ElGamal Cryptosystem
The ElGamal Cryptosystem is based on the discrete logarithm problem.
Sometimes this cryptosystem is also called a Diffie-Hellman type
cryptosystem, because it is based on an idea from the
Diffie-Hellman key exchange scheme, which we will discuss later.
Math
Suppose p is a prime. Then we can find some α ∈ Z_p such that
each number β ∈ Z_p^* (= Z_p \ {0}) can be written as β ≡ α^a (mod p)
for some a. Such an α is called a primitive element of Z_p (or equivalently,
of GF(p)).
For example, if p = 7, then α = 3 is a primitive element of Z_7. This
is because in Z_7 we have:

            1 = 3^6, 2 = 3^2, 3 = 3^1, 4 = 3^4, 5 = 3^5, 6 = 3^3.
Discrete logarithm problem
The discrete logarithm problem is: in the equation

                    β ≡ α^a    (mod p)    (β ≠ 1),

find the value of a if β, α and p are known.
There are several methods to attack the discrete logarithm problem.
To thwart known attacks, p should be at least 300 decimal digits,
and p − 1 should have at least one large prime factor.
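The two definitions above, checked by brute force for the small example p = 7, α = 3 from the text. This is an added example, not code from the lecture notes: the function names powers_table, is_primitive and discrete_log are my own. Enumerating every exponent is exactly the approach that becomes infeasible once p is hundreds of digits long, which is the point of the size requirement on p.

```python
# Added example (not part of the original lecture notes): primitive elements
# of Z_p and the discrete logarithm problem, for p small enough that trying
# every exponent is feasible. p = 7, alpha = 3 are the values from the text.

def powers_table(alpha, p):
    """Map each beta in Z_p^* to the smallest exponent a in 1..p-1 with
    alpha^a = beta (mod p). Some beta are missing when alpha is not
    primitive, because its powers then do not cover all of Z_p^*."""
    table = {}
    for a in range(1, p):
        beta = pow(alpha, a, p)
        table.setdefault(beta, a)
    return table

def is_primitive(alpha, p):
    """alpha is a primitive element of Z_p iff its powers produce every
    element of Z_p^* = {1, ..., p-1}."""
    return len(powers_table(alpha, p)) == p - 1

def discrete_log(beta, alpha, p):
    """Brute-force solution of beta = alpha^a (mod p): try every exponent.
    This costs O(p) modular exponentiations, which is why p must be very
    large (the text asks for at least 300 decimal digits) in practice."""
    for a in range(1, p):
        if pow(alpha, a, p) == beta % p:
            return a
    raise ValueError("beta is not a power of alpha modulo p")

if __name__ == "__main__":
    print(powers_table(3, 7))                     # the table from the text
    print(is_primitive(3, 7), is_primitive(2, 7))  # True, False (2^3 = 8 = 1 mod 7)
    print(discrete_log(4, 3, 7))                  # 4, since 3^4 = 81 = 4 mod 7
```

Note that 2 is not primitive modulo 7: its powers cycle through 2, 4, 1 only, so the table for α = 2 has three entries instead of six.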
The system
Let p be a prime such that the discrete logarithm problem in Z_p is
intractable and let α ∈ Z_p^* be a primitive element. Let the plaintext
space be Z_p^* and the ciphertext space be Z_p^* × Z_p^*. Let

                  K = {(p, α, a, β) : β ≡ α^a (mod p)}.

The values of p, α and β are public and a is secret.
For K = (p, α, a, β) ∈ K and for a secret random number k ∈ Z_{p−1}
define
                         e_K(x, k) = (y_1, y_2),
where y_1 = α^k (mod p), y_2 = xβ^k (mod p).
For y_1, y_2 ∈ Z_p^*, define

                   d_K(y_1, y_2) = y_2 (y_1^a)^{−1}   (mod p).
The correctness of the system is easy to check:

                   d_K(y_1, y_2) = y_2 (y_1^a)^{−1}
                                 = xβ^k (α^{ak})^{−1}
                                 ≡ x (mod p)
Remarks
The ElGamal system is non-deterministic, since the ciphertext
depends not only on the plaintext and the public key, but also on the
random number k. A plaintext may have different ciphertexts,
which is good for the security of the system.
The length of a ciphertext is twice the length of its plaintext,
which is not good for the network traffic.
When using the ElGamal system, the value of k must be kept
secret. Otherwise, x can be revealed from k and y_2 by computing
x = y_2 β^{−k} (mod p).
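The system as defined above (key generation, e_K, d_K and the correctness check), together with the remark that a leaked k gives away x, written out as an added example. This is not code from the lecture notes; the function names and the toy parameters are mine. p = 2579 is prime with p − 1 = 2·1289, and 2 is a primitive element modulo it; these values are only for demonstration and are nowhere near the 300 digits the text requires.

```python
import secrets

# Added example (not part of the original lecture notes): ElGamal over Z_p^*
# as defined in the text. Constructed toy parameters: p = 2579 is prime and
# alpha = 2 is a primitive element mod 2579. Far too small for real use.
P, ALPHA = 2579, 2

def elgamal_keygen(p=P, alpha=ALPHA, a=None):
    """Return ((p, alpha, beta), a): beta = alpha^a mod p is public, a is secret.
    a is drawn at random unless the caller supplies one (as the tests do)."""
    if a is None:
        a = secrets.randbelow(p - 2) + 1          # 1 <= a <= p-2
    return (p, alpha, pow(alpha, a, p)), a

def elgamal_encrypt(pub, x, k=None):
    """e_K(x, k) = (y1, y2) with y1 = alpha^k, y2 = x * beta^k (mod p).
    k must be fresh and secret for every message; it is drawn at random
    unless the caller passes one explicitly."""
    p, alpha, beta = pub
    if not 1 <= x <= p - 1:
        raise ValueError("plaintext must lie in Z_p^*")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    y1 = pow(alpha, k, p)
    y2 = (x * pow(beta, k, p)) % p
    return y1, y2

def elgamal_decrypt(pub, a, ct):
    """d_K(y1, y2) = y2 * (y1^a)^(-1) (mod p), using the private key a."""
    p, _, _ = pub
    y1, y2 = ct
    return (y2 * pow(pow(y1, a, p), -1, p)) % p

def plaintext_from_leaked_k(pub, ct, k):
    """The remark in the text: whoever learns k recovers x = y2 * beta^(-k)
    (mod p) from the ciphertext and the public key alone, without a."""
    p, _, beta = pub
    _, y2 = ct
    return (y2 * pow(beta, -k, p)) % p

if __name__ == "__main__":
    pub, a = elgamal_keygen()
    ct1 = elgamal_encrypt(pub, 1299)
    ct2 = elgamal_encrypt(pub, 1299)
    print(ct1 != ct2)                    # same plaintext, two different ciphertexts
    print(elgamal_decrypt(pub, a, ct1))  # 1299
```

Each ciphertext is a pair of elements of Z_p^*, which is the doubling of length the remarks mention. The last function is the reason k is part of the secret state: it needs only y_2, β and k, so a reused or predictable k removes the protection that a is supposed to give.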
Implementation
To implement the system, we need the following algorithms:
 1. Find a large prime p such that p − 1 has at least one large prime
    factor.
 2. Find a primitive element α of Z_p.
 3. Choose a random number k ∈ Z_{p−1}.
 4. Compute α^k (mod p) and xβ^k (mod p).
 5. Compute (y_1^a)^{−1} (mod p).
We can first find a large prime q. Then we try random
numbers r until qr + 1 = p is a prime.
To find a primitive element, we can choose a random α and let
g = α^r. If g ≢ 1 (mod p), then we use α in the ElGamal system.
Otherwise try another value of α.
In fact, α is not necessarily a primitive element of Z_p^* when found
by this method. But it is guaranteed that α has an order not less than q.
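The parameter-generation procedure of the last two slides (find q, find r with qr + 1 prime, then keep an α with α^r ≢ 1) as an added example; it is not the lecture's own code. The primality test is Miller-Rabin with trial division in front, the bit sizes are assumptions chosen so the search finishes in well under a second, and the function names are mine. r is drawn even so that p = qr + 1 is odd.

```python
import random

# Added example (not part of the original lecture notes): generating
# ElGamal parameters p = q*r + 1 and an element alpha of order >= q.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, rounds=20, rng=random):
    """Trial division by small primes, then Miller-Rabin with `rounds` bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a witnesses that n is composite
    return True

def random_prime(bits, rng):
    """Random odd `bits`-bit integer that passes is_probable_prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def generate_elgamal_parameters(q_bits=32, r_bits=16, rng=None):
    """Return (p, q, r, alpha): q prime, p = q*r + 1 prime, alpha^r != 1 (mod p).
    Since ord(alpha) divides p - 1 = q*r but not r, q divides ord(alpha),
    so ord(alpha) >= q, as the text states. The bit sizes are toy values."""
    rng = rng or random.Random()
    q = random_prime(q_bits, rng)
    while True:
        r = 2 * rng.randrange(1, 1 << (r_bits - 1))   # even r keeps p odd
        p = q * r + 1
        if is_probable_prime(p, rng=rng):
            break
    while True:
        alpha = rng.randrange(2, p - 1)
        if pow(alpha, r, p) != 1:
            return p, q, r, alpha

if __name__ == "__main__":
    p, q, r, alpha = generate_elgamal_parameters()
    print(f"p = {p} = {q} * {r} + 1, alpha = {alpha}")
    print(pow(alpha, r, p) != 1, pow(alpha, p - 1, p) == 1)   # True True
```

With a seeded random.Random the output is reproducible, which is convenient for checking but is of course not how keys are generated for real use; there the generator must be a cryptographic one and q_bits must be large enough that the discrete logarithm in the order-q subgroup is intractable.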
It is easy to see that if we can solve the discrete logarithm
problem, then the ElGamal system is broken.
The ElGamal system can be established in any cyclic group. In this
section, we used Z_p^*, a cyclic group of order p − 1, for the system.
In practice, other cyclic groups are used. For example, for a prime
p, Z_{p^n}, n a positive integer, and Z_q, q a prime factor of p − 1, are
used for different systems.
Other PK systems
The Rabin Cryptosystem also uses a number n = pq, where p, q are
large primes such that p, q ≡ 3 (mod 4). The encryption function is

                        e_K(x) = x^2 mod n

and the decryption function is

                       d_K(y) = √y mod n.

The security of the Rabin system is based on some number theory
facts. In general, finding the value √y mod n is very difficult unless
n is a prime. However, if p and q are known, then there is an
easy way to compute √y mod n for n = pq.
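The "easy way" for p, q ≡ 3 (mod 4), as an added example rather than code from the lecture: modulo a prime p ≡ 3 (mod 4) a square root of a quadratic residue y is y^((p+1)/4), and the two roots modulo p and the two modulo q combine by the Chinese remainder theorem into the four square roots modulo n. The function names and the toy primes are mine.

```python
# Added example (not part of the original lecture notes): Rabin encryption
# and decryption for n = p*q with p, q = 3 (mod 4).

def rabin_encrypt(x, n):
    """e_K(x) = x^2 mod n."""
    return pow(x, 2, n)

def sqrt_mod_prime_3mod4(y, p):
    """A square root of y modulo a prime p = 3 (mod 4): y^((p+1)/4).
    Raises if y is not a quadratic residue, in which case the formula
    gives something else."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    r = pow(y, (p + 1) // 4, p)
    if (r * r) % p != y % p:
        raise ValueError("y is not a quadratic residue mod p")
    return r

def crt(a_p, p, a_q, q):
    """The x in [0, p*q) with x = a_p (mod p) and x = a_q (mod q)."""
    n = p * q
    inv_q_mod_p = pow(q, -1, p)
    inv_p_mod_q = pow(p, -1, q)
    return (a_p * q * inv_q_mod_p + a_q * p * inv_p_mod_q) % n

def rabin_decrypt(y, p, q):
    """d_K(y) = sqrt(y) mod n, which is four values when p and q are known:
    combine (+-rp mod p) with (+-rq mod q) via the CRT. Without p and q
    this step is as hard as factoring n, which is where the security lies."""
    rp = sqrt_mod_prime_3mod4(y % p, p)
    rq = sqrt_mod_prime_3mod4(y % q, q)
    roots = set()
    for sp in (rp, (-rp) % p):
        for sq in (rq, (-rq) % q):
            roots.add(crt(sp, p, sq, q))
    return sorted(roots)

if __name__ == "__main__":
    p, q = 7, 11                         # toy primes, both 3 mod 4
    y = rabin_encrypt(20, p * q)         # 400 mod 77 = 15
    print(y, rabin_decrypt(y, p, q))     # 15 [13, 20, 57, 64]
```

The four roots come in pairs x and n − x, and only one of them is the original plaintext; the receiver needs some redundancy in the message (padding or a known format) to pick it out, which the text does not cover.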
There are some variant forms of the RSA system. For example, some
people have suggested using n = pqr, a product of three primes.
Others have suggested using n = p^2 q, where p, q are primes, etc.
The Elliptic curve cryptosystem uses the idea from the ElGamal
system. In the ElGamal system, each element in Z_p^* can be written
as α^i for some i: Z_p^* is a cyclic group generated by α. The Elliptic
curve system uses a group different from Z_p^*. The system uses the
group of the solutions of y^2 ≡ x^3 + ax + b (mod p) instead of the
group Z_p^*. Elliptic curve systems depend on more mathematics.
The decryption in an Elliptic curve system is more efficient than
that in an RSA system.
Another interesting public-key system is NTRU, which uses
polynomial rings and depends on some problems in a mathematical
structure called lattices. There is some relationship between the
factoring problem and the discrete logarithm problem. However, the
lattice problem seems to be different from these problems.
Public-key Systems and Secret-key Systems
In general a public-key cryptosystem is much slower than a secret-key
cryptosystem. For example, the RSA system is about 1500
times slower than DES.
Usually, we use a public-key system to send a key for some secret-key
cryptosystem and then use the secret-key cryptosystem to
encrypt the plaintexts. So one of the important applications of
public-key systems is distributing secret keys, which we will discuss
later.
Example
Suppose Bob has an RSA system, so he has published his public key
K_pub and stored his private key K_pri in a secure place.
Alice wants to communicate with Bob. She first chooses a random
key K for the AES system. Then she sends Bob the value e_{K_pub}(K).
Since only Bob has the key K_pri, he can obtain K securely.
After that Alice and Bob can use AES with the common key K to
encrypt their communication.
Remark
For the security of a public-key cryptosystem, we need to consider
chosen-plaintext attacks.
All the existing public-key cryptosystems are based on some
difficult mathematical problems. Usually we call such a system a
computationally secure cryptosystem, because we do not know efficient
algorithms to solve these problems. If some efficient algorithm is
invented in the future, then the system will no longer be secure.