Block-03 Public Key Cryptosystems and Digital Signature
Block-03 Public Key Cryptosystems and Digital Signature
CRYPTOGRAPHY
Indira Gandhi
National Open University
School of Sciences
Block
3
PUBLIC KEY CRYPTOSYSTEMS AND DIGITAL
SIGNATURE
UNIT 7
Public Key Encryption 5
UNIT 8
Digital Signatures 37
UNIT 9
Practical Guide 53
Curriculum Design Committee
Dr. B.D. Acharya Prof. O.P. Gupta Prof. C. Musili
Dept. of Science & Technology Dept. of Financial Studies Dept. of Mathematics and Statistics
New Delhi University of Delhi University of Hyderabad
Prof. Adimurthi Prof. S.D. Joshi Prof. Sankar Pal
School of Mathematics Dept. of Electrical Engineering ISI, Kolkata
TIFR, Bangalore IIT, Delhi Prof. A.P. Singh
Prof. Archana Aggarwal Dr. R. K. Khanna PG Dept. of Mathematics
CESP, School of Social Sciences Scientific Analysis Group University of Jammu
JNU, New Delhi DRDO, Delhi Faculty Members
Prof. R. B. Bapat Prof. Susheel Kumar School of Sciences, IGNOU
Indian Statistical Institute, New Delhi Dept. of Management Studies Dr. Deepika
IIT, Delhi Prof. Poornima Mital
Prof. M.C. Bhandari Dr. Atul Razdan
Dept. of Mathematics Prof. Veni Madhavan Prof. Parvin Sinclair
IIT, Kanpur Scientific Analysis Group Prof. Sujatha Varma
Prof. R. Bhatia DRDO, Delhi Dr. S. Venkataraman
Indian Statistical Institute, New Delhi Prof. J.C. Mishra
Prof. A. D. Dharmadhikari Dept. of Mathematics
Dept. of Statistics IIT, Kharagpur
University of Pune
One of the problems that was a hurdle for widespread use of Cryptography was the
problem of key exchange, i.e. exchange of keys before communication can be started.
Parties had to meet at one place to agree on keys or keys had to be distributed by trusted
couriers. The secrecy could be compromised if these means were not adopted.
In their path breaking paper [5], Diffie and Hellman discussed a secure method for
exchanging keys without meeting in person or using trusted couriers. Their method was
based on the fact that finding discrete logarithms is difficult. They also proposed a
frame work for a new type of cryptosystems called Public Key Cryptosystems.
In their paper [14], Rivest, Shamir and Adleman proposed such a cryptosystem based
on the fact that it is difficult to factorise a natural number. They also proposed a method
for digitally signing documents, which is an analogue of the physical signature on
documents. In [6], ElGamal proposed a cryptosystem based on the fact that it is
difficult to find discrete logarithms in an abelian group. We discuss these cryptosystems
in Unit 7. In the same Unit, we also take on the role of a cryptanalyst who tries to break
these cryptosystems. Since the two cryptosystems are based on the computational
difficulty of factoring and discrete logarithm problems, we discuss methods for
factoring and solving discrete logatithms.
It is now known that James Ellis, who worked for Communication-Electronics Security
Group (GESG) which was a part of Government Communications Headquarters
(GCHQ) of UK also came up with the idea of a public key cryptosytem in 1969.
Clifford Cocks, also of the GCHQ came up with a system similar to RSA in 1973. The
Diffie-Hellman key exchange was discovered by Williamson of GCHQ around 1975,
In the third Unit, we discuss digital signatures. They are the digital analogues of the
conventional signatures. Digital signatures provide the functionalities provided by
conventional signatures, namely authentication and non-repudiation. In this Unit, we
discuss three digital signature algorithms, namely RSA signature algorithm, ElGamal
algorithm and Digital Signature Standard.
In the final Unit, we have given the practical exercises for this course. As in other
courses, you have to complete 70% of the sessions to be elgible to appear for the
practical examination.
If you have comments, corrections or if you need clarification, please write to:
[email protected].
NOTATIONS AND SYMBOLS
a⊕b Bit string obtained by XORing the bit string a with bit string b, page 12
M Message, page 7
7.1 INTRODUCTION
In the previous block, we discussed some symmetric key cryptosystems where we can
obtain the decryption key from the encryption key. Because of this reason, the key has
to be kept secret and the parties that want to communicate securely have to find a way
of exchanging the keys. This was not a problem in the earlier times when the
cryptography was not used widely and the users were very few.
However, things changed with invention of more communication tools and the digital
computer. Many commercial organisations started using cryptography and they faced
the problem of distributing keys. The organisations exchanged keys through trusted
couriers or meeting in person. In their path breaking paper [5], Diffie and Hellman
proposed the framework for a new cryptosystem called public key cryptosystem.
However, they did not give any concrete example. In public key cryptosystem, the
encryption key can be made public without compromising the security. So, people can
send messages to each other without exchanging keys before.
In Sec. 2, we will introduce you to public key cryptosystems. In Sec. 3, we will discuss
RSA public key cryptosystem. In Sec. 4, we will discuss the ElGamal public key
cryptosystem. In the same paper where they discussed the public key crypto system,
Diffie and Hellman also gave a method of exchanging keys without meeting in person
or using trusted couriers. We will discuss this also in Sec. 4. The security of the RSA
cryptosystem is based on the fact that integer factorisation is a ‘hard’ problem.
Similarly, the security of the ElGamal cryptosystem is based on the fact that discrete
logarithm problems is a ‘hard’ problem. we will discuss the integer factorisation
problem and discrete logarithms problem in Sec. 5.
Objectives
After studying this unit, you should be able to
• explain what is a one way function;
• explain what is a cryptographic protocol;
• explain the RSA algorithm;
• explain the ElGamal algorithm;
• explain Fermat factorisation algorithm, p − 1 algorithm and the quadratic sieve
algorithm; and 5
Public Key Cryptosystems • explain Pohling-Hellman algorithm, Baby Step-Giant Step alogrithm and the index
and Digital Signature
calculus algorithm for discrete logarithms.
In Block 2, we discussed symmetric key cryptosystems like DES, AES and RC4. The
drawback in these systems is that the communicating parties have to exchange the keys
securely before they start their communication. Another issue is the huge storage
required for storing all the encryption and decryption keys. Also, until the parties
exchange the keys, it is not possible for the parties to communicate securely. In
commercial activities, organisations need to communicate securely with other
organisations or persons with whom they have not had any previous transaction. In
such cases, commercial organisations may lose business opportunities if they wait till
they decide upon the keys.
To overcome this difficulty, in [5], Diffie and Hellman described a new concept, the
public key cryptosystem. However, they didn’t propose any specific cryptosytem based
on this. As we will see later, specific systems that were based on this concept were
invented by others. In the same paper they also proposed a method by which two
parties that want to communicate with each other can exchange keys securely without
meeting in person.
Note that, in the case of symmetric key cryptosystems, we assume that it is not possible
break the cryptosystem by exhaustive key search, i.e. it will require impossibly large
memory and time to try out all the keys. As we will see in the definition that follows, in
the public key cryptosystems, we assume that it is ‘computationally infeasible’ to find
the decryption key from the encryption key.
Before we formally define a public key cryptosystem, we need the following definition:
Definition 2: A public key cryptosystem is a pair of families {Ek }k∈K and {Dk }k∈K
You may like to refer to of functions satisfying
pages 51 and 52 of Block 1
to recall what K , P and C Ek : P −→ C (1)
are.
and
Dk : C −→ P (2)
such that:
1) For every k ∈ K , Ek is the inverse of Dk .
2) For every k ∈ K and p ∈ P, c ∈ C , Ek (p) and Dk (c) are easy to compute.
3) For every k ∈ K , it is feasible to compute inverse pairs Ek and Dk from k.
4) For almost every k ∈ K , it is computationally infeasible to derive Dk from Ek
without knowing k.
After the paper [5] was published, many people provided examples of one way
functions and designed cryptosystems based on them. We will discuss some of them
now.
In [14], Rivest, Shamir and Adleman described the RSA cryptosystem. This is one of
the most popular systems for public key encryption and is widely used. Let us now
discuss this encryption algorithm.
Suppose you are given two 300 digit prime numbers and asked to multiply them, you Of course, with
can multiply them quite quickly on a computer. But, if you are given a product of two improvements in
carefully chosen 300 digit primes and asked to find what the primes are, it may take computational power, the
millions of years to find it using the knowledge and the computing power available number of digits required to
make factorisation
now. This was the idea behind the design of the RSA cryptosystem that we will study in
computationally infeasible
this section. will increase.
Suppose Bob wants to use the RSA cryptosystem to receive messages. He does the
following:
1) Selects two large primes p and q and multiplies them to get n = pq.
Note that, (p − 1)(q − 1) = φ (n) where φ (n) is the Euler’s φ function(see Block 1
of this course and Block 1 of MMT-003.). He can then find integers d, d0 using
extended euclidean algorithm(see Unit 2 of Block 1)such that
Now, if Alice wants to send a message to Bob, she looks up the values of n and e. She
represents the message by a number, say M , 0 ≤ M ≤ n − 1, and calculates
c ≡ Me (mod n)
and sends the value c to Bob. If the message is long, she breaks up the message into
blocks so that each block can be represented by a number between 0 and n − 1. We will
discuss some methods for converting text into numbers in the practical guide. Here, we
will assume that we have converted text to a number using any of the methods.
Bob decrypts the message by raising c to the power d modulo n. Of course, both Bob
and Alice can calculate the powers using repeated squaring algorithm we discussed in 7
Public Key Cryptosystems Block 1. Before we prove that the encryption and decryption work correctly, let us look
and Digital Signature
at some examples.
Example 1: Let us take p = 13, q = 19. Then, n = 247 and φ (n) = 12 · 18 = 216. Let
us take e = 7. Note that, this is a valid choice since (7, 216) = 1. Using extended
euclidean algorithm, we get 7 · 31 − 216 = 1, so d = 31.
We can calculate 1157 (mod 247) using repeated square algorithm in page 34 of Block
1 with the help of a calculator. Here are the values at the end of each iteration, so that
you can check your calculations.
Here, we have calculated all the values modulo 247. We have also used the same
notation as in Block 1. So, c, the encrypted text is 210.
Again, to decrypt, we raise 210 to the power 31 modulo 247. Here are the calculations
using repeated squaring method:
So, 21031 ≡ 115 (mod 247). So, the encryption and decryption functions work
correctly.
∗∗∗
E1) Take p = 7, q = 11. Find φ (n). Check that e = 6 is a proper encryption exponent
and if it is not, find a suitable encryption and decryption exponent. Encrypt the
message M = 40 and check your decryption exponent by checking that c
decrypts correctly.
E2) Let p = 17, q = 23 and e = 71. If the ciphertext is 171, find the plaintext.
Let us now see why the RSA algorithm is correct. Suppose M is the plain text and c is
the cipher text.
We have
cd ≡ (M e )d ≡ M ed (mod n) (5)
We have M ed = M 1+kφ (n) for some integer k since ed ≡ 1 (mod φ (n)). So, if
(M , n) = 1, then M ed ≡ M (mod n) since M φ (n) ≡ 1 (mod n) by Euler’s theorem.
k(p−1)
M 1+k(p−1)(q−1) ≡ M · M k(p−1)(q−1) ≡ M · M q−1 ≡ M (mod q).
Let us now verify that the RSA cryptosystem has the properties mentioned in
Definition 2. Let us take
Of course, once we know e, p and q, we can easily calculate d. So, condition 3) is also
satisfied.
Regarding 4), it is believed by experts that only way of finding d from n and e is to
factorise n, find φ (n) and use it to find d from e and φ (n) by extended euclidean
algorithm. Of course, we cannot prove that factorising n is the only way to find φ (n),
though experts believe this is so. DeLaurentis, [4], and Miller,[8], show that computing
an RSA private key (p, q, d) from its public key (n, e) is as difficult as factoring.
Remark 1: Note that, if we know n and φ (n), we can recover p and q as follows: We
have
φ (n) = pq − p − q + 1 = n − (p + q) + 1
Since we know n, we can find p + q from the above equation. Since we know pq = n
and p + q, we can find p and q by factoring the quadratic equation
x2 − (p + q)x + pq = 0.
So, p and q are the roots of the equation x2 − 360x + 29591. Solving, we get the roots
127 and 233. So, 29591 = 127 · 233.
E3) You are given that n = 31309 and φ (n) = 30940. Find the factors of p and q.
What we have described is the bare bones version of the RSA algorithm. However,
when we implement it, we have to take many precautions. Let us now discuss some of
them now.
We mentioned that the only way of finding the decryption exponent seems to be
factoring n. It is easy to factorise n if the primes are not properly chosen. If p and q are 9
Public Key Cryptosystems close to each other so that |p − q| is small, then we can factorise n using Fermat’s
and Digital Signature
method that we will discuss in the section on integer factorisation.
Let us now discuss how to generate a random prime. Suppose we want to generate a
k-bit prime m. We set the first and last bit of m to 1 and use a pseudo random bit
generator to generate the remaining k − 2 bits. We choose random bits that are
uniformly distributed. We first check by trial division if m is a prime by dividing m by
all primes up to a certain limit, usually, 106 . We then apply the Rabin-Miller test three
See pages 41 and 42 of times. If the test returns NO, then probability of m being composite is less than 2180 . We
Block 1 for a discussion of then consider m to be a prime. If m turns out to be composite, the receiver of
Rabin-Miller test. messages(Bob) will detect it because the decryption will not work properly. In this
case, Alice can generate a new set of primes and start afresh. Note that, this has very
negligible probability.
The decryption exponent should be sufficiently large so that it cannot be found using
1/4
brute force. Also, in [16], Wiener proves that if d < n , we can calculate d from n and
3
e.
Another issue regarding the security of the RSA is the choice of encrpytion exponent.
Suppose there are three recipients, all of them with the same encrption exponent 3, but
with different modulus ni , i = 1, 2, 3. Then, we calculate yi = M 3 (mod ni ) and send
them to the recipients. Suppose two of them, say n1 and n2 , are not coprime. Then,
(n1 , n2 ) is a non-trivial factor of n1 and n2 and any adversary can factorise both of them.
So, we can always assume that ni are pairwise coprime.
using Chinese remainder theorem. We have n1 = 799, n2 = 1159, n3 = 1909. So, See page 74 of Block 1,
N = n1 · n2 · n3 = 1767812269, N1 = n2 · n3 = 1159.1909 = 2212531, N2 = 1525291 MMT-003 study guide for a
and N3 = 799 · 1159 = 926041. We have a1 = 593, a2 = 1122 and a3 = 1727. Recall discussion of Chinese
that N0i is such that Ni N0i ≡ 1 (mod ni ). We can find N0i using extended euclidean Remainder Theroem.
algorithm. We have, N01 = 8, N02 = 74, N03 = 1768. So,
∗∗∗
E4) Eve knows that Alice has encrypted a message using the exponent 3 and 3
different moduli. The encrypted messages and the modulii are 78 (mod 989), 254
(mod 1273) and 66 (mod 1513). Find the message.
Since the encryption key is known in RSA, we may succeed in a known plain text
attack. Consider the following situation. Suppose Bob sends Alice e-mails periodically,
informing about the date of a particular event. Suppose Eve gets hold of one of these
messages and knows that the date of the event in the letter is in a specific format. To
find the date, Eve has to just encrypt all the 365 dates in the format used by Bob and
check if the encrypted text in Bob’s message contains any of 365 possible texts.
We can overcome many of the problems we mentioned above by using the Optimally
Assymetric Encryption Protocal(OAEP) discovered by Bellare and Rogaway, [1]. Our
discussion follows [15].
In this method, Alice does the following: Suppose Bob’s encryption exponent is e and
the modulus is n. Further, suppose that the size of n is k bits. Alice and Bob fix three
positive integers k0 , k1 and k2 such that k0 + k1 + k2 = k. Alice’s message should be k2
bits long. (If length of the message is less than k2 , she can pad the message with zeros.
If the length of the message is greater than k2 , she can always divide the message into
chunks of size k2 . In this process, there may be at most one chunk with size less than
k2 . She can pad this with zeros so that all the chunks have size k2 .) Let G be a
pseudorandom generator that takes as input a string of size k0 and outputs a string of
size k1 + k2 bits and H be a function that takes as input a string of size k1 + k2 bits and
outputs a string of size k0 bits. We usually construct G and H from hash functions.
To encrypt the message Alice concatenates the message with k1 zero bits and expands
the message to M ||0k1 and this string has size k1 + k2 . Next, she selects a random
string r of length k0 bits, uses it as the random seed for G(r) and computes
Note that G(r) and M ||0k1 have length k1 + k2 . Also, r and H (x1 ) have length k0 . So,
the XOR operations in Eqn. (6) are possible. 11
Public Key Cryptosystems If x1 ||x2 is a binary number bigger than n, Alice choses another random string r and
and Digital Signature
computes the new values of x1 and x2 . If G(r) produces fairly random outputs, x1 ||x2
will be less than n in binary with a probability greater than half. After getting a string r
with x1 ||x2 < n, Alice then encypts x1 ||x2 to get the ciphertext
The process is summarised in Fig. 1. Note that, the inputs and outputs are in oval
M ||0k1 G(r)
k1 + k2 bits k1 + k2 bits
Apply XOR
x1 = M ||0k1 ⊕ G(r)
k1 + k2 bits
H: Input-k1 + k2 bits
Output k0 bits
H(x1 )
k0 bits
Apply XOR
x2 = r ⊕ H(x1 )
Concatenate k0 bits
Ciphertext c
Bob decrypts the ciphertext by using his private key d and finding cd (mod n). He then
writes the result in the form
where y1 has k1 + k2 bits and y2 has k0 bits. Note that y1 = x1 and y2 = x2 since
d
cd ≡ ((x1 ||x2 )e ) = (x1 ||x2 ) .
Since x1 = M ||0k1 ⊕ G(r), Bob can find M ||0k1 if he can find r and hence G(r) because
Let us see how Bob can find r. Bob can recover the random string r by calculating
H (y1 ) ⊕ y2 = H (x1 ) ⊕ x2
= H (x1 ) ⊕ r ⊕ H (x1 ) (from Eqn. (6))
= r.
Note that we can use OAEP with any public key cryptosystem. We simply have to
change the encryption and decryption functions. If we use this method, we cannot call
the encryption operation a function on the plaintext space. This is because the same
plain text may be encrypted differently at different times depending on the choice of the
random string chosen. However, given the ciphertext we can always recover the
plaintext provided we know the decryption exponent.
We have merely touched upon the various attacks on the RSA cryptosystem. For a more
detailed discussion of other methods of attacking the RSA cryptosystem see [13], [15].
In the next section, we will discuss the ElGamal cryptosystem. This system is based on
discrete logarithms. Before you read the next section, you may find it useful go through
the discussion on discrete logarithms on pages 21, 22 and 23 of Block 1.
Note that logγ : F∗q −→ {0, 1, . . . , q − 2} and alogγ : {0, 1, . . . , q − 2} −→ F∗q are inverse
functions of each other. Further, they satisfy the relations
logγ (αβ ) ≡ logγ (α) + logγ (β ) (mod q − 1) (9)
logγ (αβ −1 ) ≡ logγ (α) − logγ (β ) (mod q − 1) (10)
In the first block, we have already seen examples of discrete logarithms in general finite
fields. Let us now look at an example over a finite field of the type Fp , where p is a
prime.
Example 3: Consider Z23 a finite field with 23 elements. Then, 5 is a primitive root for
Z23 . In Table 1 we have computed all the powers of 5.
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
5i 1 5 2 10 4 20 8 17 16 11 9 22 18 21 13 19 3 15 6 7 12 14
Table 1: Powers of 5 in Z23 .
So, we can read off the discrete logarithm to the base 5 of any element of Z∗23 from this
table. For example, if we want to find the discrete logarithm of 17, we see that it
appears under i = 7, i.e. 57 = 17. So, log5 17 = 7. The table of logarithms is in Table 2. 13
Public Key Cryptosystems i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
and Digital Signature log5 i 0 2 16 4 1 18 19 6 10 3 9 20 14 21 17 8 7 12 15 5 13 11
Table 2: Logarithms to the base 5 in Z23 .
∗∗∗
Recall that the natural logarithm, ln n, and the logarithm to the base 10, log n, are
continuous functions of n. For example log 20 = 1.301029996 and
log 21 = 1.322219295 is quite close to this. So, we can make use of continuity and
differentiability of these functions to calculate logarithms and antilogarithms using
numberical methods. However, as you can see from Table 2, this is not the case for
discrete logarithms. In Table 2, while the discrete log of 2 to the base 5 is 2, the discrete
log of 3 to the base 5 is 16, which is nowhere near 2. It increases and decreases with n
in such a way that we can’t use numerical methods to calculate discrete logarithms. You
can see the comparison of discrete logarithm to the base 5 and the usual logarithm to the
base five in Fig. 2. The red dots correspond to the values of the discrete logarithm to the
base five and the values of log5 n are joined by a blue line. As you can see, the values of
the discrete logarithm are all over the place, but the values of log5 n are continuous.
22
21
20
19
18
17
16
15
14
13
12
11
10
9
8
7
6
5
4
3
2
1
0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
Fig. 2: Plot of Discrete logarithm (mod 23) to the base 5 and log5 n
We can always make a table like Table 2, but the amount of computation grows large
very quickly with increase in p. If all the prime factors of p − 1 are sufficiently small,
there are other methods for calculating discrete logarithms. However, the calculation of
discrete logarithms is very difficult if we choose our p so that p − 1 has at least one large
prime factor. We exploit this property for creating one-way functions in the following
sections. In the next subsection, we will see how Alice and Bob can use this property of
14 discrete logarithms to safely exchange keys for a symmetric key cryptosystem.
7.4.1 Diffie-Hellman key exchange Public Key Encryption
1) Alice chooses a large prime p such that p − 1 has a large prime factor. She then
chooses a primitive root α (mod p). She selects an integer x, 0 < x < p − 1. She
keeps the value of x secret, finds α x (mod p) and sends the values (p, α, α x ) to
Bob.
2) Bob chooses a y, 0 < y < p − 1 and keeps it secret. He finds α y (mod p) and
sends it to Alice.
Of course, Bob can also initiate the process by choosing the prime p, a primitive root α
(mod p) and y, 0 < y < p − 1 and sending (p, α, α y ) to Alice. Either way, at the end of
the exchanges, both Alice and Bob have the number α xy and they can use this as the
key for some symmetric key cryptosystem like AES.
Let us see why this system is secure. Eve has to calculate α xy (mod p) from the value
of α, α x and α y . This is a computationally infeasible problem known as the
Computational Diffie-Hellman problem.
Of course, if Eve can compute discrete logs, she can find x from α x and compute
(α y )x = α xy from the given value of α y and x. As we will see in the section on
factorisation and discrete logarithms, if p − 1 has a large prime factor, it is difficult to
find discrete logarithim mod p. So, this problem is no harder than the problem of
computation of discrete logs. However, it is not known whether solving Computational
Diffie-Hellman problem is equivalent to finding Discrete logs.
∗∗∗
E5) Suppose Alice chooses p = 127 and α = 3 and computes 37 ≡ 28 (mod 127).
She starts the Diffie-Hellman key exchange process by sending (127, 3, 28) to
Bob. Bob responds by sending 39 ≡ 125 (mod 127). At the end of the key
exchange process, what number will both of them have?
In the next subsection, we will discuss the ElGamal Cryptosystem. This also uses
discrete logarithm.
15
Public Key Cryptosystems 7.4.2 ElGamal Cryptosystem
and Digital Signature
In the case of ElGamal cryptosystem, we work in the field F∗P . This is our ciphertext
space C . To setup such a system, Bob does the following:
1) He chooses a large prime p such that p − 1 has a large prime factor. We will see
why it is necessary for p − 1 to have a large prime factor later. He also chooses an
arbitrary primitive root g mod p, i.e g ∈ Fp such that the cyclic group generated by
g is the whole of F∗p .
2) He chooses at random an integer x such that 0 < x ≤ p − 2, computes y = gx ,
publishes (p, g, y) and keeps x a secret.
If Alice wants to send a message to Bob, she chooses at random a natural number k
such that 1 ≤ k ≤ p − 2. She keeps the value of k secret and sends the pair gk , M yk to
x
Bob. Since Bob knows x, he can compute gk = (gx )k = yk . Bob can easily find
−1
y−k = yk using extended euclidean algorithm. So, he can recover the message by
multiplying M yk by y−k :
M ≡ M yk y−k (mod p)
Note that, strictly speaking, we cannot put this in the framework of Definition 2. This is
because the same message will encrypt to different ciphertexts at different times
depending on the value of k that Alice selects. However, apart from this, in essence, it
is a public key cryptosystem in the sense that anyone can send a message to Bob using
the publicly available values of p, g and y. Also, we can encrypt and decrypt fast using
the repeated squaring algorithm.
If Eve wants to recover the message from gk , M yk , she has to calculate yk = gxk
Let us see how we can find a primitive root mod p. Note that, we can check that g is a
n
primitive root for a prime p as follows: Suppose p − 1 = ∏kj=1 qj j is the factorisation of
n
p − 1 into distinct powers. Let ti = ∏kj=1,j6=i qj j and gi = gti for each i, 1 ≤ i ≤ k. Then g
ni −1
q
is a primitive root mod p iff gi i 6≡ 1 (mod p) for each value of i. This is a simple
exercise in group theory. We leave this to you as an exercise to verify this fact.
But,
!
k
nj p−1
ti qni i −1 = ∏ qj qni i −1 =
j6=i qi
p−1
Writing si = qi , we have the following criterion:
Proposition 1: Let p be a prime and suppose
k
n
p − 1 = ∏ qj j
j=1
Then, g ∈ F∗p is a primitive root if and only if gsi 6≡ 1 (mod p) for each i, 1 ≤ i ≤ k
16 where si = p−1
qi .
Let us now look at an example. Public Key Encryption
Example 5: Suppose Bob selects 109 as the prime p. Then, p − 1 = 108 = 22 · 33 . Let
q1 = 2, q2 = 3. Then s1 = 2 · 33 and s2 = 22 · 32 .
Let us now check if 2 is a primitive root. We have gs1 = 254 = 254 ≡ 108 ≡ −1 6≡ 1
(mod 109). But, gs2 = 236 ≡ 1 (mod 109). So, 2 is not a primitive root.
Let us check if 3 is a primitive root. We have 3s1 = 354 ≡ 1 (mod 109). So, 3 is not a
primitive root. We need not check 4 because 4 is a perfect power.
Let us check if 5 is a primitive root. We have 5s1 = 554 ≡ 1 (mod 109), so 5 is not a
primitive root.
gs1 = 654 ≡ 108 ≡ −1 (mod 109) and gs2 = 636 ≡ 63 6≡ 1 (mod 109).
Suppose Bob chooses x = 40. Then, he calculates g40 = 640 ≡ 7 (mod 109). He keeps
the value x = 40 secret and publishes the values p = 109, g = 6 and g40 = 7.
Suppose Alice wants to send the message M = 17 to Bob. She chooses k = 13 and
finds
She then finds M gxk = 17 · 80 ≡ 52 (mod 109). She then sends (96, 52) to Bob. To
p−1−x
recover the message Bob computes gk = 96109−1−40 = 9668 ≡ 15 (mod 109).
He then multiplies the encrypted message 52 by 15 to get 52 · 15 = 780 ≡ 17
(mod 109), thus recovering the message.
∗∗∗
E6) Let G be a finite abelian group and let n divide the order of G. Suppose
n
n = ∏kj=1 qj j and let g ∈ G. Write
k
n
ti = ∏ qj j and gi = gti .
j=1,j6=i
Then, g has order n if and only if gn = 1 and gi has order qni i for each i, i.e.
ni −1 ni
q q
gi i 6= 1 and gi i = 1 for all values of j.
E7) Suppose Bob chooses p = 181. Check that 2 is a primitive root mod 181. Suppose
Bob chooses x = 21 and publishes (181, 2, 86). He receives the pair (7, 122). Find
the message.
Recall that the security of RSA cryptosystem depends on the fact that it is difficult, in
general, to factorise a natural number. Similarly, the security of the ElGamal
cryptosystem depends on the fact that it is difficult find disrete logs in Z∗p , p a prime. In
the next section, we will see that we can solve these problems under certain conditions
using certain methods. We will gain some insights by studying the conditions under
which these problems can be solved and the methods by which they can be solved. This
insight is of help to us in strengthening these cryptosystems. 17
Public Key Cryptosystems
and Digital Signature
7.5 INTEGER FACTORISATION AND DISCRETE
LOGARITHMS
In this section, we will wear the hat of a cryptanalyst and look at methods for breaking
the RSA and the ElGamal cryptosystem. We will discuss the problems of integer
factorisation and discrete logarithms, the problems a cryptanalyst has to solve if she has
to break the RSA and ElGamal cryptosystems, respectively. Our discussion follows
[15].
We start with integer factorisation. For all practical purposes, the method of dividing an
√
integer n by all primes p ≤ n is much too slow. In this section, we will discuss other
methods which are faster. Before we move on to more general methods, we would like
to amplify our remark that we can factorise the modulus n used in RSA cryptosystem if
we know the decryption exponent.
We mentioned while discussing the RSA cryptosystem that we can factor n if we know
both the encryption and decryption exponent. In [8], Miller proved that we can
successfully factorise n, with a high probability, if we know any multiple of φ (n). Since
ed ≡ 1 (mod φ (n)), ed − 1 is a multiple of φ (n). So, we can apply Miller’s method to
factorise n if we know e and d. We will discuss this method now.
Here is how the probabilistic algorithm works. Suppose we can find an exponent r such
that
Note that, any multiple of φ (n) will satisfy this condition since aφ (n) ≡ 1 (mod n) for
all a with (a, n) = 1, by Euler’s theorem. If e and d are the encryption and decryption
exponents, we have bed−1 ≡ 1 (mod n) for all b with (b, n) = 1. So, there is always an r
satisfying Eqn. (11).
Write r = a2s with a odd. Choose a random b with 1 < b < n − 1. If gcd(b, n) 6= 1 we
have a factor of n. Otherwise, let b0 = ba (mod n). We find b1 , b2 , . . ., in N such that
etc. If b0 ≡ 1 (mod n), we choose another b and repeat the procedure. Also, if bk ≡ −1
(mod n) for some k, we choose a different b and repeat the procedure. If bk+1 ≡ 1
(mod n) and bk 6≡ ±1 (mod n) for some k, (bk − 1, n) gives a non-trivial divisor of n.
This is because, b2k ≡ bk+1 ≡ 1 (mod n) or (bk − 1) (bk + 1) = b2k − 1 ≡ 0 (mod n). So,
n | (bk + 1) (bk − 1). Since bk 6≡ ±1 (mod n), n - bk − 1 and n - bk + 1. So, (n, bk − 1)
and (bk + 1, n) must be non-trivial factors of n. Also, since bs ≡ 1 (mod n), for each b
with (b, n) = 1, it is guaranteed that there is a k such that bk ≡ 1 (mod n).(Why?)
∗∗∗
E8) Let n = 12193, e = 303, d = 79. You can take for granted the following
information:
Factor n.
Remark 2: Even if we find one b and one r > 0, where b and r are integers with br ≡ 1
(mod n), we may succeed in factoring n. We write r = 2s a with a odd. We then find
b0 = ba , b1 ≡ b20 (mod n), · · · and proceed exactly as before. Of course, we may get
bk ≡ −1 (mod n), for some k ≤ s − 1 and this method may fail.
Another method we mentioned in our discussion of the precautions we have to take
while implementing the RSA algorithm is Pollard’s p − 1 algorithm. Pollard invented
this algorithm in 1974. Using this method, we can factorise a number n if there is a
prime p which divides n and p − 1 has only small prime factors. Here is a brief
description of the method.
Suppose p is a prime factor of n such that p − 1 has only small prime factors. Then B! is
likely to be divisible by p − 1, say B! = (p − 1)k. We have
∗∗∗
Try the next exercise to check your understanding of the above example.
E9) Let n = 16867. Factor n using p − 1-algorithm, taking the value of B to be 10.
Given an odd integer n, how do we find x and y? For various values of i, we check
whether n + i2 is a perfect square. As we saw just now, if there is a factorisation n = pq,
then n = x2 − y2 with x = p+q p−q
2 , y = 2 . So, the number of values of i we have to check
will be at most
p − q
min n = pq, where p, q ∈ N, p, q > 1
2
If there are factors p and q that are close to each other, p − q is small and so n can be
factored easily. Let us now look at an example.
∗∗∗
in the factor base, we form a ` × q matrix as follows: Each column of the matrix
corresponds to a prime in the factor base and each row corresponds to a xi such that
x2i ≡ ci (mod 7680587) with all the prime divisors of ci less than or equal to B. The
entry in the ith row, jth column gives the power of the jth prime that divides ci . For
example, since 39292 ≡ 75867 (mod 7680587) and 75867 = 3 · 113 · 19, 3929 will
correspond to the row [0, 1, 0, 0, 3, 0, 0, 1] indicating that the power of 3 dividing 75867
20 is 1, the power of 11 dividing 75867 is 3 and the power of 19 dividing 75867 is 1 and
the primes 2, 5, 7, 13 and 17 do not divide 75867. Similarly, we find that Public Key Encryption
We have
We look for linear dependencies mod 2 among the rows of Eqn. (12). We reduce the
rows of the matrix in Eqn. (12) mod 2 to get matrix
0 1 0 0 1 0 0 1
1 0 1 0 0 0 0 0
0 0 0 0 1 0 0 1
1 0 1 0 0 0 0 0 . (13)
1 0 0 0 1 1 1 1
1 0 1 0 0 0 0 0
0 0 0 0 1 0 0 1
We note that second, fourth and sixth rows are identical. Also, third and the seventh
rows are identical. Since we are working modulo 2, any two of them add up to 0. A
systematic way of finding relations is to view Eqn. (13) as map from F72 to F82 and find
the relations from the kernel. For example, the kernel of the matrix in Eqn. (13) is
generated by the vectors {(0, 1, 0, 1, 0, 0, 0), (0, 1, 0, 0, 0, 1, 0), (0, 0, 1, 0, 0, 1)}. From the
kernel, we have the following relations:
1. Note that, on multiplying Eqn. (13) on the left by the first vector (0, 1, 0, 1, 0, 0, 0),
we get the sum of the second and fourth columns as the answer. Since
(0, 1, 0, 1, 0, 0, 0) is in the kernel, this implies that the sum of the second and fourth
rows are zero. 21
Public Key Cryptosystems 2. Similarly, from the second vector in the kernel we get that the sum of the second
and Digital Signature
and sixth rows are zero.
3. From the third vector in the kernel we get that the sum of the third and eighth rows
are zero.
When we have such a dependency, we get a relation of the form
x2 ≡ y2 (mod 7680587).
For example:
1. The sum of the second and fourth rows of the matrix in Eqn. (13) is 0. The second
row corresponds to the relation
2. The sum of the second and sixth rows of the matrix in Eqn. (13) is 0. The second
row corresponds the congruence
3. The sum of the third and sixth rows of the matrix in Eqn. (13) is 0. The third row
corresponds to the congruence
78392 ≡ 52 ·11·19 (mod 7680587) and 149322 ≡ 32 ·113 ·19 (mod 7680587)
We have (7839 · 14932 − 3 · 5 · 112 · 19, 7680587) = 1129. Thus, we have found a
factor of 7680587. Dividing 7680587 by 1129, we get the other factor 6803. You
can check that 1129 and 6803 are primes.
Note that, for the sake of simplicity, we have taken only seven rows. But, in practice,
we usually make sure there are more rows than columns, i.e. ` > q, so that the kernel of
the reduced matrix is always non-trivial.
∗∗∗
Try the following exercise to check your understanding of the above example.
The quadratic sieve is an improved version of the above method. The number field sieve
uses more sophisticated techniques to produce relations of the form x2 ≡ y2 (mod n)
and is somewhat faster in many situations. See [7] for an exposition of this method.
Next, we shall discuss methods for finding discrete logarithms. You may like to review
the relevant portions from Block 1 and Sec. 4 of this Unit before proceeding further.
Let us fix a prime p and suppose α and β be non-zero integers. Suppose that we have to
find x such that
Recall that, the problem of finding x is called the discrete logarithm problem because
if x satisfies Eqn. (14), then we say that x is the discrete logarithm of β to the base α.
Of course, a solution may not exist for arbitrary α and β . However, if we take α to be a 23
Public Key Cryptosystems primitive root mod p, there is always a solution to Eqn. (14) for any nonzero β . So,
and Digital Signature
from now, we will assume that α is a primitive root mod p for the sake of simplicity.
Observe that,
Note that, we can formulate the problem in Eqn. (14) in a more general setting.
Suppose G is a cyclic group of order n and α is a generator of G. If β ∈ G, we can ask
for the solution to the equation
αx = β . (16)
We now describe a method due to Pohlig and Hellman for solving Eqn. (16). See [10].
Pohlig and Hellman discuss a method for solving Eqn. (14) on the previous page, but
we will discuss the method in the more general situation given by Eqn. (16). Our will
work for Eqn. (14) because Z∗p is a cyclic group of order p − 1.
We first show how to reduce the problem in Eqn. (16) to the case where the cyclic
group has prime power order. Suppose
n = ∏ qri i
i
ni = n
r
, αi = α ni and βi = β ni .
qi i
Then, the order of αi is qri i and it generates the unique Sylow-qi subgroup of G.(Why?)
Further, order of βi divides qri i and so βi is in the Sylow-qi subgroup of G. So, the
equation
αix = βi (17)
has a solution for each i, 1 ≤ i ≤ k. Let x(i), 1 ≤ i ≤ k, be a solution of Eqn. (17). The
next proposition says how to get the solution to Eqn. (16) from the solutions to the
family of equations given by Eqn. (17).
Proof: We have
n
α −x β i = (α ni )−x β ni ≡ αi−x βi
r
−x(i)+kqi i
= αi βi , k ∈ Z (∵ x ≡ x(i) (mod qri i ))
(∵ αi has order qri i )
−x(i)
= αi βi
=1
We write x(i) as
24 x(i) = x0 (qi ) + x1 (qi )qi + x2 (qi )q2i + · · · + xri −1 (qi )qri i −1 . (18)
where Public Key Encryption
0 ≤ xj (qi ) ≤ qi − 1 for 0 ≤ j ≤ ri − 1.
We’ll determine the coefficients x0 (qi ), x1 (qi ), . . . xri −1 (qi ) successively, and thus obtain
x mod qri i .
For simplifying notation, we will fix a qi and write q for qi and k for ri . We will also
write x0 , x1 , . . . instead of x0 (qi ), x1 (qi ), . . ..
xqk−1 qk−1
αi = βi (19)
qk−1
Writing γi = αi and δ0 (q) = βi , we can write Eqn. (21) as
k−1
γix0 = δ0 (q)q (22)
k−1
where γi and δ0 (q)q have order q and we have to solve Eqn. (22) in a group of order
q. We solve this equation by brute force; we find different powers of γi and see which
k−1
power of γi gives δ0 (q)q . The solution to Eqn. (22) will give us the value of x0 .
Denoting the right hand side of Eqn. (23) by δi (q) and raising both sides of Eqn. (23) to
the power qk−i−1 , we get
k−1 +x k 2k−i−2 k−i−1
(αi )xi q i+1 q +···+xk−1 q
= δi (q)q (24)
and this is a discret logarithm problem with solution xi . Since γi has order q, we have to
solve Eqn. (25) in a group of order q. As we did in the case of x0 , we again solve for xi
by brute force.
This will give the value of x` (qi ). Successively solving for x0 (qi ), x1 (qi ), . . .,
xri −1 (qi ), we will get x(i) = x0 (qi ) + x1 (qi )qi + · · · + xri −1 (qi )qri i −1 .
Example 10: Suppose p = 2269. Here, the order of the group Z∗p is 2268, i.e.
n = 2268. Then, 2 is a primitive root. Suppose we want to solve the equation
2x ≡ 6 (mod 2269).
q1 = 2, r1 = 2, q2 = 3, r2 = 4, q3 = 7, r3 = 1.
We also have
2268 2268 2268
n1 = 22
= 567, n2 = 34
= 28, n3 = 7 = 324.
We have
α1 = α n1 = α 567 ≡ 1287 (mod 2269) and β1 = 6567 = 982 (mod 2269). (29)
r −1
q1
26 γ1 = α1 1 = α12 = α12 = 12872 ≡ 2268 (mod 2269)
Let x(2) = x0 (2) + x1 (2) · 2. We have to solve the equation γ1x = β12 to find the value of Public Key Encryption
x0 (2), i.e.
We have to solve the equation Eqn. (28) with ` = 1 to get x1 (2). In other words, we
have to solve the equation
2−1−1
γ1x ≡ δ12 = δ1 or 2268x ≡ 2268 (mod 2269)
We have
α2 = α n2 = α 28 ,
3
so α2 ≡ 228 ≡ 1411 (mod 2269). Further, γ2 = α23 so
So x0 (3) = 1.
To find x1 (3), we have to solve Eqn. (28) with ` = 1. First, let us compute δ1 (3). We
have
We have
4−1−1
δ1 (3)3 = δ19 ≡ 829 ≡ 1 (mod 2269)
x ≡ 3 (mod 4)
x ≡ 55 (mod 81)
x ≡ 2 (mod 7)
∗∗∗
Pohlig-Hellman algorithm is feasible to apply only if all the qi are small. So, for this
reason, in Diffie-Hellman key exchange and Elgamal algorithm, we have to ensure that
p − 1 has a large prime factor.
Notice that, for applying Pohlig-Hellman algorithm, we need to know the prime
factorisation of n, the order of the group. In the next subsection, we discuss the
Baby-Step, Giant-Step algorithm due to Daniel Shanks for discrete logarithm for which
we don’t need the prime factorisation of n. Our discussion follows [2].
Suppose we want to solve Eqn. (16), i.e. the equation α x ≡ β (mod n). In Baby-Step
Giant-Step algorithm, we do the following:
√
We choose m = d ne and write x = mq + r where 0 ≤ r < m. The baby-step finds r and
the giant-step finds q if q 6= 0.
β α −r , r 0 ≤ r < m . (30)
Example 11: Let us solve the equation 5x ≡ 13 (mod 97) using this method.
√
We have m = d 97e = 10, β = 13, α = 5. So,
B = {(13, 0), (22, 1), (82, 2), (94, 3), (77, 4), (93, 5), (38, 6),
(27, 7), (83, 8), (36, 9)} (31)
There is no pair in Eqn. (31) with first coordinate 1, so we carry out the giant step. We
first find γ = α 10 ≡ 510 ≡ 53 (mod 97). Since 53 is not the first coordinate of any of
the pairs in Eqn. (31), we compute 532 ≡ 93 (mod 97). We see that 93 appears as the
first coordinate in the sixth element of Eqn. (31). The value of r in this case is 5 and the
value of q is 2. So, x = 2 · 10 + 5 = 25 is the solution to our equation 5x ≡ 13 (mod 97)
∗∗∗
Try the following exercise to check your understanding of the baby-step, giant-step
algorithm.
E13) Solve the equation 5x ≡ 4 (mod 73) using baby-step, giant-step method.
While this algorithm has the advantage that we don’t need the factorisation of the order
of the group, the memory requirements become large when the order of the group is
≈ 1020 . In the next subsection, we discuss the index calculus algorithm for finding
discrete logarithms.
In this subsection, we will discuss the index calculus algorithm which is similar to the
quadratic sieve algorithm. Our discussion follows [15]. The algorithm has the
following steps.
or
m
logα β = r + ∑ si logα qi (34)
j=1
Example 12: Let p = 137 and α = 2. Let B = 10, so we are working with the primes
2, 3, 5, 7. A calculation yields the following:
51 ≡ 5 (mod 137)
57 ≡ 5 · 7 (mod 137)
550 ≡ 5 · 33 (mod 137)
65 4
5 ≡ 2 · 5 (mod 137)
Therefore,
Note that we are abusing the notation here. We are not taking the usual logarithm with
respect to 5, but taking the discrete logarithm in the group Z∗137 to the base 5.
Eqn. (35) and Eqn. (36) yield log5 (7) ≡ 6 (mod 136).
for some integer t. Dividing the second equation throughout by four, we get
30 16 − log5 (2) = 34t or 16 ≡ log5 (2) (mod 34). This means that log5 (2) is congruent to
16 (mod 135) or 16 + 34 = 50 (mod 136) or 50 + 34 = 84 (mod 136) or Public Key Encryption
84 + 34 = 118 (mod 136). We find 516 , 550 , 584 and 5118 and see which of them equals
2 (mod 137). We see that 5118 ≡ 2 (mod 137), so log5 (2) = 118.
From Eqn. (35) on the preceding page and Eqn. (38) on the facing page, we get
3 log5 (3) ≡ 49 (mod 136). Since 3 is coprime to 136, we can solve this to get
log5 (3) = 107.
Suppose now that we want to find log5 (29). Finding 29 · 5−r (mod 137) for some
random values of r, we find that 29 · 5−31 ≡ 135 = 33 · 5 (mod 137). So,
log5 (29) ≡ 3 log5 (3) + log5 (5) + 31 log5 (5) = 321 + 1 + 31 ≡ 81 (mod 136)
∗∗∗
Here is an exercise for you to test your understanding of index calculus algorithm.
E14) Solve the equation 2x ≡ 31 (mod 163) using index calculus algorithm. You are
given the following information:
We end this unit here. In the next section, we summarise the contents of the Unit.
7.6 SUMMARY
Let us summarise the main topics that we have discussed in this unit. In this Unit, we
have discussed
6) the Pohling-Hellman algorithm, Baby Step-Giant Step alogrithm and the index
calculus algorithm for discrete logarithms.
7.7 SOLUTIONS/ANSWERS
E1) We have φ (n) = 6 × 10 = 60. However, 6 and 60 are not coprime, so we cannot
choose 6 as our exponent. However, we can choose e = 7 since (7, 60) = 1. Using
extended euclidean algorithm, we get
7 · (−17) + 2 · 60 = 1 31
Public Key Cryptosystems So, we can choose d = 43 ≡ −17 (mod 60). Using repeated squaring algorithm,
and Digital Signature
we have:
So,
M 7 ≡ 61 (mod 77)
71 · 119 − 24 · 352 = 1,
30940 = 31309 − (p + q) + 1
∴ p + q = 31309 − 30940 + 1 = 369
So, the quadratic equation is x2 − 370x + 31309. We leave it to you to solve the
equation and find p and q.
E4) We have
E5) Both of them will have 126 since 1257 ≡ 289 ≡ 126 (mod 127).
E6) In this exercise, let O(g) denote the order of g ∈ G. In general, we have
O(g)
O gk = (39)
.
(k, O(g))
Suppose g has order n. Then, gn = 1. Use Eqn. (39) to show that gi = gti has order
ni −1
q
qni i . So, gi i 6= 1.
ni −1
q
Conversely, suppose that gn = 1 and gi i 6= 1 for each i. We have O(g) | n since
gn = 1. Further, gi has order qni i . Since O(gi ) = O (gti ) and O(gk ) | O(g) for all
k ∈ N, from Eqn. (39), it follows that qni | O(g). Since qn1 , qn2 , · · · are pairwise
coprime, it follows that n | O(g). Since n | O(g) and O(g) | n, it follows that
32 O(g) = n.
E7) Here p − 1 = 180 = 22 · 32 · 5. Let us take g = 2 and check if it is a primitive root. Public Key Encryption
We have q1 = 2, q2 = 3, q3 = 5, s1 = 2 · 32 · 5 = 90, s2 = 22 · 3 · 5 = 60 and
s3 = 22 · 32 = 36. . We have
E9) We have 210! ≡ 2627 (mod 16867) and (2626, 16867) = 101. The other factor is
167.
E10) We have 51067 + 32 = 2262 . Therefore, 51067 = (226 + 3)(226 − 3) = 223 · 229.
But, we have 486 · 972 ≡ 22 · 74 (mod 115697), so this relation gives us nothing.
Multiplying the first and third relations, we get
2
(486 · 1407)2 ≡ 25 · 5 · 72 (mod 115697).
So, 911 is a factor of 115697. Dividing 115697 by 911, we get the other factor
127.
So,
Further,
5−1 5−1
γ1 = 282 = 2816 ≡ 96 (mod 97) and δ0 (2) = β12 = 5216 ≡ 96 (mod 97) 33
Public Key Cryptosystems To find x0 (2), we have to solve the equation
and Digital Signature
96x ≡ 96 (mod 97).
Therefore, x0 (2) = 1.
Next, we compute
−x0 (2)
δ1 (2) = β1 α1 ≡ 52 · 28−1 = 52 · 52 ≡ 85 (mod 97)
and
5−1−1
δ12 = δ18 = 858 ≡ 96 (mod 97)
So, x2 (2) = 1.
To find x3 (2), we have to solve the equation γ1x = δ3 (2)2 . We have
2
δ3 (2) = δ2 (2)α −x2 (2)2 = 47 · 28−4 ≡ 75 (mod 97)
x ≡ 31 (mod 32)
x ≡ 1 (mod 3)
we get x = 31.
B = {(4, 0), (30, 1), (6, 2), (45, 3), (9, 4), (31, 5), (50, 6),
(10, 7), (2, 8), (15, 9)} . (40)
There is no pair in Eqn. (40) with first coordinate 1. So, we carry out the
giant-step. We set γ = 59 = 10 and we see that this occurs as the first coordinate
of the eighth pair in Eqn. (40) and the value of r for this pair is 7. We have q = 1,
34 so x = 1 · 9 + 7 = 16.
E14) We have the following equations: Public Key Encryption
From Eqn. (41) and Eqn. (43), we see that log2 (5) = 15 .
From Eqn. (44), we see that 20 ≡ log2 (3) (mod 81). So, log2 (3) ≡ 20 or
20 + 81 = 101 (mod 162). Checking, we find that 2101 ≡ 3 (mod 163), so
log2 (3) = 101.
Using the value of log2 (3) in Eqn. (42), we see that
35
Public Key Cryptosystems
and Digital Signature
36
UNIT 8 DIGITAL SIGNATURES
Structure Page No.
8.1 Introduction 37
Objectives
8.2 Digital Signature Algorithms 38
RSA Digital Signature Algorithm
ElGamal Digital Signature Algorithm
Digital Signature Standard
8.3 Summary 50
8.4 Solutions/Answers 50
8.1 INTRODUCTION
In the earlier units, we have seen how cryptography protects the communication
between Alice and Bob from the prying eyes of Eve. However, the methods and
algorithms that we have seen so far doesn’t protect Alice and Bob from each other in
the following sense: Suppose Alice is a stock broker and Bob is a client who buys and
sell stocks through Alice. Assume that they use some public key cryptosystem to
communicate with each other. Suppose Bob asks Eve to sell some stocks and they go
up in value afterwards. Bob can claim that he never sent the message and that it was
forged by Alice since the encrytion exponent of Bob is in the public domain. The other
way around, suppose Alice wants to offload some worthless stock on Bob. Since Bob’s
encryption algorithm is in the public domain, she can forge a message from Bob that
supposedly instructs her to buy those worthless stocks and claim that she was acting on
Bob’s instructions when she purchased the stocks. Of course, these problems could
arise in the case of symmetric key cryptosystems also because both Alice and Bob have
the encryption an decryption keys. How to address this issue?
Objectives
After studying this unit, you should be able to
• define digital signature;
• explain how to sign a message using RSA algorithm and verify a signature created
with RSA algorithm;
• explain how to sign a message using ElGamal algorithm and verify the signature
created using ElGamal algorithm;and
• explain how to sign a message using Digital Signature Standard and verify the
signature created using Digital Signature Standard.
37
Public Key Cryptosystems
and Digital Signature
8.2 DIGITAL SIGNATURE ALGORITHMS
In the third unit of the first block of this course, we discussed the goals of cryptography
which is to achieve PAIN, i.e. namely Privacy/confidentiality, Authentication, Integrity
of data and Non-repudiation. As we have seen already, the cryptosytems provide
privacy. Symmetric key cryptosystems provide certain level of authentication also if we
assume that no one other than the authorised persons have access to the keys. If Bob
and Alice alone know a key and Bob receives a message encrypted with this key, Bob
can be certain that the message was sent by Alice. This is not there in public key
cryptosystems because anyone can send a message using the encyrption exponent
available in the public domain.
Even in the case of private key cryptosystems the following situations can arise:
1) Bob can send a message to Alice and deny that he sent it at a latter date.
2) Alice can forge a message and claim that Bob sent it to her.
In the case of public key cryptosystems, a third person, say Eve, can fool Alice into
thinking a message from Eve to be a message from Bob.
To avoid such situations, we need the digital analogues of the conventional signatures
used in paper documents. Note that, in the case of paper documents, the signature in
one document cannot be pasted on another without being detected. So, whatever the
digital analogue of the conventional signature be, it should not be possible to copy the
digital signature from one document to another document. In other words, the digital
signature and the document it authenticates must be ‘inseparable’ from each other. How
do we achieve this?
Before we discuss specific algorithms, let us first see what are the properties of a digital
signature. With the help of digital signature, we should be able to:
2) Authenticate the contents of the message, i.e. check that the message has not been
tampered with.
1) The signature should be a bit pattern that should depend on the sender.
The different approaches that have been suggested for digital signatures fall into two
broad categories, namely direct signatures and arbitrated signatures.
Direct Signatures involve only Alice and Bob, the communicating parties. Suppose
(EA , DA ) is the public encryption function, private decryption function, respectively, of
Alice and (EB , DB ) is the public encryption function and private decryption function
pair of Bob. (For example, they could be RSA exponentiation functions for encryption
and decryption.) Let h denote a hash function. The following are the steps involved:
ALICE BOB
h(M ) s = DA (h(M ))
YES
EA (x) = h(M )?
Sender
NO is
Alice
Sender
may not
be Alice
Let us see why this is so. Note that, on the one hand,
If the message has been tampered with, the hash value of the tampered message will not
match the hash value calculated from the signature.
Note that, encryption of the message is optional and Alice may encrypt the message
only if it is confidential. If she doesn’t encrypt the message and sends the signature,
message pair (s, M ) to Bob, Bob has to check that
Note that, only Alice could have created DA (h(M )) because she alone knows the
decryption function DA . So, only Alice could have sent the message.
Suppose Eve wants to create another message with the same digital signature. She will
have to create a message M 0 such that h(M ) = h(M 0 ). By the properties of hash
function, it is computationaly infeasible to produce a message M 0 such that
See page 50 of block 2 for h(M ) = h(M 0 ) because of the collision resistance property of hash funtions.
properties of hash functions.
Suppose Alice claims at a later date that she never sent the message (s, c) and the issue
is taken up by a judge. Bob can submit (s, M ) to the judge and the judge can calculate
EA (s) and h(M ). If the two values are equal the judge concludes that Alice must have
sent the message if they are equal because only Alice could have created
s = DA (h(M )) because only she has access to DA .
There are some shortcomings in this scheme. If Alice wants to deny that she sent the
message, she may claim that her secret key was stolen by someone else and misused to
create the message and its signature. One way to overcome this is to include a time
stamp in the message and insist that Alice report any loss of key to a central authority.
Another possible problem could be that Eve could steal Alice’s key at time T and she
may send a message signed with Alice’s signature and a time stamp before or equal to
T.
Some of these problems can be avoided by using arbitrated schemes. We now discuss
an arbitrated scheme that works with symmetric key cryptosystem. Suppose Alice
wants to send a message to Bob. We assume that there is an arbiter trusted by both
Alice and Bob. Alice shares a secret key kA with arbiter and Bob shares a secret key kB
with the arbiter. Let (EkA , DkA ) be the encryption and decryption functions
corresponding to kA and (EkB , DkB ) be the encryption and decryption functions
corresponding to kB . Alice sends the message to Bob as follows:
1) Alice finds the hash of the message h(M ). She encrypts this hash value and a text
XA , that identifies that the sender of the message is Alice, to get
s = EkA (h(M )||XA ). This is the signature for the message. She sends this along
with the message to tthe arbiter.
She extracts XA and h(M ). From XA , she knows that the sender is supposedly
Alice. She can confirm this by comparing the value of h(M ) that she has
extracted from the signature to the hash value she calculates from the message
40 itself. If they are the same, she is satisified that the message is from Alice.
3) If M is a valid message for Bob, she concatenates the identity of Alice with the Digital Signatures
message M and signature s, encrypts it using Bob’s key and sends it to Bob, i.e.,
she sends EkB (XA ||M ||s). Bob can then decrypt this using DkB and obtain the
identity of the sender and the message.
If Alice denies that she sent the message, Bob can send EkB (XA ||M ||s) to the
arbitrator. The arbiter can decrypt it using DkB and obtain XA , the identity of the sender,
the message M and the signature EkA (h(M )||XA ). She compares the value h(M )
computed from M with the value extracted from the signature s. If they are equal,
arbitrator concludes that the message has been sent by Alice. This is because Bob
cannot tamper with s since he doesn’t know kA . In this method, Bob cannot verify
directly that the message has been sent by Alice. He needs the services of the arbitrator
for verification.
We now discuss some digital signature algorithsms. A good reference for our
discussion is FIPS 186-4, [9]. The document gives three different algorithms, the RSA
Digital Signature Algorithm, the Digital Signature Standard (DSA) and Elliptic Curve
Digital Signature Algorithm (ECDSA). In this section, we will discuss the RSA Digital
Signature Algorithm, the ElGamal algorithm and the Digital Signature Standard (DSA).
In their paper [14], Rivest, Shamir and Adleman also suggest a method for digitally
signing documents using their algorithm. We now describe the algorithm. This is
similar to the RSA algorithm. Suppose Alice wants to sign and send a message. She
does the following:
1) Alice generates two primes p and q as she does for the RSA algorithm and
computes n = pq. She then chooses eA such that (eA , φ (n)) = 1. She then
computes the inverse dA of eA using extended euclidean algorithm. Her
encryption and decryption functions are, respectively, EA (M ) = M eA (mod n)
and DA (M ) = M dA (mod n). She then publishes (n, eA ).
2) To sign a message M she computes the hash h(M ) of the message using some
standard Hash function like SHA for h and raises the hash of the message to power
dA , i.e. s = DA (h(M )) = h(M )dA (mod n). She then sends (M , s) to Bob.
To verify the signature, Bob downloads (n, eA ). He finds the value h(M ) and checks
whether this is the same as EA (s) = seA ≡ (h(M ))dA eA (mod n). If seA ≡ h(M )
(mod n), the message has been sent by Alice.
Example 13: Suppose the public key, private key and the modulus of Alice are e = 13,
d = 37 and n = 77. She publishes the values (77, 7) on the web. Let us suppose that the
message she wants to send is M = 17. Then, she calculates s = M 37 . For the sake of
simplicity, we assume that she raises the whole message to the power dA instead raising
the hash value h(M ) to the power dA . Using repeated squaring algorithm we have the
following:
Values at the end of iteration 1:
P = 17, b = 53, m = 9. 41
Public Key Cryptosystems Values at the end of iteration 3:
and Digital Signature
P = 54, b = 37, m = 4.
P = 54, b = 60, m = 2.
P = 54, b = 58, m = 1.
P = 52, b = 53, m = 0.
So, 52 is the signature of the message. She sends the pair (17, 52) to Bob. To check the
signature, Bob downloads the values n = 77 and e = 13. He then checks whether
seA = M . In this example, Bob calculates 5213 (mod 77). Again, using repeated
squaring algorithm, we have the following: Values at the end of iteration 1:
P = 52, b = 9, m = 6.
P = 52, b = 4, m = 3.
P = 54, b = 16, m = 1.
P = 17, b = 25, m = 0.
Bob finds that 5213 ≡ 17 (mod 77). So, he is convinced that the message was indeed
sent by Alice.
∗∗∗
Here is an exercise for you to check your understanding of RSA Signature Algorithm.
In Example 13 on the previous page, we assumed that Alice does not want to encrypt
her message. Suppose, she wants to encrypt the message using RSA as well as sign her
message using RSA digital signature algorithm.
Suppose she signs first and encrypts later; she first finds s = DA (h(M )) = h(M )dA
(mod n) and then c = EB (M ) = M eB (mod n). She sends (c, s) to Bob. Bob
downloads (nA , eA ), the modulus and public key of Alice. Then, using the value of eA ,
he computes
42 EA (s) = EA (DA (h(M ))) = h(M )dA eA (mod n) = h(M ) (mod n).
He then decrypts and finds the message M = DB (c) = cdB = M eB dB ≡ M (mod n). Digital Signatures
Then, he finds the hash value h(M ) and checks if EA (s) = h(M ). If it is, Bob can be
sure that the message was sent by Alice.
Now, Bob has a pair (s, M ) and if Alice denies that she sent the message, Bob can
submit the pair (s, M ) to a judge. The judge checks whether EA (s) = h(M ). If this is
the case then DA (M ) has to be s and Bob cannot produce DA (M ) because Bob does
not know DA .
On the other hand, suppose Alice encrypts the message before signing. In this case, she
computes
She sends (s, c) to Bob. Bob can recover the message by computing
DB (c) = DB (EB (M )) = M .
Bob can calculate h(c) since he knows c. Bob checks whether EA (s) = h(c). If it is, he
can be sure that message was sent by Alice.
In case Alice denies that she sent the message, Bob submits the pair (s, M ) to a judge.
The judge finds EB (M ) = c and checks whether h(c) = EA (s). If this is the case,
DA (h(c)) must be s and Alice alone could have produced s = DA (h(c)).
Now, the question is whether Alice should first encrypt the message and then sign it or
sign first and encrypt afterwards. Both have problems as we will see presently.
Suppose Alice sends the sales plan M ="SALES PLAN" to her colleague Bob. Alice
signs first and encrypts later. She computes the signature s = DA (h(M )). She then
encrypts the message with Bob’s public key to find c = EB (M ). She then sends (c, s) to
Bob. At a later time, suppose Bob has a fight with Alice and wants to make her appear
guilty of divulging trade secrets to a rival, say, Charlie.
So, in this case, the signature authenticates the sender, but it cannot be used to
determine who is the intended recipient. One simple solution is to include the name of
the recipient in the message.
Suppose Alice encrypts first and signs later. Suppose Alice has an exciting new idea and
she sends it to Bob, her Boss. She sends the message M ="MY IDEA" as follows: She
computes c = EB (M ) and then finds the s = DA (h(c)) and sends the pair (s, c) to Bob.
Her rival Charlie may block the message and do the following in an attempt to claim
credit for the idea. Since he knows EA , he can find EA (s) = EA (DA (h(c))) = h(c).
Then, he computes s1 = DC (h(c)) and sends (s1 , c) to Bob. Bob will be fooled into
believing that Charlie is the discoverer of the new idea.
In this case, the signature can be used to determine who the recipient is, but it cannot be
used to determine who the sender is. One simple solution to the issue is to include the
name of the sender as a part of the message. 43
Public Key Cryptosystems In general, the solution is to make these signing procedures a part of properly designed
and Digital Signature
cryptographic protocols. A Cryptographic protocol is a step by step procedure for
carrying out crytographic procedures like encryption or signing. Cryptographic
protocols ensures that the cryptographic algorithms are used securely.
A thorough discussion of the issues involved is beyond the scope of this course. If you
are interested in knowing more, see [3] and the references given there for a detailed
discussion of the issues involved.
We end our discussion of RSA signature algorithm here. In the next sub-section, we
will discuss a digital signature procedure due to ElGamal.
Suppose Alice wants to digitally sign her messages using ElGamal Scheme. She
chooses a prime p such that p − 1 has at least one large prime factor. She then chooses a
primitive root α, i.e. α ∈ Z∗p such that α generates the cyclic group Z∗p . She chooses
another integer a such that 2 ≤ a ≤ p − 2. She finds β = α a (mod p) and makes the
values (p, α, β ) public. She keeps the value of a secret.
for the value of x. Indeed, since k is coprime to p − 1, the congruence Eqn. (1) has a
unique solution s with 0 ≤ s ≤ p − 2. She sends the triple (M , r, s) to Bob.
Let us see why these two values should be equal. Note that since s is a solution
to Eqn. (1), sk ≡ M − ar mod p − 1. So, sk − M + ar is a multiple of p − 1. Since α is
an element of order p − 1, it follows that
α M ≡ α sk α ar (3)
Note that, since only Alice knows the values of a, k and r only she could solve the
congruence Eqn. (1).
Suppose Eve wants to forge the signature of Alice for a mess M1 . She can choose some
value k1 and find r1 = α k1 . If she has to convince Bob that the message was sent by
Alice, she has to find a s such that
rx1 = γ
Example 14: Suppose Alice chooses p = 173. Then 2 is a primitive root for for 173.
So, she chooses α = 2. Then, she chooses a = 8 and finds
Suppose Alice wants to send sign and send the message M = 16 to Bob. Here,
172 = 4 · 43. She chooses k = 9 which is coprime to 172. So, r = α k = 29 ≡ 166
(mod 173). To find s, she has to solve equation 9x ≡ 16 − 8 · 166 (mod 172) or
9x ≡ 64 (mod 172) since 16 − 8 · 166 = −1312 ≡ 64 (mod 172). Using extended
euclidean algorithm, we get (−19) · 9 + 172 = 1. So, −19 is the inverse of 9 in Z∗172 .
−1
We have −19 ≡ 153 (mod 172), i.e 9 is 153 in Z∗172 . Solving 9x ≡ 64 (mod 172),
we get x ≡ 153 · 64 ≡ 160 (mod 172). She sends the value (16, 166, 160) to Bob.
To verify the signature, Bob finds α M = 216 ≡ 142 (mod 173) to find the LHS value
in Eqn. (2) on the preceding page.
He then finds
and this agrees with LHS value. So, Bob is convinced that the message was sent by
Alice.
∗∗∗
E2) Suppose Alice chooses p = 139. Then, 2 is a primitive root so, she chooses α = 2.
She chooses a = 9 and finds β = α a = 29 ≡ 95 (mod 139). She makes the triple
(139, 2, 95) public. Suppose she wants to send the message 25 to Bob.
i) Find the signature for the message if she chooses k = 11.
ii) Explain in detail how Bob will verify the signature.
Next, we discuss some precautions that Alice has to take to make sure that the Eve is
not able to forge her signature. One precaution is that Alice should not choose the same
value of r for signing two different messages. Let us see what happens when Alice does
this. 45
Public Key Cryptosystems Suppose Aice signs two messages, M1 and M2 with the same value of r and hence the
and Digital Signature
same value of k. Eve can find this out because Alice sends the value of r to Bob along
with the message.
M1 − s1 k ≡ ar ≡ M2 − s2 k mod p − 1 or s1 k − s2 k ≡ M1 − M2 (mod p − 1)
for k.
Recall how we solve such congruences. Suppose, we want to solve the congruence
ax ≡ b (mod n) (5)
and (a, n) = d. Then, we know from Unit 6 in MMT-003 that Eqn. (5) has a solution if
and only if d | b. We let a0 = da , and b0 = db and n0 = nd . We consider the congruence
a0 x ≡ b0 (mod n0 ) (6)
Since (a0 , n0 ) = 1, Eqn. (6) has a unique solution x0 and we can find it by finding the
−1
inverse a0 of a0 in Zn0 using extended euclidean algorithm and multiplying both sides
−1
of Eqn. (6) by a0 . Then, all the solutions of Eqn. (5) are given by x0 + i dn ,
0 ≤ i ≤ d − 1. So, Eqn. (5) has d solutions.
ar ≡ M1 − s1 k (mod p − 1) (7)
or
ar ≡ M2 − s2 k (mod p − 1) (8)
for a. For the sake of definiteness, let us assume that Eve solve Eqn. (8). Again, if
` = (r, p − 1), there are ` solutions to Eqn. (7), say a1 , a2 , . . . a` . Eve finds α a1 , α a2 , . . .,
α a` and checks which ai gives α ai = β . Thus, she can find the value of a. Once she
finds a, Eve can easily forge Alice’s signature. Let us now look at an example.
Suppose Alice uses the same value k = 9 and signs the message M2 = 40. Then, Alice
has to solve the equation
(160 − 48)k ≡ −24 (mod 172) or 112k ≡ 148 (mod 172) (9)
Comparing Eqn. (5) on the facing page, we have a = 112, b = 148, n = 172 and
d = (112, 172) = 4. So, we have a0 = 112 0 148 0 172
4 = 28, b = 4 = 37, n = 4 = 43.
Comparing with Eqn. (6) on the preceding page, we first solve the congruence
x ≡ 20 · 37 ≡ 9 (mod 43)
i.e 9, 52, 95 and 138. Finding 29 (mod 173), 252 (mod 173), 295 (mod 173), 2138
(mod 173), Eve finds that 29 ≡ 166 (mod 173). So, she has the value of k.
Next, she solves the congruence Eqn. (7) on the facing page with M1 = 16, s1 = 160,
k = 9. In other words, she has to solve the congruence
Again, comparing with Eqn. (5) on the preceding page, we see that r = 166, b = 124,
n = 172 and d = (166, 172) = 2. So,
x ≡ 57 · 62 ≡ 8 (mod 86)
So, the solutions to Eqn. (11) are 8 and 8 + 86 = 94. Eve easily checks that 28 ≡ 83 = β
(mod 173) and so, she finds that a = 8. Eve can now forge Alice’s signature.
∗∗∗
Try the next exercise to see if you have understood Example 15 on the preceding page.
E3) Alice has published the values p = 173, α = 5, β = 84. She sends the signed
messages (25, 26, 101) and (35, 26, 167) to Bob. Find the value of a.
In the next section, we will discuss the Digital Signature Standard, another digital
signature algorithm based on discrete logarithm. This removes some shortcomings that
are in the ElGamal signature scheme. 47
Public Key Cryptosystems 8.2.3 Digital Signature Standard(DSS)
and Digital Signature
The Digital Signature Standard (DSS) or Digital Signature Algorithm (DSA) was
proposed by NIST (National Institute of Standards and Technology) in 1991 and was
adopted in 1994. NIST continues to release updates on the use of algorithm from time
to time. At the time of writing this Unit, the last released version of the algorithm is
Federal Information Processing Standards (FIPS) 186-4. [9]. This was released in July
2013. To keep the discussion simple, we discuss only a special case of the algorithm.
For a general version of the algorithm, you can refer to FIPS 186-4 which is available
for download from the NIST website.
We assume that we will be signing the hash of the message and that the hash function
we use produces an output of length 160 bits. To set up the signature scheme, Alice
does the following:
1) She chooses a prime q of size 160 bits, i.e. a prime q such that 2159 < q < 2160 .
She then chooses another prime p which is of size 1024 bits such that q | p − 1.
You can refer to [9] for the details regarding choice of primes.
2) She chooses a primitive root g (mod p) and sets α = g(p−1)/q (mod p). Then, α
has order q in Z∗p .
3) She chooses a secret value a and computes β = α a . She then makes the values
(p, q, α, β ) public.
As we did in RSA digital signature scheme, here also we will assume that Alice signs
the message rather than the hash of the message. Suppose she wants to sign a message.
She calculates the hash and gets 160-bit number M . She generates a signature for the
message as follows:
1) She chooses a secret value k such that 0 < k < q − 1 and finds r = α k (mod p)
(mod q).
The solution to Eqn. (13) is the signature s to the message. She sends (r, s) along with
the message to Bob.
1) Bob calculates the hash of the message using the same hash function used by
Alice and gets the value M .
Let us see how this proceduce works. Note that, from Eqn. (13), we get
48 or α ≡ α αs (mod p)
Reducing both sides (mod q), we get Digital Signatures
−1 −1
α k (mod p) (mod q) ≡ α s M α s ar (mod p) (mod q) (15)
Note that, in equation Eqn. (13) on the facing page, we do not directly reduce α k
(mod q) to get r. First, we reduce α k (mod p) and then reduce it mod q. So, we have
to proceed similarly when we calculate the RHS of equation Eqn. (15). Note that
α k ≡ r (mod p), so the value of the RHS in Eqn. (15) is r. On the other hand,
−1 r
(α a )s
−1 M −1 (M +ar) −1 M −1 r
α u1 β u2 = α s = αs ≡ αs βs (mod p)
As we have already seen, the value of LHS is r, so v = r. Let us now look at an example.
Example 16: To keep the example simple, instead of taking a 160 bit prime q, we will
suppose that Alice chooses q = 43 and p = 173. Then, she takes g = 2 and
She then chooses a = 7 and finds β = α a = 167 ≡ 6 (mod 173). She then publishes
(173, 43, 16, 6).
Suppose the hash of the message she wants to sign is 30. She chooses k = 9 and finds
r = α k = 169 ≡ 152 (mod 173) and 152 ≡ 23 (mod 43), so r = 23. She solves the
equation
9s ≡ 30 + 7 · 23 ≡ 19 (mod 43)
−1
for s. We have 9 = 24 in Z−1
43 . So,
s ≡ 19 · 24 ≡ 26 (mod 43)
Bob then calculates the hash of the message and finds M = 30. He finds that
−1
s−1 = 26 = 5 in Z43 . He then finds
Bob finds
∗∗∗
Here is an exercise for you to check your understanding of digital signature standard.
E4) a) Suppose Alice chooses p = 167, q = 83, g = 5 which is a primitive root (mod
p). She chooses α = g(p−1)/q = 5166/83 = 52 = 25. She chooses a = 8 and
gets β = 258 ≡ 144 (mod 167). Assume that she chooses k = 13 and the
hash of the message she wants to sign is 39. Find the signature of the
message if Alice Digital Signature Standard. 49
Public Key Cryptosystems b) Assume that Alice has published the values (p, q, α, β ) = (167, 83, 25, 144).
and Digital Signature
She sends a message to Bob along with the pair (r, s) = (31, 61) which was
created using Digital Signature Algorithm. Bob finds that the hash of the
message is 47. Explain how Bob will check whether the message has been
sent by Alice or not.
2) Unlike the Elgamal signature scheme, we can use the same r again. Suppose h1 is
the hash of the first message and h2 is the hash of the second message, both signed
with the same value of r. Suppose further, that the signature of the first message is
s1 and the signature of the second message is s2 . Then,
s1 k − h1 ≡ ar = s2 k − h2 (mod q)
for k. After solving (mod q) and Eve gets a value k0 (mod q). There are
2512−160 = 2342 numbers modulo p which reduce to k0 modulo q. Eve has to find
the value α i for each of these 2342 values of i and see which of these values gives r
(mod p) to find the value of k. This is computationally infeasible.
8.3 SUMMARY
4) how to sign a message using RSA algorithm and verify a signature created with
RSA algorithm;
5) how to sign a message using ElGamal algorithm and verify the signature created
using ElGamal algorithm;and
6) how to sign a message using Digital Signature Standard and verify the signature
created using Digital Signature Standard.
8.4 SOLUTIONS/ANSWERS
E1) a) She has to find dA (25) = 2535 (mod 221). Using repeated squaring
algorithm, we have the following:
Values at the end of iteration 1:
P = 25, b = 183, m = 17
50 P = 155, b = 118, m = 8
Values at the end of iteration 3: Digital Signatures
P = 155, b = 1, m = 4
P = 155, b = 1, m = 2
P = 155, b = 1, m = 1
P = 155, b = 1, m = 0
P = 82, b = 94, m = 5
P = 194, b = 217, m = 2
P = 194, b = 16, m = 1
P = 10, b = 35, m = 0
E2) i) We have
We have (66, 172) = 2 and 2 divides 10. So, we have to solve the congruence
We have (26, 172) = 2 and 2 divides 140. So, we have to solve the congruence
Solving, we get a = 12. so, the solution to Eqn. (17) are 12, 12 + 86 = 98.
We see that α 12 ≡ 84 (mod 173), so a = 12.
E4) a) We have r = α k = 2513 = 114 (mod 167) and 114 ≡ 31 (mod 83), so
r = 31. We have to solve the equation
x ≡ 32 · 38 ≡ 54 (mod 83).
52
UNIT 9 PRACTICAL GUIDE
Note: In all the sessions,the characters in all the texts used are in capitals and there are
no punctuation characters.
In some of the programmes, we ask you to read from files and write to files. Here is a
template that you can use in such programmes. This templates contain commands for
opening, reading, writing and closing files. You have to fill in the code for processing
the information.
1 /* Template for input, output*/
2 # i n c l u d e <stdio.h>
3 # i n c l u d e <stdlib.h>
4 # i n c l u d e <ctype.h>
5 # i n c l u d e <string.h>
6 v o i d decrypt_key( c h a r *input);
7 v o i d encry_decry(FILE *fp_in,FILE *fp_out, c h a r *key);
8 i n t main()
9 {
10 FILE *fp_in,*fp_out;
11 c h a r in_name[40],out_name[40],key[20];
12 printf("Enter an input file name-not more than twenty characters:\n");
13 scanf("%s",in_name);
14 getchar();
15 i f ((fp_in=fopen(in_name,"r+"))==NULL){
16 printf("Unable to open the file. Are you sure the file exists?\n");
17 printf("Bye!");
18 exit(1);
19 }/*endif*/
20 printf("Enter an output file name-not more that twenty characters:\n");
21 scanf("%s",out_name);
22 getchar();
23 i f ((fp_out=fopen(out_name,"w+"))==NULL){
24 printf("Unable to open the file. Bye!\n");
25 exit(1);
26 }/*endif*/
27 w h i l e ((ch=getc(fp_in))!=EOF){
28 /*Do whatever you want with the character*/
29 }/*end while*/
30 fclose(fp_in);
31 fclose(fp_out);
32 printf("Done!\n");
33 r e t u r n 0;
34 }/*end main*/
Session 1
Program 1
Write a C programme that reads a text file, and writes a text file in which
Here is a version without file input output. Modify it so that it reads the input from a
file and writes the output to another file. Also, modify it so that it prompts for the
number of characters in each block and the number of characters in each line.
1 /*Programme to convert a text file
2 in such a way that each line contains 30 characters
3 and the text is divided into blocks of five.*/
4 # i n c l u d e <stdio.h>
5 # d e f i n e MAX_STRING 100
6 i n t main()
7 {
8 i n t i=0,j=0,k=0;
9 c h a r s[MAX_STRING];
10 printf("Enter the string that you want to convert.\n:");
11 printf("Length should be not greater than 50.\n");
12 gets(s);
13 w h i l e (s[k] !=’\0’){
14 i f (isalpha(s[k])){
15 s[k]=toupper(s[k]);
16 printf("%c",s[k]);
17 i++;
18 j++;
19 i f (i==5){
20 printf(" ");/*Print a space after
21 printing 5 characters*/
22 i=0;/*Initialise i to 0*/
23 }
24 i f (j==30){
25 printf("\n");/*After printing 30
26 characters, print a new line character."
27 j=i=0;/*Initialise i and j to 0.*/
28 }
29 }
30 k++;
31 }
32 r e t u r n 0;
33 }
Program 2
Write a programme that encrypts(and therefore decrypts) text using an affine cipher. It
should prompt for the values of a and b and use the values to encrypt/decrypt from the
text in a file. It should give an error message if a is not co-prime to 26. You can use the
following programme as a starting point and modify it suitably if you like.
1 /* Programme for affine cipher*/
2 /*The programme assumes that the
3 input file contains only upper case characters
4 and spaces*/
5 # i n c l u d e <stdio.h>
6 # d e f i n e MAX_SIZE 50
7 i n t check( i n t a);
8 v o i d encry_decry( c h a r s[], i n t a, i n t b);
9 i n t inverse( i n t a);
10 i n t main()
11 {
54 12 i n t a,b,c,ch,resp;
13 c h a r s[MAX_SIZE]; Digital Signatures
14 printf("Enter the text. Not longer than 50...\n");
15 gets(s);
16 printf("What do you want to do?\n");
17 printf("Enter 1 if you want to encrypt.\n");
18 printf("Enter 2 if you want to decrypt.\n");
19 scanf("%d",&resp);
20 getchar();
21 printf("Enter the value of a:\n");
22 printf("It should be relative prime to 26.\n");
23 scanf("%d",&a);
24 getchar();
25 i f (check(a)){
26 printf("a is not coprime to 26! Exiting.\n");
27 r e t u r n (1);
28 }
29 printf("Enter the value of b:\n");
30 scanf("%d",&b);
31 i f (b < 0){
32 printf("b cannot be negative! Exiting.\n");
33 r e t u r n (1);
34 }
35 s w i t c h (resp){
36 case 1:
37 encry_decry(s,a,b);
38 break;
39 case 2:
40 c=inverse(a);
41 b=(-b*c)%26;
42 w h i l e (b<0){/*Make sure that the value of b is +ve*/
43 b=b+26;
44 };
45 encry_decry(s,c,b);
46 break;
47 }
48 r e t u r n 0;
49 }
50 i n t check( i n t a)
51 {
52 i f ((a % 2 == 0)||(a % 13==0)){
53 r e t u r n 1;
54 }
55 else{
56 r e t u r n 0;
57 }
58 }
59 v o i d encry_decry( c h a r s[], i n t a, i n t b)
60 {
61 c h a r ch;
62 w h i l e (*s!=’\0’){
63 ch=*s;
64 i f (isalpha(ch)){
65 ch=ch-’A’;
66 ch=(a*ch+b)%26;
67 ch=ch+’A’;
68 printf("%c",ch);
69 }
70 else{
71 printf("%c",ch);
72 }
73 s++;
74 }
55
Public Key Cryptosystems 75 return;
and Digital Signature 76 }
77 i n t inverse( i n t a)
78 /*Find inverse by brute force*/
79 {
80 i n t i=1;
81 w h i l e ((i*a)%26!=1)
82 i++;
83 r e t u r n (i);
84 }
Use it to decrypt the following text which was encrypted with a = 7, b = 14.
Program 3
The following text was encrypted using a shift cipher.
Write a program that gives the outputs for all the 26 different keys and hence decrypt
the text.
Session 2
Program 1
Write a program that reads from file, encrypts or decrypts the text using Vigenere
cipher and writes the output to another output file specified. Use it to decrypt the
following text that was encrypted using the key ‘SUCCESS’.
Program 2
Write a program that reads a text file in which all the punctuation characters are
removed and all the characters are in upper case and gives the frequency of each of the
26 characters. For example, if the input text is
A B C D E F G H I J K L M
0.0286 0.0000 0.0000 0.0857 0.1143 0.0000 0.0286 0.1143 0.1143 0.0000 0.0000 0.0571 0.0000
N O P Q R S T U V W X Y Z
0.0857 0.0571 0.0286 0.0000 0.0571 0.0571 0.0571 0.0286 0.0000 0.0857 0.0000 0.0000 0.0000
Find the frequency of the letters in the following text encrypted using an affine cipher.
Session 3
For many of the practical sessions, we will use GP. So, in this session, you will explore
GP and familiarise yourself with the basic features of the package. This package is
available under GPL(General Public Licence) from
http://pari.math.u-bordeaux.fr/download.html. Download
Pari-2.3.3 which is the stable version. The windows version from
http://pari.math.u-bordeaux.fr/pub/pari/windows/Pari-2-3-4.exe.
Download the file and double click on the file to install the programme. During the
installation, opt for a shortcut on the desktop. The installer does this by default, so just
accept all the defaults that the installer offers. You can start GP by double clicking on
the icon on the desktop. You will get a window that looks like this: Note the question
mark in the last line. This is the prompt and you have to type your commands there.
The most important command you have to know is the command to quit!. Type \q to
quit the program now. Restart the programme by double clicking on the short cut.
We will first give a short guided tour of gp. Many software packages offer help. Some
help is available in gp also. The user manual and a tutorial are available in PDF format
in the directory c:\ProgrammeFiles\PARI\doc and you can view them using
acrobat reader. There is also some online help. Let us see how to access it. Type a
question mark ? at the command line. You will get the following output.
? ?
Also:
?\(keyboard shortcuts)
?. (member functions)
Let us see what are the number theoretic functions provided by gp. For this we type ?4
at the commandline. You will get the following output.
? ?4
The function gcd looks familiar. Is it the usual gcd function?. Let us type ?gcd to
confirm our guess.
? ?gcd
gcd(x,{y}): greatest common divisor of x and y.
So, our guess is correct. We will come back to these number theoretic functions a little
later. There are a few more basic commands that we have to pick up before we look at
them.
Before we move on to other topics, there is one useful command you should know, the
command \l. It enables a log file. All the computations you do while the log file is
enabled is saved to a file called pari.gp by default. If you want to use a different file
name, say mysession.gp, give it as an argument.
\l mysession.gp
? \l mysession.gp
logfile = "mysession.gp"
log = 1 (on)
\l session3.gp
Save a record of the sessions, record your calculations and show it to your practical
counsellor. Also, add a printout of the session to your practical file.
The GP/Pari package has the four basic operations represented by the four operators
‘+’,‘-’,‘∗’ and ‘/’. Let us first explore these three operations first. Type 2+2 at the
command prompt. The following is what you will see.
? 2+2
%1 = 4
?
It prints the answer 4. Note the %1 at the beginning line. GP numbers the output serially
as %1, %2 etc. You can use the output in the later commands. Try typing %1*%1.
? %1*%1
%2 = 16 61
Public Key Cryptosystems Incidentally, we have also introduced the multiplication operator ∗. There is also a
and Digital Signature
power operator.
? 2^4
%3 = 16
All these are available in calculators are also, so what is special about gp? To begin
with, it lets you do modular arithmetic. For example, let us look at 2 mod 21. We enter
2 mod 21 as follows:
? Mod(2,21)
%4 = Mod(2, 21)
We can add and multiply mod 21. Let us multiply 5 mod 21 and 2 mod 21.
? Mod(2,21)*Mod(5,21)
%5 = Mod(10, 21)
? Mod(5,21)^2
%6 = Mod(4, 21)
Now let us see if the inverse operation works for integer mod also.
? Mod(2,21)^-1
%7 = Mod(11, 21)
? Mod(2,21)*Mod(11,21)
%8 = Mod(1, 21)
So, the inverse operator works in modular arithmetic. Let us now try Mod(3,21)^-1.
We know that it doesn’t exist because 3 is not relatively prime to 21.
? Mod(3,21)^-1
*** impossible inverse modulo: Mod(3, 21).
So, gp knows this too! Here are some exercises for you to try out. Type the following
commands on the command line in the order we have given below and try to understand
what they do.
The following points are worth noting while you do the above exercise:
√
1) The symbol I is used for −1.
2) \Pi prints the value of π using the current precision which is 28 digits.
The package can work with polynomials also. Try the following commands:
1) x^2+1-(2*x^2+2) 2) (x-1)*(x^2+x+1) 3) (x^3-1)/(x-1)
4) (x^3-1)% (x-1) 5) (x^3+x^2+1)/(x^2+1)
The gp package can factorise, even modulo an integer. Let us check out the capabilities
in this direction. We know that (x − 1)2 = x2 − 2x + 1, so let us ask gp to factorise
x2 − 2x + 1.
? factor(x^2-2*x+1)
%28 =
[x - 1 2]
Note that this output means that x − 1 is a factor and it occurs twice. We know that
x3 − 2x2 + 2x + 2 is irreducible by Eisenstein’s criterion. Let us check this out.
? factor(x^3-2*x^2+2*x+2)
%29 =
? factormod(x^3-2*x^2+2*x+2,7)
%30 =
Another useful fact is that the gcd function works for polynomials and for polynomials
with coefficients in Zp . Let us explore this now. Let us first store the factors we found.
This is possible because gp outputs the answer in the form of a matrix. In this case the
answer is a 2 × 2 matrix with the factors given in the first column. Note that, if a is any
matrix object in gp, a[i,j] is the element in the ith row and jth column as we would
expect.
? ans=%30
%31 =
? f1=ans[1,1]
? gcd(f1,f2)
%35 = 1
So, the two factors do not have any non trivial common factor! We knew this because
f2 is irreducible.
Let us now conclude with a brief discussion on using matrices in gp. Let us first see
how to enter a matrix in gp.
? m=[1,3;2,7]
%38 =
[1 3]
[2 7]
Note that rows are separated by a semi-colon and the entries in a row are separated by a
comma. Here is how we find the transpose of a matrix:
? m~
%39 =
[1 2]
[3 7]
? m^-1
%40 =
[7 -3]
[-2 1]
? m*m^-1
%41 =
[1 0]
[0 1]
Let us now see how to find the determinant and the character polynomial of a matrix.
? matdet(m)
%40 = 1
? charpoly(m)
64 ? m1=[Mod(1,11),Mod(3,11);Mod(2,11),Mod(7,11)]
%42 = Digital Signatures
? matdet(m1)
? charpoly(m1)
2 4 7
3 2 1 ∈ GL2 (Z11 )
2 1 6
2) Find all the irreducible polynomials of degree 9 over Z2 .(Hint: They are all the
factors of a single polynomial.)
Session 4
We hope you are convinced that gp is more than a calculator. In fact, it can even use
variables, and has decision structures and control structures. Let us look at a few
examples. Start gp and activate the log file by typing
\l session4.gp
?f(p)=a=1;while(a,b=Mod(random()%p,p);a=issquare(b));print(lift(b))
Let us try and understand this program. The first thing that may strike you is that we
have not declared any variables or functions in the program. You can start using a
variable right away. Here, the backbone is the while() loop. Let us type ?while to
get a short summary of the usage of while().
? ?while
Otherwise 0.
So, this is similar to the C language. But, note the difference also. The instructions that
have to be repeated when the conditions are true has to be within the round brackets
after while, separated by a comma. In fact, we will see that this is a common feature
of all loop constructs in gp. Also, note that the instructions that appear after the comma
are separated by a semi-colon.
The command random() returns a (pseudo)random number between 1 and 231 . The
command random()%p gives the remainder on division of the random number
returned by the chosen prime p. So, the instruction b=Mod(random()%p,p); finds
a random number between 0 and p, creates the residue class of that number mod p. The 65
Public Key Cryptosystems command issquare(b) checks whether b is a square modulo p or not. If b is a
and Digital Signature
square mod p, it returns the value 1; otherwise, it returns the value 0. The value
returned is stored in a, so the while end loop is repeated till a non-residue mod p is
found. The function lift(a), if a is a residue mod of the form Mod(x,n), returns
an integer in the range [0, n − 1] that is in the same residue class mod n as x. Type the
commands s=Mod(18,7) followed by t=lift(s) to convince yourself.
Let us now write our own function that tells whether a is a residue mod p or not, where
p is a prime. First, we write a function that stores all the squares in a set first. Here is
how we create and store all the squares mod 97.
? v=vector(96,i,Mod(i,97)^2);
Note the semicolon at the end. This means that we are asking gp to perform the
calculation and store in v, but not to print the answer. The output is too long with 96
elements in it and we do not want it to be printed.
But, there are only 48 squares, so how come the list has 96 elements? The point is
a2 ≡ (97 − a)2 (mod 97), so a2 will be stored twice. We can remove the duplicates by
converting v into a set. Let us do this now.
w=Set(v);
Once again, we suppress the output by using a semi-colon. We can check that
everything is all right by finding the length of w.
? length(w)
How to check whether something is a square or not using w? For example, let us check
if Mod(6,97) is a square or not.
? setsearch(w,Mod(6,97))
%72 = 26
So, gp is telling us that Mod(6,26) is the 26th element in the list w. We now have all
the pieces necessary for the programme. Let us now write the general function.
?
Issquare(a,p)=w=Set(vector(p-1,i,Mod(i,p)^2));if(setsearch(w,a),1,0)
First of all, note that the first letter of the function name is in capitals. This is to
differentiate the function from the function issquare that already exists in gp.
The new element in the program is the if statement. Let us understand what it does.
Let us type
? ?if
The output is
The command setsearch(w,a) returns the position of a in the list if it is there, i.e.
if a is a square. In this case, the if statement returns the value 1. If a is not in w, then
setsearch(w,a) returns the value 0 and so the if statement returns the value 0.
So, our function Issquare returns the value 1 if a is a square mod p and it returns 0
66 if it is not a square mod p.
Let us look at some more examples of control structures. Let us now write a Digital Signatures
programme that encrypts a text string using affine cipher.
As before, we will first assemble the various parts of our programme. We will try out
each of the parts in the task of encrypting the string “ABC” using the keys a = 3, b = 4.
The first one is the function Vecsmall which converts a string into a array of numbers
with each entry in the array containing the ASCII value of a character in the string. For
example, let us see what happens when we convert the string ABC to a vector of
integers.
? v=Vecsmall("ABC")
? v[1]
%18 = 65
If you refer to the ASCII table given in the first block of the C programming course,
you will find that the ASCII value of A is 65, B is 66 and C is 67. As you know, the
characters A—Z are indexed from 65 to 90. Later, we will re-index the characters from
0 to 26. Since we have to loop over the length of v, we have to find the length v and
store it in a variable.
? l=length(v)
%20 = 3
Unfortunately, v is of type t_VECSMALL and it can’t store residue classes. So, we will
now create another general list and transfer the values. While doing so, we will also
re-index the characters from 0 to 26.
? u=vector(l,i,0)
%21 = [0, 0, 0]
? for(i=1,l,u[i]=v[i]-65)
Next, we replace the ith entry of u with its residue class mod 26 and then carry out the
encryption.
? for(i=1,l,u[i]=Mod(u[i],26);u[i]=3*u[i]+4)
? u
? for(i=1,l,u[i]=lift(u[i]))
? u
We then convert back ASCII by adding 65, the ASCII code of A, to all the entries.
? for(i=1,l,u[i]=u[i]+65)
? u
%25 = "EHK"
f(a,b,c)=local(v,w,u,l);
v=Vecsmall(a);
l=length(v);
w=vector(l,i,0);
for(i=1,l,w[i]=v[i]-65);\\Subtract 65.
for(i=1,l,
w[i]=b*w[i]+c;\\Encrypt.
\\class to integer
return(u);
Here the double backslashes \\ are used for inserting comments in the program. The
source of the function is in a file called affine.gp. Read the file with the command
\r affine.gp
Use the function f to decrypt the following ciphertexts encrypted using affine cipher.
Write a loop that prints all the possible decryptions of the given texts and find out
which is the correct one.
1) "HYYRXPZYY" 2) PEEPHBPEQPFC
3) "AYMLYVKOSCXYLYVBTYY"
Write a function in gp that carries out encryption using the Vigenere cipher. Use it to
encrypt the following texts.
1) ATHINGOFBEAUTYISAJOYFOREVER using KEATS as the key.
2) FORTHEFOOLSRUSHINWHEREANGELSFFEARTOTREAD using POPE as the
key.
Write a function in gp that carries out decryption using the Vigenere cipher. Use it to
68 decrypt the following text.
1) NETKKAFCYMBFEMNEIQUNXRXWLBUNOFULUOCZMYUSXKFIZUSGBBJT Digital Signatures
using the key MARKTWAIN.
2) QQVRECDWQDGVDMAZVLPCXZVWGWPCAWXIHUNITRYJVETOSUOEEMMK
using the key BIERCE.
Session 5
Write programs in gp for the following:
1) Miller-Rabin test.
2) Finding a random irreducible polynomial of degree 20 over Z7 .
3) AKS algorithm for testing primality.
Session 6
Suppose, we use a recurrence relation
is the nth state vector. Then, Sn describes the contents of the cells xm , xm+1 , . . .,
xm+k−1 after n clock cycles. Thus, S0 describes the initial state and is called the initial
state vector. The nth state vector and the n + 1th state vector are related by relation
0 0 0 . . . 0 a0
1 0 0 . . . 0 a1
sn+1 = sn 0 1 0 . . . 0 a2
(2)
. . . . . ..
.. .. .. .. .. .
0 0 0 . . . 1 ak−1
Use this to write a function in C that simulates a LFSR. It should take an initial state
vector (x1 , x2 , . . . , xk ) and the coefficients a0 , a2 , . . ., ak−1 of the polynomial
p(x) = xk + ak−1 xk−1 + · · · + a1 x + a0 and number of terms ` of the Pseudo-Random Bit
Sequence as input and output ` terms of the Pseudo-Random Bit Sequence generated
by the LFSR given by the polynomial p(x) as output.
Session 7
In this session, we discuss RSA cryptosystem. We first discuss prime generation. Here
is a gp script that generates a 64 bit prime:
mrandomprime={
local(i,j,k,v,number);
number=0;
while(!isprime(number),
number=0;
v=vector(64);
v[1]=v[64]=1;
for(i=2,63,v[i]=random()%2);
for(i=1,64,j=i-1;number+=v[i]*2^j);
);
return(number);
}
This script implements the method discussed in page 10 of Block 3 for generating a
k-bit prime. 69
Public Key Cryptosystems
and Digital Signature
E5) Modify the script so that it takes the number of bits as an argument and returns a
prime of the required size. For example, mrandomprime(512) should return a
512 bit prime.
H E L L O H O W A R E Y O U
8 5 12 12 15 8 15 23 1 18 5 25 15 21
Table 2: Numerical values
Now, we convert the text into a number. The numerical value of the message is
Here are gp scripts for converting a text to number and number to text:
text2num(a)={local(integer,i,j,l,t);
integer=0;
t=Vecsmall(a);
l=length(t);
for(i=1,l,j=i-1;integer+=(t[i]-64)*27^j);
return(integer);
}
num2text(n)={
local(w,a,b,c);
a=n;
w=[];
while(a,b=a%27;c=b+64;w=concat(w,[c]);print(w);a=(a-b)\27);
return(Strchr(w));
}
Save the scripts in a file and load the file into GP. The command
text2num("HELLOHOWAREYOU") returns the value 87495221502384554951. The
command num2text(87495221502384554951) returns the text
"HELLOHOWAREYOU".
? e=65537;d=50962936505884432853;n=87495296950731677369;
? text2num("HELLOHOWAREYOU")
%35 = 87495221502384554951
? Mod(%,n)^e
%36 = Mod(59907042726193783589, 87495296950731677369)
? num2text(lift(%))
70 %37 = "ECXYGYZGTQLCUN"
Now, continue and decrypt the text "ECXYGYZGTQLCUN" as follows: Digital Signatures
? text2num(%)
%38 = 59907042726193783589
? Mod(%,n)^d
%39 = Mod(87495221502384554951, 87495296950731677369)
? num2text(lift(%))
%40 = "HELLOHOWAREYOU"
?
∗∗∗
E6) Write a gp script for converting a text string into a number as above and a gp
script for converting a number back to text that accepts any radix instead of 27.
The function should take the radix also as an argument.
Session 8
Use Fermat factorisation algorithm in GP to factor
n = 100416730655787958391455215892041411419.
7x ≡ 13 (mod 52489).
71
Bibliography
[3] D. Davis, “Defective sign & encrypt in s/mime, PKCS#7, MOSS, PEM, PGP, and
XML,” in Proceedings of the General Track: 2002 USENIX Annual Technical
Conference. Berkeley, CA, USA: USENIX Association, 2001, pp. 65–78.
[Online]. Available: http://dl.acm.org/citation.cfm?id=647055.715781
[7] A. Lenstra and H. Lenstra, The Development of the Number Field Sieve, ser.
Lecture Notes in Mathematics. Springer, 1993.
[8] G. L. Miller, “Riemann’s hypothesis and tests for primality,” JCSS, vol. 13, no. 3,
pp. 300–317, 1976.
[11] C. Pomerance, “A tale of two sieves,” Notices Amer. Math. Soc, vol. 43, pp.
1473–1485, 1996.
[12] R. Rivest and R. Silverman, “Are ‘Strong’ Primes Needed for RSA?” Cryptology
ePrint Archive, Report 2001/007, 2001, http://eprint.iacr.org/.
deciphering transformation, 6
Diffie-Hellman, 6
Diffie-Hellman key exchange, 13
Digial signature standard, 50
Digital Signature
arbitrated, 39
Definition of, 39
direct, 39
Digital signature standard, 48
Discrete Logarithm, 13
factor base, 20
Fermat factorisation method, 20
Pohlig-Hellman algorithm, 24
Pollard’s p − 1 algorithm, 19
primitive root, 16
public key cryptosystem, 6
definition of, 6