Cryptography and

Network Security
Chapter 10
Fifth Edition
by William Stallings

Lecture slides by Lawrie Brown

Modified by Richard Newman
 Chapter 10 – Other Public Key
Cryptosystems
Amongst the tribes of Central Australia every man, woman,
and child has a secret or sacred name which is bestowed
by the older men upon him or her soon after birth, and
which is known to none but the fully initiated members of
the group. This secret name is never mentioned except
upon the most solemn occasions; to utter it in the hearing of
men of another group would be a most serious breach of
tribal custom. When mentioned at all, the name is spoken
only in a whisper, and not until the most elaborate
precautions have been taken that it shall be heard by no
one but members of the group. The native thinks that a
stranger knowing his secret name would have special
power to work him ill by means of magic.
—The Golden Bough, Sir James George Frazer
 Roadmap
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation
(PRNG) based on Asymmetric Ciphers
(RSA & ECC)
 Attacks and Standards
 Diffie-Hellman Key Exchange
 first
public-key type scheme proposed
 Astounding concept that two parties can
carry on a public conversation, and still
end up with a secret that only the two of
them know!
 Public Secret Sharing
 Shared secret is derived from private
secrets and publically shared information
 Diffie-Hellman Key Exchange
 first
public-key type scheme proposed
 by Diffie & Hellman in 1976 along with the
exposition of public key concepts
 note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970
 is a practical method for public exchange
of a secret key – in practice, a “pre-key”
 used in a number of commercial products
Diffie-Hellman Key Exchange
a public-key distribution scheme
 cannot be used to exchange an arbitrary

message
 rather it can establish a common key

 known only to the two participants

 value of key depends on the participants

(and their private and public key
information)
Diffie-Hellman Key Exchange
 Derivation of shared secret is based on
exponentiation in a finite (Galois) field
(modulo a prime or a polynomial)
- easy
 security relies on the difficulty of working
backward to get secrets by computing
discrete logarithms (similar to factoring)
– hard
 Diffie-Hellman Setup
 all users agree on global parameters:
 large prime integer or polynomial q
 a, which is a primitive root mod q
 each user (e.g. A) generates their key
 chooses a secret key (number): xA < q
xA
 computes their public key: yA = a mod q
 each user makes public that key yA
Diffie-Hellman Key Exchange
 shared session key for users A & B is KAB:
xA.xB
KAB = a mod q
xB
= yA mod q
(which B can compute)
xA
= yB mod q
(which A can compute)

Each principal has the other's public key

and their own secret, along with a and q.
 Diffie-Hellman Key Exchange
Bob Agree on a and q Alice
xB
yB = a mod q
xA
yA = a mod q
xB xA
KAB = yA mod q KAB = yB mod q

Both Alice and Bob have

xA.xB
KAB = a mod q
Diffie-Hellman Key Exchange
 KAB is used as session key (or pre-key) in
private-key encryption scheme between
Alice and Bob
 if Alice and Bob subsequently
communicate, they will have the same key
as before, unless they choose new public-
keys (can use nonces and pre-key to
make session key different)
 attacker needs a private key x, must solve
discrete log base a modulo q to get it
 Diffie-Hellman Example
 users Alice & Bob who wish to swap keys:
 agree on prime q=353 and a=3
 select random secret keys:
 A chooses xA=97, B chooses xB=233
 compute respective public keys:
97
 yA=3 mod 353 = 40 (Alice)
233
 yB=3 mod 353 = 248 (Bob)
 compute shared session key as:
xA 97
 KAB= yB mod 353 = 248 = 160 (Alice)
xB 233
 KAB= yA mod 353 = 40 = 160 (Bob)
 Key Exchange Protocols
 users could create random private/public
D-H keys each time they communicate
 users could create a known private/public
D-H key and publish in a directory, then
consult and use them to securely
communicate with them
 both of these are vulnerable to a Man-in-
the-Middle Attack
 authentication of the keys is needed
 Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to
Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key
(with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key
to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with
Darth instead of Bob)
 Darth can then intercept, decrypt, re-encrypt, forward all
messages between Alice & Bob
 Man-in-the-Middle Attack
Bob Darth xA
Alice
yA = a mod q
xDA
y'A = a mod q
xB
yB = a mod q
xDB
y'B = a mod q
xB xA
KDAB = y'A mod q KADB = y'B mod q

Darth has a private, unauthenticated

channel with each of Alice and Bob
 Man-in-the-Middle Attack
 Also known as “Bucket Brigade” Attack
 Need reliable way to associate public key
with principal
 Public key infrastructure (PKI) is one way
 PGP web of trust is another
 In some circumstances, may be possible to
use scheduling/timing to prevent MITM
 Roadmap
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation
(PRNG) based on Asymmetric Ciphers
(RSA & ECC)
 Attacks and Standards
 ElGamal Cryptography
 public-key cryptosystem related to D-H
 uses exponentiation in a finite field
 with security based difficulty of computing
discrete logarithms, as in D-H
 each user (e.g. A) generates their key
 chooses a secret key (number): 1 < xA < q-1
xA
 computes their public key: yA = a mod q
 ElGamal Message Exchange
 Bob encrypts a message to send to A computing
 message M in range 0 <= M <= q-1

• longer messages must be sent as blocks

 chose random integer k, 1 <= k <= q-1
k
 compute one-time key K = yA mod q
 encrypt M as a pair of integers (C1,C2)

where
k
•C1 = a mod q // like D-H public key
•C2 = KM mod q // encrypted msg
 ElGamal Message Exchange
 encrypt M as a pair of integers (C1,C2) where
k
•C1 = a mod q ; C2 = KM mod q
 A then recovers message by
 recovering key K as K = C1
xA mod q

 computing M as M = C2 K
-1 mod q

 a unique K must be used each time

 otherwise result is insecure
 ElGamal Example
 use field GF(19) q=19 and a=10
 Alice computes her key:
5
 A chooses xA=5 & computes yA=10 mod 19 = 3
 Bob send message m=17 as (11,5) by
 chosing random k=6
k 6
 computing K = yA mod q = 3 mod 19 = 7
 computing C1 = ak mod q = 106 mod 19 = 11;
C2 = KM mod q = 7.17 mod 19 = 5
 Alice recovers original message by computing:
5
 recover K = C1xA mod q = 11 mod 19 = 7
 compute inverse K-1 = 7-1 = 11
 recover M = C2 K-1 mod q = 5.11 mod 19 = 17
 Roadmap
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation
(PRNG) based on Asymmetric Ciphers
(RSA & ECC)
 Attacks and Standards
 Elliptic Curve Cryptography
 majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
 imposes a significant load in storing and
processing keys and messages
 an alternative is to use elliptic curves
 offers same security with smaller bit sizes
 newer, but not as well analysed
 Real Elliptic Curves
 an elliptic curve is defined by an
equation in two variables x & y, with
coefficients
 consider a cubic elliptic curve of form
 y2 = x3 + ax + b
 where x, y, a, b are all real numbers
 also define zero point O
 considerset of points E(a,b) that satisfy
 have addition operation for elliptic curve
 geometrically sum of P+Q is reflection of the
intersection R
Real Elliptic Curve Example
 Finite Elliptic Curves
 Elliptic
curve cryptography uses curves
whose variables & coefficients are finite
 have two families commonly used:
 prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
 binary curves E2m(a,b) defined over GF(2n)
• use polynomials with binary coefficients
• best in hardware
 Elliptic Curve Cryptography
 ECC addition is analog of modulo multiply
 ECC repeated addition is analog of
modulo exponentiation
 need “hard” problem equiv to discrete log
 Q=kP, where Q,P belong to a prime curve
 is “easy” to compute Q given k,P
 but “hard” to find k given Q,P
 known as the elliptic curve logarithm problem
 Certicom example: E23(9,17)
 ECC Diffie-Hellman
 can do key exchange analogous to D-H
 users select a suitable curve Eq(a,b)
 select base point G=(x1,y1)
 with large order n s.t. nG=O
A& B select private keys nA<n, nB<n
 compute public keys: PA=nAG, PB=nBG
 compute shared key: K=nAPB, K=nBPA
 same since K=nAnBG
 attacker would need to find k, hard
 ECC Encryption/Decryption
 several alternatives, will consider simplest
 must first encode any message M as a point on
the elliptic curve Pm
 select suitable curve & point G as in D-H
 each user chooses private key nA<n
 and computes public key PA=nAG
 to encrypt Pm : Cm={kG, Pm+kPb}, k random
 decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
 ECC Security
 relies on elliptic curve logarithm problem
 fastest method is “Pollard rho method”
 compared to factoring, can use much
smaller key sizes than with RSA, etc.
 for equivalent key lengths computations
are roughly equivalent
 hence for similar security ECC offers
significant computational advantages
 Comparable Key Sizes for
Equivalent Security
Symmetric ECC-based RSA/DSA
scheme scheme (modulus size
(key size in (size of n in in bits)
bits) bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
 Roadmap
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation
(PRNG) based on Asymmetric Ciphers
(RSA & ECC)
 Attacks and Standards
 Pseudorandom Number
Generation (PRNG) based on
Asymmetric Ciphers
 asymmetric encryption algorithm produce
apparently random output
 hence can be used to build a
pseudorandom number generator (PRNG)
 much slower than symmetric algorithms
 hence only use to generate a short
pseudorandom bit sequence (eg. key)
 PRNG based on RSA
 have Micali-Schnorr PRNG using RSA
 in ANSI X9.82 and ISO 18031
 Roadmap
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation
(PRNG) based on Asymmetric Ciphers
(RSA & ECC)
 Attacks and Standards
 Attacks on Public Key Crypto
 RSA – progress in factoring
 Any – side channel attacks (timing, power)
 Any – quantum computing – gimme qubits
 Key length for factoring (RSA)
 Twice key length for ECC
 Limited plaintext attacks (any)
 Need to randomize
 Other Protocol attacks
 Attacks on Public Key Crypto
 Limited plaintext attacks (any)
 If only a few plaintexts are possible,
 Encrypt all of them and look for match!
 Require random “confounder” in plaintext
 Cube-root attack (RSA) – when e = 3
 Message “small” – m3 < n
 Then just take cube root of c to get m!
 Require e > 3 or make m “big”
 Public Key Standards
 RSA Labs – de facto standards
 PKCS series (also for other crypto)
 NIST - FIPS
 IETF – numerous standards
 ITU-T/PKX – X.509v3 certificates
 ISO/IEC – certs, authentication protocols
 Many others
 PKCS Standards
Standard Standard Title Description
Number
PKCS#1 RSA Cryptography Algorithms and encoding/padding schemes
for performing RSA encryption, decryption,
♪ and producing and verifying signatures.
PKCS#3 Diffie–Hellman Key Algorithms, encoding, and protocol for public
♪ Agreement] secret sharing based on Diffie-Hellman
PKCS#5 Password-based Standard and secure way to derive a secret
Encryption key from a text password
PKCS#7 Cryptographic Formats for signing or encrypting messages
Message Syntax and for certificate distribution
PKCS#8 Private-Key Formats for carrying private certificate key
♪ Information Syntax pairs (encrypted or unencrypted)
PKCS#11 Cryptographic Token Generic interface to cryptographic tokens for
Interface single sign-on, public key encryption, disk
PKCS#12 Personal Information File format to store private keys and public
Exchange Syntax key certificates, protected by a symmetric key
 PKCS#1
 Has subsumed PKCS#2 and #4
 Defines syntax and coding for RSA
signatures and RSA-encrypted data
 Prevents many of the possible attacks
 Forces m to be “big”
 Inserts “confounder”
 Makes it clear what the message is
intended to be (at least at the
cryptographic level) to avoid confusion
 Summary
 have considered:
 Diffie-Hellman key exchange
 ElGamal cryptography
 Elliptic Curve cryptography
 Pseudorandom Number Generation (PRNG)
based on Asymmetric Ciphers (RSA & ECC)
• Attacks and Standards