IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985


A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Taher ElGamal, IEEE Transactions on Information Theory, July 1985
Suhyung Kim, Yeojeong Yoon, 2010. 2. 25

Outline
- Introduction
- Diffie-Hellman key distribution
- Elgamal Public Key System
- Elgamal Digital Signature Scheme
- Property
- Comparison
- Attacks on the Signature
- Conclusion

Introduction
Public-key encryption (asymmetric cryptosystem)
- First proposed in 1976 in "New Directions in Cryptography" by Diffie and Hellman, which did not produce an algorithm
- RSA cryptosystem (1978): based on the difficulty of factoring large integers
- ElGamal cryptosystem (1985): based on the discrete logarithm problem
[Diagram: A (sender) encrypts with the public key and sends {plaintext}public key; B (receiver) decrypts with the secret key.]

Introduction
RSA Cryptosystem
- "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", published in 1978
- Proposed by Rivest, Shamir, and Adleman
- Uses a computationally difficult problem: breaking it requires factoring large numbers
Receiver A chooses two distinct, fairly large primes p and q, computes n = pq, and publishes n but not p and q. A then computes $\phi(n)$, picks an integer b with $\gcd(b, \phi(n)) = 1$, finds (with the Euclidean algorithm) an integer a with $ab \equiv 1 \pmod{\phi(n)}$, and publishes b but not a.
1. Select p, q (large primes)
2. Calculate $n = p \times q$ and $\phi(n)$
3. Select b such that $\gcd(b, \phi(n)) = 1$
4. Calculate a such that $b \times a \equiv 1 \pmod{\phi(n)}$
Private key: (p, q, a)
Public key: (n, b)
$e_K(x) = x^b \bmod n$
$d_K(y) = y^a \bmod n$

Introduction
Discrete Logarithm Problem (DLP)
The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP), which is as follows:
Given a prime p and values g and y, find x such that $y = g^x \bmod p$.
- For a small value of p, it is easy to solve a DLP by trial and error or exhaustive search.
- For a large value of p, finding discrete logarithms is difficult.
- For a large value of p (p has around 300 decimal digits) it is not possible to solve a DLP using current technology.

Diffie-Hellman key distribution
Public parameters
- p: large prime
- $\alpha$: generator of $Z_p^*$
Secret parameters
- $x_A$ (A's), $x_B$ (B's)
- $x_A = \log_\alpha y_A$, $x_B = \log_\alpha y_B$
Based on the Discrete Logarithm Problem
- p-1 should have at least one "large" prime factor
- If p-1 has only small prime factors, then computing discrete logarithms is easy
[Diagram: A sends $y_A$ to B; B sends $y_B$ to A.]

Elgamal Public Key System
A way to implement the preceding Diffie-Hellman scheme.
- A wants to send B a message m, where $0 \le m \le p-1$
- A chooses a number k uniformly between 0 and p-1
Public parameters
- p: large prime
- $\alpha$: generator of $Z_p^*$
Secret parameters
- k (A's), $x_B$ (B's)
[Diagram: B publishes $y_B$; A sends the ciphertext $(c_1, c_2)$ to B.]

Elgamal Public Key System
k must be used only once. If k is used more than once:
$c_{1.1} \equiv \alpha^k \bmod p$, $c_{1.2} \equiv m_1 K \bmod p$
$c_{2.1} \equiv \alpha^k \bmod p$, $c_{2.2} \equiv m_2 K \bmod p$
Then $m_1/m_2 \equiv c_{1.2}/c_{2.2} \bmod p$, and $m_2$ is easily computed if $m_1$ is known.
Breaking the system is equivalent to solving the Discrete Logarithm Problem
- An adversary can decrypt the ciphertext if the adversary can compute the value $x_B = \log_\alpha y_B$
Decryption
- For $c_1, c_2 \in Z_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
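The encryption, decryption and k-reuse relation from the two slides above, as an added example that is not part of the original slides. The parameters p = 467, α = 2, x_B = 127 and the messages are constructed toy values, the function names are this example's own, and drawing k from 1..p-2 is this example's choice.

```python
import secrets

# Constructed toy parameters (not from the slides); a real p needs hundreds of digits.
P, ALPHA = 467, 2
X_B = 127                          # B's secret key x_B
Y_B = pow(ALPHA, X_B, P)           # B's public key y_B = alpha^x_B mod p


def encrypt(m, k=None):
    """Return (c1, c2) = (alpha^k mod p, m * y_B^k mod p); k is fresh unless forced."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1      # 1 <= k <= p-2, drawn per message
    return pow(ALPHA, k, P), m * pow(Y_B, k, P) % P


def decrypt(c1, c2):
    """B's side: m = c2 * (c1^x_B)^-1 mod p."""
    return c2 * pow(pow(c1, X_B, P), -1, P) % P


def m2_from_reused_k(m1, ct1, ct2):
    """Known m1 plus two ciphertexts made with one k give m2 with no key material."""
    (c11, c12), (c21, c22) = ct1, ct2
    if c11 != c21 or c12 == 0:
        return None                # different k (or m1 = 0): the relation does not hold
    # c12 / c22 = m1 / m2 (mod p)  =>  m2 = m1 * c22 * c12^-1 (mod p)
    return m1 * c22 * pow(c12, -1, P) % P


if __name__ == "__main__":
    ct1, ct2 = encrypt(321, k=77), encrypt(45, k=77)   # same k forced for the demo
    print("reused k  ->", m2_from_reused_k(321, ct1, ct2))
    print("fresh k   ->", m2_from_reused_k(321, ct1, encrypt(45, k=78)))
```

Equal first components across two ciphertexts from the same sender are the observable sign that k was reused.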

Elgamal Digital Signature Scheme
A digital signature provides:
- Data integrity: the content of the message should be kept intact
- Sender's identity: B needs a guarantee that the message it received actually originated from where it says it did
- Non-repudiation: uses the sender's private key for signing
[Diagram: A (sender) to B (receiver), with the callouts "from where?" and "Intact!"]

Elgamal Digital Signature Scheme
The Signing Procedure (A)
- Choose a random number k, uniformly between 0 and p-1, such that $\gcd(k, p-1) = 1$
- $r \equiv \alpha^k \bmod p$
- The signature for m is the pair (r, s), $0 \le r, s < p-1$
- $\alpha^m \equiv y_A^r r^s \equiv \alpha^{x_A r} \alpha^{k s} \bmod p$, which can be solved for s by using
  $m \equiv x_A r + k s \bmod (p-1)$
  $s \equiv (m - x_A r)/k \bmod (p-1)$
The Verification Procedure (B)
- Given m, r, and s, checking

Property
Public Key System
- Encryption operation: two exponentiations are required.
- Decryption operation: only one exponentiation (plus one division) is needed.
- Randomization (against k):
  - The ciphertext for a given message m is not repeated
  - Prevents attacks like a probable text attack
  - No relation between the encryptions of $m_1$, $m_2$, and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$
(Secret) random number $k \in Z_{p-1}$
$e_K(m, k) = (c_1, c_2)$ where $c_1 = \alpha^k \bmod p$ and $c_2 = m y^k \bmod p$
For $c_1, c_2 \in Z_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$

Property
Signature System
- Signing procedure: one exponentiation (plus a few multiplications) is needed.
- Verification procedure: three exponentiations are needed. A table can be made to reduce the exponentiations (1.875 exponentiations).
- The signature is double the size of the document, the same size as that needed for the RSA scheme.
- The number of signatures is $p^2$; the number of documents is only p.
- Each document m has a lot of signatures, but any signature signs only one document.
(Secret) random number $k \in Z_{p-1}^*$
$sig_K(m, k) = (r, s)$ where $r = \alpha^k \bmod p$ and $s = (m - x r) k^{-1} \bmod (p-1)$
$ver_K(m, (r, s)) = \text{true} \Leftrightarrow y^r r^s \equiv \alpha^m \pmod p$

Property
Computation complexity
- Computing discrete logarithms and factoring integers
- m: the number of bits in p
- Best known algorithm is given by where the best estimate for c is 0.69
- Recent computation complexity $O(n^3)$ on elliptic curve (2009) over a 112-bit finite field
- To prevent known attacks, p should have at least 300 digits (D. R. Stinson, "CRYPTOGRAPHY")

Comparison
Comparison with RSA

| Elgamal | RSA |
| --- | --- |
| Security based on the difficulty of the discrete log problem | Security based on the difficulty of the factorization problem |
| The ciphertext is two values c1 and c2 and so is twice the size of the message m | The ciphertext is just one value c which is roughly the same size as the message m |
| Creates longer cipher text | Uses longer keys |
| The encryption and decryption algorithms are different (although both take about the same time to perform) | The encryption and decryption algorithms are the same (modular exponentiation) |

Attacks on the Signature Scheme
The goal of an attack: forging signatures
Breaking a signature scheme (per the Handbook of Applied Cryptography):
- Total break: e.g. recovering the private key
- Selective forgery: forging a signature for a particular message or class of messages chosen a priori
- Existential forgery: forging a signature for at least one message, over which the adversary has no control

Attack: Total break (1/2)
The adversary knows Documents = { $m_i$ : i = 1, 2, ..., l } and the corresponding Signatures = { $(r_i, s_i)$ : i = 1, 2, ..., l }
The adversary tries to solve l equations for the secret key x:
- $\alpha^m = (\alpha^r)^x \cdot r^s \bmod p$ ... (1)
- or $m_i = x \cdot r_i + k_i \cdot s_i \bmod (p-1)$ ... (2)
- or, as a special case, $k_i = c k_j$ (if there are linear dependencies among the unknowns) ... (3)
Hard problems
- (1), (3): computing discrete logarithms over GF(p)
- (2): l+1 unknowns ($\because k_i \ne k_j$, $i \ne j$, $\forall i, j \in \{1, 2, ..., l\}$), so the system of equations is underdetermined

Attack: Total break (2/2)
If any k is used twice in the signing, the private key x can be determined with high probability.
$s_1 = k^{-1}(m_1 - x \cdot r) \bmod (p-1)$ and $s_2 = k^{-1}(m_2 - x \cdot r) \bmod (p-1)$
$\Rightarrow (s_1 - s_2) k = (m_1 - m_2) \bmod (p-1)$
$\Rightarrow k = (s_1 - s_2)^{-1}(m_1 - m_2) \bmod (p-1)$ (if $s_1 - s_2 \ne 0$)
Once k is known, x is easily found.
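The signing equation from the signature slides and the repeated-k key recovery above, worked through as an added example that is not part of the original slides. The parameters p = 467, α = 2, x = 127, the messages and all function names are constructed for this example; it goes slightly beyond the slide by also handling the case where s1 - s2 (or r) is not invertible mod p-1, by testing each candidate against r and y.

```python
from math import gcd

# Constructed toy parameters (not from the slides); a real p needs hundreds of digits.
P, ALPHA = 467, 2
N = P - 1
X = 127                            # signer's secret key x
Y = pow(ALPHA, X, P)               # public key y = alpha^x mod p


def sign(m, k):
    """ElGamal signature: r = alpha^k mod p, s = (m - x r) k^-1 mod (p-1)."""
    if gcd(k, N) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(ALPHA, k, P)
    return r, (m - X * r) * pow(k, -1, N) % N


def verify(m, r, s):
    """Accept iff 1 <= r < p and y^r r^s = alpha^m (mod p)."""
    return 1 <= r < P and pow(Y, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)


def solve_congruence(a, b, n):
    """All z in [0, n) with a*z = b (mod n); empty list if there is none."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    n_d = n // d
    z0 = (b // d) * pow(a // d, -1, n_d) % n_d
    return [z0 + i * n_d for i in range(d)]


def recover_key(m1, sig1, m2, sig2):
    """Return (k, x) from two signatures sharing one k, or None if they do not."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2 or s1 == s2:        # equal r is the visible sign of a repeated k
        return None
    # (s1 - s2) k = m1 - m2 (mod p-1); keep the candidate that reproduces r.
    for k in solve_congruence(s1 - s2, m1 - m2, N):
        if pow(ALPHA, k, P) != r:
            continue
        # x r = m1 - k s1 (mod p-1); keep the candidate that matches y.
        for x in solve_congruence(r, m1 - k * s1, N):
            if pow(ALPHA, x, P) == Y:
                return k, x
    return None
```

With the constructed messages 100 and 200 signed under k = 213, s1 - s2 shares the factor 2 with p-1, so the congruence for k has two solutions and the check against r selects the right one.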

Attack: Selective forgery (1/2)
Given a document m, the adversary tries to find r, s such that $\alpha^m = y^r \cdot r^s \bmod p$
- compute s with fixed r ($= \alpha^j \bmod p$, j chosen at random) ... (1)
- compute r with fixed s ... (2)
Hard problems
- (1): $\alpha^m = y^r \cdot r^s \bmod p$ is a discrete logarithm problem (DLP)
- (2): $\alpha^m = y^r \cdot r^s \bmod p$ is not proved to be at least as hard as computing DLP, but is not feasible to solve in polynomial time

Attack: Selective forgery (2/2)
An adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages:
- Select message m'
- Compute $u = m' \cdot m^{-1} \bmod (p-1)$, $s' = s \cdot u \bmod (p-1)$, and (by the Chinese Remainder Theorem) r' such that $r' = r \cdot u \bmod (p-1)$ and $r' = r \bmod p$
- Verification: $\alpha^{m'} = y^{r'} \cdot r'^{s'} = y^{ru} \cdot r^{su} = (y^r \cdot r^s)^u = (\alpha^m)^u = \alpha^{m'} \bmod p$
How to prevent this attack
- Verify that $1 \le r \le p$ at verification time (ref. Handbook of Applied Cryptography)

Attack: Existential forgery
An adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages:
- Select A, B, C arbitrarily such that $(A \cdot r - C \cdot s)$ is coprime to p-1
- Compute $r' = r^A \cdot \alpha^B \cdot y^C \bmod p$, $s' = s \cdot r'/(A \cdot r - C \cdot s) \bmod (p-1)$, and $m' = r'(A m + B s)/(A r - C s) \bmod (p-1)$
- The adversary may claim that (r', s') is the signature of the message m'
How to prevent this attack
- Use a one-way hash function: $\alpha^{h(m)} = (\alpha^r)^x \cdot r^s$
- Note: m' is not an arbitrary message
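The two verifier-side defences from the selective-forgery (2/2) and existential-forgery slides, as an added example written as test vectors for a verifier; it is not part of the original slides. The parameters p = 467, α = 2, x = 127, the fixed k = 213, the choice of SHA-256 for h, and every function name are assumptions of this example.

```python
import hashlib

# Constructed toy parameters (not from the slides); a real p needs hundreds of digits.
P, ALPHA, X, K = 467, 2, 127, 213
N = P - 1
Y = pow(ALPHA, X, P)                       # public key y = alpha^x mod p


def sign(m):
    """Signer's side for m in [0, p-1). K is fixed only to keep the demo repeatable."""
    r = pow(ALPHA, K, P)
    return r, (m - X * r) * pow(K, -1, N) % N


def verify(m, r, s, check_range=True):
    """y^r r^s = alpha^m (mod p), preceded by the range check on r unless disabled."""
    # The Handbook of Applied Cryptography states the bound as 1 <= r <= p-1.
    if check_range and not 1 <= r < P:
        return False
    return pow(Y, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)


def h(msg):
    """Digest reduced mod p-1 (SHA-256 is this example's choice of one-way hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def verify_hashed(msg, r, s):
    """Hardened verifier: range check on r and alpha^h(m) in place of alpha^m."""
    return verify(h(msg), r, s)


def selective_vector(m, r, s, m_new):
    """Selective forgery (2/2) slide: (r', s') for a chosen m_new, built without x."""
    u = m_new * pow(m, -1, N) % N
    r_new = r + P * ((r * u - r) % N)      # CRT: r' = r (mod p), r' = r*u (mod p-1)
    return r_new, s * u % N


def existential_vector(m, r, s, a, b, c):
    """Existential forgery slide: (m', r', s'); m' falls out of the formula."""
    d = pow(a * r - c * s, -1, N)          # needs gcd(a*r - c*s, p-1) = 1
    r_new = pow(r, a, P) * pow(ALPHA, b, P) * pow(Y, c, P) % P
    return r_new * (a * m + b * s) * d % N, r_new, s * r_new * d % N
```

The selective vector only passes with `check_range=False`, because its r' is at least p. The existential vector has r' below p and passes the range check, so only `verify_hashed` addresses it: the computed m' would have to be the digest of a message the forger can name.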

Conclusion
- The proposed cryptosystem and signature scheme are based on the difficulty of computing discrete logarithms over finite fields
- A good generator for random numbers is needed ($k_i \ne k_j$)
- Elgamal's scheme is rarely used in practice, but many variants have been proposed, notably DSA

Question or Comment