Math 5248: Cryptology and Number Theory
Spring 2019: Professor Andrew Odlyzko
Classes: MW 1:00  2:15, Vincent 113
Office Vincent Hall 511
 phone 6126255413
 email: odlyzko@umn.edu (preferred and most reliable method)
Office hours (starting Mon Jan 28): Mon 5:30  7:00, Tue 2:00  5:30, and by appointment. However, always check this web page
before coming over, as on some days the hours may be restricted.
Textbook: "Cryptology and Number Theory" by Paul Garrett, available
at Alpha Print in Dinkytown (next to McDonald's), 1407 4th St SE, 6123798535.
Copies from previous years, produced by Alpha Print, are the same, and will work fine. However,
the first edition, printed by a regular publisher, has substantial differences, and
will not suffice.
Additional material:
You might find useful two textbooks that are available freely (and legally) online,
Victor Shoup's "A Computational Introduction to Number Theory and Algebra",
Shoup book, and William Stein's
"Elementary Number Theory: Primes, Congruences, and Secrets",
Stein book.
For popular historical accounts of cryptology, highly recommended sources
are Simon Singh, "The Code Book"
and (for much more detail) David Kahn, "The Codebreakers".
Computer algebra systems (very helpful, although not absolutely essential and not required): Maple, Mathematica,
available in Math computer labs, and also (for CSE undergrads) for free downloads at
CSE Labs. Some systems available for free on the Web, such
as Wolfram Alpha, will likely suffice. A calculator is advisable, even if you use a computer
algebra system, to reduce the tedium of computations.
Tests: No final, three 75minute inclass midterms on Wed Feb 20, Wed Apr 3, and Mon May 6 (last class day).
Weekly homework assignments (usually, excluding midterm days), due (usually) on Wednesdays, first one (a small
one) due Jan. 30.
Will be posted by the preceding Friday, and will (usually) cover material through the preceding Wednesday.
Always due at the beginning of a class, late homeworks will not be accepted.
If you can't make it to class, you can leave your homework in
my mailbox in Vincent 107, or email it to me (in either typeset or scanned form, PDF preferred).
You may work with others on homework
problems. However, you have to write up your solutions yourself, in your own words, to show you
understand the arguments.
Special challenge problems: There will be occasional challenge problems for extra credit.
No collaborations are permitted on those.

Each of these problems will be worth some number of points towards the
homework score (with fractional credit for partial solutions).
Suppose that the maximal score on all the regular homeworks is x, and you get y points
on those regular homeworks and z on the extra credit ones. Then your final homework score will be
the minimum of x and y+z.
Solutions to homework problems will be available through this site, usually posted the
evening of the day they are due. However, they will not be
live links, but URLs that you will have to paste into your browser to download (to keep
crawlers from downloading and archiving them). These are for your use only, do not put
them up on any web sites, Facebook pages, etc.
Tests will be open book; you may bring books, notes, and calculators, but no smart
phones, iPads, or other communication devices can be used, and you have to do all the work
yourself.
Grades: homework will count for 30%, the three tests for 20%, 25%, and 25%, respectively.
Expected effort: This is a 4credit course, so you are expected to devote 12 hours per week,
on average (including lectures).
Solution files for homeworks and midterms are provided for your personal use only. Do not
distribute them via email or posting anyplace.
Scholastic Conduct: Cheating or other misconduct will not be tolerated. The standard University
policies will be followed.
General remarks:
This course develops the basic ideas of cryptology and related areas
of number theory. Both symmetric and public key cryptosystems will
be introduced, as will random number generators and cryptographic
protocols. The basics of the Bitcoin cryptocurrency and of blockchain
technology will be covered
as an example of the application of the techniques developed in the
course.
Homework assignments and other notes:

Material covered on Wed Jan 23: sections 1.2, 1.4  1.6 of Chapter 1.

Due Mon Feb 4 (changed from original Wed Jan 30):

Textbook exercises 1.2.13, 1.2.17, 1.5.06, 1.5.09, and 1.6.01 (10 pts each).

Important note: In 1.2.17, assume that m is positive. (The claimed result is false if m is negative.
It would be a good (ungraded) exercise to find a counterexample to the claim of this problem when m is negative.)

Material covered on Mon Jan 28: sections 1.1 and 1.7, much of sections 26.1 and 26.2.

No office hours on Tue Jan 29 and no class on Wed Jan 30, due to U cancellations.

Due Wed Feb 6:

Textbook exercises 1.6.14, 26.2.08, 26.2.12, 26.2.29, and 26.2.30 (10 pts each)

Extra credit problem (20 pts): 26.2.17. (Reminder: no collaborations allowed on these problems.)

Material covered the week of Feb 4: rest of Chapter 1 and of sections 26.1 and 26.2, covered lightly
Chapter 8 and parts of Chapter 2.

Due Wed Feb 13:

Textbook exercises 1.6.09 (10 pts), 1.6.20, 1.7.14, 1.7.19, 1.7.21, 26.2.28, and 26.2.32 (15 pts each).

Material covered the week of Feb 11: a bit more material from Chapter 2, cover Chapter 4, start
on Chapter 6 (sections 6.1 and 6.4).

Material covered on Mon Feb 18: completed Chapter 6 (sections 6.2 and 6.3), lightly went over Chapter 5.

Wed Feb 20:

In class midterm. Material to be covered: Material to be covered: chapters 1, 2, 4, and sections
6.1, 6.4, 26.2, and 26.3.

Open book; you may bring books, notes, and calculators, but no smart phones, iPads, or other communication devices can be used, and you have to do all the work yourself. Blue books will be available, but you do not have to use them.

No homework due this week. For practice on material that was not covered on homeworks,
work out textbook exercises 4.1.05, 4.1.08, 4.2.06,
4.5.01, 4.5.02 (although those two are poorly written, in 4.5.01
all the phrases about probabilities should be deleted, and they should instead be moved to 4.5.02),
6.1.02, and 6.4.01.

Office hours on Tue Feb 26: only 2:30 to 5:00.

Due Wed Feb 27:

Textbook exercises 6.2.07, 6.2.08, 6.3.06, 6.3.08, 26.2.25, and 26.2.31 (10 pts each).

Material covered the week of Feb 25: Much of chapters 9 and 10 (in a mixedup order, leaving
for next week primarily sections 9.2  9.4, 9.7, 10.4  10.5, and 10.7  10.8).

Office hours on Tue Mar 5: 1:30 to 5:00 instead of 2:00 to 5:30.

Note: The method of Section 6.3 for computing multiplicative inverses does not
have to be used (or fully understood). The more primitive, but more intuitive,
method presented in class, where one builds the magic equation giving the gcd
of two integers by going backwards through the Euclidean algorithms, suffices.

No need to understand Section 9.8. Later on we'll learn another, more
intuitive method for this computation. The homework exercise for
this section is meant to take you through the cookbook approach,
to show it works. That can be done without a basic understanding
of why it works. (If you have had group theory, do try to read
that section, it might be understandable.)

Due Wed Mar 6:

Textbook exercises 9.1.06, 9.1.07, 9.5.04, 9.5.09,
9.6.03, 9.8.02, 10.2.07, and 10.3.01 (10 pts each), plus:

A1 (10 pts). Prove that x^5 + y^5 = 3 has no solution in integers x and y. (Hint: use modulo 11 arithmetic.)

A2 (10 pts). For which positive integer n < 100 is the Euler phifunction of n, which is the
size of (Z/n)^(x) (the set of reduced residue
classes mod n, those relatively prime to n) largest?

Material covered the week of Mar 4: completed chapters 9 and 10, started Chapter 7.

Due Wed Mar 13:

Textbook exercises
9.4.05 (you should use results of 9.4.01, even though you are not required to solve that problem),
9.7.05, 10.4.04, 10.4.06, 10.5.03, 10.8.02 and 10.8.08 (15 pts each, except 10.8.02 which is 10 pts),
where in 10.4.06 you are asked to
explain why the quadratic formula you have learned in high school does not solve
this equation.

Extra credit problem (20 pts): 10.5.06. Remember you have to work on this on your own, no
collaborations allowed on this or other extra credit problems.

Material covered the week of Mar 11: most of rest of Chapter 7 and a little of Chapter 14.

Due Wed Mar 27:

Textbook exercises
7.2.06 (10 pts), 7.2.10 (20 pts), 7.3.08 (10 pts), 7.3.12 (20 pts), 7.3.13 (25 pts), and

A1 (15 pts): Suppose that p is an odd prime, and g and h are two primitive roots mod p.
Can g*h ever be a primitive root?

Material to be covered the week of Mar 25: finish Chapter 7, cover Section 15.9, start Chapter 13.

Office hours on Tue Apr 2: 3:00 to 6:30 instead of 2:00 to 5:30.

Wed Apr 3:

In class midterm. Material to be covered: sections 6.2 and 6.3, 7.1 through 7.5, chapters 9 and 10,
sections 13.1, 13.2, 13.5, 13.6, and 15.9.

Open book; you may bring books, notes, and calculators, but no smart phones, iPads, or other communication devices can be used, and you have to do all the work yourself. Blue books will be available, but you do not have to use them.

No homework due this week. For practice on material that was not covered on homeworks, work out
textbook exercises 7.5.03, 13.1.04, 13.1.08, 13.6.01, and 13.6.05.

A1: Show that if k is a positive integer such that 6*k+1, 12*k+1, and 18*k+1 are all
prime, then n = (6*k+1)*(12*k+1)*(18*k+1) is a Carmichael number. (There is additional material
on Carmichael numbers in Section 17.2.)

Material covered on Mon Apr 1: completed Chapter 13, did most of chapters 12 and 17 (lightly).

Due Wed Apr 10:

Textbook exercises 12.5.11, 12.5.13, and 12.5.14 (20 pts each).

Extra credit problem (20 pts): Consider a knapsack cipher of the type described in Section 7.6,
where the superincreasing sequence is given by a_i = 2^i, and the public weights c_i are a permutation
of the (t*a_i)%m. Show how to break this scheme.
As before, no collaborations on this problem are allowed.

Material covered the week of April 8: Chapter 18.

Due Wed Apr 17:

Textbook exercises 18.1.03, 18.2.04, and 18.3.03 (20 pts each).

A1. (20 pts) Are there integers x such that 5 * ( 45 * x^2 + 2 )^1111 = 33 mod 77, and if so,
find at least one.

A2. (20 pts) Given the values of n below, determine, without exhaustive search, etc., how many integers
k there are, with gcd(k, n) = 1, and 1 <= k <= n, such that k has a square root modulo n.
Do this for (a) n = 143, (b) n = 286, (c) n = 572, (d) n = 1144, and (e) n = 2288.
In each case, determine also phi(n), so as to be able to tell what fraction
of reduced residue classes modulo n have square roots.

Material covered the week of April 15: Chapters 19 and 20, started on sections 24.3 and 24.4.

Office hours on Tue Apr 16: 2:00 to 3:30 and 4:45 to 5:45.

Due Wed Apr 24:

Textbook exercises 20.1.11 and 20.2.07 (20 pts each).
Please note that the textbook has a slight mistake in the description of
the babystep giantstep algorithm. In the first display
equation on p. 273, floor(sqrt(n)) should be replaced by ceiling(sqrt(n))
(i.e., the least integer equal to or larger than n^(1/2)).
Also, there is a certain twist to 20.2.07 that you might find surprising.

2. (10 pts) Express (1, 0, 1) as a linear combination over the integers mod 2 of (1, 1, 1), (0, 1, 1),
and (1, 1, 0).

3. (20 pts) Find a linear dependency over the integers mod 2 of the row vectors (0 1 1 0 1 1 0 1 1),
(1 0 1 0 1 0 1 0 1), (0 1 0 0 1 1 1 0 0), (1 0 1 1 0 0 1 1 1), and (1 0 0 1 0 0 0 0 0)
(where I have dropped commas, the symbols are all 0 and 1, and these are all binary row vectors of
length 9); that is, find a linear combination of those vectors that is the zero vector.

4. (30 pts) Factor the integer n = 13231 (= 101 * 131) by taking advantage of the relations
(all modulo n): 122^2 = 3 * 19 * 29, 124^2 = 3 * 5 * 11 * 13, 125^2 = 2 * 3^2 * 7 * 19,
126^2 = 5 * 23^2, 127^2 = 2 * 3^2 * 7 * 23, 129^2 = 2 * 5 * 11 * 31,
134^2 = 3^3 * 5^2 * 7, 136^2 = 3^4 * 5 * 13, 139^2 = 2 * 3 * 5 * 7 * 29,
141^2 = 2 * 5^2 * 7 * 19, 146^2 = 3 * 5 * 7^2 * 11, 149^2 = 2 * 3 * 5 * 13 * 23
and linear algebra on exponents of the prime factorizations.

Extra credit problem (20 pts): Suppose we modified the Pollard rho method, so the
iteration would be f(x) = x^2 mod n instead of f(x) = x^2 + 2 mod n.
How well would it perform, and why? (You are encouraged to try some moderately
large examples using a computer.)

Material covered the week of April 22: completed sections 24.3 and 24.4,
covered much of Chapter 15, and the notes on Lagrange polynomial
interpolation formula and secret sharing schemes, written up in
file http://www.dtc.umn.edu/~odlyzko/Math5248/lagrange20101203.pdf.

Due Wed May 1:

Textbook exercise 15.3.01 (25 pts).
 1 (20 pts) Find the simplest counterexample you can to the Lemma on p. 195 of the
textbook, about LCM of polynomials.
 2 (25 pts) Formulate the Chinese Remainder Theorem for polynomials over Z/p and prove it.
 3 (15 pts) How many linear factors does the polynomial x^((p1)/2)  1 have over Z/p
for an odd prime p?
 4 (15 pts) A teacher wants to distribute a secret (which is an integer between 1 and 100)
to a class of 10 girls and 29 boys. He regards the girls as twice as reliable as boys, so
wants a scheme in which (i) any 3 girls, or (ii) any 2 girls and any 2 boys, or (iii) any girl
and any 4 boys, or (iv) any 6 boys, can get together and recover the secret, but no smaller
group (such as any girl and any 3 boys, or any 5 boys) can do it. Describe how to set up
such a scheme. (You don't have to write out the gory details, but use mathematical notation
to make clear what you are doing. Elegance of solution will count in assigning grades.)

Material to be covered on Mon Apr 29: complete Chapter 15, cover some of Chapter 16.
Also, present some material on polynomials and their algebraic properties, covered by notes in
file http://www.dtc.umn.edu/~odlyzko/Math5248/polyfactor20141127.pdf

Wed May 1: Last regular class.
Primarily hash functions and applications of methods
from this class to Bitcoin. (It you are interested in a light introduction to cryptocurrencies
such as Bitcoin, you can watch the video of my presentation at the 2014 TEDx held here
at the U, YouTube video on cryptocurrencies.)

Class evaluation forms will be handed
out to be completed after the (shortened) session.

Office hours on Tue Apr 30: 1:30 to 3:30 and 4:45 to 5:30.

You might be interested in the popular lecture on cryptography by
Professor J. Hoffstein of Brown University, which will be given this day in
Vincent 16 at 3:35,
seminar announcement.

Extra office hours on Thursday afternoon, May 2, 2:00 to 3:30.

Mon May 6: Homeworks due May 1 should be available between 11 am and 12:45 pm this day
in a folder in my mailbox in Vincent 107 (among the faculty mailboxes
on the extreme left as you enter the room).

Mon May 6: last session, inclass midterm.

Material to be covered on midterm: chapters 15, 16 (first 3 sections), 17, 18, 19, 20, and 24 (last 2 sections),
and the notes posted on this page about
Lagrange polynomial interpolation and secret sharing
and polynomial irreducibility testing and factorization.
 Same rules as on other exams: open book, ..., 75 minutes.
 No homework due this week. For practice on material that was not covered on homeworks,
work out exercises 16.3.01, 16.3.02, 24.3.06, 24.3.07, 24.3.11, 24.4.03, and 24.4.05
(and in this last case also express this GCD
as a linear combination with polynomial coefficients of the two given polynomials).

Midterm and course grades should be available by Thu May 9, and will be emailed to everyone.
Up [
Return to home page
]