Public Key Cryptography, RSA, DLP, ECC

Uploaded by

drakegandhi007

RSA Cryptosystem

RSA Cipher
• The most common public-key algorithm, named after
its inventors (Rivest, Shamir, and Adleman)
• Two keys
– The sender uses recipient’s public key to encrypt
– The receiver uses his private key to decrypt
• Based on trap door, one way function
– Easy to compute in one direction
– Hard to compute in other direction
– “Trap door” used to create keys
– Example: Given p and q, product N=pq is easy to compute,
but given N, it is hard to find p and q
Public Key Cryptography
• Encryption
– Suppose we encrypt M with Bob’s public key
– Only Bob’s private key can decrypt to find M
• Digital Signatures
– Sign by encrypting with private key
– Anyone can verify signature by decrypting with
public key
– But only private key holder could have signed
– Like a handwritten signature
Encryption
• The encryption algorithm performs various transformations on
the plaintext
• Public and private keys:
– A pair of keys is selected so that if one is used for encryption, the
other is used for decryption
Decryption
• This algorithm accepts the ciphertext and the matching key and produces
the original plaintext
• Each user generates a pair of keys to be used for the encryption and
decryption of messages
• Each user places one of the two keys in a public register or other
accessible file - this is the public key
• The companion key is kept private
• If Bob wishes to send a confidential message
to Alice, Bob encrypts the message using
Alice’s public key
• When Alice receives the message, she decrypts
it using her private key
• With this approach, all participants have access
to public keys, and private keys are generated
locally by each participant and therefore need
never be distributed
– As long as a user’s private key remains protected
and secret, incoming communication is secure
RSA Cryptosystem
RSA parameter generation
• This cryptosystem uses computations in $Z_n$,
where n is the product of two distinct odd
primes p and q
• $\phi(n) = (p - 1)(q - 1)$
• Encryption and decryption are inverse
operations (proof of correctness)
– $ab \equiv 1 \pmod{\phi(n)} \Rightarrow ab = t \times \phi(n) + 1$ for
some integer $t \ge 1$
– Suppose that $x \in Z_n^*$, then we have
– $(x^b)^a \equiv x^{t\phi(n)+1} \pmod{n} \equiv (x^{\phi(n)})^t \, x \pmod{n} \equiv 1^t \, x \pmod{n} \equiv x \pmod{n}$
Fermat’s Theorem
• Theorem
– If p is prime and a is a positive integer not
divisible by p, then
$a^{p-1} \equiv 1 \pmod{p}$
Euler’s Theorem
• It states that for every a and n that are
relatively prime: $a^{\phi(n)} \equiv 1 \pmod{n}$
• Example:
– Suppose that $a = 3$ and $n = 10$.
– Show that $a^{\phi(n)} \equiv 1 \pmod{n}$.
• Answer:
– $\phi(n) = 4$, where these 4 integers are {1, 3, 7, 9}
– So, $3^4 = 81 \equiv 1 \pmod{10}$
• Example
– Suppose Bob chooses p = 101 and q = 113
– Then n = 11413 and $\phi(n) = 100 \times 112 = 11200 = 2^6 \cdot 5^2 \cdot 7$
– An integer b can be used as an encryption exponent
if and only if b is not divisible by 2, 5, or 7
– In practice, Bob will not factor $\phi(n)$, but will
check whether $\gcd(b, \phi(n)) = 1$ and compute $b^{-1}$
– Suppose Bob chooses b = 3533, then
$b^{-1} \bmod 11200 = 6597$
– Hence, Bob’s secret decryption exponent is a = 6597
• Bob publishes n = 11413 and b = 3533 in a
directory
• Suppose Alice wants to encrypt the
plaintext 9726 to send to Bob
• So, she computes $x^b \bmod n = 9726^{3533} \bmod 11413 = 5761$ and sends it
to Bob
• When Bob receives the ciphertext 5761, he
uses his secret decryption exponent to
compute $5761^{6597} \bmod 11413 = 9726$
Multiplicative inverse calculation
• $3533^{-1} \bmod 11200$, with $t = t_1 - q\,t_2$

  q      r1     r2      r      t1      t2       t
  3   11200   3533    601       0       1      -3
  5    3533    601    528       1      -3      16
  1     601    528     73      -3      16     -19
  7     528     73     17      16     -19     149
  4      73     17      5     -19     149    -615
  3      17      5      2     149    -615    1994
  2       5      2      1    -615    1994   -4603
  2       2      1      0    1994   -4603   11200
          1      0          -4603   11200

• $3533^{-1} \bmod 11200 = -4603 = -4603 + 11200 = 6597$
Example
– Suppose Bob chooses p = 17 and q = 11
– Then n = 187 and $\phi(n) = 16 \times 10 = 160$
– Suppose Bob chooses b = 7 which is co-prime to
160, then $b^{-1} \bmod 160 = 23$
– So, Bob’s secret decryption exponent is a = 23
– The resulting keys are public key PU = {7, 187}
and private key PR = {23, 187}.
– Suppose Alice wants to encrypt the plaintext 88 to
send to Bob
– So, she computes $x^b \bmod n = 88^7 \bmod 187 = 11$ and sends it to Bob
– When Bob receives the ciphertext 11, he uses his
secret decryption exponent to compute
$11^{23} \bmod 187 = 88$
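Added example (not part of the original slides): the extended Euclidean tableau with the update t = t1 − q·t2, used to derive the RSA decryption exponent and replay both toy key pairs above. The function names are chosen here for illustration, and the code is textbook RSA without padding, for study with toy parameters only.

```python
def ext_euclid_rows(b, n):
    """Tableau rows (q, r1, r2, r, t1, t2, t) for b^-1 mod n, with t = t1 - q*t2."""
    rows = []
    r1, r2, t1, t2 = n, b, 0, 1
    while r2 > 0:
        q, r = divmod(r1, r2)
        t = t1 - q * t2
        rows.append((q, r1, r2, r, t1, t2, t))
        r1, r2, t1, t2 = r2, r, t2, t
    return rows, r1, t1            # r1 = gcd(b, n); t1 is the inverse when gcd = 1


def mod_inverse(b, n):
    """b^-1 mod n, or ValueError when gcd(b, n) != 1 (b is not a valid exponent)."""
    _, g, t = ext_euclid_rows(b, n)
    if g != 1:
        raise ValueError(f"{b} has no inverse modulo {n} (gcd = {g})")
    return t % n                   # map a negative t (e.g. -4603) into [0, n)


def rsa_keypair(p, q, b):
    """Return (public, private) = ((b, n), (a, n)) with a = b^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (b, n), (mod_inverse(b, phi), n)


def rsa_apply(key, x):
    """Encrypt with the public key or decrypt with the private key: x^exp mod n."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("message must lie in [0, n)")
    return pow(x, exp, n)


if __name__ == "__main__":
    rows, g, t = ext_euclid_rows(3533, 11200)
    print(("{:>7}" * 7).format("q", "r1", "r2", "r", "t1", "t2", "t"))
    for row in rows:
        print(("{:>7}" * 7).format(*row))
    print("gcd =", g, " inverse =", t % 11200)
    # Parameters (p, q, b, plaintext) are the two examples from the slides.
    for p, q, b, x in [(101, 113, 3533, 9726), (17, 11, 7, 88)]:
        pub, priv = rsa_keypair(p, q, b)
        y = rsa_apply(pub, x)
        print(f"n={pub[1]} b={b} a={priv[0]}: {x} -> {y} -> {rsa_apply(priv, y)}")
```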
• Compute $28^{-1} \pmod{75}$

• Suppose that $a$ and $b$ are positive integers
having $k$ and $l$ bits respectively in their
binary representations
– $k = \lfloor \log_2 a \rfloor + 1$
– $l = \lfloor \log_2 b \rfloor + 1$
• We have considered modular exponentiation,
i.e., computation of a function of the form
$x^c \bmod n$
• Both the encryption and the decryption
operations in the RSA Cryptosystem are
modular exponentiations
• Computation of $x^c \bmod n$ can be done using
$(c - 1)$ modular multiplications; however, this
is very inefficient if c is large
• Note that c might be as big as $\phi(n) - 1$, which
is almost as big as $n$ and exponentially large
compared to $l$, where $l = \lfloor \log_2 c \rfloor + 1$ is the
number of bits representing c
Efficient Exponentiation
• It reduces the number of modular
multiplications required to compute
$x^c \bmod n$ to at most $2l$, where $l$ is the
number of bits in the binary representation
of c
• The exponent c is represented in binary
notation, say $c = \sum_{i=0}^{l-1} c_i 2^i$, where $c_i = 0$ or $1$
Square-and-multiply (𝑥, 𝑐, 𝑛)
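Added example (not part of the original slides): a left-to-right square-and-multiply that also counts modular multiplications, so the bound of at most 2l can be checked against the (c − 1) multiplications of the naive method. The function names are chosen here for illustration.

```python
def square_and_multiply(x, c, n):
    """Return (x^c mod n, number of modular multiplications performed)."""
    z, mults = 1 % n, 0
    for bit in bin(c)[2:]:          # bits c_{l-1} ... c_0, most significant first
        z = (z * z) % n             # one squaring per bit of c
        mults += 1
        if bit == "1":
            z = (z * x) % n         # one extra multiplication when c_i = 1
            mults += 1
    return z, mults


def cost_comparison(c):
    """Return (l, upper bound 2l, naive count c - 1) for an exponent c >= 1."""
    l = c.bit_length()              # l = floor(log2 c) + 1
    return l, 2 * l, c - 1


if __name__ == "__main__":
    # Exponents and modulus are the RSA example values used earlier in the slides.
    for x, c in [(9726, 3533), (5761, 6597)]:
        value, mults = square_and_multiply(x, c, 11413)
        l, bound, naive = cost_comparison(c)
        print(f"{x}^{c} mod 11413 = {value}: {mults} multiplications "
              f"(l = {l}, bound 2l = {bound}, naive = {naive})")
```

The branch on each exponent bit makes the running time depend on c; when c is a private exponent, production implementations use constant-time exponentiation instead.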
Primality Testing
• In setting up the RSA Cryptosystem, it is
necessary to generate large “random primes”
• How can we carry a test for primality?
• We use randomized algorithm called Monte-
Carlo algorithm
• This algorithm gives an answer in time that is
polynomial in $\log_2 n$, which is the number of
bits to store $n$
• But there is a possibility that the algorithm
may claim that 𝑛 is prime when it is not
• The other pertinent question is how many
random integers (of a specified size) will
need to be tested until we find one that is
prime
• Prime number theorem:
– Number of primes that are less than or equal to
N is given by:
$\pi(N) \approx \frac{N}{\ln N}$
• If N is a 512-bit number, then there are
around $\frac{2^{512}}{\ln 2^{512}} \approx \frac{2^{512}}{355}$
• So, a random 512-bit integer will be a prime
with probability of 1/355
• Thus, if we choose 355 such integers at random, we
expect about one of them to be prime
Monte-Carlo Algorithm
• Randomized algorithm which is yes based
• There is always an answer
• When the answer is yes, it is correct
• If the answer is no, the answer may be wrong
– (Error probability = $\varepsilon$) ⇒ (for any instance, if
the answer is yes, it can say no with a
probability at most $\varepsilon$)
– The probability is over all random choices of the
algorithm
• Miller-Rabin primality test is such randomized
polynomial time Monte-Carlo algorithm
Miller-Rabin primality test
• It provides an elegant way to test whether a number (n) is prime
with high probability
• In this test, we write $(n - 1)$ as the product of an odd number m
and a power of 2:
$n - 1 = m \times 2^k$
Example: primality test
• Example: Test if 61 is prime or not.
• Answer:
– We use base 2
$61 - 1 = 60 = 15 \times 2^2 \rightarrow m = 15,\ k = 2,\ a = 2$
Initialization: $T = 2^{15} \bmod 61 = 11 \bmod 61$
k=1: $T = 11^2 \bmod 61 = 60 \bmod 61 = -1 \bmod 61 \rightarrow$ a prime
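Added example (not part of the original slides): one Miller-Rabin round that records the sequence of T values, so the trace for n = 61 with base 2 can be compared with the slide, plus a multi-round wrapper. The composite 2047 = 23 × 89 is a constructed input showing the one-sided error: base 2 accepts it, base 3 rejects it. The function names are chosen here for illustration.

```python
import random


def decompose(n):
    """Write n - 1 = m * 2^k with m odd and return (m, k)."""
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return m, k


def mr_round(n, a):
    """One round with base a on odd n > 3. Returns (verdict, list of T values).

    A "composite" verdict is always correct; "probably prime" can be wrong.
    """
    m, k = decompose(n)
    T = pow(a, m, n)                      # initialization: T = a^m mod n
    trace = [T]
    if T in (1, n - 1):
        return "probably prime", trace
    for _ in range(k - 1):                # at most k - 1 squarings
        T = (T * T) % n
        trace.append(T)
        if T == n - 1:                    # reached -1 mod n
            return "probably prime", trace
        if T == 1:                        # non-trivial square root of 1
            return "composite", trace
    return "composite", trace


def is_probable_prime(n, rounds=20, rng=random):
    """Repeat the round with random bases; the error shrinks with each round."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        if mr_round(n, rng.randrange(2, n - 1))[0] == "composite":
            return False
    return True


if __name__ == "__main__":
    print(decompose(61), mr_round(61, 2))        # slide example
    print(mr_round(2047, 2), mr_round(2047, 3))  # constructed composite
    print([n for n in range(2, 80) if is_probable_prime(n)])
```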
ElGamal Cryptosystem
• Public-key cryptosystems are based on the
Discrete Logarithm problem
• First and best-known of these is the ElGamal
Cryptosystem
• The Discrete Logarithm problem forms the
basis of numerous cryptographic protocols
• Consider a finite multiplicative group $(G, \cdot)$
• For an element $\alpha \in G$ having order $n$, let
$\langle\alpha\rangle = \{\alpha^i : 0 \le i \le n - 1\}$
• $\langle\alpha\rangle$ is a subgroup of $G$ and is cyclic of order $n$
• The subgroup $\langle\alpha\rangle$ is called the subgroup generated by $\alpha$
• For a prime number $p$, the total number of elements in the subgroup $\langle\alpha\rangle$
generated by $\alpha$ is $n = |\langle\alpha\rangle| = p - 1$, where $\alpha$ is a primitive element
• For the prime number 19, its primitive elements are 2, 3, 10, 13, 14, and 15
Discrete Logarithm problem
• The Discrete Logarithm Problem (DLP) is to find the
unique integer i, $0 \le i \le n - 1$ where n is the order of
the subgroup $\langle\alpha\rangle$, such that:
$\alpha^i = \beta$
• We denote this integer by $\log_\alpha \beta$ (referred to as Discrete
Log)
– Discrete Logarithm is the inverse of exponentiation
operation
• Exponentiation is easy to compute (by the square and
multiply algorithm)
• If the group is properly chosen, computation of Discrete
Logarithm is believed to be difficult
• Thus, the exponentiation is a potential one-way
problem, having applications in public key cryptography
• The encryption operation in the ElGamal
Cryptosystem is randomized
• The ciphertext depends on both the
plaintext 𝑥 and on the random value 𝑘
chosen by Alice
• There will be many ciphertexts (p-1, in fact)
that are encryptions of the same plaintext
Example
• Suppose p = 17, $\alpha = 6$ (primitive element of $\mathbb{Z}_p^*$)
• Let $a = 5$ (secret value)
• $\beta = 6^5 \bmod 17 = 7$
• Suppose, Alice wishes to send $x = 13$ to Bob
– She randomly chooses k = 10
– $y_1 = 6^{10} \bmod 17 = 15$
– $y_2 = 13(7^{10}) \bmod 17 = 9$
• Alice sends $y = (15, 9)$
• Bob computes $x = 9\,(15^5)^{-1} \bmod 17 = 13$
• Clearly the ElGamal Cryptosystem will be
insecure if Eve can compute the value
$a = \log_\alpha \beta$, then Eve can decrypt ciphertexts
exactly as Bob does
• Hence, a necessary condition for the ElGamal
Cryptosystem to be secure is that the Discrete
Logarithm problem in $\mathbb{Z}_p^*$ is infeasible
• For a secure setting, it is recommended that 𝑝
should have at least 2048 bits in its binary
representation, and 𝑝 − 1 should have at least
one “large” prime factor
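Added example (not part of the original slides): ElGamal over $\mathbb{Z}_p^*$ with the slide's toy values p = 17, α = 6, a = 5. It replays the worked example, enumerates the p − 1 distinct ciphertexts of one plaintext, and shows that for a 5-bit prime the exponent a falls to exhaustive search, which is why the size recommendation above matters. The function names are chosen here for illustration; `pow(v, -1, p)` needs Python 3.8 or later.

```python
def elgamal_public(p, alpha, a):
    """beta = alpha^a mod p, published together with p and alpha."""
    return pow(alpha, a, p)


def elgamal_encrypt(p, alpha, beta, x, k):
    """Ciphertext (y1, y2) = (alpha^k, x * beta^k) mod p for random k."""
    return pow(alpha, k, p), (x * pow(beta, k, p)) % p


def elgamal_decrypt(p, a, y1, y2):
    """x = y2 * (y1^a)^-1 mod p."""
    return (y2 * pow(pow(y1, a, p), -1, p)) % p


def all_ciphertexts(p, alpha, beta, x):
    """Every ciphertext of x, one for each k in 0 .. p-2."""
    return {elgamal_encrypt(p, alpha, beta, x, k) for k in range(p - 1)}


def discrete_log_by_search(p, alpha, beta):
    """Exhaustive search for i with alpha^i = beta; feasible only for tiny p."""
    for i in range(p - 1):
        if pow(alpha, i, p) == beta:
            return i
    return None


if __name__ == "__main__":
    p, alpha, a, x, k = 17, 6, 5, 13, 10          # values from the slide
    beta = elgamal_public(p, alpha, a)
    y1, y2 = elgamal_encrypt(p, alpha, beta, x, k)
    print("beta =", beta, " ciphertext =", (y1, y2),
          " decrypted =", elgamal_decrypt(p, a, y1, y2))
    cts = all_ciphertexts(p, alpha, beta, x)
    print(len(cts), "distinct ciphertexts, all decrypting to",
          {elgamal_decrypt(p, a, *c) for c in cts})
    print("log_alpha(beta) found by search:", discrete_log_by_search(p, alpha, beta))
```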
Elliptic curve cryptography
• An elliptic curve is defined by an equation in two
variables with coefficients
• Elliptic curves are not ellipses
– They are so named because they are described by cubic
equations, similar to those used for calculating the
circumference of an ellipse
• Elliptic curve cryptography (ECC) is an encryption
technique based on elliptic curve theory that can be
used as faster, smaller, and more efficient
cryptosystems
• Miller and Koblitz in mid 1980s and Lenstra
showed how to use elliptic curves to factor integers
• Obtain same level of security as conventional
cryptosystems but with much smaller key sizes
• Two types of elliptic curves are used in cryptographic
applications:
– 1. prime curves over $Z_p$
– 2. binary curves over $GF(2^m)$
• For a prime curve over $Z_p$, we use a cubic equation in
which the variables and coefficients all take on values in
the set of integers from 0 through $p - 1$ and in which
calculations are performed modulo $p$
• For a binary curve defined over $GF(2^m)$, the variables
and coefficients all take on values in $GF(2^m)$ and
calculations are performed over $GF(2^m)$
• Prime curves are best for software applications
• Binary curves are best for hardware applications, where
it takes remarkably few logic gates to create a powerful,
fast cryptosystem
General Form of Elliptic Curve
• An elliptic curve
E: $y^2 = x^3 + ax + b$
• (a, b) belong to any of the
appropriate sets namely
rational numbers, complex
numbers, integers etc.
• More general form:
$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_5$
Addition Law: Example
• Given two points $P_1$ and $P_2$
on E, we can find $P_3$ as
follows:
• Let $P_1 = (2, 9)$ and $P_2 = (3, 10)$ and E: $y^2 = x^3 + 73$
• Find the equation of the line
passing through $P_1$ and $P_2$
• Find a point Q such that it
lies on the line through $P_1$
and $P_2$ and the curve E
[Figure: curve E with the points P1, P2, Q and P3 marked]
Example contd…
• Equation of the line: y = x + 7
• For Q, substitute this eqn. in E:
$(x + 7)^2 = x^3 + 73$
• Roots of this cubic: P1, P2 and Q.
• Rule: For a cubic polynomial of the form
$x^3 + a_2 x^2 + a_1 x + a_0$, the roots $r_1$, $r_2$, and $r_3$
are related by: $r_1 + r_2 + r_3 = -a_2$
• Applying this to our cubic $x^3 - x^2 - 14x + 24 = 0$,
we obtain $2 + 3 + x_Q = 1 \Rightarrow x_Q = -4$
$y_Q = x_Q + 7 \Rightarrow y_Q = 3 \Rightarrow Q = (-4, 3)$
• P3 is the mirror image of Q.
Thus $P_3 = (-4, -3)$
Addition Law-Definition
• Define a law of addition on E by:
$P_1 + P_2 = P_3$ (i.e., addition of two points will give the third point)
• Addition Law: Let E: $y^2 = x^3 + ax + b$ and let $P_1 = (x_1, y_1)$ & $P_2 = (x_2, y_2)$,
then $P_1 + P_2 = P_3 = (x_3, y_3)$
Where
$x_3 = m^2 - x_1 - x_2$
$y_3 = m(x_1 - x_3) - y_1$
and
$m = (y_2 - y_1)/(x_2 - x_1)$ if $P_1 \ne P_2$,
$m = (3x_1^2 + a)/(2y_1)$ if $P_1 = P_2$
Definition of 𝑃 + 𝑃
• Draw a tangent line
through P, the point of
intersection with the
curve is defined as –R,
then 𝑃 + 𝑃 = 2𝑃 = 𝑅
Definition of P + (-P)
• 𝑃 + (−𝑃) = 𝑂
• The line connecting
the two points does
not intercept the
curve at a third point.
• The point 𝑂 is
defined as the point
at infinity or zero
point, which is the
additive identity of
the group.
Multiplication
• 𝑘. 𝑃 = 𝑃 + 𝑃 + 𝑃 + … . + 𝑃 (k times)
where k is an integer
Elliptic Curves mod n
• Let E: $y^2 \equiv x^3 + 2x + 3 \pmod 5$
• The points on E are pairs (x, y) mod 5 that satisfy the equation
• The possible values are
$x \equiv 0 \Rightarrow y^2 \equiv 3 \pmod 5 \Rightarrow$ no solutions
$x \equiv 1 \Rightarrow y^2 \equiv 6 \pmod 5 \Rightarrow y \equiv 1, 4$
$x \equiv 2 \Rightarrow y^2 \equiv 15 \pmod 5 \Rightarrow y \equiv 0$
$x \equiv 3 \Rightarrow y^2 \equiv 36 \pmod 5 \Rightarrow y \equiv 1, 4$
$x \equiv 4 \Rightarrow y^2 \equiv 75 \pmod 5 \Rightarrow y \equiv 0$
• Therefore the points on E are (1,1), (1,4), (2,0), (3,1), (3,4), (4,0)
Encryption: Example
• Let E: $y^2 \equiv x^3 + 2x + 3 \pmod 5$
• P = (1, 4), K = (3, 1)
• The cipher text is obtained as follows:
$m = (1 - 4)/(3 - 1) = 1 \pmod 5$
$x_3 = 1 - 1 - 3 = -3 \pmod 5 = 2$
$y_3 = 1(1 - 2) - 4 = 0 \pmod 5$
• Cipher Text = C = (2, 0)
[Figure: points P, K, Q and C on the curve]
Decryption: Example
• Let E: $y^2 \equiv x^3 + 2x + 3 \pmod 5$
• C = (2, 0); K = (3, 1)
• The decryption is same as
encrypting with –K
• $-K = (3, -1) \pmod 5 = (3, 4)$
• $m = 4/1 = 4$
$x_3 = 16 - 2 - 3 = 1 \pmod 5$
$y_3 = 4(2 - 1) - 0 = 4$
• Hence, $P = (1, 4)$
[Figure: points P, K, Q and C on the curve]
Example: kP
• Consider E: $y^2 = x^3 + 9x + 17 \pmod{23}$
– Denoted as group $E_{23}(9, 17)$
• Consider a point $P = (16, 5)$
• Find the values of 2P, 3P.
• Answer:
– $m = \frac{3x_1^2 + a}{2y_1} = \frac{777}{10} = \frac{9}{5} \bmod 23 = 9 \times 14 \bmod 23 = 11$
– $x_3 = m^2 - x_1 - x_2 = (121 - 32) \bmod 23 = 20$
– $y_3 = 11(x_1 - x_3) - y_1 = 11(16 - 20) - 5 = -49 \bmod 23 = 20$
– Therefore, $2P = (20, 20)$
Generic Procedures of ECC
• Both parties agree to some publicly-known data items
– The elliptic curve equation
• values of a and b
• prime, p
– The elliptic group $E_p(a, b)$ computed from the elliptic
curve equation
– A base point, B, taken from the elliptic group
• Similar to the generator used in current cryptosystems
• Each user generates their public/private key pair
– Private Key = an integer, x, selected from the interval [1, p-1]
– Public Key = product, Q, of private key and base point
• (Q = x*B)
An Example of Elliptic Curves
• Cryptography can be done as follows:
• Suppose Alice wants to send to Bob an encrypted
message.
– Both agree on a base point, B.
– Alice and Bob create public/private keys.
• Alice
– Private Key = a
– Public Key = PA = a * B
• Bob
– Private Key = b
– Public Key = PB = b * B
– Alice takes plaintext message, M, and encodes it onto a
point, PM, from the elliptic group
General Diffie-Hellman Key Exchange
• Alice and Bob choose a large
prime number $p$ and a
primitive root/element
$\alpha \pmod p$. Both $p$ and $\alpha$ can
be made public.
• Alice chooses a secret random
value (private key) $x$ and Bob
chooses a secret random value
(private key) $y$.
• Alice sends $\alpha^x \pmod p$ to
Bob, and Bob sends
$\alpha^y \pmod p$ to Alice.
• Alice calculates
key as $K = (\alpha^y)^x \pmod p$ and Bob
calculates $K = (\alpha^x)^y \pmod p$
• This secret value “K” is used
as shared symmetric secret key
[Figure: Alice (secret $x$) sends $\alpha^x \pmod p$ to Bob; Bob (secret $y$) sends $\alpha^y \pmod p$ to Alice; Alice computes $(\alpha^y)^x \pmod p$ and Bob computes $(\alpha^x)^y \pmod p$]
Diffie-Hellman: Example
• Consider prime number p = 353, and primitive root of
353 as $\alpha = 3$.
• Alice and Bob select private keys $x = 97$ and $y = 233$,
respectively.
• Each computes its public keys:
– Alice computes $P_A = \alpha^x \bmod 353 = 3^{97} \bmod 353 = 40$
– Bob computes $P_B = \alpha^y \bmod 353 = 3^{233} \bmod 353 = 248$
• After they exchange the public keys, each can compute
the common secret key:
– Alice computes $K = (P_B)^x \bmod 353 = 248^{97} \bmod 353 = 160$
– Bob computes $K = (P_A)^y \bmod 353 = 40^{233} \bmod 353 = 160$
• Now consider an adversary who can observe the key exchange and
wishes to determine the secret key K.
• Because $x$ and $y$ are private, an adversary only has the following
ingredients to work with:
– $p$, $\alpha$, $P_A$, and $P_B$.
• Thus, the adversary is forced to take a discrete logarithm to determine
the key.
• For example, to determine the private key of user B, an adversary must
compute
– $y = \log_{\alpha,p}(P_B)$
• The adversary can then calculate the key K in the same manner as user
B calculates it. That is, the adversary can calculate K as
– $K = (P_A)^y \bmod p$
• The security of the Diffie–Hellman key exchange lies in the fact that,
while it is relatively easy to calculate exponentials modulo a prime, it
is very difficult to calculate discrete logarithms. For large primes, the
latter task is considered infeasible.
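Man-in-the-middle attack
• Eve shares secret $\alpha^{xt} \bmod p$ with Alice
• Eve shares secret $\alpha^{yt} \bmod p$ with Bob
• Alice and Bob do not know Eve exists!
[Figure: Alice (secret $x$) sends $\alpha^x \bmod p$ and receives $\alpha^t \bmod p$; Bob (secret $y$) sends $\alpha^y \bmod p$ and receives $\alpha^t \bmod p$; Eve (secret $t$) sits between them]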
Designing cryptographic protocols
• The Man in the Middle attack on the DH
key agreement scheme shows that although
the primitives are strong, the protocol can
be weak
• Therefore, the question is
– How to design strong protocols from strong
primitives
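Added example (not part of the original slides): the Diffie-Hellman example with p = 353, α = 3, x = 97, y = 233, run once as intended and once with both public values replaced by $\alpha^t \bmod p$ as on the man-in-the-middle slide. The value t = 29 and the function names are assumptions chosen here; the point for a protocol designer is that the two endpoints end up with different keys, which an authenticated comparison of the derived keys would expose.

```python
def dh_public(alpha, secret, p):
    """Public value alpha^secret mod p."""
    return pow(alpha, secret, p)


def dh_shared(peer_public, secret, p):
    """Shared key (peer_public)^secret mod p."""
    return pow(peer_public, secret, p)


def run_exchange(p, alpha, x, y, t=None):
    """Return (key derived by Alice, key derived by Bob).

    With t=None the public values arrive unmodified. With a value for t, each
    side receives alpha^t mod p instead of the peer's real public value, which
    is the situation drawn on the man-in-the-middle slide.
    """
    pa, pb = dh_public(alpha, x, p), dh_public(alpha, y, p)
    if t is None:
        received_by_alice, received_by_bob = pb, pa
    else:
        received_by_alice = received_by_bob = dh_public(alpha, t, p)
    return dh_shared(received_by_alice, x, p), dh_shared(received_by_bob, y, p)


def keys_agree(p, alpha, x, y, t=None):
    """Key confirmation: do both endpoints hold the same key?"""
    ka, kb = run_exchange(p, alpha, x, y, t)
    return ka == kb


if __name__ == "__main__":
    p, alpha, x, y = 353, 3, 97, 233              # values from the slides
    print("public values:", dh_public(alpha, x, p), dh_public(alpha, y, p))
    print("unmodified exchange:", run_exchange(p, alpha, x, y),
          "agree =", keys_agree(p, alpha, x, y))
    t = 29                                        # constructed value for Eve's secret
    ka, kb = run_exchange(p, alpha, x, y, t)
    print("with substitution: ", (ka, kb), "agree =", keys_agree(p, alpha, x, y, t))
    # The intermediary can derive both keys from the real public values and t.
    print("alpha^(xt), alpha^(yt):",
          dh_shared(dh_public(alpha, x, p), t, p),
          dh_shared(dh_public(alpha, y, p), t, p))
```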
Example – Elliptic Curve Diffie-Hellman Key Exchange
• Alice and Bob want to agree on a shared key.
– Alice and Bob compute their public and private keys.
• Alice
» Private Key = a
» Public Key = PA = a * B
• Bob
» Private Key = b
» Public Key = PB = b * B
– Alice and Bob send each other their public keys.
– Both take the product of their private key and the other user’s
public key.
• Alice → KAB = a(bB)
• Bob → KAB = b(aB)
• Shared Secret Key = KAB = abB
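Added example (not part of the original slides): the addition law over $Z_p$ in code, serving the earlier addition-law, mod-5 encryption/decryption and kP slides as well as the key exchange above, since all of them rest on the same point arithmetic. The private keys 3 and 7 in the exchange are constructed values, the base point B = (16, 5) on $E_{23}(9, 17)$ is taken from the kP slide, and the function names are chosen here; `pow(v, -1, p)` needs Python 3.8 or later.

```python
O = None  # the point at infinity, additive identity of the group


def ec_add(P, Q, a, p):
    """P + Q on y^2 = x^3 + ax + b over Z_p (b is not needed for addition)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                  # P + (-P) = O, incl. doubling when y = 0
    if P == Q:
        m = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_neg(P, p):
    """-P = (x, -y mod p)."""
    return O if P is O else (P[0], (-P[1]) % p)


def ec_mul(k, P, a, p):
    """k.P by double-and-add over the bits of k, most significant first."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, p)
        if bit == "1":
            R = ec_add(R, P, a, p)
    return R


def curve_points(a, b, p):
    """All affine points (x, y) with y^2 = x^3 + ax + b (mod p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def ecdh(priv_a, priv_b, B, a, p):
    """Return (PA, PB, Alice's shared point a(bB), Bob's shared point b(aB))."""
    PA, PB = ec_mul(priv_a, B, a, p), ec_mul(priv_b, B, a, p)
    return PA, PB, ec_mul(priv_a, PB, a, p), ec_mul(priv_b, PA, a, p)


if __name__ == "__main__":
    print(curve_points(2, 3, 5))                        # points on E mod 5
    C = ec_add((1, 4), (3, 1), 2, 5)                    # "encryption" P + K
    print(C, ec_add(C, ec_neg((3, 1), 5), 2, 5))        # and C + (-K)
    B = (16, 5)                                         # base point on E23(9, 17)
    print(ec_mul(2, B, 9, 23), ec_mul(3, B, 9, 23))     # 2P and 3P
    print(ecdh(3, 7, B, 9, 23))                         # constructed private keys
```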
Security of ECC

• To protect a 128-bit AES key with comparable strength, it would take:
– RSA Key Size: 3072 bits
– ECC Key Size: 256 bits
• How do we strengthen RSA?
– Increase the key length
Applications of ECC
• Many devices are small and have limited storage
and computational power
• Where can we apply ECC?
– Wireless communication devices
– Smart cards
– Web servers that need to handle many encryption
sessions
– Any application where security is needed but lacks
the power, storage and computational power that is
necessary for our current cryptosystems
Benefits of ECC
• Same benefits just like the other
cryptosystems: confidentiality, integrity,
authentication and non-repudiation but…
• Shorter key lengths
– Encryption, Decryption and Signature
Verification speed up
– Storage and bandwidth savings
• “Hard problem” analogous to discrete log
– Q=kP, where Q,P belong to elliptic curve
given k,P → “easy” to compute Q
given Q,P → “hard” to find k
– known as the elliptic curve logarithm problem
• k must be large enough
• ECC security relies on elliptic curve
logarithm problem
– We can use much smaller key sizes than RSA etc
➔ for similar security ECC offers significant
computational advantages
