Asymmetric

or
Public Key
Cryptography
INTRODUCTION

Symmetric and asymmetric-key cryptography will exist in

parallel and continue to serve the community. We actually
believe that they are complements of each other; the
advantages of one can compensate for the disadvantages of
the other.
Note
Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.
2
 Keys
Asymmetric key cryptography uses two separate keys: one private
and one public.

Locking and unlocking in asymmetric-key cryptosystem

3
General Idea

General idea of asymmetric-key cryptosystem

4
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and
ciphertext are treated as integers in asymmetric-key
cryptography.
Encryption C = E(Kpublic , P)

Decryption P = D(Kprivate , C)

5
PKC for Encryption
6
PKC for Authentication
7
Y = E(PUb, X)
X = D(PRb, Y)
PKC for Secrecy
8
 Y = E(PRa, X)
X = E(PUa, Y)
PKC for Authentication
9
 Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
PKC for Authentication & Secrecy
10
 SYMMETRIC KEY ENCRYPTION ASYMMETRIC KEY ENCRYPTION
It only requires a single key for both It requires two key one to encrypt and the
encryption and decryption. other one to decrypt.
The encryption process is very fast. The encryption process is slow.
It is used when a large amount of data is
It is used to transfer small amount of data.
required to transfer.
It provides confidentiality, authenticity
It only provides confidentiality.
and non-repudiation.
Examples: Diffie-Hellman, ECC, El
Examples: 3DES, AES, DES and RC4
Gamal, DSA and RSA

11
 Need for Both

There is a very important fact that is sometimes

misunderstood:
The advent of asymmetric-key cryptography does not
eliminate the need for symmetric-key cryptography.
Applications for Public-Key Cryptosystems

• Encryption/decryption
• Digital signature
•Key exchange

12
 RSA CRYPTOSYSTEM

The most common public-key algorithm is the RSA

cryptosystem, named for its inventors (Rivest, Shamir, and
Adleman).

13
 RSA CRYPTOSYSTEM
• RSA uses two exponents, e and d, where e is public and d is private.
• Suppose P is the plaintext and C is the ciphertext.
• Alice uses C = Pe mod n to create ciphertext C from plaintext P; Bob
uses P = Cd mod n to retrieve the plaintext sent by Alice.

14
 Introduction

• This means that Alice can encrypt in polynomial time (e is public),

Bob also can decrypt in polynomial time (because he knows d), but
Eve cannot decrypt because she would have to calculate the eth root
of C using modular arithmetic.
• If some day, a polynomial algorithm for eth root modulo n
calculation is found, modular exponentiation is not a one-way
function any more.

15
Encryption, decryption, and key generation in RSA

16
Encryption, decryption, and key generation in RSA

17
Encryption, decryption, and key generation in RSA

18
Two Algebraic Structures

Encryption/Decryption Ring: R = <Zn , +, × >

Key-Generation Group: G = <Z f(n)∗, × >

19
Proof of RSA: We can prove that encryption and decryption are
inverses of each other using the second version of Euler’s theorem.

20
Encryption, decryption, and key generation in RSA

21
1. Select primes p=11, q=3.
2. n = pq = 11*3 = 33
3. (n) = (p-1)*(q-1) = 10*2 = 20
4. Choose e = 3
5. Compute d = 7

Public key : (3, 33) private key = 7

Now say we want to encrypt the message m = 7,

22
 Example

Bob chooses 7 and 11 as p and q and chooses e from Z60∗. If he chooses e to

be 13, now Alice wants to send the plaintext 5 to Bob. FIND OUT
CIPHERTEXT

Bob receives the ciphertext 26 and uses the private key 37 to decipher
the ciphertext:

23
 Some Trivial Examples
Example

Now assume that another person, John, wants to send a message to

Bob. John can use the same public key announced by Bob (probably
on his website), 13; John’s plaintext is 63. John calculates the
following:

Bob receives the ciphertext 28 and uses his private key 37 to

decipher the ciphertext:

24
 Example

Jennifer creates a pair of keys for herself. She chooses p = 397 and q
= 401. She calculates n = 159197. She then calculates f(n) = 158400.
She then chooses e = 343 and d = 12007. Show how Ted can send a
message to Jennifer if he knows e and n.

Suppose Ted wants to send the message “NO” to Jennifer. He changes

each character to a number (from 00 to 25), with each character coded
as two digits. He then concatenates the two coded characters and gets
a four-digit number. The plaintext is 1314.

25
Continued

Encryption and decryption

26
 Example

Here is a more realistic example. We choose a 512-bit p and q,

calculate n and f(n), then choose e and test for relative primeness with
f(n). We then calculate d. Finally, we show the results of encryption
and decryption. The integer p is a 159-digit number.

27
 Example

The modulus n = p × q. It has 309 digits.

f(n) = (p − 1)(q − 1) has 309 digits.

28
Example

Bob chooses e = 35535 (the ideal is 65537) and tests it to make sure
it is relatively prime with f(n). He then finds the inverse of e
modulo f(n) and calls it d.

29
 Example

Alice wants to send the message “THIS IS A TEST”, which can

be changed to a numeric value using the 00−26 encoding scheme
(26 is the space character).

The ciphertext calculated by Alice is C = Pe, which is

30
 Example

Bob can recover the plaintext from the ciphertext

using P = Cd, which is

The recovered plaintext is “THIS IS A TEST” after

decoding.

31
32
Taxonomy of potential attacks on RSA

33
34
 Taxonomy of potential attacks on RSA

• The security of RSA is based on the idea that the modulus is so large
that it is infeasible to factor it in a reasonable time.
• If attacker can factor n and obtain p and q, she can calculate φ(n) =
(p − 1) (q − 1).
• Eve then can calculate d = e−1 mod φ(n) because e is public. The
private exponent d is the trapdoor that Eve can use to decrypt any
encrypted message.
• There are many factorization algorithms, but none of them can factor
a large integer with polynomial time complexity.

35
 Taxonomy of potential attacks on RSA

• To be secure, RSA presently requires that n should be more than 300

decimal digits, which means that the modulus must be at least 1024
bits.
• Even using the largest and fastest computer available today, factoring
an integer of this size would take an infeasibly long period of time.
• This means that RSA is secure as long as an efficient algorithm for
factorization has not been found.

Determining d given e and n appears to be at least as time-consuming as the

factoring problem.

36
THE FACTORING PROBLEM: RSA Laboratories states that: for each RSA
number n, there exists prime numbers p and q such that
n = p × q.
The problem is to find these two primes, given only n.

We can identify three approaches to attacking RSA mathematically.

1. Factor n into its two prime factors. This enables calculation of fi(n) = (p -
1) × (q - 1), which in turn enables determination of d = e-1 (mod f(n)).
2. Determine f(n) directly, without first determining p and q. Again, this
enables determination of d = e-1 (mod f(n)).
3. Determine d directly, without first determining f(n).
37
 Chosen Ciphertext attack

The attack is based on multiplicative property of the RSA.

1. Eve intercepts C and uses following steps to find P.
2. Eve selects a random integer X in Zn*.
3. Eve calculates Y = C*Xe (mod n).
4. Eve sends Y to bob for decryption and get Z = Yd (mod n) (Chosen
ciphertext attack ).
5. Eve can easily find P because Z = Yd (mod n) = (Pe *Xe )d (mod n) =
(P*X) (mod n) .
6. P = Z*X-1 (mod n)
 RSA Recommendations
The following recommendations are based on theoretical and experimental results.
1. The number of bits for n should be at least 1024. This means that n should be
around 21024, or 309 decimal digits.
2. The two primes p and q must each be at least 512 bits. This means that p and q
should be around 2512 or 154 decimal digits.
3. The values of p and q should not be very close to each other.
4. Both p − 1 and q − 1 should have at least one large prime factor.
5. The ratio p/q should not be close to a rational number with a small numerator or
denominator.
6. The modulus n must not be shared.
7. The value of e should be 216 + 1 or an integer close to this value.
8. If the private key d is leaked, Bob must immediately change n as well as both e and
d. It has been proven that knowledge of n and one pair (e, d ) can lead to the
discovery of other pairs of the same modulus.
 RABIN CRYPTOSYSTEM

• The Rabin cryptosystem is devised by M. Rabin is

variation of the RSA cryptosystem.
• The RSA Algorithm is based on exponentiation
congruence, while Rabin is based on quadratic
congruence.

40
 RABIN CRYPTOSYSTEM

The Rabin cryptosystem can be thought of as an RSA

cryptosystem in which the value of e and d are fixed (e=2, d=
1/2).

Encryption: C ≡ P2 (mod n)
Decryption: P ≡ C1/2 (mod n).

41
RABIN CRYPTOSYSTEM

Rabin Cryptosystem
42
Key Generation

43
 Encryption

Note
The Rabin cryptosystem is not deterministic:
Decryption creates four plaintexts.

44
Decryption

45
 Example

Here is a very trivial example to show the idea.

1. Bob selects p = 23 and q = 7. Note that both are congruent to 3
mod 4.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24. Note that 161 and 24
are relatively prime; 24 is in Z161*.
5. She calculates C = 242 = 93 mod 161, and sends the ciphertext
93 to Bob.
46
 Example

5. Bob receives 93 and calculates four values:

a1 = +(93 (23+1)/4) mod 23 = 1 mod 23

a2 = −(93 (23+1)/4) mod 23 = 22 mod 23

b1 = +(93 (7+1)/4) mod 7 = 4 mod 7

b2 = −(93 (7+1)/4) mod 7 = 3 mod 7

6. Bob takes four possible answers, (a1, b1), (a1, b2), (a2, b1), and

(a2, b2), and uses the Chinese remainder theorem to find four
possible plaintexts: 116, 24, 137, and 45. Note that only the
second answer is Alice’s plaintext.
47
ELGAMAL CRYPTOSYSTEM

Besides RSA and Rabin, another public-key cryptosystem

is ElGamal.

ElGamal is based on the discrete logarithm problem.

48
Key Generation

49
Encryption

50
 Decryption

Note
The bit-operation complexity of encryption or
decryption in ElGamal cryptosystem is polynomial.

51
 Example

Here is a trivial example. Bob chooses p = 11 and e1 = 2. and d = 3 e2

= e1d = 8. So the public keys are (2, 8, 11) and the private key is 3.

Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.

Bob receives the ciphertexts (5 and 6) and calculates the

plaintext.

52
 Example

Instead of using P = [C2 × (C1d) −1] mod p for decryption, we can

avoid the calculation of multiplicative inverse and use
P = [C2 × C1 p−1−d] mod p (see Fermat’s little theorem in Chapter 9).
In this Example, we can calculate P = [6 × 5 11−1−3
] mod 11 = 7 mod
11.

Note
For the ElGamal cryptosystem, p must be at least 300 digits
and r must be new for each encipherment.

53
Example

Bob uses a random integer of 512 bits. The integer p is a 155-

digit number (the ideal is 300 digits). Bob then chooses e1, d,
and calculates e2, as shown below:

54
 Example

Alice has the plaintext P = 3200 to send to Bob. She chooses

r = 545131, calculates C1 and C2, and sends them to Bob.

Bob calculates the plaintext P = C2 × ((C1)d)−1 mod p = 3200 mod p.

55