ElGamal Cryptosystem

 In 1984 Taher ElGamal presented a cryptosystem which is based on

the Discrete Logarithm.
 Thus ElGamal simplified the Die-Hellman key exchange algorithm by
introducing
a random exponent k.
 The ElGamal cryptosystem is usually used in a hybrid cryptosystem.
 It is faster to encrypt the symmetric with Elgamal and the with a
symmetric cipher.
 There are THREE aspects in EIGamal Cryptography
 EIGamal Key Generation
 EIGamal Key Encryption
 EIGamal Key Decryption
EIGamal Key Generation

Steps 1:- Select a large prime number P, This is first part of Public Key.
Step 2:- Select a decryption key or private key D.
Steps 3:- Select the Second part of public key as E1.
Steps 4:- The Third part of public key as E2= E1˄D mod P
Step 5:- The Public key will be (E1,E2,P) and Private key will be D.

Example:-

Consider P=11, E1=2 and D=3

Then E2= E1˄D mod P = 2˄3 mod 11 = 8
Hence public key will be ((2,8,11) and private key D=3
EIGamal Key Encryption

Steps 1:- Select a random integer R.

Step 2:- Compute the First part of cipher text C1= E1˄R mod P .
Steps 3:- Compute the Second part of cipher text C2=PT. E2˄R mod P .
Steps 4:- The Final cipher text is (C1,C2)

Example:-
Let R= 4 and PT = 7
From Previous P=11, E1=2 and D=3
and public key will be (2,8,11)
C1 = E1˄R mod P = 2˄4 mod11= 5
C2=PT. E2˄R mod P = 7. 2˄8 mod 11 = 6
Hence Cipher Text is (5,6)
EIGamal Key Decryption

Steps 1:- Compute the plain text using the following formula
PT = (C2.C1˄D) ˄ -1 mod P
Example:-

PT = (C2.C1˄D) ˄ -1 mod P
PT = (6. 5˄3) ˄-1 mod 11
\ PT = (6.3) mod 11= 7
 Digital Signature
A digital signature is a mathematical scheme for demonstrating the
authenticity of a digital message or documents.

Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private
Key.

Bob's Public key is available to anyone who needs it, but he keeps his Private Key
to himself. Keys are used to encrypt information. Either one of Bob's two keys can
encrypt data, and the other key can decrypt that data.
Susan can encrypt a message using Bob's Public Key. Bob uses his
Private Key to decrypt the message. Any of Bob's coworkers might
have access to the message Susan encrypted, but without Bob's Private
Key, the data is worthless.

With his private key and the right software, Bob can put digital
signatures on documents and other data.
A digital signature is a "stamp" Bob places on the data which is unique
to Bob, and is very difficult to forge. In addition, the signature assures
that any changes made to the data that has been signed can not go
undetected.
To sign a document, Bob's software will crunch down the data into just a
few lines by a process called "hashing". These few lines are called a
message digest. (It is not possible to change a message digest back into
the original data from which it was created.)

Bob's software then encrypts the message digest with his private key. The result is the
digital signature.
Finally, Bob's software appends the digital signature to document. All of
the data that was hashed has been signed.
Message Digest
 Message digests are secure one-way hash functions that take
arbitrary-sized data and output a fixed-length hash value.
A Message Digest object starts out initialized. The data is processed
through it using the update methods. At any point reset can be called to
reset the digest.
 Message digest is basically a fingerprint or summary of the message.
 Message digest functions also called hash functions , are used to
produce digital summaries of information called message digests.
 Message digests are commonly 128 bits to 160 bits in length and
provide a digital identifier for each digital file or document.
 It is similar to CRC or LRC.
Introduction
 MD5 algorithm was developed by Professor Ronald
L. Rivest in 1991. According to RFC 1321, “MD5
message-digest algorithm takes as input a
message of arbitrary length and produces as
output a 128-bit "fingerprint" or "message digest"
of the input …The MD5 algorithm is intended for
digital signature applications, where a large file
must be "compressed" in a secure manner before
being encrypted with a private (secret) key under a
public-key cryptosystem such as RSA.”
MD5 Algorithm Structure
Implementation Steps
 Step1 Append padding bits
The input message is "padded" (extended) so
that its length (in bits) equals to 448 mod 512.
Padding is always performed, even if the length of
the message is already 448 mod 512.
Padding is performed as follows: a single "1" bit is
appended to the message, and then "0" bits are
appended so that the length in bits of the padded
message becomes congruent to 448 mod 512. At
least one bit and at most 512 bits are appended.
Implementation Steps
 Step2. Append length
A 64-bit representation of the length of the
message is appended to the result of step1. If the
length of the message is greater than 2^64, only
the low-order 64 bits will be used.

The resulting message (after padding with bits and

with b) has a length that is an exact multiple of 512
bits. The input message will have a length that is
an exact multiple of 16 (32-bit) words.
Implementation Steps
 Step3. Initialize MD buffer
A four-word buffer (A, B, C, D) is used to compute
the message digest. Each of A, B, C, D is a 32-bit
register. These registers are initialized to the
following values in hexadecimal, low-order bytes
first):

word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
Implementation Steps
 Step4. Process message in 16-word blocks
Four functions will be defined such that each
function takes an input of three 32-bit words and
produces a 32-bit word output.

F (X, Y, Z) = XY or not (X) Z

G (X, Y, Z) = XZ or Y not (Z)
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or not (Z))
Implementation Steps
Round 1.

[abcd k s i] denote the operation a = b + ((a + F (b, c, d)

+ X [k] + T [i]) <<< s).

Do the following 16 operations.

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22
12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22
16]
SECURE HASHING ALGORITHM
Purpose: Authentication : Not Encryption

Authentication Requirements:
 Masquerade – Insertion of message from
fraudulent source
 Content Modification – Changing content of
message
 Sequence Modification – Insertion, deletion and
reordering sequence
 Timing Modification – Replaying valid sessions
Applications:
One-way hash functions
• Public Key Algorithms
– Password Logins
– Encryption Key Management
– Digital Signatures
• Integrity Checking
– Virus and Malware Scanning
• Authentication
– Secure Web Connections
• (PGP, SSL, SSH, S/MIME)
Basic Hash Function Diagram
Message Diagram
SHA-1 (160 bit message)
Algorithm Framework
 Step 1: Append Padding Bits….
Message is “padded” with a 1 and as many 0’s as
necessary to bring the message length to 64 bits
fewer than an even multiple of 512.
 Step 2: Append Length....
64 bits are appended to the end of the padded message.
These bits hold the binary format of 64 bits indicating the
length of the original message.
 http://www.herongyang.com

f
SHA-1 Framework Continued
 Step 3: Prepare Processing Functions….
SHA1 requires 80 processing functions defined as:
f(t;B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)
f(t;B,C,D) = B XOR C XOR D (20 <= t <= 39)
f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <=59)

f(t;B,C,D) = B XOR C XOR D (60 <= t <= 79)

 Step 4: Prepare Processing Constants....

SHA1 requires 80 processing constant words defined as:
K(t) = 0x5A827999 ( 0 <= t <= 19)
K(t) = 0x6ED9EBA1 (20 <= t <= 39)
K(t) = 0x8F1BBCDC (40 <= t <= 59)
K(t) = 0xCA62C1D6 (60 <= t <= 79)

 http://www.herongyang.com
SHA-1 Framework Continued
 Step 5: Initialize Buffers….
SHA1 requires 160 bits or 5 buffers of words (32
bits):
H0 = 0x67452301
H1 = 0xEFCDAB89
H2 = 0x98BADCFE
H3 = 0x10325476
H4 = 0xC3D2E1F0
 http://www.herongyang.com
SHA-1 Framework Final Step
 Step 6: Processing Message in 512-bit blocks
(L blocks in total message)….
This is the main task of SHA1 algorithm which loops through
the padded and appended message in 512-bit blocks.
Input and predefined functions:
M[1, 2, ..., L]: Blocks of the padded and appended message
f(0;B,C,D), f(1,B,C,D), ..., f(79,B,C,D): 80 Processing Functions
K(0), K(1), ..., K(79): 80 Processing Constant Words
H0, H1, H2, H3, H4, H5: 5 Word buffers with initial values

 http://www.herongyang.com
SHA-1 Framework Continued
 Step 6: Pseudo Code….
For loop on k = 1 to L
(W(0),W(1),...,W(15)) = M[k] /* Divide M[k] into 16 words */
For t = 16 to 79 do:
W(t) = (W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)) <<< 1
A = H0, B = H1, C = H2, D = H3, E = H4
For t = 0 to 79 do:
TEMP = A<<<5 + f(t;B,C,D) + E + W(t) + K(t) E = D, D
= C,
C = B<<<30, B = A, A = TEMP
End of for loop
H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 =
H4 + E
End of for loop

Output:
H0, H1, H2, H3, H4, H5: Word buffers with final message
digest
 http://www.herongyang.com
Message Diagram
SHA-1 Message Digest

The message digest of the string:

“This is a test for theory of computation”

4480afca4407400b035d9debeb88bfc402db514f
Cryptanalysis and Limitation

• Key Premises for Hash Functions:

1. Impossible to re-create a message
given a fingerprint
2. Collision Free

• SHA-1 failure using brute force attack in 280

operations
• Collision failure found in 2005 in 233 operations
Merkle-Hellman Knapsack
 One of first public key systems
 Based on NP-complete problem
 Original algorithm is weak
◦ Lattice reduction attack
 Newer knapsacks are more secure
◦ But nobody uses them…
◦ Once bitten, twice shy
Knapsack Problem
 Given a set of n weights W0,W1,...,Wn-1 and a
sum S, is it possible to find ai  {0,1} so that
S = a0W0+a1W1 +...+ an-1Wn-1
(technically, this is “subset sum” problem)
 Example
◦ Weights (62,93,26,52,166,48,91,141)
◦ Problem: Find subset that sums to S = 302
◦ Answer: 62+26+166+48 = 302
 The (general) knapsack is NP-complete
Knapsack Problem
 General knapsack (GK) is hard to solve
 But superincreasing knapsack (SIK) is easy
 In SIK each weight greater than the sum
of all previous weights
 Example
◦ Weights (2,3,7,14,30,57,120,251)
◦ Problem: Find subset that sums to S = 186
◦ Work from largest to smallest weight
◦ Answer: 120+57+7+2 = 186
Knapsack Cryptosystem

1. Generate superincreasing knapsack (SIK)

2. Convert SIK into “general” knapsack (GK)
3. Public Key: GK
4. Private Key: SIK plus conversion factors

 Easy to encrypt with GK

 With private key, easy to decrypt
(convert ciphertext to SIK)
 Without private key, must solve GK ?
 Knapsack Cryptosystem
 Let (2,3,7,14,30,57,120,251) be the SIK
 Choose m = 41 and n = 491 with m and n
relatively prime, n > sum of SIK elements
 General knapsack
2  41 (mod 491) = 82
3  41 (mod 491) = 123
7  41 (mod 491) = 287
14  41 (mod 491) = 83
30  41 (mod 491) = 248
57  41 (mod 491) = 373
120  41 (mod 491) = 10
251  41 (mod 491) = 471
 General knapsack: (82,123,287,83,248,373,10,471)
Knapsack Example
 Private key: (2,3,7,14,30,57,120,251)
m1 mod n = 411 (mod 491) = 12
 Public key: (82,123,287,83,248,373,10,471), n=491
 Example: Encrypt 10010110
82 + 83 + 373 + 10 = 548
 To decrypt,
◦ 548 · 12 = 193 (mod 491)
◦ Solve (easy) SIK with S = 193
◦ Obtain plaintext 10010110
Knapsack Weakness
 Trapdoor: Convert SIK into “general”
knapsack using modular arithmetic
 One-way: General knapsack easy to
encrypt, hard to solve; SIK easy to solve
 This knapsack cryptosystem is insecure
◦ Broken in 1983 with Apple II computer
◦ The attack uses lattice reduction
 “General knapsack” is not general
enough!
 This special knapsack is easy to solve
Elliptic Curve Cryptography
 Elliptic curve cryptography (ECC) is an approach to public-key
cryptography based on the algebraic structure of elliptic
curves over finite fields. One of the main benefits in comparison
with non-ECC cryptography (with plain Galois fields as a basis)
is the same level of security provided by keys of smaller size.

Private Key Public Key Set of Operations Domain Parameters

(Predefined
constants)
A Components
 random Point on a curve These are defined G, a, b
number over the curve
= Private Key * y2 = x3 + ax + b,
G where 4a3 + 27b2
≠0
Discrete Logarithm Problem (DLP)
 Let P and Q be two points on the elliptic curve
◦ Such that Q = kP, where k is a scalar value

 DLP: Given P and Q, find k?

◦ If k is very large, it becomes computationally
infeasible

 The security of ECC depends on the difficulty

of DLP

 Main operation in ECC is Point Multiplication

Point Multiplication
 Point Multiplication is achieved by two basic
curve operations:

1. Point Addition, L = J + K
2. Point Doubling, L = 2J

Example:
If k = 23; then, kP = 23*P
= 2(2(2(2P) + P) + P) + P
Point Addition
Geometrical explanation:
Point Addition
 Analytical explanation:

 Consider two distinct points J and K such that J

= (xJ, yJ) and K = (xK, yK)
Let L = J + K where L = (xL, yL), then
 xL = s2 - xJ – xK
 yL = -yJ + s (xJ – xL)
s = (yJ – yK)/(xJ – xK), s is slope of the line
through J and K
Point Doubling

Geometrical explanation:
Point Doubling
Analytical explanation
Consider a point J such that J = (xJ, yJ), where yJ
≠0
Let L = 2J where L = (xL, yL), Then
 xL = s2 – 2xJ
 yL = -yJ + s(xJ - xL)
s = (3xJ2 + a) / (2yJ), s is the tangent at point J
and a is one of the parameters chosen with the
elliptic curve
Finite Fields
 The Elliptic curve operations shown were on real
numbers
◦ Issue: operations are slow and inaccurate due to round-off
errors

To make operations more efficient and accurate,

the curve is defined over two finite fields
1. Prime field Fp and
2. Binary field F2m
 The field is chosen with finitely large number of
points suited for cryptographic operations
EC on Prime field Fp
 Elliptic Curve equation:
y2 mod p= x3 + ax + b mod p
where 4a3 + 27b2 mod p ≠ 0.
 Elements of finite fields are integers between 0

and p-1
 The prime number p is chosen such that there

is finitely large number of points on the elliptic

curve to make the cryptosystem secure.
 SEC specifies curves with p ranging between

112-521 bits
 EC on Binary field F2m
 EllipticCurve equation:
y2 + xy = x3 + ax2 + b,
where b ≠ 0
 Here the elements of the finite field are integers of

length at most m bits.

 In binary polynomial the coefficients can only be 0 or

1.
 The m is chosen such that there is finitely large

number of points on the elliptic curve to make the

cryptosystem secure.
 SEC specifies curves with m ranging between 113-

571 bits
Elliptic Curve Domain parameters
Domain parameters for EC over field Fp
 Parameters:
p, a, b, G, n and h.

Domain parameters for EC over field F2m

 Parameters:
m, f(x), a, b, G, n and h.
Implementations
 ECDSA - Elliptic Curve Digital Signature Algorithm
Signature Generation:
For signing a message m by sender A, using A’s private key dA
and public key QA = dA * G
1. Calculate e = HASH (m), where HASH is a cryptographic hash
function, such as
SHA-1
2. Select a random integer k from [1,n − 1]
3. Calculate r = x1 (mod n), where (x1, y1) = k * G. If r = 0, go to
step 2
4. Calculate s = k − 1(e + dAr)(mod n). If s = 0, go to step 2
5. The signature is the pair (r, s)
 Implementations
 ECDSA - Elliptic Curve Digital Signature Algorithm
Signature Verification:
For B to authenticate A's signature, B must have A’s public key Q A
1. Verify that r and s are integers in [1,n − 1]. If not, the signature
is invalid
2. Calculate e = HASH (m), where HASH is the same function used
in the signature generation
3. Calculate w = s −1 (mod n)
4. Calculate u1 = ew (mod n) and u2 = rw (mod n)
5. Calculate (x1, y1) = u1G + u2QA
6. The signature is valid if x1 = r(mod n), invalid otherwise
Implementations
 ECDH – Elliptic Curve Diffie Hellman
A (QA,dA) – Public, Private Key pair
B (QB,dB) – Public, Private Key pair

1. The end A computes K = (xK, yK) = dA * QB

2. The end B computes L = (xL, yL) = dB * QA
3. Since dAQB = dAdBG = dBdAG = dBQA. Therefore K = L
and hence xK = xL
4. Hence the shared secret is xK