
UNIT II

BLOCK CIPHERS & PUBLIC KEY CRYPTOGRAPHY

Data Encryption Standard (DES)- Advanced Encryption Standard (AES) - Triple DES. Public
key cryptography: Principles of public key cryptosystems - The RSA algorithm - Key
management – Attacks on RSA - Diffie Hellman Key exchange - Elliptic curve arithmetic -
Elliptic curve cryptography.

INTRODUCTION

Block Cipher: A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length. Typical block sizes are 64 bits or 128
bits. E.g. DES, AES.

Stream Cipher: A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. E.g. Vigenere cipher, Vernam cipher.

Reversible or non-singular transformation: For an encryption to be reversible, i.e. for decryption
to be possible, each plaintext block must produce a unique ciphertext block.

Feistel Cipher:
Approximates the ideal block cipher by utilizing the concept of a product cipher, which is the
execution of two or more simple ciphers in sequence in such a way that the final result or
product is cryptographically stronger than any of the component ciphers.
Basic Design idea of Feistel cipher:
Feistel proposed the use of a cipher that alternates substitutions and permutations.
• Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding cipher text element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation of that
sequence, i.e. no elements are added or deleted or replaced in the sequence, rather the order
in which the elements appear in that sequence is changed.

The Feistel cipher is the practical application of Claude Shannon's proposal to develop a product cipher
that alternates confusion and diffusion functions in order to frustrate statistical cryptanalysis.
Diffusion: The statistical structure of the plaintext is dissipated into long-range statistics of
ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext
digits.
Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and
the value of the encryption key as complex as possible.

Parameters and Design Features of Feistel Cipher:


• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function F
• Other considerations:
o Fast software encryption/decryption
o Ease of analysis

DES-DATA ENCRYPTION STANDARD

DES is also called the Data Encryption Algorithm (DEA). This algorithm was proposed by the National
Institute of Standards and Technology (NIST) in 1977.

DES working principle:


• DES is a symmetric key block cipher.
• It has exactly the structure of a Feistel cipher: it partitions the input block into two halves, which
are processed through multiple rounds; each round performs a substitution on the left half based on
the round function of the right half and the subkey, and then a permutation that swaps the halves.
• In addition to the Feistel cipher structure, it applies an initial permutation to the plaintext and a
final inverse initial permutation to the last round's output.
• DES takes a 64-bit plaintext block and produces a 64-bit ciphertext block. The key is 56 bits.
• DES has 16 rounds.
• The same algorithm is used for encryption and decryption.

The processing of the algorithm proceeds in 3 phases:

Phase 1 - Permutation phase, which rearranges the bits to produce the permuted input (IP).
Phase 2 - This phase has 16 rounds. Each round has permutation and substitution steps.
Phase 3 - The output of phase 2 is passed through a permutation which is the inverse of the initial
permutation. The final output is the 64-bit ciphertext.

General depiction of DES encryption algorithm


Initial Permutation (IP)
• The 64 bit plain text is permuted once before entering the round functions.

Single Round of DES


1. Key transformation
2. Expansion permutation
3. S-box substitution
4. Permutation
5. XOR and swap
Single round of a DES algorithm

1. Key transformation
• The 64-bit key is taken as input. The key is first subjected to a permutation, permuted choice 1
(PC-1), resulting in a 56-bit key.
• This 56-bit key is divided into two 28-bit halves. Each half is circularly left-shifted by one or
two positions, depending on the round.
• The shifted 56 bits are given as input to a second permutation, permuted choice 2 (PC-2), which
selects a unique 48-bit subkey for each round.
2. Expansion permutation
• The right half (Ri-1) is expanded from 32 bits to 48 bits by the expansion permutation (E-table).
• The 48-bit subkey is XORed with the 48-bit expanded right half, and the resulting 48-bit output is
given to the next step.
3. Substitution (S-boxes)
• S-box substitution accepts the 48-bit input from the XOR operation and produces a
32-bit output.
• There are 8 S-boxes, numbered 1-8. Each S-box takes 6 bits as input and gives 4 bits
as output.
4. Permutation
• The output of the S-boxes consists of 32 bits. These 32 bits are permuted using the P-box.
5. XOR and swap
• All the above operations are performed only on the 32-bit right half. Now the left half
(Li-1) is XORed with the P-box output.
• The result of the XOR operation becomes the new right half (Ri). The old right half becomes
the new left half (Li).

Inverse Initial Permutation
• At the end of the 16 rounds, a simple transposition (the inverse of the initial permutation) is
performed.
DES decryption
It uses the same algorithm as encryption, except that the subkeys are applied in reverse order.
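The reversed-subkey decryption property described here, and the avalanche effect discussed next, as an added example that is not code from these notes: a toy Feistel network whose round function F is deliberately non-invertible. F, the key schedule and the demo values are made-up placeholders standing in for DES's S-boxes and PC-1/PC-2.

```python
# Added example (not from these notes): a toy Feistel network with the DES
# structure above.  F is deliberately NOT invertible, yet decryption is the
# same routine run with the subkeys in reverse order.  Halves are 16 bits,
# so a block is 32 bits.  F and the key schedule are made-up placeholders,
# not DES's S-boxes or PC-1/PC-2.
HALF = 0xFFFF

def round_function(right, subkey):
    """Keyed, non-invertible mixing: XOR the subkey, square mod 2^16, fold."""
    t = right ^ subkey
    t = (t * t + 0x5A17) & HALF
    return (t ^ (t >> 7) ^ (t << 3)) & HALF

def key_schedule(key, rounds=16):
    """One 16-bit subkey per round from circular shifts of a 32-bit key
    (stands in for DES's shift-and-select schedule)."""
    subkeys = []
    for i in range(rounds):
        rotated = ((key << (i + 1)) | (key >> (32 - (i + 1)))) & 0xFFFFFFFF
        subkeys.append((rotated ^ (rotated >> 16)) & HALF)
    return subkeys

def feistel(block, subkeys):
    """(L, R) -> (R, L XOR F(R, K_i)) per round; the final swap undoes the
    last exchange so the same function inverts itself with reversed subkeys."""
    left, right = block >> 16, block & HALF
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 16) | left          # final swap, as in DES before IP^-1

def encrypt(block, key):
    return feistel(block, key_schedule(key))

def decrypt(block, key):
    return feistel(block, key_schedule(key)[::-1])   # same routine, reversed subkeys

def avalanche(block, key, bit):
    """Number of ciphertext bits that change when one plaintext bit is flipped."""
    diff = encrypt(block, key) ^ encrypt(block ^ (1 << bit), key)
    return bin(diff).count("1")

if __name__ == "__main__":
    key, pt = 0x0123ABCD, 0xDEADBEEF          # constructed demo values
    ct = encrypt(pt, key)
    print(f"pt={pt:08x} ct={ct:08x} back={decrypt(ct, key):08x}")
    print("ciphertext bits changed by flipping plaintext bit 5:", avalanche(pt, key, 5))
```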
Avalanche Effect
• When there is a small change in either the plaintext or the key, it should produce a
significant change in the cipher text. In particular, a change in one bit of the plaintext or one
bit of the key should produce a change in many bits of the cipher text. This is referred to as
the avalanche effect.
• DES exhibits a strong avalanche effect.

Strength of DES
1) The use of a 56-bit key
As the key length is 56 bits, a brute-force attack must try 2^56 possible keys. Hence, it is
impractical.
2) The nature of the DES algorithm
For a cryptanalytic attack, the characteristics of DES need to be analyzed. DES makes use of
substitution boxes called S-boxes, and the algorithm for the design of the S-boxes was not made
public. If a weakness of the S-boxes were known, there would be a possibility of breaking DES by a
cryptanalytic attack. But until now there is no such attack.
3) Timing attack
A timing attack is one in which information about the key or the plaintext is obtained by observing
how long it takes a given implementation to perform decryptions on various ciphertexts. A timing
attack exploits the fact that an encryption or decryption algorithm often takes slightly different
amounts of time on different inputs. One reported approach yields the Hamming weight (the number
of bits equal to 1) of the secret key.

BLOCK CIPHER DESIGN PRINCIPLES


The cryptographic strength of a Feistel cipher derives from three aspects of the design:
1) The number of rounds,
2) The function F, and
3) The key schedule algorithm.

1) Number of Rounds
When the number of rounds increases, the difficulty of performing cryptanalysis also increases, even
with a weak F. The number of rounds should be chosen so that the known cryptanalytic effort is
greater than the effort of a brute-force attack.
2) Design of Function F
Criteria needed for F:
• It must be difficult to unscramble the substitution done by F.
• The function should satisfy the Strict Avalanche Criterion (SAC): output bit j should change
with probability 1/2 when input bit i is inverted, for all i and j.
• The function should satisfy the Bit Independence Criterion (BIC): output bits j and k should
change independently when any single input bit i is inverted, for all i, j, and k.
• The S-boxes should have a guaranteed avalanche effect.
3) Key Schedule Algorithm
The key generation algorithm is used to generate one subkey for each round. The subkeys should
be different for each round, and it should be difficult to deduce the subkeys or recover the main key.

BLOCK CIPHER MODES OF OPERATION [NOT in Syllabus]


DES is the basic building block for providing data security. To apply a block cipher in a variety of
applications, five "modes of operation" have been defined by NIST.
A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or
adapting the algorithm for an application, such as applying a block cipher to a sequence of data
blocks or a data stream.

(i) Electronic Code Book (ECB)


• The simplest mode is the electronic codebook (ECB) mode, in which the plaintext is
handled one 64-bit block at a time and each block of plaintext is encrypted using the same key.
• The message is broken into independent blocks that are encrypted separately: if the message is
longer than 64 bits, it is split into 64-bit blocks and the last block is padded with some regular
pattern of 0s and 1s to complete the block.
• For a given key, there is a unique ciphertext for every 64-bit block of plaintext.
• Decryption is performed one block at a time using the same key K.

Encryption: CN = E(K, PN), N = 1, …, n
Decryption: PN = D(K, CN), N = 1, …, n
Advantages
• The ECB method is ideal for a short amount of data, such as the encryption of a key.
Disadvantages
• In longer messages, if the same b-bit block of plaintext appears more than once in the
message, ECB always produces the same ciphertext block; hence the ECB mode may not be secure.

(ii) Cipher Block Chaining Mode (CBC)


• To overcome the drawback of ECB, CBC is a technique in which a repeated plaintext block
produces different ciphertext blocks.
• The input to the encryption algorithm is the XOR of the current plaintext block and the
preceding ciphertext block; the same key is used for each block.

where IV is the initialization vector (known only to the communicating parties)

• The input to the encryption function for each plaintext block bears no fixed relationship to
the plaintext block. Therefore, repeating patterns of bits are not exposed.
• For decryption, each cipher block is passed through the decryption algorithm. The result is
XORed with the preceding ciphertext block to produce the plaintext block.
• To produce the first block of ciphertext, an Initialization Vector (IV) is XORed with the
first block of plaintext; on decryption, the IV is XORed with the output of the decryption
algorithm for the first block.
Encryption: C1 = E(K, [IV⊕P1]); Cj = E(K, [Cj-1⊕Pj]), j = 2 to N
Decryption: D(K, Cj) = D(K, E(K, [Cj-1⊕Pj])) = Cj-1⊕Pj, so Pj = Cj-1⊕D(K, Cj) (and P1 = IV⊕D(K, C1))

Advantages:
• An appropriate mode for encrypting messages of length greater than b bits.
• In addition to its use to achieve confidentiality, the CBC mode can be used for authentication.
• CBC mode is self-recovering: a transmission error in one ciphertext block affects at most two
decrypted blocks, after which the system recovers and continues to work correctly for all
subsequent blocks.
Disadvantages:
•  Both the IV and the key should be protected.
(iii) Cipher Feedback Mode
DES is a block cipher technique that uses 64-bit blocks. It is possible to convert DES into a stream
cipher using Cipher Feedback (CFB), Output Feedback (OFB) or Counter (CTR) mode.
• The input to the encryption function is a b-bit shift register that is initially set to some
initialization vector (IV).
• The leftmost (most significant) s bits of the output of the encryption function are XORed
with the first s-bit segment of plaintext P1 to produce the first unit of ciphertext C1.
• The contents of the shift register are shifted left by s bits and C1 is placed in the rightmost s bits.
• This process continues until all plaintext units have been encrypted.
• For decryption, the same scheme is used, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit.
Encryption and decryption functions
Let Ss(X) be defined as the most significant s bits of X.
C1 = P1⊕Ss[E(K, IV)]
P1 = C1⊕Ss[E(K, IV)]
Advantages:
• Avoids padding
• Operates in real time
• It is self-recovering
• Simplicity
• Need not be used on byte boundaries

(iv) Output feedback mode


• The output feedback (OFB) mode is similar in structure to CFB.
• In OFB the output of the encryption function is fed back to the shift register, whereas
in CFB the ciphertext unit is fed back to the shift register.
• The feedback is independent of the message.

Advantage
One advantage of the OFB method is that bit errors in transmission do not propagate.
Disadvantage
The disadvantage of OFB is that it is more vulnerable to a message stream modification attack
than is CFB.
(v) Counter Mode (CTR)
• Here, a counter equal in size to the plaintext block is used.
• The counter value must be different for each plaintext block.
• The counter is initialized to some value and then incremented by 1 for each subsequent
block.
• For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
• For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a ciphertext block to recover the corresponding plaintext block.

Advantages
• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or cipher text.
• Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features can be utilized.
• Preprocessing: The execution of the underlying encryption algorithm does not depend on
input of the plaintext or cipher text.
• Random access: The ith block of plaintext or ciphertext can be processed in random-access
fashion.
Disadvantages
• Synchronous counter at sender and receiver must be present. Loss of
synchronization leads to incorrect recovery of plaintext.
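The ECB, CBC and CTR behaviour described in this section, as an added example that is not code from these notes: the block cipher is a toy key-seeded byte permutation standing in for DES (blocks, IV and counter are all one byte), and the key, IV and message are constructed demo values. The example also shows the CBC error-recovery property and the CTR random-access property as runnable checks.

```python
# Added example (not from these notes): ECB, CBC and CTR over a toy 8-bit
# block cipher, a key-seeded byte permutation standing in for DES.  Only the
# mode logic matters here: a "block" is one byte and so are the IV and counter.
import random

def toy_cipher(key):
    """Return (E, D): forward and inverse lookups of a key-seeded permutation."""
    table = list(range(256))
    random.Random(key).shuffle(table)          # deterministic per key (demo only)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda b: table[b]), (lambda b: inverse[b])

def ecb_encrypt(E, plaintext):
    # C_N = E(K, P_N): equal plaintext blocks give equal ciphertext blocks
    return bytes(E(p) for p in plaintext)

def ecb_decrypt(D, ciphertext):
    return bytes(D(c) for c in ciphertext)

def cbc_encrypt(E, iv, plaintext):
    # C_1 = E(K, IV xor P_1); C_j = E(K, C_{j-1} xor P_j)
    out, prev = [], iv
    for p in plaintext:
        prev = E(p ^ prev)
        out.append(prev)
    return bytes(out)

def cbc_decrypt(D, iv, ciphertext):
    # P_j = C_{j-1} xor D(K, C_j): a corrupt C_j affects only P_j and P_{j+1}
    out, prev = [], iv
    for c in ciphertext:
        out.append(D(c) ^ prev)
        prev = c
    return bytes(out)

def ctr_block(E, counter0, i, block):
    """Random access: block i needs only counter0 + i and no other block.  The
    8-bit counter wraps after 256 blocks, so the keystream would repeat; a
    counter value must never be reused under the same key."""
    return E((counter0 + i) & 0xFF) ^ block

def ctr_crypt(E, counter0, data):
    # one routine for both directions: keystream XOR data, no chaining
    return bytes(ctr_block(E, counter0, i, x) for i, x in enumerate(data))

def cbc_error_spread(E, D, iv, plaintext, position):
    """Flip one bit of ciphertext block `position`, decrypt, and return the
    indexes of the recovered blocks that differ from the original plaintext."""
    ct = bytearray(cbc_encrypt(E, iv, plaintext))
    ct[position] ^= 0x01
    recovered = cbc_decrypt(D, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]

if __name__ == "__main__":
    E, D = toy_cipher(0x2A)                            # constructed demo key
    msg = b"ATTACK AT DAWN. ATTACK AT DAWN."           # constructed, repetitive plaintext
    print("ECB:", ecb_encrypt(E, msg).hex())           # the repeat shows through
    print("CBC:", cbc_encrypt(E, 0x5C, msg).hex())     # it does not
    print("CTR:", ctr_crypt(E, 0x10, msg).hex())
    print("blocks hit by a one-bit CBC error in block 3:", cbc_error_spread(E, D, 0x5C, msg, 3))
```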

DOUBLE DES
The simplest form of multiple encryption has two encryption stages and two keys. Given a
plaintext P and two encryption keys K1 and K2, the ciphertext C is generated as
C = E(K2, E(K1, P))

Drawback
• Meet-in-the-middle attack
Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible
values of K1, giving intermediate values X = E(K1, P). Store these results in a table and then sort the
table by the values of X. Next, decrypt C using all 2^56 possible values of K2. As each decryption is
produced, check the result against the table for a match. If a match occurs, then test the two resulting
keys against a new known plaintext-ciphertext pair. If the two keys produce the correct ciphertext,
accept them as the correct keys.
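The meet-in-the-middle argument above, as an added example that is not code from these notes: the attack is run against double encryption with a made-up toy cipher (16-bit keys, 32-bit blocks, constructed round constants) so the whole key space is searchable, which makes concrete why two keys add almost nothing over one and why Triple DES uses three stages.

```python
# Added example (not from these notes): the meet-in-the-middle attack above
# run against double encryption with a toy cipher (16-bit keys, 32-bit blocks)
# so the whole key space is searchable.  The toy cipher and its constants are
# made-up placeholders, not DES.  It shows why two keys buy only about
# 2 * 2^16 cipher operations of work plus a table, not 2^32.
MASK = 0xFFFFFFFF
KEY_BITS = 16
CONSTS = [0x9E3779B9, 0x7F4A7C15, 0xF39CC060, 0x5CEDC834]   # constructed round constants

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK

def toy_encrypt(key, block):
    k = (key << 16) | key                    # spread the 16-bit key over the block
    for c in CONSTS:
        block = rotl(((block ^ k) + c) & MASK, 7)
    return block

def toy_decrypt(key, block):
    k = (key << 16) | key
    for c in reversed(CONSTS):
        block = ((rotr(block, 7) - c) & MASK) ^ k
    return block

def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))      # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) pairs under one (K1, K2).  Returns (k1, k2, ops)
    or None.  Step 1 tabulates X = E(K1, P) for every K1; step 2 computes
    D(K2, C) for every K2 and looks it up; a hit is confirmed on the other
    pairs to discard false matches.  ops counts cipher operations."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        ops += 1
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            ops += 2 * len(rest)
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2, ops
    return None

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                                     # the secret keys
    pts = [0xDEADBEEF, 0x01234567, 0x89ABCDEF]                  # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in pts]
    print("recovered (k1, k2, ops):", meet_in_the_middle(pairs))
    print("exhaustive search would need", 1 << (2 * KEY_BITS), "double encryptions")
```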
TRIPLE DES
• To overcome the meet-in-the-middle attack, three stages of encryption with different
keys are used. This is called triple DES.
• Tuchman proposed a triple encryption method that uses only two keys. The function
follows an encrypt-decrypt-encrypt sequence:
• C = E(K1, D(K2, E(K1, P)))
• There is no cryptographic significance to the use of decryption for the second stage. Its only
advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES.
• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use
in key management standards.
ADVANCED ENCRYPTION STANDARD (AES)

The Rijndael proposal for AES was submitted by two Belgian cryptographers, Dr. Joan Daemen
and Dr. Vincent Rijmen. The Advanced Encryption Standard (AES) was published by the National
Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is
intended to replace DES as the approved standard for a wide range of applications.

• The cipher takes a plaintext block size of 128 bits, or 16 bytes.


• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred
to as AES-128, AES-192, or AES-256, depending on the key length.
• The cipher consists of N rounds, where the number of rounds depends on the key length:
10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.
• The first N - 1 rounds consist of four distinct transformation functions:
o SubBytes,
o ShiftRows,
o MixColumns
o AddRoundKey

• The final round contains only three transformations, and there is an initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0.
• Each transformation takes one or more 4x4 matrices as input and produces a 4x4 matrix
as output.
• Also, the key expansion function generates N + 1 round keys, each of which is a distinct
4x4 matrix.
• Each round key serves as one of the inputs to the AddRoundKey transformation in each
round.

Detailed Structure
1. AES is not a Feistel structure. AES processes the entire data block as a single matrix during
each round using substitutions and permutation.
2. The key is expanded into an array of forty-four 32-bit words.
3. Four different stages are used:
• Substitute bytes
• ShiftRows
• MixColumns
• AddRoundKey
4. The structure is simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a
tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible
without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. Combined with the other three stages, the scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages,
an inverse function is used in the decryption algorithm.
8. The decryption algorithm uses the expanded key in reverse order.
9. The decryption algorithm does recover the plaintext. At each horizontal point (e.g., the
dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages.

Substitute Bytes Transformation
• The forward substitute byte transformation is called SubBytes.
• It is represented by 16x16 matrix called an S-box.
• For each individual byte of State the value is mapped into a new byte.
• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output
value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which
contains the value {2A}.

ShiftRows Transformation
• The forward shift row transformation is also called ShiftRows.
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2- byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift
for the second row, and so on.
• The following is an example of ShiftRows.

MixColumns Transformation
• The forward mix column transformation, called MixColumns, operates on each column
individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in
that column.
• The transformation can be defined by the following matrix:

• The following is an example of MixColumns:

• Multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift
followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original
value (prior to the shift) is 1.
• If the leftmost bit is 0 prior to the shift, simply do a 1-bit left shift alone.

• Thus, to verify the MixColumns transformation on the first column:

AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits (16 bytes) of
State are bitwise XORed with the 128 bits (16 bytes) of the round key.

Key Expansion Algorithm
• The input to this algorithm is the 4-word (16-byte) key.
• The output is 44 words.
• The key is copied to the first 4 words of the expanded key.
• The remainder of the expanded key is filled in four words at a time.
• Each added word w(i) depends on the immediately preceding word w(i-1) and the word four
positions back, w(i-4).
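The SubBytes, ShiftRows, MixColumns and AddRoundKey transformations and the key expansion described above, as an added example that is neither code from these notes nor NIST's or Rijndael's reference implementation: the S-box is computed from its GF(2^8) definition rather than copied, so the notes' lookup {95} -> {2A} can be checked, and the pieces are assembled into AES-128 encryption and decryption (the MixColumns matrix, its inverse and the round constants are the standard ones).

```python
# Added example (not from these notes, nor NIST's or Rijndael's reference
# code): the four AES round transformations and AES-128 key expansion written
# from the description above.  The S-box is computed (GF(2^8) inverse plus the
# affine map) rather than copied, so the notes' lookup {95} -> {2A} can be
# checked.  State is a 4x4 list of rows, state[r][c], filled column by column.

def xtime(b):
    """Multiply by x ({02}): 1-bit left shift, XOR 0x1B if the bit shifted out was 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """General GF(2^8) multiplication built from repeated xtime."""
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return p

def build_sbox():
    """Entry a = multiplicative inverse of a (0 -> 0) pushed through the affine map."""
    box = []
    for a in range(256):
        inv = 1 if a else 0
        for _ in range(254 if a else 0):      # a^254 = a^-1: the group order is 255
            inv = gmul(inv, a)
        s = inv ^ 0x63
        for k in range(1, 5):                 # XOR rotl(inv, 1) .. rotl(inv, 4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]       # MixColumns matrix
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def sub_bytes(state, box=SBOX):
    return [[box[b] for b in row] for row in state]   # high nibble = row, low = column

def shift_rows(state, inverse=False):
    """Row r is circularly shifted left by r bytes (right for InvShiftRows)."""
    k = [(-r if inverse else r) % 4 for r in range(4)]
    return [row[k[r]:] + row[:k[r]] for r, row in enumerate(state)]

def mix_columns(state, matrix=MIX):
    """Every output byte of a column combines all four input bytes over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gmul(matrix[r][k], state[k][c])
    return out

def add_round_key(state, words):
    """XOR the 16 state bytes with four key words; word c is column c."""
    return [[state[r][c] ^ words[c][r] for c in range(4)] for r in range(4)]

def key_expansion(key):
    """4 key words -> 44 words; w[i] depends on w[i-1] and w[i-4]."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return w

def to_state(block):
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))

def encrypt_block(key, block):
    w = key_expansion(key)
    s = add_round_key(to_state(block), w[0:4])                      # round 0
    for rnd in range(1, 10):                                        # rounds 1-9: all four stages
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w[4 * rnd:4 * rnd + 4])
    return from_state(add_round_key(shift_rows(sub_bytes(s)), w[40:44]))   # round 10: no MixColumns

def decrypt_block(key, block):
    w = key_expansion(key)
    s = add_round_key(to_state(block), w[40:44])                    # expanded key in reverse order
    for rnd in range(9, 0, -1):
        s = add_round_key(shift_rows(sub_bytes(s, INV_SBOX), True), w[4 * rnd:4 * rnd + 4])
        s = mix_columns(s, INV_MIX)
    return from_state(add_round_key(shift_rows(sub_bytes(s, INV_SBOX), True), w[0:4]))

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")     # FIPS-197 Appendix B vector
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print(f"S-box[0x95] = 0x{SBOX[0x95]:02X}")                   # the notes' example: 2A
    print("ciphertext:", encrypt_block(key, pt).hex())           # 3925841d02dc09fbdc118597196a0b32
```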

AES Evaluation Criteria
AES can be evaluated in 3 categories, namely,
• Security
• Cost
• Algorithm and implementation characteristics
a) Security
This refers to the effort required to cryptanalyze an algorithm. The emphasis in the
evaluation was on the practicality of the attack, because the minimum key size in AES is
128 bits. This criterion focused on resistance to cryptanalytic attacks rather than
brute-force attacks.
b) Cost
It covers the computational efficiency and storage requirements of different
implementations such as hardware, software or smart card.
c) Algorithm and implementation characteristics
• Flexibility
• Suitability for a variety of hardware and software implementations
• Simplicity, which will make an analysis of security more straightforward
• C and Java implementations

PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS

Terminologies:
• Asymmetric Keys: Two related keys, a public key and a private key, that are used to
perform complementary operations, such as encryption and decryption or signature
generation and verification.
• Public Key Certificate: A digital document issued and digitally signed by the private
key of a Certificate Authority (CA) that binds the name of a subscriber to a public key.
The certificate indicates that the subscriber identified in the certificate has sole control
and access to the corresponding private key.
• Public Key/Asymmetric Cryptographic Algorithm: A cryptographic algorithm that
uses two related keys, a public key and a private key. The two keys have the property
that deriving the private key from the public key is computationally infeasible.
• Public Key Infrastructure (PKI): A set of policies, processes, server platforms,
software and workstations used for the purpose of administering certificates and public-
private key pairs including the ability to issue, maintain, and revoke public key
certificates.

Why public key cryptosystems?


The concept of public key cryptosystems evolved from an attempt to attack two of the most
difficult problems associated with symmetric encryption, namely
a) Key distribution
b) Digital signatures
Key distribution: Key distribution under symmetric encryption requires either
(1) that the two communicants already share a key, which somehow has been distributed to them, or
(2) the use of a key distribution center.
The second requirement negates the very purpose of cryptography: the ability to maintain
total secrecy over your own communication.

Characteristics of Asymmetric algorithms


An asymmetric algorithm uses one key for encryption and another key for decryption. The
characteristics of an asymmetric algorithm are:
(1) It is computationally infeasible to determine the decryption key given only knowledge of
the cryptographic algorithm and the encryption key.
(2) Either of the two related keys can be used for encryption, with the other used for decryption.

Ingredients of a public-key encryption


(1) Plaintext: this is the readable message or data that is fed into the algorithm as input.
(2) Ciphertext: this is the scrambled message produced as output. It depends on the plaintext
and the key. For a given message, two different keys will produce two different ciphertexts.
(3) Encryption algorithm: the encryption algorithm performs various transformations on the
plaintext.
(4) Decryption algorithm: this algorithm accepts the ciphertext and the matching key and
produces the plaintext.
(5) & (6) Public and private keys: this is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption. The exact transformations performed
by the algorithm depend on the public or private key that is provided as input.

Steps in a public key encryption


The essential steps for public key cryptography are:
(1) Each user generates a pair of keys to be used for encryption and decryption.
(2) Each user places one of the two keys in a public register. This is the public key. The
companion key is kept private.
(3) If Bob wishes to send a confidential message to Alice, Bob encrypts the message
using Alice's public key.
(4) When Alice receives the message, she decrypts it using her private key. No other
recipient can decrypt the message because only Alice knows Alice's private key.

Difference between conventional (symmetric) and public-key encryption


Conventional (symmetric) encryption
Needed to work:
1. The same algorithm with the same key is used for encryption and decryption.
2. The sender and receiver must share the algorithm and the key.
Needed for security:
1. The key must be kept secret.
2. It must be impossible or at least impractical to decipher a message if the key is kept secret.
3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.

Public key encryption
Needed to work:
1. One algorithm is used for encryption and a related algorithm for decryption, with a pair of keys,
one for encryption and one for decryption.
2. The sender and receiver must each have one of the matched pair of keys.
Needed for security:
1. One of the two keys must be kept secret.
2. It must be impossible or at least impractical to decipher a message if one of the keys is kept
secret.
3. Knowledge of the algorithm, plus one of the keys, plus samples of ciphertext must be
insufficient to determine the other key.

Public-Key Cryptosystem: Secrecy

A source A produces a message in plaintext, X = [X1, X2, ..., XM]. The message is intended
for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb.
PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
Encryption: Y = E(PUb, X)
Decryption: X = D(PRb, Y)
The above scheme provides confidentiality.

Public-Key Cryptosystem: Authentication


In this case, A prepares a message to B and encrypts it using A's private key (PRa) before
transmitting it. B can decrypt the message using A's public key (PUa). Because the message was
encrypted using A's private key, only A could have prepared the message. Therefore, the entire
encrypted message serves as a digital signature. In addition, it is impossible to alter the message
without access to A's private key, so the message is authenticated both in terms of source and
in terms of data integrity.
But this encryption process does not provide confidentiality. The message being sent is safe
from alteration but not from eavesdropping: any observer can decrypt the message by using the
sender's public key.

Public-Key Cryptosystem: Authentication and Secrecy

It is possible to provide both the authentication function and confidentiality by a double use of
the public-key scheme.
Encryption: Y = E(PUb, E(PRa, X))
Decryption: X = D(PUa, D(PRb, Y))
First, encrypt the message using the sender's private key (PRa). This provides the digital
signature. Next, encrypt again using the receiver's public key (PUb). The final ciphertext can
be decrypted only by the intended receiver, who alone has the matching private key. Thus,
confidentiality is provided. The disadvantage of this approach is its complexity.

Applications for public-key cryptosystems
(1) Encryption/Decryption: the sender encrypts a message with the recipient’s public
key.
(2) Digital signature: the sender ‘signs’ a message with its private key. Signing is
achieved by a cryptographic algorithm applied to the message or to a small block of
data that is a function of the message.
(3) Key exchange: Two sides cooperate to exchange a session key.

Trap-door One-way Function


It is a family of invertible functions fk such that
Y = fk(X) is easy to compute if k and X are known,
X = fk^-1(Y) is easy to compute if k and Y are known,
X = fk^-1(Y) is infeasible to compute if Y is known and k is not known.

Conditions/Requirements for Public key Cryptography Algorithms


(1) It is computationally easy for party B to generate a pair of public key PUb and private
key PRb.
(2) It is computationally easy for a sender A, knowing the public key and the message to
be encrypted, M, to generate a ciphertext: C = E(PUb,M)
(3) It is computationally easy for the receiver B to decrypt the resulting ciphertext using
the private key to recover the original message: M = D(PRb,C) = D[PRb, E(PUb,M)]
(4) It is computationally infeasible for an adversary (attacker), knowing the public key PUb,
to determine the private key PRb.
(5) It is computationally infeasible for an adversary, knowing the public key PUb, and a
ciphertext C, to recover the original message M.
(6) Two keys can be applied in either order:
M = D[PUb, E(PRb,M)] = D[PRb, E(PUb,M)]

RIVEST-SHAMIR-ADLEMAN (RSA) ALGORITHM

• RSA is the best-known and most widely used public-key scheme. It was developed by Ron Rivest,
Adi Shamir and Len Adleman of MIT in 1977 and published in 1978.
• The RSA scheme is a cipher in which the plaintext and ciphertext are integers between
0 and n - 1 for some n.
• A typical size for n is 1024 bits, or 309 decimal digits.

Description of the algorithm


• Plaintext is encrypted in blocks, with each block having a binary value less than some number n.
In practice, the block size is i bits, where 2^i < n ≤ 2^(i+1).
• Encryption is denoted by E and decryption by D; plaintext is denoted by M
and ciphertext by C.
• Parameters needed to calculate keys: Public key: PU = {e, n}; Private key: PR = {d, n}

• Both the sender and receiver must know n.
• The sender knows e and the receiver knows d.
• Encryption: C = M^e mod n
• Decryption: M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• The requirements to be satisfied by the algorithm are
(i) It is possible to find values of e, d and n such that M^(ed) mod n = M, for all M < n.
(ii) It is easy to calculate M^e and C^d for all values of M < n.
(iii) It is infeasible to determine d given e and n.
• M^(ed) mod n = M holds only if e and d are multiplicative inverses modulo ø(n), where ø(n)
is Euler's totient function.
• The relationship between e and d can be expressed as ed mod ø(n) = 1,
that is, ed ≡ 1 mod ø(n)
d ≡ e^-1 mod ø(n)

Key Generation
(1) Select two large prime numbers p and q, where p ≠ q (Remark: p, q ≥ 2^512, i.e. 512 bits each;
therefore n ≥ 2^1024, i.e. 1024 bits)
(2) Calculate n = p*q
(3) Calculate ø(n) = (p – 1)(q – 1)
(4) Select e such that e is relatively prime to ø(n) and less than ø(n).
(5) Calculate d such that de ≡ 1 mod ø(n) and d < ø(n). d is calculated using the extended
Euclidean algorithm.

Encryption and Decryption


Plaintext: M < n
Ciphertext: C = M^e (mod n)
Plaintext: M = C^d (mod n)

Example:
Key Generation
(1) Choose p = 3 and q = 11
(2) Compute n = p * q = 3 * 11 = 33
(3) Compute ø(n) = (p - 1) * (q - 1) = 2 * 10 = 20
(4) Choose e such that 1 < e < ø(n) and e and ø(n) are coprime, i.e. gcd(e, ø(n)) = 1.
Let e = 7.
(5) Compute a value for d such that de mod ø(n) = 1, i.e. d ≡ e^-1 mod ø(n)
d ≡ 7^-1 mod 20
(Applying the Extended Euclidean Algorithm)
gcd(7, 20): a = q · b + r
20 = 2 · 7 + 6
7 = 1 · 6 + 1
Back substituting, 1 = 7 – 6
1 = 7 – (20 – 2 · 7)
1 = 7 – 20 + 2 · 7
1 = 3 · 7 + (-1) · 20
Therefore, 7^-1 mod 20 = 3 (because in 1 = x · a + y · b, y is the inverse of b mod a, i.e.
y = b^-1 mod a. Here a = 20 and b = 7, so b^-1 mod a = y and y = 3, the coefficient of 7.)

One solution is d = 3 [Simpler explanation (by trial and error): (3 · 7) mod 20 = 1]

Encryption and Decryption


Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
Encryption: C = M^e mod n
M = 2 (the condition M < 33 is satisfied)
C = 2^7 mod 33 = 29
Decryption: M = C^d mod n
C = 29
M = 29^3 mod 33 = 2
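The key generation, encryption and decryption steps of this worked example, as an added example that is not code from these notes: d is derived with the extended Euclidean algorithm exactly as above, the toy parameters p = 3, q = 11, e = 7, M = 2 are the notes' own, and a final check shows the multiplicative property of unpadded RSA that the chosen-ciphertext attacks mentioned below rely on.

```python
# Added example (not from these notes): RSA key generation, encryption and
# decryption on the toy parameters of the worked example above (p = 3, q = 11,
# e = 7, M = 2).  d comes from the extended Euclidean algorithm, as in the
# notes.  Textbook (unpadded) RSA is shown as written; is_multiplicative()
# exhibits the property that padding schemes such as OAEP exist to remove.

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e, phi):
    """d = e^-1 mod phi; fails if gcd(e, phi) != 1."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi

def generate_keys(p, q, e):
    """Steps (1)-(5) of the key generation procedure above (toy sizes here)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    return (e, n), (d, n)            # public key PU = {e, n}, private key PR = {d, n}

def encrypt(public_key, m):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy M < n")
    return pow(m, e, n)               # C = M^e mod n

def decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)               # M = C^d mod n

def is_multiplicative(public_key, m1, m2):
    """E(M1) * E(M2) == E(M1 * M2) mod n: unpadded RSA preserves products,
    which is what chosen-ciphertext attacks on it exploit."""
    _, n = public_key
    lhs = (encrypt(public_key, m1) * encrypt(public_key, m2)) % n
    return lhs == encrypt(public_key, (m1 * m2) % n)

if __name__ == "__main__":
    pub, priv = generate_keys(3, 11, 7)                  # (7, 33), (3, 33)
    c = encrypt(pub, 2)
    print("public", pub, "private", priv, "C =", c, "M =", decrypt(priv, c))   # C = 29, M = 2
    print("1 = 3*7 + (-1)*20 ->", extended_gcd(7, 20))                          # (1, 3, -1)
```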

RSA Security
Five possible approaches to attacking the RSA algorithm are:
• Brute force: this involves trying all possible private keys.
• Mathematical attacks: there are several approaches, all equivalent in effort to
factoring the product of two primes.
• Timing attacks: these depend on the running time of the decryption algorithm.
• Hardware fault-based attack: this involves inducing hardware faults in the processor
that is generating digital signatures.
• Chosen Ciphertext Attacks (CCA): this type of attack exploits properties of the RSA
algorithm.

Primitive Roots
If p is a prime number, an integer a is a primitive root of p if, as n runs from 1 to p-1, a^n mod p
runs through all the numbers 1, 2, …, p-1 in some order.
Example: 3 is a primitive root of 5
Proof: p = 5, a = 3, therefore n = 1, 2, 3, 4
n    a^n           a^n mod p
1    3^1 = 3       3 mod 5 = 3
2    3^2 = 9       9 mod 5 = 4
3    3^3 = 27      27 mod 5 = 2
4    3^4 = 81      81 mod 5 = 1
All of 1, 2, 3, 4 appear, so 3 is a primitive root of 5.
Example: 4 is not a primitive root of 5
Proof: p = 5, a = 4, therefore n = 1, 2, 3, 4
n    a^n           a^n mod p
1    4^1 = 4       4 mod 5 = 4
2    4^2 = 16      16 mod 5 = 1
3    4^3 = 64      64 mod 5 = 4
4    4^4 = 256     256 mod 5 = 1
Only 4 and 1 appear, so 4 is not a primitive root of 5.

DIFFIE – HELLMAN KEY EXCHANGE

The purpose of the algorithm is to enable two users to securely exchange a key that can then
be used for subsequent symmetric encryption of messages. The algorithm itself is limited to
the exchange of secret values. Diffie-Hellman algorithm depends for its effectiveness on the
difficulty of computing discrete logarithms.

Alice and Bob share a prime number p and an integer α, such that α < p and α is a primitive
root of p.

Alice                                               Bob
Generates a private key PRA = a such that a < p     Generates a private key PRB = b such that b < p
Calculates public key A = PUA = α^a mod p           Calculates public key B = PUB = α^b mod p
Receives Bob’s public key B in plain text           Receives Alice’s public key A in plain text
Calculates the shared secret key KAB ≡ B^a mod p    Calculates the shared secret key KAB ≡ A^b mod p

• In this algorithm, there are two publicly known numbers: a prime number p and an
integer α that is a primitive root of p.
• Suppose the users Alice and Bob wish to exchange a key. Alice selects a random integer
a < p and computes PUA = A ≡ α^a mod p.
• Similarly, Bob independently selects a random integer b < p and computes PUB = B ≡
α^b mod p. Each side keeps the ‘a’ and ‘b’ values private and makes the ‘A’ and ‘B’
values available publicly to the other side.
• Alice computes the key as KAB ≡ B^a mod p
• Bob computes the key as KAB ≡ A^b mod p.
• These two calculations produce identical results:
Alice computes B^a mod p:
B = α^b mod p, therefore B^a mod p = (α^b)^a mod p = α^ab mod p = KAB
Bob computes A^b mod p:
A = α^a mod p, therefore A^b mod p = (α^a)^b mod p = α^ab mod p = KAB
• The result is that the two sides have exchanged a secret value. This secret value (KAB)
is used as the shared symmetric secret key.
• Consider an adversary who observes the key exchange and wishes to determine the
secret key KAB. Because a and b are private, the adversary only has α, p, A and B.
• Thus, the adversary is forced to take a discrete logarithm (dlog) to determine the key.
• To determine the private key b of Bob, the adversary must compute b = dlog_α,p (B)
• The adversary can then calculate the shared key KAB in the same manner Bob calculates
it: KAB = A^b mod p

Security of Diffie Hellman Key Exchange


• The security of Diffie Hellman key exchange lies in the fact that while it is easy to
calculate exponentials modulo a prime, it is very difficult to calculate discrete
logarithms.
• For example:
1. Key exchange based on the prime number, p = 353
2. A primitive root of 353, α = 3
3. Alice’s private key, a = 97 and Bob’s private key, b = 233
4. Alice computes her public key, A = 3^97 mod 353 = 40.
5. Bob computes his public key, B = 3^233 mod 353 = 248.
After they exchange public keys, each can compute the common secret key KAB:
6. Alice computes secret key, KAB = B^a mod 353 = 248^97 mod 353 = 160.
7. Bob computes secret key, KAB = A^b mod 353 = 40^233 mod 353 = 160.
• Here, it would be possible by brute force to determine the secret key KAB = 160.
• An attacker can determine KAB by discovering a solution to the equation 3^a mod 353
= 40 or the equation 3^b mod 353 = 248.
• The brute force approach calculates powers of 3 mod 353 until the result equals 40 or
248.
• With larger numbers, the problem becomes impractical.
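The p = 353, α = 3 exchange above, as an added Python example that is not part of the notes. is_primitive_root uses the table method from the Primitive Roots section, dh_public and dh_shared are the two sides' computations, and brute_force_dlog is the exhaustive search the notes describe, which is feasible only because p is tiny. The function names and the range check on the received public value are this example's own, not notation from the notes.

```python
"""Diffie-Hellman over a small prime, reproducing the p = 353, α = 3 example
above. Added example, not from the notes. The primitive-root test and the
discrete-log search are exhaustive and only practical for toy sizes, which is
exactly the point the notes make: with real-size primes they are infeasible.
"""


def is_primitive_root(alpha, p):
    """alpha is a primitive root of prime p iff alpha^n mod p, n = 1..p-1,
    visits every value 1..p-1 (the table method used above)."""
    seen = set()
    x = 1
    for _ in range(1, p):
        x = (x * alpha) % p
        seen.add(x)
    return len(seen) == p - 1


def dh_public(alpha, p, priv):
    """A = alpha^a mod p (resp. B = alpha^b mod p)."""
    if not 1 <= priv < p:
        raise ValueError("private key must satisfy 1 <= x < p")
    return pow(alpha, priv, p)


def dh_shared(peer_public, p, priv):
    """K_AB = B^a mod p (resp. A^b mod p)."""
    # Reject the trivial group elements 0, 1 and p-1: a peer value in this set
    # forces the shared secret into {0, 1, p-1} regardless of our private key.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, priv, p)


def brute_force_dlog(alpha, target, p):
    """Smallest x >= 1 with alpha^x ≡ target (mod p): the 'calculate powers of
    3 mod 353 until the result equals 40 or 248' approach. O(p) work."""
    x = 1
    for exp in range(1, p):
        x = (x * alpha) % p
        if x == target:
            return exp
    return None


def demo():
    p, alpha, a, b = 353, 3, 97, 233           # values from the notes' example
    A, B = dh_public(alpha, p, a), dh_public(alpha, p, b)
    k_alice, k_bob = dh_shared(B, p, a), dh_shared(A, p, b)
    return {"A": A, "B": B, "K_alice": k_alice, "K_bob": k_bob,
            "a_recovered": brute_force_dlog(alpha, A, p)}


if __name__ == "__main__":
    print(demo())   # A = 40, B = 248, both keys 160, a recovered as 97
```

Running demo() confirms that both sides arrive at KAB = 160 and that, for a 9-bit prime, the observer recovers Alice's private exponent from A = 40 after at most 352 multiplications; the same loop over a 2048-bit prime would never finish.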

Key Exchange Protocols


• Suppose a user Alice wishes to set up a connection with user Bob and use a secret key
to encrypt messages on that connection. Alice can generate a one-time private key ‘a’,
calculate her public key ‘A’ and send that to Bob. Bob responds by generating his
private key ‘b’, calculating his public key ‘B’ and sending it to Alice. Both users
can now calculate the shared secret key. The parameters p and α should be known ahead
of time, or Alice could pick values for p and α and send them to Bob.
• Suppose a group of users each generate long-lasting private keys Xi and calculate
public keys Yi. These public keys, along with public values for p and α, are stored in
some central directory. At any time, user j can access user i’s public key, calculate a
secret key, and use that to send an encrypted message to i. If the central directory is
trusted, then this form of communication provides both confidentiality and a degree of
authentication. Because only i and j can determine the key, no one else can read the message
(confidentiality). Recipient i knows that only j could have created the message using
this key (authentication).
• However, this technique does not protect against replay attacks.

Man-in-the-Middle Attack
The protocol is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to
exchange keys, and Darth is the adversary. The attack proceeds as follows:
1. Darth prepares for the attack by generating two random private keys d1 and d2 and then
computing the corresponding public keys D1 and D2.
2. Alice transmits her public key A to Bob.
3. Darth intercepts A and transmits D1 to Bob. Darth also calculates K2 = A^d2 mod p.
4. Bob receives D1 and calculates K1 = D1^b mod p.
5. Bob transmits his public key B to Alice.
6. Darth intercepts B and transmits D2 to Alice. Darth calculates K1 = B^d1 mod p.
7. Alice receives D2 and calculates K2 = D2^a mod p.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2.

All future communication between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message.
In the first case, Darth simply wants to eavesdrop on the communication without altering it.
In the second case, Darth wants to modify the message going to Bob.

This vulnerability can be overcome with the use of digital signatures and public-key
Certificates.

ELLIPTIC CURVE ARITHMETIC

Elliptic Curves
• An elliptic curve is a plane algebraic curve defined by an equation given by Weierstrass,
called the Weierstrass equation: y^2 + axy + by = x^3 + cx^2 + dx + e, where a, b, c, d and
e are real numbers. The Weierstrass equation used here is limited to the simplified form:
y^2 = x^3 + ax + b.
• Elliptic curves are not ellipses. Each curve is symmetric about the x-axis (the line y = 0).
• Examples of elliptic curves: [figure omitted]

Types of Elliptic curves used in cryptography
a) Prime curves over Zp (best used for software applications)
b) Binary curves over GF(2^m) (best used for hardware applications)

Prime curves over Zp


Definition: The prime curve over Zp, p > 3, is the set of all pairs (x, y) ∈ Zp × Zp satisfying
y^2 ≡ x^3 + ax + b mod p, together with an imaginary point at infinity O, where a, b ∈ Zp and
4a^3 + 27b^2 ≠ 0 mod p.

The points on the elliptic curve over Zp are denoted by Ep(a,b).

P = (x_P, y_P), Q = (x_Q, y_Q), R = (x_R, y_R)

P = (x_P, y_P) and -P = (x_P, -y_P)
The y-coordinate of any point on the curve satisfies y^2 = x^3 + ax + b (mod p), i.e.
y = √(x^3 + ax + b) mod p, a square root taken in Zp.

Rules for Addition over Ep(a,b)


1. P + O = P
2. P + (-P) = O
Example: (both the coordinates of the points P and -P must be less than the prime number
p, otherwise take mod p and then continue)
a) if P = (13,7) over E23(1,1), then -P = (13,-7) = (13,-7 mod 23) = (13,16)
b) if P = (13,-7) over E23(1,1), then P = (13,-7 mod 23) = (13,16). Then -P = (13,-16)
= (13,-16 mod 23) = (13,7)
c) if P = (13,25) over E23(1,1), then P = (13,25 mod 23) = (13,2). Then -P = (13,-2)
= (13,-2 mod 23) = (13,21)
d) if P = (13,-25) over E23(1,1), then P = (13,-25 mod 23) = (13,21). Then -P = (13,-21)
= (13,-21 mod 23) = (13,2)
3. P + Q = R (Point Addition)
4. Multiplication is defined by repeated addition: P + P = 2P (Point Doubling)

Formula for Point Addition and Doubling


Addition: P + Q = R (i.e. P ≠ Q)
Slope λ = (y_Q – y_P) / (x_Q – x_P) mod p
x_R = (λ^2 – x_P – x_Q) mod p
y_R = (λ(x_P – x_R) – y_P) mod p

Doubling: P + P = 2P (i.e. P = Q)
Slope λ = (3x_P^2 + a) / (2y_P) mod p
x_S = (λ^2 – 2x_P) mod p
y_S = (λ(x_P – x_S) – y_P) mod p

(In both slope formulas the division means multiplication by the modular inverse of the
denominator in Zp.)

Problems using point addition and doubling (refer class notes for solutions)

1. Let P = (3,10) and Q = (9,7) over the elliptic curve E23(1,1). Calculate the slope and
coordinates of point R on the curve.
Solution: λ = 11, R = (17,20)
2. Find 2P for P = (3,10) over the elliptic curve E23(1,1).
Solution: λ = 6, 2P = (7,12)
3. Find 2P over the elliptic curve y2 = x3 + 2x + 2 mod 17 where P = (5,1)
Solution: λ = 13, 2P = (6,3)

ELLIPTIC CURVE CRYPTOGRAPHY [ECC]

Discrete Logarithm Problem (DLP)


Consider the equation Q = kP, where Q ∈ Ep(a,b) and k < p. It is relatively easy to calculate Q
given k and P, but it is relatively hard to determine k given P and Q.
Example: Consider E23(9,17). What is the DL ‘k’ of Q = (4,5) to the base P = (16,5)?
Solution:
P = (16, 5)
2P = (20, 20) = P + P
3P = (14, 14) = 2P + P
.
.
.
9P = (4, 5) = 8P + P = Q (given)
Therefore, Q = 9P, hence k = 9.

Finding k is hard in practice. Computing Q = kP for a known k, on the other hand, is made
efficient by the double-and-add algorithm.

Double-and-add Algorithm
Example: 26P = ?
The naïve way of finding 26P is to add P 26 times, i.e. do 25 operations (1 doubling and 24
additions).
By using the double-and-add algorithm, the number of operations is reduced to 6 (4 doublings and
2 additions).

26P = (11010)_2 . P

Double: P + P = 2P = (10)_2 . P
Add: 2P + P = 3P = (11)_2 . P
Double: 3P + 3P = 6P = (110)_2 . P
Double: 6P + 6P = 12P = (1100)_2 . P
Add: 12P + P = 13P = (1101)_2 . P
Double: 13P + 13P = 26P = (11010)_2 . P

ELLIPTIC CURVE CRYPTOGRAPHY DIFFIE-HELLMAN KEY EXCHANGE (ECCDH)

Elliptic curve cryptography [ECC] is a public-key cryptosystem. Every user has a public and a
private key.
– Public key is used for encryption/signature verification.
– Private key is used for decryption/signature generation. Each user generates their own
public/private key pair.
Private Key = an integer x selected from the interval [1, p-1]
Public Key = product of private key and base point (Product = x*G)
Algorithm:
1. Global public elements:
Eq(a, b) – elliptic curve with a, b parameters and q is a prime number
G – base/generator point on E whose order is a large value n
2. User A key generation:
Select private key nA where nA < n
Calculate public key PA where PA = nA . G
3. User B key generation:
Select private key nB where nB < n
Calculate public key PB where PB = nB . G
4. Calculation of secret key by user A:
K = nA.PB
5. Calculation of secret key by user B:
K = nB.PA
Proof of Correctness:
User A: K= nA.PB = nA.nB.G
User B: K= nB.PA = nA.nB.G

Example :
Over the elliptic curve E211(0,-4) and the base point G = (2,2) with user A’s private key as 121
and user B’s private key as 203, calculate the public keys of user A and B and also find the
secret key shared between them.
Solution:
Given: nA = 121 nB = 203 G = (2,2)
Public key calculation: PA = nA . G = 121.(2,2) = (115,48)
PB = nB . G = 203.(2,2) = (130,203)
Shared secret key calculation: K= nA.PB = nB.PA = 121.(130,203) = 203.(115,48) = (161,69)

** Even with the double-and-add algorithm, scalar multiplications of this size are too long to
carry out by hand. Recovering the private scalars (121 or 203) from the public points is the
elliptic curve DLP that ensures the security of ECC.

Encryption and Decryption


The plaintext message m is encoded as a point Pm on the elliptic curve. This point Pm is
encrypted as a cipher text and subsequently decrypted after being received.

Encryption: User A chooses a random positive integer k from { 1, 2, …, p-1 } and
produces the cipher text Cm = { kG, Pm + kPB }
Decryption: by user B
Take the first point from Cm, i.e. kG
Multiply kG by user B’s private key: Product = nB . kG
Take the second point from Cm and subtract the product from it: Pm + kPB – nB . kG
Substitute PB = nB . G
Then Pm + k . nB . G – nB . k . G = Pm
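One Python implementation, added here and not from the notes, covering the point addition and doubling formulas, the double-and-add scalar multiplication, the ECDLP example on E23(9,17), ECDH on E211(0,-4) and the point encryption/decryption just described. The curve parameters and keys are the notes' own worked values; the class and function names (Curve, ec_dlog, ecdh, ec_encrypt, ec_decrypt), the use of None for the point at infinity O, and the scalar k in the encryption demo are this example's assumptions.

```python
"""Prime-curve arithmetic over Z_p with the addition/doubling formulas,
double-and-add scalar multiplication, the ECDLP example, ECDH and the
point-based encryption/decryption described above. Added example, not from
the notes. The curves E23(1,1), E23(9,17), E17(2,2), E211(0,-4) and the keys
121 and 203 are the notes' own toy values; everything else is constructed.
A real system uses a standard curve and a vetted library, not this code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None represents the point at infinity O


@dataclass(frozen=True)
class Curve:
    """E_p(a, b): y^2 = x^3 + a x + b (mod p), p > 3 prime."""
    p: int
    a: int
    b: int

    def __post_init__(self):
        if (4 * self.a ** 3 + 27 * self.b ** 2) % self.p == 0:
            raise ValueError("4a^3 + 27b^2 = 0 mod p: curve is singular")

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-P = (x_P, -y_P mod p)."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Rules 1-4: P + O = P, P + (-P) = O, point addition, point doubling."""
        if P is None:
            return Q
        if Q is None:
            return P
        xP, yP = P
        xQ, yQ = Q
        if xP == xQ and (yP + yQ) % self.p == 0:
            return None                               # P + (-P) = O (also covers y_P = 0)
        if P == Q:                                    # doubling slope (3x_P^2 + a) / 2y_P
            lam = (3 * xP * xP + self.a) * pow(2 * yP, -1, self.p)
        else:                                         # addition slope (y_Q - y_P) / (x_Q - x_P)
            lam = (yQ - yP) * pow(xQ - xP, -1, self.p)
        lam %= self.p
        xR = (lam * lam - xP - xQ) % self.p
        yR = (lam * (xP - xR) - yP) % self.p
        return xR, yR

    def mul(self, k: int, P: Point) -> Point:
        return self.mul_counted(k, P)[0]

    def mul_counted(self, k: int, P: Point):
        """Double-and-add, scanning the bits of k from the most significant one.
        Returns (kP, doublings, additions) so the operation count is visible."""
        if k <= 0 or P is None:
            return None, 0, 0
        R, doublings, additions = P, 0, 0
        for bit in bin(k)[3:]:                        # skip '0b' and the leading 1
            R, doublings = self.add(R, R), doublings + 1
            if bit == "1":
                R, additions = self.add(R, P), additions + 1
        return R, doublings, additions


def ec_dlog(curve: Curve, P: Point, Q: Point, limit: int):
    """Smallest k in 1..limit with kP = Q, by repeated addition. Feasible
    only on toy curves: this is the problem whose hardness protects ECC."""
    R = P
    for k in range(1, limit + 1):
        if R == Q:
            return k
        R = curve.add(R, P)
    return None


def ecdh(curve: Curve, G: Point, nA: int, nB: int):
    """Steps 2-5 above: PA = nA.G, PB = nB.G, K = nA.PB = nB.PA."""
    PA, PB = curve.mul(nA, G), curve.mul(nB, G)
    return PA, PB, curve.mul(nA, PB), curve.mul(nB, PA)


def ec_encrypt(curve: Curve, G: Point, PB: Point, Pm: Point, k: int):
    """Cm = {kG, Pm + kPB}; k is the sender's random scalar."""
    return curve.mul(k, G), curve.add(Pm, curve.mul(k, PB))


def ec_decrypt(curve: Curve, nB: int, Cm):
    """Pm = (Pm + kPB) - nB.(kG), using PB = nB.G."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))
```

mul_counted on k = 26 performs 4 doublings and 2 additions, matching the count given for (11010)_2 above; ecdh on E211(0,-4) with G = (2,2) reproduces PA = (115,48), PB = (130,203) and K = (161,69), and ec_dlog recovers k = 9 for the E23(9,17) example by the same brute-force walk the notes show. The __post_init__ check rejects a curve whose discriminant is zero modulo p, the condition stated in the definition of prime curves.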

Security of ECC
The fastest known technique for solving the elliptic curve logarithm problem is the Pollard
rho method. Because ECC achieves comparable security with a much shorter key length than RSA,
it has a computational advantage.

Applications of ECC
ECC is particularly beneficial for applications where:
• computational power is limited (wireless devices, PC cards)
• integrated circuit space is limited (wireless devices, PC cards)
• high speed is required.
• intensive use of signing, verifying or authenticating is required.
• signed messages are required to be stored or transmitted (especially for short messages).
• bandwidth is limited (wireless communications and some computer networks).

KEY MANAGEMENT
There are two distinct aspects to the use of public-key cryptography:
I) The distribution of public keys
II) The use of public-key encryption to distribute secret keys

I) Distribution of Public Keys


There are four different schemes
i. Public announcement
ii. Publicly available directory
iii. Public-key authority
iv. Public-key certificates

(i) Public announcement


Any participant can send his or her public key to any other participant or broadcast the key to
the community.

Limitation
Anyone can forge such a public announcement. That is, some user could pretend to be user A
and send a public key to another participant or broadcast such a public key. Authentication is
needed to avoid this problem.

(ii) Publicly Available Directory


A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have to be
the responsibility of some trusted entity or organization.
• The authority maintains a directory with a {name, public key} entry for each participant.
• Each participant registers a public key with the directory authority.
• Participants could also access the directory electronically.
• A participant may replace the existing key with a new one at any time to avoid attacks on that
key.
• Periodically, the authority publishes the entire directory or updates to the directory to all
participants, in the form of a telephone index.
Advantage
More secure than individual public announcement.

Limitation
A problem arises if the opponent captures the private key of the directory authority.

(iii) Public-key authority


Stronger security for public-key distribution can be achieved by providing tighter control over
the distribution of public keys from the directory. The central authority maintains all public
keys of participants in its dynamic directory. Each participant knows the public key of the
authority, but the private key of the authority is kept secret.

1. A sends a timestamped request to public-key authority for the public key of B.


2. The authority replies with a message that is encrypted using the authority's private key,
PRauth. A knows the public key of the authority, so A can decrypt the message. The message
includes the following:
• B's public key, PUb
• The request already sent by A (for verification)
• The timestamp Time1 already sent by A (so A can check whether the reply is current or an old one)
3. A stores B's public key and sends a message to B encrypted using B’s public key.
This message consists of
• A’s identity, (IDA)
• Nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's public
key.
5. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new
nonce generated by B (N2)
6. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

Advantage
More secure and attractive than previous two.

Limitations
• Each and every time the user must appeal to the authority for a public key for every other
user that it wishes to contact.
• The directory of names and public keys maintained by the authority is vulnerable to
tampering.

(iv) Public key certificate


It uses certificates that can be used by participants to exchange keys without contacting a public
key authority for its every transaction.

Each certificate contains a public key and other information created by certificate authority.
Each participant conveys its key information to its correspondent by transmitting their
certificates. Other participant can verify that the certificate was created by the authority.
The requirements of the scheme are
1. Any participant can read a certificate to determine the name and public key of the certificate
owner.
2. Any participant can verify that the certificate originated from the certificate authority.
3. Only the certificate authority can create and update the certificates.
4. Any participant can verify the currency of the certificate.

II) Public key encryption to distribute secret keys


(i) Simple secret key distribution
(ii) Secret key distribution with confidentiality and authentication

(i) Simple secret key distribution

Steps used for communication between A and B are


1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B
consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, encrypts it using A’s public key and transmits it to A.
3. A computes D(PRa, E(PUa, Ks)) to recover Ks. Now both A and B know Ks. Once
communication is over, both A and B discard Ks.
Problem: man-in-the-middle attack. It can be rectified by using authentication.

(ii) Secret Key Distribution with Confidentiality and Authentication

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a
nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new
nonce generated by B (N2).
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message
with B's public key ensures that only B can read it; encryption with A's private key ensures that
only A could have sent it.
5. B then computes D(PUa, D(PRb, M)) to recover the secret key.
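Steps 1-5 above as a runnable Python simulation, added here and not from the notes, with textbook RSA standing in for E(PU, .) and D(PR, .). The RSA key pairs (built from Mersenne primes so the moduli are large enough for the packed fields), the identifier ID_A, the 32-bit nonce width and the helper names (make_keypair, rsa, pack, unpack, run_protocol) are this example's own constructed choices, and the tamper_n1 switch is added to show how a wrong nonce in step 2 is rejected.

```python
"""Simulation of 'secret key distribution with confidentiality and
authentication' (steps 1-5 above). Added example, not from the notes.
Constructed values: A's modulus is ~2^92 and B's ~2^196, with n_a < n_b so
that E(PRa, Ks) fits under B's modulus in step 4. Raw RSA exponentiation is
used only to keep the five messages visible; real protocols use padded RSA
(OAEP/PSS) or a modern KEM.
"""
import secrets

E = 65537


def make_keypair(p, q, e=E):
    """(PU, PR) = ((e, n), (d, n)) for distinct primes p, q with gcd(e, phi) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa(key, m):
    """E(PU, m) and D(PR, c) are the same operation, m^k mod n."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("value does not fit under the modulus")
    return pow(m, k, n)


# Constructed key material (Mersenne primes 2^31-1, 2^61-1, 2^89-1, 2^107-1).
PU_A, PR_A = make_keypair(2 ** 31 - 1, 2 ** 61 - 1)
PU_B, PR_B = make_keypair(2 ** 89 - 1, 2 ** 107 - 1)
ID_A = 0xA1CE                            # constructed identifier of A
MASK32 = (1 << 32) - 1


def pack(hi, lo):
    """Concatenate two 32-bit fields into one integer (hi || lo)."""
    return (hi << 32) | lo


def unpack(m):
    return m >> 32, m & MASK32


def run_protocol(ks=None, n1=None, n2=None, tamper_n1=False):
    """Run the five steps and return what each side ends up with.
    tamper_n1 simulates a step-2 reply that echoes the wrong nonce."""
    ks = secrets.randbits(64) if ks is None else ks      # Ks chosen by A
    n1 = secrets.randbits(32) if n1 is None else n1      # A's nonce
    n2 = secrets.randbits(32) if n2 is None else n2      # B's nonce

    # Step 1: A -> B: E(PUb, [IDA || N1])
    msg1 = rsa(PU_B, pack(ID_A, n1))
    ida_seen, n1_seen = unpack(rsa(PR_B, msg1))          # B decrypts with PRb

    # Step 2: B -> A: E(PUa, [N1 || N2]); only the holder of PRb can know N1
    echoed = n1_seen ^ 1 if tamper_n1 else n1_seen
    msg2 = rsa(PU_A, pack(echoed, n2))
    n1_back, n2_seen = unpack(rsa(PR_A, msg2))           # A decrypts with PRa
    if n1_back != n1:
        raise ValueError("step 2: N1 mismatch, B is not authenticated")

    # Step 3: A -> B: E(PUb, N2); only the holder of PRa can know N2
    msg3 = rsa(PU_B, n2_seen)
    if rsa(PR_B, msg3) != n2:
        raise ValueError("step 3: N2 mismatch, A is not authenticated")

    # Step 4: A -> B: M = E(PUb, E(PRa, Ks))  (signed with PRa, then encrypted)
    msg4 = rsa(PU_B, rsa(PR_A, ks))

    # Step 5: B computes D(PUa, D(PRb, M)) to recover Ks
    ks_recovered = rsa(PU_A, rsa(PR_B, msg4))
    return {"id_seen_by_B": ida_seen, "ks_sent": ks, "ks_recovered": ks_recovered}


if __name__ == "__main__":
    print(run_protocol())
```

The nonce checks in steps 2 and 3 are what turn the simple distribution scheme of (i) into an authenticated one: a third party relaying messages cannot produce the correct N1 without PRb or the correct N2 without PRa, so run_protocol raises instead of handing over Ks. The same nonce pattern appears in steps 3-6 of the public-key authority scheme above.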
