ElGamal Public-Key Systems over GF(p) & GF(2^m)


Network Security Design Fundamentals ET-IDA-082, Tutorial-9: ElGamal Public-Key Systems over GF(p) & GF(2^m)
11.05.2016, v28, Prof. W. Adi

ElGamal Secrecy-System over GF(p)

ElGamal Secrecy-System (1985)
User A sends M to B, user B receives.
Public: α = primitive element in GF(p)
Xa = secret key of A, ya = α^Xa = public key of A
Xb = secret key of B, yb = α^Xb = public key of B
User A (sender):
  Random generator: R = 0 ... p-1 (a new R is needed for every message)
  r = α^R
  Z = (yb)^R = α^(Xb·R)
  C = M · α^(Xb·R)
  C and r are sent to B, m bits each, m = log2 p
User B (receiver):
  -Xb = (p-1) - Xb
  Z^-1 = (r)^(-Xb) = α^(-Xb·R)
  M = C · Z^-1
Notice: The scheme applies similarly over GF(2^m) with α as a primitive element in that field.

Example 1: Set up an ElGamal encryption system using GF(11). Send the message M = 10 from user A to B. The secret key of B is 9 and for A is 7.
Solution 1:
p = 11 = 2·5 + 1. Possible orders = divisors of p-1 = 2×5, that is 1, 2, 5, 10.
Computing the order of α = 2: 2^2 = 4 ≠ 1, 2^3 = 8, 2^4 = 5, 2^5 = 10 ≠ 1, 2^6 = 9, 2^7 = 7, 2^8 = 3, 2^9 = 6, 2^10 = 1 => order of 2 is 10 => 2 is a primitive element!
Public: α = 2 = primitive element in GF(11)
Xa = 7 = secret key of A, ya = α^Xa = 2^7 = 7 = public key of A
Xb = 9 = secret key of B, yb = α^Xb = 2^9 = 6 = public key of B
User A (sender), M = 10:
  Random generator: R = 0 ... p-1, we select R = 8
  r = α^R = 2^8 = 3
  (yb)^R = 6^8 = (2^9)^8 = 2^(72 mod 10) = 2^2 = 4
  C = M · α^(Xb·R) = 10 · 4 = 7
  m = log2 p = 4
User B (receiver), C = 7, r = 3:
  -Xb = (p-1) - Xb: -9 = (11-1) - 9 = 1
  (r)^(-Xb) = (3)^1 = 3
  M = 7 · 3 = 21 mod 11 = 10

Example 2: Set up an ElGamal encryption system using GF(29). Send the message M = 17 from user A to B. The secret key of B is 4 and for A is 7.
Solution 2:
p = 29 = 2·2·7 + 1. Possible orders = divisors of p-1 = 2×2×7, that is 1, 2, 4, 7, 14, 28.
Computing the order of α = 3: 3^1 = 3, 3^2 = 9 ≠ 1, 3^4 = 9^2 = 81 = 23 ≠ 1, 3^7 = 3^4·3^3 = 23·27 = 12 ≠ 1, 3^14 = (3^7)^2 = (12)^2 = 28 ≠ 1 => 3 is a primitive element!
Public: α = 3 = primitive element in GF(29)
Xa = 7 = secret key of A, ya = α^Xa = 3^7 = 12 = public key of A
Xb = 4 = secret key of B, yb = α^Xb = 3^4 = 23 = public key of B
User A (sender), M = 17:
  Random generator: R = 0 ... p-1, we select R = 21
  r = α^R = 3^21
  (yb)^R = (3^4)^21 = 3^(4·21 mod 28) = 1
  C = M · α^(Xb·R) = 17 · (3^84) = 17
  m = log2 29
User B (receiver), C = 17, r = 3^21:
  -Xb = (p-1) - Xb: -4 = (29-1) - 4 = 24
  (r)^(-Xb) = (3^21)^(-4) = 3^(-4·21) = 3^(-84 mod 28) = 3^0 = 1
  M = 17
The selected R is not reasonable! C = 17 = M, no encryption!

Example 3 (alternative solution for 2): Set up an ElGamal encryption system using GF(29). Send the message M = 17 from user A to B. The secret key of B is 4 and for A is 7.
Solution 3: Selecting R = 21 results in a ciphertext C = M. This is an interesting bad selection which can happen in real implementations! Therefore another random integer R = 25 is selected and the solution is repeated as follows:
Public: α = 3 = primitive element in GF(29)
Xa = 7 = secret key of A, ya = α^Xa = 3^7 = 12 = public key of A
Xb = 4 = secret key of B, yb = α^Xb = 3^4 = 23 = public key of B
User A (sender), M = 17:
  Random generator: R = 0 ... p-1, we select R = 25
  r = α^R = 3^25 = 3^-3
  (yb)^R = α^(Xb·R) = (3^4)^25, exponent mod 28, = 3^-12 = 3^16 = 20
  C = M · α^(Xb·R) = 17 · 20 = 21
  m = log2 29
User B (receiver), C = 21, r = 3^-3:
  -Xb = (p-1) - Xb: -4 = (29-1) - 4 = 24
  (r)^(-Xb) = (3^-3)^-4 = 3^(12 mod 28), or (3^-3)^24 = 3^(-72 mod 28)
  3^12 = 16
  M = 17
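The GF(p) examples above, recomputed as an added Python example (not part of the original slides): it checks that α is primitive, reproduces Examples 1 and 3, and lists every R that gives Z = 1, as R = 21 does in Example 2. The function names and the refusal of Z = 1 inside encrypt() are assumptions of this example.

```python
# Added example: ElGamal secrecy system over GF(p) with the tutorial's numbers.
# Function names are illustrative and do not come from the slides.

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for tutorial sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive(alpha, p):
    """alpha is primitive iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def encrypt(m, y_b, alpha, p, r_eph):
    """Return (C, r): Z = y_b^R, C = M*Z, r = alpha^R. Refuses a mask Z = 1."""
    z = pow(y_b, r_eph, p)
    if z == 1:
        raise ValueError("degenerate R: Z = 1, so C would equal M")
    return (m * z) % p, pow(alpha, r_eph, p)

def decrypt(c, r, x_b, p):
    """M = C * r^(-Xb), with -Xb written as (p-1) - Xb in the exponent."""
    return (c * pow(r, (p - 1) - x_b, p)) % p

def degenerate_r(x_b, p):
    """Every R in 0..p-2 with Xb*R = 0 mod (p-1), i.e. Z = alpha^(Xb*R) = 1."""
    return [r for r in range(p - 1) if (x_b * r) % (p - 1) == 0]

if __name__ == "__main__":
    # Example 1: GF(11), alpha = 2, Xb = 9, M = 10, R = 8
    y_b = pow(2, 9, 11)
    c, r = encrypt(10, y_b, 2, 11, 8)
    print(is_primitive(2, 11), y_b, c, r, decrypt(c, r, 9, 11))
    # Examples 2 and 3: GF(29), alpha = 3, Xb = 4, M = 17
    print(is_primitive(3, 29), degenerate_r(4, 29))
    c, r = encrypt(17, pow(3, 4, 29), 3, 29, 25)
    print(c, r, decrypt(c, r, 4, 29))
```

With Xb = 4 and p = 29 the degenerate values are the multiples of 7, because 4·R must be a multiple of p-1 = 28.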

ElGamal Secrecy-System over GF(2^m)

Example 4: Set up an ElGamal public-key encryption system using GF(2^4), which is generated by the irreducible polynomial P(x) = x^4 + x + 1. The secret keys for users A and B are 7 and 12 respectively. Check if you can take α = 1011 as a primitive element. Send the message M = 0101 from user A to B and use the random value R = 13 for this message.
Notice: Many real systems use the ElGamal secrecy system over GF(2^m).
Solution 4: If P(x) = x^4 + x + 1 is the modulus then x^4 + x + 1 = 0, thus x^4 = x + 1. The powers of x in GF(2^4) are:
  x = x                                               0010
  x^2 = x^2                                           0100
  x^3 = x^3                                           1000
  x^4 = x + 1                                         0011
  x^5 = x · x^4 = x^2 + x                             0110
  x^6 = x (x^2 + x) = x^3 + x^2                       1100
  x^7 = x (x^3 + x^2) = x^4 + x^3 = x + 1 + x^3       1011
  x^8 = x^4 + x^2 + x = 1 + x + x^2 + x = 1 + x^2     0101
  x^9 = x^3 + x                                       1010
  x^10 = x^4 + x^2 = x + 1 + x^2                      0111
  x^11 = x^3 + x^2 + x                                1110
  x^12 = x^4 + x^3 + x^2 = x + 1 + x^3 + x^2          1111
  x^13 = x^4 + x^3 + x^2 + x = x^3 + x^2 + 1          1101
  x^14 = x^4 + x^3 + x = x + 1 + x^3 + x = x^3 + 1    1001
  x^15 = x^4 + x = x + 1 + x = 1                      0001
The order of any element is a divisor of 2^4 - 1 = 15 = 3 × 5, that is 1, 3, 5 or 15.
Is α = x^7 = 1011 a primitive element? Order of α = x^7:
  α^3 = (x^7)^3 = x^(21 mod 15) = x^6 = 1100 ≠ 1
  α^5 = (x^7)^5 = x^(35 mod 15) = x^(35 - 2×15) = x^5 ≠ 1
  => α is a primitive element
Another proof: as x is primitive, x^i is also primitive iff gcd(i, 15) = 1 => x^7 is primitive.
Modulus in the exponent is 2^4 - 1 = 15.
Ya = α^Xa = (x^7)^7 = x^(49 mod 15) = x^4 = 0011
Yb = α^Xb = (x^7)^12 = x^(84 mod 15) = x^9 = 1010

Solution 4 (continued):
Public directory: GF(2^4) generated by P(x) = x^4 + x + 1, α = x^7 = 1 + x + x^3 = 1011 (primitive element)
Ya = α^Xa = α^7 = (x^7)^7 = x^(49 mod 15) = x^4 = 0011
Yb = α^Xb = α^12 = (x^7)^12 = x^(84 mod 15) = x^9 = 1010
Xa = 7 = secret key of A, Xb = 12 = secret key of B
User A (sender), M = 0101 = x^8:
  Random generator: R = 0 ... 15, R = 13
  r = α^R = x^(7×13) = x, r = x = 0010
  α^(Xb·R) = (Yb)^R = (x^9)^13 = x^(9×13) = x^(117 mod 15) = x^12
  C = M · α^(Xb·R) = x^8 · x^12 = x^(20 mod 15) = x^5, C = 0110
  Cryptogram sent to B: [ C = 0110, r = 0010 ]
User B (receiver), C = 0110 = x^5:
  -Xb = -12 = 15 - 12 = 3
  (r)^(-Xb) = (x)^3 = x^3
  M = x^5 · x^3 = x^8 = 0101
Modulus in the exponent in GF(2^m) is 2^m - 1.

Example 5: Set up an ElGamal public-key encryption system using GF(2^6), which is generated by the irreducible polynomial P(x) = x^6 + x^3 + 1. The secret keys for users A and B are 22 and 10 respectively. Check if you can take α = 1 + x as a primitive element. Send the message M = 100100 = x^5 + x^2 from user A to B and use the random value R = 20 for this message.
Solution 5:
If P(x) = x^6 + x^3 + 1 is the modulus then x^6 + x^3 + 1 = 0, thus x^6 = x^3 + 1.
  x^7 = x^6 · x = (x^3 + 1) · x = x^4 + x
  x^8 = x^6 · x^2 = (x^3 + 1) · x^2 = x^5 + x^2
  x^9 = x^6 · x^3 = (x^3 + 1) · x^3 = 1 (notice that x is not a primitive element)
The order of any element is a divisor of 2^6 - 1 = 63, that is 1, 3, 7, 9, 21 or 63.
Check the exponents 3, 7, 9, 21 of α = x + 1 in GF(2^6):
  (x+1)^3 = (x+1)^2 · (x+1) = (x^2 + 1) · (x+1) = 1 + x + x^2 + x^3 ≠ 1
  (x+1)^6 = ((x+1)^3)^2 = (1 + x + x^2 + x^3)^2 = 1 + x^2 + x^4 + x^6 = 1 + x^2 + x^4 + x^3 + 1 = x^2 + x^3 + x^4
  (x+1)^7 = (x+1)^6 · (x+1) = (x^2 + x^3 + x^4)(x+1) = x^3 + x^4 + x^5 + x^2 + x^3 + x^4 = x^2 + x^5 ≠ 1
  (x+1)^9 = (x+1)^7 · (x+1)^2 = (x^2 + x^5) · (x^2 + 1) = x^4 + (x^4 + x) + x^2 + x^5 = x + x^2 + x^5 ≠ 1
  (x+1)^12 = ((x+1)^6)^2 = (x^2 + x^3 + x^4)^2 = x^4 + x^6 + x^8 = x^4 + x^3 + 1 + x^5 + x^2 = 1 + x^2 + x^3 + x^4 + x^5
  (x+1)^21 = (x+1)^12 · (x+1)^9 = (1 + x^2 + x^3 + x^4 + x^5) · (x + x^2 + x^5) = 1 + x^3 ≠ 1
As the order of α = (x+1) is not 3 or 7 or 9 or 21 => it is 63 => α is primitive!
Another primitive element is α^2 as:
Probability of picking up a primitive element:
Ya = α^Xa = (x+1)^22 = (x+1)^21 · (x+1) = (1 + x^3) · (x+1) = x + x^4 + 1 + x^3 = 1 + x + x^3 + x^4 = 011011
Yb = α^Xb = (x+1)^10 = (x+1)^9 · (x+1) = (x + x^2 + x^5) · (x+1) = x^2 + x^3 + x^6 + x + x^2 + x^5 = x^3 + (1 + x^3) + x + x^5 = 1 + x + x^5 = 100011
Choosing R = 20 and sending a message M = x^5 + x^2 = (x+1)^7 = α^7 = 100100
Encryption:
  Z = (Yb)^R = (α^10)^20 = α^(200 mod 63) = α^11 = x^2 + x^3 + x^5 = 101100
  r = α^R = (x+1)^20 = α^20 = (α^10)^2 = 1 + x^2 + x = 000111
  C = Z · M = α^11 · α^7 = α^(18 mod 63) = α^18 = x + x^2 + x^4
Decryption:
  Z^-1 = (r)^(-Xb) = (α^20)^-10 = α^(-200 mod 63) = α^-11 = α^52
  M = Z^-1 · C = α^52 · α^18 = α^(70 mod 63) = α^7
Modulus in the exponent is 2^6 - 1 = 63.

Or [ (x+1)^20 ]^(-10+63) = (x+1)^(1060 mod 63) = α^52
Solution 5 (continued):
Public directory: GF(2^6) generated by P(x) = x^6 + x^3 + 1, α = (x+1) (primitive element)
Ya = α^Xa = (x+1)^22 = 1 + x + x^3 + x^4 = 011011
Yb = α^Xb = (x+1)^10 = 1 + x + x^5 = 100011
Xa = 22 = secret key of A, Xb = 10 = secret key of B
User A (sender), M = 100100 = x^5 + x^2 = (x+1)^7 = α^7:
  Random generator: R = 0 ... 63, R = 20
  r = α^20 = (x+1)^20 = 1 + x + x^2 = 000111
  Z = (Yb)^R = (1 + x + x^5)^20 = α^(Xb·R) = (x+1)^(10·20 mod 63) = (x+1)^11
  C = M · α^(Xb·R) = α^7 · α^(10·20) = α^7 · α^11 = α^18
  C = 1 + x^2 + x^4 = 010101
  C = 010110 = (x+1)^18
  Cryptogram sent to B: [ C = 010110, r = 000111 ]
User B (receiver):
  -Xb = -10 + 63 = 53
  [ (x+1)^20 ]^(-Xb) = [ (x+1)^20 ]^53 = (x+1)^(1060 mod 63) = α^52, α^-11 = α^52
  M = α^52 · α^18 = α^(70 mod 63) = α^7 = (x+1)^7 = x^5 + x^2 = 100100
Modulus in the exponent in GF(2^m) is 2^m - 1 = 63.
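ElGamal over GF(2^m) as in Examples 4 and 5, as an added Python example (not part of the original slides): it checks the order of α and computes Yb, C, r and the recovered M for both examples. Field elements are stored as integers whose bits are the polynomial coefficients, so 1011 is 0b1011; the function names are assumptions.

```python
# Added example: ElGamal over GF(2^m); field elements are ints whose bits are
# polynomial coefficients (bit i = coefficient of x^i). Names are illustrative.

def gf_mul(a, b, poly, m):
    """Multiply a*b in GF(2^m) modulo the irreducible polynomial `poly`."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> m:          # degree reached m: subtract (XOR) the modulus
            a ^= poly
    return res

def gf_pow(a, e, poly, m):
    """a^e for nonzero a; the exponent is reduced modulo 2^m - 1."""
    e %= (1 << m) - 1
    res = 1
    while e:
        if e & 1:
            res = gf_mul(res, a, poly, m)
        a = gf_mul(a, a, poly, m)
        e >>= 1
    return res

def order(a, poly, m):
    """Multiplicative order of nonzero a; a is primitive iff it is 2^m - 1."""
    k, t = 1, a
    while t != 1:
        t = gf_mul(t, a, poly, m)
        k += 1
    return k

def elgamal(msg, alpha, x_b, r_eph, poly, m):
    """Return (Yb, C, r, recovered M) for one message sent to user B."""
    y_b = gf_pow(alpha, x_b, poly, m)
    z = gf_pow(y_b, r_eph, poly, m)                 # Z = Yb^R
    c, r = gf_mul(msg, z, poly, m), gf_pow(alpha, r_eph, poly, m)
    z_inv = gf_pow(r, -x_b, poly, m)                # r^(-Xb), exponent mod 2^m - 1
    return y_b, c, r, gf_mul(c, z_inv, poly, m)

if __name__ == "__main__":
    for args in ((0b0101, 0b1011, 12, 13, 0b10011, 4),       # Example 4
                 (0b100100, 0b11, 10, 20, 0b1001001, 6)):    # Example 5
        print(order(args[1], args[4], args[5]),
              [format(v, "0%db" % args[5]) for v in elgamal(*args)])
```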

List of all irreducible polynomials over GF(2) up to degree 11

Factorization of 2^n - 1