Chapter 2 – Multiplicative Cipher In this chapter we will study the Multiplicative Cipher. Instead of adding a number as we did in the Caesar Cipher, we will now multiply each plain letter by an integer a, our secret encoding key. As some of them fail to produce a unique encryption, we will discover an easy criterion for keys that produce the desired unique encryptions (the “good” keys) and apply it to different alphabet lengths. When doing so we will discover very important mathematical encryption tools such as Euler’s -function, Euler’s and Lagrange’s Theorem and study further examples of groups, rings and fields. 2.1 Encryption using the Multiplication Cipher Instead of encoding by adding a constant number, we multiply each plain letter by our secret key a. Since each plain letter turns into 0 for a=0 and remains unchanged for a=1, we start with a=2. We will multiply MOD 26 as we are using the 26 letters of the English alphabet. We get the following encoding and decoding table. PLAIN LETTER: Secret key: a=2 Cipher letter: A 0 B 1 C 2 D 3 E 4 0 2 4 6 8 10 12 14 16 18 20 22 24 a c e g i F G 5 6 k m H 7 I 8 o q J K L M N O P Q R S T U V W X Y Z 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 s u w y 0 2 4 6 a c e g 8 10 12 14 16 18 20 22 24 i k m o q s u w y Notice, that only every other cipher letter appears, and that exactly twice. This is not a useful encryption system since it may yield ambiguous messages. As an example, let’s encode and decode NAT and ANT. PLAIN LETTER Secret key a=2 N 13 A 0 T 19 A 0 N 13 T 19 Cipher letter 0 a 0 a 12 m 0 a 0 a 12 m You can see the dilemma of this message. Decoding “aam” can either yield NAT or ANT as the plain text. What would you do? Of course, you don’t want to receive any more ambiguous messages. Let’s simply test all possible keys of the multiplication ciphers MOD 26: PLAIN LETTER 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Encoding Key a a 0 A 0 B 0 C 0 D 0 E 0 F G 0 0 H 0 I 0 J 0 1 0 1 2 3 4 5 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 2 0 2 4 6 8 10 12 14 16 18 20 22 24 3 0 3 6 9 12 15 18 21 24 4 0 4 8 12 16 20 24 5 0 5 10 15 20 25 6 0 6 12 18 24 4 10 16 22 7 0 7 14 21 2 9 16 23 8 0 8 16 24 6 14 22 9 0 6 4 2 1 K 0 4 L M 0 0 2 3 3 12 21 9 18 1 10 19 2 11 20 10 0 10 20 4 14 24 8 18 11 0 11 22 7 18 12 0 12 24 10 22 13 0 13 0 13 0 13 0 13 0 13 14 0 14 2 16 4 18 6 20 8 22 10 24 12 15 0 15 4 19 8 23 12 16 0 16 6 22 12 2 18 17 0 17 8 25 16 7 24 15 18 0 18 10 2 20 12 19 0 19 12 5 24 17 10 8 3 14 25 10 21 8 20 6 18 1 16 4 16 5 20 8 24 14 4 22 14 2 22 16 10 8 4 6 0 13 2 16 2 17 0 22 18 14 10 23 0 23 20 17 14 11 24 0 24 22 20 18 16 14 12 10 25 0 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 6 2 24 20 16 12 8 5 8 4 6 4 2 4 6 10 14 18 22 1 6 11 16 21 2 8 14 20 3 10 17 24 5 12 19 4 12 20 8 18 2 10 18 7 16 25 2 12 22 1 12 23 8 17 6 16 8 19 4 15 6 18 4 16 2 14 0 13 0 13 0 13 6 20 8 22 10 24 12 3 18 7 22 11 8 24 14 4 20 10 3 20 11 2 19 10 1 18 4 22 14 4 23 16 2 22 16 10 3 24 19 14 7 Z 0 2 18 0 22 18 14 10 2 25 22 19 16 13 10 8 8 Y 0 0 13 2 20 12 22 8 X 0 8 20 4 18 6 25 18 11 0 20 14 2 6 21 10 25 14 4 21 12 V W 0 0 8 11 14 17 20 23 6 15 24 5 16 6 22 12 0 20 14 2 23 18 13 5 6 14 22 0 13 0 21 16 11 7 6 9 20 U 0 4 10 16 22 4 14 24 20 1 22 17 12 2 8 15 22 5 14 23 0 18 10 1 20 13 4 24 18 12 1 8 16 24 0 16 T 0 7 12 17 22 6 12 18 24 0 14 S 0 8 10 12 14 16 18 20 22 24 0 12 24 10 22 5 22 13 8 2 21 6 R 0 8 12 16 20 24 0 10 20 9 24 13 6 24 16 3 22 15 0 0 13 4 20 10 6 23 14 0 2 13 24 2 14 0 13 4 4 13 22 6 16 6 17 0 6 13 20 2 10 18 2 12 22 2 8 13 18 23 8 14 20 4 11 18 25 4 12 20 0 P Q 0 0 7 10 13 16 19 22 25 6 10 14 18 22 9 14 19 24 N O 0 0 6 9 9 8 2 21 14 7 4 24 18 12 6 4 25 20 15 10 5 2 24 20 16 12 1 24 21 18 15 12 0 24 22 20 18 16 14 12 10 9 8 7 9 6 24 16 6 5 8 4 3 9 6 8 6 4 2 4 3 2 1 We learned already that the key a=2 (as can be seen in the 3rd row) does not produce a unique encryption. So which ones do? Each row that contains each integer from 0 to 25 exactly once and therefore yields a unique cipher letter will serve. Simply by looking at the table, we find that the following keys (whose rows are bold) produce a unique encryption and therefore call them the good keys: a = 1,3,5,7,9,11,15,17,19,21,23,25 Why those and what do they have in common? They seem to not follow any apparent pattern. Are they the odd numbers between 1 and 25? No, 13 is missing. Or are they possibly the primes between 1 and 25? No, 9,15, 21 and 25 are not prime and the prime 13 is missing. So, let’s understand why the bad keys a = 2,4,6,8,10,12,13,14,16,18,20,22,24 don’t produce a unique encryption. We have to understand why multiplying by a bad key a MOD 26 yields some integers more than once and others not at all. An extreme example would be when a=0: all plain letters are translated into 0’s which are all a’s so that no decryption is possible. If a=1 is used as a key, each cipher letter equals its plain letter which shows that it does produce a unique encryption. However, it yields the original text. This is not very useful. 2 The bad key a=2 yields an ambiguous message as we saw in the introductory example: each A turns into 0 (=a) since 2*0 = 0 MOD 26 just as each N turns into 0 since 2*13 = 26 = 0 MOD 26. Also, each B and each M turn into 2 (=c) since 2*1 = 2 MOD 26 and 2*14 = 28 = 2 MOD 26. When you study the a=2 row precisely, you will see that the original 26 plain letters are converted into 13 “even” cipher letters (the even cipher letters are those whose numerical equivalent is an even number.) each occurring exactly twice. This is the reason why a=2 yields an ambiguous decryption. If a=4,6,8,…,24, we encounter the same dilemma as for a=2. We can see in the table that an A will always translate into 0 (=a) since the product of any such key a with 0 (=A) yields 0. N (=13) translates into a for any even key a aswell because even keys N 4*13 = 2*(2*13) = 2*0 = 0 MOD 26, 6*13 = 3*(2*13) = 3*0 = 0 MOD 26, 8*13 = 4*(2*13) = 4*0 = 0 MOD 26, etc. Notice in all three equations that because a=2 turns the 13 (=N) into 0 in 2*13 = 0, all the multiples of a=2 translate the N into 0 (=a). That means: Because a=2 is a bad key all the multiples of a must be bad keys aswell. Consider an alphabet length of M=35: the bad key a=5 (why?) will translate the H (=7) into a (=0), because 5*7 = 35 = 0 MOD 35. Therefore, all the keys that are multiples of 5 such as a=10,15,20,25,30 will also translate the H into 0(=a). Similarly, the multiples of a=7 will translate an F (=5) into an 0 (=a) because 7 does so. a=13 yields an ambiguous message since each even plain letter is translated into a (=0): a=13 even letters 13*0 = 0 MOD 26, 13*2 = 0 MOD 26, 13*4 = (13*2) * 2 = 0 * 2 = 0 MOD 26, 13*6 = (13*2) * 3 = 0 * 3 = 0 MOD 26, etc. Each odd plain letter translates into 13 (=n): a=13 odd letters 13*1 = 13 MOD 26, 13*3 = 13*2 + 13*1 = 0 + 13 = 13 MOD 26, 13*5 = 13*4 + 13*1 = 0 + 13 = 13 MOD 26, 13*7 = 13*6 + 13*1 = 0 + 13 = 13 MOD 26, etc. Moreover, since a=13 is a bad key its multiples 26, 39, … must also be bad keys. However, we don’t need to consider keys that are greater than 26 since each of them has an equivalent key less than 26 that yields the same encryption: the even multiples of 13 (i.e. 26, 52, 78, ...) have its equivalent key in a=0, a very bad key, since 26=52=78=0 MOD 26. The odd multiples of 13 (i.e. 39, 65, 91, …) have its equivalent key in a=13, another bad key, since 39=65=91=13 MOD 26. 3 Let’s summarize our discoveries. Which keys now yield a unique encryption? A key a does not produce a unique encryption, if 1) a divides 26 evenly or if 2) a is a multiple of such divisors. We can combine these two criteria into one easy criterion. Can you? Try it! CRITERION FOR GOOD KEYS A key a produces a unique encryption, if the greatest common divisor of 26 and a equals 1, which we write as: gcd(26, a)=1 Convince yourself that 26 has a greatest common divisor equal to 1 with each of these good keys a = 1,3,5,7,9,11,15,17,19,21,23,25. Except for 2 and 13, all prime numbers less than 26 are among the keys (why do they have to?). However, there are some additional integers that are not prime (i.e. 9,15,21 and 25). That are those that don’t have a common divisor with 26. Thus, being prime is not quite the reason for a good key, but almost. We, therefore, name the good keys as follows: Definition of numbers that are relative prime: Two integers are called relative prime if their greatest common divisor equals 1. Examples are: 4 and 5 are relatively prime because gcd(4,5)=1. So are 2 and 3, 2 and 5, 3 and 10, 26 and 27, 45 and 16. Counter examples are: 45 and 18 are not relative prime since gcd(45,18)=9 and not 1. 343 and 14 are not relative prime since gcd(343,14)=7. From now on we will use a handy Notation for the set of possible and good keys: 1) All the possible keys for an alphabet length of 26 are clearly all the numbers between 1 and 26, denoted as Z26. Simply: Z26 = {0,1,2,3,…, 24,25}. Generally: An alphabet of length M has the keys: ZM = {0,1,2,3,…, M-2,M-1} 2) Now, the good keys are the ones that are relative prime to 26 as listed above and are denoted as Z26*. Simply: Z26* = {1,3,5,7,9,11,15,17,19,21,23,25}. Generally: The good keys are those a’s that are relative prime to M and are denoted as ZM*. (I can not list those here as they depend on the alphabet length M.) We are now able to summarize how to encrypt a message using the multiplication cipher: To encrypt a plain letter P to the cipher letter C using the Multiplication Cipher, we use the encryption function: f : P C=(a*P) MOD 26. If a is a “good” key, that is if a is relatively prime 4 to 26, then f produces a one-to-one relationship between plain and cipher letters, which therefore permits a unique encryption. Among the 12 good keys we pick a=5 to encode the virus carrier message as follows: PLAIN TEXT Cipher text A 0 N 13 T 19 I 8 S 18 T 19 H 7 E 4 C 2 A 0 R 17 R 17 I 8 E 4 R 17 0 a 13 n 17 14 o 12 m 17 r 9 j 20 u 10 k 0 a 7 h 7 h 14 o 20 u 7 h r Exercise1: Encrypt the same plain text using the key a=7. 2.2 Decryption of the Multiplication Cipher Now that the virus carrier message was encoded in a unique manner how can it be decoded? First of all, you need to know which one of the 12 good keys was used. In some secret manner, the sender and the recipient had to agree on the encoding key a. Say a=5 was chosen. Now, how do you decrypt the above message? To do so, we have to look at the encryption equation C=a*P MOD 26 and solve it for the desired plain text letter P. In order to solve an equation like 23=5*P for P using the rational numbers, we would divide by 5 or multiply by 1/5 to obtain the real solution P=23/5. However, when using MOD arithmetic and solving 23=5*P MOD 26, we don’t deal with fractions but only integers. Thus, dividing is performed slightly different: instead of dividing by 5 or multiplying by 1/5, we first write 5-1 (instead of 1/5) where 5-1 now equals an integer and multiply both sides by that integer 5 -1. We denote 5-1 “the inverse of 5”. Just as 5*1/5 yields 1, 5 * 5-1 shall equal 1 MOD 26. Definition of an inverse number: A number a-1 that yields 1 when multiplied by a is called the inverse of a. Mathematically: a-1 * a = a * a-1 = 1. Example1: When using fractions, 5-1=1/5 is the inverse number to 5, 3-1=1/3 is the inverse number to 3, 3/2 is the inverse number to 2/3. Now, let’s look at examples for MOD arithmetic: Example2: The inverse of a=3 is a-1 = 2 MOD 5 because a * a-1 = 3*2 = 6 = 1 MOD 5. I found a-1 = 2 by simply testing the integers in Z5*={1,2,3,4}. a=4 is inverse to itself modulo 5 since a * a-1 = 4 * 4 = 16 = 1 MOD 5. 5 Example3: Doing arithmetic MOD 7, the inverse of a=3 is a-1 = 5 because a * a-1 = 3*5 = 15 = 1 MOD 7. Again, I found the inverse of a=3 by testing the integers in Z7* ={1,2,3,4,5,6} The inverse of a=4 is 2 since a * a-1 = 4 * 2 = 8 = 1 MOD 7. a=6 is inverse to itself MOD 7 since a * a-1 = 6 * 6 = 36 = 1 MOD 7. Example4: What is the inverse of 3 MOD 11? It is a-1=4 since 3*4 = 12 = 1 MOD 11. Example5: Try it yourself! What is the inverse of 5 MOD 11? What is the inverse of 7 MOD 11? Back to the virus carrier message. It was encoded MOD 26. Since we calculate MOD 26, thus dealing with integers from 0 to 25, we now have to find an integer a-1 among those integers that yields 1 MOD 26 when multiplied by 5: a-1 * 5 = 1 MOD 26. Equivalently stated: what product of a-1 and 5 equals 1 more than a multiple of 26 such as 27, 53, 79, 105, etc? Aha, there is 105 = 21*5 so that 21*5 = 1 MOD 26. Equivalently stated, 105 divided by 26 leaves a remainder of 1. Wonderful, that is all we need to solve our encryption function C= a*P MOD 26 for the plain letter P in order to then decode the encrypted message: Multiplying both sides of our encryption equation the equation yields a-1*C = a-1*(a*P) = (a-1*a)*P = 1*P = P MOD 26 (1) (2) (3) (4) Remark: Solving this equation required the 4 group properties: the existence of an inverse and the closure in (1), the associative property in (2), the inverse property in (3) and the unit element property in (4). It thus gives a great example that we are only guaranteed to solve this equation for numbers that form a group with respect to multiplication MOD 26. We will check in the Abstract Algebra section at the end of this chapter that the set of good keys MOD 26, Z 26* = {1,3,5,7,9,11,15,17,19,21,23,25}, does form a multiplicative group. We can therefore always find a-1 for a given good key a. Thus our decoding function P = a-1*C MOD 26 tells us to simply multiply each cipher letter by the inverse of the encoding key a=5, namely by the decoding key a-1=21 MOD 26 and we can eventually decode: Cipher text PLAIN TEXT a 0 n 13 r 17 o 14 m 12 r 17 j 9 u 20 k 10 a 0 h 7 h 7 0 13 N 19 T 8 I 18 S 19 T 7 H 4 E 2 C 0 A 17 R 17 R A o 14 u 20 8 I 4 E h 7 17 R For example, multiplying the cipher letter r=17 by a-1 = 21 decodes the r to T=19 since 21*17 = 357 = 19 MOD 26. The o =14 decodes to I = 8 since 21*14 = 224 = 8 MOD 26, the m =12 decodes to S=18 since 21*12 = 252 = 18 MOD 26. 6 How does the j decode to the H, and the u decode to the E? Verify this now! An easier way to determine the decoding key a-1 Decoding a message turns out to be really easy once we know the decoding key a-1. We just had to multiply each cipher letter by a-1. So, we are left with determining the decoding key a-1 knowing the original encoding key a. To decode the above virus carrier message we found the inverse of a=5 through a clever check of the products of a and a-1 that produced one more than multiples of 26. That was trial and error and might take quite a while. We won’t have to do it that way again since there is a much more straightforward method. To find the inverse for each good key a, you just need to look back at the 26 by 26 encryption table. For instance, to find the inverse of the good key a=5 we have to look at the fifth row which shows that a-1 equals 21 since the only 1 in this row is in the V- or 21-column (5 * 21 = 1 MOD 26). Moreover, you can see that the plain letter V encrypts to the cipher text letter b (=1) when using a=5 as the encoding key. Take a moment now to verify the Rule for finding the decoding key a-1: 1) For a given good key a, find the unique 1 in the a-row, 2) From that 1 go all the way up that column, 3) The letter’s numerical equivalent that you hit on the very top is the inverse of a. Example: If we use the encoding key a=3, we find that the decoding key a-1 is 9 as the 1 occurs in the J- or 9-column telling us additionally that the plain letter J (=9) encrypts to the cipher letter b (=1). Finding the decoding keys for each good key a in the same manner, we obtain the following key pairs: Good Encoding key a 1 3 5 7 9 11 15 17 19 21 23 25 Its decoding key a-1 1 9 21 15 3 19 7 23 11 5 17 25 Three important observations: 7 1. All decoding keys a-1 in the right column are among the set of all encoding keys a. In fact, the sets of the encoding and decoding keys are identical. Coincidence? No, it is not. Just as the regular multiplication of two integers is commutative (i.e. 3 * 9 = 9 * 3 =27) the MODmultiplication is commutative (3 * 9 = 9 * 3 = 1 MOD 26). You can observe this orderdoesn’t-matter rule in the original 26x26 multiplication table: The diagonal line from the top left to the bottom right forms a reflection line. I.e. 21 is an inverse to 5 MOD 26, therefore 5 is inverse to 21 and the two 1’s are mirrored over the diagonal line. Therefore, the set of all encoding keys must equal the set of all decoding keys. 2. If we extract those rows with the good keys a = 1,3,5,7,9,11,15,17,19,21,23,25 and their corresponding columns, we obtain: 1 3 5 7 9 11 15 17 19 21 23 25 1 1 3 5 7 9 11 15 17 19 21 23 25 3 3 9 15 21 1 7 19 25 5 11 17 23 5 5 15 25 9 19 3 23 7 17 1 11 21 7 7 21 9 23 11 25 1 15 3 17 5 19 9 9 1 19 11 3 21 5 23 15 7 25 17 11 11 7 3 25 21 17 9 5 1 23 19 15 15 15 19 23 1 5 9 17 21 25 3 7 11 17 17 25 7 15 23 5 21 3 11 19 1 9 19 19 5 17 3 15 1 25 11 23 9 21 7 21 21 11 1 17 7 23 3 19 9 25 15 5 23 23 17 11 5 25 19 7 1 21 15 9 3 25 25 23 21 19 17 15 11 9 7 5 3 1 This reduced table shows i.e. that 3 and 9 are inverse to each other because of the commutative property of the MOD-multiplication (exhibited by the diagonal as a line of reflection). Now every row contains exactly one 1 revealing that there exists an inverse for each a which is precisely the reason why those a’s are the good keys. Moreover, multiplying any two good keys yields again a good key. As an attentive reader, we realize that the MOD multiplication of the keys is closed (recall the group properties in the previous chapter). Combining this fact with the fact that each key a possesses a decoding key a-1, the set of the good keys forms a commutative group with the unit element 1. Does that even mean that the good keys form a field? That would additionally require that the good keys form a commutative group with respect to addition. Do they? Try to answer it for yourself. I will answer it at the end of this chapter in the Abstract Algebra section. 3. The only two keys that are inverse to themselves are 1 and 25, which means that the encoding key equals its decoding key. Let’s check why: 1*1=1 MOD 26 which explains a = a-1 = 1 (Big deal!). Now when a=25, we have: 25*25 = 625. Since 625=24*26+1 which means that 625 leaves a remainder of 1 when divided by 26, we have 625 = 1 MOD 26 and altogether 25 * 25 = 625 = 1 MOD 26. These calculations were correct but almost required a calculator. Here is a non-calculator way to understand why 25 is inverse to itself: Since 25 = -1 MOD 26, it follows 25 * 25 = (1) * (-1) = 1 MOD 26. This shows that when using an encoding key that is one less than the 8 alphabet length M, namely a = M-1, then the decoding key must also equal M-1, a-1 = M-1. The reason is (M-1) * (M-1) = (-1) * (-1) = 1 MOD M. For example: when using an alphabet length of M = 27 and an encoding key a=26 then its decoding key is a-1 =26. To verify this: 262 = 676 =1 MOD 27. Here is the C++ Code for the encryption and decryption of the multiplication cipher: //Multiplication Cipher using the good key a=5 //Author: Nils Hahnfeld, 9/22/99 #include<conio.h> #include<iostream.h> void main() { char cl,pl,ans; int a=5, ainverse=21; //as a-1*a=21*5=105=1 MOD 26 clrscr(); do { cout << "Multiplication Cipher: (e)ncode or (d)ecode or (~) to exit:" ; cin >> ans; if (ans=='e') { cout<< "Enter plain text: "<< endl; cin >> pl; while(pl!='~') { if ((pl>='a') && (pl<='z')) cl='a' + (a*(pl -'a'))%26; else if ((pl>='A') && (pl<='Z')) cl='A' + (a*(pl -'A'))%26; else cl=pl; cout << cl; cin >> pl; } } else if (ans=='d') { cout << "Enter cipher text: " << endl; cin >> cl; while(cl!='~') { if ((cl>='a') && (cl<='z')) pl='a' + (ainverse*(cl -'a'))%26; else if ((cl>='A') && (cl<='Z')) pl='A' + (ainverse*(cl -'A'))%26; else pl=cl; cout << pl; cin >> cl; } 9 } } while(ans!='~'); } Programmer’s Remarks: Can you understand the code yourself? Try to understand as much as possible first, then continue reading. 1) This program both encodes and decodes. Say you first want to encode the letter c then you have to enter e when asked. Then the if-condition if (ans=='e') is fulfilled so that we enter the encoding part of the program. You are asked to enter your plain letter in cin >> pl; As long as you don’t enter ‘~’ the while-condition while(pl!='~') is fulfilled and the entered plain letter (=pl) is being encoded. To do so, I distinguish between upper and lower case letters since they are encoded slightly different. Say, the lower case plain letter c is entered, then the condition if ((pl>='a') && (pl<='z')) is fulfilled and the encryption is being executed by this one seemingly weird command cl='a' + (a*(pl -'a'))%26; Let me explain that to you in detail: First you need to know that each letter is stored as a number: i.e. A=65, B=66, C=67, .., Z=100, a=101, b=102, c=103, …z=125. In fact, any character is stored as a number: i.e. ~=.., $=.. etc. For now, let’s focus on the lower case letters. The plain letter c is stored as 103, however, I want the c to equal 2 in compliance with our translation a=0, b=1, c=2, etc. which we used in our virus carrier example. Therefore, I need to subtract 101 from the 103 to get the desired 2, similarly, I again would have to subtract 101 from any plain letter b=102 to get the desired 1. In fact, I always have to subtract 101 from each entered lower case plain letter to get its corresponding number. By subtracting a (=101) from the entered plain letter in (pl -'a');. I accomplish this. Subsequently, that difference is multiplied by the good key a=5 which I defined as such in int a=5. You could also define a to be a different good key. If you choose to do so, don’t forget to also redefine the corresponding decoding key in int a=5, ainverse=21; . 10 Ok, let’s continue with the encoding part. Since we are performing MOD 26 arithmetic, we use the MODoperator % that guarantees us the product (a*(pl 'a'))%26; to be between 0 and 25. In our example, after subtracting 101 from the plain letter c we get the desired 2 that is now multiplied by a=5 yielding 10. This is just what we wanted except that the answer 10 does not equal the desired cipher letter k on the computer. Therefore, we just have to add a number in order to get k=111. Which number would that be? Right, we have to add 101 to the 10 which we do by adding a=101 in cl='a' + (a*(pl -'a'))%26. Now the cipher letter cl equals k and we can end the lower case encoding. The encryption of upper case plain letter works similarly except that I have to subtract A=65 (instead of a=101 as above) to obtain our desired plain letter number. Say, we want to encrypt the plain letter C=67. I first subtract 65 =’A’ and then multiply that difference by the good key a=5 yielding 10 again. The MOD 26 calculation leaves the 10 unchanged. Finally, I have to add the usual 65 = A (why?) to obtain the desired cipher letter. How do we deal with non-letters? Well, I leave all the entered non-letters such as ! or . or ? unchanged so that you can detect the format of the original message easier. If we don’t want to give an eavesdropper any additional information about our secret message, we would firstly either not use such characters at all or we would expand our alphabet length and encode them just like the other plain letters. Secondly, we would translate every upper case plain letter into a lower case cipher letter so that we don’t reveal information about the beginning of a sentence. These are valuable information for an eavesdropper that help cracking the message. I leave the translation from an upper case plain letter to a lower case cipher letter as an easy exercise for you. 2) Lastly, I want to explain the trick how I manage to encode not only a letter but a whole word or sentence if necessary. The statements while(cl!='~') and cout << cl; cin >> pl; are in charge of it. The first time the loop passes the line cout << cl; the translated plain letter pl that was read in as cin >> pl; before 11 the while loop is output as its cipher letter cl. The trick is now that if we enter more than one letter all but the first entered letter are buffered (which means temporarily stored in the computer’s RAM) until read in in cin >> pl; inside the while loop. Since any plain letter fulfills the condition in while(cl!='~') The loop is reentered and the next cipher letter is displayed in cout << cl; We can then end this while loop by entering ~ and then choose to either encode, decode or exit the program. Try it for yourself. 2.3 Cryptoanalysis - Cracking the Multiplication Cipher Just like the Cipher Caesar Cipher, the Multiplication is not secure at all. How could it be broken? Let’s consider two options: Option 1: Cracking the cipher code using letter frequencies If plain letters are replaced by cipher letters the underlying letter frequencies remain unchanged. I.e. if the letter e (the most frequent letter in the English language) occurs 20 times in the plain text its replacement letter will appear 20 times in the cipher text. Therefore, an eavesdropper simply has to count letter frequencies to identify the most frequent cipher letter. Its numerical equivalent reveals the row and therefore the key a as follows: PLAIN LETTER 0 Keys a 0 0 A B C D 1 0 1 2 3 2 0 2 4 6 3 0 3 6 9 4 0 4 8 12 5 0 5 10 15 6 0 6 12 18 7 0 7 14 21 0 E 0 0 F G 4 8 12 16 20 25 24 2 4 0 H 0 I 0 J 0 K 9 14 19 24 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 L M N O P Q R S T U V W X Y Z 3 12 8 13 18 23 2 7 12 17 22 1 6 11 16 21 8 0 8 16 24 9 0 9 18 10 0 10 20 11 0 11 22 12 0 12 24 13 0 13 14 0 14 2 15 0 15 4 16 0 16 6 17 0 17 8 18 0 18 10 19 0 19 12 0 20 0 20 14 21 0 21 16 22 0 22 18 23 0 23 20 24 0 24 22 25 0 25 24 6 1 10 4 14 7 18 10 22 13 0 16 4 19 8 22 12 25 16 2 20 5 24 8 2 11 6 14 10 17 14 11 20 18 23 22 8 5 2 25 22 19 16 13 10 7 4 1 24 21 18 15 12 9 6 3 After intercepting the cipher text, an eavesdropper simply finds the most frequent letter of this rather brief message. Longer messages reveal the most the letter e equivalent, however, this is not necessarily so for our message. Cipher text a 0 n 13 r 17 o 14 m 12 r 17 j 9 u 20 k 10 a 0 h 7 h 7 o 14 u 20 h 7 He finds the cipher letter h to be most frequent. However, there is no 7 – the numerical equivalent of letter h - in the E column. This means that the cipher E does not equal 7. In fact, the cipher E can only be an even cipher letter as only even numbers appear in the E-column. Thus, among those numbers that occur twice in the cipher code, 14, 17 and 20, we can eliminate the odd 17. The 14 as the possible cipher E then tells him to test the keys a=10 and a=23. Since a=10 is a bad key he checks the good key a=23. He decodes all the other cipher letters by finding their corresponding number in the 23rd row (see above) and then goes up that column to find the original plain letter. He obtains: Cipher text PLAIN TEXT a 0 n 13 r 17 o 14 m 12 r 17 j 9 u k 20 10 a 0 h 7 h 7 o 14 u 20 0 13 N 11 L 6 G 7 H 11 L 23 X 2 C 0 A 15 P 15 P 19 T 2 C A 13 14 O h 7 15 P That message does not reveal a virus carrier. Certainly, it might be a double encoded message that has to be decoded twice, possibly using two different keys or even two different ciphers. Before considering such encoding techniques, we go ahead and check if the other frequent number, 20, is the cipher E. Checking the E column, we can see that the possible two keys are the bad one a=18 and the good one a=5. Again, we just have to find the cipher numbers in the 5th row and then go up that column to the very top to find the corresponding plain letter. This yields the correct plain text: Cipher text a n r o m r j u k a h h o u h 0 13 17 14 12 17 9 20 10 0 7 7 14 20 7 0 13 N PLAIN TEXT A 19 T 8 I 18 S 19 T 7 4 H E 2 C 0 A 17 R 17 R 8 I 4 E 17 R As you can see, detecting the most frequent cipher letter is of enormous help in cryptography. Here, it reduces the number of possible good keys to two. It is not difficult to find the encoded E in English documents as every 8th letter on average is an E (about 13%), it is therefore by far the most frequent letter. Consequently, the longer a cipher text, the easier the cipher E can be detected. Other frequent letters such as T, A, O and N occurring with about (8%) might be of further help to crack the cipher text. I will explain the usage of letter frequency as a very important means to crack cipher codes in the next chapter. In case you wonder why the discussion of cracking codes is made public; why is it not kept secret to maintain the security of ciphers? The answer is a simple “No”: Only those encryption systems that withstand all possible attacks are secure and thus useful. Certainly none of the cryptosystems we have considered thus far. Remember that the first 3 ciphers are meant to familiarize you with basic encryption systems. Moreover, we build the mathematical foundation to understand secure encryption systems such as the RSA encryption. Option 2: Cracking the cipher code using trial and error (“brute force”) Knowing that there are just 12 possible unique encryptions MOD 26, the journalist produces the corresponding 12 rows in the 26 x 26 multiplication table and cracks the code easily. Cipher text A N r R X W E X D Y M A L L W Y L a=5 A N T I S T H E C A R R I E R a=7 a=9 a=11 a=15 a=17 A A A A A N N N N N V Z L P B C Q G U K Y K U G Q V Z L P B F B P L Z O I Q K S U E I S W A A A A A B V D X F B V D X F C Q G U K O I Q K S B V D X F a=1 a=3 a A n N o O m M r R j J u U k K a A h H h H o O u U h H 14 a=19 a=21 a=23 a=25 A A A A N N N N F H D J Y S E M C I W O F H D J V T X R M W C G G Y O Q A A A A Z J P T Z J P T Y S E M M W C G Z J P T MS Excel as a simple encryption and decryption tool: I created the following table in MS Excel with the CHAR and the MOD function: Cipher text a a-1 3 9 5 21 7 15 9 3 11 19 15 7 17 23 19 11 21 5 23 17 25 25 For example, I a n r 0 A A A A A A A A A A A 13 N N N N N N N N N N N 17 X T V Z L P B F H D J created o m 14 W I C Q G U K Y S E M the 12 E S Y K U G Q C I W O r j u k a h h o u h 17 X T V Z L P B F H D J 9 D H F B P L Z V T X R 20 Y E O I Q K S M W C G 10 M C U E I S W G Y O Q 0 A A A A A A A A A A A 7 L R B V D X F Z J P T 7 L R B V D X F Z J P T 14 W I C Q G U K Y S E M 20 Y E O I Q K S M W C G 7 L R B V D X F Z J P T T in the row a=5 using the Excel-formula =CHAR(65+MOD(E$2*$B4,26)) where the cell E$2 contains 17 and the cell $B4 contains 21 as the decoding key a-1. The formula MOD(E$2*$B4,26) computes the number of the plain letter T, namely 19. However, converting 19 to its character does not yield the desired T. The T is stored as 84 which you could see by entering the Excel formula =CODE("T"). Therefore, we first have to add 65 to the 19 in order to translate the 84 eventually into the desired T using =CHAR(65+MOD(E$2*$B4,26)). In fact, all the upper case letters on Excel are 65 numbers higher than those we are using, the lower case letters on Excel are 97 numbers above ours (i.e. =CODE("a") yields 97). Which cracking method should a code cracker use. They are trade-offs in terms of their efficiency: the gain of not having to determine the most frequent letter in the cipher text for the brute force approach is at the cost of producing all possible cipher codes. Vice versa, the cost of detecting the most frequent cipher letter in the first approach is at the gain of producing only one plain text provided that the most frequent cipher letter turns out to be unique. This is very likely in English texts and virtually certain in the German language where on average every 5th letter is an E. Even if an eavesdropper decides to produce all 12 possible plain texts, they can be generated with the help of a computer within a few seconds. Therefore, no matter how he decides to crack the cipher text, it won’t take long. Thus, safer encryptions are necessary. In the next chapter, I will show you one principle of increasing the safety of a cipher code. I will couple the Multiplication Cipher with the Caesar Cipher (which produces 26 unique encryptions) to obtain a 15 super encryption that will allow 12*26=312 possible unique encryptions. Are the used 12 unique encryptions a set number? Or can we even increase the mere 12 unique encryptions for the Multiplication Cipher by varying the alphabet length? Let’s investigate this in the following section. 2.4 Varying the Alphabet Length varies the Number of Good Keys Using an alphabet length of M=27: Say for legibility reasons we add a blank symbol as our 27th plain letter. It converts to the plain letter number 26 so that we now have to encrypt MOD 27. Does the increase of our alphabet length by 1 increase the number of unique encryptions obtained? Our good-key-criterion declares those integers to be good keys that are relative prime to 27. Which ones are those? 27=3*3*3, so that only the multiples of the only prime divisor 3 such as a=3, 9 and 27 will not yield a unique encryption, all the other integers will: The good keys a are therefore Z27* = {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26} allowing 18 different unique encryptions, 6 more than before. Notice that we found the good keys indirectly. We first found the bad keys as the multiples of the prime divisors of the alphabet length M. Consequently, the good keys are the remaining integers less than M. Again a perfect task for a computer, especially when we have to find the prime divisors of bigger integers. (I.e. what are prime divisors of 178247 or of 56272839 ?). Below is the C++ program that performs the task for us, it just finds all the factors of an entered alphabet length M by testing all the integers less than M for possible factors. This “brute force” approach will work fast enough for integers M that have 10 digits or less. For larger integers, however, dividing by every integer less than M slows the program down enormously. Test it yourself. One of the major goals of current Mathematics research is to design faster factoring algorithms as today’s are fairly slow. In fact, the security of i.e. the commonly used RSA Cipher is based on the relative slowness of such factoring programs. If you are able to invent a fast factoring algorithm, you will not have to worry about a future job. //Author: Nils Hahnfeld //Factoring program #include <conio.h> #include <iostream.h> #include <math.h> 10/15/99 void main() { int M, factor ; clrscr(); 16 do { cout << "Enter the integer that you want to factor or 0 to exit: M="; cin >> M; factor=2; while(factor <= M) { if (M%factor==0) //check all integers less than M as factors { cout << factor << endl; M/=factor; factor=1; } factor++; } }while(M!=0); } Programmer’s remarks: Starting with 2, this program checks the integers from 2 to M-1 as potential factors of M in if (M%factor==0). In such case, divide M by that factor: M/=factor; and start checking M/factor for factors less than M/factor...etc. This process repeats until M is reduced to 1 and therefore less than the smallest factor possible, 2. Can we do even better with M=28 ? Can we increase the number of unique encryptions by further extending our alphabet? Let’s add a dot to our alphabet to denote the end of a sentence in the original message. Our alphabet length of 28 now yields how many unique encryptions? Try it for yourself! 28 equals 2*2*7 so that all the keys that are multiples of 2 or 7 do not and all non-multiples of 2 or 7 do produce a unique encryption: Z28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27} allowing only 12 different unique encryptions. That is weird! A longer alphabet produces less unique encryptions. Why is that? This weirdness is not really weird. What really matters is not the alphabet length M but rather the number of multiples of the prime factors of M that are less than M: the less multiples of prime factors (as for the alphabet length of 27), the more a’s produce a unique encryption and vice versa. Aha, that realization helps a lot, since that also means that prime M’s produce M-1 unique encryptions. Why is that? Try to explain this, than continue reading! The reason for that is that a prime number has per definition no prime divisor except for 1 and itself. Therefore, since there are no other prime divisors and thus no multiples, all integers less 17 than M serve as good keys. Let’s check this for an alphabet length of M=29. As 29 is prime, it has no divisors except for 1 and 29 and thus there are no multiples as bad keys. Therefore, each integer less than 29 is a good key MOD 29: Z29* = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28}. allowing a total of 28 different unique encryptions. Hey, this shows a great way to produce more unique encryptions which of course makes life harder for an eavesdropper: Recommendation for more security: Choose the alphabet length M to be a prime number to make cracking the cipher text more difficult. You now understand why cryptographers have an affection for prime numbers. Additionally, you will learn that the RSA Cipher uses prime numbers as well. They are very special primes as they must consist of 100 digits or more. It is not difficult to understand that the length of such numbers requires the usage of computers. Thus, we now go ahead and practice a bit more computer programming. Determining the bad keys for a given alphabet length M is a perfect task for a computer. The following C++ program firstly determines the factors for an entered alphabet length M and secondly their multiples, the bad keys. Thirdly, listing the good keys would be best done using C++ vectors or even C-style arrays which you might know. If so please go ahead and modify the following program. If you don’t know, exercise your patience, later in this chapter I will present a more elegant program that uses the Euclidean Algorithm to determine the good keys. This program is an extension of the previous simple factoring program. After finding each factor of M, I just print them out in for (j=1;j<factor2;j++){ cout << setw(2) << j*factor << " ";} I will explain the data type bool and the command setw() after the C++ code. //Author: Nils Hahnfeld 10-16-99 //Program to find the bad keys #include <conio.h> #include <iostream.h> #include <iomanip.h> #include <bool.h> void main() { int M, m, j, factor, factor2; bool prime; clrscr(); cout << "This program finds the 'bad' keys for an entered alphabet length M." << endl; 18 cout << "===========================================================================" << endl; do { cout << "Enter the alphabet length or 0 to exit: M="; cin >> M; m=M; factor=2; prime=0; //initialization while(factor <= m) { if (m%factor==0) { if (factor!=M) { cout << "Divisor of "<< M << " =" << setw(3) <<factor<< ". "; cout << "'Bad' keys: "; } else { cout << M << " is prime."<< endl; prime=1; break; } factor2=M/factor; for (j=1;j<factor2;j++){ cout << setw(2) << j*factor << " ";} cout << endl; m/=factor; while(m%factor==0){m/=factor;} //takes out multiples of factor factor=1; } factor++; } cout << "Thus, the 'good' keys are all the "; if (!prime) cout <<"non-listed "; cout << "integers from 1 to " << M-1 <<"." << endl << endl; }while(M!=0); } Programmer’s Remarks: 1) The logic of this program is the same as in the previous factoring program. However, you can see the usage of the data type boolean (“bool”, named after the British Mathematician George Boole [1815-1864]), which is used if a variable (i.e. prime) can only attain two possible values: either true (=1) or false (=0). In order to be able to use the data type boolean, we have to include the bool.h library in #include <bool.h>1. Since the bool.h library is very short I want to show you its contents: typedef int bool; const int false = 0; Modern C++ compiler ( i.e. C++ builder5.0 from Borland) don’t require to include the bool.h library anymore. Thus, variables of type boolean can be used just like int, char, double or other variables. 1 19 const int true = 1; In the first line the new data type “bool” is defined of type “int” so that the (two) bool-variables are just regular integers. The next two lines then show us that the variable “false” is defined as “0” and “true” as “1”. The command const is used as a safety feature in C++: both variables are constant and can never be modified in any program. 2) The setwidth command setw() assigns as many spaces as entered in the parentheses for a numerical output in order to have a well-formatted output. It has to be placed after the cout command as in: cout << setw(2) << j*factor. In order to be able to use the command setw() we have to include the iomanip.h library in #include <iomanip.h>. 2.5 Counting the Number of Good Keys for various Alphabet Lengths M – An Introduction to the Euler Function. Now that we have explored the criteria for unique encryptions and the number of good keys for certain alphabet lengths, it is the nature of Mathematics to generalize the observations and to set up an explicit formula for the number of unique encryptions based on the alphabet length M. For that purpose we have to consider 3 different cases of the alphabet length M 1) If M is a prime number: We observed in the previous section that the prime alphabet length M=29 yields u=28 unique encryptions. For the same reason, an alphabet length of M=31 produces u=30 unique encryptions. Since the number of unique encryptions u is a function of the alphabet length M, we may write in function notation: u(M) to denote the number of unique encryptions (which equals the number of good keys) as a function of M. I.e. for M=29 we have u(29)=28. For M=31 we have u(31)=30. Remember that a function, per definition, assigns to each x-value one particular y-value. The x values are the ones that we can choose independently, here the length of the alphabet M. Each y-value is dependent on the choice of x, i.e. the number of unique encryptions u are dependent on the chosen alphabet length M. Since u can be expressed as a formula that involves M, namely u=M-1, we say that u is a function of M and write u(M)=M-1. In general we have the: Formula for the number of good keys if M is a prime If the alphabet length M=p is prime, the number of good keys is u(p) = p-1. 2) If M is a prime power, M=pn: 20 Now let’s look back at M=27 as an example where we only have the one prime factor p=3, such that M=33. How many multiples of 3 will not produce a unique encryption? Those are the 8 integers 3, 6, 9, 12, 15, 18, 21, 24. Since there are 9 threes (or 9 multiples of 3) in 27 and therefore 8 threes when counting only up to 26 yielding the 8 listed bad keys. Therefore, we just need to divide 27 by the only prime divisor 3 and subtract 1 at the end to find the number of bad keys: 8 = 27/3 – 1. This principle of finding the number of bad keys holds true for any alphabet length that is a prime power: There are M/p multiples of p less or equal to M, and therefore M/p - 1 many less than M. And we are only interested in those integers less than M since we are calculating MOD M which involves the integers 0 to M-1. Thus, the number of bad keys can simply be found by dividing the alphabet length M by the only prime divisor p and subtracting 1 from that fraction: M/p - 1. Let’s write down the Formula for the number of bad keys if M is a prime power b(M) = number of bad keys = M/p - 1. Example1: M=9=32 has the only prime divisor 3 and thus b=9/3 – 1 = 2 bad keys which are 3 and 6 as the multiples of 3 that are less than 9. Example2: M=81=34 has again 3 as the only prime divisor and thus b = 81/3 – 1 = 34/3 –1 = 33 –1 = 26 bad keys. Those are 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 36, 39, 42, 45, 48, 51, 54, 57, 60, 63, 66, 69, 72, 75 and 78 as the multiples of 3 that are less than 81. Our ultimate goal is not to develop a formula for the number of bad keys but rather for the number of good keys. However, subtracting the number of bad keys from the number of all possible keys (=M-1) yields the number of good keys. In formula: u(M) = (M-1) – b(M) using the above formula for the number of bad keys yields = M-1 - (M/p -1) distributing the minus sign to the terms in the parenthesis yields = M-1 - M/p + 1 canceling out the 1’s yields = M - M/p This turns out to be a handy formula for the number of good keys. However, it can be simplified further using the fact that we are considering here alphabets of length M that are powers of a prime p: M=pn for some positive integer n. Thus, our formula simplifies to: u(M) = pn – pn/p which simplifies further to = pn - pn-1. Therefore, Formula for the number of good keys if M is a prime power: If M = pn , the number of good keys is u(M) = pn - pn-1. Example 1: For M=27=33: Inserting 3 for p and 3 for n in pn - pn-1 yields u(27) = 33 - 32 = 27-9 = 18 which is just what we wanted. 21 Example2: For M=9=32 we have u(9) = 32 - 31 = 9 – 3 = 6 which are the 6 good keys a=1,2,4,5,7,8. Example3: For M=16=24 we have u(16) = 24 - 23 = 8 which are the 8 good keys a=1,3,5,7,9,11,13,15. Example4: For M= 34 =81, we get u(81) = 34 - 33 = 81 – 27 = 54. 3) If the alphabet length M is a product of two prime numbers p and q The last case we have to study is when M is a product of two primes. Combining our three formulas for the number of good keys, we will then be able to develop a general formula for the number of good keys for any given alphabet length M. Let’s start with Example1: M=26=p*q=2*13. We saw that an alphabet length of M=26 produces 12 unique encryptions, since the even numbers as multiples of 2 and the 13 are the 13 bad keys. More precisely: Out of the 25 (= p * q - 1) integers that are smaller than 26, we had 12 (=13-1) multiples of 2 {2,4,6,8,10,12,14,16,18,20,22,24} and the 1 (=2-1) multiple of 13 {13} as bad keys, so that 25-12-1=12 good keys are remaining: a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 Notice that u(26) = 12 = 25-12-1 = (p*q - 1) – (p-1) - (q-1) Example2: For M=10=5*2, we obtain u(10)=4 good keys which are obtained by crossing out the 4 (=5-1) multiples of 2 and the 1 (=2-1) multiples of 5 as bad keys: a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 Notice that again u = 4 = 9 – 4 –1 = (p*q - 1) – (p-1) – (q-1) Example3: For M=15=5*3, we obtain u(15)=8 good keys which are obtained by crossing out the 4 (=5-1) multiples of 2 and the 2 (=3-1) multiples of 5: a = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 Notice that again u = 8 = 14 – 4 – 2 = (p*q - 1) – (p-1) – (q-1) The number of good keys can always be computed by u(p*q) = (p*q - 1) - (p-1) -(q-1). This formula can be simplified into the product of two factors. Here is how: u = (p*q - 1) - (p-1) – (q –1) getting rid of the first two parentheses yields = p*q -1 - p + 1 – (q –1) the two 1’s cancel each other out yielding = p*q – p – (q –1) factoring the p yields = p*(q-1) – (q –1) (q-1) in both terms can be factored yielding = (q-1) * (p –1) which can also be written as = (p-1) * (q –1) 22 Formula for the number of good keys if M is the product of two primes: The number of good keys is u(M) = u(p*q) = (p-1)*(q-1). Example4: If M=39=3*13=p*q, then the formula yields u(39) = (3-1)*(13-1) = 2*12 = 24. You can verify this as follows: out of the 38 (=p*q-1) integers that are less than 39, we first cross out all the 12 (=13-1) multiples of 3 {3,6,9,12,15,18,21,24,27,30,33,36} and then cross out the 2 (=3-1) multiples of 13 {13,26} resulting in 38 – 12 – 2 = 24 good keys. Example5: If M=65=5*13=p*q, then the formula yields u(65) = (5-1)*(13-1) = 4*12 = 48. You can verify this as follows: out of the __ integers that are less than 65, we first cross out all the ___ multiples of __ and then cross out the __ multiples of __ resulting in ______ = 48 good keys. A summary of our explorations for the number of good keys shows: 1) u(p) = p - 1, if M is prime M=p. n n n-1 2) u(p )= p - p , if M is a power of a prime M= pn. 3) u(p*q) = (p-1)*(q-1), if M is a product of two primes M=p*q. Credit goes to the Swiss Mathematician Leonard Euler (pronounced “Oiler”, 1707-1783). He investigated these number properties and was the first one to come up with a function, Euler’s -function, also called Euler’s Totient function, that determines the number of integers that are relative prime to a given integer M. It is a function that is in the heart of Cryptography and used i.e. for the RSA encryption. The following table shows the numbers relative prime to M for the first 21 integers. M (M) 2 1 3 2 4 2 5 4 6 2 7 6 8 4 9 10 11 12 13 14 15 16 17 18 19 20 21 8 12 10 4 12 6 8 8 16 6 18 8 12 Similar to our notation, the properties of Euler’s -function that computes the number of integers that are relatively prime to M and wrote similarly to our notation: Euler’s -function: 1) (p) = p-1 2) (pn) = pn - pn-1 3) (p*q) = (p-1)*(q-1) 4) (n*m) = (n) * (m) for a prime p. for a prime power pn. for two distinct primes p and q. when n and m are relatively prime. It describes the multiplicative property of . We have explored the first three properties already, however, the 4th property is new - but not totally new. I want to show you an example where we used it already. Say M=26=2*13=n*m. Since n and m are two distinct primes, they certainly are relative prime, so that the condition for property 4) is fulfilled. We obtain (2*13) = (2) *(13). From property 1) we know that 23 (2)=1 and (13)=12, and consequently, (2*13) = (2)*(13) = 1*12 = 12 which is exactly property 3). Thus, property 4) yields nothing new if our alphabet length is the product of two primes. However, it turns out to be indispensable when M is not the product of two primes, but say a product of a prime and a prime power. Example1: If M=24=3*8=3*23, then (24) = (3*23) using property 4) yields = (3)*(23). using properties 1) and 2) yields 3 2 = (3-1)*(2 -2 ) = 2*4 = 8. For a check: the eight integers 1,5,7,11,13,17,19,23 are relative prime to 24 and thus the good keys for M=24. Even products of 3 primes or prime powers like 30 or 60 can now be dealt with due to the 4th property: Example2: If M=30=2*3*5, then (30) = (2*3*5) using property 4) yields = (2)*(3*5) again property 4) yields = (2)*(3)*(5) now using property 1) yields = 1*2*4 = 8. For a check: the same eight integers 1,5,7,11,13,17,19,23 are relative prime to 30 and are thus the good keys for M=30. Example3: Now, it is your turn. If M=60=22*3*5, then (60) = (22*3*5) using property __ yields = (22)*(3*5) using property __ yields 2 = (2 )*(3)*(5) using properties __ and __ yields = (22 – 21)*2*4 = 2*2*4 = 16. You noticed, that the multiplicative property of Euler’s -function, expressed in property 4), is used to decompose any integer M into its prime factors or prime power factors to then apply the first two properties to each prime or prime power. This eventually enables us to calculate the number of integers that are relative prime to these primes and prime powers. Multiplying such answers yields the number of good keys for any given alphabet length. The given examples show you the calculation process. Notice, that property 3) became useless for the calculation process since factors that are relative prime are separated via property 4). Subsequently, is computed by property 1) if such factors are primes or by property 2) if they are prime powers. Before we conclude this section with the highlight of creating a sole formula for (M) from these four properties, we will consider 2 examples for each of the 4 properties of Euler’s -function. I will complete the first ones and leave the second ones for you as exercises. 24 Examples for property 1): 3 and 5 are two primes. (3)=3-1=2 as 1 and 2 are relative prime to 3. (5)=_____ as 1,2,3,4 are relative prime to 5. Examples for property 2): 8 and 25 are prime powers. (8)= (23)=23 -22 =4 as 1,3,5,7 are relative prime to 8. (25)=____________ as all integers from 1 to 24 except for 5,10,15,20 are relatively prime to 25. Examples for property 3): 15 and 21 are products of two primes. (15)=(3*5)=(3-1)*(5-1)=2*4=8 as 1,2,4,7,8,11,13,14 are relative prime to 15. (21)=________________________ as 1,2,4,5,8,10,11,13,16,17,19,20 are relative prime to 21. Examples for property 4): 24 and 28 are products of primes and prime powers. (24) = (23 *3) = (23)*(3) = (23-22)*(3-1) = 4*2 = 8 as 1,5,7,11,13,17,19,23 are relative prime to 24. (28) = _____________________________ as 1,3,5,9,11,13,15,17,19,23,25,27 are relative prime to 28. Now, let’s come to the highlight of this section: I will show you in a few steps how to compute (M) for any M from one equation instead of combining the four properties? All we need to know are the prime divisors of M, but we don’t even need to know how often a prime number divides M. I.e., for M=27 we just need to know that 3 is a prime divisor of 27 but not how often it divides 27. While deriving the formula for M=60=22*3*5 in the left column I will deduce simultaneously the explicit formula for M=p12*p2*p3 with p1 being the first prime factor 2, p2 being the second prime factor 3 and p3 being the third prime factor 5 in the right column. We know already that: (60) = (22*3*5) = (22-21)*(3-1)*(5-1) (M) = (p12* p2* p3) = (p12- p11)*( p2-1)*( p3-1). For the purpose of setting up an explicit formula for (M), we now try to give the three factors (in parentheses) the same format. We factor p1=2 yielding = 2*(2-1)*(3-1)*(5-1) = p1* (p1- 1)*( p2-1)*( p3-1). The three factors in the parentheses already have the same desired format, however, the single 2 destroys it. The ultimate trick to yet produce the same format is factoring: from each parentheses we factor the first integer (which is a divisor of M) and obtain: (60) = 22*(1 -1/2) * 3*(1 -1/3) * 5 * (1 -1/5) (M) = p12 * (1 -1/ p1) * p2*(1 -1/ p2) * p3 * (1 -1/ p3) = 22*3*5*(1 -1/2)*(1 -1/3)*(1 -1/5) = p12* p2* p3*(1 -1/ p1)*(1 -1/ p2) * (1 -1/ p3) = 60*(1 -1/2)*(1 -1/3)*(1 -1/5) = M * (1 -1/ p1) * (1 -1/ p2) * (1 -1/ p3). 25 This is it. Notice in the last row that all we need to know are the prime factors p of M without knowing how often they occur. We then write them in the form (1-1/p), multiply them and that product by M yielding (M). On the right we ended up with the explicit formula for (M) when M consists of one prime power and two primes. It surely acquires this simple form for any number of primes or prime powers. Notice, that all we need to find are the different primes, say p1, p2,..., pn, as our explicit formula for the number of unique encryptions appears to be: Formula for the number of good keys for any alphabet length M: For an alphabet length M, there are (M) = M * (1- 1/p1) * (1- 1/p2) *…* (1- 1/pn) good keys where each pi is a prime divisor of M. It is really enjoyable to use this simple formula as we just need to find all prime divisors of M and don’t have to worry about how often they occur. Therefore, a simple prime check program would be sufficient to find the divisors p of M. We then set up the factors of the form (1- 1/p), multiply them and eventually multiply that answer by M. Example1: Say M=180, then a prime check program yields the prime factors 2,3 and 5, so that (180) = 180 * (1-1/2) * (1-1/3) * (1-1/5) = 180 * (1/2) * (2/3) * (4/5) = 90 * (2/3) * (4/5) = 60 * (4/5) = 48 Example2: Say M=360, since 360=2*180 the prime factors are again 2,3 and 5, so that (360) = 360 * (1-1/2) * (1-1/3) * (1-1/5) = 360 * (1/2) * (2/3) * (4/5) = 180 * (2/3) * (4/5) = 120 * (4/5) = 96 Example3 is for you: Say M=90, since 90=____ the prime factors are _______, so that (90) = 90 * (1-1/__) * (1-1/__) * (1-1/__) = 90 * ____________________ = _______________ = _______________ = ___ Of course, I could have computed the answers in the above examples right away but I wanted to give you the chance of brushing up on your skills to multiply fractions. A little computer 26 program turns out to be again very valuable as the number of good keys can be easily determined by first finding all prime factors of M to then use the above explicit formula. //Author: Nils Hahnfeld 10-16-99 //Program to determine (M)using M*(1-1/p1)*(1-1/p2)*... #include <iostream.h> #include <conio.h> void main() { int factor, M, m; float phi; clrscr(); cout << "This programs uses M*(1-1/p1)*(1-1/p2)*... to calculate phi(M)."<<endl; cout << "==============================================================="<<endl; do { cout << "Enter M to find the number of 'good keys' or 0 to exit: M=" ; cin >> M; cout << endl << "Prime Factor(s) are : " ; m=M; factor=2; phi= (float) M; //casting: from integer to float data type while(factor <=M) { if (M%factor==0) { cout << factor << " "; M/=factor; while (M%factor==0) M/=factor; //takes out multiple factors phi*= (1- 1/(float)factor); } factor++; } cout << endl << "phi(" << m <<")="<< phi << endl << endl << endl; }while(M!=0); } Programmers remarks: This program is an enhanced version of thr previous one that found the bad keys as factors of M for us. If a factor p is found we now additionally form the term 1- 1/p and multiply it to the other terms in phi*= (11/(float)factor) to eventually obtain phi. Notice in this program that phi and M are declared as 2 different data types, yet the value of the integer (int) variable M can be assigned to the real number (float) variable phi in phi= (float) M; All I needed 27 to do is to write the new data type (here float) in parenthesis right in front of the integer variable M. This process is called type-casting and also works when converting between any other numerical data types. In that case you have to be aware that when you convert from a float or a double to an integer (that is from more a precise to a less precise data type) the decimals are simply cut off: i.e. 3.1415927 becomes the integer 3 and we are losing precision. The other time that we are casting in phi*= (11/(float)factor); we don’t give up any precision (and therefore information) as we convert from the integer typed variable factor to the more precise real number typed variable phi. 2.6 Introduction to Euler’s Theorem – Usage of the Good Keys In this section, we will discover Euler’s Theorem which is the basis for the RSA encryption that I will introduce in chapter 5. It will be quite easy for you to grasp it since it solely deals with properties of the familiar good keys. Let’s recall first what we know already about them. 2.6.1 Good Keys have different Orders A brief review: In section 2.2 we observed in the reduced multiplication table MOD26 that each encoding key that produces a unique encryption was called a good key and possesses a unique inverse a-1, the decoding key. You can verify this by finding exactly one 1 in each row that is produced by the multiplication of the encoding keys with its inverse a-1. Recall that an inverse of a is that particular integer a-1 that yields 1 when multiplied by a. Decoding key a-1 * 1 3 5 1 3 5 7 9 11 15 17 19 21 23 25 1 3 5 7 9 11 15 17 19 21 23 25 3 9 15 21 1 7 19 25 5 11 17 23 5 15 25 9 19 3 23 7 17 1 11 21 Encoding key a 28 7 9 11 15 17 19 21 23 25 7 9 11 15 17 19 21 23 25 21 1 7 19 25 5 11 17 23 9 19 3 23 7 17 1 11 21 23 11 25 1 15 3 17 5 19 11 3 21 5 23 15 7 25 17 25 21 17 9 5 1 23 19 15 1 5 9 17 21 25 3 7 11 15 23 5 21 3 11 19 1 9 3 15 1 25 11 23 9 21 7 17 7 23 3 19 9 25 15 5 5 25 19 7 1 21 15 9 3 19 17 15 11 9 7 5 3 1 Notice also that each good key occurs once in each row as well. Therefore, each row below the top row is just a rearrangement of the integers in the top row, which is also called a permutation. In other words: the integers 1,3,5,7,9,11,15,17,19,21,23,25 appear exactly once in each row. Moreover, we learned in section 2.2 that the only keys that are inverse to themselves, which means that the encoding key equals the decoding key, are 1 and 25 because 1*1=12=1 MOD 26 and 25*25=252=1 MOD26. Notice that as there are no other 1’s on the diagonal there are no other keys that are inverse to themselves. Therefore, raising any other key except for 1 and 25 to the second power will not yield 1, however, if we raise to powers greater than 2, will we be more successful? Will we be able to raise the good keys to powers that yield 1 MOD 26? Might there even be one 'universal’ exponent that produces 1 for each good key a? We will check this now in detail for the good keys in Z26*, and then briefly for those in Z27* and Z28*. For our exponent inspection, we need a new vocabulary in order to denote that particular power of a good key that yields the first 1. Definition of the order of a good key: We raise the good key a to the power of 1, 2, 3, etc.: a1, a2, a3, … We stop when the first power yields 1 (which is guaranteed to happen for each good key and will be proved in the upcoming Euler’s Theorem). That exponent whose power yields the first 1 is called the order of a. or equivalently: If as=1 for the smallest positive integer s, then “the order of the good key a is s.” So, let’s find the orders of the good keys MOD 26. For a=3: 32=9 and 33 = 3 * 32 = 3 * 9 = 27 MOD 26 = 1. Since all calculations are performed MOD 26, we may just write 33=1 and therefore as a chain display: 31 -> 32 -> 33 MOD 26 or even simpler: 3 -> 9 -> 1 29 Here, the order of the good key a=3 is 3 since 33=1, which equals the length of the chain (why?). Therefore, 36 equals also 1 since 36 = (33)2 = 12 =1. For the same reason: 312=1. Although the exponents 6 and 12 also yield 1, none of them is the order of a=3 as none of them is the smallest exponent that yields 1. 3 is therefore the uniquely defined order of a=3. The fact that 36, 39 and 312 all equal 1 can easily be seen by extending the above chain display as follows: 3 -> 9 -> 1 -> 3 -> 9 -> 1 -> 3 -> 9 -> 1 -> 3 -> 9 -> 1 (31 -> 32 -> 33 -> 34 -> 35 -> 36 -> 37 -> 38 -> 39 -> 310 -> 311 -> 312) Because of the repetitive or cyclic nature of the powers of 3, the chain can simply be displayed as: 3 -> 9 -> 1 and the period of this chain, namely 3, equals the order of the key a=3. For a=5: Since 5*5=25 and 5*25=21 and 5*21=1 we get 5*5*5*5=54=1. Therefore, 4 is the order of 5 which again equals the period of the chain: 5 -> 25 -> 21 -> 1 Furthermore, 58=(54)2=12=1. Explain why 512 =1, 516 =1, 520 =1 yourself using the chain display. You can practice your MOD-calculation skills by computing 54=1 in an alternative way: Since 52 = 25 = -1 MOD 26, we obtain 54 = (52)2 = (-1)2 = 1 MOD 26. Our additional search for an universal exponent that yields 1 for any good key a turns out to be very limited: the good key a=3 has exponents 3,6,9,12,… whereas a=5 has exponents 4,8,12,16,…that yield 1. So, 12 seems to be the only possible candidate for a universal exponent. So, let’s check if 12 works for a=7. For a=7: Multiplying 7 by 7 gives 72=23, 73=7*23=5, 74=7*5=9, 75=7*9=11, 76=7*11=25, 77=7*25=19, 78=7*19=3, 79=7*3=21, 710=7*21=17, 711=7*17=15 and finally 712=7*15=1. Thus, the order of the good key a=7 is 12. Verify this on the chain display by determining the period of the chain 7 -> 23 -> 5 -> 9 -> 11 -> 25 -> 19 -> 3 -> 21 -> 17 -> 15 -> 1 I reached every good key for an alphabet length of 26 when computing all the powers of a=7. Precisely, raising 7 to the power of 1 then to 2, then to 3 … and finally to 12 generates all the 12 good keys, which is the reason why mathematicians call 7 a generator. It is important to specify that 7 is a generator for Z26* because it does not generate all the good keys that are i.e. in Z28* (Explain why not!). I will show you in much more detail the usefulness of generators in the Abstract Algebra section. 30 As a reminder: the star in Z26* denotes the good keys for an alphabet length of M=26 or M=28, respectively. Without the star, Z26 denotes the set of all positive integers that are less than 26. Written out: Z26* = {1,3,5,….,23,25} are the integers less than 26 that are relative prime to 26. Z26 = {0,1,2,3,….,24,25} are the integers less than 26. Although the keys a=3,5 and 7 have different orders, they all have an universal exponent of 12: when raising these keys to the power of 12 we obtained 1: 312=1, 512=1 and 712=1. Will the tothe-power-of-12-rule hold true for the other good keys and will we, therefore, be able to discover an universal exponent property? Let’s check this for the remaining good keys. For a=9: Since 92=9*9=3 and 9*3=1 so that 93=1. Thus, the order of a=9 is 3 which means that 9 is not a generator of Z26*and you explain why again 912=1 holds true using the chain display: 9 -> 3 -> 1 and the period of 3 equals the order of 9. For a=11: It is your turn now. Show that the order of a=11 is 12 (which also means that 11 is a generator of Z26*): use your windows-calculator (go to Start, then you find it in Accessories) and compute the powers of 11 MOD 26 to complete the chain and verify that its period is 12: 11 -> 17 -> ……………………………………………………………..-> 1 Moreover, check on your windows-calculator that the to-the-power-of-12 rule also holds true for the remaining good keys by calculating 1512=1, 1712=1, 1912=1, 2112=1, 2312=1, 2512=1. The latter is quite easy to see as we know already that 252=1 and therefore 25 raised to any multiple k of the exponent 2 [(252)k=1] must also yield 1. Here is a table that displays the powers of all good keys a MOD 26: Exponents Good keys a 1 3 5 7 9 11 15 17 19 21 23 1 1 3 5 7 9 11 15 17 19 21 23 2 1 9 25 23 3 17 17 3 23 25 9 3 1 1 21 5 1 5 21 25 21 5 25 4 1 3 1 9 9 3 3 9 9 1 3 5 1 9 5 11 3 7 19 23 15 21 17 6 1 1 25 25 1 25 25 1 25 25 1 31 7 1 3 21 19 9 15 11 17 7 5 23 8 1 9 1 3 3 9 9 3 3 1 9 9 1 1 5 21 1 21 5 25 5 21 25 10 1 3 25 17 9 23 23 9 17 25 3 11 1 9 21 15 3 19 7 23 11 5 17 12 1 1 1 1 1 1 1 1 1 1 1 25 25 1 25 1 25 1 25 1 25 1 25 1 The order of each good key a can now easily be traced in this table. I.e. the order of a=21 is 4 since the first 1 occurs as the fourth number in the row of a=21. Notice one very important fact: the order of each good key a is a divisor of 12. The French Mathematician J. Lagrange(17361813) was the first to observe this fact and to prove it. However, he didn’t state it particularly for the good keys MOD 26. Mathematically, there is nothing special about the M=26. He uses an algebraic theory, the group theory, to state his theorem in a more general manner. You will have the pleasure to study this theory in the Abstract Algebra section at the end of this chapter. Now, place your index finger on the first 1 in the a=3 row, the order 3 then tells us the distance to the next 1. Jumps of length 3 bring us to the 1 when the exponent is 12. Realize, that the only reason why we end up at the 1 is because 3 is a divisor of 12. Move your index finger now to the first 1 in the a=5 row: the jumps of length 4 direct us again to 1 for an exponent of 12. Now, my point is that we only end up at 1 for an exponent of 12 for all good keys because their orders are 12 or divisors of 12. Otherwise, we would not hit 1 for an exponent of 12. I.e., say the order of a=7 were 5, then our jumps of length 5 would yield 1 for the exponents 5,10,15, .., however, not for 12. In conclusion: since the order of each good key MOD 26 is a divisor of 12 guaranteed and proved in Lagrange’s Theorem - the to-the-power-of-12 rule holds true for all the good keys MOD 26. So, we can write our universal-exponent observations as: 12 (26) a =a =1 MOD 26 if a is relative prime to 26. A brief remark: This formula holds even true for integers a that are greater than 26. I.e. a=29 is also relative prime to 26 and 2912 =1 MOD 26. However, we don’t need to consider those integers since each of them has an equivalent integer that is less than 26 that is relative prime to 26: i.e. 29=3 MOD 26 and using a=29 as a key produces the same unique encryption as a=3 does. Is there anything special about an exponent 12? Is it coincidence that the exponent of 12 is just the amount of numbers that are relative prime to 26, namely (26)? If not, can we then generalize our “to-the-power-of-12-rule” to the “to-the-power-of-(M)” rule for any given alphabet length M. Let’s check this for M=27 and M=28 first: 1) For M=27: The Euler function for prime powers yields (27) = (33) = 33 – 32 = 27 - 9 = 18. Instead of creating a whole new multiplication table for Z27*, I simply use my windowscalculator to raise all the good keys (those that are relative prime to 27 such as a=1,2,4,5,7,8,10,…,26) to the power of 18. I compute: 218=1, 418=1, 518=1, 718=1, 818=1, 1018=1,…, 2618=1 MOD 27. Recall that the last equation must be 1 because 26 = -1 and thus (-1)2 = 1 and therefore 2618 = (-1)18 = ((-1)2)9 = 1^9 = 1. Again: a18 = a(27) = 1 MOD 27 for the good keys a in Z27* = {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26}. 2) For M=28: 32 Then (28) = (22*7) = (22) * (7) = (22 – 21) * 6 = 12. And 312=1, 512=1, 912=1, 1112=1, 1312=1,…, 2712=1 MOD 28 is what your calculator computes so that again: a12 = a(28) = 1 MOD 28 for the 12 good keys a in Z28* = {1,3,5,9,11,13,15,17,19,23,25,27}. 2.6.2 Euler’s Theorem How would you formulate the above to-the-power-of-(M)-rule as a theorem? Try to formulate it for yourself and then continue reading! I hope you were able to formulate it just as Leonard Euler did. His theorem rose to one of the most famous theorems in Mathematics and became central in Cryptography: Euler’s Theorem: For a given alphabet length M, each integer a that is relative prime to M yields 1 MOD M when raised to the power of (M): a(M) =1 MOD M. Of course, we have not proven it. Rather, we verified it for M=26, M=27 and M=28. Checking those examples does not prove anything. A Mathematician would not be satisfied, he might say that our calculations don’t justify a theorem, however, it does seem to be a promising conjecture. If you pursue a math career at college, you will encounter a lot of proofs. It is not my intention to introduce you to the many mathematical proofs, I rather want you to explore and discover many mathematical properties yourself. Nevertheless, since the proof of Euler’s Theorem is not difficult, I want to demonstrate it to you. Also to give you an idea of how proving a mathematical theorem can be accomplished and thus what to expect in case you happened to find yourself in some college math lecture: I am first going to prove Euler’s Theorem for an alphabet length of M=5 for you. Customarily, proving it for one particular case is not being done in Mathematics, however, it will give you a better idea of the general proof later. When first checking one particular case of the general proof you will be using concrete numbers that will fill the letters in the general proof with more meaning. 2.6.3 Proof of Euler’s Theorem for an alphabet length M=5 So let’s prove Euler’s Theorem for an alphabet length of M=5. Since (5) = 4 we have to prove that a4 =1 MOD 5 for all integers a that are relative prime to 5 which are all the good keys a=1,2,3,4. For that purpose, we set up the multiplication table for Z5: * 1 2 3 1 1 2 3 2 2 4 1 3 3 1 4 4 4 3 2 33 4 4 3 2 1 The first row (in blue) shows us the four good keys 1,2,3,4. In the next 3 rows, you see the rearrangements of the 4 keys. Now, rearranging the numbers in each row leaves their product unchanged - which is the key idea in this and later in the general proof. Specifically, let’s take a look at the first two rows first: 1st row 1*2*3*4 row of key a=2 = 2 * 4 * 1 * 3 = (2*1) * (2*2) * (2*3) * (2*4) MOD 5 = 24 * 1 * 2 * 3 * 4 can be written as combining the four 2’s yields If we now divide both sides by 1 * 2 * 3 * 4 = 24, we obtain 1 on the left-hand side and 24 on the right-hand side which proves: 24 =1 MOD 5. We can prove 34 =1 MOD 5 similarly. We now consider the first and the third row: 1st row row of key a=3 1*2*3*4 = 3 * 1 * 4 * 2 can be written as = (3*1) * (3*2) * (3*3) * (3*4) MOD 5 combining the four 3’s yields 4 =3 *1*2*3*4 Again, dividing both sides by 1 * 2 * 3 * 4 yields 1 on the left-hand side and 34 on the right-hand side which proves: 34 =1 MOD 5. The proof of a4 =1 MOD 5 is completed if we show that 44 =1 MOD 5 and realize that 14 =1 MOD 5. This is a great exercise for you, please do both now. I will provide the set up for the good key a=4: 1st row 1*2*3*4 row of key a=4 = _____________________ = _____________________ MOD 5 = 34 * 1 * 2 * 3 * 4 can be written as combining the four 3’s yields In our first generalization step we now reduce the 4 parts of our proof for M=5 to one single more general proof. 1st row a1 * a2 * a3 * a4 row of key a = (a*a1) * (a*a2) * (a*a3) * (a*a4) MOD M = a4 * a1* a2 * a3 * a4 Again, the division by a1*a2*a3*a4 on both sides yields a4=1 MOD 5 and we have completed our proof for Euler’s Theorem when M=5. The proof of the generalized Euler’s Theorem will be of the same format except that we will have rather (M) terms instead of the (5) = 4 terms here. 2.6.4 Proof of Euler’s Theorem: 34 If we now use an alphabet length M, then we have (M) good keys which we list as: a1, a2, a3,…,a(M). The subscripts from 1 to (M) according to Euler’s function tell us which key we are talking about when they are listed in order from smallest (which is always 1) up to largest (which is (M)). In case of M=5 we would have a1=1, a2=2, a3=3 and a(5) = a4 = 4, in case of M=26 we would have a1=1, a2=3, a3=5,…, a(26)=a12= 25. For the proof, we don’t need to know their actual values. All we really use in the proof is that there are (M) good keys whose products are the same in each row. We saw in the multiplication tables for the good keys when M=5 or M=26 that multiplication by another good key a just causes a rearrangement of the (M) good keys: the row of key a contains the integers a1, a2, a3, …,a(M) in a certain order, however, the products in all rows are the same: 1st row a1*a2*a3*…*a(M) row of good key a = (a*a1) * (a*a2) * (a*a3) * … *(a*a(M)) MOD M = a(M) * a1*a2*a3*…*a(M) Again, dividing both sides by a1 * a2 * a3 *…* a(M) yields 1 on the left-hand side and a(M) on the right-hand side which proves: a(M)=1 MOD M which completes the proof of Euler’s Theorem. Here is the C++ Code for Euler’s Theorem: with this program you can check the theorem for any entered alphabet length M and any key a. To check if a key a is a good or a bad one (i.e. if a is relative prime to M) you can use one of the earlier C++ programs. Can you also find an a and M such that a(M)=1 MOD M even if a is not a good key? //Author: Nils Hahnfeld 11-3-99 //Euler's Theorem //Warning: Incorrect answers occur for high powers (overflow problem) #include <iostream.h> #include <conio.h> #include <math.h> int gcd(int A, int B); float phi(int m); //required for pow() function //prototype of the gcd function //prototype of Euler's phi function void main() { int M,a,ans,n; clrscr(); cout << " The Euler Theorem: a^phi(M)=1 MOD M, if gcd(a,M)=1" << endl; cout << " ==================================================" << endl; do { cout << "Enter number M = "; 35 cin >> M; cout << "Enter number a or 0 to exit: a = "; cin >> a; ans=(int)pow(a,phi(M)); if (gcd(a,M)==1) { cout << "a^phi(M) = "<< a <<"^" <<phi(M)<< " = " << ans%M << " MOD " << M << endl;} else { cout << a << "and " << M << " are not relative prime." <<endl;} cout <<endl; } while(a!=0); } int gcd(int A, int B) { int R; do { R=A%B; A=B; B=R; } while(R!=0); return A; } // definition of the gcd function float phi(int m) // definition of Euler's phi function { int factor=2; float phi=(float)m; while(factor<=m) { if (m%factor==0) { m/=factor; while(m%factor==0) {m/=factor;} //cancels multiple factors phi*= (1- 1/(float)factor); } factor++; } return phi; } Programmer Remarks: 1) Notice on top that we have to include the math library (which consists of the most common mathematical functions) in order to use the power function in ans=(int)pow(a,phi(M)); 2) The power function’s return type is double, however, we need the power to be of type integer in order to perform the mod calculation in ans%M. For that reason, I have to convert the types (“type-casting”) again in ans=(int)pow(a,phi(M)); 36 3) Now you are learning how to define your mathematical functions and how to incorporate them into your main program. Although very many mathematical functions are predefined in the math.h library, some are not. Sometimes, we need to define our own such that they can be used just like a library function. Our first function shall return the greatest common divisor (gcd) of two entered integers (a and M), look at its definition at the bottom of the program. Since the greatest common divisor is an integer, the return data type is int written in front of the function definition: int gcd(int A, int B). The integers a and M must be read in again as integers, called A and B, so that all the computations inside the gcd function are performed on A and B. Their original values are those of a and M and change according to the procedure that determines the gcd of A and B. This procedure is the famous Euclidean Algorithm that I will explain to you in the next chapter. For now, you have to believe that it calculates the answer correctly, just as you have to believe that your calculator computes correctly. Once the answer is calculated, it is returned to the main program in return A; and used in if (gcd(a,M)==1). That means, gcd(a,M) takes the returned value of A from our gcd function is checked if it equals 1. The second function returns the value of Euler’s function as a real number (“float”) to the main program in ans=(int)pow(a,phi(M)); and in … <<"^" <<phi(M)<< " = " … such that phi(M) in the main program takes the value of phi in the return function. 4) Finally, you find the “prototypes” (which are copies of the first lines) of the two self-defined functions right in front of the main program: int gcd(int A, int B); float phi(int m); They tell the C++ compiler to be patient about the two so far unknown functions when compiling the main program. The compiler will now compile the main program and expects the definition of those two functions following the main program. 37 2.6.5 Fermat’s Little Theorem: There is a neat exponent-simplification of Euler’s Theorem if the alphabet length M is a prime number. Using the first property of the Euler function: (M)=M-1, if M is prime, then Euler’s Theorem simplifies to the so-called Fermat’s Little Theorem: If the alphabet length P equals a prime number, each of the P-1 integers a less than P are guaranteed to be relative prime to P (and therefore good keys) so that Euler’s Theorem simplifies to: aP-1=1 MOD P. As an example check the previous section when P=5. We don’t need to prove Fermat’s Little Theorem anymore as it is a special case of the more general Euler Theorem which we just proved. This theorem is named after Pierre Fermat because he first discovered and prove it. It is called little to distinguish it from Fermat’s Theorem (also called Fermat’s Last Theorem) which states: for all integers x,y,z and n>2: xn + yn ≠ zn. Note that n must be greater than 2 in Fermat’s Last Theorem as for n=2 we would just state the famous Pythagorean Theorem where i.e. x=3, y=4 and z=5 is one of infinitely many solutions. However, Fermat’s Last Theorem states the opposite, namely that you can not find integers x, y and z that fulfill the equation for an exponent that is any integer greater than 2. A famous anecdote is this one: Pierre Fermat (1601-1665), also the founder of the theory of probability, claimed that he had found a proof for his theorem. But he never published it. Supposedly, it did not fit on the page’s margin, so that nobody can be sure today if he actually proved it or not. However, the British Mathematician Andrew Wiles became well-known throughout the world in 1995 when he proved Fermat’s Last Theorem on more than 300 pages after spending 6 years in isolation and fulfilling a childhood dream. 2.7 Abstract Algebra (II): Examples of Rings and Fields The last two sections are for those that like to have a more profound understanding of the encryption systems and the underlying algebraic fundament. Study it thoroughly. 2.7.1 ZM forms a Ring, ZP even forms a Field 38 We learned in this chapter that all keys in ZM are good ones if M is prime. I. e. when M=29, we saw that all the non-zero keys in Z29 = {0,1,2,3,…,28} are good keys since each one possesses an inverse, the decoding key in Z29. However, when M=26, some of the non-zero keys in Z26 = {0,1,2,3,…,25} do not possess an inverse in Z26. This difference in inverse characterizes the difference between a field such as Z29 and a ring such as Z26. To study the differences between fields and rings in more detail, let’s consider two familiar examples of rings. We learned in the previous chapter already that Z4 and Z6 do not form groups with respect to MOD-multiplication since there are keys a that don’t possess a decoding key a-1 or mathematically: not every element in Z4 and Z6 possesses an inverse element. For example, the multiplication table of Z4 shows * 1 2 3 1 1 2 3 2 2 0 2 3 3 2 1 Only those integers that are relatively prime to M=4, namely 1 and 3, produce a 1 in their row and are therefore called the good keys. The key a=2 does not possess a decoding key a-1 in Z4 since none of the products of a=2 with 1, 2 or 3 yields 1. In fact, it never yields an odd number. Similarly in Z6: * 1 2 3 4 5 1 1 2 3 4 5 2 2 4 0 2 4 3 3 0 3 0 3 4 4 2 0 4 2 5 5 4 3 2 1 We obtain a 1 in the rows for a=1 and a=5 as the only two integers that are relatively prime to 6 (the only good keys in Z6). We can observe that if the product of two non-zero members yields 0 MOD M (i.e. 2*3 =0 MOD 6 and thus 2 and 3 are called “zero-divisors”) we can never obtain 1 in their rows. It is impossible since multiples of the zero-divisors yield 0 over and over again and the zero-divisors is greater than 1? Both Z4 and Z6 are examples of rings as they each fulfill the following Ring properties: The set ZM forms a RING if 1. (ZM, +) forms a commutative group: The integers in ZM fulfill the four group properties ( I) closed, II) unit element, III) inverse element, IV) associativity) with respect to addition. V) Moreover, the addition is commutative. 2. (ZM, *) is closed: The multiplication of integers in ZM yields an integer in ZM 39 3. they fulfill the distributive property a*(b+c) = ab+ac and (a+b)*c=ac + ab. Notice that a Ring entails the two operations + and * whereas a group just uses one (I.e. + or *). Let’s check the 3 ring properties for Z6 : 1) We saw in the multiplication table of Z6 that the product of any two integers in Z6 yields an answer that is part of Z6 aswell. This shows that the MOD-multiplication of Z6 is closed. 2) The addition table of Z6 appears as follows: + 0 1 2 3 4 5 0 0 1 2 3 3 3 1 1 2 3 4 5 0 2 2 3 4 5 0 1 3 3 4 5 0 1 2 4 4 5 0 1 2 3 5 5 0 1 2 3 4 I) Here you easily see that the sum of any two integers yields 0,1,2,3,4 or 5 so that the addition is closed. II) The unit element is 0 as adding 0 does not change the sum. III) Each integer has an inverse as we find a 0 in every row. I.e. 1 and 5 as well as 2 and 4 are inverse to each other. IV) The associative property is verified by checking all possible additions such as 1+(2+3) = (1+2)+3. V) The addition is commutative since the addition table is symmetric with respect to the main diagonal. 3) The distributive property is verified by checking all possible combinations such as 1*(2+3) = 1*2+1*3 and (1+2)*3=1*2 + 2*3. Notice that the distributive property checks if we can change the order of adding and multiplying numbers MOD6. Yes, we certainly can. If in addition to the ring properties the non-zero elements of a set also form a multiplicative group then that set forms a field. That means in particular that each non-zero integer in ZM possesses an inverse that itself is in ZM. I.e. Z5 ={0,1,2,3,4}forms a field since each member in Z5 with the exception of 0 has an inverse in Z5. You can observe this by finding a 1 in each row. For instance, 3 and 2 are inverse MOD 5. The 0 is excluded since it turns any product into 0 and thus does not even have a chance to have an inverse. 40 * 1 2 3 4 1 1 2 3 4 2 2 4 1 3 3 3 1 4 2 4 4 3 2 1 Field properties: The set ZM forms a FIELD F if 1. (ZM, +) forms a commutative group: The integers in ZM fulfill the four group properties (closed, unit element, inverse element, associativity) with respect to addition. Moreover, the addition is commutative. 2. (ZM*, *) forms a group: The non-zero integers in ZM fulfill the four group properties (closed, unit element, inverse element, associativity) with respect to multiplication. 3. they fulfill the distributive property a*(b+c) = ab+ac and (a+b)*c=ac + ab. Notice that every field is also a ring. A field has the additional property that each field element possesses a multiplicative inverse. Another example for a field is Z7 : * 1 2 3 4 5 6 1 2 3 4 5 6 1 2 4 6 1 3 5 2 3 6 2 5 1 4 3 4 1 5 2 6 3 4 5 3 1 6 4 2 5 6 5 4 3 2 1 6 Remark: Z5 and Z7 are even commutative or abelian groups with respect to multiplication and are therefore called commutative fields. It is your turn now to show that Z7 forms a field. In order to verify property 1): ”The non-zero elements in Z7 form a multiplicative group” use the above table. To verify property 2) “ Z7 forms an additive group” complete the following addition table: + 0 1 2 3 4 5 6 0 1 1 2 3 4 4 5 6 0 6 2 4 6 4 Notice in our examples that ZM forms a field if M is a prime number, and a ring if M is not. Let me show you why this is always true. I.e.: when M=6 the second row of the multiplication table 41 shows the sequence 0,2,4,0,2,4. Since the multiples of 2 yield 0 (i.e. 2*3 = 0 MOD 6 and 2 is called a “zero divisor”) repeatedly and thus never 1, it is impossible for 2 to have a multiplicative inverse. Therefore, Z6 can not be a field: * 1 2 1 1 2 2 2 4 3 3 0 4 4 2 5 5 4 In fact, any set ZM for a non-prime integer M possesses at least 2 divisors of M (why?). Those divisors are therefore zero divisors MOD M, thus, they can not have any multiplicative inverses and make it therefore impossible for ZM to be a field. However, if M is prime, each integer a from 1 to M-1 is relative prime to M and thus is a good key of ZM (observe the permutations in each row for Z5 and Z7). Take a good key different from 1 and multiply it by itself, that product must be another good key a since the multiplication of good keys is closed (since ZM is a multiplicative group). Now continuing to multiply the product must eventually yield 1 which is what Fermat’s little Theorem teaches us. The worst case would be to multiply the good key a M-1 times by itself (in which case a turns out to be a generator of ZM). What matters is that a produces 1 after say k multiplications so that ak=1 MOD M. The inverse of a must then be the member ak -1 since a*ak-1 =1 MOD M. Therefore, every member in must have an inverse in ZM which is needed for a field. We can now conclude this section with a Criterion for rings and fields when performing MOD arithmetic: ZM forms a ring, if M is not a prime number (i.e. Z4 , Z6, Z8, Z9,…) . ZM forms a field, if M is a prime number (i.e. Z2, Z3, Z5, Z7,…) . In order to distinguish we denote the fields ZP and the rings ZM. Remark: Notice that Fermat’s Little Theorem aP-1 = 1 MOD P is true for all fields ZP as all keys in ZP are guaranteed to be good keys. Euler’s Theorem a(M)=1 MOD M, however, is only true if we restrict ZM to the good keys which are the ones that are relative prime to M, denoted as ZM*. Does ZM* form a ring or a field? Or neither? I will answer this question in the next section. What does all that mean? In order to decide right away if a given alphabet length M forms a ring or a field - and to therefore know if all keys are good keys - we just need to check if M is a prime number or not. Again, this sounds like a perfect computer task. It is. Input an integer M and let your program check if it is divisible by an integer that is less than M and greater than 1. If so, M is not prime, otherwise M is prime. Let me show you my prime check program in C++: //Prime Checking Program //Author: Nils Hahnfeld, 11/08/99 #include<iostream.h> 42 #include<conio.h> void main() { int M,factor=2; clrscr(); cout << "Enter integer M= "; cin >> M; while (factor<M && M%factor!=0) { factor++; //increment factor by 1 as long } //as it does not divide M evenly. if (factor==M) {cout << M << " is prime" << endl;} else {cout << M << " is not prime" << endl;} getch(); } Programmer’s Remarks: 1) The search for divisors of M is straightforward: I simply check all integers between 2 and M-1 as factors of M. Notice that I am using 2 conditions in the while statement: the && represent the logical “and” so that both conditions need to be fulfilled in order to enter the while loop. The logical “or” is represented by ||. 2) If the first condition factor<M is not fulfilled it would not make sense to also check the second as both would have to be fulfilled. Also, C++ is not trained to also check the second condition if the first condition was not fulfilled. This “shortcut” is called shortcircuiting and becomes even more useful when several conditions have to be checked in order to enter a loop. Similarly, the short-circuiting concept holds true for the logical or: if the first or the second condition is already fulfilled the following conditions don’t need to be checked anymore as one fulfilled condition suffices. 2.7.2 The Good Keys of ZM form a Multiplicative Group We just learned that for a prime alphabet length P all keys in ZP are good ones and thus form a field. So, what about if M is not prime and we only use the good keys in ZM? Sounds like a good try. As an example, let’s go back to the reduced multiplication table MOD 26 where we limited 43 ourselves to the rows and the columns of the good keys. That are those keys that are relatively prime to 26, denoted as Z26* ={1,3,5,7,9,11,15,17,19,21,23,25} * 1 3 5 7 9 11 15 17 19 21 23 25 1 1 3 5 7 9 11 15 17 19 21 23 25 3 3 9 15 21 1 7 19 25 5 11 17 23 5 5 15 25 9 19 3 23 7 17 1 11 21 7 7 21 9 23 11 25 1 15 3 17 5 19 9 9 1 19 11 3 21 5 23 15 7 25 17 11 11 7 3 25 21 17 9 5 1 23 19 15 15 15 19 23 1 5 9 17 21 25 3 7 11 17 17 25 7 15 23 5 21 3 11 19 1 9 19 19 5 17 3 15 1 25 11 23 9 21 7 21 21 11 1 17 7 23 3 19 9 25 15 5 23 23 17 11 5 25 19 7 1 21 15 9 3 25 25 23 21 19 17 15 11 9 7 5 3 1 Notice that each row contains a 1, the unit element, and that therefore each encoding key a possesses a unique decoding key a-1 as the inverse of a. Verifying the associative and the commutative properties we can see that these good keys form a commutative group with respect to multiplication. So far, everything looks promising that Z26* will form a field. Additionally, the keys would have to form a commutative group with respect to addition. So let’s make up the corresponding addition table and check it: + 1 3 5 7 9 11 15 17 19 21 23 25 1 2 4 6 8 10 12 16 18 20 22 24 0 3 4 6 8 10 12 14 18 20 22 24 0 2 5 6 8 10 12 14 16 20 22 24 0 2 4 7 8 10 12 14 16 18 22 24 0 2 4 6 9 10 12 14 16 18 20 24 0 2 4 6 8 11 12 14 16 18 20 22 0 2 4 6 8 10 15 16 18 20 22 24 0 4 6 8 10 12 14 17 18 20 22 24 0 2 6 8 10 12 14 16 19 20 22 24 0 2 4 8 10 12 14 16 18 21 22 24 0 2 4 6 10 12 14 16 18 20 23 24 0 2 4 6 8 12 14 16 18 20 22 25 0 2 4 6 8 10 14 16 18 20 22 24 The MOD 26 addition is commutative and associative since the regular integer addition is. However, the addition is not even closed as the calculated sums are not good keys themselves. In particular, the unit element 0 is not in Z26*. Of course, if only one of the group properties is not fulfilled then the good keys of Z26 can not form a group with respect to addition. And even though they do form a commutative group with respect to multiplication as we saw earlier, they can not form a field which would require both and would have been mathematical perfection. And even the second best to perfection, a ring, is not formed by the good keys of Z26 since the addition is not closed (property 2). 44 We can now enhance the criterion from the previous section of major Abstract Algebra concepts when performing MOD calculation. Criterion for group, rings and fields when doing MODarithmetic: ZM forms a ring, if M is not a prime number (i.e. Z4 , Z6, Z8, Z9,…) . ZP forms a field for a prime number P (i.e. Z2, Z3, Z5, Z7,…). ZM* (consisting only of the good keys in ZM) forms a commutative multiplicative group for any integer M, but not an additive group and therefore neither a ring nor a field. 2.8. Group Theory and Lagrange’s Theorem In this last section, I will show you that Euler’s Theorem is a result of the more general Theorem of Lagrange which states: “The order of each good key a is a divisor of (M)”. Since Lagrange's Theorem is rooted in the theory of groups and subgroups, I will first introduce you to that theory. Euler’s Theorem for an alphabet length of M=26 states (26) 12 a = a = 1 MOD 26 for all good keys a. Why is it a result of Lagrange’s Theorem? To understand it we have to study the order of the good keys: Exponents Good keys a 1 3 5 7 9 11 15 17 19 21 23 25 1 1 3 5 7 9 11 15 17 19 21 23 25 2 1 9 25 23 3 17 17 3 23 25 9 1 3 1 1 21 5 1 5 21 25 21 5 25 25 4 1 3 1 9 9 3 3 9 9 1 3 1 5 1 9 5 11 3 7 19 23 15 21 17 25 6 1 1 25 25 1 25 25 1 25 25 1 1 7 1 3 21 19 9 15 11 17 7 5 23 25 8 1 9 1 3 3 9 9 3 3 1 9 1 9 1 1 5 21 1 21 5 25 5 21 25 25 10 1 3 25 17 9 23 23 9 17 25 3 1 11 1 9 21 15 3 19 7 23 11 5 17 25 12 1 1 1 1 1 1 1 1 1 1 1 1 Table2.8A The bold 1’s in each row display where jumps of length that equal the order of that key lead you to. Notice that it is necessary that the jump length s must be a divisor of the number of good keys, 12=(26) in order to fulfill Euler’s Theorem. I.e. consider the row for a=3: The arrows 45 show you the jumps of length 3 lead us from 3 to 6 to 9 to 12. Surely, this only works since we started off at the right position: the exponent 0 (that is not displayed in the table, it would be an additional column left to the a=1 column.) yields a0=1 for any a. Otherwise, when starting off from a different position or jumping with a jump length that does not equal the order of a good key (i.e. 5 or 7), we would not arrive at the 1 for the exponent 12. From the table, we can read off the order for each good key: Good key a 1 3 5 7 9 11 15 17 19 21 23 25 is of order 1 3 4 12 3 12 12 6 12 4 6 2 When studying this table, it naturally poses some questions: 1. Is every divisor of the number of members in ZM*, here 12, an order of some good key? 2. Why is the occurrence of each order of a good key an even number except for 1 and 2? 3. Why do pairs of encoding and decoding keys (i.e. 17 and 23 or 3 and 9 or 7 and 15) have the same order? We will be able to answer the last two questions once we embed this table in a more general theory, the group theory. Looking at the powers of the good keys when M=27 and M=28 will help answering the first question: For M=27, The good keys a are {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26} and their powers with exponent 18=(27) all equal 1 – just what Euler taught us in his Theorem: Exponents Good keys a 1 2 4 5 7 8 10 11 13 14 16 17 19 20 1 1 2 4 5 7 8 10 11 13 14 16 17 19 20 2 1 4 16 25 22 10 19 13 7 7 13 19 10 22 3 1 8 10 17 19 26 1 8 10 17 19 26 1 8 4 1 16 13 4 25 19 10 7 22 22 7 10 19 25 5 1 5 25 20 13 17 19 23 16 11 4 8 10 14 6 1 10 19 19 10 1 1 10 19 19 10 1 1 10 7 1 20 22 14 16 8 10 2 4 23 25 17 19 11 8 1 13 7 16 4 10 19 22 25 25 22 19 10 4 46 9 1 26 1 26 1 26 1 26 1 26 1 26 1 26 10 1 25 4 22 7 19 10 16 13 13 16 10 19 7 11 1 23 16 2 22 17 19 14 7 20 13 8 10 5 12 1 19 10 10 19 1 1 19 10 10 19 1 1 19 13 1 11 13 23 25 8 10 20 22 5 7 17 19 2 14 1 22 25 7 13 10 19 4 16 16 4 19 10 13 15 1 17 19 8 10 26 1 17 19 8 10 26 1 17 16 1 7 22 13 16 19 10 25 4 4 25 10 19 16 17 1 14 7 11 4 17 19 5 25 2 22 8 10 23 18 1 1 1 1 1 1 1 1 1 1 1 1 1 1 22 23 25 26 22 23 25 26 25 16 4 1 10 17 19 26 4 13 16 1 7 2 22 26 19 19 10 1 13 5 7 26 16 7 13 1 1 26 1 26 22 4 25 1 25 11 4 26 10 10 19 1 4 14 16 26 7 25 22 1 19 8 10 26 13 22 7 1 16 20 13 26 1 1 1 1 Table2.8B Good key a 1 2 4 5 7 8 10 11 13 15 16 17 19 20 22 23 25 26 is of order 1 18 9 18 9 6 3 18 9 18 9 6 3 18 9 18 9 2 Notice that, again, the orders 1,2,3,6,9 and 18 are all divisors of 18. For M=28, the good keys a are {1,3,5,9,11,13,15,17,19,23,25,27} and their powers with exponent 12=(28) are again in accordance with Euler’s Theorem: Exponents Good keys a 1 3 5 9 11 13 15 17 19 23 25 27 1 1 3 5 9 11 13 15 17 19 23 25 27 2 1 9 25 25 9 1 1 9 25 25 9 1 3 1 27 13 1 15 13 15 13 27 15 1 27 4 1 25 9 9 25 1 1 25 9 9 25 1 5 1 19 17 25 23 13 15 5 3 11 9 27 Table2.8C 47 6 1 1 1 1 1 1 1 1 1 1 1 1 7 1 3 5 9 11 13 15 17 19 23 25 27 8 1 9 25 25 9 1 1 9 25 25 9 1 9 1 27 13 1 15 13 15 13 27 15 1 27 10 1 25 9 9 25 1 1 25 9 9 25 1 11 1 19 17 25 23 13 15 5 3 11 9 27 12 1 1 1 1 1 1 1 1 1 1 1 1 Let’s verify the orders of the good keys for M=28: Good key a 1 3 5 9 11 13 15 17 19 23 25 27 is of order 1 6 6 3 6 2 2 6 6 6 3 2 Notice that, again, the orders 1,2,3 and 6 are all divisors of 18. However, the answer to question 1 is a clear “No”: 12 as one divisor of the number of good keys, namely 12, does not occur here: There is no big jump of length 12 that brings us to a 1 in the rightmost column. That is what M=26 has and what M=28 does not have and it will make a big difference as you will see in the section on cyclic groups. Additionally, 4 does not occur as another divisors of 12. 2.8.1 SUBGROUPS are Subsets of Groups with Group Properties For M=26, the powers of the good key a=3 are 3, 9 and 1, the powers of the good key a=5 are 5, 25, 21 and 1. Both sets of integers are examples of subgroups of the group Z26* = {1,3,5,7,9,11,15,17,19,21,23,25}. You can imagine the Two conditions for a subgroup: 1) the numbers in the subgroup must be part of Z26* and 2) they themselves fulfill the 4 group properties. Let’s verify the 2 subgroup conditions for the subset S3={3,9,1}. 1) is true as 3,9,1 are in Z26*. Let’s check 2): I. Closure: The multiplication in S3 is closed as all the possible products 3, 9 and 1 are again in S3. Verify this in the multiplication table of S3: * 3 9 1 9 1 3 3 1 3 9 9 3 9 1 1 48 II. Associativity: Because the regular multiplication of integers is associative, the multiplication MOD 26 is associative. III. Unit element: The unique unit element is 1 as you can see in the table. IV. Inverse element: Each element in S3 possesses an inverse element that is in S3. To verify this, for each member of S3 in the left column find the unit element 1 in its row. Then go up that column to find its inverse in S3. In that way, you find that the inverse of 3 is 9 as 3*9 = 1 MOD 26. 9 is the inverse of 3 for the same reason. 1 is inverse to itself and we verified that S3 is a subgroup of Z26*. Now it is your turn to show in a similar manner that S5 = {5,25,21,1} forms a subgroup of Z26*. Start right now by completing the multiplication table for S5 and then verify condition 1) and the four group properties in 2). * 5 25 21 1 5 25 25 21 1 5 1 1 1 2.8.2 Finite and Infinite (Sub)Groups There are 2 types of (sub)groups: finite and infinite ones. Example1: the set of all positive and negative integers is an infinite group with respect to addition as there is an infinite amount of such integers. All the even integers form an infinite subgroup of the above group as it contains infinitely many even numbers. Checking that they form a subgroup is quite easy, so let’s do it: 1) All even numbers are clearly in the set of all integers. I) The addition of integers is closed as all possible sums of 2 even integers yields another integer. II) I. e.: 2 + (4 + 8) = (2 + 4) + 8 or generally: a + (b + c) = (a + b) + c for all even integers show their associative property. III) IV) The unit element is 0 as addition by 0 does not change the sum (I.e. 2+0=2 or 0+8=8). The inverse of an even integer c, c-1, is the same integer of opposite sign, -c, so that their sum yields the unit element 0. I. e.: c=6, then c-1=-6, since 6 + (-6) =0 We will, however, deal exclusively with finite groups and subgroups as we are dealing with finite alphabet lengths and therefore with a finite amount of good keys. This requires new vocabulary: 49 Definition: The order of a (sub)group is the number of its members. Example1: The order of Z26= {0,1,2,3,…,25} is 26, the order of Z26* = {1,3,5,..,25} is (26)=12. Example2: The order of ZM= {0,1,2,3,…,M-1} is M, the order of ZM* is (M). Example3: The order of the subgroup S3={3,9,1} is 3, the order of S5={5,25,21,1} is 4. I want to acquaint you with 1 useful subgroup criterion. It can be used to decide in a quick manner whether a subset of a group G forms a subgroup of G or not. It is a very powerful one as it only checks for the finiteness and closeness of a subset and not for the unit or inverse elements. 1. Subgroup Theorem: If the subset S of the group G is finite and closed then S is a subgroup. Example1: The finite subset S3={3,9,1} is closed under multiplication as we checked earlier which shows that it is a subgroup of Z26*. It is a subgroup of S23={23,9,25,3,17,1} which itself is a subgroup of Z26*. Example2 is for you: Is the finite subset S23={23,9,25,3,17,1} closed and thus forms a subgroup? To verify this, fill in the multiplication table below: * 23 9 25 3 17 1 23 9 25 3 3 17 1 1 17 25 17 23 Counter example1: Say we add take out the 9 in S3 to get the subset T={1,3}. Although the products 1*3, 3*1 and 1*1 are all in T, 3*3=9 is not in T. Therefore, the 1. Subgroup theorem can not be applied. Of course, T is not a subgroup since it is not closed which is the 1. condition for groups. Counter example2: Say we add the good key 5 to S3 to get the subset T={3,9,1,5}. The multiplication is not closed as i.e. 3*5=15 is not in T, therefore, the 1. Subgroup theorem can not be applied. In fact, T is not a subgroup since T is not closed, also 5 does not possess an inverse in T. 50 Counter example3: The set of all integers forms a group with respect to addition. The positive integers including 0 form a subset of all integers. The addition is closed and thus the second condition of the criterion is fulfilled, however, the first one is not. The subset is not finite as there is an infinite number of positive integers. In fact, the non-negative integers don’t form a subgroup as no positive integer possesses an inverse. 2.8.3. Cyclic (Sub)Groups It is easy to observe in Table2.8A that all the 12 subgroups of Z26* are cyclic, which loosely stated means, that the numbers start repeating after all members are reached. This can be best seen using the chain display of the powers in the following 3 examples. The order of the good key a then tells us the order of the subgroup generated by a. Observe this in the following three examples: a=3: 3 -> 9 -> 1 The order of a=3 is 3 which equals the order of S3, and a=3 generates S3. 5 -> 25 -> 21 -> 1 a=5: The order of a=5 equals the order of S5, namely 4, and a=5 generates S5. Although the subgroup S7 is not a proper subset of Z26* (since it equals Z26*) it is a subset of Z26*. Thus, S7, has an order of 12 and 7 is a generator of S7 (since it generates Z26*). All 3 examples show that each subgroup is generated when the generator, which we now name the good key g, is raised to the power of 1, then 2, then 3, …until we obtain the unit element 1. In that moment, the entire subgroup is generated by that good key g. I.e. we can write a cyclic group with 12 members as Gg = { g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1} This leads us now to the official Definition of cyclic (sub)groups: Cyclic (sub)groups are (sub)groups that can be generated by at least one member g. Example1: The subgroups S3={3,9,1}, S5={5,25,21,1} and S7 (= Z26*) are cyclic since they can be generated by 3, 5 and 7 (or 11, 15, 19) respectively. Example2: {0,1,2,3,…,M-1} is a finite group with respect to addition and can be generated by 1. Example3: The subgroup of all even integers can be generated by 2 or –2 and is thus an example for an infinite cyclic group. 51 Counter example1: Verify in Table2.8C that the group Z28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27} is not cyclic since none of the good keys generates Z28*. Certainly, subgroups of Z28* are generated by each of the good keys in Z28*, however, none of them generates the entire group Z28*. When is a group ZM* cyclic? With other words: How can we choose our alphabet length M so that ZM* turns out to be a cyclic group? We investigate this by trying many, many different alphabet lengths. Let’s imagine we are one of the greatest Mathematicians trying to find some pattern in our list. My foregoing is the following: I underlined the generators in each group. If none are underlined, then the group is not cyclic and I then colored that group gray. I left some blanks for you as an exercise to fill in. Multiplicative Groups ZM* Z2*={1} Z3*={1,2} Z4*={1,3} Z5*={1,2,3,4} Z6*={1,5} Z7*={1,2,3,4,5,6} Z8*={1,3,5,7} Z9*={1,2,4,5,7,8} Z10*={1,3,7,9} Z11*={1,2,3,4,5,6,7,8,9,10} Z12*={1,5,7,11} Z13*={1,2,3,4,5,6,7,8,9,10,11,12} Z14*={1,3,5,9,11,13} Z15*={1,2,4,7,8,11,13,14} Z16*={1,3,5,7,9,11,13,15} Z17*={1,2,3,4,5,6,7,8,9,10,11,12,13,14, 15,16} Z18*={1,5,7,11,13,17} Z19*={1,2,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17,18} Z20*={1,3,7,9,11,13,17,19} Z21*={1,2,4,5,8,10,11,13,16,17,19,20} Z22*={_____________________} Z23*={1,2,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17,18,19,20,21,22} Z24*={1,5,7,11,13,17,19,23} Z25*={1,2,3,4,6,7,8,9,11,12,13,14,16,1 7,18,19,21,22,23,24} 52 Factors of M 2 3 4=2*2 5 6=2*3 7 8=2*2*2 9=3*3 10=2*5 11 12=2*2*3 13 14=2*7 15=3*5 16=2*2*2*2 17 18=2*3*3 19 20=2*2*5 21=3*7 22=____ 23 24=______ 25=5*5 Z26*={__________________________ _} Z27*={1,2,4,5,7,8,10,11,13,14,16,17,19 ,20,22,23,25,26} Z28*={1,3,5,9,11,13,15,17,19,23,25,27 } Z29*={1,2,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17,18,19,20,21,22,23,24,25,26,2 7,28} Z30*={____________________} Z31*={1,2,3,4,5,6,7,8,9,10,11,12,13,14, 15,16,17,18,19,20,21,22,23,24,25,26,2 7,28,29,30} Z32*={1,3,5,7,9,11,13,15,17,19,21,23,2 5,27,29,31} Z33*={1,2,4,5,7,8,10,13,14,16,17,19,20 ,23,25,26,28,29,31,32} 26=2*13 27=______ 28=2*2*7 29 30=2*3*5 31 32=______ 33=3*11 Question for you: Which ZM* are not cyclic? Well, that was the easy part: all the gray M ones have no generator and are therefore not cyclic. What don’t these M have that the other M’s have? It must have something to do with the factors of M which is the reason why I created the 2nd column. But what exactly? Before you continue reading try to come up with a good guess. What do you observe? I observed, that all multiples of 4 except for 4 itself yield non-cyclic group. Thus, all the M that contain an factor 2*2 yield non-cyclic groups. Also, M=21=3*7 and M=3*11 suggest that products of two primes yield non-cyclic groups. Attention: 2*7, 2*11, 2*13 are also products of 2 primes, so I better say that the product of two odd primes yields a noncyclic group. What about the non-cyclic 30=2*3*5? It also contains a product of two odd primes. So, I better say that If M contains a product of two odd primes or is a multiple of 4 then ZM* is non-cyclic. And vice versa, which M yield cyclic groups ZM*? How can we express them? Even though expressing the non-cyclic ZM* is easy we still want to express the cyclic ones. So, let’s do it: If M is prime ZM* is cyclic. Also, all the products of the same prime yield a cyclic ZM* such as M=5*5 or M=3*3 and even for M=3*3*3. They are called prime powers. Also, multiplying the prime powers by 2 is allowed such as M=2*3*3. Remember that products of two different odd primes such as M=3*5 or M=3*7 is not allowed. Let’s not forget that M=2 and M=4 yield cyclic groups. That is it, no other products are allowed. It is time to formulate our conjecture: If M equals 2 or 4 or pn or 2*pn for some odd prime, then ZM* is cyclic. In fact, that is it. Surely, to be on the safe side we should continue our list and check for further non-cyclic groups. It wrote a little C++ program that simply checks if ZM* contains a generator 53 or not. I will show it to you now. Remember that this theorem can not just be based on checking and guessing. What if we oversaw a certain case that did not show up in our examples (i.e. If M is a multiple of 1347, ZM* is non-cyclic)? Time for a few words on mathematical proofs: In Mathematics, we are aiming for guaranteed true results that can never be disproved. Thus, theorems have to be air tight. And we make them air tight by proving them i.e. the way we proved Euler’s Theorem for any alphabet length M. Self-created proofs may make sense to us, but they are only accepted if nobody in the whole Mathematics society can find a mistake or a counterexample. For example, the 300-page-proof of Fermat’s Last Theorem by Andrew Wiles was inspected by about 10 Mathematicians that spent more than half a year to understand Wiles’ reasoning. At the end, nobody could prove him wrong, thus, the proof was accepted or true. This conclusion I leave up to you. Here is the C++ program that checks if ZM* possesses a generator and is therefore cyclic: #include <iostream.h> #include <conio.h> #include <math.h> int gcd(int A, int B) { int R; do { R=A%B; A=B; B=R; } while(R!=0); return A; } void main() { int M,i,p1,p2,counter,phi=1; long int K; clrscr(); cout << "Enter number M = "; cin >> M; cout << "Relative prime are: 1 "; for(i=2;i<M;i++) { if (gcd(i,M)==1) { cout << i << " "; phi++; } else if (M%i==0) { p1=i; if (M%(p1*p1)!=0) p2=M/i; } } cout << endl; 54 cout << "phi(" << M << ")=" << phi << endl; if (phi==M-1) cout << M << " is prime"<< endl; if (phi==(p1-1)*(p2-1)) cout << M << " = "<< p1 << " * " << p2 << endl; cout << endl; for (i=2;i<M;i++) { if (gcd(i,M)==1) { K=(i*i)%M; counter=2; while (K!=1) { K=(K*i)%M; counter++; } } if (counter==phi) cout << i << " is a generator" << endl; counter=1; } getch(); } Programmer’s Remarks: How can we find generators? Recall that good key whose order equals the group means, in particular, that the powers of 1 for the exponent (M) and not 1 for any a generator is a order (M). That the good key yield smaller exponent. Let me now explain to you how I find the generators. The above program is identical to the program used earlier to find the good keys and their number, I just added the bottom part starting at the second for-loop. I first check if the key i is a good keys in if (gcd(i,M)==1). If so, I start raising i to the second power MOD M and set the counter equal to the current exponent 2 in K=(i*i)%M; counter=2; If the power equals already 1 we fail the while-loop check in while (K!=1) and i can not be a generator if (M)> 2. i is, however, a generator if (M)=2. Since i=1 can never be a generator (except in the subgroup S={1}), I started the for-loop at i=2 in for (i=2;i<M;i++). If, however, the power is different from 1, I just keep raising to higher powers MOD M in while (K!=1) { K=(K*i)%M; counter++; } 55 until reaching the first 1. The counter that was increased by 1 each time I entered the loop then tells me the correct exponent of that power. Finally, I just need to check if that exponent equals (M) in if (counter==phi). If so, I found a generator of ZM*, I output it and check the next key. I stop checking when i=M-1. Three easy yet important facts of cyclic groups: 1)The order of a generator g equals the order of the subgroup that is generated by g. As you can observe in our examples: a generator g generates all the members in a subgroup. The order of a generator is that exponent, s, which makes the power of g equal to 1 for the first time. These generated s elements now form a subgroup whose order therefore is s. 2) Each subgroup S of a cyclic group G must itself be cyclic. To see this consider all the elements of S. They can all be expressed as powers of g. Let k be the least positive power of g that is in S. If not every element is a power of gk then there is some element gm where m is positive and not a multiple of k. Let p be the greatest multiple of k that is less than m. Then m - p is less than k. But this means that gm • g-p = gm-p is in S. This contradicts the choice of k as the smallest positive power of g in the subgroup. Thus all elements of S are generated by gk and S is cyclic. Example1: Z26*={1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} has i.e. the cyclic subgroups S3={3,9,1}, S5={5,25,21,1}. 3) A group G of prime order must be cyclic. This is a result of Lagrange’s Theorem: If G is a group of prime order p then take any nonidentity element g and look at the subgroup generated by it. The order of the subgroup must be a divisor of the order of G (Lagrange's Theorem) but since G is of prime p order the only divisors of p are 1 and p itself. Since g isn't the identity the subgroup it generates must have more than one element. Therefore, its order must be p and it must be G itself, thus, G is cyclic. Furthermore since the choice of g was only limited by not being the identity it follows that G can be generated by any of its elements other than the identity element. Examples for multiplicative groups ZM* of prime order are very limited since Euler’s –function teaches us that the orders of ZM* are all even integers except when M=2. 2 is the only even prime number so that only Z4* = {1,3} and Z6* = {1,5} turn out to be the only examples to consider. 3 and 5 are generators in their respective groups which suffices to show that they both are cyclic. We find, however, plenty of examples among the additive groups ZM. If only M is prime p, Zp consists of the p members 0,1,2,…p-1 and is therefore of prime order. Let’s take a look at Z7. Example1: Z7 has the 7 members 0,1,2,3,4,5 and 6. You can observe the cyclic nature of Z7 as each previous row or column is cycled one shift to the right or down. + 0 1 2 3 4 5 56 6 0 1 2 3 4 5 6 0 1 2 3 4 5 6 1 2 3 4 5 6 0 2 3 4 5 6 0 1 3 4 5 6 0 1 2 4 5 6 0 1 2 3 5 6 0 1 2 3 4 6 0 1 2 3 4 5 Although Z7* ={1,2,3,4,5,6} is not of prime order. You are right, it is therefore not an example for the third fact of cyclic groups. However, even though the prime condition is not fulfilled it is yet cyclic which you can not see right away in the following multiplication table: * 1 2 3 4 5 6 1 1 2 3 4 5 6 2 2 4 6 1 3 5 3 3 6 2 5 1 4 4 4 1 5 2 6 3 5 5 3 1 6 4 2 6 6 5 4 3 2 1 The trick is here that we can make the cyclic nature of Z7* visible by rearranging the table as follows: * 1 5 4 6 2 3 1 1 5 4 6 2 3 5 5 4 6 2 3 1 4 4 6 2 3 1 5 6 6 2 3 1 5 4 2 2 3 1 5 4 6 3 3 5 5 4 6 2 Now we can see: neighboring rows and columns are again cycled forward one space. 2.8.4 How to determine the Order of Cyclic Subgroups Per definition, cyclic groups and their subgroups can be generated by at least one of their members. Vice versa, every group member generates some subgroup. Its order is a divisor of the group order. I want to show you a very easy way to compute the order of a subgroup that was generated by one of its generators g. Let’s consider the familiar multiplicative group Z26*={1,3,5,7,9,11,15,17,19,21,23,25}. Since it is cyclic it can be generated by at least one member. We learned already that 7, 11, 15 and 19 are generators of Z26*. So let’s pick g=7 to generate S7=Z26*: 7 -> 23 -> 5 -> 9 ->11 -> 25 -> 19 ->3 -> 21 -> 17 -> 15 -> 1 We can rewrite this as: S7 = {7, 23, 5, 9, 11, 25, 19, 3, 21, 17, 15, 1} = {7, 72, 73, 74, 75, 76, 77, 78, 79, 710, 711, 712=1} 57 = {g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1} I.e. 23 equals 72, 5 equals 73 MOD 26. Therefore, we may write 23=g2 and 5=g3 when using the generator g=7. The purpose of writing each good key as a power of the generator g=7 is to determine the order of the subgroup generated by that good key. I.e.: Since 23=g2, the order of 23 and therefore the order of the subgroup generated by 23 must be 6 as 236 = (g2)6 = g12 = 1. And the 6 subgroup members as powers of 23=g2 are S23 = {g2, g4, g6, g8, g10, g12=1} = {23, 9, 25, 3, 17, 1}. Notice that the exponent of the generator 23=g2, namely 2, gives the jump length and the number of jumps that guides us to the desired exponent 12 equals the order of the subgroup S23, namely 6. The order of the subgroup generated by 5=g3 is 4 since 54 = (g3)4 = g12 = 1. The 4 subgroup members are S5 = {g3, g6, g9, g12=1} = {5, 25, 21, 1} – obtained by 4 jumps each of length 3. It is your turn now, fill in the blanks: The order of the subgroup generated by 9 is __ since (g4)_ = g12 = 1. The __ subgroup members are: S9 = {g4, , g12=1} = {9, ,1} – obtained by __ jumps each of length __. The order of the subgroup generated by 25=g6 is 2 since 252 = (g6)2 = g12 = 1. We learned this already: Since 25 = -1 MOD 26 we have 25 = (-1)2 = 1 MOD 26. The members of the subgroup generated by 25 are: S25 = {g6, g12=1} = {25,1} – obtained by 2 jumps each of length 6. Notice that S25 is itself a subgroup of the subgroup S5 = {5, 25, 21, 1}as 25 and 1 are in S5 and themselves fulfill the four group properties. Subgroup of subgroup of groups, does that ever end? Is there a smallest subgroup of the group Z26*? Of course, S1 ={1} is the smallest subgroup of Z26* since each subgroup must contain the unit element 1. Now, the inverse of 1 is 1 itself since 1*1=1 MOD 26. Furthermore, 1 generates the subgroup S1 ={1} of order 1. Our above method to determine the order of any subgroup must also work here: Since 1=g12 the order of 1 must be 1 since (g12)1 = g12 = 1. Finally, there is nothing special about M=26. S1 = {1} is the smallest subgroup for any alphabet length M. Our above method to determine the order of a good key in Z26* worked well because the exponents of the powers of the generator g that I chose i.e. 1,2,3,4,6 and 12 are divisors of 12. It was easy to find their multiples in order to arrive at exponent 12. How do we find the orders of those exponents that are not divisors of 12 such as 5, 7, 8, 9, 10 and 11? With other words: What are the orders of the subgroups generated by g5, g7, g8, g9, g10 and g11? Let’s find the order of 11=g5 first? Recall that the definition of the order of a group member is that exponent which yields 1 for the first time. If we now add more columns to the tableX we will find 1’s in columns 12, 24, 36, 48, 60, 72, 84, … since g12 = 1, g24 = (g12)2 = 12 = 1 MOD 26 and similarly g36 = g48 = g60 = g72 = g84 = … = 1. Starting off in column 5 with jumps of length 5, we hit the first 1 in column 60 since no other column is a multiple of 5 and 12 at the same time. Therefore, 11=g5 is of order 12 and a generator of S11 = Z26*: 58 S11 = {11, 112, 113,114,115,116,117,118,119,1110,1111,1112=1} = {g5, (g5)2, (g5)3, (g5)4, (g5)5, (g5)6, (g5)7, (g5)8, (g5)9, (g5)10, (g5)11, (g5)12=1} = {g5, g10, g15, g20, g25, g30, g35, g40, g45, g50, g55, g60=1} = {11, 17 , 5 , 3 , 7 , 25, 15, 9 , 21 , 23, 19 , 1} – obtained by 12 jumps each of length 5. The order of the subgroup generated by 19=g7 is 12 since 7 and 12 are relative prime and therefore: (g7)12 = g84 = 1 MOD 26. Again, that does not surprise us since we learned already that 19 = g7 is a generator of Z26*: S19 = {19, 192, 193,194,195,196,197,198,199,1910,1911,1912=1} = {g7, (g7)2, (g7)3, (g7)4, (g7)5, (g7)6, (g7)7, (g7)8, (g7)9, (g7)10, (g7)11, (g7)12=1} = {g7, g14, g21, g28, g35, g42, g49, g56, g63, g70, g77, g84=1} = {19, 23, 21 , 9 , 15 , 25, 7, 3 , 5 , 17, 11 , 1} – obtained by 12 jumps each of length 7. Now it is your turn again. The order of the subgroup generated by 15=g __ is __ and 15 thus generates Z26*. Explain why only the powers with exponents 1,5,7,11 turn out to have an order of 12 and are therefore the only generators of Z26*. Answer: Because 12 is relative prime to 1,5,7,11 and therefore jumps of length 1,5,7 or 11 will yield the first 1 for an exponent that is the least common multiple. Complete the following: S15 = {15, 152, 153,154,155,156,157,158,159,1510,1511,1512=1} = {g11 ……………………………………………., (g11) __ =1} = {g11,………………………………………………., g132=1} = {15, ……………………………………………………….} The crux is now that the order 12 for g1, g5, g7, g11 is not only true when choosing the generator g=7. It is true for any chosen generator of Z26* such as g=7,11,15 or 19. It is thus independent of the choice of the generator g. I.e. g=11 generates Z26* in just the same way: S11 = {g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1} = {11, 112, 113,114,115,116,117,118,119,1110,1111,1112=1} = {11, 17, 5, 3, 7, 25, 15, 9, 21, 23, 19, 1} 59 Notice here that the members of order 12 are again those whose powers have exponents that are relative prime to 12: g1=11, g5=7, g7=15 and g11=19. It is your turn again: generate all members of Z26* by raising the generator g=15 to the powers of 1, 2, …, 12 and verify that those with an exponent 1,5,7 and 11 are the ones that have an order 12. S15 = { g, g2, g3, g4, g5, g6, g7, g8, g9, g10, g11, g12=1} = {15, 152, 153,154,155,156,157,158,159,1510,1511,1512=1} = {15, 17,… , 1} Notice, for any of the four generators we obtain the following good keys as powers of g: g2 and g10 always yield 23 and 17 which are of order 6, g3 and g9 always yield 5 and 12 which are of order 4, g4 and g8 always yield 9 and 3 which are of order 3, g6 = 25 which is of order 2, and of course g12 = 1 which is of order 1. We are left now with the easy task to determine the orders of the subgroups generated by 3= g8, 21= g9 and 17= g10 using the same generator g=7. For 3= g8: The subgroup generated by 3=g8 is S3 = {3,9,1}= {g8, g16, g24=1} (obtained by 3 jumps each of length 8) and thus has an order of 3. For 21= g9: The subgroup generated by 21=g9 is S21 = {21,25,5,1}= {g9, g18, g27, g36=1} (obtained by 4 jumps each of length 9) and has thus an order of 4. For 17= g10: The subgroup generated by 17=g10 is S17 = {17, 3, 25, 9, 23, 1} = {g10, g20, g30, g40, g50, g60=1} (obtained by 6 jumps each of length 10) and has thus an order of 6. Let’s summarize our discoveries in Z26*: Powers of generators g of Z26* yield the good keys in Z26* of order s g1 , g5 , g7 , g11 g2 , g10 g3 , g9 g4, g8 g6 g12 7, 11, 15, 19 17, 23 5,21 3,9 25 1 12 6 4 3 2 1 60 This table is very important since it contains and displays many significant facts: 1. Fact: This table shows that the orders s are all divisors of the cyclic group of order (26)=12. 2. Fact: This table contains the fact that the choice of the actual generator g of Z26* is irrelevant for the order of a good key (expressed as a power of g) in Z26. After finding a generator g we can tell the order of each good key expressed as a power of g, gk, simply by looking at the exponent k. 3. Fact: The table gives pairs of encoding and decoding keys: Recall that an encoding key is inverse to its decoding keys which simply means that their product equals 1. If the members in Z26* are now listed as powers of the generator, then 2 members are inverse and thus form a pair of encoding and decoding keys if their exponents add up to 12. I.e.: using g=7 as generator of Z26* yields g3 = 5 and g9 = 21 as a pair since g3 * g9 = g12 = 1 MOD 26. Also, g4 = 9 and g8 = 3 forms a pair since g4 * g8 = g12 = 1 MOD 26. The only keys that are inverse to themselves are g12=1 and g6 = 25. 4. Fact: The table shows that pairs of encoding and decoding keys have the same order. I.e.: Using g=11 as a generator of Z26* tells us that g4 = 3 and g8=9 are both of order 3 which we learned already since both generate the same subgroup S = {3,9,1}. Also, g2 = 17 and g10 = 23 are both of order 6 as they both generate the subgroup S = {17, 3, 25, 9, 23, 1}. Notice that all the observations are only valid for cyclic groups, those who can be generated by one member. That particular member g is needed to list such groups as G = {g, g2, g3, … , gn=1}. I want to end this section with an highlight for cyclic groups that I find shows a lot of the elegance of Mathematics. Let’s find a formula to determine the order of a good key in Z26* expressed again as a power of a generator g of Z26* - solely by inspecting its exponent? I.e. How can writing 23 as g10 for some generator g help us to find its order 6? Here is how. We observed that those powers with exponents that are relative prime to 12 such as 1,5,7 and 11 yield order 12. This tells us that the order depends somehow on the greatest common divisor of the exponents and 12. Therefore, let’s find all 12 greatest common divisors by firstly writing out the 12 exponents, by secondly dividing 12 by each possible exponent (that are those between 1 and 12) and by thirdly simplifying the fractions to find their greatest common divisors: Exponents: 12 12 12 12 12 12 12 12 12 12 12/1 12/2 12/3 12/4 12/5 12/6 12/7 12/8 12/9 12/10 12/11 12/12 12/1 6/1 4/1 3/1 12/5 2/1 12/7 3/2 4/3 6/5 61 12 12 12/11 1/1 The third row is instrumental to us: The four underlined fractions with exponents that are relative prime to 12, i.e. 1,5,7,11, can not be simplified further and the numerator 12 gives their orders. Simplifying the red fractions for the exponents 2 and 10 yield a numerator of 6 which tells us their order. What is the order of the exponents 4 and 8? What does the third row tell you? Reading the table reveals 3 in green. Isn’t that an elegant way of determining the order of a subgroup? With ease we can now come up with a formula for the order of a subgroup generated by gk solely based on the exponent k: 1. Formula to compute the order of each good key gk in Z26*: s = order of the good key gk = 12 / gcd(k,12) Example1: the order of g8 equals 12 / gcd(8,12) = 12/4 = 3. Example2: the order of g7 equals 12 / gcd(7,12) = 12/1 = 12. Verify this formula for all the other exponents and then continue reading. Again there is nothing special about M=26. More general, for a given alphabet length M we have (M) many good keys in ZM*. In case they form a cyclic group and thus at least one good key is a generator of ZM* so that each good key can be expressed as a power of g, gk, the order of each good key a= gk can be computed as follows: 2. Formula to compute the order of each good key gk in the cyclic group ZM* s = order of the good key gk = (M) / gcd(k, (M)) Counter example1: For M=28 we have the good keys 1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27. Since Z 28* does not possess a generator g we can not express any good key as g k. Therefore, we can not apply the formula. 2.8.5 How to determine the Number of Good Keys of given Order in a Cyclic Group Believe it or not, this is not the climax yet. From our simplified fractions in the third row, we can even tell how many good keys in Z26* possess an order of 12, 6, 4, 3, 2 or 1. I.e. we have 4 good keys that have an order of 12 since there are 4 fractions that have a non-simplified numerator 12. That means that there are four integers less than 12 that are relative prime 62 to 12, namely the four underlined denominators 1,5,7 and 11. Thus, Euler’s -function with (12)= ((26))=4 gives the number of good keys with order 12 and we can set up the… Formula to determine the number of good keys in a cyclic group that are of order s: (s) = the number of integers relative prime to the divisor s of n=(M), gives the number of good keys a that are of order s. More examples for Z26*: There are two fractions with a simplified numerator 6, 6/1 and 6/5, telling us that there are 2 integers less than 6 that are relative prime to 6, namely the two denominators 1 and 5. Moreover, (6)=2 tells us that there are two good keys of order 6. Similarly, we find that there are (4)=2 of order 4, (3)=2 of order 3, (2)=1 of order 2, and (1)=1 of order 1. Altogether, we have = = (1) + (2) + (3) + (4) + (6) + (12) 1 + 1 + 2 + 2 + 2 + 4 12. And we have just discovered Euler’s identity which holds true for cyclic groups of order n: ∑(s) = n denoting the sum of (s) for all divisors s of n. (s) tells us the correct number of good keys of order s, however, it does not tell us which good keys those are. However, the 2nd row does. I.e. the good keys of order 6 are g2 and g10 again for any generator g which we find by going up from 6/1 and 6/5 to the second row yielding the 2 and the 10 as the denominators of 12/2 and 12/10. This might look interesting and confusing at the same time to you. Nothing helps better than doing it yourself and rediscovering the steps that I just showed you. So, here are your three assignments: 1) Say we choose an alphabet length of M=27 by adding the character “.” to our alphabet length M=26. Recall the good keys MOD 27. Z27*={1,……….,26} 2) Recall the order of each good key a by creating the chain display. Verify the orders in 2) by firstly picking a generator g of Z27*. Secondly list the members in Z27* as powers of that generator g so that Z27*= {g, g2, g3,…., 1}. Thirdly, calculate the orders of the good keys in Z27 expressed as powers of g using the above 2. Formula to compute the order of each good key in ZM*: 3) Finally, for each divisor d of 18=(27) find out how many good keys possess an order that equals the divisor d by using Euler’s -function. By adding them all up, I want you to verify Euler’s Identity. Conclusions: 1. The orders of the good keys occur (s) times for any divisor s of (M), the order of the cyclic group, where M is the used alphabet length. 2. Each divisor s must occur at least once in cyclic groups since (s) is greater or equal to 1. 63 3. We know three particular orders: a) The number of generators (which equals the number of good keys of order 12) in ZM* is ((M)). b) Good keys of order 1 occur exactly once since (1)=1. That is the order of the key a=1 which is a good key in ZM* for any M. c) The order 2 occurs once aswell since (2)=1. That is the order of the key a=M-1 since M - 1 = -1 MOD M and therefore (M-1)2 = (-1) 2 =1 MOD M.. The orders of 1 and 2 are the only one occurring only once since (d) is greater than 1 for divisors d that are greater than 2. (I.e. (3)=2, (4)=2, (5)=4, (6)=2, (7)=6,…) . In fact, (d) is always an even number, the only exceptions are s=1 and s=2. Therefore, all other orders must occur as even numbers. The ultimate question still remains: why did we only have jump lengths that are divisors of the order of G. I want to show you why i.e. only jump length that are divisors of 12 occur in Z26*. Therefore, we have to understand Lagrange’s Theorem. Its conversion will then finally show us that there must be at least one jump length for any divisor of the order of the cyclic group G. 2.8.6 Lagrange’s Theorem and its Converse We are now in a position to state and prove the famous Theorem of Lagrange in its general form: If G is a finite group and S a subgroup of G, then the order of S is a divisor of the order of G. Example1: Recall: Z26* is of order 12=(26) and the subgroups S1, S3, S5, S7, S9, S11, S15, S17, S19, S21, S23, S25 are of order 1, 3, 4, 12, 3, 12, 12, 6, 12, 4, 6, 2 which are all divisors of 12. Example2: Z27* is of order 18=(27) and the subgroups have order 1, 2, 3, 6, 9 and 12 which are all divisors of 18. Example3: Z28* is of order 12=(28) and the subgroups have order 1, 2, 3, 6 which are again all divisors of 12. I want to show you now why Lagrange’s Theorem must hold true for finite, cyclic groups (as in Z26* and Z27*). Although it holds also true for non-cyclic finite groups (i.e. for Z28*), proving this requires a deeper understanding of group theory which is beyond the scope of our course. Therefore, I will show you the easier proof for finite and cyclic groups. Proof of Lagrange’s Theorem: Let G be a cyclic group of order n. Because G is cyclic the elements in G can be generated by the generator g and listed as: G = {g, g, g, g, …, gn =1}. In our example we used 7 as a generator to generate G = Z26* = {7, 72=23, 73=5, 74=9, …, 712=1}. However, we could have also used 11, 15 or 19 as possible generators. As you can see, a generator is not necessarily unique, but we are guaranteed at least one in a cyclic group which is sufficient for the proof. 64 Since each subgroup of G must also be cyclic, each possesses a generator. Say it is the kth element in G. We, therefore, define h = gk, with 1 < k < n, to be the generator for any proper subgroup S of G. (A non-proper subgroup is one that equals G and g would serve as such generator.) Then h generates S such that: S = {h , h2, h3, …., hs = 1} = {gk, (gk)2, (gk)3, ….,(gk)s = 1} = {gk, g2k, g3k, …., gsk = 1}. In example, S5 can be generated by h = 5 = 73 so that S5 = {73, (73)2, (73)3, (73)4 = 712 = 1} = {73, 76, 79, 712 = 1} = {5, 25, 21, 1} The generator h generates all the elements in the subgroup S and terminates generating when it reaches the unit element 1. This happens after computing s elements, so that there are s elements in the subgroup S. Or simply: the order of S is s. Because gn = 1 and gsk = 1, it follows that gn = gsk for some integer k. Therefore, n=sk which shows that s is a divisor of n for any subgroup order s and the proof is complete. Moreover, the aswell: Converse of Lagrange’s Theorem holds true for cyclic groups For any s that divides the order of a cyclic group we can find a cyclic subgroup S that has the order s. Proof: Let G = {g, g, g, g, …, gn =1} and s be a divisor of the group order n such that n=k*s. Then G = {g, g, g, g, …, gks =1} and I choose the generator h=gk to generate the subgroup S = {gk , (gk)2, (gk)3, …., (gk)s = 1} which is of order s and the proof is complete. Example1: Z26* is of order 12=(26) and 12 has the divisors 1, 2, 3, 4, 6 and 12. For each of these divisors we can now find a subgroups of such order. I.e. S1 is of order 1, S25 is of order 2, S3 is of order 3, S5 is of order 4, S17 is of order 6 and S7 is of order 12. The Converse Theorem does not tell us how many subgroups there are for each divisor s. We will learn this in the next Theorem. Example2: Z27* is of order 18=(27) and 18 has the divisors 1, 2, 3, 6, 9 and 12. For each of these divisors we can now find a subgroups of such order. I.e. S1 is of order 1, S26 is of order 2, S10 is of order 3, S8 is of order 6, S7 is of order 9 and S2 is of order 18. Counter example1: Z28* is not cyclic and the Converse Theorem can not be applied. In fact, there are no subgroups of order 4 and 12 as divisors of the group order 12=(28). I want to conclude this chapter with a pleasing fact: Say our cyclic group ZM* consists of (M) members. Hence, the number of members in each subgroup must be a proper divisor of (M) (Grace a Monsieur Lagrange). Now, if we want to find two or more subgroups of the same order, we will never succeed. There are none! At least not for cyclic groups ZM*, others may. 65 Theorem: If n is the order of a cyclic group, then there exists exactly one subgroup of order s for each distinct divisor s of n. Proof: While proving the theorem in the left column, I will simultaneously show you a concrete example (for the cyclic group Z26*) in the right column since the abstract proof might confuse you a bit. Let G be a cyclic group of order n and g be a generator of G. Let S be a subgroup of S of order s. We know from Lagrange’s Theorem that s must a divisor of n, say s*f=n. S can be generated by one of the members in G, say gk, which is of order s. In turn this means that s*k equals some multiple of n: s*k=t*n Since s*f=n, we have s*k = t*n = t*(s*F). Dividing both ends by s yields: k = t*F showing us that t is a divisor of k. Z26* is a cyclic group of order 12 and g=7 is a generator of Z26*. S ={1,3,9,17,23,25} is a subgroup of Z26* of order 6 with 6*2 = 12 = order of Z26* ( so that s=6, f=2 and n=12). S can be generated by one of its members, 17=710, which is of order 6 (so that k=10) In turn this means that 6*10 equals some multiple of 12: 6*10=5*12 (so that t=5). Since 6*2=12, we have 6*10 = 5*12 = 5*(6*2). Dividing both ends by 6 yields: 10=5*2 showing us that 5 is a divisor of 10. k Therefore, g is in the subgroup generated Therefore, 710(=17) is in the subgroup by gF which is of order s (since s*f=n). generated by 72(=23) which is of order 6 (since 6*2=12). However, gk generates the subgroup S of However, 710 generates the subgroup S of order s with which we started off. order 6 with which we started off. Thus, s elements of the subgroup generated Thus, 6 elements of the subgroup generated by gk are in the subgroup generated by gF by 710 are in the subgroup generated by 72 which has also s elements. which has also 6 elements. Therefore, both subgroups must be Therefore, both subgroups must be identical. identical. The crux of the proof is that for any subgroup S of order s we can find another subgroup of the same order (since the Euler function solely yields even integers except for the divisors 1 and 2 whose subgroup orders occur only once) and then show that they are identical. Notice that it was essential in the proof that the group G had to be cyclic (i.e. it has to possess a generator). Example1: Z26* is of order 12 which has the divisors 1,2,3,4,6 and 12. Thus: The subgroup of order 1 is S1 = {1}. The subgroup of order 2 is S25 = {1,25}. The subgroup of order 3 is S3 = S9 = {1,3,9}. The subgroup of order 4 is S5 = S21 = {1,5,21,25}. The subgroup of order 6 is S17 = S23 = {1,3,9,17,23,25}. The subgroup of order 12 is S7 = S11 = S15 = S19 = {1,3,5,7,9,11,15,17,19,21,23,25}. 66 Example2: Z27* is of order 18 which has the divisors 1,2,3,6,9 and 18. Thus: The subgroup of order 1 is S1 = {1}. The subgroup of order 2 is S26 = {1,26}. The subgroup of order 3 is S10 = S19 = {1,10,19}. The subgroup of order 6 is S8 = S17 = {1,8,10,17,19,26}. The subgroup of order 9 is S4 = S7 = S13 = S16 = S22 = S25 = {1,4,7,10,13,16,19,22,25}. The subgroup of order 18 is S2 = S5 = S11 = S15 = S20 = S23 = {1,2,4,5,7,8,10,11,13,14,16,17,19,20,22,23,25,26}. Counter example1: The non-cyclic group Z28* is of order 12 which has the divisors 1,2,3,4,6 and 12. There is 1 subgroup of order 1: S1 = {1}. There are 3 subgroups of order 2: S13 = {1,13}, S15 = {1,15} and S27 = {1,27}. There are 3 subgroups of order 2: S13 = {1,13}, S15 = {1,15} and S27 = {1,27}. There are 2 subgroups of order 3: S9 = S25 = {1,9,25}. There are 6 subgroups of order 6: S3 = S19 ={1,3,9,19,25,27}, S5 = S17 = {1,5,13,17,25,27}, S11 = S23 = {1,9,11,15,23,25}. Since Z28* is not cyclic the Theorem can not be applied. In fact, Z28* has no subgroups of order 4 or 12. Recall from 2.8.5. that (s) - for any divisor s of the order of a cyclic group G - tells us the number of good keys that are of order s. Now we learn that subgroups generated by keys of the same order must be identical. 67