You are on page 1of 59

# Asymmetric Encryption

Techniques

## DR. ALEKHA KUMAR MISHRA 1

Public-key cryptosystems
One key for encryption and a different, but related key for decryption
Important characteristic
◦ It is computationally infeasible to determine the decryption key given the
cryptographic algorithm and the encryption key.
◦ Some algorithms, such as RSA uses either of the two related keys for
encryption, with the other used for decryption.

## DR. ALEKHA KUMAR MISHRA 2

Public-key encryption
(with public key)
6 components
Plaintext
Encryption algorithm
Public and private keys:
One is used for encryption,
the other is used for
decryption
Ciphertext
Decryption algorithm

## DR. ALEKHA KUMAR MISHRA 3

Public-key encryption
(with private key)
Essential steps:
Each user generates a pair of keys to be used
for the encryption and decryption of
messages.
Each user places one of the two keys in a
public register or other accessible file. (
public key). The companion key is kept
private (private key).
Each user maintains a collection of public
keys obtained from others.
If Bob wishes to send a confidential message
to Alice, Bob encrypts the message using
Alice’s public key.
When Alice receives the message, she
decrypts it using her private key.
No other recipient can decrypt the
message because only Alice knows Alice’s
private key.

## DR. ALEKHA KUMAR MISHRA 4

Public-key Encryption :
Confidentiality

## DR. ALEKHA KUMAR MISHRA 5

Public-Key Cryptosystem:
Authentication

## DR. ALEKHA KUMAR MISHRA 6

Public-Key Cryptosystem:
Authentication and secrecy

## DR. ALEKHA KUMAR MISHRA 7

Requirements of public-key cryptography
It is computationally easy for a party B to generate a key pair
It is computationally easy for a sender A, knowing the public key and the
message to be encrypted, M, to generate the corresponding ciphertext
It is computationally easy for the receiver B to decrypt the resulting
ciphertext using the private key to recover the original message
It is computationally infeasible for an adversary, knowing the public key,
PUb,to determine the private key, PRb
It is computationally infeasible for an adversary, knowing the public key,
PUb, and a ciphertext, C, to recover the original message, M
The two keys can be applied in either order

## DR. ALEKHA KUMAR MISHRA 8

Foundation :One-way function
A one-way function is one that maps a domain into a range such that every function
value has a unique inverse, with the condition that the calculation of the function is easy,
whereas the calculation of the inverse is infeasible:
Y = f(X) is easy (algorithms are said to belong to the class P)
X = f -1(Y) is infeasible (effort to solve it grows faster than polynomial time as a
function of input size)
A trap-door one-way function : It is easy to calculate in one direction and infeasible to
calculate in the other direction unless certain additional information is known. With the
additional information the inverse can be calculated in polynomial time.
A trapdoor one-way function is a family of invertible functions fk, such that
Y = fk(X) easy, if k and X are known
X = fk-1(Y) easy, if k and Y are known
X = fk-1(Y) infeasible, if Y is known but k is not known

## DR. ALEKHA KUMAR MISHRA 9

Cryptanalysis of Public-key
Brute-force attack
◦ Countermeasure: Large key size vs. computation complexity
Computing private key given public key
Probable-message attack

RSA

## DR. ALEKHA KUMAR MISHRA 11

RSA
Developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at
MIT
The most widely accepted and implemented general-purpose
approach to public-key encryption

## DR. ALEKHA KUMAR MISHRA 12

The RSA Algorithm
RSA makes use of an expression with exponentials.
Plaintext is encrypted in blocks, with the block size must be less than or equal to log2(n) + 1 for
some number n; in practice, the block size is i bits, where 2i < n <= 2i+1.
Encryption and decryption are of the following form, for some plaintext block M and ciphertext
block C.
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
Both sender and receiver must know the value of n.
Public key, PU = {e, n} and a private key, PR = {d, n}.
This algorithm must meet the following requirements:
1. It is possible to find values of e, d, and n such that Med mod n = M for all M < n.
2. It is relatively easy to calculate Me mod n and Cd mod n for all values of M < n.
3. It is infeasible to determine d given e and n.
DR. ALEKHA KUMAR MISHRA 13
The RSA Algorithm
The relationship Med mod n = M holds true if e and d are
multiplicative inverses modulo φ(n), where φ(n) is the Euler totient
function.
for p, q prime, φ(pq) = (p - 1)(q - 1). The relationship between e and
d can be expressed as ed mod f(n) =1
This is equivalent to saying
ed ≡ 1 mod φ(n)
d ≡ e-1 mod φ(n)

## DR. ALEKHA KUMAR MISHRA 14

RSA Key generation
Select p, q, two prime numbers (private)
Calculate n = pq (public)
Calculate φ(n) = p-1 × q-1 (private)
Select e, with gcd(φ(n), e) = 1; 1 < e < φ(n) (public)
Calculate d ≡ e-1 (mod φ(n)) (private)
Public key PU = {e, n}
Private key PR = {d, n}

## DR. ALEKHA KUMAR MISHRA 15

RSA Encryption & Decryption
If Bob want to send secret message to Alice then, he must have
public key of Alice {e,n}
Plain Text: M<n
Cipher Text: C = Me mod n
Alice uses private key to decrypt Bob’s message
Cipher Text: C
Decrypted Plain Text: M = Cd mod n

## DR. ALEKHA KUMAR MISHRA 16

RSA: An Example
Select two prime numbers, p = 17 and q = 11. Let M = 88.
 Calculate n = pq = 17 * 11 = 187. For encryption, we need to calculate
Calculate φ(n) = (p - 1)(q - 1) = 16 * 10 = 160. C = 887 mod 187
Select e such that e is relatively prime to f(n) = ≡ 11 mod 187 (using modular arithmetic).
160 and less than φ(n); we choose e = 7.
For decryption, we calculate
Determine d such that de ≡ 1 (mod 160) and d
< 160. The correct value is M = 1123 mod 187

## d = 23, because 23 * 7 = 161 = (1 * 160) + 1; d ≡ 88 mod 187 (using modular arithmetic)

can be calculated using the extended Euclid’s
algorithm
The resulting keys are public key PU = {7,
187} and private key PR = {23, 187}.
DR. ALEKHA KUMAR MISHRA 17
RSA Multiple
block processing

RSA Multiple
block
processing
:Example

## DR. ALEKHA KUMAR MISHRA 19

Computations in RSA
Exponentiation in modular
arithmetic using
[(a mod n) × (b mod n)] mod n = (a × b) mod n

## More generally, if we wish to

find the value ab mod n, where b
as a binary number bkbk-1…b0,
then we have b = 𝑏𝑖≠0 2𝑖

## DR. ALEKHA KUMAR MISHRA 20

Computations in RSA
A specific choice of e is usually made to speed up the operation of
the RSA algorithm.
The most common choice is 65537 (216 + 1); two other popular
choices are 3 and 17. Each of these choices has only two 1 bits, so the
number of multiplications required to perform exponentiation is
minimized
However, with a very small public key, such as e = 3, RSA becomes
vulnerable to a simple attack

## DR. ALEKHA KUMAR MISHRA 21

Computations in RSA
A small value of d is vulnerable to a brute-force attack and to other forms
of cryptanalysis
However, we can speed up computation using the Chinese Remainder
Theorem.
To compute M = Cd mod n, Define the intermediate results: Vp = Cd mod
p, Vq = Cd mod q
Following the Chinese Remaining Theorem, define the quantities Xp = q ×
(q-1 mod p) Xq = p × (p-1 mod q)
Then, M = (VpXp + VqXq) mod n
We can also simplify the calculation of Vp and Vq using Fermat’s theorem,
(ap-1 ≡ 1 (mod p) if p and a are relatively prime
DR. ALEKHA KUMAR MISHRA 22
Computations in RSA : Key generation
Determining two prime numbers, p and q.
Selecting either e or d and calculating the other
The procedure for picking a prime number is as follows.
1. Pick an odd integer n at random (e.g., using a pseudorandom number
generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller–Rabin, with a as a
parameter. If n fails the test, reject the value n and go to step 1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go to
step 2.

## DR. ALEKHA KUMAR MISHRA 23

Attacks on RSA
Brute force
Mathematical attacks
Timing attacks
Hardware fault-based attack
Chosen ciphertext attack

## DR. ALEKHA KUMAR MISHRA 24

Attacks on RSA : Mathematical attacks
Three approaches to attacking RSA mathematically.
Factor n into its two prime factors. This enables calculation of φ(n) =
(p - 1) * (q - 1), which enables determination of d.
Determine φ(n) directly, without first determining p and q. Again,
this enables determination of d. (Determining φ(n) given n is
equivalent to factoring n)
Determine d directly, without first determining φ(n).

## DR. ALEKHA KUMAR MISHRA 25

Attacks on RSA : Countermeasurs for
Mathematical attacks
N size of 1024-bits
p and q should differ in length by only a few digits. Thus, for a 1024-
bit key (309 decimal digits), both p and q should be on the order of
magnitude of 1075 to 10100.
Both (p - 1) and (q - 1) should contain a large prime factor.
gcd(p - 1, q - 1) should be small.

## DR. ALEKHA KUMAR MISHRA 26

Attacks on RSA : Timing attacks
Paul Kocher, demonstrated that a snooper can determine a private key by
keeping track of how long a computer takes to decipher messages.
Applicable to RSA and other public-key cryptography systems.
This attack is serious because: It comes from a completely unexpected direction,
and it is a ciphertext only attack.
A timing attack is somewhat analogous to a burglar guessing the combination of
a safe by observing how long it takes for someone to turn the dial from number to
number
Countermeasures:
◦ Constant exponentiation time: Ensure that all exponentiations take the same amount of time
before returning a result.
◦ Random delay: Better performance could be achieved by adding a random delay to the
exponentiation algorithm to confuse the timing attack.
◦ Blinding: Multiply the ciphertext by a random number before performing exponentiation.

## DR. ALEKHA KUMAR MISHRA 27

Attacks on RSA : Fault-based attacks
An attack on a processor that is generating RSA digital signatures.
 The attack induces faults in the signature computation by reducing
the power to the processor.
 The faults cause the software to produce invalid signatures, which
can then be analyzed by the attacker to recover the private key.
It is shown that a 1024-bit private RSA key is extracted in
approximately 100 hours, using a commercially available
microprocessor.

## DR. ALEKHA KUMAR MISHRA 28

Attacks on RSA : Chosen Ciphertext attacks
CCA is defined as an attack in which the adversary chooses a number of
ciphertexts and is then given the corresponding plaintexts, decrypted with the
target’s private key.
Example
◦ The RSA property : E(PU, M1) * E(PU, M2) = E(PU, [M1 × M2])
◦ We can decrypt C = Me mod n using a CCA as follows.
◦ Compute X = (C * 2e) mod n.
◦ Submit X as a chosen ciphertext and receive back Y = Xd mod n.
◦ Now note that
◦ X = (C mod n) * (2e mod n) = (Me mod n) * (2e mod n) = (2M)e mod n
◦ This implies Y = 2M mod n
To overcome thissimple attack, practical RSA-based cryptosystems randomly
pad the plaintext prior to encryption.
Optimal asymmetric encryption padding (OAEP).
DR. ALEKHA KUMAR MISHRA 29
Diffie–Hellman key
exchange

## DR. ALEKHA KUMAR MISHRA 30

Diffie–Hellman key exchange
The algorithm to enable two users to securely exchange a key that
can then be used for subsequent symmetric encryption of messages.
The algorithm itself is limited to the exchange of secret values.
Depends for its effectiveness on the difficulty of computing discrete
logarithms.

The Algorithm

## DR. ALEKHA KUMAR MISHRA 32

Validity of the secret key generation
𝑋𝐴
K = (YB) mod q
𝑋𝐵 𝑋𝐴
= (α mod q) mod q
𝑋𝐵 𝑋𝐴
= (α ) mod q by the rules of modular arithmetic
𝑋𝐵 𝑋𝐴
= α mod q
𝑋𝐴 𝑋𝐵
= (α ) mod q
𝑋𝐴 𝑋𝐵
= (α mod q) mod q
𝑋𝐵
= (YA) mod q

## DR. ALEKHA KUMAR MISHRA 33

Strength of the algorithm
An adversary who wishes to determine the secret key K an adversary
only has q, a, YA, and YB the following to work
Because (XA and XB are private),.
To determine the private key of user B, an adversary must compute
XB = dloga,q(YB)
𝑋𝐵
The adversary can then calculate the key K = (YA) mod q
It is very difficult to calculate discrete logarithms. For large primes,
the latter task is considered infeasible.

## DR. ALEKHA KUMAR MISHRA 34

Example
The prime number q = 353 and a primitive root of 353, a = 3.
A and B select private keys
XA = 97 and XB = 233, respectively.
A computes YA = 397 mod 353 = 40.
B computes YB = 3233 mod 353 = 248.
After the exchange of public keys,
A computes K = 24897 mod 353 = 160.
B computes K = 40233 mod 353 = 160.
DR. ALEKHA KUMAR MISHRA 35
Man-in-the-
middle attack
Darth prepares for the attack by
generating two random private
keys XD1 and XD2
Then computing the
corresponding public keys YD1
and YD2.
Darth can simply eavesdrop the
communication or may modify
the message.
Countermeasure
◦ Authentication by digital signature
◦ Public-key certificate

## DR. ALEKHA KUMAR MISHRA 36

Elgamal Cyptosystem

## DR. ALEKHA KUMAR MISHRA 37

Elgamal Cyptosystem
A public-key scheme based on discrete logarithms
Closely related to the Diffie–Hellman technique
The global elements of Elgamal are a prime number q and α, which
is a primitive root of q.
User A generates a private/public key pair as follows:
1. Generate a random integer XA, such that 1 < XA < q - 1.
𝑋𝐴
2. Compute YA = α mod q.
3. A’s private key is XA and A’s public key is {q, a, YA}.

## DR. ALEKHA KUMAR MISHRA 38

Elgamal Cyptosystem
Any user B that has access to A’s public key can encrypt a message
as follows:
1. Represent the message as an integer M in the range 0 … M … q - 1.
2. Longer messages are sent as a sequence of blocks
3. Choose a random integer k such that 1 … k … q - 1.
4. Compute a one-time key K = (YA)k mod q.
5. Encrypt M as the pair of integers (C1, C2) where C1 = αk mod q; C2 = KM
mod q
User A recovers the plaintext as follows:
1. Recover the key by computing K = (C1)XA mod q.
2. Compute M = (C2K-1) mod q.

## DR. ALEKHA KUMAR MISHRA 39

Elgamal Cyptosystem : Example
prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10,
13, 14, 15}, We choose α = 10.
Alice generates a key pair as follows:
1. Alice chooses XA = 5.
𝑋𝐴
2. Then YA = α mod q = α5 mod 19 = 3
Alice’s private key is 5 and Alice’s public key is {q, α, YA} = {19,
10, 3}.

## DR. ALEKHA KUMAR MISHRA 40

Elgamal Cyptosystem : Example
Suppose Bob wants to send the message with the value M = 17. Then: Bob
chooses k = 6.
Then K = (YA)k mod q = 36 mod 19 = 729 mod 19 = 7.
So C1 = α6 mod 19 = 11
C2 = KM mod q = 7 * 17 mod 19 = 119 mod 19 = 5
4. Bob sends the ciphertext (11, 5).
For decryption:
Alice calculates K = (C1)XA mod q = 115 mod 19 = 161051 mod 19 = 7.
Then K-1 in GF(19) is 7-1 mod 19 = 11.
Finally, M = (C2K-1) mod q = 5 * 11 mod 19 = 55 mod 19 = 17.

ECC

## DR. ALEKHA KUMAR MISHRA 42

Elliptive Curve
An elliptic curve is defined by an equation in two variables with coefficients.
For cryptography, the variables and coefficients are restricted to elements in a finite
field, which results in the definition of a finite abelian group.
Elliptic curves are not ellipses
In general, cubic equations for elliptic curves known as a Weierstrass equation:
y2 + axy + by = x3 + cx2 + dx + e
where a, b, c, d, e are real numbers and x and y take on values in the real numbers.
Elliptive curve over real number uses a specific form: y2 = x3 + ax + b
A single element denoted O and called the point at infinity or the zero point
To plot such a curve, we need to compute: y = x3 + ax + b
Each curve is symmetric about y = 0.

## DR. ALEKHA KUMAR MISHRA 43

Elliptive Curve
Set of points E(a, b) consisting of all of the points (x, y) that satisfy
y2 = x3 + ax + b together with the element O.
Different value of the pair (a, b) results in a different set E(a, b)
A group can be defined based on the set E(a, b) for given a and b,
provided 4a3 + 27b2 ≠ 0 holds true
The operation for this group is addition (+)

## DR. ALEKHA KUMAR MISHRA 44

Elliptive Curve : Examples

## y2= x3-x  E(-1, 0) y2=x3+x+1  E(1, 1),

DR. ALEKHA KUMAR MISHRA 45
Geometric description of addition
If three points on an elliptic curve lie on a straight line, their sum is O.
O serves as the additive identity.
◦ Thus O = -O;
◦ for any point P on the elliptic curve, P + O = P. assume P ≠ O and Q ≠ O

## If P = (x, y), then -P = (x, -y). Note that P + (-P) = P - P = O.

To add two points P and Q with different x coordinates
◦ Draw a straight line between them
◦ Find the third point of intersection R.
◦ There is a unique point R (unless the line is tangent to the curve at either P or Q)
◦ To form a group structure, we need to addthree points: P + Q = -R.
◦ P + Q is defined to be the mirror image of the third point of intersection

For two points, P and -P, with the same x coordinate. The points are joined by a vertical line, which can be
viewed as also intersecting the curve at the infinity point
To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = -S.
With the above list of rules, The set E(a, b) is an abelian group.

## DR. ALEKHA KUMAR MISHRA 46

Algebraic description of addition
For two distinct points, P = (xP, yP) and Q = (xQ, yQ), that are not negatives of
each other, the slope of the line l that joins them is
Δ = (yQ - yP)/(xQ - xP).
There is exactly one other point where l intersects the elliptic curve, and that is
the negative of the sum of P and Q.
After some algebraic manipulation, we can express the sum R = P + Q as
xR = Δ 2 - xP - xQ
yR = -yP + Δ(xP - xR)
For R = P+P
xR = ((3x2𝑃 + a )/ 2yp)2
yR = ((3x2𝑃 + a )/ 2yp) (xP - xR)- yP

## DR. ALEKHA KUMAR MISHRA 47

Elliptic curves for cryptography
Elliptic curves in which the variables and coefficients are all
restricted to elements of a finite field
◦ Prime curves over Zp and
◦ Binary curves over GF(2m)

## DR. ALEKHA KUMAR MISHRA 48

For elliptic curves over Zp
The variables and coefficients take on values in the set of integers from 0 through p - 1 and all
calculations are performed modulo p.
The elliptive curve equation of the form
y2 mod p = (x3 + ax + b) mod p
The set Ep(a, b) consisting of all pairs of integers (x, y) that satisfy the above equation
For example, for a = 1, b = 1, and p = 23, the equation is given by
y2 mod 23 = (x3 + x + 1) mod 23
P( 9, 7) a point satisfies this equation
For the set E23(1, 1), we are only interested in the nonnegative integers ((0,0) - (p-1,p-1))
Abelian group can be defined based on the set Ep(a, b) provided (4a2+27b2) mod p ≠ 0 mod p
In a finite group Ep(a, b) number of points in the curve is bounded by p+1-2√p ≤ N ≤ p+1+2√p

E23(1,1) set

## DR. ALEKHA KUMAR MISHRA 50

Addition rule over Ep(a, b)
1) P+O=P
2) If P= (xP , yP) then -P = (xP , -yP)
Ex. in E23(1, 1) if P= (13,7) , the -P=(13,-7 mod 23) = (13,16)
3) If P= (xP , yP) and Q= (xQ , yQ) with P ≠ Q, the R = P+Q = (xR , yR), with
xR = (λ2 – xP - xQ ) mod p
yR = (λ(xP - xR) - yR ) mod p
Where,
yQ−yP
λ = if P ≠ Q
xQ−xP
3x2𝑃 +𝑎
= if P = Q
2𝑦𝑃
4) Multiplication is defined as repeated addition: 4P = P+P+P+P

## DR. ALEKHA KUMAR MISHRA 51

An example
In E23(1, 1). let P = (3, 10) and Q = (9, 7)
Then λ = (7 – 10)/(9 – 3) mod 23 = -3/6 mod 23 = -1/2 mod 23 = 11
xR = (112 - 3 - 9) mod 23 = 109 mod 23 = 17
yR = (11(3 - 17) - 10) mod 23 = -164 mod 23 = 20, So P + Q = (17, 20).
To compute 2P, λ = (3(32) + 1 )/ (2 * 10) mod 23 = 5/20 mod 23 = ¼
mod 23 = 6
xR = (62 - 3 - 3) mod 23 = 30 mod 23 = 7
yR = (6(3 - 7) - 10) mod 23 = (-34) mod 23 = 12
So, 2P = (7, 12).

## DR. ALEKHA KUMAR MISHRA 52

Elliptive curve over m
GF(2 )
It uses a cubic equation in which variable and coefficient take value in GF(2m).
The cubic equation of the curve is
y2+xy=x3+ax2+b
If P,Q are points in E2𝑚 (a,b), then
P+O=P
If P= (xP , yP), then –P = (xP , xP + yP)
If P= (xP , yP) and Q= (xQ , yQ) , P ≠ -Q , and P ≠ Q, then R=P+Q = (xR , yR), where
xR = (λ2 + λ + xP + xQ +a)
yR = (λ(xP+ xR) + xR + yP) , where λ = (yQ+ yP)/(xQ+ xP)
R=2P=(xR , yR), where
xR = (λ2 + λ + a)
yR = (xP2 +(λ+ 1)xR ,where λ = xP+(yP/xP)

## DR. ALEKHA KUMAR MISHRA 53

Elliptive curve cryptography
KEY GENERATION
Select a large integer q, (either a prime p or an integer 2m ), and parameters a and b for for the
curve.
Select a base point G = (x1, y1) in Eq(a, b) of order a large value n. The order n of a point G on an
elliptic curve is the smallest positive integer n such that nG = 0
Eq(a,b) and the point G(x1,y1) are public
Let and A and B are two users where A wish to send some secret message to B
A selects private key, an integer nA < n.
A then generates a public key PA = nA × G; a point in Eq(a, b).
B similarly selects a private key nB and computes a public key PB.
On exchanging PA, and PB ,A generates the secret key k = nA × PB and B generates the secret key
k = nB × PA.
These two step results in same key because nA × PB = nA × (nB * G) = nB × (nA × G) = nB × PA

## DR. ALEKHA KUMAR MISHRA 54

Example : key generation
p = 211; Ep(0, -4), which is equivalent to the curve
y2 = x3 - 4; and G = (2, 2). One can calculate that 240G = O. A’s
private key
is nA = 121, so A’s public key is PA = 121(2, 2) = (115, 48). B’s
private key is
nB = 203, so B’s public key is 203(2, 3) = (130, 203). The shared
secret key is
121(130, 203) = 203(115, 48) = (161, 69).

## DR. ALEKHA KUMAR MISHRA 55

Elliptive curve cryptography
ENCRYPTION
Encode the plaintext message m to be sent as an (x, y) point Pm
A chooses a random positive integer k
Produces the ciphertext Cm as a pair of points: Cm = {kG, Pm + kPB}
DECRYPTION
B multiplies the first point in Cm by B’s private key and subtracts the
result from the second point:
Pm + kPB - nB(kG) = Pm + k(nBG) - nB(kG) = Pm

## DR. ALEKHA KUMAR MISHRA 56

ECC Analysis
A added kPB to Pm and A only knows the value of k
Even though PB is a public key, nobody can remove the mask k from
kPB.
If one knows the private key nB then it can be removed.
For an attacker to recover the message, the attacker would have to
compute k given G and kG, which is assumed to be hard.

## DR. ALEKHA KUMAR MISHRA 57

Example
The global public elements are q = 257; Eq(a, b) = E257(0, -4), (y2 = x3 – 4); and
G = (2, 2).
Bob’s private key is nB = 101, and his public key is PB = nBG = 101(2, 2) = (197,
167).
Alice wishes to send a message to Bob that is encoded in the elliptic point Pm =
(112, 26).
Alice chooses random integer k = 41 and computes kG = 41(2, 2) = (136, 128),
kPB = 41(197, 167) = (68, 84) and Pm + kPB = (112, 26) + (68, 84) = (246, 174).
Alice sends the ciphertext Cm = (C1, C2) = {(136, 128), (246, 174)}
 Bob receives the ciphertext and computes
C2 - nBC1 = (246, 174) -101(136, 128) = (246, 174) - (68, 84) = (112, 26).

## DR. ALEKHA KUMAR MISHRA 58

Comparable Key Sizes in Terms of
Computational Effort for Cryptanalysis