El Gamal and Diffie Hellman ElGamal Cryptosystem In Practice Diffie-Hellman DSA El Gamal and Diffie Hellman CSCI284, 162 Spring 2009 GWU

The ElGamal Cryptosystem is based on the Discrete Log problem: Given a multiplicative group G, an element  G such that o() = n, and an element  <> Find the unique integer x, 0  x  n-1 such that  = x x denoted as log Not known to be doable in polynomial time, however exponentiation is. Hence DL is a possible one-way function 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

CS284-162/Spring09/GWU/Vora/ElGamal El Gamal Cryptosystem Let p a prime such that DL in Zp* is infeasible Let  Zp* be a primitive element P = Zp* C = Zp* X Zp* and K = {(p, , a, ): =a (mod p)} public key = (p, , ) and private key = a For a secret random number k Zp-1 eK(x, k) = (y1, y2) y1 = k mod p y1 = xk mod p dK (y1, y2) = y2( y1a)-1 mod p 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

CS284-162/Spring09/GWU/Vora/ElGamal Example p = 2579  = 2 a = 1391 Encrypt message: 2079 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

CS284-162/Spring09/GWU/Vora/ElGamal Practicalities More efficient attacks possible unless elliptic curve DL, for which these efficient attacks are not known. Modulus required for security: 2160 with elliptic curves 21880 without DL over elliptic curves very hot problem. 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

Diffie-Hellman Key Exchange Protocol for exchanging secret key over public channel. Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all. 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange contd. Alice privately selects random b and sends to Bob b mod p. Bob privately selects random c and sends to Alice c mod p. Alice and Bob privately compute bc mod p which is their shared secret. An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem. This is a key agreement protocol. 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

Diffie-Hellman problem Given a multiplicative group G, an element G of order n and two elements ,   <> Computational Diffie-Hellman: Find  such that log   log   log (mod n) Equivalently, given b, and c find bc Decision Diffie-Hellman Given an additional   <> Determine if log   log   log (mod n) Equivalently, given b, c, and d determine if d  bc (mod n) 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

CS284-162/Spring09/GWU/Vora/ElGamal An attack Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack. Mallory captures b and c in transmission and replaces with own b’ and c’. Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob. 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

Digital Signatures

CS284-162/Spring09/GWU/Vora/ElGamal Definition P: set of plaintext S: set of signatures K: keyspace private function: sigk: P  S public function: verK : P X S  {true, false} verK(m, s) = true iff sigK(m) = s; else verK(m, s) = false {m, sigK(m)} is a signed message 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

RSA encryption can be used for signatures Attacks: incorrect public key, no message attack Protection from attacks: use redundancy functions, for example, message is of the form of two identical concatenated strings Signatures on digests. Requirements of hash function? 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal

El Gamal Digital Signature, basis for DSA DSA uses SHA-1 in addition to a DS scheme For a key K= (p, , , a);  = a mod p; a private Choose random k invertible mod p-1 sigK(x, k) = (=k mod p, =(x-a)k-1 mod p-1) verK(x, (G, D)) = true  GGD=x mod p 2/28/2019 CS284-162/Spring09/GWU/Vora/ElGamal