1. Applied Cryptography
Spring 2015
Asymmetric ciphers

2. Types of ciphers Symmetric  Asymmetric (public key
Block ciphers  Stream ciphers

3. Symmetric vs. asymmetric cryptography
Symmetric ciphers – sender and recipient use the same key
Dkey(Ekey(m)) = m
Substitution cipher is an example of a symmetric cipher
Impractical for big systems – number of keys is quadratic in the number of users
The solution – asymmtric algorithms. Think of a locked mailbox! Different keys for encryption and decryption
Dprivate key(Epublic key(m)) = m

4. Asymmetric ciphers
[From Information Security Group, ICU]

5. Mathematical foundations for public key cryptography
Traditionally used one-way functions:
Factoring
Given primes p and q, it is easy to compute n=pq, but it
is hard to factor n
Discrete logarithm problem
Given prime p and g,x<p, it is easy to compute y = gx mod p,
but it is hard to compute logg y in Z*p.
Square root problem
Given primes p,q, n=pq and x<n, it is easy to compute
y = x2 mod n, but it is hard to compute sqrt(y) in Z*n.
Knapsack?

6. PKC schemes
[From Information Security Group, ICU]

7. What we will use from number theory
Fermat's little Theorem
If p is prime and gcd(a,p) = 1 then ap1 = 1 mod p.

8. Complexity of modular operations
Addition, subtraction
Almost the same as without modulos, time complexity ( )
Multiplication:
for given a and b find x such that ab mod n = x
multiplication + division, i.e. time complexity ( 2)

9. What we will use from number theory
Extended Euclid's algorithm
d = gcd(a,b) - the greatest common divisor of integers
a and b
There exist integers x and y such that d = ax + by
ExtendedEuclid(a, b)
if b = 0 then return (a,1,0)
(d’,x’,y’)  ExtendedEuclid(b, a mod b)
(d,x,y)  (d’,y’,x’ – a/b y’)
return (d,x,y)

10. Complexity of modular operations
Division:
for given a and b find x such that bx mod n = a
Not always such x exists - we should have gcd(b,n) | a
Extended Euclid's algorithm:
finds x and y such that gcd(s,t) = su + tv
Take b = s and t = n and set x = ua/gcd(b,n)
Time complexity ( 3)

11. Complexity of modular operations
Exponentiation:
for given a and b find x such that ab mod n = x
Time complexity?

12. Modular Exponentiation
ModularExponentiation(base a, degree b, modulus n)
let <bk,bk–1,...,b0> be the binary representation of b
c  0
d  1
for i  k downto 0 do
c  2  c
d  (d  d) mod n
if bi = 1 then
c  c + 1
d  (d  a) mod n
return d
Time complexity T() = ( 3)

13. Modular Exponentiation - example
ModularExponentiation(a, b, n)
c  0; d  1
for i  k downto 0 do
c  2  c
d  (d  d) mod n
if bi = 1 then
c  c + 1
d  (d  a) mod n
return d
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

14. What we will use from number theory
Chinese reminder theorem
Suppose n1, n2, …, nk are integers which are pairwise coprime.
Then, for any given integers a1,a2, …, ak, there exists an integer
x solving the system of simultaneous congruences:
Furthermore, all solutions x to this system are congruent modulo
the product N = n1n2…nk.

15. Merkle's puzzles (around 1974)
Bob:
220 messages: "this is puzzle number x. This is the
secret key y"
Alice:
decirpts random message, sends Bob pair: (Ey(P),x)

16. Knapsack algorithms First generalized public key encryption algorithm
[Merkle, Hellman, 1979]

17. Knapsack problem

18. Knapsack problem
[From B.Schneier]

19. Knapsack algorithms
Encryption - ok, Decryption ?
[From B.Schneier]

20. Knapsack algorithms
[From B.Schneier]

21. Knapsack algorithms
[From B.Schneier]

22. Knapsack algorithms
[From B.Schneier]

23. Knapsack algorithms
[From B.Schneier]

24. Knapsack algorithms
[From B.Schneier]

25. Knapsack algorithms What sizes of keys to use?
Numbers in (superincreasing sequence) 200 to 400 bits
modulus m to 200 bits
Unfortunately Merkle-Hellman (and quite a number of other)
knapsack schemas are already broken...
Few knapsack variations (Chor-Rivest) still are not broken, but
probably can not be particularly recommended...

26. Diffie-Hellman (key-exchange algorithm)
First public-key algorithm ever invented (1976)
n - prime, g - number such that gcd(g,n) =1
Alice: chooses random large x, sends X = gx mod n
Bob: chooses random large y, sends Y = gy mod n
Alice, Bob: compute k = Yx mod n and k' = Xy mod n

27. RSA Asymmetric cryptographic algorithm published in 1978
The most popular asymmetric algorithm used today
Now free to use – patent expired in 2000
Relies on the hardness of factoring a number consisting of two primes
Actually invented by Cocks (from UK) in 1973,
unfortunately the work was classified...

28. RSA

29. RSA

30. RSA - The authors
[From Information Security Group, ICU]

31. The RSA public-key cryptosystem
p,q - two large primes (100 digits or more)
n = pq
e - small odd integer that is relatively prime to
(p – 1)(q – 1)
d - integer such that de  1 (mod (p – 1)(q – 1))
(it can be shown that it always exists)
P = (e,n) - public key
S = (d,n) - secret key
Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)
It works!

32. RSA - Correctness
n = pq
e - odd and relatively prime to (p – 1)(q – 1)
d - such that de  1(mod (p – 1)(q – 1))
P(M) = Me (mod n), S(C) = Cd (mod n)
P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k (p – 1)(q – 1)
M  0 (mod p)  Med  M(Mp–1)k(q–1) (mod p)
 M(1)k(q–1) (mod p)
 M (mod p)
M  0 (mod p)  Med  M (mod p)

33. RSA - Correctness
Med  M (mod p)
Med  M (mod q)
Thus Med  M (mod n)

34. RSA - Complexity Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)

35. RSA - Speed
[From B.Schneier]

36. RSA - Speed
[From B.Schneier]

37. RSA - Speed
[From B.Schneier]

38. Attacks on RSA

39. RSA Challange
[From Information Security Group, ICU]

40. RSA Challange
[From wikipedia.org]

41. Security assumptions for “textbook algorithms”

42. Attacks on RSA – “small” messages
Finding m is trivial, if c = me mod n = me.
If m is known to have a small finite set of values (e.g. 4 digit PIN),
The value of m can be found by trying all possible values 

43. Attacks on RSA – “small” messages
E.g., what happens if we
will directly encrypt 56 bit DES key ?
[From W.Mao]

44. Attacks on RSA

45. Common modulus attack

46. Don’t sign with encryption key 

47. Attacks on RSA

48. RSA - Choice of p and q r - a prime factor of p
[From Information Security Group, ICU]

49. RSA and PKCS standard Encryption: (PKCS #1 v1.5, RFC 2313)
first 0: to guarantee x < n
2: indicates encryption
second 0: indicates end of padding
Protects against:
guessable message attacks (e.g., a yes/no message)
cube root problem, for e = 3
broadcast problem, for e = 3
random non-zero octets 00 02
data
1 byte each
1 byte
≥ 8 bytes
CS519, © A.Selcuk

50. RSA and PKCS standard
PKCS #1 v2.2
RSA EME-OAEP mode

51. Bit security of RSA The following two problems are equally hard:
given the RSA encryption of a message, retrieve the message
given the RSA encryption of a message, retrieve the least
significant bit of the message

52. ElGamal
[From B.Schneier]

53. ElGamal
[From B.Schneier]

54. Elliptic Curve Cryptography
Fq - a finite field (q = pm)
a,b Fq
Consider all pairs (x,y) such that
y2 = x3 + ax + b
The number of such points lies between (q1/21)2 and (q1/2+1)2
This set of point is a group (with a bit tricky to define group operation :)
The best known algorithms for discrete logarithm problem in
such groups require time q1/2

55. Elliptic Curve Cryptography
Emerging public key cryptography standard for constrained devices.
160 bit key length is equivalent in cryptographic strength to 1024-bit RSA.
313 bit ECC is equivalent to 4096 bit RSA
As algebraic/geometric entities have been studied extensively for the past 150 years.
Rich and deep theory suitable to cryptography
First proposed for cryptographic usage in 1985 independently by Neal Koblitz and Victor Miller
[From E.Savas]

56. Rabin's scheme Michael Rabin 1979
The Rabin cryptosystem is an asymmetric cryptographic technique,
whose security, like that of RSA, is related to the difficulty of
factorization. However the Rabin cryptosystem has the advantage
that the problem on which it relies has been proved to be as hard as
integer factorization, which is not currently known to be true of the
RSA problem. It has the disadvantage that each output of the Rabin
function can be generated by any of four possible inputs; if each
output is a ciphertext, extra complexity is required on decryption
to identify which of the four possible inputs was the true plaintext.
[From

57. Rabin's scheme

58. Rabin's scheme Choose two large distinct primes p and q.
One may choose Blum integers to simplify the computation of square
roots modulo p and q. But the scheme works with any primes.
Let n=p*q. Then n is the public key.
The primes p and q are the private key.
To encrypt a message only the public key n is needed.
To decrypt a ciphertext the factors p and q of n are necessary.
[From

59. Rabin's scheme

60. Rabin's scheme

61. Rabin's scheme For the same reason decryption assistance
immediately factors n 
(Chosen plaintext attack)

62. Rabin's scheme Encryption: C = M2 mod n Decryption? Decryption:
m1 = C(p+1)/4 mod p
m2 = (p C(p+1)/4)mod p
m3 = C(q+1)/4 mod q
m4 = (q C(q+1)/4) mod q
a = q (q1 mod p), b = p (p1 mod q)
a + b = kq + lp = 1 (mod n)
M1 = (am1+bm3)mod n
M2 = (am1+bm4)mod n
M3 = (am2+bm3)mod n
M4 = (am2+bm4)mod n

63. Rabin's scheme