32
Chapter 3 Public Key Cryptosystem
3.1 Introduction
Using symmetric cryptosystem, it is safe to send encrypted message without
fear of interception because an interceptor is unlikely to be able to decipher the
message; however, with this advantage, symmetric cryptosystem also have the
following problems:
(a) Sender and receiver share a common secret key, which must be transmitted
before an encryption procedure can start.
(b) There is always a problem of how to transfer the common secret key.
(c) Classical cryptosystem are unable to deal the dispute between the sender &
receiver, as to what message, if any, was sent. Third party cannot verify who
actually send the message.
(d) Key management is the major problem in classical cryptosystem because
every pair of users has to have an exclusive secret key.
To solve these problems we will discuss a new cryptosystem known as public
key cryptosystem.
Public-Key Algorithms are symmetric, that is to say the key that is used to
encrypt the message is different from the key used to decrypt the message. The
encryption key, known as the Public key is used to encrypt a message, but the
message can only be decoded by the person that has the decryption key, known as the
private key. This type of encryption has a number of advantages over traditional
symmetric Ciphers. It means that the recipient can make their public key widely
available anyone wanting to send them a message uses the algorithm and the
recipient's public key to do so. An eavesdropper may have both the algorithm and the
public key, but will still not be able to decrypt the message. Only the recipient, with
the private key can decrypt the message. An advantage of public-key algorithm is that
they are more computationally intensive than symmetric algorithms, and therefore
encryption and decryption take longer. This may not be significant for a short text
message, but certainly is for bulk data encryption.
33
3.2 The Basic Principle
The primary objective of an adversary who wishes to ―attack‖ a public-key
encryption scheme is to systematically recover plaintext from ciphertext intended for
some other entity A. If this is achieved, the encryption scheme is informally said to
have been broken. A more ambitious objective is key recovery – to recover A‘s
private key. If this is achieved, the encryption scheme is informally said to have been
completely broken since the adversary then has the ability to decrypt all ciphertext
sent to A.
Consider an example that shows the Encryption & Decryption process:
In order to decrypt a message, Bob (the recipient) has to know the key
However; it may be difficult for Alice (the sender) to tell Bob what the key is. If they
simply agree on a key bye-mail for example, Eve could be listening in on their e-mail
conversation and thus also learn what the key is. Public key cryptography was
invented to solve this problem. When using public-key cryptography, Alice and Bob
both have their own key pairs. A key pair consists of a public key and a private-key. If
the public-key is used to encrypt something, then it can be decrypted only using the
private-key. And similarly, if the private-key is used to encrypt something, then it can
be decrypted only using the public-key. It is not possible to figure out what the
private-key is given only the public key, or vice versa. This makes it possible for
Alice and Bob to simply send their public keys to one another, even if the channel
they are using to do so is insecure. It is no problem that Eve now gets a copy of the
public keys. If Alice wants to send a secret message to Bob, she encrypts the message
using Bob's public key. Bob then takes his private key to decrypt the message. Since
Eve does not have a copy of Bob's private key, she cannot decrypt the message. Of
course this means that Bob has to carefully guard his private key.
With public key cryptography it is thus possible for two people who have
never met to securely exchange messages. Figure 3.1 (W. Stallings, 3rd Ed.) illustrates
the public-key encryption process.
34
Figure: 3.1 Encryption
3.3 Comparative study of Public-Key Cryptography & Secret-Key
Cryptography
1. The primary advantage of public-key cryptography is increased security and
convenience. Private keys never need to transmitted or revealed to anyone. In a
secret-key system, by contrast, the secret keys must be transmitted (either manually or
through a communication channel), and there may be a chance that an enemy can
discover the secret keys during their transmission.
2. Another major advantage of public-key systems is that they can provide a
method for digital signatures. Authentication via secret-key systems requires the
sharing of some secret and sometimes requires trust of a third party as well. As a
result, a sender can repudiate a previously authenticated message by claiming that the
shared secret was somehow compromised by one of the parties sharing the secret.
For example, the Kerberos secret-key authentication system involves a central
database that keeps copies of the secret keys of all users; an attack on the database
would allow widespread forgery. Public-key authentication, on the other hand,
prevents this type of repudiation; each user has sole responsibility for protecting his or
her private key. This property of public-key authentication is often called non-
repudiation.
3. A disadvantage of using public-key cryptography for encryption is speed;
there are popular secret-key encryption methods that are significantly faster than any
currently available public-key encryption method. Nevertheless, public-key
cryptography can be used with secret-key cryptography to get the best of both worlds.
35
For encryption, the best solution is to combine public- and secret-key systems in order
to get both the security advantages of public-key systems and the speed advantages of
secret-key systems. The public-key system can be used to encrypt a secret key, which
is used to encrypt the bulk of a file or message. Such a protocol is called a digital
envelope.
4. Public-key cryptography may be vulnerable to impersonation, however,
even if users' private keys are not available. A successful attack on a certification
authority will allow an adversary to impersonate whomever the adversary chooses to
by using a public-key certificate from the compromised authority to bind a key of the
adversary's choice to the name of another user.
5. In some situations, public-key cryptography is not necessary and secret-key
cryptography alone is sufficient. This includes environments where secure secret - key
agreement can take place, for example by users meeting in private. It also includes
environments where a single authority knows and manages all the keys (e.g., a closed
banking system) Since the authority knows everyone's keys already, there is not much
advantage for some to be "public" and others "private" Also, public-key cryptography
is usually not necessary in a single-user environment.
For example, if you want to keep your personal files encrypted, you can do so
with any secret-key encryption algorithm using, say, your personal password as the
secret key. In general, public-key cryptography is best suited for an open multi-user
environment.
6. Public-key cryptography is not meant to replace secret-key cryptography,
but rather to supplement it, to make it more secure. The first use of public-key
techniques was for secure key exchange in an otherwise secret-key system; this is still
one of its primary functions. Secret-key cryptography remains extremely important
and is the subject of ongoing study and research. Some secret-key cryptosystems are
discussed in the sections on Block Cipher and Stream Cipher.
3.4 The RSA Algorithm
RSA is an algorithm for public-key cryptography that is based on the
presumed difficulty of factoring large integers. RSA stands for Ron Rivest, Adi
Shamir and Leonard Adleman (W. Stallings, 2005), who first publicly described it in
36
1978. A user of RSA creates and then publishes the product of two large prime
numbers, along with an auxiliary value, as their public key. The prime factors must be
kept secret. Anyone can use the public key to encrypt a message, but with currently
published methods, if the public key is large enough, only someone with knowledge
of the prime factors can feasibly decode the message. Whether breaking RSA
encryption is as hard as factoring is an open question known as the RSA problem. It
may be used to provide both secrecy and digital signatures and its security is based on
the intractability of the integer factorization.
The RSA scheme is a block cipher in which the plaintext and ciphertext are
integers between 0 and n-1 for some n. A typical size for n is 1024 bits, or 309
decimal digits. That is, n are less than 21024
. We examine RSA in this section in some
detail, beginning with an explanation of the algorithm. Then we examine some of the
computational and crypt analytical implications of RSA.
3.4.1 Prime Number Generation and Integer Factorization
Two basic facts and one conjecture in number theory prepare the way for
today‘s RSA public-key cryptosystem.
FACT-1
Prime generation is easy: It‘s easy to find a random prime number of a given size.
This is a result of two other points: Prime numbers of any size are very
common, and it‘s easy to test whether a number is a prime – even a large prime.
To generate a random prime, one can simply generate random numbers of a given size
and test them for primality until a prime is found. According to the Prime Number
Theorem, the expected number of candidates to test will be on the order of ln x (the
natural logarithm of x) where x is a typical number of the intended size.
It hasn‘t always been easy to test whether a number is a prime. In fact, it might
seem that testing for primality would require one to determine all the factors of the
number to see if there are others beside the number itself and 1. Faster methods for
primality testing were discovered in the 1970s that test for certain properties held by
prime numbers but not by composites, rather than finding the factors. Without these
results, much of public-key cryptography today would not be practical because of the
dependence on efficient methods of generating primes.
37
In the following, let p and q be two large, randomly generated primes. ―Large‖
in the cryptographic context typically means 512 bits (155 decimal digits) or more.
FACT-2
Multiplication is easy: Given p and q, it‘s easy to find their product, n = pq.
There are many efficient ways to multiply two large numbers, starting with the
―grade-school‖ method that multiplies one number by the other digit-by-digit, and
sums the tableau of intermediate results.
Factoring is hard: Given such an n, it appears to be quite hard to recover the prime
factors p and q.
Despite hundreds of years of study of the problem, finding the factors of a
large number still takes a long time in general. The fastest current methods are much
faster than the simple approach of trying all possible factors one at a time. (Such a
method would take on the order of n steps.) However, they are still expensive. For
instance, it has been estimated recently that recovering the prime factors of a 1024-bit
number would take a year on a machine costing US $10 million. A 2048-bit number
would require several billion times more work.
These estimates are much less than would have been expected in the 1970s
when the problem was first proposed in cryptography. The recommended sizes have
accordingly.
No one knows whether still faster methods might be discovered in the coming
years. On the other hand, no one has proved that they can‘t be. Both aspects remain
important research areas in mathematics
3.4.2 Description of the Algorithm
The scheme developed by Rivest, Shamir, and Adleman makes use of an
expression with exponentials. Plaintext is encrypted in blocks, with each block having
a binary value less than some number n. That is, the block size must be less than or
equal to log2(n); in practice, the block size is i bits, where 2i< n 2i+1. Encryption and
decryption are of the following form, for some plaintext block M and ciphertext
block C
C = Me mod n
M = Cd mod n = (M e)
d mod n = M
ed mod n
38
Both sender and receiver must know the value of n. The sender knows the
value of e, and only the receiver knows the value of d. Thus, this is a public-key
encryption algorithm with a public key of PU = {e, n} and a private key of
PU = {d, n}. For this algorithm to be satisfactory for public-key encryption, the
following requirements must be met.
1. It is possible to find values of e, d, n such that Med
mod n = M for all M < n.
2. It is relatively easy to calculate Me mod n and C
d mod n for all values of
M < n.
3. It is infeasible to determine d given e and n.
For now, we focus on the first requirement and consider the other questions
later. We need to find a relationship of the form
Med
mod n = M
Two very large prime numbers, normally of equal length, are randomly
chosen then multiplied together.
n =a x b ------------ (3.1)
T = (a-1) x (b-1) --------------- (3.2)
A third number is then also chosen randomly as the public key (e) such that it has no
common factors (i.e. is relatively prime) with T. The private key (d) is then
D = e-1
mod T -------------- (3.3)
To encrypt a block of plaintext (M) into cipher text (C)
C = Me mod n ------------- (3.4)
To decrypt
M = Cd mod n --------------- (3.5)
3.4.3 Practical Aspects of Computation
We now turn to the issue of the complexity of the computation required to use
RSA. There are actually two issues to consider: encryption/decryption and key
generation. Let us look first at the process of encryption and decryption and then
consider key generation.
a. Exponentiation in Modular Arithmetic
Both encryption and decryption in RSA involve raising an integer to an integer
power, mod n. If the exponentiation is done over the integers and then reduced
39
modulo n, the intermediate values would be gargantuan. We can make use of a
property of modular arithmetic:
[(a mod n) x (b mod n)] mod n = (a x b) mod n
Thus, we can reduce intermediate results modulo n. This makes the calculation
practical.
Another consideration is the efficiency of exponentiation, because with RSA
we are dealing with potentially large exponents. To see how efficiency might be
increased, consider that we wish to compute x16
. A straightforward approach requires
15 multiplications:
x16
= x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x
However, we can achieve the same final result with only four multiplications
if we repeatedly take the square of each partial result, successively forming x2, x
4, x
8,
x16
. As another example, suppose we wish to calculate x11
mod n for some integers
x and n. Observe that x11
= x1+2+8
= (x) (x2) (x
8). In this case we compute x mod n,
x2 mod n, x
4 mod n, and x
8 mod n and then calculate [(x mod n) x (x
2mod n) x
(x8 mod n)] mod n.
More generally, suppose we wish to find the value ab with a and b positive integers. If
we express b as a binary number bkbk-1 ... b0 then we have
Therefore,
We can therefore develop the algorithm for computing ab
mod n, shows an
example of the execution of this algorithm. Note that the variable c is not needed; it is
included for explanatory purposes. The final value of c is the value of the exponent.
40
Figure 3.2: Algorithm for computing ab mod n
i 9 8 7 6 5 4 3 2 1 0
bi 1 0 0 0 1 1 0 0 0 0
c 1 2 4 8 17 35 70 140 280 560
f 7 49 157 526 160 241 298 166 67 1
Table 3.1: Result of the Fast Modular Exponentiation Algorithm
for ab mod n, where a = 7, b = 560 = 1000110000, n = 561
b. Efficient Operation Using the Public Key
To speed up the operation of the RSA algorithm using the public key, a
specific choice of e is usually made. The most common choice is 65537 (216
-1); two
other popular choices are 3 and 17. Each of these choices has only two 1 bits and so
the number of multiplications required to perform exponentiation is minimized.
However, with a very small public key, such as e = 3, RSA becomes
vulnerable to a simple attack. Suppose we have three different RSA users who all use
the value e = 3 but have unique values of n, namely n1, n2, n3. If user A sends the
same encrypted message M to all three users, then the three ciphertexts are
C1 = M3mod n1; C2 = M
3 mod n2; C3 = M
3 mod n3. It is likely that n1, n2, and n3 are
pair wise relatively prime. Therefore, one can use the Chinese remainder theorem
(CRT) to compute M3 mod (n1n2n3). By the rules of the RSA algorithm, M is less than
each of the ni therefore M3 < n1n2n3. Accordingly, the attacker need only compute the
cube root of M3. This attack can be countered by adding a unique pseudorandom bit
41
string as padding to each instance of M to be encrypted. This approach is discussed
subsequently.
By the definition of RSA algorithm requires that during key generation the
user selects a value of e that is relatively prime to f (n). Thus, for example, if a user
has preselected e = 65537 and then generated primes p and q, it may turn out that
gcd (f (n),e) ≠1, Thus, the user must reject any value of p or q that is not congruent to
1 (mod 65537).
c. Efficient Operation Using the Private Key
We cannot similarly choose a small constant value of d for efficient operation.
A small value of d is vulnerable to a brute-force attack and to other forms of
cryptanalysis (Wiener, M. 1990). However, there is a way to speed up computation
using the CRT. We wish to compute the value M = Cd mod n. Let us define the
following intermediate results: Vp = Cd mod p Vq = C
d mod q
Following the CRT, Ci= Mi × (Mi-1
mod mi) for 1≤i ≤ k , define the quantities:
Xp = q x (q-1
mod p) Xq = p x (p-1
mod q)
The CRT then shows, using that M = (VpXp + VqXq) mod n Further, we
can simplify the calculation of Vp and Vq using Fermat's theorem, which states that
ap-1
≡1 (mod p) if p and a are relatively prime. Some thought should convince you
that the following are valid:
Vp = Cd mod p = C
d mod (p-1) mod p Vq = C
d mod q = C
d mod (q-1) mod q
The quantities d mod (p-1) and d mod (q-1) can be precalculated. The end result is
that the calculation is approximately four times as fast as evaluating M = Cd mod n
directly.
d. Key Generation
Before the application of the public-key cryptosystem, each participant must
generate a pair of keys. This involves the following tasks:
1. Determining two prime numbers, p and q
2. Selecting either e or d and calculating the other
42
The primes must be chosen from a sufficiently large set (i.e., p and q must be
large numbers). On the other hand, the method used for finding large primes must be
reasonably efficient.
At present, there are no useful techniques that yield arbitrarily large primes, so
some other means of tackling the problem is needed. The procedure that is generally
used is to pick at random an odd number of the desired order of magnitude and test
whether that number is prime, If not, pick successive random numbers until one is
found that tests prime.
In short, the procedure for picking a prime number is as follows.
1. Pick an odd integer n at random (e.g., using a pseudorandom number
generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller-Rabin, with a as a
parameter. If n fails the test, reject the value n and go to step 1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2.
This is a somewhat tedious procedure. However, remember that this process is
performed relatively infrequently: only when a new pair (PU, PR) is needed.
Having determined prime numbers p and q, the process of key generation is
completed by selecting a value of e and calculating d or, alternatively, selecting a
value of d and calculating e. Assuming the former, then we need to select an e such
that gcd(f(n), e) = 1 and then calculate d≡ e1(mod f(n)). Fortunately, there is a single
algorithm that will, at the same time, calculate the greatest common divisor of two
integers and, if the gcd is 1, determine the inverse of one of the integers modulo the
other. The algorithm, referred to as the extended Euclid's algorithm. Thus, the
procedure is to generate a series of random numbers, testing each against f (n) until a
number relatively prime to f (n) is found. Again, we can ask the question: How many
random numbers must we test to find a usable number, that is, a number relatively
prime to f (n)? It can be shown easily that the probability that two random numbers
are relatively prime is about 0.6; thus, very few tests would be needed to find a
suitable integer.
43
3.4.4 Security of RSA
The security of RSA algorithm depends on the ability of the hacker to
factorize numbers. New, faster and better methods for factoring numbers are
constantly being devised. The Trent best for long numbers is the Number Field Sieve.
Prime Numbers of a length that was unimaginable a mere decade ago are now
factored easily. Obviously the longer a number is, the harder is to factor, and so the
better the security of RSA. As theory and computers improve, large and large keys
will have to be used. The advantage in using extremely long keys is the computational
overhead involved in encryption / decryption. This will only become a problem if a
new factoring technique emerges that requires keys of such lengths to be used that
necessary key length increases much faster than the increasing average speed of
computers utilizing the RSA algorithm. RSA's future security relies solely on
advances in factoring techniques.
There are four approaches to attacking the RSA Algorithm are as follows:
1. Brute Force: This involves trying all possible private keys.
2. Mathematical Attacks: There are several approaches, all equivalent in
effort to factoring the product of two primes.
3. Timing Attacks: These depend on the running time of the decryption
algorithm.
4. Chosen ciphertext attacks: This type of attack exploits the properties of the
RSA algorithm.
Thus, choosing a large size of n is an ultimate solution for the security of
RSA cryptosystem. In addition to this requirement, a number of other ways have been
suggested by the researcher to increase the security of RSA cryptosystem. RSA
algorithm has a suggested length of about 200 decimal digits; one gets a strong feeling
that factoring of such large prime is an extremely difficult problem. No one has yet
found a good factoring algorithm. For secure RSA the value of n should not be less
than 1024-bits.
3.5 Diffie-Hellman Key Exchange Algorithm
In 1976, Diffie and Hellman published the first public key based algorithm
(Diffie, W., and Hellman, M., 1976), which was designed to provide a means to
44
exchange securely a key K over a public network. That key K can later be used as a
session key. Note however that this algorithm applies only to the exchange of keys.
Before the key exchange actually begins, two global public values are generated and
made public to everyone: a prime number q and a, a primitive root of q, where a < q.
A primitive root a of a prime number p is an integer for which the successive
powers modulo p:
a mod p, a^2 mod p, a^3 mod p, ....... , a^(p-1) mod p --------------(3.6)
are distinct and consist of the integers from 1 through p-1 in some permutation.
For any integer b and a primitive root a of prime number p, we can find a
unique exponent i such that
b ≡ ai (mod p), where 0≤ i ≤ (p-1)
The exponent i is referred to as the discrete logarithm of b in base a, mod p.
Suppose that Alice, A, and Bob, B, want to exchange a key K. Alice selects a
secret random number XA < q, compute the public value YA = a^XA mod q and makes
it public. Bob does the same, that is, he generates his private random number XB < q,
calculate YB = a^XB mod q and publishes YB. Then compute the key K as follows:
K = (YB) X
A mod q ------------- (3.7)
= (𝛂XB mod q)
XA mod q ------------- (3.8)
= (𝛂XB)
XA mod q ------------- (3.9)
By the rules of modular arithmetic
= 𝛂XB
XA mod q ------------- (3.10)
= (𝛂XA)
XB mod q ------------- (3.11)
= (𝛂XA mod q)
XB mod q ------------- (3.12)
= (YA) X
B mod q) ------------- (3.13)
Similarly, Bob computes K using the public information and his own private
random number: The security of the algorithm is based on the difficulty to compute
discrete logarithms While it is easy to compute the modular exponentials Y = aX mod
q knowing the secret number X, it is difficult for an attacker to compute X from Y and
the global public values a and q:
Y= aX mod q (modular exponentiation) ----------- (3.14)
X= logy Y mod q (discrete logarithm) ------------ (3.15)
45
3.6 ElGamal Cryptosystem
The ElGamal cryptographic algorithm is a public key system like the Diffie-
Hellman system mainly based on the difficulty of discrete logarithm. It is mainly used
to establish common keys and not to encrypt message. The ElGamal cryptographic
algorithm is comparable to the Diffie-Hellman system. Although the inventor, Taher
Elgamal, did not apply for a patent on his invention, the owners of the Diffie-Hellman
patent felt this system was covered by their patent. A disadvantage of the EIGamal
system is that the encrypted message becomes very big, about twice the size of the
original message m. For this reason it is only used for small messages such as secret
keys.
3.6.1 Generating the ElGamal Public key
As with Diffie-Hellman, Alice and Bob have a (publicly known) prime
number p and a generator g. Alice begins by publishing information consisting of a
public key and an algorithm. The public key is simply a number, and the algorithm is
the method by which Bob encrypts his messages using Alice's public key. Alice does
not disclose her private key, which is another number. The private key allows Alice,
and only Alice, to decrypt messages that have been encrypted using her public key.
Alice chooses a secret number a to act as her private key, and she computes the
quantity
A ≡ ga (mod p)
Notice the resemblance to Diffie Hellman key exchange. Alice publishes her public
key A and she keeps her private key a secret.
3.6.2 Encrypting and Decrypting Messages
If Bob now wants to send a message m to Alice, he randomly picks a
number k, which is smaller than p. Bob uses k to encrypt one, and only one, message,
and He then computes: then he discards it. The number k is called an ephemeral key,
since it exists only for the purposes of encrypting a single message. Bob takes his
plaintext message m, his chosen random ephemeral key k, and Alice's public key A
and uses them to compute the two quantities
c1 ≡ gk (mod p) and c2 ≡ mA
k (mod p)
46
Bob's ciphertext, i.e., his encryption of m, is the pair of numbers (c1; c2), which he
sends to Alice.
How does Alice decrypt Bob's ciphertext (c1; c2)? Since Alice knows a, she
can compute the quantity
x ≡ (mod p)
and hence also x-1
(mod p). Alice next multiplies c2 by x-1
, and the resulting value is
the plaintext m. To see why, we expand the value of x-1
. c2 and find that
x-1
. c2 ≡ ( )-1
. c2 (mod p); since x ≡ (mod p),
≡ (gak
)-1
. (mAk) (mod p); since c1≡ g
k, c2 ≡ mA
k (mod p),
≡ (gak
)-1
. (m(ga)
k) (mod p); since A ≡ ga (mod p),
≡ m (mod p); since the gak
terms cancel out.
3.7 Elliptic Curve Cryptography
Elliptic curve cryptography (ECC) is an approach to public-key cryptography
based on the algebraic structure of elliptic curves over finite fields. The use of elliptic
curves in cryptography was suggested independently by Neal Koblitz (Koblitz, N.
1987) and Victor S (Miller, V.1985). Elliptic curves are also used in several integer
factorization algorithms that have applications in cryptography, such as Lenstra
elliptic curve factorization.
Public key cryptography systems are usually based on the assumption that a
particular mathematical operation is easy to do, but difficult to undo unless you know
some particular secret. A recent development in this field is the so-called Elliptic
Curve Cryptography. ECC works with point on a curve. The security of this type of
public key cryptography depends on the elliptic curve discrete logarithm problem. It
was invented by Neil Koblitz in 1987 and by Victor Miller in 1986. The principles of
ECC can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or
EIGamal. Although no general patent on elliptic curve cryptography appears to exist,
there are several patents that may be relevant depending on the implementation. The
main advantage of elliptic curve cryptography is that the keys can be much smaller.
Recommended key sizes are in the order of 160 bits rather than 1024 bits for RSA.
47
3.7.1 Elliptic Curves
An elliptic curve is a set of points (x, y), for which it is true that y2= x
3 +ax+c
Given certain chosen numbers a & b, typically the numbers are integers; although in
principle the system also works with real numbers. Despite what the name suggests,
the curve does not have an elliptic shape.
For example: a= -4 and b=0.67 gives the elliptic curve with equation
y2= x
3 - 4x +0.67
Figure 3.3 example of Elliptic Curves
If x3 + ax + b contains no repeated factors, or equivalently if 4a
3 + 27b
2 is not
0, then the elliptic curve can be used to form a group. A group is simply a set of
points on the curve. Because it is a group, it is possible to "add up" points which give
another point on the curve. On the graph, two points are added up by drawing a line
through both and taking as the outcome where the line intersects the curve. For
cryptographic purposes, an elliptic curve must have only points with all coordinates
whole numbers (integers) in the group. The trick with elliptic curve cryptography is
that if you have a point F on the curve, all multiples of these points are also on the
curve.
3.7.2 Key Generation in ECC
Alice and Bob agree on an elliptic curve and pick a certain point F on this
curve. They can do this with Eve listening in. Alice next picks a random number As
(which does not have to be a point on the curve) and computes AI' = As*F. The point
AI' is on the curve, [because it is a multiple of F. This is easy to compute Alice's
48
public key is AI' and her secret key is As. Bob does the same thing and ends up with
Bp and Bs.
3.7.3 Encrypting and Decrypting Messages
Alice and Bob can now secretly agree on a key with which they can encrypt
messages since secret key cryptography. The key simply is the product of Alice's
public key and Bob's secret key (which is the same as the product of Alice's secret key
and Bob's public key). It will be clear that Alice and Bob can compute this product
after they have exchanged their public keys, but Eve cannot since she has none of the
secret keys.
3.7.4 Cracking the Elliptic Curve Key
If Eve wanted to crack the key, she would have to reconstruct one of the
secret keys. The number of discrete points on the curve (points with both X and Y
coordinates being integers) is called the order of the curve. If the order of the point F
is a prime number of n bits, then computing As from As*F and F takes roughly 2"'2
operations. If F is, say, 160 bits long, then Eve needs about 2^80 operations. If she
can do a billion operations per second, this takes about 38 million years. This problem
is commonly referred to as the elliptic curve discrete logarithm problem.
3.8 Conclusion
Brief review of public-key cryptography and implemented RSA algorithm
are presented in this chapter. Also some popular public-key cryptography methods
presented briefly. Public- key algorithms are based on mathematical functions rather
than on substitution and permutation. Hence the advantage of public key algorithm is
that they are more computationally intensive than symmetric algorithms. More
important, public-key cryptography is asymmetric involving the use of two separate
keys, in contrast to symmetric conventional encryption, which uses only one key. The
use of two keys has profound consequences in the areas of confidentiality, key
distribution and authentication.