
Elgamal Public Key Cryptography: Cs 303 Alg. Number Theory & Cryptography Jeremy Johnson

The document summarizes ElGamal public key cryptography, including:
- ElGamal encryption uses a public key to encrypt messages and a private key to decrypt. It is based on the discrete logarithm problem.
- ElGamal digital signatures allow a user to sign a message with their private key in a way that can be verified by others using the public key.
- Both are based on a group where the discrete logarithm problem is hard.
ElGamal introduced these techniques in 1985 based on earlier work by Diffie and Hellman on key exchange.
Copyright
© Attribution Non-Commercial (BY-NC)

ElGamal Public Key Cryptography

CS 303 Alg. Number Theory & Cryptography Jeremy Johnson

Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp. 469-472 or CRYPTO 84, pp. 10-18, Springer-Verlag.

Outline
- Primitive Element Theorem
- Diffie Hellman Key Distribution
- ElGamal Encryption
- ElGamal Digital Signatures

12/10/2008

Goldwasser

Public Key Cryptography

Let M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() for decrypting.

- D(E(M)) = M
- Both E() and D() are easy to compute
- Publicly revealing E() does not make it easy to determine D()
- E(D(M)) = M - needed for signatures

The collection of E()s is made publicly available but the D()s remain secret. This is called a one-way trap-door function (hard to invert, but easy if you have the secret information).

Order

Definition. Let b ∈ Z_n*. The order of b is the smallest positive integer e satisfying b^e ≡ 1 (mod n).

Theorem 1. If b has order e modulo n and if j is a positive integer such that b^j ≡ 1 (mod n), then e | j.
Proof. j = qe + r, 0 ≤ r < e. b^j ≡ 1 ≡ (b^e)^q b^r ≡ b^r (mod n). This implies that r = 0, since e is the smallest power of b equivalent to 1 mod n.
Corollary 2. Let b ∈ Z_n*. ord(b) | φ(n).

Primitive Element Theorem

Zp* = <>, i.e. ord() = p-1.


Example

Z_7* = <3>: 3^1=3, 3^2=2, 3^3=6, 3^4=4, 3^5=5, 3^6=1
Z_13* = <2>: 2^1=2, 2^2=4, 2^3=8, 2^4=3, 2^5=6, 2^6=12, 2^7=11, 2^8=9, 2^9=5, 2^10=10, 2^11=7, 2^12=1

Note. ord() = p-1 {1,, 2,, p-1} distinct.

Discrete Logarithms

Discrete log problem


Given Zp* = <> log(y) = x, if y = x.

Example

Z_13* = <2>: 2^1=2, 2^2=4, 2^3=8, 2^4=3, 2^5=6, 2^6=12, 2^7=11, 2^8=9, 2^9=5, 2^10=10, 2^11=7, 2^12=1
log_2(5) = 9.

Properties of Primitive Elements

Theorem 3. If b has order e modulo n, then ord(b^i) = e/gcd(e,i).


Theorem 4. Let p be a prime and d a divisor of p-1, then the number of positive integers less than p with order d is φ(d).
Corollary 5. The number of primitive elements mod p is equal to φ(p-1) > 1.

Some Lemmas
Lemma 6. Let P(x) be a polynomial of degree t and let p be a prime. If p does not divide the coefficient of x^t in P(x), then P(x) ≡ 0 (mod p) has at most t solutions mod p.
Proof. By induction on the degree of P(x) = t. P(x_1) = 0 ⇒ P(x) = P_1(x)(x - x_1), and the degree of P_1(x) = t-1.
Lemma 7. The sum of φ(d) over the divisors of n = n.

Example: n=12. φ(1)+φ(2)+φ(3)+φ(4)+φ(6)+φ(12) = 1+1+2+2+2+4 = 12.

Primitive Element Theorem

Theorem. Let p be a prime and d a divisor of p-1, then the number of positive integers less than p with order d is φ(d).

Proof. If there is an element a of order d, then by Theorem 3, a^i with gcd(i,d)=1 is also of order d. By Lemma 6, 1, a, a^2, ..., a^(d-1) are the roots of P(x) = x^d - 1, and there are φ(d) elements of order d. Since every element is of order d | p-1 and p-1 = Σ_{d | p-1} φ(d), there must be an element of order d for every d | p-1 and hence exactly φ(d) of them.
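The order, primitive element and discrete log statements above can be checked numerically on the slides' own groups. This is an added example, not part of the original slides; the function names are assumptions, and the exhaustive search only works because the moduli are toy-sized.

```python
from math import gcd

def order(b, n):
    """Smallest e >= 1 with b^e = 1 (mod n); b must be a unit mod n."""
    if gcd(b, n) != 1:
        raise ValueError("b is not in Z_n*")
    e, x = 1, b % n
    while x != 1:
        x = (x * b) % n
        e += 1
    return e

def phi(n):
    """Euler's totient by direct count (fine for small n)."""
    return sum(1 for i in range(1, n + 1) if gcd(i, n) == 1)

def order_counts(p):
    """Map d -> number of elements of Z_p* with order d (Theorem 4 says phi(d))."""
    counts = {}
    for b in range(1, p):
        d = order(b, p)
        counts[d] = counts.get(d, 0) + 1
    return counts

def primitive_elements(p):
    """Elements of order p-1, i.e. generators of Z_p*."""
    return [b for b in range(1, p) if order(b, p) == p - 1]

def dlog(g, y, p):
    """x with g^x = y (mod p), found by walking the powers of g."""
    x, acc = 1, g % p
    while acc != y % p:
        acc = (acc * g) % p
        x += 1
        if x > p - 1:
            raise ValueError("y is not a power of g")
    return x

if __name__ == "__main__":
    print(order_counts(13))        # counts per order, compare with phi(d)
    print(primitive_elements(13))  # generators of Z_13*
    print(dlog(2, 5, 13))          # the slides' log_2(5)
```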

Public Key Distribution

The goal is for two users to securely exchange a key over an insecure channel. The key is then used in a normal cryptosystem.

Diffie-Hellman Key Exchange

A = g^a mod p (p prime, g primitive: all elements of (Z_p)* are powers of g) [Alice sends A to Bob]
a = log_g A mod p [discrete log]
B = g^b mod p [Bob sends B to Alice]
K = g^(ab) mod p [shared key]
A^b = g^(ab) = B^a mod p

ElGamal Encryption

Z_p* = <g>, m ∈ Z_p message

Bob encrypts a message to Alice.

Alice: a random, A = g^a, public key = (p, g, A)
Bob: k random (ephemeral key), c1 = g^k, shared key K = A^k = g^(ak)

E_A(m) = (c1, c2), c2 = m·K mod p.
D_A((c1, c2)) = c2*(1/K) mod p, K = c1^a = g^(ak)

Security depends on the Computational Diffie-Hellman (CDH) assumption: given (g, g^a, g^b) it is hard to compute g^(ab).
Do not use the same k twice.
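The encryption scheme above, together with the reason behind the "same k twice" rule, as an added example that is not part of the original slides. It uses the toy group Z_13* = <2> from the earlier example slide; the function names are assumptions.

```python
import secrets

# Toy group from the slides: Z_13* = <2>. Real use needs a large prime p.
P, G = 13, 2

def keygen(a=None):
    """Alice: secret a, public A = g^a mod p."""
    if a is None:
        a = secrets.randbelow(P - 2) + 1      # 1 .. p-2
    return a, pow(G, a, P)

def encrypt(A, m, k=None):
    """Bob: c1 = g^k, c2 = m*K mod p with K = A^k. k is fresh unless passed in."""
    if not 1 <= m < P:
        raise ValueError("message must be in 1 .. p-1")
    if k is None:
        k = secrets.randbelow(P - 2) + 1      # new ephemeral key per message
    K = pow(A, k, P)
    return pow(G, k, P), (m * K) % P

def decrypt(a, ct):
    """Alice: K = c1^a, m = c2 * K^-1 mod p."""
    c1, c2 = ct
    K = pow(c1, a, P)
    return (c2 * pow(K, -1, P)) % P

def same_ephemeral_key(ct1, ct2):
    """Equal c1 values mean the sender reused k."""
    return ct1[0] == ct2[0]

def plaintext_ratio(ct1, ct2):
    """When k is reused, K cancels: c2/c2' = m/m' (mod p)."""
    return (ct1[1] * pow(ct2[1], -1, P)) % P

if __name__ == "__main__":
    a, A = keygen(5)                          # constructed sample key
    ct1 = encrypt(A, 9, k=7)                  # k fixed only to show the failure
    ct2 = encrypt(A, 4, k=7)
    print(ct1, decrypt(a, ct1))
    print(same_ephemeral_key(ct1, ct2), plaintext_ratio(ct1, ct2))
```

Because the ratio of the two ciphertexts equals the ratio of the two plaintexts, anyone who knows one message learns the other without the private key; comparing c1 values is a cheap way to audit a sender for this mistake.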


ElGamal Digital Signature

Z_p* = <g>, m ∈ Z_p message

Alice signs message m.

Alice: h = g^x, public key = (p, g, A), secret key = x.
Alice: k random with gcd(k,p-1)=1

r = g^k (mod p)
s = (m - xr)(1/k) mod p-1 [m = sk + xr (mod p-1)]
Signature = (r, s)
Verify g^m = r^s h^r
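Signing and verification as written above, in an added example that is not part of the original slides. It signs m directly as the slide does, uses the toy group Z_13* = <2> with public value h = g^x, and the range check on (r, s) in the verifier is an addition beyond the slide; the function names are assumptions.

```python
import secrets
from math import gcd

# Toy group from the slides: Z_13* = <2>. Real use needs a large prime p.
P, G = 13, 2

def fresh_k():
    """Random k with gcd(k, p-1) = 1, so that 1/k exists mod p-1."""
    while True:
        k = secrets.randbelow(P - 2) + 1      # 1 .. p-2
        if gcd(k, P - 1) == 1:
            return k

def sign(x, m, k=None):
    """r = g^k mod p, s = (m - x*r) * k^-1 mod (p-1)."""
    if k is None:
        k = fresh_k()
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(G, k, P)
    s = ((m - x * r) * pow(k, -1, P - 1)) % (P - 1)
    return r, s

def verify(h, m, sig):
    """Accept iff g^m = r^s * h^r (mod p)."""
    r, s = sig
    # Added check, not on the slide: reject values outside their ranges
    # before doing any arithmetic with them.
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    return pow(G, m, P) == (pow(r, s, P) * pow(h, r, P)) % P

if __name__ == "__main__":
    x = 5                                     # constructed sample secret key
    h = pow(G, x, P)                          # public value h = g^x
    sig = sign(x, 9, k=7)                     # k fixed only for a repeatable run
    print(sig, verify(h, 9, sig), verify(h, 8, sig))
```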
