m,
=
r
n = II pf'
i= l
then
r
i= l
Example 7.23 Let 17 41764024 = 23 · 32 7 · 112 134. Then •
•
rER
rER
rER
Since n ..l Tir E R r, we can cancel on both sides to get the desired congruence I a'P(n) = 1 (mod n) . Example 7.25 We will show directly that 5 ( 2 1 ) = 1 (mod 21 ) . We have
=
·
·
·
=
·
·
·
·
·
·
·
·
·
·
·
�f.6;
EULER 'S THEOREM
175
�Problems 7.6 · 1. Compute
:::;
a :::; 24 such
2. Compute
=
1.
6. Prove Theorem 7. 19. 7. Start with a complete residue system R modulo 10. Note that 7 .l 10 and show directly that {7r + 4 1 r E R} is also a complete residue system modulo 10. 8. Start with a reduced residue system R modulo 15. Note that 7 .l 15 and multiply each element of R by 7 to form a new reduced residue system {7r I r E R}. Show directly that each element of {7r I r E R} is congruent modulo 15 to exactly one element of R. 9. Show that if n is a product of distinct primes any a. 10. Verify the formula in problem 9 for n
=
30.
acp(n)+ l
=
a (mod n ) for
.Chapter 8
Public Key Ciphers The ciphers we have discussed so far require a key for each pair of users. A secure methodsuch as the use of couriers with locked briefcasesis required for the exchange of these keys. Such methods of key exchange can be expensive, unreliable, and time consuming. If there are many pairs of users in a system, each using a different key, the cost becomes prohibitive. In this chapter we describe cryptosystems that allow keys to be exchanged securely in the open.
8.1
The RivestShamirAdleman Cipher System
In the mid to late 1970s, several schemes were proposed that allowed keys to be safely exchanged over public channels such as telephone lines and satellite links. Since any potential adversary can listen in on these channels, such schemes are called public key ciphers. The most widely known public key cipher is the RSA cipher proposed by Ron Rivest, Adi Shamir, and Leonard Adleman. The algorithm is well known, and now it is legal to develop your own version. . BEDFORD, Mass., September 6, 2000RSA ® Secunty Inc. (NASDA Q : RSAS) today announced it has released the RSA public key en cryption algorithm into the public domain, allowing anyone to create products that incorporate their own implementation of the algorithm. This means that RSA Security has waived its rights to enforce the patent for any development activities that include the RSA algorithm occurring after September 6, 2000. RSA Security press release
In a public key system, each participant has a public key which anyone can look up. If you want to send a message to Bob, you use his public key. To decipher a message enciphered with Bob ' s public key, you have to use a private 177
key that is known only to Bob. The trick is to make it very difficult to compute the private key from the public key. In the RSA scheme, the public key is a pair ( e, m) of positive integers. To decipher a message enciphered with the key ( e, m) , you need to know the private key ( d, m ) . Although theoretically possible, it is very difficult to compute d from ( e, m ) . The integer m is constructed by finding two large primes p and q and setting m = pq. Here large might mean 50 digits, for low risk applications, to hundreds of digits for national security applications. This is a good example of how probabilistic primes are used. It is still hard to prove that a given 200digit integer is prime, but it is very easy to generate a 200digit probabilistic prime. The integer, e is chosen relatively prime to
=
xe mod m
Deciphering uses the private key ( d, m ) , where d is the inverse of e modulo
( ) k mod m
= x 1 x
= x (1) k mod m =X
If, miraculously, p divides x, then
and
x = 0 ( modp) = xed (modp)
THE RIVESTSHAMIRADLEMAN CIPHER SYSTEM
179
the Chinese remainder theorem it follows that Xed mod m = X The case when q divides x is the same, with the roles of p and q interchanged. (Thus for every x in the range 1 :s; x < m we have We state this result as a theorem. Theorem 8.1 Let p and q be distinct primes and m = pq. Let e be an integer ··
that is relatively prime to cp (m) and let d be its inverse modulo cp ( m) . If x is any integer such that 1 :s; x < m, then
Theorem 8.1 is the basis for a scheme, which allows anyone to send encrypted messages to Sarah. The first step is to construct keys. Step 1: Construct keys Public key (Published in a directory)
Integers m and e
Private key (Known only to Sarah)
Primes p and q with m = pq cp (m) (p  1 ) ( q  1 ) d = e 1 mod cp (m) =
Step 2: Agree on a Protocol Sarah and Kyle, or anyone else who wishes to send messages to Sarah, must agree on a method for converting text into a sequence of positive integers that are less than m. Step 3: Kyle Sends a Message to Sarah
1 . Kyle converts a message into a sequence of positive integers that are each less than m. 2. For each integer x , Kyle calculates y
=
xe
mod m and sends y to Sarah.
Step 4: Sarah Decrypts the Message
1 . For each y, Sarah calculates x
=
yd mod m.
2. Sarah converts each x to text, using the same method as Kyle.
A method for converting text into integers will be described in a later section. The following example assumes that the plaintext has already been converted into a positive integer.
CHAPTER 8. PUBLIC KEY CIPHERS
180
. Example 8.2 First, Sarah generates primes p, q, and an exponent e for enci
phering. Then she computes m = pq, the Euler phi function cp (m) , and the exponent d for deciphering. In particular, suppose p = 2847 893 757 848 938 511 q = 92 734 928 626 327 511 m = pq = 264 099 224 369 484 956 639 974 579 586 676 121 e = 1009 cp, = (p  1 ) ( q  1 ) = 264 099 224 369 484 953 699 345 893 111 410 100 d = e  1 mod cp = 5758 357 716 678 561 924 068 988 749 703 689
are the numbers generated by Sarah. Suppose that Kyle decides to send the plaintext message X
= 33 333 333 333 333 333 333 333 333 333 333 333
to Sarah. In order to do this, Kyle looks up Sarah's numbers e and m and computes the ciphertext y
= x e mod m = 54 423 731 721 403 481 610 392 517 373 097 210
and sends it to Sarah, who calculates x = yd mod m = 33 333 333 333 333 333 333 333 333 333 333 333 and wonders why Kyle would bother sending such a dull message. What makes the RSA cipher secure? Can't you construct d from m and e, in which case anyone could decipher an RSA cipher? Yes, it is possible to deduce d from m and e; but it is not easy to do. To calculate cp (m) is just as hard as factoring m. On the one hand, if m = pq, where p and q are known, then we can calculate cp ( m) by cp (m) = cp(p)cp(q) = (p  1 ) (q  1 )
On the other hand, if m and cp (m) are known, but not the factorization m = pq with q < p, then cp(m) = (p  1 ) (q  1 ) = pq  (p + q) + 1 = m  (p + q) + 1
r:8fft; �::.
THE RIVESTSHAMIRADLEMAN CIPHER SYSTEM
f(
tifuplies that
181
p + q = m 
and
(p + q) 2 = p2 + 2pq + q2 = p2  2pq + q2 + 4pq = (p  q) 2 + 4m
implies that
p  q = J(p + q) 2  4m
Thus p + q and p  q are both easily computable. The primes p and q can then be computed by
+ + p = (p q) 2 (p  q)
and
+ q = (p q) 2 (p  q)
Factoring is much harder than testing for primality. The security of the RSA cipher is based on the premise that deciphering can only be accomplished by factoring m. Changing a single bit in x can completely change the value of y = x e mod m. For example,
5555555555555555 1 234 mod 2784892789 = 1172 041 861
whereas
5555555555455555 1 234 mod 2784892789 = 356 849 431
Public channels such as phone lines are noisy and the likelihood of at least one error is significant. By combining RSA with something like the Hamming (8, 4) code, the probability of errors can be greatly reduced. ( More powerful codes will be introduced in the next chapter. ) Text is broken up into blocks and each block is enciphered using RSA; then the ciphertext is converted to hex. Hamming (8, 4) is applied to each nibble (see page 124) At the receiving end, Hamming (8, 4) is used to correct single errors and detect double errors. If double errors are detected, then the corresponding block must be retransmitted. The corrected ciphertext is then deciphered using RSA. .
Problems 8 . 1
p = 5 and q = 7 so that m = 3 5 , and let e = 1 1 . Find d = e 1 mod cp(m). Then let x = 22 and compute y = xe mod 35 and = y d mod m.
1 . Let
z
182
CHAPTER 8. PUBLIC KEY CIPHERS
2. Show that a2 mod 24 = 1 for each a mod 24 for each a ..L 24.
a ..L 24 .
Conclude that
a 1 mod 24 ::::::
3. Let p = 29 and q = 31 so that m = 899, and let e = 101. Find d = e 1 mod cp (m)
Then let x = 555 and compute y = xe mod m and = y d mod m. z
4. Assume
m = 25 972 641 171 898 723 is a product of two primes p and q and that
cp( m ) = 25 972 640 809 676 568 Use these two equations to find the primes p and q. 5. Illustrate the RSA algorithm using m from Problem 4 with
e = 997 X
= 99 999 999 999 999
6. Assume that y = xe mod m from problem 5 is transmitted over a noisy channel and received as w = y + 10 1 2 . How similar are y and w? What message is decrypted? How similar are x and the decrypted message? (This explains why most ciphers are wrapped in some type of error cor rection scheme.)
7. Assume m = 21 936 520 921 056 942 428 185 744 321 881 874 204 790 829 920 570 235 226 904 516 467 385 564 406 736 567 597 367 535 979 699 930 859 170 667 289 061 009 756 151 158 068 196 185 554 149 is a product of two primes p and q and that cp( m ) = 21 936 520 921 056 942 428 185 744 321 881 874 204 790 829 920 570 235 226 904 516 467 385 548 925 092 800 907 044 879 409 345 000 125 494 759 694 716 131 857 830 775 913 843 528 947 136. Use these two equations to find the primes p and q. 8. Illustrate the RSA algorithm using m from problem 7 with
e = 997 X
= 99 999 999 999 999
9. Let m = pq where p and q are distinct primes. Show that if x is chosen at random in the range 1 � x � m, then the probability that gcd (x, m) =f. 1 is equal to 1 /p + 1 / q  1 / m. 10. Verify the formula in problem 9 for m = 6 and m = 15. Show that if x is chosen at random in the range 1 � x < m, then the probability that gcd (x, m ) =f. 1 is less than 1 /p + 1 / q.
.
•22. ELECTRONIC SIGNATURES
ft,w�S.2 fife<
183
Electronic Signatures
�; The RSA cipher can be used for electronic signatures. More precisely, here is
how to use RSA to guarantee that a given p1essage came from a given source. As before, the original message is broken into blocks of fixed length and each ; )block is translated into a number x. •.. Suppose Kyle ' s public key is (ek , mk) and his private key is (dk , mk ) , that Sarah ' s public key is (e8 , m8 ) and her private key is (d8 , m8 ) , and that mk < m8 • : Kyle enciphers the plaintext x with his private key (dk , mk) and then with . Sarah ' s public key (es , ms) : ·•
Sarah reads the ciphertext y and then computes the plaintext x by
x
=
( yd• mod m8 )ek mod mk
using her private key (d8 , m8) and Kyle's public key (ek , mk ) · How does Sarah know that the message came from Kyle? Because only Kyle knows dk and so only he can encipher the plaintext x with it. To see that this procedure works, let z = xdk mod mk . Then assuming z < ms . But indeed z = xdk mod mk < mk < m8 • Thus
zek mod mk = (xdk mod mk ) ek mod mk = xdkek mod mk =
=X
A message from Sarah to Kyle goes as follows. Given the plaintext x, Sarah sends the ciphertext y, where y
=
( xek mod mk) d • mod ms
Kyle then deciphers y by using
x
=
(ye• mod m8 ) dk mod mk
Each person uses his or her own private key and the other person's public key. Enciphering is done by using the smaller modulus first, then the larger modulus. Deciphering uses the larger modulus first, then the smaller.
CHAPTER 8. PUBLIC KEY CIPHERS
184
What if the larger modulus were applied first, followed by the smaller mod ulus for enciphering? It is likely that xe• mod m8 > mk , and hence some infor mation might get lost. If the deciphered text makes sense, it could only have been enciphered by the person who used his or her own private key. There is a possible flaw in this reasoning. If Sean intercepts the message y (xek mod m k )d• mod m8, he could strip off Sarah's signature by computing z = ye• mod m8 and then attach his own signature by calculating zdh mod mh and forwarding this message to Kyle. It would appear to Kyle that Sean had sent the original message, although Sean would have no idea what he had actually sent. There are several ways to minimize the effects of this problem. One would be for Sarah to include within the message her name and a time stamp. Another possibility is always to encipher by using the private key first, say y xd• mod m8• If y > mk , then break y into blocks Yi < mk and calculate Y? mod mk for each block and send these blocks to Kyle. Finally, each person could publish two keys; one for sending and one for receiving. The moduli for the sendkeys would be smaller, say 1050 < m8 < 105 1 , with the moduli for the receivekeys larger, say 105 1 < mr < 1052. That way each person would be sending a message to someone else with a larger moduli, so enciphering would use the formula y (xd• mod msYr mod mr , where ( d8, m8) is the private senderkey and (en mr ) is the public receiverkey. =
=
=
Problems 8.2 1. Send the plaintext x = 12 from Kyle to Sarah assuming Kyle's private key is (3, 15) and Sarah ' s public key is (5, 21) . 2. Sean uses the primes Ps = 38 490 587 and q8 = 983 299 with exponent e 8 7349. Find Sean's public and private keys.
=
3. Brendan uses the primes Pb = 2748 401 and qb 157 849 763 with expo nent eb = 9587. Find Brendan's public and private keys. =
4. Brendan wishes to send the message 1234 567 890 to Sean, using Sean 's public key and Brendan's private key. What message should Sean receive? 5. Show how Sean decrypts the message from Problem 4. Use the following table of primes and exponents to answer Problems 69.
Brendan p 8329 q 3499 e 5501
Janet Kyle Preston 2333 9967 7451 6469 1931 6689 7853 4663 7907
Sarah 3469 7643 4637
6. Compute private keys for Brendan, Janet, Kyle, Preston, and Sarah. 7. Brendan encrypts the plaintext message 99 999 999 using his private key and Janet's public key. What is the encrypted message?
A SYSTEM FOR EXCHANGING MESSAGES
185
8. Preston receives the encrypted message 34 568 007 from Kyle, who used his own private key and Preston's public key. Decrypt the message. 9. The plaintext message 2000 000 is epcrypted by first applying Preston's public key, then Sarah ' s private key. Show that decryption fails. Explain what went wrong. For problems 1013, use the following table of primes and exponents.
Brendon p 41 381 059 613 q 23 841 287 213 e 387 420 499
Janet 688 223 072 857 10 214 358 881 177 264 463
Preston p 862 891 037 453 q 510 246 412 969 e 304 839 373
Sarah 16 321 363 081 1 1 162 261 477 98 329 493
Kyle 10 410 338 677 20 604 499 379 96 889 010 447
10. Compute private keys for Brendon, Janet, Kyle, Preston, and Sarah. 1 1 . Brendon encrypts the plaintext message 99 999 999 using his private key and Janet's public key. What is the encrypted message? 12. Preston receives the encrypted message 182 654 067 428 694 778 930 238 from Kyle, who used his own private key and Preston 's public key. Decrypt the message. 13. The plaintext message 101010101010101010101 is encrypted by first apply ing Preston's public key, then Sarah ' s private key. Show that decryption fails. Explain what went wrong. 8.3
A System for Exchanging Messages
In practice, the primes p and q are chosen so that n = pq has about 200 digits. We will go through an example where n has about 50 digits. Kyle constructs two primes whose product is greater than 1050 . He then chooses a positive integer e and tests to make sure that it is relatively prime to
nk = 126 284 756 413 553 050 978 360 366 248 406 608 817 836 065 776 277 ek 1009 =
186
CHAPTER 8. PUBLIC KEY CIPHERS
Kyle constructed nk by computing nk = Pk qk , where Pk = 8273 488 995 874 738 949 376 607 qk 15 263 784 900 967 433 245 564 811 =
but he would never tell Sarah (or anyone else) how nk was defined. Then Kyle computes dk by first computing 'Pk = (Pk  1 ) ( qk  1 ) = 126 284 756 413 553 050 978 360 342 71 1 132 711 975 663 870 834 860
then setting dk = 1009 1 mod
Sarah also sends an email message that contains her public key. TO : Brenden , Sean , Kyle FROM : Sarah
n8 = 7649 659 803 155 869 454 870 134 280 817 974 298 450 529 391 711 731 e8 997 =
Sarah remembers that her primes are Ps 77839584736125364985746393 q8 = 98274673857627364665373867 =
and computes 'Ps = (Ps  1 ) (qs  1 ) = 7649 659 803 155 869 454 870 134 104 703 715 704 697 799 740 591 472
and d8 = 997 1 mod 'Ps = 5723 817 666 152 736 823 804 533 643 038 086 174 227 240 327 463 629
Rather than restricting messages to strings of the capital letters AZ, we allow a full set of 256 ASCII characters. Example 8.3 Kyle decides to send the message The #@%&* computer is act ing up again !
!!�:3.
A SYSTEM FOR EXCHANGING MESSAGES
187
�'() Sarah. He first writes down the ASCII value of each character and produces '.the vectors
A = (84, 104, 101 , 32, 35, 64,,37, 38, 42, 32, 99, 111, 109, 1 12, 117, 1 16, 101, 114, 32, 106) B = (115, 32, 97, 99, 116, 105, 110, 103, 32, 119, 112, 32, 97, 103, 97, 105, 110, 33, 0, 0)
He then calculates
X 1 = 600 167 620 106 771 636 211 628 585 849 721 838 540 876 507 220 X2 = 2912 276 570 798 527 424 777 621 159 210 842 274 734 195 using the sums
where c
=
19 X 1 = L: ai Ci i=O 19 x2 = L bi ci i=O
256. Kyle tests the moduli to see which of nk or n8 is larger. Since
nk  n8 = 7649 659 803 155 869 454 870 134 272 544 485 302 575 790 442 335 124
Kyle concludes that nk < n8• Thus Kyle enciphers by first using his private key ( dk , nk ) , then Sarah ' s public key (e8, n8 ) . Kyle enciphers the message by calculating
z1 = xtk mod nk
= 125 819 736 344 175 718 268 932 263 205 870 616 867 460 585 594 806 Z2 = xgk mod nk
= 110 431 267 001 056 501 628 738 304 699 976 888 214 174 820 174 836 Y1 = z�· mod n8 =
6490 122 138 798 845 932 205 029 063 697 475 651 026 315 779 005 336
Y2 = z�· mod n8 = 5206 997 138 452 155 799 019 530 511 244 204 675 487 260 820 178 238 Kyle then sends Sarah the following email message: TO : Sarah FROM : Kyle
6490 122 138 798 845 932 205 029 063 697 475 651 026 315 779 005 336 5206 997 138 452 155 799 019 530 511 244 204 675 487 260 820 178 238
188
CHAPTER 8. PUBLIC KEY CIPHERS
Sarah then deciphers the message by calculating some inverse operations: = yd1 s mo d ns = 125 819 736 344 175 718 268 932 263 205 870 616 867 460 585 594 806 = y2d, mod ns = 1 10 431 267 001 056 501 628 738 304 699 976 888 214 174 820 17 4 836 = w� k mod n k = 600 167 620 106 771 636 211 628 585 849 721 838 540 876 507 220 x2 = w� k mod nk = 2912 2.76 570 798 527 424 777 621 159 210 842 274 734 195
W1 W1 W2 W2 x1
Sarah now calculates the sequence { ai } of ASCII values by performing the following steps on x1 and x2 : ao = x mod 256 = 84 x x = � o = 2344404766042076703951 674 163475475 931 800298856
:
x mod 256 = 104 X X= = 9157 831 117 351 862 124 811 227 201 076 077 858 594 917
a1
=
�:l
a2 = x mod 256 = 101 a 19 = x mod 256 = 105 X = 2912 276 570 798 527 424 777 621 159 210 842 274 734 195 a2o = x mod 256 = 115 a37 = x mod 256 = 33 a3s = 0 a 39 = 0
Translated back into text, Sarah reads the message, The #@%&* computer is act ing up again !
�!\3.
A SYSTEM FOR EXCHANGING MESSAGES
189
Problems 8.3 · 1 . Convert the plaintext "2' 4=16" to a positive integer, using ASCII values and base 256 arithmetic. 2. Convert to plaintext the three numbers 653 481 561 706 256 160 607 300 716 034 424 225 952 184 750 930 556 034 090 672 982 451 998 688 663 006 597 581 940 164 228 207 199 505 372 523
In problems 38, use the keys e d n
e d n
Sarah 997 5723 817 666 152 736 823 804 533 643 038 086 174 227 240 327 463 629 7649 659 803 155 869 454 870 134 280 817 974 298 450 529 391 711 731 Kyle 1009 54 694 190 835 205 830 800 340 406 109 777 002 1 14 336 086 773 869 126 284 756 413 553 050 978 360 366 248 406 608 817 836 065 776 277
3. Encrypt the message Ron Rivest is a professor at MIT
from Sarah to Kyle. 4 . Kyle received the encrypted message 580 735 046 350 033 514 934 592 803 992 352 023 532 099 155 378 947 5291 232 071 949 948 925 471 032 807 295 136 508 630 705 523 321 750
from Sarah. Read the message. 5. Sarah received the encrypted message 1695 609 128 579 432 034 342 230 443 933 539 315 666 505 917 090 109 3526 148 554 529 184 887 055 643 524 345 287 218 828 172 175 185 624 2837 766 027 562 936 344 846 748 331 694 487 638 574 287 462 071 682
from Kyle. Read the message. 6. Encrypt the message RSA is used to transfer keys for fast encryption schemes
from Sarah to Kyle.
CHAPTER 8. PUBLIC KEY CIPHERE
190
7. Kyle received the encrypted message 1491 543 853 684 791 090 861 904 364 888 457 101 214 455 628 031 970 6920 136 844 206 351 338 082 229 186 328 578 558 592 587 709 058 521 464 188 094 287 035 035 931 921 710 687 540 480 117 216 797 612 537
from Sarah. Read the message. 8. Sarah received the encrypted message 2027 208 815 204 265 182 328 141 518 312 028 960 081 4 74 989 240 004 3151 590 210 265 147 454 601 370 266 850 881 158 943 783 670 753 786 2698 042 079 593 028 266 457 969 044 162 648 597 639 273 126 469 652
from Kyle. Read the message. 8.4
Knapsack Ciphers
Modern cryptology is based on the construction of functions that are easy to calculate in one direction, but difficult to compute in the other direction (with out special information ) . Such a function is called a trap door function. In particular, we seek onetoone functions y f(x) for which y f 1 (x) is difficult to determine unless the user has a particular key. In the case of the RSA algorithm, y xe mod n is easy to compute, but the inverse function is difficult unless a factorization of n is known or d e 1 mod cp (n ) is known. In this section we present another class of functions that are easy to calculate, but for which the inverse problem is more difficult. In the sequence 1, 2, 22, 23, 24, . . . , each term is greater than the sum of the preceding terms because 1 + 2 + 22 + . . . + 2 k l 2 k  1 . =
=
=
=
·
=
Definition 8.4 A sequence a 1 , a2 , . . . , an of positive integers is superincreas ing if each term is greater than the sum of the preceding terms. That is,
for k
=
1 , 2, . . . , n  1 .
In the superincreasing sequence 1 , 2 , 22, 23, 24, , each term is twice the pre ceding one. We can relax that condition a little bit and still get a superincreasing sequence. •
.
•
Theorem 8.5 A sequence a 1 , a2, . . . , an is super increasing if ai+1 > 2ai for
i
=
1, . . , n  1 . .
f&'$;4;
KNAPSACK CIPHERS
191
�PSuppose roof. The theorem holds for that the theorem holds for n
=
2 because k. Then
n =
a2
ak+1 > 2 ak > ak + L ai L ai i< k i< k +l
I
=
Example 8.6 The sequence 1, 3, 8, 21 , 45, 97, 207, 415, 843, 1691, 3389, 6787,
13581, 27166, 54335, 108671 is a superincreasing sequence because each term is more than twice as large as the preceding term.
In the knapsack problem, you are given a set K of positive integers and you want to write a given positive integer as a sum of some of the numbers in K. This is known to be a very difficult problem to solve if K is large. A knapsack cipher works on binary plaintext. We will illustrate with small example. Suppose we base our knapsack cipher on a superincreasing sequence a 1 , a 2 , a3 , . . . , a 1 6 · Then plaintext is broken up into blocks of length 16. The text "Hi" is converted to ASCII hex code 4869, which is 0100 1000 0110 1001 in binary. The ciphertext is the sum of the corresponding terms in the sequence a·
y a2 + a5 + a 10 + a u + a 1 3 + a l6 =
Consider the particular superincreasing sequence 1, 3, 8, 21, 45, 97, 207, 415, 843, 1691, 3389, 6787, 13581, 27166, 54335, 108671
Note that each term is more than twice the preceding term, so the sequence is indeed superincreasing. Then the ciphertext is
y a2 + a 5 + a 1 0 + a u + a 1 3 + a 1 6 =
=
127380
Deciphering is easymuch like conversion from decimal to binary. We need to find coefficients Xi in {0, 1 } such that
16 L: xi ai y i= 1 =
The key observation is that if
k L Xi a i = w i= 1
then X k = 0 if ak > w, for otherwise the sum would be larger than w , and that X k 1 if ai S w, because otherwise the sum would be less than ai , as the sequence is superincreasing. So, x 1 6 = 1 , because a l 6 108671 S 127380. Subtracting a 1 6 from both sides of the equation gives =
=
15
X i ai L i=1
=
127380  108671
=
18709
192
CHAPTER 8. PUBLIC KEY CIPHERS
so X 1 5 = 0 because a 1 5 = 54335 > 18709. Similarly X 1 4 = 0 because a 1 4 27166 > 18709. But x 1 3 = 1 because a 1 3 = 13581 � 18709. We then subtract a 1 3 from 18709 and continue. We show the interesting steps, when Xk = 1 and we subtract ak from w, in the table:
=
k ak w 16 108671 127380 13 13581 18709 11 5128 3389 1739 1691 10 45 48 5 0 2 3
Thus Xk
= 1 exactly when k = 2, 5, 10, 1 1 , 13, 16 and the binary plaintext is X 1 X2 X 16 = 0100 1000 0110 1001 •
•
•
which is 4869 in hex, so the plaintext is "Hi" . Algorithm 8.1 To solve easy knapsack problem Input: superincreasing sequence a 1 , , an and sum y Output: Binary sequence x 1 , . . . , Xn .
•
•
Set Xi = 0 for i = 1 . . . n For i from n down to 1 If ai < y Then Set Xi = 1 Set y = y  ai End If Next i End
This is an easy algorithm. In fact, it is too easy. Anyone with a general knowl edge of superincreasing sequences could do the same thing, and hence deduce the plaintext. One way to disguise the superincreasing sequence is to select a modulus m > 2 a and a multiplier k such that k .l m, and define a new sequence bi by n ·
The sequence b 1 , b2 , . . , bn is no longer superincreasing, even if it were arranged in order, but if .
y
n = L X i ai i= l
1l3>4� KNAPSACK CIPHERS
193
�then set
ky mod m In this variation, the public key is (b1 , b2 , . . . , bn ) and the private key is (m; k) . Given the binary plaintext X 1 , x2 , . . . , Xn , the ciphertext is the number z =
n
z
=
Xi bi mod m L i=1
)
To recover the plaintext X 1 , X2 , . . . , Xn if and (m, k are known, first com pute k 1 mod m, and then solve z
n n n y ykk  1 mod m = L k  1 xi bi L k  1 xi kai = L Xi ai i=1 i=l i= l for X 1 , X2 , , Xn , using the easy method for a superincreasing sequence. =
=
.
•
.
The name "knapsack cipher" comes from the problem of guessing the con tents of a knapsack without looking inside. All you know is the weight of the filled knapsack and the weights of the various objects that might be inside. The general knapsack problem is provably difficult and therefore looks like an attractive basis for ciphers. A key that is 100 bits long may require 2 100 trials to solve a knapsack problem. However, the version we described is not so secure. Knowing that modular arithmetic is used, the multiplier k can be deduced with moderate effort. The search continues for a secure knapsack cipher that is easy for users to encipher and decipher. Problems 8.4 1 . Show that 2, 3, 6, 12, 24, 48, 96, 200 is a superincreasing sequence.
(
)
2. Write 313 as a sum of some of the integers 2, 3, 6, 12, 24, 48, 96, 200. 3. Given the sequence 2, 3, 6, 12, 24, 48, 96, 200, let m = 453 and k 61. What is the public key? Encrypt the plaintext 10010110. Use the private key 453, 61 to decrypt the message. =
(
)
(
)
4. Write 361 675 as a sum of some of the numbers 86 977 ' 75 580, 29 992, 71 381, 21 594, 54 585, 97 773, 85 775, 38 985, 2390, 103 154, 62 346, 94 700, 45 438, 79 479, 60 584 using the fact that these numbers were created by starting with a super increasing sequence and multiplying each number by 98 374 and reducing the results modulo 109 771. 5. Show that 1 , 3, 5, 10, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120, 10240, 20480, 40960, 81920, 163840 is a superincreasing sequence.
194
CHAPTER 8. PUBLIC KEY CIPHERS
6. Write 315 428 as a sum of (some of) the integers 1, 3, 5, 10, 20, 40, 80, 160 , 320, 640, 1280, 2560, 5120, 10 240, 20 480, 40 960, 81 920, 163 840. 7. Given the sequence 1 , 3, 5, 10, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120, 10 240, 20 480, 40 960, 81 920, 163 840, let m = 327 819 and k = 997. What is the public key? Encrypt the plaintext 10110010100101 1010. Calculate the private key and decrypt the message.
8. Write 2410 809 as a sum modulo 4272 954 of (some of) the numbers 51 953 3553 441 311 718 875 372 475 406 3524 975 254 786 1384 944 3.9 96 844 1 198 524 1625 582 1552 373 31 492 3564 472 393 606 1714 537
1498 808 2821 841 3156 699 2959 896
using the fact that these numbers were created by starting with a superin creasing sequence and multiplying each number by 2574 163 and reducing the results modulo 4272 954. 8.5
Digital Signature Standard
The digital signature algorithm ( DSA) allows a digital signature to be used on an electronic document instead of a traditional signature. It is intended to assure that signatures cannot be forged and that anyone can verify a validly signed document. Digital Signature Algorithm DSA uses the following parameters: 1 . A prime p between 2 £  1 and 2 L , where L is a multiple of 64 and 512 :::; L :::; 1024. 2. A prime q between 2 1 59 and 2 1 60 that divides p 1 . 
3 . An integer g > 1 of the form g = h (p  1 ) / q mod p The order of g modulo p is q. 4. A random integer x in the range O
y = g"' mod p
195
DIGITAL SIGNATURE STANDARD
A random integer k in the range O
The point of incorporating m into the digital signature is to assure that this signature applies to the message M and wasn't just copied from some other message. Verification Knowing p, q, g, the user's public key y, the electronic document digital signature (r, s) , the signature is verified by calculating t = ms  1 mod q u v
If
v
=
=
rs 1 mod q
= (l Yu modp) mod q
r, then the signature is verified. To see this, note that s  1 mod q = k (m + xr)  1 mod q
implies
s  1 (m + xr ) mod q = k mod q
so v
=
= =
= =
(lyu mod p) mod q 1 gms 1 mod q yrs  mod q modp mod q 1 gms  od 9 rs  mod q mod p mod q
( ( (g m + (
)
m
q
x
r x ) s  1 mod q
1
modp mod q
(g k mod q mod p) mod q
=r
)
)
M,
and the
196
CHAPTER 8. PUBLIC KEY CIPHERS
Example 8. 7 We look at an example with smaller numbers. Let q = 101 and p = 1248 563. Then p  1 mod q = 0. Let g = 2 =! modp = 588 634. Then g q mod p = 1 and hence g has order q modulo p. Let x = 23. Then y = gx modp = 702 644. Suppose m = 53 and let k = 42. The digital signature is given by r = (g k modp) mod q = 52 s = k  1 (m + xr) mod q = 61 •
Now compute t = ms 1 mod q = 82 1 u = rs  mod q = 29 = (lyu modp) mod q = 52 v
Secure Hash Algorithm
The secure hash algorithm produces a 160bit output called a message digest. A more suggestive name is digital fingerprint. The message digest detects even slight changes in a lengthy document, so it is almost impossible for different readable documents to have the same message digest. 1 The algorithm uses bitwise logical operations, the circular shift operators, and the modular sum and x l\ y or xVy xor x EB y complement X left circular shift sn (x) x + y mod 2 32 sum where X and y are 32bit words, and 3n shifts X left by n bits, filling in the vacated bits on the right with those that fell off the left. Thus, 84 (XoX 1 X2
•
· ·
X 3 I ) = ( X4 X 5 ' ' ' X 3 1 X0 X 1 X 2 X 3 )
Problems 8.5 1 . Verify that
q = 1091 381 946 026 415 813 817 094 712 889 364 130 135 176 179 079 is a prime in the range 2 1 5 9 < q < 2 1 60 . 1 This algorithm, called SH1, is described in the Federol Information Processing Standard which is available at http: / fwww.itl.nist.gov/fipspubs/fip180l.htm. A public competition for a new algorithm, to be called SH3, was announced by the National Institute of Standards and Technology with entries due by October 31, 2008. Publication 1 80 1 ,
8:5: DIGITAL SIGNATURE STANDARD
197
2. Verify that p = 1001 233 193 091 254 238 180 294 974 169 661 662 027 929 267 542 507 108 664 330 1413485 006 681 346 209 714 994 069 015 138 048 278 778 614 844 442 236 115 77 4458 221 400 826 017 032 280 284 335 829 147 is a prime in range 2 5 11 < p < 25 1 2 3. Verify that p  1 mod q = 0, where p and q are given in problems L and 2. 4. Find the smallest positive integer h that satisfies h(P 1 )/q modp =f. 1 . 5. If g = h(P 1 )/q modp, where h is given in Problem 4 , verify that gq mod p = 1. 6. Let q be a prime in the range 2 1 59 < q < 2 1 60 and consider the following algorithm for finding a prime p. '
.
p : = 2 '352*q + 1 while isprime(p) = false do p := p + 2 * q end do Verify that the prime p given by this algorithm satisfies q I p  1 . 7 . Let n _l m and define 7rn , m (x) t o be the number of primes of the form p = nk + m that are less than x. The generalized prime number theorem states that 1 1r m (x) = __ lim n ,
Class Project
1. Get an email address for each student in class. 2. Generate two primes p and q such that m = pq > 1050 . 3. Publish your public key ( e, m) , where e is a three or fourdigit positive integer with e j_
Chapter 9
Finite Fields Finite fields are called Galois fields in honor of the French mathematician Evariste Galois (1811  1832), the first to study them in full generality. Recently there has been a renewed interest in finite fields because of their applications to coding theory and cryptography. In all the history of science there is no completer example of the triumph of crass stupidity over untamable genius than is afforded by the all too brief life of Evariste Galois. E. T. Bell
At the age of 20, Galois engaged in a pistol duel at 25 paces. He was shot in the intestines and died a day later. Much of his mathematical legacy can be traced to the ideas that he frantically put on paper the night before the duel.
The Galois Field GFp
9.1
The simplest example of a Galois field is Zp = {0, 1 , 2, . , p  1} where p is a prime and addition and multiplication are done modulo p. Here is a list of its properties: .
.
Theorem 9.1 Let p be a prime. Then for all a, b, and c in Zp we have 1. 2. 3. 4
a + (b + c) = (a + b) + c Associative law Commutative law a+b=b+a Additive identity a+O = a a + m = 0 for some m Negatives
199
200
CHAPTER 5.
6. 7. 8. 9.
9.
FINITE FIELDS
Associative law a(bc) = (ab)c Commutative law ab = ba Multiplicative identity a1 = a Distributive law a(b + c) = ab + ac If a =/= 0, then am = 1 for some m Inverses
The first eight properties follow from the corresponding properties of z. The existence of inverses comes from the fact that if p does not divide a, then there is an integer b such that ab = 1 (mod p) . The element m in property 4 is a. We write the elep1ent m in property 9 as a  1 . We can think of GFp as the set of congruence classes modulo p. The integers that are congruent to a modulo p form the congruence class of a, denoted by [a] . Note that [a] = { . . . , a  3p, a  2p, a  p, a, a + p, a + 2p, a + 3p, . . } .
The sum of the classes [a) and [b) is [a + b] , their product is [ab] . That is, [a] + [b] = [a + b] [a] [b] = [ab]
(See Problem 10.) The idea of a field is obtained by abstracting the properties of addition and multiplication in Zp. Definition 9.2 A field is a set F with an addition and a multiplication satis
fying
1 . a + (b + c) = (a + b) + c for all a, b, c in F (Associative law) 2. a + b = b + a for all a, b in F {Commutative law) 3. There is an element
identity)
0 in F such that a + 0 = a for all a in F (Additive
4 . a + x = 0 for some x {Negatives. We write x = a.) 5. a(bc) = (ab)c for all a, b, c in F (Associative law)
6. ab = ba for all a, b in F {Commutative law) 7. a1 = a {Multiplicative identity) 8. a(b + c) = ab + ac {Distributive law) 9. If a =/=
0, then ax = 1 for some x {Inverses. We write x = a  1 .)
��)1.
THE GALOIS FIELD GFv
201
,�    · If we take F to be Zp with addition and multiplication modulo p, then we ..
' see that Zv is a field. This field is also denoted by GFp, and called the Galois
field of order p.
The rational numbers Q form a field _as do the real numbers JR., and the complex numbers C. These three fields are infinite. We are interested here in finite fields. Example 9.3 Here are the addition and multiplication tables for GF7 .
+ 0 1 0 0 1 1 1 2 2 2 3 3 3 4 4 4 5 5 5 6 6 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
These are called Cayley tables. They are symmetric about the main diagonal because of the commutative laws. Except for the row of zeros in the multiplica tion table, each nonzero element appears exactly once in each row. This shows that the equations a + x = b and ex = d have unique solutions in GF7 when a =rf 0. Example 9.4 We can think of GF5 as the set of congruences classes modulo
5. There are five congruence classes:
[0] = { . . '  10, 5, 0, 5, 10, . . . } [1] = { . . ' 9, 4, 1 , 6, 1 1 . . . } [2] = { . ' 8, 3, 2, 7, 12 . . . } [3] = { . . ' 7, 2, 3, 8, 13 . . . } [4] = { . . , 6,  1 , 4, 9, 14 . } .
.
.
.
.
.
. .
Note that [1] = [6] = [4]
since each is equal to the set of all integers x such that x mod 5 = 1 .
Example 9 . 5 The addition and multiplication tables of GF5 can be written as
CHAPTER 9. FINITE FIELDS
202 + r oJ flJ [2J [3J [4J
I roJ [ 1 ] [2] 1 r oJ 1 fl J 1 [2J 1 [3J 1 [4J
[1] [2J [3] [4] [5]
[2J [3J [4] [5J [6]
Since
[4] [4J [OJ [6J [7] [8J
[3] [3J [4J [5J [6J [7J
[0] = [5J [ 1] = [6] = [ 1 6] [2] [7] = [ 1 2]
I roJ [ 1 ] [2] [3J r oJ [lJ [2J [3] [4J
1 r oJ I [OJ 1 ro J I [O J 1 r oJ
[OJ [1] [2] [3J [4]
[OJ [2J [4] [6] [8]
[4] [OJ [4J [8J [ 1 2] [ 1 6J
[ OJ [3] [6] [9J [ 1 2]
[3J [8] [4J = [9] =
=
these tables can be rewritten as + I r oJ [O J I [O J fll 1 [lJ r21 1 [2J [3J 1 [3J [4J 1 [4J
[ lJ [lJ [2J [3J [4J [OJ
[2J [2J [3] [4J [OJ [1]
[3] [3J [4J [OJ [ lJ [2J
I roJ [ 1 ] [2] [3] [4]
[4] [4J [0] [ lJ [2J [3J
r oJ [lJ [2J [3J [4J
1 1 I
roJ roJ [ OJ I [ OJ I [ OJ
[O J [1] [2J [3] [4J
[OJ [2] [4J [1 ] [3J
[0] [3J [1] [4J [2]
[ OJ [4J [3] [2] [ lJ
Systems of linear equations can be solved over the finite field GFp by first solving the system over the rational number field Q and then reducing the solution modulo p. Example 9.6 To solve the system
26x + lOy + 23z 22 18x + 35y + 7z = 17 7x + 1 5y + 26z = 30 =
over the field GF4 1 , 1.
Find the solution
to the system of equations over the field Q of rational numbers.
,g,L
THE GALOIS FIELD GFp
203
2. Evaluate the solution modulo 41 to get X
= 23,
y = 38,
Z =
3
Substitute the solution back into the system of equations and evaluate modulo 41 to verify that
3.
26 23 + 10 38 + 23 · 3 mod 41 = 22 18 23 + 35 38 + 7 3 mod 41 = 17 7 · 23 + 15 38 + 26 · 3 mod 41 = 30 ·
·
·
·
·
·
Let F be a finite field. When necessary, we will denote the 1 of F by 1p to distinguish it from the integer L We can form the sum 1p + 1p, which we denote by 2 1p, the sum 1p + 1p + 1p, which we denote by 3 1p, and so on. As F is finite, we will eventually come across positive integers m < n so that m · 1p = n · 1p, from which it follows that ( n  m ) 1p = 0. The smallest positive integer c such that c · 1p = 0 is called the character istic of the field F. The characteristic c of a field is a prime number. Why is this? Suppose c = ab. Then a b · 1p = 0, so (a · 1p) (b · 1p) = 0. lt follows that either a · 1p = 0 or b 1p = 0 (see Problem 2) . But c is the smallest positive integer such that c 1p = 0, so either a = c or b = c. If F is a field of characteristic p, then we can think of GFp as being contained in F under the correspondence a a · 1p . For a =/= 0 in F, consider the sequence a, a2 , a3 , . . . . As F is finite, there must be positive integers m < n such that am = an . Repeatedly multiplying this equation by the inverse of a, we get 1 = an  m . So some power of any nonzero element of F is equal to L The least positive integer k such that a k = 1 is called the order of a. ·
·
·
·
·
+t
Problems 9 . 1 L
Show that if F is a field, then aO = 0 for any a in F . (Look at aO + aO.)
2. Show that if F is a field, and ab = 0, then a = 0 or b = 0. (Show that if a =/= 0, then b = 0.) Another way to state this is that if a and b are nonzero, then so is ab. 3. Solve the following system of equations over GF5 : 3x + 7y + 6z = 2 4x + 5y + 3z = 2 2x + 4y + 5z = 4 4. Construct the Cayley tables for GFn .
CHAPTER 9. FINITE FIELDS
204 5. Solve the system
3x + 9y + 4z = 8 2x + 3y + 5z = 2 5x + 4y + 9z = 10
over GFu . 6. Construct the Cayley tables for GF1 3 ·
7. Construct the Cayley tables for GF1 7 . 8. Explain how to locate a  1 in the multiplicative Cayley table for GFp. 9. Explain why the set of integers modulo 10 under addition and multiplica tion is not a field. 10. Explain why the operations on congruence classes mod p, [a] + [b] = [a + b] and [a] [b] = [ab] , are well defined. That is, why does the result not depend on the particular choice of a and b from the congruence class? 1 1 . Solve the equation x2 + 7x + 10 = 0 over GFu . 12. Factor the polynomial 3x3 + x2 + l lx + 1 over the field GF1 7.
9.2
The Ring GFp [x] of Polynomials
To construct finite fields other than GFp, we look at polynomials with coef ficients in the field GFp. First, consider polynomials with coefficients in an arbitrary field F. Given two polynomials f(x) = ao + a1x + a2 x2 + · · · + an xn g(x) = bo + b 1 x + b2 x2 + · · · + bm xm we add them by adding their coefficients. The coefficient of xi in the sum f(x) + g(x) is ai + bi , where we set ai = 0 if i > n and bi = 0 if i > m . Multiplication of polynomials is more complicated. The coefficient dk of x k in the product f(x) · g(x) is given by dk =
2::: ai bj
i+j=k
that is, do = a o b o d 1 = ao b 1 + a 1 bo dm +n1 = an  l bm + an bm 1 dm+n = an bm
ij';J;2;
THE RING GFp [xJ OF POLYNOMIALS
205
5fhis is the product you would get if you simply multiplied f (x) and g (x) using the usual laws. Example 9.7 The product in GF7 [x] oqhe two polynomials 2 + 3x + 5x 2 and 1 + 5x + 3x 2 + 2x3
·
is
(2 + 3x + 5x2 ) ( 1 + 5x + 3x2 + 2x3 ) = (2 · 1) + (2 5 + 3 1)x + (2 3 + 3 5 + 5 1)x 2 + (2 2 + 3 3 + 5 · 5)x3 + (3 · 2 + 5 · 3)x4 + (5 · 2)x 5 = 2 + 6x + 5x2 + 3x 3 + 3x 5 ·
·
·
·
·
·
·
The set F [x] of polynomials satisfies almost all of the properties of a field. However, a polynomial of degree greater than zero does not have an inverse. The more general notion is that of ring. In a ring you can add, subtract, and multiply. In a field, you can also divide. Definition 9.8 A ring is a set R with an addition and a multiplication satis
fying
1 . a + (b + c) = (a + b) + c
for all a, b, c in R
2. a + b = b + a for all a, b in R 3.
there is an element 0 in R such that a + 0 = a for all a in R
4. for each a in R there is an element a in R such that a + (a) = 0 5. a(bc) = (ab)c for
all a, b, c in R
6. a(b + c) = ab + ac for all a, b, c in R A ring R is a ring with identity if 7.
there is an element 1 in R such that 1a = a1 = a for all a in R A ring R is commutative if
8. ab = ba for all a, b
in R A commutative ring with identity is a field if
9.
for each a in R with a =f 0 there exists an element a  1 in R such that aa 1 = 1
The integers are a commutative ring with identity. The 2 x 2 matrices over the integers with the usual matrix addition and multiplication are a noncom mutative ring with identity. The even integers are a commutative ring without an identity.
CHAPTER 9. FINITE FIELDS
206
One important ring is Zn = {0, 1 , 2, . , n  1} with addition and multipli cation modulo n. This ring is a field when n is prime. We will look at Z 6 to see what happens when n is composite. The multiplication table .
X
0 1 2 3 4 5
1 0 1 2 3 4 5
0 0 0 0 0 0 0
2 0 2 4 0 2 4
.
3 0 3 0 3 0 3
4 0 4 2 0 4 2
5 0 5 4 3 2 1
is the Cayley table for multiplication modulo 6. None of the integers 2, 3, or 4 has an inverse modulo 6, so Z6 is not a field. Also, equations such as 2x = 1 , 2x = 3, 2x = 5 have no solutions. The set F[x] of polynomials with coefficients in a field F is a commutative ring with identity. It behaves in many ways like the ring Z of integers. Definition 9.9 The degree of a nonzero polynomial
is the largest m such that am =/= 0. If a m polynomial is monic.
=
1 for this
m,
we say that the
We write deg(p(x)) for the degree of the polynomial p(x). The polynomial 2x3 + 3x 2 + 1 has degree 3 in GF3 [x] and degree 2 in GF2 [x] . It is not monic in either ring. The polynomial x4 + 2x 3 + 3x2 + 1 is monic in any ring. Theorem 9.10 If F is a field, and p(x) and q(x) are nonzero polynomials in F [x], then p(x)q(x) =/= 0 and
deg (p(x)q(x))
=
deg(p(x)) + deg(q(x))
ao +a 1 x+ · · · + amxm and q(x) = bo + b1x 1 + · · + bn xn with am and bn nonzero. The term of the largest degree in p(x)q(x) is am bn xm+n , I which is not zero because F is a field. Proof. Write p(x)
=
The division algorithm for polynomials over a field is just like the division algorithm for integers. Theorem 9.11 (Division Algorithm) Let F be any field. Given polynomials a (x) and b (x) in F [x] with b (x) =/= 0, there are polynomials q (x) and r (x) in F [x] , where either r (x) = 0 or deg (r (x)) < deg (b (x)), such that
a (x)
=
b (x) q (x) + r (x)
f9:2: THE RING GFp [x] OF
]Proof. If a (x)
=
POLYNOMIALS
0, then take q (x)
a(x) b(x)
=
r (x)
ao + a 1 x + = bo + b 1 x + ' =
0. Otherwise write
= ·
·
·
+ am x m
·
·
207
+ bn xn
with am # 0 and bn # 0. If m < n, take q (x) = 0 and r (x) = a (x). If m � n consider the polynomial b (x) (am b;;: 1 xm  n ) = boam b;;: 1 xm n + b 1 am b;;_ 1 xm n +1 + + bn am b;;_ 1 xm This is a polynomial of degree m whose last term is am xm which is the same as the last term of a (x) . If we subtract it from a (x) , we get the polynomial ·
·
·
which is either equal to 0 or has degree at most m  1 . So, if we let q1 ( x) = am b:;;: 1 xm  n then a (X) = b ( X) Ql (X ) + 11 (X ) with !l (x) = 0 or deg (!l (x)) < deg (a (x)) . If deg( !l (x)) � deg(b(x)) , write !l (x) = q2 (x)b(x) + h (x) with h (x) = 0 or deg(h (x)) < deg(!l (x)) . Eventu ally we get a(x) with fk (x)
=
=
q1 (x)b(x) + q2 (x)b(x) +
·
· ·
+ Qk (x)b(x) +
fk (x)
0 or deg(fk (x)) < deg(b(x)) . Taking
q (x) r(x) we have shown that
q1 (x) + q2 (x) + = fk (x) =
a(x)
=
·
·
·
+
Qk (x)
q(x)b(x) + r(x)
with r (x) = 0 or deg(r(x)) < deg(b(x)) . I The polynomial q (x) is called the quotient and the polynomial r (x) is called the remainder. It's not hard to see that the quotient and remainder are uniquely determined (see Problem 14) . Computer algebra systems will compute the remainder, which it is natural to call a (x) mod b ( x) as we do for integers. Definition 9.12 Let a (x), b (x) , and m (x) be polynomials in Ql (x] . Then a (x) and b (x) are congruent modulo m (x) if a (x)  b (x) = m (x) k (x) for some
polynomial k (x) in Ql (x] . In this case we write
a (x)
=
b (x) mod m (x)
Note that operations can be carried out in GFp [x] by doing the operations in Ql (x] , then reducing the coefficients modulo p.
CHAPTER 9. FINITE FIELDS
208
Example 9.13 To find the quotient and remainder when x3 + x + 1 is divided by x2 + x + 1 , we begin by doing long division. This produces
x+2 x3 + x + 1 =x1+ x2 + x + 1 x2 + x + 1
which means that x3 + x + 1 = (x 2 + x + 1)(x  1) + (x + 2)
In this case we write x3 + x + 1 mod x2 + x + 1 = x + 2
and say that the polynomials x+2 and x3 +x+ 1 are congruent modulo x2 +x+ 1 , that is, x3 + x + 1 = x + 2 (mod x2 + x + 1)
Note that deg (x + 2) < deg (x2 + x + 1) . Example 9.14 To evaluate
3x4 + 5x + 2 mod 2x3 + x 2 + 5
in CF1 1 [x] , first use long division to rewrite the quotient in the form ¥  �x + ix2 3x4 + 5x + 2 = 3x  3 + 4 2x 3 + x2 + 5 2x3 + x 2 + 5 2
Thus Reducing the polynomials with rational coefficients modulo 1 1 , we have �x  i mod 1 1 = 7x + 2 �3  �x + ix2 mod 1 1 = 9x2 + 3x + 3
Thus
3x4 + 5x + 2 mod 2x3 + x2 + 5 = 9x2 + 3x + 3 in CFu [x] . As a check, note that (3x4 + 5x + 2)  (9x2 + 3x + 3) mod 1 1 = 3x4 + 2x + 10 + 2x2 (7x + 2) (2x3 + x2 + 5) mod 1 1 = 3x4 + 2x + 10 + 2x2
and hence 2x3 + x2 + 5 divides the difference modulo 1 1 .
THE
RING GFp [x] OF POLYNOMIALS
209
Computer algebra systems have builtin functions that produce a polynomial smallest degree that is congruent to a given polynomial. · The division algorithm can be used to compute the greatest common divisor two polynomials P l (x) and P2 (x) , and to write it as a linear combination of of Pl (x) and P2 (x) . ,Theorem 9.15 (Extended Euclidean algorithm) Let F be any field. Given polynomials a and b in F [x] , there are polynomials s and t in F [x] such that 1
d = sa + tb is the greatest common divisor of a and b. Proof. If b = 0, take s = 1 and t = 0. Otherwise, writing P 1 = a and P2 = b we apply the division algorithm repeatedly to get a sequence of polynomials P 1 , . p� , P3 , P l = P2 q1 + P3 with deg P3 < deg P2 P2 = p3 q2 + P4 with deg p4 < degp3 P3 = p4 q3 + P5 with deg P5 < deg P4 ·
·
:
Pk 3 = Pk 2 qk 3 + Pk 1 with deg pk 1 < deg pk 2 Pk  2 = Pk1 qk 2 + Pk with degpk < deg pk1 Pk  1 = Pk qk 1 We stop when the remainder is zero. Then d = Pk is the greatest common divisor of p1 = a and p2 = b. Moreover, d may be written as a linear combination of a and b by repeated substitution, from bottom to top, in the preceding equations. I
The procedure is exactly like the extended Euclidean algorithm for the in tegers (see page 47) . See page 141 for examples with rational coefficients. Every nonzero element u in a finite field K of characteristic p satisfies a monic polynomial in GF [x] because some power of u is equal to 1 . (See page 203.) Of course 0 satisfies the polynomial x. P
Definition 9.16 Let K be a finite field containing a field F, and 0 an element of K. The minimal polynomial of 0 over F is the monic polynomial m (x)
in F [x] of smallest degree such that m (0)
=
0.
Let 0 be an element of a finite field K containing a field F . Let F [0] denote the set of elements f (0) in K where f (x) ranges over F[x] . It's clear that F [0] is a ring because F [x] is a ring. In fact, F [0] is a field because some power of any nonzero element of K is equal to 1 . We will show that the order of F [0] is qn where q is the order of F and n is the degree of the minimal polynomial of 0 over F.
CHAPTER 9. FINITE FIELDS
2 10
If m ( x) is the minimal polynomial of B over F, and f (x) is any polynomial in F [x] , then we can write f (x) = s (x) m (x) +r (x) where r (x) = 0 or deg r (x) < deg m (x) = n . So f (B) = r (B) . In particular, if f (B) = 0, then r (B) = 0, so r (x) = 0 because m (x) is the minimal polynomial of B over F and deg r (x) < deg m (x) . That is, m (x) divides any polynomial that has B as a root. Different polynomials r ( x) of degree less than n give different values of f (B) because if r (B) = r' (B) , then r (x)  r' (x) is a polynomial of degree less than n satisfied by B, so must be zero because m ( x) is the minimal polynomial of B. So the number of elements in F [B] is the same as the number of polynomials in F [x] of degree less than n . But such a polynomial looks like and there are q choices for each of the coefficients ai giving a total of qn poly nomials. We can use this result to show that each finite field has order a power of its characteristic, hence has order pn for some prime p and positive integer n. More generally we show Theorem 9.17 If K is a finite field containing a field F, then the order of K
is a power of the order of F.
Proof. Let K have order k and F have order q. If K
= F we are done. Otherwise choose an element B in K but not in F and let me (x) be its minimal polynomial over F. If n = deg me , then the field F [B] has order qn . So k is a power of qn by complete induction (see problem 10) on k  q (we have replaced I q by qn , thus decreasing k  q) , whence k is a power of q. Given polynomials a (x) and b (x) =1 0, the division algorithm for polynomials yields the quotient q (x) and remainder r (x) . The remainder is given by
r (x)
=
a (x) mod b (x)
The cyclic redundancycheck codes (CRC codes) are based on polynomial remainders. Given a fixed polynomial g (x) of degree n, called the generator polynomial, the codeword for the plaintext polynomial p (x) is c ( x) = xnp ( x) + (xnp (x) mod g (x)) mod 2. The codeword c (x) is transmitted, and received as d (x) . If no errors occur in transmission, then (d (x) mod g (x) ) mod 2 = 0. If (d (x) mod g (x)) mod 2 =1 0, then at least one error must have occurred during transmission, and the codeword would need to be retransmitted. In the case of a barcode, the item would be rescanned. Example 9.18 Given the generator polynomial g (x) = x4 + x 3 + 1 and the plaintext polynomial p (x) = x 7 + x5 + x2 + 1 , the codeword is given by
c (x) =
xnp (x) + (xnp (x) mod g (x)) mod 2 x4 (x 7 + x5 + x2 + 1) + (x4 (x7 + x5 + x2 + 1) mod x4 + x3 + 1) mod 2 x u + x 9 + x 6 + x4 + x3 + x 2 + x
�!J. 2;
THE RING GFp [x] OF POLYNOMIALS
211
,Jfan error x k occurs, then the received message is Since
(d (x) mod g (x)) mod 2 = x k
is not zero, at least one error is detected. If no errors occur, then and the plaintext polynomial is the quotient x l l + x 9 + x 6 + x 4 + x3 + x2 + x :,x4 + x3 + 1



=
x7 + xs + x2 + 1
The critical factor in designing a good CRC code is the generator polynomial g (x) . One of the most popular CRC codes is CRC16, which uses the generator polynomial g (x) = x 16 + x 1 5 + x 2 + 1. This code 1 . detects all single errors. 2. detects all double errors. 3. detects any odd number of errors. 4. detects any error burst of length at most 16; that is, an error of the form xk + x k+l + + x k+ n l where n ::; 16. ·
·
·
Problems 9.2 1.
Compute the sum (5x3 + 4x2 + 3) + (4x4 + 6x2 + 3x + 5) in GF7 [x] .
2. Compute the sum (10x4 + 8x3 + 6x + 7) + (7x4 + 6x2 + 8x + 9) in GF1 1 [x] . 3. Compute the product (5x3 + 4x2 + 3) (4x4 + 6x2 + 3x + 5) in GF7 [x] . 4. Compute (10x4 + 8x3 + 6x + 7) (7x4 + 6x2 + 8x + 9) in GFu [x] . 5. Compute 4x4 + x2 + 3x + 1 mod 5x3 + 4x2 + 3 in GF7 [x] . 6. Compute 2x8 + 6x3 + 4 mod 3x 5 + 7x4 + 2x + 5 in GFu [x] . 7. Factor x5 + x3 + 6x2 + x + 2 in GF7 [x] . 8. Factor x 6 + x5 + x4 + 4x3 + 3x2 + 3x + 3 in GF7 [x] . 9. Use the generator polynomial g (x) = x4 + x3 + 1 to generate the CRC codeword corresponding to the plaintext p ( x) = x 11 + x9 + x2 .
CHAPTER 9. FINITE FIELDS
212
10. The principle of complete induction: Let P(n) be a statement that depends on the positive integer n. If P(k) is true whenever P (j) is true for all j < k, then P (n) is true for each positive integer n. Let P' (n) = P (1) & P (2) & & P (n). Use ordinary induction on the statement P' (n) to prove the principle of complete induction. 1 1 . Show by complete induction that every positive integer is either 1 , a prime, or a product of primes. ·
·
·
12. The polynomial
x3 1 + x29 + x27 + x25 + x23 + x2 1 + x 1 9 + x 1 7 + x 1 5 + x 1 4 + x 1 3 +x 1 2 + x u + x l o + xg + xB + x7 + x6 + x5 + x4 + x2 + x is received after being encoded by the CRC16 generator polynomial g (x) = x 1 6 + x 1 5 + x2 + 1. Test to see whether an error has occurred. If no error r (x)
=
is detected, find the plaintext polynomial. 13. The polynomial
x3 1 + x29 + x27 + x25 + x23 + x2 1 + x2o + xl B + x 1 7 + x 1 5 + x 14 +x 13 + x 1 2 + x ll + x 1 o + xg + xs + x7 + x6 + x5 + x4 + x2 + x is received after being encoded by the CRC16 generator polynomial g (x) = x 1 6 + x 1 5 + x2 + 1 . Test to see whether an error has occurred. If no error r
(x)
=
is detected, find the plaintext polynomial.
14. Suppose a (x) = q (x) b (x) + r (x) and also a (x) = q' (x) b (x) + r ' (x) as in the division algorithm. Show that r (x) = r ' (x) and q (x) = q' (x). (Start by subtracting one equation from the other, and use the fact that the degrees of the remainders are small. )
9.3
The Galois Field G F4
As we observed in Section 9.1, there is a finite field GFp with p elements for each prime p. For p = 2, addition and multiplication in GF2 are given by the tables + 0 1 X 0 1 0 0 0 0 0 1 1 0 1 1 1 0 For handling data, fields with 2n elements are convenient because informa tion is often represented as strings of Os and 1s. The immediate candidate for a field of size 4 is Z4 , but its multiplication table reveals that it is not a field. X 0 1 2 3 0 0 0 0 0 1 0 1 2 3 2 0 2 0 2 3 0 3 2 1
�Y'_
f"£!};3,
THE GALOIS FIELD GF4
213
j ',' '
i' Note that 2 x 2 = 0, so 2 has no inverse.
·· · . To construct a field with four elements, we consider GF2 (x] modulo the , polynomial x2 + x + 1 . Definition 9 . 1 9 Let F be a field and p (x) a polynomial in F [x] of degree at least 1 . We say that p (x) is reducible if we can write p(x) = a(x)b(x) where deg a(x) � 1 and deg b(x) � 1. If p (x) is not reducible, it is said to be irreducible. So p (x) is irreducible if whenever p(x) = a(x)b(x), then either deg a ( x) = 0 or deg b (x) = 0. A polynomial p ( x) in F [x] of degree 2 or 3 is reducible exactly when it has a root in F. Indeed, if p (x) is reducible, say p (x) = a (x) b (x) with deg a (x) � 1 and deg b (x) � 1, then, because deg a (x) + deg b (x) = deg p (x) S 3, either a (x) or b (x) has degree 1. Thus p (x) has a linear factor, so it has a root in F. On the other hand, suppose that p (x) has a root a in F. By the division algorithm, there are polynomials q (x) and r (x) in F (x] such that p (x) = (x  a ) q (x) + r (x) where either r (x) = 0 or deg r ( x) < deg (x  a ) = 1. So r (x) = r is a constant. Since a is a root of p (x) , 0 = p (a ) = ( a  a ) q ( a ) + r = r so p (x) = (x  a ) q (x) is reducible. Consider the polynomial p(x) = x 2 + x + 1 in GF2 (x] . As p(O) = 0 2 + 0 + 1 = 1 ::f 0 and p( 1 ) = 1 2 + 1 + 1 = 1 ::f 0, this polynomial has no roots in GF2 , so it is irreducible. For any polynomial f (x) E GF2 [x] , the remainder f(x) mod (x2 + x + 1 ) has degree less than 2. Thus each polynomial in GF2 [x] is congruent modulo x 2 + x + 1 to a polynomial of degree at most 1that is, any polynomial in GF2 (x] is congruent, modulo x2 + x + 1, to one of the four polynomials X, X + 1 , 0, 1 The Galois Field GF4 as a Set of Linear Polynomials We use the irreducible polynomial x2 + x + 1 in GF2 (x] to construct a four element field. The basic idea is to introduce a symbol () and require that ()2 + () + 1 = 0; that is, that () be a root of the irreducible polynomial x2 + x + 1 . Because ()2 + () + 1 = 0, we can write ()2 = () + 1 (remember that the coefficients are in GF2 so  1 = 1). Definition 9 . 2 0 The Galois field GF22 = GF4 consists of the expressions a() + b, where a and b are in GF2 , with the straightforward definition of addition and multiplication defined by setting ()2 = () + 1 .
For example, (() + 1) + () = 2() + 1 = 1 ( () + 1) () = () 2 + () = () + 1 + () = 20 + 1 = 1 Similar calculations lead to the addition and multiplication tables for GF4 .
CHAPTER 9. FINITE FIELDS
214 + 0 1 () () + 1 0 1 () () + 1
uct
0 0 1 () () + 1 0 0 0 0 0
() + 1 1 () () 1 () + 1 () + 1 0 () 1 0 () + 1 0 1 () 1 () + 1 () 0 0 0 () + 1 1 () 1 () + 1 () 1 () + 1 ()
The multipli<:?tion table can be constructed by calculating the matrix prod
( � )(o
1 e 1+e ) =
() + 1
(�
0 0 0 () 1 1 + () () 2 () () (1 + ()) 0 1 + () () (1 + ()) (1 + () ) 2
)
then setting () 2 = () + 1 throughout to get
(
0 0 0 1 () 0 () 0 1 + () 1 0 1 + ()
Notice that setting () 2 = () + 1 amounts to reducing modulo () 2 + () + 1. We can represent the element a() + b in GF4 by the binary string ab. So () is represented by 10 and () + 1 by 1 1 . The addition and multiplication tables become + 00 01 10 11
00 01 10 11 00 01 10 11 01 00 1 1 10 10 11 00 01 l1 10 01 00
00 01 10 11
00 00 00 00 00
01 10 11 00 00 00 01 10 11 10 1 1 01 11 01 10
If, for shorthand, we let 0 = 00, 1 = 01, 2 = 10, and 3 = 1 1 , then the addition and multiplication tables become + 0 1 2 3
0 1 0 1 1 0 2 3 3 2
2 3 2 3 3 2 0 1 1 0
0 1 2 3 0 0 0 0 0 1 0 1 2 3 2 0 2 3 1 3 0 3 1 2
\�1[);3;
THE GALOIS FIELD GF4
215
Notice that these tables do not give addition and multiplication modulo 4. No matter how the elements are relabeled, the diagonal elements of the addition table would all be the same, which is not the case for Z4 . All nine of the field properties listed in Section 9.1 are satisfie� by the addition and multiplication of these tables. This field is the Galois field GF4 . The Galois Field G F4 as a Set of Congruence Classes
The Galois field GF4 can also be defined in terms of congruence classes. Definition 9.21 Define a congruence relation on GF2 [x] by f (x) = g (x) if f (X )  g (X ) = k (X ) (X2 + X + 1)
for some k (x) E GF2 [x] . Let [f (x)] denote the congruence class containing f (x) . The Galois field GF4 is the set of congruence classes with addition and multiplication defined by [f (x)] + [g (x)] = [f (x) + g (x)] [f (x)] [g (x)] = [f (x) g (x)] Every congruence class [f (x)] contains a unique representative of degree at most 1 , namely f ( x) mod ( x2 + x + 1 ) . The connection with the notation ae + b is that the element of e of GF4 is the congruence class [x] of the polynomial x. The Galois Field GF4 as Linear Combinations of a Fixed Root
A third way to define the Galois field GF4 is to represent the elements of GF4 by linear polynomials over GF2 , and reduce modulo x2 + x + 1 after multiplying two of these linear polynomials. This amounts to replacing the congruence class [! (x)] by the linear polynomial f (x) mod x2 + x + 1 . Definition 9.22 Let GF4 be the set {0, 1 , x, x + 1 } with addition and multipli cation defined by + 0 1
0 0 1
X
X
x+1
0 1 X
x+1
x+1 0 0 0 0 0
1 1 0 x+1 X
1 0 1 X
x+1
X
X
x+1 0 1 X
0
X
x+1 1
x+1 x+1 X
1 0 x+1 0 x+1 1 X
CHAPTER 9. FINITE FIELDS
216
The Galois Field G F4 as Powers of a Fixed Root A fourth way to define the Galois field GF4 is to let () be a root of the irreducible polynomial x2 + x + 1 and write each of the nonzero elements of GF4 as a power of (): () ()2 = () + 1 ()3 = () ( () + 1) = () 2 + () = () + () + 1 = 1 Definition 9.23 Let () be a root of the polynomial x2 + x + 1 and define
to be the set { 0, 1 , (), ()2 } with addition and multiplication given by + ·. 0 1 ()
0 0 1 ()
()2 ()2
1 1 0
()2 ()
() ()
()2 0 1
()2
() () 1 0
0 1 ()
()2
0 0 0 0 0
1 0 1 ()
() 2
() 0 ()
()2 1
GF4 ()2 0 ()2 1 ()
Problems 9.3 1 . Verify the addition and multiplication tables for GF4 by evaluating sums and products of the four expressions 0, 1 , B, and () + 1 where ()2 = () + 1 .
2. Prove that addition and multiplication are commutative i n GF4 .
3. Verify that the associative laws for addition and multiplication hold in
GF4 .
4. Verify that the distributive law holds in GF4 . 5. Let h (x)
=
x2 + x + 1 . Show that if 11 (x)
=
h (x) (mod h ( ) )
91 (x)
=
92 (x)
11 (x) + 91 (x)
=
h (x) + 92 (x) (mod h (x) )
11 (x) 9I (x)
=
h (x) 92 (x) (mod h (x) )
and then and
x
(mod h (x) )
In other words, show that the addition and multiplication in GF4 [! (x) ] + [9 (x) ] [f (X)) ' [g (X )) is well defined.
= =
[! ( x) + g (x) ] [/ (X) 9 (X))
·.
THE GALOIS FIELDS GF8 AND GF16
217
6. If () E GF4 is a root of x2 + x + 1 , then f3 = () + 1 is also a root of x2 + x + 1.
7. Use () and f3 in Problem 6 and define a function f : GF4 GF4 by f (0) = 0, f (1) = 1 , f (B) = (3, aud f (B + 1) = f3 + 1 . Verify that f (s + t) = f (s ) + f (t) and f (st ) � f (s ) f (t) for all s, t E GF4. (We say that f is the automorphism of GF4 that interchanges the roots of the polynomial x2 + x + 1.) +
8. Let F be any field and let f (x) and g (x ) be nonzero polynomials in F [x]. Prove the following.
(a) If f (x ) g (x ) E F, then f (x ) and g (x) are both elements of F, that is, they are polynomials of degree 0. (b) If f (x ) = (x  a) q ( x ) + r ( x ) for some q (x ) , r ( x ) E F [x] with a E F and r (x ) = 0 or deg (r (x )) = 0, then r (x ) = f (a) E F, that is, f (x) =
9.
(x  a) q (x ) + f (a) (c) The polynomial x  a divides f (x ) in F [x] if and only if a is a root of f (x ). For the congruence relation on GF2 [x] given in Definition 9.21 on page 215, prove that f (x ) mod (x2 + x + 1) is the only polynomial of degree at most 1 in the equivalence class [/ (x ) ].
10. Show that the multiplication table for GF4 is essentially different from the multiplication table for Z4 . That is, show that no relabeling of Z4 would create a multiplication table for GF4.
9.4
The Galois Fields G F8 and G F16
The elements of a field of size 2n can be represented in a natural way as binary numbers and easily manipulated by computers and networks. We will look at GF2 n for n = 3 and n = 4 in this section, and then develop the theory for GFpn with p an arbitrary prime in the following section. The Field G F8
The elements of the field GF8 can be thought of as polynomials of the form ax2 + bx + c in GF2 [x]. There are two choices for each of the three coefficients, so there are 2 2 2 = 8 of these polynomials. Addition is polynomial addition. How do we multiply? To define the multiplication, we need an irreducible cubic polynomial. The polynomials x3 + x2 + 1 and x3 + x + 1 are irreducible over GF2 because neither 0 nor 1 is a root of either polynomial, and any reducible cubic has a linear factor, so has a root in GF2 . We choose the simpler polynomial x3 + x + 1 . ·
·
CHAPTER 9. FINITE FIELDS
218
We note in passing that x8 +x = x(x+ 1 ) (x3 +x+ 1 ) (x3 +x2 + 1 ) in GF2 [x], and the factors on the right are a complete list of all the irreducible polynomials of degrees 1 and 3 over GF2 . To multiply in GFs, we take the polynomial product and reduce modulo x3 + x + 1. So we can form the multiplication table by taking the matrix product
1 x+1 x2 ( 1 x 1 + x x2 x2 + 1 x + x2 x2 + x + 1 ) x2 + ( x2 + x x2 + x + 1 X
x+1 1 x2 + x x2 x2 + 2x + 1 x2 + x x+1 x3 + x2 x2 x3 x2 + 1 x3 + x x3 + x + x2 + 1 x2 + x x3 + 2x2 + x x3 + x2 x2 + x + 1 x3 + x2 + x x3 + 2x2 + 2x + 1 X
=
X
x2 + 1 x2 x3 + x x3 x3 + x + x2 + 1 x3 + x2 x4 x4 + x2 4 4 x + 2x2 + 1 x + x2 x4 + x3 + x2 + x x4 + x3 x4 + x3 + x2 x4 + x3 + 2x2 + x + 1 x2 + x + 1 x2 + x x3 + x2 + x x3 + x2 x3 + 2x2 + 2x + 1 x3 + 2x2 + x x4 + x3 x4 + x3 + x2 4 4 x + x3 + x2 + x x + x3 + 2x2 + x + 1 x4 + 2x3 + x2 x4 + 2x3 + 2x2 + x 4 4 x x + 2x3 + 2x2 + x + 2x3 + 3x2 + 2x + 1 This is a 7 x 7 matrix whose entries are the polynomial products of all pairs of quadratic polynomials with coefficients in { 0, 1}.
THE GALOIS FIELDS
GF8
AND GF1 6
219
Now reduce each polynomial in the matrix modulo the irreducible polynomial + x + 1 to get x2 1+x X x + x2 x2 1  x 1 + 2x + x 2 x2  1  x 1+x x + x2 x2  1  x x  x2 x2 1  x x2 x x2 + 1 1 2x2  1 2x  x2  1 x2  1  x x + x2 x + 2x 2 x2 + x + 1 x2  1 2x  1 x2 + x + 1 x + x2 x2 + 1 x2  1  x x2  1 1 2x2  1 x + 2x2 x2 2x  1 x 2x  x2  1 x2  x 1 + x2  x 1  x 2 x x 2  2  2x 3x 1 x2  2  2x  1 + 2x2  x x2  x 1
X
Here we have left the coefficients as integers. To get the multiplication table for GFs , we reduce this matrix modulo 2 to get x2 x+1 2 2 x+1 x x +x X x2 + x + 1 x+1 x2 + x x2 + 1 x2 + x + 1 x+1 x2 + x x2 2 2 X 1 x x +1 1 x2 + x + 1 x2 + 1 x2 + x 1 X x2 + x + 1 x2 + 1 2 2 2 x +x+1 x +x x +1 x2 + x + 1 1 x2 + 1 2 1 X x 1 X x2 + 1 x+1 x2 + x x2 + x + 1 X x2 x+1 2 2 x+1 x x +x 1
X
The multiplication table of GFs can be represented in binary form by using the string of coefficients of each polynomial. The addition table is just mod 2 vector addition (see page 104) , so we can compute the sums directly. Addition and multiplication by zero have been omitted from these tables because they are trivial: 0 + a = a + 0 = a and Oa = aO = 0.
CHAPTER 9. FINITE FIELDS
'220 + 001 010 011 100 101 110 111
001 000 011 010 101 100 111 110
010 011 000 001 110 111 100 101
011 010 001 000 111 1 10 101 100
1 10 111 100 101 010 011 000 001
111 1 10 101 100 011 010 001 000
001 010 011 100 101 1 10 111
001 001 010 011 100 101 110 111
010 010 100 1 10 011 001 111 101
0 1 1 100 101 110 011 100 101 1 10 110 011 001 1 1 1 101 1 1 1 100 001 1 1 1 110 010 101 100 010 1 1 1 0 1 1 001 101 011 010 010 001 110 100
111 111 101 010 001 110 100 011
100 101 110 111 000 001 010 011
101 100 111 1 10 001 000 011 010
We can also write these tables in decimal (or hex) notation.
+
1 2 3 4 5 6 7
2 3 0 1 6 7 4 5
1 0 3 2 5 4 7 6
3 2 1 0 7 6 5 4
4 5 6 7 0 1 2 3
5 4 7 6 1 0 3 2
6 7 4 5 2 3 0 1
7 6 5 4 3 2 1 0
1 2 3 4 5 6 7
1 1 2 3 4 5 6 7
2 2 4 6 3 1 7 5
3 3 6 5 7 4 1 2
4 4 3 7 6 2 5 1
5 5 1 4 2 7 3 6
6 6 7 1 5 3 2 4
7 7 5 2 1 6 4 3
Suppose that (} is a root in GF8 of the polynomial x3 +x+ 1. Then (}3 +B+ 1 0, so that (}3 = (} + 1 . Thus
=
(}4 = (} ((} + 1) = (}2 + (} (} 5 = (} ((}2 + B) (}3 + (}2 = (} + 1 + (}2 (}6 (} ((} + 1 + (}2 ) = (}2 + (} + (}3 = (}2 + (} + (} + 1 = (}2 + 1 (}7 = (} ( (}2 + 1) (} 3 + (} = (} + 1 + (} = 1 =
=
=
So each nonzero element of GF8 is a power of (}. This leads to a representation for GFs that makes both multiplication and addition easy.
�9A;
THE GALOIS FIELDS
Power Notation ·
GF8 AND GF1 6
Polynomial Notation
0
0
01 02 03 04 05 06
0 02 0+1 02 + 0 02 0 + 02 + 1 GF2a = GFs
oo ( = 07) 1
Table 9.1
+
1
Binary Notation
000 001 010 100 011 110 111 101
221 Decimal (Hex) Notation
0 1 2
4 3 6 7
5
To add, convert field elements to polynomial or binary notation and use polynomial or vector addition modulo 2. To multiply, convert to powers of 0 and add exponents, with exponents added modulo 7. For example, 3 5 = 03 . 06 = 09 = 02 = 100 = 4. Notice that 2 is a root of the polynomial q (x ) = x3 + x + 1 because ·
2 3 + 2 + 1 = 3 + 2 + 1 = (011 ) + (010) + (001) = (000) = 0 In fact, each field element is a root of the polynomial x8 + x because 08 + 0 = 0 and ( Oi ) 8 = ( Oi f Oi = (07 ) iOi = 1 iOi = Oi . Also, x8 + x = x(x + 1 ) (x3 + x2 + 1 ) (x3 + x + 1 ) so every field element is a root of exactly one of the factors on the right. Suppose 0 is a element of GF8 such that 03 + 0 + 1 = 0 and u 0 + 1, then =
u3 + u2 + 1 = (0 + 1 )3 + (0 + 1 ) 2 + 1 = 03 + 402 + 50 + 3 = 03 + 0 + 1 =0 Thus u = 0 + 1 is a root of the polynomial x3 + x 2 + 1. This polynomial is irreducible over GF2 since it is of degree 3 and has no roots in GF2 . Thus it is the minimal polynomial of 0 + 1. The following table shows the minimal polynomial for each element of the Galois field GF8 .
222
CHAPTER
Power Notation
0
20 21 22 23
24 25 26
Table 9.2
Polynomial Notation
0 1 () ()2 0+1 ()2 + () ()2 + () + 1 rP + 1
Binary Notation
000 001 010 100 011 110 111 101
9.
Decimal Notation
0 1
F1NITE FIELDS
Minimal Polynomial X
x+1 x3 + x + 1 x3 + x + 1 x3 + x2 + 1 x3 + x + 1 x3 + x2 + 1 x3 + x2 + 1
2 4 3 6 7 5
Minimal polynomials of elements in GFs
The Field G F1 6
The field GF24 ( also written GF1 6 ) will be especially important to us. To construct this field, we need an irreducible polynomial of degree 4 over GF2 • One way to construct one is to generate all of the polynomials of degrees 1 through 3, then make a list of all polynomials of degree 4 that can be written as products of those polynomials, then pick a polynomial of degree 4 that is not on the list. This is essentially the sieve of Eratosthenes applied to polynomials. Another way is to factor the polynomial x 1 6  x x 1 6 + x (remember that 1 1 modulo 2) . Factoring x 16 + x modulo 2 in a computer algebra system yields =
=
x1 6 + x x (x + 1 ) (x2 + x + 1) (x4 + x3 + 1) (x4 + x + 1) (x4 + x3 + x2 + x + 1) =
·
There are three irreducible polynomials of degree 4 in this factorization. We pick x4 + x + 1 because of its simple form. The method we used to construct GFs also works for GF1 6 , but the matrices are a bit large to display here. , Before giving a multiplication table for GF1 6 , we construct a table of equiv alent representations for elements in GF1 6 · Let () be a root of x4 + x + 1, so 04 + () + 1 0. Rewrite this as ()4 () + 1. Thus ()4 can be replaced by () + 1. Multiplying both sides of the equation ()4 () + 1 by () gives ()5 () 2 + () . Similar calculations can be used to calculate the second column of Table 9.3. (The rest of this table is left as problem 8.) =
=
=
=
'9:4. THE GALOIS FIELDS
·Power
0
rl
01 02 03 04 05 06
Table 9.3
Polynomial
0 1
0 02 03 0+1 rP + 0 ()3 + 02
GF8 AND GF1 6
Binary
0000 0001 0010 0100 1000 001 1 0110 1100
Hex
0 1' 2 4 8 3 6
c
223 Decimal
0
Minimal Polynomial X
1
x+1 x4 + x + 1 x4 + x + 1 x4 + x3 + x2 + x + 1 x4 + x + 1 x2 + x + 1 x4 + x3 + x2 + x + 1
2
4 8 3 6 12
Representations of elements in GF1 6
The binary representation is the string of coefficients in the polynomial rep resentation. That is, the binary representation of c3 03 + c2 0 2 + c1 0 + eo is
(c3 C2 C1 Co) 2 . The minimal polynomials of elements of GF1 6 can be computed using the identities (a + b ) 2 a2 + b2 for a, b E GF1 6 , and x2 x for x E GF2 . If u in GF1 6 is a root of a polynomial with coefficients in GF2 , then u2 is a root of the same polynomial. To see this, consider a polynomial c3 x3 + c2 x 2 + c1 x + co such that c3 u3 + c2 u2 + c1 u + co 0. Then 0 ( C3 U3 + C2 U2 + C1 U + Co ) 2 c� (u3 ) 2 + c� (u2 ) 2 + ciu2 + c6 C3 (u2 ) 3 + C2 (u2 ) 2 + C1 U2 + Co Thus u2 is also a root of c3 x3 + c2 x2 + c1 x + co. Repeating this argument on u2 shows that ( u2 ) 2 u4 is also a root of this polynomial, and so on. Now let 0 be a root of the defining polynomial x4 + x + 1 for GF1 6 · We have seen that 0, 0 2 , ( 02 ) 2 04 , and (04 ) 2 08 are all roots of x4 + x + 1 . This means that x  0, x  02 , x  04 , and x  08 are all factors of x4 + x + 1 . And, sure enough, the product of these four polynomials, computed in GF1 6 [x], is =
=
=
= =
=
=
=
=
the minimal polynomial for each of 0, 02 , ()4 , and () 8 . Similarly, the minimal polynomial for 03 is
224
CHAPTER 9. FINITE FIELDS
The powers of r P + B are
( B 2 + B ) 2 = B2 + B + 1
(B 2 + B + 1)
2
=
B2 + B
so repeated squaring yields two distinct powers. Hence the minimal polynomial of B2 + B is ( x + ( B 2 + B) ) x + (B 2 + B) 2 = x2 + x + 1
)
(
In the following examples, we compute the product in three different ways. Example 9.24 First, we expand the product to get
( B2 + B + 1) (B3 + B2 + 1) = (;15 + 2(;14 + 2(;12 + 2B3 + B + 1 Then reduce the product modulo the irreducible polynomial q (B) to produce
=
B4 + B + 1
Then reduce the coefficients modulo 2 to get the reduced product 1 + B 2 + 2B3  2B mod 2 B 2 + 1 =
It follows that in GF1 6 , Example 9.25 On the other hand, we have B 1 5
=1
B0 , so multiplication can be computed by adding exponents of B modulo 15. Since B 2 + B + 1 = B 1 0 and B 3 + B2 + 1 = B 13 , it follows that ( B2 + e + 1) (e3 + e2 + 1) = B 1 0 e 1 3 = (;1 ( 1 0+13 ) mod 1 5 = e s = (;1 2 + 1 =
Example 9.26 Expanding using the distributive law gives
( B 2 + B + 1) ( (;13 + (;12 + 1)
B2 ( (;13 + (;12 + 1) + B ( B 3 + B 2 + 1) + ( B3 + (;12 + 1) =
Multiplication by B yields B (e 3 + B 2 + 1) = e4 + B 3 + B ( B + 1) + ( e3 + e ) =
=
e3 + 1
19;5. ·
it
THE. GALOIS FIELD GFpn
225
.
.
�;,since 04 = 0 + 1 and 0 + 0 = 0; hence 02 ( 03 + 02 + 1) = 0 ( 03 + 1 ) = 04 + 0 = (0 + 1 ) + 0 = 1 �
,Therefore,
( 02 + 0 + 1 ) ( 03 + 02 + 1) = (1) + ( 03 + 1) + (03 + 02 + 1) = 02 + 1 = 5
.P roblems 9.4 1. Find ( 0 2 + 1) ( 0 2 + 0) in GF8 by first converting to powers of 0 and then expressing the result as a polynomial in 0. 2. Calculate (03 + 02 ) (03 + 0 + 1 ) in GF1 6 by using polynomial arithmetic. 3. Verify the products E E = B and 8 · A = F (written in hex notation) in GF1 6 · 4. Solve the system ·
3u + Dv = 7 Eu + 5v = 9 (written in hex notation) for elements u and v of GF16 · 5 . Find an irreducible polynomial of degree 5 in GF2 [x] . 6. Use your polynomial q(x) from Problem 5 to construct an element of order 31 in GF32 · 7. Factor x5 + x + 1 over GF2 . 8. Complete the representations of elements in GF1 6 begun in Table 9.3. page 223. 9. Verify that x3 + x2 + 1 and x3 + x + 1 are the only irreducible polynomials of degree 3 in GF2 [x] . 10. Verify that x4 + x 3 + 1 , x4 + x + 1, and x4 + x3 + x2 + x + 1 are the only irreducible polynomials of degree 4 in GF 2 [x] .
9. 5
The Galois Field G Fpn
We have seen how the ring GF2 [x] can be used to construct a field with 2n elements. It turns out that any finite field has pn elements for some prime p, a fact we will prove later. Moreover, there is essentially only one field with pn elements.
226
CHAPTER 9. FINITE FIELDS
In this section we construct a field with pn elements for an arbitrary prime p. We do this by constructing a field K containing GFp in which the polynomial xPn  x factors into linear factors
pn xPn  X IT (x  Oi ) i=1 =
where 0 1 , ... , Opn are in K. It turns out that the elements Ot , . .. , Opn are all different and form a field with pn elements. This field is called the splitting field of xPn  x over GFp. We will show how to construct a field of order pm from an irreducible poly nomial of degree m over GFp. Later we will show how to construct such an irreducible polynomial. The idea of how to construct a field from a field and an irreducible polynomial is due to Kronecker. Theorem 9.27 Let F be a field and h (x ) an irreducible polynomial of degree m in F [x]. Define K to be the set of congruence classes of polynomials in F [x] modulo h (x ) . Let 0 be the congruence class of the polynomial x, so if f (x ) E F [x], then the congruence class of f (x ) is f (0) . Define multiplication in K by setting f ( 0) g ( 0) r ( 0) where r (x ) = ( ! (x ) g (x)) mod h (x ) . This turns the set K into a field. If F is a finite field of order q, then the order of K is qm . Proof. Note that each element of K can be written uniquely as r ( 0) where r (x ) is a polynomial in F [x] of degree less than m. Indeed, if f (0) is an element of K, then r (x ) = f (x ) mod h (x ) . Notice also that f (0) 0 exactly when h (x ) divides f (x). We need to show that nonzero elements of K have inverses. Let r ( 0) be a nonzero element of K where deg r (x ) < m. As h (x) is irreducible and does not divide r (x ) , there exist polynomials s (x) and t (x) with coefficients in F so that s (x) r (x) + t (x) h (x) = 1 by the extended Euclidean algorithm for polynomials. ( See page 209. ) As h (0) = 0, we have s ( 0) r ( 0) s ( 0) r ( 0) + t (0) q ( 0) 1 so r (0) has an inverse in K. All of the other field properties follow from the corresponding properties of F [x] . Finally, if the order of F is q, then there are exactly qm polynomials am 1 Xm 1 + am 2 Xm 2 + + a2 x2 + a 1 x + ao of degree less than m in F [x], because there are exactly q choices for each of the m coefficients. So K has order qm . I =
=
=
=
·
·
·
p
227
THE GALOIS FIELD GF n
As a corollary, we will show that every nonconstant polynomial over a field a root in some extension field. Corollary 9.28 Let f (x) be a nonconstant polynomial with coefficients in a field F. Then there is a field K containing F that also contains a root of f (x). Proof. If f (x) is not irreducible, then f (x) has a factor !I (x) in F [x] such that 1 :S deg !I ( x) < deg f (x ) . Either !I (x) is irreducible, or !I ( x) has a factor h (x) such that 1 :S deg h ( x) < deg fd x). At each step the degree �f the polynomial f ( x ) gets smaller, so you will eventually find an irreducible factor q (x ) of f (x ) . Use q ( x ) to construct the field K as congruence classes modulo q (x) of polynomials over F . Let 0 be the element of K that is the congruence class of the polynomial x. Then f (0) = 0 because q (x) is a factor of f (x) in F [x] . I
i
Theorem 9.29 There is a field K containing G Fp so that xPn  x factors into linear factors over K, that is,
Oi
with each in K. Moreover, the set of roots fh , 02 , . . a field, called a splitting field of xPn  x.
.
, Op"' of xP"'  x is itself
Proof. We can construct K by repeating the construction of the corollary, starting with the polynomial xP"'  x over the field GFP . At each stage we will have written the polynomial xP"'  x = x (xPn l  1) as a product of linear factors times a polynomial g ( x) of degree greater than 1 over some field F . We apply the corollary to get a field F ' containing F in which g ( x) has a root 0, so we can write g (x) = (x  0) h(x) where the degree of h (x) is smaller than the degree of g ( x). Thus we have written xPn  x as a product of linear factors times h ( x), and we then apply the corollary to the polynomial h (x) over the field F ' . To see that the set of roots 0 1 , 0 2 , . . . of xP"'  x is itself a field, note that if e is a root of xP"'  x, then  0 = 0that is, OPn = 0 . Thus if are roots of xP"'  x, then
po "' , Op"'
.
oi, Oj
and Also, if 0 =1 0, then
1 (0  l ) P"' = (op"')  = e  l So the set of roots of xP"'  x is a field. If there are no multiple roots, then . this field has exactly pn elements, as desired. To see that there are no multiple roots, let m = pn . As xm  x = x (xm  l  1) it is clear that 0 is not a multiple
228
CHAPTER 9. FINITE FIELDS
root. Suppose r is a nonzero root of xm  x. Then rm = r so rm  1 follows that xm  x = (x  r) (xm  1 + rxm 2 + r2 xm 3 + . . . + rm 2 x)
=
1 . It
The issue is whether r is a root of the second factor on the right. But if we plug r into that polynomial we get (m  1) rm1 = (m  1) · 1K = 1K =f. 0 because m is divisible by p. I As another application of the division algorithm, we show that a polynomial of degree n has at most n distinct roots. The key fact is Theorem 9.30 An element 0 of a field is a root of a polynomial f (x) if and
only if f ( x) is divisible by the polynomial x  0.
Proof. Indeed, the division algorithm tells us that we can write
f (x)
where either r (x) and
=
=
q (x) (x  0) + r (x)
0 or deg r (x) < deg (x  0)
=
1. So r (x) is a constant r,
f ( 0) = q ( 0) ( e  e) + r = r is equal to 0 exactly when f (x) = q (x) (x  e) . Corollary 9.31 Let F be a field and s (x) a polynomial of degree
Then s ( x) has at most n distinct roots in F.
I n
in F [x] .
Proof. Suppose e is a root of 8 (X ) . From the above theorem, 8 (X ) = q ( X ) ( X  e) for some polynomial q (x) . If (3 is a root of 8 ( x) different from e, then 0 = 8 (!3) = q ((3) ((3  e) and (3  e =f. 0 implies that q ((3) = 0. But, by deg q (x) = n  1 , so by induction o n the degree, the polynomial q (x) has at most n  1 distinct roots in F. Thus 8 (x) has at most n distinct roots: e and at most n  1 more.l
Problems 9.5
1. Find an irreducible polynomial of degree 2 in GFs [x] . Find an element of order 24 in GF2 s · 3. Show that if a n = 1 and anfp =f. 1 for each prime divisor p of n, then a is an element of order n . 2.
4. Assume that q (x) is an irreducible polynomial in F [x] for some field F, and assume that q (x) I r (x) p (x) , where r (x) , p (x) E F [x] with deg (r ( x)) < deg ( q ( x)) . Prove that q ( x) I p ( x) . 5. A polynomial q(x) of degree 2 or 3 is irreducible in F[x] if and only if q(x) has no roots in F. Use this fact to verify that the polynomials x 2 + 1, x2 + x + 2 and x2 + 2x + 2 are irreducible in GF3 [x] .
19.6.
THE MULTIPLICATNE GRO UP OF GFpn
6. Use the technique from Problem degree 3 in GF3 [x] .
229
5 to find an irreducible polynomial of
7. Find an element of order 26 in GF2 7 , using the irreducible polynomial from Problem 6. Compute (2x2 + x + 2) (x2 + 2) in GF2 7 , using the irreducible polynomial from Problem 6. 9. Factor x 2 7  x over GF3 . 10. Do the following. 8.
(a) Construct the Cayley tables for GF3 . (b) Find all polynomials of degree 2 that are irreducible in GF3 [x] . (Hint: The only monic irreducible polynomials of degree 1 are x, x + 1 and x + 2, and reducible polynomials of degree 2 must be products of these.) (c) Factor x9  x modulo 3 into irreducible factors in GF3 [x] . 11. Analyze the Galois field GFg .
(a) Complete the following table for powers y3 , ... , y8 where y = x + 1 . Power y y2
Product x+1 (x + 1) (x + 1)
Expand x+1 x2 + 2x + 1 Powers of y
mod x2 + 1 x+1 2x
mod 3 x+1 2x
(b) Create addition and multiplication tables using the representation of elements from the far right column in the preceding table, and the base 3 shorthand notation ax + b = (ab) 3 (e.g. , 2x + 0 = 20) . (c) Convert the tables to decimal (or hex) . 12. Prove that xPm  x I xPn  x in Q [x] if and only if m I n .
9.6
The Multiplicative Group of GFpn
In Chapter 4, we looked at permutation ciphers. The permutations of the set {0, 1, . . . , n  1}, with the product of two permutations being their composition, is called the symmetric group of degree n. (See Problem 2 at the end of this section.) In order to show that there are irreducible polynomials of every degree in GFp [x] , we need some facts about a different kind of groupa commutative group. The general definition of a group is
230
CHAPTER 9. FINITE FIELDS
Definition 9.32 A group is a set G with one binary operation, often indicated
simply by juxtaposition, such that 1.
a(bc) = (ab)c for all a, b, c in G
2.
there is an element 1 in G such that a 1 =
3.
1a = a for all a in G for each a in G, there is an element a  1 in G such that aa  1 = a  1 a = 1 . The group is commutative if
4.
ab = ba for all a, b in G The group is cyclic if E G such that every element of G can be written as gm for some integer m, positive, negative, or zero. Here the convention is that g m = (g  1 ) m and g0 = 1 .
5. there is an element g
From the definition of a field (page 200) we see that the nonzero elements of a field F form a commutative group under multiplication. This group is called . the multiplicative group of the field F, and is denoted F* . Let a be an element of a finite group G, and consider the list of positive powers of a As G is finite, this list must have duplicates, so there are positive integers j < k such that aJ = ak . Multiplying both sides of this equation by (a1) j gives so there is a positive integer t = k j such that at = 1 . The smallest such positive integer is called the order of a, and is denoted o (a). Note that the list of positive powers of a repeats after ao (a) = 1 , that is, it looks like 
a, a2 , a3 , . . . , ao(a)  1 , 1 , a, a2 , a3 , . . . , ao (a)  1 , 1 , a, a2 , . From this it is clear that an = 1 exactly when o(a) divides n. This is a very useful fact. The subset (a) = {a, a2 , a3 , . , ao(a)  l , 1 } of G is itself a group (see Problem .
. .
.
4) . A subset of G that is also a group is called a subgroup. If G is a finite group, the number of elements of G is called the order of G, denoted o (G) . Note that o (a) = o ( (a)), so the two uses of the word "order" are consistent. Let S be a subgroup of a finite group G. For each element a E G, the set aS = {as I s E S} has the same number of elements as S. Moreover, if a, b E G, then aS and bS are either disjoint or equal. To see this, suppose that aS and bS have an element c in common. Then c = as = bt for some s, t E S. From a = bts  1 we get aS � bS, and from b = ast 1 we get bS � aS, so aS = bS.
[�.6.
rr:
THE MULTIPLICATIVE GROUP OF GFpn
231
��f: ·
�f};r'hus either aS n bS = 0 or aS = bS. Let a 1 S, a2 S, ... , am S be a complete list ' of the distinct sets aS. Then because every element a of G is in the set aS, which must be equal to one of ·· the sets in the list. Thus o (G) = o (S) x m, so o (S) divides o (G) . We have just proved Theorem 9.33 (Lagrange's Theorem) If S is a subgroup of the finite group
G, then the order of S divides the order of G.
In particular, if S = (a), then we get Theorem 9.34 If a is an element of a finite group G, the order of a divides
the order of G.
Let F be a field of order m = pn . Then the multiplicative group F* of F has m  1 elements, so the order of each element of F* divides m  1 . Thus each of the m  1 elements in F* is a root of the polynomial xm  1 from which we can conclude that m 1 xm l  1 = II (x  ri) i 1 where r 1 , r2 , . . . , rm 1 are all the elements of F* . More generally, if n divides m  1, then x n  1 has exactly n roots in F. Why is that? That's because if n divides m  1 , then the polynomial xn  1 divides the polynomial xm l  1 (see Problem 7) so xn  1 is a product of factors x  ri where i ranges over some subset of {1 , 2, . . . , m  1 }. So F* is a finite commutative group, and for each divisor n of the order of F* , there are exactly n solutions in F* to the equation xn = 1 . We want to show that such a group is cyclic. Theorem 9.35 If G is a finite commutative group, and for each divisor n of
the order of G, there are exactly n solutions in G to the equation xn = 1 , then G is cyclic.
Proof. We first show that the theorem is true if the order of G is a prime power, say pk . It suffices to show there is an element in G of order pk . As the order of any element of G divides pk , if an element a in G does not have order p k , then k1 k1 aP = 1. But there are at most pk  1 solutions to the equation xP = 1 , and there are pk elements of G, so some element of G must have order pk . Now suppose that pk divides the order of G. The equation xPk = 1 has exactly pk solutions in G and these p k solutions clearly form a group H because if we multiply two of them, we get another one. Moreover, for each divisor n of pk there are exactly n solutions in G to the equation xn = 1 , and these solutions lie in H. But we proved the theorem for groups of order a power of a prime, so H is cyclic.
232
CHAPTER 9. FINITE FIELDS
Finally, write the order of G as a product of prime powers P7i for distinct primes Pi· We have just seen that there is an element ai in G of order P7' for each i. The product of these elements will have order equal to the product of the numbers P7i which is the order of G. Why is that? It suffices to show that if a is an element of order c and {3 is an element of order d, and c and d are relatively prime, then o ( a{3) = cd. For that, see Problem 5. I In particular, the multiplicative group of a finite field is cyclic: there is an element w such that every nonzero element in the field can be written in the form wk . Definition 9.36 A generator of the multiplicative group of GFpn is called a primitive element. A polynomial of degree n over GF (p) is a primitive poly nomial if it is the minimum polynomial of a primitive element in GFpn .
You have seen many examples of the following lemma. Lemma 9.37 The minimal polynomial of an element of GFpn is irreducible. Proof. Let 0 E GFpn , and let mo (x) be its minimal polynomialthat is, mo (x)
is the monic polynomial of smallest degree with coefficients in GFp such that mo (B) = 0. Suppose mo (x) = a (x) b (x) for some a (x) , b (x) E Fp [x] . Then me ( 8 ) = a (0) b (0) = 0 implies that either a (0) = 0 or b (0) = 0. If a ( 8 ) = 0, 0 (x) must have degree equal to the degree of me (x ) , since mo (x) is the minimal polynomial of 8. Thus b (x ) has degree 0, that is, it is a constant. Similarly, if b (O) = 0 then a (x) is a constant. Thus mo (x) is irreducible. I We now show that the minimal polynomial over GFp of any primitive element of GFpn is an irreducible polynomial of degree n. Theorem 9.38 Let p be a prime and
n a positive integer. Then there is a monic irreducible polynomial in GFP [x] of degree n .
Proof. Let w be a primitive element of GFpn , and let f (x) be its minimal polynomial over GFp . From a previous lemma, we know that f ( x) is irreducible. We want to show that f (x) has degree n. Let m = deg f ( x). The set of elements g (w ) , where g ( x) ranges over polyno mials with coefficients in GFp , forms a field F containing w. As w is a primitive element of GFpn , the field F must be all of GFpn . But the order of F is pm , sb m = n. I Thus Kronecker's construction will construct GFpn for every prime p and positive integer n. We want to show that any two finite fields of order pn are essentially the same. We do this by showing Theorem 9.39 If f (x) is an irreducible polynomial of degree n over GFp , then f (x) divides xPn  x.
:1}�6. THE MULTIPLICATIVE GROUP OF GFpn
233
Proof. By Kronecker's construction, there is a field of order pn that contains
an element () such that f ( ()) = 0. As f (x) is irreducible, it is the minimal polynomial of (). As ()Pn  () = 0, the polynomial f (x) must divide xPn  x. I Now suppose K is any finite field of order pn ' and let f (X) be a fixed irre ducible polynomial of degree n over GFp . We know that K consists exactly of the roots of xPn  x and that f (x) divides xPn  x. So there is an element () of K whose minimal polynomial is f (x) . Therefore GFp [()] has order pn , hence is equal to K. But GFp [e] can be thought of as Kronecker's construction from f (x) and GFp . Example 9.40 To construct GF49 , we need an irreducible polynomial of degree 2 in GF7 [x] . We will show that x 2 + 2 has no roots in GF7 and is therefore irreducible. We will also find a primitive root in GF49 · Define g (x) = x2 + 2. Then g (0) = 2 g (1) = 3 g (2) = 6 g (3) = 4
g (4) = 4 g (5) = 6 g (6) = 3 As none of these values is zero, x 2 + 2 is irreducible over GF7 . To find a primitive root, recall that the order of an element of GF49 must be a divisor of 48. The divisors of 48 are 1, 2, 3, 4, 6 , 8, 12, 16, 24, 48 First try the element () = [x] which has the property that ()2 = 2. Then ()4 = 4, and () 1 2 = 4 3 = 64 = 1, so () has order at most 12. Undaunted, we go on and try the element f3 = () + 1. ( () + 1) 2 = ()2 + 2() + 1 = 2()  1 = 2/3  3 f32 /34 (/32 ) 2 = (2/3  3) 2 = 4{32  5/3 + 2 = 4 (2/3  3)  5 /3 + 2 = 3/3  3 f38 = (f34 ) 2 = (3/3  3) 2 = 2 /32  4/3 + 2 = 2 (2/3  3)  4/3 + 2 = 4 /3 1 6 (/38 ) 2 = ( 4) 2 = 2 /38 /3 1 6 = ( 4) 2 = 1 /324 So f3 has order 48 in GF49 . That's because neither /3 1 6 nor /324 is equal to 1, but every proper divisor of 48 divides either 16 or 24. So f3 is a primitive element. The polynomial x49 x factors over GF7 into a 28term product of irreducible polynomials: x49  x = x (x + 1) (x + 2) (x + 3) (x + 4) (x + 5) (x + 6) . ( x2 + 1) (x2 + 2) (x2 + 4) (x2 + 5x + 3) ( x2 + 5x + 2) (x2 + 2x + 3) (x2 + 6x + 3) (x2 + 6x + 6) ( x2 + 4x + 1) (x2 + 3x + 5) (x 2 + 2x + 2) (x2 + 3x + 1) (x 2 + x + 6) (x2 + x + 4) (x2 + 4x + 5) (x2 + x + 3) (x2 + 3x + 6) (x2 + 2 x + 5) (x2 + 5x + 5) (x2 + 6x + 4) (x2 + 4x + 6) ·
·
·
·
234
CHAPTER 9. FINITE FIELDS
The order of every nonzero element of GF49 divides 48 and so is a root of x48  1 .
So every element of GF49 is a root of one of the irreducible polynomials listed in the above factorization of x49  x. The irreducible polynomial satisfied by an element 'Y in GF49 is called the minimal polynomial of 'Y . Different irreducible polynomials of degree n result in addition and multipli cation tables that look slightly different, but you can always relabel the elements to make the tables look exactly the same. Problems 9.6
1.
Verify that in the field GF1 3 , there are exactly
2. Show that the set of permutations of the set Zn together with the product ar obtained by first applying a, then applying r, is a ( noncommutative ) group. ( See page 76.) 3. Let a be an element of a Group G. Show that the set
(a) = {an I n is an integer} is a subgroup of G . 4. Let a be an element of a finite group
G. Show that the set o(a)  1 } ( a )  { 1 , a, a2 , a3 , ... , a _
is a subgroup of G.
5. Let a, b be elements of a finite group G.
(a) If an = 1, show that o (a) I n. (b) If o (a) and o (b) are relatively prime and ab = ba, show that ( ab) = o (a) o (b). 6. Verify that in the field GF1 7 , there are exactly
for each divisor d of 16.
7. Show that if n divides m  1 , then the polynomial xn  1 divides xm  1  1.
8. Show that x20  1 divides x 1 00  1. 9. Find a primitive element of GF3 1 .
10. Find a primitive element of GF27 in terms of a root e of the irreducible polynomial x3  x  1 .
:9: 7.
9.7
RANDOM NUMBER GENERATORS
235
Random Number Generators
In this section we will see how the field GFp gives a way to generate ran dom number sequences, or at least sequences that look like random number sequences. To get a feel for a random number sequence, consider the following experi ment. An icosahedron (see Figure 9.1) is a Platonic solid with 20 faces, each an equilateral triangle.
Icosahedron
Figure 9.1
Label the faces with the digits 0, 1, 2, . . . , 9 in such a way that opposite faces share the same label. Our intuition tells us that if we roll such an icosahedron 100 times and record the sequence of digits on the top face, then the resulting sequence should be random. The digits
2 4 5 3 8 1
5 9 9 8
6 6 8 7 9 7 6 1 2 8
5 2 9 2 0 8 8 5 1 4
9 6 7 3 0 7 1 8 3 6
0 1 4 4 5 5 8 4 9 6
1 7 5 0 8 0 5 6 4 4
5 9 0 9 8 2 7 8 4 4
3 4 3 3 5 5 0 2 0 2
3 6 6 4 1 6 1 8 6 5
8 7 1
4 5 0 6 1 0 7
were generated in this manner, with the first digit in the upper left corner and going from left to right, one row at a time.
CHAPTER 9. FINITE FIELDS
236 The histogram Digit Frequency
(10) (10) (7) (7) (12) (13) (12) (8) (13) (8)
0 1 2 3 4 5 6 7 8 9
shows how often each digit appears. We would expect longer sequences to be more evenly balanced. The law of large numbers says that the frequency of each digit should approach 10% ( under ideal conditions such as that the icosahedron is perfectly cut and balanced ) . Furthermore, each twodigit pair ( such as a 5 followed by a 7) should appear roughly 1% of the time. We could make similar statements for strings of length three, four, five, and so forth. Here is another method for generating a sequence of 100 digits. Consider the prime p 101. The matrix =
26 55 27 61 63 75 46 74 40 38
70 16 96 71 22 31 85 5 30 79
2 12 72 28 67 99 89 29 73 34
52 9 54 21 25 49 92 47 80 76
39 32 91 41 44 62 69 10 60 57
4 24 43 56 33 97 77 58 45 68
3 18 7 42 50 98 83 94 59 51
78 64 81 82 88 23 37 20 19 13
8 48 86 11 66 93 53 15 90 35
6 36 14 84 100 95 65 87 17 1
is composed of the powers of 26 modulo 101. Since all of the entries are distinct, we know that 26 is a primitive element of GF1 0 1 . Each new entry is constructed by multiplying the previous entry by 26 and reducing the result modulo 101.
'lfi:7.
RANDOM NUMBER GENERATORS
237
Reduce these numbers modulo 10 to get the digits
6 0 2 2 5 6 2 9 7 6 2 4 1 1 8 1 3 2 7 5 5 1 9 9 6 5 9 2 4 5 9 7 0 0 3 0 8 9 4 6
9 4 3 2 4 8 1 3 7 1 6 2 4 3 0 2 7 8 9 7 3 0 8 4 0 5 9 7 8 1
8 8 6 4 8 6 1 6 4 2 1 4 8 6 0 3 3 5 7 3 5 0 5 7 9 0 7 3 5 1
It turns out that "random" is a difficult term to define precisely. However, here are two criteria that might be used to describe a random sequence of digits: 1. There is no obvious pattern.
2. Each digit should appear about onetenth of the time. The sequence {6, 0, 2, 2, 9, 4, 3, 8, 8, 6, . . } of 100 digits from the previous example satisfies the first criterion fairly well and satisfies the second exactly. We can also use a seed to change the starting point. Using the seed 53, we multiply 26 by 53 and reduce modulo 101 to get the starting entry 65. Each new entry can then be generated by multiplying the previous entry by 26 and reducing the result modulo 101. This results in the numbers .
65 74 5 87 40 30 1 7 38 79 1 26 70 6 55 16 36 27 96 14 61 7 1 84 63 22 100 75 3 1 95 46 85
29 73 34 2 12 72 28 67 99 89
47 80 76 52 9 54 21 25 49 92
10 58 94 20 15 45 59 1 9 90
60 57 39 32 91 41 44 62 69
68 4 24 43 56 33 97 77
51 3 18 7 42 50 98 83
13 78 64 81 82 88 23 37
35 8 48 86 11
66 93 53
If we try to extend this sequence, the next number is 26 53 mod 101 = 65, which is a repeat of the first number in the sequence. The cycle length of this sequence is 100: the sequence repeats after every 100 iterations. This is an example of a pseudorand_om number generator. Good pseu dorandom number generators have long cycles. In order to get long cycle lengths, start with the largest ndigit prime p and find a primitive element in GFP . Convenient primes include 9999 999 967, 99 999 999 977, and 999 999 999 989. ·
CHAPTER 9. FINITE FIELDS
238
To show that 84 906 326 is a primitive element of GF999 999 999 939 , we could decide to examine the first 999 999 999 988 powers to see if they are all dis tinct ( as we did previously to show that 26 was a primitive element of GF1 0 r ) . However, there is an easier way. Factorization yields
999 999 999 988 2 2 11 X 124 847 X 182 041 To show that 84 906 326 is primitive, it is enough to show that 84 906 326999999 999988 /P mod 999 999 999 989 ::f. 1 for each prime p that divides 999 999 999 988 2 2 11 x 124 847 x 182 041. Indeed , =
=
we see that
84906326999 999 999 988 12 mod 999 999 999 989 999 999 999 988 84906326 999999 999 988 111 mod 999 999 999 989 = 744 525 462 020 84906326 999999 999 988 1 1 24 847 mod 999 999 999 989 = 498 590 406 481 84906326 999999 999 988118 2 04 1 mod 999 999 999 989 = 958 213 467 498 Thus 84 906 326 is a primitive element of GF999 999 999 989 . =
A seed can be generated manually or using an internal function such as a clock. Starting with the seed 1 973 64 7 and primitive element 84 906 326, we get the sequence
1973 647 84 906 326 mod 999 999 999 989 575 115 592 759 575 115 592 759 84 906 326 mod999 999 999 989 = 7016 033 906 7016 033 906 84 906 326 mod999 999 999 989 = 662 056 442 111 The cycle length is 999 999 999 988. Every integer n in the range 1 � n � 999 999 999 988 will appear exactly once before the entire sequence repeats. (The only 12digit integers that do not appear are the eleven integers 999 999 999 989, 999 999 999 990, . . . ' 999 999 999 999.) ·
=
·
·
Several computer algebra systems use primitive elements modulo a large prime to generate pseudorandom number sequences. Problems 9.7
1. Let p be the largest threedigit prime. Show that 525 is a primitive element of GFp . Use the seed 789 to generate the first 10 terms of a pseudorandom number sequence.
2. Show that if a is a primitive element in GFp, then so is a k for any integer k such that k l_ p  1. 3. In this section, we showed that 84 906 326 is a primitive element ofGFp , where p = 999 999 999 989. What is the average gap between primitive elements? (How hard is it actually to find a primitive element? )
9. 7.
RANDOM NUMBER GENERATORS
239
4. A total of darts are thrown at a rectangular grid with k small rectangles
of equal size. ( Each dart hits the grid somewhere; each rectangle has an equal chance of being hit. ) Calculate the expected number of untouched small rectangles. n
5. An unfinished window composed of a 4 x 4 grid of small square pieces of glass was left lying horizontally in the path of a hail storm, where 16 hail stones land inside the grid and break some of the glass squares. What is the expected number of unbroken squares? Use a pseudorandom number generator to simulate this problem with 1000 repetitions. What is the average number of unbroken squares? What was the smallest number of unbroken: squares? The largest number of unbroken squares?
6. Six distinct baseball cards are distributed randomly, one per box of ce
real. You must have all six. Use a random number generator to write a computer simulation to determine how many boxes you should expect to purchase before your collection is complete. What is the average if you do 10 000 simulations? What is the largest number of boxes required? What is the smallest number of boxes required?
7. Write a computer simulation to estimate the volume of a sphere of radius 1. The volume of a cube of edge 2 is 23 = 8. By symmetry, generate points (x, y, z) where each coordinate is between 0 and 1 and test to see if x 2 + y 2 + z 2 :=;: 1. Multiply the ratio of points inside to the total number of points by 8 to approximate the volume of a sphere. Compare your approximation with the exact value 471' /3 4. 188 790 205. �
8. Write a computer simulation to estimate the volume of a fourdimensional sphere of radius 1. The volume of a fourdimensional cube of edge 2 is 24 16. By symmetry, generate points (w, x, y, z) where each coordinate is between 0 and 1 and test to see if w2 + x2 + y 2 + z 2 ::;: 1. Multiply the ratio of points inside to the total number of points by 16 to approximate =
the volume of a fourdimensional sphere.
9. Write a computer simulation to estimate the expected length of an interval assuming the endpoints are chosen uniformly in the unit interval.
10. Write a computer simulation to estimate the expected area of a rectangle with sides parallel to the coordinate axes inside the unit square.
11. Write a computer simulation to estimate the expected area of a square with sides parallel to the coordinate axes inside the unit square.
12. Write a computer simulation to estimate the expected area of a square (possibly rotated ) chosen at random inside the unit square.
Chapter 1 0
Error Correcting Codes In this chapter we will develop codes that will correct multiple errors. Codes based on polynomial multiplication were developed independently by R. C. Bose and RayChaudhuri (1960) and Hocquenghem (1959). They are known as BCH codes. A ReedSolomon code is a particular type of BCH code that has many applications. The onedimensional bar codes listed in Chapter 5 use a lot of space for the amount of information they contain. A number of twodimensional bar codes have more recently been developed to pack more information into small spaces. Typically, these codes use aggressive errorcorrection algorithms such as Hamming (page 120), BCH (page 242), and ReedSolomon (page 258) . 1 Datastrip code appeared as Softstrip in early personal computer maga zines as a method for downloading simple computer programs.
Figure 10.1
Datastrip code
Data density can range between 20 and 150 bytes per square centimeter, depending on the printing technology used to produce the strips. Parity bits on each line are used for error correction. MaxiCode was developed by United Parcel Service in 1992 in order to provide more information on its packages. 1 See http:/ jwww.adamsl.comfpubjrussadam/stack.html for a description of additional twodimensional bar codes.
241
242
CHAPTER 1 0. ERRORCORRECTING CODES
Maxi Code
Figure 10.2
A oneinch square symbol can contain approximately 100 ASCII characters. Errorcorrection symbologies are sufficient to recover information on a symbol with damage on 25% of its surface area. PDF 417 (P�rtable Data File) is a stacked symbology that is in the public domain (see Figure 10.3) . 2
PDF 417
Figure 10.3
Error correction and detection can be set at various levels. The Reed Solomon errorcorrection algorithm uses the fact that 3 is a primitive root of 1 modulo the prime 929. An important application of PDF 417 is its use as a substitute for stamps on letters and packages (see Figure 10.4).
US POSTAGE
DEVICE 12345678901234
Figure 10.4
10.1
PC postage
BCH Codes
In a polynomial code, we identify a word with a polynomial a(x ) , then mul tiply by a fixed polynomial g(x ) to get the codeword g(x) a(x ) . The polynomial g(x) is called the generator polynomial. For example, if the word is a binary word ( ar , ar l , . . . , a2 , a 1 , ao ) , we form the polynomial
a ( x ) = a r X r + a r  1 Xr  l +
·
·
·
+ a2 x2 + a 1 x + ao
2 See http:/ /www.linux.org/apps/ Appld_2658.html for a free PDF 417 generator.
BCH CODES
243
in GF2 [x] . The corresponding codeword polynomial is a(x)g(x) mod 2 = '2:: Ci Xi
If deg g (x) s, then the codeword is the� word (en, Cn  1 , . . . , c2 , c1 , co ) , where n r + s. A particularly efficient class of polynomial codes are the BCH codes. Here is how to construct a generator polynomial for a BCH code over GFp that corrects at least t errors. See the reference [23, Theorem 75] for a proof. =
=
Theorem 10.1 ( Bose Chaudhuri Hocquenghem ) Let () be a primitive el
ement in GFpn , let mi ( x) be the minimal polynomial of ()i over GFp for i 1 , 2, . . . , 2t, and set g(x)
=
=
lcm [m 1 (x) , m 2 (x), . . . , m 2t (x)] .
If deg g (x) = k, then for any polynomial a(x) of degree at most pn  k  2, the weight of the codeword a(x)g(x) is at least d = 2t + 1 , so at least t errors can be corrected. Example 10.2 We will use GF1 6 to construct a code that will correct double errors. Let q (x) x4 + x + 1 , and let a be a root of q (x) . Thus a4 + a + 1 = 0. Since 0!3 =/: 1 0!5 = 0! + 0!2 =/: 1 0! 15 = 1 =
it follows that o (a) = 15 and hence a is a primitive element of GF1 6 . We have that m 1 (x) q (x) = x4 + x + 1 . Notice that in GF2 we have (a + b) 2 = a2 + 2ab + b2 = a2 + b2 . From this it follows that (a 1 + a 2 + · · · + an ) 2 = ai + a� + · · · + a� =
In particular, 0 0 2 = (a4 + a + 1) 2 = (a4 ) 2 + 0!2 + 1 = (a2 ) 4 + 0!2 + 1 \ and hence m (a2 ) = 0, which means that m (x) = m (x) . Similarly, m (a4 ) = 1 1 1 2 0 and hence m4 (x) = m 1 (x) . In fact, m 1 (x) = m2 (x) = m4 (x) = ms (x). To calculate m3 (x) , we use again the observation that g((J) = 0 implies g ((J2 ) 0. It follows that the zeros of m3 (x) are a3 , a6 , a1 2 , and a24 = a9 (because a 15 = 1). Thus, m3 (x) (x  a3 ) (x  a6 ) (x  a9 ) (x  a1 2 ) 1 1 = x4 + ( 0! 3 + 0!6 + 0!9 + 0! 2 )x 3 + ( 0!9 + 0! 2 + 1 + 1 + 0! 3 + a 6 )x 2 + (a3 + 0!6 + 0!9 + a 1 2 )x + 1 1 = x4 + (a 3 + 0!6 + 0!9 + a 2 )x 3 + (a 3 + 0!6 + 0!9 + a 1 2 )x 2 + (a3 + 0!6 + 0!9 + a 1 2 )x + 1 =
=
=
CHAPTER 10. ERRORCORRECTING CODES
244 Calculating, we have ci
+ a6 + a9 + a1 2
= =
a 3 + ( a 3 + a 2 ) + (a 3 + a ) + ( a3 + a2 + a + 1)
1
and hence It follows that g(x)
lcm (m 1 (x) , m2 (x) , ms (x), m4 (x)) = (x 4 + x + 1)(x4 + x 3 + x 2 + x + 1) mod 2 = x 8 + x 7 + x 6 + x4 + 1
=
Since g(x) has degree 8, it follows that plaintext polynomials can have degree at most 6. In particular, if then a(x) = x6 + x4 + x3 + 1 and a(x)g(x) = x 14 + x 1 3 + x 1 0 + x 9 + x 3 + 1
and hence the codeword is transmitted as (1, 1 , 0, 0, 1 , 1, 0, 0, 0, 0, 0, 1, 0, 0, 1) 2 Example 10.3 With a bit more effort we can construct a threeerrorcorrecting
code. We proceed as in the previous example, but add in the polynomial ms (x) . To compute m5 (x) , we note that if a5 is a root of ms (x), then so is a1 0 . Since a 20 = a5 (why? ) we can stop there and write ms (x) = (x  a5 ) (x  a10 ) s o = x 2 + ( a + a t )x + 1 = x2 + x + 1
The last equality holds because Thus, g(x)
lcm (m t (x) , m2 (x), ms (x), m4 (x) , ms (x) , m6 (x)) = (x4 + x + 1 ) (x4 + x 3 + x 2 + x + 1)(x2 + x + 1 ) = x 1 0 + x 8 + x 5 + x4 + x 2 + x + 1 =
'10: 1 . BCH CODES
245
The downside of this example is that the plaintext polynomial must be of degree at most 4, so although triple error correction is possible, the code carries with · it a lot of overhead. We are always on the lookout for codes that require only a few extra check bits but that correct a high rate of errors. · In order to get an improvement of the information rate, we need to work with larger fields. Example 10.4 We will construct a fourerrorcorrecting code, using the field GF64 · To construct GF64 , we need an irreducible polynomial of degree 6 in GH [x]. The naive guess is q(x) x6 + x + 1. If we take a to be a root of q(x), then a has order 63 since o? mod a6 + a + 1 a2 + a a 2 1 mod a6 + a + 1 a5 + a4 + a3 + a + 1 =
=
=
a63 mod a6· + a + 1 1 and hence q(x) x6 + x + 1 is indeed irreducible since a is primitive. We have m 1 (x) m2 (x) = m4 (x) ms (x) = m 1 6 (x) m32 (x). The minimal polynomial of a 3 is given by m3 (x) = (x  a3 )(x  a6 )(x  a 1 2 )(x  a24 )(x  a48 )(x  a33 ) since a63 1. Note that (m3 (x) mod q (a)) mod 2 ( 9206x  123 182x2 + 584 160  37 032x3 + 3790x4  46x5 ) a 5 + ( 309 296x + 395 780  2628x3  200 706x2 + 3716x4  66x5 ) a4 + ( 60x5 + 2220x4 + 41 944x3  223 310x2  596 584x + 7800) a3 + ( 487 004  735 524x  167 640x2 + 82 738x3  518x4  32x5 ) mod 2 x6 + x4 + x2 + x + 1 Similarly, we compute m5 (x), and m7 (x) as m5 (x) = (x  a5 )(x  a 10 )(x  a20 )(x  a40 )(x  a 1 7 )(x  a34) x6 + x 5 + x 2 + x + 1 m7 (x) = (x  a7 )(x  a 14 )(x  a28 )(x  a56 )(x  a49 )(x  a35 ) = x6 + x3 + 1 =
=
=
=
=
=
=
=
=
Then
g(x)
=
lcm [m 1 (x), m2 (x), m3 (x), m4 (x), m5 (x), m6 (x), m7 (x), ms (x) ]
m 1 (x)m3 (x)m5 (x)m7 (x) (x6 + x + 1)(x6 + x4 + x2 + x + 1) (x6 + x5 + x2 + x + 1)(x6 + x3 + 1 ) x24 + x23 + x22 + x2o + x 19 + x 1 7 + x 1 6 + x 1 3 + x 10 + x9 + x8 + x6 + x5 + x4 + x2 + x + 1 =
=
·
=
CHAPTER 1 0. ERRORCORRECTING CODES
246
This is a large polynomial, but the plaintext polynomials can also be large. In this case, allowable plaintext can be of degree 62  24 = 38. In calculating minimal polynomials, we used the fact that for a and b in GF2 n . A similar equation holds for GFpn . Theorem 10.5 If a and b are elements of GFpn then
(a + b) P = aP + bP Proof. Expanding (a + bt gives
For
1 � k � p  1, the binomial coefficient is
(pk)  k! pp! k) ! (
which is an integer multiple of p, so
(�) mod p = 0
Thus
I
The theorem (a + bl = aP + bP can be used to prove, by induction on k, that (a t + a2 + · · + ak ) P = af + a� + · · · + a� ·
An interesting consequence of this theorem is that every element of GFpn is a pth power. To see this, note that if aP = bP, then (a  b)P = aP  bP = 0, so a  b = 0 as GFpn is a field. That is, raising to the pth power is a onetoone map from GFpn to itself. As GFpn is finite, the map must also be onto, that is, every element of GFpn has a unique pth root. Finally we observe that if a is in GFpn , then a is in GFp if and only if aP = a. That is, the elements of GFp are exactly the fixed points of the map taking a to aP. That aP = a for a in GFp is Fermat's little theorem. Conversely, if aP = a, then aP  a = 0. But the equation xP  x = 0 has at most p distinct solutions, and we already know that the p elements of GFp satisfy it.
iJO.l .
247
BCH CODES
Example 10.6 The polynomial q (x) =
{0, 1, 2, 3, 4} because
q (O) mod 5 = 1 q (3) mod 5 = 1 so q (x) has no root in polynomial of 0 2 is
GFs.
x3 + x + 1 is irreducible over GF5
q (1) mod � = 3 q (4) mod 5 = 4
=
q (2) mod 5 = 1
Let 0 be a root of q (x) in
GF5a .
The minimal
If f3 in GFp is a root of an irreducible polynomial m (x) = x k + Ck1 x k1 + + c1 x + eo inn GFp [x], then 0 = m (O) P k 1 + C 1 fJ + Co r = (f3k + Ck 1 f3  + k  1 f + + cf (f3Y + (coY k = (!3 f + �  1 (!3 p 1 = fJP k + Ck 1 f3  (k ) + + c1 fJP + Co = (fJP ) k + Ck 1 (fJP ) k  1 + . . . + c1 f3P + Co since aP = a for a in GFp by Fermat's little theorem. Thus f3P is also a root of m (x). Repeating3 this4 argument we see that (f3P )P = f3P2 is also a root of m (x), and similarly f3P , f3P , and so on are roots of m (x). As GFpn is finite, there i h must be a positive integer h so that f3P =h f31 P for some i < h. Let h be the first time that happens. Then (3 , f32 , . . . , f3P are all distinct, so, in particular, h ::; k. As raising to the pth power is a onetoone map, we must have f3P = (3. · ·
·
·
·
·
·
· ·
·
·
·
h
Now consider the polynomial
which has degree k. Raising to the pth power permutes the elements (3, (32 , (JPh  1 , SO
.
•
.
,
That means that every coefficient of g ( x) is its own pth power, hence lies in GFv So g (x) is in GFp [x] and g (f3) = 0. Therefore g (x) is divisible by m (x). But h ::; k, that is, cleg g (x) ::; deg m (x). Therefore g (x) = m (x) so h = k and we can write m (x) as
CHAPTER 10. ERRORCORRECTING CODES
248
Problems 10. 1 1. Show that x3 + x + 1 is irreducible over GF2 .
2. Let a be a root of x3 + x + 1 in GFs . Construct the minimal polynomial of a 3 .
3. Use the polynomial x3 + x + 1 to construct a BCH code that corrects
& single error. List all of the plaintext and codeword polynomials and observe that the minimum distance between codewords is three.
4. Show that x2 + 1 is irreducible over GFa. 5. Let a be a root of x2 + 1 in GF9 . Construct the minimal polynomial of a + l.
6. Show that x4 + x3 + 1 is irreducible over GF2 by showing that if a is a root of x4 + x3 + 1, then the order of a is 15. 7. Let () be a root of x4 + x3 + 1 in G F1 6 . Construct the minimal polynomial of ()3 + ()2 .
8. Show that x5 + x3 + x + 1 is irreducible over GFa. by showing that if () is a root of x5 + x3 + x + 1 , then the smallest field containing () has at least 3 5 = 243 elements.
9. Let () be a root of x5 + x3 + x + 1 in the field GF3s . Construct the minimal polynomial of ()4 + 2(). 10. Show that x2  2 is irreducible over GF5 . 11. Let () be a root of x2  2 in the field GF52 = GF25 . Construct the minimal polynomial of 3() + 2. 12. From the equation (a + b) P = aP + bP in GFpn (see Theorem 10.5), derive the equation ( a 1 + a2 + · · · + ak t
=
af + a� + · · · + a� by induction on k.
13. From the equation (a + b) P aP +bP in GFpn , derive the equation (a  b) P = aP  bP.
=
14. The code that encodes a word of length 5 by repeating it three times is a (15, 5) polynomial code. What is its generator polynomial? 15. The triplerepetition code (see page 102) is not a polynomial code but
can be described as encoding the polynomial p (x) by the polynomial (1 + x + x2 ) p (x 3 ) . Verify both parts of this statement.
10.2;
10.2
A BCH DECODER
249
A B CH Decoder
Consider a terror correcting BCH code. A cumbersome way to decode is to calculate all the codewords c(x) = a(x)g(x) and for each codeword c(x) , calcu late c(x) + e(x) for all possible error polyi10mials, where each e(x) has at most t nonzero terms. This produces a large table, and we search until we locate c(x) + e(x) in the table, and convert this to c(x) . Polynomial division by g(x) then yields a(x) , or we may simply include a(x) in the table. The following example gives an alternative method for correcting a single error. Ex;ample 10.7 Consider the doubleerror correcting BCH code described in Example 10.2. The irreducible polynomial q (x) = x 4 + x + 1 with root (} yields the generator polynomial g(x) = x8 + x7 + x6 + x4 + 1 . Suppose that a single e�ror occurs so that the error polynomial is e ( x) = xk , and consider c(x) + xk = x 1 4 + x 1 3 + x 1 2 + x 1o + x6 + x4 + x3 + x2 + 1
Since c(O) = 0, we can evaluate the polynomial c(x) + xk at (} to get (}k = (0 1 4 + 0 1 3 + 0 1 2 + 0 w + (}6 + (}4 + (}3 + (}2 + 1 mod q ( 0)) mod 2 = (}3 + (}2 + (} The challenge is to figure out k. But knowing (} k is enough to determine k. In this case, (}3 + (}2 + (} = (} 11 so k = 11. We correct the polynomial c(x) by adding x 11 to get x 1 4 + x 1 3 + x 1 2 + x ll + x 1o + x6 + x4 + x3 + x2 + 1 Dividing by g(x) = x8 + x 7 + x6 + x4 + 1 , we get c(x)
=
c (x) = x6 + x3 + x 2 + 1 g (x) Example 10.8 The case where e (x) = xi + x k is more challenging. Suppose
that
r (x) = c (x) + e (x) = x l 4 + x ll + x l o + x5 + x + 1
where
e (x) = xi + x k for some (unknown) integers j and k. We figure out j and k by computing the polynomial
250
CHAPTER 10. ERROR�CORRECTING CODES
where
r (B) = ei + B k Evaluating r (x ) = c (x ) + e (x ) at powers of B yields ei + B k = r (B) = ((} 1 4 + (} 11 + (} 10 + (}5 + (} + 1 mod 84 + (} + 1) mod 2 = 1 + 82 (B 2 ) i + (B 2 ) k = r (82 ) = ((}28 + (}22 + B 2o + (} 1 0 + 82 + 1 mod (}4 + (} + 1) mod 2 =B (B 3 ) i + ( e3 t = r (B 3 ) = ((}42 + (}33 + B3o + (} 1 5 + (}3 + 1 mod (}4 + (} + 1) mod 2 = B3 + B 2 + B (B4 ) i + (B4 ) k = r (84 ) = ((}56 + (}44 + (}40 + (}20 + (}4 + 1 mod (}4 + (} + 1) mod 2 = (}2 We rewrite these equations
Notice that
as
ei + e k = 1 + e2 82j + 82 k = 8 (}3j + (}3k = (}3 + (}2 + (} e4i + 84k = 82
(ei + ek ) eHk + (82j + 82k ) (ei + ek ) = 83j + 83k (82j + 82k ) eHk + (83j + 83k ) (8j ek ) = 84j + 84k +
This system can be rewritten as a matrix equation
( �ej ++ e�k
eJ + k ) = ( 83j + 83k ) ( ) � +� � +� �+�
82j + 82k
and substitution yields
Since form
84 + B + 1 = 0 and 8 1 5 = 1 , the matrix equation can be rewritten in the
10;2. A BCH DECODER
251
The augmented matrix
can be reduced using elementary row operations:
(� (� (� (�
Thus
Setting a
()i+k ()i + ()k
=
=
=
() 8
() 10 () 8 () () 8
e; )
) ()3 ) ) ()3 ()9
1
() 8
0
()9 () 8
1
()9
() 8
()i and b = () k we search the table
ab a + b () 7 () () 10 12 P () r ()3 ()6 ()2 () 8 ()4 ()5 and observe that e (x) x4 + x 5 . Thus ( x) x 1 4 + x 11 + x 10 + x4 + x + 1 a 1
b
()9 () 8 rF
()9 ()9 ()9 ()9 ()9
=
c
=
and long division yields
x 1 4 + x ll + x l o + x + 1 + x4 mod 2 x6  x5 + 2x3  2x2 + x + 1 mod 2 x 8 + x 7 + x 6 + x4 + 1 =
The singleerrorcorrecting BCH code described in Problem 10.3 uses the codeword x3 + x + 1 and message words a (x) of degree at most 3 over GF2 . In Table 10.1 a polynomial ofthe form b6 x6 + b5 x5 + b4x4 + b3 x 3 + b2 x2 + b 1 x + bo has been converted to the vector b6 b5 b4 b3 b2 b1 bo . A message with a single error
252
CHAPTER 1 0. ERRORCORRECTING CODES
(x) = bixi can be corrected by locating the received message in Table 10. 1a or 10.1b and recovering a (x) in the first column of that row.
e
a (x) a (x) g (x)
0000 0001 0010 001 1 0100 0101 0110 0111 1000 1001 1010 1011 1100 1 101 1 1 10 1111
0000000 0001011 0010101 0011101 0101 100 01001 11 0111010 0110001 1011000 1010011 10011 10 1000101 1 110100 1111111 1100010 1101001
Table lO.la
bo
0000001 0000010 0000100 0001000 0001010 0001001 0001 1 1 1 000001 1 0010100 0010111 0010001 0011 101 0011 100 0011 1 1 1 001 1001 0010101 0101101 0101 110 0101000 0100100 0100110 0100101 0100011 0101 1 1 1 0111011 0111000 011 1 1 10 0110010 0110000 0110011 0110101 0111001 1011001 1011010 1011 100 1010000 1010010 1010001 10101 1 1 101 1011 10011 1 1 1001100 1001010 1000110 1000100 1000111 1000001 1001101 1 1 10101 1 1 10110 1 1 10000 1 1 1 1100 1 1 1 1 1 10 1 1 1 1 101 1 1 1 1011 1 1 10111 110001 1 1100000 1 100110 1 101010 1101000 1 101011 1 101101 1 100001 Using a table for singleerror correction
a (x) a (x) g (x)
0000 0001 0010 001 1 0100 0101 0110 0111 1000 1001 1010 1011 1100 1 101 1110 1111
0000000 0010000 0100000 1000000 000101 1 001 1011 010101 1 010101 1 0010101 0000101 0110101 1010101 001 1 101 0001101 0111101 101 1 101 0101 100 01 1 1100 0001100 1 101 100 01001 1 1 01101 1 1 0000111 11001 11 0111010 0101010 001 1010 1 1 11010 0110001 0100001 0010001 1 110001 1011000 1001000 1 1 1 1000 001 1000 1010011 1000011 11 10011 0010011 10011 10 101 1 1 10 1101110 0001110 1000101 1010101 1 100101 0000101 11 10100 1 100100 1010100 0110100 1 1 1 1 1 1 1 1101 1 1 1 101 1 1 1 1 01 1 1 1 1 1 1100010 1 1 10010 1000010 0100010 1 101001 1 1 1 1001 1001001 0101001 Table lO. lb Using a table for singleerror correction Finding efficient methods for BCH error correction has been an active area of research. The widespread use of BCH codes attests to the success of these efforts. The following is a general decoder for a binary BCH code. If no error occurs,
1.0.2: A
BCH DECODER
253
the plaintext can be recovered by the polynomial division
a (x ) = gc (x) (x)
If c (x) mod g (x) =f 0 then it is necessary to locate the errors. Error correction algorithms are more complicated than the encoding algorithm which is just polynomial multiplication. The following scheme is typical. Let
C (x) = Co + C1 X + C2 X2 +
·
·
·
·
·
·
be the encoded text, and suppose
r (x) = ro + r1 x + r2 x2 +
+ Cn  1 Xn  1 +
rn _ 1 xn 1
is received, so the error pattern is and u is the n�mber of errors. Since c e k ) = 0 for k = 1, 2, 3, . . . , 2t, it follows that k = 1 , 2, 3, . . . , 2t. Define
(
r (e k )
8 1 = r (B) = e (B) = gel + ge2 + . . . + geu 8 2 = r (e2 ) = e ( e2 ) = ( ee1 ) 2 + (ee2 ) 2 + . . . + (ee,. ) 2
The challenge is to locate e 1 , e2 , . . . , eu . Start with the assumption maximum number of errors that can be corrected. If the matrix
u =
t, the
S= Su+ 1
is singular, then subtract 1 from u and repeat with smaller sized S until a nonsingular matrix is found. This can be accomplished just as well while solving the system
Su Su+ 1 Then factor the polynomial
YuXu + Yu 1 Xu 1 +
·
·
·
u + Y1 X + 1 = IT (xee; + 1 ) i= 1
CHAPTER 1 0. ERRORCORRECTING CODES
254
The errors occur at xe1 , xe2 , , xe" e (x), then divide by g (x). •
•
•
.
To recover
a
(x), first set c ( x) = r ( x) +
Example 10.9 We give an example of a tripleerrorcorrecting code that uses
GF32 and how triple errors can be corrected. We first need an irreducible polynomial of degree 5 in GF2 [x], In Table 10.2, we conclude that q (x) = x5 + x2 + 1 is irreducible by showing that if () is a root of q (x), then the order of e modulo e 5 + rP + 1 is 31. 2 ()21 = ()4 + ()3 () ()11 = () + () + 1 ()22 = ()4 + ()2 + 1 ()1 2 = ()3 + ()2 + () ()2 2 1 3 ()23 = ()3 + ()2 + () + 1 3 () () 4 () = () + + ()3 1 2 3 4 ()24 = ()4 + ()3 + ()2 + () () = ()4 + () + () + 1 ()4 2 1 4 5 3 () = () + () + () + () + 1 ()25 = ()4 + ()3 + 1 ()5 ()2 + 1 ()26 = ()4 + ()2 + () + 1 () 1 6 = ()4 + ()3 + () + 1 ()6 ()3 + () ()27 = ()3 + () + 1 ()1 7 = ()4 + () + 1 ()7 = ()4 + ()2 ()28 = ()4 + ()2 + () ()8 ()3 + ()2 + 1 ()1 8 = () + 1 9 1 9 2 ()29 = ()3 + 1 4 () 3 () () = + () () + () + () ()30 = ()4 + () ()20 ()3 + ()2 () 10 ()4 + 1 ()3 1 1 =
=
=
=
=
=
=
Table 10.2
Powers of ()
We next locate the minimal polynomial for ()3 by defining
and reducing m3 (x) modulo () 5 + ()2 + 1 to get
m3 (x) = x5 + x4 + x3 + x2 + 1 The minimal polynomial of ()5 is given by Reduce the coefficients modulo ()5 + ()2 + 1 to get
m5 (x) = x5 + x4 + x2 + x + 1
Thus the generating polynomial is given by
g (x) = lcm [m 1 (x) , m2 (x) , m3 (x) , m4 (x) , m5 (x) m6 (x)] {x5 + x2 + 1 ) ( x5 + x4 + x3 + x2 + 1) (x5 + x4 + x2 + x + 1 ) x 1 5 + x u + x w + x 9 + x s + x 7 + x 5 + x3 + x 2 + x + 1 =
=
Plaintext can be a polynomial of degree at most 2 5  deg (g (x))  2
=
32  15  2
=
15
1Q,2. A BCH
DECODER
255
Suppose the plaintext is given by a (x) = x 1 5 + x 11 + x 1 0 + x3 + x + 1
so that c (x) = a (x) g (x) = x3o + x24 + x23 + x2 o + x 1 6 + x 1 5 + x 1 3 + x u + xs + x 7 + x 3 + 1
Introduce the triple error so that r (x) = c (x) + e (x) r (x) = x3o + x24 + x23 + x2o + x 1 6 + x 1 5 + x 1 3 + x 9 + x8 + x 7 + x 5 + x 3 + 1
To compute the matrix s
=
(
8 11 8 1 2 8 1 3 8 1 4 82 1 822 823 82 4 83 1 832 8 33 834
)
we set and reduce the coefficients modulo 05 + 02 + 1 to get
Since 04 + 0 3 = 02 1 it follows that (04 + 03 r 1 = 0 1 0 . Similarly, 02 + 0 + 1 = 0 11 implies ( 02 + B + 1 r 1 = 82 0 and (04 )  1 = 02 7 . Multiplication of the first row by 0 1 0 , the second row by 020 , and the third row by 02 7 yields the matrix
Add the first row to each of the second and third rows to get
256
CHAPTER 10. ERROR�CORRECTING CODES
Multiply the second row by (B 2 + B)  1
=
B 1 2 to get
Now add appropriate multiples of the second row to the first and third rows to get 1 0 B4 + B 3 + B B3 + B + 1 B4 + B 3 0 1 B3 + B2 + 1 4 B3 + B2 o o B +B
)
(
Multiply the third row by (B4 + B)  l
=
B to get
Add appropriate multiples of the third row to the first and second rows to get
Now look for a factorization (o/x + 1) ( ai x + 1) ( a k x + 1)
ai +i+ k x3 + ( ai +i + ai+ k + ai+ k ) x 2 + ( ai + ai + a k ) x + 1 = a 2 5 x3 + a 6 x2 + a 2 l x + 1 =
This implies a i+i+ k ai +i + a i+ k + ai+ k ai + ai + a k
a25 = a6 1 = a2 =
A search locates the solution i
=
5, j
=
9, k = 1 1
1 0.2. A BCH DECODER
257
and hence e (x) = x5 + x9 + x 11 . This yields c (x) = r (x) + e (x) = x 3o + x2 4 + x23 + x2o + x 1 6 + x 1 5 + x1 3 + x u + xs + x7 + x3 + 1
so the plaintext is a (x) =
c (x) = x 1 5 + x 11 + x l o + x 3 + x + 1 (x)
g
Problems 10.2
1. The polynomial q ( x) = x3 + x + 1 is used to construct a BCH code that corrects a single error with plaintext polynomials of the form a (x) = a3 x3 + a2 x2 + a 1 x + ao E GF2 [x] . If the message x5 + x4 + x3 + 1 is received, what was the plaintext? 2. The polynomial q (x) = x4 + x + 1 is used to construct a BCH code that corrects a single error with plaintext polynomials a (x) E GF2 [x] . What is the largest possible degree for a (x)? If the polynomial x 1 2 + x 1 0 + x8 + x 6 + x2 + x is received, what was the plaintext? 3. Let () be a root of x2 + x + 2 in GF32 and calculate g (x) = m 1 (x) m2 (x). 4. If the generator polynomial defined in problem 3 produced a codeword that was received as 2x 7 + 2x4 + 2x3 + x2 + 2x + 2, what was the plaintext? In problems 57, let () be a root of q (x) = x 5 + x2 + 1 in GF32 . 5. Show that q (x) is a primitive polynomial.
6. Construct a doubleerrorcorrecting BCH code that uses the generator
polynomial g (x) = lcm (m 1 (x) , m2 (x) , m3 (x) , m4 (x) ) , where mi (x) is the minimal polynomial of () i . What is the largest possible degree for a plaintext polynomial a (x) E GF2 [x]? 7. The polynomial r (x) = x2 9 + x2B + x2 7 + x2 5 + x24 + x 22 + x2 0 + x lB + x 1 6 + x 1 5 + x 1 3 + x 1 2 + x 11 + x 1 0 + x 8 + x7 + x5 + x4 + x3 + 2x + 1 is received using the BCH code from the previous problem. What is the plaintext polynomial? In problems 81 1 , let () be a root of q (x) = x3 + 2x + 1 in GF2 1 · 8. Show that q (x) is a primitive polynomial.
9. Construct a singleerrorcorrecting BCH code that uses the generator poly
nomial p ( x) = lcm ( m 1 ( x) , m2 (x) ) , where mi (x) is the minimal polyno mial of () i .
258
CHAPTER 1 0. ERRORCORRECTING CODES
. 10. The polynomial r (x) = 2x2 5 + 2x24 + 2x 22 + 2x 2 1 + x 19 + 2x 1 8 + x 1 7 + x 1 6
+ 2x 14 + 2x 12 + 2x 11 + x 1 0 + 2x9 + 2x8 + 2x 7 + 2x5 + 2x 3 + x2 + 2x + 2 is received after being encoded by the BCH code from the previous problem. What was the plaintext?
=
11. Construct a doubleerrorcorrecting BCH code that uses the generator polynomial g (x) lcm (mt (x) , m2 (x) , m3 (x) , m4 (x) ) , where mi (x) is the minimal polynomial of () i . What is the largest possible degree for a plaintext polynomial a (x) E GF3 [x]?
10.3
ReedSolomon Codes
A ReedSolomon code is a BCH code where the degree of the irreducible poly nomial f(x) is 1. Let () be a primitive element in GFp . The minimal polynomial of ()i is mi (x) = x ()i , and hence the encoding polynomial is given by 
Let a(x) denote a plaintext polynomial of degree at most p  2t  2. Then the minimum weight of a nonzero codeword a(x)g(x) is at least d = 2t + 1 , and hence at least t errors can be corrected. Example 10.10 Consider the prime p = 929. Then () element. To see this, note that p  1 = 928 = 2 5 29, and 3 92 8 mod 929 1
3 is a primitive
=
3 92 81 2 mod 929 = 928 3 92 8 /2 9 mod 929 = 34 7
Consider the polynomial g (x )
(x  3 ) (x  3 2 ) (x  3 3 ) (x  34 ) (x  3 5 ) (x  3 6 ) = x 6 + 766x 5 + 17x4 + 8 0 3x 3 + 19 x2 + 285x + 861 =
over GF92 9 . The plaintext polynomial can have degree up to p  2t 
2 = 929  6  2 = 921
with coefficients in GF92 9 , and up to three errors can be corrected. The message
( 523, 13, 794, 24, 3, 563) is represented in GF929 [x] as the polynomial m ( x)
=
523x5 + 13x4 + 794x3 + 24x2 + 3x + 563
1 0. 3. REEDSOLOMON CODES
259
The corresponding codeword is m
(x) g (x) mod 929 523x 11 + 232x 1 0 + 134x9 + 15x8 + 237x 7 + 503x6 + 8 94x5 + 1 8x4 + 879x3 + 630x2 + 463x + 734 =
Example 10.1 1 Consider the field GF2a
=
GF64 · To show that the polynomial
q (x) x6 + x + 1 is irreducible, it is sufficient to show that a root 0 of q ( x) has order 63. That a root 0 has order 63 = 3 2 7 follows from the evaluations (063 mod p (x)) mod 2 = 1 (06313 modp (x) mod 2 = 06 + 05 + ()4 + 03 =1 1 =
) (0 63 17 modp (x) ) mod 2
=
04 + ()3 =1 1
Consider the generating polynomial
(x  0) (x  0 2 ) (x  03 ) (x  04 ) = x4 + ( ()4 + 03 + 02 + 0 ) x3 + ( 04 + 03 + 0 2 + 1) x2 + ( ()4 + 1) x + ()5 + ()4 Plaintext can be a polynomial in GF2 [x] of degree p  2t  2 = 64  4  2 58 The ReedSolomon code (58, 62) corrects any two errors. g
(x)
=
=
Problems 10.3
1 . Find a primitive element in GF1 6 ·
2. Construct a generating polynomial for a twoerrorcorrecting ReedSolomon code over GF1 6 ·
3. Find a primitive element in GF1 7 . 4. Construct a generating polynomial for a twoerrorcorrecting ReedSolomon code over GF1 1 .
5. Find a primitive element in GF257 · 6. Construct a generating polynomial for a fiveerrorcorrecting ReedSolomon
7. 8.
code over GF257 .
Find a primitive element in GF256 ·
Construct a generating polynomial for a fiveerrorcorrecting ReedSolomon code over GF256 .
Chapter 1 1
Advanced Encryption Standard In 1997 the National Institute of Standards and Technology held a threeyear competition to develop an advanced encryption standard ( AES ) to protect sen sitive information in federal computer systems. Many businesses were expected to use the AES as well. Once final, this standard will serve as a critical computer security tool supporting the rapid growth of electronic commerce. This is a very significant step toward creating a more secure digital economy. It will allow ecommerce and egovernment to flourish safely, creat ing new opportunities for all Americans. Norman Y. Mineta, Secretary of Commerce
The effort to develop the AES reflected the dramatic transformation that cryptography had undergone. Before 1950, cryptography was used primarily by governments to protect state and military secrets. Today, millions of Americans use cryptography without knowing it. Automated tellers use it to encrypt per sonal identification numbers. Internet transactions use it to identify users and to protect personal information like credit card numbers. Many encryption devices used Data Encryption Standard ( DES ) or Triple DES. Such systems had become universal in the financial services industry. Consequently, the selection of the AES affected millions of consumers and busi nesses. The National Institute of Standards and Technology ( NIST) requested pro posals for the AES in 1997. The criteria for selection included 1 . Good security. This was the primary quality required of the winning formula. 261
262
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
2. Key sizes. The algorithm must support key sizes of 128, 192, and 256 bits. There are 2 1 28 = 340 282 366 920 938 463 463 374 607 431 768 211 456 possible keys for the 128bit key size. 3. Speed. Other algorithms such as RSA have good security but run slowly. 4. Versatility. The algorithm must run efficiently on large computers, desk top computers, and even small devices such as smart cards. All five finalist algorithms were found to have a very high degree of security. Rijndael was seleCted for its combination of security, performance, efficiency, ease of implementation, and flexibility. Rijndael was approved as the AES standard on December 6, 2001 and be came effective on May 26, 2002. 1
11.1
Data Encryption Standard
In 1973, the National Bureau of Standards solicited proposals for cryptographic algorithms to be used by federal agencies for sensitive, unclassified information. IBM submitted an algorithm with the code name LUCIFER. In 1977, a modified version of LUCIFER was adopted as the Data Encryption Standard (DES ) . In addition to use by federal agencies, DES and a variant called Triple DES are used in the financial services industry. The DES algorithm is a block cipher that uses a 56bit key to encode a 64bit data block. The 64 data bits, labeled 1 through 64, are put into an 8 by 8 matrix 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 P = 57 49 41 33 25 17 9 1 59 51 43 35 27 19 1 1 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 That is, data bit 58 appears in row 1 column 1 and data bit 7 appears in row 8 column 8. Then they are read off by rows, bit 2 becomes bit 8, bit 60 becomes bit 9, and so on. In the notation introduced on page 76, the incoming data bits are subject to the permutation P=
( 401
2 3 8 48
64 25
)
1 See http:/ /csrc.nist.gov/publications/fips/fips197/fips197.pdf for the announcement in the Federal Register.
11 . 1 .
· DATA ENCRYPTION STANDARD
263
Written as . a product of disjoint cycles, P is given by p=
(1, 40, 28, 13, 55, 58) (2, 8, 32, 29, 53, 50) (3, 48, 27, 45, 51, 42) · (4, 16, 31, 61, 49, 34) (5, 56, 26) (6, 24, 30, 21 , 54, 18) (7, 64, 25, 37, 52, 10) . (9, 39, 60) (11, 47, 59, 41, 35, 44) (12, 15, 63, 57, 33, 36) (14, 23, 62, 17, 38, 20) . (19, 46) (22) (43)
The inverse permutation has a somewhat more obvious structure 40 39 38 37 36 35 34 33
p 1 =
16 15 14 13 12 11 10 9
48 47 46 45 44 43 42 41
8 7 6 5 4 3 2 1
56 55 54 53 52 51 50 49
Written in the usual notation, it is p 1
=
( 5�
64 63 62 61 60 59 58 57
24 23 22 21 20 19 18 17
32 31 30 29 28 27 26 25
... . )
2 3 4 5 . 64 . 7 50 42 34 26
This inverse permutation is applied to the output after the real cryptographic work is done. The key consists of 56 bits. These are held in eight 8bit words with the last bit in each word serving as a parity check bit. Referring to these key bits with the numbers 1 , 2, . . . , 64, the bits numbered 8, 16, 24, 32, 40, 48, 56, and 64 are parity check bits. The key is permuted by putting it into a matrix
K=
57 1 10 19 63 7 14 21
49 58 2 11 55 62 6 13
41 50 59 3 47 54 61 5
33 42 51 60 39 46 53 28
25 34 43 52 31 38 45 20
17 26 35 44 23 30 37 12
9 18 27 36 15 22 29 4
with bit 57 in the first column and first row, and bit 4 in the seventh column and eighth row. Notice that the parity check bits do not appear. This matrix is then read off in rows to get the permuted 56bit key. Given a 2nbit word, let L denote the left n bits and R the right n bits. For f any function that takes n bits as input and produces n bits of output, define F (L, R)
=
(R, L + f (R))
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
264
where addition is bitwise addition modulo 2. The function F takes a 2nbit word LR to the 2nbit word R (L + f (R) ) . It is invertible with inverse G (L, R)
=
(R + j(L) , L)
because G o F (L, R)
= = =
G (R, L + j (R)) (L + f (R) + f (R) , R) (L, R)
The DES algorithm uses the key matrix K to produce a sequence of functions j� , h , . . . , ftB · Th,e sixteen corresponding functions Fi (L, R)
=
(R, L + fi (R))
are successively applied to the 64bit data block. This type of algorithm is called a Feistel network. Most of the security of DES resides in the complexity of how the functions fi are derived from the original 56bit key. Specialpurpose computers built specifically to break DES have made DES nearly obsolete, although triple DES is still in common use. Problems 1 1 . 1
1. Let Ui E {0, 1} and define f (uo, u 1 , uz, u3 )
=
(uo + u � , uo , u 1 + uz, Uz + u3 ) mod 2
Given an 8bit word, let L denote the left 4 bits and R the right 4 bits. Define F (L, R) (R, L + f (R)) Compute the first four iterations of F applied to the bytes (11111111) and (11101111 ) . =
2. One measure of how well an algorithm scrambles data is how far apart two codewords are that begin at a Hamming distance of one apart. How far apart are the codewords generated in problem 1? 3. What is the inverse of the function F defined in problem 1? 4. Let Ui
E
{0, 1} and define
Given an 8bit word, let L denote the left 4 bits and R the right 4 bits. Define F (L, R) (R, L + f (R)) Compute the first four iterations of F applied to the bytes (11111111) and (11101111 ) . =
THE
1 1 .2.
GALOIS FIELD GF256
265
5. One measure of how well an algorithm scrambles data is how far apart
two codewords are that begin at a Hamming distance of one apart. How far apart are the codewords generated in problem 4?
6. Let !I (uo , u 1 , u2 , u3 ) h (uo , u 1 , u 2 , u3 )
(uo + u 1 , uo , u 1 + u 2 , u 2 + u3 ) mod 2 (uo , uo u 1 + u 2 , uo u 1 u 2 + u3 , uo u 1 u2 u3 ) mod 2
and set
(i = 1, 2) Fi (L, R) = (R, L + /i (R)) Start with the byte (11111111) and first apply F1 , then apply F2 . Repeat with the byte (11101111). 11.2
The Galois Field GF256
The polynomial
q ( x ) = x s + x4 + x 3 + x + 1
is irreducible over GF2 . To verify this, consider the ring R of equivalence classes of polynomials in GF2 [x] modulo q (x ) , and let e be the equivalence class of x in R. We will show that + 1 has order 255 = 3 X 5 X 17 in R. Indeed ( e + 1 ) 2 55 mod es + 84 + 83 + e + 1 = 1
e
so e + 1 and all of its powers are invertible. Moreover, (e + 1) 255/ 3 mod es + 84 + 83 + e + 1 = 8 7 + 85 + 84 + 83 + 82 + 1 (e + 1) 255/5 mod es + 84 + 83 + e + 1 = 83 + 82 (e + 1) 2 55/ 1 7 mod es + 84 + e3 + e + 1 = 1 + 85 + 84 + 82 so e + 1 has order exactly 255. There are 255 polynomials of degree less than 8 in e that have at least one nonzero coefficient. So each one of them must be a power of e + 1 , hence invertible. If q (x ) were reducible, then we could write q ( x ) = a (x ) b (x ) with the degrees of a (x ) and b (x ) less than 8. Then 0 = a (B) b (B) but a (B) and b (B) are invertible. So q (x ) is irreducible. It follows that R is GF2 56 , and each of its elements written uniquely as a polynomial in e with coefficients in GF2 • Addition is straightforward and multiplication is followed by reduction modulo q (B) . It is convenient to represent the 256 elements of GF2 55 by hexadecimal num bers. Thus, the element
266
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
can be represented by the binary string 1 1010110 which can be thought of as the binary number (11010110)2 or the hexadecimal number D6. Similarly, the element can be represented by the binary string 00101100 which can be thought of as the binary number {00101100)2 or the hexadecimal number 2C. Multiplication is given by D6 · 2C = ( (lf + B6 + B4 + lP + B) (B5 + 0 3 + 0 2 ) mod q (B)) mod 2 = 04 + 03 + 0 = 007 + 006 + 005 + 104 + 103 + 002 + 10 + 0 = 1A whereas addition is ordinary polynomial addition with coefficients reduced mod ulo 2, so that D6 + 2C = (07 + 06 + 04 + 02 + B) + (0 5 + 0 3 + 02 ) mod 2 = 0 7 + 0 6 + (;15 + 0 4 + 0 3 + 0 = 107 + 106 + 105 + 104 + 103 + 002 + 10 + 0 = FA
The element a (B) b (B) mod q (B) can be computed using repeated multipli cation by B. If the degree of b (B) is less than 7, then multiplication by 0 is a simple shift. For example, For polynomials of degree 7, multiplication by B is a shift of the lowerorder terms followed by addition by 04 + 03 + 0 + 1 . In particular, 0 (o7 + 0 5 + 03 + o) = 0a + 0 6 + 04 + 02 = ((;14 + (;13 + (;I + 1) + ((;16 + (;14 + 02 ) = 0 6 + 0 3 + 02 + B + 1 since
((;18 mod (;18 + 04 + (;13 + (;I + 1) mod 2 = 04 + (;13 + (;I + 1 Multiplication by higher powers of 0 is repeated multiplication by B. Multi plication of one polynomial by another can be broken down into multiplication by 0 followed by addition of polynomials modulo 2. For example, (05 + 03 + 0 2 ) (0 7 + 06 + 04 + 02 + 0) = 0 5 (0 7 + 0 6 + 04 + 0 2 + 0) + 03 (B7 + 0 6 + 04 + 02 + B) + 02 (0 7 + 0 6 + 04 + 0 2 + 0)
'1 1 .2.
THE GALOIS FIELD
267
GF2 56
where
rP (rl + B6 + B4 + B2 + B) = .B B (B 7 + B6 + B4 + B 2 + B) = B ( (B4 + B3 + B + 1) + (B7 + B5 + B3 + B2 ) ) = B ( B7 + B5 + B4 + 02 + B + 1) = ( 04 + B3 + B + 1) + B6 + B 5 + B 3 + B2 + B = B 6 + B 5 + B4 + B2 + 1 B3 ( B7 + B6 + B4 + 02 + B) = B ( 06 + 05 + B4 + B2 + 1) ·
= 0 7 + B 6 + B5 + B3 + B B5 (B7 + 06 + B4 + B2 + B) = B B (B7 + 06 + B5 + B3 + B) = B ( (B 4 + B 3 + B + 1) + B 7 + B 6 + B4 + B2 ) = B (B 7 + B 6 + 03 + B 2 + B + 1) = (04 + B3 + B + 1) + (07 + B4 + B3 + B 2 + B) = B7 + B 2 + 1 ·
so (0 5 + B 3 + B 2 ) (B 7 + B 6 + B4 + B2 + B) = (B6 + B5 + 04 + 02 + 1) + ( B 7 + B6 + B 5 + B3 + B) + (B 7 + B2 + 1) = B4 + B 3 + B
Multiplication by B can be easily translated into computer code acting on 8bit bytes. Thus B= B2 = B3 = B4 = B5 = 06 = B7 =
(00000010) (00000100) (00001000) (00010000) (00100000) (01000000) (10000000)
so multiplication by B is a shift or a shift plus addition modulo 2 by the vector
268
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
(00011011). Repeated multiplication by B produces B ( B 7 + B 6 + B4 + B 2 + B) (00000010) · (1 10101 10) (10101 100) + (00011011) (101101 11) 2 2 B ( B 7 + B6 + B4 + B + B) (00000100) · (1 1010110) (00000010) . (101101 11) (01 101 110) + (0001 1011) (01 1 10101) B3 ( B 7 + B 6 + B4 + B 2 + B) (00001000) (110101 10) (00000010) . (01 1 10101) (11 101010) 2 B4 ( B 7 + B 6 + B 4 + B + B) (00010000) · (11010110) (00000010) . (11101010) (11010100) + (0001 101 1) (1 1001 111) B5 ( B 7 + B 6 + B4 + B 2 + B) (00100000) (1 10101 10) (00000010) · (11001 1 1 1) ( 1001 1110) + (00011011) (10000101) and hence (B 5 + B3 + B2 ) ( B 7 + B6 + B4 + B2 + B) (10000101) + (11 101010) + (01 1 10101) (0001 1010) Since u2 55 = 1 for every nonzero u in GF2 56 , the inverse of u is u2 54 . In particular, (B4 + B)  1 (B4 + B) 2 54 mod Bs + B4 + B3 + B + 1 mod 2 = B 7 + B 5 + B3 + B =
=
=
=
=
=
=
·
=
=
=
=
=
=
=
·
=
= =
=
=
(
)
As a check, note that ( ( B4 + B) ( B 7 + B5 + B3 + B) mod B 8 + B4 + B3 + B + 1) mod 2 Polynomials Over G F2s6
=
1
Let B be a root of the polynomial x8 + x4 + x3 + x + 1 . Elements of GF2 56 can be represented as polynomials in B of degree at most 7. Polynomials in GF2 56 [x] can be written in the form bn xn + bn l Xn  l + · · · + b1 x + bo where bi E GF256 .
'>'1 1 . 2.
THE GALOIS FIELD
GF2 56
269
Example 11.1 To compute the product a (x)
· b (x) where a (x) = ( 8 5 + 8 3 + 1) x4 + (fP + B) x2 + (84 + 1) x b (X) = ( 86 + 85) x3 + ( 84 +8 + 1) X + 83
do polynomial multiplication and reduce the coefficients modulo 8 8 + 84 + B3 + B + 1. Thus, a (x)
·
b (x) = ( B 7 + 86 + B5 + B4 + 83 + 1) x7 + ( 87 + 86 + 85 + 84 + 83 + 8 + 1) x5 + ( 86 + B5 + B 3 + 1) x4 + ( 86 + B5 + 82 + 1) x3 + ( 8 6 + 8 2 ) x2 + (B 7 + 8 3 ) X
Problems 1 1 . 2 In problems 16, let 8 be a root of x8 + x4 + x3 + x + 1 in GF256 ·
1.
2. 3.
Write
8.
( B 6 + 83 + B) ( 87 + 82 + 1)
as a polynomial of degree at most 7 in
8 + 1 has order 2 55 in GF256 · Find an irreducible polynomial with root 8 + 1. [Hint: Simplify the polynomial 7 IT (x  ( 8 + 1t )
Verify that the element
k =O
modulo 8 8 + 8 4 + 8 3 + 8 + 1.]
4. Find the inverse of 87 + 83 + 1 in GF2 5 6 ·
5.
Solve the system
( 85 + 8) X + ( 84 + B + 1) y = 82 + 1 ( 8 7 + 8 6 ) X + ( 83 + 82 ) y = 8 6 + 8 3 of two equations and two unknowns for x, y E GF25 6 · 6. Calculate the product in GF256 [x] of the two polynomials p (X) = (8 5 + 8 ) x3 + ( 84 + 1) X + ( 8 7 + 8 + 1) q (x) = (87 + 83 + 82 ) x2 + ( 85 + 82 ) x + ( 83 + 82 )
270
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
7. Find the inverse of the matrix A
=
( B5 : B B 2 : B )
with entries in the field GF2 56 . 8. Solve the system (B + 1) X + (B2 + B) y + (B5 + B4 ) z (B2 + B) x + (B4 + B3 ) y + B 5 z (B6 + B 5 ) X + (B7 + B + 1 ) y + (B3 + 1 ) z
=
of three equations and three unknowns for x, y, z E GF2 56 ·
1 1 .3
The Rijndael Block Cipher
This page is dedicated to the fans of the Rijndael Block Cipher, whose selection, in an upset of Karelinean proportions, as the National In stitute of Standards and Technology's proposed Advanced Encryption Standard has brought down the Feistel cipher dynasty. It's a clas sic story of two guys in a garage taking on the establishment and winning. Prom the home page of the Rijndael Fan Club
Belgian mathematicians Joan Daemen and Vincent Rijmen submitted the winning cipher in the Advanced Encryption Standard open competition, held in 2000, to establish a new technique for protecting computerized information. The Rijndael Block Cipher uses keys of 128 bits, 192 bits, or 256 bits. The 128bit version will be described here. The algorithm includes a series of op erations on 4 x 4 matrices whose entries are bytes (8 bits) . Each such matrix contains 4 4 8 128 bits. The 192 and 256bit versions use 4 x 6 and 4 x 8 matrices. The 128bit cipher is based upon the use of 10 rounds: each round consists of a Galois field operation on the bytes (ByteSub) , an operation on the rows (ShiftRows) , an operation on the columns (MixColumns) , and a vector sum with a scrambled key (AddRoundKey) . Throughout the remainder of this section, let B b e a fixed root of the poly nomial x8 + x4 + x3 + x + 1 in the Galois field GF2 55 . ·
·
=
ByteSub
Each element of the 4 x 4 matrix is a byte, which can be considered as an element of the field GF2 56 · The ByteSub transformation consists of two steps:
THE 1.
271
RIJNDAEL BLOCK CIPHER
Replace each nonzero field element u with its inverse u  1 in GF2 56 . ( The zero element is fixed. ) This operation is certainly reversible. Call the new field element b1 f P + b6 B 6 + b5 B5 + b4 B4 + b3 B3 + b2 B 2 + b 1 B + bo = (� ' � ' � ' � ' � ' � ' � ' �)
2. Apply the affine transformation 1 1 1 1 1 0 0 0
1 1 1 0 0 0 1 1
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
1 1 1 1 0 0 0 1
bo b1 b2 b3 b4 b5 b6 b7
1 1 0 0 0 1 1 0
+
b'0 b'1 b� b'3 b� b'5 b� b�
mod 2 =
Notice that 1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
1
mod 2 =
0 1 0 1 0 0 1 0
0 0 1 0 1 0 0 1
1 0 0 1 0 1 0 0
0 1 0 0 1 0 1 0
0 0 1 0 0 1 0 1
1 0 0 1 0 0 1 0
0 1 0 0 1 0 0 1
1 0 1 0 0 1 0 0
so the inverse affine transformation is given by 0 1 0 1 0 0 1 0
0 0 1 0 1 0 0 1
1 0 0 1 0 1 0 0
0 1 0 0 1 0 1 0
0 0 1 0 0 1 0 1
1 0 0 1 0 0 1 0
0 1 0 0 1 0 0 1
1 0 1 0 0 1 0 0
b� b'1 b� b� b� b'5 b� b�
+
1 1 0 0 0 1 1 0
=
bo b1 b2 b3 b4 b5 b6 b7
ByteSub replaces each byte of the 4 x 4 matrix with a transformed byte.
CHAPTER 11. ADVANCED ENCRYPTION STANDARD
272 Shift Rows
(
The ShiftRows transformation is given by
ShiftRows
soo 81 0 820 830
so 1 8 11 821 83 1
s o2 s12 822 832
so 3 B1 3 823 8 33
)
_
(
soo su 822 833
so 1 B 12 8 23 8 30
so2 s13 820 83 1
)
s o3 s10 82 1 832
The first row is fixed, the second row is shifted one cell to the left with wrap around, the third row is shifted two cells to the left with wrap around, and the fourth row is . shifted three cells to the left with wrap around. The inverse transformation shifts the rows to the right. MixColumns MixColumns is the linear transformation
C"
MixColumns 8 2 1 831 84 1 B+1 B 1 1
CL
812 8 22 832 842 1 0+1 B 1
813 823 833 843
81 4 82 4 83 4 8 44
Ol! )
) (
8 12 8 13 8 14 82 1 8 22 823 82 4 83 1 832 833 834 8'4"1 842 843 844
)
This is an invertible linear transformation since
C(L
r
1 1 B+1 B+1 1 B B+1 B 1 1 B 1 03 + I 03 + 02 + 0 B3 + B + 1 B 3 + 02 + 1 03 + 1 B 3 + B 2 + B 0 3 + 0 + 1 B3 + B 2 + 1 B3 + 1 B 3 + B2 + B B 3 + B + 1 B3 + B2 + 1 3 3 2 B3 + 1 B +B+1 B +B +1 B3 + B 2 + B
)
over GF256 · AddRoundKey AddRoundKey, the final transformation in each of the ten rounds, is a matrix
sum
THE
(
273
RIJNDAEL BLOCK CIPHER
(
AddRoundKey soo S10 S 2o S 3o
so 1 sn S2 1 S3 1
'00 s o 1 s10 sn S 2o S 2 1 S 30 S 3 1 so 2 S! 2 S !3 S22 s23 S 32 s33
S o2 S12 S 22 S 32
s o3 S 13 S 23 S33
+
kO l k10 kn k2 o k2 1 k3o k3 1
) '"' ) " C �) ko 2 k1 2 k 13 k22 k23 k32 k33
where a modified key matrix (kij ) is generated by the key expansion algorithm for each round. Since u + u = 0 in GF256 , it follows that the inverse transfor mation adds the same matrix. I�ey Expansions
The first key matrix is constructed directly from the 128bit key where each ki is one byte, as follows kc kv kE kp
)
Ten additional key matrices are constructed by a series of transformations on the columns. The leftmost column of the each additional key matrix is : constructed by the following four steps: 1 . Apply a rotation
to the rightmost column of the previous key matrix. This can also be calculated as the matrix product
274
CHAPTER 1 1 . ADVANCED ENCRYPTION STANDARD
2. Apply the ByteSub transformation to each byte. 3. Add
(T) where i is the number of the round. 4. Add the leftmost column of the previous key matrix. This gives the left most column of the current key matrix. ··,
=
The remaining columns of the key matrix are constructed, from left to right, by adding the column to the left to the corresponding column from the previous key matrix. If we let K/ denote column j of the ith key matrix, then for j 2, 3, 4 we have j Kij = Kij  1 + Ki1 Problems 1 1 . 3
Let () b e a (fixed) root of x8 + x4 + x3 + x + 1 in GF256 · 1. Verify that 1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
2. Verify that (e4 + e)  1
1 1 1 0 0 0 1 1 =
1 1 1 1 0 0 0 1
1
mod 2 =
0 1 0 1 0 0 1 0
0 0 1 0 1 0 0 1
()7 + () 5 + ()3 + () in GF2s6 
3 . Use ByteSub to transform the byte ()4 + (). 4. Use ShiftRows to transform the matrix
(1
() () 2 ()3 ()4
o'
()2 ()4 ()6 ()6 ()9 ()8 () 1 2
)
1 0 0 1 0 1 0 0
0 1 0 0 1 0 1 0
0 0 1 0 0 1 0 1
1 0 0 1 0 0 1 0
0 1 0 0 1 0 0 1
1 0 1 0 0 1 0 0
1 1 .3.
275
THERIJNDAEL BLOCK CIPHER
5. Use MbcColumns to transform the matrix
6. Assume that the ith key is given by
Use the key expansion algorithm to generate key i + 1 . 7 . For any nonzero element u E GFpn , show that uPn  1 = 1 . 8. For any nonzero element u E GFpn , show that u  1 uPn  2 • =
Chapter 1 2
Polynomial Algorithms and Fast Fourier Transforms In this chapter, we look at different representations of polynomials and at meth ods for converting from one representation to another such as the fast Fourier transform (FFT ) .
12.1
Lagrange Interpolation Formula
A polynomial with integer coefficients is primitive if the greatest common divisor of its coefficients is 1. So 9x 2  4x + 6 is primitive while 10x 2  4x + 6 is not. Theorem 12.1 Any nonzero polynomial in Q [x] can be written uniquely as a
positive rational number times a primitive polynomial in Z [x] .
Proof. Let f (x) be a nonzero polynomial in Q [x]. Choose nonzero d E Z so that g (x) df (x) has integer coefficients. Let c be the greatest common divisor of the coefficients of g (x). Clearly g (x) jc is primitive and =
( )
g (x) f (x) = �g d (x) �d c =
So we can write any nonzero polynomial that way. Why is there only one way? Suppose we could write
f (x) f (x)
= =
rg (x) sh (x)
where r and s are positive rational numbers and g (x) and polynomials in Z [x] . Then m r (x) g h (x) = g (x) n s =
277
h (x) are primitive
278
CHAPTER 12. POLYNOMIAL ALGORITHMS AND FFTS
where m and
n
are relatively prime positive integers. So nh (x)
= mg
(x)
Because m and n are relatively prime, n must divide each coefficient of g (x) and m must divide every coefficient of h (x) . But g (x) and h (x) are primitive, so m = n = 1 . Thus rjs = 1 so r = s. It follows that g (x) h (x) . I =
For example, the polynomial � x4  � x  6 can be written as
) 2 ( 4 2 4 4 3 x  5 x  6 = 15 5x  6x  45 as the product of the positive rational 2/15 and the primitive polynomial 5x4 6x  45. The positive rational number is called the content of the polynomial. So the content of � x4  �5 x  6 3 is 2/15. The content of a polynomial is an integer exactly when the polynomial has integer coefficients. Why is that? Also, the content of a polynomial is 1 exactly when the polynomial is a primitive polynomial in Z [x] . We want to show that the content of a product of polynomials is the product of their contents. Since a polynomial is primitive exactly when its content is 1 , this says, in particular, that the product of two primitive polynomials is primitive. That result is known as Gauss 's lemma. Lemma 12.2 (Gauss's lemma) The product of two primitive polynomials in
Z [x]
is primitive.
g (x) be primitive polynomials in Z [x] . To show that f (x) g (x) is primitive, it suffices to show that if p is any prime, then p does not divide some coefficient of the product f (x) g (x) . Note that because f (x) and g (x) are primitive, then p does not divide some coefficient of f (x) , and p does not divide some coefficient of g ( x) . This means that, considering f (x) and g (x) as polynomials over the field of integers modulo p, each of them is nonzero. But the product of two nonzero polynomials over a field is not zero, so f (x) g (x) is not zero considered as a polynomial over the field of integers modulo p. That means that p does not divide some coefficient of f (x) g (x) . I
Proof. Let f (x) and
With Gauss's lemma and the preceding theorem in hand, it is easy to see that the content of the product of two polynomials is the product of their contents. Let 11 (x) and h (x) be two nonzero polynomials in Q [x] . Write 11 (x) = r1P1 (x) and h (x) rzpz (x) where r1 and rz are positive rational numbers and P1 (x) and pz (x) are primitive polynomials in Z [x] . Then =
12.1. LAGRANGE INTERPOLATIONFORMULA
279
and r1 r2 is a positive rational number and Pl (x) P2 (x) is a primitive polynomial in Z [x] . So r1 r2 is the content of !1 (x) h (x) . But r1 is the content of f1 (x) and r2 is the content of h (x) . There are only a few possibilities for a rational root of a given polynomial with integer coefficients.
Theorem 12.3 ( Rational root theorem ) If a polynomial with integer coef ficients has a rational root pf q , written in lowest terms, then p divides the constant term and q divides the leading coefficient. Proof. If the polynomial f ( x) has the root p / q , then by the division algorithm we can write f ( x) (qx  p) g ( x) + r where r is a constant. Plugging in pf q gives 0 0 g (pfq) + r, so r 0. The content of qx  p is 1 so the content of f ( x) is the same as the content of g ( x). Thus the content of g (x) is an integer, so g (x) has integer coefficients. As =
=
f (x)
=
(qx  p) g (x)
=
·
=
qxg (x)  pg (x)
it is clear that q divides the leading coefficient of f ( x) and p divides the constant I term of f (x) . (See also problem 8.) The formula k x  r· " p(x) L.....t di IT · : i=O j #i r' J =
_
.
is called the Lagrange interpolation formula after JosephLouis Lagrange (1736 1813) . It gives the unique polynomial p (x) of degree at most k whose graph passes through the k + 1 points (ri , di) in the plane. Of course we must have ri =f. rj for i =f. j. You can easily see that the polynomial x  rj Li (x) = IT r· j ;f.i •  rJ· has degree k with Li (ri)
=
1 and Li (rj)
=
0 for each j =f. i. So
diLi (x) L i k
p(x)
=
=O
is a polynomial of degree at most k such that p (ri) Example 1 2 . 4 To use the formula
" di IT x·  rJ· L.....t i=O j ;f.i r• rJ k
p(x)
=
_
=
di for each i.
280
CHAPTER 1 2�
POLYNOMIAL ALGORITHMS AND FFTS
to construct a polynomial of degree at most 5 that interpolates the data n
Xn
Yn
0 1 2 3 4 5
0 1 2 3 4 5
2 15 146 743 2514 6657
it is sufficient to define the polynomials
x  Xj pi (x) = Yi IT j=f. i Xi  Xj for i = 0, 1, 2, 3, 4, 5. These polynomials are given by (x  1) (x  2) (x  3) (x  4) (x  5) Po (x) = 2 · (0  1) (0  2) (0  3) (0  4) (0  5) 1 5 1 4 17 3 15 2 137 =  x + x  x +  x  x + 2 60 4 12 4 30 (x  O) (x  2) (x  3) (x  4) (x  5) Pl (x) = 15 (1  0) (1  2) (1  3) (1  4) (1  5) 355 3 385 2 35 = � x 5  x4 + x x + 75x 4 8 8 4 (x  0) (x  1) (x  3) (x  4) (x  5) p2 (x) = 146 . (2  0) (2  1) (2  3) (2  4) (2  5) 73 5 949 4 4307 3 781 1 2 = x + x x + x 730x 6 6 6 6 P3 (x) = 743 = = = = � ·
_
_
·
_
� �� �� �� �� �� i: :; g :;
743 5 36 407 3 9659 2 7430 x + x x 743x4 + x 12 12 2 3 (x  0) (x  1) (x  2) (x  3) (x  5) p4 (x) = 2514 ' (4  0) (4  1) (4  2) (4  3) (4  5) 25 559 2 6285 4609 17 179 419 =   x 5 +  x4   x3 + x x 4 4 4 4 2 (x  0) (x  1) (x  2) (x  3) (x  4) P5 (x) = 6657 . (5  0) (5  1) (5  2) (5  3) (5  4) 11 095 2 6657 2219 2219 15 533 X + 5 X =  X 5   X4 +  X3 40 4 8 4 Now form the sum =
_
_



12. 1 .
LAGRANGE INTERPOLATION FORMULA
281
Note that the polynomial Po (x) has value Yo at xo and is zero at x 1 , x2 , xa, In fact, each Pi has the property that Pi (xi ) = Yi , and for i =I= j,
X4 , and xs . pi (xj ) = 0.
Problems 1 2 . 1
1 . Find the content, and the corresponding primitive polynomial, of the fol lowing polynomials. 1 4 6 b. x3  x 2 + 10 2 x2  x 15 7 3 1 1 d. 14x2 21x + 35 c. x +. 3 2 a.

2. Use the Lagrange interpolation formula to find an equation of the line through the points (1, 2) and ( 3, 5). 3. Use the Lagrange interpolation formula to find an equation of the line through the points (xo, Yo) and (x 1 , YI) · Show that the equation reduces to the twopoint form
 Yo (x  xo ) Y = Yo + xY11  xo for the line through the points
4.
(xo, Yo) and (x 1 , yl ) .
Use the Lagrange interpolation formula to find an equation of the parabola that goes through the three points (0, 1), (1, 2), (2, 2).
5. Find the polynomial of lowest degree that goes through the points (2, 7), (4, 10), (7, 23) , (11, 5) by defining a generic polynomial p (x)
= a + bx + cx2 + dx3
and solving the system
p (4) = 10, p (7) = 23, p (ll) for the unknown coefficients a, b, c, d. p (2) = 7,
=
5
6. Find a polynomial over the integers modulo 101 of lowest degree that goes through the points (1, 3), (2, 51) , (4, 78), (7, 23) by defining a generic polynomial p (x) = a + bx + cx2 + dx3 solving the system
= 3, p (2) = 51, p (4) 78, p (7) = 23 for the unknown coefficients {a, b, c, d} and reducing the coefficients mod p (1)
ulo 101.
=
282
CHAPTER 12, POLYNOMIAL ALGORITHMS AND FFTS
7. Find the polynomial of lowest degree that goes through the points ( 2, 5), ( 1, 10) , (0, 8) , (1, 5), (2, 10) . 
8. Prove the rational root theorem directly by plugging in a root p/ q in lowest terms and clearing fractions. 9. Verify that the polynomial
k p(x) = L di II r·x  rr ·· i=O j "f.i • J
3 
satisfies p h)
12.2
=
di for i = 0, 1 , .
.
.
, k.
Kronecker's Algorithm
Using Theorem 12.3, we can find all the rational roots of a polynomial with integer coefficients by constructing a finite set of candidates and testing each one. The same idea can be used to find all the factors of such a polynomial. Suppose f(x) = g(x)h(x), with g (x) and h (x) polynomials with integer coefficients. If m is any integer, then f(m) and g(m) are integers and g(m) I f(m) because f(m) = g(m)h(m). To find a factor of degree at most k of a given polynomial f (x), if there is one, let ro , r1 , . . . , Tk be any k + 1 distinct integers, for example, Ti = i . If f(ri ) = 0, then x  Ti is a factor of f(x). Otherwise, let Di be the finite set of divisors of the integer f(ri ) · If g (x) is a factor of f (x), then g(ri ) E Di for i 0, 1 , 2, . . ' k. For each i select an integer di E Di and consider the polynomial =
.
k '""' g(x) L..J di rr r·x  rr · i=O j "f.i • J =
_
1.
which is the unique polynomial of degree at most k that satisfies g (ri ) di for i 0, 1, . . , k. If g(x) has integer coefficients, we test it to see if it divides f (x). Any factor of f ( x) of degree at most k will be constructed as such a polynomial g (x) from some sequence do , d1 , . . . , dk with di E Di . This idea was named after Leopold Kronecker (1823 1891) . (See Algorithm 12.1. ) The algorithm is usually very inefficient because there are so many cases to check. =
=
.
12. 2. KRONECKER 'S
Algorithm 12.1
283
ALGORITHM
Kronecker's algorithm
Input: A positive integer k and a polynomial f (x) E Z [x] Output: A divisor p (x) of f (x) of degree at most k or the message "fail"
0 to k do Yi If Yi = 0 then Return x  i
For i from
= f (i )
End If End For For di dividing
Yi do . L...... di II X  J p (x) = '"'"' i=O #i J If p (x) E Z [x] and p (x) Return p (x) k
. .
2 
divides
f (x) then
End If End For Return "fail"
Here is an example of Kronecker ' s algorithm in action. Example 12.5 Let f(x) = x 5 + x4 + 1. There are no linear factors because the only possible rational roots are 1 and 1, and f ( 1) = 3, f ( 1) = 1. If f(x) factors, then it must be the product of a polynomial of degree 2 with a polynomial of degree 3. So we need only look for a factor of degree 2. Suppose g(x) is a factor of degree 2. Using the integers r0 = 0, r 1 = 1, and r2 = 1, we see that f( 1) = 1, f(O) = 1, and f(1) = 3. It follows that
Do = { 1, 1} D 1 = {1, 1} D2 = {  1, 1,  3 , 3 } Thus there are 2 x 2 x 4 = 1 6 choices for do , d1 , and d2 , so 16 possible polynomial
divisors of degree 2. Each such polynomial divisor must be of the form
(x  O) (x  1) + d1 (x + 1) (x  1) + d (x  0) (x + 1) g (x)  do (1 (0 + 1) (0  1) 2 (1  0) (1 + 1)  0) (1  1) _
Selecting do =
1, d1 = 1, and d2 = 1, we get the possible factor (x  0) (x  1 } + (x + 1) (x  1) + (x  0) (x + 1)  1 (1  0) (1  1) (0 + 1) (0  1) (1  0) ( 1 + 1) _
284
CHAPTER 12. POLYNOMIAL ALGORITHMS AND FFTS
which is not even a polynomial of degree 2 ( but it is a factor! ) . The choices do = 1 , d 1 = 1, and dz 3 yield =
(x  O) (x  1) (x + 1) (x  1) (x  O) (x + 1) = x2 + x + 1 + +3 (1  0) (1 + 1) ( 1  0) ( 1  1) (0 + 1) (0  1) and long division shows that indeed
This method works very well for polynomials of small degree. However, the amount of time it takes is an exponential function of the degree, so it is not a practical method for polynomials of large degree. We look at one more example to show the added complexity for higherdegree polynomials. Example 12.6 Consider the polynomial
If f ( x) factors then at least one of the factors is of degree at most 4, so we need only look for a factor of degree at most 4. Choose ro 0, r1 1 , r2 � 2, r3  1 , and r4 2. Then =
=
=
=
f (0) = 6 f (1) = 169 13 2 j (2) = 4898 = 2 X 31 X 79 f (1) = 7 j ( 2) = 3350 = 2 X 5 2 X 67 =
so Do = { ±1, ±2, ±3, ±6} D 1 {±1, ±13, ±169} Dz = {±1, ±2, ±31, ±62, ±79, ±158, ±2449, ±4898} D3 = {±1, ±7} D4 {±1, ±2, ±5, ±10, ±25, ±50, ±67, ±134, ±335, ±670, ±1675, ±3350} =
=
The number of different choices for do, d1 , dz , d3 , d4 is 8 6 · 16 · 4 24 = 73728. After many failures, we will try ·
·
do
=
1, d1 = 13, dz = 79, d3 = 7, d4
=
67
12.3. NEVILLE'S ITERATED INTERPOLATION ALGORITHM
285
and get the polynomial
9 (x)
x (x  2) (x + 1) (x + 2) (x  2) (x + 1) (x + 2) = 1 (x  1)(1) + 13 1 (1  2) (1 + 1) (1 + 2) ( 2) (1) (2)
x (x  1) (x + 1) (x + 2) 7 x (x  1) (x  2) (x + 2) + (1) (1  1) (1  2) ( 1 + 2) 2 (2  1) (2 + 1) (2 + 2) x (x  1) (x  2) (x + 1) + 67 (2) (2  1) ( 2  2) ( 2 + 1) = 3x 4 + 6x 2 + 3x + 1 + 79
Long division then shows that indeed f(x) (3x4 + 6x2 + 3x + 1) {x 5 + 2x3 + 4x + 6) =
Problems 12.2
1 . Factor the polynomial f(x) algorithm. 2. Factor the polynomial f (x) 3. Factor the polynomial f(x)
=
x4 + x2 + 1 in
Z [x]
by using Kronecker ' s
= 2x5 + 4x4 + llx3 + 30x2 + 25x + 5. 2x6 + 2x5 + 3x4 + 3x3 + 3x2 + x + 1.
=
4. Verify that the polynomial f (x) = x4 + x3 + x2 + x + 1 is irreducible in Z [x] by showing that f (x) generates GF16 over GF2 • 5. Verify that f (x) x4 + 2x + 2 is irreducible. =
6x4 + 7x3 + 9x2 + 4x + 2. 7. Factor the polynomial f (x) = x 5 + 3x4 + 3x3 + 3x 2 + 3x + 2. 8. Factor the polynomial f (x) = x6 + 2x5 + 3x4 + 3x3 + 3x2 + 2x + 1. 9. Verify that f (x) x 5  x + 1 is irreducible in Z [x] by using Kronecker's algorithm. 10. Verify that f (x) x5  x + 1 is irreducible in Z [x] by showing that f (x) generates GF 243 over GF 3 . 6. Factor the polynomial f (x)
=
=
=
12.3
Neville's Iterated Interpolation Algorithm
Kronecker's algorithm uses the Lagrange interpolation formula for construct ing the interpolating polynomials. In this section we look at another algorithm for constructing an interpolating polynomial. This method first constructs in terpolating lines through pairs of points, then uses these lines to construct in terpolating quadratic polynomials through triples of points, and so forth until eventually the polynomial of degree n is constructed that interpolates all n + 1 points.
CHAPTER 12. POLYNOMIAL ALGORITHMS AND FFTS
286
{xo , x 1 , , xn � 1 , xn } be any sume p ( x) and q (x) are functions such that
Theorem 12.7 Let
•
•
•
p (xi ) = f (xi ) q (xi ) = f (xi)
and define
g
by g
Then
n+1
distinct numbers. As
(i = 0, 1, . . . , n  1 ) (i = 1, . . . , n  1, n)
 (x  xn ) p (x) (X ) = (x  xo) q (x) Xn  xo (i = 0, 1, . . . , n)
Proof. Note that
'.
 xn ) p (xo) (X0 ) = (xo  xo) q (xXo)  (xo x o n x X o n =  X  xo p (xo) = f (xo) n (x  xo) q (xn )  (xn  Xn ) p (xn ) n g ( Xn ) = Xn  Xo Xo X n = Xn  xo q (xn ) = f (xn ) and for 1 ::; i ::; n  1 we have (xi  xo) q (xi )  (xi  Xn ) p (xi ) g (Xi ) = Xn  xo (xi  xo) f (xi )  (xi  Xn ) f (xi ) Xn  xo x X o = Xn  Xo f ( xi ) = f (xi ) n g
''=''.:,__'" __:_.:.'.:_:_ ' ''
I as claimed. Neville's iterated interpolation algorithm is based on the preceding theorem.
Algorithm 12.2
Neville's iterated interpolation algorithm
Input: Integers n and {xi } �=O and function values Output: Interpolating Polynomial q (n, n) For i from 1 to n do For j from 1 to i do S et q (�. , J. )
Next j Next i Return
q (n, n)
q ( i, 0) = f (xi )
= (x  XiJ ) q (i, j  X1i)  X(xi  xi ) q ( i  1, j  1 ) j
1 2.3. NEVILLE'S ITERATED INTERPOLATION ALGORITHM
xo = 1, x 1 = 1, x2 = 3, xs = 5, and X4 = 10, q (0, 0) = 76, q (1, 0) 36, q (2, 0) = 116, q (3, 0) = 20,
Example 12�8 Set
then initialize
q (4, 0)  45. =
287
and and The interpolating polynomial can then be constructed by typing =
q (1, 1 ) = (x  xo) q (1,x0)1 (x(xo) x l ) q (0, 0 ) (x  ( 1 )) 36  (x  1) 76 =  20x + 56 = 1 _ ( _1) X (x ) q t (2, 0)  (x  x2 ) q ( 1, 0) q (2, 1 ) = X2  X t 116 1 (x (x  3 ) 36 = 40x _ 4 ) = . 31 q (3, 1) = (x  x2 ) q (3, X0)  X(x  x3 ) q (2, 0) 3 2 3 (20) (x ( x  5 ) 116 _68x + 320 ) = 53 x (x ) q ( 4, 0)  (x  x4 ) q (3, 0) s q ( 4, 1) = X4  X 3 5) (x  (x  10) (20) = 5x + 5 (45) = 10 _ 5 =
to generate the intermediate polynomials of degree 1, and typing
q (2, 2 ) = (x  xo) q ( 2 , X1)  X(xo  x2 ) q (1, 1 ) 2 (x + 1 ) (40x  4)  (x  3) ( 20x + 56) 3+1 = 15x2  20x + 41 (x  xs ) q ( 2, 1 ) q (3, 2 ) = (x  X t ) q (3, X1)  X! 3 (x  1) (68x + 320)  (x  5 ) (40x  4 ) 51 = 27x2 + 148x  85 q (4, 2 ) = (x  X2 ) q (4, X1 )  X(x  x4 ) q (3, 1 ) 4 2 5)  :'(x:: " 10)'3) + + 320) ( 68x 5x ( (x  '' �  ''10  3 = 9x2  140x + 455 
=
CHAPTER 1 2.
288
POLYNOMIAL ALGORITHMS
AND FFTS
to generate the polynomials of degree 2, and typing
q (3, 3) = (x  xo ) q (3, X2 )  x(xo  x3 ) q ( 2, 2 ) 3 (x + 1 ) ( 27x2 + 148x  85)  (x  5) (15x2  20x + 41 ) 5+1 2 7x3 + 36x  13x + 20 q (4, 3) = (x  x 1 ) q (4, X2 )  X(x  x4 ) q (3, 2 ) 4 1 (x  1 ) (9x2  140x + 455)  (x  10 ) (27x2 + 148x  85) 10  1 = 4xii  63x2 + 240x  145 _

=
for the polynomials of degree 3, and finally, for the interpolating polynomial of degree 4,
q (4, 4) (x  xo ) q (4, X3)  X(xo  x4 ) q (3, 3) 4 (x + 1 ) (4x3  63x2 + 240x  145) =
10 + 1
(x  10) ( 7x3 + 36x2  13x + 20) 10 + 1
= x4  15x3 + 50x2  5x + 5 The graph of the interpolating polynomial is shown in Figure 12.l .The linear polynomials q (i, 1 ) interpolate each pair of consecutive points as illustrated in Figure 12.2. The quadratic polynomials q (i, 2 ) interpolate each of three consecutive points (see Figure 12.3 ) and the cubic polynomials q (i, 3) interpolate each of four consecutive points (see Figure 12. 4). Example 12.9
Figure 12.1 Interpolating polynomial
Figure 12.2 Linear polynomials
12.3. NEVILLE'S ITERATED INTERPOLATION ALGORITHM
Figure 12.3 Q uadratic polynomials
289
Figure 12.4 Cubic polynomials
Problems 12.3
1.
Given two points (xo, Yo ) and (x l , Yl ) with xo =1 x 1 , show that q (1, 1) given in Neville's iterated interpolation algorithm reduces to the usual twopoint form
Yo (x  xo) Y = Yo + XY11  Xo
for a line through the two points
(xo , Yo ) and (x 1 , yl ) .
2. Find an equation of the polynomial of degree 2 that goes through the three points ( 3, 2), ( 1, 5) , and (2, 1 ) , using Neville's iterated interpolation algorithm. Plot the parabola p (x), together with the two lines q (1, 1 ) and q (2, 1). 3. Find the polynomial p(x ) of smallest degree that satisfies p( 2) = 3, p( 1 ) = 5, p(1) = 1, p(2) = 1, using Neville 's iterated interpolation algorithm. Plot the graph of p(x ) and the polynomials q (i, j) on one graph and label each of these polynomials.
4.
Recall that sin O that
=
0,
sin (� )
= cos (� )
=
�' and cos (�) = 0.
Show
f (x) _ (x  0) cos x2!:  (x0  �) sin x 2 satisfies f (0) = 0 and f un = � and f (�) = 0.
5. Use Neville's iterated interpolation algorithm to construct a polynomial p (x) of degree 2 in GF1 [x] that interpolates the points (0, 2), (1, 3), (2, 5). 6. Let 0 be a root of x4 + x + 1 in GF 1 6 · Use Neville's iterated interpolation algorithm to find a polynomial p (x) E GF 16 [x] that interpolates the three points (0, 0 + 1 ) , (1, 03 + 0) , (0, 02 + 0 + 1) .
290
1 2 .4
CHAPTER 12.
POLYNOMIAL ALGORITHMS AND FFTS
Secure Multiparty Protocols
First Trust Bank trusts its employees but not their judgment. The bank requires that n tellers must sign off on any large transaction. Employee schedules change constantly, so it is difficult to predict which n tellers might be working at any one time. Thus the bank would like any group of n tellers to have the authority to approve a large transaction, but no smaller group should have that authority. Each teller is assigned an integervalued password, and when each of n tellers submits his or her password, a central computer does a calculation based on these passwords. The following scheme allows any group of n tellers to generate a hidden key, but fewer than n tellers, even if they share their passwords, have absolutely no clue about what the hidden key might be. Let P ( x ) = a o + a 1 x + a 2 x 2 + + an  l X n  l be a polynomial of degree n 1 with integer coefficients. The hidden key is the number p ( 0 ) . The ith teller is given the secret number p (i ) . Since any collection of n distinct points determines a polynomial of degree n 1 , any group of n tellers can collectively compute p ( 0) . However, fewer than n tellers will be unable to determine the value of p ( 0 ) . Example 12.10 The coefficients of the polynomial p ( x ) = 965 785 106 67 4 + 314 427 379 054x + 353 796 761 912x2 + 940 773 378 958x3 ·
·
·


were generated by a pseudorandom number generator modulo 999 999 999 989. Ten tellers were given the passwords p ( 1 ) mod 999 999 999 989 = 574 782 626 620 p ( 2 ) mod 999 999 999 989 = 536 013 944 204 p ( 3 ) mod 999 999 999 989 = 494 119 333 240 p ( 4 ) mod 999 999 999 989 = 93 739 067 542 ( 5 ) mod 999 999 999 989 = 979 513 420 902 ( 6 ) mod 999 999 999 989 796 082 667 156 p ( 7 ) mod 999 999 999 989 = 188 087 080 107 p ( 8 ) mod 999 999 999 989 = 800 166 933 54 7 p ( 9 ) mod 999 999 999 989 = 276 962 501 312 p ( 10 ) mod 999 999 999 989 = 263 114 057 194 p
p
=
and were told to guard these numbers with their lives. The four tellers 2, 5, 6, and 8 submitted their secret numbers and the networked computer produced the calculation p ( 0 ) mod 999 999 999 989 = 965 785 106 674
291
12.4. SECURE MULTIPARTY PROTOCOLS
using Neville's iterated interpolation algorithm. The next day, tellers 1, 2, 4, and 8 submitted their secret numbers and the networked computer produced the calculation
p (0 ) mod 999 999 999 989 = 965 785 106 674 Given n equations of the form q (i, 0 ) = p (xi), it is not always necessary to determine all of the coefficients of the polynomial p (x ) . The modified Neville ' s iterated interpolation algorithm (see Algorithm 12.3 ) produces the value of p ( 0 )
directly.
Algorithm 12.3 Modified Neville ' s iterated interpolation algorithm Input: Integers n and nonzero {xi} i=O and function values q (i, 0 ) = p (xi) ' Output: q (n, n) = p ( 0 ) For i from 1 to n do For j from 1 to i do S et Next j Next i
q ( . J. ) = Xiq (i  1, j Xi 1) XiXij q (i, j  1 ) j
..:... ..;..; o__ ...::. __:_::.__:___'.::...:... _o_ _ .; _..:.;_
2,
Return q (n, n)
Example 12. 1 1 We use Algorithm 12.3 to find the yintercept of the polyno mial of degree 2 that goes through the three points (1, 5 ) , (3, 8 ) , and ( 6, 2 ) . First set xo = 1, x 1 = 3, x2 6 and q (0, 0 ) = 5, q ( 1, 0 ) 8, q (2, 0 ) = 2. Then =
=
Xoq (1, 0 ) = 3 5  1 · 8 = � q ( 1 ' 1 ) = X l q ( 0, X01)  Xo 2 31 q (2, 1 ) = X2 q (1, X0 )  XX 11 q (2, 0 ) = 6 · 86  33 2 = 14 2 · 1 ( , x q 1 q (2, 2 ) = 2 X )  xXo0 q (2, 1 ) = 6 �6  11 · 14 = 75 2 and hence the parabola goes through the point (0, t) . ·
·
Problems 12.4
1.
Assume p (1 ) = 2, p (2 ) = 4, and p (3 ) = 1. Construct two polynomials f (x ) and g (x ) of degree 3 such that f ( k ) = g ( k) = p (k) for k = 1, 2, 3, but f ( 0 ) = 0 and g ( 0 ) = 5. Plot the graphs of f and g.
292 2.
CHAPTER 12.
POLYNOMIAL ALGORITHMS AND FFTS
Four soldiers are stationed in a missile silo. Any two soldiers can authorize a missile to be fired. Use a polynomial p (x) = ax + b with coefficients chosen at random in the range 0 S: a, b < 999 999 999 989 to assign the four hidden numbers
p (1) mod 999 999 999 989, p (2) mod 999 999 999 989, p (3) mod 999 999 999 989, p (4 ) mod 999 999 999 989 Show that soldiers 1 and 2 working together generate the same value of p (0) mod 999 999 999 989 as do soldie�s 3 and 4. 3. Show that a conspiracy by n  1 tellers can learn nothing about the value p (0) . That is, if p ( x) is a polynomial of degree n  1 and the n  1 values p (1) , p (2), . . . , p (n  1) are known, then p (0) could have any possible integer value in the range 0 S: p (0) < 999 999 999 989. 4. Use the modified Neville's iterated interpolation algorithm to find the yintercept of the polynomial p (x) of degree 3 that satisfies p (2) = 8, p (3) = 4, p (5) = 7, p (9) = 2.
12.5
Discrete Fourier Transforms
The Lagrange interpolation formula and Neville's iterated interpolation algo rithm are two ways of constructing a polynomial that takes on prescribed values at certain points. Prescribing n + 1 values determines a unique polynomial of degree at most n . We usually describe a polynomial by listing its coefficients. However, it can be useful to describe a polynomial in other ways. The polynomial p(x) = (x + 1)(x  1)(x  2) is determined by any of the following descriptions:
1. 2. 3. 4.
The polynomial whose coefficients are
p(x) = x3  2x2  x + 2
1, 2, 1, and 2:
the polynomial
The monic polynomial of degree 3 whose roots are
1, 1, and 2 The polynomial p (x) of degree 3 such that p(O) = 2, p(1) = 0, p ( 2) = 0, and p (3) = 8 The polynomial p(x) of degree 3 such that p(i) = 2i + 4, p(i 2 ) = 0, p(i3 ) = 2i + 4, and p(i4 ) = 0, where i2 =  1
It takes four parameters to determine a polynomial of degree 3 . Note that, in the second description, the fourth parameter is the leading coefficient, which is taken to be 1.
1 2. 5. DISCRETE FOURIER TRANSFORMS
293
Polynomial interpolation takes us from a representation of a polynomial in terms of its function values (item 3 in the preceding list) to a representation in terms of its coefficients (item 1). In this section we will present a very fast algorithm for converting between the coefficients (item 1) and the function values at powers of a primitive root of 1 . What is a primitive root of 1? In the complex numbers, i 2 = 1, so i4 = ( 1) 2 = 1. We say that i is a fourth root of 1 . The complex number i is a primitive fourth root of 1 because in :f: 1 for n = 1 , 2, 3. Instead of the complex number i, we will use a primitive root of 1 in a Galois field GFq . The algorithm for converting from coefficients to function values is called the fast Fourier transform (FFT). The algorithm for converting from function values to coefficients is called fast Fourier interpolation (FFI) . For each sequence Xo , X 1 , , Xn1 from GFq , we can form the polynomial · · ·
f(t) = Xo + X 1 t + X2 t2 +
·
·
·
+ Xn1 tn  1
We want to compute its values at the nth roots of unity in GFq . If w is a primitive nth root of unity, then the nth roots of unity are 1, w, w 2 , , wn  1 . The values of f (t) at the nth roots of unity are . • .
f (1) Xo + X 1 + X2 + + Xn1 f (w) = Xo + X 1 W + X2 W 2 + + Xn1 Wn1 f (w 2 ) = Xo + X 1 W 2 + X2 W4 + + Xn1 W 2(n1 ) ·
=
·
·
·
· ·
·
J (wn  1 )
If we let Yk 1 1 1 1
=
=
· ·
Xo + X 1 Wn1 + X2 W2(n1 ) + . . . + Xn1 W (n1 )(n1 )
f(w k ) , then these equations can be written in the matrix form 1
1
w2 w4
w w2
wn1 w 2(n1 )
wn  1 w2(n1 )
1
xo X1 X2
Yo Y1 Y2
w
Xn
Yn
The square matrix is a Vandermonde matrix. The general Vandermonde
matrix is an n by n matrix of the form
V (a o , ar, a 2 ,
•
•
.
, a nd
=
1 1 1 1
ao a1 a2
a02 a� a�
an1 a� 1
an1 o an1 1 an1 2 n1 an1
294
CHAPTER 1 2.
POLYNOMIAL ALGORITHMS AND FFTS
In our case this matrix is
V = V (w) = V ( 1 , w, w 2 , . . . , w n  l ) 1 1 1 w 1 w2
1 wn 1 w2 (n l)
w (n l) (n  1 ) The matrix equation y = Vx gives the values yo, y1 , . . . , Yn  1 of the poly nomial f at the nth roots of 1 in terms of its coefficients xo, x 1 , x2 , . . . , Xn  l · Polynomial interpolation (calculating the coefficients of a polynomial from its values at selected points) amounts to solving the matrix equation y Vx for x. If v  l is the inverse matrix of v, then X = v  1 y. The Vandermonde matrix has a particularly simple inverse. In fact, let ( = w  1 . Then 1, (, ( 2 , . . . , (n  l are also nth roots of 1 and are equal to 1, w, w 2 , . . . , w n  l in some order. In fact, (i = wn  i . With a moderate =
amount of calculation (see problem 7) you can see that
(i
1 w wn  1
1 wn 1 w (n l:)(n 1)
) C� 1
0 n ...
1 (
1 c1
(n  1
( (n  l) (n  1 )
0 n
)
0
As ( = w 1 , it is fairly easy to see that the diagonal entries of the product are all equal to n. That the offdiagonal entries are all 0 is a consequence of the fact that w is a primitive nth root of 1. The offdiagonal entries have the form where () # 1 is an nth root of 1. But so 0 = 1 + () + ()2 + ()3 + . . . + on  1 . It follows that (V (w))  1 = n  1 V (w  1 ), so x = n  1 V(w  1 )y. Thus interpo lation is closely related to polynomial evaluation. In practice, we choose n to be a power of 2, say n 2 m . If w is a primitive =
12. 5. DISCRETE FOURIER TRANSFORMS
295
nth root of unity, then
n/ 2  l l i n/ 2  l ni """ L.J X 2�W 2i + W """ L.J Xi W = """ L.J X 2i+ I W 2 i=O i=O i=O l n/ 2  l n / 2 i i = L x2i (w2 ) + w L X2i+l (w2 ) i=O i=O
j (w) =
So f(w) can be computed by calculating two sums, each of which contains only half the original number of terms. We break the original sum into its even and odd terms, then factor w out of the odd terms. In the final algorithm, this process is repeated until each part contains only one term, which is easily eval uated. Notice that w 2 is a primitive ( n/ 2 ) th root of 1 . The resulting algorithm is recursive. Example 12.12 We will use the preceding equations to convert from coeffi
cients to function values at the 8th roots of 1 in GF1 1 . Notice that w = 2 is a primitive 8th root of 1 because w 0 = 1, w 1 = 2, w 2 = 4, w3 = 8, w4 = 16, w 5 = 15, w 6 = 13, w 7 = 9, and w8 = 1 in GF11 · We will evaluate the polynomial
f(x) = 1 + x + 2x2 + x3 + 3x4 + 2x5 + x6 + 2x7 at w i , for i = 0, 1 , 2, 3, 4, 5, 6, 7. By substituting y = x2 and z = y2 into f(x),
we get
f (x) = 1 + x + 2x2 + x3 + 3x4 + 2x5 + x6 + 2x7 = 1 + 2y + 3y2 + y3 + X ( 1 + y + 2y2 + 2y3 ) = 1 + 3y2 + y ( 2 + y2 ) + X ( 1 + 2y2 + y ( 1 + 2y2 )) = 1 + 3z + y ( 2 + z ) + x ( 1 + 2 z + y ( 1 + 2z )) We evaluate each of the four polynomials 1 + 3z, 2 + z, 1 + 2z, and 1 + 2z at z = 1 and z =  1 to get 1 + 3z 2+z 2+1=3 1+3=4 1  3 = 2 2  1 = 1
+ 2z 1+2=3 1  2 = 1
1
1 + 2z 1+2=3 1  2 = 1
At the next layer, the two polynomials 1 + 2y + 3y2 + y3 = 1 + 3z + y ( 2 + z ) and 1 +y + 2y2 + 2y 3 = 1 + 2z + y ( 1 + 2z ) are evaluated at y = w 0 = 1 ( using z = 1 ) , y = w2 = 4 (using z = 1), y = w4 =  1 ( using z = 1 ) , and y = w 6 = 4 (using z =  1 ) to get 1 + 2z + y ( 1 + 2z ) 1 + 3z + y ( 2 + z ) 3 + 1 (3) 7 1 wo 4 + 1 ( 3) 6 w2 2 4 2 + 4 ( 1 )  1 + 4 ( 1 ) 5 1 3  1 (3) w46 0 4  1 (3) 1 w 3 6  1  4 ( 1 ) 2  4 ( 1 ) 4
296
CHAPTER 1 2.
POLYNOMIAL ALGORITHMS AND FFTS
Finally, we evaluate the original polynomial f (x) = 1 + x + 2x2 + x 3 + 3x4 + 2x5 + x6 + 2x 7 = 1 + 3 z + y (2 + z) + x (1 + 2z + y (1 + 2z))
at x = w i , for i = 0, 1, 2, 3, 4, 5, 6, 7, to get
X = w1 = w2 = w3 w4 = w 56 = w = w1 =
f (x) 7 + 6 = 13 2 + 2 (12) = 9 1 + 4 (0) = 1 1 1 1 + 8 (3) 76 = 1 2  2 (12) = 12 1  4 (0) = 1 1 1  8 (3) = 4 The following FFT algorithm uses the fact that wn+k primitive 2nth root of 1.
wo
1 2 4 8 1 2 4 8
w k if w is a
Algorithm 12.4 FFT algorithm Input: N a power of two, w a primitive Nth root of one,
X = (xo, X 1 , X2 , . . . , XN  1 ) (yo , Yl > y2 , . . . , YN  1 ) where Yi = Xo + X 1 Wi + X2 (wi ) 2 +
Output: y =
·
·
Function FFT(N, x, w) If N = 1 then Set Yo = x o else Set n = N/2 Set xeven = (xo, x2 , X4 , . . . , X2n  2 ) Set xodd = (Xt, X 3 , X5 , . . . , X2nd Set yeven = FFT (n, xeven, w 2 ) Set yodd = FFT(n, xodd, w 2 ) Do for k = 0 to n  1
·
+ XN  1
(wi ) N  1
Yk = yevenk +wk yoddk Yn+k = yevenk w k yoddk
Loop End If Return y = (yo , Y1 , Y2 , . . . , YN  1 )
The FFT algorithm we gave is recursive so a lot of bookkeeping was done for you. To implement this algorithm without recursion requires some care. We illustrate with n = 8. We start with the polynomial f ( t ) = Xo + X 1 t + X 2 t 2 + X3 t3 + X4 t4 + Xst5 + X6 t6 + X 7 f
297
12. 5. DISCRETE FOURIER TRANSFORMS
and want to compute the function values
f ( 1 ) = Xo + X 1 + X2 + X3 + X4 + X5 + X6 + X7 f (w) = Xo + X 1 W + X2 W2 + X3W3 + X4W4 + X5 W5 + X5W 6 + X7W7 f (w2) = Xo + X 1 W2 + X2 W4 + X 3W 6 + X4 + X5 W 2 + X6 W4 + X7W6 j (w 3 ) = Xo + X 1 W 3 + X2 W6 + X3 W 9 + X4 W 4 + X5 W 7 + X6 W 2 + X7W 5 f (w4 ) = Xo + X 1 W4 + X2 + X3W4 + X4 + X5 W4 + X6 + X7W4 f (w5 ) = Xo + X 1 W5 + X2 W2 + X3 W 7 + X4W4 + X5 W + X6 W 6 + X5W 3 f (w 6 ) = Xo + X 1 W6 + X2 W4 + X3W 2 + X4 + X5 W6 + X5W4 + X6W 2 f (w 7 ) = Xo + X 1 W7 + X2 W 6 + X3 W5 + X4W4 + X5 W 3 + X6 W 2 + X6 W The algorithm has two phases: a permuting phase and a combining phase. In the permuting phase, we rearrange (permute) the sequence xo, x 1 , X2 , X3 , X4 , X 5 , X6 , X7 so that it becomes xo, x4 , x2 , X6 , x l , x5 , x3 , x7 as shown in Figure 12.5. Permute
xo X4 X2 X6 X1 X5 X3 X7
xo X1 X2 X3 X4 X5 X6 X7
Permutation phase The permuted indexes, 0, 4, 2, 6, 1, 5, 3, 7 are obtained from the original indexes, 0, 1, 2, 3, 4, 5, 6, 7, by reversing their binary representations: 1 = 001 2 becomes 1002 = 4, while 2 = 0102 becomes 0102 = 2, and so on. For n = 16, we use four bits for the binary representation, so the sequence Figure 12.5
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 becomes
0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 1, 15 In the combining phase, we work on a sequence Yo, Y l , Y2 , y3 , Y4 , y5 , Y6 , Y7 which is initially equal to xo, x4 , X2 , X6 , X l , x5 , x3 , x7 and is then repeatedly modified. There are log2 n steps. For n = 8, there are three steps. In step k, the two entries
are replaced by
Yi
and
Yi+2 kl
and
Yi  w in/ 2 k Yi+2 kl
CHAPTER 1 2.
298
POLYNOMIAL ALGORITHMS AND FFTS
for each i such that i mod 2 k < 2 k first three steps are Step 1 Step 2 Step 3
(yi , Yi+d (yi , YH 2 ) (yi , Yi+4 )
+ + +

l
.
Note that
wm = 1 if n divides m.
(Yi + Yi+l , Yi  Yi+d (Yi + win/4 Yi+2 , Yi  win/4 Yi+2 ) (Yi + win/ 8 Yi+4 , Yi  win/ B Yi+4 )
The
for i mod 2 = 0 for i mod 4 = 0, 1 for i mod 8 = 0, 1, 2, 3
For n = 8, this is for i mod 2 = 0 for i mod 4 = 0, 1 for i mod 8 0, 1 , 2, 3
Step 1 Step 2 Step 3
=
Here is a picture of the three combining steps for n
:X:
a+b ab a+b ab a+b ab a+b ab
:X: :X:
X
Figure 12.6
8: Combine
Combine
Combine
xo X4 X2 X6 X1 X5 X3 X7
=
� �
a+b
a + w2 b ab a  w2 b
a+b
a + w2 b ab
a  w2 b
Combination phase
Here are the contents of Yo , Y l , Y2 , y3 , y4 , y5 , Y6 , Y7 after each step:
Yo Y1 Y2 Y3 Y4 Y5 Y6 Y1
xo
Step 1 xo + x4
Xo  X4 x 2 + x6 X2  X6 X 1 + X5 X 1  X5 xa X3 + x1 X7 X3  X7 X4 X2 X6 X1 X5
Step 2
Xo + X2 + X4 + X6 Xo + W� X2  X4  W � X6 Xo  X2 + X4  X6 :.! Xo  W � X2  X4 + W X6 X 1 + X3 + X 5 + X 7 X 1 + W:.! X3  X5  W :.! X7 X 1  X3 + X5  X7 X 1  W:.! X3  X5 + W :.! X7
a+b a + wb' a + w2 6 a + w3Q ab " a  wb� a  w2b' a  w3b'
1 2.5. DISCRETE FOURIER TRANSFORMS
299
Step 3 Xo + X 1 + X2 + X3 + X4 + X5 + X6 + X7 Xo + X 1 W + X2 W:.! + X3W;j + X4W4 + X5 W5 + X6 Wtl + X7W7 Xo + X 1 W:.! + X2 W4 + X3 Wtl +x4 + X5 W:.! + X6 W4 + X7Wtl Xo + X 1 W;j + X2 Wtl + X3Wli + X4W4 + X5 W·r + X6 W:.! + X7W5 Xo + X 1 W4 + X2 + X3 W4 + X4 + X5 W4 + X6 + X7W4 Xo + X 1 Wt> + X2 W:.! + X3 W1 + X4 W4 + X5 W + X6 W0 + X6 W;j Xo + X 1 W0 + X2 W4 + X3W:.: + X4 + X5 W0 + X6W4 + X6W:.: Xo + X 1 Wr + X2 W0 + X3 Wt> + X4 W4 + X5 W;:s + X6 W:.: + X6 W We repeat the previous example.
Yo Yl Y2 Y3 Y4 Ys Y6 Y7
Example 12.13 Let p = 17 and notice that
w = 2 is a primitive 8th root of 1 modulo p. To evaluate the polynomial X (t) = 1 + t + 2t2 + t3 + 3t4 + 2t5 + t6 + 2t1
at each of the powers w 0 = 1 , w 1 = 2, w6 = 13, w7 = 9 we proceed as follows:
w2
= 4,
= 8,
w3
w4
= 16,
Permute
xo = 1 X1 = 1 X2 = 2 X3 = 1 X4 = 3 X5 = 2 X6 = 1 X7 = 2
1 3 2 1 1 2 1 2
Figure 12.7
Combine
Combine
1 3 2 1 1 2 1 2
X: X: X:
X
Figure 12.8
Permutation Phase
4 15 3 1 3 16 3 16
i i
Combination phase
Combine
7 2 1 11 6 12 0 3
13 9 1 1 1 12 1 4
w5
= 15,
300
CHAPTER 12.
POLYNOMIAL ALGORITHMS AND FFTS
We conclude that
Problems 12.5
1 . Describe the polynomial f (x ) = 3 (x + 1) (x  2) (x  5) in terms of (a) (b) (c) (d)
its coefficients, its vah1es at x = 0, 1, 2, 3, its values at x = i, i 2 , i 3 , i4 , where i2 = its zeros and its leading coefficient.

1
,
2. Repeat the preceding problem with f ( x ) = x  x3 . 3. Use the nonrecursive FFT algorithm to compute f (wi ) for i = 0, 1 , 2, 3, 4, 5, 6, 7 where f (t) = t and w is a primitive 8th root of 1 . Verify your answer by direct evaluation. 4. Repeat the preceding problem with f ( t) = t2 . 5. Use the nonrecursive FFT algorithm to compute f (wi ) for i = 0, 1 , 2, 3, 4, 5, 6, 7 in GF1 7 for = 2 and f ( t) = 3 + 6t + 4t2 + 5t4 + t6 + 8t7. Verify your answer by direct evaluation modulo 17. w
6. Repeat the preceding problem in GF4 1 with w = 3. Verify your answer by direct evaluation modulo 41. 7. Let
w
be a primitive nth root of 1 in a field. For ( = w  1 , show that
(j
1
w
wn1
wn1
w
1
)C
1
1
1
,
(
� (n1
( (n  1 �(n1) .
0 n ...
�u n
,
)
0
8. Verify the equation in the previous problem directly for complex number i.
w
equal to the
12. 6. FAST FOURIER INTERPOLATION
301
9. Show that 1 1 1
det
a6 ar a�
ao 0!1 a2
= IJ (ai  ai ) i >j
1 O!n 1 a�  1 10. Verify that det
( :) 1 1 1 2 1 3
�
(3  2) (3  1) (2  1)
by evaluating both sides. 11. Let () be a root of x4 + x + 1 in GF 16 . Verify that det
(
1 1 1
1 ()
rP
by evaluating both sides.
12.6
Fast Fourier Interpolation
The fast Fourier transform is a quick way to transform coefficients into function values. The reverse process, going from function values to coefficients, is called interpolation (see page 294) . It is a remarkable fact that interpolation can also be done with the fast Fourier transform. This is so because if y = V ( w) then n  1 v (w  1 ) y Note that if w is a primitive nth root of 1, then so is w 1 . The fast Fourier interpolation algorithm is simply the FFT with one addi tional step. x
=
=
x,
Algorithm 12.5 Fast Fourier interpolation Input: N a power of two, w a primitive Nth root of one, Y
Output:
x
( yo , YI .
·
·
·
, YN  1 )
= (xo , x 1 , . . . , XN  d such that ·) 2 Yi = Xo + x 1 w ' + X2 (w• + ·
Function FFI(N, y, w) Return x = N 1 FFT (N, y, w  1 )
·
·
·
· N + XN  1 (w• )  1
CHAPTER 1 2. POLYNOMIAL ALGORITHMS AND FFTS
302
Example 12.14 Consider the polynomial x (t) = xo + x 1 t + x 2 t2
X N  1 t N  1 with given function values
�
+
·
· ·
+
g�� : �3 � g�� : � � g�� : � � g�� : �2
We use FFI to find the coefficients of the polynomial x (t) . We first apply the permutation phase to get Figure 12.9. Permute
5 13 7 2 3 9 0 12
Yo = 5 Y1 = 3 Y2 = 7 Y3 = 0 Y4 = 13 Ys = 9 Y6 = 2 Y1 = 12 Figure 12.9
Since w 1 12.10.
=
2  1 mod 17
=
Combine
5 13 7 2 3 9 0 12
:X
:8:
:X
:8:
Permutation phase
9, we have the combination phase given by Figure Combine
Combine
1 9 9 5 12 11 12 5
� �
10 6 9 12 7 8 0 14
Combination phase Multiplication of the last column by s 1 mod 17 = 15 yields 0 0 10 14 16 9 1 15 3 mod 17 = 15 11 13 2 16 9 5 6 Figure 12.10
0 10 9 1 3 2 9 6
303
12� 6. FAST FOURIER INTERPOLATION
As a check, we evaluate the polynomial y
(t) = 14t + 16t2 + 15t3 + llt4 + 13t5 + 16t6 + 5t1
at powers of 2 and note that the results
produce the initial coefficients. Is the FFT really fast? Let's see how long it takes to do a Fourier transfor mation without it. Let F be a field,
= Yo + Y1 t + Y2 t2 + + Yn  l tn  l a'polynomial of degree at most N  1 with coefficients in F, and w a primitive Nth root of one in F. We need to evaluate f (wi ) for i = 0, 1, . , N  1. The most efficient way to evaluate f (t) at an element a in F is by nesting. We illustrate with N = 8: f (t)
· · ·
. .
You can see that this computation requires seven additions and seven multipli cations for a polynomial of degree at most seven. For a polynomial of degree at N  1, it requires N  1 additions and N  1 multiplications, a total of 2N  2 steps. So evaluating f (wi ) for i = 0, 1, , N  1 in this way requires N (2 N  2) = 2N (N  1) steps. How many steps does it take to do these computations with the FFT? Let en be the number of steps the FFT algorithm takes for a polynomial of degree at most n  1. Recall that for the FFT, the number n is a power of 2. The basic equation for the recursive algorithm is .
.
.
Cn = 2Cn/2 + 4 2n
The first 2 is because the FFT algorithm for n calls the FFT algorithm for n/2 twice. The term 4 (n/2) is for the four operations, two multiplications, one addition, and one subtraction, each performed n/2 times after the two calls to the FFT algorithm for n/2. By iterating this equation we get
2cn/2 + 4 2n = 2cn/2 + 2n 2 (2cn/4 + 4 �) + 2n = 2 2 cn/4 + 4n 2 2 ( 2cn/8 + 4 i) + 4n = 23 cn/8 + 6n The pattern is now fairly clear. For each i from 1 to log2 n we have Cn
304
CHAPTER 12.
POLYNOMIAL ALGORITHMS AND FFTS
In particular, when i = log2 n we get Cn
But
= nc1 + 2n log2 n
c1 = 0 because there are no operations involved in the first step. Cn = 2n log2 n
So
What about the computation of the powers w k in the loop? The most efficient thing to do is to calculate all N/2 of these powers at the beginning, before enter ing the recursive FFT algorithm. This will require N/2  1 more multiplications in addition to the CN steps of the recursive algorithm, so the total number of steps is N 2  1 + 2N log2 N Compare these two numbers when N transform takes
=
1024.
The straightforward Fourier
2N (N  1) = 2 · 1024 · 1023 = 2, 095, 104 steps, while the fast Fourier transform takes N
2
 1 + 2N log2 N = 511 + 2 · 1024 · 10 = 20, 991
steps. Suppose F is a field and w E F is a primitive Nth root of 1. For example, the field GFp has a primitive Nth root of 1 if p  1 is divisible by N. If N is a power of 2, then the FFT and FFI algorithms can be combined to produce a fast multiplication for polynomials f (t) and g (t) in F [t] whose product has degree less than N. Here is how you do it. Let f and g be the lists of coefficients of f (t) and g (t). First form the Fourier transforms and
FFT (N, g , w) = (g (w0 ) , g (w 1 ) , . . . , g (w N  1 ) ) Then take the componentwise product of these two transformations Finally, = FFI (N, y, ) gives the list of coefficients of the product f (t) g (t) of the two polynomials. Why is this faster than ordinary multiplication of polynomials? Suppose the degrees of f (t) and g (t) are N/2 and N/2 1. The polynomials have N/2+ 1 and N/2 coefficients, so ordinary multiplication requires N2 j4+ N/2 multiplications in the field F. We have to sum these N2 /4 + N/2 products into N sums, so x
w
12.6. FAST FO URIER INTERPOLATION
305
the number of additions required is N2 I 4 + N12  N = N 2 I 4  N12. Thus the total number of operations is N2 12 . With fast multiplication of polynomials, we have three Fourier transforms and N multiplications in the field. The number of steps in a fast Fourier trans formation is N12  1 + 2N log2 N. For N 1024, this last number is 20 991, so the number of steps for the fast multiplication is 3 20 991 + 1024 = 63 997, while the number of steps for ordinary multiplication is 10242 12 524 288. =
·
=
=1+ 5t + 3t2 + t4 and g (t) = 3 i+ 5t + 4t4 in GF1 1 [x] by using FFT to evaluate each of these polynomials at w for i = 0, 1, 2, 3, 4, 5, 6, 7, where w 2; then using pointwise multiplication to get the function values of the product at wi for i = 0, 1, 2, 3, 4, 5, 6, 7; and then using FFI to get the coefficients of the product. , We first apply FFT as iri Example 12.13 to get function values of f (t) = 1 + 5t + 3t2 + t4 and g (t) = 3 + 5 t + 4t4 , then calculate products to generate Example 12.15 We compute the product of the two polynomials f (t) =
the following table:
f (2i )
i
g
10 5 2 11 0 2 13 16
0 1 2 3 4 5 6 7
(2i ) 12 9 10 5 2 6 4 10
f (2 i ) g (2i )
1 11 3 4 0 12 1 7
To calculate the coefficients of f (t) g (t), we use FFT with w 9 as in Example 12.14 to get the polynomial f (t) g (t)
=

1 = 2 1 mod 17 =
3 + 3t + 15t3 + 7t4 + 8t5 + 12t6 + 4t8
Problems 12.6
1.
Find a prime of the form p = 2 5 k + 1, and then find an element w in GFp of order 2 5 .
2.
Verify that p 2 5 29 + 1 = 929 is a prime. Calculate a29 " 24 mod 929 for a few values of a until you find one such that a29 " 24 mod 929 =f 1. Use that to construct an element of order 32 = 2 5 in GF9 29 •
3. 4.
=
Observe that 2 8 + 1
28 .
=
2 5 7 is a prime.
Find a prime of the form p of order p  1.
=
Find an element w in GF257 of order
2n + 1 for n > 8.
Find an element w in GFp
306
CHAPTER 12.
POLYNOMIAL ALGORITHMS AND FFTS
5. Verify that p = 1 + 2 30 3 7 5 8 73 · 1 1 2 · 13 · 172 · 19 · 23 is a prime. Find an element of order p  1 in GFv Use this to find an element of order 230 in GFv6. Show that if w is a primitive nth root of 1, then w 1 is also a primitive nth root of 1 . 7 . Let w be a root of f (x) = x 5 + 2 x + 1 in GF243 · Show that w is a primitive 242nd root of 1 . Find w  1 . What is the minimal polynomial of w 1 ? ·
·
·
8. With reference to the discussion on page 303, prove by induction on i that the formula Cn = 2i cn; z; + 2in is correct for i = 1, 2, . . . , log2 n. 9. Let f (t) ana g (t) be polynomials of degrees a and b with coefficients in a field. Show that multiplication of f (t) by g (t) requires (a + 1 ) (b + 1 ) multiplications of field elements, and ab additions of field elements. 10. How many steps does the fast Fourier transform take for N = 2048? How does this compare to the number of steps for N = 1024?
Appendix A
Topics in Algebra and Number Theory The application of algebra to codes, ciphers, and discrete algorithms relies on several topics in algebra and number theory. These topics are introduced in the text, but we collect some of the basic definitions and properties together here for easy reference.
A. l
Number Theory
Number theory is the study of the integers, . . . , 3, 2, 1 , 0, 1, 2, 3, . . . , and how they behave under addition and multiplication. Often we deal with just the nonnegative integers, 0, 1 , 2, 3, . . . , or with the positive integers, 1 , 2, 3, 4, . . .. We say that an integer n divides an integer m, and write nlm, if there is an integer a such that na = m. We also say that m is a multiple of n or that n is a divisor of m . If a and b are integers that are not both zero, then the greatest common divisor d of a and b is the largest of the common divisors of a and b. We write the greatest common divisor of a and b as d = gcd ( a, b). Euclid gave an algorithm to compute the greatest common divisor over 2000 years ago, and this is still used extensively. The Euclidean algorithm takes only a modest number of steps to compute gcd (a, b). An integer p > 1 is a prime if its only positive divisors are 1 and p. The first five primes are 2, 3, 5, 7, and 1 1 . Primes, especially very large primes, play a very important role in cryptography. An integer n > 1 that is not prime is called a composite. The first five composites are 4, 6, 8, 9, and 10. The fundamental theorem of arithmetic says that factorization of positive integers into primes is unique. Of course 2 2 3 and 2 3 2 are both ways of writing 12 as a product of primes, but they are not essentially different. The product is unique if we arrange the primes in order of size. Theorem ( The Fundamental Theorem of Arithmetic ) Every integer greater than 1 is either a prime or can be written uniquely as a product of primes. 307 ·
·
·
·
308
APPENDIX A. TOPICS IN ALGEBRA AND NUMBER THEORY
Modular arithmetic provides many powerful tools. If n and m are integers with m > 0, then we define n mod m n  ln /mJ m, where Ln/mJ is the largest integer that is less than or equal to n/ m. Note that n mod m is the remainder when dividing n by m. For each positive integer m, this determines a congruence relation, on the integers. We say a is congruent to b modulo m and write a = b if a mod m b mod m, or equivalently, if m divides the difference a  b. The Chinese remainder theorem is a statement about simultaneous congruences. Theorem (Chinese Remainder Theorem) Let m1 , m2 , . . . , mr be pair wise relatively prime positive integers. Then the system x = ai (mod mi ) , i = 1 , 2, . . . , r has a unique solution modulo m1m2 mr . Codes, ciphers, and discrete algorithms are often based on the computa tional complexity of "hard" problems, such as the integer factorization problem in number theory. Among the important theorems and techniques in num ber theory we present in this text are the Euclidean algorithm, Fermat's little theorem, Euler's theorem, the principle of mathematical induction, Wilson's theorem, and the Chinese remainder theorem. The theorems and techniques of number theory are so pervasive in cryptography that if we gave any reasonably complete summary here of pertinent parts of the field, we would essentially be repeating this entire text. =
=
·
· ·
For further information about number theory and how it relates to codes, ciphers, and discrete algorithms, see the following items in the index: a  1 mod m; a = b mod m; Absolute value; Carmichael numbers; Ceiling; Chinese Remainder Theorem; Common divisor; Complete residue system; Composite; Congruence class; Congruence relation; Congruent; Disjoint cycles; Division algorithm for integers; Divisor; Euclidean algorithm; Euler phi function; Euler's theorem; Fermat's last theorem; Fermat's little theorem; Floor; Fundamental theorem of arithmetic; Greatest integer; Induction; Integer; Inverse modulo m; Least common multiple; Least nonnegative residue sys tem; Mathematical induction; Method of exhaustion; Miller's test; Modular arithmetic; Mod function; Modular representation; Non negative integer; Pairwise relatively prime; Pascal's triangle; Pos itive integer; Primality testing; Prime; Principle of mathematical induction; Probabilistic primes; Pseudo prime; Rabin's probabilistic primality test; Reduced residue system; Relatively prime; Residue system; Sieve of Eratosthenes; Systems of linear equations modulo n; Wilson's theorem.
A.2
Groups
A group is a basic algebraic system. The theory of groups is one of the oldest branches of algebra, and has applications in many areas of science as well as in other parts of mathematics. A binary operation on a set is a way of putting two elements of a set together to get a third element of that set; that is, a binary
A.2.
GROUPS
309
operation on a set S is a mapping S x S S. A group is a set with a particular kind of binary operation on it. Here is a formal definition. Definition A group is a nonempty set G with one binary operation, often indicated simply by juxtaposition of elements of G, such that 1 . a(bc) = (ab)c for all a, b, c in G. 2. There is an element 1 in G such that a1 = 1a = a for all a in G. 3. For each a in G, there is an element a  1 in G such that aa  1 = a  1 a = 1. The group is commutative if (4.) holds: 4. ab = ba for all a, b in G. The group is cyclic if (5.) holds: 5. There is an element g E G such that every element a E G can be written as a = gm for some integer m, positive, negative, or zero. Here the convention o is that g  m = (g 1)m and g = 1 . If G is a finite group, the number o f elements of G is called the order of the group G. If a is an element of a finite group G, there is a smallest positive integer t such that at = 1. This integer is the order of the group element a. If 8 is a subset of G for which ab E 8 and a  1 E S for every pair of elements a, b E S, then S is a group under the operation of G. Such an S is called a subgroup of G. If a E G has order t, then (a) = {1, a, a2 , a3 , , at  l } is a subgroup of G. Note that (a) is a cyclic group. Also note that the order of a and the order of (a) are the same, so the two uses of the word "order" are consistent. Here are two basic facts relating the orders of groups and of their elements and subgroups: Theorem {Lagrange) If 8 is a subgroup of the finite group G, then the order of S divides the order of G. Applying Lagrange's theorem to the case S = (a) gives the following. Theorem If a is an element of a finite group G, then the order of a divides the order of G. Example Here are several important examples of groups: The integers form a group under addition. This is an infinite group. The integers mod m form a finite group under addition. The set of permutations of {0, 1, 2, . , n} forms a finite group under the operation of concatenation. For further information about groups and how they relate to codes, ciphers, and discrete algorithms, see the following items in the index: Commutative group; Cyclic group; Group; Group of symme tries; Inverse permutation; Lagrange ' s theorem; Multiplicative group of a field; Order of a group; Order of a group element; Permutation; Product of permutations; Subgroup; Symmetric group. +
•••
•
•
•
. .
310
APPENDIX A. TOPICS IN ALGEBRA AND NUMBER THEORY
A.3
Rings and Polynomials
In a ring you can add, subtract, and multiply.
Definition A ring is a set R with an addition and a multiplication satisfying
1. a + (b + c) = (a + b) + c for all a, b, c in R 2. a + b = b + a for all a, b in R 3. there is an element 0 in R such that a + 0 = a for all a in R 4. for each a in R there exists a in R such that a + (a) = 0 5. a(bc) = (ab)c for all a, b, c in R 6. a(b + c) = ab + ac for all a, b, c in R A ring R is a ring with identity if
7. there is an element 1 in R such that A ring R is commutative if 8.
1a = a1 = a for all a in R
ab = ba for all a, b in R
Example Here are several important examples of rings: •
•
•
The integers are a commutative ring with identity; The 2 x 2 matrices over the integers with the usual matrix addition and multiplication form a noncommutative ring with identity. The set of even integers is a commutative ring without an identity.
Consider polynomials with coefficients in an arbitrary ring. Given two poly nomials
a o + a 1 x + a 2 x 2 + + a n xn f(x) g(x) = bo + b1 x + b2 x2 + + bm xm ·
· ·
·
·
·
we add them by adding their coefficients. The coefficient of xi in the sum f(x) + g(x ) is ai + bi , where we set ai = 0 if i > n and bi = 0 if i > m. The coefficient dk of x k in the product f(x) g(x) is given by ·
dk = L ai bi i+j= k that is do = ao bo , d1 = ao b1 + a 1 bo , d2 = ao b2 + a 1 b1 + aob2 , . . . , dm+ n 1 = an  l bm + an bm  1 , and dm+n = an bm . This is the product you get if you simply multiply f (x) and g (x) using the usual laws. •
The set of polynomials with coefficients in a commutative ring with iden tity is itself a commutative ring with identity.
A.4. FIELDS
311
Of particular interest is the ring F [x] of polynomials over a field F (see next section) . Note that a polynomial of degree greater than zero does not have a multiplicative inverse.
•
For further information about rings and polynomials and how they relate to codes, ciphers, and discrete algorithms, see the follow ing items in the index: Commutative ring; Division algorithm for polynomials; Extended Euclidean algorithm; Generator polynomial. Greatest common divisor of integers; Greatest common divisor of polynomials; Greatest integer; Irreducible polynomial; Kronecker's algorithm; Lagrange interpolation; Minimal polynomial; Neville ' s it erated interpolation algorithm; Polynomial division; Polynomial di vision algorithm; Polynomial interpolation; Polynomial remainder; Polynomial ring; Primitive element; Primitive polynomial; Primitive root; Rational root theorem.
A.4
Fields
In a field you can add, subtract, multiply, and divide. Definition A field is a set F with an addition and a multiplication satisfying 1. a + (b + c) = (a + b) + c for all a, b, c in F
2. a + b = b + a for all a, b in F 3. There is an element 0 in F such that a + 0 = a for all a in F
4. For each a in F there is an element a in F such that a + (a) = 0
5. a(bc) = (ab)c for all a, b, c in F 6. ab = ba for all a, b in F 7. There is an element 1 in F such that a1 = a for all a in F 8. a(b + c) = ab + ac for all a, b, c in F, and 9. For each nonzero a in F there is an element a  l in F such that aa l = 1. Example Here are several important examples of fields: •
•
Take F to be Zp = {0, 1, 2, . . , p  1} with addition and multiplication modulo p, then Zp is a field. This field is also denoted by GFp, and called the Galois field of order p. .
The rational numbers Q form a field as do the real numbers JR, and the complex numbers C. These three fields are infinite. The applications to codes, ciphers, and finite algorithms in this text rely primarily on finite fields.
312
APPENDIX A. TOPICS IN ALGEBRA AND NUMBER THEORY
The following idea of how to construct a field from a field and an irreducible polynomial is due to Kronecker. •
Let F be a field and h (x) an irreducible polynomial of degree m in F [x] . Define K to be the set of congruence classes of polynomials in F [x] modulo h (x) . Let B be the congruence class of the polynomial x, so if f (x) E F [x] , then the congruence class of f (x) is f (B) . Define multiplication in K by setting f (B) g (B) = r (B) where r (x) = ( f (x) g (x) ) mod h (x) . This turns the set K into a field. If F is a finite field of order q, then the order of K is qm . For further information about fields and how they relate to codes, ciphers, and discrete algorithms, see the following items in the index: Binary representation of field element; Cayley table; Fast Fourier in terpolation; Fast Fourier transform; Field; Galois field; GFp; GFpn ; Multiplicative group of a field; Primitive element; Primitive polyno mial; Primitive root; Splitting field.
A.5
Linear Algebra and Matrices
A matrix is a rectangular array of numbers or other algebraic expressions that can be added and multiplied. One application of matrices is to keep track of coefficients of linear equations. They are used in many ways in all of the mathematical sciences. The horizontal lines of a matrix are called rows and the vertical lines are called columns. A matrix with m rows and n columns is called an mbyn matrix. If either m = 1 or n = 1 , the matrix is also called a vector. The product of an m x k matrix with a k x n matrix
is the m x n matrix C= Cm 2
where the ij th entry of C is given by Cij = �;= l air brj .
A.5. LINEAR ALGEBRA AND MATRICES
313
The n x n identity matrix is
The inverse of an n x n matrix A is an n x n matrix B such that AB = I. The inverse is denoted B = A  l . A system of m linear equations in n variables
a u x 1 + a 1 2 X2 + a2 1 X 1 + a22 X2 +
·
·
· ·
·
·
a 1 n Xn + a 2 n Xn +
=
b1 b2
can be represented by the matrix equation
or by the augmented matrix
A system of linear equations can be solved by a series of steps (1) add a multiple of one equation to a second equation, (2) interchange two equations, or (3) multiply both sides of an equation by a nonzero constant. Applied to a matrix, this method is called row reduction. The object of row reduction is to end up with a matrix such that the first nonzero entry in each row is 1 (the leading 1) and the leading 1 in each row is to the right of the leading 1 in the previous row, as in the matrix 1 0 0 0 0
0
0
0
1
dl d2 d3 d4
0
0
0
0
dn
C1 2 C13 C1 4 C1 5 1 C1 5 C25 0 1 C35 0 0
314
APPENDIX A. TOPICS IN ALGEBRA AND NUMBER THEORY
Such a matrix is said to be in row echelon form. To get the solution of the system of linear equations, reinterpret each row of the matrix as an equation and use back substitution. If the last nonzero row is
(0 0 it follows that
Xj  1
, Xn
1
=
Cij n k=j
di  L Cik Xk
where x1 , . . . can be assigned arbitrary values. You get a similar equation for each variable corresponding to a column with a leading 1, which you can evaluate working from the last nonzero row to the first. The variables corresponding to columns without a leading 1 can be assigned arbitrary values. A system of n linear equations in n variables can be solved by using an inverse matrix, if you have one. If
then
provided there is an inverse matrix. The affine transformation given by a matrix and a vector b is the map taking to y = b. When such a transformation is used for encryption, we need to be able to reverse it. This can be done when is invertible, in which case = (y  b) . The determinant function associates with every square matrix a unique number det obtained as the sum and difference of certain products of the entries. The determinant of the n x n matrix ( is
x
x A 1 A
A
Ax+
A
A
aij) det ( aij) L (  1 tgn(a ) a a( )a2a(2) ana(n l l ) =
·
0"
·
·
)sgn(a)
= ±1, where ranges over all the permutations of {1, 2, . . . , n } and (  1 depending on whether permutes an even or odd number of digits. Here are u
u
A.5. LINEAR ALGEBRA AND MATRICES
some examples:
det
det
(
(� �) ��a32: a��33: )
det au a21 a3 1
( 824741 97965 814764 ) 216
663
880
315
= ad  be = a u a22 a33  a u a23 a32  a 12 a21 a33 + a 12 a3 1 a23 + a21 a 1 3 a32  a 1 3 a22 a3 1
=
 96 396 086
One important use of the determinant is that it gives a test for invertibility: a square matrix A is invertible if and only if det A ::/= 0. For further information about linear algebra and matrices and how they relate to codes, ciphers, and discrete algorithms, see the following items in the index: Boolean matrix, Hilbert matrix, Inverse matrix, Linear combination, Permutation matrix, Row reduction, Vandermonde matrix.
Solutions to Odd Problems Integers and Computer Algebra
Chapter 1 P.roblems 1 . 1
1.
Let n = ab with a > 1 and b > 1. If a2 right kind. Otherwise a2 > n and
:::; n ,
then a is a divisor of the
is a divisor of the right kind.
3. 5.
Note that
15 ( 3) + 24 (2) = 3, where 3115 and 3124.
A sum of two cubes factors as a3 + b3 = (a + b) (a2  ab + b2 ) , so
2 9 + 5 1 2 = ( 23 ) 3 + (54 ) 3 = (23 + 54 ) ( (2 3 ) 2  (23 ) (54 ) + ( 54 ) 2 ) = (633) ( 385 689) = ( 3 X 211) (3 X 128 563) = 3 2 X 211 X 128 563 7.
Let a, b, c, and d be arbitrary integers. ( a) This is false. Indeed 4112 and 6112, but 4 6 = 24 does not divide 12. Even simpler, but maybe too simple: 212 and 212 but 2 2 = 4 does ·
·
not divide 2. ( b ) If alb, then b = sa for some integer s. If ale, then c = ta for some integer t. So b + c = sa + ta = (s + t)a, which means that al(b + c). See also part iii of the theorem on properties of divisors. ( c ) This is false. Take a = 2, b = 4, and c = 6. ( d ) If alb, then b = at for some t, so b2 = a2 t2 , which means that a2 l b2 .
317
318
SOLUTIONS TO ODD PROBLEMS
( e) This is false. Take a = 3 J 9, but 5 f l3.
2, b = 4, c = 3, and d = 9.
Note that 2 J 4 and
( f) Let b
= as and d = ct. Then bd = asct = ac · st, which means that acJbd. ( g) Let b = as. Then be = asc, which means that aJbc. 9. 11.
13 is not divisible by 3. Let p be a prime divisor of P1P2 · · · Pk + 1. If p = Pi for some i, then P1P2 · Pk + 1 = Pi n for some integer n. So 1 = Pi n  P 1P2 · · · Pk = Pi ( n  P1Pz · · · Pi  lPi+l · · · Pk ) making Pi a factor of 1. That can't be, so p must be different from each prime Pi · No. The number ·
·
This shows how, given any finite set of primes, you can find another prime not in that set. So there are infinitely many primes.
13. 4 = 2 + 2 24 = 19 + 5 44 = 37 + 7 64 = 61 + 3 84 = 79 + 5 6 = 3 + 3 26 = 19 + 7 46 = 43 + 3 66 = 61+ 5 86 = 79 + 7 8 = 5 + 3 28 = 23 + 5 48 = 43 + 5 68 = 61 + 7 88 = 83 + 5 10 = 7 + 3 30 = 23 + 7 50 = 43 + 7 70 = 67 + 3 90 = 83 + 7 12 = 7 + 5 32 = 29 + 3 52 = 47 + 5 72 = 67 + 5 92 = 89 + 3 14 = 11 + 3 34 = 29 + 5 54 = 47 + 7 74 = 67 + 7 94 = 89 + 5 16 = 13 + 3 36 = 29 + 7 56 = 53 + 3 76 = 73 + 3 96 = 89 + 7 18 = 13 + 5 38 = 31 + 7 58 = 53 + 5 78 = 73 + 5 98 = 79 + 19 20 = 13 + 7 40 = 37 + 3 60 = 53 + 7 80 = 73 + 7 22 = 19 + 3 42 = 37 + 5 62 = 59 + 3 82 = 79 + 3 15. Note that each factorization of n! + 1 involves a prime or primes larger than n. ( a)
( b)
(c)
( d)
(e) ( f)
( g)
(h)
2! + 1 = 3 is prime 3! + 1 = 7 prime 4! + 1 = 52 composite 5! + 1 = 11 2 composite 6! + 1 = 7 x 103 composite 7! + 1 = 71 2 composite 8! + 1 = 61 x 661 composite 9! + 1 = 19 x 71 x 269 composite
319
PROBLEMS 1.2
17.
If three numbers are consecutive odd numbers, they must look like n, n+2, n + 4, where n is odd. But if n is odd, then n = 2m + 1, where m is an integer. Thus, the three numbers are 2m + 1, 2m + 3, 2m + 5. If m = 1, we get the triplet 3, 5, 7 . Suppose m > 1. If 2 m + 1 is not divisible by 3, then dividing 2 m + 1 by 3 gives a remainder of 1 or 2. If the remainder is 1, then 2m + 1 = 3k + 1 for some integer k, and 2m + 3 = 3k + 3 which is divisible by 3. If the remainder is 2, then 2m + 1 3k + 2, and 2m + 5 = 3k + 6 which is divisible by 3. Thus one of the three numbers is divisible by 3, and all are greater than 3, one of them is composite. =
19.
If n = 1, then n2 + 1 = 2, a prime. But if n is an odd number greater than 1, then its square is also odd, and adding 1 gives an even number greater than 2, which is thus composite. So the answer to the first question is, if n is odd, n2 + 1 is a prime if and only if n = 1. If n is even, then n2 + 1 can be prime, for example 22 + 1 = 5 is a prime. But n2 + 1 is not a prime for n = 8 because 8 2 + 1 = 65 = 5 x 13.
21. Yes. If n is composite, then n = ab, where a > 1 and b >
1, so
2 n  1 = 2 ab  1 = 2 a  1) ( 2 ab  a + 2ab 2a + 2 ab 3a + . . . + 1)
(
which shows that 2n  1 is composite. Thus if 2 n  1 is prime, then n is also prime. Problems 1 . 2
Note that j3.14  1l'j = 1. 59 2 7 x 10 3 and 22/7 is the closer approximation to
l 2i  1
3.
A computer algebra system produces places
3. 141 592 654 to ten decimal
5.
Note that
1.
11' .
11'
=
11'
=
1. 264 5 x 10 3 , so
( 1) 2/4 = {j( 1) 2 = 1, whereas ( 1) 1 /2 = A = i.
7. Let x = 0.33333333333 . . .. Then lOx = 3.33333333333 . . . so subtracting gives 9x 3.0, which implies x = 3/9 = 1/3. =
9.
Note that x = 3.489 and 345.5 = 691/2. This gives
lOOx = 348.989,
so
691 = 691 2 99 198 As a check, compute 691/198 3. 489 898 990. X=
;:::j
·
99x = 348.989  3.489 =
320 ·.
11.
SOLUTIONS TO ODD PROBLEMS
Here is one solution:
a 0.469 387 755 1 1 0.469 387 755 1 2 + 0. 130 434 783 1 1 1 1 2 + 7+0. 666666644 2 + 7+ 666 1666 644 2 + o . 1 30 4314 783 23 1 ;1 1   . ..., ,.1 49 2+� 2 + 7+ 1+. 5001 000 051 2 + 77+�::;;1� +� +
b
�
�
�
� :;
�
�
1
o.
 �
�
��
�
1 1 + . 500 000 051  1
Checking,
1· · :2 .
23 49 0.469 387 755 1 �
Problems 1 . 3
10 10 1. I: 2 = ...2 + 2 + . . . + 2 "'. = 10 . 2 = 20 j= 1 10 10 3. L L (i + 1 ) (j + 1 ) = 4356. To see why this is correct, note that i=O j =O
t,� (i + 1)
(H 1)
�
(t, (i + ) (� 1))
(
)
!)
·
(H
2 4356 = 11 � 12 =
n
5. L k3 = i ( n + 1 ) 4  � (n + 1) 3 + i (n + 1 ) 2  1 k=2 m
mn+l times
7. L 1 = 1 + 1 + k=n 5
· ·
·
+1=m

n
+1
9. I: (1 + k3 ) = (1 + 03 ) + (1 + 1 3 ) + (1 + 23 ) + (1 + 33 ) + (1 + 43 ) + k=O (1 + 53 ) = 1 + 2 + 9 + 28 + 65 + 126 = 231 10 11. II i2 = 1 2 . 22 . 32 . 42 . 52 . 62 . 72 . 82 . 92 . 102 = 1 2 . 2 2 . 32 . 24 . 52 . 22 . 32 . i=2l 6 4 7 . 2 . 3 . 22 . 5 2 = 2 16 38 54 72 = 13 168189 440 000
321
PROBLEMS 1 . 4
5 13. IT (n2 + n) = 27 33 5 2 = 86 400 n=1 m 15. L (ai + bi) = an + bn + an+l + bn+1 + · · · + am + bm = an + an+l + · · · + i=n m m . . . am + bn + bn+ l + + bm = I: ai + I: bi
i=n
i=n
Problems 1 .4
1.
n L i2 = k (n + 1) 3  ! (n + 1 ) 2 + �n + � = �n (n + 1) (2n + 1). To verify i= 1 this result by induction on n, first note that with n = 1 we have 1 I: i2 = 1 2 = 1 = �6 (1) (1 + 1) ( 2 (1) + 1 ) i= 1
Then assume that for some k 2:
1.
Then
I: i2 = � k (k + 1) (2k + 1) k
i= 1
k 1
k
+ I: i 2 = (k + 1) 2 + I: i2 i=1 i=1 1 = (k + 1) 2 + 6 k (k + 1) (2k + 1) = 61 (k + 1) ((k + 1 ) + 1) ( 2 (k + 1) + 1) so, by the principle of mathematical induction, for all n 2: 1 we have n L i 2 = 61 n (n + 1 ) ( 2n + 1) i= l
3.
A computer algebra system yields
n L k2k = (n + 1 ) 2n+ 1  2 X 2n+ 1 + 2
k= 1
which further simplifies to
n
L k2 k = 2n+ 1 (n + 1  2 ) + 2 = 2n+ 1 (n  1) + 2 k= 1
See the disc for the proof by mathematical induction.
322
SOLUTIONS TO ODD PROBLEMS
5.
The sum is given by
To verify this by induction, first observe that
Assume that for some n 2
·
� ( � ) xr
� (� ) x r + � C : 1 ) x r + � (�) xr + � (�) xr
1 + xn+l +
=
1 + xn+ 1
=
� (�) xr + x � (�) xr + (1 + xt + x (1 + xt
n
(1 + x) (1 + xt (1 + xt 1 =
'
n+1
+1
=
1 1 1 = 1 � L.. k=1 1 (1+1 ) = 2 = n� 1 holds for some n. Then
ror D
= (1 + xt. Then,
=
=
7
1,
1
n
1 1+1
Assume that
·
1 �n L... k = 1 k(k+1 )
1
t; k (k + 1) = n + 1 + (n + 1) ((n + 1) + 1) =
n (n + 2) + ..,.,... 1 ....,. (n + 1) (n + 2 ) (n + 1) (n+ 2) 2 n + 2n + 1 (n + 1) 2 (n + 1) (n + 2 ) (n + 1) (n + 2 )
n+1 n+2
9. For n = 1, we have L:;=O (;) = (6) + (i) = 1 + 1 2 1 Assume that L�=O (;) = 2 n holds for some n. In the next problem you are asked to =
.
PROBLEMS 1.4
323
prove that
n, and we use that here. So n+ 1 n + 1 n n+ 1 ) L=O ( r ) = L ( r + 1 = r r 1 n +0 1 ) + � (nr ) + � r +n 1 + (nn ++ 11) = ( ) r=O ( r=O n( ; 1) + (ta ( ) = (�) : ) + (ta (�)  (�)) + (: : D
if 0 < r :::;
_
n
1 1 . For = 1, we have (a + b) 1 = a+b = @ a 1 b0 + (D a 1  1 b 1 since @ = G) = 1. Assume that (a + bt = I:�=O (;) an r br . Then (a + bt+ l = (a + b) (a + bt = (a + b)
ta (�)
an  r br
ta (�) anr br + b ta (�) anr br n 1 = . . . = � ( � ) an + 1  r b r which shows that the formula also holds with n replaced with n + 1. (See the disc for details of this simplification.) 13. For n = 1 we have =a
since
( �)
=
G) = 1. Assume that
324
SOL UTIONS TO ODD PROBLEMS Then
� (�) xnryr = X � (�) xn  r yr + y � (�) xn ry r = � (;) xn+ l  r yr + � (�) xn  r yr+ 1 xn+ 1  r yr + I: (r : 1 ) xn  (r  1 ) yr �) ( t r= 1 r=O xn+ 1  r yr + I: (r : 1 ) xn  r+ 1 yr �) ( t r= 1 r=O (�) xn+1 y0 + � (�) xn+lryr + � (r: 1) xnr+l yr
(x + Y t+ 1 = (x + y) (x + Y t (x + y) =
� =
=
which shows that the formula also holds with n replaced with n + 1.
15.
Direct evaluation yields
16! = 20 922 789 888 000 14!5!2! = 20 922 789 888 000 Note that
14! X 5! X 2! = 14! X 24 X 3 X 5 = 14! X 16 X 15 = 16! 17.
For n = 1 we have
( 2 ) 1 ( 1 2 ) 1 ( 1 2 ) _1 ( 1 2 )
2_ 1 + )5 V5
2_
V5
+ )5

2_ V5
0

V5
)5
)5
0
=
1 = F1
= 0 = F,°
PROBLEMS 1.4
325
( ) ( ) ) ( ) �(
Suppose these two equations hold for k, so k k � 1 + V5  � 1  V5 F'; k v'5 2 2 v'5 n =
=
FL k 1
=
l + v'5 2 v'5
k 1
I 1  v'5 2 v'5
_
_
k 1
Then
so the two equations hold for n = k + 1 . 19. Notice that if x 2, then n n kxk k2 k = k= 1 k= 1 If we define =
L
L
=
f (x) then
J
f (x) dx =
n x L kxk  1 k= 1
k =O
n 1 x L (k + l) xk k=O
n 1 =
L=O (k + l) xk
k
n 1
� x k+ 1 �
=
=
n 1 � xk x� k =O
=
x
xn l x1 _

xn+1 X x1 _
:= 
SOL UTIONS TO ODD PROBLEMS
326 and hence xf (x)
= x dxd
( xnx+1 1 x )
n  1) ( x  1)  (xn+ l  x) (x  1) 2 + +1 xn + xn 2 n  xn+ 1 n + X (x  1) 2 xn+ 1 (nx  n  1) + x (x  1) 2
= X ( (n + 1) x =
Therefore, n
2: k2 k = 2f (2)
k= 1
2 n+ 1 (2n  n  1) + 2 (2  1) 2 = 2n+ 1 (n  1) + 2 =
Chapter 2
Codes
Problems 2 . 1
1 . Note that 1 0 1 1 0 1 0 1 0 11 1 00 1 00 1 0 ,".. ,".. ,".. ,".. ,".. 5 A B 9 2 = (1011010101110010010)2 3. Evaluation produces ((((5 . 16) + 10) . 16 + 11) . 16 + 9) . 16 + 2 = 371 602 The definition, in terms of the decimal representation, produces (5AB92) 1 6
= =
5 X 164 + 10 (371 602) 1 0
X
163 + 1 1 X 162 + 9 X 16 + 2
5. Note that (1010101 1 100001 1 10101001101010100)2 = A B 8 7 5 3 5 4 1olal011 J:OooOil1 0i010oil'OiOio1Qo = (AB875354) 1 6 7. We have (1010101 11000011 10101001 101010100)2 = 23 1 + 2 2 9 + 2 27 + 2 2 5 + 2 24 + 2 23 + 2 18 + 2 1 7 + 2 1 6 + 2 1 4 + 2 1 2 + 2 9 + 2 8 + 26 + 24 + 22 = 2877 772 628
327
PROBLEMS 2. 1
9. Conversion yields 50927341
=
1 1 . Note that 50927341 mod 16 3182 958 mod 16 198 934 mod 16 = 12 433 mod 16 777 mod 16 48 mod 16 = 3 mod 16 and hence
(1100001001000101 1011 101101)2 (50927341  13) /16 (3182 958  14) /16 (198 934  6) /16 (12 433  1) /16 (777  9) /16 (48  0) /16
13 14 6 1 9 0 3
(5092 7341) 1 0
=
= = = = = =
(30916ED) 1 6
13. Multiplication yields 1 2 A B 0 E 0 0 3
c X
8 42 1 2 8 0 0 9
11 2 and hence 15. Multiplication yields
(2B) 1 6
X
(C1F) 1 6 1
1
11 0
11 0 0
Ow 1 1
11 1 1 0
=
0 X
01 1 0 0
F B 5 0 0 0 0 0 5 (20935) 1 6 1 1 11 0 1 1
0 0 0
1 1 1
0 0
1
1 1 1 1
and hence
(101 101) 2 X (1101) 2 (1001001001)2 Check by converting to decimal: (101101)2 2 5 + 23 + 22 + 2° 45 (1 101) 2 23 + 22 + 2° = 13 585 45 · 13 2 9 + 2 6 + 23 + 1 = 585 (1001001001)2 =
=
3182 958 198 934 12 433 777 48 3
328
SOLUTIONS TO ODD PROBLEMS
17. 2
B 1 c2 A 1 1
8 F
4 1 c 5s 5
F 8 7
and hence
19. Long division yields 1
and hence
1
0
1 1 1
(101101)2 (1 101) 2
=
1 1 0 1 1 0 1 1 1 0 1 1 0 0 1 1 1 1 0 1 1 1 0 (11) 2 +
(110) 2 (1101) 2
Checking, (1 101) 2
X
(11) 2 + (110) 2 (101 101) 2
=
(2 3 + 22 + 1) (2 + 1) + 6 2 5 + 2 3 + 2 2 + 1 45
=
=
Problems 2.2
1 . Number theory is the queen of mathematics. 3. 4D 6 1 74 68 65 6D 6 1 74 69 63 73 20 69 73 20 74 68 65 20 7 1 75 65 65 6E 20 6F 66 20 74 68 65 20 73 63 69 65 6E 63 65 73 2E
5. ASCII is pronounced askee. 7. Unicode contains over thirty thousand distinct coded characters.
45
PROBLEMS 2.4
329
Problems 2 . 3 1. A.¥.. . � ..!; •
•
T

B
.I.
 · · ·
N
• •
_:
_
p
G
E
. s. .
R
·  ·
.
  ·
A
· 
Y
F
 ·  
6
.
E
R
·  ·
· ·  ·
.I. . s. .
  
   ·
  ·
G
M
_ _
N
T
.
N
0
  
U
N

I
.
L
·  · ·
M
· · 
K
I
 · 
N
. .
Help, my floating point numbers are sinking.
3.
A
T
· 
E
Y
G
.
E
  ·
G
  ·
N
H
T
0
  

M
  ·
0
 
. . . .
 
R
·  ·
T

L
D
.
I
. .
N
I
R
. .
A
·  ·
· 
S
A
I
. .
 · ·
·   ·
T

T
U
· · 
S

. .
.
0
L
  
D
.
P
 ·
· 
E
. . .
N
. .
 ·
 ·  ·
·  ·
I
 · ·
C
•
R
  
E
E
·  · ·
· 
M
.
G
 ·
A
 ·  

A
· 
R
·  ·
L
·  · ·
E .
I
. .
·  · ·
L
I
·  · ·
N
 ·
E
. .
T
I

. .
P
.
·   ·
At Yale College Morse delighted in painting miniature portraits.
5. Using the numbers of units from Problem 4, we have c F B D E H G A I 7.3 0.9 3.0 4.4 13.0 2.8 1.6 3.5 7.4 1 11 9 9 7 7 5 9 3 0.37 0.08 0.33 0.31 0.13 0.25 0.14 0.24 0.22 p N M K R J 0 L Q 0.2 0.3 3.5 2.5 7.8 7.4 2.7 0.3 7.7 11 11 5 7 7 13 9 9 13 0.03 0.03 0.32 0.18 0.39 0.81 0.30 0.04 0.54
Letter %
Units Exp.# Letter %
Units Exp.# Letter
s
u
T
v
y
X
w
z
6.3 9.3 2.7 1.3 1 .6 0.5 1.9 0.1 % 11 11 13 Units 3 9 7 5 9 Exp.# 0.32 0.28 0.19 0.12 0.14 0.06 0.25 0.01 By adding together the contributions from each letter, the expected num ber of time units per letter is 6.06. Notice that the most frequently oc curring letter (E) has the shortest code. 7. Suddenly, Samuel had an idea. Maybe electricity could transmit messages. Problems 2.4
1 . At the age of ten he attended a school for blind boys in Paris. A
T
• • •
•
• •
•
•
•
•
• •
G
A
E
H
T •
• •
E
•
•
•
•
• •
330
SOLUTIONS TO ODD PROBLEMS
•
0
F
• •
T
• •
•
•
•
A
T
T
•
•
•
•
•
•
•
•
s
•
e '
•
•
H
•
•
•
• •
•
•
•
•
p
•
•
• •
•
A
•
•
•
•
•
•
•
•
E
•
D
•
0
0
•
• •
B
•
I •
s
• •
•
•
•
• •
•
•
•
D
•
N
I •
•
• •
•
• •
R
s
I • •
N
•
•
•
•
• •
•
L
L
• •
•
•
y
• •
E
• •
•
•
•
0
•
•
R
•
•
B
D
•
0
•
•
•
•
F
•
H
•
c
•
•
•
•
•
•
•
•
A
•
•
N
E
•
N
•
•
•
•
E
•
•
•
•
•
•
3. Braille is used in virtually every language. •
B
•
R
•
•
•
A
•
•
•
•
•
s
I
•
•
•
•
v
•
• •
•
•
v
L
•
•
•
A
•
•
•
•
•
E
u
•
•
y
•
I •
•
•
G
•
5. Braille became a talented cellist. 7. Braille was admired as a teacher.
• •
A
•
L
•
•
•
•
•
L
•
•
u
•
•
A
• •
•
•
G
• •
y
• •
•
•
•
•
N
•
• •
•
•
D
•
•
•
•
•
•
•
R
•
E
•
•
•
•
•
•
•
N •
•
•
•
• •
•
• •
•
T
•
•
•
E
•
•
•
R
•
•
E
•
L
•
•
I
•
•
s
u
• •
•
L
I
•
E •
•
331
PROBLEMS 2. 6
Problems 2.5
1. The combinations are 1 100, 1010, 1001, 01 10, 0101, and 001 1, so there are six arrangements that can be made by choosing 2 from 4. Note also that this is the value of the binomial coeffiCient
G) = 6
3.
000111 001011 001 101 010101 010110 01 1001 100011 100101 100110 101 100 1 10001 1 10010
001 110 010011 01 1010 011 100 101001 101010 1 10100 1 11000
c3°)
(: )
= 120 and = 126 are reasonable 5. From Problem 4 we see that choices. A single error would be easier to recognize than for a 7bit binary code. With a 7bit binary code, a single error would yield a different ASCII value. With a 4outof9 code, a single error would lead to out of 9 or 5 out of 9, which could immediately be recognized as an error.
3
7. Use induction. If a set has 1 element x, then the subsets are {x} and the empty set, so there are 2 1 = 2 subsets. Assume that a set with n elements has a total of 2n subsets. Consider a set with n + 1 elements formed by adding a new element There are 2n subsets that do not contain and there are 2 n subsets that do contain so there are z.
z
z,
subsets of the set with n + 1 elements. The formula
� (7) = 2m
simply states that every subset has a certain number k of elements. Problems 2.6
1. Lining up the slant cuts in a deck of IBM cards assures that all the cards are right side up and facing in the correct direction. Using 12 locations 2 at a time yields C22) = 66 combinations, plus (�) = 12 single punches for a total of 78.
3.
5. There are Cf ) = 495 patterns with four holes.
332
SOLUTIONS TO ODD PROBLEMS
Chapter
3
Euclidean Algorithm
Problems 3 . 1
1 . Find remainders modulo 5: 9374 mod 5 1874 mod 5 = 374 mod 5 = 74 mod 5 14 mod 5 = 2 mod 5
= 1874 = 374 = 74 = 14 = 2
(9374  4) /5 (1874  4) /5 (374  4) /5 (74  4) /5 (14  4) /5
4 4 4 4 4 2
so 9374 = (244444)5 . As a check, note that ((((2 . 5 + 4) . 5 + 4) . 5 + 4) . 5 + 4) . 5 + 4 = 9374. 3. The addition and multiplication tables are given by EB 0 1 2 3
1
2 1 2 1 2 3 2 3 0 3 0 1 0 0
3 3 0 1 2
® 0 1 2 3
0 1 2 0 0 0 0 1 2 0 2 0 0 3 2
3 0 3 2 1
We see from the addition table that 2 EB 3 = 1 . However, 2 ® x = 1 has no solution because 1 does not appear in the row 2 0 2 0 2. 5. The addition and multiplication tables are given by EB 0 1 2 3 4 5 6
0 0 1 2 3 4 5 6
1 1 2 3 4 5 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
® 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 6 0 5 6 3 5 1 4 6 3 4 2 2 1 0
If a and b are in the set {0, 1 , 2, 3, 4, 5, 6}, then you can always solve the equation a + x = b because b appears in every row. If a = 0, then a ® x = b can be solved only if b = 0. Otherwise, b appears in the row headed by a and hence a ® x = b has a solution. 7. There are many possibilities. For example, given a letter that corresponds to the number x, associate the letter that corresponds to y
= x + a mod 26
PROBLEMS 3.2
333
for any fixed integer a strictly between 0 and 26. Another possibility would be to associate the letter that corresponds with x, the letter that corresponds with the number y = ax mod 26 where a is a particular fixed integer such as 3 or 5. For a choose an odd integer other than 13 between 0 and 26. A third possibility would be to do a combination of these two schemes. Given a letter that corresponds to the number x, associate the letter that corresponds to the number y = ax + b mod 26 where b # 0 and a is an odd integer between 0 and 26 other than 13. 9. Add 3 to both sides of the equation 5x + 8 = 4 to get 5x + 1 1 = 7, which is the same as 5x = 7 in the integers modulo 1 1 . From the multiplication table X 1 2 3 4 5 6 7 8 9 10 1 1 2 3 4 5 6 7 8 9 10 2 2 4 6 8 10 1 3 5 7 9 3 3 6 9 1 4 7 10 2 5 8 4 4 8 1 5 9 2 6 10 3 7 5 5 10 4 9 3 8 2 7 1 6 6 6 1 7 2 8 3 9 4 10 5 7 7 3 10 6 2 9 5 1 8 4 8 8 5 2 10 7 4 1 9 6 3 9 9 7 5 3 1 10 8 6 4 2 10 10 9 8 7 6 5 4 3 2 1 locate 7 in row 5. The column header is 8 and 5 8 mod 1 1 = 7. Checking, 5 8 + 8 mod 1 1 = 4, so x = 8 is indeed a solution. 1 1 . There are only 1 1 possible choices for x, so just try them. Let f (x ) = x2 + 9x + 9 mod 1 1 . Then f (1) = 8 f (2) = 9 f (0) = 9 f (3) = 1 f (6) = 0 f (4) = 6 f (7) = 0 f (5) = 2 f ( 10) = 1 f (8) = 2 f (9) = 6 Thus x = 6 or x = 7. Now that the solution is known, it is easy to see that factorization would also work. That is, ( x  6) (x  7) mod 1 1 = x2 + 9x + 9. ·
·
·
Problems 3.2 1. The positive divisors of 48 and of 72 are d ( 48) = {1 , 2, 3, 4, 6, 8, 12, 16, 24, 48} d (72) = {1, 2, 3, 4, 6, 8, 9, 12, 18, 24, 36, 72}
334
SOLUTIONS TO ODD PROBLEMS
The intersection of these two sets is {1 , 2, 3, 4, 6, 8, 12, 24} and max:{ 1, 2, 3, 4, 6, 8, 12, 24} = 24. 3. Factoring gives 55 440 = 24 3 2 5 x 7 x 11 and 48 000 = 2 7 3 x 53 , so gcd (55 440, 48 000) = 2min{ 4 ,7} 3min{l , 2} 5 min{1,3 } 7min{ O,l} llmin{ O,l} = 2 4 3 1 5 1 7°11° = 240 5. From the table
Qn
n
0 ', 1 2 3
1 3
Tn
n
29 432 403 22 254 869 7177 534 722 267
Qn
Tn
9 677 131 4 5 1 45 136 6 15 91 7 496 0
we see that gcd (29 432 403, 22 254 869) = 91 7. Let a and a + 5 denote the two integers. If k I a and k I a + 5 then also k I (a + 5)  a = 5 and hence k I 5. Thus gcd (a, a + 5) = 1 or gcd (a, a + 5) = 5.
9. Note that gcd (a, b) = gcd (b, a mod b) = gcd (b, ro) = gcd (ro , b mod ro) = gcd (ro , r1 ) = gcd (r1 , ro mod rt ) = gcd (r 1 . r2 )
and, in general,
1 1 . The remainders, starting with 233 and 144, are 89, 55, 34, 21, 13, 8, 5, 3, 2, 1, 0
so the number of steps is 1 1 ( or maybe it's 10) . If we start with F21 and F2o , then the remainders are so the number of steps is 19. You can calculate F2 0 and F21 . They are 6765 and 10946. Problems 3.3
1. Let a = 43 and b = 56. Then successive applications of the division algorithm give the equations 56 = 1 43 + 13 and 43 = 3 13 + 4 and 13 = 3 4 + 1 ·
·
·
335
PROBLEMS 3.3
Solve the first equation for 13, the second for 4, and the third for 1 13 = 56  1 43 and 4 = 43  3 13 and 1 = 13  3 4 ·
·
·
Start with the third of these equation's and substitute the expression for 4 from the second equation 1 = 13  3 . 4 = 13  3 . (43  3 . 13 ) = 13  3 . 43 + 9 . 13 = 10 . 13  3 . 43 Now substitute the expression for 13 from the first equation into this 1 = 10 . 13  3 . 43 = 10 . ( 56  1 . 43 )  3 . 43 = 10 . 56  10 . 43  3 . 43 = 10 . 56  13 . 43 ) 3. 1 = gcd ( 43, 56 ) = ( 13 ) · 43 + 10 · 56. ( See disc for details.
5. The solution is
3 = gcd ( 742789479, 9587374758) = 742789479 (  1357 468 553 ) + 9587374758 ( 105 170 955 )
7. Consider the array x \y 5 4 3 2 1 0 1 2 3 4 5 6
4 44 40 36 32 28 24 20  16  12 8 4 0
5 50 46 42 38 34 30 26 22 18  14  10 6
3 38 34 30 26 22 18 14 10 6 2 2 6
2 32 28 24 20 16 12 8 4 0 4 8 12
1 0 1 14 26 20 22 16  10 18 12 6  14 8 2 2 10 4 6 0 6 10 4 2 8 14 2 6 12 18 10 16 22 14 20 26 18 24 30
2 8 4 0 4 8 12 16 20 24 28 32 36
3 2 2 6 10 14 18 22 26 30 34 38 42
4 4 8 12 16 20 24 28 32 36 40 44 48
5 10 14 18 22 26 30 34 38 42 46 50 54
6 16 20 24 28 32 36 40 44 48 52 56 60
array. By Note that 2 is the smallest positive integer that appears in4the 3 ) · 6 = ( + reading the row and column headers, we see that 2 = 5 = 2 and (x, y) 2 · 4 + (  1 ) 6 = (  1 ) · 4 + 1 · 6 = ( 4 ) · 4 + 3 6. Thus d ) . could be any of the pairs ( 5, 3 ) , ( 2,  1 ) , (  1 , 1 ) , or ( 4, 3 ion by c yields 9. Assume aibc and a .1 b, say 1 = ax + by. Then multiplicat = c. bey) c = acx + bey. Since ala and aibc, it follows that al (acx + ·
·
·
336
SOLUTIONS TO ODD PROBLEMS
Problems 3.4 In problems 17, M = { 1 , 4, 7, 10, 13, 16, 19, 22, 25, . . . }.
1 . The next six elements after 25 in the set M are 28, 31, 34, 37, 40, 43. 3. The first six composites in M are 16 = 4 . 4 28 = 4 . 7 40 = 4 · 10 49 = 7 . 7 52 = 4 · 13 64 = 4 · 4 · 4 5. Since p and q are ordinary primes, the only factorization of pq in the positive integers is p q, but p and q are not elements of M so pq must be prime in M. ·
·
7. Each of ab, cd, ac, bd, ad, and be is prime in M because each is of the form (3m + 2) (3n + 2), where 3m + 2 and 3n + 2 are ordinary primes. 9. It takes the mutual cooperation of a factor of 2 and a factor of 5 to generate a multiple of 10 and thus generate a trailing zero. There are 994 factors of 2 available. The number of factors of 5 is given by L1000/5J + Ll000/25J + Ll000/125J + Ll000/625J = 200 + 40 + 8 + 1 = 249 and hence there are exactly 249 factors of the form 2 · 5, each of which contributes 1 zero at the end of 1000!. 11. Let
k
k k p , IT Pi ' , a = IT = {'
and b = IT pf' i= l i l i =l where fi ::; ei and 9i ::; ei for i = 1 , 2, . . . , k. Then n
=
e·
k
k
lcm (a, b) = IT p�ax{f; ,gi } I IT p:; i= l i= l
=
n
Problems 3.5 1 . Finding a solution to the congruence lOx = 14 (mod 8) is equivalent to finding an integer solution to the equation lOx = 14 + 8y, which is equiv alent to finding an integer solution to the equation 5x = 7 + 4y, which is equivalent to finding a solution to the congruence 5x = 7 (mod 4) . The in teger solutions to lOx = 14 + 8y are given by x = 3 + 4Nt and y = 2 + 5Nt and the integer solutions to 5x = 7 + 4y are given by x = 3 + 4N1 and y = 2 + 5Nt .
3. The inverse of 8 modulo 13 is 5 and 3 5 mod 13 is 2. So 3/8 mod 13 = 2. The inverse of 3 modulo 17 is 6, 14 · 6 mod 17 = 1, so  14/3 mod 17 = 1. ·
PROBLEMS 4.1
337
5. We have · 1  l34/1 13J 1  l1 13/34J
) (1341� 01) (11334 01) ) (11334 01)  (341 1 31 ) 1 ) ( 1 1 3) 3 1 10 3) ( 1 10 ) 10 0  1 13 =
=
=
so that 34  1 mod 113 = 10. As a check, note that 10 · 34 mod 113 = 1 . 7. We get 7382784739 1 · 1727372727 mod2783479827 = 213 764 595. As a check, 7382784739 · 213 764 595 mod 2783479827 = 1727 372 727.
·'
9. The multiplication table for the integers modulo 5 using 2,  1 , 0, 1, 2 is X
2 1 0 1 2
2 1 2 0 2 1
1 2 1 0 2 2
0 0 0 0 0 0
1 2 1
0 1 2
2 1 2 0 2 1
Note that ( 2) 2 = 1 and (2 2 ) = 1 in this multiplication table. 1 1 . Multiply the first equation by 37 1 mod 101 = 71 and the second by 17 1 mod 101 = 6 to get 17x + y = 85 and 15x + y = 49. Then sub tract the second equation from the first to get 2x = 36 so that x = 2  1 36 mod 101 = 18; and from the equation 15x + y = 49 get y = 49  15 18 mod 101 82. Checking, we see that 23 18 + 37 · 82 mod 101 = 14 and 53 18 + 17 82 mod 101 = 25. 13. If 1 has a square root modulo p , then x2 + 1 should factor modulo p . Fac toring with a computer algebra system produces results like x2 + 1 mod 2 = (x + 1) 2 , x2 + 1 mod 3 = x2 + 1 , and x2 + 1 mod 5 = (x  2) (x + 2).The prime p = 2 is a special case since 1 = 1 and x2 + 1 has 1 as a double root. Try some primes on your own and you will see that, for the odd primes, it appears that x2 + 1 factors exactly when p mod 4 = 1. To give you a start, the solution on the disc factors the first 30 primes. =
·
·
Chapter 4 Problems 4. 1
1. KHOOR
·
Ciphers
·
338
SOLUTIONS TO ODD 'PROBLEMS
3. KTIXEVZOUT VXUJAIZY COZN RKYY ZNGT YODZE LUAX HOZY GXK LXKKRE KDVUXZGHRK
5. Goodbye. 7. Caesar is considered to be one of the first persons to have ever employed encryption for the sake of securing messages.
9. Drive for show; putt for dough. 1 1 . GHXSG NOOMN NHKFS UEKCE FPJSG WEUYT ADBOS DYFEM HUSFS UVITN RCODP PNENG CAESH YDGFH HSTY
13. y
=
15 (3x + 5 ) + 4 mod 26
=
45x + 79 mod 26
=
19x + 1 mod 26
Problems 4.2
1 . The ciphertext was generated using the shift y x + 6 mod 26, so the inverse is given by the shift x = y  6 mod 26. The plaintext is =
The oldest known encryption device is the scytale.
3. The ciphertext was generated using y = 5x mod 26. Since 5_ 1 mod 26 21 the inverse affine cipher is given by x = 21y mod 26. The plaintext is
=
The scytale consisted of two round pieces of wood which had exactly the same dimensions.
5. The ciphertext was generated using y l lx + 4 mod 26, so the inverse is given by X = ( y  4 ) 1 1  1 mod 26. Since n  1 mod 26 = 19 the inverse is the affine character cipher x ( y  4 } 19 mod 26 19y + 2 mod 26. The plaintext is =
=
=
Messages were encoded by winding a piece of parchment around the cylinder in a spiral and writing the message along the length of the cylinder.
7. The shift ciphers y = x + 7 mod 26 and y x + 1 1 mod 26 were used to encrypt the odd and even letters. Use the inverse shift ciphers y = x + 19 mod 26 and y = x + 15 mod 26 to obtain the plaintext =
Thirtyfive code talkers attended the dedication of the Navajo code talker exhibit. The exhibit includes a display of photographs, equipment, and the original code, along with an explanation of how the code worked. Dedication ceremonies included speeches by the then Deputy Secretary of Defense Donald Atwood, U.S. Senator John McCain of Arizona, and Navajo President Peterson Zah. The Navajo veterans and their families traveled to the ceremony from their homes on the Navajo Reservation, which includes parts of Arizona, New Mexico, and Utah.
PROBLEMS 4.4
339
Problems 4.3 I.
CPCRW CEPST OYVOW T
3. EVIHAA ERSETC 5.
VNLPL HZQBW QJPZL CQXHB BHWJD VTHCP LWQFC HEHCF VNRVR WHINL PHZVP RCZIQ ZHVHQ CRCXC QVZJK ZVHVJ VHQC
7. If a = ( 0 4 7) (I 6 5 3) (2 9 8) and T = (O) (I 3 5 9 7) (2 8 6 4) , then aT = ( 0 2 7) ( I 4) (3) ( 5 ) (6 9) (8) Ta = ( 0 4 9) (I) (2) (3) ( 5 8) (6 7) 9. Let a be a permutation on { I , 2, . . . , n }. If xu = x for all x , then a = (I) (2) · · · (n) is a product of disjoint cycles. We say that an integer x is moved by a if xu =j:. x . We induct on the number k of integers moved by a permutation a. If k = 0, then x u = x for all x and hence a = (I) (2) · · (n) is a product of disjoint cycles, so the theorem holds. For k > 0, assume that all permutations T that move fewer than k integers can be written as products of disjoint cycles. Let a be an integer moved by a and consider the finite sequence a 1 = a, a2 = a'[ , a3 = a2 , and so forth. Since ai E { I , 2, . . , n}, there exist integers i < j such that ai = ai . Let m be the least integer such that ai = am with I ::; i < m. If i > I , then ai = af_ 1 = am = a�_ 1 , contrary to the minimality of m. Consider the permutation ( a 1 a2 am )  1 a = T . Note that a'[ = ai for i = I . m and xu = xt for all other x E { I , 2, . . , n} . Thus T moves fewer than k integers and hence T is a product of disjoint cycles. Thus a = ( a 1 a2 · · · am ) T is also a product of disjoint cycles. ·
.
·
.
�
PY
�
·
.
Problems 4.4
I . IS
·
.
( � ! ) mod 26 24 ) ( � ! ) mod 26
( 8 I8 ) (
I5
=
( 2 IO )
=
�
( 20 9 )
CK
�
UJ
3. MC TX BX HN FZ IY AN TI OH WN BC PD RT XN SV DH DV IE ZW IR MP CV QB RF IY PB VO VR JN YM IN KA IG KT WC RS AH CL YO KS UD OQ DY KM BH HX IC CJ OU RS HN KU
5.
x U �r (�� The inverse cipher is 7 8 7 I 6
3 I 3 7 9
6 9 4 9 3
mod 26 � X
II I2 I6 19 I5 II I I I4 5 I3 I7 0 24 I9 23 I I I 3 I2 I 5
�
l
mod 26
340
SOLUTIONS TO ODD PROBLEMS
7. Assuming the fictitious Social Security number is 555555555, the affine transformation yields the encryption 5 0 3 8 6 5 9 8 5 . See the solution on the disc for details. 9. The plaintext is If sensitive data falls into the wrong hands, it can lead to fraud or identity theft.
See the solution on the disc for details. Problems 4.5
1. The Playfair square is given by c I R s p E A K H u G N B F 0 v D Q T y The plaintext and ciphertext are given by WH EA TS TO NE NA !
!
L M w X z
ME DT J
HE
PL
!
!
HU
AK YR
!
!
RT
UK
GK
PA
QY UP
MC
AY
FA
IR
CI
PH
ER
AF
TE
RH
IS
KT
OE
RS
IR
HB
AI
EO
QA
OI
RL
FR
EI
ND
LY
ON
PL
AY
FA
IR
OI
UE
HY
sz
VG
MC
KT
OE
RS
!
!
!
J
!
J
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
J
3. Use the Playfair square
to obtain the message
R H E 0 s D c B A T F G IJ K L u Q p N M v w X y z
The primary use of a Wheatstone bridge is the measurement of resistance.
5. The Playfair cipher may be improved by seriating its input text. 7. Who ? Not mel
PROBLEMS 4. 7
341
Problems 4.6 1. LOSCH POTYX YXQBL EEYWT NIWAJ MIOMY IPINP PPKLH B
3. Who is the weakest link ? 5. Why Playfair (play fair?) when the other guys are using RSA ? 7. Since 1 + 1 mod 2 = 0, it follows that adding the same binary vector twice gives back the original vector. In particular, if 1 0 0 0 1 0 1 1 ) + ( 1 1 0 1 1 0 0 1 ) mod 2 =( 0 1 0 1 0 0 1 0 )
(
then 0 1 0 1 0 0 1 0 ) + ( 1 1 0 1 1 0 0 1 ) mod 2 =( 1 0 0 0 1 0 1 1 )
(
Problems 4. 7 1 . We take x = 7
and compute y = ( x + s 1 mod 26)a 1 = (7 + 25 mod 26t 1 = 6a 1 = 9 z = (y + s2 mod 26t2 = (9 + 13 mod 26t2 = 22a2 21 = (z + S 3 mod 26)a3 = (21 + 4 mod 26t3 = 25aa = 1 u = (w)P = 1P = 9 z = ua3 1  s3 mod 26 = 9a3 1  4 mod 26 = 18  4 mod 26 = 14 y = (za2 1  s 2 mod 26) = 14a2 1  13 mod 26 = 13  13 mod 26 0 1 1 X = (ya1  8 3 mod 26) = 0a1  25 mod 26 = 23  25 mod 26 = 24 t
'H'
=
W
(
)
=
and hence the first ciphertext character is 24 the shift constants:
+
'Y'. Finally, we update
8 1  s 1 + 1 mod 26 = 0 82  82 + 1 mod 26 = 14 Continuing in this way, we see that the ciphertext is YQ. 3. Attack now!
.
( 26) (24 2 ) . . m In the example there are (26 ) ways 5 . The number is 2 2 ) e2 2 10! ' to choose the first pair {A, Z}, then e24) ways to choose the second pair {B, Y}, and so on. But the 10! ways of listing these 10 pairs all give the same pairings, so we must divide by 10! to get the number of distinct plugboard settings.
.
342
SOLUTIONS TO ODD PROBLEMS
( 61
2 3 4 5 6 7 7 2 5 3 1 4
) and  1  ( 21
)
2 3 4 5 6 7 3 7 1 5 4 6 9. Let p = (at , a2 , , ak ) and set r = 0" 1 • Then (ai) upr = (ai r upr ( a1 ) . ( ai+1 ) £or · 1 , 2 , . . . , k  1 , and (akr ) upr ( ak ) rupr apr apr k i xr so x r is fixed by the If x � {a1 , a2 , . . . , ak } , then xrupr = xPr permutation O"pr. Thus O"pr = (ai , a2 , . . . , ak) is also a kcycle.
7 · O" 1 =
•
=
'T
•
r
.
=
z =
=
=
=
'T
=
Chapter 5
ErrorControl Codes
Problems 5 . 1 1 . The probability of getting 10 out o f 1 0 on a true false exam is ( �) 10 1 0�4 9. 765 6 x 10 4 . 3. The codewords 000 and 1 1 1 are a distance 3 apart. 5. There are 200 places where the error could occur; so the probability of a single error is e�0) (1  0.0001/ 9 9 (0.0001) = 1 . 960 6 X 10  2 • 7. The expected number of errors is the sum of n x ( the probability of exactly n errors ) , which is given by 1000 (1  0 . 001/ 000  n (0.001t = 1.0 nX =
�
�
c�O)
The contribution by the nth bit is 1 x (0.001) = 0.001 . Since there are 1000 bits, the expected number of bit errors is 1000 x (0.001) = 1.0. 9. If the probability of a letter being changed is 1/10, then you can expect about a tenth of the letters to be changed. For two consecutive sentences, about one fifth of the letters can be expected to be different. The length of the sentence is 65, and 65/5 13, so on average the distance between two sentences should be roughly 13. Indeed, the distances between pairs of sentences range from 1 1 to 14, so an average of 13 is reasonable. =
Problems 5.2 l.
ll l l l ll l i l l l li l l il ll ( 2001 ) 5 =wnwnn
3.
7=nnnww
ifi1l dil l I mu I3=wwnnn I IIII 7=nnnww �
.._,._....
( 5773 )
( Note that the short bars were added to indicate the width of beginning and ending spaces. )
343
PROBLEMS 5.3
9
,.....,.__
1
,.....,.__
2
1
,.....,.__
,.....,.__
5. The 2 of 5 bar code IIIII IIIII IIIII as (9112001; September 11, 2001 ) 7, The Code 39 bar code C
0
IIIII
0
,.....,.__
IIIII
E
D
0
,.....,.__
IIIII
1
,.....,.__
IIIII decodes
3
9
iinl lflll U ifill fil ifiTJ U
decodes
as
( Code 39) .
9. The Interleaved 2 of 5 bar code
5=wnwnn
1=wwnnn
II I II II I5=wnwnn II III I III I 8=wnnwn I III II 
......
start

'v'
6=nwwnn
�
end
III I II II III II2=nwnnw
,.....,.__
__......._
"..'
decodes as (551862; Cinco de Mayo) .
( Note that the short bars were added to indicate the width of beginning and ending spaces. )
1 1 . The Code 39 bar code
l l i ll
2 8 11 111 11 111
I If II llfl l IIII I IIi II IIII I III II III II III II IIII I I IIII r
f
e
c
t
*
decodes as 28 is perfect. (A perfect number is a number that is equal to the sum of its proper divisors. In this case, 1 + 2 + 4 + 7 + 14 28.) =
Problems 5.3
1.
0
3
7
0
0
0
...... ...... ...... ...... ......
6 2 8 1 1 8
...... ...... ...... ...... ...... ......
344
SOLUTIONS TO ODD PROBLEMS
10
L iai i= l
mod 1 1 = 0
Assume that ak and an are interchanged, ak =/: an , and 1 S k < n Set bk = an, bn = ak , and otherwise bi = ai . Then
t, ibi mod
11
= = =
=
(t,
ibi 
t, iai) mod
S
9.
11
(k (bk  ak) + n (bn  an)) mod 1 1 (k (an  ak) + n (ak  an) ) mod 1 1 (k  n) (an  ak) mod 1 1 =/: 0
because 1 1 divides neither of the factors k  n or an  ak . ( Why? ) Thus cannot be a valid ISBN number.
� I I r � II � (Ill �' � II � � Il l)' � II �' � II�' � � � � , �� ��, (I l l � " 0
0
5·
7. The first digit (0) represents the country and the second part represents the publisher. The last digit is the check sum
0 1 + 4 2 + 7 3 + 1 4 + 8 · 5 + 9 6 + 6 7 + 1 8 + 4 9 mod 1 1 ·
·
·
·
·
·
9. Do a web search on a bar code such as code 93. 11.
A short element could be added to any of
There are �
=
60 rearrangements of
5!  10 rearrangements of
3121
·
·
=
4
PROBLEMS 5.4
and 2f�1
=
345
{j, l . 1 . u} {1 . 1 · 1 ' 1 · 1 }
30 rearrangements of
for a total of 60 + 10 + 30
=
100 symbols.
Problems 5.4
In the following problems,
H
D
=
=
u
1 0 1 1
1 0 0 0
0 1 1 1
0 0 1 0 0 0 0
0 0 0 0 1 0 0
0 0 0 0 0 1 0
0 0 0 0 0 0 1
0 1 0 0
0 0 1 0
P n. �
0 0 0 1 1 1 1
0 1 1 0 0 1 1
1 0 1 0 1 0 1
, and
1 . The codeword is ( 1 0 1 1 ) H mod 2 = ( 0 1 1 0 0 1 1 )
P
3. The parity is even, so we assume there are either 0 or 2 errors. An error check yields ( 1 0 1 1 0 1 0 ) mod 2 ( 0 0 0 ) which indicates no errors, so the plaintext is given by ( 1 0 1 1 0 1 0 ) D mod 2 ( 1 0 1 0 )
P
=
=
5. The parity is odd, so we assume a single error occurred. An error check yields ( 1 0 1 1 0 1 0 ) mod 2 = ( 0 0 0 ) so we assume the error occurred in the 8th bit. The plaintext is given by ( 1 0 1 1 0 1 0 ) D mod 2 ( 1 0 1 0 ) =
346 7.
SOLUTIONS TO ODD PROBLEMS
The codewords are given by
I ll = ( 0 1 0 1 0 1 o ) = ll I =( 1 0 0 0 0 1 1 )= II =( 1 0 0 1 1 0 o)= II =(0 1 0 0 1 0 1 )= l I =( 1 1 0 0 1 1 o) II =(0 0 0 1 1 1 1 )= I =( 1 1 1 0 0 0 0)= 1 ( 0 0 1 1 0 0 1 )= II =( 1 0 1 1 0 1 o)= l Il =(0 1 1 0 0 1 1 )= II =(0 1 1 1 1 0 0)= I =( 1 0 1 0 1 0 1 )= 1 11 =(0 0 1 0 1 1 o)= II
( 0 0 0 1 ) H mod 2 = ( 1 1 0 1 0 0 1 ) = ( 0 0 1 0 ) H mod 2 ( 0 0 1 1 ) H mod 2 ( 0 1 0 0 ) H mod 2 ( 0 1 0 1 ) H mod 2 ( 0 1 1 0 ) H mod 2 ( 0 1 1 1 ) H mod 2 ( 1 0 0 0 ) H mod 2
=
( 1 0 0 1 ) H mod 2 = ( 1 0 1 0 ) H mod 2 ( 1 0 1 1 ) H mod 2 ( 1 1 0 0 ) H mod 2 ( 1 1 0 1 ) H mod 2 ( 1 1 1 0 ) H mod 2
Omitting patterns with 1 or 4 bars, there are 10 remaining two and threebar codes that could be used to encode the digits 09. This bar code symbology would give single error correction.
PROBLEMS 6. 1
347
9. An error check yields
( 0 0 0 0 0 1 1 ) P mod 2 = ( 0 1 1 )
' which indicates an error in hit ( 0 1 1
(0 0 1 0 0 1 1 )
11 .
0 0 1 0 0 0 0
0 0 0 0 1 0 0
0 0 0 0 0 1 0
) 2 = 3. 0 0 0 0 0 0 1
Thus
mod 2 = ( 1 0 1 1
)
The parity is even, so we assume there are either 0 or 2 errors. An error check yields
( 0 1 0 0 1 0 1 ) P mod 2 = ( 0 0 0 ) so assume there are no errors. Thus the plaintext is
( 0 1 0 0 1 0 1 ) D mod 2 = ( 0 1 0 1 ) 13. The parity is odd, so we assume a single error occurred. An error check yields ( 1 1 1 1 1 1 1 ) P mod 2 = ( 0 0 0 ) so a single error must have occurred at bit 8. The plaintext is 1 1 1 1 1 1 1 ) D mod 2 = ( 1 1 1 1
Chapter 6
)
Chinese Remainder Theorem
Problems 6 . 1
1. Both equations are satisfied by x = 3 and y = 4 ; that is, 2·3+3 · 4 mod 1 1 = 7 and 3 3 + 4 mod 1 1 = 2. See the disc for details of the solution. ·
3. Use row reduction to get 5 1 8 0 and conclude that
(. 43 85 )  l = (
2 1
� 4 3
)
348
SOLUTIONS TO ODD PROBLEMS
( 3 5 ) 1 mod 1 1 = ( 2
Reduce modulo 1 1 to get
�) Check your answer by showing that ( ! ; ) ( 2 ) mod 11 = ( � ) 10 � � 10
4 8
See the disc for further details. 5. Note that
0 ir 1 ( ) 3 1 7
=
( ��
Reduce each entry modulo 17 to get 2 3 1 0 1 5 3 7 2
mod 17 =
7 1  24  12  24 152 5 24  1 2
1
(
1
)
12 12 15 10 12 16 15 8 7
)
See the disc for further details.
7. The answer is x = 1 , y = 12, and solution.
z
= 3. See the disc for details of the
9. A computer algebra system gives the solution 121 139 w = 2 , x = 89, y = 2 , z = 18 Reduce modulo 91 to find the solution 1 �1 mod 91 = 15, 89 mod 91 = 2, 1 �9 mod 91 = 24, and 18 mod 91 = 73. See the disc for further details. Problems 6.2
1 . The solutions to the congruence x = 5 (mod 9) are . . . , 5, 14, 23, 32, 41 , 50, 59, 68, 77, 86, 94, . . . and the solutions of x = 4 (mod 11) are . . . , 4, 15, 26, 37, 48, 59, 70, 81, 92, 103, 114, . and hence the common solutions are 59 + 99k for k E Z. .
.
3. There should be a unique solution x such that 0 :::; x < 3 4 5 = 60. The solutions in the interval 0 :::; x < 60 to three congruences are ·
·
A = {2, 5, 8, 1 1 , 14, 17, 20, 23, 26, 29, 32, 35, 38, 41, 44, 47, 50, 53, 56, 59} = {3, 7, 1 1 , 15, 19, 23, 27, 31, 35, 39, 43, 47, 51, 55, 59} (7 = {4, 9, 14, 19, 24, 29, 34, 39, 44, 49, 54, 59}
B
Note that A n B n (7 = {59}.
PROBLEMS 6.3
349
5. The Chinese remainder algorithm yields 353. 7. The Chinese remainder algorithm yields 419. 9. The congruence 2x + 3 = 7 (mod 1 l) is equivalent to 2x = 7  3 = 4 (mod 1 1 ) , and hence x = 4 · 2  1 = 2 (mod 11 ) . The congruence 3x + 4 = 5 (mod 13 ) is equivalent to 3x = 5  4 = 1 (mod 13 ) , and hence x = 3  1 = 9 (mod 13 ) . Thus the original pair of congruences is equivalent to the system x = 2 (mod 11 ) and x = 9 (mod 13 ) . Thus x must satisfy x = 2 + 11k 9 + 13r 1 1k = 9  2 (mod 13 ) k = 7 . 11  1 mod 13 3 =
=
so x = 2 + 1 1 · 3 = 35 (mod 143 ) . Checking, note that 2 · 35 + 3 mod 1 1 = 7 and 3 · 35 + 4 mod 13 5. =
Problems 6.3
1 . The product is 37759097376· 1 16389305648 = 4394 755 125 487 858 779 648. See the disc for details of the computation using base b 1000 arithmetic. =
3. The product is 37759097376· 1 16389305648 4394 755 125 487 858 779 648. See the disc for details of the computation using the modular basis ( 997, 999, 1000, 1001, 1003, 1007, 1009, 1013 ) and the Chinese remainder algo rithm. 5. We have 240 1 .099 511 628 x 10 1 2 • Modulo 1000, we have 240 mod 1000 2 1 0 x 2 1 0 x 2 1 0 x 2 1 0 mod 1000 24 x 24 x 24 x 24 mod 1000 776. Modulo 100 000, have 2 40 mod 100 000 2 1 0 x 2 1 0 x 2 1 0 x 2 1 0 mod 100 000 · · = 27 776, and hence the last five digits are 27 776. It follows that 240 1099 511 627 776. See the disc for more detail. 7. Because 100! = 2 97 348 5 24 7 1 6 11 9 13 7 17519 5 234 293 31 3 372 41 2 43 2 472 53 x 59 x 61 x 67 x 71 x 73 x 79 x 83 x 89 x 97, the modular representation is =
�
=
=
=
=
=
·
=
100! = (O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O, O) Note that the elements of the modular basis are all powers of distinct primes, and are thus pairwise relatively prime. Problems 6.4
1 . Note that 2x 3 + 3x2 + 3x + 1 = ( 2x + 1 ) ( x2 + x + 1 ) and 2x2 + 5x + 2 ( 2x + 1 ) (x + 2 ) , so gcd ( 2x3 + 3x2 + 3x + 1, 2x2 + 5x + 2 ) 2x + 1 . =
=
350
SOL UTIONS TO ODD PROBLEMS
3. Modulo 5 we have 6x + 3 2x3 + 3x2 + 3x + 1 = x 1+ 2 2x2 + 5x + 2 2x + 5x + 2 2x3 + 3x2 + 3x + 1 = (x + 4) (2x2 + 5x + 2) + x + 3 2x2 + 5x + 2 2x 1 x+3 and modulo 7 we have 6x + 3 2x3 + 3x2 + 3x + 1 = x 1+ 2 2x2 + 5x + 2 2x + 5x + 2 2x3 + 3x2 + 3x + 1 = (x + 6) (2x2 + 5x + 2) + 6x + 3 2 2x2 + 5x + 2 1 = x+ 6x + 3 3 3 The leading coefficient must be 1 or 2. If the leading coefficient is 1, then modulo 5 we have x + 3 and modulo 7 we have 6 1 (6x + 3) mod 7 = x + 4 and x + 18 does not divide 2x3 + 3x 2 + 3x + 1 . Assume the leading coefficient is 2. Then modulo 5 we have 2 (x + 3) = 2x + 1 , and modulo 2 + 3x+l  x 2 + x + 1 and 7 we have 2 (x + 4)  2x + 1 Note that 2x3+23xx+l 2x 2 +x+l 5x+2  x + 2 so 2x + 1 is a common divisor ' 2 ' 5. The greatest common divisor is 1 + 2x2 • As a check, note that 6x5  7x3 + 8x2  5x + 4  3 3x 5x + 4 2x2 + 1 8x4 + 6x3 + 8x2 + 3x + 2  4x 2 + 3 x + 2 2x2 + 1 See the disc for details of the polynomial division. _
_
=
_
·
_
_
_
7. Scientific Notebook produces gcd ( 6x5  7x3 + 8x2  5x + 4, 8x4 + 6x3 + 8x2 + 3x + 2)
=
1 + 2x2
9. Use long division to get 6x6 + 4x5 + 9x4 + 19x3 + 2x2 + 15x + 5 = 2 X 3 + 3X + 1 :: ::3x3 + 2x2 + 5 12x5 + llx4 + l lx3 + 26x2 + 5x + 15  4x 2 + x + 3 3x3 + 2x2 + 5 which shows 3x3 + 2x 2 + 5 is a common divisor. Note that 2.t':2�3;'tl = x+ lf ¥ implies 2x 3 + 3x + 1 = ( l x  l ) (4x 2 + x + 3) + 1 3 x + l! l2 x  l8 + 4x2+x+ 8 8 8 3 2 2 3  32 x  248 + ( 848 ) wh ' h · d 1ca 3 + 3x + 1 ' t th t 2 es a x and 4x11! x++x+ .ll 13 1 69 1 69 sx+s 8 8 and 4x2 + x + 3 are relatively prime. 


_
_
13
11
IC
m
351
PROBLEMS 6.5
Problems 6.5 1 . See the answer to problem 3. See the disc for details of the solution using elementary row operations and rational arithmetic.
3. Direct calculation with a computer algebra system yields 240 16  120 1 21 31 41  1 1 1 1 1 120 1200 2700 5 2 4 3 = 1 1 1 1 240 2700 6480 4 5 6 3 1 1 1 1 140 1680 4200 5
4
6
7
140 1680 4200 2800
5. Note that 1 1 12 2 2 3 1 1 det H3 = 2160 24335 1 1 det H4 = 6048 000 2 8 33537 1 1 det 5 = 1 0 2 355 000 800 5 73 H 266 716 1 1 = det H6 = 1 4395 2 000 200 339 420 313 186 5 75 11
det H2
=
=
=
7. The row operations
coo29
31 1 9 0
n�G �G
�) �)
1 1 1300 1 00 9 29 0 2 1 1 1300 1 00 1 29 1 0
�
(� G
�
1) )
1 1 1300 1 00 1 1 2900  1 00 0 9 31 1 29 100
) ( 10029 319 ) 1 ( 299 31 100 . 24 ) = 1 . Modulo 1 1 , the inverse is 9. Note that mdeed det ( _127 37 7 (� �) , and modulo 13, the inverse is (t71 ��) . The Chinese remainder theorem yields 127 24 )  1  ( c ([7, 7) , [11, 13)) c ([2, 1 1) , [11, 13)) ) ( 37 c ([4, 1 1) , [1 1 , 13)) c ([6, 10) , [11 , 13)) 7  ( 7 24 ) 37 127 . giVe
=
.
SOLUTIONS TO ODD PROBLEMS
352 Checking, note that
Chapter
( ��� :4 ) ( ;7 122� ) = ( � � )
7
Theorems of Fermat and Euler
Problems 7.1
1. Note that (101  1)! mod 101 100 = 1 (mod 101), (103  1)! mod 103 102 = 1 (mod 103), (105  1)! mod 105 = 0, (107  1) ! mod 107 106 = 1 (mod 107) , and (109  1)! mod 109 108 =  1 (mod 109), so 101, 103, 107, and 109 are primes and 105 is not. 3. 1 2 mod 1 1 1 2 2 mod 1 1 = 4 2 3 mod 1 1 9 42 mod 1 1 5 5 2 mod 1 1 3 6 2 mod 1 1 = 3 72 mod 1 1 5 82 mod 1 1 9 92 mod 1 1 = 4 10 2 mod 1 1 1 5. Computing x2 mod 15 for x 1, 2, 3, ... , 14 shows that the solutions are 1 2 mod 15 = 4 2 mod 15 1 1 2 mod 15 = 142 mod 15 = 1 =
=
=
=
=
=
=
=
=
= =
=
=
7. We know that (p  1 ) ! mod p = p  1. Since p  1 j_ p, it follows that (p  2)! mod p 1 . Since p. 2 (mod p) = 2, it follows that 1 (p  3)! (p  2) mod p 2 (p  3) ! modp = 1 2 (p  3) ! mod p p  1. =
=
9. Rearrange the product as 2 3 4 5 · 6 · 7 8 · 9 · 1 0 · 1 1 · 12 · 1 3 14 · 15 = (2 9) · (3 6) (4 · 13) · (5 7) · (8 · 15) ( 10 12) (11 14) and observe that 2 9 mod 17 1, 3 6 mod 17 1 , 4 · 13 mod 17 1, 5 · 7 mod 17 = 1, 8 · 15 mod 17 1, 10 · 12 mod 17 = 1 , and 11 · 14 mod 17 1 . Hence 16! mod 17 = 1 · 16 · (2 9) · (3 6) · (4 · 13) (5 · 7) (8 15) · (10 · 12) · (11 14) mod 17 1 · 16 · 1 · 1 · 1 · 1 · 1 · 1 · 1 mod 17 16 mod 17 = 1 (mod 17) ·
·
·
·
·
·
·
·
=
·
·
·
·
·
·
·
=
=
=
=
·
·
·
·
·
·
=
=
Problems 7.2
k 1 . Using Algorithm 7.1 , gets 1 2 3 4
p 1 1 · 1 1 mod 15 1 1 1 1 1 1 mod 15 1 1 · 1 1 mod 15 = 1 1 11 · 1 1 mod 15 = 1 =
·
=
PROBLEMS 7.3
353
k
p
1 1 · 16 mod 29 16 so 164 mod 29 16 · 16 mod 29 = 24 24 · 16 mod 29 = 7 7 · 16 mod 29 = 25
3. Using Algorithm 7. 1 , gets 21 3 4
=
5. Using Algorithm 7.2, we get 5 97 mod 127 7. Using Algorithm 7.2, we get 46 3 mod 127
=
25.
=
80. See the disc for details.
=
1. See the disc for details.
9. We get 12 72 38789433936 3242 mod 243682743764
=
17 298 641 040.
1 1 . The second variation computes xn and then reduces the result modulo m . For x and n integers, xri is feasible to calculate exactly only if x and n are relatively small integers, say at most 3 or 4 digits each. The first variation makes it easy to calculate xn mod m for numbers x, n, and m that are each perhaps a hundred decimal digits long.
Problems 7.3 x n mod 2 ln/2J * n 1. x2 mod 11 10 0 2 1 2 2 mod l l 4 l10/2J 5 4 2 mod l l 5 l5/2J 2 0 l2/2J 1 1 5 2 mod l l 3 and we see that 2 10 mod 11 1 . 3. 2 1000 mod 13 ( 2 1 2 ) 83 2 4 mod 13 1 83 24 mod 13
p · x mod 11
*
=
1 1 · 4 mod ll = 4
=
=
=
=
=
*
p
3 4 mod l l = 1 ·
=
=
=
5. 5 2000 mod 17
=
7. 11 1 2 34 mod 29 9. 52 1 7 mod 217
(5 1 6 ) 1 2 5 mod 17
=
=
=
=
16 mod 13 = 3
1 1 25 mod 17 = 1
(11 28 ) 44 1 1 2 mod 29
5 although 217
=
=
1 44 11 2 mod 29
=
121 mod 29 = 5
7 x 31
1 1 . To verify this by hand, write 217 as a sum of powers of 2: 217
=
128 + 64 + 16 + 8 + 1 28 + 2 7 + 24 + 2 3 + 1
then compute 5 n (mod 217) for n 1, 2, 2 2 ' 2 3 . . ' 2 8 using the fact that each number 5 n (mod 217) is the square of the preceding one: =
'
.
5, 25, 191, 125, 191, 125, 191, 125, 191
354
SOLUTIONS TO ODD PROBLEMS
Finally, compute 5217
5 128 + 64+ 1 6 + 8+1 5 1 2 8 5 64 5 1 6 5 8 5 191 125 191 125 5 (mod 217) 5 (mod 217) ·
·
·
·
Trying to divide 217 by 3, 5, 7, 1 1 , . . . results quickly in 217 = 7 X 31 13. Note that 1729 = 7 x 13 x 19 and 1728 2 6 33. Since 7, 13, and 19 are primes, it follows that x 7 mod 7 x mod 7 and x 1 3 mod 13 = x mod 13 and x 1 9 mod 19 = x mod 19 for every integer x. Suppose x l. 7, x ..L 13, and x ..L 19. Then x 1 72 8 mod 7 = (x6 ) 288 mod 7 = 1 288 mod 7 = 1 x 1 728 mod 13 = (x 12 ) 144 mod 13 = 1 1 44 mod 13 = 1 x 1 728 mod 19 = (x 1 8 ) 96 mod 19 = 1 96 mod 19 = 1 =
=
and hence by the Chinese remainder theorem, x 1 728 mod 1729 = 1, which means that x 1729 mod 1729 = x mod 1729. Suppose that x mod 7 � 0, x l. 23, and x l. 41. Then x 1 729 mod 7 = 0 = x mod 7 x 1 728 mod 13 (x 1 2 ) 144 mod 13 = 1 1 44 mod 13 = 1 x 1 728 mod 19 = (x 1 8 ) 96 mod 19 = 1 96 mod 19 = 1 =
and hence x 1 729 mod 7 = 0 = X mod 7 and x 1 72 9 mod 13 = X mod 13 and x 1 729 mod 19 = x mod 19 so that x 1 729 mod 1729 = x mod 1729 by the Chinese remainder theorem. The remaining cases can be handled in a similar manner. Observe that 1729 = 103 + 93 = 123 + 13. 15. Let x be an integer and p a prime dividing n. If p divides x, then xn mod p = 0 = x mod p If p does not divide x, then xn  1
=
p (xp  1 ) (n 1 ) / (  1 )
=
1 (n  1 ) / (p 1 )
=
1 (modp)
so xn mod p = x mod p. Thus this equation holds for any prime p dividing n. By the Chinese remainder theorem, xn mod n = x mod n
PROBLEMS 7.4
355
17. Set m = 1 and do a loop such a8 for
k from
1 to 100 do;
if isprime{6 * k+1) = true and isprime{12 * k+1) = true and isprime{18 *k+ 1) = true then c [ m] :={6 * k+1) * {12 *k+ 1) * { 18 *k+ 1) ; m:=m+1 ; end if; end for
and observe that
c (1) c (2) c (3) c (4) c (5) c (6) c (7) c (8) c (9)
1729 = 294409 = 56052361 = 1 18901521 = 172947529 216821881 228842209 1299963601 2301745249 =
=
=
Problems 7.4
1. Since l v'899J
=
29, we check
8�9 8�9 899 17 8 99 29
449 � = 128¥ = 52 15 17 31 =
8�9 = 299 � 8 99 81 _§_ 11 11 899  47...2.. 19 19 =
8 99 = 179 � 5 5 899 69 2 13 13 99 = 39 2 823 23 =

and hence 899 = 29 31. ·
1. Factoring, we have 898 = 2 x 449. The 3. Note that gcd (2, 899) calculations 2449 mod 899 = 698 and 6982 mod 899 = 845 show that 899 is composite. =
5. Since 2P  1 mod p 26 747, it follows from Fermat ' s little theorem that p is composite. Factorization shows that p = 449 x 457. =
356
SOLUTIONS TO ODD PROBLEMS
7. We have 187 736 503  1 = 2 x 93 868 251. Note that 293 868 25 1 mod 187 736 503 = 1 393 868 25 1 mod 187 736 503 =  1 593 868 25 1 mod 187 736 503 = 1 793 868 25 1 mod 187 736 503 = 1 1 1 93 868 25 1 mod 187 736 503 =  1 13 93 868 25 1 mod 187 736 503 =  1 1 793 868 25 1 mod 187 736 503 =  1 1 9 93 868 25 1 mod 187 736 503 =  1 23 93 868 25 1 mod 187 736 503 = 1 29 93 868 2 5 1 mod 187 736 503 =  1 and hence 187 736 503 passes Miller's test with n = 1 0 trials.
·� lnx1 1 x ' Then J' (X ) = lnxx 9 . Let f (X) = lnx (lnx /" = � � lnx and hence the average gap between primes j1 ( 10 100 ) = 4. 324 083 649 X 10 3 , is 4 . 324 083 �49 x 1 o � 231 . Assuming that on average you start halfway between two primes, and you only check even numbers, you will expect to test about 231 /4 � 58 numbers. 1 1 . The gaps are 1243  949 = 294 949  268 = 681 1293  1243 = 50 1983  1293 = 690 2773  1983 = 790 2809  2773 = 36 291 1  2809 = 102 2967  291 1 = 56 3501  3469 = 32 3469  2967 = 502 so the average gap is 681 + 294 + 50 + 690 + 790 + 36 + 102 + 56 + 502 + 32 = 323 � 10 10 which is somewhat larger than the expected gap given in problem 9. 
SO
3
Problems 7.5
1 . Note that gcd ( 7, 100 ) = 1. We have 73 7 mod 101 = 40 and 7 1 mod 100 = 43 and 4043 mod 101 = 73, and hence 73 is recovered. 3. For example, let p = 3391 691 164 919 859 649 719 340 532 627 567 207 607 656 859 034 356 995 566 589 707 894 210 757 866 827 613 621 721 127 496 191 413
PROBLEMS 7.6
357
be the smallest prime
2::
5 1 50 mod 10 100
5. The numbers 2 04 7 679 804 982 929 369 090 035 623 502 251 062 360 672 859 815 645 1 503 714 396 228 131 674 104 263 081 904 252 158 592 322 776 941 888 958 411 586 724 601 781 693 914 292 292 892 305 522 540 318 192 363 442 582 571 176 226 543 020 134 304 037 361 597 914 795 908 agree at 10 spots (see the bold digits) . This is not a surprise because the process does a good job of mixing, and random 100digit numbers would be expected to agree in about 10 spots (onetenth of the time) . Problems 7.6 1 . Since 24 = 23 3, the integers {1 , 5, 7, 11, 13, 17, 19, 23} are relatively prime to 24 and cp(24) = 8. 3. We have cp(27) = cp(33 ) = 3 3  3 2 = 18. There are 18 integers
1 , 2, 4, 5, 7, 8, 10, 11, 13, 14, 16, 17, 19, 20, 22, 23, 25, 26 less than or equal to 27 that are relatively prime to 27. 5. Since 1001 = 7 x 11
x
13, we have cp(1001) = cp(7)cp(11)cp(13) = 6 · 10 · 12 = 720
Note that
5720 mod 1001
=
1
7. We start with the least nonnegative residue system R = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9} and construct {7r + 4 1 r E R} � { 4, 1 1 , 18, 25,· 32, 39, 46, 53, 60, 67} Note that
39 mod 10 = 9 4 mo d 1 0 = 4 46 mod 10 = 6 1 1 1 mod 10 53 mod 10 18 mod 10 8 3 60 mod 10 25 mod 10 = 5 0 67 mod 10 = 7 32 mod 10 = 2 and hence each element of {7r + 4 1 r E R} is congruent modulo 10 to exactly one element of R. =
358
SOL UTIONS TO ODD PROBLEMS
9. Let p be a prime that divides n. If p does not divide a , then aP  1 = 1 (modp) so acp( n) = 1 (modp) because p  1 divides r.p ( n) . Multiplying by a we get
acp( n) + 1 = a (modp) On the other hand, if p does divide a , then a = 0 = acp(n)H (modp) so, trivially, acp( n) + l = a (mod p) Thus acp(n ) + l = a (mod p) for each prime dividing n. But this says that each prime that divides n also divides acp( n) + l  a , so if n is a product of distinct primes, then n must divide acp(n) + l  a, that is, acp( n) +l a (mod n) . _
Chapter
8
Public Key Ciphers
Problems 8 . 1 1 . As m = 5 7 , we have r.p(35) = r.p(5)r.p(7) = 4 6 = 24. Then d = e  1 mod r.p (m) = 1 1 1 mod 24 = 1 1 , so ·
·
x e mod m = 22 1 1 mod 35 = 8 y z = yd mod m = 81 1 mod 35 = 22
See the disc for details of these computations. 3. As m = 29 31, we have r.p(m) = r.p(29)r.p(31) = 28 30 = 840 and d e  1 mod r.p (m) = 101  1 mod 840 = 341 . So y = x e mod m = 555 101 mod 899 = 731 z = y d mod m = 731 341 mod 899 = 555 ·
·
=
5. Let x = 99999999999999, m = 25972641171898723, e = 997, and r.p = 25972640809676568 and note that y = xe mod m = 4815 828 410 330 867 d = e  1 mod r.p = 1 1 514 450 589 645 981 yields yd mod m = 99 999 999 999 999. 7. The numbers p and q are found using p+q = mr.p(m) + 1 = 15 481 643 766 690 322 656 570 354 930 733 675 907 594 344 877 898 320 382 154 352 656 607 014 and p  q = .j(p + q)2  4m = 12 326 200 145 806 231 064 298 751 424 387 459 058 535 358 406 473 593 017 996 013 777 132 860.
359
PROBLEMS 8.2
Then p = (p+ q)!(pq) = 1577 721 810 442 045 796 135 801 753 173 108 424 529 493 235 712 363 682 079 169 439 737 077 and q = (p+ q); (p q) =13 903 921 956 248 276 860 434 553 177 560 567 483 064 851 642 185 956 700 075 183 216 869 937. As a check, pq = 21 936 520 921 056 942 428 185 744 321 881 874 204 790 829 920 570 235 226 904 516 467 385 564 406 736 567 597 367 535 979 699 930 859 170 667 289 061 009 756 151 158 068 196 185 554 149 9. There are c.p (m) = (p  1) (q  1) numbers between 1 and m that are relatively prime to m. So there are m  (p  1) ( q  1) = p + q  1 numbers x in that range with gcd (x, m) =f. 1 . Thus the probability of choosing a number x with gcd (x, m) =f. 1 is p+q  1 � � � = + q p m m Problems 8.2 1. We have 12 3 mod 15 = 3 and 3 5 mod 21 = 12 and hence Kyle sends the message 12 to Sarah.
3. The product Pbqb is given by nb = 2748 401 157 849 763 = 433 834 446 478 963 so the public key is (eb, nb) = (9587, 433 834 446 478 963). Since c.p (nb) = (2748 401  1) (157 849 763  1) = 433 834 285 880 800, it follows that db = 9587  1 mod 433 834 285 880 800 = 394 14 7 97 4 342 523 and hence the private key is ·
(d8 , ns) = (394 147 974 342 523, 433 834 446 478 963)
5. Since n8 = 37 847 755 706 513 < nb = 433 834 446 478 963, Sean decrypts the message by first applying Brendon's public key, then Sean's private key to get
7 ( 386 686 175 803 129958 7 mod nb ) 28 526 1 26 032 45 mod ns 5112 397 193 243 2852 6 1 26 032 457 mod n8 = 1234 567 890 =
7. Since ni < nb , the plaintext message is encrypted by first using Janet's public key, then using Brendan's private key to get ( 99 999 999 785 3 mod 15 092 177) 1 64 1 65 mod 29 143 171 = 6136 937 1 64165 mod 29 143 171 = 24 506 902 9. Encryption yields
( 2000 0007907 mod 49 839 739) 22 91 3 1 6 5 mod 26 513 567 45 57 4 6 2 6 22 9 1 3 1 6 5 mod 26 513 567 = 6765 427 =
360
SOL UTIONS TO ODD PROBLEMS
and decryption yields ( 6765 4274637 mod 26 513 567) 45 679 243 mod 49 839 739 = 19 061 059 45 679 243 mod 49 839 739 = 44 781 288
Information can be lost when modular arithmetic with a large modulus is followed by modular arithmetic with a smaller modulus. 1 1. Since ni > nb , the plaintext message is encrypted by first using Brendon's private key, then using Janet's public key to get
( 99 999 ggg260733 1 57 830 32 1 636 6 1 9 mod 986 577 727 411 807 628 569) 1 77 264 463 mod 7029 75 7 456 346 007 993 017 = 889 504 247 126 301 481 385 1 77264 463 mod 7029 757 456 346 007 993 017 = 6165 005 940 876 305 088 312
13. Encryption yields 70 849 375 393 993 065 812 and decryption yields 333 146 600 281 273 156 600 517. Information can be lost when modular arithmetic with a large modulus is followed by modular arithmetic with a smaller modulus. By first applying Sarah's private key followed by Preston 's pub lic key, the encrypted message is 30 564 624 919 862 526 996 750 and de cryption yields 101 010 101 010 101 010 101. See the disc for details of these computations. Problems 8.3
1 . The ASCII values are given by
and hence the equivalent positive integer is 50 + 94 . 256 + 52 . 256 2 + 61 · 256 3 + 49 . 2564 + 54 . 2565 = 59 585 108 139 570 3. Sarah first translates the plaintext to large integers using the table 0 R 82 1 1 1 i s 105 115 s 0 115 111
n 1 1 0 32 a 32 97 r 1 14 32
R i 82 105 p 32 112 a t 97 116
v 1 18 r 114 32
s e 101 115 f 0 111 102 M I 77 73
t 1 16 32 s e 102 115 T 84 46
PROBLEMS 8.4
361
and the calculations x = 82 + 1 1 1c + 110c2 + 32c3 + 82c4 + 105c5 + 118c6 + 101c7 + 115c8 + 1 16c9 + 32c10 + 105 c 11 + 115c1 f + 32c1 3 + 97c1 4 + 32c1 5 + 1 1 2c 16 + 1 14c 1 7 + 1 1 1c 18 + 102c 1 9 = 584 802 410 296 329 453 294 993 117 073 566 607 047 018 835 794 y = 102 + 115c + 115c2 + 1 1 1c3 + 1 14c4 + 32c5 + 97c6 + 116c7 + 32c8 + 77c9 + 73c 10 + 84c 11 + 46c 12 = 3670 580 832 286 885 393 984 052 753 254 Since nk < n8 , Sarah first uses Kyle ' s public key, then her private key to encrypt the message as (xe k mod nk ) d• mod n8 = 6642 642 701 546 739 554 009 203 231 203 625 130 908 152 661 584 571 (yek mod nk ) d• mod n8 = 5781 828 020 001 339 664 1 10 566 141 724 658 323 575 128 107 486 053
5. The message is Multiplication is easy, but factorization is hard.
See the disc for details. 7. Since nk < n8 , Kyle first uses Sarah's public key then his own private key to calculate the numbers (x997 mod ns ) dk mod nk , (y 997 mod ns ) dk mod nk , and ( z 997 mod n8 ) dk mod nk . The message is RSA keys are typically 1 024 to 2048 bits long
See the disc for details. Problems 8.4
1. Note that 2=2<3 2+3=5<6 2 + 3 + 6 = 1 1 < 12 2 + 3 + 6 + 12 = 23 < 24 2 + 3 + 6 + 12 + 24 = 47 < 48 2 + 3 + 6 + 12 + 24 + 48 = 95 < 96 2 + 3 + 6 + 12 + 24 + 48 + 96 = 191 < 200 so the sequence {2, 3, 6, 12, 24, 48, 96, 200} is super increasing.
SOLUTIONS TO ODD PROBLEMS
362
3. Since 2 + 3 + 6 + 12 + 24 + 48 + 96 + 200 = 391 < 453, it follows that m = 453 is an appropriate modulus. Also, gcd ( 453, 61) = 1 and hence k 61 has an inverse modulo 453. The public key is given by =
2 61 mod 453 = 122 3 · 61 mod 453 = 183 6 · 61 mod 453 = 366 12 · 61 mod 453 = 279 24 61 mod 453 = 105 48 61 mod 453 = 210 96 61 mod 453 = 420 200 61 mod 453 = 422 ·
·
·
·
·
The encrypted message is given by (122, 183, 366, 279, 105, 210, 420, 422) · (1 , 0, 0, 1 , 0, 1 , 1 , 0) = 1031 To decrypt the message, note first that 61  1 mod 453 = 52 and hence the original superincreasing sequence is given by 122 · 52 mod 453 = 2 183 52 mod 453 = 3 366 · 52 mod 453 = 6 279 · 52 mod 453 = 12 105 · 52 mod 453 = 24 210 · 52 mod 453 = 48 420 52 mod 453 = 96 422 · 52 mod 453 = 200 ·
·
and 1031 · 52 mod 453 = 158 We now deduce that 158 = 96 + 62 62 = 48 + 14 14 = 12 + 2 so 158
=
96 + 48 + 12 + 2
and the plaintext is ( 1 0 0 1 0 1 1 0
)2.
363
PROBLEMS 8. 5
5. Note that 1=1<3 1 +3 =4 < 5 4 + 5 = 9 < 10 9 + 10 = 19 < 20 19 + 20 = 39 < 40 39 + 40 = 79 < 80 79 + 80 = 159 < 160 159 + 160 = 319 < 320 319 + 320 = 639 < 640 639 + 640 = 1279 < 1280 1279 + 1280 = 2559 < 2560 2559 + 2560 = 5119 < 5120 5119 + 5120 = 10 239 < 10240 10239 + 10240 = 20 479 < 20480 20 4 79 + 20480 = 40 959 < 40960 40 959 + 40960 = 81 919 < 81920 81 919 + 81920 = 163 839 < 163840 so the sequence 1, 3, 5, 10, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120, 10 240, 20 480, 40 960, 81 920, 163 840 is superincreasing. 7. The public key is 997, 2991, 4985, 9970, 19940, 39880, 79760, 159520, 319040, 310 261 , 292 703, 257 587, 187 355, 46 891, 93 782, 187 564, 47 309, 94 618. The ciphertext is 860 321 mod 327819 = 204 683. The private key is 997 1 mod 327819 = 133 495. To decrypt, multiply by 133495 and reduce modulo 327819 to get the superincreasing sequence 1,3,5,10,20, 40, 80,160, 320, 640, 1280, 2560, 5120, 10240, 20480, 40960, 81920, 163840 and the sum 133495 860 321 mod 327819 = 115 616 . Now ·
115 616 81 920 + 33 696 33 696 = 20 480 + 13 216 13 216 = 10 240 + 2976 2976 = 2560 + 416 416 = 320 + 96 96 80 + 16 16 = 10 + 6 6=5+1 =
=
so the plaintext is 10110010100101 1010.
364
SOL UTIONS TO ODD PROBLEMS
Problems 8.5
1 . Use a computer algebra system to verify that q = 1091 381 946 026 415 813 817 094 712 889 364 130 135 176 179 079 is prime. The evaluations
show that � 1 59
q  2 1 59 = 360 631 127 360 964 354 715 252 296 531 222 620 307 209 907 591 q  2 160 = 370 1 19 691 304 487 104 386 590 119 826 918 889 520 756 363 897 <
q < 2 160 .
3. Evaluation of p  1 mod q should produce 0. 5. The order of g must divide the prime q. Since the order of g is not 1 , it must be exactly q. 7. The generalized prime number theorem implies that 1r q ,m
Let f (x)
=
(
cp q)
•
h�x
=
q�1
j ' (X)
=
·
(x) �
cp
1 . X (q) ln x
h�x . The derivative is given by
1
Q1
. ln x  xlx � 1 Q ln X (ln X) 2
and hence the average gap between primes in the arithmetic sequence kq+ 1 is roughly q ln x. Since q � 2 160 and x � 2 5 12 and we only check every 2q, and on average we start halfway between such primes, the average number of trips through the loop should be about l 2 5 12 T � 354. 891 356 4/4 � 89
Chapter 9 Problems 9 . 1
Finite Fields
1 . From the distributive law, aO + aO = a (0 + 0 ) . So a O + a O = aO. Adding aO to both sides of this equation gives aO = 0.
PROBLEMS 9. 1
365
3. The system 3x + 7y + 6z = 2 4x + 5y + 3z = 2 2x + 4y + 5z = 4 is equivalent to the matrix equation
Calculate the inverse modulo 5 and multiply to get
Thus x = 1, y = 4, z = 1 . As a check, note that 3 4 + 7 4 + 6 2 mod 5 = 2 4 4 + 5 4 + 3 2 mod 5 = 2 2 4 + 4 4 + 5 2 mod 5 = 4 ·
·
·
·
·
·
·
·
·
5. Solve the system 3x + 9y + 4z = 8 2x + 3y + 5z = 2 5x + 4y + 9z = 10 over the rational numbers to get
Reduce modulo 1 1 to produce 32
7 mod ll = 3
O mod ll = 0 10   mod ll = 8 7
366
SOLUTIONS TO ODD PROBLEMS
As a check, note that indeed 3 3 + 9 0 + 4 8 mod 11 = 8 2 3 + 3 0 + 5 8 mod 11 = 2 5 3 + 4 0 + 9 8 mod 1 1 = 10 ·
·
·
·
·
·
·
·
·
7. +
0
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0
0
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0
2
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0
3
3
4
6
7
8
9
10
11
12
13
14
15
16
0
4
4
5
6
7
8
9
10
11
12
13
14
15
16
0
5
6
7
8
9
10
11
12
13
14
15
16
0
6
6
7
8
9
10
11
12
13
14
15
16
0
7
7
9
10
11
12
13
14
15
16
0
8
8
0
9
10
10
11
12
13
14
15
16
11
12
13
14
15
16
0
10
10
11
12
13
14
15
16
11
11
12
13
14
15
16
0
0
12
12
13
14
15
16
13
13
14
15
16
0
14
14
15
16
0
15
15
16
0
16
16
0
2
X
3
2
4
2
3
4
2
3
4
5
8
9
10
11
12
13
9
10
11
12
13
14
3
4
5
6
7
8
9
10
11
12
13
14
15
5
6
7
8
16
15
4
7
11
15
3
3
6
9
12
4
8
12
16
7
5
5
10
15
3
13
6
6
12
7
7
14
4
11
7
15
13
9
10
9
10
2
10
14
6
15
7
16
11
4
14
7
12
6
16
9
12
16
10
4
15
9
3
2
14
9
4
16
11
6 15
16
15
14
13
12
11
10
9
8
11
13
16
10
3
10
10
3
16 13
11
3
12
6
11
13
7
10
10
5
13
2
4
3
16
14
9
16
4
2
11
5
9
13
7
8
15
4
5
5
9
3
9
15
4
13
8
16
13
16
14
11
15
11
11
11
13
14
9
2
12
6
13
7
16
14
5
10
11
15
10
14
2
14
16
8
14
13
6
15
12
12 12
13
10
10
6
11
3
9
11
12
7
7
14
11
11
8
14
15
10
10
7
6
15
9
9
6
12
14
8
6
5
5
7 8
10
5
10
7
9
7
5
4
9
7
6
4
8
12
7
7
3
3
13
6
4
6
13
4
2
2
12
5
4
3
4
16
4
5
7
6
4
3
3
2
4
8
4
3
3
3
4
4
3
8
7
3
2
2 2
12
15 14
8 13
8 13 11
14
7
7
11
9
8
3
15
10
5
3
16
12
8
4
7
4
15
12
9
6
3
16
14
12
10
8
6
4
2
8
7
6
5
4
3
2
PROBLEMS 9.2
367
9. The definition of a field contains the following two properties: a1 = a and, if a =f. 0, then ax = 1 for some x. The element in the set of integers modulo 10 under addition and multiplication such that a1 = a for all a in the set is the congruence class of the number 1 . The multiplication table for the set of integers modulo 10 is 1 2 3 4 5 6 7 8 9
1 1 2 3 4 5 6 7 8 9
2 2 4 6 8 0 2 4 6 8
3 3 6 9 2 5 8 1 4 7
4 4 8 2 6 0 4 8 2 6
5 5 0 5 0 5 0 5 0 5
6 6 2 8 4 0 6 2 8 4
7 7 4 1 8 5 2 9 6 3
8 8 6 4 2 0 8 6 4 2
9 9 8 7 6 5 4 3 2 1
and you can see that there are several rows that do not contain 1. For example, there is no element in the set for which 2n 1. If this were a field, every element would have to have a multiplicative inverse. 11. To factor x 2 + 7x + 10 = (x  a) (x  b) over GF11 , look for a and b in the Cayley tables for GF11 so that a + b = 7 mod 1 1 = 4 and ab = 10 mod 1 1 . The solution is x = 6 or x = 9. =
Problems 9.2
1 . The sum (5x3 + 4x2 + 3) + (4x4 + 6x2 + 3x + 5) mod 7 is equal to 4x4 + 5x3 + 3x2 + 3x + 1 3.
The product (5x3 + 4x2 + 3) (4x4 + 6x2 + 3x + 5) mod 7 is 6x7 + 2x6 + 2x5 + 2x4 + 2x3 + 3x2 + 2x + 1
5. The division algorithm in GF7 [x] writes 4x4 + x2 + 3x + 1 as (5x + 3) ( 5x3 + 4x2 + 3 ) + 3x2 + 2x + 6 so the answer is 3x2 + 2x + 6. 7. Factoring the polynomial in Q [x] gives (x  3) 2 (x + 3) ( 3x + x2  2 ) which lS
9.
(x + 4) 2 (x + 3) ( 3x + x2 + 5 ) mod 7
The codeword x4p (x) + (x4p (x) mod g (x) ) mod 2 is equal to
368
SOLUTIONS TO ODD PROBLEMS
1 1 . Let n be a positive integer. If n is 1 or a prime, then we are done. Otherwise n = ab where a and b are positive integers greater than 1 . So a < n and b < n. By the principle of complete induction, we may assume that each of a and b is a prime or a product of primes. So n = ab is a product of primes.
13. Computing ( r ( x ) mod g (x )) mod 2 gives x 1 5 + x6 + x 3 + x + 1 , so at least one error has occurred. The plaintext must be retransmitted. Problems 9.3
1. The multiplication table is given by
(�)
(�
0 1 (0 1 () () + 1) mod 2 = () B+1 0 B+1
0 B+1 B (B + 1) (() + 1) 2
)
where ( () 2 mod () 2 + () + 1) mod 2 = () + 1 , (() ( () + 1) mod ()2 + () + 1) mod 2 = 1 , and (() + 1) 2 mod () 2 + () + 1 mod 2 = (), so the multiplication table is given by B+ 1 1 0 0 0 0 0 0 () 1 1 B+1 0 B+1 1 () 0 () 1 () () + 1 0 B+1 Addition is vector addition modulo 2. In particular, 0 + 0 = 1 + 1 = B + B = (B + 1) + (B + 1) = 0, so the addition table is given by
(
+ 0 1 () B+1
)
1 0 0+1 0+0 1+1 1+0 B+1 B+O B+1+0 B+1+1
() B+1 0+B+1 0 + () 1+B+1 1+B B+B+1 B+1 B+1+B B+1+B+1
which reduces to + 0 1 () B+ 1 3. Let p (x ) , q ( x) , r ( x )
E
0 0 1 () B+1
1 1 0 B+1 ()
() B+1 () B+1 () 1 + () 1 0 1 0
Z [x] and set s ( x ) = x 2 + x + 1 . Then
PROBLEMS
(p
9.3
369
(x) + q{x)) + r (x) mod s (x) (p (x) q ( x)) r ( x) mod s (x )
= =
p p
(x) + (q (x) r (x)) mod s (x) (x) (q (x) r (x)) mod s (x) +
so
[ [p (x) + q (x) ] + r (x) ] [p (x) + [q (x) + r (x)]] [p ( x) q (x) ] [r (x) ] [p (x) ] [q (x) r (x) ] =
=
5. Suppose
!1 (x)
and
h
(x)
(mod h ( x))
91 (x) 92 (x)
(mod h ( x))
= =
Then
(x) + p (x) h (x) 91 (x) 92 (x) + q ( x) h (x) for some p (x ) , q (x) Z [x] . Thus !1 (x) + 91 ( x) h (x ) + 92 ( x) + (p (x) + q (x)) h (x) !1 (x) 91 (x) h ( x) 92 (x) + ( h (x ) q (x) + 92 ( x) p (x) + p ( x) q ( x) h (x)) h (x) !1 (x)
=
=
h
E
=
=
so !1 ( x) + 91 (x ) !1 ( x) 91 (x )
h = h
=
(x) + 92 (x) (mod h (x)) (x) 92 (x) (mod h (x))
7. Note that f transforms the addition table + 0 1 () fJ + 1
0 0 1 () fJ + 1
1 1 0 fJ + 1 ()
0 0 1
1 1 0 /3 + 1
() fJ + 1 fJ + 1 () () 1 + () 1 0 1 0
into the addition table + 0 1
f3
f3
/3 + 1 /3 + 1
f3
f3 f3
1 + /3 0 1
/3 + 1 /3 + 1
f3 1 0
370
SOL UTIONS TO ODD PROBLEMS
and the multiplication table 0 0 0 0 0
X
0 1
()
B+1
()
B+1 0 () B+1 1 B+1 () 1 () B+1 1 0 1
0
into the multiplication table 0 0 0 0 0
X
0 1 (3 /3 + 1 so f (s + t) 9. Let r (x)
=
=
(3 0 (3 (3 + 1 ,B 1 /3 + 1
1 0 1
f (s) + f (t) and f (st) = f (s) f (t) for all s, t E GF4 .
f (x) mod x 2 + x + 1 . Then j (X)  r ( X )
for some k (x) If s (x) E
/3 + 1 0 ,6 + 1 1 (3
E
=
k (X) ( x2 + X + 1 )
GF2 [x] , and deg (r (x))
[! (x)] then
f (X)
 S
(X)
=
h (X)
<
2 or r (x)
=
0.
(x2 + X + 1)
for some h (x) E GF2 [x) . Suppose that deg (s (x)) < 2 or s (x) = 0. We have r (x)  s (x) = ( f (x)  k (x) (x2 + x + 1))  ( f (x)  h (x) = ( h ( X)  k ( X )) (x 2 + X + 1)
(x 2 + x + 1 ) )
so if ( h (x)  k (x)) =I= 0, then deg (r ( X)
 S
(X))
=
deg ( h (X)  k (X)) + 2 � 2
But this is not possible. Thus h (x)  k (x) = 0, implying that r (x)
=
s (x) .
371
PROBLEMS 9.4
Problems 9.4 1. Note that
( ri + 1)UP + B) = B6 · B4 = B 1 0
= B7 . B3 = 1 . B3 = B + 1
3.
Note that E E= ·
(1110) (1110) ·
= (B3 + B2 + B) . (B3 + B2 + B) = B6 + 2B5 + 3B4 + 2B3 + B2 mod 2 = ( B6 + B4 + B2 mod B4 + B + 1) mod 2 = B3 + B + 1 = (1011) = B
and 8·A=
(1000) (1010) ·
= B3 · (B3 + B) = (B6 + B4 mod B4 + B + 1) mod 2 = B3 + B2 + B + 1 = (1111) = F 5. These polynomials are irreducible over GF2 : x 5 + x4 + x3 + x + 1 x 5 + x4 + x3 + x 2 + 1 x 5 + x3 + 1 x 5 + x4 + x 2 + x + 1 x 5 + x3 + x 2 + x + 1 x5 + x2 + 1 7. Note that in GF2 , x5 + x + 1 mod 2 = (x3 + x2 + 1) (x2 + x + 1) 9. The given polynomials are irreducible because they have no roots in GF2 . That is,
(x3 + x2 + 1 ] x=O = 1 (x3 + x2 + 1 J x= 1 = 1 [x3 + x + 1 J x =o = 1 [x3 + X + 1 ] x = l = 1
372
SOLUTIONS TO ODD PROBLEMS
modulo 2. Here is a complete list of the remaining polynomials of degree 3 together with an evaluation that shows that each polynomial has a root: [x3 ] x =O = 0 [x3 + 1] x = 1 = 0 [x3 + xJ x = o = 0 [x3 + x2 ] x =O = 0 [x3 + x2 + x] x =O = 0 [x3 + x 2 + x + 1J x = 1 = 0 This exhausts all eight possible polynomials of degree 3. Problems 9.5 1. The polynomials x2 + 4x + 1 x2 + x + 1 x2 + 2 x2 + 2x + 3
x2 + x + 2 x2 + 3x + 4 x 2 + 2x + 4
x 2 + 4x + 2 x2 + 3x + 3 x2 + 3
are all irreducible. 3. Let k be the least positive integer such that ak = 1 and assume that an = 1. Write n = kx + b, where 0 :::; b < k. Then an 1 = a kx+b = ( ak t ab = 1 ab implies ab = 1 . Since k is the least positive integer with this property, it follows that b = 0, and hence k I n. If k f= n, then k I !l p for some prime divisor p of n. Thus anfp = (ak r = 1 . =
·
5. The three polynomials are irreducible because [x2 + 1] 0 mod 3 = 1 [x2 + 1] 1 mod 3 = 2 [x2 + 1] 2 mod 3 2 =
[x2 + x + 2] 0 mod 3 = 2 [x 2 + x + 2] 1 mod 3 = 1 [x2 + x + 2L mod 3 2 =
[x 2 + 2x + 2] 0 mod 3 = 2 [x2 + 2x + 2] 1 mod 3 = 2 [x2 + 2x + 2] 2 mod 3 = 1
shows that none of the polynomials has a root in GF3 . 7. Let 0 be a root of x3 + 2x2 + x + 1 in GF27 . The order of 0 divides 26 and hence is 2, 13, or 26. Note that (0 26 mod 03 + 202 + e + 1) mod 3 = 1 (0 1 3 mod 03 + 202 + 0 + 1) mod 3 = 2 (02 mod 03 + 202 + 0 + 1) mod 3 = 02 and hence 0 is an element of order 26.
PROBLEMS 9. 5 9.
373
Note that x 27  x mod 3 = x ( x + 1) ( x + 2) (x3 + 2x2 + x + 1) (x3 + x2 + 2) (x3 + 2x + 1) (x3 + 2x + 2) (x3 + 2x2 + 2x + 2) ( x3 + 2x 2 + 1) ( x3 + x2 + 2x + 1) (x3 + x2 + x + 2) .
is the product of all monic irreducible polynomials of degrees 1 and 3 in GF3 [x] . 11. Consider the field GF9 . Expand Product mod x2 + 1 mod 3 Power x + 1 x+1 x+1 x + 1 y 2 2 x + 2x + 1 2x 2x (x + 1) (x + 1) y 3 2 2x 2 2x + 2x 2x +1 (x + 1) 2x y 4 2 1 + 3x (x + 1) (2x + 1) 2x + 3x + 1 2 y 2x + 2 2x + 2 2x + 2 (x + 1) 2 y5 2 6 2x + 4x + 2 4x (x + 1) (2x + 2) X y 1 2 x 1 x + x x + 2 (x + 1) x y 8 2 x + 3x + 2 1 1 + 3x (x + 1) (x + 2) y a.
X 00 01 02 10 11 12 00 00 00 00 00 00 00 01 00 01 02 10 11 12 02 00 02 01 20 22 21 10 00 10 20 02 12 22 11 00 1 1 22 12 20 01 12 00 12 21 22 01 10 20 00 20 10 01 21 11 21 00 21 12 11 02 20 22 00 22 11 21 10 02 See the disc for the addition table.
b.
c.
+ 0 1 2 3 4 5 6 7 8
0 0 1 2 3 4 5 6 7 8
1 1 2 0 4 5 3 7 8 6
2 2 0 1 5 3 4 8 6 7
3 3 4 5 6 7 8 0 1 2
4 4 5 3 7 8 6 1 2 0
5 5 3 4 8 6 7 2 0 1
6 6 7 8 0 1 2 3 4 5
7 7 8 6 1 2 0 4 5 3
8 8 6 7 2 0 1 5 3 4
X
0 1 2 3 4 5 6 7 8
0 0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7 8
20 00 20 10 01 21 11 02 22 12
21 00 21 12 11 02 20 22 10 01
22 00 22 11 21 10 02 12 01 20
2 0 2 1 6 8 7 3 5 4
3 0 3 6 2 5 8 1 4 7
4 0 4 8 5 6 1 7 2 3
5 0 5 7 8 1 3 4 6 2
6 0 6 3 1 7 4 2 8 5
7 0 7 5 4 2 6 8 3 1
8 0 8 4 7 3 2 5 1 6
374
SOLUTIONS TO ODJJ PROBLEMS
Problems 9.6
1. The divisors of 12 are 1 , 2, 3, 4, 6, and 12. The following table shows that there are exactly cp (d) elements of order d for each divisor d. Order 1 2 3 4 6 12
cp
1 1 2 2 2 4
( Order)
Elements 1 12 3,9 5,8 4,10 . 2,6,7,11
3. In any group, an am = an +m for any integers n and m. In particular, a0an = a0+n = an = an+ O = an ao so a0 = 1, the identity. The inverse of an is a n because an a n = an  n = a0 = 1. The product of two elements of (a) is in (a) because an am = an+m E (a) . Thus (a) is a subgroup. 5. Let a, b E G. (a) Assume an = 1 and let n = k o (a) + r, where 0 � r < o (a). Then 1 = an = ak ·o (a) + r = (ao(a) ) k ar = ar implies r = 0 [since o (a) is the smallest positive integer i such that ai = 1] , so that o (a) I n. (b) Since ab = ba it follows that an bn = (abt for every integer n. Let o (a) = s and o (b) = t . Note that (ab) st = a8tbst = (a8) t W ) 8 = 1 implies o (ab) I st. If (abt = 1 , then an bn = 1 implies an = b n and hence 1 = (a8t = (an r = (b n ) s = b ns and hence t I ns, but s l_ t implies t I n. Similarly, s I n. Thus st I n. In particular, if n = o ( ab), then st I o (ab) . Hence st = (ab). ·
o
7.
Suppose m  1 = nt. Then xm 1  1 = xnt  1 is equal to xn  1 times the polynomial xn ( t 1) + xn (t  2) + xn (t 2) + . . . + xn + 1 .
9. The divisors of 3 0 are 1 , 2, 3, 5, 6, 10, 1 5 , and 30. The following table shows that there are exactly cp (d) elements of order d for each divisor d. Order 1 2 4 8 16
cp
1 1 2 4 8
(Order)
Elements 1 16 4,13 2,8,9,15 3,5,6,7,10,11,12,14
PROBLEMS 9. 7
375
Problems 9.7 1. Since factor (997) 997 it follows that 997 is the largest threedigit prime. Note that factor (996) 2 2 3 x 83. Since 525996 1 2 mod 997 996 525 99 6 13 mod 997 304 525996 1 83 mod 997 701 =
=
=
=
=
it follows that 525 is primitive. The first 10 terms of the pseudorandom number sequence are given by 789 525 mod 997 470 470 525 mod 997 491 491 525 mod 997 549 549 525 mod 997 92 92 · 525 mod 997 = 444 444 525 mod 997 799 799 525 mod 997 = 735 735 525 mod 997 36 36 525 mod 997 = 954 954 525 mod 997 356 ·
=
·
=
·
=
·
=
·
=
·
·
=
·
·
=
3. There are
primitive elements in GF999 999 999 989 · Thus over 45% of the numbers less than 999 999 999 989 are primitive. Hence the average gap between primitive elements is just over 1 . 5. The expected number of unbroken squares (see Problem 4 ) is 16 5. 697 186 087 16
(��)
�
7. Use something like randomize set trials = 1000000 for i from 1 to trials do if rnd � 2 + rnd � 2 + rnd � 2 < 1 then set n end for print 8 * n/trials end
=
n+1
376
SOLUTIONS TO ODD PROBLEMS
With 1000000 trials, this algorithm produced 4.192168 compared with the exact value 47r/3 4. 188 790 205. �
9. Use something like randomize set trials = 1000000 for i from 1 to trials do set n = abs(rnd  rnd) end for print n/trials end
With 10000b0 trials, the algorithm produced an approximate length of 0.3335 381 . The expected length can be represented by the integral 1 2 X (1  X ) dx =
1
�
where x is the expected length and 2 (1  x) is the probability density function on the unit interval. It can also be represented by the double integral 1 1 lx  Yl dx dy =
11
�
where x and y are the endpoints and f (x, y) = 1 is the probability density function on the unit square. 1 1 . Results of an experiment with 1000000 trials repeated 10 times: 0.10005552 0.10020009 0.10016799 0.09977582 0. 10080621 0.09980621 0.10029138 0.09948852 0.09980552 0.10004283 The expected area is given by the integral 1 3 x2 (1  x) 2 dx =
1
:o
where x 2 is the area of a square of side x and 3 (1  x) 2 is the probability density function. Note that the vertex in the lower left corner of a square must be chosen from a square of edge 1  x.
Chapter 10
ErrorCorrecting Codes
Problems 10. 1 1 . If x3 + x + 1 were reducible over GF2 , then it would have a root in GFz = {0, 1} because the degree of x3 + x + 1 is 3. However, 03 + 0 + 1 mod 2 = 1
377
PROBLEMS 1 0. 1
and 13 + 1 + 1 mod 2 = 1, so x3 +x+ 1 has no roots in GF2 . Thus x3 +x+ 1 is irreducible over GF2 .
3 . If 8 is a root of x3+x+1, then m 1 (x) = m2 (x) = x3+x+1, so that g (x) = x3 + x + 1. Given a plaintext polynomial a (x) a3 x3 + a2 x2 + a1 x + a0 with ai {0, 1 } , the codeword is given by a (x) g (x) mod 2 The following is a list of all polynomials of degree :::; 3 with their corre =
E
sponding codewords.
a (x ) 1 X x+1 x2 x2 + 1 x2 + x x2 + x + 1 0
a (x) g (x) mod 2 0 x3 + x + 1 x4 + x2 + x x4 + x3 + x2 + 1 x5 + x3 + x2 x5 + x2 + x + 1 x5 + x4 + x3 + x x 5 + x4 + 1
a (x ) X x3 + 1 x3 + x x3 + x + 1 x3 + x2 x3 + x2 + 1 x3 + x2 + x x3 + x2 + x + 1
x +x +x x 6 + x4 + x + 1 xB + x3 + x2 + x x6 + x2 + 1 xB + x5 + x4 + x2 xB + x5 + x4 + x3 +x2 + x + 1 x6 + x5 + x xB + x5 + x3 + 1
Observe that the sum of any two distinct codewords is another codeword since
a (X) g (X) + b (X) g (X) mod 2 ( a (X) + b (X)) 9 (X) mod 2 and the degree of a ( x ) + b (x ) :::; 3. Since all nonzero codewords have at least three nonzero terms, it follows that the minimum distance between codewords is 3. 5. If 8 + 1 is a root of an irreducible polynomial m ( x ) , then ( 8 + 1 ) 3 mod 3 = 1 + 38 + 382 + 83 mod 3 = 1 + 83 must also be a root of m (x ) . Since 8 + 1 must be a root of a polynomial of degree :::; 2, it follows that the minimal polynomial of 8 + 1 must be (x  ( 8 + 1)) (x  (83 + 1)) mod a2 + 1 = x2  2x  83 x + 1 + 83  8x + 8 + 84 mod 82 + 1 = x2  2x + 2 mod 3 = x2 + x + 2 =
As a check, note that
( (8 + 1 ) 2 + (8 + 1 ) + 2 mod 82 + 1 ) mod 3 = 0 so 8 + 1 is indeed a root of x2 + x + 2.
378
SOLUTIONS TO ODD PROBLEMS
7. If 03 + 02 is a root of a polynomial over GF2 , then so are (03 + 02 ) 2 , (03 + 0 2 ) 4 , and (03 + 02 t The minimal polynomial of u = 03 + 02 is ((x  u) (x  u2 ) (x  u4 ) (x  u8 ) mod 04 + 03 + 1) mod 2 = x4 + x + 1
9. If u = 04 + 20 is a root of a polynomial m (x) , then so are u3 , u9 , u27 , and u8 1 • The minimal polynomial is ((x  u) (x  u3 ) (x  u9 ) (x  u27 ) (x  u8 1 ) mod v) mod 3 = x 5 + 2x4 + 2x 3 + 2
where v = 05 + 03 + 0 + 1 . 1 1 . The minimal polynomial is
13. Substituting b for b in the equation (a + b)P = aP + bP gives (a  bt = aP + (  l)P bP. If p is odd, then (It =  1 , so this is just aP  bP. If p is even, then p = 2 so c = c for any c because 2c = 0. 15. A polynomial code encodes the polynomial p (x) by the codeword g (x) p ( x). This code encodes the polynomial p ( x) by the codeword ( 1 + x + x2 ) p (x 3 ) , which does not have the right form. Suppose the plaintext word is so the polynomial p ( x) is ao + a 1 x + a2 x 2 + a3 x 3 + a4 x 4 . Then p (x3 ) is ao + a 1 x 3 + a2 x6 + a3 x 9 + a4 x 1 2 and (1 + x + x2 ) p (x3 ) is ao + aox + aox2 + a 1 x 3 + a 1 x4 + a 1 x5 +
·
·
·
Problems 10.2 1 . Since long division produces
1  2x2  x x 5 + x4 + x 3 + 1 = x2 + x + x3 + x + 1 x3 + x + 1 where the remainder 1  2x2  x mod 2 = x + 1 is not zero, we assume a single error. Thus c (x) + x k = x 5 + x4 + x3 + 1 , where c (O) = 0, so evaluation produces ok = (o 5 + 04 + 03 + 1 mod 03 + 0 + 1) mod 2 = 1  20 2  0 mod 2 = 0 + 1 = 0 3
PROBLEMS 1 0.2
and hence
379
k = 3.
Thus c (x) = x5 + x4 + 1 and long division produces
where the remainder 2  2x2 mod 2 x  1 mod 2 = x2 + x + 1.
=
0 and hence the plaintext is x 2 +
3. We have x2 + x + 2 = ( ( x  t P ) ( x  B 6 ) mod B 2 + B + 2) mod 3 = x 2 + 1
m 1 (x) m2 (x)
=
and hence g
(x)
( x 2 + x + 2) ( x 2 + 1) mod 3 = x4 + 3x 2 + x3 + x + 2 mod 3 =
=
x4 + x 3 + x + 2
5. The order of B must divide 31, so (B) = 1 or (B) o
o
=
31. Since
(B mod B5 + B2 + 1) mod 2 = B f:. 1 it follows that (B) o
=
31 and hence q (x) is a primitive polynomial.
7. The plaintext is x 1 9 + x 1 0 + x + 1. (See disc for solution details.) 9. Note that (x  B) (x  B3 ) (x  B 9 ) = ((x  B) (x  B 3 ) (x  B9 ) mod q (B)) mod 3 = x 3 + 2x + 1 m2 (x) = (x  B2 ) (x  B6 ) (x  B 1 8 ) = ( (x  B 2 ) (x  B 6 ) (x  B 1 8 ) mod q (B)) mod 3 = x3 + x 2 + x + 2 m 1 (x)
=
so
p (x) = m 1 (x) m2 (x)
(x3 + 2x + 1) ( x3 + x2 + x + 2) mod 3 = x 6 + x 5 + 2x 3 + 2x + 2 =
Plaintext polynomials in GF3 [x] can be of degree at most 33  6  2 = 19.
380
SOLUTIONS TO ODD PROBLEMS
1 1 . From problem 6, m 1 (x) = x3 + 2x + 1 and m2 (x) = x3 + x2 + x + 2. Since m3 (x) = m 1 (x) (why? ) , we need only find
m4 (x) = (x  84 ) (x  8 1 2 ) (x  836 ) = (x  84 ) (x  8 1 2 ) (x  8 1 0 8 26 ) = ( (x  0 4 ) (x  0 1 2 ) (x  0 1 0 ) mod q ( 0 ) ) mod 3 = x3 + x2 + 2
Hence g
(x) = [m 1 (x) , m2 (x) , m3 (x) , m4 (x)] = m 1 (x) m2 (x) m4 (x) = (x3 + 2x + 1) (x3 + x 2 + x + 2) (x3 + x2 + 2) mod 3 7 = x 9 + 2x8 + x + x 6 + x 5 + 2x4 + 2x 3 + 2x 2 + x + 1
Plaintext polynomials in GF3 [x] can be of degree at most 3 3  9  2 = 16. Problems 10.3
1. Let 8 be a root of x4 + x + 1 . Note that ( 0 3 mod q ( 8) ) mod 2 = 0 3 (0 5 mod q ( 8 ) ) mod 2 = 8 + 82 ( 8 1 5 mod q ( 8 ) ) mod 2 = 1 and hence 0 is primitive.
3. Note that 2 8 mod 17 = 1 and hence 2 has order at most 8. Since 3 8 mod 17 = 16, it follows that 3 has order 16 because the only prime dividing 17  1 = 16 = 24 is 2. 5. Note that 2 1 28 mod 257 = 1 and hence 2 has order at most 128. Note that 3 1 28 mod 257 = 256. Since 2 is the only prime dividing 257  1 = 256 = 2 8 , it follows that 3 is primitive.
7. Let q ( x) = x8 + x4 + x3 + x2 + 1 and let 8 be a root in some extension field. We show that q (x) is primitive by showing that ( 8 ) = 255 = 3 x 5 x 17. This is established by the following: o
8255 mod q (8 ) 025513 mod q (8 ) 0255/5 mod q ( 8) 0255/ 1 7 mod q (8 )
=
1 o7 + o6 + o4 + o2 + o ¥= 1 03 + 0 # 1
PROBLEMS 1 1 .2
381
Chapter 11
Advanced Encryption Standard
Problems 1 1 . 1 1.
Let Ui E {0, 1} and define f (uo, u 1 , u� , u3 ) = (uo + u 1 , uo , u 1 + u2 , u2 + u3 ) . Given an 8bit word, let L denote the left 4 bits and R the right 4 bits. Define F (L , R) = (R, L + f (R)) The first iterations of F applied to (1 1 1 1 1 111) is given by 0 0 0 0 1 0 0 0
0 0 0 0 0 1 0 0
0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 1
1 0 0 0 1 1 0 0
0 1 0 0 1 0 1 0
0 0 1 0 0 0 1 1
0 0 0 1 0 0 0 1
1 1 1 1 1 1 1 1
mod 2 =
1 1 1 1 1 0 1 1
whereas the first iteration applied to (11101 1 1 1 ) yields 0 0 0 0 1 0 0 0
0 0 0 0 0 1 0 0
0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 1
1 0 0 0 1 1 0 0
0 1 0 0 1 0 1 0
0 0 1 0 0 0 1 1
0 0 0 1 0 0 0 1
1 1 1 0 1 1 1 1
mod 2 =
1 1 1 1 1 0 1 0
See the disc for the complete solution. 3. The inverse of the function F (L, R) = (R, L + f (R)) is G (L, R) = (R + f (L) , L) since G (F ( L , R)) = G (R, L + f (R)) = ( L + f (R) + F (R) , R) = (L, R) 5. The Hamming distance between the two vectors (0, 1 , 1 , 0, 0, 1 , 0, 0) and (1, 1 , 0, 1 , 0, 1 , 1 , 1) is 5. Problems 1 1 . 2 1. The product is ( ( 06 + 03 + 0) (07 + 02 + 1 ) mod 08 + 04 + 03 + 0 + 1 ) mod 2 = 06 + 0 + 1
SOLUTIONS TO ODD PROBLEMS
382
3. One solution is x8 + x4 + x3 + x2 + 1. 5. The answer is X = 87 + e + 1 and y = 8 7 + 86 + 8 5 + 8 2 + e. See the disc for details of the solution.
See the disc for details of the solution. Problems 1 1 . 3 1 . Direct evaluation shows the product of these two matrices modulo 2 is the identity matrix. See the disc for details. 3. The inverse of 84 + B is ( 84 + B) 254 mod e 8 + 04 + 83 + e + 1 mod 2 = 87 + 8 5 + 83 + e
(
)
=
(10101010)
Apply the affine transformation 1 1 0 1 0 0 0 1 1 1 1 I · 1 0 1 1 0 0 0 1 1 1 0 0 0 1 1 1 0 0 0 1 1 1 + 0 mod 2 = 1 1 1 1 1 0 0 0 1 0 0 0 1 1 1 1 1 0 0 0 1 1 0 0 1 1 1 1 1 0 0 1 1 0 0 0 1 1 1 1 1 0 1 1 0 0 0 0 1 1 1 1 1 Thus the byte (00010010) gets replaced by (1 1001001 ). 5. Apply the transformation ' e e2 o B+1 1 e B+l e 2 e4 86 mod 88 + 84 + 83 + 8 + 1 8 1 8 3 8 6 89 1 1 84 es 8 12 86 + 83 +82 + 1 8 6 + 85 + 8 + 1 84 2 o 7 3 6 6 4 0 + 8 +8 5 + 8 + 8 +8 +8+ 1 0 +8 5 + 84 +83 + 1 2 8 7 +85 +84 +03 + 1 87 +86 +8 05 +8 +0 0 5 +8+ 1 86 +85 +8 3 +8 8 5 +03 +8
U� (;
Ol!) (;
)
)
�
7. Let {3 be a primitive element of GFpn· Then u = {3k for some k. Thus
383
PROBLEMS 12. 1
Chapter 12 Polynomial Algorithms and Fast Fourier 'Transforms Problems 1 2 . 1 1 . The content and primitive polynomials are 1 1 ( ) 2x 2  3 x = 3 ( 6x 2  1) 2 4 6 ( b) 15 x3  7 x2 + 10 = 105 (14x3  45x2 + 525) 1 1 1 ( ) 3 x + 2' = 6 (2x + 3 ) (d) 14x2  21x + 35 = 7 (2x2  3x + 5) a
c
3. The interpolating polynomial is X  X 1 + X  Xo p (x) = Yo y1 X 1  Xo� Xo  X 1 X  X1 X  Xo + Y1 = Yo  Yo + Yo Xo  X 1 X 1  Xo�  o = Yo + Yl Y (x  xo) X 1  Xo 5. Let p (x) = a + bx + cx2 + dx3 . The solution to the system of equations p (2) = 7, p (4) = 10, p (7) = 23, p (ll) = 5
is
7597 896 } { d =  31564 ' c = 2021 ,a= ,b= 630 630 45
7. The polynomial is 41 4 5 3 165 35 p (x) = B x  x  B x2 + x + 8 12 12 See the disc for details of the solution. 9. Substituting rn for x yields
If i =/= n, then for j = n it foUows that �:=�; = 0, so TI#i �:=:;; = 0. Thus r r p (rn ) = dn II n j = dn #i rn  r · 3
384
SOLUTIONS TO ODD PROBLEMS
Problems 1 2 . 2 1. If the polynomial f(x) = x4 + x2 + 1 factors, then one of the factors must have degree at most two. Three evaluation points are required to determine a polynomial of degree 2. Evaluate f (x) at : 1 , 0, and 1 to get
/ (1) = 3, f (O) = 1 , / (1) = 3 The possible function values for a polynomial of degree at most 2 that divides f (x) are given by Do = {±1, ±3} , D 1 = {±1} , D2 = {±1, ±3}
Since f (x) 2: . 1 for all x, it suffices to choose from among positive values. The choices do = 1 , d1 = 1 , d2 = 1 yield the polynomial (1)
(x + 1) (x  0) (x 1) (x  1) (x  O) (x  1) + (1) =1 + (1) + (0 + 1) (0  1) (1 + 1) (1  0) (1  0) (1  1)
which is a trivial factor. The choices do = 3, d1 = 1 , d2 = 3
yield the polynomial (x  O) (x  1) (x + 1) (x  1) (x + 1) (x  0) + (3) + (1) = 2x2 + 1 ,.(1  0) (1  1) (1 + 1) (1  0) (0 + 1) (0 1) and this is not a factor of x4 + x2 + 1 ( since the leading term would necessarily divide 1). The choices (3)
do = 3, d1 = 1 , d2 = 1
yield the polynomial (x  O) (x  1) (x + 1) (x  0) (x 1) (x  1) = x2 _ x + 1 + (1) + + (1) (0 + 1) (0  1) (1 + 1) (1  0) (1  0) (1  1) and the choices do = 1, d1 = 1 , d2 = 3 yield the polynomial (3)
(x  O) (x  1) (x + 1) (x  1) (x + 1) (x  0) x2 +x+1 + (3) + (1) (0 + 1) (0  1) (1  0) (1  1) (1 + 1) (1  0) A quick check shows that indeed (1)
_
PROBLEMS 1 2.2
385
3. If f (x) = 2x6 + 2x5 + 3x4 + 3x3 + 3x2 + x + 1 factors, then it must have a factor of degree at most 3. This requires four evaluation points. In order to minimize the number of guesses, we choose the evaluation points 3,  1 , 0, and 1 to get f (3) = 1 159 = 19 X 61 f ( 1) = 3 f (0) = 1 f (1) = 15 = 3 X 5 Note that f ( 2 ) = 99 = 3 2 11 and f ( 2 ) = 279 = 32 31 have more divisors to test. Hence Do = {±1, ±19, ±61, ±1 159} D1 = {±1, ±3} D2 = {±1} D3 = {±1, ±3, ±5, ±15} The lucky guesses do = 19, d1 = 3, d2 = 1 , d2 = 3 yield the polynomial (x + 3) (x  O) (x  1) (x + 1) (x  0) (x  1) + (3) (19) (3 + 1) (3  0) (3  1) (  1 + 3) (1  0) ( 1  1) (x + 3) (x + 1) {x  1) {x + 3) {x + 1) (x  O) = 2X 2 + 1 + (1) + (3) (1 + 3) (1 + 1) (1  0) (0 + 3) (0 + 1) (0  1) and long division produces ���1 = x4 + x3 + x2 + x + 1, so
2 f (x) = (2x2 + 1 ) (x4 + x3 + x 2 + x + 1 )
5. If x4 + 2x + 2 factors in Z [x) , then it would also factor in GF3 [x] . Let 0 be a root of x4 + 2x + 2 in some Galois field containing GF3 . The order of 0 is 80 since (080 mod 04 + 20 + 2) mod 3 = 1 (080/2 mod 04 + 20 + 2) mod 3 = 2
7.
(o801 5 mod 04 + 20 + 2) mod 3 = 03 + 20 + 2 Thus x4 + 2x + 2 is irreducible in GF3 [x) and hence irreducible in Z [x) . The only possible rational roots are ±1 and ±2. Since f ( 2 ) = 0, it follows that x + 2 is a factor. Knowing that, it is easy to see that x4 + x 3 + x 2 + x + 1 is the other factor, irreducible by problem 4.
386
SOLUTIONS TO ODD PROBLEMS
9. There are no linear factors because the only possible rational roots are ±1, and f (1) = 1 and f (1) = 1 . If f (x) factors, then it must have an irreducible factor of degree 2. Assume that g (x) = ax2 + bx + c is such a factor. Since f (1) = 1, f (O) = 1, and f (1) = 1 , it follows that g (1) E {1, 1}, g (O) E {1, 1 }, and g (1) E {1, 1}. This yields the 8 possible factors g (x) = 1 g (x) = x2  x + 1 g (x) = 2x 2  1 g (x) = x2 + x + 1 g (x) = x2 + x  1 g (x) = 2x2 + 1 g (x) = x2  x  1 g (x) =  1 Trial division by the six polynomials of degree 2 shows that none is a factor, and .hence f must be irreducible. Problems 12.3 1 . We have
(x  xo) Yl  (x  x 1 ) Yo X l  Xo + X= Yo  Yo + Y1 Y 1 Xo YoX YoX 1 X 1  Xo  Yo Y l = Yo + (x  xo) X 1  Xo
q (1, 1) =
:_ __::_:=. :..:.. _ :.... ::=_.:..:_:__...:
3. Note that (x  (2)) (5)  (x  ( 1)) (3) = _8X _ 13 1  (2) (x  ( 1)) (1)  (x  1) (5) q (2, 1) = = 3x  2 1  (1) (x  1) (1)  (x  2) (1) =1 q (3 ' 1) = 2  (1) (x  ( 2)) (3x  2)  (x  1) ( 8x  13) q (2, 2) = 1  (2) 17 = .!.!. x 2 + 3x 3 3 (x  ( 1)) (1)  (x  2) (3x  2) q (3, 2) = 2  (1) 2 = 3x  1  x _ (x  ( 2)) (3x  1  x2 )  (x  2) ( �1 x2 + 3x  1J ) q (3, 3) 2  ( 2) 4 2 25 7 3 10 = x +  x  x  6 3 6 3 The graphs are as follows: q (1 ' 1) =
PROBLEMS 1 2.4
387 4
_ . ·
' / ':, · , '  6 ·1 I I 8
.  ·
p (2) = 3, p (1) = 5, p (1)
=
1 , p ( 2) = 1
5. We have q
( 1, 1)
=
q
( 2, 1)
=
p (X )
=
� = bx  1) 2 (x  1) � = ix  2) 3 ( x  0)
=
=
x+2 2x + 1
(x  0) ( 2x + 1)  (x  2) ( x + 2) 20
=
4X2 + 4x + 2
Problems 12.4
1. Let f (x) = a + bx + cx2 + dx3 and g (x) = A + Bx + Cx2 + Dx3 and solve the systems f (0) = 0 f (1) = 2 f (2) = 4 f (3) = 1 to get
The graphs
g (0) = 5 and g ( 1) = 2 g (2) = 4 g (3) = 1
388
SOLUTIONS TO ODD PROBLEMS
·I
may be distinguished by their yintercepts. 3. Let p (1) , p (2) , . . . , p (n  1) have fixed values and take Po to be randomly chosen. Neville's iterated interpolation algorithm generates a unique poly nomial q (x) with values q (0) = Po q (1) = p (1) q (n  1) = p (n  1)
Thus the possible values of p (0) have not been limited at all.
Problems 12.5
1 . Let f (x) = 3 (x + 1) (x  2) (x  5). (a) Since f (x) = 3x3  18x2 + 9x + 30, its coefficients are 3,  18, 9, and 30. (b) The function values at x = 0, 1 , 2, 3 are f (0) = 1, f (1) = 15, f (2) = 279, f (3) = 2299. (c) The values at x = i, i2 , i3 , i4 are f (i) =  1 , f (i2 ) = 3, f (i3 ) = 1, f (i4 ) = 15. (d) Its leading coefficient is 3. It is zero at x =  1, 2, and 5.
PROBLEMS 1 2. 5
389
3. The table is Yo Y1 Y2 Y3 Y4 Ys Y6 Y7 This is correct because 5. We have
0 0 0 0 1 0 0 0 1
=
Step 1 0 0 0 0 1 1 0 0 w4 , w
Step 2 Step 3 1 0 0 w w:& 0 w::s 0 1 1 1 w 1 w :& 1 w::s w5 , w2 w 6 , and w 3
=
=
=
w7 .
Permute
3 5 4 1 6 0 0 8
xo 3 X1 6 X2 4 X3 = 0 X4 5 xs 0 X6 1 X7 8 =
=
=
= =
=
=
Permutation phase
and 3 5 4 1 6 0 0 8
X X X X
Combine
Combine
Combine
8 15 5 3 6 6 8 9
i i
10 9 12 1 16 11 11 5
13 10 3 3 14 8 15 4
Combination phase
See the disc for details of the arithmetic. As a check, direct calculation shows that f 22 12 f 2 3 = 1 / (1) 10 f (2) 9 6 4 1 1 f 27 5 f ( 2 ) 16 f ( 25 ) 11 f 2 =
=
=
=
��
=
=
�j
=
390
SOLUTIONS TO ODD PROBLEMS
7. The ijentry of the product is k=O n1
k=O =
L (w i1i+ 1 wi 1 (i1 ) k
k=O n1 i ) k = L (wi k=O
because C
From w n
=
w 1 . If i
=
j, this is n1 k L (wo ) k=O
=
=
n1 L lk k=O
=
n.
1 we get (wi j t
=
(wn ) i  j
=
li j
=
1.
If i =f. j, then w•J =f. 1 because w is a primitive nth root of 1 . But wij is a root of the polynomial !  xn = (1  x) (1 + x + x 2 + . + xn1 ) , so wi j is a root of 1 + x + x2 + + xn1 . Thus when i =f. j , .
·
·
·
·
n1
L (wi i ) k = 0 k=O
9. Recall that if two rows in a matrix are equal, then the determinant of the matrix is zero. Our idea is to show that the polynomial
f (x)
=
det
1 ao a5 1 a 1 a� 1 a2 a�
1 ano n1 a1 an1 2
x2
xn1
1
X
is equal to the polynomial
Then f (an d = g (an d , which is the desired result. Suppose two of ao , a 1 , . . . , an2 are equal. Then clearly g is the zero poly nomial. But f is also the zero polynomial because two of the rows in the defining determinant are equal. So we may assume that ao , a 1 , . . . , an2
391
PROBLEMS 12. 6
are all different. Both f and g are of degree n  1. The leading coefficient of f is equal to the determinant of the matrix obtained by removing the last row and column from the matrix whose determinant is f. By induc tion, this determinant is equal to IJ ( a i  aj ), which is the leading
n  1 >i>j
coefficient of g. Clearly g (aj ) = 0 for j = 0, 1 , . . , n  2, and f (aj ) = 0 for j = 0, 1 , . . . , n  2 because f ( aj ) is the determinant of a matrix with two equal rows. So f and g have the same leading coefficient and the same zeros. Thus they are equal. .
1 1 . The lefthand side is equal to
which is e 5

2e4 + 2e2  e. The righthand side is equal to
e (e  1) 2 (e2  1 )
= =
(e3  2e2 + e) (e2  1 ) e 5  2e4 + e3  e3 + 2e2  e e5  2e4 + 2e2  e
Notice that the equation holds for any e whatsoever, and for any field. But we knew that.
Problems 12.6
1. To find such a prime, look at the numbers 25k + 1 for k = 1, 2, 3, . . . and hope you find a prime quickly. To go from k to k + 1 you simply add 32 to the number you had before. So, starting with k = 1 , which gives 33 (not a prime ) , successively adding 32 gives 65 (not a prime) , then 97, bingo! Thus 97 253 + 1 is a prime. That was easy. The next part is a little trickier. As 96 = 32 3, we get ( a3 ) 32 mod 97 = 1 so we can look for cubes b such that b1 6 mod 97 # 1 . Computing, 8 1 6 mod 97 = 1, 27 1 6 mod 97 = 1, 125 1 6 mod 97 = 96 Bingo! So 125 = 2 8 (mod 97) is an element of order 32. =
·
3. Note that 3 128 mod 257 = 256 and 3 25 6 mod 257 order 256.
=
1 implies that 3 has
5. Use a computer algebra system to verify that p = 1 + 2 30 . 37 . 5 8 . 73 . 1 1 2 .
392
SOLUTIONS TO ODD PROBLEMS
13 172 19 23 is a prime. Let q = p  1 and observe that ·
·
·
29q/2 mod p = 62 504 431 582 015 232 409 600 000 000 29q/ 3 modp = 39 510 906 027 632 123 741 196 378 894 29q /5 mod p = 20 739 905 493 567 049 891 681 480 849 29q/ 7 mod p = 46 525 541 236 811 572 209 996 095 299 29q/ ll mod p = 25 821 169 224 421 318 975 300 997 529 29q/ 1 3 mod p = 9966 500 034 696 371 632 146 125 001 29q/ 1 7 mod p = 27 534 573 559 640 223 122 138 911 033 29q/ 1 9 modp = 2797 174 485 912 474 274 185 207 652 29q/ 23 modp = 57 885 642 771 173 560 912 474 071 472 and hence 29 is a primitive element of GFP ' Let n
= qj 2 30 = 58 211 788 145 839 453 125
Then
29n mod p = 58 183 380 006 354 634 332 026 032 462 is an element of order 2 30 . To verify this, note that 58 183 380 006 354 634 332 026 032 462230 mod p 1 58 183 380 006 354 634 332 026 032 4622 29 mod p =  1 =
7 . To show that the order of w is 242 = 2 x 11 2 , it is sufficient to evaluate w 24 2 mod w 5 + 2w + 1 = 1 w 24212 mod w 5 + 2w + 1 w 242111 mod w5 + 2w + 1 We have w  1 = w 24 1 mod w5 + 2w + 1 = 2w4 + 1 . As a check, note that w ( 2w4 + 1) mod w5 + 2w + 1 = 1 . The minimal polynomial of w  1 is
(
)(
)(
)
(x  (2w4 + 1)) x  ( 2w4 + 1) 3 x  ( 2w4 + 1 ) 9 x  ( 2w4 + 1) 27 . x  ( 2w4 + 1) 81 mod w5  w + 1 = x5 + 2x4 + 1
(
)
9. The polynomial f has a + 1 coefficients and the polynomial g has b + 1 coefficients. Each of the coefficients of f must be multiplied by each of the coefficients of g, for a total of (a + 1) (b + 1) multiplications. Now we have to add these (a + 1) (b + 1) products to form a + b + 1 sums ( deg fg + 1). To add up m numbers and get n sums, you need m  n additions. For example, to add up 7 numbers to get 1 sum, you need 6
PROBLEMS 12.6
393
additions. To add up 8 numbers to get 2 sums you need 6 additions: for example, 1 + 2 + 3 and 4 + 5 + 6 + 7 + 8. So to add up (a + 1) (b + 1) numbers to get a + b + 1 sums, you need (a + 1) (b + 1)  (a + b + 1) = ab additions.
B ibliography [1] Adamek, Jifi.
Foundations of Coding,
[2] Akritas, Alkiviadis G. Elements of Wiley Interscience, New York, 1989 [3] Albert, A. A. Fundamental Chicago Press, Chicago, 1956
John Wiley & Sons, Inc., 1991
Computer A lgebra with Applications,
Concepts of Higher Algebra,
[4] Ax, J. "The elementary theory of finite fields," 271), 1968 [5] Barr, Thomas H. River, NJ, 2002 [6] Berlekamp, E. R.
Invitation to Cryptology,
A lgebraic Coding Theory,
University of
Annals of Math.
88 (239
Prentice Hall, Upper Saddle McGrawHill, New York, 1968
[7] Beutelspacher, A. Cryptology, The Mathematical Association of America, Washington, DC, 1994 [8] Blahut, R. E. Theory and Practice of Error Control Codes, AddisonWesley, Reading, MA, 1983 [9] Bose, R. C. "On the application of the properties of Galois fields to the construction of hyperGraecoLatin squares," Sankhya 3 (323328) , 1938 [10] Ellis, Graham.
Rings and Fields,
Oxford, 1992
[11] Galois, E. "Sur la Theorie des Nombres," 13 (428435), 1830
Bull. Sci. Math. de M. Ferussac
[12] Garrett, Paul. Making, Breaking Codes: An Prentice Hall, Upper Saddle River, NJ, 2001 [13] Garrett, Paul. The Mathematics Saddle River, NJ, 2004 [14] Hamming, R. W. Coding wood Cliffs, NJ, 1986
Introduction to Cryptology,
of Coding Theory,
Prentice Hall, Upper
and Information Theory,
Prentice Hall, Engle
395
396
BIBLIOGRAPHY
[15] Harmon, C. K. and R. Adams. Reading Between lishing, Peterborough, NH, 1989 [16] Heisler, J. "A characterization of finite fields," ( 1211 ) , 1967 [17] Herstein, I. N. MA 1975 [18] Jacobson, N. NJ, 1964
Topics in A lgebra,
the Lines,
Helmers Pub
Amer. Math Monthly
74
2nd ed., Xerox College Publ. , Lexington,
Lectures in A bstract Algebra,
D. Van Nostrand, Princeton,
[19] Lewand, Robert E. Cryptological Mathematics, The Mathematical Associ ation of America, 2000 [20] Lidl, R. and H. Niederreiter. Introduction to Finite Fields plications, Cambridge University Press, Cambridge, 1986 [21] Mao, Wenbo. Modern River, NJ, 2004 [22] Ore, Soc.
Cryptography,
Prentice Hall PTR, Upper Saddle
0. "Contributions to the theory of finite fields," 36 ( 243274) , 1934
[23] Pless, V. Introduction to the York, 1989
and Their Ap
Trans. A mer. Math.
Theory of Error Correcting Codes,
[24] Rhee, M. Y. Cryptography and Secure gapore, 1994
Communications,
Wiley, New
McGrawHill, Sin
[25] Rosen, K. H. Elementary Number Wesley, Reading, MA, 1984
Theory and Its Applications,
[26] Schneier, B.
Wiley, New York, 1994
Applied Cryptography,
Addison
[27] Trappe, Wade and Lawrence C. Washington. Introduction to Cryptography with Coding Theory, Prentice Hall, Upper Saddle River, NJ 2002
Notation
{
f x 0 � X <� 0 If Addition modulo m: a EB b = (a + b) mod m Base 2 logarithm: log2 Base 2 representation: (bn bn  l . . . b2 b 1 boh L::: �= O bi 2 i Base b representation: (an an  l . . . a2 a 1 ao )b = L::: �= O ai bi Binomial coefficient:
Absolute value:
IxI
=
.fX2 =
x
X
=
(nk)
x 1\ y Bitwise and: x Bitwise complement: Bitwise or: xVy x EB y Bitwise xor: Ceiling function: rXl Chinese remainder function: CRA ( a, m,r ) Congruence class modulo p: [a] = { . . . , a  3p, a  2p, a  p, a, a + p, a + 2p , a + 3p, . . . } Congruent modulo m: a = b (mod m ) Congruent modulo m (x) : a (x) = b (x) (mod m (x)) Cyclic subgroup generated by a: (a) Degree of polynomial p ( x ) : deg p (x) Divides: Im
n
n!
n)
397
398
NOTATION
Z = { . . . , 3, 2,  1 , 0, 1, 2, 3, . . . } Integers: a .1 b Integers a and b are relatively prime: Zn = {0, 1 , 2, . . . , n  1} Integers modulo n: Inverse modulo m: a  1 mod m Least common multiple of integers: lcm ( a, b) Least common multiple or polynomials: lcm(a (x) , b (x)) Logarithm base 2 log2
Matrix inverse modulo
m:
(� :)
l
mod m
Minimal pol:ynomial of a field element a: ma ( x) Mod function: n mod m = n  Ln /mJ m Multiplication modulo m: a ® b = ab mod m Multiplicative group of GFvn : (GFvn ) * Next prime larger than m: nextprime (m) Nonnegative integers: N = {0, 1 , 2, 3, . . . } Order of group G: (G) 1 2 3 4 5 6 7 8 Permutation as images: a = 5 8 2 6 9 4 1 3 Permutation as disjoint cycles: a = (1597) (283) ( 46) Permutation a acting on x: xu Polynomial remainder: r (x) = a ( x) mod m ( x) F[x] Polynomials over the field F: Polynomials over the Galois field of order p: GFv [x] Polynomials with integer coefficients: Z (x] Positive integers: JP> {1, 2, 3, 4, . . . } Product: a TI n Rational numbers: Q JR. Real numbers: Secure hash algorithm: SHA ( M ) Shift left: x << n Shift right: x >> n Sum: .L: an o
=
(
�)
Algorithms Algorithm 1 . 1 Algorithm 2.1 Algorithm 3.1 Algorithm 3.2 Algorithm 3.3 Algorithm 3.4 Algorithm 3.5 Algorithm 3.6 Algorithm 3. 7 Algorithm 4.1 Algorithm 5.1 Algorithm 6.1 Algorithm 7. 1 Algorithm 7.2 Algorithm 7.3 Algorithm 7.4 Algorithm 8.1 Algorithm 12.1 Algorithm 12.2 Algorithm 12.3 Algorithm 12.4 Algorithm 12.5
Binomial Coefficient Algorithm Binary representations Base b representation Euclidean algorithm Euclidean algorithm ( recursive) Extended Euclidean algorithm Extended Euclidean algorithm (matrix version ) Inverse modulo m Inverse modulo m Enigma code Hamming ( 8,4) decoding Chinese remainder algorithm Crude method Power method Sieve of Eratosthenes Miller ' s test To solve easy knapsack problem Kronecker's algorithm Neville's iterated interpolation algorithm Modified Neville ' s iterated interpolation algorithm FFT algorithm Fast Fourier interpolation
399
11 16 40 45 46 49 50 58 59 97 125 134 155 156 163 166 192 283 286 291 296 301
Figures Figure 1 . 1 Figure 2.1 Figure 2.2 Figure 2.3 Figure 2.4 Figure 2.5 Figure 2.6 Figure 4.1 Figure 5.1 Figure 5.2 Figure 5.3 Figure 5.4 Figure 5.5 Figure 5.6 Figure 5.7 Figure 5.8 Figure 5.9 Figure 7. 1 Figure 9.1 Figure 10. 1 Figure 10.2 Figure 10.3 Figure 10.4 Figure 12.1
Falling dominos Twooutoffive paper tape Column sums for twooutoffive paper tape Binary sort 80column card Hollerith code for letters Hollerith code for symbols Enigma machine Communications channel Triplerepetition code Majority rule decoding Interleaved two out of five UPCA UPCA Codabar Code 128 Minimum distance Primes < 10 000 Icosahedron Datastrip code MaxiCode PDF 417 PC postage Interpolating polynomial 401
9 32 32 34 35 35 36 96 101 102 103 109 112 113 115 117 121 164 235 241 242 242 242 288
FIGURES
402 Figure 12.2 Figure 12.3 Figure 12.4 Figure 12.5 Figure 12.6 Figure 12.7 Figure 12.8 Figure 12.9 Figure 12.10
Linear polynomials Q uadratic polynomials Cubic polynomials Permutation phase Combination phase Permutation phase Combination phase Permutation phase Combination phase
288 289 289 297 298 299 299 302 302
Tables Table 2.1 Table 2.2 Table 2.3a Table 2.3b Table 2.4 Table 2.5 Table 2.6 Table 2.7 Table 2.8 Table 3. 1 Table 3.2 Table 3.3 Table 4.1 Table 4.2 Table 4.3 Table 4.4 Table 4.5 Table 4.6 Table 4.7 Table 4.8 Table 4.9 Table 4.10 Table 4.11 Table 4.12
Binary code Hexadecimal numbers Binary addition and multiplication Hexadecimal multiplication ASCII code Morse code Braille code for AZ Braille code for digits 09 Braille code for punctuation Addition and multiplication modulo 5 Extended Euclidean algorithm Calculating the inverse of 13 modulo 29 Caesar cipher Letters are numbers Caesar cipher arithmetic Caesar encrypting Ambiguous encryption Polyalphabetic encryption Letter count from selected text Frequencies for shifted ciphertext Simple shift fails Substitution cipher a Permutation cipher Letter pair (digraph) frequencies 403
16 17 18 20 22 25 28 28 28 41 50 59 62 62 63 63 65 66 69 70 72 75 80 84
404 Table 4.13 Table 5.1 Table 5.2 Table 5.3 Table 5.4 Table 5.5 Table 5.6 Table 5.7 Table 5.8 Table 5.9 Table 5.10 Table 7.1 Table 7.2 Table 7.3 Table 7.4 Table 7.5 Table 9. 1 Table 9.2 Table 9.3 Table 10.1a Table 10. 1b Table 10.2
TABLES
Playfair encryption Binary symmetric channel Twooutoffive bar code Code 39 Interleaved two out of five U.S. Postal Code UPCA Codabar Width 6 patterns U.K. Royal Mail Array decoding Powers modulo m Calculation of 5 100 mod 101 = 1 Primes less than 100 Euler phi function Integers relatively prime to 72
GF2a = GFs
Minimal polynomials of elements in GF8 Representations of elements in GF1 6 Using a table for singleerror correction Using a table for singleerror correction Powers of (}
89 103 107 108 109 1 10 1 12 115 1 16 117 122 156 160 164 171 173 221 222 223 252 252 254
Index a  1 mod m, 57 a = b (mod m) , 55 Absolute value, 43 Absolutely least residue, 47 AddRoundKey, 272 Adleman, Leonard, 177 Advanced encryption standard, 261 Affine cipher, 65 Affine transformation, 271, 314 Algorithms, 399 Alphabet, 64 Arithmetic exact, 5 floating point, 4 Array decoding, 121 ASCII Code, 22 Associative law, 199 ATM machines, 5 Back substitution, 47 Bar code Codabar, 1 14 Code 128, 115 Code 39, 107 datastrip, 241 interleaved 2 of 5, 109 MaxiCode, 241 PDF 417, 242 postal code, 109 royal mail, 117 threeoutofnine, 107 two dimensional, 241 twooutoffive, 106 UPCA, 112 Base 10 representation, 137 BCH codes, 242 BCH decoder, 249
Big 0, 46 Binary code, 107 representation of field element, 221 symmetric channel, 103 word, 104, 112 Binomial coefficient, 10 Bit, 15 Bletchley Park, 95 Block cipher, 82 Books, 1 14 Boolean· matrix, 78 Bose, R. C., 241 Braille code, 27 Braille, Louis, 27 Byte, 124, 270 ByteSub, 270 c,
201 Caesar cipher, 62 Carmichael number, 161 Carmichael, R. D., 161 Cayley table, 201 Ceiling function, 16 Check sum, 1 10 Chinese remainder algorithm, 134 Chinese remainder theorem, 127, 132 Cipher, 61 affine, 65 block, 82 Caesar, 62 definition, 61 DES, 261 exponential, 168 knapsack, 190 permutation, 79 Playfair, 88 405
406 polyalphabetic, 64, 66 public key, 177 Rijndael, 262 RSA, 177 shift, 64, 65 substitution, 75 unbreakable, 92 Vigenere, 64 Ciphertext, 61, 178 Closed form, 10 Codabar, 1 14 Code ASCII, 22 BCH, 242 binary, 15 Braille, 27 Codabar, 114 Code 128, 115 CRC, 210 definition, 15 error control, 1 13, 1 14 error correcting, 102 error detecting, 102 Hamming ( 7, 4 ) , 120 Hamming ( 8, 4 ) , 125 hexadecimal, 17 interleaved twooutoffive, 109 ISBN, 114 linear, 105 Morse, 24 perfect, 122 ReedSolomon, 258 ternary, 25 threeoutofnine, 107 triple repetition, 102 twooutoffive, 32, 106 U. S. Postal, 109 universal product, 112 UPCA, 112 Codeword, 102, 120, 242 Common divisor, 42 Communications channel, 101 Commutative group, 229 law, 199 ring, 205
INDEX
Complete induction, 212 Complete residue system, 56 Complex numbers, 201, 293 Composite, 2 Congruence class, 200 modulo a polynomial, 207 relation, 55 Congruent, 55 Content, 278 Control characters, 22 CRC code, 210 Credit card transactions, 5 Cryptanalysis, 68 Cryptography, 61 Cycles definition, 76 disjoint, 76 inverse, 77 length, 237 Cyclic group, 230 Cyclic redundancycheck codes, 210 Daemen, Joan, 270 Data encryption standard, 261 Datastrip bar code, 241 Degree, 206 DES, 261 Determinant, 314 Digital fingerprint, 196 signature, 194 Disjoint cycles, 76 Distance between codewords, 104 Distributive law, 199 Divisibility, 2 Division algorithm for integers, 40 for polynomials, 141, 206, 209 Divisor, 2 Double error detecting, 125 DSA, 194 Electronic document, 194 eavesdropping, 68
407
INDEX
signatures, 183 Elements of a bar code, 107 Ellipsis, 10 Enigma machine, 95 Errorcontrol codes, 101 Errorcorrecting code, 102 Errordetecting code, 32, 102 Espionage, 68 Euclid's lemma, 51 Euclidean algorithm for integers, 45 for polynomials, 141, 209 Euler
Figures, 401 Floatingpoint number, 4 Floor function, 16 Fundamental theorem of arithmetic, 53 Galois field, 199 Galois, Evariste, 199 gcd (a (x) , b (x)) , 141 Generator polynomial, 242 GFp, 201 GFz s B , 265 GFp [x] , 204 GFp"' ' 225 Greatest common divisor of integers, 43 of polynomials, 141 Greatest integer, 16 Group cyclic, 230 definition, 230 of symmetries, 229 Hamming (7, 4) code, 120 (7, 4) decoding, 122 (8, 4) code, 125 (8, 4) decoding, 125 distance, 104 Hamming, Richard, 104 HardyRamanujan number, 162 Hash algorithm, 196 Hexadecimal code, 17 Hilbert matrix, 148 Hilbert, David, 148 Hocquenghem, 241 Hollerith punched cards, 34 HTML, 23 Hypertext markup language, 23 Icosahedron, 235 Index symbol, 6 Induction complete, 212 principle, 8 Industrial espionage, 68 Information theory, 101
408 Integer representations, 137 Integers, 1 Interleaved two of five, 109 International standard book number, 1 14 Interpolation Fast Fourier, 293 Lagrange formula, 279 Neville algorithm, 286 polynomial, 294 Inverse affine transformation, 271 cycle, 77 modulo m , 57 permutation, 77 Inverse matrix, 294, 314 Irreducible polynomial, 213 ISBN, 1 14 Key, 93 expansion, 273 private, 178 public, 177 Knapsack cipher, 191 Kronecker algorithm, 282 construction, 226 Lagrange interpolation formula, 279 theorem, 231 Lagrange, JosephLouis, 279 Large exponents, 157 Law of large numbers, 236 Least common multiple, 54 Least nonnegative residue system, 56 Lenstra, Hendrik, 72 Linear code, 105 Linear combination, 49 Loop invariant, 45 LUCIFER, 262 Majority rule, 102 Mantissa, 4 Mathematical induction, 8 Matrices
INDEX
Boolean, 78 determinant, 314 operations, 312 row reduction, 313 Vandermonde, 293 MaxiCode bar code, 241 Maximum likelihood decoding, 121 Message bits, 120 digest, 196 words, 120 Method of exhaustion, 43, 132 Miller's test, 166 Minimal polynomial, 209, 221 Minimum distance, 105 MixColumns, 272 Mod function fractions, 57 integers, 39 Modular arithmetic, 39 basis, 137 representation, 137 Monic polynomial, 206 Morse code, 24 Morse, Samuel F. B., 24 Multiplicative group of a field, 230 National Institute of Standards and Tech nology, 261 Neville iterated interpolation algorithm, 286 Nibble, 124 NIST, 261 Noisy channel, 102 Nonnegative integer, 1 Notation, 397 Number complex, 293 floatingpoint, 4 integer, 1 random, 237 Number theory, 1, 153 Numerical analysis, 4 Onedimensional bar code, 106
INDEX
Onetime pad, 93 Order of a group, 230 of a group element, 230 Pairwise relatively prime, 133 Paper tape, 32 Parity check bit, 105, 120 code 39, 107 matrix, 105 Pascal's triangle, 1 1 P C postage, 242 PDF 417 bar code, 242 Perfect code, 122 Permutation cipher, 79 definition, 76 matrix, 78 Personal identification numbers, 261 phi function cp (n) , 171 Plaintext, 61, 82, 178, 242 Platonic solid, 235 Playfair cipher, 88 Polyalphabetic cipher, 66 Polynomial code, 242 division, 141 division algorithm, 206 interpolation, 294 primitive over a finite field, 232 primitive over the integers, 277 remainder, 207 ring, 206 Positive integer, 1 Postal code, 109 Power method, 156 Powers modulo n, 155 Primality, 2 Primality test Miller's test, 166 Rabin, 167 Prime, 2 probabilistic, 166, 167 Prime Number Theorem, 168 Primitive element, 232
409 Primitive polynomial over a finite field, 232 over the integers, 277 Primitive root, 293 Principle of mathematical induction, 8, 49, 212 Private key, 178 Probabilistic prime, 167 Product notation, 7 of permutations, 77 of powers of prime integers, 137 of prime integers, 52 Protocol, 179 Pseudo prime, 165 Pseudorandom number generator, 237 Public key, 177 Public key ciphers, 177 Q, 201 Q uotient, 207 IR,
201 Rabin's probabilistic primality test, 167 Random, 237 Rational numbers, 201 Rational root theorem, 279 RayChaudhuri, 241 Real numbers, 201 Recursion, 45 Reduced residue system, 171 ReedSolomon code, 258 Reflector, 95 Relative frequency, 68 Relatively prime, 51 pairwise, 133 Remainder, 207 Residue system complete, 56 reduced, 171 standard, 56 Rijmen, Vincent, 270 Rijndael block cipher, 270 Ring, 204 Rivest, Ron, 177 Rotor, 95
410 Roundoff error, 4 Row reduction, 128 Royal mail code, 117 RSA cipher, 177 Secure hash algorithm, 196 Secure multiparty protocols, 290 Shamir, Adi, 177 Shannon, Claude, 101 Shift, 267 Shift cipher, 64 Shift variable, .� 6 ShiftRows, 272 Sieve of Eratosthenes, 163, 164 Signature verification, 194 Softstrip bar code, 241 Splitting field, 226 Square roots of one, 153 State, 96 Subgroup, 230 Substitution cipher, 75 Sum of binary words, 104 Summation notation, 6 Sun Tsu SuanChing, 127 Superincreasing sequence, 190 Symbols, 397 Symmetric, 201 Symmetric group, 229 Systems of linear equations mod n, 127 Table decoder, 252 Tables, 403 Ternary code, 25 Threeoutofnine bar code, 107 Totient function, 171 Transmission error, 101 Trap door function, 190 Triangle inequality, 121 Triplerepetition code, 102 Truncation error, 4 Turing, Alan, 95 Twodimensional bar code, 241 Twooutoffive code, 32 U. K. royal mail code, 117 U. S. postal code, 109
INDEX .
Unbreakable ciphers, 92 Universal product code, 112 UPCA, 112 Vandermonde matrix, 293 Vector, 312 Vector sum, 104 Verification, 195 Verify signature, 194 Vigenere cipher, 64 Weight, 104 Wiles, Andrew, 159 Wilson ' s theorem, 154 Wilson, Sir John, 153 World War II, 95 xn mod m, 155 z,
1 Zv, 201 Z [x] , 141 ZIP code, 109