
UNIT III ASYMMETRIC CRYPTOGRAPHY

MATHEMATICS OF ASYMMETRIC KEY CRYPTOGRAPHY: Primes – Primality Testing –
Factorization – Euler's totient function, Fermat's and Euler's Theorem – Chinese
Remainder Theorem – Exponentiation and logarithm – ASYMMETRIC KEY CIPHERS: RSA
cryptosystem – Key distribution – Key management – Diffie Hellman key exchange –
Elliptic curve arithmetic – Elliptic curve cryptography.
MATHEMATICS OF ASYMMETRIC KEY CRYPTOGRAPHY
3.1 PRIME NUMBER
An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
Any integer a > 1 can be factored in a unique way as

a = p1^a1 * p2^a2 * ... * pt^at

where p1 < p2 < ... < pt are prime numbers and where each ai is a positive integer.
91 = 7 * 13
3600 = 2^4 * 3^2 * 5^2
11011 = 7 * 11^2 * 13

If P is the set of all prime numbers, then any positive integer a can be written
uniquely in the following form:

a = product over all p in P of p^a_p, with every a_p ≥ 0 (only finitely many
a_p are nonzero)

It is easy to determine the greatest common divisor of two positive integers if
we express each integer as the product of primes.

300 = 2^2 * 3^1 * 5^2
18 = 2^1 * 3^2
gcd(18, 300) = 2^1 * 3^1 * 5^0 = 6

The following relationship always holds:

If k = gcd(a, b), then k_p = min(a_p, b_p) for all p.
3.2 TESTING FOR PRIMALITY
 A primality test is used to determine whether an input integer is prime.
 For many cryptographic algorithms, it is necessary to select one or more very
large prime numbers at random. Thus, we are faced with the task of determining
whether a given large number is prime. There is no simple yet efficient
deterministic means of accomplishing this task, so probabilistic tests are used.
Fermat Primality Test
Fermat's Little Theorem states that if n is prime, then a^(n−1) ≡ 1 (mod n) for
every a with 1 < a < n. This is the foundation of the Fermat primality test: pick
a base a and compute a^(n−1) mod n; if the result is not 1, n is certainly
composite; if it is 1, n may be prime. Some composites (pseudoprimes) pass the
test for particular bases, and Carmichael numbers pass it for every base coprime
to n, so the Fermat test is only a filter.
Example 1: let's take n = 5 (prime number)
Since 1 < a < n, the values of a can be 2, 3, 4. So let's check for the three numbers.
2^4 = 16 ≡ 1 (mod 5) [or 16 % 5 = 1],
3^4 = 81 ≡ 1 (mod 5) [or 81 % 5 = 1]
4^4 = 256 ≡ 1 (mod 5) [or 256 % 5 = 1]
Miller-Rabin Algorithm
The algorithm due to Miller and Rabin [MILL75, RABI80] is typically used to test
a large number for primality. It strengthens the Fermat test by looking at the
intermediate square roots of a^(n−1): modulo a prime, the only square roots of 1
are ±1, so finding any other square root of 1 proves that n is composite.
Miller-Rabin-Test (n, a) // n is the odd number under test; a is the base
{
    Find m (odd) and k such that n − 1 = m x 2^k
    T ← a^m mod n
    if (T = ±1) return "inconclusive" // a is not a witness
    for (i ← 1 to k − 1) // k − 1 is the maximum number of squarings
    {
        T ← T^2 mod n
        if (T = −1) return "inconclusive" // a is not a witness
        if (T = +1) return "composite" // a nontrivial square root of 1 was found
    }
    return "composite"
}
"Inconclusive" does not mean prime: a single base can be fooled, but for a
composite n at most one quarter of the bases are, so the test is repeated with
several random bases and n is accepted as (probably) prime only if none of them
is a witness.

Example: test n = 341 with base a = 2 using the Miller-Rabin algorithm.

Step 1: 341 − 1 = 340 = 85 x 2^2. Thus n = 341, k = 2 and m = 85.

Step 2: a = 2 (given)

Step 3: T = a^m mod n = 2^85 mod 341
  2^10 = 1024 = 3 x 341 + 1, so 2^10 ≡ 1 (mod 341)
  2^85 = (2^10)^8 x 2^5 ≡ 1 x 32 = 32 (mod 341)

Step 4: As 32 ≠ 1 and 32 ≠ 340 (that is, −1), we move to the squaring loop.

Step 5: For i = 1, T = 32^2 mod 341 = 1024 mod 341 = 1

T became 1 without passing through −1, so 32 is a nontrivial square root of 1
modulo 341. That is impossible for a prime, so 341 is composite (in fact
341 = 11 x 31) and 2 is a witness to that. Note that the Fermat test with the
same base would have been fooled, since 2^340 = (2^10)^34 ≡ 1 (mod 341).
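The two tests above in working code, as an added example that is not part of the original notes: the Fermat filter, a single Miller-Rabin round written as the pseudocode has it (n − 1 = m·2^k, then up to k − 1 squarings), a helper that exposes the intermediate values for a worked example, and the repeated-random-base wrapper one would actually use. The sample inputs (341, 561, 353) are chosen here for illustration; 561 = 3·11·17 is a Carmichael number, which the Fermat test cannot detect with any coprime base.

```python
# Added example (not from the original notes): Fermat test, one Miller-Rabin
# round, a trace helper, and a multi-base probable-prime test.
import random


def fermat_test(n, bases):
    """Fermat filter: False means n is certainly composite; True means every base
    gave a^(n-1) = 1 mod n, which pseudoprimes (341 for base 2) also achieve."""
    if n < 4:
        return n in (2, 3)
    return all(pow(a, n - 1, n) == 1 for a in bases)


def decompose(n):
    """Write n - 1 = m * 2^k with m odd; returns (m, k)."""
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return m, k


def miller_rabin_witness(n, a):
    """One round with base a: True if a proves n composite, False if inconclusive."""
    m, k = decompose(n)
    t = pow(a, m, n)
    if t in (1, n - 1):
        return False                 # a^m = +-1: nothing learned
    for _ in range(k - 1):
        t = t * t % n
        if t == n - 1:
            return False             # reached -1: nothing learned
        if t == 1:
            return True              # nontrivial square root of 1: composite
    return True                      # never reached -1: composite


def trace_miller_rabin(n, a):
    """(m, k, [a^m, a^(2m), a^(4m), ...] mod n) for writing out a worked example."""
    m, k = decompose(n)
    seq = [pow(a, m, n)]
    for _ in range(k - 1):
        seq.append(seq[-1] * seq[-1] % n)
    return m, k, seq


def is_probable_prime(n, rounds=20, rng=random.SystemRandom()):
    """Trial division by small primes, then `rounds` random Miller-Rabin bases.
    A composite survives each round with probability at most 1/4, so the chance of
    a wrong 'prime' answer after 20 rounds is below 4^-20."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return False
    return True


if __name__ == "__main__":
    print(fermat_test(341, [2]), miller_rabin_witness(341, 2), trace_miller_rabin(341, 2))
    print(fermat_test(561, [2, 5, 7]), miller_rabin_witness(561, 2))
    print(is_probable_prime(353), is_probable_prime(2**61 - 1))
```

Running the block shows the point of the section: 341 and 561 pass the Fermat test for the listed bases, and base 2 alone is a Miller-Rabin witness for both.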

3.3 Factorization
 The idea of "factoring" a number is important: finding numbers which divide
into it.
 Taking this as far as it can go, by factorising all the factors, we can
eventually write the number as a product of (powers of) primes, its prime
factorisation.
 Note also that factoring a number is relatively hard compared to multiplying
the factors together to generate the number. This asymmetry is what RSA relies
on: n = pq is public, but recovering p and q from n is the hard direction.
 To factor a number n is to write it as a product of other numbers: n = a x b x c
 The prime factorization of a number n is when it is written as a product of
primes, e.g. 91 = 7 x 13; 3600 = 2^4 x 3^2 x 5^2

3.4 Euler's totient function

It is written ø(n). Euler's totient function is defined as the number of positive
integers less than n and relatively prime to n. By convention ø(1) = 1.
It should be clear that for a prime number p
ø(p) = p − 1
Suppose that we have two prime numbers p and q, with p not equal to q, and let
n = pq. Then we can show that
ø(n) = ø(pq) = ø(p) * ø(q) = (p − 1) * (q − 1)
Of the pq − 1 integers in {1, ..., pq − 1}, the ones not coprime to pq are the
q − 1 multiples of p and the p − 1 multiples of q, so
ø(n) = (pq − 1) − [(q − 1) + (p − 1)]
= pq − (p + q) + 1
= (p − 1) * (q − 1)
= ø(p) * ø(q)
To determine ø(35), we list all of the positive integers less than 35 that are
relatively prime to it:
1, 2, 3, 4, 6, 8, 9, 11, 12, 13, 16, 17, 18
19, 22, 23, 24, 26, 27, 29, 31, 32, 33, 34
There are 24 numbers on the list, so ø(35) = 24.
ø(21) = ø(3) * ø(7) = (3 − 1) * (7 − 1) = 2 * 6 = 12
3.5 FERMAT'S THEOREM
Fermat's theorem states the following: if p is a prime and a is a positive integer
not divisible by p, then
a^(p−1) ≡ 1 (mod p)
Proof. Consider the set of positive integers less than p: {1, 2, 3, ..., p − 1}.
Multiply each element by a modulo p to get the set
X = {a mod p, 2a mod p, ..., (p − 1)a mod p}.
None of the elements of X is equal to zero because p does not divide a. No two
of the integers in X are equal: if ia ≡ ja (mod p) then, since a is invertible
modulo p, i ≡ j (mod p). So the p − 1 elements of X are the integers 1, ..., p − 1
in some order. Multiplying the numbers in both sets and taking the result mod p
yields
a * 2a * ... * (p − 1)a ≡ [1 * 2 * ... * (p − 1)] (mod p)
[1 * 2 * ... * (p − 1)] a^(p−1) ≡ [1 * 2 * ... * (p − 1)] (mod p)
(p − 1)! a^(p−1) ≡ (p − 1)! (mod p)
a^(p−1) ≡ 1 (mod p)
where the last step cancels (p − 1)!, which is not divisible by p.

Example
a = 7, p = 19
7^2 = 49 ≡ 11 (mod 19)
7^4 ≡ 11^2 = 121 ≡ 7 (mod 19)
7^8 ≡ 7^2 = 49 ≡ 11 (mod 19)
7^16 ≡ 11^2 = 121 ≡ 7 (mod 19)
a^(p−1) = 7^18 = 7^16 * 7^2 ≡ 7 * 11 = 77 ≡ 1 (mod 19)

An alternative form of Fermat's theorem is also useful: If p is prime and a is a
positive integer, then

a^p ≡ a (mod p)

(this form does not require a to be coprime to p).
3.6 EULER'S THEOREM

Euler's theorem states that for every a and n that are relatively prime:

a^ø(n) ≡ 1 (mod n)

The above equation is true if n is prime, because in that case ø(n) = n − 1 and
Fermat's theorem holds. However, it holds for any positive integer n. Recall that
ø(n) is the number of positive integers less than n that are relatively prime to
n. Consider the set of such integers, labeled as follows:
R = {x1, x2, ..., x_ø(n)}
That is, each element xi of R is a unique positive integer less than n with
gcd(xi, n) = 1. Now multiply each element by a modulo n:
S = {(a x1 mod n), (a x2 mod n), ..., (a x_ø(n) mod n)}
The set S is a permutation of R, for the following reasons:
1. Because a is relatively prime to n and xi is relatively prime to n, a xi must
also be relatively prime to n. Thus all the members of S are integers less than
n that are relatively prime to n.
2. There are no duplicates in S: if a xi mod n = a xj mod n, then xi = xj,
because a has an inverse modulo n.
Multiplying the elements of S and of R therefore gives the same product modulo n,
a^ø(n) * (x1 x2 ... x_ø(n)) ≡ x1 x2 ... x_ø(n) (mod n), and cancelling the
product (which is coprime to n) gives a^ø(n) ≡ 1 (mod n).
An alternative form of the theorem is also useful:

a^(ø(n)+1) ≡ a (mod n)

which, when n is a product of distinct primes, holds for every a and not only for
a coprime to n. This is the fact RSA relies on to guarantee M^(ed) ≡ M (mod n).
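The definitions of sections 3.1 to 3.6 as running code, added here as an example that is not part of the original notes: trial-division factorisation, gcd through the min-exponent rule, Euler's totient computed from the factorisation and checked against the counting definition, and a numeric check of Fermat's and Euler's theorems that also makes the case gcd(a, n) ≠ 1, where Euler's theorem does not apply, visible instead of silently wrong. Inputs are the page's own numbers (11011, 3600, 18 and 300, 35, 21, a = 7 and p = 19).

```python
# Added example (not from the original notes): factorisation, gcd via exponents,
# Euler's totient, and checks of Fermat's and Euler's theorems.
from math import gcd


def factorize(n):
    """Prime factorisation by trial division, returned as {prime: exponent}.
    Fine for classroom sizes; for an RSA-sized n this loop *is* the hard problem."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2      # after 2, only try odd candidates
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def gcd_from_factors(a, b):
    """gcd(a, b) = product of p^min(a_p, b_p), the exponent rule of section 3.1."""
    fa, fb = factorize(a), factorize(b)
    result = 1
    for p in fa.keys() & fb.keys():
        result *= p ** min(fa[p], fb[p])
    return result


def phi(n):
    """Euler's totient from the factorisation: phi(n) = n * prod(1 - 1/p)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def phi_by_counting(n):
    """Definition-level check: count 1 <= k < n with gcd(k, n) = 1; phi(1) = 1."""
    return 1 if n == 1 else sum(1 for k in range(1, n) if gcd(k, n) == 1)


def euler_holds(a, n):
    """Returns (theorem applies, a^phi(n) == 1 mod n). Euler's theorem needs
    gcd(a, n) = 1; when it does not apply the congruence generally fails."""
    applicable = gcd(a, n) == 1
    return applicable, pow(a, phi(n), n) == 1


def fermat_holds(a, p):
    """a^(p-1) == 1 mod p for prime p and p not dividing a."""
    return pow(a, p - 1, p) == 1


if __name__ == "__main__":
    print(factorize(11011), factorize(3600), gcd_from_factors(18, 300))
    print(phi(35), phi_by_counting(35), phi(21))
    print(fermat_holds(7, 19), euler_holds(4, 35), euler_holds(10, 35))
```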

3.7 THE CHINESE REMAINDER THEOREM

The Chinese Remainder Theorem says it is possible to reconstruct integers in a
certain range from their residues modulo a set of pairwise relatively prime
moduli.
x ≡ a1 (mod n1), x ≡ a2 (mod n2), ..., x ≡ ak (mod nk)
If n1, n2, ..., nk are positive integers that are pairwise coprime and
a1, a2, ..., ak are any integers, then the CRT gives the unique value of x in
[0, M) that solves all of the congruences simultaneously (every other solution
differs from it by a multiple of M):
x = (a1 m1 y1 + a2 m2 y2 + ... + ak mk yk) mod M
where M = n1 n2 ... nk
mi = M / ni
mi yi ≡ 1 (mod ni), i.e. yi is the inverse of mi modulo ni (it exists because mi
is coprime to ni).

Problem 1

x ≡ 1 mod 5
x ≡ 2 mod 6
x ≡ 3 mod 7

a1=1
a2=2
a3=3

n1=5
n2=6
n3=7

M=n1n2n3
M=5*6*7=210
mi=M/ni

m1=210/5=42
m2=210/6=35
m3=210/7=30

mi yi ≡ 1 (mod ni)
42 y1 ≡ 1 (mod 5): 42 ≡ 2, and 2 * 3 = 6 ≡ 1, so y1 = 3

35 y2 ≡ 1 (mod 6): 35 ≡ 5, and 5 * 5 = 25 ≡ 1, so y2 = 5

30 y3 ≡ 1 (mod 7): 30 ≡ 2, and 2 * 4 = 8 ≡ 1, so y3 = 4

x = (a1 m1 y1 + a2 m2 y2 + a3 m3 y3) mod M
= ((1 * 42 * 3) + (2 * 35 * 5) + (3 * 30 * 4)) mod 210
= 836 mod 210
= 206
Check: 206 mod 5 = 1, 206 mod 6 = 2, 206 mod 7 = 3.
Problem 2
A bag contains a number of pens. If you take out 3 pens at a time, 2 pens are
left. If you take out 4 pens at a time, 1 pen is left, and if you take out 5 pens
at a time, 3 pens are left in the bag. What is the number of pens in the bag?
x ≡ 2 mod 3
x ≡ 1 mod 4
x ≡ 3 mod 5

a1=2
a2=1
a3=3

n1=3
n2=4
n3=5

M=n1n2n3
M=3*4*5=60
mi=M/ni

m1=60/3=20
m2=60/4=15
m3=60/5=12

mi yi ≡ 1 (mod ni)
20 y1 ≡ 1 (mod 3): 20 ≡ 2, and 2 * 2 = 4 ≡ 1, so y1 = 2

15 y2 ≡ 1 (mod 4): 15 ≡ 3, and 3 * 3 = 9 ≡ 1, so y2 = 3

12 y3 ≡ 1 (mod 5): 12 ≡ 2, and 2 * 3 = 6 ≡ 1, so y3 = 3
x = (a1 m1 y1 + a2 m2 y2 + a3 m3 y3) mod M
= ((2 * 20 * 2) + (1 * 15 * 3) + (3 * 12 * 3)) mod 60
= 233 mod 60
= 53
Check: 53 mod 3 = 2, 53 mod 4 = 1, 53 mod 5 = 3. Any 53 + 60t pens also fits
the description; 53 is the smallest possible number.
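The CRT recipe above in code, as an added example that is not from the original notes: the inverse yi is computed with the extended Euclidean algorithm, non-coprime moduli are rejected rather than silently producing a wrong answer, and the two problems above are the inputs. The block also shows the main cryptographic use of the theorem, RSA decryption done modulo p and q separately and recombined with the CRT; that part uses the parameters of the RSA example later in this unit (p = 17, q = 11, d = 23, ciphertext 11) and goes beyond what this section itself states.

```python
# Added example (not from the original notes): Chinese Remainder Theorem as set
# up above, plus RSA-CRT decryption as its main cryptographic application.
from math import gcd


def mod_inverse(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm.
    Raises if gcd(a, m) != 1 so a non-invertible m_i is never accepted."""
    old_r, r = a, m
    old_s, s = 1, 0              # invariant: old_r = old_s * a (mod m)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return old_s % m


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i.
    Returns (x, M) with 0 <= x < M = n_1 * ... * n_k; every solution is x + t*M."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    M = 1
    for n in moduli:
        M *= n
    x = 0
    for a, n in zip(residues, moduli):
        m_i = M // n                   # m_i = M / n_i
        y_i = mod_inverse(m_i, n)      # m_i * y_i = 1 (mod n_i)
        x += a * m_i * y_i
    return x % M, M


def satisfies(x, residues, moduli):
    """True if x meets every congruence; used to check a solution."""
    return all(x % n == a % n for a, n in zip(residues, moduli))


def rsa_crt_decrypt(c, d, p, q):
    """M = C^d mod pq computed as two small exponentiations mod p and mod q
    (exponents reduced via Fermat's theorem) and recombined with the CRT.
    This is why the RSA private key keeps p and q next to d."""
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    return crt([m_p, m_q], [p, q])[0]


if __name__ == "__main__":
    print(crt([1, 2, 3], [5, 6, 7]))          # problem 1
    print(crt([2, 1, 3], [3, 4, 5]))          # problem 2, pens in the bag
    print(rsa_crt_decrypt(11, 23, 17, 11))    # RSA example later in the unit
```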
3.8 Exponentiation and Logarithm
Fast Exponentiation
The idea behind the square-and-multiply method: to compute y = a^x mod n, scan
the bits of the exponent x from the most significant bit; for every bit square
the running result, and when the bit is 1 also multiply it by a. This needs
about log2(x) squarings and at most log2(x) multiplications instead of x − 1
multiplications, and it is the operation at the heart of RSA, Diffie-Hellman and
DSA.

Figure 9.7 shows the process for calculating y = a^x using Algorithm 9.7 (for
simplicity, the modulus is not shown). In this case, x = 22 = (10110)2 in binary.
The exponent has five bits.
(Figure: demonstration of the calculation of a^22 using the square-and-multiply
method; the running result goes a^1, a^2, a^5, a^11, a^22 as the bits 1, 0, 1, 1, 0
are consumed.)

In cryptography, we also need to discuss the modular logarithm: given y, a and
n, find x such that y = a^x mod n. Approaches to solving it: exhaustive search,
tabulation of discrete logarithms, using properties of discrete logarithms, and
specialised algorithms; none of them is efficient for the group sizes used in
practice.

Order of an Element
The order of an element a in a group is the smallest positive k with a^k = 1.
Find the order of all elements in G = <Z10*, ×>.
Solution
This group has only φ(10) = 4 elements: 1, 3, 7, 9. We can find the order of each
element by trial and error.

a. 1^1 ≡ 1 (mod 10) → ord(1) = 1.
b. 3^4 = 81 ≡ 1 (mod 10) → ord(3) = 4.
c. 7^4 = 2401 ≡ 1 (mod 10) → ord(7) = 4.
d. 9^2 = 81 ≡ 1 (mod 10) → ord(9) = 2.

DISCRETE LOGARITHMS
The idea of the discrete logarithm. Properties of G = <Zp*, ×>:
1. Its elements include all integers from 1 to p − 1.
2. It always has primitive roots.
3. It is cyclic. The elements can be created using g^x, where g is a primitive
root and x is an integer from 1 to φ(p) = p − 1.
4. The primitive roots can be thought of as the base of the logarithm.

The best algorithms known for the discrete logarithm problem modulo a prime
have running times comparable to those for factoring integers of the same size,
which is why Diffie-Hellman and RSA parameters of comparable length are treated
as comparably strong.

Discrete logarithms are fundamental to a number of public-key algorithms,
including Diffie-Hellman key exchange and the digital signature algorithm (DSA).
A primitive root of a prime number p is one whose powers modulo p generate all
the integers from 1 to p − 1. That is, if a is a primitive root of the prime
number p, then the numbers
a mod p, a^2 mod p, ..., a^(p−1) mod p
are distinct and consist of the integers from 1 through p − 1 in some
permutation.

For any integer b not divisible by p and a primitive root a of the prime number
p, we can find a unique exponent i such that
b ≡ a^i (mod p) where 0 ≤ i ≤ p − 2
The exponent i is referred to as the discrete logarithm of b for the base a, mod p.
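The operations of this section in code, added as an example that is not part of the original notes: the square-and-multiply loop with a trace of the a^22 = (10110)2 walk the figure shows, the order computation for Z10*, a primitive-root finder and a brute-force discrete-logarithm table. The group sizes are the page's own (10, 19 and 353); the last two functions are exactly the exhaustive search that becomes infeasible at cryptographic sizes, and 353 with primitive root 3 are the Diffie-Hellman parameters used later in this unit.

```python
# Added example (not from the original notes): square-and-multiply with trace,
# element order, primitive roots, and an exhaustive-search discrete log table.
from math import gcd


def square_and_multiply(a, x, n):
    """a^x mod n, scanning the exponent from its most significant bit: square the
    running value for every bit, multiply by a when the bit is 1. Returns
    (result, trace); for x = 22 = 10110 the trace reads a, a^2, a^5, a^11, a^22."""
    y = 1
    trace = []
    for bit in bin(x)[2:]:
        y = y * y % n
        if bit == "1":
            y = y * a % n
        trace.append((bit, y))
    return y, trace


def order(a, n):
    """Smallest k >= 1 with a^k = 1 (mod n); defined only for gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not an element of Z_{n}^*")
    k, t = 1, a % n
    while t != 1:
        t = t * a % n
        k += 1
    return k


def primitive_roots(p):
    """Elements of Z_p^* whose order is p - 1, i.e. the generators (p prime)."""
    return [g for g in range(1, p) if order(g, p) == p - 1]


def dlog_table(g, p):
    """Tabulate log_g(b) for every b in Z_p^* by exhaustive search. Cost is p - 1
    multiplications, which is precisely what is infeasible at DH/DSA sizes."""
    table = {}
    t = 1
    for i in range(p - 1):
        table[t] = i
        t = t * g % p
    return table


def dlog(g, b, p):
    """Discrete logarithm of b to the base g modulo p (g must be a primitive root)."""
    return dlog_table(g, p)[b % p]


if __name__ == "__main__":
    print(square_and_multiply(3, 22, 353))
    print({a: order(a, 10) for a in (1, 3, 7, 9)})
    print(primitive_roots(19), dlog(3, 40, 353))
```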
3.9 ASYMMETRIC KEY CIPHERS
Difficulties in symmetric encryption
According to Diffie and Hellman:
i) Key distribution is a serious issue: the two parties must already share a
secret before they can communicate.
ii) Symmetric encryption is not applicable to digital signatures, since anyone
who can verify a message could equally have produced it.
Public key encryption scheme:
Asymmetric algorithms rely on one key for encryption and a different but related
key for decryption. Characteristics:
i) It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
ii) In some algorithms, RSA among them, either of the two related keys can be
used for encryption, with the other used for decryption.

Conventional / symmetric / private key encryption
 The same algorithm with the same key is used for encryption and decryption.
 The sender and receiver must share the algorithm and the key.
 The key must be kept secret.

Asymmetric / public key encryption
 One algorithm is used for encryption and decryption with a pair of keys, one
for encryption and one for decryption.
 The sender and receiver must each have one of the matched pair of keys.
 One of the two keys must be kept secret.

Applications for Public-Key Cryptosystems


We can classify the use of public-key cryptosystems into three categories
1. Encryption /decryption: The sender encrypts a message with the recipient‘s public
key.
2. Digital signature: The sender "signs" a message with its private key. Signing
is achieved by a cryptographic algorithm applied to the message or to a small
block of data that is a function of the message.
3. Key exchange: Two sides cooperate to exchange a session key. Several different
approaches are possible, involving the private key(s) of one or both parties.

3.10 RSA – Algorithm

 It was developed by Rivest, Shamir and Adleman. This algorithm makes use of
an expression with exponentials. Plaintext is encrypted in blocks, with each
block having a binary value less than some number n.
 The RSA algorithm is a public key cryptography algorithm. RSA can be used for
key exchange, digital signatures and the encryption of small blocks of data.

The RSA scheme is a cipher in which the plaintext and ciphertext are integers
between 0 and n − 1 for some n. The size used for n in these notes is 1024 bits,
or 309 decimal digits; that is, n is less than 2^1024. (1024-bit moduli are no
longer considered adequate; current practice is 2048 bits or more.)
Encryption and decryption are of the following form, for some plaintext block M
and ciphertext block C:
C = M^e mod n
M = C^d mod n
Both the sender and receiver know the value of n. The sender knows the value of
e and only the receiver knows the value of d. Thus, this is a public key
encryption algorithm with a public key of KU = {e, n} and a private key of
KR = {d, n}.
For this algorithm to be satisfactory for public key encryption, the following
requirements must be met:
1. It is possible to find values of e, d, n such that M^(ed) ≡ M (mod n) for all
M < n.
2. It is relatively easy to calculate M^e and C^d for all values of M < n.
3. It is infeasible to determine d given e and n.
 It is the best known and most widely used public-key scheme, and is based on
modular exponentiation over the integers modulo n, where n is the product of two
large primes (so the arithmetic is in the ring Zn, not a field).
 Its security rests on the cost of factoring large numbers.
 Plaintext and ciphertext are integers between 0 and n − 1 for some n (e.g.
1024 bits).
Ingredients of the RSA Algorithm
The ingredients are the following:

p, q, two prime numbers (private, chosen)

n = pq (public, calculated)
e, with gcd(ø(n), e) = 1; 1 < e < ø(n) (public, chosen)

d ≡ e^(−1) (mod ø(n)) (private, calculated)

RSA Key Setup

 This key setup is done once (rarely) when a user establishes (or replaces)
their public key.
 Each user generates a public/private key pair by:
 Selecting two large primes at random: p, q
 Computing their system modulus N = p.q
 ø(N) = (p − 1)(q − 1)
 Selecting at random the encryption key e where 1 < e < ø(N),
gcd(e, ø(N)) = 1
 Solving the following equation to find the decryption key d:
 e.d ≡ 1 (mod ø(N)) and 0 < d < ø(N)

 Publish their public encryption key:
 KU = {e, N}
 Keep secret their private decryption key:
 KR = {d, p, q}
(p and q are kept because they allow faster decryption via the CRT; anyone who
learns them can compute d, so they must never be disclosed.)
RSA Use
 To encrypt a message M the sender obtains the public key of the recipient
KU = {e, N} and computes C = M^e mod N
 To decrypt the ciphertext C the owner:
 uses their private key KR = {d, p, q}
 computes M = C^d mod N
 Note that the message M must be smaller than the modulus N (block if needed).

RSA Example
1. Select primes: p = 17 and q = 11
2. Compute n = pq = 17 × 11 = 187
3. Compute ø(n) = (p − 1)(q − 1) = 16 × 10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d: d.e ≡ 1 (mod 160) and d < 160. The value is d = 23 since
23 × 7 = 161 = 1 × 160 + 1
6. Publish public key KU = {7, 187}
7. Keep secret private key KR = {23, 17, 11}
8. Given message M = 88 (88 < 187)
9. Encryption: C = 88^7 mod 187 = 11
88^7 mod 187 = [(88^4 mod 187) × (88^2 mod 187) × (88^1 mod 187)] mod 187

88^1 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77

88^4 mod 187 = 59969536 mod 187 = 132 (equivalently 77^2 = 5929 mod 187 = 132)

88^7 mod 187 = (88 × 77 × 132) mod 187 = 894432 mod 187 = 11

10. Decryption: M = 11^23 mod 187 = 88

The security of RSA:

Five possible approaches to attacking the RSA algorithm are

■ Brute force: This involves trying all possible private keys.

■ Mathematical attacks: There are several approaches, all equivalent in effort
to factoring the product of two primes.

■ Timing attacks: These depend on the running time of the decryption algorithm.

■ Hardware fault-based attacks: These involve inducing hardware faults in the
processor that is generating digital signatures.

■ Chosen ciphertext attacks: This type of attack exploits properties of the RSA
algorithm, in particular the multiplicative property of unpadded ("textbook")
RSA.

Note: finding the private key d, i.e. the multiplicative inverse of e modulo
ø(n), using the extended Euclidean algorithm: d ≡ e^(−1) (mod ø(n)), i.e.

d * e ≡ 1 (mod ø(n)). Here d * 7 ≡ 1 (mod 160).
According to the extended Euclidean algorithm the initial values are
A1 = 1, A2 = 0, A3 = 160
B1 = 0, B2 = 1, B3 = 7
Repeat: find Q = ⌊A3 / B3⌋ (the integer part of the quotient), then
(A1, A2, A3) ← (B1, B2, B3)
(B1, B2, B3) ← (A1 − Q B1, A2 − Q B2, A3 − Q B3)
using the previous A and B values on the right-hand side. Stop when B3 = 1 (then
B2 is the inverse) or when B3 = 0 (then gcd(e, ø(n)) > 1 and no inverse exists).
Q     A1    A2     A3    B1    B2     B3
-      1     0    160     0     1      7
22     0     1      7     1   −22      6
1      1   −22      6    −1    23      1
Since B3 = 1, the multiplicative inverse is B2 = 23 (reduced mod 160 if it came
out negative):
23 * 7 = 161 ≡ 1 (mod 160), so d = 23.
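The RSA example and the key-derivation note above in code, added here as an example that is not from the original notes: the page's parameters p = 17, q = 11, e = 7, d obtained with the extended Euclidean algorithm as in the table, encryption of M = 88, and two properties from the security discussion that follows that a practitioner should see once in a small setting. Textbook RSA is malleable (c·r^e decrypts to m·r, which is what the chosen-ciphertext attack exploits and what OAEP padding exists to prevent), and blinding with a random r is the timing countermeasure described below. The decryption oracle and the values of r are constructed for the demonstration.

```python
# Added example (not from the original notes): textbook RSA with the page's
# parameters, d via the extended Euclidean algorithm, malleability and blinding.


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """a^-1 mod m; ValueError when gcd(a, m) != 1 because no inverse exists."""
    g, x, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return x % m


def rsa_keygen(p, q, e):
    """(public, private) = ((e, n), (d, n)) for primes p, q and a chosen e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < phi(n)")
    d = mod_inverse(e, phi)            # fails unless gcd(e, phi(n)) = 1
    return (e, n), (d, n)


def rsa_encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must lie in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)


def forge_related_ciphertext(c, r, pub):
    """Malleability of textbook RSA: c' = c * r^e mod n decrypts to m * r mod n,
    so an attacker holding c can ask a decryption oracle about c' instead of c."""
    e, n = pub
    return c * pow(r, e, n) % n


def recover_via_oracle(c, r, pub, oracle):
    """The chosen-ciphertext attack: decrypt the related c', then divide out r."""
    _, n = pub
    return oracle(forge_related_ciphertext(c, r, pub)) * mod_inverse(r, n) % n


def rsa_decrypt_blinded(c, r, pub, priv):
    """Blinding as a timing countermeasure: exponentiate c * r^e instead of c, then
    strip r. The secret exponent still runs, but over a value the attacker
    neither chose nor can predict."""
    e, n = pub
    d, _ = priv
    blinded = c * pow(r, e, n) % n
    return pow(blinded, d, n) * mod_inverse(r, n) % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(88, pub)
    print(pub, priv, c, rsa_decrypt(c, priv))
    oracle = lambda x: rsa_decrypt(x, priv)     # the victim's decryption, as an attacker sees it
    print(recover_via_oracle(c, 2, pub, oracle), rsa_decrypt_blinded(c, 5, pub, priv))
```

The oracle in the attack never sees the original ciphertext 11, only the related value 99, which is why a decryption service that refuses to decrypt "known" ciphertexts is no defence; padding that makes c' decrypt to garbage is.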
Security of RSA / RSA Attacks:
The attacks listed above and their countermeasures are as follows:

i) Brute force: This involves trying all possible private keys.
Countermeasure: The defense against the brute-force approach is the same for RSA
as for other cryptosystems, namely, use a large key space.

ii) Mathematical attacks: There are several approaches, all equivalent in effort
to factoring the product of two primes.
The Factoring Problem. Three approaches to attack RSA mathematically:
 Factor n into its two prime factors. This enables calculation of
ø(n) = (p − 1) × (q − 1), which, in turn, enables determination of
d ≡ e^(−1) (mod ø(n)).
 Determine ø(n) directly, without first determining p and q. Again, this
enables determination of d ≡ e^(−1) (mod ø(n)).
 Determine d directly, without first determining ø(n).
Countermeasure: To avoid values of n that may be factored more easily, the
algorithm's inventors suggest the following constraints on p and q:
 p and q should differ in length by only a few digits. Thus, for a 1024-bit
key (309 decimal digits), both p and q should be on the order of magnitude of
10^75 to 10^100.
 Both (p − 1) and (q − 1) should contain a large prime factor.
 gcd(p − 1, q − 1) should be small.

iii) Timing attacks:
 These depend on the running time of the decryption algorithm. A timing attack
is somewhat analogous to a burglar guessing the combination of a safe by
observing how long it takes for someone to turn the dial from number to number.
 If modular exponentiation is accomplished bit by bit, with one modular
multiplication performed at each iteration and an additional modular
multiplication performed only when the exponent bit is 1, the time taken by each
iteration leaks that bit of the private exponent d.
Countermeasures:
i) Constant exponentiation time: Ensure that all exponentiations take the same
amount of time before returning a result.
ii) Random delay: Better performance could be achieved by adding a random delay
to the exponentiation algorithm to confuse the timing attack.
iii) Blinding: Multiply the ciphertext by a random number before performing
exponentiation. This process prevents the attacker from knowing what ciphertext
bits are being processed inside the computer and therefore prevents the
bit-by-bit analysis essential to the timing attack.

iv) Chosen ciphertext attacks:
This type of attack exploits properties of the RSA algorithm. The basic RSA
algorithm is vulnerable to a chosen ciphertext attack (CCA). CCA is defined as
an attack in which the adversary chooses a number of ciphertexts and is then
given the corresponding plaintexts, decrypted with the target's private key.
Countermeasure: Optimal Asymmetric Encryption Padding (OAEP)
 The message M to be encrypted is padded. A set of optional parameters P is
passed through a hash function H.
 The output is then padded with zeros to get the desired length in the overall
data block (DB). Next, a random seed is generated and passed through another
hash function, called the mask generating function (MGF).
 The resulting hash value is bit-by-bit XORed with DB to produce a masked DB.
 The masked DB is in turn passed through the MGF and the result XORed with the
seed to produce a masked seed, so that the seed can be recovered on decryption.
 The concatenation of the masked seed and the masked DB forms the encoded
message EM.
 The EM is then encrypted using RSA.

3.11 Key Distribution & Management

There are actually two distinct aspects to the use of public-key cryptography:
 The distribution of public keys
 The use of public-key encryption to distribute secret keys
Distribution of Public Keys
There are four different schemes
 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates
Public announcement
Any participant can send his or her public key to any other participant or
broadcast the key to the community.
(Figure: uncontrolled public-key distribution)
Limitations:
 Anyone can forge such a public announcement. That is, some user could
pretend to be user A and send a public key to another participant or
broadcast such a public key.
 Authentication is needed to avoid this problem.
Publicly Available Directory
A greater degree of security can be achieved by maintaining a publicly available
dynamic directory of public keys. Maintenance and distribution of the public
directory would have to be the responsibility of some trusted entity or
organization.
i) The authority maintains a directory with a {name, public key} entry for each
participant.
ii) Each participant registers a public key with the directory authority.
iii) Participants could also access the directory electronically.

Limitations
 An adversary who obtains the private key of the directory authority can
impersonate the directory and hand out false public keys.
 An attacker may tamper with the records stored in the directory.
Public key Authority
 Stronger security for public-key distribution can be achieved by providing
tighter control over the distribution of public keys from the directory.
 Each participant reliably knows a public key for the authority, with only the
authority knowing the corresponding private key.

i) A sends a timestamped message to the public-key authority containing a
request for the current public key of B.
ii) The authority responds with a message that is encrypted using the
authority's private key, PRauth. Thus, A is able to decrypt the message using
the authority's public key. Therefore, A is assured that the message originated
with the authority. The message includes the following:
● B's public key, PUb, which A can use to encrypt messages destined for B
● The original request, to enable A to match this response with the
corresponding earlier request and to verify that the original request was not
altered before reception by the authority
● The original timestamp, so A can determine that this is not an old message
from the authority containing a key other than B's current public key
iii) A stores B's public key and also uses it to encrypt a message to B
containing an identifier of A (IDA) and a nonce (N1), which is used to identify
this transaction uniquely.
iv) B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
v) At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange.
vi) B sends a message to A encrypted with PUa and containing A's nonce (N1) as
well as a new nonce generated by B (N2). Because only B could have decrypted
message (iii), the presence of N1 in message (vi) assures A that the
correspondent is B.
vii) A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
Limitations:
 The public-key authority may become a bottleneck, since every new session
requires a round trip to it.
 Tampering of records stored by the authority may take place.
Public key certificate
 A certificate consists of a public key plus an identifier of the key owner,
with the whole block signed by a trusted third party.
 Typically, the third party is a certificate authority, such as a government
agency or a financial institution, that is trusted by the user community.
 A user can present his or her public key to the authority in a
secure manner, and obtain a certificate. The user can then publish
the certificate.
Secret key distribution
Simple use of public key

 A generates a temporary public/private key pair and sends its public key PUa
together with its identifier IDA to B. B generates a session key Ks and sends it
to A encrypted with PUa; A decrypts it with its private key.
 A and B can now securely communicate using conventional encryption and the
session key Ks. At the completion of the exchange, both A and B discard Ks.
 Problem: man-in-the-middle attack. An adversary who can intercept the first
message substitutes his own public key for PUa, learns Ks from B's reply and
re-encrypts it under PUa for A, and neither party notices. It can be rectified
by using authentication.
Secret Key Distribution with Confidentiality and Authentication
(A and B are assumed to have already obtained each other's public keys, by one
of the methods above.)
i) A uses B's public key to encrypt a message to B containing an identifier of A
(IDA) and a nonce (N1), which is used to identify this transaction uniquely.
ii) B sends a message to A encrypted with PUa and containing A's nonce (N1) as
well as a new nonce generated by B (N2).
iii) A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
iv) A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption
of this message with B's public key ensures that only B can read it; encryption
with A's private key ensures that only A could have sent it.
v) B computes D(PUa, D(PRb, M)) to recover the secret key.
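Both exchanges above in code, added as an example that is not from the original notes: the sign-then-encrypt delivery of Ks, M = E(PUb, E(PRa, Ks)), recovered by B as D(PUa, D(PRb, M)), and the man-in-the-middle attack on the simple (unauthenticated) exchange. The RSA key pairs are toy textbook keys constructed for the demonstration (A: 17·11, B: 23·13, Darth: 19·13); the nested operation requires the signed value to be smaller than B's modulus, so A's modulus is assumed to be the smaller one. Real systems use padded signature and encryption schemes, not raw modular exponentiation.

```python
# Added example (not from the original notes): E(PUb, E(PRa, Ks)) delivery of a
# session key, and the MITM attack on the unauthenticated "simple" exchange.


def toy_rsa_keypair(p, q, e):
    """(public, private) = ((e, n), (d, n)); p, q assumed prime, gcd(e, phi) = 1."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def rsa_apply(x, key):
    """Raw RSA operation x^k mod n: 'encrypt with PU' and 'sign with PR' alike."""
    exp, n = key
    return pow(x, exp, n)


def send_session_key(ks, priv_a, pub_b):
    """A's side: sign Ks with PRa (only A could produce it), then encrypt with PUb
    (only B can open it). The inner value lies in [0, n_a), so n_a <= n_b is
    required for the outer operation to be invertible."""
    n_a, n_b = priv_a[1], pub_b[1]
    if not 0 <= ks < n_a or n_a > n_b:
        raise ValueError("need 0 <= Ks < n_a and n_a <= n_b")
    signed = rsa_apply(ks, priv_a)       # E(PRa, Ks)
    return rsa_apply(signed, pub_b)      # E(PUb, E(PRa, Ks))


def receive_session_key(msg, priv_b, pub_a):
    """B's side: D(PUa, D(PRb, M)). A value signed under any other private key
    comes out different, which is how B checks that A was the sender."""
    signed = rsa_apply(msg, priv_b)
    return rsa_apply(signed, pub_a)


def mitm_simple_exchange(ks_from_b, pub_a, pub_d, priv_d):
    """Unauthenticated exchange with Darth in the middle: A sent PUa, Darth
    replaced it with PUd on the way to B. B encrypts Ks under PUd; Darth decrypts,
    then re-encrypts Ks under PUa so A receives exactly what it expected.
    Returns (Ks as learned by Darth, ciphertext forwarded to A)."""
    to_darth = rsa_apply(ks_from_b, pub_d)            # B believes this is E(PUa, Ks)
    ks_seen_by_darth = rsa_apply(to_darth, priv_d)
    forwarded = rsa_apply(ks_seen_by_darth, pub_a)    # genuine-looking E(PUa, Ks)
    return ks_seen_by_darth, forwarded


if __name__ == "__main__":
    pub_a, priv_a = toy_rsa_keypair(17, 11, 7)     # n = 187
    pub_b, priv_b = toy_rsa_keypair(23, 13, 5)     # n = 299
    pub_d, priv_d = toy_rsa_keypair(19, 13, 5)     # Darth, n = 247
    m = send_session_key(100, priv_a, pub_b)
    print(m, receive_session_key(m, priv_b, pub_a))
    print(receive_session_key(send_session_key(100, priv_d, pub_b), priv_b, pub_a))
    print(mitm_simple_exchange(100, pub_a, pub_d, priv_d))
```

The forged delivery (Darth signing Ks with his own key) decrypts to a value other than Ks, but note that B cannot tell a wrong key from a right one by looking at it; in the protocol this is why the nonce exchange in steps i to iii precedes the key delivery.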
Hybrid scheme
This scheme retains the use of a key distribution center (KDC) that shares a secret
master key with each user and distributes secret session keys encrypted with the
master key. A public key scheme is used to distribute the master keys.
3.12 Diffie – Hellman Key Exchange
 The purpose of the algorithm is to enable two users to securely exchange a
key that can then be used for subsequent encryption of messages.
 The algorithm itself is limited to the exchange of secret values.
 The Diffie-Hellman algorithm depends for its effectiveness on the difficulty
of computing discrete logarithms.
 The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field
(modulo a prime or a polynomial).
 The two parties agree on a prime q and a primitive root α of q. A chooses a
secret XA < q and sends YA = α^XA mod q; B chooses a secret XB < q and sends
YB = α^XB mod q. Each raises the value it received to its own secret:
K = (YB)^XA mod q = (YA)^XB mod q = α^(XA XB) mod q.

The result is that the two sides have exchanged a secret value. An eavesdropper
sees only q, α, YA and YB and would have to compute a discrete logarithm to
recover XA or XB.
Ex: q = 353, α = 3, XA = 97 and XB = 233
A computes YA = 3^97 mod 353 = 40.
B computes YB = 3^233 mod 353 = 248.
After they exchange public values, each can compute the common secret key:
A computes K = (YB)^XA mod 353 = 248^97 mod 353 = 160.
B computes K = (YA)^XB mod 353 = 40^233 mod 353 = 160.

Man-in-the-Middle Attack
Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. Darth
first intercepts the exchange itself: he replaces YA with a public value of his
own on the way to Bob and YB with another of his own on the way to Alice, so
that Bob ends up sharing a key K1 with Darth (believing it is Alice's) and Alice
ends up sharing a key K2 with Darth (believing it is Bob's). The attack then
proceeds as follows:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first
case, Darth simply wants to eavesdrop on the communication without altering it.
In the second case, Darth wants to modify the message going to Bob.
The attack works because nothing in the exchange authenticates the participants.
This vulnerability can be overcome with the use of digital signatures and
public-key certificates.
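The exchange and the attack above in code, added as an example that is not part of the original notes: Diffie-Hellman with the page's parameters (q = 353, α = 3, XA = 97, XB = 233), then the man-in-the-middle run in which Darth performs a separate exchange with each side and relays messages between the two keys. Darth's exponents XD1 = 5 and XD2 = 7, and the XOR-with-hash "cipher" standing in for E(K, M), are constructed for the demonstration and are not part of the notes.

```python
# Added example (not from the original notes): Diffie-Hellman exchange with the
# page's parameters, and the man-in-the-middle attack including message relay.
import hashlib


def dh_public(alpha, x, q):
    """Y = alpha^x mod q: the value each party sends."""
    return pow(alpha, x, q)


def dh_shared(their_public, x, q):
    """K = Y^x mod q: the value each party keeps."""
    return pow(their_public, x, q)


def dh_exchange(alpha, q, xa, xb):
    """Honest exchange; returns (YA, YB, K computed by A, K computed by B)."""
    ya, yb = dh_public(alpha, xa, q), dh_public(alpha, xb, q)
    return ya, yb, dh_shared(yb, xa, q), dh_shared(ya, xb, q)


def dh_mitm(alpha, q, xa, xb, xd1, xd2):
    """Darth forwards YD1 to Bob in place of YA and YD2 to Alice in place of YB.
    Bob then shares K1 with Darth and Alice shares K2 with Darth; neither notices
    because nothing in the exchange is authenticated."""
    ya, yb = dh_public(alpha, xa, q), dh_public(alpha, xb, q)
    yd1, yd2 = dh_public(alpha, xd1, q), dh_public(alpha, xd2, q)
    k1_bob = dh_shared(yd1, xb, q)        # Bob:   (YD1)^XB
    k1_darth = dh_shared(yb, xd1, q)      # Darth: (YB)^XD1, equals k1_bob
    k2_alice = dh_shared(yd2, xa, q)      # Alice: (YD2)^XA
    k2_darth = dh_shared(ya, xd2, q)      # Darth: (YA)^XD2, equals k2_alice
    return {"alice": k2_alice, "bob": k1_bob, "darth": (k1_darth, k2_darth)}


def toy_encrypt(key, data):
    """XOR with a SHA-256-derived keystream: a symmetric stand-in for E(K, M),
    self-inverse so the same call decrypts. Not a real cipher."""
    stream = hashlib.sha256(str(key).encode()).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def darth_relay(ciphertext, k2, k1, tamper=None):
    """Steps 1 to 3 of the attack: decrypt E(K2, M) from Alice, optionally replace
    M by M', re-encrypt under K1 for Bob. Returns (plaintext seen, forwarded)."""
    m = toy_encrypt(k2, ciphertext)
    forwarded = toy_encrypt(k1, tamper if tamper is not None else m)
    return m, forwarded


if __name__ == "__main__":
    print(dh_exchange(3, 353, 97, 233))            # (40, 248, 160, 160)
    keys = dh_mitm(3, 353, 97, 233, 5, 7)
    ct = toy_encrypt(keys["alice"], b"meet at noon")
    print(keys, darth_relay(ct, keys["alice"], keys["bob"], tamper=b"meet at nine"))
```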
3.13 Elliptic curve arithmetic

Elliptic Curves:

An elliptic curve is a cubic equation of the form

y^2 + axy + by = x^3 + cx^2 + dx + e

where a, b, c, d and e are real numbers.

The majority of public-key crypto (RSA, D-H) uses either integer or polynomial
arithmetic with very large numbers/polynomials. This imposes a significant load
in storing and processing keys and messages. An alternative is to use elliptic
curves, which offer the same security with smaller bit sizes.
Real Elliptic Curves
 An elliptic curve is defined by an equation in two variables x and y, with
coefficients.
 Consider a cubic elliptic curve of the form y^2 = x^3 + ax + b where x, y, a, b
are all real numbers; also define the zero point O (the point at infinity).
 Points on the curve have an addition operation: P + Q is the reflection in the
x-axis of the third point where the line through P and Q meets the curve (the
tangent at P when P = Q); O is the identity, and the negative of (x, y) is
(x, −y).
Real Elliptic Curve Example
(figure)

Finite Elliptic Curves

 Elliptic curve cryptography uses curves whose variables and coefficients are
finite.
 Two families are commonly used:
1) prime curves Ep(a,b) defined over Zp
 use integers modulo a prime
 best in software
2) binary curves E2m(a,b) defined over GF(2^m)
 use polynomials with binary coefficients
 best in hardware
3.14 Elliptic curve cryptography [ECC]
Although RSA and ElGamal are secure asymmetric-key cryptosystems, their security
comes with a price: their large keys.
• Researchers have looked for alternatives that give the same level of security
with smaller key sizes.
• One of these promising alternatives is the elliptic curve cryptosystem (ECC).
DEFINITION
• Elliptic curve cryptography [ECC] is a public-key cryptosystem just like RSA,
Rabin, and ElGamal.
• Every user has a public and a private key.
– The public key is used for encryption/signature verification.
– The private key is used for decryption/signature generation.
• Elliptic curves are used as an extension to other current cryptosystems.
– Elliptic Curve Diffie-Hellman Key Exchange
– Elliptic Curve Digital Signature Algorithm
ECC Algorithm
• Both parties agree to some publicly known data items
– The elliptic curve equation y^2 = x^3 + ax + b mod p
• values of a and b such that 4a^3 + 27b^2 ≠ 0 (mod p), so that the curve is
non-singular
• a prime, p
– The elliptic group is computed from the elliptic curve equation: its elements
are the points (x, y) in Zp × Zp satisfying the equation, together with O
– A base point, G, taken from the elliptic group, whose order n (the smallest
n with nG = O) should be a large prime
• Each user generates their public/private key pair
– Private key = an integer x selected from the interval [1, n − 1], where n is
the order of G
– Public key = the product of the private key and the base point
(Product = x*G)
Example:

• Suppose Alice wants to send to Bob an encrypted message.
– Both agree on a base point, G.
– Alice and Bob create public/private keys.
Alice:
Private key = nA
Public key = PA = nA * G
Bob:
Private key = nB
Public key = PB = nB * G

– Alice takes the plaintext message, M, and encodes it onto a point, PM, from
the elliptic group.
Encryption: Alice chooses another random value k from {1, 2, ..., n − 1}, fresh
for every message (reusing k for two messages reveals the difference of the two
plaintext points).
Ciphertext: Cm = {kG, Pm + kPB}

Decryption by Bob:
 Take the first point from Cm: kG
 Multiply kG by Bob's private key: product = nB kG
 Take the second point from Cm and subtract the product from it:
Pm + kPB − nB kG
 Substitute PB = nB * G. Then Pm + k nB * G − nB kG = Pm
Only Bob can form nB kG, since it requires nB; an attacker would have to recover
k from kG or nB from PB, which is the elliptic curve discrete logarithm problem.
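The arithmetic of section 3.13 and the scheme above in code, added as an example that is not part of the original notes: point addition and doubling over Zp with the chord-and-tangent formulas, double-and-add scalar multiplication (the curve analogue of square-and-multiply), key generation x·G, the shared secret of elliptic curve Diffie-Hellman, and the {kG, Pm + kPB} encryption with its decryption. The curve y^2 = x^3 + 2x + 2 over Z17 with base point G = (5, 1), of order 19, and all key values are chosen here for illustration; they are far too small for real use.

```python
# Added example (not from the original notes): prime-curve arithmetic, ECDH and
# the ElGamal-style point encryption described above, on a toy curve.
P = 17                 # field prime (toy size, for illustration only)
A, B = 2, 2            # curve y^2 = x^3 + A*x + B over Z_P
G = (5, 1)             # base point, order 19
INF = None             # the point at infinity O


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def curve_is_nonsingular():
    """4a^3 + 27b^2 != 0 (mod p) is required for the group law to work."""
    return (4 * A ** 3 + 27 * B ** 2) % P != 0


def point_neg(pt):
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P)


def point_add(p1, p2):
    """Chord-and-tangent addition; O is the identity and P + (-P) = O."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k*P by double-and-add, scanning k from its least significant bit."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n with n*P = O (brute force; fine only for toy curves)."""
    k, t = 1, pt
    while t is not INF:
        t = point_add(t, pt)
        k += 1
    return k


def keypair(x):
    """Private key x in [1, n-1], public key x*G."""
    return x, scalar_mult(x, G)


def ecdh(priv_own, pub_other):
    """Shared point: nA * (nB * G) = nB * (nA * G)."""
    return scalar_mult(priv_own, pub_other)


def ec_encrypt(pm, pub_b, k):
    """Cm = {kG, Pm + k*PB} for a fresh random k."""
    return scalar_mult(k, G), point_add(pm, scalar_mult(k, pub_b))


def ec_decrypt(cm, priv_b):
    """Pm = (Pm + k*PB) - nB*(kG)."""
    c1, c2 = cm
    return point_add(c2, point_neg(scalar_mult(priv_b, c1)))


if __name__ == "__main__":
    print(curve_is_nonsingular(), point_order(G), scalar_mult(2, G), scalar_mult(3, G))
    na, pa = keypair(7)
    nb, pb = keypair(11)
    print(ecdh(na, pb), ecdh(nb, pa))
    cm = ec_encrypt(scalar_mult(3, G), pb, 4)
    print(cm, ec_decrypt(cm, nb))
```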

ECC is particularly beneficial for application where:


 Computational power is limited (wireless devices, PC cards)
 Integrated circuit space is limited (wireless devices, PC cards)
 High speed is required.
 Intensive use of signing, verifying or authenticating is required.
 Signed messages are required to be stored or transmitted (especially
for short messages).
 Bandwidth is limited (wireless communications and some computer
networks).

Advantages:
• Shorter key lengths
– Encryption, Decryption and Signature Verification speed up
– Storage and bandwidth savings
