ElGamal Cryptosystem
ElGamal Cryptosystem is based on the discrete logarithm problem.
Sometimes this cryptosystem is also called a Diffie-Hellman type
cryptosystem, because it is based on an idea from the
Diffie-Hellman key exchange scheme, which we will discuss later.

Math
Suppose p is a prime. Then we can find some α ∈ Z_p such that
each number β ∈ Z_p^* (= Z_p \ {0}) can be written as β ≡ α^a (mod p)
for some a. Such an α is called a primitive element of Z_p (or equivalently,
GF(p)).
For example, if p = 7, then α = 3 is a primitive element of Z_7. This
is because in Z_7 we have:

1 = 3^6, 2 = 3^2, 3 = 3^1, 4 = 3^4, 5 = 3^5, 6 = 3^3.

Discrete logarithm problem
The discrete logarithm problem is: In the equation

β ≡ α^a (mod p) (β ≠ 1),

find the value of a if β, α and p are known.
There are several methods to attack the discrete logarithm problem.
To thwart known attacks, p should be at least 300 decimal digits,
and p − 1 should have at least one large prime factor.
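The following is an added worked example, not part of the lecture notes: it checks whether α is a primitive element of Z_p by the order test (α^((p−1)/q) ≢ 1 for every prime factor q of p − 1), reproduces the power table of the slide for p = 7, α = 3, and solves the discrete logarithm problem by exhaustive search. The function names and the sample values are my own; the brute-force solver is O(p) and is shown precisely to make clear why it is useless for the 300-digit primes the notes recommend.

```python
# Added example (not from the lecture notes): primitive elements of Z_p and
# the discrete logarithm problem, worked on the slide's small prime p = 7.
# Standard library only; all sample values are constructed.

def prime_factors(n):
    """Return the distinct prime factors of n by trial division (fine for small n)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive(alpha, p):
    """alpha is a primitive element of Z_p (p prime) iff its order is p - 1.

    The order divides p - 1, so it equals p - 1 exactly when
    alpha^((p-1)/q) != 1 (mod p) for every prime factor q of p - 1.
    The test is cheap once p - 1 is factored, which is one reason the slides
    ask for a p whose p - 1 has a known large prime factor.
    """
    alpha %= p
    if alpha == 0:
        return False
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def power_table(alpha, p):
    """Map each beta in Z_p^* to the exponent a, 1 <= a <= p-1, with alpha^a = beta (mod p)."""
    return {pow(alpha, a, p): a for a in range(1, p)}


def discrete_log_bruteforce(beta, alpha, p):
    """Solve beta = alpha^a (mod p) by trying every exponent a = 0, 1, ..., p-2.

    This is O(p) work: feasible for p = 7, hopeless for ~300-digit primes,
    and that gap is exactly what the ElGamal system relies on.
    """
    value = 1
    for a in range(p - 1):
        if value == beta % p:
            return a
        value = (value * alpha) % p
    return None  # beta is not in the subgroup generated by alpha


if __name__ == "__main__":
    p = 7
    print("primitive elements of Z_7:", [g for g in range(1, p) if is_primitive(g, p)])
    print("powers of 3 mod 7:", power_table(3, p))
    print("log_3(4) in Z_7 =", discrete_log_bruteforce(4, 3, p))
```

For p = 7 the primitive elements are 3 and 5; the table returned for α = 3 is the one on the slide, read as β → a.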

The system
Let p be a prime such that the discrete logarithm problem in Z_p is
intractable and let α ∈ Z_p^* be a primitive element. Let the plaintext space be
Z_p^* and the ciphertext space be Z_p^* × Z_p^*. Let

K = {(p, α, a, β) : β ≡ α^a (mod p)}.

The values of p, α and β are public and a is secret.
For K = (p, α, a, β) ∈ K and for a secret random number k ∈ Z_{p−1}
define
e_K(x, k) = (y1, y2),
where y1 = α^k (mod p), y2 = xβ^k (mod p).
For y1, y2 ∈ Z_p^*, define

d_K(y1, y2) = y2 (y1^a)^{−1} (mod p).

The correctness of the system is easy to check:

d_K(y1, y2) = y2 (y1^a)^{−1}
= xβ^k (α^{ak})^{−1}
≡ x (mod p)

Remarks
The ElGamal system is non-deterministic, since the ciphertext
depends not only on the plaintext and the public key, but also on the
random number k. A plaintext may have different ciphertexts,
which is good for the security of the system.
The length of a ciphertext is twice the length of its plaintext,
which is not good for network traffic.
When using the ElGamal system, the value of k should be kept
secret. Otherwise, x can be revealed from k and y2 by computing
x = y2 β^{−k} (mod p).
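As an added worked example (not code from the lecture notes), here is the system of the previous slides in the notes' own notation, p, α, a, β, k, (y1, y2), together with the remark just made: whoever learns k recovers x as y2 β^{−k} without knowing a. The function names are my own and the parameters are constructed toy values, far too small for any real use; the tiny case p = 7, α = 3 can be checked by hand.

```python
# Added example (not from the lecture notes): ElGamal key generation,
# encryption and decryption as defined on the slides, plus recovery of the
# plaintext from a leaked k. Standard library only; toy parameters.
import secrets

def keygen(p, alpha, a=None):
    """Public key (p, alpha, beta) and secret a with beta = alpha^a (mod p)."""
    if a is None:
        a = secrets.randbelow(p - 2) + 1        # 1 <= a <= p-2
    beta = pow(alpha, a, p)
    return (p, alpha, beta), a


def encrypt(pub, x, k=None):
    """e_K(x, k) = (y1, y2) with y1 = alpha^k, y2 = x * beta^k (mod p)."""
    p, alpha, beta = pub
    if not 1 <= x < p:
        raise ValueError("plaintext must lie in Z_p^*")
    if k is None:
        k = secrets.randbelow(p - 2) + 1        # fresh secret k for every message
    y1 = pow(alpha, k, p)
    y2 = (x * pow(beta, k, p)) % p
    return y1, y2


def decrypt(pub, a, ct):
    """d_K(y1, y2) = y2 * (y1^a)^(-1) (mod p); pow(v, -1, p) is the inverse of v mod p."""
    p, _, _ = pub
    y1, y2 = ct
    return (y2 * pow(pow(y1, a, p), -1, p)) % p


def recover_from_leaked_k(pub, ct, k):
    """The remark on the slide: with k known, x = y2 * beta^(-k) (mod p),
    computed from public values alone. Hence k must stay secret."""
    p, _, beta = pub
    _, y2 = ct
    return (y2 * pow(beta, -k, p)) % p


def roundtrip_ok(p, alpha, x):
    """Correctness check d_K(e_K(x, k)) = x with random a and k."""
    pub, a = keygen(p, alpha)
    return decrypt(pub, a, encrypt(pub, x)) == x


if __name__ == "__main__":
    # The slide's tiny field: p = 7, primitive element alpha = 3.
    pub, a = keygen(7, 3, a=2)          # beta = 3^2 mod 7 = 2
    ct = encrypt(pub, 5, k=3)            # (3^3 mod 7, 5 * 2^3 mod 7) = (6, 5)
    print("public key", pub, "ciphertext", ct, "decrypts to", decrypt(pub, a, ct))
    print("same plaintext, k = 1:", encrypt(pub, 5, k=1))   # a different ciphertext
    print("recovered from leaked k:", recover_from_leaked_k(pub, ct, 3))
```

Encrypting the same x with two different values of k gives two different ciphertexts, which is the non-determinism the remark refers to; the ciphertext is a pair of elements of Z_p^*, hence twice the size of the plaintext.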

Implementation
To implement the system, we need the following algorithms:
1. Find a large prime p such that p − 1 has at least one large prime
factor.
2. Find a primitive element α of Z_p.
3. Choose a random number k ∈ Z_{p−1}.
4. Compute α^k (mod p) and xβ^k (mod p).
5. Compute (y1^a)^{−1} (mod p).

We can first find a large prime q. Then we try some random
number r such that qr + 1 = p is a prime.
To find a primitive element, we can choose a random α and let
g = α^r. If g ≢ 1 (mod p), then we use α in the ElGamal system.
Otherwise try another value of α.
In fact, α is not necessarily a primitive element of Z_p^* by using this
method. But it is guaranteed that α has an order not less than q.
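The recipe of the last two slides, as an added worked example that is not part of the lecture notes: pick a prime q, try random even r until p = qr + 1 is prime, then pick α with α^r ≢ 1 (mod p). Since ord(α) divides qr and does not divide r, the prime q divides ord(α), so ord(α) ≥ q as the slide states. The primality test, function names and bit sizes are my own choices; the sizes are tiny so that the example runs instantly.

```python
# Added example (not from the lecture notes): parameter generation following
# the slides, p = q*r + 1 and alpha with alpha^r != 1 (mod p).
# Standard library only; deliberately small bit sizes.
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases (trial division first)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_p(q, r_bits):
    """Step 1 of the slides: try random r until p = q*r + 1 is prime. Returns (p, r)."""
    while True:
        r = secrets.randbits(r_bits) & ~1      # r must be even, otherwise q*r + 1 is even
        if r == 0:
            continue
        p = q * r + 1
        if is_probable_prime(p):
            return p, r


def find_alpha(p, r):
    """Step 2 of the slides: random alpha with alpha^r != 1 (mod p).

    ord(alpha) divides p - 1 = q*r but not r, so q divides ord(alpha).
    alpha need not be primitive, but its order is at least q.
    """
    while True:
        alpha = secrets.randbelow(p - 2) + 2   # 2 <= alpha <= p-1
        if pow(alpha, r, p) != 1:
            return alpha


def generate_params(q_bits=40, r_bits=16):
    """Return (p, q, r, alpha) produced by the slides' recipe."""
    q = random_prime(q_bits)
    p, r = generate_p(q, r_bits)
    return p, q, r, find_alpha(p, r)


def order_is_multiple_of_q(alpha, p, q, r):
    """Independent check: alpha^r != 1 and alpha^(q*r) == 1 (mod p) imply q | ord(alpha)."""
    return pow(alpha, r, p) != 1 and pow(alpha, q * r, p) == 1


if __name__ == "__main__":
    p, q, r, alpha = generate_params()
    print("q =", q, "r =", r, "p = q*r + 1 =", p, "alpha =", alpha)
    print("q divides ord(alpha):", order_is_multiple_of_q(alpha, p, q, r))
```

With q_bits raised to the size the notes ask for (p of about 300 decimal digits), only the running time changes; the logic is the same.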

It is easy to see that if we can solve the discrete logarithm
problem, then the ElGamal system is broken.
The ElGamal system can be established in any cyclic group. In this
section, we used Z_p^*, a cyclic group of order p − 1, for the system.
In practice, other cyclic groups are used. For example, for a prime
p, Z_{p^n}, n a positive integer, and Z_q, q a prime factor of p − 1, are
used for different systems.

Other PK systems
The Rabin Cryptosystem also uses a number n = pq, where p, q are
large primes such that p, q ≡ 3 (mod 4). The encryption function is

e_K(x) = x^2 mod n

and the decryption function is

d_K(y) = √y mod n.

The security of the Rabin system is based on some number theory
facts. In general, finding the value √y mod n is very difficult unless
n is a prime. However, if p and q are known, then there is an
easy way to compute √y mod n for n = pq.
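An added worked example, not from the lecture notes, of the "easy way" just mentioned: for a prime p ≡ 3 (mod 4) a square root of y is y^((p+1)/4) mod p, and the Chinese remainder theorem combines the roots modulo p and q into the four square roots modulo n = pq. The toy primes p = 7, q = 11 and the function names are my own.

```python
# Added example (not from the lecture notes): Rabin encryption x^2 mod n and
# square roots mod n = pq when p, q = 3 (mod 4) are known.
# Standard library only; p = 7, q = 11 are constructed toy values.

def rabin_encrypt(x, n):
    """e_K(x) = x^2 mod n."""
    return pow(x, 2, n)


def sqrt_mod_prime_3mod4(y, p):
    """For p = 3 (mod 4) and y a square mod p, y^((p+1)/4) is a square root:
    its square is y^((p+1)/2) = y * y^((p-1)/2) = y by Euler's criterion."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    return pow(y, (p + 1) // 4, p)


def crt_combine(a, p, b, q):
    """The unique x mod pq with x = a (mod p) and x = b (mod q)."""
    n = p * q
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n


def rabin_decrypt_candidates(y, p, q):
    """d_K(y) = sqrt(y) mod n: the four square roots of y modulo n = pq.

    Without p and q this is believed to be as hard as factoring n; with them
    it is two prime-field square roots plus the CRT. The receiver then has
    to pick the intended plaintext among the four roots.
    """
    rp = sqrt_mod_prime_3mod4(y % p, p)
    rq = sqrt_mod_prime_3mod4(y % q, q)
    roots = {crt_combine(sp, p, sq, q)
             for sp in (rp, (-rp) % p)
             for sq in (rq, (-rq) % q)}
    return sorted(roots)


if __name__ == "__main__":
    p, q = 7, 11
    n = p * q
    x = 20
    y = rabin_encrypt(x, n)          # 20^2 mod 77 = 15
    print("n =", n, "x =", x, "y =", y)
    print("square roots of y mod n:", rabin_decrypt_candidates(y, p, q))
```

For x = 20 the ciphertext is 15 and the four roots are 13, 20, 57 and 64; each of them squares to 15 modulo 77, so the plaintext alone does not single itself out among them.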

There are some variant forms of the RSA system. For example, some
people suggested using n = pqr, a product of three primes.
Others suggested using n = p^2 q, where p, q are primes, etc.

The Elliptic curve cryptosystem uses the idea from the ElGamal
system. In the ElGamal system, each element in Z_p^* can be written
as α^i for some i; Z_p^* is a cyclic group generated by α. The Elliptic
curve system uses a group different from Z_p^*. The system uses a
group of the solutions of y^2 ≡ x^3 + ax + b (mod p) instead of the
group Z_p^*. Elliptic curve systems depend on more mathematics.
The decryption in an Elliptic curve system is more efficient than
that in an RSA system.

Another interesting public-key system is NTRU, which uses
polynomial rings and depends on some problems in a mathematical
structure called lattices. There is some relationship between the
factoring problem and the discrete logarithm problem. However, lattice
problems seem to be different from these problems.

Public-key Systems and Secret-key Systems
In general a public key cryptosystem is much slower than a secret
key cryptosystem. For example, the RSA system is about 1500
times slower than DES.
Usually, we will use a public key system to send a key for some secret
key cryptosystem and then use the secret key cryptosystem to
encrypt the plaintexts. So one of the important applications of
public-key systems is distributing secret keys, which we will discuss
later.

Example
Suppose Bob has an RSA system. So he has published his public key
Kpub and stored his private key Kpri in a secure place.
Alice wants to communicate with Bob. She first chooses a random
key K for the AES system. Then she sends Bob the value of e_Kpub(K).
Since only Bob has the key Kpri, he can obtain K securely.
After that Alice and Bob can use AES with the common key K to
encrypt their communication.

Remark
For the security of a public key cryptosystem, we need to consider
chosen plaintext attacks.
All the existing public key cryptosystems are based on some
difficult mathematical problems. Usually we call such a system a
computationally secure cryptosystem, because we don't know efficient
algorithms to solve these problems. If some efficient algorithm is
invented in the future, then the system will no longer be secure.
