Cryptography 1.
(Part I)
Security Attacks
[Figure: the normal flow of information from source to destination, the reference case for the attacks shown on the slide]
– Non-repudiation
• If a message is indeed sent by a sender, the sender cannot deny having sent it
– Access control
• Only authorized persons can access the system or the file
– Availability
• To ensure that the system is available to authorized persons
Introduction to Cryptography
• Cryptographic Systems are classified by
– Number of keys used
• No key
• Single-key, secret-key, symmetric, or conventional
encryption
• Two-key, asymmetric, or public-key encryption
– Type of operations used for transforming
plaintext to ciphertext
– The way in which the plaintext is processed
• Block cipher
• Stream cipher
Systems without Keys
• Encryption techniques not using any keys are very simple.
– The information being encrypted is merely transformed or scrambled.
– Not secure (only apparently secure)
– Easy to decipher the encrypted information once you know the algorithm.
• E.g., based on the English letter frequency
[Figure: conventional (symmetric) encryption: plaintext → encryption algorithm → transmitted ciphertext → decryption algorithm → plaintext]
• Data Encryption Standard (DES)
– A commonly used private-key algorithm in the past.
– Developed by IBM
– Became a U.S. government standard in 1976.
– It remained a secure algorithm for about two decades.
– But it was finally declared dead in July 1998
– Concerns about the strength of DES
• Cryptanalysis
– There have been numerous attempts to find and exploit weaknesses in the algorithm.
– No one has so far succeeded in discovering a fatal weakness, other than the key length being too short.
• Key length
– The effective key length is only 56 bits
– Rising processor speed and falling hardware costs made it a simple matter to break DES quickly using a brute-force approach.
– It was finally declared dead in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose “DES cracker”.
» 56 hours to break DES at that time
– In recent years, by using brute-force attacks, a DES key can be broken in a few hours
» Even shorter with specially designed hardware or a more powerful GPU
[Figure: general depiction of the DES encryption algorithm. The 64-bit plaintext passes through an initial permutation, 16 rounds, and an inverse initial permutation to give the 64-bit ciphertext. Round i uses a 48-bit subkey i produced from the 64-bit key (56 key bits plus 8 parity bits, the parity bits being for error detection) by permuted choice 1, a left circular shift of each 28-bit half, and permuted choice 2.]
[Figure: one DES round. The 64-bit text block is split into a left half and a right half; the right half is expanded to 48 bits and XORed with the round's 48-bit key from the compression permutation, while the two key halves are shifted by the round's number of bits. The halves feed the next round; after 16 rounds they are recombined and passed through the inverse initial permutation to give the ciphertext.]
The tables of the following few slides are taken from
Reference: http://www.tropsoft.com/strongenc/des.htm
[Table: Key Permutation, selecting the 56 key bits from the 64-bit key (output bits listed with the input bit they take). Only these rows survived extraction:
Output bits 1–7: 57 49 41 33 25 17 9
Output bits 8–14: 1 58 50 42 34 26 18
Output bits 29–35: 63 55 47 39 31 23 15
Output bits 50–56: 21 13 5 28 20 12 4]
Note: bit 1 is the leftmost bit and bit 64 is the rightmost bit.
The 56-bit key is split into two 28-bit blocks.
In each round, the left and right key halves are rotated left by 1 or 2 bits,
as specified in the following table.
Round Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of bits to rotate 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Apply the following table to obtain the 48-bit key for a particular round.
[Table: Compression Permutation, selecting 48 of the 56 shifted key bits (output bits listed with the input bit they take). Only these rows survived extraction:
Output bits 13–18: 23 19 12 4 26 8
Output bits 19–24: 16 7 27 20 13 2
Output bits 37–42: 44 49 39 56 34 53
Output bits 43–48: 46 42 50 36 29 32]
The plaintext is passed through the following initial permutation table.
e.g. bit 58 → bit 1
bit 50 → bit 2
[Table: Initial Permutation of the 64-bit text block (output bits listed with the input bit they take). Only these rows survived extraction:
Output bits 17–24: 62 54 46 38 30 22 14 6
Output bits 25–32: 64 56 48 40 32 24 16 8
Output bits 49–56: 61 53 45 37 29 21 13 5
Output bits 57–64: 63 55 47 39 31 23 15 7]
For each round, the text will be divided into two parts, L and R.
R will be expanded from 32 bits to 48 bits according to the following table.
e.g. bit 1 → bit 2 and bit 48
bit 3 → bit 4
bit 4 → bit 5 and bit 7
The resulting 48-bit data will be XORed with the 48-bit key for this round.
E-Bit Selection Table (output bits listed with the input bit they take; the rows for output bits 25–36 did not survive extraction):
Output bits 1–6: 32 1 2 3 4 5
Output bits 7–12: 4 5 6 7 8 9
Output bits 13–18: 8 9 10 11 12 13
Output bits 19–24: 12 13 14 15 16 17
Output bits 37–42: 24 25 26 27 28 29
Output bits 43–48: 28 29 30 31 32 1
The result from the previous step is XORed with the 48-bit subkey and then split into 8 6-bit segments.
Each 6-bit segment is passed to the corresponding S-Box to get a 4-bit segment.
S-Box 1 is shown below. The other S-Boxes have the same shape, but their contents differ.
The 1st and the last bits are used to index a row. The middle 4 bits are used to index a column.
e.g. 011101 → row 1 (01), column 14 (1110) → 3 (0011)
S-Box 1: Substitution Box 1
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S-Box 2: Substitution Box 2
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-Box 3: Substitution Box 3
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S-Box 4: Substitution Box 4
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-Box 5: Substitution Box 5
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S-Box 6: Substitution Box 6
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-Box 7: Substitution Box 7
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S-Box 8: Substitution Box 8
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
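As an added example (not code from the slides), here are the two DES pieces whose tables are complete on this page: the 16-round rotation schedule for the two 28-bit key halves, and S-box 1 indexing as in the 011101 example above. PC-1, PC-2, E and P are not reproduced, so this is not a full DES, and the key halves used are constructed sample values.

```python
# Added example (not the slides' code): the two DES pieces whose tables appear
# in full on this page: the per-round rotation of the two 28-bit key halves
# and S-box 1 lookup. PC-1, PC-2, E and P are not applied here.

# Number of bits to rotate the key halves left in rounds 1..16 (slide table).
SHIFT_SCHEDULE = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# S-box 1, rows 0..3, columns 0..15 (slide table).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

MASK28 = (1 << 28) - 1

def rotl28(half: int, n: int) -> int:
    """Left circular shift of a 28-bit key half by n bits."""
    return ((half << n) | (half >> (28 - n))) & MASK28

def key_halves_per_round(c0: int, d0: int):
    """Return [(C_1, D_1), ..., (C_16, D_16)] from the halves C_0, D_0 that
    PC-1 would produce; each round's 48-bit subkey is PC-2 of (C_i, D_i)."""
    halves, c, d = [], c0, d0
    for shift in SHIFT_SCHEDULE:
        c, d = rotl28(c, shift), rotl28(d, shift)
        halves.append((c, d))
    return halves

def sbox1(six_bits: int) -> int:
    """Outer bits (first and last) pick the row, middle four bits pick the
    column; returns the 4-bit S-box 1 output."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]

def demo():
    # Constructed sample halves (hypothetical; not a key from the slides).
    c0, d0 = 0x0F0F0F0, 0xAAAAAAA
    halves = key_halves_per_round(c0, d0)
    # The 16 shifts total 28 bits, so (C_16, D_16) equals (C_0, D_0): this is
    # why decryption can derive the same subkeys by rotating right instead.
    assert halves[-1] == (c0, d0)
    return sbox1(0b011101)  # slide example: row 01, column 1110 -> 3
```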
The 8 4-bit numbers resulting from the previous step form a 32-bit string.
Then the resulting string will be passed through the following permutation table.
The result (a 32-bit string) will be XORed with the left block and moved to the right
block for the next round. The original right block will become the left block for
the next round.
The encryption steps will be repeated for 16 rounds.
[Table: P Permutation of the 32-bit string (output bits listed with the input bit they take). Only these rows survived extraction:
Output bits 13–16: 5 18 31 10
Output bits 17–20: 2 8 24 14
Output bits 29–32: 22 11 4 25]
The following table will be applied in the last step, and the ciphertext will be obtained.
e.g. bit 1 → bit 58
bit 2 → bit 50
[Table: Inverse Initial Permutation (output bits listed with the input bit they take). The rows for output bits 1–16 did not survive extraction:
Output bits 17–24: 38 6 46 14 54 22 62 30
Output bits 25–32: 37 5 45 13 53 21 61 29
Output bits 33–40: 36 4 44 12 52 20 60 28
Output bits 41–48: 35 3 43 11 51 19 59 27
Output bits 49–56: 34 2 42 10 50 18 58 26
Output bits 57–64: 33 1 41 9 49 17 57 25]
• General Depiction of DES Decryption Algorithm
– Usually, the decryption algorithm of a block cipher should be identical to the encryption algorithm step by step in reverse order.
– But for DES, the encryption algorithm is so well designed that the decryption algorithm is identical to the encryption algorithm step by step in the same order, only with the subkeys applied in the reverse order.
[Figure: DES encryption applies subkey 1 in round 1, subkey 2 in round 2, …, subkey 16 in round 16 to the 64-bit plaintext; DES decryption runs the same 16 rounds on the 64-bit ciphertext with subkey 16 in round 1, subkey 15 in round 2, …, subkey 1 in round 16.]
Conventional Encryption Algorithms
Algorithm | Key Size (bits) | Number of Rounds | Block Size (bits) | Mathematical Operations | Applications
DES | 56 | 16 | 64 | XOR, fixed S-boxes | SET, Kerberos
3DES | 112 or 168 | 48 | 64 | XOR, fixed S-boxes | Financial key management, PGP, S/MIME
IDEA | 128 | 8 | 64 | XOR, addition, multiplication | PGP
Blowfish | 32 to 448 | 16 | 64 | XOR, variable S-boxes, addition | (none listed)
Twofish | 128, 192, or 256 | 16 | 128 | XOR, variable S-boxes, addition, rotation | Widely used
RC5 | 0 to 2048 | 1 to 255 | 32, 64, or 128 | Addition, subtraction, XOR, rotation | (none listed)
CAST-128 | 40 to 128 | 12 or 16 | 64 | Addition, subtraction, XOR, rotation, fixed S-boxes | PGP
AES | 128, 192, or 256 | 10, 12, or 14 | 128 is the standard | XOR, fixed S-boxes, rotation, multiplication | Widely used
• Advanced Encryption Standard (AES)
– AES is a symmetric-key encryption standard currently
adopted by the U.S. government.
– Also known as Rijndael
– Block size of 128 bits is the standard
– Key size of 128, 192, or 256 bits
– Faster and more secure than 3DES
• Applications using AES
– Microsoft Office documents
• Office 2007 or later: AES (128 bit)
• Office 2003 or before: RC4 (32/40 bit) [not secure]
– Compressed files (e.g., .zip, .rar, .7z)
• AES (128/256 bit)
• Zip 2.0 Legacy Encryption [not secure, but widely supported]
– WiFi Encryption: WPA/WPA2/WPA3
• AES
• TKIP [only for WPA/WPA2; has security issues]
– Disk encryption
• BitLocker in Windows
• FileVault in macOS
– VPN encryption
• Overview of AES
– AES involves both substitution and
permutation
1. Key Expansion
• Convert the cipher key into round keys (4x4
matrix of bytes) using Rijndael's key schedule
2. Initial Round
• AddRoundKey
– Each byte of the state (4x4 matrix of bytes) is
combined with the round key using bitwise XOR.
[Figure: AddRoundKey on the 4x4 state; the size of each a_i,j, b_i,j, k_i,j is one byte.]
In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕).
3. Subsequent Rounds (except the final round)
• SubBytes
– A non-linear substitution step where each byte is
replaced with another according to a lookup table.
• ShiftRows
– A transposition step where each row of the state is
shifted cyclically a certain number of steps.
• MixColumns
– A mixing operation which operates on the columns of
the state, combining the four bytes in each column.
• AddRoundKey
4. Final Round (no MixColumns)
• SubBytes
• ShiftRows
• AddRoundKey
In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table S, i.e., b_i,j = S(a_i,j).
In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.
In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).
[Figure: AES key expansion]
• AES Decryption
– Reverse the order of operations
– Replace the operations with their inverses
– The inverse of XOR is also XOR
• So the same “Add round key”
Image source: Stallings, Cryptography and Network Security: Principles and Practice (6 th Edition)
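An added example (not code from the slides or from Stallings) of the ShiftRows and MixColumns steps and their inverses on a 4x4 byte state, which is what "replace the operations with their inverses" means in practice; it uses the fixed polynomial c(x) = 3x^3 + x^2 + x + 2 of the MixColumns step. SubBytes is left out because the 256-entry S-box is not on this page, and the sample state is constructed.

```python
# Added example (not the slides' code): ShiftRows and MixColumns on an AES
# state and their inverses. The state is stored column-major as a list of
# four columns, each a list of four bytes, so state[c][r] is row r, column c.
# SubBytes is omitted: the 256-entry S-box is not on this page.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def xtime(b: int) -> int:
    """Multiply a byte by x in GF(2^8), reducing by the AES polynomial."""
    b <<= 1
    return b ^ AES_POLY if b & 0x100 else b

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result

def shift_rows(state):
    """Row r is rotated left by r positions; row 0 stays put."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]

def inv_shift_rows(state):
    """Row r is rotated right by r positions (undoes shift_rows)."""
    return [[state[(c - r) % 4][r] for r in range(4)] for c in range(4)]

# MixColumns multiplies each column by c(x) = 3x^3 + x^2 + x + 2, i.e. by the
# circulant matrix whose first row is [2, 3, 1, 1]; the inverse step uses the
# circulant matrix whose first row is [0x0E, 0x0B, 0x0D, 0x09].
MIX = [2, 3, 1, 1]
INV_MIX = [0x0E, 0x0B, 0x0D, 0x09]

def mix_column(col, coeffs):
    """out[i] = XOR over j of coeffs[(j - i) mod 4] * col[j] in GF(2^8)."""
    return [
        gf_mul(coeffs[(0 - i) % 4], col[0]) ^ gf_mul(coeffs[(1 - i) % 4], col[1])
        ^ gf_mul(coeffs[(2 - i) % 4], col[2]) ^ gf_mul(coeffs[(3 - i) % 4], col[3])
        for i in range(4)
    ]

def mix_columns(state):
    return [mix_column(col, MIX) for col in state]

def inv_mix_columns(state):
    return [mix_column(col, INV_MIX) for col in state]

def round_trip(state):
    """Encrypt-side ShiftRows then MixColumns, then the decrypt-side inverses
    in reverse order; returns the original state if the inverses are right."""
    return inv_shift_rows(inv_mix_columns(mix_columns(shift_rows(state))))

# Constructed sample state (not from the slides): bytes 0x00..0x0F column-major.
SAMPLE_STATE = [[4 * c + r for r in range(4)] for c in range(4)]
```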
Public-Key Cryptography
• First proposed by Diffie and Hellman in 1976.
• Asymmetric Keys
– Two separate keys for encryption and decryption.
• Based on mathematical functions rather than on
simple operations on bit/byte patterns.
• A public-key encryption scheme has six
ingredients:
– Plaintext
– Public key
– Private key
– Encryption algorithm
– Decryption algorithm
– Ciphertext
• Essential steps
– Each user generates a pair of keys for
encryption and decryption
– Public key
• Release to others by placing in a public register (or
other files accessible by others)
– Private key
• Keep private
• Applications for public-key cryptosystems
– Encryption / Decryption
– Digital signature
– Key exchange
• Encryption / Decryption
• Key Exchange
– For a conventional encryption algorithm, a secret key needs to be shared between the two parties first
– A mechanism for them to exchange the key beforehand is needed
– Public-key cryptosystems can be used for this purpose
– For example, we can use Diffie-Hellman to exchange the secret key for AES, and then use AES to encrypt / decrypt all subsequent messages
• AES is faster and has fewer limitations
– Security requirements for public-key cryptography
• Computationally infeasible for an opponent, knowing the public key, to determine the private key.
• Computationally infeasible for an opponent, knowing the public key and a ciphertext, to recover the original message.
– Efficiency requirements for public-key cryptography
• Computationally easy to generate a pair of public key and private key.
• Computationally easy for a sender to encrypt a message with a public key.
• Computationally easy to decrypt the ciphertext with the private key.
• Optionally, it is useful if either of the two related keys can be used for encryption, with the other used for decryption.
• RSA
– Designed by Ron Rivest, Adi Shamir, and Leonard Adleman
– The public and private keys are generated based on the following steps:
1. Choose two large prime numbers p and q.
2. Calculate n = pq and Φ(n) = (p-1)*(q-1).
3. Find e, which is a number that is relatively prime to Φ(n), i.e., GCD(e, Φ(n)) = 1.
The public key is {e, n}.
4. Find d, which is the modular multiplicative inverse of e mod Φ(n), i.e., (de) mod Φ(n) = 1.
The private key is {d, n}.
– RSA is based on the fact that, if plaintext P < n,
P^(de) ≡ P (mod n)
• Example
1. p = 5, q = 11.
2. n = 55 and Φ(n) = (p-1)(q-1) = 40.
3. Choose a number e that is relatively prime to 40, say
7, where GCD(40, 7) = 1.
• Public key is {7, 55}
• See later slides for computing the GCD
4. Compute d, which is the modular multiplicative
inverse of 7 mod 40, and the result is 23.
• (23*7) mod 40 = 161 mod 40 = 1
• Private key is {23, 55}
• See later slides for computing the modular multiplicative
inverse of e mod Φ(n)
• Terminology
– Recall that
• {e, n} is the public key
• {d, n} is the private key
– n is called the modulus
– e is called the public exponent
– d is called the private exponent
• The length of the RSA key refers to the number of bits required to represent n
– RSA-2048 means a 2048-bit RSA key: n is a number with 617 digits
• log10(2^2048) = 616.51
• The public key stored in a Digital Certificate is usually encoded in some portable format, say PEM or DER
– Let P be a binary block of plaintext of length smaller than that of the key. RSA encrypts P as follows:
C = P^e mod n
– To decrypt the ciphertext C, the RSA algorithm raises C to the power d and reduces the result modulo n:
C^d mod n = (P^e)^d mod n = P^(de) mod n = P mod n = P
– Suppose the plaintext blocks are 18 and 19. The ciphertext is
C1 = 18^7 mod 55 = 17
C2 = 19^7 mod 55 = 24
and the decryption produces
17^23 mod 55 = 18
24^23 mod 55 = 19
• How do we find e, which is relatively prime
to Φ(n), in RSA?
• Division Algorithm for Integers
– If a and b are positive integers, there exist unique non-negative integers q and r, with r < b, such that a = q·b + r
• q : quotient
• r : remainder
• Euclidean Algorithm
– Finding the GCD of two integers by repeatedly applying the division algorithm.
– E.g. 1. GCD(81, 57) = 3 can be found as follows:
81 = 1·57 + 24
57 = 2·24 + 9
24 = 2·9 + 6
9 = 1·6 + 3
6 = 2·3 + 0
– E.g. 2. GCD(7, 40) = 1 can be found as follows:
40 = 5·7 + 5
7 = 1·5 + 2
5 = 2·2 + 1
2 = 2·1 + 0
The last non-zero remainder is the GCD.
[Slide: the same GCD(7, 40) computation laid out as a long-division tableau]
• How can we find d, which is the modular multiplicative inverse of e mod Φ(n), in RSA?
– Run the Euclidean algorithm on 7 and 40, keeping track of each remainder as a multiple of 7 (mod 40):
7 = 1·7
40 ≡ 0·7 (mod 40)
5 = 40 − 5·7 ≡ −5·7 (mod 40)
2 = 7 − 1·5 ≡ (1 − (−5))·7 = 6·7 (mod 40)
1 = 5 − 2·2 ≡ (−5 − 2·6)·7 = −17·7 (mod 40)
d = -17 + 40 = 23
– For RSA-2048, n is a number with 617 digits. How do we calculate modular arithmetic involving such large numbers?
– For example, suppose we want to compute 17^23 mod 55 but we do not want to compute 17^23 directly
– Use this property:
(a * b) mod n = ((a mod n) * (b mod n)) mod n
– We have
17^23 mod 55 = (17^16 · 17^4 · 17^2 · 17^1) mod 55
= ((17^16 mod 55) · (17^4 mod 55) · (17^2 mod 55) · (17 mod 55)) mod 55
17^2 mod 55 = (17 · 17) mod 55 = 14
17^4 mod 55 = ((17^2 mod 55) · (17^2 mod 55)) mod 55 = (14 · 14) mod 55 = 31
17^8 mod 55 = ((17^4 mod 55) · (17^4 mod 55)) mod 55 = (31 · 31) mod 55 = 26
17^16 mod 55 = ((17^8 mod 55) · (17^8 mod 55)) mod 55 = (26 · 26) mod 55 = 16
17^23 mod 55 = ((17^16 mod 55) · (17^4 mod 55) · (17^2 mod 55) · (17 mod 55)) mod 55
= (16 · 31 · 14 · 17) mod 55 = 18
• Why is RSA secure?
– Factoring large integer n is very computationally intensive using
currently available techniques.
• The highest RSA number factored on a classical computer
is RSA-250 (with 250 decimal digits / 829 bits) in Feb
2020
– This computation was performed with the Number Field Sieve
(NFS) algorithm, using the open-source CADO-NFS software
– NFS is the most efficient classical algorithm known for factoring
large integers
– The total computation time is roughly 2700 core-years, using Intel
Xeon Gold 6130 CPUs as a reference (16 cores, 2.1GHz)
• Nowadays, RSA-2048 (with 617 decimal digits / 2048
bits) should be used instead
• RSA Weaknesses
– The ROBOT Attack
• Allows an attacker to use the server to decrypt RSA ciphertext
• Hence, RSA should no longer be used as an encryption algorithm or a key exchange algorithm
• But RSA can still be used for the signature algorithm
– Lack of Forward Secrecy
• Forward Secrecy: if a key is compromised in one session, the security of earlier sessions will not be affected
• One way to achieve it is to have a new pair of keys for each new session
• But in practice, RSA key generation is very expensive and it is usually performed only once, with one pair of keys used for multiple sessions
• To have different keys for different sessions, other faster key exchange algorithms are needed, such as Diffie-Hellman key exchange (see next slide)
• Diffie-Hellman Key Exchange
– Enables two users to agree on the same secret key.
– Its effectiveness depends on the difficulty of computing discrete logarithms.
– Background
• Suppose a is a primitive root of a prime number p. Then
a mod p, a^2 mod p, …, a^(p-1) mod p
are distinct and consist of the integers from 1 through p – 1 in some permutation.
• For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that
b = a^i mod p, where 1 ≤ i ≤ (p – 1)
– Diffie-Hellman Key Exchange Algorithm
• There are two publicly known numbers
– A prime number p
– An integer a that is a primitive root of p.
• User A key generation
– Select private X_A < p
– Calculate public Y_A = a^X_A mod p
• User B key generation
– Select private X_B < p
– Calculate public Y_B = a^X_B mod p
• Each side keeps the X value private and makes the Y value available publicly.
• A computes the key K = (Y_B)^X_A mod p
• B computes the key K = (Y_A)^X_B mod p
• Both give the same value, K = a^(X_A · X_B) mod p
• Example: p = 13 and a = 7
– User A:
• X_A = 2
• Y_A = 7^2 mod 13 = 10
– User B:
• X_B = 3
• Y_B = 7^3 mod 13 = 5
– A computes K = 5^2 mod 13 = 12
– B computes K = 10^3 mod 13 = 12
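An added example (not code from the slides) implementing the pieces the RSA and Diffie-Hellman slides walk through: the extended Euclidean algorithm that yields d, square-and-multiply for large modular powers using the (a·b) mod n property, RSA key generation and encryption on the slides' p = 5, q = 11, e = 7, and the Diffie-Hellman exchange with p = 13, a = 7. The function names are mine.

```python
# Added example (not the slides' code): number theory behind the RSA and
# Diffie-Hellman slides, checked against the slides' own small numbers.

def egcd(a: int, b: int):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(e: int, phi: int) -> int:
    """d with (d*e) mod phi == 1; raises if e is not relatively prime to phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return x % phi  # slide: x = -17 for (7, 40), so d = -17 + 40 = 23

def mod_pow(base: int, exp: int, n: int) -> int:
    """Square-and-multiply, reducing after every product so that
    (a*b) mod n == ((a mod n)*(b mod n)) mod n keeps the numbers small."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def rsa_keygen(p: int, q: int, e: int):
    """Returns (public_key, private_key) as ({e, n}, {d, n}) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)

def rsa_apply(block: int, key) -> int:
    """Encrypt with the public key or decrypt with the private key."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than n")
    return mod_pow(block, exp, n)

def dh_exchange(p: int, a: int, x_a: int, x_b: int):
    """Both sides' computations; returns (Y_A, Y_B, K computed by A, K by B)."""
    y_a, y_b = mod_pow(a, x_a, p), mod_pow(a, x_b, p)
    return y_a, y_b, mod_pow(y_b, x_a, p), mod_pow(y_a, x_b, p)
```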