Public key systems
 An asymmetrical cipher system
 A system based on a single (secret) key, such as the DES, is called
a symmetrical cipher system
 Two keys are used: :one for enciphering, one for deciphering a text
 The cipher key is made public; anyone has access to this key and
is permitted to use it for enciphering a text
 Principle: anyone is able to encipher a text, but only a few can
decrypt the cipher text
 Two important aspects of public key systems
1. One-way functions: relatively easy to calculate themselves, but
whose inverse function is far more difficult to compute(power
function)
2. The trapdoor function: a variation on one-way functions;
determining their inverse functions is extremely difficult, unless
additional information is available.
The RSA system
 One of the most well-known and popular public key systems
 Named after the first letters of the surnames of its designers (R
L .Rivest, A.Shamir and L.Adleman of MIT ( Rivest et al.(1978))
Public key system
2
 Based on the fact that it is relatively easy to calculate the product of
two prime numbers, but that determining the original prime numbers,
given the product, is far more complicated
The RSA outline

Two prime numbers are generated and their product is calculated and
denoted by n: n =pq

A number e is determined, which satisfies the following expression:
3<e<(p-1)(q-1)
and e is also relatively prime to (p-1)(q-1)

e is used to determine another number, d, for which:
ed=1(mod (p-1)(q-1))
Public key system
3

The public key consists of the pair (e,n); the other values are kept
secret

The encipherment of a text is performed as follows
1. A binary representation of the text is used, which is divided into
blocks denoted by M.
2. The cipher block C is computed by C =Me (mod n).
3. The ciphertext is deciphered M=Cd (mod n)

It is almost impossible to calculate d if only the public key (e,n) is
known

To find d, p and q must be known
1. Since only n is publicly available, a cryptanalyst must determine
p and q from this
Public key system
4
2. If n is of the order of 200 decimal digits, this would take
approximately 30 million years, with the current technology

Example:
1. p=3, q=17, n=51, (p-1)(q-1)=32
2. Find e between 3 and 32 with (e, 32)=1
3. Let e =7, determine d with ed=1 (mod (p-1)(q-1))
4. d = 23, since ed=7×23=161=1(mod32)
5. The public key is (7,51)
6. If M=2, then C =Me (mod n)=27(mod51)=26.
7. Decipherment:
M=Cd (mod n) =2623 (mod 51) =2612622642616 (mod 51)
=26×13×16×1 (mod 51) =2
Public key system
5
 In the above example, the calculation of 2623 (mod51) is simplified by
(i) a =b (mod n) ⇒ a2=b2(mod n)
proof: ∵ a =b (mod n)
⇒ a =b+kn ⇒ a2=b2+(kn)2+2bkn
⇒ a2=b2 (mod n)
(ii) ab (mod n)=[a(mod n)] [b(mod n)]
pf: ∵ [a (mod n)][b(mod n)]=(a+kn)(b+hn)
=ab +anh+bkh+khn2=ab (mod n)
 By (ii), 2623(mod 51) =2612622642616(mod 51)
 By (i), 262=13 (mod 51) ⇒ 264=132 (mod 51) etc.
 These two characteristics can reduce the complexity of the calculations
considerably.
Public key system
6
 Euler’s totient functionφ(n): the number of positive integers smaller
than n and relatively prime to n
 for a given prime number p,φ(p)=p-1, it follows for the product of
two prime numbers p and q thatφ(n) = φ(p)φ(q) =(p-1)(q-1)
Theorem 6.1 (Euler's theorem)
For all a and n, which are relatively prime with respect to each other and
φ(n)
0<a<n, it holds that a
=1 (mod n)
Proof:
1. For a given n, a∈ Z'n, with Z'n =(r1,…,rm) representing the set of all
positive integers between 0 and n which are relatively prime to n
2. m =φ(n)
3. For all values of i,∃j (1≦i,j≦m) such that ari = rj (mod n)
Public key system
7
∵
(a, n)=1 and (n, ri )=1 ⇒ (n, ari ) =1⇒ ari (mod n)εZ'n
⇒ ari = rj (mod n) for some j
4. If ari = rj (mod n) and ark = rj (mod n) then ri =rk
∵ ari = rj (mod n) and ark = rj (mod n) ⇒ (ari -ark ) = 0 (mod n)
⇒ (ri -rk ) = 0 (mod n) ⇒ ri = rk
(∵ 0< ri , rk <n)
5. By (4), we have ar1 ar2 ar3 ar4…arm = r1 r2 r3 r4 …rm (mod n)
⇒am(rlr2...rm) = (rlr2...rm) (mod n) ⇒ (am -1) (rlr2...rm) = 0 (mod n)
φ(n)
∵(rlr2...rm ,n)=1⇒ am-1=0 (mod n) ⇒ am =1 (mod n) ⇒a
=1(mod n)
 Example:
Let n =17,
a =2 ⇒ φ(17)=16 ⇒ 216=1(mod 17)
(∵216=65536=1+3855×17)
Public key system
8
Theorem 6.2
Consider a message M, and a ciphertext C: C =Me mod n.
If M'=Cd (mod n) with ed=1 (mod(p-1)(q-1)).Then for all cases M'=M
Proof: ∵φ(n) = φ(p)φ(q) =(p-1)(q-1)
⇒ ed=1 (mod (p-1)(q-1))
=1 (modφ(n)) ⇒ ed=kφ(n)+1
∵ C=Me (mod n) , M'=Cd (mod n) ⇒ M'=Med (mod n)
⇒ M'=M k
φ(n)+1
(mod n)
Case1: (M, n)=1⇒ M
φ(n)
=1(mod n) ⇒ M'= M k
Case2: (M, n)= p (or q) ⇒ (M, q)=1, (M
⇒ (M
φ(p) φ(q)
)
=1 (mod q) ⇒ M
∵(M, n)= p ⇒
Mk
φ(n)+1
φ(n)+1
=M (mod n)
φ(p)
φ(n)
,q) =1
=1 (mod q) ⇒
=M (mod p) ⇒
Mk
φ(n)+1
φ(n)+1
M'=M k
=M (mod q)
=M (mod n)
Public key system
9
Example

Let p = 47 and q = 59, then n = pq = 2773 and (p -1)(q -1) = 2668.

Assume e = 17, then d = 157

Assume that the alphabet is represented by decimal values, i.e. a= 01,
b = 02, c = 03, etc. and a blank space is given the value 00.

The plaintext ready for encipherment is given as
M = MAKE CONTACT IMMEDIATELY
in decimal representation:
M= 13011105031514200103200913130504090120051225

The message is enciphered by regarding a block of four digits as an
individual message, which is encrypted separately
Public key system
10
M1 = 1301, M2 = 1105 etc.
C1=130117 (mod 2773)

Note that the calculation of d from ed = 1 (mod (p -1)(q -1)), for
given values of e, p and q, and the computation of terms such as X =
Me (mod n) is not easy, especially when large values are concerned.

The calculation of d: using Euclidean algorithm
Suppose r(0) =φ(n) and r( 1) = e. calculate the parameters r(2),
r(3), ..., r(k) recursively, until r(k) = 1
r(0) = a(1)r(1) + r(2)
r(1) = a(2)r(2) + r(3)
r(2) = a(3)r(3) + r(4)
⋮
⋮
⋮
⋮
Public key system
11
r(k-2) = a(k-l)r(k-l) + r(k)

Note that for all k, r(k) < r(k-1)

The above statement now enables us to express r(2), r(3), ..., r(k) in
terms of r(0) and r(1) alone:
r(2) = r(0) -a(1)r(1)
r(3) = r(1) -a(2)r(2) = -a(2)r(0) + [1 + a(1)a(2)] r(1)
Let r(i) = u(i)r(0) + v(i) r(1)
(∵ r(i) = r(i-2) -a(i-1)r(i-1))
= (u(i-2)r(0) + v(i-2) r(1)) -a(i-1) (u(i-1)r(0) + v(i-1) r(1))
= (u(i-2)- a(i-1)u(i-1))r(0) +( v(i-2) -a(i-1) v(i-1)) r(1)
⇒ u(i) =u(i-2)- a(i-1)u(i-1)
v(i)= v(i-2) -a(i-1) v(i-1)
(u(1)=0, v(1)=1, u(0)=1,v(0)=0)
Public key system
12
 This process is terminated as soon as r(k) = 1
 r(k) can be expressed in terms of r(0) and r(1) alone
 Suppose r(k) = ur(0) + vr(1), then v must be equal to d
∵
r(k) = 1 ⇒ 1 = ur(0) + vr(1) = uφ(n) + ve
⇒ ve = 1 (modφ(n)) ⇒ v = d
Example
Determine d, given 7d =1 (mod 32)
Suppose r(0) = 32 and r( 1) = 7. Substitution in the recursive expressions
yields:
32 = 4 x 7 + 4⇒ r(2) = r(0) -4r(1)
Public key system
13
7 = 1 x4 + 3⇒ r(3) = r(1) -r(2) =- r(0) + 5 r(1)
4 = 1 x 3 + 1 ⇒ r(4) = r(2) -r(3) = r(0) –4r(1) -(-r(0) + 5 r(1))
= 2 r(0) -9 r(1) ⇒ d = -9 = 23 mod 32
 The method for calculating X = Me (mod n)
(1) Write e in a binary form, e = ek, ek-1, ..., e0,
(2) Set X := 1
(3) For i=k ,k-1, ...,0
X := remainder of (X2/n)
if ei =1 then X := remainder of (XM/n).
(4) If i = 0 then stop. The current value of X is the required value.
Public key system
14
Example
Calculate X= 25 (mod 11). We can write M = 2, n = 11, e = 5 = 1012
(1) k = 2: X := remainder of (1/11) = I
since e2 = 1: X := remainder of ( lx2/11 ) = 2;
(2) k= 1: X:= remainder of (22/11) = 4;
(3) k = 0: X := remainder of (42/11) = 5
since eo = 1: X := remainder of (5x2/11) = 10.
(4) Thus we find that X= 25 (mod 11) = 10 (mod 11)
Public key system
15
primality test (proposed by Solovay and Strassen (1977/8))
 Let p be a candidate prime number and aε(1,...,p-1). If gcd(a,p )> 1,
then p is not a prime number. If gcd(a,p) = I then check the following
statement:
J(a,p) = a(p-1)/2 (mod p)
J(a,p) is the Jacobi symbol
1. If p is a prime number, the above statement will be true for all
values of a
2. if p is not a prime number, then the above statement will be false
in more than 50% of the cases
Public key system
16

Note that if the statement is true for 100 different values of a, the
probability of p actually being a prime number will be larger than
1-2-100
 This method does not provide an absolute guarantee, it is possible
that very occasionally, a non-prime number will be used in the
RSA system. In this case, n can be written as the product of three,
rather than two prime numbers. This may provide a potential weak
spot for cryptanalysis.
 The Jacobi symbol J(a,p) represents a function with only two
values: l or -1.
 For all p, J(1,p) = 1
 For other values of a and p, the Jacobi symbol can be calculated
with the following expressions:
Public key system
17
a even:
a odd:
J(a,p) = J(a/2,p)(-1)(p*p-1)/8
J(a,p) = J(p(mod a),a)(-1)(a-1)(p-1)/4
Example
Let p = 17. a = 10. gcd(10,17) = 1
J(10,17) = J (5, 17)-(-1)(17*17-1)/8 = J (5,17)(-1)36 = J (5,17)
= J (17 (mod 5),5)(-1)(5-1)(17-1)/4 = J (2,5) = J (1,5)-(-1)(5*5-1)/8 =-1
a(p-1)/2 (mod p) = 108 (mod 17) = -1 (mod 17).

Not every number which passes the primality test is suitable for use
in the RSA system
 There are certain types of prime number for which it would be
relatively easy to find the corresponding factorization of n Therefore,
in general, the following rules must be obeyed when selecting p and q:
Public key system
18
(a) p must be chosen such that the factorization of p -1 has a large
prime factor r
(b) p + 1 must also have a large prime factor s
(c) r - 1 must have a large prime factor t
(d) The same restrictions are imposed on q
(e) p and q must be large, but their difference abs(p –q) must also be
large
 The following procedure can be followed for generating a prime
number p:
1. an arbitrary prime number s is generated, for instance by searching
for the first prime number larger than a given starting value s0, based
on the primality test of Solovay and Strassen
2. In the same manner, a second prime number t is generated
Public key system
19
3. r is constructed from t. Since r -1 must contain a prime factor t and r
itself is odd, it must hold that r = 1 (mod 2t). Each value of r = 2it +
1 is tested on its primeness, for successive values of i, until a suitable
value of r is found.
4. A value for p can be determined, based on r and s, which satisfies
criteria (a)(r/(p-1)) and (b)(s/(p+1)). This is accomplished as
follows:
 Calculate u(r,s) = sr-1 -rs-1 (mod rs)
 If u(r,s) is odd, then let p0 = u(r,s); if not p0 = u(r,s) + rs.
 Calculate p using p = p0+ 2jrs, for a given value of j, depending on
the required order of magnitude of p and perform a primality test on p
 Take successive values of j and perform primality tests on p, until a
prime number is found.
Public key system
20
5. It will become evident that this procedure will result in a prime number
p, which satisfies conditions (a) and (b), when the following is
considered.
 In order for (a) and (b) to be satisfied, there must be a k and h such,
that:
p = 2hr + 1 = 2ks -1, or
p = 1 (mod 2r) = -1 (mod 2s)
 With Euler's theorem this leads to:
sr-1 = 1 (mod r)
 It also holds that rs-1 = 0 (mod r). This implies that
u(r,s) =sr-1- rs-1 = 1 (mod r) = 1 + k'r
Public key system
21
 If u(r,s) is even, i.e. k' is odd, it follows that
p = po + 2jrs = u(r,s) + rs + 2jrs
= 1 + k'r+ (2j + 1)rs
= 1 (mod 2r)
 If u(r,s) is odd, i.e. k' is even, it follows that
p =p0 + 2krs = u(r,s) + 2jrs
= 1 + k'r+ 2jrs
= 1 (mod 2r)
 In the same manner it is possible to prove that p = -I (mod 2s). We
can thus conclude that the value found for p is a strong prime
number
Public key system
22

As far as the RSA system is concerned, there is no faster method of
attack than factorisation

It would take approximately 500 years to factorise a random number
of 130 digits, assuming the computer used is capable of performing 1
million operations per second

In practice, numbers of 768 bits (approximately 230 decimal digits)
are recommended. Factorization will then take at least 108 years using
1 million operations per second

RSA system is not suited for real-time encryption of large amounts of
data

With a key of 512 bits (154 digits), the processing speed of the RSA
implemented in VLSI technology is no larger than 64 kbit/s. For the
DES, hardware is being produced that can achieve 1 Gbit/s
Public key system
23

RSA system is often used for enciphering limited amounts of data, for
instance for the transportation of secret keys. The actual data can be
encrypted with the DES algorithm and only the secret key of the DES
algorithm is enciphered with the RSA system
Public key system
24
Public key systems based on elliptic curves
 A more recent development in the field of public key systems is based
on the use of elliptic curves(proposed by Miller (1986) and Koblitz
(1987))
 An elliptic curve given by F: y2 = x3 + ax + b and defined for Zp
(0,1,…,p-1) includes all pairs of numbers (x,y) ∊ Zp x Zp which
satisfy:
y2 = x3 + ax + b (mod p )
p is prime, p > 3 and a and b are constants with 4a3 + 27b2≠ 0 (mod p).

Definition: z is a quadratic residue, if z = y2 (mod p)
Public key system
25
Euler's criterion:

z can only be a quadratic residue modulo p if and only if
z(p-1)/2 = 1 (mod p)

(1)
By multiplying both sides of Equation (1) by z, it follows that
z(p+1)/2 = z (mod p)

We then find the roots of this equation are
y =∓ z(p+1)/4
with p = 3 (mod 4)
Example:
1. the elliptic curve y2 = x3 + x + 5 over Z11 for p = 11
2. a = 1 and b = 5 satisfy 4a3 + 27b2≠ 0 (mod 11)
Public key system
26
3. Since p = 11 = 3 (mod 4), then the values for z (and consequently for y)
are given for every x by y =∓ z(p+1)/4 .
These results are listed in Table
6.1. Ten points are found for this case
 In general, the total number of points will be of the order of the prime
number p
 By selecting a suitable operator, the points on the elliptic curve F may
be regarded as an Abelian group. This means that the operator + is
chosen such that if P ∊ F and Q ∊ F then it holds that P+Q ∊ F
Public key system
27
Public key system
28
Operator + is defined such that the following conditions are satisfied
1. P = (x1,y1) ∊ F and Q = (x1,-y1) ∊ F, then P + Q = 0 and Q is the
inverse of P; 0 is a point for which P + 0 = P, for all P ∊ F
2. P = (x1,y1) ∊ F and Q = (x2,y2) ∊ F, then P + Q = (x3,y3), with
x3 = σ2 - x1 - x2 (mod p)
y3 = σ(x1- x3)- y1 (mod p)
and
if P  Q
( y2  y1 ) /( x2  x1 ),
 
2
(
3
x
if P  Q
1  a ) /( 2 y1 )

Public key system
29
 All points of the elliptic curve can be generated through the above
equations by choosing an arbitrary point P ∊ F as an initial starting
point
Example
1. Consider y2 = x3 + x + 5 (mod 11)
2. Take P = (0,7) ∊ F
3. Calculate 2P, 3P, ...,10P
2P = (0,7) + (0,7)
σ= (3x02 + 1)/(2x7) = 1/14 = 4 (mod 11), (since 4x14 = 1 (mod 11))
This yields x3 = 16 = 5 (mod 11), y3 = 4(0- 5) -7 = -27 = 6 (mod 11)
4. Similar for 3P, ...,10P:
4P = (2,2), 5P = (7,5),
P = (0,7), 2P = (5,6), 3P = (10,6)
6P = (7,6) , 7P = (2,9), 8P = (10,5),
Public key system
30
9P = (5,5), 10P = (0,4)
 It is obvious that for a given P, the point aP can easily be calculated for
any value of a. However, it is a difficult task to find a when P and aP
are given
 The value of a can be found by generating the entire list P, 2P, 3P, ...etc.
However, if the prime number p is very large, say of the order of 2160,
then the number points on the elliptic curve will be the same order of
magnitude. It will be totally impractical to generate the list P, 2P, 3P,…
Public key system
31
The EI-Gamal cipher system based on elliptic curves

Let F be an elliptic curve defined for Zp, with p a prime number and
p > 3; P is a point on the elliptic curve: P ∊ F

The number a is a secret exponent. Q is defined as: Q = aP (Q ∊ F)

The public key consists of P and Q. The value of a is the secret key

Let the message M = (u1,u2) ∊ F.
If k is a random number, then the
encipherment is defined as:
C= e(M,k) = (v1,v2)
v1 = kP and v2 = M + kQ
Public key system
32

Decipher according to:
d(C,a) = v2 -a v1

The strength of the algorithm relies on the fact that it is absolutely
impractical to find a, when only P and Q are known
Example
1. Assume P = (0, 7) and a = 3. Then Q = 3(0, 7) = (10,6)
2. Suppose M = (2,9), k = 6. The cipher text will now consist of two
elements:
v1 = 6P = (7,6)
v2 = M + kQ = (2,9) + 6(10,6) = (10,6)
3. For deciphennent, the values of v1, v2 and a must be known:
d(C,3) = v2-3v1 = (10,6) -3(7,6) = (10,6) + 3(7,5) = (2,9)
Public key system
33
4. Here we employed the fact that -(7,6) = (7,-6) = (7,5)

A disadvantage of this algorithm is that the messages to be enciphered
must be points on the curve F
The Menezes- Vanstone cipher system based on elliptic curves

Let F be an elliptic curve defined on Zp (p is a prime number, p > 3).
P is a point on the elliptic curve: P ∊ F. The number a is a secret
exponent. Q is defined as Q = aP. P and Q are made public

Let the message M = (u1,u2). If k is a random number, then the
enciphennent is given by.
C= e(M,k) = (y0,y1,y2), with
y0= kP, (cI ,c2) = kQ, y1 = cI u1 (mod p), y2 = c2 u2 (mod p)
Public key system
34

Decipherment is performed by calculating
d(C,a) = (y1 cI -l (mod p), y2c2-1 (mod p)) in which
a y0 =(cI, c2)
Example
1. Assume P = (0, 7) and a = 3. Then Q = 3(0, 7) = (10,6)
2. Suppose k = 6, M = (3,4) is not a point on the elliptic curve F
3. The elements of the cipher text are subsequently found to be:
y0= kP= 6(0, 7) = (7,6)
(cI ,c2) = kQ= 6(10,6) = (2,9)
y1 = cI u1= 2 x 3 (mod 11) = 6
y2 = c2 u2= 9 x 4 (mod 11) = 3
4. From this it follows that
C = ((7,6),6,3)
Public key system
35
5. The deciphering is performed as follows:
(cI, c2) =a y0 = 3(7,6) = (2,9)
M = (y1 cI -l , y2c2-1) = (6/2, 3/9) = (3,4)
 A disadvantage of both of these methods is the fact that the ciphertext
becomes twice as long as the plain text
 On the other hand, however, in these methods smaller prime numbers
can generally be used than in the RSA system
 the size of the public key is limited and, consequently, the complexity
of the calculations is also limited
 In general, encipherment and decipherment based on elliptic curves
requires much less time than that based on the RSA
Public key system
36