MODULE 2_CNS

Pseudorandom number Generators: Linear Congruential Generators, Blum Blum Shub

Generator. Public key cryptography and RSA: Principles of public key Cryptosystems-Public
key cryptosystems, Applications for public key cryptosystems, Requirements for public key
cryptography, Public key Cryptanalysis, The RSA algorithm: Description of the Algorithm,
Computational aspects, The Security of RSA. Diffie-Hellman key exchange: The Algorithm,
Key exchange Protocols, Man-in-the-middle Attack, Elliptic Curve Cryptography: Analog of
Diffie-Hellman key Exchange, Elliptic Curve Encryption/Decryption, Security of Elliptic
Curve Cryptography. Chapter 8: 8.2 Chapter 9: 9.1, 9.2 Chapter 10: 10.1, 10.4
PSEUDORANDOM NUMBER GENERATORS:
Pseudorandom number generators (PRNGs) are algorithms that produce sequences of
numbers that appear random but are actually generated by a deterministic process.
[A deterministic process is a procedure where identical inputs always produce identical
outputs through a fixed sequence of operations, without any random or probabilistic
elements]
There are two types of algorithms for PRNGs.
i.Linear Congruential Generator
ii. Blum Blum Shub Generator
I.LINEAR CONGRUENTIAL GENERATOR
 A Linear Congruential Generator (LCG) is an algorithm that produces a sequence of
pseudo-random numbers using the recurrence relation: Xn+1 = (a * Xn + c) mod m.
 The sequence is defined by a starting value called the seed (X0), and three constants:
1.the multiplier (a),
2.the increment (c), and
3.the modulus (m).
 LCGs are simple, fast, and easy to implement, but are not suitable for cryptographic
purposes due to their predictable nature and susceptibility to statistical attacks.
 linear congruential generator algorithm is parameterized with four numbers, as
follows:

 The selection of values for a, c, and m is critical in developing a good random number
generator.
 For example, consider a = c = 1. The sequence produced is obviously not satisfactory.
 Now consider the values a = 7, c = 0, m = 32, and X0 = 1. This generates the
sequence {7, 17, 23, 1, 7, etc.}, which is also clearly unsatisfactory.
 Generate the sequence:
X1= (7⋅1+0) mod 32=(7⋅1+0 ) mod 32=7

Mrs. Mangala Patil., Dept., of CSE, ICEAS 1

 MODULE 2_CNS

X2= (7⋅7+0) mod 32=49 mod 32=17

X3= (7⋅17+0) mod 32=119 mod 32=23
X4= (7⋅23+0) mod 32=161 mod 32=1
X5=(7⋅1+0) mod 32=(7⋅1+0 ) mod 32=7
Sequence: {7, 17, 23, 1, 7, ...} (cycles after 4 numbers)
This repeats quickly and does not produce a large, "random-looking" sequence —
showing the importance of choosing PRNG parameters wisely.
o Of the 32 possible values, only four are used; thus, the sequence is said to
have a period of 4.
 If, instead, we change the value of a to 5, then the sequence is {5, 25, 29, 17, 21, 9,
13, 1, 5, etc. }, which increases the period to 8.
 Below example need not write

 A common criterion is that m be nearly equal to the maximum representable

nonnegative integer for a given computer. Thus, a value of m near to or equal to 2 31 is
typically chosen
 [PARK88] proposes three tests to be used in evaluating a random number generator:
T1: The function should be a full-period generating function. That is, the function
should generate all the numbers from 0 through m - 1 before repeating.
T2: The generated sequence should appear random.
T3: The function should implement efficiently with 32-bit arithmetic.
 With appropriate values of a, c, and m, these three tests can be passed.
 With respect to T1, it can be shown that if m is prime and c = 0, then for
certain values of the period of the generating function is m - 1, with only the
value 0 missing.
 For 32-bit arithmetic, a convenient prime value of m is 2 31 - 1. Thus, the
generating function becomes Xn+1 = (aXn) mod (231 - 1)
 The strength of the linear congruential algorithm is that if the multiplier and modulus
are properly chosen, the resulting sequence of numbers will be statistically
indistinguishable from a sequence drawn at random (but without replacement) from
the set 1, 2, … , m - 1.
 Limitations:
 Once that value is chosen, the remaining numbers in the sequence follow
deterministically. This has implications for cryptanalysis

Mrs. Mangala Patil., Dept., of CSE, ICEAS 2

 MODULE 2_CNS

 If an opponent knows that the linear congruential algorithm is being used and
if the parameters are known (e.g., a = 75, c = 0, m = 231 - 1), then once a single
number is discovered, all subsequent numbers are known.

 Solution: To make a pseudorandom number generator (PRNG) sequence

nonreproducible—so that knowing part of the sequence does not allow an opponent to
predict future numbers—introduce external, unpredictable elements like the system
clock. Two suggested methods are:
1.Restart the sequence after every N numbers, using the current clock value (mod m)
as the new seed.
2.Add the current clock value to each random number (mod m).
Both approaches use the system clock to inject unpredictability, making it much
harder for an attacker to reconstruct or predict the random sequence
2.BLUM BLUM SHUB GENERATOR
 The BBS is referred to as a cryptographically secure pseudorandom bit generator
(CSPRBG). Blum Blum Shub (BBS), is specially designed to produce sequences of
bits that appear random, but more importantly, are secure for cryptographic use.
 The key property that makes such a generator "cryptographically secure" is its ability
to pass the next-bit test. The next-bit test means:
 No efficient (i.e., polynomial-time) algorithm exists that, given the
first k bits of the output, can predict the next (k+1 st) bit with probability
significantly greater than 50% (which is a random guess).
 In simple terms: Even if part of the output is seen, cryptanalyst cannot predict
the next bit any better than random guessing.
 This property is crucial because, for a pseudorandom generator to be useful in
cryptography (like key generation, encryption), it must ensure that attackers can't use
previous bits to deduce or compute future bits. As a result, the unpredictability holds
up even if parts of the output leak.
 Blum Blum Shub Block Diagram is depicted as shown below

 It has perhaps the strongest public proof of its cryptographic strength of any purpose-
built algorithm. The procedure is as follows. First, choose two large prime numbers, p
and q, that both have a remainder of 3 when divided by 4.

 (p mod 4) = (q mod 4) = 3.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 3

 MODULE 2_CNS

 For example, the prime numbers 7 and 11 satisfy .

 Let n = p * q. Next, choose a random number s, such that s is relatively prime
to n; this is equivalent to saying that neither p nor q is a factor of s. Then the
BBS generator produces a
sequence of bits Bi according to the following algorithm:

 Thus, the least significant bit is taken at each iteration.

 For all practical purposes, the sequence is unpredictable. The security of BBS is based
on the difficulty of factoring n. That is, given n, we need to determine its two prime
factors p and q
 Bi is the output bit, taken as the LSB of Xi.
BBS is secure because no known efficient method can predict the next bit of the
sequence any better than guessing, making their output ideal for cryptographic uses
Table 8.1 shows an example of BBS operation. Here, n = 192649 = 383 * 503, and the
seed s = 101355.

PUBLIC KEY CRYPTOGRAPHY AND RSA:

I.PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS
 The concept of public-key cryptography evolved from an attempt to attack two of the
most difficult problems associated with symmetric encryption.
 key distribution
 digital signatures
1.PUBLIC KEY CRYPTOSYSTEMS
Asymmetric algorithms rely on one key for encryption and a different but related key for
decryption. These algorithms have the following important characteristic.
 It is computationally infeasible to determine the decryption key given only knowledge
of the cryptographic algorithm and the encryption key.
 RSA algorithm: Either of the two related keys can be used for encryption, with the
other used for decryption.
A public-key encryption scheme has six ingredients (Figure 9.1a; compare with Figure 3.1).
1. Plaintext: This is the readable message or data that is fed into the algorithm as input.
2. Encryption algorithm: The encryption algorithm performs various transformations on the
plaintext.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 4

 MODULE 2_CNS

3. and 4. Public and private keys: This is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption. The exact transformations performed
by the algorithm depend on the public or private key that is provided as input.
4.Ciphertext: This is the encrypted message produced as output. It depends on the plaintext
and the key. For a given message, two different keys will produce two different ciphertexts.
5. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.
 With this approach, all participants have access to public keys, and private keys are
generated locally by each participant and therefore need never be distributed. As long
as a user’s private key remains protected and secret, incoming communication is
secure.
 Bob sends confidential message to Alice
Bob’s Keys=[PUb, PRb]
Alice’s Keys=[PUa, PRa]

The essential steps are the following.

1. Each user generates a pair of keys to be used for the encryption and decryption of
messages.
2. Each user places one of the two keys in a public register or other accessible file. This is
the public key. The companion key is kept private. As Figure 9.1a suggests, each user
maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using
Alice’s public key. C=E[PUa,X]

Mrs. Mangala Patil., Dept., of CSE, ICEAS 5

 MODULE 2_CNS

4. When Alice receives the message, she decrypts it using her private key. No other recipient
can decrypt the message because only Alice knows Alice’s private key.
X=D[PRa,Y]
 Figures 9.1b shows the use of public-key encryption to provide authentication, but
does not provide confidentiality. Plaintext is encrypted using Bob’s(senders) private
key.
C=E[PRb,X]
 Ciphertext is decrypted using Alce’s private key.
X=D[PUb, Y]
 Table 9.2 summarizes some of the important aspects of symmetric and publickey
encryption.

Public Key Cryptosystem: Confidentiality

 Consider the essential elements of a public-key encryption scheme, using below
Figure 9.2 which provides confidentiality (compare with Figure 3.2).
 There is some source A that produces a message in plaintext, X = [X1, X2,
…, XM].
o The M elements of X are letters in some finite alphabet. The message is
intended for destination B.
 B generates a related pair of keys: a public key, PU b, and a private key, PRb. PRb is
known only to B, whereas PUb is publicly available and therefore accessible by A.
 With the message X and the encryption key PU b as input, A forms the ciphertext Y =
[Y1, Y2, … , YN]: Y = E(PUb, X)
 The intended receiver, in possession of the matching private key, is able to invert the
transformation: X = D(PRb,Y)

Mrs. Mangala Patil., Dept., of CSE, ICEAS 6

 MODULE 2_CNS

Public Key Cryptosystem: Authentication

 Below Figure 9.3 show the use of public-key encryption to provide authentication:
 In this case, A prepares a message to B and encrypts it using A’s private key before
transmitting it.
Y = E(PRa,X)
 B can decrypt the message using A’s public key. Because the message was encrypted
using A’s private key, only A could have prepared the message.
X = D(PUa,Y)
 Therefore, the entire encrypted message serves as a digital signature. Also, it is
impossible to alter the message without access to A’s private key, so the message is
authenticated both in terms of source and in terms of data integrity.
 In the preceding scheme, the entire message is encrypted, validating both author and
contents, requires a great deal of storage. Each document must be kept in plaintext to
be used for practical purposes. A copy also must be stored in ciphertext so that the
origin and contents can be verified in case of a dispute.
 When A wants to send a message to B and ensure authenticity and integrity, A
encrypts the message using A’s private key. B can then decrypt it using A's public
key. Because only A has access to A’s private key, this process proves that the
message could only have come from A, making the encrypted message act as a digital
signature. Additionally, it is impossible to alter the message without access to A’s
private key, ensuring both the source and the integrity of the message are
authenticated.
 So, a more efficient way of achieving the same results is to encrypt a small block of
bits that is a function of the document. Such a block, called an authenticator, must
have the property that it is infeasible to change the document without changing the
authenticator.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 7

 MODULE 2_CNS

 If the authenticator is encrypted with the sender’s private key, it serves as a signature
that verifies origin, content, and sequencing.
It does not provide confidentiality.

Public-Key Cryptosystem: Authentication and Secrecy (fig 9.4)

 It is important to emphasize that the encryption process depicted in Public Key
Cryptosystem using private key 9.1b and Public Key Cryptosystem: Authentication
9.3 does not provide confidentiality. Even in the case of complete encryption,
there is no protection of confidentiality because any observer can decrypt the
message by using the sender’s public key.
 It is, however, possible to provide both the authentication function and
confidentiality by a double use of the public-key scheme (Figure 9.4):
Z = E(PUb, E(PRa,X))
X = D(PUa, D(PRb,Z))
 It is possible to provide both the authentication function and confidentiality by a
double use of the public-key scheme (Figure 9.4):
 In this case, encrypt a message, using the sender’s private key. This provides the
digital signature. Next, encrypt again, using the receiver’s public key.
 The final ciphertext can be decrypted only by the intended receiver, who alone has
the matching private key. Thus, confidentiality is provided.
 The disadvantage of this approach is that the public-key algorithm, which is
complex, must be exercised four times rather than two in each communication

Mrs. Mangala Patil., Dept., of CSE, ICEAS 8

 MODULE 2_CNS

2. APPLICATIONS FOR PUBLIC KEY CRYPTOSYSTEM

Public-key systems are characterized by the use of a cryptographic algorithm with two keys,
one held private and one available publicly. Depending on the application, the sender uses
either the sender’s private key or the receiver’s public key, or both, to perform some type of
cryptographic function. Use of public-key cryptosystems can be classified into three
categories
■ Encryption/decryption: The sender encrypts a message with the recipient’s public key, and
the recipient decrypts the message with the recipient’s private key.
■ Digital signature: The sender “signs” a message with its private key. Signing is achieved by
a cryptographic algorithm applied to the message or to a small block of data that is a function
of the message.
■ Key exchange: Two sides cooperate to exchange a session key, which is a secret key for
symmetric encryption generated for use for a particular transaction (or session) and valid for
a short period of time
Table 9.3 indicates the applications supported by the algorithms discussed in this book.

3.REQUIREMENTS FOR PUBLIC KEY CRYPTOGRAPHY

Public Key Cryptosystems provide Confidentiality, Authenticity, Integrity and Secrecy. The
cryptosystems depend on a cryptographic algorithm based on two related keys[ PUa, PRb].
These are difficult requirements, as evidenced by the fact that only a few algorithms (RSA,
elliptic curve cryptography, Diffie–Hellman, DSS) have received widespread acceptance
1. It is computationally easy for a party B to generate a key pair (public key PUb, private key
PRb).
2. It is computationally easy for a sender A, knowing the public key of receiver and the
message to be encrypted, M, to generate the corresponding ciphertext: C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the
private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb, M)]

Mrs. Mangala Patil., Dept., of CSE, ICEAS 9

 MODULE 2_CNS

4. It is computationally infeasible for an adversary, knowing the public key, PUb, to

determine the private key, PRb.
5. It is computationally infeasible for an adversary, knowing the public key, PUb, and a
ciphertext, C, to recover the original message, M.
6. The two keys can be applied in either order: M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]
Before elaborating on why the requirements are so difficult, let us consider them. The
requirements need for a trap-door one-way function
One-way function is one that maps a domain into a range such that every function value has a
unique inverse, with the condition that the calculation of the function is easy, whereas the
calculation of the inverse is infeasible:
Y = f(X) easy
X = f -1 (Y) infeasible
Trap-door one-way function, which is easy to calculate in one direction and infeasible to
calculate in the other direction unless certain additional information is known. With the
additional information the inverse can be calculated in polynomial time. A trapdoor one-way
function is a family of invertible functions fk, such that

 Thus, the development of a practical public-key scheme depends on discovery of a

suitable trap-door one-way function.
Easy (Feasible) Problems:
 A problem is considered easy if it can be solved in polynomial time relative to the
length of the input (measured in bits).
 If an algorithm takes time proportional to na (where n is input size and a is a constant),
it belongs to the complexity class P.
 Such problems are seen as "tractable" or "efficient" because their resource
requirements grow reasonably as input size increases.
Infeasible Problems:
 A problem is considered infeasible if solving it requires more than polynomial time,
such as exponential time (2n), as input size grows.
 For example, integer factorization by brute force is exponential in the number of bits,
making it infeasible for large inputs.
 Infeasibility means that, even with powerful computers, solving large instances would
take an impractically long time.
Complexity in Cryptography:
 Cryptography relies on problems that are infeasible to solve for almost all inputs, not
just in the worst or average case.
 Traditional complexity theory focuses on worst-case or average-case complexity, but
cryptography demands stronger guarantees: functions must be hard to invert for
virtually every input, not just some.
 This distinction is crucial because a cryptosystem is only secure if attackers cannot
efficiently break it for any input, not just on average

4. PUBLIC KEY CRYPTANALYSIS

Mrs. Mangala Patil., Dept., of CSE, ICEAS 10

 MODULE 2_CNS

 Public-key encryption, like symmetric encryption, is vulnerable to brute-force attacks,

where an attacker tries all possible keys.
 The main defense is to use large keys, but there is a tradeoff: as key sizes increase, the
computational complexity of encryption and decryption grows faster than linearly,
making large keys impractical for general-purpose encryption due to slow speeds.
 As a result, public-key encryption is mainly used for key management (e.g., securely
exchanging symmetric keys) and digital signatures, not for bulk data encryption.
Private Key Recovery Attacks
 Another risk is that attackers might find a way to compute the private key from the
public key.
 There is no mathematical proof that this is impossible for any given public-key
algorithm, including RSA, so all such algorithms remain potentially vulnerable to new
cryptanalytic breakthroughs.
Probable-Message (Known-Plaintext) Attacks
 A unique threat to public-key systems is the probable-message attack. It uses a piece
of suspected plaintext and its corresponding ciphertext, to deduce the encryption key
and algorithm
 For example, if a message is just a 56-bit DES key, an attacker could encrypt all
possible 56-bit keys with the public key and match the result to the intercepted
ciphertext, reducing the attack to a brute-force search over 56 bits, regardless of the
public-key size.
 This can be prevented by appending random bits to the message, making such attacks
infeasible.
Conclusion
 Public-key encryption is powerful but has practical limits due to computational cost
and potential vulnerabilities.
 Large keys are necessary to prevent brute-force attacks, but excessive key sizes slow
down encryption and decryption.
 Public-key cryptography is best used for secure key exchange and digital signatures,
with symmetric encryption handling bulk data.

II. The RSA algorithm:

The Rivest-Shamir-Adleman (RSA) scheme is the most widely accepted and implemented
general-purpose approach to public-key encryption.
The RSA scheme is a cipher in which the plaintext and ciphertext are integers between 0 and
n - 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits. That is, n is less than
21024.
1.Description of the Algorithm
2.Computational aspects
i.Encryption/Decryption and
ii.key generation.
3. The Security of RSA

1.DESCRIPTION OF THE ALGORITHM

 RSA makes use of an expression with exponentials. Plaintext is encrypted in blocks,
with each block having a binary value less than some number n.
 the block size must be less than or equal to log2(n) + 1;

Mrs. Mangala Patil., Dept., of CSE, ICEAS 11

 MODULE 2_CNS

 the block size is i bits, where 2i <6 n<=2i+1 .

 Encryption and decryption are of the following form, for some plaintext block M and
ciphertext block C

 Both sender and receiver must know the value of n.

 The sender knows the value of e, and only the receiver knows the value of d. Thus,
this is a publickey encryption algorithm with a public key of PU = {e, n} and
 a private key of PR = {d, n}.
 For this algorithm to be satisfactory for public-key encryption, the following
requirements must be met.

 The preceding relationship holds if e and d are multiplicative inverses modulo

, where is the Euler totient function

The private key consists of {d, n} and the public key consists of {e, n}. Suppose that user
A has published its public key and that user B wishes to send the message M to A.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 12

 MODULE 2_CNS

Then B calculates C = Me mod n and transmits C. On receipt of this ciphertext, user A

decrypts by calculating M = Cd mod n.
Figure 9.5 summarizes the RSA algorithm. It corresponds to Figure 9.1a: Alice generates
a public/private key pair; Bob encrypts using Alice’s public key; and Alice decrypts using
her private key. An example from [SING99] is shown in Figure 9.6.

The factors of (160) are (1,2,4,5,8,10,16,20,32,40,80,160)

e can be chosen as 7 because its factors are (1,7) and 7 is not a factor 160, so e is taken as 7
For this example, the keys were generated as follows.

de mod 160=1

Mrs. Mangala Patil., Dept., of CSE, ICEAS 13

 MODULE 2_CNS

so, d= 3, 5,7,11,13,17 does not satisfy the above equation, so d is taken as 23, which
satisfies the above equation 23*7 mod 160=1
6. Find Public and Private keys

RSA Processing of Multiple Blocks

Below example shows the use of RSA to process multiple blocks of data. In this simple
example, the plaintext is an alphanumeric string. Each plaintext symbol is assigned a
unique code of two decimals.
digits (e.g., a = 00, A = 26). A plaintext block consists of four decimal digits, or two
alphanumeric characters.
Figure 9.7a illustrates the sequence of events for the encryption of multiple blocks, and
Figure 9.7b gives a specific example. The circled numbers indicate the order in which
operations are performed

Mrs. Mangala Patil., Dept., of CSE, ICEAS 14

 MODULE 2_CNS

Figure 9.7 RSA Processing of Multiple Blocks

 Each character in “How_are_you?” is mapped to a unique two-digit number.
 The mapping might be determined by a key, a table, or a straightforward
mathematical transformation (e.g., ASCII manipulation, modular arithmetic).
For example:
 “H” → 33
 “o” → 14
 “w” → 22
 “_” → 62
 “a” → 00
 “r” → 17
 “e” → 04
 “_” → 62
 “y” → 24
 “o” → 14

Mrs. Mangala Patil., Dept., of CSE, ICEAS 15

 MODULE 2_CNS

 “u” → 20
 “?” → 66

2. COMPUTATIONAL ASPECTS
There are actually two issues to be considered for the complexity of the computation
required to use RSA.
I. Encryption/Decryption and
ii. key generation.
1.Encryption/Decryption. Exponentiation in Modular Arithmetic
 Both encryption and decryption in RSA involve raising an integer to an integer power,
mod n. If the exponentiation is done over the integers and then reduced modulo n, the
intermediate values would be gargantuan (large).
 Fortunately, as the preceding example shows, property of modular arithmetic can be
used:
[(a mod n) * (b mod n)] mod n = (a * b) mod n
 Thus, reduce intermediate results modulo n. This makes the calculation practical
 Another consideration is the efficiency of exponentiation. To see how efficiency
might be increased, consider that we wish to compute x 16. A straightforward
approach requires 15 multiplications:
x16 = x * x * x * x * x * x * x * x * x * x * x * x * x * x * x * x
 However, the same final result can be achieved with only four multiplications if we
repeatedly take the square of each partial result, successively forming (x 2 , x4 , x8 ,
x16).
 As another example, suppose we wish to calculate x11 mod n for some integers x and
n. Observe that x11 = x1+2+8 = (x)(x2 )(x8 ).
 In this case, we compute x mod n, x2 mod n, x4 mod n, and x8 mod n and then
calculate [(x mod n) * (x2 mod n) * (x8 mod n)] mod n.

Therefore, algorithm for computing ab mod n is developed, shown in the below Figure. The
final value of c is the value of the exponent. So, develop the algorithm for computing ab mod
n, shown

Mrs. Mangala Patil., Dept., of CSE, ICEAS 16

 MODULE 2_CNS

I. Efficient Operation Using the Public Key

 To speed up the operation of the RSA algorithm using the public key, a specific
choice of e is usually made. The most common choice is 65537 (2 16 + 1); two other
popular choices are 3 and 17
 However, with a very small public key, such as e = 3, RSA becomes vulnerable to a
simple attack. Suppose we have three different RSA users who all use the value e = 3
but have unique values of n, namely (n1, n2, n3).
 If user A sends the same encrypted message M to all three users, then the three
ciphertexts are
C1 = M3 mod n1, C2 = M3 mod n2, and C3 = M3 mod n3. It is likely that n1, n2, and
n3 are pairwise relatively prime.
 Therefore, one can use the Chinese remainder theorem (CRT) to compute M3 mod
(n1n2n3). By the rules of the RSA algorithm, M is less than each of the ni ; therefore
M3 < n1n2n3.
 Accordingly, the attacker need only compute the cube root of M3. This attack can be
countered by adding a unique pseudorandom bit string as padding to each instance of
M to be encrypted.

ii.Efficient Operation Using the Private Key

 We cannot similarly choose a small constant value of d for efficient operation. A
small value of d is vulnerable to a brute-force attack and to other forms of
cryptanalysis [WIEN90]. However, there is a way to speed up computation using the
CRT. To compute the value M = Cd mod n. Let us define the following intermediate
results:

Mrs. Mangala Patil., Dept., of CSE, ICEAS 17

 MODULE 2_CNS

The quantities d mod (p - 1) and d mod (q - 1) can be pre calculated. The end result is that the
calculation is approximately four times as fast as evaluating M = Cd mod n directly

2.Key Generation
Each participant must generate a pair of keys. This involves the following tasks.
I. Determining two prime numbers, p and q.
ii Selecting either e or d and calculating the other.
i. Determining two prime numbers, p and q.
 When selecting the primes p and q for cryptographic algorithms such as RSA, they
must be large enough to prevent their discovery by exhaustive search, since the
product n=pq will be public.
 Instead, the standard approach is to randomly select odd numbers of the desired size
and test them for primality until a suitable prime is found. Most primality tests used
for this purpose are probabilistic. These tests do not guarantee that a number is prime,
but can determine with high probability that a number is "probably prime.
 " The Miller–Rabin” test is a widely used example.
 In this test, a randomly chosen integer a is used in a calculation involving the
candidate number n. If n fails the test, it is definitely composite.
 If it passes, it may be prime, and repeating the test with different values of a
increases confidence in the result.
 By running these tests multiple times, the probability of incorrectly identifying
a composite as prime can be made arbitrarily small, making the process both
practical and secure for cryptographic applications.
In summary, the procedure for picking a prime number is as follows.
1. Pick an odd integer n at random (e.g., using a pseudorandom number generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller–Rabin, with a as a
parameter. If n fails the test, reject the value n and go to step 1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2.
 The prime number theorem, states that, on average, one would have to test on the
order of ln(N) integers before a prime is found.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 18

 MODULE 2_CNS

 Actually, because all even integers can be immediately rejected, the correct figure is
ln(N)/2. For example, if a prime on the order of magnitude of 2200 were sought, then
about ln(2200)/2 = 70 trials would be needed to find a prime.

ii.Selecting either e or d and calculating the other

 The process of key generation is completed by selecting a value of e and calculating d
or, alternatively, selecting a value of d and calculating e. Assuming the former, then
we need to select an e such that

calculate the greatest common divisor of two integers and, if the gcd is 1, determine
the inverse of one of the integers modulo the other using extended Euclid’s algorithm.
 The probability that two randomly chosen integers are relatively prime is exactly 6/π2,
which is approximately 60.8%. This means that, on average, you would only need to
test a small number of random integers before finding one that is relatively prime
to f(n)

3. THE SECURITY OF RSA

Five possible approaches to attacking the RSA algorithm are
1. Brute force: This involves trying all possible private keys.
2. Mathematical attacks: There are several approaches, all equivalent in effort to factoring the
product of
two primes.
3. Timing attacks: These depend on the running time of the decryption algorithm.
4. Hardware fault-based attack: This involves inducing hardware faults in the processor that is
generating
digital signatures.
5.Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.
 An overview of mathematical and timing attacks.

1. Brute force: The defence against the brute-force approach is the same for RSA as for other
cryptosystems, namely, to use a large key space. Thus, the larger the number of bits in d, the
better. However, because the calculations involved, both in key generation and in
encryption/decryption
2. Mathematical attacks: RSA Security and Factoring
 The security of RSA is directly linked to the difficulty of factoring large number n
into its two prime factors p and q.
 If an attacker can factor n, they can compute Euler’s totient function φ(n)=(p−1)(q−1),
which allows them to derive the private key d from the public key components e and
n.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 19

 MODULE 2_CNS

 Determining d given e and n is, with current algorithms, considered at least as hard as
factoring n.
Implications for Key Size and Security
 The increase in computing power and improvements in factoring algorithms have made
smaller RSA key sizes insecure.
 Factoring a 1024-bit RSA modulus is estimated to be about a thousand times harder
than a 768-bit modulus, but experts predicted that a 1024-bit modulus could be factored
within a decade by a determined academic effort.
 Therefore, 1024-bit RSA keys are now considered vulnerable, and it is recommended
to use larger key sizes (at least 2048 bits) for secure applications.
 To avoid values of n that may be factored more easily, the algorithm’s inventors
suggest the following constraints on p and q.
1. p and q should differ in length by only a few digits. Thus, for a 1024-bit key
(309 decimal digits), both p and q should be on the order of magnitude of
1075 to 10100.
2. Both (p - 1) and (q - 1) should contain a large prime factor.
3. gcd(p - 1, q - 1) should be small. In addition, it has been demonstrated that if
e <n and d <n1/4, then d can be easily determined [WIEN90].
Summary Table: Key Size vs. Security

3. Timing Attacks:
Attackers analyse how long it takes a system to encrypt or decrypt data. If processing time
varies based on input, they might infer parts of the key.
 Although the timing attack is a serious threat, there are simple countermeasures that can be
used, including the following.
1. Constant exponentiation time: Ensure that all exponentiations take the same amount of
time before returning a result. This is a simple fix but does degrade performance.
2. Random delay: Better performance could be achieved by adding a random delay to the
exponentiation algorithm to confuse the timing attack. Further, if defenders don’t add
enough noise, attackers could still succeed by collecting additional measurements to
compensate for the random delays.

4. Blinding:
Multiply the ciphertext by a random number before performing exponentiation. This process
prevents the attacker from knowing what ciphertext bits are being processed inside the
computer and therefore prevents the bit-by-bit analysis essential to the timing attack.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 20

 MODULE 2_CNS

5.Fault-Based Attack on RSA

Fault-based attacks exploit hardware vulnerabilities to extract cryptographic secrets, but
require significant physical access and technical capability to execute
A fault-based attack on RSA targets the hardware performing RSA signature
computations by deliberately inducing errors—typically by manipulating the power supply to
the processor. These faults cause the processor to generate incorrect (faulty) digital
signatures. By collecting and analyzing these invalid signatures, an attacker can extract
information about the private RSA key.
The attack works as follows:
 The attacker induces transient faults (such as single-bit errors) during the signature
computation by varying the voltage supply to the processor
 These faults result in incorrect signatures, which the attacker can observe and collect.
 By analysing enough faulty signatures, the attacker can mathematically deduce the
private key used for RSA signatures.
However, this attack is not considered a widespread threat because it requires:
 Physical access to the target machine.
 The ability to precisely control the processor's power supply, often needing access to
hardware-level power controls, not just the main power input.

6. CHOSEN CIPHERTEXT ATTACK AND OPTIMAL ASYMMETRIC ENCRYPTION PADDING

 The basic RSA algorithm is vulnerable to a chosen ciphertext attack (CCA). CCA is defined
as an attack in which the adversary chooses a number of ciphertexts and then given the
corresponding plaintexts, decrypted with the target’s private key.
 Thus, the opponent could select a plaintext, encrypt it with the target’s public key, and then
be able to get the plaintext back by having it decrypted with the private key. Clearly, this
provides the adversary with no new information. Instead, the adversary exploits properties of
RSA and selects blocks of data that, when processed using the target’s private key, yield
information needed for cryptanalysis.
 A simple example of a CCA against RSA takes advantage of the following property of RSA:

Mrs. Mangala Patil., Dept., of CSE, ICEAS 21

 MODULE 2_CNS

 Therefore, Y = (2M)e mod n. From this, an attacker can deduce M.

 To overcome chosen ciphertext attack , optimal asymmetric encryption padding (OAEP) is
recommended

Below Figure depicts OAEP encryption.

1.The message M to be encrypted is padded. A set of optional parameters, P, is passed through a

hash function, H.
2.The output is then padded with zeros to get the desired length in the overall data block (DB).
3.Next, a random seed is generated and passed through another hash function, called the mask
generating function (MGF).
4.The resulting hash value is bit by-bit XORed with DB to produce a maskedDB. The maskedDB
is in turn passed through the MGF to form a hash that is XORed with the seed to produce the
maskedseed.
5.The concatenation of the maskedseed and the maskedDB forms the encoded message EM.
Note that the EM includes the padded message, masked by the seed, and the seed, masked by the
maskedDB. The EM is then encrypted using RSA.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 22

 MODULE 2_CNS

DIFFIE-HELLMAN KEY EXCHANGE:

The purpose of the algorithm is to
 Enable two users to securely exchange a key that can then be used for subsequent symmetric
encryption of messages.
 The Diffie–Hellman algorithm depends on the difficulty of computing discrete logarithms. A
primitive root of a prime number p is one whose powers modulo p generate all the integers
from 1 to p - 1. That is, if a is a primitive root of the prime number p, then the numbers
a mod p, a2 mod p . . . , ap-1 mod p
are distinct and consist of the integers from 1 through p - 1 in some permutation. For any
integer b and a primitive root a of prime number p, we can find a unique exponent i such that

 The exponent i is referred to as the discrete logarithm of b for the base a, mod p.
 This value is expressed as dloga,p(b).

1.THE ALGORITHM
[ Explain the Diffie–Hellman Key Exchange Protocol and show its calculations or Explain
the Diffie–Hellman Key Exchange Algorithm]
The Diffie–Hellman algorithm enables two users to securely exchange a key that can then be
used for subsequent symmetric encryption of messages.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 23

 MODULE 2_CNS

 The Diffie–Hellman algorithm depends on the difficulty of computing discrete

logarithms. Below Figure summarizes the Diffie–Hellman key exchange algorithm.
 For this scheme, there are two publicly known numbers:
i. a prime number q and
ii. an integer a that is a (alpha) primitive root q.
 Suppose the users A and B wish to create a shared key.

1.User A selects a random integer XA < q and computes

2.Similarly, user B independently selects a random integer XB < q and compute

s.
 Each side keeps the X value private and makes the Y value available publicly to the
other side. Thus, XA is A’s private key and YA is A’s corresponding public key, and
similarly for B.
3 User A computes the key as K = (YB) XA mod q and user B computes the key as K = (YA)
XB
mod q. These two calculations produce identical results:

Fig. The Diffie–Hellman Key Exchange

A discrete logarithm is used to determine the key. For example, to determine the private key of
user B, an opponent must compute

Mrs. Mangala Patil., Dept., of CSE, ICEAS 24

 MODULE 2_CNS

Example

Above is given in the book which is solved as below

Evaluate a Diffie–Hellman Key Exchange concept for the prime number q = 353 and a primitive root of 353,
A and B select private keys XA = 97 and XB = 233, respectively. Find YA ,YB and secrete key K

1.User A computes his public key , YA

YA=397 mod 353

97=64+32+1
So, Need to find 364*332*3 1
Calculate squared powers
 3 1 mod 353=3
 3 2 mod 353 = 9 mod 353 =9
 3 4 mod 353=92 mod 353 = 81 mod 353= 81
 3 8 mod 353=812 mod 353
=6561 mod 353
=6561/353
=18.5864-18
=0.5864*353
=207

 3 16 mod 353 = 2072 mod 353

Mrs. Mangala Patil., Dept., of CSE, ICEAS 25

 MODULE 2_CNS

=42848/353
=121.3852-121
=.3852*353
=136
 3 32 mod 353=1362 mod 353
=18496/353=52.3966-52=.3966=140
 3 64 mod 353 = 1402 mod 353
=19600/353=55.5240-55=.5240*353=185
64 32 1
3 *3 *3 = (185*140*3) mod 353
=77700 mod 353
 Divide 77700 by 353:
 77700÷353≈220.13677700≈220.136
 The integer part (quotient) is 220.
220.136-220=.136*353=40
YA=397 mod 353= (364*332*3 1 ) mod 353 =40
=(185*140*3) mod 353
2.User B computes his public key , YB

Given data: XB = 233 and q = 353

233
So, YB= 3 mod 353
YB= 3233 mod 353
364*364*364*332*38*3 1 = 3233
364 mod 353=185
332 mod 353=140
38 mod 353=207
31 mod 353=3
(185*185*185*207*3) mod 353
= 550,471,477,500 mod 353
= 550,471,477,500 /353
=1,559,409,283.702-550,471,477,500
= .702 mod 353
=248
YB= 3233 mod 353
=248
3.Once A and B compute their public keys, they exchange them and calculates the
secrete keys
User A computes the key as K = (YB) XA mod q
Given data: XA=97 , q=353
YB evaluated as 248
K=248 97 mod 353
248 97 can be calculated as below
K= (248 64 *248 32 *2481 ) mod 353
To find 248 64 , Calculate squared powers
 248 1 mod 353=248
 2482 mod 353 = 61504 mod 353
=61504÷353=174.2322

Mrs. Mangala Patil., Dept., of CSE, ICEAS 26

 MODULE 2_CNS

=174.2322-174=.2322
=.2322*353
=82
 2484 mod 353=882 mod 353 = 6724 mod 353
= 6724÷353=19.0481-19=.0481*353
=17
 2488 mod 353=172 mod 353
= 289 mod 353=289÷353
=0.8186*353
=289
 248 mod 353 = 2892 mod 353
16

=83521÷353
=236.6033-236
=.6033*353
=213
 248 mod 353 = 2132 mod 353
32

=45369÷353
=128.5240-128
=.5240*353
=185
 24864 mod 353 = 1852 mod 353
=34255÷353
=96.9546-96
=.9546*353
=337

K=248 97 mod 353

= 64+32+1=97
= (248 64 *248 32 *248 1 ) mod 353
= (337*185*248) mod 353
=15461560 mod 353
15461560 mod 353 =15461560÷353=43800.4532-43800=.4532
=.4532*353=160
K=248 97 mod 353 =160
4.In the same way user B generates the key

 In this simple example, it would be possible by brute force to determine the secret key
160. An attacker E can determine the common key by discovering a solution to
the equation 3 mod 353 = 40 or the equation 3b mod 353 = 248.
a

 The brute-force approach is to calculate powers of 3 modulo 353, stopping when the
result equals either 40 or 248. The desired answer is reached with the exponent value
of 97, which provides 397 mod 353 = 40. With larger numbers, the problem becomes
impractical.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 27

 MODULE 2_CNS

Solve the below problem

2. KEY EXCHANGE PROTOCOLS [Explain the Diffie–Hellman Key Exchange Protocol]

 Below Figure shows a simple protocol that makes use of the Diffie–Hellman calculation.
Suppose that user A wishes to set up a connection with user B and use a secret key to
encrypt messages on that connection.
 User A can generate a one-time private key X A, calculate YA, and send that to user
B.
 User B responds by generating a private value X B, calculating YB, and sending YB to
user A.
 Both users can now calculate the key.
 As an example of another use of the Diffie–Hellman algorithm, suppose that a group
of users (e.g., all users on a LAN) each generate a long-lasting private value Xi (for
user i) and calculate a public value Yi . These public values, together with global
public values for q and a, are stored in some central directory. At any time, user j can
access user i’s public value, calculate a secret key, and use that to send an encrypted
message to user A.
 If the central directory is trusted, then this form of communication provides both
confidentiality and a degree of authentication.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 28

 MODULE 2_CNS

Fig. The Diffie–Hellman Key Exchange

3. MAN-IN-THE-MIDDLE ATTACK
The Diffie–Hellman Key Exchange protocol is insecure against a man-in-the-middle attack.
Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows (Figure 10.2).

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 29

 MODULE 2_CNS

Figure 10.2 Man-in-the-Middle Attack

The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants.

ELLIPTIC CURVE CRYPTOGRAPHY

The addition operation in ECC is the counterpart of modular multiplication in RSA, and
multiple addition is the counterpart of modular exponentiation.
To form a cryptographic system using elliptic curves, we need to find a “hard problem”
corresponding to factoring the product of two primes or taking the discrete logarithm.

Because 9P = (4, 5) = Q, the discrete logarithm Q = (4, 5) to the base P = (16, 5) is k = 9.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 30

 MODULE 2_CNS

In a real application, k would be so large as to make the bruteforce approach infeasible. In

the remainder of this section, we show two approaches to ECC that give the flavor of this
technique.

1.ANALOG OF DIFFIE–HELLMAN KEY EXCHANGE (ECC Diffie–Hellman Key

Exchange)
(ECC) is a public key cryptographic technique that uses the mathematics of elliptic curves
over finite fields to create secure, efficient keys for encryption and decryption. Unlike RSA,
ECC does not directly encrypt messages but uses a hybrid scheme—typically combining
elliptic curve key agreement (like ECDH) with symmetric encryption.
Elliptic Curve is defined by the below equations. Key exchange using elliptic curves can be
done in the following manner.
y2 mod p = (x3 + ax + b) mod p (10.5)
2 3 2
y + xy = x + ax + b (10.7)
1.Pick a large integer q, which is either a prime number p or an integer of the form 2 m, and
elliptic curve parameters a and b for the above two equations. This defines the elliptic group
of points Eq(a, b).
2.Pick a base point G = (x1, y1) in E q(a, b) whose order is a very large value n. The order n of
a point G on an elliptic curve is the smallest positive integer n such that nG = 0 and G are
parameters of the cryptosystem known to all participants.
A key exchange between users A and B can be accomplished as follows (Figure 10.7)

To break this scheme, an attacker would need to be able to compute k given G and kG, which
is assumed to be hard.
 As an example, take p = 211; Ep(0, -4), which is equivalent to the curve y2 = x3 - 4;
and G = (2, 2).
 One can calculate that 240G = O.
1. User A‘s key generation
A’s private key is nA = 121,
so A’s public key is PA = nA * G=121(2, 2) = (115, 48).
2. User B’s key generation
B’s private key is , nB = 203
B’s public key PB =nB*G,
so B’s public key = 203(2, 3) = (130, 203).
3.The shared secret key is K= nA * PB
= 121(130, 203) = 203(115, 48) = (161, 69)

Mrs. Mangala Patil., Dept., of CSE, ICEAS 31

 MODULE 2_CNS

2.ELLIPTIC CURVE ENCRYPTION/DECRYPTION

The first task in this system is to encode the plaintext message m to be sent as an (x, y) point
Pm.
It is the point Pm that will be encrypted as a ciphertext and decrypted. Note that we cannot
simply encode the message as the x or y coordinate of a point, because not all such coordinates
are in Eq(a, b)

PB=nB*G Substituted is in the above equation

 A has masked the message Pm by adding kPB to it. Nobody but A knows the
value of k, so even though Pb is a public key, nobody can remove the mask kPB.
Mrs. Mangala Patil., Dept., of CSE, ICEAS 32
 MODULE 2_CNS

 However, A also includes a “clue,” which is enough to remove the mask if one
knows the private key nB. For an attacker to recover the message, the attacker would have to
compute k given G and kG, which is assumed to be hard.
Let us consider a simple example.
The global public elements are
q = 257;
Eq(a, b) = E257(0, -4), which is equivalent to the curve y2 = x3 - 4; and
G = (2, 2).
Bob’s private key is nB = 101, and
his public key is PB = nBG = 101(2, 2) = (197, 167).
Alice wishes to send a message to Bob that is encoded in the elliptic point P m = (112, 26).
Alice choose random integer k
= 41 and
computes kG = 41(2, 2) = (136, 128),
kPB = 41(197, 167) = (68, 84) and
Pm + kPB = (112, 26) + (68, 84) = (246, 174).
Alice sends the ciphertext Cm = (C1, C2) = {(136, 128), (246, 174)} to Bob. Bob receives the
ciphertext and computes
C2 - nBC1 = (246, 174) - 101(136, 128)
= (246, 174) - (68, 84)
= (112, 26).

3.THE SECURITY OF ECC

 The security of ECC depends on how difficult it is to determine k given kP and P.
This is referred to as the elliptic curve logarithm problem. The fastest known
technique for taking the elliptic curve logarithm is known as the Pollard rho method.
Table 10.3, from NIST SP 800-57, compares various algorithms by showing
comparable key sizes in terms of computational effort for cryptanalysis. As can be
seen, a considerably smaller key size can be used for ECC compared to RSA.
 Based on this analysis, SP 800-57 recommends that at least through 2030, acceptable
key lengths are from 3072 to 14,360 bits for RSA and 256 to 512 bits for ECC.
 Similarly, the European Union Agency for Network and Information Security
(ENISA) recommends in their 2014 report (Algorithms, Key Size and Parameters
report—2014, November 2014) minimum key lengths for future system of 3072 bits
and 256 bits for RSA and ECC, respectively.

Mrs. Mangala Patil., Dept., of CSE, ICEAS 33

 MODULE 2_CNS

VTU QUESTIONS
Refer assignments questions, IA question paper, below questions and any topic not included in
all three.
1.Explain six ingredients of public key cryptography [8]
2. Explain RSA operation in detail. Encryption and decryption p=3, q=11 and c=7 and
M=5[10]
3Explain Diffie–Hellman key exchange algorithm and perform encryption and decryption

Mrs. Mangala Patil., Dept., of CSE, ICEAS 34

 MODULE 2_CNS

Mrs. Mangala Patil., Dept., of CSE, ICEAS 35