
LINNAEUS UNIVERSITY

School of Computer Science, Physics, and Mathematics

April 3, 2012

Exercises in
Cryptography and Coding Theory

Per-Anders Svensson

Principles for Encryption


In the exercises below, we will use the following principles. Unless otherwise
stated, plaintexts are written in English, and the 26 letters of the English alphabet
will be encoded by the elements in Z26 = {0, 1, 2, . . . , 25} in the following way:

a  b  c  d  e  f  g  h  i  j  k  l  m
0  1  2  3  4  5  6  7  8  9  10 11 12

n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25

We will not distinguish between capitals and small letters, whence s and S will
both be encoded as 18, for instance. All spaces and punctuation marks, such as
points, commas, colons, semicolons, exclamation marks, question marks, etc.,
will be excluded before encryption. It is also assumed that any text will not
contain any digits.
As an example, according to these rules, the text
This message has 2 sentences. The second one ends with an
exclamation mark!
will be transformed to
thismessagehassentencesthesecondoneendswithanexclamationmark
before encryption.
For some ciphers, such as RSA, the plaintext is divided into blocks consisting
of n letters each. If the number of letters in the plaintext isn't a multiple of n,
a number of so-called junk letters are added to the last block, so that each block
will contain exactly n letters. Furthermore each letter is encoded according to
the scheme
a 01, b 02, . . . , y 25, z 26.
For example, to divide the plaintext cryptology into three-letter blocks we will
have to add some junk letters to the last block. We then obtain
cry pto log yxx
Here we have used x as a junk letter. We now encode each block, letter by
letter, to obtain
31824, 162015, 121507, 252424.

Elementary number theory


1. Find the quotient q and the remainder r when a is divided by b, according
to the Division Algorithm, if
(a) a = 4 and b = 2
(b) a = 4 and b = 3
(c) a = 215 and b = 3
(d) a = 5 and b = 7
(e) a = 13 and b = 2
(f) a = 13 and b = 2.

2. Let b = 3 and complete the table below according to the Division Algorithm a = bq + r.
a
q
r

1
0
1

a
q
r

10

11

12

13

14

15

16

What patterns can you discover in the table?


3. Find all divisors of each one of the following integers:
(a) 7

(b) 15

(c) 27

(d) 28

4. Compute
(a) gcd(3, 9)
(b) gcd(5, 15)
(c) gcd(46, 89)
(d) gcd(36, 192)
(e) gcd(124, 992)
(f) gcd(124, 994)

5. Two integers a and b are said to be relatively prime, if gcd(a, b) = 1. Which
of the following pairs of integers are relatively prime?
(a) 5 and 7
(b) 12 and 33
(c) 54 and 73
(d) 1 and 89
(e) 11 and 191
(f) 13 and 195

6. Find gcd(a, b), if
(a) a = 55, b = 120
(b) a = 190, b = 172
(c) a = 34, b = 55

7. Find integers s and t, such that as + bt = gcd(a, b), for each choice of a
and b in the previous exercise. (Note that s and t are not uniquely determined.)
8. Are there any integers m and n such that gcd(m, n) = 3 and m + n = 100?
9. Let a be an integer. What can you then say about the value of gcd(a, a+2)?
10. Compute
(a) 3 + 6 in Z7
(b) 2 8 + 4 3 in Z9
(c) 3^2 + 4^2 in Z25
(d) 142 + 67 in Z143
(e) 72^70 in Z73
(f) (149 + 553)^83 in Z37

11. Which ones of the following congruences are true?
(a) 35 371 (mod 3)
(b) 1 1 (mod 2)
(c) 3 17 (mod 5)
(d) 4 87 (mod 12)
(e) 9 67 (mod 4)
(f) 621 0 (mod 9)

12. For what values of the integer m > 1 are the following congruences true?
(a) 6 1 (mod m)

(b) 31 7 (mod m)

(c) 198 83 (mod m)

13. Is there a positive integer m such that a b (mod m) is true for all
integers a and b?
14. The Rule of Nines says that an integer a is divisible by 9, if and only if the
sum of the digits of a (when expressed in the decimal notation) is divisible
by 9. For instance, 9 | 738, since the sum of digits of 738 is 7 + 3 + 8 = 18,
and 18 is divisible by 9.
(a) Use the Rule of Nines to show that 9 | 451 099 125.
(b) Prove the Rule of Nines.
Hint: Show that 10k 1 (mod 9) for each positive integer k.
15. Construct one table for addition modulo 8 and one for multiplication modulo 8 on the set Z8 = {0, 1, 2, 3, 4, 5, 6, 7}, similar to those on page 72 in
the text book.
16. What will you obtain if you compute 1 + 2 + 3 + + (n 1) in Zn ?
17. Find all elements in Zn that have a multiplicative inverse modulo n, if
(a) n = 8

(b) n = 9

(c) n = 10

(d) n = 11.

18. If n is a positive integer, what could the unit digit of n^6 be?


19. Find the multiplicative inverse, in case it exists, of
(a) 3 (mod 5)
(b) 10 (mod 15)
(c) 23 (mod 24)
(d) 14 (mod 25)
(e) 12 (mod 21)
(f) 57 (mod 101)

20. Suppose a and b both have a multiplicative inverse modulo n. What can
you then say about the multiplicative inverse modulo n of ab and a + b?
21. Find all solutions to the following congruence equations.
(a) 3x 2 (mod 8)
(b) 6x 2 (mod 9)
(c) 4x 6 (mod 10)
(d) 2x 7 (mod 10)
(e) 9x 8 (mod 11)
(f) 4x 10 (mod 18)

22. Find all solutions to the following congruence equations.
(a) 2x 3 (mod 7)
(b) 4x 4 (mod 11)
(c) 3x 3 (mod 12)
(d) 6x 39 (mod 969)

23. For what integers a, where 0 a < 70, has the congruence equation
30x a (mod 70) a solution? How many solutions are there in each such
case?

Classical ciphers
1. (a) Encrypt encrypt with the Caesar cipher.
(b) The ciphertext mxolxv was obtained by Caesar encryption. What
was the plaintext?
2. Encrypt plus by using a shift cipher with the shift length
(a) 5

(b) 10

(c) 14.

3. In some computer programs one can encrypt a message by using a command called Rot13. This command works like a shift cipher with the shift
length 13, i.e. the encryption mapping may be written as
E(x) = x + 13 (mod 26).

(a) What is the result of running Rot13 on the message hello?


(b) Prove that encrypting the same message twice with Rot13 returns
the original message. In other words, prove that E(E(x)) = x for all
x Z26 .
4. Will the security be increased, if you encrypt a message twice, using a
shift cipher both times, but with different shift lengths?
5. Suppose that you are playing the role of Eve. You know that Alice and
Bob use a shift cipher. How can you use the information you get below
to break their cipher (i.e. to find the key Alice is using) in each of the
separate cases below? Also, describe what kind of attack you are using
(of the four main kinds of attacks).
(a) Alice starts her message with the phrase Dear Bob, and the first seven
letters of the corresponding ciphertext are ijfwgtg.
(b) Alice sends mphlcpzqpgp to Bob.
6. A frequency analysis of the letters in a ciphertext obtained by a shift
cipher yields the following data:

a    b    c    d    e    f    g    h    i
152  52   19   24   14   31   2    117  26

n    o    p    q    r    j    k    l    m
47   58   188  32   32   97   141  2    9

s    t    u    v    w    x    y    z
59   41   122  137  36   2    106  113

The plaintext is written in English. Which is the most probable decryption
mapping? Explain why.
7. A frequency analysis of a ciphertext, obtained from a shift cipher, returns
the following table of letter frequencies:

a   b   c   d   e   f   g   h   i
0   3   19  21  39  39  22  0   28

j   k   l   m   n   o   p   q   r
24  57  12  2   6   8   11  0   42

s   t   u   v   w   x   y   z
5   15  11  62  11  8   23  39

The plaintext is written in English. Find a probable decryption mapping,
and use this to decrypt the ciphertext xffuxlvjj.
8. The ciphertext irsayh is the result of a shift cipher encryption. Find the
plaintext!
9. Which of the following mappings are affine on Z26 ?
(a) E(x) = 3x + 26
(b) E(x) = 4x + 1
(c) E(x) = x
(d) E(x) = 9x
(e) E(x) = 12x
(f) E(x) = 15x + 15

10. How many affine mappings E(x) = ax + b can be used as a key for an
affine cipher, if the alphabet we are using contains
(a) 28 letters

(b) 26 letters

(c) 29 letters?

11. Use the affine mapping E(x) = 3x + 17 (mod 26) to encrypt the message
vaxjo. Which affine mapping should be used for decryption?
12. An affine cipher uses E(x) = 25x + b (mod 26) for encryption, where
b Z26 . For which b Z26 will the mapping for decryption look exactly
the same?
13. Suppose we know that an affine cipher encrypts the letters e and n to s
and t, respectively. How will hurrah be encrypted with this cipher?
14. Is there an affine cipher that encrypts
(a) he to it

(b) no to we

(c) hug to and?

15. A plaintext is encrypted two times. First, we use the affine mapping
E1 (x) = 9x + 19 (mod 26) as the key, then E2 (x) = 5x + 2 (mod 26).
The resulting ciphertext can be obtained from the plaintext by using a
single mapping E(x) = ax + b. Which one?
16. Decrypt the ciphertext yqjjoodboik, provided that we know that it is the
result from an affine cipher that encrypts be to do.
17. Let E1 , E2 , and E3 denote affine mappings on Z26 . If we encrypt the
plaintext examine twice, first using E1 and on top of that E2 , the ciphertext labfvol is obtained. If we instead encrypt by first using E2
followed by E3 , the resulting ciphertext will be mvgystm. Find E3 , given
that E1 (x) = 5x + 11 (mod 26).
18. Bob has received the ciphertext KDQJCUJDSTSQGCGEBXVCXS. It is encrypted
by using a substitution cipher, where the key is determined by the following table.

Plaintext   a b c d e f g h i j k l m
Ciphertext  Q A Z W S X E D C R F V T

Plaintext   n o p q r s t u v w x y z
Ciphertext  G B Y H N U J M I K O L P

What does Alice want to know from Bob?


19. Use key as a keyword for a Vigenère cipher, in order to
(a) encrypt winner
(b) decrypt vylml.

20. If the plaintext thisisanexampleofvigenereencryption is Vigenère encrypted, the ciphertext becomes
tabskcagxxcwpexohfizxngbexgctipmbop.
Find the keyword.
21. Let V1 and V2 denote Vigenère encryption mappings. Suppose that the
keywords used for V1 and V2 are first and second, respectively. Given a
plaintext txt, we write V1 (txt) and V2 (txt) for the corresponding ciphertexts
that are obtained.
(a) Find V1 (vigenere) and V2 (vigenere).
(b) Show that the mapping V , defined by V (txt) = V2 (V1 (txt)) for all
plaintexts txt, is also an encryption mapping for a Vigenère cipher.
What is its period?
22. Let V1 and V2 be as in the previous exercise, but assume that the keywords used by V1 and V2 are yes and no, respectively. Let V and W
be the Vigenère encryption mappings defined as V (txt) = V2 (V1 (txt)) and
W (txt) = V1 (V2 (txt)). Find the keywords for V and W .
23. Divide the alphabet into the set of all vowels
V = {a, e, i, o, u, y}
and the set of all consonants
C = {b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z}.
Define v : Z6 V so that v(0) = a, v(1) = e, v(2) = i, . . . , v(5) = y, and
c : Z20 C so that c(0) = b, c(1) = c, c(2) = d, . . . , c(19) = z.
We will now encrypt messages by the following rules: If the nth vowel of
the plaintext is v(a), where a Z6 , we let the corresponding encrypted
letter be v(b), where b a + n (mod 6). In the same manner, if the nth
consonant in the plaintext is c(a), where a Z20 , we encrypt it to c(b),
where b a + n (mod 20).
Example: In the plaintext cipher, the first vowel i will be encrypted to o,
and the second vowel e to o as well, while the consonants c, p, h, and r will
in turn be encrypted to d, r, l, and w, respectively. Hence the ciphertext
will be dorlow.
(a) Encrypt the plaintexts football, handball, and volleyball.
(b) Decrypt tifvozsubcuqa.
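The rules of Exercise 23 written out as code (an added example, not part of the original exercise sheet; the function names are chosen here). It also shows why the scheme is weak: there is no key, and the vowel/consonant pattern of the plaintext survives encryption.

```python
# Added example: the vowel/consonant cipher described in Exercise 23.
VOWELS = "aeiouy"                     # v(0), ..., v(5)
CONSONANTS = "bcdfghjklmnpqrstvwxz"   # c(0), ..., c(19)


def normalize(text):
    """Lower-case the text and drop everything except the letters a-z."""
    return "".join(ch for ch in text.lower() if "a" <= ch <= "z")


def _shift(text, direction):
    """Move the n-th vowel n places in VOWELS (mod 6) and the n-th consonant
    n places in CONSONANTS (mod 20); direction is +1 (encrypt) or -1 (decrypt)."""
    seen = {VOWELS: 0, CONSONANTS: 0}   # running count n for each letter class
    out = []
    for ch in normalize(text):
        alphabet = VOWELS if ch in VOWELS else CONSONANTS
        seen[alphabet] += 1
        index = (alphabet.index(ch) + direction * seen[alphabet]) % len(alphabet)
        out.append(alphabet[index])
    return "".join(out)


def encrypt(plaintext):
    return _shift(plaintext, +1)


def decrypt(ciphertext):
    # Vowels stay vowels and consonants stay consonants, so the receiver can
    # recount n from the ciphertext alone. Nothing secret is needed.
    return _shift(ciphertext, -1)


def letter_classes(text):
    """Vowel/consonant pattern of a text, e.g. 'cipher' -> 'CVCCVC'."""
    return "".join("V" if ch in VOWELS else "C" for ch in normalize(text))


if __name__ == "__main__":
    for word in ("cipher", "football", "handball", "volleyball"):
        c = encrypt(word)
        print(word, "->", c, "| pattern preserved:",
              letter_classes(word) == letter_classes(c))
    print(decrypt("tifvozsubcuqa"))
```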
24. Let the matrices

A = [ 4 3 ]   and   B = [ 2 2 ]
    [ 2 1 ]             [ 3 7 ]

be given. Compute
(a) AB (mod 10)
(b) BA (mod 11)
(c) A + BA (mod 12).

25. Does the matrix

[ 8 5 ]
[ 2 2 ]

have an inverse
(a) (mod 5)
(b) (mod 12)
(c) (mod 18)
(d) (mod 35)?

26. Find the inverse (mod 15), in case it exists, to each one of the following
matrices.

(a) [ 4 11 ]   (b) [  6 1 ]   (c) [ 13 11 ]
    [ 2  4 ]       [ 10 4 ]       [  1  2 ]

27. Find the inverse (mod 25), in case it exists, to each one of the matrices in
the previous exercise.
28. A binary matrix is a matrix whose elements can only be 0 or 1. How
many binary 2 2 matrices are there? How many of those matrices have
an inverse modulo 2?
29. Which of the matrices below is possible to use as a key in a Hill cipher?
(We assume that our alphabet consists of 26 letters.)

(a) [ 3 18 ]   (b) [ 5 11 ]   (c) [ 7 1 ]   (d) [ 4 13 ]
    [ 4 21 ]       [ 8 27 ]       [ 4 2 ]       [ 8 18 ]
30. Encrypt check with a Hill cipher that uses the matrix

[ 1 10 ]
[ 3  5 ]

as an encryption key. (Append a junk letter, x for instance, to the end
of the word check, so it can be divided into two-letter blocks.)
31. By using the matrix

[ 4  1 ]
[ 3 12 ]

as a key for Hill encryption, the ciphertext krji is obtained. Find the
plaintext.

32. (a) Show that the matrix

A = [ 3 21 ]
    [ 1  7 ]

cannot be used as a key for a Hill cipher.
(b) Suppose that we are stubborn and use A as the key for a Hill cipher
anyway. What could then happen? (Hint: Encrypt the words hand
and lock).
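The key check behind Exercises 29 to 32 as runnable code (an added example, not part of the original exercise sheet; function and constant names are chosen here). It uses the row-vector convention, plaintext block times key matrix, which is the one that reproduces the sheet's answers to Exercises 30 and 31, and it lists the collisions a non-invertible key produces.

```python
from math import gcd

M = 26  # alphabet size; a = 0, ..., z = 25 as in "Principles for Encryption"

EX30_KEY = [[1, 10], [3, 5]]    # matrix of Exercise 30
EX31_KEY = [[4, 1], [3, 12]]    # matrix of Exercise 31
EX32_A = [[3, 21], [1, 7]]      # matrix A of Exercise 32


def to_numbers(text):
    return [ord(ch) - ord("a") for ch in text.lower() if "a" <= ch <= "z"]


def to_text(numbers):
    return "".join(chr(n + ord("a")) for n in numbers)


def determinant(key):
    (a, b), (c, d) = key
    return (a * d - b * c) % M


def is_valid_key(key):
    """A 2x2 matrix is invertible mod 26 exactly when gcd(det, 26) = 1."""
    return gcd(determinant(key), M) == 1


def hill_encrypt(text, key, junk="x"):
    """Encrypt two-letter blocks as row vectors: (x, y) -> (x, y) * key mod 26."""
    (a, b), (c, d) = key
    nums = to_numbers(text)
    if len(nums) % 2:                       # pad the last block with a junk letter
        nums += to_numbers(junk)
    out = []
    for x, y in zip(nums[0::2], nums[1::2]):
        out += [(x * a + y * c) % M, (x * b + y * d) % M]
    return to_text(out)


def inverse_key(key):
    if not is_valid_key(key):
        raise ValueError("key is not invertible modulo 26")
    (a, b), (c, d) = key
    det_inv = pow(determinant(key), -1, M)  # modular inverse, Python 3.8+
    return [[d * det_inv % M, -b * det_inv % M],
            [-c * det_inv % M, a * det_inv % M]]


def hill_decrypt(text, key):
    return hill_encrypt(text, inverse_key(key))


def collisions(key):
    """Map each ciphertext block to all plaintext blocks that produce it,
    keeping only ciphertext blocks with more than one preimage."""
    preimages = {}
    for x in range(M):
        for y in range(M):
            block = to_text([x, y])
            preimages.setdefault(hill_encrypt(block, key), []).append(block)
    return {c: p for c, p in preimages.items() if len(p) > 1}


if __name__ == "__main__":
    print(hill_encrypt("check", EX30_KEY), hill_decrypt("krji", EX31_KEY))
    print(is_valid_key(EX32_A), hill_encrypt("hand", EX32_A),
          hill_encrypt("lock", EX32_A))
    print(len(collisions(EX32_A)), "ciphertext blocks are ambiguous under A")
```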
33. Bob receives the Hill encrypted ciphertext yiujkywsbusseukekyuabuzo
from Alice. After decrypting it, the plaintext manyamicklemakesamuckle
is obtained. Find the 2 2-matrix that Alice used for encryption.
34. A Hill cipher uses a 2 2-matrix A as the encryption key. Furthermore,
the plaintext tame corresponds to the ciphertext fmsk.
(a) Show that A cannot be uniquely determined from the information
above. What are the candidates for A?
(b) Suppose someone tells you how the plaintext what is encrypted. Will
this be enough to determine A uniquely?
35. A plaintext is Hill encrypted twice. In the first round, we use the matrix
in Exercise 30 as a key, and in the second round, we use the matrix in
Exercise 31. The resulting ciphertext can be obtained from the plaintext
by a single Hill encryption. Which matrix should then be used as the
encryption key?
36. (a) Find all x Z26 such that the matrix

A = [ 7 5 ]
    [ 3 x ]

can be used as the key for a Hill cipher.
(b) Encrypt the plaintext starwars with one of the matrices that you
obtain above.
37. Prove that there is no x Z26 such that the matrix

[ x    x+1 ]
[ x+2  x+3 ]

can be used as a key in a Hill cipher.

DES and AES


1. Let Si denote the ith S-box of the DES cipher, see page 128 in the textbook. Find
(a) S3 (110011)

(b) S1 (010100)

(c) S7 (000010)

(d) S6 (100111)

2. What will the outcome of the first round (of 16) in the Feistel system that
is a part of the DES algorithm, if both the plaintext block and the key
consist of ones only? Or in other words, given the plaintext m = 111 . . . 1
(64 bits) and the key K = 111 . . . 1 (56 bits), decide L1 R1 (see Figure 4.4
on page 125 in the textbook).
3. Suppose we encrypt messages using the following version of 3DES: Each
message m is encrypted with two DES keys K1 and K2 by the formula
c = EK1 (EK2 (EK2 (m))).
Describe how to break this cipher using a Meet-in-the-Middle Attack.
4. As described on page 144 of the textbook, the DESX cryptosystem is
described as one way to strengthen up DES. To encrypt a plaintext m
using DESX, you choose three DES keys K1 , K2 , and K3 , and compute
c = K3 EK2 (K1 m),
where signifies bitwise addition (XOR), and EK2 stands for DES encryption. How do you decrypt c, using DESX?
5. Using long division, compute the quotient q(x) and remainder r(x) when
f(x) is divided by g(x), according to the division algorithm of Z2[x], if
(a) f(x) = x^3 + x^2 + x + 1 and g(x) = x + 1
(b) f(x) = x^6 + x^2 + x and g(x) = x^3 + x + 1
(c) f(x) = x^7 + x^6 + 1 and g(x) = x^2 + x.
6. Compute the products of bytes given below, by means of the arithmetic
of GF(2^8) that is used in the Rijndael cipher.
(a) 00010011 00000111
(b) 01001011 01000100
(c) 10101010 00010010
(d) 10000001 10000001
7. Suppose that the input to the first round of the four layers BS, SR, MC
and ARK, that is used in the Rijndael cipher, is given by the matrix

     [ 00001001 01010010 01010010 01010010 ]
M0 = [ 01010010 01010010 00001001 01010010 ]
     [ 00001001 01010010 01010010 01010010 ]
     [ 01010010 01010010 00001001 01010010 ]

Find the output matrix M1 of this round, if the key that is used for this
actual round is represented by the identity matrix of bytes, i.e.

     [ 00000001 00000000 00000000 00000000 ]
K1 = [ 00000000 00000001 00000000 00000000 ]
     [ 00000000 00000000 00000001 00000000 ]
     [ 00000000 00000000 00000000 00000001 ]

8. Recall that the polynomial m(x) = x^8 + x^4 + x^3 + x + 1, which plays an
important role in Rijndael's cipher, is irreducible in Z2[x], i.e. if one tries
to factorize it as m(x) = f(x)g(x) for some polynomials f(x), g(x) Z2[x],
then we must have f(x) = m(x) or g(x) = m(x). Decide which of
the following polynomials in Z2[x] are irreducible as well.
(a) x^2 + x
(b) x^2 + 1
(c) x^3 + x + 1
(d) x^4 + x + 1
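The arithmetic used in Exercises 5, 6 and 8 of this section as code (an added example, not part of the original exercise sheet; names are chosen here). A polynomial in Z2[x] is stored as an integer whose bit i is the coefficient of x^i, so the bytes of Exercise 6 can be entered directly as binary literals.

```python
# Added example: polynomials over Z2 as bit masks (bit i = coefficient of x^i).
AES_MODULUS = 0b100011011   # m(x) = x^8 + x^4 + x^3 + x + 1 from Exercise 8


def deg(p):
    """Degree of p; the zero polynomial gets degree -1."""
    return p.bit_length() - 1


def poly_divmod(f, g):
    """Long division in Z2[x]: return (q, r) with f = q*g + r and deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while deg(f) >= deg(g):
        shift = deg(f) - deg(g)
        q ^= 1 << shift          # add x^shift to the quotient
        f ^= g << shift          # subtract (= add, in Z2) x^shift * g
    return q, f


def clmul(a, b):
    """Product of two polynomials in Z2[x] (carry-less multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf256_mul(a, b):
    """Product of two bytes in GF(2^8): multiply in Z2[x], reduce modulo m(x)."""
    return poly_divmod(clmul(a, b), AES_MODULUS)[1]


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p) // 2."""
    if deg(p) < 1:
        return False
    for d in range(2, 1 << (deg(p) // 2 + 1)):
        if poly_divmod(p, d)[1] == 0:
            return False
    return True


if __name__ == "__main__":
    q, r = poly_divmod(0b1000110, 0b1011)     # Exercise 5(b)
    print(f"q = {q:b}, r = {r:b}")
    print(f"{gf256_mul(0b00010011, 0b00000111):08b}")   # Exercise 6(a)
    print(is_irreducible(AES_MODULUS))
```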

RSA
1. Suppose that we encode a plaintext by encoding each one of its letters
according to
a 01, b 02, . . . , y 25, z 26.
How will then the following plaintexts be encoded?
(a) no

(b) yes

(c) hello

(d) goodbye

2. Divide the following plaintexts into blocks of three letters each (and add
junk letters (e.g. x) to the last block if necessary), and encode each such
block according to the principle of the previous exercise.
(a) beatles

(b) rollingstones

(c) elvispresley

3. Translate the following pairs of integers into blocks of letters, using the
principles of Exercise 1 above. Put together the blocks into a single plaintext and ignore the junk letters in the last block (if there are any).
(a) (130120, 81924)
(b) (80912, 122424)
(c) (13051919, 1070524)
(d) (5240518, 3091905)

4. If we use the convention of encoding plaintext blocks as in the previous
exercises, we can thus represent each block by a positive integer m. What
is the maximal length of such a block if we wish that m < n, where
(a) n = 9999
(b) n = 765237
(c) n = 2610
(d) n = 1073 ?

5. Find the value of
(a) (10)
(b) (17)
(c) (18)
(d) (22)
(e) (25),
where denotes Euler's -function.

6. Let denote Euler's -function.
(a) Derive a formula for (p2 ), where p is a prime.
(b) Generalize the formula of (a) by deriving a formula for (pk ), where p
is a prime and k an integer such that k 2.
(c) Find the value of (243) (Hint: 243 = 35 ).
(d) One can prove that (mn) = (m)(n) whenever gcd(m, n) = 1 (so
for instance (15) = (3 5) = (3) (5) = 2 4 = 8). Use this fact
and the formula you derived in (b), to find the value of (10000).
7. Compute (using the previous exercise)
(a) (59)
(b) (66)
(c) (256)
(d) (3894) (Hint: 3894 = 59 66)

8. Derive a formula for the number of affine mappings from Zn to Zn .
9. Evaluate the following congruences. (Hint: Use Euler's Theorem or Fermat's Little Theorem).
(a) 6107 (mod 11)
(b) 25183 (mod 27)
(c) 51201 + 2242 (mod 99)
(d) 7240 992 (mod 31)

10. Find the remainder when 11183 and 23176 are divided by 16.
11. Use n = 77 and e = 7 as the public key for an RSA cryptosystem, to
encrypt the message yes. (Encode the plaintext letter by letter, with its
ordinal number in the alphabet.)
12. A ciphertext, represented by c1 = 60, c2 = 71, and c3 = 57, has been
obtained by RSA encryption. The same public key as in the previous
exercise has been used. Find the plaintext.
13. Find e and n in the public key of an RSA cryptosystem, if the private key
is given by
(a) p = 5, q = 3, d = 3
(b) p = 13, q = 17, d = 35
(c) p = 23, q = 11, d = 19
(d) p = 31, q = 41, d = 403.

14. Find p, q, and d in the private key of an RSA cryptosystem, if the public
key is given by
(a) n = 55, e = 3
(b) n = 143, e = 13
(c) n = 26, e = 7
(d) n = 95, e = 65.

15. Bob is about to construct a key for an RSA cryptosystem. So far, he has
chosen the primes p = 17 and q = 31 and an integer e = 7.
(a) What will the public and the private key look like?
(b) Use Bob's key to encrypt the plaintext hey.
16. Bob is going to construct a public RSA-key. He starts by choosing two
primes p = 59 and q = 73. When he comes to choosing the number e, he
hesitates between choosing e = 32, e = 53, or e = 261. Explain to Bob
why two of these alternatives for e are out of the question, and help him
to complete the construction of his public key, as well as the corresponding
private key.
17. In a public key (n, e) for an RSA cryptosystem, e = 3. Suppose that
plaintexts represented by the integers m and m+1 yield the ciphertexts c1
and c2 , respectively. Show that we can find the plaintext m, by solving
the congruence equation
(c2 c1 + 2)x c2 + 2c1 1

(mod n)

for x. Find m, given that n = 77, and that c1 = 24, c2 = 31.


18. Will the security of RSA increase, if you encrypt a plaintext twice, first
using the public key (n, e1 ), then (n, e2 )?
19. Factor n (given that n is the product of two different primes), if
(a) n = 253, (n) = 220
(b) n = 403, (n) = 360
(c) n = 185, (n) = 144
(d) n = 1 763, (n) = 1 680.

20. Bob's public RSA-key is given by (n, e) = (1333, 11). You happen to know
that (n) = 1260. Find Bob's private key (p, q, d).
21. Let n = pq be the product of two different primes p and q. Show that if
p < q < 2p, then n (n) < 3 n.
22. Use Fermat's factorization method to factor the following integers.
(a) 209
(b) 161
(c) 2021
(d) 11663

23. Verify that none of the integers below is a prime, by using Fermat's
method, i.e. if gcd(a, n) = 1 and an1 6 1 (mod n), then n is not a
prime.
(a) 15
(b) 33
(c) 645
(d) 1 729

Discrete Logarithms and ElGamal's Cryptosystem


1. Find all primitive roots
(a) modulo 5

(b) modulo 11.

2. Which of the following numbers are primitive roots modulo 13?


(a) 2

(b) 3

(c) 5

(d) 6

(e) 11

3. One can show that if is a primitive root modulo p, where p is a prime,
then all primitive roots modulo p can be written k , where k is an integer
such that 1 k p 1 and gcd(k, p 1) = 1. Compute the number of
primitive roots modulo
(a) 13
(b) 19
(c) 23
(d) 89
(e) 101
(f) p, where p is an arbitrarily chosen prime.

4. Use the information given in the previous exercise to find all primitive
roots modulo the prime p, given that is a primitive root:
(a) p = 17, = 3
(b) p = 19, = 2

5. Given that 2 is a primitive root modulo 11, compute the discrete logarithms
(a) L2 (8)
(b) L2 (5)
(c) L2 (7)
(d) L2 (6).

6. A primitive root modulo 19 is given by = 2. Furthermore we have
L2 (7) = 6 and L2 (9) = 8. Use this fact to compute L2 (6).
7. Compute the following discrete logarithms modulo the prime p = 73, given
that 5 is a primitive root modulo 73, and that L5 (2) = 8 and L5 (31) = 11.
(a) L5 (62)

(b) L5 (10)

(c) L5 (8)

(d) L5 (25)

(e) L5 (52)

Hint: 125 52 (mod 73). Recall that La (bc) La (b)+La (c) (mod p1).
8. Suppose we use (p, , ) = (13, 2, 3) as the public key in ElGamal's cryptosystem. Find the private key a.
9. Bob intends to construct a key for an ElGamal cryptosystem. He chooses
the prime p = 17 and finds that = 3 is a primitive root modulo 17.
Furthermore, he chooses a = 3.
(a) Help Bob to finish the construction.
(b) Encrypt the message m = 13, using the random number k = 4.
(c) Decrypt the ciphertext (4, 9).
10. Encrypt the message m = 5 with (p, , ) = (11, 2, 9) as the public key in
ElGamal's cryptosystem.
11. Encrypt the plaintext ok using ElGamal's cryptosystem, when the public
key is given by (p, , ) = (59, 44, 48). The number k that is needed in
the encryption process may be chosen from the set {2, 3, 4}.
12. A message m is encrypted to (r, t) = (3, 5), using ElGamal's cryptosystem. The
private key is a = 4. When it comes to the public key (p, , ), we know
that p = 7. Find m.
13. Two different messages m1 and m2 have been encrypted in ElGamal's
cryptosystem with the same public key (p, , ). The corresponding ciphertexts are represented by (r1 , t1 ) = (5, 10) and (r2 , t2 ) = (5, 9), respectively. Suppose m1 = 4. Find m2 , given that p = 17.
14. As a public key to ElGamal's cryptosystem (p, , ) = (47, 5, 43) is used.
Eve intercepts the ciphertext (14, 23), (14, 9), (14, 8). Knowing that the
first letter of the plaintext is e, she can actually find the complete message!
What is it?
15. Bob's public key to ElGamal's cryptosystem is (p, , ) = (29, 2, 8). Alice
uses this to send him the ciphertext (13, 26), (19, 24), (21, 13). What is the
plaintext?
16. Alice and Bob will use the Diffie-Hellman key exchange protocol to decide
a key k for a symmetric cryptosystem. The key is represented by an
integer. Let p = 47. Then = 5 is a primitive root modulo 47. Alice
chooses x = 21 and Bob chooses y = 7. Compute those integers that they
will send to one another, as well as the key k.
17. When using the Diffie-Hellman key exchange protocol, Alice computes
a = x (mod p) and sends it to Bob. Here p is a prime, a primitive
root modulo p, and x an element in Zp1 . Find , given that p = 17,
a = 3, and x = 11. (Hint: Note that gcd(x, p 1) = 1, whence x has a
multiplicative inverse modulo p 1.)


Coding Theory
1. Compute the following Hamming distances.
(a) d(10011, 10100)
(b) d(111001, 000011)
(c) d(0110111, 1001000)
(d) d(00010110, 01100101)

2. Compute the Hamming weights of the following words.
(a) 10011 + 10100
(b) 111001 + 000011
(c) 0110111 + 1001000
(d) 00010110 + 01100101

3. Based on the answers of the two previous exercises, there seems to be some
kind of connection between the Hamming distance between two words and
the Hamming weight of sum of the same words. What kind of connection?
Is this connection generally true? Give a proof or find a counterexample.
4. Let x and y be words in An . Prove that wt(x + y) wt(x) + wt(y).
Hint: Exercise 3 and the triangle inequality.
5. Prove that d(x + z, y + z) = d(x, y) for all x, y, z An . (The Hamming
distance is invariant of translations.)
Hint: Exercise 3.
6. Find the minimum distance and the minimal Hamming weight for each
one of the codes below.
(a) {0000, 0101, 1010, 1111}
(b) {000011, 010110, 101001, 111100}
(c) {00000000, 01010101, 10101010, 11111111}
(d) {0001, 0010, 0100, 0111, 1000, 1011, 1101, 1110}
(e) {000111, 001110, 010101, 011100, 100011, 101010, 110001, 111000}

7. Decide which codes of the previous exercise are linear.


8. Let x = x1 x2 x3 and y = y1 y2 y3 be words of length 3. Put
p
f (x, y) = (x1 y1 )2 + (x2 y2 )2 + (x3 y3 )2 .
(a) Compute f (010, 111) and f (001, 110).
p
(b) Show that f (x, y) = d(x, y), where d denotes the Hamming distance on A3 .
9. Study the codes in Exercise 6. How many errors can each one of the codes
(a) detect?

(b) correct?

10. Find all words in each one of the Hamming spheres below.
(a) B(0000, 1)

(b) B(01001, 1)

(c) B(101, 2)

11. Study the code C = {0000, 0111, 1011, 1101} in A4 . Compute wt(C) and
d(C). Is the code linear? Justify your answer.

12. Let C An be a code. Prove the converse statements of the theorem on
page 400 in the textbook, i.e.
(a) If C can detect all s-bit errors, then d(C) s + 1.
(Hint: Show that if d(C) s, then there is a Hamming sphere B(c, s),
centered at a codeword c, that contains at least one more codeword,
besides c.)
(b) If C can correct all t-bit errors, then d(C) 2t + 1.
(Hint: Show that if d(C) 2t, then a word x An can be constructed in such a way, that the Hamming sphere B(x, t) contains
(at least) two different codewords.)
13. It is possible to prove that if a code C An contains N codewords, and
can correct r errors, then
r  
X
n
k=0

2n
.
N

(1)

This is the so-called Hamming bound of the code C. For example, the code
C = {000000, 010101, 101010, 111111} A6 (that can correct 1 error)
fulfills the Hamming bound, since
1  
X
6
k=0

   
6
6
26
= 1 + 6 = 7 16 = .
+
0
1
4

By using (1), prove the following assertions:


(a) There is no (4, 2)-code that can correct all single-bit errors.
(b) There is no (7, 3)-code that can correct all double-bit errors.
14. Determine all codewords of the linear (5, 3)-code that is generated by the
matrix

    [ 1 0 0 1 1 ]
G = [ 0 1 0 0 1 ] .
    [ 0 0 1 1 0 ]

How many errors is the code capable of detecting and correcting?
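A small code-analysis toolkit for Exercises 6, 7, 9, 13 and 14 (an added example, not part of the original exercise sheet; names are chosen here). It assumes the standard relations that a code with minimum distance d detects d - 1 errors and corrects (d - 1) // 2, and the Hamming bound in the form N * sum of C(n, k) for k = 0..r being at most 2^n.

```python
from itertools import combinations, product
from math import comb

EX14_G = ["10011", "01001", "00110"]            # rows of G in Exercise 14
EX6_A = {"0000", "0101", "1010", "1111"}        # code (a) of Exercise 6
EX6_B = {"000011", "010110", "101001", "111100"}                 # code (b)
EX6_D = {"0001", "0010", "0100", "0111",
         "1000", "1011", "1101", "1110"}                         # code (d)


def add(x, y):
    """Bitwise sum (XOR) of two binary words given as strings."""
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def weight(x):
    return x.count("1")


def distance(x, y):
    # Hamming distance equals the weight of the sum (see Exercise 3).
    return weight(add(x, y))


def generate(rows):
    """All codewords of the linear code spanned by the rows of a generating matrix."""
    code = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        word = "0" * len(rows[0])
        for c, row in zip(coeffs, rows):
            if c:
                word = add(word, row)
        code.add(word)
    return code


def min_distance(code):
    return min(distance(x, y) for x, y in combinations(sorted(code), 2))


def is_linear(code):
    """Closed under addition; this also forces the zero word (x + x) to be present."""
    return all(add(x, y) in code for x in code for y in code)


def capability(code):
    """(number of errors detected, number of errors corrected)."""
    d = min_distance(code)
    return d - 1, (d - 1) // 2


def hamming_bound_holds(n, size, r):
    """Necessary condition for a length-n code with `size` words to correct r errors."""
    return size * sum(comb(n, k) for k in range(r + 1)) <= 2 ** n


if __name__ == "__main__":
    code = generate(EX14_G)
    print(sorted(code), min_distance(code), capability(code))
    print(hamming_bound_holds(4, 4, 1), hamming_bound_holds(7, 8, 2))
```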
15. Find the parity check matrix H that corresponds to the generating matrix G in the previous exercise.
16. Let C be a linear (6, 3)-code with the parity check matrix

    [ 1 0 1 ]
    [ 0 1 1 ]
H = [ 1 1 0 ] .
    [ 1 0 0 ]
    [ 0 1 0 ]
    [ 0 0 1 ]

(a) Find all codewords in C and its minimum distance.
(b) Correct the following words (if possible): 101011, 100110, and
010100.

17. Construct a linear (5, 2)-code that can correct all single-bit errors.
Hint: Construct a suitable parity check matrix.
18. The matrix

    [ 1 0 0 1 0 1 ]
G = [ 0 1 0 0 1 0 ]
    [ 0 0 1 1 1 0 ]

generates a linear (6, 3)-code.


(a) Show, by examining the corresponding parity check matrix, that this
code is not capable of correcting all single bit errors.
(b) Find an example of a word in A6 that does not have a unique nearest
codeword, i.e. a word that cannot be corrected if it is the result of a
single bit error.
19. Study the Hamming code with the parity check matrix

    [ 0 1 1 ]
    [ 1 0 1 ]
    [ 1 1 0 ]
H = [ 1 1 1 ] .
    [ 1 0 0 ]
    [ 0 1 0 ]
    [ 0 0 1 ]

Decide whether the words below are codewords or not. Correct those
words that are not codewords to the closest codeword (with respect to the
Hamming distance).
(a) 0011001
(b) 1100001
(c) 1010011
(d) 0110010
(e) 0101010
(f) 1110111

20. Give an example of a code that is
(a) both cyclic and linear
(b) cyclic but not linear
(c) linear but not cyclic
(d) neither cyclic nor linear

21. Which of the codes in Exercise 6 are cyclic?


22. The polynomial x6 1 Z2 [x] is divisible by g(x) = x3 + 1.
(a) Find the cyclic linear (6, 3)-code that has g(x) as its generating polynomial.
(b) Does any of the polynomials x + x4 + x5 , 1 + x3 , or x2 + x4 correspond
to a codeword?
23. Given that x8 1 = (1+x)8 in Z2 [x], find a generating matrix and a parity
check matrix for a cyclic linear (8, 3)-code. Correct the word 10001100 to
the closest codeword.
24. How many linear cyclic codes are there in A4 ?
(Hint: x4 1 = (1 + x)4 in Z2 [x].)
25. Encode the words 010010, 110100 and 101110, using CRC-12.
26. Decide whether any of the two words
101000111000111101 and 011111111000110011
in A18 is a codeword of CRC-12. If it is a codeword, find the word that
has been encoded.
27. Let g(x) = 1 + x2 + x5 act as a generating polynomial for the CRC Algorithm. (In fact this polynomial is a CRC standard called USB-5.) Compute the codeword that corresponds to the word 0100 A4 .
28. As the private key of McEliece's cryptosystem, we will use the generating
matrix

    [ 1 0 0 1 1 1 ]
G = [ 0 1 0 0 1 1 ] ,
    [ 0 0 1 1 1 0 ]

together with the matrix

    [ 1 0 1 ]
S = [ 1 1 1 ] ,
    [ 0 1 1 ]

that is invertible modulo 2, and the permutation matrix

    [ 0 0 1 0 0 0 ]
    [ 0 1 0 0 0 0 ]
P = [ 0 0 0 0 0 1 ] .
    [ 1 0 0 0 0 0 ]
    [ 0 0 0 1 0 0 ]
    [ 0 0 0 0 1 0 ]

(a) What is the corresponding public key?
(b) In how many ways can a given plaintext be encrypted? We assume
that the plaintext is represented by a word in A3 .
(c) Find all possible ciphertexts of the plaintext m = 011.
(d) Using the fact that

         [ 0 1 1 ]
S^(-1) = [ 1 1 0 ]
         [ 1 1 1 ]

and

         [ 0 0 0 1 0 0 ]
         [ 0 1 0 0 0 0 ]
P^(-1) = [ 1 0 0 0 0 0 ] ,
         [ 0 0 0 0 1 0 ]
         [ 0 0 0 0 0 1 ]
         [ 0 0 1 0 0 0 ]

decrypt the ciphertext c = 011110.

Answers
Elementary number theory
1 (a) q = 2, r = 0
(b) q = 1, r = 1
(c) q = 71, r = 2
(d) q = 0, r = 5
(e) q = 6, r = 1
(f) q = 7, r = 1

2 Note how q and r behave somewhat like the trip mileage counter of a car:

a  1  2  3  4  5  6  7  8
q  0  0  1  1  1  2  2  2
r  1  2  0  1  2  0  1  2

a  9  10 11 12 13 14 15 16
q  3  3  3  4  4  4  5  5
r  0  1  2  0  1  2  0  1

3 (a) 1, 7
(b) 1, 3, 5, 15
(c) 1, 3, 9, 27
(d) 1, 2, 4, 7, 14, 28

4 (a) 3
(b) 5
(c) 1
(d) 12
(e) 124
(f) 2

5 (a), (c), (d), and (e)

6 (a) 5
(b) 2
(c) 1

7 (a) s = 11, t = 5
(b) s = 19, t = 21
(c) s = 21, t = 13

8 No. Why?
9 It is either 1 or 2, depending on whether a is odd or even.
10 (a) 2
(b) 1
(c) 0
(d) 66
(e) 1
(f) 36

11 (a), (b), (e), and (f)

12 (a) 5
(b) 2, 3, 4, 6, 8, 12, and 24
(c) 5, 23, and 115

13 Yes, m = 1
15 Addition table:

+ | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0
2 | 2 3 4 5 6 7 0 1
3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4
6 | 6 7 0 1 2 3 4 5
7 | 7 0 1 2 3 4 5 6

Multiplication table:

  | 0 1 2 3 4 5 6 7
--+----------------
0 | 0 0 0 0 0 0 0 0
1 | 0 1 2 3 4 5 6 7
2 | 0 2 4 6 0 2 4 6
3 | 0 3 6 1 4 7 2 5
4 | 0 4 0 4 0 4 0 4
5 | 0 5 2 7 4 1 6 3
6 | 0 6 4 2 0 6 4 2
7 | 0 7 6 5 4 3 2 1

16 If n is odd, you obtain 0; if n is even, you obtain n/2.

17 (a) 1, 3, 5, and 7
(b) 1, 2, 4, 5, 7, and 8
(c) 1, 3, 7, and 9
(d) all elements but 0

18 0, 1, 4, 5, 6, or 9
19 (a) 2
(b) no inverse
(c) 23
(d) 9
(e) no inverse
(f) 39

20 ab has a multiplicative inverse modulo n, but it could happen that a + b
has not.
21 (a) x 6 (mod 8)
(b) no solutions
(c) x 4 (mod 10), x 9 (mod 10)
(d) no solutions
(e) x 7 (mod 11)
(f) x 7 (mod 18), x 16 (mod 18)

22 (a) x 5 (mod 7)
(b) x 1 (mod 11)
(c) x 1 (mod 12), x 5 (mod 12), x 9 (mod 12)
(d) x 168 (mod 969), x 491 (mod 969), x 814 (mod 969)
23 a = 0, 10, 20, 30, 40, 50, 60; there are 10 solutions in each case.

Classical ciphers
1 (a) hqfubsw
2 (a) uqzx

(b) julius
(b) zvec

(c) dzig

3 (a) uryyb
4 No. Why?
5 (a) A known plaintext attack yields the key k = 5
(b) A ciphertext only attack yields the key k = 11
6 D(x) = x + 19 mod 26, since this will map l, the most common letter in
the ciphertext, onto e, the most common letter in the English alphabet.
7 D(x) = x + 9 yields the plaintext goodguess.
8 oxygen
9 (a), (c), (d), and (f)
10 (a) 335
(b) 311
(c) 811
(if you do not take the affine mapping E(x) = x into consideration)
11 crish; D(x) = 9x + 3
12 All b ∈ Z26
13 boffgb
14 (a) Yes

(b) No

(c) Yes

15 E(x) = 19x + 19
16 coffeebreak
17 E3 (x) = 3x (mod 26)
18 what is the meaning of life
19 (a) gmlxip

(b) lunch

20 attack
21 (a) V1 (vigenere) = aqxwgjzv, V2 (vigenere) = nmisahji
(b) 30
22 The keyword is lsfmrg for both V and W .
23 (a) guywfoqr, jeqhgirs, and wunpoigurs, respectively
(b) secretmessage





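24 (a) $\begin{pmatrix} 7 & 9 \\ 7 & 1 \end{pmatrix}$   (b) $\begin{pmatrix} 1 & 8 \\ 4 & 5 \end{pmatrix}$   (c) $\begin{pmatrix} 9 & 8 \\ 9 & 0 \end{pmatrix}$

25 (a) Yes   (b) No   (c) No   (d) Yes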

26 (a) No inverse

27 (a)

16
17

6
16



11 1
(b)
10 9


11 16
(b)
10 4

(c) No inverse

(c) No inverse

28 Out of 16 binary 2 × 2 matrices, 6 have an inverse modulo 2.


29 (a) and (b)
30 xdkybh (if x is the junk letter)
31 foot
32 (b) Different plaintexts might yield the same ciphertext


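33 $\begin{pmatrix} 2 & 5 \\ 3 & 2 \end{pmatrix}$

34 (a) Either $\begin{pmatrix} 3 & 2 \\ 2 & 3 \end{pmatrix}$ or $\begin{pmatrix} 3 & 2 \\ 15 & 3 \end{pmatrix}$   (b) Yes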
35


8
1

17
11

36 (a) x ∈ {1, 3, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25}
(b) Depending on how x is chosen, the following ciphertexts are obtained:
x ciphertext
1 bfzrygrz
3 brzzygrj
7 bpzpygrd
9 bbzxygrn
11 bnzfygrx
13 bzznygrh
15 blzvygrr
17 bxzdygrb
19 bjzlygrl
21 bvztygrv
23 bhzbygrf
25 btzjygrp

DES and AES


1 (a) 1111

(b) 0110

(c) 1011

(d) 1100

2 L1 = 111 . . . 1 (32 bits), R1 = 00100111001001110010010001000011


3 Find DES-keys K1 and K2 such that DK1 (c) = EK2 (EK2 (m)).
4 Compute K1 DK2 (K3 c), where DK2 signifies DES decryption. This
will be m. Why?


5 (a) q(x) = x^2 + 1 and r(x) = 0
(b) q(x) = x^3 + x + 1 and r(x) = x + 1
(c) q(x) = x^5 and r(x) = 1
6 (a) 01111001
(b) 01101010
(c) 00000001
(d) 10011011

7 $$M1 = \begin{pmatrix}
00000011 & 00000011 & 00000001 & 00000001 \\
00000001 & 00000011 & 00000011 & 00000001 \\
00000001 & 00000001 & 00000011 & 00000011 \\
00000011 & 00000001 & 00000001 & 00000011
\end{pmatrix}$$
8 (c) and (d) are irreducible

RSA
1 (a) 1415   (b) 250519   (c) 805121215   (d) 7151504022505

2 (a) (20501, 201205, 192424)


(b) (181512, 120914, 71920, 151405, 192424)
(c) (51222, 91916, 180519, 120525)
3 (a) maths

(b) hill

(c) message

(d) exercise

4 (a) 2

(b) 3

(c) 1

(d) 36

5 (a) 4

(b) 16

(c) 6

(d) 10

(e) 20

6 (a) p(p − 1)

(b) p^(k−1)(p − 1)

(c) 162

(d) 4000

7 (a) 58   (b) 20   (c) 128   (d) 1160

8 n (n)

9 (a) 8   (b) 19   (c) 9   (d) 19

10 15 and 1, respectively
11 The ciphertext is represented by c1 = 53, c2 = 47, and c3 = 68.
12 doh
13 (a) n = 15, e = 3
(b) n = 221, e = 11
(c) n = 253, e = 139
(d) n = 1 271, e = 667

14 (a) p = 5, q = 11, d = 27
(b) p = 11, q = 13, d = 37
(c) p = 2, q = 13, d = 7
(d) p = 5, q = 19, d = 41

15 (a) The public key is (527, 7) and the private key is (17, 31, 343)
(b) 219, 129, 304
16 Neither e = 32 nor e = 261 is relatively prime to (p − 1)(q − 1), so the
public key must be (n, e) = (4307, 53), while (p, q, d) = (59, 73, 2285) is
the corresponding private key.
17 m = 60
18 No
19 (a) 11 23   (b) 13 31   (c) 5 37   (d) 41 43

20 (p, q, d) = (19, 31, 47)

22 (a) 11 19   (b) 7 23   (c) 43 47   (d) 107 109

Discrete Logarithms and ElGamal's Cryptosystem


1 (a) 2 and 3

(b) 2, 6, 7, and 8

2 2, 6, and 11
3 (a) 4   (b) 6   (c) 10   (d) 40   (e) 40   (f) (p 1)

4 (a) 3, 5, 6, 7, 10, 11, 12, and 14


(b) 2, 3, 10, 13, 14, and 15
5 (a) 3

(b) 4

(c) 7

(d) 9

6 14
7 (a) 19

(b) 9

(c) 24

(d) 2

(e) 3

8 a=4
9 (a) (p, , ) = (17, 3, 10); a = 3
(b) (13, 1)

(c) 2

10 Several answers are possible, depending on the value of the randomly
chosen number k in the encryption algorithm.
11 Depending on the choice of k, the letters o and k will be encrypted as

k = 2: (48, 45)   k = 3: (47, 36)   k = 4: (3, 17)

and

k = 2: (48, 33)   k = 3: (47, 50)   k = 4: (3, 40)

respectively.
12 m = 3
13 m2 = 7
14 end
15 bob

16 Alice sends x ≡ 15 (mod 47) to Bob, and he sends b ≡ 11 (mod 47) to
Alice. Their key will be k ≡ 15^7 ≡ 11^21 ≡ 40 (mod 47).
17 = 10

Coding Theory
1 (a) 3

(b) 4

(c) 7

(d) 5

2 (a) 3

(b) 4

(c) 7

(d) 5

3 For all binary words x, y ∈ A^n we have d(x, y) = wt(x + y).


6 (a) Minimum distance: 2; minimal Hamming weight: 2
(b) Minimum distance: 3; minimal Hamming weight: 2
(c) Minimum distance: 4; minimal Hamming weight: 4
(d) Minimum distance: 2; minimal Hamming weight: 1
(e) Minimum distance: 2; minimal Hamming weight: 3

7 (a) and (c)


8 (a) f (010, 111) =

2, f (001, 110) =

3.

9 (a) Code (a), (d), and (e) can detect all single-bit errors, code (b) can
detect all double-bit errors, and code (c) can detect all triple-bit
errors.
(b) Code (b) and (c) can correct all single-bit errors, while there could
be single-bit errors that neither code (a), (d), nor (e) can correct.
10 (a) 0000, 1000, 0100, 0010, and 0001
(b) 01001, 11001, 00001, 01101, 01011, and 01000
(c) 101, 001, 111, 100, 110, 000, and 011
11 wt(C) = 3, d(C) = 2; the code is not linear.
14 00000, 00110, 01001, 01111, 10011, 10101, 11010, and 11100; the code
can detect all single bit errors but not correct them all.

15 $$H = \begin{pmatrix}
1 & 1 \\
0 & 1 \\
1 & 0 \\
1 & 0 \\
0 & 1
\end{pmatrix}$$
(Note that the rows of H are not all different.)
16 (a) Codewords: 000000, 001110, 010011, 011101, 100101, 101011,
110110, and 111000. Minimum distance: 3
(b) 101011 is a codeword; 100110 can be corrected to 110110; 010100
cannot be corrected.



0
1

17 Example of a parity check matrix: H =


1
0
0

1
1

0
1

1
0
0
1
0

18 (b) 010000 (for example)


19 (a) Codeword
(b) Not codeword; is corrected to 1101001
(c) Not codeword; is corrected to 1000011
(d) Not codeword; is corrected to 0110011
(e) Codeword
(f) Not codeword; is corrected to 1111111

20 (a) {000, 011, 101, 110}
(b) {001, 010, 100, 111}
(c) {0000, 0110, 1011, 1101}
(d) {01, 11}

21 All but (b)


22 (a) {000000, 001001, 010010, 011011, 100100, 101101, 110110, 111111}
(b) Yes; 1 + x^3 corresponds to the codeword 100100
23 Generating matrix:

$$G = \begin{pmatrix}
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 & 1
\end{pmatrix}$$

Parity check matrix:

1
1

1
H=
0

0
0

0
1
1
1
1
0
0
0

0
0
1
1
1
1
0
0

0
0
0
1
1
1
1
0

0
0

1
1

10001100 is corrected to 11001100.


24 Five (of which two are extreme cases; all of A^4 is in itself a cyclic linear
code, as well as the code consisting of the zero word 0000 alone).
25 001011010000010010, 110100100001110100, and 010010110000101110,
respectively
26 101000111000111101 is not a codeword, but 011111111000110011 is, and
the encoded word is 110011.
27 010100100

28 (a) $$G1 = \begin{pmatrix}
0 & 0 & 1 & 0 & 1 & 1 \\
0 & 1 & 1 & 1 & 0 & 1 \\
1 & 1 & 0 & 0 & 1 & 1
\end{pmatrix}$$
(b) 6
(c) 101111, 101100, 101010, 100110, 111110, or 001110
(d) m = 110
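Answer 28 can be checked mechanically. The following Python sketch is an added example, not part of the original exercise sheet: it takes S^-1 and P^-1 from part (d) of the exercise and the public key G1 from answer (a), and assumes G1 = S·G·P, so that the private generator matrix G is derived as S^-1·G1·P^-1 rather than copied. It also assumes exactly one error bit per encryption, in line with answer (b); all function names are chosen here.

```python
from itertools import product

# Values read from the exercise and its answer; arithmetic is over GF(2).
S_INV = [[0, 1, 1], [1, 1, 0], [1, 1, 1]]            # S^-1, part (d)
P_INV = [[0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 0, 0],
         [1, 0, 0, 0, 0, 0], [0, 0, 0, 0, 1, 0],
         [0, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0]]     # P^-1, part (d)
G_PUB = [[0, 0, 1, 0, 1, 1], [0, 1, 1, 1, 0, 1],
         [1, 1, 0, 0, 1, 1]]                         # public key, answer (a)

def matmul(a, b):
    """Matrix product modulo 2."""
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in zip(*b)]
            for row in a]

def bits(word):
    return [int(ch) for ch in word]

def text(vec):
    return "".join(str(b) for b in vec)

# Assumption: the public key is S*G*P, so the private generator matrix is
# recovered as G = S^-1 * G_PUB * P^-1 instead of being copied from the page.
G = matmul(matmul(S_INV, G_PUB), P_INV)

def encryptions(m):
    """Every ciphertext m*G_PUB + e with an error word e of weight 1."""
    base = matmul([bits(m)], G_PUB)[0]
    return {text(base[:i] + [base[i] ^ 1] + base[i + 1:])
            for i in range(len(base))}

def decrypt(c):
    """Undo P, correct at most one bit error in the code of G, undo S."""
    y = matmul([bits(c)], P_INV)[0]
    def distance(u):
        codeword = matmul([list(u)], G)[0]
        return sum(a != b for a, b in zip(codeword, y))
    u = min(product((0, 1), repeat=len(G)), key=distance)
    if distance(u) > 1:
        raise ValueError("more than one bit error: cannot decode")
    return text(matmul([list(u)], S_INV)[0])

if __name__ == "__main__":
    print("G =", [text(row) for row in G])
    print("ciphertexts of 011:", sorted(encryptions("011")))
    print("D(011110) =", decrypt("011110"))
```

The derived G comes out in systematic form with minimum distance 3, which is why a single flipped bit can always be corrected before S^-1 is applied.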
