1. CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

2. CS470, A.SelcukElGamal Cryptosystem2 ElGamal – Encryption Parameters: –p, a large prime –g, a generator of Z p * –α  Z p-1, β = g α mod p –p, g, β public; α private Encryption: –generate random, secret k  Z p-1. –E(x, k) = (r, s), where r = g k mod p s = xβ k mod p –D(r, s) = s(r α ) -1 mod p = xg αk g -αk mod p = x.

3. CS470, A.SelcukElGamal Cryptosystem3 ElGamal – Encryption Plaintext x is masked by a random factor, g αk mod p. DH problem: Given g α, g k mod p, what is g αk mod p? p, g can be common. Then g k mod p can be computed in advance. Same k should not be used repeatedly. Performance: –encryption: two exponentiations –decryption: one exponentiation, one inversion Size: Ciphertext twice as large as plaintext.

4. CS470, A.SelcukElGamal Cryptosystem4 ElGamal – Signature Parameters: The same as encryption. Signature: –generate random, secret k  Z p-1 *. –S(m, k) = (r, s), where r = g k mod p s = (m – rα)k -1 mod (p – 1) (i.e., m = rα + sk ) Verification: –Is β r r s ≡ g m (mod p) ? –β r r s = g αr g k(m – rα)k^(-1) = g αr + (m – rα) = g m mod p.

5. CS470, A.SelcukElGamal Cryptosystem5 ElGamal – Signature Security: –Only one who knows α can sign; can be verified by β. –Solving α from β, or s from r, m, β, is discrete log. –Other ways of forgery? Unknown. –Same k should not be used repeatedly. Variations: –Many variants, by changing the “signing equation”, m = rα + sk. –E.g., the DSA way: m = –rα + sk with verification: β r g m ≡ r s (mod p)? (≡ g m + rα )

6. CS470, A.SelcukElGamal Cryptosystem6 Schnorr Signature Let q | (p-1) be prime, and g  Z p * be of order q. Schnorr group: The subgroup in Z p * generated by g, of prime order q. = {1, g, g 2, …, g q-1 } Fact: q can be much shorter than p (e.g. 160 vs. 1024 bits), and the hardness of DLP in remains the same.

7. CS470, A.SelcukElGamal Cryptosystem7 Schnorr Signature Parameters: prime p, prime q | (p-1), and g  Z p * of order q. Hash fnc. H: {0,1}*  Z q. Keys: α  Z q is private; β = (g α mod p) is public. Signature: (r,s) where –v = g k mod p –r = H(M ‖ v) –s = (k − r α) mod q Verification: –v’ = g s β r mod p –r = H(M ‖ v’) ? Advantage: Reduced size & complexity

8. CS470, A.SelcukElGamal Cryptosystem8 Digital Signature Algorithm (DSA) US government standard, by NSA. Based on ElGamal & Schnorr: –patent-free (ElGamal) –can’t be used for encryption Objections: –ElGamal was not analyzed as much as RSA –slower verification –industry had already invested in RSA –closed-door design

9. CS470, A.SelcukElGamal Cryptosystem9 DSA (cont’d) Parameters: The same as Schnorr’s. Signature: (r,s) where –v = g k mod p –r = v mod q –s = (H(M) + r α) k -1 mod q Verification: –v’ = g H(M) s^(-1) β r s^(-1) mod p –r = v’ mod q ? (compared to Schnorr?)

10. CS470, A.SelcukElGamal Cryptosystem10 Elliptic Curve Cryptosystems Generalized Discrete Log Problem: –For any group (G, ), for x  G, define x n = x x... x (n times) –DLP: For y = x n, given x, y, what is n? Elliptic curves over Z p : –Set of points (x, y)  Z p x Z p that satisfy y 2 ≡ x 3 + ax + b (mod p) and an additional point of infinity, 0. –Group operation: PQ is the inverse of where the line thru P & Q intersects the curve. (inverse of P = (x, y) is defined as P -1 = (x, -y).) –Well-defined, provided that 4a 3  -27b 2 (mod p).

11. CS470, A.SelcukElGamal Cryptosystem11 Elliptic Curve Cryptosystems (cont’d) EC example over R 2 :

12. CS470, A.SelcukElGamal Cryptosystem12 Elliptic Curve Cryptosystems (cont’d) Facts for an EC over a finite field: –Exponentiation is efficient. –DLP is hard. In fact, harder than in Z p. (no sub-exponential algorithm is known) Hence, DH, ElGamal, etc. can be used with smaller key sizes over ECs. (160-bit EC ~ 1024-bit RSA) Popular for constrained devices (e.g., smart cards) Advantages over RSA: –smaller key size –compact in hardware –faster (for private key operations) Licensed by NSA.