Asymmetric Key Cryptography

The document discusses asymmetric key cryptography including RSA, ElGamal, and elliptic curve cryptosystems. It describes how the cryptosystems work including key generation, encryption, and decryption. It also outlines several attacks against each cryptosystem such as factorization attacks against RSA, discrete logarithm attacks against ElGamal, and elliptic curve logarithm problem attacks against elliptic curve cryptosystems. Finally, it briefly discusses quantum computing and the need for post-quantum cryptography.

Uploaded by

Hari Krishna

ASYMMETRIC KEY CRYPTOGRAPHY

Outline

Introduction

RSA Cryptosystem

Attacks on RSA Cryptosystem

ElGamal Cryptosystem

Attacks on ElGamal Cryptosystem

Elliptic Curve Cryptosystem

Attacks on Elliptic Curve Cryptosystem

Introduction

General idea of Asymmetric Key Cryptosystem

RSA Cryptosystem

RSA Key Generation

Select two large primes $p$ and $q$ such that $p \neq q$
$n \leftarrow p \times q$
$\phi(n) \leftarrow (p - 1) \times (q - 1)$
Select $e$ such that $1 < e < \phi(n)$ and $e$ is coprime to $\phi(n)$
$d \leftarrow e^{-1} \bmod \phi(n)$
Public key $\leftarrow (e, n)$
Private key $\leftarrow d$

RSA Encryption

Encryption:
$C \leftarrow P^{e} \bmod n$

RSA Decryption

Decryption:
$P \leftarrow C^{d} \bmod n$

Attacks on RSA Cryptosystem

Factorization Attack

Trial Division Method
Fermat Method
Pollard p-1 Method
Pollard rho Method

Coppersmith Theorem Attack

Given a modulo-$n$ polynomial $f(x)$ of degree $e$, one can use an algorithm of complexity $\log n$ to find the roots if one of the roots is smaller than $n^{1/e}$.

Broadcast Attack

A broadcast attack can be launched if one entity sends the same message to a group of recipients with the same low encryption exponent.
$C_1 = P^{3} \bmod n_1$
$C_2 = P^{3} \bmod n_2$
$C_3 = P^{3} \bmod n_3$
Applying the Chinese remainder theorem to these three equations, the attacker can find out $P$.

Chinese Remainder Theorem

$a_1 = x \bmod m_1$
$a_2 = x \bmod m_2$
$a_3 = x \bmod m_3$
...
$a_k = x \bmod m_k$
The solution to the above simultaneous equations is
$x = (a_1 \times M_1 \times M_1^{-1} + a_2 \times M_2 \times M_2^{-1} + \cdots + a_k \times M_k \times M_k^{-1}) \bmod M$
where
$M = m_1 \times m_2 \times \cdots \times m_k$
$M_1 = M/m_1$, $M_1^{-1}$ = inverse of $M_1 \bmod m_1$
$M_2 = M/m_2$, $M_2^{-1}$ = inverse of $M_2 \bmod m_2$
...
$M_k = M/m_k$, $M_k^{-1}$ = inverse of $M_k \bmod m_k$

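The Broadcast Attack and Chinese Remainder Theorem slides, worked through as an added example (not part of the original slides), show why unpadded RSA with e = 3 must never carry the same plaintext to several recipients. The moduli, the plaintext 4242 and all function names are constructed for illustration; the per-recipient distinct plaintexts only stand in for what a randomized padding scheme achieves.

```python
from math import prod

def crt(residues, moduli):
    """Solve a_i = x mod m_i for pairwise-coprime m_i (formula from the CRT slide)."""
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        x += a_i * M_i * pow(M_i, -1, m_i)   # pow(.., -1, m) is the modular inverse
    return x % M

def integer_root(n, k):
    """Floor of the k-th root of n by binary search (exact for big integers)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def textbook_encrypt(P, e, n):
    return pow(P, e, n)                      # C = P^e mod n, no padding

def shared_plaintext(ciphertexts, moduli, e=3):
    """Return P if every ciphertext is P^e under its modulus, else None."""
    x = crt(ciphertexts, moduli)             # equals P^e exactly: P^e < n1*n2*n3
    root = integer_root(x, e)
    return root if root ** e == x else None

# Constructed toy moduli: products of small primes p with 3 coprime to p - 1.
MODULI = [83 * 89, 101 * 107, 113 * 131]

def demo():
    same = [textbook_encrypt(4242, 3, n) for n in MODULI]
    # Assumption: distinct plaintexts per recipient model randomized padding.
    distinct = [textbook_encrypt(4242 + i, 3, n) for i, n in enumerate(MODULI)]
    return shared_plaintext(same, MODULI), shared_plaintext(distinct, MODULI)

if __name__ == "__main__":
    print(demo())   # (4242, None)
```

The second result is `None` because the CRT value is no longer a perfect cube once the three plaintexts differ, which is the property randomized padding such as OAEP provides.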
Related Message Attack

$C_1 = P_1^{e} \bmod n$
$C_2 = P_2^{e} \bmod n$
If $P_1$ is related to $P_2$ by a linear function, then the attacker can recover $P_1$ and $P_2$.

Short Pad Attack

$C_1 = \{P : r_1\}^{e} \bmod n$
$C_2 = \{P : r_2\}^{e} \bmod n$
If $r_1$ and $r_2$ are small, then the attacker can recover $P$.

Short Message Attack

If the attacker knows the set of possible plaintexts (and this set is small), then he can encrypt all possible messages until the result is the same as the ciphertext.

Common Modulus Attack

People in a community might let a trusted party select $p$ and $q$, calculate $n$ and $\phi(n)$, and create a pair of exponents $(e_i, d_i)$ for each person. If the attacker is a member of this community and is assigned a pair of exponents $(e_a, d_a)$, then he can launch a probabilistic attack to factor $n$.

Power Attack

The decryption algorithm uses
- only squaring if the corresponding bit in the private exponent $d$ is 0,
- both squaring and multiplication if the corresponding bit is 1.
An iteration involving multiplication and squaring consumes more power than an iteration that uses only squaring.

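The leak described on the Power Attack slide, and one standard countermeasure, as an added example that is not part of the original slides. The trace strings model only the sequence of operations; the exponent, modulus and function names are constructed, and the Montgomery ladder is a technique introduced here, not one the slides mention.

```python
def square_and_multiply(base, d, n):
    """Left-to-right binary exponentiation as on the slide.
    Returns (result, trace) with 'S' = squaring and 'M' = multiplication."""
    result, trace = 1, []
    for bit in bin(d)[2:]:
        result = result * result % n
        trace.append("S")
        if bit == "1":                        # extra work only for 1 bits
            result = result * base % n
            trace.append("M")
    return result, "".join(trace)

def bits_visible_in_trace(trace):
    """What the operation sequence alone discloses: 'SM' is a 1, a lone 'S' is a 0."""
    return trace.replace("SM", "1").replace("S", "0")

def montgomery_ladder(base, d, n):
    """Same result, but every bit costs one multiplication and one squaring."""
    r0, r1, trace = 1, base % n, []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        trace.append("MS")                    # identical pattern for 0 and 1
    return r0, "".join(trace)

# Constructed toy values; a real private exponent has thousands of bits.
D, N, C = 0b1011001, 3233, 855

def demo():
    plain, leaky = square_and_multiply(C, D, N)
    ladder_plain, uniform = montgomery_ladder(C, D, N)
    return plain == ladder_plain, bits_visible_in_trace(leaky), uniform

if __name__ == "__main__":
    print(demo())
```

A uniform operation sequence is necessary but not sufficient: production code also needs constant-time big-integer arithmetic and, commonly, exponent or message blinding.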
ElGamal Cryptosystem

Definitions

Order of an Element: The order of an element $a$ in a group is the smallest integer $n$ such that $a^{n} = e$.
Primitive Roots: In a multiplicative group $G = \langle \mathbb{Z}_n^{*}, \times \rangle$, when the order of an element is the same as $\phi(n)$, the element is called the primitive root of the group.

ElGamal Key Generation

Select a large prime $p$
Select $d$ to be a member of the group $G = \langle \mathbb{Z}_p^{*}, \times \rangle$ such that $1 \le d \le p - 2$
Select $e_1$ to be a primitive root in the group $G = \langle \mathbb{Z}_p^{*}, \times \rangle$
$e_2 \leftarrow e_1^{d} \bmod p$
Public key $\leftarrow (e_1, e_2, p)$
Private key $\leftarrow d$

ElGamal Encryption($e_1, e_2, p, P$)

Select a random integer $r$ in the group $G = \langle \mathbb{Z}_p^{*}, \times \rangle$
$C_1 \leftarrow e_1^{r} \bmod p$
$C_2 \leftarrow (P \times e_2^{r}) \bmod p$
return $C_1$ and $C_2$

ElGamal Decryption($d, p, C_1, C_2$)

$P \leftarrow [C_2 (C_1^{d})^{-1}] \bmod p$
return $P$

Attacks on ElGamal Cryptosystem

Discrete Logarithm

$y = g^{x} \bmod p$
$x = L_g\, y$

y          1  2  3  4  5  6
x = L_3 y  6  2  1  4  5  3
x = L_5 y  6  4  5  2  1  3

Low-Modulus Attack

$e_2 = e_1^{d} \bmod p$
$d = L_{e_1} e_2$
If the value of $p$ is not large enough, an attacker can use some efficient algorithm to solve the discrete logarithm problem to find $d$.

Known-Plaintext Attack

If Alice uses the same random exponent $r$ to encrypt two plaintexts $P$ and $P'$, the attacker discovers $P'$ if he knows $P$.
Assume that
$C_2 \leftarrow (P \times e_2^{r}) \bmod p$
$C_2' \leftarrow (P' \times e_2^{r}) \bmod p$
The attacker finds $P'$ using the following steps:
$e_2^{r} = C_2 \times P^{-1} \bmod p$
$P' = C_2' \times (e_2^{r})^{-1} \bmod p$

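ElGamal key generation, encryption and decryption from the slides above, together with the reuse failure on the Known-Plaintext Attack slide, as an added example that is not part of the original slides. The prime 2579, the primitive root 2, the key, the plaintexts and all function names are constructed toy values; the point to take away is that `encrypt` draws a fresh r for every message unless a caller overrides it.

```python
import secrets

def keygen(p, e1):
    """Key generation slide: private d in [1, p-2], public (e1, e2, p)."""
    d = secrets.randbelow(p - 2) + 1
    return (e1, pow(e1, d, p), p), d

def encrypt(pub, P, r=None):
    """Encryption slide. r must be fresh and secret for every message."""
    e1, e2, p = pub
    if r is None:
        r = secrets.randbelow(p - 2) + 1
    return pow(e1, r, p), P * pow(e2, r, p) % p

def decrypt(d, p, C1, C2):
    """Decryption slide: P = C2 * (C1^d)^-1 mod p."""
    return C2 * pow(pow(C1, d, p), -1, p) % p

def recover_from_reused_r(p, known_P, C2, C2_prime):
    """Known-plaintext slide: the mask e2^r cancels when r is repeated."""
    mask = C2 * pow(known_P, -1, p) % p           # e2^r = C2 * P^-1
    return C2_prime * pow(mask, -1, p) % p        # P' = C2' * (e2^r)^-1

# Constructed toy parameters: p = 2579 is prime and 2 is a primitive root mod p.
P_MOD, E1, D_PRIV = 2579, 2, 765
PUB = (E1, pow(E1, D_PRIV, P_MOD), P_MOD)

def demo():
    known, secret_msg = 1299, 2001
    _, c2 = encrypt(PUB, known, r=853)            # r fixed here to show the reuse
    _, c2_reused = encrypt(PUB, secret_msg, r=853)
    _, c2_fresh = encrypt(PUB, secret_msg, r=854)
    return (recover_from_reused_r(P_MOD, known, c2, c2_reused),
            recover_from_reused_r(P_MOD, known, c2, c2_fresh) == secret_msg)

if __name__ == "__main__":
    print(demo())   # (2001, False)
```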
Elliptic Curve Cryptosystem

Elliptic Curve

A special class of elliptic curves of the form
$y^{2} = x^{3} + ax + b$
is used for the Elliptic Curve Cryptosystem.
In the above equation, if $4a^{3} + 27b^{2} \neq 0$, the equation represents a nonsingular elliptic curve.

Operations

Point Addition

Assume $P = (x_1, y_1)$, $Q = (x_2, y_2)$
$\lambda = (y_2 - y_1)/(x_2 - x_1)$
$x_3 = \lambda^{2} - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$
$R' = (x_3, y_3)$

Point Doubling

$\lambda = (3x_1^{2} + a)/(2y_1)$
$x_3 = \lambda^{2} - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$

Additive Inverse

$P = (x_1, y_1)$
$Q = (x_1, -y_1)$

Key Generation

Choose $E(a, b)$ with an elliptic curve over $GF(p)$ or $GF(2^{n})$
Choose a point on the curve $e_1(x_1, y_1)$
Choose an integer $d$
$e_2(x_2, y_2) = d \times e_1(x_1, y_1)$
Public key $\leftarrow E(a, b),\ e_1(x_1, y_1),\ e_2(x_2, y_2)$
Private key $\leftarrow d$

Encryption

$C_1 = r \times e_1$
$C_2 = P + r \times e_2$

Decryption

$P = C_2 - (d \times C_1)$

Attacks on Elliptic Curve Cryptosystem

Elliptic Curve Logarithm Problem

If the attacker knows $r$:
$P = C_2 - (r \times e_2)$

To find $r$:
$C_1 = r \times e_1$

To find $d$:
$e_2 = d \times e_1$

Quantum Computing

- Quantum computing is computing using quantum mechanics.
- Quantum mechanics is a fundamental theory in physics which describes nature at the smallest scales of energy levels of atoms and subatomic particles.

Post Quantum Cryptography

Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer.

1. Lattice-based cryptography
2. Hash-based cryptography
3. Code-based cryptography
4. Supersingular elliptic curve isogeny cryptography
