UNIT 3 PUBLIC KEY ENCRYPTION AND KEY MANAGEMENT

Introduction to number theory – Public key cryptography and RSA – Key

Management Diffie-hellman Key exchange
1. Introduction

Number Theory
Sending messages in secret has been necessary for thousands of years. If two
parties want to communicate without a third party knowing what they are saying,
they must correspond in a fashion that the third party couldn’t understand even
if they saw the message. For example, if ally military leaders want to discuss
key battle tactics, they cannot risk their foes intercepting and understanding their
messages. This overall idea gave rise to the concept of cryptography. Individuals
were enlisted to create ciphers in order to encrypt messages. One famous historical
technique is the Caesar Cipher, a primitive method of encryption named after
Julius Caesar. This is an example of a shift cipher, as its idea is to replace each
letter with a different letter by shifting the alphabet a specific number of places
(e.g. “at” becomes “buy” if the alphabet is shifted by 1). If this was used for the English
alphabet, obviously any number but a multiple of 26 would work (as this would
shift a letter back to itself). However, since there are only 25 possible ways to shift
the alphabet, this was easily broken by codebreakers. Even though more complex
ciphers of the same sort are possible, they are often easily broken by frequency
analysis, a technique that uses the frequency of letters in words and attempts to
match the most common symbols of the encrypted text to the most common letters
in the alphabet (e.g. a circle is the most common symbol in the intercepted message
and e is the most common letter in the English alphabet, therefore there is a solid
chance that the circle represents e).
Following this process, there has been a race between code makers and code breakers
for many years. One wants to construct an indecipherable code, and the other will
keep attempting to crack the cipher. As math advances, so do the different
techniques used to construct ciphers? Overall, this paper will demonstrate that
number theory is a crucial component of cryptography by allowing a coherent way
of encrypting a message that is also challenging to decrypt. The discussion in this
paper follows the set of notes by Evan Dummit.

2.1. Basic Principles. We must begin by explaining the math that is useful in
cryptography to allow for easier comprehension of specific cryptosystems.

2.1.1. Divisibility and Prime Numbers. Prime numbers are an elementary

part of number theory that all readers must understand. First, consider all positive
integers besides 1, e.g. 2, 3, 4, etc. We can divide these numbers into two types:
prime numbers and composite numbers. However, prior to going into the
definition, we first need to explain the statement “a divides b.”
Definition 2.1. For any two integers, we say that “a divides b” or “a b”| if b is divisible
by a. In other words, a divides b if b = ac for some integer c.
Example 2.2. 4 | 12, since 12 = 4(3).
Example 2.3. 8 | 56, since 56 = 8(7).
Now, we can explore the idea of prime numbers and composite numbers.

≥
Definition 2.4. An integer n 2 is prime if the only positive integers that divide
n are 1 and n.
Definition 2.5. An integer n is composite if more than two positive integers divide
n.
To clarify, every positive integer besides 1 is either prime or composite, as it will
always be divisible by at least 1 and itself.

2.1.2. Modular Arithmetic. We will next discuss a part of number theory

that has played a role in a vast array of ciphers: modular arithmetic. To understand
modular arithmetic, picture a clock. The maximum number is 12, and no number
is larger than that. If one were to reference 5 hours after 12, they would not be
referencing 17, as there is no 17 on the clock. They would be talking about 5. This
is the idea of modular arithmetic, and this is what we will call “modulo 12.”
We define modular arithmetic formally as follows:
Definition 2.6. We say that a ≡ b (mod m) if m divides a − b.
In arithmetic modulo (or “mod”) 12, all numbers are equivalent to some number in
the ranges 0-11 or 1-12. If we were speak about 20 hours after 6, we would not be
referring to 26, but instead be talking about 2. To reduce a large number to a
smaller number modulo 12, we repeatedly subtract 12 from that number until we
arrive at a number between 0 and 11. [1]
Additionally, the following are some (but not all) arithmetic rules which still
apply:
If a c (mod ≡ n) and b ≡ n), then a + b = c + d (mod n) and ab = cd
d (mod
(Mod n).
Example 2.7. (1) 10 is congruent to 2 modulo 4, because 10 −
2 = 8, which is a
multiple of 4.

(2) 127 ≡ 13 (mod 19), because 127 − 13 = 114 = 6 · 19.

The Caesar Cipher from the introduction can be described more succinctly using
arithmetic modulo 26. If one wants to shift all letters by 3, then the easy way to
accomplish this is the following:
(1) Convert all letters into numbers, with a being 0, b being 1, etc.,
with z eventually representing 25.
(2) Add 3 to each number, ensuring that one uses modular arithmetic
here. For instance, to encrypt c, one uses (2+3) mod 26 = 5 mod 26 = 5.
(3) Convert each number back into a letter. Now, c is represented by
f, y is represented by b, etc., and z is represented by c. We have our new alphabet.

2.2. Definitions and Theorems to Know.

2.2.1. Definitions and Theorems. We should also express the following

definitions and theorems before we begin to discuss cryptography.
 Definition 2.8. Two positive integers a and b are relatively prime if there does not
exist a positive integer c greater than 1 such that c|a and c|b.

Theorem 2.9. Chinese Remainder Theorem: Let m1, m2... mk be relatively prime
positive integers such that the greatest common divisor of mi and mj is 1 when i = j.
Also let a1, a2... /ak be arbitrary integers. Then there exists an integer a such that the
set of values x satisfying the equations
x = a1 (mod m1) x = a2 (mod m
. 2)
x = ak (mod mk)
Consists of those integers x congruent to a modulo m1m2...mk. essentially, this
system of equations has a unique solution modulo m1m2...mk.
Definition 2.10. We define ϕ (n) as the number of integers between 1 and n,
inclusive, that are relatively prime to n. This function is known as Euler’s totient
function.
Example 2.11. ϕ (7) = 6.
The numbers between 1 and 7, inclusive that are relatively prime to 7 are 1, 2, 3,
4, 5, and 6. It is important to note here that 7 is prime and ϕ (7) = 6, which is
7 −
1. More generally, ϕ(p) = p - 1 for every prime number p, as every
number less than p shares no factors with p besides 1 and is thus relatively prime
to p.
Lemma 2.12. If N = PQ where p and p are prime numbers, then ϕ (N) = ϕ (p) ·ϕ (q).
Proof. By the definition, we know that ϕ (N) will tell us the number of integers
between 1 and N (inclusive) that are relatively prime to N.We also know that two
integers are relatively prime if no positive integers greater than 1 divide both of
them. We can picture N as the prime number p which is then multiplied by the other
prime q. As a result, N only has one more positive divisor than p (which is q), as
q is only divided by 1 and itself. Therefore, only 4 numbers divide N: 1, p, q, and
N.
We can conceptually think about ϕ (N) as follows: ϕ (N) will not include p, q, and
all the multiples of p and q up to and including N, as those will share a common factor
with N (either p or q). There are precisely q multiples of p up to N, and there are
precisely p multiples of q up to N. Since we only multiplied p and q together once,
there is no overlap except for N, which we double counted. Thus, ϕ (N) = N − p − q
+ 1 = PQ − p − q + 1 = (p − 1) (q − 1) = ϕ (p) · ϕ (q). □
Definition 2.13. The inverse of x modulo m is some number y that satisfies xy
= 1 (mod m). If x has an inverse modulo m, we say that x is a unit modulo m.
Example 2.14. Suppose x = 5 and m = 19. Take y = 4. Then, xy = (5) (4) = 20
≡ 1 (mod 19). Therefore, 5 is a unit modulo 19.
Note that an inverse does not always exist. In fact, the inverse of a modulo m
Only exists if a is relatively prime to m.
Definition 2.15. Suppose b is a unit modulo m. The order of b is the smallest integer
e > 0 such that be ≡ 1 (mod m).
Example 2.16. Consider b = 2 and m = 7. 21 = 2, which is congruent to 2 mod 7.
22 = 4, which is congruent to 4 mod 7.
23 = 8, which is congruent to 1 mod 7. Thus, the order of 2 is 3.
Definition 2.17. We say that a is a primitive root modulo m if a is a unit modulo
M and the order of a is ϕ (m).
Example 2.18. Since 5 is prime, we know that ϕ (5) = 5 −
1 = 4. Additionally, 3
Is a unit modulo 5 since 7 satisfies 3(7) = 21≡ 1 (mod
5). The order of 3 mod 5
Is 4, since 31 = 3 ≡
3 (mod 5), 32 = ≡9 ≡
4 mod 5, 33 = 27≡2 (mod
4
5), 3 = 81
1 (mod 5). Thus, since 3 is a unit modulo 5 and the order of 3 is 4, which is ϕ
(5), 3 is a primitive root modulo 5.
Theorem 2.19. Fermat’s Little Theorem: Suppose a is an integer. If p is prime, then
ap−1 ≡ 1 (mod p) if p is prime.

2. Public Key Cryptography

The development of public-key cryptography is the greatest and perhaps the only true
revolution in the entire history of cryptography. It is asymmetric, involving the use of two
separate keys, in contrast to symmetric encryption, which uses only one key. Public key
schemes are neither more nor less secure than private key (security depends on the key size
for both). Public-key cryptography complements rather than replaces symmetric
cryptography. Both also have issues with key distribution, requiring the use of some suitable
protocol. The concept of public-key cryptography evolved from an attempt to attack two of
the most difficult problems associated with symmetric encryption:
1.) Key distribution – how to have secure communications in general without having to trust
a KDC with your key
2.) Digital signatures – how to verify a message comes intact from the claimed sender
Public-key/two-key/asymmetric cryptography involves the use of two keys:
1. a public-key, which may be known by anybody, and can be used to encrypt messages,
and verify signatures
2. a private-key, known only to the recipient, used to decrypt messages, and sign(create)
signatures is asymmetric because those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key algorithms rely on one key for encryption and different but related key for
decryption. These algorithms have the following important characteristics:
1. it is computationally infeasible to find decryption key knowing only algorithm &
encryption key
2. it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key
is known either of the two related keys can be used for encryption, with the other
used for decryption (for some algorithms like RSA)
The following figure illustrates public-key encryption process and shows that a public-key
encryption scheme has six ingredients: plaintext, encryption algorithm, public & private keys,
cipher text & decryption algorithm.
 The essential steps involved in a public-key encryption scheme are given below: 1.) each
user generates a pair of keys to be used for encryption and decryption.
2.) Each user places one of the two keys in a public register and the other key is kept private.

3.) If B wants to send a confidential message to A, B encrypts the message using A’s public
key.
4.) When A receives the message, she decrypts it using her private key. Nobody else can
decrypt the message because that can only be done using A’s private key (Deducing a private
key should be infeasible).
5.) If a user wishes to change his keys –generate another pair of keys and publish the public
one: no interaction with other users is needed. Notations used in Public-key cryptography:
The public key of user A will be denoted KUA.
The private key of user A will be denoted KRA.
Encryption method will be a function E.
Decryption method will be a function D.
If B wishes to send a plain message X to A, then he sends the crypto text Y=E (KUA, X)
The intended receiver A will decrypt the message: D (KRA, Y) =X

The first attack on Public-key Cryptography is the attack on Authenticity. An attacker may
impersonate user B: he sends a message E (KUA, X) and claims in the message to be B –A
has no guarantee this is so. To overcome this, B will encrypt the message using his private
key: Y=E (KRB, X). Receiver decrypts using B’s public key KRB. This shows the
authenticity of the sender because (supposedly) he is the only one who knows the private key.
The entire encrypted message serves as a digital signature. This scheme is depicted in the
following figure:
 But, a drawback still exists. Anybody can decrypt the message using B’s public key. So,
secrecy or confidentiality is being compromised. One can provide both authentication and
confidentiality using the public-key scheme twice:

B encrypts X with his private key: Y=E (KRB, X) B encrypts Y with A’s public key: Z=E
(KUA, Y)
A will decrypt Z (and she is the only one capable of doing it): Y=D (KRA, Z)

A can now get the plaintext and ensure that it comes from B (he is the only one who knows
his private key): decrypt Y using B’s public key: X=E (KUB, Y).
Applications for Public-Key Cryptosystems:
1.) Encryption/decryption: sender encrypts the message with the receiver’s public key.

2.) Digital signature: sender “signs” the message (or a representative part of the message)
using his private key
3.) Key exchange: two sides cooperate to exchange a secret key for later use in a secret-key
cryptosystem.

The main requirements of Public-key cryptography are:

1.Computationally easy for a party B to generate a pair (public key Kobe, private key KRb).
2.Easy for sender A to generate cipher text:
3.Easy for the receiver B to decrypt cipher text using private key:
4.Computationally infeasible to determine private key (KRb) knowing public key (KUb)
5.Computationally infeasible to recover message M, knowing KUb and cipher text C
6.either of the two keys can be used for encryption, with the other used for decryption:
M= DKRb [EKUb (M)] =DKUb [EKRb (M)]
Easy is defined to mean a problem that can be solving polynomial time as a function of input
length. A problem is infeasible if the effort to solve it grows faster than polynomial time as a
function of input size. Public-key cryptosystems usually rely on difficult math functions rather
than -P networks as classical cryptosystems. One-way function is one, easy to calculate in
one direction, infeasible to calculate in the other direction (i.e., the inverse is infeasible to
compute). Trap-door function is a difficult function that becomes easy if some extra
information is known. Our aim to find a trap-door one-way function, which is easy to
calculate in one direction and infeasible to calculate in the other direction unless certain
additional information is known.
Security of Public-key schemes:
1. Like private key schemes brute force exhaustive search attack is always theoretically
possible. But keys used are too large (>512bits).
2. Security relies on a large enough difference in difficulty between easy (en/decrypt)
and hard (cryptanalysis) problems. More generally the hard problem is known, it’s
just made too hard to do in practice.
3. Requires the use of very large numbers, hence is slow compared to private key
schemes.
3. RSA Algorithm
RSA is the best known, and by far the most widely used general public key encryption
algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78].
Since that time RSA has reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption. The RSA scheme is a block cipher in
which the plaintext and the ciphertext are integers between 0 and n-1 for some fixed n and
typical size for n is 1024 bits (or 309 decimal digits). It is based on exponentiation in a finite
(Galois) field over integers modulo a prime, using large integers (Eg. 1024 bits). Its security
is due to the cost of factoring large numbers. RSA involves a public-key and a private-key
where the public key is known to ll and is used to encrypt data or message. The data or
message which has been encrypted using a public key can only be decrypted by using its
corresponding private-k y. Each user generates a key pair i.e. public and private key using the
following steps:
➢ each user selects two large primes at random - p, q
➢ compute their system modulus n=p.q
➢ calculate ø(n), where ø(n)=(p-1)(q- 1)
➢ selecting at random the encryption key e, where 1<e<ø(n),and gcd(e,ø(n))=1
➢ solve following equation to find decryption key d: e.d=1 mod ø(n) and 0≤d≤n
➢ publish their public encrption key: KU={e,n}
➢ keep secret private decryption key: KR={d,n}

Both the sender and receiver must know the values of n and e, and only the receiver knows
the value of d. Encryption and Decryption are done using the following equations. To encrypt
a message M the sender:

• obtains public key of recipient KU={e,n}

• computes: C=Me mod n, where 0≤M<n To decrypt the ciphertext C the owner:
• uses their private key KR={d,n}
• computes: M=Cd mod n = (Me) d mod n = Med mod n
For this algorithm to be satisfactory, the following requirements are to be met.
a) It’s possible to find values of e, d, n such that Med = M mod n for all M<n
b) It is relatively easy to calculate Me and C for all values of M < n.
c) It is impossible to determine d given e and n

The way RSA works is based on Number theory: Fermat’s little theorem: if p is prime and
a is positive integer not divisible by p, then ap-1 ≡ 1 mod p. Corollary: For any positive
integer a and prime p, ap ≡ a mod p.
Fermat’s theorem, as useful as will turn out to be does not provide us with integers d,e we are
looking for –Euler’s theorem (a refinement of Fermat’s) does. Euler’s function associates to
any positive integer n, a number φ(n): the number of positive integers smaller than n and
relatively prime to n. For example, φ(37) = 36 i.e. φ(p) = p-1 for any prime p. For any two
primes p,q, φ(pq)=(p-1)(q-1). Euler’s theorem: for any relatively prime integers a,n we have
aφ(n)≡1 mod n. Corollary: For ny integers a,n we have aφ(n)+1≡a mod n Corollary: Let
p,q be two odd primes and n=pq. Then: φ(n)=(p-1)(q-
1) For any integer m with 0<m<n, m(p-1)(q-1)+1 ≡ m mod n For any integers k,m with
0<m<n, mk(p-1)(q-1)+1 ≡ m mod n Euler’s theorem provides us the numbers d, e such that
Med=M mod n. We have to choose d,e such that ed=kφ(n)+1, or equivalently, d≡e-1mod φ(n)
An example of RSA can be given as, Select primes: p=17 & q=11 Compute n = pq
=17×11=187
Compute ø (n) = (p–1) (q-1) =16×10=160 Select e: gcd (e, 160) =1; choose e=7
Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23×7=161= 10×160+1 Publish
public key KU= {7,187}
Keep secret private key KR= {23,187} Now, given message M = 88 (nb. 88<187) encryption:
C = 887 mod 187 = 11
Decryption: M = 1123 mod 187 = 88
Another example of RSA is given as,
Let p = 11, q = 13, e = 11, m = 7
n = pq i.e. n= 11*13 = 143
ø (n)= (p-1)(q-1) i.e. (11-1)(13-1) = 120
e.d=1 mod ø(n) i.e. 11d mod 120 = 1 i.e. (11*11) mod 120=1; so d
= 11 public key :{11,143} and private key: {11,143}
C=Me mod n, so ciphertext = 711mod143 = 727833 mod 143; i.e. C = 106
M=Cd mod n, plaintext = 10611 mod 143 = 1008 mod 143; i.e. M = 7

For RSA key generation,

Users of RSA must:
• Determine two primes at random - p, q
• select either e or d and compute the other
• earns must be sufficiently large
• typically guess and use probabilistic test

Security of RSA
There are three main approaches of attacking RSA algorithm.
Brute force key search (infeasible given size of numbers) As explained before, involves
trying all possible private keys. Best defense is using large keys.
Mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)
There are several approaches, all equivalent in effect to factoring the product of two primes.
Some of them are given as:
• factor N=p.q, hence find ø(N) and then d
• determine ø(N) directly and find d
• find d directly
The possible defense would be using large keys and also choosing large numbers for p and q,
which should differ only by a few bits and are also on the order of magnitude 1075 to 10100.
And gcd (p-1, q-1) should be small.
4. Diffie-Hellman Key Exchange
Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications
using a symmetric key cipherMedia.TheD-Hlgorithm depends for its effectiveness on the
difficulty of computing discrete logarithms.

First, a primitive root of a prime number p, can be fined as one whose powers generate all the
integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers, a mod
p, a2 mod p,..., ap-1 mod p, are distinct and consist of the integers from 1 through p 1 in
some permutation.
For any integer b and a primitive root a of prime number p, we can find a unique exponent

i such that .The exponent i is referred to as the discrete

logarithm of b for the base a, mod p. We express this value as dloga,p (b). The algorithm is
summarized below:
 For this scheme, there are two publicly known numbers: a prime number q and an integer α
that is a primitive root of q. suppose the users A and B wish to exchange a key. User A selects
a random integer XA < q and computes YA = αXA mod q. Similarly, user B independently
selects a random integer XA < q and computes YB = αXB mod q. Each side keeps the X value
private and makes the Y value available publicly to the other side. User A computes the key
as K = (YB) XA mod q and user B computes the key as K = (YA) XB mod
q. These two calculations produce identical results.
Discrete Log Problem
The (discrete) exponentiation problem is as follows: Given a base a, an exponent b and a
modulus p, calculate c such that ab ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem is
fairly easy and can be calculated "quickly" using fast-exponentiation. The discrete log
problem is the inverse problem: Given a base a, a result c (0 ≤ c < p) and a modulus p,Calculate
the exponent b such that ab ≡ c (mod p). It turns out that no one has found a quick way to
solve this problem With DLP, if P had 300 digits, Xa and Xb have more than 100 digits, it
would take longer than the life of the universe to crack the method.
Examples for D-H key distribution scheme:
1) Let p = 37 and g = 13.

Let Alice pick a = 10. Alice calculates 1310 (mod 37) which is 4 and sends that to Bob. Let
Bob pick b = 7. Bob calculates 137 (mod 37) which is 32 and sends that to Alice. (Note: 6
and 7 are secret to Alice and Bob, respectively, but both 4 and 32 are known by all.)

2) Let p = 47 and g = 5. Let Alice pick a = 18. Alice calculates 518 (mod 47) which is 2
and sends that to Bob. Let Bob pick b = 22. Bob calculates 522 (mod 47) which is 28 and
sends that to Alice.

Man-in-the-Middle Attack on D-H Protocol

Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and
then computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.

3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)
XD2mod q.

4. Bob receives YD1 and calculates K1 = (YD1) XE mod q.

5. Bob transmits XA to Alice.

6. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1 = (YB) XD1 mod
q.

7. Alice receives YD2 and calculates K2 = (YD2) XA mod q.

 At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E (K2, M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.

3. Darth sends Bob E(K1, M) or E (K1, M'), where M' is any message. In the first case,
Darth simply wants to eavesdrop on the communication without altering it. In the second case,
Darth wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate
the participants. This vulnerability can be overcome with the use of digital signatures and
public- key certificates.

Elliptic Curve Cryptography (Ecc)

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over finite fields. The use of elliptic curves in
cryptography was suggested independently by N al Koblitz and Victor S. Miller in 1985. The
principal attraction of ECC compared to RSA is that it appears to offer equal security for a far
smaller bit Sky upsize, thereby reducing the processing overhead.
Elliptic Curve over GF (p)
Let GF (p) be a finite field, > 3, and let a, b
4a3 + 27b2 ≡ 0 (mod p). An elliptic curve, E(a,b)(GF(p)),
is defined as the set of points (x,y) ᴄGF(p) * GF(p) which satisfy the equation

y2 ≡ x3 + ax + b (mod p), together with a special point, O, called the point at infinity. Let P
and Q be two points on E(a,b)(GF(p)) and O is the point at infinity.
• P+O = O+P = P

• If P = (x1, y1) then -P = (x1,-y1) and P + (-P) = O.

• If P = (x1, y1) and Q = (x2, y2), and P and Q are not O. 86

Then P +Q = (x3 ,y3) where

X3 = ƛ 2 - x1 - x2
y3 = ƛ (x1 - x3) - y1 and
ƛ = (y2-y1)/(x2-x1) if P ≠ Q
ƛ = (3x12+a)/ 2y1 if P = Q
An elliptic curve may be defined over any finite field GF (q). For GF (2m), the curve has a
different form: - y2 + my = x3 + ax2 + b, where b! =0.
Cryptography with Elliptic Curves
The addition operation in ECC is the counterpart of modular multiplication in RSA, and
multiple additions are the counterpart of modular exponentiation. To form a cryptographic
system using elliptic curves, some kind of hard problem such as discrete logarithm or
factorization of prime numbers is needed. Considering the equation, Q=kP, where Q,P are
points in an elliptic curve, it is “easy” to compute Q given k,P , but “hard” to find k given
Q,P. This is known as the elliptic curve logarithm problem. K could be so large as to make
brute-force fail.
Pick a prime number p= 2180 and elliptic curve parameters and b for the equation
y2 ≡ x3 + ax + b (mod p) which defines the elliptic group of points Ep(a,b). Select generator
point G=(x1,y1) in Ep(a,b) such that the smallest value for which nG=O
ECC Key a very large prime number. Ep(a,b) and G are parameters of the
Exchange be cryptosystem known to all participants. The following steps take place:
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• Compute shared key: K=nA×PB, K=nB×PA {same since K=nA×nB×G }
ECC Encryption/Decryption As with key exchange system, an encryption/decryption
system requires a point G and and elliptic group Ep (a,b) as parameters. First thing to be done
is to encode the plaintext message m to be sent as an x-y point Pm. Each user chooses private
key nA<n and computes public key PA=nA×G. To encrypt and send a message to Pm to B,
A chooses a random positive integer k and produces the ciphertext Cm consisting of the pair
of points Cm={kG, Pm+kPb}. Here, A uses B’s public key.
To decrypt the cipher text, B multiplies the first point in the pair by B’s secret key and
subtracts the result from the second point Pm+kPb – nB(kG) = Pm+kPb(nBG) – nB(kG) =
Pm A has masked the message Pm by adding kPb to it. Nobody but A knows the value of k,
so even though Pb is a public key, nobody can remove the mask kPb. For an attacker to
recover the message, he has to compute k given G and kG, which is assumed hard.
Security of ECC To protect a 128 bit AES key it would take a RSA Key Size of 3072 bits
whereas an ECC Key Size of 256 bits.
Hence for similar security ECC offers significant computational advantages.
Applications of ECC:
•Wireless communication devices
•Smart cards
•Web servers that need to handle many encryption sessions
•Any application where security is needed but lacks the power, storage and
computational power that is necessary for our current cryptosystems
Key Management
One of the major roles of public-key encryption has been to address the problem of key
distribution. Two distinct aspects to use of public key encryption are present.
• The distribution of public keys.
• Use of public-key encryption to distribute secret keys.
Distribution of Public Keys The most general schemes for distribution of public keys
are given below
Public Announcement of Public Keys
Here any participant can send his or her public key to any other participant or broadcast
the key to the community at large. For example, many PGP users have adopted the practice
of appending their public key to messages that they send to public forums.

Though this approach seems convenient, it has a major drawback. Anyone can forge such
a public announcement. Some user could pretend to be user and send a public key to
another participant or broadcast such a public key. Until the time when A discovers about
the forgery and alerts other participants, the forger is able to read all encrypted messages
intended for A and can use the forged keys for authentication.
 Publicly Available Directory
A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have
to be the responsibility of some trusted entity or organization. It includes the following
elements:
1.The authority maintains a directory with a {name, public key} entry for each
participant.
2.Each participant registers a public key with the directory authority. Registration would
have to be in person or by some form of secure authenticated communication.

3.A participant may replace the existing key with a new one at any time, either because
of the desire to replace a public key that has already been used for a large amount of
data, or because the corresponding private key has been compromised in some way.
4.Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is mandatory. This
scheme has still got some vulnerability. If an adversary succeeds in obtaining or
computing the private key of the directory authority, the adversary could authoritatively
a out counterfeit public keys and subsequently impersonate any participant and
eavesdrop on messages sent to any participant. Or else, the adversary may tam er with
the records kept by the authority.

Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter control
over the distribution of public keys from the directory. This scenario assumes the existence
of a public authority (whoever that may be) that maintains a dynamic directory of public
keys of all users. The public authority has its own (private key, public key) that it is using
to communicate to users. Each participant reliably knows a public key for the authority,
with only the authority knowing the corresponding private key. For example, consider that
Alice and Bob wish to communicate with each other and the following steps take place
and are also shown in the figure below:
 1.) Alice sends a timestamped message to the central authority with a request for Bob’s
public key (the time stamp is to mark the moment of the request)
2.) The authority sends back a message encrypted w th its private key (for authentication)
– message contains Bob’s public k y and the original message of Alice – this way Alice
knows this is not a reply to an old request;
3.) Alice starts the communication to Bob by sending him an encrypted message
containing her identity IDA and a nonce N 1 (to identify uniquely this transaction)
4.) Bob requests Alice’s public key in the same way (step 1)

5.) Bob acquires Alice’s public key in the same way as Alice did. (Step-2)

6.) Bob replies to Alice by sending an encrypted message with N1 plus a new generated
nonce N2 (to identify uniquely the transaction)
7.) Alice replies once more encrypting Bob’s nonce N2 to assure bob that its
correspondent is Alice
Thus, a total of seven messages are required. However, the initial four messages need be
used only infrequently because both A and B can save the other's public key for future
use, a technique known as caching. Periodically, a user should request fresh copies of the
public keys of its correspondents to ensure currency.
Public-Key Certificates
The above technique looks attractive, but still has some drawbacks. For any
communication between any two users, the central authority must be consulted by both
users to get the newest public keys i.e. the central authority must be online 24 hours/day.
If the central authority goes offline, all secure communications get to a halt. This clearly
leads to an undesirable bottleneck. A further improvement is to use certificates, which can
be used to exchange keys without contacting a public-key authority, in a way that is as
reliable as if the keys were obtained directly from a public-key authority. A certificate
binds an identity to public key, with all contents signed by a trusted Public-Key or
Certificate Authority (CA). A user can present his or her public key to the authority in a
secure manner, and obtain a certificate. The user can then publish the certificate. Anyone
needed this user's public key can obtain the certificate and verify that it is valid by way of
the attached trusted signature. A participant can also convey its key information to another
by transmitting its certificate. Other participants can verify that the certificate was created
by the authority. This certificate issuing scheme does have the following requirements:
 1. Any participant can read a certificate to determine the n me and public key of the
certificate's owner.
2. Any participant can verify that the certificate originate from the certificate authority
and is not counterfeit.
3. Only the certificate authority can create and update certificates.

4. Any participant can verify the currency of the certificate.

Application must be in person or by some form of secure authenticated communication. For

participant A, the authority provides a certificate of the form
CA = E(PRauth, [T||IDA||PUa]) where PRauth is the private key used by the authority

and T is a timestamp. A may then pass this certificate on to any other participant, who
reads and verifies the certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth,
[T||IDA||PUa])) = (T||IDA||PUa) The recipient uses the authority's public key, PUauth to
decrypt the certificate. Because the certificate is readable only using the authority's public
key, this verifies that the certificate came from the certificate authority. The elements IDA
and PUa provide the recipient with the name and public key of the certificate's holder. The
timestamp T validates the currency of the certificate. The timestamp counters the
following scenario. A's private key is learned by an adversary. A generates a new
private/public key pair and applies to the certificate authority for a new certificate.
Meanwhile, the adversary replays the old certificate to B. If B then encrypts messages
using the compromised old public key, the adversary can re d those messages. In this
context, the compromise of a private key is comparable to the loss of a credit card. The
owner cancels the credit card number but is at risk until all possible communicants are
aware that the old credit card is obsolete. Thus, the timestamp serves as something like an
expiration date. If a certificate is sufficiently old, it is assumed to be expired.
One scheme has becomeSkyupsuniversallyaccepted for formatting public-key
certificates: the
X.509 standard. X.509 certificates are ed in most network security applications, including
IP security, secure sockets layer (SSL), secure electronic transactions (SET), and
S/MIME. Secret Key Distribution With Confidentiality And Authentication
It is assumed that A and B have exchanged public keys by one of the schemes described
earlier. Then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and
a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a
new nonce generated by B (N2) Because only B could have decrypted message (1), the
presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.A
selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's private
key ensures that only A could have sent it. B computes D (PUa, D(PRb, M)) to recover
the secret key. The result is that this scheme ensures both confidentiality and
authentication in the exchange of a secret key.
Part-A
Q BT
n Questions Competence Level
o

Define Discrete Logarithm Understand BTL 2

1.

State the use of Fermat’s Theorem Remember BTL 1

2.

Find 117 mod 13. Apply BTL 3

3.

State Euler’s Theorem Remember BTL 1

4.

Define Finite Field Understand BTL 2

5.

Define Diffusion Understand BTL2

6.
Write down the difference between the BTL6
7. public key and private key cryptosystems Create

Is it possible to use the DES algorithm to BTL4

8. generate message authentication code? Analysis
Justify.
Mention the application of public key BTL5
9. cryptography. Evaluate

State the difference between conventional BTL4

10. encryption and public-key encryption. Analysis

Part-B
Q BT
. Level
Questions Competence
N
o
Explain briefly about Fermat’s and BTL1
1. Euler’s theorem Understand

In a public key system using RSA, you BTL4

intercept the cipher text C=10 sent to a user
2. whose public key is e=5, n=35. What is the Analyse
plain text? Explain the above problem with
an algorithm description

Describe Chinese Reminder theorem. Understand BTL1

3.
Explain Diffie-Hellman key exchange BTL3
algorithm with an example. Consider a Apply
4.
Diffie-Hellman scheme with a common
prime q=353 and a primitive root α=3.
 Users A and B have private keys XA=17
and XB=21 respectively. What is the shared
secret key K1 and K2?
Demonstrate encryption and decryption BTL3
5. for the RSA algorithm parameters: p=3, Apply
q=11, e=7, d=? , M=5.
Users A and B use the Diffie-Hellman Key BTL5
exchange technique with a common prime
6. q=71 and a primitive root 𝛼 = 7. If the user Evaluate
A has private key XA=5, what is A’s public
key YA?
Explain Diffie-Hellman Key exchange BTL1
7. algorithm with its merits and demerits. Understand