS
A key a produces a unique encryption,
if the greatest common divisor of 26 and a equals 1,
which we write as: gcd(26, a)=1
Convince yourself that 26 has a greatest common divisor equal to 1 with each of these good
keys a = 1,3,5,7,9,11,15,17,19,21,23,25. Except for 2 and 13, all prime numbers less than 26 are
among the keys (why do they have to?). However, there are some additional integers that are not
prime (i.e. 9,15,21 and 25). That are those that don’t have a common divisor with 26. Thus,
being prime is not quite the reason for a good key, but almost. We, therefore, name the good
keys as follows:
Definition of numbers that are relative prime:
Two integers are called relative prime if their greatest common divisor equals 1.
Examples are: 4 and 5 are relatively prime because gcd(4,5)=1. So are 2 and 3, 2 and 5, 3 and
10, 26 and 27, 45 and 16.
Counter examples are: 45 and 18 are not relative prime since gcd(45,18)=9 and not 1.
343 and 14 are not relative prime since gcd(343,14)=7.
From now on we will use a handy
Notation for the set of possible and good keys:
1) All the possible keys for an alphabet length of 26 are clearly all the numbers between
1 and 26, denoted as Z26. Simply: Z26 = {0,1,2,3,…, 24,25}.
Generally: An alphabet of length M has the keys: ZM = {0,1,2,3,…, M-2,M-1}
2) Now, the good keys are the ones that are relative prime to 26 as listed above and are
denoted as Z26*. Simply: Z26* = {1,3,5,7,9,11,15,17,19,21,23,25}.
Generally: The good keys are those a’s that are relative prime to M and are denoted as
ZM*. (I can not list those here as they depend on the alphabet length M.)
We are now able to summarize how to encrypt a message using the multiplication cipher:
To encrypt a plain letter P to the cipher letter C using the
Multiplication Cipher, we use the encryption function: f : P
C=(a*P) MOD 26. If a is a “good” key, that is if a is relatively prime
4
to 26, then f produces a one-to-one relationship between plain and
cipher letters, which therefore permits a unique encryption.
Among the 12 good keys we pick a=5 to encode the virus carrier message as follows:
PLAIN TEXT
Cipher text
A
0
N
13
T
19
I
8
S
18
T
19
H
7
E
4
C
2
A
0
R
17
R
17
I
8
E
4
R
17
0
a
13
n
17
14
o
12
m
17
r
9
j
20
u
10
k
0
a
7
h
7
h
14
o
20
u
7
h
r
Exercise1: Encrypt the same plain text using the key a=7.
2.2 Decryption of the Multiplication Cipher
Now that the virus carrier message was encoded in a unique manner how can it be decoded? First
of all, you need to know which one of the 12 good keys was used. In some secret manner, the
sender and the recipient had to agree on the encoding key a. Say a=5 was chosen. Now, how do
you decrypt the above message? To do so, we have to look at the encryption equation C=a*P
MOD 26 and solve it for the desired plain text letter P.
In order to solve an equation like 23=5*P for P using the rational numbers, we would divide by 5
or multiply by 1/5 to obtain the real solution P=23/5. However, when using MOD arithmetic and
solving 23=5*P MOD 26, we don’t deal with fractions but only integers. Thus, dividing is
performed slightly different: instead of dividing by 5 or multiplying by 1/5, we first write 5-1
(instead of 1/5) where 5-1 now equals an integer and multiply both sides by that integer 5 -1. We
denote 5-1 “the inverse of 5”. Just as 5*1/5 yields 1, 5 * 5-1 shall equal 1 MOD 26.
Definition of an inverse number:
A number a-1 that yields 1 when multiplied by a is called the inverse of a.
Mathematically: a-1 * a = a * a-1 = 1.
Example1: When using fractions,
5-1=1/5 is the inverse number to 5,
3-1=1/3 is the inverse number to 3,
3/2 is the inverse number to 2/3.
Now, let’s look at examples for MOD arithmetic:
Example2: The inverse of a=3 is a-1 = 2 MOD 5 because a * a-1 = 3*2 = 6 = 1 MOD 5. I found
a-1 = 2 by simply testing the integers in Z5*={1,2,3,4}.
a=4 is inverse to itself modulo 5 since a * a-1 = 4 * 4 = 16 = 1 MOD 5.
5
Example3: Doing arithmetic MOD 7, the inverse of a=3 is a-1 = 5 because a * a-1 = 3*5 = 15 =
1 MOD 7. Again, I found the inverse of a=3 by testing the integers in Z7* ={1,2,3,4,5,6}
The inverse of a=4 is 2 since a * a-1 = 4 * 2 = 8 = 1 MOD 7.
a=6 is inverse to itself MOD 7 since a * a-1 = 6 * 6 = 36 = 1 MOD 7.
Example4: What is the inverse of 3 MOD 11? It is a-1=4 since 3*4 = 12 = 1 MOD 11.
Example5: Try it yourself!
What is the inverse of 5 MOD 11?
What is the inverse of 7 MOD 11?
Back to the virus carrier message. It was encoded MOD 26. Since we calculate MOD 26, thus
dealing with integers from 0 to 25, we now have to find an integer a-1 among those integers that
yields 1 MOD 26 when multiplied by 5: a-1 * 5 = 1 MOD 26. Equivalently stated: what product
of a-1 and 5 equals 1 more than a multiple of 26 such as 27, 53, 79, 105, etc? Aha, there is 105 =
21*5 so that 21*5 = 1 MOD 26. Equivalently stated, 105 divided by 26 leaves a remainder of 1.
Wonderful, that is all we need to solve our encryption function C= a*P MOD 26 for the plain
letter P in order to then decode the encrypted message:
Multiplying both sides of our encryption equation the equation yields
a-1*C = a-1*(a*P)
= (a-1*a)*P
= 1*P
= P MOD 26
(1)
(2)
(3)
(4)
Remark: Solving this equation required the 4 group properties: the existence of an inverse and the closure in (1), the associative
property in (2), the inverse property in (3) and the unit element property in (4). It thus gives a great example that we are only
guaranteed to solve this equation for numbers that form a group with respect to multiplication MOD 26. We will check in the
Abstract Algebra section at the end of this chapter that the set of good keys MOD 26, Z 26* = {1,3,5,7,9,11,15,17,19,21,23,25},
does form a multiplicative group. We can therefore always find a-1 for a given good key a.
Thus our decoding function P = a-1*C MOD 26 tells us to simply multiply each cipher letter by
the inverse of the encoding key a=5, namely by the decoding key a-1=21 MOD 26 and we can
eventually decode:
Cipher text
PLAIN TEXT
a
0
n
13
r
17
o
14
m
12
r
17
j
9
u
20
k
10
a
0
h
7
h
7
0
13
N
19
T
8
I
18
S
19
T
7
H
4
E
2
C
0
A
17
R
17
R
A
o
14
u
20
8
I
4
E
h
7
17
R
For example, multiplying the cipher letter r=17 by a-1 = 21 decodes the r to T=19 since 21*17 =
357 = 19 MOD 26.
The o =14 decodes to I = 8 since 21*14 = 224 = 8 MOD 26,
the m =12 decodes to S=18 since 21*12 = 252 = 18 MOD 26.
6
How does the j decode to the H, and the u decode to the E? Verify this now!
An easier way to determine the decoding key a-1
Decoding a message turns out to be really easy once we know the decoding key a-1. We just had
to multiply each cipher letter by a-1. So, we are left with determining the decoding key a-1
knowing the original encoding key a. To decode the above virus carrier message we found the
inverse of a=5 through a clever check of the products of a and a-1 that produced one more than
multiples of 26. That was trial and error and might take quite a while. We won’t have to do it that
way again since there is a much more straightforward method. To find the inverse for each good
key a, you just need to look back at the 26 by 26 encryption table.
For instance, to find the inverse of the good key a=5 we have to look at the fifth row which
shows that a-1 equals 21 since the only 1 in this row is in the V- or 21-column (5 * 21 = 1 MOD
26). Moreover, you can see that the plain letter V encrypts to the cipher text letter b (=1) when
using a=5 as the encoding key. Take a moment now to verify the
Rule for finding the decoding key a-1:
1) For a given good key a, find the unique 1 in the a-row,
2) From that 1 go all the way up that column,
3) The letter’s numerical equivalent that you hit on the very top is the inverse of a.
Example: If we use the encoding key a=3, we find that the decoding key a-1 is 9 as the 1 occurs
in the J- or 9-column telling us additionally that the plain letter J (=9) encrypts to the cipher letter
b (=1).
Finding the decoding keys for each good key a in the same manner, we obtain the following key
pairs:
Good Encoding
key a
1
3
5
7
9
11
15
17
19
21
23
25
Its decoding key
a-1
1
9
21
15
3
19
7
23
11
5
17
25
Three important observations:
7
1. All decoding keys a-1 in the right column are among the set of all encoding keys a. In fact,
the sets of the encoding and decoding keys are identical. Coincidence? No, it is not. Just as
the regular multiplication of two integers is commutative (i.e. 3 * 9 = 9 * 3 =27) the MODmultiplication is commutative (3 * 9 = 9 * 3 = 1 MOD 26). You can observe this orderdoesn’t-matter rule in the original 26x26 multiplication table: The diagonal line from the top
left to the bottom right forms a reflection line. I.e. 21 is an inverse to 5 MOD 26, therefore 5
is inverse to 21 and the two 1’s are mirrored over the diagonal line. Therefore, the set of all
encoding keys must equal the set of all decoding keys.
2. If we extract those rows with the good keys a = 1,3,5,7,9,11,15,17,19,21,23,25 and their
corresponding columns, we obtain:
1
3
5
7
9
11
15
17
19
21
23
25
1
1
3
5
7
9
11
15
17
19
21
23
25
3
3
9
15
21
1
7
19
25
5
11
17
23
5
5
15
25
9
19
3
23
7
17
1
11
21
7
7
21
9
23
11
25
1
15
3
17
5
19
9
9
1
19
11
3
21
5
23
15
7
25
17
11
11
7
3
25
21
17
9
5
1
23
19
15
15
15
19
23
1
5
9
17
21
25
3
7
11
17
17
25
7
15
23
5
21
3
11
19
1
9
19
19
5
17
3
15
1
25
11
23
9
21
7
21
21
11
1
17
7
23
3
19
9
25
15
5
23
23
17
11
5
25
19
7
1
21
15
9
3
25
25
23
21
19
17
15
11
9
7
5
3
1
This reduced table shows i.e. that 3 and 9 are inverse to each other because of the
commutative property of the MOD-multiplication (exhibited by the diagonal as a line of
reflection). Now every row contains exactly one 1 revealing that there exists an inverse for
each a which is precisely the reason why those a’s are the good keys. Moreover,
multiplying any two good keys yields again a good key. As an attentive reader, we realize
that the MOD multiplication of the keys is closed (recall the group properties in the previous
chapter). Combining this fact with the fact that each key a possesses a decoding key a-1, the
set of the good keys forms a commutative group with the unit element 1. Does that even
mean that the good keys form a field? That would additionally require that the good keys
form a commutative group with respect to addition. Do they? Try to answer it for yourself. I
will answer it at the end of this chapter in the Abstract Algebra section.
3. The only two keys that are inverse to themselves are 1 and 25, which means that the
encoding key equals its decoding key. Let’s check why: 1*1=1 MOD 26 which explains a =
a-1 = 1 (Big deal!). Now when a=25, we have: 25*25 = 625. Since 625=24*26+1 which
means that 625 leaves a remainder of 1 when divided by 26, we have 625 = 1 MOD 26 and
altogether 25 * 25 = 625 = 1 MOD 26.
These calculations were correct but almost required a calculator. Here is a non-calculator
way to understand why 25 is inverse to itself: Since 25 = -1 MOD 26, it follows 25 * 25 = (1) * (-1) = 1 MOD 26. This shows that when using an encoding key that is one less than the
8
alphabet length M, namely a = M-1, then the decoding key must also equal M-1, a-1 = M-1.
The reason is (M-1) * (M-1) = (-1) * (-1) = 1 MOD M. For example: when using an alphabet
length of M = 27 and an encoding key a=26 then its decoding key is a-1 =26. To verify this:
262 = 676 =1 MOD 27.
Here is the C++ Code for the encryption and decryption of the multiplication cipher:
//Multiplication Cipher using the good key a=5
//Author: Nils Hahnfeld, 9/22/99
#include<conio.h>
#include<iostream.h>
void main()
{
char cl,pl,ans;
int a=5, ainverse=21; //as a-1*a=21*5=105=1 MOD 26
clrscr();
do
{
cout << "Multiplication Cipher: (e)ncode or (d)ecode or (~) to exit:" ;
cin >> ans;
if (ans=='e')
{
cout<< "Enter plain text: "<< endl;
cin >> pl;
while(pl!='~')
{
if ((pl>='a') && (pl<='z'))
cl='a' + (a*(pl -'a'))%26;
else if ((pl>='A') && (pl<='Z'))
cl='A' + (a*(pl -'A'))%26;
else cl=pl;
cout << cl;
cin >> pl;
}
}
else if (ans=='d')
{
cout << "Enter cipher text: " << endl;
cin >> cl;
while(cl!='~')
{
if ((cl>='a') && (cl<='z'))
pl='a' + (ainverse*(cl -'a'))%26;
else if ((cl>='A') && (cl<='Z'))
pl='A' + (ainverse*(cl -'A'))%26;
else pl=cl;
cout << pl;
cin >> cl;
}
9
}
}
while(ans!='~');
}
Programmer’s Remarks:
Can
you
understand
the
code
yourself?
Try
to
understand as much as possible first, then continue
reading.
1) This program both encodes and decodes. Say you
first want to encode the letter c then you have to
enter
e
when
asked.
Then
the
if-condition
if
(ans=='e') is fulfilled so that we enter the encoding
part of the program. You are asked to enter your plain
letter in cin >> pl;
As long as you don’t enter ‘~’
the while-condition while(pl!='~') is fulfilled and
the entered plain letter (=pl) is being encoded.
To do so, I distinguish between upper and lower case
letters since they are encoded slightly different.
Say, the lower case plain letter c is entered, then
the condition if ((pl>='a') && (pl<='z')) is fulfilled
and the encryption is being executed by this one
seemingly weird command cl='a' + (a*(pl -'a'))%26; Let
me explain that to you in detail: First you need to
know that each letter is stored as a number: i.e.
A=65, B=66, C=67, .., Z=100, a=101, b=102, c=103,
…z=125. In fact, any character is stored as a number:
i.e. ~=.., $=.. etc. For now, let’s focus on the lower
case letters.
The plain letter c is stored as 103, however, I want
the c to equal 2 in compliance with our translation
a=0, b=1, c=2, etc. which we used in our virus carrier
example. Therefore, I need to subtract 101 from the
103 to get the desired 2, similarly, I again would
have to subtract 101 from any plain letter b=102 to
get the desired 1. In fact, I always have to subtract
101 from each entered lower case plain letter to get
its corresponding number. By subtracting a (=101) from
the entered plain letter in (pl -'a');. I accomplish
this. Subsequently, that difference is multiplied by
the good key a=5 which I defined as such in int a=5.
You could also define a to be a different good key. If
you choose to do so, don’t forget to also redefine the
corresponding decoding key in int a=5, ainverse=21; .
10
Ok, let’s continue with the encoding part. Since we
are performing MOD 26 arithmetic, we use the MODoperator % that guarantees us the product (a*(pl 'a'))%26; to be between 0 and 25. In our example,
after subtracting 101 from the plain letter c we get
the desired 2 that is now multiplied by a=5 yielding
10. This is just what we wanted except that the answer
10 does not equal the desired cipher letter k on the
computer. Therefore, we just have to add a number in
order to get k=111. Which number would that be? Right,
we have to add 101 to the 10 which we do by adding
a=101 in cl='a' + (a*(pl -'a'))%26. Now the cipher
letter cl equals k and we can end the lower case
encoding.
The encryption of upper case plain letter works
similarly except that I have to subtract A=65 (instead
of a=101 as above) to obtain our desired plain letter
number. Say, we want to encrypt the plain letter C=67.
I first subtract 65 =’A’ and then multiply that
difference by the good key a=5 yielding 10 again. The
MOD 26 calculation leaves the 10 unchanged. Finally, I
have to add the usual 65 = A (why?) to obtain the
desired cipher letter.
How do we deal with non-letters? Well, I leave all the
entered non-letters such as ! or . or ? unchanged so
that you can detect the format of the original message
easier. If we don’t want to give an eavesdropper any
additional information about our secret message, we
would firstly either not use such characters at all or
we would expand our alphabet length and encode them
just like the other plain letters. Secondly, we would
translate every upper case plain letter into a lower
case cipher letter so that we don’t reveal information
about the beginning of a sentence. These are valuable
information for an eavesdropper that help cracking the
message. I leave the translation from an upper case
plain letter to a lower case cipher letter as an easy
exercise for you.
2) Lastly, I want to explain the trick how I manage to
encode not only a letter but a whole word or sentence
if necessary. The statements while(cl!='~') and cout
<< cl; cin >> pl; are in charge of it. The first time
the loop passes the line cout << cl; the translated
plain letter pl that was read in as cin >> pl; before
11
the while loop is output as its cipher letter cl. The
trick is now that if we enter more than one letter all
but the first entered letter are buffered (which means
temporarily stored in the computer’s RAM) until read
in in cin >> pl; inside the while loop. Since any
plain letter fulfills the condition in while(cl!='~')
The loop is reentered and the next cipher letter is
displayed in cout << cl; We can then end this while
loop by entering ~ and then choose to either encode,
decode or exit the program. Try it for yourself.
2.3 Cryptoanalysis - Cracking the Multiplication
Cipher
Just like the Cipher Caesar Cipher, the Multiplication is not secure at all. How could it be
broken? Let’s consider two options:
Option 1: Cracking the cipher code using letter frequencies
If plain letters are replaced by cipher letters the underlying letter frequencies remain unchanged.
I.e. if the letter e (the most frequent letter in the English language) occurs 20 times in the plain
text its replacement letter will appear 20 times in the cipher text. Therefore, an eavesdropper
simply has to count letter frequencies to identify the most frequent cipher letter. Its numerical
equivalent reveals the row and therefore the key a as follows:
PLAIN LETTER
0
Keys a
0
0
A
B
C
D
1
0
1
2
3
2
0
2
4
6
3
0
3
6
9
4
0
4
8 12
5
0
5 10 15
6
0
6 12 18
7
0
7 14 21
0
E
0
0
F G
4
8
12
16
20 25
24
2
4
0
H
0
I
0
J
0
K
9 14 19 24
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
L M N O P Q R S T U V W X Y Z
3
12
8 13 18 23
2
7 12 17 22
1
6 11 16 21
8
0
8 16 24
9
0
9 18
10
0 10 20
11
0 11 22
12
0 12 24
13
0 13
14
0 14
2
15
0 15
4
16
0 16
6
17
0 17
8
18
0 18 10
19
0 19 12
0
20
0 20 14
21
0 21 16
22
0 22 18
23
0 23 20
24
0 24 22
25
0 25 24
6
1 10
4 14
7 18
10 22
13 0
16 4
19 8
22 12
25 16
2 20
5 24
8 2
11 6
14 10
17 14 11
20 18
23 22
8
5
2 25 22 19 16 13 10
7
4
1 24 21 18 15 12
9
6
3
After intercepting the cipher text, an eavesdropper simply finds the most frequent letter of this
rather brief message. Longer messages reveal the most the letter e equivalent, however, this is
not necessarily so for our message.
Cipher text
a
0
n
13
r
17
o
14
m
12
r
17
j
9
u
20
k
10
a
0
h
7
h
7
o
14
u
20
h
7
He finds the cipher letter h to be most frequent. However, there is no 7 – the numerical
equivalent of letter h - in the E column. This means that the cipher E does not equal 7. In fact, the
cipher E can only be an even cipher letter as only even numbers appear in the E-column. Thus,
among those numbers that occur twice in the cipher code, 14, 17 and 20, we can eliminate the
odd 17. The 14 as the possible cipher E then tells him to test the keys a=10 and a=23.
Since a=10 is a bad key he checks the good key a=23. He decodes all the other cipher letters by
finding their corresponding number in the 23rd row (see above) and then goes up that column to
find the original plain letter. He obtains:
Cipher text
PLAIN TEXT
a
0
n
13
r
17
o
14
m
12
r
17
j
9
u k
20 10
a
0
h
7
h
7
o
14
u
20
0
13
N
11
L
6
G
7
H
11
L
23
X
2
C
0
A
15
P
15
P
19
T
2
C
A
13
14
O
h
7
15
P
That message does not reveal a virus carrier. Certainly, it might be a double encoded message
that has to be decoded twice, possibly using two different keys or even two different ciphers.
Before considering such encoding techniques, we go ahead and check if the other frequent
number, 20, is the cipher E.
Checking the E column, we can see that the possible two keys are the bad one a=18 and the good
one a=5. Again, we just have to find the cipher numbers in the 5th row and then go up that
column to the very top to find the corresponding plain letter. This yields the correct plain text:
Cipher text a
n
r
o
m r
j u k
a h
h
o
u
h
0 13 17 14 12 17 9 20 10 0 7
7
14 20 7
0
13
N
PLAIN TEXT A
19
T
8
I
18
S
19
T
7 4
H E
2
C
0
A
17
R
17
R
8
I
4
E
17
R
As you can see, detecting the most frequent cipher letter is of enormous help in cryptography.
Here, it reduces the number of possible good keys to two. It is not difficult to find the encoded E
in English documents as every 8th letter on average is an E (about 13%), it is therefore by far the
most frequent letter. Consequently, the longer a cipher text, the easier the cipher E can be
detected. Other frequent letters such as T, A, O and N occurring with about (8%) might be of
further help to crack the cipher text.
I will explain the usage of letter frequency as a very important means to crack cipher codes in the
next chapter. In case you wonder why the discussion of cracking codes is made public; why is it
not kept secret to maintain the security of ciphers? The answer is a simple “No”: Only those
encryption systems that withstand all possible attacks are secure and thus useful. Certainly none
of the cryptosystems we have considered thus far. Remember that the first 3 ciphers are meant to
familiarize you with basic encryption systems. Moreover, we build the mathematical foundation
to understand secure encryption systems such as the RSA encryption.
Option 2: Cracking the cipher code using trial and error
(“brute force”)
Knowing that there are just 12 possible unique encryptions MOD 26, the journalist produces the
corresponding 12 rows in the 26 x 26 multiplication table and cracks the code easily.
Cipher text
A
N
r
R
X
W
E
X
D
Y
M
A
L
L
W
Y
L
a=5
A
N
T
I
S
T
H
E
C
A
R
R
I
E
R
a=7
a=9
a=11
a=15
a=17
A
A
A
A
A
N
N
N
N
N
V
Z
L
P
B
C
Q
G
U
K
Y
K
U
G
Q
V
Z
L
P
B
F
B
P
L
Z
O
I
Q
K
S
U
E
I
S
W
A
A
A
A
A
B
V
D
X
F
B
V
D
X
F
C
Q
G
U
K
O
I
Q
K
S
B
V
D
X
F
a=1
a=3
a
A
n
N
o
O
m
M
r
R
j
J
u
U
k
K
a
A
h
H
h
H
o
O
u
U
h
H
14
a=19
a=21
a=23
a=25
A
A
A
A
N
N
N
N
F
H
D
J
Y
S
E
M
C
I
W
O
F
H
D
J
V
T
X
R
M
W
C
G
G
Y
O
Q
A
A
A
A
Z
J
P
T
Z
J
P
T
Y
S
E
M
M
W
C
G
Z
J
P
T
MS Excel as a simple encryption and decryption tool:
I created the following table in MS Excel with the CHAR and the MOD function:
Cipher
text
a
a-1
3
9
5
21
7
15
9
3
11
19
15
7
17
23
19
11
21
5
23
17
25
25
For
example,
I
a
n
r
0
A
A
A
A
A
A
A
A
A
A
A
13
N
N
N
N
N
N
N
N
N
N
N
17
X
T
V
Z
L
P
B
F
H
D
J
created
o m
14
W
I
C
Q
G
U
K
Y
S
E
M
the
12
E
S
Y
K
U
G
Q
C
I
W
O
r
j
u
k
a
h
h
o
u
h
17
X
T
V
Z
L
P
B
F
H
D
J
9
D
H
F
B
P
L
Z
V
T
X
R
20
Y
E
O
I
Q
K
S
M
W
C
G
10
M
C
U
E
I
S
W
G
Y
O
Q
0
A
A
A
A
A
A
A
A
A
A
A
7
L
R
B
V
D
X
F
Z
J
P
T
7
L
R
B
V
D
X
F
Z
J
P
T
14
W
I
C
Q
G
U
K
Y
S
E
M
20
Y
E
O
I
Q
K
S
M
W
C
G
7
L
R
B
V
D
X
F
Z
J
P
T
T
in the row a=5 using the Excel-formula
=CHAR(65+MOD(E$2*$B4,26)) where the cell E$2 contains 17 and the cell $B4 contains
21 as the decoding key a-1. The formula MOD(E$2*$B4,26) computes the number of the
plain letter T, namely 19. However, converting 19 to its character does not yield the desired T.
The T is stored as 84 which you could see by entering the Excel formula =CODE("T").
Therefore, we first have to add 65 to the 19 in order to translate the 84 eventually into the desired
T using =CHAR(65+MOD(E$2*$B4,26)). In fact, all the upper case letters on Excel are 65
numbers higher than those we are using, the lower case letters on Excel are 97 numbers above
ours (i.e. =CODE("a") yields 97).
Which cracking method should a code cracker use. They are trade-offs in terms of their
efficiency: the gain of not having to determine the most frequent letter in the cipher text for the
brute force approach is at the cost of producing all possible cipher codes. Vice versa, the cost of
detecting the most frequent cipher letter in the first approach is at the gain of producing only one
plain text provided that the most frequent cipher letter turns out to be unique. This is very likely
in English texts and virtually certain in the German language where on average every 5th letter is
an E.
Even if an eavesdropper decides to produce all 12 possible plain texts, they can be generated
with the help of a computer within a few seconds. Therefore, no matter how he decides to crack
the cipher text, it won’t take long. Thus, safer encryptions are necessary. In the next chapter, I
will show you one principle of increasing the safety of a cipher code. I will couple the
Multiplication Cipher with the Caesar Cipher (which produces 26 unique encryptions) to obtain a
15
super encryption that will allow 12*26=312 possible unique encryptions. Are the used 12 unique
encryptions a set number? Or can we even increase the mere 12 unique encryptions for the
Multiplication Cipher by varying the alphabet length? Let’s investigate this in the following
section.
2.4 Varying the Alphabet Length varies the
Number of Good Keys
Using an alphabet length of M=27:
Say for legibility reasons we add a blank symbol as our 27th plain letter. It converts to the plain
letter number 26 so that we now have to encrypt MOD 27. Does the increase of our alphabet
length by 1 increase the number of unique encryptions obtained? Our good-key-criterion
declares those integers to be good keys that are relative prime to 27. Which ones are those?
27=3*3*3, so that only the multiples of the only prime divisor 3 such as a=3, 9 and 27 will not
yield a unique encryption, all the other integers will: The good keys a are therefore
Z27* = {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26}
allowing 18 different unique encryptions, 6 more than before.
Notice that we found the good keys indirectly. We first found the bad keys as the multiples of the
prime divisors of the alphabet length M. Consequently, the good keys are the remaining integers
less than M. Again a perfect task for a computer, especially when we have to find the prime
divisors of bigger integers. (I.e. what are prime divisors of 178247 or of 56272839 ?). Below is
the C++ program that performs the task for us, it just finds all the factors of an entered alphabet
length M by testing all the integers less than M for possible factors. This “brute force” approach
will work fast enough for integers M that have 10 digits or less. For larger integers, however,
dividing by every integer less than M slows the program down enormously. Test it yourself.
One of the major goals of current Mathematics research is to design faster factoring algorithms
as today’s are fairly slow. In fact, the security of i.e. the commonly used RSA Cipher is based on
the relative slowness of such factoring programs. If you are able to invent a fast factoring
algorithm, you will not have to worry about a future job.
//Author: Nils Hahnfeld
//Factoring program
#include <conio.h>
#include <iostream.h>
#include <math.h>
10/15/99
void main()
{
int M, factor ;
clrscr();
16
do
{
cout << "Enter the integer that you want to factor or 0 to exit: M=";
cin >> M;
factor=2;
while(factor <= M)
{
if (M%factor==0) //check all integers less than M as factors
{
cout << factor << endl;
M/=factor;
factor=1;
}
factor++;
}
}while(M!=0);
}
Programmer’s remarks:
Starting with 2, this program checks the integers from
2
to
M-1
as
potential
factors
of
M
in if
(M%factor==0). In such case, divide M by that factor:
M/=factor;
and start checking M/factor for factors
less than M/factor...etc. This process repeats until M
is reduced to 1 and therefore less than the smallest
factor possible, 2.
Can we do even better with M=28 ?
Can we increase the number of unique encryptions by further extending our alphabet? Let’s add
a dot to our alphabet to denote the end of a sentence in the original message. Our alphabet length
of 28 now yields how many unique encryptions? Try it for yourself!
28 equals 2*2*7 so that all the keys that are multiples of 2 or 7 do not and all non-multiples of 2
or 7 do produce a unique encryption: Z28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27} allowing
only 12 different unique encryptions. That is weird! A longer alphabet produces less unique
encryptions. Why is that?
This weirdness is not really weird. What really matters is not the alphabet length M but
rather the number of multiples of the prime factors of M that are less than M: the less
multiples of prime factors (as for the alphabet length of 27), the more a’s produce a unique
encryption and vice versa. Aha, that realization helps a lot, since that also means that prime
M’s produce M-1 unique encryptions. Why is that? Try to explain this, than continue reading!
The reason for that is that a prime number has per definition no prime divisor except for 1 and
itself. Therefore, since there are no other prime divisors and thus no multiples, all integers less
17
than M serve as good keys. Let’s check this for an alphabet length of M=29. As 29 is prime, it
has no divisors except for 1 and 29 and thus there are no multiples as bad keys. Therefore, each
integer
less
than
29
is
a
good
key
MOD
29:
Z29*
=
{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28}.
allowing a total of 28 different unique encryptions. Hey, this shows a great way to produce more
unique encryptions which of course makes life harder for an eavesdropper:
Recommendation for more security:
Choose the alphabet length M to be a prime number to make cracking the
cipher text more difficult.
You now understand why cryptographers have an affection for prime numbers. Additionally, you
will learn that the RSA Cipher uses prime numbers as well. They are very special primes as they
must consist of 100 digits or more. It is not difficult to understand that the length of such
numbers requires the usage of computers. Thus, we now go ahead and practice a bit more
computer programming.
Determining the bad keys for a given alphabet length M is a perfect task for a computer. The
following C++ program firstly determines the factors for an entered alphabet length M and
secondly their multiples, the bad keys. Thirdly, listing the good keys would be best done using
C++ vectors or even C-style arrays which you might know. If so please go ahead and modify the
following program. If you don’t know, exercise your patience, later in this chapter I will present
a more elegant program that uses the Euclidean Algorithm to determine the good keys.
This program is an extension of the previous simple factoring program. After finding each factor
of M, I just print them out in
for (j=1;j<factor2;j++){ cout << setw(2) << j*factor << " ";}
I will explain the data type bool and the command setw() after the C++ code.
//Author: Nils Hahnfeld 10-16-99
//Program to find the bad keys
#include <conio.h>
#include <iostream.h>
#include <iomanip.h>
#include <bool.h>
void main()
{
int M, m, j, factor, factor2;
bool prime;
clrscr();
cout << "This program finds the 'bad' keys for an entered alphabet length M."
<< endl;
18
cout <<
"===========================================================================" <<
endl;
do
{
cout << "Enter the alphabet length or 0 to exit: M=";
cin >> M;
m=M; factor=2;
prime=0; //initialization
while(factor <= m)
{
if (m%factor==0)
{
if (factor!=M)
{
cout << "Divisor of "<< M << " =" << setw(3) <<factor<< ". ";
cout << "'Bad' keys: ";
}
else
{
cout << M << " is prime."<< endl;
prime=1;
break;
}
factor2=M/factor;
for (j=1;j<factor2;j++){ cout << setw(2) << j*factor << " ";}
cout << endl;
m/=factor;
while(m%factor==0){m/=factor;} //takes out multiples of factor
factor=1;
}
factor++;
}
cout << "Thus, the 'good' keys are all the ";
if (!prime) cout <<"non-listed ";
cout << "integers from 1 to " << M-1 <<"." << endl << endl;
}while(M!=0);
}
Programmer’s Remarks:
1)
The logic of this program is the same as in the
previous factoring program. However, you can see the
usage of the data type boolean (“bool”, named after
the British Mathematician George Boole [1815-1864]),
which is used if a variable (i.e. prime) can only
attain two possible values: either true (=1) or false
(=0). In order to be able to use the data type
boolean, we have to include the bool.h library in
#include <bool.h>1. Since the bool.h library is very
short I want to show you its contents:
typedef int bool;
const int false = 0;
Modern C++ compiler ( i.e. C++ builder5.0 from Borland) don’t require to include the bool.h library anymore.
Thus, variables of type boolean can be used just like int, char, double or other variables.
1
19
const int true = 1;
In the first line the new data type “bool” is defined
of type “int” so that the (two) bool-variables are
just regular integers. The next two lines then show us
that the variable “false” is defined as “0” and “true”
as “1”. The command const is used as a safety feature
in C++: both variables are constant and can never be
modified in any program.
2) The setwidth command setw() assigns as many spaces
as entered in the parentheses for a numerical output
in order to have a well-formatted output. It has to be
placed after the cout command as in: cout << setw(2)
<< j*factor. In order to be able to use the command
setw() we have to include the iomanip.h library in
#include <iomanip.h>.
2.5 Counting the Number of Good Keys for various
Alphabet Lengths M
– An Introduction to the Euler Function.
Now that we have explored the criteria for unique encryptions and the number of good keys for
certain alphabet lengths, it is the nature of Mathematics to generalize the observations and to set
up an explicit formula for the number of unique encryptions based on the alphabet length M. For
that purpose we have to consider 3 different cases of the alphabet length M
1) If M is a prime number:
We observed in the previous section that the prime alphabet length M=29 yields u=28 unique
encryptions. For the same reason, an alphabet length of M=31 produces u=30 unique
encryptions. Since the number of unique encryptions u is a function of the alphabet length M, we
may write in function notation: u(M) to denote the number of unique encryptions (which equals
the number of good keys) as a function of M. I.e. for M=29 we have u(29)=28. For M=31 we
have u(31)=30.
Remember that a function, per definition, assigns to each x-value one particular y-value. The x values are the ones that we can choose
independently, here the length of the alphabet M. Each y-value is dependent on the choice of x, i.e. the number of unique encryptions u are
dependent on the chosen alphabet length M. Since u can be expressed as a formula that involves M, namely u=M-1, we say that u is a function of
M and write u(M)=M-1.
In general we have the:
Formula for the number of good keys if M is a prime
If the alphabet length M=p is prime, the number of good keys is u(p) = p-1.
2) If M is a prime power, M=pn:
20
Now let’s look back at M=27 as an example where we only have the one prime factor p=3, such
that M=33. How many multiples of 3 will not produce a unique encryption? Those are the 8
integers 3, 6, 9, 12, 15, 18, 21, 24. Since there are 9 threes (or 9 multiples of 3) in 27 and
therefore 8 threes when counting only up to 26 yielding the 8 listed bad keys. Therefore, we just
need to divide 27 by the only prime divisor 3 and subtract 1 at the end to find the number of bad
keys: 8 = 27/3 – 1.
This principle of finding the number of bad keys holds true for any alphabet length that is a
prime power: There are M/p multiples of p less or equal to M, and therefore M/p - 1 many less
than M. And we are only interested in those integers less than M since we are calculating MOD
M which involves the integers 0 to M-1. Thus, the number of bad keys can simply be found by
dividing the alphabet length M by the only prime divisor p and subtracting 1 from that fraction:
M/p - 1. Let’s write down the
Formula for the number of bad keys if M is a prime power
b(M) = number of bad keys = M/p - 1.
Example1: M=9=32 has the only prime divisor 3 and thus b=9/3 – 1 = 2 bad keys which are 3
and 6 as the multiples of 3 that are less than 9.
Example2: M=81=34 has again 3 as the only prime divisor and thus b = 81/3 – 1 = 34/3 –1 = 33
–1 = 26 bad keys. Those are 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 36, 39, 42, 45, 48, 51, 54, 57,
60, 63, 66, 69, 72, 75 and 78 as the multiples of 3 that are less than 81.
Our ultimate goal is not to develop a formula for the number of bad keys but rather for the number of good keys.
However, subtracting the number of bad keys from the number of all possible keys (=M-1) yields the number of
good keys. In formula:
u(M) = (M-1) – b(M) using the above formula for the number of bad keys yields
= M-1 - (M/p -1) distributing the minus sign to the terms in the parenthesis yields
= M-1 - M/p + 1 canceling out the 1’s yields
= M - M/p
This turns out to be a handy formula for the number of good keys. However, it can be simplified
further using the fact that we are considering here alphabets of length M that are powers of a
prime p: M=pn for some positive integer n. Thus, our formula simplifies to:
u(M) = pn – pn/p
which simplifies further to
= pn - pn-1.
Therefore,
Formula for the number of good keys if M is a prime power:
If M = pn , the number of good keys is u(M) = pn - pn-1.
Example 1: For M=27=33: Inserting 3 for p and 3 for n in pn - pn-1 yields u(27) = 33 - 32 = 27-9
= 18 which is just what we wanted.
21
Example2: For M=9=32 we have u(9) = 32 - 31 = 9 – 3 = 6 which are the 6 good keys
a=1,2,4,5,7,8.
Example3: For M=16=24 we have u(16) = 24 - 23 = 8 which are the 8 good keys
a=1,3,5,7,9,11,13,15.
Example4: For M= 34 =81, we get u(81) = 34 - 33 = 81 – 27 = 54.
3) If the alphabet length M is a product of two prime
numbers p and q
The last case we have to study is when M is a product of two primes. Combining our three
formulas for the number of good keys, we will then be able to develop a general formula for the
number of good keys for any given alphabet length M.
Let’s start with
Example1: M=26=p*q=2*13. We saw that an alphabet length of M=26 produces 12 unique
encryptions, since the even numbers as multiples of 2 and the 13 are the 13 bad keys. More
precisely: Out of the 25 (= p * q - 1) integers that are smaller than 26, we had 12 (=13-1)
multiples of 2 {2,4,6,8,10,12,14,16,18,20,22,24} and the 1 (=2-1) multiple of 13 {13} as bad
keys, so that 25-12-1=12 good keys are remaining:
a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
Notice that u(26) = 12 = 25-12-1 = (p*q - 1) – (p-1) - (q-1)
Example2: For M=10=5*2, we obtain u(10)=4 good keys which are obtained by crossing out
the 4 (=5-1) multiples of 2 and the 1 (=2-1) multiples of 5 as bad keys:
a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
Notice that again u = 4 = 9 – 4 –1 = (p*q - 1) – (p-1) – (q-1)
Example3: For M=15=5*3, we obtain u(15)=8 good keys which are obtained by crossing out
the 4 (=5-1) multiples of 2 and the 2 (=3-1) multiples of 5:
a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Notice that again u = 8 = 14 – 4 – 2 = (p*q - 1) – (p-1) – (q-1)
The number of good keys can always be computed by u(p*q) = (p*q - 1) - (p-1) -(q-1). This
formula can be simplified into the product of two factors. Here is how:
u = (p*q - 1) - (p-1) – (q –1) getting rid of the first two parentheses yields
= p*q -1 - p + 1 – (q –1)
the two 1’s cancel each other out yielding
= p*q – p – (q –1)
factoring the p yields
= p*(q-1) – (q –1)
(q-1) in both terms can be factored yielding
= (q-1) * (p –1)
which can also be written as
= (p-1) * (q –1)
22
Formula for the number of good keys if M is the product of
two primes:
The number of good keys is u(M) = u(p*q) = (p-1)*(q-1).
Example4: If M=39=3*13=p*q, then the formula yields u(39) = (3-1)*(13-1) = 2*12 = 24.
You can verify this as follows: out of the 38 (=p*q-1) integers that are less than 39, we first cross
out all the 12 (=13-1) multiples of 3 {3,6,9,12,15,18,21,24,27,30,33,36} and then cross out the 2
(=3-1) multiples of 13 {13,26} resulting in 38 – 12 – 2 = 24 good keys.
Example5: If M=65=5*13=p*q, then the formula yields u(65) = (5-1)*(13-1) = 4*12 = 48.
You can verify this as follows: out of the __ integers that are less than 65, we first cross out all
the ___ multiples of __ and then cross out the __ multiples of __ resulting in ______ = 48 good
keys.
A summary of our explorations for the number of good keys
shows:
1) u(p) = p - 1,
if M is prime M=p.
n
n
n-1
2) u(p )= p - p ,
if M is a power of a prime M= pn.
3) u(p*q) = (p-1)*(q-1), if M is a product of two primes M=p*q.
Credit goes to the Swiss Mathematician Leonard Euler (pronounced “Oiler”, 1707-1783). He investigated these
number properties and was the first one to come up with a function, Euler’s -function, also called Euler’s Totient
function, that determines the number of integers that are relative prime to a given integer M. It is a function that is in
the heart of Cryptography and used i.e. for the RSA encryption. The following table shows the numbers relative
prime to M for the first 21 integers.
M
(M)
2
1
3
2
4
2
5
4
6
2
7
6
8
4
9 10 11 12 13 14 15 16 17 18 19 20 21
8 12 10 4 12 6 8 8 16 6 18 8 12
Similar to our notation, the properties of Euler’s -function that computes the number of integers
that are relatively prime to M and wrote similarly to our notation:
Euler’s -function:
1) (p) = p-1
2) (pn) = pn - pn-1
3) (p*q) = (p-1)*(q-1)
4) (n*m) = (n) * (m)
for a prime p.
for a prime power pn.
for two distinct primes p and q.
when n and m are relatively prime. It describes the multiplicative
property of .
We have explored the first three properties already, however, the 4th property is new - but not
totally new. I want to show you an example where we used it already. Say M=26=2*13=n*m.
Since n and m are two distinct primes, they certainly are relative prime, so that the condition for
property 4) is fulfilled. We obtain (2*13) = (2) *(13). From property 1) we know that
23
(2)=1 and (13)=12, and consequently, (2*13) = (2)*(13) = 1*12 = 12 which is exactly
property 3). Thus, property 4) yields nothing new if our alphabet length is the product of two
primes. However, it turns out to be indispensable when M is not the product of two primes, but
say a product of a prime and a prime power.
Example1: If M=24=3*8=3*23, then
(24) = (3*23)
using property 4) yields
= (3)*(23).
using properties 1) and 2) yields
3 2
= (3-1)*(2 -2 )
= 2*4
= 8.
For a check: the eight integers 1,5,7,11,13,17,19,23 are relative prime to 24 and thus the good
keys for M=24.
Even products of 3 primes or prime powers like 30 or 60 can now be dealt with due to the 4th
property:
Example2: If M=30=2*3*5, then
(30) = (2*3*5)
using property 4) yields
= (2)*(3*5)
again property 4) yields
= (2)*(3)*(5)
now using property 1) yields
= 1*2*4
= 8.
For a check: the same eight integers 1,5,7,11,13,17,19,23 are relative prime to 30 and are thus
the good keys for M=30.
Example3: Now, it is your turn. If M=60=22*3*5, then
(60) = (22*3*5)
using property __ yields
= (22)*(3*5)
using property __ yields
2
= (2 )*(3)*(5) using properties __ and __ yields
= (22 – 21)*2*4
= 2*2*4
= 16.
You noticed, that the multiplicative property of Euler’s -function, expressed in property 4), is
used to decompose any integer M into its prime factors or prime power factors to then apply the
first two properties to each prime or prime power. This eventually enables us to calculate the
number of integers that are relative prime to these primes and prime powers. Multiplying such
answers yields the number of good keys for any given alphabet length. The given examples show
you the calculation process. Notice, that property 3) became useless for the calculation process
since factors that are relative prime are separated via property 4). Subsequently, is computed
by property 1) if such factors are primes or by property 2) if they are prime powers.
Before we conclude this section with the highlight of creating a sole formula for (M) from these
four properties, we will consider 2 examples for each of the 4 properties of Euler’s -function. I
will complete the first ones and leave the second ones for you as exercises.
24
Examples for property 1): 3 and 5 are two primes.
(3)=3-1=2 as 1 and 2 are relative prime to 3.
(5)=_____ as 1,2,3,4 are relative prime to 5.
Examples for property 2): 8 and 25 are prime powers.
(8)= (23)=23 -22 =4 as 1,3,5,7 are relative prime to 8.
(25)=____________ as all integers from 1 to 24 except for 5,10,15,20 are
relatively prime to 25.
Examples for property 3): 15 and 21 are products of two primes.
(15)=(3*5)=(3-1)*(5-1)=2*4=8 as 1,2,4,7,8,11,13,14 are relative prime to 15.
(21)=________________________ as 1,2,4,5,8,10,11,13,16,17,19,20 are
relative prime to 21.
Examples for property 4): 24 and 28 are products of primes and prime powers.
(24) = (23 *3) = (23)*(3) = (23-22)*(3-1) = 4*2 = 8 as 1,5,7,11,13,17,19,23 are
relative prime to 24.
(28) = _____________________________
as 1,3,5,9,11,13,15,17,19,23,25,27 are
relative prime to 28.
Now, let’s come to the highlight of this section: I will show you in a few steps how to compute
(M) for any M from one equation instead of combining the four properties? All we need to
know are the prime divisors of M, but we don’t even need to know how often a prime number
divides M. I.e., for M=27 we just need to know that 3 is a prime divisor of 27 but not how
often it divides 27. While deriving the formula for M=60=22*3*5 in the left column I will
deduce simultaneously the explicit formula for M=p12*p2*p3 with p1 being the first prime factor
2, p2 being the second prime factor 3 and p3 being the third prime factor 5 in the right column.
We know already that:
(60) = (22*3*5)
= (22-21)*(3-1)*(5-1)
(M) = (p12* p2* p3)
= (p12- p11)*( p2-1)*( p3-1).
For the purpose of setting up an explicit formula for (M), we now try to give the three factors
(in parentheses) the same format. We factor p1=2 yielding
= 2*(2-1)*(3-1)*(5-1)
= p1* (p1- 1)*( p2-1)*( p3-1).
The three factors in the parentheses already have the same desired format, however, the single 2
destroys it. The ultimate trick to yet produce the same format is factoring: from each parentheses
we factor the first integer (which is a divisor of M) and obtain:
(60) = 22*(1 -1/2) * 3*(1 -1/3) * 5 * (1 -1/5)
(M) = p12 * (1 -1/ p1) * p2*(1 -1/ p2) * p3 * (1 -1/ p3)
= 22*3*5*(1 -1/2)*(1 -1/3)*(1 -1/5)
= p12* p2* p3*(1 -1/ p1)*(1 -1/ p2) * (1 -1/ p3)
= 60*(1 -1/2)*(1 -1/3)*(1 -1/5)
= M * (1 -1/ p1) * (1 -1/ p2) * (1 -1/ p3).
25
This is it. Notice in the last row that all we need to know are the prime factors p of M without
knowing how often they occur. We then write them in the form (1-1/p), multiply them and that
product by M yielding (M). On the right we ended up with the explicit formula for (M) when
M consists of one prime power and two primes. It surely acquires this simple form for any
number of primes or prime powers. Notice, that all we need to find are the different primes, say
p1, p2,..., pn, as our explicit formula for the number of unique encryptions appears to be:
Formula for the number of good keys for any alphabet
length M:
For an alphabet length M, there are (M) = M * (1- 1/p1) * (1- 1/p2) *…* (1- 1/pn) good keys
where each pi is a prime divisor of M.
It is really enjoyable to use this simple formula as we just need to find all prime divisors of M
and don’t have to worry about how often they occur. Therefore, a simple prime check program
would be sufficient to find the divisors p of M. We then set up the factors of the form (1- 1/p),
multiply them and eventually multiply that answer by M.
Example1:
Say M=180, then a prime check program yields the prime factors 2,3 and 5, so that
(180) = 180 * (1-1/2) * (1-1/3) * (1-1/5)
= 180 * (1/2) * (2/3) * (4/5)
= 90 * (2/3) * (4/5)
= 60 * (4/5)
= 48
Example2:
Say M=360, since 360=2*180 the prime factors are again 2,3 and 5, so that
(360) = 360 * (1-1/2) * (1-1/3) * (1-1/5)
= 360 * (1/2) * (2/3) * (4/5)
= 180 * (2/3) * (4/5)
= 120 * (4/5)
= 96
Example3 is for you:
Say M=90, since 90=____ the prime factors are _______, so that
(90) = 90 * (1-1/__) * (1-1/__) * (1-1/__)
= 90 * ____________________
= _______________
= _______________
= ___
Of course, I could have computed the answers in the above examples right away but I wanted to
give you the chance of brushing up on your skills to multiply fractions. A little computer
26
program turns out to be again very valuable as the number of good keys can be easily determined
by first finding all prime factors of M to then use the above explicit formula.
//Author: Nils Hahnfeld 10-16-99
//Program to determine
(M)using
M*(1-1/p1)*(1-1/p2)*...
#include <iostream.h>
#include <conio.h>
void main()
{
int factor, M, m;
float phi;
clrscr();
cout << "This programs uses M*(1-1/p1)*(1-1/p2)*... to calculate
phi(M)."<<endl;
cout <<
"==============================================================="<<endl;
do
{
cout << "Enter M to find the number of 'good keys' or 0 to exit: M=" ;
cin >> M;
cout << endl << "Prime Factor(s) are : " ;
m=M; factor=2;
phi= (float) M; //casting: from integer to float data type
while(factor <=M)
{
if (M%factor==0)
{
cout << factor << " ";
M/=factor;
while (M%factor==0) M/=factor; //takes out multiple factors
phi*= (1- 1/(float)factor);
}
factor++;
}
cout << endl << "phi(" << m <<")="<< phi << endl << endl << endl;
}while(M!=0);
}
Programmers remarks:
This program is an enhanced version of thr previous
one that found the bad keys as factors of M for us. If
a factor p is found we now additionally form the term
1- 1/p and multiply it to the other terms in phi*= (11/(float)factor) to eventually obtain phi.
Notice in this program that phi and M are declared as
2 different data types, yet the value of the integer
(int) variable M can be assigned to the real number
(float) variable phi in phi= (float) M; All I needed
27
to do is to write the new data type (here float) in
parenthesis right in front of the integer variable M.
This process is called type-casting and also works
when converting between any other numerical data
types. In that case you have to be aware that when you
convert from a float or a double to an integer (that
is from more a precise to a less precise data type)
the decimals are simply cut off: i.e. 3.1415927
becomes the integer 3 and we are losing precision. The
other time that we are casting in
phi*= (11/(float)factor); we don’t give up any precision (and
therefore information) as we convert from the integer
typed variable factor to the more precise real number
typed variable phi.
2.6 Introduction to Euler’s Theorem – Usage of the
Good Keys
In this section, we will discover Euler’s Theorem which is the basis for the RSA encryption that I
will introduce in chapter 5. It will be quite easy for you to grasp it since it solely deals with
properties of the familiar good keys. Let’s recall first what we know already about them.
2.6.1 Good Keys have different Orders
A brief review: In section 2.2 we observed in the reduced multiplication table MOD26 that each
encoding key that produces a unique encryption was called a good key and possesses a unique
inverse a-1, the decoding key. You can verify this by finding exactly one 1 in each row that is
produced by the multiplication of the encoding keys with its inverse a-1. Recall that an inverse of
a is that particular integer a-1 that yields 1 when multiplied by a.
Decoding key a-1
*
1
3
5
1 3 5 7 9 11 15 17 19 21 23 25
1 3 5 7 9 11 15 17 19 21 23 25
3 9 15 21 1 7 19 25 5 11 17 23
5 15 25 9 19 3 23 7 17 1 11 21
Encoding key a
28
7
9
11
15
17
19
21
23
25
7
9
11
15
17
19
21
23
25
21
1
7
19
25
5
11
17
23
9
19
3
23
7
17
1
11
21
23
11
25
1
15
3
17
5
19
11
3
21
5
23
15
7
25
17
25
21
17
9
5
1
23
19
15
1
5
9
17
21
25
3
7
11
15
23
5
21
3
11
19
1
9
3
15
1
25
11
23
9
21
7
17
7
23
3
19
9
25
15
5
5
25
19
7
1
21
15
9
3
19
17
15
11
9
7
5
3
1
Notice also that each good key occurs once in each row as well. Therefore, each row below the
top row is just a rearrangement of the integers in the top row, which is also called a permutation.
In other words: the integers 1,3,5,7,9,11,15,17,19,21,23,25 appear exactly once in each row.
Moreover, we learned in section 2.2 that the only keys that are inverse to themselves, which
means that the encoding key equals the decoding key, are 1 and 25 because 1*1=12=1 MOD 26
and 25*25=252=1 MOD26. Notice that as there are no other 1’s on the diagonal there are no
other keys that are inverse to themselves. Therefore, raising any other key except for 1 and
25 to the second power will not yield 1, however, if we raise to powers greater than 2, will
we be more successful? Will we be able to raise the good keys to powers that yield 1 MOD
26? Might there even be one 'universal’ exponent that produces 1 for each good key a? We
will check this now in detail for the good keys in Z26*, and then briefly for those in Z27* and
Z28*.
For our exponent inspection, we need a new vocabulary in order to denote that particular power
of a good key that yields the first 1.
Definition of the order of a good key:
We raise the good key a to the power of 1, 2, 3, etc.: a1, a2, a3, … We stop when the first power
yields 1 (which is guaranteed to happen for each good key and will be proved in the upcoming
Euler’s Theorem). That exponent whose power yields the first 1 is called the order of a.
or equivalently:
If as=1 for the smallest positive integer s, then “the order of the good key a is s.”
So, let’s find the orders of the good keys MOD 26.
For a=3:
32=9 and 33 = 3 * 32 = 3 * 9 = 27 MOD 26 = 1. Since all calculations are performed MOD 26,
we may just write 33=1 and therefore as a chain display:
31 -> 32 -> 33 MOD 26 or even simpler:
3 -> 9 -> 1
29
Here, the order of the good key a=3 is 3 since 33=1, which equals the length of the chain
(why?). Therefore, 36 equals also 1 since 36 = (33)2 = 12 =1. For the same reason: 312=1.
Although the exponents 6 and 12 also yield 1, none of them is the order of a=3 as none of them
is the smallest exponent that yields 1. 3 is therefore the uniquely defined order of a=3. The fact
that 36, 39 and 312 all equal 1 can easily be seen by extending the above chain display as follows:
3 -> 9 -> 1 -> 3 -> 9 -> 1 -> 3 -> 9 -> 1 -> 3 -> 9 -> 1
(31 -> 32 -> 33 -> 34 -> 35 -> 36 -> 37 -> 38 -> 39 -> 310 -> 311 -> 312)
Because of the repetitive or cyclic nature of the powers of 3, the chain can simply be displayed
as:
3
-> 9 -> 1
and the period of this chain, namely 3, equals the order of the key a=3.
For a=5:
Since 5*5=25 and 5*25=21 and 5*21=1 we get 5*5*5*5=54=1. Therefore, 4 is the order of 5
which again equals the period of the chain:
5 -> 25 -> 21 -> 1
Furthermore, 58=(54)2=12=1. Explain why 512 =1, 516 =1, 520 =1 yourself using the chain
display.
You can practice your MOD-calculation skills by computing 54=1 in an alternative way: Since 52
= 25 = -1 MOD 26, we obtain 54 = (52)2 = (-1)2 = 1 MOD 26.
Our additional search for an universal exponent that yields 1 for any good key a turns out to be
very limited: the good key a=3 has exponents 3,6,9,12,… whereas a=5 has exponents
4,8,12,16,…that yield 1. So, 12 seems to be the only possible candidate for a universal exponent.
So, let’s check if 12 works for a=7.
For a=7:
Multiplying 7 by 7 gives 72=23, 73=7*23=5, 74=7*5=9, 75=7*9=11, 76=7*11=25,
77=7*25=19, 78=7*19=3, 79=7*3=21, 710=7*21=17, 711=7*17=15 and finally 712=7*15=1.
Thus, the order of the good key a=7 is 12. Verify this on the chain display by determining the
period of the chain
7 -> 23 -> 5 -> 9 -> 11 -> 25 -> 19 -> 3 -> 21 -> 17 -> 15 -> 1
I reached every good key for an alphabet length of 26 when computing all the powers of a=7.
Precisely, raising 7 to the power of 1 then to 2, then to 3 … and finally to 12 generates all the 12
good keys, which is the reason why mathematicians call 7 a generator. It is important to specify
that 7 is a generator for Z26* because it does not generate all the good keys that are i.e. in Z28*
(Explain why not!). I will show you in much more detail the usefulness of generators in the
Abstract Algebra section.
30
As a reminder: the star in Z26* denotes the good keys for an alphabet length of M=26 or M=28,
respectively. Without the star, Z26 denotes the set of all positive integers that are less than 26.
Written out:
Z26* = {1,3,5,….,23,25} are the integers less than 26 that are relative prime to
26.
Z26 = {0,1,2,3,….,24,25} are the integers less than 26.
Although the keys a=3,5 and 7 have different orders, they all have an universal exponent of 12:
when raising these keys to the power of 12 we obtained 1: 312=1, 512=1 and 712=1. Will the tothe-power-of-12-rule hold true for the other good keys and will we, therefore, be able to discover
an universal exponent property? Let’s check this for the remaining good keys.
For a=9:
Since 92=9*9=3 and 9*3=1 so that 93=1. Thus, the order of a=9 is 3 which means that 9 is not a
generator of Z26*and you explain why again 912=1 holds true using the chain display:
9 -> 3 -> 1
and the period of 3 equals the order of 9.
For a=11:
It is your turn now. Show that the order of a=11 is 12 (which also means that 11 is a generator
of Z26*): use your windows-calculator (go to Start, then you find it in Accessories) and compute
the powers of 11 MOD 26 to complete the chain and verify that its period is 12:
11 -> 17 -> ……………………………………………………………..-> 1
Moreover, check on your windows-calculator that the to-the-power-of-12 rule also holds true for
the remaining good keys by calculating 1512=1, 1712=1, 1912=1, 2112=1, 2312=1, 2512=1. The
latter is quite easy to see as we know already that 252=1 and therefore 25 raised to any multiple k
of the exponent 2 [(252)k=1] must also yield 1. Here is a table that displays the powers of all
good keys a MOD 26:
Exponents
Good keys a
1
3
5
7
9
11
15
17
19
21
23
1
1
3
5
7
9
11
15
17
19
21
23
2
1
9
25
23
3
17
17
3
23
25
9
3
1
1
21
5
1
5
21
25
21
5
25
4
1
3
1
9
9
3
3
9
9
1
3
5
1
9
5
11
3
7
19
23
15
21
17
6
1
1
25
25
1
25
25
1
25
25
1
31
7
1
3
21
19
9
15
11
17
7
5
23
8
1
9
1
3
3
9
9
3
3
1
9
9
1
1
5
21
1
21
5
25
5
21
25
10
1
3
25
17
9
23
23
9
17
25
3
11
1
9
21
15
3
19
7
23
11
5
17
12
1
1
1
1
1
1
1
1
1
1
1
25
25
1
25
1
25
1
25
1
25
1
25
1
The order of each good key a can now easily be traced in this table. I.e. the order of a=21 is 4
since the first 1 occurs as the fourth number in the row of a=21. Notice one very important fact:
the order of each good key a is a divisor of 12. The French Mathematician J. Lagrange(17361813) was the first to observe this fact and to prove it. However, he didn’t state it particularly for
the good keys MOD 26. Mathematically, there is nothing special about the M=26. He uses an
algebraic theory, the group theory, to state his theorem in a more general manner. You will have
the pleasure to study this theory in the Abstract Algebra section at the end of this chapter.
Now, place your index finger on the first 1 in the a=3 row, the order 3 then tells us the distance
to the next 1. Jumps of length 3 bring us to the 1 when the exponent is 12. Realize, that the only
reason why we end up at the 1 is because 3 is a divisor of 12. Move your index finger now to the
first 1 in the a=5 row: the jumps of length 4 direct us again to 1 for an exponent of 12. Now, my
point is that we only end up at 1 for an exponent of 12 for all good keys because their
orders are 12 or divisors of 12. Otherwise, we would not hit 1 for an exponent of 12. I.e., say
the order of a=7 were 5, then our jumps of length 5 would yield 1 for the exponents 5,10,15, ..,
however, not for 12. In conclusion: since the order of each good key MOD 26 is a divisor of 12 guaranteed and proved in Lagrange’s Theorem - the to-the-power-of-12 rule holds true for all the
good keys MOD 26.
So, we can write our universal-exponent observations as:
12
(26)
a =a
=1 MOD 26 if a is relative prime to 26.
A brief remark: This formula holds even true for integers a that are greater than 26. I.e. a=29 is also relative prime
to 26 and 2912 =1 MOD 26. However, we don’t need to consider those integers since each of them has an equivalent
integer that is less than 26 that is relative prime to 26: i.e. 29=3 MOD 26 and using a=29 as a key produces the
same unique encryption as a=3 does.
Is there anything special about an exponent 12? Is it coincidence that the exponent of 12 is just
the amount of numbers that are relative prime to 26, namely (26)? If not, can we then
generalize our “to-the-power-of-12-rule” to the “to-the-power-of-(M)” rule for any given
alphabet length M. Let’s check this for M=27 and M=28 first:
1) For M=27:
The Euler function for prime powers yields (27) = (33) = 33 – 32 = 27 - 9 = 18. Instead
of creating a whole new multiplication table for Z27*, I simply use my windowscalculator to raise all the good keys (those that are relative prime to 27 such as
a=1,2,4,5,7,8,10,…,26) to the power of 18. I compute: 218=1, 418=1, 518=1, 718=1, 818=1,
1018=1,…, 2618=1 MOD 27. Recall that the last equation must be 1 because 26 = -1 and
thus (-1)2 = 1 and therefore 2618 = (-1)18 = ((-1)2)9 = 1^9 = 1.
Again: a18 = a(27) = 1 MOD 27 for the good keys a in Z27* =
{1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26}.
2) For M=28:
32
Then (28) = (22*7) = (22) * (7) = (22 – 21) * 6 = 12. And 312=1, 512=1, 912=1,
1112=1, 1312=1,…, 2712=1 MOD 28 is what your calculator computes so that again:
a12 = a(28) = 1 MOD 28 for the 12 good keys a in Z28* =
{1,3,5,9,11,13,15,17,19,23,25,27}.
2.6.2 Euler’s Theorem
How would you formulate the above to-the-power-of-(M)-rule as a theorem? Try to formulate
it for yourself and then continue reading!
I hope you were able to formulate it just as Leonard Euler did. His theorem rose to one of the
most famous theorems in Mathematics and became central in Cryptography:
Euler’s Theorem:
For a given alphabet length M, each integer a that is relative prime to M yields 1 MOD M when raised to the power
of (M):
a(M) =1 MOD M.
Of course, we have not proven it. Rather, we verified it for M=26, M=27 and M=28. Checking
those examples does not prove anything. A Mathematician would not be satisfied, he might say
that our calculations don’t justify a theorem, however, it does seem to be a promising conjecture.
If you pursue a math career at college, you will encounter a lot of proofs. It is not my intention to
introduce you to the many mathematical proofs, I rather want you to explore and discover many
mathematical properties yourself. Nevertheless, since the proof of Euler’s Theorem is not
difficult, I want to demonstrate it to you. Also to give you an idea of how proving a mathematical
theorem can be accomplished and thus what to expect in case you happened to find yourself in
some college math lecture:
I am first going to prove Euler’s Theorem for an alphabet length of M=5 for you. Customarily,
proving it for one particular case is not being done in Mathematics, however, it will give you a
better idea of the general proof later. When first checking one particular case of the general proof
you will be using concrete numbers that will fill the letters in the general proof with more
meaning.
2.6.3 Proof of Euler’s Theorem for an alphabet length M=5
So let’s prove Euler’s Theorem for an alphabet length of M=5. Since (5) = 4 we have to prove
that a4 =1 MOD 5 for all integers a that are relative prime to 5 which are all the good keys
a=1,2,3,4. For that purpose, we set up the multiplication table for Z5:
*
1
2
3
1
1
2
3
2
2
4
1
3
3
1
4
4
4
3
2
33
4
4
3
2
1
The first row (in blue) shows us the four good keys 1,2,3,4. In the next 3 rows, you see the
rearrangements of the 4 keys. Now, rearranging the numbers in each row leaves their
product unchanged - which is the key idea in this and later in the general proof.
Specifically, let’s take a look at the first two rows first:
1st row
1*2*3*4
row of key a=2
= 2 * 4 * 1 * 3
= (2*1) * (2*2) * (2*3) * (2*4) MOD 5
= 24 * 1 * 2 * 3 * 4
can be written as
combining the four 2’s yields
If we now divide both sides by 1 * 2 * 3 * 4 = 24, we obtain 1 on the left-hand side and 24 on the
right-hand side which proves: 24 =1 MOD 5.
We can prove 34 =1 MOD 5 similarly. We now consider the first and the third row:
1st row
row of key a=3
1*2*3*4 = 3 * 1 * 4 * 2
can be written as
= (3*1) * (3*2) * (3*3) * (3*4) MOD 5
combining the four 3’s yields
4
=3 *1*2*3*4
Again, dividing both sides by 1 * 2 * 3 * 4 yields 1 on the left-hand side and 34 on the right-hand
side which proves: 34 =1 MOD 5.
The proof of a4 =1 MOD 5 is completed if we show that 44 =1 MOD 5 and realize that 14 =1
MOD 5. This is a great exercise for you, please do both now. I will provide the set up for the
good key a=4:
1st row
1*2*3*4
row of key a=4
= _____________________
= _____________________ MOD 5
= 34 * 1 * 2 * 3 * 4
can be written as
combining the four 3’s yields
In our first generalization step we now reduce the 4 parts of our proof for M=5 to one single
more general proof.
1st row
a1 * a2 * a3 * a4
row of key a
= (a*a1) * (a*a2) * (a*a3) * (a*a4) MOD M
= a4 * a1* a2 * a3 * a4
Again, the division by a1*a2*a3*a4 on both sides yields a4=1 MOD 5 and we have completed our
proof for Euler’s Theorem when M=5. The proof of the generalized Euler’s Theorem will be of
the same format except that we will have rather (M) terms instead of the (5) = 4 terms here.
2.6.4 Proof of Euler’s Theorem:
34
If we now use an alphabet length M, then we have (M) good keys which we list as: a1, a2,
a3,…,a(M). The subscripts from 1 to (M) according to Euler’s function tell us which key we are
talking about when they are listed in order from smallest (which is always 1) up to largest (which
is (M)). In case of M=5 we would have a1=1, a2=2, a3=3 and a(5) = a4 = 4, in case of M=26
we would have a1=1, a2=3, a3=5,…, a(26)=a12= 25. For the proof, we don’t need to know their
actual values. All we really use in the proof is that there are (M) good keys whose products are
the same in each row.
We saw in the multiplication tables for the good keys when M=5 or M=26 that multiplication by
another good key a just causes a rearrangement of the (M) good keys: the row of key a contains
the integers a1, a2, a3, …,a(M) in a certain order, however, the products in all rows are the same:
1st row
a1*a2*a3*…*a(M)
row of good key a
= (a*a1) * (a*a2) * (a*a3) * … *(a*a(M)) MOD M
= a(M) * a1*a2*a3*…*a(M)
Again, dividing both sides by a1 * a2 * a3 *…* a(M) yields 1 on the left-hand side and a(M) on the
right-hand side which proves: a(M)=1 MOD M which completes the proof of Euler’s Theorem.
Here is the C++ Code for Euler’s Theorem: with this program you can check the theorem for any
entered alphabet length M and any key a. To check if a key a is a good or a bad one (i.e. if a is
relative prime to M) you can use one of the earlier C++ programs. Can you also find an a and M
such that a(M)=1
MOD M even if a is not a good key?
//Author: Nils Hahnfeld 11-3-99
//Euler's Theorem
//Warning: Incorrect answers occur for high powers (overflow problem)
#include <iostream.h>
#include <conio.h>
#include <math.h>
int gcd(int A, int B);
float phi(int m);
//required for pow() function
//prototype of the gcd function
//prototype of Euler's phi function
void main()
{
int M,a,ans,n;
clrscr();
cout << " The Euler Theorem: a^phi(M)=1 MOD M, if gcd(a,M)=1" << endl;
cout << " ==================================================" << endl;
do
{
cout << "Enter number M = ";
35
cin >> M;
cout << "Enter number a or 0 to exit: a = ";
cin >> a;
ans=(int)pow(a,phi(M));
if (gcd(a,M)==1) { cout << "a^phi(M) = "<< a <<"^" <<phi(M)<< " = "
<< ans%M << " MOD " << M << endl;}
else
{ cout << a << "and " << M << " are not relative
prime." <<endl;}
cout <<endl;
}
while(a!=0);
}
int gcd(int A, int B)
{
int R;
do
{
R=A%B;
A=B;
B=R;
} while(R!=0);
return A;
}
// definition of the gcd function
float phi(int m)
// definition of Euler's phi function
{
int factor=2;
float phi=(float)m;
while(factor<=m)
{
if (m%factor==0)
{
m/=factor;
while(m%factor==0) {m/=factor;} //cancels multiple factors
phi*= (1- 1/(float)factor);
}
factor++;
}
return phi;
}
Programmer Remarks:
1)
Notice on top that we have to include the math
library
(which
consists
of
the
most
common
mathematical functions) in order to use the power
function in ans=(int)pow(a,phi(M));
2)
The power function’s return type is double,
however, we need the power to be of type integer in
order to perform the mod calculation in ans%M. For that
reason, I have to convert the types (“type-casting”)
again in ans=(int)pow(a,phi(M));
36
3)
Now
you
are
learning
how
to
define
your
mathematical functions and how to incorporate them
into
your
main
program.
Although
very
many
mathematical functions are predefined in the math.h
library, some are not. Sometimes, we need to define
our own such that they can be used just like a library
function.
Our first function shall return the greatest common
divisor (gcd) of two entered integers (a and M), look
at its definition at the bottom of the program. Since
the greatest common divisor is an integer, the return
data type is int written in front of the function
definition: int gcd(int A, int B). The integers a and M
must be read in again as integers, called A and B, so
that all the computations inside the gcd function are
performed on A and B. Their original values are those
of a and M and change according to the procedure that
determines the gcd of A and B. This procedure is the
famous Euclidean Algorithm that I will explain to you
in the next chapter. For now, you have to believe that
it calculates the answer correctly, just as you have
to believe that your calculator computes correctly.
Once the answer is calculated, it is returned to the
main program in return A; and used in if (gcd(a,M)==1).
That means, gcd(a,M) takes the returned value of A
from our gcd function is checked if it equals 1.
The second function returns the value of Euler’s function as a real number (“float”) to the main
program in ans=(int)pow(a,phi(M)); and in … <<"^"
<<phi(M)<< " = " …
such that phi(M) in the main
program takes the value of phi in the return function.
4)
Finally, you find the “prototypes” (which are
copies of the first lines) of the two self-defined
functions right in front of the main program:
int gcd(int A, int B);
float phi(int m);
They tell the C++ compiler to be patient about the two
so far unknown functions when compiling the main
program. The compiler will now compile the main
program and expects the definition of those two
functions following the main program.
37
2.6.5 Fermat’s Little Theorem:
There is a neat exponent-simplification of Euler’s Theorem if the alphabet length M is a prime
number. Using the first property of the Euler function: (M)=M-1, if M is prime, then Euler’s
Theorem simplifies to the so-called
Fermat’s Little Theorem:
If the alphabet length P equals a prime number, each of the P-1 integers a less than P are
guaranteed to be relative prime to P (and therefore good keys) so that Euler’s Theorem
simplifies to:
aP-1=1 MOD P.
As an example check the previous section when P=5. We don’t need to prove Fermat’s Little
Theorem anymore as it is a special case of the more general Euler Theorem which we just
proved. This theorem is named after Pierre Fermat because he first discovered and prove it. It is
called little to distinguish it from Fermat’s Theorem (also called Fermat’s Last Theorem)
which states: for all integers x,y,z and n>2: xn + yn ≠ zn.
Note that n must be greater than 2 in Fermat’s Last Theorem as for n=2 we would just state the
famous Pythagorean Theorem where i.e. x=3, y=4 and z=5 is one of infinitely many solutions.
However, Fermat’s Last Theorem states the opposite, namely that you can not find integers x, y
and z that fulfill the equation for an exponent that is any integer greater than 2.
A famous anecdote is this one: Pierre Fermat (1601-1665), also the founder of the theory of
probability, claimed that he had found a proof for his theorem. But he never published it.
Supposedly, it did not fit on the page’s margin, so that nobody can be sure today if he actually
proved it or not. However, the British Mathematician Andrew Wiles became well-known
throughout the world in 1995 when he proved Fermat’s Last Theorem on more than 300 pages
after spending 6 years in isolation and fulfilling a childhood dream.
2.7 Abstract Algebra (II):
Examples of Rings and Fields
The last two sections are for those that like to have a more profound understanding of the
encryption systems and the underlying algebraic fundament. Study it thoroughly.
2.7.1 ZM forms a Ring, ZP even forms a Field
38
We learned in this chapter that all keys in ZM are good ones if M is prime. I. e. when M=29, we
saw that all the non-zero keys in Z29 = {0,1,2,3,…,28} are good keys since each one possesses an
inverse, the decoding key in Z29. However, when M=26, some of the non-zero keys in Z26 =
{0,1,2,3,…,25} do not possess an inverse in Z26. This difference in inverse characterizes the
difference between a field such as Z29 and a ring such as Z26.
To study the differences between fields and rings in more detail, let’s consider two familiar
examples of rings. We learned in the previous chapter already that Z4 and Z6 do not form
groups with respect to MOD-multiplication since there are keys a that don’t possess a
decoding key a-1 or mathematically: not every element in Z4 and Z6 possesses an inverse element.
For example, the multiplication table of Z4 shows
*
1
2
3
1
1
2
3
2
2
0
2
3
3
2
1
Only those integers that are relatively prime to M=4, namely 1 and 3, produce a 1 in their row
and are therefore called the good keys. The key a=2 does not possess a decoding key a-1 in Z4
since none of the products of a=2 with 1, 2 or 3 yields 1. In fact, it never yields an odd number.
Similarly in Z6:
*
1
2
3
4
5
1
1
2
3
4
5
2
2
4
0
2
4
3
3
0
3
0
3
4
4
2
0
4
2
5
5
4
3
2
1
We obtain a 1 in the rows for a=1 and a=5 as the only two integers that are relatively prime to 6
(the only good keys in Z6).
We can observe that if the product of two non-zero members yields 0 MOD M (i.e. 2*3 =0 MOD
6 and thus 2 and 3 are called “zero-divisors”) we can never obtain 1 in their rows. It is
impossible since multiples of the zero-divisors yield 0 over and over again and the zero-divisors
is greater than 1?
Both Z4 and Z6 are examples of rings as they each fulfill the following
Ring properties:
The set ZM forms a RING if
1. (ZM, +) forms a commutative group: The integers in ZM fulfill the four group
properties ( I) closed, II) unit element, III) inverse element, IV) associativity)
with respect to addition. V) Moreover, the addition is commutative.
2. (ZM, *) is closed: The multiplication of integers in ZM yields an integer in ZM
39
3. they fulfill the distributive property a*(b+c) = ab+ac and (a+b)*c=ac +
ab.
Notice that a Ring entails the two operations + and * whereas a group just
uses one (I.e. + or *).
Let’s check the 3 ring properties for Z6 :
1) We saw in the multiplication table of Z6 that the product of any two integers in Z6 yields an
answer that is part of Z6 aswell. This shows that the MOD-multiplication of Z6 is closed.
2) The addition table of Z6 appears as follows:
+
0
1
2
3
4
5
0
0
1
2
3
3
3
1
1
2
3
4
5
0
2
2
3
4
5
0
1
3
3
4
5
0
1
2
4
4
5
0
1
2
3
5
5
0
1
2
3
4
I)
Here you easily see that the sum of any two integers yields 0,1,2,3,4 or 5 so that the
addition is closed.
II) The unit element is 0 as adding 0 does not change the sum.
III) Each integer has an inverse as we find a 0 in every row. I.e. 1 and 5 as well as 2 and 4 are
inverse to each other.
IV) The associative property is verified by checking all possible additions such as 1+(2+3)
= (1+2)+3.
V) The addition is commutative since the addition table is symmetric with respect to the
main diagonal.
3) The distributive property is verified by checking all possible combinations such as
1*(2+3) = 1*2+1*3 and (1+2)*3=1*2 + 2*3. Notice that the distributive property checks if we
can change the order of adding and multiplying numbers MOD6. Yes, we certainly can.
If in addition to the ring properties the non-zero elements of a set also form a multiplicative
group then that set forms a field. That means in particular that each non-zero integer in ZM
possesses an inverse that itself is in ZM. I.e. Z5 ={0,1,2,3,4}forms a field since each member in
Z5 with the exception of 0 has an inverse in Z5. You can observe this by finding a 1 in each row.
For instance, 3 and 2 are inverse MOD 5. The 0 is excluded since it turns any product into 0 and
thus does not even have a chance to have an inverse.
40
*
1
2
3
4
1
1
2
3
4
2
2
4
1
3
3
3
1
4
2
4
4
3
2
1
Field properties:
The set ZM forms a FIELD F if
1. (ZM, +) forms a commutative group: The integers in ZM fulfill the four group
properties (closed, unit element, inverse element, associativity) with respect to
addition. Moreover, the addition is commutative.
2. (ZM*, *) forms a group: The non-zero integers in ZM fulfill the four group
properties (closed, unit element, inverse element, associativity) with respect to
multiplication.
3. they fulfill the distributive property a*(b+c) = ab+ac and (a+b)*c=ac + ab.
Notice that every field is also a ring. A field has the additional property that
each field element possesses a multiplicative inverse.
Another example for a field is Z7 :
*
1
2
3
4
5
6
1
2
3
4
5
6
1
2
4
6
1
3
5
2
3
6
2
5
1
4
3
4
1
5
2
6
3
4
5
3
1
6
4
2
5
6
5
4
3
2
1
6
Remark: Z5 and Z7 are even commutative or abelian groups with respect to multiplication and are therefore
called commutative fields.
It is your turn now to show that Z7 forms a field. In order to verify property 1): ”The non-zero
elements in Z7 form a multiplicative group” use the above table. To verify property 2) “ Z7 forms
an additive group” complete the following addition table:
+
0
1
2
3
4
5
6
0
1
1
2
3
4
4
5
6
0
6
2
4
6
4
Notice in our examples that ZM forms a field if M is a prime number, and a ring if M is not. Let
me show you why this is always true. I.e.: when M=6 the second row of the multiplication table
41
shows the sequence 0,2,4,0,2,4. Since the multiples of 2 yield 0 (i.e. 2*3 = 0 MOD 6 and 2 is
called a “zero divisor”) repeatedly and thus never 1, it is impossible for 2 to have a multiplicative
inverse. Therefore, Z6 can not be a field:
*
1
2
1
1
2
2
2
4
3
3
0
4
4
2
5
5
4
In fact, any set ZM for a non-prime integer M possesses at least 2 divisors of M (why?). Those
divisors are therefore zero divisors MOD M, thus, they can not have any multiplicative inverses
and make it therefore impossible for ZM to be a field.
However, if M is prime, each integer a from 1 to M-1 is relative prime to M and thus is a good
key of ZM (observe the permutations in each row for Z5 and Z7). Take a good key different from
1 and multiply it by itself, that product must be another good key a since the multiplication of
good keys is closed (since ZM is a multiplicative group). Now continuing to multiply the product
must eventually yield 1 which is what Fermat’s little Theorem teaches us. The worst case would
be to multiply the good key a M-1 times by itself (in which case a turns out to be a generator of
ZM). What matters is that a produces 1 after say k multiplications so that ak=1 MOD M. The
inverse of a must then be the member ak -1 since a*ak-1 =1 MOD M. Therefore, every member in
must have an inverse in ZM which is needed for a field.
We can now conclude this section with a
Criterion for rings and fields when performing MOD
arithmetic:
ZM forms a ring, if M is not a prime number (i.e. Z4 , Z6, Z8, Z9,…) .
ZM forms a field, if M is a prime number (i.e. Z2, Z3, Z5, Z7,…) .
In order to distinguish we denote the fields ZP and the rings ZM.
Remark: Notice that Fermat’s Little Theorem aP-1 = 1 MOD P is true for all fields ZP as all keys in ZP are guaranteed to be good
keys. Euler’s Theorem a(M)=1 MOD M, however, is only true if we restrict ZM to the good keys which are the ones that are
relative prime to M, denoted as ZM*. Does ZM* form a ring or a field? Or neither? I will answer this question in the next section.
What does all that mean? In order to decide right away if a given alphabet length M forms a ring
or a field - and to therefore know if all keys are good keys - we just need to check if M is a prime
number or not. Again, this sounds like a perfect computer task. It is. Input an integer M and let
your program check if it is divisible by an integer that is less than M and greater than 1. If so, M
is not prime, otherwise M is prime.
Let me show you my prime check program in C++:
//Prime Checking Program
//Author: Nils Hahnfeld, 11/08/99
#include<iostream.h>
42
#include<conio.h>
void main()
{
int M,factor=2;
clrscr();
cout << "Enter integer M= ";
cin >> M;
while (factor<M && M%factor!=0)
{
factor++;
//increment factor by 1 as long
}
//as it does not divide M evenly.
if (factor==M) {cout << M << " is prime" << endl;}
else
{cout << M << " is not prime" << endl;}
getch();
}
Programmer’s Remarks:
1) The search for divisors of M is straightforward: I simply
check all integers between 2 and M-1 as factors of M.
Notice that I am using 2 conditions in the while
statement: the && represent the logical “and” so that
both conditions need to be fulfilled in order to enter
the while loop. The logical “or” is represented by ||.
2) If the first condition factor<M
is not fulfilled it
would not make sense to also check the second as both
would have to be fulfilled. Also, C++ is not trained to
also check the second condition if the first condition
was not fulfilled. This “shortcut” is called shortcircuiting and becomes even more useful when several
conditions have to be checked in order to enter a loop.
Similarly, the short-circuiting concept holds true for
the logical or: if the first or the second condition is
already fulfilled the following conditions don’t need to
be checked anymore as one fulfilled condition suffices.
2.7.2 The Good Keys of ZM form a Multiplicative
Group
We just learned that for a prime alphabet length P all keys in ZP are good ones and thus form a
field. So, what about if M is not prime and we only use the good keys in ZM? Sounds like a good
try. As an example, let’s go back to the reduced multiplication table MOD 26 where we limited
43
ourselves to the rows and the columns of the good keys. That are those keys that are relatively
prime to 26, denoted as Z26* ={1,3,5,7,9,11,15,17,19,21,23,25}
*
1
3
5
7
9
11
15
17
19
21
23
25
1
1
3
5
7
9
11
15
17
19
21
23
25
3
3
9
15
21
1
7
19
25
5
11
17
23
5
5
15
25
9
19
3
23
7
17
1
11
21
7
7
21
9
23
11
25
1
15
3
17
5
19
9
9
1
19
11
3
21
5
23
15
7
25
17
11
11
7
3
25
21
17
9
5
1
23
19
15
15
15
19
23
1
5
9
17
21
25
3
7
11
17
17
25
7
15
23
5
21
3
11
19
1
9
19
19
5
17
3
15
1
25
11
23
9
21
7
21
21
11
1
17
7
23
3
19
9
25
15
5
23
23
17
11
5
25
19
7
1
21
15
9
3
25
25
23
21
19
17
15
11
9
7
5
3
1
Notice that each row contains a 1, the unit element, and that therefore each encoding key a
possesses a unique decoding key a-1 as the inverse of a. Verifying the associative and the
commutative properties we can see that these good keys form a commutative group with respect
to multiplication. So far, everything looks promising that Z26* will form a field. Additionally, the
keys would have to form a commutative group with respect to addition. So let’s make up the
corresponding addition table and check it:
+
1
3
5
7
9
11
15
17
19
21
23
25
1
2
4
6
8
10
12
16
18
20
22
24
0
3
4
6
8
10
12
14
18
20
22
24
0
2
5
6
8
10
12
14
16
20
22
24
0
2
4
7
8
10
12
14
16
18
22
24
0
2
4
6
9
10
12
14
16
18
20
24
0
2
4
6
8
11
12
14
16
18
20
22
0
2
4
6
8
10
15
16
18
20
22
24
0
4
6
8
10
12
14
17
18
20
22
24
0
2
6
8
10
12
14
16
19
20
22
24
0
2
4
8
10
12
14
16
18
21
22
24
0
2
4
6
10
12
14
16
18
20
23
24
0
2
4
6
8
12
14
16
18
20
22
25
0
2
4
6
8
10
14
16
18
20
22
24
The MOD 26 addition is commutative and associative since the regular integer addition is.
However, the addition is not even closed as the calculated sums are not good keys themselves.
In particular, the unit element 0 is not in Z26*. Of course, if only one of the group properties is
not fulfilled then the good keys of Z26 can not form a group with respect to addition. And even
though they do form a commutative group with respect to multiplication as we saw earlier, they
can not form a field which would require both and would have been mathematical perfection.
And even the second best to perfection, a ring, is not formed by the good keys of Z26 since the
addition is not closed (property 2).
44
We can now enhance the criterion from the previous section of major Abstract Algebra concepts
when performing MOD calculation.
Criterion for group, rings and fields when doing MODarithmetic:
ZM forms a ring, if M is not a prime number (i.e. Z4 , Z6, Z8, Z9,…)
.
ZP forms a field for a prime number P (i.e. Z2, Z3, Z5, Z7,…).
ZM* (consisting only of the good keys in ZM) forms a commutative
multiplicative group for any integer M, but not an additive group
and therefore neither a ring nor a field.
2.8. Group Theory and Lagrange’s Theorem
In this last section, I will show you that Euler’s Theorem is a result of the more general Theorem of Lagrange which
states: “The order of each good key a is a divisor of (M)”. Since Lagrange's Theorem is rooted in the theory of
groups and subgroups, I will first introduce you to that theory.
Euler’s Theorem for an alphabet length of M=26 states
(26)
12
a
= a = 1 MOD 26 for all good keys a.
Why is it a result of Lagrange’s Theorem? To understand it we have to study the order of the good keys:
Exponents
Good keys a
1
3
5
7
9
11
15
17
19
21
23
25
1
1
3
5
7
9
11
15
17
19
21
23
25
2
1
9
25
23
3
17
17
3
23
25
9
1
3
1
1
21
5
1
5
21
25
21
5
25
25
4
1
3
1
9
9
3
3
9
9
1
3
1
5
1
9
5
11
3
7
19
23
15
21
17
25
6
1
1
25
25
1
25
25
1
25
25
1
1
7
1
3
21
19
9
15
11
17
7
5
23
25
8
1
9
1
3
3
9
9
3
3
1
9
1
9
1
1
5
21
1
21
5
25
5
21
25
25
10
1
3
25
17
9
23
23
9
17
25
3
1
11
1
9
21
15
3
19
7
23
11
5
17
25
12
1
1
1
1
1
1
1
1
1
1
1
1
Table2.8A
The bold 1’s in each row display where jumps of length that equal the order of that key lead you
to. Notice that it is necessary that the jump length s must be a divisor of the number of good
keys, 12=(26) in order to fulfill Euler’s Theorem. I.e. consider the row for a=3: The arrows
45
show you the jumps of length 3 lead us from 3 to 6 to 9 to 12. Surely, this only works since we
started off at the right position: the exponent 0 (that is not displayed in the table, it would be an
additional column left to the a=1 column.) yields a0=1 for any a. Otherwise, when starting off
from a different position or jumping with a jump length that does not equal the order of a good
key (i.e. 5 or 7), we would not arrive at the 1 for the exponent 12.
From the table, we can read off the order for each good key:
Good
key a
1
3
5
7
9
11
15
17
19
21
23
25
is of
order
1
3
4
12
3
12
12
6
12
4
6
2
When studying this table, it naturally poses some questions:
1. Is every divisor of the number of members in ZM*, here 12, an order of some good key?
2. Why is the occurrence of each order of a good key an even number except for 1 and 2?
3. Why do pairs of encoding and decoding keys (i.e. 17 and 23 or 3 and 9 or 7 and 15) have the same order?
We will be able to answer the last two questions once we embed this table in a more general theory, the group
theory. Looking at the powers of the good keys when M=27 and M=28 will help answering the first question:
For M=27, The good keys a are {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26} and their
powers with exponent 18=(27) all equal 1 – just what Euler taught us in his Theorem:
Exponents
Good
keys a
1
2
4
5
7
8
10
11
13
14
16
17
19
20
1
1
2
4
5
7
8
10
11
13
14
16
17
19
20
2
1
4
16
25
22
10
19
13
7
7
13
19
10
22
3
1
8
10
17
19
26
1
8
10
17
19
26
1
8
4
1
16
13
4
25
19
10
7
22
22
7
10
19
25
5
1
5
25
20
13
17
19
23
16
11
4
8
10
14
6
1
10
19
19
10
1
1
10
19
19
10
1
1
10
7
1
20
22
14
16
8
10
2
4
23
25
17
19
11
8
1
13
7
16
4
10
19
22
25
25
22
19
10
4
46
9
1
26
1
26
1
26
1
26
1
26
1
26
1
26
10
1
25
4
22
7
19
10
16
13
13
16
10
19
7
11
1
23
16
2
22
17
19
14
7
20
13
8
10
5
12
1
19
10
10
19
1
1
19
10
10
19
1
1
19
13
1
11
13
23
25
8
10
20
22
5
7
17
19
2
14
1
22
25
7
13
10
19
4
16
16
4
19
10
13
15
1
17
19
8
10
26
1
17
19
8
10
26
1
17
16
1
7
22
13
16
19
10
25
4
4
25
10
19
16
17
1
14
7
11
4
17
19
5
25
2
22
8
10
23
18
1
1
1
1
1
1
1
1
1
1
1
1
1
1
22
23
25
26
22
23
25
26
25
16
4
1
10
17
19
26
4
13
16
1
7
2
22
26
19
19
10
1
13
5
7
26
16
7
13
1
1
26
1
26
22
4
25
1
25
11
4
26
10
10
19
1
4
14
16
26
7
25
22
1
19
8
10
26
13
22
7
1
16
20
13
26
1
1
1
1
Table2.8B
Good
key a
1
2
4
5
7
8
10
11
13
15
16
17
19
20
22
23
25
26
is of
order
1
18
9
18
9
6
3
18
9
18
9
6
3
18
9
18
9
2
Notice that, again, the orders 1,2,3,6,9 and 18 are all divisors of 18.
For M=28, the good keys a are {1,3,5,9,11,13,15,17,19,23,25,27} and their powers with
exponent 12=(28) are again in accordance with Euler’s Theorem:
Exponents
Good
keys a
1
3
5
9
11
13
15
17
19
23
25
27
1
1
3
5
9
11
13
15
17
19
23
25
27
2
1
9
25
25
9
1
1
9
25
25
9
1
3
1
27
13
1
15
13
15
13
27
15
1
27
4
1
25
9
9
25
1
1
25
9
9
25
1
5
1
19
17
25
23
13
15
5
3
11
9
27
Table2.8C
47
6
1
1
1
1
1
1
1
1
1
1
1
1
7
1
3
5
9
11
13
15
17
19
23
25
27
8
1
9
25
25
9
1
1
9
25
25
9
1
9
1
27
13
1
15
13
15
13
27
15
1
27
10
1
25
9
9
25
1
1
25
9
9
25
1
11
1
19
17
25
23
13
15
5
3
11
9
27
12
1
1
1
1
1
1
1
1
1
1
1
1
Let’s verify the orders of the good keys for M=28:
Good
key a
1
3
5
9
11
13
15
17
19
23
25
27
is of
order
1
6
6
3
6
2
2
6
6
6
3
2
Notice that, again, the orders 1,2,3 and 6 are all divisors of 18. However, the answer to question
1 is a clear “No”: 12 as one divisor of the number of good keys, namely 12, does not occur here:
There is no big jump of length 12 that brings us to a 1 in the rightmost column. That is what
M=26 has and what M=28 does not have and it will make a big difference as you will see in the
section on cyclic groups. Additionally, 4 does not occur as another divisors of 12.
2.8.1 SUBGROUPS are Subsets of Groups with Group
Properties
For M=26, the powers of the good key a=3 are 3, 9 and 1, the powers of the good key a=5 are
5, 25, 21 and 1. Both sets of integers are examples of subgroups of the group Z26* =
{1,3,5,7,9,11,15,17,19,21,23,25}. You can imagine the
Two conditions for a subgroup:
1) the numbers in the subgroup must be part of Z26* and
2) they themselves fulfill the 4 group properties.
Let’s verify the 2 subgroup conditions for the subset S3={3,9,1}.
1) is true as 3,9,1 are in Z26*.
Let’s check 2):
I.
Closure: The multiplication in S3 is closed as all the possible products 3, 9 and 1 are
again in S3. Verify this in the multiplication table of S3:
*
3
9
1
9
1
3
3
1
3
9
9
3
9
1
1
48
II.
Associativity: Because the regular multiplication of integers is associative, the
multiplication MOD 26 is associative.
III.
Unit element: The unique unit element is 1 as you can see in the table.
IV.
Inverse element: Each element in S3 possesses an inverse element that is in S3. To verify
this, for each member of S3 in the left column find the unit element 1 in its row. Then go
up that column to find its inverse in S3. In that way, you find that the inverse of 3 is 9 as
3*9 = 1 MOD 26. 9 is the inverse of 3 for the same reason. 1 is inverse to itself and we
verified that S3 is a subgroup of Z26*.
Now it is your turn to show in a similar manner that S5 = {5,25,21,1} forms a subgroup of Z26*.
Start right now by completing the multiplication table for S5 and then verify condition 1) and the
four group properties in 2).
*
5
25
21
1
5
25
25
21
1
5
1
1
1
2.8.2 Finite and Infinite (Sub)Groups
There are 2 types of (sub)groups: finite and infinite ones.
Example1: the set of all positive and negative integers is an infinite group with respect to
addition as there is an infinite amount of such integers. All the even integers form an infinite
subgroup of the above group as it contains infinitely many even numbers. Checking that they
form a subgroup is quite easy, so let’s do it:
1) All even numbers are clearly in the set of all integers.
I)
The addition of integers is closed as all possible sums of 2 even integers yields
another integer.
II)
I. e.: 2 + (4 + 8) = (2 + 4) + 8 or generally: a + (b + c) = (a + b) + c for all even integers show their
associative property.
III)
IV)
The unit element is 0 as addition by 0 does not change the sum (I.e. 2+0=2 or 0+8=8).
The inverse of an even integer c, c-1, is the same integer of opposite sign, -c, so that
their sum yields the unit element 0. I. e.: c=6, then c-1=-6, since 6 + (-6) =0
We will, however, deal exclusively with finite groups and subgroups as we are dealing with
finite alphabet lengths and therefore with a finite amount of good keys. This requires new
vocabulary:
49
Definition:
The order of a (sub)group is the number of its members.
Example1: The order of Z26= {0,1,2,3,…,25} is 26, the order of Z26* = {1,3,5,..,25} is
(26)=12.
Example2: The order of ZM= {0,1,2,3,…,M-1} is M, the order of ZM* is (M).
Example3: The order of the subgroup S3={3,9,1} is 3, the order of S5={5,25,21,1} is 4.
I want to acquaint you with 1 useful subgroup criterion. It can be used to decide in a quick
manner whether a subset of a group G forms a subgroup of G or not. It is a very powerful one as
it only checks for the finiteness and closeness of a subset and not for the unit or inverse elements.
1. Subgroup Theorem:
If the subset S of the group G is finite and closed then S is a subgroup.
Example1: The finite subset S3={3,9,1} is closed under multiplication as we checked earlier
which shows that it is a subgroup of Z26*. It is a subgroup of S23={23,9,25,3,17,1} which itself
is a subgroup of Z26*.
Example2 is for you: Is the finite subset S23={23,9,25,3,17,1} closed and thus forms a
subgroup? To verify this, fill in the multiplication table below:
*
23
9
25
3
17
1
23
9
25
3
3
17
1
1
17
25
17
23
Counter example1: Say we add take out the 9 in S3 to get the subset T={1,3}. Although the
products 1*3, 3*1 and 1*1 are all in T, 3*3=9 is not in T. Therefore, the 1. Subgroup theorem
can not be applied. Of course, T is not a subgroup since it is not closed which is the 1. condition
for groups.
Counter example2: Say we add the good key 5 to S3 to get the subset T={3,9,1,5}. The
multiplication is not closed as i.e. 3*5=15 is not in T, therefore, the 1. Subgroup theorem can not
be applied. In fact, T is not a subgroup since T is not closed, also 5 does not possess an inverse in
T.
50
Counter example3: The set of all integers forms a group with respect to addition. The positive
integers including 0 form a subset of all integers. The addition is closed and thus the second
condition of the criterion is fulfilled, however, the first one is not. The subset is not finite as
there is an infinite number of positive integers. In fact, the non-negative integers don’t form a
subgroup as no positive integer possesses an inverse.
2.8.3. Cyclic (Sub)Groups
It is easy to observe in Table2.8A that all the 12 subgroups of Z26* are cyclic, which loosely
stated means, that the numbers start repeating after all members are reached. This can be best
seen using the chain display of the powers in the following 3 examples. The order of the good
key a then tells us the order of the subgroup generated by a.
Observe this in the following three examples:
a=3:
3 -> 9 -> 1
The order of a=3 is 3 which equals the order of S3,
and a=3 generates S3.
5 -> 25 -> 21 -> 1
a=5:
The order of a=5 equals the order of S5,
namely 4, and a=5 generates S5.
Although the subgroup S7 is not a proper subset of Z26* (since it equals Z26*) it is a subset
of Z26*. Thus, S7, has an order of 12 and 7 is a generator of S7 (since it generates Z26*).
All 3 examples show that each subgroup is generated when the generator, which we now name
the good key g, is raised to the power of 1, then 2, then 3, …until we obtain the unit element 1.
In that moment, the entire subgroup is generated by that good key g. I.e. we can write a cyclic
group with 12 members as
Gg = { g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1}
This leads us now to the official
Definition of cyclic (sub)groups:
Cyclic (sub)groups are (sub)groups that can be generated by at least one member g.
Example1: The subgroups S3={3,9,1}, S5={5,25,21,1} and S7 (= Z26*) are cyclic since they can
be generated by 3, 5 and 7 (or 11, 15, 19) respectively.
Example2: {0,1,2,3,…,M-1} is a finite group with respect to addition and can be generated by
1.
Example3: The subgroup of all even integers can be generated by 2 or –2 and is thus an example
for an infinite cyclic group.
51
Counter example1: Verify in Table2.8C that the group Z28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23,
25, 27} is not cyclic since none of the good keys generates Z28*. Certainly, subgroups of Z28* are
generated by each of the good keys in Z28*, however, none of them generates the entire group
Z28*.
When is a group ZM* cyclic? With other words: How can we choose our alphabet length
M so that ZM* turns out to be a cyclic group? We investigate this by trying many, many different
alphabet lengths. Let’s imagine we are one of the greatest Mathematicians trying to find some
pattern in our list. My foregoing is the following: I underlined the generators in each group. If
none are underlined, then the group is not cyclic and I then colored that group gray. I left some
blanks for you as an exercise to fill in.
Multiplicative Groups ZM*
Z2*={1}
Z3*={1,2}
Z4*={1,3}
Z5*={1,2,3,4}
Z6*={1,5}
Z7*={1,2,3,4,5,6}
Z8*={1,3,5,7}
Z9*={1,2,4,5,7,8}
Z10*={1,3,7,9}
Z11*={1,2,3,4,5,6,7,8,9,10}
Z12*={1,5,7,11}
Z13*={1,2,3,4,5,6,7,8,9,10,11,12}
Z14*={1,3,5,9,11,13}
Z15*={1,2,4,7,8,11,13,14}
Z16*={1,3,5,7,9,11,13,15}
Z17*={1,2,3,4,5,6,7,8,9,10,11,12,13,14,
15,16}
Z18*={1,5,7,11,13,17}
Z19*={1,2,3,4,5,6,7,8,9,10,11,12,13,14,
15,16,17,18}
Z20*={1,3,7,9,11,13,17,19}
Z21*={1,2,4,5,8,10,11,13,16,17,19,20}
Z22*={_____________________}
Z23*={1,2,3,4,5,6,7,8,9,10,11,12,13,14,
15,16,17,18,19,20,21,22}
Z24*={1,5,7,11,13,17,19,23}
Z25*={1,2,3,4,6,7,8,9,11,12,13,14,16,1
7,18,19,21,22,23,24}
52
Factors of M
2
3
4=2*2
5
6=2*3
7
8=2*2*2
9=3*3
10=2*5
11
12=2*2*3
13
14=2*7
15=3*5
16=2*2*2*2
17
18=2*3*3
19
20=2*2*5
21=3*7
22=____
23
24=______
25=5*5
Z26*={__________________________
_}
Z27*={1,2,4,5,7,8,10,11,13,14,16,17,19
,20,22,23,25,26}
Z28*={1,3,5,9,11,13,15,17,19,23,25,27
}
Z29*={1,2,3,4,5,6,7,8,9,10,11,12,13,14,
15,16,17,18,19,20,21,22,23,24,25,26,2
7,28}
Z30*={____________________}
Z31*={1,2,3,4,5,6,7,8,9,10,11,12,13,14,
15,16,17,18,19,20,21,22,23,24,25,26,2
7,28,29,30}
Z32*={1,3,5,7,9,11,13,15,17,19,21,23,2
5,27,29,31}
Z33*={1,2,4,5,7,8,10,13,14,16,17,19,20
,23,25,26,28,29,31,32}
26=2*13
27=______
28=2*2*7
29
30=2*3*5
31
32=______
33=3*11
Question for you: Which ZM* are not cyclic? Well, that was the easy part: all the gray M ones
have no generator and are therefore not cyclic. What don’t these M have that the other M’s have?
It must have something to do with the factors of M which is the reason why I created the 2nd
column. But what exactly? Before you continue reading try to come up with a good guess.
What do you observe? I observed, that all multiples of 4 except for 4 itself yield non-cyclic
group. Thus, all the M that contain an factor 2*2 yield non-cyclic groups. Also, M=21=3*7 and
M=3*11 suggest that products of two primes yield non-cyclic groups. Attention: 2*7, 2*11, 2*13
are also products of 2 primes, so I better say that the product of two odd primes yields a noncyclic group. What about the non-cyclic 30=2*3*5? It also contains a product of two odd
primes. So, I better say that
If M contains a product of two odd primes or is a multiple of 4 then ZM* is non-cyclic.
And vice versa, which M yield cyclic groups ZM*? How can we express them? Even though
expressing the non-cyclic ZM* is easy we still want to express the cyclic ones. So, let’s do it: If
M is prime ZM* is cyclic. Also, all the products of the same prime yield a cyclic ZM* such as
M=5*5 or M=3*3 and even for M=3*3*3. They are called prime powers. Also, multiplying the
prime powers by 2 is allowed such as M=2*3*3. Remember that products of two different odd
primes such as M=3*5 or M=3*7 is not allowed. Let’s not forget that M=2 and M=4 yield cyclic
groups. That is it, no other products are allowed. It is time to formulate our conjecture:
If M equals 2 or 4 or pn or 2*pn for some odd prime, then ZM* is cyclic.
In fact, that is it. Surely, to be on the safe side we should continue our list and check for further
non-cyclic groups. It wrote a little C++ program that simply checks if ZM* contains a generator
53
or not. I will show it to you now. Remember that this theorem can not just be based on checking
and guessing. What if we oversaw a certain case that did not show up in our examples (i.e. If M
is a multiple of 1347, ZM* is non-cyclic)?
Time for a few words on mathematical proofs: In Mathematics, we are aiming for guaranteed
true results that can never be disproved. Thus, theorems have to be air tight. And we make them
air tight by proving them i.e. the way we proved Euler’s Theorem for any alphabet length M.
Self-created proofs may make sense to us, but they are only accepted if nobody in the whole
Mathematics society can find a mistake or a counterexample. For example, the 300-page-proof
of Fermat’s Last Theorem by Andrew Wiles was inspected by about 10 Mathematicians that
spent more than half a year to understand Wiles’ reasoning. At the end, nobody could prove him
wrong, thus, the proof was accepted or true. This conclusion I leave up to you.
Here is the C++ program that checks if ZM* possesses a generator and is therefore cyclic:
#include <iostream.h>
#include <conio.h>
#include <math.h>
int gcd(int A, int B)
{
int R;
do
{
R=A%B;
A=B;
B=R;
} while(R!=0);
return A;
}
void main()
{
int M,i,p1,p2,counter,phi=1;
long int K;
clrscr();
cout << "Enter number M = ";
cin >> M;
cout << "Relative prime are: 1 ";
for(i=2;i<M;i++)
{
if (gcd(i,M)==1)
{
cout << i << " ";
phi++;
}
else if (M%i==0)
{
p1=i;
if (M%(p1*p1)!=0) p2=M/i;
}
}
cout << endl;
54
cout << "phi(" << M << ")=" << phi << endl;
if (phi==M-1) cout << M << " is prime"<< endl;
if (phi==(p1-1)*(p2-1)) cout << M << " = "<< p1 << " * " << p2 << endl;
cout << endl;
for (i=2;i<M;i++)
{
if (gcd(i,M)==1)
{
K=(i*i)%M;
counter=2;
while (K!=1)
{
K=(K*i)%M;
counter++;
}
}
if (counter==phi) cout << i << " is a generator" << endl;
counter=1;
}
getch();
}
Programmer’s Remarks:
How can we find generators? Recall that
good key whose order equals the group
means, in particular, that the powers of
1 for the exponent (M) and not 1 for any
a generator is
a
order (M). That
the good key yield
smaller exponent.
Let me now explain to you how I find the generators. The
above program is identical to the program used earlier to
find the good keys and their number, I just added the
bottom part starting at the second for-loop. I first check
if the key i is a good keys in if (gcd(i,M)==1). If so, I
start raising i to the second power MOD M and set the
counter equal to the current exponent 2 in
K=(i*i)%M;
counter=2;
If the power equals already 1 we fail the while-loop check
in while (K!=1) and i can not be a generator if (M)> 2. i
is, however, a generator if (M)=2. Since i=1 can never be
a generator (except in the subgroup S={1}), I started the
for-loop at i=2 in for (i=2;i<M;i++).
If, however, the power is different from 1, I just keep
raising to higher powers MOD M in
while (K!=1)
{
K=(K*i)%M;
counter++;
}
55
until reaching the first 1. The counter that was increased
by 1 each time I entered the loop then tells me the correct
exponent of that power. Finally, I just need to check if
that exponent equals (M) in if (counter==phi). If so, I
found a generator of ZM*, I output it and check the next
key. I stop checking when i=M-1.
Three easy yet important facts of cyclic groups:
1)The order of a generator g equals the order of the subgroup that is generated by g.
As you can observe in our examples: a generator g generates all the members in a subgroup. The
order of a generator is that exponent, s, which makes the power of g equal to 1 for the first time.
These generated s elements now form a subgroup whose order therefore is s.
2) Each subgroup S of a cyclic group G must itself be cyclic.
To see this consider all the elements of S. They can all be expressed as powers of g. Let k be the
least positive power of g that is in S. If not every element is a power of gk then there is some
element gm where m is positive and not a multiple of k. Let p be the greatest multiple of k that is
less than m. Then m - p is less than k. But this means that gm • g-p = gm-p is in S. This contradicts
the choice of k as the smallest positive power of g in the subgroup. Thus all elements of S are
generated by gk and S is cyclic.
Example1: Z26*={1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} has i.e. the cyclic subgroups
S3={3,9,1}, S5={5,25,21,1}.
3) A group G of prime order must be cyclic.
This is a result of Lagrange’s Theorem: If G is a group of prime order p then take any nonidentity element g and look at the subgroup generated by it. The order of the subgroup must be a
divisor of the order of G (Lagrange's Theorem) but since G is of prime p order the only divisors
of p are 1 and p itself. Since g isn't the identity the subgroup it generates must have more than
one element. Therefore, its order must be p and it must be G itself, thus, G is cyclic. Furthermore
since the choice of g was only limited by not being the identity it follows that G can be generated
by any of its elements other than the identity element.
Examples for multiplicative groups ZM* of prime order are very limited since Euler’s –function
teaches us that the orders of ZM* are all even integers except when M=2. 2 is the only even prime
number so that only Z4* = {1,3} and Z6* = {1,5} turn out to be the only examples to consider. 3
and 5 are generators in their respective groups which suffices to show that they both are cyclic.
We find, however, plenty of examples among the additive groups ZM. If only M is prime p, Zp
consists of the p members 0,1,2,…p-1 and is therefore of prime order. Let’s take a look at Z7.
Example1: Z7 has the 7 members 0,1,2,3,4,5 and 6. You can observe the cyclic nature of Z7 as
each previous row or column is cycled one shift to the right or down.
+
0
1
2
3
4
5
56
6
0
1
2
3
4
5
6
0
1
2
3
4
5
6
1
2
3
4
5
6
0
2
3
4
5
6
0
1
3
4
5
6
0
1
2
4
5
6
0
1
2
3
5
6
0
1
2
3
4
6
0
1
2
3
4
5
Although Z7* ={1,2,3,4,5,6} is not of prime order. You are right, it is therefore not an example
for the third fact of cyclic groups. However, even though the prime condition is not fulfilled it is
yet cyclic which you can not see right away in the following multiplication table:
*
1
2
3
4
5
6
1
1
2
3
4
5
6
2
2
4
6
1
3
5
3
3
6
2
5
1
4
4
4
1
5
2
6
3
5
5
3
1
6
4
2
6
6
5
4
3
2
1
The trick is here that we can make the cyclic nature of Z7* visible by rearranging the table as
follows:
*
1
5
4
6
2
3
1
1
5
4
6
2
3
5
5
4
6
2
3
1
4
4
6
2
3
1
5
6
6
2
3
1
5
4
2
2
3
1
5
4
6
3
3
5
5
4
6
2
Now we can see: neighboring rows and columns are again cycled forward one space.
2.8.4 How to determine the Order of Cyclic Subgroups
Per definition, cyclic groups and their subgroups can be generated by at least one of their
members. Vice versa, every group member generates some subgroup. Its order is a divisor of the
group order. I want to show you a very easy way to compute the order of a subgroup that
was generated by one of its generators g.
Let’s consider the familiar multiplicative group Z26*={1,3,5,7,9,11,15,17,19,21,23,25}. Since it
is cyclic it can be generated by at least one member. We learned already that 7, 11, 15 and 19 are
generators of Z26*. So let’s pick g=7 to generate S7=Z26*:
7 -> 23 -> 5 -> 9 ->11 -> 25 -> 19 ->3 -> 21 -> 17 -> 15 -> 1
We can rewrite this as:
S7 = {7, 23, 5, 9, 11, 25, 19, 3, 21, 17, 15, 1}
=
{7, 72, 73, 74, 75, 76, 77, 78, 79, 710, 711, 712=1}
57
=
{g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1}
I.e. 23 equals 72, 5 equals 73 MOD 26. Therefore, we may write 23=g2 and 5=g3 when using the
generator g=7. The purpose of writing each good key as a power of the generator g=7 is to
determine the order of the subgroup generated by that good key. I.e.: Since 23=g2, the order of
23 and therefore the order of the subgroup generated by 23 must be 6 as 236 = (g2)6 = g12 = 1.
And the 6 subgroup members as powers of 23=g2 are S23 = {g2, g4, g6, g8, g10, g12=1} = {23, 9,
25, 3, 17, 1}. Notice that the exponent of the generator 23=g2, namely 2, gives the jump length
and the number of jumps that guides us to the desired exponent 12 equals the order of the
subgroup S23, namely 6.
The order of the subgroup generated by 5=g3 is 4 since 54 = (g3)4 = g12 = 1. The 4 subgroup
members are S5 = {g3, g6, g9, g12=1} = {5, 25, 21, 1} – obtained by 4 jumps each of length 3.
It is your turn now, fill in the blanks: The order of the subgroup generated by 9 is __ since
(g4)_ = g12 = 1. The __ subgroup members are: S9 = {g4,
, g12=1} = {9,
,1} – obtained by
__ jumps each of length __.
The order of the subgroup generated by 25=g6 is 2 since 252 = (g6)2 = g12 = 1. We learned this
already: Since 25 = -1 MOD 26 we have 25 = (-1)2 = 1 MOD 26. The members of the subgroup
generated by 25 are:
S25 = {g6, g12=1} = {25,1} – obtained by 2 jumps each of length 6.
Notice that S25 is itself a subgroup of the subgroup S5 = {5, 25, 21, 1}as 25 and 1 are in S5 and
themselves fulfill the four group properties.
Subgroup of subgroup of groups, does that ever end? Is there a smallest subgroup of the group
Z26*? Of course, S1 ={1} is the smallest subgroup of Z26* since each subgroup must contain the
unit element 1. Now, the inverse of 1 is 1 itself since 1*1=1 MOD 26. Furthermore, 1 generates
the subgroup S1 ={1} of order 1. Our above method to determine the order of any subgroup must
also work here: Since 1=g12 the order of 1 must be 1 since (g12)1 = g12 = 1. Finally, there is
nothing special about M=26. S1 = {1} is the smallest subgroup for any alphabet length M.
Our above method to determine the order of a good key in Z26* worked well because the
exponents of the powers of the generator g that I chose i.e. 1,2,3,4,6 and 12 are divisors of 12. It
was easy to find their multiples in order to arrive at exponent 12. How do we find the orders of
those exponents that are not divisors of 12 such as 5, 7, 8, 9, 10 and 11? With other words: What
are the orders of the subgroups generated by g5, g7, g8, g9, g10 and g11?
Let’s find the order of 11=g5 first? Recall that the definition of the order of a group member is
that exponent which yields 1 for the first time. If we now add more columns to the tableX we
will find 1’s in columns 12, 24, 36, 48, 60, 72, 84, … since g12 = 1, g24 = (g12)2 = 12 = 1 MOD
26 and similarly g36 = g48 = g60 = g72 = g84 = … = 1. Starting off in column 5 with jumps of
length 5, we hit the first 1 in column 60 since no other column is a multiple of 5 and 12 at the
same time. Therefore, 11=g5 is of order 12 and a generator of S11 = Z26*:
58
S11
= {11, 112, 113,114,115,116,117,118,119,1110,1111,1112=1}
= {g5, (g5)2, (g5)3, (g5)4, (g5)5, (g5)6, (g5)7, (g5)8, (g5)9, (g5)10, (g5)11, (g5)12=1}
= {g5, g10, g15, g20, g25, g30, g35, g40, g45, g50, g55, g60=1}
= {11, 17 , 5 , 3 , 7 , 25, 15, 9 , 21 , 23, 19 , 1}
– obtained by 12 jumps each of length 5.
The order of the subgroup generated by 19=g7 is 12 since 7 and 12 are relative prime and
therefore: (g7)12 = g84 = 1 MOD 26. Again, that does not surprise us since we learned already that
19 = g7 is a generator of Z26*:
S19
= {19, 192, 193,194,195,196,197,198,199,1910,1911,1912=1}
= {g7, (g7)2, (g7)3, (g7)4, (g7)5, (g7)6, (g7)7, (g7)8, (g7)9, (g7)10, (g7)11, (g7)12=1}
= {g7, g14, g21, g28, g35, g42, g49, g56, g63, g70, g77, g84=1}
= {19, 23, 21 , 9 , 15 , 25, 7,
3 , 5 , 17, 11 , 1}
– obtained by 12 jumps each of length 7.
Now it is your turn again. The order of the subgroup generated by 15=g __ is __ and 15 thus
generates Z26*. Explain why only the powers with exponents 1,5,7,11 turn out to have an order
of 12 and are therefore the only generators of Z26*. Answer: Because 12 is relative prime to 1,5,7,11 and therefore
jumps of length 1,5,7 or 11 will yield the first 1 for an exponent that is the least common multiple.
Complete the following:
S15
= {15, 152, 153,154,155,156,157,158,159,1510,1511,1512=1}
= {g11 ……………………………………………., (g11) __ =1}
= {g11,………………………………………………., g132=1}
= {15, ……………………………………………………….}
The crux is now that the order 12 for g1, g5, g7, g11 is not only true when choosing the generator
g=7. It is true for any chosen generator of Z26* such as g=7,11,15 or 19. It is thus independent of
the choice of the generator g. I.e. g=11 generates Z26* in just the same way: S11 =
{g, g2,
g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1}
=
{11, 112, 113,114,115,116,117,118,119,1110,1111,1112=1}
= {11, 17,
5, 3, 7, 25, 15, 9, 21, 23, 19, 1}
59
Notice here that the members of order 12 are again those whose powers have exponents
that are relative prime to 12: g1=11, g5=7, g7=15 and g11=19.
It is your turn again: generate all members of Z26* by raising the generator g=15 to the powers of
1, 2, …, 12 and verify that those with an exponent 1,5,7 and 11 are the ones that have an order
12.
S15
= { g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1}
= {15, 152, 153,154,155,156,157,158,159,1510,1511,1512=1}
= {15, 17,…
, 1}
Notice, for any of the four generators we obtain the following good keys as powers of g:
g2 and g10 always yield 23 and 17 which are of order 6,
g3 and g9 always yield 5 and 12 which are of order 4,
g4 and g8 always yield 9 and 3 which are of order 3,
g6 = 25 which is of order 2,
and of course g12 = 1 which is of order 1.
We are left now with the easy task to determine the orders of the subgroups generated by 3= g8,
21= g9 and 17= g10 using the same generator g=7.
For 3= g8: The subgroup generated by 3=g8 is S3 = {3,9,1}= {g8, g16, g24=1} (obtained by 3
jumps each of length 8) and thus has an order of 3.
For 21= g9: The subgroup generated by 21=g9 is S21 = {21,25,5,1}= {g9, g18, g27, g36=1}
(obtained by 4 jumps each of length 9) and has thus an order of 4.
For 17= g10: The subgroup generated by 17=g10 is S17 = {17, 3, 25, 9, 23, 1} = {g10, g20, g30, g40,
g50, g60=1} (obtained by 6 jumps each of length 10) and has thus an order of 6.
Let’s summarize our discoveries in Z26*:
Powers of generators
g of Z26*
yield the good keys
in Z26*
of order
s
g1 , g5 , g7 , g11
g2 , g10
g3 , g9
g4, g8
g6
g12
7, 11, 15, 19
17, 23
5,21
3,9
25
1
12
6
4
3
2
1
60
This table is very important since it contains and displays many significant facts:
1. Fact: This table shows that the orders s are all divisors of the cyclic group of order
(26)=12.
2.
Fact: This table contains the fact that the choice of the actual generator g of Z26* is
irrelevant for the order of a good key (expressed as a power of g) in Z26. After finding a
generator g we can tell the order of each good key expressed as a power of g, gk, simply by
looking at the exponent k.
3. Fact: The table gives pairs of encoding and decoding keys: Recall that an encoding key is
inverse to its decoding keys which simply means that their product equals 1. If the members
in Z26* are now listed as powers of the generator, then 2 members are inverse and thus form a
pair of encoding and decoding keys if their exponents add up to 12. I.e.: using g=7 as
generator of Z26* yields g3 = 5 and g9 = 21 as a pair since g3 * g9 = g12 = 1 MOD 26. Also,
g4 = 9 and g8 = 3 forms a pair since g4 * g8 = g12 = 1 MOD 26. The only keys that are
inverse to themselves are g12=1 and g6 = 25.
4. Fact: The table shows that pairs of encoding and decoding keys have the same order.
I.e.: Using g=11 as a generator of Z26* tells us that g4 = 3 and g8=9 are both of order 3
which we learned already since both generate the same subgroup S = {3,9,1}. Also, g2 = 17
and g10 = 23 are both of order 6 as they both generate the subgroup S = {17, 3, 25, 9, 23,
1}.
Notice that all the observations are only valid for cyclic groups, those who can be generated by
one member. That particular member g is needed to list such groups as G = {g, g2, g3, … ,
gn=1}.
I want to end this section with an highlight for cyclic groups that I find shows a lot of the
elegance of Mathematics. Let’s find a formula to determine the order of a good key in Z26* expressed again as a power of a generator g of Z26* - solely by inspecting its exponent? I.e.
How can writing 23 as g10 for some generator g help us to find its order 6? Here is how.
We observed that those powers with exponents that are relative prime to 12 such as 1,5,7 and 11
yield order 12. This tells us that the order depends somehow on the greatest common divisor of
the exponents and 12. Therefore, let’s find all 12 greatest common divisors by firstly writing out
the 12 exponents, by secondly dividing 12 by each possible exponent (that are those between 1
and 12) and by thirdly simplifying the fractions to find their greatest common divisors:
Exponents:
12
12
12
12
12
12
12
12
12
12
12/1
12/2
12/3
12/4
12/5
12/6
12/7
12/8
12/9
12/10 12/11 12/12
12/1
6/1
4/1
3/1
12/5
2/1
12/7
3/2
4/3
6/5
61
12
12
12/11 1/1
The third row is instrumental to us: The four underlined fractions with exponents that are relative
prime to 12, i.e. 1,5,7,11, can not be simplified further and the numerator 12 gives their orders.
Simplifying the red fractions for the exponents 2 and 10 yield a numerator of 6 which tells us
their order. What is the order of the exponents 4 and 8? What does the third row tell you?
Reading the table reveals 3 in green. Isn’t that an elegant way of determining the order of a
subgroup? With ease we can now come up with a formula for the order of a subgroup generated
by gk solely based on the exponent k:
1. Formula to compute the order of each good key gk in Z26*:
s = order of the good key gk = 12 / gcd(k,12)
Example1: the order of g8 equals 12 / gcd(8,12) = 12/4 = 3.
Example2: the order of g7 equals 12 / gcd(7,12) = 12/1 = 12.
Verify this formula for all the other exponents and then continue reading.
Again there is nothing special about M=26. More general, for a given alphabet length M we have
(M) many good keys in ZM*. In case they form a cyclic group and thus at least one good key is
a generator of ZM* so that each good key can be expressed as a power of g, gk, the order of each
good key a= gk can be computed as follows:
2. Formula to compute the order of each good key gk in the cyclic
group ZM*
s = order of the good key gk = (M) / gcd(k, (M))
Counter example1: For M=28 we have the good keys 1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27. Since Z 28* does not
possess a generator g we can not express any good key as g k. Therefore, we can not apply the formula.
2.8.5 How to determine the Number of Good Keys of given
Order in a Cyclic Group
Believe it or not, this is not the climax yet. From our simplified fractions in the third row, we can
even tell how many good keys in Z26* possess an order of 12, 6, 4, 3, 2 or 1. I.e. we have 4
good keys that have an order of 12 since there are 4 fractions that have a non-simplified
numerator 12. That means that there are four integers less than 12 that are relative prime
62
to 12, namely the four underlined denominators 1,5,7 and 11. Thus, Euler’s -function with
(12)= ((26))=4 gives the number of good keys with order 12 and we can set up the…
Formula to determine the number of good keys in a cyclic group
that are of order s:
(s) = the number of integers relative prime to the divisor s of n=(M),
gives the number of good keys a that are of order s.
More examples for Z26*: There are two fractions with a simplified numerator 6, 6/1 and 6/5,
telling us that there are 2 integers less than 6 that are relative prime to 6, namely the two
denominators 1 and 5. Moreover, (6)=2 tells us that there are two good keys of order 6.
Similarly, we find that there are (4)=2 of order 4, (3)=2 of order 3, (2)=1 of order 2, and
(1)=1 of order 1. Altogether, we have
=
=
(1) + (2) + (3) + (4) + (6) + (12)
1 + 1 + 2 + 2 + 2 + 4
12.
And we have just discovered Euler’s identity which holds true for cyclic groups of order n:
∑(s) = n denoting the sum of (s) for all divisors s of n.
(s) tells us the correct number of good keys of order s, however, it does not tell us which good keys those are.
However, the 2nd row does. I.e. the good keys of order 6 are g2 and g10 again for any generator g which we find by
going up from 6/1 and 6/5 to the second row yielding the 2 and the 10 as the denominators of 12/2 and 12/10.
This might look interesting and confusing at the same time to you. Nothing helps better than doing it yourself and
rediscovering the steps that I just showed you. So, here are your three assignments:
1) Say we choose an alphabet length of M=27 by adding the character “.” to our alphabet length M=26. Recall the
good keys MOD 27. Z27*={1,……….,26}
2) Recall the order of each good key a by creating the chain display. Verify the orders in 2) by firstly picking a
generator g of Z27*. Secondly list the members in Z27* as powers of that generator g so that Z27*= {g, g2, g3,….,
1}. Thirdly, calculate the orders of the good keys in Z27 expressed as powers of g using the above 2. Formula
to compute the order of each good key in ZM*:
3) Finally, for each divisor d of 18=(27) find out how many good keys possess an order that equals the divisor d
by using Euler’s -function. By adding them all up, I want you to verify Euler’s Identity.
Conclusions:
1.
The orders of the good keys occur (s) times for any divisor s of (M), the order of
the cyclic group, where M is the used alphabet length.
2.
Each divisor s must occur at least once in cyclic groups since (s) is greater or equal
to 1.
63
3.
We know three particular orders:
a)
The number of generators (which equals the number of good keys of order 12) in ZM* is ((M)).
b) Good keys of order 1 occur exactly once since (1)=1. That is the order of the
key a=1 which is a good key in ZM* for any M.
c) The order 2 occurs once aswell since (2)=1. That is the order of the key a=M-1
since M - 1 = -1 MOD M and therefore (M-1)2 = (-1) 2 =1 MOD M.. The orders of 1
and 2 are the only one occurring only once since (d) is greater than 1 for divisors d
that are greater than 2. (I.e. (3)=2, (4)=2, (5)=4, (6)=2, (7)=6,…) . In fact,
(d) is always an even number, the only exceptions are s=1 and s=2. Therefore, all
other orders must occur as even numbers.
The ultimate question still remains: why did we only have jump lengths that are divisors of the
order of G. I want to show you why i.e. only jump length that are divisors of 12 occur in Z26*.
Therefore, we have to understand Lagrange’s Theorem. Its conversion will then finally show us
that there must be at least one jump length for any divisor of the order of the cyclic group G.
2.8.6 Lagrange’s Theorem and its Converse
We are now in a position to state and prove the famous Theorem of Lagrange in its general
form:
If G is a finite group and S a subgroup of G, then
the order of S is a divisor of the order of G.
Example1: Recall: Z26* is of order 12=(26) and the subgroups S1, S3, S5, S7, S9, S11, S15, S17,
S19, S21, S23, S25 are of order 1, 3, 4, 12, 3, 12, 12, 6, 12, 4, 6, 2 which are all divisors of 12.
Example2: Z27* is of order 18=(27) and the subgroups have order 1, 2, 3, 6, 9 and 12 which
are all divisors of 18.
Example3: Z28* is of order 12=(28) and the subgroups have order 1, 2, 3, 6 which are again all
divisors of 12.
I want to show you now why Lagrange’s Theorem must hold true for finite, cyclic groups (as
in Z26* and Z27*). Although it holds also true for non-cyclic finite groups (i.e. for Z28*), proving
this requires a deeper understanding of group theory which is beyond the scope of our course.
Therefore, I will show you the easier proof for finite and cyclic groups.
Proof of Lagrange’s Theorem:
Let G be a cyclic group of order n. Because G is cyclic the elements in G can be generated by the
generator g and listed as: G = {g, g, g, g, …, gn =1}. In our example we used 7 as a generator to generate G = Z26* =
{7, 72=23, 73=5, 74=9, …, 712=1}. However, we could have also used 11, 15 or 19 as possible generators. As you can see, a generator is not
necessarily unique, but we are guaranteed at least one in a cyclic group which is sufficient for the proof.
64
Since each subgroup of G
must also be cyclic, each possesses a generator. Say it is the kth element in G. We, therefore,
define h = gk, with 1 < k < n, to be the generator for any proper subgroup S of G. (A non-proper
subgroup is one that equals G and g would serve as such generator.) Then h generates S such that:
S = {h , h2,
h3, …., hs = 1}
= {gk, (gk)2, (gk)3, ….,(gk)s = 1}
= {gk, g2k, g3k, …., gsk = 1}.
In example, S5 can be generated by h = 5 = 73 so that
S5 = {73, (73)2, (73)3, (73)4 = 712 = 1}
= {73, 76, 79, 712 = 1}
= {5, 25, 21, 1}
The generator h generates all the elements in the subgroup S and terminates generating when it
reaches the unit element 1. This happens after computing s elements, so that there are s elements
in the subgroup S. Or simply: the order of S is s.
Because gn = 1 and gsk = 1, it follows that gn = gsk for some integer k. Therefore, n=sk which
shows that s is a divisor of n for any subgroup order s and the proof is complete.
Moreover, the
aswell:
Converse of Lagrange’s Theorem
holds true for cyclic groups
For any s that divides the order of a cyclic group we can find a cyclic subgroup S
that has the order s.
Proof:
Let G = {g, g, g, g, …, gn =1} and s be a divisor of the group order n such that n=k*s. Then G
= {g, g, g, g, …, gks =1} and I choose the generator h=gk to generate the subgroup S = {gk ,
(gk)2, (gk)3, …., (gk)s = 1} which is of order s and the proof is complete.
Example1: Z26* is of order 12=(26) and 12 has the divisors 1, 2, 3, 4, 6 and 12. For each of
these divisors we can now find a subgroups of such order. I.e. S1 is of order 1, S25 is of order 2,
S3 is of order 3, S5 is of order 4, S17 is of order 6 and S7 is of order 12. The Converse Theorem
does not tell us how many subgroups there are for each divisor s. We will learn this in the next
Theorem.
Example2: Z27* is of order 18=(27) and 18 has the divisors 1, 2, 3, 6, 9 and 12. For each of
these divisors we can now find a subgroups of such order. I.e. S1 is of order 1, S26 is of order 2,
S10 is of order 3, S8 is of order 6, S7 is of order 9 and S2 is of order 18.
Counter example1: Z28* is not cyclic and the Converse Theorem can not be applied. In fact,
there are no subgroups of order 4 and 12 as divisors of the group order 12=(28).
I want to conclude this chapter with a pleasing fact: Say our cyclic group ZM* consists of (M)
members. Hence, the number of members in each subgroup must be a proper divisor of (M)
(Grace a Monsieur Lagrange). Now, if we want to find two or more subgroups of the same order,
we will never succeed. There are none! At least not for cyclic groups ZM*, others may.
65
Theorem:
If n is the order of a cyclic group, then there exists exactly one
subgroup of order s for each distinct divisor s of n.
Proof: While proving the theorem in the left column, I will simultaneously show you a concrete
example (for the cyclic group Z26*) in the right column since the abstract proof might confuse
you a bit.
Let G be a cyclic group of order n and g be
a generator of G.
Let S be a subgroup of S of order s. We
know from Lagrange’s Theorem that s
must a divisor of n, say s*f=n.
S can be generated by one of the members
in G, say gk, which is of order s.
In turn this means that s*k equals some
multiple of n: s*k=t*n
Since s*f=n, we have s*k = t*n = t*(s*F).
Dividing both ends by s yields: k = t*F
showing us that t is a divisor of k.
Z26* is a cyclic group of order 12 and g=7
is a generator of Z26*.
S ={1,3,9,17,23,25} is a subgroup of Z26*
of order 6 with 6*2 = 12 = order of Z26* (
so that s=6, f=2 and n=12).
S can be generated by one of its members,
17=710, which is of order 6 (so that k=10)
In turn this means that 6*10 equals some
multiple of 12: 6*10=5*12 (so that t=5).
Since 6*2=12, we have 6*10 = 5*12 =
5*(6*2). Dividing both ends by 6 yields:
10=5*2 showing us that 5 is a divisor of
10.
k
Therefore, g is in the subgroup generated Therefore, 710(=17) is in the subgroup
by gF which is of order s (since s*f=n).
generated by 72(=23) which is of order 6
(since 6*2=12).
However, gk generates the subgroup S of However, 710 generates the subgroup S of
order s with which we started off.
order 6 with which we started off.
Thus, s elements of the subgroup generated Thus, 6 elements of the subgroup generated
by gk are in the subgroup generated by gF
by 710 are in the subgroup generated by 72
which has also s elements.
which has also 6 elements.
Therefore, both subgroups must be
Therefore, both subgroups must be
identical.
identical.
The crux of the proof is that for any subgroup S of order s we can find another subgroup of the same order (since the
Euler function solely yields even integers except for the divisors 1 and 2 whose subgroup orders occur only once)
and then show that they are identical. Notice that it was essential in the proof that the group G had to be cyclic (i.e. it
has to possess a generator).
Example1: Z26* is of order 12 which has the divisors 1,2,3,4,6 and 12. Thus:
The subgroup of order 1 is S1 = {1}.
The subgroup of order 2 is S25 = {1,25}.
The subgroup of order 3 is S3 = S9 = {1,3,9}.
The subgroup of order 4 is S5 = S21 = {1,5,21,25}.
The subgroup of order 6 is S17 = S23 = {1,3,9,17,23,25}.
The subgroup of order 12 is S7 = S11 = S15 = S19 = {1,3,5,7,9,11,15,17,19,21,23,25}.
66
Example2: Z27* is of order 18 which has the divisors 1,2,3,6,9 and 18. Thus:
The subgroup of order 1 is S1 = {1}.
The subgroup of order 2 is S26 = {1,26}.
The subgroup of order 3 is S10 = S19 = {1,10,19}.
The subgroup of order 6 is S8 = S17 = {1,8,10,17,19,26}.
The subgroup of order 9 is S4 = S7 = S13 = S16 = S22 = S25 = {1,4,7,10,13,16,19,22,25}.
The subgroup of order 18 is S2 = S5 = S11 = S15 = S20 = S23 =
{1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26}.
Counter example1: The non-cyclic group Z28* is of order 12 which has the divisors
1,2,3,4,6 and 12.
There is 1 subgroup of order 1: S1 = {1}.
There are 3 subgroups of order 2: S13 = {1,13}, S15 = {1,15} and S27 = {1,27}.
There are 3 subgroups of order 2: S13 = {1,13}, S15 = {1,15} and S27 = {1,27}.
There are 2 subgroups of order 3: S9 = S25 = {1,9,25}.
There are 6 subgroups of order 6: S3 = S19 ={1,3,9,19,25,27}, S5 = S17 = {1,5,13,17,25,27}, S11 =
S23 = {1,9,11,15,23,25}.
Since Z28* is not cyclic the Theorem can not be applied. In fact, Z28* has no subgroups of order 4
or 12.
Recall from 2.8.5. that (s) - for any divisor s of the order of a cyclic group G - tells us the
number of good keys that are of order s. Now we learn that subgroups generated by keys of the
same order must be identical.
67
