Cryptography: Theory and Practice, Third Edition
DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor: Kenneth H. Rosen, Ph.D.

CRYPTOGRAPHY: THEORY AND PRACTICE, THIRD EDITION

Titles in the series:

Juergen Bierbrauer, Introduction to Coding Theory
Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems
Charalambos A. Charalambides, Enumerative Combinatorics
Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography
Charles J. Colbourn and Jeffrey H. Dinitz, The CRC Handbook of Combinatorial Designs
Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses, Constructions, and Existence
Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders
Jacob E. Goodman and Joseph O'Rourke, Handbook of Discrete and Computational Geometry, Second Edition
Jonathan L. Gross and Jay Yellen, Graph Theory and Its Applications, Second Edition
Jonathan L. Gross and Jay Yellen, Handbook of Graph Theory
Darrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to Information Theory and Data Compression, Second Edition
Daryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability: Experiments with a Symbolic Algebra Environment
Derek F. Holt with Bettina Eick and Eamonn A. O'Brien, Handbook of Computational Group Theory
David M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable and Nonorientable Surfaces
Richard E. Klima, Ernest Stitzinger, and Neil P. Sigmon, Abstract Algebra Applications with Maple
Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science and Engineering
William Kocay and Donald L. Kreher, Graphs, Algorithms, and Optimization
Donald L. Kreher and Douglas R. Stinson, Combinatorial Algorithms: Generation, Enumeration, and Search
Charles C. Lindner and Christopher A. Rodgers, Design Theory
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography
Richard A. Mollin, Algebraic Number Theory
Richard A. Mollin, Codes: The Guide to Secrecy from Ancient to Modern Times
Richard A. Mollin, Fundamental Number Theory with Applications
Richard A. Mollin, An Introduction to Cryptography
Richard A. Mollin, Quadratics
Richard A. Mollin, RSA and Public-Key Cryptography
Kenneth H. Rosen, Handbook of Discrete and Combinatorial Mathematics
Douglas R. Shier and K.T. Wallenius, Applied Mathematical Modeling: A Multidisciplinary Approach
Jörn Steuding, Diophantine Analysis
Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition
Roberto Togneri and Christopher J. deSilva, Fundamentals of Information Theory and Coding Design
Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography

CRYPTOGRAPHY: THEORY AND PRACTICE, THIRD EDITION
DOUGLAS R. STINSON, University of Waterloo, Ontario, Canada
Chapman & Hall/CRC, Taylor & Francis Group, Boca Raton, London, New York

The artwork on the cover is reproduced by permission from Ron Shuebrook, Untitled (Monkey Rope Series), 2003. Charcoal on paper, 19 3/4 x 25 1/2 in.

Published in 2006 by Chapman & Hall/CRC, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742.
© 2006 by Taylor & Francis Group, LLC. Chapman & Hall/CRC is an imprint of Taylor & Francis Group. No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 1-58488-508-4 (Hardcover)
International Standard Book Number-13: 978-1-58488-508-5 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data: Catalog record is available from the Library of Congress.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com. Taylor & Francis Group is the Academic Division of Informa plc.

Preface

The first edition of this book, which was published in 1995, contained thirteen chapters. My objective was to produce a general textbook that treated all the essential core areas of cryptography, as well as a selection of more advanced topics.
In writing the book, I tried to design it to be flexible enough to permit a wide variety of approaches to the subject, so that it could be used for both undergraduate and graduate university courses in cryptography in mathematics, computer science and engineering departments.

The second edition, published in 2002, was focused more tightly on the core areas of cryptography that are most likely to be covered in a course. In contrast to the first edition, the second edition contained only seven chapters. At that time, my intention was to write a companion volume containing updated treatments of other chapters from the first edition, as well as chapters covering new topics. Eventually, I changed my plans and I decided to proceed directly to a one-volume, expanded third edition.

This third edition more closely resembles the first edition in its breadth and scope, but it has been almost completely rewritten. It consists of the seven chapters from the second edition, updated where appropriate, and seven new chapters. Here is a brief synopsis of the fourteen chapters in this third edition of "Cryptography: Theory and Practice":

• Chapter 1 is a fairly elementary introduction to simple "classical" cryptosystems. This chapter also presents basic mathematical techniques that are used throughout the book.
• Chapter 2 covers the main elements of Shannon's approach to cryptography, including the concepts of perfect secrecy and entropy and the use of information theory in cryptography.
• Chapter 3 concerns block ciphers. It uses substitution-permutation networks as a mathematical model to introduce many of the concepts of modern block cipher design and analysis, including differential and linear cryptanalysis. There is an emphasis on general principles, and the specific block ciphers that are discussed in this chapter (DES and AES) serve to illustrate these general principles.
• Chapter 4 contains a unified treatment of keyed and unkeyed hash functions and their application to the construction of message authentication codes. There is an emphasis on mathematical analysis and security proofs. This chapter includes a description of the Secure Hash Algorithm.
• Chapter 5 concerns the RSA Cryptosystem, together with a considerable amount of background on number-theoretic topics such as primality testing and factoring.
• Chapter 6 discusses public-key cryptosystems, such as the ElGamal Cryptosystem, that are based on the Discrete Logarithm problem. This chapter also includes material on algorithms for computing discrete logarithms, elliptic curves, and the Diffie-Hellman problems.
• Chapter 7 deals with signature schemes. It presents schemes such as the Digital Signature Algorithm, and it includes treatment of special types of signature schemes such as undeniable and fail-stop signature schemes.
• Chapter 8 covers pseudorandom bit generation in cryptography. It is based on the corresponding chapter in the first edition.
• Chapter 9 deals with identification (entity authentication). The first part of the chapter discusses schemes that are built from simpler cryptographic "primitives" such as signature schemes or message authentication codes. The second part of the chapter is a treatment of special purpose "zero-knowledge" schemes, based on material from the first edition.
• Chapters 10 and 11 discuss various methods for key establishment. Chapter 10 concerns key distribution and Chapter 11 presents protocols for key agreement. These chapters are significantly expanded from the first edition, which covered this material in abbreviated fashion in one chapter (key establishment was not covered in the second edition). There is a greater emphasis on security models and proofs than before.
• Chapter 12 gives an overview of public-key infrastructures, and it also discusses identity-based cryptography as one possible alternative to PKIs. This is a new chapter.
• The topic of Chapter 13 is secret sharing schemes. It is based on a chapter from the first edition.
• Chapter 14 is a new chapter that discusses some topics in multicast security, including broadcast encryption and copyright protection.

The following features are common to all editions of this book:

• Mathematical background is provided where it is needed, in a "just-in-time" fashion.
• Informal descriptions of the cryptosystems are given along with more precise pseudo-code descriptions.
• Numerical examples are presented to illustrate the workings of most of the algorithms described in the book.
• The mathematical underpinnings of the algorithms and cryptosystems are explained carefully and rigorously.
• Numerous exercises are included, some of them quite challenging.

I believe that these features of the book increase its usefulness as a textbook and a book for independent study.

I have tried to present the material in this book in a logical and natural order. Note that it is possible to omit various earlier chapters in order to concentrate on later material, if so desired. However, there are certain chapters which do depend heavily on some earlier chapters. Some of the more important dependencies are the following:

• Chapter 9 uses material from Chapters 4 (MACs) and 7 (signature schemes).
• Section 13.3.2 uses results on entropy from Chapter 2.
• Chapter 14 uses material from Chapters 10 (key predistribution) and 13 (secret sharing).

There are also many situations where specific mathematical tools introduced in one chapter will be used again in a later chapter, but this should not cause difficulty in using the book in a course.

One of the most difficult things about writing any book in cryptography is deciding how much mathematical background to include. Cryptography is a broad subject, and it requires knowledge of several areas of mathematics, including number theory, groups, rings and fields, linear algebra, probability and information theory. As well, some familiarity with computational complexity, algorithms and NP-completeness theory is useful. In my opinion, it is the breadth of mathematical background required that often creates difficulty for students studying cryptography for the first time. I have tried not to assume too much mathematical background, and thus I develop mathematical tools as they are needed, for the most part. But it would certainly be helpful for the reader to have some familiarity with basic linear algebra and modular arithmetic.

Many people pointed out typos and errors in the second edition and draft chapters of the third edition, and gave me useful suggestions on new material to include and how various topics should be treated. In particular, I would like to thank Carlisle Adams, Eike Best, Dameng Deng, Shuhong Gao, K. Gopalakrishnan, Pascal Junod, Torleiv Kløve, Jooyoung Lee, Vaclav Matyas, Michael Monagan, James Muir, Phil Rose, Tamir Tassa, and Rebecca Wright. As always, I will appreciate being informed of any errata, which I will post on a web page.

Douglas R. Stinson
Waterloo, Ontario

To my children, Michela and Aiden

Contents

1 Classical Cryptography
  1.1 Introduction: Some Simple Cryptosystems
    1.1.1 The Shift Cipher
    1.1.2 The Substitution Cipher
    1.1.3 The Affine Cipher
    1.1.4 The Vigenère Cipher
    1.1.5 The Hill Cipher
    1.1.6 The Permutation Cipher
    1.1.7 Stream Ciphers
  1.2 Cryptanalysis
    1.2.1 Cryptanalysis of the Affine Cipher
    1.2.2 Cryptanalysis of the Substitution Cipher
    1.2.3 Cryptanalysis of the Vigenère Cipher
    1.2.4 Cryptanalysis of the Hill Cipher
    1.2.5 Cryptanalysis of the LFSR Stream Cipher
  1.3 Notes
  Exercises
2 Shannon's Theory
  2.1 Introduction
  2.2 Elementary Probability Theory
  2.3 Perfect Secrecy
  2.4 Entropy
    2.4.1 Huffman Encodings
  2.5 Properties of Entropy
  2.6 Spurious Keys and Unicity Distance
  2.7 Product Cryptosystems
  2.8 Notes
  Exercises

3 Block Ciphers and the Advanced Encryption Standard
  3.1 Introduction
  3.2 Substitution-Permutation Networks
  3.3 Linear Cryptanalysis
    3.3.1 The Piling-up Lemma
    3.3.2 Linear Approximations of S-boxes
    3.3.3 A Linear Attack on an SPN
  3.4 Differential Cryptanalysis
  3.5 The Data Encryption Standard
    3.5.1 Description of DES
    3.5.2 Analysis of DES
  3.6 The Advanced Encryption Standard
    3.6.1 Description of AES
    3.6.2 Analysis of AES
  3.7 Modes of Operation
  3.8 Notes and References
  Exercises

4 Cryptographic Hash Functions
  4.1 Hash Functions and Data Integrity
  4.2 Security of Hash Functions
    4.2.1 The Random Oracle Model
    4.2.2 Algorithms in the Random Oracle Model
    4.2.3 Comparison of Security Criteria
  4.3 Iterated Hash Functions
    4.3.1 The Merkle-Damgård Construction
    4.3.2 The Secure Hash Algorithm
  4.4 Message Authentication Codes
    4.4.1 Nested MACs and HMAC
    4.4.2 CBC-MAC and Authenticated Encryption
  4.5 Unconditionally Secure MACs
    4.5.1 Strongly Universal Hash Families
    4.5.2 Optimality of Deception Probabilities
  4.6 Notes and References
  Exercises

5 The RSA Cryptosystem and Factoring Integers
  5.1 Introduction to Public-key Cryptography
  5.2 More Number Theory
    5.2.1 The Euclidean Algorithm
    5.2.2 The Chinese Remainder Theorem
    5.2.3 Other Useful Facts
  5.3 The RSA Cryptosystem
    5.3.1 Implementing RSA
  5.4 Primality Testing
    5.4.1 Legendre and Jacobi Symbols
    5.4.2 The Solovay-Strassen Algorithm
    5.4.3 The Miller-Rabin Algorithm
  5.5 Square Roots Modulo n
  5.6 Factoring Algorithms
    5.6.1 The Pollard p − 1 Algorithm
    5.6.2 The Pollard Rho Algorithm
    5.6.3 Dixon's Random Squares Algorithm
    5.6.4 Factoring Algorithms in Practice
  5.7 Other Attacks on RSA
    5.7.1 Computing φ(n)
    5.7.2 The Decryption Exponent
    5.7.3 Wiener's Low Decryption Exponent Attack
  5.8 The Rabin Cryptosystem
    5.8.1 Security of the Rabin Cryptosystem
  5.9 Semantic Security of RSA
    5.9.1 Partial Information Concerning Plaintext Bits
    5.9.2 Optimal Asymmetric Encryption Padding
  5.10 Notes and References
  Exercises

6 Public-key Cryptography and Discrete Logarithms
  6.1 The ElGamal Cryptosystem
  6.2 Algorithms for the Discrete Logarithm Problem
    6.2.1 Shanks' Algorithm
    6.2.2 The Pollard Rho Discrete Logarithm Algorithm
    6.2.3 The Pohlig-Hellman Algorithm
    6.2.4 The Index Calculus Method
  6.3 Lower Bounds on the Complexity of Generic Algorithms
  6.4 Finite Fields
  6.5 Elliptic Curves
    6.5.1 Elliptic Curves over the Reals
    6.5.2 Elliptic Curves Modulo a Prime
    6.5.3 Properties of Elliptic Curves
    6.5.4 Point Compression and the ECIES
    6.5.5 Computing Point Multiples on Elliptic Curves
  6.6 Discrete Logarithm Algorithms in Practice
  6.7 Security of ElGamal Systems
    6.7.1 Bit Security of Discrete Logarithms
    6.7.2 Semantic Security of ElGamal Systems
    6.7.3 The Diffie-Hellman Problems
  6.8 Notes and References
  Exercises

7 Signature Schemes
  7.1 Introduction
  7.2 Security Requirements for Signature Schemes
    7.2.1 Signatures and Hash Functions
  7.3 The ElGamal Signature Scheme
    7.3.1 Security of the ElGamal Signature Scheme
  7.4 Variants of the ElGamal Signature Scheme
    7.4.1 The Schnorr Signature Scheme
    7.4.2 The Digital Signature Algorithm
    7.4.3 The Elliptic Curve DSA
  7.5 Provably Secure Signature Schemes
    7.5.1 One-time Signatures
    7.5.2 Full Domain Hash
  7.6 Undeniable Signatures
  7.7 Fail-stop Signatures
  7.8 Notes and References
  Exercises

8 Pseudo-random Number Generation
  8.1 Introduction and Examples
  8.2 Indistinguishability of Probability Distributions
    8.2.1 Next Bit Predictors
  8.3 The Blum-Blum-Shub Generator
    8.3.1 Security of the BBS Generator
  8.4 Probabilistic Encryption
  8.5 Notes and References
  Exercises

9 Identification Schemes and Entity Authentication
  9.1 Introduction
  9.2 Challenge-and-Response in the Secret-key Setting
    9.2.1 Attack Model and Adversarial Goals
    9.2.2 Mutual Authentication
  9.3 Challenge-and-Response in the Public-key Setting
    9.3.1 Certificates
    9.3.2 Public-key Identification Schemes
  9.4 The Schnorr Identification Scheme
    9.4.1 Security of the Schnorr Identification Scheme
  9.5 The Okamoto Identification Scheme
  9.6 The Guillou-Quisquater Identification Scheme
    9.6.1 Identity-based Identification Schemes
  9.7 Notes and References
  Exercises

10 Key Distribution
  10.1 Introduction
  10.2 Diffie-Hellman Key Predistribution
  10.3 Unconditionally Secure Key Predistribution
    10.3.1 The Blom Key Predistribution Scheme
  10.4 Key Distribution Patterns
    10.4.1 Fiat-Naor Key Distribution Patterns
    10.4.2 Mitchell-Piper Key Distribution Patterns
  10.5 Session Key Distribution Schemes
    10.5.1 The Needham-Schroeder Scheme
    10.5.2 The Denning-Sacco Attack on the NS Scheme
    10.5.3 Kerberos
    10.5.4 The Bellare-Rogaway Scheme
  10.6 Notes and References
  Exercises

11 Key Agreement Schemes
  11.1 Introduction
  11.2 Diffie-Hellman Key Agreement
    11.2.1 The Station-to-station Key Agreement Scheme
    11.2.2 Security of STS
    11.2.3 Known Session Key Attacks
  11.3 MTI Key Agreement Schemes
    11.3.1 Known Session Key Attacks on MTI/A0
  11.4 Key Agreement Using Self-certifying Keys
  11.5 Encrypted Key Exchange
  11.6 Conference Key Agreement Schemes
  11.7 Notes and References
  Exercises

12 Public-key Infrastructure
  12.1 Introduction
    12.1.1 A Practical Protocol: Secure Socket Layer
  12.2 Certificates
    12.2.1 Certificate Life-cycle Management
  12.3 Trust Models
    12.3.1 Strict Hierarchy Model
    12.3.2 Networked PKIs
    12.3.3 The Web Browser Model
    12.3.4 Pretty Good Privacy
  12.4 The Future of PKI?
    12.4.1 Alternatives to PKI
  12.5 Identity-based Cryptography
    12.5.1 The Cocks Identity-based Encryption Scheme
  12.6 Notes and References
  Exercises

13 Secret Sharing Schemes
  13.1 Introduction: The Shamir Threshold Scheme
    13.1.1 A Simplified $(t, t)$-threshold Scheme
  13.2 Access Structures and General Secret Sharing
    13.2.1 The Monotone Circuit Construction
    13.2.2 Formal Definitions
  13.3 Information Rate and Construction of Efficient Schemes
    13.3.1 The Vector Space Construction
    13.3.2 An Upper Bound on the Information Rate
    13.3.3 The Decomposition Construction
  13.4 Notes and References
  Exercises

14 Multicast Security and Copyright Protection
  14.1 Introduction to Multicast Security
  14.2 Broadcast Encryption
    14.2.1 An Improvement using Ramp Schemes
  14.3 Multicast Re-keying
    14.3.1 The Blacklisting Scheme
    14.3.2 The Naor-Pinkas Re-keying Scheme
    14.3.3 Logical Key Hierarchy
  14.4 Copyright Protection
    14.4.1 Fingerprinting
    14.4.2 Identifiable Parent Property
    14.4.3 2-IPP Codes
  14.5 Tracing Illegally Redistributed Keys
  14.6 Notes and References
  Exercises

Further Reading
Bibliography
Index

1 Classical Cryptography

In this chapter, we provide a gentle introduction to cryptography and cryptanalysis. We present several simple systems, and describe how they can be "broken." Along the way, we discuss various mathematical techniques that will be used throughout the book.

1.1 Introduction: Some Simple Cryptosystems

The fundamental objective of cryptography is to enable two people, usually referred to as Alice and Bob, to communicate over an insecure channel in such a way that an opponent, Oscar, cannot understand what is being said. This channel could be a telephone line or computer network, for example.
The information that Alice wants to send to Bob, which we call "plaintext," can be English text, numerical data, or anything at all; its structure is completely arbitrary. Alice encrypts the plaintext, using a predetermined key, and sends the resulting ciphertext over the channel. Oscar, upon seeing the ciphertext in the channel by eavesdropping, cannot determine what the plaintext was; but Bob, who knows the encryption key, can decrypt the ciphertext and reconstruct the plaintext. These ideas are described formally using the following mathematical notation.

Definition 1.1: A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following conditions are satisfied:

1. $\mathcal{P}$ is a finite set of possible plaintexts;
2. $\mathcal{C}$ is a finite set of possible ciphertexts;
3. $\mathcal{K}$, the keyspace, is a finite set of possible keys;
4. For each $K \in \mathcal{K}$, there is an encryption rule $e_K \in \mathcal{E}$ and a corresponding decryption rule $d_K \in \mathcal{D}$. Each $e_K : \mathcal{P} \to \mathcal{C}$ and $d_K : \mathcal{C} \to \mathcal{P}$ are functions such that $d_K(e_K(x)) = x$ for every plaintext element $x \in \mathcal{P}$.

FIGURE 1.1 The communication channel. [Figure: Alice's plaintext x enters the encrypter; the ciphertext crosses the channel, where Oscar can eavesdrop, to the decrypter and Bob; the key K is supplied by a key source over a secure channel.]

The main property is property 4. It says that if a plaintext $x$ is encrypted using $e_K$, and the resulting ciphertext is subsequently decrypted using $d_K$, then the original plaintext results.

Alice and Bob will employ the following protocol to use a specific cryptosystem. First, they choose a random key $K \in \mathcal{K}$. This is done when they are in the same place and are not being observed by Oscar, or, alternatively, when they do have access to a secure channel, in which case they can be in different places. At a later time, suppose Alice wants to communicate a message to Bob over an insecure channel. We suppose that this message is a string $x = x_1 x_2 \cdots x_n$ for some integer $n \ge 1$, where each plaintext symbol $x_i \in \mathcal{P}$, $1 \le i \le n$.

… $d > 1$. Then the congruence $ax \equiv 0 \pmod{26}$ has (at least) two distinct solutions in $\mathbb{Z}_{26}$, namely $x = 0$ and $x = 26/d$. In this case $e(x) = (ax + b) \bmod 26$ is not an injective function and hence not a valid encryption function. For example, since $\gcd(4, 26) = 2$, it follows that $4x + 7$ is not a valid encryption function: $x$ and $x + 13$ will encrypt to the same value, for any $x \in \mathbb{Z}_{26}$.

Let's next suppose that $\gcd(a, 26) = 1$. Suppose for some $x_1$ and $x_2$ that $ax_1 \equiv ax_2 \pmod{26}$. Then $a(x_1 - x_2) \equiv 0 \pmod{26}$,
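The injectivity condition just described, together with property 4 of Definition 1.1, can be checked mechanically over the whole of $\mathbb{Z}_{26}$. The Python below is an added example written for this page, not code from the book; the function names are my own, and the key is taken to be the pair $(a, b)$ with $e_K(x) = (ax + b) \bmod 26$. It lists the colliding plaintext pairs when $\gcd(a, 26) > 1$ (reproducing the text's "$x$ and $x + 13$" case for $a = 4$), confirms that a key with $\gcd(a, 26) = 1$ satisfies $d_K(e_K(x)) = x$ for every $x$, and counts the keys that pass the test.

```python
from math import gcd

MOD = 26  # the alphabet Z_26 used in the text (A = 0, ..., Z = 25)


def affine_encrypt(a, b, x):
    """e_K(x) = (a*x + b) mod 26 for the key K = (a, b)."""
    return (a * x + b) % MOD


def affine_decrypt(a, b, y):
    """d_K(y) = a^{-1} (y - b) mod 26.

    a^{-1} exists only when gcd(a, 26) = 1; Python's three-argument pow
    raises ValueError otherwise, which is the right failure for a bad key.
    """
    a_inv = pow(a, -1, MOD)
    return (a_inv * (y - b)) % MOD


def is_valid_affine_key(a, b):
    """An affine key (a, b) is valid exactly when gcd(a, 26) = 1."""
    return 0 <= b < MOD and gcd(a, MOD) == 1


def collisions(a, b):
    """All pairs (x1, x2), x1 < x2, with e_K(x1) == e_K(x2).

    Empty exactly when e_K is injective, i.e. when gcd(a, 26) = 1.
    For gcd(a, 26) = d > 1 every x collides with x + 26/d (mod 26), since
    a * (26/d) is a multiple of 26; for d = 2 that is the text's x + 13.
    """
    first_preimage = {}
    pairs = []
    for x in range(MOD):
        y = affine_encrypt(a, b, x)
        if y in first_preimage:
            pairs.append((first_preimage[y], x))
        else:
            first_preimage[y] = x
    return pairs


def satisfies_definition_1_1(a, b):
    """Property 4 of Definition 1.1: d_K(e_K(x)) = x for every x in P."""
    if not is_valid_affine_key(a, b):
        return False
    return all(affine_decrypt(a, b, affine_encrypt(a, b, x)) == x
               for x in range(MOD))


def count_valid_keys():
    """Number of keys (a, b) with gcd(a, 26) = 1: phi(26) * 26 = 12 * 26."""
    return sum(1 for a in range(MOD) for b in range(MOD)
               if is_valid_affine_key(a, b))


if __name__ == "__main__":
    # The text's example: gcd(4, 26) = 2, so 4x + 7 is not injective.
    print("collisions for (4, 7):", collisions(4, 7))
    print("valid key?", is_valid_affine_key(4, 7))
    # A valid key, gcd(7, 26) = 1: no collisions and decryption inverts encryption.
    print("collisions for (7, 3):", collisions(7, 3))
    print("Definition 1.1 holds:", satisfies_definition_1_1(7, 3))
    print("number of valid affine keys:", count_valid_keys())
```

Running the script shows the thirteen pairs $(0, 13), (1, 14), \ldots, (12, 25)$ for the key $(4, 7)$, an empty list for $(7, 3)$, and 312 valid keys in total; the last figure is why the affine cipher's keyspace is so small that exhaustive search is trivial.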
