
Hochschule Bremen

Department of Computer Science

Mathematical Puzzles
Prof. Dr. Th. Risse

An amusing,
brisk and cool,
enriching and entertaining,
informative and oriented towards practical applications,
playful,
relevant and rewarding,
stimulating,
thought-provoking

little contribution to the (general) mathematical education!


© 2002-2014

Last Revision Date: August 8, 2014

risse(at)hs-bremen.de
Version 0.5

Table of Contents
0. Introduction
1. Riddles [7]
   Measuring with Two Jugs; Races; Census and its Boycott; Zig-Zag between Trains; Outward and Return Journey; Magic Squares; Conspicuous Text; No Talk about Money; Corrupt Postal System; Equal Opportunities; Two and More Eyes
2. More Riddles [11]
   Matches; Decanting; Analytical Riddles I; Analytical Riddles II; Analytical Riddles III; Analytical Riddles IV; Analytical Riddles V; Crossing a Bridge; Synthetic Riddles I; Synthetic Riddles II; Synthetic Riddles III; Synthetic Riddles IV; Dialectic Riddle; Riddles, 588; Riddles, 622; Labyrinth, 652; Riddles, 680; Riddles, 708; Riddles, 734; Riddles, 750; Riddles, 772
3. Prime Numbers
   Fermat-Numbers; Euler-Numbers; Mersenne-Numbers
4. Computations with Remainders
   Crucial is What is Left Over; Computing With Remainders; Adroit Computing With Remainders; Euclid & little Fermat; Fermat, Euler and More; Chinese Stuff; Galois Fields GF(p); Galois Fields GF(p^n)
5. Cryptography
   Caesar and Cohorts; Caesar in General; Vigenère and Accomplices; Permutations; DES; Public Keys?; RSA; AES; Elliptic Curves over R; Elliptic Curves over GF(p); Elliptic Curves over GF(2^m); Elliptic Curve Cryptography, ECC
6. Compression
   Exploiting Relative Frequencies; Using Dictionaries
7. Probability & Intuition
   Cards & Goats; Algorithms to Generate Chance?; What is Randomness?
8. Sources and Links
Solutions to Problems

0. Introduction
To begin with, you'll find some mathematical riddles. But there is
more serious stuff: this document provides several algorithms to try out
in order to explore procedures of cryptography, coding, probability,
etc.
There are other documents that are interactive in this sense, e.g.
www.weblearn.hs-bremen.de/risse/MAI/docs/numerics.pdf or
www.weblearn.hs-bremen.de/risse/MAI/docs/heath.pdf (German)
The functionality of pdf-documents provides
- convenient selection of problem areas of interest or of single problems and, uniquely, execution of algorithms,
- easy navigation between problem and solution and vice versa,
- simple visit of the numerous links to information on our webDAV
  server or in the WWW.

1. Riddles [7]

Measuring with Two Jugs


Problem 1. There are two jugs at hand with capacities of p and
q liters and any amount of water.
What quantities m of water can be measured out?
(a) p = 5, q = 3, m = 4
(b) p = 5, q = 3, m = 1
(c) p = 4, q = 9, m = 1, 2, ..., 13
(d) p = 6, q = 3, m = 4

Races
Problem 2.
(a) Climbing a 3000m mountain top, Sisyphos makes 300m a day, only
to lose 200m again each night.
When does Sisyphos reach the top?
(b) At a 100m race the first runner A beats the second B by 10m,
and the second B beats the third C by 10m.
How many meters is the first runner A ahead of the third C when
crossing the finishing line?

Census and its Boycott


Problem 3.
(a) At a census there is the following dialog:
Field helper: Number of children?
Citizen: Three!
Field helper: Age of your children in whole numbers?
Citizen: The product of the years is 36.
Field helper: This is not a sufficient answer!
Citizen: The sum of the ages equals the number of the house of our next neighbour.
(Field helper acquires the number.)
Field helper: That is still not a sufficient answer!
Citizen: Our eldest child plays the piano.
How old are the three children?

Zig-Zag between Trains


Problem 4.
(a) Two trains start on the same line 100km apart to drive at 50km/h
towards each other. A fly flies from one to the other at 75km/h.
How many kilometres has the fly travelled up to its unavoidable
fate?

Outward and Return Journey


Problem 5.
(a) In A somebody gets up at sunrise and walks with many rests to
B where he arrives at sunset.
The next day he walks back on the same route, again pausing a
bit here and there.
There is a point on the route that the roamer reaches at the same time of day
on both the outward and the return journey.

Magic Squares
Problem 6.
(a) Magic squares are natural numbers arranged in a square grid, i.e.
a square matrix, such that the sums of all numbers in each row,
in each column, and in each diagonal are all the same!
$$\begin{pmatrix} a & b & c \\ d & e & f \\ g & h & i \end{pmatrix} \quad\text{with}\quad a + b + c = s, \ \ldots \qquad a + d + g = s, \ \ldots \qquad a + e + i = s, \ \ldots$$
Taking symmetry into consideration, there is exactly one magic
square consisting of the natural numbers 1, 2, ..., 9 arranged in
a $3 \times 3$-matrix.

Conspicuous Text
Problem 7.
(a) Study this paragraph and all things in it. What is virtually wrong
with it? Actually, nothing in it is wrong, but you must admit
that it is most unusual. Don't zip through it quickly, but study
it scrupulously. With luck you should spot what is so particular
about it. Can you say what it is? Tax your brains and try again.
Don't miss a word or a symbol. It isn't all that difficult.

No Talk about Money


Problem 8.
(a) The boss in an office wants to find out the average salary of his
employees without getting to know individual salaries and thus
breaking privacy. How does he proceed?

Corrupt Postal System


Problem 9.
(a) In a corrupt postal system each letter is opened and the content
stolen independently of its value. Only securely closed strong
boxes are delivered reliably (because it takes too much hassle to
open them).
How can Bob send a valuable item to Alice in some strong box
which can be locked with several locks when they both can communicate about the transfer?

Equal Opportunities
Problem 10.
(a) Alice and Bob live in different cities and decide to go to see each
other in turns. They want to find out who starts to drive to the
other by tossing a coin.
How do they find out if they live in different cities?


Two and More Eyes


Problem 11. It is called the Two Eyes Principle if two persons each
with a separate key are necessary to open a treasure box, or if two
passwords are necessary to open a file.
Each person opens her/his lock of the treasure box by her/his own
key or adds her/his part of the password to complete the password.
(a) Alice, Bob and Claire own a treasure box with several locks. They
want to make sure that only at least two persons together can get
at the content of the treasure box.
How many locks and how many keys to each lock do they need?
(b) Now, Alice, Bob, Claire and Denis want to be sure that only at
least two persons together can open the treasure box.
Minimally how many locks and minimally how many keys to each
lock do they need?
(c) Only at least m persons together out of a total of n persons are
meant to be able to open the treasure box.
How many locks, how many keys do they need?


2. More Riddles [11]

Matches
Problem 12. Move a given number of matches in order to generate
a given number of equally sized squares.
(a) [figure] Move four matches in order to generate three equally sized squares.
(b) [figure] Move two matches in order to generate four equally sized squares.
(c) [figure] Move three matches in order to generate three equally sized squares.
(d) [figure] Move three matches in order to generate five equally sized squares.

Decanting
Problem 13.
(a) How can one get 6 litres of water from a river if there are only a four
litre and a nine litre bucket available?
(b) How can one get exactly 1 litre from a container if there are only
a 3-litre and a 5-litre container available?
(c) An 8-litre canister is filled with wine. How to decant 4 litres if there
are only a 3-litre and a 5-litre jug available?
(d) A barrel contains 18 litres of wine. There is a 2-litre can, a 5-litre
jug and an 8-litre bucket. How to distribute the wine such that the
barrel contains half of it, the bucket a third, the jug a sixth?

Analytical Riddles I
Problem 14.
(a) Let the sum of the ages of a family of four, father, mother, and
two children, be 124. The parents together are three times as
old as the children. The mother is more than twice as old as the
oldest child. Age of father minus age of mother is nine times the
difference age of the oldest minus age of the youngest child. How
old is each member of the family?
(b) Emil is 24 years old. Hence, he is twice as old as Anton has been
when Emil was as old as Anton is now. How old is Anton?
(c) In a supermarket one gets a deduction of 20%, but has to pay 15%
turnover tax. What is best, first to deduct the discount or first to
pay the tax?
(d) [figure: L-shaped area, labeled 2 and 1] The L-shaped area is to be divided into four congruent subareas.
(e) If Fritz were 5 years younger, then he would be twice as old as Paul was
when he was 6 years younger. If Fritz were 9 years older, then
he would be thrice as old as Paul was when Paul was 4 years younger. How
old are Fritz and Paul?

Analytical Riddles II
Problem 15.
(a) [figure: triangle with edge labels 27, 11, 18] The vertices of the triangle are labeled with unknown integers. The edges are labeled with the
sum of the labels of the incident vertices. What
are the vertex labels?
(b) Hans is 34 years, his wife is 30 and his daughter 7 years old. How
many years ago were wife and daughter together as old as Hans?
(c) Three geese together weigh 10kg. The second goose is by a third
heavier than the first one. The third goose is by a fourth lighter
than the second one. What are the weights of the geese?
(d) Are there four positive integers summing up to 79 with
The second is by one smaller than double the first.
The third is by one smaller than double the second.
The fourth is by one smaller than double the third.
(e) Loaded with sacks, a mule and a donkey trudge somewhere. When
the donkey groaned under the load the mule said: "What are you
complaining about? I'd have to carry double your load if you'd give me
a sack. And we would both carry the same number of sacks if you'd
take one of my sacks." How many sacks did the donkey and how
many did the mule carry?

Analytical Riddles III


Problem 16.
(a) What is the radius of a circle with the same number of inches
circumference as the number of square inches area?
(b) A train passes the station master in 7sec. The platform is 330m
long. It takes 18sec from the beginning of the platform and the
locomotive to the end of the platform and the last railway car.
How long is the train and how fast is it going?
(c) A worker produces parts with a rate of 10 parts a day for the first
half of the lot and a rate of 30 parts a day for the second half.
How many parts per day did the worker produce on average?
(d) Are all palindromic numbers with four decimal digits divisible
by 11?
(e) As I was going to St. Ives / I met a man with seven wives. / Each
wife had seven sacks, / Each sack had seven cats, / Each cat had
seven kids, / Kids, cats, sacks, wives, / How many were going to
St. Ives?
(f) By which fraction does four fourths exceed three fourths?

Analytical Riddles IV
Problem 17.
(a) If 5 cats catch 5 mice in 5 minutes how many cats catch 100 mice
in 100 minutes?
(b) How to multiply
(c) One and a half hens lay one and a half egg in one and a half day.
How many eggs do seven hens lay in six days?
(d) There are four types of balls: A, B, C, and D. Balls of the same
type have the same weight. It is known that
two balls of type B are as heavy as one ball of type A,
three balls of type C are as heavy as one ball of type B,
two balls of type D are as heavy as one ball of type C.
How many balls of type D are as heavy as one ball of type A?
(e) A family consisted of father, mother, two sons and two daughters.
The product of the integer ages of all female family members is
5291, that of the integer ages of all male family members is
3913. Two children of the family are twins. These twins, do they
have the same or different sex?

Analytical Riddles V
Problem 18.
(a) With constant speed a train crosses a 255 m long bridge in 27 sec,
from the of the locomotive to the bridge until the of the last
railway car from the bridge. The train passes a pedestrian walking
in the opposite direction of the train in 9 sec during which time
the pedestrian moves 9 m. How long is the train and how fast is
it?
(b) $x^2 - x^2 = x^2 - x^2 \Rightarrow (x + x)(x - x) = x(x - x) \Rightarrow x + x = x \Rightarrow 2x = x \Rightarrow 2 = 1$. Where is the mistake?
(c) All divisions are integer divisions. If one increases the dividend
by 65 and the divisor by 5 then neither quotient nor remainder changes.
What is this quotient?
(d) Is it possible to find five positive integers in succession such that
the sum of the squares of the two biggest equals the sum of the
squares of the three remaining numbers?
(e) A bottle of wine costs 9 Euro. The wine costs 8 Euros more than
the bottle. How expensive is the bottle?
(f) A farmer grows wheat on one third of his land, peas on one fourth,
beans on one fifth and corn on the remaining 26 ha. How big is
his land?
(g) Heini and Carl rest. One unpacks five sausages, the other three
sausages. Egon comes along and wants to join in the meal: "I am
willing to pay!" Heini and Carl agree. Afterwards Egon pays 8
Euros to Heini and Carl. How do Heini and Carl have to share this
money?
(h) A farmer has 17 cows. In his will he bequeaths half of the cows to
his oldest son, one third to his middle son and one ninth to his
youngest son. No cow is to be slaughtered. How can a neighbour
help the sons to share the cows?

Crossing a Bridge
Problem 19.
(a) Four persons have to cross a suspension bridge at night. To do so
one needs a torch. There is only one torch available with maximal
burn time of one hour. There must not be more than two persons
on the bridge at the same time. The four persons take different
times to cross the bridge: A: 5 min, B: 10 min, C: 20 min, D:
25 min. The slower person sets the speed. In which order do the
four persons have to cross the bridge so that all four reach the
other side within one hour?

Synthetic Riddles I
Problem 20.

(a) [figure] The equilateral triangle can be partitioned into
three congruent subtriangles.
The L-shaped figure can be partitioned into four
congruent (L-shaped) subfigures.
Can a square also be partitioned into five congruent subfigures?
(b) [figure] The coins are to be moved so that two straight
rows with four coins each are produced.
(c) [figure] The nine dots are to be connected in one continuous stroke by
four straight lines.
(d) Each of the 30 vassals has to pay 30 gold coins to the king. One
of them is known to pay with 9g coins instead of the obligatory
10g coins. How can the king with a single weighing identify the
fraudster?

Synthetic Riddles II
Problem 21.
(a) Three farmers together order a plough for 30 taler. Each farmer
pays 10 taler. Delivering the plough, the blacksmith thinks it too
expensive, 25 taler would have been enough. So he sends the apprentice to
return 5 taler. The apprentice cannot cut 5 taler into thirds. So
he returns one taler to each farmer and keeps 2 taler. Summing
up, the farmers paid 9 taler each, the apprentice kept 2 taler,
which amounts to 29 taler. Where is the thirtieth taler?
(b) With six matches construct four equilateral triangles.
(c) Plant ten trees such that these trees form five straight lines of four
trees each.
(d) A square beer tray accommodates 36 bottles. Is it possible to
store 14 bottles such that the number of bottles in each row and
column is even?

Synthetic Riddles III


Problem 22.
(a) Expand $(x - a)(x - b) \cdots (x - z)$.
(b) A very heavy armchair is to be moved. But it can only be turned
around its corners by exactly 90°. Is it possible that the armchair eventually will sit in a position directly adjacent to the start
position so that the back rest is again behind?
(c) Two opposite corner squares are removed from a chess board. Is it possible to cover the modified chess board with
domino pieces if a domino piece covers exactly two chess squares?
(d) In order to square a two decimal digit number z5 with least significant digit 5 one multiplies z and z + 1 and writes 25 after the result,
e.g. $75^2 = (7 \cdot 8) \cdot 100 + 25 = 5625$. Does the trick always
work?

Synthetic Riddles IV
Problem 23.
(a) A cuboid is to be sawn up into 27 congruent little cuboids. This is
possible with six cuts. Is it also possible with fewer cuts?
(b) [figure: houses of cards with 1 floor, 2 floors, 3 floors] Build a house of cards as indicated. How many
cards do you need?
(c) Find with three weighings on a beam balance without separate
weights whether one of the 12 golden doubloons is fake and as such
lighter or heavier than a true doubloon.
(d) Is there a sequence of numbers such that every decimal digit 0 to
9 occurs exactly once in them and they sum up to 100?

Dialectic Riddle
Problem 24.
(a) Three captives are released if they solve the following task: they
are blindfolded and positioned in an equilateral triangle looking
to its center of gravity. Behind each of them is set up one of
five flags, three white and two black ones. The two leftover flags
are discarded. Then the blindfolds are removed and each captive
tries to determine the color of the flag behind. After quite a while
of intense consideration they nearly at the same time name the
correct color of the flag behind them. How is that?


Riddles, 588
Problem 25.
(a) 81 persons take part in a cross country run, twice as many men
as women. The number of children and twens is half the number
of adults. Twice as many twens as children take part. How many
men, women, twens, and children take part?
(b) FFFEEE symbolizes a row of six glasses, three full and three empty
ones.
Touch/move only one glass (full or empty) to get a row of glasses
in which every second one is full and every second one is empty.
(c) [figure: matchstick equation] Move only one match to get a correct equation.
(d) Engine driver, stoker and conductor of a train are Mr. J., M., and
B. On the train there are travellers Dr. J., Dr. M., and Dr. B.
1. Dr. B. lives in Charlottenburg.
2. Dr. J. earns 5000 Euro a month.
3. The conductor lives half way between Charlottenburg and Nürnberg.
4. His neighbour, one of the passengers, earns exactly thrice as much as he
earns.
5. The namesake of the conductor lives in Nürnberg.
6. M. beats the stoker in chess.
What is the name of the engine driver?
(e) Robert collects lizards, beetles, and worms. He has got more
worms than lizards and beetles together. In total he has got 12
specimens with 26 little legs. How many lizards has Robert?
(f) Three men each have two jobs. The chauffeur insulted the musician. Musician and gardener together go fishing. The painter is
borrowing from the merchant. The chauffeur flirts with the sister
of the painter. Claus owes the gardener 20 Euro. Joe beats Claus
and the painter when playing chess. One of them is a barber. No
two of them have the same job. Who has which jobs?
(g) Five women are sitting around a round table. Mrs. Owald sits
between Mrs. Lutz and Mrs. Martin. Erika sits between Katy and
Mrs. Neidlinger. Mrs. Lutz sits between Erika and Alice. Katy
and Doris are sisters. Bettina's neighbour to the left is Mrs. Pieper,
and to the right it is Mrs. Martin. Who with which first and which
last name is sitting where?

Riddles, 622
Problem 26.
(a) Are there 204 squares on a standard chess board?
(b) Drawing any number of lines through some square partitions the
square into disjoint regions. How many colors are needed at least
to color these regions such that no two adjacent regions have the
same color?
(c) Mrs. A., E., I., O. and U. work in a star-shaped office with a
central main office and offices in the north, west, south and east.
The wing offices are connected by the main office. Before A. and
I exchanged work places, my office was north of O.'s who worked
east of U. who worked west of E. At that time A. worked east of I.
In addition A. had to make a right turn in the central office when she
went to see E., whereas I had to walk straight through the central
office when I went to see A. Who works where? And who is "me"?

Labyrinth, 652
Problem 27.
(a) Find the intersection-free path through the labyrinth back to the
starting point.

Riddles, 680
Problem 28.
(a) How can one measure 15min using a 7-min and an 11-min sandglass?

Riddles, 708
Problem 29.
(a) Mr. Punctual sets his clock on Saturday noon by the radio. On
Sunday noon he notices that his clock is six minutes late. What
is the time on his clock on Monday at 8h?
(b) At a bakery a woman buys half of all breads and half a loaf. Then,
a second woman buys half of all remaining breads and half a loaf.
After that, a third woman buys half of all remaining breads and
half a loaf. Now, all breads are sold. How many breads did the
baker sell?
(c) An automatic stamp tool prints consecutive numbers starting with
0, one number per second. How often does it print the digit 1 in
the first quarter of an hour?

Riddles, 734
Problem 30.
(a) If campaigners group themselves in rows of two, three, up to ten,
then in each case there is one campaigner too few. How many
campaigners are there, if there are fewer than 5000 campaigners?
(b) "My sister, you have as many brothers as sisters!"
"My brother, you have twice as many sisters as brothers!"
What is the number of children in this family?
(c) The difference of the ages of two sisters is four. The difference
of the cube of the age of the first and the cube of the age of the
second is 988. How old is each sister?

Riddles, 750
Problem 31.
(a) On a farm there are equally many cows, pigs, horses and rabbits.
There is a plague and all complain:
Father: every fifth cow died. Mother: there are as many dead
horses as surviving pigs. Son: the new percentage of rabbits (out
of the survivors) is 5/14. Grandma: death has hit each kind of
animal.
Prove that grandma is wrong.

Riddles, 772
Problem 32.

(a) A bottle of wine costs 9 Euro. The wine costs 8 Euro more than
the bottle. What is the price of the bottle only?
(b) A father bequeaths his three sons 30 wine barrels, ten of which
are full, ten half empty and ten empty. How to divide barrels and
wine so that each son gets the same number of barrels and the
same amount of wine?

3. Prime Numbers
Prime numbers play a decisive role in all modern cryptographic algorithms. On top of that, prime numbers have challenged not only mathematicians for millennia, and (futile) attempts to generate prime numbers algorithmically date back centuries.

Fermat-Numbers
Problem 33. Fermat¹ numbers are specified by
$$F(n) = 2^{2^n} + 1$$
(a) Fermat himself mistakenly believed that he could enumerate (all?) prime
numbers in this way.

¹ Pierre Fermat (1601-1665), www-history.mcs.st-and.ac.uk/history/Biographies/Fermat.html

Euler-Numbers
Problem 34. Euler² numbers are defined by
$$E(n) = n^2 - n + 41$$
(a) Only the first 40 Euler-numbers are prime.

² Leonhard Euler (1707-1783), www-history.mcs.st-and.ac.uk/Biographies/Euler.html

Mersenne-Numbers
Problem 35. Mersenne³ numbers are defined by
$$M(n) = 2^n - 1$$
(a) Only some Mersenne numbers are prime. But,
$$n \text{ not prime} \;\Rightarrow\; M(n) \text{ not prime}$$
Unfortunately, M(n) is not necessarily prime if n is prime, as
already a small ($< 2^{12}$) Mersenne number with four digits shows.

³ Marin Mersenne (1588-1648), www-history.mcs.st-and.ac.uk/Biographies/Mersenne.html

4. Computations with Remainders

Crucial is What is Left Over


Modulo arithmetic, i.e. computation with remainders, is essential
(not only) in cryptography.
$$n \bmod m = r \iff n = v \cdot m + r \quad\text{for } n, v \in \mathbb{Z},\ m, r \in \mathbb{N} \text{ and } 0 \le r < m$$
Problem 36.
(a) Which day of the week do we have in n days?
(b) Which day of the week did we have n days ago?
(c) How is the UNIX-date computed, if an internal counter counts the
seconds since 1.1.1970 0h ?

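Computing With Remainders

$$n \equiv r \pmod{m} \iff m \mid (n - r) \iff m \mid n - r$$
$$n \equiv r \pmod{m} \iff n - r = v \cdot m \quad\text{for } m, r, v \in \mathbb{N} \text{ and } 0 \le r < m$$
Problem 37.
(a) Connection of $n \bmod m = r$ and $n \equiv r \pmod{m}$
(b) additivity, multiplicativity:
$$n_1 \equiv r_1 \pmod{m},\ n_2 \equiv r_2 \pmod{m} \;\Rightarrow\; \begin{cases} (n_1 + n_2) \equiv (r_1 + r_2) \pmod{m} \\ (n_1 \cdot n_2) \equiv (r_1 \cdot r_2) \pmod{m} \end{cases}$$
(c) scalar multiples, powers
$$n \equiv r \pmod{m} \;\Rightarrow\; \begin{cases} c \cdot n \equiv c \cdot r \pmod{m} & \text{for each } c \in \mathbb{N} \\ n^p \equiv r^p \pmod{m} & \text{for each } p \in \mathbb{N} \end{cases}$$
(d) transitivity
$$r \equiv s \pmod{m},\ s \equiv t \pmod{m} \;\Rightarrow\; r \equiv t \pmod{m}$$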


Adroit Computing With Remainders


Let $s(n) = \sum_{i \ge 0} z_i$ denote the cross sum of $n = \sum_{i \ge 0} z_i 10^i$.

Problem 38. Better to test divisibility than to divide!
(a) $3 \mid s(n) \iff 3 \mid n$ as well as $9 \mid s(n) \iff 9 \mid n$
Compute 1234567890 mod 3, 1234567890 mod 9 etc.
(b) $11 \mid \sum_{i \ge 0} (-1)^i z_i \iff 11 \mid \sum_{i \ge 0} z_i 10^i$
Compute 1234567890 mod 11 etc.
(c) The last digit of the 10-digit ISBN is a check digit, an error
checking number, namely n mod 11 if $n = \sum_{i=1}^{9} i \cdot z_i$ denotes the
weighted sum $1 \cdot z_1 + 2 \cdot z_2 + \ldots + 9 \cdot z_9$ of the first nine digits
$z_1 \ldots z_9$.
(In case n mod 11 = 10 the check digit is represented by X.)
(d) $7 \mid \sum_{i \ge 0} \left( z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} - z_{7i+3} - 3 z_{7i+4} - 2 z_{7i+5} + z_{7i+6} \right) \iff 7 \mid \sum_{i \ge 0} z_i 10^i$
Compute 1234567890 mod 7 etc.
(e) Parity, ECC, CRC, RSC, . . . ?
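
The ISBN-10 check digit of Problem 38(c), as an added example that is not part of the original document: it computes the weighted sum mod 11 and then measures which corruptions the check catches. The function names, the two sample ISBNs and the unweighted "naive" variant used for comparison are assumptions made for this illustration.

```python
"""ISBN-10 check digit as defined in Problem 38(c): weighted sum of z1..z9 mod 11."""

DIGITS = "0123456789"


def check_digit(first9: str) -> str:
    """Return n mod 11 for n = 1*z1 + 2*z2 + ... + 9*z9, written as 'X' when it is 10."""
    if len(first9) != 9 or any(c not in DIGITS for c in first9):
        raise ValueError("need exactly nine decimal digits")
    n = sum(i * int(z) for i, z in enumerate(first9, start=1))
    return "X" if n % 11 == 10 else str(n % 11)


def is_valid(isbn: str) -> bool:
    """Validate a 10-character ISBN; hyphens and spaces are ignored."""
    s = isbn.replace("-", "").replace(" ", "").upper()
    if len(s) != 10 or any(c not in DIGITS for c in s[:9]):
        return False  # also rejects an 'X' that drifted out of the last position
    return s[9] == check_digit(s[:9])


def naive_is_valid(isbn: str) -> bool:
    """Strawman for comparison only (not a real scheme): unweighted cross sum mod 11."""
    s = isbn.replace("-", "").replace(" ", "").upper()
    if len(s) != 10 or any(c not in DIGITS for c in s[:9]):
        return False
    n = sum(int(z) for z in s[:9]) % 11
    return s[9] == ("X" if n == 10 else str(n))


def single_char_errors(s: str):
    """Every string that differs from s in exactly one position."""
    for pos, old in enumerate(s):
        for new in DIGITS + "X":
            if new != old:
                yield s[:pos] + new + s[pos + 1:]


def adjacent_transpositions(s: str):
    """Every string obtained by swapping two different neighbouring characters."""
    for pos in range(len(s) - 1):
        if s[pos] != s[pos + 1]:
            yield s[:pos] + s[pos + 1] + s[pos] + s[pos + 2:]


def undetected(s: str, corruptions, validator) -> int:
    """Count corrupted variants of a valid number that the validator still accepts."""
    return sum(1 for bad in corruptions(s) if validator(bad))


# Sample inputs chosen for this example.
SAMPLE = "0306406152"        # valid under the weighted rule
SAMPLE_X = "080442957X"      # weighted sum mod 11 is 10, so the check digit is X
NAIVE_SAMPLE = "0306406153"  # same nine digits, check digit from the unweighted sum

if __name__ == "__main__":
    for name, validator, sample in (("weighted", is_valid, SAMPLE),
                                    ("unweighted", naive_is_valid, NAIVE_SAMPLE)):
        print(name,
              "missed single-character errors:",
              undetected(sample, single_char_errors, validator),
              "missed transpositions:",
              undetected(sample, adjacent_transpositions, validator))
```

Because 11 is prime and every weight and every digit difference is non-zero mod 11, the weighted rule catches each single-digit error and each swap of unequal neighbours; the unweighted sum still catches single-digit errors but accepts every swap among the first nine digits.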

Euclid & little Fermat

Problem 39. gcd(a, b) denotes the greatest common divisor (gcd) of $a \in \mathbb{N}$
and $b \in \mathbb{N}$, i.e. $\gcd(a, b) = d \in \mathbb{N}$ with $d \mid a$ and $d \mid b$ as well as
maximality, i.e. $d' \mid a,\ d' \mid b \Rightarrow d' \mid d$.
(a) For $a, b \in \mathbb{N}$ holds $\gcd(a, b) = \gcd(a, b \bmod a) = \gcd(b, a \bmod b)$
(b) By iteration we get the (terminating) Euclidean⁴ algorithm.
(c) Fermat⁵'s Little Theorem, FLT: if p is prime then
$$a^{p-1} \equiv 1 \pmod{p} \quad\text{for all } a \in \mathbb{N} \text{ with } \gcd(a, p) = 1$$
Contraposition:
$$a^{n-1} \not\equiv 1 \pmod{n} \text{ for one } a \in \mathbb{N} \;\Rightarrow\; n \text{ is composite!}$$
(d) The implication
$$n \text{ prime} \;\Rightarrow\; n \mid 2^{n-1} - 1$$
holds, but not its converse $n \text{ prime} \Leftarrow n \mid 2^{n-1} - 1$.

⁴ Euclid of Alexandria (ca 325-265), www-history.mcs.st-and.ac.uk/Biographies/Euclid.html
⁵ Pierre Fermat (1601-1665), www-history.mcs.st-and.ac.uk/Biographies/Fermat.html

Fermat, Euler and More


Problem 40. The Euler⁶ function is defined by
$$\varphi(n) = |\{m \in \mathbb{N} : m < n,\ \gcd(m, n) = 1\}|$$
(a) If p is prime then $\varphi(p) = p - 1$.
(b) If p is prime then $\varphi(p^k) = p^k - p^{k-1} = (p - 1)p^{k-1}$.
(c) If r and s are relatively prime then $\varphi(r \cdot s) = \varphi(r) \cdot \varphi(s)$.
(d) The prime factor decomposition of n provides a simple computation of $\varphi(n)$. Especially, for prime p and q we have
$$\varphi(p \cdot q) = \varphi(n) = n - (p + q) + 1 = (p - 1)(q - 1) \quad\text{for } n = p \cdot q$$
(e) Theorem of Euler, EFT⁷:
$$a^{\varphi(n)} \equiv 1 \pmod{n}$$
for each $n \in \mathbb{N}$ and each a relatively prime to n.

⁶ Leonhard Euler (1707-1783), www-history.mcs.st-and.ac.uk/Biographies/Euler.html
⁷ Euler-Fermat-Theorem, 1736

Chinese Stuff
Problem 41.
(a) Chinese Remainder Theorem: Let $m_1, m_2, \ldots, m_n \in \mathbb{N}$ be
pairwise relatively prime. To find all solutions $x \in \mathbb{N}$ with
$$x \equiv r_i \pmod{m_i} \quad\text{for } i = 1, \ldots, n$$
determine $m = \prod_{i=1}^{n} m_i$ and $b_i = m/m_i$ as well as $x_i$ with
$x_i b_i = 1 \bmod m_i$, hence $x_i$ as the (modulo $m_i$)-inverse to $b_i$ for
$i = 1, \ldots, n$. Then:
$$x \equiv \sum_{i=1}^{n} (x_i b_i r_i) \pmod{m}$$
(b) If p and q are relatively prime, then
$$x = y \bmod p \ \text{ and } \ x = y \bmod q \;\Rightarrow\; x = y \bmod (pq)$$
(c) The age of, say, party guests can be computed by the remainders
when dividing the unknown age by 3, 5 and 7.
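
The construction of Problem 41(a) carried out in code, using the same symbols m, b_i, x_i and r_i, together with the age trick of (c). This is an added example, not part of the original document; the function names are assumptions chosen for this illustration.

```python
from math import gcd, prod


def crt(remainders, moduli):
    """Solve x ≡ r_i (mod m_i) with the construction of Problem 41(a).

    Returns (x, m): the unique solution with 0 <= x < m, where m is the product
    of the moduli. Raises ValueError if the moduli are not pairwise relatively
    prime, because then the inverses x_i need not exist.
    """
    if not moduli or len(remainders) != len(moduli):
        raise ValueError("need one remainder per modulus")
    for i, m_i in enumerate(moduli):
        if m_i < 2:
            raise ValueError("each modulus must be at least 2")
        for m_j in moduli[i + 1:]:
            if gcd(m_i, m_j) != 1:
                raise ValueError(f"moduli {m_i} and {m_j} share a factor")
    m = prod(moduli)
    x = 0
    for r_i, m_i in zip(remainders, moduli):
        b_i = m // m_i
        x_i = pow(b_i, -1, m_i)  # (modulo m_i)-inverse of b_i, Python 3.8+
        x += x_i * b_i * r_i
    return x % m, m


def solutions_below(remainders, moduli, bound):
    """All solutions x with 0 <= x < bound; they are spaced m apart."""
    x, m = crt(remainders, moduli)
    return list(range(x, bound, m))


def guess_age(r3, r5, r7):
    """Problem 41(c): recover an age from its remainders mod 3, 5 and 7.

    The answer is only determined modulo 3 * 5 * 7 = 105.
    """
    age, _ = crt([r3, r5, r7], [3, 5, 7])
    return age


if __name__ == "__main__":
    secret = 37
    print("guessed age:", guess_age(secret % 3, secret % 5, secret % 7))
    print("x ≡ 2 (3), x ≡ 3 (5), x ≡ 2 (7):", solutions_below([2, 3, 2], [3, 5, 7], 300))
    try:
        crt([1, 2], [4, 6])
    except ValueError as err:
        print("rejected:", err)
```

An age of 110 would come back as 5, since the three remainders cannot distinguish numbers that differ by a multiple of 105.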


Galois Fields GF(p)


Problem 42. Usually arithmetic takes place in fields with infinitely
many elements, like Q, R and C. However, in e.g. cryptography only
fields with finitely many elements are relevant and hence needed.
As a reminder, a field is a set F of elements with two operations, namely
addition $+$ and multiplication $\cdot$, so that $(F, +)$ (with zero-element 0) and
$(F^*, \cdot) = (F \setminus \{0\}, \cdot)$ (with one-element 1) are commutative groups and the
usual laws of distributivity hold:

$$\begin{array}{ll}
(F, +) \text{ is a commutative group} & (F^*, \cdot) \text{ is a commutative group} \\
\forall_{a,b \in F}\; a + b = b + a \in F & \forall_{a,b \in F^*}\; a \cdot b = b \cdot a \in F^* \\
\exists_{0 \in F}\, \forall_{a \in F}\; a + 0 = 0 + a = a & \exists_{1 \in F^*}\, \forall_{a \in F^*}\; a \cdot 1 = 1 \cdot a = a \\
\forall_{a \in F}\, \exists_{-a \in F}\; a + (-a) = (-a) + a = 0 & \forall_{a \in F^*}\, \exists_{a^{-1} \in F^*}\; a \cdot a^{-1} = a^{-1} \cdot a = 1 \\
\multicolumn{2}{c}{a \cdot (b + c) = a \cdot b + a \cdot c}
\end{array}$$

(a) How do addition and multiplication have to be defined in GF(2) =
{0, 1}, the Galois⁸ field of order 2, i.e. with two elements?
(b) How are addition and multiplication to be defined in GF(3) =
{0, 1, 2}, the Galois field of order 3?
(c) How are addition and multiplication to be defined in GF(5) =
{0, 1, 2, 3, 4}, the Galois field of order 5?
(d) How can this approach be generalized to GF(p) = {0, 1, 2, ..., p - 1},
the Galois field of prime order p? Why is this approach
doomed to failure for GF(pq) with primes p and q, i.e. for GF(m)
with composite m?

⁸ Evariste Galois (1811-1832), www-history.mcs.st-andrews.ac.uk/Biographies/Galois.html

Galois Fields GF(p^n)


Problem 43. Let p be prime and $n \in \mathbb{N}$. If $GF(p^n)$ is defined to be
a subset of P(n), the set of all polynomials of order n, i.e. of degree
$n - 1$, with coefficients in GF(p), so-called polynomials over GF(p),
then two such polynomials over GF(p) are readily added as usual.

(a) What is then $(GF(p^n), +)$?
(b) What happens if two polynomials $r, s \in GF(p^n)$ are multiplied as
polynomials over GF(p)?
(c) Assume the product of two polynomials $r, s \in GF(p^n)$ is defined
as the remainder of the product of r and s as polynomials over
GF(p), divided by some polynomial m. What does such a polynomial
m have to look like, if each product so defined necessarily lies again in
$GF(p^n)$?
(d) Which polynomials m(x) have to be excluded in order to guarantee
that products of non-vanishing factors do not vanish?
(e) E.g., why is $m_1(x) = x^2 + 1$ a reducible and $m_2(x) = x^2 + x + 1$
an irreducible polynomial over GF(2)?

Problem 44.
(a) What do multiplication and computation of inverse elements in
$GF(2^2)$ with $m(x) = x^2 + x + 1$ look like?
(b) Let m(x) be an irreducible polynomial over GF(p) of degree n.
Defining a multiplication by

$$r \cdot s := r(x) \cdot s(x) \bmod m(x)$$

for $r, s \in GF(p^n)$ then, what is $(GF(p^n)^*, \cdot)$?
(c) How are inverse elements in $GF(p^n)$ computed?
(d) How many irreducible polynomials over GF(p) are there of a given
(small) degree?
(e) In constructing $GF(p^n)$, what impact has the choice of the irreducible polynomial m(x) over GF(p) of degree n 1 ?
(f) Which elements generate e.g. $GF(2^2)$ or $GF(2^3)$?
(g) How can the cyclicity of $GF(p^n)$ be used to speed up the multiplication in $GF(p^n)$?
(h) How can the cyclicity of $GF(p^n)$ be used to speed up the inversion
in $GF(p^n)$?
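
The multiplication r · s := r(x) · s(x) mod m(x) of Problem 44(b) for p = 2, as an added example that is not part of the original document. It compares the two moduli named in Problem 43(e) and then goes beyond the page's small cases to GF(2^8) with the modulus x^8 + x^4 + x^3 + x + 1 that AES uses; the function names and the encoding of a polynomial as an integer bit mask are assumptions chosen for this illustration.

```python
"""Arithmetic in GF(2^n): a polynomial over GF(2) is an int, bit i = coefficient of x^i."""


def degree(a):
    return a.bit_length() - 1  # degree(0) == -1 by convention


def poly_mul(r, s):
    """Product of r and s as polynomials over GF(2); adding coefficients is XOR."""
    out = 0
    while s:
        if s & 1:
            out ^= r
        r <<= 1
        s >>= 1
    return out


def poly_mod(a, m):
    """Remainder of a on division by m, both polynomials over GF(2)."""
    if m == 0:
        raise ZeroDivisionError("modulus polynomial is zero")
    while degree(a) >= degree(m):
        a ^= m << (degree(a) - degree(m))
    return a


def gf_mul(r, s, m):
    """r * s := r(x) s(x) mod m(x), the multiplication of Problem 44(b)."""
    return poly_mod(poly_mul(r, s), m)


def is_irreducible(m):
    """Trial division by every polynomial of degree 1 .. deg(m) // 2."""
    if degree(m) < 1:
        return False
    return all(poly_mod(m, d) for d in range(2, 1 << (degree(m) // 2 + 1)))


def zero_divisors(m):
    """Pairs (r, s), r <= s, of non-zero elements whose product vanishes modulo m."""
    size = 1 << degree(m)
    return [(r, s) for r in range(1, size) for s in range(r, size)
            if gf_mul(r, s, m) == 0]


def gf_inverse(r, m):
    """r^(2^n - 2) by square-and-multiply.

    For irreducible m the 2^n - 1 non-zero elements form a group, so
    r^(2^n - 1) = 1 and r^(2^n - 2) is the inverse of r.
    """
    if r == 0 or not is_irreducible(m):
        raise ValueError("inverse needs r != 0 and an irreducible modulus")
    result, base, e = 1, r, (1 << degree(m)) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, m)
        base = gf_mul(base, base, m)
        e >>= 1
    return result


M1 = 0b101         # x^2 + 1 = (x + 1)^2, reducible over GF(2)
M2 = 0b111         # x^2 + x + 1, irreducible over GF(2)
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1

if __name__ == "__main__":
    for name, m in (("x^2+1", M1), ("x^2+x+1", M2)):
        table = [[gf_mul(r, s, m) for s in range(4)] for r in range(4)]
        print(name, "irreducible:", is_irreducible(m),
              "zero divisors:", zero_divisors(m), "table:", table)
    print("inverse of x in GF(4):", gf_inverse(0b10, M2))
    print("GF(2^8): 0x57 * 0x83 =", hex(gf_mul(0x57, 0x83, AES_POLY)))
    print("GF(2^8): inverse of 0x53 =", hex(gf_inverse(0x53, AES_POLY)))
```

With the reducible modulus the element x + 1 multiplies with itself to 0, so the non-zero elements are not closed under multiplication; with the irreducible modulus no such pair exists and every non-zero element has an inverse.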


5. Cryptography

Caesar and Cohorts


Problem 45.
Let the letters of the Latin alphabet be numbered from 0 to 25!
(a) Caesar⁹ encryption/decryption:
Plain text $x_1 x_2 x_3 \ldots$ is letter-wise encrypted by key k per
$y = (x + k) \bmod 26$ to give the encrypted text $y_1 y_2 y_3 \ldots$
Encrypted text $y_1 y_2 y_3 \ldots$ is letter-wise decrypted by key k per
$x = (y - k) \bmod 26$ to give the plain text $x_1 x_2 x_3 \ldots$
There is an encrypted text wklvlvdwrsvhfuhwphvvdjh.
(b) How many keys are there? What degree of security is achieved?
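
The Caesar scheme of Problem 45 in code, with an exhaustive search over its key space applied to the ciphertext given in (a). This is an added example, not part of the original document; the function names and the crude letter-frequency score are assumptions chosen for this illustration.

```python
"""Caesar cipher over the letters a..z numbered 0..25, as in Problem 45."""

A = ord("a")
COMMON = set("etaoinshr")  # assumption: frequent English letters, used as a crude score


def shift(text, k):
    """Apply y = (x + k) mod 26 to every letter of a lowercase a-z string."""
    if any(not "a" <= c <= "z" for c in text):
        raise ValueError("only lowercase letters a-z are supported")
    return "".join(chr((ord(c) - A + k) % 26 + A) for c in text)


def encrypt(plain, k):
    return shift(plain, k)       # y = (x + k) mod 26


def decrypt(cipher, k):
    return shift(cipher, -k)     # x = (y - k) mod 26


def score(text):
    """Number of letters of text that belong to the frequent-letter set."""
    return sum(c in COMMON for c in text)


def brute_force(cipher):
    """All 26 candidate decryptions as (score, key, text), most plausible first."""
    candidates = [(score(decrypt(cipher, k)), k, decrypt(cipher, k))
                  for k in range(26)]
    return sorted(candidates, key=lambda c: -c[0])


def break_caesar(cipher):
    """Return (key, plaintext) of the highest-scoring candidate."""
    _, k, text = brute_force(cipher)[0]
    return k, text


CIPHERTEXT = "wklvlvdwrsvhfuhwphvvdjh"  # the ciphertext printed in Problem 45(a)

if __name__ == "__main__":
    for s, k, text in brute_force(CIPHERTEXT)[:3]:
        print(f"key {k:2d}  score {s:2d}  {text}")
    print("recovered:", break_caesar(CIPHERTEXT))
```

The whole key space is 26 values, so trying every key and ranking the outputs is immediate; the score only saves a human from reading all 26 lines.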

⁹ Gaius Julius Caesar (100-44 BC)

Caesar in General
Problem 46.
Let the letters of the Latin alphabet be numbered from 0 to 25 !
(a) Under which condition is y = (kx) mod m a useful encryption
method?
(b) When
encrypting per y = (k x) mod m and
decrypting per x = (k inv y) mod m what k inv has to be used?
(c) Combining both methods gives
encryption per y = (k1 x + ko ) mod m and
decryption per x = (k10 y + ko0 ) mod m using which k10 und ko0 ?
(d) How many keys are there? What degree of security is achieved?


Vigenère and Accomplices

Problem 47.
Let the letters of the Latin alphabet be numbered from 0 to 25!
(a) Vigenère¹⁰ encryption/decryption:
Plain text $x_1 x_2 x_3 \ldots$ is encrypted letter-wise to encrypted text $y_1 y_2 y_3 \ldots$ per $y_i = (x_i + k_{i \bmod l}) \bmod 26$ using key $k_o k_1 \ldots k_{l-1}$;
encrypted text $y_1 y_2 y_3 \ldots$ is decrypted letter-wise to plain text $x_1 x_2 x_3 \ldots$ per $x_i = (y_i - k_{i \bmod l}) \bmod 26$ using key $k_o k_1 \ldots k_{l-1}$.
dlgcmqkxmzwcmvcdqccwyqi is an encrypted message.
(b) How many keys are there? What degree of security is achieved?

¹⁰ Blaise de Vigenère (1523-1596), raphael.math.uic.edu/~jeremy/crypt/contrib/deepak.html


Permutations
Problem 48. For Caesar and Vigenère encryption/decryption it is characteristic that, by means of one (Caesar) or several (Vigenère) one-to-one functions $f : A \to A$ on the alphabet A used, each plain text letter is substituted by another ((monoalphabetic) substitution). Such functions f are also called permutations.
(a) The Latin alphabet A = {A, B, ..., Z} has 26 letters. How many permutations of A are there?
(b) Do permutations provide new encryption/decryption methods essentially better than the Caesar or the Vigenère method?
(c) How feasible is encryption by just permuting the plain text letters?


DES
Problem 49. The Data Encryption Standard, DES [28], is a block-oriented, symmetric (identical keys for encryption and decryption) encryption/decryption method consisting of permutations and several substitutions, see also www.itl.nist.gov/fipspubs/fip46-2.htm
(a) The DES algorithm applies an initial permutation $P$, then several substitutions, and finally $P^{inv}$ to each 64-bit block of the plain text. DES specifies $P$ as follows:

P =
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17  9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

What is $P^{inv}$?
(b) Each of the other operations encrypts the left and right 32-bit halves of a 64-bit block (L, R) with a 32-bit key K per
$f_K(L, R) = (R, L \oplus K)$, where $\oplus$ denotes addition modulo 2.
$f_K^{inv}(L, R) = \,?$ In what respect are these operations substitutions?
(c) What type of encryption has been defined by $L := P^{inv} \circ f_{K_{16}} \circ f_{K_{15}} \circ \ldots \circ f_{K_2} \circ f_{K_1} \circ P$ so far? With what consequences?
(d) The last element in DES is a confusion/diffusion¹¹ method, which is implemented by the so-called substitution boxes, S-boxes: each half block of 32 bits is extended to 48 bits by duplicating certain bits (depending on the round); a total of eight S-boxes $S_1, \ldots, S_8$ encrypt 6-bit input to 4-bit output each, e.g. $S_5$:

S5            middle four bits of input
Outer 2 bits  0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00            0010 1100 0100 0001 0111 1100 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
01            1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1100 0011 1001 1000 0110
10            0100 0010 0001 1011 1100 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
11            1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1100 0100 0101 0011

See also www.itl.nist.gov/fipspubs/fip46-2.htm or e.g. also www.kuno-kohn.de/crypto/crypto/des.htm for all eight DES S-boxes. How big are the look-up tables for the eight S-boxes altogether? How big would the look-up table for the 32-bit substitution implemented by the S-boxes be? How to invert an S-box?

¹¹ Claude E. Shannon (1916-2001), www-history.mcs.st-andrews.ac.uk/Biographies/Shannon.html
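The structure asked about in (a) to (c), as an added example that is not part of the original problem sheet: it computes P^inv from the table above, implements the S-box-free round f_K(L, R) = (R, L xor K) and shows that the whole composition is affine over GF(2), which is why DES needs the non-linear S-boxes of (d). Function names are chosen for this example.

```python
# Initial permutation P as listed on the page (1-based bit positions):
# output bit i of P(x) is input bit P[i-1].
P = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
     62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
     57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
     61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]

MASK32 = 0xFFFFFFFF


def invert(perm):
    """Inverse of a 1-based permutation table."""
    inv = [0] * len(perm)
    for out_pos, in_pos in enumerate(perm, start=1):
        inv[in_pos - 1] = out_pos
    return inv


P_INV = invert(P)


def permute(block, table):
    """Apply a permutation table to a 64-bit integer (bit 1 = most significant)."""
    out = 0
    for in_pos in table:
        out = (out << 1) | ((block >> (64 - in_pos)) & 1)
    return out


def f(K, L, R):
    """Round from (b): f_K(L, R) = (R, L xor K)."""
    return R, L ^ K


def f_inv(K, L, R):
    """Inverse round: f_K^inv(L, R) = (R xor K, L)."""
    return R ^ K, L


def encrypt(block, keys):
    """P_inv o f_K16 o ... o f_K1 o P from (c), i.e. DES without S-boxes."""
    x = permute(block, P)
    L, R = x >> 32, x & MASK32
    for K in keys:
        L, R = f(K, L, R)
    return permute((L << 32) | R, P_INV)


def decrypt(block, keys):
    x = permute(block, P)
    L, R = x >> 32, x & MASK32
    for K in reversed(keys):
        L, R = f_inv(K, L, R)
    return permute((L << 32) | R, P_INV)


def affine_constant(oracle):
    """E(x) = A(x) xor c with A linear and key-independent, so c = E(0)."""
    return oracle(0)


def predict(x, c, rounds=16):
    """Reproduce E(x) from c alone: A is the cipher with all round keys 0."""
    return encrypt(x, [0] * rounds) ^ c


if __name__ == "__main__":
    keys = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(16)]  # constructed
    c = affine_constant(lambda b: encrypt(b, keys))
    x = 0x0123456789ABCDEF
    print(P_INV[:8])
    print(hex(encrypt(x, keys)), hex(predict(x, c)))
```

With an even number of rounds the linear part A is the identity, so this construction degenerates to XOR with one fixed 64-bit value regardless of how many round keys are used.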


Problem 50. Since its publication, the security of the Data Encryption Standard, DES, has been disputed, cp. e.g. http://en.wikipedia.org/wiki/Data_Encryption_Standard.
In the mid-1990s, the insecurity of DES was demonstrated. This spurred improvements, especially for high-security applications.
(a) What is the effective DES key length? What is the DES key space?
(b) Triple DES, TDES, or Triple Data Encryption Algorithm, TDEA, consists in applying DES three times with three keys:

$TDES_{K_3,K_2,K_1}(x) = DES_{K_3} \circ DES^{inv}_{K_2} \circ DES_{K_1}(x)$

What condition guarantees that several DES encryptions (like TDEA) offer substantially higher security?
(c) What is the effective TDEA key length? What is the TDES key space?
(d) When and by what has DES or TDEA been superseded?


Public Keys?
Problem 51. Symmetric encryption/decryption methods require that the key (identical for encryption and decryption) can be exchanged between sender and receiver via a secure channel: a contradiction per se!
Asymmetric encryption/decryption methods working with pairs of private, i.e. secret, and public keys, so-called public key encryption methods¹², do offer a solution.
(a) For each partner A, B, C, ... there is a public key and hence a public encryption method $f_A, f_B, f_C, \ldots$. Each partner keeps her/his private key $A^{-1}, B^{-1}, C^{-1}, \ldots$ and hence her/his private decryption method $f_A^{-1}, f_B^{-1}, f_C^{-1}, \ldots$ top secret.
Now, Bob can tell Alice, say, x by sending her the encrypted message $f_A(x)$. Only Alice can decrypt this message by $f_A^{-1}$ to get $x = f_A^{-1}(f_A(x))$.
What is the base of the security of such public key methods?

¹² Whitfield Diffie, Martin Hellman: New Directions in Cryptography; IEEE Trans. Inform. Theory, IT-22, 6, Nov 1976, pp. 644-654


RSA
Problem 52. The RSA¹³ method is a public key encryption/decryption method. It works as follows:
Let p and q be big prime numbers and $n = pq$, i.e. $\varphi(n) = (p-1)(q-1)$.
A message x is encrypted by
$y = x^e \bmod n$ with public key e, so that $\gcd(e, \varphi(n)) = 1$.
A message y is decrypted by
$x = y^d \bmod n$ with private key d, so that $e\,d = 1 \bmod \varphi(n)$.
(a) Show: $f_e : x \mapsto x^e \bmod n$ is a trapdoor function.
(b) On what basis does the security of the RSA method rest?
(c) $f_e^{-1}$, i.e. $f_d$, can be used to generate a digital signature.
If Alice signs her message digitally, then Bob is assured that a message y he received truly originated from Alice. How to cut cost?

¹³ R. Rivest, A. Shamir, L. Adleman: A method for obtaining digital signatures and public key cryptosystems; Communications ACM, 21 (1978), 120-126
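The scheme of Problem 52 with constructed toy primes, as an added example that is not part of the original problem sheet: key generation, encryption and decryption, signing a short digest instead of the whole message (one reading of "How to cut cost?" in (c)), and the trapdoor of (a) and (b) made visible by factoring the tiny modulus. The primes 61 and 53, the exponent 17 and all function names are assumptions of this example; textbook RSA without padding, as shown here, is for illustration only.

```python
import hashlib
from math import gcd, isqrt


def make_keys(p, q, e):
    """Return ((e, n), (d, n)) following the definitions on the page."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public key e must satisfy gcd(e, phi(n)) = 1")
    return (e, n), (pow(e, -1, phi), n)  # e*d = 1 mod phi(n)


def encrypt(x, public):
    e, n = public
    if not 0 <= x < n:
        raise ValueError("message must be a number in [0, n)")
    return pow(x, e, n)


def decrypt(y, private):
    d, n = private
    return pow(y, d, n)


def digest(message, n):
    """Fingerprint of an arbitrarily long message, reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Apply f_d to the digest only: one modular exponentiation per message."""
    d, n = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(message, n)


def private_from_factoring(public):
    """Whoever can factor n can recompute d.

    Trial division succeeds here only because the toy modulus is tiny;
    the security of RSA rests on this step being infeasible for big p, q.
    """
    e, n = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("n is prime, not an RSA modulus")


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)  # constructed toy parameters
    y = encrypt(65, public)
    print(public, private, y, decrypt(y, private))
    s = sign(b"constructed sample message", private)
    print(s, verify(b"constructed sample message", s, public))
    print(private_from_factoring(public) == private)
```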

AES

Problem 53. Established in 2000, the Advanced Encryption Standard, AES, is DES's successor standard. To avoid all suspicions of conspiracy of the standardizing body (NIST) with the developers of the standard (IBM in the case of DES), this standard is the result of a public competition.
AES represents a special case of the Rijndael cipher [26].
[Figure: page excerpt from A. Hofmeier, "AES - Eine Einführung in Kryptographie", showing the byte layout of a 128-bit block (16 bytes) and a 256-bit block (32 bytes) and the data flow through AddRoundKey(), SubByte(), ShiftRows(), MixColums(), Round() and FinalRound() with round keys k(0), k(1...), k(n); adapted from Daemen and Rijmen (2002)]
(a) What type of cipher is AES?
(b) What are the characteristic parameters of AES?
(c) What does a round of AES consist of?

Problem 54. Now, the functions of a round are to be examined separately. Identifiers are used as in
csrc.nist.gov/publications/fips/fips197/fips-197.pdf
(a) SubBytes(): How is this substitution specified? How is it implemented by an S-box? How is the substitution inverted?
(b) ShiftRows(): How is the permutation of the rows of a block implemented when a block is represented as a 4 × 4 byte matrix? How is this transformation inverted?
(c) MixColumns(): How are the columns of a block transformed when a block is represented as a 4 × 4 byte matrix? How is this transformation inverted?
(d) AddRoundKey(): How are the columns of a block XORed by parts of the expanded key? Why is this transformation its own inverse?


Elliptic Curves over R


Problem 55. To introduce Elliptic Curve Cryptography, ECC, it is reasonable to first consider so-called elliptic curves $y^2 = x^3 + ax + b$ over $\mathbb{R}$, i.e. curves in $\mathbb{R}^2$ with real coefficients $a, b \in \mathbb{R}$.
(a) Which geometric features do elliptic curves $E = E(\mathbb{R}) = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$ exhibit? What happens for $x \to +\infty$?
(b) What are the zeroes of the radicand $x^3 + ax + b$ of an elliptic curve $E = E(\mathbb{R}) = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$?
(c) What condition guarantees that the radicand of an elliptic curve $E = E(\mathbb{R}) = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$ has no multiple zeroes?
(d) Given any non-vertical, non-tangent line intersecting an elliptic curve $E = E(\mathbb{R}) = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$ at least twice. Why does the line then intersect the curve E thrice?
(e) Given $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ with $x_P \neq x_Q$ on an elliptic curve $E = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$. Under the above condition, what are the coordinates of the third intersection point $R = (x_R, y_R)$ on E and on the line through P and Q?


Problem 56. One specifies an addition of points P and Q on an elliptic curve $E = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$ by defining R := P + Q to be the intersection point of the line through P and Q with E, mirrored at the x-axis.
[Figure: elliptic curve for a = 3, b = 5 in the x-y plane with the points P, Q and R marked]
(a) How is P + P to be defined consistently?
(b) How can P + Q for $x_P = x_Q$ and $y_P \neq y_Q$ be defined consistently?
(c) What does this mean for P + Q with $P = (x_P, y_P)$ and $Q = (x_P, -y_P)$ and the solvability of P + Q = R in Q for given $P, R \in E$?
(d) Which structure on $E = E_{a,b}(\mathbb{R})$ is provided by this addition?


Elliptic Curves over GF(p)


Problem 57. Elliptic curves $E = E_{a,b}(\mathbb{R})$ over $\mathbb{R}$ are unfit for cryptographic purposes. Instead one uses elliptic curves $E = E_{a,b}(F)$ over some finite field F, e.g. F = GF(p) for prime p.
(a) How is P + Q to be defined on $E = E_{a,b}(GF(p))$?

Elliptic Curves over $GF(2^m)$

Problem 58. Using $F = GF(2^m)$, another type of finite field, allows groups to be defined on elliptic curves $E = E_{a,b}(GF(2^m))$ over $GF(2^m)$, namely
$y^2 + xy = x^3 + ax + b$ for $a, b \in GF(2^m)$
(a) Why can $y^2 = x^3 + ax + b$ no longer be used now?
(b) How is P + Q to be defined on $E = E_{a,b}(GF(2^m))$?


Elliptic Curve Cryptography, ECC


Problem 59. Elliptic Curve Cryptography, ECC, is based on exploiting the group structure of a public elliptic curve $E = E_{a,b}(F)$ over some finite field F together with some suitable generator point $G \in E$.
Each participant owns a secret and public key pair $(r, Q) \in \mathbb{N} \times E$ with random number $1 < r < card(\langle G \rangle)$ and $Q = rG$.
(a) What type of cipher is ECC, suitable for what applications?
(b) How can an ECC based El-Gamal encryption/decryption be implemented?
(c) How can an ECC based Diffie-Hellman key exchange, ECDH, be implemented?
(d) How can an ECC based Digital Signature Algorithm, ECDSA, be implemented?


6. Compression

Exploiting Relative Frequencies


Problem 60.
If the (relative) frequencies of the symbols in a text are known a
priori then one can design a code so that the most frequent symbols
are assigned the shortest codes. Let us call such codings monotonous.
To save the insertion of a special character to separate codes it is
necessary that each code cannot be confused with the beginning of
another code: The coding has to be prefix- or comma-free.
(a) Given an alphabet $s_1, s_2, \ldots, s_n$ with frequency $f_i$ of symbol $s_i$, where $f_1 > f_2 > \ldots > f_n$ for $i = 1, \ldots, n$. Assume $c_i = code(s_i) = 01^{i-1} \in \{0, 1\}^i$. What about this code?
(b) How to represent prefix-free codings by graphs?
(c) Construct a monotonous prefix-free coding.


Using Dictionaries
Problem 61.
The idea of LZW¹⁴ is to let sender and receiver set up and maintain a dictionary for characters and combinations of characters to be sent and received.
(a) Both in compression and decompression, first the dictionary is initialized with the letters of the alphabet together with their codes.
Then, plain text or compressed text, respectively, is read character by character.
In compression, the text is read character by character. PATTERN is the longest string in the dictionary which coincides with the recently read input characters. In decompression the codes are read. At the same time, the dictionary is accordingly extended.

¹⁴ Jacob Ziv and Abraham Lempel: A Universal Algorithm for Sequential Data Compression; IEEE Transactions on Information Theory, May 1977
Terry Welch: A Technique for High-Performance Data Compression; Computer, June 1984

Compression:

PATTERN = get input character
WHILE there are still input characters DO
    CHARACTER = get input character
    IF PATTERN+CHARACTER is in dictionary
        PATTERN = PATTERN+CHARACTER
    ELSE
        output the code for PATTERN
        add PATTERN+CHARACTER to dictionary
        PATTERN = CHARACTER
output the code for PATTERN

Decompression:

Read oldCODE; output dict[oldCODE]
WHILE there are still input characters DO
    Read newCODE
    PATTERN = dict[newCODE]
    output PATTERN
    CHARACTER = first character in PATTERN
    add dict[oldCODE]+CHARACTER to dictionary
    oldCODE = newCODE


(b) There is a flaw in the algorithm presented above:
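The two routines above transcribed into Python, as an added example that is not part of the original problem sheet: a literal transcription of the decompression pseudocode fails on inputs where the compressor emits a code in the very step in which it defines it, and a decoder that handles this case and rejects codes that cannot be valid is shown beside it. Whether this is the flaw the author has in mind is an assumption; function names and sample strings are constructed for this example.

```python
def compress(text, alphabet):
    """LZW compression exactly as in the pseudocode above."""
    if not text:
        return []
    dictionary = {ch: code for code, ch in enumerate(alphabet)}
    pattern, codes = text[0], []
    for character in text[1:]:
        if pattern + character in dictionary:
            pattern += character
        else:
            codes.append(dictionary[pattern])
            dictionary[pattern + character] = len(dictionary)
            pattern = character
    codes.append(dictionary[pattern])
    return codes


def decompress_as_printed(codes, alphabet):
    """Literal transcription of the decompression pseudocode above."""
    if not codes:
        return ""
    table = dict(enumerate(alphabet))      # code -> string
    old = codes[0]
    out = [table[old]]
    for new in codes[1:]:
        pattern = table[new]               # KeyError: code not defined yet
        out.append(pattern)
        table[len(table)] = table[old] + pattern[0]
        old = new
    return "".join(out)


def decompress(codes, alphabet):
    """Decoder that handles the not-yet-defined code and validates input."""
    if not codes:
        return ""
    table = dict(enumerate(alphabet))
    old = codes[0]
    if old not in table:
        raise ValueError(f"invalid first code {old}")
    out = [table[old]]
    for new in codes[1:]:
        if new in table:
            pattern = table[new]
        elif new == len(table):
            # The compressor used the entry it had just created. That entry
            # must be dict[oldCODE] + first character of dict[oldCODE].
            pattern = table[old] + table[old][0]
        else:
            # Anything else cannot come from the compressor: reject it
            # instead of crashing or reading undefined entries.
            raise ValueError(f"invalid code {new}")
        out.append(pattern)
        table[len(table)] = table[old] + pattern[0]
        old = new
    return "".join(out)


if __name__ == "__main__":
    codes = compress("abababa", "ab")      # constructed sample input
    print(codes, decompress(codes, "ab"))
    try:
        decompress_as_printed(codes, "ab")
    except KeyError as missing:
        print("literal pseudocode fails on code", missing)
```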


7. Probability & Intuition

Cards & Goats


Problem 62.
(a) In an urn there are three cards: one is red on both sides, one is blue on both sides, and the third one is red on one side and blue on the other.
What is the probability P that a card drawn at random from the
urn is red on the top side and blue on the bottom side?
(b) In a contest there are three doors behind which two goats and a
car are hidden (the quizmaster knows where).
The candidate chooses a door. Then the quizmaster reveals a goat
behind another door.
Does the candidate improve the chances to win the car by revising
her/his initial choice?


Algorithms to Generate Chance?


Random numbers play an important role in simulation, (zero knowledge) authentication etc. Hence, high-level programming languages usually offer library functions like ran, random or randomize to generate so-called pseudo-random numbers algorithmically and hence deterministically.
Problem 63.
(a) What are characteristics of random numbers besides being seemingly random (whatever this might be)? How to generate random numbers with such given characteristics from random numbers of some standard?
(b) How to generate standard random numbers fast, i.e. with little computational effort?
(c) $x_{n+1} = (a\,x_n + c) \bmod m$ with $x_o = 1$ is periodic: why? And with which maximal/minimal period length?
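The generator of (c) examined by machine, as an added example that is not part of the original problem sheet: it measures the pre-period and the period for given a, c, m and checks the Hull-Dobell conditions for the maximal period m. The parameter values in the demonstration are constructed and the function names are chosen for this example.

```python
from math import gcd


def lcg(a, c, m, x0=1):
    """Yield x0, x1, x2, ... with x_{n+1} = (a*x_n + c) mod m."""
    x = x0 % m
    while True:
        yield x
        x = (a * x + c) % m


def period(a, c, m, x0=1):
    """Return (tail, cycle): values before the cycle starts, cycle length.

    There are only m possible states and each state determines the next,
    so some state must repeat after at most m steps: hence periodicity.
    """
    first_seen = {}
    for n, x in enumerate(lcg(a, c, m, x0)):
        if x in first_seen:
            return first_seen[x], n - first_seen[x]
        first_seen[x] = n


def prime_factors(n):
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(a, c, m):
    """Hull-Dobell theorem: the cycle length is m if and only if
    gcd(c, m) = 1, every prime factor of m divides a - 1, and
    4 divides a - 1 whenever 4 divides m."""
    if gcd(c, m) != 1:
        return False
    if any((a - 1) % p for p in prime_factors(m)):
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0


if __name__ == "__main__":
    for a, c, m in [(5, 3, 16), (1, 0, 16), (2, 0, 16), (3, 3, 16)]:
        print((a, c, m), period(a, c, m), has_full_period(a, c, m))
```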


What is Randomness?
Criteria for the quality of pseudo random number generators have to
be established, especially of generators of evenly distributed, continuous pseudo random numbers in the unit interval. These criteria are
to be assessed in tests.
But, randomness has no definition, no specification. Therefore, there
can be tests only for certain features of randomness.
Problem 64.
(a) How to test whether the co-domain is evenly covered?
(b) How to test randomness of pseudo random numbers by measuring
the information content of each generated digit?
(c) How to test randomness of pseudo random numbers by measuring their compressibility?
(d) How to test randomness of pseudo random numbers by measuring the mutual (in)dependence of their digits?

8. Sources and Links

Some references on Recreational Mathematics
[1] About.com: Recreational Mathematics; http://math.about.com/od/recreationalmath
[2] Bild der Wissenschaft; www.wissenschaft.de/ see Spiele-Archiv
[3] Chlond, Martin: Integer Programming in Recreational Mathematics; www.chlond.demon.co.uk/academic/puzzles.html
[4] Canadian Mathematical Society; www.math.ca/Recreation
[5] Dutch, Steven: Recreational Mathematics; www.uwgb.edu/dutchs/RECMATH/recmath.htm
[6] Eppstein, David: Math Fun; www.ics.uci.edu/~eppstein/recmath.html
[7] Flannery, Sarah: In Code - A Mathematical Journey; Profile Books, 2000, ISBN 1-86197-222-9
[8] Gardner, Martin: Mathematical recreations and many more titles; see book list, e.g. http://thinks.com/books/gardner.htm
[9] Gilleland, Michael: Recreational Mathematics Links; www.weblearn.hs-bremen.de/risse/MAI/docs/MichaelGilleland.html
[10] Google Directory - Science > Math > Recreations; www.google.com/Top/Science/Math/Recreations
[11] Herold, Helmut, Lurz, Bruno, Wohlrab, Jürgen: Grundlagen der Informatik; Pearson 2012
[12] Journal of Recreational Mathematics, Editor: Charles Ashbacher and Lamarr Widmer; www.baywood.com/journals/PreviewJournals.asp?Id=0022-412x
[13] Mathematical Association of America, MAA: Recreational Mathematics; www.maa.org/BLL/recmath.htm
[14] Mathematikwettbewerb Känguru e.V.; www.mathe-kaenguru.de, see also www.weblearn.hs-bremen.de/risse/MAI/docs/
[15] Michon, Gerard P.: Recreational Mathematics; www.numericana.com/answer/recreational.htm
[16] New Scientist: Physics & Math; www.newscientist.com/section/physics-math
[17] O'Connor, J.J., Robertson, E.F.: mathematical games and recreations; www-groups.dcs.st-andrews.ac.uk/~history/HistTopics/Mathematical_games.html
[18] open directory project; dmoz.org/Science/Math/Recreations/
[19] Problem of the Week, see e.g. www.google.com
[20] Scientific American; www.sciam.com, see puzzling adventures in single issues
[21] Singmaster, David: The Unreasonable Utility of Recreational Mathematics; anduin.eldar.org/~problemi/singmast/ecmutil.html
[22] Eugène Strens Recreational Mathematics Collection Database; www.ucalgary.ca/lib-old/sfgate/strens
[23] Wilkinson, David: Recreational Mathematics Links; www.scit.wlv.ac.uk/~cm1985/RecMaths.html
[24] Wolfram Mathworld: Recreational Mathematics; mathworld.wolfram.com/topics/RecreationalMathematics.html

Some references on Number Theory
[25] Forster, Otto: Algorithmische Zahlentheorie; Vieweg 1996

Some references on Cryptography
[26] Federal Information Processing Standards, FIPS: Advanced Encryption Standard (AES); Publication 197; http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Advanced Encryption Standard Algorithm Validation List; http://csrc.nist.gov/cryptval/aes/aesval.html
[27] Daemen, Joan, Rijmen, Vincent: The Design of Rijndael - AES, The Advanced Encryption Standard; Springer 2002
[28] Federal Information Processing Standards, FIPS: Data Encryption Standard (DES); Publication 46-3; http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
[29] Federal Information Processing Standards, FIPS: Digital Signature Standard (DSS) - DSA, RSA, and ECDSA algorithms; Publication 186-2; http://csrc.nist.gov/cryptval/dss.htm
[30] Hankerson, Darrel, Menezes, Alfred, Vanstone, Scott: Guide to Elliptic Curve Cryptography; Springer 2004
[31] Oswald, Elisabeth: Introduction to Elliptic Curve Cryptography; www.iaik.tugraz.at/aboutus/people/oswald/papers/Introduction_to_ECC.pdf
[32] Standards for Efficient Cryptography Group, SECG: SEC1 - Elliptic Curve Cryptography; www.secg.org/collateral/sec1_final.pdf
[33] Wagner, Neal R.: The Laws of Cryptography; www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf

Some references on Coding Theory and Compression
[34] Dankmeier, Wilfried: Codierung; Vieweg 2001
[35] Nelson, Marc, Gailly, Jean-loup: The Data Compression Book; 2nd edition, M&T Books, New York, NY 1995

Some references on Probability
[36] Bronstein, I.N. & Semendjajew, K.A. et al: (Teubner-) Taschenbuch der Mathematik; Teubner 2003

Of course, any feedback, criticism, inventive problems and solutions are most welcome.
Prof. Dr. Th. Risse, ZIMT 244, www.weblearn.hs-bremen.de/risse, 0049 (0)421 5905-5489, mailto: risse@hs-bremen.de

Solutions to Problems
Problem 1(a)
$4 = (5 - 3) + (5 - 3)$

Problem 1(b)
$1 = 3 + 3 - 5$

Problem 1(c)
For example, $5 = 9 - 4$, $3 = 4 + 4 + 4 - 9$, ...

Problem 1(d)
There is no solution.

Problem 2(a)
This is the height he achieves each day:
On the 1st day he reaches 300m, in the 1st night back to 100m
on the 2nd day he reaches 400m, in the 2nd night back to 200m
on the 3rd day he reaches 500m, in the 3rd night back to 300m
...
on the 27th day he reaches 2900m, in the 27th night back to 2700m
on the 28th day he reaches 3000m

Problem 2(b)
A needed $t_A$ time units, TU, for the 100m. Hence his speed is $v_A = 100/t_A$.
B needed $t_B$ TU for the 100m. Hence his speed is $v_B = 100/t_B = 90/t_A$. Therefore $t_A/t_B = 0.9$.
The speed of C is $v_C = 90/t_B = x/t_A$. Therefore $x = 90\,t_A/t_B = 90 \cdot 0.9 = 81$m.
Thus, the first runner A beats C by 19m.

Problem 3(a)
$36 = 2^2 \cdot 3^2$. If one considers also the one year olds, then there are the following combinations:

3.  2.  1.   Σ
1   1   36   38
1   2   18   21
1   3   12   16
1   4    9   14
1   6    6   13
2   2    9   13
2   3    6   11
3   3    4   10

Only in case of sum 13 another hint was necessary. But there is an oldest child only if the family has two-year-old twins and a nine-year-old child.

Problem 4(a) poor man's solution:
The catastrophe happens after one hour. Then, the fly has travelled 75km.
allegedly John von Neumann's solution:
Let $s_l$ be the position of the left train, $s_r$ that of the right train. The fly started right. Let $t_1$ be the point in time when the fly meets the left train, $t_2$ when it meets the right train, etc.
Then, we have $s_l(t_1) = 50 t_1$ and $75 = (100 - s_l(t_1))/t_1$. Hence, $75 t_1 = 100 - 50 t_1$, $125 t_1 = 100$ and finally $t_1 = 4/5$.

t/h                   s_l(t)/km   s_r(t)/km   d/km
0                     0           100         0
4/5                   40          60          60
4/5 + 4/25            48          52          12
4/5 + 4/25 + 4/125    49.6        50.4        2.4
...

where d is the distance the fly has travelled between two impingements.
The point in time of the catastrophe is
$$t = 4 \sum_{i=1}^{\infty} 0.2^i = 4\left(\frac{1}{1 - 0.2} - 1\right) = 4\left(\frac{5}{4} - 1\right) = 1$$
and the total travelled distance
$$75 \cdot \frac{4}{5} + 75 \cdot \frac{4}{25} + 75 \cdot \frac{4}{125} + \ldots = 75\,\text{km}.$$

Problem 5(a)
Let $s_h(t)$ and $s_r(t)$ denote the distance travelled along the outward journey and the return journey resp., at any point t in time between sunrise 0 and sunset 1.
Let d denote the total distance between A and B. Then, $s_h(0) = 0$, $s_h(1) = d$, $s_r(0) = d$, $s_r(1) = 0$.
With $s_h$ and $s_r$, the difference $s_r(t) - s_h(t)$ is also a continuous function of t.
Because this difference has different signs at t = 0 (value d) and at t = 1 (value $-d$), it has at least one zero $t_o$ in the interval [0, 1].
At time $t_o$ we have $s_r(t_o) = s_h(t_o)$.
Under which conditions is there more than one such point?

Problem 6(a) There are eight equations with nine unknowns. And, the solutions have to consist of the natural numbers 1,...,9.
Stepwise pick the arrangements corresponding to magic squares from a total of 9! = 362880 arrangements.
1. The number in the middle/centre is necessarily 5.
It cannot be n = 6, 7, 8 or 9 because then m = 9, 8, 7 or 6 had no place in the magic square.
2. The 9 is in no corner, neither in NE, NW, SW, nor SE.
Assuming NW=9, then SE=1, and for the three numbers 6, 7 and 8 there would be left only the two positions E and S.
3. Without restriction of generality let W=9, then either NW=2 and SW=4 or NW=4 and SW=2.
Assuming now NW=3. Then also SW=3. But the number 3 must not appear twice.
Two of the eight possible magic squares, identical when taking symmetry into consideration, are presented:

2 7 6         4 3 8
9 5 1   and   9 5 1
4 3 8         2 7 6

What do the other six magic squares look like?

Problem 7(a)
This text has no letter e, but every other letter of the Latin alphabet
occurs at least once.
Write a similar text in German.

Problem 8(a)
With the following procedure he acquires the average salary without him or any of his employees getting to know an individual salary.
1. He chooses a big secret number k at random.
2. He tells k to the first employee in order to increment k by her/his own salary and to tell the sum to the second employee.
3. One after another the employees get to know some number in order to increment it by their own salary and to tell the sum to the next colleague.
4. The last, nth employee increments the number by her/his salary and tells the sum g to the boss.
Then, the average salary is $(g - k)/n$.

Problem 9(a)
The problem is to let Alice get at the content of the box. The two agree on the following procedure:
1. Bob sends the box locked by his lock to Alice.
2. Alice additionally locks the box she received by her lock and sends it back to Bob.
3. Bob removes his lock from the box and sends the box locked by only Alice's lock back to Alice.

Problem 10(a)
They agree, say per e-mail, on the following procedure:
1. Alice and Bob agree to use a suitable one-way function f, i.e. a one-to-one function $f : \mathbb{N} \supset D \to W \subset \mathbb{N}$, so that f(x) is easily and $f^{inv}(y)$ is extremely hard to compute.
2. Now, say Alice starts and chooses an odd or even $x \in D$. Now she sends y with y = f(x) to Bob without revealing x.
3. Bob receives y and bets whether x was odd or even.
(If he wins then Alice otherwise Bob has to drive.)
4. Alice checks Bob's bet and sends x to Bob for verification, i.e. to let Bob compare f(x) with the y he initially received.

Problem 11(a)
They need three locks with two keys each. If each person owns keys according to the following scheme,
[Figure: lines connecting Alice, Bob and Claire to lock 1, lock 2 and lock 3, showing who owns a key to which lock]
then only at least two persons together have keys for all three locks of the treasure box.

Problem 11(b)
The following schema represents a solution
[Figure: lines connecting Alice, Bob, Claire and Dennis to lock 1, lock 2, lock 3 and lock 4, showing who owns a key to which lock]
because one person is always lacking a key, and any two persons together have a key to each of the four locks.
Is this solution with four locks with three keys each minimal?
With three locks each person may have at most two keys. Hence there are a total of at most eight keys for three locks and for four persons:
There is no lock with only one key, because without the owner of that one key pairs of persons cannot open the treasure box.
Hence there is either one person with keys to four locks or there are two persons with keys to three locks. In both cases a contradiction!
Finally with four locks, it is not sufficient to have two keys per person because then any two persons together might not have keys to each of the four locks!

Problem 11(c) ???

Problem 12(a)

Problem 12(b)

Problem 12(c)

Problem 12(d)

Problem 13(a)
Let (x, y) be the state of the system with x litres in the four litre and y litres in the nine litre bucket. Then the following state transitions are possible.
(0, 0) → (0, 9) → (4, 5) → (0, 5) → (4, 1) → (0, 1) → (1, 0) → (1, 9) → (4, 6)

Problem 13(b)
(0, 0) → (3, 0) → (0, 3) → (3, 3) → (1, 5) → (1, 0)

Problem 13(c)
Let (x, y, z) be the state of the system with x litres in the 8 litre canister, y litres in the 5-litre and z litres in the 3-litre jug. Then the following state transitions are possible.
(8, 0, 0) → (5, 0, 3) → (5, 3, 0) → (2, 3, 3) → (2, 5, 1) → (7, 0, 1) → (7, 1, 0) → (4, 1, 3)

Problem 13(d)
The barrel should contain 9 litres, the bucket 6 litres and the jug 3 litres. The can is empty. Let (w, x, y, z) be the state of the system with w litres in the barrel, x litres in the bucket, y litres in the jug and z litres in the can. Then the following state transitions are possible.
(18, 0, 0, 0) → (10, 8, 0, 0) → (10, 6, 0, 2) → (10, 6, 2, 0) → (7, 6, 5, 0) → (7, 6, 3, 2) → (9, 6, 3, 0)

Problem 14(a)
Let $f$, $m$, $c_1$ and $c_2$ denote the ages of father, mother, oldest child and youngest child resp. Then we know
a) $f + m + c_1 + c_2 = 124$
b) $f + m = 3(c_1 + c_2)$
c) $m > 2c_1$
d) $f - m = 9(c_1 - c_2)$
a) and b) give $c_1 + c_2 = 31$ and $f + m = 93$ as well as $2f = 93 + 9(c_1 - c_2)$ or $2m = 93 - 9(c_1 - c_2)$. In any case $c_1 - c_2$ is odd.
If $c_1 - c_2 = 1$ then $c_1 + c_2 = 31$ implies $c_1 = 16$ and $c_2 = 15$ as well as $m > 32$. From $f + m = 93$ and $f - m = 9$ we conclude $f = 51$ and $m = 42 > 32$. This is the only solution.
Namely, if otherwise $c_1 - c_2 \ge 3$ then $c_1 + c_2 = 31$ implies $c_1 \ge 17$ and $c_2 \le 14$ as well as $m > 34$. From $f + m = 93$ and $f - m \ge 27$ we conclude $f \ge 60$ and $m \le 33$, a contradiction.

Problem 14(b)
$E = 24 = 2(A - d)$ where $E - d = A = 24 - d$ so that $12 = A - d = 2A - 24$ and thus $A = 18$.

Problem 14(c)
In any case, one has to pay $(1 - \frac{1}{5})(1 + \frac{15}{100}) = \frac{4}{5} \cdot \frac{23}{20} = \frac{23}{25}$-fold or 92% of the net price.

Problem 14(d)
2
1
2


Problem 14(e)
$F - 5 = 2(P - 6)$ and $F + 9 = 3(P - 4)$
$\Rightarrow F - 2P = -7$ and $F - 3P = -21$
$\Rightarrow P = 14$ and $F = 21$

Problem 15(a)

[Figure: three vertices A, B, C with the numbers 11, 18 and 27]

Let A, B, and C be the labels of the three vertices. From
$A + B = 27$, $B + C = 18$, $A + C = 11$
we conclude $B - A = 7$ and thus $B = 17$, $A = 10$ and $C = 1$. In general there is only a system of linear equations to solve.

Problem 15(b)
From (30 a) + (7 a) = 34 a we get 3 = 3a and hence a = 1.

Problem 15(c)
$g_1 + g_2 + g_3 = 10$, $g_2 = \frac{4}{3} g_1$, $g_3 = \frac{3}{4} g_2 \Rightarrow g_1 + \frac{4}{3} g_1 + \frac{3}{4} \cdot \frac{4}{3} g_1 = 10 = \frac{10}{3} g_1 \Rightarrow g_1 = 3$, $g_2 = 4$, $g_3 = 3$.

Problem 15(d)
$k + \ell + m + n = 79$ and $\ell + 1 = 2k$ and $m + 1 = 2\ell$ and $n + 1 = 2m$ imply $79 = k + 2k - 1 + 2\ell - 1 + 2m - 1 = 3k - 3 + (4k - 2) + (4\ell - 2) = 7k - 7 + (8k - 4) = 15k - 11$ and thus $15k = 90$, therefore $k = 6$, $\ell = 11$, $m = 21$, and $n = 41$.

Problem 15(e)
Let m and d be the number of sacks the mule and the donkey carry resp. Then $m + 1 = 2(d - 1)$ and $m - 1 = d + 1$ imply $m = 7$ and $d = 5$.

Problem 16(a)
$U = 2\pi r = \pi r^2 = A \Rightarrow r = 2$

Problem 16(b)
Let $\ell$ [m] be the length and $v$ [m/sec] the speed of the train. We know $\ell = 7v$ and $330 = (18 - 7)v$, hence $v = 30$ [m/sec] and $\ell = 210$ [m].

Problem 16(c)
In total, the worker produces x parts. To produce the first half it takes $\frac{x}{20}$ days, to produce the second half it takes $\frac{x}{60}$ days. On average, he produces $\frac{x}{x/20 + x/60} = \frac{60}{4} = 15$ parts per day.

Problem 16(d)
n = d3 103 + d2 102 + d1 10 + do is palindromial n = do 103 +
d1 102 +d1 10+do . For such n we have 11|n = 1000do +110d1 +do
n|1001do = 11 91do .


Problem 16(e)
I, a man, 7 wives, $7^2$ sacks, $7^3$ cats, $7^4$ kids, i.e.
$1 + \sum_{i=0}^{4} 7^i = 1 + \frac{7^5 - 1}{7 - 1} = 1 + \frac{1}{6}(823543 - 1) = 1 + 137257 = 137258$

Problem 16(f )
4
4 3
1 3
4 = 3 4 = (1 + 3 ) 4

Solutions to Problems

117

Problem 17(a)
One cat catches 1 mice in 5 minutes. One cat cathes 20 mice in 100
minutes. Five cats catch 100 mice in 100 minutes.


Problem 17(b)
Let $6 \le a, b \le 10$ for $a, b \in \mathbb{N}$. Then, in general we have
$10(a - 5 + b - 5) + (10 - a)(10 - b) = 10(a + b) - 100 + 100 - 10(a + b) + ab = ab$

Problem 17(c)
One hen lays one egg in one and a half days. Seven hens lay seven
eggs in one and a half days. Seven hens lay 28 eggs in six days.


Problem 17(d)
Let the type denote at the same time the weight. Then we have
A = 2B, B = 3C, C = 5D ⇒ A = 2B = 6C = 30D.


Problem 17(e)
Because of the prime factorization 5291 = 11 · 13 · 37 and 3913 =
7 · 13 · 43 the twins are a 13 year old girl and a 13 year old boy.


Problem 18(a)
One cat catches 1 mouse in 5 minutes. One cat catches 20 mice in 100
minutes. Five cats catch 100 mice in 100 minutes.



Problem 18(b)
One must not divide by 0.

Problem 18(c)
Let n be the numerator and d be the denominator. Then we have
$\frac{n}{d} = \frac{n + 65}{d + 5} \Rightarrow 5n = 65d \Rightarrow n = 13d \Rightarrow \frac{n}{d} = 13$.

Problem 18(d)
The numbers are n, n + 1, n + 2, n + 3, n + 4 for some $n \in \mathbb{N}$. Then we
have $n^2 + (n + 1)^2 + (n + 2)^2 = (n + 3)^2 + (n + 4)^2 \Rightarrow 3n^2 + 6n + 5 = 2n^2 + 14n + 25 \Rightarrow n^2 - 8n - 20 = 0 \Rightarrow n_{1,2} = 4 \pm \sqrt{36} \Rightarrow n = 10$.

Problem 18(e)
Let b be the (price of the) bottle and w of the wine. Then b + w = 9
and w = b + 8 imply 2b + 8 = 9 or $b = \frac{1}{2}$ Euro.


Problem 18(f)
Let x be the area of his land. Then we have
$\frac{x}{3} + \frac{x}{4} + \frac{x}{5} + 26 = x \Rightarrow \frac{47}{60} x + 26 = x \Rightarrow \frac{13}{60} x = 26 \Rightarrow x = 120$.


Problem 18(g)
There are 8 sausages and each person eats $\frac{8}{3}$ sausages. Egon pays
for his $\frac{8}{3}$ sausages 8 Euro. Therefore a sausage costs 3 Euro. Hence,
Heini gets for the $3 - \frac{8}{3} = \frac{1}{3}$ sausages he has not eaten himself 1 Euro
and Carl gets for the $5 - \frac{8}{3} = \frac{7}{3}$ sausages he has not eaten himself
7 Euro.


Problem 18(h)
$\frac{1}{2} + \frac{1}{3} + \frac{1}{9} = \frac{9 + 6 + 2}{18} = \frac{17}{18}$
Thus, the oldest son gets 9 cows, the middle one 6 cows and the
youngest son 2 cows. The moderating neighbour, the 18th person,
gets no cow.


Problem 19(a)

Left plan:
time   this side   bridge   other side
00     ABCD        AD
25     BC          A        AD
30     ABC         AC       D
50     B           A        ACD
55     AB          AB       CD
65                          ABCD

Right plan:
time   this side   bridge   other side
00     ABCD        AB
10     CD          A        AB
15     ACD         CD       B
40     A           B        BCD
50     AB          AB       CD
60                          ABCD

The left plan obviously does not work. However, it saves time to let
C and D cross the bridge together. But the two must not be the first,
so that somebody faster can return the torch.



Problem 20(a)

Problem 20(b)
Put the rightmost coin on top of the coin at the intersection of the
two rows.



Problem 20(c)

Problem 20(d)
The ith vassal has to contribute i coins to the weighing. If all would
pay in 10g coins then the contributions would amount to $10 \sum_{i=1}^{30} i = 10 \cdot \frac{30 \cdot 31}{2} = 150 \cdot 31$ g. Now, if the jth vassal contributes 9g coins
then this will lead to a deficit of exactly j g, thus convicting the
jth vassal.


Problem 21(a)

time   farmers    blacksmith    apprentice
0      30                                     30
1                 30                          30
2                 25            5             30
3      3          25            2             30
       paid 27    received 25   kept 2        30

One must not mix debit and credit.

Problem 21(b)
Construct a regular tetrahedron in space (!).


Problem 21(c)
7

1
9
3

10
5


Problem 21(d)
Interchanging rows or columns leaves the number of bottles in rows
or columns unchanged. Hence, we can assume that rows and columns
are ordered according to descending number of bottles.
Then, the number of rows with six bottles must be even, namely two.
The remaining two bottles produce odd columns if put into a row,
and odd rows if put into a column.
The number of rows with four bottles is even, namely two. The remaining six bottles similarly produce odd rows or columns necessarily.
It is not possible to store 14 bottles in the tray in rows with only two
bottles.


Problem 22(a)
The last but two factor is (x − x). This implies (x − a)(x − b) . . . (x − z) =
0.



Problem 22(b)

The arrow indicates the viewing direction. The new positions are
shown. Horizontally and vertically horizontal and vertical arrows alternate. Thus, the intended position/orientation is not achievable.



Problem 22(c)
Opposite corner squares have the same color. Removing these squares
causes the number of black and white squares to differ. But, a domino
piece covers always exactly one white and one black square. Therefore,
the modified chess board cannot be covered by domino pieces.


Problem 22(d)
$n = 10t + 5 \Rightarrow n^2 = 100t^2 + 100t + 25 = 100t(t + 1) + 25$.


Problem 23(a)
No, the inner cuboid has no face on the outside. To cut it one needs
six cuts. So six is the minimum number of cuts.


Problem 23(b)
One needs for one floor $c_1 = 2$, for two floors $c_2 = c_1 + 1 + 2 \cdot 2 = 7$
and for three floors $c_3 = c_2 + 2 + 2 \cdot 3 = 15$ cards, hence in general
$c_i = c_{i-1} + (i - 1) + 2i = c_{i-1} + 3i - 1$ with $c_1 = 2$. The assumption
$c_i = Ai^2 + Bi + C$ gives $c_i = \frac{3}{2} i^2 + \frac{1}{2} i$, especially $c_{47} = \frac{3}{2} \cdot 47^2 + \frac{1}{2} \cdot 47 = \frac{1}{2} \cdot 47 (3 \cdot 47 + 1) = 47 \cdot 71$.


Problem 23(c)
?


Problem 23(d)
?

Problem 24(a)
There cannot be two black flags because the captive seeing the two
black flags would have instantaneously concluded that the flag behind
must be white.
Hence there also cannot be a single black flag because the two captives
seeing the one black flag would have instantaneously concluded that
the flags behind them must both be white. So after a while they
unanimously conclude that behind them there are only white flags.


Problem 25(a)
Let C, T, W, M denote the number of children, twens, women, and
men resp. Then we have: 2C = T, 2W = M, 3C + 3W = C + T +
W + M = 81 and 2 · 3C = 2(C + T) = W + M = 3W, thus 2C = W
and therefore C = 9, T = 18 = W, M = 36.


Problem 25(b)
FFFEEE
Take the second full glass and empty it into the second empty glass.



Problem 25(c)
=

d.h. 1 =

Problem 25(d)
With a), b) and f) we have

personnel     J                  M            B
job                              ≠ fireman
travellers    Dr. J              Dr. M        Dr. B
income        5000 Euro/month
residence                                     Ch-burg

5000 is not divisible by 3. Hence, Dr. J is no neighbour of the conductor who lives in (Ch.+N)/2 and not in N so that Dr. J lives neither in
Ch. nor in (Ch.+N)/2. Because of e) Dr. J lives in N. Also, Dr. M is
neighbour of the conductor. Because of e) the name of the conductor
is J. Therefore, the name of the is B.

personnel     J                  M            B
job           conductor          ≠ fireman    engine driver
travellers    Dr. J              Dr. M        Dr. B
income        5000 Euro/month
residence     N                  (Ch+N)/2     Ch

Problem 25(e)
Let the number of lizards, beetles and worms be L, B, and W resp.
We have L + B + W = 12. Lizards have four and beetles have six legs.
Worms have no legs. Hence, 4L + 6B = 26 implies B ∈ {1, 3}.
If B = 1, then L = 5 and W = 6 = L + B which is excluded because
of W > L + B.
If B = 3, then L = 2 and W = 7 > L + B.


Problem 25(f)
One after another we get the following jobs:
Joe
gardener

Hans
≠ musician, ≠ gardener

chauffeur

painter

Klaus
≠ gardener
musician
merchant

barber



Problem 25(g)

We assume that sisters have the same last name.

Martin
Bettina
Pieper

Problem 26(a)
There is $1^2 = 1$ square with side length 8.
There are $2^2 = 4$ squares with side length 7.
There are $3^2 = 9$ squares with side length 6.
...
There are $8^2 = 64$ squares with side length 1.

In total, there are $\sum_{i=1}^{8} i^2 = \left. \frac{n (n + 1/2)(n + 1)}{3} \right|_{n=8} = \frac{8 \cdot 8.5 \cdot 9}{3} = \frac{24 \cdot 17}{2} = 12 \cdot 17 = 204$ squares.


Problem 26(b)
To color the three outer sectors one needs three colors. Then, to color the inner disk one needs another
fourth color. cp.
http://en.wikipedia.org/wiki/Four_color_theorem


Problem 26(c)
???


Problem 27(a)



Problem 28(a)
At t = 0 start both sand glasses. At t = 7 turn both sandglasses.
After 4 min, i.e. at t = 11 the 11-min sand glass is drained. Turn the
7-min sand glass, in order to measure the rest 4 min.



Problem 29(a)
The clock is late 6min/24 = 1/4min = 15sec per hour, i.e. in 24 +
20 = 44 hours it is 11 min late and at 8h it shows 7:49h.


Problem 29(b)
For the third woman is exactly one bread left: she buys half of it and
another half so that all bread is sold.
For the second woman there are three breads left: she buys one and
a half and another half leaving the one bread for the third woman.
For the first woman there are seven breads left: she buys three and a
half and another half leaving the three breads for the third woman.
The baker has sold seven loaves of bread.


Problem 29(c)
A quarter of an hour has 15 · 60 = 900 seconds. The stamp tool prints
numbers 0 to 899 in the first to the 900th second. The sequence 0, 1,
. . . , 99 contains 10+10=20 ones. The sequence 100, 101, . . . , 199
contains 120 ones. In total, the stamp tool prints 280 ones.


Problem 30(a)
For the number n of campaigners we have n mod 2 = 1, n mod 3 = 2,
. . . n mod 10 = 9. And the Chinese remainder theorem produces n =
2519, s.a.
www.arndt-bruenner.de/mathe/scripts/chinesischerRestsatz.htm

Problem 30(b)
Let S and B be the number of sisters and brothers resp.
S − 1 = B, S = 2(B − 1) ⇒ B = 3, S = 4.

Problem 30(c)
Let A and B be the age of the first and the second sister resp. Then,
we have
$A - B = 4$, $A^3 - B^3 = 988 = (A - B)(A^2 + AB + B^2)$
$\Rightarrow A^2 + AB + B^2 = A^2 + A(A - 4) + (A - 4)^2 = 247$
$\Rightarrow 3A^2 - 12A - 231 = 0$
$\Rightarrow A^2 - 4A - 77 = 0 \Rightarrow A = 11, B = 7$.

Problem 31(a)
There are n cows, n pigs, n horses and n rabbits of which survived $\frac{4}{5} n$
cows, $\frac{4}{5} n$ pigs, $\frac{1}{5} n$ horses and $r n$ rabbits. Then we have $\frac{5}{14} = \frac{r n}{\frac{9}{5} n + r n} = \frac{r}{\frac{9}{5} + r}$, hence 9 + 5r = 14r and therefore r = 1, so that no rabbit died.


Problem 32(a)
Let B be the price of the bottle and W be the price of the wine. Then
we have 9 = B + W = B + (B + 8) = 2B + 8, i.e. 2B = 1 and hence
$B = \frac{1}{2}$.

Problem 32(b)
Each son has to get the amount of $\frac{1}{3}(10 + 5) = 5$ barrels full of wine.
Fill half the wine of each of the full barrels into one of the empty
barrels. Then we have 30 half empty barrels and each son gets 10 of
them.


Problem 33(a) The first three Fermat numbers

$F(1) = 2^{2^1} + 1 = 5$, $F(2) = 2^{2^2} + 1 = 17$, $F(3) = 2^{2^3} + 1 = 257$

can easily be verified to be prime. Using calc.exe, a pocket calculator, www.weblearn.hs-bremen.de/risse/MAI/docs/numerics.pdf,
etc. also the fourth Fermat number F(4) is verified to be prime.

$F(4) = 2^{2^4} + 1 = 65537$

Not until Euler¹⁵ was the fifth Fermat number factorised:

$F(5) = 2^{2^5} + 1 = 4294967297 = 641 \cdot 6700417$

This and a fortiori factorisation of the sixth Fermat number

$F(6) = 2^{2^6} + 1 = 18446744073709551617 = 274177 \cdot 67280421310721$

today is conveniently possible using powerful tools like Mathematica,
Maple, MATLAB, MuPAD, etc. (cp. /risse/symbolic/)

15 Leonhard Euler (1707-1783) www-history.mcs.st-and.ac.uk/Biographies/Euler.html

Problem 34(a)
For example,
$E(41) = 1681 = 41^2$
and similarly
$E(42) = 1763 = 41 \cdot 43$.
To carry on s.a. www.weblearn.hs-bremen.de/risse/MAI/,
www.cs.unb.ca/profs/alopez-o/math-faq/math-faq.pdf

Problem 35(a)
Namely, M(11) = 2047 = 23 · 89.
The Lucas¹⁶-Lehmer¹⁷-test, s. e.g. (3.2.8 What is the current status
on Mersenne primes?) of
www.cs.unb.ca/profs/alopez-o/math-faq/math-faq.pdf tests efficiently whether a Mersenne number is prime or not. In 1999 a record in
the Great Internet Mersenne Prime Search (GIMPS) was established
showing that M(6972593), a number with 2098960 digits, is prime.
Everybody can provide idle cycles of PCs to compute prime Mersenne
numbers, s. Great Internet Mersenne Prime Search (GIMPS)
GIMPS runs many more projects of distributed computing.

16 François E.A. Lucas (1842-1891) www-history.mcs.st-and.ac.uk/Biographies/Lucas.html
17 Derrick N. Lehmer (1867-1938) www.math.berkeley.edu/publications/newsletter/2000/lehmer.html

Problem 36(a)
It is the (n mod 7)th day of the week if we arrange the days of the
week cyclically numbered from 0 to 6 starting with today's day of the
week.


Problem 36(b)
It is the ((7 − (n mod 7)) mod 7)th day of the week if we arrange the
seven days of the week cyclically numbered from 0 to 6 starting with
today's day of the week.



Problem 36(c)
E.g. see
www.cl.cam.ac.uk/~mgk25/iso-time.html

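Problem 37(a)
By definition we have for $m, n, r \in \mathbb{N}$
$n \bmod m = r \Leftrightarrow n = v \cdot m + r$ for some $v \in \mathbb{N}$
$\Leftrightarrow n - r = v \cdot m$ for some $v \in \mathbb{N}$
$\Leftrightarrow m \mid n - r \Leftrightarrow n \equiv r \pmod m$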


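Problem 37(b)
additivity:
$n_1 \equiv r_1 \pmod m \Rightarrow n_1 - r_1 = v_1 m$
$n_2 \equiv r_2 \pmod m \Rightarrow n_2 - r_2 = v_2 m$
$\Rightarrow (n_1 + n_2) \equiv (r_1 + r_2) \pmod m$ since $n_1 + n_2 - (r_1 + r_2) = (v_1 + v_2) m$
multiplicativity:
$n_i \equiv r_i \pmod m$
$\Rightarrow m \mid n_1 - r_1 \Rightarrow m \mid r_2 (n_1 - r_1)$
and $m \mid n_2 - r_2 \Rightarrow m \mid n_1 (n_2 - r_2)$
$\Rightarrow m \mid r_2 (n_1 - r_1) + n_1 (n_2 - r_2) = n_1 n_2 - n_1 r_2 + n_1 r_2 - r_1 r_2$
$\Rightarrow n_1 n_2 \equiv r_1 r_2 \pmod m$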


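Problem 37(c)
scalar multiples
$n \equiv r \pmod m \Rightarrow m \mid n - r \Rightarrow m \mid c (n - r) \Rightarrow c \cdot n \equiv c \cdot r \pmod m$

powers either by multiplicativity or directly by induction: p = 1,
which leaves us to show $n^p \equiv r^p \pmod m \Rightarrow n^{p+1} \equiv r^{p+1} \pmod m$

$n \equiv r \pmod m \Rightarrow m \mid n - r \Rightarrow m \mid r^p (n - r)$
$n^p \equiv r^p \pmod m \Rightarrow m \mid n^p - r^p \Rightarrow m \mid n (n^p - r^p)$
$\Rightarrow m \mid r^p (n - r) + n (n^p - r^p) = n^{p+1} - n r^p + n r^p - r^{p+1}$
$\Rightarrow n^{p+1} \equiv r^{p+1} \pmod m$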


Problem 37(d)
transitivity
$r \equiv s \pmod m$, $s \equiv t \pmod m \Rightarrow m \mid r - s$, $m \mid s - t$
$\Rightarrow m \mid (r - s) + (s - t) = r - t \Rightarrow r \equiv t \pmod m$


Problem 38(a)
Division by 3: (due to exponentiation)
$10^0 = 1 \equiv 1 \pmod 3$, $10^p \equiv 1 \pmod 3$
and (due to multiplicativity)
$z_i 10^i \equiv z_i \cdot 1 \pmod 3 \Rightarrow n = \sum_{i=0} z_i 10^i \equiv \sum_{i=0} z_i \pmod 3$
Specially we have
$s(n) \equiv 0 \pmod 3 \Leftrightarrow n \equiv 0 \pmod 3$
Division by 9: analogously! e.g.
1234567890 mod 3 = (1 + 2 + . . . + 9) mod 3 = 45 mod 3 = 0
1234567890 mod 9 = (1 + 2 + . . . + 9) mod 9 = 45 mod 9 = 0
The common tests for divisibility by 2, 4 or 5 are deduced correspondingly.


Problem 38(b)
Remainders when dividing powers of 10 by 11:
$10^0 \equiv 1 \pmod{11}$, $10^1 \equiv 10 \pmod{11}$
$\Rightarrow 10^{2i} \equiv 1 \pmod{11}$, $10^{2i+1} \equiv 10 \pmod{11} \equiv -1 \pmod{11}$
Arithmetic modulo 11 gives
$z_{2i} 10^{2i} \equiv z_{2i} \pmod{11}$ and $z_{2i+1} 10^{2i+1} \equiv -z_{2i+1} \pmod{11}$
Together with transitivity we get a test for the divisibility by 11:
$11 \mid \sum_{i=0} (-1)^i z_i \Leftrightarrow 11 \mid \sum_{i=0} z_i 10^i$
and e.g.
1234567890 mod 11 = (−1 + 2 − 3 + 4 − 5 + 6 − 7 + 8 − 9 + 0) mod 11 =
−5 mod 11 = 6


Problem 38(c)
Some examples may illustrate the procedure:
Check digit of ISBN 1-86197-222 is 1-86197-222-9 because
1·1+2·8+3·6+4·1+5·9+6·7+7·2+8·2+9·2 = 174 mod 11 = 9 mod 11
Check digit of ISBN 3-933146-67 is 3-933146-67-4 because
1·3+2·9+3·3+4·3+5·1+6·4+7·6+8·6+9·7 = 48 mod 11 = 4 mod 11
Check digit of ISBN 3-933146-43 is 3-933146-43-7 because
1·3+2·9+3·3+4·3+5·1+6·4+7·6+8·4+9·3 = 51 mod 11 = 7 mod 11
Check digit of ISBN 0-550-10206 is 0-550-10206-X because
1·0+2·5+3·5+4·0+5·1+6·0+7·2+8·0+9·6 = 32 mod 11 = 10 mod 11
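
The check-digit rule used in the four examples above, as an added example in JavaScript (not code from the original document). The function names are assumptions; the weights 1..9, the modulus 11 and the symbol X for remainder 10 are the ones the examples use. The last function counts how many single-digit substitutions and adjacent transpositions in the first nine digits would pass validation.

```javascript
// Added example: ISBN-10 check digit, weights 1..9, modulus 11, 'X' for 10.
// Function names are assumptions made for this example.

function isbn10CheckDigit(first9) {
  const digits = first9.replace(/-/g, '');
  if (!/^\d{9}$/.test(digits)) throw new Error('need exactly 9 digits');
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += (i + 1) * Number(digits[i]);
  const r = sum % 11;
  return r === 10 ? 'X' : String(r);
}

function isbn10IsValid(isbn) {
  const s = isbn.replace(/-/g, '').toUpperCase();
  if (!/^\d{9}[\dX]$/.test(s)) return false;
  return isbn10CheckDigit(s.slice(0, 9)) === s[9];
}

// Count corruptions of the first nine digits that the check digit fails to catch.
function undetectedErrors(isbn) {
  const s = isbn.replace(/-/g, '').toUpperCase();
  let substitutions = 0;
  let transpositions = 0;
  for (let i = 0; i < 9; i++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === s[i]) continue;
      const t = s.slice(0, i) + d + s.slice(i + 1);
      if (isbn10IsValid(t)) substitutions++;
    }
  }
  for (let i = 0; i < 8; i++) {
    if (s[i] === s[i + 1]) continue; // swapping equal digits changes nothing
    const t = s.slice(0, i) + s[i + 1] + s[i] + s.slice(i + 2);
    if (isbn10IsValid(t)) transpositions++;
  }
  return { substitutions, transpositions };
}

// The four ISBNs from the solution above
for (const p of ['1-86197-222', '3-933146-67', '3-933146-43', '0-550-10206']) {
  console.log(p + '-' + isbn10CheckDigit(p));
}
console.log(undetectedErrors('1-86197-222-9'));
```

Because 11 is prime and every weight and every digit difference is nonzero modulo 11, both counters stay at zero.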


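Problem 38(d) Remainders when dividing powers of 10 by 7:

$10^0 \equiv 1 \pmod 7$      $10^{7i+0} \equiv 1 \pmod 7 \equiv -6 \pmod 7$
$10^1 \equiv 3 \pmod 7$      $10^{7i+1} \equiv 3 \pmod 7 \equiv -4 \pmod 7$
$10^2 \equiv 2 \pmod 7$      $10^{7i+2} \equiv 2 \pmod 7 \equiv -5 \pmod 7$
$10^3 \equiv 6 \pmod 7$      $10^{7i+3} \equiv 6 \pmod 7 \equiv -1 \pmod 7$
$10^4 \equiv 4 \pmod 7$      $10^{7i+4} \equiv 4 \pmod 7 \equiv -3 \pmod 7$
$10^5 \equiv 5 \pmod 7$      $10^{7i+5} \equiv 5 \pmod 7 \equiv -2 \pmod 7$
$10^6 \equiv 1 \pmod 7$      $10^{7i+6} \equiv 1 \pmod 7 \equiv -6 \pmod 7$

Arithmetic modulo 7 implies for each $n = \sum_{i=0} z_i 10^i$

$n \equiv \sum_{i=0} \left( z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} - z_{7i+3} - 3 z_{7i+4} - 2 z_{7i+5} + z_{7i+6} \right) \pmod 7$

Together with transitivity we get a test for the divisibility by 7:

$7 \mid \sum_{i=0} \left( z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} - z_{7i+3} - 3 z_{7i+4} - 2 z_{7i+5} + z_{7i+6} \right) \Leftrightarrow 7 \mid \sum_{i=0} z_i 10^i$

and e.g. 1234567890 mod 7 = (2·1+3·2+1·3+1·4−2·5−3·6−1·7+
2·8+3·9+1·0) mod 7 = (2+6+3+4−10−18−7+16+27) mod 7 =
23 mod 7 = 2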


Problem 38(e) Parity or Cyclic Redundancy Check, CRC are examples of Error Detecting Codes, EDC or even Error Correcting Codes,
ECC. Using them hardens data against corruption and loss of data
when transmitting (LAN, wLAN, satellite, ...) or storing (HD, RAID,
CD-ROM, DVD ...).

e.g. Set the parity bit $b_0$ for odd or even parity such that the number
of set bits in a bit string $b_1 \ldots b_n$ inclusive parity bit $b_0$ is odd
or even resp. By a single parity bit single, i.e. 1-bit errors are
detected.

$\sum_{i=0}^{n} b_i = \begin{cases} 1 \bmod 2 & \text{for odd parity} \\ 0 \bmod 2 & \text{for even parity} \end{cases}$

By the way, odd parity is standard¹⁸ for synchronous, even parity
for asynchronous transmission.

e.g. Obviously it is more demanding to correct errors than only to
detect errors. Correspondingly, algorithms to correct errors like
CRC or Reed-Solomon-Codes are more complex.

Explanations of relevant procedures to correct errors can be found
e.g. at
Cyclic Redundancy Codes, CRC, s.
ftp.informatik.uni-trier.de/pub/Users-CTVD/sack/ep/CRC.txt
Reed¹⁹-Solomon¹⁹-Code, s. www.4i2i.com/reed solomon codes.htm,
www.cs.cornell.edu/Courses/cs722/2000sp/ReedSolomon.pdf
...

18 see e.g. www.its.bldrdoc.gov/projects/t1glossary2000/ parity check.html
19 Irving Reed (1923-?), Gustave Solomon (1931-1996)
hotwired.lycos.com/synapse/feature/97/29/silberman2a 1.html

Problem 39(a)
Let a < b (otherwise there is nothing to do).
Let b = va + r with r = b mod a.
If r = 0 then gcd(a, b) = a and gcd(a, (va) mod a) = gcd(a, 0) = a.
If r > 0 then for d = gcd(a, r) we have d | a and d | r and therefore
also d | b = va + r.
It remains to show that d is the greatest divisor of a and b. For
a $d' \in \mathbb{N}$ with $d' \mid a$ and $d' \mid b = va + r$ it follows $d' \mid r$. Due to
d = gcd(a, r) we have $d' \mid d$.
In total gcd(a, r) = d = gcd(a, b) is deduced.


Problem 39(b)

Recursive version of Euclid's algorithm

function gcd(a, b)
{
  if (b == 0) return a; else return gcd(b, a % b);
}

The algorithm terminates because the arguments in turns are decremented by at least 1 in each step of the recursion.

Iterative version of Euclid's algorithm

function gcd(a, b)
{
  var tmp;
  while (b != 0) { tmp = b; b = a % b; a = tmp; }
  return a;
}

Problem 39(c)
Proof of FLT see e.g. [25] pp. 54-55
If p is prime then $G = (\mathbb{Z}/p\mathbb{Z})^* = \{1, 2, \ldots, p - 1\}$ is a multiplicative
group with p − 1 elements (i.e. closed under multiplication modulo p
with unit 1), hence a group of order ord(G) = p − 1.
Each $x \in G$ generates a subgroup $\langle x \rangle = \{x^1, x^2, \ldots\}$ in $G \supseteq \langle x \rangle$.
As G can be represented as disjoint union of the coset classes $g \langle x \rangle$
(with identical cardinality $|g \langle x \rangle|$ for all $g \in G$) we have as for
each subgroup H of a group G
$\mathrm{ord}(x) = \mathrm{ord}(\langle x \rangle) \mid \mathrm{ord}(G)$
For $a \in G$, i.e. relatively prime to p we have $v \cdot \mathrm{ord}(a) = \mathrm{ord}(G)$ and
thus
$a^{p-1} = a^{\mathrm{ord}(G)} = a^{v \cdot \mathrm{ord}(a)} = (a^{\mathrm{ord}(\langle a \rangle)})^v = 1^v = 1$
representing Fermat's little theorem.
$a^{p-1} \equiv 1 \pmod p$

E.g. m = 11111 is not prime because $2^{11110} \equiv 10536 \pmod{11111}$
since
$2^{15} \equiv 10546 \pmod m$, $2^{90} \equiv 10546^6 \pmod m \equiv 7830 \pmod m$
$2^{150} \equiv 10546^{10} \pmod m \equiv 3771 \pmod m$, $2^{310} \equiv 10536 \pmod m$
$2^{540} \equiv 7830^6 \pmod m \equiv 1 \pmod m$, $2^{10800} = (2^{540})^{20} \equiv 1 \pmod m$

Equally, m = 11111 is not prime because $3^{11110} \equiv 2410 \pmod{11111}$
since
$3^9 \equiv 19683 \pmod m \equiv 8572 \pmod m$, $3^{10} \equiv 3494 \pmod m$
$3^{60} \equiv 3494^6 \pmod m \equiv 9757 \pmod m$, $3^{70} \equiv 2410 \pmod m$
$3^{120} \equiv 9757^2 \pmod m \equiv 1 \pmod m$, $3^{11040} = (3^{120})^{92} \equiv 1 \pmod m$

Problem 39(d)
The implication is equivalent to FLT with p = n and a = 2.
FLT: $2^{n-1} \equiv 1 \pmod n \Leftrightarrow 2^{n-1} - 1 \equiv 0 \pmod n \Leftrightarrow n \mid 2^{n-1} - 1$.
But, let n = 341. Due to 341 = 11 · 31, n is composite, that is not
prime. However $2^{340} \equiv 1 \pmod{341}$, because
$2^{10} = 3 \cdot 341 + 1 \Rightarrow 2^{10} - 1 = 3 \cdot 341 \Rightarrow 341 \mid 2^{10} - 1 \Rightarrow 2^{10} \equiv 1 \pmod{341}$
Taking powers generates a counter example:
$2^{340} \equiv 1 \pmod{341} \Rightarrow 341 \mid 2^{340} - 1$
E.g. 341 is composite because $3^{340} \equiv 56 \pmod{341}$ due to
$3^6 = 47 \bmod 341$, $3^7 = 141 \bmod 341$, $3^8 = 82 \bmod 341$
$3^9 = 246 \bmod 341$, $3^{10} = 56 \bmod 341$, $3^{30} = 1 \bmod 341$
$3^{330} = 1 \bmod 341$, together therefore $3^{340} = 56 \bmod 341$
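
The computations of Problems 39(c) and 39(d) as an added example in JavaScript (not code from the original document): a Fermat test by square-and-multiply that reports the base exposing a composite. The function names are assumptions; the moduli 341 and 11111 and the bases 2 and 3 are the ones used above.

```javascript
// Added example: Fermat test a^(n-1) mod n with BigInt square-and-multiply.
// Function names are assumptions made for this example.

function modPow(base, exp, mod) {
  let b = BigInt(base) % BigInt(mod);
  let e = BigInt(exp);
  const m = BigInt(mod);
  let r = 1n % m;
  while (e > 0n) {
    if (e & 1n) r = (r * b) % m; // multiply step for a set exponent bit
    b = (b * b) % m;             // square step
    e >>= 1n;
  }
  return r;
}

// a^(n-1) mod n; by Fermat's little theorem this is 1 if n is prime and gcd(a, n) = 1
function fermatResidue(a, n) {
  return Number(modPow(a, BigInt(n) - 1n, n));
}

// Try each base in turn; the first base with residue != 1 proves n composite.
function fermatTest(n, bases) {
  for (const a of bases) {
    const residue = fermatResidue(a, n);
    if (residue !== 1) return { verdict: 'composite', witness: a, residue };
  }
  return { verdict: 'probably prime', witness: null, residue: 1 };
}

console.log(fermatResidue(2, 341));   // base 2 does not expose 341 = 11 * 31
console.log(fermatResidue(3, 341));   // base 3 does
console.log(fermatTest(341, [2]));
console.log(fermatTest(341, [2, 3]));
console.log(fermatTest(11111, [2, 3]));
console.log(fermatTest(65537, [2, 3, 5])); // F(4), the prime from Problem 33(a)
```

A residue of 1 for one base proves nothing: 341 passes with base 2 and is exposed only by base 3.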


Problem 40(a)
Let |M| denote the cardinality of a set M, i.e. the number of elements
of M, then obviously
$\varphi(p) = |\{m \in \mathbb{N} : m < p, \gcd(m, p) = 1\}| = |\{1, 2, \ldots, p - 1\}| = p - 1$
$\varphi(n)$ is easily evaluated for small arguments n:

n     φ(n)      n     φ(n)      n     φ(n)
                11    10        21    12
2     1         12    4         22    10
3     2         13    12        23    22
4     2         14    6         24    8
5     4         15    8         25    20
6     2         16    8         26    12
7     6         17    16        27    18
8     4         18    6         28    12
9     6         19    18        29    28
10    4         20    8         30    8


Problem 40(b)
It is to be shown that there are $p^{k-1} - 1$ different $m < p^k$ with a
common divisor with $p^k$, i.e. with at least the divisor p.
$|\{m = vp : m = vp < p^k\}| = |\{m = vp : 1 \le v < p^{k-1}\}| = p^{k-1} - 1$
Hence
$\varphi(p^k) = |\{1, 2, \ldots, p^k - 1\} \setminus \{m = vp : 1 \le v < p^{k-1}\}|$
$= |\{1, 2, \ldots, p^k - 1\}| - |\{m = vp : 1 \le v < p^{k-1}\}|$
$= p^k - 1 - (p^{k-1} - 1) = p^k - p^{k-1}$


Problem 40(c) Let $n = r \cdot s$ with relatively prime factors r and s.
The set $M = \{m \in \mathbb{N} : m < n, \gcd(m, n) = 1\}$ can be enumerated as
follows: Each $r'$ relatively prime to r and each $s'$ relatively prime to
s specifies an $m = r' s'$ relatively prime to n, i.e.
$\{r' < r : \gcd(r', r) = 1\} \times \{s' < s : \gcd(s', s) = 1\} \to M$
Vice versa, each divisor of $m \in M$ is divisor either of r or of s. Its
prime factor decomposition can be thought as a product of two factors
relatively prime to either r or to s.
$\varphi(n) = |M|$
$= |\{r' < r : \gcd(r', r) = 1\} \times \{s' < s : \gcd(s', s) = 1\}|$
$= |\{r' < r : \gcd(r', r) = 1\}| \cdot |\{s' < s : \gcd(s', s) = 1\}|$
$= \varphi(r) \cdot \varphi(s)$


Problem 40(d)
Each $n \in \mathbb{N}$ has a prime factor decomposition
$n = \prod_{i=1}^{v} p_i^{v_i}$
where $v_i$ denotes the multiplicity of the prime factor $p_i$ and v the
number of prime factors. Therefore
$\varphi(n) = \prod_{i=1}^{v} \left( p_i^{v_i} - p_i^{v_i - 1} \right) = n \prod_{i=1}^{v} \left( 1 - 1/p_i \right)$
but only if the prime factor decomposition of n is known at all.

If p and q are prime and $n = p \cdot q$ then specially
$\varphi(n) = \varphi(pq) = \varphi(p) \varphi(q) = (p - 1)(q - 1) = pq - p - q + 1 = n - (p + q) + 1$


Problem 40(e) Proof according to [25] p. 57
As in the proof of Fermat's Little Theorem let $G = (\mathbb{Z}/n\mathbb{Z})^*$, i.e.
the group of the invertible elements of $\mathbb{Z}/n\mathbb{Z}$ with unit $[1] \in \mathbb{Z}/n\mathbb{Z}$.
G consists of the elements $[m] \in \mathbb{Z}/n\mathbb{Z}$ whose representatives m have
a modulo-n inverse. These are exactly the elements [m] with representatives m relatively prime to n. Hence $G = \{[m] : 1 \le m < n, \gcd(m, n) = 1\}$ and therefore $\mathrm{ord}(G) = \varphi(n)$.
With gcd(a, n) = 1 we have $[a] \in G$ and thus $a^{\mathrm{ord}(G)} = [1]$ or
$a^{\varphi(n)} = a^{\mathrm{ord}(G)} \equiv 1 \pmod n$


Problem 41(a)
$\gcd(m_i, m_j) = 1$ implies $\gcd(b_i, m_i) = 1$ for i = 1, . . . , n.
Therefore, the (modulo $m_i$)-inverse $x_i$ to $b_i$ exists, i.e.
$x_i b_i \equiv 1 \pmod{m_i}$ for i = 1, . . . , n
Also $b_i x_i \equiv 0 \pmod{m_j}$ if $i \ne j$, hence $x_i b_i \equiv \delta_{ij} \pmod{m_j}$. With
$x = \sum_{i=1}^{n} x_i b_i r_i$
we get for j = 1, . . . , n
$x \bmod m_j = \sum_{i=1}^{n} (x_i b_i r_i) \bmod m_j = (x_j b_j r_j) \bmod m_j = r_j$

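Problem 41(b)
Obviously
$x = y \bmod p \Rightarrow x - y \in p\mathbb{Z} \Rightarrow p \mid (x - y)$
$x = y \bmod q \Rightarrow x - y \in q\mathbb{Z} \Rightarrow q \mid (x - y)$
Because p and q are by assumption relatively prime, we get
$(pq) \mid (x - y) \Rightarrow x - y \in (pq)\mathbb{Z} \Rightarrow x = y \bmod (pq)$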


Problem 41(c) Let a be the age to be computed. Ask for

$r_1 = a \% 3$,   $a = r_1 \bmod 3$,   $a \equiv r_1 \pmod 3$
$r_2 = a \% 5$,   $a = r_2 \bmod 5$,   $a \equiv r_2 \pmod 5$
$r_3 = a \% 7$,   $a = r_3 \bmod 7$,   $a \equiv r_3 \pmod 7$

Then $m = \prod_{i=1}^{3} m_i = 3 \cdot 5 \cdot 7 = 105$ and additionally $b_1 = 105/3 = 35$,
$b_2 = 105/5 = 21$ and $b_3 = 105/7 = 15$. The (modulo $m_i$)-inverses are
$x_1 = 2$ because $2 \cdot 35 = x_1 b_1 = 1 \bmod m_1 = 1 \bmod 3$,
$x_2 = 1$ because $1 \cdot 21 = x_2 b_2 = 1 \bmod m_2 = 1 \bmod 5$ and
$x_3 = 1$ because $1 \cdot 15 = x_3 b_3 = 1 \bmod m_3 = 1 \bmod 7$.
Therefore
$a = \sum_{i=1}^{3} x_i b_i r_i \bmod m = (70 r_1 + 21 r_2 + 15 r_3) \bmod 105$
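
The construction of Problems 41(a) and 41(c) as an added example in JavaScript (not code from the original document). It goes beyond the text in one respect: `crtGeneral` also merges congruences whose moduli are not pairwise coprime, which is the situation of Problem 30(a) with the moduli 2, ..., 10. All function names are assumptions.

```javascript
// Added example: Chinese remainder theorem. Function names are assumptions.

// Extended Euclid: returns [g, u, v] with u*a + v*b = g = gcd(a, b)
function extGcd(a, b) {
  let [r0, r1] = [a, b];
  let [u0, u1] = [1, 0];
  let [v0, v1] = [0, 1];
  while (r1 !== 0) {
    const q = Math.floor(r0 / r1);
    [r0, r1] = [r1, r0 - q * r1];
    [u0, u1] = [u1, u0 - q * u1];
    [v0, v1] = [v1, v0 - q * v1];
  }
  return [r0, u0, v0];
}

const mod = (x, m) => ((x % m) + m) % m; // non-negative remainder

function modInverse(b, m) {
  const [g, u] = extGcd(mod(b, m), m);
  if (g !== 1) throw new Error(b + ' has no inverse modulo ' + m);
  return mod(u, m);
}

// Coefficients x_i * b_i of the text: for moduli 3, 5, 7 these are 70, 21, 15
function crtCoefficients(moduli) {
  const m = moduli.reduce((p, mi) => p * mi, 1);
  return moduli.map((mi) => {
    const bi = m / mi;
    return modInverse(bi, mi) * bi;
  });
}

// x = sum x_i b_i r_i mod m, for pairwise coprime moduli
function crtCoprime(remainders, moduli) {
  const m = moduli.reduce((p, mi) => p * mi, 1);
  const coeff = crtCoefficients(moduli);
  const x = coeff.reduce((s, c, i) => (s + c * remainders[i]) % m, 0);
  return { x, m };
}

// Merge congruences one at a time; returns null if they contradict each other.
function crtGeneral(remainders, moduli) {
  let x = 0;
  let m = 1;
  for (let i = 0; i < moduli.length; i++) {
    const mi = moduli[i];
    const [g, u] = extGcd(m, mi);          // u*(m/g) = 1 mod (mi/g)
    const diff = remainders[i] - x;
    if (diff % g !== 0) return null;       // no common solution
    const t = mod((diff / g) * u, mi / g); // x + m*t = r_i mod mi
    x = x + m * t;
    m = (m / g) * mi;                      // lcm of the moduli so far
    x = mod(x, m);
  }
  return { x, m };
}

console.log(crtCoefficients([3, 5, 7]));
console.log(crtCoprime([37 % 3, 37 % 5, 37 % 7], [3, 5, 7])); // constructed age 37
const k = [2, 3, 4, 5, 6, 7, 8, 9, 10];
console.log(crtGeneral(k.map((q) => q - 1), k));              // Problem 30(a)
```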

Problem 42(a) Use a + 0 = 0 + a = a and a · 1 = 1 · a = a to
determine all but one result in the addition resp. in the multiplication
table.

+ | 0 1        · | 0 1
0 | 0 1        0 | 0 0
1 | 1 0        1 | 0 1

If we defined 1 + 1 = 1, then 1 would have no inverse w.r.t. addition.
If we defined 1 · 1 = 0, then 1 would have no inverse w.r.t. multiplication.
We can interpret and implement addition as XOR or as addition modulo 2. We can interpret and implement multiplication as AND or as
multiplication modulo 2.


Problem 42(b) Commutative addition and multiplication in GF(3)

+ | 0 1 2        · | 0 1 2
0 | 0 1 2        0 | 0 0 0
1 | 1 2 0        1 | 0 1 2
2 | 2 0 1        2 | 0 2 1


Problem 42(c) Commutative addition and multiplication in GF(5)

+ | 0 1 2 3 4        · | 0 1 2 3 4
0 | 0 1 2 3 4        0 | 0 0 0 0 0
1 | 1 2 3 4 0        1 | 0 1 2 3 4
2 | 2 3 4 0 1        2 | 0 2 4 1 3
3 | 3 4 0 1 2        3 | 0 3 1 4 2
4 | 4 0 1 2 3        4 | 0 4 3 2 1


Problem 42(d) For any prime p, addition modulo p makes GF(p)
a commutative group and multiplication modulo p makes GF(p)* a
commutative group with distributivity.

[Interactive form: fields a, b, a+b, a·b, m = 6; buttons eval, reset]

However, for $p, q \in \mathrm{GF}(pq)$ inadmissibly $p \cdot q = 0$ would hold, i.e. the
product of factors different from zero would vanish.


Problem 43(a) For any $r(x) = \sum_{i=0}^{n-1} r_i x^i \in \mathrm{GF}(p^n)$ and any $s(x) = \sum_{i=0}^{n-1} s_i x^i \in \mathrm{GF}(p^n)$ with $r_i, s_i \in \mathrm{GF}(p)$ define
$(r + s)(x) := \sum_{i=0}^{n-1} (r_i + s_i) x^i \in \mathrm{GF}(p^n)$
Then obviously, $(\mathrm{GF}(p^n), +)$ is a commutative (additive) group. Its
zero element is the constant polynomial $\mathrm{zero}(x) = 0 x^0$. The inverse
of a polynomial $q(x) = \sum_{i=0}^{n-1} c_i x^i \in \mathrm{GF}(p^n)$ w.r.t. addition is the
polynomial $-q(x) = \sum_{i=0}^{n-1} (p - c_i \bmod p) x^i \in \mathrm{GF}(p^n)$.

[Interactive form: r = 1,0,1,0; s = 1,1,0,1,1; fields r, s, r+s; p = 2; n = 8; buttons add, s := r, reset]


Problem 43(b)
Let $r(x) = \sum_{i=0}^{n-1} r_i x^i \in \mathrm{GF}(p^n)$ and $s(x) = \sum_{i=0}^{n-1} s_i x^i \in \mathrm{GF}(p^n)$
with $r_i, s_i \in \mathrm{GF}(p)$. Then
$(r \cdot s)(x) := \sum_{i=0}^{2n-2} x^i \sum_{j=0}^{i} r_j s_{i-j} \in P(2n - 1)$
Because obviously $r \cdot s \in P(2n - 1)$ in general, the product of factors
in $\mathrm{GF}(p^n)$ is itself not necessarily in $\mathrm{GF}(p^n)$.


Problem 43(c) Then, the polynomial m has to have degree n. A
polynomial m of lower degree does not suffice as the following example
for GF(2^2) shows.

m(x) = x
·   | 0   1     x     x+1
0   | 0   0     0     0
1   | 0   1     x     x+1
x   | 0   x     0     0
x+1 | 0   x+1   0     1

m(x) = x + 1
·   | 0   1     x     x+1
0   | 0   0     0     0
1   | 0   1     x     x+1
x   | 0   x     1     0
x+1 | 0   x+1   0     0

In both cases there are contradictions. In case m(x) = x for example,
x has no inverse element. In case m(x) = x + 1 for example, x + 1 has
no inverse element.


Problem 43(d) Then, m has to be irreducible, i.e. m cannot be represented as the product of two non-constant polynomials with lower
degree. Namely, assuming $m = m_1 \cdot m_2$ with non-constant $m_1$ and $m_2$
of degree not bigger than n. Then $m_1, m_2 \in \mathrm{GF}(p^n)$ and $m_1 \cdot m_2 = 0$
in $\mathrm{GF}(p^n)$ holds.


Problem 43(e) $m_1$ is reducible over GF(2) because of $m_1(x) = x^2 + 1 = x^2 + 2x + 1 = (x + 1)^2$. Exhaustive listing of all suitable
products shows $m_2 = x^2 + x + 1$ to be irreducible over GF(2).
$x \cdot x = x^2$
$x \cdot (x + 1) = x^2 + x$
$(x + 1) \cdot x = x^2 + x$
$(x + 1) \cdot (x + 1) = x^2 + 2x + 1 = x^2 + 1$


Problem 44(a) Multiplication in GF(2^2) = GF(2)[x]/m(x) with
$m(x) = x^2 + x + 1$ is given by the following table

·   | 0   1     x     x+1
0   | 0   0     0     0
1   | 0   1     x     x+1
x   | 0   x     x+1   1
x+1 | 0   x+1   1     x

because
$x^2 = x + 1 \bmod m(x)$
and
$x(x + 1) = x^2 + x = x + 1 + x = 1 \bmod m(x)$
and
$(x + 1)^2 = x^2 + 2x + 1 = x^2 + 1 = x + 2 = x \bmod m(x)$.
The inverse elements can be read directly from the multiplication
table.


Problem 44(b) For $r(x) = \sum_{i=0}^{n-1} r_i x^i \in \mathrm{GF}(p^n)$ and $s(x) = \sum_{i=0}^{n-1} s_i x^i \in \mathrm{GF}(p^n)$ with $r_i, s_i \in \mathrm{GF}(p)$ define
$(r \cdot s)(x) := \sum_{i=0}^{2n-2} x^i \sum_{j=0}^{i} r_j s_{i-j} \bmod m(x) \in \mathrm{GF}(p^n)$
Then, $(\mathrm{GF}(p^n)^*, \cdot)$ is a commutative (multiplicative) group. Its one-element is the constant polynomial $\mathrm{one}(x) = 1 x^0$.

[Interactive form: m = 1,0,0,0,1,1,0,1,1; r = 1,0,1,0,1; s = 1,1,0,1,1; fields m, r, s, r·s, g; p = 2; n = 8; buttons next irr poly, irreducible?, multiply, s := 1/r, reset, |{irr poly}|, next generator]

Problem 44(c) By the extended version of the Euclid algorithm on
p. 38.
First, the classical algorithm in its recursive and iterative form is
presented computing gcd(x, y).

function gcd_rec(x, y)
{
  if (y == 0)
    return Math.abs(x);
  else
    return gcd_rec(y, x % y);
}

function gcd_it(x, y)
{ var tmp;
  while (y != 0) {
    tmp = y; y = x % y;
    x = tmp; }
  return Math.abs(x);
}

The extended Euclid algorithm computes for given x and y coefficients
a and b such that d = gcd(x, y) = ax + by.
With prime p and 0 < x < p then 1 = gcd(x, p) = ax + bp holds, i.e.
ax = 1 − bp or ax = 1 mod p. Hence, the extended Euclid algorithm
inverts elements in GF(p) and similar in GF(p^n).

function gcd_coeff(x, y) // returns vector [d, a, b] with d = gcd(x,y) = a*x + b*y
{
  var q, tmp, q11, q12, q21, q22, t21, t22;
  q11 = q22 = 1;
  q12 = q21 = 0;
  while (y != 0)
  {
    tmp = y;
    q = Math.trunc(x / y);  // integer quotient matching the % remainder
    y = x % y;
    x = tmp;
    t21 = q21; t22 = q22;
    q21 = q11 - q*q21;
    q22 = q12 - q*q22;
    q11 = t21; q12 = t22;
  }
  return [x, q11, q12];
}

Problem 44(d) Using the feature in the form on p. 208 to generate
irreducible polynomials over GF(p) of a given degree n, the following
little table can be established:

p \ n | 2    3     4     5    6     7    8    ...
2     | 1    2     3     6    9     18   30   ...
3     | 6    16    36    96   232   ...
5     | 40   160   600   ...
...   | ...

By the way, it can be shown that there always is at least one irreducible polynomial over GF(p) of degree n.



Problem 44(e) Let m1 (x) and m2 (x) be two irreducible polynomials


over GF(p) of degree n 1 and Fi the field constructed using mi (x).
These two fields are isomorphic, i.e. except for renaming the elements,
the two fields are identical, i.e. there is an isomorphism, a bijective
mapping : F1 F2 with (r + s) = (r) + (s) and (r s) =
(r) (s)
because any two finite fields with the same number of elements
are isomorphic
or because finite fields are cyclic, i.e. for any finite field F there
is a generating element g such that F = {g i ; i N}. Let
gi be generating element for Fi . Then : F1 F2 defined
by (g1 ) := g2 and canonically extended to F1 , specifies an
isomorphism between F1 and F2 .


Problem 44(f) Obviously, GF(2^2) with $m(x) = x^2 + x + 1$ has
exactly two generating elements, namely $g_1(x) = x$ and $g_2(x) = x + 1$.

n | g_1^n = x^n | g_2^n = (x+1)^n
0 | 1           | 1
1 | x           | x+1
2 | x+1         | x

GF(2^3) with $m(x) = x^3 + x + 1$ has at least three generating elements:
x, x + 1 and x^2.

n | x^n         | (x+1)^n     | (x^2)^n
0 | 1           | 1           | 1
1 | x           | x+1         | x^2
2 | x^2         | x^2+1       | x^2+x
3 | x+1         | x^2         | x^2+1
4 | x^2+x       | x^2+x+1     | x
5 | x^2+x+1     | x           | x+1
6 | x^2+1       | x^2+x       | x^2+x+1

GF(2^3) with $m(x) = x^3 + x^2 + 1$ has at least three generating elements:
x, x + 1 and x^2.

n | x^n         | (x+1)^n     | (x^2)^n
0 | 1           | 1           | 1
1 | x           | x+1         | x^2
2 | x^2         | x^2+1       | x^2+x+1
3 | x^2+1       | x           | x^2+x
4 | x^2+x+1     | x^2+x       | x
5 | x+1         | x^2+x+1     | x^2+1
6 | x^2+x       | x^2         | x+1

This comes as no surprise: due to isomorphy, the set of generating
elements is independent of the choice of the irreducible polynomial
m.
There are more generating elements of GF(2^3): namely, the form on
p. 208 computes step by step all generating elements of GF(p^n) for
any (small) prime p and (small) $n \in \mathbb{N}$.


Problem 44(g) Let g be a generating element of $\mathrm{GF}(p^n)$ and let
log r be the logarithm of elements $r \in \mathrm{GF}(p^n)^*$ to the base g. Then
multiplication can be reduced to addition and three table look ups:
$(r \cdot s) = g^{\log r + \log s}$
For example, consider GF(2^8): instead of 256 · 256 = 65536 entries
in a look up table for the multiplication in GF(2^8) only two look up
tables with 256 entries each are needed.


Problem 44(h) Using
$1/r = r^{-1} = g^{-\log r} = g^{p^n - 1 - \log r}$
inversion in $\mathrm{GF}(p^n)$ can be implemented by two table look ups and
one subtraction.
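
The table technique of Problems 44(g) and 44(h) as an added example in JavaScript (not code from the original document), for GF(2^8) with the modulus m = 1,0,0,0,1,1,0,1,1 that appears as the default in the form of Problem 44(b), i.e. x^8 + x^4 + x^3 + x + 1. Function names are assumptions; field elements are bytes whose bits are the polynomial coefficients.

```javascript
// Added example: log/antilog tables for GF(2^8). Names are assumptions.
const M = 0x11b; // x^8 + x^4 + x^3 + x + 1, coefficient list 1,0,0,0,1,1,0,1,1

// Reference multiplication: shift-and-XOR with reduction modulo m(x)
function gfMul(r, s) {
  let p = 0;
  while (s) {
    if (s & 1) p ^= r;        // add r * x^k for every set bit of s
    r <<= 1;                  // r * x
    if (r & 0x100) r ^= M;    // reduce as soon as degree 8 appears
    s >>= 1;
  }
  return p;
}

// Smallest element whose powers run through all 255 nonzero elements
function findGenerator() {
  for (let g = 2; g < 256; g++) {
    let x = g;
    let order = 1;
    while (x !== 1) { x = gfMul(x, g); order++; }
    if (order === 255) return g;
  }
  throw new Error('no generator found');
}

// exp[i] = g^i for 0 <= i < 255, log[g^i] = i
function buildTables(g) {
  const exp = new Array(255);
  const log = new Array(256).fill(-1); // log of 0 is undefined
  let x = 1;
  for (let i = 0; i < 255; i++) { exp[i] = x; log[x] = i; x = gfMul(x, g); }
  return { exp, log };
}

const GEN = findGenerator();
const T = buildTables(GEN);

// r * s = g^(log r + log s): three look ups and one addition
function tableMul(r, s) {
  if (r === 0 || s === 0) return 0;
  return T.exp[(T.log[r] + T.log[s]) % 255];
}

// 1/r = g^(p^n - 1 - log r): two look ups and one subtraction
function tableInv(r) {
  if (r === 0) throw new Error('0 has no inverse');
  return T.exp[(255 - T.log[r]) % 255];
}

// Compare the tables with the reference multiplication for all pairs
function countMismatches() {
  let bad = 0;
  for (let r = 0; r < 256; r++) {
    for (let s = 0; s < 256; s++) if (tableMul(r, s) !== gfMul(r, s)) bad++;
    if (r !== 0 && gfMul(r, tableInv(r)) !== 1) bad++;
  }
  return bad;
}

console.log('generator', GEN, 'mismatches', countMismatches());
```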


Problem 45(a)
With k = 3 the message is decrypted to give the plain text
thisisatopsecretmessage.
Obviously there are only 26 possible keys.
Also, the Caesar-encryption/decryption preserves the letter frequencies, a natural angle for an attack.
s.a. www.weblearn.hs-bremen.de/risse/MAI/docs/mai1.pdf

[Interactive form: key k = C; buttons Caesar, Caesar⁻¹; fields x, y, x]

? Anything special about this implementation ?


Problem 45(b)
Besides the trivial key 0 there are only 25 other keys k = 1, 2, . . . , 25.
Security is rather low since only 25 keys have to be tried.

Problem 46(a)
Without restricting generality let $k = k \bmod m$.
Encryption has to be one-to-one, i.e.
$(k x_1) \bmod m = (k x_2) \bmod m \Rightarrow x_1 = x_2$ for all $0 \le x_1, x_2 < m$
or equally
$x_1 \ne x_2 \Rightarrow (k x_1) \bmod m \ne (k x_2) \bmod m$ for all $0 \le x_1, x_2 < m$

Then, necessarily $k$ and $m$ have no common divisor. Assuming otherwise, there were some common divisor $g \in \mathbb{N}$, $g > 1$, with $k = v g$ and $m = w g$. Hence, for $0 = x_1 \ne x_2 = w < m$
$(k x_1) \bmod m = 0 \bmod m = 0 = (v w g) \bmod (w g) = (k x_2) \bmod m$
holds in contradiction to encryption being one-to-one.

Problem 46(b) If and only if $1 = (k \cdot k^{inv}) \bmod m$ then
$x = (k^{inv} y) \bmod m = (k^{inv} ((k x) \bmod m)) \bmod m = (k^{inv} k x) \bmod m$
for each $0 \le x < m$. Then $k^{inv}$ is called the (modulo-$m$)-inverse of $k$.
Now, Euclid's algorithm $\gcd(x_0, x_1)$ for some $x_0$ and $x_1$ with no common divisors computes
$$\begin{array}{lcl}
x_0 = q_1 x_1 + x_2 & \Rightarrow & x_2 = x_0 - q_1 x_1 \\
x_1 = q_2 x_2 + x_3 & \Rightarrow & x_3 = x_1 - q_2 x_2 = x_1 - q_2 (x_0 - q_1 x_1) \\
x_2 = q_3 x_3 + x_4 & \Rightarrow & x_4 = x_2 - q_3 x_3 = x_0 - q_1 x_1 - q_3 (x_1 - q_2 (x_0 - q_1 x_1)) \\
 & \vdots & \\
x_{n-2} = q_{n-1} x_{n-1} + x_n & \Rightarrow & x_n = \text{linear combination of } x_0 \text{ and } x_1 \\
x_{n-1} = q_n x_n + x_{n+1} & &
\end{array}$$
until $x_n = 1$ and $x_{n+1} = 0$. Hence, each $x_i$ is a linear combination of $x_0$ and $x_1$. Especially for $\gcd(k, m)$ holds $x_n = 1 = u k + v m$ if $\gcd(k, m) = 1$. Therefore follows
$u k = 1 - v m \Rightarrow (u k) = 1 \bmod m$
and $u$ is the (modulo $m$)-inverse $k^{inv}$ of $k$.

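Euclid's algorithm is now extended to compute the modulo-m inverse of k

// Extended Euclidean algorithm: returns the (modulo m)-inverse of k.
// Invariants: xm = l11*m + l12*k and x = l21*m + l22*k.
function invers(k,m)
{
  var xm=m, x=k, xp, q;
  var l11=1, l12=0, l21=0, l22=1, n11, n12, n21, n22;
  while (xm != 1)
  {
    // remainder 0 before reaching 1 means gcd(k,m) != 1: no inverse exists
    if (x == 0) throw new Error("k has no inverse modulo m");
    q=Math.floor(xm/x); xp=xm-x*q;
    n11=l21; n12=l22; n21=l11-q*l21; n22=l12-q*l22;
    l11=n11; l12=n12; l21=n21; l22=n22; xm=x; x=xp;
  }
  // reduce the coefficient of k into the range 0..m-1
  return (l12+m)-m*Math.floor((l12+m)/m);
}

[Interactive form: inputs k and m, output the (modulo m)-inverse $k^{inv}$ of k]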

Problem 46(c)
Insertion gives
$$\begin{array}{rcl}
x &=& (k_1' y + k_0') \bmod m = (k_1' ((k_1 x + k_0) \bmod m) + k_0') \bmod m \\
  &=& (k_1' k_1 x + k_1' k_0 + k_0') \bmod m = x
\end{array}$$
if and only if
$k_1' = k_1^{inv}$ and $k_0' = (-k_1^{inv} k_0) \bmod m$
Then also
$$\begin{array}{rcl}
y &=& (k_1 x + k_0) \bmod m = (k_1 ((k_1^{inv} y + k_0') \bmod m) + k_0) \bmod m \\
  &=& (k_1 k_1^{inv} y + k_1 k_0' + k_0) \bmod m \\
  &=& (y + k_1 (-k_1^{inv} k_0) + k_0) \bmod m = y
\end{array}$$


Problem 46(d)
Each key consists of a pair $(k_1, k_0)$ with $k_0 \in \{0, 1, \dots, m-1\}$ and $k_1 \in \{0 \le k < m : \gcd(k, m) = 1\}$. Therefore all keys are in the space of keys $\{0, 1, 2, \dots, 25\} \times \{0 \le k < m : \gcd(k, m) = 1\}$.
For example, in case of $m = 26$ the key space has $26 \cdot \varphi(26) = 26 \cdot 12$ elements.
All the same, the level of security is unchanged and rather low, as the letter frequencies are still preserved.
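The affine cipher of Problems 46(a) to 46(d) in one piece, as an added example that is not part of the original document. It assumes the Latin alphabet a..z (m = 26); the function names and the sample key (5, 8) are chosen for this example.

```javascript
// Added example: affine cipher y = (k1*x + k0) mod m over a..z, m = 26.
const M = 26;

function gcd(a, b) { while (b) [a, b] = [b, a % b]; return a; }
const mod = (a, m) => ((a % m) + m) % m;

// Extended Euclid: returns u with (u*k) mod m = 1, throws if gcd(k, m) != 1.
function modInverse(k, m) {
  let [r0, r1] = [m, mod(k, m)];
  let [u0, u1] = [0, 1];                  // invariant: r_i = u_i * k (mod m)
  while (r1 !== 0) {
    const q = Math.floor(r0 / r1);
    [r0, r1] = [r1, r0 - q * r1];
    [u0, u1] = [u1, u0 - q * u1];
  }
  if (r0 !== 1) throw new RangeError(`k=${k} has no inverse modulo ${m}`);
  return mod(u0, m);
}

function applyAffine(text, k1, k0) {
  return text.replace(/[a-z]/g, ch =>
    String.fromCharCode(97 + mod(k1 * (ch.charCodeAt(0) - 97) + k0, M)));
}

// 46(a): only keys with gcd(k1, m) = 1 give a one-to-one encryption.
function encrypt(plain, k1, k0) {
  if (gcd(mod(k1, M), M) !== 1) throw new RangeError("k1 must be coprime to m");
  return applyAffine(plain.toLowerCase(), k1, k0);
}

// 46(c): decryption key k1' = k1^inv, k0' = (-k1^inv * k0) mod m.
function decryptionKey(k1, k0) {
  const k1inv = modInverse(k1, M);
  return { k1: k1inv, k0: mod(-k1inv * k0, M) };
}

function decrypt(cipher, k1, k0) {
  const d = decryptionKey(k1, k0);
  return applyAffine(cipher, d.k1, d.k0);
}

// Number of distinct values of (k1*x) mod m: smaller than m if k1 and m
// share a divisor, so different letters collide.
function imageSize(k1) {
  const seen = new Set();
  for (let x = 0; x < M; x++) seen.add(mod(k1 * x, M));
  return seen.size;
}

// 46(d): all valid keys (k1, k0); 26 * phi(26) = 26 * 12 for m = 26.
function keySpace() {
  const keys = [];
  for (let k1 = 0; k1 < M; k1++)
    if (gcd(k1, M) === 1)
      for (let k0 = 0; k0 < M; k0++) keys.push([k1, k0]);
  return keys;
}

// Letter counts sorted by size: identical for plain text and cipher text,
// which is why the larger key space does not raise the level of security.
function frequencyProfile(text) {
  const counts = new Array(M).fill(0);
  for (const ch of text) if (ch >= "a" && ch <= "z") counts[ch.charCodeAt(0) - 97]++;
  return counts.sort((a, b) => b - a).join(",");
}
```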


Problem 47(a)
Using the key word key corresponding to k = 10, 4, 24, i.e. l = 3, the decrypted message is
thisisatopsecretmessage.
Obviously there are $26^l$ possible keys of length $l$. This cycle length $l$ can be determined by the method invented by Kasiski. Once the cycle length is known an attack consists only of $l$ independent Caesar decryptions.

[Interactive form: Vigenère encryption and decryption of a text x with key k = KEY]

? Anything special about this implementation ?

Problem 47(b)
Each key consists of a string $k$ of arbitrary length. Hence, each key is contained in the key space $\bigcup_{l \ge 1} \{0, 1, 2, \dots, 25\}^l$ if the Latin alphabet is used.
The longer the key, the higher the security of the Vigenère encryption/decryption scheme. But the longer the key, the more difficult it is to transmit a key to all legitimate receivers without the transmission being eavesdropped.
Highest security is achieved, however at the highest cost to transmit the keys, if keys are used only once, the so called one time pad, see also www.fourmilab.ch/onetime/otpjs.html


Problem 48(a)
There are $n! = 1 \cdot 2 \cdot 3 \cdots n = \prod_{i=1}^{n} i$ permutations of $n$ objects. The Latin alphabet therefore has
26! = 403291461126605635584000000
permutations.

Problem 48(b)
No, because the frequency of character combinations is still preserved, which can be used to decipher an encrypted text.

E.g. let y = CESVLRHEESUUSLLGANOSGMIHRSTU be the encryption of a German text x.

Because of the blocking, S, C and H are close together so that one can guess the trigram SCH. The minimal block length $\ell$ is 5. For this block length the string x improbably starts with ELVSCH... or EVLSCH... . For $\ell = 6$ SCH is not possible, so this block length is disregarded. For $\ell = 7$ we get
...SCH....SEL....ALG.....HMU...
The final position of the trigrams is not yet known; by using the frequency of other character combinations we get
x = VERSCHLUESSELUNGSALGORITHMUS
See also www.kryptoanalytiker.de

Problem 48(c)
Text blocks of fixed length are encrypted by permutation of their letters.
In the following example
htsisitapoesrcteemssga.e
pairs of plain text letters are interchanged, i.e. the permutation (2, 1) is applied to 2-letter blocks.
There are $n!$ permutations of $n$-letter blocks: the longer the blocks, the more permutations or keys there are, i.e. the more secure is the encryption/decryption method. However, at the same time the key length grows as well as the cost of buffering messages to be encrypted or decrypted.


Problem 49(a)

$P^{inv}$ =
  40  8 48 16 56 24 64 32
  39  7 47 15 55 23 63 31
  38  6 46 14 54 22 62 30
  37  5 45 13 53 21 61 29
  36  4 44 12 52 20 60 28
  35  3 43 11 51 19 59 27
  34  2 42 10 50 18 58 26
  33  1 41  9 49 17 57 25

[Interactive form: DES-P and DES-$P^{inv}$ applied to the padded text x = This is a TOP secret message!]

? Why is the encoded string represented as o|-string, i.e. each encrypted block of 8 letters as a 64bit block?
Try different padding characters.

Problem 49(b)
Let $f_K^{inv}(L, R) = (R \oplus K, L)$. Due to $K \oplus K = \vec{0}$ then
$f_K^{inv} \circ f_K (L, R) = f_K^{inv}(R, L \oplus K) = (L \oplus K \oplus K, R) = (L, R)$
as well as
$f_K \circ f_K^{inv} (L, R) = f_K(R \oplus K, L) = (L, R \oplus K \oplus K) = (L, R)$
$f_K$ represents a substitution if 64bit blocks $(L, R)$ are considered a letter in the alphabet $A = \{0, 1\}^{64}$.

[Interactive form: DES-f and DES-$f^{inv}$ applied to the padded text x = This is a TOP secret message! with the key K = key!]

Now, DES consists of 16 such substitutions.

DES encrypts by iterated application of functions $f_{K_i}$ to a message $x$ where the keys $K_i$ are generated from some main key $K$.
Encryption by
$$y = P^{inv} \circ f_{K_{16}} \circ f_{K_{15}} \circ \dots \circ f_{K_2} \circ f_{K_1} \circ P\,(x) = P^{inv}(f_{K_{16}}(f_{K_{15}}(\dots(f_{K_2}(f_{K_1}(P(x))))\dots)))$$
implies decryption by
$$x = P^{inv} \circ f^{inv}_{K_1} \circ f^{inv}_{K_2} \circ \dots \circ f^{inv}_{K_{15}} \circ f^{inv}_{K_{16}} \circ P\,(y) = P^{inv}(f^{inv}_{K_1}(f^{inv}_{K_2}(\dots(f^{inv}_{K_{15}}(f^{inv}_{K_{16}}(P(y))))\dots)))$$

Problem 49(c) L can be computed as sequence of matrix transformations and thus is linear. However, linear encryption is relatively
easily cracked.
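The round function of Problem 49(b), its 16-fold iteration and the linearity remark of Problem 49(c), as an added example that is not part of the original document. It works on 32-bit halves, leaves out the permutation P, and uses constructed round keys; all names are chosen for this example.

```javascript
// Added example: f_K(L, R) = (R, L xor K) on 32-bit halves, iterated 16 times.
// The round keys are constructed values, not a DES key schedule.
const ROUND_KEYS = Array.from({ length: 16 }, (_, i) =>
  (Math.imul(i + 1, 0x9e3779b1) ^ 0x5a5a5a5a) >>> 0);

const f    = ([L, R], K) => [R, (L ^ K) >>> 0];       // f_K
const fInv = ([L, R], K) => [(R ^ K) >>> 0, L];       // f_K^inv

// y = f_K16(...f_K2(f_K1(x))...)
function encrypt(block, keys = ROUND_KEYS) {
  return keys.reduce((state, K) => f(state, K), block);
}

// x = f_K1^inv(f_K2^inv(...f_K16^inv(y)...)): same keys, opposite order.
function decrypt(block, keys = ROUND_KEYS) {
  return [...keys].reverse().reduce((state, K) => fInv(state, K), block);
}

const xorBlocks = ([a, b], [c, d]) => [(a ^ c) >>> 0, (b ^ d) >>> 0];
const sameBlock = ([a, b], [c, d]) => a === c && b === d;

// 49(c): built from XOR and swaps only, the whole cipher is affine over GF(2):
// E(a) xor E(b) xor E(c) = E(a xor b xor c) for all blocks a, b, c.
function isAffineOn(a, b, c) {
  const lhs = xorBlocks(xorBlocks(encrypt(a), encrypt(b)), encrypt(c));
  return sameBlock(lhs, encrypt(xorBlocks(xorBlocks(a, b), c)));
}

// Consequence: E(x) = T(x) xor E(0), where T is the key-independent map
// obtained with all round keys 0. A single known pair (x0, y0) fixes E(0),
// so the round keys add no secrecy beyond that one constant. This is the
// weakness the non-linear S-boxes of DES are there to remove.
const ZERO_KEYS = new Array(16).fill(0);
function decryptFromKnownPair(y, x0, y0) {
  const e0 = xorBlocks(y0, encrypt(x0, ZERO_KEYS));   // E(0) = y0 xor T(x0)
  return decrypt(xorBlocks(y, e0), ZERO_KEYS);        // x = T^inv(y xor E(0))
}
```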


Problem 49(d) The look up table for each S-box has $2^6$ lines of 4 bit each, i.e. $2^8 = 256$ bit, a total of $8 \cdot 256 = 2^{11}$ bit $= 2$ Kbit for all eight S-boxes.
On the other hand, a look up table for a 32 bit substitution would have $2^{32}$ lines of 32 bit each, i.e. $32 \cdot 4 \cdot 2^{30}$ bit $= 128$ Gbit, a totally unacceptable alternative.
Use pre-computed inverse S-boxes.

Problem 50(a) DES keys are 64 bit long, including 8 parity bits. Hence, the effective length is 56 bit and the key space size is $2^{56} = 64 \cdot (2^{10})^5 \approx 64 \cdot (10^3)^5 = 64 \cdot 10^{15}$.


Problem 50(b) Only if several DES encryptions cannot be emulated by a single one, i.e. only if
$DES_{K_2} \circ DES_{K_1} \ne DES_{K_0}$
holds, then TDEA establishes higher security than DES, see also
http://en.wikipedia.org/wiki/Triple_DES

Problem 50(c) TDEA keys are $3 \cdot 56$ bit long.
Hence, the effective length is 168 bit and the key space size is $2^{168} = 256 \cdot (2^{10})^{10} \approx 256 \cdot (10^3)^{10} = 2.56 \cdot 10^{32}$.


Problem 50(d) In 2001, the Advanced Encryption Standard, AES, was published and in 2002 standardized. AES is the winner of a public competition.
Correspondingly, the withdrawal of DES and TDEA, respectively, was proposed in 2004 and finalized in 2005.


Problem 51(a) Public key methods are the more secure the more difficult it is to deduce $f_A^{-1}$ from $A$ and $f_A$.
Functions $f_A$ with the following properties are suitable for public key encryption/decryption methods:
- $f_A$ is one-to-one. (The plain text is partitioned into fixed length blocks; $f_A$ is applied to each block.)
- $f_A$ and $f_A^{-1}$ are easily evaluated. (Messages are quickly encrypted and decrypted.)
- It is practically impossible to deduce $f_A^{-1}$ from $f_A$. (Encrypted messages can be decrypted only at astronomical cost; at best the decryption cost can be estimated in order to scale the encryption/decryption method according to the security needs.)
By the way, such functions are called trapdoor functions.

Problem 52(a)
The text to be encrypted is partitioned into fixed length blocks so that the (ASCII-) string can be thought of as a (big) $x \in \mathbb{N}$ with $x < n$.
Then $f_e$ is applied to each of these $x$.
Now, $f_e$ is a trapdoor function because
- $f_e$ is one-to-one on $X = \{0, 1, 2, \dots, n-1\}$, as $f_d = f_e^{-1}$.
  Namely, $d$ is modulo-$\varphi(n)$ inverse to $e$, i.e. $d \cdot e \equiv 1 \pmod{\varphi(n)}$ or $d \cdot e = v(p-1)(q-1) + 1$ for a $v \in \mathbb{N}$, so that $x^{de} = x \cdot x^{v(p-1)(q-1)}$.
  Due to Fermat's Little Theorem, FLT, for prime $p$ and $q$
  $$\begin{array}{lcl}
  x^{p-1} = 1 \bmod p & \Rightarrow & x^{de} = x\,(x^{p-1})^{v(q-1)} = x \cdot 1^{v(q-1)} = x \bmod p \\
  x^{q-1} = 1 \bmod q & \Rightarrow & x^{de} = x\,(x^{q-1})^{v(p-1)} = x \cdot 1^{v(p-1)} = x \bmod q
  \end{array}$$
  From $x^{de} = x \bmod p$ and $x^{de} = x \bmod q$ follows per Chinese Remainder Theorem for $p$ and $q$ with $\gcd(p, q) = 1$, i.e. a fortiori for prime $p$ and $q$
  $x^{ed} = x \bmod (pq) = x \bmod n$

- $f_e(x)$ and $f_d(y)$ resp. are easily evaluated by computing several products $(m_1 m_2) \bmod n$ for $m_i \in X$.
- The bigger $n$ the more difficult it is to invert $f_e$, i.e. to infer $d$ from $e$ and $n$.
  For example, in 1994 ca. 600 computers networked via the Internet needed a total of 5000 MIPS years to factorize the 129-digit number R-129 [21] into its two 64- and 65-digit prime factors.

[Interactive form: RSAenc and RSAdec with p = 59, q = 71, n = 4189, e = 47, d = 1123 and the text x = This is a top secret message]

To check e.g. $\gcd(e, \varphi(n)) = 1$ Euclid's algorithm is available.

[21] D. Atkins, M. Graff, A.K. Lenstra, P.C. Leyland: The magic words are squeamish ossifrage; Asiacrypt 94, pp. 263-277, LNCS 917, Springer 1995

Problem 52(b)
The security of the RSA method rests on the difficulty to factorize big $n \in \mathbb{N}$ with 100 and more digits.
The RSA method is the more secure the bigger $n$, cp. e.g.
www.comp.mq.edu.au/courses/comp333/Lecture/
factoring and RSA 4.pdf


Problem 52(c)
Let $e_A$ and $e_B$ be Alice's and Bob's public RSA keys with secret RSA keys $d_A$ and $d_B$ resp.
Then Alice only has to append to her encrypted message $y = f_{e_B}(x)$ the digital signature $y' = f_{d_A}(x)$.
Bob then decrypts the first half $y$ of the received message to $x = f_{d_B}(y)$ and verifies on the basis of the second half that $x$ and $f_{e_A}(y')$ coincide. As only Alice knows $d_A$ it is only Alice who could have generated $y'$. Therefore Bob can be assured to have received a message from Alice.
By the way, Alice does not need to use the whole message $x$ to generate the signature $y' = f_{d_A}(x)$. It is sufficient to use a hash-code hash(x) which both sender and receiver know how to generate.
Typical hash-codes are for example MD4, MD5 or SHA-1.
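The encryption of Problem 52(a) and the signature of Problem 52(c), as an added example that is not part of the original document. Alice's key uses the parameters shown in the form above (p = 59, q = 71, e = 47, d = 1123); Bob's key pair, the toy hash and all function names are constructed for this example, and moduli of this size only illustrate the arithmetic.

```javascript
// Added example: textbook RSA with the small parameters of the form above.
function makeKey(p, q, e, d) {
  const n = p * q, phi = (p - 1n) * (q - 1n);
  if ((e * d) % phi !== 1n) throw new RangeError("d is not the inverse of e modulo phi(n)");
  return { n, e, d };
}
const ALICE = makeKey(59n, 71n, 47n, 1123n);   // n = 4189, values from the form
const BOB   = makeKey(61n, 53n, 17n, 2753n);   // n = 3233, constructed

// Square-and-multiply: only products (m1*m2) mod n are needed.
function modPow(base, exp, n) {
  let result = 1n;
  base %= n;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % n;
    base = (base * base) % n;
    exp >>= 1n;
  }
  return result;
}

const fE = (x, key) => modPow(x, key.e, key.n);  // public operation f_e
const fD = (y, key) => modPow(y, key.d, key.n);  // secret operation f_d

// One block per character: every ASCII code is smaller than both moduli.
const toBlocks = text => [...text].map(ch => BigInt(ch.charCodeAt(0)));
const fromBlocks = blocks => blocks.map(b => String.fromCharCode(Number(b))).join("");

// Toy hash, a stand-in for a real hash function; values stay below 4093 < n_A.
function toyHash(text) {
  return toBlocks(text).reduce((h, c) => (h * 31n + c) % 4093n, 7n);
}

// 52(c): Alice sends y = f_eB(x) together with y' = f_dA(hash(x)).
function signAndEncrypt(text) {
  return {
    y: toBlocks(text).map(x => fE(x, BOB)),
    signature: fD(toyHash(text), ALICE),
  };
}

// Bob decrypts with d_B and compares f_eA(y') with the hash of what he read.
function decryptAndVerify({ y, signature }) {
  const text = fromBlocks(y.map(c => fD(c, BOB)));
  return { text, valid: fE(signature, ALICE) === toyHash(text) };
}

// 52(a): f_d(f_e(x)) = x for every x in {0, ..., n-1}, coprime to n or not.
function isOneToOne(key) {
  for (let x = 0n; x < key.n; x++) if (fD(fE(x, key), key) !== x) return false;
  return true;
}
```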


Problem 53(a) AES is a block oriented, symmetrical (identical key for encryption and decryption) encryption/decryption method consisting of rounds of permutations and substitutions.
csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Problem 53(b) AES encrypts 128 bit = 16 bytes = 4 word blocks of plain text. It allows 128 bit, 192 bit and 256 bit keys with 10, 12 or 14 rounds respectively.


Problem 53(c) An AES encryption round consists of
- substitution of each byte by another one per s-box
- permutation of the rows of the block when represented as $4 \times 4$-byte-matrix
- permutation of the columns of the block when represented as $4 \times 4$-byte-matrix
- XOR of block and part of the expanded key


Problem 54(a) SubBytes(): The substitution of a byte $b$ by the AES s-box is specified to be the multiplicative inverse $b^{-1}$ computed in $GF(2^8)$, followed by the affine transformation $b' = A\,b^{-1} + c$, i.e.
$$\begin{pmatrix} b'_0\\ b'_1\\ b'_2\\ b'_3\\ b'_4\\ b'_5\\ b'_6\\ b'_7 \end{pmatrix} =
\begin{pmatrix}
1&0&0&0&1&1&1&1\\
1&1&0&0&0&1&1&1\\
1&1&1&0&0&0&1&1\\
1&1&1&1&0&0&0&1\\
1&1&1&1&1&0&0&0\\
0&1&1&1&1&1&0&0\\
0&0&1&1&1&1&1&0\\
0&0&0&1&1&1&1&1
\end{pmatrix}
\begin{pmatrix} b_0\\ b_1\\ b_2\\ b_3\\ b_4\\ b_5\\ b_6\\ b_7 \end{pmatrix} +
\begin{pmatrix} 1\\1\\0\\0\\0\\1\\1\\0 \end{pmatrix} \qquad (5.2)$$
where $b_0, \dots, b_7$ on the right hand side are the bits of $b^{-1}$.

[Figure 6 (excerpt from FIPS-197): SubBytes() applies the S-box to each byte $s_{r,c}$ of the State, giving $s'_{r,c}$.]

The S-box used in the SubBytes() transformation is presented in hexadecimal form in Fig. 7.
For example, if $s_{1,1}$ = {53}, then the substitution value would be determined by the intersection of the row with index 5 and the column with index 3 in Fig. 7. This would result in $s'_{1,1}$ having a value of {ed}.

The AES s-box is usually implemented as a look up table, i.e.

        y
  x     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0    63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
  1    ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
  2    b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
  3    04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
  4    09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
  5    53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
  6    d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
  7    51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
  8    cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
  9    60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
  a    e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
  b    e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
  c    ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
  d    70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
  e    e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
  f    8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Figure 7. S-box: substitution values for the byte xy (in hexadecimal format).

[Figure 13 (excerpt from FIPS-197): InvShiftRows() cyclically shifts the last three rows in the State.]

5.3.2 InvSubBytes() Transformation
InvSubBytes() is the inverse of the byte substitution transformation, in which the inverse S-box is applied to each byte of the State. This is obtained by applying the inverse of the affine transformation (5.1) followed by taking the multiplicative inverse in $GF(2^8)$.

as is the inverse s-box

The inverse S-box used in the InvSubBytes() transformation is presented in Fig. 14:

        y
  x     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0    52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
  1    7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
  2    54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
  3    08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
  4    72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
  5    6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
  6    90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
  7    d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
  8    3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
  9    96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
  a    47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
  b    fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
  c    1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
  d    60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
  e    a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
  f    17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

Figure 14. Inverse S-box: substitution values for the byte xy (in hexadecimal format).


Problem 54(b) ShiftRows(): The rows of a block are cyclically shifted as indicated by the following figure: the block $S$ is thus mapped to the block $S'$.

[Excerpt from FIPS-197:]
shift(1,4) = 1; shift(2,4) = 2; shift(3,4) = 3.   (5.4)
This has the effect of moving bytes to lower positions in the row (i.e., lower values of c in a given row), while the lowest bytes wrap around into the top of the row (i.e., higher values of c in a given row).
Figure 8 illustrates the ShiftRows() transformation.

  S                              S'
  s0,0 s0,1 s0,2 s0,3     ->     s0,0 s0,1 s0,2 s0,3
  s1,0 s1,1 s1,2 s1,3     ->     s1,1 s1,2 s1,3 s1,0
  s2,0 s2,1 s2,2 s2,3     ->     s2,2 s2,3 s2,0 s2,1
  s3,0 s3,1 s3,2 s3,3     ->     s3,3 s3,0 s3,1 s3,2

Figure 8. ShiftRows() cyclically shifts the last three rows in the State.

The inverse transformation just shifts rows cyclically in the opposite direction.

Problem 54(c) MixColumns(): The columns of a block are considered as polynomials with coefficients in $GF(2^8)$ and multiplied by
$a(x) = \mathtt{0x03}\,x^3 + \mathtt{0x01}\,x^2 + \mathtt{0x01}\,x + \mathtt{0x02}$
modulo $x^4 + 1$. The $c$th column then becomes
$$\begin{pmatrix} s'_{0,c}\\ s'_{1,c}\\ s'_{2,c}\\ s'_{3,c} \end{pmatrix} =
\begin{pmatrix}
\mathtt{0x02}&\mathtt{0x03}&\mathtt{0x01}&\mathtt{0x01}\\
\mathtt{0x01}&\mathtt{0x02}&\mathtt{0x03}&\mathtt{0x01}\\
\mathtt{0x01}&\mathtt{0x01}&\mathtt{0x02}&\mathtt{0x03}\\
\mathtt{0x03}&\mathtt{0x01}&\mathtt{0x01}&\mathtt{0x02}
\end{pmatrix}
\begin{pmatrix} s_{0,c}\\ s_{1,c}\\ s_{2,c}\\ s_{3,c} \end{pmatrix}
= A \begin{pmatrix} s_{0,c}\\ s_{1,c}\\ s_{2,c}\\ s_{3,c} \end{pmatrix}$$
The block $S$ is thus mapped to the block $S'$.

[Excerpt from FIPS-197, 5.1.3 MixColumns() Transformation:]
The MixColumns() transformation operates on the State column-by-column, treating each column as a four-term polynomial as described in Sec. 4.3. The matrix multiplication (5.6) holds for $0 \le c < Nb$. As a result of this multiplication, the four bytes in a column are replaced by the following:
$$\begin{array}{l}
s'_{0,c} = (\{02\} \bullet s_{0,c}) \oplus (\{03\} \bullet s_{1,c}) \oplus s_{2,c} \oplus s_{3,c} \\
s'_{1,c} = s_{0,c} \oplus (\{02\} \bullet s_{1,c}) \oplus (\{03\} \bullet s_{2,c}) \oplus s_{3,c} \\
s'_{2,c} = s_{0,c} \oplus s_{1,c} \oplus (\{02\} \bullet s_{2,c}) \oplus (\{03\} \bullet s_{3,c}) \\
s'_{3,c} = (\{03\} \bullet s_{0,c}) \oplus s_{1,c} \oplus s_{2,c} \oplus (\{02\} \bullet s_{3,c})
\end{array}$$
Figure 9 illustrates the MixColumns() transformation.
[Figure 9 (excerpt from FIPS-197): MixColumns() operates on the State column-by-column.]

The inverse transformation is specified by multiplication modulo $x^4 + 1$ by the polynomial
$a^{-1}(x) = \mathtt{0x0b}\,x^3 + \mathtt{0x0d}\,x^2 + \mathtt{0x09}\,x^1 + \mathtt{0x0e}\,x^0$
or written as matrix transformation
$$\begin{pmatrix} s'_{0,c}\\ s'_{1,c}\\ s'_{2,c}\\ s'_{3,c} \end{pmatrix} =
\begin{pmatrix}
\mathtt{0x0e}&\mathtt{0x0b}&\mathtt{0x0d}&\mathtt{0x09}\\
\mathtt{0x09}&\mathtt{0x0e}&\mathtt{0x0b}&\mathtt{0x0d}\\
\mathtt{0x0d}&\mathtt{0x09}&\mathtt{0x0e}&\mathtt{0x0b}\\
\mathtt{0x0b}&\mathtt{0x0d}&\mathtt{0x09}&\mathtt{0x0e}
\end{pmatrix}
\begin{pmatrix} s_{0,c}\\ s_{1,c}\\ s_{2,c}\\ s_{3,c} \end{pmatrix}
= A^{-1} \begin{pmatrix} s_{0,c}\\ s_{1,c}\\ s_{2,c}\\ s_{3,c} \end{pmatrix}.$$

Problem 54(d) AddRoundKey():

[Figure 10 (excerpt from FIPS-197): AddRoundKey() XORs each column of the State with a word from the key schedule; column $c$ of the State is XORed with the word $w_{l+c}$, where l = round * Nb.]

As for all XOR operations, this transformation is its own inverse.

[Excerpt from FIPS-197:]
5.2 Key Expansion
The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule. The Key Expansion generates a total of Nb (Nr + 1) words: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The resulting key schedule consists of a linear array of 4-byte words, denoted $[w_i]$, with $i$ in the range $0 \le i < Nb(Nr + 1)$.
The expansion of the input key into the key schedule proceeds according to the pseudo code in Fig. 11.

Problem 55(a)
$E = E(\mathbb{R}) = E_{a,b}(\mathbb{R}) = \{ (x, \pm\sqrt{x^3 + ax + b}) : x^3 + ax + b \ge 0 \}$
Obviously, elliptic curves are plane curves which are symmetric to the x-axis. Depending on the parameters $a$ and $b$, the radicand is positive in one interval or in two intervals. Correspondingly, $E = E(\mathbb{R}) = E_{a,b}(\mathbb{R})$ has one or two branches. Cp. e.g.

[Figure: plots of E over x and y for the parameter sets labelled a = 4, b = 1; a = 3, b = 5; a = 5, b = 7]

$\lim_{x \to +\infty} \sqrt{x^3 + ax + b} = \lim_{x \to +\infty} x^{3/2} = \infty$

Problem 55(b)
Because all coefficients of $x^3 + ax + b$ are real, all zeroes $x_i$ can conveniently be represented by trigonometric/hyperbolic means. Let
$p = a/3$, $q = b/2$, $D = p^3 + q^2$ and $P = (\operatorname{sgn} q)\sqrt{|p|}$.

x1
x2,3

p < 0, D 0
p < 0, D > 0
p>0
= 13 arccos Pq3
= 13 arcosh Pq3
= 13 arsinh Pq3
2P cos
2P cosh
2P sinh


2P cos( /3) P (cosh i 3 sinh ) P (sinh i 3 cosh )


Problem 55(c)
For the given radicand $x^3 + ax + b$ let again $p = a/3$, $q = b/2$ and discriminant $D = p^3 + q^2$. The discriminant $D$ then determines the type of zeroes.

  $D > 0$               one real zero, two conjugate complex zeroes
  $D < 0$               three distinct real zeroes
  $D = 0$, $q \ne 0$    one simple real, one double real zero
  $D = 0$, $q = 0$      one triple real zero

Hence, there are no multiple zeroes if and only if
$D = p^3 + q^2 = \dfrac{a^3}{27} + \dfrac{b^2}{4} \ne 0$
or equivalently if
$108 D = 108 (p^3 + q^2) = 4a^3 + 27b^2 \ne 0$


Problem 55(d) Let the line be given by $y = mx + c$ with $m \ne 0$.
The abscissa $x$ of an intersection point of the line with $E$ solves $(mx + c)^2 = x^3 + ax + b$ or equivalently
$x^3 - m^2 x^2 + (a - 2cm) x + b - c^2 = 0$
Substituting $y = x - m^2/3$ the quadratic term is eliminated. According to the assumption the new equation
$y^3 + 3py + 2q = 0$ with $3p = (a - 2cm) - \frac{1}{3} m^4$ and $2q = -\frac{2}{27} m^6 + \frac{1}{3} (a - 2cm) m^2 + b - c^2$
has at least two simple real solutions. According to the classification of the solutions in dependence of the discriminant $D = p^3 + q^2$ (see Problem 55(c)), to the two simple real solutions there must be another simple real solution.


Problem 55(e) Let $s = (y_Q - y_P)/(x_Q - x_P)$ be the slope and hence $y = y(x) = y_P + s(x - x_P)$ the line through $P$ and $Q$. Then
$y^2(x) = \left( y_P + s(x - x_P) \right)^2 = x^3 + ax + b$
or just
$x^3 - s^2 x^2 + (a + \dots) x + (b + \dots) = 0$
has the three solutions $x_P$, $x_Q$ and $x_R$ where $x_R$ is the abscissa of the third intersection point of the line through $P$ and $Q$ with $E$. Comparison of the coefficients of $x^2$ gives
$-s^2 = -x_P - x_Q - x_R$ or just $x_R = s^2 - x_P - x_Q$
Mirroring the third intersection point at the x-axis gives $R = P + Q$ so that
$y_R = -(y_P + s(x_R - x_P)) = s(x_P - x_R) - y_P$


Problem 56(a) Imagine $P + P$ to be the limit of $P + Q$ with $E \ni Q \to P$. Then in the limit, the line through $P$ and $Q$ becomes the tangent in $P$ with slope
$$s = \frac{d}{dx} \sqrt{x^3 + ax + b}\,\Big|_{x_P} = \frac{3x_P^2 + a}{2\sqrt{x_P^3 + a x_P + b}} = \frac{3x_P^2 + a}{2 y_P}$$
Hence, $y = y(x) = y_P + s(x - x_P)$ is the tangent in $P$. $x_P$ is a double zero of the equation
$y^2(x) = \left( y_P + s(x - x_P) \right)^2 = x^3 + ax + b$
The other simple zero is $x_R$. Hence, as before, $R = (x_R, y_R) = P + P$ is given by
$x_R = s^2 - 2x_P$ and $y_R = -(y_P + s(x_R - x_P)) = s(x_P - x_R) - y_P$


Problem 56(b) Due to the symmetry of $E$, $Q = -P$ holds. The line through $P$ and $Q$ is vertical and has only these two intersection points with $E$. Assume again a limit process $E \ni Q' \to Q$. Then $R := P + Q'$ moves on the unbounded branch of $E$ towards infinity. Just define this to be an extra point on $E$, called the point at infinity or just 0.
Using homogeneous coordinates the plane together with the elliptic curve is transformed into projective space which shows that there is only one point at infinity [31].


Problem 56(c) Introduction of 0 as above together with the definition $-P = -(x_P, y_P) := (x_P, -y_P)$ implies
- that 0 is a neutral or a zero element w.r.t. this addition and
- that $-P$ is the inverse of $P$ w.r.t. this addition, i.e.
$P + 0 = 0 + P = P$ for all $P \in E$; in addition, $0 + 0 = 0$
$P + (-P) = (-P) + P = P - P = 0$ for all $P \in E$; in addition, 0 is inverse to 0
The equation $P + Q = R$ is solved by $Q = (-P) + R$ for any $P, R \in E$.


Problem 56(d)
Because this so defined addition obviously is commutative, it makes $E = E_{a,b}(\mathbb{R})$ an (additive) commutative group or a so called Abelian [22] group.

[22] Niels Henrik Abel (1802-1829)
www-history.mcs.st-andrews.ac.uk/Biographies/Abel.html

Problem 57(a) Performing all operations in GF(p) (cp. arithmetic in GF(p), p. 41) makes $E = E_{a,b}(GF(p))$ a commutative (additive) group (cp. [31] for associativity of this addition).
The neutral element, i.e. the zero element w.r.t. this addition is specified by the point (<empty string>,infty) here.

[Interactive form:]
Elliptic curve $E(GF(p)) = \{(x, y) : y^2 = x^3 + ax + b\}$ over GF(p) with a = 1, b = 7 and p = 17 is a (additive) group with card $E(GF(p))$ = [computed by the form] elements, where by Hasse [23] $|\mathrm{card}\,E(GF(p)) - (p + 1)| \le 2\sqrt{p}$ holds.
$P = (x_P, y_P)$ with $x_P = 2$, $y_P = 0$
$Q = (x_Q, y_Q)$ with $x_Q = 1$, $y_Q = 3$
$R = (x_R, y_R)$ is computed by the form (R := P + Q, Q := -P, c&c [24], reset)

[23] Helmut Hasse (1898-1979)
www-history.mcs.st-andrews.ac.uk/Biographies/Hasse.html
[24] c&c = check whether $P, Q \in E$; complete the fields P and Q if necessary

Problem 58(a) In $GF(2^m)$ any element $r$ is inverse to itself w.r.t. addition, i.e. $r = -r \in GF(2^m)$. Hence $P = (x, y)$ with $y^2 = x^3 + ax + b$ and $-P = (x, -y)$ were identical in $E = E_{a,b}(GF(2^m))$, and $2P = P + P = P - P = 0$ for any $P \in E$, so that $E$ is isomorphic to $GF(2) \times GF(2) \times \dots \times GF(2)$.
Therefore, the subgroups generated by any element of $E$ have only two elements, preventing any usage in cryptographic applications (cp. discrete logarithm problem).


Problem 58(b) Performing all operations in $GF(2^m)$ (cp. arithmetic in $GF(p^n)$, p. 43) makes $E = E_{a,b}(GF(2^m))$ a commutative (additive) group.


Problem 59(a) ECC is a block oriented, asymmetrical public key encryption/decryption method using the group structure on elliptic curves $E = E_{a,b}(F)$ over $F = GF(p)$ or $F = GF(2^m)$.
There is an EC encryption/decryption (ECIES), an EC Diffie-Hellman key exchange (ECDH), and an EC digital signature algorithm (ECDSA).
Due to its superior performance ECC is mainly used to replace RSA in hybrid encryption/decryption schemes.
[30]
[32]
[31]

www.secg.org/collateral/sec1 final.pdf
www.iaik.tugraz.at/.../oswald/papers/Introduction to ECC.pdf

see also e.g. www.faqs.org/rfcs/rfc3278.html,


http://ducati.doc.ntu.ac.uk/uksim/journal/Vol-5/No-1&2/ROBERTS.pdf

Problem 59(b) Communication partners agree on some elliptic curve $E = E(F)$ over some finite field $F$ together with some suitable generator point $G \in E$. Let $n = \mathrm{card}(\langle G \rangle)$. Each partner chooses some random number $0 < r < n$ as secret key and publishes $rG$ as public key.

           chooses   publishes
  Alice    a         Q_A = aG
  Bob      b         Q_B = bG
  ...      ...       ...

In order to encrypt and send a message $m$ to Bob, Alice converts the message to a point $M \in E$, chooses some random number $k$ and sends the encrypted message, i.e. the pair $(kG, M + k(bG)) \in E \times E$ to Bob.

           chooses   encrypts            decrypts
  Alice    k         (kG, M + k Q_B)
  Bob                                    (kG, M + k(bG)) -> M = M + kbG - b(kG)

To decrypt $(kG, M + k(bG))$, Bob computes $M + k(bG) - b(kG) = M$.




Problem 59(c) Before exchanging a common secret key, Alice and Bob agree on a public elliptic curve $E = E(F)$ over some finite field $F$ together with some generator point $G \in E$.
Let $n = \mathrm{card}(\langle G \rangle)$.
Now, each partner chooses some random number $r \in \mathbb{N}$ with $1 < r < n$ as secret key, publishes the corresponding public key $Q = rG \in E$ and computes a secret key $R \in E$.

           chooses   publishes    computes
  Alice    a         Q_A = aG     R_A = a Q_B
  Bob      b         Q_B = bG     R_B = b Q_A

Because of
$R_A = a Q_B = abG = baG = b Q_A = R_B$
Alice and Bob share the same secret $R_A = R = R_B$, the common secret key $R$.
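The group law of Problems 55(e) to 56(c) on the curve of the form in Problem 57(a), together with the exchanges of Problems 59(b) and 59(c), as an added example that is not part of the original document. The point at infinity is represented by null; the generator G = (1, 3), the secret keys in the test and all function names are chosen for this example, and a group with 12 elements only illustrates the arithmetic.

```javascript
// Added example: y^2 = x^3 + x + 7 over GF(17), parameters from the form in 57(a).
const P_MOD = 17, CURVE_A = 1, CURVE_B = 7;
const mod = v => ((v % P_MOD) + P_MOD) % P_MOD;

function inv(v) {                       // inverse in GF(17) by search (tiny field)
  for (let u = 1; u < P_MOD; u++) if (mod(u * v) === 1) return u;
  throw new RangeError("0 has no inverse");
}

const onCurve = pt => pt === null ||
  mod(pt[1] * pt[1] - (pt[0] ** 3 + CURVE_A * pt[0] + CURVE_B)) === 0;
const neg = pt => pt === null ? null : [pt[0], mod(-pt[1])];

function add(P, Q) {
  if (P === null) return Q;             // 0 + Q = Q
  if (Q === null) return P;             // P + 0 = P
  const [xP, yP] = P, [xQ, yQ] = Q;
  if (xP === xQ && mod(yP + yQ) === 0) return null;   // Q = -P, also 2P with yP = 0
  const s = xP === xQ
    ? mod((3 * xP * xP + CURVE_A) * inv(mod(2 * yP)))  // tangent slope, 56(a)
    : mod((yQ - yP) * inv(mod(xQ - xP)));              // chord slope, 55(e)
  const xR = mod(s * s - xP - xQ);
  return [xR, mod(s * (xP - xR) - yP)];
}

function mul(k, P) {                    // kP by double-and-add
  let result = null;
  for (let addend = P; k > 0; k >>= 1, addend = add(addend, addend))
    if (k & 1) result = add(result, addend);
  return result;
}

function curvePoints() {                // all points of E(GF(17)) including 0
  const pts = [null];
  for (let x = 0; x < P_MOD; x++)
    for (let y = 0; y < P_MOD; y++) if (onCurve([x, y])) pts.push([x, y]);
  return pts;
}

function order(P) {                     // card(<P>)
  let n = 1;
  for (let Q = P; Q !== null; Q = add(Q, P)) n++;
  return n;
}

const hasseHolds = () =>
  Math.abs(curvePoints().length - (P_MOD + 1)) <= 2 * Math.sqrt(P_MOD);

// 59(c): both sides arrive at the same point R = abG.
const G = [1, 3];                       // assumed generator point, n = card(<G>) = 6
function ecdh(a, b) {
  const QA = mul(a, G), QB = mul(b, G);
  return { QA, QB, RA: mul(a, QB), RB: mul(b, QA) };
}

// 59(b): Alice sends (kG, M + k*QB); Bob removes b*(kG) with his secret b.
const encryptPoint = (M, k, QB) => [mul(k, G), add(M, mul(k, QB))];
const decryptPoint = ([kG, C], b) => add(C, neg(mul(b, kG)));
```

With the values of the form, P = (2, 0) lies on the x-axis, so P + P is the point at infinity, and P + Q = (6, 12).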


Problem 59(d) Let $n = \mathrm{card}(\langle G \rangle)$. Alice wants to sign message $m$ to Bob. Her secret key is $a \in \mathbb{N}$ and her public key is $Q = aG \in E$.

           chooses   hashes        computes                      signs
  Alice    k         e = hash(m)   r = x_{kG} mod n              (r, s)
                                   h = k^{-1} mod n
                                   s = h(e + ar) mod n

Alice repeats choosing some $1 < k < n$ until $r \ne 0$ and $s \ne 0$.
Bob receives Alice's message $m$ together with her signature $(r, s)$.

           hashes        computes                          verifies
  Bob      e = hash(m)   w = s^{-1} mod n                  x_P == r
                         u = ew mod n, v = rw mod n
                         P = uG + vQ

$s = k^{-1}(e + ar) \bmod n \Rightarrow k = s^{-1}(e + ar) \bmod n$. Thus, modulo $n$
$k \equiv s^{-1}(e + ar) \equiv s^{-1} e + s^{-1} a r \equiv we + w\,ar \equiv u + a\,rw \equiv u + va$
so that $P = uG + vQ = uG + vaG = (u + va)G = kG$ and hence $x_P = x_{kG} = r$ follows.


Problem 60(a) First, this coding takes symbol frequencies into account: the more frequent a symbol the shorter its code. Second, because code($s_i$) is a prefix of code($s_j$) for $i < j$, this coding is not prefix-free.
Third, the symbol 0 acts as a separator of codes.
Presumably, there must be better codings.


Problem 60(b) A coding can be represented by a labelled graph with a root: the set $\{\mathrm{code}(s_i) : i = 1, \dots, n\}$ of codes is just the set of labels of its end vertices, i.e. vertices with exactly one incident edge.

[Figure: tree with edges labelled 0 and 1 and the end vertices 0 = code($s_1$), 10 = code($s_2$) and 11 = code($s_3$)]

Obviously, a coding is prefix-free if and only if the graph representing this coding is a binary tree.


Problem 60(c) The codes of a prefix-free coding are the leaves of its representing tree. Label the leaf vertices by the corresponding frequencies. Each internal vertex is root of exactly one subtree. Its label is just the sum of the labels of all other vertices of its subtree.

[Figure: binary tree whose root is labelled $1 = f_1 + f_2 + f_3$; edge 0 leads to the leaf 0 = code($s_1$) with $f_1$, edge 1 leads to an internal vertex labelled $f_2 + f_3$ with the leaves 10 = code($s_2$) with $f_2$ and 11 = code($s_3$) with $f_3$]

Now, if only the symbol frequencies are given, the tree has to be built
starting from the leaves. In the example above, for c1 = code(s1 ) to
be shortest, necessarily f1 f2 + f3 holds. This can be generalized:

David A. Huffman: A method for the construction of minimum-redundancy codes; Proceedings of the Institute of Radio Engineers, I.R.E. Sept 1952, pp. 1098-1102 http://compression.ru/download/articles/huff/huffman 1952 minimum-redund


Problem 61(a)
To simplify matters, the alphabet consists of say 64 characters blank (ASCII 32) up to underline (ASCII 95).

[Interactive form: step-by-step LZW compression (LZWstep) and decompression (WZLstep) of the text Abrakadabra Abrakadabra, showing the current pattern, character, old and new code and the dictionary entries]

? Anything special about this implementation ?

Problem 61(b) The modified decompression of the algorithm:

Read oldCODE
CHARACTER = dict[oldCODE]; output CHARACTER
WHILE there are still input characters DO
    Read newCODE
    IF newCODE is not in dictionary
        PATTERN = dict[oldCODE]
        PATTERN = PATTERN+CHARACTER
    ELSE
        PATTERN = dict[newCODE]
    END of IF
    output PATTERN
    CHARACTER = first character in PATTERN
    add dict[oldCODE] + CHARACTER to dictionary
    oldCODE = newCODE
END of WHILE
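The decompression above next to the matching compression, as an added example that is not part of the original document. It assumes the 64-character alphabet of Problem 61(a), numbers the initial codes 0 to 63 (ASCII code minus 32) and, beyond the pseudo code, rejects codes that no compressor could have produced; the function names are chosen for this example.

```javascript
// Added example: LZW over the alphabet blank (ASCII 32) to underline (ASCII 95).
function initialDictionary() {
  return Array.from({ length: 64 }, (_, i) => String.fromCharCode(32 + i));
}

function lzwCompress(text) {
  const dict = new Map(initialDictionary().map((s, code) => [s, code]));
  const codes = [];
  let pattern = "";
  for (const chr of text) {
    if (!dict.has(chr))
      throw new RangeError(`character ${JSON.stringify(chr)} is outside ASCII 32..95`);
    if (dict.has(pattern + chr)) {
      pattern += chr;                       // keep extending the known pattern
    } else {
      codes.push(dict.get(pattern));
      dict.set(pattern + chr, dict.size);   // next free code
      pattern = chr;
    }
  }
  if (pattern !== "") codes.push(dict.get(pattern));
  return codes;
}

function lzwDecompress(codes) {
  if (codes.length === 0) return "";
  const dict = initialDictionary();
  let oldCode = codes[0];
  if (!Number.isInteger(oldCode) || oldCode < 0 || oldCode >= dict.length)
    throw new RangeError(`invalid first code ${oldCode}`);
  let character = dict[oldCode];
  let output = character;
  for (const newCode of codes.slice(1)) {
    let pattern;
    if (Number.isInteger(newCode) && newCode >= 0 && newCode < dict.length) {
      pattern = dict[newCode];
    } else if (newCode === dict.length) {
      // newCODE is not in the dictionary yet: the compressor has just created
      // it, so it can only be dict[oldCODE] followed by its own first character.
      pattern = dict[oldCode] + character;
    } else {
      throw new RangeError(`invalid code ${newCode}`);
    }
    output += pattern;
    character = pattern[0];
    dict.push(dict[oldCode] + character);
    oldCode = newCode;
  }
  return output;
}
```

The input ABABABA compresses to the codes 33, 34, 64, 66, and the last of them reaches the decompressor before it has entered code 66 into its dictionary, which is exactly the case the IF branch of the pseudo code handles.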


Problem 62(a) There are three possible cases, namely RR, RR and RB.
There are two favorable cases, namely RB.
Therefore, P = P(RB) = 1/3.

Solutions to Problems

274

Problem 62(b) Let a/A and z/Z indicate a door with a car or a goat behind it, respectively. Small letters correspond to initially chosen doors.
Without loss of generality assume that the candidate chooses door no. 1, and the quizmaster reveals the goat behind door no. 2. Then
chances to win without revision: P(aZZ) = 1/3
chances to win with revision: P(zZA or zZA) = 2/3
www.comedia.com/hot/monty.html or (Monte-Carlo-) experiment:
[Interactive Monte-Carlo experiment: doors left, middle, right; state (A=car, Z=goat); x=choice, o=revelation; counts the hits and the chances to win without and with revision in a total of games; buttons 1, 10, 100, reset.]


Problem 63(a) Discriminating features are

- data type and co-domain, e.g.
  - 0-1-sequences, e.g. coin tosses,
  - natural or integer random numbers, e.g. decimal digits of ,
  - rational random numbers, e.g. measured distances of dart arrows to the middle of the disk,
  - real random numbers, e.g. free path length of particles in Brownian motion, etc.
- distribution of the random numbers in their co-domain, e.g.
  - evenly distributed 0-1-random numbers, e.g. tossing a true coin,
  - Poisson-distributed natural random numbers, e.g. number of radioactive decays per time unit,
  - exponentially distributed random numbers, e.g. life time of non-aging parts,
  - normally distributed random numbers with mean and standard deviation , e.g. physical measurements, etc.


The continuous random variable $X \in [0, 1]$, evenly distributed in the unit interval, is a suitable standard random variable: from X one generates by
    if (X <= 0.5) return 0; else return 1;
evenly distributed discrete random numbers $Y \in \{0, 1\}$,
    if (X < p1) return y1;
    if (X < p1 + p2) return y2;
    ...
    if (X < p1 + ... + pn) return yn;
discrete random numbers $Y \in \{y_1, y_2, \ldots, y_n\}$ with $P(Y = y_i) = p_i$ for $i = 1, 2, \ldots, n$,
    (b-a)*X+a
in the interval $[a, b] \subset \mathbb{R}$ evenly distributed, continuous random numbers Y,
    floor((b-a+1)*X)+a
in the interval $[a, b] \cap \mathbb{Z}$ evenly distributed, discrete random numbers Y, etc.


For continuous random numbers $X \in \mathbb{R}$ evenly distributed in the unit interval, $F^{\text{inv}}(X)$ generates continuous random numbers $Y = F^{\text{inv}}(X)$ with a given distribution function $F$ and its inverse function $F^{\text{inv}}$ because

$$P(Y < y) = P\big(F^{\text{inv}}(X) < y\big) = P\big(X < F(y)\big) = F(y).$$
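The constructions of Problem 63(a) written as functions of a given uniform value x, so that each mapping can be checked exactly. This is an added example, not code from the original document; the function names, the rate parameter lambda of the exponential distribution and the grid size are assumptions. It also counts how a rounded mapping of the form round((b-a)*X+a) spreads the unit interval over the integers of [a, b] compared with a floor-based mapping.

```javascript
// Discrete Y in {ys[0], ..., ys[n-1]} with P(Y = ys[i]) = ps[i], from uniform x.
function sampleDiscrete(x, ys, ps) {
  let cumulative = 0;
  for (let i = 0; i < ys.length; i++) {
    cumulative += ps[i];
    if (x < cumulative) return ys[i];
  }
  return ys[ys.length - 1]; // guards against rounding error in the sum of ps
}

// Inversion method for F(y) = 1 - exp(-lambda*y): F^inv(x) = -ln(1 - x) / lambda.
function sampleExponential(x, lambda) {
  return -Math.log(1 - x) / lambda;
}

// Two ways to map uniform x to an integer of [a, b].
function intByRound(x, a, b) { return Math.round((b - a) * x + a); }
function intByFloor(x, a, b) { return Math.floor((b - a + 1) * x) + a; }

// Count how many points of an even grid over (0, 1) land on each integer a..b.
function countsPerValue(mapper, a, b, steps = 6000) {
  const counts = new Array(b - a + 1).fill(0);
  for (let k = 0; k < steps; k++) {
    counts[mapper((k + 0.5) / steps, a, b) - a]++;
  }
  return counts;
}

console.log("round:", countsPerValue(intByRound, 1, 6)); // endpoints get half the weight
console.log("floor:", countsPerValue(intByFloor, 1, 6)); // all six values equally likely
```

With rounding, the two end values a and b each receive only half the probability of the inner values, a bias that matters wherever such integers select keys, nonces or indices.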



Problem 63(b) There are a number of algorithms to generate pseudo random numbers. All procedures are recursive; well known is e.g. J. v. Neumann's method of middle digits of squares

$$x_{n+1} = \left(x_n^2\right)_{3b \ldots b+1}$$

for suitable 2b bit $x_0$ where $\left(x_n^2\right)_{3b \ldots b+1}$ denotes the middle 2b bit of the 4b bit product $x_n^2$, or better and more commonly used

$$x_{n+1} = a\,x_n \bmod m$$

for some $x_0$, say $x_0 = 1$, for a suitable factor a of magnitude $2^b$ and for a modulus $m = 2^b$ if b is the integer width of the computer and if efficiency is at a premium. This generator is a special case of the so called Linear Congruential Generators

$$x_{n+1} = (a\,x_n + c) \bmod m$$

for some $x_0 \in \mathbb{N}$, say $x_0 = 1$, and suitable parameters $a, c, m \in \mathbb{N}$.





Problem 63(c) $x_{n+1} \in \{0, 1, \ldots, m-1\}$. Hence, the maximal period length is m. For a = 1 and c = 0 it is 1.
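The period of a linear congruential generator can be measured directly instead of bounded. This is an added example, not code from the original document; it uses Brent's cycle detection (a technique not mentioned in the text), and the function names and the small modulus m = 16 are constructed for illustration.

```javascript
// One step x_{n+1} = (a*x_n + c) mod m; BigInt keeps the product exact for any m.
function lcgStep(x, a, c, m) {
  return (a * x + c) % m;
}

// Brent's cycle detection on x0, f(x0), f(f(x0)), ...
// Returns the period and the length of the non-repeating start (preperiod).
function lcgPeriod(a, c, m, x0) {
  [a, c, m, x0] = [a, c, m, x0].map((v) => BigInt(v));
  const f = (x) => lcgStep(x, a, c, m);
  let power = 1, period = 1;
  let tortoise = x0 % m, hare = f(tortoise);
  while (tortoise !== hare) {
    if (power === period) { tortoise = hare; power *= 2; period = 0; }
    hare = f(hare);
    period++;
  }
  // Both walkers start at x0, the hare `period` steps ahead; they meet at the cycle entry.
  tortoise = hare = x0 % m;
  for (let i = 0; i < period; i++) hare = f(hare);
  let preperiod = 0;
  while (tortoise !== hare) { tortoise = f(tortoise); hare = f(hare); preperiod++; }
  return { period, preperiod };
}

console.log(lcgPeriod(1, 0, 16, 1)); // a = 1, c = 0: the sequence never moves
console.log(lcgPeriod(5, 3, 16, 1)); // reaches the maximal period m
console.log(lcgPeriod(5, 0, 16, 1)); // multiplicative generator: shorter period
console.log(lcgPeriod(2, 0, 16, 1)); // even factor: collapses to 0 after a short start
```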



Problem 64(a) Histogramming shows to what degree random numbers cover the given co-domain. This is tested by the following simulation: As here in JavaScript b = 64, choose m of magnitude $2^{32}$, a of magnitude $2^{16}$ and some $0 \le c < m$. Then random numbers

$$y_n = 2^{-r} x_n \quad\text{where}\quad x_{n+1} = (a\,x_n + c) \bmod m$$

are generated and the relative frequency of their occurrence in certain intervals is monitored. Let $h_i = \mathrm{round}\big(100 \cdot P(Y = 2^{-r} X \in [\tfrac{i-1}{5}, \tfrac{i}{5}])\big)$.

[Interactive simulation: parameters a = 1300103, c = 0, m = 4294967296; outputs n and h1, ..., h5 in %; buttons 1, 10, 100, test, reset.]



Problem 64(b) The entropy

$$E = -\sum_{i=0}^{9} p_i \log_2(p_i)$$

i.e. the information content of each decimal digit (bit per decimal digit, bpdd), is maximal for true random numbers (with independent digits). The entropy E is (for evenly distributed digits) maximal

$$E_{\max} = -\sum_{i=0}^{9} \frac{1}{10} \log_2\Big(\frac{1}{10}\Big) = -\log_2\Big(\frac{1}{10}\Big) \approx 3.321928 \text{ bpdd}$$

[Interactive simulation: parameters a = 1300103, c = 0, m = 4294967296, x = 1; outputs n and E; buttons 10, 100, test, reset.]
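The histogram of Problem 64(a) and the entropy of Problem 64(b), computed for the parameters shown in the forms and for a degenerate generator. This is an added example, not the document's own script; the function names are assumptions, as is the reading that the decimal digit of a random number is the leading digit of y = x/m.

```javascript
// y_n = x_n / m with x_{n+1} = (a*x_n + c) mod m.
// For m = 2^32 and a < 2^21 the product a*x stays below 2^53, so doubles are exact.
function lcgSequence(a, c, m, x0, n) {
  const ys = [];
  let x = x0;
  for (let k = 0; k < n; k++) {
    x = (a * x + c) % m;
    ys.push(x / m);
  }
  return ys;
}

// h_i = round(100 * relative frequency of y in the i-th fifth of [0, 1)), i = 1..5.
function histogram5(ys) {
  const counts = [0, 0, 0, 0, 0];
  for (const y of ys) counts[Math.min(4, Math.floor(5 * y))]++;
  return counts.map((k) => Math.round(100 * k / ys.length));
}

// Entropy in bit per decimal digit (bpdd) of the leading decimal digit of each y.
function digitEntropy(ys) {
  const counts = new Array(10).fill(0);
  for (const y of ys) counts[Math.min(9, Math.floor(10 * y))]++;
  let e = 0;
  for (const k of counts) {
    if (k === 0) continue;          // p*log2(p) tends to 0 for p -> 0
    const p = k / ys.length;
    e -= p * Math.log2(p);
  }
  return e;
}

const pageParams = lcgSequence(1300103, 0, 2 ** 32, 1, 10000);
const stuck = lcgSequence(1, 0, 2 ** 32, 1, 10000); // a = 1, c = 0: period 1
console.log(histogram5(pageParams), digitEntropy(pageParams)); // near 20 % each, near 3.32
console.log(histogram5(stuck), digitEntropy(stuck));           // one bin, entropy 0
```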



Problem 64(c) A sequence of pseudo random numbers can be compressed, where the lower the compression rate, the higher the degree of unpredictability. Let the compressibility, with values between 0 and 1, be defined by the ratio

(length of compressed pseudo random number sequence) / (length of uncompressed pseudo random number sequence)

using for example Huffman coding. Compressibility is maximal (1) for true random numbers.



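Problem 64(d) The statistical $\chi^2$-test checks whether two random variables are statistically independent. (It is distribution free, i.e. the distributions of the two variables do not matter.)
It could be applied to check the independence of pairs (x, y) of members of a sequence $(x_i)_{i=0,1,\ldots}$ of random numbers, say $(x_i, x_{i+1})$ or somewhat more general $(x_i, x_{i+d})$ for fixed $d \in \mathbb{N}$. Here, let x be the decimal digits of the pseudo random numbers and d = 1.
Therefore we need to set up the so called contingency table

$$\begin{array}{c|cccccc|c}
x \backslash y & 0 & 1 & \cdots & j & \cdots & 9 & f_{i,\cdot} \\ \hline
0 & f_{0,0} & f_{0,1} & \cdots & f_{0,j} & \cdots & f_{0,9} & f_{0,\cdot} \\
1 & f_{1,0} & f_{1,1} & \cdots & f_{1,j} & \cdots & f_{1,9} & f_{1,\cdot} \\
\vdots & \vdots & \vdots & & \vdots & & \vdots & \vdots \\
i & f_{i,0} & f_{i,1} & \cdots & f_{i,j} & \cdots & f_{i,9} & f_{i,\cdot} \\
\vdots & \vdots & \vdots & & \vdots & & \vdots & \vdots \\
9 & f_{9,0} & f_{9,1} & \cdots & f_{9,j} & \cdots & f_{9,9} & f_{9,\cdot} \\ \hline
f_{\cdot,j} & f_{\cdot,0} & f_{\cdot,1} & \cdots & f_{\cdot,j} & \cdots & f_{\cdot,9} & n
\end{array}$$

with n = # of observations, absolute frequency $f_{i,j} = |\{(i, j)\}|$ and absolute marginal frequencies

$$f_{i,\cdot} = \sum_{j=0}^{9} f_{i,j} \quad\text{and}\quad f_{\cdot,j} = \sum_{i=0}^{9} f_{i,j}$$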


Then, the expected frequency of (i, j) for independent variables x and y is

$$e_{i,j} = \frac{1}{n}\, f_{i,\cdot}\, f_{\cdot,j}$$

Here, sufficiently many observations guarantee that $f_{i,j} \ge 10$ and $e_{i,j} \ge 5$, more than necessary to make the $\chi^2$-test valid.
The two variables are the more dependent the bigger the deviation of the observed frequencies from the expected frequencies. The test statistic $\chi^2$ is $\chi^2$-distributed with $9 \cdot 9 = 81$ degrees of freedom (df).

$$\chi^2 = \sum_{i=0}^{9} \sum_{j=0}^{9} \frac{(f_{i,j} - e_{i,j})^2}{e_{i,j}} = n \left( \sum_{i=0}^{9} \sum_{j=0}^{9} \frac{f_{i,j}^2}{f_{i,\cdot}\, f_{\cdot,j}} - 1 \right)$$

Quantiles $\chi^2_{df,\alpha}$ of the $\chi^2$-distribution are tabulated for different df and levels of significance $\alpha$ (here interpolated for df = 81):

$$\begin{array}{c|cccccccc}
df \backslash \alpha & 0.99 & 0.975 & 0.95 & 0.9 & 0.1 & 0.05 & 0.025 & 0.01 \\ \hline
\cdots & & & & & & & & \\
80 & 53.54 & 57.15 & 60.39 & 64.28 & 96.58 & 101.9 & 106.6 & 112.3 \\
81 & 54.36 & 58.00 & 61.26 & 65.18 & 97.68 & 103.0 & 107.7 & 113.5 \\
\cdots & & & & & & & &
\end{array}$$

see [36]


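[Interactive simulation: parameters a = 1300103, c = 0, m = 4294967296, x = 1 and a field preset to 0.9; shows the contingency table for x, y = 0, ..., 9 with the marginal frequencies and the test statistic; buttons 1, 10, 100, test, reset.]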


Of course, the test can be applied to the sequence of pseudo random numbers for any $d \in \mathbb{N}$. Additionally, the sequence can be considered as a bit string, in order to apply the test to pairs of bit substrings of any given length in any given distance.
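The test of Problem 64(d) carried through for digit pairs at distance d, with the decision taken against the df = 81 quantiles tabulated above. This is an added example, not the document's own script; the function names are assumptions, as is the reading that the decimal digit of a random number is the leading digit of x/m, and the cyclic digit sequence is constructed as a fully dependent reference case.

```javascript
// Leading decimal digits of y_n = x_n / m with x_{n+1} = (a*x_n + c) mod m.
function lcgDigits(a, c, m, x0, n) {
  const digits = [];
  let x = x0;
  for (let k = 0; k < n; k++) {
    x = (a * x + c) % m;
    digits.push(Math.floor(10 * x / m));
  }
  return digits;
}

// Chi-square statistic for the independence of the pairs (x_i, x_{i+d}).
function chiSquarePairs(digits, d = 1) {
  const f = Array.from({ length: 10 }, () => new Array(10).fill(0));
  const row = new Array(10).fill(0), col = new Array(10).fill(0);
  const n = digits.length - d;                  // number of observed pairs
  for (let i = 0; i < n; i++) {
    const x = digits[i], y = digits[i + d];
    f[x][y]++; row[x]++; col[y]++;              // contingency table and marginals
  }
  let chi2 = 0, minExpected = Infinity;
  for (let i = 0; i < 10; i++) {
    for (let j = 0; j < 10; j++) {
      const e = row[i] * col[j] / n;            // expected frequency e_{i,j}
      if (e === 0) continue;                    // digit never occurred: no contribution
      minExpected = Math.min(minExpected, e);
      chi2 += (f[i][j] - e) ** 2 / e;
    }
  }
  return { chi2, n, minExpected };              // the test needs minExpected >= 5
}

// Quantiles for df = 81 as tabulated in the text above.
const QUANTILE_DF81 = { 0.1: 97.68, 0.05: 103.0, 0.025: 107.7, 0.01: 113.5 };

function rejectsIndependence(digits, alpha = 0.05, d = 1) {
  return chiSquarePairs(digits, d).chi2 > QUANTILE_DF81[alpha];
}

const cyclic = Array.from({ length: 1001 }, (_, k) => k % 10); // constructed: 0,1,...,9,0,1,...
console.log(chiSquarePairs(cyclic), rejectsIndependence(cyclic));
console.log(chiSquarePairs(lcgDigits(1300103, 0, 2 ** 32, 1, 20001)));
```

For the cyclic sequence every digit determines its successor, so the statistic reaches its largest possible value 9n and independence is rejected at every tabulated level.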

