CSE 3301/CSE433

Cyber Security

Public-Key Cryptography
Diffie-Hellman Key Exchange
Color Mixing Example
 The Problem of Key Exchange

• One of the main problems of symmetric key

encryption is it requires a secure & reliable
channel for the shared key exchange.

• The Diffie-Hellman Key Exchange protocol

offers a way in which a public channel can
be used to create a confidential shared key.
 Modular what?

• In practice the shared encryption key relies

on such complex concepts as Modular
Exponentiation, Primitive Roots and
Discrete Logarithm Problems.

• Let’s see though is we can explain the

Diffie-Hellman algorithm with no complex
mathematics.
 A Difficult One-Way Problem

• The first thing we require is a simple real-

world operation that is easy to Do but hard
to Undo.
• You can ring a bell but not unring one.
• Toothpaste is easy to squeeze out of a tube but
famously hard to put back in.

• In our example we will use Mixing Colors.

• Easy to mix 2 colors, hard to unmix
 Alice & Bob with Eve listening
wish to make a secret shared color
Step 1 - Both publicly agree to a
shared color
Step 2 - Each picks a secret color
Step 3 - Each adds their secret
color to the shared color
Step 4 - Each sends the other
their new mixed color
Each combines the shared color from
the other with their own secret color
 Alice & Bob have agreed to a
shared color unknown to Eve
• How is it that Alice & Bob’s final mixtures
are identical?

• Alice mixed
• [(Yellow + Teal) from Bob] + Orange

• Bob mixed
• [(Yellow + Orange) from Alice] + Teal
 Alice & Bob have agreed to a
shared color unknown to Eve
• How is it that Alice & Bob’s final mixture is
secret?

• Eve never has knowledge of the secret

colors of either Alice or Bob

• Unmixing a color into its component colors

is a hard problem
 Alice & Bob have agreed to a
shared color unknown to Eve
• How is it that Alice & Bob’s final mixture is
secret?

• Eve never has knowledge of the secret

colors of either Alice or Bob

• Unmixing a color into its component colors

is a hard problem
Diffie-Hellman Key Exchange
Adding Mathematics
 Diffie-Hellman Protocol
• Alice and Bob never met and share no secrets
• Public info: p and g
• p is a large prime number, g is a generator of Zp*
• Zp*={1, 2 … p-1}; ∀a∈Zp* ∃i such that a=gi mod p

Pick secret, Pick secret, random

random X Y
gx mod
p
gy mod
p
Alic Bob
e
Compute k=(gy)x=gxy Compute k=(gx)y=gxy
mod p mod p slide 16
 Let’s get back to math

• We will rely on the formula below being an

easy problem one direction and hard in
reverse.
• s = gn mod p
• Easy: given g, n, & p, solve for s
• Hard: given s, g, & p, solve for n
• And the property of
• ga*b mod p = gb*a mod p
 Step 1 –Publicly shared
information
• Alice & Bob publicly agree to a large prime
number called the modulus, or p.
• Alice & Bob publicly agree to a number
called the generator, or g, which has a
primitive root relationship with p.
• In our example we’ll assume
• p = 17
• g=3
• Eve is aware of the values of p or g.
 Step 2 – Select a secret key

• Alice selects a secret key, which we will

call a.
• Bob selects a secret key, which we will
call b.
• For our example assume:
• a = 54
• b = 24
• Eve is unaware of the values of a or b.
 Step 3 – Combine secret keys
with public information
• Alice combines her secret key of a with the
public information to compute A.
• A = ga mod p
• A = 354 mod 17
• A = 15
Step 3 – Combine secret key with
public information
• Bob combines his secret key of b with the
public information to compute B.
• B = gb mod p
• B = 324 mod 17
• B = 16
 Step 4 – Share combined values

• Alice shares her combined value, A, with

Bob. Bob shares his combined value, B,
with Alice.
• Sent to Bob
• A = 15
• Sent to Alice
• B = 16
• Eve is privy to this exchange and knows the
values of A and B
 Step 5 – Compute Shared Key
• Alice computes the shared key.
• s = (B)a mod p
• s = Ba mod p
• s = 1624 mod 17
• s=1
• Bob computes the shared key.
• s = (A )b mod p
• s = Ab mod p
• s = 1554 mod 17
• s=1
 Alice & Bob have a shared
encryption key, unknown to Eve
• Alice & Bob have created a shared secret
key, s, unknown to Eve
• In our example s=1
• The shared secret key can now be used to
encrypt & decrypt messages by both parties.
• See the Youtube video on this example at:
https://www.youtube.com/watch?v=3QnD2c4Xovk
 Public-Key Cryptography
public
key

public ? private
key key

Alic
e Bo
b
Given: Everybody knows Bob’s public key
- How is this achieved in practice?
Only Bob knows the corresponding
private key
Goals: 1. Alice wants to send a message
that
only Bob can read
2. Bob wants to send a message slide 25
Applications of Public-Key Crypto
• Encryption for confidentiality
• Anyone can encrypt a message
• With symmetric crypto, must know the secret key to encrypt
• Only someone who knows the private key can decrypt
• Secret keys are only stored in one place
• Digital signatures for authentication
• Only someone who knows the private key can sign
• Session key establishment
• Exchange messages to create a secret session key
• Then switch to symmetric cryptography (why?)

slide 26
Public-Key Encryption
• Key generation: computationally easy to generate a pair
(public key PK, private key SK)
• Encryption: given plaintext M and public key PK, easy to
compute ciphertext C=EPK(M)
• Decryption: given ciphertext C=EPK(M) and private key
SK, easy to compute plaintext M
• Infeasible to learn anything about M from C without SK
• Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M

slide 27
Some Number Theory Facts(not in syllabus)

• Euler totient function ϕ(n) where n≥1 is the number of

integers in the [1,n] interval that are relatively prime to
n
• Two numbers are relatively prime if their
greatest common divisor (gcd) is 1
• Euler’s theorem:
if a∈Zn*, then aϕ(n) ≡ 1 mod n
• Special case: Fermat’s Little Theorem
if p is prime and gcd(a,p)=1, then ap-1 ≡ 1 mod p

slide 28
RSA Cryptosystem
• Key generation:
• Generate large primes p, q [Rivest, Shamir, Adleman
1977]
• At least 2048 bits each… need primality testing!
• Compute n=pq
• Note that ϕ(n)=(p-1)(q-1)
• Choose small e, relatively prime to ϕ(n)
• Typically, e=3 (may be vulnerable) or e=216+1=65537 (why?)
• Compute unique d such that ed ≡ 1 mod ϕ(n)
or, ed mod ϕ(n) = 1
• Public key = (e,n); private key = d
• Encryption of m: c = me mod n
• Decryption of c: cd mod n = (me)d mod n = m
slide 29
 Why RSA Decryption Works(not
in syllabus)
• e⋅d ≡ 1 mod ϕ(n)
• Thus e⋅d = 1+k⋅ϕ(n) = 1+k(p-1)(q-1) for some k
• If gcd(m,p)=1, then by Fermat’s Little Theorem, mp-1 ≡ 1
mod p
• Raise both sides to the power k(q-1) and multiply by m,
obtaining m1+k(p-1)(q-1) ≡ m mod p
• Thus med ≡ m mod p
• By the same argument, med ≡ m mod q
• Since p and q are distinct primes and p⋅q=n,
med ≡ m mod n
slide 30
 Why Is RSA Secure?
• RSA problem: given c, n=pq, and
e such that gcd(e,(p-1)(q-1))=1,
find m such that me=c mod n
• In other words, recover m from ciphertext c and public key
(n,e) by taking eth root of c modulo n
• There is no known efficient algorithm for doing this
• Factoring problem: given positive integer n, find primes
p1, …, pk such that n=p1e1p2e2…pkek
• If factoring is easy, then RSA problem is easy, but may
be possible to break RSA without factoring n

slide 31
Problems with RSA

(1) It is deterministic – if the same message is encrypted twice

with the same public key, the ciphertext is identical.
(2) If the message 𝑚 is larger than the modulus 𝑛, decryption is incorrect
because only 𝑚 (mod 𝑛) is decrypted.
(3) If the message 𝑚 is much smaller than the modulus 𝑛, it may be easily
decrypted.

slide 32
Problems with RSA

If the message 𝑚 is much smaller than the modulus 𝑛, it may be easily

decrypted.

Assume that Bob has chosen an especially secure 4096-bit modulus for the
RSA algorithm – it is the product of two prime numbers of length 2048 bits
each. To keep the encryption efficient, he chooses 𝑒 = 17. Alice encrypts a
128-bit AES key 𝑘 with these RSA parameters and sends the cryptogram 𝑐
= 𝑘17 mod 𝑛 to Bob, with whom she then shares an AES key 𝑘.
Unfortunately, when using RSA, the chosen parameters are not secure –
an attacker who intercepts the ciphertext 𝑐 and knows Bob’s public key
(𝑒, 𝑛) can easily decrypt the message.

Why?

This is because the number 𝑘17 is a maximum of 128 · 17 = 2176 bits long
and thus much shorter than the modulus 𝑛. The modulo operation is
therefore not applied during encryption, and we have 𝑘𝑒 mod 𝑛 = 𝑘𝑒. This
reduces the problem of computing the plaintext 𝑘 from the ciphertext 𝑐 to
the problem of computing the 𝑒-th root of an integer – this is a simple
problem that any computer can quickly solve.
slide 33
References
• The whole slide is taken from the slides of Dr. Md
Saidur Rahman, CSE, BUET