Cryptography and

Network Security
Chapter 10
Fifth Edition
by William Stallings

Lecture slides by Lawrie Brown

 Chapter 10 Other Public Key
Cryptosystems
Amongst the tribes of Central Australia every man, woman,
and child has a secret or sacred name which is bestowed
by the older men upon him or her soon after birth, and
which is known to none but the fully initiated members of
the group. This secret name is never mentioned except
upon the most solemn occasions; to utter it in the hearing of
men of another group would be a most serious breach of
tribal custom. When mentioned at all, the name is spoken
only in a whisper, and not until the most elaborate
precautions have been taken that it shall be heard by no
one but members of the group. The native thinks that a
stranger knowing his secret name would have special
power to work him ill by means of magic.
The Golden Bough, Sir James George Frazer
Diffie-Hellman Key Exchange
first public-key type scheme proposed
by Diffie & Hellman in 1976 along with the
exposition of public key concepts
note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970
is a practical method for public exchange
of a secret key
used in a number of commercial products
Diffie-Hellman Key Exchange
a public-key distribution scheme
cannot be used to exchange an arbitrary message
rather it can establish a common key
known only to the two participants
value of key depends on the participants (and
their private and public key information)
based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
security relies on the difficulty of computing
discrete logarithms (similar to factoring) hard
 Diffie-Hellman Setup
all users agree on global parameters:
large prime integer or polynomial q
a being a primitive root mod q
each user (eg. A) generates their key
chooses a secret key (number): xA < q
compute their public key: yA = axA mod q
each user makes public that key yA
Diffie-Hellman Key Exchange
shared session key for users A & B is KAB:
KAB = axA.xB mod q
= yAxB mod q (which B can compute)
= yBxA mod q (which A can compute)
KAB is used as session key in private-key
encryption scheme between Alice and Bob
if Alice and Bob subsequently communicate,
they will have the same key as before, unless
they choose new public-keys
attacker needs an x, must solve discrete log
 Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q=353 and a=3
select random secret keys:
A chooses xA=97, B chooses xB=233
compute respective public keys:
yA=397 mod 353 = 40 (Alice)
yB=3233 mod 353 = 248 (Bob)
compute shared session key as:
KAB= yBxA mod 353 = 24897 = 160 (Alice)
KAB= yAxB mod 353 = 40233 = 160 (Bob)
 Key Exchange Protocols
users could create random private/public
D-H keys each time they communicate
users could create a known private/public
D-H key and publish in a directory, then
consulted and used to securely
communicate with them
both of these are vulnerable to a meet-in-
the-Middle Attack
authentication of the keys is needed
 Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to
Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key
(with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to
Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with
Darth instead of Bob)
Darth can then intercept, decrypt, re-encrypt, forward all
messages between Alice & Bob
 ElGamal Cryptography
public-key cryptosystem related to D-H
so uses exponentiation in a finite (Galois)
with security based difficulty of computing
discrete logarithms, as in D-H
each user (eg. A) generates their key
chooses a secret key (number): 1 < xA < q-1
compute their public key: yA = axA mod q
 ElGamal Message Exchange
Bob encrypt a message to send to A computing

represent message M in range 0 <= M <= q-1
longer messages must be sent as blocks
chose random integer k with 1 <= k <= q-1
compute one-time key K = yAk mod q
encrypt M as a pair of integers (C1,C2) where
C1 = ak mod q ; C2 = KM mod q
A then recovers message by
recovering key K as K = C1xA mod q
computing M as M = C2 K-1 mod q
a unique k must be used each time
otherwise result is insecure
 ElGamal Example
use field GF(19) q=19 and a=10
Alice computes her key:
A chooses xA=5 & computes yA=105 mod 19 = 3
Bob send message m=17 as (11,5) by
chosing random k=6
computing K = yAk mod q = 36 mod 19 = 7
computing C1 = ak mod q = 106 mod 19 = 11;
C2 = KM mod q = 7.17 mod 19 = 5
Alice recovers original message by computing:
recover K = C1xA mod q = 115 mod 19 = 7
compute inverse K-1 = 7-1 = 11
recover M = C2 K-1 mod q = 5.11 mod 19 = 17
 Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
imposes a significant load in storing and
processing keys and messages
an alternative is to use elliptic curves
offers same security with smaller bit sizes
newer, but not as well analysed
 Real Elliptic Curves
an elliptic curve is defined by an equation
in two variables x & y, with coefficients
consider a cubic elliptic curve of form

y2 = x3 + ax + b

where x,y,a,b are all real numbers

also define zero point O
consider set of pointsE(a,b) that satisfy
have addition operation for elliptic curve

geometrically sum of P+Q is reflection of the
intersection R
Real Elliptic Curve Example
 Finite Elliptic Curves
Elliptic curve cryptography uses curves
whose variables & coefficients are finite
have two families commonly used:
prime curves Ep(a,b) defined over Zp
use integers modulo a prime
best in software
binary curves E2m(a,b) defined over GF(2n)
use polynomials with binary coefficients
best in hardware
 Elliptic Curve Cryptography
ECC addition is analog of modulo multiply
ECC repeated addition is analog of modulo
exponentiation
need hard problem equiv to discrete log

Q=kP, where Q,P belong to a prime curve

is easy to compute Q given k,P

but hard to find k given Q,P

known as the elliptic curve logarithm problem
Certicom example: E23(9,17)
 ECC Diffie-Hellman
can do key exchange analogous to D-H
users select a suitable curve Eq(a,b)
select base point G=(x1,y1)

with large order n s.t. nG=O
A & B select private keys
nA<n, nB<n
compute public keys: PA=nAG, PB=nBG
compute shared key: K=nAPB, K=nBPA
same since K=nAnBG
attacker would need to find k, hard
 ECC Encryption/Decryption
several alternatives, will consider simplest
must first encode any message M as a point on
the elliptic curve Pm
select suitable curve & point G as in D-H
each user chooses private key nA<n
and computes public key PA=nAG
to encrypt Pm : Cm={kG, Pm+kPb}, k random
decrypt Cm compute:
Pm+kPbnB(kG) = Pm+k(nBG)nB(kG) = Pm
 ECC Security
relies on elliptic curve logarithm
problem
fastest method is Pollard rho method
compared to factoring, can use much
smaller key sizes than with RSA etc
for equivalent key lengths computations
are roughly equivalent
hence for similar security ECC offers
significant computational advantages
 Comparable Key Sizes for
Equivalent Security
Symmetric ECCbased RSA/DSA
scheme scheme (modulussizein
(keysizeinbits) (sizeofninbits) bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
 Pseudorandom Number
Generation (PRNG) based on
Asymmetric Ciphers
asymmetric encryption algorithm produce
apparently random output
hence can be used to build a
pseudorandom number generator (PRNG)
much slower than symmetric algorithms
hence only use to generate a short
pseudorandom bit sequence (eg. key)
 PRNG based on RSA
have Micali-Schnorr PRNG using RSA
in ANSI X9.82 and ISO 18031
 PRNG based on ECC
dual elliptic curve PRNG
NIST SP 800-9, ANSI X9.82 and ISO 18031
some controversy on security /inefficiency
algorithm
for i = 1 to k do
set si = x(si-1 P )
set ri = lsb240 (x(si Q))
end for
return r1 , . . . , rk

only use if just have ECC

 Summary
have considered:
Diffie-Hellman key exchange
ElGamal cryptography
Elliptic Curve cryptography
Pseudorandom Number Generation (PRNG)
based on Asymmetric Ciphers (RSA & ECC)