Unit II Symmetric Key Cryptography

The document discusses symmetric key cryptography and concepts related to symmetric key ciphers. It covers the mathematics behind symmetric key cryptography such as modular arithmetic, groups, rings, and finite fields. It also discusses symmetric key ciphers including the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). It describes the structure of block ciphers including the Feistel cipher structure and key aspects of block cipher design such as the number of rounds, the round function, and key scheduling.

Uploaded by

Raj saranya

UNIT II

SYMMETRIC KEY CRYPTOGRAPHY

MATHEMATICS OF SYMMETRIC KEY CRYPTOGRAPHY: Algebraic structures – Modular arithmetic – Euclid's algorithm – Congruence and matrices – Groups, Rings, Fields – Finite fields. SYMMETRIC KEY CIPHERS: SDES – Block cipher principles of DES – Strength of DES – Differential and linear cryptanalysis – Block cipher design principles – Block cipher modes of operation – Evaluation criteria for AES – Advanced Encryption Standard – RC4 – Key distribution.
Cryptography is based on some specific areas of mathematics, including number theory, linear algebra, and algebraic structures. The objectives of this unit are:

● To review integer arithmetic, concentrating on divisibility and finding the greatest common divisor using the Euclidean algorithm
● To understand how the extended Euclidean algorithm can be used to solve linear Diophantine equations, to solve linear congruence equations, and to find multiplicative inverses
● To emphasize the importance of modular arithmetic and the modulo operator, because they are extensively used in cryptography
● To emphasize and review matrices and operations on residue matrices that are extensively used in cryptography
● To solve a set of congruent equations using residue matrices
INTEGER ARITHMETIC

➔ Integer arithmetic is defined by a set and a few operations on it.

Set of Integers

Z = { . . . , −2, −1, 0, 1, 2, . . . }

Binary operations

Integer Division

a = q × n + r

In cryptography, we impose two restrictions.

● First, we require that the divisor be a positive integer (n > 0).
● Second, we require that the remainder be a nonnegative integer (r ≥ 0).
Divisibility and Division Algorithm

➔ b divides a if a = mb for some m, where a, b, and m are integers.
➔ Equivalently, b divides a if there is no remainder on division. The notation b|a is commonly used to mean b divides a.
➔ Simple properties of divisibility for integers are as follows:

The Division Algorithm

Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:

a = qn + r;  0 ≤ r < n;  q = ⌊a/n⌋
EUCLIDEAN ALGORITHM

➔ A simple procedure for determining the greatest common divisor of two positive integers.
➔ Two integers are relatively prime if their only common positive integer factor is 1.

Greatest Common Divisor

➔ A nonzero b is defined to be a divisor of a if a = mb for some m (where a, b, and m are integers).

gcd(a, b)

➔ The positive integer c is said to be the greatest common divisor of a and b if:

1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.

gcd(a, b) = max[k, such that k|a and k|b]

Note: a and b are relatively prime if gcd(a, b) = 1.


Finding Greatest Common Divisor

Suppose we have integers a, b such that d = gcd(a, b). Because gcd(|a|, |b|) = gcd(a, b), there is no harm in assuming a ≥ b > 0. Now dividing a by b and applying the division algorithm,

a = q1·b + r1 where 0 ≤ r1 < b

Example: gcd(1725, 1620) = 15
MODULAR ARITHMETIC

If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n. The integer n is called the modulus.

a = qn + r

Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n). This is written as a ≡ b (mod n).

Properties of Congruences

Congruences have the following properties:

1. a ≡ b (mod n) if n|(a − b).
2. a ≡ b (mod n) implies b ≡ a (mod n).
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n).

Modular Arithmetic Operations

Modular arithmetic exhibits the following properties:

1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) − (b mod n)] mod n = (a − b) mod n
3. [(a mod n) × (b mod n)] mod n = (a × b) mod n

Exponentiation is performed by repeated multiplication.

Properties of Modular Arithmetic

Define the set Zn as the set of nonnegative integers less than n:

Zn = {0, 1, …, (n − 1)}

This is referred to as the set of residues, or residue classes (mod n).

In general, an integer has a multiplicative inverse in Zn if that integer is relatively prime to n.
Euclidean Algorithm Revisited

The Euclidean algorithm can be based on the following theorem: For any integers a, b, with a ≥ b ≥ 0,

gcd(a, b) = gcd(b, a mod b)

Example: gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11

Let d = gcd(a, b). Then, by the definition of gcd, d|a and d|b. For any positive integer b, we can express a as

a = kb + r ≡ r (mod b)

a mod b = r

Because d|a and d|b, d also divides a − kb = a mod b; conversely, any common divisor of b and (a mod b) divides kb + (a mod b) = a. Thus, the set of common divisors of a and b is equal to the set of common divisors of b and (a mod b). Therefore, the gcd of one pair is the same as the gcd of the other pair, proving the theorem.

The Extended Euclidean Algorithm

The extended Euclidean algorithm is an important tool for computations in the area of finite fields and in encryption algorithms, such as RSA.

For given integers a and b, the extended Euclidean algorithm not only calculates the greatest common divisor d but also two additional integers x and y that satisfy the following equation:

ax + by = d = gcd(a, b)

When a = 42 and b = 30, gcd(42, 30) = 6. A partial table of values for 42x + 30y shows that every number of the form 42x + 30y = 6(7x + 5y) is a multiple of 6.

Note also that gcd(42, 30) = 6 appears in the table. In general, it can be shown that for given integers a and b, the smallest positive value of ax + by is equal to gcd(a, b).

Now let us show how to extend the Euclidean algorithm to determine (x, y, d) given a and b.

We assume that at each step i we can find integers xi and yi that satisfy ri = a·xi + b·yi.
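The Euclidean algorithm, its extended form and the modular inverse it yields, as an added example that is not part of the original notes; it is checked against the notes' own figures gcd(1725, 1620) = 15, gcd(55, 22) = 11 and 42x + 30y = 6, and the function names are my own.

```python
# Added example (not from the original notes): Euclid, extended Euclid and
# the multiplicative inverse in Z_n that the extended form gives for free.

def euclid_steps(a, b):
    """Return the division-algorithm rows (a, q, b, r) with a = q*b + r."""
    a, b = abs(a), abs(b)
    if a < b:                     # gcd(|a|, |b|) = gcd(a, b): order is harmless
        a, b = b, a
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r               # gcd(a, b) = gcd(b, a mod b)
    return rows

def gcd(a, b):
    rows = euclid_steps(a, b)
    return rows[-1][2] if rows else max(abs(a), abs(b))   # last nonzero divisor

def extended_gcd(a, b):
    """Return (d, x, y) with a*x + b*y = d = gcd(a, b) for a, b >= 0.

    Every step keeps r_i = a*x_i + b*y_i, as the notes assume, so the
    final nonzero remainder arrives with its own coefficients.
    """
    r0, r1 = a, b
    x0, x1 = 1, 0
    y0, y1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return r0, x0, y0

def mod_inverse(a, n):
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1."""
    d, x, _ = extended_gcd(a % n, n)
    if d != 1:
        return None               # a is not relatively prime to n
    return x % n                  # bring x into 0..n-1

if __name__ == "__main__":
    for row in euclid_steps(1725, 1620):
        print("%d = %d * %d + %d" % row)
    print("gcd(42, 30), x, y =", extended_gcd(42, 30))
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```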
Euclidean Algorithm (video): https://www.youtube.com/watch?v=Sy0sXa73PZA
Stream Ciphers and Block Ciphers

Stream Cipher: A stream cipher is one that encrypts a digital data stream one bit or one byte at a time, in which the keystream (ki) is as long as the plaintext bit stream (pi). The bit-stream generator must be implemented as an algorithmic procedure, so that the cryptographic bit stream can be produced by both users.

Block Cipher: A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length (a block size of 64 or 128 bits is used).
Motivation for the Feistel Cipher Structure

A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.

There are 2^n possible different plaintext blocks and, for the encryption to be reversible (nonsingular), no two plaintext blocks may map to the same ciphertext block. When n = 2, for example, a mapping in which a ciphertext of 01 could have been produced by one of two plaintext blocks is not reversible. So if we limit ourselves to reversible mappings, the number of different transformations is (2^n)!.

Feistel refers to this as the ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext block.

For a 4-bit block (a mapping table of 16 rows), using this straightforward method of defining the key, the required key length is (4 bits) × (16 rows) = 64 bits. In general, for an n-bit ideal block cipher, the length of the key defined in this fashion is n × 2^n bits. For a 64-bit block, which is a desirable length to thwart statistical attacks, the required key length is 64 × 2^64 = 2^70 ≈ 10^21 bits.
The Feistel Cipher

Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger.

The essence of the approach is to develop a block cipher with a key length of k bits and a block length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)! transformations of the ideal block cipher.

Feistel's cipher alternates two basic operations:

● Substitution
● Permutation

In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits.

Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key.

Feistel Structure

Parameters of a Feistel cipher:

Block size: 64 bits / 128 bits

Key size

Number of rounds = plaintext / block size

Subkey generation algorithm

Round function F
DES – DATA ENCRYPTION STANDARD

A round in DES: expansion permutation, S-box substitution.

S-DES permutation tables:

P10: 3 5 2 7 4 10 1 9 8 6

P8: 6 3 7 4 8 5 10 9

IP: 2 6 3 1 4 8 5 7 (applied to bit positions 1 2 3 4 5 6 7 8); e.g. the plaintext 1 1 0 1 1 1 0 0 → 1 1 0 1 0 1 0 1

IP^−1: 4 1 3 5 7 2 8 6

E/P: 4 1 2 3 2 3 4 1

P4: 2 4 3 1
AVALANCHE EFFECT

● A change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.

The Strength of DES

● Use of a 56-bit key
● 2^56 possible keys (permutations and substitutions) must be tried in order to perform a brute-force attack
● It requires about 1 year to decrypt the ciphertext if the intruder tries using a single PC
● With multiple PCs it would take about months
● Supercomputers: 10 hours
● Key sizes have since increased: 56, 128, 168, 192, 256, …
Timing Attacks

● Information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.

Block cipher design principles

● Three aspects of block cipher design:
○ Number of rounds
○ Design of the function F
○ Key scheduling

Design of the function F

-> The strict avalanche criterion (SAC) states that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted, for all i, j.
-> The bit independence criterion (BIC) states that output bits j and k should change independently when any single input bit i is inverted, for all i, j, and k.

Key Schedule Algorithm

● With any Feistel block cipher, the key is used to generate one subkey for each round.
● The key schedule should satisfy SAC and BIC.
--> In general, we would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.
DOUBLE DES

-> Double DES uses a 112-bit key but gives a security level of only 2^56.

C = E(K2, E(K1, P))

P = D(K1, D(K2, C))

Reduction in a single round

Meet-in-the-middle attack

X = E(K1, P) = D(K2, C)

1. Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of K1.
2. Store these results in a table and then sort the table by the values of X.
3. Next, decrypt C using all 2^56 possible values of K2, and check each result against the table for a match.
4. If a match is found, test it with another pair (P, C).

--> For a given plaintext P, the number of different 112-bit keys that will produce a given ciphertext C is 2^112 / 2^64 = 2^48, i.e. 2^48 false alarms.
--> With an additional 64 bits of known plaintext and ciphertext, the false alarm rate is reduced to 2^(48−64) = 2^−16.

Two-key triple DES: an effective key space of 2^112 instead of using a 168-bit key.
DIFFERENTIAL AND LINEAR CRYPTANALYSIS

DES has been vulnerable to brute-force attack because of its 56-bit key length.

With the increasing popularity of block ciphers with longer key lengths, including triple DES, brute-force attacks have become impractical.

--> There has therefore been increased emphasis on cryptanalytic attacks on DES and other symmetric block ciphers.
--> The two most powerful and promising approaches are differential cryptanalysis and linear cryptanalysis.
Differential Cryptanalysis Attack

The idea of differential cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the cipher.

Consider the original plaintext block m to consist of two halves m0, m1.

Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the subkey for this round, producing a new block m_i (2 ≤ i ≤ 17).

Intermediate message half:

m_{i+1} = m_{i−1} ⊕ f(m_i, K_i),  i = 1, 2, ..., 16

In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference

Δm = m ⊕ m'

and consider the difference between the intermediate message halves:

Δm_i = m_i ⊕ m_i'. Then we have:

--> Suppose that many pairs of inputs to f with the same difference yield the same output difference if the same subkey is used. If we know Δm_{i−1} and Δm_i with high probability, then we know Δm_{i+1} with high probability.

➔ There are two probable patterns of differences for the two 32-bit halves: (Δm_17 || Δm_16).
➔ Next, we submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match,

E(K, m) ⊕ E(K, m') = (Δm_17 || Δm_16)

Differential analysis focuses on the statistical analysis of two inputs and two outputs of a cryptographic algorithm.
Linear Cryptanalysis

The attack is based on finding linear approximations to describe the transformations performed in DES.

This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.

For a cipher with n-bit plaintext and ciphertext blocks and an m-bit key, let the plaintext block be labeled P[1], ..., P[n], the ciphertext block C[1], ..., C[n], and the key K[1], ..., K[m]. Then define

A[i, j, ..., k] = A[i] ⊕ A[j] ⊕ ... ⊕ A[k]

The objective of linear cryptanalysis is to find an effective linear equation of the form:

P[α1, α2, ..., αa] ⊕ C[β1, β2, ..., βb] = K[γ1, γ2, ..., γc]

➔ The procedure is to compute the results of the left-hand side of the preceding equation for a large number of plaintext-ciphertext pairs.
➔ If the result is 0 more than half the time, assume K[γ1, γ2, ..., γc] = 0. If it is 1 most of the time, assume K[γ1, γ2, ..., γc] = 1.
➔ This gives us a linear equation on the key bits. Try to get more such relations so that we can solve for the key bits.
ADVANCED ENCRYPTION STANDARD (AES)

● Triple DES is slow
● The Rijndael design was adopted as the AES algorithm, for 128/192/256-bit data
● Iterative process
○ Operates on the entire data block in every round
○ Processes data as a block of 4 columns of 4 bytes

Advantages

● Resistance against known attacks
● Speed and code compactness on many CPUs
● Design simplicity

1. Rijndael does not use a Feistel structure but processes the entire data block in parallel during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round.
3. Four different stages are used, one of permutation and three of substitution:

❍ Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
❍ ShiftRows: A simple permutation
❍ MixColumns: A substitution that makes use of arithmetic over GF(2^8)
❍ AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key
Rijndael's (AES) finite field

Rijndael (standardised as AES) uses the characteristic-2 finite field with 256 elements, which can also be called the Galois field GF(2^8). It employs the following reducing polynomial for multiplication:

x^8 + x^4 + x^3 + x + 1

The elements {53} and {CA} are multiplicative inverses of one another since their product is 1.

Exercise: Find the multiplicative inverse of 25 mod 33 in GF(2^8).
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key.
6. The AddRoundKey stage is a form of Vernam cipher; the other three stages together provide confusion, diffusion, and nonlinearity.
7. Each stage is easily reversible. For the Substitute Bytes, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block, using the result that A ⊕ A ⊕ B = B.
8. The decryption algorithm makes use of the expanded key in reverse order.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.
Steps for Encryption

1. Initial transformation: XOR the plaintext with the key.
2. In the remaining 9 rounds the state undergoes 4 transformations:
○ Sub byte substitution
○ Shift rows
○ Mix columns
○ Add round key

● Sub byte substitution
○ Lookup in the S-box (16×16 bytes) with 256 (8-bit) values
○ The S-box is constructed using a defined transformation of values of finite fields

● Shift Rows
○ Circular byte shift
○ 1st row is unchanged
○ 2nd row does a 1-byte circular shift to the left
○ 3rd row does a 2-byte circular shift to the left
○ 4th row does a 3-byte circular shift to the left

● Mix Columns
○ Each column is processed separately
○ Linear transformation on each column

● In the SubBytes routine, the multiplicative inverse of the byte (as an 8-bit binary string) is found in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1) as the modulus.
● The inverted byte is then interpreted as a column matrix with the least significant bit at the top and the most significant bit at the bottom.
● This column matrix is multiplied by a constant square matrix, X, and the result, which is a column matrix, is added to a constant column matrix, y, to give the new byte.
● Note that multiplication and addition of bits are done in GF(2).
● The InvSubBytes routine does the same thing in reverse order.
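Arithmetic in the AES field GF(2^8) with the reducing polynomial above, as an added example that is not part of the original notes: it checks that {53} and {CA} are inverses, builds one SubBytes entry the way the bullets describe (inverse, then the GF(2) affine map), and applies MixColumns to one column. The function names are my own; the affine constant 0x63 and the MixColumns matrix are the standard AES values.

```python
# Added example (not from the original notes): GF(2^8) with x^8 + x^4 + x^3 + x + 1.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 as a bit pattern (1 0001 1011)

def gf_mul(a, b):
    """Multiply two field elements (bytes) modulo x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:                  # x^8 = x^4 + x^3 + x + 1 in this field
            a ^= AES_POLY & 0xFF
        b >>= 1
    return product

def gf_pow(a, e):
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result

def gf_inverse(a):
    """The nonzero elements form a multiplicative group of order 255, so
    a^254 = a^-1. AES maps 0 to 0 (it has no inverse)."""
    return 0 if a == 0 else gf_pow(a, 254)

def sub_byte(x):
    """One SubBytes entry: invert in GF(2^8), then the affine map over GF(2).
    The constant matrix X is the circulant of bit rotations below and the
    constant column y is 0x63."""
    b = gf_inverse(x)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

def mix_column(col):
    """MixColumns on one 4-byte column: multiply by the fixed circulant
    matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]

if __name__ == "__main__":
    print("{53} x {CA} =", hex(gf_mul(0x53, 0xCA)))
    print("inverse of {53} =", hex(gf_inverse(0x53)))
    print("S-box[0x53] =", hex(sub_byte(0x53)))
```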
Add Round Key

● XOR with 128 bits of the round key

AES KEY EXPANSION

● Takes a 128-bit key and expands it into an array of 44 32-bit words
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].

The round constant is a word in which the three rightmost bytes are always 0.

AES DECRYPTION

● Reverse of encryption
● Swap byte substitution and shift rows
● Swap mix columns and add round key

Strength of AES

● Difficult to implement in software
● Round: four transformations (common)
How Secure Is AES 256?
If AES is the gold standard, 256-bit encryption is its poster child. With the longest rounds, the 256-bit key provides the
strongest level of encryption.

It is near impossible to crack it even if brute force is applied – trying every combination of numbers possible until the
correct key is found. The longer the key size, the more attempts are needed.

A hacker trying to crack a 256-bit key would need 2 to the power of 256 attempts to find the right key. Even if hackers
use Tianhe-2 (MilkyWay-2), the fastest supercomputer in the world, it will take them a few million lifetimes to crack a
256-bit AES encryption.

The bottom line is, entities that face threats from all directions, like the U.S. Military or your Office 365 that stores
business-critical information, need AES 256-bit protection.
1. Show that 3 is a primitive root of 7.
2. Find whether the given polynomial is irreducible or not: x^4 + x^3 + x^2 + x + 1 in Z3.
BLOCK CIPHER MODES OF OPERATION

● A block cipher takes a fixed-length block of text of length b bits and a key as input and produces a b-bit block of ciphertext.
● If the amount of plaintext to be encrypted is greater than b bits, then the block cipher can still be used by breaking the plaintext up into b-bit blocks.
● When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise.
● To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST.

Electronic Code Book (ECB)

--> For a given key, there is a unique ciphertext for every b-bit block of plaintext.

Cj = E(K, Pj)

Pj = D(K, Cj)

The ECB method is ideal for a short amount of data, such as an encryption key (key exchange).

Strength: can be broken using known pairs (P, C).

Cipher Block Chaining Mode (CBC)

--> A technique in which the same plaintext block, if repeated, produces different ciphertext blocks.
--> The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.

Cj = E(K, [C_{j−1} ⊕ Pj])

--> In decryption, each cipher block is passed through the decryption algorithm; the result is XORed with the preceding ciphertext block to produce the plaintext block.
--> The IV is known to both sender and receiver.

C1 = E(K, [IV ⊕ P1])

P1 = IV ⊕ D(K, C1)

--> It is possible to convert a block cipher into a stream cipher, using one of the three modes discussed in this and the next two sections: cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode.

A stream cipher eliminates the need to pad a message to be an integral number of blocks; each character can be encrypted and transmitted immediately using a character-oriented stream cipher.
Cipher Feedback Mode (CFB)

--> It is assumed that the unit of transmission is s bits; a common value is s = 8.
● As with CBC, the units of plaintext are chained together.
● The plaintext is divided into segments of s bits.
● The input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV).
● The leftmost s bits of the output of the encryption function are XORed with the plaintext P1 --> ciphertext C1.
● The contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost (least significant) s bits of the shift register.

C1 = P1 ⊕ MSB_s[E(K, IV)]

Decryption: the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit.

P1 = C1 ⊕ MSB_s[E(K, IV)]

Output Feedback Mode (OFB)

● The output of the encryption function is fed back to become the input for encrypting the next block of plaintext.
● OFB mode operates on full blocks of plaintext and ciphertext.
● Cj = Pj ⊕ E(K, [C_{j−1} ⊕ P_{j−1}])
● Pj = Cj ⊕ E(K, [C_{j−1} ⊕ P_{j−1}])
● If the last block of plaintext contains u bits with u < b, the most significant u bits of the last output block O_N are used for the XOR operation.
● The remaining b − u bits of the last output block are discarded.
● Bit errors in transmission do not propagate.

Counter Mode (CTR)

● A counter equal to the plaintext block size is used.
● The counter value must be different for each plaintext block that is encrypted.
● The counter is initialized to some value and then incremented by 1 for each subsequent block.
● For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block.
● For decryption, the same sequence of counter values is used, with each encrypted counter XORed with a ciphertext block.

Cj = Pj ⊕ E(K, Tj)

Pj = Cj ⊕ E(K, Tj)
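A toy 16-bit Feistel cipher built from the parameters listed in the Feistel Structure section (block size, key size, rounds, subkey generation, round function F), then driven in the ECB, CBC and CTR modes above, as an added example that is not part of the original notes. The round function, key schedule, key and IV are constructed illustrations, not DES, and the tiny block exists only to make the ECB pattern leak visible.

```python
# Added example (not from the original notes): toy Feistel cipher + modes.

ROUNDS = 4

def subkeys(key):
    """Subkey generation: four 8-bit subkeys from a 32-bit master key (made up)."""
    return [(key >> (8 * i)) & 0xFF for i in range(ROUNDS)]

def F(right, subkey):
    """Round function on an 8-bit half: key mix, nonlinear byte map, rotation (made up)."""
    x = right ^ subkey
    x = (x * x + 0x3B) & 0xFF            # squaring supplies the nonlinearity
    return ((x << 3) | (x >> 5)) & 0xFF

def feistel(block, keys):
    """Rounds L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i, K_i), then the final
    half swap, so the same routine decrypts when given the keys reversed."""
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ F(right, k)
    return (right << 8) | left

def encrypt_block(block, key):
    return feistel(block, subkeys(key))

def decrypt_block(block, key):
    return feistel(block, list(reversed(subkeys(key))))

def ecb_encrypt(blocks, key):            # Cj = E(K, Pj)
    return [encrypt_block(p, key) for p in blocks]

def cbc_encrypt(blocks, key, iv):        # Cj = E(K, C_{j-1} xor Pj), C_0 = IV
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(prev ^ p, key)
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):        # Pj = C_{j-1} xor D(K, Cj)
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ decrypt_block(c, key))
        prev = c
    return out

def ctr_crypt(blocks, key, counter):     # Cj = Pj xor E(K, Tj); decryption is identical
    return [b ^ encrypt_block((counter + j) & 0xFFFF, key)
            for j, b in enumerate(blocks)]

# Constructed sample input: a plaintext with a repeated block, a made-up key and IV.
PLAIN = [0x4141, 0x4141, 0x4242, 0x4141]
KEY = 0xDEADBEEF
IV = 0x1234

def ecb_leaks_repeats(blocks, key):
    """True when equal plaintext blocks show up as equal ciphertext blocks."""
    c = ecb_encrypt(blocks, key)
    return any(blocks[i] == blocks[j] and c[i] == c[j]
               for i in range(len(c)) for j in range(i + 1, len(c)))

if __name__ == "__main__":
    print("ECB :", [hex(c) for c in ecb_encrypt(PLAIN, KEY)])
    print("CBC :", [hex(c) for c in cbc_encrypt(PLAIN, KEY, IV)])
    print("CTR :", [hex(c) for c in ctr_crypt(PLAIN, KEY, 0x0100)])
```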
RC4 ALGORITHM

➔ RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security.
➔ It is a variable key size stream cipher with byte-oriented operations.
➔ It makes use of a random permutation.
➔ RC4 is used in the SSL/TLS standards that have been defined for communication between Web browsers and servers.
➔ It is used in the Wired Equivalent Privacy (WEP) protocol and the WiFi Protected Access (WPA) protocol.
➔ A byte of plaintext is XORed with a byte of the key --> a byte of ciphertext.
➔ The key byte used for the XOR is a random value between 0 and 255.

Initialization of S

● S[0] = 0, S[1] = 1, …, S[255] = 255
● A temporary vector, T, is created.
● If the length of the key K is 256 bytes, then K is transferred to T.
● Otherwise, for a key of length keylen bytes, the first keylen elements of T are copied from K, and then K is repeated as many times as necessary to fill out T.

/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];

Next we use T to produce the initial permutation of S. This involves starting with S[0] and going through to S[255], and for each S[i], swapping S[i] with another byte in S according to a scheme dictated by T[i]:

/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap(S[i], S[j]);

Stream Generation

● Once the S vector is initialized, the input key is no longer used.
● Stream generation involves cycling through all the elements of S[i], and for each S[i], swapping S[i] with another byte in S.
● After S[255] is reached, the process continues, starting over again at S[0].

/* Stream Generation */
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];

To encrypt, XOR the value k with the next byte of plaintext.

To decrypt, XOR the value k with the next byte of ciphertext.
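The initialization, initial permutation and stream generation above written out in full, as an added example that is not part of the original notes; it is checked against the public RC4 test vector key "Key" / plaintext "Plaintext" → ciphertext BBF316E8D940AF0AD3, and the last function shows why a keystream must never be reused (the key cancels out, which is the confidentiality problem behind the WEP remark that follows). Function names are my own.

```python
# Added example (not from the original notes): RC4 key scheduling, stream
# generation and the keystream-reuse property.

def rc4_ksa(key):
    """Initialization and initial permutation of S from a 1..256-byte key."""
    keylen = len(key)
    S = list(range(256))
    T = [key[i % keylen] for i in range(256)]   # K repeated to fill T
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S, nbytes):
    """Stream generation: the key is no longer used, only the permutation S."""
    S = S[:]                                    # keep the caller's S untouched
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])      # k = S[t]
    return bytes(out)

def rc4_crypt(key, data):
    """Encrypt or decrypt (the same XOR) a byte string under key."""
    stream = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, stream))

def keystream_reuse_leak(key, p1, p2):
    """True when two messages under one keystream satisfy c1 xor c2 == p1 xor p2:
    the keystream cancels, so reuse exposes the relation between plaintexts."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())         # bbf316e8d940af0ad3
    print(keystream_reuse_leak(b"Key", b"Plaintext", b"Ciphertxt"))
```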

Strength of RC4

The weakness of RC4 lies in the key generation used in the WEP application, which compromises confidentiality.


KEY DISTRIBUTION

Requirements of Symmetric Key Exchange

• A can select a key and physically deliver it to B.
• A third party can select the key and physically deliver it to A and B.
• If A and B have previously used a key, one party can transmit the new key to the other, encrypted using the old key.
• If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
• Hierarchical key control
• Session key lifetime
– Connection-oriented protocols: only one session key
– Connectionless protocols: a new session key for every information exchange
• A transparent key control scheme
• Decentralized key control
DISTRIBUTION OF PUBLIC KEYS

• Public announcement of public keys
• Publicly available directory
• Public key authority
• Public key certificates

Public Announcement of Public Keys

• Users distribute public keys to recipients or broadcast them to the community at large
– (e.g. post to a newsgroup)
• The major weakness is forgery
– Anyone can claim to be the authenticated user

Publicly Available Directory

• The users register keys with a public directory
– The directory must be trusted, and it is still vulnerable to forgery
– The authority maintains a directory with a {name, public key} entry for each participant.
– Registration has to be in person or through some secure authenticated communication.
– A participant can replace the existing key at any time based on the requirement.

Public Key Authority

• A sends a time-stamped message requesting the authority to send the public key of B:
Request || T1
• The authority responds with a message encrypted using the authority's private key:
E(PR_auth, [PU_b || Request || T1])
• A stores B's public key and uses it to encrypt a message to B containing an identifier ID_A and a nonce N1:
E(PU_b, [ID_A || N1])
• Similarly, B gets A's public key by sending a request to the authority:
Request || T2
• B sends a message to A encrypted with PU_a and containing A's nonce (N1) as well as a new nonce generated by B (N2):
E(PU_a, [N1 || N2])
• A returns N2, encrypted using B's public key, to assure B that its correspondent is A:
E(PU_b, N2)

Public Key Certificate

• Any participant can read a certificate to determine the name and public key of the certificate's owner.
• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
• Only the certificate authority can create and update certificates.

C_A = E(PR_auth, [T || ID_A || PU_a])

The certificate is verified as follows:

D(PU_auth, C_A) = D(PU_auth, E(PR_auth, [T || ID_A || PU_a])) = (T || ID_A || PU_a)