MODULE 2

Pseudorandom number Generators: Linear Congruential Generators, Blum

Blum Shub Generator.
Public key cryptography and RSA: Principles of public key cryptosystems-
Public key cryptosystems, Applications for public key cryptosystems,
Requirements for public key cryptography, Public key Cryptanalysis, The RSA
algorithm: Description of the Algorithm, Computational aspects, The Security
of RSA.
Di ie-Hellman key exchange: The Algorithm, Key exchange Protocols, Man-
in-the-middle Attack, Elliptic Curve Cryptography: Analog of Di ie-Hellman
key Exchange, Elliptic Curve Encryption/Decryption, Security of Elliptic Curve
Cryptography.

Pseudorandom Number Generators

linear congruential method:
A popular method for generating pseudorandom numbers is the linear congruential method,
proposed by Lehmer in 1951. It uses four numbers:
 m – the modulus m>0
 a – the multiplier 0<a<m
 c – the increment 0≤c<m
 X₀ – the starting value or seed 0 ≤ X₀ < m
The random numbers {Xₙ} are generated using:
Xₙ₊₁ = (aXₙ + c) mod m
This gives numbers between 0 and m. The values of a, c, and m must be chosen carefully.
For example:
 a = 7, c = 0, m = 32, X₀ = 1 → sequence: {7, 17, 23, 1, 7,...} → uses only 4 values → bad
 a = 5 instead → sequence: {5, 25, 29, 17, 21, 9, 13, 1, 5,...} → 8 values → better
We want a large m, close to 2³¹, to get a long sequence.
Park and Miller in 1988 suggested 3 tests:
T1: The sequence should go through all values before repeating
T2: The numbers should look random
T3: It should work well with 32-bit systems
If m is a prime number and c = 0, then some a values give a period of m–1.
For 32-bit systems, m = 2³¹–1 is a good choice:
Xₙ₊₁ = (aXₙ) mod (2³¹–1)
One good value of a is 7⁵ = 16807, which was originally selected for use in the IBM 360 family of
computers in 1969. This generator is well tested and used for statistics and simulations, as stated by
Jain in 1991.
Even though it looks random, the sequence is fixed once X₀ is known. If someone knows the formula
and sees one number, they can find the rest.
If an attacker knows X₀, X₁, X₂, X₃:
X₁ = (aX₀ + c) mod m
X₂ = (aX₁ + c) mod m
X₃ = (aX₂ + c) mod m
They can solve these to find a, c, and m.
To avoid this, Briggs in 1979 suggested using the system clock. For example:
 Restart the sequence after N numbers using the clock (mod m) as the new seed
 Or add the clock value to each number (mod m)

Blum Blum Shub Generator

The Blum Blum Shub (BBS) generator, developed in 1986, is a secure pseudorandom number
generator.
Steps:
 Choose large primes p and q such that p ≡ q ≡ 3 (mod 4)
 Compute n = p × q
 Pick seed s relatively prime to n
 Initialize: X₀ = s² mod n
 For i = 1 to ∞:
Xᵢ = (Xᵢ₋₁)² mod n
Bᵢ = Xᵢ mod 2
It outputs the least significant bit (Bᵢ) each time.
Security is based on the di iculty of factoring n. It passes the next-bit test, meaning no practical
algorithm can predict the next bit with probability better than 1/2.
An example is shown where:
n = 192649 = 383 × 503
Seed s = 101355
security of BBS is based on the di iculty of factoring n (finding p and q from n).
Public-Key Cryptography and RSA
 Asymmetric Keys use a related public and private key for complementary operations like
encryption and decryption.
 Public Key Certificate is a digitally signed document from a Certification Authority that links a
public key to its owner.
 Public Key Cryptographic Algorithm uses two keys where deriving the private key from the
public key is computationally infeasible.
 Public Key Infrastructure (PKI) is a framework of policies and technologies for managing
public-private key pairs and certificates.

Principles of Public-Key Cryptosystems

The concept of public-key cryptography evolved from an attempt to solve two major problems
associated with symmetric encryption:

i) Key Distribution:
Under symmetric encryption, key distribution requires either:

That two communicants already share a key, which has somehow been securely distributed to them or
The use of a key distribution centre (KDC).

However, the core principle of cryptography is compromised if users must share their keys with a KDC
that itself could be vulnerable or compromised.

ii) Digital Signatures:

The second major problem is the need for digital signatures.
For cryptography to be used widely—not just in military, but also in commercial and private contexts—
electronic messages and documents must have the digital equivalent of handwritten signatures.

This means a method is needed that can prove, to the satisfaction of all parties, that a specific digital
message was indeed sent by a particular individual.

Public-Key Cryptosystems
  Asymmetric algorithms use one key for encryption and a di erent, but related, key for
decryption.

 It is computationally infeasible to find the decryption key from just the encryption key and the
algorithm.

 Some algorithms like RSA allow either key to encrypt, with the other used for decryption.

A public-key encryption scheme has six ingredients:

1. Plaintext: The original readable message given as input.

2. Encryption algorithm: Performs transformations on the plaintext.

3. Public and private keys: A key pair where one encrypts and the other decrypts, depending on
which is used.

4. Ciphertext: The encrypted output, which varies with di erent keys.

5. Decryption algorithm: Uses the matching key to recover the original plaintext.

Essential steps:

1. Each user generates a key pair for encryption and decryption.

2. One key is made public, the other kept private; public keys from others are stored.

3. To send a secure message, the sender encrypts using the recipient’s public key.

4. The recipient decrypts using their private key, ensuring only they can read the message.
Secrecy (Confidentiality):

 A sender A creates a plaintext message X = [X₁, X₂,…, Xₘ], with letters from a finite alphabet.
  The message is meant for receiver B, who generates a key pair:
PUb (public key) and PRb (private key).

 PRb is kept secret; PUb is shared publicly with A.

 A encrypts the message using PUb:

Y = E(PUb, X) → ciphertext Y

 B decrypts using their private key:

X = D(PRb, Y)

 An adversary may know PUb, Y, and the encryption/decryption algorithms, but without PRb,
they must guess the original message X or the private key PRb.

2. Authentication:

 Sender A encrypts the message using their private key (PRa):

Y = E(PRa, X)

 Receiver B decrypts using A’s public key (PUa):

X = D(PUa, Y)

 Since only A has PRa, the message must be from A — this acts as a digital signature.

 The message is authenticated in both source and integrity.

 Full message encryption increases storage needs; plaintext must be kept for use, ciphertext for
verification.

 Note: This method does not provide confidentiality, as anyone with PUa can decrypt the
message.
3. Authentication and Secrecy Together:

 The message is first encrypted using the sender's private key (for authentication), then with the
receiver's public key (for confidentiality):
Z = E(PUb, E(PRa, X))

 The receiver first decrypts with their private key, then with the sender’s public key:
X = D(PUa, D(PRb, Z))

 This ensures both authenticity and confidentiality.

 Drawback: The public-key algorithm must run four times per message, making it
computationally expensive.

Applications for Public-Key Cryptosystems

 Based on the application, the sender uses either their private key, the receiver’s public key, or
both to perform cryptographic functions.

 Public-key cryptosystems are broadly used in three categories:

i) Encryption/Decryption:
The sender encrypts a message using the recipient’s public key.

ii) Digital Signature:

The sender signs the message using their private key by applying a cryptographic algorithm to the
message or to a related block of data.

iii) Key Exchange:

Both parties cooperate to exchange a session key, using the private key(s) of one or both participants.

 Some algorithms support all three applications, while others are limited to only one or two

Requirements for Public-Key Cryptography

Public-key cryptography algorithms must meet the following conditions:

1. It must be computationally easy for a party B to generate a key pair:

(public key PUb, private key PRb)

2. It must be computationally easy for sender A to encrypt a message M using the public key:
C = E(PUb, M)

3. It must be computationally easy for receiver B to decrypt the ciphertext using the private key:
M = D(PRb, C) = D[PRb, E(PUb, M)]

4. It must be computationally infeasible for an adversary to determine the private key PRb from
the public key PUb.

5. It must be computationally infeasible for an adversary, knowing PUb and ciphertext C, to

recover the original message M.

6. A useful (but not necessary) condition:

The two keys should work in either order:
M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]

All the above rely on a trap-door one-way function, which has the following properties:

 A one-way function is easy to compute:

Y = f(X)

 But hard to reverse:

X = f⁻¹(Y) is infeasible
 "Easy" means computable in polynomial time (e.g., time ∝ nᵃ), while "infeasible" means time
grows faster than polynomial.

A trap-door one-way function allows reversal only if additional information (the trap-door) is
known:

 Y = fₖ(X) → easy, if k and X are known

 X = fₖ⁻¹(Y) →

o easy, if k and Y are known

o infeasible, if only Y is known and k is not

Thus, the core of a practical public-key cryptosystem is finding a suitable trap-door one-way
function.

Public-Key Cryptanalysis

➤ Brute-Force Attack:

 Public-key encryption is vulnerable to brute-force attacks, similar to symmetric encryption.

 The solution is to use large key sizes.

 However, public-key systems rely on invertible mathematical functions, which grow in

complexity faster than linearly with key size.

 So, key size must balance security (against brute force) and e iciency (for practical use).

 As a result, public-key encryption is mainly used for key management and digital signatures.

➤ Computing the Private Key from the Public Key:

 An attack could involve computing the private key from the public key.

 No public-key algorithm, including RSA, has been proven to make this attack mathematically
infeasible.

 Cryptanalysis history shows that problems once thought unsolvable may eventually be broken
using new perspectives.

➤ Probable-Message Attack:

 For example, if a message contains only a 56-bit DES key, an attacker could encrypt all possible
DES keys using the public key.

 By matching these to the ciphertext, the attacker could recover the key.

 This can be prevented by adding random bits to simple or predictable messages.

Key Generation example

1. Select two prime numbers:

o p = 17

o q = 11

2. Compute:

o n = p × q = 17 × 11 = 187

o φ(n) = (p - 1)(q - 1) = 16 × 10 = 160

3. Choose e such that 1 < e < φ(n) and gcd(φ(n), e) = 1:

o e=7

4. Determine d such that d × e ≡ 1 mod φ(n):

o d = 23 (since 23 × 7 = 161 = 1 mod 160)

  Public Key: { e, n } = { 7, 187 }

 Private Key: { d, n } = { 23, 187 }

Encryption

 Plaintext M = 88

 Ciphertext C = M^e mod n = 88⁷ mod 187

Using modular exponentiation:

 88¹ mod 187 = 88

 88² mod 187 = 7744 mod 187 = 77

 88⁴ mod 187 = 59969536 mod 187 = 132

Now:

 C = (88 × 77 × 132) mod 187 = 894432 mod 187 = 11

Encrypted Ciphertext: 11

Decryption

Ciphertext C = 11

 Plaintext M = C^d mod n = 11²³ mod 187

Modular values:

 11¹ mod 187 = 11

 11² mod 187 = 121

 11⁴ mod 187 = 14641 mod 187 = 55

 11⁸ mod 187 = 214358881 mod 187 = 33

Now:

 M = (11 × 121 × 55 × 33 × 33) mod 187 = 79720245 mod 187 = 88

Decrypted Plaintext: 88

Computational Aspects of RSA

The RSA algorithm involves two main areas of computation:

1. Encryption/Decryption
2. Key Generation

Modular Exponentiation
In RSA, both encryption and decryption require computing:
Encryption:
C = P^e mod n
Decryption:
P = C^d mod n
If we calculate large powers directly, the numbers become too large to handle e iciently. Instead, we
use modular arithmetic to simplify:
[(a mod n) * (b mod n)] mod n = (a * b) mod n
This allows us to reduce values after each step and keep the calculations practical.
Rather than multiplying many times, we square intermediate results to reduce the number of
operations.

Example:
To calculate x^16, instead of 15 multiplications:
x^2 = x * x
x^4 = (x^2)^2
x^8 = (x^4)^2
x^16 = (x^8)^2
So, only 4 multiplications are needed.

Now, to compute x^11 mod n:

Since 11 = 1 + 2 + 8, we compute:
x^11 mod n = [(x mod n) * (x^2 mod n) * (x^8 mod n)] mod n
This method is called Fast Modular Exponentiation.

E icient Public Key Operation

To make encryption faster, we choose small values for e, such as:
* e = 65537 (i.e., 2^16 + 1)
* e = 17
*e=3
These values require fewer multiplications since they have fewer binary 1s.

Security Risk with Small e:

If three users use e = 3, and the same message M is sent:
C1 = M^3 mod n1
C2 = M^3 mod n2
C3 = M^3 mod n3
Using the Chinese Remainder Theorem, an attacker can compute:
M^3 mod (n1 * n2 * n3)
Then take the cube root to get M.
Solution: Add a random padding to each message before encryption.

E icient Private Key Operation (Using CRT)

We cannot choose a small d because it is vulnerable to brute-force attacks.
Instead, we speed up decryption using the Chinese Remainder Theorem (CRT).
Let:
M = C^d mod n

Compute intermediate results:

V_p = C^d mod p
V_q = C^d mod q

Then:
X_p = q * (q^(-1) mod p)
X_q = p * (p^(-1) mod q)

Finally:
M = (V_p * X_p + V_q * X_q) mod n

Using Fermat’s Theorem:

C^d mod p = C^(d mod (p-1)) mod p
C^d mod q = C^(d mod (q-1)) mod q

This process makes decryption up to 4 times faster.

Key Generation
To create RSA keys:

1. Generate two large random primes, p and q, such that:

n=p*q

2. Use probabilistic primality tests like Miller-Rabin:

* Pick random odd integer n
* Choose a random number a < n
* Test whether n passes the primality test
* Repeat until a prime is found

On average, about ln(N)/2 random numbers must be tested to find a prime, where N is the size of the
number.
For example, for 2^200, approximately 70 trials are needed.

3. Compute:
φ(n) = (p - 1)(q - 1)

4. Choose e such that:

gcd(e, φ(n)) = 1

5. Calculate d using the Extended Euclidean Algorithm:

d = e^(-1) mod φ(n)

Since the probability that two numbers are relatively prime is about 0.6, we won’t need to try many
values of e.
The Security of RSA

The RSA algorithm can be attacked using five main methods: brute force, mathematical attacks, timing
attacks, fault-based attacks, and chosen ciphertext attacks.

1. Brute Force Attack:

This involves trying all possible private keys. The defense is to use a large key space. However, larger
keys slow down the system.

2. Mathematical Attacks – The Factoring Problem:

The security of RSA relies on the di iculty of factoring large numbers. There are three main approaches:

 Factor n into its prime factors p and q to compute φ(n) = (p − 1)(q − 1), then find d ≡ e⁻¹ mod φ(n).

 Compute φ(n) directly without finding p and q.

 Compute d directly from e and n.

Modern algorithms like the Generalized Number Field Sieve (GNFS) have reduced the e ort required to
factor large numbers. To improve RSA’s strength:

 p and q should be close in size.

 Both (p − 1) and (q − 1) should have large prime factors.

 gcd(p − 1, q − 1) should be small.

3. Timing Attacks:
An attacker can analyze how long decryption takes to deduce private keys. This works because modular
exponentiation varies in time depending on the exponent bits. Countermeasures include:

 Constant-time exponentiation.

 Adding random delays.

 Blinding (example steps below):

1. C′ = C × rᵉ mod n
2. M′ = (C′)ᵈ mod n
3. M = M′ × r⁻¹ mod n

This protects against revealing bit-by-bit timing information.

4. Fault-Based Attacks:
By causing faults (e.g., lowering CPU power), an attacker can induce incorrect digital signatures, which
can be analyzed to recover private keys. Physical access is needed for this attack.
5. Chosen Ciphertext Attack (CCA):
RSA’s multiplicative property can be exploited. If:

 C = Mᵉ mod n, then:
1. Attacker computes X = C × 2ᵉ mod n
2. Submits X for decryption to get Y = Xᵈ mod n = (2M) mod n
→ This reveals M after dividing Y by 2.

Solution:
Use random padding such as Optimal Asymmetric Encryption Padding (OAEP) before encryption to
randomize ciphertext:

 Message M is padded and hashed with parameters P.

 A random seed is generated, masked, and XORed to produce a secure encoded message.

 This encoded message is encrypted using RSA.

Di ie-Hellman Key Exchange (7 Marks)

The Di ie-Hellman Key Exchange is a public-key cryptographic algorithm introduced by Whitfield

Di ie and Martin Hellman. It enables two users to securely generate a shared secret key over an
insecure channel. This shared key is then used for symmetric encryption of messages.

Core Principle:

The algorithm’s security relies on the Discrete Logarithm Problem (DLP). This problem involves finding
the exponent x in the equation α^x ≡ y mod q, given α, q, and y. For large primes, this problem is
mathematically hard and forms the backbone of Di ie-Hellman security.
Example:

Let q = 353, α = 3

 Alice picks XA = 97 → YA = 3^97 mod 353 = 40

 Bob picks XB = 233 → YB = 3^233 mod 353 = 248

 Shared secret:

o Alice: K = 248^97 mod 353 = 160

o Bob: K = 40^233 mod 353 = 160

Both compute the same shared key: K = 160.

Security:

Even if an attacker knows q, α, YA, and YB, they cannot compute the shared key K without solving the
discrete logarithm problem—which is computationally infeasible for large prime values.

Key Exchange Protocols

Scenario 1: Two Users Exchanging a Key

 User A wants to securely connect with user B using a secret key for encryption.

 A generates a one-time private key XA, computes the public key YA, and sends YA to B.
  User B then generates their own private key XB, calculates YB, and sends YB to A.

 Now, both users can compute the same shared secret key.

 The public values q (a large prime number) and α (a primitive root of q) must be known
beforehand.

 Alternatively, A can choose values for q and α and include them in the first message to B.

Scenario 2: Key Exchange in a Group (e.g., LAN)

 Each user (say user i) creates a long-term private value Xi and computes a public value Yi.

 These public values, along with the global values q and α, are stored in a central directory.

 If user j wants to securely contact user i, they can look up Yi in the directory and compute a
shared secret key.

 This key is then used to send an encrypted message to user i.

Security Benefits:

 If the central directory is trusted, this system gives:

o Confidentiality: Only users i and j know the key, so no one else can read the message.

o Authentication: User i knows that only user j could have created a message with this key.

Man-in-the-Middle (MITM) Attack

The basic Di ie-Hellman key exchange is not secure against a man-in-the-middle attack. Here’s how
an attacker named Darth can intercept the communication between Alice and Bob and secretly control
the key exchange: Steps of the attack:

Results of the Attack:

 Alice and Darth share a key: K2

 Bob and Darth share a di erent key: K1

  Alice and Bob think they are securely communicating, but Darth is in the middle of the
exchange.

Communication is Compromised:

1. Alice sends an encrypted message:

2. Darth intercepts, decrypts the

message using , and gets the plaintext .

3. Darth re-encrypts the message using

K1 and sends it to Bob:

o This could be:

 just eavesdropping, or

 modifying the message.

Why the Attack Works:

 The protocol does not authenticate

the participants.

 There is no way to confirm if the

public key really belongs to the expected
person.

 Use digital signatures and public-key

certificates to authenticate identities to Prevent This

Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography is a public-key cryptosystem that uses properties of elliptic curves over
finite fields. It o ers similar security to RSA with smaller key sizes, making it e icient.
Elliptic Curve Discrete Logarithm Problem (ECDLP)
ECC security relies on the di iculty of the Elliptic Curve Discrete Logarithm Problem:

Given: Points P and Q on an elliptic curve such that Q = kP

Find: The scalar k

It is easy to compute Q from k and P, but hard to find k given P and Q.

Example
Consider elliptic curve group E23(9,17):
Equation: y^2 mod 23 = (x^3 + 9x + 17) mod 23
Let P = (16,5) and Q = (4,5)

We compute successive multiples of P:

2P = (20,20)
3P = (14,14)
4P = (19,20)
5P = (13,10)
6P = (7,3)
7P = (8,7)
8P = (12,17)
9P = (4,5) = Q

Hence, k = 9, since 9P = Q
ECC-based Di ie-Hellman Key Exchange
Steps to exchange a secret key:

Setup:
Choose a large prime p
Choose elliptic curve parameters a, b for the curve equation
Choose base point G = (x, y) on the curve, with large order n

Key Generation:
User A picks private key nA, computes public key PA = nA * G
User B picks private key nB, computes public key PB = nB * G

Shared Secret:
A computes: k = nA * PB
B computes: k = nB * PA

Since:
k = nA * PB = nA * (nB * G) = nB * (nA * G) = nB * PA
Both compute the same shared key.
Example
Let:
p = 211, elliptic curve: y^2 = x^3 − 4
Base point: G = (2,2), and order: 240

A's keys:
Private: nA = 121
Public: PA = 121 * G = (115, 48)

B's keys:
Private: nB = 203
Public: PB = 203 * G = (130, 203)

Shared secret key:

k = 121 * (130,203) = 203 * (115,48) = (161,69)
Only the x-coordinate (e.g., 161) may be used for symmetric encryption.
Elliptic Curve Encryption and Decryption

Elliptic Curve Cryptography (ECC) can also be used for secure message encryption and decryption. The
core idea is to mask the message point using a random value and the recipient's public key.

Encryption Process (By Sender - Alice)

Goal: Alice wants to send a message securely to Bob using ECC.

Step-by-Step:

1. Message encoding:
Convert the plaintext message m into a point Pm = (x, y) on the elliptic curve Eq(a, b).
(Not all coordinates lie on the curve, so suitable encoding methods must be used.)

2. Key setup:

o Public parameters (global):

 Prime number q,

 Curve parameters a and b for elliptic curve Eq(a, b),

 Base point G on the curve with large order n.

o Each user selects a private key and computes a corresponding public key:

 Bob: Private key = nB, Public key = PB = nB * G

3. Encryption (by Alice):

o Select a random integer k

o Compute two points:

 C1 = k * G

 C2 = Pm + k * PB

o Send ciphertext: Cm = {C1, C2}

Ciphertext = {kG, Pm + kPB}

Here, the message Pm is masked by kPB. Only someone who knows nB can remove the mask.

Decryption Process (By Receiver - Bob)

Goal: Bob wants to recover the original message Pm.

Step-by-Step:

1. Use his private key nB to compute:

o nB * C1 = nB * kG = kPB

2. Recover message:
 o Pm = C2 - nB * C1 = Pm + kPB - kPB = Pm

Thus, the original message point Pm is successfully retrieved.

Example

 Global parameters:

o Prime q = 257, Curve: y² = x³ - 4, Base point G = (2, 2)

 Bob’s private key: nB = 101

o Public key: PB = 101 * (2, 2) = (197, 167)

 Message point: Pm = (112, 26)

 Alice picks random k = 41

o kG = 41 * (2, 2) = (136, 128)

o kPB = 41 * (197, 167) = (68, 84)

o Pm + kPB = (112, 26) + (68, 84) = (246, 174)

 Ciphertext sent: Cm = {(136, 128), (246, 174)}

 Bob decrypts:

o nB * C1 = 101 * (136, 128) = (68, 84)

o C2 - nB * C1 = (246, 174) - (68, 84) = (112, 26) = Pm

Security of Elliptic Curve Cryptography (ECC)

1. The security of ECC depends on the di iculty of determining k given kP and P.

2. This problem is called the elliptic curve logarithm problem.

3. The Pollard rho method is the fastest known technique for solving the elliptic curve logarithm
problem.

4. According to NIST SP800-57, ECC o ers security equivalent to other cryptographic systems but
with smaller key sizes.

5. Table 10.3 from NIST compares various algorithms by showing comparable key sizes in terms
of computational e ort for cryptanalysis.

6. ECC allows the use of considerably smaller key sizes compared to RSA for the same level of
security.

7. For equal key lengths, ECC and RSA require comparable computational e ort.

8. Therefore, ECC provides a computational advantage by o ering strong security with shorter
key lengths than RSA.