Faculty of Computing

Universiti Teknologi Malaysia

SCSR3443 Introduction to Cryptography

Semester 2, 13/14

Recall: Euler's theorem

Euler's theorem is also known as the Fermat-Euler theorem or Euler's totient theorem.
States that if n is a positive integer and a is a positive integer co prime to n, then

where (n) is Euler's totient function and "... ... (mod n)" denotes congruency ... modulo n.
Example 1
If a = 3, n = 10 and and (10) = 4.
Therefore a(n) = 34 = 81 = 1 mod 10 = 1 (mod n)
The theorem may be used to easily reduce large powers modulo n.
Example 2
Consider finding the last decimal digit of 7222 (mod 10).
Note that 7 and 10 are relatively prime, and (10) = 4.
So Euler's theorem yields 74 1 (mod 10),
7222 74x55 + 2 (74)55x72 155x72 49 9 (mod 10).
In general, when reducing a power of a modulo n (where a and n are relatively prime), one
needs to work modulo (n) in the exponent of a:
if x y (mod (n)), then ax ay (mod n).

Discrete Logarithm
Fundamental to a number of public-key algorithms, including Diffie-Hellman key exchange and
digital signature algorithm (DSA).
Discrete Logarithm is to find an integer x, such that,
ax = b mod n
x logaa = logab mod n
x = logab mod n
The discrete logarithm problem is as follows:
Given an element g in a finite group G and another element h G, find an integer x
such that gx = h.
Example 3
Solution to the problem 3x 13 (mod 17) is 4, because 34 = 81 13 (mod 17).

Page 1 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

Example 4
Find x when 3x = 10 mod 17
x=3

since 33 = 27 10 mod 17

Given Euler totient function, if a and n are relatively prime then

a (n) 1 mod n
Consider
a m 1 mod n
If a and n are relatively prime then there is at least one integer m that satisfies the equation
above, namely m = (n)
The least positive exponent m for which the equation holds is referred to in a several ways:
the order of a (mod n)
the exponent to which a belongs (mod n)
the length of period generated by a
Example 5
Fill in the table for ax mod 7
a
1
2
3
4
5
6

a2
1
4
2
2
4
1

a3
1
1
6
1
6
6

a4
1
2
4
4
2
1

a5
1
4
5
2
3
6

a6
1
1
1
1
1
1

Length of a Period
o There exists at least one x which satisfies the following equation:
ax = 1 mod n,
where a and n are relatively prime, that is when x = (n) (Eulers Theorem).
o

The smallest exponent x which satisfies the above equation is known as length of a
period generated by a.

Exercise: What is the length of a period for each a in ax mod 7?

The sequence length divides (7) = (2, 3 or 6).

Primitive Root

Page 2 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

o
o

Semester 2, 13/14

An integer a which gives sequence length = (7) is known as primitive root of mod 7.
Generally, if a is a primitive root of p, all powers of a, a2, , a p-1 has different (mod p)
and all are relatively prime to p.

For prime number p, if a is a primitive root of p, then a, a2, a p-1

Not all integers have primitive roots.
Example 6

For 19, its primitive roots are 2, 3, 10, 13, 14, and 15.
Example
1.
Is 2 a primitive root of 3? b
a. yes
b. no
2.

Is 2 a primitive root of 5? a
a. yes
b. no

3.

Is 3 a primitive root of 7? a
a. yes
b. no

Page 3 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

4.

Is 3 a primitive root of 11? b

a. yes
b. no

5.

Is 5 a primitive root of 7? a
a. yes
b. no

6.

Is 5 a primitive root of 11? b

a. yes
b. no

Semester 2, 13/14

Discrete Logarithm: Application

Properties of logarithms:
o Logx(1) = 0
o Logx (x) = 1
o Logx (y z) = Logxy + Logx z
o Logx (yr) = r Logx (y)
It is easy to calculate y = ax mod p, given a, x and p.
However given y, a and p, it is difficult to calculate x (use discrete log).
The complexity of discrete algorithm is exponential. Therefore it is not feasible for large
primes.
Discrete logarithm problem is difficult to solve and therefore is used as a fundamental security
for several public-key algorithms such as El-Gamal, Diffie-Hellman key exchange and digital
signature algorithm (DSA).

The Problem of Secret Key Cryptosystem

Alice and Bob wish to exchange encrypted information.
To do this they choose, because of its efficiency in encryption speed, to use a
Secret/Symmetric/Session key algorithm.
Now the problem:
How to agree upon a key, known only to the two of them and no one else.
One obvious solution is to meet in the dark behind Mamak Corner and each scribble
the same key on a piece of paper. Besides the fact that this is subject to typographical
error, loss of the paper, discovery of the paper by someone else, and other obvious
problems.
There is also the fact that Alice lives in Malaysia and Bob lives in Antarctica: they are
not likely to meet. So it will be nice if there will be a "spontaneous" way to both
suddenly agree on a key, exchanging only information that will not compromise the
Page 4 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

knowledge of the key to those who might eavesdrop electronically on their

conversation.

Key Exchange
Alice and Bob each pick a number say Alice picks x, and Bob picks y.
They do not exchange these numbers directly, but they exchange mathematical
transformations of the numbers, by a trapdoor function.
An eavesdropper cannot learn x or y, only t(x) and t(y).
Mathematics:
The discrete logarithm problem is hard, even for computers. That is, given a prime
number p, and a particular base element g, it is difficult from knowledge of the power
gx mod p to determine x.
The transformation x gx will be the trapdoor function.

Diffie-Hellman (DH)
First published public-key algorithm whereby it was proposed by Diffie & Hellman in 1976.
Purpose of the algorithm is to enable two users to exchange a key securely that can be used
for subsequent encryption of messages.
Not use for encryption or decryption.
It is a public-key distribution scheme:
o cannot be used to exchange an arbitrary message
o Rather it can establish a common key known only to the two participants.
The value of key depends on the participants (and their private and public key information)
It is based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) easy
problem.
The security relies on the difficulty of computing discrete logarithms (similar to factoring)
hard problem.
Discrete logarithm: is to find the exponent x such that:
b = ax mod p where 0 x (p-1), a primitive root and p a prime number.
Whats involved?

p is a prime (about 512 bits, very large), and g < p

p and g are publicly known

DH Procedure
Diffie-Hellman key exchange algorithm starts with the selection of a prime number plus one of
its primitive roots.
Alice and Bob agree on a prime p, preferably rather large.
Page 5 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

Alice
pick XA randomly
compute Y(XA) = gXA mod p
send YA to Bob
compute YBXA

Bob
pick XB randomly
compute Y(XB) = gXBmod p
send YB to Alice
compute YA XB

Alice and Bob reached the same secret g XAXB mod p

No one listening on the channel can compute the discrete algorithm and recover XA and XB.
Prove that KA = YB XA (mod p), KB = YA XB (mod p).
KA = YB XA (mod p)
= (gXB mod p) XA (mod p)
= (gXB) XA mod p
= gXB XA mod p
= (gXA) XB mod p
= (gXA mod p) XB (mod p)
= YA XB (mod p)
= KB

DH Security
Discrete Logarithm is hard
o For T = gx mod p, 0 <= x <= (p-1).
o Conjecture: Given T, g, p, it is extremely hard to compute the value of x
(Discrete Logarithm)
Example 7
T = 4, g = 2, p = 5, 4 = 22 mod 5.
o What should be the value of x?
Page 6 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

p needs to be large!

Example 8
8 is a primitive root of 11. If these numbers are used by two parties in a Diffie-Hellman key
exchange (i.e. g = 8, p= 11) where the random integer chosen by the first party (Initiator) is 5
and the random integer chosen by the second party (Responder) is 7, what is the value of the
key that they will both end up calculating?
a. 1
b. 2
c. 3
d. 4
e. 5
f. 6
g. 7
h. 8
i. 9
j. 10
k. 11

(85) 7 mod 11 = (10) 7 mod 11 = 10

Example 9
Given p = 97 and g = 5
Alice chooses a private key, XA = 36 < p
Bob chooses a private key, XB = 58 < p
Alice calculates her public key, YA = g XA (mod p):
536 mod 97 = 50, sends to Bob.
Bob calculates his public key, YB = g XB (mod p)
558 mod 97 = 44, sends to Alice.
Alice calculates a shared secret key, KA = YB XA (mod p).
4436 mod 97 = 75
Bob calculates a shared secret key, KB = YA XB(mod p).
5058 mod 97 = 75
Example 10
Alice & Bob who wish to swap keys.
They agree on prime q=353 and g=3
i.

Select random secret keys:

A chooses xA=97, B chooses xB=233
Page 7 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

ii.

Compute public keys:

yA=397 mod 353 = 40 (Alice)
yB=3233 mod 353 = 248 (Bob)

iii.

Compute shared session key as:

KAB= yBxA mod 353 = 24897 = 160 (Alice)
KAB = yA xB mod 40233 = 160 (Bob)

Example 11: Activity: Key Exchange

used a program to create a random integer of 512 bits (the ideal is 1024 bits). The integer p is
a 159-digit number. Choose g, x, and y as shown below:

Example 12: Activity: Key Exchange

i.
ii.

Use on prime q=97 and g=5

Each person select your random secret keys:
your key must be less than q.

iii.
iv.

Compute your public key:

Tell your public key to your partner

v.
vi.

Compute your shared session key.

Check with your partner whether they are the same.

Page 8 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

DH with 3 or More Parties

Example: Alice, Bob and Carol
1.
Alice choose random integer x and computes X = gx mod n
2.
Bob choose random integer y and send Carol Y = gy mod n
3.
Carol choose random integer z and send Alice Z = gz mod n
4.
Alice sends Bob Z = Zx mod n
5.
Bob sends Carol X = Xymod n
6.
Carol sends Alice Y = Yz mod n
7.
Alice computes k = Yx mod n
8.
Bob computes k = Zy mod n
9.
Carol computes k = Xz mod n
The secret key, k is equal to g xyz mod n.

Epilogue: Nothing is Perfect

Malicious, who lives in Timbuktu, and is able to eavesdrop on the communications between
Alice and Bob, and in fact to intercept and make substitutions in their communications.
Malicious is terrible at mathematics, does not have a clue as to how to solve the discrete
logarithm problem, but is malicious.
Malicious hits upon a simple scheme, which as always described as a "man-in-the-middle"
attack (apparently women do not involve themselves in such attacks!).

Man-in-the-Middle Attack
Malicious chooses numbers also, one for Alice which she will call a, and one for Bob, which she
will call b.
Malicious intercepts and throws away the transmission of gx to Bob, and sends instead gz.
Malicious intercepts and throws away the transmission of gy to Alice , and sends instead ga.
Alice is now happily ready to communicate with Bob (he thinks) using the secret key gax.
Bob is ready to happily communicate with Alice (she thinks) using the secret key gzy.
Malicious is ecstatic, knowing both secret keys and able to manipulate Alice and Bob from the
position in the middle.
Alice
ga=123

Malicious
gx =654
Page 9 of 11

Bob
g =255
b

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

123

Semester 2, 13/14

654
654

654a=123x

255
255x=654b

Malicious plays Bob to Alice and Alice to Bob.

Authenticated DH Key Agreement Protocol

Vulnerability is present in DH key exchange is because DH key exchange does not authenticate
the participants.
Possible solutions include the use of digital signatures and other protocol variants.
The authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS)
protocol, was developed by Diffie, van Oorschot, and Wiener in 1992 to defeat the man-inthe-middle attack on the Diffie-Hellman key agreement protocol.
The immunity is achieved by allowing the two parties to authenticate themselves to each
other by the use of digital signatures and public-key certificates.
Basic idea is as follows:
Prior to execution of the protocol, the two parties Alice and Bob each obtain a
public/private key pair and a certificate for the public key.

Page 10 of 11

Faculty of Computing
Universiti Teknologi Malaysia
SCSR3443 Introduction to Cryptography

Semester 2, 13/14

During the protocol, Alice computes a signature on certain messages, covering the
public value ga mod p.
Bob proceeds in a similar way.
Even though Carol is still able to intercept messages between Alice and Bob, he cannot
forge signatures without Alice private key and Bob private key.
Hence, the enhanced protocol defeats the man-in-the-middle attack.
A trusted third party is used to distribute certified signature keys

Where
SX { } is signature by X
SY { } is signature by Y
K = axy mod p
EK { } is encryption under K

Page 11 of 11