
Unit-3 Notes

unit 3 notes Osmania University

Uploaded by

Mujtaba Ghulam

Unit-3

Syllabus: Asymmetric Encryption, Mathematics of Asymmetric Key Cryptography, Asymmetric Key Cryptography

3.1 Asymmetric Encryption


A cryptosystem that uses two keys, called the public key and the private key, to securely transmit information between two users is called Asymmetric Key Cryptography or a Public Key Cryptosystem.

If one key is used for encryption of plaintext, the other key is used for decrypting the message.

In asymmetric-key cryptography, the secret key is personal: each person creates and keeps his or her own secret key and announces his or her public key to everyone.

In a community of ‘n’ people, n(n − 1)/2 shared secrets are needed for symmetric-key
cryptography and ‘n’ personal secrets are needed in asymmetric-key cryptography.

Asymmetric-key cryptography is based on applying mathematical functions to numbers. In asymmetric-key cryptography, the plaintext and ciphertext are numbers; encryption and decryption are mathematical functions that are applied to numbers to create other numbers.

3.2 Mathematics of Asymmetric Key Cryptography


Asymmetric-key cryptography uses prime numbers extensively. The positive integers can be divided into three groups: the number 1, primes, and composites, as shown below.

• A positive integer is a prime if and only if it is divisible by exactly two integers, 1 and itself.
• A composite is a positive integer with more than two divisors.
• The smallest prime is 2. Number 1 is neither prime nor composite.

Co-primes: Two positive integers, ‘a’ and ‘b’, are relatively prime, or coprime, if GCD(a, b) = 1.

Number of Primes: There is an infinite number of primes.

Euler’s Phi-Function

Euler’s phi-function, φ(n), which is sometimes called Euler’s totient function, plays a very important role in cryptography. The function finds the number of integers that are both smaller than n and relatively prime to ‘n’.

The following helps to find the value of φ(n).

1. φ(1) = 0.

2. φ(p) = p − 1 if p is a prime.

3. φ(m × n) = φ(m) × φ(n) if m and n are relatively prime.

4. $\varphi(p^e) = p^e - p^{e-1}$ if p is a prime.

We can combine the above four rules to find the value of φ(n). If n can be factored as

$n = p_1^{e_1} \times p_2^{e_2} \times \dots \times p_k^{e_k}$,

then we combine the third and the fourth rule to find

$\varphi(n) = (p_1^{e_1} - p_1^{e_1 - 1}) \times (p_2^{e_2} - p_2^{e_2 - 1}) \times \dots \times (p_k^{e_k} - p_k^{e_k - 1})$

Note: The difficulty of finding φ(n) depends on the difficulty of finding the factorization of n.

Fermat’s Little Theorem

Fermat’s little theorem plays a very important role in number theory and cryptography.

Two versions of the theorem exist:

First Version: The first version says that if p is a prime and a is an integer such that p does not divide a, then $a^{p-1} \equiv 1 \pmod p$.

i.e. $a^{p-1} \bmod p = 1$.

Second Version: The second version removes the condition on a. It says that if p is a prime and a is an integer, then $a^p \equiv a \pmod p$.

i.e. $a^p \bmod p = a$.

Multiplicative Inverses

A very interesting application of Fermat’s theorem is in finding some multiplicative inverses quickly if the modulus is a prime. If ‘p’ is a prime and ‘a’ is an integer such that ‘p’ does not divide ‘a’, then $a^{-1} \bmod p = a^{p-2} \bmod p$.

Example: $8^{-1} \bmod 17 = 8^{17-2} \bmod 17 = 8^{15} \bmod 17 = 15 \bmod 17 = 15$
(here p = 17, and 17 does not divide 8)

Factorization:

According to the Fundamental Theorem of Arithmetic, any positive integer greater than one can be written uniquely in the following prime factorization form, where $p_1, p_2, \dots, p_k$ are primes and $e_1, e_2, \dots, e_k$ are positive integers.

$n = p_1^{e_1} \times p_2^{e_2} \times \dots \times p_k^{e_k}$


Chinese Remainder Theorem
It is used to solve a set of congruent equations with one variable but different moduli, which are relatively prime.

$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$
…
$x \equiv a_k \pmod{m_k}$

i.e.

$x \bmod m_1 = a_1 \bmod m_1$
$x \bmod m_2 = a_2 \bmod m_2$
$x \bmod m_3 = a_3 \bmod m_3$

The Chinese remainder theorem states that the above equations have a unique solution if the moduli are relatively prime.
The Chinese remainder theorem has several applications in cryptography.

• One is to solve quadratic congruence.
• Second is to represent a very large integer in terms of a list of small integers.
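
The tools of section 3.2 in runnable form, as an added example that is not part of the original notes: φ(n) computed from the factorization using rules 1 to 4, the Fermat inverse, and a Chinese remainder solver. The function names and the sample inputs are constructed for illustration; trial-division factoring is only practical for small n, which is exactly the point of the note on the difficulty of finding φ(n).

```python
from math import gcd

def factorize(n):
    """Prime factorization by trial division: returns {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                          # whatever is left is itself prime
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """Euler's phi-function built from the four rules in the notes."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    if n == 1:
        return 0                       # rule 1, as stated in these notes
    result = 1
    for p, e in factorize(n).items():
        result *= p**e - p**(e - 1)    # rule 4 per prime power, combined by rule 3
    return result

def fermat_inverse(a, p):
    """a^-1 mod p computed as a^(p-2) mod p (p prime, p does not divide a)."""
    if factorize(p) != {p: 1}:
        raise ValueError("modulus must be prime")
    if a % p == 0:
        raise ValueError("p divides a, so a has no inverse")
    return pow(a, p - 2, p)

def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime m_i; returns x mod M."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m
        # Mi * Mi^-1 is 1 modulo m and 0 modulo every other modulus
        x += a * Mi * pow(Mi, -1, m)
    return x % M

if __name__ == "__main__":
    print("phi(240) =", phi(240))                      # 240 = 2^4 * 3 * 5
    print("8^-1 mod 17 =", fermat_inverse(8, 17))      # example from the notes
    print("x =", crt([2, 3, 2], [3, 5, 7]))            # constructed sample system
```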

3.3 Asymmetric Key Cryptography


General Idea of Asymmetric Key Cryptosystem: The figure below shows the general idea of asymmetric-key cryptography as used for encipherment. Unlike symmetric-key cryptography, asymmetric-key cryptography uses two distinct keys: a private key and a public key.

• The burden of providing security falls mostly on the shoulders of the receiver.
• Both sender and receiver need to create two keys: one private and one public. Both are responsible for distributing the public key to the community. This can be done through a public-key distribution channel.
• The same set of keys cannot be used for two-way communication. Each entity in the community should create its own private and public keys.
• Bob needs only one private key to receive all correspondence from anyone in the community, but Alice needs n public keys to communicate with n entities in the community, one public key for each entity.

Plaintext/Ciphertext

In asymmetric-key cryptography, plaintext and ciphertext are treated as integers. The message must be encoded as an integer (or a set of integers) before encryption, and the integer (or the set of integers) must be decoded into the message after decryption. Asymmetric-key cryptography is normally used to encrypt or decrypt small pieces of information, such as the secret key for symmetric-key cryptography.

Encryption/Decryption

Encryption and decryption in asymmetric-key cryptography are mathematical functions applied over the numbers representing the plaintext and ciphertext. The ciphertext can be thought of as $C = f(K_{public}, P)$; the plaintext can be thought of as $P = g(K_{private}, C)$. The encryption function f is used only for encryption; the decryption function g is used only for decryption.

Need of Both Symmetric and Asymmetric Cryptography

Introduction of asymmetric-key (public-key) cryptography does not eliminate the need for symmetric-key (secret-key) cryptography. The reason is that asymmetric-key cryptography, which uses mathematical functions for encryption and decryption, is much slower than symmetric-key cryptography. For encipherment of large messages, symmetric-key cryptography is still needed. On the other hand, the speed of symmetric-key cryptography does not eliminate the need for asymmetric-key cryptography. Asymmetric-key cryptography is still needed for authentication, digital signatures, and secret-key exchanges.

Trapdoor One-Way Function


The main idea behind asymmetric-key cryptography is the concept of the one-way function and the trapdoor one-way function.

• A function f is a rule that associates (maps) one element in set A, called the domain, to one element in set B, called the range.
• An invertible function $f^{-1}$ is a function that associates each element in the range with exactly one element in the domain.

One-Way Function

A one-way function (OWF) is a function that satisfies the following two properties:
1. f is easy to compute. In other words, given x, y = f(x) can be easily computed.
2. $f^{-1}$ is difficult to compute. In other words, given y, it is computationally infeasible to calculate $x = f^{-1}(y)$.

Trapdoor One-Way Function

A trapdoor one-way function (TOWF) is a one-way function with a third property:
3. Given y and a trapdoor (secret), x can be computed easily.

3.3.1 RSA Cryptography


The most common public-key algorithm is the RSA cryptosystem, named after its inventors (Rivest, Shamir, and Adleman). RSA is based on the exponentiation congruence.
RSA uses two exponents, ‘e’ and ‘d’, where ‘e’ is public and ‘d’ is private. Suppose P is the plaintext and C is the ciphertext. Sender uses $C = P^e \bmod n$ to create ciphertext C from plaintext P; Receiver uses $P = C^d \bmod n$ to retrieve the plaintext sent by Sender. The modulus n, a very large number, is created during the key generation process. Encryption and decryption use modular exponentiation.

Modular exponentiation is feasible in polynomial time using the fast exponentiation algorithm. However, modular logarithm is as hard as factoring the modulus, for which there is no polynomial algorithm yet. This means that Sender can encrypt in polynomial time (e is public), Receiver also can decrypt in polynomial time (because he knows d), but Eve cannot decrypt because she would have to calculate the $e$-th root of C using modular arithmetic.
Key Generation, Encryption and Decryption procedure

RSA uses two algebraic structures: a Ring and a Group.

Encryption/Decryption Ring: Encryption and decryption are done using the commutative ring $R = \langle Z_n, +, \times \rangle$ with two arithmetic operations, addition and multiplication. In RSA, this ring is public because the modulus n is public. Anyone can send a message to Bob using this ring to do encryption.

Key-Generation Group: RSA uses a multiplicative group $G = \langle Z_{\varphi(n)}^*, \times \rangle$ for key generation. This group supports only multiplication and division (using multiplicative inverses), which are needed for generating public and private keys. This group is hidden from the public because its modulus, φ(n), is hidden from the public.

There are two aspects of the RSA cryptosystem: first, generation of the key pair, and second, the encryption and decryption algorithms.

Key Generation: Steps to create public and private key

1. Select two large primes p and q such that p ≠ q.
2. Calculate n, n = p × q
3. Calculate φ(n), φ(n) = (p − 1) × (q − 1)
4. Select ‘e’ such that 1 < e < φ(n) and e is coprime to φ(n),
   i.e. GCD(e, φ(n)) = 1
5. Select ‘d’ such that $d = e^{-1} \bmod \varphi(n)$ // d is the inverse of e modulo φ(n)
   i.e. d × e mod φ(n) = 1
6. Public_key is (e, n) // To be announced publicly
7. Private_key is (d, n) // To be kept secret

Sender/Receiver uses the above steps to create a public and a private key. After key generation, each party announces the tuple (e, n) as the public key and keeps the integer d as the private key. They can discard p, q, and φ(n) unless they want to change the private key without changing the modulus (which is not recommended). To be secure, the recommended size for each prime, p or q, is 512 bits (almost 154 decimal digits). This makes the size of n, the modulus, 1024 bits (309 digits).

Encryption

Anyone can send a message to Bob using his public key. Encryption in RSA can be done using an algorithm with polynomial time complexity.

RSA_Encryption (P, e, n) // P is the plaintext in Zn and P < n
{
    C ← Fast_Exponentiation (P, e, n); // Calculation of (P^e mod n)
    return C;
}

Decryption

Receiver can use the steps below to decrypt the ciphertext message he received. Decryption in RSA can be done using an algorithm with polynomial time complexity. The size of the ciphertext is less than n.

RSA_Decryption (C, d, n) // C is the ciphertext in Zn
{
    P ← Fast_Exponentiation (C, d, n); // Calculation of (C^d mod n)
    return P;
}

Example: Bob chooses 7 and 11 as ‘p’ and ‘q’ and calculates n = 7 × 11 = 77. The value of φ(n) = (7 − 1)(11 − 1) or 60.

Now he chooses two exponents, ‘e’ and ‘d’, from $Z_{60}^*$. If he chooses e = 13, then d = 37. Note that e × d mod 60 = 1 (they are inverses of each other). Now imagine that Alice wants to send the plaintext 5 to Bob.
She uses the public exponent 13 to encrypt 5.
Plaintext: 5    $C = 5^{13} \bmod 77 = 26 \bmod 77$    Ciphertext: 26
Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:
Ciphertext: 26    $P = 26^{37} \bmod 77 = 5 \bmod 77$    Plaintext: 5
The plaintext 5 sent by Alice is received as plaintext 5 by Bob.
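
The seven key generation steps and the worked example above, as an added Python example that is not part of the original notes. It checks the side conditions the steps state (p ≠ q, gcd(e, φ(n)) = 1, P < n) instead of assuming them; the function names are chosen here for illustration, and the trial-division primality test is only suitable for toy-sized primes like those in the example.

```python
from math import gcd

def extended_gcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r, old_x, x, old_y, y = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def is_small_prime(n):
    """Trial-division primality test; adequate only for toy-sized inputs."""
    return n > 1 and all(n % f for f in range(2, int(n**0.5) + 1))

def rsa_keygen(p, q, e):
    """Steps 1-7 of the key generation procedure, with each condition enforced."""
    if not (is_small_prime(p) and is_small_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if not 1 < e < phi_n or gcd(e, phi_n) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    _, x, _ = extended_gcd(e, phi_n)   # e*x + phi_n*y = 1, so x is e^-1 mod phi_n
    d = x % phi_n
    return (e, n), (d, n)              # (public key, private key)

def rsa_encrypt(P, public_key):
    e, n = public_key
    if not 0 <= P < n:
        # A plaintext >= n is silently reduced mod n and cannot be recovered.
        raise ValueError("plaintext must be an integer in Zn (P < n)")
    return pow(P, e, n)                # built-in fast modular exponentiation

def rsa_decrypt(C, private_key):
    d, n = private_key
    if not 0 <= C < n:
        raise ValueError("ciphertext must be an integer in Zn")
    return pow(C, d, n)

if __name__ == "__main__":
    public, private = rsa_keygen(7, 11, 13)        # Bob's parameters from the example
    c = rsa_encrypt(5, public)
    print("public:", public, "private:", private)
    print("C =", c, " P =", rsa_decrypt(c, private))
    # Why P < n is enforced: 82 and 5 are the same element of Z77.
    print(pow(82, 13, 77) == c)
    try:
        rsa_keygen(7, 11, 15)                      # gcd(15, 60) = 15, no inverse exists
    except ValueError as err:
        print("rejected e = 15:", err)
```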

RSA Analysis
The security of RSA depends on the strengths of two separate functions.

• Encryption Function: It is considered a one-way function that converts plaintext into ciphertext, and it can be reversed only with knowledge of the private key ‘d’.
• Key Generation: The difficulty of determining a private key from an RSA public key is equivalent to factoring the modulus ‘n’. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless he can factor ‘n’. It is also a one-way function: going from the p and q values to the modulus ‘n’ is easy, but the reverse is not possible. If either of these two functions is proved non-one-way, then RSA will be broken.

Attacks on RSA
No devastating attacks on RSA have yet been discovered. Several attacks have been predicted based on weak plaintext, weak parameter selection, or inappropriate implementation. The diagram below shows the categories of potential attacks.

Potential Attacks on RSA Cryptosystem

1. Factorization Attack (Brute force attack)
2. Chosen-Ciphertext Attack
3. Attacks on the Encryption Exponent
   a. Coppersmith Theorem Attack
   b. Broadcast Attack
   c. Related Message Attack
4. Attacks on the Decryption Exponent
   a. Revealed Decryption Exponent Attack
   b. Low Decryption Exponent Attack
5. Plaintext Attacks
   a. Short Message Attack
   b. Cycling Attack
   c. Unconcealed Message Attack
6. Attacks on the Modulus
   a. Common Modulus Attack
7. Attacks on Implementation
   a. Timing Attack
   b. Power Attack (Side channel Attack)

1. Factorization: The security of RSA is based on the idea that the modulus is so large that it is infeasible to factor it in a reasonable time. If Sender/Receiver chooses small prime numbers, finding the prime factors of ‘n’ becomes easy for the adversary. Once ‘p’ and ‘q’ are known, the adversary calculates ‘φ(n)’; with the help of ‘e’, he/she determines ‘d’ and decrypts the ciphertext.
To be secure, RSA states that 'n' should be more than 300 decimal digits, which means that the modulus must be at least 1024 bits.
2. Chosen-Ciphertext: A potential attack on RSA is based on the multiplicative property of RSA. Assume a sender creates a ciphertext $C = P^e \bmod n$ and sends it to the receiver. The adversary modifies the ciphertext by choosing a random integer ‘X’ in $Z_n^*$, calculates $Y = C \times X^e \bmod n$, and sends Y to the receiver for decryption, giving $Z = Y^d \bmod n$. If the adversary knows Z, he can easily calculate ‘P’ by using the extended Euclidean algorithm.
$Z = Y^d \bmod n = (C \times X^e)^d \bmod n = (C^d \times X^{ed}) \bmod n = (C^d \times X) \bmod n = (P \times X) \bmod n$
$Z = (P \times X) \bmod n \rightarrow P = Z \times X^{-1} \bmod n$
3. Attacks on the Encryption Exponent: To reduce the encryption time, it is tempting to use a small encryption exponent e. A small exponent, however, exposes RSA to the attacks below; to thwart these kinds of attacks, the recommendation is to use $e = 2^{16} + 1 = 65537$ (or a prime close to this value).

• The major low encryption exponent attack is referred to as the Coppersmith theorem attack. It says that, for a modulo-n polynomial f(x) of degree ‘e’, one can use an algorithm of the complexity log n to find the roots if one of the roots is smaller than $n^{1/e}$.
• The broadcast attack can be launched if one entity sends the same message to a group of recipients with the same low encryption exponent.
• The related message attack, discovered by Franklin Reiter, applies when Alice encrypts two plaintexts, P1 and P2, with e = 3 and sends C1 and C2 to Bob. If P1 is related to P2 by a linear function, then Eve can recover P1 and P2 in a feasible computation time.
• The short pad attack, discovered by Coppersmith, applies when Alice has a message M to send to Bob. She pads the message with r1, encrypts the result to get C1, and sends C1 to Bob. Eve intercepts C1 and drops it. Bob informs Alice that he has not received the message, so Alice pads the message again with r2, encrypts it, and sends it to Bob. Eve also intercepts this message. Eve now has C1 and C2, and she knows that they both are ciphertexts belonging to the same plaintext. Coppersmith proved that if r1 and r2 are short, Eve may be able to recover the original message M.
4. Attacks on the Decryption Exponent: Two forms of attacks can be launched on the decryption exponent: the revealed decryption exponent attack and the low decryption exponent attack.

• Revealed Decryption Exponent Attack: If the adversary can find the decryption exponent, d, she can decrypt the current encrypted message. Using d, she can use a probabilistic algorithm to factor n and find the values of p and q. Later, if the sender/receiver modifies d and maintains the same n, the adversary will be able to decrypt future messages from the sender/receiver.
• Low Decryption Exponent Attack: The receiver may think that using a small private key d would make the decryption process faster for him.
5. Plaintext Attacks: Plaintext and ciphertext in RSA are permutations of each other because they are integers in the same interval (0 to n − 1). If the adversary already knows something about the plaintext, it may allow some attacks on the plaintext. Three attacks have been mentioned in the literature: short message attack, cycling attack, and unconcealed attack.
6. Attacks on the Modulus: It is also one kind of factorization attack. A common modulus attack can be launched if a community uses a common modulus, n. For example, people in a community might let a trusted party select ‘p’ and ‘q’, calculate ‘n’ and ‘φ(n)’, and create a pair of exponents $(e_i, d_i)$ for each entity. If the adversary is also a part of the community, there is a chance that the adversary, modulo ‘n’, has a close relation with some of the community members modulo ‘n’. So, the adversary can launch a probabilistic attack to factor n and find someone’s private key d.
7. Attacks on Implementation: Previous attacks were based on the underlying structure of RSA. There are several attacks on the implementation of RSA. They are the timing attack and the power attack.

• Timing Attack: The attack is based on the fast-exponential algorithm. This algorithm uses only squaring if the corresponding bit in the private exponent d is 0; it uses both squaring and multiplication if the corresponding bit is 1. So, the time required to do each iteration is longer if the corresponding bit is 1. This timing difference allows Eve to find the value of bits in d, one by one. Suppose the adversary has intercepted a large number of ciphertexts, C1 to Cm. Also assume that he has observed how long it takes for the receiver to decrypt each ciphertext, T1 to Tm. He also knows how long it takes for the underlying hardware to calculate a multiplication operation, t1 to tm, where ti is the time required to calculate the multiplication operation Result = Result × Ci mod n. The adversary can use a simplified version of the RSA_Timing_Attack([T1....Tm]) algorithm to calculate all bits in d ($d_0$ to $d_{k-1}$).
• The Power attack is similar to the timing attack. Kocher showed that if the adversary can precisely measure the power consumed during decryption, he can launch a power attack based on the principle discussed for the timing attack. An iteration involving multiplication and squaring consumes more power than an iteration that uses only squaring.
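
The source of the timing and power leak described above, next to one way of removing it, as an added example that is not part of the original notes. The first function is the fast exponentiation the notes describe, instrumented to count operations; the second is a Montgomery ladder, a technique the notes do not mention, which performs the same work for every bit. The exponents 32 and 63 are constructed values of the same bit length as the example's d = 37, and the counts model the work per bit only: Python integers are not constant-time.

```python
def modexp_square_and_multiply(base, exponent, modulus):
    """Fast exponentiation as described in the notes.

    Returns (result, squarings, multiplications). The multiplication count
    equals the number of 1 bits in the exponent, which is what leaks.
    """
    result, squarings, multiplications = 1, 0, 0
    for bit in bin(exponent)[2:]:              # most significant bit first
        result = result * result % modulus
        squarings += 1
        if bit == "1":                         # extra work only for 1 bits
            result = result * base % modulus
            multiplications += 1
    return result, squarings, multiplications

def modexp_ladder(base, exponent, modulus):
    """Montgomery ladder: one multiplication and one squaring for every bit.

    Returns (result, squarings, multiplications).
    """
    r0, r1 = 1, base % modulus                 # invariant: r1 == r0 * base (mod modulus)
    squarings = multiplications = 0
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = r0 * r1 % modulus
            r1 = r1 * r1 % modulus
        else:
            r1 = r0 * r1 % modulus
            r0 = r0 * r0 % modulus
        squarings += 1
        multiplications += 1
    return r0, squarings, multiplications

def work_profile(modexp, exponents, base, modulus):
    """Map each exponent to its (squarings, multiplications) under `modexp`."""
    return {d: modexp(base, d, modulus)[1:] for d in exponents}

if __name__ == "__main__":
    n, c = 77, 26                              # modulus and ciphertext from the RSA example
    same_length = [32, 37, 63]                 # binary 100000, 100101, 111111
    print("square-and-multiply:", work_profile(modexp_square_and_multiply, same_length, c, n))
    print("ladder:             ", work_profile(modexp_ladder, same_length, c, n))
    print("both decrypt to", modexp_square_and_multiply(c, 37, n)[0], modexp_ladder(c, 37, n)[0])
```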

3.3.2 Diffie Hellman Key Exchange Algorithm

The Diffie-Hellman key exchange algorithm is used to share a secret between two communicating parties without any physical meeting or use of a third party. The shared secret can be used for secure communications over a public network.

Procedure:

• For the sake of simplicity and practical implementation of the algorithm, we will consider only 4 variables: a large prime P, a value G (a primitive root of P or another large prime), and two private values 'a' and 'b'.
• P and G are both publicly available numbers. Of the two users (say Alice and Bob), Alice picks the private value 'a' and Bob picks the private value 'b'; both generate a public key and exchange it publicly with each other. Each person receives the other's public key and generates a secret key, which turns out to be the same for both users. After this they can use the secret key for encryption and decryption of communication.

Steps:

Step 1 (Alice and Bob): Choose two large primes P and Q which are known to each other,
(or) choose a large prime P and Q (a primitive root of P).

| Alice | Bob |
|---|---|
| Step 2: Select a random integer ‘a’ which is less than P. Note: ‘a’ must be kept secret. | Step 2: Select a random integer ‘b’ which is less than P. Note: ‘b’ must be kept secret. |
| Step 3: Calculate $X = Q^a \bmod P$ | Step 3: Calculate $Y = Q^b \bmod P$ |
| Step 4: Send X to Bob | Step 4: Send Y to Alice |
| Step 5: Generate secret key: $K_A = Y^a \bmod P$ | Step 5: Generate secret key: $K_B = X^b \bmod P$ |

Algebraically both KA and KB are the same.
Both users can use a Symmetric-Key Cryptosystem to communicate securely.

Example:
Step 1: Alice and Bob choose P = 23, Q = 9
Step 2: Alice selected a private key a = 4 and Bob selected a private key b = 3
Step 3: Alice and Bob compute public values
  Alice: $X = 9^4 \bmod 23 = 6561 \bmod 23 = 6$
  Bob: $Y = 9^3 \bmod 23 = 729 \bmod 23 = 16$
Step 4: Alice and Bob exchange public values
  Alice receives public key Y = 16 and Bob receives public key X = 6
Step 5: Alice and Bob compute symmetric keys
  Alice: $K_A = Y^a \bmod P = 16^4 \bmod 23 = 65536 \bmod 23 = 9$
  Bob: $K_B = X^b \bmod P = 6^3 \bmod 23 = 216 \bmod 23 = 9$
Step 6: 9 is the shared secret
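
Both sides of the exchange with the numbers from the example, as an added Python example that is not part of the original notes. It also checks the primitive-root option from Step 1: the example's Q = 9 generates only 11 of the 22 nonzero residues modulo 23, whereas 5 generates all of them. The function names are chosen here for illustration, the brute-force order computation only suits toy-sized P, and the range check on the received value is an added sanity check, not a step from the notes.

```python
from math import gcd

def element_order(g, p):
    """Smallest k >= 1 with g^k ≡ 1 (mod p). Brute force: toy-sized p only."""
    if gcd(g, p) != 1:
        raise ValueError("g must be relatively prime to p")
    value, k = g % p, 1
    while value != 1:
        value = value * g % p
        k += 1
    return k

def is_primitive_root(g, p):
    """True if the powers of g cover all p - 1 nonzero residues (p prime)."""
    return element_order(g, p) == p - 1

def dh_public_value(q, private, p):
    """Step 3: X = Q^a mod P (or Y = Q^b mod P)."""
    if not 0 < private < p:
        raise ValueError("private value must be a positive integer less than P")
    return pow(q, private, p)

def dh_shared_key(peer_public, private, p):
    """Step 5: K = (peer's public value)^private mod P."""
    # Added sanity check (not in the notes): 0, 1 and P-1 would make the
    # resulting key predictable regardless of the private value.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer value must lie strictly between 1 and P-1")
    return pow(peer_public, private, p)

if __name__ == "__main__":
    P, Q = 23, 9                      # public parameters from the example
    a, b = 4, 3                       # Alice's and Bob's private values
    X = dh_public_value(Q, a, P)      # Alice -> Bob
    Y = dh_public_value(Q, b, P)      # Bob -> Alice
    KA = dh_shared_key(Y, a, P)
    KB = dh_shared_key(X, b, P)
    print("X =", X, "Y =", Y, "KA =", KA, "KB =", KB)
    print("order of 9 mod 23:", element_order(9, 23), "primitive root:", is_primitive_root(9, 23))
    print("order of 5 mod 23:", element_order(5, 23), "primitive root:", is_primitive_root(5, 23))
```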

3.3.3 Rabin Cryptosystem

The Rabin cryptosystem, devised by M. Rabin, is a variation of the RSA cryptosystem. Rabin is based on quadratic congruence.
The Rabin cryptosystem can be thought of as an RSA cryptosystem in which the values of e and d are fixed: e = 2 and d = 1/2.
Encryption is $C \equiv P^2 \pmod n$; decryption is $P \equiv C^{1/2} \pmod n$.
The public key in the Rabin cryptosystem is ‘n’; the private key is the tuple (p, q). Everyone can encrypt a message using ‘n’. Only Bob can decrypt the message using ‘p’ and ‘q’. Decryption of the message is infeasible for Eve because she does not know the values of ‘p’ and ‘q’.

Encryption, decryption, and key generation procedure in the Rabin cryptosystem

Key Generation Algorithm

Rabin_Key_Generation
{
    Choose two large primes p and q in the form 4k + 3 and p ≠ q.
    n ← p × q
    Public_key ← n // To be announced publicly
    Private_key ← (p, q) // To be kept secret
    return Public_key and Private_key
}

Encryption Algorithm

Rabin_Encryption (n, P) // n is the public key; P is the plaintext from Zn*
{
    C ← P^2 mod n // C is the ciphertext
    return C
}

Decryption Algorithm

Rabin_Decryption (p, q, C) // C is the ciphertext; p and q are private keys
{
    a1 ← +(C^((p+1)/4)) mod p
    a2 ← −(C^((p+1)/4)) mod p
    b1 ← +(C^((q+1)/4)) mod q
    b2 ← −(C^((q+1)/4)) mod q
    // Decryption algorithm calls Chinese remainder theorem four times.
    P1 ← Chinese_Remainder (a1, b1, p, q)
    P2 ← Chinese_Remainder (a1, b2, p, q)
    P3 ← Chinese_Remainder (a2, b1, p, q)
    P4 ← Chinese_Remainder (a2, b2, p, q)
    return P1, P2, P3, and P4
}

Security of the Rabin System


The Rabin system is secure as long as p and q are large numbers. The complexity of the
Rabin system is at the same level as factoring a large number n into its two prime factors
p and q. In other words, the Rabin system is as secure as RSA.
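
The three Rabin procedures above made runnable, as an added Python example that is not part of the original notes. It shows that decryption returns four candidates, every one of which squares to the ciphertext, and that the 4k + 3 condition is what makes the (p+1)/4 exponent produce a square root. The primes p = 23, q = 7 and the plaintext 24 are constructed sample values, and the function names are chosen here for illustration.

```python
def rabin_keygen(p, q):
    """Return (public key n, private key (p, q)) after checking the 4k + 3 form."""
    if p == q:
        raise ValueError("p and q must be different")
    if p % 4 != 3 or q % 4 != 3:
        # C^((p+1)/4) is a square root of C mod p only when p ≡ 3 (mod 4).
        raise ValueError("p and q must both be of the form 4k + 3")
    return p * q, (p, q)

def rabin_encrypt(n, P):
    """C = P^2 mod n."""
    if not 0 < P < n:
        raise ValueError("plaintext must be in Zn*")
    return P * P % n

def chinese_remainder(a, b, p, q):
    """The x in Z(pq) with x ≡ a (mod p) and x ≡ b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)

def rabin_decrypt(p, q, C):
    """Return the four square roots of C modulo p*q, in the order P1..P4."""
    a1 = pow(C, (p + 1) // 4, p)
    a2 = (-a1) % p
    b1 = pow(C, (q + 1) // 4, q)
    b2 = (-b1) % q
    return [chinese_remainder(a, b, p, q) for a in (a1, a2) for b in (b1, b2)]

if __name__ == "__main__":
    n, (p, q) = rabin_keygen(23, 7)            # constructed toy key, n = 161
    plaintext = 24
    C = rabin_encrypt(n, plaintext)
    candidates = rabin_decrypt(p, q, C)
    print("n =", n, "C =", C)
    print("candidates:", candidates)
    print("all square to C:", all(x * x % n == C for x in candidates))
    print("plaintext among them:", plaintext in candidates)
    try:
        rabin_keygen(13, 7)                    # 13 = 4*3 + 1, wrong form
    except ValueError as err:
        print("rejected:", err)
```

The receiver cannot tell from the mathematics alone which of the four candidates was sent, which is why the pseudocode returns all of them.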

3.3.4 ElGamal Cryptography


The ElGamal cryptosystem is another public-key cryptosystem, named after its inventor, Taher ElGamal. It is based on the discrete logarithm problem.

ElGamal says that if p is a very large prime, $e_1$ is a primitive root in the group $G = \langle Z_p^*, \times \rangle$ and r is an integer, then $e_2 = e_1^r \bmod p$ is easy to compute using the fast exponential algorithm (square-and-multiply method), but given $e_2$, $e_1$, and p, it is infeasible to calculate $r = \log_{e_1} e_2 \bmod p$ (discrete logarithm problem).

Key generation, encryption, and decryption procedure in ElGamal

Key Generation: Bob uses these steps to create his public and private keys.

ElGamal_Key_Generation
{
    Select a large prime p
    Select d to be a member of the group G = <Zp*, ×> such that 1 ≤ d ≤ p − 2
    Select e1 to be a primitive root in the group G = <Zp*, ×>
    e2 ← e1^d mod p
    Public_key ← (e1, e2, p) // To be announced publicly
    Private_key ← d // To be kept secret
    return Public_key and Private_key
}

Encryption: Anyone can send a message to Bob using his public key.

ElGamal_Encryption (e1, e2, p, P) // P is the plaintext
{
    Select a random integer r in the group G = <Zp*, ×>
    C1 ← e1^r mod p
    C2 ← (P × e2^r) mod p // C1 and C2 are the ciphertexts
    return C1 and C2
}

Decryption: Bob can decrypt the ciphertext message received using the algorithm below.

ElGamal_Decryption (d, p, C1, C2) // C1 and C2 are the ciphertexts
{
    P ← [C2 × (C1^d)^−1] mod p // P is the plaintext
    return P
}

Security of ElGamal
Two attacks have been mentioned in the literature for the ElGamal cryptosystem:
1) Attacks based on low modulus
2) Known-plaintext attacks.
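
The three ElGamal procedures above in runnable form, as an added Python example that is not part of the original notes. Decryption computes the inverse of C1^d with Fermat's little theorem from section 3.2, and encryption draws a fresh random r for every message unless one is supplied for a reproducible run. The parameters p = 11, e1 = 2, d = 3, r = 4 and the plaintext 7 are constructed toy values, and the function names are chosen here for illustration.

```python
import secrets

def elgamal_keygen(p, e1, d):
    """Return (public key (e1, e2, p), private key d) for a chosen d."""
    if not 1 <= d <= p - 2:
        raise ValueError("d must satisfy 1 <= d <= p - 2")
    return (e1, pow(e1, d, p), p), d

def elgamal_encrypt(public_key, P, r=None):
    """Return the ciphertext pair (C1, C2) for a plaintext P in Zp*."""
    e1, e2, p = public_key
    if not 1 <= P <= p - 1:
        raise ValueError("plaintext must be in Zp*")
    if r is None:
        r = secrets.randbelow(p - 2) + 1   # fresh r in [1, p-2] for every message
    C1 = pow(e1, r, p)
    C2 = P * pow(e2, r, p) % p
    return C1, C2

def elgamal_decrypt(d, p, C1, C2):
    """P = C2 * (C1^d)^-1 mod p."""
    # By Fermat's little theorem C1^(p-1) ≡ 1, so (C1^d)^-1 ≡ C1^(p-1-d) (mod p).
    return C2 * pow(C1, p - 1 - d, p) % p

if __name__ == "__main__":
    public, d = elgamal_keygen(p=11, e1=2, d=3)       # constructed toy key
    print("public key:", public)
    C1, C2 = elgamal_encrypt(public, 7, r=4)          # fixed r for a reproducible run
    print("C1 =", C1, "C2 =", C2, "-> P =", elgamal_decrypt(d, 11, C1, C2))
    # With a fresh r each time, the same plaintext maps to varying ciphertexts,
    # all of which decrypt to the same value.
    pairs = {elgamal_encrypt(public, 7) for _ in range(20)}
    print(len(pairs), "distinct ciphertexts, decrypting to",
          {elgamal_decrypt(d, 11, c1, c2) for c1, c2 in pairs})
```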

3.3.5 Elliptic Curve Cryptosystem (ECC)

Elliptic Curve Cryptography (ECC) is also a public-key cryptography and an alternative approach to the RSA algorithm, based on the algebraic structure of elliptic curves over finite fields. ECC requires a smaller key size than non-ECC cryptography to provide equivalent security (i.e. 256-bit ECC provides security equivalent to that attained by 3072-bit RSA cryptography).

An elliptic curve is a cubic planar algebraic curve E(a, b) defined by an equation of the form $y^2 = x^3 + ax + b$, where a and b are constants of the elliptic curve. Elliptic curves are symmetric about the x-axis. There are two types of elliptic curves, non-singular and singular curves. Only non-singular curves are used for Elliptic Curve Cryptography.

If $4a^3 + 27b^2 \neq 0$, then the elliptic curve is non-singular; otherwise it is a singular curve, where ‘a’ and ‘b’ are constants of the elliptic curve E(a, b).

Non-singular cubic elliptic curve contains three distinct roots.

On this kind of curve, if we draw a horizontal line, it intersects at three points. If a vertical line is drawn, it intersects at two points.

Given any point P on a non-singular elliptic curve, we can take −P to be the point opposite it. If P and Q are two points on the curve, then we can uniquely describe a third point P + Q. Draw the line that intersects P and Q. This will generally intersect the cubic at a third point, R. We then take P + Q to be −R, the point opposite R.

If P and Q are any two points on a horizontal line, then the line intersects at a third point R.

• Q = kP where k is some constant.
• R = P + Q (Point addition)
• If P and Q are the same, R = 2P (scalar multiplication)

If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, then $R = (x_3, y_3)$ is calculated by using the equations below:

1) $\lambda = (y_2 - y_1) / (x_2 - x_1)$ // Slope
2) $x_3 = \lambda^2 - x_1 - x_2$
3) $y_3 = \lambda (x_1 - x_3) - y_1$

If $P = Q = (x_1, y_1)$, then R = 2P is calculated by using the equations below:

1) $\lambda = (3x_1^2 + a)/(2y_1)$
2) $x_3 = \lambda^2 - x_1 - x_2$
3) $y_3 = \lambda (x_1 - x_3) - y_1$

Secret Key Exchange using Elliptic Curve Cryptography

Elliptic Curve Diffie–Hellman Key Exchange (ECDH):
ECDH is an anonymous key agreement scheme, which allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. ECDH is very similar to the classical DHKE (Diffie–Hellman Key Exchange) algorithm, but it uses ECC point multiplication.
Alice selects 'a' and Bob selects 'b' as private keys, on an elliptic curve $E_Q(a, b)$ with global generator point G on the curve, where Q is a prime number.

Key Generation Procedure:

| Alice Key Generation | Bob Key Generation |
|---|---|
| Using ‘a’ and G, Alice generates her public key as PA = a * G | Using ‘b’ and G, Bob generates his public key as PB = b * G |
| Sends PA to Bob | Sends PB to Alice |
| Secret Key KA = a × PB | Secret Key KB = b × PA |

KA and KB are the same.

Encryption of Message:
Let ‘M’ be the message to be transmitted to Bob from Alice.
Step 1: Convert the message ‘M’ into a point on the elliptic curve $E_Q(a, b)$. Consider this point as PM.
Step 2: Encrypt PM using the secret key generated by Alice.
Step 3: Choose a random integer ‘k’ and calculate the ciphertext point CM as
CM = (kG, PM + kPB) // G: global generator point, PB is the public key of Bob
Send CM to Bob.

Decryption of ciphertext:
To decrypt the received ciphertext point, use the following steps:
Step 1: Multiply the first component of CM (kG) by the private key of Bob: b*kG
Step 2: Then subtract b*kG from the second component of CM:
• PM + kPB – b*kG // PB = b*G
• PM + kb*G – b*kG
• PM // original message point
• Convert the message point into the message.

Secure communication using Elliptic Curve Cryptography

Generating Public and Private Keys
1. Bob chooses E(a, b) with an elliptic curve over GF(p) or GF($2^n$).
2. Bob chooses a point on the curve, e1(x1, y1).
3. Bob chooses an integer ‘d’.
4. Bob calculates e2(x2, y2) = d × e1(x1, y1). Note that multiplication here means scalar multiplication.
5. Bob announces E(a, b), e1(x1, y1), and e2(x2, y2) as his public key; he keeps ‘d’ as his private key.

Encryption
Alice selects P, a point on the curve, as her plaintext. She then calculates a pair of points on the curve as ciphertexts:

• ‘r’ is an integer chosen by Alice.
• C1 = r × e1
• C2 = P + r × e2

Decryption

P = C2 − (d × C1) // The minus sign here means adding with the inverse.
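
The point addition and doubling formulas of section 3.3.5, the ECDH exchange, and the point encryption and decryption steps, combined into one added Python example that is not part of the original notes. The curve y² = x³ + 2x + 3 over GF(67), the generator (2, 22), the message point (24, 26) and the scalars are constructed toy values, and the function names are chosen here for illustration; the point at infinity, which the formulas above do not cover, is represented as None.

```python
# Constructed toy parameters: curve y^2 = x^3 + A*x + B over GF(FIELD).
FIELD, A, B = 67, 2, 3
G = (2, 22)          # generator point on the curve (constructed sample)
INF = None           # point at infinity, the identity of point addition

def is_nonsingular(a, b, p):
    """Non-singularity test from the notes: 4a^3 + 27b^2 != 0 (here modulo p)."""
    return (4 * a**3 + 27 * b**2) % p != 0

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % FIELD == 0

def negate(pt):
    """-P is the mirror image of P across the x-axis."""
    return INF if pt is INF else (pt[0], -pt[1] % FIELD)

def add(p1, p2):
    """R = P + Q using the slope formulas, with the special cases handled."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF                                   # P + (-P): vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FIELD, -1, FIELD)      # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)           # addition
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)

def scalar_mult(k, pt):
    """k * P by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ec_encrypt(pm, k, pub_b):
    """CM = (kG, PM + k*PB)."""
    return scalar_mult(k, G), add(pm, scalar_mult(k, pub_b))

def ec_decrypt(cm, b):
    """PM = second component - b * first component."""
    c1, c2 = cm
    return add(c2, negate(scalar_mult(b, c1)))

if __name__ == "__main__":
    assert is_nonsingular(A, B, FIELD) and on_curve(G)
    a, b = 2, 4                                      # Alice's and Bob's private keys
    PA, PB = scalar_mult(a, G), scalar_mult(b, G)    # exchanged public keys
    print("PA =", PA, "PB =", PB)
    print("KA =", scalar_mult(a, PB), "KB =", scalar_mult(b, PA))
    PM = (24, 26)                                    # message already mapped to a point
    CM = ec_encrypt(PM, 2, PB)                       # k = 2, fixed for reproducibility
    print("CM =", CM, "-> PM =", ec_decrypt(CM, b))
```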
