An Exploration of Mathematical Applications in Cryptography
APPLICATIONS IN CRYPTOGRAPHY
THESIS
By
2015
Thesis Committee:
Rodica Costin
© Copyright by
Amy Kosek
2015
ABSTRACT
number theory or modern algebra. The structure of the paper also lends itself to be
their own, since we will always give a review of the background material which will
ACKNOWLEDGMENTS
My sincerest thanks to Jim Cogdell for working with me as my advisor for this
thesis project. His encouragement and guidance during the last year has meant so
much to me, and I am exceedingly grateful for it. Working with him has been a
pleasure and an honor. Also, thank you to Rodica Costin for being a member of
my thesis committee and my academic advisor. I so appreciate all of the advice and
support she has given me during my time at OSU. Lastly, I would like to thank my
wonderful husband, Pete Kosek. He has loved and supported me through every part
VITA
PUBLICATIONS
FIELDS OF STUDY
TABLE OF CONTENTS
Abstract
Acknowledgments
Vita
CHAPTER
1 Introduction
1.1 Motivation
1.2 Public-Key vs. Private-Key Ciphers
Bibliography
CHAPTER 1
INTRODUCTION
1.1 Motivation
In cryptography people design systems which can be used for protecting data. A
except by the person who can decrypt it. It is as if you put the message which
you want safe into a box with a lock on it; that way only someone with the key to
the lock can read the message. Information security is an extremely important and
relevant problem in the world, particularly in this day and age in which so much of
our communication occurs over the internet. Think about the last time you paid for
something online with your credit card. Did you trust that your card information
was safe and that it couldn’t be stolen by someone intercepting it? It most likely was
going to learn several different cryptographic ciphers and focus on what types of
very accessible to anyone who is familiar with elementary number theory or group
theory. In each of those chapters, we will do a brief refresher of the main mathe-
matical concepts which we will use before we jump into learning the cryptographic
ciphers. Chapter 4 will look into the study of elliptic curves and their applications to
cryptography. In that chapter we will give an introduction to elliptic curves before
studying the way they can be used in cryptographic ciphers. So you do not need
to have any prior exposure to elliptic curves to be able to study that section. It
may be helpful, however, to have some familiarity with finite fields in order to easily
able to send important or sensitive messages and information from party to party in
such a way that it cannot be intercepted or tampered with. Some examples could be
Public-key and private-key ciphers provide two techniques for this. In each of these
types of ciphers we will discuss encryption keys and decryption keys. The encryption
key is what will be used to encode the message from “plaintext” into “ciphertext”,
whereas the decryption key is what will be used to decode the ciphertext back into
of this is Caesar’s Cipher, which is a very simple shift cipher. To do this you take
each letter in your message and replace it with a different letter which is a fixed
number of places further in the alphabet. For example you could replace A with
E, B with F, C with G, etc. To decrypt the message you simply reverse shift the
letters the same fixed amount you used in the encryption. So anyone who knows
how the message was encrypted could decrypt it. Currently used symmetric ciphers
are far more complicated and provide far more security than Caesar’s Cipher. The
main idea to grasp at this point, however, is that in a private-key cipher both the
encryption key and decryption key must be kept secret from those who are not a
part of the communications at hand in order to ensure the cipher’s security. Because
of this encryption/decryption keys must be generated for pairs of people each time
they wish to communicate. One thing to note is that because the encryption key and
decryption key for a symmetric cipher are essentially equivalent we will sometimes
oped in such a way that knowledge of the encryption key gives no information as to
what the decryption key is (at least not in any reasonable amount of computing time).
problem which is “easy” in one direction, but “difficult” in the other direction. For
example, the RSA Cipher which we will discuss in the next chapter uses the notion
that multiplying two large primes together, each on the order of 10^80 or larger, is
relatively easy in a computational sense, versus trying to factor a large number, say
on the order of 10^160 or larger, into its prime factors, which is seemingly impossible
to do in any realistic amount of time. This may not make perfect sense now, but as
we move on to the sections describing the various public-key ciphers we will explain
The benefit of a public-key cipher is that one person, say Bob, could use it to
set up an encryption key which he then makes public and keeps his decryption key
private to himself. Now several parties could look up Bob’s encryption key and send
him a message which only he will be able to decrypt. This reduces the number of
to use a public-key cipher in order to encrypt and send a shared private-key which can
then be used for communication using a faster running symmetric cipher. This shared
private-key will be used for a single session of communication and then discarded after
CHAPTER 2
In this section we will be outlining several topics from number theory which we will
need in order to explore the mathematics behind the cryptographic cipher known as
the RSA Cipher. The RSA Cipher is a wonderful example of a real world application
of the theoretical topics learned in elementary number theory. As you read through
this section you will find that we have omitted much of the material surrounding
the definitions and theorems given, and instead trimmed it down into just the basics
which we will need to recall when we learn the RSA cipher. If you need a more in
depth explanation of any of these topics there are several wonderful resources such
divisor of b. Often we will use the notation a | b which is read as “a divides b.”
Lemma 2.1.1. Suppose we have two integers a and b with a common divisor d ≠ 0.
That is, d | a and d | b, then we will have d | (ra + sb) for any integers r and s.
for some integers j and k. Then ra + sb = r(dj) + s(dk) = d(rj + sk). Since (rj + sk)
a pair of unique integers q and r with 0 ≤ r < a such that b = aq + r. We call q the
Finding such a quotient and remainder is what we find when performing long
division. After doing long division it is common to represent the ratio of b divided
by a as b/a = q + r/a, but we can see that this statement is equivalent to the
statement b = aq + r given in the proposition above.
Definition 2.1.2. The greatest common divisor of two non-zero integers a and
b is the largest integer c such that c divides both a and b. This is denoted by gcd
this text. If the greatest common divisor of a and b is 1 then we say that a and b are
relatively prime.
There is a very useful procedure for computing the greatest common divisor of
have two positive integers a and b, with a ≤ b and let d = gcd(a, b). By Proposition
that d is also a common divisor of r_1 and r_2. Iterating this process we continue until
we obtain an r_{k+1} = 0. Then we have that d = r_k. We can see that the process
will terminate because the remainders are getting smaller with each iteration, but
It should be clear that r_k is a common divisor of a and b, but we will omit the proof
that rk is actually the greatest common divisor. Let us do a few examples to better
522 = 213(2) + 96
213 = 96(2) + 21
96 = 21(4) + 12
21 = 12(1) + 9
12 = 9(1) + 3
9 = 3(3) + 0.
So gcd(522, 213) = 3.
1549 = 726(2) + 97
726 = 97(7) + 47
97 = 47(2) + 3
47 = 3(15) + 2
3 = 2(1) + 1.
1, whose only positive divisors are 1 and itself. An integer greater than 1 which is
teger greater than 1 we can write that integer as a unique product of primes (up to
Definition 2.1.4. For a positive integer m, which we will call our modulus, we say
a and b have the same remainder when divided by m. Symbolically this is written as
since 5 ∤ (7 − 3) = 4.
way of finding multiplicative inverses modulo n. The way we can do this is by first
using the algorithm to show that gcd(a, n) = 1. We then work backwards through
the equations that were found in order to represent 1 = ad + nc for some integers d
and c. We then will have that the multiplicative inverse of a modulo n is d. This is
1 ≡ ad + nc ≡ ad + 0 ≡ ad (mod n).
Example: Find the multiplicative inverse of 9 modulo 32. First let us perform
the Euclidean Algorithm to show that gcd(32, 9) = 1; this is seen in the left hand
column below. At each step we will also solve for the remainder in the equation,
which can be seen in the right hand column below. These remainder equations are
Now we work backwards through these equations. First we use the last equation (i)
which states 1 = [5 − 4(1)]. Next we use the second to last equation (ii ) to substitute
4 = [9 − 5(1)] into our previous expression. We then distribute and group our terms
replace 5 = [32 − 9(3)] (iii ) and again group our terms to obtain the desired equation
in terms of 32 and 9.
1 = 5 − 4(1)   (i)
  = 5 − [9 − 5(1)]   (ii)
  = 5 − 9 + 5   (distribute)
  = 5(2) − 9   (group)
  = [32 − 9(3)](2) − 9   (iii)
  = 32(2) − 9(7).   (group)
Thus we see that 9^{−1} ≡ −7 ≡ 25 (mod 32). We can confirm this by checking that
Example: Find the multiplicative inverse of 726 modulo 1549. Recall earlier we
used the Euclidean Algorithm to find that gcd(1549, 726) = 1 by finding:
1 = [3 − 2] (i)
= −47 + 3(16)
= 97(16) − 47(33)
= −726(33) + 97(247)
= 726(−527) + 1549(247).
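As an added illustration (code written for this edit, not part of the thesis), here is the Euclidean Algorithm of Section 2.1 and its extended form in Python. The worked examples above run the algorithm forward and then substitute backwards by hand; the extended form below instead keeps each remainder expressed in terms of the original pair as it goes, which is how an implementation computes an inverse in one pass. Function names are my own; the inputs are the thesis's own numbers.

```python
# Added example: Euclidean algorithm, extended Euclidean algorithm and the
# modular inverse it yields.  Not from the thesis; function names are mine.

def euclid_steps(b, a):
    """Return the rows b = a*q + r produced by the Euclidean algorithm on
    (b, a), as (dividend, divisor, quotient, remainder) tuples, stopping at
    the first zero remainder.  The last non-zero remainder is gcd(a, b)."""
    rows = []
    while a != 0:
        q, r = divmod(b, a)
        rows.append((b, a, q, r))
        b, a = a, r
    return rows


def gcd(a, b):
    """gcd(a, b) by repeatedly replacing (a, b) with (b, a mod b)."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Extended Euclidean algorithm.

    Returns (g, r, s) with g = gcd(a, b) and r*a + s*b = g.  Rather than
    working backwards through the remainder equations (as the examples in
    the text do), the coefficients are carried forward: at every step the
    current remainder is kept written as a combination of the original a
    and b, so the final non-zero remainder comes with its coefficients.
    """
    old_r, r = a, b
    old_s, s = 1, 0          # invariant: old_r == old_s*a + old_t*b
    old_t, t = 0, 1          # invariant: r     == s*a     + t*b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """The multiplicative inverse of a modulo n as the least positive residue.
    Raises ValueError when gcd(a, n) != 1, because then no inverse exists."""
    g, r, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {g}")
    return r % n             # r*a + s*n = 1  implies  r*a ≡ 1 (mod n)


if __name__ == "__main__":
    for b, a, q, r in euclid_steps(1549, 726):
        print(f"{b} = {a}({q}) + {r}")
    print("gcd(522, 213) =", gcd(522, 213))            # 3
    print("9^-1 mod 32 =", mod_inverse(9, 32))          # 25
    print("726^-1 mod 1549 =", mod_inverse(726, 1549))  # 1022
```

`mod_inverse(726, 1549)` returns 1022, which is −527 reduced to the interval (0, 1549); the inverse the text found is the same residue class.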
Definition 2.1.6. The Euler φ-function, φ(n), is defined to be the number of positive
Examples: Consider n = 10. We see that the only positive integers k ≤ 10 such
Consider n = 7. Then all positive integers strictly less than 7 are relatively prime to
gcd(1, 1) = 1.
We can find a formula for computing φ(n), given the prime factorization of n. We
Consider n = p for any prime p. Then we see that all positive integers k < p
Consider n = p^j where p is any prime and j is any positive integer. The only
integers which will have a common (non-trivial) factor with p^j are multiples of p.
The multiples of p less than or equal to p^j are: p, 2p, 3p, ..., (p^{j−1})p = p^j. So we
see that there are p^{j−1} such multiples. We can then conclude that the number of
positive integers less than or equal to p^j which are relatively prime to p^j will be
φ(p^j) = p^j − p^{j−1} = p^j (1 − 1/p).
We can now conclude the following proposition:
Proposition 2.1.3. For a positive integer n where n = p_1^{a_1} p_2^{a_2} ··· p_k^{a_k} we have
φ(n) = n ∏_{i=1}^{k} (1 − 1/p_i).
Proof. Since φ(n) is multiplicative then we have
An alternative way of representing this product is to write φ(n) = n ∏_{p|n} (1 − 1/p),
where it is understood that this will mean to index the product over all prime divisors
of n.
Theorem 2.1.2. (Euler’s theorem) For two positive integers n and m which are
m^{φ(n)} ≡ 1 (mod n)
have that gcd(3, 10) = 1 and we can confirm that 3^4 ≡ 81 ≡ 1 (mod 10).
Little Theorem, which states that for any prime p and integer a we have a^p ≡ a
(mod p). Restricting a to be not divisible by p then makes Fermat's Little Theorem
equivalent to a^{p−1} ≡ 1 (mod p) which is the same as Euler's Theorem in the case that
n is a prime p. Also, for those readers familiar with groups we can see that Euler's
theorem is a specific case of the fact that in a finite group, the order of an element
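An added Python example (not from the thesis) for Definition 2.1.6, Proposition 2.1.3 and Theorem 2.1.2: φ(n) computed from the prime factorization by the product formula, checked against the counting definition, and Euler's Theorem evaluated directly, including a value of m that is not relatively prime to n, where the theorem does not apply. The trial-division factorization is only adequate for small n, which is the point the next section turns on; function names are my own.

```python
import math

# Added example: Euler's phi-function and Euler's theorem.  Not thesis code.


def factorize(n):
    """Prime factorization by trial division, returned as {prime: exponent}.
    Fine for the small moduli of this chapter; hopeless for RSA-sized n."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2        # try 2, then odd candidates only
    if n > 1:                          # what is left is a prime
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), evaluated in integer arithmetic:
    for each prime p dividing n, replace n by (n / p) * (p - 1)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def phi_by_counting(n):
    """Definition 2.1.6 taken literally: count 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)


def m_to_the_phi(m, n):
    """m^phi(n) mod n.  Euler's theorem says this is 1 whenever gcd(m, n) = 1.
    When gcd(m, n) != 1 the theorem does not apply, and the value is never 1
    (a power of m congruent to 1 would make m invertible modulo n)."""
    return pow(m, euler_phi(n), n)


if __name__ == "__main__":
    print("phi(10) =", euler_phi(10))        # 4
    print("phi(7)  =", euler_phi(7))         # 6
    print("3^phi(10) mod 10 =", m_to_the_phi(3, 10))   # 1
    print("2^phi(10) mod 10 =", m_to_the_phi(2, 10))   # 6, not 1
```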
One of the most well known and widely used public-key cipher systems is the RSA
Cipher [1,8]. It is named for its authors Ron Rivest, Adi Shamir, and Leonard Adleman
who first publicly described the system in 1977. Clifford Cocks, a cryptographer
tion cipher to RSA in 1973, but his work was not declassified until 1997, so Rivest,
Shamir and Adleman are commonly credited with the discovery of the cipher [8]. The
security of this system is based upon the difficulty of factoring large numbers into
elementary number theory topics to the realm of cryptography. The cipher utilizes
the Euler φ-function, and Euler’s Theorem. We will first explain how the cipher
works and work through an example of its implementation. We then will delve into
The RSA Cipher: Bob wishes to establish a public encryption key so that
people may send him encrypted messages which only he can decrypt. To do so,
first Bob will choose two secret large prime numbers, p and q. Bob then forms his
modulus n by computing n = pq. Next, Bob will choose an integer e such that
gcd(e, (p − 1)(q − 1)) = 1. This e will serve as his encryption key. Bob then
computes his decryption key d such that de ≡ 1 (mod (p − 1)(q − 1)). That is, d is
the multiplicative inverse of e modulo (p − 1)(q − 1). Bob then makes n and e public,
If Alice wants to send a secret message to Bob, she will first convert her plaintext
message into an integer m. (Note that if m ≥ n then Alice should break up m into
several blocks which are each smaller than n and send the blocks individually. For
now we will assume m < n). Alice then encrypts her plaintext message m into her
ciphertext c by computing
c ≡ m^e (mod n)
and choosing the value for c such that 0 < c < n. Alice will send the ciphertext c to
Bob.
In order to read Alice’s message, Bob will then decrypt her ciphertext c by com-
puting
m ≡ c^d (mod n)
We will do an example now to see how this cipher will work before we continue
Example: For this example we will use small numbers in order to simplify the
work. In practice, however, numbers such as the choice of n will need to be on the
order of 10^160 or larger (current practice is a modulus of at least 2048 bits, roughly
10^617). For a few of the computations we will still likely need the use of a
computer.
3149. Next he needs to choose an encryption key e so that gcd(e, (p − 1)(q − 1)) = 1.
We can use the Euclidean Algorithm to verify that gcd(5, 3036) = 1. We write:
3036 = (607)5 + 1
5 = (5)1 + 0.
So indeed we have gcd(5, 3036) = 1. Now Bob must compute his decryption exponent
we need:
3036 + (−607)5 = 1.
Thus we have that d = 2429. Bob now has his secret primes p and q, his modulus n,
his encryption key e and his decryption key d. Bob keeps p, q, and d secret, and he
makes n and e public so that Alice can send him an encrypted message.
Suppose Alice wants to send the plaintext message “HI” to Bob. One way Alice
could convert her message into an integer m is to use a basic mapping of A → 01,
B → 02, etc. So she gets “HI” becomes m = 0809 = 809 which is strictly less than
c ≡ m^e (mod n)
obtaining
plications. We see that 654481 ≡ 2638 (mod 3149). So by reducing, next we will
obtain:
So Alice has computed that c ≡ 2522 (mod 3149) and since 0 < 2522 < 3149 she will
m ≡ c^d (mod n)
He notes that 0 < 809 < 3149 so Bob knows that Alice’s message m must be m = 809.
So we see Bob was able to recover and read Alice’s message “HI”.
This example allows us to see that the RSA cipher works. That is Alice was able
to encrypt her message, send it to Bob, and Bob was then able to properly decrypt
it and read her message. What is not as easy to see is why the cipher works. To see
this we will use several of the number theory topics we have discussed so far.
Let us look at several of the elements of the RSA cipher and figure out why we
the cipher algorithm we see that the decryption key d is chosen so that d ≡ e^{−1}
(mod (p − 1)(q − 1)). Thus e must have a multiplicative inverse modulo (p − 1)(q − 1),
and recall that this inverse exists if and only if gcd(e, (p − 1)(q − 1)) = 1. Thus we
Then since de ≡ 1 (mod φ(n)) we are able to write de = 1 + kφ(n) for some integer k.
Euler’s Theorem then tells us that for two positive integers, a and n, if gcd(a, n) = 1
You may have noticed that Euler’s Theorem has a condition that gcd(a, n) = 1.
But in the RSA cipher we never state that we need m relatively prime to n. In fact,
because of the construction of the RSA algorithm we do not need the condition of
gcd(m, n) = 1. The cipher will still work even if they are not relatively prime. A
curious reader could prove this by following the outline given in Chapter 6, Exercise
19 of [8].
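The RSA cipher of this section as an added Python example (not the thesis's code), run on the parameters of the worked example: p = 47, q = 67, e = 5, so n = 3149 and d = 2429, with the message "HI" encoded as 809 under the A → 01 mapping. It also extends the mapping to text longer than one block, checks the claim above that decryption still works when gcd(m, n) ≠ 1, and shows the attacker's side: once n is factored, d follows immediately. Function names are my own. Note that this is "textbook" RSA: encryption is deterministic and unpadded, so equal blocks give equal ciphertexts and the cipher is malleable; deployed RSA applies a randomized padding such as OAEP before exponentiation, and uses moduli of at least 2048 bits.

```python
import math

# Added example: textbook RSA on the thesis's parameters.  Not thesis code;
# function names are mine.


def rsa_keygen(p, q, e):
    """Bob's key generation: n = pq and d = e^(-1) mod (p-1)(q-1).
    Returns the public key (n, e) and the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_encrypt_int(m, public_key):
    """c = least positive residue of m^e mod n, for one block 0 < m < n."""
    n, e = public_key
    if not 0 < m < n:
        raise ValueError("message block must satisfy 0 < m < n")
    return pow(m, e, n)


def rsa_decrypt_int(c, n, d):
    """m = least positive residue of c^d mod n."""
    return pow(c, d, n)


# The A -> 01, B -> 02, ..., Z -> 26 mapping of the worked example, extended
# to longer text: letters are grouped so that every block is < n.

def letters_per_block(n):
    """Largest L such that the largest L-letter block, "26"*L, is still < n."""
    L = 1
    while int("26" * (L + 1)) < n:
        L += 1
    return L


def encode_text(text, n):
    L = letters_per_block(n)
    text = text.upper()
    return [int("".join(f"{ord(ch) - 64:02d}" for ch in text[i:i + L]))
            for i in range(0, len(text), L)]


def decode_text(blocks):
    """Inverse of encode_text: restore a dropped leading zero, then read two
    digits per letter."""
    letters = []
    for m in blocks:
        digits = str(m)
        if len(digits) % 2:
            digits = "0" + digits
        letters.append("".join(chr(int(digits[i:i + 2]) + 64)
                               for i in range(0, len(digits), 2)))
    return "".join(letters)


def rsa_encrypt_text(text, public_key):
    n, _ = public_key
    return [rsa_encrypt_int(m, public_key) for m in encode_text(text, n)]


def rsa_decrypt_text(blocks, n, d):
    return decode_text([rsa_decrypt_int(c, n, d) for c in blocks])


# Eve's side: whoever can factor n knows phi(n) and therefore d.

def factor_two_prime_modulus(n):
    """Trial division up to sqrt(n); returns (p, q).  Instant for n = 3149,
    which is exactly why real moduli are hundreds of digits long."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(n, e):
    p, q = factor_two_prime_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, d = rsa_keygen(47, 67, 5)
    n, _ = public
    blocks = rsa_encrypt_text("HI", public)
    print(public, d, blocks, rsa_decrypt_text(blocks, n, d))   # (3149, 5) 2429 [2522] HI
    print("Eve recovers d =", recover_private_exponent(n, 5))  # 2429
```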
Intuitively we can also discover, however, that the probability of having an m such
that gcd(m, n) ≠ 1 is extremely small for our choice of n = pq where p and q are very
large primes. That is because to have gcd(m, n) ≠ 1 then we must have that m is a
in the range 0 < k ≤ n = pq. The probability that k will be divisible by p or q will be
q/(pq) + p/(pq) − 1/(pq) = 1/p + 1/q − 1/(pq). That is because the positive multiples of p which are less
than or equal to n are p, 2p, 3p, . . . , qp = n. So there are q such possibilities. Similarly
the positive multiples of q which are less than or equal to n are q, 2q, 3q, . . . , pq = n.
So there are p such possibilities. We then get the final result by adding up these two
q are large numbers then the probability of m and n not being relatively prime is
extremely small.
The security of the RSA cipher is based on the difficulty of factoring large integers
into their prime factorization. The decryption key d is easily computed when φ(n)
is known; however, φ(n) is not easily known without having the prime factorization
To give a bit of intuition behind this consider that a common way of looking for
prime factors of a number n is to divide n by all of the prime numbers less than
or equal to √n and see if they divide n. In mathematics there is a prime-counting
function π(x) which counts the number of primes less than or equal to x. The Prime
Number Theorem tells us that x / ln x is a good approximation for π(x) as x → ∞. So
for a large value of n, we will have that π(√n) is a very large number. That would
time consuming computational process. This example is certainly not the best way
n. Even the best known algorithms for attempting to factor n are very "bad" in that
their running time grows faster than any polynomial in the number of digits of n, so
they take an infeasible amount of time to run if n is very large [1, 8].
Something important to notice about the RSA algorithm is how c and m are
chosen after the modular computation has been completed. In order to determine
a (mod n) what we are really finding are equivalence classes of numbers which all
have the same remainder when divided by n. This is called the residue class of a
modulo n and can be denoted ⟦a⟧_n. So for example we see that r ≡ 2 (mod 5)
is really describing the set of numbers {..., −8, −3, 2, 7, 12, ...} = ⟦2⟧_5. In the RSA
algorithm, however, what we really want are particular numbers c and m. This is why
we choose c and m so that they lie in the interval (0, n). In doing so we guarantee
the uniqueness of c and m for the use of the cipher. Such a c and m are called the
for example, c is the smallest positive integer in ⟦m^e⟧_n. (Note that based on our
original creation of m we will not have c or m equal to 0 in the RSA cipher. In general
settings, however, a residue can be 0 and so the least non-negative residue is used.)
than using b ≡ a (mod n) and specifying which value of b to choose. The command
a%n returns the least non-negative residue of a (mod n) for non-negative a, which is
precisely the desired result. (In languages such as C the sign of a%n follows the sign
of a, so a negative a must be adjusted by adding n before the value is used as a residue.)
CHAPTER 3
(DLP) which has been very well used in the world of cryptography. The DLP has
the potential of being a very difficult problem to solve and so cryptographers have
created ciphers in which cracking the system would require solving the DLP. We will
explain this in greater detail once we define the Discrete Log Problem, but before we
do so, we will explain several preliminary concepts. For more in depth explanations
notation (Z/nZ)× , is the set of integers, k, with 1 ≤ k < n such that gcd(k, n) = 1,
4^1 ≡ 4 ≢ 1 (mod 9),
4^2 ≡ 16 ≡ 7 ≢ 1 (mod 9),
4^3 ≡ 64 ≡ 1 (mod 9).
So ord_9(4) = 3 since 3 is the smallest positive integer satisfying 4^k ≡ 1 (mod 9).
had a^{φ(n)} ≡ 1 (mod n). Thus we can conclude that we must have ord_n(a) ≤ φ(n).
A much stronger conclusion can be shown which states that ordn (a) must divide
φ(n). For those familiar with group theory, this can be seen as a specific example of
the order of an element dividing the order of the group since the order of the group
(Z/nZ)× is φ(n). Knowing this fact can make the process of finding the order of an
element much easier. Rather than checking all possible exponents from 1 up to φ(n),
we only need to check those exponents which are divisors of φ(n). For the above
example, we could have determined that ord_9(4) was one of 1, 2, 3 or 6, since those
are the only divisors of φ(9) = 6, and only checked those values.
This is the same as saying that g satisfies ordn (g) = φ(n). Thinking of this in
terms of group theory, this would mean that the group (Z/nZ)× is cyclic and that g
It is important to note that in general primitive roots will not exist for all arbitrary
n. The following theorem states for which moduli n a primitive root will exist.
Theorem 3.1.1. Given a positive integer n, a primitive root modulo n will exist if
• n = p^k for an odd prime p and an integer k with k ≥ 1
• n = 2p^k for an odd prime p and an integer k with k ≥ 1
• n = 2, or 4
It is sometimes also included that n = 1 has a primitive root trivially. The main
point which we will take away from this theorem for use in the cryptographic ciphers
we will discuss is that every modulus which is an odd prime will have a primitive
root.
then it follows that there will be a primitive root modulo 10. We will show that
g = 3 is a primitive root modulo 10. The integers less than or equal to 10 which are
3^1 ≡ 3 (mod 10),
3^2 ≡ 9 (mod 10),
3^3 ≡ 27 ≡ 7 (mod 10),
3^4 ≡ 81 ≡ 1 (mod 10).
So we can see that g = 3 can generate all of the integers relatively prime to 10. We
Consider n = 7. Since 7 is prime then a primitive root will exist. We will show
g = 5 is a primitive root modulo 7. All positive integers strictly less than 7 are
relatively prime to 7 and so for each such integer j there should be an exponent k
5^1 ≡ 5 (mod 7),
5^2 ≡ 25 ≡ 4 (mod 7),
When working with a modulus, n, which we know will have a primitive root, then
we can find a more efficient way to check if g is a primitive root modulo n. Recalling
from above we saw that ordn (a) must be less than or equal to φ(n) and must divide
φ(n). We also had that g was a primitive root modulo n if ordn (g) = φ(n). Thus, we
can check that g is a primitive root modulo n by checking that no proper divisor, k,
of φ(n) satisfies g k ≡ 1 (mod n). That is to say, that no proper divisor of φ(n) is the
order of g modulo n and so we must have ordn (g) = φ(n) so g must be a primitive
root modulo n. Another important note to make is that if ord_n(g) = k then we have
g^{ck} ≡ (g^k)^c ≡ (1)^c ≡ 1 (mod n) for any positive integer c. Thus we can use the
following process to check if g is a primitive root modulo n, when given the prime
factorization of φ(n).
Check if g is a primitive root modulo n: Given φ(n) = p_1^{a_1} p_2^{a_2} ··· p_k^{a_k}, for each
This check works much faster than checking all of the proper divisors of φ(n) to see
if they are ord_n(g). What we have is that any proper divisor of φ(n) = p_1^{a_1} p_2^{a_2} ··· p_k^{a_k}
will be a proper divisor of, or equal to, φ(n)/p_i for some i = 1, 2, . . . , k. Thus if
ord_n(g) is a proper divisor of φ(n) then it will be a divisor of, or equal to, φ(n)/p_i for
Example: Check that g = 11 is a primitive root modulo p = 71 given that
So we can see that none of the proper divisors of φ(71) = 70 can be the order of 11 modulo 71,
p = 71.
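Added example code (not the thesis's) for the computations of Section 3.1: the order of an element found by testing only the divisors of φ(n), the fast primitive-root check that uses the prime factorization of φ(n), and the enumeration of powers done by hand for g = 3 modulo 10 and g = 5 modulo 7. The factorization of φ(n) is passed in as a dictionary {prime: exponent}, since the section assumes it is known; function names are my own.

```python
import math

# Added example: orders and primitive roots.  Not thesis code; names are mine.


def divisors_from_factors(factors):
    """All positive divisors of the number with factorization
    {prime: exponent}, in increasing order."""
    divs = [1]
    for p, a in factors.items():
        divs = [d * p ** i for d in divs for i in range(a + 1)]
    return sorted(divs)


def multiplicative_order(a, n, phi_factors):
    """ord_n(a): the least k > 0 with a^k ≡ 1 (mod n).
    Since ord_n(a) divides phi(n), only divisors of phi(n) are tried."""
    if math.gcd(a, n) != 1:
        raise ValueError("the order is only defined for a relatively prime to n")
    for k in divisors_from_factors(phi_factors):
        if pow(a, k, n) == 1:
            return k
    raise ValueError("no divisor of phi(n) worked: phi_factors must be wrong")


def is_primitive_root(g, n, phi_factors):
    """The check of Section 3.1: g is a primitive root modulo n exactly when
    g^(phi(n)/p) is not 1 (mod n) for every prime p dividing phi(n)."""
    if math.gcd(g, n) != 1:
        return False
    phi = math.prod(p ** a for p, a in phi_factors.items())
    return all(pow(g, phi // p, n) != 1 for p in phi_factors)


def find_primitive_root(n, phi_factors):
    """The smallest primitive root modulo n, or None if there is none."""
    for g in range(1, n):
        if is_primitive_root(g, n, phi_factors):
            return g
    return None


def generated_residues(g, n):
    """g^1, g^2, ... modulo n until a value repeats: the by-hand check that a
    candidate g reaches every residue relatively prime to n."""
    seen, cur = [], 1
    while True:
        cur = cur * g % n
        if cur in seen:
            return seen
        seen.append(cur)


if __name__ == "__main__":
    print("ord_9(4) =", multiplicative_order(4, 9, {2: 1, 3: 1}))          # 3
    print("11 primitive mod 71:", is_primitive_root(11, 71, {2: 1, 5: 1, 7: 1}))  # True
    print("powers of 3 mod 10:", generated_residues(3, 10))                # [3, 9, 7, 1]
    print("smallest primitive root mod 71:", find_primitive_root(71, {2: 1, 5: 1, 7: 1}))  # 7
```

The dictionary argument is deliberate: for a prime modulus p the hard part is factoring φ(p) = p − 1, and in practice p is chosen so that this factorization is known in advance (for instance p = 2q + 1 with q prime), which the end of this section discusses.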
An interesting point to make here is that trying to find the prime factorization
of φ(n) is a “hard” problem. In fact, if n is not a prime, even finding φ(n) can be
hard because we would need to know the prime factorization of n. We can recall that
the security of the RSA cipher discussed in Section 2.2 was based on the fact that
factoring large numbers was hard. So unless we know φ(n) and its factorization, this
method is not very practical. We will discuss this issue and how it could be handled
Now that we have discussed these preliminary topics, let us discuss the Discrete
Logarithm Problem.
and two positive integers s and t = s^m, both reduced modulo n, find m. We call the
smallest positive integer m such that t ≡ sm (mod n) the discrete logarithm base s
of t modulo n.
Example: Find the discrete logarithm base 5 of 2 modulo 7. That is, we want
to find the smallest integer m so that 5^m ≡ 2 (mod 7). With a small amount of trial
When working in the standard real numbers, solving logarithms is a very well
understood problem. We can use series to accurately solve for or give good approx-
imations for real valued logarithms, and so for a computer this would be considered
an “easy” problem. When working in the finite group of (Z/pZ)× for an odd prime
p, the Discrete Log Problem (DLP) can be a very difficult problem to solve. In par-
ticular if we choose s = g where g is a primitive root modulo p then solving the DLP
becomes extremely difficult, especially as p becomes very large. The intuition behind
why this particular problem is so hard is that since g is a primitive root modulo p
then, by its definition, every integer a which is relatively prime to p can be expressed
as g^k ≡ a (mod p) for some positive integer k ∈ [1, φ(p)] where φ(p) = p − 1. Since
p is a large prime then all integers 1, . . . , p − 1 are relatively prime to p. Thus for
modulo p to any a ∈ [1, p − 1]. As p then becomes very large, the probability of
choosing the correct exponent, k, for which g^k ≡ t (mod p) for a given integer t is
1/(p − 1), which is extremely small.
To date, there are no known algorithms which solve this DLP in polynomial time [1, 8].
(The guessing argument above understates what an attacker can do: generic methods
such as baby-step giant-step need only about √p operations, and index-calculus
methods do better still in (Z/pZ)^×, so p must be chosen large enough that even
these are infeasible.)
Because of this difficulty, cryptographers have developed ciphers which are based
upon the DLP. That is, they have developed systems in which, in order to crack
the system, one would need to be able to solve the DLP. In the next two sections
we will discuss two different cryptographic ciphers which implement the Discrete Log
Problem, and we will explain the mathematical applications that we can find in them.
We can recall from Section 1.2 the difference between public-key ciphers and private-
key ciphers. One benefit of private-key ciphers is that they are often much faster
computationally than public-key ciphers are. So for this benefit they are still widely
used for communication. A very real issue can arise, however, when trying to use a
private-key cipher.
Suppose Bob and Alice want to communicate privately using a symmetric cipher.
To do this they both need to know a shared key which will allow them to encrypt
and decrypt the information that they send to one another. But, they currently do
not have any secure way of communicating (it is possible they have never even met
each other before!), so they cannot just publicly discuss what key to use as it might
be overheard and intercepted by Eve the eavesdropper. They need a way to securely
establish a secret shared key which they can use for their private-key cipher without
Eve (who presumably can read/hear all of their current communication) being able
One way that this problem can be solved is with the Diffie-Hellman Key Exchange.
This key exchange was first published by Whitfield Diffie and Martin Hellman in
1976 [1, 8]. The idea is that we can use a type of dual public-key cipher in order to
create a shared key for a private-key cipher. We will explain how this cipher works
and then discuss some of the mathematical applications that we can see are used.
shared secret key for use in a private-key cipher. They can do so using the following
method.
A large prime number p is chosen and a primitive root g modulo p is chosen. Both
numbers p and g can be made public, and so Alice and Bob can share these with each
Once p and g are established then Alice will choose a secret large integer x and
Bob will choose a secret large integer y. They can choose these such that 1 ≤ x < p−1
and 1 ≤ y < p − 1.
Alice computes X ≡ g^x (mod p), chooses the value of X satisfying 0 < X < p,
and sends X to Bob. Similarly, Bob computes Y ≡ g^y (mod p), chooses the value of
Once they have received these messages each of Alice and Bob can compute a
shared private-key K. Alice does this by computing K ≡ Y^x (mod p) and Bob does
this by computing K ≡ X^y (mod p) and each chooses K such that 0 < K < p. We
can see that they have computed the same key K by observing that
Y^x ≡ (g^y)^x ≡ g^{xy} ≡ (g^x)^y ≡ X^y (mod p).
Let us do an example so that we can see how this system works. For our example
we will be using relatively small numbers so that the computations we need to make
do not get out of hand. A true implementation of the Diffie-Hellman Key Exchange
would need to use a very large value of p and would use a computer to carry out all
of the computations.
Example: Bob and Alice agree to use p = 71. They need to find a primitive root
g modulo p = 71. They try g = 11. We have already shown in a previous example
in Section 3.1 that g = 11 is a primitive root modulo p = 71, so we will skip the
computation here.
Alice then chooses her secret integer. She picks x = 12 which is in the interval
[1, 70). Similarly Bob chooses his secret integer y = 47 which is in [1, 70).
Alice computes
Bob computes
and determines K = 15 since 0 < 15 < 71. Now Bob and Alice have a secret shared
key of K = 15. We won’t discuss how they can use it specifically, but they now
have K as a commonly shared piece of secret information, which they can use as a
Why is it that the Diffie-Hellman key exchange is secure? That is, if Eve is an
eavesdropper listening in on Bob and Alice’s communications, why is Eve not able to
find K for herself? Eve will be able to know p, g, X and Y since all of these are sent
via insecure communication channels. If Eve wanted to compute K she would need
to compute g^{xy} (mod p). Eve does not know x or y, however, unless she can solve
X ≡ g^x (mod p) for x (or Y ≡ g^y (mod p) for y). Thus the security of the Diffie-Hellman key exchange is based on
the difficulty of computing discrete logarithms over finite groups. In particular the
discrete log problem is difficult in the group of units modulo p when the base of the
Let us consider why it is sufficient for Alice and Bob to choose integers x and y
which lie in the interval [1, p−1). In Chapter 2 we looked at the Euler φ-function and
Euler's Theorem (Definition 2.1.6 and Theorem 2.1.2). We saw that for a prime p we
had φ(p) = p − 1 and that for any integer a relatively prime to a modulus n, a^{φ(n)} ≡ 1
So if, for example, Alice chose x > φ(p) = p − 1 then g^x (mod p) would be equivalent
to g^{x'} (mod p) for some integer x' in [0, p − 1) with x ≡ x' (mod p − 1). Alice further
does not want to choose x = 0 since then g^x ≡ 1 (mod p) which is not very secure.
So she should choose x in [1, p − 1), and Bob should choose y similarly, in order to
In this key exchange, we see that, Bob and Alice have to compute several modular
squaring. Examples of how this is done can be seen in the example of the RSA Cipher
in Section 2.2, and in the example of the ElGamal Cipher in the section below.
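To make the exchange and the eavesdropper's position concrete, the following Python is an added example (not from the thesis): both sides' computations on the p = 71, g = 11 example above, with Eve's attack implemented as baby-step giant-step rather than the exhaustive search implied by the 1/(p − 1) guessing argument of Section 3.2. The same routine solves the discrete logarithm base 5 of 2 modulo 7 from that section. Function names are my own; for anything but a worked example the secret exponents come from the operating system's random source, as `dh_random_secret` does.

```python
import math
import secrets

# Added example: Diffie-Hellman on the thesis's parameters, and Eve's generic
# attack (baby-step giant-step).  Not thesis code; names are mine.


def dh_public_value(g, secret, p):
    """X = g^secret mod p, the value sent over the insecure channel."""
    return pow(g, secret, p)


def dh_shared_key(their_public, my_secret, p):
    """K = (the other party's public value)^(my secret) mod p."""
    return pow(their_public, my_secret, p)


def dh_random_secret(p):
    """A secret exponent in [1, p-1), drawn from the OS CSPRNG."""
    return 1 + secrets.randbelow(p - 2)


def discrete_log(base, target, p):
    """Baby-step giant-step for the DLP in (Z/pZ)^x, p prime.
    Returns the least k >= 0 with base^k ≡ target (mod p), or None.
    Costs about sqrt(p) multiplications and sqrt(p) table entries,
    against the p-1 guesses of exhaustive trial."""
    n = p - 1                        # exponents may be reduced mod p-1
    m = math.isqrt(n) + 1            # m*m > n, so i*m + j covers [0, n)
    baby = {}                        # base^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)      # keep the smallest j for each value
        cur = cur * base % p
    # each giant step multiplies by base^(-m); the inverse is base^(m(p-2))
    giant = pow(pow(base, m, p), p - 2, p)
    gamma = target % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None


def eve_recovers_key(g, p, X, Y):
    """Eve sees only p, g, X and Y.  One discrete logarithm gives her x,
    after which she computes K exactly as Alice does."""
    x = discrete_log(g, X, p)
    return None if x is None else pow(Y, x, p)


def run_example():
    """The p = 71, g = 11, x = 12, y = 47 exchange from the text."""
    p, g, x, y = 71, 11, 12, 47
    X = dh_public_value(g, x, p)
    Y = dh_public_value(g, y, p)
    k_alice = dh_shared_key(Y, x, p)
    k_bob = dh_shared_key(X, y, p)
    assert k_alice == k_bob
    return X, Y, k_alice, eve_recovers_key(g, p, X, Y)


def run_random_session(p, g):
    """A session with fresh random secrets; True when both parties and the
    eavesdropper all arrive at the same key."""
    x, y = dh_random_secret(p), dh_random_secret(p)
    X, Y = dh_public_value(g, x, p), dh_public_value(g, y, p)
    k_alice, k_bob = dh_shared_key(Y, x, p), dh_shared_key(X, y, p)
    return k_alice == k_bob == eve_recovers_key(g, p, X, Y)


if __name__ == "__main__":
    print("X, Y, K, Eve's K:", run_example())        # (38, 33, 15, 15)
    print("log_5(2) mod 7 =", discrete_log(5, 2, 7))  # 4
```

With p = 71 Eve needs a table of nine entries. The table and the loop both grow like √p, so doubling the bit length of p squares her work: that, not the 1/(p − 1) chance of a lucky guess, is the scale to keep in mind when choosing p.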
The ElGamal Cipher is another example of a public-key cipher which was developed
by Taher ElGamal in 1985 [1, 8]. It allows a person, say Bob, to publicly publish
an encryption key, which another person such as Alice can use to encode a secret
message to send to Bob and only he will have the ability to decode the message. The
discrete log problem in the multiplicative group (Z/pZ)× . Let us now look at how the
ElGamal Cipher works, after which, we will work through an example which will give
us some good practice applying the number theory concepts we have learned. Then
we will discuss some interesting complications which can arise in the implementation
ElGamal Cipher: Bob wishes to establish a public-key so that people may send
him encrypted messages which only he can decrypt. To do this, Bob will choose a
secret large prime p and find a primitive root g modulo p. He then chooses a secret
integer d in the interval [1, p − 1). This value d will serve as his decryption key later.
Bob then computes x ≡ g^d (mod p), and chooses x satisfying 0 < x < p. Bob then
Alice wants to send a secret message m to Bob. If m ≥ p then she will break up
m into smaller blocks each of which is less than p and encrypt them individually. For
now we will assume 0 < m < p. First Alice will choose her own secret random integer
r and compute k ≡ g^r (mod p), choosing k satisfying 0 < k < p. Next she computes
c ≡ x^r m (mod p), choosing c satisfying 0 < c < p. Alice sends the pair (k, c) to Bob.
(Note that k is sometimes referred to as a “header” for the message and it serves as
(mod p). Then he finds the multiplicative inverse (x^r)^{−1} of x^r modulo p. Finally, he
can decrypt Alice’s message by computing the multiplication (x^r)^{−1} · c ≡ m (mod p)
root modulo p. Let us check that g = 19 is in fact a primitive root modulo p = 1549
using the method described in Section 3.1. We see φ(1549) = 1548 and have that
ord_{1549}(19) = 1548 = φ(1549) and be a primitive root. Now Bob chooses a secret
x ≡ g^d (mod p).
successive squaring. This process will be outlined in the computation below. Notice
that with each step we continually are reducing modulo 1549 so that the numbers we
are working with are all relatively small. For more description on successive squaring,
x ≡ 19^{23} ≡ 19^{16+4+2+1} ≡ 19^{2^4 + 2^2 + 2 + 1} ≡ (((19^2)^2)^2)^2 · (19^2)^2 · (19)^2 · (19)
Since 0 < 254 < 1549 Bob chooses x = 254. Now Bob can publish his public-key
Alice wants to send a secret message “OK” to Bob. First she has to convert her
message into an integer. One way she could do this is with a simple substitution of
A → 01, B → 02, etc. So she uses O → 15, K → 11 and obtains m = 1511 which
is less than p = 1549 so she does not need to break up her message. Next she will
choose her own secret integer r in the interval [1, 1548). She chooses r = 5. She then
computes,
k ≡ g^r (mod p),
Since 0 < 797 < 1549 she chooses k = 797. Next she will compute,
c ≡ x^r m (mod p),
She chooses c = 294 since 0 < 294 < 1549. She then sends her message with header
Once Bob receives Alice’s encrypted message he first computes k^d (mod p) be-
So Bob has found the same x^r = 726 that Alice found. Next Bob will find the
multiplicative inverse of 726 modulo 1549. To do this he can use the Euclidean Algorithm
and then work backwards. This process is described in Section 2.1, following
Definition 2.1.5. The computation for computing the multiplicative inverse of 726 modulo
1549 can be found in the second example after Definition 2.1.5. Using this
computation, Bob concludes that the inverse of x^r = 726 modulo p = 1549 is (x^r)^{−1} = 1022.
He determines Alice’s message was m = 1511 since 0 < 1511 < 1549. So Bob was
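As an added example (not code from the thesis), the cipher above run in Python with the thesis's own values p = 1549, g = 19, d = 23, r = 5 and m = 1511, together with the primitive-root check of Section 3.1 and the exponent-reduction observation from Section 3.2; the letter encoding A → 01, B → 02 is the one used in the example.

```python
# Added example (not the thesis's own code): the ElGamal cipher of this section,
# run with the thesis's parameters p = 1549, g = 19, d = 23, r = 5 and the
# message m = 1511 ("OK"), plus the exponent-reduction remark from Section 3.2.

def is_primitive_root(g, p, prime_factors):
    """Section 3.1 test: g generates (Z/pZ)^x iff g^((p-1)/q) != 1 (mod p)
    for every prime q dividing p - 1 (here 1548 = 2^2 * 3^2 * 43)."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)

def exponent_reduces(g, x, p):
    """Euler's theorem: g^x and g^(x mod (p-1)) agree modulo a prime p, which is
    why Section 3.2 restricts the secret exponents to [1, p - 1)."""
    return pow(g, x, p) == pow(g, x % (p - 1), p)

def elgamal_keygen(p, g, d):
    """Bob's published key (p, g, x) with x = g^d mod p; d stays secret."""
    return (p, g, pow(g, d, p))

def elgamal_encrypt(public_key, m, r):
    """Alice's header k = g^r mod p and body c = x^r * m mod p for her secret r."""
    p, g, x = public_key
    if not 0 < m < p:
        raise ValueError("split the message into blocks with 0 < m < p first")
    k = pow(g, r, p)
    c = pow(x, r, p) * m % p
    return (k, c)

def elgamal_decrypt(p, d, k, c):
    """Bob computes k^d = g^(rd) = x^r, inverts it modulo p, and recovers m."""
    shared = pow(k, d, p)            # equals x^r without Bob knowing r
    inverse = pow(shared, -1, p)     # same value the Euclidean algorithm yields
    return inverse * c % p

def text_to_int(text):
    """A -> 01, B -> 02, ... so that "OK" -> 1511 as in the thesis."""
    return int("".join(f"{ord(ch) - ord('A') + 1:02d}" for ch in text.upper()))

def int_to_text(m):
    """Inverse of text_to_int: split into two-digit pairs and map back to letters."""
    digits = str(m)
    if len(digits) % 2:
        digits = "0" + digits
    return "".join(chr(int(digits[i:i + 2]) + ord('A') - 1)
                   for i in range(0, len(digits), 2))

if __name__ == "__main__":
    p, g, d = 1549, 19, 23
    assert is_primitive_root(g, p, [2, 3, 43])
    public_key = elgamal_keygen(p, g, d)                        # (1549, 19, 254)
    k, c = elgamal_encrypt(public_key, text_to_int("OK"), r=5)  # (797, 294)
    print(k, c, int_to_text(elgamal_decrypt(p, d, k, c)))       # 797 294 OK
```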
When the Diffie-Hellman key exchange and ElGamal cipher are implemented, a
problem arises with the way in which we have been computing primitive roots. To
(mod p) for all prime divisors q of (p − 1) = φ(p). This requires that we know the
prime factorization of (p − 1). We have purposefully chosen p to be large, which
means that (p − 1) will be large. This is an issue, because the problem of finding
of this problem that provided the security of the RSA cipher. So we cannot expect
How then, can we determine a pair p and g so that p is prime and g is a primitive
root modulo p? One way that this could be done [4] is to first choose a product of
primes q_1^{a_1} · q_2^{a_2} ··· q_k^{a_k}, set (p − 1) = q_1^{a_1} · q_2^{a_2} ··· q_k^{a_k}, and then check if (p − 1) + 1 = p
the new resulting p is checked for primality. Once we find a p which is a prime, we
have by our construction the prime factorization of φ(p) = (p − 1), so we can now
use the process of choosing a g and checking if it is a primitive root modulo p by the
process described in Section 3.1. By clever choices for (p − 1) we can find a prime p
It also may seem surprising that checking if p is prime is an easier problem than
finding a prime factorization. Primes satisfy many special properties and these prop-
erties can be used to create clever algorithms which check for primality (or sometimes
for compositeness). For example the Rabin-Miller Strong Pseudoprime Test uses facts
from Fermat’s Little Theorem to test probabilistically if a number is prime [10]. This
try factoring the number into prime factors and is indeed a much easier problem than
prime factorization.
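An added example (not the thesis's code) of the parameter construction just described: p − 1 is assembled from chosen prime powers, p is screened with the Rabin-Miller test, and a primitive root is found with the Section 3.1 criterion; the dictionary input format and returning the smallest root are conventions of this example.

```python
# Added example (not the thesis's own code): pick the factorization of p - 1 first,
# check p = 1 + prod q^a for primality with the Rabin-Miller test, then find a
# primitive root with the Section 3.1 criterion.

def is_probable_prime(n, bases=(2, 3, 5, 7, 11)):
    """Rabin-Miller strong pseudoprime test: write n - 1 = 2^s * d and check each
    base a; with these fixed bases the answer is exact for n < 2,152,302,898,747."""
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a witnesses that n is composite
    return True

def candidate_prime(prime_powers):
    """Given {q: a}, return p = 1 + prod q^a and the primes q dividing p - 1."""
    p_minus_1 = 1
    for q, a in prime_powers.items():
        p_minus_1 *= q ** a
    return p_minus_1 + 1, list(prime_powers)

def smallest_primitive_root(p, primes):
    """First g with g^((p-1)/q) != 1 (mod p) for every prime q dividing p - 1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            return g
    return None

def dh_parameters(prime_powers):
    """(p, g) for the key exchange, or None when this p - 1 does not give a prime
    p; the caller then changes the exponents or primes and tries again."""
    p, primes = candidate_prime(prime_powers)
    if not is_probable_prime(p):
        return None
    return p, smallest_primitive_root(p, primes)

if __name__ == "__main__":
    print(dh_parameters({2: 2, 3: 2, 43: 1}))   # (1549, 2): the thesis's p, with g = 2
    print(dh_parameters({2: 3}))                # None: 9 is not prime
```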
CHAPTER 4
In the previous chapters we have been looking at several cryptographic ciphers which
were based on the multiplicative group (Z/nZ)^×, that is, the multiplicative group of
can be generalized to be used with other groups. A different group which has become
popular for use in cryptography is the additive group defined by the rational points of
an elliptic curve over a finite field. We will explain further what this group is and how
the group addition works in a moment. For now we will note that for the sake of this
paper, we will not be delving into the study of elliptic curves with any real amount
of depth. We will simply be introducing the group which they can generate, and
observing how this new group can be applied to the area of cryptography. The key
thing to remember is that an elliptic curve over a finite field generates an additive,
finite, abelian group in which we can define the discrete logarithm problem. As
E : y^2 = x^3 + Ax + B
such that the discriminant of the curve is non-zero. That is, we need the curve to be
An elliptic curve is often considered over a field. This means that for the curve
R, Q, C, or F_q which is the finite field with q elements where q = p^k for some prime
We will run into some problems with the discriminant of the curve E given
above if our field is of characteristic 2 or 3. If we are working with such a field then
E : y^2 + c_1 xy + c_2 y = x^3 + c_3 x^2 + c_4 x + c_5.
to use and refer to elliptic curves given by E, in Weierstrass normal form, but just be
Elliptic curves over finite fields are very useful in application to cryptography. In
general any finite field, F_q, could be used. For the examples in this paper we will often
choose to work in F_p, where p is an odd prime. This is because the field structure
for a general q can be rather difficult to work with, whereas, the structure of the
field F_p simply requires us to work modulo p which will simplify our explanations and
examples nicely.
Once we have a curve E over a field, we can form an additive group from the set
point (x, y) which is a solution to the equation given by E (denoted by (x, y) ∈ E),
and satisfies that both x and y are elements of the field. There additionally will be a
point O, which is the point “at infinity”, which will be on every curve. The derivation
of this point O comes from projective geometry, and we will skip it for this paper
as it veers too far away from our desired discussions. Thus, we can define the set of
Such points are often referred to as the rational points of the curve. We will discuss
how a group law is defined for such a set in a moment, but first let us give an example
field F_5. We wish to find all of the rational points of the curve. We know that we
will have Ẽ(F_5) = {O, (x, y) ∈ Ẽ | x, y ∈ F_5}. So to find all such points (x, y) we
can plug in each of the elements of F_5 in for x and determine which yield a square
in F_5. Before we do that let’s find what the squares in F_5 are. Recalling that we are
0^2 = 0, 1^2 = 1, 2^2 = 4, 3^2 = 4, and 4^2 = 1.
So the squares in F_5 are 0, 1, and 4. Now plug in x = 0, 1, 2, 3, 4 into the right hand
side of Ẽ and see if the result is a square. (Remember, for all of our computations in
0^3 + 0 + 1 = 1 (1 = 1^2 or 4^2)
1^3 + 1 + 1 = 3, not a square
2^3 + 2 + 1 = 3 + 2 + 1 = 1 (1 = 1^2 or 4^2)
3^3 + 3 + 1 = 2 + 3 + 1 = 1 (1 = 1^2 or 4^2)
4^3 + 4 + 1 = 4 + 4 + 1 = 4 (4 = 2^2 or 3^2)
Thus we have Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}.
An additive group operation can be defined for E(F). The way in which the
lines through rational points. For our needs, however, let us just look at a specific
case. We will give the resulting formulas which are used for E(F_q) where E is the
• First case
• For the rest of the cases, let us assume that neither P1 nor P2 are equal to O.
• For the next two cases we will define a λ and an υ which will then be used to
compute P1 + P2 .
λ(x_1 + x_2) − υ).
In all of the above calculations it is important to remember that the values we are
working with are all to be considered as elements of the finite field F_q. If we have
reducing modulo p, and the value of (n)^{−1} is the multiplicative inverse of n modulo p.
Another important note to make is that the calculations above are specific to
calculations were derived which could be used to calculate an explicit addition rule
for other elliptic curves. We will skip the discussion of this process since we do not
in discussing. An interested reader can learn more about this process from [6].
It can be shown that the set E(F_q) under the additive operation gives a finite
abelian group. This group has its identity element as O, and the additive inverse of
For the specific case described above, in which we gave instructions on how to add
two points in E(F_q), it is a fairly simple exercise to show these two facts as well as to
show that the addition described is commutative. It is not as easy to show that the
Let us take a look at an example of how to add points on an elliptic curve over a
finite field.
Example: Recall that for the elliptic curve Ẽ : y^2 = x^3 + x + 1 over the finite field
F_5, we found Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}. Let’s
practice adding some of these points using the rules described above. (Remember
that because we are working in F_5, our numerical computations are all made modulo
5.)
• Add O to O: O + O = O.
• Add (3, 1) to (3, 4): The points are not equal, but the x coordinates are, so
these points are inverses of one another and we have (3, 1) + (3, 4) = O.
• Add (0, 1) to (0, 1): Since the two points are equal and y ≠ 0 then let
When considering an elliptic curve over a finite field, we can also define the discrete
S and T = mS in E(F_q), find m. We call the smallest positive integer m such that
tion, whereas now for E(F_q) it is described through multiplication by an integer. This
is because for (Z/nZ)^× the operation being performed is multiplicative, whereas for
E(F_q) it is additive. For a multiplicative group, repeated operations are expressed via
So the representation of the discrete logarithm is altered slightly in this new context
In order to use elliptic curves in the area of cryptography we again make use of
the difficulty of the discrete logarithm problem, as was done in Chapter 3. In order to
make this successful the implementation must make use of elliptic curves over finite
fields which create a group in which the ECDLP is actually hard. For certain “bad”
curves, the ECDLP will be too easy to solve and would compromise the security of
the cipher. An example of this would be if the group E(F_p) has exactly p elements. In
this case there is a homomorphism from E(F_p) to the additive group Z/pZ (integers
modulo p) and solving the discrete log problem in Z/pZ is an easy problem since we
know how to find multiplicative inverses modulo p [5]. So such a curve would not be
For most elliptic curves, however, the fastest known algorithms for solving the
ECDLP are extremely slow, and for large enough values of q in E(F_q) running such
algorithms would be infeasible [5]. There has been a lot of study as to which curves
are best to use and these curves are used when the ciphers we will discuss are actually
implemented.
A benefit of using elliptic curves in cryptography is that these ciphers can use
smaller key sizes and message sizes while still offering the same level of security as
ciphers using (Z/pZ)^×. This can cause them to run faster and be more efficient.
4.2 Diffie-Hellman Key Exchange for Elliptic Curves
In Section 3.2 we learned about the Diffie-Hellman Key Exchange for the multiplica-
tive group (Z/nZ)^×. The same algorithm can be redefined to instead use the additive
group E(F_q) [9]. The implementation of these two versions will look very different
we compare the algorithms for the two versions, we will discover that they have the
exact same structure. The differences which we can see are only a result of the dif-
ferences in the way in which repeated operations are expressed and computed in the
Diffie-Hellman Key Exchange for Elliptic Curves: Suppose Bob and Alice
wish to establish a shared secret key for use in a private-key cipher. They can do so
Alice and Bob choose an elliptic curve E over a finite field Fq . Next they choose
a rational point on the curve, P , so that P has a large order in the group of rational
Once these have been chosen, Alice will choose a secret integer w and compute
W = wP as a point in E(F_q), and then send W to Bob. Similarly Bob will choose a
Bob and Alice can then compute their shared key as follows. Alice computes
K = wZ and Bob computes K = zW as points in E(F_q). They can then use some
agreed upon number derived from this point such as the value of the x coordinate as
their shared key. They will be sure to obtain the same point K because we have:
Example: Bob and Alice decide to use the curve Ẽ : y^2 = x^3 + x + 1 over the
finite field F_5. They also choose to use the point P = (0, 1). Recall that in our
Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}.
We also found in our previous examples in Section 4.1 that in this group, 2(0, 1) =
(4, 2) and that 3(0, 1) = (0, 1) + (4, 2) = (2, 1). If we continued to compute these
additions we would find that the point P = (0, 1) is a generator of the group Ẽ(F_5)
because we have:
7P = (4, 3) 8P = (0, 4) 9P = O.
The information Ẽ, F_q and P can be sent back and forth between Alice and Bob
using insecure channels. To send this they could just send certain key information
in a pattern which would be understood. For example Alice could send Bob the
combination (q, A, B, x, y) = (5, 1, 1, 0, 1) and he would then know that they are
using F_q = F_5 as their finite field with the curve Ẽ : y^2 = x^3 + Ax + B = x^3 + x + 1
Alice now chooses her secret integer w and computes W = wP . She chooses w = 2
and so W = 2P = (4, 2) (we know this based on the table we gave above). She sends
Similarly, Bob chooses his secret integer z and computes Z = zP . Bob chooses
When Alice receives Bob’s Z she computes K = wZ = 2(2, 4). Similarly once Bob
received Alice’s W he would compute K = zW = 6(4, 2). They would do this using
the addition rules described in Section 4.1. We will skip showing these additions since
it would require a fair amount of work, and tell you that K = (2, 1). We can check
this because we as readers (who know all of the information, including both Alice’s
So Alice and Bob now both have a shared point K = (2, 1) from which they can
Cipher. When originally described the cipher uses the finite multiplicative group of
(Z/nZ)^×. Similar to the Diffie-Hellman Key Exchange, the ElGamal Cipher can be
restated to use the additive group E(F_q) [9]. Let us now look at how the cipher works
that people may send him encrypted messages which only he can decrypt. To do so,
Bob chooses an elliptic curve E over a finite field F_q. Then he chooses a rational
point P on E, so that P has a large order in the group of rational points, E(F_q).
Alice wants to send Bob a secret message, so she first expresses her message as
a point M in the group E(F_q). Then Alice chooses her own secret integer r and
point in E(F_q). Alice will then send the information pair, K and C to Bob.
Once Bob receives this information from Alice, he will first compute dK =
d(rP) = drP = rdP = r(dP) = rX. Next he finds (−rX). This is the additive
inverse of rX and by the construction of the group we know that this will be
obtained by finding the additive inverse of the y coordinate of the point rX in F_q. Once
a point in E(F_q).
be confusing as to how this could be accomplished. There are many possible ways
that a message could be imbedded as a point in E(Fq ). We will give one example of
large prime p satisfying p ≡ 3 (mod 4). First represent the plaintext message as an
integer m in the range 0 ≤ m < p/1000 − 1. Try appending three digits to the end
of the integer m to create a new integer x. We hope to find an x in the range of
after appending digits to m does not satisfy these conditions, then we try appending
three different digits to the end of m to obtain a different x and check the conditions
again. We will do this until we obtain an x which works. Once we have such an x,
such that y^2 = x^3 + Ax + B. There may be two choices for y but it will not matter
which you choose. To then reobtain the message m we simply drop the last three
digits from the coordinate x. This imbedding is called “probabilistic” because there
is an extremely small probability that x^3 + Ax + B will be nonsquare for all x in
1000m ≤ x < 1000(m + 1) < p. Thus the imbedding will nearly always work.
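An added example (not from the thesis) of the probabilistic imbedding above in Python; the curve y^2 = x^3 + x + 1 over F_100003 is a constructed choice (100003 is a prime with 100003 ≡ 3 (mod 4)), since the thesis names no curve for this step.

```python
# Added example (not the thesis's own code): the probabilistic imbedding described
# above for a prime p ≡ 3 (mod 4). The curve and prime below are constructed:
# 100003 is prime and 100003 ≡ 3 (mod 4); the thesis does not fix a curve here.

P_MOD, A, B = 100003, 1, 1   # constructed parameters, see the note above
BLOCK = 1000                 # three decimal digits are appended to m

def sqrt_mod(a):
    """For p ≡ 3 (mod 4), a^((p+1)/4) is a square root of a whenever a is a
    square mod p; the result is checked so a non-square yields None, not garbage."""
    y = pow(a, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == a % P_MOD else None

def embed(m):
    """Return a curve point (x, y) with BLOCK*m <= x < BLOCK*(m+1) < p, or None
    in the (roughly 2^-1000) event that no appended suffix gives a square."""
    if m < 0 or BLOCK * (m + 1) >= P_MOD:     # the thesis's range m < p/1000 - 1
        raise ValueError("m out of range for this p")
    for suffix in range(BLOCK):
        x = BLOCK * m + suffix
        y = sqrt_mod((x**3 + A * x + B) % P_MOD)
        if y is not None:                       # either root works
            return (x, y)
    return None

def recover(point):
    """Drop the appended digits to get m back; the y coordinate is not needed."""
    return point[0] // BLOCK

def on_curve(point):
    """Sanity check that (x, y) really satisfies y^2 = x^3 + Ax + B in F_p."""
    x, y = point
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0

if __name__ == "__main__":
    pt = embed(42)                               # constructed message value
    print(pt, on_curve(pt), recover(pt))         # (x, y), True, 42
```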
A signature is a common concept in the world of paper and pens in order to validate
a person’s identity and approval of a document. When we shift into the world of
sending messages and documents through electronic sources the simple concept of a
Suppose Alice is sending Bob a message and she wants to sign it so that Bob
knows that it came from her and she approves its contents. How can Alice sign
her message which is no longer a traditional document, but has now been converted
electronically into some sort of integer? A naive solution would be to make a digital
copy of Alice’s signature and send it off to Bob along with her message. This causes an
issue, though, because our eavesdropper Eve could get her hands on Alice’s digitized
signature and start sending out messages with Alice’s signature, masquerading as
Alice. The recipients of these fake messages sent by Eve would have no way of
knowing that these documents were not in fact authentic. This could cause a lot of
problems for Alice! So Alice needs a way to create a digital signature which is directly
tied to her document so that only she can use it. That way, the signature cannot be
One algorithm which can be used to solve this problem is the Digital Signature
Algorithm (DSA). The original version of the DSA was formed using multiplicative
groups such as (Z/nZ)× , but a new version has recently been created to be used with
elliptic curves. This new version is known as the Elliptic Curve Digital Signature
Algorithm (ECDSA) [9]. We will now take a look at how this algorithm works.
ECDSA: Alice is sending a message to Bob and she wants to be able to sign her
document so that Bob can ensure its authenticity. In order to do this, Alice will choose
an elliptic curve E over a finite field F_q. These should satisfy that #E(F_q) = nr,
small integer to help keep the algorithm efficient, common choices are n = 1, 2, or
4. Then Alice chooses a point P in E(F_q) which has order r. Next, Alice chooses a
she first chooses a random integer k with 1 ≤ k < r and computes R = kP = (x, y).
Once she has this she computes s = k^{−1}(m + ax) (mod r) and chooses s satisfying
When Bob receives the document from Alice he can verify her signature by
completing the following steps. First he computes u_1 = s^{−1} m (mod r) and chooses u_1
V = R.
The notation above may be slightly confusing. What we find is that since the
order of P is r then when we compute nP we can reduce n modulo r and the result
will remain the same. This is because if we write n = qr + n_0 then we find that
Thus by using multiplicative inverses modulo r we can obtain the desired reductions.
So the last few steps of the verification of the DSA work because we have that
The security of the ECDSA is based on the Elliptic Curve Discrete Logarithm
Problem. Say evil Eve wants to masquerade as Alice and send a document with
Alice’s signature on it. Eve would need to be able to produce a signature triple
and, Q. Eve will be able to create her own message m and the point R = (x, y) by
using Alice’s published point P and choosing her own secret integer k. Eve won’t be
able to sign this message validly, however, unless she can create the corresponding
But, recall that a was Alice’s secret integer. So Eve would need to know a in order
It is worth noting that this algorithm is not a way to encrypt Alice’s message. If
Alice wishes to keep the contents of the message she is sending a secret, she must first
encrypt the message using a cipher such as the ones we have discussed previously.
This encryption could result in her message being a very large number which would
make the computations of the ECDSA very complicated and time consuming. As a
result a common practice is to sign a hash of the message instead. A hash function
is a type of function in computer science which takes inputs of a very large size and
outputs a value of a small fixed length. So for example Alice’s message might be
billions of bits long, but the hash of her message could be just 160 bits. This will
greatly cut down on the computing time of creating and verifying a signature for her
message.
If Alice and Bob agreed to do this then they would first need to agree on a hash
function to use. Alice would then take her message m and compute its hash value
h. When signing her document she would use h in all of the computations instead of
m. She then could still send Bob the triple (m, R, s) and when Bob received this he
would know to use the agreed upon hash function to find the hash value h of m to
use in his verification computations. This way Bob receives Alice’s message and has
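As an added example (not code from the thesis), the group Ẽ(F_5) of Section 4.1, the key exchange of Section 4.2 and the ECDSA signing and verification described above, all in Python; the private key a = 4, nonce k = 5 and hash value m = 2 are constructed, and the group order r = 9 is not prime as a real deployment would require, so k and s must be units modulo r.

```python
# Added example (not the thesis's own code): Ẽ : y^2 = x^3 + x + 1 over F_5 from
# Section 4.1, the Section 4.2 key exchange and a toy ECDSA run as described above.

P_MOD, A, B = 5, 1, 1   # the field F_5 and the curve coefficients used in the thesis
O = None                # the point at infinity

def inv(n, mod=P_MOD):
    """Multiplicative inverse of n modulo mod; raises ValueError if none exists."""
    return pow(n, -1, mod)

def rational_points():
    """Ẽ(F_5): for each x in F_5 keep every y with y^2 = x^3 + Ax + B."""
    pts = [O]
    for x in range(P_MOD):
        rhs = (x**3 + A * x + B) % P_MOD
        pts += [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]
    return pts

def add(P1, P2):
    """Chord-and-tangent addition on y^2 = x^3 + Ax + B over F_p."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                  # P2 = -P1 (also a doubled point with y = 0)
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(n, P):
    """nP by double-and-add, the additive analogue of successive squaring."""
    result, addend = O, P
    while n > 0:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result

def order(P):
    """Smallest r > 0 with rP = O (brute force is fine for a 9-point group)."""
    r, Q = 1, P
    while Q is not O:
        Q, r = add(Q, P), r + 1
    return r

def ecdh(w, z, P):
    """Section 4.2: returns (Alice's K = w(zP), Bob's K = z(wP)); they agree."""
    W, Z = mul(w, P), mul(z, P)         # the public points exchanged
    return mul(w, Z), mul(z, W)

def ecdsa_sign(m, a, k, P, r):
    """Signature (R, s) on value m with private key a and nonce k, gcd(k, r) = 1."""
    R = mul(k, P)
    return R, inv(k, r) * (m + a * R[0]) % r

def ecdsa_verify(m, R, s, Q, P, r):
    """Check u1 P + u2 Q = R for u1 = s^-1 m, u2 = s^-1 x (mod r), with Q = aP."""
    u1, u2 = inv(s, r) * m % r, inv(s, r) * R[0] % r
    return add(mul(u1, P), mul(u2, Q)) == R

if __name__ == "__main__":
    P = (0, 1)                       # generator of the 9-point group Ẽ(F_5)
    print(ecdh(2, 6, P))             # ((2, 1), (2, 1)), the thesis's shared K
    r = order(P)                     # 9 here; a real deployment needs a large prime r
    a, Q = 4, mul(4, P)              # constructed private key and public point
    R, s = ecdsa_sign(2, a, 5, P, r) # constructed hash value m = 2 and nonce k = 5
    print(ecdsa_verify(2, R, s, Q, P, r))   # True
```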
BIBLIOGRAPHY
[6] Joseph H. Silverman and John Tate. Rational Points on Elliptic Curves.
Springer-Verlag, New York, 1992.
[7] Harold M. Stark. An Introduction to Number Theory. The MIT Press, Cambridge, Massachusetts, 1970.