The document discusses encryption and decryption techniques including symmetric and asymmetric cryptosystems. It describes the goals of cryptography including confidentiality, integrity, authentication, and non-repudiation. The document outlines the RSA cryptosystem including key generation, encryption, and digital signatures. It also discusses hashing, the discrete logarithm problem, and how elliptic curves can be used in cryptography.

1. Encryption and Decryption
Unit - V

2. Security Goals
 Consider the following security risks that could face two
communicating entities in an unprotected environment:
2
A B
C could view the secret message by eavesdropping on the communication.
Loss of privacy / confidentiality
C
m(1)

3. 3
C could alter/corrupt the message, or the message could change while in
transit. If B does not detect this, then we have Loss of Integrity
C
A Bm
A B
C
m
it could send a massage to B pretending to be A
If B cannot verify the source entity of the information then we lack
authentication
(2)
(3)

4. 4
A Bm
A might repudiate having sent m to B
Hence, some possible goals for communication:
• Privacy/confidentiality - information not disclosed to unauthorized entities
• Integrity - information not altered deliberately or accidentally
• Authentication - validation of identity of source of information
• Non-repudiation – Sender should not be able to deny sending a message
(4)

5. What is Cryptography
 Cryptography is the study of mathematical techniques related
to aspects of information security such as confidentiality, data
integrity, authentication, and non-repudiation.
5

6. What is a cryptographic system composed of?
6
(encryption)
(encryption key)
C PP (decryption)
Sender Receiver
(decryption key)
• Plaintext : original message or data (also called cleartext)
• Encryption : transforming the plaintext, under the control of the key
• Ciphertext : encrypted plaintext
• Decryption : transforming the ciphertext back to the original plaintext
• Cryptographic key: used with an algorithm to determine the transformation from
plaintext to ciphertext, and v.v.

7. Attack classification
7
(encryption)
(key)
CP
 Ciphertext Alone attack: The attacker has available only the
intercepted cryptogram C.
From C , try to find P or (even better) the key.

8. Attack classification
8
 Known Plaintext attack: The attacker knows a small amount of
plaintext (Pi) and its ciphertext Equivalent (Ci).
(encryption)
(key)
Ci
Pi
Ci+1
Pi+1
Attacker tries to find key or to infer Pi+1 (next plaintext)

9. Attack classification
9
 Chosen Plaintext attack: The attacker can choose plaintext (Pi) and obtain its
ciphertext (Ci).
 A careful selection of (Pi) would give a pair of (Pi, Ci) good for analyzing Enc.
Alg. + key and in finding Pi+1 (next plaintext of sender)
(encryption)
(key)
Ci
Pi
Ci+1
Pi+1

10. Forms of Cryptosystems
10
• Private Key (symmetric) :
• A single key (K) is used for both encryption and decryption and must
be kept secret.
• Key distribution problem a secure channel is needed to transmit the
key before secure communication can take place over an unsecure
channel.
(encryption)
(K)
C
MM (decryption)
Sender Receiver
(K)
EK(M) = C DK(C) = M

11. Forms of Cryptosystems
• Public Key (asymmetric):
• The encryption procedure (key) is public while the decryption procedure
(key) is private.
• Each participant has a public key and a private key.
• May allow for both encryption of messages and creation of digital signatures.

12. Forms of Cryptosystems
12
Public Key (asymmetric):
Requirements:
1. For every message M, encrypting with public key and then decrypting resulting
ciphertext with matching private key results in M.
2. Encryption and Decryption can be efficiently applied to M
3. It is impractical to derive decryption key from encryption key.
(encryption)
(public key
of Receiver)
C
MM (decryption)
Sender Receiver
(private key
of Receiver)

13. Combining Public/Private Key Systems
13
• Public key encryption is more expensive than symmetric key encryption
• For efficiency, combine the two approaches
1. Use public key encryption for authentication; once authenticated,
transfer a shared secret symmetric key
2. Use symmetric key for encrypting subsequent data transmissions
(1)
(2)A B

14. Rivest Shamir Adelman (RSA) Method
 Named after the designers: Rivest, Shamir, and Adleman
 Public-key cryptosystem and digital signature scheme.
 Based on difficulty of factoring large integers
 For large primes p & q, n = pq
 Public key e and private key d calculated
14

15. RSA Key Generation
15
Every participant must generate a Public and Private key:
1. Let p and q be large prime numbers, randomly chosen from the set of all large
prime numbers.
2. Compute n = pq.
3. Choose any large integer, d, so that:
GCD( d, ϕ(n)) = 1 (where ϕ(n) = (p1)(q1) )
4. Compute e = d-1 (mod ϕ(n)).
5. Publish n and e. Keep p, q and d secret.
Note:
• Step 4 can be written as:
• Find e so that: e x d = 1 (modulo ϕ(n))
• If we can obtain p and q, and we have (n, e), we can find d

16. Rivest Shamir Adelman (RSA) Method
16
Assume A wants to send something confidentially to B:
• A takes M, computes C = Me mod n, where (e, n) is B’s public key. Sends C to B
• B takes C, finds M = Cd mod n, where (d, n) is B’s private key
A
Me mod n Cd mod n
Encryption Key for user B
(B’s Public Key)
Decryption Key for user B
(B’s PrivateKey)
C
(e, n) (d, n)
B
M M
+ Confidentiality

17. RSA Method
17
Example:
1. p = 5, q = 11 and n = 55.
(p1)x(q1) = 4 x 10 = 40
2. A valid d is 23 since GCD(40, 23) = 1
3. Then e = 7 since:
23 x 7 = 161 modulo 40 = 1
in other words
e = 23-1 (mod 40) = 7

18. Digital Signatures Based on RSA
18
• In RSA algorithm the encryption and decryption operations are
commutative: ( me ) d = ( md ) e = m
• We can use this property to create a digital signature with RSA.

19. Digital Signatures (Public Key)
19
• Public Key System:
Sender, A: (EA : public, DA : private)
Receiver, B: (EB : public, DB : private)
• A signs the message m using its private key, the result is then encrypted
with B’s public key, and the resulting ciphertext is sent to B:
• C= EB (DA (M))
• B receives ciphertext C decrypts it using its private key, the result is then
encrypted with the senders public key (A’s public key) and the message m
is retrieved.
• M = EA (DB (C))

20. Hashing
20
A one-way hash function h is a public function h (which should be simple and fast to
compute) that satisfies three properties:
• A message m of arbitrary length must be able to be converted into a message
digest h(m) of fixed length.
• It must be one-way, that is given y = h(m) it must be computationally infeasible to
find m.
• It must be collision free, that is it should be computationally infeasible to find m1
and m2 such that h(m1) = h(m2).
Examples: MD5 , SHA-1

21. Hash Function
21
…M… H (M)
Hash Function
H
Message of arbitrary length Fixed length
output

22. Producing Digital Signatures
22
Step 1: A produces a one-way hash of the message.
Step 2: A encrypts the hash value with its private key, forming the signature.
Step 3: A sends the message and the signature to B.
Hash
Function
Encryption
Algorithm
Digital
Signature
A’s private key
message
digestMessage
H(M) Sig A
M

23. Verifying Digital Signature
23
Step 4: B forms a one-way hash of the message.
Step 5: B uses A’s public key to decrypt the signature and obtain the sent hash.
Step 6: compare the computed and sent hashes
Hash
Function
Decryption
Algorithm
Digital Signature
received
sender’s (A’s) public key
message digest
H(M’)
H(M)
CompareSig A
M’
H(M’)
Message received

24. Security of Digital Signatures
24
• If the hashes match then we have guaranteed the following: Integrity: if m
changed then the hashes would be different Authenticity & Non-repudiation: A
is who sent the hash, as we used A’s public key to reveal the contents of the
signature A cannot deny signing this, nobody else has the private key.
Satisfies the requirements of a Digital Signature
• If we wanted to further add confidentiality, then we would encrypt the sent m
+ signature such that only B could reveal the contents (encrypt with B’s public
key)
Possible problem: If signing modulus > encrypting modulus
-> Reblocking Problem

25. Secure Communication (Public Key)
25
BA
Handshaking
If B sees the same nonce at a later time,
then it should suspect a replay attack.
EPKA (IA, IB)
EPKB, (IA, A)
EPKB (IB)
• IA, IB are “nonces” nonces can be included in each subsequent message
• PKB: public key of B; PKA: public key of A;
C
EPKB (IB)

26. Data Encryption Standard
US standard
 64 bit plain text blocks
 56 bit key

27. DES
Encryption
Algorithm

28. DES Single Iteration

29. Strength of DES
 Declared insecure in 1998
 Electronic Frontier Foundation
 DES Cracker machine
 DES now worthless
 Alternatives include TDEA

30. Introduction to Elliptic Curves

31. Lets start with a puzzle…
 What is the number of balls that may be piled as a square
pyramid and also rearranged into a square array?
 Soln: Let x be the height of the pyramid…
Thus,
We also want this to be a square:
Hence,
2 2 2 2 ( 1)(2 1)
1 2 3 ...
6
x x x
x
 
    
2 ( 1)(2 1)
6
x x x
y
 


32. Graphical Representation
X axis
Y axis
Curves of this nature
are called ELLIPTIC
CURVES

33. Method of Diophantus
 Uses a set of known points to produce new points
 (0,0) and (1,1) are two trivial solutions
 Equation of line through these points is y=x.
 Intersecting with the curve and rearranging terms:
 We know that 1 + 0 + x = 3/2 =>
x = ½ and y = ½
 Using symmetry of the curve we also have (1/2,-1/2) as another
solution
3 23 1
0
2 2
x x x  

34. Diophantus’ Method
 Consider the line through (1/2,-1/2) and (1,1) =>
y=3x-2
 Intersecting with the curve we have:
 Thus ½ + 1 + x = 51/2 or x = 24 and y=70
 Thus if we have 4900 balls we may arrange them in
either way
3 251
... 0
2
x x  

35. Elliptic curves in Cryptography
 Elliptic Curve (EC) systems as applied to cryptography
were first proposed in 1985 independently by Neal
Koblitz and Victor Miller.
 The discrete logarithm problem on elliptic curve groups is
believed to be more difficult than the corresponding
problem in (the multiplicative group of nonzero elements
of) the underlying finite field.

36. Discrete Logarithms
in Finite Fields
Alice Bob
Pick secret, random X
from F
Pick secret, random Y
from F
gy mod p
gx mod p
Compute k=(gy)x=gxy mod p
Compute k=(gx)y=gxy mod p
Eve has to compute gxy from gx and gy without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
F={1,2,3,…,p-1}

37. Elliptic Curve on a finite set of Integers
 Consider y2 = x3 + 2x + 3 (mod 5)
x = 0  y2 = 3  no solution (mod 5)
x = 1  y2 = 6 = 1  y = 1,4 (mod 5)
x = 2  y2 = 15 = 0  y = 0 (mod 5)
x = 3  y2 = 36 = 1  y = 1,4 (mod 5)
x = 4  y2 = 75 = 0  y = 0 (mod 5)
 Then points on the elliptic curve are (1,1) (1,4) (2,0) (3,1)
(3,4) (4,0) and the point at infinity: 
Using the finite fields we can form an Elliptic Curve Group
where we also have a DLP problem which is harder to solve…

38. Definition of Elliptic curves
 An elliptic curve over a field K is a nonsingular
cubic curve in two variables, f(x,y) =0 with a rational
point (which may be a point at infinity).
 The field K is usually taken to be the complex
numbers, reals, rationals, algebraic extensions of
rationals, p-adic numbers, or a finite field.
 Elliptic curves groups for cryptography are examined
with the underlying fields of Fp (where p>3 is a
prime) and F2
m (a binary representation with 2m
elements).

39. General form of a EC
 An elliptic curve is a plane curve defined by an
equation of the form
baxxy  32
Examples

40. Weierstrass Equation
 A two variable equation F(x,y)=0, forms a curve in the plane.
We are seeking geometric arithmetic methods to find solutions
 Generalized Weierstrass Equation of elliptic curves:
2 2 2
1 3 2 4 6y a xy a y x a x a x a     
Here, A, B, x and y all belong to a field of say rational numbers,
complex numbers, finite fields (Fp) or Galois Fields (GF(2n)).

41.  If Characteristic field is not 2:
 If Characteristics of field is neither 2 nor 3:
22
2 3 23 31 1
2 4 6
2 3 ' 2 ' '
1 2 4 6
( ) ( ) ( )
2 2 4 4
a aa x a
y x a x a x a
y x a x a x a
       
    
'
1 2
2 3
1 1 1
/3x x a
y x Ax B
 
   

42. Points on the Elliptic Curve (EC)
 Elliptic Curve over field L
 It is useful to add the point at infinity.
 The point is sitting at the top of the y-axis and any line is
said to pass through the point when it is vertical.
 It is both the top and at the bottom of the y-axis.
2 3
( ) { } {( , ) | ... ...}E L x y L L y x       

43. The Abelian Group
 P + Q = Q + P (commutativity)
 (P + Q) + R = P + (Q + R) (associativity)
 P + O = O + P = P (existence of an identity element)
 there exists ( − P) such that − P + P = P + ( − P) = O
(existence of inverses)
Given two points P,Q in E(Fp), there is a third point, denoted by
P+Q on E(Fp), and the following relations hold for all P,Q,R in
E(Fp).

44. Elliptic Curve Picture
 Consider elliptic curve
E: y2 = x3 - x + 1
 If P1 and P2 are on E, we can
define
P3 = P1 + P2
as shown in picture
 Addition is all we need
P1
P2
P3
x
y

45. Addition in Affine Co-ordinates
x
y
1 1 2 2
3 3
( , ), ( , )
( ) ( , )
P x y Q x y
R P Q x y
 
  
y=m(x-x1)+y1
Let, P≠Q,
y2=x3+Ax+B

46. Doubling of a point
 Let, P=Q
 What happens when P2=∞?
2
2
1
1
1 1 2
3 2 2
2
3 1 3 1 3 1
2 3
3
2
, 0 (since then P +P = ):
0 ...
2 , ( )
dy
y x A
dx
dy x A
m
dx y
If y
x m x
x m x y m x x y
 

  
 
   
     

47. Why do we need the reflection?
P2=O=∞
P1
y
P1=P1+ O=P1

48. Sum of two points












21
1
2
1
21
12
12
_
2
3
_
xxfor
y
ax
xxfor
xx
yy

Define for two points P (x1,y1) and
Q (x2,y2) in the Elliptic curve
Then P+Q is given by R(x3,y3) :
1133
213
)( yxxy
xxx





49. P+P =
2P
Point at infinity O
• As a result of the above case P=O+P
• O is called the additive identity of the
elliptic curve group.
• Hence all elliptic curves have an additive
identity O.

50. Projective Co-ordinates
 Two-dimensional projective space over K is given
by the equivalence classes of triples (x,y,z) with x,y z
in K and at least one of x, y, z nonzero.
 Two triples (x1,y1,z1) and (x2,y2,z2) are said to be
equivalent if there exists a non-zero element λ in K, st:
 (x1,y1,z1) = (λx2, λy2, λz2)
 The equivalence class depends only the ratios and hence is
denoted by (x:y:z)
2
KP

51. Projective Co-ordinates
 If z≠0, (x:y:z)=(x/z:y/z:1)
 What is z=0? We obtain the point at infinity.
 The two dimensional affine plane over K:
2
2 2
{( , ) }
Hence using,
( , ) ( : :1)
K
K K
A x y K K
x y X Y
A P
  

 
 There are advantages with projective co-ordinates from
 the implementation point of view

52. Singularity
 For an elliptic curve y2=f(x), define
F(x,y)=y2-F(x). A singularity of the EC is a pt (x0,y0) such
that:
0 0 0 0
0 0
0 0
( , ) ( , ) 0
,2 '( ) 0
, ( ) '( )
f has a double root
F F
x y x y
x y
or y f x
or f x f x
 
 
 
  


It is usual to assume the EC has no singular points

53. 1. Hence condition
for no singularity
is 4A3+27B2≠0
2. Generally, EC
curves have no
singularity
0 0 0 0
0 0
0 0
2 3
3 2
2
4 2
2 2
2
2
2
3 2
( , ) ( , ) 0
, 2 '( ) 0
, ( ) '( )
f has a double root
For double roots,
3 0
/ 3.
Also, +Bx=0,
0
9 3
2
9
2
3( ) 0
9
4 27 0
F F
x y x y
x y
or y f x
or f x f x
y x Ax B
x Ax B x A
x A
x Ax
A A
Bx
A
x
B
A
A
B
A B
 
 
 
  


  
    
  

   
 
  
  
2 3
( )y f x x Ax B   
If Characteristics of field
is not 3:

54. Elliptic Curves in Characteristic 2
 Generalized Equation:
 If a1 is not 0, this reduces to the form:
 If a1 is 0, the reduced form is:
 Note that the form cannot be:
2 3 2
y xy x Ax B   
2 3 2
1 3 2 4 6y a xy a y x a x a x a     
2 3
y Ay x Bx C   
2 3
y x Ax B  

55. Outline of the Talk…
 Introduction to Elliptic Curves
 Elliptic Curve Cryptosystems
 Implementation of ECC in Binary Fields

56. Elliptic Curve Cryptosystems
(ECC)

57. Public-Key Cryptosystems
Secrecy: Only B can Decrypt
the message
Authentication: Only A can
generate the encrypted message

58. Public-Key Cryptography

59. Public-Key Cryptography

60. What Is Elliptic Curve Cryptography (ECC)?
 Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
 Every user has a public and a private key.
 Public key is used for encryption/signature verification.
 Private key is used for decryption/signature generation.
 Elliptic curves are used as an extension to other
current cryptosystems.
 Elliptic Curve Diffie-Hellman Key Exchange
 Elliptic Curve Digital Signature Algorithm

61. Using Elliptic Curves In Cryptography
 The central part of any cryptosystem involving elliptic
curves is the elliptic group.
 All public-key cryptosystems have some underlying
mathematical operation.
 RSA has exponentiation (raising the message or
ciphertext to the public or private values)
 ECC has point multiplication (repeated addition of two
points).

62. Generic Procedures of ECC
 Both parties agree to some publicly-known data items
 The elliptic curve equation
 values of a and b
 prime, p
 The elliptic group computed from the elliptic curve equation
 A base point, B, taken from the elliptic group
 Similar to the generator used in current cryptosystems
 Each user generates their public/private key pair
 Private Key = an integer, x, selected from the interval [1, p-1]
 Public Key = product, Q, of private key and base point
 (Q = x*B)

63. Example – Elliptic Curve Cryptosystem
Analog to El Gamal
 Suppose Alice wants to send to Bob an encrypted
message.
 Both agree on a base point, B.
 Alice and Bob create public/private keys.
 Alice
 Private Key = a
 Public Key = PA = a * B
 Bob
 Private Key = b
 Public Key = PB = b * B
 Alice takes plaintext message, M, and encodes it onto a
point, PM, from the elliptic group

64. Example – Elliptic Curve Cryptosystem
Analog to El Gamal
 Alice chooses another random integer, k from the
interval [1, p-1]
 The ciphertext is a pair of points
 PC = [ (kB), (PM + kPB) ]
 To decrypt, Bob computes the product of the first point
from PC and his private key, b
 b * (kB)
 Bob then takes this product and subtracts it from the
second point from PC
 (PM + kPB) – [b(kB)] = PM + k(bB) – b(kB) = PM
 Bob then decodes PM to get the message, M.

65. Example – Compare to El Gamal
 The ciphertext is a pair of points
 PC = [ (kB), (PM + kPB) ]
 The ciphertext in El Gamal is also a pair.
 C = (gk mod p, mPB
k mod p)
--------------------------------------------------------------------------
 Bob then takes this product and subtracts it from the second
point from PC
 (PM + kPB) – [b(kB)] = PM + k(bB) – b(kB) = PM
 In El Gamal, Bob takes the quotient of the second value and
the first value raised to Bob’s private value
 m = mPB
k / (gk)b = mgk*b / gk*b = m

66. Diffie-Hellman (DH) Key Exchange

67. ECC Diffie-Hellman
 Public: Elliptic curve and point B=(x,y) on curve
 Secret: Alice’s a and Bob’s b
Alice, A Bob, B
a(x,y)
b(x,y)
• Alice computes a(b(x,y))
• Bob computes b(a(x,y))
• These are the same since ab = ba

68. Example – Elliptic Curve
Diffie-Hellman Exchange
 Alice and Bob want to agree on a shared key.
 Alice and Bob compute their public and private keys.
 Alice
 Private Key = a
 Public Key = PA = a * B
 Bob
 Private Key = b
 Public Key = PB = b * B
 Alice and Bob send each other their public keys.
 Both take the product of their private key and the other user’s
public key.
 Alice  KAB = a(bB)
 Bob  KAB = b(aB)
 Shared Secret Key = KAB = abB

69. Why use ECC?
 How do we analyze Cryptosystems?
 How difficult is the underlying problem that it is based upon
 RSA – Integer Factorization
 DH – Discrete Logarithms
 ECC - Elliptic Curve Discrete Logarithm problem
 How do we measure difficulty?
 We examine the algorithms used to solve these problems

70. Security of ECC
 To protect a 128 bit AES
key it would take a:
 RSA Key Size: 3072 bits
 ECC Key Size: 256 bits
 How do we strengthen RSA?
 Increase the key length
 Impractical?

71. Applications of ECC
 Many devices are small and have limited storage and
computational power
 Where can we apply ECC?
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the
power, storage and computational power that is
necessary for our current cryptosystems

72. Benefits of ECC
 Same benefits of the other cryptosystems: confidentiality,
integrity, authentication and non-repudiation but…
 Shorter key lengths
 Encryption, Decryption and Signature Verification speed up
 Storage and bandwidth savings

73. Summary of ECC
 “Hard problem” analogous to discrete log
 Q=kP, where Q,P belong to a prime curve
given k,P  “easy” to compute Q
given Q,P  “hard” to find k
 known as the elliptic curve logarithm problem
 k must be large enough
 ECC security relies on elliptic curve logarithm problem
 compared to factoring, can use much smaller key sizes than with RSA etc
 for similar security ECC offers significant computational advantages

74. Public-Key Cryptosystems
Secrecy: Only B can Decrypt
the message
Authentication: Only A can
generate the encrypted message

75. Public-Key Cryptography - 1

76. Public-Key Cryptography - 2