
2 Asymmetric Key Cryptography

This document discusses public-key cryptography and asymmetric encryption algorithms. It provides an overview of public-key cryptography and why it was developed. It then describes the RSA, ElGamal, and Rabin algorithms for public-key encryption and digital signatures. Examples are given to demonstrate how each algorithm generates keys and performs encryption and decryption of messages.

National Institute of Technology, Raipur

Department of Information Technology

Asymmetric Key Cryptography

IT 802: Cryptography
Public-Key Cryptography
• Probably most significant advance in the 3000 year history of
cryptography
• Uses two keys – a public & a private key
• Asymmetric since parties are not equal
• Uses clever application of number theoretic concepts to function
• Complements rather than replaces private key cryptosystem

07-02-2022 2
Why Public-Key Cryptography?
• Developed to address two key issues:
• key distribution – how to have secure communications in general without having
to trust a KDC with your key
• digital signatures – how to verify a message comes intact from the claimed sender

• Public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni
in 1976
• known earlier in classified community

Public-Key Cryptography
• Public-key/two-key/asymmetric cryptography involves the use of
two keys:
• a public-key, which may be known by anybody, and can be used to
encrypt messages, and verify signatures
• a related private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures
• Infeasible to determine private key from public
• It is asymmetric because
• those who encrypt messages or verify signatures cannot decrypt
messages or create signatures

Public-Key Cryptography

Symmetric vs Public-Key

RSA
➢ By Rivest, Shamir & Adleman of MIT in 1977
➢ Best known & widely used public-key scheme
➢ Based on exponentiation in a finite (Galois) field over integers modulo a prime number
  ⚫ Exponentiation takes O((log n)^3) operations (easy)
➢ Uses large integers (eg. 1024 bits)
➢ Security due to cost of factoring large numbers
  ⚫ Factorization takes O(e^(log n log log n)) operations (hard)

Introduction

Figure Complexity of operations in RSA

Procedure

Figure Encryption, decryption, and key generation in RSA

Some Trivial Examples

Example

Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates n = 159197. She then calculates ø(n) = 158400. She then chooses e = 343 and d = 12007. Show how Ted can send a message to Jennifer if he knows e and n.

Suppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number (from 00 to 25), with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. Figure 10.7 shows the process.

Continued

Figure 10.7 Encryption and decryption in Example 10.7

Continued

Example

Here is a more realistic example. We choose a 512-bit p and q, calculate n and ø(n), then choose e and test for relative primeness with ø(n). We then calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number.

Continued

Example Continued

The modulus n = p × q. It has 309 digits.

ø(n) = (p − 1)(q − 1) has 309 digits.

Continued

Example Continued

Bob chooses e = 35535 (the ideal is 65537) and tests it to make sure it is relatively prime with ø(n). He then finds the inverse of e modulo ø(n) and calls it d.

Continued

Example Continued

Alice wants to send the message “THIS IS A TEST”, which can be changed to a numeric value using the 00−26 encoding scheme (26 is the space character).

The ciphertext calculated by Alice is C = P^e, which is

Continued

Example Continued

Bob can recover the plaintext from the ciphertext using P = C^d, which is

The recovered plaintext is “THIS IS A TEST” after decoding.

RSA En/decryption
• To encrypt a message M the sender:
  • obtains public key of recipient PU={e,n}
  • computes: C = M^e mod n, where 0≤M<n
• To decrypt the ciphertext C the owner:
  • uses their private key PR={d,n}
  • computes: M = C^d mod n
• Note that the message M must be smaller than the modulus n (block if needed)

RSA Key Setup
• Each user generates a public/private key pair by:
• Selecting two large primes at random: p, q
• Computing their system modulus n=p.q
• note ø(n)=(p-1)(q-1)
• Selecting at random the encryption key e
• where 1<e<ø(n), gcd(e,ø(n))=1
• Solve following equation to find decryption key d
• e.d=1 mod ø(n) and 0≤d≤n
• Publish their public encryption key: PU={e,n}
• keep secret private decryption key: PR={d,n}

RSA Example - Key Setup
• Select primes: p=17 & q=11
• Calculate n = pq = 17 x 11 = 187
• Calculate ø(n)=(p–1)(q-1)=16x10=160
• Select e: gcd(e,160)=1; choose e=7
• Determine d: d.e=1 mod 160 and d < 160 (can be calculated using Euclid’s Inverse algorithm)
  Value is d=23 since 23x7=161= 1x160+1
• Publish public key PU={7,187}
• Keep secret private key PR={23,187}

RSA Example - En/Decryption
➢ sample RSA encryption/decryption is:
➢ given message M = 88 (nb. 88<187)
➢ encryption:
  C = 88^7 mod 187 = 11
➢ decryption:
  M = 11^23 mod 187 = 88
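
The key setup and en/decryption steps above, as an added Python example (not part of the original slides). It uses the toy parameters from the slides; the function names are hypothetical, and this is textbook RSA on small integers, for following the arithmetic only.

```python
from math import gcd

def egcd_inverse(e, phi):
    """Extended Euclid: return d with e*d = 1 (mod phi), or raise if none exists."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return old_s % phi

def key_setup(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)) following the key-setup steps."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (egcd_inverse(e, phi), n)

def encrypt(m, pu):
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n; split it into blocks")
    return pow(m, e, n)

def decrypt(c, pr):
    d, n = pr
    return pow(c, d, n)

def encode(text):
    """A=00 ... Z=25, two digits per letter, concatenated ("NO" -> 1314)."""
    return int("".join(f"{ord(ch) - ord('A'):02d}" for ch in text))

def decode(number, length):
    """Inverse of encode(); length is the number of letters expected."""
    digits = f"{number:0{2 * length}d}"
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, len(digits), 2))

if __name__ == "__main__":
    pu, pr = key_setup(17, 11, 7)          # slide values: PU={7,187}, PR={23,187}
    c = encrypt(88, pu)
    print(pu, pr, c, decrypt(c, pr))
    pu2, pr2 = key_setup(397, 401, 343)    # Jennifer's key pair from the example
    c2 = encrypt(encode("NO"), pu2)
    print(pr2, c2, decode(decrypt(c2, pr2), 2))
```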

ELGAMAL CRYPTOSYSTEM

Besides RSA and Rabin, another public-key cryptosystem is ElGamal. ElGamal is based on the discrete logarithm problem.

Procedure

Figure Key generation, encryption, and decryption in ElGamal

Continued

Key Generation

Proof of ElGamal Cryptosystem
[C2 × (C1^d)^−1] mod p
= [(e2^r × P) × (e1^(rd))^−1] mod p
= (e1^(rd)) × P × (e1^(rd))^−1 = P

Continued
Example

Here is a trivial example. Bob chooses p = 11, e1 = 2, and d = 3, so e2 = e1^d = 8. So the public keys are (2, 8, 11) and the private key is 3. Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.

Bob receives the ciphertexts (5 and 6) and calculates the plaintext.

Continued

Example
Instead of using P = [C2 × (C1^d)^−1] mod p for decryption, we can avoid the calculation of multiplicative inverse and use P = [C2 × C1^(p−1−d)] mod p (see Fermat’s little theorem in Chapter 9). In Example 10.10, we can calculate P = [6 × 5^(11−1−3)] mod 11 = 7 mod 11.

Note
For the ElGamal cryptosystem, p must be at least 300 digits
and r must be new for each encipherment.
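
The trivial ElGamal example and both decryption formulas, as an added Python example (not part of the original slides; function names are hypothetical). The last function shows why the note requires a new r for each encipherment: two ciphertexts made with the same r share C1, and their C2 values are in the same ratio as their plaintexts.

```python
def keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    return (e1, pow(e1, d, p), p), d

def encrypt(P, pub, r):
    """Return (C1, C2) = (e1^r mod p, P * e2^r mod p)."""
    e1, e2, p = pub
    return pow(e1, r, p), (P * pow(e2, r, p)) % p

def decrypt_inverse(C1, C2, d, p):
    """P = [C2 x (C1^d)^-1] mod p, using an explicit modular inverse."""
    return (C2 * pow(pow(C1, d, p), -1, p)) % p

def decrypt_fermat(C1, C2, d, p):
    """P = [C2 x C1^(p-1-d)] mod p, no inverse needed (Fermat's little theorem)."""
    return (C2 * pow(C1, p - 1 - d, p)) % p

def plaintext_from_reused_r(ct_known, P_known, ct_other, p):
    """If both ciphertexts used the same r, C2'/C2 = P'/P (mod p).

    Returns the second plaintext, or None when C1 differs (r was not reused).
    """
    (C1a, C2a), (C1b, C2b) = ct_known, ct_other
    if C1a != C1b:
        return None
    return (C2b * pow(C2a, -1, p) * P_known) % p

if __name__ == "__main__":
    pub, d = keygen(11, 2, 3)                 # slide values: public (2, 8, 11), private 3
    C1, C2 = encrypt(7, pub, 4)               # r = 4, plaintext 7
    print(pub, (C1, C2), decrypt_inverse(C1, C2, d, 11), decrypt_fermat(C1, C2, d, 11))
    # Constructed second message (plaintext 3) enciphered with the same r = 4:
    print(plaintext_from_reused_r((C1, C2), 7, encrypt(3, pub, 4), 11))
```

A sender-side check that follows from this: a repeated C1 under the same public key means r was reused.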

Continued
Example
Bob uses a random integer of 512 bits. The integer p is a 155-digit
number (the ideal is 300 digits). Bob then chooses e1, d, and
calculates e2, as shown below:

Continued
Example
Alice has the plaintext P = 3200 to send to Bob. She chooses
r = 545131, calculates C1 and C2, and sends them to Bob.

Bob calculates the plaintext P = C2 × ((C1)^d)^−1 mod p = 3200 mod p.

ELLIPTIC CURVE CRYPTOSYSTEMS

• Although RSA and ElGamal are secure asymmetric-key cryptosystems, they use either integer or polynomial arithmetic with very large numbers/polynomials
• Imposes a significant load in storing and processing keys and
messages
• An alternative is to use elliptic curves
• Offers same security with smaller bit sizes
• Newer, but not as well analyzed

Finite Elliptic Curves
• ECC is an approach to public key cryptography based on the
algebraic structure of elliptic curves over finite fields.
• Its security is based on the possibility of efficient additive
exponentiation and absence of efficient (classical) algorithms
for additive logarithm.
• have two families commonly used:
  • prime curves Ep(a,b) defined over Zp
    • use integers modulo a prime
    • best in software
  • binary curves E2^m(a,b) defined over GF(2^n)
    • use polynomials with binary coefficients
    • best in hardware

Elliptic Curve Cryptography

• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need “hard” problem equiv to discrete log
  • Q=kP, where Q,P belong to a prime curve
  • is “easy” to compute Q given k,P
  • but “hard” to find k given Q,P
  • known as the elliptic curve logarithm problem

Elliptic Curves over Real Numbers

The general equation for an elliptic curve is

Elliptic curves over real numbers use a special class of elliptic curves of the form
where 4a^3 + 27b^2 ≠ 0

The left-hand side has a degree of 2 while the right-hand side has a degree of 3. This means that a horizontal line can intersect the curve in three points if all roots are real. However, a vertical line can intersect the curve at most in two points.

Example
Figure shows two elliptic curves with equations y^2 = x^3 − 4x and y^2 = x^3 − 1. However, the first has three real roots (x = −2, x = 0, and x = 2), but the second has only one real root (x = 1) and two imaginary ones.

Figure Two elliptic curves over a real field

Elliptic Curves over Real Numbers

• An Abelian (commutative) Group
• All points on an elliptic curve. A tuple P(x1, y1) represents a point on the curve if x1 and y1 are coordinates of a point on the curve that satisfy the equation of the curve.
• For example, the points P(2, 0), Q(0, 0), R(-2, 0), S(10, 30.98) are all points on the curve
• Each point is represented by two real numbers.

Elliptic Curves over Real Numbers

• Set
• We define the set as the points on the curve, where each point is a pair of
real numbers
• E={(2, 0), (0, 0), (-2, 0), (10, 30.98), (10, -30.98)}
• Operation
• We can define an addition operation on the points of the curve. Addition
operation is different from the integer addition.

Continued

Figure Three adding cases in an elliptic curve

Continued

1.

2.

3. The intercepting point is at infinity; a point O as the point at infinity or zero point, which is the additive identity of the group.

Elliptic Curves over GF(p)

Finding an Inverse
The inverse of a point (x, y) is (x, −y), where −y is the additive inverse of y. For example, if p = 13, the inverse of (4, 2) is (4, 11), because (2 + 11) mod 13 = 0.

Finding Points on the Curve

Algorithm shows the pseudocode for finding the points on the curve Ep(a, b).

Example
The equation is y^2 = x^3 + x + 1 and the calculation is done modulo 13.
Figure Points on an elliptic curve over GF(p) where p is 13

x1 = x2 and y1+y2 mod p = 0

ECC Simulating ElGamal

Figure ElGamal cryptosystem using the elliptic curve

Continued

Generating Public and Private Keys


E(a, b) e1(x1, y1) d e2(x2, y2) = d × e1(x1, y1)

Encryption

Decryption

Note
The security of ECC depends on the difficulty of
solving the elliptic curve logarithm problem.

Continued

• The P calculated by Bob is the same as that intended by Alice.
P = C2 – (d × C1)
= P + r × e2 – (d × r × e1)
= P + (r × d × e1) – (r × d × e1)
= P + O

Known: e2 = d × e1

Continued

Example

Here is a very trivial example of encipherment using an elliptic curve over GF(p).
1. Bob selects E67(2, 3) as the elliptic curve over GF(p).
2. Bob selects e1 = (35, 1) and d = 4.
3. Bob calculates e2 = (23, 25), where e2 = d × e1.
4. Bob publicly announces the tuple (E, e1, e2).
5. Alice wants to send the plaintext P = (25, 0) to Bob. She selects r = 2.
