So before the mid-term exam, we finished on the topic or with the topic number theory and we introduced the concepts of the operations in modular arithmetic and you had some short questions about that in the mid-term exam. Let's just recap on some things because the next topic uses this modular arithmetic and some of the theorems that we have here. So just remind ourselves so that we can move on to the next topic. So we know what modular arithmetic is that we perform our operations mod n. We've seen some different properties, some of the new things which are a little bit interesting. Every number has an additive inverse, but not every number has a multiplicative inverse. The multiplicative inverse of some number is the number we multiply by to get one in mod n. The multiplicative inverse of A is B if A times B equals 1 or is equivalent to 1. And a number A has a multiplicative inverse in mod n if A is relatively prime with n. So that's important. Not all numbers have a multiplicative inverse. And what's relatively prime? Two numbers are relatively prime if their greatest common divisor is 1. I know some of you don't have the slides, so let's just write down some of these theorems and concepts that we've learned. You don't need to write them down. I'll just write them here so we can refer back to them. So remember about the multiplicative inverse. A number multiplied by its multiplicative inverse equals 1. And the multiplicative inverse exists if A and n are relatively prime, or I can't get a good colour. So I'll just make note of that so you can remember, where rp means relatively prime. If A and n are relatively prime, the multiplicative inverse of A in mod n exists. And we can find that value. There are algorithms to find the inverse quite well, quickly. What else did we see? We ended with some theorems, Fermat's theorem and Euler's theorem. I remember the totient, the totient of n, the count of numbers less than n and relatively prime with n.
We'll write down just one theorem because we're going to use it later, the second form of Euler's theorem, this one here. And you saw that in the exam. If we have some number raised to the power of the totient of n plus 1, then in mod n, it's equivalent to that number, A. That's the second form of Euler's theorem. It doesn't hold for all values of A, but the values that we're going to deal with, if A is relatively prime to n, then it holds, and also some other cases it holds. And when we use it later, we'll see that it holds for the values we deal with. Those are things that we're going to need when we look at public key encryption. We didn't cover logarithms. So we covered the four operations of addition, subtraction, multiplication, division, and the other two operations are exponentiation and logarithms. We raise a number to its exponent, which is an extension of multiplication, and the last one is logarithms. Let's try and cover it now. So this will be new. So exponentiation in modular arithmetic is the same as our normal exponentiation. We just raise it to the power, the same as multiplying n times when we raise to a power of n. What's our normal logarithm? If B equals A to the power of i, then in normal arithmetic we say that the log in base A of B equals the index i. That's our definition of our normal logarithm. If A, the base equals 10, and the index equals 2, then B equals 100, that's exponentiation, and the logarithm in base 10 of 100 equals the index 2, so that's just the way we write our normal logarithm. In modular arithmetic we have the same concept. If B equals A to the power of some index i in mod p, so now we have a modulus, then we say the logarithm in base A, and instead of writing mod p here, we often for convenience we write the p as a subscript here, the logarithm in base A using mod p of B equals the index i. That's the way we write it. A logarithm in modular arithmetic is called a discrete logarithm.
Discrete logarithm or abbreviated to dlog. dlog means discrete logarithm, which is simply a logarithm using modular arithmetic. That's just the way, the notation we use. What is discrete log of 4 in base 2 mod 7? You would try and find the value, the index, you would try and find the value such that 2, let's get a better pen, the value 2 to the power of some index mod 7 equals 4. So the discrete log of 4 in base 2 mod 7 is this value i, whatever it is. That's just the notation and how we can use it. Does anyone know the answer? Can anyone find an i where that is true? 2 to the power of some integer mod 7 equals 4. You could try the different values of i, try i equal to 0, no; i equal to 1, 2 to the power of 1 mod 7, no; i equal to 2, does it work? What if the index is 2 in this case? If i is 2, then we get 2 to the power of 2 is 4 mod 7, 4 mod 7 equals 4, so this is true. So an answer of discrete log in base 2 mod 7 of 4 equals, we run out of space 2, because if i equals 2 that's true. Now are there any other values of i? What about i equal to 3? 2 to the power of 3, 8 mod 7, is it 4? No. What about i equal to 4? 2 to the power of 4 is 16, 16 mod 7 is 2, what about 5? 2 to the power of 5 is 32, 32 mod 7 is, so if i equal to 5 is also a valid number here. So if i equals 2 this holds, this is true, and if i equals 5 this is true. We do not have a unique answer of this discrete log in this case, because the discrete log of 4 in base 2 mod 7 can be 2 or 5 or possibly other numbers. What we'd like is a distinct value, just one value. So similar in our division, we can only divide when a number has a multiplicative inverse, and not all numbers have a multiplicative inverse, remember, a multiplicative inverse exists if we have a and n being relatively prime. Similar here, not all numbers can we find a unique discrete logarithm. And it turns out there are some conditions under which we can find a unique discrete logarithm, and we'll try and explain them.
So first, before we go through the conditions, any questions about how to calculate the notation for a discrete logarithm? Just remember back to your normal logarithms, but now we have a modulus. So what we want, the discrete logarithm needs to produce a unique value. In this case it doesn't, because we see if i equals 2, our equation here holds, and if i equals 5, our equation holds. So our discrete logarithm would return different values. We need it to return a distinct value, a discrete value, and hence the discrete logarithm. So for what values can we find a discrete logarithm, a unique discrete logarithm? That's what we want to determine. We can only perform a discrete logarithm under some conditions, and the conditions are, we can find a value i if a, the base, is a primitive root of prime p. That is, the modulus p, if that's prime, a prime number, and the base a is a primitive root of that prime number, then it turns out we can find a unique value for a discrete log. If not, we get multiple answers, and we don't want that. The definition of our discrete log is we'll find a unique value, a unique exponent. So the next question is what's a primitive root? Our number a is a primitive root of p, or if it is, then if we take that number a and raise it to the power of 1, and mod by p we get some number, and take a squared, a to the power of 2, mod p and get another number, and a3, a to the power of 3, a to the power of 4, a to the power of p minus 1, then all this set of numbers are distinct. Give us different values, none of them repeat. Let's go through an example to show that. Let's find my example. Let's say we use a value of p equal to 7, so our modulus is 7. Why did that go blue? Our modulus is 7, a simple example. So for all this, p equals 7. Let's consider different values of a. From a equal to, we consider from 0 up to 6, less than 7, but 0 we'll see is not very useful. So from 1 to 6. And our definition, we need a to be a primitive root of p. 
P is 7 in our case, we need to find a value of a, such that if we take a and raise it to the power of 1, to the power of 2, to the power of 3, up to the power of 6, then those answers are distinct values. So let's try for different values of a. So what we want to find is the answers of a squared, a cubed and so on. We'll quickly calculate some of them. Try. Try and find for a equal to 1, a squared, everything's mod p, that is mod 7. Find the answers for a equal to 1 of those other five values. You try and calculate the answers first. You can calculate for all of them. They're quite simple. What's the first answer? Here, a equal to 1, a squared mod 7 is 1, a cubed mod 7, when a equals 1, the first set are easy. So when a equals 1, a to the power of 6 is of course 1, mod 7 is 1. And now do it for a equal to 2, a squared, 2 squared is 4, mod 7 gives us 4, 2 cubed mod 7, 1, 2 to the power of 4, mod 7, 2, 2 to the power of 5, mod 7 and 1. And now do it for a equal to 3, 3 squared mod 7, this is easy, 3 cubed mod 7, 27 mod 7, 6, 81 mod 7. All right, maybe you take a bit more time, it's 4, 283 mod 7, I need my calculator but I've calculated before, it turns out to be 5, okay. And the last one is 1 as well. And I'll give you the answers for the remaining ones, we've got 2, 1, 4, 2, 1, 5 squared is 25, mod 7 is 4, 6, 2 and 6, we get 1, 6, 1, 6, 1. So which values of a are primitive roots of 7, 3 and 5? Because the answers here of a to the power of 1, a squared, a cubed and so on give us distinct values, 3, 2, 6, 4, 5, 1 and for 5, 5, 4, 6, 2, 3, 1, we get no repetitions in there. What that means is when we do a discrete logarithm where the base a equals 3 and p equals 7, for any value here we'll get one answer, a distinct value here. And similar if the base a equals 5, mod 7, for any value here we'll get one distinct answer. Whereas with a equal to 2, there are multiple answers, okay. 
So the primitive root is defined as giving distinct values for a1 up to a to the power of p minus 1. So we only deal with discrete logarithms when we get a unique exponent, that's what we're interested in. What's the answer? Discrete log base 2, mod 7 of 4, so we've got the answers here. When a is 2, when the answer is 4, sorry what have I done? I've given you the wrong one, a equal to 3, 2 doesn't work, that is we've already done 2, 2 gives us multiple values. When a equals 3, where 3 is a primitive root of 7, 4 in this case, discrete log, discrete log of 5, discrete log of 5, why am I choosing easy ones, 6. So when we have the base of 3 and we raise 3 to some power, we get an answer of 6. When we have the base of 3 and we raise it to the power of 3, the answer is 6. So the answer here is 3, 3 to the power of 3, mod 7 equals 6. So we can find discrete or unique answers in this case, my pen's gone wild. So now we, similar with multiplication, not all numbers have a multiplicative inverse, not all discrete logarithms have a unique exponent. So we only deal with certain sets and in this case if we have a primitive root, if a is a primitive root of p then we can get a unique exponent i with a discrete logarithm. That will become important in one of our later, in fact in public key cryptography in several algorithms. Solving a discrete logarithm is an important challenge and we need to select numbers such that we can get a unique answer. There's some integers which have primitive roots and 2, 4, when p is an odd prime, p to the power of alpha, where alpha is an integer and 2 times p to the power of alpha, turns out they have primitive roots. This is another example. So the example we went through was the mod of 7, here's an example with mod 19, where we look at a to the power of 1 up to a to the power of 18 for all the different values of a and we see what are the primitive roots, what are the primitive roots in mod 19? 
First primitive root and this slide gives the hint in that it's coloured as a grey box. If you look inside, well for a equal to 1 we get all the same value, with a equal to 2 if you look at these 18 values they are unique, there's no repetitions. So a equal to 2 is a primitive root of 19 and similar with a equal to 3 is a primitive root of 19. 10, 13, 14 and 15 are primitive roots of 19. What's the discrete log of 3? Where the base 13 and modulus 19, base 17, 3 to the power, sorry, 13 to the power of 17, mod 19 equals 3. 13 to the power of 17, mod 19 equals 3. So that's the answer here is 17. Finding the discrete log of large numbers is hard. Even if we know there's a unique discrete log, if we know a number is a primitive root of n then still finding the value is computationally difficult. Let's just record our notation here. So the different primitive roots of 19, 2, 3, 10, 13, 14 and 15. So that finishes our topic on number theory. We're going to see that being used in the next topics. And we're going to see that even though we've gone through simple examples, some of the calculations of solving the problems we've seen in modular arithmetic and number theory are computationally difficult. That is, if we use very large numbers, there are no known ways to find an answer in a reasonable amount of time. Three problems which are important. First is integer factorization. That is, an integer can be factored into its primes. If n is calculated as p times q where p and q are prime numbers, so the factors of n are p and q, the prime factors, then if p and q are large then there's no easy way to find p and q given n. So if someone gives you n and you know it was calculated by multiplying two large prime numbers, you don't know those prime numbers, your challenge is to find p and q if they're large enough then it will take you forever to find it.
So large enough, some examples we'll see, we'll talk about RSA later, but primes n is, for example, 768 bits or about 232 decimal digits. So if you have a number, you write down 232 decimal digits and n, that's the value of n, or the approximate length of n, where that was determined by multiplying two primes p and q together, then given that n, find p and q, the best, well, over the past few years people could solve that if there was 232 digits, if there was 300 digits then there's no way you can solve that in a reasonable amount of time. It takes too long to find the answer. So if n is large, finding p and q is considered practically impossible. Similar to our brute force attacks, if we have enough bits in our key, finding the right key is practically impossible because it takes too long. Another problem is calculating Euler's totient. We saw it as quite simple. What we do is we count the numbers less than n, which are relatively prime with n. You had one in the midterm exam, the totient of 24, easy, you found it was 8. So if n is a composite number, it's not prime, if it's prime it's easy to calculate. The answer is p minus 1. If n is prime, the totient of n is n minus 1, that's easy to calculate. But if n is not prime, finding the totient is computationally difficult to calculate. Again, for large values of n, it's considered practically impossible to calculate. It takes too long to find the answer and it's considered a harder problem than integer factorization. Given some n, either find the two primes p or q or find the totient of n, both of them are going to take too long if n is large enough and it's considered that the fastest one would be the factorization. Finding the totient is even slower than factorization. The other thing is that solving our discrete logarithms is hard. If we know, if we have a, p and b, find the index i and again with large values, that's considered too hard to solve. There are no known ways that can solve them in reasonable time.
And it's comparable in difficulty to factorization. We're going to use this, or different security algorithms use these concepts in providing the strength in their security. They use these different algorithms, factorization, the totient to make it hard for an attacker to try and break the security. So we're going to see that coming to play. The next topic is public key cryptography and that's where we see these used. Any questions on any of the things, the discrete logarithm especially that we've covered quickly this afternoon. Just try and understand that not all values we can calculate a unique discrete logarithm for only when a is a primitive root of p, the modulus. And we'll see where these problems come into play in the next. What's gone wrong? Let's talk about public key cryptography. First we'll talk about the general principles and then we'll go into one example algorithm, RSA, and we'll see those problems or those challenges of factorization and so on being applied. Everything up until now that we've covered is considered symmetric key cryptography. And all the ciphers, Caesar cipher, those classical ciphers, DES, AES are all symmetric key ciphers. And it wasn't until the 1960s that people came up with new approaches, an alternative. And the approach is called asymmetric key cryptography, symmetric versus asymmetric or also known as public key cryptography. In the 1960s the security organization in the US, the NSA, found or developed a different way to encrypt information, the concept of public key cryptography. And the first known report that reported on such technique came from a similar organization in the UK. And the first public report was by two guys called Diffie and Hellman. And in 1976 they introduced the concept publicly of public key cryptography. It wasn't until more recently that these earlier reports from the UK and NSA came out. They were kept secret.
The idea of Diffie and Hellman was to develop a technique that didn't rely on other parties to help distributing the keys. The main problem with symmetric key cryptography is that source and destination must have the same shared key. For me to get the key to someone else, it's very inconvenient. One way to make it more convenient and automatic is to use some trusted third party who distributes keys. For example, two students want to communicate using symmetric key cryptography. One of them selects a key. One approach is that they need to somehow distribute that key to the other student. That's the challenge with symmetric key cryptography. They need to get that key secretly to the other student without everyone else finding out. That's difficult, especially when we want to automate the approach, like across a network. So one approach would be to have one person act as a trusted third party. For example, me. One approach with symmetric key cryptography is that when one student wants to communicate with some other student, they come to me and I give both the students a shared secret key. So one comes to me, I give them a shared secret key, and then later the other student comes to me and I give them the same key. And then that pair of students can communicate using that one key. So a common way to distribute keys is to use a trusted third party to help distribute the keys. It makes it more practical. But in a number of cases, we don't want to have to trust other entities. You may not trust me to do that for you. So Diffie and Hellman wanted to develop a technique that didn't rely on such techniques. And they wanted also to allow digital signatures. The digital equivalent of signing something to show that it came from you. So that later we can prove that it came from you. And we'll see that concept in more detail later. So they developed public key cryptography. What is it? Well, before we get what is it, let's compare it with symmetric key cryptography.
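The primitive-root tables and discrete logs worked by hand above (p = 7 and p = 19) can be reproduced with the following added example, which is not part of the lecture. It goes one step beyond the lecture by including baby-step giant-step, a standard generic method whose cost grows with the square root of p; all function names are chosen here for illustration.

```python
"""Primitive roots and discrete logarithms for small primes (added example)."""
from math import isqrt


def power_table(a, p):
    """Return [a^1 mod p, a^2 mod p, ..., a^(p-1) mod p]."""
    return [pow(a, i, p) for i in range(1, p)]


def is_primitive_root(a, p):
    """a is a primitive root of prime p when its p-1 powers are all distinct."""
    return len(set(power_table(a, p))) == p - 1


def primitive_roots(p):
    """All primitive roots of the prime p, found by checking every base."""
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def all_exponents(b, a, p):
    """Every i in 1..p-1 with a^i = b (mod p); more than one means no unique log."""
    return [i for i in range(1, p) if pow(a, i, p) == b % p]


def dlog(b, a, p):
    """Unique discrete log of b in base a mod p, by exhaustive search."""
    if not is_primitive_root(a, p):
        raise ValueError(f"{a} is not a primitive root of {p}: log is not unique")
    matches = all_exponents(b, a, p)
    if not matches:
        raise ValueError(f"{b} is not a power of {a} mod {p}")
    return matches[0]


def dlog_bsgs(b, a, p):
    """Baby-step giant-step: about sqrt(p) multiplications instead of p.

    Assumes a is a primitive root of prime p and b is not 0 mod p.
    Returns the exponent in 1..p-1, matching the lecture's convention.
    """
    m = isqrt(p - 1) + 1
    baby = {}                      # a^j mod p -> j, for j = 0..m-1
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * a % p
    giant = pow(a, -m, p)          # a^(-m) mod p (Python 3.8+)
    gamma = b % p
    for i in range(m):
        if gamma in baby:          # b * a^(-i*m) = a^j  =>  b = a^(i*m + j)
            x = i * m + baby[gamma]
            return x if x else p - 1
        gamma = gamma * giant % p
    return None


if __name__ == "__main__":
    for a in range(1, 7):
        print(f"a={a}: {power_table(a, 7)}  primitive root: {is_primitive_root(a, 7)}")
    print("dlog of 4, base 2, mod 7 candidates:", all_exponents(4, 2, 7))
    print("dlog of 6, base 3, mod 7:", dlog(6, 3, 7))
    print("primitive roots of 19:", primitive_roots(19))
    print("dlog of 3, base 13, mod 19:", dlog(3, 13, 19), dlog_bsgs(3, 13, 19))
```

Even the square-root method is out of reach once p has hundreds of digits, which is the hardness the lecture relies on.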
Note, I'll use different terminology here. So symmetric key cryptography or symmetric algorithms, sometimes called secret key cryptography, we have a secret key at both the source and destination, the same secret key. There's just one key. Symmetric, it's the same at both sides. Asymmetric algorithms, or also public key algorithms, we have two keys, two different keys. So we have a pair of keys. One is a public key and one is a private key. By public, we mean anyone can know that key. It doesn't have to be kept secret. In fact, the important way, or the practical way to use it, is that it's made public, it's not kept secret. But the other key in the pair, a private key, is kept secret. So it's also a secret key. But there are two keys in this case, as opposed to symmetric key algorithms, which use just a single secret key. And in asymmetric algorithms, we encrypt our data using one of the keys in a pair. And the algorithm must be such that the ciphertext can be decrypted using the other key in the pair. So imagine every user has a pair of keys now. I have a public key and a private key. If I want to send some data, I encrypt with some public key and it's decrypted with the corresponding private key. And in some cases it can be the other way around. Encrypt with a private key, decrypt with a public key. You encrypt with one, decrypt with the other. Yes, the public key we assume can be seen by everyone. So let's say I have my own pair of keys, a public and a private key. I can write the public key on the board. I can send it in an email. Everyone can see the public key. By definition, it's open. It's not secret. The private key is secret. It must be kept secret for all of these algorithms to work. What we will need for asymmetric algorithms, where we use two keys, a public and a private key, is that it's hard, computationally infeasible, to determine one key given the algorithm and the other key. 
So if a malicious user knows the algorithm, we assume in all of our ciphers that the algorithm is known. DES is known, RSA is known, all the algorithms are known in advance. So if a malicious user knows the algorithm and it knows the public key, it should be hard to work out what the corresponding private key is. Because the private key must be kept private, secret. If they can find it out, it's no longer secret. In some cases, in some algorithms, we have an optional feature such that we can use the keys in opposite directions. One approach is I encrypt with my public key and the ciphertext can be decrypted with the private key. The alternative is I encrypt some message with a private key and the ciphertext can be decrypted with the public key. So you use them in opposite order. In some of the algorithms we'll go through, this feature is present. In others, it's not. It's not necessary in all cases. So let's give some notation and definitions for these keys. So now we have the two keys. A public key is available to everyone and the private key must be secret, secret, known only by the owner. So in fact now, a user has a pair of keys. So I will have my own private key and public key pair. My private key only I know. My public key I can tell everyone else. All of you may have your own public-private key pair. And you can tell everyone your own public key but you'll keep your private key secret. How do we use them? For secrecy, which means if we want to provide confidentiality of our data, that is I want to send a secret message to someone, then what I do is I encrypt that message using a public key and the ciphertext is just decrypted using the corresponding private key. Okay? So for confidentiality or secrecy, so keeping the contents of the message private or secret, encrypt with the public key, decrypt with the private key. So that's providing the equivalent service as the symmetric key algorithms.
With DES, what we do is we encrypt our plain text with a shared secret key, send the ciphertext and we decrypt with the same shared secret key. Now with a public key algorithm what we do is we take our plain text, I encrypt it with a public key, send the ciphertext and the receiver will decrypt with the corresponding private key. Okay? If we have an appropriate algorithm and chosen the keys correctly, we can see that we will see that that provides secrecy or confidentiality. It turns out we can also use most of these algorithms for authentication. What's that? That's about proving that the message came from the right person, the person who they say they are. So secrecy is confidentiality, making sure that no one else can see the message. Authentication is we don't care about whether someone sees the message, we care about when I receive a message that it came from the person who they say they are. And we can do that by using the keys in the opposite order. So what I do is I take a message, I encrypt it with a private key, it will turn out to be my private key, send it to you, you decrypt with my public key to confirm that it came from me. So the goal here is the receiver must be able to confirm that that message came from me. It didn't come from someone pretending to be me. That's what authentication is about. Making sure that the message came from the right person. We'll see that that's a key part of or an important part of how public key cryptography is used for authentication. So importantly every user now we'll assume has a pair of keys, a public and private key. And we'll often denote that as PU for public and PR for private. So the user A has their own public key, PU A, and also a corresponding private key, PR A. And depending upon, well, there's a relationship between these keys. Okay, they're not just random keys. We'll see that the algorithms help us or determine how to choose these keys. They're no longer just random values, they're related.
Depending upon the algorithm, we'll see the different relationships. Here's an example. Here we have our user Bob. This is Bob on this side. And there are other users in the network. There's Alice, there's Joy, Mike and Ted. Assume everyone has their own pair of keys. Bob has his own public and private key. Alice has her own public and private key. So do the other users. And in this case, Bob wants to send a confidential message to Alice. So a secret message. Bob must know the public key of the other users, especially Alice in this case. And that's not difficult. Because they are public, it's easy for Bob to find out the public key of Joy, Mike, Alice and Ted, that public keys of other users. For example, what they can do, every user puts their public key on a website. This is the public key of Alice. This is the public key of Joy and so on. This is the public key of Bob. Because everyone's allowed to see them. And now when Bob wants to send a message to Alice and doesn't want anyone else to read it, Bob encrypts the plain text using Alice's public key and gets some ciphertext and sends the ciphertext to Alice. And then Alice decrypts that ciphertext using her private key and should get the corresponding plain text. If the algorithms are designed correctly and the keys are chosen correctly, that will work. We need to go through the details of those algorithms. But if we've got an appropriate algorithm, if we encrypt with the public key, we can decrypt with the corresponding private key. And why do we get confidentiality in this case? Well, this will work or this will provide confidentiality if only Alice's private key can decrypt the ciphertext. Take our plain text encrypt with the public key of Alice. Assuming the algorithm is such that only the corresponding key can successfully decrypt, any other key will not. Any other key will produce an error. 
If only it can be decrypted with Alice's private key, then that means that this is confidential because there's only one person in the world that can decrypt and that is Alice. Because by definition, only Alice has her private key. So this is a basic concept of confidentiality with public key encryption. The sending user encrypts with the receiver's user's public key. The receiver decrypts using their private key under the assumption that we have an algorithm that if we encrypt with one key, we can only successfully decrypt with the other corresponding key. So you want to send me a secret message. What do you do with public key cryptography? Which one? Which public key? My public key. If someone wants to send me a message, a secret message, you encrypt using my public key. And only I can decrypt it because only I have my private key. That's the idea there. So encrypt with the recipient's public key. Of course, we need to look at what algorithms can be used here and there are different algorithms that can be used here and the algorithms define how the keys are related as well. That's for confidentiality or encrypting data. In fact, we can also use it, my mouse is dying. We can also use the keys sometimes in the opposite direction. Here's a case where we don't want confidentiality but we want authentication. Here Bob wants to send, Bob's going to send a message to Alice. Bob doesn't care if someone else sees the message. The important thing here is that Alice can confirm that this message came from Bob. It didn't come from someone else pretending to be Bob. So this is authentication. What happens is that Bob uses his own private key to encrypt the message, sends the ciphertext to Alice and Alice uses Bob's public key to decrypt. So we're always using this assumption. If we encrypt with one key, we can only decrypt with the other key of the pair. Can someone else see the message? How do they see the message? Okay. 
If I intercept this message, the ciphertext here, note it's encrypted using the private key of Bob. I just find the public key of Bob which is public and decrypted. So I can see the contents of the message. So this does not provide confidentiality. It's not intended to. Now, can I pretend to be Bob and send a message to Alice? What do I do? I want to pretend to be Bob, perform a masquerade attack and send a message to Alice so Alice thinks it came from Bob. I would need the private key of Bob. By definition, I don't have that because that's secret. It's private just to Bob because what Alice is going to do when Alice receives a message and it says this message is from Bob, she would decrypt that using Bob's public key. If I send the message and it was encrypted with Steve's private key, Alice thinks it came from Bob therefore will try Bob's public key and it will not successfully decrypt. And that's where Alice will determine us. Something's gone wrong. It should successfully decrypt if it came from Bob. So this is a way for providing authentication. For the receiver to check where the message came from. And that's an important service. And the difference between the two is that we just use the keys in the opposite order. Here we use private key, public key. In the previous, we use public key, private key. Let's compare. What do we got here? Something looks wrong. You're right. The public key, so for secrecy is this case, confidentiality. The public key is used in encryption here. And for secrecy, the private key is used in decryption. But the second one, that should be the opposite way or wrong. Here the public key is used in decryption. And the private key is used for encryption here. So thanks, you've picked up a mistake here. This for private key for authentication, which was the second diagram is used in encryption. So for authentication, we encrypt with the private key, decrypt with the public key. Yes, but we're using the public key to do that. 
So for secrecy, public key, and then private key, that's this case, public key, private key. Authentication is this second case, private key, then public key to decrypt. What have we got left? What's the difference between asymmetric and symmetric cryptography? Here. Okay, it's getting confusing because here's another name. Symmetric key cryptography, also called conventional encryption. That was the original form. Symmetric key cryptography, secret key cryptography, conventional cryptography or encryption are all the same. Public key cryptography or asymmetric key cryptography are the same. Let's compare the two, the symmetric versus public key. In conventional symmetric key cryptography, we have the same algorithm, and we have the same key. We have one key used. And the send and receive must share that algorithm and key. Importantly, the key must be known by the send and receiver. In public key cryptography, we have a pair of keys. One is used for encryption and one is used for decryption. So now we have two keys. And the send and receiver must have one of the keys in the pair. So the sender may have the public key and the receiver uses the private key or the other way around. The sender uses the private key and the receiver uses the public key. In symmetric or conventional encryption, to provide security, we need to keep the key secret. That's important. And some of the things we've seen, it must be impractical to find the message if there's no other information known. That is, given the ciphertext, it must be hard to find the plaintext. And given knowledge of the algorithm and even some past samples of ciphertext, as from previous ciphertext, it should be hard to find the key. There are normal requirements for symmetric key cryptography. Now, with public key cryptography, we have the requirement that one of the keys must be secret, the private key. Given some ciphertext, it must be still hard to find the plaintext. That's the same requirement. 
And it should be hard to find the other key. If you know one key, it should be hard for malicious users to find the other key. That is, if you know my public key, you shouldn't be able to calculate what my private key is, because then it would no longer be private and our security, our system, would not work. But with all the algorithms, there is a relationship between public and private key. It just must be hard for the malicious user to find one given the other. So we'll see how that works for one or two algorithms. Let's go to an example. And then we'll come back to these slides after the break. Let's go direct to an example algorithm and then we'll return. One of the most well-known algorithms for public key cryptography is the RSA algorithm. We'll talk a bit more about the history later after the break. It was developed by Rivest, Shamir and Adleman (Ron Rivest is the same guy who made RC4 and a number of other algorithms) and, of course, named after them: R, S and A. Let's just look at the encryption algorithm, go through a quick example, and then later we'll come back and explain how it works and, importantly, why it works. Here it is, here's RSA. Just focus on this equation. C equals M to the power of E mod N. In symmetric key cryptography and DES, at least with simplified DES, we went through all those steps of initial permutations, S-boxes and so on. With RC4, we went through these steps of permuting and rearranging our vector. With RSA, we have a simple equation, C equals M to the power of E mod N. That's encryption, where M is our plaintext, C is the ciphertext, and E and N are parts of one of our keys. Here's where our modular arithmetic is going to come in. We'll see later things like multiplicative inverses, discrete logarithms, because you can see we're raising something to a power, which gives a hint that discrete logarithms are going to come into play. E and N are the public key. The public key, in fact, is two values; they are integers. 
The length we'll talk about later, but two integers. So the public key of some user B, PU of B, is E and N. What we do to encrypt a message: we take that message, which we represent as an integer as well. So if the message is, let's say, a long string, then we need to represent that as an integer. Let's say we convert it to binary and take a thousand bits, and that's a one-thousand-bit number, a one-thousand-bit integer. So we have an integer. We raise it to the power of E in our public key, mod by N, and we get our ciphertext. Let's give an example. Actually, there's an example on the screen. We'll use that. Here's the example. We have, in this case, the public key E is 7 and N is 187, and we have a message, which is the number 88. That's not a good message, but the idea is that if we have some string, for example, we can represent it in binary, then that can be represented as some integer. In this simple example, the integer is 88. That's the message M that we want to send to the other side. So what we do is we take 88, we raise it to the power of 7 and mod by 187, and if you use your calculator, you get 11 in this case. So the ciphertext is 11. We send 11 to the other side and the other side decrypts, and the decryption algorithm, which was on one of the previous slides, is effectively the same. To get the original plaintext back, we take the ciphertext, raise it to some number, in this case a different number, D, and mod by the same modulus N, where the private key is often written as D and N. That's at the bottom, that's here. The private key is D and N. The public key is E and N. Encryption, C equals M to the power of E mod N. Decryption, M equals C to the power of D mod N. Same N, and you can check at least for these values and see that it works. When I say it works, it means if we encrypt M and get ciphertext and then we decrypt, we must get the same M back, otherwise it's unsuccessful. 
We take 11 and raise it to the power of D; in this case D is 23. So that was chosen. The private key was 23 and N, the same value 187. 11 to the power of 23, mod 187, and you can check with your calculator, and the answer is 88. It gives the same plaintext as what we had at the start. That's how RSA works. Under what conditions does it work is important. Let's try another example. A simpler one that maybe we can do before our break. Let's say we have a public key E equal to 4, N equal to 20, and there will also be a private key D equal to 2, N is also 20. So in fact N, although we say N is part of the private key, that is in fact public because it's the same N in the private and public keys. So N is known. The only thing secret is D in this case. And let's say I want to encrypt some message M equal to 15, and I'll help you with a calculator. What's the step? Let's say you have this public/private key pair. I want to send you a confidential message. So I encrypt using your public key, this value, and you will decrypt using the private key. So what I do is use our algorithm, C equals M to the power of E mod N. M is 15. E is 4. N is 20. Anyone know the answer? Calculator. Let's try it. What have we got? 15 to the power of 4, mod 20, 5. Okay? Simple. That's our ciphertext. Did you get that? Same value? Should end with 5, correct? You look at the other number. Go back. Do it again. What's 15 to the power of 4? 50625 mod 20, I think if you divide by 20 the remainder is going to be 5 in that case. 5 is the ciphertext. I send 5 to you. What do you do? How do you decrypt? You take the ciphertext 5, raise it to the power of D, 2, and mod by the same N. What's the answer? Good. What's wrong? Didn't work. Here I took the ciphertext, so you receive the ciphertext, you apply this algorithm, 5 to the power of 2, mod 20, and you get 5. But my original plaintext was 15 and you've got a plaintext of 5. 
That's of course not a good cipher because we need to get the same plaintext out at the receiver. It didn't work here. So importantly, the RSA algorithm only works under certain conditions, that is, it only works for some values of E, N and D. It doesn't work for any possible value. That's why we need some way to generate the values of E, N and D such that this will work. In the first example, the example on the screen, it worked. Why did it work? Because E, N and D were chosen in such a way that it would work. In this example they were not chosen correctly. The keys were not generated correctly and hence when we decrypted we didn't get the original plaintext. So what we need to do is go through how to select the values of E, N and D such that it will decrypt successfully, and that's what we'll do after the break. So what we'll do after the break is go through in detail when RSA works. So let's stop there and start at 20 to 3.
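
The two worked examples above can be replayed and compared in a few lines. This is an added example, not part of the lecture: it encrypts and decrypts every possible message under both key pairs and also tests the standard RSA key condition e·d ≡ 1 (mod φ(n)), which this part of the lecture has not yet stated. The function names are hypothetical and the brute-force totient is only suitable for numbers this small.

```python
from math import gcd

def encrypt(m, e, n):
    """C = M^E mod N, as in the lecture."""
    return pow(m, e, n)

def decrypt(c, d, n):
    """M = C^D mod N, as in the lecture."""
    return pow(c, d, n)

def totient(n):
    """Count of integers below n that are relatively prime with n.
    Brute force: acceptable for lecture-sized n, useless for real key sizes."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def failing_messages(e, d, n):
    """All M in [0, n) that do not come back after encrypt-then-decrypt."""
    return [m for m in range(n) if decrypt(encrypt(m, e, n), d, n) != m]

def check_key_pair(e, d, n):
    """Report why a (E, D, N) triple is or is not a usable RSA key pair.
    Assumption (standard RSA, not yet covered above): D must be the
    multiplicative inverse of E mod totient(N), which needs gcd(E, totient) = 1."""
    phi = totient(n)
    return {
        "phi": phi,
        "e_invertible": gcd(e, phi) == 1,
        "ed_mod_phi": (e * d) % phi,
        "failures": failing_messages(e, d, n),
    }

if __name__ == "__main__":
    # Key values and messages are the ones used in the lecture.
    examples = {"slide": (7, 23, 187, 88), "whiteboard": (4, 2, 20, 15)}
    for label, (e, d, n, m) in examples.items():
        c = encrypt(m, e, n)
        report = check_key_pair(e, d, n)
        print(f"{label}: M={m} -> C={c} -> M'={decrypt(c, d, n)}")
        print(f"  phi(n)={report['phi']}, e*d mod phi={report['ed_mod_phi']}, "
              f"gcd(e, phi)==1: {report['e_invertible']}, "
              f"messages that fail: {len(report['failures'])} of {n}")
```

For E = 4, N = 20 no choice of D can repair the key, because 4 shares a factor with φ(20) = 8 and so has no multiplicative inverse mod 8.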