32

Chapter 3 Public Key Cryptosystem

3.1 Introduction

Using symmetric cryptosystem, it is safe to send encrypted message without

fear of interception because an interceptor is unlikely to be able to decipher the

message; however, with this advantage, symmetric cryptosystem also have the

following problems:

(a) Sender and receiver share a common secret key, which must be transmitted

before an encryption procedure can start.

(b) There is always a problem of how to transfer the common secret key.

(c) Classical cryptosystem are unable to deal the dispute between the sender &

receiver, as to what message, if any, was sent. Third party cannot verify who

actually send the message.

(d) Key management is the major problem in classical cryptosystem because

every pair of users has to have an exclusive secret key.

To solve these problems we will discuss a new cryptosystem known as public

key cryptosystem.

Public-Key Algorithms are symmetric, that is to say the key that is used to

encrypt the message is different from the key used to decrypt the message. The

encryption key, known as the Public key is used to encrypt a message, but the

message can only be decoded by the person that has the decryption key, known as the

private key. This type of encryption has a number of advantages over traditional

symmetric Ciphers. It means that the recipient can make their public key widely

available anyone wanting to send them a message uses the algorithm and the

recipient's public key to do so. An eavesdropper may have both the algorithm and the

public key, but will still not be able to decrypt the message. Only the recipient, with

the private key can decrypt the message. An advantage of public-key algorithm is that

they are more computationally intensive than symmetric algorithms, and therefore

encryption and decryption take longer. This may not be significant for a short text

message, but certainly is for bulk data encryption.

33

3.2 The Basic Principle

The primary objective of an adversary who wishes to ―attack‖ a public-key

encryption scheme is to systematically recover plaintext from ciphertext intended for

some other entity A. If this is achieved, the encryption scheme is informally said to

have been broken. A more ambitious objective is key recovery – to recover A‘s

private key. If this is achieved, the encryption scheme is informally said to have been

completely broken since the adversary then has the ability to decrypt all ciphertext

sent to A.

Consider an example that shows the Encryption & Decryption process:

In order to decrypt a message, Bob (the recipient) has to know the key

However; it may be difficult for Alice (the sender) to tell Bob what the key is. If they

simply agree on a key bye-mail for example, Eve could be listening in on their e-mail

conversation and thus also learn what the key is. Public key cryptography was

invented to solve this problem. When using public-key cryptography, Alice and Bob

both have their own key pairs. A key pair consists of a public key and a private-key. If

the public-key is used to encrypt something, then it can be decrypted only using the

private-key. And similarly, if the private-key is used to encrypt something, then it can

be decrypted only using the public-key. It is not possible to figure out what the

private-key is given only the public key, or vice versa. This makes it possible for

Alice and Bob to simply send their public keys to one another, even if the channel

they are using to do so is insecure. It is no problem that Eve now gets a copy of the

public keys. If Alice wants to send a secret message to Bob, she encrypts the message

using Bob's public key. Bob then takes his private key to decrypt the message. Since

Eve does not have a copy of Bob's private key, she cannot decrypt the message. Of

course this means that Bob has to carefully guard his private key.

With public key cryptography it is thus possible for two people who have

never met to securely exchange messages. Figure 3.1 (W. Stallings, 3rd Ed.) illustrates

the public-key encryption process.

34

Figure: 3.1 Encryption

3.3 Comparative study of Public-Key Cryptography & Secret-Key

Cryptography

1. The primary advantage of public-key cryptography is increased security and

convenience. Private keys never need to transmitted or revealed to anyone. In a

secret-key system, by contrast, the secret keys must be transmitted (either manually or

through a communication channel), and there may be a chance that an enemy can

discover the secret keys during their transmission.

2. Another major advantage of public-key systems is that they can provide a

method for digital signatures. Authentication via secret-key systems requires the

sharing of some secret and sometimes requires trust of a third party as well. As a

result, a sender can repudiate a previously authenticated message by claiming that the

shared secret was somehow compromised by one of the parties sharing the secret.

For example, the Kerberos secret-key authentication system involves a central

database that keeps copies of the secret keys of all users; an attack on the database

would allow widespread forgery. Public-key authentication, on the other hand,

prevents this type of repudiation; each user has sole responsibility for protecting his or

her private key. This property of public-key authentication is often called non-

repudiation.

3. A disadvantage of using public-key cryptography for encryption is speed;

there are popular secret-key encryption methods that are significantly faster than any

currently available public-key encryption method. Nevertheless, public-key

cryptography can be used with secret-key cryptography to get the best of both worlds.

35

For encryption, the best solution is to combine public- and secret-key systems in order

to get both the security advantages of public-key systems and the speed advantages of

secret-key systems. The public-key system can be used to encrypt a secret key, which

is used to encrypt the bulk of a file or message. Such a protocol is called a digital

envelope.

4. Public-key cryptography may be vulnerable to impersonation, however,

even if users' private keys are not available. A successful attack on a certification

authority will allow an adversary to impersonate whomever the adversary chooses to

by using a public-key certificate from the compromised authority to bind a key of the

adversary's choice to the name of another user.

5. In some situations, public-key cryptography is not necessary and secret-key

cryptography alone is sufficient. This includes environments where secure secret - key

agreement can take place, for example by users meeting in private. It also includes

environments where a single authority knows and manages all the keys (e.g., a closed

banking system) Since the authority knows everyone's keys already, there is not much

advantage for some to be "public" and others "private" Also, public-key cryptography

is usually not necessary in a single-user environment.

For example, if you want to keep your personal files encrypted, you can do so

with any secret-key encryption algorithm using, say, your personal password as the

secret key. In general, public-key cryptography is best suited for an open multi-user

environment.

6. Public-key cryptography is not meant to replace secret-key cryptography,

but rather to supplement it, to make it more secure. The first use of public-key

techniques was for secure key exchange in an otherwise secret-key system; this is still

one of its primary functions. Secret-key cryptography remains extremely important

and is the subject of ongoing study and research. Some secret-key cryptosystems are

discussed in the sections on Block Cipher and Stream Cipher.

3.4 The RSA Algorithm

RSA is an algorithm for public-key cryptography that is based on the

presumed difficulty of factoring large integers. RSA stands for Ron Rivest, Adi

Shamir and Leonard Adleman (W. Stallings, 2005), who first publicly described it in

36

1978. A user of RSA creates and then publishes the product of two large prime

numbers, along with an auxiliary value, as their public key. The prime factors must be

kept secret. Anyone can use the public key to encrypt a message, but with currently

published methods, if the public key is large enough, only someone with knowledge

of the prime factors can feasibly decode the message. Whether breaking RSA

encryption is as hard as factoring is an open question known as the RSA problem. It

may be used to provide both secrecy and digital signatures and its security is based on

the intractability of the integer factorization.

The RSA scheme is a block cipher in which the plaintext and ciphertext are

integers between 0 and n-1 for some n. A typical size for n is 1024 bits, or 309

decimal digits. That is, n are less than 21024

. We examine RSA in this section in some

detail, beginning with an explanation of the algorithm. Then we examine some of the

computational and crypt analytical implications of RSA.

3.4.1 Prime Number Generation and Integer Factorization

Two basic facts and one conjecture in number theory prepare the way for

today‘s RSA public-key cryptosystem.

FACT-1

Prime generation is easy: It‘s easy to find a random prime number of a given size.

This is a result of two other points: Prime numbers of any size are very

common, and it‘s easy to test whether a number is a prime – even a large prime.

To generate a random prime, one can simply generate random numbers of a given size

and test them for primality until a prime is found. According to the Prime Number

Theorem, the expected number of candidates to test will be on the order of ln x (the

natural logarithm of x) where x is a typical number of the intended size.

It hasn‘t always been easy to test whether a number is a prime. In fact, it might

seem that testing for primality would require one to determine all the factors of the

number to see if there are others beside the number itself and 1. Faster methods for

primality testing were discovered in the 1970s that test for certain properties held by

prime numbers but not by composites, rather than finding the factors. Without these

results, much of public-key cryptography today would not be practical because of the

dependence on efficient methods of generating primes.

37

In the following, let p and q be two large, randomly generated primes. ―Large‖

in the cryptographic context typically means 512 bits (155 decimal digits) or more.

FACT-2

Multiplication is easy: Given p and q, it‘s easy to find their product, n = pq.

There are many efficient ways to multiply two large numbers, starting with the

―grade-school‖ method that multiplies one number by the other digit-by-digit, and

sums the tableau of intermediate results.

Factoring is hard: Given such an n, it appears to be quite hard to recover the prime

factors p and q.

Despite hundreds of years of study of the problem, finding the factors of a

large number still takes a long time in general. The fastest current methods are much

faster than the simple approach of trying all possible factors one at a time. (Such a

method would take on the order of n steps.) However, they are still expensive. For

instance, it has been estimated recently that recovering the prime factors of a 1024-bit

number would take a year on a machine costing US $10 million. A 2048-bit number

would require several billion times more work.

These estimates are much less than would have been expected in the 1970s

when the problem was first proposed in cryptography. The recommended sizes have

accordingly.

No one knows whether still faster methods might be discovered in the coming

years. On the other hand, no one has proved that they can‘t be. Both aspects remain

important research areas in mathematics

3.4.2 Description of the Algorithm

The scheme developed by Rivest, Shamir, and Adleman makes use of an

expression with exponentials. Plaintext is encrypted in blocks, with each block having

a binary value less than some number n. That is, the block size must be less than or

equal to log2(n); in practice, the block size is i bits, where 2i< n 2i+1. Encryption and

decryption are of the following form, for some plaintext block M and ciphertext

block C

C = Me mod n

M = Cd mod n = (M e)

d mod n = M

ed mod n

38

Both sender and receiver must know the value of n. The sender knows the

value of e, and only the receiver knows the value of d. Thus, this is a public-key

encryption algorithm with a public key of PU = {e, n} and a private key of

PU = {d, n}. For this algorithm to be satisfactory for public-key encryption, the

following requirements must be met.

1. It is possible to find values of e, d, n such that Med

mod n = M for all M < n.

2. It is relatively easy to calculate Me mod n and C

d mod n for all values of

M < n.

3. It is infeasible to determine d given e and n.

For now, we focus on the first requirement and consider the other questions

later. We need to find a relationship of the form

Med

mod n = M

Two very large prime numbers, normally of equal length, are randomly

chosen then multiplied together.

n =a x b ------------ (3.1)

T = (a-1) x (b-1) --------------- (3.2)

A third number is then also chosen randomly as the public key (e) such that it has no

common factors (i.e. is relatively prime) with T. The private key (d) is then

D = e-1

mod T -------------- (3.3)

To encrypt a block of plaintext (M) into cipher text (C)

C = Me mod n ------------- (3.4)

To decrypt

M = Cd mod n --------------- (3.5)

3.4.3 Practical Aspects of Computation

We now turn to the issue of the complexity of the computation required to use

RSA. There are actually two issues to consider: encryption/decryption and key

generation. Let us look first at the process of encryption and decryption and then

consider key generation.

a. Exponentiation in Modular Arithmetic

Both encryption and decryption in RSA involve raising an integer to an integer

power, mod n. If the exponentiation is done over the integers and then reduced

39

modulo n, the intermediate values would be gargantuan. We can make use of a

property of modular arithmetic:

[(a mod n) x (b mod n)] mod n = (a x b) mod n

Thus, we can reduce intermediate results modulo n. This makes the calculation

practical.

Another consideration is the efficiency of exponentiation, because with RSA

we are dealing with potentially large exponents. To see how efficiency might be

increased, consider that we wish to compute x16

. A straightforward approach requires

15 multiplications:

x16

= x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x

However, we can achieve the same final result with only four multiplications

if we repeatedly take the square of each partial result, successively forming x2, x

4, x

8,

x16

. As another example, suppose we wish to calculate x11

mod n for some integers

x and n. Observe that x11

= x1+2+8

= (x) (x2) (x

8). In this case we compute x mod n,

x2 mod n, x

4 mod n, and x

8 mod n and then calculate [(x mod n) x (x

2mod n) x

(x8 mod n)] mod n.

More generally, suppose we wish to find the value ab with a and b positive integers. If

we express b as a binary number bkbk-1 ... b0 then we have

Therefore,

We can therefore develop the algorithm for computing ab

mod n, shows an

example of the execution of this algorithm. Note that the variable c is not needed; it is

included for explanatory purposes. The final value of c is the value of the exponent.

40

Figure 3.2: Algorithm for computing ab mod n

i 9 8 7 6 5 4 3 2 1 0

bi 1 0 0 0 1 1 0 0 0 0

c 1 2 4 8 17 35 70 140 280 560

f 7 49 157 526 160 241 298 166 67 1

Table 3.1: Result of the Fast Modular Exponentiation Algorithm

for ab mod n, where a = 7, b = 560 = 1000110000, n = 561

b. Efficient Operation Using the Public Key

To speed up the operation of the RSA algorithm using the public key, a

specific choice of e is usually made. The most common choice is 65537 (216

-1); two

other popular choices are 3 and 17. Each of these choices has only two 1 bits and so

the number of multiplications required to perform exponentiation is minimized.

However, with a very small public key, such as e = 3, RSA becomes

vulnerable to a simple attack. Suppose we have three different RSA users who all use

the value e = 3 but have unique values of n, namely n1, n2, n3. If user A sends the

same encrypted message M to all three users, then the three ciphertexts are

C1 = M3mod n1; C2 = M

3 mod n2; C3 = M

3 mod n3. It is likely that n1, n2, and n3 are

pair wise relatively prime. Therefore, one can use the Chinese remainder theorem

(CRT) to compute M3 mod (n1n2n3). By the rules of the RSA algorithm, M is less than

each of the ni therefore M3 < n1n2n3. Accordingly, the attacker need only compute the

cube root of M3. This attack can be countered by adding a unique pseudorandom bit

41

string as padding to each instance of M to be encrypted. This approach is discussed

subsequently.

By the definition of RSA algorithm requires that during key generation the

user selects a value of e that is relatively prime to f (n). Thus, for example, if a user

has preselected e = 65537 and then generated primes p and q, it may turn out that

gcd (f (n),e) ≠1, Thus, the user must reject any value of p or q that is not congruent to

1 (mod 65537).

c. Efficient Operation Using the Private Key

We cannot similarly choose a small constant value of d for efficient operation.

A small value of d is vulnerable to a brute-force attack and to other forms of

cryptanalysis (Wiener, M. 1990). However, there is a way to speed up computation

using the CRT. We wish to compute the value M = Cd mod n. Let us define the

following intermediate results: Vp = Cd mod p Vq = C

d mod q

Following the CRT, Ci= Mi × (Mi-1

mod mi) for 1≤i ≤ k , define the quantities:

Xp = q x (q-1

mod p) Xq = p x (p-1

mod q)

The CRT then shows, using that M = (VpXp + VqXq) mod n Further, we

can simplify the calculation of Vp and Vq using Fermat's theorem, which states that

ap-1

≡1 (mod p) if p and a are relatively prime. Some thought should convince you

that the following are valid:

Vp = Cd mod p = C

d mod (p-1) mod p Vq = C

d mod q = C

d mod (q-1) mod q

The quantities d mod (p-1) and d mod (q-1) can be precalculated. The end result is

that the calculation is approximately four times as fast as evaluating M = Cd mod n

directly.

d. Key Generation

Before the application of the public-key cryptosystem, each participant must

generate a pair of keys. This involves the following tasks:

1. Determining two prime numbers, p and q

2. Selecting either e or d and calculating the other

42

The primes must be chosen from a sufficiently large set (i.e., p and q must be

large numbers). On the other hand, the method used for finding large primes must be

reasonably efficient.

At present, there are no useful techniques that yield arbitrarily large primes, so

some other means of tackling the problem is needed. The procedure that is generally

used is to pick at random an odd number of the desired order of magnitude and test

whether that number is prime, If not, pick successive random numbers until one is

found that tests prime.

In short, the procedure for picking a prime number is as follows.

1. Pick an odd integer n at random (e.g., using a pseudorandom number

generator).

2. Pick an integer a < n at random.

3. Perform the probabilistic primality test, such as Miller-Rabin, with a as a

parameter. If n fails the test, reject the value n and go to step 1.

4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2.

This is a somewhat tedious procedure. However, remember that this process is

performed relatively infrequently: only when a new pair (PU, PR) is needed.

Having determined prime numbers p and q, the process of key generation is

completed by selecting a value of e and calculating d or, alternatively, selecting a

value of d and calculating e. Assuming the former, then we need to select an e such

that gcd(f(n), e) = 1 and then calculate d≡ e1(mod f(n)). Fortunately, there is a single

algorithm that will, at the same time, calculate the greatest common divisor of two

integers and, if the gcd is 1, determine the inverse of one of the integers modulo the

other. The algorithm, referred to as the extended Euclid's algorithm. Thus, the

procedure is to generate a series of random numbers, testing each against f (n) until a

number relatively prime to f (n) is found. Again, we can ask the question: How many

random numbers must we test to find a usable number, that is, a number relatively

prime to f (n)? It can be shown easily that the probability that two random numbers

are relatively prime is about 0.6; thus, very few tests would be needed to find a

suitable integer.

43

3.4.4 Security of RSA

The security of RSA algorithm depends on the ability of the hacker to

factorize numbers. New, faster and better methods for factoring numbers are

constantly being devised. The Trent best for long numbers is the Number Field Sieve.

Prime Numbers of a length that was unimaginable a mere decade ago are now

factored easily. Obviously the longer a number is, the harder is to factor, and so the

better the security of RSA. As theory and computers improve, large and large keys

will have to be used. The advantage in using extremely long keys is the computational

overhead involved in encryption / decryption. This will only become a problem if a

new factoring technique emerges that requires keys of such lengths to be used that

necessary key length increases much faster than the increasing average speed of

computers utilizing the RSA algorithm. RSA's future security relies solely on

advances in factoring techniques.

There are four approaches to attacking the RSA Algorithm are as follows:

1. Brute Force: This involves trying all possible private keys.

2. Mathematical Attacks: There are several approaches, all equivalent in

effort to factoring the product of two primes.

3. Timing Attacks: These depend on the running time of the decryption

algorithm.

4. Chosen ciphertext attacks: This type of attack exploits the properties of the

RSA algorithm.

Thus, choosing a large size of n is an ultimate solution for the security of

RSA cryptosystem. In addition to this requirement, a number of other ways have been

suggested by the researcher to increase the security of RSA cryptosystem. RSA

algorithm has a suggested length of about 200 decimal digits; one gets a strong feeling

that factoring of such large prime is an extremely difficult problem. No one has yet

found a good factoring algorithm. For secure RSA the value of n should not be less

than 1024-bits.

3.5 Diffie-Hellman Key Exchange Algorithm

In 1976, Diffie and Hellman published the first public key based algorithm

(Diffie, W., and Hellman, M., 1976), which was designed to provide a means to

44

exchange securely a key K over a public network. That key K can later be used as a

session key. Note however that this algorithm applies only to the exchange of keys.

Before the key exchange actually begins, two global public values are generated and

made public to everyone: a prime number q and a, a primitive root of q, where a < q.

A primitive root a of a prime number p is an integer for which the successive

powers modulo p:

a mod p, a^2 mod p, a^3 mod p, ....... , a^(p-1) mod p --------------(3.6)

are distinct and consist of the integers from 1 through p-1 in some permutation.

For any integer b and a primitive root a of prime number p, we can find a

unique exponent i such that

b ≡ ai (mod p), where 0≤ i ≤ (p-1)

The exponent i is referred to as the discrete logarithm of b in base a, mod p.

Suppose that Alice, A, and Bob, B, want to exchange a key K. Alice selects a

secret random number XA < q, compute the public value YA = a^XA mod q and makes

it public. Bob does the same, that is, he generates his private random number XB < q,

calculate YB = a^XB mod q and publishes YB. Then compute the key K as follows:

K = (YB) X

A mod q ------------- (3.7)

= (𝛂XB mod q)

XA mod q ------------- (3.8)

= (𝛂XB)

XA mod q ------------- (3.9)

By the rules of modular arithmetic

= 𝛂XB

XA mod q ------------- (3.10)

= (𝛂XA)

XB mod q ------------- (3.11)

= (𝛂XA mod q)

XB mod q ------------- (3.12)

= (YA) X

B mod q) ------------- (3.13)

Similarly, Bob computes K using the public information and his own private

random number: The security of the algorithm is based on the difficulty to compute

discrete logarithms While it is easy to compute the modular exponentials Y = aX mod

q knowing the secret number X, it is difficult for an attacker to compute X from Y and

the global public values a and q:

Y= aX mod q (modular exponentiation) ----------- (3.14)

X= logy Y mod q (discrete logarithm) ------------ (3.15)

45

3.6 ElGamal Cryptosystem

The ElGamal cryptographic algorithm is a public key system like the Diffie-

Hellman system mainly based on the difficulty of discrete logarithm. It is mainly used

to establish common keys and not to encrypt message. The ElGamal cryptographic

algorithm is comparable to the Diffie-Hellman system. Although the inventor, Taher

Elgamal, did not apply for a patent on his invention, the owners of the Diffie-Hellman

patent felt this system was covered by their patent. A disadvantage of the EIGamal

system is that the encrypted message becomes very big, about twice the size of the

original message m. For this reason it is only used for small messages such as secret

keys.

3.6.1 Generating the ElGamal Public key

As with Diffie-Hellman, Alice and Bob have a (publicly known) prime

number p and a generator g. Alice begins by publishing information consisting of a

public key and an algorithm. The public key is simply a number, and the algorithm is

the method by which Bob encrypts his messages using Alice's public key. Alice does

not disclose her private key, which is another number. The private key allows Alice,

and only Alice, to decrypt messages that have been encrypted using her public key.

Alice chooses a secret number a to act as her private key, and she computes the

quantity

A ≡ ga (mod p)

Notice the resemblance to Diffie Hellman key exchange. Alice publishes her public

key A and she keeps her private key a secret.

3.6.2 Encrypting and Decrypting Messages

If Bob now wants to send a message m to Alice, he randomly picks a

number k, which is smaller than p. Bob uses k to encrypt one, and only one, message,

and He then computes: then he discards it. The number k is called an ephemeral key,

since it exists only for the purposes of encrypting a single message. Bob takes his

plaintext message m, his chosen random ephemeral key k, and Alice's public key A

and uses them to compute the two quantities

c1 ≡ gk (mod p) and c2 ≡ mA

k (mod p)

46

Bob's ciphertext, i.e., his encryption of m, is the pair of numbers (c1; c2), which he

sends to Alice.

How does Alice decrypt Bob's ciphertext (c1; c2)? Since Alice knows a, she

can compute the quantity

x ≡ (mod p)

and hence also x-1

(mod p). Alice next multiplies c2 by x-1

, and the resulting value is

the plaintext m. To see why, we expand the value of x-1

. c2 and find that

x-1

. c2 ≡ ( )-1

. c2 (mod p); since x ≡ (mod p),

≡ (gak

)-1

. (mAk) (mod p); since c1≡ g

k, c2 ≡ mA

k (mod p),

≡ (gak

)-1

. (m(ga)

k) (mod p); since A ≡ ga (mod p),

≡ m (mod p); since the gak

terms cancel out.

3.7 Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is an approach to public-key cryptography

based on the algebraic structure of elliptic curves over finite fields. The use of elliptic

curves in cryptography was suggested independently by Neal Koblitz (Koblitz, N.

1987) and Victor S (Miller, V.1985). Elliptic curves are also used in several integer

factorization algorithms that have applications in cryptography, such as Lenstra

elliptic curve factorization.

Public key cryptography systems are usually based on the assumption that a

particular mathematical operation is easy to do, but difficult to undo unless you know

some particular secret. A recent development in this field is the so-called Elliptic

Curve Cryptography. ECC works with point on a curve. The security of this type of

public key cryptography depends on the elliptic curve discrete logarithm problem. It

was invented by Neil Koblitz in 1987 and by Victor Miller in 1986. The principles of

ECC can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or

EIGamal. Although no general patent on elliptic curve cryptography appears to exist,

there are several patents that may be relevant depending on the implementation. The

main advantage of elliptic curve cryptography is that the keys can be much smaller.

Recommended key sizes are in the order of 160 bits rather than 1024 bits for RSA.

47

3.7.1 Elliptic Curves

An elliptic curve is a set of points (x, y), for which it is true that y2= x

3 +ax+c

Given certain chosen numbers a & b, typically the numbers are integers; although in

principle the system also works with real numbers. Despite what the name suggests,

the curve does not have an elliptic shape.

For example: a= -4 and b=0.67 gives the elliptic curve with equation

y2= x

3 - 4x +0.67

Figure 3.3 example of Elliptic Curves

If x3 + ax + b contains no repeated factors, or equivalently if 4a

3 + 27b

2 is not

0, then the elliptic curve can be used to form a group. A group is simply a set of

points on the curve. Because it is a group, it is possible to "add up" points which give

another point on the curve. On the graph, two points are added up by drawing a line

through both and taking as the outcome where the line intersects the curve. For

cryptographic purposes, an elliptic curve must have only points with all coordinates

whole numbers (integers) in the group. The trick with elliptic curve cryptography is

that if you have a point F on the curve, all multiples of these points are also on the

curve.

3.7.2 Key Generation in ECC

Alice and Bob agree on an elliptic curve and pick a certain point F on this

curve. They can do this with Eve listening in. Alice next picks a random number As

(which does not have to be a point on the curve) and computes AI' = As*F. The point

AI' is on the curve, [because it is a multiple of F. This is easy to compute Alice's

48

public key is AI' and her secret key is As. Bob does the same thing and ends up with

Bp and Bs.

3.7.3 Encrypting and Decrypting Messages

Alice and Bob can now secretly agree on a key with which they can encrypt

messages since secret key cryptography. The key simply is the product of Alice's

public key and Bob's secret key (which is the same as the product of Alice's secret key

and Bob's public key). It will be clear that Alice and Bob can compute this product

after they have exchanged their public keys, but Eve cannot since she has none of the

secret keys.

3.7.4 Cracking the Elliptic Curve Key

If Eve wanted to crack the key, she would have to reconstruct one of the

secret keys. The number of discrete points on the curve (points with both X and Y

coordinates being integers) is called the order of the curve. If the order of the point F

is a prime number of n bits, then computing As from As*F and F takes roughly 2"'2

operations. If F is, say, 160 bits long, then Eve needs about 2^80 operations. If she

can do a billion operations per second, this takes about 38 million years. This problem

is commonly referred to as the elliptic curve discrete logarithm problem.

3.8 Conclusion

Brief review of public-key cryptography and implemented RSA algorithm

are presented in this chapter. Also some popular public-key cryptography methods

presented briefly. Public- key algorithms are based on mathematical functions rather

than on substitution and permutation. Hence the advantage of public key algorithm is

that they are more computationally intensive than symmetric algorithms. More

important, public-key cryptography is asymmetric involving the use of two separate

keys, in contrast to symmetric conventional encryption, which uses only one key. The

use of two keys has profound consequences in the areas of confidentiality, key

distribution and authentication.