Cns Unit-3 CJR - For Students


UNIT- III:

Asymmetric Encryption
Mathematics of Asymmetric Key Cryptography, Asymmetric Key Cryptography

CJR 1/18
Ch-10 – Asymmetric-Key Cryptography

1. Introduction to asymmetric-key cryptography

Public-key algorithms rely on one key for encryption and a different but related key for decryption.
These algorithms have the following important characteristic:

• It is computationally infeasible to determine the decryption key given only knowledge of the
cryptographic algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit the following characteristic:

• Either of the two related keys can be used for encryption, with the other used for decryption.
A public-key encryption scheme has six ingredients:

• Plaintext: This is the readable message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext.
• Public and Private Key: This is a pair of keys that have been selected so that if one is used for
encryption, the other is used for decryption. The exact transformations performed by the
encryption algorithm depend on the public or private key that is provided as input.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and
the key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.

Figure 10.1: Public Key Cryptography (Secrecy)

The essential steps are the following:

1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the
public key. The companion key is kept private. As Figure 10.1 suggests, each user maintains
a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s
public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can
decrypt the message because only Alice knows Alice’s private key.

With this approach, all participants have access to public keys, and private keys are
generated locally by each participant and therefore need never be distributed. As long as a system
controls its private key, its incoming communication is secure. At any time, a system can change
its private key and publish the companion public key to replace its old public key.
Let us take a closer look at the essential elements of a public-key encryption scheme, using
Figure 10.2. There is some source A that produces a message in plaintext X. The message is intended
for destination B. B generates a related pair of keys: a public key, $KU_b$, and a private key, $KR_b$.
$KR_b$ is known only to B, whereas $KU_b$ is publicly available and therefore accessible by A.
With message X and the encryption key $KU_b$ as input, A forms the ciphertext Y.

$Y = E_{KU_b}(X)$

The intended receiver, in possession of the matching private key, is able to invert the
transformation:

$X = D_{KR_b}(Y)$

An opponent who observes Y and has access to $KU_b$ also knows the encryption (E) and
decryption (D) algorithms, but he does not have access to $KR_b$, so he cannot recover the
original message.
So, in this case secrecy is provided but authentication fails. Anybody can send a message using
B’s public key, so the receiver cannot tell which message really came from A.

Figure 10.2: Public Key Cryptosystem: Secrecy

Figure 10.3: Public Key Cryptosystem: Authentication

Another scheme, illustrated in Figure 10.3, shows the use of public-key encryption to provide
authentication.

$Y = E_{KR_a}(X)$
$X = D_{KU_a}(Y)$

In this case, A prepares a message to B and encrypts it using A’s private key before
transmitting it. B can decrypt the message using A’s public key. Because the message was encrypted
using A’s private key, only A could have prepared the message.
It is impossible to alter the message without access to A’s private key, so the message is
authenticated both in terms of source and in terms of data integrity.
In this scheme authentication is provided but secrecy is not. Anybody can decrypt the message and
obtain the plaintext using A’s public key.
It is, however, possible to provide both the authentication function and confidentiality by a
double use of the public-key scheme:

$Z = E_{KU_b}[E_{KR_a}(X)]$
$X = D_{KU_a}[D_{KR_b}(Z)]$

In this case, we begin as before by encrypting a message, using the sender’s private key. Next, we
encrypt again, using the receiver’s public key. The final ciphertext can be decrypted only by the
intended receiver, who alone has the matching private key. Thus, confidentiality is provided. The
disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised
four times rather than two in each communication.

Difference between symmetric-key and asymmetric-key cryptosystems

• The conceptual difference between the two systems is based on how these systems keep a
secret. In symmetric-key cryptography, the secret must be shared between two persons. In
asymmetric-key cryptography, the secret is personal (unshared); each person creates and
keeps his or her own secret.
• In a community of n people, n(n-1)/2 shared secrets are needed for symmetric-key
cryptography; only n personal secrets are needed in asymmetric-key cryptography. For a
community with a population of 1 million, symmetric-key cryptography would require half a
billion shared secrets; asymmetric-key cryptography would require 1 million personal secrets.
• Symmetric-key cryptography is based on substitution and permutation of symbols
(characters or bits); asymmetric-key cryptography is based on applying mathematical
functions to numbers.
• In symmetric-key cryptography, the plaintext and ciphertext are thought of as a combination
of symbols. Encryption and decryption permute these symbols or substitute a symbol for
another. In asymmetric-key cryptography, the plaintext and ciphertext are numbers;
encryption and decryption are mathematical functions that are applied to numbers to create
other numbers.

Symmetric-key cryptography is based on shared secrecy;
asymmetric-key cryptography is based on personal secrecy.

In symmetric-key cryptography, symbols are permuted or substituted;
in asymmetric-key cryptography, numbers are manipulated.

Need for both

There is a very important fact that is sometimes misunderstood: The advent of asymmetric-key
(public-key) cryptography does not eliminate the need for symmetric-key cryptography. The reason
is that asymmetric-key cryptography, which uses mathematical functions for encryption and
decryption, is much slower than symmetric-key cryptography. For encipherment of large messages,
symmetric-key cryptography is still needed. On the other hand, the speed of symmetric-key
cryptography does not eliminate the need for asymmetric-key cryptography. Asymmetric-key
cryptography is still needed for authentication, digital signatures, and secret-key exchanges. This
means that, to be able to use all aspects of security today, we need both symmetric-key and
asymmetric-key cryptography.

Trapdoor One-Way Function


The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function.
A function is a rule that associates (maps) one element in set A, called the domain, to one element
in set B, called the range, as shown in the below figure.

Figure: A function as a rule mapping a domain to a range

One-way function: A one-way function (OWF) is a function that satisfies the following two properties:

1. f is easy to compute. In other words, given x, y = f(x) can be easily computed.
2. $f^{-1}$ is difficult to compute. In other words, given y, it is computationally infeasible to
calculate $x = f^{-1}(y)$.

A trapdoor one-way function (TOWF) is a one-way function with a third property:

3. Given y and a trapdoor (secret), x can be computed easily.

Knapsack Cryptosystem

Suppose we are given two k-tuples, $a = [a_1, a_2, \dots, a_k]$ and $x = [x_1, x_2, \dots, x_k]$. The first
tuple is the predefined set; the second tuple, in which $x_i$ is only 0 or 1, defines which elements of a
are to be dropped in the knapsack. The sum of elements in the knapsack is

$s = \mathrm{knapsackSum}(a, x) = a_1x_1 + a_2x_2 + \dots + a_kx_k$

Given a and x, it is easy to calculate s. However, given s and a it is difficult to find x. In other
words, s = knapsackSum(a, x) is easy to calculate, but x = inv_knapsackSum(s, a) is difficult.

Superincreasing Tuple: It is easy to compute knapsackSum and inv_knapsackSum if the k-tuple a is
superincreasing. In a superincreasing tuple, $a_i \ge a_1 + a_2 + \dots + a_{i-1}$. In other words,
each element (except $a_1$) is greater than or equal to the sum of all previous elements.

Algorithm: knapsackSum and inv_knapsackSum for a superincreasing k-tuple


Example:
As a very trivial example, assume that a = [17, 25, 46, 94, 201, 400] and s = 272 are given. Table
10.1 shows how the tuple x is found using the inv_knapsackSum routine in Algorithm 10.1. In this case
x = [0, 1, 1, 0, 1, 0], which means that 25, 46, and 201 are in the knapsack.

Solution:

This is a trivial (very insecure) example just to show the procedure.
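
The two routines named above, written out as an added example (this is not the notes' Algorithm 10.1, whose body is not reproduced on this page). The Python function names and the error handling are choices of this example; the tuple and sum are the ones from the worked example.

```python
# Added example: knapsackSum and inv_knapsackSum for a superincreasing tuple.

def is_superincreasing(a):
    """True if every element is >= the sum of all elements before it."""
    running = 0
    for value in a:
        if value < running:
            return False
        running += value
    return True


def knapsack_sum(a, x):
    """s = a1*x1 + a2*x2 + ... + ak*xk, with every xi equal to 0 or 1."""
    if len(a) != len(x) or any(bit not in (0, 1) for bit in x):
        raise ValueError("x must be a 0/1 tuple of the same length as a")
    return sum(ai * xi for ai, xi in zip(a, x))


def inv_knapsack_sum(s, a):
    """Recover x from s by scanning a from its largest element down.

    Valid only for a superincreasing a: the elements below a[i] sum to at
    most a[i], so whenever a[i] fits into what is left of s it can be taken.
    """
    if not is_superincreasing(a):
        raise ValueError("a is not superincreasing; greedy recovery is invalid")
    x = [0] * len(a)
    remaining = s
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= remaining:
            x[i] = 1
            remaining -= a[i]
    if remaining != 0:
        raise ValueError("s is not the sum of any subset of a")
    return x


if __name__ == "__main__":
    a = [17, 25, 46, 94, 201, 400]      # tuple from the worked example
    x = inv_knapsack_sum(272, a)
    print("x =", x, "check:", knapsack_sum(a, x))
```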

2. RSA Cryptosystem

The most common public-key algorithm is the RSA cryptosystem, named for its inventors (Rivest,
Shamir, and Adleman).

RSA uses two exponents, e and d, where e is public and d is private. Suppose P is the plaintext and
C is the ciphertext. Alice uses $C = P^e \bmod n$ to create ciphertext C from plaintext P; Bob uses
$P = C^d \bmod n$ to retrieve the plaintext sent by Alice. The modulus n, a very large number, is created
during the key generation process, as we will discuss later.

Figure 10.4 Complexity of operations in RSA

In other words, Alice uses a one-way function (modular exponentiation) with a trapdoor known only
to Bob. Eve, who does not know the trapdoor, cannot decrypt the message. If some day a polynomial
algorithm for calculating the e-th root modulo n is found, modular exponentiation will no longer be
a one-way function.

Procedure:
Figure 10.5 shows the general idea behind the procedure used in RSA.

Figure 10.5 Encryption, decryption, and key generation in RSA

RSA key generation algorithm

In RSA, the tuple (e, n) is the public key; the integer d is the private key.

Encryption algorithm

Decryption algorithm

In RSA, p and q must be at least 512 bits; n must be at least 1024 bits.

Example:
Bob chooses 7 and 11 as p and q and calculates n = 77. The value of φ(n) = (7 − 1)(11 − 1) or 60.
Now he chooses two exponents, e and d, from $Z_{60}^*$. If he chooses e to be 13, then d is 37. Note that
e × d mod 60 = 1 (they are inverses of each other). Now imagine that Alice wants to send the plaintext 5 to
Bob. She uses the public exponent 13 to encrypt 5.

Plaintext: 5    $C = 5^{13} \bmod 77 = 26 \bmod 77$    Ciphertext: 26

Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:

Ciphertext: 26    $P = 26^{37} \bmod 77 = 5 \bmod 77$    Plaintext: 5

Example:
Now assume that another person, John, wants to send a message to Bob. John can use the same
public key announced by Bob (probably on his website), 13; John’s plaintext is 63. John calculates
the following:

Plaintext: 63    $C = 63^{13} \bmod 77 = 28 \bmod 77$    Ciphertext: 28

Bob receives the ciphertext 28 and uses his private key 37 to decipher the ciphertext:

Ciphertext: 28    $P = 28^{37} \bmod 77 = 63 \bmod 77$    Plaintext: 63

Example:
Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates
n = 159197. She then calculates φ(n) = 158400. She then chooses e = 343 and d = 12007. Show
how Ted can send a message to Jennifer if he knows e and n.

Suppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number
(from 00 to 25), with each character coded as two digits. He then concatenates the two coded
characters and gets a four-digit number. The plaintext is 1314. Figure 10.6 shows the process.

Figure 10.6 Encryption and decryption for the above example
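
The three worked examples above, run end to end as an added example (not the notes' own algorithms, whose bodies are not reproduced on this page). Function names are this example's; it also counts the unconcealed messages ($P^e \bmod n = P$) that the attack list below says must be checked for, by brute force over a toy modulus.

```python
# Added example: textbook RSA with the numbers used in these notes.
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((e, n), d) for primes p, q and a chosen public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be in Z_phi(n)* so that an inverse d exists")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n), Python 3.8+
    return (e, n), d


def rsa_encrypt(P, public_key):
    e, n = public_key
    if not 0 <= P < n:
        raise ValueError("plaintext must be a number smaller than n")
    return pow(P, e, n)              # C = P^e mod n


def rsa_decrypt(C, d, n):
    return pow(C, d, n)              # P = C^d mod n


def encode(text):
    """'NO' -> 1314: each letter A..Z becomes two digits 00..25."""
    return int("".join(f"{ord(ch) - ord('A'):02d}" for ch in text.upper()))


def decode(number, length):
    """Inverse of encode(); length restores leading zeros (e.g. 'AB' -> 0001)."""
    digits = f"{number:0{2 * length}d}"
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, len(digits), 2))


def unconcealed(public_key):
    """Plaintexts with P^e mod n == P (brute force, toy moduli only)."""
    e, n = public_key
    return [P for P in range(n) if pow(P, e, n) == P]


if __name__ == "__main__":
    bob_pub, bob_d = rsa_keygen(7, 11, 13)
    print("Bob:", bob_pub, "d =", bob_d)
    for P in (5, 63):                               # Alice's and John's messages
        C = rsa_encrypt(P, bob_pub)
        print(P, "->", C, "->", rsa_decrypt(C, bob_d, bob_pub[1]))
    print("unconcealed messages mod 77:", len(unconcealed(bob_pub)))

    jen_pub, jen_d = rsa_keygen(397, 401, 343)
    C = rsa_encrypt(encode("NO"), jen_pub)
    print("Jennifer reads:", decode(rsa_decrypt(C, jen_d, jen_pub[1]), 2))
```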

Attacks on RSA

Security of RSA: the attacks are explained below.

1. Plaintext attacks:
These are classified into 3 subcategories:

• (i) Short message attack:
Here we assume that the attacker knows some blocks of plaintext and tries to decode the
ciphertext with their help. To prevent this, pad the plaintext before encrypting.
• (ii) Cycling attack:
Here the attacker assumes that the plaintext is converted into ciphertext by a permutation and
keeps applying the conversion. But the attacker does not know the right plaintext, so he keeps
doing it.
• (iii) Unconcealed message attack:
Sometimes it happens that the plaintext is the same as the ciphertext after encryption. So this
must be checked so that it cannot be attacked.

2. Chosen cipher attack:
In this attack, the attacker is able to find out the plaintext based on the ciphertext using the
Extended Euclidean Algorithm.

3. Factorization attack:
If the attacker is able to find P and Q from N, then he can find the value of the private key.
This attack fails when N contains at least 300 digits in decimal terms; the attacker will not be
able to find P and Q.

4. Attacks on the encryption key:
If we take a smaller value of E in RSA this may occur, so to avoid this take the value of
E = 2^16+1 (at least).

5. Attacks on the decryption key:

• (i) Revealed decryption exponent attack:
If the attacker somehow guesses the decryption key D, not only is the ciphertext generated by
encrypting the plaintext with the corresponding encryption key in danger, but future messages
are also in danger. So, it is advised to take fresh values of the two prime numbers (i.e., P and
Q), N and E.
• (ii) Low decryption exponent attack:
If we take a smaller value of D in RSA this may occur, so to avoid this take the value of
D = 2^16+1 (at least).

3. RABIN Cryptosystem

The Rabin cryptosystem, devised by M. Rabin, is a variation of the RSA cryptosystem.

The Rabin cryptosystem can be thought of as an RSA cryptosystem in which the values of e and d
are fixed; e = 2 and d = ½. The encryption is $C \equiv P^2 \pmod{n}$ and the decryption is
$P \equiv C^{1/2} \pmod{n}$.

The public key in the Rabin cryptosystem is n; the private key is the tuple (p, q). Everyone can
encrypt a message using n; only Bob can decrypt the message using p and q. Decryption of the
message is infeasible for Eve because she does not know the values of p and q. Figure 10.7 shows
the encryption and decryption.

Figure 10.7 Rabin cryptosystem

Algorithm: Key generation for Rabin cryptosystem

Algorithm: Encryption in Rabin cryptosystem

Algorithm: Decryption in Rabin cryptosystem

The most important point about the Rabin system is that it is not deterministic. The decryption has
four answers. The receiver chooses one among the four plaintexts that is meaningful/suitable for
the situation.

The Rabin cryptosystem is not deterministic; decryption creates four equally probable
plaintexts.

Example:

Here is a very trivial example to show the idea.

1. Bob selects p = 23 and q = 7. Note that both are congruent to 3 mod 4.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24. Note that 161 and 24 are relatively prime; 24 is in
$Z_{161}^*$. She calculates $C = 24^2 \bmod 161 = 93$, and sends the ciphertext 93 to Bob.
5. Bob receives 93 and calculates four values:
$a_1 = +(93^{(23+1)/4}) \bmod 23 = 1 \bmod 23$
$a_2 = -(93^{(23+1)/4}) \bmod 23 = 22 \bmod 23$
$b_1 = +(93^{(7+1)/4}) \bmod 7 = 4 \bmod 7$
$b_2 = -(93^{(7+1)/4}) \bmod 7 = 3 \bmod 7$
6. Bob takes four possible answers, $(a_1, b_1)$, $(a_1, b_2)$, $(a_2, b_1)$, and $(a_2, b_2)$, and uses the
Chinese remainder theorem to find four possible plaintexts: 116, 24, 137, and 45. Note that only the
second answer is Alice’s plaintext.
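
The same six steps as an added example (not the notes' own algorithms, whose bodies are not reproduced on this page). Function names are this example's, and choose_plaintext with its "meaningful" rule is a hypothetical stand-in for however the receiver recognizes the right root.

```python
# Added example: Rabin encryption and four-root decryption, p = 23, q = 7.

def rabin_keygen(p, q):
    """Public key n, private key (p, q). Primality is assumed, not tested."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be distinct primes of the form 4k + 3")
    return p * q, (p, q)


def rabin_encrypt(P, n):
    if not 0 <= P < n:
        raise ValueError("plaintext must be smaller than n")
    return pow(P, 2, n)                        # C = P^2 mod n


def crt_pair(a, b, p, q):
    """Chinese remainder theorem: the x in [0, pq) with x = a (mod p), x = b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def rabin_decrypt(C, private_key):
    """Return the four square roots of C mod pq, ordered as in step 6."""
    p, q = private_key
    a1 = pow(C, (p + 1) // 4, p)               # root mod p (needs p = 3 mod 4)
    a2 = (-a1) % p
    b1 = pow(C, (q + 1) // 4, q)               # root mod q (needs q = 3 mod 4)
    b2 = (-b1) % q
    return [crt_pair(a, b, p, q) for a in (a1, a2) for b in (b1, b2)]


def choose_plaintext(roots, looks_valid):
    """Pick the single root the receiver accepts; refuse to guess otherwise."""
    candidates = [r for r in roots if looks_valid(r)]
    if len(candidates) != 1:
        raise ValueError(f"ambiguous decryption, candidates: {candidates}")
    return candidates[0]


if __name__ == "__main__":
    n, private_key = rabin_keygen(23, 7)
    C = rabin_encrypt(24, n)
    roots = rabin_decrypt(C, private_key)
    print("n =", n, "C =", C, "roots =", roots)
    # Hypothetical rule: valid messages are small numbers below 32.
    print("accepted:", choose_plaintext(roots, lambda r: r < 32))
```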

4. ElGamal Cryptosystem

Besides RSA and Rabin, another public-key cryptosystem is ElGamal, named after its inventor,
Taher ElGamal. ElGamal is based on the discrete logarithm problem discussed in the previous
chapter.

Figure 10.8 shows key generation, encryption, and decryption in ElGamal.

Figure 10.8 Key generation, encryption, and decryption in ElGamal

Algorithm: ElGamal key generation

Algorithm: ElGamal encryption

Algorithm: ElGamal decryption

Example:

Here is a trivial example. Bob chooses p = 11 and $e_1 = 2$ and d = 3; $e_2 = e_1^d \bmod 11 = 8$. So the public
keys are (2, 8, 11) and the private key is 3. Alice chooses r = 4 and calculates $C_1$ and $C_2$ for the
plaintext 7.

Encryption
$C_1 = e_1^r \bmod 11 = 2^4 \bmod 11 = 5 \bmod 11$
$C_2 = P \times e_2^r \bmod 11 = 7 \times 8^4 \bmod 11 = 7 \times 4096 \bmod 11 = 6 \bmod 11$
Ciphertext: (5, 6)

Bob receives the ciphertext (5 and 6) and calculates the plaintext.

$P = C_2 \times (C_1^d)^{-1} \bmod p$
$= C_2 \times C_1^{p-1-d} \bmod p$ [according to Fermat’s little theorem]
$= 6 \times 5^{11-1-3} \bmod 11$
$= 7$

For the ElGamal cryptosystem, p must be at least 300 digits and r must be new for each
encipherment.
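
The example above as an added sketch (not the notes' own algorithms, whose bodies are not reproduced on this page). Function names are this example's; reused_r is a hypothetical audit helper for the rule that r must be new for each encipherment, and it assumes $e_1$ is a primitive root, as 2 is modulo 11.

```python
# Added example: ElGamal with p = 11, e1 = 2, d = 3, plus a check for reused r.
import secrets


def elgamal_keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    if not 1 <= d <= p - 2:
        raise ValueError("d must satisfy 1 <= d <= p - 2")
    return (e1, pow(e1, d, p), p), d


def elgamal_encrypt(P, public_key, r=None):
    """Encrypt P. Pass r only to reproduce a worked example; otherwise a
    fresh random r in [1, p - 2] is drawn for every call."""
    e1, e2, p = public_key
    if not 0 < P < p:
        raise ValueError("plaintext must satisfy 0 < P < p")
    if r is None:
        r = 1 + secrets.randbelow(p - 2)
    C1 = pow(e1, r, p)                         # C1 = e1^r mod p
    C2 = (P * pow(e2, r, p)) % p               # C2 = P * e2^r mod p
    return C1, C2


def elgamal_decrypt(ciphertext, d, p):
    C1, C2 = ciphertext
    # (C1^d)^-1 = C1^(p-1-d) mod p by Fermat's little theorem
    return (C2 * pow(C1, p - 1 - d, p)) % p


def reused_r(ciphertexts):
    """Index pairs of ciphertexts that share C1, which means the same r and
    therefore the same mask e2^r was applied to both plaintexts."""
    first_seen, pairs = {}, []
    for i, (C1, _) in enumerate(ciphertexts):
        if C1 in first_seen:
            pairs.append((first_seen[C1], i))
        else:
            first_seen[C1] = i
    return pairs


if __name__ == "__main__":
    public_key, d = elgamal_keygen(11, 2, 3)
    ct = elgamal_encrypt(7, public_key, r=4)
    print("public key:", public_key, "ciphertext:", ct)
    print("decrypted:", elgamal_decrypt(ct, d, 11))
    # Constructed log of three ciphertexts; the first two reuse r = 4.
    log = [ct, elgamal_encrypt(3, public_key, r=4), elgamal_encrypt(3, public_key, r=5)]
    print("reused r at:", reused_r(log))
```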

5. Elliptic Curve Cryptosystems

Although RSA and ElGamal are secure asymmetric-key cryptosystems, their security comes with
their large keys. Elliptic curve cryptosystem (ECC) gives the same level of security with smaller key
sizes.

Comparable key sizes for equivalent security

Symmetric scheme      ECC-based scheme      RSA/DSA
(key size in bits)    (size of n in bits)   (modulus size in bits)
56                    112                   512
:                     :                     :
128                   256                   3072
:                     :                     :
256                   512                   15360

An elliptic curve over the real numbers is of the form

$y^2 = x^3 + ax + b$ [for some fixed values for the parameters a and b]

The curve is non-singular which means that the curve has no self-intersections.

Since the curve is symmetrical about the x-axis, given any point P, we can take −P to be the point
opposite it. We take −O to be just O.

The example elliptic curves are given here

Expressing the elliptic curve in the form $E_p(a, b)$ means that we have an elliptic curve with
parameters a and b and we need to operate over mod p where p is a prime number.

Example:
Find points on the elliptic curve $E_{11}(1, 6)$.

Solution:

In the above problem a = 1, b = 6, p = 11.

The general elliptic curve form is $y^2 = x^3 + ax + b$.

Substituting the values of a and b, the equation becomes $y^2 = x^3 + x + 6$.

The calculation should be done over mod 11.

So x and y values should only vary from 0 to 10, because $Z_{11}$ = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}.

We need to find the values of x and y such that LHS equals RHS. When LHS = RHS that point will
lie on the elliptic curve.

        RHS                                  LHS
x       $x^3 + x + 6 \pmod{11}$       y      $y^2 \pmod{11}$
0       6                             0      0
1       8                             1      1
2       5                             2      4
3       3                             3      9
4       8                             4      5
5       4                             5      3
6       8                             6      3
7       4                             7      5
8       9                             8      9
9       7                             9      4
10      4                             10     1

The points on the elliptic curve are

(2, 4) (2, 7)
(3, 5) (3, 6)
(5, 2) (5, 9)
(7, 2) (7, 9)
(8, 3) (8, 8)
(10, 2) (10, 9)

Exercise:
Find the points on the elliptic curve $y^2 = x^3 + x + 1$; the calculation should be done over modulo 13.

Finding an inverse: The inverse of a point (x, y) is (x, −y), where −y is the additive inverse of
y. For example, if p = 13, the inverse of (4, 2) is (4, −2 mod 13) = (4, 11).

Elliptic Curve Cryptography Simulating ElGamal

Several methods have been used to encrypt and decrypt using elliptic curves. The common one is
to simulate the ElGamal cryptosystem using an elliptic curve over GF(p) or $GF(2^n)$, as shown in
Figure 10.9.

Figure 10.9 ElGamal cryptosystem using the elliptic curve

Generating Public and Private Keys

1. Bob chooses E(a, b) with an elliptic curve over GF(p) or $GF(2^n)$.
2. Bob chooses a point on the curve, e1(x1, y1).
3. Bob chooses an integer d.
4. Bob calculates e2(x2, y2) = d × e1(x1, y1).
5. Bob announces E(a, b), e1(x1, y1), and e2(x2, y2) as his public key; he keeps d as his private
key.

Encryption
Alice selects P, a point on the curve, as her plaintext, P. She then calculates a pair of points on the
text as ciphertexts:

Decryption
Bob, after receiving C1 and C2, calculates P, the plaintext using the following formula.

Example:

1. Bob selects $E_{67}(2, 3)$ as the elliptic curve over GF(p).
2. Bob selects e1 = (2, 22) and d = 4.
3. Bob calculates e2 = (13, 45), where e2 = d × e1.
4. Bob publicly announces the tuple (E, e1, e2).
5. Alice sends the plaintext P = (24, 26) to Bob. She selects r = 2.
6. Alice finds the point C1 = (35, 1), C2 = (21, 44).
7. Bob receives C1, C2. He uses 4 × C1(35, 1) to get (23, 25), inverts the point (23, 25)
to get the point (23, 42).
8. Bob adds (23, 42) with C2 = (21, 44) to get the original one P = (24, 26).
