Explain in detail about Schnorr Digital signature scheme.

For the Schnorr Digital Signature

Scheme, p = 311, q = 31, a = 169, Private Key = 11, which of the following is a transcript (x,
e, y) of a correctly performed execution of the Schnorr Identification scheme? (15, 10, 12),
(15, 10, 27), (16, 10, 12), (15, 16,0)
To determine which of the given transcripts (x, e, y) is a correctly performed execution of the
Schnorr Identification scheme, we need to consider the following conditions:

x and y should both be integers modulo q.

e should be calculated as e = H(x || y) where H is a cryptographic hash function.

e should be less than q.

Let's evaluate each of the given transcripts:

(15, 10, 12):

x and y are integers modulo q, but e is not less than q. So, this transcript is not correct.

(15, 10, 27):

x and y are integers modulo q, and e is less than q. This transcript satisfies the conditions and
could be a correctly performed execution.

(16, 10, 12):

x is not an integer modulo q. So, this transcript is not correct.

(15, 16, 0):

y is not an integer modulo q. So, this transcript is not correct.

So, the correct transcript is (15, 10, 27) if e is correctly calculated using the hash function, and it's
less than q.

State the ELGamal Digital signature scheme and find out the public and private key for the
given values and verify the signature
Prime field GF (19); XA =16, K=5, m=14, α = 10
Primitive roots {2, 3, 10, 13, 14, 15}
Interpret how is it possible to use a hash function to construct a block cipher with a
structure similar to DES. Because a hash function is one way and a block cipher must be
reversible to decrypt. Explain in detail.
Constructing a Block Cipher with Hash Functions
To build a block cipher using a hash function, we can employ a structure that uses the hash
function in a reversible scheme. Here's a detailed breakdown of how this can be conceptualized:

1. Key Generation and Expansion

Just like DES, which uses a key schedule to generate subkeys for each round of encryption, our
block cipher would begin with a key that can be processed through a key expansion function. This
could involve using a hash function to derive multiple subkeys from the main key, ensuring that
each round uses a unique key segment.
2. Initial Permutation and Rounds
We can maintain the structure of multiple rounds of processing, akin to DES. For each round, we
can apply the hash function to transform the data. While the hash function is inherently one-way,
we can leverage it in a way that simulates reversible operations.
3. Using a Hash Function with a Modifiable Input
To make the hash function seem reversible, we could structure the cipher to include additional
parameters or data that modify the input to the hash function:
Mixing with the plaintext: Before hashing, the plaintext could be XORed with a round-specific key.
The hash function then processes this mixed input.
Iterative Hashing: You can hash a combination of the current data and the key, and then include
transformations (like XORing with round keys) in subsequent rounds to alter the state iteratively.
4. Reversibility Through State Management
While a hash function alone is not reversible, the reversible operations before and after hashing
allow the overall encryption/decryption process to maintain reversibility. For instance:
Encryption:
𝐶=Hash(𝑃⊕𝐾)
C=Hash(P⊕K)
Decryption: To retrieve
𝑃
P, you can keep track of how
𝐾
K was used in previous rounds and apply the inverse transformations after hashing.
5. Final Transformation
At the end of the rounds, the final output can again be processed through a permutation function,
similar to the final permutation in DES, to produce the ciphertext.
By creatively using a hash function as part of a broader structure that includes mixing operations
and state management, it is possible to emulate the functionality of a block cipher. This
construction relies on the combination of hash outputs with reversible operations to ensure that
the overall scheme remains invertible, thereby enabling both encryption and decryption
processes.
This approach doesn't directly transform the hash function into a block cipher, but rather
integrates the properties of both to achieve a secure and functional encryption scheme. The
security considerations would differ, as the one-way nature of the hash function would provide
certain cryptographic strengths, particularly in terms of collision resistance and unpredictability,
while still adhering to the necessary reversible characteristics of a block cipher.

Illustrate how the operation for SHA would be carried out on a little-endian machine. SHA
is designed to work with a big-endian byte order. Explain in detail.
Steps to Carry Out SHA on a Little-Endian Machine
Step 1: Convert Input to Big-Endian Format
When data is read from a little-endian machine, it must be converted to big-endian format before
processing:
Byte Reordering: For every multi-byte integer in the input (e.g., 32-bit words), the bytes need to
be reversed. For example, if the data is stored as 0x12 0x34 0x56 0x78 in little-endian, it should
be interpreted as 0x78 0x56 0x34 0x12 in big-endian.
Step 2: Padding the Message
Add a '1' Bit: Append a single '1' bit to the end of the message.
Add '0' Bits: Fill the rest of the block with '0' bits until the total length is 448 bits (or 56 bytes).
Append Length: Finally, append the length of the original message (in bits) as a 64-bit big-endian
integer.
This length is represented in big-endian, so if the length in little-endian was 0xAABBCCDD, you
must store it as 0xDDCCBBAA.
Step 3: Process Each 512-bit Block
Divide into 32-bit Words: Split the 512 bits into sixteen 32-bit words. After the byte order
adjustment, ensure these words are treated as big-endian.
Expand to 64 Words: The SHA algorithm requires 64 words. Use the message schedule to expand
the original 16 words into 64 words by applying bitwise operations and rotations.
Step 4: Initialize Hash Values
The initial hash values must also be set in big-endian. If they are stored as 0x67452301 in little-
endian, it must be reversed to 0x01234567 for use.
Step 5: Execute the Main Loop
In the main processing loop:
Use the big-endian words directly for all operations. Ensure that any multi-byte operations (e.g.,
additions, logical operations) consider the values as big-endian. This might involve reinterpreting
data as needed.
Step 6: Finalize the Hash Value
Once all blocks are processed, the final hash value is obtained from the hash values maintained
throughout processing, which also must be represented in big-endian format.
In summary, when implementing SHA on a little-endian machine, you need to:
Convert the input data and the length representation to big-endian format.
Ensure all operations treat the data as big-endian throughout processing, particularly during the
expansion and the main loop.

Illustrate how arbitrated digital signatures schemes can be used to overcome the problem
associated with the direct digital signature.
Arbitrated Digital Signatures
The problem associated with the Direct digital signature can be overcome by using arbitrated
schemes.
In the arbitrated scheme, the entire signed message from the sender goes to the arbiter A. The
arbiter subjects the message and signature to a number of tests to check the origin and control.
The date and time is attached to the message. This indicates that the digital signature has been
verified and is satisfied. The message is then transmitted to the receiver.
Requirement of the arbiter:
As the arbiter plays a sensitive and crucial role, it should be a trusted third party.
Notation:X = Sender Y = Recipient A = Arbiter M=Message T=Timestamp
Scheme 1: Conventional encryption, Arbiter sees the message:
The sender X and arbiter A share the master key Kax the receiver y and the arbiter A share
the master key Kay
When X wants to send a message M to Y, construct a message computes the hash value
H(M). This hash is encrypted using symmetric encryption with the key Kax which acts as
signature. The message along with the signature is transmitted to A.
At A, it decrypts the signature and checks the hash value to validate the message. A
transmit the message to Y, encrypted with Kay. Y decrypt to extract the message and signature.
Disadvantage:
Eaves dropper can read the message as there is no confidentiality.
Scheme 2: Conventional encryption, Arbiter does not see the message:
Kax and Kay are the master keys.
Kxy is the key shared between the X and Y
When x wants to transmit a message to Y, the packet goes to arbiter.
The same procedure as that of I scheme is used X transmit an identifier, a copy of the message
encrypted with Kxy and a signature to A.
The signature is the hash of the message encrypted with Kxa
A decrypt the signature, and checks the hash value to validate the message.
A cannot read the message, A attaches to it the time stamps, encrypt with Kxa and transmit to Y.
Attack: The arbiter can join with an attacker and deny a message with sender’s signature.
Scheme 3: Public key encryption, Arbiter does not see the message:
This method uses the public key cryptography which gives authentication and digital signature.
The doubly encrypted message is concatenated with IDx and sent to arbiter.
A can decrypt the outer encryption to ensure that the message has come from X.
A then transmit the message with IDx and time stamp.
Advantages:
No information is shared among parties before communication, hence fraud is avoided.
No incorrectly dated message can be sent.
Disadvantages:
The complex public key algorithm is to be twice for encryption and twice for decryption.

Explain the DSS approach with appropriate block diagram.

The DSS Approach
The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike
RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.
RSA approach
The message to be signed is input to a hash function that produces a secure hash code of fixed
length. This hash code is then encrypted using the sender’s private key to form the signature.
Both the message and the signature are then transmitted. The recipient takes the message and
produces a hash code. The recipient also decrypts the signature using the sender’s public key.
If the calculated hash code matches the decrypted signature, the signature is accepted as valid.
Because only the sender knows the private key, only the sender could have produced a valid
signature.
DSS approach
The DSS approach also makes use of a hash function. The hash code is provided as input to a
signature function along with a random number generated for this particular signature.
The signature function also depends on the sender’s private key (PRa) and a set of parameters
known to a group of communicating principals. We can consider this set to constitute a global
public key (PUG). The result is a signature consisting of two components, labeled s and r(fig 1).

Figure 1 Two Approaches to Digital Signatures

At the receiving end, the hash code of the incoming message is generated. This plus the signature
is input to a verification function. The verification function also depends on the global public key
as well as the sender’s public key, which is paired with the sender’s private key.
The output of the verification function is a value that is equal to the signature component if the
signature is valid. The signature function is such that only the sender, with knowledge of the
private key, could have produced the valid signature.
The Digital Signature Algorithm:
There are three parameters that are public and can be common to a group of users.

 A 160-bit prime number q is chosen.

 Next, a prime number p is selected with a length between 512 and 1024 bits such that q
divides (p - 1).
 Finally, g is chosen to be of the form h(p-1)/q mod p, where h is an integer between 1 and
(p-1).
With these numbers in hand, each user selects a private key and generates a public key. The
private key x must be a number from 1 to (q-1) and should be chosen randomly. T
The public key is calculated from the private key as y = gx mod p .The calculation of given(Fig 2)
is relatively straightforward. However, given the public key y, it is believed to be computationally
infeasible to determine x, which is the discrete logarithm of y to the base g, mod p.
At the receiving end, verification is performed using the formulas. The receiver generates a
quantity v that is a function of the public key components, the sender’s public key, and the hash
code of the incoming message. If this quantity matches the component of the signature, then the
signature is validated.
 Figure 2 The Digital Signature Algorithm (DSA)
The value r does not depend on the message at all. Instead, r is a function of k and the three global
public-key components.
The multiplicative inverse of k (mod q) is passed to a function that also has as inputs the message
hash code and the user’s private key.
The structure of this function is such that the receiver can recover using the incoming message
and signature, the public key of the user, and the global public key. Given the difficulty of taking
discrete logarithms, it is infeasible for an opponent to recover k from r to recover x from s.
The only computationally demanding task in signature generation is the exponential calculation
gkmod p. Because this value does not depend on the message to be signed, it can be computed
ahead of time.
Selects a private key and generates a public key. The private key x must be a number from 1 to
(q1) and should be chosen randomly. The public key is calculated from the private key as y =
gxmod p.
To create a signature, a user calculates two quantities, r and s, that are functions of the public key
components ( p, q, g), the user's private key (x), the hash code of the message, H(M), and an
additional integer k that should be generated randomly and be unique for each signing.
At the receiving end, verification is performed using the formulas. The receiver generates a
quantity v that is a function of the public key components, the sender's public key, and the hash
code of the incoming message. If this quantity matches the r component of the signature, then the
signature is validated (Fig 3).
 Figure 3 DSS Signing and Verifying

Summarize the four requirements of Kerberos and its various elements.

The following are the requirements for Kerberos:

 Secure: A network eavesdropper should not be able to obtain the necessary information to
impersonate a user. More generally, Kerberos should be strong enough that a potential
opponent does not find it to be the weak link.
 Reliable: For all services that rely on Kerberos for access control, lack of availability of
the Kerberos service means lack of availability of the supported services. Hence, Kerberos
should be highly reliable and should employ distributed server architecture, with one
system able to back up another.
 Transparent: Ideally, the user should not be aware that authentication is taking place,
beyond the requirement to enter a password.
 Scalable: The system should be capable of supporting large numbers of clients and servers.
This suggests a modular, distributed architecture.

To support these requirements, the overall scheme of Kerberos is that of a trusted third-party
authentication service that uses a protocol based on Needham and Schroeder.

It is trusted in the sense that clients and servers trust Kerberos to mediate their mutual
authentication. Assuming the Kerberos protocol is well designed, and then the authentication service is
secure if the Kerberos server itself is secure.
Two versions of Kerberos are in common use. Version 4 and Version 5
Kerberos Version 4
Version 4 of Kerberos makes use of DES, in a rather elaborate protocol, to provide the
authentication service

4.2.1 A Simple Authentication Dialogue

In an unprotected network environment, any client can apply to any server for service. The
obvious security risk is that of impersonation. To counter this threat, servers must be able to confirm
the identities of clients who request service. But in an open environment, this places a substantial burden
on each server.
An alternative is to use an authentication server (AS) that knows the passwords of all users and
stores these in a centralized database. In addition, the AS shares a unique secret key with each server.
The simple authentication dialogue is as follows:
1. C >> AS: IDc||Pc||IDv
 2. AS >> C: Ticket
3. C >> V: IDc||Ticket
Ticket= EKv(IDc||ADc||IDv)

C : Client,
AS : Authentication Server,
V : Server, IDc : ID of the client,
Pc : Password of the client,
ADc : Address of client, IDv : ID of the server,
Kv : secret key shared by AS and V,
|| : concatenation.
4.2.2 A More Secure Authentication Dialogue

There are two major problems associated with the previous approach:
 Plaintext transmission of the password.
 Each time a user has to enter the password.
To solve these problems, we introduce a scheme for avoiding plaintext passwords, and a new
server, known as ticket granting server (TGS). The hypothetical scenario is as follows:
Once per user logon session:-
1. C >> AS: IDc||IDtgs
2. AS >> C: Ekc (Tickettgs)

Once per type of service:

3. C >> TGS: IDc||IDv||Tickettgs
4. TGS >> C: ticketv

Once per service session:

5. C >> V: IDc|| Ticketv
Tickettgs= Ektgs(IDc||ADc||IDtgs||TS1||Lifetime1)
Ticketv= Ekv(IDc||ADc||IDv||TS2||Lifetime2)

C: Client, AS: Authentication Server, V: Server,

IDc : ID of the client, Pc:Password of the client, ADc: Address of client,
IDv : ID of the server, Kv: secret key shared by AS and V,
|| : concatenation, IDtgs: ID of the TGS server, TS1, TS2: time stamps, lifetime:
lifetime of the ticket.

The new service, TGS, issues tickets to users who have been authenticated to AS. Thus, the
user first requests a ticket-granting ticket (Tickettgs) from the AS. The client module in the user
workstation saves this ticket.
Each time the user requires access to a new service, the client applies to the TGS, using the
ticket to authenticate itself. The TGS then grants a ticket for the particular service. The client saves each
service-granting ticket and uses it to authenticate its user to a server each time a particular service is
requested.
Let us look at the details of this scheme:
1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and
password to the AS, together with the TGS ID, indicating a request to use the TGS service
 2. The AS responds with a ticket that is encrypted with a key that is derived from the user's
password.
When this response arrives at the client, the client prompts the user for his or her password,
generates the key, and attempts to decrypt the incoming message.
If the correct password is supplied, the ticket is successfully recovered.
Because only the correct user should know the password, only the correct user can recover the
ticket. Thus, we have used the password to obtain credentials from Kerberos without having to transmit
the password in plaintext. Now that the client has a ticket-granting ticket, access to any server can be
obtained with steps 3 and 4:
3. The client requests a service-granting ticket on behalf of the user. For this purpose, the client
transmits a message to the TGS containing the user's ID, the ID of the desired service, and the
ticket-granting ticket
4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the presence
of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID
and network address with the incoming information to authenticate the user. If the user is
permitted access to the server V, the TGS issues a ticket to grant access to the requested service.
The service-granting ticket has the same structure as the ticket-granting ticket. Indeed, because
the TGS is a server, we would expect that the same elements are needed to authenticate a client to the
TGS and to authenticate a client to an application server.

Again, the ticket contains a timestamp and lifetime. If the user wants access to the same service
at a later time, the client can simply use the previously acquired service-granting ticket and need not
bother the user for a password.

Note that the ticket is encrypted with a secret key (Kv) known only to the TGS and the server,
preventing alteration.

Finally, with a particular service-granting ticket, the client can gain access to the corresponding
service with step 5:
5. The client requests access to a service on behalf of the user. For this purpose, the client transmits
a message to the server containing the user's ID and the service-granting ticket. The server
authenticates by using the contents of the ticket.

This new scenario satisfies the two requirements of only one password query per user session
and protection of the user password.

4.2.3 Kerberos V4 Authentication Dialogue Message Exchange

Two additional problems remain in the more secure authentication dialogue:

 Lifetime associated with the ticket granting ticket. If the lifetime is very short, then the
user will be repeatedly asked for a password. If the lifetime is long, then the opponent
has the greater opportunity for replay.

 Requirement for the servers to authenticate themselves to users.

The actual Kerberos protocol version 4 is as follows

:
 A basic third-party authentication scheme
 Have an Authentication Server (AS)
o Users initially negotiate with AS to identify self
o AS provides a non-corruptible authentication credential (ticket granting ticket
TGT)
  Have a Ticket Granting
o Users subsequently request access to other services from TGS on basis of
users TGT

(a) Authentication service exchange: to obtain ticket granting ticket

(1) C → AS : IDC II IDtgs II TS1

(2) AS → C : EKc [ Kc,tgs II IDtgs II TS2 II Lifetime2 II Tickettgs]

(b) Ticket-Granting Service Exchange: to obtain service-granting ticket

(3) C → TGS: IDv II Tickettgs II Authenticatorc

(4) TGS → C: EKc,tgs[Kc,y II IDv II TS4 II Ticketv]
Tickettgs = EK,tgs[Kc,tgs II IDC II ADC II IDtgs IITS2 II Lifetime2]
Ticketv = EKv[Kc,v II IDC II ADC II IDv IITS4 II Lifetime4]
AuthenticatorC = EKtgs [ IDC II ADC II TS3]

(c) Client/Server Authentication Exchange: to obtain service

(5) C → V : Ticketv II Authenticatorc
(6) V → C: Ekc,v[TS5 +1]
Ticketv = EKv[Kc,v II IDC II ADC II Idv II TS4 II Lifetime4]

Authenticatorc = EKtgs [IDC II ADC II TS3]

4.2.4 Kerberos 4 Overview

Fig 4.1 Overview of Kerberos 4

Explain the steps involved in SHA algorithm for encrypting a message and produces
output as a 512-bit message digest.

SHA
The algorithm takes as input a message with a maximum length of less than bits and produces
as output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure 3.8 depicts the
overall processing of a message to produce a digest.

Fig Message Digest Generation Using SHA-512

The processing consists of the following steps.

Step 1: Append padding bits.

The message is padded so that its length is congruent to 896 modulo 1024. Padding is always
added, even if the message is already of the desired length. Thus, the number of padding bits is in the
range of 1 to 1024. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length.

A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit
integer (most significant byte first) and contains the length of the original message (before the padding).

The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. In Figure 3,8 , the expanded message is represented as the sequence of 1024-bit blocks M1, M2,
……….. MN , so that the total length of the expanded message is NX1024 bits.

Step 3: Initialize hash buffer.

A 512-bit buffer is used to hold intermediate and final results of the hash function.The buffer
can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).These registers are initialized to the
following 64-bit integers (hexadecimal values):

a = 6A09E667F3BCC908 e = 510E527FADE682D1
 b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179

These values are stored in big-endian format, which is the most significant byte of a word in the low-
address (leftmost) byte position. These words were obtained by taking the first sixty-four bits of the
fractional parts of the square roots of the first eight prime numbers.

Step 4: Process message in 1024-bit (128-word) blocks.

The heart of the algorithm (Fig 3.9) is a module that consists of 80 rounds; Each round takes as
input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer. At input to the first
round, the buffer has the value of the intermediate hash value,Hi-1
Each round makes use of a 64-bit value Wt, derived from the current 1024-bit block (Mi) being
processed .These values are derived using a message schedule described subsequently.

Each round also makes use of an additive constant kt, where 0<=t<=79 indicates one of the 80
rounds.

The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi.The
addition is done independently for each of the eight words in the buffer with each of the corresponding
words in Hi-1, using addition modulo 264 .

Step 5: Output.

After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message
digest.

The behavior of SHA-1 is summarized as follows:

H0 = IV
Hi = SUM64 (Hi-1, ABCDEFGHi)
MD = HN
Where

IV = initial value of the abcdefgh buffer, defined in step 3

ABCDEq = the output of the last round of processing of the ith message block

L = the number of blocks in the message (including padding and

length fields)

SUM32 = Addition modulo 232 performed separately on each word of the pair
of inputs

MD = final message digest value

 Figure. SHA-512 Processing of a Single 1024-Bit Block

SHA-512 Round Function

Let us look in more detail at the logic in each of the 80 steps of the processing of one 512-bit block.
Each round is defined by the following set of equations:

T1 = h + Ch(e,f,g) + ( e) + Wt + Kt)

T2 = ( a) + Maj(a,b,c)

h=g g=f f=e e = d + T1 d=c

c=b b=a a = T1 + T2

Where
T = Step number; 0 ≤ t ≤ 79
Ch(e,f,g) = (a AND f) (NOT e AND g)
The conditional function: If e then f else g (Fig 3.10)
 Fig 3.10 Elementary SHA Operation(single step)
The functions can be summarized as follows:

Steps Function Name Function Value

0≤t≤9 f1 = f(t,B,C,D) (B Λ C) V (B! Λ D)
20≤t≤39 f2 = f(t,B,C,D) B C D
40≤t≤59 f3 = f(t,B,C,D) (B Λ C) V (B Λ D) V (C Λ D)
60≤t≤79 f4 = f(t,B,C,D) B C D
The logical operators AND,OR,NOT,XOR, are represented by the symbols Λ V !

Only three different functions are used.

For, 0≤ t ≤ 19 the function is the conditional function.

For 20 ≤ t ≤ 39 and 60 ≤ t ≤ 79 the function produces a parity bit.

For A0 ≤ t ≤ 59 the function is true if two or three of the argument are true.

The following diagram 3.11 illustrates how the 32bit word values wt are derived from the 512 bit
message.
 Figure 3.11.Creation of 80-word Input Sequence for SHA-512 Processing of Single Block
The first 16 values of wt are taken directly from the 16 words of the current block.the remaining values
are defined as follows.

wt = S’(wt-16 + wt-14 + w t-8 + wt-3 )

Thus in the first 16 steps of processing the values of wt is equal to the corresponding word in the
message block. For the remaining 64 steps the value of wt consists of the circular left shift by one bit
of the XOR of four of the processing values of wt.
Both MD5 and RIPEMD-160 uses one of the 16 words of a message block directly as input to each step
function only the order of the word is permuted from round to round.
SHA-1 expands the 16 block words to 80 words for use in the compression function.
Apply public key system using RSA, to intercept the cipher text C=11 sent to a user whose
public key is e=7, n=187. What is the plain text M?

The steps involved in RSA algorithm for generating the key are

 Select two prime numbers, p = 17 and q = 11.

 Calculate n = p*q = 17*11 = 187

 Calculate Ф(n) = (p-1)(q-1) = 16*10 = 160.
 Select e such that e is relatively prime to Ф(n) = 160 and less than Ф(n); we choose
e = 7.
 Determine d such that de K 1 (mod 160) and d < 160.The correct value is d = 23,
because 23 × 7 = 161 = (1 × 160) + 1; d can be calculated using the extended
Euclid’s algorithm

The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.

The example shows the use of these keys for a plaintext input of M= 88. For encryption, we
need to calculate C = 887 mod 187.

Exploiting the properties of modular arithmetic, we can do this as follows.

887 mod 187 = [(884 mod 187) × (882 mod 187)× (881 mod 187)] mod 187
881 mod 187 = 88
882 mod 187 = 7744 mod 187 = 77
884 mod 187 = 59,969,536 mod 187 = 132
887 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11

For decryption, we calculate M = 1123 mod 187:

1123 mod 187 = [(111 mod 187) × (112 mod 187) × (114 mod 187)× (118 mod 187) ×
8
(11 mod 187)] mod 187
111 mod 187 = 11
112 mod 187 = 121
114 mod 187 = 14,641 mod 187 = 55
118 mod 187 = 214,358,881 mod 187 = 33
1123 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88

Users Alice and Bob use the Diffie-Hellman key exchange technique with a common
prime q = 83 and a primitive root α = 5.

i) If Alice has a private key XA = 6, what is Alice’s public key YA? (5)

ii) If Bob has a private key XB = 10, what is Bob’s public key YB? (5)

iii) Construct the shared secret key. (3)

Next, we compute 15625 mod 83

Thus, Alice's public key is:

YA = 69

Next, we compute 9765625 mod 83

Thus, Bob's public key is:

YB = 55
Substituting in the values:

KB= 6910mod 83
The shared secret key calculated by both parties is:

𝐾=23
(Alice’s calculation)
K=23(Alice’s calculation)
𝐾=4
(Bob’s calculation)
K=4(Bob’s calculation)
Alice's public key
𝑌𝐴=69
Bob's public key
𝑌𝐵=55
Shared secret key
𝐾=23

Explain RSA algorithm in detail with an example.

THE RSA ALGORITHM

It was developed by Rivest, Shamir and Adleman. This algorithm makes use of an
expression with exponentials. Plaintext is encrypted in blocks, with each block having a binary
value less than some number n.
 The RSA scheme is a cipher in which the plaintext and cipher text are integers between
0 and n - 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits. That is, n is less
than 21024.
That is, the block size must be less than or equal to log2 (n); in practice, the block size
is k-bits, where 2k< n < 2k+1. Encryption and decryption are of the following form, for some
plaintext block M and ciphertext block C:
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n

Both the sender and receiver know the value of n. the sender knows the value of e and
only the receiver knows the value of d. thus, this is a public key encryption algorithm with a
public key of KU = {e, n} and a private key of KR = {d, n}. For this algorithm to be satisfactory
for public key encryption, the following requirements must be met:
1. It is possible to find values of e, d, n such that Med = M mod n for all M < n.
2. It is relatively easy to calculate Me and Cd for all values of M < n.
3. It is infeasible to determine d given e and n.

Let us focus on the first requirement. We need to find the relationship of the form:

Med = M mod n

Given two prime numbers p and q and two integers, n and m, such that n=pq and 0<m<n, and
arbitrary integer k, the following relationship holds

mkФ(n) +1 = mk(p-1)(q-1) +1 = m mod n

where Ф(n) – Euler totient function, which is the number of positive integers less than n and
relatively prime to n. we can achieve the desired relationship, if

ed = kФ(n)+1
This is equivalent to saying:
ed ≡ 1 mod Ф(n)
d = e-1 mod Ф(n)
That is, e and d are multiplicative inverses mod Ф(n). According to the rule of modular
arithmetic, this is true only if d (and therefore e) is relatively prime to Ф(n). Equivalently,
gcd(Ф(n), d) = 1.

We are now ready to state the RSA scheme. The ingredients are the following:
p, q, two prime numbers (private, chosen)
n = pq (public, calculated)
e, with gcd(Ф (n), e) = 1; 1 <e < Ф (n) (public, chosen)
d≡K e-1 (mod Ф (n)) (private, calculated)
The steps involved in RSA algorithm for generating the key are

 Select two prime numbers, p = 17 and q = 11.

 Calculate n = p*q = 17*11 = 187

 Calculate Ф(n) = (p-1)(q-1) = 16*10 = 160.
 Select e such that e is relatively prime to Ф(n) = 160 and less than Ф(n); we choose
e = 7.
 Determine d such that de K 1 (mod 160) and d < 160.The correct value is d = 23,
because 23 × 7 = 161 = (1 × 160) + 1; d can be calculated using the extended
Euclid’s algorithm

The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.

The example shows the use of these keys for a plaintext input of M= 88. For encryption, we
need to calculate C = 887 mod 187.

Exploiting the properties of modular arithmetic, we can do this as follows.

887 mod 187 = [(884 mod 187) × (882 mod 187)× (881 mod 187)] mod 187
881 mod 187 = 88
882 mod 187 = 7744 mod 187 = 77
884 mod 187 = 59,969,536 mod 187 = 132
887 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11

For decryption, we calculate M = 1123 mod 187:

1123 mod 187 = [(111 mod 187) × (112 mod 187) × (114 mod 187)× (118 mod 187) ×
8
(11 mod 187)] mod 187
111 mod 187 = 11
112 mod 187 = 121
114 mod 187 = 14,641 mod 187 = 55
118 mod 187 = 214,358,881 mod 187 = 33
1123 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88
Explain Diffie Hellman Key Exchange algorithm in detail.

DIFFIE HELLMAN KEY EXCHANGE

The purpose of the algorithm is to enable two users to exchange a key securely that can
then be used for subsequent encryption of messages. The Diffie-Hellman algorithm depends
for its effectiveness on the difficulty of computing discrete logarithms.

First, we define a primitive root of a prime number p as one whose power generate all
the integers from 1 to (p-1) i.e., if ‘a’ is a primitive root of a prime number p, then the numbers
a mod p, a2 mod p, … ap-1 mod p
are distinct and consists of integers from 1 to (p-1) in some permutation.
For any integer ‘b’ and a primitive root ‘a’ of a prime number ‘p’, we can find a unique
exponent ‘i’ such that
b ≡ ai mod p where 0 ≤ i ≤ (p-1)
The exponent ‘i’ is referred to as discrete logarithm.

The Algorithm
Figure 2.37 summarizes the Diffie-Hellman key exchange algorithm.There are publicly
known numbers: a prime number ‘q’ and an integer α that is primitive root of q. suppose users
A and B wish to exchange a key. User A selects a random integer XA< q and computes YA = α
XA mod q.
 Similarly, user B independently selects a random integer XB< q and computes YB = α
XB mod q. Each side keeps the X value private and makes the Y value available publicly to the
other side.
User A computes the key as

K = (YB)XA mod q and

User B computes the key as
K = (YA)XB mod q

These two calculations produce identical results.

K= (YB)XA mod q
= (α XB mod q)XA mod q
= (α XB)XA mod q
= (α XA)XB mod q
= (α XA mod q)XB mod q
= (YA)XB mod q
Global Public Elements
q prime number
α α<q and α is the primitive root of q
User A Key generation
Select XA XA< q
Calculate public YA YA= αXA mod q
 User B Key generation
Select XB XB< q
Calculate public YB YB= αXB mod q
Generation of secret key by User A
K = (YB)XA mod q
Generation of secret key by User B
XB
K = (YA) mod q
The result is that two sides have exchanged a secret key. The security of the algorithm
lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is
very difficult to calculate discrete logarithms.

Key Exchange Protocols

The protocol depicted in figure 2.38 is insecure against a man-in-the-middle attack. Suppose
Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as
follows:

1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA) XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1) XB mod q.
5. Bob transmits XA to Alice.
6. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1 = (YB) XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2) XA mod q.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2. All future communication between Bob
and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message
Example:
Key exchange is based on the use of the prime number q = 353 and a primitive root of 353, in
this case α = 3. A and B select secret keys XA= 97 and XB= 233, respectively.
Each computes its public key:
A computes YA=397 mod 353 = 40.
B computes YB= 3233 mod 353 = 248.
After they exchange public keys, each can compute the common secret key:
A computes K = (YB)XAmod 353 = 24897 mod 353 = 160.
B computes K = (YA)XBmod 353 = 40 233 mod 353 = 160.

Illustrate in detail about Elliptic curve over Zp.

ELLIPTIC CURVE ARITHMETIC

Elliptic Curves:
An elliptic Curve is a Cubic equation of the form
Y2+axy+by = x3+cx2+dx +e

Where a,b,c,d and e are real numbers

A special addition operation is defined over elliptic curves and with the inclusion of a point
“O” called point at infinity.

If three points are on a line intersecting an elliptic curve, then their sum is equal to this
point at infinity O (which acts as the identity element for this addition operation)

Elliptic Curves over Galois field:

An elliptic group over the Galois Field Ep(a,b) is obtained by computing x3+ax+b mod
p for 0≤ x≤ p. The constants a&b are non-negative integers smaller than the prime number p
must satisfy the condition.
4a3 + 27b2 mod p ≠ 0

For each value of x, one needs to determine whether or not it is a quadratic residue.
If not then the point is not in the elliptic group Ep (a,b)

Addition and multiplication operation over elliptic groups:

Let the points P = (x1,y1) and Q = (X2,Y2) be in the elliptic group Ep (a,b) and O be the point at
infinity.
The rules for addition over the elliptic group Ep (a,b) are:
1. P+O = O+P = P

2.If x2 = x1 and y2 = -y1, that is P = (x1,y1) and Q = (X2,Y2) = (x1,-y1) = -P Then P+Q = O

3.If Q ≠ -P ,then their sum P+Q =(x3,y3) is given by

x3   2  x1  x2

and y3   ( x1  x3 )  y1

 y2  y1
 x x if PQ
 2 1
 2
 3 x1  a if PQ
 2 y1
Elliptic Curve Encryption:

Elliptic curve cryptography can be used to encrypt the plain text message M, into
ciphertext. The plain text message M is encoded into a point PM from the finite set of points in
the elliptic group, Ep(a,b).

The first step consists in choosing a generator point, G ε Ep(a, b) , such that the smallest value
of n for which nG = o is a very large prime number.

The elliptic group Ep(a,b) and the generator point G are made public.

Each user select a private key,nA< n and compute the public key PA as PA = nAG

To encrypt the message point PM for Bob (B),

Alice (A) choses a random integer k and compute the ciphertext pair of points Pc

Using Bob’s public key PB

PC = [(KG),(PM + KPB)]

After receiving the ciphertext pair of points, PC, Bob multiplies the firstpoint,(KG) with his
private key nB and then adds the result to the second point in the ciphertext pair of points (PM
+ KPB)

(PM + KPB) – [nB(KG)]= (PM+KnBG)-[nB(KG)]=PM

which is the plaintext point, corresponding to the plaintext message M.

Only Bob knowing the private key nB, can remove nB(KG) from the second point of the
ciphertext pair of point, i.e (PM + KPB), and hence retrieve the plaintext information PM
Explain Public key-distribution with an example.

Public-Key distribution of Secret Keys using public key cryptography:

 Use previous methods to obtain public-key

 Can use for secrecy or authentication
 Public-key algorithms are slow so usually want to use private-key encryption to protect
message contents, Hence need a session key
The methods are,
a) Simple
b) Secret key distribution with confidentiality and authentication
c) Hybrid
d) Diffie Hell man key exchange

(a)Simple Secret Key Distribution:

1. A generates a public/private key pair {KUa,KRa} and transmits a message to B consisting of

KUa and an identifier of A,IDA.
2. B generatesa secret key Ks, and transmits it to A, encrypted with A’s public key.
3. A computes DKRa [EKUa [Ks]] to recover the secret key. Because only A can decrypt the
message, only A and B will know the identity of Ks.
4. A discards KUa and KRa and B discards KUa.

Advantages:
 No keys exist before the start of the communication no key exist after the completion
of communication
 Secure from eaves dropping

Disadvatages:
 Replay attack
 Meet in the middle attack
 A generates a public/private key pair {PUa, PRa} and transmits a message intended
for B consisting of PUaand an identifier of A, IDA.
 D intercepts the message, creates its own public/private key pair {PUd, PRd} and
transmits PUs 0 0 IDA to B.
 B generates a secret key, Ks, and transmits E(PUs, Ks).
 D intercepts the message and learns Ks by computing D(PRd, E(PUd, Ks)).
 D transmits E(PUa, Ks) to A.

(b) Secret Key Distribution with Confidentiality and Authentication:

1. A uses B’s public key to encrypt a message to B containing an identifier of A (IDA)

and a nonce (N1),which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with KUa and containing A’s decrypted message
(1),the presence of N1 in message (2) assures A that correspondent is B.
3. A returns N2, encrypted using B’s public key, to assurer B that its correspondent is A.
 4. A select a secret key Ks and sends M = EKUb[EKRa[KS]] TO B. Encryption of this
message with B’s public key ensures that only B can read it.;encryption with A’s private
key ensures that only A could have sent it.
5. Computes DKUa[DKRb[M]]to recover thesecret key.

Figure 2.35. Public Key Distribution of secret Keys

Advantages:
Scheme ensures both confidentiality and authentication in the exchange of a secret key.

(c)A Hybrid Scheme

Public-key scheme isused to distribute the master keys. The following rationale is provided for
using this three-level approach:
1. Performance:
The public key encryption is used occasionally to update the master key between uses
and KDC
When the distribution of session keys is done by public key encryption the performance
degrades because of high computation needed by P.K.E.
2. Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC
scheme with minimal disruption or software changes.
The addition of a public-key layer provides a secure, efficient means of distributing master
keys.