Chapter 9

Public-Key Cryptography
(CS-452)

CS-452: Cryptography 1/57

Private-Key Cryptography
Symmetric key cryptography uses one key, shared by both
sender and receiver
If this key is disclosed, communications are compromised
Symmetric: parties are equal
Can we use symmetric key encryption to protect sender
from receiver forging a message and claiming is sent by
sender?

CS-452: Cryptography 2/57

Private-Key Cryptography
Symmetric key cryptography uses one key, shared by
both sender and receiver
If this key is disclosed, communications are compromised
Symmetric: parties are equal
Can we use symmetric key encryption to protect sender
from receiver forging a message and claiming is sent by
sender?
John can deny sending the message. Because it is
possible for Mary to forge a message, there is no way to
prove that John did in fact send the message.
Mary may forge a different message and claim that it
came from John

CS-452: Cryptography 3/57

Public-Key Cryptography
Probably most significant advance in the history of
cryptography
Public-key encryption: encryption and decryption are
performed using different keys – a public key and a
private key.
Public-key encryption transforms plaintext into
ciphertext using one of two keys and an encryption
algorithm. Using the paired key and a decryption
algorithm, the plaintext is recovered from the
ciphertext.
Can be used for confidentiality, authentication, or
both.

CS-452: Cryptography 4/57

Public-key cryptography: Misconceptions
Misconception 1: Public-key encryption is more secure
from cryptanalysis than symmetric encryption
The security depends on the length of the key and the
computational work involved in breaking a cipher.
Misconception 2: Public-key encryption is a general-
purpose technique that has made symmetric
encryption obsolete.
Computation overhead of public-key encryption

CS-452: Cryptography 5/57

Why Public-Key Cryptography?
Developed to address two key issues:
Key distribution – how to have secure communications in
general without having to trust a KDC
Digital signatures – how to verify a message comes intact
from the claimed sender

Public invention due to Whitfield Diffie & Martin Hellman

at Stanford University in 1976.
known earlier in classified community

CS-452: Cryptography 6/57

Public-Key Cryptography
Public-key/two-key/asymmetric cryptography involves
the use of two keys:
A public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
A private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures

Is asymmetric because
Those who encrypt messages or verify signatures may not
decrypt messages or create signatures

CS-452: Cryptography 7/57

Public-Key Characteristics
Public-Key algorithms rely on two keys where:
It is computationally infeasible to find decryption key
knowing only algorithm & encryption key
It is computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known
Either of the two related keys can be used for encryption,
with the other used for decryption (for some algorithms
such as RSA)

CS-452: Cryptography 8/57

Public-Key Cryptography
Each user generates a pair of keys to be used for the
encryption and decryption of messages
Each user places one of the two keys in a public register or
other accessible file – public key. The other key is kept
private.
Each user maintains a collection of public keys obtained from
others.

CS-452: Cryptography 9/57

Public-Key Cryptography
If Bob wishes to send a confidential message to Alice,
Bob encrypts the message using Alice’s public key
When Alice receives the message, Alice decrypts it using
her private key. No other recipient can decrypt the
message because only Alice knows Alice’s private key

CS-452: Cryptography 10/57

Public-Key Cryptography
If Bob wishes to send a confidential message to Alice,
Bob encrypts the message using Alice’s public key
When Alice receives the message, Alice decrypts it
using her private key. No other recipient can decrypt
the message because only Alice knows Alice’s private
key

CS-452: Cryptography 11/57

Public-Key Cryptography
All participants have access to public keys and private
keys are generated locally by each participant and need
never be distributed
As long as a user’s private key remains protected and
secret, incoming communication is secure
At any time, a system can change its private key and
publish the public key to replace its old public key

CS-452: Cryptography 12/57

Conventional vs. Public-Key Encryption

CS-452: Cryptography 13/57

Public-Key Cryptosystems: Secrecy
A produces plaintext X = [X1,X2,…,Xn]
The message is intended for destination B.
A has two keys: a public key PUa, and a private key PRa.
B has two keys: a public key PUb, and a private key PRb.

CS-452: Cryptography 14/57

Public-Key Cryptosystems: Secrecy
A forms the ciphertext Y = [Y1,Y2,…,Yn]:
Y = E(PUb,X)
The receiver is able to invert the transformation
X = D(PRb,Y)

CS-452: Cryptography 15/57

Public-Key Cryptosystems: Secrecy
A forms the ciphertext Y = [Y1,Y2,…,Yn]:
Y = E(PUb,X)
The receiver is able to invert the transformation
X = D(PRb,Y)

CS-452: Cryptography 16/57

Public-Key Cryptosystems: Authentication

CS-452: Cryptography 17/57

Public-Key Cryptosystems: Authentication
A prepares a message to B and encrypts it using A’s
private key before transmitting it.
Y = E(PRa,X)
B decrypts the message using A’s public key
X = D(PUa,Y)

CS-452: Cryptography 18/57

Public-Key Cryptosystems: Authentication
Does not provide confidentiality.
The message being sent is safe from alteration but
not from eavesdropping
Any observer can decrypt the message using the
sender’s public key

CS-452: Cryptography 19/57

Public-Key Cryptosystems: Authentication
Because the message was encrypted using A’s private key,
only A could have prepared the message
Serves as digital signature.
It is impossible to alter the message without knowing A’s
private key ➔ data integrity

CS-452: Cryptography 20/57

Public-Key Cryptosystems: Authentication and
Secrecy

CS-452: Cryptography 21/57

Public-Key Cryptosystems: Authentication and
Secrecy
Double use of the public-key scheme:
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb,Z))

CS-452: Cryptography 22/57

Public-Key Applications
Can classify uses into 3 categories:
Encryption/decryption (provide secrecy)
Digital signatures (provide authentication)
Key exchange (of session keys)

CS-452: Cryptography 23/57

Requirements for Public-Key Cryptography
It is computationally easy for a party B to generate a
pair: public key PUb, private key PRb
It is computationally easy for sender A, knowing the
public key and the message to be encrypted, M, to
generate the corresponding ciphertext.
C = E(PUb, M)
It is computationally easy for the receiver B to decrypt
the resulting ciphertext using the private key to recover
the original message.
M = D(PRb, C) = D(PRb, E(PUb, M))

CS-452: Cryptography 24/57

Requirements for Public-Key Cryptography (Cont.)
It is computationally infeasible for an adversary, knowing
the public key PUb, to determine the private key PRb.
It is computationally infeasible for an adversary, knowing
the public key PUb and the ciphertext C encrypted using
PUb, to recover the original message M.
The two keys can be applied in either order.
M =D(PUb, E(PRb, M)) = D(PRb, E(PUb, M))
These are formidable requirements – only a few
algorithms (e.g. RSA) have received widespread
acceptance.

CS-452: Cryptography 25/57

 Chapter 8
Introduction to Number Theory

CS-452: Cryptography 26/57

Prime Numbers
Prime numbers play a critical role both in number
theory and in cryptography

CS-452: Cryptography 27/57

Prime Numbers
Prime numbers play a critical role both in number
theory and in cryptography
An integer p > 1 is a prime number if and only if its only
divisors are 1 and p
Eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

Any integer a > 1 can be factored in a unique way as

a = p1a1p2a2…ptat
p1 < p2 < … < pt are prime numbers and ai are positive
integers.
eg. 91= ; 3600=

CS-452: Cryptography 28/57

Prime Numbers
Prime numbers play a critical role both in number
theory and in cryptography
An integer p > 1 is a prime number if and only if its only
divisors are 1 and p
Eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

Any integer a > 1 can be factored in a unique way as

a = p1a1p2a2…ptat
p1 < p2 < … < pt are prime numbers and ai are positive
integers.
eg. 91=7 * 13 ; 3600=

CS-452: Cryptography 29/57

Prime Numbers
Prime numbers play a critical role both in number
theory and in cryptography
An integer p > 1 is a prime number if and only if its only
divisors are 1 and p
Eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

Any integer a > 1 can be factored in a unique way as

a = p1a1p2a2…ptat
p1 < p2 < … < pt are prime numbers and ai are positive
integers.
eg. 91=7 * 13 ; 3600=24 * 32 * 52

CS-452: Cryptography 30/57

Greatest Common Divisor (gcd)
The greatest common divisor of integers a and b, is
expressed as gcd(a,b):

CS-452: Cryptography 31/57

Greatest Common Divisor (gcd)
The greatest common divisor of integers a and b,
expressed gcd(a,b):
The largest positive integer that divides both numbers
without remainder
Can determine the greatest common divisor by
comparing their prime factorizations and using least
powers
eg. 300=22x31x52, 18=21x32 hence
gcd(18,300)=

CS-452: Cryptography 32/57

Greatest Common Divisor (gcd)
The greatest common divisor of integers a and b,
expressed gcd(a,b):
The largest positive integer that divides both numbers
without remainder
Can determine the greatest common divisor by
comparing their prime factorizations and using least
powers
eg. 300=21x31x52, 18=21x32 hence
gcd(18,300)= 21x31x50=6

CS-452: Cryptography 33/57

Modulus Operations

Modulus operations are written as a mod b = c where c is

the remainder when a is divided by b.

CS-452 Cryptography 34/57

Laws of Modular Arithmetic
1. (a + b)mod n = (amodn + bmod n)modn
Example: (20 + 40)mod 23 = (20mod23 + 40mod23)mod23 =
14

2. (a – b)mod n = (amodn – bmodn)modn

Example: (20 – 40)mod 23 = (20mod23 – 40mod23)mod23 = 3

3. abmodn = [(amodn) * (bmodn)]modn

Example: (20)(40)mod23 = [(20mod23) * (40mod23)]mod23
=18

4 a(b + c)modn = [(ab modn) + (acmodn)] modn

Example: 20(40 + 60)mod23 =
[((20)(40) mod23) + (20)(60)mod23)] mod23 = 22

CS-452 Cryptography 35/57

Fermat's Theorem
Fermat’s Theorem: If p is a prime number and a positive
integer not divisible by p, then
ap-1 mod p = 1.
E.g. p =3, a = 2 ➔ ap-1 mod p = 4 mod 3 = 1.
Also ap mod p = a
Useful in public key and primality testing

CS-452: Cryptography 36/57

Fermat's Theorem
Fermat’s Theorem: If p is a prime number and a positive
integer not divisible by p, then
ap-1 mod p = 1.
E.g. p =3, a = 2 ➔ ap-1 mod p = 4 mod 3 = 1.
Also ap mod p = a

Example: What is the value of 2121mod 7?

According to Fermat’s little theorem, we know that: 26mod
7=1
2121mod 7 = [(26mod7)20mod 7 * (2mod7) mod 7] (3rd law of
mods)
= (1)20 mod7 * (2mod7) mod7 = 2 (by FT)

CS-452: Cryptography 37/57

Euler Totient Function ø(n)
Euler Totient Function ø(n):the number of positive
integers less than n and relatively prime to n.
m is a relatively prime to n if gcd(m,n)=1
ø(37)

CS-452: Cryptography 38/57

Euler Totient Function ø(n)
Euler Totient Function ø(n):the number of positive
integers less than n and relatively prime to n.
m is a relatively prime to n if gcd(m,n)=1
ø(37) = 36: all integers from 1 through 36 are relatively
prime to 37
ø(35)

CS-452: Cryptography 39/57

Euler Totient Function ø(n)
Euler Totient Function ø(n):the number of positive
integers less than n and relatively prime to n.
m is a relatively prime to n if gcd(m,n)=1
ø(37) = 36: all integers from 1 through 36 are relatively
prime to 37.
ø(35) = 24:
1, 2, 3, 4, 6, 8, 9, 11, 12, 13, 16, 17, 18, 19, 22, 23, 24, 26, 27, 29, 31, 32,
33, 34.
For a prime number p, ø(p)

CS-452: Cryptography 40/57

Euler Totient Function ø(n)
Euler Totient Function ø(n):the number of positive
integers less than n and relatively prime to n.
m is a relatively prime to n if gcd(m,n)=1
ø(37) = 36: all integers from 1 through 36 are relatively
prime to 37.
ø(35) = 24:
1, 2, 3, 4, 6, 8, 9, 11, 12, 13, 16, 17, 18, 19, 22, 23, 24, 26, 27, 29, 31,
32, 33, 34.
For a prime number p, ø(p) = p-1

CS-452: Cryptography 41/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than pq is {1, 2, …, pq-1}

CS-452: Cryptography 42/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than n = pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to n:{p,
2p, …., (q-1)p} and {q, 2q, …, (p-1)q}

CS-452: Cryptography 43/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than n = pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to
n:{p, 2p, …., (q-1)p} and {q, 2q, …, (p-1)q}
Example: n = 21
pq = 3 * 7
p – 1 = 3 – 1 = 2; q – 1 = 7 – 1 = 6
Set of integers less than 21 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15, 16, 17, 18, 19, 20}
{p…(q-1)p} =

CS-452: Cryptography 44/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than n = pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to
n:{p, 2p, …., (q-1)p} and {q, 2q, …, (p-1)q}
Example: n = 21
pq = 3 * 7
p – 1 = 3 – 1 = 2; q – 1 = 7 – 1 = 6
Set of integers less than 21 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15, 16, 17, 18, 19, 20}
{p…(q-1)p} = {1*3, 2*3, 3*3, 4*3, 5*3, 6*3}
= {1, 6, 9, 12, 15, 18}

CS-452: Cryptography 45/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than n = pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to n:{p,
2p, …., (q-1)p} and {q, 2q, …, (p-1)q}
Example: n = 21
pq = 3 * 7
p – 1 = 3 – 1 = 2; q – 1 = 7 – 1 = 6
Set of integers less than 21 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15, 16, 17, 18, 19, 20}
{p…(q-1)p} = {1, 6, 9, 12, 15, 18}
{q…(p-1)q} = {7*1, 7*2} = {7, 14}

CS-452: Cryptography 46/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than n = pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to
n:{p, 2p, …., (q-1)p} and {q, 2q, …, (p-1)q}
Example: n = 21
pq = 3 * 7
p – 1 = 3 – 1 = 2; q – 1 = 7 – 1 = 6
Set of integers less than 21 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
12, 13, 14, 15, 16, 17, 18, 19, 20}
How many numbers less than 21 are relatively prime to 21?

CS-452: Cryptography 47/57

Euler Totient Function ø(n)
Two prime numbers p and q with p  q, then
ø(pq) = ø(p)*ø(q) = (p-1)*(q-1)
The set of integers less than pq is {1, 2, …, pq-1}
The integers in this set that are not relatively prime to
p*q:{p, 2p, …., (q-1)p} and {q, 2q, …, (p-1)q}
ø(pq) = (pq - 1) – [(q-1) + (p-1)]
= pq – p – q +1
= (p-1) * (q-1)
= ø(p)*ø(q)
E.g. ø(21) = (3–1)*(7–1) = 2*6 = 12

CS-452: Cryptography 48/57

Euler Totient Function ø(n)

Generalized formula:

If the prime factorization of n is given by

n = p1e1 *...*pnen, then

φ(n) = n *(1 - 1/p1)* ... *(1 - 1/pn).

Example: φ(64):
Prime factorization: 64 = 26
φ(64) = 64 * (1 – 1/2) = 32

CS-452 Cryptography 49/57

Euler's Theorem
Euler's Theorem: for every a and n that are relatively
prime, aø(n) mod n = 1
a=3;n=10;
ø(10)=4; 34 mod 10 = 81 mod 10 = 1
a=2;n=11;
ø(11)=10; 210 mod 11 = 1024 mod 11 = 1

NOTE: Fermat’s Theorem is just a special case of the Euler’s

Theorem where p is prime. Because when p is prime ø(n)= n-1
and hence:
aø(n) mod n = 1
an-1 mod n = 1 (since n is prime)

CS-452: Cryptography 50/57

Primality Testing
For many cryptographic algorithms, it is necessary to
select one or more very large prime numbers at random

CS-452: Cryptography 51/57

Primality Testing
For many cryptographic algorithms, it is necessary to
select one or more very large prime numbers at random
Naïve algorithm: divide by all numbers in turn less than
the square root of the number n.
Works because: if you find a factor ≥ sqrt(n), then it
has to be paired with a factor smaller than sqrt(n).
Only practical for small numbers

CS-452: Cryptography 52/57

Miller Rabin Algorithm
Background
n-1 = 2kq with n > 3, n odd, k > 0, q odd
Divide (n-1) by 2 until the result is an odd number.

Property
Let n > 2 be a prime number, a be an integer 1 < a < n-1, and n-
1 = 2kq. Then one of the following two conditions is true:
1) aq mod n = 1 or
j-1
2) there exists 1  j  k such that a(2 q) mod n = n - 1.

CS-452: Cryptography 53/57

Miller Rabin Algorithm
Background
n-1 = 2kq with n > 3, n odd, k > 0, q odd
Divide (n-1) by 2 until the result is an odd number.

Property
Let n > 2 be a prime number, a be an integer 1 < a < n-1, and
n-1 = 2kq. Then one of the following two conditions is true:
1) aq mod n = 1 or
j-1
2) there exists 1  j  k such that a(2 q) mod n = n - 1.

However, if the above condition is met, n may not be a

prime.
E.g. n=2047=23*89, then n-1 = 2*1023.
21023 mod 2047 = 1, but 2047 is not a prime

CS-452: Cryptography 54/57

Miller Rabin Algorithm

Algorithm: check if n is a prime

1. Find integers k > 0, q odd, so that (n–1)=2kq
2. Select a random integer 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 1 to k do
if a2 mod n = n-1 then return("maybe prime")
j-1q

//n is definitely not prime

5. return (“not prime")

CS-452: Cryptography 55/57

Probabilistic Considerations
It was shown that given an odd number n that is not
prime and a randomly chosen integer 1 < a < n-1, the
probability that the algorithm fails to detect that n is
not a prime is < ¼

CS-452: Cryptography 56/57

Probabilistic Considerations
It was shown that given an odd number n that is not
prime and a randomly chosen integer 1 < a < n-1, the
probability that the algorithm fails to detect that n is
not a prime is < ¼
Hence if repeat test with different a, then chance n is
prime after t tests is:
Pr(n maybe a prime after t tests) = (1/4)t
eg. for t=10 this probability is < 10-6

CS-452: Cryptography 57/57