Chapter 10

Asymmetric-Key
Cryptography

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

10.1
 Chapter 10
Objectives

10.2
Why Public-Key Cryptography?
 Developed to address two key issues:
 key distribution – how to have secure
communications in general without having to
trust a KDC with your key
 digital signatures – how to verify a message
comes intact from the claimed sender
 public
invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
 known earlier in classified community
 Public-Key Cryptography
 public-key/two-key/asymmetric cryptography involves the use
of two keys:
 a public-key, which may be known by anybody, and can be

used to encrypt messages, and verify signatures

 a related private-key, known only to the recipient, used to

decrypt messages, and sign (create) signatures

 infeasible to determine private key from public
 is asymmetric because
 those who encrypt messages or verify signatures cannot

decrypt messages or create signatures

 10-1 INTRODUCTION

Symmetric and asymmetric-key cryptography will exist

in parallel and continue to serve the community. We
actually believe that they are complements of each
other; the advantages of one can compensate for the
disadvantages of the other.

Note
Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.

10.5
 10.1.1 Keys

Asymmetric key cryptography uses two separate keys: one

private and one public.

Figure 10.1 Locking and unlocking in asymmetric-key cryptosystem

10.6
 10.1.2 General Idea

Figure 10.2 General idea of asymmetric-key cryptosystem

10.7
 10.1.2 Continued

Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and
ciphertext are treated as integers in asymmetric-key
cryptography.

Encryption/Decryption

C = f (Kpublic , P) P = g(Kprivate , C)

10.8
 10.1.3 Need for Both

There is a very important fact that is sometimes

misunderstood: The advent of asymmetric-key
cryptography does not eliminate the need for symmetric-
key cryptography.

10.9
 10.1.4 Trapdoor One-Way Function

The main idea behind asymmetric-key cryptography is the

concept of the trapdoor one-way function.
Functions
Figure 10.3 A function as rule mapping a domain to a range

10.10
 10.1.4 Continued
One-Way Function (OWF)

1. f is easy to compute.
2. f −1 is difficult to compute.

Trapdoor One-Way Function (TOWF)

3. Given y and a trapdoor, x can be computed

easily.

10.11
 10.1.4 Continued

Example 10. 1 One-Way Function (OWF)

When n is large, n = p × q is a one-way function. Given p and
q , it is always easy to calculate n ; given n, it is very difficult to
compute p and q. This is the factorization problem.

10.12
 Public-Key Requirements
 need a trapdoor one-way function
 one-way function has
 Y = f(X) easy

 X = f–1(Y) infeasible

 a trap-door one-way function has

 Y = f (X) easy, if k and X are known
k

 X = fk–1(Y) easy, if k and Y are known

 X = fk–1(Y) infeasible, if Y known but k not known
 a practical public-key scheme depends on a suitable trap-
door one-way function
 Comparison
Symmetric Key Encryption Asymmetric Key Encryption
It only requires a single key for both encryption and It requires two key one to encrypt and the other
decryption. one to decrypt.

It is based on substitution and permutation of

It is based on mathematical functions to numbers.
symbols(characters or bits)

Follows Kerkhof's principle Follows Trap-door One-way function

The size of cipher text is same or smaller than the The size of cipher text is same or larger than the
original plain text. original plain text.

The encryption process is very fast. The encryption process is slow.

It is used when a large amount of data is required

It is used to transfer small amount of data.
to transfer.

It provides confidentiality, authenticity and non-

It only provides confidentiality.
repudiation.

Examples: Diffie-Hellman, ECC, El Gamal, DSA and

Examples: 3DES, AES, DES and RC4
RSA

In symmetric key encryption, resource utilization is In asymmetric key encryption, resource utilization is
low as compared to asymmetric key encryption. high.

10.14
 10-2 RSA CRYPTOSYSTEM

The most common public-key algorithm is the RSA

cryptosystem, named for its inventors (Rivest, Shamir,
and Adleman).

Topics discussed in this section:

10.2.1 Introduction
10.2.2 Procedure
10.2.3 Some Trivial Examples
10.2.4 Attacks on RSA

10.15
 RSA
 by Rivest, Shamir & Adleman of MIT in 1977
 best known & widely used public-key scheme
 based on exponentiation in a finite (Galois) field over
integers modulo a prime
 nb. exponentiation takes O((log n)3) operations
(easy)
 uses large integers (eg. 1024 bits)
 security due to cost of factoring large numbers
 nb. factorization takes O(e log n log log n) operations
(hard)
 10.2.1 Introduction

Figure 10.5 Complexity of operations in RSA

10.17
 10.2.2 Procedure

Figure 10.6 Encryption, decryption, and key generation in RSA

10.18
 Proof of RSA

de mod Ø (n) = R
Dividend = quotient ×divisor + remainder
10.20
 Example

10.21
10.22
 10.2.3 Some Trivial Examples
Example 10. 5
Bob chooses 7 and 11 as p and q and calculates n = 77. The
value of (n) = (7 − 1)(11 − 1) or 60. Now he chooses two
exponents, e and d, from Z60∗. If he chooses e to be 13, then
d is 37. Note that e × d mod 60 = 1 (they are inverses of each
Now imagine that Alice wants to send the plaintext 5 to Bob.
She uses the public exponent 13 to encrypt 5.

Bob receives the ciphertext 26 and uses the private key 37 to

decipher the ciphertext:

10.23
 10.2.6 Continued
Example 10. 8

Here is a more realistic example. We choose a 512-bit p

and q, calculate n and (n), then choose e and test for
relative primeness with (n). We then calculate d.
Finally, we show the results of encryption and
decryption. The integer p is a 159-digit number.

10.24
 10.2.6 Continued
Example 10. 8 Continued

The modulus n = p × q. It has 309 digits.

(n) = (p − 1)(q − 1) has 309 digits.

10.25
 10.2.6 Continued
Example 10. 8 Continued

Bob chooses e = 35535 (the ideal is 65537) and tests it to

make sure it is relatively prime with (n). He then finds
the inverse of e modulo (n) and calls it d.

10.26
 10.2.6 Continued
Example 10. 8 Continued

Alice wants to send the message “THIS IS A TEST”,

which can be changed to a numeric value using the
00−26 encoding scheme (26 is the space character).

The ciphertext calculated by Alice is C = Pe, which is

10.27
 10.2.6 Continued
Example 10. 8 Continued

Bob can recover the plaintext from the ciphertext using

P = Cd, which is

The recovered plaintext is “THIS IS A TEST” after

decoding.

10.28
 10.2.4 Attacks on RSA

Figure 10.8 Taxonomy of potential attacks on RSA

10.29
10.30
10.31
10.32
 Attacks on encryption exponent
 Coppersmith Theorem attack:
 Low encryption exponent attack
 It states that “ in a modulo-n polynomial f(x) of degree e , one
can use an algorithm of the complexity log n to find the roots
if one of the roots is smaller than n1/e
 This theorem can be applied to RSA algorithm
 With C=f(P)=P e mod n , if e=3 and only 2/3rd of the bits in P
are known, then the algorithm can find all the bits in the
plaintext.
 Broadcast attack
 Related message attack
 Shortpad Attack

10.33
 Attacks on encryption exponent
 Broadcast attack
- launched if one entity sends the same message to
a group of recipients with same low encryption
exponent.
 Example:
 Alice sends same message to three recipient with same
public exponent e =3 and the moduli n1, n2, and n3
C1 = P3 mod n1
C2 = P3 mod n2
C3 = P3 mod n3

 By applying Chinese Remainder Theorem to these three

equations, Eve can find P3 and P by simple regular
arithmetic

10.34
 Attacks on encryption exponent

10.35
 Attacks on Decryption exponent
 Revealed Decryption attack
 Low decryption attack

10.36
 Plaintext attacks
 Short Message attack
 Cycling Attack
 Unconcealed Message attack

10.39
10.40
 Plaintext attacks
•Unconcealed message attack: In some rare
cases, it is found that some encrypted cipher
text is the same as the plain text i.e original
text. This means that the plain text is not
hidden. Such type of attack is called an
unconcealed message attack

10.41
 Attacks on modulus: Common modulus
attack

10.42
10.43
10.44
 Attacks on encryption exponent
 Coppersmith Theorem attack:
 Low encryption exponent attack
 It states that “ in a modulo-n polynomial f(x) of degree e , one
can use an algorithm of the complexity log n to find the roots
if one of the roots is smaller than n1/e
 This theorem can be applied to RSA algorithm
 With C=f(P)=P e mod n , if e=3 and only 2/3rd of the bits in P
are known, then the algorithm can find all the bits in the
plaintext.
 Broadcast attack
 Related message attack
 Shortpad Attack

10.45
 Attacks on encryption exponent
 Broadcast attack
- launched if one entity sends the same message to
a group of recipients with same low encryption
exponent.
 Example:
 Alice sends same message to three recipient with same
public exponent e =3 and the moduli n1, n2, and n3
C1 = P3 mod n1
C2 = P3 mod n2
C3 = P3 mod n3

 By applying Chinese Remainder Theorem to these three

equations, Eve can find P3 and P by simple regular
arithmetic

10.46