
Hochschule Bremen, Department of Computer Science

Mathematical Puzzles

Prof. Dr. Th. Risse

An amusing, brisk and cool, enriching and entertaining, informative and oriented towards practical applications, playful, relevant and rewarding, stimulating, thought-provoking little contribution to the (general) mathematical education!

© 2002–2014 risse(at)hs-bremen.de. Last Revision Date: August 8, 2014. Version 0.5

Table of Contents

0. Introduction

1. Riddles [7]
• Measuring with Two Jugs • Races • Census and its Boycott • Zig-Zag between Trains • Outward and Return Journey • Magic Squares • Conspicuous Text • No Talk about Money • Corrupt Postal System • Equal Opportunities • Two and More Eyes

2. More Riddles [11]
• Matches • Decanting • Analytical Riddles I • Analytical Riddles II • Analytical Riddles III • Analytical Riddles IV • Analytical Riddles V • Crossing a Bridge • Synthetic Riddles I • Synthetic Riddles II • Synthetic Riddles III • Synthetic Riddles IV • Dialectic Riddle • Riddles, 588 • Riddles, 622 • Labyrinth, 652 • Riddles, 680 • Riddles, 708 • Riddles, 734 • Riddles, 750 • Riddles, 772

3. Prime Numbers
• Fermat-Numbers • Euler-Numbers • Mersenne-Numbers

4. Computations with Remainders
• Crucial is What is Left Over • Computing With Remainders • Adroit Computing With Remainders • Euclid & little Fermat • Fermat, Euler and More • Chinese Stuff • Galois Fields GF(p) • Galois Fields GF(p^n)

5. Cryptography
• Caesar and Cohorts • Caesar in General • Vigenere and Accomplices • Permutations • DES • Public Keys? • RSA • AES • Elliptic Curves over R • Elliptic Curves over GF(p) • Elliptic Curves over GF(2^m) • Elliptic Curve Cryptography, ECC

6. Compression
• Exploiting Relative Frequencies • Using Dictionaries

7. Probability & Intuition
• Cards & Goats • Algorithms to Generate Chance? • What is Randomness?

8. Sources and Links

Solutions to Problems

0. Introduction

To begin with you'll find some mathematical riddles. But there is more serious stuff: several algorithms to be tried out are provided by this document to explore procedures of cryptography, coding, probability, etc. There are other documents that are interactive in this sense, e.g. www.weblearn.hs-bremen.de/risse/MAI/docs/numerics.pdf or www.weblearn.hs-bremen.de/risse/MAI/docs/heath.pdf (German).

The functionality of PDF documents provides

• convenient selection of problem areas of interest or of single problems and, uniquely, execution of algorithms,
• easy navigation between problem and solution and vice versa,
• simple visits to the numerous links to information on our WebDAV server or in the WWW.

1. Riddles [7]

• Measuring with Two Jugs

Problem 1. There are two jugs at hand with capacities of p ℓ and q ℓ and any amount of water. What quantities m of water can be measured out?

(a) p = 5, q = 3, m = 4
(b) p = 5, q = 3, m = 1
(c) p = 4, q = 9, m = 1, 2, ..., 13
(d) p = 6, q = 3, m = 4

• Races

Problem 2.

(a) Climbing a 3000 m mountain top, Sisyphos makes 300 m a day only to lose 200 m again each night. When does Sisyphos reach the top?

(b) At a 100 m race the first runner A beats the second B by 10 m, and the second B beats the third C by 10 m. How many metres is the first runner A ahead of the third C when crossing the finishing line?

• Census and its Boycott

Problem 3.

(a) At a census there is the following dialog:
Field helper: Number of children?
Citizen: Three!
Field helper: Age of your children in whole numbers?
Citizen: The product of the ages is 36.
Field helper: This is not a sufficient answer!
Citizen: The sum of the ages equals the number of the house of our next neighbour. (The field helper acquires the number.)
Field helper: That is still not a sufficient answer!
Citizen: Our eldest child plays the piano.
How old are the three children?

• Zig-Zag between Trains

Problem 4.

(a) Two trains start on the same line 100 km apart and drive at 50 km/h towards each other. A fly flies from one to the other at 75 km/h. How many kilometres has the fly travelled up to its unavoidable fate?

• Outward and Return Journey

Problem 5.

(a) In A somebody gets up at sunrise and walks with many rests to B, where he arrives at sunset. The next day he walks back on the same route, again pausing a bit here and there. There is a point of the route which the roamer passes at the same time of day both on the outward and on the return journey.

• Magic Squares

Problem 6.

(a) Magic squares are natural numbers arranged in a square grid, i.e. a square matrix, such that the sums of all numbers in each row, in each column, and in each diagonal are all the same!

    a b c
    d e f
    g h i

with a + b + c = s, ..., a + d + g = s, ..., a + e + i = s, ...

Taking symmetry into consideration, there is exactly one magic square consisting of the natural numbers 1, 2, ..., 9 arranged in a 3×3 matrix.

• Conspicuous Text

Problem 7.

(a) Study this paragraph and all things in it. What is virtually wrong with it? Actually, nothing in it is wrong, but you must admit that it is most unusual. Don’t zip through it quickly, but study it scrupulously. With luck you should spot what is so particular about it. Can you say what it is? Tax your brains and try again. Don’t miss a word or a symbol. It isn’t all that difficult.

• No Talk about Money

Problem 8.

(a) The boss in an office wants to determine the average salary of his employees without getting to know individual salaries and thus breaking privacy. How does he proceed?

• Corrupt Postal System

Problem 9.

(a) In a corrupt postal system each letter is opened and the content stolen independently of its value. Only securely closed strong boxes are delivered reliably (because it takes too much hassle to open them). How can Bob send a valuable item to Alice in some strong box which can be locked with several locks, when they both can communicate about the transfer?

• Equal Opportunities

Problem 10.

(a) Alice and Bob live in different cities and decide to go to see each other in turns. They want to find out who starts to drive to the other by tossing a coin. How do they find out if they live in different cities?

• Two and More Eyes

Problem 11. It is called the Two Eyes Principle if two persons each with a separate key are necessary to open a treasure box, or if two passwords are necessary to open a file. Each person opens her/his lock of the treasure box with her/his own key or adds her/his part of the password to complete the password.

(a) Alice, Bob and Claire own a treasure box with several locks. They want to make sure that only at least two persons together can get at the content of the treasure box. How many locks and how many keys to each lock do they need?

(b) Now, Alice, Bob, Claire and Denis want to be sure that only at least two persons together can open the treasure box. Minimally how many locks and minimally how many keys to each lock do they need?

(c) Only at least m persons together out of a total of n persons are meant to be able to open the treasure box. How many locks, how many keys do they need?

2. More Riddles [11]

• Matches

Problem 12. Move a given number of matches in order to generate a given number of equally sized squares.

(a) Move four matches in order to generate three equally sized squares.
(b) Move two matches in order to generate four equally sized squares.
(c) Move three matches in order to generate three equally sized squares.
(d) Move three matches in order to generate five equally sized squares.

• Decanting

Problem 13.

(a) How can one get 6 litres of water from a river if only a four-litre and a nine-litre bucket are available?

(b) How can one get exactly 1 litre from a container if only a 3-litre and a 5-litre container are available?

(c) An 8-litre canister is filled with wine. How to decant 4 litres if only a 3-litre and a 5-litre jug are available?

(d) A barrel contains 18 litres of wine. There is a 2-litre can, a 5-litre jug and an 8-litre bucket. How to distribute the wine such that the barrel contains half of it, the bucket a third, the jug a sixth?

• Analytical Riddles I

Problem 14.

(a) Let the sum of the ages of a family of four, father, mother, and two children, be 124. The parents together are three times as old as the children. The mother is more than twice as old as the oldest child. Age of father minus age of mother is nine times the difference age of the oldest minus age of the youngest child. How old is each member of the family?

(b) Emil is 24 years old. Hence, he is twice as old as Anton was when Emil was as old as Anton is now. How old is Anton?

(c) In a supermarket one gets a discount of 20%, but has to pay 15% turnover tax. What is best, first to deduct the discount or first to pay the tax?

(d) [Figure: L-shaped area with side lengths 2, 2, 1, 1] The L-shaped area is to be divided into four congruent subareas.

(e) If Fritz was 5 years younger then he was twice as old as Paul was when he was 6 years younger. If Fritz was 9 years older then he was thrice as old as Paul when Paul was 4 years younger. How old are Fritz and Paul?

• Analytical Riddles II

Problem 15.

(a) [Figure: triangle with edge labels 11, 18, 27] The vertices of the triangle are labeled with unknown integers. The edges are labeled with the sum of the labels of the incident vertices. What are the vertex labels?

(b) Hans is 34 years old, his wife is 30 and his daughter 7 years old. How many years ago were wife and daughter together as old as Hans?

(c) Three geese together weigh 10 kg. The second goose is by a third heavier than the first one. The third goose is by a fourth lighter than the second one. What are the weights of the geese?

(d) Are there four positive integers summing up to 79 such that
• the second is by one smaller than double the first,
• the third is by one smaller than double the second,
• the fourth is by one smaller than double the third?

(e) Loaded with sacks, a mule and a donkey trudge somewhere. When the donkey groaned under the load the mule said: What are you complaining about? Double your load I'd have to carry if you'd give me a sack. And we both would carry the same number of sacks if you'd take one of my sacks. How many sacks did the donkey and how many did the mule carry?

• Analytical Riddles III

Problem 16.

(a) What is the radius of a circle with the same number of inches circumference as the number of square inches area?

(b) A train passes the station master in 7 sec. The platform is 330 m long. It takes 18 sec from the beginning of the platform and the locomotive to the end of the platform and the last railway car. How long is the train and how fast is it going?

(c) A worker produces parts at a rate of 10 parts a day for the first half of the lot and at a rate of 30 parts a day for the second half. How many parts per day did the worker produce on average?

(d) Are all palindromic numbers with four decimal digits divisible by 11?

(e) As I was going to St. Ives / I met a man with seven wives. / Each wife had seven sacks, / Each sack had seven cats, / Each cat had seven kids, / Kids, cats, sacks, wives, / How many were going to St. Ives?

(f) By which fraction does four fourths exceed three fourths?

• Analytical Riddles IV

Problem 17.

(a) If 5 cats catch 5 mice in 5 minutes, how many cats catch 100 mice in 100 minutes?

(b) How to multiply

(c) One and a half hens lay one and a half eggs in one and a half days. How many eggs do seven hens lay in six days?

(d) There are four types of balls: A, B, C, and D. Balls of the same type have the same weight. It is known that
• two balls of type B are as heavy as one ball of type A,
• three balls of type C are as heavy as one ball of type B,
• two balls of type D are as heavy as one ball of type C.
How many balls of type D are as heavy as one ball of type A?

(e) A family consisted of father, mother, two sons and two daughters. The product of the integer ages of all female family members is 5291, that of the integer ages of all male family members is 3913. Two children of the family are twins. Do these twins have the same or different sex?

• Analytical Riddles V

Problem 18.

(a) With constant speed a train crosses a 255 m long bridge in 27 sec, from the of the locomotive to the bridge until the of the last railway car from the bridge. The train passes a pedestrian walking in the opposite direction of the train in 9 sec, during which time the pedestrian moves 9 m. How long is the train and how fast is it?

(b) $x^2 - x^2 = x^2 - x^2 \Rightarrow (x + x)(x - x) = x(x - x) \Rightarrow x + x = x \Rightarrow 2x = x \Rightarrow 2 = 1$. Where is the mistake?

(c) All divisions are integer divisions. If one increases the dividend by 65 and the divisor by 5, then neither quotient nor remainder changes. What is this quotient?

(d) Is it possible to find five positive integers in succession such that the sum of the squares of the two biggest equals the sum of the squares of the three remaining numbers?

(e) A bottle of wine costs 9 Euro. The wine costs 8 Euro more than the bottle. How expensive is the bottle?

(f) A farmer grows wheat on one third of his land, peas on one fourth, beans on one fifth and corn on the remaining 26 ha. How big is his land?

(g) Heini and Carl rest. One unpacks five sausages, the other three sausages. Egon comes along and wants to join in the meal: 'I am willing to pay!' Heini and Carl agree. Afterwards Egon pays 8 Euro to Heini and Carl. How do Heini and Carl have to share this money?

(h) A farmer has 17 cows. In his will he bequeaths half of the cows to his oldest son, one third to his middle son and one ninth to his youngest son. No cow is to be slaughtered. How can a neighbour help the sons to share the cows?

• Crossing a Bridge

Problem 19.

(a) Four persons have to cross a suspension bridge at night. To do so one needs a torch. There is only one torch available, with a maximal burn time of one hour. There must not be more than two persons on the bridge at the same time. The four persons take different times to cross the bridge: A: 5 min, B: 10 min, C: 20 min, D: 25 min. The slower person sets the speed. In which order do the four persons have to cross the bridge so that all four reach the other side within one hour?

• Synthetic Riddles I

Problem 20.

(a) [Figure: equilateral triangle] The equilateral triangle can be partitioned into three congruent subtriangles. [Figure: L-shaped figure with side lengths 2, 2, 1, 1] The L-shaped figure can be partitioned into four congruent (L-shaped) subfigures. Can also a square be partitioned into five congruent subfigures?

(b) [Figure: arrangement of coins] The coins are to be moved so that two straight rows with four coins each are produced.

(c) [Figure: nine dots] The nine dots are to be connected in one stroke by four straight lines.

(d) Each of the 30 vassals has to pay 30 gold coins to the king. One of them is known to pay with 9 g coins instead of the obligatory 10 g coins. How can the king identify the fraudster with a single weighing?

• Synthetic Riddles II

Problem 21.

(a) Three farmers together order a plough for 30 taler. Each farmer pays 10 taler. Delivering the plough, the blacksmith thinks it too expensive, 25 taler would be enough. So he sends the apprentice to return 5 taler. The apprentice cannot cut 5 taler into thirds. So he returns one taler to each farmer and keeps 2 taler. Summing up, the farmers paid 9 taler each, the apprentice kept 2 taler, which amounts to 29 taler. Where is the thirtieth taler?

(b) With six matches construct four equilateral triangles.

(c) Plant ten trees such that these trees form five straight lines of four trees each.

(d) A square beer tray accommodates 36 bottles. Is it possible to store 14 bottles such that the number of bottles in each row and column is even?

• Synthetic Riddles III

Problem 22.

(a) Expand $(x - a)(x - b) \cdots (x - z)$.

(b) A very heavy armchair is to be moved. But it can only be turned around its corners by exactly 90°. Is it possible that the armchair eventually will sit in a position directly adjacent to the start position so that the back rest is again behind?

(c) Off a chess board two opposite corner squares are removed. Is it possible to cover the modified chess board with domino pieces if a domino piece covers exactly two chess squares?

(d) In order to square a two-decimal-digit number z5 with least significant digit 5, one multiplies z and z + 1 and writes 25 after the result, e.g. $75^2 = (7 \cdot 8) \cdot 100 + 25 = 5625$. Does the trick always work?

• Synthetic Riddles IV

Problem 23.

(a) A cuboid is to be sawn up into 27 congruent little cuboids. This is possible with six cuts. Is it also possible with fewer cuts?

(b) [Figure: houses of cards with 1 floor, 2 floors, 3 floors] Build a house of cards as indicated. How many cards do you need?

(c) Find with three weighings on a beam balance without separate weights whether one of the 12 golden doubloons is fake and as such lighter or heavier than a true doubloon.

(d) Is there a sequence of numbers such that every decimal digit 0 to 9 occurs exactly once in them and they sum up to 100?

• Dialectic Riddle

Problem 24.

(a) Three captives are released if they solve the following task: they are blindfolded and positioned in an equilateral triangle looking to its center of gravity. Behind each of them is set up one of five flags, three white and two black ones. The two leftover flags are discarded. Then the blindfolds are removed and each captive tries to determine the color of the flag behind. After quite a while of intense consideration they nearly at the same time name the correct color of the flag behind them. How is that?

• Riddles, 588

Problem 25.

(a) 81 persons take part in a cross country run, twice as many men as women. The number of children and twens is half the number of adults. Twice as many twens as children take part. How many men, women, twens, and children take part?

(b) FFFEEE symbolizes a row of six glasses, three full and three empty ones. Touch/move only one glass (full or empty) to get a row of glasses in which every second is full and every second is empty.

(c) [Figure: equation laid out with matches] Move only one match to get a correct equation.

(d) Engine driver, stoker and conductor of a train are Mr. J., M., and B. On the train there are travellers Dr. J., Dr. M., and Dr. B.
1. Dr. B. lives in Charlottenburg.
2. Dr. J. earns 5000 Euro a month.
3. The conductor lives half way between Charlottenburg and Nurnberg.
4. His neighbour, one of the passengers, earns exactly thrice as much as he earns.
5. The namesake of the conductor lives in Nurnberg.
6. M. beats the stoker in chess.
What is the name of the engine driver?

(e) Robert collects lizards, beetles, and worms. He has got more worms than lizards and beetles together. In total he has got 12 specimens with 26 little legs. How many lizards has Robert?

(f) Three men each have two jobs. The chauffeur insulted the musician. Musician and gardener together go fishing. The painter is borrowing from the merchant. The chauffeur flirts with the sister of the painter. Claus owes the gardener 20 Euro. Joe beats Claus and the painter when playing chess. One of them is a barber. No two of them have the same job. Who has which jobs?

(g) Five women are sitting around a round table. Mrs. Oßwald sits between Mrs. Lutz and Mrs. Martin. Erika sits between Katy and Mrs. Neidlinger. Mrs. Lutz sits between Erika and Alice. Katy and Doris are sisters. Bettina's neighbour to the left is Mrs. Pieper, and to the right it is Mrs. Martin. Who with which first and which last name is sitting where?

• Riddles, 622

Problem 26.

(a) Are there 204 squares on a standard chess board?

(b) Drawing any number of lines through some square partitions the square into disjoint regions. How many colors are needed at least to color these regions such that no two adjacent regions have the same color?

(c) Mrs. A., E., I., O. and U. work in a star-shaped office with a central main office and offices in the north, west, south and east. The wing offices are connected by the main office. Before A. and I exchanged work places, my office was north of O.'s, who worked east of U., who worked west of E. At that time A. worked east of I. In addition, A. had to turn right in the central office when she went to see E., whereas I had to walk straight through the central office when I went to see A. Who works where? And who is "me"?

• Labyrinth, 652

Problem 27.

(a) Find the intersection-free path through the labyrinth back to the starting point.

• Riddles, 680

Problem 28.

(a) How can one measure 15 min using a 7-min and an 11-min sandglass?

• Riddles, 708

Problem 29.

(a) Mr. Punctual sets his clock on Saturday noon by the radio. On Sunday noon he recognizes that his clock is six minutes late. What is the time on his clock on Monday at 8h?

(b) At a bakery a woman buys half of all breads and half a loaf. Then, a second woman buys half of all remaining breads and half a loaf. After that, a third woman buys half of all remaining breads and half a loaf. Now, all breads are sold. How many breads did the baker sell?

(c) An automatic stamp tool prints consecutive numbers starting with 0, one number per second. How often does it print the digit 1 in the first quarter of an hour?

• Riddles, 734

Problem 30.

(a) If campaigners group themselves in rows of two, three, up to ten, then in each case there is one campaigner too few. How many campaigners are there, if there are fewer than 5000 campaigners?

(b) 'My sister, you have as many brothers as sisters!' 'My brother, you have twice as many sisters as brothers!' What is the number of children in this family?

(c) The difference of the ages of two sisters is four. The difference of the cube of the age of the first and the cube of the age of the second is 988. How old is each sister?

• Riddles, 750

Problem 31.

(a) On a farm there are equally many cows, pigs, horses and rabbits. There is a plague and all complain: Father: every fifth cow died. Mother: there are as many dead horses as surviving pigs. Son: the new percentage of rabbits (out of the survivors) is 5/14. Grandma: death has hit each kind of animal. Prove that grandma is wrong.

• Riddles, 772

Problem 32.

(a) A bottle of wine costs 9 Euro. The wine costs 8 Euro more than the bottle. What is the price of the bottle only?

(b) A father bequeaths his three sons 30 wine barrels, ten of which are full, ten half empty and ten empty. How to divide barrels and wine so that each son gets the same number of barrels and the same amount of wine?

3. Prime Numbers

In all modern cryptographic algorithms prime numbers play a decisive role. On top of that, prime numbers have challenged not only mathematicians for millennia, and (futile) attempts to generate prime numbers algorithmically date back centuries.

• Fermat-Numbers

Problem 33. Fermat¹ numbers are specified by

$F(n) = 2^{2^n} + 1$

(a) Fermat himself misleadingly believed to enumerate (all?) prime numbers in this way.

¹ Pierre Fermat (1601-1665) www-history.mcs.st-and.ac.uk/history/Biographies/Fermat.html

• Euler-Numbers

Problem 34. Euler² numbers are defined by

$E(n) = n^2 - n + 41$

(a) Only the first 40 Euler-numbers are prime.

² Leonhard Euler (1707-1783) www-history.mcs.st-and.ac.uk/Biographies/Euler.html

• Mersenne-Numbers

Problem 35. Mersenne³ numbers are defined by

$M(n) = 2^n - 1$

(a) Only some Mersenne numbers are prime. But,

$n \text{ not prime} \Rightarrow M(n) \text{ not prime}$

Unfortunately, M(n) is not necessarily prime if n is prime, as already a small ($< 2^{12}$) Mersenne number with four digits shows.

³ Marin Mersenne (1588-1648) www-history.mcs.st-and.ac.uk/Biographies/Mersenne.html
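As an added example (my code, not part of the original document), the following Python generates the Fermat, Euler and Mersenne numbers defined in Problems 33 to 35 and checks them by trial division; it exhibits F(5) as the first composite Fermat number, the first composite Euler numbers, and M(11) = 2047 as the four-digit Mersenne number with prime exponent that is nevertheless composite. All function names are my own.

```python
# Added example, not part of the original document: generate the Fermat,
# Euler and Mersenne numbers of Problems 33-35 and test them for primality.
# Trial division is enough for the small indices examined here.


def smallest_factor(n: int) -> int:
    """Smallest prime factor of n >= 2 (n itself when n is prime)."""
    if n < 2:
        raise ValueError("n must be >= 2")
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n


def is_prime(n: int) -> bool:
    return n >= 2 and smallest_factor(n) == n


def fermat_number(n: int) -> int:
    """F(n) = 2^(2^n) + 1."""
    return 2 ** (2 ** n) + 1


def euler_number(n: int) -> int:
    """E(n) = n^2 - n + 41."""
    return n * n - n + 41


def mersenne_number(n: int) -> int:
    """M(n) = 2^n - 1."""
    return 2 ** n - 1


def first_composite_fermat():
    """(index, smallest factor) of the first composite Fermat number.
    Only F(0)..F(5) are examined; F(6) onwards is too big for trial division."""
    for n in range(6):
        f = fermat_number(n)
        if not is_prime(f):
            return n, smallest_factor(f)
    raise RuntimeError("unexpected: F(0)..F(5) all prime")


def composite_euler_indices(limit: int) -> list:
    """All n < limit for which E(n) is not prime."""
    return [n for n in range(limit) if not is_prime(euler_number(n))]


def mersenne_prime_exponent_failures(limit: int) -> list:
    """Prime exponents n < limit whose M(n) is nevertheless composite,
    each paired with the smallest factor of M(n)."""
    out = []
    for n in range(2, limit):
        if is_prime(n) and not is_prime(mersenne_number(n)):
            out.append((n, smallest_factor(mersenne_number(n))))
    return out


def composite_exponents_give_composites(limit: int) -> bool:
    """Checks 'n not prime => M(n) not prime' for all composite 4 <= n < limit."""
    return all(not is_prime(mersenne_number(n))
               for n in range(4, limit) if not is_prime(n))


if __name__ == "__main__":
    print("first composite Fermat number: F(%d), smallest factor %d" % first_composite_fermat())
    print("composite Euler numbers below 50 at n =", composite_euler_indices(50))
    print("prime exponents < 20 with composite M(n):", mersenne_prime_exponent_failures(20))
    print("composite n => composite M(n) holds for n < 40:", composite_exponents_give_composites(40))
```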

4. Computations with Remainders

• Crucial is What is Left Over

Modulo arithmetic, i.e. computation with remainders, is essential (not only) in cryptography.

$n \bmod m = r \iff n = v m + r$ for $n, v \in \mathbb{Z}$, $m, r \in \mathbb{N}$ and $0 \le r < m$

Problem 36.

(a) Which day of the week do we have in n days?
(b) Which day of the week did we have n days ago?
(c) How is the UNIX date computed, if an internal counter counts the seconds since 1.1.1970 0h?

• Computing With Remainders

$n \equiv r \pmod m \iff m \mid (n - r) \iff n - r = v \cdot m$ for $m, r, v \in \mathbb{N}$ and $0 \le r < m$

Problem 37.

(a) Connection of $n \bmod m = r$ and $n \equiv r \pmod m$?

(b) Additivity, multiplicativity:

$n_1 \equiv r_1 \pmod m,\ n_2 \equiv r_2 \pmod m \Rightarrow (n_1 \pm n_2) \equiv (r_1 \pm r_2) \pmod m$ and $(n_1 \cdot n_2) \equiv (r_1 \cdot r_2) \pmod m$

(c) Scalar multiples, powers:

$n \equiv r \pmod m \Rightarrow c \cdot n \equiv c \cdot r \pmod m$ for each $c \in \mathbb{N}$, and $n^p \equiv r^p \pmod m$ for each $p \in \mathbb{N}$

(d) Transitivity:

$r \equiv s \pmod m,\ s \equiv t \pmod m \Rightarrow r \equiv t \pmod m$

• Adroit Computing With Remainders

Let $s(n) = \sum_{i=0}^{\infty} z_i$ denote the cross sum (digit sum) of $n = \sum_{i=0}^{\infty} z_i 10^i$.

Problem 38. Better to test divisibility than to divide!

(a) $3 \mid s(n) \Rightarrow 3 \mid n$ as well as $9 \mid s(n) \Rightarrow 9 \mid n$. Compute 1234567890 mod 3, 1234567890 mod 9 etc.

(b) $11 \mid \sum_{i=0}^{\infty} (-1)^i z_i \Rightarrow 11 \mid \sum_{i=0}^{\infty} z_i 10^i$. Compute 1234567890 mod 11 etc.

(c) The last digit of the 10-digit ISBN is a check digit, an error checking number, namely $n \bmod 11$ if $n = \sum_{i=1}^{9} i \cdot z_i$ denotes the weighted sum $1 \cdot z_1 + 2 \cdot z_2 + \ldots + 9 \cdot z_9$ of the first nine digits $z_1 \ldots z_9$. (In case $n \bmod 11 = 10$ the check digit is represented by X.)

(d) $7 \mid \sum_{i=0}^{\infty} \left( z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} - z_{7i+3} - 3 z_{7i+4} - 2 z_{7i+5} + z_{7i+6} \right) \Rightarrow 7 \mid \sum_{i=0}^{\infty} z_i 10^i$. Compute 1234567890 mod 7 etc.

(e) Parity, ECC, CRC, RSC, ...?

• Euclid & little Fermat

Problem 39. gcd(a, b) denotes the greatest common divisor of $a \in \mathbb{N}$ and $b \in \mathbb{N}$, i.e. $\gcd(a, b) = d \in \mathbb{N}$ with $d \mid a$ and $d \mid b$ as well as maximality, i.e. $d' \mid a,\ d' \mid b \Rightarrow d' \mid d$.

(a) For $a, b \in \mathbb{N}$ holds $\gcd(a, b) = \gcd(a, b \bmod a) = \gcd(b, a \bmod b)$.

(b) By iteration we get the (terminating) Euclidean⁴ algorithm.

(c) Fermat's⁵ Little Theorem, FLT: if p is prime then

$a^{p-1} \equiv 1 \pmod p$

for all $a \in \mathbb{N}$ with $\gcd(a, p) = 1$. Contraposition:

$a^{n-1} \not\equiv 1 \pmod n$ for one $a \in \mathbb{N} \Rightarrow n$ is composite!

(d) The implication $n \text{ prime} \Rightarrow n \mid 2^{n-1} - 1$ holds, but not its converse $n \text{ prime} \Leftarrow n \mid 2^{n-1} - 1$.

⁴ Euclid of Alexandria (ca 325-265) www-history.mcs.st-and.ac.uk/Biographies/Euclid.html

⁵ Pierre Fermat (1601-1665) www-history.mcs.st-and.ac.uk/Biographies/Fermat.html
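An added example (my code, not from the original document) of Problem 39 in Python: the Euclidean iteration of (a)/(b) traced step by step, and the Fermat test of (c)/(d) including the base-2 pseudoprimes that show why the converse in (d) fails. Function names are my own.

```python
# Added example, not part of the original document: the Euclidean
# algorithm of Problem 39 (a)/(b) and the Fermat test of (c)/(d), including
# the base-2 pseudoprimes that are counterexamples to the converse in (d).


def euclid_steps(a: int, b: int) -> list:
    """All pairs (a, b) visited by gcd(a, b) = gcd(b, a mod b) until b == 0."""
    steps = [(a, b)]
    while b:
        a, b = b, a % b
        steps.append((a, b))
    return steps


def gcd(a: int, b: int) -> int:
    return euclid_steps(a, b)[-1][0]


def is_prime_by_trial_division(n: int) -> bool:
    """Exact reference test used to classify the Fermat test's verdicts."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def fermat_witness(n: int, a: int) -> bool:
    """True when a^(n-1) != 1 (mod n): then n is certainly composite
    (contraposition of Fermat's Little Theorem)."""
    return pow(a, n - 1, n) != 1


def passes_fermat(n: int, bases=(2, 3, 5, 7)) -> bool:
    """Probable-prime verdict: no base in `bases` is a witness.
    A False answer proves compositeness; True is only probable."""
    if n < 2:
        return False
    return not any(fermat_witness(n, a) for a in bases if a % n != 0)


def base2_pseudoprimes(limit: int) -> list:
    """Composite n < limit with n | 2^(n-1) - 1: counterexamples to the
    converse in Problem 39 (d)."""
    return [n for n in range(3, limit)
            if not is_prime_by_trial_division(n) and pow(2, n - 1, n) == 1]


if __name__ == "__main__":
    print("Euclid on (48, 18):", euclid_steps(48, 18))
    print("base-2 pseudoprimes below 2000:", base2_pseudoprimes(2000))
    print("341 passes base 2, fails base 3:",
          not fermat_witness(341, 2), fermat_witness(341, 3))
```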

• Fermat, Euler and More

Problem 40. The Euler⁶ function ϕ is defined by

$\varphi(n) = |\{ m \in \mathbb{N} : m < n,\ \gcd(m, n) = 1 \}|$

(a) If p is prime then $\varphi(p) = p - 1$.
(b) If p is prime then $\varphi(p^k) = p^k - p^{k-1} = (p - 1) p^{k-1}$.
(c) If r and s are relatively prime then $\varphi(r \cdot s) = \varphi(r) \cdot \varphi(s)$.
(d) The prime factor decomposition of n provides a simple computation of $\varphi(n)$. Especially, for primes p and q we have

$\varphi(p \cdot q) = \varphi(n) = n - (p + q) + 1 = (p - 1)(q - 1)$ for $n = p \cdot q$

(e) Theorem of Euler, EFT⁷:

$a^{\varphi(n)} \equiv 1 \pmod n$

for each $n \in \mathbb{N}$ and each a relatively prime to n.

⁶ Leonhard Euler (1707-1783) www-history.mcs.st-and.ac.uk/Biographies/Euler.html

⁷ Euler-Fermat-Theorem, 1736

• Chinese Stuff

Problem 41.

(a) Chinese Remainder Theorem: Let $m_1, m_2, \ldots, m_n \in \mathbb{N}$ be pairwise relatively prime. To find all solutions $x \in \mathbb{N}$ with

$x \equiv r_i \pmod{m_i}$ for $i = 1, \ldots, n$

determine $m = \prod_{i=1}^{n} m_i$ and $b_i = m / m_i$ as well as $x_i$ with

$x_i b_i \equiv 1 \pmod{m_i}$, hence $x_i$ as the (modulo $m_i$)-inverse of $b_i$ for $i = 1, \ldots, n$. Then:

$x \equiv \sum_{i=1}^{n} x_i b_i r_i \pmod m$

(b) If p and q are relatively prime, then

$x \equiv y \pmod p$ and $x \equiv y \pmod q \Rightarrow x \equiv y \pmod{pq}$

(c) The age of, say, party guests can be computed from the remainders when dividing the unknown age by 3, 5 and 7.
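An added example (my code, not from the original document): Euler's phi function computed from the prime factorisation as in Problem 40 (d), a numerical check of the theorem in 40 (e), and the Chinese Remainder Theorem of Problem 41 coded exactly in the steps stated there (m, b_i, x_i, then the sum), applied to the party-guest age question of 41 (c). Function names are my own.

```python
# Added example, not part of the original document: Euler's phi function
# of Problem 40 computed from the prime factorisation, the Euler-Fermat
# theorem checked numerically, and the Chinese Remainder Theorem of
# Problem 41 implemented as stated (m, b_i, x_i, then the weighted sum).
from math import gcd, prod


def factorize(n: int) -> dict:
    """Prime factorisation as {p: k} by trial division."""
    factors, f = {}, 2
    while f * f <= n:
        while n % f == 0:
            factors[f] = factors.get(f, 0) + 1
            n //= f
        f += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) = prod (p-1) p^(k-1) over the factorisation of n."""
    if n < 1:
        raise ValueError("n must be positive")
    return prod((p - 1) * p ** (k - 1) for p, k in factorize(n).items())


def phi_by_counting(n: int) -> int:
    """The definition |{m < n : gcd(m, n) = 1}|, for cross-checking phi()."""
    return sum(1 for m in range(1, n) if gcd(m, n) == 1)


def euler_theorem_holds(n: int) -> bool:
    """a^phi(n) = 1 (mod n) for every a coprime to n."""
    return all(pow(a, phi(n), n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def crt(residues: list, moduli: list) -> int:
    """Smallest x >= 0 with x = r_i (mod m_i) for pairwise coprime m_i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    m = prod(moduli)
    x = 0
    for r_i, m_i in zip(residues, moduli):
        b_i = m // m_i
        x_i = pow(b_i, -1, m_i)          # inverse of b_i modulo m_i
        x += x_i * b_i * r_i
    return x % m


def age_from_remainders(r3: int, r5: int, r7: int) -> int:
    """Problem 41 (c): the age (below 3*5*7 = 105) from its three remainders."""
    return crt([r3, r5, r7], [3, 5, 7])


if __name__ == "__main__":
    print("phi(15) =", phi(15), "= phi(3)*phi(5) =", phi(3) * phi(5))
    print("Euler's theorem holds for n = 15:", euler_theorem_holds(15))
    print("age with remainders 2, 3, 2 (mod 3, 5, 7):", age_from_remainders(2, 3, 2))
```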

• Galois Fields GF(p)

Problem 42. Usually arithmetic takes place in fields with infinitely many elements, like Q, R and C. However, in e.g. cryptography only fields with finitely many elements are relevant and hence needed. As a reminder, a field is a set F of elements with two operations, namely addition + and multiplication ·, so that (F, +) (with zero element 0) and (F*, ·) = (F \ {0}, ·) (with one element 1) are commutative groups and the usual law of distributivity holds:

(F, +) is a commutative group:
$\forall a, b \in F:\ a + b = b + a \in F$
$\exists 0 \in F\ \forall a \in F:\ a + 0 = 0 + a = a$
$\forall a \in F\ \exists -a \in F:\ a + (-a) = (-a) + a = 0$

(F*, ·) is a commutative group:
$\forall a, b \in F:\ a \cdot b = b \cdot a \in F$
$\exists 1 \in F^*\ \forall a \in F^*:\ a \cdot 1 = 1 \cdot a = a$
$\forall a \in F^*\ \exists a^{-1} \in F^*:\ a \cdot a^{-1} = a^{-1} \cdot a = 1$

Distributivity: $a \cdot (b + c) = a \cdot b + a \cdot c$

(a) How do addition and multiplication have to be defined in GF(2) = {0, 1}, the Galois⁸ field of order 2, i.e. with two elements?

(b) How are addition and multiplication to be defined in GF(3) = {0, 1, 2}, the Galois field of order 3?

(c) How are addition and multiplication to be defined in GF(5) = {0, 1, 2, 3, 4}, the Galois field of order 5?

(d) How can this approach be generalized to GF(p) = {0, 1, 2, ..., p − 1}, the Galois field of prime order p? Why is this approach doomed to failure for GF(pq) with primes p and q, i.e. for GF(m) with composite m?

⁸ Evariste Galois (1811-1832) www-history.mcs.st-andrews.ac.uk/Biographies/Galois.html

• Galois Fields GF(p^n)

Problem 43. Let p be prime and $n \in \mathbb{N}$. If GF(p^n) is defined to be a subset of P(n), the set of all polynomials of order n, i.e. of degree n − 1, with coefficients in GF(p), so called polynomials over GF(p), then two such polynomials over GF(p) are readily added as usual.

(a) What is then (GF(p^n), +)?

(b) What happens if two polynomials $r, s \in \mathrm{GF}(p^n)$ are multiplied as polynomials over GF(p)?

(c) Assume the product of two polynomials $r, s \in \mathrm{GF}(p^n)$ is defined as the remainder of the product of r and s as polynomials over GF(p), divided by some polynomial m. What does such a polynomial m have to look like, if each product so defined is to lie necessarily again in GF(p^n)?

(d) Which polynomials m(x) have to be excluded in order to guarantee that products of non-vanishing factors do not vanish?

(e) E.g., why is $m_1(x) = x^2 + 1$ a reducible and $m_2(x) = x^2 + x + 1$ an irreducible polynomial over GF(2)?

Problem 44.

(a) What do multiplication and computation of inverse elements in GF(2^2) with $m(x) = x^2 + x + 1$ look like?

(b) Let m(x) be an irreducible polynomial over GF(p) of degree n. Defining a multiplication by

$r \cdot s := \big( r(x) \cdot s(x) \big) \bmod m(x)$

for $r, s \in \mathrm{GF}(p^n)^*$, what then is (GF(p^n)*, ·)?

(c) How are inverse elements in GF(p^n) computed?
(d) How many irreducible polynomials over GF(p) are there of a given (small) degree?
(e) In constructing GF(p^n), what impact has the choice of the irreducible polynomial m(x) over GF(p) of degree n − 1?
(f) Which elements generate e.g. GF(2^2)* or GF(2^3)*?
(g) How can the cyclicity of GF(p^n)* be used to speed up the multiplication in GF(p^n)*?
(h) How can the cyclicity of GF(p^n)* be used to speed up the inversion in GF(p^n)*?
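An added example (my code, not from the original document): GF(2^n) arithmetic in Python with polynomials stored as bit strings (bit i is the coefficient of x^i), covering the irreducibility question of Problem 43 (e), multiplication and inverses of Problem 44 (a) and (c), the generators of 44 (f), and, via units_mod, why plain remainders modulo a composite m do not give a field (Problem 42 (d)). The inverse is computed through the cyclicity of GF(2^n)* as in 44 (h); function names are my own.

```python
# Added example, not part of the original document: arithmetic in GF(2^n)
# with polynomials as bit strings (bit i = coefficient of x^i), covering
# Problems 42 (d), 43 (e) and 44 (a), (c), (f), (h): irreducibility of the
# modulus, multiplication modulo m(x), inverses via the cyclic group GF(2^n)*,
# and why Z/mZ with composite m fails to be a field.
from math import gcd


def units_mod(m: int) -> list:
    """Residues with a multiplicative inverse modulo m: all of 1..m-1 only
    when m is prime, which is why GF(m) via plain remainders needs prime m."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def poly_degree(p: int) -> int:
    return p.bit_length() - 1


def poly_mod_gf2(a: int, b: int) -> int:
    """Remainder of a divided by b as polynomials over GF(2) (xor-based)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    while a and poly_degree(a) >= poly_degree(b):
        a ^= b << (poly_degree(a) - poly_degree(b))
    return a


def is_irreducible_gf2(m: int) -> bool:
    """m has no factor of degree 1 .. deg(m)/2 (trial division over GF(2))."""
    d = poly_degree(m)
    if d < 1:
        return False
    for k in range(1, d // 2 + 1):
        for q in range(1 << k, 1 << (k + 1)):   # every polynomial of degree k
            if poly_mod_gf2(m, q) == 0:
                return False
    return True


def gf2n_mul(a: int, b: int, m: int) -> int:
    """(a(x) * b(x)) mod m(x): carry-less product, then reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return poly_mod_gf2(product, m)


def gf2n_pow(a: int, e: int, m: int) -> int:
    result = 1
    while e:
        if e & 1:
            result = gf2n_mul(result, a, m)
        a = gf2n_mul(a, a, m)
        e >>= 1
    return result


def gf2n_inverse(a: int, m: int) -> int:
    """GF(2^n)* is cyclic of order 2^n - 1, so a^(2^n - 1) = 1 and the
    inverse of a is a^(2^n - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf2n_pow(a, (1 << poly_degree(m)) - 2, m)


def multiplication_table(m: int) -> list:
    n = poly_degree(m)
    return [[gf2n_mul(a, b, m) for b in range(1 << n)] for a in range(1 << n)]


def generators(m: int) -> list:
    """Elements of GF(2^n)* whose powers run through the whole group."""
    n = poly_degree(m)
    order = (1 << n) - 1
    found = []
    for g in range(1, 1 << n):
        seen, x = set(), 1
        for _ in range(order):
            x = gf2n_mul(x, g, m)
            seen.add(x)
        if len(seen) == order:
            found.append(g)
    return found


if __name__ == "__main__":
    M4 = 0b111          # x^2 + x + 1, the modulus of Problem 44 (a)
    print("x^2+1 irreducible?", is_irreducible_gf2(0b101),
          " x^2+x+1 irreducible?", is_irreducible_gf2(M4))
    for row in multiplication_table(M4):
        print(row)
    print("generators of GF(4)*:", generators(M4),
          " of GF(8)* with x^3+x+1:", generators(0b1011))
    print("units modulo 6:", units_mod(6), " modulo 7:", units_mod(7))
```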

5. Cryptography

• Caesar and Cohorts

Problem 45. Let the letters of the Latin alphabet be numbered from 0 to 25!

(a) Caesar⁹ encryption/decryption: Plain text $x_1 x_2 x_3 \ldots$ is letter-wise encrypted by key k per

$y = (x + k) \bmod 26$ to give the encrypted text $y_1 y_2 y_3 \ldots$

Encrypted text $y_1 y_2 y_3 \ldots$ is letter-wise decrypted by key k per

$x = (y - k) \bmod 26$ to give the plain text $x_1 x_2 x_3 \ldots$

There is an encrypted text wklvlvdwrsvhfuhwphvvdjh.

(b) How many keys are there? What degree of security is achieved?

⁹ Gaius Julius Caesar (100-44 BC)

• Caesar in General

Problem 46. Let the letters of the Latin alphabet be numbered from 0 to 25!

(a) Under which condition is y = (k x) mod m a useful encryption method?

(b) When encrypting per y = (k x) mod m and decrypting per x = (k_inv y) mod m, what k_inv has to be used?

(c) Combining both methods gives

encryption per y = (k1 x + k0) mod m and

decryption per x = (k'1 y + k'0) mod m using which k'1 and k'0?

(d) How many keys are there? What degree of security is achieved?


• Vigenere and Accomplices

Problem 47. Let the letters of the Latin alphabet be numbered from 0 to 25!

(a) Vigenère¹⁰ encryption/decryption: Plain text x1x2x3... is letter-wise encrypted to encrypted text y1y2y3... per

yi = (xi + k_(i mod l)) mod 26 using key k0k1...k(l−1),

encrypted text y1y2y3... is letter-wise decrypted to plain text x1x2x3... per

xi = (yi − k_(i mod l)) mod 26 using key k0k1...k(l−1).

dlgcmqkxmzwcmvcdqccwyqi is an encrypted message.

(b) How many keys are there? What degree of security is achieved?

¹⁰ Blaise de Vigenère (1523–1596) raphael.math.uic.edu/~jeremy/crypt/contrib/deepak.html
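The three ciphers of Problems 45 to 47 in Python, as an added example of my own (not from the book): the affine cipher y = (k1 x + k0) mod 26 with Caesar as the case k1 = 1, the decryption key (k'1, k'0) of 46(c), the Vigenère cipher of 47, and the key-space sizes behind the "degree of security" questions. That the Caesar text above decrypts under k = 3 and the Vigenère text under the key "key" is a finding of this code, not something stated on the page.

```python
"""Caesar, affine ('Caes ar in General') and Vigenère ciphers of Problems 45-47
(added example, not from the book). Letters a..z are numbered 0..25.
"""
from math import gcd

M = 26


def _num(c: str) -> int:
    return ord(c) - ord("a")


def _chr(n: int) -> str:
    return chr(n % M + ord("a"))


def affine_encrypt(plain: str, k1: int, k0: int) -> str:
    """y = (k1 x + k0) mod 26; Caesar is the special case k1 = 1 (Problems 45, 46(c))."""
    if gcd(k1, M) != 1:
        raise ValueError("k1 must be invertible mod 26, otherwise y is not decryptable")
    return "".join(_chr(k1 * _num(c) + k0) for c in plain)


def affine_decrypt_key(k1: int, k0: int) -> tuple:
    """Problem 46(c): x = k1' y + k0' with k1' = k1^-1 and k0' = -k1^-1 k0 (mod 26)."""
    k1_inv = next(i for i in range(M) if (k1 * i) % M == 1)   # k_inv of 46(b)
    return k1_inv, (-k1_inv * k0) % M


def affine_decrypt(cipher: str, k1: int, k0: int) -> str:
    k1p, k0p = affine_decrypt_key(k1, k0)
    return "".join(_chr(k1p * _num(c) + k0p) for c in cipher)


def caesar_decrypt(cipher: str, k: int) -> str:
    """x = (y - k) mod 26."""
    return affine_decrypt(cipher, 1, k)


def caesar_all_keys(cipher: str) -> dict:
    """Problem 45(b): the whole key space can be listed, so the cipher gives no security."""
    return {k: caesar_decrypt(cipher, k) for k in range(M)}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """y_i = (x_i + k_(i mod l)) mod 26 and x_i = (y_i - k_(i mod l)) mod 26 (Problem 47)."""
    sign = -1 if decrypt else 1
    return "".join(_chr(_num(c) + sign * _num(key[i % len(key)]))
                   for i, c in enumerate(text))


def key_space_sizes(vigenere_len: int) -> dict:
    """Number of keys: 26 (Caesar), phi(26)*26 (affine), 26^l (Vigenère of key length l)."""
    units = sum(1 for k in range(1, M) if gcd(k, M) == 1)   # phi(26) = 12
    return {"caesar": M, "affine": units * M, "vigenere": M ** vigenere_len}
```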


• Permutations

Problem 48. For Caesar and Vigenère encryption/decryption it is characteristic that, due to one (Caesar) or several (Vigenère) one-to-one functions f : A → A of the used alphabet A, each plain text letter is substituted by another ((monoalphabetic) substitution). Such functions f are also called permutations.

(a) The Latin alphabet A = {A, B, ..., Z} has 26 letters. How many permutations of A are there?

(b) Do permutations provide new encryption/decryption methods, essentially better than the Caesar or the Vigenère method?

(c) How feasible is encryption by just permuting the plain text letters?


• DES

Problem 49. The Data Encryption Standard, DES [28], is a block oriented, symmetric (identical keys for encryption and decryption) encryption/decryption method consisting of permutations and several substitutions, s.a. www.itl.nist.gov/fipspubs/fip46-2.htm

(a) The DES algorithm applies an initial permutation P, then several substitutions, and finally P_inv to each 64-bit block of the plain text. DES specifies P as follows

    P =
    58 50 42 34 26 18 10 2
    60 52 44 36 28 20 12 4
    62 54 46 38 30 22 14 6
    64 56 48 40 32 24 16 8
    57 49 41 33 25 17  9 1
    59 51 43 35 27 19 11 3
    61 53 45 37 29 21 13 5
    63 55 47 39 31 23 15 7

What is P_inv?

(b) Each of the other operations encrypts the left and right 32-bit halves of a 64-bit block (L, R) by a 32-bit key K per

f_K(L, R) = (R, L ⊕ K) where ⊕ denotes addition modulo 2.

f_K^inv(L, R) = ? In what respect are these operations substitutions?

(c) What type of encryption has been defined by L := P_inv ∘ f_K16 ∘ f_K15 ∘ ... ∘ f_K2 ∘ f_K1 ∘ P so far? With what consequences?

(d) The last element in DES is a confusion/diffusion¹¹ method which is implemented by the so called substitution boxes, S-Boxes: each 32-bit half block is extended to 48 bits by duplicating certain bits (depending on the round); a total of eight S-Boxes S1, ..., S8 encrypt 6-bit input to 4-bit output each, e.g. S5

    S5            middle four bits of input
    outer 2 bits  0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
    00            0010 1100 0100 0001 0111 1100 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
    01            1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1100 0011 1001 1000 0110
    10            0100 0010 0001 1011 1100 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
    11            1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1100 0100 0101 0011

s.a. www.itl.nist.gov/fipspubs/fip46-2.htm or e.g. also www.kuno-kohn.de/crypto/crypto/des.htm for all eight DES S-boxes. How big are the look-up tables for the eight S-boxes all together? How big would the look-up table for the 32-bit substitution implemented by the S-boxes be? How to invert an S-box?

¹¹ Claude E. Shannon (1916–2001) www-history.mcs.st-andrews.ac.uk/Biographies/Shannon.html
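The pieces of Problem 49 in Python, as an added example of my own (not from the book). IP is the table printed above; S5 carries the values of FIPS 46-3, in which each row is a permutation of 0..15 (the binary rendering above prints 1100 in the four positions where the standard has 1010). The code computes P_inv, inverts f_K, looks up S5 the way DES selects row and column, lists the preimages of an S-box output and computes the table sizes asked in (d).

```python
"""DES building blocks of Problem 49 (added example, not from the book):
the initial permutation P and its inverse, the step f_K and its inverse, and
one S-box (S5) with the look-up-table sizes asked in (d).
"""

# Initial permutation as printed in Problem 49(a): output bit i (1 = most
# significant) is input bit IP[i-1].
IP = [58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,   59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7]

# S5 with the values of FIPS 46-3 (every row is a permutation of 0..15; the
# binary table on the page shows 1100 where the standard has 1010).
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]


def inverse_permutation(p: list) -> list:
    """P_inv[j-1] = i  <=>  P[i-1] = j: the position input bit j is moved to."""
    inv = [0] * len(p)
    for out_pos, in_pos in enumerate(p, start=1):
        inv[in_pos - 1] = out_pos
    return inv


def permute(block: int, p: list, width: int = 64) -> int:
    """Apply a bit-permutation table to a `width`-bit integer (bit 1 = MSB)."""
    out = 0
    for out_pos, in_pos in enumerate(p, start=1):
        bit = (block >> (width - in_pos)) & 1
        out |= bit << (width - out_pos)
    return out


def feistel(L: int, R: int, K: int) -> tuple:
    """f_K(L, R) = (R, L xor K) of Problem 49(b)."""
    return R, L ^ K


def feistel_inv(L2: int, R2: int, K: int) -> tuple:
    """f_K^-1: the new left half was the old right half, so L = R2 xor K, R = L2."""
    return R2 ^ K, L2


def sbox(table: list, x6: int) -> int:
    """6-bit input b1..b6: the outer bits b1 b6 select the row, b2..b5 the column."""
    row = ((x6 >> 5) & 1) << 1 | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return table[row][col]


def preimages(table: list, y4: int) -> list:
    """All 6-bit inputs mapping to y4: an S-box is 4-to-1, hence not invertible."""
    return [x for x in range(64) if sbox(table, x) == y4]


def table_sizes() -> dict:
    """Problem 49(d): eight 64-entry S-boxes of 4-bit values vs. one 32-bit table."""
    sbox_bits = 8 * 64 * 4
    full_bits = (1 << 32) * 32
    return {"sboxes_bytes": sbox_bits // 8, "full_32bit_bytes": full_bits // 8}
```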


Problem 50. Since its publication, the security of the Data Encryption Standard, DES, was disputed, cp. e.g. http://en.wikipedia.org/wiki/Data_Encryption_Standard. In the mid 1990s, the insecurity of DES was demonstrated. This spurred improvements, especially for applications with high security requirements.

(a) What is the effective DES key length? What is the DES key space?

(b) Triple DES, TDES, or Triple Data Encryption Algorithm, TDEA, consists in applying DES three times with three keys

TDES_{K3,K2,K1}(x) = DES_{K3}(DES_inv_{K2}(DES_{K1}(x)))

What condition guarantees that several DES encryptions (like TDEA) offer substantially higher security?

(c) What is the effective TDEA key length? What is the TDES key space?

(d) When and by what have DES resp. TDEA been superseded?


• Public Keys?

Problem 51. Symmetric encryption/decryption methods require that the key (identical for encryption and decryption) can be exchanged between sender and receiver via a secure channel – a contradiction per se!

Asymmetric encryption/decryption methods working with pairs of a private, i.e. secret, and a public key, so called public key encryption methods¹², do offer a solution.

(a) For each partner A, B, C, ... there is a public key and hence a public encryption method f_A, f_B, f_C, .... Each partner keeps her/his private key A^−1, B^−1, C^−1, ... and hence her/his private decryption method f_A^−1, f_B^−1, f_C^−1, ... top secret.

Now, Bob can tell Alice say x by sending her the encrypted message f_A(x). Only Alice can decrypt this message by f_A^−1 to get x = f_A^−1(f_A(x)). What is the basis of the security of such public key methods?

¹² Whitfield Diffie, Martin Hellman: New Directions in Cryptography; IEEE Trans. Inform. Theory, IT-22, 6, Nov 1976, pp. 644–654


• RSA

Problem 52. The RSA¹³ method is a public key encryption/decryption method. It works as follows:

Let p and q be big prime numbers and n = p·q, i.e. ϕ(n) = (p−1)(q−1). A message x is encrypted by

y = x^e mod n with public key e, so that gcd(e, ϕ(n)) = 1.

A message y is decrypted by

x = y^d mod n with private key d, so that e d = 1 mod ϕ(n).

(a) Show: f_e : x → x^e mod n is a trapdoor function.

(b) The security of the RSA method, on what basis does it rest?

(c) f_e^−1, i.e. f_d, can be used to generate a digital signature. If Alice signs her message digitally, then Bob is assured that a message y he received truly originated from Alice. How to cut cost?

¹³ R. Rivest, A. Shamir, L. Adleman: A method for obtaining digital signatures and public key cryptosystems; Communications ACM, 21 (1978), 120–126
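Problem 52 carried out in Python, as an added example of my own (not from the book): key set-up from p, q and e, the trapdoor pair f_e / f_d, signing with f_d and the cost-cutting variant that signs a fixed-size SHA-256 digest of the message instead of the message itself. The primes 61 and 53 and e = 17 are toy values chosen here so that everything fits in a few lines; real keys use primes of hundreds of digits.

```python
"""Toy RSA of Problem 52 (added example, not from the book): key set-up,
trapdoor encryption, signing with f_d and the 'cut cost' variant of signing a
short hash instead of the whole message. Primes are tiny for illustration only.
"""
from hashlib import sha256
from math import gcd


def keygen(p: int, q: int, e: int) -> tuple:
    """n = p q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n); requires gcd(e, phi(n)) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = next(x for x in range(1, phi) if (e * x) % phi == 1)   # e d = 1 mod phi(n)
    return (n, e), (n, d)


def encrypt(x: int, public: tuple) -> int:
    """f_e(x) = x^e mod n: easy for everybody who knows the public key."""
    n, e = public
    return pow(x, e, n)


def decrypt(y: int, private: tuple) -> int:
    """f_d(y) = y^d mod n: easy only with the trapdoor d, i.e. with phi(n)."""
    n, d = private
    return pow(y, d, n)


def sign(x: int, private: tuple) -> int:
    """Problem 52(c): Alice applies f_d = f_e^-1 to the message."""
    return decrypt(x, private)


def verify(x: int, s: int, public: tuple) -> bool:
    """Bob checks f_e(s) = x, which holds only if s was produced with d."""
    return encrypt(s, public) == x


def digest_mod_n(message: bytes, n: int) -> int:
    """Cheaper: one modular exponentiation over a hash instead of one per message block."""
    return int.from_bytes(sha256(message).digest(), "big") % n


def sign_message(message: bytes, private: tuple) -> int:
    return sign(digest_mod_n(message, private[0]), private)


def verify_message(message: bytes, s: int, public: tuple) -> bool:
    return verify(digest_mod_n(message, public[0]), s, public)
```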


• AES

Problem 53. Established in 2000, the Advanced Encryption Standard, AES, is DES's successor standard. To avoid all suspicion of conspiracy of the standardizing body (NIST) with the developers of the standard (IBM in the case of DES), this standard is the result of a public competition. AES represents a special case of the Rijndael cipher [26].

(a) What type of cipher is AES?

(b) What are the characteristic parameters of AES?

(c) What does a round of AES consist of?

A. Hofmeier, AES – Eine Einfuhrung in Kryptographie 10

continued to the right and started again at the top.

[Figure: byte numbering of a 128-bit block (16 bytes, numbered 0 to 15) and of a 256-bit block (32 bytes, numbered 0 to 31)]

In the following graphical representation a block size of 128 bits is assumed. The blocks could, however, be extended in four-byte steps (32 bits) up to 256 bits. The same holds for the key. Data block size and key block size are completely independent of each other. The AES standard, however, provides only for data block sizes of 128 bits and key block lengths of 128, 192 and 256 bits. This does not change the fact that the Rijndael algorithm can do more, which however need not necessarily be implemented when AES is referred to.

The graphical representation illustrates the flow of the data:

[Figure: data flow through Round() and FinalRound(), each built from SubBytes(), ShiftRows(), MixColumns() and AddRoundKey(), with round keys k(0), k(1...), k(n)]

Adapted from Daemen and Rijmen (2002).

3.3.1 Number of Rounds

As seen above, the function Round() is executed N times, where N depends on the key and data block sizes. The following table compares the length of the key with the length of the data block and gives a number of rounds for each combination. All cases shown in bold are


Problem 54. Now, the functions of a round are to be examined separately. Identifiers are used as in csrc.nist.gov/publications/fips/fips197/fips-197.pdf

(a) SubBytes(): How is this substitution specified? How is it implemented by an S-box? How is the substitution inverted?

(b) ShiftRows(): How is the permutation of the rows of a block implemented when a block is represented as a 4 × 4-byte matrix? How is this transformation inverted?

(c) MixColumns(): How are the columns of a block transformed when a block is represented as a 4 × 4-byte matrix? How is this transformation inverted?

(d) AddRoundKey(): How are the columns of a block XORed by parts of the expanded key? Why is this transformation its own inverse?
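The four round functions of Problem 54 and their inverses in Python, as an added example of my own (not from the book or FIPS 197): the S-box is built from the GF(2^8) inverse and the affine map rather than copied as a table, ShiftRows rotates row r by r, MixColumns multiplies each column by the fixed matrix (and INV_MIX undoes it), and AddRoundKey is a plain XOR. The state is the 4 × 4-byte matrix of FIPS 197 with state[r][c] the byte in row r, column c.

```python
"""The four round functions of Problem 54 (added example, not from the book),
on the 4x4-byte state of FIPS 197: state[r][c] is the byte in row r, column c.
Bytes are elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B).
"""


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8): shift, then reduce by 0x11B if bit 8 was set."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    """Product in GF(2^8) by repeated doubling (xtime) and adding (XOR)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox() -> list:
    """SubBytes, Problem 54(a): multiplicative inverse in GF(2^8) followed by the
    affine map s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    sbox = []
    for a in range(256):
        inv = next(b for b in range(256) if gf_mul(a, b) == 1) if a else 0
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]   # inversion = the reversed table


def sub_bytes(state, table=SBOX):
    return [[table[b] for b in row] for row in state]


def shift_rows(state, inverse=False):
    """Problem 54(b): row r is rotated left by r bytes; rotate right to invert."""
    return [row[(-r if inverse else r):] + row[:(-r if inverse else r)]
            for r, row in enumerate(state)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_columns(state, matrix=MIX):
    """Problem 54(c): each column is multiplied by a fixed 4x4 matrix over GF(2^8);
    the matrix INV_MIX is its inverse."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(matrix[r][k], state[k][c])
            out[r][c] = acc
    return out


def add_round_key(state, round_key):
    """Problem 54(d): XOR with the round key; XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]
```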


• Elliptic Curves over R

Problem 55. To introduce Elliptic Curve Cryptography, ECC, it is reasonable to consider so called elliptic curves y^2 = x^3 + ax + b over R, i.e. curves in R^2 with real coefficients a, b ∈ R, first.

(a) Which geometric features do elliptic curves E = E(R) = Ea,b(R) over R exhibit? What happens for x → +∞?

(b) What are the zeroes of the radicand x^3 + ax + b of an elliptic curve E = E(R) = Ea,b(R) over R?

(c) What condition guarantees that the radicand of an elliptic curve E = E(R) = Ea,b(R) over R has no multiple zeroes?

(d) Given any non-vertical, non-tangent line intersecting an elliptic curve E = E(R) = Ea,b(R) over R at least twice. Why does the line then intersect the curve E thrice?

(e) Given P = (xP, yP) and Q = (xQ, yQ) with xP ≠ xQ on an elliptic curve E = Ea,b(R) over R. Under the above condition, what are the coordinates of the third intersection point R = (xR, yR) on E and on the line through P and Q?


Problem 56. One specifies an addition of points P and Q on an elliptic curve E = Ea,b(R) over R by defining R := P + Q to be the third intersection point of the line through P and Q with E, mirrored at the x-axis.

[Figure: elliptic curve with a = −3, b = 5 in the x-y plane, showing the points P and Q, the third intersection point −R of the line through them with the curve, and its mirror image R]

(a) How is P + P to be defined consistently?

(b) How can P + Q for xP = xQ and yP ≠ yQ be defined consistently?

(c) What does this mean for P + Q with P = (xP, yP) and Q = (xP, −yP), and for the solvability of P + Q = R in Q for given P, R ∈ E?

(d) Which structure on E = Ea,b(R) is provided by this addition?


• Elliptic Curves over GF(p)

Problem 57. Elliptic curves E = Ea,b(R) over R are unfit for cryptographic purposes. Instead one uses elliptic curves E = Ea,b(F) over some finite field F, e.g. F = GF(p) for prime p.

(a) How is P + Q to be defined on E = Ea,b(GF(p))?

• Elliptic Curves over GF(2^m)

Problem 58. Using F = GF(2^m), another type of finite field, allows to define groups on elliptic curves E = Ea,b(GF(2^m)) over GF(2^m), namely

y^2 + xy = x^3 + ax + b for a, b ∈ GF(2^m)

(a) Why can y^2 = x^3 + ax + b no longer be used?

(b) How is P + Q to be defined on E = Ea,b(GF(2^m))?


• Elliptic Curve Cryptography, ECC

Problem 59. Elliptic Curve Cryptography, ECC, is based on exploiting the group structure of a public elliptic curve E = Ea,b(F) over some finite field F together with some suitable generator point G ∈ E. Each participant owns a secret and public key pair (r, Q) ∈ N × E with random number 1 < r < card(<G>) and Q = rG.

(a) What type of cipher is ECC, suitable for what applications?

(b) How can an ECC based El-Gamal encryption/decryption be implemented?

(c) How can an ECC based Diffie-Hellman key exchange, ECDH, be implemented?

(d) How can an ECC based Digital Signature Algorithm, ECDSA, be implemented?
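The group law of Problems 56 and 57 over GF(p) and the ECDH exchange of Problem 59(c) in Python, as an added example of my own (not from the book). Points are (x, y) tuples, the point at infinity is None, and the curve y^2 = x^3 + 2x + 2 over GF(17) with G = (5, 1) is a toy curve assumed here for illustration (its generator G has order 19); the class and function names are my own.

```python
"""Elliptic-curve group law and ECDH of Problems 56, 57 and 59 over GF(p)
(added example, not from the book). Points are (x, y) tuples, the point at
infinity is None. The toy curve y^2 = x^3 + 2x + 2 over GF(17), G = (5, 1),
is a constructed example; card(<G>) = 19.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    a: int
    b: int
    p: int

    def contains(self, P) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def is_nonsingular(self) -> bool:
        """Problem 55(c): no multiple zeroes of the radicand iff 4a^3 + 27b^2 != 0."""
        return (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def neg(self, P):
        """Problem 56(c): -P is the mirror image of P at the x-axis."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition of Problem 57(a), all cases of Problem 56 included."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2), p = P, Q, self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                       # P + (-P) = O, covers 2P with y = 0
        if P == Q:                            # tangent slope, Problem 56(a)
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, p - 2, p) % p
        else:                                 # chord slope, Problem 55(e)
            lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p       # third intersection point, mirrored
        return x3, y3

    def mul(self, k: int, P):
        """Scalar multiple kP by double-and-add; Q = rG is the public key of Problem 59."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order_of(self, P) -> int:
        """card(<P>): the smallest n >= 1 with nP = O (brute force, tiny curves only)."""
        n, Q = 1, P
        while Q is not None:
            Q = self.add(Q, P)
            n += 1
        return n


def ecdh_shared(curve: Curve, G, r_alice: int, r_bob: int):
    """Problem 59(c): both sides compute r_A (r_B G) = r_B (r_A G) = (r_A r_B) G
    from their own secret and the other side's public point only."""
    Q_alice, Q_bob = curve.mul(r_alice, G), curve.mul(r_bob, G)
    s_alice = curve.mul(r_alice, Q_bob)
    s_bob = curve.mul(r_bob, Q_alice)
    assert s_alice == s_bob
    return s_alice
```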


6. Compression

• Exploiting Relative Frequencies

Problem 60. If the (relative) frequencies of the symbols in a text are known a priori, then one can design a code so that the most frequent symbols are assigned the shortest codes. Let us call such codings monotonous. To save the insertion of a special character to separate codes, it is necessary that no code can be confused with the beginning of another code: the coding has to be prefix-free or comma-free.

(a) Given an alphabet s1, s2, ..., sn with frequency fi of symbol si, where f1 > f2 > ... > fn for i = 1, ..., n. Assume ci = code(si) = 0 1^(i−1) ∈ {0, 1}^i. What about this code?

(b) How to represent prefix-free codings by graphs?

(c) Construct a monotonous prefix-free coding.
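Problem 60 in Python, as an added example of my own (not from the book): a prefix-freeness check, the code c_i = 0 1^(i−1) of (a), the binary tree of (b) built as a nested dictionary, and Huffman's construction for (c), which merges the two least frequent subtrees until one tree remains. The frequency table in the test is constructed.

```python
"""Prefix-free (comma-free) codes of Problem 60 (added example, not from the book):
a prefix check, the code c_i = 0 1^(i-1) of (a), the code tree of (b) and
Huffman's construction of a monotonous prefix-free code for (c).
"""
import heapq
from itertools import count


def is_prefix_free(codes: dict) -> bool:
    """No code word may be the beginning of another one."""
    words = list(codes.values())
    return not any(u != v and v.startswith(u) for u in words for v in words)


def code_of_problem_60a(n: int) -> dict:
    """c_i = 0 followed by i-1 ones, for symbols s1 .. sn."""
    return {f"s{i}": "0" + "1" * (i - 1) for i in range(1, n + 1)}


def code_tree(codes: dict) -> dict:
    """Problem 60(b): a prefix-free code is a binary tree whose leaves are the symbols;
    each bit chooses the child, so no symbol sits on the path to another one."""
    root = {}
    for sym, word in codes.items():
        node = root
        for bit in word:
            node = node.setdefault(bit, {})
        node["leaf"] = sym
    return root


def huffman(freq: dict) -> dict:
    """Problem 60(c): repeatedly merge the two least frequent subtrees, prefixing
    the code words of the left one with 0 and of the right one with 1."""
    tiebreak = count()                     # keeps heap comparisons off the dicts
    heap = [(f, next(tiebreak), {s: ""}) for s, f in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        f0, _, left = heapq.heappop(heap)
        f1, _, right = heapq.heappop(heap)
        merged = {s: "0" + w for s, w in left.items()}
        merged.update({s: "1" + w for s, w in right.items()})
        heapq.heappush(heap, (f0 + f1, next(tiebreak), merged))
    return heap[0][2]


def is_monotonous(codes: dict, freq: dict) -> bool:
    """More frequent symbols never get longer code words."""
    syms = sorted(freq, key=freq.get, reverse=True)
    return all(len(codes[a]) <= len(codes[b]) for a, b in zip(syms, syms[1:]))


def mean_length(codes: dict, freq: dict) -> float:
    """Average code length in bits per symbol under the given frequencies."""
    total = sum(freq.values())
    return sum(freq[s] * len(codes[s]) for s in freq) / total
```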

Section 6: Compression 61

• Using Dictionaries

Problem 61. The idea of LZW¹⁴ is to let sender and receiver set up and maintain a dictionary for characters and combinations of characters to be sent and received.

(a) Both in compression and decompression, first the dictionary is initialized with the letters of the alphabet together with their codes. Then, plain text resp. compressed text is read character by character. In compression, the text is read character by character; PATTERN is the longest string in the dictionary which coincides with the recently read input characters. In decompression the codes are read. At the same time, the dictionary is accordingly extended.

¹⁴ Jacob Ziv and Abraham Lempel: A Universal Algorithm for Sequential Data Compression; IEEE Transactions on Information Theory, May 1977. Terry Welch: "A Technique for High-Performance Data Compression"; Computer, June 1984


Compression:
    PATTERN = get input character
    WHILE there are still input characters DO
        CHARACTER = get input character
        IF PATTERN+CHARACTER is in dictionary
            PATTERN = PATTERN+CHARACTER
        ELSE
            output the code for PATTERN
            add PATTERN+CHARACTER to dictionary
            PATTERN = CHARACTER
    output the code for PATTERN

Decompression:
    Read oldCODE; output dict[oldCODE]
    WHILE there are still input characters DO
        Read newCODE
        PATTERN = dict[newCODE]
        output PATTERN
        CHARACTER = first character in PATTERN
        add dict[oldCODE]+CHARACTER to dictionary
        oldCODE = newCODE


(b) There is a flaw in the algorithm presented above:
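The pseudocode of Problem 61 in Python, as an added example of my own (not from the book): the compressor, the decompressor exactly as written above, and a repaired decompressor. The naive version reads dict[newCODE] before that entry exists whenever the compressor emitted a code it had added in the same step, which happens e.g. for the input "aaaa" over the alphabet "ab"; in that case the missing entry can only be dict[oldCODE] followed by its own first character. The inputs in the test are constructed.

```python
"""LZW of Problem 61 (added example, not from the book): the compressor and
decompressor of the pseudocode above, plus the repaired decompressor. The naive
version fails whenever it reads a code that the compressor added to its
dictionary while emitting that very code.
"""


def lzw_compress(text: str, alphabet: str) -> list:
    """The compression pseudocode: PATTERN grows while it stays in the dictionary."""
    dictionary = {c: i for i, c in enumerate(alphabet)}
    pattern, codes = text[0], []
    for character in text[1:]:
        if pattern + character in dictionary:
            pattern += character
        else:
            codes.append(dictionary[pattern])
            dictionary[pattern + character] = len(dictionary)
            pattern = character
    codes.append(dictionary[pattern])
    return codes


def lzw_decompress_naive(codes: list, alphabet: str) -> str:
    """Exactly the decompression pseudocode: dict[newCODE] is assumed to exist."""
    dictionary = {i: c for i, c in enumerate(alphabet)}
    old = codes[0]
    out = [dictionary[old]]
    for new in codes[1:]:
        pattern = dictionary[new]               # KeyError in the flawed case
        out.append(pattern)
        dictionary[len(dictionary)] = dictionary[old] + pattern[0]
        old = new
    return "".join(out)


def lzw_decompress(codes: list, alphabet: str) -> str:
    """Repaired: a code that is exactly one beyond the dictionary can only stand for
    dict[oldCODE] + first character of dict[oldCODE]; anything further is corrupt input."""
    dictionary = {i: c for i, c in enumerate(alphabet)}
    old = codes[0]
    out = [dictionary[old]]
    for new in codes[1:]:
        if new in dictionary:
            pattern = dictionary[new]
        elif new == len(dictionary):
            pattern = dictionary[old] + dictionary[old][0]
        else:
            raise ValueError(f"corrupt stream: code {new} out of range")
        out.append(pattern)
        dictionary[len(dictionary)] = dictionary[old] + pattern[0]
        old = new
    return "".join(out)


def naive_fails(codes: list, alphabet: str) -> bool:
    """True if the pseudocode decompressor cannot process this code stream."""
    try:
        lzw_decompress_naive(codes, alphabet)
        return False
    except KeyError:
        return True
```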


7. Probability & Intuition

• Cards & Goats

Problem 62.

(a) In an urn there are three cards: one is red on both sides, one is blue on both sides, and the third one is red on one side and blue on the other. What is the probability P that a card drawn at random from the urn is red on the top side and blue on the bottom side?

(b) In a contest there are three doors behind which two goats and a car are hidden (the quizmaster knows where). The candidate chooses a door. Then the quizmaster reveals a goat behind another door. Does the candidate improve the chances to win the car by revising her/his initial choice?

Section 7: Probability & Intuition 65

• Algorithms to Generate Chance?

Random numbers play an important role in simulation, (zero knowledge) authentication etc. Hence, high level programming languages usually offer library functions like ran, random or randomize to algorithmically, and hence deterministically, generate so called pseudo-random numbers.

Problem 63.

(a) What are characteristics of random numbers besides being seemingly random (whatever this might be)? How to generate random numbers with such given characteristics from random numbers of some standard?

(b) How to generate standard random numbers fast, i.e. by little computational effort?

(c) x_{n+1} = (a x_n + c) mod m, with x_0 = 1, is periodic. Why? And with which maximal/minimal period length?


• What is Randomness?

Criteria for the quality of pseudo random number generators have to be established, especially for generators of evenly distributed, continuous pseudo random numbers in the unit interval. These criteria are to be assessed in tests. But randomness has no definition, no specification. Therefore, there can be tests only for certain features of randomness.

Problem 64.

(a) How to test whether the co-domain is evenly covered?

(b) How to test randomness of pseudo random numbers by measuring the information content of each generated digit?

(c) How to test randomness of pseudo random numbers by measuring their compressibility?

(d) How to test randomness of pseudo random numbers by measuring the mutual (in)dependence of their digits?
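The generator of Problem 63(c) and the four tests of Problem 64 in Python, as an added example of my own (not from the book): a linear congruential generator, the length of its period found by brute force, the Hull-Dobell conditions for the maximal period m, and then coverage (chi-square over bins), information content (Shannon entropy per decimal digit), compressibility (zlib ratio) and serial correlation of consecutive values. The parameter sets in the test are constructed: (5, 3, 16) has full period 16, (3, 3, 16) does not, and the third set is a common 31-bit choice used here only as a "good" reference.

```python
"""Linear congruential generator of Problem 63(c) and the four quality tests of
Problem 64 (added example, not from the book). Parameters are small constructed
values so that periods can be found by brute force.
"""
import math
import zlib
from collections import Counter


def lcg(a: int, c: int, m: int, x0: int = 1):
    """x_{n+1} = (a x_n + c) mod m; only m states exist, so the sequence must cycle."""
    x = x0
    while True:
        yield x
        x = (a * x + c) % m


def period(a: int, c: int, m: int, x0: int = 1) -> int:
    """Length of the cycle reached from x0 (at most m, Problem 63(c))."""
    seen = {}
    for i, x in enumerate(lcg(a, c, m, x0)):
        if x in seen:
            return i - seen[x]
        seen[x] = i


def hull_dobell(a: int, c: int, m: int) -> bool:
    """Period exactly m iff gcd(c, m) = 1, every prime factor of m divides a-1,
    and 4 | m implies 4 | a-1 (Hull-Dobell theorem)."""
    if math.gcd(c, m) != 1:
        return False
    q, n = 2, m
    while n > 1:
        if n % q == 0:
            if (a - 1) % q:
                return False
            while n % q == 0:
                n //= q
        q += 1
    return m % 4 != 0 or (a - 1) % 4 == 0


def take(a: int, c: int, m: int, count: int, x0: int = 1) -> list:
    gen = lcg(a, c, m, x0)
    return [next(gen) for _ in range(count)]


def chi_square_uniform(samples: list, m: int, bins: int = 10) -> float:
    """64(a): coverage of the co-domain; chi-square with bins-1 degrees of freedom."""
    counts = Counter(x * bins // m for x in samples)
    expected = len(samples) / bins
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(bins))


def digit_entropy(samples: list) -> float:
    """64(b): Shannon entropy per decimal digit, at most log2(10) = 3.32 bits."""
    digits = "".join(str(x) for x in samples)
    counts = Counter(digits)
    return -sum(n / len(digits) * math.log2(n / len(digits)) for n in counts.values())


def compression_ratio(samples: list) -> float:
    """64(c): random digits hardly compress; a short period gives a ratio near 0."""
    raw = "".join(str(x) for x in samples).encode()
    return len(zlib.compress(raw, 9)) / len(raw)


def serial_correlation(samples: list) -> float:
    """64(d): correlation between consecutive values, near 0 if they are independent."""
    x, y = samples[:-1], samples[1:]
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y))
    vx = math.sqrt(sum((p - mx) ** 2 for p in x))
    vy = math.sqrt(sum((q - my) ** 2 for q in y))
    return cov / (vx * vy) if vx and vy else 0.0
```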


8. Sources and Links

Some references on Recreational Mathematics

[1] About.com: Recreational Mathematics; http://math.about.com/od/recreationalmath

[2] Bild der Wissenschaft; www.wissenschaft.de, s. Spiele-Archiv

[3] Chlond, Martin: Integer Programming in Recreational Mathematics; www.chlond.demon.co.uk/academic/puzzles.html

[4] Canadian Mathematical Society; www.math.ca/Recreation

[5] Dutch, Steven: Recreational Mathematics; www.uwgb.edu/dutchs/RECMATH/recmath.htm

[6] Eppstein, David: Math Fun; www.ics.uci.edu/~eppstein/recmath.html

[7] Flannery, Sarah: In Code – A Mathematical Journey; Profile Books, 2000, ISBN 1-86197-222-9

Section 8: Sources and Links 68

[8] Gardner, Martin: Mathematical recreations and many more titles; s. book list, e.g. http://thinks.com/books/gardner.htm

[9] Gilleland, Michael: Recreational Mathematics Links; www.weblearn.hs-bremen.de/risse/MAI/docs/MichaelGilleland.html

[10] Google Directory - Science > Math > Recreations; www.google.com/Top/Science/Math/Recreations

[11] Herold, Helmut, Lurz, Bruno, Wohlrab, Jürgen: Grundlagen der Informatik; Pearson 2012

[12] Journal of Recreational Mathematics, Editors: Charles Ashbacher and Lamarr Widmer; www.baywood.com/journals/PreviewJournals.asp?Id=0022-412x

[13] Mathematical Association of America, MAA: Recreational Mathematics; www.maa.org/BLL/recmath.htm

[14] Mathematikwettbewerb Känguru e.V.; www.mathe-kaenguru.de

s.a. www.weblearn.hs-bremen.de/risse/MAI/docs/


[15] Michon, Gerard P.: Recreational Mathematics; www.numericana.com/answer/recreational.htm

[16] New Scientist: Physics & Math; www.newscientist.com/section/physics-math

[17] O'Connor, J.J., Robertson, E.F.: Mathematical games and recreations; www-groups.dcs.st-andrews.ac.uk/~history/HistTopics/Mathematical_games.html

[18] Open Directory Project; dmoz.org/Science/Math/Recreations/

[19] Problem of the Week, s. e.g. www.google.com

[20] Scientific American; www.sciam.com, s. puzzling adventures in single issues

[21] Singmaster, David: The Unreasonable Utility of Recreational Mathematics; anduin.eldar.org/~problemi/singmast/ecmutil.html

[22] Eugene Strens Recreational Mathematics Collection Database; www.ucalgary.ca/lib-old/sfgate/strens


[23] Wilkinson, David: Recreational Mathematics Links; www.scit.wlv.ac.uk/~cm1985/RecMaths.html

[24] Wolfram MathWorld: Recreational Mathematics; mathworld.wolfram.com/topics/RecreationalMathematics.html

Some references on Number Theory

[25] Forster, Otto: Algorithmische Zahlentheorie; Vieweg 1996

Some references on Cryptography

[26] Federal Information Processing Standards, FIPS: Advanced Encryption Standard (AES); Publication 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf; Advanced Encryption Standard Algorithm Validation List, http://csrc.nist.gov/cryptval/aes/aesval.html

[27] Daemen, Joan, Rijmen, Vincent: The Design of Rijndael – AES, The Advanced Encryption Standard; Springer 2002


[28] Federal Information Processing Standards, FIPS: Data Encryption Standard (DES); Publication 46-3, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

[29] Federal Information Processing Standards, FIPS: Digital Signature Standard (DSS) – DSA, RSA, and ECDSA algorithms; Publication 186-2, http://csrc.nist.gov/cryptval/dss.htm

[30] Hankerson, Darrel, Menezes, Alfred, Vanstone, Scott: Guide to Elliptic Curve Cryptography; Springer 2004

[31] Oswald, Elisabeth: Introduction to Elliptic Curve Cryptography; www.iaik.tugraz.at/aboutus/people/oswald/papers/Introduction_to_ECC.pdf

[32] Standards for Efficient Cryptography Group, SECG: SEC1 – Elliptic Curve Cryptography; www.secg.org/collateral/sec1_final.pdf

[33] Wagner, Neal R.: The Laws of Cryptography; www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf


Some references on Coding Theory and Compression

[34] Dankmeier, Wilfried: Codierung; Vieweg 2001

[35] Nelson, Marc, Gailly, Jean-loup: The Data Compression Book; 2nd edition, M&T Books, New York, NY 1995

Some references on Probability

[36] Bronstein, I.N. & Semendjajew, K.A. et al.: (Teubner-)Taschenbuch der Mathematik; Teubner 2003

Of course, any feedback, criticism, inventive problems and solutions are most welcome.

Prof. Dr. Th. Risse, ZIMT 244, 0049 (0)421 5905-5489, www.weblearn.hs-bremen.de/risse, mailto: [email protected]


Solutions to Problems

Problem 1(a)

4 = (5 − 3) + (5 − 3) □

Solutions to Problems 74

Problem 1(b)

1 = 3 + 3 − 5 □

Problem 1(c)

For example, 5 = 9 − 4, 3 = 4 + 4 + 4 − 9, ... □

Problem 1(d)

There is no solution. □

Problem 2(a)

This is the height he achieves each day:

At the 1st day he reaches 300m, in the 1st night back to 100m
at the 2nd day he reaches 400m, in the 2nd night back to 200m
at the 3rd day he reaches 500m, in the 3rd night back to 300m
...
at the 27th day he reaches 2900m, in the 3rd night back to 2700m
at the 28th day he reaches 3000m □

Problem 2(b)

A needed tA time units, TU, for the 100m. Hence his speed is vA = 100/tA.

B needed tB TU for the 100m. Hence his speed is vB = 100/tB = 90/tA. Therefore tA/tB = 0.9.

The speed of C is vC = 90/tB = x/tA. Therefore x = 90 tA/tB = 90 · 0.9 = 81m.

Thus, the first runner A beats C by 19m. □

Problem 3(a)

36 = 2^2 · 3^2. If one considers also the one year olds, then there are the following combinations:

    3.  2.  1.  ∑
    1   1   36  38
    1   2   18  21
    1   3   12  16
    1   4   9   14
    1   6   6   13
    2   2   9   13
    2   3   6   11
    3   3   4   10

Only in case of sum 13 was another hint necessary. But there is an oldest child only if the family has two year old twins and a nine year old child. □

Problem 4(a) poor man's solution:

The catastrophe happens after one hour. Then, the fly has travelled 75 km.

Allegedly John von Neumann's solution:

Let sl be the position of the 'left' train, sr that of the 'right' train. The fly started 'right'. Let t1 be the point in time when the fly meets the 'left' train, t2 when it meets the 'right' train, etc. Then, we have sl(t1) = 50 t1 and 75 = (100 − sl(t1))/t1. Hence, 75 t1 = 100 − 50 t1, 125 t1 = 100 and finally t1 = 4/5.

    t/h                   sl(t)/km   sr(t)/km   d/km
    0                     0          100        0
    4/5                   40         60         60
    4/5 + 4/25            48         52         12
    4/5 + 4/25 + 4/125    49.6       50.4       2.4
    ...

where d is the distance the fly has travelled between two impingements.

The point in time of the catastrophe is

    t∞ = 4 ∑_{i=1}^{∞} 0.2^i = 4 (1/(1 − 0.2) − 1) = 4 (5/4 − 1) = 1

and the total travelled distance

    75 · 4/5 + 75 · 4/25 + 75 · 4/125 + ... = 75 km.

Problem 5(a)

Let sh(t) and sr(t) denote the distance travelled along the outward journey and the return journey resp., at any point t in time between sunrise 0 and sunset 1.

Let d denote the total distance between A and B. Then, sh(0) = 0, sh(1) = d, sr(0) = d, sr(1) = 0.

With sh and sr also δ(t) = sr(t) − sh(t) is a continuous function of t. Because of the different signs of δ(0) = d and δ(1) = −d the function δ(t) has at least one zero t0 in the interval [0, 1].

At time t0 we have sr(t0) = sh(t0).

Under which conditions is there more than one such point? □

Problem 6(a) There are eight equations with nine unknowns. And, the solutions have to consist of the natural numbers 1, ..., 9. Stepwise pick the arrangements corresponding to magic squares from a total of 9! = 362880 arrangements.

1. The number in the middle/centre is necessarily 5. It cannot be n = 6, 7, 8 or 9 because then m = 9, 8, 7 or 6 had no place in the magic square.

2. The 9 is in no corner, neither in NE, NW, SW, nor SE. Assuming NW = 9, then SE = 1 and for the three numbers 6, 7 and 8 there would be left only the two positions E and S.

3. Without loss of generality let W = 9; then either NW = 2 and SW = 4 or NW = 4 and SW = 2. Assuming now NW = 3, then also SW = 3. But the number 3 must not appear twice.

Two of the eight possible magic squares – identical when taking symmetry into consideration – are presented

    2 7 6
    9 5 1
    4 3 8

and

    4 3 8
    9 5 1
    2 7 6

How do the other six magic squares look like? □

Problem 7(a)

This text has no letter e, but every other letter of the Latin alphabet occurs at least once.

Write a similar text in German. □

Problem 8(a)

With the following procedure he acquires the average salary without him or any of his employees getting to know an individual salary.

1. He chooses at random a big 'secret' number k.

2. He tells k to the first employee in order to increment k by her/his own salary and to tell the sum to the second employee.

3. One after another the employees get to know some number in order to increment it by their own salary and to tell the sum to the next colleague.

4. The last, nth employee increments the number by her/his salary and tells the sum g to the boss.

Then, the average salary is (g − k)/n. □

Problem 9(a)

The problem is to let Alice get at the content of the box. The two agree on the following procedure:

1. Bob sends the box locked by his lock to Alice.

2. Alice additionally locks the box she received with her lock and sends it back to Bob.

3. Bob removes his lock from the box and sends the box, locked by only Alice's lock, back to Alice.

Problem 10(a)

They agree – say per e-mail – on the following procedure:

1. Alice and Bob agree to use a suitable one way function f, i.e. a one-to-one function f : N ⊃ D → W ⊂ N, so that f(x) is easy and f_inv(y) is extremely hard to compute.

2. Now, say Alice starts and chooses an odd or even x ∈ D. Now she sends y with y = f(x) to Bob without revealing x.

3. Bob receives y and bets whether x was odd or even. (If he wins then Alice, otherwise Bob has to drive.)

4. Alice checks Bob's bet and sends x to Bob for verification, i.e. to let Bob compare f(x) with the y he initially received.


Problem 11(a)

They need three locks with two keys each. If each person owns keys according to the following scheme,

[Figure: assignment of the keys of lock 1, lock 2 and lock 3 to Alice, Bob and Claire]

then only at least two persons together have keys for all three locks of the treasure box. □

Problem 11(b)

The following schema represents a solution

[Figure: assignment of the keys of lock 1, lock 2, lock 3 and lock 4 to Alice, Bob, Claire and Dennis]

because one person is always lacking a key, and any two persons together have a key to each of the four locks.

Is this solution with four locks with three keys each minimal?

With three locks each person may have at most two keys. Hence there are a total of at most eight keys for three locks and for four persons: There is no lock with only one key, because without the owner of that one key pairs of persons cannot open the treasure box. Hence there is either one person with keys to four locks or there are two persons with keys to three locks. In both cases a contradiction!

Finally with four locks, it is not sufficient to have two keys per person because then any two persons together might not have keys to each of the four locks! □

Problem 11(c) ??? □

Problem 12(a)

Problem 12(b)

Problem 12(c)

Problem 12(d)

Problem 13(a) Let (x, y) be the state of the system with x litres in the four litre and y litres in the nine litre bucket. Then the following state transitions are possible.
(0, 0) → (0, 9) → (4, 5) → (0, 5) → (4, 1) → (0, 1) → (1, 0) → (1, 9) → (4, 6) □

Problem 13(b) (0, 0) → (3, 0) → (0, 3) → (3, 3) → (1, 5) → (1, 0) □

Problem 13(c) Let (x, y, z) be the state of the system with x litres in the 8 litre canister, y litres in the 5 litre and z litres in the 3 litre jug. Then the following state transitions are possible.
(8, 0, 0) → (5, 0, 3) → (5, 3, 0) → (2, 3, 3) → (2, 5, 1) → (7, 0, 1) → (7, 1, 0) → (4, 1, 3) □

Problem 13(d) The barrel should contain 9 litres, the bucket 6 litres and the jug 3 litres. The can is empty. Let (w, x, y, z) be the state of the system with w litres in the barrel, x litres in the bucket, y litres in the jug and z litres in the can. Then the following state transitions are possible.
(18, 0, 0, 0) → (10, 8, 0, 0) → (10, 6, 0, 2) → (10, 6, 2, 0) → (7, 6, 5, 0) → (7, 6, 3, 2) → (9, 6, 3, 0) □

Problem 14(a) Let f, m, c1 and c2 denote the ages of father, mother, oldest child and youngest child resp. Then we know

a) f + m + c1 + c2 = 124
b) f + m = 3(c1 + c2)
c) m > 2c1
d) f − m = 9(c1 − c2)

a) and b) give c1 + c2 = 31 and f + m = 93 as well as 2f = 93 + 9(c1 − c2) or 2m = 93 − 9(c1 − c2). In any case c1 − c2 is odd.

If c1 − c2 = 1 then c1 + c2 = 31 implies c1 = 16 and c2 = 15 as well as m > 32. From f + m = 93 and f − m = 9 we conclude f = 51 and m = 42 > 32. This is the only solution.

Namely, if otherwise c1 − c2 ≥ 3 then c1 + c2 = 31 implies c1 ≥ 17 and c2 ≤ 14 as well as m > 34. From f + m = 93 and f − m ≥ 27 we conclude f ≥ 60 and m ≤ 33, a contradiction. □

Problem 14(b) E = 24 = 2(A − d) where E − d = A = 24 − d, so that 12 = A − d = 2A − 24 and thus A = 18. □

Problem 14(c) In any case, one has to pay (1 − 1/5)(1 + 15/100) = (4/5)(23/20) = 23/25-fold or 92% of the net price. □

Problem 14(d)

    2 2 1 1

Problem 14(e)

    F − 5 = 2(P − 6),  F + 9 = 3(P − 4)  ⇒  F − 2P = −7,  F − 3P = −21  ⇒  P = 14,  F = 21

Problem 15(a)

[Figure: triangle with the edge sums 11, 18 and 27]

Let A, B, and C be the labels of the three vertices. From

    A + B = 27
    B + C = 18
    A + C = 11

we conclude B − A = 7 and thus B = 17, A = 10 and C = 1. In general there is only a system of linear equations to solve. □

Problem 15(b) From (30 − a) + (7 − a) = 34 − a we get 3 = 3a and hence a = 1. □

Problem 15(c) g1 + g2 + g3 = 10, g2 = (4/3) g1, g3 = (3/4) g2 ⇒ g1 + (4/3) g1 + (3/4)(4/3) g1 = 10 = (10/3) g1 ⇒ g1 = 3, g2 = 4, g3 = 3. □

Problem 15(d) k + ℓ + m + n = 79 and ℓ + 1 = 2k and m + 1 = 2ℓ and n + 1 = 2m imply 79 = k + 2k − 1 + 2ℓ − 1 + 2m − 1 = 3k − 3 + (4k − 2) + (4ℓ − 2) = 7k − 7 + (8k − 4) = 15k − 11 and thus 15k = 90, therefore k = 6, ℓ = 11, m = 21, and n = 41. □

Problem 15(e) Let m and d be the number of sacks the mule and the donkey carry resp. Then m + 1 = 2(d − 1) and m − 1 = d + 1 imply m = 7 and d = 5. □

Problem 16(a)U = 2πr = πr2 = A⇒ r = 2 �

Solutions to Problems 112

Problem 16(b)Let ` [m] be the length and v [m/sec] the speed of the train. We know` = 7v and 330 = (18 − 7)v, hence v = 30 [m/sec] and ` = 210 [m].

Problem 16(c) In total, the worker produces x parts. To produce the first half it takes x/20 days, to produce the second half it takes x/60 days. On average, he produces x/(x/20 + x/60) = 60/4 = 15 parts per day. □

Problem 16(d) n = d_3·10^3 + d_2·10^2 + d_1·10 + d_0 is palindromic ⇐⇒ n = d_0·10^3 + d_1·10^2 + d_1·10 + d_0. For such n we have n = 1001 d_0 + 110 d_1, and since 11 | 110 d_1 we get 11 | n ⇐⇒ 11 | 1001 d_0 = 11 · 91 d_0. □

Problem 16(e) I, a man, 7 wives, 7^2 sacks, 7^3 cats, 7^4 kids, i.e.

1 + \sum_{i=0}^{4} 7^i = 1 + (7^5 − 1)/(7 − 1) = 1 + (823543 − 1)/6 = 1 + 137257 = 137258 □

Problem 16(f) 4/4 = (4/3) · (3/4) = (1 + 1/3) · (3/4) □

Problem 17(a) One cat catches 1 mouse in 5 minutes. One cat catches 20 mice in 100 minutes. Five cats catch 100 mice in 100 minutes. □

Problem 17(b) Let 6 ≤ a, b ≤ 10 for a, b ∈ N. Then, in general we have

10(a − 5 + b − 5) + (10 − a)(10 − b) = 10(a + b) − 100 + 100 − 10(a + b) + ab = ab

Problem 17(c) One hen lays one egg in one and a half days. Seven hens lay seven eggs in one and a half days. Seven hens lay 28 eggs in six days. □

Problem 17(d) Let the type denote at the same time the weight. Then we have A = 2B, B = 3C, C = 5D ⇒ A = 2B = 6C = 30D. □

Problem 17(e) Because of the prime factorizations 5291 = 11 · 13 · 37 and 3913 = 7 · 13 · 43 the twins are a 13 year old girl and a 13 year old boy. □

Problem 18(a) One cat catches 1 mouse in 5 minutes. One cat catches 20 mice in 100 minutes. Five cats catch 100 mice in 100 minutes. □

Problem 18(b) One must not divide by 0. □

Problem 18(c) Let n be the numerator and d be the denominator. Then we have n/d = (n + 65)/(d + 5) ⇒ 5n = 65d ⇒ n = 13d ⇒ n/d = 13. □

Problem 18(d) The numbers are n, n + 1, n + 2, n + 3, n + 4 for some n ∈ N. Then we have n^2 + (n + 1)^2 + (n + 2)^2 = (n + 3)^2 + (n + 4)^2 ⇒ 3n^2 + 6n + 5 = 2n^2 + 14n + 25 ⇒ n^2 − 8n − 20 = 0 ⇒ n_{1,2} = 4 ± √36 ⇒ n = 10. □

Problem 18(e) Let b be the (price of the) bottle and w (the price) of the wine. Then b + w = 9 and w = b + 8 imply 2b + 8 = 9 or b = 1/2 Euro. □

Problem 18(f) Let x be the area of his land. Then we have x/3 + x/4 + x/5 + 26 = x ⇒ (47/60) x + 26 = x ⇒ (13/60) x = 26 ⇒ x = 120. □

Problem 18(g) There are 8 sausages and each person eats 8/3 sausages. Egon pays 8 Euro for his 8/3 sausages. Therefore a sausage costs 3 Euro. Hence, Heini gets 1 Euro for the 3 − 8/3 = 1/3 sausages he has not eaten himself and Carl gets 7 Euro for the 5 − 8/3 = 7/3 sausages he has not eaten himself. □

Problem 18(h)

1/2 + 1/3 + 1/9 = (9 + 6 + 2)/18 = 17/18

Thus, the oldest son gets 9 cows, the middle one 6 cows and the youngest son 2 cows. The moderating neighbour, the 18th person, gets no cow. □

Problem 19(a)

time   this side   bridge   other side
 0     ABCD
       BC          →AD→
25     BC                   AD
       BC          ←A←      D
30     ABC                  D
       B           →AC→     D
50     B                    ACD
       B           ←A←      CD
55     AB                   CD
                   →AB→     CD
65                          ABCD

time   this side   bridge   other side
 0     ABCD
       CD          →AB→
10     CD                   AB
       CD          ←A←      B
15     ACD                  B
       A           →CD→     B
40     A                    BCD
       A           ←B←      CD
50     AB                   CD
                   →AB→     CD
60                          ABCD

The first plan obviously does not work. However, it saves time to let C and D cross the bridge together. But the two must not be the first to cross, so that somebody faster can return the torch. □


Problem 20(a)

Problem 20(b) Put the rightmost coin on top of the coin at the intersection of the two rows. □


Problem 20(c)

Problem 20(d) The ith vassal has to contribute i coins to the weighing. If all paid in 10 g coins then the contributions would weigh 10 \sum_{i=1}^{30} i = 10 · (30 · 31)/2 = 150 · 31 g. Now, if the jth vassal contributes 9 g coins then this will lead to a deficit of exactly j g, thus convicting the jth vassal. □

Problem 21(a)

time   farmers   blacksmith    apprentice   Σ
 0     30                                   30
 1               30                         30
 2               25            5            30
 3      3        25            2            30
       paid 27   received 25   kept 2       30

One must not mix debit and credit. □

Problem 21(b) Construct a regular tetrahedron in space (!). □

Problem 21(c) [figure in the original: an arrangement of positions numbered 1 to 10]

Problem 21(d) Interchanging rows or columns leaves the number of bottles in rows or columns unchanged. Hence, we can assume that rows and columns are ordered according to descending number of bottles. Then, the number of rows with six bottles must be even, namely two. The remaining two bottles produce odd columns if put into a row, and odd rows if put into a column. The number of rows with four bottles is even, namely two. The remaining six bottles similarly produce odd rows or columns necessarily. It is not possible to store 14 bottles in the tray in rows with only two bottles. □

Problem 22(a) The last but two factor is (x − x). This implies (x − a)(x − b) . . . (x − z) = 0. □

Problem 22(b) [figure in the original] The arrow indicates the viewing direction. The new positions are shown. Horizontally and vertically, horizontal and vertical arrows alternate. Thus, the intended position/orientation is not achievable.

Problem 22(c) Opposite corner squares have the same color. Removing these squares causes the numbers of black and white squares to differ. But a domino piece always covers exactly one white and one black square. Therefore, the modified chess board cannot be covered by domino pieces. □

Problem 22(d) n = 10t + 5 ⇒ n^2 = 100t^2 + 100t + 25 = 100 t(t + 1) + 25. □

Problem 23(a) No, the inner cuboid has no face on the outside. To cut it one needs six cuts. So six is the minimum number of cuts. □

Problem 23(b) One needs for one floor c_1 = 2, for two floors c_2 = c_1 + 1 + 2 · 2 = 7 and for three floors c_3 = c_2 + 2 + 2 · 3 = 15 cards, hence in general c_i = c_{i−1} + (i − 1) + 2i = c_{i−1} + 3i − 1 with c_1 = 2. The ansatz c_i = A i^2 + B i + C gives c_i = (3/2) i^2 + (1/2) i, especially c_47 = (3/2) · 47^2 + (1/2) · 47 = (1/2) · 47 · (3 · 47 + 1) = 47 · 71. □


Problem 23(c)? �


Problem 23(d)? �

Problem 24(a) There cannot be two black flags because the captive seeing the two black flags would have instantaneously concluded that the flag behind him must be white. Hence there also cannot be a single black flag because the two captives seeing the one black flag would have instantaneously concluded that the flags behind them must both be white. So after a while they unanimously conclude that behind them there are only white flags.

Problem 25(a) Let C, T, W, M denote the number of children, twens, women, and men resp. Then we have: 2C = T, 2W = M, 3C + 3W = C + T + W + M = 81 and 2 · 3C = 2(C + T) = W + M = 3W, hence 2C = W and therefore C = 9, T = 18 = W, M = 36. □

Problem 25(b) FFFEEE

Take the second full glass and empty it into the second empty glass. □

Problem 25(c) [figure in the original] i.e. 1 = √1 □

Problem 25(d) With a), b) and f) we have

personnel    J                 M             B
job                            ≠ fireman
travellers   Dr. J             Dr. M         Dr. B
income       5000 Euro/month
residence                                    Ch-burg

5000 is not divisible by 3. Hence, Dr. J is no neighbour of the conductor, who lives in (Ch+N)/2 and not in N, so that Dr. J lives neither in Ch nor in (Ch+N)/2. Because of e) Dr. J lives in N. Also, Dr. M is a neighbour of the conductor. Because of e) the name of the conductor is J. Therefore, the name of the engine driver is B.

personnel    J                 M             B
job          conductor         ≠ fireman     engine driver
travellers   Dr. J             Dr. M         Dr. B
income       5000 Euro/month
residence    N                 (Ch+N)/2      Ch

Problem 25(e) Let the number of lizards, beetles and worms be L, B, and W resp. We have L + B + W = 12. Lizards have four and beetles six legs. Worms have no legs. Hence, 4L + 6B = 26 implies B ∈ {1, 3}. If B = 1, then L = 5 and W = 6 = L + B, which is excluded because of W > L + B. If B = 3, then L = 2 and W = 7 > L + B. □

Problem 25(f) One after another we get the following jobs:

Joe        Hans                     Klaus
gardener   ≠ musician, ≠ gardener   ≠ gardener
musician   chauffeur                painter
merchant   barber

Problem 25(g)

We assume that sisters have the same last name.

[figure in the original: the assignment of names, with the labels Bettina, Pieper, Martin]

Problem 26(a) There is 1^2 = 1 square with side length 8. There are 2^2 = 4 squares with side length 7. There are 3^2 = 9 squares with side length 6. . . . There are 8^2 = 64 squares with side length 1.

In total, there are \sum_{i=1}^{8} i^2 = n(n + 1/2)(n + 1)/3 |_{n=8} = 8 · 8.5 · 9 / 3 = 24 · 17/2 = 12 · 17 = 204 squares. □

Problem 26(b) [figure in the original] To color the three outer sectors one needs three colors. Then, to color the inner disk one needs another, fourth color. Cp. http://en.wikipedia.org/wiki/Four_color_theorem


Problem 26(c)??? �


Problem 27(a)�

Problem 28(a) At t = 0 start both sand glasses. At t = 7 turn both sand glasses. After 4 min, i.e. at t = 11, the 11-min sand glass is drained. Turn the 7-min sand glass in order to measure the remaining 4 min. □

Problem 29(a) The clock loses 6 min/24 = 1/4 min = 15 sec per hour, i.e. in 24 + 20 = 44 hours it is 11 min late and at 8h it shows 7:49h. □

Problem 29(b) For the third woman exactly one loaf is left: she buys half of it and another half, so that all bread is sold. For the second woman three loaves are left: she buys one and a half and another half, leaving the one loaf for the third woman. For the first woman seven loaves are left: she buys three and a half and another half, leaving the three loaves for the third woman. The baker has sold seven loaves of bread. □

Problem 29(c) A quarter of an hour has 15 · 60 = 900 seconds. The stamp tool prints the numbers 0 to 899 in the first to the 900th second. The sequence 0, 1, . . . , 99 contains 10 + 10 = 20 ones. The sequence 100, 101, . . . , 199 contains 120 ones. In total, the stamp tool prints 280 ones. □

Problem 30(a) For the number n of campaigners we have n mod 2 = 1, n mod 3 = 2, . . ., n mod 10 = 9. And the Chinese remainder theorem produces n = 2519, s.a. www.arndt-bruenner.de/mathe/scripts/chinesischerRestsatz.htm □

Problem 30(b) Let S and B be the number of sisters and brothers resp.

S − 1 = B, S = 2(B − 1) ⇒ B = 3, S = 4. □

Problem 30(c) Let A and B be the ages of the first and the second sister resp. Then we have

A − B = 4, A^3 − B^3 = 988 = (A − B)(A^2 + AB + B^2) ⇒ A^2 + AB + B^2 = A^2 + A(A − 4) + (A − 4)^2 = 247 ⇒ 3A^2 − 12A − 231 = 0 ⇒ A^2 − 4A − 77 = 0 ⇒ A = 11, B = 7. □

Problem 31(a) There are n cows, n pigs, n horses and n rabbits, of which (4/5) n cows, (4/5) n pigs, (1/5) n horses and r n rabbits survived. Then we have 5/14 = r n / ((9/5) n + r n) = r / (9/5 + r), hence 9 + 5r = 14r and therefore r = 1, so that no rabbit died.

Problem 32(a) Let B be the price of the bottle and W be the price of the wine. Then we have 9 = B + W = B + (B + 8) = 2B + 8, i.e. 2B = 1 and hence B = 1/2. □

Problem 32(b) Each son has to get the amount of (1/3)(10 + 5) = 5 barrels full of wine. Fill half the wine of each of the full barrels into one of the empty barrels. Then we have 30 half empty barrels and each son gets 10 of them. □

Problem 33(a) The first three Fermat numbers

F(1) = 2^{2^1} + 1 = 5, F(2) = 2^{2^2} + 1 = 17, F(3) = 2^{2^3} + 1 = 257

can easily be verified to be prime. Using calc.exe, a pocket calculator, www.weblearn.hs-bremen.de/risse/MAI/docs/numerics.pdf, etc. also the fourth Fermat number F(4) is verified to be prime.

F(4) = 2^{2^4} + 1 = 65537

Not until Euler¹⁵ was it achieved to factorise the fifth Fermat number

F(5) = 2^{2^5} + 1 = 4294967297 = 641 · 6700417

This and a fortiori the factorisation of the sixth Fermat number

F(6) = 2^{2^6} + 1 = 18446744073709551617 = 274177 · 67280421310721

is today conveniently possible using powerful tools like Mathematica, Maple, MATLAB, MuPAD, etc. (cp. /risse/symbolic/) □

¹⁵ Leonhard Euler (1707-1783) www-history.mcs.st-and.ac.uk/Biographies/Euler.html

Problem 34(a)

For example, E(41) = 1681 = 41^2 and similarly E(42) = 1763 = 41 · 43.

To carry on s.a. www.weblearn.hs-bremen.de/risse/MAI/, www.cs.unb.ca/profs/alopez-o/math-faq/math-faq.pdf □

Problem 35(a)

Namely, M(11) = 2047 = 23 · 89.

The Lucas¹⁶-Lehmer¹⁷ test, see e.g. (3.2.8 What is the current status on Mersenne primes?) of www.cs.unb.ca/profs/alopez-o/math-faq/math-faq.pdf, tests efficiently whether a Mersenne number is prime or not. In 1999 a record in the Great Internet Mersenne Prime Search (GIMPS) was established showing that M(6972593) – a number with 2098960 digits – is prime.

Everybody can provide idle cycles of PCs to compute prime Mersenne numbers, see Great Internet Mersenne Prime Search (GIMPS).

GIMPS runs many more projects of distributed computing. □

¹⁶ Francois E.A. Lucas (1842-1891) www-history.mcs.st-and.ac.uk/Biographies/Lucas.html

¹⁷ Derrick N. Lehmer (1867-1938) www.math.berkeley.edu/publications/newsletter/2000/lehmer.html
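The Lucas-Lehmer test mentioned in Problem 35(a), as an added Python example that is not part of the original text: the recurrence s_0 = 4, s_{i+1} = s_i^2 − 2 (mod M(p)) decides M(p) = 2^p − 1 for an odd prime exponent p, and the small trial-division helper recovers the factor 23 of M(11). Function names and the exponent bound 61 are choices made here, not the author's.

```python
# Added example (not from the original page): Lucas-Lehmer test for Mersenne
# numbers M(p) = 2^p - 1, illustrating Problem 35(a).
# s_0 = 4, s_{i+1} = s_i^2 - 2 (mod M(p)); M(p) is prime iff s_{p-2} == 0
# (valid for odd prime p).

def mersenne(p: int) -> int:
    """Return the Mersenne number M(p) = 2^p - 1."""
    return (1 << p) - 1

def lucas_lehmer(p: int) -> bool:
    """Lucas-Lehmer primality test for M(p); meaningful for prime exponents p."""
    if p == 2:
        return True            # M(2) = 3 is prime; the recurrence needs p > 2
    m = mersenne(p)
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m    # square, subtract 2, reduce modulo M(p)
    return s == 0

def trial_factor(n: int) -> int:
    """Smallest prime factor of n by trial division (n itself if n is prime).
    Only meant for small numbers such as M(11) = 2047."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n

def mersenne_primes_upto(limit: int) -> list:
    """Exponents p <= limit for which M(p) passes the Lucas-Lehmer test."""
    # only prime exponents matter: if p = a*b then 2^a - 1 divides 2^p - 1
    primes = [p for p in range(2, limit + 1) if trial_factor(p) == p]
    return [p for p in primes if lucas_lehmer(p)]

if __name__ == "__main__":
    print(lucas_lehmer(11), mersenne(11), trial_factor(mersenne(11)))  # False 2047 23
    print(mersenne_primes_upto(61))   # [2, 3, 5, 7, 13, 17, 19, 31, 61]
```

The test costs p − 2 modular squarings, which is why GIMPS can afford exponents in the millions; trial division, by contrast, is only there to exhibit the factor 23 of the small counterexample M(11).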

Problem 36(a)

It is the (n mod 7)th day of the week if we arrange the days of the week cyclically, numbered from 0 to 6 starting with today's day of the week. □

Problem 36(b)

It is the ((7 − (n mod 7)) mod 7)th day of the week if we arrange the seven days of the week cyclically, numbered from 0 to 6 starting with today's day of the week. □


Problem 36(c)

E.g. see

www.cl.cam.ac.uk/~mgk25/iso-time.html �

Problem 37(a)

By definition we have for m, n, r ∈ N

n mod m = r ⇐⇒ n = v · m + r for some v ∈ N ⇐⇒ n − r = v · m for some v ∈ N ⇐⇒ m | n − r ⇐⇒ n ≡ r (mod m)

Problem 37(b)

additivity:

n_1 ≡ r_1 (mod m) ⇒ n_1 − r_1 = v_1 m
n_2 ≡ r_2 (mod m) ⇒ n_2 − r_2 = v_2 m

(n_1 ± n_2) ≡ (r_1 ± r_2) (mod m) ⇐ n_1 ± n_2 − (r_1 ± r_2) = (v_1 ± v_2) m

multiplicativity:

n_i ≡ r_i (mod m) ⇒ { m | n_1 − r_1, m | n_2 − r_2 } ⇒ { m | r_2 (n_1 − r_1), m | n_1 (n_2 − r_2) } ⇒

m | r_2 (n_1 − r_1) + n_1 (n_2 − r_2) = n_1 n_2 − n_1 r_2 + n_1 r_2 − r_1 r_2 = n_1 n_2 − r_1 r_2 ⇒ n_1 · n_2 ≡ r_1 · r_2 (mod m)

Problem 37(c)

scalar multiples

n ≡ r (mod m) ⇒ m | n − r ⇒ m | c (n − r) ⇒ c · n ≡ c · r (mod m)

powers either by multiplicativity or directly by induction: p = 1 ✓, which leaves us to show n^p ≡ r^p (mod m) ⇒ n^{p+1} ≡ r^{p+1} (mod m):

n ≡ r (mod m), n^p ≡ r^p (mod m) ⇒ { m | n − r, m | n^p − r^p } ⇒ { m | r^p (n − r), m | n (n^p − r^p) } ⇒

m | r^p (n − r) + n (n^p − r^p) = n^{p+1} − n r^p + n r^p − r^{p+1} = n^{p+1} − r^{p+1}

⇒ n^{p+1} ≡ r^{p+1} (mod m)

Problem 37(d)

transitivity

r ≡ s (mod m), s ≡ t (mod m) ⇒ m | r − s, m | s − t ⇒ m | (r − s) + (s − t) = r − t ⇒ r ≡ t (mod m)

Problem 38(a)

Division by 3: (due to exponentiation)

10^0 = 1 ≡ 1 (mod 3) ⇒ 10^p ≡ 1 (mod 3)

and (due to multiplicativity)

z_i 10^i ≡ z_i (mod 3) ⇒ n = \sum_{i=0}^{\infty} z_i 10^i ≡ \sum_{i=0}^{\infty} z_i (mod 3)

Especially we have for the digit sum s(n)

s(n) ≡ 0 (mod 3) ⇒ n ≡ 0 (mod 3)

Division by 9: analogously! e.g.

1234567890 mod 3 = (1 + 2 + . . . + 9) mod 3 = 45 mod 3 = 0
1234567890 mod 9 = (1 + 2 + . . . + 9) mod 9 = 45 mod 9 = 0

The common tests for divisibility by 2, 4 or 5 are deduced correspondingly. □

Problem 38(b)

Remainders when dividing powers of 10 by 11:

10^0 ≡ 1 (mod 11), 10^1 ≡ 10 (mod 11) ⇒ 10^{2i} ≡ 1 (mod 11), 10^{2i+1} ≡ 10 (mod 11) ≡ −1 (mod 11)

Arithmetic modulo 11 gives

z_{2i} 10^{2i} ≡ z_{2i} (mod 11) and z_{2i+1} 10^{2i+1} ≡ −z_{2i+1} (mod 11)

Together with transitivity we get a test for the divisibility by 11:

11 | \sum_{i=0}^{\infty} (−1)^i z_i ⇒ 11 | \sum_{i=0}^{\infty} z_i 10^i

and e.g.

1234567890 mod 11 = (−1 + 2 − 3 + 4 − 5 + 6 − 7 + 8 − 9 + 0) mod 11 = −5 mod 11 = 6 □

Problem 38(c)

Some examples may illustrate the procedure:

Check digit of ISBN 1-86197-222 is 1-86197-222-9 because

1·1 + 2·8 + 3·6 + 4·1 + 5·9 + 6·7 + 7·2 + 8·2 + 9·2 = 174 mod 11 = 9 mod 11

Check digit of ISBN 3-933146-67 is 3-933146-67-4 because

1·3 + 2·9 + 3·3 + 4·3 + 5·1 + 6·4 + 7·6 + 8·6 + 9·7 = 48 mod 11 = 4 mod 11

Check digit of ISBN 3-933146-43 is 3-933146-43-7 because

1·3 + 2·9 + 3·3 + 4·3 + 5·1 + 6·4 + 7·6 + 8·4 + 9·3 = 51 mod 11 = 7 mod 11

Check digit of ISBN 0-550-10206 is 0-550-10206-X because

1·0 + 2·5 + 3·5 + 4·0 + 5·1 + 6·0 + 7·2 + 8·0 + 9·6 = 32 mod 11 = 10 mod 11

Problem 38(d) Remainders when dividing powers of 10 by 7:

10^0 ≡ 1 (mod 7), 10^1 ≡ 3 (mod 7), 10^2 ≡ 2 (mod 7), 10^3 ≡ 6 (mod 7), 10^4 ≡ 4 (mod 7), 10^5 ≡ 5 (mod 7), 10^6 ≡ 1 (mod 7)

10^{7i+0} ≡ 1 (mod 7) ≡ −6 (mod 7)
10^{7i+1} ≡ 3 (mod 7) ≡ −4 (mod 7)
10^{7i+2} ≡ 2 (mod 7) ≡ −5 (mod 7)
10^{7i+3} ≡ 6 (mod 7) ≡ −1 (mod 7)
10^{7i+4} ≡ 4 (mod 7) ≡ −3 (mod 7)
10^{7i+5} ≡ 5 (mod 7) ≡ −2 (mod 7)
10^{7i+6} ≡ 1 (mod 7) ≡ −6 (mod 7)

Arithmetic modulo 7 implies for each n = \sum_{i=0}^{\infty} z_i 10^i

n ≡ \sum_{i=0}^{\infty} (z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} − z_{7i+3} − 3 z_{7i+4} − 2 z_{7i+5} + z_{7i+6}) (mod 7)

Together with transitivity we get a test for the divisibility by 7:

7 | \sum_{i=0}^{\infty} (z_{7i+0} + 3 z_{7i+1} + 2 z_{7i+2} − z_{7i+3} − 3 z_{7i+4} − 2 z_{7i+5} + z_{7i+6}) ⇒ 7 | \sum_{i=0}^{\infty} z_i 10^i

and e.g. 1234567890 mod 7 = (2·1 + 3·2 + 1·3 + 1·4 − 2·5 − 3·6 − 1·7 + 2·8 + 3·9 + 1·0) mod 7 = (2 + 6 + 3 + 4 − 10 − 18 − 7 + 16 + 27) mod 7 = 23 mod 7 = 2 □

Problem 38(e) Parity or Cyclic Redundancy Check, CRC, are examples of Error Detecting Codes, EDC, or even Error Correcting Codes, ECC. Using them hardens data against corruption and loss when transmitting (LAN, wLAN, satellite, ...) or storing (HD, RAID, CD-ROM, DVD ...).

e.g. Set the parity bit b_0 for odd or even parity such that the number of set bits in a bit string b_1 . . . b_n inclusive of the parity bit b_0 is odd or even resp. By a single parity bit single, i.e. 1-bit, errors are detected:

\sum_{i=0}^{n} b_i ≡ 1 (mod 2) for odd parity, \sum_{i=0}^{n} b_i ≡ 0 (mod 2) for even parity

By the way, odd parity is standard¹⁸ for synchronous, even parity for asynchronous transmission.

e.g. Obviously it is more demanding to correct errors than only to detect errors. Correspondingly, algorithms to correct errors like CRC or Reed-Solomon codes are more complex.

¹⁸ see e.g. www.its.bldrdoc.gov/projects/t1glossary2000/_parity_check.html

Explanations of relevant procedures to correct errors can be found e.g. at

Cyclic Redundancy Codes, CRC, see ftp.informatik.uni-trier.de/pub/Users-CTVD/sack/ep/CRC.txt

Reed¹⁹-Solomon¹⁹ code, see www.4i2i.com/reed_solomon_codes.htm, www.cs.cornell.edu/Courses/cs722/2000sp/ReedSolomon.pdf

... □

¹⁹ Irving Reed (1923-?), Gustave Solomon (1931-1996) hotwired.lycos.com/synapse/feature/97/29/silberman2a_1.html
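The two error-detecting codes of Problems 38(c) and 38(e), the ISBN-10 check digit (a weighted sum modulo 11) and the parity bit (a sum modulo 2), as an added Python example that is not part of the original text. The ISBN bodies are the ones the page uses; the bit string "1011001" and the flipped positions are constructed here, and the function names are choices made for this example.

```python
# Added example (not from the original page): ISBN-10 check digit (38(c))
# and parity bit (38(e)), with a look at which errors each code catches.

def isbn10_check_digit(first_nine: str) -> str:
    """Check digit for a 9-digit ISBN body: sum of i * d_i (i = 1..9) mod 11,
    remainder 10 written as 'X'. Hyphens are ignored."""
    digits = [int(c) for c in first_nine if c.isdigit()]
    if len(digits) != 9:
        raise ValueError("need exactly nine digits")
    total = sum(w * d for w, d in zip(range(1, 10), digits))
    r = total % 11
    return "X" if r == 10 else str(r)

def isbn10_is_valid(isbn: str) -> bool:
    """True iff the 10th character equals the check digit of the first nine."""
    body = [c for c in isbn if c.isdigit() or c == "X"]
    if len(body) != 10:
        return False
    return isbn10_check_digit("".join(body[:9])) == body[9]

def parity_bit(bits: str, odd: bool = False) -> str:
    """Parity bit b_0 for a bit string b_1..b_n: with even parity the total
    number of set bits becomes even, with odd parity it becomes odd."""
    ones = bits.count("1")
    return str((ones + (1 if odd else 0)) % 2)

def parity_ok(word: str, odd: bool = False) -> bool:
    """Check a received word (data bits followed by the parity bit)."""
    want = 1 if odd else 0
    return word.count("1") % 2 == want

def flip(word: str, *positions: int) -> str:
    """Constructed channel error: invert the bits at the given positions."""
    w = list(word)
    for p in positions:
        w[p] = "0" if w[p] == "1" else "1"
    return "".join(w)

if __name__ == "__main__":
    print(isbn10_check_digit("1-86197-222"))   # 9  (as in 38(c))
    print(isbn10_check_digit("0-550-10206"))   # X
    print(isbn10_is_valid("3-933146-67-4"))    # True
    print(isbn10_is_valid("3-933146-76-4"))    # False: transposed digits are caught
    sent = "1011001" + parity_bit("1011001")   # even parity -> "10110010"
    print(parity_ok(flip(sent, 2)))            # False: single-bit error detected
    print(parity_ok(flip(sent, 2, 5)))         # True:  two flips go unnoticed
```

The weights 1..9 are what makes the ISBN code catch transpositions of neighbouring digits (swapping d_i and d_{i+1} changes the sum by d_{i+1} − d_i, which is not 0 mod 11 for distinct digits), while a single parity bit only sees whether an odd number of bits flipped.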

Problem 39(a)

Let a < b (otherwise there is nothing to do).

Let b = va + r with r = b mod a.

If r = 0 then gcd(a, b) = a and gcd(a, (va) mod a) = gcd(a, 0) = a.

If r > 0 then for d = gcd(a, r) we have d | a and d | r and therefore also d | b = va + r. It remains to show that d is the greatest common divisor of a and b. For a d′ ∈ N with d′ | a and d′ | b = va + r it follows d′ | r. Due to d = gcd(a, r) we have d′ | d.

In total gcd(a, r) = d = gcd(a, b) is deduced.

Problem 39(b) Recursive version of Euclid's algorithm

    int gcd(int a, int b)
    {
        if (b == 0) return a;
        else return gcd(b, a % b);      /* a % b is a mod b */
    }

The algorithm terminates because the arguments in turn are decremented by at least 1 in each step of the recursion.

Iterative version of Euclid's algorithm

    int gcd(int a, int b)
    {
        int tmp;
        while (b != 0) { tmp = b; b = a % b; a = tmp; }
        return a;
    }
□

Problem 39(c)

Proof of FLT see e.g. [25] pp. 54-55

If p is prime then G = (Z/pZ)* = {1, 2, . . . , p − 1} is a multiplicative group with p − 1 elements (i.e. closed under multiplication modulo p with unit 1), hence a group of order ord(G) = p − 1.

Each x ∈ G generates a subgroup <x> = {x^1, x^2, . . .} in G ⊃ <x>. As G can be represented as a disjoint union of the cosets g<x> (with identical cardinality |g<x>| for all g ∈ G) we have – as for each subgroup H of a group G –

ord(x) = ord(<x>) | ord(G)

For a ∈ G, i.e. relatively prime to p, we have v · ord(a) = ord(G) and thus

a^{p−1} = a^{ord(G)} = a^{v · ord(a)} = (a^{ord(<a>)})^v = 1^v = 1

representing Fermat's little theorem.

a^{p−1} ≡ 1 (mod p)

E.g. m = 11111 is not prime because 2^{11110} ≡ 10536 (mod 11111) since

2^{15} ≡ 10546 (mod m), 2^{90} ≡ 10546^6 (mod m) ≡ 7830 (mod m)

2^{150} ≡ 10546^{10} (mod m) ≡ 3771 (mod m), 2^{310} ≡ 10536 (mod m)

2^{540} ≡ 7830^6 (mod m) ≡ 1 (mod m), 2^{10800} = (2^{540})^{20} ≡ 1 (mod m)

Equally, m = 11111 is not prime because 3^{11110} ≡ 2410 (mod 11111) since

3^9 ≡ 19683 (mod m) ≡ 8572 (mod m), 3^{10} ≡ 3494 (mod m)

3^{60} ≡ 3494^6 (mod m) ≡ 9757 (mod m), 3^{70} ≡ 2410 (mod m)

3^{120} ≡ 9757^2 (mod m) ≡ 1 (mod m), 3^{11040} = (3^{120})^{92} ≡ 1 (mod m)

Problem 39(d) The implication is equivalent to FLT with p = n and a = 2.

FLT: 2^{n−1} ≡ 1 (mod n) ⇒ 2^{n−1} − 1 ≡ 0 (mod n) ⇒ n | 2^{n−1} − 1.

But let n = 341. Due to 341 = 11 · 31, n is composite, that is not prime. However 2^{340} ≡ 1 (mod 341), because

2^{10} = 3 · 341 + 1 ⇒ 2^{10} − 1 = 3 · 341 ⇒ 341 | 2^{10} − 1 ⇒ 2^{10} ≡ 1 (mod 341)

Taking powers generates a counterexample:

2^{340} ≡ 1 (mod 341) ⇒ 341 | 2^{340} − 1

E.g. 341 is composite because 3^{340} ≡ 56 (mod 341) due to

3^6 = 47 mod 341, 3^7 = 141 mod 341, 3^8 = 82 mod 341

3^9 = 246 mod 341, 3^{10} = 56 mod 341, 3^{30} = 1 mod 341

3^{330} = 1 mod 341, together thus 3^{340} = 56 mod 341
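Fermat's little theorem used as a compositeness test, as an added Python example that is not part of the original text. It reproduces the hand computations of Problems 39(c) and 39(d): modpow is square-and-multiply, the mechanised form of the page's chain 2^15, 2^90, 2^150, ... (justified by multiplicativity of congruences, 37(b) and 37(c)); 11111 is exposed by base 2, while 341 fools base 2 and is caught by base 3. The function names and the default base list (2, 3, 5, 7) are choices made here.

```python
# Added example (not from the original page): Fermat's little theorem as a
# compositeness test, with the numbers of Problems 39(c) and 39(d).
# pow(a, e, m) from the standard library computes the same thing as modpow.

def modpow(a: int, e: int, m: int) -> int:
    """a^e mod m by repeated squaring; every intermediate product is reduced
    modulo m (multiplicativity of congruences), so values stay below m^2."""
    result = 1
    a %= m
    while e > 0:
        if e & 1:
            result = (result * a) % m
        a = (a * a) % m
        e >>= 1
    return result

def fermat_witness(n: int, a: int) -> bool:
    """True iff base a proves n composite, i.e. a^(n-1) != 1 (mod n).
    False means 'n is prime or a pseudoprime to base a', not 'n is prime'."""
    return modpow(a, n - 1, n) != 1

def fermat_test(n: int, bases=(2, 3, 5, 7)) -> bool:
    """Probable-prime test: n passes if no listed base is a witness.
    341 = 11 * 31 passes base 2 alone, which is why several bases are used."""
    if n < 4:
        return n in (2, 3)
    return not any(fermat_witness(n, a) for a in bases if a % n != 0)

if __name__ == "__main__":
    print(modpow(2, 11110, 11111))   # 10536 -> 11111 is composite (39(c))
    print(modpow(3, 11110, 11111))   # 2410
    print(modpow(2, 340, 341))       # 1     -> 341 fools base 2 (39(d))
    print(modpow(3, 340, 341))       # 56    -> base 3 exposes 341 = 11 * 31
    print(fermat_test(341), fermat_test(11111), fermat_test(65537))
```

A witness is a proof of compositeness; passing is only evidence of primality, which is the reason production code uses a test with a stronger witness notion (and several random bases) before trusting a candidate prime.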

Problem 40(a)

Let |M| denote the cardinality of a set M, i.e. the number of elements of M; then obviously

ϕ(p) = |{m ∈ N : m < p, gcd(m, p) = 1}| = |{1, 2, . . . , p − 1}| = p − 1

For small arguments n, ϕ(n) is easily evaluated:

 n  ϕ(n)     n  ϕ(n)     n  ϕ(n)
 1           11   10     21   12
 2    1      12    4     22   10
 3    2      13   12     23   22
 4    2      14    6     24    8
 5    4      15    8     25   20
 6    2      16    8     26   12
 7    6      17   16     27   18
 8    4      18    6     28   12
 9    6      19   18     29   28
10    4      20    8     30    8

Problem 40(b)

It is to be shown that there are p^{k−1} − 1 different m < p^k with a common divisor with p^k, i.e. with at least the divisor p.

|{m = vp : m = vp < p^k}| = |{m = vp : 1 ≤ v < p^{k−1}}| = p^{k−1} − 1

Hence

ϕ(p^k) = |{1, 2, . . . , p^k − 1} \ {m = vp : 1 ≤ v < p^{k−1}}| = |{1, 2, . . . , p^k − 1}| − |{m = vp : 1 ≤ v < p^{k−1}}| = p^k − 1 − (p^{k−1} − 1) = p^k − p^{k−1}

Problem 40(c) Let n = r · s with relatively prime factors r and s.

The set M = {m ∈ N : m < n, gcd(m, n) = 1} can be enumerated as follows: each r′ relatively prime to r and each s′ relatively prime to s specify an m = r′ · s′ relatively prime to n, i.e.

{r′ < r : gcd(r′, r) = 1} × {s′ < s : gcd(s′, s) = 1} ⊂ M

Vice versa, each divisor of m ∈ M is a divisor either of r or of s. Its prime factor decomposition can be thought of as a product of two factors relatively prime to either r or to s.

ϕ(n) = |M| = |{r′ < r : gcd(r′, r) = 1} × {s′ < s : gcd(s′, s) = 1}| = |{r′ < r : gcd(r′, r) = 1}| · |{s′ < s : gcd(s′, s) = 1}| = ϕ(r) · ϕ(s)

Problem 40(d)

Each n ∈ N has a prime factor decomposition

n = \prod_{i=1}^{v} p_i^{v_i}

where v_i denotes the multiplicity of the prime factor p_i and v the number of prime factors. Therefore

ϕ(n) = \prod_{i=1}^{v} (p_i^{v_i} − p_i^{v_i − 1}) = n \prod_{i=1}^{v} (1 − 1/p_i)

but only if the prime factor decomposition of n is known at all.

If p and q are prime and n = p · q then specially

ϕ(n) = ϕ(p · q) = ϕ(p) · ϕ(q) = (p − 1)(q − 1) = p · q − p − q + 1 = n − (p + q) + 1

Problem 40(e) Proof according to [25] p. 57

As in the proof of Fermat's Little Theorem let G = (Z/nZ)*, i.e. the group of the invertible elements of Z/nZ with unit [1] ∈ Z/nZ. G consists of the elements [m] ∈ Z/nZ whose representatives m have a modulo-n inverse. These are exactly the elements [m] with representatives m relatively prime to n. Hence G = {[m] : 1 ≤ m < n, gcd(m, n) = 1} and therefore ord(G) = ϕ(n).

With gcd(a, n) = 1 we have [a] ∈ G and thus [a]^{ord(G)} = [1] or

a^{ϕ(n)} = a^{ord(G)} ≡ 1 (mod n)
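Euler's ϕ computed the three ways Problem 40 describes, as an added Python example that is not part of the original text: by counting (the definition of 40(a)), by the prime-power formula of 40(d), and by the special case (p − 1)(q − 1) for n = p·q, followed by the check a^{ϕ(n)} ≡ 1 (mod n) of 40(e). The trial-division factoriser and all function names are choices made here.

```python
# Added example (not from the original page): Euler's phi as in Problem 40,
# and Euler's theorem a^phi(n) = 1 (mod n) for gcd(a, n) = 1.

from math import gcd

def phi_by_counting(n: int) -> int:
    """Definition of 40(a): number of 1 <= m < n with gcd(m, n) = 1."""
    return sum(1 for m in range(1, n) if gcd(m, n) == 1)

def factorize(n: int) -> dict:
    """Prime factor decomposition {p: multiplicity} by trial division."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi_by_formula(n: int) -> int:
    """40(d): phi(n) = product of (p^v - p^(v-1)) over the prime powers of n."""
    result = 1
    for p, v in factorize(n).items():
        result *= p ** v - p ** (v - 1)
    return result

def phi_of_two_primes(p: int, q: int) -> int:
    """Special case of 40(d) for n = p*q with distinct primes: (p-1)(q-1)."""
    return (p - 1) * (q - 1)

def euler_theorem_holds(a: int, n: int) -> bool:
    """40(e): for gcd(a, n) = 1, a^phi(n) is congruent to 1 modulo n."""
    return gcd(a, n) == 1 and pow(a, phi_by_formula(n), n) == 1

if __name__ == "__main__":
    # reproduces the table of 40(a) for n = 2..30
    print([phi_by_formula(n) for n in range(2, 31)])
    print(phi_by_formula(30), phi_by_counting(30))           # 8 8
    print(phi_of_two_primes(11, 13), phi_by_formula(143))    # 120 120
    print(euler_theorem_holds(2, 143), euler_theorem_holds(7, 30))  # True True
```

The comment in 40(d) is the whole point for RSA-style moduli: phi_by_formula needs the factorisation, phi_by_counting needs n steps, and for n = p·q with large primes neither is feasible without knowing p and q.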

Problem 41(a)

gcd(m_i, m_j) = 1 for i ≠ j implies gcd(b_i, m_i) = 1 for i = 1, . . . , n (where b_i = m/m_i and m = m_1 · · · m_n, cf. 41(c)).

Therefore the (modulo m_i)-inverse x_i of b_i exists, i.e.

x_i b_i ≡ 1 (mod m_i) for i = 1, . . . , n

Also b_i x_i ≡ 0 (mod m_j) if i ≠ j, hence x_i b_i ≡ δ_{ij} (mod m_j). With

x = \sum_{i=1}^{n} x_i b_i r_i

we get for j = 1, . . . , n

x mod m_j = \sum_{i=1}^{n} (x_i b_i r_i) mod m_j = (x_j b_j r_j) mod m_j = r_j


Problem 41(b)

Obviously

x = y mod p ⇐⇒ x− y ∈ pZ ⇐⇒ p | (x− y)

x = y mod q ⇐⇒ x− y ∈ qZ ⇐⇒ q | (x− y)

Because p and q are by assumption relatively prime, we get

(pq) | (x− y) ⇐⇒ x− y ∈ (pq)Z ⇐⇒ x = y mod (pq)

Problem 41(c) Let a be the age to be computed. Ask for

r_1 = a % 3, a = r_1 mod 3, a ≡ r_1 (mod 3)
r_2 = a % 5, a = r_2 mod 5, a ≡ r_2 (mod 5)
r_3 = a % 7, a = r_3 mod 7, a ≡ r_3 (mod 7)

Then m = \prod_{i=1}^{3} m_i = 3 · 5 · 7 = 105 and additionally b_1 = 105/3 = 35, b_2 = 105/5 = 21 and b_3 = 105/7 = 15. The (modulo m_i)-inverses are

x_1 = 2 because 2 · 35 = x_1 b_1 = 1 mod m_1 = 1 mod 3,
x_2 = 1 because 1 · 21 = x_2 b_2 = 1 mod m_2 = 1 mod 5 and
x_3 = 1 because 1 · 15 = x_3 b_3 = 1 mod m_3 = 1 mod 7.

Therefore

a = \sum_{i=1}^{3} x_i b_i r_i mod m = (70 r_1 + 21 r_2 + 15 r_3) mod 105
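The Chinese remainder construction of Problem 41(a), as an added Python example that is not part of the original text, applied to the age puzzle of 41(c) (which yields the constants 70, 21, 15) and to the campaigners of 30(a). It goes a step beyond 41(c) in that crt() accepts any list of pairwise coprime moduli; pow(b, -1, m) (Python 3.8+) supplies the modulo-m inverse, and the function names and the sample age 38 are choices made here.

```python
# Added example (not from the original page): x = sum x_i * b_i * r_i (mod m)
# with b_i = m / m_i and x_i = b_i^-1 (mod m_i), as in Problem 41(a).

from math import gcd, prod

def crt(residues, moduli) -> int:
    """Smallest x >= 0 with x = r_i (mod m_i) for pairwise coprime moduli m_i."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    m = prod(moduli)
    x = 0
    for r_i, m_i in zip(residues, moduli):
        b_i = m // m_i
        x_i = pow(b_i, -1, m_i)     # exists because gcd(b_i, m_i) = 1
        x += x_i * b_i * r_i
    return x % m

def crt_coefficients(moduli) -> list:
    """The constants x_i * b_i; for (3, 5, 7) these are 70, 21, 15 (41(c))."""
    m = prod(moduli)
    return [pow(m // m_i, -1, m_i) * (m // m_i) for m_i in moduli]

def age_from_remainders(r1: int, r2: int, r3: int) -> int:
    """41(c) as the page states it: a < 105 from a % 3, a % 5, a % 7."""
    return (70 * r1 + 21 * r2 + 15 * r3) % 105

def campaigners() -> int:
    """30(a): n = k - 1 (mod k) for k = 2..10. These moduli are not pairwise
    coprime, so the conditions are restated with one prime power per prime
    (8, 9, 5, 7; their lcm 2520 equals lcm(2..10)) before calling crt()."""
    return crt([7, 8, 4, 6], [8, 9, 5, 7])

if __name__ == "__main__":
    print(crt_coefficients([3, 5, 7]))            # [70, 21, 15]
    print(age_from_remainders(38 % 3, 38 % 5, 38 % 7))   # 38
    print(crt([38 % 3, 38 % 5, 38 % 7], [3, 5, 7]))      # 38
    print(campaigners())                           # 2519
```

The coprimality check is not decoration: with non-coprime moduli the inverse pow(b_i, -1, m_i) does not exist and Python raises ValueError, which is exactly what happens if 30(a) is fed to crt() with the moduli 2..10 unchanged.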

Problem 42(a) Use a + 0 = 0 + a = a and a · 1 = 1 · a = a to determine all but one result in the addition resp. in the multiplication table.

+  0  1
0  0  1
1  1  0

·  0  1
0  0  0
1  0  1

If we defined 1 + 1 = 1, then 1 would have no inverse w.r.t. addition. If we defined 1 · 1 = 0, then 1 would have no inverse w.r.t. multiplication. We can interpret and implement addition as XOR or as addition modulo 2. We can interpret and implement multiplication as AND or as multiplication modulo 2. □

Problem 42(b) Commutative addition and multiplication in GF(3)

+  0  1  2
0  0  1  2
1  1  2  0
2  2  0  1

·  0  1  2
0  0  0  0
1  0  1  2
2  0  2  1

Problem 42(c) Commutative addition and multiplication in GF(5)

+  0  1  2  3  4
0  0  1  2  3  4
1  1  2  3  4  0
2  2  3  4  0  1
3  3  4  0  1  2
4  4  0  1  2  3

·  0  1  2  3  4
0  0  0  0  0  0
1  0  1  2  3  4
2  0  2  4  1  3
3  0  3  1  4  2
4  0  4  3  2  1

Problem 42(d) For any prime p, addition modulo p makes GF(p) a commutative group and multiplication modulo p makes GF(p)* a commutative group – with distributivity.

However, for p, q ∈ GF(pq)* we would inadmissibly have p · q = 0, i.e. the product of factors different from zero would vanish. □
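The tables of Problems 42(a)-(c) generated for an arbitrary modulus, together with the criterion of 42(d), as an added Python example that is not part of the original text: Z/mZ is a field exactly when every non-zero element has a multiplicative inverse, which fails for a composite m because of zero divisors such as 2 · 3 = 0 (mod 6). Function names are choices made here.

```python
# Added example (not from the original page): addition and multiplication
# tables of Z/mZ as in Problems 42(a)-(c), and the field test of 42(d).

def add_table(m: int) -> list:
    """Addition table of Z/mZ: row a, column b holds (a + b) mod m."""
    return [[(a + b) % m for b in range(m)] for a in range(m)]

def mul_table(m: int) -> list:
    """Multiplication table of Z/mZ: row a, column b holds (a * b) mod m."""
    return [[(a * b) % m for b in range(m)] for a in range(m)]

def inverse(a: int, m: int):
    """Multiplicative inverse of a in Z/mZ found in the table, or None."""
    return next((b for b in range(m) if (a * b) % m == 1), None)

def zero_divisors(m: int) -> list:
    """Pairs (a, b) of non-zero elements, a <= b, with a * b = 0 (mod m)."""
    return [(a, b) for a in range(1, m) for b in range(a, m) if (a * b) % m == 0]

def is_field(m: int) -> bool:
    """Z/mZ is a field iff every element 1..m-1 has an inverse (42(d))."""
    return m >= 2 and all(inverse(a, m) is not None for a in range(1, m))

def format_table(table: list, op: str) -> str:
    """Render a table in the layout the page uses: header row, then rows."""
    m = len(table)
    lines = [op + " " + " ".join(str(b) for b in range(m))]
    lines += [f"{a} " + " ".join(str(v) for v in row) for a, row in enumerate(table)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_table(mul_table(5), "·"))       # the GF(5) table of 42(c)
    print([m for m in range(2, 20) if is_field(m)])  # [2, 3, 5, 7, 11, 13, 17, 19]
    print(zero_divisors(6))                      # [(2, 3), (3, 4)]
```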

Problem 43(a) For any r(x) = \sum_{i=0}^{n−1} r_i x^i ∈ GF(p^n) and any s(x) = \sum_{i=0}^{n−1} s_i x^i ∈ GF(p^n) with r_i, s_i ∈ GF(p) define

(r + s)(x) := \sum_{i=0}^{n−1} (r_i + s_i) x^i ∈ GF(p^n)

Then obviously (GF(p^n), +) is a commutative (additive) group. Its zero element is the constant polynomial zero(x) = 0 x^0. The inverse of a polynomial q(x) = \sum_{i=0}^{n−1} c_i x^i ∈ GF(p^n) w.r.t. addition is the polynomial −q(x) = \sum_{i=0}^{n−1} ((p − c_i) mod p) x^i ∈ GF(p^n).

Problem 43(b)

Let r(x) = \sum_{i=0}^{n−1} r_i x^i ∈ GF(p^n) and s(x) = \sum_{i=0}^{n−1} s_i x^i ∈ GF(p^n) with r_i, s_i ∈ GF(p). Then

(rs)(x) := \sum_{i=0}^{2n−2} x^i \sum_{j=0}^{i} r_j s_{i−j} ∈ P(2n − 1)

Because obviously r · s ∈ P(2n − 1) in general, the product of factors in GF(p^n) is itself not necessarily in GF(p^n). □

Problem 43(c) Then, the polynomial m has to have degree n. A polynomial m of lower degree does not suffice as the following example for GF(2^2) shows.

m(x) = x:
*       0  1      x      x + 1
0       0  0      0      0
1       0  1      x      x + 1
x       0  x      0      0
x + 1   0  x + 1  0      1

m(x) = x + 1:
*       0  1      x      x + 1
0       0  0      0      0
1       0  1      x      x + 1
x       0  x      1      0
x + 1   0  x + 1  0      0

In both cases there are contradictions. In case m(x) = x for example, x has no inverse element. In case m(x) = x + 1 for example, x + 1 has no inverse element. □

Problem 43(d) Then, m has to be irreducible, i.e. m cannot be represented as the product of two non-constant polynomials of lower degree. Namely, assume m = m_1 · m_2 with non-constant m_1 and m_2 of degree not bigger than n. Then m_1, m_2 ∈ GF(p^n) and m_1 · m_2 = 0 in GF(p^n) holds. □

Problem 43(e) m_1 is reducible over GF(2) because of m_1(x) = x^2 + 1 = x^2 + 2x + 1 = (x + 1)^2. Exhaustive listing of all suitable products shows m_2 = x^2 + x + 1 to be irreducible over GF(2):

x · x = x^2
x · (x + 1) = x^2 + x, (x + 1) · x = x^2 + x
(x + 1) · (x + 1) = x^2 + 2x + 1 = x^2 + 1

Problem 44(a) Multiplication in GF(2^2) = GF(2)[x]/m(x) with m(x) = x^2 + x + 1 is given by the following table

·       0  1      x      x + 1
0       0  0      0      0
1       0  1      x      x + 1
x       0  x      x + 1  1
x + 1   0  x + 1  1      x

because x^2 = x + 1 mod m(x) and x(x + 1) = x^2 + x = x + 1 + x = 1 mod m(x) and (x + 1)^2 = x^2 + 2x + 1 = x^2 + 1 = x + 2 = x mod m(x).

The inverse elements can be read directly from the multiplication table. □

Problem 44(b) For r(x) = \sum_{i=0}^{n−1} r_i x^i ∈ GF(p^n)* and s(x) = \sum_{i=0}^{n−1} s_i x^i ∈ GF(p^n)* with r_i, s_i ∈ GF(p) define

(r · s)(x) := (\sum_{i=0}^{2n−2} x^i \sum_{j=0}^{i} r_j s_{i−j}) mod m(x) ∈ GF(p^n)

Then (GF(p^n)*, ·) is a commutative (multiplicative) group. Its one-element is the constant polynomial one(x) = 1 x^0.

Problem 44(c) By the extended version of the Euclid algorithm on p. 38. First, the classical algorithm in its recursive and iterative form is presented computing gcd(x, y).

    #include <stdlib.h>                     /* abs() */

    int gcd_rec(int x, int y)               /* recursive version */
    {
        if (y == 0) return abs(x);
        else return gcd_rec(y, x % y);
    }

    int gcd_it(int x, int y)                /* iterative version */
    {
        int tmp;
        while (y != 0) { tmp = y; y = x % y; x = tmp; }
        return abs(x);
    }

The extended Euclid algorithm computes for given x and y coefficients a and b such that d = gcd(x, y) = ax + by.

With prime p and 0 ≤ x < p then 1 = gcd(x, p) = ax + bp holds, i.e.ax = 1 − bp or ax = 1 mod p. Hence, the extended Euclid algorithminverts elements in GF(p) and similar in GF(pn).

    struct egcd { int d, a, b; };           /* d = gcd(x, y) = a*x + b*y */

    struct egcd gcd_coeff(int x, int y)     /* returns the triple (d, a, b) */
    {
        int q, tmp, q11, q12, q21, q22, t21, t22;
        q11 = q22 = 1;
        q12 = q21 = 0;
        while (y != 0)
        {
            tmp = y;
            q = x / y;
            y = x % y;
            x = tmp;
            t21 = q21; t22 = q22;
            q21 = q11 - q*q21;              /* update the coefficient matrix */
            q22 = q12 - q*q22;
            q11 = t21; q12 = t22;
        }
        struct egcd result = { x, q11, q12 };
        return result;
    }

Problem 44(d) Using the feature in the form on p. 208 to generate irreducible polynomials over GF(p) of a given degree n, the following little table can be established:

p\n    2     3     4     5     6     7     8   . . .
2      1     2     3     6     9    18    30   . . .
3      6    16    36    96   232   . . .
5     40   160   600   . . .
...   . . .

By the way, it can be shown that there always is at least one irreducible polynomial over GF(p) of degree n. □

Problem 44(e) Let m_1(x) and m_2(x) be two irreducible polynomials over GF(p) of degree n − 1 and F_i the field constructed using m_i(x). These two fields are isomorphic, i.e. except for renaming the elements the two fields are identical, i.e. there is an isomorphism, a bijective mapping ϕ : F_1 → F_2 with ϕ(r + s) = ϕ(r) + ϕ(s) and ϕ(r · s) = ϕ(r) · ϕ(s)

• because any two finite fields with the same number of elements are isomorphic

• or because finite fields are cyclic, i.e. for any finite field F there is a generating element g such that F* = {g^i ; i ∈ N}. Let g_i be a generating element for F_i. Then ϕ : F_1 → F_2 defined by ϕ(g_1) := g_2 and canonically extended to F_1 specifies an isomorphism between F_1 and F_2.

Problem 44(f) Obviously, GF(2^2)* with m(x) = x^2 + x + 1 has exactly two generating elements, namely g_1(x) = x and g_2(x) = x + 1.

n   g_1^n = x^n      n   g_2^n = (x + 1)^n
0   1                0   1
1   x                1   x + 1
2   x + 1            2   x

GF(2^3)* with m(x) = x^3 + x + 1 has at least three generating elements: x, x + 1 and x^2.

n   x^n            (x + 1)^n        (x^2)^n
0   1              1                1
1   x              x + 1            x^2
2   x^2            x^2 + 1          x^2 + x
3   x + 1          x^2              x^2 + 1
4   x^2 + x        x^2 + x + 1      x
5   x^2 + x + 1    x                x + 1
6   x^2 + 1        x^2 + x          x^2 + x + 1

GF(2^3)* with m(x) = x^3 + x^2 + 1 has at least three generating elements: x, x + 1 and x^2.

n   x^n            (x + 1)^n        (x^2)^n
0   1              1                1
1   x              x + 1            x^2
2   x^2            x^2 + 1          x^2 + x + 1
3   x^2 + 1        x                x^2 + x
4   x^2 + x + 1    x^2 + x          x
5   x + 1          x^2 + x + 1      x^2 + 1
6   x^2 + x        x^2              x + 1

This comes as no surprise: due to isomorphy, the set of generating elements is independent of the choice of the irreducible polynomial m.

There are more generating elements of GF(2^3)*: namely, the form on p. 208 computes step by step all generating elements of GF(p^n)* for any (small) prime p and (small) n ∈ N. □

Problem 44(g) Let g be a generating element of GF(p^n)* and let log r be the logarithm of an element r ∈ GF(p^n)* to the base g, i.e. r = g^{log r} with 0 ≤ log r < p^n − 1. Then multiplication can be reduced to one addition modulo p^n − 1 and three table look-ups (two in the log table, one in the antilog table):

  r · s = g^{(log r + log s) mod (p^n − 1)}

For example, consider GF(2^8)*: instead of 256 · 256 = 65536 entries in a look-up table for the multiplication in GF(2^8), only two look-up tables with 256 entries each are needed, the log table and the antilog table of the powers g^i. (Zero has no logarithm and has to be handled separately.) □

Problem 44(h) Using

  1/r = r^{−1} = g^{−log r} = g^{p^n − 1 − log r}

inversion in GF(p^n)* can be implemented by two table look-ups and one subtraction (for r = 1, i.e. log r = 0, the exponent p^n − 1 is reduced to 0). □
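The table method of 44(g) and 44(h), as an added example in Python (not code from the original page). It assumes GF(2^8) constructed with the AES polynomial x^8 + x^4 + x^3 + x + 1 and the generator g = x + 1 = 0x03; both choices are assumptions of this example, not given on the page. The table-based multiplication is cross-checked against plain shift-and-add multiplication on all 65536 pairs.

```python
# Added example (not from the original page): log/antilog tables for GF(2^8)
# as in Problems 44(g) and 44(h). Assumptions: the reduction polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11b) and the generator g = x + 1 (0x03).
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
GENERATOR = 0x03      # x + 1 generates GF(2^8)^* for this polynomial
ORDER = 255           # |GF(2^8)^*| = 2^8 - 1


def gf_mul_slow(a: int, b: int) -> int:
    """Shift-and-add multiplication in GF(2^8), reducing modulo POLY."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return product


def build_tables():
    """Return (log, antilog): antilog[i] = g^i and log[g^i] = i for 0 <= i < 255."""
    antilog = [0] * ORDER
    log = [0] * 256        # log[0] stays unused: 0 has no logarithm
    value = 1
    for i in range(ORDER):
        antilog[i] = value
        log[value] = i
        value = gf_mul_slow(value, GENERATOR)
    assert value == 1, "generator must have order 255"
    return log, antilog


LOG, ANTILOG = build_tables()


def gf_mul(r: int, s: int) -> int:
    """r*s = g^((log r + log s) mod 255): three look-ups and one addition."""
    if r == 0 or s == 0:
        return 0
    return ANTILOG[(LOG[r] + LOG[s]) % ORDER]


def gf_inv(r: int) -> int:
    """1/r = g^(255 - log r): two look-ups and one subtraction (r != 0)."""
    if r == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return ANTILOG[(ORDER - LOG[r]) % ORDER]


def tables_agree_with_slow_multiplication() -> bool:
    """Cross-check the table method against shift-and-add on all 65536 pairs."""
    return all(gf_mul(a, b) == gf_mul_slow(a, b)
               for a in range(256) for b in range(256))


def every_nonzero_element_has_inverse() -> bool:
    return all(gf_mul(r, gf_inv(r)) == 1 for r in range(1, 256))
```

With these tables, gf_mul(0x57, 0x83) gives 0xc1 and gf_inv(0x53) gives 0xca, the two worked examples of FIPS-197 section 4.2.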

Problem 45(a) With k = 3 the message is decrypted to give the plain text

  thisisatopsecretmessage.

Obviously there are only 26 possible keys. Also, the Caesar encryption/decryption preserves the letter frequencies: the most frequent cipher letter almost certainly stands for the most frequent plain letter, which is a natural angle for an attack.

s.a. www.weblearn.hs-bremen.de/risse/MAI/docs/mai1.pdf □

Problem 45(b) Besides the trivial key 0 there are only 25 other keys k = 1, 2, ..., 25.

Security is rather low since at most 25 keys have to be tried, and the correct one is recognized at sight. □

Problem 46(a)

Without restricting generality let k = k mod m.

Encryption has to be one-to-one, i.e.

  (k x1) mod m = (k x2) mod m ⇒ x1 = x2   for all 0 ≤ x1, x2 < m

or equivalently

  x1 ≠ x2 ⇒ (k x1) mod m ≠ (k x2) mod m   for all 0 ≤ x1, x2 < m.

Then, necessarily, k and m have no common divisor. Assuming otherwise, there was some g > 1 with k = v g and m = w g. Hence, for 0 = x1 ≠ x2 = w < m

  (k x2) mod m = (v w g) mod (w g) = 0 = 0 mod m = (k x1) mod m

holds, in contradiction to encryption being one-to-one. □

Problem 46(b) If and only if 1 = (k kinv) mod m then

  x = (kinv y) mod m = (kinv ((k x) mod m)) mod m = (kinv k x) mod m

for each 0 ≤ x < m. Then kinv is called the (modulo-m)-inverse of k.

Now, Euclid's algorithm gcd(x0, x1) for some x0 and x1 with no common divisors computes

  x0 = q1 x1 + x2              x2 = x0 − q1 x1
  x1 = q2 x2 + x3              x3 = x1 − q2 x2 = x1 − q2 (x0 − q1 x1)
  x2 = q3 x3 + x4              x4 = x2 − q3 x3 = x0 − q1 x1 − q3 (x1 − q2 (x0 − q1 x1))
  ...
  x_{n−2} = q_{n−1} x_{n−1} + x_n      x_n = linear combination of x0 and x1
  x_{n−1} = q_n x_n + x_{n+1}

until x_n = 1 and x_{n+1} = 0. Hence, each x_i is a linear combination of x0 and x1. Especially, for gcd(k, m) = 1 holds x_n = 1 = u k + v m. Therefore

  u k = 1 − v m ⇒ (u k) mod m = 1

follows, and u mod m is the (modulo-m)-inverse kinv of k.

Euclid's algorithm is now extended to compute the modulo-m inverse of k. The function maintains the invariant l11 · m + l12 · k = xm, so that at the end, when xm = 1, l12 · k ≡ 1 (mod m). The original form only works for gcd(k, m) = 1; the test on x == 0 below returns NaN if k has no inverse instead of looping forever on a division by zero:

    // (modulo m)-inverse of k via the extended Euclidean algorithm
    function invers(k, m)
    {
      var xm = m, x = k, xp, q;
      // (l11, l12) and (l21, l22) express xm and x as combinations of m and k
      var l11 = 1, l12 = 0, l21 = 0, l22 = 1, n11, n12, n21, n22;
      while (xm != 1)
      {
        if (x == 0) return NaN;            // gcd(k, m) != 1: no inverse exists
        q = Math.floor(xm / x); xp = xm - x * q;
        n11 = l21; n12 = l22; n21 = l11 - q * l21; n22 = l12 - q * l22;
        l11 = n11; l12 = n12; l21 = n21; l22 = n22; xm = x; x = xp;
      }
      // reduce l12 into the range 0 .. m-1 (l12 may be negative)
      return (l12 + m) - m * Math.floor((l12 + m) / m);
    }

For example, invers(3, 26) = 9 since 3 · 9 = 27 ≡ 1 (mod 26), and invers(4, 26) = NaN since gcd(4, 26) = 2. □

Problem 46(c)

Insertion gives

  x = (k1′ y + k0′) mod m = (k1′ ((k1 x + k0) mod m) + k0′) mod m
    = (k1′ k1 x + k1′ k0 + k0′) mod m = x

if and only if

  k1′ = k1inv   and   k0′ = (−k1inv k0) mod m.

Then also

  y = (k1 x + k0) mod m = (k1 ((k1inv y + k0′) mod m) + k0) mod m
    = (k1 k1inv y + k1 k0′ + k0) mod m
    = (y + k1 (−k1inv k0) + k0) mod m = y.

Problem 46(d)

Each key consists of a pair (k1, k0) with k0 ∈ {0, 1, ..., m − 1} and k1 ∈ {0 ≤ k < m : gcd(k, m) = 1}. Therefore the key space is {0, 1, ..., m − 1} × {0 ≤ k < m : gcd(k, m) = 1} with m · ϕ(m) elements. For example, in case of m = 26 the key space has 26 · ϕ(26) = 26 · 12 = 312 elements (the 26 Caesar keys are the ones with k1 = 1).

All the same, the level of security is still rather low: 312 keys are tried in no time, and the letter frequencies are still preserved, so the two key parameters can be solved for from the two most frequent cipher letters.
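The affine cipher of Problem 46 with the modular inverse from the extended Euclidean algorithm, as an added Python example (not code from the original page). It assumes the 26-letter Latin alphabet, so m = 26, and drops non-letters; the key-space enumeration and the crib-based brute force are this example's own additions.

```python
# Added example (not from the original page): the affine cipher of Problem 46
# with the modular inverse computed by the extended Euclidean algorithm.
# Assumption: a 26-letter alphabet, so m = 26 and phi(26) = 12.
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
M = len(ALPHABET)


def egcd(a: int, b: int):
    """Return (g, u, v) with g = gcd(a, b) = u*a + v*b (Problem 46(b))."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def modinv(k: int, m: int) -> int:
    """The modulo-m inverse of k; raises if gcd(k, m) != 1 (Problem 46(a))."""
    g, u, _ = egcd(k % m, m)
    if g != 1:
        raise ValueError(f"{k} has no inverse modulo {m}")
    return u % m


def affine_encrypt(text: str, k1: int, k0: int) -> str:
    """y = (k1 x + k0) mod m, letter by letter; non-letters are dropped."""
    if gcd(k1, M) != 1:
        raise ValueError("k1 must be coprime to m for encryption to be one-to-one")
    return "".join(ALPHABET[(k1 * ALPHABET.index(ch) + k0) % M]
                   for ch in text.lower() if ch in ALPHABET)


def affine_decrypt(cipher: str, k1: int, k0: int) -> str:
    """x = (k1' y + k0') mod m with k1' = k1^-1, k0' = -k1^-1 k0 (Problem 46(c))."""
    k1_inv = modinv(k1, M)
    k0_inv = (-k1_inv * k0) % M
    return "".join(ALPHABET[(k1_inv * ALPHABET.index(ch) + k0_inv) % M]
                   for ch in cipher)


def key_space():
    """All (k1, k0) with gcd(k1, m) = 1: m * phi(m) keys (Problem 46(d))."""
    return [(k1, k0) for k1 in range(M) if gcd(k1, M) == 1 for k0 in range(M)]


def brute_force(cipher: str, crib: str):
    """Try every key; return those whose decryption starts with the crib."""
    return [(k1, k0) for k1, k0 in key_space()
            if affine_decrypt(cipher, k1, k0).startswith(crib)]
```

The Caesar cipher of Problem 45 is the special case k1 = 1, so affine_encrypt(text, 1, 3) reproduces the shift by 3; brute_force shows how little the 312 keys help against a known crib.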

Problem 47(a)

Using the key word key corresponding to k = 10, 4, 24, i.e. l = 3, the decrypted message is

  thisisatopsecretmessage.

Obviously there are 26^l possible keys of length l. The cycle length l can be determined by the method invented by Kasiski: distances between repeated cipher text fragments are multiples of l. Once the cycle length is known, an attack consists only of l independent Caesar decryptions, one for every l-th letter. □

Problem 47(b)

Each key consists of a string k of arbitrary length. Hence, each key is contained in the key space ∪_{l=1}^{∞} {0, 1, 2, ..., 25}^l if the Latin alphabet is used.

Security of the Vigenère encryption/decryption scheme is the higher the longer the key. But the longer the key, the more difficult it is to transmit a key to all legitimate receivers without the transmission being eavesdropped.

Highest security is achieved, however at the highest cost to transmit the keys, if each key is truly random, as long as the message and used only one time, the so called one time pad, s.a. www.fourmilab.ch/onetime/otpjs.html □
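The frequency attack on Caesar from 45(a) and the reduction of Vigenère to l Caesar ciphers from 47(a), as an added Python example (not code from the original page). The English letter frequency table is an approximate one constructed for this example; the scoring function (sum of expected frequencies of the candidate plain text) is this example's choice, not the page's.

```python
# Added example (not from the original page): why Caesar (Problem 45) falls to
# letter frequencies and why Vigenere (Problem 47) reduces to l Caesar ciphers
# once the key length l is known. ENGLISH holds approximate letter frequencies
# in percent, constructed for this example.
import string

ALPHABET = string.ascii_lowercase
ENGLISH = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074}


def shift(text: str, k: int) -> str:
    """Caesar: every letter moves k positions (26 keys in total)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] for c in text)


def caesar_encrypt(text: str, k: int) -> str:
    return shift(text, k)


def caesar_decrypt(cipher: str, k: int) -> str:
    return shift(cipher, -k)


def english_score(text: str) -> float:
    """Sum of expected frequencies: high when the letters look English."""
    return sum(ENGLISH[c] for c in text)


def break_caesar(cipher: str) -> int:
    """Return the key whose decryption scores best among all 26 candidates."""
    return max(range(26), key=lambda k: english_score(caesar_decrypt(cipher, k)))


def vigenere_encrypt(text: str, key: str) -> str:
    """Letter i is Caesar-shifted by key letter i mod l; the key repeats with period l."""
    l = len(key)
    return "".join(shift(c, ALPHABET.index(key[i % l])) for i, c in enumerate(text))


def vigenere_decrypt(cipher: str, key: str) -> str:
    l = len(key)
    return "".join(shift(c, -ALPHABET.index(key[i % l])) for i, c in enumerate(cipher))


def columns(text: str, l: int):
    """The l subsequences of letters that share one key letter (period l)."""
    return [text[i::l] for i in range(l)]


def vigenere_is_l_caesars(text: str, key: str) -> bool:
    """Column i of the cipher text is the Caesar encryption of column i of the
    plain text under key letter i; a Kasiski-style attack exploits exactly this."""
    cipher = vigenere_encrypt(text, key)
    l = len(key)
    return all(columns(cipher, l)[i]
               == caesar_encrypt(columns(text, l)[i], ALPHABET.index(key[i]))
               for i in range(l))
```

Even on the 23-letter example message the scoring picks the right Caesar key, because e, s and t dominate the text; on the 8-letter Vigenère columns of the same message the per-column scoring is not reliable, which is why real attacks need more cipher text than this toy message.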

Problem 48(a)

There are n! = 1 · 2 · 3 ··· n = ∏_{i=1}^{n} i permutations of n objects. The Latin alphabet therefore has

  26! = 403291461126605635584000000 ≈ 4 · 10^26

permutations. □

Problem 48(b)

No, because the frequency of character combinations is still preserved, which can be used to decipher an encrypted text.

E.g. let y = CESVLRHEESUUSLLGANOSGMIHRSTU be the encryption of a German text x. S, C and H are, because of the blocking, close together, so that one can guess the trigram SCH. The minimal block length ℓ is 5; for this block length the string x would have to start with "ELVSCH..." or "EVLSCH...", which is improbable. For ℓ = 6 SCH is not possible, so this block length is disregarded. For ℓ = 7 we get

  ...SCH....SEL....ALG.....HMU...

The final position of the trigrams is not yet known; by using the frequency of other character combinations we get

  x = VERSCHLUESSELUNGSALGORITHMUS

s.a. www.kryptoanalytiker.de □

Problem 48(c)

Text blocks of fixed length are encrypted by permutation of their letters. In the following example

  htsisitapoesrcteemssga.e

pairs of plain text letters are interchanged, i.e. the permutation (2, 1) is applied to 2-letter blocks.

There are n! permutations of n-letter blocks: the longer the blocks, the more permutations or keys there are, i.e. the more secure is the encryption/decryption method. However, at the same time the key length grows as well as the cost of buffering messages to be encrypted or decrypted. □
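The block transposition of 48(c) for an arbitrary block permutation, as an added Python example (not code from the original page). Keys are written 1-based as on the page, so (2, 1) is the example's pair swap; the padding character "." for a last incomplete block is this example's assumption.

```python
# Added example (not from the original page): the block transposition of
# Problem 48(c). A key is a permutation of block positions, written 1-based as
# on the page; (2, 1) swaps the two letters of each 2-letter block.
from math import factorial


def pad(text: str, n: int, fill: str = ".") -> str:
    """Fill the last block up to length n (assumption: '.' as filler)."""
    return text + fill * (-len(text) % n)


def transpose_encrypt(text: str, perm: tuple) -> str:
    """Position j of each cipher block takes plain letter perm[j] of that block."""
    n = len(perm)
    assert sorted(perm) == list(range(1, n + 1)), "key must be a permutation of 1..n"
    text = pad(text, n)
    return "".join(text[i + p - 1] for i in range(0, len(text), n) for p in perm)


def inverse_permutation(perm: tuple) -> tuple:
    """The decryption key: inv[perm[j] - 1] = j + 1."""
    inv = [0] * len(perm)
    for j, p in enumerate(perm):
        inv[p - 1] = j + 1
    return tuple(inv)


def transpose_decrypt(cipher: str, perm: tuple) -> str:
    return transpose_encrypt(cipher, inverse_permutation(perm))


def key_count(n: int) -> int:
    """n! keys for n-letter blocks (Problem 48(a))."""
    return factorial(n)
```

Note that the letter multiset of every block survives encryption unchanged, which is exactly what the anagramming attack of 48(b) relies on.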

Problem 49(a)

P inv, the inverse of the initial permutation P of DES (entry i gives the number of the input bit that becomes output bit i), is

  40  8 48 16 56 24 64 32 39  7 47 15 55 23 63 31
  38  6 46 14 54 22 62 30 37  5 45 13 53 21 61 29
  36  4 44 12 52 20 60 28 35  3 43 11 51 19 59 27
  34  2 42 10 50 18 58 26 33  1 41  9 49 17 57 25

? Why is the encoded string represented as a 0|1-string, i.e. each encrypted block of 8 letters as a 64-bit block? (Because P and P inv permute bit positions 1 to 64, not letters.)

Try different padding characters for the last, incomplete block. □

Problem 49(b)

Let f_K^inv(L, R) = (R ⊕ K, L). Due to K ⊕ K = 0 then

  f_K^inv(f_K(L, R)) = f_K^inv(R, L ⊕ K) = (L ⊕ K ⊕ K, R) = (L, R)

as well as

  f_K(f_K^inv(L, R)) = f_K(R ⊕ K, L) = (L, R ⊕ K ⊕ K) = (L, R).

f_K represents a substitution if 64-bit blocks (L, R), with L and R the left and right 32-bit halves, are considered a letter in the alphabet A = {0, 1}^64.

Now, DES consists of 16 such substitutions.

DES encrypts by iterated application of functions f_{Ki} to a message x, where the round keys Ki are generated from some main key K. Encryption by

  y = (P inv ∘ f_{K16} ∘ f_{K15} ∘ ... ∘ f_{K2} ∘ f_{K1} ∘ P)(x)
    = P inv(f_{K16}(f_{K15}(... (f_{K2}(f_{K1}(P(x)))) ...)))

implies decryption by

  x = (P inv ∘ f_{K1}^inv ∘ f_{K2}^inv ∘ ... ∘ f_{K15}^inv ∘ f_{K16}^inv ∘ P)(y)
    = P inv(f_{K1}^inv(f_{K2}^inv(... (f_{K15}^inv(f_{K16}^inv(P(y)))) ...))),

i.e. decryption is encryption with the round keys taken in reverse order and every round function replaced by its inverse.
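The structure of 49(a) and 49(b), as an added Python example (not code from the original page): the bit permutation from the P inv table, its inverse P computed by inverting the table, the page's simplified round f_K(L, R) = (R, L ⊕ K) with its inverse, and the 16-round composition with reversed keys for decryption. The 16 round keys are constructed here by rotating the 64-bit main key, an assumption of this example and not the DES key schedule; the round function is the page's toy, so the result is not DES and not secure.

```python
# Added example (not from the original page): the building blocks of
# Problem 49 with the page's simplified round f_K(L, R) = (R, L xor K) in place
# of the real DES round function. IP_INV is the table from 49(a); the round
# keys come from rotating the main key (assumption), not from the DES schedule.
IP_INV = [40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31,
          38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
          36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27,
          34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25]


def invert_table(table):
    """If output bit i comes from input bit table[i], the inverse sends bit
    table[i] back to position i (1-based, as in the DES tables)."""
    inv = [0] * len(table)
    for i, src in enumerate(table):
        inv[src - 1] = i + 1
    return inv


IP = invert_table(IP_INV)        # the initial permutation P of 49(a)


def permute(bits, table):
    """Output bit i (1-based) is input bit table[i]."""
    return [bits[src - 1] for src in table]


def to_bits(block: bytes):
    return [(byte >> (7 - i)) & 1 for byte in block for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def f_round(L, R, K):
    """The page's round: (L, R) -> (R, L xor K)."""
    return R, xor(L, K)


def f_round_inv(L, R, K):
    """Its inverse (R xor K, L), so that f_inv(f(L, R)) = (L, R)."""
    return xor(R, K), L


def round_keys(key: bytes):
    """Constructed schedule: 16 32-bit keys from rotations of the 64-bit key."""
    kb = to_bits(key)
    return [(kb[i:] + kb[:i])[:32] for i in range(16)]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """y = P_inv(f_K16(... f_K1(P(x)) ...)) on one 8-byte block."""
    bits = permute(to_bits(block), IP)
    L, R = bits[:32], bits[32:]
    for K in round_keys(key):
        L, R = f_round(L, R, K)
    return from_bits(permute(L + R, IP_INV))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """x = P_inv(f_K1_inv(... f_K16_inv(P(y)) ...)): reversed keys, inverse rounds."""
    bits = permute(to_bits(block), IP)
    L, R = bits[:32], bits[32:]
    for K in reversed(round_keys(key)):
        L, R = f_round_inv(L, R, K)
    return from_bits(permute(L + R, IP_INV))
```

permute applied with IP and then with IP_INV returns every bit to its place, which is the check that the table inversion is right; IP[0] comes out as 58, the first entry of the DES initial permutation.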

Problem 49(c) L can be computed as a sequence of matrix transformations over GF(2) and thus is linear. However, a linear encryption is relatively easily broken: from a few known plain text/cipher text pairs the key is obtained by solving a system of linear equations. The non-linear S-boxes are what prevents this in DES. □

Problem 49(d) The look-up table for each S-box has 2^6 lines of 4 bit, i.e. 2^8 = 256 bit, a total of 8 · 256 = 2^11 = 2 Kbit for all eight S-boxes. On the other hand, a look-up table for a 32-bit substitution would have 2^32 lines of 32 bit, i.e. 32 · 4 · 2^30 bit = 128 Gbit, a totally unacceptable alternative.

Use pre-computed inverse S-boxes. □

Problem 50(a) DES keys are 64 bit long, including 8 parity bits. Hence, the effective length is 56 bit and the key space size is 2^56 = 64 · (2^10)^5 ≈ 64 · (10^3)^5 = 6.4 · 10^16 (exactly 2^56 ≈ 7.2 · 10^16). A key space of this size has been exhaustively searched by dedicated hardware since 1998. □

Problem 50(b) Only if several DES encryptions cannot be emulated by a single one, i.e. only if

  DES_{K2} ∘ DES_{K1} ≠ DES_{K0}   for all keys K0,

holds, i.e. only if DES is not a group, then TDEA establishes higher security than DES (it has indeed been shown that DES is not a group). Note that double DES with two keys fails for another reason: a meet-in-the-middle attack with one known plain text/cipher text pair needs only about 2^57 DES operations instead of 2^112, which is why the construction is tripled. s.a. http://en.wikipedia.org/wiki/Triple_DES □

Problem 50(c) TDEA keys are 3 × 56 bit long. Hence, the nominal key length is 168 bit and the key space size is 2^168 = 256 · (2^10)^16 ≈ 256 · (10^3)^16 = 2.56 · 10^50. Because of the meet-in-the-middle attack mentioned in 50(b), the effective security of three-key TDEA is only about 112 bit, though. □

Problem 50(d) In 2001 the Advanced Encryption Standard, AES, was published (FIPS 197) and in 2002 it became effective as a standard. AES is the winner of a public competition. Correspondingly, the withdrawal of the DES standard was proposed in 2004 and finalized in 2005. TDEA was not withdrawn together with DES; it remained approved for a transition period and was deprecated only later. □

Problem 51(a) Public key methods are the more secure the more difficult it is to deduce f_A^{−1} from A's public data and f_A.

Functions f_A with the following properties are suitable for public key encryption/decryption methods:

• f_A is one-to-one. (The plain text is partitioned into fixed length blocks; f_A is applied to each block.)

• f_A and f_A^{−1} are easily evaluated, given the respective key. (Messages are quickly encrypted and decrypted.)

• It is practically impossible to deduce f_A^{−1} from f_A. (Encrypted messages can be decrypted only at astronomical cost; at best the decryption cost can be estimated in order to scale the encryption/decryption method according to the security needs.)

By the way, such functions are called trapdoor functions: one-way functions which become easy to invert only with the secret trapdoor information. □

Problem 52(a)

The text to be encrypted is partitioned into fixed length blocks so that the (ASCII) string can be thought of as a (big) x ∈ ℕ with x < n. Then f_e is applied to each of these x. Now, f_e is a trapdoor function because

• f_e is one-to-one on X = {0, 1, 2, ..., n − 1}, as f_d = f_e^{−1}. Namely, d is the modulo-ϕ(n) inverse of e, i.e. d e ≡ 1 (mod ϕ(n)) or d e = v (p − 1)(q − 1) + 1 for a v ∈ ℕ, so that x^{de} = x · x^{v(p−1)(q−1)}. Due to Fermat's Little Theorem, FLT, for prime p and q and x not divisible by p resp. q

    x^{p−1} ≡ 1 (mod p)   ⇒   x^{de} = x (x^{p−1})^{v(q−1)} ≡ x · 1^{v(q−1)} = x (mod p)
    x^{q−1} ≡ 1 (mod q)   ⇒   x^{de} = x (x^{q−1})^{v(p−1)} ≡ x · 1^{v(p−1)} = x (mod q)

  (if p divides x, then x^{de} ≡ 0 ≡ x (mod p) trivially, and likewise for q). From x^{de} ≡ x (mod p) and x^{de} ≡ x (mod q) follows per Chinese Remainder Theorem for p and q with gcd(p, q) = 1, i.e. a fortiori for distinct primes p and q,

    x^{ed} ≡ x (mod pq), i.e. x^{ed} mod n = x.

• f_e(x) and f_d(y) resp. are easily evaluated by computing several products (m1 · m2) mod n for mi ∈ X (square-and-multiply needs at most 2 log2 n of them).

• The bigger n, the more difficult it is to determine f_d, i.e. to infer d from e and n. For example, in 1994 ca. 600 computers networked via the Internet needed a total of 5000 MIPS years to factorize the 129-digit number RSA-129 [21] into its two 64- and 65-digit prime factors.

To check e.g. gcd(e, ϕ(n)) = 1 Euclid's algorithm is available. □

[21] D. Atkins, M. Graff, A.K. Lenstra, P.C. Leyland: The magic words are squeamish ossifrage; Asiacrypt '94, pp. 263-277, LNCS 917, Springer 1995

Problem 52(b)

The security of the RSA method rests on the difficulty to factorize big n ∈ ℕ with 100 and more decimal digits; today's recommendation is a modulus of at least 2048 bit, i.e. more than 600 decimal digits.

The RSA method is the more secure the bigger n, cp. e.g. www.comp.mq.edu.au/courses/comp333/Lecture/factoring_and_RSA_4.pdf

Problem 52(c)

Let e_A and e_B be Alice's and Bob's public RSA keys with secret RSA keys d_A and d_B resp.

Then Alice only has to append to her encrypted message y = f_{e_B}(x) the digital signature y′ = f_{d_A}(x).

Bob then decrypts the first half y of the received message to x = f_{d_B}(y) and verifies on the basis of the second half that x and f_{e_A}(y′) coincide. As only Alice knows d_A, it is only Alice who could have generated y′. Therefore Bob can be assured to have received a message from Alice.

By the way, Alice does not need to use the whole message x to generate the signature y′ = f_{d_A}(x). It is sufficient to use a hash code hash(x) which both sender and receiver know how to generate: then y′ = f_{d_A}(hash(x)) and Bob checks f_{e_A}(y′) = hash(x). Typical hash codes were for example MD4, MD5 or SHA-1; all three are broken with respect to collision resistance today and must not be used for signatures any more, SHA-2 or SHA-3 are used instead. Also, in practice the hash is not signed "raw" but after a padding step (e.g. PSS), since textbook RSA signatures are malleable: the product of two signatures is a valid signature of the product. □
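Textbook RSA of 52(a) together with the hash-based signature of 52(c), as an added Python example (not code from the original page). The two primes are small constructed values chosen for the example (a real key uses a 2048-bit modulus and OAEP/PSS padding, which this textbook version deliberately lacks); SHA-256 reduced modulo n stands in for the page's hash(x), an assumption of this example.

```python
# Added example (not from the original page): textbook RSA as in Problem 52,
# key generation with Euclid's gcd test for e, encryption/decryption, the CRT
# view of decryption, and an RSA signature over a SHA-256 hash (52(c)).
# The primes are small constructed values for illustration only; real keys
# use a 2048-bit n and a padding scheme (OAEP / PSS), which textbook RSA lacks.
import hashlib
from math import gcd

P, Q = 999983, 1000003          # constructed toy primes (assumption)


def keygen(p: int, q: int, e: int = 65537):
    """Public key (n, e), secret key (n, d) with d*e = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:          # Euclid's algorithm, as the page suggests
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(x: int, pub) -> int:
    """f_e(x) = x^e mod n on one block 0 <= x < n."""
    n, e = pub
    if not 0 <= x < n:
        raise ValueError("block must be < n")
    return pow(x, e, n)


def decrypt(y: int, priv) -> int:
    """f_d(y) = y^d mod n."""
    n, d = priv
    return pow(y, d, n)


def decrypt_crt(y: int, d: int, p: int, q: int) -> int:
    """Same result via x mod p and x mod q, glued by the Chinese Remainder Theorem;
    the exponents are reduced mod p-1 and q-1 by Fermat's Little Theorem."""
    xp = pow(y % p, d % (p - 1), p)
    xq = pow(y % q, d % (q - 1), q)
    h = (pow(q, -1, p) * (xp - xq)) % p
    return xq + q * h


def hash_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    """y' = f_d(hash(m)): only the owner of d can produce it."""
    n, d = priv
    return pow(hash_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Check f_e(y') = hash(m)."""
    n, e = pub
    return pow(signature, e, n) == hash_mod_n(message, n)


def roundtrip(x: int) -> bool:
    pub, priv = keygen(P, Q)
    y = encrypt(x, pub)
    return decrypt(y, priv) == x == decrypt_crt(y, priv[1], P, Q)


def signed_message_check(message: bytes, tampered: bytes) -> tuple:
    """(genuine message verifies, tampered message verifies)."""
    pub, priv = keygen(P, Q)
    sig = sign(message, priv)
    return verify(message, sig, pub), verify(tampered, sig, pub)
```

decrypt_crt is how real implementations decrypt, since the two half-size exponentiations are about four times faster than one full-size one; it also makes the CRT step of 52(a) concrete.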

Problem 53(a) AES is a block oriented, symmetric (identical key for encryption and decryption) encryption/decryption method consisting of rounds of byte substitutions, row permutations, column mixing and round key additions.

csrc.nist.gov/publications/fips/fips197/fips-197.pdf □

Problem 53(b) AES encrypts 128 bit = 16 byte = 4 word blocks of plain text. It allows 128, 192 and 256 bit keys with 10, 12 or 14 rounds respectively. □

Problem 53(c) An AES encryption round consists of

• substitution of each byte by another one per s-box (SubBytes),

• cyclic shift of the rows of the block when represented as a 4 × 4 byte matrix (ShiftRows),

• linear mixing of the four bytes within each column of the 4 × 4 byte matrix (MixColumns); the final round omits this step,

• XOR of block and part of the expanded key (AddRoundKey); one extra key addition precedes the first round.

Problem 54(a) SubBytes(): The substitution of a byte b by the AES s-box is specified to be the multiplicative inverse b^{−1} computed in GF(2^8) (with 0 mapped to 0), followed by the affine transformation b′ = A b + c over GF(2):

  | b′0 |   | 1 0 0 0 1 1 1 1 |   | b0 |   | 1 |
  | b′1 |   | 1 1 0 0 0 1 1 1 |   | b1 |   | 1 |
  | b′2 |   | 1 1 1 0 0 0 1 1 |   | b2 |   | 0 |
  | b′3 | = | 1 1 1 1 0 0 0 1 | · | b3 | + | 0 |
  | b′4 |   | 1 1 1 1 1 0 0 0 |   | b4 |   | 0 |
  | b′5 |   | 0 1 1 1 1 1 0 0 |   | b5 |   | 1 |
  | b′6 |   | 0 0 1 1 1 1 1 0 |   | b6 |   | 1 |
  | b′7 |   | 0 0 0 1 1 1 1 1 |   | b7 |   | 0 |

i.e. b′i = bi ⊕ b(i+4) mod 8 ⊕ b(i+5) mod 8 ⊕ b(i+6) mod 8 ⊕ b(i+7) mod 8 ⊕ ci with c = 0x63, bit 0 being the least significant one. SubBytes() applies this s-box to each byte s_{r,c} of the state independently. For example, if a byte of the state is s = 0x53, its inverse in GF(2^8) is 0xca and the affine transformation gives s′ = 0xed, which is the entry in row 5, column 3 of the s-box table below (row = high nibble, column = low nibble of the input byte):

  S    0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
  1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
  2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
  3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
  4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
  5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
  6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
  7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
  8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
  9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
  a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
  b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
  c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
  d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
  e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
  f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

The AES s-box is usually implemented as a look-up table, as is the inverse s-box used by InvSubBytes(), which is obtained by applying the inverse of the affine transformation followed by taking the multiplicative inverse in GF(2^8). As a table it is simply the s-box table read backwards, e.g. the inverse s-box maps 0xed back to 0x53:

  S^-1  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0    52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
  1    7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
  2    54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
  3    08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
  4    72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
  5    6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
  6    90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
  7    d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
  8    3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
  9    96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
  a    47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
  b    fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
  c    1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
  d    60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
  e    a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
  f    17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

Problem 54(b) ShiftRows(): The bytes in the last three rows of the state are cyclically shifted to the left over different numbers of bytes; the first row, r = 0, is not shifted:

  s′_{r,c} = s_{r,(c + shift(r, Nb)) mod Nb}   for 0 < r < 4 and 0 ≤ c < Nb = 4,

where shift(1, 4) = 1, shift(2, 4) = 2 and shift(3, 4) = 3. This has the effect of moving bytes to "lower" positions in the row (lower values of c), while the "lowest" bytes wrap around into the "top" of the row. The block S is thus mapped to the block S′:

  S                            S′
  s0,0 s0,1 s0,2 s0,3          s0,0 s0,1 s0,2 s0,3
  s1,0 s1,1 s1,2 s1,3          s1,1 s1,2 s1,3 s1,0
  s2,0 s2,1 s2,2 s2,3          s2,2 s2,3 s2,0 s2,1
  s3,0 s3,1 s3,2 s3,3          s3,3 s3,0 s3,1 s3,2

The inverse transformation InvShiftRows() just shifts the rows cyclically in the opposite direction, i.e. row r to the right by r positions. □

Problem 54(c) MixColumns(): The columns of a block are considered as polynomials with coefficients in GF(2^8) and multiplied by

  a(x) = 0x03 x^3 + 0x01 x^2 + 0x01 x + 0x02

modulo x^4 + 1. The c-th column then becomes

  | s′0,c |   | 0x02 0x03 0x01 0x01 |   | s0,c |       | s0,c |
  | s′1,c | = | 0x01 0x02 0x03 0x01 | · | s1,c | = A · | s1,c |   for 0 ≤ c < Nb,
  | s′2,c |   | 0x01 0x01 0x02 0x03 |   | s2,c |       | s2,c |
  | s′3,c |   | 0x03 0x01 0x01 0x02 |   | s3,c |       | s3,c |

i.e., with • denoting multiplication in GF(2^8),

  s′0,c = (0x02 • s0,c) ⊕ (0x03 • s1,c) ⊕ s2,c ⊕ s3,c
  s′1,c = s0,c ⊕ (0x02 • s1,c) ⊕ (0x03 • s2,c) ⊕ s3,c
  s′2,c = s0,c ⊕ s1,c ⊕ (0x02 • s2,c) ⊕ (0x03 • s3,c)
  s′3,c = (0x03 • s0,c) ⊕ s1,c ⊕ s2,c ⊕ (0x02 • s3,c).

The block S is thus mapped to the block S′, column by column. The inverse transformation InvMixColumns() is specified by multiplication modulo x^4 + 1 by the polynomial

  a^{−1}(x) = 0x0b x^3 + 0x0d x^2 + 0x09 x + 0x0e

or, written as matrix transformation,

  | s′0,c |   | 0x0e 0x0b 0x0d 0x09 |   | s0,c |          | s0,c |
  | s′1,c | = | 0x09 0x0e 0x0b 0x0d | · | s1,c | = A^{−1} · | s1,c |.
  | s′2,c |   | 0x0d 0x09 0x0e 0x0b |   | s2,c |          | s2,c |
  | s′3,c |   | 0x0b 0x0d 0x09 0x0e |   | s3,c |          | s3,c |

Problem 54(d) AddRoundKey(): A round key is added to the state by a simple bitwise XOR. Each round key consists of Nb = 4 words from the key schedule; word c is XORed into column c of the state:

  [s′0,c, s′1,c, s′2,c, s′3,c] = [s0,c, s1,c, s2,c, s3,c] ⊕ [w_{round · Nb + c}]   for 0 ≤ c < Nb,

where [w_i] are the key schedule words and 0 ≤ round ≤ Nr. The initial round key addition occurs when round = 0, prior to the first application of the round function; the Nr rounds of the cipher use 1 ≤ round ≤ Nr.

Key expansion: The AES algorithm takes the cipher key K (Nk = 4, 6 or 8 words) and generates a key schedule of Nb (Nr + 1) words w_0, ..., w_{Nb(Nr+1)−1}: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The first Nk words are filled with the cipher key. Every following word w_i is the XOR of the previous word w_{i−1} and the word Nk positions earlier, w_{i−Nk}. For words in positions that are a multiple of Nk, a transformation is applied to w_{i−1} prior to the XOR, followed by an XOR with a round constant Rcon[i/Nk]: the transformation consists of a cyclic shift of the bytes in the word, RotWord([a0, a1, a2, a3]) = [a1, a2, a3, a0], followed by the application of the s-box to all four bytes of the word, SubWord(). The round constants are Rcon[i] = [x^{i−1}, 0x00, 0x00, 0x00] with the powers of x = 0x02 computed in GF(2^8) (i starts at 1, not 0). For 256-bit cipher keys (Nk = 8) the expansion is slightly different: if i − 4 is a multiple of Nk, SubWord() is applied to w_{i−1} prior to the XOR.

As for all XOR operations, AddRoundKey() is its own inverse. □
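AES-128 encryption assembled from the four transformations of 53(c) and 54(a)-(d), as an added Python example (not code from the original page or from FIPS-197). The s-box is computed from the GF(2^8) inverse and the affine map of 54(a) rather than copied, the inverse s-box is the table read backwards, ShiftRows, MixColumns and AddRoundKey follow 54(b)-(d), and the key schedule follows 54(d) for Nk = 4. The state layout (16 bytes in column-major order) is this example's choice; the check value is the AES-128 test vector from FIPS-197 Appendix C.1.

```python
# Added example (not from the original page): AES-128 encryption from the
# round transformations of Problems 53(c) and 54(a)-(d). The s-box is computed
# from the GF(2^8) inverse and the affine map of 54(a); the key schedule follows
# 54(d). The state is a list of 16 bytes in column-major order, s[r + 4c].
POLY = 0x11B                      # x^8 + x^4 + x^3 + x + 1


def xtime(b: int) -> int:         # multiply by x = 0x02 in GF(2^8)
    b <<= 1
    return (b ^ POLY) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(b: int) -> int:        # b^254 = b^-1 in GF(2^8); gf_inv(0) = 0 as needed
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, b)
        b, e = gf_mul(b, b), e >> 1
    return r


def affine(b: int) -> int:        # b'_i = b_i + b_{i+4} + ... + b_{i+7} + c_i, c = 0x63
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63


SBOX = [affine(gf_inv(b)) for b in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]   # the s-box table read backwards
RCON = [1]
for _ in range(9):
    RCON.append(xtime(RCON[-1]))  # powers of x: 01 02 04 08 10 20 40 80 1b 36


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):                # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):               # each column is multiplied by a(x) mod x^4 + 1
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out


def add_round_key(s, w, rnd):     # column c is XORed with word w[4*rnd + c]
    return [s[r + 4 * c] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]


def key_expansion(key: bytes):    # Nk = 4 words in, Nb(Nr + 1) = 44 words out
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord())
            temp[0] ^= RCON[i // 4 - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w


def aes128_encrypt_block(block: bytes, key: bytes) -> bytes:
    w = key_expansion(key)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, 10))  # no MixColumns
```

This is a single-block primitive: encrypting a message needs a mode of operation (CBC, CTR, GCM) on top, and a real implementation must take care that the table look-ups do not leak the key through timing.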

Problem 55(a)

  E = E(ℝ) = E_{a,b}(ℝ) = {(x, ±√(x^3 + ax + b)) : x^3 + ax + b ≥ 0}

Obviously, elliptic curves are plane curves which are symmetric to the x-axis. Depending on the parameters a and b, the radicand is positive in one interval or in two intervals. Correspondingly, E = E(ℝ) = E_{a,b}(ℝ) has one or two branches. Cp. e.g. the three plots in the x-y-plane for a = −4, b = 1 (two branches), a = −3, b = 5 (one branch) and a = 5, b = −7 (one branch). In all cases

  lim_{x→+∞} ±√(x^3 + ax + b) = lim_{x→+∞} ±x^{3/2} = ±∞ □

Problem 55(b)

Because all coefficients of x^3 + ax + b are real, all zeroes x_i can conveniently be represented by trigonometric/hyperbolic means. Let p = a/3, q = b/2, D = p^3 + q^2 and P = (sgn q) √|p|.

              p < 0, D ≤ 0                p < 0, D > 0                   p > 0
  β           (1/3) arccos(q/P^3)         (1/3) arcosh(q/P^3)            (1/3) arsinh(q/P^3)
  x1          −2P cos β                   −2P cosh β                     −2P sinh β
  x2,3        2P cos(β ± π/3)             P (cosh β ± i√3 sinh β)        P (sinh β ± i√3 cosh β)

□

Problem 55(c)

For the given radicand x^3 + ax + b let again p = a/3, q = b/2 and discriminant D = p^3 + q^2. The discriminant D then determines the type of zeroes:

  D > 0              one real zero, two conjugate complex zeroes
  D < 0              three distinct real zeroes
  D = 0, q ≠ 0       one simple real and one double real zero
  D = 0, q = 0       one triple real zero (x = 0)

Hence, there are no multiple zeroes if and only if

  D = p^3 + q^2 = a^3/27 + b^2/4 ≠ 0

or equivalently if

  108 D = 108 (p^3 + q^2) = 4a^3 + 27b^2 ≠ 0.

This is exactly the condition for E_{a,b} to be non-singular, i.e. to be an elliptic curve at all.

Problem 55(d) Let the line be given by y = mx + c with m ≠ 0. The abscissa x of an intersection point of the line with E solves (mx + c)^2 = x^3 + ax + b or equivalently

  x^3 − m^2 x^2 + (a − 2cm) x + b − c^2 = 0.

Substituting y = x − m^2/3, i.e. x = y + m^2/3, the quadratic term is eliminated. According to the assumption the new equation

  y^3 + 3p y + 2q = 0   with   3p = (a − 2cm) − m^4/3,
                              2q = −(2/27) m^6 + (1/3)(a − 2cm) m^2 + b − c^2

has at least two simple real solutions. According to the classification of the solutions in dependence of the discriminant D = p^3 + q^2 (Problem 55(c)), besides the two simple real solutions there must be another simple real solution: the case D > 0 has only one real solution and the case D = 0 has at most one simple one, so only D < 0 with three distinct real solutions remains. □

Problem 55(e) Let s = (yQ − yP)/(xQ − xP) be the slope and hence y = y(x) = yP + s(x − xP) the line through P and Q. Then

  y^2(x) = (yP + s(x − xP))^2 = x^3 + ax + b

or just

  x^3 − s^2 x^2 + (a + ...) x + (b + ...) = 0

has the three solutions xP, xQ and xR, where xR is the abscissa of the third intersection point of the line through P and Q with E. Comparison of the coefficients of x^2 (Vieta) gives

  −s^2 = −xP − xQ − xR   or just   xR = s^2 − xP − xQ.

Mirroring the third intersection point at the x-axis gives R = P + Q, so that

  yR = −(yP + s(xR − xP)) = s(xP − xR) − yP.

Problem 56(a) Imagine P + P to be the limit of P + Q with E ∋ Q → P. Then in the limit, the line through P and Q becomes the tangent in P with slope

  s = d/dx √(x^3 + ax + b) |_{x = xP} = (3xP^2 + a) / (2 √(xP^3 + a xP + b)) = (3xP^2 + a) / (2yP)

(for yP ≠ 0; if yP = 0 the tangent is vertical, cp. 56(b)). Hence, y = y(x) = yP + s(x − xP) is the tangent in P. xP is a double zero of the equation

  y^2(x) = (yP + s(x − xP))^2 = x^3 + ax + b.

The other simple zero is xR. Hence, as before, R = (xR, yR) = P + P is given by

  xR = s^2 − 2xP   and   yR = −(yP + s(xR − xP)) = s(xP − xR) − yP.

Problem 56(b) Due to the symmetry of E, Q = −P holds. The line through P and Q is vertical and has only these two intersection points with E. Assume again a limit process E ∋ Q′ → Q. Then R := P + Q′ moves on the unbounded branch of E towards infinity. Just define this to be an extra point on E, called the point at infinity or just 0.

Using homogeneous coordinates, the plane together with the elliptic curve is transformed into projective space, which shows that there is only one point at infinity [31]. □

Problem 56(c) Introduction of 0 as above together with the definition −P = −(xP, yP) := (xP, −yP) implies that 0 is a neutral or zero element w.r.t. this addition and that −P is the inverse of P w.r.t. this addition, i.e.

• P + 0 = 0 + P = P for all P ∈ E; in addition, 0 + 0 = 0,

• P + (−P) = (−P) + P = P − P = 0 for all P ∈ E; in addition, 0 is inverse to 0, i.e. −0 = 0.

The equation P + Q = R is solved by Q = (−P) + R for any P, R ∈ E. □

Problem 56(d)

Because this so defined addition obviously is commutative (the line through P and Q does not depend on their order) and, less obviously, associative (cp. [31]), it makes E = E_{a,b}(ℝ) an (additive) commutative group or a so called Abelian [22] group. □

[22] Niels Henrik Abel (1802-1829) www-history.mcs.st-andrews.ac.uk/Biographies/Abel.html

Problem 57(a) Performing all operations in GF(p) (cp. arithmetic in GF(p), p. 41), i.e. replacing the real division in the slope s by multiplication with the modulo-p inverse, makes

  E = E_{a,b}(GF(p)) = {(x, y) : y^2 = x^3 + ax + b} ∪ {0}   over GF(p), with 4a^3 + 27b^2 ≢ 0 (mod p),

a commutative (additive) group (cp. [31] for associativity of this addition). The neutral element, i.e. the zero element w.r.t. this addition, is the point at infinity 0; the form represents it by the pair (<empty string>, infty).

For the number of elements card(E(GF(p))), by Hasse [23]

  |card(E(GF(p))) − (p + 1)| ≤ 2 √p

holds, i.e. the group has roughly p elements. The form lets one choose a, b and p, checks whether given points P and Q lie on E (completing their missing coordinates if necessary), and computes R := P + Q and Q := −P.

[23] Helmut Hasse (1898-1979) www-history.mcs.st-andrews.ac.uk/Biographies/Hasse.html

Problem 58(a) In GF(2^m) any element r is inverse to itself w.r.t. addition, i.e. −r = r ∈ GF(2^m). Hence P = (x, y) with y^2 = x^3 + ax + b and −P = (x, −y) would be identical in E = E_{a,b}(GF(2^m)), and

  2P = P + P = P − P = 0   for any P ∈ E,

so that every element of E has order 1 or 2 and E is isomorphic to GF(2) × GF(2) × ... × GF(2). Therefore, the subgroups generated by any element of E have only two elements, preventing any usage in cryptographic applications (cp. the discrete logarithm problem). This is why over GF(2^m) a different curve equation is used, y^2 + xy = x^3 + ax^2 + b with −(x, y) = (x, x + y), cp. [32]. □

Problem 58(b) Performing all operations in GF(2^m) (cp. arithmetic in GF(p^n), p. 43) makes E = E_{a,b}(GF(2^m)) a commutative (additive) group. □

Problem 59(a) ECC, elliptic curve cryptography, is the family of asymmetric public key methods using the group structure on elliptic curves E = E_{a,b}(F) over F = GF(p) or F = GF(2^m). There is an EC encryption/decryption scheme (ECIES), an EC Diffie-Hellman key exchange (ECDH), and an EC digital signature algorithm (ECDSA). Due to its superior performance at equal security level (a 256-bit curve roughly matches 3072-bit RSA), ECC is mainly used to replace RSA in hybrid encryption/decryption schemes, i.e. for key exchange and signatures, while the bulk data is encrypted symmetrically.

[30][32] www.secg.org/collateral/sec1_final.pdf

[31] www.iaik.tugraz.at/.../oswald/papers/Introduction_to_ECC.pdf

s.a. e.g. www.faqs.org/rfcs/rfc3278.html, http://ducati.doc.ntu.ac.uk/uksim/journal/Vol-5/No-1&2/ROBERTS.pdf □


Problem 59(b) Communication partners agree on some elliptic curve E = E(F) over some finite field F together with some suitable generator point G ∈ E. Let n = card(<G>). Each partner chooses some random number 0 < r < n as secret key and publishes rG as public key.

            chooses   publishes
    Alice   a         Q_A = aG
    Bob     b         Q_B = bG
    ...     ...       ...

In order to encrypt and send a message m to Bob, Alice converts the message to a point M ∈ E, chooses some random number 0 < k < n (fresh for every message) and sends the encrypted message, i.e. the pair (kG, M + k Q_B) = (kG, M + k(bG)) ∈ E × E, to Bob.

            chooses   encrypts                   decrypts
    Alice   k         (kG, M + k Q_B)
    Bob               receives (kG, M + k(bG))   M = (M + k bG) − b(kG)

To decrypt (kG, M + k(bG)), Bob computes (M + k(bG)) − b(kG) = M using only his secret b. An eavesdropper sees kG and Q_B = bG and would have to compute kbG from them, which is the elliptic curve Diffie-Hellman problem. This scheme is the elliptic curve version of ElGamal encryption; the standardized ECIES uses the same k and kQ_B, but derives a symmetric key from kQ_B and encrypts and authenticates m with a symmetric cipher and a MAC instead of adding a point. ∎


Problem 59(c) Before exchanging a common secret key, Alice and Bob agree on a public elliptic curve E = E(F) over some finite field F together with some generator point G ∈ E. Let n = card(<G>). Now each partner chooses some random number r ∈ N with 0 < r < n as secret key, publishes the corresponding public key Q = rG ∈ E and computes a secret key R ∈ E.

            chooses   publishes    computes
    Alice   a         Q_A = aG     R_A = a Q_B
    Bob     b         Q_B = bG     R_B = b Q_A

Because of

    R_A = a Q_B = abG = baG = b Q_A = R_B

Alice and Bob share the same secret R_A = R = R_B, the common secret key R (in practice its x-coordinate is fed into a key derivation function). Before multiplying with the own secret, each side should check that the received public key is a point on E of order n; otherwise a malicious partner can send a point on a different, weak curve and learn the secret from the result. ∎


Problem 59(d) Let n = card(<G>). Alice wants to sign message m to Bob. Her secret key is a ∈ N and her public key is Q = aG ∈ E.

            chooses   hashes        computes                  signs
    Alice   k         e = hash(m)   r = x_{kG} mod n          (r, s)
                                    h = k^{-1} mod n
                                    s = h(e + ar) mod n

Alice repeats choosing some 0 < k < n until r ≠ 0 and s ≠ 0. Bob receives Alice's message m together with her signature (r, s).

            hashes        computes                     verifies
    Bob     e = hash(m)   w = s^{-1} mod n             x_P mod n == r
                          u = ew mod n, v = rw mod n
                          P = uG + vQ

This works because s = k^{-1}(e + ar) mod n ⟺ k = s^{-1}(e + ar) mod n. Thus, modulo n,

    $k \equiv s^{-1}(e + ar) \equiv s^{-1}e + s^{-1}ar \equiv we + w\,ar \equiv u + a\,rw \equiv u + va,$

so that P = uG + vQ = uG + vaG = (u + va)G = kG and hence x_P mod n = x_{kG} mod n = r follows. The nonce k must be secret, uniformly random and never reused: two signatures made with the same k share the same r, and from their two values of s first k and then the secret key a can be computed. ∎
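As an added, runnable illustration of Problems 57(a) and 59(b)-(d) (this is example code written for this page, not the original's interactive calculator and not a library): elliptic curve arithmetic over GF(p) with the point at infinity as neutral element, a brute-force point count checked against Hasse's bound, EC ElGamal encryption, ECDH and ECDSA, plus the key recovery that follows from a reused ECDSA nonce. The curve y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1) is an assumed textbook toy whose 19 points form a group of prime order; all function names are my own.

```python
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) generates all 19 points.
# Assumed textbook parameters, not a standard curve, never to be used for real traffic.
P, A, B, G, N = 17, 2, 2, (5, 1), 19
O = None                                   # point at infinity, the neutral element

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)

def add(p1, p2):
    """Chord-and-tangent addition; pow(v, -1, P) is the inverse in GF(P)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:    # p2 == -p1 (covers doubling a point with y == 0)
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """k*pt by double-and-add (variable time: fine for a puzzle, not for a real key)."""
    acc, addend = O, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend, k = add(addend, addend), k >> 1
    return acc

def curve_points():
    """Brute-force enumeration of E(GF(P)); feasible only for a toy P."""
    return [O] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]

def hasse_holds(count):
    return abs(count - (P + 1)) <= 2 * P ** 0.5

def keygen():
    d = secrets.randbelow(N - 1) + 1       # secret scalar 0 < d < N
    return d, mul(d, G)

def elgamal_encrypt(M, Q_b):               # Problem 59(b): (kG, M + kQ_B)
    k = secrets.randbelow(N - 1) + 1       # fresh k for every message
    return mul(k, G), add(M, mul(k, Q_b))

def elgamal_decrypt(ct, b):                # (M + k bG) - b(kG) = M
    c1, c2 = ct
    return add(c2, neg(mul(b, c1)))

def ecdh_shared(my_secret, their_public):  # Problem 59(c): a(bG) = b(aG)
    if their_public is O or not on_curve(their_public):
        raise ValueError("public key is not a point on the curve")
    return mul(my_secret, their_public)

def hash_to_int(msg):                      # toy: reduce the whole digest mod N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign_digest(e, a, k=None):       # Problem 59(d); k is the nonce
    while True:
        k = secrets.randbelow(N - 1) + 1 if k is None else k
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + a * r) % N
        if r and s:
            return r, s
        k = None                           # r == 0 or s == 0: draw a new nonce

def ecdsa_verify_digest(e, sig, Q):
    r, s = sig
    if not (0 < r < N and 0 < s < N and Q is not O and on_curve(Q)):
        return False
    w = pow(s, -1, N)
    pt = add(mul(e * w % N, G), mul(r * w % N, Q))
    return pt is not O and pt[0] % N == r

def ecdsa_sign(msg, a):
    return ecdsa_sign_digest(hash_to_int(msg), a)

def ecdsa_verify(msg, sig, Q):
    return ecdsa_verify_digest(hash_to_int(msg), sig, Q)

def key_from_nonce_reuse(e1, sig1, e2, sig2):
    """Two signatures with the same k share r; the two s values give k, then a (needs e1 != e2 mod N)."""
    (r, s1), (_, s2) = sig1, sig2
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r, -1, N) % N
```

With a = 4 and the fixed nonce k = 5, the digests 3 and 7 sign to (9, 4) and (9, 1); feeding both into key_from_nonce_reuse returns the secret 4, which is the whole argument for fresh, unpredictable nonces. The on_curve check in ecdh_shared is the point-validation step mentioned in 59(c).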


Problem 60(a) First, this coding takes symbol frequencies into account: the more frequent a symbol, the shorter its code. Second, because of code(s_i) ⊂ code(s_j) for i < j, this coding is not prefix-free. Third, the symbol 0 acts as a separator between codes. Presumably there are better codings. ∎


Problem 60(b) A coding can be represented by a labelled graph with a root: every edge is labelled 0 or 1, and the set {code(s_i) : i = 1, ..., n} of code words is the set of labels (edge labels read from the root) of its end vertices, i.e. vertices with exactly one incident edge.

                  (root)
                0/      \1
       code(s1)=0        (·)
                       0/   \1
             code(s2)=10     code(s3)=11

A coding is prefix-free if and only if no code word is the label of an internal vertex of this graph, i.e. if and only if the code words are exactly the leaves of a binary tree. ∎


Problem 60(c) The code words of a prefix-free coding are the leaves of its representing tree. Label each leaf by the frequency of its symbol. Each internal vertex is the root of exactly one subtree; label it by the sum of the labels of the leaves of its subtree.

                  (root)  1 = f1 + f2 + f3
                0/      \1
       code(s1)=0        (·)  f2 + f3
       with f1         0/   \1
             code(s2)=10     code(s3)=11
             with f2         with f3

Now, if only the symbol frequencies are given, the tree has to be built starting from the leaves. In the example above, for c1 = code(s1) to be the shortest code word, s1 has to be a most frequent symbol, i.e. f1 ≥ f2 and f1 ≥ f3: the expected code length f1 + 2(f2 + f3) is then minimal among the trees with three leaves. This generalizes: repeatedly merge the two subtrees with the smallest labels into a new subtree labelled with their sum until a single tree remains. This is Huffman's algorithm, and it yields a prefix-free code of minimal expected length:

David A. Huffman: A method for the construction of minimum-redundancy codes; Proceedings of the Institute of Radio Engineers (I.R.E.), Sept. 1952, pp. 1098-1102, http://compression.ru/download/articles/huff/huffman 1952 minimum-redundancy-codes.pdf
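Huffman's construction from Problem 60(c), together with the prefix-freedom test of 60(b), as an added example (written for this page, not code from the original): the two lightest subtrees are merged repeatedly, the code words are read off the leaves, and a decoder shows why a prefix-free code needs no separator symbol. Function names and the sample text are my own.

```python
import heapq
from collections import Counter
from itertools import count
from math import log2

def huffman_codes(freqs):
    """Symbol -> code word.  Repeatedly merge the two (sub)trees of smallest weight;
    leaves are the symbols (strings), internal vertices are (left, right) pairs."""
    tick = count()                                  # tie-breaker, keeps heap entries comparable
    heap = [(f, next(tick), sym) for sym, f in freqs.items()]
    heapq.heapify(heap)
    if len(heap) == 1:                              # degenerate alphabet: one symbol, one bit
        return {heap[0][2]: "0"}
    while len(heap) > 1:
        f1, _, left = heapq.heappop(heap)
        f2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (f1 + f2, next(tick), (left, right)))
    codes = {}

    def walk(node, prefix):                         # edge labels: 0 = left, 1 = right
        if isinstance(node, tuple):
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix
    walk(heap[0][2], "")
    return codes

def is_prefix_free(codes):
    """In sorted order the extensions of a code word follow it directly, so adjacent pairs suffice."""
    cs = sorted(codes.values())
    return all(not cs[i + 1].startswith(cs[i]) for i in range(len(cs) - 1))

def kraft_sum(codes):                               # equals 1 for a complete prefix-free code
    return sum(2.0 ** -len(c) for c in codes.values())

def entropy(freqs):
    total = sum(freqs.values())
    return -sum(f / total * log2(f / total) for f in freqs.values() if f)

def average_length(codes, freqs):
    total = sum(freqs.values())
    return sum(freqs[s] * len(codes[s]) for s in freqs) / total

def encode(text, codes):
    return "".join(codes[ch] for ch in text)

def decode(bits, codes):
    """Prefix-freedom means the first code word matched is the only possible one."""
    rev, out, cur = {c: s for s, c in codes.items()}, [], ""
    for bit in bits:
        cur += bit
        if cur in rev:
            out.append(rev[cur])
            cur = ""
    if cur:
        raise ValueError("bit string ends inside a code word")
    return "".join(out)

def compress(text):
    codes = huffman_codes(Counter(text))
    return codes, encode(text, codes)
```

For the three-symbol example above with f1 = 0.5, f2 = f3 = 0.25 the function returns exactly code(s1) = 0, code(s2) = 10, code(s3) = 11, and the average code length meets the entropy bound; for "abracadabra" the 11 symbols need 23 bits.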


Problem 61(a) To simplify matters, the alphabet consists of, say, the 64 characters from blank (ASCII 32) up to underscore (ASCII 95), so the initial dictionary holds these 64 single characters. A text is compressed by stepping through LZW (current pattern pat, next character chr, dictionary size |dict| and the entry dict[ ] just added), and the resulting codes are decompressed by stepping through the inverse procedure (old and new code). Anything special about this implementation? ∎


Problem 61(b) The modified decompression of the algorithm:

    Read oldCODE
    CHARACTER = dict[oldCODE]; output CHARACTER
    WHILE there are still input codes DO
        Read newCODE
        IF newCODE is not in dictionary THEN    (only possible for the code about to be added)
            PATTERN = dict[oldCODE]
            PATTERN = PATTERN + CHARACTER
        ELSE
            PATTERN = dict[newCODE]
        END of IF
        output PATTERN
        CHARACTER = first character in PATTERN
        add dict[oldCODE] + CHARACTER to dictionary
        oldCODE = newCODE
    END of WHILE
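LZW compression and the decompression of Problem 61(b) as an added example (written for this page, not the original's implementation), with a byte alphabet of 256 single characters instead of the 64 of 61(a). The decoder counts how often the special case fires, rejects codes that a well-formed stream can never contain, and the input "ABABABA" is a constructed sample that triggers the special case.

```python
def lzw_compress(data: bytes):
    """Greedy longest match; the dictionary starts with the 256 single bytes."""
    dictionary = {bytes([i]): i for i in range(256)}
    pattern, codes = b"", []
    for byte in data:
        candidate = pattern + bytes([byte])
        if candidate in dictionary:
            pattern = candidate
        else:
            codes.append(dictionary[pattern])
            dictionary[candidate] = len(dictionary)      # next free code
            pattern = bytes([byte])
    if pattern:
        codes.append(dictionary[pattern])
    return codes

def lzw_decompress(codes):
    """Mirror of the encoder; returns (data, number of special-case hits).

    The only code the decoder may meet before it has defined it is the one it is
    about to add (the encoder emitted it right after creating it).  That pattern is
    dict[oldCODE] followed by its own first character, exactly as in 61(b)."""
    if not codes:
        return b"", 0
    dictionary = {i: bytes([i]) for i in range(256)}
    old = codes[0]
    if old not in dictionary:
        raise ValueError("corrupt stream: first code is not a single byte")
    out, special = [dictionary[old]], 0
    for new in codes[1:]:
        if new in dictionary:
            pattern = dictionary[new]
        elif new == len(dictionary):
            pattern = dictionary[old] + dictionary[old][:1]
            special += 1
        else:
            raise ValueError(f"corrupt stream: code {new} not yet defined")
        out.append(pattern)
        dictionary[len(dictionary)] = dictionary[old] + pattern[:1]
        old = new
    return b"".join(out), special
```

"ABABABA" compresses to the codes 65, 66, 256, 258; when the decoder reads 258 its dictionary only reaches 257, so the special case reconstructs "ABA" from dict[256] = "AB". The range check matters in practice: a decoder that indexes the dictionary blindly turns a crafted stream into an exception or an out-of-bounds read.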


Problem 62(a) There are three possible cases, namely RR, RR and RB. There are two favorable cases, namely RB.

Therefore, P = P(RB) = 1/3. ∎


Problem 62(b) Let a/A and z/Z indicate a door with a car resp. a goat behind it; small letters mark the initially chosen door, so that a string like aZZ lists doors no. 1, 2, 3 in this order. Without loss of generality assume that the candidate chooses door no. 1; the quizmaster then opens one of the other two doors, always one with a goat. Then

    chance to win without revision:  P(aZZ) = 1/3,
    chance to win with revision:     P(zAZ or zZA) = 2/3,

because switching wins exactly when the first choice was a goat, which happens with probability 2/3. See www.comedia.com/hot/monty.html or a (Monte-Carlo) experiment: play many games with doors left, middle, right (A = car, Z = goat, x = choice, o = revelation), count the hits without and with revision among all games, and compare the two relative frequencies with 1/3 and 2/3. ∎
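The Monte-Carlo experiment of Problem 62(b) as an added example (written for this page; the original offered an interactive version not reproduced here). The quizmaster's rule, never to open the chosen door and never the car door, is the whole point, so it is coded explicitly; the seed is fixed so that a run is repeatable.

```python
import random

def play(rng):
    """One game: returns (win if staying, win if switching)."""
    car, choice = rng.randrange(3), rng.randrange(3)
    # The quizmaster opens a goat door that is not the candidate's door; when the
    # candidate already sits on the car, either goat door may be opened.
    revealed = rng.choice([d for d in range(3) if d not in (choice, car)])
    switched = next(d for d in range(3) if d not in (choice, revealed))
    return choice == car, switched == car

def simulate(games, seed=1):
    """Relative frequency of wins without and with revision over `games` games."""
    rng = random.Random(seed)
    stay = switch = 0
    for _ in range(games):
        s, w = play(rng)
        stay += s
        switch += w
    return stay / games, switch / games
```

Exactly one of the two strategies wins each game (the car is behind either the chosen door or the remaining one), so the two frequencies always add up to 1; with a few ten thousand games they settle near 1/3 and 2/3.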


Problem 63(a) Discriminating features are

• data type and co-domain, e.g.

  – 0-1-sequences, e.g. coin tosses,
  – natural or integer random numbers, e.g. decimal digits of π,
  – rational random numbers, e.g. measured distances of darts from the centre of the board,
  – real random numbers, e.g. the free path length of particles in Brownian motion, etc.

• distribution of the random numbers in their co-domain, e.g.

  – uniformly distributed 0-1-random numbers, e.g. tossing a fair coin,
  – Poisson-distributed natural random numbers, e.g. the number of radioactive decays per time unit,
  – exponentially distributed random numbers, e.g. the life time of non-aging parts,
  – normally distributed random numbers with mean µ and standard deviation σ, e.g. physical measurements, etc.


The continuous random Variable X ∈ [0, 1], evenly distributed in theunit interval, is a suitable standard-random variable: from X onegenerates by

if (X <= 0.5) return 0; else return 1;evenly distributed discrete random numbers Y ∈ {0, 1},

if (X < p1) return y1;if (X < p1 + p2) return y2;...if (X < p1 + . . .+ pn) return yn;

discrete random numbers Y ∈ {y1, y2, . . . , yn} with P (Y = yi) =pi fur i = 1, 2, . . . , n,

(b-a)*X+ain the interval [a, b] ⊂ R evenly distributed, continuous randomnumbers Y ,

round((b-a)*X+a)in the interval [a, b]∩Z evenly distributed, discrete random num-bers Y , etc.


For continuous random numbers X uniformly distributed in the unit interval, Y = F^{-1}(X) generates continuous random numbers with a given (strictly increasing) distribution function F and its inverse function F^{-1}, because

    $P(Y < y) = P\big(F^{-1}(X) < y\big) = P\big(X < F(y)\big) = F(y).$ ∎


Problem 63(b) There are a number of algorithms to generate pseudo random numbers. All procedures are recursive. Well known is e.g. J. v. Neumann's method of the middle digits of squares

    $x_{n+1} = \lfloor x_n^2 / 2^b \rfloor \bmod 2^{2b}$

for a suitable 2b-bit x_0, i.e. x_{n+1} consists of the middle 2b bits (bits b, ..., 3b−1, counted from the least significant end) of the 4b-bit square x_n^2 – or, better and more commonly used, the multiplicative congruential generator

    $x_{n+1} = a\,x_n \bmod m$

for some x_0, say x_0 = 1, for a suitable factor a of magnitude 2^b and for a modulus m = 2^b if b is the integer width of the computer and efficiency is at a premium. This generator is a special case of the so-called linear congruential generators (LCG)

    $x_{n+1} = (a\,x_n + c) \bmod m$

for some x_0 ∈ N, say x_0 = 1, and suitable parameters a, c, m ∈ N. ∎


Problem 63(c) x_{n+1} ∈ {0, 1, ..., m − 1}. Hence the maximal period length is m. It is attained for every seed x_0 exactly when (Hull-Dobell) c and m are coprime, a − 1 is divisible by every prime factor of m, and a − 1 is divisible by 4 if m is. For a = 1 and c = 0 the period is 1; for c = 0 and m = 2^b, as in the multiplicative generator of 63(b), it is at most m/4. Even a full-period LCG is no cryptographic generator: with m known, three consecutive outputs determine a and c, and with them every further output. ∎
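The generator of Problem 63(b) and the period question of 63(c), as an added example written for this page (not code from the original): an LCG, the cycle length it actually falls into, the Hull-Dobell test for the full period m, and the recovery of a and c from three consecutive outputs, which is why such a generator must never be used for keys or session tokens. The parameters a = 16807, m = 2^31 − 1 (the MINSTD generator) and the small (5, 3, 16) example are assumed illustrations.

```python
from math import gcd

def lcg(a, c, m, x0):
    """Yield x_1, x_2, ... of x_{n+1} = (a x_n + c) mod m."""
    x = x0
    while True:
        x = (a * x + c) % m
        yield x

def period(a, c, m, x0):
    """Length of the cycle the sequence from x0 falls into (at most m, Problem 63(c))."""
    seen, x, n = {}, x0, 0
    while x not in seen:
        seen[x] = n
        x, n = (a * x + c) % m, n + 1
    return n - seen[x]

def hull_dobell(a, c, m):
    """True iff the period equals m for every seed: gcd(c, m) = 1, every prime factor
    of m divides a - 1, and 4 divides a - 1 whenever 4 divides m."""
    if gcd(c, m) != 1:
        return False
    q, factors, p = m, set(), 2
    while p * p <= q:                       # trial division, fine for m = 2^b or one large prime
        while q % p == 0:
            factors.add(p)
            q //= p
        p += 1
    if q > 1:
        factors.add(q)
    return all((a - 1) % p == 0 for p in factors) and (m % 4 != 0 or (a - 1) % 4 == 0)

def recover(x0, x1, x2, m):
    """Solve x1 = a x0 + c and x2 = a x1 + c (mod m) for (a, c).
    Needs gcd(x1 - x0, m) = 1; pow raises ValueError otherwise."""
    a = (x2 - x1) * pow(x1 - x0, -1, m) % m
    return a, (x1 - a * x0) % m
```

With m = 2^b and c = 0 the difference x1 − x0 is rarely invertible, but an attacker then simply works modulo the odd part of m or collects a few more outputs; the conclusion of 63(c) does not change.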


Problem 64(a) Histogramming shows to what degree the random numbers cover the given co-domain. This is tested by the following simulation: as here in JavaScript b = 64, choose m of magnitude 2^32, a of magnitude 2^16 and some 0 ≤ c < m. Then random numbers

    $y_n = 2^{-r} x_n \in [0, 1)$ where $x_{n+1} = (a\,x_n + c) \bmod m$ and r is chosen with $2^r \ge m$

are generated and the relative frequency of their occurrence in certain intervals is monitored. Let

    $h_i = \operatorname{round}\Big(100 \cdot P\big(Y = 2^{-r}X \in [\tfrac{i-1}{5}, \tfrac{i}{5}]\big)\Big)$ for i = 1, ..., 5,

i.e. h_i is the percentage of the y_n falling into the i-th fifth of the unit interval; for a good generator all five are close to 20 %. A flat histogram is necessary but far from sufficient: it says nothing about the order of the numbers, e.g. the sequence 0, 1/m, 2/m, ... has a perfect histogram.


Problem 64(b) The entropy

    $E = -\sum_{i=0}^{9} p_i \log_2(p_i),$

i.e. the information content of each decimal digit (bit per decimal digit, bpdd), where p_i is the relative frequency of the digit i, is maximal for true random numbers (with independent digits). The entropy E is maximal for uniformly distributed digits:

    $E_{\max} = -\sum_{i=0}^{9} \tfrac{1}{10} \log_2\big(\tfrac{1}{10}\big) = -\log_2\big(\tfrac{1}{10}\big) \approx 3.321928\ \text{bpdd}.$

This first-order entropy only measures the digit frequencies, not the dependence between consecutive digits: a completely predictable sequence such as 0, 1, 2, ..., 9, 0, 1, ... reaches E_max as well.


Problem 64(c) A sequence of pseudo random numbers can be compressed; the less it can be compressed, the higher its degree of unpredictability. Let the compressibility κ with 0 ≤ κ ≤ 1 be defined by

    κ = (length of the compressed pseudo random number sequence) / (length of the uncompressed pseudo random number sequence),

using for example Huffman coding. κ is close to its maximum 1 for true random numbers, which cannot be compressed on average. Huffman coding of single symbols again exploits only their frequencies, so a generator that passes this test may still be completely predictable; a compressor with a dictionary or context model (e.g. LZW) also catches repeated patterns. ∎


Problem 64(d) The statistical χ²-test checks whether two random variables are statistically independent. (It is distribution-free, i.e. the distributions of the two variables do not matter.)

It can be applied to check the independence of pairs (x, y) of members of a sequence (x_i)_{i=0,1,...} of random numbers, say (x_i, x_{i+1}) or, somewhat more generally, (x_i, x_{i+d}) for fixed d ∈ N. Here, let the x_i be the decimal digits of the pseudo random numbers and d = 1.

Therefore we need to set up the so-called contingency table:

    x \ y  |   0       1     ...    j     ...    9     | f_{i,*}
    -------+--------------------------------------------+-------------------
      0    | f_{0,0}  f_{0,1}  ...  f_{0,j}  ...  f_{0,9} | f_{0,*}
      1    | f_{1,0}  f_{1,1}  ...  f_{1,j}  ...  f_{1,9} | f_{1,*}
     ...   |   ...                                      |  ...
      i    | f_{i,0}  f_{i,1}  ...  f_{i,j}  ...  f_{i,9} | f_{i,*}
     ...   |   ...                                      |  ...
      9    | f_{9,0}  f_{9,1}  ...  f_{9,j}  ...  f_{9,9} | f_{9,*}
    -------+--------------------------------------------+-------------------
    f_{*,j} | f_{*,0}  f_{*,1}  ...  f_{*,j}  ...  f_{*,9} | n = # of observations

with absolute frequencies f_{i,j} = |{(i, j)}|, the number of observed pairs (x, y) = (i, j), and absolute marginal frequencies

    $f_{i,*} = \sum_{j=0}^{9} f_{i,j}$ and $f_{*,j} = \sum_{i=0}^{9} f_{i,j}.$

Then the expected frequency of (i, j) for independent variables x and y is

    $e_{i,j} = \tfrac{1}{n} f_{i,*}\, f_{*,j}.$

Here, sufficiently many observations guarantee that f_{i,j} ≥ 10 and e_{i,j} ≥ 5, more than necessary for the χ²-approximation to be valid.

The more the observed frequencies deviate from the expected ones, the more dependent the two variables are. The test statistic

    $\chi^2 = \sum_{i=0}^{9} \sum_{j=0}^{9} \frac{(f_{i,j} - e_{i,j})^2}{e_{i,j}} = n \Big( \sum_{i=0}^{9} \sum_{j=0}^{9} \frac{f_{i,j}^2}{f_{i,*}\, f_{*,j}} - 1 \Big)$

is, under the hypothesis of independence, (approximately) χ²-distributed with (10 − 1) · (10 − 1) = 81 degrees of freedom (df); independence is rejected at the level of significance α if χ² exceeds the tabulated upper-tail quantile χ²_{81,α}.

Quantiles χ²_{df,α} of the χ²-distribution are tabulated for different df and levels of significance α (here interpolated for df = 81):

    df \ α   0.99    0.975   0.95    0.9     0.1     0.05    0.025   0.01
    ...
    80       53.54   57.15   60.39   64.28   96.58   101.9   106.6   112.3
    81       54.36   58.00   61.26   65.18   97.68   103.0   107.7   113.5
    ...

s. [36]




Of course, the test can be applied to the sequence of pseudo random numbers for any d ∈ N. Additionally, the sequence can be considered as a bit string in order to apply the test to pairs of bit substrings of any given length at any given distance. ∎