8.

Public- Key Cryptography
The two keys are used for public key encryption are referred as public key (KUb) and private
key (KRb). With the message X and encryption key Kub as input, A forms the ciphertext
Y = EKub(X)
The intendedreceiver, in possesion ofvthe mutching private key KRb, is able to generatethe
message X from ciphertext
X = DRub(X)
Sender A
Message
source

X

Receiver B

Encryption

Y

Decryption

X

Destination

KRb

KUb
Key pair
source

8.1 Requirement for Public- Key Cryptography
1. It is computationally easy for a party B to generate a pair (public key KUb, private key
KRb).
2. It is computationally easy for a sender A, knowing the public key and the message to
be encrypted, M, to generate the corresponding ciphertext:
Y = EKUb (X)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using
the private key to recorver the original message:
X = DKRb(Y) = DKRb[EKUb(X)]
4. It is computationally infeasible for an opponent, knowing the public key, KUb, to
determine the private key, KRb.
5. It is computationally infeasible for an opponent, knowing the public key, KUb, and a
ciphertex, Y, to recover the original message, X.
We can add a sixth requirement that, although useful, is not necessary for all
public- key applications:
6. Either of the two related keys can be used for encryption, with the other used for
decryption.
X= DKRb[EKUb (X)] = DKUb[EKRb(X)]

59

The two most widely used public-key algorithms are RSA and Diffie- Hellman. We look at
both of these in this section and then briefly introduce two other algorithms.
8.2 The RSA Public-Key Encryption Algorithm
One of the first public- key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and
Len Adlement at MIT and first published in 1978. The RSA scheme has since that time
reigned supreme as the most widely accepted and implemented approach to public-key
encryption. RSA is a blockcipher in which the plaintext and ciphertext are integers between 0
and n-1 for some n.
Encryption and decryption are of the following form, for some plaintext block x
and ciphertext block y:
y = xe mod n
x = yd mod n = (xe)d mod n = xed mod n = x / mod n
where, e=kUb - encryption key, d=kRb- decryption key.
Both sender and receiver must know the values of n and e, and only the receiver knows the
value of d. this is public-key encryption algorithm with a public key of KU= {e, n} and a
private key of KR = {d, n}. For this algorithm to be satisfactory for public-key encryption, the
following requirements must be met:
1. It is possible to find values of e, d, n such that xed = x mod n for all x < n.
2. It is relatively easy to calculate xe and y for all values of x<n.
3. It is infeasible to find d given e and n.
The first two requirements are easily met. The third requirement can be met for a
large values of e and n.
Figure summarizes the RSA algorithm. Begin by selecting two prime numbers, p
and q, and calculating their product n, which is the modulus for encryption and decryption.
Next, we need the Φ(n), referred to as the Euler totient of n, which is the number of positive
integer less than n and relatively prime to n. then select an integer e that is relatively prime to
n. then select an integer e that is relatively prime to Φ(n) [i.e., gcd (e, c(n))=1]. Finally,
calculate d as the multiplicative inverse of e, modulo Φ(n). d= e-1 mod c (n) it can be shown
that d and e have the desired properties.
Suppose that user A has published its public key and that user B wishes to send
the message x to A. Then B calculates y = xe (mod n) and transmits y. On receipt of this
ciphertext, user A decrypts by calculating x = yd (mod n).
Bob (B)

KU={e, n}

Alice(A)
Select: p ,q
Calculation:
n=p.q; Φ(n)=(p-1).(q-1)

x

Encryption

gcd(Φ(n),e)=1; 1<e<Φ(n)

e

y=x mod n

y

d=e-1modΦ(n)
KU={e, n}
KR={d, n}
Decryption:
x=yd mod n

60

An example is shown in figure. For this example, the keys were generated as follows:
1. Select two prime numbers, p = 7 and q = 17.
2. Calculate n = pq = 7 × 17 = 119.
3. Calculate Φ(n) = (p-1)(q-1) = 96.
4. Select e such that e is relatively prime to Φ(n) = 96 and less than Φ(n); in this case,
e = 5.
Encryption
Message
source

19

195mod119
=66

Decryption
66

6677mod119
=19

19

Destination

(77,119)

(5,119)
Key pair
source

Key Generation
Select p,q
Calculate n = p×q
Calculate Φ(n) = (p-1)(q-1)
Select integer e
Calculate d
Public key
Private key

q and p both prime
gcd (Φ(n), e) = 1; 1<e< Φ(n)
d = e-1 mod Φ(n)
KU = {e, n}
KR = {d, n}

Encryption
Plaintext:
Ciphertext:

x<n
y = xe (mod n)

Dencryption
Ciphertext:
Plaintext:

The RSA Algorithm
y

x = yd (mod n)

5. Determine d such that de = 1 mod 96 and d <96. the correct values is d = 77, because
77 × 5 = 385 = 4 × 96+1.
61

Remark: Finding d; d=((Φ(n).i+1)/e=(96.i+1)/5; i=1, 2, 3, 4..when remainder r=0, d=77).
The resulting keys are public key KU = {5, 119}and private key KR = {77, 119}. The
example shows the use of these keys for a plaintext input of M = 19. for encryption, 19 is
raised to the fifth power, yielding 2476099. upon division by 119, the remainder is determined
to be 66. Hence, 195 ≡ 66 mod 119, and the ciphertext is 66. For decryption, it is determined
that 6677 ≡ 19 mod 119.
There are two possible approaches to defeating the RSA algorithm. The first is the
brute- force approach: try all possible private keys. Thus, the larger the number of bits in e
and d, the more secures the algorithm. However, because the calculations involved both in
key generation and in encryption, are complex, the larger the size of the key, the slower the
system will run.
Most discussions of the cryptanalysis of RSA have focused on the task of factoring n
into its two prime factors. For a large n with large prime factors, factoring is a hard problem,
but not as hard as it used to be. A striking illustration of this is the following. In 1977, the
there inventors of RSA dares Scientific American readers to decode a cipher they printed in
Martin Gardner’s ‘Mathematical Games’ column. They offered a $ 100 reward for the
return of a plaintext sentence, an event they predicted might not occur for some 40 quadrillion
years. In April of 1994, a group working over the Internet and using over 1600 computers
chimed the prize after only eight months of work this challenge used a public-key size (length
of n) of 129 decimal digits, or around 428 bits. This result does not invalidate the use of RSA;
it simply means that larger key sizes must be used. Currently, a 1024-bit key size (about 300
decimal digits) is considered strong enough for virtually all applications.
8.3 Discrete Logarithm Problem
In the RSA algorithm, we saw how the difficulty of factoring yields useful cryptosystems.
There is another number theory problem, namely discrete logarithms, that has similar
applications.
Fix a prime p. Let α and β be non zero integers mod p and suppose
β ≡ αx (mod p).
The problem of finding x is called the discrete logarithm problem. If n is the smallest positive
integer such that αn ≡ 1 (mod p), we may assume 0 ≤ x ≤ n, and then we denote
x = Lα,p (β)
and call it the discrete log of β with respect to α).
For example, let p = 11 and let α = 2. since 26 ≡ 9 (mod 11), we have L2,11(9) = 6. of
course, 26 ≡ 216 ≡ 226 ≡ 9 (mod 11),so we could consider taking any one of 6, 16, 26 as the
discrete logarithm. But we fix the value by taking the smallest nonnegative value, namely 6.
note that we could have defined the discrete logarithm in this case to be the congruence class
(6 mod).
In some ways, this would be more natural, but there are applications where it is convenient to
have a number, not just a congruence class.
Often, α is taken to be a primitive root mod p, which means that every β is a power of
α (mod p). That is, if a is a primitive root of the prime number p, then the numbers
a mod p, a2 mod p,…, ap-1 mod p
62

are distinct and consist of the integers from 1 through p – 1 in some permutation.
If α is not a primitive root, then the discrete logarithm will not be defined for certain values of
β.
Given a prime p, it is fairly easy to find a primitive root in many cases.
The discrete log behaves in many ways like the usual logarithm. In particular, if α is a
primitive root mod p, then
Lα,p (β 1β 2) ≡ Lα,p (β 1) + Lα,p (β 2)(mod p-1)
When p is small, it is easy to compute discrete logs by exhaustive search through all possible
exponents. However, when p is large this is not feasible. We given some ways of attacking
discrete log problems later. However, it is believed that discrete logs are hard to compute in
general. This assumption is the basis of several cryptosystems.
The size of the largest primes for which discrete logs can be computed has usually
been approximately the same size as the size of largest integers that could be factored (both of
these refer to computations that would work for arbitrary numbers of these sizes; special
choices of integers will succumb to special techniques, and thus discrete log computations and
factorizations work for much larger specially chosen numbers). In the year 2001, a discrete
log was computed for a 110- digit prime, which was the record at that time. The record
factorization up to then was 155 digits.
A function f (x) is called a one-way function if f(x) is easy to compute, but, given y, it
is computationally in feasible to find x with f(x) = y. modular exponentiation is probably an
example of such a function. It is easy compute α x (mod p), but solving α x ≡ β for x is
probably hard. Multiplication of large primes can also be regarded as a (probable) one-way
function: it is easy to multiply primes but difficult to factor the result to recover the primes.
One-way functions have many cryptographic uses.
Example: let p = 19, d = 2 and β = 14. we are then looking for a choice of x such that
2x ≡ 14 (mod 19).

αx ≡ β mod p.

We proceed by systematic trial and error, calculating values of 2x modulo 19 until we either
find an x that works or we exhaust all the possibilities and find that there is no solution.
Shows a complete set of values, and we see that x = 7 is the only solution.

x

1
2
3
4
5
6
7
8
9

2x mod 19

2
4
8
16
13
7
14
9
18

2x mod 19

x

10
11
12
13
14
15
16
17
18

17
15
11
3
6
12
5
10
1
63

8.4 Diffie-Hellman Key Exchange
The first published public-key algorithm appeared in the seminal paper by Diffie and
Hellman that defined public-key cryptography and is generally referred to as Diffie-Hellman
key Exchange. A number of commercial products employ this key exchange technique.
The purpose of the algorithm is to enable two users to exchange a secret key securely
that can then be used for subsequent encryption of messages.
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of
computing discrete logarithms.
The Diffie-Hellman key exchange, is summarized as follows. There are two publicly
known numbers: a prime number q and a integer α that is primitive root of q. Suppose the
users A and B wish to exchange a key. User A selects a random integer XA < q and computes
Y A   X A mod q , similarly, user B independently selects a random integer XB<q and computes
YB   X B mod q .
Global Public Elements
q

prime number

α

α<q and α a primitive root of q

User A Key Generation
Select private XA

XA < q

Calculate public YA

Y A   X A mod q

User B Key Generation
Select private XB

XB < q

Calculate public YB

YB  a X B mod q

Generation of Secret Key by User A
K  (YB ) X A mod q

Generation of Secret Key by User B
K  (Y A ) X B mod q

64

Each side keeps the X value private and makes the Y value available publicly to the other
side. User A computes the key as K  (YB ) X A mod q and user B computes the key as
K  (YA ) X B mod q .These two calculations produce identical results:
K  (YB ) X A mod q
= ( X B mod q ) X A mod q
= ( X B ) X A mod q

=
=
=
=

XA

 X mod q
( X ) X mod q
( X mod q ) X mod q
(YA ) X mod q
B

A

B

A

B

B

Thus, the two sides have exchanged a secret key. Furthermore, because XA AND XB are
private, an opponent is forced to take a discrete logarithm to determine the key. For example,
attacking the secret key of user B, the opponent must compute XB from YB  a X B mod q .
The opponent can then calculate the key K in the same manner as user B calculates it.
The security of the Diffie-Hellman key Exchange lies in the fact that, while it is
relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate
discrete logarithms. For large primes, the latter task is considered infeasible.
Here is an example, taken from. Key exchange is based on the use of the prime
number q=71 and a primitive root of 71, in this case α = 7. A and B select private keys XA = 5
and XB = 12, respectively. Each computes its public key:
YA = 75 = 51 mod 71
YB = 712 = 4 mod 71
After they exchange public keys, each can compute the common secret key:
K  (YB ) X A mod 71  45  30 mod 71
K  (YA ) X B mod 71  5112  30 mod 71

From {51, 4}, an attacker cannot easily compute 30.
This shows a simple protocol that makes use of the Diffie-Hellman calculation.
Suppose that user A wishes to set up a connection with user B and use a secret key to encrypt
messages an that connection. User A can generate a one-time private key XA, calculate YA,
and send that to user B. user B responds by generating a private value XB, calculating YB, and
sending YB to user A. both users can now calculate the key. The necessary public values q and
α would need to be known ahead of time. Alternatively, user A could pick values for q and α
and include those in the first message.
As an example of another use of the Diffie-Hellman algorithm, suppose that a group of
users each generate a long-lasting private value XA an calculate a public value YA. these
public values, together with global public values for q and α, are stored in some central
directory. At any time, user B can access user A’s public value, calculate a secret key, and
use that to send an encrypted message to user A. If the central directory is trusted, then
this from of communication provides both confidentiality and a degree of authentication.
Because only A and B can determine the key, no other user can read the message.
65

Recipient A knows that only user B could have created a message using this key.
However, the technique does not protect against replay attack Euclid’s Algorithm
8.5 The ElGamal Public Key Cryptosystem
We studied a public key cryptosystem whose security is based on the difficulty of factoring. It
is also possible to design a system whose security relies on the difficulty of computing
discrete logarithms. This was done by ElGamal in 1985. This system does not quit fit the
definition of a public key cryptosystem given at the end, since the set of possible plaintexts
(integer mod p) is not the same as the set of possible ciphertext (pairs of integers (r, t) mod p).
However, this technical point will not concern us.
Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive
root α . Assume is an integer with 0≤ m <p. If m is larger, break it into smaller blocks. Bob
also chooses a secret integer a and computes β ≡ αa (mod p). the information (p, α, β) is made
public and is Bob’s public key. Alice does the following:
1.
2.
3.
4.

Downloads (p, α, β)
Choose a secret random integer k and computer r ≡ αk (mod p)
Compute t ≡ βkm (mod p)
Sends the pair (r, t) to Bob.

Bob decrypts by computing
tr –a ≡ m (mod p).
this works because
tr-a ≡ βkm (αk)-a ≡ (αk)a m α-ak ≡ m

(mod p).
Bob

Alice

m

m-message
Downloads:
Bob’s public key:
p, , 
Selects:
k with gcd(k,p-1)=1
Computes:
r   k (mod p)
t=  km(mod p)

Bob’s public key
p, , 

r,t

Selects:
Large prime p, primitive root
 , secret integres
a(  a  p  2 ) and
Computes:
   a (mod p)
Decrypts by computing
tr –a ≡ m (mod p).
tr-a ≡ βkm (αk)-a ≡
k a
(α ) m α-ak ≡ m (mod p).

If Eve determines a, then she can also decrypt by the same procedure that Bob uses. Therefore
it is important for Bob to keep a secret. The numbers α and β are public, and β ≡ αa (mod p).
the difficultly of computing discrete logs is what keeps a secure.
Since k is a random integer, βk will be random nonzero integer mod t is random mod p
(unless m = 0, which should be avoided, of course). Therefore, t gives Eve no information
about m, knowing r does not seem to give Eve enough addition information.
The integer k is difficult to determine from r, since this is again a discrete logarithm
problem. However if Eve finds k, she can then calculate tβ-k, which is m.
66

It is important that a different random k be used for each message. Suppose Alice
encrypts message m1 and m2 for Bob and uses the same value k for each message. Then r will
be the same for both message, so the cipher texts will be (r, t1) and (r, t2). If eve finds out the
plaintext m1, she can also determine m2, as follows. Note that
t1 /m1 ≡ βk ≡ t2 / m2 (mod p).

67