C4-Public Key Cipher

The document discusses public key cryptography and the RSA algorithm. It explains the key concepts of public and private key pairs, how the RSA algorithm generates these key pairs using large prime numbers, and how RSA encryption and decryption works using modular exponentiation and inverses.

Uploaded by minh

Public key cryptography (asymmetric cryptography)

Review

- Secret-key cryptography (symmetric cryptography)
  - Shift cipher, substitution cipher, Vigenère cipher, DES
  - Use the same key for both encryption and decryption ($Z = Z'$)
  - Key must be kept secret
  - Weakness
    - Managing and distributing shared secret keys is very difficult in a model environment with too many parties and relationships
    - $n$ parties ⇒ $n(n-1)/2$ relationships ⇒ each manages $(n-1)$ keys
    - No way for digital signatures
      - No non-repudiation service

Diffie-Hellman new ideas for PKC

- In principle, a PK cryptosystem is designed for a single user, not for a pair of communicating users
  - More uses other than just encryption
- Proposed in Diffie and Hellman (1976), “New Directions in Cryptography”
  - public-key encryption schemes
  - public key distribution systems
    - Diffie-Hellman key agreement protocol
  - digital signature

Diffie-Hellman’s proposal

- Each user creates 2 keys: a secret (private) key and a public key → published for everyone to know
  - The PK is for encryption and the SK for decryption: $X = D(z, E(Z, X))$
  - The SK is for creating signatures and the PK for verifying these signatures: $X = E(Z, D(z, X))$ → $D()$ for creating signatures, $E()$ for verifying
- Also called asymmetric key cryptosystems
  - Knowing the public key and the cipher, it is computationally infeasible to compute the private key

Principles for creating a PKC

- A PKC can be created based on a one-way function, which satisfies the following properties
  - for all $X$, it is easy to compute $Y = f(X)$
  - but it is almost computationally impossible to inversely determine $X$ given $Y$
    - given $Y$, it is almost computationally impossible to compute $f^{-1}(X)$
- Example: let $p_1, p_2, \dots, p_k$ be primes →
  - it is easy to compute $n = p_1 \times p_2 \times \dots \times p_k$
  - but, given $n$, it is difficult to factorize $n$ into the product $p_1 \times p_2 \times \dots \times p_k$
- To build a PKC → we need a special one-way function, which has a so-called trap-door
  - if someone knows the trap-door, they can easily determine $X$ given $f(X)$
  - otherwise, it is impossible to determine $X$ from $f(X)$
- How to build a PKC from a one-way function with a trap-door?
  - the encoding function $E_z$ is the one-way function with the trap-door
  - the trap-door is the secret key
  - if one has the secret key → one can decrypt the ciphertext

PKC based on the Knapsack problem

- In 1978, Merkle – Hellman proposed a PKC based on the knapsack problem as follows
- Knapsack problem:
  - given a set of $a_i$, $1 \le i \le n$, and a positive number $T$
  - find the indices $S \subset \{1, 2, \dots, n\}$ such that $\sum_{i \in S} a_i = T$
  → this is a one-way function
- for the inverse problem, we need to perform the brute-force with the complexity of exponentiation of
- ex: $(a_1, a_2, a_3, a_4) = (2, 3, 5, 7)$ and $T = 7$
  → we have two solutions $S = (1, 3)$ and $S = (4)$

Van K Nguyen -- Dai hoc Bach khoa Ha noi

Merkle – Hellman PKC

- What if the $a_i$ satisfy the so-called super-increasing property?
  - $a_{i+1} > a_1 + \dots + a_i$
- → the inverse problem can be easily done
  ex: $a = (1, 2, 4, 8)$, $T = 11$, $T_0 = T$
  - $X_4 = 1$, $T_1 = T_0 - 8 = 3$ ⇒ $(X_1\ X_2\ X_3\ 1)$
  - $X_3 = 0$, $T_2 = T_1 = 3$ ⇒ $(X_1\ X_2\ 0\ 1)$
  - $X_2 = 1$, $T_3 = T_2 - 2 = 1$ ⇒ $(X_1\ 1\ 0\ 1)$
  - $X_1 = 1$ ⇒ $(1\ 1\ 0\ 1)$

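- $a_1 < a_2 < \dots < a_n$
- $a_i > a_{i-1} + \dots + a_1$
- $T = \sum a_{i_1} + a_{i_2} + \dots + a_{i_k}$
- $a_{i_1}$ such that $a_{i_1} < T < a_{i_1+1}$
- $T = a_{i_1} + (T - a_{i_1})$
- $T = a_i + \dots$
- $a_{i_2} < T - a_{i_1} < a_{i_2+1}$
- $a_1 < a_2 < \dots < a_{i_2} < a_{i_2+1} < \dots < a_{i_1} < \dots$
- $T = a_{i_1} + a_{i_2} + \dots$
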
Merkle – Hellman PKC

- Idea of the Merkle-Hellman PKC
  - Choose a so-called cargo vector $a = (a_1, a_2, \dots, a_n)$
  - encryption
    - for a plaintext $X = (X_1, X_2, X_3, \dots, X_n)$ → encrypt by $T = \sum a_i X_i$ (*)
  - decryption
    - for a ciphertext $T$ and the cargo vector $a$, determine the $X_i$ satisfying (*)
- → decryption is a one-way function ⇒ we need to design a trap-door

Merkle – Hellman PKC
How to hide the trap-door

- Key generation:
  - Alice chooses a super-increasing vector $a' = (a_1', a_2', \dots, a_n')$; $a'$ is kept as a part of the secret key
  - Alice chooses
    - $m > \sum a_i'$, called the congruence modulus
    - a random integer $w$, called the multiplier, which is co-prime with $m$
  - the public key is $a = a' \cdot w$: $a = (a_1, a_2, \dots, a_n)$, with $a_i = w \times a_i' \pmod m$, $i = 1, 2, 3, \dots, n$
  - secret key: $(a', m, w)$

Merkle – Hellman PKC
Details

- Encryption:
  - When Bob wants to send a message $X$ to Alice, he encrypts $X$: $T = \sum a_i X_i$
- Decryption:
  - When Alice receives $T$, she decrypts as follows: she first calculates $w^{-1}$ satisfying $w \times w^{-1} \equiv 1 \pmod m$, then determines $T' = T \times w^{-1} \pmod m$
  - Alice knows that $T' = a' \cdot X$, and because $a'$ is a super-increasing vector, Alice can determine $X$ given $T'$ and $a'$
- Note
  $T' = T \times w^{-1} = \sum a_i X_i w^{-1} = \sum a_i' w X_i w^{-1} = \sum (a_i' w w^{-1}) X_i = \sum a_i' X_i = a' \cdot X$

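The key generation, encryption and decryption steps above, as an added Python example that is not part of the original slides. The secret vector is the slides' $a' = (1, 2, 4, 8)$; the modulus $m = 17$, the multiplier $w = 5$ and all function names are assumptions made for this example.

```python
from math import gcd

def keygen(a_priv, m, w):
    """Public cargo vector a_i = w * a'_i mod m from the secret (a', m, w)."""
    total = 0
    for x in a_priv:                  # super-increasing: each term exceeds the sum so far
        if x <= total:
            raise ValueError("a' is not super-increasing")
        total += x
    if m <= total or gcd(w, m) != 1:
        raise ValueError("need m > sum(a') and gcd(w, m) = 1")
    return [(w * x) % m for x in a_priv]

def encrypt(a_pub, bits):
    """T = sum of a_i * X_i over the public vector."""
    return sum(a * x for a, x in zip(a_pub, bits))

def solve_superincreasing(a_priv, t):
    """Greedy solve from the largest element down, as in the T = 11 walk-through."""
    bits = [0] * len(a_priv)
    for i in range(len(a_priv) - 1, -1, -1):
        if a_priv[i] <= t:
            bits[i] = 1
            t -= a_priv[i]
    if t != 0:
        raise ValueError("no subset of a' sums to T'")
    return bits

def decrypt(a_priv, m, w, t):
    """T' = T * w^-1 mod m, then solve the easy knapsack over a'."""
    w_inv = pow(w, -1, m)             # modular inverse, Python 3.8+
    return solve_superincreasing(a_priv, (t * w_inv) % m)

# Constructed parameters: m and w are assumptions, not values from the slides.
# Teaching sizes only; the basic Merkle-Hellman scheme was broken by Shamir.
A_PRIV, M, W = [1, 2, 4, 8], 17, 5
A_PUB = keygen(A_PRIV, M, W)          # public key published by Alice
```

Decryption is exact because $m > \sum a_i'$, so reducing $T'$ modulo $m$ does not change the sum $\sum a_i' X_i$.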
RSA Algorithm

- Invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman
  - Published as R. L. Rivest, A. Shamir, L. Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978
  - Security relies on the difficulty of factoring large composite numbers

Main idea

- Encryption and decryption functions are modular exponentiations in the field $Z_n = \{0, 1, 2, \dots, n-1\}$
  - Encryption: $Y \equiv X^e \pmod n$
  - Decryption: $X \equiv Y^d \pmod n$
  - The clue is that $e$ and $d$ must be selected such that
    - $X^{ed} \equiv X \pmod n$

Main idea

- Euler's theorem: $X^{\varphi(n)} \equiv 1 \pmod n$
  - $\varphi(n)$: the number of $k$ with $0 < k < n$ and $\gcd(k, n) = 1$
  - If $n = p \times q$ ($p$, $q$ are primes) → $\varphi(n) = (p-1)(q-1)$
- First choose $e$, then compute $d$ s.t. $ed \equiv 1 \pmod{\varphi(n)}$
  - $d \equiv e^{-1} \pmod{\varphi(n)}$
  - $X^{ed} \equiv X^{k\varphi(n)+1} \equiv (X^{\varphi(n)})^k \times X \equiv X \pmod n$
- Note this works because we know $n$'s factorization
  - From $e$ we compute $d \equiv e^{-1} \bmod \varphi(n)$ since we know $\varphi(n)$; otherwise it is computationally infeasible to compute $d$ s.t. $X^{ed} \equiv X \bmod n$

RSA public key cryptography

- Key generation:
  - Select 2 large prime numbers of about the same size, $p$, $q$
  - Compute $n = pq$ and $\varphi(n) = (q-1)(p-1)$
  - Select a random integer $e$, $1 < e < \varphi(n)$, s.t. $\gcd(e, \varphi(n)) = 1$
  - Compute $d$, $1 < d < \varphi(n)$, s.t. $ed \equiv 1 \pmod{\varphi(n)}$
  - Public key: $(e, n)$ and private key: $d$
- Note: $p$ and $q$ must remain secret

RSA public key cryptography

- Encryption
  - Given a message $M$, $0 < M < n$
  - Use the public key $(e, n)$ to compute: $C = M^e \pmod n$
- Decryption
  - Given a ciphertext $C$, use the private key $(d)$ and compute:
    - $M = C^d \pmod n$
- Why does it work?
  - $C^d \bmod n \equiv M^{ed} \pmod n \equiv M \pmod n$

Example

- Parameters:
  - Select $p = 11$ and $q = 13$
  - $n = 11 \times 13 = 143$; $m = (p-1)(q-1) = 10 \times 12 = 120$
  - Choose $e = 37$ ⇒ $\gcd(37, 120) = 1$
  - Find $d$ such that $e \times d \equiv 1 \pmod{120}$ ⇒ $d = 13$ ($e \times d = 481$)
- To encrypt a binary string
  - Split it into segments of $u$ bits, $2^u \le 142$ ⇒ $u = 7$
    - each segment represents a number from 1 to 127
  - Compute $Y = X^e \pmod n$
    E.g.: for $X = (0000010) = 2$, we have $Y \equiv X^{37} \equiv 12 \pmod{143}$ → $Y = (00001100)$
- Decryption: $X \equiv 12^{13} \bmod 143 = 2$ → $X = 00000010$

RSA implementation

- $n$, $p$, $q$
  - The security of RSA depends on how large $n$ is, which is often measured in the number of bits of $n$. Current recommendation is 1024 bits for $n$.
  - $p$ and $q$ should have the same bit length, so for 1024-bit RSA, $p$ and $q$ should be about 512 bits.
  - $p - q$ should not be small
  - Way to select $p$ and $q$
    - In general, select large numbers (some special forms), then test for primality
    - Many implementations use the Rabin-Miller test (a probabilistic test)

Modular multiplicative inverse

- Bézout's lemma:
  - Let $a$ and $b$ be integers with greatest common divisor $d$. Then there exist integers $x$ and $y$ such that $ax + by = d$. More generally, the integers of the form $ax + by$ are exactly the multiples of $d$
- Diophantine equation: $ax + by = c$
  - This equation has a solution if and only if $\gcd(a, b) \mid c$
- If $1 = \gcd(e, n)$ → $1 = xe + yn$ → $xe \equiv 1 \pmod n$ → $x \equiv e^{-1} \pmod n$

Modular multiplicative inverse

- Euclidean algorithm for determining $\gcd(r_0, r_1)$
  - It can be proved that $\gcd(r_0, r_1) = \gcd(r_1, r_2) = \dots = \gcd(r_{m-1}, r_m) = r_m$

Modular multiplicative inverse

- Example
  - Determine $\gcd(252, 198)$

    252 = 198 × 1 + 54
    198 = 54 × 3 + 36
    54 = 36 × 1 + 18
    36 = 18 × 2 + 0

    gcd(252, 198) = 18

Modular multiplicative inverse

- Example
  - Solve: $252x + 198y = 18$

    Euclidean steps:
    252 = 198 × 1 + 54
    198 = 54 × 3 + 36
    54 = 36 × 1 + 18
    36 = 18 × 2 + 0

    Back-substitution:
    18 = 54 − 36
    18 = 54 − (198 − 54 × 3)
    18 = 54 × 4 − 198
    18 = (252 − 198) × 4 − 198
    18 = 252 − 198 × 5

    (x, y) = (1, −5)

Modular multiplicative inverse

- Example
  - Determine $28^{-1} \bmod 75$
  - This corresponds to solving the equation $28x + 75y = 1$

    Euclidean steps:
    75 = 28 × 2 + 19
    28 = 19 × 1 + 9
    19 = 9 × 2 + 1

    Back-substitution:
    1 = 19 − 9 × 2
    1 = 19 − (28 − 19 × 1) × 2 = −28 × 2 + 19 × 3
    1 = −28 × 2 + (75 − 28 × 2) × 3 = 75 × 3 − 28 × 8

    $28^{-1} \bmod 75 = -8 \bmod 75 = 75 - 8 = 67$

Modular exponentiation

- Compute $x^a \pmod n$
- Naïve method:
  - $x^a \bmod n = (x \bmod n) \times (x \bmod n) \times \dots \times (x \bmod n)$
  - → repeating modular multiplication $a$ times
- Square and multiply algorithm

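Square and multiply algorithm

- Representing $a$ in binary notation: $a = \sum_{i=0}^{l} a_i 2^i$

  $z \leftarrow 1$
  For $i = l$ down to 0
      $z \leftarrow z^2 \bmod n$
      if $a_i = 1$ then
          $z \leftarrow z \times x \bmod n$
      end if
  End for
  Return $z$

E.g. Compute $x^{19} \bmod n$
  $19 = 16 + 2 + 1 = 2^4 + 2^1 + 2^0 = 10011$
  $z \leftarrow 1$
  $i = 4$: $a_4 = 1$; $z \leftarrow z^2 \times x \equiv 1^2 \times x \equiv x$
  $i = 3$: $a_3 = 0$; $z \leftarrow z^2 \equiv x^2$
  $i = 2$: $a_2 = 0$; $z \leftarrow z^2 \equiv x^4$
  $i = 1$: $a_1 = 1$; $z \leftarrow z^2 \times x \equiv x^8 \times x \equiv x^9$
  $i = 0$: $a_0 = 1$; $z \leftarrow z^2 \times x \equiv x^{18} \times x \equiv x^{19}$

E.g. Compute $3^{19} \bmod 5$
  $19 = 10011$
  $z \leftarrow 1$
  $i = 4$: $a_4 = 1$; $z \leftarrow 1^2 \times 3 \equiv 3$
  $i = 3$: $a_3 = 0$; $z \leftarrow 3^2 \equiv -1$
  $i = 2$: $a_2 = 0$; $z \leftarrow (-1)^2 \equiv 1$
  $i = 1$: $a_1 = 1$; $z \leftarrow 1^2 \times 3 \equiv 3$
  $i = 0$: $a_0 = 1$; $z \leftarrow 3^2 \times 3 \equiv -3 \equiv 2$
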
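The extended Euclidean inverse and the square and multiply loop from the slides above, combined into RSA key derivation, as an added Python example that is not part of the original slides. It reuses the slides' own numbers ($28^{-1} \bmod 75$, $3^{19} \bmod 5$, and $p = 11$, $q = 13$, $e = 37$); the function names are chosen here.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(e, n):
    """e^-1 mod n via Bezout coefficients; exists only when gcd(e, n) = 1."""
    g, x, _ = egcd(e, n)
    if g != 1:
        raise ValueError("no inverse: gcd(e, n) != 1")
    return x % n                      # map a negative x (e.g. -8) into 0..n-1

def modexp(x, a, n):
    """Square and multiply, scanning the bits of a from the top bit down.
    The branch on exponent bits leaks them through timing; production RSA
    code uses constant-time exponentiation instead."""
    z = 1 % n
    for i in range(a.bit_length() - 1, -1, -1):
        z = (z * z) % n               # square for every bit
        if (a >> i) & 1:
            z = (z * x) % n           # multiply only when bit a_i is 1
    return z

def rsa_keygen(p, q, e):
    """Return ((e, n), d) with d = e^-1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    return (e, p * q), modinv(e, phi)

def rsa_roundtrip(m, pub, d):
    """Encrypt m with the public key, then decrypt with d."""
    e, n = pub
    return modexp(modexp(m, e, n), d, n)

# Values taken from the slides: p = 11, q = 13, e = 37.
PUB, D = rsa_keygen(11, 13, 37)
```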
Exercises

1. Compute
   1. 17.) 𝑚𝑜𝑑 101
   2. 357.) 𝑚𝑜𝑑 1234
   3. 3125.) 𝑚𝑜𝑑 9987
   4. 9726-/-- 𝑚𝑜𝑑 11413
   5. 127296*,0 (𝑚𝑜𝑑 186101)
2. Given $p = 61$, $q = 53$
   1. create an RSA system with these values
   2. Suppose the value of the plaintext is 123 → find the ciphertext
   3. Decrypt the ciphertext to obtain the plaintext
3. Prove that $X^{(p-1)(q-1)} \equiv 1 \pmod{pq}$, where $p$, $q$ are primes
4. Write pseudo code for the Extended Euclidean algorithm
   1. The ones for computing the modular multiplicative inverse
5. Prove the correctness of the square and multiply algorithm

Projects

1. Cryptanalysis for substitution cipher
2. Cryptanalysis for Vigenère cipher
3. A program for encryption and cryptanalysis of RSA as follows.
   1. Encryption:
      1. Input: plaintext, and public key $(e, n)$
      2. Output: ciphertext
      3. Encryption flow
         1. The plaintext is an English document. Each word of the plaintext is encoded as follows
            - DOG → $3 \times 26^2 + 14 \times 26 + 6 = 2398$
            - CAT → $2 \times 26^2 + 0 \times 26 + 6 = 19$
         2. Each encoded word is then encrypted using RSA with the public key $(e, n)$
            - Applying square and multiply for determining the modular exponent
   2. Cryptanalysis
      1. Input: ciphertext, and public key $(e, n)$
      2. Output: plaintext
      3. Hint:
         1. Determine primes $p$, $q$ s.t. $n = p \times q$
         2. Calculate $\varphi(n)$
         3. Determine the private key $d$
            - By using the extended Euclidean algorithm
         4. Decrypt with the private key $d$
            - Applying square and multiply for determining the modular exponent