CNS Unit 3

M.S.
Ramaiah Institute of Technology

(Autonomous Institute, Affiliated to VTU)
Department of Computer Science and Engineering
Course Name: Cryptography and Network Security

Course Code – CSE555
Credits - 3:0:0
UNIT -3
Term: Oct 2023 – Jan 2024
Prepared by: Dr. Sangeetha. V
Associate Professor
Unit III(Text1)
Advanced Encryption Standard(AES): Asymmetric Key Cryptography: (Chapter 10)
(Chapter 7) oIntroduction
oIntroduction oRSA Cryptosystem
oRabin Cryptosystem
oTransformations
oElgamal Cryptosystem
oKey Expansion
oThe AES Ciphers
oExamples
oAnalysis of AES.
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 2

Why Was the AES Encryption Algorithm
necessary?

Introduction
Advanced Encryption Standard (AES) features are as follows:
•Symmetric key symmetric block cipher
•128-bit block data, 128/192/256-bit keys
•Stronger and faster than Triple-DES

Introduction
•AES is an iterative rather than Feistel cipher.
•It is based on ‘substitution–permutation network’.
network
•It comprises of a series of linked operations, some of which involve
replacing inputs by specific outputs (substitutions) and others
involve shuffling bits around (permutations).
•AES performs all its computations on bytes rather than bits.

Introduction
The Advanced Encryption Standard (AES) published by the
National Institute of Standards and Technology (NIST) in
December 2001.
•History
•Criteria
•Rounds
•Data Units
•Structure of Each Round

Introduction
History
•In February 2001, NIST announced that a draft of the Federal
Information Processing Standard (FIPS) was available for public
review and comment.
•Finally, AES was published as FIPS 197 in the Federal Register in
December 2001.

Introduction
Criteria
The criteria defined by NIST for selecting AES fall into three
areas:
1.Security -128bit key
2.Cost-Computational efficiency and storage requirements
3.Implementation -Flexibility(platform independent)

Introduction
Rounds
The number of round
key is one more than
the number of rounds
Number of Round
keys = Nr+1

Introduction
Rounds
•AES is a non Feistel cipher that encrypts and decrypts a
block of 128bit data.
•It uses 10,12 or 14 rounds 
•Cipher keysize-128/192/256bits

Introduction
Rounds
AES-128
AES-192
AES-256
But roundkey is always 128bits

Introduction
Data Units
AES uses 5 units of measurement to
refer to data
1.Bits
2.Bytes
3.Words
4.Blocks
5.State

Introduction
Data Units – States
•AES uses several rounds
•Each round is made of several stages – Data blocks
are transferred from one stage to other
•At the beginning and end of cipher –data blocks
•Before and after each stage – data block is
referred as state

Introduction
•S – State
•T- temporary state
•States are made up of
16bytes
•Matrix (4x4)

Introduction
•Sate is treated as row
matrix(1 x 4) of words

Introduction
Example

Introduction
Structure of Round

Introduction
Structure of Round
4 Transformations
1.SubBytes
2.ShiftRows
3.MixColumns
4.Add Round Keys

Transformation
SubBytes(Substitution)
• AES uses substitution mechanism
1. Substitution done for each byte
2. Table is used for substitution for each byte
3. Table Lookup process or mathematical calculation in Galois Field(GF-28
field)

Transformation
SubBytes
• SubBytes is used at the encryption site.
• To substitute a byte, we interpret the byte as two
hexadecimal digits.
• Left digit –row
• Right digit -column

Transformation
SubBytes- Transformation table InvSubBytes-Transformation table

Transformation
Example 1
5A16 = BE16
5B16 = 3916

Transformation
Example 2

Transformation
Example 2

Transformation
SubBytes

Transformation

Transformation
ShiftRows (Permutation)
• Another transformation found in a round is shifting, which
permutes the bytes.
• Each row is shifted a particular number of times.

Transformation
• InvShiftRows In the decryption, the transformation is called
InvShiftRows and the shifting is to the right.

Transformation

Transformation
MixColumns (Mixing)
• The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.

Transformation
MixColumns (Mixing)
• This step is basically a matrix multiplication.
• Each column is multiplied with a specific matrix and thus the position of
each byte in the column is changed as a result.

Transformation
MixColumns (Mixing)

Transformation
Add Round Keys (Adding)
• AddRoundKey proceeds one column at a time.
• AddRoundKey adds a round key word with each state column
matrix; the operation in AddRoundKey is matrix addition.

Transformation
Add Round Keys (Adding)

Unit II (Text1)
Advanced Encryption Standard(AES): (Chapter 7)
oIntroduction
oTransformations
oKey Expansion
oThe AES Ciphers
oExamples
oAnalysis of AES.

Key Expansion
• To create round keys for each
round, AES uses a key-
expansion process.
• If the number of rounds is Nr ,
the key-expansion routine
creates Nr + 1 128-bit round
keys from one single 128-bit
cipher key

Key Expansion
• First round key is
used for pre-round
transformation
• Remaining all for
every round 4th
transformation

Key Expansion
Key-expansion creates round key word by word, where a word is an array of 4 bytes.
• Key Expansion in AES-128
• Key Expansion in AES-192 and AES-256
• Key-Expansion Analysis

Key Expansion
Key Expansion in AES-128 process
1. Cipher key is an array of
16bytes(k0 to k15)
The first 4 words(w0,w1,w2,w3)
are made from cipher key
• K0 to k3 -> w0
• k4 to k7 -> w1
• K8 to k11 ->w2
• K12 to k15 ->w3

Key Expansion
Key Expansion in AES-128 process
2. The rest of the words (w for i =4 to 43) are made as
i
follows
i) if (i mod 4) ≠ 0, wi = wi-1 ⊕ wi-4

ii) if (i mod 4) = 0, wi = t ⊕ wi-4
Temporary word t
ti = subword(Rotword(wi-1 )) ⊕Rcon i/4

Key Expansion
Rotword : Applied to only one row
Rotate word routine takes a word as an
array of 4bytes and shifts each byte to the left with
wrapping.
Subword : Applied to 4 bytes.
Substitute word routine takes each byte in the word
and substitute another byte for it.

Key Expansion
Rcon : Round constant is a 4byte value in
which the rightmost 3bytes are always
zero

Key Expansion
The key-expansion routine can either use the table when
calculating the words or use the Galois Field,GF(28) field to
calculate the leftmost byte dynamically, as shown below

Key Expansion
Key Expansion in AES-128 - Algorithm

Key Expansion

Key Expansion

t4 = subword(Rotword(w4-1 )) ⊕Rcon 4/4
t4 = subword(Rotword(w3 )) ⊕Rcon 1
Rotword(13AA5487 ) = AA548713
Subword (AA548713) = AC20177D

t4 = AC20177D ⊕ Rcon 1
= AC20177D ⊕ 01 00 00 00  AD20177D
Key Expansion –AES 192 and AES 256

Key expansion analysis

Unit II (Text1)
Advanced Encryption Standard(AES): (Chapter 7)
oIntroduction
oTransformations
oKey Expansion
oThe AES Ciphers
oExamples
oAnalysis of AES.

The AES Ciphers
• AES uses four types of transformations for
encryption and decryption.
• Encryption algorithm is referred to as the cipher
• Decryption algorithm as the inverse cipher.
• Two different design for implementation
• Original Design
• Alternative Design

The AES Ciphers – Original design

The AES Ciphers –Original design

The AES Ciphers –Alternative Design

The AES Ciphers –Alternative Design

Analysis of AES
This section is a brief review of the three characteristics
of AES.
•Security
•Implementation
•Simplicity and Cost

Analysis of AES
Security
•Brute-Force Attack :AES is definitely more secure than
DES due to the larger-size key.
•Statistical Attacks :Numerous tests have failed to do
statistical analysis of the ciphertext.
•Differential and Linear Attacks :There are no differential
and linear attacks on AES as yet.
Analysis of AES
Implementation
AES can be implemented in software, hardware, and
firmware.
The implementation can use table lookup process or
routines that use a well-defined algebraic structure.

Analysis of AES
Simplicity and Cost
The algorithms used in AES are so simple that they can be
easily implemented using cheap processors and a
minimum amount of memory.

Unit III(Text1)
Advanced Encryption Standard(AES): Asymmetric Key Cryptography: (Chapter 10)
(Chapter 7) oIntroduction
oIntroduction oRSA Cryptosystem
oRabin Cryptosystem
oTransformations
oKey Expansion
oThe AES Ciphers
oExamples
oAnalysis of AES.

Asymmetric Key Cryptography
 Distinguish between two cryptosystems: symmetric-key and
asymmetric-key
 Knapsack cryptosystem as one of the first ideas in asymmetric-key
cryptography
 RSA cryptosystem
 Rabin cryptosystem
 ElGamal cryptosystem

Introduction
•Symmetric and asymmetric-key cryptography will exist in
parallel and continue to serve the community.
•We actually believe that they are complements of each other;
the advantages of one can compensate for the disadvantages
of the other.
• Symmetric-key cryptography is based on sharing secrecy.
• Asymmetric-key cryptography is based on personal secrecy.

Knapsack Cryptosystem
•The knapsack cryptosystem is a public-key cryptosystem based on a
special case of the classic problem known as the knapsack problem.
•It is developed by Ralph Merkle and Mertin Hellman in 1978.
•The Knapsack Cryptosystem is first Public-Key cryptography

The knapsack algorithm works like this:
Imagine you have a set of different weights

which you can use to make any total weight
that you need by adding combinations of any
of these weights together.

Let us look at an example:
•Imagine you had a set of weights 1, 6, 8, 15 and 24.
•To pack a knapsack weighing 30, you could use weights 1, 6, 8 and 15.
1+6+8+15 = 30
•Represent the weight 30 by the binary code – 1 1 1 1 0
•So, if someone sends the code 30 this can only have come from the plain text 11110 .
Public
key

•When the Knapsack Algorithm is used in public key cryptography, the idea
is to create two different knapsack problems.
•One is easy to solve, the other not.
•Using the easy knapsack, the hard knapsack is derived from it. The hard
knapsack becomes the public key.
•The easy knapsack is the private key.
•The public key can be used to encrypt messages, but cannot be used to
decrypt messages.
•The private key decrypts the messages.

Suppose given two k-tuples
a=[a1,a2,…….ak] and x=[x1,x2…………..xk]
The first tuple is the predefined set
The second tuple in which x i is only 0 or 1
The sum of elements in the knapsack is s=knapsackSum(a,x)
x=inv_knapsackSum(s,a)
s=knapsackSum(a,x) =x1a1+x2a2 +………….xkak,
given a and x it is easy to calculate to S, however given the value of s and a it is
difficult to compute x

Superincreasing tuple
•Easy to calculate knapsackSum(a,x) and inv_knapsackSum(s,a) if
the k-tuple a is superincreasing
•In superincreasing tuple ai ≥ a1 + a2 + …………….ai-1
•Every element except a1 is greater than or equal to the sum of
previous elements.

•An easy knapsack problem is one in which the weights are in a
superincreasing sequence.
•A superincreasing sequence is one in which the next term of the
sequence is greater than the sum of all preceding terms.
•For example,
•The set {1, 2, 4, 9, 20, 38} is superincreasing,
•The set {1, 2, 3, 9, 10, 24} is not because 10 < 1+2+3+9.

Knapsack Cryptosystem -Algorithm

Assume that a=[17,25,46,94,201,400] and x[0,1,1,0,1,0].
Find S using knapsack sum.
i ai xi s s + a i * xi s
1 17 0 0 + 17 * 0 0
2 25 1 0 + 25 * 1 25
3
4
5
6

Assume that a=[17,25,46,94,201,400] and x[0,1,1,0,1,0].
Find S using knapsack sum.
i ai xi s s + a i * xi s
1 17 0 0 + 17 * 0 0
2 25 1 0 + 25 * 1 25
3 46 1 25 + 46 * 1 71
4 94 0 71 + 94 * 0 71
5 201 1 71 + 201 * 1 272
6 400 0 272 + 400 * 0
272


Assume that a=[17,25,46,94,201,400] and s = 272 .
Find tuple x using inv_knapsack sum.
x[0,1,1,0,1,0] = 25 , 46, 201 are in the knapsack 75

Assume that a=[17,25,46,94,201,400] and s = 272 .
x[0,1,1,0,1,0] = 25 , 46, 201 are in the knapsack 76

Assume that a=[3, 7, 12, 30, 60,115] and s = 82 .
77
Assume that a=[3, 7, 12, 30, 60,115] and s = 82 .
X = [1,1,1,0,1,0]
78
Secret Communication Process with Knapsack Cryptosystem
i.Key Generation at Receiver End
ii.Encryption at Sender End
iii.Decryption at Receiver End


Key Generation at Receiver End
b={1, 2, 4, 10, 20, 40}.
for example, n=110

for example, r=31
Private key Public key

Encryption at Sender End

Decryption at Receiver End
• Receiver receive cipher message s={121, 197, 205}, Now the receiver has to decode
the message
• The person decoding must know the two numbers n=110 and r= 31
• We need r−1, which is a multiplicative inverse r−1mod n = 71

DES/AES/RSA

RSA Cryptosystem
•RSA cryptosystem, named after those who invented it in
1978: Ron Rivest, Adi Shamir, and Leonard Adleman.
•The RSA algorithm is an asymmetric cryptography
algorithm; uses a public key and a private key (i.e two
different, mathematically linked keys).

RSA Cryptosystem
•The length of the plain text is less than or equal to the key length (Bytes)
•RSA is only able to encrypt data to a maximum amount equal to key size
(2048 bits = 256 bytes), minus any padding and header data (11 bytes for
padding).
•The padding standards we generally use are NoPPadding, OAEPPadding,
PKCS1Padding, etc., among which the padding suggested by PKCS#1
occupies 11 bytes.

RSA Cryptosystem
Length of ciphertext
The length of the ciphertext is the bit length of the key

RSA Cryptosystem
Applicaitons
RSA is the world's most widely used public-key
cryptography method for securing communication on
the internet
•WhatsApp, Telegram, Signal and other messaging services.
•RSA secures sensitive financial information like bank details and
protects transactions such as those made via credit card.

RSA Cryptosystem
Characteristics of RSA
It is a public key encryption technique.
It is safe for exchange of data over internet.
It maintains confidentiality of the data.
RSA has high toughness as breaking into the keys by
interceptors is very difficult.

RSA Cryptosystem
Advantages of RSA
•It is very easy to implement RSA algorithm.
•RSA algorithm is safe and secure for transmitting
confidential data.
•Cracking RSA algorithm is very difficult as it involves
complex mathematics.
•Sharing public key to users is easy.
Introduction
Complexity of operations in RSA
• P is Plaintext and C is Ciphertext
• RSA uses two exponents e and d, where e is public and d is private.
• Alice uses C = Pe mod n to create Ciphertext
• Bob uses P = Cd mod n to revert Plaintext

Introduction
Procedure used in RSA
i.Key Generation
ii.Encryption/Decryption Function

Introduction

Introduction

Introduction
Key Generation Encryption/Decryption Function
• Choose two large prime numbers (p and q) • If the plaintext is P, ciphertext
• Calculate n = p*q and C = Pe mod n
Φ(n) = (p-1)(q-1) • If the ciphertext is C, plaintext
• Choose a number e , where 1 < e < Φ(n) P = Cd mod n
e is coprime to Φ(n), gcd(e, Φ(n)) =1
• Calculate d = e-1mod n, or de mod Φ(n) =1
• Public key pair as (e,n)
• Private key is d

Introduction
Key Generation Choose p = 3 and q = 11
• Choose two large prime numbers (p and q) Compute n = p * q = 3 * 11 = 33
• Calculate n = p*q and
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Φ(n) = (p-1)(q-1)
• Choose a number e , where 1 < e < Φ(n) Choose e = ?  3
gcd(e, Φ(n)) =1
• Calculate d = e-1mod n, or de mod Φ(n) =1 gcd(2 ,20) = 2
• Public key pair as (e,n) gcd(3 ,20) = 1

Introduction
Key Generation Let e = 3
• Choose two large prime numbers (p and q)
d e mod Φ(n) = 1
• Calculate n = p*q and (1 * 3 ) mod 20 = 3
Φ(n) = (p-1)(q-1) (2 * 3 ) mod 20 = 6
(3 * 3 ) mod 20 = 9
• Choose a number e , where 1 < e < Φ(n) (4* 3 ) mod 20 = 12
e is coprime to Φ(n), gcd(e, Φ(n)) =1 (5 * 3 ) mod 20 = 15
(6 * 3 ) mod 20 = 8
• Calculate d = e-1mod n, or de mod Φ(n) =1 (7 * 3 ) mod 20 = 1
d=7
Public key is (e, n) => (3, 33)
Private key is d => 7

Introduction
Encryption/Decryption Function The encryption of P = 2
• If the plaintext is P, ciphertext
C = Pe mod n C = 23 mod 33
• If the ciphertext is C, plaintext = 8 mod 33 8
P = Cd mod n
The decryption of C =
P= 87 mod 33
=2

Introduction
• Choose two large prime numbers (p and q) Compute n = p * q = 3 * 11 = 33
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Φ(n) = (p-1)(q-1)
• Choose a number e , where 1 < e < Φ(n) Choose e = ?
gcd(e, Φ(n)) =1
gcd(2 ,20) = 2
• Calculate d = e-1mod n, or de mod Φ(n) =1 gcd(3 ,20) = 1
• Public key pair as (e,n) gcd(4 ,20) = 1
gcd(5 ,20) = 1
• Private key is d gcd(6 ,20) = 1
gcd(7 ,20) = 1
Let e = 7
Introduction
Key Generation
Let e = 7
• Choose two large prime numbers (p and q)
• Calculate n = p*q and d e mod Φ(n) = 1
(1 * 7 ) mod 20 = 7
Φ(n) = (p-1)(q-1) (2 * 7 ) mod 20 = 14
• Choose a number e , where 1 < e < Φ(n) (3 * 7 ) mod 20 = 1
d=3
• Public key pair as (e,n) Public key is (e, n) => (7, 33)
• Private key is d Private key is d => 3

Introduction
• If the ciphertext is C, plaintext = 29
P = Cd mod n
The decryption of C
P= 293 mod 33
=2

Introduction
• If the ciphertext is C, plaintext = 64 mod 15 = 4
P = Cd mod n
The decryption of C =
P= 43 mod 15
=4

Introduction
Encryption/Decryption Function Encrypt the word: “dog”
C = Pe mod n e=7,d=3
• If the ciphertext is C, plaintext
P = Cd mod n
word m Pe C=Pe mod n
d 4 16384 16
o 15 170859375 27
g 7 823543 28

Introduction
Encryption/Decryption Function Decrypt the code 16 27 28
C = Pe mod n e=7,d=3
• If the ciphertext is C, plaintext
P = Cd mod n
C Cd Cd mod n
16 4096 4 D
27 19863 15 O
28 21952 7 G

Introduction
• Choose two large prime numbers (p and q) Compute n = p * q = 3 * 5= 15
Compute φ(n) = (p - 1) * (q - 1) = 2 * 4 = 8
Φ(n) = (p-1)(q-1)
• Choose a number e , where 1 < e < Φ(n) Let e = 3
d = (3 * 3 ) mod 8  9 mod 8 = 1
Public key is (e, n) => (3, 15)
• Private key is d Private key is d => 3

Example: p = 3 and q = 11
Suppose the message is ‘HELP’, assigned the numbers 2, 3,
4 and 5, respectively
Perform Encryption and Decryption

Example: p = 7 and q = 11,e=13 and d=37
Suppose the message is ‘5’ and ’63’,

Example: p = 7 and q = 11
Suppose the message is ‘5’,
C=26 and C= 28

Example

Example: p = 397 and q = 402,e=343 and d=12007
Suppose the message is ‘NO’

Example

Example
Bob chooses 7 and 11 as p and q and calculates n
value. Find the value of φ(n). Now choose the two
exponents e and d. Now assume that Alice wants to
send the plain text 5 to Bob. Find the cipher text and
decrypt it on receiving side to get plaintext using RSA
algorithm.

Example
Show the steps of RSA Algorithm. If the RSA public
key is (31, 3599), what is the corresponding private
key?

Example
Show the steps of RSA Algorithm. If the RSA public key
is (31, 3599), what is the corresponding private key?
e=31 and n=3599
p=59 and q=61
phi(n)= 3480
d*e=1 mod 3480
d= 3031
Private key = 3031

Example
value. Find the value of φ(n). Find the two exponents
e and d. Now assume that Alice wants to send the
plain text 13 to Bob. Find the cipher text and decrypt
it on receiving side to get plaintext using RSA
algorithm.

Example
value. Find the value of φ(n). Let e= 17, Find the
exponents d. Now assume that Alice wants to send
the plain text 65 to Bob. Find the cipher text and
decrypt it on receiving side to get plaintext using RSA
algorithm.

Example
In a RSA cryptosystem a particular A uses two prime numbers
p = 13 and q =17 to generate her public and private keys. If
the public key of A is 35. Then the private key of A is
____________.
(A) 11
(B) 13
(C) 16
(D) 17

Attacks on RSA

Attacks on RSA
Factoring attacks
Factoring is the act of splitting an integer into a set of
smaller integers (factors) which, when multiplied together,
form the original integer.
The factoring problem is to find 3 and 5 when given 15.
Factoring an RSA would allow an attacker to figure out the
private key(e)

Attacks on RSA
Factoring attacks
This is the attack that attempts to find the key through the
solving of the very large prime number factor problem.
If attacker will able to know P and Q using N, then he could
find out value of private key.
This can be failed when N contains atleast 300 longer digits
in decimal terms, attacker will not able to find.

Attacks on RSA
Chosen cipher attack:
Alice creates ciphertext C = Pe mod n and sends C to Bob. Bob will decrypt for eve
Eve intercept C and uses following steps to find P.

Attacks on RSA
C
Sender Receiver
Eve Intercept C
Choose X random integer
Receiver
Construct New Cipher Y = C X e mod n
Z = Y d mod N Z = Y d mod n
= (C X e )d mod n
= Cd X e d mod n
= Cd X mod n
Z = P X mod n
P = Z X-1 mod n
Attacks on RSA
Encryption exponent
Common attack occur when e is low, so use e= 216 +1 = 65537.
• Coppersmith attack
• Broadcast attack
• Related Message attack
• Short pad attack

Attacks on RSA
Coppersmith attack :
Coppersmith method is mainly used in attacks on RSA when parts of
the secret key are known and forms a base for Coppersmith's attack.
Theorem states that in a modulo n polynomial f (x) of degree e, one can
use an algorithm of the complexity log n to find the roots if one of the
roots is smaller than n 1/e

Attacks on RSA
Broadcast attack
Suppose Alice wishes to send same message to three receipents with
the same public key exponent e and the moduli n1,n2,n3

Attacks on RSA
Related Message attack
• If Alice encrypt two P1 and P2 with e =3 and send C1 and C2 to
Bob.
• If P1 and P2 is related by a linear function, then eve can recover
P1 and p2 in a feasible computation time.

Attacks on RSA
Short pad attack
• Alice has a message M to send to Bob. She pads the message with r1, encrypt
and send C1 to Bob. Eve intercept C1 and drops it
• Bob inform Alice that he has not received the message, so Alice pads the
message again with r2, encrypt and send to Bob.Eve also will intercept the
message.
• Eve now has C1 and C2, knows both belong to same plaintext .
• If r1 and r2 are short, eve may be able to recover M
C1 M r1(padding)
C2 M r2(padding)
Attacks on RSA
Attacks on Decryption key:
Revealed decryption exponent attack:
If attacker somehow guess decryption key d, cipher text generated by
encryption key is in danger, and even future messages are also in danger.
So, it is advised to take fresh values of two prime numbers (i.e; P and Q), N
and E.
Low decryption exponent attack:
If we take smaller value of d in RSA this may occur, so to avoid take value of
d = 216+1(atleast).

Attacks on RSA
Plain text attacks: It is classified into 3 subcategories:-
Short message attack:
Attacker knows some blocks of plain text. If this assumption is true, the
attackers can try encrypting each plain-text block to view if it results into the
known cipher-text.
Therefore, it can avoid this short-message attack, it is suggested that it can
pad the plain text before encrypting it.

Attacks on RSA
Cycling attack:
Attacker will think that plain text is converted into cipher text using
permutation.
Continuous encryption of ciphertext will eventually result in plain text. But
attacker does not know the plain text. Hence will keep doing it until gets the
ciphertext, goes back one step find the plain text

Attacks on RSA
Unconcealed Message attack:
For some plain-text messages, encryption provides cipher-text
which is the equal as the original plain-text.
If this appears, the original plain-text message cannot be
secret.
Therefore, this attack is known as unconcealed message
attack.

Attacks on RSA
Attacks on the Modulus – Common modulus attack
If a community uses a common modulus n, select p and q, calculate
n and Φ(n), and create a pair of exponents(ei, di) for each entity.
The problem is eve can also decrypt the message, if he is a member
of the community and assigned a pair of exponent (ee, de )

Attacks on RSA
Implementation –Timing attack
•Eve intercept a large number of ciphertext C1,C2… to Cm.
•Eve observe how long it takes for the underlying hardware to calculate a
multiplication operation from t1 to tm( t is time required to calculate the
multiplication operation)
•The timing difference allows Eve to find the value of bits in d, one by one

Attacks on RSA
Implementation –Timing attack

Attacks on RSA
Implementation – Power attack
Eve can precisely measure the power consumed during
decryption, can launch power attack.
Multiplication and squaring consumes more power.

RSA Cryptosystem
• Introduction
• Procedure
• Attacks on RSA
• Optimal Asymmetric Encryption Padding (OAEP)
• Applications

Padding in RSA
•RSA without padding is also called Textbook RSA.
•RSA without padding is insecure.
•With RSA the padding is essential for its core function.
•RSA has a lot of mathematical structure, which leads to
weaknesses. Using correct padding prevents those
weaknesses.

Padding in RSA
Padding schemes
• PKCS#1 (Public-Key Cryptography Standards)
• Optimal Asymmetric Encryption Padding (OAEP) - It was defined by
Bellare and Rogaway, and has been standardized in PKCS#1 v2 and
RFC 2437.

Optimal Asymmetric Encryption Padding (OAEP)
•Short message makes ciphertext vulnerable to short message attacks.
•Adding bogus data(padding) to the message make Eve’s job harder,
but with additional efforts can still attack the ciphertext.
•The solution is apply a procedure called OAEP.
•A 2048 bit RSA key allows for 256 bytes(2048*8) of which the OAEP
padding takes 42 bytes, leaving around 214 bytes for encrypted data.

Padding in RSA
• OAEP uses a Feistel network with a pair of random oracles G and H.
• These operate on the plaintext before it is encrypted.
• Its strengths are that it adds randomness to the process.




Applications of RSA
•RSA was used with Transport Layer Security (TLS) to secure
communications among two individuals.
•Pretty Good Privacy algorithm use RSA
•Virtual Private Networks (VPNs), email services, web browsers
•Bluetooth
•MasterCard, VISA, e-banking
•e-commerce platform

RSA Cryptosystem
Disadvantages of RSA
•It may fail sometimes because for complete encryption both symmetric
and asymmetric encryption is required and RSA uses symmetric
encryption only.
•It has slow data transfer rate due to large numbers involved.
•It requires third party to verify the reliability of public keys sometimes.
•High processing is required at receiver’s end for decryption.

Outline
Encipherment using Modern Symmetric-Key Ciphers: (Text 1: Chapter 8)
oUse of Modern Block Ciphers
oUse of Stream Ciphers
oOther Issues.
Asymmetric Key Cryptography: (Text1: Chapter 10)
oIntroduction
oRSA Cryptosystem
oRabin Cryptosystem

RABIN CRYPTOSYSTEM
•Rabin Cryptosystem is an public-key cryptosystem invented by Michael Rabin.
•In Rabin cryptosystem, value of e = 2 and d= 1/2 is fixed.
•Rabin is based on quadratic congruence
The encryption is C ≡ P2 (mod n) and the decryption is P ≡ C1/2 (mod n).
•Public key is n
•Private key is tuple(p, q)
•Everyone can encrypt using n and only receiver can decrypt using p and q

RABIN CRYPTOSYSTEM

RABIN CRYPTOSYSTEM

RABIN CRYPTOSYSTEM

RABIN CRYPTOSYSTEM

Chinese Remainder theorem
CRT is used to solve a set of different congruent equations
with one variable but different moduli which are relatively
prime
CRT states that the above equation have a unique solution of

the moduli are relatively prime




RABIN CRYPTOSYSTEM
1. Bob selects p = 23 and q = 7. Note that both are congruent to 3 mod 4. p
and q are in the form 4k+3 and p not equal to q
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24.
Note that 161 and 24 are relatively prime; 24 is in Z161*.
She calculates C = 242 = 93 mod 161,
and sends the ciphertext 93 to Bob.
10.159
RABIN CRYPTOSYSTEM
5. Bob receives 93 and calculates four values:
a1 = +(93 (23+1)/4) mod 23 = +(936) mod 23 = 1 mod 23

a2 = −(93 (23+1)/4) mod 23 = -(936) mod 23 = -1mod 23  -1+23 mod 23 = 22 mod 23
b1 = +(93 (7+1)/4) mod 7 = +(932) mod 7 = 4 mod 7
b2 = −(93 (7+1)/4) mod 7 = -(932) mod 7 = -4 mod 7 -4+7 mod 7 = 3 mod 7
6. Bob takes four possible answers, (a1, b1), (a1, b2), (a2, b1), and (a2, b2), and
uses the Chinese remainder theorem to find four possible plaintexts:
116, 24, 137, and 45.
Note that only the second answer is Alice’s plaintext.
10.160
RABIN CRYPTOSYSTEM
6. Bob takes four possible answers, (a1, b1) uses the Chinese remainder
theorem
a1 = 1 mod 23
b1 = 4 mod 7
X = [1 * 7 ( 7 -1 mod 23 ) + 4 * 23 ( 23 -1 mod 7 ) ] mod 161
= [1 *7 ( 10 ) + 4 *23 ( 4) ]
= [70 + 368 ] mod 161
= 116
10.161
RABIN CRYPTOSYSTEM
6. Bob takes four possible answers, (a1, b2) uses the Chinese remainder
theorem
a1 = 1 mod 23
b1 = 3 mod 7
X = [1 * 7 ( 7 -1 mod 23 ) + 3 * 23 ( 23 -1 mod 7 ) ] mod 161
= [1 *7 ( 10 ) + 3 *23 ( 4) ]
= [70 + 276 ] mod 161
= 24
10.162
RABIN CRYPTOSYSTEM
6. Bob takes four possible answers, (a1, b1), (a1, b2), (a2, b1), and (a2, b2), and
uses the Chinese remainder theorem to find four possible plaintexts:
116, 24, 137, and 45.
Note that only the second answer is Alice’s plaintext.
10.163
Security of the RABIN
CRYPTOSYSTEM
• The Rabin system is secure as long as p and q are large
numbers.
• The complexity of the Rabin system is at the same level as
factoring a large number n into its two prime factors p and q.
(Rabin system is as secure as RSA)

RABIN CRYPTOSYSTEM
•Suppose Alice wants to send message to Bob
•Bob(Receiver) chooses the prime numbers p = 43 and q = 47
Note that 43 ≡ 47 ≡ 3 mod 4
•n  p* q = 2021
•To encrypt the message m = 741, Alice(Sender) computes
C = 7412 mod 2021 = 549081 mod 2021 = 1390
sends c = 1390 to Bob

ELAGAMAL CRYPTOSYSTEM
•The ElGamal cryptosystem is a public key encryption algorithm
invented by Taher Elgamal in 1985 that is based on the Diffie-Hellman
key exchange.
•It can be considered the asymmetric algorithm where the encryption

and decryption happen by using public and private keys.

Diffie Hellman key exchange
•The Diffie-Hellman key agreement protocol was the first practical
method for establishing a shared secret over an unsecured
communication channel.
•The point is to agree on a key that two parties can use for a
symmetric encryption, in such a way that an eavesdropper cannot
obtain the key.




•Bob(receiver) chooses p = 11 and e1 = 2, and d = 3 , e2 = e1 d = 8.
•So the public keys are (2, 8, 11) and the private key is 3.
•Alice(sender )chooses r = 4 and calculates C1 and C2 for the plaintext 7.

= 6 * (125) -1 mod 11
=
6 * 3 mod 11
=
18 mod 11
=
7

•Bob(receiver) chooses p = 19 and e1 = 10, and d = 5 , e2 = ?
•Alice(sender)chooses r = 6 and calculates C1 and C2 for the
plaintext 17

Security of Elagamal Cryptosystem
Low Modulus attack
Value of p should be large enough(atleast 1024 bits)

Security of Elagamal Cryptosystem
Known plaintext attack
•If Alice uses the same r to encrypt P and P’.
•Eve discover P’ if she knows P.
•Assume C2 = P * e2r mod p and C’2 = P’ * e2r mod p
•Eve can find P’ using the following steps

THANK YOU

CNS Unit 3

Uploaded by

Copyright:

Available Formats

CNS Unit 3

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CNS Unit 3

Uploaded by

Copyright:

Available Formats

M.S.

Ramaiah Institute of Technology

Course Name: Cryptography and Network Security

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 2

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 3

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 4

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 5

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 6

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 7

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 8

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 9

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 10

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 11

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 12

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 13

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 14

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 15

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 16

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 17

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 18

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 19

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 20

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 21

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 22

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 23

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 24

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 25

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 27

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 28

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 29

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 30

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 31

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 32

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 33

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 34

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 35

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 36

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 37

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 38

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 39

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 40

i) if (i mod 4) ≠ 0, wi = wi-1 ⊕ wi-4

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 41

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 42

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 43

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 44

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 45

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 46

ti = subword(Rotword(wi-1 )) ⊕Rcon i/4

Subword (AA548713) = AC20177D

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 48

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 49

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 50

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 51

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 52

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 53

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 54

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 55

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING 57