1. Cryptology Design Fundamentals
Grundlagen des kryptographischen Systementwurfs
Module ID: ET-IDA-048
, v39
Prof. W. Adi
Tutorial-9
ElGamal Public-Key Systems over GF(p) & GF(2m)

2. ElGamal Secrecy-System (1985)  primitive element in GF(p)
User A sends M to B
User B receives
 primitive element in GF(p)
Xa = secret key of A
 Xa
Xb = secret key of B
 Xb
ya =  Xa public key of A
yb =  Xb public key of B C M X X
C = M .  Xb . R / m M yb
Z =  Xb. R
Z-1 =  - Xb. R
(yb)R
r =  R r /
m-bits
 R
(r)-Xb = - Xb. R
- Xb R
m = log2 p
- Xb = (p-1) - Xb
Random Generator : R = p-1
a new R is needed for every message
Notice: The scheme applies similarly over GF(2m) with  as a primitive element in that field. 2

3. ElGamal Signature Scheme
public directory
User A signs M
Verifier
 is primitive in GF(p)
Xa = Secret Key of A
 Xa = ya
ya = public key of A
p, , ya If M M S r
k -1 ( M - r . Xa ) mod (p-1) = S
 M = yar . r S mod p
Then M is authentic k
k = r
k Random unit in Zp-1
That is: gcd (k, p-1 ) = 1
Signed Message

4. ElGamal Secrecy-System
Over GF (p) 4

5.  = 2 = primitive element in GF(11)
Problem 1: Setup ElGamal Encryption System using GF(11). Send the message M=10 from user A to B. The secret key of B is 9 and for A is 7
Solution 1 :
Computing order of  =2: 22=41, 23=8, 24=5, 25=10 1, 26=9, 27=7, 28=3, 29=6, 210=1 => order of 2 is 10 => 2 is a primitive element !.
p = 11= , Possible orders = divisors of p-1=2x5, that is 1,2,5,10.
User A sends M to B
User B receives
 = 2 = primitive element in GF(11)
Xa = secret key of A=7
 7 = 7
Xb =9= secret key of B
Yb= Xb= 2 9 = 6
ya =  Xa public key of A = 7
yb =  Xb public key of B = 6
C=7
M =21 mod 11 =10
M=10 X X
C = M . Xb . R = =7 / m
(3) yb
6 8 = (2 9)8 = 272 mod 10 =22 =4
(6)R
r =2 8 =3
r=3
(3)-Xb = (3)1 /
m-bits
- Xb = -9
 R
R=8
Xb = (p-1) – Xb
-9= (11-1)-9=1
m = log2 p=4
Random Generator : R = P-1 ,
we select R= 8 5

6.  = 3 = primitive element in GF(29)
Problem 2: Setup El Gamal Encryption System using GF(29). Send the message M=17 from user A to B. The secret key of B is 4 and for A is 7
Solution 2 :
Computing order of  =3: 31=3, 32=9 1, 34=92=81=231, 37=34.33 =23.27= 12 1, 314 =(37) 2 =(12)2= 28 1 => 3 is a primitive element !.
p=29= , Possible orders = divisors of p-1=2x2x7, that is 1,2,4,7,14,28.
User A sends M to B
User B receives
 = 3 = primitive element in GF(29)
Xb = 4 = secret key of B
Yb =  Xb = 3 4 = 23
Xa = secret key of A=7
Ya =  Xa = 3 7 = 12
ya =  Xa = 3 7 =12 public key of A
yb =  Xb = 3 4 =23 public key of B
C=17 = M ! X X
M=17
C = M . Xb . R = 17.(384) = 17 / m
M =17
The selected R is not reasonable ! C=M
no encryption !
4 .21 mod 28 =1
= mod 28 =30=1
Y b
(3 4 ) 21
r = 3 R = 3 21
r = 3 21
(3 21) -4 =
3 21 /
m-bits
- Xb
R=21
Xb = (p-1) – Xb
4= (29-1)- 4 = 24
m = log2 29
Random Generator : R = P-1 ,
we select R= 21 6

7.  = 3 = primitive element in GF(29)
Problem 3 (alternative solution for 2): Setup El Gamal Encryption System using GF(29). Send the message M=17 from user A to B. The secret key of B is 4 and for A is 7
Solution 3: The fact that selecting R=21 results with a cipher text C=M. This is an teresting bad selection which can happen in real implementations!!!. Therefore another random integer R=25 is selected and the solution is repeated as follows:
User A sends M to B
User B receives
 = 3 = primitive element in GF(29)
Xb = 4 = secret key of B
Yb =  Xb = 3 4 = 23
Xa = secret key of A=7
 7 = 12
ya =  Xa = 3 7 public key of A = 12
yb =  Xb = 3 4 public key of B = 23
C=21 X
M =17 X
C = M .  Xb . R = =21 / m
M =17
 Xb . R =(3 4) 25 mod 28 = = 3 16 = 20 yb
3 12 = 16
(yb).R
r =3 25 =3 -3
r = 3 -3
(3 -3)-4 = 312 mod 28
3 25 /
m-bits
- Xb = - 4
(3 -3)24 = 3-72 mod 28
R=25
Xb = (p-1) – Xb
-4= (29-1)- 4 = 24
m = log2 29
Random Generator : R = P-1 ,
we select R= 25 7

8. Problem 4: ElGamal Crypto-System over GF(179):
Send the message M=75 from user A to B. The secret key of B is 130 and for A is 102.
Solution:
Ensuring the good choice of the GF
p= 2.q +1 , let’s chose q as a prime such that p is also a prime according to Pocklington Theorem:
Let q= => p= 2x = (1)
Pocklignton’s three conditions for p=prime are: We select a=11
mod 179 = 1
gcd( /89 -1, 179) = gcd(11² -1 , 179) =1
√179 <√89
All the 3 conditions are valid => 179 is a prime
Seeking a Primitive element :
Possible orders are devisors of p-1= 179-1= 178 = 2x 89 from (1) => Possible orders :1, 2 , 89 , 179
Let’s take a random α= 5 and check if it is primitive ?
Number of primitive elements (178) = (2x89) = (2-1) (89-1) = 88
51 ≠ 1 AND 5² ≠ 1 AND 589 = 1 => is not primitive
Let’s take a random α= 6 , let’s check if it is primitive element ?
61 ≠ 1 AND 6²=36 ≠ 1 AND 689 ≠ => 6 is primitive element.

9. Solution 4: ElGamal Crypto-System over GF(179)
A signs the contract M=75 : (Ref. Fig (6) )
Let’s chose K that gcd(K, (179-1)) = 1
K=11
K-1 = 81
r=611 =35
S= K-1 (M-r. Xa ) mod (p-1)
= 81(75-35x102 ) mod178 = 103
That is message + Signature :
M, r, S = 75, 35,103
A sends only r, S = 35,103 as signature as A knows M
Verification on side A:
If  M = yar . r S mod p then M is authentic
αM = 675 = 98
yar . r S = x = 98 = αM
=> Signature is authentic
Q- Is there any security threats if M is signed directly (without any change) ?
Open directory set up:
Ya =6102 =172
Yb = 6130 =3
A encrypts M=75 to B (Ref. Fig (5) )
- Encryption on the side of A: Random value R1 =7
Z=(Yb )R1 = 37 mod 179 = 39
C = M.Z = 75x 39 = 61
r= α R1= 67 = 159
For M=75 : YA->B = r, C ,
The cryptogram is : YA->B = 159, 61
- Decryption on the side of B :
Z-1 = r -Xb = = mod 179 = 101
M= C Z-1 = 61x 101 mod 179 = 75 q.e.d
Secret keys:
Xa = 102
Xb =130

10.  = 6 = primitive element in GF(179)
Solution 4: ElGamal Crypto-System over GF(179)
Message encryption
User A encrypts M = 75
User B decrypts C
 = 6 = primitive element in GF(179)
Xa = secret key of A =102
 102 = 172
Xb =130= secret key of B
Yb= Xb= = 3
ya =  Xa public key of A = 172
yb =  Xb public key of B = 3
C=61
M =61 mod 179 =75
M=75 X X
C = M . Xb . R = 61 / m
(3) yb
Z=39
(3)R
r =6 7 =159
r=159
(159)-Xb = 101
- Xb = -130
 R /
m-bits
R=7
Xb = (p-1) – Xb
=(179-1)-130=48
Random Generator : R = P-1 ,
we select R= 7
Fig. (5) 10

11. Signature generation User A signs M Verifier Fig. (6)
Solution 4: ElGamal Crypto-System over GF(179)
Signature generation
User A signs M
Verifier
public directory
Xa = Secret Key of A
(Xa = 102)
 Xa = ya
( 102= 6102)
 is primitive in GF(p) ( = 6, p =179)
ya = public key of A
p, , ya If
M (=75)
S (=103)
r (=35)
 M = yar . r S mod p
k -1 ( M - r . Xa ) mod (p-1) = S
Then M is authentic k
k = r
αM = 675 = 98
ya r .rs= x = 98
k Random unit in Zp-1
That is: gcd (k, p-1 ) = 1
Signed Message
Fig. (6)

12. Problem 5: ElGamal Crypto-System over GF(263):
Send the message M=35 from user A to B. The secret key of A is 40 and for B is 113 and use the random value R= 22 for this message.
Solution:
Ensuring the good choice of the GF
p= 2.q +1 , let’s chose q as a prime such that p is also a prime according to Pocklington Theorem:
Let q= 41 => p= 2x = (1)
Pocklignton’s three conditions for p=prime are: We select a=11
mod 263 = 1
gcd(11262/131 -1, 179) = gcd(11 , 179) =1
131>√263
All the 3 conditions are valid => 263 is a prime
Seeking a Primitive element :
Possible orders are devisors of
p-1= 263-1= 262 = 2x 131 from (1)
=> Possible orders :1, 2 , 131 , 262
Let’s take a random α= 12 and check if it is primitive ?
Number of primitive elements (262) = (2x131) = (2-1) (131-1) =130
121 ≠ 1 AND 12² ≠ 1 AND = 1 => is not primitive
Let’s take a random α= 8 , let’s check if it is primitive element ?
81 ≠ 1 AND 8²=36 ≠ 1 AND 8131 = 1
=> 8 is not primitive element.
Let’s take a random α= 11 , let’s check if it is primitive element ?
111 ≠ 1 AND 11² ≠ 1 AND = 1
=> 11 is not primitive element.
Let’s take a random α= 7 , let’s check if it is primitive element ?
71 ≠ 1 AND 7² ≠ 1 AND 7131 ≠ 1
=> 7 is primitive element.

13. Soliution 5: ElGamal Crypto-System over GF(263)
Open directory set up:
α=7
Ya =740 mod 263=166
Yb = 7113 mod 263=236
A encrypts M=35 to B
- Encryption on the side of A: Random value R =22
Z=(Yb )R = mod 263 = 23
C = M.Z = 23x 25 mod 263 = 16
r= α R= 722 mod 263 = 11
For M=35 : YA->B = r, C ,
The cryptogram is : YA->B = 11, 16
- Decryption on the side of B :
Z-1 = r -Xb = = mod 263 = 183
M= C Z-1 = 16x 183 mod 263 = 35 q.e.d
Secret keys:
Xa = 40
Xb = 113
B signs the contract M=35 :
Let’s chose K that gcd(K, (263-1)) = 1
K=121
K-1 = 13
r= α k = 7121 mod 263 =85
S= K-1 (M-r. Xb ) mod (p-1)
= 13(35-85x113 ) mod 262 = -222 mod 262 =40
Signature : r, S = 85, 40
B sends only r, S = 35,103 as signature as A knows M
Verification on side A:
If  M = ybr . r S mod p then M is authentic
αM = 735 = 67
ybr . r S = x 8540 mod 263= 67 = αM
=> Signature is authentic

14. ElGamal Secrecy-System
Over GF (2m) 14

15. Problem 6: ElGamal Crypto-System over GF(26)
Set up ElGamal public-key encryption system using GF(26), which is generated by the irreducible polynomial P(x)=1+x²+x4+x5+x6 =
The secret keys for users A and B are 22 and 10 respectively. Check if you can take  = 0011 as a primitive element.
Send the message M = 3 from user A to B and use the random value R=43 for this message.
Notice: Many real systems use ElGamal secrecy system over GF(2m).
Solution:
For the selected P(x), e=21 this mean ord(x)=21 (from the table List of all irreducible Polynomials over GF(2 ) )
x21 = 1 mod p(x)
Possible elements orders are the devisors of = 63 = 32 x 7
Possible orders : 1,3,7,9,21,63
Helping computations :
x6= 1+x²+x4+x5
x7= 1+x+x²+x3+x4
x8= x+x²+x3+x4+x5
x9 = 1+x3
x10 =x+x4
x11 = x²+x5
x12 =1+x²+x3 + x4 +x5
x16 = (x8)² = 1+x²+x3
x21 = 1

16. Solution 6: ElGamal Crypto-System over GF(26)
Seeking a Primitive element
Let’s take any α and check it is a primitive element:
α=(1+x)
Α is primitive iff
α1 ≠1 AND α3 ≠1 AND α7 ≠1 AND α9 ≠1 AND α21 ≠1
The order of any element is a divisor of 26-1 = 63,
that is 1, 3, 7, 9, 21 or 63
Check the exponents 3, 7, 9, 21 of  = x+1 in F(26) :
α3 =(x +1)3 = (x+1)2.(x+1) = (x2+1).(x+1)
= 1+x+x2+x3  1
α7 =(x +1)7 = (x+1)4.(x+1)3 = (x+1)4(1+x+x2+x3)
= 1+x2+x4  1
α9 = (x + 1)9 = (x+1)7.(x+1)2
= x2+x4+x5  1
α 21 = α 12 . α 9 = [α 6 ]2 . α 9 = (x5)2 (x2+x4+x5) = x10 (x2+x4+x5)
= (x+x4) (x2+x4+x5)= 1+x+x2+x3+x4 1
α 6 = (α 3 )2 = (1+x+x2+x3 )2 = x5
As the order of =(x+1) is not 3 or 7 or 9 or 21
=> it is 63 =>  is primitive!
Open directory set up:
Ya = 22, Yb = 10
Secret keys:
Xa = 102
Xb =130
Random value: R = 43
Massage to encrypt M = 3
Encryption on the side of A:
Z = (Yb)R = (10)43 = 430 mod 63 =52
r = R = (x+1)43 = 43
C = Z . M = 52 3 . = 55
Decryption on the side of B:
Z-1 = (r)-Xb = (43 ) = 2279 mod 63 = 11
M = Z-1.C = 11 . 55 = 66 mod 63 = 3

17. Problem 7: ElGamal Crypto-System over GF(24)
P(x) = ( x4+ x +1 ) is the irreducible polynomial in the GF. The secret keys for users A and B are 7 and 12 respectively. Check if you can take  = 1011 as a primitive element.
Send the message M = 0101 from user A to B and use the random value R=13 for this message.
Notice: Many real systems use ElGamal secrecy system over GF(2m).
Solution 6:
If P(x)= x4+ x +1 is the modulus then x4 + x +1 = 0,
thus x4 = x +1. the exponents of x in GF(24) are:
x = x
x2= x
x3= x
x4= x4 = x
x5= x x4 = x2 +x
x6= x (x2 +x)= x3 +x
x7= x (x3 +x2) = ( x4 +x3 ) = x +1+x
x8= x4 + x2 +x = 1+x + x2 +x = 1+x
x9 = x3 + x
x10 = x4 + x2 = x+1 + x
x11 = x3 + x2 +x
x12= x4 + x3 + x2 = x +1+ x3 + x
x13= x4 + x3 + x2 +x = x3 + x
x14= x4 + x3 + x= x+1+x3 + x = x
x15= x4 + x = x x =
The order of any element is a divisor of
24-1=15 = 3 x 5, that is 1,3,5 or 15
Check if =x7= 1011 is a primitive element
Order =x7: 3= (x7)3 = x21 mod 15 = x6=1100 1
5= (x7)5 = x35 mod 15 = x35-2x15= x51
=>  is a primitive element
Ya= Xa= (x7)7= x49 mod 15 = x4 = 0011
Yb= Xb= (x7)12= x84 mod 15 = x9= 1010
Modulus in the exponent is 24-1=15
Is this a primitive element ?
Another proof: as x is primitive, xi is
also primitive iff gcd(i,15)=1 => x7 is primitive 17

18. Solution 7: Public directory User A sends M to B User B receives
GF(24) generated by P(x)= x4+ x +1
 = x7=1+x +x3 = 1011 (primitive element)
Ya= Xa = 7 = (x7)7= x49 mod 15 = x4 = 0011
Yb= Xb= 12 =(x7)12= x84 mod 15 = x9= 1010
Xa = secret key of A=7
Xb =12 secret key of B
C = M . Xb . R = x8 x 12 =x 20 mod 15
C = = x 5
C=0110= x 5
M = x 5 x3 = x8 = 0101
M=0101=x8 X X / m
 Xb . R = x 9x13=117 mod 15 = x 12 x3
Yb = x9
Modulus in the exponent in
GF(2m) is 2m-1
(x9)13
r =x 7x13 =x
r=x=0010
(x)-Xb = (x)3
- Xb = -12
 R
R=13
Cryptogram sent to B: [ C=0110, r=0010 ]
Xb = 15 – 12 = 3
Random Generator : R = , 18

19. Problem 8: Set up ElGamal public-key encryption system using GF(26), which is generated by the irreducible polynomial P(x) = ( x6 + x3 + 1 ). The secret keys for users A and B are 22 and 10 respectively. Check if you can take  = 1+x as a primitive element. Send the message M = = x5+x2 from user A to B and use the random value R = 20 for this message.
Solution 8:
 primitive. Another primitive element is 2 as:
Probability of picking up a primitive element:
Ya= Xa= (x+1)22= (x+1)21.(x+1) = (1+x3 ) .(x+1) =
=x+x4+1+x3= 1+x+x3+x4 =
Yb= Xb= (x+1)10= (x + 1)9.(x+1) = (x+x2+x5).(x+1) =
=x2+x3+x6+x+x2+x5 = x3+(1+x3)+x+x5
= 1+x+x5 =
If P(x) = ( x6 + x3 + 1 ) is the modulus then x6 + x3 +1 = 0, thus x6 = x3 +1.
x7 = x6.x = (x3+1).x = x4 + x
x8 = x6.x2 = (x3+1).x2 = x5 + x2
x9 = x6.x3 = (x3+1).x3 = 1 ( notice that x is not a primitive element)
The order of any element is a divisor of 26-1 = 63, that is 1, 3, 7, 9, 21 or 63
Check the exponents 3, 7, 9, 21 of  = x+1 in GF(26) :
(x +1)3 = (x+1)2.(x+1) = (x2+1).(x+1) = 1+x+x2+x3  1
(x +1)7 = (x+1)6.(x+1) =(x2+x3+x4)(x+1) = x3+ x4+x5+x2+x3+x4 = x2+x5  1
(x+1)6 = ((x+1) 3)2 = (1+x+x2+x3 )2 = 1+x2+x4+x6 = 1+x2+x4 + x3 +1. = x2+x3+x4
(x + 1)9 = (x+1)7.(x+1)2 = (x2+x5).(x2+1) = x4+(x4+x)+x2+x5 = x+x2+x5  1
(x + 1)21 = (x+1)12.(x+1)9 = (1+ x2+x3+x4+x5).(x+x2+x5) = 1+x3  1
(x+1)12 =((x+1)6)2 = (x2+x3+x4)2 = x4+x6+x8 = x4+ x3+1+x5+x2 =1+ x2+x3+x4+x5
As the order of =(x+1) is not 3 or 7 or 9 or 21 => it is 63 =>  is primitive!
Choosing R = 20 and sending a massage M = x5+x2 = (x+1)7 =7 =
Encryption: Z = (Yb)R = (10)20 = 200 mod 63 = 11= x2+x3+x5=101100
r = R = (x+1)20 = 20 = (10 )2= 1+ x2+x =
C = Z . M = 11 . 7 = 18 mod 63= 18 = x + x2 + x4
Decryption
Z-1 = (r)-Xb = (20 )-10 = -200 mod 63 = -11 = 52
M = Z-1.C = 52.18= 70 mod 63 = 7
Modulus in the exponent is 26-1 = 63

20. Or [ (x+1)20 ]-10+63 = (x+1)1060 mod 63 =  52
Solution 8:
Public directory
User A sends M to B
User B receives
GF(26) generated by P(x)= x6+ x3 +1
 = (x+1) (primitive element)
Ya= Xa = (x+1)22 = 1+x+x3+x4 = Yb= Xb= (x+1)10 = 1+x+x5 =
Xa = 22 secret key of A
Xb =10 secret key of B
C= = (x+1)18
M=100100=x5+x2=(x+1)7=7
C = M . Xb . R = 7 10.20 =
= 7 11= 18
C = 1+x2+x4 = X X
M = 52.18 = 70 mod 63 = 7
= (x+1)7 = x5 + x2 = / m
 -11 = 52
Yb = 1+x+x5
 Xb . R = (x+1)10.20 mod63 = (x+1)11
(1+x+x5)20
r =  20 =(x+1)20
[ (x+1)20 ]-Xb = [ (x+1)20 ]53 =(x+1)1060 mod 63 =  52
Z= R
r =(x+1)20= 1 + x + x2 =
R=20
- Xb = =53
Cryptogram sent to B: [ C = , r = ]
Modulus in the exponent in
GF(2m) is 2m-1 = 63
Random Generator : R =
Or [ (x+1)20 ] = (x+1)1060 mod 63 =  52

21. Problem 9: Set up ElGamal public-key encryption system using GF(26), which is generated by the irreducible polynomial P(x) = ( x6 + x3 + 1 ). The secret keys for users A and B are 22 and 10 respectively. Check if you can take  = 1+x as a primitive element. Send the message M = = x5+x2 from user A to B and use the random value R = 20 for this message.
Solution 9:
 primitive. Another primitive element is 2 as:
Probability of picking up a primitive element:
Ya= Xa= (x+1)22= (x+1)21.(x+1) = (1+x3 ) .(x+1) =
=x+x4+1+x3= 1+x+x3+x4 =
Yb= Xb= (x+1)10= (x + 1)9.(x+1) = (x+x2+x5).(x+1) =
=x2+x3+x6+x+x2+x5 = x3+(1+x3)+x+x5
= 1+x+x5 =
If P(x) = ( x6 + x3 + 1 ) is the modulus then x6 + x3 +1 = 0, thus x6 = x3 +1.
x7 = x6.x = (x3+1).x = x4 + x
x8 = x6.x2 = (x3+1).x2 = x5 + x2
x9 = x6.x3 = (x3+1).x3 = 1 ( notice that x is not a primitive element)
The order of any element is a divisor of 26-1 = 63, that is 1, 3, 7, 9, 21 or 63
Check the exponents 3, 7, 9, 21 of  = x+1 in GF(26) :
(x +1)3 = (x+1)2.(x+1) = (x2+1).(x+1) = 1+x+x2+x3  1
(x +1)7 = (x+1)6.(x+1) =(x2+x3+x4)(x+1) = x3+ x4+x5+x2+x3+x4 = x2+x5  1
(x+1)6 = ((x+1) 3)2 = (1+x+x2+x3 )2 = 1+x2+x4+x6 = 1+x2+x4 + x3 +1. = x2+x3+x4
(x + 1)9 = (x+1)7.(x+1)2 = (x2+x5).(x2+1) = x4+(x4+x)+x2+x5 = x+x2+x5  1
(x + 1)21 = (x+1)12.(x+1)9 = (1+ x2+x3+x4+x5).(x+x2+x5) = 1+x3  1
(x+1)12 =((x+1)6)2 = (x2+x3+x4)2 = x4+x6+x8 = x4+ x3+1+x5+x2 =1+ x2+x3+x4+x5
As the order of =(x+1) is not 3 or 7 or 9 or 21 => it is 63 =>  is primitive!
Choosing R = 20 and sending a massage M = x5+x2 = (x+1)7 =7 =
Encryption: Z = (Yb)R = (10)20 = 200 mod 63 = 11= x2+x3+x5=101100
r = R = (x+1)20 = 20 = (10 )2= 1+ x2+x =
C = Z . M = 11 . 7 = 18 mod 63= 18 = x + x2 + x4
Decryption
Z-1 = (r)-Xb = (20 )-10 = -200 mod 63 = -11 = 52
M = Z-1.C = 52.18= 70 mod 63 = 7
Modulus in the exponent is 26-1 = 63

22. Problem 10: ElGamal Crypto-System over GF(28)
Set up ElGamal public-key encryption system using GF(28), which is generated by the irreducible polynomial P(x)=1+x3+x4+x5+x8 =
The secret keys for users A and B are 42 and 101 respectively. Check if you can take  = 0011 as a primitive element.
Send the message M = 4 from user A to B and use the random value R= 91 for this message.
Notice: Many real systems use ElGamal secrecy system over GF(2m).
Solution:
Possible elements orders are the devisors of 2n -1 =28 -1 = 255 = 3 x5x17 (see factorization table in the annex)
Possible orders : 1,3,5,15,17,51,85,255
Helping computations :
x8= 1+x3+x4+x5
x9= x+x4+x5+x6
x10= x²+x5+x6+x7
x11 = 1+x4 +x5+x6+x7
x12 =1+x+x3+x4+x6+x7
x13=1+x+x2+x3+x7
x14=x5+x2+x+1
x15=x6+x3+x2+x
x16=x7+x4+x3+x2
x17=1
x32=(x16)2=x6+x3+x2+x
x64=(x32)2=x7+x3+x2+x+1
x128=(x64)2 =x6+x5+x4+x

23. As the order of =(x+1) is not: => it is 255 =>  is primitive!
Solution 10: ElGamal Crypto-System over GF(28)
Seeking a Primitive element:
Let’s take any α and check if it is a primitive element: α=(1+x)
α is primitive iff
α1 ≠1 AND α3 ≠1 AND α5 ≠1 AND α15 ≠1
AND α17 ≠1 AND α51 ≠1 AND α85 ≠1
α1 = 1+x ≠1
α3 =(x +1)3 = (x+1)2.(x+1) = (x2+1).(x+1)
= 1+x+x2+x3  1
α5 = α2 α3=(x2+1).(x+1)3 = (x2+1)(1+x+x2+x3)
= 1+x+x4+x5 1
α15 = α10 α5
α10 = (α5)2=x3+x4+x6+x7
α15 = x2+x3+x4+x7 1
α17 = α15 α2 = x+x2+x3+x4+x7  1
α51 = α50 α
= (α25 )2 α
α25 = α20 α5
α20 = (α10 )2 = (1+x2+x7)
α25 = (1+x2+x7) (1+x+x4+x5)= x+x6+x7
α51 = (x+x6+x7)2 (1+x)
= 1+x4+x5  1
α85 = α80 α5
α80 = (α40 )2 =[(α20 )2 ]2 =((1+x2+x7)2 )2
= (x+x2+x4+x5 )2
=1+x3+x6+x7
α85 = (1+x3+x6+x7) (1+x+x4+x5)
= 1+x3+x6+x7  1
As the order of =(x+1) is not:
5 nor 15 nor 17 nor 51 nor 85
=> it is 255 =>  is primitive!

24. Solution 10: ElGamal Crypto-System over GF(28)
Open directory set up:
Ya = 101, Yb = 42
Secret keys:
Xa = 101, Xb =42
Encryption on side A:
A sends the message M=4 to B
Random value: R = 91
M= 4 = (x+x3)4
= x4+x12
= 1+x+x3+x6+x7 =
Z= (Yb )R = (42 )91 = 42*91 mod 255 = 252
r= 91
C=Z.M= 252 4 = 
YA->B = r , C = 91, 
Decryption on the side of B:
Z-1 = (r)-Xb = (91 )-42 = 91 (255-42)
= mod 255 = 3
M = Z-1.C = 3 .  = 4

25. Annex: List of all irreducible Polynomials over GF(2 ) up to degree 11

26. Annex; Some factorizations for of 2n-1