CNS Unit 2
Data Encryption Standard (DES)- Advanced Encryption Standard (AES) - Triple DES. Public
key cryptography: Principles of public key cryptosystems - The RSA algorithm - Key
management – Attacks on RSA - Diffie Hellman Key exchange - Elliptic curve arithmetic -
Elliptic curve cryptography.
INTRODUCTION
Block Cipher: A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length. Typical block sizes are 64 bits or 128
bits. E.g. DES, AES.
Stream Cipher: A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. E.g. Vigenère cipher, Vernam cipher.
Feistel Cipher:
A Feistel cipher approximates the ideal block cipher by utilizing the concept of a product cipher,
which is the execution of two or more simple ciphers in sequence in such a way that the final result
or product is cryptographically stronger than any of the component ciphers.
Basic Design idea of Feistel cipher:
Feistel proposed the use of a cipher that alternates substitutions and permutations.
• Substitution: Each plaintext element or group of elements is uniquely replaced by a
corresponding cipher text element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation of that
sequence, i.e. no elements are added or deleted or replaced in the sequence, rather the order
in which the elements appear in that sequence is changed.
Feistel cipher is the practical application of Claude Shannon’s proposal to develop a product cipher
that alternates confusion and diffusion functions that frustrate statistical cryptanalysts.
Diffusion: The statistical structure of the plaintext is dissipated into long-range statistics of
ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext
digits.
Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and
the value of the encryption key as complex as possible.
DES is also called the Data Encryption Algorithm. This algorithm was proposed by the National
Institute of Standards and Technology (NIST) in 1977.
1. Key transformation
• A 64-bit key is taken as input. The key is first subjected to a permutation (permuted choice 1),
resulting in a 56-bit key.
• This 56-bit key is divided into two 28-bit halves. Each half is circularly left shifted by one or
two positions depending on the round.
• The shifted 56 bits are given as input to a second permutation (permuted choice 2), which
selects a unique 48-bit subkey for each round.
2. Expansion permutation
• The right half of the plaintext (Ri-1) is expanded from 32 bits to 48 bits by the expansion
permutation (E-table).
• The 48-bit subkey is XORed with the 48-bit expanded right half, and the resulting 48-bit output
is given to the next step.
3. Substitution S-boxes
• S-box substitution is a process that accepts the 48-bit output of the XOR operation and
produces a 32-bit output.
• There are 8 S-boxes, numbered 1 to 8. Each S-box takes 6 bits as input and gives 4 bits
as output.
4. Permutation
• The output of the S-boxes consists of 32 bits. These 32 bits are permuted using the P-box.
5. XOR and swap
• All the above operations are performed only on the 32-bit right half. Now the left half
(Li-1) is XORed with the P-box output.
• The result of the XOR operation becomes the new right half (Ri). The old right half becomes
the new left half (Li).
Strength of DES
1) The use of a 56-bit key
As the key length is 56 bits, a brute-force attack has 2^56 possible keys to try. Hence, it is
impractical.
2) The nature of the DES algorithm
A cryptanalytic attack must exploit the characteristics of the DES algorithm, in particular its
substitution boxes (S-boxes). The design criteria of the S-boxes were not made public. If a weakness
of the S-boxes were known, there would be a possibility of breaking DES by a cryptanalytic attack,
but so far no such attack is known.
3) Timing attack
A timing attack is one in which information about the key or the plaintext is obtained by observing
how long it takes a given implementation to perform decryptions on various ciphertexts. A timing
attack exploits the fact that an encryption or decryption algorithm often takes slightly different
amounts of time on different inputs. One such approach yields the Hamming weight (the number of
bits equal to 1) of the secret key.
1) Number of Rounds
When the number of rounds increases, the difficulty to perform cryptanalysis also increases even
with a weak F. The number of rounds is to be chosen so that known cryptanalytic efforts should be
greater than the efforts of brute-force attack.
2) Design of Function F
Criteria needed for F,
• It must be difficult to unscramble the substitution done by F.
• The function should satisfy Strict Avalanche Criterion (SAC) – output bit j should change
with the probability of ½ when input bit i is inverted, for all i and j.
• The function should satisfy Bit Independence Criterion (BIC) - Output bits j and k should
change independently when any single input bit i is inverted for all i, j, and k.
• The S- box should have guaranteed avalanche effect.
3) Key Schedule Algorithm
The key generation algorithm is used to generate one subkey for each round. The subkeys should
be different for each round, and it should be difficult to deduce the subkeys or trace back the main key.
Advantages :
• An appropriate mode for encrypting messages of length greater than b bits.
• In addition to its use to achieve confidentiality, the CBC mode can be used for authentication.
• CBC mode is self-recovering, i.e. if two blocks are affected by an error, the system recovers
and continues to work correctly for all subsequent blocks.
Disadvantages:
• Both IV and key should be protected.
(iii) Cipher Feedback Mode
DES is a block cipher technique that uses 64 bit blocks. It is possible to convert DES into a stream
cipher using Cipher Feedback (CFB), Output Feedback (OFB) or Counter (CTR) mode.
• The input to the encryption function is a b-bit shift register that is initially set to some
initialization vector (IV).
• The leftmost (most significant) s bits of the output of the encryption function are XORed
with the first segment of plaintext P1 s bits to produce the first unit of ciphertext C1.
• The contents of the shift register are shifted left by s bits and C1 is placed in the rightmost.
• This process continues until all plaintext units have been encrypted.
• For decryption, the same scheme is used, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit.
Encryption & Decryption function
Let S_s(X) be defined as the most significant s bits of X.
C1 = P1 ⊕ S_s[E(K, IV)]
P1 = C1 ⊕ S_s[E(K, IV)]
Advantages:
• Avoids padding
• Operates on real-time
• It is self-recovering
• Simplicity
• Need not be used on byte boundary
Advantage
One advantage of the OFB method is that bit errors in transmission do not propagate.
Disadvantage
The disadvantage of OFB is that it is more vulnerable to a message stream modification attack
than is CFB.
(v) Counter Mode – (CTR)
• Here, a counter equal in size to the plaintext block is used.
• The counter value must be different for each plain text block.
• The counter is initialized to some value and then incremented by 1 for each subsequent
block.
• For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the cipher text block; there is no chaining.
• For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a cipher text block to recover the corresponding plaintext block.
Advantages
• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or cipher text.
• Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features can be utilized.
• Preprocessing: The execution of the underlying encryption algorithm does not depend on
input of the plaintext or cipher text.
• Random access: The ith block of plaintext or ciphertext can be processed in random-access
fashion.
Disadvantages
• Synchronous counter at sender and receiver must be present. Loss of
synchronization leads to incorrect recovery of plaintext.
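As an added example (not code from the original notes), the following Python implements CFB with s = 8 bits over a b = 64-bit shift register and CTR mode exactly as described above, then checks the self-recovery claim for CFB by flipping one ciphertext byte and the random-access claim for CTR by decrypting a single block on its own. The 64-bit block function E, the key, the IV and the plaintext are all constructed stand-ins (E is HMAC-SHA256 truncated to 64 bits, not DES): the modes only ever call the forward function, so no inverse is needed.

```python
import hashlib
import hmac

BLOCK = 8  # b = 64-bit blocks (the DES block size); the block function is a stand-in


def E(key: bytes, x: bytes) -> bytes:
    """Constructed 64-bit block function: HMAC-SHA256 truncated to b bits.
    CFB, OFB and CTR only ever call the forward function E(K, .), never its
    inverse, so a keyed one-way function is enough to demonstrate the modes."""
    assert len(x) == BLOCK
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB with s = 8: each byte-sized unit is XORed with the leftmost s bits of
    E(K, shift register); the register then shifts left by s bits and the
    ciphertext unit enters on the right, for encryption and decryption alike."""
    assert len(iv) == BLOCK
    reg = bytearray(iv)
    out = bytearray()
    for unit in data:
        keystream = E(key, bytes(reg))[0]          # S_s[E(K, register)] with s = 8
        result = unit ^ keystream
        cipher_unit = unit if decrypt else result  # the ciphertext is what feeds back
        out.append(result)
        reg = reg[1:] + bytes([cipher_unit])
    return bytes(out)


def ctr_block(key: bytes, nonce: int, i: int, block: bytes) -> bytes:
    """Process block i on its own: XOR with E(K, nonce + i). There is no chaining,
    so the same call encrypts, decrypts and gives random access to any block."""
    counter = ((nonce + i) % (1 << 64)).to_bytes(BLOCK, "big")
    return bytes(a ^ b for a, b in zip(block, E(key, counter)))


def ctr(key: bytes, nonce: int, data: bytes) -> bytes:
    """Whole-message CTR; every block could equally well be done in parallel."""
    n_blocks = (len(data) + BLOCK - 1) // BLOCK
    return b"".join(ctr_block(key, nonce, i, data[i * BLOCK:(i + 1) * BLOCK])
                    for i in range(n_blocks))


def cfb_error_positions(key: bytes, iv: bytes, pt: bytes, flip: int) -> list:
    """Flip one bit of ciphertext byte `flip`, decrypt, and list the plaintext
    positions that come out wrong. CFB is self-recovering: only the hit unit and
    the next b/s = 8 units (while the bad byte sits in the register) can be
    affected; everything from position flip + 9 onwards decrypts correctly."""
    ct = bytearray(cfb(key, iv, pt))
    ct[flip] ^= 0x01
    back = cfb(key, iv, bytes(ct), decrypt=True)
    return [i for i in range(len(pt)) if back[i] != pt[i]]


# Constructed sample inputs (not taken from the notes).
KEY = b"constructed-demo-key"
IV = bytes(range(8))
PT = b"CFB turns a block cipher into a stream cipher; CTR allows random access."

if __name__ == "__main__":
    assert cfb(KEY, IV, cfb(KEY, IV, PT), decrypt=True) == PT
    print("CFB error positions after flipping byte 5:", cfb_error_positions(KEY, IV, PT, 5))
    print("CTR block 2 decrypted alone:", ctr_block(KEY, 7, 2, ctr(KEY, 7, PT)[16:24]))
```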
DOUBLE DES
The simplest form of multiple encryption has two encryption stages and two keys. Given a
plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K2, E(K1, P))
Drawback
• Meet-in-the-middle attack
Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible
values of K1. Store these results in a table and then sort the table by the values of X (the
intermediate value X = E(K1, P)). Next, decrypt C using all 2^56 possible values of K2. As each
decryption is produced, check the result against the table for a match. If a match occurs, then test
the two resulting keys against a new known plaintext-ciphertext pair. If the two keys produce the
correct ciphertext, accept them as the correct keys.
TRIPLE DES
• To overcome the meet-in-the-middle attack, three stages of encryption with the different
key is used. This is called triple DES.
• Tuchman proposed a triple encryption method that uses only two keys. The function
follows an encrypt-decrypt-encrypt sequence
• C = E(K1, D(K2, E(K1, P)))
• There is no cryptographic significance to the use of decryption for the second stage. Its only
advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES.
• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use
in key management standards.
ADVANCED ENCRYPTION STANDARD (AES)
The Rijndael proposal for AES was submitted by two Belgian cryptographers, Dr. Joan Daemen
and Dr. Vincent Rijmen. The Advanced Encryption Standard (AES) was published by the National
Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is
intended to replace DES as the approved standard for a wide range of applications.
• The final round contains only three transformations, and there is an initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0.
• Each transformation takes one or more 4x4 matrices as input and produces a 4x4 matrix
as output.
• Also, the key expansion function generates N + 1 round keys, each of which is a distinct
4x4 matrix.
• Each round key serves as one of the inputs to the AddRoundKey transformation in each
round.
Detailed Structure
1. AES is not a Feistel structure. AES processes the entire data block as a single matrix during
each round using substitutions and permutation.
2. The key is expanded into an array of forty-four 32-bit words.
3. Four different stages are used,
• Substitute bytes
• ShiftRows
• MixColumns
• AddRoundKey
4. The structure is simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a
tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and
ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible
without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable; it is the alternation of this keyed XOR with the scrambling performed by the other
three stages that makes the scheme both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages,
an inverse function is used in the decryption algorithm.
8. The decryption algorithm uses the expanded key in reverse order.
9. The decryption algorithm does recover the plaintext. At each horizontal point (e.g., the
dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages.
Substitute Bytes Transformation
• The forward substitute byte transformation is called SubBytes.
• It is represented by 16x16 matrix called an S-box.
• For each individual byte of State the value is mapped into a new byte.
• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output
value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which
contains the value {2A}.
ShiftRows Transformation
• The forward shift row transformation is also called ShiftRows.
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2- byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift
for the second row, and so on.
• The following is an example of ShiftRows.
MixColumns Transformation
• The forward mix column transformation, called MixColumns, operates on each column
individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in
that column.
• The transformation can be defined by the following matrix:
AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits (16 bytes) of
State are bitwise XORed with the 128 bits (16 bytes) of the round key.
Key Expansion Algorithm
• The input to this algorithm is 4-word key.
• The output is 44 words.
• The key is copied to the first 4-words of the expanded key.
• The remainder of the expanded key is filled in four words at a time.
• Each added word depends on the immediately preceding word w(i-1) and the word four
positions back, w(i-4).
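As an added example (not code from the original notes), the following Python implements the four AES stages and the 128-bit key expansion described above for a single State, so the claims in the text can be checked: the S-box is generated from the GF(2^8) inverse and affine map rather than typed in (so {95} really maps to {2A}), ShiftRows and InvShiftRows are exact inverses, MixColumns is the fixed matrix multiply, and the key expansion produces 44 words from a 4-word key.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """S-box entry = multiplicative inverse in GF(2^8) followed by the fixed affine
    map b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63; no table is typed in."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)  # 0 maps to 0
        v = t = inv
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF
            v ^= t
        box.append(v ^ 0x63)
    return box


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

# State = 16 bytes in column-major order: byte r + 4c is row r, column c.


def sub_bytes(state: list) -> list:
    return [SBOX[b] for b in state]


def shift_rows(state: list) -> list:
    """Row r is circularly shifted left by r bytes (row 0 is not altered)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def inv_shift_rows(state: list) -> list:
    return [state[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state: list) -> list:
    """Each column is multiplied by the fixed circulant matrix with rows
    (2 3 1 1), (1 2 3 1), (1 1 2 3), (3 1 1 2) over GF(2^8)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def add_round_key(state: list, rk: list) -> list:
    """Bitwise XOR of the 128-bit State with the 128-bit round key."""
    return [s ^ k for s, k in zip(state, rk)]


def key_expansion(key: bytes) -> list:
    """128-bit key -> 44 words w[0..43]. w[i] = w[i-4] XOR w[i-1], except every
    fourth word first passes w[i-1] through RotWord, SubWord and an Rcon XOR."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # key copied to w[0..3]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[b] for b in temp]        # SubWord
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 2)                # 01, 02, 04, ..., 80, 1B, 36
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_key(w: list, rnd: int) -> list:
    """Round key rnd as 16 State bytes: words 4*rnd .. 4*rnd + 3, column-major."""
    return [b for word in w[4 * rnd:4 * rnd + 4] for b in word]
```

The key-expansion check in the test uses the FIPS-197 Appendix A sample key, which is not part of these notes.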
AES Evaluation Criteria
AES can be evaluated in 3 categories, namely,
• Security
• Cost
• Algorithm and implementation characteristics
a) Security
This refers to the effort required to cryptanalyze an algorithm. Because the minimum key size in
AES is 128 bits, brute force is not a practical concern, so the emphasis in the evaluation was on
the practicality of cryptanalytic attacks: this criterion focused on resistance to cryptanalytic
attacks rather than brute-force attacks.
b) Cost
It covers the computational efficiency and storage requirements of different
implementations such as hardware, software or smart cards.
c) Algorithm and implementation characteristics
• Flexibility
• Suitability for a variety of hardware and software implementations
• Simplicity, which will make an analysis of security more straightforward
• C and Java implementations
PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS
Terminologies:
• Asymmetric Keys: Two related keys, a public key and a private key, that are used to
perform complementary operations, such as encryption and decryption or signature
generation and verification.
• Public Key Certificate: A digital document issued and digitally signed by the private
key of a Certificate Authority (CA) that binds the name of a subscriber to a public key.
The certificate indicates that the subscriber identified in the certificate has sole control
and access to the corresponding private key.
• Public Key/Asymmetric Cryptographic Algorithm: A cryptographic algorithm that
uses two related keys, a public key and a private key. The two keys have the property
that deriving the private key from the public key is computationally infeasible.
• Public Key Infrastructure (PKI): A set of policies, processes, server platforms,
software and workstations used for the purpose of administering certificates and public-
private key pairs including the ability to issue, maintain, and revoke public key
certificates.
produces the plaintext.
(5) & (6) Public and private keys: this is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption. The exact transformations performed
by the algorithm depend on the public or private key that is provided as input.
Public-Key Cryptosystem: Secrecy
A source A produces a message in plaintext, X = [X1, X2, ..., XM], intended for destination B.
B generates a related pair of keys: a public key, PUb, and a private key, PRb.
PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
Encryption: Y = E(PUb, X)
Decryption: X = D(PRb, Y)
The above scheme provides confidentiality.
Public-Key Cryptosystem: Authentication and Secrecy
It is possible to provide both the authentication function and confidentiality by a double use of
the public-key scheme.
Encryption: Y = E(PUb, E(PRa, X))
Decryption: X = D(PUa, D(PRb, Y))
First, encrypt a message, using the sender's private key (PRa). This provides the digital
signature. Next, encrypt again, using the receiver's public key (PUb). The final ciphertext can
be decrypted only by the intended receiver, who alone has the matching private key. Thus,
confidentiality is provided. The disadvantage of this approach is its complexity.
Applications for public-key cryptosystems
(1) Encryption/Decryption: the sender encrypts a message with the recipient’s public
key.
(2) Digital signature: the sender ‘signs’ a message with its private key. Signing is
achieved by a cryptographic algorithm applied to the message or to a small block of
data that is a function of the message.
(3) Key exchange: Two sides cooperate to exchange a session key.
• RSA is the best known and most widely used public-key scheme. It was developed by Ron Rivest,
Adi Shamir and Len Adleman of MIT in 1977 and published in 1978.
• The RSA scheme is a cipher in which the plaintext and ciphertext are integers between
0 and n - 1 for some n.
• A typical size for n is 1024 bits or 309 decimal digits.
• Both the sender and receiver must know n.
• The sender knows e and the receiver knows d.
• Encryption: C = M^e mod n
• Decryption: M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• The requirements to be satisfied by the algorithm are
(i) It is possible to find values of e, d and n such that M^(ed) mod n = M, for all M < n.
(ii) It is easy to calculate M^e and C^d for all values of M < n.
(iii) It is infeasible to determine d given e and n.
• M^(ed) mod n = M holds only if e and d are multiplicative inverses modulo ø(n), where ø(n)
is Euler's totient function.
• The relationship between e and d can be expressed as ed mod ø(n) = 1
That is, ed ≡ 1 mod ø(n)
d ≡ e^-1 mod ø(n)
Key Generation
(1) Select two large prime numbers p and q, where p ≠ q (Remark: p, q ≥ 2^512, i.e. 512 bits
each. Therefore n ≥ 2^1024, i.e. 1024 bits)
(2) Calculate n = p*q
(3) Calculate ø(n) = (p – 1)(q – 1)
(4) Select e such that e is relatively prime to ø(n) and less than ø(n).
(5) Calculate d such that de ≡ 1 mod ø(n) and d < ø(n). d is calculated using the extended
Euclidean algorithm.
Example:
Key Generation
(1) Choose p = 3 and q = 11
(2) Compute n = p * q = 3 * 11 = 33
(3) Compute ø(n) = (p - 1) * (q - 1) = 2 * 10 = 20
(4) Choose e such that 1 < e < ø(n) and e and ø(n) are coprime, i.e. gcd(e, ø(n)) = 1.
Let e = 7.
(5) Compute a value for d such that de mod ø(n) = 1, i.e. d ≡ e^-1 mod ø(n)
d ≡ 7^-1 mod 20
(Applying the extended Euclidean algorithm)
gcd(7, 20): a = qn + r
20 = 2 . 7 + 6
7 = 1 . 6 + 1
Back substituting, 1 = 7 – 6
1 = 7 – (20 – 2 . 7)
1 = 7 – 20 + 2 . 7
1 = 3 . 7 + (-1) . 20
Therefore, 7^-1 mod 20 = 3 (because when 1 = x . a + y . b, y is the inverse of b mod a, i.e.
y = b^-1 mod a. Here a = 20, b = 7 and y = 3.)
One solution is d = 3 [Simpler explanation (by trial and error): (3 . 7) mod 20 = 1]
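As an added example (not code from the original notes), the following Python carries the key generation steps (1) to (5) and the encryption and decryption formulas above through in code: the extended Euclidean algorithm returns the same coefficients as the back substitution for gcd(20, 7), square-and-multiply shows why M^e and C^d are easy to compute, and a check confirms requirement (i), M^(ed) mod n = M for every M < n, for the toy key p = 3, q = 11, e = 7. The larger key p = 61, q = 53, e = 17 used in the test is a constructed extra, not from the notes.

```python
def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    Run with a = ø(n) and b = e, the coefficient y is e^-1 mod ø(n), which is
    exactly the back substitution 1 = 3 . 7 + (-1) . 20 carried out above."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(b: int, a: int) -> int:
    """b^-1 mod a; raises ValueError when gcd(a, b) != 1, i.e. no inverse exists."""
    g, _, y = egcd(a, b)
    if g != 1:
        raise ValueError(f"{b} has no inverse mod {a}")
    return y % a


def modexp(base: int, exp: int, n: int) -> int:
    """Square-and-multiply: base^exp mod n in O(log exp) multiplications, which
    is why requirement (ii), 'easy to calculate M^e and C^d', holds."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Steps (1)-(5) above; returns the public key (e, n) and private key (d, n).
    Primality of p and q is assumed (a real implementation must test it)."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or egcd(e, phi)[0] != 1:
        raise ValueError("e must lie in (1, ø(n)) and be coprime to ø(n)")
    d = modinv(e, phi)          # d*e ≡ 1 mod ø(n), and d < ø(n)
    return (e, n), (d, n)


def encrypt(pub: tuple, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n-1]")
    return modexp(m, e, n)      # C = M^e mod n


def decrypt(priv: tuple, c: int) -> int:
    d, n = priv
    return modexp(c, d, n)      # M = C^d mod n


def roundtrips_for_all(pub: tuple, priv: tuple) -> bool:
    """Requirement (i): M^(ed) mod n = M must hold for every M < n."""
    n = pub[1]
    return all(decrypt(priv, encrypt(pub, m)) == m for m in range(n))
```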
RSA Security
Five possible approaches to attacking RSA algorithm are:
• Brute force: this involves trying all possible private keys.
• Mathematical attacks: there are several approaches, all equivalent in effort to
factoring the product of two primes.
• Timing attacks: these depend on the running time of the decryption algorithm.
• Hardware fault-based attack: this involves including hardware faults in the processor
that is generating digital signatures.
• Chosen Ciphertext Attacks (CCA): this type of attack exploits properties of RSA
algorithm.
Primitive Roots
If p is a prime number, then a is a primitive root of p if, as n goes from 1 to p-1, a^n mod p
goes through all the numbers 1, 2, …, p-1 in some order.
Example: 3 is a primitive root of 5
Proof: p = 5, a = 3, therefore n = 1, 2, 3, 4
n    a^n          a^n mod p
1    3^1 = 3      3 mod 5 = 3
2    3^2 = 9      9 mod 5 = 4
3    3^3 = 27     27 mod 5 = 2
4    3^4 = 81     81 mod 5 = 1
Example: 4 is not a primitive root of 5
Proof: p = 5, a = 4, therefore n = 1, 2, 3, 4
n    a^n          a^n mod p
1    4^1 = 4      4 mod 5 = 4
2    4^2 = 16     16 mod 5 = 1
3    4^3 = 64     64 mod 5 = 4
4    4^4 = 256    256 mod 5 = 1
The purpose of the algorithm is to enable two users to securely exchange a key that can then
be used for subsequent symmetric encryption of messages. The algorithm itself is limited to
the exchange of secret values. Diffie-Hellman algorithm depends for its effectiveness on the
difficulty of computing discrete logarithms.
Alice and Bob share a prime number p and an integer α, such that α < p and α is a primitive root of p.
• In this algorithm, there are two publicly known numbers: a prime number p and an
integer α that is a primitive root of p.
• Suppose the users Alice and Bob wish to exchange a key. Alice selects a random integer
a < p and computes PUA = A ≡ α^a mod p.
• Similarly, Bob independently selects a random integer b < p and computes PUB = B ≡
α^b mod p. Each side keeps the a and b values private and makes the A and B
values available publicly to the other side.
• Alice computes the key as KAB ≡ B^a mod p
• Bob computes the key as KAB ≡ A^b mod p.
• These two calculations produce identical results
Alice computes B^a mod p:
B = α^b mod p, therefore B^a mod p = (α^b)^a mod p = α^(ab) mod p = KAB
Bob computes A^b mod p:
A = α^a mod p, therefore A^b mod p = (α^a)^b mod p = α^(ab) mod p = KAB
• The result is that the two sides have exchanged a secret value. This secret value (KAB)
is used as shared symmetric secret key.
• Consider an adversary who observes the key exchange and wishes to determine the
secret key KAB. Because a and b are private, the adversary only has α, p, A and B.
• Thus, the adversary is forced to take a discrete logarithm (dlog) to determine the key.
• To determine the private key b of Bob, the adversary must compute b = dlog_α,p(B)
• The adversary can then calculate the shared key KAB in the same manner Bob calculates
it, i.e. KAB = A^b mod p
• An attacker can determine KAB by discovering a solution to the equation 3^a mod 353
= 40 or the equation 3^b mod 353 = 248.
• The brute-force approach calculates powers of 3 mod 353 until the result equals 40 or
248.
• With larger numbers, the problem becomes impractical.
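As an added example (not code from the original notes), the following Python implements the primitive-root test from the tables above and both sides of the Diffie-Hellman exchange, and includes the brute-force power search the notes describe so that the p = 353 example can be reproduced. The private values a = 97 and b = 233 are an assumption chosen here (the notes give only A = 40 and B = 248); the search function exists to show why a toy prime offers no security, which is the point the notes make about larger numbers.

```python
def power_table(a: int, p: int) -> list:
    """Rows (n, a^n mod p) for n = 1 .. p-1, the tables worked above by hand."""
    return [(n, pow(a, n, p)) for n in range(1, p)]


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of the prime p iff a^n mod p, n = 1 .. p-1,
    runs through every value 1 .. p-1 in some order."""
    return sorted(v for _, v in power_table(a, p)) == list(range(1, p))


def dh_public(p: int, alpha: int, priv: int) -> int:
    """A = alpha^a mod p on Alice's side, B = alpha^b mod p on Bob's."""
    return pow(alpha, priv, p)


def dh_shared(p: int, peer_pub: int, priv: int) -> int:
    """K_AB = B^a mod p for Alice, A^b mod p for Bob; both equal alpha^(ab) mod p."""
    return pow(peer_pub, priv, p)


def dh_exchange(p: int, alpha: int, a: int, b: int) -> tuple:
    """Both sides of the exchange. Returns (A, B, K computed by Alice, K computed by Bob)."""
    if not is_primitive_root(alpha, p):
        raise ValueError("alpha must be a primitive root of p")
    if not (1 <= a < p and 1 <= b < p):
        raise ValueError("private values must satisfy 1 <= a, b < p")
    A, B = dh_public(p, alpha, a), dh_public(p, alpha, b)
    return A, B, dh_shared(p, B, a), dh_shared(p, A, b)


def dlog_by_search(p: int, alpha: int, target: int) -> int:
    """The brute-force discrete logarithm from the notes: compute successive
    powers of alpha mod p until one equals target. Feasible for p = 353, which
    is why a toy prime gives no security; a 2048-bit p makes the search hopeless."""
    value = 1
    for x in range(1, p):
        value = (value * alpha) % p
        if value == target:
            return x
    raise ValueError("target is not a power of alpha mod p")


# Parameters from the notes: p = 353, alpha = 3, public values A = 40 and B = 248.
# The private values a = 97 and b = 233 are an assumption (not given in the notes),
# chosen so that 3^a mod 353 = 40 and 3^b mod 353 = 248.
P, ALPHA = 353, 3
A_PRIV, B_PRIV = 97, 233
```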
Man-in-the-Middle Attack
The protocol is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to
exchange keys, and Darth is the adversary. The attack proceeds as follows:
1. Darth prepares for the attack by generating two random private keys d1 and d2 and then
computing the corresponding public keys D1 and D2.
2. Alice transmits her public key A to Bob.
3. Darth intercepts A and transmits D1 to Bob. Darth also calculates K2 = A^d2 mod p.
4. Bob receives D1 and calculates K1 = (D1)^b mod p.
5. Bob transmits his public key B to Alice.
6. Darth intercepts B and transmits D2 to Alice. Darth calculates K1 = B^d1 mod p.
7. Alice receives D2 and calculates K2 = (D2)^a mod p.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2.
All future communication between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message.
In the first case, Darth simply wants to eavesdrop on the communication without altering it.
In the second case, Darth wants to modify the message going to Bob.
This vulnerability can be overcome with the use of digital signatures and public-key
Certificates.
Elliptic Curves
• An elliptic curve is a plane algebraic curve defined by an equation given by Weierstrass,
called the Weierstrass equation: y^2 + axy + by = x^3 + cx^2 + dx + e, where a, b, c, d and
e are real numbers. The Weierstrass equation is limited to the form y^2 = x^3 + ax + b.
• Elliptic curves are not ellipses. Each curve is symmetric about y = 0.
• Examples of elliptic curves:
Types of Elliptic curves used in cryptography
a) Prime curves over Zp (best used for software applications)
b) Binary curves over GF(2m) (best used for hardware applications)
(13,-21) = (13, -21 mod 23) = (13, 2)
3. P + Q = R (Point Addition)
4. Multiplication is defined by repeated addition: P + P = 2P (Point Doubling)
Doubling: P + P = 2P (i.e. P = Q)
Slope λ = (3x_P^2 + a) / (2y_P) mod p
x_S = (λ^2 – 2x_P) mod p
Problems using point addition and doubling (refer class notes for solutions)
1. Let P = (3,10) and Q = (9,7) over the elliptic curve E23(1,1). Calculate the slope and
coordinates of point R on the curve.
Solution: λ = 11, R = (17,20)
2. Find 2P for P = (3,10) over the elliptic curve E23(1,1).
Solution: λ = 6, 2P = (7,12)
3. Find 2P over the elliptic curve y2 = x3 + 2x + 2 mod 17 where P = (5,1)
Solution: λ = 13, 2P = (6,3)
Computing kP in real time by repeated addition is hard. The solution to simplify the problem is to
use the double-and-add algorithm.
Double-and-add Algorithm
Example: 26P = ?
The naïve way of finding 26P is to add P 26 times, i.e. do 25 operations (1 doubling and 24
additions).
By using the double-and-add algorithm, the number of operations is reduced to 6 (4 doublings and
2 additions).
26P = (11010)_2 . P
Double: P + P = 2P = (10)_2 . P
Add: 2P + P = 3P = (11)_2 . P
Double: 3P + 3P = 6P = (110)_2 . P
Double: 6P + 6P = 12P = (1100)_2 . P
Add: 12P + P = 13P = (1101)_2 . P
Double: 13P + 13P = 26P = (11010)_2 . P
Example :
Over the elliptic curve E211(0,-4) and the base point G = (2,2) with user A’s private key as 121
and user B’s private key as 203, calculate the public keys of user A and B and also find the
secret key shared between them.
Solution:
Given: nA = 121, nB = 203, G = (2,2)
Public key calculation: PA = nA . G = 121 . (2,2) = (115,48)
PB = nB . G = 203 . (2,2) = (130,203)
Shared secret key calculation: K = nA . PB = nB . PA = 121 . (130,203) = 203 . (115,48) = (161,69)
**The above computations are not practical by hand, since even with the double-and-add algorithm
the scalar multiplications take many steps. Recovering the private scalar from the public point
(e.g. nA from PA = nA . G) is the discrete logarithm problem (DLP) that ensures the security of ECC.
Encryption: User A chooses a random positive integer k from {1, 2, …, p-1} and
produces the ciphertext Cm = {kG, Pm + kPB}
Decryption by user B:
Take the first point from Cm, i.e. kG
Multiply kG by the private key of B: product = nB . kG
Take the second point from Cm and subtract the product from it: Pm + kPB – nB . kG
Substitute PB = nB . G
Then Pm + k . nB . G – nB . k . G = Pm
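As an added example (not code from the original notes), the following Python implements the point addition, doubling and double-and-add scalar multiplication formulas above, and builds the key exchange and the encryption/decryption procedure on top of them; it reproduces the three worked problems, the 26P operation count, and the E211(0,-4) key-exchange numbers. The message point Pm = 5G and the random k = 77 used in the test are constructed values, not from the notes; the point at infinity is represented by None.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


class Curve:
    """y^2 = x^3 + a*x + b over Z_p, written E_p(a, b) as in the notes."""

    def __init__(self, a: int, b: int, p: int):
        self.a, self.b, self.p = a, b, p

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - x ** 3 - self.a * x - self.b) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-P = (x, -y mod p), e.g. (13,-21) = (13, 2) over Z_23."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def slope(self, P: Tuple[int, int], Q: Tuple[int, int]) -> int:
        """λ for addition (P != Q) or doubling (P == Q), as in the formulas above."""
        p = self.p
        if P == Q:
            return (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p) % p
        return (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % self.p == 0:
            return None                    # P + (-P) = O; also 2P when y_P = 0
        lam = self.slope(P, Q)
        x = (lam * lam - P[0] - Q[0]) % self.p   # for doubling this is λ^2 - 2x_P
        y = (lam * (P[0] - x) - P[1]) % self.p
        return (x, y)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add, scanning k's bits from the most significant one:
        26P = (11010)_2 . P costs 4 doublings and 2 additions, not 25 additions."""
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)             # double
            if bit == "1":
                R = self.add(R, P)         # add
        return R


def double_and_add_cost(k: int) -> Tuple[int, int]:
    """(doublings, additions) performed by Curve.mul for the scalar k."""
    bits = bin(k)[2:]
    return len(bits) - 1, bits.count("1") - 1


def ecdh(curve: Curve, G: Point, n_a: int, n_b: int) -> tuple:
    """Public keys P_A = n_A . G, P_B = n_B . G and the shared key n_A . P_B = n_B . P_A."""
    P_A, P_B = curve.mul(n_a, G), curve.mul(n_b, G)
    return P_A, P_B, curve.mul(n_a, P_B), curve.mul(n_b, P_A)


def ec_encrypt(curve: Curve, G: Point, P_B: Point, P_m: Point, k: int) -> tuple:
    """C_m = {kG, P_m + k . P_B}."""
    return curve.mul(k, G), curve.add(P_m, curve.mul(k, P_B))


def ec_decrypt(curve: Curve, n_b: int, C_m: tuple) -> Point:
    """P_m = (P_m + k . P_B) - n_B . (kG), since P_B = n_B . G."""
    kG, masked = C_m
    return curve.add(masked, curve.neg(curve.mul(n_b, kG)))
```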
Security of ECC
The fastest known technique for solving the elliptic curve logarithm problem is the Pollard
rho method. There is a computational advantage to using ECC, since it needs a considerably shorter
key length than RSA for comparable security.
Applications of ECC
ECC is particularly beneficial for applications where:
• computational power is limited (wireless devices, PC cards)
• integrated circuit space is limited (wireless devices, PC cards)
• high speed is required.
• intensive use of signing, verifying or authenticating is required.
• signed messages are required to be stored or transmitted (especially for short messages).
• bandwidth is limited (wireless communications and some computer networks).
KEY MANAGEMENT
There are two distinct aspects to the use of public-key cryptography:
I) The distribution of public keys
II) The use of public-key encryption to distribute secret keys
Limitation
Anyone can forge such a public announcement. That is, some user could pretend to be user A
and send a public key to another participant or broadcast such a public key. Authentication is
needed to avoid this problem.
Limitation
Problem arises if the opponent captures the private key of the directory authority.
This message consists of:
• A's identity (IDA)
• A nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's public
key.
5. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new
nonce generated by B (N2)
6. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Advantage
More secure and attractive than the previous two schemes.
Limitations
• Each and every time the user must appeal to the authority for a public key for every other
user that it wishes to contact.
• The directory of names and public keys maintained by the authority is vulnerable to
tampering.
Each certificate contains a public key and other information and is created by a certificate
authority. Each participant conveys its key information to its correspondent by transmitting its
certificate. The other participant can verify that the certificate was created by the authority.
The requirements of the scheme are
1. Any participant can read a certificate to determine name and public key of the certificate
owner.
2. Any participant can verify that the certificate originated from certificate authority.
3. Only the certificate authority can create and update the certificates.
4. Any participant can verify the currency of the certificate.
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a
nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new
nonce generated by B (N2).
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message
with B's public key ensures that only B can read it; encryption with A's private key ensures that
only A could have sent it.
5. B then computes D(PUa, D(PRb, M)) to recover the secret key.