module 4

The document discusses private and public key cryptography, highlighting the differences between symmetric and asymmetric systems. Public-key cryptography, introduced by Diffie and Hellman, uses a pair of keys for secure communication and digital signatures, addressing key distribution and message verification. It details the RSA algorithm, its key generation, encryption/decryption processes, and security considerations, along with the Diffie-Hellman key exchange method for establishing shared keys over public channels.

Uploaded by

xt PAVAN

Module 4-

Quote of the day


“Education is not the learning of facts but
training of the mind to think”.
― Albert Einstein
Private-Key Cryptography
traditional private/secret/single key
cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are
compromised
also is symmetric, parties are equal
hence does not protect sender from receiver
forging a message & claiming is sent by sender
Public-Key Cryptography
probably most significant advance in the
3000 year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number
theoretic concepts to function
complements rather than replaces private
key crypto
Why Public-Key
Cryptography?
developed to address two key issues:
● key distribution – how to have secure communications
in general without having to trust a KDC with your key
● digital signatures – how to verify a message comes intact
from the claimed sender
public invention due to Whitfield Diffie & Martin
Hellman at Stanford University in 1976
● known earlier in classified community
Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
● a public-key, which may be known by anybody, and can be used to
encrypt messages, and verify signatures
● a related private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures
infeasible to determine private key from public
is asymmetric because
● those who encrypt messages or verify signatures cannot decrypt
messages or create signatures
Public-Key Cryptography
Public-Key Cryptography:Ingredients
• Public-key encryption scheme has six ingredients
– Plaintext
– Encryption algorithm
– Public and private keys
– Ciphertext
– Decryption algorithm

Public-Key Cryptography: essential steps
1. Each user generates a pair of keys to be used for the encryption
and decryption of messages.
2. Each user places one of the two keys in a public register or other
accessible file. This is the public key. The companion key is kept
private. Each user maintains a collection of public keys obtained
from others.
3. If Bob wishes to send a confidential message to Alice, Bob
encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her
private key. No other recipient can decrypt the message because
only Alice knows Alice’s private key.

Symmetric vs Public-Key
Public-Key Cryptography
Public-Key Cryptosystems
Public-Key Cryptosystems: Authentication and Secrecy
Public-Key Applications
can classify uses into 3 categories:
● encryption/decryption (provide secrecy)
● digital signatures (provide authentication)
● key exchange (of session keys)
some algorithms are suitable for all uses,
others are specific to one
Public-Key Requirements
Public-Key algorithms rely on two keys where:
● it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
● it is computationally easy to en/decrypt messages when the
relevant (en/decrypt) key is known
● either of the two related keys can be used for encryption,
with the other used for decryption (for some algorithms)
these are formidable requirements which only a
few algorithms have satisfied
Public-Key Requirements
need a trapdoor one-way function
one-way function has
● Y = f(X) easy
● X = f^-1(Y) infeasible
a trap-door one-way function has
● Y = f_k(X) easy, if k and X are known
● X = f_k^-1(Y) easy, if k and Y are known
● X = f_k^-1(Y) infeasible, if Y known but k not known
a practical public-key scheme depends on a suitable trap-door one-way function
Security of Public Key Schemes
like private key schemes brute force exhaustive search
attack is always theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty
between easy (en/decrypt) and hard (cryptanalyse)
problems
more generally the hard problem is known, but is made
hard enough to be impractical to break
requires the use of very large numbers
hence is slow compared to private key schemes
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over
integers modulo a prime
● nb. exponentiation takes O((log n)^3) operations (easy)
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
● nb. factorization takes O(e^(log n log log n)) operations (hard)
RSA En/decryption
to encrypt a message M the sender:
● obtains public key of recipient PU={e,n}
● computes: C = M^e mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
● uses their private key PR={d,n}
● computes: M = C^d mod n
note that the message M must be smaller than the
modulus n (block if needed)
RSA Key Setup
each user generates a public/private key pair by:
selecting two large primes at random: p, q
computing their system modulus n=p.q
● note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
● where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
● e.d=1 mod ø(n) and 0≤d≤n, gcd(d,ø(n))=1
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
Why RSA Works
because of Euler's Theorem:
● a^ø(n) mod n = 1 where gcd(a,n)=1
in RSA have:
● n=p.q
● ø(n)=(p-1)(q-1)
● carefully chose e & d to be inverses mod ø(n)
● hence e.d=1+k.ø(n) for some k
hence:
C^d = M^(e.d) = M^(1+k.ø(n)) = M^1.(M^ø(n))^k
= M^1.(1)^k = M^1 = M mod n
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de≡1 mod 160 and d < 160. Value is d=23 since 23x7=161=1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 88^7 mod 187 = 11
decryption:
M = 11^23 mod 187 = 88
Exponentiation
can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to
compute the result
look at binary representation of exponent
● eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
● eg. 3^129 ≡ 3^128.3^1 ≡ 5.3 mod 11 ≡ 15 mod 11 ≡ 4 mod 11
Exponentiation
c = 0; f = 1
for i = k downto 0
    do c = 2 x c
       f = (f x f) mod n
       if b_i == 1 then
           c = c + 1
           f = (f x a) mod n
return f
Exponentiation
• We wish to compute, say, a^b mod p: convert b to binary bits b_i
• Initially assume c=0 and f=1
• Check b_i=1 then c=c+1 and f = f x a mod p
• c = c x 2; f = f x f mod p
• Now to compute 3^97 mod 353, a=3 and b=97

2^i    64    32    16     8     4     2     1
b_i     1     1     0     0     0     0     1
c       1     3     6    12    24    48    97
f       3    27    23   176   265   331    40

• Column wise computations are described in next slide
Modular exponentiation column wise computations
64 32 16 8 4 2 1
bi 1 1 0 0 0 0 1
c 1 3 6 12 24 48 97
f 3 27 23 176 265 331 40
• Initially c=0,f=1. Start from MSB i.e. 7th bit of binary (column numerical 64) bi=1,c=c+1=1,
f=1x3=3
• Then compute c=1 x 2=2, f=f x f mod 353= 3 x 3 mod 353 =9
• 6th bit of binary (column numerical 32) bi=1,c=2+1=3, f=9x3=27 mod 353.
• c=6, f=27 x 27 mod 353 =23 next bit =0 update the column with c=6 and f=23
• c=12, f=23 x 23 mod 353 = 176 next bit =0 update the column with c=12 and f=176
• c=24, f=176 x 176 mod 353 =265 next bit =0 update the column with c=24 and f=265
• c=48, f=265 x 265 mod 353 =331 next bit =0 update the column with c=48 and f=331
• c=96 and f=331 x 331 mod 353=131 next bit =1 so
• c=c+1=96+1=97 and f=f x a = 131 x 3 mod 353 =393 mod 353 =40
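The square-and-multiply procedure traced above, as an added Python example (not from the original slides; the function names are assumptions). It records the (b_i, c, f) columns after each exponent bit so the output can be compared with the table, and counts modular multiplications to show the saving over b-1 repeated multiplications.

```python
def square_and_multiply(a, b, n):
    """Compute a^b mod n scanning the bits of b from the MSB.

    Returns (result, trace, multiplications); trace holds one (bit, c, f)
    row per exponent bit, matching the columns of the slide's table.
    """
    c, f = 0, 1 % n
    trace, mults = [], 0
    for bit in bin(b)[2:]:               # binary digits b_k ... b_0
        c = 2 * c
        f = (f * f) % n                  # always square
        mults += 1
        if bit == "1":                   # data-dependent branch on the exponent bit
            c += 1
            f = (f * a) % n              # multiply only when the bit is set
            mults += 1
        trace.append((int(bit), c, f))
    return f, trace, mults


def format_trace(trace):
    """Render the trace as the three-row table used on the slides."""
    rows = (("b_i", 0), ("c", 1), ("f", 2))
    return "\n".join(
        name.ljust(4) + "".join(str(row[i]).rjust(5) for row in trace)
        for name, i in rows
    )


if __name__ == "__main__":
    for a, b, n in ((3, 97, 353), (3, 233, 353)):   # the two traces on the slides
        result, trace, mults = square_and_multiply(a, b, n)
        print(f"{a}^{b} mod {n} = {result}  ({mults} modular multiplications)")
        print(format_trace(trace))
        assert result == pow(a, b, n)               # cross-check with the built-in
```

The `if bit == "1"` branch does extra work only for set exponent bits, which is the kind of instruction-level variation the timing-attack slide refers to.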

Exponentiation
• Compute modular exponentiation for 7^560 mod 561
• Compute modular exponentiation for 3^233 mod 253

2^i   128    64    32    16     8     4     2     1
b_i     1     1     1     0     1     0     0     1
c       1     3     7    14    29    58   116   233
f       3    27    69   172   149   315    32   248
Efficient Encryption
encryption uses exponentiation to power e
hence if e small, this will be faster
● often choose e=65537 (2^16+1)
● also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
● using Chinese remainder theorem & 3 messages with
different moduli
if e fixed must ensure gcd(e,ø(n))=1
● i.e. reject any p or q not relatively prime to e
Efficient Decryption
decryption uses exponentiation to power d
● this is likely large, insecure if not
can use the Chinese Remainder Theorem (CRT) to
compute mod p & q separately. then combine to get
desired answer
● approx 4 times faster than doing directly
only owner of private key who knows values of p & q can
use this technique
RSA Key Generation
users of RSA must:
● determine two primes at random - p, q
● select either e or d and compute the other
primes p,q must not be easily derived from
modulus n=p.q
● means must be sufficiently large
● typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse
algorithm to compute the other
RSA Security
possible approaches to attacking RSA are:
● brute force key search - infeasible given size of
numbers
● mathematical attacks - based on difficulty of computing
ø(n), by factoring modulus n
● timing attacks - on running of decryption
● chosen ciphertext attacks - given properties of RSA
Factoring Problem
mathematical approach takes 3 forms:
● factor n=p.q, hence compute ø(n) and then d
● determine ø(n) directly and compute d
● find d directly
currently believe all equivalent to factoring
● have seen slow improvements over the years
•as of May-05 best is 200 decimal digits (663 bits) with LS
● biggest improvement comes from improved algorithm
•GNFS to SNFS
● currently assume 1024-2048 bit RSA is secure
•ensure p, q of similar size and matching other constraints
Progress in Factoring
Timing Attacks
developed by Paul Kocher in mid-1990’s
exploit timing variations in operations
● eg. multiplying by small vs large number
● or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
● use constant exponentiation time
● add random delays
● blind values used in calculations
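Two of the points above in one added Python example (not from the original slides): decryption via the Chinese Remainder Theorem from the Efficient Decryption slide, and the "blind values" countermeasure from this slide. It reuses the toy key p=17, q=11, e=7, d=23 from the RSA example; the function names are assumptions, and `pow(x, -1, m)` needs Python 3.8 or later.

```python
import secrets
from math import gcd

P, Q, E, D = 17, 11, 7, 23          # toy key from the slides' RSA example
N = P * Q


def decrypt_direct(c):
    """Plain decryption: M = C^d mod n."""
    return pow(c, D, N)


def decrypt_crt(c):
    """Decrypt mod p and mod q separately, then recombine (Garner's formula).

    Only the key owner can do this, because it needs p and q.
    """
    dp, dq = D % (P - 1), D % (Q - 1)       # reduced exponents
    q_inv = pow(Q, -1, P)                   # q^-1 mod p
    mp = pow(c % P, dp, P)                  # M mod p
    mq = pow(c % Q, dq, Q)                  # M mod q
    h = (q_inv * (mp - mq)) % P
    return mq + h * Q                       # unique value in [0, n)


def decrypt_blinded(c):
    """Decrypt C.r^e instead of C, then strip r, so the private-key
    exponentiation never runs on a value the sender chose."""
    while True:
        r = secrets.randbelow(N - 2) + 2    # random r in [2, n-1]
        if gcd(r, N) == 1:                  # r must be invertible mod n
            break
    blinded = (c * pow(r, E, N)) % N        # C' = C.r^e mod n
    m_times_r = pow(blinded, D, N)          # (C')^d = M.r mod n
    return (m_times_r * pow(r, -1, N)) % N  # M = (M.r).r^-1 mod n


def all_methods_agree():
    """Every ciphertext 0 <= C < n decrypts identically by all three routes."""
    return all(
        decrypt_direct(c) == decrypt_crt(c) == decrypt_blinded(c)
        for c in range(N)
    )


if __name__ == "__main__":
    c = 11                                   # ciphertext of M = 88 on the slides
    print("direct :", decrypt_direct(c))
    print("CRT    :", decrypt_crt(c))
    print("blinded:", decrypt_blinded(c))
    print("all ciphertexts agree:", all_methods_agree())
```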
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• attacker chooses ciphertexts & gets decrypted plaintext back
• choose ciphertext to exploit properties of RSA to provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding (OAEP)
Optimal Asymmetric Encryption Padding (OAEP)
Diffie-Hellman Key Exchange Algorithm
Preliminaries
Diffie-Hellman Key Exchange
a public-key distribution scheme
● cannot be used to exchange an arbitrary message
● rather it can establish a common key
● known only to the two participants
value of key depends on the participants (and their private and public key information)
Diffie-Hellman Key Exchange
Derivation of shared secret is based on
exponentiation in a finite (Galois) field (modulo a
prime or a polynomial)
- easy
security relies on the difficulty of working backward
to get secrets by computing discrete logarithms
(similar to factoring)
– hard
Diffie-Hellman Key Exchange Algorithm
Color Mixing Example
The Problem of Key Exchange
• One of the main problems of symmetric key encryption
is it requires a secure & reliable channel for the shared
key exchange.

• The Diffie-Hellman Key Exchange protocol offers a way in which a public channel can be used to create a confidential shared key.
Modular what?
• In practice the shared encryption key relies on such complex concepts as Modular Exponentiation, Primitive Roots and Discrete Logarithm Problems.
• Let’s see though if we can explain the Diffie-Hellman algorithm with no complex mathematics.
A Difficult One-Way Problem
• The first thing we require is a simple real-world
operation that is easy to Do but hard to Undo.
– You can ring a bell but not unring one.
– Toothpaste is easy to squeeze out of a tube but famously
hard to put back in.

• In our example we will use Mixing Colors.
– Easy to mix 2 colors, hard to unmix
Diffie-Hellman Key Exchange
Adding Mathematics
Let’s get back to math
• We will rely on the formula below being an easy problem in one direction and hard in reverse.
• s = g^n mod p
– Easy: given g, n, & p, solve for s
– Hard: given s, g, & p, solve for n
• And the property of
– g^(a*b) mod p = g^(b*a) mod p
Step 1 –Publicly shared information
• Alice & Bob publicly agree to a large prime number
called the modulus, or p.
• Alice & Bob publicly agree to a number called the
generator, or g, which has a primitive root relationship
with p.
• In our example we’ll assume
– p = 17
– g=3
• Eve is aware of the values of p and g.
Step 2 – Select a secret key
• Alice selects a secret key, which we will call a.
• Bob selects a secret key, which we will call b.
• For our example assume:
– a = 54
– b = 24
• Eve is unaware of the values of a or b.
Step 3 – Combine secret keys with public
information
• Alice combines her secret key of a with the public
information to compute A.
– A = g^a mod p
– A = 3^54 mod 17
– A = 15
Step 3 – Combine secret key with public information
• Bob combines his secret key of b with the public information to compute B.
– B = g^b mod p
– B = 3^24 mod 17
– B = 16
Step 4 – Share combined values
• Alice shares her combined value, A, with Bob. Bob
shares his combined value, B, with Alice.
• Sent to Bob
– A = 15
• Sent to Alice
– B = 16
• Eve is privy to this exchange and knows the values of A
and B
Step 5 – Compute Shared Key

• Alice computes the shared key.
– s = (B mod p)^a mod p
– s = g^(b*a) mod p
– s = 3^(54*24) mod 17
– s = 1
• Bob computes the shared key.
– s = (A mod p)^b mod p
– s = g^(a*b) mod p
– s = 3^(24*54) mod 17
– s = 1
Alice & Bob have a shared encryption key,
unknown to Eve
• Alice & Bob have created a shared secret key, s,
unknown to Eve
• In our example s=1
• The shared secret key can now be used to encrypt &
decrypt messages by both parties.
• See the YouTube video on this example at:
https://www.youtube.com/watch?v=3QnD2c4Xovk
Key Exchange Protocol
• Insecure against a
man in the middle
attack

Man-in-the-Middle Attack
• Bob and Alice think that they
share a secret key, but instead
Bob and Darth share secret
key K1 and Alice and Darth
share secret key K2.

Pr. If Alice and Bob agree on the prime number p=7 and g=3, the primitive root of 7, then compute the secret key that they share using the Diffie-Hellman key exchange algorithm. (Assume XA=2, XB=5)
• Alice combines her private key XA with the public information to compute YA
– YA = g^XA mod p
– YA = 3^2 mod 7
– YA = 9 mod 7 = 2
• Bob combines his private key XB with the public information to compute YB.
– YB = g^XB mod p
– YB = 3^5 mod 7
– YB = 243 mod 7 = 5
• Alice shares her combined value, YA=2, with Bob. Bob shares his combined value, YB=5, with Alice.
• Alice computes secret key
– s = (YB mod p)^XA mod p = 5^2 mod 7
• Bob computes secret key
– s = (YA mod p)^XB mod p = 2^5 mod 7
Pr. If Alice and Bob agree on the prime number p=353 and g=3, the primitive root of 353, then compute the secret key that they share using the Diffie-Hellman key exchange algorithm. (Assume XA=97, XB=233)
• Alice combines her private key XA with the public information to compute YA
– YA = g^XA mod p
– YA = 3^97 mod 353 = 40
– Use modular exponentiation algorithm to solve this
• We wish to compute, say, a^b mod p: convert b to binary bits b_i
• Initially assume c=0 and f=1
• Check b_i=1 then c=c+1 and f = f x a mod p
• c = c x 2; f = f x f mod p
• Now to compute 3^97, a=3 and b=97

2^i    64    32    16     8     4     2     1
b_i     1     1     0     0     0     0     1
c       1     3     6    12    24    48    97
f       3    27    23   176   265   331    40

• Column wise computations are described in next slide
Modular exponentiation column wise computations
64 32 16 8 4 2 1
bi 1 1 0 0 0 0 1
c 1 3 6 12 24 48 97
f 3 27 23 176 265 331 40

• Initially c=0,f=1. Start from MSB i.e. 7th bit of binary (column numerical 64) bi=1,c=c+1=1,
f=1x3=3
• Then compute c=1 x 2=2, f=f x f mod 353= 3 x 3 mod 353 =9
• 6th bit of binary (column numerical 32) bi=1,c=2+1=3, f=9x3=27 mod 353.
• c=6, f=27 x 27 mod 353 =23 next bit =0 update the column with c=6 and f=23
• c=12, f=23 x 23 mod 353 = 176 next bit =0 update the column with c=12 and f=176
• c=24, f=176 x 176 mod 353 =265 next bit =0 update the column with c=24 and f=265
• c=48, f=265 x 265 mod 353 =331 next bit =0 update the column with c=48 and f=331
• c=96 and f=331 x 331 mod 353=131 next bit =1 so
• c=c+1=96+1=97 and f=f x a = 131 x 3 mod 353 =393 mod 353 =40

Pr. If Alice and Bob agree on the prime number p=353 and g=3, the primitive root of 353, then compute the secret key that they share using the Diffie-Hellman key exchange algorithm. (Assume XA=97, XB=233)
• Bob combines his private key XB with the public information to compute YB.
– YB = g^XB mod p
– YB = 3^233 mod 353 = 248
• Now to compute 3^233, a=3 and b=233
• Initially assume c=0 and f=1
• Check b_i=1 then c=c+1 and f = f x a mod p
• c = c x 2; f = f x f mod p

2^i   128    64    32    16     8     4     2     1
b_i     1     1     1     0     1     0     0     1
c       1     3     7    14    29    58   116   233
f       3    27    69   172   149   315    32   248

• For secret key computation see next slide
Pr. If Alice and Bob agree on the prime number p=353 and g=3, the primitive root of 353, then compute the secret key that they share using the Diffie-Hellman key exchange algorithm. (Assume XA=97, XB=233)
• Alice shares her combined value, YA=40, with Bob. Bob shares his combined value, YB=248, with Alice.
• Alice computes secret key (use modular exponentiation algorithm to compute)
– s = (YB mod p)^XA mod p = 248^97 mod 353 = 160

b_i     1     1     0     0     0     0     1
c       1     3     6    12    24    48    97
f     248   215   335   324   135   222   160

• Bob computes secret key (use MEA to compute exponentiation)
– s = (YA mod p)^XB mod p = 40^233 mod 353 = 160

b_i     1     1     1     0     1     0     0     1
c       1     3     7    14    29    58   116   233
f      40   107   119    41   170   307   351   160
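The three Diffie-Hellman exchanges worked above (p=17, p=7 and p=353), as an added Python example that is not part of the original slides. The range check 2 ≤ Y ≤ p-2 on received public values is a commonly used validation that the slides do not mention, and the function names are assumptions; it shows why the p=17 example ends with the degenerate key s=1.

```python
def dh_public(g, x, p):
    """Y = g^X mod p, the value sent over the public channel."""
    return pow(g, x, p)


def dh_shared(peer_public, x, p):
    """s = (peer's Y)^X mod p, computed privately by each side."""
    return pow(peer_public, x, p)


def public_value_ok(y, p):
    """Range check on a received value: rejects 0, 1 and p-1, whose powers
    can only ever be 0, 1 or p-1 whatever the private exponent is."""
    return 2 <= y <= p - 2


def order_mod_p(y, p):
    """Multiplicative order of y modulo a prime p, by brute force (toy sizes only)."""
    if y % p == 0:
        raise ValueError("0 has no multiplicative order")
    k, t = 1, y % p
    while t != 1:
        t = (t * y) % p
        k += 1
    return k


def exchange(p, g, xa, xb):
    """Run both sides of the exchange and report what a receiver-side check sees."""
    ya, yb = dh_public(g, xa, p), dh_public(g, xb, p)
    s_alice = dh_shared(yb, xa, p)          # Alice uses Bob's public value
    s_bob = dh_shared(ya, xb, p)            # Bob uses Alice's public value
    if s_alice != s_bob:
        raise AssertionError("both sides must derive the same key")
    return {
        "YA": ya, "YB": yb, "s": s_alice,
        "YA_ok": public_value_ok(ya, p),
        "YB_ok": public_value_ok(yb, p),
        "order_YB": order_mod_p(yb, p),
        "s_ok": public_value_ok(s_alice, p),
    }


if __name__ == "__main__":
    # (p, g, private A, private B) exactly as given in the slides
    for params in ((17, 3, 54, 24), (7, 3, 2, 5), (353, 3, 97, 233)):
        print(params, exchange(*params))
    # In the p=17 case B = 16 = p-1 has order 2, so B^a can only be 1 or 16:
    # a receiver applying the range check would reject it before deriving s.
```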
Elliptic curve cryptography
Mathematical concepts
Graphical Representation
[Figure: graph of a curve, with X axis and Y axis]
Curves of this nature are called ELLIPTIC CURVES
What exactly is an elliptic curve?

• Let a ∈ ℝ, b ∈ ℝ, be constants such that 4a³ + 27b² ≠ 0. A non-singular elliptic curve is the set E of solutions (x,y) ∈ ℝ × ℝ to the equation:
y² = x³ + ax + b
together with a special point O called the point at infinity.
Singular Elliptic Curve

• If 4a³ + 27b² = 0, then we have a singular elliptic curve
• This could potentially lead to not having 3 distinct roots
• Therefore, we must deal with non-singular elliptic curves with the condition 4a³ + 27b² ≠ 0, in order to assure that we have 3 distinct roots.
• This will allow us to establish the fact that the solution set E
forms an Abelian group.
Elliptic Curve on a finite set of Integers
• Consider y² = x³ + 2x + 3 (mod 5)
x = 0 ⇒ y² = 3 ⇒ no solution (mod 5)
x = 1 ⇒ y² = 6 = 1 ⇒ y = 1,4 (mod 5)
x = 2 ⇒ y² = 15 = 0 ⇒ y = 0 (mod 5)
x = 3 ⇒ y² = 36 = 1 ⇒ y = 1,4 (mod 5)
x = 4 ⇒ y² = 75 = 0 ⇒ y = 0 (mod 5)
• Then points on the elliptic curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and the point at infinity: ∞
Using the finite fields we can form an Elliptic Curve Group where we also have a DLP problem which is harder to solve…
What is a Group?
• Suppose we have any binary operation, such as addition (+), that is
defined for every element in a set G, which is denoted (G, +)
• Then G is a group with respect to addition if the following conditions
hold:
1.) G is closed under addition: x ∈ G, y ∈ G,
imply x + y ∈ G
2.) + is associative. For all x, y, z, ∈ G,
x + (y + z) = (x + y) + z
3.) G has an identity element e. There is an e in G such that x + e = e +
x = x for all x ∈ G.
4.) G contains inverses. For each x ∈ G, there exists y ∈ G, such that x
+ y = y + x = e.
What is an Abelian Group

• An Abelian group contains all the rules of a group, but also must meet the following criteria:
5.) + is commutative. For all x ∈ G, y ∈ G, x + y = y + x.
3 Cases for Solutions
• Suppose P, Q ∈ E, where P = (x1,y1) and Q = (x2,y2), we
must consider three cases:
1.) x1 ≠ x2
2.) x1 = x2 and y1 = - y2
3.) x1 = x2 and y1 = y2

• These cases must be considered when defining “addition” for our solution set
Defining Addition on E: Case 1
For the case x1 ≠ x2, addition is defined as follows:

(x1,y1) + (x2,y2) = (x3,y3) ∈ E where

x3 = λ² - x1 - x2
y3 = λ(x1 – x3) - y1, and
λ = (y2 – y1) / (x2 – x1)
Defining Addition on E : Case 2
For the case x1 = x2 and y1 = - y2 , addition is defined as
follows:

(x1,y1) + (x2,y2) = (x3,y3) ∈ E where

(x,y) + (x,-y) = O, the point at infinity


Defining Addition on E : Case 3
For the case x1 = x2 and y1 = y2, addition is defined as
follows:

(x1,y1) + (x2,y2) = (x3,y3) ∈ E where

x3 = λ² - x1 - x2
y3 = λ(x1 – x3) - y1, and
λ = (3x1² + a) / (2y1)
Defining the Identity
• The point at infinity O, is the identity element. P + O = O + P = P, for all P
∈ E.
• From Case 2, and the Identity Element, we now have the existence of
inverses
• Beyond the scope here to prove that we have commutativity and
associativity as well
• Therefore the set of solutions E, forms an Abelian group (Importance of
this will be shown later)
Elliptic Curves modulo p
• Let p > 3 be prime. The elliptic curve y² = x³ + ax + b over ℤp is the
set of solutions (x,y) ∈ ℤp
y² ≡ x³ + ax + b (mod p)
where a ∈ ℤp, b ∈ ℤp, are constants such that 4a³ + 27b² ≢ 0 (mod
p), together with a special point O called the point at infinity.
• Solutions still form an Abelian group
Examples
Elliptic Curve Picture
• Consider elliptic curve E: y² = x³ - x + 1
• If P1 and P2 are on E, we can define P3 = P1 + P2 as shown in picture
• Addition is all we need
[Figure: curve E in the x-y plane with points P1, P2 and P3 marked]
Addition in Affine Co-ordinates
Let P≠Q,
y = m(x-x1) + y1
y² = x³ + Ax + B
Doubling of a point
• Let P=Q
• What happens when P2=∞?
Why do we need the reflection?
P2 = O = ∞
P1 = P1 + O = P1
Sum of two points
Define for two points P (x1,y1) and Q (x2,y2) in the Elliptic curve

Then P+Q is given by R(x3,y3) :


Point at infinity O

P+P = 2P

As a result of the above case P=O+P


O is called the additive identity of the
elliptic curve group.
Hence all elliptic curves have an
additive identity O.
So now for an example

• Let’s examine the following elliptic curve as an example:
y² = x³ + x + 6 over ℤ11

x                   0    1    2    3    4    5    6    7    8    9    10
x³ + x + 6 mod 11   6    8    5    3    8    4    8    4    9    7    4
QR?                 N    N    Y    Y    N    Y    N    Y    Y    N    Y
y                   -    -    4,7  5,6  -    2,9  -    2,9  3,8  -    2,9
Generating our group
• From the previous slide we have 13 points on the curve y² = x³ + x
+ 6 over ℤ11 including the point at infinity O.
• Since the O(E) is prime, the group is cyclic.
• We can generate the group by choosing any point other than the point at infinity.
• Let our generator = α = (2,7); now to get 2α
Multiplicative inverse of 3 mod 11 is 4
∴ 2α = (5,2)
The Group
We can generate this by using the rules of addition we defined earlier, where 3α = α + 2α, α = (2,7), 2α = (5,2)
∴ 3α = (8,3). Likewise
4α = (10,2) 5α = (3,6) 6α = (7,9)
7α = (7,2) 8α = (3,5) 9α = (10,9)
10α = (8,8) 11α = (5,9) 12α = (2,4)
Elliptic curve cryptography

Encryption and Decryption


Analog of Diffie-Hellman Key Exchange
ECC
• Consider the equation Q = kP where Q, P ∈ Ep(a, b) and k < p.
• It is relatively easy to calculate Q given k and P, but it is hard
to determine k given Q and P.
• This is called the discrete logarithm problem for elliptic
curves.
• In previous slide we computed α = (2,7), 9α = (10,9)
• If P= α and Q= 9α Because 9P = (10, 9) = Q, the discrete
logarithm Q = (10, 9) to the base P = (2, 7) is k = 9.
• In a real application, k would be so large as to make the
brute force approach infeasible.

Diffie Hellman Key exchange using ECC
• First pick a large integer q, which is either a prime number or an integer of the form 2^m, and elliptic curve parameters a and b.
• This defines the elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a very large value n.
• The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. Eq(a, b) and G are parameters of the cryptosystem known to all participants.
Diffie Hellman Key exchange using ECC
• Alice selects an integer XA less than n. This is Alice’s
private key.
• Alice then generates a public key PA = XA * G; the
public key is a point in Eq(a, b).
• Bob similarly selects a private key XB and computes a
public key PB.
• Alice generates the secret key k = XA * PB.
• Bob generates the secret key k = XB * PA.
• The two calculations in step 3 produce the same result
because
• XA * PB = XA * (XB * G) = XB * (XA * G) = XB * PA
Diffie Hellman Key exchange using ECC
• As an example, take q = 211; Eq(0,-4), which is equivalent to the curve y² = x³ - 4; and G = (2, 2).
• One can calculate that 240G = O.
• A’s private key is XA = 121, so A’s public key is PA = 121(2, 2) = (115, 48).
• B’s private key is XB = 203, so B’s public key is 203(2, 2) = (130, 203).
• The shared secret key is 121(130, 203) = 203(115, 48) = (161, 69)
Elliptic Curve Encryption
• The first task in this system is to encode the plaintext
message m to be sent as an (x, y) point Pm.
• As with the key exchange system, an encryption/
decryption system requires a point G and an elliptic group
Eq(a, b) as parameters.
• Each user A selects a private key XA and generates a public
key PA = XA * G.
• To encrypt and send a message Pm to B, A chooses a
random positive integer k and produces the ciphertext Cm
• Cm = {kG, Pm + kPB}

Elliptic Curve Decryption
• To decrypt the cipher text, B multiplies the first point in the
pair by B’s private key and subtracts the result from the
second point
• Pm + kPB - XB(kG) = Pm + k(XBG) - XB(kG) = Pm
• For an attacker to recover the message, the attacker would
have to compute k given G and kG, which is assumed to be
hard.
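The elliptic-curve material above in one added Python example (not from the original slides): the three addition cases, scalar multiplication kP, the group generated by α = (2,7) on y² = x³ + x + 6 over ℤ11, the ECC Diffie-Hellman exchange, and the encryption/decryption pair Cm = {kG, Pm + kPB}. Function names, the choice Pm = (10,9), XB = 7 and k = 3 in the encryption demo are assumptions made for illustration; `pow(x, -1, p)` needs Python 3.8 or later.

```python
O = None                                    # the point at infinity (identity)


def ec_add(P, Q, a, p):
    """Add two points of y^2 = x^3 + a*x + b over Z_p (b does not appear)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:      # case 2: Q = -P
        return O
    if x1 == x2:                             # case 3: P = Q, tangent slope
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    else:                                    # case 1: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_neg(P, p):
    return O if P is O else (P[0], -P[1] % p)


def ec_mul(k, P, a, p):
    """kP by double-and-add, the additive analogue of square-and-multiply."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def curve_points(a, b, p):
    """All affine points, found by exhaustive search (small p only)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def ecdh(G, xa, xb, a, p):
    """Return (PA, PB, key derived by A, key derived by B)."""
    pa, pb = ec_mul(xa, G, a, p), ec_mul(xb, G, a, p)
    return pa, pb, ec_mul(xa, pb, a, p), ec_mul(xb, pa, a, p)


def ec_encrypt(Pm, k, G, PB, a, p):
    """Cm = {kG, Pm + k.PB}"""
    return ec_mul(k, G, a, p), ec_add(Pm, ec_mul(k, PB, a, p), a, p)


def ec_decrypt(Cm, xb, a, p):
    """Pm = (Pm + k.PB) - XB.(kG)"""
    kG, c2 = Cm
    return ec_add(c2, ec_neg(ec_mul(xb, kG, a, p), p), a, p)


if __name__ == "__main__":
    a, b, p, alpha = 1, 6, 11, (2, 7)        # curve and generator from the slides
    print("affine points:", curve_points(a, b, p))
    print("multiples of alpha:", [ec_mul(k, alpha, a, p) for k in range(1, 14)])
    # Exchange with the slides' parameters q = 211, E(0,-4), G = (2,2)
    print("ECDH:", ecdh((2, 2), 121, 203, 0, 211))
    PB = ec_mul(7, alpha, a, p)              # assumed private key XB = 7
    Cm = ec_encrypt((10, 9), 3, alpha, PB, a, p)
    print("Cm =", Cm, "-> Pm =", ec_decrypt(Cm, 7, a, p))
```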

Thank you
