Asymmetric Ciphers

Uploaded by nikhillamsal1

• Also known as public-key cryptosystems, public-key cryptography or public-key ciphers
• Different keys for encryption and decryption
✓ The development of public-key cryptography is the greatest and perhaps the only true
revolution in the entire history of cryptography.
✓ It is asymmetric, involving the use of two separate keys, in contrast to symmetric
encryption, which uses only one key.
✓ Anyone knowing the public key can encrypt messages or verify signatures, but cannot
decrypt messages or create signatures
✓ It works by the clever use of number theory problems that are easy one way but hard
the other.
✓ Note that public-key schemes are neither more nor less secure than private-key (symmetric) schemes (security depends on the key size for both), nor do they replace private-key schemes (they are too slow to do so); rather, they complement them. Both also have issues with key distribution, requiring the use of some suitable protocol.

Why Public-Key Cryptography?

• Developed to address two key issues:
1. Key distribution – how to have secure communications in general without having to trust a KDC (Key Distribution Center) with your key
2. Digital signatures – how to verify that a message comes intact from the claimed sender
• It was publicly introduced by Whitfield Diffie, Martin Hellman and Ralph Merkle in 1976.

Number Theory
A number of concepts from number theory are essential in the design of public-key cryptographic
algorithms.

Prime Numbers:

➔ An integer p > 1 is a prime number if and only if its only divisors are ± 1 and ±p.
Cryptography

➔ Prime numbers play a critical role in number theory and in the techniques discussed in the following chapters.

▪ Any integer $a > 1$ can be factored in a unique way as

Where,

and each $a_i$ is a positive integer.

▪ This is known as the fundamental theorem of arithmetic.


▪ Example:

▪ If P is the set of all prime numbers, then any positive integer a can be written
uniquely in the following form:

• The right-hand side is the product over all possible prime numbers p; for any particular value of a, most of the exponents $a_p$ will be 0.

• The value of any given positive integer can be specified by simply listing all the
nonzero exponents in the foregoing formulation.

• Multiplication of two numbers is equivalent to adding the corresponding exponents.

Given ,

Define 𝒌 = 𝒂𝒃. We know that the integer 𝒌 can be expressed as the product of
powers of primes:

It follows that

$k_p = a_p + b_p$ for all $p \in P$.

• Any integer of the form $p^n$ can be divided only by an integer that is of a lesser or equal power of the same prime number, $p^j$ with $j \le n$. Thus, we can say the following.

• It is easy to determine the greatest common divisor of two positive integers if we express each integer as the product of primes.

The following relationship always holds:

Note: Determining the prime factors of a large number is no easy task, so the preceding relationship does not directly lead to a practical method of calculating the greatest common divisor.

Fermat’s Theorem
• Also known as Fermat’s little theorem
• Given in 1640 by French mathematician Pierre de Fermat

• Fermat’s theorem states the following:


If p is prime and a is a positive integer not divisible by p, then

Here, a and p are relatively prime.

Example:

Let a = 2 and p = 17.

According to Fermat's little theorem,

$2^{17-1} \equiv 1 \pmod{17}$

[65536 mod 17 = 1, which means (65536 − 1) is divisible by 17]

• An alternative form of Fermat’s theorem is also useful:

If p is prime and a is a positive integer, then

Here, a and p need not be relatively prime.



Euler’s Totient Function


• By Leonhard Euler in 1763
• Also known as Euler's phi function or simply the phi function.
• Euler’s totient function, written 𝝓(n), is defined as the number of positive integers less than n and relatively prime to n.
• By convention, 𝝓(1) = 1

Try yourself:
Verify:
𝜙(4) = 2, 𝜙(12) = 4, 𝜙(15) = 8, 𝜙(32) = 16

• The value 𝜙(1) is without meaning but is defined to have the value 1.
• Now suppose that we have two prime numbers p and q with p ≠ q. Then we can show that, for n = pq,

Some Values of Euler’s Totient Function 𝝓(n)

Euler’s Theorem

• Also known as the Fermat–Euler theorem or Euler's totient theorem (given in 1763 by Euler)
• Euler’s theorem states that for every a and n that are relatively prime:

(Integers a and n are coprime)

• As is the case for Fermat’s theorem, an alternative form of the theorem is also useful:

(Integers a and p need not be relatively prime)
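The prime-exponent representation, the gcd relationship and the totient values above can be checked with the following added Python example, which is not part of the original notes. All function names are illustrative, and trial division is only suitable for small integers.

```python
from math import gcd

def factorize(n):
    """Return {prime: exponent} listing the nonzero exponents of n (trial division)."""
    exps, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            exps[p] = exps.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        exps[n] = exps.get(n, 0) + 1
    return exps

def multiply_exponents(a, b):
    """Exponents of k = a*b: add the corresponding exponents of a and b."""
    fa, fb = factorize(a), factorize(b)
    return {p: fa.get(p, 0) + fb.get(p, 0) for p in fa.keys() | fb.keys()}

def gcd_from_factors(a, b):
    """gcd(a, b): for each shared prime take the smaller of the two exponents."""
    fa, fb = factorize(a), factorize(b)
    g = 1
    for p in fa.keys() & fb.keys():
        g *= p ** min(fa[p], fb[p])
    return g

def phi_by_definition(n):
    """Count the positive integers below n that are relatively prime to n."""
    if n == 1:
        return 1  # by convention
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def phi_from_factors(n):
    """phi(n) = n * product over primes p dividing n of (1 - 1/p)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result

def euler_holds(a, n):
    """Check a^phi(n) mod n == 1 for relatively prime a and n."""
    return gcd(a, n) == 1 and pow(a, phi_from_factors(n), n) == 1

if __name__ == "__main__":
    print(factorize(3600))                                   # nonzero exponents only
    print(gcd_from_factors(300, 18))
    print([phi_from_factors(n) for n in (4, 12, 15, 32)])    # values from "Try yourself"
    print(euler_holds(3, 10))
```

For a product n = pq of two distinct primes, `phi_from_factors` reduces to (p - 1)(q - 1), the value RSA key generation relies on.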



Testing for Primality


• For many cryptographic algorithms, it is necessary to select one or more very large prime numbers at random.
• Thus, we are faced with the task of determining whether a given large number is prime.
• There is no simple yet efficient means of accomplishing this task.

Miller-Rabin Algorithm
• Also referred to in the literature as the Rabin-Miller algorithm, the Rabin-Miller test, or the Miller-Rabin test.
• Due to Miller and Rabin
• Typically used to test a large number for primality.

Necessary Background Concepts

▪ Any positive odd integer n ≥ 3 can be expressed as

$n - 1 = 2^k q$ with k > 0, q odd

To see this, note that n - 1 is an even integer. Then, divide (n - 1) by 2 until the result is an odd number q, for a total of k divisions. If n is expressed as a binary number, then the result is achieved by shifting the number to the right until the rightmost digit is a 1, for a total of k shifts.

Two Properties of Prime Numbers

The first property is stated as follows:

If p is prime and a is a positive integer less than p, then $a^2 \bmod p = 1$ if and only if either

a mod p = 1 or a mod p = -1 mod p = p - 1.

By the rules of modular arithmetic,

$(a \bmod p)(a \bmod p) = a^2 \bmod p$.

Thus, if either a mod p = 1 or a mod p = -1, then $a^2 \bmod p = 1$.

Conversely, if $a^2 \bmod p = 1$, then $(a \bmod p)^2 = 1$, which is true only for

a mod p = 1 or a mod p = -1.



The second property is stated as follows:

Let p be a prime number greater than 2. We can then write $p - 1 = 2^k q$ with k > 0, q odd.

Let a be any integer in the range 1 < a < p - 1.

Then one of the two following conditions is true.

1. $a^q$ is congruent to 1 modulo p. That is, $a^q \bmod p = 1$, or equivalently,

$a^q \equiv 1 \pmod{p}$.

2. One of the numbers

is congruent to -1 modulo p. That is, there is some number j in the range (1 ≤ j ≤ k) such that

mod p = -1 mod p = p - 1

or equivalently,

Algorithm

If n is the number whose primality is to be tested, then:

Note:
• It can be shown that given an odd number n that is not prime and a randomly chosen integer a with 1 < a < n - 1, the probability that TEST will return inconclusive (i.e., fail to detect that n is not prime) is less than 1/4.
• Thus, if t different values of a are chosen, the probability that all of them will pass TEST (return inconclusive) for n is less than $(1/4)^t$.
• For example, for t = 10, the probability that a nonprime number will pass all ten tests is less than $10^{-6}$.
• Thus, for a sufficiently large value of t, we can be confident that n is prime if Miller’s test
always returns inconclusive.
• This gives us a basis for determining whether an odd integer n is prime with a reasonable
degree of confidence.
• The procedure is as follows: Repeatedly invoke TEST (n) using randomly chosen values
for a. If, at any point, TEST returns composite, then n is determined to be nonprime. If
TEST continues to return inconclusive for t tests, then for a sufficiently large value of t,
assume that n is prime.
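The test and the repeated-invocation procedure described above, as an added Python example that is not taken from the original notes. The names `decompose`, `mr_round` and `is_probable_prime` are illustrative; `mr_round` plays the role of TEST and returns the same two outcomes, composite or inconclusive.

```python
import random

def decompose(n):
    """Write n - 1 = 2^k * q with q odd and return (k, q)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        q //= 2
        k += 1
    return k, q

def mr_round(n, a):
    """One round of the test for odd n >= 5 and a base a with 1 < a < n - 1."""
    k, q = decompose(n)
    x = pow(a, q, n)                      # a^q mod n
    if x == 1 or x == n - 1:
        return "inconclusive"
    for _ in range(k - 1):                # a^(2q), a^(4q), ..., a^(2^(k-1) q)
        x = pow(x, 2, n)
        if x == n - 1:
            return "inconclusive"
    return "composite"

def is_probable_prime(n, t=10, rng=random.SystemRandom()):
    """Run t rounds with random bases; a composite survives with probability < (1/4)^t."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)       # random base with 1 < a < n - 1
        if mr_round(n, a) == "composite":
            return False
    return True

if __name__ == "__main__":
    print(decompose(29))                  # 28 = 2^2 * 7
    print(mr_round(29, 10))               # prime: always inconclusive
    print(mr_round(221, 5))               # 221 = 13 * 17, base 5 exposes it
    print(mr_round(221, 21))              # base 21 fails to detect that 221 is composite
    print(is_probable_prime(2**61 - 1))
```

The base 21 case shows why a single inconclusive result proves nothing and several independent random bases are needed.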

Ingredients of Public Key Cryptosystems


A public-key encryption scheme has the following six ingredients:

1. Plaintext: This is the readable message or data that is fed into the algorithm as input.
2. Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
3. Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the algorithm depend on the public or private key that is provided as input.
4. Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
5. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.

The essential steps are the following.

1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As the figure below suggests, each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
A closer look at the essential elements of a public-key encryption scheme
Let us take a closer look at the essential elements of a public-key encryption scheme, using the following figure.
Public-Key Cryptosystem: Secrecy
Main Idea: Encryption by Receiver’s public key and Decryption by
Receiver’s private key.
• There is some source A that produces a message in plaintext, X =
[X1, X2, … , XM].
• The M elements of X are letters in some finite alphabet.
• The message is intended for destination B.
• B generates a related pair of keys: a public key, PUb, and a private key, PRb.
• PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
• With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, … , YN]:

Y = E(PUb, X)

• The intended receiver, in possession of the matching private key, is able to invert the transformation:

X = D(PRb, Y)

• An adversary, observing Y and having access to PUb, but not having access to PRb or X, must attempt to recover X and/or PRb.
• It is assumed that the adversary does have knowledge of the encryption (E) and decryption (D) algorithms. If the adversary is interested only in this particular message, then the focus of effort is to recover X by generating a plaintext estimate $\hat{X}$. Often, however, the adversary is interested in being able to read future messages as well, in which case an attempt is made to recover PRb by generating an estimate $\widehat{PR}_b$.

Figure : Public-Key Cryptosystem: Secrecy

• This scheme is for confidentiality



Public-Key Cryptosystem: Authentication

Main Idea: Encryption by Sender’s private key and Decryption by Sender’s public key.

• In this case, A prepares a message to B and encrypts it using A’s private key before
transmitting it.
• B can decrypt the message using A’s public key.

• Because the message was encrypted using A’s private key, only A could have prepared
the message. Therefore, the entire encrypted message serves as a digital signature.
• In addition, it is impossible to alter the message without access to A’s private key, so the
message is authenticated both in terms of source and in terms of data integrity.

Figure: Public-Key Cryptosystem: Authentication



Public-Key Cryptosystem: Authentication and Secrecy

It is possible to provide both the authentication function and confidentiality by a double use of the public-key scheme.

Main Idea: First encrypt using the Sender’s private key, then encrypt the result using the Receiver’s public key. Similarly, first decrypt using the Receiver’s private key, then decrypt the result using the Sender’s public key.

• In this case, we begin as before by encrypting a message, using the sender’s private
key. This provides the digital signature.
• Next, we encrypt again, using the receiver’s public key. The final ciphertext can be
decrypted only by the intended receiver, who alone has the matching private key.
Thus, confidentiality is provided.
• The disadvantage of this approach is that the public-key algorithm, which is complex,
must be exercised four times rather than two in each communication.

Applications for Public-Key Cryptosystems


• Public-key systems are characterized by the use of a cryptographic algorithm with two
keys, one held private and one available publicly.
• Depending on the application, the sender uses either the sender’s private key or the
receiver’s public key, or both, to perform some type of cryptographic function.
• In broad terms, we can classify the use of public-key cryptosystems into the following three categories:
1. Encryption/decryption: The sender encrypts a message with the recipient’s
public key.
2. Digital signature: The sender “signs” a message with its private key. Signing is
achieved by a cryptographic algorithm applied to the message or to a small block
of data that is a function of the message.
3. Key exchange: Two sides cooperate to exchange a session key. Several different
approaches are possible, involving the private key(s) of one or both parties.
• Some algorithms are suitable for all uses; others are specific to one.

Requirements for Public-Key Cryptography

A public-key cryptographic algorithm must satisfy the following conditions:

1. It is computationally easy for a party B to generate a pair (public key PUb, private key
PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be
encrypted, M, to generate the corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the
private key to recover the original message:

M = D(PRb,C) = D[PRb, E(PUb,M)]


4. It is computationally infeasible for an adversary, knowing the public key, PUb, to determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the public key, PUb, and a
ciphertext, C, to recover the original message, M.

We can add a sixth requirement that, although useful, is not necessary for all public-key
applications:
6. The two keys can be applied in either order:
M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]

The RSA Algorithm


• RSA is the best known, and by far the most widely used general public key encryption
algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978
• Since that time RSA has reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption.
• It is based on exponentiation in a finite (Galois) field over integers modulo a prime, using large integers (e.g., 1024 bits).
• Its security is due to the cost of factoring large numbers.
• The RSA scheme is a cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits. That is, n is less than $2^{1024}$.

Algorithm

Alice generates a public/private key pair; Bob encrypts using Alice’s public key; and Alice
decrypts using her private key.

Key Generation by Alice

Encryption by Bob with Alice’s Public Key

Decryption by Alice with Alice’s Private Key



Example of RSA algorithm

In this simple example, the plaintext is an alphanumeric string. Each plaintext symbol is
assigned a unique code of two decimal digits (e.g., a = 00, A = 26). A plaintext block
consists of four decimal digits, or two alphanumeric characters.

For this example, the keys were generated as follows

The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.

The example shows the use of these keys for a plaintext input of M = 88.

For encryption, we need to calculate $C = 88^7 \bmod 187$.

Exploiting the properties of modular arithmetic, we can do this as follows.


For decryption, we calculate $M = 11^{23} \bmod 187$:
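The worked example above, reproduced as an added Python example that is not part of the original notes. The keys PU = {7, 187}, PR = {23, 187} and the block M = 88 are the page's; the primes 17 and 11 are simply the factors of the page's modulus 187, and all function names are illustrative. This is textbook RSA without padding, for study only.

```python
from math import gcd

def keygen(p, q, e):
    """Textbook RSA key generation from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                   # d is the inverse of e modulo phi(n)
    return (e, n), (d, n)

def modexp(base, exp, mod):
    """Square-and-multiply: reduce after every step so values stay below mod^2."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return modexp(m, e, n)

def decrypt(c, priv):
    d, n = priv
    return modexp(c, d, n)

def private_key_from_public(pub):
    """Why n must be large: a small n is factored by trial division,
    after which the private exponent follows from key generation."""
    e, n = pub
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return keygen(p, n // p, e)[1]

if __name__ == "__main__":
    pub, priv = keygen(17, 11, 7)
    c = encrypt(88, pub)
    print(pub, priv, c, decrypt(c, priv))
    print(private_key_from_public(pub))   # same private key, from public data only
```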

Encryption of multiple blocks using RSA

The following figures illustrate the sequence of events for the encryption of multiple blocks; figure (b) gives a specific example. The circled numbers indicate the order in which operations are performed.

Diffie-Hellman Key Exchange


▪ The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography and is generally referred to as Diffie-Hellman key exchange.
▪ A number of commercial products employ this key exchange technique.
▪ The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent symmetric encryption of messages.
▪ The algorithm itself is limited to the exchange of secret values.
▪ The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.

The algorithm

The following figure summarizes the Diffie-Hellman key exchange algorithm. For this scheme, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. Suppose the users A and B wish to create a shared key.

▪ User A selects a random integer $X_A < q$ and computes $Y_A = a^{X_A} \bmod q$.
▪ Similarly, user B independently selects a random integer $X_B < q$ and computes $Y_B = a^{X_B} \bmod q$.
▪ Each side keeps the X value private and makes the Y value available publicly to the other side.
o Thus, $X_A$ is A’s private key and $Y_A$ is A’s corresponding public key, and similarly for B.
▪ User A computes the key as

$K = (Y_B)^{X_A} \bmod q$

and user B computes the key as

$K = (Y_A)^{X_B} \bmod q$

These two calculations produce identical results:

by the rules of modular arithmetic



Figure: The Diffie-Hellman Key Exchange

▪ The result is that the two sides have exchanged a secret value. Typically, this secret value is used as a shared symmetric secret key.
▪ Now consider an adversary who can observe the key exchange and wishes to determine the secret key K.
⎯ Because $X_A$ and $X_B$ are private, an adversary only has the following ingredients to work with:

q, a, $Y_A$, and $Y_B$.

⎯ Thus, the adversary is forced to take a discrete logarithm to determine the key. For example, to determine the private key of user B, an adversary must compute

⎯ The adversary can then calculate the key K in the same manner as user B calculates it. That is, the adversary can calculate K as

NOTE: The security of the Diffie-Hellman key exchange lies in the fact that, while it is
relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate
discrete logarithms. For large primes, the latter task is considered infeasible.

In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation $3^a \bmod 353 = 40$ or the equation $3^b \bmod 353 = 248$. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides $3^{97} \bmod 353 = 40$. With larger numbers, the problem becomes impractical.
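The brute-force search just described, as an added Python example that is not part of the original notes. The values 353, 3, 40 and 248 are the page's; the function names are illustrative. The loop needs at most q - 2 multiplications, which is why the search is trivial here and why the size of q is what protects the key.

```python
# Toy parameters quoted in the text above.
Q, ALPHA = 353, 3
Y_A, Y_B = 40, 248                 # the public values an observer sees

def brute_force_dlog(base, target, modulus):
    """Return the smallest x >= 1 with base^x mod modulus == target.
    Cost grows linearly with the modulus, i.e. exponentially with its bit length."""
    value = 1
    for x in range(1, modulus):
        value = value * base % modulus
        if value == target:
            return x
    raise ValueError("target is not a power of base")

def shared_key_from_public_values():
    """Recover one private exponent from public data, then derive K as its owner would."""
    x_a = brute_force_dlog(ALPHA, Y_A, Q)
    return x_a, pow(Y_B, x_a, Q)

def both_sides_agree():
    """Check that (Y_B)^X_A mod q equals (Y_A)^X_B mod q for the recovered exponents."""
    x_a = brute_force_dlog(ALPHA, Y_A, Q)
    x_b = brute_force_dlog(ALPHA, Y_B, Q)
    return pow(Y_B, x_a, Q) == pow(Y_A, x_b, Q)

if __name__ == "__main__":
    print(shared_key_from_public_values())
    print(both_sides_agree())
```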

Man-in-the-Middle Attack
The Diffie-Hellman key exchange protocol depicted in the figure above is insecure against a man-in-the-middle attack.
Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows:
1. Darth prepares for the attack by generating two random private keys $X_{D1}$ and $X_{D2}$ and then computing the corresponding public keys $Y_{D1}$ and $Y_{D2}$.

2. Alice transmits $Y_A$ to Bob.

3. Darth intercepts $Y_A$ and transmits $Y_{D1}$ to Bob. Darth also calculates

4. Bob receives $Y_{D1}$ and calculates

5. Bob transmits $Y_B$ to Alice.

6. Darth intercepts $Y_B$ and transmits $Y_{D2}$ to Alice. Darth calculates

7. Alice receives $Y_{D2}$ and calculates


Figure: Man-in-the-Middle Attack


❖ At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way.

1. Alice sends an encrypted message M: E (K2, M).

2. Darth intercepts the encrypted message and decrypts it to recover M.



3. Darth sends Bob E(K1, M) or E(K1, M′), where M′ is any message.

⎯ In the first case, Darth simply wants to eavesdrop on the communication without
altering it.
⎯ In the second case, Darth wants to modify the message going to Bob.
❖ The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates.
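Why authentication closes this gap, as an added Python example that is not part of the original notes. It uses the toy group q = 353, a = 3 from the earlier example; Alice's signing key, the exponents 5 and 7 for Darth, the exponent 233 (chosen because 3^233 mod 353 = 248) and all function names are constructed for illustration, and the hash-then-RSA signature is a study aid, not a real signature scheme.

```python
import hashlib

Q, ALPHA = 353, 3                        # toy group from the example above

# Constructed toy signing key for Alice. Assumption: Bob already trusts (E, N),
# for instance through a public-key certificate. Far too small for real use.
P1, P2 = 2**61 - 1, 2**31 - 1            # two Mersenne primes
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))      # Alice's private signing exponent

def _digest(y):
    """Hash a Diffie-Hellman public value to an integer below N."""
    h = hashlib.sha256(str(y).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(y, d=D):
    return pow(_digest(y), d, N)

def verify(y, sig):
    return pow(sig, E, N) == _digest(y)

def exchange(x_a, x_b, x_d1=None, x_d2=None):
    """Return (key Alice holds, key Bob holds). When x_d1 / x_d2 are given, the
    public values in transit are replaced as in steps 3 and 6 of the attack."""
    y_a, y_b = pow(ALPHA, x_a, Q), pow(ALPHA, x_b, Q)
    seen_by_bob = y_a if x_d1 is None else pow(ALPHA, x_d1, Q)
    seen_by_alice = y_b if x_d2 is None else pow(ALPHA, x_d2, Q)
    return pow(seen_by_alice, x_a, Q), pow(seen_by_bob, x_b, Q)

def bob_receives(y, sig):
    """Authenticated variant: Bob derives a key only from a value Alice signed."""
    if not verify(y, sig):
        raise ValueError("public value is not signed by Alice; abort the exchange")
    return y

if __name__ == "__main__":
    print(exchange(97, 233))                     # honest run: both hold the same key
    print(exchange(97, 233, x_d1=5, x_d2=7))     # unauthenticated: keys differ silently
    y_a = pow(ALPHA, 97, Q)
    sig = sign(y_a)
    print(bob_receives(y_a, sig))                # genuine value is accepted
    try:
        bob_receives(pow(ALPHA, 5, Q), sig)      # substituted value is rejected
    except ValueError as err:
        print(err)
```

A deployed protocol additionally binds the signature to both public values and to fresh per-session data, so that a previously signed value cannot be replayed.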
