Public Key Encryption
Kyle Schmidt
Department of Computer Science
University of Wisconsin-Platteville
[email protected]
Abstract
Asymmetric cryptography, also known as public key cryptography, was first proposed in the
1970s as a way to solve the issue of safely and securely sharing a private key for use in
symmetric cryptography. Cryptography in general has a fascinating history, but in the last few
decades, with the advancements in technology, it has particularly flourished and become
increasingly vital to computer and network security. Several different public key schemes exist
today, many of which involve a great deal of number theory and modular arithmetic. The most
widely used public key scheme currently is RSA, yet the Elliptic Curve scheme is quickly
growing in popularity.
Introduction
Cryptography has a long and interesting history, dating back to the time of the ancient Greeks
and possibly even further. In the fifth century B.C.E., the Spartans were among the first to
develop a widely used cipher [3]. They would wrap a strip of leather or parchment around a
wooden staff, and then write a message on the material. When the material was unwound from
the staff, the message was chopped up and unable to be read until it was wound again around
another staff of equal diameter. Centuries later, Julius Caesar invented what is now called the
Caesar cipher, the most well known method of traditional cryptography today in which the letters
of a message are simply shifted down the alphabet a fixed number of places [3]. Over time,
people discovered how to break these simple ciphers and more complex systems were required.
In 1918, a machine was invented which not only encrypted and decrypted messages
automatically, but also brought security to a whole new level [3]. This was, of course, the famous
Enigma machine, best known for its use by the Nazis during World War II. However, despite
being groundbreaking technology in its day, it too was eventually cracked, and to this day
cryptosystems continue to evolve and become increasingly secure (and complex).
The most general definition of cryptography is the practice of secure and private communication
between two parties. Encryption is the process of rendering a message unintelligible to anyone
but the sender and the intended recipient. Almost all forms of cryptography require a secret key
to perform the encryption or decryption. In the examples above, the key for the cipher used by
the Spartans would be the diameter of the staff; for the Caesar cipher, the key would be the
2
number of letters to shift the message. Until modern times, cryptography and encryption were
synonymous with one another. However, with the advent of the computer and the discovery of
more complex and sophisticated cryptosystems, cryptography now serves a much wider array of
purposes including its use in credit cards, computer passwords, e-commerce, and digital
signatures. Today, there are two main types of cryptography: symmetric and asymmetric.
Symmetric vs. Asymmetric
Symmetric key cryptography uses only a single key (or two very similar keys) for both
encrypting and decrypting information. In other words, the key that the sender uses to make a
message unreadable is the same key as (or can be derived easily from) the key that the recipient
uses to make the message readable again [7]. All of the examples given in the introduction are
examples of symmetric key cryptosystems.
On the other hand, asymmetric (also called public key) cryptography uses two keys, a public key
and a private one. One of the keys is used for encrypting, and the other for decrypting. The
private key is never shared with anyone else; it is in the sole possession of a single person or
party at all times. The public key is accessible to anyone and everyone [7]. If the public key is
the encrypting key, then the system allows for anybody to encrypt a message for the owner of the
private key, and only the owner of the private key is able to read the message. Whereas
symmetric key cryptography can be analogized to a safe, in which two people must share a key
in order to place things in or remove things from the safe, public key cryptography is more
similar to a locked mailbox; anybody can drop in a letter, but only one person can retrieve those
letters.
Advantages of Asymmetric
This new method of using two keys has many advantages over symmetric key cryptography. For
instance, with symmetric key cryptography, exchanging the keys could be a very difficult task
since the key cannot be discovered by a third party. This is especially tricky if the two parties
who wish to communicate in secret are in very distant locations from each other, and thus must
trust a middle medium, such as a courier or telephone line, not to reveal the key. Furthermore,
even if the keys were successfully exchanged, the sender or recipient of the message must trust
one another to not modify the message [7]. Consider monetary transactions. The sender may
encrypt a message stating he or she is willing to pay the recipient an arbitrary sum, and the
recipient may claim that the message he or she received stated a much larger amount. There
would be no way to prove if the sender really did state the larger amount, if the recipient altered
it, or if the message was altered somewhere in between. Public key cryptography solves all these
problems since the private key is never shared with anyone else; therefore, the message that is
received is almost certainly the message that was sent, or else the recipient is at fault for not
securing their private key [7].
Public key cryptography has also created the possibility of other types of encryption that were
not possible with symmetric key cryptography, such as message authentication and digital
3
signatures [7]. If the encrypting key is private and the decrypting key public, then the system
serves as verification that a message did in fact originate from where it is said to have originated.
For instance, if the sender encrypts his or her message with his or her private key, then anybody
can decrypt it and read the message if it is legible, thus ensuring that the message came from the
right person since only that person could have encrypted it [7].
Modular Arithmetic and Essential Number Theory
Most cryptosystems are based on finite sets of discrete numbers [5]. That is, sets of a limited
number of integers. As such, modular arithmetic plays a huge role in public key cryptography, as
well as other areas of cryptography. Figuratively speaking, modular arithmetic is similar to
standard arithmetic, except instead of results being placed on a continuous number line, they are
placed on a discrete number circle. The number of integers on this circle is called the modulus.
After computing the result of a standard arithmetic expression, the result is divided by the
modulus and the new result is the remainder. The symbol “mod” is used to represent the modulus
operation.
Formally, if given integers a, r, and m, we say “a  r mod m” if (r – a) is divisible by m [5]. This
is read, “a is congruent to r modulo m.” Note: this is not to be confused with the modulo
operator, also represented with the symbol “mod,” as in “r = a mod b,” which calculates the
remainder r of a divided by b.
A clock is a great example of this concept. Say it is 10:00, and we want to know what time it will
be in four hours. The modulus is 12 since there are 12 hours on the clock, so then we evaluate
(10 + 4) / 12 = 1 with a remainder of 2, thus (10 + 4) mod 12 = 2, and 2  (10 + 4) mod 12. The
purpose of the modulus operation is to keep the results of arithmetic expressions within a given
finite set of integers.
Also note that for any given modulus m and integer a there are infinitely many valid remainders
[5]. This is, in part, what makes modular arithmetic so useful in cryptography.
The Ring Zm
Using modular arithmetic we obtain an integer ring Zm, a set of m integers with the following
properties [5]:
 We can perform any arithmetic operation on any two numbers in Zm and the result will
always be in Zm
 There is always a neutral element 0 for addition and a neutral element 1 for multiplication
o i.e. For all a ε Zm, a + 0 ≡ a mod m, and a (1) ≡ a mod m
 There is always an additive inverse for any element in Zm
o i.e. For all a ε Zm, there exists b = -a such that a + b ≡ 0 mod m
 The multiplicative inverse only exists for some, not all, elements in Zm
4
Euclidean Algorithm
The Euclidean Algorithm is an algorithm used to find the greatest common divisor (GCD) of two
integers [11]. The main idea behind the algorithm is to alter the problem of finding the GCD of
two larger numbers into a problem of finding the GCD of two smaller numbers, but yielding the
same result. This is based on the knowledge that GCD(a, b) = GCD(a - b, b) [7].
Let a = bq + r, then find a number u which divides both a and b, i.e. a = su and b = tu for some
integers s and t. We can see that u also divides r by rewriting our original equation in the form:
r = a – bq = su – qtu = (s – qt) u
Similarly, find a number v which divides b and r, and we see that v also divides a in the same
way: a = bq + r = s’vq + t’v = (s’q + t’) v. Therefore, every common divisor of a and b is also a
common divisor of b and r, so Euclid’s algorithm calculates the GCD of a and b by performing
recursive calculations as demonstrated in Figure 1 of the Appendix.
The GCD is discovered when rn+1 = 0; that is, when qn+1 divides rn-1 evenly. At this point, the
GCD is equal to rn, or the last non-zero remainder [11].
This is a very efficient algorithm, even with large numbers, since the complexity grows linearly
with the number of bits [7]. Notice that the Euclidean algorithm can also be used to find integers
x and y such that ax + by = GCD(a, b) by working the algorithm backwards. This method is used
to find modular inverses through a process called the Extended Euclidean Algorithm.
Extended Euclidean Algorithm
While addition, subtraction, and multiplication are performed the usual way when doing modular
arithmetic, division is different. Rather than dividing, we multiply by the inverse instead. That is,
in order to compute b / a we compute ba-1. The inverse of a is defined such that aa-1  1 mod m
[7].
The Extended Euclidean Algorithm is a fast and easy method of finding the modular inverse of b
mod a, which is extremely useful in almost all public key cryptographic schemes (especially the
RSA scheme) since many of them require performing division [7]. The first step of this
algorithm is to perform the regular Euclidean Algorithm on two integers to find their GCD. In
order for an inverse to exist, a and b must be relatively prime; that is, GCD(a, b) = 1. If this is
true, then x and y are the modular inverses of a and b, respectively [7].
To prove this, we take the relation mod a to find the inverse. So if ax + by = 1, then:
ax + by  1 mod a
Of course, anything divided by itself yields a remainder of zero. Thus a mod a = 0, and we get:
by  1 mod a
Recall that this is the definition of the modular inverse (aa-1  1 mod a), so therefore y is the
modular inverse of b. To calculate the modular inverse of a instead, we follow the same
procedure, but substitute mod b in for mod a, and we find the same result.
5
Euler’s Totient Function
A central part of the RSA scheme utilizes Euler’s Totient Function. The totient (n) is the
number of totatives of an integer n, where a totative is defined as an integer m for which 0 < m <
n and GCD(m, n) = 1 [8]. In other words, the totient of n is the number of natural numbers less
than and relatively prime to n.
So how is (n) calculated? Unfortunately, just as the Extended Euclidean Algorithm requires that
both integers be relatively prime, Euler’s Totient Function also has a prerequisite that the prime
factorization of n be known [8]. Say we have a set S = {1, 2, …, n}. Then, let us create subsets
for each prime factor of n that include all numbers in S for which the prime factor is a multiple.
Figure 1 in the Appendix shows an example of this, with n = 30. As you can see, there are three
subsets, A, B, and C, one for each 2, 3, and 5 (the prime factors of 30) and their multiples that are
in S = {1, 2, …, 30}. The blue set contains multiples of 2, the green set contains multiples of 3,
the red set contains multiples of 5, and the magenta, cyan, yellow, and white regions contain
multiples that are members of two or more sets.
The numbers in the gray region are the totatives; we want to find out how many of those there
are. We can use De Morgan’s theorem for sets and calculate the size of S\A ∩ S\B ∩ S\C, or all
numbers not in A, and not in B, and not in C [8]. By counting the number of items that are not in
the red region and not in the blue region and not in the green region, we are left with only the
numbers in the gray region. This, of course, give us the result (30) = 8.
We can determine the probability that a number in set S will be a totative by using the probability
that a number will not be in one of the subsets of prime factors; in particular, the probability of
an item being outside a set is simply one minus the probability of that item being in the set [8]. In
our example, the probability that a number from set S chosen at random will be in set A is 1/2,
and for set B it is 1/3, and for set C it is 1/5. Therefore, the probability that a number will not be
in any of these sets is P = (1 – 1/2)(1 – 1/3)(1 – 1/5). By multiplying this probability by n, we get
the frequency of totatives in S:
(30) = 30(1 – 1/2)(1 – 1/3)(1 – 1/5) = 8
This can be generalized as follows, with p1…pm representing the prime factors of n [8]:
(n) = n(1 – 1/p1)(1 – 1/p2)…(1 – 1/pm)
By using some algebraic manipulation, we can derive an alternative formula for (n). We first
replace n with its prime factorization, and then by grouping like terms and rewriting the equation
we get the following formula for (n), with km representing the multiplicity of each factor [8]:
(n) = (p1 – 1)p1k1–1(p2 – 1)p2k2–1 …(pm – 1)pmkm–1
This is the formula used in the RSA Scheme, discussed next.
6
RSA
Proposed in 1977 by Ronald Rivest, Adi Shamir, and Leonard Adleman, the RSA scheme is the
most widely used asymmetric cryptosystem today [1]. Generally too computationally intensive to
be used for mass encryption, the scheme is typically used for two purposes: secure exchange of
symmetric keys, and digital signatures, the latter of which will not be discussed in this paper [6].
How It Works
The scheme is based around the selection of two arbitrary, but very large, prime integers p and q
[1]. Encryption and decryption are simply exponentiations within the integer ring Zn (that is,
arithmetic modulo n) where n = pq. The keys are comprised of pairs of integers; (e, n) for the
public key, and (d, n) for the private key. To encrypt a plaintext message, M, represented as an
integer using a hash function, one would perform the calculation C = Me mod n, resulting in the
cyphertext C. Similarly, to decrypt the cyphertext and receive the intended message, one would
perform a similar operation M = Cd mod n [1].
The steps for creating the keys are outlined below [6]:
1. Choose two large prime numbers p and q (typically each thousands of digits long)
2. Calculate n = pq
3. Calculate (n) = (p – 1)(q – 1)
4. Choose a random integer e < (n) - 1 relatively prime to (n)
5. Using the Extended Euclidean Algorithm, calculate the inverse d of e modulo (n)
Note that the basic requirements here are, after choosing two distinct primes p and q, to choose
three distinct integers e, d, and k satisfying ed – 1 = k(p–1)(q–1) [1]. By ensuring e and (n) are
relatively prime in step 4, we are ensuring that e has an inverse, and thus we are guaranteed a
private key to match the public key [6].
Why It Works
As described above, we use C = Me mod n to represent the encryption function, and likewise we
use M = Cd mod n for the decryption function. In order to prove that this cryptosystem works we
must prove that Cd ≡ (Me)d ≡ Med ≡ M mod n.
This is possible using Fermat’s Little Theorem, which states that M(n) ≡ 1 mod n if M and n are
relatively prime [8]. Since the left-hand side of this relation is congruent to one, raising it to any
power will not change its value, so it must also be true that Mk(n) ≡ 1 mod n. Multiplying both
sides by M then gives us Mk(n)+1 ≡ M mod n. By rewriting our requirement from above of ed – 1
= k(p–1)(q–1), and remembering that (p–1)(q–1) = (n), we can get the equality ed = k(n) + 1.
Therefore, by replacing the exponent k(n)+1 with ed we get Med ≡ M mod n, which matches our
original hypothesis [8].
7
This is easily verified with a little manipulation. If M = Med = M1+(n)k, we can expand it in the
following way [1]:
M = Med = M1+(n)k = (M)M(n)k = (M)(M(n))k = (M)(1)k = M
Faster Encryption
You may be wondering, since the initial primes p and q are rather large, how it could possibly be
computationally feasible to perform exponentiations with these numbers. In fact, exponentiation
is never actually explicitly calculated; instead, the “square-and-multiply” algorithm is used to
quickly and efficiently calculate exponentiation, even with large numbers [6].
The algorithm is an iterative procedure based off the binary representation of the exponent (the
public or private key), iterating through each bit [6]. Consider the equation y = xh mod n, with y
initially being equal to x. We start with the second-to-leftmost bit (ignoring the leftmost bit) of
the binary representation of h. For each iteration, we do the following: square the current value
of y (if this is the first iteration, then y = x2 now), and then calculate y mod n. If the current bit of
h is 1, then also multiply y by x, and again calculate y mod n. Repeat for each bit in the exponent,
moving left to right [6]. Since we are performing modulo reduction after each operation, the
results stay within the integer ring Zn and the values do not get so large that they are impossible
to compute.
Consider the equation y = 226 mod 5 (of course, in practice these values would be much greater),
and see the example of this algorithm in the Appendix. Realize that 2610 = 110102, and remember
the first bit is skipped. As you can see, using this algorithm we find the answer of 4. We can
check that this is correct by computing 226 = 67108864 mod 5 = 4.
Since the number of iterations is directly related to the number of bits in the exponent, this
algorithm has a complexity of O(log n), which makes it relatively efficient [6]. Yet even though
this algorithm is much quicker than pure exponentiation, it can still be quite computationally
intensive, so care must be taken in implementation (especially on constrained devices such as
smart cards). To speed up the encryption and decryption process even more, sometimes a small
public key exponent is chosen. This does not significantly decrease security in the cryptosystem
as long as the private key exponent remains large.
Faster Decryption
It is easy to see why using a small public key exponent greatly increases the speed at which
encryption can be computed. However, we cannot do the same for decryption. Using a small
private key exponent would drastically reduce the security of the cryptosystem, as it would then
be very easy to compute the private key with the knowledge of the public key. Therefore another
method is required.
The Chinese Remainder Theorem provides us with a method of computing y = x mod (pq) given
yp = x mod p and yq = x mod q [10]. Using this theorem, we can speed up the process of
8
decryption by breaking down the computation of Cd mod n into two computations: Cd mod p and
Cd mod q. Although we are performing twice as many computations, this technique is less
computationally intensive since p and q are relatively small compared to n. Since using the
Chinese Remainder Theorem requires knowledge of p and q, it can only be used to speed up
decryption, not encryption, because only the holder of the private key knows these values.
Fermat’s Little Theorem conveniently states that xp–1 mod p ≡ 1. Using this knowledge, we can
simplify these two computations even more by splitting the exponent d into two smaller values
as well; namely, dp ≡ d mod (p – 1) and dq ≡ d mod (q – 1). With these new values, the
exponentiation required for decryption requires two simpler exponentiations: yp ≡ xpdp mod p and
yq ≡ xqdq mod q. Using the Chinese Remainder Theorem, we can use these two equations to
determine the final result, which is computed as y ≡ ypq (q–1 mod p) + yqp(p–1 mod q) mod n.
Although this seems rather complex, in practice this method is actually an average of four times
faster than straightforward exponentiation. [10]
Uses of RSA
Even when using these various methods to increase the speed of RSA’s encryption and
decryption procedures, RSA is still much slower than traditional symmetric cryptosystems. As a
result, it is not typically used for encrypting or decrypting large documents. Most often RSA is
used for digital signatures or to encrypt smaller messages, such as passwords or the keys to some
symmetric cryptosystems [6]. This allows for the best of both worlds of symmetric and
asymmetric: the secure exchanging of keys with fast and efficient encryption and decryption.
Elliptic Curve Cryptography
With computers becoming more efficient and faster algorithms being discovered, factoring large
numbers is becoming easier. This means larger keys are constantly needed for RSA to remain
secure, which, in turn, causes RSA to gradually become slower. An alternative method may soon
be required that can provide the same security with smaller keys. Elliptic Curve Cryptography
(ECC), first suggested independently by Neal Koblitz and Victor S. Miller in 1985, can provide
exactly this and is estimated to become widespread within the next decade [4].
The Premise
Suppose we have a set of points E in a plane, and we define a group operator “+” so that, given
two points P, Q in E we can compute R = P + Q. Note that this is not an actual arithmetic
addition; it is merely given the name for convenience. So now we can use this operator
repeatedly to compute G = P + P + … + P, or G = kP with a given integer k. Whereas the
security of RSA is based around the difficulty of factoring large integers, the security of ECC is
based around the difficulty of finding k given G and P [2]. Remember that since this “+” operator
is not an actual arithmetic addition, this is likewise not an actual arithmetic multiplication, and
thus it is not possible to simply divide G by P to get k. This is called the Elliptic Curve Discrete
9
Logarithm Problem, so called because it is more similar to the problem of finding k in the
equation a = bk [2]. So far there is no efficient algorithm for solving this problem, which is what
makes ECC so secure [2].
Elliptic Curve Algebra
The assumptions in the above paragraph are all made possible when the set of points E is drawn
from an elliptic curve [2]. An elliptic curve is represented with the relation y2 = x3 + ax + b; you
can see a couple graphical representations of elliptic curves in Figure 2 of the Appendix.
The group operator “+” discussed above can be defined in the following way. Given two points
P, Q in E, first draw a line connecting P and Q. Since elliptic curves are cubic, there are
generally three points at which a line will intersect the curve. The point P + Q is the mirror
image of the third point R at which this line intersects the curve [2]. Thus P + Q = –R. See Figure
3 in the Appendix for graphical examples. If the line does not intersect the curve at a third point
(i.e., P and Q are each other’s mirror reflections), then R is said to be at infinity, denoted O. This
is an additive identity element, so P + O = P [2]. To add a point P to itself (i.e. P + P, or 2P), we
simply use the tangent line at the point P instead [2]. We can calculate the coordinates of point P
+ Q with the equations xP+Q = α2 – xP – xQ and yP+Q = α(xP – xR) – yP, where α is the slope of the
line from P to Q [2]. These formulae are derived simple algebra; to derive the formulae for the
coordinates of 2P is slightly more complicated. These derivations are beyond the scope of this
paper, and are left as an exercise to the reader.
How it is Applied to Cryptography
In order for elliptic curves to be useful in cryptography, some restrictions must be placed on
what curves may be used. First of all, the curve must be smooth (i.e., the curve must not cross
itself and must not contain a cusp). Additionally, we cannot use real numbers in cryptography
because this may create a loss of precision [2]. The examples above have been over the field of
real numbers. Instead, we must use finite number fields; in particular, prime number fields. Of
course, graphically this is no longer a curve but rather a set of scattered points, but the algebra
used above to calculate the addition of two points remains the same. This uncommon algebra,
which is more complex than simply factoring, is what makes the Elliptic Curve Discrete
Logarithm Problem so difficult to solve.
Using this algebra we can securely exchange secret keys between two parties using the Elliptic
Curve Diffie-Hellman Key Exchange. First, the two parties (we’ll call them Alice and Bob) must
agree publicly on the parameters for the elliptic curve, including a and b for the elliptic curve
equation, as well as a starting point G in E. Alice selects a private integer XA and calculates the
point YA = XAG. Bob does similar, choosing a private integer XB to calculate YB. Alice and Bob
then publicly exchange these two points. The secret key K is computed by Alice calculating K =
XAYB; similarly, Bob computes K = XBYA. This works because XAYB = XAXBG = XBXAG = XBYA
[2]. Alice and Bob have now computed a secret key known only to them without ever publicly
10
exchanging it. This secret key can be used together with a symmetric cryptosystem. For a visual
analogy of this process, see Figure 4 in the Appendix.
The Big Picture
This is just an example of how elliptic curves can be used in cryptography. There are also
various other elliptic curve schemes used for encryption, such as the Elliptic Curve Integrated
Encryption Scheme, as well as schemes for digital signatures [4]. ECC has been found to be
roughly ten times faster than RSA, and because ECC requires less memory space and
computational power than RSA while providing the same security, it is ideal for use on
constrained devices such as smart cards and for wireless communications [4]. Furthermore, while
RSA has gradually become susceptible to increasingly efficient attack algorithms, there has been
no significant advancement in the efficiency of attack algorithms directed at ECC. Hence, ECC
is still as secure today as it was when it was first proposed 25 years ago [4]. See Table 3 in the
Appendix for a comparison of key sizes required to provide the same level of security among
symmetric schemes, RSA, and ECC.
Conclusion
The invention of public key cryptography in the 1970s has been a major breakthrough in
computer science and security. It has not entirely replaced the more traditional symmetric key
cryptography, however; rather, it was developed for the purpose of complementing it. The most
widespread public key scheme used today is RSA, which is based around the difficulty of
factoring large prime numbers. Although this scheme is more secure than symmetric
cryptosystems, it is also slower, and thus is generally used for digital signatures, or for securely
exchanging keys for use in symmetric cryptosystems. Elliptic Curve Cryptography has recently
been gaining popularity, since it has been found to be faster and more efficient while requiring
less memory and computational power. Cryptosystems are constantly evolving and becoming
increasingly complex, and in turn, increasingly secure. The future of cryptography and
encryption is certain to be a dynamic and interesting one.
References
[1] Alayont, Feryâl. (2005). “RSA: A Public Key Cryptosystem”.
<http://faculty.gvsu.edu/alayontf/talks/rsa.pdf>
[2] Kak, Avi. (2011). “Elliptic Curve Cryptography and Digital Rights Management”. Lecture
Notes on Computer and Network Security.
<https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture14.pdf>
[3] Kotas, William A. (2000). “A Brief History of Cryptography”. University of Tennessee
Honors Thesis Projects. <http://trace.tennessee.edu/utk_chanhonoproj/398>
11
[4] National Security Agency. (2009). “The Case for Elliptic Curve Cryptography”.
<http://www.nsa.gov/business/programs/elliptic_curve.shtml>
[5] Paar, Christof and Pelzl, Jan. (2010). “Introduction to Cryptography”. Understanding
Cryptography – A Textbook for Students and Practitioners (online slides).
<http://www.crypto-textbook.com>
[6] Paar, Christof and Pelzl, Jan. (2010). “The RSA Cryptosystem”. Understanding
Cryptography – A Textbook for Students and Practitioners (online slides).
<http://www.crypto-textbook.com>
[7] RSA Laboratories. (2000). “RSA Laboratories’ Frequently Asked Questions About Today’s
Cryptography, Version 4.1”. <http://www.rsasecurity.com/rsalabs/faq/files/rsalabs_faq41.pdf>
[8] Turner, Clay S. (2008). “Euler’s Totient Function and Public Key Cryptography”.
<http://web.cs.du.edu/~ramki/courses/security/2011Winter/notes/RSAmath.pdf>
[9] Vinck, A.J. Han. (2011). “Introduction to Public Key Cryptography”.
<http://www.exp-math.uni-essen.de/~vinck/crypto/script-crypto-pdf/add-to-3.pdf>
[10] Wagner, Neal R. (2003). “The RSA Public Key Cryptosystem”. The Laws of Cryptography
with Java Code. <http://www.cs.utsa.edu/~wagner/lawsbookcolor/laws.pdf>
[11] Weisstein, Eric W. “Euclidean Algorithm”. MathWorld – A Wolfram Web Resource.
<http://mathworld.wolfram.com/EuclideanAlgorithm.html>
12
Appendix
Table 1: Procedure of Euclidean Algorithm [11]
1
q1 = a / b
a = bq1 + r1
r1 = a – b q1
2
q2 = b / r1
b = q2 r1 + r2
r2 = b – q2 r1
3
q3 = r1 / r2
r1 = q3 r2 + r3
r3 = r1 – q3 r2
n
qn = rn-2 / rn-1 rn-2 = qn rn-1 + rn rn = rn-2 – qn rn-1
n+1 qn+1 = rn-1 / rn rn-1 = qn+1 rn + 0
--Table 2: Example of Square-and-Multiply
Iteration Current Bit
1
1
2
1 [1] 0 1 0
3
3
4
1 1 0 [1] 0
1 [1] 0 1 0
1 1 [0] 1 0
1 1 0 [1] 0
1 1 0 1 [0]
Calculation
y=x
y = y2 mod 5
y = y * 2 mod 5
y = y2 mod 5
Value of y
2
4 mod 5 = 4
8 mod 5 = 3
9 mod 5 = 4
y = y2 mod 5
y = y * 2 mod 5
y = y2 mod 5
16 mod 5 = 1
2 mod 5 = 2
4 mod 5 = 4
Comment
Initial value
Square and perform modular reduction
Multiply by 2 because current bit is 1
Square and perform modular reduction
Do not multiply by 2 because current bit is 0
Square and perform modular reduction
Multiply by 2 because current bit is 1
Square and perform modular reduction
Do not multiply by 2 because current bit is 0
Table 3: NIST Recommended Key Sizes for Equal Security [11]
Symmetric Key Size (bits)
80
112
128
192
256
RSA Key Size (bits)
1024
2048
3072
7680
15360
Elliptic Curve Key Size (bits)
160
224
256
384
521
13
Figure 1: Visualization of the Multiples and Totients of 30 [8]
Figure 2: Examples of Elliptic Curves [2]
Figure 3: Examples of Point Addition [2]
14
Figure 4: Illustrated Analogy of the Diffie-Hellman Key Exchange [9]