Contents
1 Introduction: Mathematical Cryptography
1.1 Divisibility and Greatest Common Divisors
1.2 Prime Numbers
1.3 Euler Phi Function
1.4 Finite Fields
1.4.1 Prime Fields
1.4.2 Polynomials over a Field
1.4.3 Extension Fields
1.4.4 Powers and Primitive Roots in Finite Fields
1.4.5 Finite Field using a Generator
1.5 Modular Arithmetic
1.5.1 The Chinese Remainder Theorem
1.6 The Pohlig-Hellman Algorithm
1.7 The Fast Powering Algorithm
1.8 One Way Functions
2 Cryptography
2.1 Introduction
2.2 Cryptography
2.3 Cryptographic Security Services
2.3.1 Cryptography & Steganography
3.2.4 Hill Cipher
3.2.5 The XOR Cipher
3.3 Cryptosystem
3.4 Algorithm Classification Based On Keys
3.4.1 Symmetric Key Algorithm (secret key algorithms)
3.4.2 Asymmetric Key Algorithm (public key algorithms)
3.5 Classification Based on Plaintext Processing
3.5.1 Stream Ciphers
3.5.2 Block Ciphers
3.6 Classification Based on Mode of Operation
3.6.1 Substitution Cipher
3.6.2 Transposition Cipher
3.7 Kerckhoffs' Principle for Cryptosystems
3.8 Cryptanalysis
3.8.1 Ciphertext Only Attack
3.8.2 Known Plaintext Attack
3.8.3 Chosen Plaintext Attack
3.8.4 Chosen Ciphertext Attack
4 Cryptographic Protocols
4.1 Authentication Protocols
4.2 Security Analysis of Cryptographic Protocols
4.2.1 Tools for Formal Protocol Verification
4.3 The BAN Logic
4.3.1 The BAN Logic Rules
4.3.2 BAN Security Analysis
$r_{j-1} = r_j \cdot q_j + r_{j+1}$
is realized. Hence
$\gcd(r_{j-1}, r_j) = \gcd(r_j, r_{j+1}) \quad \forall\, j = 1, 2, 3, \dots$ (1)
At the step when $r_{j+1} = 0$, we have $r_{j-1} = r_j \cdot q_j$ and thus
$\gcd(r_{j-1}, r_j) = \gcd(r_j \cdot q_j, r_j) = r_j.$
Therefore $\gcd(r_0, r_1) = \gcd(a, b) = r_j$, the last non-zero remainder.
Sol. 1.
Generally, one can write gcd(a, b) as an integer linear combination of a and b. The procedure that produces the coefficients is called the extended Euclidean algorithm. It will come in handy in later computations in finite fields and in some encryption algorithms such as RSA, where it supplies modular inverses.
Theorem 2 (Extended Euclidean Algorithm). Let a and b be positive integers. Then the equation
$a u + b v = \gcd(a, b)$ (2)
always has a solution in integers u and v. If $(u_0, v_0)$ is one such solution then every solution is of the form
$u = u_0 + \dfrac{b \cdot k}{\gcd(a, b)} \quad \text{and} \quad v = v_0 - \dfrac{a \cdot k}{\gcd(a, b)}, \quad \text{for some } k \in \mathbb{Z}.$
$r_2 = r_0 - r_1 \cdot q_1 = a - b \cdot q_1.$
Substitute the above equation into the second step of the proof:
$b = (a - b \cdot q_1) \cdot q_2 + r_3 \;\Longrightarrow\; r_3 = -a \cdot q_2 + b\,(1 + q_1 q_2).$
Continuing in this way, every remainder is an integer combination of a and b, until we get to $r_j = a \cdot u + b \cdot v$ for some integers u and v. But $r_j = \gcd(a, b)$, which proves the first part.
If gcd(a, b) = 1, we have the following definition.
Definition 4. Let a and b be integers with gcd(a, b) = 1. Then a and b are said to be relatively prime.
Eq. (2) can always be reduced to the relatively prime case by dividing through by gcd(a, b):
$\dfrac{a}{\gcd(a, b)}\, u + \dfrac{b}{\gcd(a, b)}\, v = 1.$
Example 2. Express gcd(2024, 748) as a linear combination of 2024 and 748.
Sol. 2. Let 2024 = x and 748 = y. From the first line of the Euclidean algorithm:
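The Euclidean ladder and the back-substitution of Theorem 2, as an added Python example (not code from the original notes): it computes gcd(2024, 748) = 44 = 2024 · (−7) + 748 · 19 together with the division steps, and uses the same routine for the modular inverse that later sections (inverses modulo m, RSA) rely on. The function names are the example's own.

```python
# Extended Euclidean algorithm, written as an added example for these notes
# (not code from the original).  It returns gcd(a, b) together with integers
# (u, v) satisfying a*u + b*v = gcd(a, b), the quantities of Theorem 2, and
# records every division step r_{j-1} = r_j * q_j + r_{j+1} so the ladder can
# be inspected.

def extended_gcd(a: int, b: int):
    """Return (g, u, v, steps) with g = gcd(a, b) = a*u + b*v.

    steps is the list of (r_{j-1}, q_j, r_j, r_{j+1}) tuples produced by the
    Euclidean algorithm, in order.  Works for non-negative a, b not both 0.
    """
    if a < 0 or b < 0:
        raise ValueError("expects non-negative integers")
    if a == 0 and b == 0:
        raise ValueError("gcd(0, 0) is undefined")
    # (r_prev, r_cur) walk down the remainder sequence r_0 = a, r_1 = b, ...
    # (u_prev, v_prev) and (u_cur, v_cur) express r_prev and r_cur as integer
    # combinations of the original a and b (the invariant of the proof).
    r_prev, r_cur = a, b
    u_prev, v_prev = 1, 0
    u_cur, v_cur = 0, 1
    steps = []
    while r_cur != 0:
        q = r_prev // r_cur
        r_next = r_prev - q * r_cur
        steps.append((r_prev, q, r_cur, r_next))
        r_prev, r_cur = r_cur, r_next
        u_prev, u_cur = u_cur, u_prev - q * u_cur
        v_prev, v_cur = v_cur, v_prev - q * v_cur
    return r_prev, u_prev, v_prev, steps


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a modulo m via the extended gcd.

    Exists exactly when gcd(a, m) = 1 (the condition stated in the
    modular-arithmetic section); otherwise a ValueError is raised, which is
    the case an implementation must handle rather than silently return 0.
    """
    g, u, _, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd = {g})")
    return u % m


if __name__ == "__main__":
    # Example 2: gcd(2024, 748) as a combination of 2024 and 748.
    g, u, v, steps = extended_gcd(2024, 748)
    for r_prev, q, r_cur, r_next in steps:
        print(f"{r_prev} = {r_cur} * {q} + {r_next}")
    print(f"gcd(2024, 748) = {g} = 2024*({u}) + 748*({v})")
    # The RSA use case: the private exponent is the inverse of e modulo phi(n).
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```

The last remainder printed before 0 is the gcd, and the pair (u, v) is the particular solution (u_0, v_0) of Theorem 2; any other solution is obtained by adding 748k/44 = 17k to u and subtracting 2024k/44 = 46k from v.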
Proposition 2. Let p be a prime number, and suppose that p divides the product ab of two integers. Then p divides at least one of a and b. More generally, if
$p \mid a_1 a_2 a_3 \cdots a_n,$
Given that p is a prime, the set of integers Z/pZ modulo p with its arithmetic operations is an example of a field. Since Z/pZ has only finitely many elements, it is a finite field, denoted $\mathbb{F}_p$. Thus Z/pZ and $\mathbb{F}_p$ denote the same object.
$a_{n-1} x^{n-1} + a_{n-2} x^{n-2} + \cdots + a_1 x + a_0$
Of particular interest to this course is the finite field of the form $\mathbb{F}_{2^n}$. Take $\mathbb{F}_{2^3} = \mathbb{F}_8$: there are 8 elements in the field, each represented by a polynomial
$a_2 x^2 + a_1 x + a_0, \quad a_i \in \mathbb{F}_2.$
Writing the coefficient vectors as bit strings, and labelling the bit strings by the integers they spell:
$\mathbb{F}_2 = \{0, 1\}$
$\mathbb{F}_{2^2} = \{00, 01, 10, 11\} = \{0, 1, 2, 3\}$
$\mathbb{F}_{2^3} = \{000, 001, 010, 011, 100, 101, 110, 111\} = \{0, 1, 2, 3, 4, 5, 6, 7\}$
$\mathbb{F}_{2^4} = \{0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111\}$
$\phantom{\mathbb{F}_{2^4}} = \{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A(10), B(11), C(12), D(13), E(14), F(15)\}$
$\vdots$
The integer labels are names for the bit strings only: addition in $\mathbb{F}_{2^n}$ is coordinate-wise XOR (so 1 + 1 = 0, not 2), which is not the arithmetic of $\mathbb{Z}/2^n\mathbb{Z}$. In $\mathbb{F}_{2^3}$ the correspondence with polynomials is:
$000 \Longrightarrow 0 \cdot x^2 + 0 \cdot x + 0 \cdot 1 = 0$
$001 \Longrightarrow 0 \cdot x^2 + 0 \cdot x + 1 \cdot 1 = 1$
$010 \Longrightarrow 0 \cdot x^2 + 1 \cdot x + 0 \cdot 1 = x$
$011 \Longrightarrow 0 \cdot x^2 + 1 \cdot x + 1 \cdot 1 = 1 + x$
$100 \Longrightarrow 1 \cdot x^2 + 0 \cdot x + 0 \cdot 1 = x^2$
$101 \Longrightarrow 1 \cdot x^2 + 0 \cdot x + 1 \cdot 1 = x^2 + 1$
$110 \Longrightarrow 1 \cdot x^2 + 1 \cdot x + 0 \cdot 1 = x^2 + x$
$111 \Longrightarrow 1 \cdot x^2 + 1 \cdot x + 1 \cdot 1 = x^2 + x + 1$
Definition 10. A polynomial $f \in \mathbb{F}_q[x]$ is an irreducible polynomial over $\mathbb{F}_q$ if f has positive degree and $f = gh$ with $g, h \in \mathbb{F}_q[x]$ implies that either g or h is a constant polynomial.
Theorem 6 (Fermat's Little Theorem). Let p be a prime number and let x be any integer. Then
$x^{p-1} \equiv \begin{cases} 1 \pmod p, & \text{if } p \nmid x, \\ 0 \pmod p, & \text{if } p \mid x. \end{cases}$
For the prime 15485863 this gives
$2^{15485863 - 1} \equiv 1 \pmod{15485863}.$
So, without a single computation, we are able to see that $15485863 \mid (2^{15485862} - 1)$.
A combination of Fermat's Little Theorem and the fast powering algorithm gives an efficient algorithm for computing inverses modulo p, namely
$x^{-1} \equiv x^{p-2} \pmod p \quad \text{for } p \nmid x,$
since $x \cdot x^{p-2} = x^{p-1} \equiv 1 \pmod p$. Note that this only works for a prime modulus; for a composite modulus the inverse is obtained from the extended Euclidean algorithm.
Theorem 7. Let f(x) be an irreducible polynomial of degree k over $\mathbb{F}_p$. The finite field $GF(p^k)$ can be realized as the set of polynomials of degree at most k − 1 over $\mathbb{F}_p$, with addition and multiplication done modulo f(x).
$x^3 + x + 1 = 01011, \qquad x^4 + x^3 + x + 1 = 11011.$
Exercise 1. Let $f(x) = x^3 + x + 1$ and $g(x) = x^4 + x^3 + x + 1$. Evaluate 1. $f(x) + g(x)$, 2. $f(x) \cdot g(x)$.
Definition 11. A generator g of a finite field F of order q is an element whose first q − 1 powers give all the non-zero elements of F, so that $F = \{0\} \cup \{g^0, g^1, g^2, \dots, g^{q-2}\}$.
Consider the field $GF(2^3)$ defined by the irreducible polynomial $x^3 + x + 1$. The generator g must satisfy $f(g) = g^3 + g + 1 = 0$, that is, $g^3 = -g - 1 = g + 1$ (signs do not matter in characteristic 2). The rest of the elements are:
$g^4 = g(g^3) = g(g + 1) = g^2 + g$
$g^5 = g(g^4) = g(g^2 + g) = g^3 + g^2 = g^2 + g + 1$
$g^6 = g(g^5) = g(g^2 + g + 1) = g^3 + g^2 + g = g + 1 + g^2 + g = g^2 + 1$
$g^7 = g(g^6) = g(g^2 + 1) = g^3 + g = g + 1 + g = 1 = g^0.$
Thus all the non-zero polynomials of $GF(2^3)$ are generated by the powers of g.
Table 3: GF (23 ) Addition Using the Generator for the Polynomial (x3 + x + 1).
Table 4: GF (23 ) Multiplication Using the Generator for the Polynomial (x3 + x + 1).
Generally, for any $GF(2^n)$ with an irreducible polynomial f(x), we calculate all powers of g from $g^{n+1}$ through $g^{2^n - 2}$ (the power $g^n$ is given directly by $f(g) = 0$). In the field, multiplication is performed using $g^j = g^{j \bmod (2^n - 1)}$ for any integer j, so that $g^i \cdot g^k = g^{(i + k) \bmod (2^n - 1)}$.
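An added Python example, not from the original notes, of the polynomial arithmetic above, with a polynomial over $\mathbb{F}_2$ encoded as an integer whose bit i is the coefficient of $x^i$ (the notes' bit-string convention, $x^3 + x + 1 = 0b1011$). It covers Exercise 1 (addition and carry-less multiplication in $\mathbb{F}_2[x]$), reduction modulo the irreducible polynomial, and the generator table for $GF(2^3)$ with $x^3 + x + 1$ from which Tables 3 and 4 are built. It goes beyond the notes in one respect: the same routines run unchanged on the AES field $GF(2^8)$ with modulus $x^8 + x^4 + x^3 + x + 1$, where x itself is not a generator (x + 1 is). The function and constant names are the example's own.

```python
# Added example (not code from the original notes): arithmetic in F_2[x] and
# in GF(2^n), polynomials encoded as ints with bit i = coefficient of x^i.

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the AES (Rijndael) modulus


def poly_add(f: int, g: int) -> int:
    """Addition in F_2[x]: coefficients add mod 2, which is XOR."""
    return f ^ g


def poly_mul(f: int, g: int) -> int:
    """Carry-less multiplication in F_2[x] (no reduction)."""
    result = 0
    while g:
        if g & 1:               # add f * x^i for every set bit of g
            result ^= f
        f <<= 1
        g >>= 1
    return result


def poly_mod(f: int, modulus: int) -> int:
    """Remainder of f on division by modulus in F_2[x] (long division)."""
    deg_m = modulus.bit_length() - 1
    while f.bit_length() - 1 >= deg_m:
        # subtract (= XOR) modulus * x^(deg f - deg m) to cancel the top bit
        f ^= modulus << (f.bit_length() - 1 - deg_m)
    return f


def gf_mul(a: int, b: int, modulus: int) -> int:
    """Multiplication in GF(2^n) = F_2[x] / (modulus), modulus irreducible of degree n."""
    return poly_mod(poly_mul(a, b), modulus)


def generator_powers(modulus: int, g: int = 0b10):
    """[g^0, g^1, ..., g^(2^n - 2)] in GF(2^n); raises if g is not a generator."""
    n = modulus.bit_length() - 1
    order = (1 << n) - 1
    powers, cur = [], 1
    for _ in range(order):
        powers.append(cur)
        cur = gf_mul(cur, g, modulus)
    # g is a generator only if the 2^n - 1 powers are distinct and g^(2^n-1) = 1
    if cur != 1 or len(set(powers)) != order:
        raise ValueError("given element is not a generator for this modulus")
    return powers


def gf_mul_by_log(a: int, b: int, modulus: int, g: int = 0b10) -> int:
    """Multiply via the generator table: g^i * g^j = g^((i + j) mod (2^n - 1))."""
    if a == 0 or b == 0:
        return 0
    powers = generator_powers(modulus, g)
    i, j = powers.index(a), powers.index(b)
    return powers[(i + j) % len(powers)]


if __name__ == "__main__":
    f, g = 0b1011, 0b11011               # Exercise 1: x^3+x+1 and x^4+x^3+x+1
    print(f"f + g = {poly_add(f, g):b}")   # 10000 = x^4
    print(f"f * g = {poly_mul(f, g):b}")   # 11110101
    print("GF(2^3) powers of g = x:", [f"{p:03b}" for p in generator_powers(0b1011)])
    print("(g^3)(g^4) =", gf_mul(0b011, 0b110, 0b1011))          # g^7 = 1
    print("AES field: 0x53 * 0xCA =", gf_mul(0x53, 0xCA, AES_POLY))  # 1
```

The generator list for $x^3 + x + 1$ comes out as 001, 010, 100, 011, 110, 111, 101, exactly the sequence $g^0, \dots, g^6$ derived above; indexing into it gives the multiplication table (Table 4) without any polynomial division, which is how table-driven implementations of GF(2^8) arithmetic work.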
$a \equiv b \pmod m$
2. Let a be an integer. Then $a \cdot b \equiv 1 \pmod m$ for some integer b if and only if $\gcd(a, m) = 1$. If such an integer b exists, we say b is the (multiplicative) inverse of a modulo m. Given a = 3 and m = 7: since gcd(3, 7) = 1 and $3 \cdot 5 = 15 \equiv 1 \pmod 7$, 5 is the inverse of 3 (mod 7).
Examples of modular arithmetic:

(a) Modulo 8 addition
  +  | 0  1  2  3  4  5  6  7
  ---+-----------------------
  0  | 0  1  2  3  4  5  6  7
  1  | 1  2  3  4  5  6  7  0
  2  | 2  3  4  5  6  7  0  1
  3  | 3  4  5  6  7  0  1  2
  4  | 4  5  6  7  0  1  2  3
  5  | 5  6  7  0  1  2  3  4
  6  | 6  7  0  1  2  3  4  5
  7  | 7  0  1  2  3  4  5  6

(b) Modulo 8 multiplication
  x  | 0  1  2  3  4  5  6  7
  ---+-----------------------
  0  | 0  0  0  0  0  0  0  0
  1  | 0  1  2  3  4  5  6  7
  2  | 0  2  4  6  0  2  4  6
  3  | 0  3  6  1  4  7  2  5
  4  | 0  4  0  4  0  4  0  4
  5  | 0  5  2  7  4  1  6  3
  6  | 0  6  4  2  0  6  4  2
  7  | 0  7  6  5  4  3  2  1
Note that sums and products of elements of Z/mZ are again elements of Z/mZ. Note also from table (b) that 2, 4 and 6 have no multiplicative inverse modulo 8 (no 1 appears in their rows), so Z/8Z is a ring but not a field, in contrast with Z/pZ for prime p. The set (9) is called the set of residues or residue classes (mod m). Each integer in Z/mZ represents a residue class. The residue classes (mod m) can be labeled [0], [1], [2], …, [m − 1]. The residue classes (mod 4) are the following:
Examples:
The group of units modulo 7 is $(\mathbb{Z}/7\mathbb{Z})^* = \{1, 2, 3, 4, 5, 6\}$.
The group of units modulo 24 is $(\mathbb{Z}/24\mathbb{Z})^* = \{1, 5, 7, 11, 13, 17, 19, 23\}$, the residues coprime to 24, with multiplication table:
  .  |  1  5  7 11 13 17 19 23
  ---+------------------------
  1  |  1  5  7 11 13 17 19 23
  5  |  5  1 11  7 17 13 23 19
  7  |  7 11  1  5 19 23 13 17
 11  | 11  7  5  1 23 19 17 13
 13  | 13 17 19 23  1  5  7 11
 17  | 17 13 23 19  5  1 11  7
 19  | 19 23 13 17  7 11  1  5
 23  | 23 19 17 13 11  7  5  1
$c \equiv c' \pmod{m_1 m_2 \cdots m_k}.$
Proof. Let $M = m_1 m_2 m_3 \cdots m_r$ and $M_i = M / m_i$. Since the $m_i$ are pairwise relatively prime, $M_i$ is relatively prime to $m_i$, so it has an inverse $x_i$ modulo $m_i$, that is, $M_i x_i \equiv 1 \pmod{m_i}$. If $i \neq j$, then $m_i \mid M_j$, that is, $M_j \equiv 0 \pmod{m_i}$. Then
$x \equiv a_1 M_1 x_1 + a_2 M_2 x_2 + \cdots + a_r M_r x_r \pmod M$
is a solution, since for each i all terms but the i-th vanish modulo $m_i$:
$a_1 M_1 x_1 + a_2 M_2 x_2 + \cdots + a_r M_r x_r \equiv a_i M_i x_i \equiv a_i \cdot 1 \equiv a_i \pmod{m_i}.$
Suppose x and y are two solutions. Then $x \equiv y \pmod{m_i}$ for each i, that is, $m_i \mid (x - y)$. The $m_i$ are pairwise relatively prime, hence, by unique factorization, their product divides the difference,
$m_1 m_2 m_3 \cdots m_r \mid (x - y),$
that is,
$x \equiv y \pmod{m_1 m_2 m_3 \cdots m_r}.$
This proves the uniqueness.
$x = 2 + 3y = 2 + 3 \cdot 5 = 17$
Substituting the general solution of the first two congruences into the third, we have
$z \equiv 3 \cdot 13 \equiv 39 \equiv 7 \pmod{16}.$
All other solutions are of the form $X = x + 336n$ with $n \in \mathbb{Z}$ (adding or subtracting multiples of $336 = 3 \cdot 7 \cdot 16$, the product of the moduli, to x).
Example 7. Solve the system of congruences
$x \equiv 1 \pmod 3, \qquad x \equiv 4 \pmod 5, \qquad x \equiv 6 \pmod 7.$
Sol. 7. Rewrite the congruence with the largest modulus, $x \equiv 6 \pmod 7$, as an equivalent equation: $x = 7j + 6$ for some integer j.
Substitute this expression for x into the congruence with the next largest modulus and solve for j:
$7j + 6 \equiv 4 \pmod 5 \;\Longrightarrow\; 2j + 1 \equiv 4 \pmod 5 \;\Longrightarrow\; 2j \equiv 3 \pmod 5 \;\Longrightarrow\; j \equiv 4 \pmod 5,$
so $j = 5k + 4$ for some integer k, and
$x = 7(5k + 4) + 6 = 35k + 34.$
Now substitute this expression for x into the final congruence, and solve the congruence for k:
$35k + 34 \equiv 1 \pmod 3 \;\Longrightarrow\; 2k + 1 \equiv 1 \pmod 3 \;\Longrightarrow\; k \equiv 0 \pmod 3.$
Hence $k = 3l$ for some integer l and $x = 105l + 34$, that is,
$x \equiv 34 \pmod{105}.$
A congruence (or system of congruences) with composite moduli can be solved by first solving several congruences modulo the primes (or prime powers) dividing the given moduli, and then fitting the solutions together using the Chinese remainder theorem.
Proposition 4. Let p be a prime satisfying $p \equiv 3 \pmod 4$. Let a be an integer such that $x^2 \equiv a \pmod p$ has a solution (a has a square root modulo p). Then
$b \equiv a^{(p+1)/4} \pmod p$
is a square root of a modulo p, i.e. $b^2 \equiv a \pmod p$.
Proof. Let g be a primitive root (mod p); then a is equal to some power of g. Since a has a square root modulo p, a is an even power of g, hence $a \equiv g^{2k} \pmod p$ for some integer k. Then
Here $433 - 1 = 432 = 2^4 \cdot 3^3$, so x is found modulo $2^4$ and modulo $3^3$ separately and the two results are combined with the CRT. For the prime 2 (e = 4), the element 265 has order $2^4$ (indeed $265^{2^3} \equiv 432 \equiv -1 \pmod{433}$) and the binary digits $x_0, x_1, x_2, x_3$ of x (mod $2^4$) are determined one at a time:
$x_1:\ (265^{2^3})^{x_1} \equiv (250 \cdot 265^{-x_0})^{2^2} \pmod{433} \;\Longrightarrow\; (265^{2^3})^{x_1} \equiv (250 \cdot 265^{-1})^{2^2} \pmod{433}$
$\;\Longrightarrow\; 432^{x_1} \equiv (250 \cdot 250)^{2^2} \equiv 432 \pmod{433} \;\Longrightarrow\; x_1 = 1.$
$x_2:\ (265^{2^3})^{x_2} \equiv (250 \cdot 265^{-x_0 - 2x_1})^{2^1} \pmod{433} \;\Longrightarrow\; (265^{2^3})^{x_2} \equiv (250 \cdot 265^{-3})^{2} \pmod{433}$
$\;\Longrightarrow\; 432^{x_2} \equiv (250 \cdot 195)^{2} \equiv 432 \pmod{433} \;\Longrightarrow\; x_2 = 1.$
$x_3:\ (265^{2^3})^{x_3} \equiv (250 \cdot 265^{-x_0 - 2x_1 - 4x_2})^{2^0} \pmod{433} \;\Longrightarrow\; (265^{2^3})^{x_3} \equiv 250 \cdot 265^{-7} \pmod{433}$
$\;\Longrightarrow\; 432^{x_3} \equiv 250 \cdot 168 \equiv 432 \pmod{433} \;\Longrightarrow\; x_3 = 1.$
(Here $265^{-1} \equiv 250$, $265^{-3} \equiv 195$ and $265^{-7} \equiv 168 \pmod{433}$.) With $x_0 = 1$, as used in the substitution $265^{-x_0} = 265^{-1}$ above,
$x \equiv x_0 + 2x_1 + 4x_2 + 8x_3 \equiv 1 + 2 + 4 + 8 \equiv 15 \pmod{2^4}.$
For the prime 3 (e = 3), the element $374^{3^2} \equiv 234$ has order 3, and with $x_0 = 2$:
$x_1:\ (374^{3^2})^{x_1} \equiv (335 \cdot 374^{-x_0})^{3^1} \pmod{433} \;\Longrightarrow\; (374^{3^2})^{x_1} \equiv (335 \cdot 374^{-2})^{3} \pmod{433}$
$\;\Longrightarrow\; 234^{x_1} \equiv (335 \cdot 51)^{3} \equiv 1 \pmod{433} \;\Longrightarrow\; x_1 = 0.$
$x_2:\ (374^{3^2})^{x_2} \equiv (335 \cdot 374^{-x_0 - 3x_1})^{3^0} \pmod{433} \;\Longrightarrow\; (374^{3^2})^{x_2} \equiv 335 \cdot 374^{-2} \pmod{433}$
$\;\Longrightarrow\; 234^{x_2} \equiv 335 \cdot 51 \equiv 198 \pmod{433} \;\Longrightarrow\; x_2 = 2 \quad (\text{since } 234^2 \equiv 198 \pmod{433}).$
Thus:
$x \equiv x_0 + 3x_1 + 9x_2 \pmod{3^3} \;\Longrightarrow\; x \equiv 2 + 0 + 9 \cdot 2 \pmod{3^3} \;\Longrightarrow\; x \equiv 20 \pmod{3^3}.$
Next, we have to use the CRT to solve the simultaneous congruences
$x \equiv 15 \pmod{2^4}, \qquad x \equiv 20 \pmod{3^3},$
which yields x = 47 (check: $47 = 2 \cdot 16 + 15$ and $47 = 27 + 20$), and hence the solution of the DLP.
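An added Python example (not code from the original notes) that combines the two procedures above: the constructive CRT of the proof ($x = \sum a_i M_i x_i$) and the digit-by-digit extraction of the Pohlig-Hellman algorithm, one prime power at a time, followed by the CRT step. The excerpt of the notes does not state the base and target of the DLP; the values g = 7 and h = 166 used below are an assumption chosen because they reproduce the intermediate quantities on the page ($7^{27} \equiv 265$, $7^{16} \equiv 374$, $166^{27} \equiv 250$, $166^{16} \equiv 335 \pmod{433}$) and the answer 47. The function names are the example's own.

```python
# Added example (not code from the original notes): CRT in the constructive
# form of the proof, and Pohlig-Hellman for g^x = h (mod p) when p - 1 is
# smooth, extracting digits exactly as in the worked 433 example.
from math import gcd


def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; return (x, M)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        if gcd(M_i, m_i) != 1:
            raise ValueError("moduli must be pairwise coprime")
        x_i = pow(M_i, -1, m_i)          # inverse of M_i modulo m_i (Python 3.8+)
        x += a_i * M_i * x_i
    return x % M, M


def factor_prime_powers(n):
    """Trial-division factorisation {prime: exponent}; fine for the sizes
    Pohlig-Hellman is useful for (its cost is dominated by the largest prime)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlog_prime_power(g, h, p, q, e):
    """x mod q^e with g^x = h (mod p), where g has order q^e modulo p.

    Digit x_k is found by brute force over 0..q-1 from
    (g^(q^(e-1)))^(x_k) = (h * g^-(x_0 + q x_1 + ... + q^(k-1) x_(k-1)))^(q^(e-1-k)).
    """
    gamma = pow(g, q ** (e - 1), p)        # element of order q (432 or 234 above)
    x, q_pow = 0, 1
    for k in range(e):
        rhs = pow(h * pow(g, -x, p), q ** (e - 1 - k), p)
        for d in range(q):
            if pow(gamma, d, p) == rhs:
                break
        else:
            raise ValueError("no solution: h is not a power of g")
        x += d * q_pow
        q_pow *= q
    return x


def pohlig_hellman(g, h, p):
    """Solve g^x = h (mod p) for a prime p and a primitive root g."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor_prime_powers(n).items():
        m = q ** e
        g_q = pow(g, n // m, p)            # has order q^e
        h_q = pow(h, n // m, p)
        residues.append(dlog_prime_power(g_q, h_q, p, q, e))
        moduli.append(m)
    return crt(residues, moduli)[0]


if __name__ == "__main__":
    print("Example 7:", crt([6, 4, 1], [7, 5, 3]))          # (34, 105)
    print("digits mod 2^4:", dlog_prime_power(265, 250, 433, 2, 4))   # 15
    print("digits mod 3^3:", dlog_prime_power(374, 335, 433, 3, 3))   # 20
    print("x =", pohlig_hellman(7, 166, 433))                # 47
```

The two `dlog_prime_power` calls take exactly the page's inputs (265 and 250 for the prime 2, 374 and 335 for the prime 3) and return 15 and 20, and `pohlig_hellman` combines them to 47. The inner loop is a brute-force search over q values, which is why the algorithm is only efficient when every prime factor of p − 1 is small; a prime p with a large prime factor in p − 1 (a safe prime, for instance) defeats it.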
$X = X_0 + X_1 \cdot 2 + X_2 \cdot 2^2 + X_3 \cdot 2^3 + \cdots + X_r \cdot 2^r, \qquad X_i \in \{0, 1\},$
$x_0 \equiv g \pmod N$
$x_1 \equiv x_0^2 \equiv g^2 \pmod N$
$x_2 \equiv x_1^2 \equiv g^{2^2} \pmod N$
$x_3 \equiv x_2^2 \equiv g^{2^3} \pmod N$
$\vdots$
$x_r \equiv x_{r-1}^2 \equiv g^{2^r} \pmod N$
It can be seen that each term is the square of the previous one, thus requiring only r multiplications (squarings).
The quantities $x_0, x_1, x_2, \dots, x_r$ were computed in STEP II, thus the product in Eq. (16) can be computed by looking up the values of the $x_i$ whose exponent bit $X_i = 1$ and multiplying them together.
With
$218 = 2 + 2^3 + 2^4 + 2^6 + 2^7,$
then
$3^{218} = 3^{2 + 2^3 + 2^4 + 2^6 + 2^7} = 3^2 \cdot 3^{2^3} \cdot 3^{2^4} \cdot 3^{2^6} \cdot 3^{2^7}$
$\equiv 9 \cdot 561 \cdot 721 \cdot 281 \cdot 961 \pmod{1000}$
$\equiv 489 \pmod{1000}.$
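The fast powering algorithm above, as an added Python example (not code from the original notes), returning the squarings $x_i$ so the $3^{218} \pmod{1000}$ computation can be followed step by step; it also applies the algorithm to the Fermat inverse $x^{p-2} \pmod p$ from Theorem 6. The function names are the example's own.

```python
# Added example (not code from the original notes): square-and-multiply as
# laid out above, plus the Fermat inverse built on it.

def fast_power(g: int, X: int, N: int):
    """g^X mod N by repeated squaring.

    Returns (result, squares): squares[i] = x_i = g^(2^i) mod N is the table
    of STEP II; result multiplies together the x_i whose bit X_i is 1.
    """
    if X < 0:
        raise ValueError("negative exponent: use fermat_inverse instead")
    if N <= 0:
        raise ValueError("modulus must be positive")
    result, squares = 1 % N, []
    x_i = g % N                        # x_0 = g
    while X:
        squares.append(x_i)
        if X & 1:                      # X_i = 1: this power contributes to the product
            result = (result * x_i) % N
        x_i = (x_i * x_i) % N          # x_{i+1} = x_i^2, one squaring per bit of X
        X >>= 1
    return result, squares


def binary_digits(X: int):
    """Positions i with X_i = 1 in X = sum X_i 2^i, e.g. 218 -> [1, 3, 4, 6, 7]."""
    return [i for i in range(X.bit_length()) if (X >> i) & 1]


def fermat_inverse(x: int, p: int) -> int:
    """x^-1 mod p for prime p via x^(p-2), as justified by Fermat's theorem.

    Valid only for prime p and p not dividing x; for a composite modulus the
    extended Euclidean algorithm must be used instead.
    """
    if x % p == 0:
        raise ValueError("x is divisible by p and has no inverse")
    return fast_power(x, p - 2, p)[0]


if __name__ == "__main__":
    value, table = fast_power(3, 218, 1000)
    print("218 =", " + ".join(f"2^{i}" for i in binary_digits(218)))
    print("x_i = 3^(2^i) mod 1000:", table)       # [3, 9, 81, 561, 721, 841, 281, 961]
    print("3^218 mod 1000 =", value)              # 489
    print("3^-1 mod 7 =", fermat_inverse(3, 7))   # 5
```

The table printed for 3 modulo 1000 is the sequence 3, 9, 81, 561, 721, 841, 281, 961; the entries at positions 1, 3, 4, 6 and 7 are the five factors 9, 561, 721, 281, 961 multiplied above. Eight squarings and four multiplications replace the 217 multiplications of the naive method, and the exponent 15485862 of the Fermat example costs only 24 squarings.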
Definition 16 (Trapdoor). Trapdoor one-way functions are a family of invertible functions $f_k$ such that $y = f_k(x)$ is easy to compute when k and x are known, $x = f_k^{-1}(y)$ is easy to compute when k and y are known, and computing $x = f_k^{-1}(y)$ is infeasible when y is known but k is not.
A one-way function with certain extra information (the trapdoor information) thus becomes easy to invert. Such functions are candidates for public key encryption systems: the forward operation of the mathematical function (encrypting) is easy, but inverting it (decrypting) is hard without knowledge of the trapdoor information. The trapdoor information plays the role of the private key.
2.2 Cryptography
Information security has become a significant issue in our digital life. New transmission technologies call for specific security mechanisms, especially for data communication, and the importance of network security grows day by day with the volume of data transferred across the Internet. Cryptography and steganography provide the most significant techniques for information security.
Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means are provided through cryptography.
Cryptography comes from the Greek words kryptos, meaning hidden or secret, and graphein, meaning writing. It is the conversion of information from a readable state to apparent nonsense.
Definition 17. Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.
1. Data Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data Integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
• Connection Integrity with Recovery provides integrity for all user data on a connection and detects any modification, insertion, deletion or replay of any data within an entire data sequence.
• Connectionless Integrity provides for the integrity of a single connectionless data block, which may take the form of detection of data modification.
• Selective Field Connection Integrity provides for the integrity of selected fields within the user data transferred over a connection, determining whether the selected fields have been modified, inserted, deleted or replayed.
• Selective Field Connectionless Integrity provides for the integrity of selected fields within a single connectionless data block, determining whether the selected fields have been modified.
3. Authentication
• Peer Entity Authentication provides for the corroboration of the identity of a peer entity (two entities implementing the same protocol in different systems) in an association. It provides confidence in the identity of the connected entities.
• Data Origin Authentication provides for the authentication of the source of a data unit, without providing protection against modification or duplication of the data unit. In a connectionless transfer, it provides assurance that the source of received data is as claimed.
4. Non-repudiation
• Non-repudiation of Source provides proof that the message was sent by the specified party.
• Non-repudiation of Destination provides proof that the message was received by the specified party.
5. Access Control is the prevention of unauthorized use of a resource. To achieve this, each user must first be verified or authenticated before gaining access to the resource.
6. Availability guarantees that the system services are available whenever needed.
A fundamental goal of cryptography is to adequately address these areas in both theory and practice.
3.2.3 Vigenère
The Vigenère Cipher is a polyalphabetic substitution cipher. The method was originally described by Giovan Battista Bellaso in 1553. However, the scheme was later misattributed to Blaise de Vigenère in the 19th century, and is now widely known as the Vigenère cipher.
In a Vigenère cipher, a keyword is used as the key, together with the tableau in Figure 3. Suppose we want to encipher the message DEFENDTHEEASTWALLOFTHECASTLE using the keyword FORTIFICATION. We repeat the keyword above the plaintext until the plaintext is exhausted:
FORTIFICATIONFORTIFICATIONFO
DEFENDTHEEASTWALLOFTHECASTLE
Now we take the letter we will be encoding, 'D', and find it in the first column of the tableau. Then we move along the 'D' row of the tableau until we come to the column with 'F' at the top ('F' is the keyword letter above the first 'D'); the intersection is our ciphertext character, 'I'. Equivalently, numbering the letters A = 0, …, Z = 25, each ciphertext letter is the plaintext letter plus the key letter modulo 26. So the encryption is:
F O R T I F I C A T I O N F O R T I F I C A T I O N F O
D E F E N D T H E E A S T W A L L O F T H E C A S T L E
I S W X V I B J E X I G G B O C E W K B J E V I G G Q S
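An added Python example (not code from the original notes) that performs the tableau lookup above as arithmetic modulo 26 and reproduces the FORTIFICATION encryption, then shows why a short repeating key is weak: a Kasiski examination finds repeated trigrams in the ciphertext (BJE at positions 6 and 19, IGG at 10 and 23, both 13 apart) and recovers the key length from their distances. The function names are the example's own.

```python
# Added example (not code from the original notes): Vigenère as index
# arithmetic, and the Kasiski examination that recovers the key length.
from functools import reduce
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    """Keep only the 26 tableau letters, upper-cased (punctuation is dropped)."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def _shift(text: str, key: str, sign: int) -> str:
    """Row/column lookup in the tableau is addition of letter indices mod 26;
    sign = +1 encrypts, sign = -1 decrypts."""
    text, k = _letters(text), _letters(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, ch in enumerate(text):
        key_shift = ALPHA.index(k[i % len(k)])      # key letter repeated under position i
        out.append(ALPHA[(ALPHA.index(ch) + sign * key_shift) % 26])
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, -1)


def repeated_ngram_distances(ciphertext: str, n: int = 3) -> dict:
    """Map each n-gram that occurs more than once to the distances between
    its first occurrence and each later one."""
    c = _letters(ciphertext)
    first_seen, distances = {}, {}
    for i in range(len(c) - n + 1):
        gram = c[i:i + n]
        if gram in first_seen:
            distances.setdefault(gram, []).append(i - first_seen[gram])
        else:
            first_seen[gram] = i
    return distances


def kasiski_key_length(ciphertext: str, n: int = 3) -> int:
    """Kasiski examination: a repeated n-gram in the ciphertext usually comes
    from the same plaintext fragment enciphered under the same key letters, so
    the distance between its occurrences is a multiple of the key length.
    Returns the gcd of all such distances (0 if nothing repeats)."""
    all_distances = [d for ds in repeated_ngram_distances(ciphertext, n).values() for d in ds]
    return reduce(gcd, all_distances, 0)


if __name__ == "__main__":
    ct = vigenere_encrypt("DEFENDTHEEASTWALLOFTHECASTLE.", "FORTIFICATION")
    print(ct)                                        # ISWXVIBJEXIGGBOCEWKBJEVIGGQS
    print(vigenere_decrypt(ct, "FORTIFICATION"))     # DEFENDTHEEASTWALLOFTHECASTLE
    print(repeated_ngram_distances(ct))              # {'BJE': [13], 'IGG': [13]}
    print("probable key length:", kasiski_key_length(ct))   # 13
```

Once the key length is known, the ciphertext splits into 13 columns each enciphered with a single Caesar shift, and each column falls to letter-frequency analysis; with only 28 letters of ciphertext the gcd already equals the key length here, and longer messages give more repeats, not fewer.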
$C \equiv K P \pmod{26}$
$P \equiv K^{-1} C \equiv K^{-1} K P = P \pmod{26},$
which requires the key matrix K to be invertible modulo 26, i.e. $\gcd(\det K, 26) = 1$.
where $c_i = 0$ if $a_i = b_i$ and $c_i = 1$ if $a_i \neq b_i$.
If we let $E_K(M) = M \oplus K$ for some M and K, and $E_K = D_K$, then
$D_K(E_K(M)) = (M \oplus K) \oplus K = M \oplus (K \oplus K) = M \oplus 00\ldots0 = M.$
Since Eve does not know K, she essentially has to check all possible keys K between 0 and $2^n - 1$, which is hopeless if n is large enough, provided each key is used for a single message only: if the same K is reused for $M_1$ and $M_2$, then $C_1 \oplus C_2 = M_1 \oplus M_2$ and the key drops out entirely.
3.3 Cryptosystem
A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system.
Components of a Cryptosystem
A basic cryptosystem consists of the following components:
• Ciphertext: the scrambled version of the plaintext produced by the encryption algorithm using a specific encryption key. The ciphertext is not guarded; it flows on a public channel and can be intercepted or compromised by anyone who has access to the communication channel.
• Encryption Key: a value known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the ciphertext.
• Decryption Key: a value known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext in order to compute the plaintext.
For a given cryptosystem, the collection of all possible decryption keys is called the key space.
• The number of keys used in encryption and decryption determines whether the system is symmetric or asymmetric. When a single key is used for both, it is referred to as symmetric (secret-key) encryption. It is asymmetric when the sender and the receiver use different keys for encryption and decryption.
• The way the plaintext is processed gives another categorization, into stream or block ciphers. A stream cipher processes the input continuously, while a block cipher processes one block of input at a time.
Symmetric key cryptography is faced with a number of challenges. Two of them are particularly restrictive.
Key establishment - Before any communication, both the sender and the receiver need to agree on a secret symmetric key. This requires a secure key establishment mechanism to be in place.
Trust issue - Since the sender and the receiver use the same symmetric key, there is an implicit requirement that the sender and the receiver trust each other. For example, it may happen that the receiver has lost the key to an attacker and the sender is not informed.
These two challenges are highly restrictive for modern-day communication. Today, people need to exchange information with unfamiliar and untrusted parties, for example in a communication between an online seller and a customer. These limitations of symmetric key encryption gave rise to asymmetric key encryption schemes.
Suppose Alice wants to send a message to Bob through an insecure channel (constantly observed by Eve) using a symmetric cipher. Both of them have to agree on a secret key K. It is this key that they will both use, for encryption (by Alice) and decryption (by Bob). This is the kind of cipher that uses a common key K for both encryption and decryption. A symmetric cipher has about five ingredients. Let $M = [M_1, M_2, \dots, M_N]$ be the N elements of a message (plaintext) that is required to
$C = E_K(M)$
The intended receiver, who also has knowledge of the key K, decrypts the ciphertext using a decryption algorithm $D_K$ to get back the original message M:
$M = D_K(C)$
Formally, encryption is a function
$E_K : \mathcal{K} \times \mathcal{M} \to \mathcal{C}$
whose domain $\mathcal{K} \times \mathcal{M}$ is the set of pairs (K, M) and whose range is the ciphertext space $\mathcal{C}$. For the decryption $D_K$ we have a function of the form
$D_K : \mathcal{K} \times \mathcal{C} \to \mathcal{M}.$
To be able to recover $M \in \mathcal{M}$ exactly, the encryption and decryption algorithms should be inverses of each other for a particular K:
$D_K(E_K(M)) = M \quad \forall\, K \in \mathcal{K} \text{ and } M \in \mathcal{M}.$
Assume that n users are connected in a network and any two of them may want to communicate. This would require each user to securely store n − 1 different symmetric keys (one for each other user), resulting in a total of n(n − 1)/2 keys. If the network connects, say, 2000 university students, there will be roughly 2 million different keys. A huge key management and distribution problem is imminent.
A better solution to the key distribution problem is obtained with symmetric key distribution protocols built around a trusted third party (TTP). Each user has a unique secret key shared with the TTP. When two users would like to communicate, they establish a shared secret key, usually called a session key, by interacting with the TTP. There are still drawbacks that can be serious problems in certain situations: we need access to, and trust in, the TTP, and we still need to distribute one key shared with the TTP to each user. A solution to these drawbacks is made possible by what is referred to as Public Key Cryptography.
Public-key cryptosystems have one significant challenge: the user needs to trust that the public key he is using in communications with a person really is the public key of that person and has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted third party. The third party securely manages and attests to the authenticity of public keys. When the third party is requested to provide the public key for any communicating person X, it is trusted to provide the correct public key.
The third party satisfies itself about user identity by a process of attestation, notarization, or some other process establishing that X is the one and only, or globally unique, X. The most common method of making the verified public keys available is to embed them in a certificate which is digitally signed by the trusted third party.
In a public key cryptosystem (PKC), two keys are used, the public key $K_{pub}$ and the private key $K_{priv}$. The concept of PKC evolved from an attempt to solve two problems: key distribution and the development of digital signatures.
$K_{pub}$ is computed from $K_{priv}$ by a key generation algorithm. For each pair $(K_{pub}, K_{priv})$ there is an encryption algorithm $E_{K_{pub}}$ and the corresponding decryption algorithm $D_{K_{priv}}$. The encryption algorithm $E_{K_{pub}}$ is made public, and $D_{K_{priv}}$ should be easily computable for anyone who knows $K_{priv}$. The private key $K_{priv}$ is said to be trapdoor information for the function $E_{K_{pub}}$: without it, it is hard to compute the inverse of $E_{K_{pub}}$.
The modes of operation of block ciphers are configuration methods that allow those ciphers to work with large data streams without compromising the security they provide. These configurations, called the block cipher modes of operation, include:
Electronic Code Book (ECB): In ECB the user takes the first block of plaintext $M_1$ and encrypts it with the key K to produce the first block of ciphertext $C_1$. He then takes the second block of plaintext $M_2$ and follows the same process with the same key K, until all plaintext blocks are exhausted (Fig. 7). ECB mode is deterministic: if the plaintext blocks $M_1, M_2, \dots, M_n$ are encrypted twice under the same key, the output ciphertext blocks will be the same (the same plaintext block always maps to the same ciphertext block), so any repetition in the plaintext is visible in the ciphertext.
Encryption:
Input: k-bit key K; t-bit plaintext blocks $M = M_1 M_2 \dots M_n$.
Algorithm: $C_i = E_K(M_i)$.
Output: t-bit ciphertext blocks $C = C_1 C_2 \dots C_n$.
Decryption:
Input: k-bit key K; t-bit ciphertext blocks $C = C_1 C_2 \dots C_n$.
Algorithm: $M_i = D_K(C_i)$.
Output: t-bit plaintext blocks $M = M_1 M_2 \dots M_n$.
In general, the use of a deterministic encryption mode is highly discouraged, and hence ECB mode should not be used in most applications.
Cipher Block Chaining (CBC): Cipher block chaining mode XORs (bitwise vector sum) each message block with the previous ciphertext block prior to enciphering, $C_i = E_K(M_i \oplus C_{i-1})$. The chain is initialized with a randomly chosen initialization vector $C_0$, which may be transmitted openly, i.e. the security of the cryptosystem is based on the secrecy of the key, not on the secrecy of the initialization vector. The initialization vector must nevertheless be unpredictable to the attacker and never reused under the same key, otherwise equal plaintext prefixes become detectable.
Encryption:
Input: k-bit key K; n-bit initialization vector $C_0$; t-bit plaintext blocks $M_1 M_2 \dots M_n$.
4. Error recovery: The cryptosystem is self-recovering, in the sense that while an error in $C_i$ results in incorrectly deciphered plaintext blocks $M_i'$ and $M_{i+1}'$, the ciphertext block $C_{i+2}$ correctly deciphers to $M_{i+2}' = M_{i+2}$.
Cipher Feedback (CFB): The feedback mode allows one to process blocks of size r < n at a
1. Identical plaintext: The same sequence of ciphertext blocks results when the same key and initialization vector are used. Changing the initialization vector changes the ciphertext.
3. Error propagation: An error in $C_i$ affects the decipherment of the next $\lceil n/r \rceil$ plaintext blocks. The recovered plaintext $M_i'$ will differ from $M_i$ at exactly the bits for which $C_i$ was in error. These bit errors will appear in subsequent blocks $M_{i+k}'$ at translated positions.
4. Error recovery: Proper deciphering requires the shift register to be correct, for which the previous $\lceil n/r \rceil$ ciphertext blocks are required. The decipherment is self-recovering from errors, but only after $\lceil n/r \rceil$ blocks (approximately the n bits of ciphertext following the block in error).
5. Throughput: The rate of enciphering and deciphering is reduced by a factor of n/r, that is, for every r bits of output the algorithm must carry out one n-bit enciphering operation.
Output Feedback (OFB): Output feedback mode has a similar use as cipher feedback mode, but is relevant to applications for which error propagation must be avoided. Output feedback mode is an example of a synchronous stream cipher (constructed from a block cipher), in which the keystream is created independently of the plaintext stream.
Encryption and decryption, with $I_i = E_K(I_{i-1})$ the i-th keystream block and $L_r(I_i)$ its leftmost r bits:
$C_i = M_i \oplus L_r(I_i), \qquad M_i = C_i \oplus L_r(I_i).$
2. Chaining dependencies: The ciphertext output is order dependent, but the keystream $I_1, I_2, \dots$ is plaintext independent.
3. Error propagation: An error in a ciphertext bit affects only that bit of the plaintext.
4. Error recovery: Bit errors in a ciphertext block affect only the corresponding bits of the recovered plaintext, so the cipher recovers immediately from bit errors; bit losses or insertions, however, destroy the alignment with the keystream.
5. Throughput: As with CFB, the rate of enciphering and deciphering is reduced by a factor of n/r; however, the vectors $I_i$ can be precomputed from K and $I_0$, independently of the ciphertext blocks.
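The four modes above implemented in Python as an added example (not code from the original notes), with the listed error-propagation properties checked on constructed data. The notes name no particular block cipher and no third-party library is assumed here, so $E_K$ is a small keyed Feistel construction built from SHA-256; it is a stand-in for DES or AES used only to exercise the modes, not a cipher to deploy. The key, IV and message in `mode_properties` are constructed sample values, and all function names are the example's own.

```python
# Added example (not code from the original notes): ECB, CBC, CFB (r = n)
# and OFB over a pluggable block cipher, plus a check of the error behaviour.
import hashlib

BLOCK = 8       # block size in bytes; the toy cipher uses 64-bit blocks like DES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, i: int) -> bytes:
    """Round function: keyed SHA-256 truncated to half a block (toy, not DES's F)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E_K on one block: a balanced Feistel network (placeholder for AES/DES)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D_K: the same rounds in reverse order (Feistel networks invert for free)."""
    r, l = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("ECB and CBC need the input padded to a block multiple")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    return b"".join(encrypt_block(key, m) for m in _blocks(msg))     # C_i = E_K(M_i)


def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, c) for c in _blocks(ct))      # M_i = D_K(C_i)


def cbc_encrypt(key, iv, msg):
    out, prev = [], iv                                                # C_0 = IV
    for m in _blocks(msg):
        prev = encrypt_block(key, _xor(m, prev))                      # C_i = E_K(M_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))                 # M_i = D_K(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def cfb_crypt(key, iv, data, decrypt=False):
    """CFB with r = n: C_i = M_i xor E_K(C_{i-1}); only E_K is ever needed."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = _xor(chunk, encrypt_block(key, prev))
        out.append(res)
        prev = chunk if decrypt else res     # the feedback is always the ciphertext block
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB: keystream I_i = E_K(I_{i-1}) never depends on the data; same both ways."""
    out, I = [], iv
    for i in range(0, len(data), BLOCK):
        I = encrypt_block(key, I)
        out.append(_xor(data[i:i + BLOCK], I))
    return b"".join(out)


def mode_properties(key=b"constructed key!", iv=bytes(range(BLOCK)), msg=b"ATTACK!!" * 3):
    """Exercise the properties listed above on three identical plaintext blocks."""
    def flip(ct):                              # one-bit transmission error in C_0
        return bytes([ct[0] ^ 0x01]) + ct[1:]

    def blocks_ok(rec):                        # which plaintext blocks decrypted correctly
        return [rec[i:i + BLOCK] == msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, iv, msg)
    cbc_rec = cbc_decrypt(key, iv, flip(cbc))
    cfb_rec = cfb_crypt(key, iv, flip(cfb_crypt(key, iv, msg)), decrypt=True)
    ofb_rec = ofb_crypt(key, iv, flip(ofb_crypt(key, iv, msg)))
    return {
        "ecb_repeats_blocks": ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK],   # deterministic: pattern leaks
        "cbc_repeats_blocks": cbc[:BLOCK] == cbc[BLOCK:2 * BLOCK],
        "cbc_blocks_ok": blocks_ok(cbc_rec),       # M_0 garbled, M_1 one bit wrong, M_2 recovers
        "cbc_block1_diff": _xor(cbc_rec[BLOCK:2 * BLOCK], msg[BLOCK:2 * BLOCK]),
        "cfb_blocks_ok": blocks_ok(cfb_rec),       # M_0 one bit wrong, M_1 garbled, M_2 recovers
        "ofb_diff": _xor(ofb_rec, msg),            # only the flipped bit is wrong
        "round_trip": ecb_decrypt(key, ecb) == msg and cbc_decrypt(key, iv, cbc) == msg,
    }


if __name__ == "__main__":
    for name, value in mode_properties().items():
        print(f"{name}: {value!r}")
```

Running `mode_properties()` shows the behaviour described in the text: ECB produces identical ciphertext blocks for the three identical plaintext blocks while CBC does not; after a one-bit error in $C_0$, CBC garbles $M_0$ entirely and flips exactly one bit of $M_1$ (the bit position of the error) before recovering at $M_2$; full-block CFB flips one bit of $M_0$ and garbles $M_1$; OFB flips only the one corresponding plaintext bit. None of the four modes detects the tampering, which is why a MAC or an authenticated mode is needed on top of them.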
• DES (Data Encryption Standard). Block size: 64 bits; key size: 56 bits. DES was designed by IBM in 1973-4, tweaked by the NSA, then became the US standard for encryption. International adoption followed.
• 3DES (Triple DES). Block size: 64 bits; key size: 112 or 168 bits. 3DES is a strengthening of DES introduced in 1998, because 56-bit keys had become feasible to brute force. 3DES applies DES three times (encrypt, decrypt, encrypt), either with two different keys, for a 112-bit key, or with three different keys, for a 168-bit key. Because of meet-in-the-middle attacks the effective security of the three-key variant is about 112 bits, and its 64-bit block limits the amount of data that may safely be encrypted under one key; NIST has deprecated 3DES and disallows it for encryption after 2023.
• AES (Advanced Encryption Standard). Block size: 128 bits; key size: 128, 192, or 256 bits. AES resulted from a public competition held by NIST, ending in 2001. It is now the US standard, approved by the NSA for Top Secret information (with 192- or 256-bit keys). In 2009, new theoretical related-key attacks on AES-192 and AES-256 were discovered that, if ever made practical, would break those variants; they require a related-key setting that does not arise in normal use.
3. Given one or more ciphertexts $C_1, C_2, \dots, C_n \in \mathcal{C}$ encrypted using the key $K \in \mathcal{K}$, computing any of the corresponding plaintexts $D_K(C_1), D_K(C_2), \dots, D_K(C_n)$ without knowledge of the key should be very difficult.
4. Given one or more pairs of plaintext and ciphertext $(M_1, C_1), (M_2, C_2), \dots, (M_n, C_n)$, decrypting any ciphertext C not among the given pairs without knowledge of K must be difficult. This is security against known-plaintext and chosen-plaintext attacks.
• The cryptosystem falling into the hands of an intruder should not compromise the system, and should cause no inconvenience to the users.
• The encryption apparatus and documents should be portable and operable by a single person.
• It is necessary that the system be easy to use, requiring neither mental strain nor knowledge of a long series of rules to observe.
3.8 Cryptanalysis
There are four general types of cryptanalytic attacks on cryptosystems. Each of them assumes that the cryptanalyst has complete knowledge of the encryption algorithm used (Kerckhoffs' principle).
Deduce: the key k.
• Secure Sockets Layer / Transport Layer Security (SSL/TLS): SSL/TLS is the primary method for protecting HTTP (web) transactions. SSL/TLS usually uses a separate TCP port from the unsecured service (443 instead of 80 for HTTP), which the IETF is a little unhappy about because it consumes twice as many ports; there are solutions to this, such as STARTTLS-style upgrading of an existing connection. SSL and TLS 1.0/1.1 are deprecated; TLS 1.2 and 1.3 are the versions that should be deployed.
• Internet Protocol Security (IPsec): IPsec provides encryption and/or authentication at the IP packet level. However, IPsec is often used in a way that only guarantees the authenticity of the two communicating hosts, not of the users. As a practical matter, IPsec usually requires low-level support from the operating system (which not all provide) and a key-management daemon (IKE) that must be configured.
• OpenPGP: OpenPGP, usually just called PGP (Pretty Good Privacy), is the most widely used e-mail encryption standard. It is a hybrid system that uses both symmetric and asymmetric algorithms: a fresh symmetric key encrypts the message and the recipient's public key encrypts that session key. Users can encrypt and digitally sign their messages, giving the sender a stronger method of both authentication and data-integrity protection. With OpenPGP one can encrypt/decrypt e-mails or files, sign/verify e-mails or files, and sign/verify actions. Different algorithms are available: RSA and ElGamal for the asymmetric encryption, RSA and DSA (and, more recently, EdDSA) for signatures, AES, 3DES and Twofish for symmetric encryption, and the SHA family for hashing. Note that DSA only signs; it cannot encrypt.
• S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol for sending digitally signed and encrypted messages. It employs two mathematically related keys (public and private), with public keys distributed as X.509 certificates issued by a certificate authority, which is the main practical difference from OpenPGP's web of trust. S/MIME provides the following services for e-mail messages: encryption, which protects the content of the message, and digital signatures, which verify the identity of the sender. By digitally signing your e-mails, the intended recipient can verify that the message was actually sent by you and has not been tampered with or modified; encryption ensures that an attacker on the wire cannot read the contents while the message is en route from your computer to the recipient's device. Because S/MIME relies on a public key infrastructure (PKI), the recipient's certificate must be obtained before an encrypted message can be sent to them.
• Secure Shell (SSH): SSH is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. The most basic use of SSH is to connect to a remote host for a terminal session. SSH runs over TCP and is organised as a transport layer (encryption, integrity and server authentication), a user-authentication layer and a connection layer that multiplexes channels over the one connection. It was designed to secure "remote terminals" over the internet and includes methods for tunnelling X Window sessions; it has since been extended to support single sign-on (public-key and agent authentication) and general tunnelling of TCP streams, so it is often used to secure other data streams too (such as CVS or Git access).
– Telnet: Telnet and SSH are both network protocols used to access and manage remote systems. Telnet is an application protocol that creates a text-based virtual terminal, allowing administrators to run applications on other devices. Telnet is insecure: no encryption or integrity protection is applied while data is in transit, so credentials and session data can be read or altered by anyone on the communication path. SSH addresses these weaknesses: where Telnet can only transfer plain text, SSH encrypts and authenticates traffic in both directions.
SSH can be used to "tunnel" or forward arbitrary Transmission Control Protocol (TCP) connections (local, remote and dynamic forwarding) while providing security to the communication channel.
Transmission Control Protocol (TCP): TCP is a standard for exchanging data between different devices in a computer network. The core protocol was defined in RFC 793 (1981) and consolidated in RFC 9293 (2022); RFC 7323 (2014) specifies its extensions for high-performance networks. TCP allows two endpoints in a shared network to establish a connection that enables two-way transmission of data, and it determines how the devices exchange that data. It is considered a reliable protocol because lost or corrupted segments are detected and retransmitted.
The connection is established in the following steps:
1. The requesting client sends the server a SYN segment (SYN stands for synchronize) carrying a random initial sequence number. Sequence numbers let the receiver deliver the stream complete, in order and without duplicates; the randomness of the initial value is also what makes blind injection into a connection by an off-path attacker hard.
• Kerberos: Kerberos is a protocol for single sign-on and for authenticating users against a central authentication and key distribution server. Kerberos works by giving authenticated users "tickets" that grant them access to various services on the network. It is a primary method for securing and supporting authentication on a LAN and for establishing shared secrets. It uses secret-key cryptography and a trusted third party, the key distribution centre (KDC), to authenticate client-server applications and verify users' identities. The steps listed next (Figure 13; see also Figure 14a) are those of the Needham-Schroeder public-key protocol, from which Kerberos descends; Kerberos proper is described after it.
1. $A \to S : A, B$
2. $S \to A : \{K_b, B\}_{K_s^{-1}}$
3. $A \to B : \{N_a, A\}_{K_b}$
4. $B \to S : B, A$
5. $S \to B : \{K_a, A\}_{K_s^{-1}}$
6. $B \to A : \{N_a, N_b\}_{K_a}$
7. $A \to B : \{N_b\}_{K_b}$
It is assumed that, initially, both A and B hold S's public key $K_s$, so that A and B can obtain each other's public keys, signed by S, from S. Using the secret nonces $N_a$ and $N_b$ as identifiers, if, say, B later receives the message $\{M, N_a\}_{K_b}$ then B may deduce that A sent the message. This inference is exactly what Lowe's 1995 attack on the protocol breaks: a dishonest principal C with whom A starts a run can re-encrypt A's message 3 for B and pass B's message 6 back through A, so that B ends up believing it is talking to A. The standard fix is to include B's name in message 6, $\{N_a, N_b, B\}_{K_a}$.
• The Kerberos protocol (Figure 14b) establishes a shared key between two principals A and B with the help of an authentication server S. It is based on the shared-key Needham-Schroeder protocol, one of the earliest protocols in use, but uses timestamps as nonces, both to remove security problems (a replayed old session key is rejected as stale) and to reduce the total number of messages required. Let $T_a$ and $T_s$ be the timestamps generated by A and S respectively; S also generates a lifetime L.
1. $A \to S : A, B$
2. $S \to A : \{T_s, L, K_{ab}, B, \{T_s, L, K_{ab}, A\}_{K_{bs}}\}_{K_{as}}$
3. $A \to B : \{T_s, L, K_{ab}, A\}_{K_{bs}}, \{A, T_a\}_{K_{ab}}$
4. $B \to A : \{T_a + 1\}_{K_{ab}}$
First, A sends a cleartext message to S stating his desire to communicate with B. The server responds with an encrypted message containing a timestamp, a lifetime, a session key for A and B, and a ticket that only B can read; the ticket also contains the timestamp, the lifetime and the key. A forwards the ticket to B together with an authenticator (A's name and a timestamp encrypted with the session key). B first decrypts the ticket and checks the timestamp and lifetime. If the ticket was created recently enough, he uses the enclosed key to decrypt the authenticator. Then, if the authenticator's timestamp is recent (and has not been seen before, which is why implementations keep a replay cache), he uses the session key to return the timestamp, which A checks. Once both principals are satisfied, they can proceed to use the session key. Because freshness rests entirely on timestamps, all three parties need loosely synchronised clocks.
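The exchange above, run message by message with the checks B performs (ticket lifetime, authenticator freshness, replay cache, and the $T_a + 1$ reply that A verifies). This is an added example, not code from the notes. Encryption is modelled symbolically, as in the formal model's dec(enc(x, k), k) = x: a Box opens only for the holder of the same key label and fails loudly otherwise, which is the guarantee an authenticated cipher gives in practice. Principal names, key labels, clock values and the 120-second skew are assumptions.

```python
"""Kerberos exchange of the text, message by message, with the checks B performs.

Added example (not from the notes). Encryption is modelled symbolically, as in the
formal model's dec(enc(x, k), k) = x: a Box opens only for the holder of the same key
label, and a wrong key fails loudly, which is what an authenticated cipher gives you.
Principal names, key labels, clock values and the 120 s skew are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Box:
    """{payload}_key in the protocol notation."""
    key: str
    payload: tuple

    def open(self, key):
        if key != self.key:
            raise ValueError("decryption failed: wrong key")
        return self.payload


def enc(key, *payload):
    return Box(key, payload)


KAS, KBS = "Kas", "Kbs"      # long-term keys A <-> S and B <-> S (assumed labels)
LIFETIME = 300               # L, in seconds (assumed)


def server_step(request, now, kab="Kab"):
    """Message 2: S -> A : {Ts, L, Kab, B, {Ts, L, Kab, A}_Kbs}_Kas"""
    a, b = request                                    # message 1 was A, B in clear
    ticket = enc(KBS, now, LIFETIME, kab, a)          # only B can read this part
    return enc(KAS, now, LIFETIME, kab, b, ticket)


def alice_step(reply, now, peer="B"):
    """A opens message 2, keeps Kab, and builds message 3: ticket, {A, Ta}_Kab"""
    ts, lifetime, kab, b, ticket = reply.open(KAS)
    if b != peer or not ts <= now <= ts + lifetime:
        raise ValueError("reply is for another peer or its timestamp is stale")
    return kab, (ticket, enc(kab, "A", now))


@dataclass
class Bob:
    now: int
    skew: int = 120                                   # tolerated clock difference
    seen: set = field(default_factory=set)            # replay cache of authenticators

    def accept(self, ticket, authenticator):
        ts, lifetime, kab, a = ticket.open(KBS)       # ticket: decryptable only with Kbs
        if not ts <= self.now <= ts + lifetime:
            raise ValueError("ticket expired or not yet valid")
        name, ta = authenticator.open(kab)            # proves the sender knows Kab
        if name != a or abs(self.now - ta) > self.skew:
            raise ValueError("authenticator stale or names another principal")
        if (a, ta) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a, ta))
        return kab, enc(kab, ta + 1)                  # message 4: {Ta + 1}_Kab


def run(now=1000, bob_now=None, replay=False):
    """Drive one run; returns 'ok' when both sides hold the same Kab, else B's reason."""
    bob = Bob(now if bob_now is None else bob_now)
    try:
        reply = server_step(("A", "B"), now)
        kab_a, (ticket, auth) = alice_step(reply, now)
        kab_b, msg4 = bob.accept(ticket, auth)
        if replay:                                    # attacker re-delivers message 3
            bob.accept(ticket, auth)
    except ValueError as err:
        return str(err)
    (ta_plus_1,) = msg4.open(kab_a)                   # A checks B's reply
    return "ok" if kab_a == kab_b and ta_plus_1 == now + 1 else "mismatch"
```

The replay cache is the part most often forgotten: without it, anyone who captured message 3 could present the same ticket and authenticator again for as long as the authenticator is inside the skew window.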
• The Andrew Secure RPC Handshake (Figure 14c) is an authentication handshake between two principals that runs whenever a client binds to a new server. It is intended to allow a client A to obtain a new session key $K'_{ab}$ from a server B, given that they already share a key $K_{ab}$.
• The CCITT X.509 Protocol (Figure 14d) is intended for signed and secure communication between two principals, assuming that each knows the public key of the other. The two-message and one-message versions are formed by removing the last one or two messages, respectively. The last message of the three-message version is
3. $A \to B : A, \{N_b\}_{K_a^{-1}}$
where $T_a$ and $T_b$ are timestamps, $N_a$ and $N_b$ are nonces, and $X_a$, $Y_a$, $X_b$ and $Y_b$ are user data. The protocol ensures the integrity of $X_a$ and $X_b$, assuring the recipient of their origin, and guarantees the privacy of $Y_a$ and $Y_b$.
• The Otway-Rees Protocol: This protocol generates a shared key $K_{AB}$ between two principals A and B with the help of a server S. The server shares a key $K_{AS}$ with A and a key $K_{BS}$ with B. Let $N_a$ and $N_b$ be nonces generated by A and B respectively, and let M be a further random nonce chosen by A. A relies on B to relay the messages between her and S. At the end of the protocol it is intended that A and B both possess the shared key $K_{AB}$ and believe it is good for communicating with the other.
Figure 14: (a) Needham-Schroeder protocol; (b) Kerberos authentication protocol; (c) the Andrew Secure RPC handshake protocol; (d) the CCITT X.509 protocol. The message-flow diagrams are not reproduced here.
• $Z \to Y : \{Z, \{M\}_{Y_{pk}}, Y\}$, where $\{M\}_{Y_{pk}}$ denotes the string M encrypted with $Y_{pk}$, the public key of Y.
The verification of cryptographic (security) protocols has been, and still is, a very active research area. The need to verify such protocols stems from three observations: their design is prone to errors; security errors are not detected by testing, since they appear only in the presence of an adversary; and errors can have serious consequences.
Models of protocols: The Formal Model:
The formal (Dolev-Yao) model makes automatic proofs relatively easy. It assumes perfect cryptography: for instance, shared-key encryption is modelled by two function symbols, enc and dec, where enc(x, k) stands for the encryption of x under key k and dec(x, k) for the decryption of x with key k, with the single equation
$$\mathrm{dec}(\mathrm{enc}(x, k), k) = x. \qquad (19)$$
No other way of recovering x from enc(x, k) exists in the model; the adversary controls the network but can only apply these symbols to messages it has seen.
Models of protocols: The Computational Model:
The computational model was developed at the beginning of the 1980s by Goldwasser, Micali, Rivest, Yao and others. Messages are bit strings, cryptographic primitives are functions on bit strings, and the adversary is a probabilistic polynomial-time machine. This model is much more realistic than the formal model, but until recently proofs were only manual. In this model the length of keys is determined by a value named the security parameter, and the runtime of the adversary is assumed to be polynomial in the security parameter. A security property is considered to hold when the probability that it fails is negligible in the security parameter.
• $\#(X)$ (X is fresh): X has not been sent before in any run of the protocol.
• $\overset{K}{\mapsto} B$ (B has public key K): B has a published public key K and the corresponding private key $K^{-1}$.
• $A \overset{X}{\rightleftharpoons} B$ (A and B share secret X): X is a secret known only to A and B, and possibly to some trusted associates.
• $\langle X \rangle_Y$: X combined with the secret formula Y. Possession of Y proves the identity of whoever utters $\langle X \rangle_Y$.
• Message meaning (MM): if A believes that A and B share the key K, and A sees $\{X\}_K$ (a message A did not send herself), then A believes that B once said X.
$$\frac{A \mid\equiv A \overset{K}{\leftrightarrow} B,\quad A \triangleleft \{X\}_K}{A \mid\equiv B \mid\sim X} \qquad (20)$$
• Nonce verification (NV): if A believes X is fresh and A believes B once said X, then A believes B believes X.
$$\frac{A \mid\equiv \#(X),\quad A \mid\equiv B \mid\sim X}{A \mid\equiv B \mid\equiv X} \qquad (21)$$
• Freshness meaning (FM): the freshness rule states that any message with a fresh component is also fresh.
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$
If one part of a formula is fresh, then the entire formula is fresh.
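A small forward-chaining checker for the three rules above, run on B's view of the Kerberos messages, as an added example (not part of the notes). Two further BAN rules that the Kerberos derivation needs are included as stated assumptions: decomposition (belief in, or utterance of, a compound (X, Y) gives the same for X and for Y) and jurisdiction (P believes Q controls X and P believes Q believes X gives P believes X). The "P did not send X" side condition of message meaning is ignored, and the lifetime L is folded into $T_s$ as the text does.

```python
"""A tiny forward-chaining checker for the BAN rules above (message meaning, nonce
verification, freshness), run on B's view of Kerberos.

Added example (not from the notes). Two further BAN rules that the derivation needs
are included: decomposition and jurisdiction. The 'P did not send X' side condition
of message meaning is ignored, and the lifetime L is folded into Ts as the text does."""


def believes(p, f):  return ("believes", p, f)
def sees(p, f):      return ("sees", p, f)
def said(p, f):      return ("said", p, f)          # P |~ f
def fresh(f):        return ("fresh", f)            # #(f)
def controls(p, f):  return ("controls", p, f)      # P => f
def enc(k, f):       return ("enc", k, f)           # {f}_K
def msg(*parts):     return ("msg",) + parts        # (X, Y, ...)
def shared(a, k, b): return ("shared", k, frozenset((a, b)))   # A <-K-> B


def subterms(f, out):
    """Collect f and every tuple nested inside it."""
    out.add(f)
    for x in f[1:]:
        if isinstance(x, tuple):
            subterms(x, out)
    return out


def derive(facts):
    """Close the fact set under the rules and return the closure."""
    facts = set(facts)
    while True:
        terms = set()
        for f in facts:
            subterms(f, terms)
        msgs = [t for t in terms if t[0] == "msg"]
        new = set()
        for f in facts:
            if f[0] != "believes":
                continue
            p, g = f[1], f[2]
            if g[0] == "shared" and p in g[2]:                         # message meaning (MM)
                k, q = g[1], next(iter(g[2] - {p}), p)
                for h in facts:
                    if h[0] == "sees" and h[1] == p and h[2][0] == "enc" and h[2][1] == k:
                        new.add(believes(p, said(q, h[2][2])))
            if g[0] == "fresh":                                        # freshness (FM), nonce verification (NV)
                for m in msgs:
                    if g[1] in m[1:]:
                        new.add(believes(p, fresh(m)))
                for h in facts:
                    if h[0] == "believes" and h[1] == p and h[2][0] == "said" and h[2][2] == g[1]:
                        new.add(believes(p, believes(h[2][1], g[1])))
            if g[0] in ("said", "believes") and isinstance(g[2], tuple) and g[2][0] == "msg":
                for part in g[2][1:]:                                  # decomposition (assumed rule)
                    new.add(believes(p, (g[0], g[1], part)))
            if g[0] == "controls" and believes(p, believes(g[1], g[2])) in facts:
                new.add(believes(p, g[2]))                             # jurisdiction (assumed rule)
        if new <= facts:
            return facts
        facts |= new


A, B, S, KAB, KBS = "A", "B", "S", "Kab", "Kbs"
KEY = shared(A, KAB, B)


def kerberos_bob_view(fresh_ta=True):
    """What B can conclude after message 3; returns (B believes Kab is good,
    B believes A believes Kab is good)."""
    facts = {
        believes(B, shared(B, KBS, S)),
        believes(B, controls(S, KEY)),
        believes(B, fresh("Ts")),
        sees(B, enc(KBS, msg("Ts", KEY))),        # the ticket, lifetime folded into Ts
        sees(B, enc(KAB, msg("Ta", KEY))),        # the idealized authenticator
    }
    if fresh_ta:
        facts.add(believes(B, fresh("Ta")))
    closure = derive(facts)
    return believes(B, KEY) in closure, believes(B, believes(A, KEY)) in closure
```

Dropping B's belief that $T_a$ is fresh leaves B convinced the key is good but unable to conclude that A believes so: that is what a replayed authenticator looks like in the logic.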
B knows the key $K_{bs}$, and A and B communicate through the shared key $K_{ab}$. Idealized messages are of the form $\{X\}_{K_1}, \{X\}_{K_2}, \ldots, \{X\}_{K_n}$.
In BAN logic, idealization omits the parts of a message that do not contribute to the beliefs of the recipients; in particular all plaintext is omitted, since it can be forged.
The idealized version is given thus. Each principal knows the public key of the certification agent S, as well as his own keys. In addition, S knows the public keys of A and B. Each principal trusts the certification agent to correctly sign certificates giving the public key of the other. The assumptions are:
$A \mid\equiv \overset{K_a}{\mapsto} A$, $B \mid\equiv \overset{K_b}{\mapsto} B$
$A \mid\equiv \overset{K_s}{\mapsto} S$, $B \mid\equiv \overset{K_s}{\mapsto} S$
$S \mid\equiv \overset{K_a}{\mapsto} A$, $S \mid\equiv \overset{K_b}{\mapsto} B$
$S \mid\equiv \overset{K_s}{\mapsto} S$
$A \mid\equiv S \Rightarrow \overset{K}{\mapsto} B$, $B \mid\equiv S \Rightarrow \overset{K}{\mapsto} A$
$A \mid\equiv \#(N_a)$, $B \mid\equiv \#(N_b)$
$A \mid\equiv A \overset{N_a}{\rightleftharpoons} B$, $B \mid\equiv A \overset{N_b}{\rightleftharpoons} B$
$A \mid\equiv \#(\overset{K_b}{\mapsto} B)$, $B \mid\equiv \#(\overset{K_a}{\mapsto} A)$
The final beliefs reached are
$A \mid\equiv \overset{K_b}{\mapsto} B$, $B \mid\equiv \overset{K_a}{\mapsto} A$
$A \mid\equiv B \mid\equiv A \overset{N_b}{\rightleftharpoons} B$, $B \mid\equiv A \mid\equiv A \overset{N_a}{\rightleftharpoons} B$
The first message is omitted, since it does not contribute to the logical properties of the protocol. The lifetime L has been combined with the timestamp $T_s$, which is treated just like a nonce. To analyse this protocol we consider the assumptions in Table 9:
A believes $A \overset{K_{as}}{\leftrightarrow} S$: $A \mid\equiv A \overset{K_{as}}{\leftrightarrow} S$
B believes $B \overset{K_{bs}}{\leftrightarrow} S$: $B \mid\equiv B \overset{K_{bs}}{\leftrightarrow} S$
S believes $A \overset{K_{as}}{\leftrightarrow} S$: $S \mid\equiv A \overset{K_{as}}{\leftrightarrow} S$
S believes $B \overset{K_{bs}}{\leftrightarrow} S$: $S \mid\equiv B \overset{K_{bs}}{\leftrightarrow} S$
S believes $A \overset{K_{ab}}{\leftrightarrow} B$: $S \mid\equiv A \overset{K_{ab}}{\leftrightarrow} B$
A believes S controls $A \overset{K}{\leftrightarrow} B$: $A \mid\equiv S \Rightarrow A \overset{K}{\leftrightarrow} B$
B believes S controls $A \overset{K}{\leftrightarrow} B$: $B \mid\equiv S \Rightarrow A \overset{K}{\leftrightarrow} B$
A believes fresh($T_s$): $A \mid\equiv \#(T_s)$
B believes fresh($T_s$): $B \mid\equiv \#(T_s)$
B believes fresh($T_a$): $B \mid\equiv \#(T_a)$
Table 9: Kerberos assumptions
The Andrew Secure RPC handshake, in idealized form:
1. $A \to B : \{N_a\}_{K_{ab}}$
2. $B \to A : \{N_a, N_b\}_{K_{ab}}$
3. $A \to B : \{N_b\}_{K_{ab}}$
4. $B \to A : \{A \overset{K'_{ab}}{\leftrightarrow} B, N'_b\}_{K_{ab}}$
In the idealized X.509 protocol the plaintext name is dropped and the last message becomes
3. $\{N_b\}_{K_a^{-1}}$
• The Otway-Rees Protocol: Let the three nonces M, $N_a$ and $N_b$ be collapsed into the nonce N. The idealized version of the protocol is then:
1. $A \to B : \{N_a, N\}_{K_{as}}$
2. $B \to S : \{N_a, N\}_{K_{as}}, \{N_b, N\}_{K_{bs}}$
3. $S \to B : \{N_a, A \overset{K_{ab}}{\leftrightarrow} B, B \mid\sim N\}_{K_{as}}, \{N_b, A \overset{K_{ab}}{\leftrightarrow} B, A \mid\sim N\}_{K_{bs}}$
4. $B \to A : \{N_a, A \overset{K_{ab}}{\leftrightarrow} B, B \mid\sim N\}_{K_{as}}$
By following the steps performed by S it can easily be seen that the message will be found correct by S and, furthermore, that a third principal C will obtain the session key $K_{ab}$ encrypted with the key $K_{cs}$ he shares with S.
The main difficulty with conventional (private-key) systems is key distribution: how to get the same secret key to both the sender and the receiver. In general, doing this is either very expensive or impossible. This problem is solved through the use of public-key cryptography (PKC) in the procedure described in Figure 15a.
In situations where two parties who are unknown to each other want to communicate in secret (say a business and a new customer), there is no easy way for each party to verify the identity of the other. This is known as the authentication problem, and what is needed is a means of providing a verifiable digital signature. This can be achieved with PKC as illustrated in Figure 15b.
The security of the most common public-key algorithms relies on the immense difficulty of solving one of three computational problems: the discrete logarithm problem, integer factorisation, and the elliptic-curve discrete logarithm problem. The first is defined as follows.
Theorem 10. Let g be a primitive root for $\mathbb{F}_p$ and let h be a non-zero element of $\mathbb{F}_p$. The discrete logarithm problem (DLP) is the problem of finding an exponent x such that
$$g^x \equiv h \pmod p.$$
The number x is called the discrete logarithm of h to the base g and is denoted by $\log_g(h)$.
• Anonymous Diffie-Hellman: this version of the Diffie-Hellman key exchange uses no authentication at all; it is therefore vulnerable to man-in-the-middle attacks and should not be used or implemented.
• Static Diffie-Hellman: this version uses certificates to authenticate the server, leaving the client unauthenticated by default. Because the server's exponent is fixed, it does not provide forward secrecy: a later compromise of the server's private value exposes every past session. Ephemeral Diffie-Hellman, with fresh exponents per session and the exchanged values signed, is the variant that does provide it.
• The values $A'$ and $B'$ are their common secret key (the exchanged key), since
$$A' \equiv B^a \equiv (g^b)^a \equiv g^{ba} \equiv g^{ab} \equiv (g^a)^b \equiv A^b \equiv B' \pmod p.$$
Alice and Bob have thus exchanged a secret key which Eve cannot compute, since she knows neither a nor b.
Assume Alice and Bob agree on the prime p = 941 and the primitive root g = 627. Alice chooses a = 347 and Bob chooses b = 781 as their secret integers, and they compute
$$A \equiv 627^{347} \equiv 390 \pmod{941} \quad\text{and}\quad B \equiv 627^{781} \equiv 691 \pmod{941},$$
exchanging A = 390 and B = 691 over the open channel. They then compute
$$A' \equiv B^a \equiv 691^{347} \equiv 470 \pmod{941} \quad\text{and}\quad B' \equiv A^b \equiv 390^{781} \equiv 470 \pmod{941},$$
which yields $A' = B' = 470$ as their shared key.
If Eve is able to solve either of the equations
$$627^a \equiv 390 \pmod{941} \quad\text{or}\quad 627^b \equiv 691 \pmod{941},$$
then she can reconstitute Alice's and Bob's shared key. The security of the shared key is captured by the following definition.
Definition 19. Let p be a prime number and g an integer. The Diffie-Hellman Problem (DHP) is the problem of computing the value of $g^{ab} \pmod p$ from the known values $g^a \pmod p$ and $g^b \pmod p$.
In real-life situations p is chosen of the order of $p \approx 2^{1000}$ (1000 bits) and g is chosen to have large prime order, of the order of p/2, so that it generates a prime-order subgroup of $\mathbb{F}_p^*$. Current guidance is a modulus of 2048 bits or more, or an elliptic-curve group instead.
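The exchange with the parameters used above, Eve's brute-force route through the DLP, and the man-in-the-middle that anonymous Diffie-Hellman permits, as an added example (not code from the notes). Eve's exponents e1 and e2 are assumed values.

```python
"""Diffie-Hellman with the parameters used above (p = 941, g = 627, a = 347, b = 781),
Eve's brute-force route through the DLP, and the man-in-the-middle that anonymous
(unauthenticated) DH permits. Added example, not from the notes; Eve's exponents
e1 and e2 are assumed values."""
P, G = 941, 627


def dh_public(secret, p=P, g=G):
    return pow(g, secret, p)                  # A = g^a or B = g^b, sent in the clear


def dh_shared(their_public, my_secret, p=P):
    return pow(their_public, my_secret, p)    # B^a = A^b = g^ab


def honest_exchange(a=347, b=781):
    """Returns (A, B, A', B'); the last two agree."""
    A, B = dh_public(a), dh_public(b)
    return A, B, dh_shared(B, a), dh_shared(A, b)


def dlog(h, g=G, p=P):
    """Eve's job: smallest x with g^x = h (mod p), by exhaustive search. Fine for
    p = 941; hopeless for a 2048-bit p, which is the whole point."""
    v = 1
    for x in range(p - 1):
        if v == h:
            return x
        v = v * g % p
    return None


def mitm_exchange(a=347, b=781, e1=12, e2=34):
    """Eve replaces A and B in transit with her own values; returns True when she
    shares one key with Alice and a different one with Bob, neither of whom can tell."""
    A, B = dh_public(a), dh_public(b)
    E1, E2 = dh_public(e1), dh_public(e2)
    alice_key = dh_shared(E2, a)              # Alice got E2, believing it came from Bob
    bob_key = dh_shared(E1, b)                # Bob got E1, believing it came from Alice
    return (alice_key == dh_shared(A, e2) and bob_key == dh_shared(B, e1)
            and alice_key != bob_key)
```

Nothing in the honest exchange lets Alice tell E2 from B; only a signature over the exchanged values (or a pre-shared authentication key) closes the gap, which is why the anonymous variant must not be deployed.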
$$A \equiv g^a \pmod p,$$
and she publishes A. Bob decides to send Alice the message M = 331. He chooses an ephemeral key k = 197, computes the quantities
$$C_1 \equiv g^k \pmod p \quad\text{and}\quad C_2 \equiv M \cdot A^k \pmod p,$$
and sends the pair $(C_1, C_2) = (87, 57)$ as his ciphertext. With her knowledge of a = 153, Alice computes
$$x \equiv C_1^a \equiv 87^{153} \equiv 367 \pmod{467} \quad\text{and}\quad x^{-1} \equiv 14 \pmod{467}.$$
She finally computes
$$C_2 \cdot x^{-1} \equiv 57 \cdot 14 \equiv 331 \pmod{467},$$
recovering M. Thus anyone who wants to decrypt ElGamal without the private key must solve the DHP: recover $A^k = g^{ak}$ from $A = g^a$ and $C_1 = g^k$.
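The ElGamal computation with the values above, together with Eve's route through the DLP and the malleability that textbook ElGamal has, as an added example (not code from the notes). The generator is not shown in the notes; g = 2 is assumed, and with it Alice's public value is A = 224 and Bob's ciphertext comes out as (87, 57).

```python
"""ElGamal with the values above (p = 467, a = 153, M = 331, k = 197). Added example,
not from the notes. The generator is not shown in the notes; g = 2 is assumed, and with
it Alice's public value is A = 224 and Bob's ciphertext comes out as (87, 57)."""
P, G = 467, 2        # g = 2 is an assumption


def keygen(a, p=P, g=G):
    return pow(g, a, p)                                   # A = g^a


def encrypt(m, A, k, p=P, g=G):
    """Bob: ephemeral k gives C1 = g^k and C2 = M * A^k."""
    return pow(g, k, p), m * pow(A, k, p) % p


def decrypt(c, a, p=P):
    """Alice: x = C1^a = g^ak is the DH value, so M = C2 * x^-1."""
    c1, c2 = c
    x = pow(c1, a, p)
    return c2 * pow(x, -1, p) % p                         # pow(x, -1, p): Python 3.8+


def break_via_dlp(c, A, p=P, g=G):
    """Eve without a: recover k from C1 = g^k by exhaustive search, then form A^k.
    This is the DHP solved the slow way; it only works because p is tiny."""
    c1, c2 = c
    k = next(i for i in range(p - 1) if pow(g, i, p) == c1)
    return c2 * pow(pow(A, k, p), -1, p) % p


def malleate(c, factor, p=P):
    """Textbook ElGamal is malleable: scaling C2 scales the plaintext by the same
    factor without knowing any key, so real systems never use it on raw messages."""
    c1, c2 = c
    return c1, c2 * factor % p
```

Reusing k for two messages leaks the ratio of the plaintexts ($C_2/C_2' = M/M'$), so the ephemeral key must be fresh and uniformly random for every encryption.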
ElGamal was used mainly in PGP, GNU Privacy Guard and other systems because its main rival, RSA, was patented. RSA's patent expired in 2000, which allowed it to be implemented freely after that date; since then ElGamal has been implemented less frequently.
• Suppose Alice chooses two large prime numbers p, q, which serve as her trapdoor. She computes the product N = pq, with $\phi(N) = (p-1)(q-1)$, and chooses a further number $1 < e < \phi(N)$ such that $\gcd(e, \phi(N)) = 1$. Then she publishes N and e.
• She computes $d \equiv e^{-1} \pmod{\phi(N)}$. She thus publishes her public key $E_{pub} = \{e, N\}$, used for encryption, and keeps her private key $E_{priv} = \{d, N\}$ (together with p and q), used for decryption.
• In RSA we have $N = pq$ and $\phi(N) = (p-1)(q-1)$. Carefully choose e and d to be inverses modulo $\phi(N)$, hence $e \cdot d = 1 + k \cdot \phi(N)$ for some integer k. Encryption is $C \equiv M^e \pmod N$ and decryption is $M \equiv C^d \pmod N$.
• Hence, by Euler's theorem ($M^{\phi(N)} \equiv 1 \pmod N$ when $\gcd(M, N) = 1$):
$$C^d \equiv M^{e \cdot d} \equiv M^{1 + k\phi(N)} \equiv M \cdot (M^{\phi(N)})^k \equiv M \cdot 1^k \equiv M \pmod N.$$
(The identity also holds when $\gcd(M, N) \neq 1$, by applying Fermat's theorem modulo p and modulo q separately.)
If we can factor N then we can compute $\phi(N)$ and d. RSA relies on the factoring problem. This does not mean that breaking RSA is equivalent to solving a factorization problem: it is not known whether RSA can be broken without factoring N.
Consider the following implementation (RSA encryption parameters; public key [e, N]):
e = 65537
N = 1034776851837418228051242693253376923 (a product of two 60-bit primes)
Ciphertext = 582984697800119976959378162843817868
Message = 345
Confirmation:
p = 1086027579223696553
q = 952809000096560291
N = p × q = 1034776851837418228051242693253376923
Two caveats a practitioner should read off this listing: a 120-bit modulus is far too small and is factored in seconds by general-purpose algorithms, so real keys use 2048 bits or more; and the message is encrypted without padding, so the ciphertext is deterministic and malleable, which is why RSA-OAEP is used in practice.
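The parameters listed above, used to show what knowing p and q buys an attacker and why unpadded RSA is avoided, as an added example (not code from the notes). The listed ciphertext can be compared with the value encrypt(345) returns.

```python
"""RSA with the parameters listed above, and what knowing p and q buys an attacker.
Added example, not from the notes; the listed ciphertext can be compared with the
value encrypt(345) returns."""
from math import gcd

E = 65537
N = 1034776851837418228051242693253376923
P = 1086027579223696553
Q = 952809000096560291


def private_exponent(p, q, e=E):
    """d = e^-1 mod phi(N); phi(N) = (p-1)(q-1) needs the factors."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return pow(e, -1, phi)                    # pow(e, -1, m): Python 3.8+


def encrypt(m, e=E, n=N):
    return pow(m, e, n)                       # textbook RSA: no padding, deterministic


def decrypt(c, d, n=N):
    return pow(c, d, n)


def recover_from_factors(c, p=P, q=Q, e=E):
    """The attack the text describes: with the factors of N, compute phi(N) and d,
    then read the message."""
    n = p * q
    return decrypt(c, private_exponent(p, q, e), n)


def homomorphic_check(m1, m2, e=E, n=N):
    """Textbook RSA is multiplicative: E(m1) * E(m2) = E(m1 * m2) mod N. An attacker
    can therefore forge related ciphertexts without the key; OAEP removes this."""
    return encrypt(m1, e, n) * encrypt(m2, e, n) % n == encrypt(m1 * m2 % n, e, n)
```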
$$y^2 = x^3 + ax + b \qquad (25)$$
for some constants a and b (shown in Figure 16), where it is required that the cubic $x^3 + ax + b$ has distinct roots, i.e. the discriminant satisfies $\Delta = 4a^3 + 27b^2 \neq 0$. When defining the points on an elliptic curve we must include a point O called the point at infinity, which serves as the identity element of the group.
Let the elliptic curve $E : y^2 \equiv x^3 + ax + b \pmod p$ be denoted by $E_p(a, b)$, where the constants a and b are non-negative integers smaller than the prime p and satisfy the condition
$$4a^3 + 27b^2 \not\equiv 0 \pmod p.$$
In the multiplicative group $\mathbb{F}_p^*$ the discrete logarithm problem is: given elements a and b of the group and the prime p, find a number k such that $a \equiv b^k \pmod p$.
If the elliptic curve group is written multiplicatively, the elliptic curve discrete logarithm problem (ECDLP) is: given points P and Q in the group, find a number k such that $P^k = Q$; k is called the discrete logarithm of Q to the base P.
When the elliptic curve group is written additively, as is usual, the ECDLP is: given points P and Q in the group, find a number k such that $kP = Q$.
What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? Computing the multiples of P gives
P = (16, 5), 2P = (20, 20), 3P = (14, 14), ..., 6P = (7, 3), 7P = (8, 7), 8P = (12, 17), 9P = (4, 5),
so k = 9.
The sum of two points is computed through the following steps. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on the elliptic curve
$$E : y^2 = x^3 + ax + b \qquad (28)$$
and let $y = \lambda x + \nu$ be the line through them, with
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad \nu = y_1 - \lambda x_1. \qquad (29)$$
The x-coordinates of the intersections of the line with E are found by solving
$$x^3 + ax + b = (\lambda x + \nu)^2.$$
Two of its roots are $x_1$ and $x_2$; comparing the coefficient of $x^2$ with the sum of the roots gives
$$\lambda^2 = x_1 + x_2 + x_3 \implies x_3 = \lambda^2 - x_1 - x_2.$$
From equation (29), the line at the third point has $y = \lambda x_3 + \nu = \lambda x_3 + y_1 - \lambda x_1 = \lambda(x_3 - x_1) + y_1$; reflecting this third intersection point in the x-axis gives
$$y_3 = \lambda(x_1 - x_3) - y_1,$$
and we set
$$P_1 + P_2 = (x_3, y_3),$$
where $(x_3, y_3)$ lies on the curve and $(x_3, -y_3)$ is collinear with $P_1$ and $P_2$. When $P_1 = P_2$ the chord is replaced by the tangent, with $\lambda = (3x_1^2 + a)/(2y_1)$; when $x_1 = x_2$ and $y_1 = -y_2$ the line is vertical and the sum is O.
Let E be the elliptic curve defined by $y^2 = x^3 + x + 1$ over $\mathbb{F}_7$. Then
$$E(\mathbb{F}_7) = \{O, (0, 1), (0, 6), (2, 2), (2, 5)\}.$$
If we let P = (2, 2) then 3P = (0, 6) = Q, and hence k = 3 is a solution to the discrete logarithm problem.
In a real application k would be so large that this approach would be infeasible for determining k.
Construction of an elliptic curve over $\mathbb{F}_p$: Let the prime number be p = 23 and consider the elliptic curve $E : y^2 \equiv x^3 + x + 4 \pmod{23}$ defined over $\mathbb{F}_{23}$, with the constants a = 1 and b = 4; since $4a^3 + 27b^2 = 436 \equiv 22 \not\equiv 0 \pmod{23}$, E is indeed an elliptic curve. We first determine the quadratic residues $Q_{23}$ of the reduced residue set $\mathbb{Z}_{23}^* = \{1, 2, 3, \ldots, 21, 22\}$:
$$Q_{23} = \{1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18\}.$$
For each x we check whether $x^3 + x + 4 \bmod 23$ is 0 or lies in $Q_{23}$, and take the two square roots when it does; this gives the points of $E_{23}(1, 4)$:
(0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) (10, 5) (10, 18) (11, 9) (11, 14) (13, 11) (13, 12) (14, 5) (14, 18) (15, 6) (15, 17) (17, 9) (17, 14) (18, 9) (18, 14) (22, 5) (22, 18)
together with the point at infinity O, 29 points in all.
The core of elliptic curve arithmetic is an operation called scalar point multiplication, which computes Q = kP. For example, 11P can be computed by double-and-add as $11P = 2(2(2P) + P) + P$, i.e. three doublings and two additions instead of ten additions. The problem of calculating k from given points P and Q is called the discrete logarithm problem over the elliptic curve (ECDLP). Note that it is easy to calculate Q = kP from given k and P, but computationally difficult to calculate the scalar k from the points Q and P.
Let $E_p(a, b) = E_{23}(1, 4)$ and let P = (7, 3) and Q = (1, 12) be points on the curve $E_{23}(1, 4)$. Then one can show that 5P = Q:
$$Q = 5P = P + P + P + P + P = (1, 12),$$
with the intermediate multiples 2P = (22, 18), 3P = (18, 9) and 4P = (4, 7).
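The curve arithmetic of the preceding paragraphs in working form, as an added example (not code from the notes): point listing, the chord and tangent formulas, double-and-add scalar multiplication, and a brute-force ECDLP solver that is only feasible for groups this small. The point at infinity O is represented by None.

```python
"""Elliptic-curve arithmetic over F_p for y^2 = x^3 + ax + b, following the
chord-and-tangent formulas above. Added example, not from the notes; O is None."""


def is_curve(a, b, p):
    """Non-singularity check: 4a^3 + 27b^2 must be non-zero mod p."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def points(a, b, p):
    """All affine points of E_p(a, b); the point at infinity is left out."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x ** 3 - a * x - b) % p == 0]


def add(P, Q, a, p):
    """Chord-and-tangent addition; handles O and P + (-P) = O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                          # vertical line
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p            # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, a, p):
    """Double-and-add scalar multiplication, scanning k's bits from the top:
    11P = 2(2(2P) + P) + P as in the text."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, a, p)
        if bit == "1":
            R = add(R, P, a, p)
    return R


def ecdlp(P, Q, a, p):
    """Find k with kP = Q by walking the multiples of P; returns None if Q is not
    a multiple. Linear in the group order, so useless beyond toy sizes."""
    R, k = P, 1
    while R != Q:
        R = add(R, P, a, p)
        k += 1
        if R is None and Q is not None:
            return None
    return k
```

On a curve of cryptographic size the walk in ecdlp would take on the order of the group order steps (or about its square root with Pollard's rho), which is the gap between computing kP and recovering k.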
By contrast, at cryptographic sizes the parameters look like
p = 6277101735386680763835789423207666416083908700390324961279,
N = 6277101735386680763835789423337720473986773608255189015329,
with
k = 6708050311399110513517527207693060456300217054473.
It is therefore practically impossible to determine k. The security of ECC relies on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP).