MODULE 4

ASYMMETRIC CIPHERS: Principles of Public-Key Cryptosystems, The

RSA algorithm, Diffie - Hellman Key Exchange, Elliptic Curve Arithmetic,
Elliptic Curve Cryptography
(Text 1: Chapter 8, Chapter 9: Section 1, 3, 4)

Text Books:
1. William Stallings , “Cryptography and Network Security Principles and Practice”,
Pearson Education Inc., 6th Edition, 2014, ISBN: 978-93-325-1877-3
2. Bruce Schneier, “Applied Cryptography Protocols, Algorithms, and Source code
in C”, Wiley Publications, 2nd Edition, ISBN: 9971-51-348-X.

Reference Books:
1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.
2. Cryptography and Network Security, Atul Kahate, TMH, 2003.
 Asymmetric Key Encryption

Diffie and
Hellman

* 2
* 3
 Conventional Encryption Public-Key Encryption
Needed to Work: Needed to Work:

1.The same algorithm with the same key is 1.One algorithm is used for encryption
used for encryption and decryption. and decryption with a pair of keys, one
2.The sender and receiver must share the for encryption and one for decryption.
algorithm and the key. 2.The sender and receiver must each have
one of the matched pair of keys (not the
same one).
Needed for Security: Needed for Security:
1.The key must be kept secret. 1.One of the two keys must be kept
2.It must be impossible or at least secret.
impractical to decipher a message if no 2.It must be impossible or at least
other information is available. impractical to decipher a message if no
3.Knowledge of the algorithm plus other information is available.
samples of ciphertext must be 3.Knowledge of the algorithm plus one of
insufficient to determine the key. the keys plus samples of ciphertext must
be insufficient to determine the other
key.
4 *
 Y = E(PUb, X) X = D(PRb, Y)

* 5
 Y = E(PRa, X) X = D(PUa, Y)

* 6
 Z = E(PUb, E(PRa, X)) X = D(PUa, E(PRb, Z))

* 7
* 8
Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to generate a pair (public key PU b,
private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the
message to be encrypted, M, to generate the corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting
ciphertext using the private key to recover the original message:
M = D(PRb, C) = D[PRb, E(PUb, M)]
4. It is computationally infeasible for an adversary, knowing the public key,
PUb, to determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the public key,
PUb, and a ciphertext, C, to recover the original message, M.

We can add a sixth requirement that, although useful, is not necessary for
all public-key applications:
* 9
 The RSA (Ron Rivest, Adi Shamir, and Len Adleman) Algorithm 1977

C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n

For this algorithm to be satisfactory for public-key encryption, the

following requirements must be met:
1.It is possible to find values of e, d, n such that Med mod n = M for all M < n.
2.It is relatively easy to calculate mod Me mod n and Cd for all values of M < n.
3.It is infeasible to determine d given e and n.
Med mod n = M
The preceding relationship holds if e and d are multiplicative inverses
modulo φ(n), where φ(n) is the Euler totient function.
For p, q prime, φ(pq) = (p -1)(q-1) The relationship between e and d can be
expressed as

* 10
That is, e and d are multiplicative inverses mod f(n). Note that, according to
the rules of modular arithmetic, this is true only if d (and therefore e) is
relatively prime to f(n).
Equivalently, gcd(f(n),d) = 1.

* 11
 12
*
 Two numbers are relatively prime if they have no prime factors in
common; that is, their only common divisor is 1. This is equivalent to
saying that two numbers are relatively prime if their greatest
common divisor is 1.

1. Select two prime numbers, p = 17 and q = 11.

2. Calculate n = pq = 17 x 11 = 187.
3. Calculate f(n) = (p-1)(q-1) = 16 x 10 = 160.
4. Select e such that e is relatively prime to f(n) = 160 and less than
f(n) we choose e = 7.
5. Determine d such that de 1 (mod 160) and d < 160. The correct
value is d = 23, because 23 x 7 = 161 = 10 x 160 + 1; d can be
calculated using the extended Euclid's algorithm.

* 13
If gcd(f(ɸ), e) = 1, then e has a multiplicative inverse modulo f(ɸ).
That is, for positive integer b < f(ɸ), there exists a e1 < f(ɸ) such
that ee1 = 1 mod f(ɸ). The Euclidean algorithm can be extended so
that, in addition to finding gcd(f(ɸ), e), if the gcd is 1, the algorithm
returns the multiplicative inverse of e.

EXTENDED EUCLID(f(ɸ), e)
1. (A1, A2, A3) 🡨(1, 0, f(ɸ)); (B1, B2, B3) 🡨 (0, 1, e)
2. If B3 = 0 return A3 = gcd(f(ɸ), b); no inverse
3. If B3 = 1 return B3 = gcd(f(ɸ), b); B2 = b1 mod f(ɸ)
4. Q = A3
B3
5. (T1, T2, T3) 🡨(A1-QB1, A2-QB2, A3-QB3)
6. (A1, A2, A3) 🡨(B1, B2, B3)
7. (B1, B2, B3) 🡨(T1, T2, T3)
8. Goto 2
* 14
 Diffie–Hellman key exchange

Used for sharing a secret key

First, we define a primitive root of a prime number p as one
whose powers modulo p generate all the integers from 1 to
p-1. That is, if a is a primitive root of the prime number p, then
the numbers
a mod p, a2 mod p,..., ap-1 mod p
are distinct and consist of the integers from 1 through p-1 in
some permutation.
For any integer b and a primitive root a of prime number p,
we can find a unique exponent i such that

* 15
The number 3 is a primitive root modulo 7 because

*
16
 The Algorithm

* 17
* 18
 K = (YB)XA mod q
= (aXB mod q)XA mod q
= (aXB)XA mod q by the rules
of modular
arithmetic
= (aXB XA mod q
= (aXA)XB mod q
= (aXA mod q)
= (aXA mod q)XB mod q
= (YA)XB mod q

* 19
1.Alice and Bob agree to use a prime number q=23 and base a=5.
2.Alice chooses a secret integer Xa=6, then sends Bob Ya= aXa mod q
•Ya = 56 mod 23
•Ya = 15,625 mod 23
•Ya = 8
3.Bob chooses a secret integer Xb=15, then sends Alice Yb = aXb mod q
•Yb = 515 mod 23
•Yb = 30,517,578,125 mod 23
•Yb = 19
4.Alice computes s = Yb Xa mod q
•s = 196 mod 23
•s = 47,045,881 mod 23
•s = 2

* 20
5.Bob computes s = Ya Xb mod q
•s = 815 mod 23
•s = 35,184,372,088,832 mod 23
•s = 2
6.Alice and Bob now share a secret: s = 2. This is because 6*15 is the same
as 15*6. So somebody who had known both these private integers might
also have calculated s as follows:
•s = 56*15 mod 23
•s = 515*6 mod 23
•s = 590 mod 23
•s =
807,793,566,946,316,088,741,610,050,849,573,099,185,363,389,551,63
9,556,884,765,625 mod 23
•s = 2

* 21
 Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
imposes a significant load in storing and
processing keys and messages
an alternative is to use elliptic curves
offers same security with smaller bit sizes
newer, but not as well analysed
 Real Elliptic Curves
an elliptic curve is defined by an
equation in two variables x & y, with
coefficients
consider a cubic elliptic curve of form
● y2 = x3 + ax + b
● where x,y,a,b are all real numbers
● also define zero point O
consider set of points E(a,b) that satisfy
have addition operation for elliptic curve
● geometrically sum of P+Q is reflection of the
intersection R
Real Elliptic Curve Example
 Finite Elliptic Curves
Elliptic curve cryptography uses curves
whose variables & coefficients are finite
have two families commonly used:
● prime curves Ep(a,b) defined over Zp
•use integers modulo a prime
•best in software

● binary curves E2m(a,b) defined over GF(2n)

•use polynomials with binary coefficients
•best in hardware
Elliptic Curve Cryptography
ECC addition is analog of modulo multiply
ECC repeated addition is analog of
modulo exponentiation
need “hard” problem equiv to discrete log
● Q=kP, where Q,P belong to a prime curve
● is “easy” to compute Q given k,P
● but “hard” to find k given Q,P
● known as the elliptic curve logarithm problem
Certicom example: E23(9,17)
 ECC Diffie-Hellman
can do key exchange analogous to D-H
users select a suitable curve Eq(a,b)
select base point G=(x1,y1)
● with large order n s.t. nG=O
A & B select private keys nA<n, nB<n
compute public keys: PA=nAG, PB=nBG
compute shared key: K=nAPB, K=nBPA
● same since K=nAnBG
attacker would need to find k, hard
 ECC Encryption/Decryption
several alternatives, will consider simplest
must first encode any message M as a point on
the elliptic curve Pm
select suitable curve & point G as in D-H
each user chooses private key nA<n
and computes public key PA=nAG
to encrypt Pm : Cm={kG, Pm+kPb}, k random
decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
 ECC Security
relies on elliptic curve logarithm problem
fastest method is “Pollard rho method”
compared to factoring, can use much
smaller key sizes than with RSA etc
for equivalent key lengths computations
are roughly equivalent
hence for similar security ECC offers
significant computational advantages
 Comparable Key Sizes for
Equivalent Security
Symmetric ECC-bas RSA/DSA
scheme ed (modulus size in bits)
(key size in bits) scheme
(size of n
in bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360