Mathematical algorithms of asymmetric cryptography and an introduction to public key infrastructure

Ravi Das
February 3, 2017 by
Ravi Das

Our last article provided an overview of what asymmetric cryptography infrastructure looks like. It is far different than that of a symmetric cryptography infrastructure, in that two sets of keys are being used as opposed to just one set. In this regard, it is the public key/private key combination that is utilized. Thus it affords it a much higher level of security than that of a symmetric cryptography infrastructure.

Also, an overview of the technical details of the public key/private key combinations was provided, as well as some of the disadvantages of utilizing an asymmetry cryptography infrastructure. The biggest disadvantage is that it can be much slower to use. The primary reason for this is the number of public key/private key combinations that can be generated and the sheer number of sending and receiving parties that can use them.

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.

In this article, we continue the theme of asymmetric cryptography, focusing on the following topics:

  1. The mathematical algorithms used
  2. The public key infrastructure

Click here for a primer into public key infrastructure.

The mathematical algorithms used

There are a number of key mathematical algorithms that serve as the crux for asymmetric cryptography, and of course, use widely differing mathematical algorithms than the ones used with symmetric cryptography. The mathematical algorithms used in asymmetric cryptography include the following:

  1. The RSA algorithm
  2. The Diffie-Hellman algorithm
  3. The Elliptical Wave Theory algorithm

The RSA algorithm

Regarding the RSA algorithm, this is probably the most famous and widely used asymmetric cryptography algorithm. In fact, this very algorithm serves as the foundation for the tools of bio cryptography, in which the principles of cryptography can be used to protect a biometric template further. The RSA algorithm originates from the RSA data corporation, and it is named after its inventors, namely Ron Rivest, Ali Shamir and Leonard Adelman.

The RSA algorithm uses the power of prime numbers to create both the public keys and the private keys. However, using such large keys to encrypt large amounts of information and data is totally infeasible, from the standpoint of the processing power and central server resources.

Instead, ironically, the encryption is done using symmetric cryptography algorithms. In this regard, the private key then gets further encrypted by the public key which is used by the sending party.

Once the receiving party obtains its ciphertext from the sending party, the private key which has been generated by the symmetric cryptography algorithms is then decrypted. From this point, the public key that was generated by the RSA algorithm can then be subsequently used to decrypt the rest of the ciphertext.

The Diffie-Hellman algorithm

Regarding the Diffie Hellman asymmetric algorithm, it is named after its inventors as well, who are White Diffie and Martin Hellman. It is also known as the "DH Algorithm." However, interestingly enough, this algorithm is not used for the encryption of the ciphertext, rather, its main objective is to find a solution for sending the public key/private key combination through a secure channel.

Here is how the Diffie-Hellman algorithm specifically works:

  1. The receiving party has possession of the public key and the private key that has been generated, but this time, they have been created by the Diffie-Hellman algorithm.
  2. The sending party receives the public key generated by the receiving party and thus uses the DH algorithm to generate another set of public keys, but on a temporary basis.
  3. The sending party now takes this newly created, temporary public key/private key combination sent by the receiving party to generate a random, secret number-this becomes known specifically as the "session key."
  4. The sending party uses this newly established session key to encrypt the ciphertext message further and sends this forward to the receiving party, with the public key which has been temporarily generated.
  5. When the receiving party finally receives the ciphertext message from the sending party, the session key can now be derived mathematically.
  6. Once the above step has been completed, the receiving party can now decrypt the rest of the ciphertext message.

The elliptical wave theory algorithm

The Elliptical Wave Theory algorithm is a much newer type of asymmetric mathematical algorithm. It can be used to encrypt a very large amount of data, and its main advantage is that it is very quick, and thus, does not require a lot of central server overhead or processing power. As its name implies, Elliptical Wave Theory first starts off with a parabolic curve which is composed over a normal, "x," "y," coordinate plane.

After the series of "x" and "y" coordinates are plotted, various lines are then drawn through the image of the curve, and this process continues until many more curves are created, and their corresponding interesting lines are also created.

Once this particular process has been completed, the plotted "x" and "y" coordinates of each of the intersected lines and parabolic curves are then extracted. Once this extraction has been completed, then all of the hundreds and hundreds of "x" and "y" coordinates are then added together to create the public and private keys.

However, the trick to decrypting a ciphertext message encrypted with the Elliptical Wave Theory algorithm is that the receiving party has to know the particular shape of the original elliptical curve, and all of the "x" and "y" coordinates of the lines that intersect with the various curves and the actual starting point at which the addition of the "x" and "y" coordinates was first created.

The public key infrastructure

Since the public key has become so important in both the encryption and the decryption of the ciphertext messages between the sending and the receiving parties and given the nature of its public role in the overall communications process, extensive research has been conducted.

This has primarily been geared to create an infrastructure that would make the process of creating and sending of the public key/private key combination much more robust and secure. In fact, this type of infrastructure happens to be a very sophisticated form of asymmetric cryptography, which is known as the "public key infrastructure," or "PKI" for short.

The basic premise of the PKI is to help create, organize, store and distribute as well as maintain the public keys. However, in this infrastructure, both of the public and private keys are referred to as "digital signatures," and they are not created by the sending and the receiving parties. Rather, they are created by a separate entity known as the "certificate authority," or "CA" for short.

This particular entity is usually an outside third party that hosts the technological infrastructure that is needed to initiate, create and distribute the digital certificates. At a very simplistic level, the PKI consists of the following components:

The certificate authority

This is the outside third party that creates, issues and distributes the digital certificates.

The digital certificate

As mentioned, this consists of both the public key and the private key, which are issued by the relevant certificate authority. This is also the entity that the end user would go to in case he or she needed to have a digital certificate verified. These digital certificates are typically kept in the central server of the business or the corporation.

The LDAP or X.500 directories

These are the databases that collect and distribute the digital certificates from the CA.

The registration authority, also known as the "RA"

If the place of business or corporation is very large (such as that of a multinational corporation or business, this entity then usually handles and processes the requests for the required digital certificates and then transmits those requests to the CA to process and create the required digital certificates.

Regarding the CA, it can be viewed as the governing body of the entire public key infrastructure. To start using the PKI to communicate with others, it is the CA that issues the digital certificates, which consist of both the public and the private keys.

Certificate authority specifications

Each digital certificate that is governed by certificate authority consists of the following technical specifications:

  • The digital certificate version number: Typically, this is either version numbers 1, 2 or 3.
  • The serial number: This is the unique ID number that separates and distinguishes a particular digital certificate from all of the others (in fact, this can even be likened to each digital certificate having its very own Social Security number).
  • The signature algorithm identifier: This contains the information and data about the mathematical algorithm used by the CA to issue the particular digital certificate.
  • The issuer name: This is the actual name of the certificate authority, which is issuing the digital certificate to the place of business or corporation.
  • The validity period: This contains both the activation and the deactivation dates of the digital certificates, in other words, this is the lifetime of the digital certificate as determined by the certificate authority.
  • The public key: This is created by the certificate authority.
  • The subject distinguished name: This is the name that specifies the digital certificate owner.
  • The subject alternate name email: This specifies the digital certificate's owner email address (this is where the actual digital certificates go to).
  • The subject name URL: This is the specific web address of the place of business or corporation to whom the digital certificates are issued to.

Our next article will examine how the public key infrastructure actually works, as well as the various PKI policies and rules which need to be implemented.

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.


Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at (or; and contact Ravi at