Introduction to

Public key
Cryptography
Prof. Sugata Gangopadhyay
Department of Computer Science and
Engineering
Indian Institute of Technology Roorkee
Public key cryptosystems

We define a cryptosystem by a five-tuple of sets

(𝒫, 𝒞, 𝒦, ℰ, 𝒟) where
• 𝒫 is the set of all possible plaintexts;
• 𝒞 is the set of all possible ciphertexts;
• 𝒦 is the key-space consisting of all possible
keys;
• ℰ and 𝒟 are sets of encryption and decryption
functions, respectively.
Public key cryptosystems

• For each 𝐾 ∈ 𝒦, there exists an encryption

function 𝑒𝐾 : 𝒫 → 𝒞 and
• a decryption function 𝑑𝐾 : 𝒞 → 𝒫 such that
𝑑𝐾 𝑒𝐾 𝑥 = 𝑥, for all 𝑥 ∈ 𝒫.
 Public key cryptosystem
• In public key cryptosystems each key
has a public component and a private
(secret) component. That is, 𝐾 =
𝐾𝑝𝑢𝑏 , 𝐾𝑠𝑒𝑐 .
• Alice, the sender, computes the
encryption function exclusively using
the knowledge of 𝐾𝑝𝑢𝑏 ; so we write
𝑒𝐾 = 𝑒𝐾𝑝𝑢𝑏 .
 Public key cryptosystem
• The cryptosystem must be such that
without the knowledge of 𝐾sec , it is not
possible for anyone, including Alice, to
compute 𝑑𝐾 .
• The receiver, Bob, therefore, may
publish the public part of his key 𝐾𝑝𝑢𝑏 ,
and unlike secret-key cryptography,
need not share any secret key with Alice,
the sender.
Public key cryptosystem
• Alice encrypts a message 𝑚 to 𝑒𝐾𝑝𝑢𝑏 𝑚 and
sends to Bob. Since computing 𝑑𝐾 from 𝑒𝐾𝑝𝑢𝑏
is computationally infeasible, the encrypted
text is secure from all except the intended
receiver Bob who has the decryption function
𝑑𝐾 due to the privileged knowledge of 𝐾sec .

• Due to the use of a public key, we call this

model of encryption public-key cryptography
or asymmetric cryptography.
Diffie-Helman 1976

• Diffie and Hellman proposed the first public-key

encryption algorithms based on modular
exponentiation that is known as Diffie-Hellman
key exchange protocol.
Diffie-Hellman key exchange protocol
• Diffie-Hellman key exchange protocol uses
modular exponentiation in ℤ𝑝 for encryption of
plaintext where 𝑝 is a large prime.

• A generator of the group ℤ𝑝∗ is used as the public

key.

• The underlying intractable problem is called the

Discrete Logarithm Problem (DLP).
Description the Diffie-Hellman protocol
• Diffe-Hellamn Key Exchange Protocol
COMMON INPUT: 𝑝, 𝑔 : 𝑝 is a large prime, 𝑔 is a generator of ℤ∗𝑝
OUTPUT: An element in ℤ∗𝑝 shared between Alice and Bob
— Alice picks up 𝑎 ∈𝑈 1, 𝑝 − 1 ; computes 𝑔𝑎 ← 𝑔𝑎 (mod 𝑝); sends 𝑔𝑎 to Bob
— Bob picks up 𝑏 ∈𝑈 [1, 𝑝 − 1]; computes 𝑔𝑏 ← 𝑔𝑏 (mod 𝑝); sends 𝑔𝑏 to Alice
— Alice computes 𝑘 ← 𝑔𝑏𝑎 (mod 𝑝);
— Bob computes 𝑘 ← 𝑔𝑎𝑏 (mod 𝑝)

For Alice 𝑘 = 𝑔𝑏𝑎 (mod 𝑝) and for Bob 𝑘 = 𝑔𝑎𝑏 (mod 𝑝).
Since 𝑎𝑏 ≡ 𝑏𝑎 (mod 𝑝 − 1), the two parties have computed the same value.
Example: Diffie-Hellman protocol
• Let 𝑝 = 5 and 𝑔 = 2. Suppose Alice chooses 𝑎 = 2 and
sends
𝑔𝑎 = 22 mod 5 = 4
Suppose Bob chooses 𝑏 = 3 and sends 𝑔𝑏 = 23 mod 5 = 3
to Alice.

• Alice computes 𝑔𝑏2 mod 5 = 4, and Bob computes

𝑔𝑎3 mod 5 = 4.

• In this way Alice and Bob agrees upon the secret key 𝐾 = 4.
Security of Diffie-Hellman protocol
• Let 𝑝 be a prime number, 𝑔 ∈ ℤ𝑝∗ is a
generator, and ℎ = 𝑔𝑎 mod 𝑝.

• The problem of finding 𝑎 ∈ ℤ𝑝∗ given 𝑝, 𝑔

and ℎ is said to be Diffie-Hellman problem.
Security of Diffie-Hellman protocol
• It is generally assumed that Diffie-Hellman
problem is equivalent to the
Computational Diffie-Hellman problem
that is to find 𝑔𝑎𝑏 mod 𝑝 given
𝑝, 𝑔, 𝑔𝑎 mod 𝑝, and 𝑔𝑏 mod 𝑝, for any
choice 𝑎 and 𝑏 with 1 < 𝑎, 𝑏 < 𝑝 − 1.

• This is the theoretical basis of the security

of Diffie-Hellman protocol.
Rivest-Shamir-Adleman Cryptosystem

• In the year 1973, Clifford Cocks working at

Government Communications Headquarters
(GCHQ) of the United Kingdom discovered a public
key cryptosystem based on the difficulty of integer
factorization that is essentially the same as what is
now known as the Rivest-Shamir-Adleman (RSA)
cryptosystem.
Rivest-Shamir-Adleman Cryptosystem

• Cocks was influenced by a classified article on non-

secret encryption by James H. Ellis also working for the
GCHQ. Another cryptographer at GCHQ, Malcom J.
Williamson invented what is now known as Diffie-
Hellman key exchange in 1974.
• All these developments were classified by the British
government until 1997.
Rivest-Shamir-Adleman Cryptosystem
• In 1976, Diffie and Hellman proposed their key
exchange protocol.

• In 1978 Rivest, Shamir, and Adleman proposed RSA.

• In the next slide we will describe the RSA algorithm.

 RSA algorithm
Let 𝑛 = 𝑝𝑞 where 𝑝 and 𝑞 are primes. Let 𝒫 =
𝒞 = ℤ𝑛 , and define
𝒦 = 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 ∶ 𝑎𝑏 ≡ 1 mod 𝜙 𝑛
For 𝐾 = (𝑛, 𝑝, 𝑞, 𝑎, 𝑏), define
𝑒𝐾 𝑥 = 𝑥 𝑏 mod 𝑛
and
𝑑𝐾 𝑦 = 𝑦 𝑎 mod 𝑛
(𝑥, 𝑦 ∈ ℤ𝑛 ). The values 𝑛 and 𝑏 comprise the
public key, and the values 𝑝, 𝑞 and 𝑎 form the
private key. That is 𝐾𝑝𝑢𝑏 = (𝑛, 𝑏) and 𝐾𝑠𝑒𝑐 =
(𝑝, 𝑞, 𝑎).
RSA encryption-decryption function
• Suppose that 𝑛 = 𝑝𝑞 where 𝑝 and 𝑞 are distinct
odd primes and 𝑎𝑏 ≡ 1 (mod 𝑝 − 1 𝑞 − 1 ).
• The RSA encryption operation 𝑒 𝑥 = 𝑥 𝑏 mod 𝑛
and decryption operation 𝑑 𝑦 = 𝑦 𝑎 mod 𝑛.
• Since 𝑎𝑏 ≡ 1 mod 𝑝 − 1 𝑞 − 1 ,
𝑎𝑏 = 1 + 𝑟 𝑝 − 1 𝑞 − 1 for some 𝑟 ∈ ℤ.
• We have the following three cases:
• Case 1: 𝑝 ∤ 𝑥 and 𝑞 ∤ 𝑥.
• Case 2: 𝑝 ∤ 𝑥 and 𝑞| 𝑥
• Case 3: 𝑝 | 𝑥 and 𝑞 ∤ 𝑥
Case 1: 𝑝 ∤ 𝑥 and 𝑞 ∤ 𝑥
• gcd 𝑥, 𝑛 = 1.

• Therefore, 𝑥 𝜙 𝑛
=𝑥 𝑝−1 𝑞−1
≡
1 mod 𝑛

• 𝑥 𝑎𝑏 = 𝑥 1+𝑟 𝑝−1 𝑞−1 = 𝑥 × 𝑥𝑟 𝑝−1 𝑞−1 =

𝑥 (mod 𝑛).
Case 2: 𝑝 ∤ 𝑥 and 𝑞| 𝑥

• So 𝑥 𝑟 𝑝−1 𝑞−1 ≡ 1 mod 𝑝 , since 𝑥 𝑝−1 ≡

1 (mod 𝑝).
• Therefore, 𝑥 1+𝑟 𝑝−1 𝑞−1
≡ 𝑥 (mod 𝑝)
• Since 𝑞| 𝑥, 𝑥 1+𝑟 𝑝−1 𝑞−1 ≡ 𝑥 (mod 𝑞)
• Combining
𝑥 𝑎𝑏 = 𝑥 1+𝑟 𝑝−1 𝑞−1 ≡ 𝑥 (mod 𝑝𝑞)
Case 3: 𝑝|𝑥and 𝑞 ∤ 𝑥
• Same argument as Case 2 with 𝑝 and 𝑞
interchanged.
Example: RSA
• Suppose Alice chooses 𝑝 = 101 and 𝑞 = 113. Then 𝑛 = 11413. The
Euler totient function 𝜙 𝑛 = 100 × 112 = 11200.
• Suppose 𝑏 = 3533. Then 𝑎 = 𝑏 −1 mod 11200 = 6597.
• Alice publishes 𝑛 = 11413 and 𝑏 = 3533.
• Suppose Bob wants to encrypt the plaintext 9726 to send to Alice. He
will compute 97363533 mod 11413 = 5761.
• When Alice receives the ciphertext 5761, she uses her decryption
exponent 𝑎 = 6597 to compute 57616597 mod 11413 = 9726.
Complexity of RSA computation
• Multiply two big primes 𝑝 and 𝑞 almost of RSA Cryptosystem

the same size. Number of steps: Let 𝑛 = 𝑝𝑞, where 𝑝 and 𝑞 are primes.
approximately (log 2 𝑝)2 .
Let 𝒫 = 𝒞 = ℤ𝑛 , and define
𝒦 = 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 : 𝑎𝑏 ≡ 1 𝑚𝑜𝑑 𝜙 𝑛 ,
where 𝜙 𝑛 = 𝜙 𝑝𝑞 = (𝑝 − 1)(𝑞 − 1).
• For computing 𝜙 𝑛 the number of steps
is approximately (log 2 𝑝)2 . For 𝑘 ∈ 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 ∈ 𝒦
Encryption: 𝑒𝑘 𝑥 = 𝑥 𝑏 𝑚𝑜𝑑 𝑛, for all
𝑥 ∈ ℤ𝑛 ;
Decryption: 𝑑 𝑦 = 𝑦 𝑎 𝑚𝑜𝑑 𝑛, for all
• Next is to decide whether 𝑎 is coprime to 𝑦 ∈ ℤ𝑛 .
𝜙 𝑛 = (𝑝 − 1)(𝑞 − 1) and if so find 𝑏.
The key is split into two parts.
Public key: 𝑛, 𝑏 ;
Private key: (𝑝, 𝑞, 𝑎).
Complexity of RSA computation
• Next is to decide whether 𝑎 is coprime to Let 𝑛 = 𝑝𝑞, where 𝑝 and 𝑞 are primes.
?
Let 𝒫 = 𝒞 = ℤ𝑛 , and define
gcd a, 𝜙 𝑛 =
ฎ 1 and if so find 𝑏. 𝒦 = 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 : 𝑎𝑏 ≡ 1 𝑚𝑜𝑑 𝜙 𝑛 ,
where 𝜙 𝑛 = 𝜙 𝑝𝑞 = (𝑝 − 1)(𝑞 − 1).

• The greatest common divisor (gcd) is For 𝑘 ∈ 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 ∈ 𝒦

Encryption: 𝑒𝑘 𝑥 = 𝑥 𝑏 𝑚𝑜𝑑 𝑛, for all
computed by using Euclidean algorithm. 𝑥 ∈ ℤ𝑛 ;
Decryption: 𝑑 𝑦 = 𝑦 𝑎 𝑚𝑜𝑑 𝑛, for all
𝑦 ∈ ℤ𝑛 .
• The inverse of 𝑏 by using Extended The key is split into two parts.
Euclidean Algorithm. Public key: 𝑛, 𝑏 ;
Private key: (𝑝, 𝑞, 𝑎).
Euclidean Algorithm: intermediate steps
• 𝑟𝑖−1 = 𝑞𝑖 𝑟𝑖 + 𝑟𝑖+1
𝑟𝑖 = 𝑞𝑖+1 𝑟𝑖+1 + 𝑟𝑖+2
Where 0 ≤ 𝑟𝑖+1 < 𝑟𝑖 , 0 ≤ 𝑟𝑖+2 < 𝑟𝑖+1 .
1
• Suppose 𝑟𝑖+1 > 𝑟𝑖 .
2
1 1
• 𝑟𝑖+2 = 𝑟𝑖 − 𝑞𝑖+1 𝑟𝑖+1 ≤ 𝑟𝑖 − 𝑟𝑖+1 < 𝑟𝑖 − 𝑟𝑖 < 𝑟𝑖 .
2 2
1
• Suppose 𝑟𝑖+1 ≤ 𝑟
2 𝑖
1
• 𝑟𝑖+2 < 𝑟𝑖+1 ≤ 𝑟.
2 𝑖
Euclidean Algorithm: upper bound on the
number of steps
• The number of steps required in Euclidean
Algorithm is 2log 2 𝑝.

• The number of steps required for finding the

inverse of 𝑏 modulo 𝜙(𝑛) is at most 4 log 2 𝑝.

• Each step requires division which approximately

requires the same number of steps as
multiplication which is (2 log 2 𝑝)2 .
Complexity gcd computation
Let 𝑛 = 𝑝𝑞, where 𝑝 and 𝑞 are primes.

Let 𝒫 = 𝒞 = ℤ𝑛 , and define

𝒦 = 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 : 𝑎𝑏 ≡ 1 𝑚𝑜𝑑 𝜙 𝑛 ,
• The number of steps required for where 𝜙 𝑛 = 𝜙 𝑝𝑞 = (𝑝 − 1)(𝑞 − 1).
computation of gcd 𝑏, 𝜙 𝑛 and 𝑎 in For 𝑘 ∈ 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 ∈ 𝒦
case gcd 𝑏, 𝜙 𝑛 = 1 is Encryption: 𝑒𝑘 𝑥 = 𝑥 𝑏 𝑚𝑜𝑑 𝑛, for all
𝑐(log 2 𝑝)3 𝑥 ∈ ℤ𝑛 ;
Decryption: 𝑑 𝑦 = 𝑦 𝑎 𝑚𝑜𝑑 𝑛, for all
where 𝑐 is a small constant. 𝑦 ∈ ℤ𝑛 .

The key is split into two parts.

Public key: 𝑛, 𝑏 ;
Private key: (𝑝, 𝑞, 𝑎).
Complexity of Exponentiation
• 𝑒𝑘 𝑥 = 𝑥 𝑏 𝑚𝑜𝑑 𝑛 Let 𝑛 = 𝑝𝑞, where 𝑝 and 𝑞 are primes.

Let 𝒫 = 𝒞 = ℤ𝑛 , and define

𝒦 = 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 : 𝑎𝑏 ≡ 1 𝑚𝑜𝑑 𝜙 𝑛 ,
• 𝑑 𝑦 = 𝑦 𝑎 𝑚𝑜𝑑 𝑛 where 𝜙 𝑛 = 𝜙 𝑝𝑞 = (𝑝 − 1)(𝑞 − 1).

For 𝑘 ∈ 𝑛, 𝑝, 𝑞, 𝑎, 𝑏 ∈ 𝒦
Encryption: 𝑒𝑘 𝑥 = 𝑥 𝑏 𝑚𝑜𝑑 𝑛, for all
• This is done by an algorithm called square 𝑥 ∈ ℤ𝑛 ;
and multiply. Decryption: 𝑑 𝑦 = 𝑦 𝑎 𝑚𝑜𝑑 𝑛, for all
𝑦 ∈ ℤ𝑛 .

The key is split into two parts.

Public key: 𝑛, 𝑏 ;
Private key: (𝑝, 𝑞, 𝑎).
Square and Multiply Algorithm
• Suppose that we want to compute 𝑥 𝑏 𝑚𝑜𝑑 𝑛 where 𝑏 is a very large
positive integer.
• The steps are as follows:
• Binary representation of 𝑏: 𝑏 = σℓ−1 𝑏
𝑖=0 𝑖 2 𝑖 where 𝑏 ∈ {0, 1}.
𝑖
• Set 𝑧 to 1. That is 𝑧 ← 1
• for 𝑖 ← ℓ − 1 down to 0
• 𝑧 ← 𝑧 2 𝑚𝑜𝑑 𝑛
• if 𝑏𝑖 = 1 then 𝑧 ← 𝑧 × 𝑥 𝑚𝑜𝑑 𝑛
• return(𝑧)