Formula sheet: Introduction to Cryptography, Symmetric Cryptography
1 Mathematical concepts
1.1 Euler’s totient function
Let $n > 1$ be an integer such that $n = \prod_i p_i^{k_i}$, where the $p_i$ are distinct prime numbers and $k_i > 0$.
Then $\varphi(n)$ is computed as
$$\varphi(n) = \varphi\Big(\prod_i p_i^{k_i}\Big) = \prod_i \varphi\big(p_i^{k_i}\big) = \prod_i \big(p_i^{k_i} - p_i^{k_i - 1}\big) = \prod_i (p_i - 1)\, p_i^{k_i - 1}.$$
1.2 A left-to-right Square-and-multiply algorithm
Data: integers $a, d, n$
Result: $x$ with $x \equiv a^d \pmod n$
Write $d = (d_{k-1} d_{k-2} \cdots d_1 d_0)_2$
  $x \leftarrow 1$
  for $i = k - 1$ down to $0$ do
    $x \leftarrow x^2 \bmod n$
    if $d_i = 1$ then
      $x \leftarrow a \cdot x \bmod n$
    end
  end
  return $x$
1.3 CRT, specifically for RSA
Suppose that we want to solve a system of modular equations like
$$x \equiv a_0 \pmod p; \qquad x \equiv a_1 \pmod q.$$
A solution is $x = u_0 a_0 + u_1 a_1 \pmod n$ with $n = pq$, where $u_0 = (q^{-1} \bmod p) \cdot q$ and $u_1 = (p^{-1} \bmod q) \cdot p$.
Garner's method:
A solution is $x = a_1 + q \cdot \big( ((a_0 - a_1) \bmod p) \cdot (q^{-1} \bmod p) \bmod p \big)$.
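Added worked example (not part of the formula sheet) tying Sections 1.1 to 1.3 together: the totient from a factorisation, the left-to-right square-and-multiply loop, both CRT recombination formulas, and RSA decryption done modulo $p$ and $q$ separately. Reducing the exponent mod $p-1$ and $q-1$ is the standard RSA-CRT use of the formula that the sheet does not spell out; the parameters are constructed and far too small for real use.

```python
def phi(factors):
    """Euler's totient from n = prod p_i^k_i given as {p_i: k_i} (Section 1.1)."""
    result = 1
    for p, k in factors.items():
        result *= (p - 1) * p ** (k - 1)
    return result


def square_and_multiply(a, d, n):
    """Left-to-right square-and-multiply: returns a^d mod n (Section 1.2)."""
    x = 1
    for bit in bin(d)[2:]:        # bits d_{k-1} ... d_0, most significant first
        x = x * x % n             # always square
        if bit == "1":            # multiply only when the current bit is set
            x = a * x % n
    return x


def crt_combine(a0, a1, p, q):
    """x = u0*a0 + u1*a1 mod n with u0 = (q^-1 mod p)*q, u1 = (p^-1 mod q)*p (Section 1.3)."""
    u0 = pow(q, -1, p) * q
    u1 = pow(p, -1, q) * p
    return (u0 * a0 + u1 * a1) % (p * q)


def garner(a0, a1, p, q):
    """Garner's method: x = a1 + q*(((a0 - a1) mod p) * (q^-1 mod p) mod p) (Section 1.3)."""
    t = (a0 - a1) % p * pow(q, -1, p) % p
    return a1 + q * t


def rsa_decrypt_crt(c, d, p, q):
    """Textbook RSA decryption c^d mod n computed modulo p and q, then recombined with Garner.
    Reducing d mod (p-1) and (q-1) is valid by Fermat's little theorem (standard RSA-CRT)."""
    m_p = square_and_multiply(c % p, d % (p - 1), p)
    m_q = square_and_multiply(c % q, d % (q - 1), q)
    return garner(m_p, m_q, p, q)


# Constructed toy RSA parameters (tiny on purpose: the classic n = 3233 = 61 * 53 example)
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, phi({P: 1, Q: 1}))          # private exponent, e*d = 1 mod phi(n)

if __name__ == "__main__":
    m = 65
    c = square_and_multiply(m, E, N)        # encrypt with the public key (n, e)
    assert rsa_decrypt_crt(c, D, P, Q) == m == pow(c, D, N)
    assert crt_combine(m % P, m % Q, P, Q) == garner(m % P, m % Q, P, Q) == m
    print(f"n={N} d={D} c={c} decrypts to {rsa_decrypt_crt(c, D, P, Q)}")
```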
2 Security strength
Advantage:
The advantage of distinguishing, e.g., a stream cipher SC with a uniformly random key from a random oracle RO is given by
$$\mathrm{Adv}_{\mathcal{A}} = \big|\Pr(\mathcal{A} = 1 \mid \mathrm{SC}_K) - \Pr(\mathcal{A} = 1 \mid \mathrm{RO})\big|.$$
Security strength:
A cryptographic scheme offers security strength $s$ if there are no attacks with $(M + N)/p < 2^s$, where $N$ and $M$ are the adversary's (offline and online) resources and $p$ the success probability, and there are no attacks with $(M + N)/\mathrm{Adv} < 2^s$, where $\mathrm{Adv}$ is the advantage of the adversary.
3 Symmetric cryptography
3.1 Feistel structure
Figure 1: Three-round Feistel structure. (a) Encryption: the halves $(P_L, P_R)$ pass through three rounds of the round function $F$ with round keys $K_1, K_2, K_3$, giving $(C_L, C_R)$. (b) Decryption: the same structure applied to $(C_L, C_R)$ with the round keys in reverse order $K_3, K_2, K_1$ recovers $(P_L, P_R)$.
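An added example (not from the sheet) of what Figure 1 shows: a three-round Feistel network on 16-bit blocks whose decryption is the same routine run with the round keys reversed. The round function F and the keys are constructed for illustration; any F works, because the structure rather than F supplies invertibility.

```python
def F(right, key):
    """Constructed 8-bit round function (need not be invertible): mix the half with the key."""
    t = (right ^ key) & 0xFF
    return ((t * 0x6D + 0x3B) ^ ((t << 3) | (t >> 5))) & 0xFF


def feistel(block, round_keys):
    """Run a Feistel network on a 16-bit block: (L, R) -> (R, L xor F(R, K_i)) per round.
    The final swap is undone so that feistel(c, reversed keys) is the exact inverse."""
    left, right = block >> 8, block & 0xFF
    for key in round_keys:
        left, right = right, left ^ F(right, key)
    return (right << 8) | left


def encrypt(block, keys):
    """Figure 1(a): rounds with K1, K2, K3."""
    return feistel(block, keys)


def decrypt(block, keys):
    """Figure 1(b): the same network with K3, K2, K1."""
    return feistel(block, keys[::-1])


KEYS = [0x1A, 0x2B, 0x3C]      # constructed round keys K1, K2, K3

if __name__ == "__main__":
    for plaintext in (0x0000, 0x1234, 0xFFFF):
        c = encrypt(plaintext, KEYS)
        assert decrypt(c, KEYS) == plaintext
        print(f"P={plaintext:04x} C={c:04x}")
```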
3.2 Block cipher modes
Block cipher mode diagrams (the figure caption is missing from the page; $B_K$ is the block cipher under key $K$):
(a) Electronic codebook mode: the blocks $P_1, P_2, \ldots, P_\ell \| 10^*$ are each encrypted with $B_K$ to $C_1, C_2, \ldots, C_\ell$.
(b) Output feedback mode: $B_K$ is iterated starting from the IV and its outputs are combined with $P_1, P_2, P_3, \ldots, P_\ell$ to give $C_1, C_2, C_3, \ldots, C_\ell$.
(c) Cipher block chaining mode: each block (the last one padded as $P_\ell \| 10^*$) is combined with the previous ciphertext block (the IV for $P_1$) before encryption with $B_K$.
(d) Counter mode: the counter blocks $D \| \langle 1 \rangle_r, D \| \langle 2 \rangle_r, D \| \langle 3 \rangle_r, \ldots, D \| \langle \ell \rangle_r$ are encrypted with $B_K$ and combined with $P_1, P_2, P_3, \ldots, P_\ell$ to give $C_1, C_2, C_3, \ldots, C_\ell$.
3.3 Hash function constructions
Figure 3: Merkle-Damgård construction for hash functions. The padded message blocks $M_1, \ldots, M_k \| 10^*$ and the length block $\mathrm{len}(M)$ are fed one by one into the compression function $F$, starting from the IV and passing through the chaining values $CV_1, \ldots, CV_{k-1}, CV_k$; the output of the last application of $F$ is the hash $H$.
Figure 4: Sponge function. The state consists of an outer part of $r$ bits (rate) and an inner part of $c$ bits (capacity), both initialised to $0$. In the absorbing phase the padded message $M$ (pad) is combined block by block with the outer part, with the permutation $f$ applied between blocks; in the squeezing phase the outer part is output after each application of $f$ and truncated (trunc) to the digest $Z$.
4 Public-key cryptography
4.1 Key agreement schemes
4.1.1 Textbook (Merkle-)Diffie-Hellman key agreement
Alice knows $p, g, q$; Bob knows $p, g, q$.
Alice: $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow g^a$. Bob: $b \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $B \leftarrow g^b$.
Alice $\to$ Bob: (Alice, $A$). Bob $\to$ Alice: (Bob, $B$).
Alice: $K_{A,B} \leftarrow B^a$. Bob: $K_{B,A} \leftarrow A^b$.
4.2 Encryption schemes
4.2.1 ElGamal encryption scheme
Alice knows $p, g, (q), B$; Bob knows $p, g, (q), b, B\,(= g^b)$.
Alice: $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow g^a$, $C \leftarrow M \times B^a$.
Alice $\to$ Bob: $(C, A)$.
Bob: $M \leftarrow C \times A^{q-b}$.
4.2.2 Textbook RSA encryption scheme
Bob has Alice's public key $(n, e)$; Alice has her private key $(n, d)$.
Bob: $c \leftarrow m^e \bmod n$. Bob $\to$ Alice: $c$. Alice: $m \leftarrow c^d \bmod n$.
4.3 Key encapsulation mechanisms (KEM)
4.3.1 KEM from ElGamal
Alice knows $p, g, (q), B$; Bob knows $p, g, (q), b, B\,(= g^b)$.
Alice: $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow g^a$, $K \leftarrow h(\text{``KDF''}; B^a)$, $CT \leftarrow \mathrm{Enc}_K(m)$.
Alice $\to$ Bob: $(A, CT)$.
Bob: $K \leftarrow h(\text{``KDF''}; A^b)$, $m \leftarrow \mathrm{Dec}_K(CT)$.
4.3.2 KEM from RSA
Bob has Alice's public key $(n, e)$; Alice has her private key $(n, d)$.
Bob: $r \xleftarrow{\$} \mathbb{Z}/n\mathbb{Z}$, $c \leftarrow r^e \bmod n$, $K \leftarrow h(\text{``KDF''}; r)$, $CT \leftarrow \mathrm{Enc}_K(m)$.
Bob $\to$ Alice: $(c, CT)$.
Alice: $r \leftarrow c^d \bmod n$, $K \leftarrow h(\text{``KDF''}; r)$, $m \leftarrow \mathrm{Dec}_K(CT)$.
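Added example (not from the sheet) of Sections 4.3.1 and 4.3.2: both KEMs, with both sides' computations, where $h(\text{``KDF''}; \cdot)$ is instantiated as SHA-256 and $\mathrm{Enc}_K/\mathrm{Dec}_K$ as a toy XOR with a SHAKE-256 keystream (both my assumptions, the latter not an authenticated cipher). The group ($p = 107$, $g = 4$ of prime order $q = 53$) and the RSA key are constructed and tiny.

```python
import hashlib
import secrets


def kdf(x):
    """h("KDF"; x): here SHA-256 over the label and the big-endian bytes of x (assumption)."""
    return hashlib.sha256(b"KDF;" + x.to_bytes((x.bit_length() + 7) // 8, "big")).digest()


def enc(key, m):
    """Toy Enc_K: XOR with a SHAKE-256 keystream derived from K (assumption, not an AEAD)."""
    return bytes(a ^ b for a, b in zip(m, hashlib.shake_256(key).digest(len(m))))


dec = enc   # XOR with the same keystream undoes itself

# --- KEM from ElGamal (Section 4.3.1) ---------------------------------------
P, G, Q = 107, 4, 53             # constructed: 4 has prime order 53 in (Z/107Z)*


def eg_keygen():
    b = secrets.randbelow(Q - 1) + 1
    return b, pow(G, b, P)                      # Bob's private b and public B = g^b


def eg_encap(B):
    a = secrets.randbelow(Q - 1) + 1
    return pow(G, a, P), kdf(pow(B, a, P))      # Alice: A = g^a, K = h("KDF"; B^a)


def eg_decap(b, A):
    return kdf(pow(A, b, P))                    # Bob: K = h("KDF"; A^b)


# --- KEM from RSA (Section 4.3.2) -------------------------------------------
N, E, D = 3233, 17, 2753         # constructed toy RSA key (n = 61 * 53)


def rsa_encap(n, e):
    r = secrets.randbelow(n - 2) + 2
    return pow(r, e, n), kdf(r)                 # Bob: c = r^e mod n, K = h("KDF"; r)


def rsa_decap(n, d, c):
    return kdf(pow(c, d, n))                    # Alice: r = c^d mod n, K = h("KDF"; r)


def roundtrip(m):
    """Run both KEMs end to end: encapsulate, encrypt m, decapsulate, decrypt."""
    b, B = eg_keygen()
    A, K = eg_encap(B)
    eg_ok = dec(eg_decap(b, A), enc(K, m)) == m
    c, K2 = rsa_encap(N, E)
    rsa_ok = dec(rsa_decap(N, D, c), enc(K2, m)) == m
    return eg_ok and rsa_ok
```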
4.4 Authentication protocols
4.4.1 Chaum-Evertse-van de Graaf (CEG) protocol
Alice knows $p, g, q, A, a$; Bob knows $p, g, q$ (and Alice's $A$).
Alice: $v \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $V \leftarrow g^v$. Alice $\to$ Bob: (Alice, $V$).
Bob: $c \xleftarrow{\$} \{0, 1\}$. Bob $\to$ Alice: $c$.
Alice: $r \leftarrow v - ca$. Alice $\to$ Bob: $r$.
Bob checks $V \overset{?}{=} g^r A^c$.
4.4.2 Schnorr’s authentication protocol
Alice knows $p, g, q, A, a$; Bob knows $p, g, q$ (and Alice's $A$).
Alice: $v \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $V \leftarrow g^v$. Alice $\to$ Bob: (Alice, $V$).
Bob: $c \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$. Bob $\to$ Alice: $c$.
Alice: $r \leftarrow v - ca$. Alice $\to$ Bob: $r$.
Bob checks $V \overset{?}{=} g^r A^c$.
4.5 Signature schemes
4.5.1 Schnorr’s signature scheme
Alice knows $p, g, q, A, a$; Bob knows $p, g, q$ (and Alice's $A$).
Alice: $v \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $V \leftarrow g^v$, $c \leftarrow h(p; g; A; V; m)$, $r \leftarrow v - ca$.
Alice $\to$ Bob: (Alice, $m$, $(r, V)$).
Bob: $c \leftarrow h(p; g; A; V; m)$ and checks $V \overset{?}{=} g^r A^c$.
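Added example (not from the sheet) of Sections 4.4.2 and 4.5.1: the interactive Schnorr protocol and the signature obtained from it by replacing Bob's random challenge with $c = h(p; g; A; V; m)$, sharing the same commit, respond and check steps. The group (safe prime $p = 2027$, $g = 4$ of prime order $q = 1013$) and the instantiation of $h$ as SHA-256 over ';'-separated values reduced mod $q$ are my assumptions.

```python
import hashlib
import secrets

P, G, Q = 2027, 4, 1013          # constructed: p = 2q + 1, g = 4 has prime order q


def keygen():
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)                       # private a, public A = g^a


def commit():
    v = secrets.randbelow(Q - 1) + 1
    return v, pow(G, v, P)                       # v <-$ Z/qZ, V = g^v


def respond(v, c, a):
    return (v - c * a) % Q                       # r = v - c*a (mod q)


def check(A, V, c, r):
    """Bob's test V =? g^r * A^c, shared by the protocol and the signature."""
    return V == pow(G, r, P) * pow(A, c, P) % P


def challenge(A, V, m):
    """c = h(p; g; A; V; m): SHA-256 of the ';'-separated values, reduced mod q (assumption)."""
    data = f"{P};{G};{A};{V};".encode() + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def authenticate(a, A):
    """Section 4.4.2: Alice commits, Bob challenges at random, Alice responds, Bob checks."""
    v, V = commit()
    c = secrets.randbelow(Q)
    return check(A, V, c, respond(v, c, a))


def sign(a, A, m):
    """Section 4.5.1: the challenge is computed by hashing, so no interaction is needed."""
    v, V = commit()
    return respond(v, challenge(A, V, m), a), V        # signature (r, V)


def verify(A, m, sig):
    r, V = sig
    return 0 <= r < Q and 0 < V < P and check(A, V, challenge(A, V, m), r)
```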
4.5.2 Full-domain hash RSA signatures
Alice has her private key $(n, d)$; Bob has Alice's public key $(n, e)$.
Alice: $H \leftarrow h(m)$, $s \leftarrow H^d \bmod n$. Alice $\to$ Bob: (Alice, $m$, $s$).
Bob: $H \leftarrow h(m)$ and checks $H \overset{?}{=} s^e \bmod n$.
4.5.3 Security notions
Discrete log (DL) problem:
Let $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$ and $A \leftarrow g^a$. Given $\langle g \rangle$ and $A$, determine $a$.
Computational Diffie-Hellman (CDH) problem:
Let $a, b \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow g^a$ and $B \leftarrow g^b$. Given $\langle g \rangle$ and $A, B$, determine $g^{ab}$.
Decisional Diffie-Hellman (DDH) problem:
Let $a, b, c \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow g^a$ and $B \leftarrow g^b$. With probability $\tfrac{1}{2}$, set $C \leftarrow g^c$, and otherwise $C \leftarrow g^{ab}$. Given $\langle g \rangle$ and $A, B, C$, determine whether $C = g^{ab}$ holds.
Advantage:
The advantage of an adversary on the decisional Diffie-Hellman problem is given by
$$\mathrm{Adv}_{\mathcal{A}} = \big|\Pr(\mathcal{A} = 1 \mid C = g^{ab}) - \Pr(\mathcal{A} = 1 \mid C = g^c)\big|.$$
IND-CPA security:
Challenger and Adversary both know the domain parameters (if any).
Challenger: randomly generate $(PrK, PK)$. Challenger $\to$ Adversary: $PK$.
Adversary: repeatedly compute $\mathrm{Enc}_{PK}(M)$ for messages $M$ of its choice; choose messages $M_0, M_1$. Adversary $\to$ Challenger: $M_0, M_1$.
Challenger: $i \xleftarrow{\$} \{0, 1\}$, $CT \leftarrow \mathrm{Enc}_{PK}(M_i)$. Challenger $\to$ Adversary: $CT$.
Adversary: again repeatedly compute $\mathrm{Enc}_{PK}(M)$.
4.6 Elliptic curves
4.6.1 Elliptic Curve Diffie-Hellman (ECDH) key exchange
Alice knows $E, G, (q)$; Bob knows $E, G, (q)$.
Alice: $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow [a]G$. Bob: $b \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $B \leftarrow [b]G$.
Alice $\to$ Bob: (Alice, $A$). Bob $\to$ Alice: (Bob, $B$).
Alice: $P \leftarrow [a]B$. Bob: $P \leftarrow [b]A$.
4.6.2 EC Schnorr
Alice knows $E, G, q, A, a$; Bob knows $E, G, q$ (and Alice's $A$).
Alice: $v \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $V \leftarrow [v]G$. Alice $\to$ Bob: (Alice, $V$).
Bob: $R \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$. Bob $\to$ Alice: $R$.
Alice: $r \leftarrow v - Ra$. Alice $\to$ Bob: $r$.
Bob checks $V \overset{?}{=} [r]G + [R]A$.
4.6.3 EC ElGamal
Alice knows $E, G, (q), B$; Bob knows $E, G, (q), b, B\,(= [b]G)$.
Alice: $a \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $A \leftarrow [a]G$, $C \leftarrow M + [a]B$. Alice $\to$ Bob: (Alice, $(C, A)$).
Bob: $M \leftarrow C - [b]A$.
4.6.4 ECDSA
Alice knows $E, G, q, A, a$; Bob knows $E, G, q$ (and Alice's $A$).
Alice: $v \xleftarrow{\$} \mathbb{Z}/q\mathbb{Z}$, $V \leftarrow [v]G$, $R \leftarrow x_V \bmod q$, $r \leftarrow v^{-1}(h(m) + Ra)$.
Alice $\to$ Bob: $m, (r, R)$.
Bob: $w \leftarrow r^{-1}$, $P \leftarrow [h(m)w]G + [Rw]A$, and checks $R \overset{?}{=} x_P \bmod q$.
4.6.5 Addition formulas for Weierstrass curves over prime fields
An elliptic curve (in short Weierstrass form) is the set of points in $\mathbb{F}_p^2$ that satisfy
$$E : y^2 = x^3 + ax + b, \qquad (a, b \in \mathbb{F}_p)$$
together with the point at infinity $\mathcal{O}$.
If points $P = (x_1, y_1)$, $Q = (x_2, y_2)$ are on curve $E$, then we can compute their sum, $R = (x_3, y_3)$, algebraically as follows:
Case $P = -Q$: $R = \mathcal{O}$.
Case $P \neq \pm Q$: $\lambda = \dfrac{y_1 - y_2}{x_1 - x_2}$, $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = -y_1 + \lambda(x_1 - x_3)$.
Case $P = Q$: $\lambda = \dfrac{3x_1^2 + a}{2y_1}$, $x_3 = \lambda^2 - 2x_1$, $y_3 = -y_1 + \lambda(x_1 - x_3)$.
For a point P = (x, y) on the curve E, the inverse of P is the point −P = (x, −y).
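Added example (not from the sheet) in which the addition formulas of Section 4.6.5 drive the ECDSA of Section 4.6.4 in the sheet's $(r, R)$ naming; scalar multiplication is the additive twin of Section 1.2. The curve $y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$ with $G = (2, 7)$ has 13 points (so the order $q = 13$ is prime) and is constructed for illustration; taking $h(m)$ as SHA-256 reduced mod $q$ is my assumption.

```python
import hashlib
import secrets

p, ca, cb = 11, 1, 6      # constructed toy curve y^2 = x^3 + x + 6 over F_11 (13 points)
G, q = (2, 7), 13         # generator and its prime order
O = None                  # the point at infinity

def add(P, Q):
    """Section 4.6.5: R = P + Q with the cases P = -Q, P != +-Q and P = Q."""
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:    # P = -Q (covers P = Q with y1 = 0)
        return O
    if P != Q:
        lam = (y1 - y2) * pow((x1 - x2) % p, -1, p) % p
    else:
        lam = (3 * x1 * x1 + ca) * pow(2 * y1 % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p         # for P = Q this equals lam^2 - 2 x1
    y3 = (-y1 + lam * (x1 - x3)) % p
    return (x3, y3)

def mul(k, P):
    """[k]P by left-to-right double-and-add (additive form of Section 1.2)."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def h(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def ecdsa_sign(a, m):
    """Section 4.6.4: V = [v]G, R = x_V mod q, r = v^-1 (h(m) + R a) mod q; retry if R or r is 0."""
    while True:
        v = secrets.randbelow(q - 1) + 1
        R = mul(v, G)[0] % q
        r = pow(v, -1, q) * (h(m) + R * a) % q
        if R and r:
            return r, R

def ecdsa_verify(A, m, sig):
    """Bob: w = r^-1, P = [h(m) w]G + [R w]A, accept iff x_P mod q = R."""
    r, R = sig
    if not (0 < r < q and 0 < R < q):
        return False
    w = pow(r, -1, q)
    P = add(mul(h(m) * w % q, G), mul(R * w % q, A))
    return P is not O and P[0] % q == R
```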
4.6.6 Projective coordinates
We can convert any point $(X : Y : Z)$ with $Z \neq 0$ to affine coordinates as $(XZ^{-1}, YZ^{-1})$.
The homogeneous elliptic curve has the form
$$Y^2 Z = X^3 + aXZ^2 + bZ^3.$$
The curve's point at infinity is $\mathcal{O} = (0 : 1 : 0)$.
4.7 Attacks on the discrete logarithm problem
We use multiplicative notation in the following. In additive notation, multiplications are
replaced by additions and exponentiations by scalar multiplications.
4.7.1 Baby-step giant-step algorithm
Data: group elements $g, h$ and table size $m$
Result: integer $a$ such that $h = g^a$
  $q \leftarrow \#\langle g \rangle$
  $L \leftarrow [\,]$
  for $i = 0$ to $m$ do
    $b_i \leftarrow g^i$
    Append($L$, $b_i$)
  end
  repeat for $j = 0, 1, 2, \ldots$
    $c_j \leftarrow h \cdot g^{-m \cdot j}$
  until $\exists i : c_j = L[i]$
  then $i_0 \leftarrow i$
  return $i_0 + m \cdot j$
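Added example (not from the sheet) of the baby-step giant-step algorithm of Section 4.7.1 in the subgroup $\langle 4 \rangle$ of $(\mathbb{Z}/107\mathbb{Z})^*$, which has prime order $q = 53$ (constructed parameters). The baby steps are stored in a dictionary keyed on the group element, so the test $\exists i : c_j = L[i]$ is a single lookup.

```python
from math import isqrt


def bsgs(g, h, p, q, m=None):
    """Baby-step giant-step: return a in [0, q) with h = g^a in (Z/pZ)*, or None if h not in <g>."""
    if m is None:
        m = isqrt(q) + 1                   # table size about sqrt(#<g>)
    # Baby steps: L[i] = g^i for i = 0..m, stored as {g^i: i}
    table, b = {}, 1
    for i in range(m + 1):
        table.setdefault(b, i)
        b = b * g % p
    # Giant steps: c_j = h * g^(-m j) for j = 0, 1, ... until c_j is in the table
    g_inv_m = pow(g, -m, p)                # g^(-m) mod p
    c = h % p
    for j in range(m + 1):
        if c in table:
            return (table[c] + m * j) % q  # a = i_0 + m * j
        c = c * g_inv_m % p
    return None


P, G, Q = 107, 4, 53    # constructed: 4 has prime order 53 in (Z/107Z)*

if __name__ == "__main__":
    h = pow(G, 17, P)
    print(bsgs(G, h, P, Q))   # 17
```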
4.7.2 Example of how to execute Pollard’s ρ algorithm
Let $p$ be a prime number such that $g \in (\mathbb{Z}/p\mathbb{Z})^*$ has order $q$. We want to solve the DL problem given $\langle g \rangle$ and $h$ with $h = g^a$, to determine $a$ (written $x$ below).
We take as starting point $(g, 1, 0)$ and as our function:
$$(a_{i+1}, b_{i+1}, c_{i+1}) = \begin{cases} (a_i \cdot g,\; b_i + 1,\; c_i) & \text{if } a_i \equiv 1 \pmod 3; \\ (a_i \cdot h,\; b_i,\; c_i + 1) & \text{if } a_i \equiv 2 \pmod 3; \\ (a_i^2,\; 2b_i,\; 2c_i) & \text{if } a_i \equiv 0 \pmod 3. \end{cases}$$
When we find $i \neq j$ with $a_i = a_j$, then we have
$$g^{b_i} h^{c_i} \equiv g^{b_j} h^{c_j} \pmod p,$$
so we get
$$g^{b_i - b_j} \equiv h^{c_j - c_i} \equiv g^{x(c_j - c_i)} \pmod p.$$
We then find $x$ by solving $b_i - b_j \equiv x(c_j - c_i)$ modulo $q$.
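Added example (not from the sheet) running the walk of Section 4.7.2 in the toy group $p = 107$, $g = 4$ of prime order $q = 53$ (constructed). Floyd's tortoise-and-hare finds $i \neq j$ with $a_i = a_j$ (the sheet fixes no cycle-finding method), the final congruence is solved with a modular inverse since $q$ is prime, and a useless collision ($c_i \equiv c_j$) restarts the walk from $g^s$ with another $s$, an extension of the sheet's single start $(g, 1, 0)$.

```python
def step(a, b, c, g, h, p, q):
    """One application of the sheet's function f(a_i, b_i, c_i); keeps a = g^b h^c."""
    if a % 3 == 1:
        return a * g % p, (b + 1) % q, c
    if a % 3 == 2:
        return a * h % p, b, (c + 1) % q
    return a * a % p, 2 * b % q, 2 * c % q


def pollard_rho(g, h, p, q):
    """Return x with h = g^x in <g> of prime order q, or None if every restart fails."""
    for s in range(1, q):
        # Start at (g^s, s, 0); the sheet uses s = 1, i.e. (g, 1, 0)
        tort = hare = (pow(g, s, p), s % q, 0)
        while True:
            tort = step(*tort, g, h, p, q)                      # a_i
            hare = step(*step(*hare, g, h, p, q), g, h, p, q)   # a_{2i}
            if tort[0] == hare[0]:                              # a_i = a_{2i} with i != 2i
                break
        (_, bi, ci), (_, bj, cj) = tort, hare
        # g^(bi - bj) = h^(cj - ci) = g^(x (cj - ci)), so solve bi - bj = x (cj - ci) mod q
        if (cj - ci) % q == 0:
            continue                                            # useless collision: restart
        x = (bi - bj) * pow((cj - ci) % q, -1, q) % q
        if pow(g, x, p) == h % p:
            return x
    return None


P, G, Q = 107, 4, 53    # constructed: 4 has prime order 53 in (Z/107Z)*

if __name__ == "__main__":
    h = pow(G, 17, P)
    print(pollard_rho(G, h, P, Q))   # 17
```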