
CS8792 CRYPTOGRAPHY AND NETWORK SECURITY

UNIT - I

Security trends - Legal, Ethical and Professional Aspects of Security, Need for Security at Multiple levels, Security Policies - Model of network security - Security attacks, services and mechanisms - OSI security architecture - Classical encryption techniques: substitution techniques, transposition techniques, steganography - Foundations of modern cryptography: perfect security - information theory - product cryptosystem - cryptanalysis.
BACKGROUND

• information security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission
DEFINITIONS

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
SECURITY TRENDS
• computer security: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (hardware, software, firmware, information/data, and telecommunications)
• three key objectives are at the heart of computer security:
❖ Confidentiality: this term covers two related concepts:
➢ Data confidentiality: assures that private or confidential information is not made available or disclosed to unauthorized individuals
➢ Privacy: assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed
❖ Integrity: this term covers two related concepts:
➢ Data integrity: assures that information and programs are changed only in a specified and authorized manner
➢ System integrity: assures that a system performs its intended function in an unimpaired manner, free from deliberate or unintended unauthorized manipulation of the system
❖ Availability: assures that systems work promptly and service is not denied to authorized users
• these three concepts form what is often referred to as the CIA triad
• they embody the fundamental security objectives for both data and for information and computing services
AIM OF COURSE
• our focus is on Internet Security
• which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission and storage of information
Model for Network Security
• a message is to be transferred from one party to another across some sort of Internet service
• the two parties, who are the principals in this transaction, must cooperate for the exchange to take place
• a logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals
• all techniques for providing security have two components:
➢ a security-related transformation on the information to be sent; examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent
➢ some secret information shared by the two principals and, it is hoped, unknown to the opponent; an example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception
• a trusted third party may be needed to achieve secure transmission:
➢ for distributing the secret information to the two principals
➢ to arbitrate disputes between the two principals concerning the authenticity of a message transmission
Four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
Network Access Security Model
• protecting an information system from unwanted access by a hacker or intruder
• a hacker, with no harmful intent, may simply get satisfaction from breaking into a computer system
• an intruder can be a disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer assets for financial gain
Two kinds of threats:
• Information access threats: intercept or modify data on behalf of users who should not have access to that data
• Service threats: exploit service flaws in computers to inhibit use by legitimate users
• Examples: viruses and worms, introduced via removable disks or inserted over the network
OSI SECURITY ARCHITECTURE

• ITU-T (International Telecommunication Union) X.800 - "Security Architecture for OSI"
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts
ASPECTS OF SECURITY

• consider 3 aspects of information security:
– security attack
– security mechanism
– security service
SECURITY ATTACK
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• threat and attack are often used to mean the same thing
• there is a wide range of attacks
• can focus on two generic types of attacks:
– passive
– active
• passive attacks attempt to learn or make use of information from the system but do not affect system resources
• by eavesdropping on, or monitoring of, transmissions to:
+ obtain message contents
+ monitor traffic flows
• difficult to detect because they do not involve any alteration of the data
• the emphasis in dealing with passive attacks is on prevention rather than detection
Two types of passive attacks:

▪ Release of message contents
▪ Traffic analysis
Release of Message Contents
• a telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information
• we would like to prevent an opponent from learning the contents of these transmissions
Traffic Analysis
• suppose we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from it
• the common technique for masking contents is encryption
• even with encryption protection in place, an opponent might still be able to observe the pattern of these messages: which hosts are communicating, and the frequency and length of the messages exchanged
• passive attacks are very difficult to detect, because they do not involve any alteration of the data
• message traffic is sent and received in an apparently normal fashion, and neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern
Active attacks
• active attacks involve some modification of the data stream or the creation of a false stream
• subdivided into four categories:
❖ Masquerade
❖ Replay
❖ Modification of messages
❖ Denial of service
Masquerade
• a masquerade takes place when one entity pretends to be a different entity
• a masquerade attack usually includes one of the other forms of active attack
• for example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges
Replay
• replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Modification of messages
• modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect
• for example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts"
Denial of Service
• prevents or inhibits the normal use or management of communications facilities
• this attack may have a specific target (e.g., suppressing all messages directed to a particular destination) or may disrupt an entire network
• active attacks present the opposite characteristics of passive attacks
• whereas passive attacks are difficult to detect, measures are available to prevent their success
• on the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities
• instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them
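The replay attack above is easiest to see with both sides' messages in code. The following Python is an added example, not part of the original slides: it assumes a secret shared by the two principals and an HMAC-SHA256 integrity tag as the "security-related transformation" (both are this example's assumptions; the slides name no mechanism). The first receiver checks only that the tag is valid, so a passively captured data unit is accepted again when retransmitted; the second binds a strictly increasing sequence number into the tagged data and rejects anything not newer than what it has already seen.

```python
import hashlib
import hmac

# Constructed shared secret for the two principals (an assumption of this
# example: some secret known to sender and receiver but not to the opponent).
SHARED_KEY = b"example-shared-secret-not-for-production"


def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over data: proves the data came from a key holder and was
    not modified, but by itself says nothing about whether it is fresh."""
    return hmac.new(key, data, hashlib.sha256).digest()


class NaiveReceiver:
    """Checks origin/integrity only, so a captured data unit is accepted again."""

    def __init__(self, key: bytes):
        self.key = key
        self.accepted = []

    def receive(self, message: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(tag(self.key, message), t):
            return False                      # forged or corrupted
        self.accepted.append(message)
        return True


class CounterReceiver:
    """Binds a strictly increasing sequence number into the tagged data, so an
    old data unit fails the freshness check even though its tag is valid."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, seq: int, message: bytes, t: bytes) -> bool:
        data = seq.to_bytes(8, "big") + message
        if not hmac.compare_digest(tag(self.key, data), t):
            return False                      # forged or corrupted
        if seq <= self.last_seq:
            return False                      # replay (or reordered old message)
        self.last_seq = seq
        self.accepted.append(message)
        return True


def naive_replay_demo() -> int:
    """Opponent passively captures one tagged transfer and re-sends it.
    Returns how many times the naive receiver acted on it."""
    rx = NaiveReceiver(SHARED_KEY)
    msg = b"transfer 100 to account 42"
    t = tag(SHARED_KEY, msg)                  # sender's legitimate transmission
    rx.receive(msg, t)
    rx.receive(msg, t)                        # the replayed copy
    return rx.accepted.count(msg)


def counter_replay_demo() -> int:
    """The same capture-and-replay against the counter-protected receiver."""
    rx = CounterReceiver(SHARED_KEY)
    msg = b"transfer 100 to account 42"
    seq = 1
    t = tag(SHARED_KEY, seq.to_bytes(8, "big") + msg)
    rx.receive(seq, msg, t)
    rx.receive(seq, msg, t)                   # replay of the captured data unit
    return rx.accepted.count(msg)


if __name__ == "__main__":
    print("naive receiver acted on the transfer", naive_replay_demo(), "time(s)")
    print("counter receiver acted on the transfer", counter_replay_demo(), "time(s)")
```

The tag must cover the sequence number, otherwise the opponent could simply renumber the captured data unit. A bare counter also has to survive receiver restarts (persist it) and does not tolerate legitimate reordering; deployed protocols use windows, nonces or timestamps for that, but the principle is the same: freshness has to be part of what is authenticated.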
SECURITY SERVICE

• a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
• the services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service
• security services implement security policies and are implemented by security mechanisms

SECURITY SERVICES

• X.800:
"a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers"
• RFC 2828:
"a processing or communication service provided by a system to give a specific kind of protection to system resources"
X.800
• divides these services into five categories and fourteen specific services
Authentication
• the assurance that the communicating entity is the one that it claims to be
• two types:
o Peer Entity Authentication
✓ used in association with a logical connection to provide confidence in the identity of the entities connected
o Data-Origin Authentication
✓ in a connectionless transfer, provides assurance that the source of received data is as claimed
Access control
▪ the prevention of unauthorized use of a resource
▪ this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do
Data confidentiality
• the protection of data from unauthorized disclosure
• four types:
o Connection Confidentiality
✓ protection of all user data on a connection
o Connectionless Confidentiality
✓ protection of all user data in a single data block
o Selective-Field Confidentiality
✓ confidentiality of selected fields within the user data on a connection or in a single data block
o Traffic-Flow Confidentiality
✓ protection of the information that might be derived from observation of traffic flows
Data Integrity
• the assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay)
➢ Connection Integrity with Recovery
✓ provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted
➢ Connection Integrity without Recovery
✓ as above, but provides only detection without recovery
➢ Selective-Field Connection Integrity
✓ provides for the integrity of selected fields within the user data of a data block transferred over a connection
➢ Connectionless Integrity
✓ provides for the integrity of a single connectionless data block
➢ Selective-Field Connectionless Integrity
✓ provides for the integrity of selected fields within a single connectionless data block
Non-repudiation
❖ provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication
➢ Nonrepudiation, Origin
✓ proof that the message was sent by the specified party
➢ Nonrepudiation, Destination
✓ proof that the message was received by the specified party
SECURITY MECHANISM
• a feature designed to detect, prevent, or recover from a security attack
• no single mechanism will support all the services required
• however, one particular element underlies many of the security mechanisms in use: cryptographic techniques
• mechanisms are divided into:
✓ those implemented in a specific protocol layer, such as TCP or an application-layer protocol
✓ those that are not specific to any particular protocol layer or security service
Security Mechanisms: X.800
• Specific Security Mechanisms:
▪ may be incorporated into the appropriate protocol layer in order to provide some of the OSI security services
➢ Encipherment
✓ the use of mathematical algorithms to transform data into a form that is not readily intelligible
✓ the transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys
➢ Digital Signature
✓ data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery
➢ Access Control
✓ a variety of mechanisms that enforce access rights to resources
➢ Data Integrity
✓ a variety of mechanisms used to assure the integrity of a data unit or stream of data units
➢ Authentication Exchange
✓ a mechanism intended to ensure the identity of an entity by means of information exchange
➢ Traffic Padding
✓ the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts
➢ Routing Control
✓ enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected
➢ Notarization
✓ the use of a trusted third party to assure certain properties of a data exchange
• Pervasive Security Mechanisms:
▪ mechanisms that are not specific to any particular OSI security service or protocol layer
➢ Trusted Functionality
✓ that which is perceived to be correct with respect to some criteria (e.g., as established by a security policy)
➢ Security Label
✓ the marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource
➢ Event Detection
✓ detection of security-relevant events
➢ Security Audit Trail
✓ data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities
➢ Security Recovery
✓ deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions
Classical Encryption Techniques

CRYPTOGRAPHY
• cryptography is the study of secret (crypto-) writing (-graphy)
• concerned with developing algorithms which may be used to:
– conceal the content of some message from all except the sender and recipient (privacy or secrecy)
– verify the correctness of a message to the recipient (authentication or integrity)
• the basis of many technological solutions to computer and communications security problems
BASIC TERMINOLOGY
• Cryptography - the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form
• Plaintext - the original intelligible message
• Ciphertext - the transformed (unintelligible) message
• Cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods
• Key - some critical information used by the cipher, known only to the sender and receiver
BASIC TERMINOLOGY

• Encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key
• Decipher (decode) - the process of converting ciphertext back into plaintext using a cipher and a key
• Cryptanalysis (codebreaking) - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key
• Cryptology - the field encompassing both cryptography and cryptanalysis
BASIC TERMINOLOGY

• Encryption
– the mathematical function mapping plaintext to ciphertext using the specified key:
  Y = E_K(X), also written E(K, X)
• Decryption
– the mathematical function mapping ciphertext to plaintext using the specified key:
  X = D_K(Y), also written D(K, Y), where D_K = E_K^-1
BASIC TERMINOLOGY
• Cryptographic system (Cryptosystem)
A cryptosystem is a five-tuple (P, C, K, E, D), where the following conditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the keyspace, is a finite set of possible keys
4. For each K ∈ K, there is an encryption algorithm E_K ∈ E and a corresponding decryption algorithm D_K ∈ D. Each E_K : P → C and D_K : C → P are functions such that D_K(E_K(X)) = X for every plaintext X ∈ P.
Symmetric Encryption
➢ conventional / private-key / single-key
➢ sender and recipient share a common key
➢ all classical encryption algorithms are private-key
➢ was the only type prior to the invention of public-key cryptography in the 1970s
➢ by far the most widely used
SIMPLIFIED CONVENTIONAL ENCRYPTION MODEL

Kerckhoffs's Principle
"Encryption algorithms being used should be assumed to be publicly known and the security of the algorithm should reside only in the key chosen"
CONVENTIONAL CRYPTOSYSTEM MODEL

Requirements

➢ two requirements for secure use of symmetric encryption:
➢ a strong encryption algorithm
➢ a secret key known only to sender and receiver
➢ mathematically we have:
➢ Y = E_K(X)
➢ X = D_K(Y)
➢ assume the encryption algorithm is known
➢ this implies that a secure channel is needed to distribute the key
Cryptography
characterize a cryptographic system by:
➢ the type of encryption operations used
✓ substitution / transposition / product
➢ the number of keys used
✓ single-key or private / two-key or public
➢ the way in which plaintext is processed
✓ block / stream
CRYPTANALYSIS
• the process of attempting to discover X or K or both
• various types of cryptanalytic attacks, classified by what the attacker has: ciphertext only, known plaintext, chosen plaintext, chosen ciphertext
EXHAUSTIVE KEY SEARCH

• brute-force attack
• always theoretically possible to simply try every key
• the most basic attack; the effort is directly proportional to the key size (on average half of all keys must be tried before the right one is found)
• assumes the attacker either knows or can recognize the plaintext when it is found

– Average Time Required for Exhaustive Key Search (table in the original figure)

UNCONDITIONAL AND COMPUTATIONAL SECURITY

• Unconditionally secure (perfectly secure)
– no matter how much computing power is available, the cipher cannot be broken, since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• Computationally secure
– the cost of breaking the cipher exceeds the value of the encrypted information
– the time required to break the cipher exceeds the useful lifetime of the information
CLASSICAL ENCRYPTION TECHNIQUES

• Substitution Techniques
– Caesar Cipher
– Monoalphabetic Ciphers
– Playfair Cipher
– Hill Cipher
– Polyalphabetic Ciphers
– One-Time Pad
• Transposition (Permutation) Techniques
– Rail Fence Technique
– Block (Columnar) Transposition Technique
• Product Techniques
– substitution and transposition ciphers are concatenated

Classical Substitution Ciphers

➢ letters of plaintext are replaced by other letters or by numbers or symbols
➢ or, if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns
CAESAR CIPHER

• used some 2000 years ago by Julius Caesar
• the earliest known, and simplest, substitution cipher; its first attested use was in military affairs
• replace each letter with the letter standing 3 places further down the alphabet
– Plain: meet me after the toga party
– Cipher: PHHW PH DIWHU WKH WRJDSDUWB

• no key, just one fixed mapping (translation):
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• assigning a numerical value to each letter (a = 0, b = 1, ..., z = 25):
c_i = E(3, p_i) = (p_i + 3) mod 26
p_i = D(3, c_i) = (c_i - 3) mod 26

GENERALIZED CAESAR CIPHER

• can use any shift from 1 to 25, i.e., replace each letter by a letter a fixed distance away:
c_i = E(k, p_i) = (p_i + k) mod 26
p_i = D(k, c_i) = (c_i - k) mod 26
• shift cipher
• key = k

• key letter: the letter that plaintext A maps to
– e.g. a key letter of F means A maps to F, B to G, ..., Y to D, Z to E
• hence have 26 (25 useful) ciphers
– key space = 26
BRUTE-FORCE CRYPTANALYSIS OF CAESAR CIPHER

• ciphertext-only attack
• characteristics that make it succeed:
1. the encryption and decryption algorithms are known
2. there are only 25 keys to try
3. the language of the plaintext is known and easily recognizable
MONOALPHABETIC SUBSTITUTION CIPHERS

• a further generalization of the Caesar cipher
Plain:  abcdefghijklmnopqrstuvwxyz
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
is obtained by allowing any permutation of the 26 characters for the cipher alphabet
• key size = 26 letters
• key space = 26! ≈ 4 x 10^26

Monoalphabetic Cipher
➢ rather than just shifting the alphabet
➢ could shuffle (jumble) the letters arbitrarily
➢ each plaintext letter maps to a different random ciphertext letter
➢ hence the key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security

➢ now have a total of 26! ≈ 4 x 10^26 keys
➢ with so many keys, one might think it is secure
➢ but that would be !!!WRONG!!!
➢ the problem is language characteristics
Language Redundancy and Cryptanalysis
➢ human languages are redundant
➢ eg "th lrd s m shphrd shll nt wnt"
➢ letters are not equally commonly used
➢ in English E is by far the most common letter
➢ followed by T, R, N, I, O, A, S
➢ other letters like Z, J, K, Q, X are fairly rare
➢ have tables of single, double and triple letter frequencies for various languages

RELATIVE FREQUENCY OF LETTERS IN ENGLISH TEXT (chart in the original figure)

FREQUENCY STATISTICS OF LANGUAGE
• in addition to the frequency information of single letters, the frequency information of two-letter (digram) or three-letter (trigram) combinations can be used for cryptanalysis
• most frequent digrams
– TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI, OF
• most frequent trigrams
– THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
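Frequency analysis as the slides describe it, run against the monoalphabetic key DKVQFIBJWPESCXHTMYAUOLRGZN from the earlier slide; this is an added example, not code from the slides. The sample plaintext is constructed for the example and deliberately rich in "the", "th" and "e"; the English ranking string is an approximate published ordering. Matching ciphertext letters to English letters by rank is only the analyst's first pass, reliable for the top few letters; the digram and trigram counts are what pin down the rest.

```python
from collections import Counter

PLAIN = "abcdefghijklmnopqrstuvwxyz"
# Cipher alphabet from the slide above (the key is a permutation of 26 letters).
CIPHER = "DKVQFIBJWPESCXHTMYAUOLRGZN"
# English letters from most to least frequent (approximate ranking).
ENGLISH_RANK = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample plaintext for this example.
SAMPLE = ("the enemy has entered the theatre and the three tanks that were there "
          "are the target of the attack at the eastern gate thirty of them go north "
          "then south through the path we need seven men here before evening ends "
          "and eleven were seen near the green fence")


def letters_only(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in PLAIN)


def mono_encrypt(plaintext: str, cipher_alphabet: str = CIPHER) -> str:
    return letters_only(plaintext).translate(str.maketrans(PLAIN, cipher_alphabet))


def mono_decrypt(ciphertext: str, cipher_alphabet: str = CIPHER) -> str:
    return ciphertext.translate(str.maketrans(cipher_alphabet, PLAIN))


def letter_frequencies(ciphertext: str) -> list:
    """Ciphertext letters ordered from most to least frequent."""
    return [c for c, _ in Counter(ciphertext).most_common()]


def digram_frequencies(ciphertext: str) -> list:
    """Overlapping two-letter combinations ordered from most to least frequent."""
    pairs = Counter(ciphertext[i:i + 2] for i in range(len(ciphertext) - 1))
    return [d for d, _ in pairs.most_common()]


def guess_key_by_rank(ciphertext: str) -> dict:
    """First pass of the attack: the i-th most frequent ciphertext letter is
    assumed to stand for the i-th most frequent English letter."""
    ranked = letter_frequencies(ciphertext)
    return {c: ENGLISH_RANK[i] for i, c in enumerate(ranked)}


def analyse(ciphertext: str, top: int = 5) -> dict:
    """Summarise what the statistics reveal; 'correct_in_top' checks the rank
    guess against the real key, which an attacker would not have."""
    guess = guess_key_by_rank(ciphertext)
    top_letters = letter_frequencies(ciphertext)[:top]
    return {
        "top_letters": top_letters,
        "top_digrams": digram_frequencies(ciphertext)[:top],
        "guess": guess,
        "correct_in_top": sum(1 for c in top_letters if guess[c] == mono_decrypt(c)),
    }


if __name__ == "__main__":
    ct = mono_encrypt(SAMPLE)
    report = analyse(ct)
    print("ciphertext:", ct[:40], "...")
    print("most frequent letters:", report["top_letters"])
    print("most frequent digrams:", report["top_digrams"])
    partial = ct.translate(str.maketrans("".join(report["guess"]),
                                         "".join(report["guess"].values())))
    print("rank-guess decryption:", partial[:40], "...")
```

The top digram in the ciphertext maps to "th" and the top letter to "e" no matter which permutation was chosen as key: the key space of 26! does nothing about the statistics the plaintext carries into the ciphertext, which is the point the slide makes.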
HOMOPHONES

• monoalphabetic substitution ciphers are easy to break through letter frequency analysis
• multiple substitutes (homophones) for a single letter can be used to hide the single-letter frequency information
• but even with homophones, multiple-letter patterns (e.g. digram frequencies) still survive in the ciphertext
• two approaches to this problem:
– encrypt multiple letters of plaintext
• Playfair cipher
• Hill cipher
– use multiple cipher alphabets
• polyalphabetic cipher
Playfair Cipher
➢ not even the large number of keys in a monoalphabetic cipher provides security
➢ one approach to improving security was to encrypt multiple letters
➢ the Playfair Cipher is an example
➢ invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair
Playfair Key Matrix
➢ the best-known multiple-letter encryption cipher is the Playfair
➢ which treats digrams in the plaintext as single units and translates these units into ciphertext digrams
➢ based on the use of a 5x5 matrix of letters constructed using a keyword
➢ the rules for filling in this 5x5 matrix are:
➢ left to right, top to bottom
➢ first with the keyword, after duplicate letters have been removed
➢ and then with the remaining letters of the alphabet, with I/J treated as a single letter
➢ eg. using the keyword MONARCHY:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Encrypting and Decrypting

plaintext is encrypted two letters at a time:
1. if a pair is a repeated letter, insert a filler like 'X' between the two letters
• eg. "balloon" is encrypted as "ba lx lo on"
2. if both letters fall in the same row, replace each with the letter to its right (wrapping back to the start from the end)
• eg. "ar" encrypts as "RM"
3. if both letters fall in the same column, replace each with the letter below it (again wrapping to the top from the bottom)
• eg. "mu" encrypts to "CM"
4. otherwise each letter is replaced by the letter in its own row and in the column of the other letter of the pair
• eg. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired)
Security of Playfair Cipher
➢ security much improved over monoalphabetic
➢ since there are 26 x 26 = 676 digrams
➢ would need a 676-entry frequency table to analyse (versus 26 for a monoalphabetic) and correspondingly more ciphertext
➢ was widely used for many years
▪ eg. by the US and British military in World War I
➢ it can be broken, given a few hundred letters
➢ since it still leaves much of the plaintext structure intact
Hill Cipher
➢ developed by the mathematician Lester Hill in 1929
➢ its strength is that it completely hides single-letter frequencies
➢ the use of a larger matrix hides more frequency information
➢ a 3 x 3 Hill cipher hides not only single-letter but also two-letter frequency information
➢ strong against a ciphertext-only attack but easily broken with a known-plaintext attack: m plaintext/ciphertext block pairs whose plaintext blocks are linearly independent let the attacker solve for the key matrix
Hill Cipher
• the key for a Hill cipher is a square matrix (the example matrix is in the original figure)
• in that example the size is 3x3, but it can be any size (as long as it is square and invertible modulo 26)
• assume we want to encipher the message ATTACK AT DAWN
• to encipher this, we need to break the message into chunks of 3
HILL CIPHER
• multi-letter cipher
• takes m successive plaintext letters and substitutes for them m ciphertext letters
• 3x3 Hill cipher:

      k11 k12 k13
K =   k21 k22 k23
      k31 k32 k33

c1 = (k11 p1 + k12 p2 + k13 p3) mod 26
c2 = (k21 p1 + k22 p2 + k23 p3) mod 26
c3 = (k31 p1 + k32 p2 + k33 p3) mod 26

• C = E_K(P) = KP mod 26
• P = D_K(C) = K^-1 C = K^-1 K P = P, where K^-1 is the inverse of K modulo 26

Hill Cipher
• we now take the first 3 characters from our plaintext, ATT, and create a vector that corresponds to the letters (replace A with 0, B with 1, ..., Z with 25) to get [0 19 19] (this is ['A' 'T' 'T'])
• to get our ciphertext we perform a matrix multiplication (you may need to revise matrix multiplication), reducing each entry modulo 26
• this process is performed for all 3-letter blocks in the plaintext
• the plaintext may have to be padded with some extra letters to make sure that there is a whole number of blocks
• now for the tricky part, the decryption
• we need to find an inverse matrix modulo 26 to use as our 'decryption key', i.e. we want something that will take 'PFO' back to 'ATT'
• if our 3 by 3 key matrix is called K, our decryption key will be the 3 by 3 matrix K^-1, which is the inverse of K modulo 26; it exists only when det K and 26 have no common factor
Polyalphabetic Ciphers
• polyalphabetic substitution ciphers
• improve security by using multiple cipher alphabets
• make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from the start after the end of the key is reached

Vigenère Cipher
• simplest polyalphabetic substitution cipher
• effectively multiple Caesar ciphers
• key is multiple letters long: K = k1 k2 ... kd
• the i-th letter of the key specifies the i-th alphabet to use
• use each alphabet in turn
• repeat from the start after d letters of the message
• decryption simply works in reverse
• numbering letters from 0: c_i = (p_i + k_(i mod d)) mod 26 and p_i = (c_i - k_(i mod d)) mod 26

VIGENÈRE CIPHER (Vigenère tableau in the original figure)

Example of Vigenère Cipher
• to encrypt a message, a key is needed that is as long as the message
• usually, the key is a repeating keyword
• for example, if the keyword is deceptive, the message "we are discovered save yourself" is encrypted as:

key:        deceptive deceptive deceptive
plaintext:  wearedisc overedsav eyourself
ciphertext: ZICVTWQNG RZGVTWAVZ HCQYGLMGJ
Autokey Cipher
• ideally want a key as long as the message
• Vigenère proposed the autokey cipher
• the keyword is prefixed to the message itself to form the key
• knowing the keyword, the receiver can recover the first few letters of plaintext
• these are then used in turn as key for the rest of the message
• but the key and the plaintext share the same letter statistics, so frequency characteristics remain to attack
• eg. given key deceptive:
key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
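Both worked examples above as running code, added here and not taken from the slides: Vigenère with a repeating keyword, and Vigenère's autokey variant in which the key stream is the keyword followed by the plaintext itself, so the receiver extends its key with every letter it recovers. Letters are numbered a = 0 ... z = 25 as in the earlier slides; non-letters are dropped.

```python
A = "abcdefghijklmnopqrstuvwxyz"


def _clean(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch in A)


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """c_i = (p_i + k_(i mod d)) mod 26: the keyword repeats under the message."""
    p, k = _clean(plaintext), _clean(keyword)
    return "".join(A[(A.index(ch) + A.index(k[i % len(k)])) % 26]
                   for i, ch in enumerate(p)).upper()


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """p_i = (c_i - k_(i mod d)) mod 26."""
    c, k = _clean(ciphertext), _clean(keyword)
    return "".join(A[(A.index(ch) - A.index(k[i % len(k)])) % 26]
                   for i, ch in enumerate(c))


def autokey_encrypt(plaintext: str, keyword: str) -> str:
    """Key stream = keyword followed by the plaintext, so it never repeats."""
    p = _clean(plaintext)
    stream = _clean(keyword) + p
    return "".join(A[(A.index(ch) + A.index(stream[i])) % 26]
                   for i, ch in enumerate(p)).upper()


def autokey_decrypt(ciphertext: str, keyword: str) -> str:
    """The receiver only holds the keyword; each recovered plaintext letter is
    appended to the key stream and used d positions later."""
    c = _clean(ciphertext)
    stream = list(_clean(keyword))
    out = []
    for i, ch in enumerate(c):
        p = A[(A.index(ch) - A.index(stream[i])) % 26]
        out.append(p)
        stream.append(p)
    return "".join(out)


def columns(ciphertext: str, d: int) -> list:
    """Every d-th letter of a Vigenère ciphertext was enciphered under the same
    key letter, i.e. each column is a plain shift cipher (see the attack on those)."""
    c = _clean(ciphertext)
    return [c[i::d] for i in range(d)]


if __name__ == "__main__":
    msg, kw = "we are discovered save yourself", "deceptive"
    print("vigenere:", vigenere_encrypt(msg, kw), "->", vigenere_decrypt(vigenere_encrypt(msg, kw), kw))
    print("autokey: ", autokey_encrypt(msg, kw), "->", autokey_decrypt(autokey_encrypt(msg, kw), kw))
    print("columns under key length 9:", columns(vigenere_encrypt(msg, kw), 9))
```

The `columns` helper is where the "effectively multiple Caesar ciphers" remark bites: once the key length d is known (from repeated ciphertext fragments, as Kasiski observed), each column falls to the single-shift frequency scoring from the Caesar example, and the keyword is recovered one letter at a time.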
Vernam Cipher
➢ the ultimate defense against cryptanalysis is to choose a keyword as long as the plaintext and with no statistical relationship to it
➢ such a system was introduced by an AT&T engineer named Gilbert Vernam in 1918
➢ the system works on binary data (bits) rather than letters: c_i = p_i XOR k_i, and since XOR is its own inverse, p_i = c_i XOR k_i
➢ the essence of this technique is the construction of the key
➢ Vernam proposed the use of a running loop of tape that eventually repeated the key, so that in fact the system worked with a very long but repeating key
➢ although such a scheme, with a long key, presents formidable cryptanalytic difficulties, it can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both
One-Time Pad
➢ an improvement to the Vernam cipher proposed by an Army Signal Corps officer, Joseph Mauborgne
➢ use a random key that is as long as the message, so that the key need not be repeated
➢ the key is used to encrypt and decrypt a single message and then is discarded
➢ each new message requires a new key of the same length as the new message
➢ the scheme is unbreakable
➢ produces random output that bears no statistical relationship to the plaintext
➢ because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code
Difficulties
➢ the one-time pad offers complete security but, in practice, has two fundamental difficulties:
➢ there is the practical problem of making large quantities of truly random keys
➢ any heavily used system might require millions of random characters on a regular basis
➢ a mammoth key distribution problem
➢ for every message to be sent, a key of equal length is needed by both sender and receiver
➢ because of these difficulties, the one-time pad is of limited utility
➢ useful primarily for low-bandwidth channels requiring very high security
➢ the one-time pad is the only cryptosystem that exhibits perfect secrecy, and only while the key is truly random, as long as the message, and never reused
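An added example (not from the slides) of the Vernam operation on bytes together with the two claims the slides make about the one-time pad: perfect secrecy, shown by constructing a key under which the same ciphertext decrypts to any other plaintext of the same length, and the reason the pad must never be reused, since XORing two ciphertexts under one pad cancels the key and leaves p1 XOR p2. Key generation with `os.urandom` stands in for the truly random pad the slides require; that substitution is this example's assumption.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """c_i = p_i XOR k_i; the key must cover the whole message, no repetition."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return xor_bytes(plaintext, key)


otp_decrypt = otp_encrypt          # XOR is its own inverse: p_i = c_i XOR k_i


def new_pad(n: int) -> bytes:
    """Fresh pad from the OS random source (assumption: stands in for a true
    random pad). Generate it once, use it once, destroy it."""
    return os.urandom(n)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy: for ANY candidate plaintext of the right length there is
    a pad that maps it to this ciphertext, so the ciphertext alone rules nothing
    out. Returns that pad."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must have the ciphertext's length")
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """What an opponent learns when one pad protects two messages:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2, with k gone."""
    return xor_bytes(otp_encrypt(p1, pad), otp_encrypt(p2, pad))


if __name__ == "__main__":
    msg = b"attack at"
    pad = new_pad(len(msg))
    ct = otp_encrypt(msg, pad)
    print("ciphertext:", ct.hex())
    print("real pad decrypts to:", otp_decrypt(ct, pad))
    fake = key_explaining(ct, b"retreat!!")
    print("another equally valid pad decrypts to:", otp_decrypt(ct, fake))
    print("pad reused twice leaks p1 XOR p2:", two_time_pad_leak(msg, b"retreat!!", pad).hex())
```

The second decryption is the whole argument for unconditional security: a ciphertext-only attacker who tries every key sees every possible plaintext and has no way to prefer one. The last line is why "one-time" is not optional; p1 XOR p2 of two English texts is readily separated with the same frequency and probable-word techniques used against the classical ciphers above.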
Transposition Ciphers
• now consider classical transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
• can recognise these since the ciphertext has the same letter frequency distribution as the original text
Rail Fence cipher
➢ write message letters out diagonally over a number of rows
➢ then read off the cipher row by row
➢ to encipher the message "meet me after the toga party" with a rail fence of depth 2, we would write:
m e m a t r h t g p r y
 e t e f e t e o a a t
➢ giving ciphertext:
➢ MEMATRHTGPRYETEFETEOAAT
Block (Columnar) Transposition
• generalization: multiple transpositions (applying the same transposition more than once) → more secure
• Block (Columnar) Transposition Ciphers
– the message is written in a rectangle, row by row, but read off column by column; the order in which the columns are read off is the key
– example:
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
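Rail fence (for any depth; depth 2 is the slide's case) and columnar transposition as working code, an added example rather than the slides' own, including the "multiple transpositions" generalization of applying the columnar transposition twice with the same key. Padding a short last row with 'x' is this example's assumption; the slide's plaintext already fills its rectangle.

```python
def _letters(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def _rail_pattern(n: int, depth: int) -> list:
    """Which rail each of n successive letters lands on when zig-zagging."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if depth > 1:
            if r == 0:
                step = 1
            elif r == depth - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Write diagonally over `depth` rows, then read the rows in order."""
    letters = _letters(plaintext)
    pattern = _rail_pattern(len(letters), depth)
    rails = ["".join(ch for ch, r in zip(letters, pattern) if r == rail)
             for rail in range(depth)]
    return "".join(rails).upper()


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Replay the zig-zag to learn each rail's length, then refill the rails."""
    n = len(ciphertext)
    pattern = _rail_pattern(n, depth)
    out, idx = [""] * n, 0
    for rail in range(depth):
        for pos in range(n):
            if pattern[pos] == rail:
                out[pos] = ciphertext[idx].lower()
                idx += 1
    return "".join(out)


def columnar_encrypt(plaintext: str, key: list) -> str:
    """Write row by row into len(key) columns; read columns in key order."""
    letters = _letters(plaintext)
    cols = len(key)
    while len(letters) % cols:
        letters += "x"                              # pad the last row (assumption)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda j: key[j])   # column read 1st, 2nd, ...
    return "".join(row[j] for j in order for row in rows).upper()


def columnar_decrypt(ciphertext: str, key: list) -> str:
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    grid = [[""] * cols for _ in range(nrows)]
    idx = 0
    for j in order:                                 # refill columns in key order
        for r in range(nrows):
            grid[r][j] = ciphertext[idx].lower()
            idx += 1
    return "".join("".join(row) for row in grid)


def double_columnar_encrypt(plaintext: str, key: list) -> str:
    """Two passes with the same key: the generalization the slide mentions."""
    return columnar_encrypt(columnar_encrypt(plaintext, key), key)


def double_columnar_decrypt(ciphertext: str, key: list) -> str:
    return columnar_decrypt(columnar_decrypt(ciphertext, key), key)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party", 2))
    key = [4, 3, 1, 2, 5, 6, 7]
    ct = columnar_encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct, "->", columnar_decrypt(ct, key))
    print("twice:", double_columnar_encrypt("attackpostponeduntiltwoamxyz", key))
```

A single columnar pass is weak because letters that were neighbours in the plaintext stay a fixed row-count apart in the ciphertext; the second pass breaks that regularity, which is the reason the slide calls multiple transpositions more secure. The sorted multiset of letters is identical in plaintext and ciphertext, the recognition test the first bullet mentions.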
Product Ciphers
➢ ciphers using only substitutions or only transpositions are not secure because of language characteristics
➢ hence consider using several ciphers in succession to make the cipher harder to break, but:
➢ two substitutions make a more complex substitution
➢ two transpositions make a more complex transposition
➢ but a substitution followed by a transposition makes a new, much harder cipher
➢ this is the bridge from classical to modern ciphers
Rotor Machines
➢ before modern ciphers, rotor machines were the most common complex ciphers in use
➢ widely used in WW2
➢ German Enigma, Allied Hagelin, Japanese Purple
➢ implemented a very complex, varying substitution cipher
➢ used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
➢ with 3 cylinders there are 26^3 = 17576 alphabets
Hagelin Rotor Machine
THREE-ROTOR MACHINES
STEGANOGRAPHY
• "The art of covered writing"
• "Security by obscurity"
• Hide messages in other messages
• Conceal the existence of the message
• Conceal what you are communicating (sending encrypted messages would make you a spy)
• an alternative to encryption
Various other techniques
• Character marking:
➢ Selected letters of printed or typewritten text are
overwritten in pencil.
➢ The marks are ordinarily not visible unless the paper is
held at an angle to bright light.
• Invisible ink:
➢ A number of substances can be used for writing but leave
no visible trace until heat or some chemical is applied to
the paper.
• Pin punctures:
➢ Small pin punctures on selected letters are ordinarily not
visible unless the paper is held up in front of a light.
• Typewriter correction ribbon:
➢ Used between lines typed with a black ribbon, the results
of typing with the correction tape are visible only under a
strong light.
Foundations of modern cryptography
➢ Modern encryption is key to advanced computer and communication security
➢ the stream of cryptography is completely based on
➢ ideas of mathematics such as number theory
➢ computational complexity theory
➢ as well as concepts of probability
Characteristics of Modern Cryptography
➢ four major characteristics separate modern cryptography from the classical approach

Traditional Encryption | Modern Encryption
Ciphertext is made by manipulating the characters of the plaintext | Ciphertext is made by operations performed on a binary bit sequence
The whole ecosystem is required in order to communicate confidentially | Only the parties who want to execute secure communication possess the secret key
Weaker as compared to modern encryption | The encryption algorithm formed by this technique is stronger than traditional encryption algorithms
Believes in the concept of security through obscurity | Its security depends on a publicly known mathematical algorithm
Types of Modern Cryptography
➢ Different algorithms have come up with powerful
encryption mechanisms incorporated in them.
➢ It gave rise to two new ways of encryption mechanism
for data security
➢ These are:
o Symmetric key encryption
o Asymmetric key encryption
• Key
➢ It can be a number, word, phrase, or any code that will be used for encrypting plain text into ciphertext and for decrypting ciphertext back to plain text
➢ Symmetric and asymmetric key cryptography are distinguished by the number of keys and the way these keys work.
Symmetric key encryption
➢ This technique uses a straightforward method of encryption
➢ the simpler of the two practices
➢ encryption is done with only one secret key, known as the "symmetric key", which is shared by both parties
➢ The same key is used for both encoding and decoding the information
➢ the key is used first by the sender, prior to sending the message, and on the receiver side the same key is used to decipher the encoded message
➢ a good old example of this technique is Caesar's cipher
➢ Modern examples and algorithms that use the concept of symmetric key encryption are RC4, QUAD, AES, DES, Blowfish, 3DES, etc.
Asymmetric Key Encryption
➢Asymmetric Encryption is another encryption
method that uses two keys
➢a new and sophisticated encryption technique
➢because it integrates two cryptographic keys for
implementing data security
➢These keys are termed as Public Key and Private
Key
➢"public key", as the name implies, is accessible to
all who want to send an encrypted message.
➢other is the "private key" that is kept secure by the
owner of that public key or the one who is
encrypting
➢Encryption of information is done through public key first,
with the help of a particular algorithm
➢Then the private key, which the receiver possesses, will
use to decrypt that encrypted information
➢same algorithm will be used in both encodings as well as
decoding
➢Examples : Diffie-Hellman and RSA algorithm
➢Security Services of Cryptography
➢Confidentiality of information
➢Data Integrity
➢Authentication
❖Message authentication
❖Entity authentication
➢Non-repudiation
▪Cryptography Primitives
➢tools and techniques in Cryptography that can be
selectively used to provide a set of desired security
services
➢Encryption
➢Hash functions
➢Message Authentication codes (MAC)
➢Digital Signatures
Primitives and Security Service
Perfect Security
➢Perfect Secrecy (or information-theoretic secure) means
that the ciphertext conveys no information about the
content of the plaintext
➢However, part of being provably secure is that you need
as much key material as you have plaintext to encrypt.
Definition
➢ Let ε = (E, D) be a Shannon cipher defined over (K, M, C)
➢ Consider a probabilistic experiment in which the random variable k is uniformly distributed over K
➢ If for all m0, m1 ∈ M and all c ∈ C we have
Pr[E(k, m0) = c] = Pr[E(k, m1) = c],
then we say that ε is a perfectly secure Shannon cipher
Information Theory
➢ Information theory studies the quantification, storage, and communication of information
➢ It was originally proposed by Claude Shannon in 1948
➢ to find fundamental limits on signal processing and communication operations such as data compression
➢ it has mainly been used in cryptography to prove lower bounds on the size of the secret key required to achieve a certain level of security in secrecy and authentication systems
➢ the field lies at the intersection of mathematics, statistics, computer science, physics, information engineering, and electrical engineering
➢Important sub-fields of information theory include source
coding, algorithmic complexity theory, algorithmic
information theory, information-theoretic security, Grey
system theory and measures of information
➢Applications of fundamental topics of information theory
include lossless data compression (e.g. ZIP files), lossy data
compression (e.g. MP3s and JPEGs), and channel coding
➢Information theory is used in information retrieval,
intelligence gathering, gambling, and even in musical
composition.
Introduction to Number Theory
Group
• a set of elements or "numbers"
• with some operation whose result is also in the set (closure)
• obeys:
– associative law: (a.b).c = a.(b.c)
– has identity e: e.a = a.e = a
– has inverses a^-1: a.a^-1 = e
• if commutative, a.b = b.a
– then it forms an abelian group
Cyclic Group
• define exponentiation as repeated application of the operator
– example: a^3 = a.a.a
• and let the identity be: e = a^0
• a group is cyclic if every element is a power of some fixed element
– ie. b = a^k for some a and every b in the group
• a is said to be a generator of the group
Ring
• a set of "numbers"
• with two operations (addition and multiplication) which form:
• an abelian group with the addition operation
• and multiplication:
– has closure
– is associative
– distributive over addition: a(b+c) = ab + ac
• if the multiplication operation is commutative, it forms a commutative ring
• if the multiplication operation has an identity and no zero divisors, it forms an integral domain
Field
• a set of numbers
• with two operations which form:
– abelian group for addition
– abelian group for multiplication (ignoring 0)
– ring
• have a hierarchy with more axioms/laws
– group -> ring -> field
Modular Arithmetic
• define the modulo operator "a mod n" to be the remainder when a is divided by n
• use the term congruence for: a = b mod n
– when divided by n, a & b have the same remainder
– eg. 100 = 34 mod 11
• b is called a residue of a mod n
– since with integers we can always write: a = qn + b
– usually choose the smallest positive remainder as the residue
• ie. 0 <= b <= n-1
– the process is known as modulo reduction
eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
Divisors
• say a non-zero number b divides a if for some m we have a = mb (a, b, m all integers)
• that is, b divides into a with no remainder
• denote this b|a
• and say that b is a divisor of a
• eg. all of 1,2,3,4,6,8,12,24 divide 24
Modular Arithmetic Operations
• is 'clock arithmetic'
• uses a finite number of values, and loops back from either end
• modular arithmetic is when we do addition & multiplication and modulo reduce the answer
• can do the reduction at any point, ie
– a+b mod n = [a mod n + b mod n] mod n
Modular Arithmetic
• can do modular arithmetic with any group of integers: Z_n = {0, 1, … , n-1}
• form a commutative ring for addition
• with a multiplicative identity
• note some peculiarities
– if (a+b) = (a+c) mod n
then b = c mod n
– but if (a.b) = (a.c) mod n
then b = c mod n only if a is relatively prime to n
Modulo 8 Addition Example
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
Greatest Common Divisor (GCD)
• a common problem in number theory
• GCD(a,b) of a and b is the largest number that divides evenly into both a and b
– eg GCD(60,24) = 12
• often want no common factors (except 1) and hence numbers are relatively prime
– eg GCD(8,15) = 1
– hence 8 & 15 are relatively prime
Euclidean Algorithm
• an efficient way to find the GCD(a,b)
• uses the theorem that:
– GCD(a,b) = GCD(b, a mod b)
• the Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2
Example GCD(1970,1066)
1970 = 1 x 1066 + 904 gcd(1066, 904)
1066 = 1 x 904 + 162 gcd(904, 162)
904 = 5 x 162 + 94 gcd(162, 94)
162 = 1 x 94 + 68 gcd(94, 68)
94 = 1 x 68 + 26 gcd(68, 26)
68 = 2 x 26 + 16 gcd(26, 16)
26 = 1 x 16 + 10 gcd(16, 10)
16 = 1 x 10 + 6 gcd(10, 6)
10 = 1 x 6 + 4 gcd(6, 4)
6 = 1 x 4 + 2 gcd(4, 2)
4 = 2 x 2 + 0 gcd(2, 0)
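EUCLID(a,b) as an added Python example (not code from the slides): it returns the same step table as the GCD(1970,1066) example above, and the extended form also yields the Bezout coefficients u, v with u*a + v*b = gcd(a, b), which is how the modular inverses used in the later CRT and ElGamal slides are obtained.

```python
# Added example (not from the slides): the Euclidean algorithm above with a
# trace matching the GCD(1970,1066) table, and its extended form, which also
# returns u, v with u*a + v*b == gcd(a, b) and hence modular inverses.


def euclid_trace(a: int, b: int) -> tuple[int, list[tuple[int, int, int, int]]]:
    """Return (gcd, steps); each step (A, q, B, R) records A = q*B + R,
    after which the algorithm continues with gcd(B, R)."""
    steps = []
    A, B = a, b                      # 1. A = a; B = b
    while B != 0:                    # 2. if B = 0 return A
        q, R = divmod(A, B)          # 3. R = A mod B (q is the quotient)
        steps.append((A, q, B, R))
        A, B = B, R                  # 4./5. A = B; B = R, then goto 2
    return A, steps


def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, u, v) with g = gcd(a, b) and u*a + v*b == g."""
    r0, r1 = a, b
    u0, u1 = 1, 0                    # coefficients of a in r0, r1
    v0, v1 = 0, 1                    # coefficients of b in r0, r1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1     # same remainder sequence as euclid_trace
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return r0, u0, v0


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a modulo m; exists only when gcd(a, m) == 1."""
    g, u, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd = {g})")
    return u % m


if __name__ == "__main__":
    g, steps = euclid_trace(1970, 1066)
    for A, q, B, R in steps:
        print(f"{A} = {q} x {B} + {R}   gcd({B}, {R})")
    print("gcd =", g, "; Bezout:", extended_gcd(1970, 1066))
    print("49^-1 mod 37 =", mod_inverse(49, 37), "; 37^-1 mod 49 =", mod_inverse(37, 49))
```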
Modular exponentiation
• In RSA, encryption as well as decryption require modular exponentiation, i.e. determining x^c mod n. This can be done with c-1 modular multiplications, but that is very inefficient when c is large.
• The "square-and-multiply" algorithm reduces the number of modular multiplications needed to at most 2l, where l is the number of bits in the binary representation of c.
• Since l <= k, it is possible to find x^c mod n in O(k^3). Thus RSA encryption and decryption can be performed in polynomial time.
Exponential Notation
• Recall that exponential notation represents an expression of the form a^k, where a represents the base of the expression and k represents the exponent. If the exponent k is a positive integer, then
a^k = a · a · … · a (a multiplied k times)
7^1 mod 41 = 7
7^2 mod 41 = 49 mod 41 = 8
7^4 mod 41 = (7^2)^2 mod 41 = 8^2 mod 41 = 64 mod 41 = 23
7^8 mod 41 = (7^4)^2 mod 41 = 23^2 mod 41 = 529 mod 41 = 37
7^16 mod 41 = (7^8)^2 mod 41 = 37^2 mod 41 = 1369 mod 41 = 16
7^32 mod 41 = (7^16)^2 mod 41 = 16^2 mod 41 = 256 mod 41 = 10
7^64 mod 41 = (7^32)^2 mod 41 = 10^2 mod 41 = 100 mod 41 = 18
Hence,
7^85 mod 41 = 7^(1+4+16+64) mod 41
= (7^1 · 7^4 · 7^16 · 7^64) mod 41
= (7 · 23 · 16 · 18) mod 41 (substituting from the table above)
= (161 · 288) mod 41 (note that 7 · 23 = 161 and 16 · 18 = 288)
= (38 · 1) mod 41 (note 161 mod 41 = 38 and 288 mod 41 = 1)
= 38 mod 41
= 38. Hence, 7^85 mod 41 = 38
Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• the concept is based on repeatedly squaring the base
• and multiplying in the ones that are needed to compute the result
• look at the binary representation of the exponent
• only takes O(log2 n) multiplies for number n
– eg. 7^5 = 7^4 · 7^1 = 3 · 7 = 10 mod 11
– eg. 3^129 = 3^128 · 3^1 = 5 · 3 = 4 mod 11
Modular Exponentiation
• An efficient way to compute a^b mod n
• Repeated squaring
• Computes a^c mod n as c is increased from 0 to b
• Each exponent computed in the sequence is either twice the previous exponent or one more than the previous exponent
• Each iteration of the loop uses one of the identities
a^(2c) mod n = (a^c)^2 mod n,
a^(2c+1) mod n = a · (a^c)^2 mod n
depending on whether b_i = 0 or 1
• Just after bit b_i is read and processed, the value of c is the same as the prefix b_k b_(k-1) … b_i of the binary representation of b
• Variable c is not needed (included just for explanation)
Modular-Exponentiation(a, b, n)
1. c ← 0
2. d ← 1
3. let b_k b_(k-1) … b_0 be the binary representation of b
4. for i ← k downto 0
5. do c ← 2c
6. d ← (d · d) mod n
7. if b_i = 1
8. then c ← c + 1
9. d ← (d · a) mod n
10. return d
Modular Exponentiation - Example
Modular-Exponentiation(a, b, n)
1. c ← 0
2. d ← 1
3. let b_k b_(k-1) … b_0 be the binary representation of b
4. for i ← k downto 0
5. do c ← 2c
6. d ← (d · d) mod n
7. if b_i = 1
8. then c ← c + 1
9. d ← (d · a) mod n
10. return d
• Example
– Result of the Modular-Exponentiation algorithm for a^b mod n, where a = 7, b = 560 = 1000110000, n = 561. The values are shown after each execution of the for loop
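Modular-Exponentiation(a, b, n) as an added Python example (not code from the slides): it follows the procedure above line by line and records (i, b_i, c, d) after each pass of the for loop, so the trace for a = 7, b = 560, n = 561 can be read off; the same routine reproduces the 7^85 mod 41 = 38 computation earlier.

```python
# Added example (not from the slides): the Modular-Exponentiation(a, b, n)
# procedure above, scanning the exponent bits from the most significant end
# and recording (i, b_i, c, d) after every iteration of the for loop.


def modular_exponentiation(a: int, b: int, n: int) -> tuple[int, list[tuple[int, int, int, int]]]:
    """Return (a^b mod n, trace). c is the exponent prefix processed so far
    (kept only for explanation, as the slide says); d holds a^c mod n."""
    if b < 0 or n <= 0:
        raise ValueError("exponent must be >= 0 and modulus > 0")
    bits = bin(b)[2:]                 # b_k ... b_0, most significant first
    k = len(bits) - 1
    c, d = 0, 1 % n                   # 1. c <- 0   2. d <- 1
    trace = []
    for i in range(k, -1, -1):        # 4. for i <- k downto 0
        b_i = int(bits[k - i])
        c = 2 * c                     # 5. c <- 2c      (a^(2c) = (a^c)^2)
        d = (d * d) % n               # 6. d <- d*d mod n
        if b_i == 1:                  # 7. if b_i = 1   (a^(2c+1) = a*(a^c)^2)
            c = c + 1                 # 8. c <- c + 1
            d = (d * a) % n           # 9. d <- d*a mod n
        trace.append((i, b_i, c, d))
    return d, trace                   # 10. return d


def operation_count(b: int) -> int:
    """Modular multiplications used: one squaring per bit plus one multiply per
    set bit, i.e. at most 2l for an l-bit exponent (the bound quoted earlier)."""
    bits = bin(b)[2:]
    return len(bits) + bits.count("1")


if __name__ == "__main__":
    result, trace = modular_exponentiation(7, 560, 561)
    print(" i  b_i    c    d")
    for i, b_i, c, d in trace:
        print(f"{i:2d}  {b_i:3d}  {c:3d}  {d:3d}")
    print("7^560 mod 561 =", result, "using", operation_count(560), "multiplications")
    print("7^85 mod 41 =", modular_exponentiation(7, 85, 41)[0])
```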
Finite fields
Fields
• Definition 3.1.1: A field is a nonempty set F of elements with two operations "+" and "‧" satisfying the following axioms, for all a, b, c ∈ F:
– (i) F is closed under + and ‧; i.e., a+b and a‧b are in F.
– (ii) Commutative laws: a+b = b+a, a‧b = b‧a
– (iii) Associative laws: (a+b)+c = a+(b+c), (a‧b)‧c = a‧(b‧c)
– (iv) Distributive law: a‧(b+c) = a‧b + a‧c
– (v), (vi) Identity: a+0 = a, a‧1 = a for all a ∈ F. 0‧a = 0.
– (vii) Additive inverse: for all a ∈ F, there exists an additive inverse (-a) such that a+(-a) = 0
– (viii) Multiplicative inverse: for all a ∈ F, a ≠ 0, there exists a multiplicative inverse a^-1 such that a‧a^-1 = 1
Fields
• Lemma 3.1.3: Let F be a field and a, b ∈ F.
– (i) (-1).a = -a
– (ii) ab = 0 implies a = 0 or b = 0.
• Proof:
– (i) (-1).a + a = (-1).a + 1.a = ((-1)+1).a = 0.a = 0
Thus, (-1).a = -a
– (ii) If a ≠ 0, then b = 1*b = (a^-1 a)b = a^-1(ab) = a^-1 * 0 = 0.
Fields
• Definition:
– A field containing only finitely many elements is called a finite field.
– A set F satisfying axioms (i)-(vii) in Definition 3.1.1 is called a (commutative) ring.
• Example 3.1.4:
– Integer ring: The set of all integers Z = {0, ±1, ±2, …} forms a ring under the normal addition and multiplication.
– The set of all polynomials over a field F, F[x] = {a_0 + a_1 x + … + a_n x^n | a_i ∈ F, n ≧ 0}, forms a ring under the normal addition and multiplication of polynomials.
Fields
• Definition 3.1.5: Let a, b and m > 1 be integers. We say that a is congruent to b modulo m, written as a ≡ b (mod m), if m | (a - b); i.e., m divides a - b.
• Remark 3.1.7: a = mq + b, where b is uniquely determined by a and m. The integer b is called the (principal) remainder of a divided by m, denoted by (a (mod m))
Fields
• The ring Z_m (or Z/(m)) is the set {0, 1, …, m-1} under addition and multiplication defined as follows
– + : a + b in Z_m = (a + b) mod m
– . : a . b in Z_m = ab mod m
• Example 3.1.8:
– Z_2 is a ring and also a field.
– Z_4 is a ring but not a field since 2^-1 does not exist.
Fields
• Theorem 3.1.9: Z_m is a field if and only if m is a prime.
Proof:
– (⇒) Suppose that m is a composite number and let m = ab for two integers 1 < a, b < m. Thus, a ≠ 0, b ≠ 0 and 0 = m = ab in Z_m. This is a contradiction to Lemma 3.1.3. Hence Z_m is not a field.
– (⇐) If m is a prime: for any a ∈ Z_m with 0 < a < m, a is prime to m, so there exist two integers u, v such that ua + vm = 1. Then ua ≡ 1 (mod m), i.e. u = a^-1. This implies that axiom (viii) in Definition 3.1.1 is also satisfied and hence Z_m is a field.
Fields
• Definition 3.1.10:
Let F be a field. The characteristic of F is the least positive integer p such that p*1 = 0, where 1 is the multiplicative identity of F.
If no such p exists, we define the characteristic to be 0.
• Example 3.1.11
– The characteristic of Q, R, C is 0.
– The characteristic of the field Z_p is p for any prime p.
Fields
• Theorem 3.1.12: The characteristic of a field is either 0 or a prime number.
• Proof: 1 is not the characteristic as 1*1 ≠ 0.
Suppose that the characteristic p of a field F is composite. Let p = m*n for 1 < n, m < p. Then
p·1 = 0
⇒ (mn)·1 = 0
⇒ (Σ_{i=1}^{m} 1)(Σ_{i=1}^{n} 1) = 0
⇒ (m·1)(n·1) = 0
⇒ (m·1) = 0 or (n·1) = 0 (Lemma 3.1.3)
This contradicts the definition of the characteristic.
Fields
• In abstract algebra a subfield is a subset of a field which, together with the additive and multiplicative operators restricted to it, is a field in its own right.
• If K is a subfield of L, then L is said to be a field extension of K.
• Example:
– Q is a subfield of both R and C.
– R is a subfield of C.
– Let F be a field of characteristic p; then Z_p can be naturally viewed as a subfield of F.
Fields
• Theorem 3.1.14: A finite field F of characteristic p contains p^n elements for some integer n ≧ 1.
• Proof:
– Choose an element α_1 ∈ F*. We claim that 0‧α_1, 1‧α_1, …, (p-1)‧α_1 are pairwise distinct. If i‧α_1 = j‧α_1 for some 0 ≦ i ≦ j ≦ p-1, then (j - i)α_1 = 0. Hence i = j (∵ the characteristic of F is p). If F = {0‧α_1, 1‧α_1, …, (p-1)‧α_1}, we are done.
– Otherwise, we choose an element α_2 in F \ {0‧α_1, 1‧α_1, …, (p-1)‧α_1}. We claim that the elements a_1α_1 + a_2α_2 are pairwise distinct. If a_1α_1 + a_2α_2 = b_1α_1 + b_2α_2 for some 0 ≦ a_1, a_2, b_1, b_2 ≦ p-1, then a_2 = b_2. Otherwise, α_2 = (b_2 - a_2)^-1 (a_1 - b_1)α_1 contradicts our choice of α_2. Since a_2 = b_2, then a_1 = b_1.
– In the same manner, we can show that the elements a_1α_1 + … + a_nα_n are pairwise distinct for all a_i ∈ Z_p. This implies |F| = p^n.
Polynomial rings
• Definition 3.2.1:
– F[x] = { Σ_{i=0}^{n} a_i x^i : a_i ∈ F, n ≧ 0 } is called the polynomial ring over a field F.
– deg(f(x)): for a polynomial f(x) = Σ_{i=0}^{n} a_i x^i with a_n ≠ 0, n is called the degree of f(x).
– deg(0) = -∞
– A nonzero polynomial f(x) = Σ_{i=0}^{n} a_i x^i is said to be monic if a_n = 1.
– For deg(f(x)) > 0, f(x) is said to be reducible if there exist g(x), h(x) such that deg(g(x)) < deg(f(x)), deg(h(x)) < deg(f(x)) and f(x) = g(x)h(x). Otherwise f(x) is said to be irreducible.
Polynomial rings
• Example 3.2.2
– f(x) = x^4 + 2x^6 ∈ Z_3[x] is of degree 6. It is reducible as f(x) = x^4(1 + 2x^2).
– g(x) = 1 + x + x^2 ∈ Z_2[x] is of degree 2. It is irreducible since g(0) = g(1) = 1 ≠ 0.
– 1 + x + x^3 and 1 + x^2 + x^3 are irreducible over Z_2.
• Definition 3.2.3: Let f(x) ∈ F[x], deg(f(x)) ≧ 1. For any polynomial g(x) ∈ F[x], there exists a unique pair (s(x), r(x)) with deg(r(x)) < deg(f(x)) or r(x) = 0 such that g(x) = s(x)f(x) + r(x).
– r(x) is called the (principal) remainder of g(x) divided by f(x), denoted by (g(x) (mod f(x)))
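Polynomials over Z_p as an added Python example (not code from the slides): coefficient lists carry the degree, monic and division-with-remainder definitions above, and an irreducibility check by trial division reproduces Example 3.2.2 (the representation, lowest-degree coefficient first, is this example's own choice).

```python
from itertools import product

# Added example (not from the slides): polynomials over Z_p as coefficient
# lists [a_0, a_1, ..., a_n] (lowest degree first), with deg, monic, division
# with remainder (Definition 3.2.3) and irreducibility by trial division.


def trim(f: list[int], p: int) -> list[int]:
    """Reduce coefficients mod p and drop leading zeros; [] is the zero polynomial."""
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def degree(f: list[int], p: int):
    """deg(f); deg(0) = -inf as in Definition 3.2.1."""
    f = trim(f, p)
    return len(f) - 1 if f else float("-inf")


def is_monic(f: list[int], p: int) -> bool:
    f = trim(f, p)
    return bool(f) and f[-1] == 1


def poly_mul(f: list[int], g: list[int], p: int) -> list[int]:
    f, g = trim(f, p), trim(g, p)
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out, p)


def poly_divmod(g: list[int], f: list[int], p: int) -> tuple[list[int], list[int]]:
    """Unique (s, r) with g = s*f + r and deg(r) < deg(f) or r = 0; p prime."""
    f = trim(f, p)
    if not f:
        raise ZeroDivisionError("division by the zero polynomial")
    r = trim(g, p)
    s = [0] * max(len(r) - len(f) + 1, 1)
    inv_lead = pow(f[-1], -1, p)            # leading coefficient is a unit in Z_p
    while len(r) >= len(f):
        shift = len(r) - len(f)             # cancel the top term of r
        coef = r[-1] * inv_lead % p
        s[shift] = coef
        for i, c in enumerate(f):
            r[shift + i] = (r[shift + i] - coef * c) % p
        r = trim(r, p)
    return trim(s, p), r


def monic_polys(d: int, p: int):
    """Every monic polynomial of degree d over Z_p (p^d of them)."""
    for low in product(range(p), repeat=d):
        yield list(low) + [1]


def is_irreducible(f: list[int], p: int) -> bool:
    """Trial division: a reducible f of degree n has a monic factor of degree
    1..n//2, so f is irreducible iff no such polynomial divides it exactly."""
    f = trim(f, p)
    n = degree(f, p)
    if n < 1:
        return False                        # 0 and constants are neither
    for d in range(1, n // 2 + 1):
        for g in monic_polys(d, p):
            if not poly_divmod(f, g, p)[1]:
                return False
    return True


if __name__ == "__main__":
    print(degree([0, 0, 0, 0, 1, 0, 2], 3), is_irreducible([0, 0, 0, 0, 1, 0, 2], 3))
    print(is_irreducible([1, 1, 1], 2), is_irreducible([1, 1, 0, 1], 2), is_irreducible([1, 0, 1, 1], 2))
    print(poly_divmod([1, 1, 1], [1, 1], 2))   # 1 + x + x^2 = x(1 + x) + 1
```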
Finite Fields
• will now introduce finite fields
• of increasing importance in cryptography
– AES, Elliptic Curve, IDEA, Public Key
• concern operations on "numbers"
– where what constitutes a "number" and the type of operations varies considerably
• start with the concepts of groups, rings, fields from abstract algebra
PRIME NUMBERS
• An integer p > 1 is a prime number if its only divisors are 1 and p
• There are infinitely many primes
• Distribution of Primes
– The Prime Number Theorem
• Let π(N) denote the number of primes not exceeding N. Then π(N) is approximately N / ln N
– Twin Primes
• (Infinitely many) pairs of primes differ by two
• e.g., (5, 7), (11, 13), (101, 103), (4967, 4969), …
– For any positive integer n, there are at least n consecutive composite positive integers, namely
(n+1)! + 2, (n+1)! + 3, … , (n+1)! + (n+1)
PRIMES UNDER 2000
PRIME FACTORIZATION
• Unique Factorization
– The Fundamental Theorem of Arithmetic
• Every positive integer a > 1 can be factored uniquely as
a = p_1^(a_1) p_2^(a_2) … p_t^(a_t), where p_1 < p_2 < … < p_t are primes and each a_i > 0
– If P is the set of all prime numbers, then any positive integer can be written uniquely in the following form
a = Π_{p ∈ P} p^(a_p), where each a_p ≥ 0 and only finitely many a_p are nonzero
PRIME FACTORIZATION
• The value of any positive integer can be specified by listing all nonzero exponents (a_p)
• 12 (= 2^2 × 3) is represented by {a_2 = 2, a_3 = 1}
• (Multiplication) k = ab → k_p = a_p + b_p for all p ∈ P
• (Divisibility) a|b → a_p ≤ b_p for all p ∈ P
FERMAT'S LITTLE THEOREM
• Theorem: If p is prime and a is a positive integer not divisible by p, then a^(p-1) ≡ 1 (mod p)
• Proof
Start by listing the first p – 1 positive multiples of a:
a, 2a, 3a, …, (p-1)a
Suppose that ja and ka are the same modulo p; then we have j ≡ k (mod p), so the p-1 multiples of a above are distinct and nonzero; that is, they must be congruent to 1, 2, 3, …, p-1 in some order. Multiply all these congruences together and we find
a · 2a · 3a ··· (p-1)a ≡ 1 · 2 · 3 ··· (p-1) (mod p)
or better, a^(p-1) (p-1)! ≡ (p-1)! (mod p). Divide both sides by (p-1)! to complete the proof.
FERMAT'S LITTLE THEOREM
• Corollary: If p is prime and a is a positive integer, then a^p ≡ a (mod p)
• Corollary: If p is prime and a is a positive integer not divisible by p, then a^(p-2) is an inverse of a modulo p
EULER'S PHI-FUNCTION
• Definition: Euler's phi-function φ(n) is defined to be the number of positive integers less than n (including 1) that are relatively prime to n
EULER'S PHI-FUNCTION
• Properties
(1) φ(1) = 1 (by convention)
(2) p is prime ⇒ φ(p) = p-1
(3) Let p be a prime and a a positive integer. Then φ(p^a) = p^a – p^(a-1) = p^a (1 - 1/p)
(4) Let m and n be relatively prime positive integers. Then φ(mn) = φ(m) φ(n)
(5) Let n = p_1^(a_1) p_2^(a_2) … p_t^(a_t) be the prime-power factorization of the positive integer n. Then
φ(n) = n (1 - 1/p_1)(1 - 1/p_2) ··· (1 - 1/p_t)
EULER'S THEOREM
• Generalization of Fermat's little theorem
• Theorem: For every a and n that are relatively prime,
a^φ(n) ≡ 1 (mod n)
• Proof
– The proof is completely analogous to that of Fermat's Theorem except that instead of the set of residues {1, 2, ..., n-1} we now consider the set of residues {x_1, x_2, ..., x_φ(n)} which are relatively prime to n. In exactly the same manner as before, multiplication by a modulo n results in a permutation of the set {x_1, x_2, ..., x_φ(n)}. Therefore, the two products are congruent:
x_1 x_2 ... x_φ(n) ≡ (ax_1)(ax_2) ... (ax_φ(n)) (mod n)
and dividing by the left-hand side proves the theorem.
• Corollary
(1) a^(φ(n)+1) ≡ a (mod n)
(2) If gcd(a, n) = 1, then a^(φ(n)-1) is an inverse of a modulo n
Primality Testing
• often need to find large prime numbers
• traditionally sieve using trial division
• ie. divide by all numbers (primes) in turn less than the square root of the number
• only works for small numbers
• alternatively can use statistical primality tests based on properties of primes
• for which all prime numbers satisfy the property
• but some composite numbers, called pseudo-primes, also satisfy the property
• can use a slower deterministic primality test
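Euler's phi-function, Fermat's and Euler's theorems, and the statistical primality test just described, as one added Python example (not code from the slides); the number 561 = 3 · 11 · 17, the modulus of the earlier exponentiation example, is used to show the pseudo-prime caveat concretely.

```python
import math

# Added example (not from the slides): Euler's phi-function from the
# prime-power factorization (property 5 above), Euler's and Fermat's theorems
# checked numerically, the Fermat corollary a^(p-2) = a^-1 (mod p), and a
# Fermat-based probabilistic primality test. 561 = 3 * 11 * 17 is composite
# yet passes the Fermat test for every base coprime to it, so a passing
# result can only mean "probably prime".


def trial_division_factors(n: int) -> dict[int, int]:
    """Prime-power factorization {p: exponent} by trial division up to sqrt(n);
    fine for classroom sizes, hopeless for RSA-sized n (the slide's point)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors: dict[int, int] = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_prime_trial_division(n: int) -> bool:
    """Deterministic but slow: n is prime iff its factorization is {n: 1}."""
    return n > 1 and trial_division_factors(n) == {n: 1}


def euler_phi(n: int) -> int:
    """phi(n) = n * prod(1 - 1/p), computed exactly as prod p^(a-1) * (p - 1)."""
    result = 1
    for p, a in trial_division_factors(n).items():
        result *= p ** (a - 1) * (p - 1)
    return result                      # phi(1) == 1 via the empty product


def euler_theorem_holds(a: int, n: int) -> bool:
    """a^phi(n) == 1 (mod n) whenever gcd(a, n) == 1."""
    return math.gcd(a, n) == 1 and pow(a, euler_phi(n), n) == 1 % n


def fermat_inverse(a: int, p: int) -> int:
    """For prime p and p not dividing a, a^(p-2) is the inverse of a mod p."""
    if a % p == 0:
        raise ValueError("a is divisible by p; no inverse exists")
    return pow(a, p - 2, p)


def fermat_test(n: int, bases: tuple[int, ...] = (2, 3, 5, 7)) -> bool:
    """Statistical test: a prime satisfies a^(n-1) == 1 (mod n) for every base
    a. Returns False when some base proves n composite, True when n passes for
    all bases; True means 'probably prime', never 'prime'."""
    if n < 2:
        return False
    return all(pow(a % n, n - 1, n) == 1 for a in bases if a % n not in (0, 1))


def fermat_liars(n: int) -> list[int]:
    """Bases 2..n-2 coprime to n for which the Fermat test passes; for a
    composite n these are the bases that make it a pseudo-prime."""
    return [a for a in range(2, n - 1)
            if math.gcd(a, n) == 1 and pow(a, n - 1, n) == 1]


if __name__ == "__main__":
    print("phi(561) =", euler_phi(561), "; factors", trial_division_factors(561))
    print("Euler's theorem for a=7, n=561:", euler_theorem_holds(7, 561))
    print("7^-1 mod 41 =", fermat_inverse(7, 41))
    print("Fermat test on 561 with bases (2, 7, 13):", fermat_test(561, (2, 7, 13)))
    print("trial division says 561 is prime?", is_prime_trial_division(561))
```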
CHINESE REMAINDER THEOREM
• Chinese Remainder Theorem (CRT)
Suppose m_1, …, m_k are pairwise relatively prime positive integers, and suppose a_1, …, a_k are integers. Then the system of k congruences x ≡ a_i (mod m_i) (1 ≤ i ≤ k) has a unique solution modulo M = m_1 ··· m_k, which is given by
x ≡ a_1 c_1 + a_2 c_2 + … + a_k c_k (mod M),
where c_i = M_i (M_i^-1 mod m_i) and M_i = M / m_i, for 1 ≤ i ≤ k.
CHINESE REMAINDER THEOREM
Proof
• Let M = m_1 m_2 … m_k, where the m_i's are pairwise relatively prime, i.e., gcd(m_i, m_j) = 1, 1 ≤ i ≠ j ≤ k
• A ↔ (a_1, a_2, …, a_k), where A ∈ Z_M, a_i ∈ Z_{m_i}, and a_i = A mod m_i for 1 ≤ i ≤ k
• One to one correspondence (bijection) between Z_M and the Cartesian product Z_{m_1} × Z_{m_2} × … × Z_{m_k}
– For every integer A such that 0 ≤ A < M, there is a unique k-tuple (a_1, a_2, …, a_k) with 0 ≤ a_i < m_i
– For every such k-tuple (a_1, a_2, …, a_k), there is a unique A in Z_M
CHINESE REMAINDER THEOREM
• Computing A from (a_1, a_2, …, a_k) is done as follows:
• Let M_i = M/m_i for 1 ≤ i ≤ k, i.e., M_i = m_1 m_2 … m_(i-1) m_(i+1) … m_k
• Note that M_i ≡ 0 (mod m_j) for all j ≠ i and gcd(M_i, m_i) = 1
• Let c_i = M_i × (M_i^-1 mod m_i) for 1 ≤ i ≤ k
• Then A ≡ (a_1 c_1 + a_2 c_2 + … + a_k c_k) mod M
⇒ a_i = A mod m_i, since c_j ≡ M_j ≡ 0 (mod m_i) if j ≠ i and c_i ≡ 1 (mod m_i)
CHINESE REMAINDER THEOREM
• Operations performed on the elements of Z_M can be equivalently performed on the corresponding k-tuples by performing the operation independently in each coordinate position
– ex) A ↔ (a_1, a_2, ..., a_k), B ↔ (b_1, b_2, …, b_k)
(A + B) mod M ↔ ((a_1 + b_1) mod m_1, …, (a_k + b_k) mod m_k)
(A - B) mod M ↔ ((a_1 - b_1) mod m_1, …, (a_k - b_k) mod m_k)
(A × B) mod M ↔ ((a_1 × b_1) mod m_1, …, (a_k × b_k) mod m_k)
• CRT provides a way to manipulate (potentially large) numbers mod M in terms of tuples of smaller numbers
CHINESE REMAINDER THEOREM
• Example
– Let m_1 = 37, m_2 = 49, M = m_1 m_2 = 1813, A = 973, B = 678
– M_1 = 49, M_2 = 37
– Using the extended Euclid's algorithm
• M_1^-1 mod m_1 = 34, and M_2^-1 mod m_2 = 4
– Taking residues modulo 37 and 49
• 973 ↔ (11, 42), 678 ↔ (12, 41)
– Add the tuples element-wise
• (11 + 12 mod 37, 42 + 41 mod 49) = (23, 34)
– To verify, we compute
• (23, 34) ↔ (a_1 c_1 + a_2 c_2) mod M = (a_1 M_1 M_1^-1 + a_2 M_2 M_2^-1) mod M = [(23)(49)(34) + (34)(37)(4)] mod 1813 = 1651
• which is equal to (678 + 973) mod 1813 = 1651
Discrete Logarithm(s) (DLs)
• Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest integer such that a^n ≡ 1 (mod p), i.e., n = ord_p(a). Assuming 0 ≤ x < n, we denote x = L_a(b), and call it the discrete log of b w.r.t. a (mod p)
• Ex: p = 11, a = 2, b = 9, then x = L_2(9) = 6
Discrete Logarithms
• In the RSA algorithm, the difficulty of factoring a large integer yields good cryptosystems
• In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems
• Given p, a, b, solve a^x ≡ b (mod p)
• a is suggested to be a primitive root mod p
One-Way Function
• A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y = f(x).
• L_a(b) is a one-way function if p is large
Primitive Roots mod 13
• a is a primitive root mod p if
{a^k | 1 ≦ k ≦ p-1} = {1, 2, …, p-1}
• 2, 6, 7, 11 are primitive roots mod 13
• 3^3 ≡ 1 (mod 13), 4^6 ≡ 1 (mod 13),
• 5^4 ≡ 1 (mod 13), 8^4 ≡ 1 (mod 13),
• 9^3 ≡ 1 (mod 13), 10^6 ≡ 1 (mod 13),
• 12^2 ≡ 1 (mod 13)
Solve a^x ≡ b (mod p)
• An exhaustive search for all 0 ≤ x < p
• Check only for even x or odd x according to b^((p-1)/2) ≡ (a^x)^((p-1)/2) ≡ (a^((p-1)/2))^x ≡ (-1)^x ≡ 1 or -1 (mod p), where a is a primitive root
(Ex) p = 11, a = 2, b = 9; since b^((p-1)/2) ≡ 9^5 ≡ 1, check the even numbers {0, 2, 4, 6, 8, 10} only, to find x = 6 such that 2^6 ≡ 9 (mod 11)
Solve a^x ≡ b (mod p) by Pohlig-Hellman
Let p-1 = Π q^r over all primes q | (p-1). For each such q, write b_0 = b and
x ≡ x_0 + x_1 q + x_2 q^2 + … + x_(r-1) q^(r-1) (mod q^r) for 0 ≤ x_i ≤ q-1
1. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b_0^((p-1)/q), then x_0 = k; next let b_1 ≡ b_0 a^(-x_0)
2. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b_1^((p-1)/q^2), then x_1 = k; next let b_2 ≡ b_1 a^(-x_1 q)
3. Repeat steps 1, 2 until x_(r-1) is found for this q
4. Repeat steps 1~3 for all q's, then apply the Chinese Remainder Theorem to get the final solution
7^x ≡ 12 (mod 41); p = 41, a = 7, b = 12,
• p-1 = 41-1 = 40 = 2^3 · 5
• b_0 = 12
• For q = 2: b_0 = 12, b_1 = 31, b_2 = 31, and
x = x_0 + 2x_1 + 4x_2 ≡ 1 + 2·0 + 4·1 ≡ 5 (mod 8)
• For q = 5: b_0 = 12, b_1 = 18, and
x = x_0 ≡ 3 (mod 5)
Solving x ≡ 5 (mod 8) and x ≡ 3 (mod 5),
we have x ≡ 13 (mod 40)
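The CRT reconstruction from the earlier Chinese Remainder Theorem slides and the Pohlig-Hellman procedure above, as one added Python example (not code from the slides): the CRT is checked on the m_1 = 37, m_2 = 49 example and then reused to combine the per-prime-power digits of x for 7^x ≡ 12 (mod 41); modular inverses come from Python's built-in pow(x, -1, m) (3.8+).

```python
from math import gcd, prod

# Added example (not from the slides): CRT reconstruction
# A = (a_1 c_1 + ... + a_k c_k) mod M with c_i = M_i (M_i^-1 mod m_i), and the
# Pohlig-Hellman reduction, which finds x mod q^r for each prime power of p-1
# and combines the pieces with the same CRT.


def crt(residues: list[int], moduli: list[int]) -> int:
    """The unique A in Z_M (M = product of moduli) with A = a_i (mod m_i)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    A = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        c_i = M_i * pow(M_i, -1, m_i)     # c_i = 1 (mod m_i), 0 (mod m_j), j != i
        A += a_i * c_i
    return A % M


def to_tuple(A: int, moduli: list[int]) -> tuple[int, ...]:
    """The k-tuple (A mod m_1, ..., A mod m_k) of the bijection Z_M <-> product."""
    return tuple(A % m for m in moduli)


def dlog_prime_power(a: int, b: int, p: int, q: int, r: int) -> int:
    """x mod q^r where a^x = b (mod p), a a primitive root and q^r the exact
    power of q in p-1. The digits x_j of x = x_0 + x_1 q + ... + x_{r-1} q^{r-1}
    are recovered one at a time, as in steps 1-3 above."""
    n = p - 1
    gamma = pow(a, n // q, p)              # a^((p-1)/q) has order exactly q
    x, b_j = 0, b
    for j in range(r):
        # b_j = b * a^-(x_0 + ... + x_{j-1} q^{j-1}); raised to (p-1)/q^{j+1}
        # it equals gamma^{x_j}, so x_j is the k with gamma^k == that value.
        target = pow(b_j, n // q ** (j + 1), p)
        for k in range(q):                 # exhaustive search over q values
            if pow(gamma, k, p) == target:
                break
        else:
            raise ValueError("no solution: b is not a power of a mod p")
        x += k * q ** j
        b_j = b_j * pow(a, -(k * q ** j), p) % p
    return x


def pohlig_hellman(a: int, b: int, p: int, factors: dict[int, int]) -> int:
    """Solve a^x = b (mod p) given the factorization p-1 = prod q^r as {q: r}."""
    if prod(q ** r for q, r in factors.items()) != p - 1:
        raise ValueError("factors must multiply to p-1")
    residues = [dlog_prime_power(a, b, p, q, r) for q, r in factors.items()]
    moduli = [q ** r for q, r in factors.items()]
    return crt(residues, moduli)           # step 4: combine x mod q^r by CRT


if __name__ == "__main__":
    moduli = [37, 49]                                   # M = 1813
    ta, tb = to_tuple(973, moduli), to_tuple(678, moduli)
    summed = [(x + y) % m for x, y, m in zip(ta, tb, moduli)]
    print(ta, tb, summed, crt(summed, moduli))          # (11, 42) (12, 41) [23, 34] 1651
    print(pohlig_hellman(7, 12, 41, {2: 3, 5: 1}))      # 13
```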
Solve a^x ≡ b (mod p) by Index Calculus
Let B be a bound and let p_1, p_2, …, p_m be the primes less than B, covering all of the prime factors of p-1. Then appropriately choose k(j)'s such that a^(k(j)) ≡ (p_1)^(r_1) (p_2)^(r_2) … (p_m)^(r_m) (mod p), i.e.,
r_1 L_a(p_1) + r_2 L_a(p_2) + … + r_m L_a(p_m) ≡ k(j) (mod p-1)
for several j's; solve the linear system to get L_a(p_1), L_a(p_2), …, L_a(p_m). Then select R such that b a^R ≡ (p_1)^(b_1) (p_2)^(b_2) … (p_m)^(b_m) (mod p); the solution is
L_a(b) ≡ -R + Σ b_i L_a(p_i) (mod p-1)
Solve 2^x ≡ 37 (mod 131)
p = 131, a = 2, b = 37; let B = 10, then
p_1 = 2, p_2 = 3, p_3 = 5, p_4 = 7. Since
2^8 ≡ 5^3, 2^12 ≡ 5·7, 2^14 ≡ 3^2, 2^34 ≡ 3·5^2 (mod p),
we have
3 L_2(5) ≡ 8 (mod 130)
L_2(5) + L_2(7) ≡ 12 (mod 130)
2 L_2(3) ≡ 14 (mod 130)
L_2(3) + 2 L_2(5) ≡ 34 (mod 130)
L_2([3, 5, 7]) = [72, 46, 96]
Choose R = 43, then
37 · 2^43 ≡ 3·5·7 (mod 131), so we have
L_2(37) ≡ -43 + L_2(3) + L_2(5) + L_2(7)
≡ 41 (mod 130)
• L_2(11) ≡ 56 (mod 130) [R = 4]
• L_2(23) ≡ 23 (mod 130) [R = 5]
A Lemma on p ≡ 3 (mod 4)
Let p ≡ 3 (mod 4), r ≥ 2. Suppose a and g are nonzero integers such that g ≡ a^(y·2^r) (mod p). Then
g^((p+1)/4) ≡ a^(y·2^(r-1)) (mod p)
[Proof]
g^((p+1)/4) ≡ a^((p+1)·y·2^(r-2)) ≡ a^(y·2^(r-1)) [a^(p-1)]^(y·2^(r-2)) ≡ a^(y·2^(r-1)) (mod p)
A L_a(b) (mod 4) Machine
• Let a be a primitive root (mod p), where p ≡ 3 (mod 4) is large; then computing L_a(b) (mod 4) is as difficult as finding the solution of a^x ≡ b (mod p)
[P.172]
The ElGamal Public Key Cryptosystem
Alice wants to send a message m to Bob.
Bob chooses a large prime p and a primitive root a. Assume m is an integer 0 ≤ m < p, and Bob selects a secret integer x to compute b ≡ a^x (mod p). The information (p, a, b) is made public and is Bob's public key. Alice does the following procedures.
Encryption and Decryption
1. Downloads (p, a, b)
2. Chooses a secret random k and computes r ≡ a^k (mod p)
3. Computes t ≡ b^k m (mod p)
4. Sends the pair (t, r) to Bob
Bob decrypts by computing t r^(-x) (≡ m (mod p))
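The ElGamal steps above as an added Python example (not code from the slides), with the primitive-root check from the "Primitive Roots mod 13" slide applied to Bob's choice of a; p = 41, a = 7 and the fixed x, k used for the printed run are a constructed toy instance, while the random path uses the secrets module.

```python
import secrets
from typing import Optional

# Added example (not from the slides): ElGamal key generation, encryption and
# decryption exactly as in the procedure above, plus the primitive-root test
# Bob needs when choosing a. p = 41 is a toy modulus; real deployments use
# primes of thousands of bits and a fresh random k for every message.


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root mod p iff {a^k : 1 <= k <= p-1} = {1, ..., p-1}."""
    return {pow(a, k, p) for k in range(1, p)} == set(range(1, p))


def primitive_roots(p: int) -> list[int]:
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def keygen(p: int, a: int, x: Optional[int] = None) -> tuple[tuple[int, int, int], int]:
    """Bob: public key (p, a, b) with b = a^x mod p; private key x."""
    if not is_primitive_root(a, p):
        raise ValueError("a must be a primitive root mod p")
    if x is None:
        x = secrets.randbelow(p - 2) + 1        # 1 <= x <= p-2
    return (p, a, pow(a, x, p)), x


def encrypt(public_key: tuple[int, int, int], m: int, k: Optional[int] = None) -> tuple[int, int]:
    """Alice: r = a^k, t = b^k * m (mod p); sends the pair (t, r)."""
    p, a, b = public_key
    if not 0 <= m < p:
        raise ValueError("message must satisfy 0 <= m < p")
    if k is None:
        k = secrets.randbelow(p - 2) + 1        # secret, fresh per message
    r = pow(a, k, p)
    t = pow(b, k, p) * m % p
    return t, r


def decrypt(private_key: int, p: int, ciphertext: tuple[int, int]) -> int:
    """Bob: m = t * r^(-x) mod p, since r^x = a^(kx) = b^k cancels the mask."""
    t, r = ciphertext
    return t * pow(r, -private_key, p) % p


if __name__ == "__main__":
    print("primitive roots mod 13:", primitive_roots(13))   # [2, 6, 7, 11]
    public, x = keygen(41, 7, x=13)                         # b = 7^13 mod 41 = 12
    t, r = encrypt(public, 20, k=5)
    print("public key", public, "ciphertext", (t, r), "decrypts to", decrypt(x, 41, (t, r)))
    public, x = keygen(41, 7)                               # random x and k
    print(decrypt(x, 41, encrypt(public, 33)))
```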
Questions ?