
Cryptography, Lecture 06

Uploaded by

norahussiniy
Cryptography

Ch.6: Introduction to Public-Key Cryptography
Prepared By
Dr. Ibrahim Attiya
© 2024 NMU
Ch.6: Outline
❑ Symmetric Cryptography Revisited.
❑ Principles of Asymmetric Cryptography.
❑ Practical Aspects of Public-Key
Cryptography.
❑ Important Public-Key Algorithms.
❑ Essential Number Theory for Public-Key
Algorithms.
❑ Lessons Learned.
Symmetric Cryptography
Revisited
➢ Let’s recall the basic symmetric encryption scheme.

➢ Such a system is symmetric with respect to two properties:
1. The same secret key k is used for encryption and
decryption.
2. The encryption and decryption functions are very similar
(in the case of DES they are essentially identical).
Symmetric Cryptography
Revisited (Cont.)
➢ The action of encrypting a message can be
viewed as putting the message in the safe.
➢ In order to read, i.e., decrypt, the message, Bob
uses his key and opens the safe.
Symmetric Cryptography
Revisited (Cont.)
➢ Symmetric algorithms such as AES or 3DES are
very secure, fast and are in widespread use.
However, there are several shortcomings associated
with symmetric-key schemes:
▪ Key Distribution Problem: The key must be transported
between Alice and Bob using a secure channel.
▪ Number of Keys: Even if we solve the key distribution
problem, we must potentially deal with a very large
number of keys. If each pair of users needs a separate
pair of keys in a network with n users, there are
$\frac{n(n-1)}{2}$ key pairs, and every user has to store
n−1 keys securely.
Symmetric Cryptography
Revisited (Cont.)
▪ No Protection Against Cheating by Alice or Bob:
Alice and Bob have the same capabilities, since they
possess the same key. As a consequence, symmetric
cryptography cannot be used for applications where we
would like to prevent cheating by either Alice or Bob as
opposed to cheating by an outsider like Oscar.
❖ Preventing this is called nonrepudiation and can be
achieved with asymmetric cryptography. Digital
signatures provide nonrepudiation.
Principles of Asymmetric
Cryptography
➢ In order to overcome these drawbacks, Diffie,
Hellman and Merkle had a revolutionary proposal:
▪ It is not necessary that the key possessed by the person
who encrypts the message (that’s Alice in our example)
is secret.
▪ The crucial part is that Bob, the receiver, can only
decrypt using a secret key.
➢ In order to realize such a system, Bob publishes a
public encryption key which is known to everyone.
Bob also has a matching secret key, which is used
for decryption.
Principles of Asymmetric
Cryptography (Cont.)
➢ Thus, Bob’s key k consists of two parts, a public
part, k_pub, and a private one, k_pr.
➢ A simple analogy of such a system is shown in the
following Figure.

➢ This system works much like the good old mailbox on the corner of a
street: Everyone can put a letter in the box, i.e., encrypt, but only a person with a
private (secret) key can retrieve letters, i.e., decrypt.
Principles of Asymmetric
Cryptography (Cont.)
➢ If we assume we have cryptosystems with such a
functionality, a basic protocol for public-key
encryption looks as shown in the following Figure.

Fig. 6.4: Basic protocol for public-key encryption


Principles of Asymmetric
Cryptography (Cont.)
➢ By looking at that protocol you might argue that
even though we can encrypt a message without a
secret channel for key establishment, we still
cannot exchange a key if we want to encrypt with,
say, AES.
➢ However, the protocol can easily be modified for
this use. What we have to do is to encrypt a
symmetric key, e.g., an AES key, using the public-
key algorithm. Once the symmetric key has been
decrypted by Bob, both parties can use it to encrypt
and decrypt messages using symmetric ciphers.
Principles of Asymmetric
Cryptography (Cont.)
➢ Figure 6.5 shows a basic key transport protocol
where we use AES as the symmetric cipher for
illustration purposes (of course, one can use any
other symmetric algorithm in such a protocol).
Principles of Asymmetric
Cryptography (Cont.)
➢ The main advantage of the protocol in Fig. 6.5 over
the protocol in Fig. 6.4 is that the payload is
encrypted with a symmetric cipher, which tends to
be much faster than an asymmetric algorithm.
➢ It looks as though asymmetric cryptography is a
desirable tool for security applications.
➢ The question remains how one can build public-key
algorithms. Later, we introduce most asymmetric
schemes of practical relevance. They are all built
from one common principle, the one-way function.
Principles of Asymmetric
Cryptography (Cont.)
➢ The informal definition of it is as follows:

▪ In order to be useful in practical crypto schemes, the
computation y = f(x) should be sufficiently fast that it
does not lead to unacceptably slow execution times in an
application. The inverse computation x = f^{-1}(y) should be
so computationally intensive that it is not feasible to
evaluate it in any reasonable time period, say, 10,000
years, when using the best known algorithm.
Principles of Asymmetric
Cryptography (Cont.)
➢ There are two popular one-way functions which are
used in practical public-key schemes.
➢ The first is the integer factorization problem, on which
RSA is based. Given two large primes, it is easy to
compute the product. However, it is very difficult to
factor the resulting product. In fact, if each of the primes
has 150 or more decimal digits, the resulting product
cannot be factored, even with thousands of PCs running
for many years.
➢ The other one-way function that is used widely is the
discrete logarithm problem.
Practical Aspects of Public-Key
Cryptography (Cont.)
➢ Main Security Mechanisms of Public-Key
Algorithms:
▪ Key Establishment: There are protocols for
establishing secret keys over an insecure
channel. Examples of such protocols include
the Diffie–Hellman key exchange (DHKE) or
RSA key transport protocols.
▪ Nonrepudiation: Providing nonrepudiation and
message integrity can be realized with digital
signature algorithms, e.g., RSA, DSA or
ECDSA.
Practical Aspects of Public-Key
Cryptography (Cont.)
➢ Main Security Mechanisms of Public-Key
Algorithms (Cont.):
▪ Identification: We can identify entities using
challenge-and-response protocols together with
digital signatures, e.g., in applications such as
smart cards for banking or for mobile phones.
▪ Encryption: We can encrypt messages using
algorithms such as RSA or Elgamal.
➢ Disadvantage: Computationally very intensive
(1000 times slower than symmetric algorithms!).
Practical Aspects of Public-Key
Cryptography (Cont.)
➢ Public-key schemes can provide all functions
required by modern security protocols. But the
major drawback in practice is that encryption of
data is very computationally intensive (extremely
slow) with public-key algorithms.
➢ Many block and stream ciphers can encrypt about
one hundred to one thousand times faster than
public-key algorithms.
➢ On the other hand, symmetric algorithms are poor
at providing nonrepudiation and key establishment
functionality.
Practical Aspects of Public-Key
Cryptography (Cont.)
➢ In order to use the best of both worlds, most
practical protocols are hybrid protocols which
incorporate both symmetric and public-key
algorithms.
1. Key exchange (for symmetric schemes) and
digital signatures are performed with (slow)
asymmetric algorithms
2. Encryption of data is done using (fast)
symmetric ciphers, e.g., block ciphers or
stream ciphers.
Practical Aspects of Public-Key
Cryptography (Cont.)
➢ Example: Hybrid protocol with AES as the
symmetric cipher.
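The hybrid key transport exchange described above, with both sides' messages, as an added example that is not part of the original lecture. It assumes a constructed toy RSA key pair and uses a SHA-256 keystream as a stand-in for AES (Python's standard library has no AES); the names `alice_send`, `bob_receive` and `symmetric_xor` are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for Bob (assumption): two Mersenne primes, far too
# small and too structured for real use. Textbook RSA is shown without padding;
# deployed systems use a padded scheme and a real cipher such as AES.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to Bob
K_PUB, K_PR = (N, E), (N, D)

def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR data with a SHA-256(key || counter) keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def alice_send(k_pub, message: bytes):
    """Alice: pick a fresh symmetric key, wrap it with Bob's public key,
    and encrypt the payload with the symmetric cipher."""
    n, e = k_pub
    k = secrets.token_bytes(16)                        # 128-bit session key
    wrapped_key = pow(int.from_bytes(k, "big"), e, n)  # slow public-key step
    ciphertext = symmetric_xor(k, message)             # fast symmetric step
    return wrapped_key, ciphertext

def bob_receive(k_pr, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Bob: recover the session key with his private key, then decrypt."""
    n, d = k_pr
    k = pow(wrapped_key, d, n).to_bytes(16, "big")
    return symmetric_xor(k, ciphertext)

if __name__ == "__main__":
    msg = b"constructed sample message for the hybrid protocol " * 3
    wrapped, ct = alice_send(K_PUB, msg)
    print("wrapped key:", hex(wrapped))
    print("round trip ok:", bob_receive(K_PR, wrapped, ct) == msg)
```

Only the 16-byte session key passes through the public-key operation; the payload, whatever its length, is handled by the symmetric step.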
Important Public-Key
Algorithms
➢ There are only three major families of public-key
algorithms which are of practical relevance. They
can be classified based on their underlying
computational problem.
➢ Public-Key Algorithm Families of Practical
Relevance:
▪ Integer-Factorization Schemes: Several public-
key schemes are based on the fact that it is difficult
to factor large integers. The most prominent
representative of this algorithm family is RSA.
Important Public-Key
Algorithms (Cont.)
▪ Discrete Logarithm Schemes: There are several
algorithms which are based on what is known as the
discrete logarithm problem in finite fields. The most
prominent examples include the Diffie–Hellman key
exchange, Elgamal encryption or the Digital Signature
Algorithm (DSA).
▪ Elliptic Curve (EC) Schemes: Elliptic curve public-key
schemes are a generalization of the discrete logarithm
algorithm. The most popular examples include
Elliptic Curve Diffie–Hellman key exchange (ECDH)
and the Elliptic Curve Digital Signature Algorithm
(ECDSA).
Essential Number Theory for
Public-Key Algorithms
➢ We will now study a few techniques from number
theory which are essential for public-key
cryptography.
➢ We introduce the Euclidean algorithm, Euler’s phi
function as well as Fermat’s Little Theorem and
Euler’s theorem.
➢ All are important for asymmetric algorithms,
especially for understanding the RSA crypto
scheme.
Euclidean Algorithm
➢ We start with the problem of computing the
greatest common divisor (gcd).
➢ The gcd of two positive integers r0 and r1 is
denoted by gcd(r0, r1)
and is the largest positive number that divides both
r0 and r1.
➢ Example 6.1. Let r0 = 84 and r1 = 30. Factoring yields
r0 = 84 = 2 · 2 · 3 · 7
r1 = 30 = 2 · 3 · 5
▪ The gcd is the product of all common prime factors:
2 · 3 = 6 = gcd(30,84)
Euclidean Algorithm (Cont.)
➢ For small numbers, the gcd is easy to calculate by
factoring both numbers and finding the highest
common factor.
➢ For the large numbers which occur in public-key
schemes, however, factoring often is not possible,
and a more efficient algorithm is used for gcd
computations, the Euclidean algorithm.
➢ The algorithm is based on the simple observation that:
gcd(r0, r1) = gcd(r0−r1, r1),
where we assume that r0 > r1, and that both numbers
are positive integers.
Euclidean Algorithm (Cont.)
➢ Example 6.2. Again, let r0 = 84 and r1 = 30. We now look at
the gcd of (r0−r1) and r1:
r0−r1 = 54 = 2 · 3 · 3 · 3
r1 = 30 = 2 · 3 · 5
The largest common factor still is 2 · 3 = 6 = gcd(30,54) =
gcd(30,84).
➢ It also follows immediately that we can apply the
process iteratively:
gcd(r0, r1) = gcd(r0−r1, r1) = gcd(r0−2r1, r1) = · · · = gcd(r0−m r1, r1)
as long as (r0 −m r1) > 0.
Euclidean Algorithm (Cont.)
➢ The algorithm uses the fewest steps if
we choose the maximum value for m. This is the
case if we compute:
gcd(r0, r1) = gcd(r0 mod r1, r1).
➢ Since the first term (r0 mod r1) is smaller than the
second term r1, we usually swap them:
gcd(r0, r1) = gcd(r1, r0 mod r1).
➢ The core observation from this process is that we
can reduce the problem of finding the gcd of two
given numbers to that of the gcd of two smaller
numbers.
Euclidean Algorithm (Cont.)
➢ This process can be applied recursively until we
obtain finally gcd(rl ,0) = rl.
➢ Since each iteration preserves the gcd of the
previous iteration step, it turns out that this final
gcd is the gcd of the original problem, i.e.,
gcd(r0, r1) = · · · = gcd(rl ,0) = rl .
➢ Example 6.3. Let r0 = 27 and r1 = 21.
Euclidean Algorithm (Cont.)
➢ Example 6.4. Let r0 = 973 and r1 = 301. The gcd is then
computed as.

➢ The Euclidean algorithm is very efficient, even
with the very long numbers typically used in
public-key cryptography.
➢ The number of iterations is close to the number of
digits of the input operands.
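The reduction gcd(r0, r1) = gcd(r1, r0 mod r1) carried through step by step, next to the slower subtraction form it replaces. This is an added example, not code from the lecture; the function names are hypothetical, and the inputs are the ones used in Examples 6.1 to 6.4.

```python
def euclid_trace(r0, r1):
    """Euclidean algorithm using gcd(r0, r1) = gcd(r1, r0 mod r1).
    Returns (gcd, steps); each step is (a, b, q, r) with a = q*b + r."""
    if r0 <= 0 or r1 <= 0:
        raise ValueError("both inputs must be positive integers")
    steps = []
    a, b = r0, r1
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r                 # swap: continue with gcd(r1, r0 mod r1)
    return a, steps                 # gcd(r_l, 0) = r_l

def gcd_by_subtraction(r0, r1):
    """Slower form gcd(r0, r1) = gcd(r0 - r1, r1), one subtraction at a time.
    Returns (gcd, number of subtractions)."""
    if r0 <= 0 or r1 <= 0:
        raise ValueError("both inputs must be positive integers")
    count = 0
    while r0 != r1:
        if r0 > r1:
            r0 -= r1
        else:
            r1 -= r0
        count += 1
    return r0, count

def format_trace(steps):
    """Render each step as 'a = q*b + r' for reading."""
    return [f"{a} = {q}*{b} + {r}" for a, b, q, r in steps]

if __name__ == "__main__":
    for r0, r1 in [(84, 30), (27, 21), (973, 301)]:
        g, steps = euclid_trace(r0, r1)
        print(f"gcd({r0}, {r1}) = {g}")
        for line in format_trace(steps):
            print("   ", line)
    # Constructed large operands: still only a few hundred mod steps.
    big0, big1 = 7 * 3**200, 7 * 5**150
    g, steps = euclid_trace(big0, big1)
    print("large gcd:", g, "in", len(steps), "steps")
```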
Euler’s Phi Function
➢ We now look at another tool that is useful for
public-key cryptosystems, especially for RSA.
➢ We consider the ring Zm, i.e., the set of integers
{0, 1, . . . , m−1}.
➢ We are interested in the problem of knowing how
many numbers in this set are relatively prime to m.
➢ This quantity is given by Euler’s phi function.
➢ In other words, Euler’s phi function computes
the number of integers in the range 0 to m−1 that
have no common factors with m other than 1.
Euler’s Phi Function
➢ Euler’s phi function is defined as follows:

➢ Example 6.8. Let m = 6. The associated set is Z6 = {0,1,2,3,4,5}.
gcd(0,6) = 6
gcd(1,6) = 1 *
gcd(2,6) = 2
gcd(3,6) = 3
gcd(4,6) = 2
gcd(5,6) = 1 *
▪ Since there are two numbers in the set which are relatively
prime to 6, namely 1 and 5, the phi function takes the value
2, i.e., Φ(6) = 2.
Euler’s Phi Function
➢ From the examples above we can guess that
calculating Euler’s phi function by running through
all elements and computing the gcd is extremely
slow if the numbers are large.
➢ Fortunately, there exists a relation to calculate it
much more easily if we know the factorization of
m, which is given in the following theorem.
Euler’s Phi Function
➢ Example 6.10. Let m = 240. The factorization of 240 in the
canonical factorization form is
$m = 240 = 16 \cdot 15 = 2^4 \cdot 3 \cdot 5 = p_1^{e_1} \cdot p_2^{e_2} \cdot p_3^{e_3}$
▪ There are three distinct prime factors, i.e., n = 3. The value
of Euler’s phi function then follows as:
$\Phi(m) = (2^4 - 2^3)(3^1 - 3^0)(5^1 - 5^0) = 8 \cdot 2 \cdot 4 = 64$.
▪ That means that 64 integers in the range {0,1, . . . ,239} are
coprime to m = 240.
▪ The alternative method, which would have required
evaluating the gcd 240 times, would have been much slower
even for this small number.
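Both ways of computing Euler's phi function from Examples 6.8 and 6.10, side by side: counting gcds over Z_m, and the product over the prime factorization. This is an added example, not code from the lecture; the function names are hypothetical, and the last case uses two constructed primes to show that the factorization route stays instant where counting is out of reach.

```python
from math import gcd

def phi_bruteforce(m):
    """Count the a in {0, 1, ..., m-1} with gcd(a, m) = 1 (m gcd evaluations)."""
    if m < 1:
        raise ValueError("m must be a positive integer")
    return sum(1 for a in range(m) if gcd(a, m) == 1)

def factorize(m):
    """Canonical factorization by trial division, as {prime: exponent}.
    Only practical for small m; factoring large m is the hard problem."""
    if m < 1:
        raise ValueError("m must be a positive integer")
    factors = {}
    p = 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                       # whatever remains is a prime factor
        factors[m] = factors.get(m, 0) + 1
    return factors

def phi_from_factors(factors):
    """Phi(m) as the product of (p^e - p^(e-1)) over the prime powers of m."""
    result = 1
    for p, e in factors.items():
        result *= p**e - p**(e - 1)
    return result

if __name__ == "__main__":
    for m in (6, 240):
        f = factorize(m)
        print(m, f, phi_bruteforce(m), phi_from_factors(f))
    # Constructed case: m = p*q for two known primes (Mersenne primes here).
    # With the factors in hand, Phi(m) = (p-1)(q-1) needs two subtractions;
    # counting gcds over all of Z_m is infeasible at this size.
    p, q = 2**61 - 1, 2**89 - 1
    print(phi_from_factors({p: 1, q: 1}) == (p - 1) * (q - 1))
```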
Lessons Learned
➢ Public-key algorithms have capabilities that symmetric
ciphers don’t have, in particular digital signature and
key establishment functions.
➢ Public-key algorithms are computationally intensive,
and hence are poorly suited for bulk data encryption.
➢ The extended Euclidean algorithm allows us to
compute modular inverses quickly, which is important
for almost all public-key schemes.
➢ Euler’s phi function gives us the number of elements
smaller than an integer n that are relatively prime to n.
This is an important function for the RSA crypto
scheme.
Any Questions?
