ElGamal Cryptosystem and variants - PowerPoint PPT Presentation

About This Presentation
Title:

ElGamal Cryptosystem and variants

Description:

ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk ElGamal Encryption Parameters: p, a large prime g, a ... – PowerPoint PPT presentation

Number of Views:453
Avg rating:3.0/5.0
Slides: 13
Provided by: AliAydi
Category:

less

Transcript and Presenter's Notes

Title: ElGamal Cryptosystem and variants


1
ElGamal Cryptosystemand variants
  • CS 470
  • Introduction to Applied Cryptography
  • Instructor Ali Aydin Selcuk

2
ElGamal Encryption
  • Parameters
  • p, a large prime
  • g, a generator of Zp
  • a ? Zp-1, ß ga mod p
  • p, g, ß public a private
  • Encryption
  • generate random, secret k ? Zp-1.
  • E(x, k) (r, s), where r gk mod p s xßk
    mod p
  • D(r, s) s(ra)-1 mod p xgakg-ak mod p x.

3
ElGamal Encryption
  • Plaintext x is masked by a random factor, gak mod
    p.
  • DH problem Given ga, gk mod p, what is gak mod
    p?
  • p, g can be common. Then gk mod p can be computed
    in advance.
  • Same k should not be used repeatedly.
  • Performance
  • encryption two exponentiations
  • decryption one exponentiation, one inversion
  • Size Ciphertext twice as large as plaintext.

4
ElGamal Signature
  • Parameters The same as encryption.
  • Signature
  • generate random, secret k ? Zp-1.
  • S(m, k) (r, s), where r gk mod p s (m
    ra)k-1 mod (p 1) (i.e., m ra sk )
  • Verification
  • Is ßrrs gm (mod p) ?
  • ßrrs gargk(m ra)k(-1) gar (m ra) gm
    mod p.

5
ElGamal Signature
  • Security
  • Only one who knows a can sign can be verified by
    ß.
  • Solving a from ß, or s from r, m, ß, is discrete
    log.
  • Other ways of forgery? Unknown.
  • Same k should not be used repeatedly.
  • Variations
  • Many variants, by changing the signing
    equation, m ra sk.
  • E.g., the DSA way m ra skwith
    verification ßrgm rs (mod p)? ( gm ra)

6
Schnorr Signature
  • Let q (p-1) be prime, and g ? Zp be of order
    q.
  • Schnorr group The subgroup in Zp generated by
    g, of prime order q.
  • ltggt 1, g, g2, , gq-1
  • Fact q can be much shorter than p (e.g. 160 vs.
    1024 bits), and the hardness of DLP in ltggt
    remains the same.

7
Schnorr Signature
  • Parameters prime p, prime q (p-1), and g ? Zp
    of order q. Hash fnc. H 0,1 ? Zq.
  • Keys a ? Zq is private ß (ga mod p) is
    public.
  • Signature (r,s) where
  • v gk mod p
  • r H(M?v)
  • s (k - r a) mod q
  • Verification
  • v gs ßr mod p
  • r H(M?v) ?
  • Advantage Reduced size complexity

8
Digital Signature Algorithm (DSA)
  • US government standard, by NSA.
  • Based on ElGamal Schnorr
  • patent-free (ElGamal)
  • cant be used for encryption
  • Objections
  • ElGamal was not analyzed as much as RSA
  • slower verification
  • industry had already invested in RSA
  • closed-door design

9
DSA (contd)
  • Parameters The same as Schnorrs.
  • Signature (r,s) where
  • v gk mod p
  • r v mod q
  • s (H(M) r a) k-1 mod q
  • Verification
  • v gH(M) s(-1) ßr s(-1) mod p
  • r v mod q ?
  • (compared to Schnorr?)

10
Elliptic Curve Cryptosystems
  • Generalized Discrete Log Problem
  • For any group (G, ), for x ? G, define xn x
    x ... x (n times)
  • DLP For y xn, given x, y, what is n?
  • Elliptic curves over Zp
  • Set of points (x, y) ? Zp x Zp that satisfy y2
    x3 ax b (mod p)and an additional point of
    infinity, 0.
  • Group operation PQ is the inverse of where the
    line thru P Q intersects the curve. (inverse of
    P (x, y) is defined as P-1 (x, -y).)
  • Well-defined, provided that 4a3 ? -27b2 (mod p).

11
Elliptic Curve Cryptosystems (contd)
  • EC example over R2

12
Elliptic Curve Cryptosystems (contd)
  • Facts for an EC over a finite field
  • Exponentiation is efficient.
  • DLP is hard. In fact, harder than in Zp. (no
    sub-exponential algorithm is known)
  • Hence, DH, ElGamal, etc. can be used with smaller
    key sizes over ECs. (160-bit EC 1024-bit RSA)
  • Popular for constrained devices (e.g., smart
    cards)
  • Advantages over RSA
  • smaller key size
  • compact in hardware
  • faster (for private key operations)
  • Licensed by NSA.
Write a Comment
User Comments (0)
About PowerShow.com