CRYPTOGRAPHY

Course Code: 18CS744

P R E PA R E D BY : M r J o h n P r a k a s h Ve i g a s

Associate Professor

Department of ISE

A J I n s ti t u t e o f E n g i n e e r i n g A n d Te c h n o l o g y

Mangaluru
Course Outcomes
Define cryptography and its principles
Explain Cryptography algorithms
Illustrate Public and Private key cryptography
Explain Key management, distribution and ceritification
Explain authentication protocols
SYLLABUS
MODULE 2
Public-Key Cryptography and RSA: Principles of public-key
cryptosystems. Public-key cryptosystems. Applications for
public-key cryptosystems, requirements for public-key
cryptosystems. public-key cryptanalysis. The RSA algorithm,
desription of the algorithm, computational aspects, the
security of RSA.
Other Public-Key Cryptosystems: Diffie-hellman key
exchange, The algorithm, key exchange protocols, man in
the middle attack,Elgamal Cryptographic systems
Terminology Related to Asymmetric
Encryption
Asymmetric Keys
◦ Two related keys, a public key and a private key, that are used
to perform complementary operations, such as encryption and
decryption or signature generation and signature verification.
Public Key Certificate
◦ A digital document issued and digitally signed by the private
key of a Certification Authority that binds the name of a
subscriber to a public key.
◦ The certificate indicates that the subscriber identified in the
certificate has sole control and access to the corresponding
private key.
Public Key (Asymmetric) Cryptographic Algorithm
◦ A cryptographic algorithm that uses two related keys, a public
key and a private key.
◦ The two keys have the property that deriving the private key
from the public key is computationally infeasible.
Public Key Infrastructure (PKI)
◦ A set of policies, processes, server platforms, software and
workstations used for the purpose of administering certificates
and public-private key pairs, including the ability to issue,
maintain, and revoke public key certificates.
PRINCIPLES OF PUBLIC-KEY
CRYPTOSYSTEMS
Public-Key Cryptosystems
 Asymmetric algorithms rely on one key for encryption and a
different but related key for decryption.
 These algorithms have the following important characteristic.
o It is computationally infeasible to determine the decryption
key given only knowledge of the cryptographic algorithm and
the encryption key
 In addition, some algorithms, such as RSA, also exhibit the
following characteristic.
o Either of the two related keys can be used for encryption,
with the other used for decryption.
 A public-key encryption scheme has six ingredients:
• Plaintext: This is the readable message or data that is fed into
the algorithm as input.
• Encryption algorithm: The encryption algorithm performs
various transformations on the plaintext.
• Public and private keys: This is a pair of keys that have been
selected so that if one is used for encryption, the other is used
for decryption.
The exact transformations performed by the algorithm
depend on the public or private key that is provided as input.
• Ciphertext: This is the scrambled message produced as
output.
It depends on the plaintext and the key.
For a given message, two different keys will produce two
different ciphertexts.
• Decryption algorithm: This algorithm accepts the ciphertext
and the matching key and produces the original plaintext.
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and
decryption of messages.
2. Each user places one of the two keys in a public register or other
accessible file.
This is the public key.
The companion key is kept private.
Each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob
encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her
private key.
No other recipient can decrypt the message because only Alice
knows Alice’s private key.
 We refer to the key used in symmetric encryption as a secret
key.
The two keys used for asymmetric encryption are referred to as
the public key and the private key.
 Invariably, the private key is kept secret, but it is referred to as a
private key rather than a secret key to avoid confusion with
symmetric encryption.
The essential elements of a public-key encryption scheme:
 There is some source A that produces a message in plaintext, X =
[X1, X2, … , XM].
 The M elements of X are letters in some finite alphabet.
 The message is intended for destination B.
 B generates a related pair of keys: a public key, PUb, and a private
key, PRb.
 PRb is known only to B, whereas PUb is publicly available and
therefore accessible by A.
 With the message X and the encryption key PUb as input, A forms
the ciphertext Y = [Y1, Y2, … , YN]:
Y = E(PUb, X)
 The intended receiver, in possession of the matching private key,
is able to invert the transformation:
X = D(PRb, Y)
Figure: Public-Key Cryptosystem: Authentication
 In this case, A prepares a message to B and encrypts it using A’s
private key before transmitting it.
 B can decrypt the message using A’s public key.
 Because the message was encrypted using A’s private key, only A
could have prepared the message.
 Therefore, the entire encrypted message serves as a digital
signature.
 In addition, it is impossible to alter the message without access
to A’s private key, so the message is authenticated both in terms
of source and in terms of data integrity.
 In the preceding scheme, the entire message is encrypted,
which, although validating both author and contents, requires a
great deal of storage.
 A more efficient way of achieving the same results is to encrypt a
small block of bits that is a function of the document.
 Such a block, called an authenticator, must have the property
that it is infeasible to change the document without changing the
authenticator.
 The encryption process discussed does not provide confidentiality.
 It is possible to provide both the authentication function and
confidentiality by a double use of the public-key scheme
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
 In this case, we begin as before by encrypting a message, using the
sender’s private key.
 This provides the digital signature.
 Next, we encrypt again, using the receiver’s public key.
 The final ciphertext can be decrypted only by the intended receiver,
who alone has the matching private key.
 Thus, confidentiality is provided.
Public-Key Cryptosystem:
Authentication and Secrecy
Applications for Public-Key Cryptosystems
 We can classify the use of public-key cryptosystems into three
categories:
• Encryption/decryption: The sender encrypts a message with
the recipient’s public key.
• Digital signature: The sender “signs” a message with its private
key. Signing is achieved by a cryptographic algorithm applied to
the message or to a small block of data that is a function of the
message.
• Key exchange: Two sides cooperate to exchange a session key.
Several different approaches are possible, involving the private
key(s) of one or both parties.
Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to generate a pair
(public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public
key and the message to be encrypted, M, to generate the
corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the
resulting ciphertext using the private key to recover the original
message:
M = D(PRb,C) = D[PRb, E(PUb,M)]
4. It is computationally infeasible for an adversary, knowing the
public key, PUb, to determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the
public key, PUb, and a ciphertext, C, to recover the original
message, M.
We can add a sixth requirement that, although useful, is not
necessary for all public-key applications:
6. The two keys can be applied in either order:
M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]
Public-Key Cryptanalysis
 A public-key encryption scheme is vulnerable to a brute-force
attack. The countermeasure is the same: Use large keys.
 Another form of attack is to find some way to compute the
private key given the public key.
 Finally, a probable-message attack.
 Suppose, for example, that a message were to be sent that
consisted solely of a 56-bit DES key.
 An adversary could encrypt all possible 56-bit DES keys using the
public key and could discover the encrypted key by matching the
transmitted ciphertext.
THE RSA ALGORITHM
THE RSA ALGORITHM
Description of the Algorithm
 RSA(Rivest-Shamir-Adleman) algorithm makes use of an
expression with exponentials.
 Encryption and decryption are of the following form, for
some plaintext block M and ciphertext block C.
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
 Both sender and receiver must know the value of n.
 The sender knows the value of e, and only the receiver
knows the value of d.
THE RSA ALGORITHM
Thus, this is a public-key encryption algorithm with a public key
of PU = {e, n} and a private key of PR = {d, n}.
 For this algorithm to be satisfactory for public-key encryption,
the following requirements must be met.
1. It is possible to find values of e, d, and n such that Med mod n =
M for all M < n.
2. It is relatively easy to calculate Me mod n and Cd mod n for all
values of M < n.
3. It is infeasible to determine d given e and n.
 Both sender and receiver must know the value of n.
 The sender knows the value of e, and only the receiver knows
the value of d.
 Thus, this is a public-key encryption algorithm with a public key
of PU = {e, n} and a private key of PR = {d, n}.
 For this algorithm to be satisfactory for public-key encryption,
the following requirements must be met.
1. It is possible to find values of e, d, and n such that Med mod n
= M for all M < n.
2. It is relatively easy to calculate Me mod n and Cd mod n for all
values of M < n.
3. It is infeasible to determine d given e and n.
The ingredients are the following:
p, q, two prime numbers (private, chosen)
n = pq (public, calculated)
e, with gcd(φ(n), e) = 1; 1 < e < φ(n) (public, chosen)
d Ξ e-1 (mod φ(n)) (private, calculated)
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate φ(n) = (p - 1)(q - 1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to φ(n) = 160 and less
than φ(n); we choose e = 7.
5. Determine d such that de Ξ 1 (mod 160) and d < 160. The
correct value is d = 23, because 23 * 7 = 161 = (1 * 160) + 1; d can
be calculated using the extended Euclid’s algorithm
 The resulting keys are public key PU = {7, 187} and private key PR
= {23, 187}.
 The example shows the use of these keys for a plaintext input of
M = 88.
 For encryption, we need to calculate C = 887 mod 187.
 Exploiting the properties of modular arithmetic, we can do this as
follows.
The Security of RSA
Five possible approaches to attacking the RSA algorithm are
• Brute force: This involves trying all possible private keys.
• Mathematical attacks: There are several approaches, all equivalent
in effort to factoring the product of two primes.
• Timing attacks: These depend on the running time of the decryption
algorithm. The attacker needs to have the target system compute Cd
mod N for several carefully selected values of C
• Hardware fault-based attack: This involves inducing hardware faults
in the processor that is generating digital signatures.
• Chosen ciphertext attacks: This type of attack exploits properties of
the RSA algorithm.
THE FACTORING PROBLEM
We can identify three approaches to attacking RSA
mathematically.
1. Factor n into its two prime factors. This enables calculation of
φ(n) = (p - 1) * (q - 1), which in turn enables determination of
d Ξ e-1 (mod φ(n)).
2. Determine φ(n) directly, without first determining p and q.
Again, this enables determination of d Ξ e-1 (mod φ(n)).
3. Determine d directly, without first determining φ(n).
TIMING ATTACKS
 A snooper can determine a private key by keeping track of how
long a computer takes to decipher messages
 There are simple countermeasures that can be used, including
the following.
• Constant exponentiation time: Ensure that all
exponentiations take the same amount of time before
returning a result. This is a simple fix but does degrade
performance.
• Random delay: Better performance could be achieved by
adding a random delay to the exponentiation algorithm to
confuse the timing attack.
• Blinding: Multiply the ciphertext by a random number
before performing exponentiation.
FAULT-BASED ATTACK
 The approach is an attack on a processor that is generating RSA
digital signatures.
 The attack induces faults in the signature computation by
reducing the power to the processor.
 The faults cause the software to produce invalid signatures,
which can then be analyzed by the attacker to recover the private
key.
 The attack algorithm involves inducing single-bit errors and
observing the results.
CHOSEN CIPHERTEXT ATTACK AND
OPTIMAL ASYMMETRIC ENCRYPTION
PADDING
 The basic RSA algorithm is vulnerable to a chosen ciphertext
attack (CCA).
 CCA is defined as an attack in which the adversary chooses a
number of ciphertexts and is then given the corresponding
plaintexts, decrypted with the target’s private key.
Thus, the adversary could select a plaintext, encrypt it with the
target’s public key, and then be able to get the plaintext back by
having it decrypted with the private key.
 A simple example of a CCA against RSA takes advantage of the
following property of RSA:
 E(PU, M1) * E(PU, M2) = E(PU, [M1 * M2])
We can decrypt C = Me mod n using a CCA as follows.
1. Compute X = (C * 2e) mod n.
2. Submit X as a chosen ciphertext and receive back Y = Xd mod n.
But now note that
X = (C mod n) * (2e mod n)
= (Me mod n) * (2e mod n)
= (2M)e mod n
 Therefore, Y = (2M) mod n.
 From this, we can deduce M.
 To overcome this simple attack, practical RSA-based cryptosystems
randomly pad the plaintext prior to encryption.
 This randomizes the ciphertext
 However, more sophisticated CCAs are possible, and a simple
padding with a random value has been shown to be insufficient to
provide the desired security.
 To counter such attacks, modifying the plaintext using a procedure
known as optimal asymmetric encryption padding (OAEP) is
recommended.
 As a first step, the message M to be encrypted is padded.
 A set of optional parameters, P, is passed through a hash
function, H.
 The output is then padded with zeros to get the desired length in
the overall data block (DB).
 Next, a random seed is generated and passed through another
hash function, called the mask generating function (MGF).
 The resulting hash value is bit-by-bit XORed with DB to produce a
maskedDB.
 The maskedDB is in turn passed through the MGF to form a hash
that is XORed with the seed to produce the maskedseed.
 The concatenation of the maskedseed and the maskedDB forms
the encoded message EM.
 The EM includes the padded message, masked by the seed, and
the seed, masked by the maskedDB.
 The EM is then encrypted using RSA.
DIFFIE-HELLMAN KEY EXCHANGE
 The purpose of the algorithm is to enable two users to securely
exchange a key that can then be used for subsequent symmetric
encryption of messages.
 The Diffie-Hellman algorithm depends for its effectiveness on the
difficulty of computing discrete logarithms.

A primitive root of a prime number p is one whose powers modulo p

generate all the integers from 1 to p - 1.
That is, if a is a primitive root of the prime number p, then the
numbers a mod p, a2 mod p,..., ap-1 mod p are distinct and consist of
the integers from 1 through p - 1 in some permutation.
The Algorithm
 There are two publicly known numbers: a prime number q and
an integer α that is a primitive root of q.
 Suppose the users A and B wish to create a shared key.
 User A selects a random integer X < q and computes Y = α XA
A A
mod q.
Similarly, user B independently selects a random integer XB < q
and computes YB = α XB mod q.
 Each side keeps the X value private and makes the Y value
available publicly to the other side.
 Thus, XA is A’s private key and YA is A’s corresponding public key,
and similarly for B. User A computes the key as K = (YB)XA mod q
and user B computes the key as K = (YA)XB mod q.
These two calculations produce identical results:
 The result is that the two sides have exchanged a secret value.
 Typically, this secret value is used as shared symmetric secret key.
 Suppose that user A wishes to set up a connection with user B and use
a secret key to encrypt messages on that connection.
 User A can generate a one-time private key XA, calculate YA, and send
that to user B.
 User B responds by generating a private value XB, calculating YB, and
sending YB to user A.
 Both users can now calculate the key.
 The necessary public values q and a would need to be known ahead of
time.
 Alternatively, user A could pick values for q and a and include those in
the first message.
Man-in-the-Middle Attack
 The protocol depicted in Figure 10.1 is insecure against a man-in-
the-middle attack.
Suppose Alice and Bob wish to exchange keys, and Darth is the
adversary.
 The attack proceeds as follows (Figure 10.2).
1. Darth prepares for the attack by generating two random
private keys XD1 and XD2 and then computing the corresponding
public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also
calculates K2 = (YA)XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth
calculates K1 = (YB)XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)XA mod q.
Figure: Man-in-the-Middle Attack
 At this point, Bob and Alice think that they share a secret key,
but instead Bob and Darth share secret key K1 and Alice and
Darth share secret key K2.
 All future communication between Bob and Alice is
compromised in the following way.
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it to
recover M.
3. Darth sends Bob E(K1, M) or E(K1, M′), where M′ is any
message. In the first case, Darth simply wants to eavesdrop on
the communication without altering it. In the second case,
Darth wants to modify the message going to Bob.
ELGAMAL CRYPTOGRAPHIC SYSTEM
 The global elements of Elgamal are a prime number q and a,
which is a primitive root of q.
 User A generates a private/public key pair as follows:
1. Generate a random integer XA, such that 1 < XA < q - 1.
2. Compute YA = αXA mod q.
3. A’s private key is XA and A’s public key is {q, a, YA}.
 Any user B that has access to A’s public key can encrypt a
message as follows:
1. Represent the message as an integer M in the range 0 ≤M ≤
q - 1. Longer messages are sent as a sequence of blocks, with
each block being an integer less than q.
2. Choose a random integer k such that 1 ≤ k ≤ q - 1.
3. Compute a one-time key K = (YA)k mod q.
4. Encrypt M as the pair of integers (C1, C2) where
C1 = αk mod q; C2 = KM mod q
 User A recovers the plaintext as follows:
1. Recover the key by computing K = (C1)XA mod q.
2. Compute M = (C2K-1) mod q.
 These steps are summarized next. Alice generates a
public/private key pair; Bob encrypts using Alice’s public key; and
Alice decrypts using her private key.
 Following steps show how K is recovered by the decryption process:

K = (YA)k mod q K is defined during the encryption process

K = (αXA mod q)k mod q substitute using YA = α XA mod q
K = αk XA mod q by the rules of modular arithmetic
K = (C1)XA mod q substitute using C1 = α k mod q
 Next, using K, we recover the plaintext as
C2 = KM mod q
(C2K-1) mod q = KMK-1 mod q = M mod q = M
 We can restate the Elgamal process as follows:
1. Bob generates a random integer k.
2. Bob generates a one-time key K using Alice’s public-key
components YA, q, and k.
3. Bob encrypts k using the public-key component a, yielding
C1 . C1provides sufficient information for Alice to recover K.
4. Bob encrypts the plaintext message M using K.
5. Alice recovers K from C1 using her private key.
6. Alice uses K-1 to recover the plaintext message from C2.
 Thus, K functions as a one-time key, used to encrypt and decrypt
the message.
Example
Consider q = 19. The primitive roots are {2, 3, 10, 13, 14, 15}.
Choose α= 10.
Alice generates a key pair as follows:
1. Alice chooses XA = 5.
2. Then YA = α XA mod q = α 5 mod 19 = 3
3. Alice’s private key is 5 and Alice’s public key is {q, a, YA} = {19,
10, 3}.
Suppose Bob wants to send the message with the value M = 17.
Then:
1. Bob chooses k = 6.
2. Then K = (YA)k mod q = 36 mod 19 = 729 mod 19 = 7.
3. So
C1 = α k mod q = α 6 mod 19 = 11
C2 = KM mod q = 7 X 17 mod 19 = 119 mod 19 = 5
4. Bob sends the ciphertext (11, 5).
For decryption:
1. Alice calculates K = (C1)XA mod q = 115 mod 19 = 161051 mod 19 = 7.
2. Then K-1 in GF(19) is 7-1 mod 19 = 11.
3. Finally, M = (C2K-1) mod q = 5 X 11 mod 19 = 55 mod 19 = 17.
PRNG(Pseudorandom Number Generation) Based on RSA
- Micali-Schnorr PRNG

 The RSA algorithm is considered secure and is a good

candidate to form the basis of a PRNG
We can define the PRNG as follows.
 PRNG has much the same structure as the output feedback
(OFB) mode
 a portion of the output is fed back to the next iteration of the
encryption algorithm and the remain- der of the output is used
as pseudorandom bits
The parameters n, r, e, and k are selected to satisfy the
following six requirements.