KAIST
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
TAHER ELGAMAL, IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985
Suhyung Kim, Yeojeong Yoon
2010. 2. 25


Outline

Introduction

Diffie-Hellman key distribution

Elgamal Public Key System

Elgamal Digital Signature Scheme

Property

Comparison

Attacks on the Signature

Conclusion

Introduction

Public-key Encryption (Asymmetric Cryptosystem)

- First proposed in 1976
    "New Directions in Cryptography", Diffie and Hellman
    Did not produce an algorithm
- RSA cryptosystem (1978)
    Based on difficulty of factoring large integers
- ElGamal cryptosystem (1985)
    Based on discrete logarithm problem

[Figure: A (sender) encrypts the plaintext with the public key; B (receiver) decrypts with the secret key.]

Introduction

RSA Cryptosystem

- "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", published in 1978
- Proposed by Rivest, Shamir, and Adleman
- Used a computationally difficult problem
    Breaking requires factoring of large numbers

1. Select p, q (large primes)
2. Calculate n = p × q and φ(n)
3. Select b such that gcd(b, φ(n)) = 1
4. Calculate a such that b × a ≡ 1 (mod φ(n))

Public key : (n, b)
Private key : (p, q, a)

e_K(x) = x^b mod n
d_K(y) = y^a mod n

Introduction

Discrete Logarithm Problem (DLP)

The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP), which is as follows:

    Given a prime p and values g and y, find x such that y = g^x mod p

- For a small value of p, it is easy to solve a DLP
    By trial and error or exhaustive search
- For a large value of p, finding discrete logarithms is difficult
    For a large value of p (p has around 300 decimal digits) it is not possible to solve a DLP using current technology

Diffie-Hellman key distribution

- Public parameter
    p : large prime
    α : generator of Z_p*
- Secret parameter
    x_A (A's), x_B (B's)

A computes y_A ≡ α^{x_A} mod p and sends y_A to B
B computes y_B ≡ α^{x_B} mod p and sends y_B to A

K_AB ≡ α^{x_A x_B} ≡ y_A^{x_B} ≡ y_B^{x_A} mod p

- x_A = log_α y_A, x_B = log_α y_B
    Based on Discrete Logarithm Problem
- p-1 should have at least one "large" prime factor
    If p-1 has only small prime factors, then computing discrete logarithms is easy

Elgamal Public Key System

- A way to implement the previous Diffie-Hellman scheme
- A wants to send B a message m, where 0 ≤ m ≤ p-1
- A chooses a number k uniformly between 0 and p-1

- Public parameter
    p : large prime
    α : generator of Z_p*
- Secret parameter
    k (A's)
    x_B (B's)

B computes y_B ≡ α^{x_B} mod p and gives y_B to A

A computes
    K ≡ y_B^k mod p
    c_1 ≡ α^k mod p
    c_2 ≡ K m mod p
and sends (c_1, c_2) to B

B computes
    K ≡ (α^k)^{x_B} ≡ c_1^{x_B} mod p
    m ≡ c_2 / K mod p

Elgamal Public Key System

- k must be used once
    If k is used more than once for messages m_1 and m_2,
      c_{1,1} ≡ α^k mod p, c_{2,1} ≡ m_1 K mod p
      c_{1,2} ≡ α^k mod p, c_{2,2} ≡ m_2 K mod p
    Then m_1/m_2 ≡ c_{2,1}/c_{2,2} mod p, and m_2 is easily computed if m_1 is known.
- Breaking the system is equivalent to solving Discrete Logarithm Problem
    Adversary can decrypt the ciphertext if adversary can compute the value x_B = log_α y_B

<Decryption>
- For c_1, c_2 ∈ Z_p*, define d_k(c_1, c_2) = c_2 (c_1^{x_B})^{-1} mod p
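The encryption, decryption and k-reuse relation above, as an added Python example that is not part of the original slides. The parameters p = 467 and α = 2 are constructed toy values, and the function names are hypothetical.

```python
import secrets

# Constructed toy parameters (far too small for real use): p prime, alpha a generator of Z_p*.
P, ALPHA = 467, 2

def keygen():
    x_b = secrets.randbelow(P - 2) + 1          # B's secret x_B in [1, p-2]
    return x_b, pow(ALPHA, x_b, P)              # (x_B, y_B = alpha^x_B mod p)

def encrypt(m, y_b, k=None):
    """A's side: K = y_B^k, c1 = alpha^k, c2 = K*m (all mod p)."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1        # fresh k for every message
    big_k = pow(y_b, k, P)
    return pow(ALPHA, k, P), (big_k * m) % P

def decrypt(c1, c2, x_b):
    """B's side: K = c1^x_B, m = c2 / K mod p."""
    big_k = pow(c1, x_b, P)
    return (c2 * pow(big_k, -1, P)) % P

def m2_from_reused_k(ct1, ct2, m1):
    """Same k in both ciphertexts gives m1/m2 = c2,1/c2,2 mod p, so a known m1 reveals m2."""
    (c1_a, c2_a), (c1_b, c2_b) = ct1, ct2
    if c1_a != c1_b:                            # different c1 means different k: nothing leaks
        return None
    return (m1 * c2_b * pow(c2_a, -1, P)) % P   # m2 = m1 * c2,2 / c2,1

def reused_k_pairs(ciphertexts):
    """Audit check: equal c1 values show k reuse to anyone who sees the ciphertexts."""
    first_seen, hits = {}, []
    for i, (c1, _) in enumerate(ciphertexts):
        if c1 in first_seen:
            hits.append((first_seen[c1], i))
        first_seen.setdefault(c1, i)
    return hits
```

Messages must be non-zero residues mod p for the division in `m2_from_reused_k` to be defined.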

Elgamal Digital Signature Scheme

Digital Signature

A digital signature provides
- Data Integrity
    The content of the message should be kept intact
- Sender's identity
    B needs a guarantee that the message it received actually originated from where it says it did
- Non-repudiation
    Uses sender's private key for signing

Elgamal Digital Signature Scheme

The Signing Procedure (A)
- Choose a random number k, uniformly between 0 and p-1, such that gcd(k, p-1) = 1
- r ≡ α^k mod p
- The signature for m is the pair (r, s), 0 ≤ r, s < p-1
    α^m ≡ y_A^r r^s ≡ α^{x_A r} α^{k s} mod p
  which can be solved for s by using
    m ≡ x_A r + k s mod (p-1)
    s ≡ (m - x_A r)/k mod (p-1)

The Verification Procedure (B)
- Given m, r, and s, checking
    α^m ≡ y_A^r r^s mod p

Property

Public Key System

- Encryption operation
    Two exponentiations are required.
    (secret) random number k ∈ Z_{p-1}
    e_K(m, k) = (c_1, c_2), where
      c_1 = α^k mod p
      c_2 = m y^k mod p
- Decryption operation
    Only one exponentiation (plus one division) is needed.
    For c_1, c_2 ∈ Z_p*, define
      d_k(c_1, c_2) = c_2 (c_1^{x_B})^{-1} mod p
- Randomization (against k)
    The ciphertext for a given message m is not repeated
    Prevents attacks like a probable text attack
    No relation between the encipherings of m_1, m_2, and m_1 m_2, or any other simple function of m_1 and m_2.

Property

Signature System

- Signing procedure
    One exponentiation (plus a few multiplications) is needed.
- Verification procedure
    Three exponentiations are needed.
    Make a table to reduce the exponentiations (1.875 exponentiations)

(secret) random number k ∈ Z_{p-1}*
sig_K(m, k) = (r, s), where
    r = α^k mod p
    s = (m - x r) k^{-1} mod (p-1)
ver_K(m, (r, s)) = true ⇔ y^r r^s ≡ α^m (mod p)

- The signature is double the size of the document
    Same size as that needed for the RSA scheme
- The number of signatures is p^2
    The number of documents is only p

Property

- Computation complexity
    Computing discrete logarithms and factoring integers
      m : the number of bits in p
      Best known algorithm is given by
        O(exp(c sqrt(m ln m)))
      where the best estimate for c is 0.69
- Recent computation complexity
    O(n^3) on elliptic curve (2009) over a 112-bit finite field
    To prevent known attacks, p should have at least 300 digits (D. R. Stinson, "CRYPTOGRAPHY")

Comparison

Comparison with RSA

Elgamal | RSA
Security based on the difficulty of the discrete log problem | Security based on the difficulty of the factorization problem
The ciphertext is two values c_1 and c_2 and so is twice the size of the message m | The ciphertext is just one value c which is roughly the same size as the message m
Creates longer cipher text | Uses longer keys
The encryption and decryption algorithms are different (although both take about the same time to perform) | The encryption and decryption algorithms are the same (modular exponentiation)

Attacks on the Signature Scheme

- The goal of an attack: forging signatures
- Breaking a signature scheme (from the Handbook of Applied Cryptography)
    Total break: e.g. recovering the private key
    Selective forgery: forging a signature for a particular message or class of messages chosen a priori
    Existential forgery: forging a signature for at least one message, over which the adversary has no control

Attack: Total break (1/2)

- Adversary knows
    Documents = { m_i : i = 1, 2, ..., l } and the corresponding Signatures = { (r_i, s_i) : i = 1, 2, ..., l }
- Adversary tries to solve l equations for the secret key x
    α^m = (α^r)^x ∙ r^s mod p ... (1)
    or m_i = x ∙ r_i + k_i ∙ s_i mod (p-1) ... (2)
    or, specially, k_i = c k_j (if there are some linear dependencies among the unknowns) ... (3)
- Hard Problems
    (1), (3) : computing discrete logarithm over GF(p)
    (2) : l+1 unknowns (∵ k_i ≠ k_j, i ≠ j, ∀ i, j ∈ {1, 2, ..., l}), so the system of equations is underdetermined

Attack: Total break (2/2)

- If any k is used twice in the signing, the private key x can be determined with high probability
    s_1 = k^{-1}(m_1 - x ∙ r) mod (p-1) and s_2 = k^{-1}(m_2 - x ∙ r) mod (p-1)
    (s_1 - s_2) k = (m_1 - m_2) mod (p-1)
    k = (s_1 - s_2)^{-1} (m_1 - m_2) mod (p-1) (if s_1 - s_2 ≠ 0)
- Once k is known, x is easily found
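Why a repeated k is fatal for the signer, as an added Python example that is not part of the original slides. It goes slightly beyond the slide by also handling the case where s_1 - s_2 is not invertible mod p-1 (several candidates, checked against r and y). The toy parameters p = 467, α = 2 and all function names are assumptions.

```python
from math import gcd

# Constructed toy parameters (far too small for real use): p prime, alpha a generator of Z_p*.
P, ALPHA = 467, 2
Q = P - 1

def sign(m, x, k):
    """r = alpha^k mod p, s = (m - x*r) * k^-1 mod (p-1); requires gcd(k, p-1) = 1."""
    if gcd(k, Q) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(ALPHA, k, P)
    return r, ((m - x * r) * pow(k, -1, Q)) % Q

def verify(m, r, s, y):
    """Accept iff alpha^m == y^r * r^s (mod p)."""
    return pow(ALPHA, m, P) == (pow(y, r, P) * pow(r, s, P)) % P

def solve_congruence(a, b, n):
    """All t in [0, n) with a*t == b (mod n): gcd(a, n) solutions, or none."""
    a, b = a % n, b % n
    g = gcd(a, n)
    if a == 0 or b % g:
        return []
    step = n // g
    t0 = (b // g) * pow(a // g, -1, step) % step
    return [t0 + i * step for i in range(g)]

def key_from_reused_k(m1, sig1, m2, sig2, y):
    """Return the private key x if both signatures used the same k (equal r), else None."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    # (s1 - s2) * k == m1 - m2 (mod p-1); keep the candidate k that reproduces r.
    for k in solve_congruence(s1 - s2, m1 - m2, Q):
        if pow(ALPHA, k, P) != r1:
            continue
        # x * r == m1 - k*s1 (mod p-1); keep the candidate x that reproduces y.
        for x in solve_congruence(r1, m1 - k * s1, Q):
            if pow(ALPHA, x, P) == y:
                return x
    return None
```

Two signatures with the same r are the observable sign of reuse, so a signer-side audit only needs to look for duplicate r values.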

Attack: Selective forgery (1/2)

- Given a document m, adversary tries to find r, s such that
    α^m = y^r ∙ r^s mod p
    compute s with fixed r (= α^j mod p, j chosen at random) ... (1)
    compute r with fixed s ... (2)
- Hard Problems
    (1) : α^m = y^r ∙ r^s mod p - discrete logarithm problem (DLP)
    (2) : α^m = y^r ∙ r^s mod p - not proved to be at least as hard as computing DLP, but not feasible to solve in polynomial time

Attack: Selective forgery (2/2)

- Adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages (ref. Handbook of Applied Cryptography)
    Select message m'
    Compute u = m' ∙ m^{-1} mod (p-1), s' = s ∙ u mod (p-1), and r' such that r' = r ∙ u mod (p-1) and r' = r mod p (by the Chinese Remainder Theorem)
    Verification: α^{m'} = y^{r'} ∙ r'^{s'} = y^{ru} ∙ r^{su} = (y^r ∙ r^s)^u = (α^m)^u = α^{m'} mod p
- How to prevent this attack
    Verify that 1 ≤ r ≤ p at verification time
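What the range check on r buys the verifier, as an added Python example that is not part of the original slides. The prime, generator, public key and sample signature are constructed toy values, the function names are hypothetical, and the check is written as 1 ≤ r ≤ p-1.

```python
# Constructed toy values (far too small for real use): prime p, generator alpha,
# public key y, and one legitimate textbook signature (r, s) on the message m.
P, ALPHA, Y = 467, 2, 132
M, R, S = 101, 29, 16
Q = P - 1

def verify_textbook(m, r, s):
    """Only the congruence alpha^m == y^r * r^s (mod p); the size of r is not checked."""
    return pow(ALPHA, m, P) == (pow(Y, r, P) * pow(r, s, P)) % P

def verify_with_range_check(m, r, s):
    """Same congruence, but r must be a non-zero residue mod p."""
    return 1 <= r < P and verify_textbook(m, r, s)

def crt(a_q, a_p):
    """The unique t in [0, p*(p-1)) with t == a_q (mod p-1) and t == a_p (mod p)."""
    # p == 1 (mod p-1), so t = a_p + p * ((a_q - a_p) mod (p-1)) satisfies both.
    return a_p + P * ((a_q - a_p) % Q)

def derived_signature(m_new):
    """The slide's construction: u = m'/m, s' = s*u, r' == r*u (mod p-1), r' == r (mod p)."""
    u = (m_new * pow(M, -1, Q)) % Q      # needs gcd(m, p-1) = 1
    return crt((R * u) % Q, R), (S * u) % Q
```

The derived r' is at least p whenever m' differs from m, which is why the range check alone is enough to reject it.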

Attack: Existential forgery

- Adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages
    Select A, B, C arbitrarily such that (A ∙ r - C ∙ s) is coprime to p-1
    Compute r' = r^A ∙ α^B ∙ y^C mod p, s' = s ∙ r'/(A ∙ r - C ∙ s) mod (p-1), and m' = r'(A m + B s)/(A r - C s) mod (p-1)
    Adversary may claim that (r', s') is the signature of the message m'
    !!! m' is not an arbitrary message
- How to prevent this attack
    Use a one-way hash function: α^{h(m)} = (α^r)^x ∙ r^s

Conclusion

- The proposed cryptosystem and signature scheme are based on
    the difficulty of computing discrete logarithms over finite fields
    a good generator for random numbers (k_i ≠ k_j)
- Elgamal's scheme is rarely used in practice, but many variants have been proposed, especially DSA


Question or Comment