ElGamal Cryptosystem
ElGamal Cryptosystem is based on the discrete logarithm problem.
Sometimes this cryptosystem is also called Diffie-Hellman type
cryptosystem, because this system is based on some idea from
Diffie-Hellman key exchange scheme which we will discuss later.

Suppose $p$ is a prime. Then we can find some $\alpha \in \mathbb{Z}_p$ such that
each number $\beta \in \mathbb{Z}_p^*$ ($= \mathbb{Z}_p \setminus \{0\}$) can be written as
$\beta \equiv \alpha^a \pmod p$ for some $a$; such an $\alpha$ is called a primitive
element of $\mathbb{Z}_p$ (or equivalently, of $GF(p)$).
For example, if $p = 7$, then $\alpha = 3$ is a primitive element of $\mathbb{Z}_7$.
This is because in $\mathbb{Z}_7$ we have:

$$1 = 3^6,\quad 2 = 3^2,\quad 3 = 3^1,\quad 4 = 3^4,\quad 5 = 3^5,\quad 6 = 3^3.$$

Discrete logarithm problem
The discrete logarithm problem is: in the equation

$$\beta \equiv \alpha^a \pmod p \qquad (\beta \neq 1),$$

find the value of $a$ if $\beta$, $\alpha$ and $p$ are known.
There are several methods to attack the discrete logarithm problem.
To thwart known attacks, p should be at least 300 decimal digits,
and p − 1 should have at least one large prime factor.

The system
Let $p$ be a prime such that the discrete logarithm problem in $\mathbb{Z}_p$ is
intractable and let $\alpha \in \mathbb{Z}_p^*$ be a primitive element. Let the
plaintext space be $\mathbb{Z}_p^*$ and the ciphertext space be
$\mathbb{Z}_p^* \times \mathbb{Z}_p^*$. Let

$$\mathcal{K} = \{(p, \alpha, a, \beta) : \beta \equiv \alpha^a \pmod p\}.$$

The values of $p$, $\alpha$ and $\beta$ are public and $a$ is secret.
For $K = (p, \alpha, a, \beta) \in \mathcal{K}$ and for a secret random number
$k \in \mathbb{Z}_{p-1}$,

$$e_K(x, k) = (y_1, y_2),$$

where $y_1 = \alpha^k \pmod p$ and $y_2 = x\beta^k \pmod p$.
For $y_1, y_2 \in \mathbb{Z}_p^*$, define

$$d_K(y_1, y_2) = y_2 \, (y_1^a)^{-1} \pmod p.$$

The correctness of the system is easy to check:

$$
\begin{aligned}
d_K(y_1, y_2) &= y_2 \, (y_1^a)^{-1} \\
              &= x\beta^k \, (\alpha^{ak})^{-1} \\
              &\equiv x \pmod p
\end{aligned}
$$

The ElGamal system is non-deterministic, since the ciphertext
depends not only on the plaintext and the public key, but also on the
random number $k$. A plaintext may have different ciphertexts,
which is good for the security of the system.
The length of a ciphertext is twice the length of its plaintext,
which is not good for network traffic.
When using the ElGamal system, the value of $k$ must be kept
secret. Otherwise, $x$ can be recovered from $k$ and $y_2$ by computing
$x = y_2 \beta^{-k} \pmod p$.

To implement the system, we need the following algorithms:
 1. Find a large prime $p$ such that $p - 1$ has at least one large prime factor.
 2. Find a primitive element $\alpha$ of $\mathbb{Z}_p$.
 3. Choose a random number $k \in \mathbb{Z}_{p-1}$.
 4. Compute $\alpha^k \pmod p$ and $x\beta^k \pmod p$.
 5. Compute $(y_1^a)^{-1} \pmod p$.

We can first find a large prime $q$. Then we try random
numbers $r$ until $qr + 1 = p$ is a prime.
To find a primitive element, we can choose a random $\alpha$ and let
$g = \alpha^r$. If $g \not\equiv 1 \pmod p$, then we use $\alpha$ in the ElGamal system.
Otherwise try another value of $\alpha$.
In fact, $\alpha$ found by this method is not necessarily a primitive element
of $\mathbb{Z}_p^*$. But it is guaranteed that $\alpha$ has order not less than $q$.
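The whole scheme from the preceding sections, worked as an added example (not code from the lecture notes): parameter generation follows the recipe above (prime $q$, random $r$ with $p = qr + 1$ prime, $\alpha$ with $\alpha^r \not\equiv 1$), followed by key generation, $e_K$, $d_K$, and the recovery $x = y_2\beta^{-k}$ that shows why $k$ must stay secret. Function names and the Miller-Rabin primality test are my own choices; `pow(b, -1, p)` for modular inverses needs Python 3.8 or later.

```python
import secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin: declares a composite "prime" only with negligible probability
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits):
    # Page's recipe: prime q, random r with p = q*r + 1 prime, then alpha with
    # alpha^r != 1 (mod p), which guarantees ord(alpha) is a multiple of q.
    q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    while True:
        r = secrets.randbelow(1 << 16) + 2
        p = q * r + 1
        if is_probable_prime(p):
            break
    while True:
        alpha = secrets.randbelow(p - 2) + 2
        if pow(alpha, r, p) != 1:
            return p, q, r, alpha
def keygen(p, alpha):  # public key (p, alpha, beta), secret exponent a
    a = secrets.randbelow(p - 2) + 1
    return (p, alpha, pow(alpha, a, p)), a
def encrypt(pub, x, k=None):  # e_K(x, k) = (alpha^k, x * beta^k) mod p
    p, alpha, beta = pub
    if k is None:
        k = secrets.randbelow(p - 2) + 1  # fresh per message, never disclosed
    return pow(alpha, k, p), (x * pow(beta, k, p)) % p
def decrypt(p, a, y1, y2):  # d_K(y1, y2) = y2 * (y1^a)^(-1) mod p
    return (y2 * pow(pow(y1, a, p), -1, p)) % p
def recover_with_leaked_k(pub, y2, k):  # x = y2 * beta^(-k): why k stays secret
    p, _, beta = pub
    return (y2 * pow(beta, -k, p)) % p
```

With the textbook parameters $p = 7$, $\alpha = 3$, $a = 4$ (so $\beta = 4$) and $k = 2$, encrypting $x = 5$ gives $(y_1, y_2) = (2, 3)$ and decryption returns 5.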

It is easy to see that if we can solve the discrete logarithm
problem, then the ElGamal system is broken.
The ElGamal system can be established in any cyclic group. In this
section, we used $\mathbb{Z}_p^*$, a cyclic group of order $p - 1$, for the system.
In practice, other cyclic groups are used. For example, for a prime
$p$, $\mathbb{Z}_{p^n}$, $n$ a positive integer, and $\mathbb{Z}_q$, $q$ a prime factor of $p - 1$,
are used for different systems.

Other PK systems
The Rabin Cryptosystem also uses a number $n = pq$, where $p, q$ are
large primes such that $p, q \equiv 3 \pmod 4$. The encryption function is

$$e_K(x) = x^2 \bmod n$$

and the decryption function is

$$d_K(y) = \sqrt{y} \bmod n.$$

The security of the Rabin system is based on some number theory
facts. In general, to find the value $\sqrt{y} \bmod n$ is very difficult unless
$n$ is a prime. However, if $p$ and $q$ are known, then there is an
easy way to compute $\sqrt{y} \bmod n$ for $n = pq$.
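The "easy way" for whoever knows $p$ and $q$, as an added example that is not part of the notes: with $p, q \equiv 3 \pmod 4$ a square root modulo each prime is a single exponentiation by $(p+1)/4$, and the Chinese remainder theorem combines the two signs into the four square roots modulo $n = pq$ (the sample modulus $77 = 7 \cdot 11$ and the function names are mine).

```python
def rabin_encrypt(n, x):  # e_K(x) = x^2 mod n
    return pow(x, 2, n)

def rabin_decrypt(p, q, y):
    # With p, q = 3 (mod 4), sqrt mod each prime is one exponentiation
    # (Euler's criterion); CRT then yields the four square roots modulo n = p*q.
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    rp = pow(y, (p + 1) // 4, p)  # rp^2 = y (mod p) whenever y is a square mod p
    rq = pow(y, (q + 1) // 4, q)
    cp = q * pow(q, -1, p)  # CRT basis element: cp = 1 (mod p), 0 (mod q)
    cq = p * pow(p, -1, q)  # cq = 0 (mod p), 1 (mod q)
    roots = {(sp * cp + sq * cq) % n
             for sp in (rp, p - rp) for sq in (rq, q - rq)}
    # keep only genuine roots: if y is not a square mod n, candidates fail here
    return sorted(z for z in roots if pow(z, 2, n) == y)
```

Because the four roots are all valid decryptions, a real Rabin deployment needs redundancy in the plaintext to pick the intended one; the notes leave that detail out.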

There are some variant forms of the RSA system. For example, some
people suggested using $n = pqr$, a product of three primes.
Some people suggested using $n = p^2 q$, where $p, q$ are primes, etc.

The Elliptic curve cryptosystem uses the idea from the ElGamal
system. In the ElGamal system, each element in $\mathbb{Z}_p^*$ can be written
as $\alpha^i$ for some $i$; $\mathbb{Z}_p^*$ is a cyclic group generated by $\alpha$. The Elliptic
curve system uses a group different from $\mathbb{Z}_p^*$: the group of the
solutions of $y^2 \equiv x^3 + ax + b \pmod p$ takes the place of the
group $\mathbb{Z}_p^*$. Elliptic curve systems depend on more mathematics.
The decryption in an Elliptic curve system is more efficient than
that in an RSA system.

Another interesting public-key system is NTRU, which uses
polynomial rings and depends on some problems in a mathematical
structure called lattices. There is some relationship between the
factoring problem and the discrete logarithm problem. However, lattice
problems seem to be different from these problems.

Public-key Systems and Secret-key Systems
In general a public key cryptosystem is much slower than a secret
key cryptosystem. For example, the RSA system is about 1500
times slower than DES.
Usually, we will use a public key system to send a key of some secret
key cryptosystem and then use the secret key cryptosystem to
encrypt the plaintexts. So one of the important applications of
public-key systems is to distribute secret keys, which we will discuss

Suppose Bob has an RSA system. So he published his public key
$K_{pub}$ and stored his private key $K_{pri}$ in a secure place.
Alice wants to communicate with Bob. She first chooses a random
key $K$ for the AES system. Then she sends Bob the value of $e_{K_{pub}}(K)$.
Since only Bob has the key $K_{pri}$, he can obtain $K$ securely.
After that Alice and Bob can use AES with the common key $K$ to
encrypt their communication.

For the security of a public key cryptosystem, we need to consider
chosen plaintext attacks.
All the existing public key cryptosystems are based on some
difficult mathematical problems. Usually we call such a system a
computationally secure cryptosystem, because we don't know efficient
algorithms to solve these problems. If some efficient algorithm is
invented in the future, then the system will no longer be secure.