
ABUBAKAR TAFAWA BALEW UNIVERSITY

DEPARTMENT OF MATHEMATICAL SCIENCES

M.Sc CYBER SECURITY


Applied Cryptography - CSE 654
[Dr. A. D. HINA]

First Semester 2021/2022 Session.

Contents
1 Introduction: Mathematical Cryptography 3
1.1 Divisibility and Greatest Common Divisors 3
1.2 Prime Numbers 5
1.3 Euler Phi Function 6
1.4 Finite Fields 6
1.4.1 Prime Fields 7
1.4.2 Polynomials over a Field 7
1.4.3 Extension Fields 8
1.4.4 Powers and Primitive Roots in Finite Fields 9
1.4.5 Finite Field using a Generator 11
1.5 Modular Arithmetic 12
1.5.1 The Chinese Remainder Theorem 14
1.6 The Pohlig-Hellman Algorithm 16
1.7 The Fast Powering Algorithm 18
1.8 One Way Functions 19

2 Cryptography 21
2.1 Introduction 21
2.2 Cryptography 21
2.3 Cryptographic Security Services 22
2.3.1 Cryptography & Steganography 23

3 Cryptographic Algorithms & Protocols 24
3.1 Cryptographic Algorithms (Ciphers) 24
3.2 Classical Ciphers 24
3.2.1 Monoalphabetic and Polyalphabetic Cipher 24
3.2.2 Caesar Cipher 25
3.2.3 Vigenère 25
3.2.4 Hill Cipher 26
3.2.5 The XOR Cipher 26
3.3 Cryptosystem 27
3.4 Algorithm Classification Based On Keys 28
3.4.1 Symmetric Key Algorithm (secret key algorithms) 28
3.4.2 Asymmetric Key Algorithm (public key algorithms) 29
3.5 Classification Based on Plaintext Processing 30
3.5.1 Stream Ciphers 30
3.5.2 Block Ciphers 31
3.6 Classification Based on Mode of Operation 36
3.6.1 Substitution Cipher 36
3.6.2 Transposition Cipher 36
3.7 Kerckhoff's Principle for Cryptosystems 36
3.8 Cryptanalysis 37
3.8.1 Ciphertext Only Attack 37
3.8.2 Known Plaintext Attack 37
3.8.3 Chosen Plaintext Attack 37
3.8.4 Chosen Ciphertext Attack 38

4 Cryptographic Protocols 39
4.1 Authentication Protocols 43
4.2 Security Analysis of Cryptographic Protocols 44
4.2.1 Tools for Formal Protocol Verification 47
4.3 The BAN Logic 47
4.3.1 The BAN Logic Rules 48
4.3.2 BAN Security Analysis 49

5 Key Agreement Schemes 52
5.1 Discrete Logarithms and Diffie Hellman 52
5.1.1 Discrete Logarithm Problem 53
5.1.2 Diffie-Hellman Key Exchange 53
5.2 The El-Gamal Public Key Cryptosystem 55
5.3 The RSA Public Key Cryptosystem 56
5.4 Elliptic Curve Discrete Logarithm Problem (ECDLP) 57

CSE 654 2 2021/2022 Session


1 Introduction: Mathematical Cryptography
Algebra and number theory are the foundation of modern cryptography, so we first need to explore some tools from algebra and number theory.

1.1 Divisibility and Greatest Common Divisors


Definition 1. Let $a$ and $b \neq 0$ be integers. We say that $b$ divides $a$ if there is an integer $c$ such that $a = bc$. In other words, $a$ is divisible by $b$. "$b$ divides $a$" is denoted by $b \mid a$.

Proposition 1. Let $a, b, c \in \mathbb{Z}$ be integers.
(a) If $a \mid b$ and $b \mid c$ then $a \mid c$.
(b) If $a \mid b$ and $b \mid a$ then $a = \pm b$.
(c) If $a \mid b$ and $a \mid c$ then $a \mid (b \pm c)$.

Definition 2. A common divisor of two integers $a$ and $b$ is a positive integer $d$ such that $d \mid a$ and $d \mid b$. The greatest common divisor of $a$ and $b$, denoted $\gcd(a, b)$, is the largest number $d$ such that $d \mid a$ and $d \mid b$.

The efficient algorithm for computing the gcd is built on the division algorithm.

Definition 3 (Division Algorithm). Let $a$ and $b$ be positive integers. Then $a$ divided by $b$ has quotient $q$ and remainder $r$:
$$a = b \cdot q + r, \qquad 0 \le r < b.$$
The values of $q$ and $r$ are uniquely determined by $a$ and $b$.

The division algorithm is applied in a more general method called the Euclidean algorithm.

Theorem 1 (Euclidean Algorithm). Let $a$ and $b$ be positive integers with $a \ge b$. The following algorithm computes $\gcd(a, b)$ in a finite number of steps.
1. Let $r_0 = a$ and $r_1 = b$.
2. Set $j = 1$.
3. Divide $r_{j-1}$ by $r_j$ to get a quotient $q_j$ and remainder $r_{j+1}$:
$$r_{j-1} = r_j \cdot q_j + r_{j+1} \quad \text{with } 0 \le r_{j+1} < r_j.$$
4. If the remainder $r_{j+1} = 0$ then $r_j = \gcd(a, b)$ and the algorithm terminates.
5. Otherwise $r_{j+1} > 0$; set $j = j + 1$ and go to step 3.

Proof. Set $r_0 = a$ and $r_1 = b$. Then we have
$$r_0 = r_1 \cdot q_1 + r_2 \quad \text{with } 0 \le r_2 < r_1,$$
$$r_1 = r_2 \cdot q_2 + r_3 \quad \text{with } 0 \le r_3 < r_2,$$
$$r_2 = r_3 \cdot q_3 + r_4 \quad \text{with } 0 \le r_4 < r_3,$$
$$\vdots$$
$$r_{j-2} = r_{j-1} \cdot q_{j-1} + r_j \quad \text{with } 0 \le r_j < r_{j-1},$$
$$r_{j-1} = r_j \cdot q_j.$$
Then $r_j = \gcd(a, b)$.

One observes that the $r_j$ values decrease, and the algorithm terminates when $r_{j+1} = 0$; hence the algorithm runs for a finite number of steps. At each step of the iteration an equation of the form
$$r_{j-1} = r_j \cdot q_j + r_{j+1}$$
is realized. Hence
$$\gcd(r_{j-1}, r_j) = \gcd(r_j, r_{j+1}) \quad \forall\, j = 1, 2, 3, \ldots \tag{1}$$
At the step when $r_{j+1} = 0$ we have $r_{j-1} = r_j \cdot q_j$ and thus
$$\gcd(r_{j-1}, r_j) = \gcd(r_j \cdot q_j, r_j) = r_j.$$
Now by Eq. (1), for $j = 1$ we have
$$\gcd(r_0, r_1) = \gcd(a, b) = r_j.$$

Example 1. Evaluate gcd(1970, 1066)

Sol. 1.
$$1970 = 1 \times 1066 + 904, \quad \gcd(1066, 904)$$
$$1066 = 1 \times 904 + 162, \quad \gcd(904, 162)$$
$$904 = 5 \times 162 + 94, \quad \gcd(162, 94)$$
$$162 = 1 \times 94 + 68, \quad \gcd(94, 68)$$
$$94 = 1 \times 68 + 26, \quad \gcd(68, 26)$$
$$68 = 2 \times 26 + 16, \quad \gcd(26, 16)$$
$$26 = 1 \times 16 + 10, \quad \gcd(16, 10)$$
$$16 = 1 \times 10 + 6, \quad \gcd(10, 6)$$
$$10 = 1 \times 6 + 4, \quad \gcd(6, 4)$$
$$6 = 1 \times 4 + 2, \quad \gcd(4, 2)$$
$$4 = 2 \times 2 + 0.$$

Therefore gcd(1970, 1066) = 2.

In general, one can write $\gcd(a, b)$ as an integer linear combination of $a$ and $b$. The procedure for doing so is called the extended Euclidean algorithm. It will come in handy in later computations in finite fields and in encryption algorithms such as RSA.

Theorem 2 (Extended Euclidean Algorithm). Let $a$ and $b$ be positive integers. Then the equation
$$a u + b v = \gcd(a, b) \tag{2}$$
always has a solution in integers $u$ and $v$. If $(u_0, v_0)$ is one such solution then every solution is of the form
$$u = u_0 + \frac{b \cdot k}{\gcd(a, b)} \quad \text{and} \quad v = v_0 - \frac{a \cdot k}{\gcd(a, b)}, \qquad \text{for some } k \in \mathbb{Z}.$$

Proof. From the first step of the proof of the Euclidean algorithm we have
$$r_2 = r_0 - r_1 \cdot q_1 = a - b \cdot q_1.$$
Substituting this into the second step, $r_1 = r_2 \cdot q_2 + r_3$:
$$b = (a - b \cdot q_1) \cdot q_2 + r_3 \implies r_3 = -a \cdot q_2 + b\,(1 + q_1 q_2).$$
Substituting $r_2$ and $r_3$ into the next step, $r_2 = r_3 \cdot q_3 + r_4$:
$$(a - b \cdot q_1) = \bigl(-a \cdot q_2 + b(1 + q_1 q_2)\bigr) \cdot q_3 + r_4 \implies r_4 = a \cdot (1 + q_2 q_3) - b\,(q_1 + q_3 + q_1 q_2 q_3). \tag{3}$$
Eq. (3) can be expressed as
$$r_4 = a \cdot u' + b \cdot v', \quad \text{where } u' \text{ and } v' \text{ are integers.}$$
Continuing in this way we reach $r_j = a \cdot u + b \cdot v$ for some integers $u$ and $v$. But $r_j = \gcd(a, b)$, which proves the first part.

If $\gcd(a, b) = 1$ we have the following definition.

Definition 4. Let $a$ and $b$ be integers with $\gcd(a, b) = 1$. Then $a$ and $b$ are said to be relatively prime.

Eq. (2) can always be reduced to the relatively prime case by dividing through by $\gcd(a, b)$:
$$\frac{a}{\gcd(a, b)}\, u + \frac{b}{\gcd(a, b)}\, v = 1.$$

Example 2. Express the gcd(2024, 748) as a linear combination of 2024 and 748.

Sol. 2. Let $2024 = x$ and $748 = y$. From the first line of the Euclidean algorithm:
$$2024 = 748 \cdot 2 + 528 \implies 528 = 2024 - 2 \cdot 748 = x - 2y$$
$$748 = 528 \cdot 1 + 220 \implies y = (x - 2y) \cdot 1 + 220 \implies 220 = -x + 3y$$
$$528 = 220 \cdot 2 + 88 \implies x - 2y = (-x + 3y) \cdot 2 + 88 \implies 88 = 3x - 8y$$
$$220 = 88 \cdot 2 + 44 \implies -x + 3y = (3x - 8y) \cdot 2 + 44 \implies 44 = -7x + 19y$$
$$88 = 44 \cdot 2 + 0 \implies \gcd(2024, 748) = 44.$$

Therefore $-7x + 19y = -7(2024) + 19(748) = 44 = \gcd(2024, 748)$.
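The two worked examples above, as an added Python example (not part of the original notes): the division steps of Theorem 1 are returned one per line so that Example 1 can be reproduced, and the extended algorithm keeps each remainder as a combination of $a$ and $b$ while it runs, which is Example 2's back-substitution carried forward. The `mod_inverse` helper is the use a practitioner actually needs from Theorem 2 (RSA private-key computation and field inverses): an inverse exists exactly when the gcd is 1, and the function says so instead of returning a wrong value. All function names are this example's own.

```python
"""Euclidean and extended Euclidean algorithms (Theorems 1 and 2)."""


def euclid_steps(a, b):
    """Return the division steps (r_{j-1}, r_j, q_j, r_{j+1}) of the
    Euclidean algorithm, the lines written out in Example 1.
    The gcd is the divisor r_j of the last step (whose remainder is 0)."""
    steps = []
    r_prev, r = a, b
    while r != 0:
        q, r_next = divmod(r_prev, r)
        steps.append((r_prev, r, q, r_next))
        r_prev, r = r, r_next
    return steps


def gcd(a, b):
    """gcd(a, b) via Theorem 1: the last non-zero remainder."""
    steps = euclid_steps(a, b)
    return steps[-1][1] if steps else a


def extended_gcd(a, b):
    """Return (g, u, v) with a*u + b*v = g = gcd(a, b), Eq. (2).

    Invariant at every iteration: old_r = a*old_u + b*old_v and
    r = a*u + b*v, so the coefficients of the final remainder are u, v.
    """
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a, m):
    """Inverse of a modulo m, or None when gcd(a, m) != 1.

    a has an inverse modulo m exactly when a and m are relatively prime
    (Definition 4); callers must handle the None case, e.g. when an RSA
    exponent e is not coprime to phi(n)."""
    g, u, _ = extended_gcd(a % m, m)
    if g != 1:
        return None
    return u % m


def all_solutions(a, b, k_values):
    """Every solution of a*u + b*v = gcd(a, b) has the form
    u = u0 + b*k/g, v = v0 - a*k/g (Theorem 2); list them for the given k."""
    g, u0, v0 = extended_gcd(a, b)
    return [(u0 + (b // g) * k, v0 - (a // g) * k) for k in k_values]


if __name__ == "__main__":
    for r_prev, r, q, r_next in euclid_steps(1970, 1066):
        print(f"{r_prev} = {q} x {r} + {r_next}")
    print("gcd(1970, 1066) =", gcd(1970, 1066))
    g, u, v = extended_gcd(2024, 748)
    print(f"{u}*2024 + {v}*748 = {g}")
```

Running the block prints the eleven division lines of Example 1 and the coefficients $(-7, 19)$ of Example 2; `all_solutions` shows that those coefficients are only one member of the family given in Theorem 2.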

1.2 Prime Numbers


Definition 5. An integer $p$ is said to be prime if $p \ge 2$ and the only positive integers dividing $p$ are $1$ and $p$.

Proposition 2. Let $p$ be a prime number, and suppose that $p$ divides the product $ab$ of two integers. Then $p$ divides at least one of $a$ and $b$. More generally, if
$$p \mid a_1 a_2 a_3 \cd
ots a_n,$$
then $p$ divides at least one of the individual $a_i$.

Theorem 3 (Fundamental Theorem of Arithmetic). Let $a \ge 2$ be an integer. Then $a$ can be factored as a product of prime numbers
$$a = p_1^{e_1} \cdot p_2^{e_2} \cdot p_3^{e_3} \cdots p_n^{e_n}.$$
This factorization into prime powers is unique.

In the factorization of $a$, each prime $p$ appears to a certain power $e$; we denote this power by $\operatorname{ord}_p(a)$ (the order of $p$ in $a$). If $1728 = 2^6 \cdot 3^3$, then $\operatorname{ord}_2(1728) = 6$, $\operatorname{ord}_3(1728) = 3$, and $\operatorname{ord}_p(1728) = 0$ for all $p \ge 5$. Thus we can restate the factorization in terms of $\operatorname{ord}_p$:
$$a = \prod_{\text{primes } p} p^{\operatorname{ord}_p(a)}.$$

Given a prime $p$, the set of integers $\mathbb{Z}/p\mathbb{Z}$ modulo $p$ with its arithmetic operations is an example of a field. The field $\mathbb{Z}/p\mathbb{Z}$ of integers modulo $p$ has only finitely many elements (a finite field) and is denoted $\mathbb{F}_p$. Thus $\mathbb{Z}/p\mathbb{Z}$ and $\mathbb{F}_p$ denote the same object.

1.3 Euler Phi Function


The Euler phi function $\phi(n)$ is the number of non-negative integers less than $n$ that are relatively prime to $n$. If $n$ is a prime then
$$\phi(n^a) = n^a - n^{a-1}, \qquad \text{where } a \text{ is a positive integer (so } \phi(n) = n - 1 \text{ when } a = 1). \tag{4}$$
$$\phi(32) = \phi(2^5) = 2^5 - 2^{5-1} = 2^5 - 2^4 = 32 - 16 = 16.$$
$$\phi(125) = \phi(5^3) = 5^3 - 5^{3-1} = 5^3 - 5^2 = 125 - 25 = 100.$$
The Euler phi function counts the number of $k < n$ such that $\gcd(k, n) = 1$. For any integer $n$ we have
$$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right) = n \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_m}\right) \tag{5}$$
where $p_1, p_2, \ldots, p_m$ are the distinct prime factors of $n$. So,
$$\phi(n) = \left|(\mathbb{Z}/n\mathbb{Z})^*\right| = \#\{k,\ 1 \le k \le n \mid \gcd(k, n) = 1\}. \tag{6}$$

Theorem 4 (Euler's Theorem). If $a$ and $n$ are relatively prime then
$$a^{\phi(n)} \equiv 1 \pmod{n}. \tag{7}$$

1.4 Finite Fields


A field F is an algebraic structure consisting of a set of elements for which the operations of addition,
subtraction, multiplication, and division satisfy certain prescribed properties. To define fields, we
consider the following definitions first
Definition 6. A ring $(R, +, \cdot)$ is a nonempty set $R$ together with two operations, $(+)$ and $(\cdot)$, such that:
(1) $(R, +)$ is an abelian group;
(2) $(\cdot)$ is associative, that is, for all $a, b, c \in R$: $a \cdot (b \cdot c) = (a \cdot b) \cdot c$;
(3) the left and right distributive laws hold: for all $a, b, c \in R$,
$$a \cdot (b + c) = a \cdot b + a \cdot c \quad \text{and} \quad (b + c) \cdot a = b \cdot a + c \cdot a.$$

Definition 7. Let $R$ be a ring.
(1) $R$ is a ring with identity if the ring has a multiplicative identity;
(2) $R$ is commutative if $(\cdot)$ is commutative;
(3) $R$ is an integral domain if it is commutative with identity and $a \cdot b = 0$ implies $a = 0$ or $b = 0$, for any $a, b \in R$;
(4) $R$ is a division ring (also called a skew field) if the nonzero elements of $R$ form a group under $(\cdot)$;
(5) $R$ is a field if it is a commutative division ring.
A field F is said to be finite if the number of elements contained therein is finite. The order of a
finite field F is the number of distinct elements in F. Recall that every field has a unique smallest
subfield, called the prime subfield, which is the intersection of all of its subfields.

1.4.1 Prime Fields


Let $p$ be a prime. The finite field of order $p$, $\mathbb{F}_p$, is the set of integers $\mathbb{Z}_p = \{0, 1, 2, \ldots, p-1\}$ together with arithmetic modulo $p$. $\mathbb{F}_p$ can also be written $GF(p)$, where $GF$ stands for Galois field.
An example of such a field is $\mathbb{F}_5 = GF(5) = \{0, 1, 2, 3, 4\}$, on which the arithmetic operations are performed modulo 5. The multiplicative group $\mathbb{F}_5^* = \{1, 2, 3, 4\}$ is $\mathbb{F}_5 \setminus \{0\}$.

1.4.2 Polynomials over a Field


Recall that a polynomial is an expression of the form
$$f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \cdots + a_n x^n. \tag{8}$$
Given a field $\mathbb{F}_{p^n}$ we can restrict the coefficients of Eq. (8): $a_0, a_1, a_2, \ldots, a_n \in \mathbb{F}_p$. For subsequent illustrations, let $q = p^n$.

Definition 8. Let $\mathbb{F}_p$ be a field. A polynomial over $\mathbb{F}_p$ is an expression of the form (8) whose coefficients $a_0, a_1, \ldots, a_n \in \mathbb{F}_p$. The set of all polynomials over $\mathbb{F}_p$ is denoted $\mathbb{F}_p[x]$.

Theorem 5. If $\mathbb{F}_q$ is a field then $(\mathbb{F}_q[x], +, \cdot)$ is a field, where for all $f, g \in \mathbb{F}_q[x]$ with
$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n \quad \text{and} \quad g(x) = b_0 + b_1 x + b_2 x^2 + \cdots + b_m x^m,$$
we define
$$f + g = [a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n] + [b_0 + b_1 x + b_2 x^2 + \cdots + b_m x^m],$$
$$f \cdot g = [a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n]\,[b_0 + b_1 x + b_2 x^2 + \cdots + b_m x^m].$$
The additive identity in $\mathbb{F}_q[x]$ is the polynomial $0(x) = 0$, and the multiplicative identity in $\mathbb{F}_q[x]$ is the polynomial $1(x) = 1$.

Definition 9. If $\mathbb{F}_q$ is a field and $f \in \mathbb{F}_q[x]$, $f(x) \neq 0$, with $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n$, then $f$ is said to be a monic polynomial if $a_n = 1$.

A polynomial is irreducible over $GF(p)$ if it does not factor over $GF(p)$; otherwise it is reducible. For example, the polynomial $x^5 + x^4 + x^3 + x + 1$ is reducible over $GF(5)$, since $x = 3$ is a root there:
$$x^5 + x^4 + x^3 + x + 1 \equiv (x + 2)(x^4 + 4x^3 + 3x^2 + 4x + 3) \pmod 5,$$
but it is irreducible over $GF(2)$.



1.4.3 Extension Fields
Unlike prime fields, whose elements are integers, extension fields have polynomials as their elements. Extension fields are denoted $\mathbb{F}_{p^n}$ where $n > 1$. These polynomials are of the form
$$a_{n-1} x^{n-1} + a_{n-2} x^{n-2} + \cdots + a_1 x + a_0.$$

Of particular interest to this course are the finite fields of the form $\mathbb{F}_{2^n}$. Taking $\mathbb{F}_{2^3} = \mathbb{F}_8$, there are 8 elements in the field, each represented by a polynomial
$$a_2 x^2 + a_1 x + a_0.$$

The elements of the field can be written as bit strings $a_2 a_1 a_0$:
$$\mathbb{F}_{2^3} = \{0\,(000),\ 1\,(001),\ x\,(010),\ x + 1\,(011),\ x^2\,(100),\ x^2 + 1\,(101),\ x^2 + x\,(110),\ x^2 + x + 1\,(111)\}$$

Examples of such fields include:
$$\mathbb{F}_2 = \{0, 1\}$$
$$\mathbb{F}_{2^2} = \{00, 01, 10, 11\} = \{0, 1, 2, 3\}$$
$$\mathbb{F}_{2^3} = \{000, 001, 010, 011, 100, 101, 110, 111\} = \{0, 1, 2, 3, 4, 5, 6, 7\}$$
$$\mathbb{F}_{2^4} = \{0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111\}$$
$$\phantom{\mathbb{F}_{2^4}} = \{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A(10), B(11), C(12), D(13), E(14), F(15)\}$$
$$\vdots$$

Example 3. Find the elements of F8 [x] = F23 [x].

Sol. 3. The following are the members of the set:
$$000 \implies 0 \cdot x^2 + 0 \cdot x + 0 \cdot 1 = 0$$
$$001 \implies 0 \cdot x^2 + 0 \cdot x + 1 \cdot 1 = 1$$
$$010 \implies 0 \cdot x^2 + 1 \cdot x + 0 \cdot 1 = x$$
$$011 \implies 0 \cdot x^2 + 1 \cdot x + 1 \cdot 1 = 1 + x$$
$$100 \implies 1 \cdot x^2 + 0 \cdot x + 0 \cdot 1 = x^2$$
$$101 \implies 1 \cdot x^2 + 0 \cdot x + 1 \cdot 1 = x^2 + 1$$
$$110 \implies 1 \cdot x^2 + 1 \cdot x + 0 \cdot 1 = x^2 + x$$
$$111 \implies 1 \cdot x^2 + 1 \cdot x + 1 \cdot 1 = x^2 + x + 1$$

Therefore the set is given by $\{0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1\}$.

Definition 10. A polynomial $f \in \mathbb{F}_q[x]$ is an irreducible polynomial over $\mathbb{F}_q$ if $f$ has positive degree and $f = gh$ with $g, h \in \mathbb{F}_q[x]$ implies that either $g$ or $h$ is a constant polynomial.



  x | x^1  x^2  x^3  x^4  x^5  x^6
  1 |  1    1    1    1    1    1
  2 |  2    4    1    2    4    1
  3 |  3    2    6    4    5    1
  4 |  4    2    1    4    2    1
  5 |  5    4    6    2    3    1
  6 |  6    1    6    1    6    1

Figure 1: Powers of the elements of $\mathbb{F}_7$ modulo 7 (each entry is $x^k \bmod 7$).

1.4.4 Powers and Primitive Roots in Finite Fields


Raising the elements of $\mathbb{F}_p$ to higher powers is widely used in cryptography. Suppose we want to find the powers of the elements of the field $\mathbb{F}_7 = \{0, 1, 2, 3, 4, 5, 6\}$ modulo 7. From Figure 1 we can see that
$$x^6 \equiv 1 \pmod 7, \quad \forall\, x \in \{1, 2, 3, 4, 5, 6\}.$$
Hence
$$x^6 \equiv \begin{cases} 1 \pmod 7, & \text{if } 7 \nmid x \\ 0 \pmod 7, & \text{if } 7 \mid x \end{cases}$$
This is stated in general by Fermat's Little Theorem.

Theorem 6 (Fermat's Little Theorem). Let $p$ be a prime number and let $x$ be any integer. Then
$$x^{p-1} \equiv \begin{cases} 1 \pmod p, & \text{if } p \nmid x \\ 0 \pmod p, & \text{if } p \mid x \end{cases}$$

Example 4. Show that the number $p = 15485863$ is prime.

Sol. 4. Let $x = 2$; then by Fermat's Little Theorem
$$2^{15485863 - 1} \equiv 1 \pmod{15485863}.$$
So, without a single computation, we are able to see that $15485863 \mid (2^{15485862} - 1)$.

Combining Fermat's Little Theorem with the fast powering algorithm gives an efficient algorithm for computing inverses modulo $p$, namely
$$x^{-1} \equiv x^{p-2} \pmod p.$$

The inverse of 7814 modulo 17449 is given by
$$7814^{-1} \equiv 7814^{17447} \equiv 1284 \pmod{17449}.$$
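Euler's phi function of Section 1.3 (Eqs. 5 and 6, Theorem 4) and the Fermat inverse $x^{p-2}$ just derived, as an added Python example (not part of the original notes). Both ways of computing $\phi$ are implemented so they can be checked against each other, and `fermat_inverse_is_valid` records the caveat a practitioner needs: the exponent $p - 2$ only yields an inverse when the modulus is prime, so for a composite modulus the extended Euclidean algorithm must be used instead. Function names are this example's own.

```python
"""Euler's phi function (Eqs. 5 and 6), Euler's theorem (Theorem 4) and
the Fermat inverse x^(p-2) mod p (Theorem 6)."""

from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small n)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def phi_product(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), Eq. (5), evaluated in integers
    as n/p * (p - 1) per prime so that no rounding can creep in."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def phi_count(n):
    """phi(n) = #{k : 1 <= k <= n, gcd(k, n) = 1}, Eq. (6), by counting."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def euler_theorem_holds(a, n):
    """Theorem 4: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi_product(n), n) == 1


def fermat_inverse(x, p):
    """x^-1 = x^(p-2) (mod p) for prime p. Python's three-argument pow is
    the fast powering algorithm, so this costs O(log p) multiplications."""
    if x % p == 0:
        raise ValueError("0 has no inverse modulo p")
    return pow(x, p - 2, p)


def fermat_inverse_is_valid(x, m):
    """Caveat: x^(m-2) is an inverse only when m is prime. For composite m
    the exponent m - 2 has nothing to do with phi(m), so the product test
    fails; use the extended Euclidean algorithm (pow(x, -1, m)) there."""
    candidate = pow(x, m - 2, m)
    return (x * candidate) % m == 1


if __name__ == "__main__":
    print("phi(32) =", phi_product(32), "phi(125) =", phi_product(125))
    print("7814^-1 mod 17449 =", fermat_inverse(7814, 17449))
    print("x^(m-2) valid for m = 8?", fermat_inverse_is_valid(3, 8))
```

Note that a passing Fermat check such as the one in Example 4 is a necessary condition for primality, not a proof of it: composite numbers that satisfy $a^{n-1} \equiv 1 \pmod n$ for some bases exist, which is why primality tests in practice run the check for several bases and combine it with stronger criteria.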

Theorem 7. Let $f(x)$ be an irreducible polynomial of degree $k$ over $\mathbb{F}_p$. The finite field $GF(p^k)$ can be realized as the set of polynomials of degree at most $k - 1$ over $\mathbb{F}_p$, with addition and multiplication done modulo $f(x)$.

By the theorem, the finite field $GF(2^5)$ can be realized as the set of polynomials of degree at most 4 over $\mathbb{F}_2$, with addition and multiplication done modulo the irreducible polynomial $f(x) = x^5 + x^4 + x^3 + x + 1$. The coefficients of polynomials over $\mathbb{F}_2$ are 0 or 1, so a degree $k$ polynomial can be written down as $k + 1$ bits. For example, with $k = 4$:
$$x^3 + x + 1 = 01011, \qquad x^4 + x^3 + x + 1 = 11011.$$

Exercise 1. Let $f(x) = x^3 + x + 1$ and $g(x) = x^4 + x^3 + x + 1$. Evaluate 1. $f(x) + g(x)$, 2. $f(x) \cdot g(x)$.

Rows and columns are labelled by the element as a polynomial and as the bit string $a_2 a_1 a_0$.

+             | 0 (000) | 1 (001) | x (010) | x+1 (011) | x^2 (100) | x^2+1 (101) | x^2+x (110) | x^2+x+1 (111)
0 (000)       | 0       | 1       | x       | x+1       | x^2       | x^2+1       | x^2+x       | x^2+x+1
1 (001)       | 1       | 0       | x+1     | x         | x^2+1     | x^2         | x^2+x+1     | x^2+x
x (010)       | x       | x+1     | 0       | 1         | x^2+x     | x^2+x+1     | x^2         | x^2+1
x+1 (011)     | x+1     | x       | 1       | 0         | x^2+x+1   | x^2+x       | x^2+1       | x^2
x^2 (100)     | x^2     | x^2+1   | x^2+x   | x^2+x+1   | 0         | 1           | x           | x+1
x^2+1 (101)   | x^2+1   | x^2     | x^2+x+1 | x^2+x     | 1         | 0           | x+1         | x
x^2+x (110)   | x^2+x   | x^2+x+1 | x^2     | x^2+1     | x         | x+1         | 0           | 1
x^2+x+1 (111) | x^2+x+1 | x^2+x   | x^2+1   | x^2       | x+1       | x           | 1           | 0

Table 1: Polynomial Addition Modulo $(x^3 + x + 1)$.

×             | 0 (000) | 1 (001) | x (010) | x+1 (011) | x^2 (100) | x^2+1 (101) | x^2+x (110) | x^2+x+1 (111)
0 (000)       | 0       | 0       | 0       | 0         | 0         | 0           | 0           | 0
1 (001)       | 0       | 1       | x       | x+1       | x^2       | x^2+1       | x^2+x       | x^2+x+1
x (010)       | 0       | x       | x^2     | x^2+x     | x+1       | 1           | x^2+x+1     | x^2+1
x+1 (011)     | 0       | x+1     | x^2+x   | x^2+1     | x^2+x+1   | x^2         | 1           | x
x^2 (100)     | 0       | x^2     | x+1     | x^2+x+1   | x^2+x     | x           | x^2+1       | 1
x^2+1 (101)   | 0       | x^2+1   | 1       | x^2       | x         | x^2+x+1     | x+1         | x^2+x
x^2+x (110)   | 0       | x^2+x   | x^2+x+1 | 1         | x^2+1     | x+1         | x           | x^2
x^2+x+1 (111) | 0       | x^2+x+1 | x^2+1   | x         | 1         | x^2+x       | x^2         | x+1

Table 2: Polynomial Multiplication Modulo $(x^3 + x + 1)$.

In $GF(2^3)$, $x^2 + 1 = 101_2$ and $x^2 + x + 1 = 111_2$.

Addition:
$$(x^2 + 1) + (x^2 + x + 1) = x \implies 101 \text{ XOR } 111 = 010_2$$

Multiplication:
$$(x + 1) \cdot (x^2 + 1) = x \cdot (x^2 + 1) + 1 \cdot (x^2 + 1) = x^3 + x + x^2 + 1 = x^3 + x^2 + x + 1$$
$$\implies (011) \times (101) = 3 \times 5 = 15 = 1111_2 \quad \text{(carry-less multiplication).}$$

Polynomial modulo reduction:
$$x^3 + x^2 + x + 1 = 1 \cdot (x^3 + x + 1) + x^2 \implies (x^3 + x^2 + x + 1) \bmod (x^3 + x + 1) = x^2$$
$$\implies 1111 \bmod 1011 = 1111 \text{ XOR } 1011 = 0100_2.$$


1.4.5 Finite Field using a Generator
Finite fields of the form $GF(2^n)$ can equivalently be defined using a generator together with an irreducible polynomial.

Definition 11. A generator $g$ of a finite field $F$ of order $q$ is an element whose first $q - 1$ powers generate all the non-zero elements of $F$: $F = \{0, g^0, g^1, g^2, \ldots, g^{q-1}\}$.

Consider the field $GF(2^3)$ defined by the irreducible polynomial $x^3 + x + 1$. The generator $g$ must satisfy $f(g) = g^3 + g + 1 = 0$. This equation has solution $g^3 = -g - 1 = g + 1$ (signs do not matter in characteristic 2). The rest of the elements are:
$$g^4 = g(g^3) = g(g + 1) = g^2 + g$$
$$g^5 = g(g^4) = g(g^2 + g) = g^3 + g^2 = g^2 + g + 1$$
$$g^6 = g(g^5) = g(g^2 + g + 1) = g^3 + g^2 + g = g + 1 + g^2 + g = g^2 + 1$$
$$g^7 = g(g^6) = g(g^2 + 1) = g^3 + g = g + 1 + g = 1 = g^0.$$

Thus all the non-zero polynomials of $GF(2^3)$ are generated by the powers of $g$.

Rows and columns are ordered by powers of the generator, each shown with its bit string.

+                 | 0 (000) | 1 (001) | g (010) | g^2 (100) | g^3 = g+1 (011) | g^4 = g^2+g (110) | g^5 = g^2+g+1 (111) | g^6 = g^2+1 (101)
0 (000)           | 0       | 1       | g       | g^2       | g+1             | g^2+g             | g^2+g+1             | g^2+1
1 (001)           | 1       | 0       | g+1     | g^2+1     | g               | g^2+g+1           | g^2+g               | g^2
g (010)           | g       | g+1     | 0       | g^2+g     | 1               | g^2               | g^2+1               | g^2+g+1
g^2 (100)         | g^2     | g^2+1   | g^2+g   | 0         | g^2+g+1         | g                 | g+1                 | 1
g^3 = g+1 (011)   | g+1     | g       | 1       | g^2+g+1   | 0               | g^2+1             | g^2                 | g^2+g
g^4 = g^2+g (110) | g^2+g   | g^2+g+1 | g^2     | g         | g^2+1           | 0                 | 1                   | g+1
g^5 = g^2+g+1 (111) | g^2+g+1 | g^2+g | g^2+1   | g+1       | g^2             | 1                 | 0                   | g
g^6 = g^2+1 (101) | g^2+1   | g^2     | g^2+g+1 | 1         | g^2+g           | g+1               | g                   | 0

Table 3: $GF(2^3)$ Addition Using the Generator for the Polynomial $(x^3 + x + 1)$.

×                 | 0 (000) | 1 (001) | g (010) | g^2 (100) | g^3 = g+1 (011) | g^4 = g^2+g (110) | g^5 = g^2+g+1 (111) | g^6 = g^2+1 (101)
0 (000)           | 0       | 0       | 0       | 0         | 0               | 0                 | 0                   | 0
1 (001)           | 0       | 1       | g       | g^2       | g+1             | g^2+g             | g^2+g+1             | g^2+1
g (010)           | 0       | g       | g^2     | g+1       | g^2+g           | g^2+g+1           | g^2+1               | 1
g^2 (100)         | 0       | g^2     | g+1     | g^2+g     | g^2+g+1         | g^2+1             | 1                   | g
g^3 = g+1 (011)   | 0       | g+1     | g^2+g   | g^2+g+1   | g^2+1           | 1                 | g                   | g^2
g^4 = g^2+g (110) | 0       | g^2+g   | g^2+g+1 | g^2+1     | 1               | g                 | g^2                 | g+1
g^5 = g^2+g+1 (111) | 0     | g^2+g+1 | g^2+1   | 1         | g               | g^2               | g+1                 | g^2+g
g^6 = g^2+1 (101) | 0       | g^2+1   | 1       | g         | g^2             | g+1               | g^2+g               | g^2+g+1

Table 4: $GF(2^3)$ Multiplication Using the Generator for the Polynomial $(x^3 + x + 1)$.

Generally, for any $GF(2^n)$ with an irreducible polynomial $f(x)$, we calculate all powers of $g$ from $g^{n+1}$ through $g^{2^n - 2}$. In the field, multiplication is performed using $g^j = g^{\,j \bmod (2^n - 1)}$ for any integer $j$.
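The $GF(2^n)$ arithmetic of Sections 1.4.4 and 1.4.5 (the XOR addition, carry-less multiplication and reduction worked on the bit strings above, and the generator powers of Definition 11), as an added Python example that is not part of the original notes. With the modulus $x^3 + x + 1$ it regenerates Tables 1 to 4; the same routine applied to the AES polynomial $x^8 + x^4 + x^3 + x + 1$ (0x11B, not mentioned in the notes) is the generalisation a practitioner meets in practice, and the block checks a known product in that field. Function and constant names are this example's own.

```python
"""Arithmetic in GF(2^n) on bit-string polynomials: XOR addition, carry-less
multiplication, reduction modulo an irreducible polynomial, and generator
powers. GF(2^3) modulo x^3 + x + 1 reproduces Tables 1-4 of the notes."""

POLY_GF8 = 0b1011        # x^3 + x + 1, the modulus used in Tables 1-4
POLY_AES = 0x11B         # x^8 + x^4 + x^3 + x + 1, the AES field modulus


def gf_add(a, b):
    """Polynomial addition over GF(2) is coefficient-wise XOR (Table 1)."""
    return a ^ b


def clmul(a, b):
    """Carry-less (polynomial) product before reduction: 011 x 101 = 1111."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf_reduce(value, modulus):
    """Reduce a polynomial modulo `modulus` by XOR-ing in the modulus shifted
    under the leading bit, the 1111 XOR 1011 = 0100 step of the notes."""
    deg_mod = modulus.bit_length() - 1
    while value.bit_length() - 1 >= deg_mod:
        shift = value.bit_length() - 1 - deg_mod
        value ^= modulus << shift
    return value


def gf_mul(a, b, modulus):
    """Field multiplication: carry-less product, then reduction (Table 2)."""
    return gf_reduce(clmul(a, b), modulus)


def gf_pow(a, e, modulus):
    """a^e in the field by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, modulus)
        a = gf_mul(a, a, modulus)
        e >>= 1
    return result


def generator_powers(g, modulus):
    """g^0, g^1, ... until the cycle closes at g^k = 1. g generates the
    field exactly when the list holds all 2^n - 1 non-zero elements."""
    powers = [1]
    current = g
    while current != 1:
        powers.append(current)
        current = gf_mul(current, g, modulus)
    return powers


def is_generator(g, modulus):
    n = modulus.bit_length() - 1
    return len(generator_powers(g, modulus)) == (1 << n) - 1


def multiplication_table(modulus):
    """Rows of the multiplication table; row i and column j are element i*j."""
    n = modulus.bit_length() - 1
    size = 1 << n
    return [[gf_mul(i, j, modulus) for j in range(size)] for i in range(size)]


def to_poly(value):
    """Readable polynomial for a bit string, e.g. 0b101 -> 'x^2 + 1'."""
    terms = []
    for i in range(value.bit_length() - 1, -1, -1):
        if value >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    for row in multiplication_table(POLY_GF8):       # Table 2
        print("  ".join(to_poly(v).ljust(11) for v in row))
    print([to_poly(p) for p in generator_powers(0b010, POLY_GF8)])   # g = x
```

Running the block prints Table 2 row by row and the list $1, x, x^2, x+1, x^2+x, x^2+x+1, x^2+1$ of generator powers from Section 1.4.5. In $GF(2^3)$ every element other than 0 and 1 is a generator because the group order 7 is prime; in the AES field that is no longer true, which is why `is_generator` checks the cycle length instead of assuming it.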


1.5 Modular Arithmetic
If $a$ is an integer and $m$ is a positive integer, we define $a \pmod m$ to be the remainder when $a$ is divided by $m$. The integer $m$ is called the modulus. Two integers $a$ and $b$ are said to be congruent modulo $m$ if $a \pmod m = b \pmod m$, which is written $a \equiv b \pmod m$.

Definition 12. Let $m \ge 1$ be an integer. The integers $a$ and $b$ are said to be congruent modulo $m$ if $a - b$ is divisible by $m$. This is written as
$$a \equiv b \pmod m$$
where $m$ is called the modulus.

Proposition 3. Let $m \ge 1$ be an integer.
1. If $a_1 \equiv b_1 \pmod m$ and $a_2 \equiv b_2 \pmod m$, then
$$a_1 \pm a_2 \equiv b_1 \pm b_2 \pmod m \quad \text{and} \quad a_1 \cdot a_2 \equiv b_1 \cdot b_2 \pmod m.$$
2. Let $a$ be an integer. Then $a \cdot b \equiv 1 \pmod m$ for some integer $b$ if and only if $\gcd(a, m) = 1$. If such an integer $b$ exists, we say $b$ is the (multiplicative) inverse of $a$ modulo $m$. For example, with $a = 3$ and $m = 7$: since $\gcd(3, 7) = 1$ and $3 \cdot 5 \equiv 1 \pmod 7$, 5 is the inverse of 3 (mod 7).

Examples of modular arithmetic:
$$11 \equiv 4 \pmod 7, \qquad -11 \equiv 3 \pmod 7, \qquad 73 \equiv 4 \pmod{23}.$$

Modular addition and multiplication modulo 8 are given in Tables 5a and 5b respectively.

(a) Modulo 8 addition
 + | 0 1 2 3 4 5 6 7
 0 | 0 1 2 3 4 5 6 7
 1 | 1 2 3 4 5 6 7 0
 2 | 2 3 4 5 6 7 0 1
 3 | 3 4 5 6 7 0 1 2
 4 | 4 5 6 7 0 1 2 3
 5 | 5 6 7 0 1 2 3 4
 6 | 6 7 0 1 2 3 4 5
 7 | 7 0 1 2 3 4 5 6

(b) Modulo 8 multiplication
 × | 0 1 2 3 4 5 6 7
 0 | 0 0 0 0 0 0 0 0
 1 | 0 1 2 3 4 5 6 7
 2 | 0 2 4 6 0 2 4 6
 3 | 0 3 6 1 4 7 2 5
 4 | 0 4 0 4 0 4 0 4
 5 | 0 5 2 7 4 1 6 3
 6 | 0 6 4 2 0 6 4 2
 7 | 0 7 6 5 4 3 2 1

Table 5: Modulo 8 Arithmetic

Exponentiation is performed by repeated multiplication:


Example 5. Find $11^7 \bmod 13$.

Sol. 5. We proceed as follows:
$$11^2 = 121 \equiv 4 \pmod{13}$$
$$11^4 = 11^2 \times 11^2 = (11^2)^2 \equiv 4^2 \equiv 3 \pmod{13}$$
$$11^7 = 11 \times 11^2 \times 11^4 \equiv 11 \times 4 \times 3 \equiv 132 \equiv 2 \pmod{13}.$$
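Exponentiation by repeated squaring as carried out in Example 5, written up as an added Python example (not part of the original notes). Only the powers $g, g^2, g^4, \ldots$ modulo $N$ are computed, one squaring each, and those selected by the binary digits of the exponent are multiplied together, which is exactly how $11^7 = 11 \cdot 11^2 \cdot 11^4$ was assembled above. The naive successive-multiplication method of Section 1.7 is included only so the two can be compared. Function names are this example's own.

```python
"""Square-and-multiply modular exponentiation (Example 5 and Section 1.7)."""


def binary_powers(g, exponent, modulus):
    """[g^1, g^2, g^4, ...] mod N, one entry per bit of the exponent.
    These are the only powers the fast algorithm ever forms."""
    powers = []
    current = g % modulus
    for _ in range(exponent.bit_length()):
        powers.append(current)
        current = current * current % modulus
    return powers


def fast_pow(g, exponent, modulus):
    """g^exponent mod N by square-and-multiply: O(log exponent) steps,
    reading the exponent's bits from least to most significant."""
    if modulus == 1:
        return 0
    result = 1
    base = g % modulus
    while exponent > 0:
        if exponent & 1:          # this bit is set: multiply its power in
            result = result * base % modulus
        base = base * base % modulus
        exponent >>= 1
    return result


def naive_pow(g, exponent, modulus):
    """Successive multiplication g_k = g * g_{k-1}: exponent multiplications,
    hopeless for the exponent sizes used in public-key cryptography."""
    result = 1
    for _ in range(exponent):
        result = result * g % modulus
    return result


if __name__ == "__main__":
    print(binary_powers(11, 7, 13))      # the factors 11, 4, 3 of Example 5
    print(fast_pow(11, 7, 13))           # 2
    print(fast_pow(2, 1000, 10**9 + 7))  # a 1000-bit exponent in 1000 steps
```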



From the division algorithm we have $a = m \cdot q + r$ with $0 \le r < m$, meaning that $a$ divided by $m$ has quotient $q$ and remainder $r$. This can also be expressed as $a \equiv r \pmod m$ for some integer $0 \le r \le m - 1$. Thus the interval $0 \le r \le m - 1$ is enough to work with integers modulo $m$, which gives the following definition.

Definition 13. The ring of integers modulo $m$, $\mathbb{Z}/m\mathbb{Z}$, is given by
$$\mathbb{Z}/m\mathbb{Z} = \{0, 1, 2, \ldots, m - 1\}. \tag{9}$$

Note that sums and products of elements of $\mathbb{Z}/m\mathbb{Z}$ are again elements of $\mathbb{Z}/m\mathbb{Z}$. The set (9) is called the set of residues or residue classes (mod $m$). Each integer in $\mathbb{Z}/m\mathbb{Z}$ represents a residue class. The residue classes (mod $m$) can be labeled $[0], [1], [2], \ldots, [m - 1]$. The residue classes (mod 4) are the following:
$$[0] = \{\ldots, -20, -16, -12, -8, -4, 0, 4, 8, 12, 16, \ldots\}$$
$$[1] = \{\ldots, -19, -15, -11, -7, -3, 1, 5, 9, 13, 17, \ldots\}$$
$$[2] = \{\ldots, -18, -14, -10, -6, -2, 2, 6, 10, 14, 18, \ldots\}$$
$$[3] = \{\ldots, -17, -13, -9, -5, -1, 3, 7, 11, 15, 19, \ldots\}$$

Definition 14. The group of units modulo $m$, $(\mathbb{Z}/m\mathbb{Z})^*$, is given by
$$(\mathbb{Z}/m\mathbb{Z})^* = \{a \in \mathbb{Z}/m\mathbb{Z} : \gcd(a, m) = 1\} = \{a \in \mathbb{Z}/m\mathbb{Z} : a \text{ has an inverse modulo } m\}. \tag{10}$$

Examples:
The group of units modulo 7 is:

(Z/7Z)⇤ = {1, 2, 3, 4, 5, 6}.

The group of units modulo 24 is:

(Z/24Z)⇤ = {1, 5, 7, 11, 13, 17, 19, 23}

· 1 5 7 11 13 17 19 23
1 1 5 7 11 13 17 19 23
5 5 1 11 7 17 13 23 19
7 7 11 1 5 19 23 13 17
11 11 7 5 1 23 19 17 13
13 13 17 19 23 1 5 7 11
17 17 13 23 19 5 1 11 7
19 19 23 13 17 7 11 1 5
23 23 19 17 13 11 7 5 1

Table 6: Multiplication in the Unit Group Modulo 24



1.5.1 The Chinese Remainder Theorem
Let $m = m_1 \cdot m_2 \cdot m_3 \cdots m_n$ be the product of pairwise relatively prime integers. The Chinese remainder theorem (CRT) says that solving an equation modulo $m$ is equivalent to solving a system of equations modulo $m_i$ for each $1 \le i \le n$. Systems of simultaneous linear congruences of the form
$$x \equiv a \pmod m \quad \text{and} \quad x \equiv b \pmod n,$$
where $\gcd(m, n) = 1$, are best solved by the Chinese remainder theorem.

Theorem 8. Let $m_1, m_2, \ldots, m_k$ be a collection of pairwise relatively prime integers, $\gcd(m_i, m_j) = 1$ for all $i \ne j$. Let $a_1, a_2, \ldots, a_k$ be arbitrary integers. Then the system of simultaneous congruences
$$x \equiv a_1 \pmod{m_1}, \quad x \equiv a_2 \pmod{m_2}, \quad x \equiv a_3 \pmod{m_3}, \quad \ldots, \quad x \equiv a_k \pmod{m_k}$$
has a solution $x = c$. If $x = c$ and $x = c'$ are both solutions, then
$$c \equiv c' \pmod{m_1 m_2 \cdots m_k}.$$

Proof. Let $M = m_1 m_2 m_3 \cdots m_r$ and $M_i = M/m_i$. Since the $m_i$ are pairwise relatively prime, $M_i$ is relatively prime to $m_i$, so it has an inverse $x_i$ modulo $m_i$, that is, $M_i x_i \equiv 1 \pmod{m_i}$. If $i \ne j$ then $m_i \mid M_j$, that is, $M_j \equiv 0 \pmod{m_i}$. Then
$$x \equiv a_1 M_1 x_1 + a_2 M_2 x_2 + \cdots + a_r M_r x_r \pmod M$$
is a solution to the system because, for each $i$,
$$a_1 M_1 x_1 + a_2 M_2 x_2 + \cdots + a_r M_r x_r \equiv a_i M_i x_i \pmod{m_i} \equiv a_i \cdot 1 \pmod{m_i} \equiv a_i \pmod{m_i}.$$

Suppose $x$ and $y$ are two solutions. Then $x \equiv y \pmod{m_i}$ for each $i$, that is, $m_i \mid (x - y)$. The $m_i$ are pairwise relatively prime, hence by unique factorization their product also divides $x - y$:
$$m_1 m_2 m_3 \cdots m_r \mid (x - y),$$
that is,
$$x \equiv y \pmod{m_1 m_2 m_3 \cdots m_r}.$$
This proves the uniqueness.

Example 6. Solve the simultaneous system of congruences
$$x \equiv 2 \pmod 3, \quad x \equiv 3 \pmod 7, \quad x \equiv 4 \pmod{16}$$

Sol. 6. The theorem says that there is a unique solution modulo $3 \cdot 7 \cdot 16 = 336$. From the first congruence we have $x = 2 + 3y$ (for some integer $y$), which we substitute into the second congruence to obtain
$$2 + 3y \equiv 3 \pmod 7, \quad \text{which simplifies to} \quad 3y \equiv 1 \pmod 7.$$
Since $3 \times 5 \pmod 7 = 1$ (3 and 5 are inverses), we have $y \equiv 5 \pmod 7$:
$$x = 2 + 3y = 2 + 3 \cdot 5 = 17$$
is a solution to the first two congruences, with general solution
$$x = 17 + 3(7)z = 17 + 21z \quad \text{(for some integer } z\text{)}.$$
Substituting the general solution of the first two congruences into the third, we have
$$17 + 21z \equiv 4 \pmod{16}, \quad \text{which reduces to} \quad 5z \equiv 3 \pmod{16}.$$
Since $5 \cdot 13 \pmod{16} = 1$ (13 is the inverse of 5) we obtain
$$z \equiv 3 \cdot 13 \equiv 39 \equiv 7 \pmod{16}.$$
Substituting $z = 7$ into $x = 17 + 21z$ we have
$$x = 17 + 21(7) = 164 \pmod{(3)(7)(16)} = 164 \pmod{336}.$$
All other solutions are of the form $X = x \pm 336n$ with $n = 1, 2, \ldots$ (adding or subtracting multiples of 336 to $x$).
Example 7. Solve the system of congruences

x ⌘ 1 (mod 3), x ⌘ 4 (mod 5), x ⌘ 6 (mod 7)

Sol. 7. Take the congruence with the largest modulus, $x \equiv 6 \pmod 7$, and express it as an equivalent equation: $x = 7j + 6$ for some integer $j$.
Substitute this expression for $x$ into the congruence with the next largest modulus:
$$x \equiv 4 \pmod 5 \implies 7j + 6 \equiv 4 \pmod 5.$$
Then solve this congruence for $j$:
$$j \equiv 4 \pmod 5.$$
Rewrite this congruence as an equivalent equation:
$$j = 5k + 4, \quad \text{for some integer } k.$$
Substitute this expression for $j$ into the expression for $x$:
$$x = 7(5k + 4) + 6$$
$$x = 35k + 34.$$
Now substitute this expression for $x$ into the final congruence, and solve the congruence for $k$:
$$35k + 34 \equiv 1 \pmod 3$$
$$k \equiv 0 \pmod 3.$$
Write this congruence as an equation, and then substitute the expression for $k$ into the expression for $x$:
$$k = 3l, \quad \text{for some integer } l.$$
$$x = 35(3l) + 34$$
$$x = 105l + 34.$$
This equation implies the congruence
$$x \equiv 34 \pmod{105},$$
which is the solution to the system of congruences.
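Theorem 8 and Examples 6 and 7, as an added Python example that is not part of the original notes. `crt` builds the solution exactly as the proof does ($M_i = M/m_i$, $x_i = M_i^{-1} \bmod m_i$, $x = \sum a_i M_i x_i \bmod M$) and refuses moduli that are not pairwise relatively prime, the hypothesis the theorem depends on; `crt_by_substitution` is the hand method of the two examples, folding one congruence in at a time. Function names are this example's own; `pow(a, -1, m)` for the modular inverse needs Python 3.8 or later.

```python
"""Chinese remainder theorem (Theorem 8), both as in its proof and as in
the substitution method of Examples 6 and 7."""

from math import gcd


def is_pairwise_coprime(moduli):
    """The hypothesis of Theorem 8: gcd(m_i, m_j) = 1 for all i != j."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli))
               for j in range(i + 1, len(moduli)))


def crt(residues, moduli):
    """Solve x = a_i (mod m_i). Returns (x, M) with 0 <= x < M = prod m_i;
    by the uniqueness part of Theorem 8 every solution is x mod M."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus expected")
    if not is_pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        x_i = pow(M_i, -1, m_i)     # exists because gcd(M_i, m_i) = 1
        x += a_i * M_i * x_i
    return x % M, M


def crt_by_substitution(residues, moduli):
    """The hand method of Examples 6 and 7: keep the running solution as
    x (mod running) and fold in the next congruence each time."""
    if not is_pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise relatively prime")
    x, running = residues[0] % moduli[0], moduli[0]
    for a, m in zip(residues[1:], moduli[1:]):
        # x + running*t = a (mod m)  =>  t = (a - x) * running^-1 (mod m)
        t = (a - x) * pow(running, -1, m) % m
        x += running * t
        running *= m
    return x % running, running


def satisfies(x, residues, moduli):
    """Check a candidate against every congruence of the system."""
    return all(x % m == a % m for a, m in zip(residues, moduli))


if __name__ == "__main__":
    print(crt([2, 3, 4], [3, 7, 16]))                   # Example 6: (164, 336)
    print(crt_by_substitution([1, 4, 6], [3, 5, 7]))   # Example 7: (34, 105)
```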

A congruence (or system of congruences) with composite moduli can be solved by first solving several congruences modulo the primes obtained from the given equation, and then fitting the solutions together using the Chinese remainder theorem.

Proposition 4. Let $p$ be a prime satisfying $p \equiv 3 \pmod 4$. Let $a$ be an integer such that $x^2 \equiv a \pmod p$ has a solution ($a$ has a square root modulo $p$). Then
$$b \equiv a^{(p+1)/4} \pmod p$$
is a solution, which satisfies $b^2 \equiv a \pmod p$.

Proof. Let $g$ be a primitive root (mod $p$); then $a$ is equal to some power of $g$. Since $a$ has a square root modulo $p$, $a$ is an even power of $g$, hence $a \equiv g^{2k} \pmod p$ for some integer $k$. Then
$$\begin{aligned}
b^2 &\equiv a^{(p+1)/2} \pmod p, && \text{by definition of } b \\
&\equiv (g^{2k})^{(p+1)/2} \pmod p, && \text{since } a \equiv g^{2k} \pmod p \\
&\equiv g^{(p+1)k} \pmod p, \\
&\equiv g^{2k + (p-1)k} \pmod p, \\
&\equiv a \cdot (g^{p-1})^k \pmod p, && \text{since } a \equiv g^{2k} \pmod p \\
&\equiv a \pmod p, && \text{since } g^{p-1} \equiv 1 \pmod p
\end{aligned}$$
Therefore $b$ is a square root of $a$ modulo $p$.
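Proposition 4 in code, as an added Python example (not part of the original notes). The proposition presupposes that $a$ has a square root; the block makes that check explicit with Euler's criterion $a^{(p-1)/2} \equiv 1 \pmod p$, because for a non-square the formula still returns a number, only one whose square is $-a$ rather than $a$. Function names are this example's own.

```python
"""Square roots modulo a prime p = 3 (mod 4), Proposition 4:
b = a^((p+1)/4) (mod p) satisfies b^2 = a whenever a is a square mod p."""


def is_quadratic_residue(a, p):
    """Euler's criterion: a non-zero a is a square mod p iff a^((p-1)/2) = 1.
    For a non-square the same power is -1, and then Proposition 4's b
    satisfies b^2 = a * a^((p-1)/2) = -a instead of a."""
    return a % p != 0 and pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a, p):
    """Return the pair of square roots (b, p - b) of a modulo p, or None
    when a has no square root. Requires p = 3 (mod 4), the case in which
    the exponent (p + 1)/4 is an integer."""
    if p % 4 != 3:
        raise ValueError("formula only valid for primes p = 3 (mod 4)")
    a %= p
    if a == 0:
        return (0, 0)
    if not is_quadratic_residue(a, p):
        return None
    b = pow(a, (p + 1) // 4, p)
    # the proof: b^2 = a^((p+1)/2) = a * a^((p-1)/2) = a
    assert b * b % p == a
    return tuple(sorted((b, p - b)))


if __name__ == "__main__":
    print(sqrt_mod_prime(4, 23), sqrt_mod_prime(9, 23), sqrt_mod_prime(5, 23))
```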

1.6 The Pohlig-Hellman Algorithm


The discrete logarithm problem (DLP, discussed in a later section) requires that we solve the equation
$$g^x \equiv h \pmod p \tag{11}$$
where $p$ is a prime and $g \in G$ is an element of order $N$ in the group $G$.
Since the modulus $p$ is prime, one might expect the CRT to be irrelevant. But $p - 1$ is factorizable, and the solution is determined only modulo $p - 1$, so the solution really lives in $\mathbb{Z}/(p-1)\mathbb{Z}$. Factorizing $p - 1$ into primes is thus essential, and that factorization determines the difficulty of the DLP in $\mathbb{F}_p^*$. It is the core of the Pohlig-Hellman algorithm.



Theorem 9. Let $G$ be a group. Suppose that we have an algorithm that can solve the DLP in $G$ for any element whose order is a power of a prime. Let $g \in G$ have order $N$ and suppose $N$ factors into a product of prime powers
$$N = q_1^{e_1} \cdot q_2^{e_2} \cdots q_n^{e_n}.$$
Then the DLP $g^x \equiv h \pmod p$ can be solved in
$$O\left(\sum_{i=1}^{n} S_{q_i^{e_i}} + \log N\right) \text{ steps} \tag{12}$$
using the following procedure:

1. For each $1 \le i \le n$, let
$$g_i = g^{N/q_i^{e_i}} \quad \text{and} \quad h_i = h^{N/q_i^{e_i}} \tag{13}$$
and use the assumed algorithm to solve
$$g_i^{y} = h_i. \tag{14}$$
Let $y = y_i$ be the solution to equation (14).
2. Use the CRT to solve
$$x \equiv y_1 \pmod{q_1^{e_1}}, \quad x \equiv y_2 \pmod{q_2^{e_2}}, \quad \ldots, \quad x \equiv y_n \pmod{q_n^{e_n}}. \tag{15}$$

Example 8. Solve for $x$: $7^x \equiv 166 \pmod{433}$.

Sol. 8. Writing the problem as $g^x \equiv h \pmod p$ we have $g = 7$, $h = 166$, $p = 433$ and
$$N = p - 1 = 432 = 2^4 \cdot 3^3 = \prod q_i^{e_i} \implies q_1 = 2,\ q_2 = 3,\ e_1 = 4,\ e_2 = 3.$$

For $i = 1$, we have $q_1 = 2$ and $e_1 = 4$:
$$g_1 = g^{N/q_1^{e_1}} = 7^{432/16} = 7^{27} \equiv 265, \qquad h_1 = h^{N/q_1^{e_1}} = 166^{432/16} = 166^{27} \equiv 250 \pmod{433}.$$
Since $g_1$ has order $2^4$, we look for the solution in the form
$$x \equiv x_0 + x_1 q_1 + x_2 q_1^2 + \cdots + x_{e_1-1} q_1^{e_1-1} \pmod{2^4} \implies x \equiv x_0 + 2x_1 + 4x_2 + 8x_3 \pmod{2^4},$$
with each $x_j \in \{0, 1\}$, and solve
$$g_1^x \equiv h_1 \pmod{433} \implies 265^x \equiv 250 \pmod{433}$$
for $x_0, x_1, x_2, x_3$ one digit at a time. Raising both sides to the power $2^{3-j}$ kills all digits above $x_j$ (because $265^{16} \equiv 1$), and $265^{2^3} \equiv 432 \equiv -1$ has order 2:
$$x_0:\ (265^{2^3})^{x_0} \equiv 250^{2^3} \pmod{433} \implies 432^{x_0} \equiv 432 \implies x_0 = 1.$$
$$x_1:\ (265^{2^3})^{x_1} \equiv (250 \cdot 265^{-x_0})^{2^2} \pmod{433} \implies 432^{x_1} \equiv (250 \cdot 250)^{2^2} \equiv 432 \implies x_1 = 1,$$
using $265^{-1} \equiv 250 \pmod{433}$ (indeed $265 \cdot 250 = 66250 = 153 \cdot 433 + 1$).
$$x_2:\ (265^{2^3})^{x_2} \equiv (250 \cdot 265^{-x_0 - 2x_1})^{2^1} \pmod{433} \implies 432^{x_2} \equiv (250 \cdot 265^{-3})^{2} \equiv (250 \cdot 195)^2 \equiv 432 \implies x_2 = 1.$$
$$x_3:\ (265^{2^3})^{x_3} \equiv (250 \cdot 265^{-x_0 - 2x_1 - 4x_2})^{2^0} \pmod{433} \implies 432^{x_3} \equiv 250 \cdot 265^{-7} \equiv 250 \cdot 168 \equiv 432 \implies x_3 = 1.$$
Thus:
$$x \equiv x_0 + 2x_1 + 4x_2 + 8x_3 \equiv 1 + 2 + 4 + 8 \equiv 15 \pmod{2^4}.$$

For $i = 2$, we have $q_2 = 3$ and $e_2 = 3$:
$$g_2 = g^{N/q_2^{e_2}} = 7^{432/27} = 7^{16} \equiv 374, \qquad h_2 = h^{N/q_2^{e_2}} = 166^{432/27} = 166^{16} \equiv 335 \pmod{433}.$$
We now look for
$$x \equiv x_0 + x_1 q_2 + x_2 q_2^2 \pmod{3^3} \implies x \equiv x_0 + 3x_1 + 9x_2 \pmod{3^3},$$
with each $x_j \in \{0, 1, 2\}$, by solving
$$g_2^x \equiv h_2 \pmod{433} \implies 374^x \equiv 335 \pmod{433}$$
for $x_0, x_1, x_2$. Here $374^{3^2} \equiv 234$ has order 3, with $234^2 \equiv 198$:
$$x_0:\ (374^{3^2})^{x_0} \equiv 335^{3^2} \pmod{433} \implies 234^{x_0} \equiv 198 \implies x_0 = 2.$$
$$x_1:\ (374^{3^2})^{x_1} \equiv (335 \cdot 374^{-x_0})^{3^1} \pmod{433} \implies 234^{x_1} \equiv (335 \cdot 51)^{3} \equiv 198^3 \equiv 1 \implies x_1 = 0,$$
using $374^{-2} \equiv 51 \pmod{433}$.
$$x_2:\ (374^{3^2})^{x_2} \equiv (335 \cdot 374^{-x_0 - 3x_1})^{3^0} \pmod{433} \implies 234^{x_2} \equiv 335 \cdot 51 \equiv 198 \implies x_2 = 2.$$
Thus:
$$x \equiv x_0 + 3x_1 + 9x_2 \equiv 2 + 0 + 9 \cdot 2 \equiv 20 \pmod{3^3}.$$

Next, we use the CRT to solve the simultaneous congruences
$$x \equiv 15 \pmod{2^4}, \qquad x \equiv 20 \pmod{3^3}.$$
Writing $x = 20 + 27t$, the first congruence gives $20 + 27t \equiv 4 + 11t \equiv 15 \pmod{16}$, i.e. $11t \equiv 11 \pmod{16}$, so $t \equiv 1$ and $x = 47$. Check: $7^{47} \equiv 166 \pmod{433}$, so $x = 47$ is the solution of the DLP (unique modulo $432$).
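The procedure of Theorem 9 and the digit-by-digit computation of Example 8, as an added runnable example (this code is not part of the lecture notes). It factors $N$ by trial division, solves each prime-power subproblem by recovering the base-$q$ digits exactly as above, and recombines the residues with the CRT. The prime-order oracle $S_q$ is a plain brute-force loop, which is an assumption made for readability; a real implementation would use baby-step giant-step or Pollard rho there. It assumes Python 3.8 or later for `pow(g, -x, p)`.

```python
# Added example (not from the lecture notes): Pohlig-Hellman for the DLP g^x = h (mod p)
# in F_p^*, following the procedure above: one prime-power subproblem per q_i^{e_i},
# solved digit by digit, then recombined with the CRT. Requires Python >= 3.8.


def trial_factor(n):
    """Prime factorisation of n as a dict {q: e} (trial division; fine for demo sizes)."""
    factors = {}
    q = 2
    while q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlp_prime_order(g, h, q, p):
    """Brute-force x in [0, q) with g^x = h (mod p), where g has prime order q.
    Stands in for the S_q oracle of Theorem 9 (assumption: a toy oracle, not BSGS/rho)."""
    cur = 1
    for x in range(q):
        if cur == h:
            return x
        cur = cur * g % p
    raise ValueError("no solution: h is not in the subgroup generated by g")


def dlp_prime_power(g, h, q, e, p):
    """Solve g^x = h (mod p) for g of order q^e, recovering the base-q digits
    x = x_0 + x_1 q + ... + x_{e-1} q^{e-1} exactly as in the worked example."""
    gamma = pow(g, q ** (e - 1), p)   # element of order q (432 and 234 in Example 8)
    x = 0
    for k in range(e):
        # strip the digits found so far (h * g^{-x}), then raise to q^{e-1-k}
        target = pow(h * pow(g, -x, p) % p, q ** (e - 1 - k), p)
        x += dlp_prime_order(gamma, target, q, p) * q ** k
    return x


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x (mod prod m_i)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mi) % mi
        x += m * t
        m *= mi
    return x % m


def pohlig_hellman(g, h, p, N=None):
    """Return x with g^x = h (mod p); N is the order of g (defaults to p - 1)."""
    N = p - 1 if N is None else N
    residues, moduli = [], []
    for q, e in trial_factor(N).items():
        qe = q ** e
        gi = pow(g, N // qe, p)          # g_i = g^(N / q_i^e_i), order q_i^e_i
        hi = pow(h, N // qe, p)          # h_i = h^(N / q_i^e_i)
        residues.append(dlp_prime_power(gi, hi, q, e, p))
        moduli.append(qe)
    return crt(residues, moduli)


if __name__ == "__main__":
    x = pohlig_hellman(7, 166, 433)
    print("x =", x, "check:", pow(7, x, 433) == 166)   # x = 47
```

The running time is dominated by the largest prime factor of $N$, which is exactly why cryptographic parameters use primes $p$ for which $p - 1$ has a large prime factor (safe primes, or subgroups of large prime order as in DSA).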

1.7 The Fast Powering Algorithm


In the cryptosystems we will study later, we will be required to compute large powers of a number $g$ modulo another number, say $N$, where the numbers may have hundreds of digits (especially $N$). The naive way to compute $g^X \pmod N$ is to multiply by $g$ successively:
$$g_1 \equiv g \pmod N,\quad g_2 \equiv g \cdot g_1 \pmod N,\quad g_3 \equiv g \cdot g_2 \pmod N,\quad g_4 \equiv g \cdot g_3 \pmod N,\quad \ldots,\quad g_X \equiv g \cdot g_{X-1} \equiv g^X \pmod N.$$
This takes $X - 1$ multiplications. If $X$ is large ($X \approx 2^{1000}$), such a computation would take ages. The better approach is to use the binary expansion of the exponent $X$ in the calculation of $g^X$, which needs only about $2\log_2 X$ multiplications. Now we present the algorithm.
The Fast Powering algorithm:



• Step I: Compute the binary expansion of $X$:
$$X = X_0 + X_1 \cdot 2 + X_2 \cdot 2^2 + X_3 \cdot 2^3 + \cdots + X_r \cdot 2^r,$$
with $X_0, X_1, X_2, \ldots, X_r \in \{0, 1\}$, and it is assumed that $X_r = 1$.

• Step II: Compute the powers $g^{2^i} \pmod N$ for $0 \le i \le r$ by successive squaring:
$$x_0 \equiv g \pmod N,\quad x_1 \equiv x_0^2 \equiv g^2 \pmod N,\quad x_2 \equiv x_1^2 \equiv g^{2^2} \pmod N,\quad x_3 \equiv x_2^2 \equiv g^{2^3} \pmod N,\quad \ldots,\quad x_r \equiv x_{r-1}^2 \equiv g^{2^r} \pmod N.$$
Each term is the square of the previous one, so this step requires only $r$ multiplications.

• Step III: Compute $g^X$ using the formula:
$$g^X = g^{X_0 + X_1 \cdot 2 + X_2 \cdot 2^2 + \cdots + X_r \cdot 2^r} = g^{X_0} \cdot (g^2)^{X_1} \cdot (g^{2^2})^{X_2} \cdots (g^{2^r})^{X_r} \equiv x_0^{X_0} \cdot x_1^{X_1} \cdot x_2^{X_2} \cdots x_r^{X_r} \pmod N. \qquad (16)$$

The quantities $x_0, x_1, x_2, \ldots, x_r$ were computed in Step II, so the product in Eq. (16) is obtained by picking out the $x_i$ whose exponent $X_i = 1$ and multiplying them together, which takes at most $r$ further multiplications.

Example 9. Compute $3^{218} \pmod{1000}$.

Sol. 9. We have $g = 3$ and $X = 218$. We express $218$ as a sum of powers of 2:
$$218 = 2 + 2^3 + 2^4 + 2^6 + 2^7$$
then,
$$3^{218} = 3^{2 + 2^3 + 2^4 + 2^6 + 2^7} = 3^{2} \cdot 3^{2^3} \cdot 3^{2^4} \cdot 3^{2^6} \cdot 3^{2^7} \equiv 9 \cdot 561 \cdot 721 \cdot 281 \cdot 961 \equiv 489 \pmod{1000},$$
where the successive squares are $3^2 = 9$, $3^{2^2} \equiv 81$, $3^{2^3} \equiv 561$, $3^{2^4} \equiv 721$, $3^{2^5} \equiv 841$, $3^{2^6} \equiv 281$ and $3^{2^7} \equiv 961 \pmod{1000}$.
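Steps I to III as an added runnable example (this code is not part of the lecture notes). `fast_power` keeps the binary digits and the table $x_i = g^{2^i}$ explicit so that Example 9 can be traced; `modpow` is the same computation interleaved, which is how libraries do it. The function and variable names are this example's own.

```python
# Added example (not from the lecture notes): the fast powering algorithm of Steps I-III,
# written to expose the binary expansion of X and the table x_i = g^(2^i) mod N.


def binary_digits(X):
    """Step I: digits X_0, X_1, ..., X_r of X = sum X_i 2^i, least significant first (X_r = 1)."""
    if X < 0:
        raise ValueError("exponent must be non-negative")
    digits = []
    while X:
        digits.append(X & 1)
        X >>= 1
    return digits or [0]


def square_table(g, r, N):
    """Step II: x_0 = g, x_i = x_{i-1}^2 (mod N) for i = 1..r, i.e. x_i = g^(2^i) mod N."""
    table = [g % N]
    for _ in range(r):
        table.append(table[-1] * table[-1] % N)
    return table


def fast_power(g, X, N):
    """Step III: g^X = product over i with X_i = 1 of x_i (mod N). Returns (result, table)."""
    if N <= 0:
        raise ValueError("modulus must be positive")
    digits = binary_digits(X)
    table = square_table(g, len(digits) - 1, N)
    result = 1 % N
    for X_i, x_i in zip(digits, table):
        if X_i:
            result = result * x_i % N
    return result, table


def modpow(g, X, N):
    """Same computation, but squaring and multiplying are interleaved so only one running
    square is kept instead of the whole table; this is the usual library form."""
    result, base = 1 % N, g % N
    while X > 0:
        if X & 1:
            result = result * base % N
        base = base * base % N
        X >>= 1
    return result


if __name__ == "__main__":
    value, table = fast_power(3, 218, 1000)
    print("3^218 mod 1000 =", value)              # 489, agreeing with Example 9
    print("x_i = 3^(2^i) mod 1000:", table)       # [3, 9, 81, 561, 721, 841, 281, 961]
    print(modpow(3, 218, 1000) == pow(3, 218, 1000))
```

Note that both routines branch on the bits of $X$. When $X$ is a secret (an RSA private exponent, a Diffie-Hellman secret), that branch makes the running time, and possibly power consumption, depend on the key; production implementations use a constant-time Montgomery ladder or fixed-window exponentiation for that reason.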

1.8 One Way Functions


Definition 15 (One Way Function). A one-way function is a function $f$ from a domain to a range that is easy to compute but whose inverse is infeasible to compute:
$$y = f(x) \to \text{easy}, \qquad x = f^{-1}(y) \to \text{difficult}.$$
Here $f$ is taken to be injective, so that every function value $y$ has a unique preimage $x$.



The phrase "difficult to compute" means that no known algorithm computes the inverse in a reasonable (say, polynomial) amount of time: an algorithm that computes $x$ from $y$ certainly exists (exhaustive search over the domain, for instance), but for inputs of practical size it will not finish in any "reasonable time".

Definition 16 (Trapdoor). Trapdoor one-way functions are a family of invertible functions $f_k$ such that $y = f_k(x)$ is easy to compute when $k$ and $x$ are known, $x = f_k^{-1}(y)$ is easy when $k$ and $y$ are known, and $x = f_k^{-1}(y)$ is infeasible when $y$ is known but $k$ is not.

A one-way function with certain extra information (the trapdoor information) thus becomes easy to invert. Such functions are the candidates for public key encryption systems: the forward operation of the mathematical function (encrypting) is easy, but inverting it (decrypting) is hard without knowledge of the trapdoor information. The trapdoor information plays the role of the private key.



2 Cryptography
2.1 Introduction
The proliferation of computers and communications systems in the 1960s brought with it a demand
from the private sector for means to protect information in digital form and to provide security
services. The most striking development in the history of cryptography came in 1976 when Diffie
and Hellman published New Directions in Cryptography. This paper introduced the revolutionary
concept of public-key cryptography and also provided a new and ingenious method for key exchange,
the security of which is based on the intractability of the discrete logarithm problem. Although the
authors had no practical realization of a public-key encryption scheme at the time, the idea was
clear and it generated extensive interest and activity in the cryptographic community.
In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and
signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical
problem, the intractability of factoring large integers. This application of a hard mathematical
problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw
major advances in this area but none which rendered the RSA system insecure.
Another class of powerful and practical public-key schemes was found by ElGamal in 1985.
These are also based on the discrete logarithm problem. One of the most significant contributions
provided by public-key cryptography is the digital signature. In 1991 the first international standard
for digital signatures, ISO/IEC 9796 (International Organization for Standardization / International
Electrotechnical Commission), was adopted, based on the RSA public-key scheme.
In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the
ElGamal signature scheme.
The search for new public-key schemes, improvements to existing cryptographic mechanisms,
and proofs of security continues at a rapid pace. Various standards and infrastructures involving
cryptography are being put in place. Security products are being developed to address the security
needs of an information intensive society. The principal goal of cryptography is to allow two people
to exchange confidential information, even if they can only communicate via a channel monitored
by an adversary.

2.2 Cryptography
Information security has grown into a significant issue in our digital life. The development of new
transmission technologies calls for specific security mechanisms, especially for data in transit. The
significance of network security increases day by day with the amount of data transferred across the
Internet. Cryptography and steganography provide the most significant techniques for information security.
Achieving information security in an electronic society requires a vast array of technical and
legal skills. There is, however, no guarantee that all of the information security objectives deemed
necessary can be adequately met. The technical means are provided through cryptography.
Cryptography comes from the Greek words kryptos, meaning hidden or secret, and graphein,
meaning writing. It is the conversion of information from a readable state to apparent nonsense.

Definition 17. Cryptography is the study of mathematical techniques related to aspects of informa-
tion security such as confidentiality, data integrity, entity authentication, and data origin authenti-
cation.



Note that cryptography is not the only means of providing information security, but rather one
set of techniques.

2.3 Cryptographic Security Services


Cryptography is about the prevention and detection of cheating and other malicious activities.
X.800 defines a security service as a service provided by a protocol layer of communicating open
systems which ensures adequate security of the systems and of the data transferred. RFC 2828 defines
a security service as a processing or communication service that is provided by a system
to give a specific kind of protection to system resources. Security services implement security policies
and are in turn implemented by security mechanisms.
Following the X.800 categorization, security services are divided into the following specific services, through
which the goals of cryptography (the security requirements) are achieved.

1. Data Confidentiality is a service used to keep the content of information from all but those
authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There
are numerous approaches to providing confidentiality, ranging from physical protection to
mathematical algorithms which render data unintelligible.

• Connection Confidentiality Is the protection of all user data in a connection.


• Connectionless Confidentiality This is the protection of all user data in a single data
block.
• Selective Field Confidentiality The confidentiality of selected fields within the user
data on a connection or in a single data block.
• Traffic Flow Confidentiality The prevention of information that might be derived
from observing a given traffic.

2. Data integrity is a service which addresses the unauthorized alteration of data. To assure
data integrity, one must have the ability to detect data manipulation by unauthorized parties.
Data manipulation includes such things as insertion, deletion, and substitution.

• Connection Integrity with Recovery Provides integrity for all user data on a connection
and detects any modification, insertion, deletion or replay of any data within an
entire data sequence, with recovery attempted.
• Connectionless Integrity Provides for the integrity of a single connectionless data
block, which may take the form of detection of data modification.
• Selective Field Connection Integrity Provides for the integrity of selected fields
within the user data transferred over a connection, determining whether the
selected fields have been modified, inserted, deleted or replayed.
• Selective Field Connectionless Integrity Provides for the integrity of selected
fields within a single connectionless data block, determining whether the selected fields have been
modified.

3. Authentication is a service related to identification. This function applies to both entities
and information itself. Two parties entering into a communication should identify each other.
Information delivered over a channel should be authenticated as to origin, date of origin, data
content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided
into two major classes: entity authentication and data origin authentication. Data origin
authentication implicitly provides data integrity (for if a message is modified, the source has
changed). Two specific authentication services are defined thus:

• Peer Entity Authentication Provides for the corroboration of the identity of a peer
entity (two entities implementing the same protocol in different systems) in an association.
It provides confidence in the identity of the connected entities.

• Data Origin Authentication Provides for the authentication of the source of a data unit,
without providing protection against modification or duplication of the data unit. In
a connectionless transfer, it provides assurance that the source of received data is as
claimed.

4. Non-repudiation is a service which prevents an entity from denying previous commitments


or actions. When disputes arise due to an entity denying that certain actions were taken,
a means to resolve the situation is necessary. For example, one entity may authorize the
purchase of property by another entity and later deny such authorization was granted. A
procedure involving a trusted third party is needed to resolve the dispute.

• Non-repudiation of Source This provides proof that the message was sent by the
specified party.
• Non-repudiation of Destination This provides proof that the message was received
by the specified party.

5. Access Control This is the prevention of un-authorized use of a resource. To achieve this,
each user must first be verified or authenticated before gaining access to the resource.

6. Availability guarantees that the system services are available whenever needed.

A fundamental goal of cryptography is to adequately address these areas, in particular confidentiality,
integrity, authentication and non-repudiation, in both theory and practice.

2.3.1 Cryptography & Steganography


Steganography, from the Greek words steganos, meaning covered, and graphein, meaning
writing, is the practice of concealing the existence of a message inside another message. Cryptography,
by contrast, conceals the meaning of a message so that it appears unintelligible, while the existence of the message remains visible.



3 Cryptographic Algorithms & Protocols
The need to have a secure system deployed over the insecure Internet depends on cryptographic
algorithms and protocols. Cryptographic protocols and algorithms are difficult to get right,
for they require rigorous mathematical analysis to establish their robustness; hence the need to
use protocols and algorithms that have been certified, are widely used, heavily analyzed, and
accepted as secure, rather than ones designed in-house.

3.1 Cryptographic Algorithhms (Ciphers)


A cryptographic algorithm (cipher) simply put, is a set of steps (an algorithm) for performing
both an encryption, and the corresponding decryption. All ciphers involve either transposition or
substitution, or a combination of the two operations. If the elements of the plaintext (e.g., a letter,
word, or string of symbols) are rearranged without any change in the identity of the elements, such
a cipher is called a transposition cipher. In substitution ciphers, elements are replaced by other
objects or groups of objects without distorting their sequence. Cipher devices or machines have
commonly been used to encipher and decipher messages.
The first cipher device appears to have been employed by the ancient Greeks around 400 BC for
secret communications between military commanders. This device, called the "scytale", consisted
of a tapered baton around which was spirally wrapped a piece of parchment inscribed with the
message (Fig. 2). When unwrapped, the parchment bore an incomprehensible set of letters, but
when wrapped around another baton of identical proportions, the original text reappeared. Other
examples of ancient ciphers include the Caesar cipher and the Vigenère cipher.

Figure 2: The Scytale

3.2 Classical Ciphers


The term classical ciphers refers to encryption techniques which have become well known and were
created before the second half of the twentieth century. Some such ciphers were
created many hundreds of years earlier. Most of the early ciphers are variations of simple substitution
and simple transposition.

3.2.1 Monoalphabetic and Polyalphabetic Cipher


Monoalphabetic cipher is a substitution cipher in which for a given key, the cipher alphabet for
each plain alphabet is fixed throughout the encryption process. For example, if ‘A’ is encrypted as
‘D’, for any number of occurrence in that plaintext, ‘A’ will always get encrypted to ‘D’.



The simple substitution ciphers discussed in this chapter, such as the Caesar cipher, are monoalphabetic;
these ciphers are highly susceptible to cryptanalysis, because the letter frequencies of the plaintext survive unchanged in the ciphertext.
A Polyalphabetic Cipher is a substitution cipher in which the cipher alphabet for the plain alphabet
may be different at different places during the encryption process.

3.2.2 Caesar Cipher


The Caesar cipher is one of the earliest known and simplest ciphers. It is a type of substitution
cipher in which each letter in the plaintext is 'shifted' a certain number of places down the alphabet.
For example, with a shift of 1, A would be replaced by B, B would become C, and so on. The method
is named after Julius Caesar, who apparently used it to communicate with his generals. In a Caesar
cipher, we first translate all of our characters to numbers, 'a' = 0, 'b' = 1, 'c' = 2, ..., 'z' = 25. We
can now represent the Caesar cipher encryption function, $E(x)$, where $x$ is the character we are
encrypting, as:
$$E(x) \equiv (x + k) \pmod{26} = x'$$
where $k$ is the key (the shift) applied to each letter. After applying this function the result is a
number which must then be translated back into a letter. The decryption function is:
$$D(x') \equiv (x' - k) \pmod{26} = x.$$
Since there are only 26 possible keys (and $k = 0$ does nothing), an attacker can simply try them all.
The following is encrypted and decrypted with a shift (key) $k = 1$:

plaintext: defend the east wall of the castle
ciphertext: efgfoe uif fbtu xbmm pg uif dbtumf

3.2.3 Vigenère
The Vigenère Cipher is a polyalphabetic substitution cipher. The method was originally described
by Giovan Battista Bellaso in 1553. However, the scheme was later misattributed to Blaise de
Vigenère in the 19th century, and is now widely known as the Vigenère cipher.
In a Vigenère cipher, a keyword is used as the key, together with the tableau in Figure 3 (row $i$ of the
tableau is the alphabet shifted by $i$, so the cipher is a Caesar shift whose key changes letter by letter). Suppose we
want to encipher the message DEFENDTHEEASTWALLOFTHECASTLE using the keyword
FORTIFICATION.
We repeat the keyword above the plaintext until the plaintext is exhausted:
FORTIFICATIONFORTIFICATIONFO
DEFENDTHEEASTWALLOFTHECASTLE
Now we take the letter we are encoding, 'D', and find it in the first column of the tableau.
Then we move along the 'D' row of the tableau until we come to the column with 'F' at the
top ('F' is the keyword letter above the first 'D'); the intersection is our ciphertext character, 'I'.
So, the encryption is thus:

F O R T I F I C A T I O N F O R T I F I C A T I O N F O
D E F E N D T H E E A S T W A L L O F T H E C A S T L E
I S W X V I B J E X I G G B O C E W K B J E V I G G Q S.

Table 7: Encryption Using the Vigenere Cipher.



Figure 3: Vigenere Cipher
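The Caesar and Vigenère ciphers of the two preceding subsections, as one added runnable example (this code is not part of the lecture notes). Because a Caesar shift is a Vigenère cipher with a one-letter keyword, a single routine serves both; it reproduces the two ciphertexts given above and adds a frequency count that recovers a Caesar key from ciphertext alone. The function names are this example's own, and `crack_caesar` assumes English plaintext in which 'e' is the most frequent letter.

```python
# Added example (not from the lecture notes): shift ciphers over the 26-letter alphabet.
# The Caesar cipher is a Vigenère cipher whose keyword has length 1, so a single routine
# covers both, and a frequency-count helper shows why monoalphabetic ciphers break easily.
import string

ALPHABET = string.ascii_lowercase


def shift_char(c, k):
    """E(x) = (x + k) mod 26 for a letter, with 'a'=0 ... 'z'=25; non-letters pass through."""
    if c.isalpha():
        base = ord("A") if c.isupper() else ord("a")
        return chr((ord(c) - base + k) % 26 + base)
    return c


def vigenere(text, keyword, decrypt=False):
    """Encrypt (or decrypt) text with a keyword. The keyword advances only on letters,
    so spaces and punctuation in the plaintext are preserved and do not consume key."""
    if not keyword or not keyword.isalpha():
        raise ValueError("keyword must be a non-empty string of letters")
    shifts = [ord(k) - ord("a") for k in keyword.lower()]
    out, j = [], 0
    for c in text:
        if c.isalpha():
            k = shifts[j % len(shifts)]
            out.append(shift_char(c, -k if decrypt else k))
            j += 1
        else:
            out.append(c)
    return "".join(out)


def caesar(text, k, decrypt=False):
    """Caesar shift by k, i.e. Vigenère with the one-letter keyword chr(ord('a') + k)."""
    return vigenere(text, ALPHABET[k % 26], decrypt)


def letter_frequencies(text):
    """Counts per ciphertext letter. Under a monoalphabetic cipher these are simply the
    plaintext frequencies relabelled, which is what frequency analysis exploits."""
    counts = {}
    for c in text.lower():
        if c.isalpha():
            counts[c] = counts.get(c, 0) + 1
    return counts


def crack_caesar(ciphertext):
    """Recover a Caesar key assuming the most common ciphertext letter stands for 'e'
    (assumption: English plaintext long enough for the statistics to hold)."""
    counts = letter_frequencies(ciphertext)
    top = max(counts, key=counts.get)
    return (ord(top) - ord("e")) % 26


if __name__ == "__main__":
    print(caesar("defend the east wall of the castle", 1))
    # efgfoe uif fbtu xbmm pg uif dbtumf
    print(vigenere("DEFENDTHEEASTWALLOFTHECASTLE", "FORTIFICATION"))
    # ISWXVIBJEXIGGBOCEWKBJEVIGGQS
    print(crack_caesar("efgfoe uif fbtu xbmm pg uif dbtumf"))   # 1
```

The same frequency attack defeats the Vigenère cipher once the keyword length $L$ is known (by the Kasiski test or index of coincidence): every $L$-th ciphertext letter was encrypted with the same shift, so the ciphertext splits into $L$ independent Caesar ciphers.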

3.2.4 Hill Cipher


Invented by Lester S. Hill in 1929, the Hill cipher is a polygraphic substitution cipher based on
linear algebra. Hill used matrices and matrix multiplication to mix up the plaintext. The encryption
algorithm takes $m$ successive plaintext letters and substitutes for them $m$ ciphertext letters. Each
character is assigned a numerical value ($a = 0, b = 1, \ldots, z = 25$) and the key is an $m \times m$ matrix $K$,
which must be invertible modulo 26, i.e. $\gcd(\det K, 26) = 1$.
To encrypt three letters at a time, a matrix of dimension $3 \times 3$ is used as the key:
$$\begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \equiv \begin{pmatrix} K_{11} & K_{12} & K_{13} \\ K_{21} & K_{22} & K_{23} \\ K_{31} & K_{32} & K_{33} \end{pmatrix} \begin{pmatrix} P_1 \\ P_2 \\ P_3 \end{pmatrix} \pmod{26},$$
that is,
$$C \equiv KP \pmod{26}, \qquad P \equiv K^{-1} C \pmod{26} = K^{-1} K P = P.$$
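The Hill cipher with the modular matrix inverse that $P \equiv K^{-1}C \pmod{26}$ requires, as an added runnable example (this code is not part of the lecture notes). The inverse is computed from the adjugate, which also makes the invertibility condition explicit: it fails unless $\gcd(\det K, 26) = 1$. The key matrix is the common textbook key GYBNQKURP (rows G Y B / N Q K / U R P), chosen here because $\det K = 441 \equiv 25 \pmod{26}$ is coprime to 26; the padding letter 'X' and the function names are this example's own.

```python
# Added example (not from the lecture notes): Hill cipher with an n x n key matrix, including
# the modular matrix inverse needed for P = K^{-1} C (mod 26).
from math import gcd


def to_num(s):
    return [ord(c) - ord("A") for c in s.upper()]


def to_str(v):
    return "".join(chr(x % 26 + ord("A")) for x in v)


def det_mod(M, m):
    """Determinant by cofactor expansion along the first row, reduced mod m."""
    n = len(M)
    if n == 1:
        return M[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * M[0][j] * det_mod(minor, m)
    return total % m


def inverse_mod(M, m):
    """K^{-1} mod m via the adjugate: K^{-1} = det(K)^{-1} * adj(K); needs gcd(det, m) = 1."""
    n = len(M)
    d = det_mod(M, m)
    if gcd(d, m) != 1:
        raise ValueError("key matrix is not invertible mod %d (det = %d)" % (m, d))
    d_inv = pow(d, -1, m)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]
            adj[j][i] = (-1) ** (i + j) * det_mod(minor, m)   # transposed cofactor
    return [[adj[i][j] * d_inv % m for j in range(n)] for i in range(n)]


def mat_vec(M, v, m):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % m for i in range(len(M))]


def hill(text, K, decrypt=False):
    """Apply C = K P (mod 26) blockwise; plaintext is padded with 'X' (assumption) to a
    multiple of n, and ciphertext must already be a whole number of blocks."""
    n = len(K)
    M = inverse_mod(K, 26) if decrypt else K
    nums = to_num("".join(c for c in text if c.isalpha()))
    if not decrypt and len(nums) % n:
        nums += [ord("X") - ord("A")] * (n - len(nums) % n)
    if len(nums) % n:
        raise ValueError("ciphertext length is not a multiple of the block size")
    out = []
    for b in range(0, len(nums), n):
        out += mat_vec(M, nums[b:b + n], 26)
    return to_str(out)


KEY = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]   # "GYBNQKURP", written row by row

if __name__ == "__main__":
    c = hill("ACT", KEY)
    print(c, hill(c, KEY, decrypt=True))          # POH ACT
```

Because encryption is linear, $m$ known plaintext/ciphertext block pairs whose plaintext matrix is invertible mod 26 give $K$ directly by solving $C = KP$, so the Hill cipher falls to a known-plaintext attack despite resisting single-letter frequency analysis.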

3.2.5 The XOR Cipher


Assume the message is a number $0 \le M \le 2^n - 1$, i.e. a binary number of $n$ bits. Alice and
Bob agree on a binary number $K$, also of $n$ bits. So in this case,
$$\mathcal{M} = \mathcal{C} = \mathcal{K} = \{0, 1\}^n, \quad \text{binary sequences of length } n.$$
Define now the operation $\oplus$ as bitwise addition of binary digits (addition modulo 2 in each position). Let
$$a = \sum_{i=0}^{n-1} a_i 2^i \quad \text{and} \quad b = \sum_{i=0}^{n-1} b_i 2^i,$$
then
$$a \oplus b = \sum_{i=0}^{n-1} c_i 2^i$$
where $c_i = 0$ if $a_i = b_i$ and $c_i = 1$ if $a_i \ne b_i$.
If we let $E_K(M) = M \oplus K$ and $D_K = E_K$, then
$$D_K(E_K(M)) = (M \oplus K) \oplus K = M \oplus (K \oplus K) = M \oplus 00\ldots0 = M.$$
Since Eve does not know $K$, she has to consider all $2^n$ possible keys between $0$ and $2^n - 1$, which
is hopeless if $n$ is large enough. In fact, if $K$ is uniformly random and used for a single message, exhaustive search cannot even identify the right key: every candidate $K'$ decrypts $C$ to some plaintext $M' = C \oplus K'$ of the same length, and all are equally plausible. This is the one-time pad. The security disappears as soon as $K$ is reused, since two ciphertexts under the same key satisfy $C_1 \oplus C_2 = M_1 \oplus M_2$, which leaks the relationship between the plaintexts.
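The XOR cipher on $n$-bit strings, as an added runnable example (this code is not part of the lecture notes). It checks the identity $D_K(E_K(M)) = M$, shows why exhaustive search over $K$ is useless rather than merely slow (any key "works"), and shows the leak $C_1 \oplus C_2 = M_1 \oplus M_2$ when one key is used twice. All messages below are constructed for the demonstration, and the function names are this example's own.

```python
# Added example (not from the lecture notes): the XOR cipher on n-bit strings, as bytes.
import os


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("XOR cipher needs key and message of equal length n")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(message, key):
    """E_K(M) = M xor K."""
    return xor_bytes(message, key)


decrypt = encrypt      # D_K = E_K: applying K twice cancels, since K xor K = 0


def keygen(n):
    """A fresh uniformly random n-byte key; only then is the scheme a one-time pad."""
    return os.urandom(n)


def key_for(ciphertext, candidate_plaintext):
    """Given C and any guess M' of the same length, the key K' = C xor M' decrypts C to M'.
    Brute force therefore cannot tell the real plaintext from any other one: the ciphertext
    carries no information about M when K is uniform and used once."""
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1, c2):
    """If the same K encrypts M1 and M2 then C1 xor C2 = M1 xor M2, independent of K."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m = b"attack at dawn"                     # constructed sample message
    k = keygen(len(m))
    c = encrypt(m, k)
    print(decrypt(c, k) == m)                 # True
    # an attacker can "decrypt" c to any message of the same length
    k_fake = key_for(c, b"attack at dusk")
    print(decrypt(c, k_fake))                 # b'attack at dusk'
    # reuse of k across two messages leaks their XOR
    m2 = b"retreat at noon"[:len(m)]
    print(two_time_pad_leak(c, encrypt(m2, k)) == xor_bytes(m, m2))   # True
```

The two-time-pad leak is what makes stream ciphers with repeated keystreams (WEP's IV reuse, or any nonce reuse in a modern stream mode) practically breakable: once $M_1 \oplus M_2$ is known, guessing part of one message reveals the corresponding part of the other.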

3.3 Cryptosystem
A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system.

Components of a Cryptosystem. A basic cryptosystem consists of the following components:

• Plaintext: The data to be protected during transmission.

• Encryption Algorithm: A mathematical process that produces a ciphertext for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a ciphertext.

• Ciphertext: The scrambled version of the plaintext produced by the encryption algorithm using a specific encryption key. The ciphertext is not guarded; it flows on a public channel and can be intercepted by anyone who has access to the communication channel.

• Decryption Algorithm: A mathematical process that produces a unique plaintext for any given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.

• Encryption Key: A value that is known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the ciphertext.

• Decryption Key: A value that is known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext in order to compute the plaintext. For a given cryptosystem, the collection of all possible keys is called the key space.

Cryptosystems (cryptographic algorithms) are characterized as follows:

• The number of keys used in encryption and decryption determines whether the system is symmetric or
asymmetric. When a single shared key is used for both operations, it is referred to as symmetric (secret-key) encryption.
It is asymmetric when the sender and the receiver use different keys for encryption and
decryption.

• The way the plaintext is processed also determines another categorization into either
Stream or block ciphers. A stream cipher processes the input continuously while the block
cipher processes a block of inputs at a time.



• Mode of operation transforming plaintext to ciphertext (encryption) are based on two
general principles substitution and transposition. In substitution, the elements in the
plaintext (bits, alphabets etc) are mapped into other elements while transposition rearrange
the elements. This is done in such a way that no information is lost while transforming from
plaintext to ciphertext. This is achieved only when all the operations are reversible.

3.4 Algorithm Classification Based On Keys


There are two types of cryptosystems based on the manner in which encryption-decryption is carried
out in the system, namely, Symmetric Key Encryption and Asymmetric Key Encryption.

3.4.1 Symmetric Key Algorithm (secret key algorithms)


This type of algorithm requires that the same secret key be shared by the communicating parties (e.g. RC4,
RC6, Blowfish). Both the sender and receiver share a single key. The sender uses this key to
encrypt the plaintext and sends the ciphertext to the receiver. On the other side, the receiver applies
the same key to decrypt the message and recover the plaintext, Fig. 4.

Figure 4: Symmetric Key Algorithm

The symmetric key cryptography is faced with a number of challenges. There are two restrictive
challenges of employing symmetric key cryptography.
Key establishment - Before any communication, both the sender and the receiver need to agree
on a secret symmetric key. It requires a secure key establishment mechanism in place.
Trust Issue - Since the sender and the receiver use the same symmetric key, there is an implicit
requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that
the receiver has lost the key to an attacker and the sender is not informed.
These two challenges are highly restraining for modern day communication. Today, people need
to exchange information with non-familiar and non-trusted parties. For example, a communication
between online seller and customer. These limitations of symmetric key encryption gave rise to
asymmetric key encryption schemes.
Suppose Alice wants to send a message to Bob through an insecure channel (constantly observed
by Eve) using a symmetric cipher. Both of them have to agree on a secret key $K$. It is this key that
they will both use, for encryption (by Alice) and decryption (by Bob). This is the kind of cipher
that uses a common key $K$ for both encryption and decryption. A symmetric cipher has about five
ingredients. Let $M = [M_1, M_2, \ldots, M_N]$ be the $N$ elements of a message (plaintext) that is required to
be sent. A key $K$, drawn from a set of possible keys $[K_1, K_2, \ldots, K_j]$, is used by an encryption algorithm $E_K$
to generate the ciphertext $C = [C_1, C_2, \ldots, C_N]$. This can be presented as

$$C = E_K(M)$$

The intended receiver, who also has knowledge of the key $K$, decrypts the ciphertext using a
decryption algorithm $D_K$ to get back the original message $M$:

$$M = D_K(C)$$

This operation is illustrated in Figure 4.


Let $\mathcal{M}$ be the set of possible plaintext messages, $\mathcal{K}$ the space of keys and $\mathcal{C}$ the space
of possible ciphertexts; then encryption $E$ can be seen as the function
$$E : \mathcal{K} \times \mathcal{M} \to \mathcal{C}$$
whose domain $\mathcal{K} \times \mathcal{M}$ is the set of pairs $(K, M)$ and whose range is the space $\mathcal{C}$. For decryption
$D$, we have a function of the form
$$D : \mathcal{K} \times \mathcal{C} \to \mathcal{M}.$$
To be able to recover $M \in \mathcal{M}$ exactly, the encryption and decryption algorithms must be inverses
of each other for each particular $K$:
$$D_K(E_K(M)) = M \quad \forall\, K \in \mathcal{K},\ M \in \mathcal{M}.$$

Definition 18. A symmetric cryptosystem is a 5-tuple $(\mathcal{K}, \mathcal{M}, \mathcal{C}, E, D)$ where $\mathcal{K}, \mathcal{M}, \mathcal{C}$ are
sets and $E : \mathcal{K} \times \mathcal{M} \to \mathcal{C}$, $D : \mathcal{K} \times \mathcal{C} \to \mathcal{M}$ are functions satisfying, for every $K \in \mathcal{K}$ and $M \in \mathcal{M}$,
$D_K(E_K(M)) = M$, where $E_K(M) = E(K, M)$ and $D_K(C) = D(K, C)$.

Assume that $n$ users are connected in a network and any two of them may want to communicate.
This would require each user to securely store $n - 1$ different symmetric keys (one for each other
user), resulting in a total of $n(n-1)/2$ keys. If the network connects, say, 2000 university
students, then there will be roughly 2 million different keys. A huge key management and distribution
problem is imminent.
A better solution to the key distribution problem is obtained if we use a symmetric key distribution
protocol with a trusted third party (TTP). Each user has a unique secret key shared with the TTP.
When two users would like to communicate, they establish a shared secret key, usually called a
session key, by interacting with the TTP. There are still drawbacks that can be serious problems in
certain situations. For example, we need access to, and trust in, a TTP, and we still need to distribute
one key shared with the TTP to each user. These drawbacks are avoided by what
is referred to as Public Key Cryptography, described next.

3.4.2 Asymmetric Key Algorithm (public key algorithms)


In Public-Key Cryptography (e.g. Diffie-Hellman, RSA, Elliptic Curve), two related keys (a public and
a private key) are used. The public key is made public and may be freely distributed, while its paired
private key is kept secret by a single entity. The public key is used for encryption and the private key for
decryption, Fig. 5.



Figure 5: Asymmetric Algorithm

Public-key cryptosystems have one significant challenge. The need for the user to trust that the
public key that he is using in communications with a person really is the public key of that person
and has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted
third party. The third party securely manages and attests to the authenticity of public keys. When
the third party is requested to provide the public key for any communicating person X, it is
trusted to provide the correct public key.
The third party satisfies itself about user identity by the process of attestation, notarization, or
some other process that X is the one and only, or globally unique, X. The most common method of
making the verified public keys available is to embed them in a certificate which is digitally signed
by the trusted third party.
In a public key cryptosystem (PKC), two keys are used, the public key $K_{pub}$ and the
private key $K_{priv}$. The concept of PKC evolved from an attempt to solve two problems: key
distribution and the construction of digital signatures.
$K_{pub}$ is computed from $K_{priv}$ by a key generation algorithm (the reverse computation must be infeasible). For each pair $(K_{pub}, K_{priv})$,
there is an encryption algorithm $E_{K_{pub}}$ and the corresponding decryption algorithm $D_{K_{priv}}$. The
encryption algorithm $E_{K_{pub}}$ corresponding to $K_{pub}$ is made public, and $D_{K_{priv}}$ is easily
computable for anyone who knows $K_{priv}$. The private key $K_{priv}$ is thus the trapdoor information
for the function $E_{K_{pub}}$: without it, it is hard to compute the inverse of $E_{K_{pub}}$.

3.5 Classification Based on Plaintext Processing


3.5.1 Stream Ciphers
A stream cipher is an encryption algorithm that encrypts one bit or byte of plaintext at a time
(Figure 6a). It expands a short secret key into a long stream of pseudorandom bits (the key stream)
and combines it with the plaintext, usually by XOR. For a stream cipher implementation to remain
secure, its pseudorandom generator must be unpredictable and the key stream must never be reused
(two messages encrypted under the same key stream leak their XOR). The short key, not the key
stream, is what the users must agree on in advance via an independent and secure channel. Stream
ciphers are designed to approximate an idealized cipher, the One-Time Pad. RC4 (Figure 6b), which
stands for Rivest Cipher 4, was for many years the most widely used of all stream ciphers, particularly
in software. It is also known as ARCFOUR or ARC4. RC4 has been used in various protocols such as
Wired Equivalent Privacy (WEP) and the TKIP mode of Wi-Fi Protected Access (WPA), both security
protocols for wireless networks, as well as in TLS. Unfortunately, studies have revealed exploitable
biases in the RC4 key stream, prompting Mozilla and Microsoft to recommend that it be disabled
where possible; RFC 7465 (2015) prohibits its use in TLS.

(a) Stream Cipher (b) RC4 Cipher

Figure 6: Stream Cipher

3.5.2 Block Ciphers


Block ciphers encrypt blocks of a fixed size through a sequence of simple operations, producing blocks of
ciphertext of the same length. Most block ciphers use a block length of either 64 bits or 128 bits. A block
cipher that operates on a plaintext block of length $n$ produces a ciphertext block of length $n$. Thus there are
$2^n$ possible different plaintext blocks, and each must map to a distinct ciphertext block so that decryption
is possible; such an encryption is said to be reversible. A cipher that can realise any reversible mapping
between plaintext and ciphertext blocks is referred to as an ideal cipher. The error propagation
phenomenon means that errors in the ciphertext produce errors in the decrypted plaintext, so it
matters how far a bit error in the ciphertext spreads on decryption; this depends on the mode of operation.
The most popular block ciphers include, among others, DES, 3DES, AES, Blowfish and Twofish.
An iterated block cipher is one that encrypts a plaintext block by a process that has several rounds.
In each round, the same transformation or round function is applied to the data using a subkey.
The set of subkeys is usually derived from the user-provided secret key by a key schedule. The
number of rounds in an iterated cipher depends on the desired security level and the consequent
trade-off with performance. In most cases, an increased number of rounds will improve the security
offered by a block cipher, but for some ciphers the number of rounds required to achieve adequate
security would be too large for the cipher to be practical or desirable.
A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger
than the block size. Hence, the long message is divided into a series of sequential message blocks,
and the cipher operates on these blocks one at a time.

The modes of operation of a block cipher are the ways of applying the cipher to messages longer
than one block, so that it can process large data streams without compromising the security the
cipher provides. These configurations, called the block cipher modes of operation, include:

Electronic Code Book (ECB): In ECB mode, the user takes the first block of plaintext M_1
and encrypts it with the key K to produce the first block of ciphertext C_1. He then takes the second
block of plaintext M_2 and encrypts it in the same way with the same key K, and so on until all
plaintext blocks are exhausted (Fig. 7). The ECB mode is deterministic: if the plaintext blocks
M_1, M_2, ..., M_n are encrypted twice under the same key, the output ciphertext blocks will be the
same (the same plaintext block always maps to the same ciphertext block), so an eavesdropper can
see which plaintext blocks of a message are equal.
Encryption:

CSE 654 31 2021/2022 Session

Figure 7: Electronic Codebook (ECB) Mode

Input:
k-bit key K,
t-bit plaintext blocks M = M_1 M_2 ... M_n.
Algorithm: $C_i = E_K(M_i)$.
Output: t-bit ciphertext blocks C = C_1 C_2 ... C_n.
Decryption:
Input:
k-bit key K,
t-bit ciphertext blocks C = C_1 C_2 ... C_n.
Algorithm: $M_i = D_K(C_i)$.
Output: t-bit plaintext blocks M = M_1 M_2 ... M_n.
In general, the use of a deterministic encryption scheme is highly discouraged, since it leaks
repeated plaintext blocks, and hence the ECB mode should not be used in most applications.

Cipher Block Chaining (CBC): Cipher block chaining mode XORs (bitwise vector sum) each
message block with the previous ciphertext block prior to enciphering.

Figure 8: Cipher Block Chaining (CBC) Mode

The chain is initialized with a randomly chosen block, the initialization vector C_0, which may be
transmitted openly: the security of the cryptosystem rests on the secrecy of the key, not on the
secrecy of the initialization vector. The initialization vector must, however, be unpredictable to an
attacker who can choose plaintexts; with a predictable IV the first block becomes as deterministic
as ECB.
Encryption:
Input:
k-bit key K,
t-bit initialization vector C_0,
t-bit plaintext blocks M_1 M_2 ... M_n.
Algorithm: $C_i = E_K(C_{i-1} \oplus M_i)$.
Output: t-bit ciphertext blocks C_1 C_2 ... C_n.
Decryption:
Input:
k-bit key K,
t-bit initialization vector C_0,
t-bit ciphertext blocks C_1 C_2 ... C_n.
Algorithm: $M_i = C_{i-1} \oplus D_K(C_i)$.
Output: t-bit plaintext blocks M_1 M_2 ... M_n.
CBC has the following properties:
1. Identical plaintext: The same sequence of ciphertext blocks results when the same key and
the same initialization vector are used; changing the initialization vector changes the ciphertext.

2. Chaining dependencies: The chaining mechanism causes $C_i$ to depend on $C_{i-1}$ and $M_i$, so
enciphering is order dependent: ciphertext blocks cannot be reordered without affecting decryption.

3. Error propagation: An error in a ciphertext block $C_i$ affects the decipherment of $C_i$ and $C_{i+1}$.
For a reasonable enciphering algorithm, a single bit error affects about 50% of the bits in the
deciphered plaintext block $M_i'$, while it affects only the same bit position of $M_{i+1}'$, since
$M_{i+1}' = C_i \oplus D_K(C_{i+1})$ (error propagation).

4. Error recovery: The cryptosystem is self-recovering, in the sense that while an error in $C_i$
results in incorrectly deciphered plaintext blocks $M_i'$ and $M_{i+1}'$, the ciphertext block $C_{i+2}$
correctly deciphers to $M_{i+2}' = M_{i+2}$. Note that the same property lets an attacker who can
modify $C_i$ flip chosen bits of $M_{i+1}$: CBC provides no integrity protection on its own.
Cipher Feedback (CFB): The cipher feedback mode allows one to process blocks of size r < n at a
time. The typical value for r is 1, while n may be of size 64.

Figure 9: Cipher Feedback (CFB) Mode


Encryption:
Input:
k-bit key K,
n-bit initialization vector I_1,
r-bit plaintext blocks M = M_1 M_2 ... M_n.
Algorithm:
$C_i = M_i \oplus L_r(E_K(I_i))$, $I_{i+1} = R_{n-r}(I_i) \,\|\, C_i$,
where $L_r$ and $R_{n-r}$ are the operators which take the left-most r bits and the right-most n-r
bits respectively, and $\|$ is the concatenation operator. The vector $I_i$ should be thought of as a
shift register, a block of n bits of memory which stores the state of the algorithm. The formation
of $I_{i+1}$ is a left shift by r bits of this block, discarding the left-most r bits, with the right-most
r bits replaced by $C_i$.
Decryption:
Input:
k-bit key K,
n-bit initialization vector I_1,
r-bit ciphertext blocks C = C_1 C_2 ... C_n.
Algorithm: compute $I_1, \dots, I_n$ as in the enciphering algorithm (the register is fed by the
ciphertext blocks, so it can be reconstructed without the deciphered text), and then compute

$M_i = C_i \oplus L_r(E_K(I_i))$.

Note that CFB deciphering requires only the forward function $E_K$ of the block cipher; $D_K$ is
never used.


CFB has the following properties:

1. Identical plaintext: The same sequence of ciphertext blocks results when the same key and
initialization vector are used. Changing the initialization vector changes the ciphertext.

2. Chaining dependencies: Ciphertext block $C_i$ depends on the previous plaintext blocks
$M_{i-1}, \dots, M_1$ as well as $M_i$, so the ciphertext blocks are not reordering independent.

3. Error propagation: An error in $C_i$ affects the decipherment of $C_i$ and of the next $\lceil n/r \rceil$
plaintext blocks. The recovered plaintext $M_i'$ differs from $M_i$ at exactly the bits for which $C_i$
was in error; while the erroneous $C_i$ remains in the shift register, the keystream for the following
blocks is wrong, so $M_{i+k}'$ for $1 \le k \le \lceil n/r \rceil$ are garbled.

4. Error recovery: Proper deciphering requires the shift register to be correct, for which the
previous $\lceil n/r \rceil$ ciphertext blocks are required. The decipherment is self-recovering from
errors, but only after $\lceil n/r \rceil$ blocks, i.e. once the n bits of ciphertext containing the error
have been shifted out of the register.

5. Throughput: The rate of enciphering and deciphering is reduced by a factor of n/r, that is,
for every r bits of output the algorithm must carry out one n-bit block encryption.

Output Feedback (OFB): Output feedback mode has a similar use as cipher feedback mode,
but is relevant to applications for which error propagation must be avoided. Output feedback mode
is an example of a synchronous stream cipher (constructed from a block cipher), in which the
keystream is created independently of the plaintext stream.

Figure 10: Output Feedback (OFB) Mode
Encryption:
Input:
k-bit key K,
n-bit initialization vector I_0,
r-bit plaintext blocks M = M_1 M_2 ... M_n.
Algorithm:
$I_i = E_K(I_{i-1})$, $C_i = M_i \oplus L_r(I_i)$.
Decryption:
Input:
k-bit key K,
n-bit initialization vector I_0,
r-bit ciphertext blocks C = C_1 C_2 ... C_n.
Algorithm: compute $I_1, \dots, I_n$ as in the enciphering algorithm, then

$M_i = C_i \oplus L_r(I_i)$.

OFB has the following properties:

1. Identical plaintext: The same as for CBC and CFB. Because the keystream depends only on K
and $I_0$, an initialization vector must never be reused under the same key: two messages encrypted
with the same keystream leak their XOR.

2. Chaining dependencies: The ciphertext output is order dependent, but the keystream
$I_1, I_2, \dots$ is plaintext independent.

3. Error propagation: An error in a ciphertext bit affects only that bit of the plaintext.

4. Error recovery: The cipher is synchronous rather than self-synchronizing: bit errors in a
ciphertext block affect only the corresponding bits of the recovered plaintext, so it recovers
immediately from bit errors, but lost or inserted bits destroy the alignment between keystream
and ciphertext for the rest of the message.

5. Throughput: As with CFB, the rate of enciphering and deciphering is reduced by a factor
of n/r; however, the vectors $I_i$ can be precomputed from K and $I_0$, independently of the
plaintext or ciphertext blocks.
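The four modes above, as an added worked example that is not part of the original notes: a Python implementation of ECB, CBC, CFB and OFB written directly from the equations, together with the error-propagation experiments from the property lists. The block cipher $E_K$ is a constructed 64-bit, 4-round Feistel network whose round function is HMAC-SHA256; it stands in for DES/AES so that the code runs with the standard library alone and is not a cipher anyone should deploy. The key, IV and message are constructed sample values, and r and n are measured in bytes rather than bits.

```python
import hmac
import hashlib

BLOCK = 8   # n = 64-bit block, as in DES; keys, IVs and messages are bytes


def _f(key, half, i):
    """Round function: a keyed PRF of the right half (HMAC-SHA256 truncated to 4 bytes)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_encrypt(key, block):
    """E_K on one 8-byte block: a constructed 4-round Feistel network (toy cipher, not for use)."""
    L, R = block[:4], block[4:]
    for i in range(4):
        L, R = R, xor(L, _f(key, R, i))
    return R + L                      # undo the last swap so decryption can reuse the loop


def block_decrypt(key, block):
    """D_K: the same network with the rounds applied in reverse order."""
    L, R = block[:4], block[4:]
    for i in reversed(range(4)):
        L, R = R, xor(L, _f(key, R, i))
    return R + L


def ecb_encrypt(key, msg):
    """C_i = E_K(M_i): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, m) for m in blocks(msg, BLOCK))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, c) for c in blocks(ct, BLOCK))


def cbc_encrypt(key, iv, msg):
    """C_i = E_K(C_{i-1} xor M_i) with C_0 = iv."""
    out, prev = [], iv
    for m in blocks(msg, BLOCK):
        prev = block_encrypt(key, xor(prev, m))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    """M_i = C_{i-1} xor D_K(C_i)."""
    out, prev = [], iv
    for c in blocks(ct, BLOCK):
        out.append(xor(prev, block_decrypt(key, c)))
        prev = c
    return b"".join(out)


def cfb(key, iv, data, r=1, decrypt=False):
    """r-byte CFB: C_i = M_i xor L_r(E_K(I_i)), I_{i+1} = R_{n-r}(I_i) || C_i; decryption feeds C_i back."""
    out, reg = [], iv
    for seg in blocks(data, r):
        o = xor(seg, block_encrypt(key, reg)[:r])    # L_r(E_K(I_i)); only E_K is ever needed
        c = seg if decrypt else o                     # the ciphertext segment C_i
        reg = reg[r:] + c                             # shift left by r, append C_i
        out.append(o)
    return b"".join(out)


def ofb(key, iv, data, r=1):
    """r-byte OFB: I_i = E_K(I_{i-1}), C_i = M_i xor L_r(I_i); the keystream is data-independent."""
    out, reg = [], iv
    for seg in blocks(data, r):
        reg = block_encrypt(key, reg)
        out.append(xor(seg, reg[:r]))
    return b"".join(out)


def flip_bit(data, index, bit=0):
    """Simulate a transmission error: flip one bit of byte `index`."""
    b = bytearray(data)
    b[index] ^= 1 << bit
    return bytes(b)


def damaged_blocks(original, recovered, size=BLOCK):
    """Indices of the size-byte units where the recovered plaintext differs from the original."""
    return [i for i, (a, b) in enumerate(zip(blocks(original, size), blocks(recovered, size))) if a != b]


# Constructed sample inputs (not from the notes): 6 blocks, blocks 0-1 equal blocks 2-3.
KEY = b"constructed-example-key"
IV = bytes(range(BLOCK))
MSG = b"ATTACK AT DAWN. " * 2 + b"keep it secret!!"

if __name__ == "__main__":
    ct = ecb_encrypt(KEY, MSG)
    print("ECB leaks the repeat:", ct[:16] == ct[16:32])
    rec = cbc_decrypt(KEY, IV, flip_bit(cbc_encrypt(KEY, IV, MSG), 8))
    print("CBC blocks hit by a 1-bit error in C_1:", damaged_blocks(MSG, rec))
    rec = cfb(KEY, IV, flip_bit(cfb(KEY, IV, MSG), 10, 3), decrypt=True)
    print("CFB bytes hit by a 1-bit error in byte 10:", damaged_blocks(MSG, rec, 1))
```

Running it shows the ECB repeat (ciphertext blocks 0-1 equal blocks 2-3 because the plaintext repeats), that a one-bit error in CBC block $C_1$ damages blocks 1 and 2 only (block 2 in exactly the flipped bit position), that in 1-byte CFB an error in byte 10 can damage bytes 10 to 18 (the n/r = 8 following segments) and nothing after, and that in OFB it damages byte 10 only.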

Notable examples of block ciphers include:

• DES (Data Encryption Standard). Block size: 64 bits; key size: 56 bits. DES was designed
by IBM in 1973-4, tweaked by the NSA, then became the US standard for encryption. International
adoption followed. Its 56-bit key is now far too short: exhaustive key search is practical.

• 3DES (Triple DES). Block size: 64 bits; key size: 112 or 168 bits. 3DES is a strengthening of
DES, standardised in 1998 because 56-bit keys had become feasible to brute force. 3DES is simply
three DES operations (encrypt, decrypt, encrypt) with two different keys, for a 112-bit key, or with
three different keys, for a 168-bit key. Meet-in-the-middle attacks reduce the strength of three-key
3DES to about 112 bits, its 64-bit block limits how much data may safely be encrypted under one
key, and NIST has deprecated it.

• AES (Advanced Encryption Standard). Block size: 128 bits; key size: 128, 192, or 256 bits.
AES resulted from a public competition held by NIST, ending in 2001. It is now the US standard,
approved by the NSA for Top Secret information. In 2009, related-key attacks on AES-192 and
AES-256 were published; they remain theoretical and do not threaten AES as used in practice.


3.6 Classification Based on Mode of Operation
3.6.1 Substitution Cipher
A substitution cipher replaces each letter in the message with a different letter, in accordance with
some established mapping. A simple example of a substitution cipher is the Caesar cipher,
sometimes called a shift cipher. In this approach, each letter is replaced with the letter some fixed
number of positions later in the alphabet.

3.6.2 Transposition Cipher


A transposition cipher is a cryptographic algorithm in which the order of the letters in the plaintext
is rearranged to form the ciphertext; the letters themselves are left unchanged. In other words, a
transposition cipher encrypts a plaintext by shifting the positions held by the units of the plaintext
(which are commonly characters or groups of characters) according to a regular system, so that
the ciphertext constitutes a permutation of the plaintext.
For a cryptographic system (K, M, C, E, D) to be useful, the following properties are required:

1. For any key $K \in \mathcal{K}$ and plaintext $M \in \mathcal{M}$, computing $E_K(M)$ should be easy.

2. For any key $K \in \mathcal{K}$ and ciphertext $C \in \mathcal{C}$, it must be easy to compute $D_K(C)$.

3. Given one or more ciphertexts $C_1, C_2, \dots, C_n \in \mathcal{C}$ encrypted using the key $K \in \mathcal{K}$,
computing any of the corresponding plaintexts $D_K(C_1), D_K(C_2), \dots, D_K(C_n)$ without
knowledge of the key should be very difficult. This is security against ciphertext-only attack.

4. Given one or more pairs of plaintext and ciphertext $(M_1, C_1), (M_2, C_2), \dots, (M_n, C_n)$,
decrypting any ciphertext C not among the given pairs without knowledge of K must be difficult.
This is security against known-plaintext attack and, when the attacker may choose the $M_i$,
against chosen-plaintext attack.

3.7 Kerckhoffs's Principle for Cryptosystems


In the 19th century, the Dutch cryptographer Auguste Kerckhoffs set out the requirements of a good
cryptosystem. Kerckhoffs stated that a cryptographic system should be secure even if everything
about the system, except the key, is public knowledge. He suggested six design principles for a
good cryptosystem:

• The cryptosystem should be unbreakable practically, if not mathematically.

• The system must not require secrecy: it should be able to fall into the hands of an intruder
without compromising the messages or inconveniencing the users.

• The key should be easily communicable, memorable, and changeable.

• The ciphertext should be transmissible by telegraph, an insecure channel.

• The encryption apparatus and documents should be portable and operable by a single person.

• The system should be easy to use, requiring neither mental strain nor the knowledge of a long
series of rules to observe.

The second rule is what is now known as Kerckhoffs's principle. It is applied in virtually all
contemporary encryption algorithms, such as the Data Encryption Standard (DES) and the Advanced
Encryption Standard (AES). These algorithms are fully public and have been analysed openly for
years; the security of an encrypted message depends solely on the secrecy of the key.
Keeping an algorithm secret may act as an additional barrier to cryptanalysis. However, keeping
an algorithm secret is possible only when it is used within a strictly limited circle.
In the modern era, cryptography needs to cater to users who are connected to the Internet. In such
cases, using a secret algorithm is not feasible, hence Kerckhoffs's principle has become an essential
guideline for designing algorithms in modern cryptography.

3.8 Cryptanalysis
There are four general types of cryptanalytic attacks on cryptosystems. Of course, each of them
assumes that the cryptanalyst has complete knowledge of the encryption algorithm used.

3.8.1 Ciphertext Only Attack


The cryptanalyst has the ciphertext of several messages, all of which have been encrypted using the
same encryption algorithm. The cryptanalyst intends to recover the plaintext of as many messages
as possible, or better yet to deduce the key (or keys) used to encrypt the messages, in order to
decrypt other messages encrypted with the same keys.
Given:
$C_1 = E_k(P_1),\ C_2 = E_k(P_2),\ \dots,\ C_n = E_k(P_n)$,
deduce either $P_1, P_2, \dots, P_n$; or k; or an algorithm to infer $P_{n+1}$ from
$C_{n+1} = E_k(P_{n+1})$.

3.8.2 Known Plaintext Attack


The cryptanalyst has access not only to the ciphertext of several messages, but also to the plaintext
of those messages. He is required to deduce the key(s) used to encrypt the messages or an algorithm
to decrypt any new messages encrypted with the same key(s). Given:
$P_1, C_1 = E_k(P_1);\ P_2, C_2 = E_k(P_2);\ \dots;\ P_n, C_n = E_k(P_n),$ (17)
deduce either k, or an algorithm to infer $P_{n+1}$ from $C_{n+1} = E_k(P_{n+1})$.

3.8.3 Chosen Plaintext Attack


The cryptanalyst not only has access to the ciphertext and associated plaintext for several messages,
but he also chooses the plaintext that gets encrypted. This is more powerful than a known-plaintext
attack, because the cryptanalyst can choose specific plaintext blocks to encrypt, ones that might
yield more information about the key. His job is to deduce the key(s) used to encrypt the messages
or an algorithm to decrypt any new messages encrypted with the same key(s). Given:
$P_1, C_1 = E_k(P_1);\ P_2, C_2 = E_k(P_2);\ \dots;\ P_n, C_n = E_k(P_n),$ (18)
where the cryptanalyst chooses $P_1, P_2, \dots, P_n$, deduce either k or an algorithm to infer
$P_{n+1}$ from $C_{n+1} = E_k(P_{n+1})$.


3.8.4 Chosen Ciphertext Attack
The cryptanalyst can choose different ciphertexts to be decrypted and has access to the decrypted
plaintext. For example, the cryptanalyst has access to a tamper-proof box that does automatic
decryption. His job is to deduce the key. Given:

$C_1, P_1 = D_k(C_1);\ C_2, P_2 = D_k(C_2);\ \dots;\ C_n, P_n = D_k(C_n),$

deduce k.


4 Cryptographic Protocols
A protocol is a sequence of steps designed to accomplish a task which involves two or more parties.
"Sequence of steps" means that the protocol runs in order, from start to finish: every step must be
executed in turn, and no step can be taken before the previous step is finished. "Designed to
accomplish a task" means that the protocol must achieve something, i.e. yield a result. "Involving
two or more parties" means that at least two entities (people, objects or machines) are required to
complete the protocol; one entity alone does not make a protocol. An entity alone can perform a
series of steps to accomplish a task, but this is not a protocol.
When a protocol employs cryptographic algorithms and/or tools, it is referred to as a cryptographic
protocol. The parties can be friends who trust each other implicitly, or they can be adversaries who
do not trust one another. The whole point of using cryptography in a protocol is to prevent or
detect eavesdropping and cheating.
Cryptographic protocols are used to provide security guarantees for the exchanged data when
multiple parties are communicating in an insecure environment.
A cryptographic protocol is designed to allow secure communication under a given set of
circumstances. The most common examples of cryptographic protocols deployed over the Internet
are the Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS)
protocol.

• Secure Sockets Layer / Transport Layer Security (SSL/TLS): SSL/TLS is the primary
method for protecting HTTP (web) transactions. SSL/TLS usually uses a separate TCP port
number from the unsecured port (443 for HTTPS instead of 80), which the IETF is a little unhappy
about because it consumes twice as many ports; there are solutions to this, such as upgrading a
connection on the existing port with STARTTLS. All versions of SSL, and TLS 1.0 and 1.1, are
now deprecated (RFC 8996); TLS 1.2 or 1.3 should be used.
• Internet Protocol Security (IPsec): IPsec provides encryption and/or authentication at
the IP packet level. However, IPsec is often used in a way that only guarantees the authenticity
of the two communicating hosts, not of the users. As a practical matter, IPsec usually requires
low-level support from the operating system (which not all implement) and an additional
key-management daemon (IKE) that must be configured.
• OpenPGP: OpenPGP, also referred to as PGP (Pretty Good Privacy), is the most widely used
email encryption standard. It is an encryption system for sending encrypted emails and files that
uses both symmetric and asymmetric cryptographic algorithms. OpenPGP allows users to encrypt
their messages and digitally sign them, giving the recipient a stronger assurance of both the
sender's authenticity and the message's integrity. The following can be achieved with OpenPGP:
encrypt/decrypt emails (or files), sign/verify emails (or files), and sign/verify actions. Different
algorithms are available for use with PGP, such as RSA (encryption and signatures) and DSA
(signatures) for the asymmetric operations, AES, 3DES and Twofish for symmetric encryption, and
the SHA family for hashing.
• S/MIME (Secure/Multipurpose Internet Mail Extensions): S/MIME is a widely accepted
protocol for sending digitally signed and encrypted messages. It employs two keys (public and
private), mathematically associated with each other, to provide email security. S/MIME provides
the following services for email messages: encryption, which protects the content of email
messages; and digital signatures, which verify the identity of the sender of an email message.
Because S/MIME uses asymmetric cryptography with a public key infrastructure (PKI), by digitally
signing your emails the intended recipient can verify that the message was actually sent by you and
has not been tampered with or modified. When the email is en route from your computer to the
recipient's device, encryption ensures that an attacker on the wire cannot read the contents of the
message.



Figure 11: SSL Handshake

• Secure Shell (SSH): SSH is a network protocol that gives users, particularly system
administrators, a secure way to access a computer over an unsecured network. The most basic use
of SSH is to connect to a remote host for a terminal session. Its transport layer protocol (RFC 4253)
is widely used to secure connections between clients and servers. It is a method of securing
"remote terminals" over the Internet, and it also includes methods for tunnelling X Window
sessions. It has been extended to support single sign-on and general secure tunnelling of TCP
streams, so it is often used for securing other data streams too (such as CVS access).

– Telnet: Telnet and SSH are network protocols used to access and manage remote systems.
Telnet is an application protocol that lets users communicate with a remote system. It uses a
text-based interface to create a virtual terminal, allowing administrators to access applications on
other devices. Telnet is insecure: no encryption or other protection is applied to the data in
transit, so anything exchanged over Telnet, including passwords, can be read or modified on the
communication path. The vulnerabilities of Telnet were addressed in SSH. While Telnet can only
transfer data as plain text, SSH encrypts traffic in both directions.

– File Transfer Protocol (FTP): FTP is a protocol that was created for the transfer of files
from a remote location to a local computer, or vice versa. FTP is a file transfer protocol, while
SSH is a general secure network protocol. FTP is inherently insecure (credentials and data travel
in the clear), while SSH is designed to be secure. FTP only allows the transfer and management
of files, while SSH supports a wide variety of applications (for example SFTP and SCP for file
transfer).

The SSH handshake process includes:

1. SSH protocol version exchange
2. Key exchange initialization (KEXINIT, algorithm negotiation)
3. Elliptic Curve Diffie-Hellman initialization
4. Elliptic Curve Diffie-Hellman reply
5. New keys

Figure 12: SSH & TCP Handshake. (a) SSH Handshake; (b) TCP Handshake.

SSH can be used to "tunnel" or forward arbitrary Transmission Control Protocol (TCP)
connections while providing security to the communication channel.
Transmission Control Protocol (TCP): TCP is a standard for exchanging data between
different devices in a computer network. TCP (originally defined in RFC 793 in 1981, with its
high-performance extensions in RFC 7323 of 2014, and now consolidated in RFC 9293) allows two
endpoints in a shared computer network to establish a connection that enables a two-way
transmission of data. It determines how network devices exchange data. It is considered a reliable
protocol because any data loss is detected and automatically corrected. TCP itself provides no
confidentiality or authentication; that is the job of protocols such as TLS or SSH running above it.
The connection is established in the following steps:

1. The requesting client sends the server a SYN packet or segment (SYN stands for synchronize)
carrying a random initial sequence number. Sequence numbers allow the receiver to reassemble the
stream in the correct order and without duplicates, and a hard-to-guess initial value makes blind
spoofing of the connection harder.

2. Upon receipt of the segment, the server agrees to the connection by returning a SYN-ACK
packet (ACK stands for acknowledgment) acknowledging the client's sequence number plus 1. It
also transmits its own initial sequence number to the client.
3. The client acknowledges the receipt of the SYN-ACK segment by sending its own ACK packet,
which in this case contains the server's sequence number plus 1. At the same time, the client can
already begin transferring data to the server.

Figure 13: Kerberos Protocol

• Kerberos: Kerberos is a protocol for single sign-on and for authenticating users against a central
authentication and key distribution server. Kerberos works by giving authenticated users
"tickets", granting them access to various services on the network. Kerberos is a primary method
for securing and supporting authentication on a LAN, and for establishing shared secrets. It uses
secret-key cryptography and a trusted third party, the Key Distribution Center (KDC), for
authenticating client-server applications and verifying users' identities. The protocol is
implemented through the following steps, as indicated in Figure 13:

1. The client requests an authentication ticket, the ticket-granting ticket (TGT), from the KDC.
2. The KDC verifies the credentials and sends back an encrypted TGT.
3. The client stores the TGT (when it expires, another one is requested by the local session
manager) and presents it to the ticket-granting service (TGS) whenever it needs access to a service.
4. The TGS sends a service ticket and a valid session key for the service to the client.
5. The client forwards the service ticket, together with an authenticator encrypted under the
session key, to the service as a request for access.
6. The server authenticates the client and eventually grants access.



4.1 Authentication Protocols
• The Needham-Schroeder public-key protocol (Figure 14a) allows two principals to exchange
two secret numbers. Let $K_s$, $K_a$ and $K_b$ be the public keys of the server, principal A and
principal B respectively, and $K_s^{-1}$ the server's signing key. The message exchange goes as
follows:

1. $A \to S : \{A, B\}$
2. $S \to A : \{K_b, B\}_{K_s^{-1}}$
3. $A \to B : \{N_a, A\}_{K_b}$
4. $B \to S : \{B, A\}$
5. $S \to B : \{K_a, A\}_{K_s^{-1}}$
6. $B \to A : \{N_a, N_b\}_{K_a}$
7. $A \to B : \{N_b\}_{K_b}$

It is expected that, initially, both A and B hold S's public key $K_s$, so the principals A and B can
obtain each other's public keys from S (messages 2 and 5 are signed by S). Using the secret nonces
$N_a$ and $N_b$, if, say, B later receives a message $\{M, N_a\}_{K_b}$ then B may deduce that A sent the
message. This deduction is not sound as the protocol stands: Lowe showed in 1995 that an
attacker who runs the protocol with A can relay the messages to B so that B believes it is talking
to A; the fix is to include B's name in message 6, $\{N_a, N_b, B\}_{K_a}$.

• The Kerberos protocol (Figure 14b) establishes a shared key between two principals A and B
with help from an authentication server S. It is based on the shared-key Needham-Schroeder
protocol, one of the earliest protocols in use, but makes use of timestamps as nonces, both to
remove security problems (the replay of old session keys) and to reduce the total number of
messages required. Let $T_a$ and $T_s$ be the timestamps generated by A and S respectively. S
generates a lifetime L.

1. $A \to S : \{A, B\}$
2. $S \to A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3. $A \to B : \{T_s, L, K_{ab}, A\}_{K_{bs}},\ \{A, T_a\}_{K_{ab}}$
4. $B \to A : \{T_a + 1\}_{K_{ab}}$

First, A sends a cleartext message to S stating his desire to communicate with B. The server
responds with an encrypted message containing a timestamp, a lifetime, a session key for A and B,
and a ticket that only B can read. This ticket also contains the timestamp, the lifetime, and the
key. A forwards the ticket to B together with an authenticator (a timestamp encrypted with the
session key). B first decrypts the ticket and checks the timestamp and lifetime. If the ticket has
been created recently enough, he uses the enclosed key to decrypt the authenticator. Then, if the
authenticator's timestamp is recent, he uses the session key to return the timestamp, which A
checks. Once the principals are satisfied, they can proceed to use the session key. These checks
rely on the principals' clocks being loosely synchronised with S's clock.

• The Andrew Secure RPC Handshake (Figure 14c) protocol uses an authentication handshake
between two principals whenever a client binds to a new server. The handshake is intended to
allow a client A to obtain a new session key $K'_{ab}$ from a server B, given that they already share
a key $K_{ab}$.

1. $A \to B : \{A, \{N_a\}_{K_{ab}}\}$
2. $B \to A : \{N_a + 1, N_b\}_{K_{ab}}$
3. $A \to B : \{N_b + 1\}_{K_{ab}}$
4. $B \to A : \{K'_{ab}, N'_b\}_{K_{ab}}$

where $N'_b$ is an initial sequence number to be used in subsequent communication.

• The CCITT X.509 protocol (Figure 14d) is intended for signed and secure communication
between two principals, assuming that each knows the public key of the other. The two-message
and one-message protocols are formed by removing the last one or two messages, respectively.

1. $A \to B : A, \{T_a, N_a, B, X_a, \{Y_a\}_{K_b}\}_{K_a^{-1}}$
2. $B \to A : B, \{T_b, N_b, N_a, X_b, \{Y_b\}_{K_a}\}_{K_b^{-1}}$
3. $A \to B : A, \{N_b\}_{K_a^{-1}}$

where $T_a$ and $T_b$ are timestamps, $N_a$ and $N_b$ are nonces, and $X_a$, $Y_a$, $X_b$ and $Y_b$ are user
data. The protocol ensures the integrity of $X_a$ and $X_b$, assuring the recipient of their origin, and
guarantees the privacy of $Y_a$ and $Y_b$.

• The Otway-Rees protocol: This protocol generates a shared key $K_{AB}$ between two principals
A and B with the help of a server S. The server S shares the keys $K_{AS}$ and $K_{BS}$ with A and B
respectively. Let $N_a$ and $N_b$ be the nonces generated by A and B respectively; the protocol is
described thus:

1. $A \to B : \{M, A, B, \{N_a, M, A, B\}_{K_{AS}}\}$
2. $B \to S : \{M, A, B, \{N_a, M, A, B\}_{K_{AS}}, \{N_b, M, A, B\}_{K_{BS}}\}$
3. $S \to B : \{M, \{N_a, K_{AB}\}_{K_{AS}}, \{N_b, K_{AB}\}_{K_{BS}}\}$
4. $B \to A : \{M, \{N_a, K_{AB}\}_{K_{AS}}\}$

The value M is another random nonce chosen by A. It can be seen that A relies on B to relay
the messages between her and S. At the end of the protocol it is intended that A and B are
both in possession of the shared key $K_{AB}$ and believe it is good for communication with the
other.

4.2 Security Analysis of Cryptographic Protocols


How can we tell if a cryptographic protocol is secure? Phrased another way, how can we be sure
that a given protocol meets a given security goal? Before we can analyze a protocol we need to
choose a model: a collection of assumptions and proof methods.
All communication between honest principals is assumed to pass through the adversary. An
improperly designed cryptographic protocol could be vulnerable to an "active" saboteur, one who
may impersonate another user and may alter, reorder or replay messages. As a protocol might be
compromised in a complex way, informal arguments that assert the security of a protocol are prone
to error. It is thus desirable to have a formal model in which the security issues can be discussed.


Figure 14: Authentication Protocols. (a) Needham-Schroeder Protocol; (b) Kerberos Authentication
Protocol; (c) The Andrew Secure RPC Handshake Protocol; (d) The CCITT X.509 Protocol.

Consider the following protocol. Let X and Y be two parties who want to communicate with each
other, and hence need to establish a key. Let Z be an intruder who wants to intercept the
communication between X and Y. Assuming X wants to send the plaintext M to Y:

1. $X \to Y : \{X, \{M\}_{Y_{pk}}, Y\}$

2. $Y \to X : \{Y, \{M\}_{X_{pk}}, X\}$
This protocol is easy to break by a saboteur Z in the following way:

• Z intercepts the message sent from X to Y in step (1) above.

• $Z \to Y : \{Z, \{M\}_{Y_{pk}}, Y\}$, i.e. Z re-sends the intercepted ciphertext under its own name.

• $Y \to Z : \{Y, \{M\}_{Z_{pk}}, Z\}$, as per step (2) above: Y believes the message came from Z and
re-encrypts M for Z.

• Z decrypts $\{M\}_{Z_{pk}}$ with its own secret key $Z_{sk}$ to find the plaintext M.

One way to overcome the weakness in the above protocol is to bind the name/identity of the
sender to the plaintext inside the encrypted text, so that Y can check that the name inside the
ciphertext matches the claimed sender:

1. $X \to Y : \{X, \{M \| X\}_{Y_{pk}}, Y\}$

2. $Y \to X : \{Y, \{M \| Y\}_{X_{pk}}, X\}$

where $\{M\}_{Y_{pk}}$ means the string M encrypted with $Y_{pk}$, the public key of Y.

The verification of cryptographic (security) protocols has been, and still is, a very active research
area. The need to verify such protocols stems from the following reasons: their design is prone to
errors; security errors are not detected by testing, since they appear only in the presence of an
adversary; and errors can have serious consequences.

Verification models can be formal or computational.


Models of protocols: The Formal Model:
The application of formal methods to cryptographic protocol analysis is the process of employing
automated formal analysis tools, such as theorem provers or model checkers, to the problem of
determining whether an attacker can prevent the protocol from accomplishing one or more of its
security goals.

The formal model or "Dolev-Yao model" is based on the following:

• The cryptographic primitives are black boxes.

• The messages are terms built on these primitives:

→ $\{m\}_k$, encryption of the message m with key k,
→ $\{m_1, m_2\}$, pairing of messages $m_1$ and $m_2$.

• The attacker is restricted to compute only using these primitives: it can split pairs, pair terms,
encrypt under any key it knows, and decrypt only with the matching key:

⇒ perfect cryptography assumption.

This model makes automatic proofs relatively easy. It assumes perfect cryptography. For instance,
shared-key encryption is basically modeled by two function symbols, enc and dec, where enc(x, k)
stands for the encryption of x under key k and dec(x, k) for the decryption of x with key k, with
the equality:
$\mathrm{dec}(\mathrm{enc}(x, k), k) = x.$ (19)
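As an added example (not part of the original notes), a small Dolev-Yao deduction engine in Python that replays the saboteur Z's attack on the two-message protocol of this section and shows that the attack fails once the sender's name is bound into the ciphertext. Terms are nested tuples built from the constructors pair and enc; analyze closes the attacker's knowledge under pair splitting and equation (19), and can_build decides what the attacker can synthesise. The behaviour of the honest responder Y and the attacker's initial knowledge (every public key and its own secret key) are modelling assumptions, and the names responder, analyze, can_build and saboteur_learns_m are mine.

```python
"""Symbolic (Dolev-Yao) analysis of the two-message protocol above and of its corrected form."""


def name(p):
    return ("name", p)


def pk(p):
    return ("pk", p)


def sk(p):
    return ("sk", p)


def enc(m, k):
    return ("enc", m, k)            # {m}_k


def pair(*parts):
    return ("pair",) + parts        # {m1, m2, ...}


def inverse(k):
    """Key that undoes encryption under k: sk for pk, pk for sk, k itself for a shared key."""
    if k[0] == "pk":
        return sk(k[1])
    if k[0] == "sk":
        return pk(k[1])
    return k


def analyze(known):
    """Close the attacker's knowledge under the decomposition rules: split pairs, and
    decrypt {m}_k whenever inverse(k) is known, i.e. dec(enc(x, k), k) = x."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if t[0] == "pair":
                new.update(t[1:])
            elif t[0] == "enc" and inverse(t[2]) in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new


def can_build(known, goal):
    """Synthesis: the attacker can send a known term, a pair of buildable terms,
    or a buildable term encrypted under a buildable key."""
    if goal in known:
        return True
    if goal[0] == "pair":
        return all(can_build(known, p) for p in goal[1:])
    if goal[0] == "enc":
        return can_build(known, goal[1]) and can_build(known, goal[2])
    return False


def responder(me, msg, bind_name):
    """Honest Y's step 2 (modelling assumption). Expects (sender, {body}_{Y_pk}, Y).
    Original protocol: reply (Y, {body}_{sender_pk}, sender).
    Corrected protocol (bind_name): body must be (m, sender); reply (Y, {m, Y}_{sender_pk}, sender)."""
    _, sender, cipher, recipient = msg
    if recipient != name(me) or cipher[0] != "enc" or cipher[2] != pk(me):
        return None
    body = cipher[1]                                   # Y decrypts with its own secret key
    if not bind_name:
        return pair(name(me), enc(body, pk(sender[1])), sender)
    if body[0] != "pair" or body[2] != sender:
        return None                                    # name inside the ciphertext is not the claimed sender
    return pair(name(me), enc(pair(body[1], name(me)), pk(sender[1])), sender)


def saboteur_learns_m(bind_name):
    """Replay Z's attack from the notes and report whether Z ends up able to derive M."""
    X, Y, Z, M = name("X"), name("Y"), name("Z"), ("data", "M")
    known = {X, Y, Z, pk("X"), pk("Y"), pk("Z"), sk("Z")}   # assumed: all public keys, own secret key
    body = pair(M, X) if bind_name else M
    msg1 = pair(X, enc(body, pk("Y")), Y)                   # step 1, intercepted by Z
    known = analyze(known | {msg1})
    forged = pair(Z, enc(body, pk("Y")), Y)                 # Z re-addresses the ciphertext as its own
    assert can_build(known, forged)                         # the ciphertext is reusable as-is
    reply = responder("Y", forged, bind_name)               # Y answers Z, or rejects the message
    if reply is not None:
        known = analyze(known | {reply})
    return can_build(known, M)


if __name__ == "__main__":
    print("original protocol, Z derives M:", saboteur_learns_m(bind_name=False))
    print("sender bound into ciphertext, Z derives M:", saboteur_learns_m(bind_name=True))
```

The attacker never breaks any cryptography: under the perfect cryptography assumption it only re-addresses a ciphertext it cannot read and lets the honest responder decrypt it. That is exactly the class of flaw tools such as ProVerif search for automatically, by exploring every such interleaving rather than the single one scripted here.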
Models of protocols: The Computational Model:
The computational model has been developed at the beginning of the 1980’s by Goldwasser, Micali,
Rivest, Yao, and others. It is based on the following:

• The messages are bitstrings.

• The cryptographic primitives are functions on bitstrings.

• The attacker is any probabilistic (polynomial-time) Turing machine.

This model is much more realistic than the formal model, but until recently proofs were only
manual. In this model, the length of keys is determined by a value named security parameter, and
the runtime of the adversary is supposed to be polynomial in the security parameter. A security
property is considered to hold when the probability that it does not hold is negligible in the security
parameter.



4.2.1 Tools for Formal Protocol Verification
Formal verification methods, and the corresponding front-end tools, provide a systematic way
to assess the correctness of protocols, processes and systems. Their main difference compared to
simulation methods and tools is that instead of examining only a limited area of the operational
space of the system under consideration, they examine the whole state space of possible
operations and conditions under which the system may operate. This means that all possible
combinations of inputs and actions can be taken into account and, therefore, all possible outputs
can be derived. One of the advantages of formal verification methods is that they are capable of
capturing conditions and operations that may otherwise remain unnoticed, even after a very large
number of simulation runs. The following are some of the formal verification tools used:

• ProVerif: Protocol Verifier

• AVISPA: Automated Validation of Internet Security Protocols and Applications

• CAPSL: Common Authentication Protocol Specification Language

4.3 The BAN Logic


In so many distributed systems, the basis of their security is the authentication protocols used. For
the security to be established, the functions of the protocols have to be analyzed. A simple
logic developed by Michael Burrows, Martin Abadi and Roger Needham (BAN) allows us to
describe the beliefs of trustworthy parties involved in authentication protocols and the evolution
of these beliefs as a consequence of communication. This is a verification approach based on the
belief-based approach.
The BAN logic is used to evaluate whether an authentication protocol works correctly. The
BAN logic has been used to analyse a number of protocols which includes: Kerberos, the Andrew
Secure RPC Handshake, the CCITT X.509 Protocol etc.
A formalism was built on a many-sorted modal logic. In the logic we distinguish several sorts of
objects: principals, encryption keys, and formulas (also called statements). We identify messages
with statements in the logic. Typically, the symbols A, B, and S denote specific principals; $K_{ab}$,
$K_{as}$, and $K_{bs}$ denote specific shared keys; $K_a$, $K_b$, and $K_s$ denote specific public keys, and $K_a^{-1}$,
$K_b^{-1}$, and $K_s^{-1}$ denote the corresponding secret keys; and $N$, $N_b$, and $N_c$ denote specific statements.
The symbols P, Q, and R range over principals; X and Y range over statements; and K ranges
over encryption keys.
The BAN (Burrows, Abadi, and Needham) logic is a formal security analysis method used by
many researchers to verify mutual authentication. The BAN logic is a modal logic of belief. It has
several modal operators including:

• $P \mid\equiv X$ (P believes X): P is entitled to act as though X is true.

• $A \triangleleft X$ (A sees X): someone has sent a message containing X to A.

• $A \mid\sim K$ (A once said K): A used key K.

• $A \mid\sim X$ (A once said X): A uttered a message containing X.

• $A \Rightarrow X$ (A has jurisdiction over X): A is an authority on X and can be trusted on X.

• $A \stackrel{K}{\leftrightarrow} B$ (A and B share key K): A and B can use key K to communicate. The key is
unknown to anyone else.

• $\#X$ (X is fresh): X has not been sent before in any run of the protocol.

• $\stackrel{K}{\mapsto} B$ (B has public key K): B has a published public key K and corresponding private key
$K^{-1}$.

• $A \stackrel{X}{\rightleftharpoons} B$ (A and B share secret X): X is a secret known only to A, B and possibly some trusted
associates.

• $\{X\}_K$: the formula X encrypted under the key K.

• $\langle X \rangle_Y$: X combined with the secret formula Y. The possession of Y proves the
identity of whoever utters $\langle X \rangle_Y$.

4.3.1 The BAN Logic Rules


There are numerous rules of inference for manipulating the protocol to generate a set of beliefs.

• Message meaning (MM): If A believes $A \stackrel{K}{\leftrightarrow} B$ and A sees $\{X\}_K$, then A believes B
said X.

  $\dfrac{A \mid\equiv (A \stackrel{K}{\leftrightarrow} B),\quad A \triangleleft \{X\}_K}{A \mid\equiv (B \mid\sim X)}$ (20)

• Nonce verification (NV): If A believes X is fresh and A believes B once said X, then A
believes B believes X.

  $\dfrac{A \mid\equiv \#(X),\quad A \mid\equiv (B \mid\sim X)}{A \mid\equiv (B \mid\equiv X)}$ (21)

• Jurisdiction (JR): If A believes B has jurisdiction over X and A believes B believes X,
then A believes X.

  $\dfrac{A \mid\equiv (B \Rightarrow X),\quad A \mid\equiv (B \mid\equiv X)}{A \mid\equiv X}$ (22)

• Freshness meaning (FM): The freshness rule states that any message with a fresh component
is also fresh.

  $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$

If one part of a formula is fresh, then the entire formula must also be fresh.

• Belief Rule (BR): A principal believes a collection of statements iff he believes each
component of the statements.

  $\dfrac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)}$

• Seeing Rule: A principal sees all components of every message it sees, assuming it believes
the necessary decryption key is a good key.

  $\dfrac{P \triangleleft (X, Y)}{P \triangleleft X},\qquad \dfrac{P \triangleleft \langle X \rangle_Y}{P \triangleleft X},\qquad \dfrac{P \mid\equiv (Q \stackrel{K}{\leftrightarrow} P),\quad P \triangleleft \{X\}_K}{P \triangleleft X}$



Idealization:
Idealization tries to turn the message sent into its intended semantics. It is a procedure to get
from protocol steps to logical inferences. A message in the idealized protocol is a formula. Given
the protocol step:

  $A \rightarrow B : \{A, K_{ab}\}_{K_{bs}}$ (23)

A sends to B, who uses his secret key $K_{bs}$ to unlock the message $\{A, K_{ab}\}$, which contains the key
$K_{ab}$ to be used in communicating between them. This can be expressed in idealized form as:

  $A \rightarrow B : \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$ (24)

B knows the key $K_{bs}$, and A and B communicate through the shared key $K_{ab}$. Idealized messages
are of the form: $\{X\}_{K_1}, \{X\}_{K_2}, \cdots, \{X\}_{K_n}$.
In BAN logic, idealization is meant to omit parts of the message that do not contribute to the
beliefs of the recipients. In BAN all plaintext is omitted since it can be forged.

4.3.2 BAN Security Analysis


• The Needham-Schroeder Protocol: The idealized protocol is given thus:

  1. $S \rightarrow A : \{\stackrel{K_b}{\mapsto} B\}_{K_s^{-1}}$
  2. $A \rightarrow B : \{N_a\}_{K_b}$
  3. $S \rightarrow B : \{\stackrel{K_a}{\mapsto} A\}_{K_s^{-1}}$
  4. $B \rightarrow A : \{\langle A \stackrel{N_b}{\rightleftharpoons} B \rangle_{N_a}\}_{K_a}$
  5. $A \rightarrow B : \{\langle A \stackrel{N_a}{\rightleftharpoons} B \rangle_{N_b}\}_{K_b}$

  The assumptions of the idealized version are given in Table 8: each principal knows the public
  key of the certification agent S, as well as his own keys. In addition, S knows the public keys
  of A and B. Each principal trusts the certification agent to correctly sign certificates giving
  the public key of the other.

  $A \mid\equiv (\stackrel{K_a}{\mapsto} A)$                        $B \mid\equiv (\stackrel{K_b}{\mapsto} B)$
  $A \mid\equiv (\stackrel{K_s}{\mapsto} S)$                        $B \mid\equiv (\stackrel{K_s}{\mapsto} S)$
  $S \mid\equiv (\stackrel{K_a}{\mapsto} A)$                        $S \mid\equiv (\stackrel{K_b}{\mapsto} B)$
  $S \mid\equiv (\stackrel{K_s}{\mapsto} S)$
  $A \mid\equiv S \Rightarrow (\stackrel{K}{\mapsto} B)$            $B \mid\equiv S \Rightarrow (\stackrel{K}{\mapsto} A)$
  $A \mid\equiv \#(N_a)$                                           $B \mid\equiv \#(N_b)$
  $A \mid\equiv (A \stackrel{N_a}{\leftrightarrow} B)$              $B \mid\equiv (A \stackrel{N_b}{\leftrightarrow} B)$
  $A \mid\equiv \#(\stackrel{K_b}{\mapsto} B)$                      $B \mid\equiv \#(\stackrel{K_a}{\mapsto} A)$
  $A \mid\equiv (\stackrel{K_b}{\mapsto} B)$                        $B \mid\equiv (\stackrel{K_a}{\mapsto} A)$
  $A \mid\equiv B \mid\equiv (A \stackrel{N_b}{\rightleftharpoons} B)$   $B \mid\equiv A \mid\equiv (A \stackrel{N_a}{\rightleftharpoons} B)$

  Table 8: Needham - Schroeder



A weakness in the protocol permits a replay attack in the interactions with the certification
authority if a key is compromised, as in the shared-key Needham-Schroeder protocol.

• The Kerberos Protocol: The Kerberos protocol is idealized as follows:

  2. $S \rightarrow A : \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B, \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$
  3. $A \rightarrow B : \{T_s, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}},\ \{T_a, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$
  4. $B \rightarrow A : \{T_a, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{ab}}$

  The first message is omitted, since it does not contribute to the logical properties of the
  protocol. The lifetime L has been combined with the time stamp $T_s$, which is treated just like
  a nonce. To analyze this protocol, we consider the assumptions in Table 9:

  A believes $A \stackrel{K_{as}}{\leftrightarrow} S$: $(A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S)$        B believes $B \stackrel{K_{bs}}{\leftrightarrow} S$: $(B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S)$
  S believes $A \stackrel{K_{as}}{\leftrightarrow} S$: $(S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S)$        S believes $B \stackrel{K_{bs}}{\leftrightarrow} S$: $(S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S)$
  S believes $A \stackrel{K_{ab}}{\leftrightarrow} B$: $(S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B)$        B believes (S controls $A \stackrel{K}{\leftrightarrow} B$): $(B \mid\equiv S \Rightarrow (A \stackrel{K}{\leftrightarrow} B))$
  A believes (S controls $A \stackrel{K}{\leftrightarrow} B$): $(A \mid\equiv S \Rightarrow (A \stackrel{K}{\leftrightarrow} B))$        B believes Fresh($T_s$): $(B \mid\equiv \#(T_s))$
  A believes Fresh($T_s$): $(A \mid\equiv \#(T_s))$        B believes Fresh($T_a$): $(B \mid\equiv \#(T_a))$

  Table 9: Kerberos
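As an added example that is not part of the original notes, the following is a small forward-chaining checker for the rules of 4.3.1 (MM, NV, JR, FM, BR and the seeing rule), run on messages 2 and 3 of the idealized Kerberos protocol with the assumptions of Table 9; the tuple encoding of the formulas and the helper names (`bel`, `sees`, `said`, `ctrl`, `key`) are this example's own.

```python
# Added example (not the notes' code): a tiny BAN-logic fixpoint engine.
# Formula encoding (constructed here): ('bel', P, X) is P |≡ X, ('sees', P, X)
# is P ◁ X, ('said', P, X) is P |~ X, ('ctrl', P, X) is P ⇒ X, ('fresh', X) is
# #(X), ('key', K, A, B) is A <-K-> B, ('enc', X, K) is {X}_K, ('pair', ...) is (X, Y).

def key(k, a, b):
    """A <-K-> B, stored with the principals sorted so the statement is symmetric."""
    return ('key', k) + tuple(sorted((a, b)))

def pair(*xs):    return ('pair',) + xs
def enc(x, k):    return ('enc', x, k)
def bel(p, x):    return ('bel', p, x)
def sees(p, x):   return ('sees', p, x)
def said(p, x):   return ('said', p, x)
def ctrl(p, x):   return ('ctrl', p, x)
def fresh(x):     return ('fresh', x)

def believes_fresh(p, x, facts):
    """FM applied on demand: X is fresh to P if P believes #(X) or, for a pair,
    P believes some component of it is fresh."""
    if bel(p, fresh(x)) in facts:
        return True
    return isinstance(x, tuple) and x[0] == 'pair' and any(
        believes_fresh(p, c, facts) for c in x[1:])

def shared_key_peer(p, k, facts):
    """Return Q if P believes Q <-K-> P for the key name k, else None."""
    for f in facts:
        if f[0] == 'bel' and f[1] == p and isinstance(f[2], tuple) \
                and f[2][0] == 'key' and f[2][1] == k and p in f[2][2:]:
            return next(n for n in f[2][2:] if n != p)
    return None

def step(f, facts):
    """Statements that one rule application derives from the fact f."""
    out, p, x = set(), f[1], f[2]
    kind = x[0] if isinstance(x, tuple) else None
    if f[0] == 'sees':
        if kind == 'pair':                          # seeing: P ◁ (X, Y) ⊢ P ◁ X, P ◁ Y
            out.update(sees(p, c) for c in x[1:])
        elif kind == 'enc':
            q = shared_key_peer(p, x[2], facts)
            if q is not None:                       # P |≡ Q <-K-> P, P ◁ {X}_K
                out.add(sees(p, x[1]))              #   ⊢ P ◁ X         (seeing)
                out.add(bel(p, said(q, x[1])))      #   ⊢ P |≡ Q |~ X   (MM)
    elif f[0] == 'bel':
        if kind == 'pair':                          # BR: P |≡ (X, Y) ⊢ P |≡ X, P |≡ Y
            out.update(bel(p, c) for c in x[1:])
        elif kind == 'said' and believes_fresh(p, x[2], facts):
            out.add(bel(p, bel(x[1], x[2])))        # NV: P |≡ #(X), P |≡ Q |~ X ⊢ P |≡ Q |≡ X
        elif kind == 'bel':
            q, y = x[1], x[2]
            if isinstance(y, tuple) and y[0] == 'pair':   # BR under a belief
                out.update(bel(p, bel(q, c)) for c in y[1:])
            if bel(p, ctrl(q, y)) in facts:         # JR: P |≡ Q ⇒ X, P |≡ Q |≡ X ⊢ P |≡ X
                out.add(bel(p, y))
    return out

def derive(assumptions, limit=100):
    """Apply the rules until no new statement appears (the least fixpoint)."""
    facts = set(assumptions)
    for _ in range(limit):
        new = set().union(*(step(f, facts) for f in facts)) - facts
        if not new:
            return facts
        facts |= new
    raise RuntimeError('no fixpoint reached')

KAB = key('Kab', 'A', 'B')
KERBEROS_ASSUMPTIONS = {                            # Table 9
    bel('A', key('Kas', 'A', 'S')), bel('B', key('Kbs', 'B', 'S')),
    bel('S', key('Kas', 'A', 'S')), bel('S', key('Kbs', 'B', 'S')),
    bel('S', KAB), bel('A', ctrl('S', KAB)), bel('B', ctrl('S', KAB)),
    bel('A', fresh('Ts')), bel('B', fresh('Ts')), bel('B', fresh('Ta')),
}
TICKET = enc(pair('Ts', KAB), 'Kbs')
KERBEROS_MESSAGES = {                               # what each recipient sees
    sees('A', enc(pair('Ts', KAB, TICKET), 'Kas')),          # 2. S -> A
    sees('B', pair(TICKET, enc(pair('Ta', KAB), 'Kab'))),    # 3. A -> B
}

def kerberos_beliefs():
    return derive(KERBEROS_ASSUMPTIONS | KERBEROS_MESSAGES)

if __name__ == '__main__':
    facts = kerberos_beliefs()
    for goal in (bel('A', KAB), bel('B', KAB), bel('B', bel('A', KAB))):
        print(goal, '->', goal in facts)
```

With messages 2 and 3 the engine derives $A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$, $B \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$ and $B \mid\equiv A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$; the symmetric belief of A about B needs message 4, which is not fed in here.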

• The Andrew Secure RPC Handshake: The protocol is idealized as follows:

  1. $A \rightarrow B : \{N_a\}_{K_{ab}}$
  2. $B \rightarrow A : \{N_a, N_b\}_{K_{ab}}$
  3. $A \rightarrow B : \{N_b\}_{K_{ab}}$
  4. $B \rightarrow A : \{A \stackrel{K'_{ab}}{\leftrightarrow} B, N'_b\}_{K_{ab}}$

  The protocol is analyzed in Table 10:

  $A \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$                  $B \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$
  $A \mid\equiv B \Rightarrow (A \stackrel{K}{\leftrightarrow} B)$        $B \mid\equiv A \stackrel{K'_{ab}}{\leftrightarrow} B$
  $A \mid\equiv \#(N_a)$                                                $B \mid\equiv \#(N_b)$
                                                                        $B \mid\equiv \#(N'_b)$

  Table 10: The RPC

• The CCITT X.509 Protocol: The idealized version is given as:

  1. $A \rightarrow B : \{T_a, N_a, X_a, \{Y_a\}_{K_b}\}_{K_a^{-1}}$
  2. $B \rightarrow A : \{T_b, N_b, N_a, X_b, \{Y_b\}_{K_a}\}_{K_b^{-1}}$
  3. $\{N_b\}_{K_a^{-1}}$

  and analyzed in Table 11:

  $A \mid\equiv (\stackrel{K_a}{\mapsto} A)$        $B \mid\equiv (\stackrel{K_b}{\mapsto} B)$
  $A \mid\equiv (\stackrel{K_b}{\mapsto} B)$        $B \mid\equiv (\stackrel{K_a}{\mapsto} A)$
  $A \mid\equiv \#(N_a)$                           $B \mid\equiv \#(N_b)$
  $A \mid\equiv \#(T_b)$                           $B \mid\equiv \#(T_a)$
  $A \mid\equiv B \mid\equiv X_b$                  $B \mid\equiv A \mid\equiv X_a$

  Table 11: The CCITT X.509

• The Otway-Rees Protocol: Let the three nonces M, $N_a$ and $N_b$ be collapsed into the nonce
N. The idealized version of the protocol will thus be:

  1. $A \rightarrow B : \{N_a, N\}_{K_{as}}$
  2. $B \rightarrow S : \{\{N_a, N\}_{K_{as}}, \{N_b, N\}_{K_{bs}}\}$
  3. $S \rightarrow B : \{\{N_a, (A \stackrel{K_{ab}}{\leftrightarrow} B), (B \mid\sim N)\}_{K_{as}}, \{N_b, (A \stackrel{K_{ab}}{\leftrightarrow} B), (A \mid\sim N)\}_{K_{bs}}\}$
  4. $B \rightarrow A : \{\{N_a, (A \stackrel{K_{ab}}{\leftrightarrow} B), (B \mid\sim N)\}_{K_{as}}\}$

All descriptions are as defined in the BAN logic notations.

We can make the following interpretation of the precise actions of S:

(a) S uses the cleartext identifiers (M, A, B) to choose keys to decrypt the two messages received.
(b) S checks that the fields containing (M, A, B) are the same in both messages.
(c) S encrypts the new key and the respective random numbers using the same keys used in step (a).
If these are the only checks S does, then an adversary C could do the following using his nonce $N_c$ in
step (2) of the protocol:

  2. $C \rightarrow S : \{M, A, C, \{N_a, M, A, B\}_{K_{as}}, \{N_c, M, A, B\}_{K_{cs}}\}$

By following the steps performed by S it can easily be seen that the message will be found correct
by S and, furthermore, that C will get the session key $K_{ab}$ encrypted with the key he shares with S,
$K_{cs}$.



5 Key Agreement Schemes
A key agreement scheme (KAS) is a scheme that gives two users the opportunity to establish a
new session key through an interactive protocol which does not require the active participation of
a trusted authority (TA). The public key $K_{pub}$ is computed using some key generation algorithm
from the private key $K_{priv}$. For each pair $(K_{pub}, K_{priv})$, there is an encryption algorithm $E_{K_{pub}}$ and
the corresponding decryption algorithm $D_{K_{priv}}$. The encryption algorithm $E_{K_{pub}}$ corresponding to
$K_{pub}$ is made public, and $D_{K_{priv}}$ should be easily computable for anyone who knows $K_{priv}$. The
private key $K_{priv}$ is said to be the trapdoor information for the function $E_{K_{pub}}$: without it, it is
hard to compute the inverse of $E_{K_{pub}}$. The development of a practical
public-key scheme depends on the discovery of a suitable trapdoor one-way function.

(a) PKC-Encryption (b) PKC-Authentication

Figure 15: Public Key Cryptography

The main difficulty with the conventional (private key) systems is key distribution: how to
get the sender and receiver the same secret key. In general, doing this is either very expensive or
impossible. This problem is solved through the use of PKC in the procedure described in Figure 15a.
In situations where two parties want to communicate in secret and are unknown to each other
(say a business and a new customer) there is no easy way to verify the identities of each party
to each other. This is known as the authentication problem, and what is needed is a means of
providing a verifiable digital signature. This can be achieved by PKC as illustrated in Figure
15b.
The security of most common public-key algorithms relies on the immense difficulty of solving
one of these three computational problems:

• The discrete logarithm problem

• The integer factorization problem

• The elliptic-curve discrete logarithm problem

5.1 Discrete Logarithms and Diffie Hellman


The cryptosystems presented below all depend on computational problems. Those which, according
to the current state of the art, are computationally difficult (i.e. at the moment there are no fast
algorithms to solve them) are considered to be secure. One such computational problem is the
discrete logarithm problem (DLP).



5.1.1 Discrete Logarithm Problem
Recall that, given a large prime p, there exists a primitive element g such that every non-zero element
of $F_p$ is some power of g. By Fermat's little theorem, we have $g^{p-1} \equiv 1 \pmod p$, and
that
  $1, g, g^2, \ldots, g^{p-2} \in F_p^*$.

Theorem 10. Let g be a primitive root for $F_p$ and let h be a non-zero element of $F_p$. The discrete
logarithm problem (DLP) is the problem of finding an exponent x such that

  $g^x \equiv h \pmod p$.

The number x is called the discrete logarithm of h to the base g and is denoted by $\log_g(h)$.

5.1.2 Diffie-Hellman Key Exchange


In 1976 Whitfield Diffie and Martin Hellman achieved great success in developing the conceptual
framework. For conventional encryption the same key is used for encryption and decryption. This
is not a necessary condition. Instead it is possible to develop a cryptographic system that relies on
one key for encryption and a different but related key for decryption.
The Diffie-Hellman key exchange was one of the most important developments in public-key
cryptography and it is still frequently implemented in a range of today's different security protocols.
It allows two parties who have not previously met to securely establish a key which they can use
to secure their communications. It was the first widely used method of safely developing and
exchanging keys over an insecure channel.
The protocol can be implemented in a number of different ways, and it has also provided the
basis for several other algorithms. Some of these implementations provide authorization, while
others have various cryptographic features such as perfect forward secrecy (generating a unique
session key for every user-initiated session).
Elliptic-curve Diffie-Hellman: Elliptic-curve Diffie-Hellman takes advantage of the algebraic
structure of elliptic curves to allow its implementations to achieve a similar level of security with a
smaller key size. A 224-bit elliptic-curve key provides the same level of security as a 2048-bit RSA
key. This can make exchanges more efficient and reduce the storage requirements.
Apart from the smaller key length and the fact that it relies on the properties of elliptic curves,
elliptic-curve Diffie-Hellman operates in a similar manner to the standard Diffie-Hellman key
exchange.
Transport Layer Security (TLS): TLS uses the Diffie-Hellman exchange in three different
ways: anonymous, static and ephemeral. In practice, only ephemeral Diffie-Hellman should be
implemented, because the other options have security issues.

• Anonymous Diffie-Hellman – This version of the Diffie-Hellman key exchange does not use
any authentication and is therefore vulnerable to man-in-the-middle attacks. It should not be
used or implemented.

• Static Diffie-Hellman – This version uses certificates to authenticate the server, leaving the
client unauthenticated by default. It does not provide forward secrecy.

• Ephemeral Diffie-Hellman – This is considered the most secure implementation because
it provides perfect forward secrecy. It is generally combined with an algorithm such as the digital
signature algorithm (DSA) or RSA to authenticate one or both of the parties in the connection.
Ephemeral Diffie-Hellman uses different key pairs each time the protocol is run. This gives
the connection perfect forward secrecy, because even if a key is compromised in the future, it
can't be used to decrypt all of the past messages.
• ElGamal - is a public-key algorithm built on top of the Diffie-Hellman key exchange. Like
Diffie-Hellman, it contains no provisions for authentication on its own, and is generally com-
bined with other mechanisms for this purpose.
Alice and Bob want to share a secret key for use in a symmetric cipher through an insecure
channel. This channel is constantly observed by Eve. This appears to be an impossible task; it
was made possible by Diffie and Hellman, using the intractability of the DLP. It
is done through the following steps:
• Alice and Bob agree on a large prime p and a non-zero integer g (mod p), which are made
public.
• Alice picks a secret integer a that she does not share with anyone. Bob picks his own integer b,
which he keeps secret too. They both use their secret integers to compute:
  Alice computes: $A \equiv g^a \pmod p$, Bob computes: $B \equiv g^b \pmod p$.
Alice sends A to Bob and Bob sends B to Alice. Eve sees these values since they are sent
through an insecure channel.
• They both use their secret integers to compute
  Alice computes: $A' \equiv B^a \pmod p$, Bob computes: $B' \equiv A^b \pmod p$.

• These values $A'$ and $B'$ are their common secret key (exchanged key) since:
  $A' \equiv B^a \equiv (g^b)^a \equiv g^{ba} \equiv g^{ab} \equiv (g^a)^b \equiv A^b \equiv B' \pmod p$.
Alice and Bob have successfully exchanged a secret key which Eve cannot compute since she
does not know a or b.
Assume Alice and Bob agree on the prime p = 941 and the primitive root g = 627. Alice chooses
a = 347 and Bob chooses b = 781 as the secret integers, and they both compute:
  $A \equiv 627^{347} \equiv 390 \pmod{941}$ and $B \equiv 627^{781} \equiv 691 \pmod{941}$,
giving A = 390 and B = 691. They both compute:
  $A' \equiv B^a \equiv 691^{347} \equiv 470 \pmod{941}$ and $B' \equiv A^b \equiv 390^{781} \equiv 470 \pmod{941}$,
which yields $A' = B' = 470$ as their shared key.
If Eve is able to solve either of the equations
  $627^a \equiv 390 \pmod{941}$ or $627^b \equiv 691 \pmod{941}$
then she can reconstitute Alice's and Bob's shared key. The security of Alice and Bob's shared key
is given in the following definition.
Definition 19. Let p be a prime number and g an integer. The Diffie-Hellman Problem (DHP)
is the problem of computing the value of $g^{ab} \pmod p$ from the known values of $g^a \pmod p$ and
$g^b \pmod p$.
In real-life situations, p is chosen of the order $p \approx 2^{1000}$ (1000 bits) and g a prime of the order
$g \approx p/2$.



5.2 The El-Gamal Public Key Cryptosystem
The El-Gamal public key encryption algorithm is based on the DLP and is closely related to the
Diffie-Hellman key exchange. It is achieved through the following steps:
• Alice chooses a secret number a that serves as her private key and computes the quantity

  $A \equiv g^a \pmod p$,

which she publishes on her website.


• Suppose Bob wants to send Alice the message $2 \le M < p$. He randomly chooses a number
$k \pmod p$ as a key which will be used only once (an ephemeral key). Bob uses the ephemeral
key k and the message M to compute

  $C_1 \equiv g^k \pmod p$ and $C_2 \equiv M A^k \pmod p$.

Bob sends the pair $(C_1, C_2)$ to Alice as his ciphertext.


• Alice computes:
  $x \equiv C_1^a \pmod p$
and hence determines $x^{-1}$. The message M is determined from $M = x^{-1} \cdot C_2$.
• This works because:
  $x^{-1} \cdot C_2 \equiv (C_1^a)^{-1} \cdot C_2 \pmod p$
  $\equiv (g^{ak})^{-1} \cdot (M A^k) \pmod p$
  $\equiv (g^{ak})^{-1} \cdot (M (g^a)^k) \pmod p$
  $\equiv M \pmod p$.

The message M is therefore recovered.


Suppose Alice chooses the prime p = 467 and the primitive root g = 2. She chooses a = 153 as her
private key and computes her public key

  $A \equiv g^a \equiv 2^{153} \equiv 224 \pmod{467}$

and she publishes A. Bob decides to send Alice the message M = 331. He chooses an ephemeral
key k = 197 and computes the quantities

  $C_1 \equiv 2^{197} \equiv 87 \pmod{467}$ and $C_2 \equiv 331 \cdot 224^{197} \equiv 57 \pmod{467}$

and sends the pair $(C_1, C_2) = (87, 57)$ as his ciphertext. With her knowledge of a = 153, Alice
computes
  $x \equiv C_1^a \equiv 87^{153} \equiv 367 \pmod{467}$ and $x^{-1} \equiv 14 \pmod{467}$.
She finally computes
  $C_2 \cdot x^{-1} \equiv 57 \cdot 14 \equiv 331 \pmod{467}$.
Thus, anyone who wants to decrypt El-Gamal ciphertext must be ready to solve the DHP.
ElGamal was mainly used in PGP, GNU Privacy Guard and other systems because its main
rival, RSA, was patented. RSA's patent expired in 2000, which allowed it to be implemented freely
after that date. Since then, ElGamal has not been implemented as frequently.
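As an added example (not the notes' own code), the Diffie-Hellman exchange of 5.1.2 and the El-Gamal encryption of 5.2 run with the parameters used in the notes (p = 941, g = 627, a = 347, b = 781; and p = 467, g = 2, a = 153, M = 331, k = 197), together with the exhaustive search Eve is reduced to at such toy sizes.

```python
# Added example, not from the original notes: Diffie-Hellman and El-Gamal
# over F_p with Python's built-in modular exponentiation.

def dh_public(p, g, secret):
    """A ≡ g^a (mod p): the value sent over the insecure channel."""
    return pow(g, secret, p)

def dh_shared(p, peer_public, secret):
    """A' ≡ B^a (mod p) for Alice, B' ≡ A^b (mod p) for Bob; both equal g^(ab)."""
    return pow(peer_public, secret, p)

def dh_exchange(p, g, a, b):
    """Run both sides and return (A, B, shared key); Eve learns only p, g, A and B."""
    A, B = dh_public(p, g, a), dh_public(p, g, b)
    k_alice, k_bob = dh_shared(p, B, a), dh_shared(p, A, b)
    if k_alice != k_bob:
        raise AssertionError("both sides must derive the same key")
    return A, B, k_alice

def elgamal_encrypt(p, g, A, M, k):
    """Bob: (C1, C2) = (g^k, M * A^k) mod p, with a fresh ephemeral k every time."""
    if not 2 <= M < p:
        raise ValueError("message must satisfy 2 <= M < p")
    return pow(g, k, p), M * pow(A, k, p) % p

def elgamal_decrypt(p, a, C1, C2):
    """Alice: x = C1^a, M = x^{-1} * C2 (mod p), as in the derivation above."""
    x = pow(C1, a, p)
    return pow(x, -1, p) * C2 % p         # modular inverse via pow(): Python 3.8+

def dlp_by_exhaustive_search(p, g, h):
    """Solve g^x ≡ h (mod p) by trying every exponent in turn: about p steps,
    trivial for p = 941 and hopeless for p ≈ 2^1000, which is why such p are used."""
    value = 1
    for x in range(p - 1):
        if value == h:
            return x
        value = value * g % p
    return None

if __name__ == "__main__":
    print(dh_exchange(941, 627, 347, 781))               # (390, 691, 470)
    c1, c2 = elgamal_encrypt(467, 2, 224, 331, 197)      # (87, 57)
    print((c1, c2), elgamal_decrypt(467, 153, c1, c2))   # 331
    print(dlp_by_exhaustive_search(941, 627, 390))       # 347
```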



5.3 The RSA Public Key Cryptosystem
Ron Rivest, Adi Shamir and Leonard Adleman (RSA) developed the algorithm at MIT in 1978.
Since that time it has reigned supreme as the most widely accepted and implemented general-purpose
approach to public-key encryption.

• Suppose Alice chooses two large prime numbers p, q, which serve as her trapdoor. She
computes the product N = pq with $\phi(N) = (p-1)(q-1)$, and chooses a further number
$1 < e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$. Then she publishes N and e.

• Alice computes the multiplicative inverse $0 \le d \le N$ of e, that is $d \cdot e \equiv 1 \pmod{\phi(N)}$, which
is easy for her since she knows $\phi(N) = (p-1)(q-1)$.

• She thus publishes her public key $E_{pub} = \{e, N\}$ used for encryption and keeps her private
key $E_{priv} = \{d, N\}$ to be used for decryption.

The RSA algorithm works because of the following:


• Euler's Theorem: $a^{\phi(N)} \pmod N = 1$ where $\gcd(a, N) = 1$.

• In RSA we have: N = pq, $\phi(N) = (p-1)(q-1)$. Carefully choose e and d which are inverses
$\pmod{\phi(N)}$, hence $e \cdot d = 1 + k \cdot \phi(N)$ for some k.

• Hence:

  $C^d = M^{e \cdot d} = M^{1 + k \cdot \phi(N)} = M^1 \cdot (M^{\phi(N)})^k = M^1 \cdot (1)^k = M^1 = M \pmod N$.

If we can factor N then we can compute $\phi(N)$ and d. RSA relies on the factoring problem. This
does not mean that breaking RSA is equivalent to solving a factorization problem. It is not known
whether RSA can be broken without factoring N.
Consider the following implementation:
RSA Encryption parameters. Public key: [e,N].
e: 65537
N: 1034776851837418228051242693253376923 (a product of two 60 bits primes)
Ciphertext: 582984697800119976959378162843817868
-------------------
Message: 345

checking: M^e (mod N) = 547552632648538792619285370735999098

Confirmation:
-------
p = 1,086,027,579,223,696,553
q = 952,809,000,096,560,291
and

N = p x q = 1,034,776,851,837,418,228,051,242,693,253,376,923



phi(N) = (p-1) x (q-1) = 1034776851837418226012406113933120080

d = Inverse of 65537 (mod phi(N)) = 568411228254986589811047501435713

Message = Ciphertext^d (mod N) = 345


Ciphertext = Message^e (mod N) = 582984697800119976959378162843817868
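As an added example (not the notes' own implementation), textbook RSA with the parameters of the run above (e = 65537 and the two 60-bit primes p and q), showing the key derivation, the round trip of the message 345, and the point made above that anyone who knows the factors of N recovers $\phi(N)$ and therefore d.

```python
# Added example, not from the original notes: textbook RSA with the
# notes' parameters. Constants are copied from the run above.
from math import gcd

RSA_E = 65537
RSA_P = 1086027579223696553
RSA_Q = 952809000096560291
RSA_N = 1034776851837418228051242693253376923    # stated in the notes as p * q

def rsa_keypair_from_primes(p, q, e=RSA_E):
    """Return (N, d) for public exponent e; e must be invertible mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)            # d * e ≡ 1 (mod phi(N)); Python 3.8+
    return n, d

def rsa_encrypt(m, e, n):
    """C = M^e mod N; the message must be an integer in [0, N)."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)

def rsa_decrypt(c, d, n):
    """M = C^d mod N, by Euler's theorem as derived above."""
    return pow(c, d, n)

def private_exponent_from_factors(n, p, q, e):
    """What factoring N buys an attacker: phi(N) and with it the private exponent d."""
    if p * q != n:
        raise ValueError("p * q != N: these are not the factors of N")
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, d = rsa_keypair_from_primes(RSA_P, RSA_Q)
    c = rsa_encrypt(345, RSA_E, n)
    print(n == RSA_N, c, rsa_decrypt(c, d, n))
    print(private_exponent_from_factors(RSA_N, RSA_P, RSA_Q, RSA_E) == d)
```

This is raw ("textbook") RSA: without randomized padding such as OAEP the same message always gives the same ciphertext, so real systems never apply the bare exponentiation shown here to data.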

5.4 Elliptic Curve Discrete Logarithm Problem (ECDLP)


Elliptic curve cryptosystems (ECC) were first proposed independently by Miller and Koblitz in
the mid-1980s. Elliptic curve cryptography constitutes a fundamental and efficient technology for
public key cryptosystems. They are seen to be analogs of existing public-key cryptosystems in
which modular arithmetic is replaced by operations defined over elliptic curves.
With ECC, the operation of public-key cryptographic schemes involves arithmetic operations
on an elliptic curve over a finite field determined by some elliptic curve domain parameters. ECC
domain parameters are defined over $F_q$ (where $F_q$ is either $F_p$ or $F_{2^m}$). Elliptic curves can equally have points
with coordinates in any field, such as $\mathbb{Q}$, $\mathbb{R}$, or $\mathbb{C}$.
An elliptic curve with real coefficients can be expressed in the standard form:

  $y^2 = x^3 + ax + b$ (25)

for some constants a and b (shown in Figure 16), where it is required that the cubic $x^3 + ax + b$
has distinct roots, i.e. the discriminant $\Delta = 4a^3 + 27b^2 \neq 0$. When defining points on an
elliptic curve, we include a point O called the point at infinity. We have

  $E = \{(x, y) \mid y^2 = x^3 + ax + b\} \cup \{O\}$ (26)

as the set of points on the curve.

Figure 16: Elliptic Curve.
Elliptic curves whose points are in Fp are finite groups. The best known algorithm to solve the
elliptic curve discrete logarithm problem (ECDLP), the discrete logarithm problem for the group
of points on an elliptic curve over a finite field, is exponential, which is why elliptic curve groups
are used for cryptography.
*Explore the geometry and algebra of elliptic curves in the literature.

Let the elliptic curve $E : y^2 = x^3 + ax + b \pmod p$ be denoted by $E_p(a, b)$, where the constants
a and b are non-negative integers smaller than the prime number p and must satisfy the condition:
  $4a^3 + 27b^2 \neq 0 \pmod p$.

In the multiplicative group $F_p^*$, the discrete logarithm problem is defined thus: given elements a
and b of the group, and a prime p, find a number k such that $a = b^k \pmod p$.

If the elliptic curve group is described using multiplicative notation, then the elliptic curve
discrete logarithm problem (ECDLP) is: given points P and Q in the group, find a number k such that
$P^k = Q$; k is called the discrete logarithm of Q to the base P.

When the elliptic curve group is described using additive notation, the elliptic curve discrete
logarithm problem is: given points P and Q in the group, find a number k such that $kP = Q$.

Consider the elliptic curve group defined by

  $y^2 = x^3 + 9x + 17$ over $F_{23}$, (27)

What will be the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)?

We can find k by computing multiples of P until Q is found. Thus:

  P = (16, 5), 2P = (20, 20), 3P = (14, 14), ..., 6P = (7, 3), 7P = (8, 7), 8P = (12, 17), 9P = (4, 5),

computed through the following steps. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on the elliptic curve

  $E : y^2 = x^3 + ax + b$ (28)

and let the line connecting $P_1$ and $P_2$ be

  $L : y = \lambda x + v$ (29)

The slope of L is given by

  $\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1}, & P_1 \neq P_2 \\[8pt] \dfrac{3x_1^2 + a}{2y_1}, & P_1 = P_2 \end{cases}$ (30)

and the y-intercept of L is

  $v = y_1 - \lambda x_1$. (31)

We now find the intersection of the curve and the line connecting $P_1$ and $P_2$:

  $E : y^2 = x^3 + ax + b$ and $L : y = \lambda x + v$ (32)

by solving
  $x^3 + ax + b = (\lambda x + v)^2$.

Since $x_1$ and $x_2$ are solutions, we now find the third solution, $x_3$:

  $x^3 + ax + b - (\lambda x + v)^2 = (x - x_1)(x - x_2)(x - x_3)$
  $= x^3 - (x_1 + x_2 + x_3)x^2 + (x_1 x_2 + x_1 x_3 + x_2 x_3)x - x_1 x_2 x_3$.

Comparing the coefficients of $x^2$ we thus have
  $-\lambda^2 = -x_1 - x_2 - x_3 \implies x_3 = \lambda^2 - x_1 - x_2$.
From equation (29) evaluated at the third point:

  $y_3 = \lambda x_3 + v = \lambda x_3 + y_1 - \lambda x_1 = \lambda(x_3 - x_1) + y_1$

we have
  $P_1 + P_2 = (x_3, y_3)$,
where $(x_3, y_3)$ is on the curve and $(x_3, y_3)$ is collinear with $P_1$ and $P_2$.
Let E be the elliptic curve defined by $y^2 = x^3 + x + 1$ over $F_7$; then

  $E(F_7) = \{O, (2, 2), (0, 1), (0, 6), (2, 5)\}$.

If we let P = (2, 2) then 3P = (0, 6) = Q, and hence k = 3 is a solution to the discrete logarithm
problem.

In a real application, k would be so large that such an approach would be infeasible for determining k.
Construction of an elliptic curve over $F_p$: Let the prime number p = 23 and consider
the elliptic curve $E : y^2 = x^3 + x + 4 \pmod{23}$ defined over $F_{23}$, with the constants a = 1 and
b = 4, which have been checked to satisfy the condition that E is indeed an elliptic curve. We then determine the
quadratic residues $Q_{23}$ from the reduced set of residues $Z_{23}^* = \{1, 2, 3, \ldots, 21, 22\}$, which is given by
$Q_{23} = \{1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18\}$, and use them to determine the points of $E_{23}(1, 4)$, i.e.:

  $E_{23}(1, 4) = \{$ (0, 2), (0, 21), (1, 11), (1, 12), (4, 7), (4, 16), (7, 3),
                  (7, 20), (8, 8), (8, 15), (9, 11), (9, 12), (10, 5), (10, 18),
                  (11, 9), (11, 14), (13, 11), (13, 12), (14, 5), (14, 18), (15, 6),
                  (15, 17), (17, 9), (17, 14), (18, 9), (18, 14), (22, 5), (22, 18) $\}$

The core of elliptic curve arithmetic is an operation called scalar point multiplication,
which computes Q = kP. If, for example, we want to compute 11P, it can be expressed as
$11P = 2 \cdot (2 \cdot (2 \cdot P) + P) + P$. The problem of calculating k from given points P and Q
is called the discrete logarithm problem over the elliptic curve (ECDLP). Note that we can easily
calculate Q = kP from given k and P, but it is computationally difficult to calculate the scalar k
from points Q and P.

Let $E_p(a, b) = E_{23}(1, 4)$ and let Q = (1, 12) and P = (7, 3) be points on the curve $E_{23}(1, 4)$.
Then one can show that 5P = Q:

  $Q = 5P = P + P + P + P + P = (1, 12)$

and hence k = 5 is the solution to the discrete logarithm problem.

Assuming the curve is defined over a large prime, say

  p = 6,277,101,735,386,680,763,835,789,423,207,666,416,083,908,700,390,324,961,279

containing a large group of points, say, exactly N points where:

  N = 6,277,101,735,386,680,763,835,789,423,337,720,473,986,773,608,255,189,015,329

with
  k = 6,708,050,311,399,110,513,517,527,207,693,060,456,300,217,054,473.
It will therefore be almost impossible to determine k. The security of ECC therefore relies on the
hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Implementation of ECDH key agreement protocol: As an illustration, consider the
elliptic curve $E_p(a, b) = E_{23}(1, 4)$ with the point P = (7, 3) used above as the base point. Alice (A) chooses the secret key $k_A = 12$ and computes
her public key:
  $Q_A = k_A P = 12P = (13, 11)$.
Similarly, Bob (B) chooses the secret key $k_B = 23$ and computes his public key:

  $Q_B = k_B P = 23P = (0, 2)$.

Thus, their common secret key is $S_{AB} = k_A k_B P$. Alice computes:

  $k_A Q_B = 12(23P) = 15P = (17, 9)$

and Bob computes:

  $k_B Q_A = 23(12P) = 15P = (17, 9)$

such that:
  $S_{AB} = k_A Q_B = k_B Q_A = 15P = (17, 9)$.
Therefore their shared key is $S_{AB} = (17, 9)$.
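As an added example (not the notes' own code), the addition and doubling formulas derived in 5.4, implemented over $F_p$ with the point at infinity, and applied to the three curves of this section: $y^2 = x^3 + 9x + 17$ over $F_{23}$ (9P = Q), $y^2 = x^3 + x + 1$ over $F_7$ (3P = Q) and $E_{23}(1, 4)$ for the ECDH run with $k_A = 12$, $k_B = 23$. Note that the group law uses the reflection $(x_3, -y_3)$ of the third intersection point, which is why the code negates the $y$ coordinate of equation (29). The class and function names are this example's own.

```python
# Added example, not from the original notes: short Weierstrass curve
# arithmetic over a prime field, plus ECDLP by enumeration and ECDH.
O = None   # the point at infinity, the group identity

class Curve:
    """y^2 = x^3 + a x + b over F_p; points are (x, y) tuples or O."""
    def __init__(self, p, a, b):
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 ≡ 0 (mod p)")
        self.p, self.a, self.b = p, a, b

    def contains(self, pt):
        if pt is O:
            return True
        x, y = pt
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def add(self, p1, p2):
        """P1 + P2 using the slope lambda of (30); the sum is the reflection
        of the third intersection point, so y3 = lambda*(x1 - x3) - y1."""
        p = self.p
        if p1 is O:
            return p2
        if p2 is O:
            return p1
        x1, y1 = p1
        x2, y2 = p2
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                                  # P + (-P) = O (also y1 == 0)
        if p1 == p2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, pt):
        """kP by double-and-add, the idea behind 11P = 2(2(2P) + P) + P."""
        result, addend = O, pt
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result

    def points(self):
        """All affine points, by brute force; only sensible for tiny p."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.contains((x, y))]

def ecdlp_by_enumeration(curve, P, Q, limit):
    """Find k with kP = Q by stepping through multiples of P; feasible only for
    toy groups, which is the whole point of ECDLP-based security."""
    R = P
    for k in range(1, limit + 1):
        if R == Q:
            return k
        R = curve.add(R, P)
    return None

def ecdh_shared(curve, P, k_a, k_b):
    """Both sides of the ECDH exchange; returns (Q_A, Q_B, shared point)."""
    Q_A, Q_B = curve.mul(k_a, P), curve.mul(k_b, P)
    s_a, s_b = curve.mul(k_a, Q_B), curve.mul(k_b, Q_A)
    if s_a != s_b:
        raise AssertionError("both sides must derive the same point")
    return Q_A, Q_B, s_a

if __name__ == "__main__":
    e = Curve(23, 1, 4)
    print(len(e.points()), e.mul(5, (7, 3)))          # 28, (1, 12)
    print(ecdh_shared(e, (7, 3), 12, 23))             # ((13, 11), (0, 2), (17, 9))
    print(ecdlp_by_enumeration(Curve(23, 9, 17), (16, 5), (4, 5), 50))   # 9
```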
The use of ECC in public and private sectors has increased over the past few years. While
RSA continues to be more widely used and is easier to understand compared to ECC, the efficiency
benefits of ECC make it appealing for many enterprise use cases. These include speeding up secure
access to Secure Sockets Layer-encrypted websites and streaming encrypted data from IoT devices
with limited computing power.

