Ch08 Cryptography


Cryptography

Md. Shadmim Hasan Sifat
Lecturer in CSE, SUST
CSE 461 (Intro To Comp. Security and Forensics)
Jan - June 24
Cryptography

• Practice and study of techniques for secure communication in the presence of adversarial behavior
• Is about constructing and analyzing protocols that prevent third parties or the public from reading private messages
• Hidden Writing : Hide the meaning of the message
• Depends on secrecy of a short key, not method
Cryptography
• Cryptography (cryptographer)
• Creating ciphers
• Cryptanalysis (cryptanalyst)
• Breaking ciphers

• The history of cryptography is an arms race between cryptographers and cryptanalysts.
Goals of Cryptography
• The most fundamental problem cryptography addresses:
• ensure security of communication over insecure medium

• What does secure communication mean?
• confidentiality (privacy, secrecy) : only the intended recipient can see the communication
• integrity (authenticity) : the communication is generated by the alleged sender
• Insecure medium
• Passive attacker: the adversary can eavesdrop
• Active attacker: the adversary has full control over the communication channel
Cryptography < Security
• Cryptography isn't the solution to security
• Buffer overflows, worms, viruses etc. can still happen and cause damage
• Even when it is used, it is difficult to get right
• Choice of encryption algorithms
• Choice of parameters
• Implementation
• Errors are hard to detect : the vulnerability may only be recognized after exploitation
• ..think of Caesar / substitution ciphers
Some Related Security Principles

Open Design Principle
Do not rely on secret designs, attacker ignorance, or security by obscurity. Kerckhoffs’ principle: a system’s security should not rely on the secrecy of its design details.

Time-tested tools
Rely wherever possible on time-tested, expert-built security tools including protocols, cryptographic primitives and toolkits, rather than designing and implementing your own. History shows that security design and implementation is difficult to get right even for experts.

Sufficient work factor
Tune the mechanism so that the cost to defeat the system (work factor) clearly exceeds the resources of anticipated classes of adversaries.
Generic Concepts
Types of Cryptography
• Symmetric key
• Encryption and decryption keys are the same
• Asymmetric key
• Encryption and decryption keys differ
Caesar Cipher
• Every character is replaced with the character K slots to the right
• S E C U R I T Y :: VHFXULWB
Substitution Cipher
Cryptanalysis Hints
Substitution Cipher : Example

n:a r:e g:t b:o v:i a:n x:k y:l s:f u:h t:g
i:v f:s o:b e:r p:c q:d j:w h:u w:j l:y z:m
Hill Cipher
KEY : GYBNQKURP

Plaintext : ACT
KEY : GYBNQKURP >>> GYB-NQK-URP
Ciphertext: POH

Encryption
Decryption
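Hill cipher encryption and decryption for the slides' values, written as an added example (not the slides' own code): the key GYBNQKURP is read row by row into a 3x3 matrix over Z_26, ACT encrypts to POH, and decryption uses the matrix inverse modulo 26, which exists only when gcd(det(K), 26) = 1. The X padding for a short final block is this example's own choice.

```python
# Added example, not from the slides: Hill cipher over Z_26 with the slides'
# key (GYBNQKURP), plaintext (ACT) and ciphertext (POH). Decryption needs the
# key matrix inverse modulo 26; key_is_invertible is the check a Hill key must
# pass, otherwise ciphertexts cannot be decrypted at all.
from math import gcd, isqrt

def letters_to_nums(s: str) -> list:
    return [ord(ch) - ord('A') for ch in s.upper()]

def nums_to_letters(v) -> str:
    return ''.join(chr(x % 26 + ord('A')) for x in v)

def key_matrix(key: str) -> list:
    """n*n letters -> n x n matrix, row by row (GYB / NQK / URP for the slide key)."""
    n = isqrt(len(key))
    if n * n != len(key):
        raise ValueError("key length must be a perfect square")
    nums = letters_to_nums(key)
    return [nums[i * n:(i + 1) * n] for i in range(n)]

def minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]

def det(m) -> int:
    """Integer determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))

def key_is_invertible(key: str) -> bool:
    return gcd(det(key_matrix(key)) % 26, 26) == 1

def inverse_mod26(m):
    """K^-1 = det(K)^-1 * adj(K) (mod 26); adj is the transposed cofactor matrix."""
    n = len(m)
    d = det(m) % 26
    if gcd(d, 26) != 1:
        raise ValueError("key matrix is not invertible modulo 26")
    d_inv = pow(d, -1, 26)
    adj = [[(-1) ** (i + j) * det(minor(m, j, i)) for j in range(n)] for i in range(n)]
    return [[(d_inv * adj[i][j]) % 26 for j in range(n)] for i in range(n)]

def apply_matrix(m, block):
    """C = K * P (mod 26) with the block as a column vector."""
    return [sum(m[r][c] * block[c] for c in range(len(m))) % 26 for r in range(len(m))]

def hill_encrypt(plaintext: str, key: str) -> str:
    m = key_matrix(key)
    n = len(m)
    p = letters_to_nums(plaintext)
    p += [ord('X') - ord('A')] * (-len(p) % n)      # pad the last block with X (this example's choice)
    return nums_to_letters(x for i in range(0, len(p), n) for x in apply_matrix(m, p[i:i + n]))

def hill_decrypt(ciphertext: str, key: str) -> str:
    m_inv = inverse_mod26(key_matrix(key))
    n = len(m_inv)
    c = letters_to_nums(ciphertext)
    return nums_to_letters(x for i in range(0, len(c), n) for x in apply_matrix(m_inv, c[i:i + n]))
```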
Vigenère cipher
Plaintext: attackatdawn
KEY: LEMONLEMONLE
Ciphertext: LXFOPVEFRNHR
• Encryption
• Ei = (Pi + Ki) mod 26
• Decryption
• Di = (Ei - Ki) mod 26
Vernam Cipher / One Time Pads (OTP)
• The key must be at least as long as the plaintext.
• The key must be random (uniformly distributed in the set of all possible keys and independent of the plaintext).
• The key must never be reused in whole or in part.
• The key must be kept completely secret by the communicating parties.
One Time Pads
• One-time pads are information-theoretically secure
• The encrypted message (i.e., the ciphertext) provides no information about the original message to a cryptanalyst.
• A cryptosystem is considered to have information-theoretic security if the system is secure against adversaries even with unlimited computing resources and time.
• A system which depends on the computational cost of cryptanalysis to be secure (and thus can be broken by an attack with unlimited computation) is called computationally or conditionally secure.
One Time Pads : Problems
• The key has to be as long as the message and also has to be kept secret.
• Difficult to generate a truly random key.
• True random number generators exist but are typically slower and more specialized.
• Very limited practical usage
• A common use of the one-time pad in quantum cryptography is in association with Quantum Key Distribution (QKD).
One Time Pads : Problems
• Vulnerable to Reused Key Attacks
• Ke…
• Keys must never be used twice!!!
• Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods
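The Vigenère formula from the slides (Ei = (Pi + Ki) mod 26, Di = (Ei - Ki) mod 26) checked against the slides' vector, followed by the same idea over bytes with XOR as a Vernam / one-time pad, as an added example that is not part of the original slides. The last function shows why the pad must never be reused: XOR-ing two ciphertexts made with the same pad cancels the key and leaves m1 XOR m2, which is the defect the "Reused Key" slide warns about. The sample messages are constructed for the demo.

```python
# Added example, not from the slides: Vigenere with a periodic key, then the
# Vernam / one-time pad as XOR over bytes, and the leak that appears the moment
# a pad is used twice (c1 XOR c2 == m1 XOR m2, the key term cancels).
import secrets

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter; the key repeats periodically."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.upper()):
        p = ord(ch) - ord('A')
        k = ord(key[i % len(key)].upper()) - ord('A')
        out.append(chr((p + sign * k) % 26 + ord('A')))
    return ''.join(out)

def otp_keygen(length: int) -> bytes:
    """Uniformly random pad, at least as long as the message (CSPRNG, not random.random)."""
    return secrets.token_bytes(length)

def otp_xor(message: bytes, key: bytes) -> bytes:
    """Vernam cipher: encryption and decryption are the same XOR."""
    if len(key) < len(message):
        raise ValueError("one-time pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))

def reused_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == m1 XOR m2: the key is gone."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def demo() -> tuple:
    """Returns (vigenere matches the slide, OTP round-trips, reuse leaks m1 XOR m2)."""
    vig_ok = vigenere("attackatdawn", "LEMON") == "LXFOPVEFRNHR"
    m1 = b"attack at dawn"      # constructed sample messages
    m2 = b"retreat now!!!"
    pad = otp_keygen(len(m1))
    c1 = otp_xor(m1, pad)
    otp_ok = otp_xor(c1, pad) == m1
    c2 = otp_xor(m2, pad)      # the mistake: the same pad used twice
    leak = reused_pad_leak(c1, c2)
    # Anyone holding both ciphertexts gets m1 XOR m2 without ever seeing the pad
    leak_ok = leak == bytes(a ^ b for a, b in zip(m1, m2)) and otp_xor(leak, m1) == m2
    return vig_ok, otp_ok, leak_ok
```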
Types of Attacks
Attacker may have collections of
• ciphertexts (ciphertext only attack)
• plaintext/ciphertext pairs (known plaintext attack)
• plaintext/ciphertext pairs for plaintexts selected by the attacker (chosen plaintext attack)
• plaintext/ciphertext pairs for ciphertexts selected by the attacker (chosen ciphertext attack)
Block Ciphers
• Processes plaintext in fixed-length chunks or blocks
• Each block, perhaps a group of ASCII-encoded characters, is
encrypted with a fixed transformation dependent on the key
• Main properties of algorithm : block-length and key-length
• If the last plaintext block has fewer bits than the block-length, it is
padded with “filler” characters.
Block Ciphers : Modes of Operation
Various methods called modes of operation combine successive n-bit block operations such that the encryption of one block may or may not depend on other blocks.
For Example:
• ECB (Electronic Code Book)
• CBC (Cipher Block Chaining)
• CTR (Counter)
ECB MODE: Modes of Operation
ECB (Electronic Code Book): Each encryption block operation is independent of adjacent blocks
N.B: If a given key k is used to encrypt several identical plaintext blocks mi then identical ciphertext blocks ci result
CBC MODE: Modes of Operation
CBC (Cipher Block Chaining): Each encryption block operation is dependent on adjacent blocks
N.B: If a given key k is used to encrypt several identical plaintext blocks mi then different ciphertext blocks ci result
CTR MODE: Modes of Operation
CTR (Counter): Each encryption block operation is partially dependent on adjacent blocks
N.B: If a given key k is used to encrypt several identical plaintext blocks mi then different ciphertext blocks ci result
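The three modes from the slides implemented over a stand-in block cipher, as an added example (not from the slides or any library): a 4-round Feistel network with a SHA-256 round function stands in for the block cipher so the code runs offline; it is keyed and invertible but is a teaching device, not AES and not secure. The demo encrypts four identical plaintext blocks and counts repeated ciphertext blocks, which is exactly the N.B. on the ECB, CBC and CTR slides.

```python
# Added example, not from the slides: ECB, CBC and CTR over a stand-in 16-byte
# block cipher (Feistel network with a SHA-256 round function). The stand-in is
# NOT AES and NOT secure; real code uses a vetted AES implementation.
import hashlib
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round_f(key, r, right))
    return left + right

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round_f(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7: the last block is always padded, even when the data fits exactly."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """ECB: each block independent, so equal plaintext blocks give equal ciphertext blocks."""
    return b''.join(toy_block_encrypt(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b''.join(toy_block_decrypt(key, b) for b in blocks(ct)))

def cbc_encrypt(key, iv, pt):
    """CBC: c_i = E(m_i XOR c_{i-1}) with c_0 = IV, so equal blocks no longer repeat."""
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b''.join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b''.join(out))

def ctr_crypt(key, nonce, data):
    """CTR: keystream block i = E(nonce || i); XOR makes encrypt and decrypt identical, no padding."""
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        out += _xor(b, toy_block_encrypt(key, nonce + i.to_bytes(8, 'big')))
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one; the ECB leak shows up here."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

def demo() -> tuple:
    key, iv, nonce = os.urandom(16), os.urandom(16), os.urandom(8)
    pt = b"SAME BLOCK 16BY!" * 4 + b"tail"        # constructed: four identical blocks
    ecb, cbc, ctr = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt), ctr_crypt(key, nonce, pt)
    assert ecb_decrypt(key, ecb) == pt and cbc_decrypt(key, iv, cbc) == pt
    assert ctr_crypt(key, nonce, ctr) == pt
    return repeated_blocks(ecb), repeated_blocks(cbc), repeated_blocks(ctr)  # (3, 0, 0)
```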
Data Encryption Standard (DES)
• Why AES, not DES ???
• In the 1990s, cracking the DES algorithm became possible. Around 50 hours of brute-forcing allowed the message to be cracked.
• The requirement from the National Institute of Standards and Technology (NIST) was that it had to be efficient in both software and hardware implementations. DES was originally practical only in hardware implementations.
• DES is insecure due to its relatively short 56-bit key size, whereas AES allows choosing among various key lengths such as 128-bit, 192-bit or 256-bit keys, making it exponentially stronger than the 56-bit key of DES.
• NIST started searching for a new feasible algorithm, proposed its requirements in 1997 and put out a public call for a replacement to DES.
Why AES , not DES ???
• NIST arranged a competition and narrowed down the list of submissions to five finalists.
• In 2001 the Rijndael algorithm, designed by Rijmen and Daemen of Belgium, was declared the winner of the competition, as it met all Security, Cost and Implementation criteria.
• NIST ultimately chose the Rijndael algorithm, which is now known as the Advanced Encryption Standard (AES).
Advanced Encryption Standard (AES)
• AES is an encryption standard chosen by the National Institute of Standards and Technology (NIST), USA to protect classified information.
• It has been accepted world-wide as a desirable algorithm to encrypt sensitive data.
• AES, also called Rijndael, is a symmetric block cipher that operates on 128-bit blocks.
• It is designed to be used with keys that are 128, 192, or 256 bits long, yielding ciphers known as AES-128, AES-192, and AES-256.
How Does it work?
M (128 bits) -> E(M, K) -> C (128 bits) -> D(C, K) -> M (128 bits), with the same key K fed to both E and D

E = Encryption function for a symmetric block cipher
M = plaintext message of size 128 bits
C = ciphertext
K = Key of size 128 bits which is the same for both encryption and decryption
D = Decryption function for the symmetric block cipher
How Does it work?
• The 128-bit version of the AES encryption algorithm proceeds in 10 rounds.
• Each round performs an invertible transformation on a 128-bit array, called the state.
• The initial state X0 is the XOR of the plaintext P with the key K: X0 = P XOR K.
• Round i (i = 1, 2, …, 10) receives state X(i-1) as input and produces state Xi.
• The ciphertext C is the output of the final round: C = X10.
How Does it work?
• AES basically repeats 4 major functions per round (mostly) to encrypt data.
• It takes a 128-bit block of data and a key and gives a ciphertext as output.
• The functions are:
➢ Substitute Bytes()
➢ Shift Rows()
➢ Mix Columns()
➢ Add Round Key()
How Does it work?
Block Diagram of AES
AES 128 bits Data Block
• AES operates on a 4 × 4 array of bytes in column-major order, called the state.
• For instance, if there are 16 bytes, these bytes are represented as this two-dimensional array:
Data units used in AES
Block-to-State and State-to-Block transformation
Changing plaintext to state
Analysis of Steps
Key Expansions:
• In the key expansion process the given 128-bit cipher key is stored in a [4]x[4] = 16-byte (4-word) matrix (16*8 = 128 bits), and then
• the four column words of the key matrix are expanded into a schedule of 44 words (44*4 = 176 bytes), resulting in 11 round keys (176/11 = 16 bytes or 128 bits per round).
• Number of round keys = Nr + 1.
• Where Nr is the number of rounds (which is 10 in the case of a 128-bit key size)
• So here the round keys = 11.
Analysis of Steps
Key Expansions: Block Diagram of AES
Analysis of Steps
Add round key:
This is identical to the decryption side add round key
transformation, because the XOR operation is its own inverse.
Analysis of Steps
Substitute Bytes:
Each element of the matrix is replaced by an element of s-box
matrix.
Analysis of Steps
Substitute Bytes:
For an element {d1} the corresponding value is {3e}

Rijndael S-box
Analysis of Steps
Inverse Substitute Bytes:
For an element {3e} the corresponding value is {d1}

Rijndael S-box
Analysis of Steps
Substitute Bytes:
• The S-box is a special lookup table which is constructed using Galois field arithmetic.
• The field used in this algorithm is GF(2^8)
• i.e. 256 values are possible.
• The elements of the S-box are written in hexadecimal.
Analysis of Steps
Shift Rows:
• In this step the rows of the block are cyclically shifted to the left.
• The first row is untouched, the second is shifted by one, the third by two and the fourth by three.
Analysis of Steps
Inverse Shift Rows:
It performs the circular shifts in the opposite direction (right) for each of the last three rows: the first row is untouched, the second gets a one-byte circular right shift, the third two and the fourth three.
Analysis of Steps
Mix Columns:
• This is the most important part of the algorithm.
• It causes the flip of bits to spread all over the block.
• In this step the block is multiplied with a fixed matrix.
• The multiplication is field multiplication in a Galois field.
• For each row there are 16 multiplications, 12 XORs and a 4-byte output.
Analysis of Steps
Mix Columns:
Analysis of Steps
Inverse Mix Columns:
Analysis of Steps
Add round key:
AES Round
View of all the internal details of the AES round, showing how each byte of the state is manipulated.
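The three key-independent AES round steps from the "Analysis of Steps" slides (Substitute Bytes, Shift Rows, Mix Columns) built from scratch, as an added example that is not from the slides: the S-box is generated from the GF(2^8) inverse plus the affine map rather than copied as a table, so the slides' value S-box[d1] = 3e can be checked, and each step has its inverse so a round without AddRoundKey round-trips. State layout (column-major, state[r + 4*c]) is this example's convention.

```python
# Added example, not from the slides: SubBytes, ShiftRows and MixColumns with
# their inverses. State = 16 bytes in AES column-major order: state[r + 4*c]
# is row r, column c. AddRoundKey (a plain XOR) is left out on purpose.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B            # reduce by the field polynomial
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254   # group order is 255, so a^254 = a^-1
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def sbox_entry(x: int) -> int:
    """Rijndael S-box: field inverse, then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    b = gf_inv(x)
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [sbox_entry(i) for i in range(256)]
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def sub_bytes(state, inverse=False):
    table = INV_SBOX if inverse else SBOX
    return [table[b] for b in state]

def shift_rows(state, inverse=False):
    """Row r is rotated left by r bytes (right by r bytes for the inverse)."""
    out = list(state)
    for r in range(4):
        row = [state[r + 4 * c] for c in range(4)]
        k = -r if inverse else r
        row = row[k:] + row[:k]
        for c in range(4):
            out[r + 4 * c] = row[c]
    return out

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(state, inverse=False):
    """Multiply each 4-byte column by the fixed matrix over GF(2^8)."""
    m = INV_MIX if inverse else MIX
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(m[r][j], col[j])
            out.append(v)
    return out

def round_without_key(state):
    """SubBytes -> ShiftRows -> MixColumns: one AES round minus AddRoundKey."""
    return mix_columns(shift_rows(sub_bytes(state)))

def inverse_round_without_key(state):
    return sub_bytes(shift_rows(mix_columns(state, True), True), True)
```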
AES Encryption Simulation
Self Study (Not Included in Syllabus**)
• Rationale behind the steps.
• Mathematics Behind Galois Fields.
• S-box and Inverse S-box table generation
AES
• Based on a design principle known as a substitution–permutation
network and is efficient in both software and hardware.
• Takes a block of the plaintext and the key as inputs, and applies
several alternating rounds or layers of substitution boxes (S-boxes)
and permutation boxes (P-boxes) to produce the ciphertext block
• The key is introduced in each round, usually in the form of "round
keys" derived from it.
• Decryption is done by simply reversing the process.
Substitution-Permutation Network (SP Net)
• An S-box substitutes a small block of bits (the input of the S-box) by
another block of bits (the output of the S-box).
• This substitution should be one-to-one, to ensure invertibility (hence decryption).
• A P-box is a permutation of all the bits
• It takes the outputs of all the S-boxes of one round, permutes the bits, and feeds
them into the S-boxes of the next round.

• A good P-box has the property that the output bits of any S-box are
distributed to as many S-box inputs as possible.
• The round key (obtained from the key with some simple operations, for
instance, using S-boxes and P-boxes) is combined using some group
operation, typically XOR.
SP Net : Target
• A single typical S-box or a single P-box alone does not have much
cryptographic strength
• An S-box could be thought of as a substitution cipher, while a P-box could be
thought of as a transposition cipher.

• A well-designed SP network with several alternating rounds of S-boxes and P-boxes already satisfies Shannon's confusion and diffusion properties
• These properties, when present, work to restrict the application of statistics
and other methods of cryptanalysis.
Shannon’s Confusion and Diffusion Properties
• Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.
• Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.
AES (Advanced Encryption Standard)
• Based on the substitution–permutation network design principle
• Is efficient in both software and hardware
• Steps (Encryption Side):
• Key expansion
• Initial round key addition
• 9/11/13 rounds of subBytes, shiftRow, mixColumn and addRoundKey
• Final round of shiftRow, subBytes and addRoundKey
• N.B: the mixColumn sub-step is not present here!!!
AES (Advanced Encryption Standard)
• subBytes Step: Uses S-Box
• Avoid attacks based on simple algebraic properties
• The Rijndael S-box was specifically designed to be resistant to linear and
differential cryptanalysis.
• Minimizing the correlation between linear transformations of input/output bits.
• Minimizing the difference propagation probability.
• Obscures the relationship between the key and the ciphertext, thus ensuring
Shannon's property of confusion.
AES (Advanced Encryption Standard)
The shiftRows and mixColumns steps together implement the P-Box.
• Shift Rows:
• Avoids the columns being encrypted independently, otherwise AES would degenerate into four independent block ciphers
• Mix Columns:
• Together with ShiftRows, MixColumns provides diffusion in the cipher.
Attacks on Block Ciphers (like DES,3DES,AES)
• Linear Cryptanalysis:
• General form of cryptanalysis based on finding affine approximations to the
action of a cipher
• Steps:
• Construct linear equations relating plaintext, ciphertext and key bits that
have a high bias; that is, whose probabilities of holding are as close as
possible to 0 or 1
• Use these linear equations in conjunction with known plaintext-ciphertext
pairs to derive key bits.
Attacks on Block Ciphers
• Differential Cryptanalysis:
• It is the study of how differences in information input can affect the resultant
difference at the output
• The attacker then computes the differences of two ciphertexts of two known
plaintexts, hoping to detect statistical patterns in their distribution
• Statistical properties depend upon the nature of the S-boxes used for
encryption
Cryptographic Hash Function
• A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size to a bit array of a fixed size
SHA-256
• SHA stands for Secure Hash Algorithm and is one of a number of cryptographic hash functions.
• SHA is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST).
• SHA-0 is the first version of the SHA algorithm, from 1993, followed by SHA-1 in 2004.
• SHA-2 is widely used in standard modern cryptographic applications.
• Bitcoin uses the SHA-256 variant as a hashing algorithm to solve Proof-of-Work (POW : the process of validating transactions on a blockchain to confirm transactions, close a block, and open a new one).
How does SHA-256 Algorithm Works?
Cryptographic Hash Function : Properties

Pre-image resistance
• For essentially all possible hash values h, given h it should be infeasible to find any m such that H(m) = h.
• Also known as the One-way property

Second pre-image resistance
• Given any first input m1, it should be infeasible to find any distinct second input m2 such that H(m1) = H(m2)
• Also known as weak collision resistance

Collision resistance
• It should be infeasible to find any pair of distinct inputs m1, m2 such that H(m1) = H(m2)
• Also known as strong collision resistance
Collision Resistant Hash Functions
• Second-preimage resistance fails to guarantee collision resistance
• Fixing one string (say m1 in H) makes collision-finding significantly more costly
• Reason : Birthday Paradox !!!
The Birthday Paradox
• What number n of people are needed in a room before a shared birthday is expected among them (i.e., with probability p = 0.5)?
• Ans. Only 23.
• Related Question : Given n people in a room, what is the probability that two of them have the same birthday?
• P = 0.71 for n = 30
• P = 0.97 for n = 50
• In security, attackers can often solve problems more efficiently than expected !
• The “collision” here is not for one pre-specified day (e.g., your birthday); any matching pair will do
The Birthday Paradox
[Figure: probability that no two people share a birthday in a group of n people. Note that the vertical scale is logarithmic (each step down is 10^20 times less likely).]
The Birthday Paradox Vs Hash Value Collisions

Birthday Collisions:
• m = 365 (1 year = 365 days)
• k = # of persons considered

Hash Collisions:
• m = # of hash values available for messages
• k = # of messages considered for mapping into those available hash values.
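The birthday arithmetic behind the slides' numbers (m = 365, k people: P = 0.71 for 30, 0.97 for 50, and 23 is the smallest k with P >= 0.5), as an added example that is not from the slides, written so m can also be the number of hash values, 2^bits. The approximation k ~ sqrt(2 m ln(1/(1-p))) and the hash_effort comparison (collision versus second preimage) are this example's additions to the slide's table.

```python
# Added example, not from the slides: birthday-paradox probabilities for m
# values and k draws, then the same formula with m = 2^bits to show why a
# b-bit hash offers only about b/2 bits of collision resistance, while fixing
# one input (second preimage) still costs about 2^b.
import math

def p_no_collision(k: int, m: int = 365) -> float:
    """Probability that k values drawn uniformly from m are all distinct."""
    p = 1.0
    for i in range(k):
        p *= (m - i) / m
    return p

def p_collision(k: int, m: int = 365) -> float:
    """Probability that at least one pair among k values collides."""
    return 1.0 - p_no_collision(k, m)

def smallest_k(m: int = 365, p: float = 0.5) -> int:
    """Exact smallest k with P(collision) >= p, by direct search (fine for small m)."""
    k = 1
    while p_collision(k, m) < p:
        k += 1
    return k

def k_needed(m: int, p: float = 0.5) -> int:
    """Approximate k for collision probability p among m values (works for m = 2^256 too)."""
    return math.ceil(math.sqrt(2 * m * math.log(1 / (1 - p))))

def hash_effort(bits: int) -> tuple:
    """(hashes to find some colliding pair, hashes to find a second preimage of one
    fixed input): about 2^(bits/2) versus about 2^bits."""
    m = 2 ** bits
    return k_needed(m), m
```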
Hash Function Design : The Merkle-Damgard Construction
• The Merkle-Damgard construction is a process of making a cryptographic hash function using a one-way compression function.
• This construction is based on the rule that if the compression function is collision resistant, the hash function will also be collision resistant.
• Many popular hash functions like MD5, SHA-1, and SHA-2 have been designed using the Merkle-Damgard construction.
The Merkle-Damgard Construction : How it works?
• The process starts with expanding the input message to a length that is a multiple of some fixed number of bits.
• It is necessary because the compression function only works on fixed-length inputs.
The Merkle-Damgard Construction : How it works?
• Why is padding important?
• It is important to carefully select the padding scheme for message-length expansion because weak padding can introduce a security vulnerability into the function.
• Padding should be MD-compliant, which means it should satisfy the following conditions:
The Merkle-Damgard Construction : How it works?
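A Merkle-Damgard hash assembled from a fixed-input-length compression function, as an added example that is not from the slides: MD-compliant padding (a single 1 bit, zero bits, then the original message length) is placed beside the weak zero-only padding the slides warn about, which makes m and m followed by a zero byte hash to the same value. The compression function is a stand-in built on SHA-256 and is this example's assumption; the construction, not the primitive, is the point.

```python
# Added example, not from the slides: Merkle-Damgard chaining with MD
# strengthening versus naive zero padding. compress() is a stand-in built on
# SHA-256 so the code runs offline; any one-way compression function fits.
import hashlib

BLOCK = 64          # bytes consumed per compression step
STATE = 32          # bytes of chaining value
IV = bytes(STATE)   # constant initial chaining value (all zeros for the demo)

def compress(h: bytes, block: bytes) -> bytes:
    """Stand-in one-way compression function f: (32-byte h, 64-byte block) -> 32 bytes."""
    assert len(h) == STATE and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()

def md_pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zero bytes, 8-byte big-endian bit length; total a multiple of BLOCK."""
    padded = msg + b'\x80'
    padded += b'\x00' * ((-len(padded) - 8) % BLOCK)
    return padded + (8 * len(msg)).to_bytes(8, 'big')

def naive_zero_pad(msg: bytes) -> bytes:
    """Weak padding: zeros only, so m and m + b'\\x00' usually become the same padded input."""
    return msg + b'\x00' * (-len(msg) % BLOCK)

def md_hash_with(pad_fn, msg: bytes) -> bytes:
    """Chain h_i = f(h_{i-1}, m_i) over the padded blocks; the last h_i is the digest."""
    h = IV
    padded = pad_fn(msg)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

def md_hash(msg: bytes) -> bytes:
    return md_hash_with(md_pad, msg)

def zero_padding_collides(msg: bytes) -> bool:
    """True when msg and msg + b'\\x00' get the same digest under zero-only padding
    (they do whenever the padding still has room for one more zero byte)."""
    return md_hash_with(naive_zero_pad, msg) == md_hash_with(naive_zero_pad, msg + b'\x00')
```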
RSA
• RSA is one of the oldest asymmetric encryption algorithms
• The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman
• The security of RSA relies on the practical difficulty of factoring the product of two large prime numbers, the "factoring problem".
RSA algorithm steps
1. Key-Generation
Step-1: Select two large prime numbers p and q where p ≠ q.
Step-2: Calculate n = p * q.
Step-3: Calculate Ф(n) = (p-1) * (q-1).
Step-4: Select e such that, e is relatively prime to Ф(n), i.e. gcd(e, Ф(n)) = 1 and 1 < e < Ф(n)
Step-5: Calculate d = e^-1 mod Ф(n) or ed = 1 mod Ф(n).
Step-6: Public key = {e, n}, Private key = {d, n}.
RSA algorithm : Example
Step – 1: Select two prime numbers p and q where p ≠ q.
Example, Two prime numbers p = 13, q = 11.

Step – 2: Calculate n = p * q.
Example, n = p * q = 13 * 11 = 143.

Step – 3: Calculate Ф(n) = (p-1) * (q-1).
Example, Ф(n) = (13 – 1) * (11 – 1) = 12 * 10 = 120.

Step – 4: Select e such that, e is relatively prime to Ф(n), i.e. gcd(e, Ф(n)) = 1 and 1 < e < Ф(n).
Example, Select e = 13, gcd (13, 120) = 1.
See Euler’s Totient
RSA algorithm : Example
• Step – 5: Calculate d = e^-1 mod Ф(n) or e * d = 1 mod Ф(n)
• Example, Finding d: e * d mod Ф(n) = 1
• 13 * d mod 120 = 1
• (How to find: d * e = 1 mod Ф(n)
• d = ((Ф(n) * i) + 1) / e
• d = (120 + 1) / 13 = 9.30 (∵ i = 1)
• d = (240 + 1) / 13 = 18.53 (∵ i = 2)
• d = (360 + 1) / 13 = 27.76 (∵ i = 3)
• d = (480 + 1) / 13 = 37 (∵ i = 4))

Step – 6: Public key = {e, n}, private key = {d, n}.
Example,
Public key = {13, 143} and
Private key = {37, 143}.
2. Encryption
• Find out the cipher text using the formula, C = P^e mod n where, P < n.
• Example, Plain text P = 13. (Where, P < n)
C = P^e mod n = 13^13 mod 143 = 52.

3. Decryption
• P = C^d mod n. Plain text P can be obtained using the given formula.
• Example, Cipher text C = 52
P = C^d mod n = 52^37 mod 143 = 13.
Digital Signature
RSA Signature Scheme
• Almost similar (actually the reverse of) the RSA algorithm

Given That,
RSA Digital Signature Scheme : Proof

Alice (Sender):
• Creating message M
• Generating signature S = M^d mod n
• Sending the (M, S) pair through the communication channel

Bob (Receiver):
• Receiving the pair (M, S)
• Extracting M′ from the signature: M′ = S^e mod n
Digital Signature
• Digital signature provides 3 important properties
• Data origin authentication: assurance of who originated (signed) a message or file
• Data integrity: assurance that received content is the same as that originally signed.
• Non-repudiation: strong evidence of unique origination, making it hard for a party to digitally sign data and later successfully deny having done so.
RSA Signature Scheme : Existential Forgery
RSA Signature Scheme : Problem
• Solution :
• Get the cryptographic hash h of the message m
• Sign the hash of the message
• Send the message to the other side
• The receiver computes the hash h’ for that message
• Extract the signature from the message.
• So H(M) · H(N) is very unlikely to match H(M · N)
RSA Signature Scheme : Existential Forgery Solution
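Textbook RSA with the slides' numbers (p = 13, q = 11, e = 13, so n = 143, Ф(n) = 120, d = 37, and P = 13 encrypts to C = 52), the RSA signature scheme S = M^d mod n with verification M′ = S^e mod n, and the existential-forgery problem next to the hash-then-sign solution from the slides, as an added example that is not the slides' own code. The multiplicative property (S1·S2 is a valid signature on M1·M2) is what hashing removes; h_mod_n reduces SHA-256 below the toy n and is this example's simplification.

```python
# Added example, not from the slides: RSA key generation, encryption,
# decryption and signatures with the slides' toy parameters. Real keys are
# 2048+ bits and use OAEP / PSS padding rather than raw exponentiation.
import hashlib
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-6 from the slides. Returns (public key (e, n), private key (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                  # e * d = 1 mod phi(n)
    return (e, n), (d, n)

def d_by_search(e: int, phi: int) -> int:
    """The slides' way to find d: try d = (phi*i + 1) / e for i = 1, 2, ... until it is an integer."""
    i = 1
    while (phi * i + 1) % e:
        i += 1
    return (phi * i + 1) // e

def rsa_encrypt(pub, P: int) -> int:
    e, n = pub
    if not 0 <= P < n:
        raise ValueError("plaintext must satisfy P < n")
    return pow(P, e, n)                  # C = P^e mod n

def rsa_decrypt(priv, C: int) -> int:
    d, n = priv
    return pow(C, d, n)                  # P = C^d mod n

def rsa_sign(priv, M: int) -> int:
    d, n = priv
    return pow(M, d, n)                  # S = M^d mod n (the reverse of encryption)

def rsa_verify(pub, M: int, S: int) -> bool:
    e, n = pub
    return pow(S, e, n) == M % n         # M' = S^e mod n must equal M

def multiplicative_forgery(pub, M1, S1, M2, S2):
    """Textbook RSA signatures are multiplicative: (S1*S2) mod n verifies as a
    signature on (M1*M2) mod n although nobody signed that value. This is the
    existential forgery the slides describe, and why raw M is never signed."""
    _, n = pub
    return (M1 * M2) % n, (S1 * S2) % n

def h_mod_n(M: int, n: int) -> int:
    """Message digest reduced below n (toy; real schemes keep the full-width hash)."""
    return int.from_bytes(hashlib.sha256(str(M).encode()).digest(), 'big') % n

def rsa_sign_hashed(priv, M: int) -> int:
    """Sign H(M) instead of M: H(M1)*H(M2) no longer matches H(M1*M2), so the
    multiplicative trick yields a signature on nothing meaningful."""
    return rsa_sign(priv, h_mod_n(M, priv[1]))

def rsa_verify_hashed(pub, M: int, S: int) -> bool:
    return rsa_verify(pub, h_mod_n(M, pub[1]), S)
```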
Message Authentication Code (MAC)
• Provides authentication and integrity
• But not Non-repudiation…
• Because, even if a third party cannot compute the MAC, the sender could dispute sending the message and assert that the recipient forged it, because it is impossible to tell which of the two parties computed the MAC.
The Elgamal Cryptosystem
• The Elgamal cryptosystem, named after its inventor, Taher Elgamal, is a public-key cryptosystem that uses randomization, so that
• independent encryptions of the same plaintext are likely to produce different ciphertexts.
• It is based on viewing input blocks as numbers and applying arithmetic operations on these numbers to perform encryption and decryption.
The Elgamal Cryptosystem
• In the number system Z_p, all arithmetic is done modulo a prime number p
• A number g in Z_p is said to be a generator or primitive root modulo p if for each positive integer i in Z_p there is an integer k such that i = g^k mod p.
• There are φ(p − 1) generators in Z_p
The Elgamal Cryptosystem
• For a prime number, φ(p) = p − 1
• Test different numbers until we find a generator
• Test for g :
• For each prime factor p_i of p − 1
• If any value is equal to 1, g is not a generator
• Difficult to find all prime factors of p − 1 : choose p such that p is large and the factors of p − 1 are known
The Elgamal Cryptosystem
• Once we have a generator g, we can efficiently compute x = g^k mod p for any value k between 1 and p − 2
• Conversely, given x, g, and p, the problem of determining k such that x = g^k mod p is known as the discrete logarithm problem.
• Widely considered computationally difficult (similar to the factoring problem)
The Elgamal Cryptosystem : Method
• As a part of the setup, Bob chooses a random large prime number, p, and finds a generator, g, for Z_p
• picks a random number, x, between 1 and p − 2, and computes y = g^x mod p
• x is the secret key for Bob
• (p, g, y) triplet is the public key
The Elgamal Cryptosystem
• Alice wants to send message M to Bob
• First, she collects Bob’s public key i.e. (p, g, y)
• Generates a random number k between 1 and p − 2
• she then uses modular multiplication and exponentiation to compute two numbers:
• So, the ciphertext pair (a, b) is sent to Bob.
• Bob decrypts it by computing :
The Elgamal Cryptosystem
• Given that, Is it Valid ?
Proof: M′ =
The Elgamal Cryptosystem : Secure ???
• The security of this scheme is based on the fact that, without knowing x, it would be very difficult for an eavesdropper to decrypt the ciphertext, (a, b).
• Since everyone knows y = g^x mod p, from Bob’s public key, the security of this scheme is therefore related to the difficulty of solving the discrete logarithm problem.
• Which is computationally difficult.
• Thus, the security of the Elgamal cryptosystem is based on a difficult problem from number theory.
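The Elgamal method from the preceding slides in code, as an added example that is not the slides' own: the generator test (for each prime factor q of p − 1 compute g^((p−1)/q) mod p; any result of 1 means g is not a generator), Bob's setup with secret x and public triplet (p, g, y), and Alice's randomized encryption with a fresh k per message. The pair (a, b) = (g^k mod p, M·y^k mod p) and the decryption M = b·(a^x)^-1 mod p are the standard Elgamal formulas, which the slides leave to their figures; the primes are toy sized so p − 1 factors instantly.

```python
# Added example, not from the slides: Elgamal over Z_p with the slides'
# generator test, key setup and randomized encryption/decryption. Deployments
# use 2048-bit+ groups (or elliptic curves); p here is small on purpose.
import secrets

def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (fine for small teaching primes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g: int, p: int) -> bool:
    """g generates Z_p* iff g^((p-1)/q) mod p != 1 for every prime factor q of p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def count_generators(p: int) -> int:
    """Equals phi(p-1), as the slides state."""
    return sum(is_generator(g, p) for g in range(1, p))

def find_generator(p: int) -> int:
    """Test candidates until one passes (the slides' 'test different numbers')."""
    return next(g for g in range(2, p) if is_generator(g, p))

def keygen(p: int):
    """Bob: generator g, secret x in [1, p-2], public y = g^x mod p."""
    g = find_generator(p)
    x = secrets.randbelow(p - 2) + 1
    return (p, g, pow(g, x, p)), x

def encrypt(pub, M: int):
    """Alice: fresh random k per message, a = g^k mod p, b = M * y^k mod p."""
    p, g, y = pub
    if not 0 < M < p:
        raise ValueError("message must be in 1..p-1")
    k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (M * pow(y, k, p)) % p

def decrypt(x: int, pub, ct) -> int:
    """Bob: a^x = g^(kx) = y^k, so M = b * (a^x)^-1 mod p."""
    p, _, _ = pub
    a, b = ct
    return (b * pow(pow(a, x, p), -1, p)) % p

def roundtrip(p: int, M: int) -> bool:
    pub, x = keygen(p)
    return decrypt(x, pub, encrypt(pub, M)) == M
```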
The Elgamal Signature Scheme
• In the Elgamal signature scheme, document signatures are done through randomization, as in Elgamal encryption,
• but the details for Elgamal signatures are quite different from Elgamal encryption
• Alice chooses a large random number, p, finds a generator for Z_p, picks a (secret) random number, x, computes y = g^x mod p, and publishes the pair (y, p, g) as her public key.
• To sign a message, M, Alice generates a fresh one-time-use random number, k, and computes the following two numbers:
The Elgamal Signature Scheme
The Elgamal Signature Scheme : Secure ???
• The security of this scheme is based on the fact that the computation of b depends on both the random number, k, and Alice’s secret key, x.
• Also, because k is random, its inverse is also random; hence, it is impossible for an adversary to distinguish b from a random number, unless she can solve the discrete logarithm problem to determine the number k from a (which equals g^k mod p).
• Thus, like Elgamal encryption, the security of the Elgamal signature scheme is based on the difficulty of computing discrete logarithms.
The Elgamal Signature Scheme : Caution
• Alice should never reuse the same k twice
Key Exchange Protocol
• A key exchange protocol is a cryptographic approach to establishing a shared secret key by communicating solely over an insecure channel, without any previous private communication.
• Shared secret key for symmetric encryption
• Assumption : Attacker cannot actively modify messages
• it can be shown that no key exchange protocol exists if the adversary can actively modify messages sent over the insecure channel
• Passive eavesdropping on channel
Diffie-Hellman Key Exchange Protocol (DH)
Man In the Middle Attack
References
• https://en.wikipedia.org/wiki/Substitution%E2%80%93permutation_network
• https://en.wikipedia.org/wiki/Confusion_and_diffusion
• https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• https://en.wikipedia.org/wiki/Data_Encryption_Standard
• https://www.youtube.com/watch?v=orIgy2MjqrA
Resources
• https://people.scs.carleton.ca/~paulv/toolsjewels.html : Chapter 2
• Goodrich and Tamassia : Chapter 8
• https://www3.nd.edu/~busiforc/handouts/cryptography/cryptography%20hints.html#:~:text=The%20most%20common%20two%2Dletter,words%20are%20the%20and%20and.
• https://crypto.stackexchange.com/questions/13274/the-difference-between-these-4-breaking-cipher-techniques
• https://security.stackexchange.com/questions/261753/why-is-one-time-pad-informationally-secure
