Cryptology Design Fundamentals


Cryptology Design Fundamentals (Fundamentals of Cryptographic System Design)
Module ID: ET-IDA-048, 11.12.2018, v39, Prof. W. Adi
Tutorial-9: ElGamal Public-Key Systems over GF(p) & GF($2^m$)

ElGamal Secrecy-System (1985)

Block diagram: user A sends M to user B; $\alpha$ is a primitive element in GF(p).

Keys: $X_a$ = secret key of A, $X_b$ = secret key of B; $y_a = \alpha^{X_a}$ = public key of A, $y_b = \alpha^{X_b}$ = public key of B.

Sender A: a random generator supplies $R = 0 \ldots p-1$; a new R is needed for every message. A computes $Z = (y_b)^R = \alpha^{X_b \cdot R}$, $r = \alpha^R$ and $C = M \cdot \alpha^{X_b \cdot R}$, and sends $r$ and $C$ (m bits each, $m = \log_2 p$).

Receiver B: computes $Z^{-1} = (r)^{-X_b} = \alpha^{-X_b \cdot R}$, where $-X_b = (p-1) - X_b$, and recovers $M = C \cdot Z^{-1}$.

Notice: The scheme applies similarly over GF($2^m$) with $\alpha$ as a primitive element in that field.

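ElGamal Signature Scheme

Block diagram: user A signs M; a verifier checks the signed message.

Public directory: $p$, $\alpha$, $y_a$, where $\alpha$ is primitive in GF(p), $X_a$ = secret key of A and $y_a = \alpha^{X_a}$ = public key of A.

Signer A: k is a random unit in $Z_{p-1}$, that is $\gcd(k, p-1) = 1$. A computes $r = \alpha^k$ and $S = k^{-1}(M - r \cdot X_a) \bmod (p-1)$. The signed message is M, r, S.

Verifier: if $\alpha^M = y_a^{\,r} \cdot r^S \bmod p$, then M is authentic.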

ElGamal Secrecy-System over GF(p)

Problem 1: Set up an ElGamal encryption system using GF(11). Send the message M = 10 from user A to B. The secret key of B is 9 and for A is 7.

Solution 1: $\alpha = 2$ = primitive element in GF(11).
Computing the order of $\alpha = 2$: $2^2 = 4 \neq 1$, $2^3 = 8$, $2^4 = 5$, $2^5 = 10 \neq 1$, $2^6 = 9$, $2^7 = 7$, $2^8 = 3$, $2^9 = 6$, $2^{10} = 1$ $\Rightarrow$ the order of 2 is 10 $\Rightarrow$ 2 is a primitive element!
$p = 11 = 2 \cdot 5 + 1$. Possible orders = divisors of $p-1 = 2 \times 5$, that is 1, 2, 5, 10.

Block diagram values (user A sends M to B, user B receives):
$X_a = 7$ = secret key of A, $y_a = \alpha^{X_a} = 2^7 = 7$ = public key of A.
$X_b = 9$ = secret key of B, $y_b = \alpha^{X_b} = 2^9 = 6$ = public key of B.
Random generator: $R = 0 \ldots p-1$, we select R = 8. $m = \log_2 p = 4$.
$Z = (y_b)^R = 6^8 = (2^9)^8 = 2^{72 \bmod 10} = 2^2 = 4$.
$r = \alpha^R = 2^8 = 3$.
$C = M \cdot \alpha^{X_b \cdot R} = 10 \cdot 4 = 7$.
$-X_b = (p-1) - X_b$: $-9 = (11-1) - 9 = 1$.
$Z^{-1} = (3)^{-X_b} = (3)^1$.
$M = C \cdot Z^{-1} = 21 \bmod 11 = 10$.

Problem 2: Set up an ElGamal encryption system using GF(29). Send the message M = 17 from user A to B. The secret key of B is 4 and for A is 7.

Solution 2: $\alpha = 3$ = primitive element in GF(29).
Computing the order of $\alpha = 3$: $3^1 = 3$, $3^2 = 9 \neq 1$, $3^4 = 9^2 = 81 = 23 \neq 1$, $3^7 = 3^4 \cdot 3^3 = 23 \cdot 27 = 12 \neq 1$, $3^{14} = (3^7)^2 = (12)^2 = 28 \neq 1$ $\Rightarrow$ 3 is a primitive element!
$p = 29 = 2 \cdot 2 \cdot 7 + 1$. Possible orders = divisors of $p-1 = 2 \times 2 \times 7$, that is 1, 2, 4, 7, 14, 28.

Block diagram values (user A sends M to B, user B receives):
$X_a = 7$ = secret key of A, $y_a = \alpha^{X_a} = 3^7 = 12$ = public key of A.
$X_b = 4$ = secret key of B, $y_b = \alpha^{X_b} = 3^4 = 23$ = public key of B.
Random generator: $R = 0 \ldots p-1$, we select R = 21. $m = \log_2 29$.
$Z = (y_b)^R = (3^4)^{21}$, and $\alpha^{4 \cdot 21 \bmod 28} = 1$.
$r = 3^R = 3^{21}$.
$C = M \cdot \alpha^{X_b \cdot R} = 17 \cdot (3^{84}) = 17$, so C = 17 = M!
$-X_b = (p-1) - X_b$: $-4 = (29-1) - 4 = 24$.
$Z^{-1} = (3^{21})^{-4} = 3^{-4 \cdot 21} = 3^{-84 \bmod 28} = 3^0 = 1$, so M = 17.

The selected R is not reasonable! C = M, no encryption!

Problem 3 (alternative solution for 2): Set up an ElGamal encryption system using GF(29). Send the message M = 17 from user A to B. The secret key of B is 4 and for A is 7.

Solution 3: Selecting R = 21 results in a ciphertext C = M. This is an interesting bad selection which can happen in real implementations! Therefore another random integer R = 25 is selected and the solution is repeated as follows.

Block diagram values (user A sends M to B, user B receives), with $\alpha = 3$ = primitive element in GF(29):
$X_a = 7$ = secret key of A, $y_a = \alpha^{X_a} = 3^7 = 12$ = public key of A.
$X_b = 4$ = secret key of B, $y_b = \alpha^{X_b} = 3^4 = 23$ = public key of B.
Random generator: $R = 0 \ldots p-1$, we select R = 25. $m = \log_2 29$.
$Z = (y_b)^R = \alpha^{X_b \cdot R} = (3^4)^{25 \bmod 28} = 3^{-12} = 3^{16} = 20$.
$r = 3^{25} = 3^{-3}$.
$C = M \cdot \alpha^{X_b \cdot R} = 17 \cdot 20 = 21$.
$-X_b = (p-1) - X_b$: $-4 = (29-1) - 4 = 24$.
$Z^{-1} = (3^{-3})^{-4} = 3^{12 \bmod 28}$, equivalently $(3^{-3})^{24} = 3^{-72 \bmod 28}$; $3^{12} = 16$.
M = 17.
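The computations of Problems 1 to 3, together with a check for the degenerate mask Z = 1 that made C = M for R = 21, as an added Python example (not part of the original slides; all function names are assumptions of this sketch, and the parameters are the tutorial's toy values):

```python
# Added example, not from the slides: textbook ElGamal over GF(p) with the
# tutorial's toy parameters. All function names are assumptions of this sketch.

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive(alpha, p):
    """alpha generates GF(p)* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def encrypt(M, R, yb, alpha, p):
    """Sender side: r = alpha^R, Z = yb^R, C = M*Z mod p. Returns (r, C, Z)."""
    Z = pow(yb, R, p)
    return pow(alpha, R, p), (M * Z) % p, Z

def decrypt(r, C, Xb, p):
    """Receiver side: Z^-1 = r^((p-1) - Xb), M = C * Z^-1 mod p."""
    return (C * pow(r, (p - 1) - Xb, p)) % p

def degenerate_R(yb, p):
    """Every R in 1..p-2 whose mask Z = yb^R equals 1, so that C would equal M."""
    return [R for R in range(1, p - 1) if pow(yb, R, p) == 1]

def encrypt_checked(M, R, yb, alpha, p):
    """Like encrypt, but refuses an R whose mask is 1 (Solution 2's R = 21)."""
    r, C, Z = encrypt(M, R, yb, alpha, p)
    if Z == 1:
        raise ValueError("Z = 1: ciphertext would equal the plaintext, pick a new R")
    return r, C

if __name__ == "__main__":
    print(encrypt(10, 8, pow(2, 9, 11), 2, 11))    # Problem 1
    print(encrypt(17, 21, pow(3, 4, 29), 3, 29))   # Problem 2: Z = 1, C = M
    print(degenerate_R(pow(3, 4, 29), 29))         # every bad R for y_b = 23
    print(encrypt_checked(17, 25, 23, 3, 29))      # Problem 3
```

For $y_b = 23$ the bad values are the multiples of 7, because $y_b = 3^4$ has order $28 / \gcd(4, 28) = 7$; in Problem 1, $\gcd(9, 10) = 1$ and no R in 1..p-2 is degenerate.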

Problem 4: ElGamal Crypto-System over GF(179): Send the message M = 75 from user A to B. The secret key of B is 130 and for A is 102.

Solution: To ensure a good choice of the field, take $p = 2q + 1$ and choose q as a prime such that p is also a prime according to the Pocklington theorem:
Let q = 89 $\Rightarrow$ $p = 2 \times 89 + 1 = 179$ (1)

Pocklington's three conditions for p = prime are (we select a = 11):
$11^{179-1} \bmod 179 = 1$
$\gcd(11^{(179-1)/89} - 1, 179) = \gcd(11^2 - 1, 179) = 1$
$\sqrt{179} < \sqrt{89}$
All the 3 conditions are valid $\Rightarrow$ 179 is a prime.

Seeking a primitive element: Possible orders are divisors of $p-1 = 179-1 = 178 = 2 \times 89$, from (1) $\Rightarrow$ possible orders: 1, 2, 89, 179.
Number of primitive elements: $\varphi(178) = \varphi(2 \times 89) = (2-1)(89-1) = 88$.
Let's take a random $\alpha = 5$ and check if it is primitive: $5^1 \neq 1$ AND $5^2 \neq 1$ AND $5^{89} = 1$ $\Rightarrow$ 5 is not primitive.
Let's take a random $\alpha = 6$ and check if it is a primitive element: $6^1 \neq 1$ AND $6^2 = 36 \neq 1$ AND $6^{89} \neq 1$ $\Rightarrow$ 6 is a primitive element.

Solution 4: ElGamal Crypto-System over GF(179)

A signs the contract M = 75 (Ref. Fig. (6)):
Let's choose K such that $\gcd(K, (179-1)) = 1$: K = 11, $K^{-1} = 81$.
$r = 6^{11} = 35$
$S = K^{-1}(M - r \cdot X_a) \bmod (p-1) = 81(75 - 35 \times 102) \bmod 178 = 103$
That is, message + signature: M, r, S = 75, 35, 103.
A sends only r, S = 35, 103 as signature as A knows M.

Verification on side A: if $\alpha^M = y_a^{\,r} \cdot r^S \bmod p$ then M is authentic.
$\alpha^M = 6^{75} = 98$
$y_a^{\,r} \cdot r^S = 172^{35} \times 35^{103} = 98 = \alpha^M$ $\Rightarrow$ Signature is authentic.

Q: Are there any security threats if M is signed directly (without any change)?

Open directory set up: $Y_a = 6^{102} = 172$, $Y_b = 6^{130} = 3$.
Secret keys: $X_a = 102$, $X_b = 130$.

A encrypts M = 75 to B (Ref. Fig. (5)).
Encryption on the side of A:
Random value $R_1 = 7$
$Z = (Y_b)^{R_1} = 3^7 \bmod 179 = 39$
$C = M \cdot Z = 75 \times 39 = 61$
$r = \alpha^{R_1} = 6^7 = 159$
For M = 75: $Y_{A \to B} = r, C$. The cryptogram is: $Y_{A \to B} = 159, 61$.

Decryption on the side of B:
$Z^{-1} = r^{-X_b} = 159^{-130+178} = 159^{48} \bmod 179 = 101$
$M = C \cdot Z^{-1} = 61 \times 101 \bmod 179 = 75$, q.e.d.

Fig. (5): Solution 4, ElGamal Crypto-System over GF(179), message encryption (block diagram). User A encrypts M = 75, user B decrypts C. $\alpha = 6$ = primitive element in GF(179).
$X_a = 102$ = secret key of A, $y_a = \alpha^{X_a} = 6^{102} = 172$ = public key of A.
$X_b = 130$ = secret key of B, $y_b = \alpha^{X_b} = 6^{130} = 3$ = public key of B.
Random generator: $R = 0 \ldots p-1$, we select R = 7.
$Z = (y_b)^R = (3)^R = 39$, $r = \alpha^R = 6^7 = 159$, $C = M \cdot \alpha^{X_b \cdot R} = 61$.
$-X_b = (p-1) - X_b = (179-1) - 130 = 48$, $(159)^{-X_b} = 101$, $M = 61 \cdot 101 \bmod 179 = 75$.

Fig. (6): Solution 4, ElGamal Crypto-System over GF(179), signature generation (block diagram). User A signs M; verifier.
Public directory: $p$, $\alpha$, $y_a$; $\alpha$ is primitive in GF(p) ($\alpha = 6$, p = 179).
$X_a$ = secret key of A ($X_a = 102$); $y_a = \alpha^{X_a}$ = public key of A ($\alpha^{102} = 6^{102}$).
k is a random unit in $Z_{p-1}$, that is $\gcd(k, p-1) = 1$; $r = \alpha^k$ (= 35); $S = k^{-1}(M - r \cdot X_a) \bmod (p-1)$ (= 103).
Signed message: M (= 75), r (= 35), S (= 103).
Verifier: if $\alpha^M = y_a^{\,r} \cdot r^S \bmod p$ then M is authentic: $\alpha^M = 6^{75} = 98$, $y_a^{\,r} \cdot r^S = 172^{35} \times 35^{103} = 98$.

Problem 5: ElGamal Crypto-System over GF(263): Send the message M = 35 from user A to B. The secret key of A is 40 and for B is 113; use the random value R = 22 for this message.

Solution: To ensure a good choice of the field, take $p = 2q + 1$ and choose q as a prime such that p is also a prime according to the Pocklington theorem:
Let q = 41 $\Rightarrow$ $p = 2 \times 131 + 1 = 263$ (1)

Pocklington's three conditions for p = prime are (we select a = 11):
$11^{263-1} \bmod 263 = 1$
$\gcd(11^{262/131} - 1, 179) = \gcd(11, 179) = 1$
$131 > \sqrt{263}$
All the 3 conditions are valid $\Rightarrow$ 263 is a prime.

Seeking a primitive element: Possible orders are divisors of $p-1 = 263-1 = 262 = 2 \times 131$, from (1) $\Rightarrow$ possible orders: 1, 2, 131, 262.
Number of primitive elements: $\varphi(262) = \varphi(2 \times 131) = (2-1)(131-1) = 130$.
Let's take a random $\alpha = 12$ and check if it is primitive: $12^1 \neq 1$ AND $12^2 \neq 1$ AND $12^{131} = 1$ $\Rightarrow$ 12 is not primitive.
Let's take a random $\alpha = 8$ and check if it is a primitive element: $8^1 \neq 1$ AND $8^2 = 36 \neq 1$ AND $8^{131} = 1$ $\Rightarrow$ 8 is not a primitive element.
Let's take a random $\alpha = 11$ and check if it is a primitive element: $11^1 \neq 1$ AND $11^2 \neq 1$ AND $11^{131} = 1$ $\Rightarrow$ 11 is not a primitive element.
Let's take a random $\alpha = 7$ and check if it is a primitive element: $7^1 \neq 1$ AND $7^2 \neq 1$ AND $7^{131} \neq 1$ $\Rightarrow$ 7 is a primitive element.

Solution 5: ElGamal Crypto-System over GF(263)

Open directory set up: $\alpha = 7$, $Y_a = 7^{40} \bmod 263 = 166$, $Y_b = 7^{113} \bmod 263 = 236$.
Secret keys: $X_a = 40$, $X_b = 113$.

A encrypts M = 35 to B.
Encryption on the side of A:
Random value R = 22
$Z = (Y_b)^R = 236^{22} \bmod 263 = 23$
$C = M \cdot Z = 23 \times 25 \bmod 263 = 16$
$r = \alpha^R = 7^{22} \bmod 263 = 11$
For M = 35: $Y_{A \to B} = r, C$. The cryptogram is: $Y_{A \to B} = 11, 16$.

Decryption on the side of B:
$Z^{-1} = r^{-X_b} = 11^{-113+178} = 11^{-113+262} \bmod 263 = 183$
$M = C \cdot Z^{-1} = 16 \times 183 \bmod 263 = 35$, q.e.d.

B signs the contract M = 35:
Let's choose K such that $\gcd(K, (263-1)) = 1$: K = 121, $K^{-1} = 13$.
$r = \alpha^k = 7^{121} \bmod 263 = 85$
$S = K^{-1}(M - r \cdot X_b) \bmod (p-1) = 13(35 - 85 \times 113) \bmod 262 = -222 \bmod 262 = 40$
Signature: r, S = 85, 40.
B sends only r, S = 35, 103 as signature as A knows M.

Verification on side A: if $\alpha^M = y_b^{\,r} \cdot r^S \bmod p$ then M is authentic.
$\alpha^M = 7^{35} = 67$
$y_b^{\,r} \cdot r^S = 236^{85} \times 85^{40} \bmod 263 = 67 = \alpha^M$ $\Rightarrow$ Signature is authentic.
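The signature computations of Solutions 4 and 5, as an added Python example (not part of the original slides; function names are assumptions of this sketch). The bounds check on r and S in the verifier is also an addition here and does not appear on the slides.

```python
# Added example, not from the slides: ElGamal signing and verification over
# GF(p) with the tutorial's toy parameters. Function names are assumptions.
from math import gcd

def sign(M, X, k, alpha, p):
    """Return (r, S) with r = alpha^k and S = k^-1 (M - r*X) mod (p-1)."""
    if gcd(k, p - 1) != 1:
        # k must be a unit in Z_(p-1), otherwise k^-1 does not exist
        raise ValueError("gcd(k, p-1) != 1: k has no inverse modulo p-1")
    r = pow(alpha, k, p)
    k_inv = pow(k, -1, p - 1)          # modular inverse (Python 3.8+)
    S = (k_inv * (M - r * X)) % (p - 1)
    return r, S

def verify(M, r, S, y, alpha, p):
    """Accept iff alpha^M == y^r * r^S mod p, with r and S inside their ranges."""
    # Range check added in this sketch (not on the slides): values outside
    # 0 < r < p or 0 <= S < p-1 are rejected before any exponentiation.
    if not (0 < r < p and 0 <= S < p - 1):
        return False
    return pow(alpha, M, p) == (pow(y, r, p) * pow(r, S, p)) % p

if __name__ == "__main__":
    # Solution 4: A signs M = 75 with X_a = 102, K = 11 in GF(179), alpha = 6
    r, S = sign(75, 102, 11, 6, 179)
    print(r, S, verify(75, r, S, pow(6, 102, 179), 6, 179))
    # Solution 5: B signs M = 35 with X_b = 113, K = 121 in GF(263), alpha = 7
    r, S = sign(35, 113, 121, 7, 263)
    print(r, S, verify(35, r, S, pow(7, 113, 263), 7, 263))
```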

ElGamal Secrecy-System over GF($2^m$)

Problem 6: ElGamal Crypto-System over GF($2^6$)
Set up an ElGamal public-key encryption system using GF($2^6$), which is generated by the irreducible polynomial $P(x) = 1 + x^2 + x^4 + x^5 + x^6 = 1110101$. The secret keys for users A and B are 22 and 10 respectively. Check if you can take $\alpha = 0011$ as a primitive element. Send the message $M = \alpha^3$ from user A to B and use the random value R = 43 for this message.
Notice: Many real systems use the ElGamal secrecy system over GF($2^m$).

Solution: For the selected P(x), e = 21; this means ord(x) = 21 (from the table "List of all irreducible Polynomials over GF(2)"): $x^{21} = 1 \bmod P(x)$.
Possible element orders are the divisors of $2^6 - 1 = 63 = 3^2 \times 7$. Possible orders: 1, 3, 7, 9, 21, 63.

Helping computations:
$x^6 = 1 + x^2 + x^4 + x^5$
$x^7 = 1 + x + x^2 + x^3 + x^4$
$x^8 = x + x^2 + x^3 + x^4 + x^5$
$x^9 = 1 + x^3$
$x^{10} = x + x^4$
$x^{11} = x^2 + x^5$
$x^{12} = 1 + x^2 + x^3 + x^4 + x^5$
$x^{16} = (x^8)^2 = 1 + x^2 + x^3$
$x^{21} = 1$

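Solution 6: ElGamal Crypto-System over GF($2^6$)

Seeking a primitive element: Let's take any $\alpha$ and check whether it is a primitive element: $\alpha = (1+x)$.
$\alpha$ is primitive iff $\alpha^1 \neq 1$ AND $\alpha^3 \neq 1$ AND $\alpha^7 \neq 1$ AND $\alpha^9 \neq 1$ AND $\alpha^{21} \neq 1$.
The order of any element is a divisor of $2^6 - 1 = 63$, that is 1, 3, 7, 9, 21 or 63.

Check the exponents 3, 7, 9, 21 of $\alpha = x+1$ in GF($2^6$):
$\alpha^3 = (x+1)^3 = (x+1)^2 (x+1) = (x^2+1)(x+1) = 1 + x + x^2 + x^3 \neq 1$
$\alpha^7 = (x+1)^7 = (x+1)^4 (x+1)^3 = (x+1)^4 (1 + x + x^2 + x^3) = 1 + x^2 + x^4 \neq 1$
$\alpha^9 = (x+1)^9 = (x+1)^7 (x+1)^2 = x^2 + x^4 + x^5 \neq 1$
$\alpha^6 = (\alpha^3)^2 = (1 + x + x^2 + x^3)^2 = x^5$
$\alpha^{21} = \alpha^{12} \cdot \alpha^9 = [\alpha^6]^2 \cdot \alpha^9 = (x^5)^2 (x^2 + x^4 + x^5) = x^{10} (x^2 + x^4 + x^5) = (x + x^4)(x^2 + x^4 + x^5) = 1 + x + x^2 + x^3 + x^4 \neq 1$
As the order of $\alpha = (x+1)$ is not 3 or 7 or 9 or 21 $\Rightarrow$ it is 63 $\Rightarrow$ $\alpha$ is primitive!

Open directory set up: $Y_a = \alpha^{22}$, $Y_b = \alpha^{10}$.
Secret keys: $X_a = 102$, $X_b = 130$.
Random value: R = 43. Message to encrypt: $M = \alpha^3$.

Encryption on the side of A:
$Z = (Y_b)^R = (\alpha^{10})^{43} = \alpha^{430 \bmod 63} = \alpha^{52}$
$r = \alpha^R = (x+1)^{43} = \alpha^{43}$
$C = Z \cdot M = \alpha^{52} \cdot \alpha^3 = \alpha^{55}$

Decryption on the side of B:
$Z^{-1} = (r)^{-X_b} = (\alpha^{43})^{-10+63} = \alpha^{2279 \bmod 63} = \alpha^{11}$
$M = Z^{-1} \cdot C = \alpha^{11} \cdot \alpha^{55} = \alpha^{66 \bmod 63} = \alpha^3$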

Problem 7: ElGamal Crypto-System over GF($2^4$)
$P(x) = (x^4 + x + 1)$ is the irreducible polynomial in the GF. The secret keys for users A and B are 7 and 12 respectively. Check if you can take $\alpha = 1011$ as a primitive element. Send the message M = 0101 from user A to B and use the random value R = 13 for this message.
Notice: Many real systems use the ElGamal secrecy system over GF($2^m$).

Solution 7: If $P(x) = x^4 + x + 1$ is the modulus then $x^4 + x + 1 = 0$, thus $x^4 = x + 1$. The exponents of x in GF($2^4$) are:
$x = x$ : 0010
$x^2 = x^2$ : 0100
$x^3 = x^3$ : 1000
$x^4 = x + 1$ : 0011
$x^5 = x \cdot x^4 = x^2 + x$ : 0110
$x^6 = x (x^2 + x) = x^3 + x^2$ : 1100
$x^7 = x (x^3 + x^2) = (x^4 + x^3) = x + 1 + x^3$ : 1011
$x^8 = x^4 + x^2 + x = 1 + x + x^2 + x = 1 + x^2$ : 0101
$x^9 = x^3 + x$ : 1010
$x^{10} = x^4 + x^2 = x + 1 + x^2$ : 0111
$x^{11} = x^3 + x^2 + x$ : 1110
$x^{12} = x^4 + x^3 + x^2 = x + 1 + x^3 + x^2$ : 1111
$x^{13} = x^4 + x^3 + x^2 + x = x^3 + x^2 + 1$ : 1101
$x^{14} = x^4 + x^3 + x = x + 1 + x^3 + x = x^3 + 1$ : 1001
$x^{15} = x^4 + x = x + 1 + x = 1$ : 0001

The order of any element is a divisor of $2^4 - 1 = 15 = 3 \times 5$, that is 1, 3, 5 or 15.
Check if $\alpha = x^7 = 1011$ is a primitive element. Order of $\alpha = x^7$:
$\alpha^3 = (x^7)^3 = x^{21 \bmod 15} = x^6 = 1100 \neq 1$
$\alpha^5 = (x^7)^5 = x^{35 \bmod 15} = x^{35 - 2 \times 15} = x^5 \neq 1$
$\Rightarrow$ $\alpha$ is a primitive element.
Another proof: as x is primitive, $x^i$ is also primitive iff $\gcd(i, 15) = 1$ $\Rightarrow$ $x^7$ is primitive.

$Y_a = \alpha^{X_a} = (x^7)^7 = x^{49 \bmod 15} = x^4 = 0011$
$Y_b = \alpha^{X_b} = (x^7)^{12} = x^{84 \bmod 15} = x^9 = 1010$
The modulus in the exponent is $2^4 - 1 = 15$.

Solution 7 (block diagram): public directory; user A sends M to B, user B receives.
GF($2^4$) generated by $P(x) = x^4 + x + 1$; $\alpha = x^7 = 1 + x + x^3 = 1011$ (primitive element).
$X_a = 7$ = secret key of A, $Y_a = \alpha^{X_a} = \alpha^7 = (x^7)^7 = x^{49 \bmod 15} = x^4 = 0011$.
$X_b = 12$ = secret key of B, $Y_b = \alpha^{X_b} = \alpha^{12} = (x^7)^{12} = x^{84 \bmod 15} = x^9 = 1010$.
Random generator: $R = 0 \ldots 15$; R = 13. The modulus in the exponent in GF($2^m$) is $2^m - 1$.
$M = 0101 = x^8$.
$(Y_b)^R = (x^9)^{13} = \alpha^{X_b \cdot R} = x^{9 \times 13} = x^{117 \bmod 15} = x^{12}$.
$r = \alpha^R = x^{7 \times 13} = x$, so $r = x = 0010$.
$C = M \cdot \alpha^{X_b \cdot R} = x^8 \cdot x^{12} = x^{20 \bmod 15}$, so $C = 0110 = x^5$.
Cryptogram sent to B: [C = 0110, r = 0010].
$-X_b = -12$: $15 - 12 = 3$; $(x)^{-X_b} = (x)^3$.
$M = x^5 \cdot x^3 = x^8 = 0101$.

Problem 8: Set up an ElGamal public-key encryption system using GF($2^6$), which is generated by the irreducible polynomial $P(x) = (x^6 + x^3 + 1)$. The secret keys for users A and B are 22 and 10 respectively. Check if you can take $\alpha = 1 + x$ as a primitive element. Send the message $M = 100100 = x^5 + x^2$ from user A to B and use the random value R = 20 for this message.

Solution 8: $\alpha$ primitive. Another primitive element is $\alpha^2$ as: Probability of picking up a primitive element:

$Y_a = \alpha^{X_a} = (x+1)^{22} = (x+1)^{21} (x+1) = (1 + x^3)(x+1) = x + x^4 + 1 + x^3 = 1 + x + x^3 + x^4 = 011011$
$Y_b = \alpha^{X_b} = (x+1)^{10} = (x+1)^9 (x+1) = (x + x^2 + x^5)(x+1) = x^2 + x^3 + x^6 + x + x^2 + x^5 = x^3 + (1 + x^3) + x + x^5 = 1 + x + x^5 = 100011$

If $P(x) = (x^6 + x^3 + 1)$ is the modulus then $x^6 + x^3 + 1 = 0$, thus $x^6 = x^3 + 1$.
$x^7 = x^6 \cdot x = (x^3 + 1) \cdot x = x^4 + x$
$x^8 = x^6 \cdot x^2 = (x^3 + 1) \cdot x^2 = x^5 + x^2$
$x^9 = x^6 \cdot x^3 = (x^3 + 1) \cdot x^3 = 1$ (notice that x is not a primitive element)

The order of any element is a divisor of $2^6 - 1 = 63$, that is 1, 3, 7, 9, 21 or 63.
Check the exponents 3, 7, 9, 21 of $\alpha = x+1$ in GF($2^6$):
$(x+1)^3 = (x+1)^2 (x+1) = (x^2+1)(x+1) = 1 + x + x^2 + x^3 \neq 1$
$(x+1)^7 = (x+1)^6 (x+1) = (x^2 + x^3 + x^4)(x+1) = x^3 + x^4 + x^5 + x^2 + x^3 + x^4 = x^2 + x^5 \neq 1$
$(x+1)^6 = ((x+1)^3)^2 = (1 + x + x^2 + x^3)^2 = 1 + x^2 + x^4 + x^6 = 1 + x^2 + x^4 + x^3 + 1 = x^2 + x^3 + x^4$
$(x+1)^9 = (x+1)^7 (x+1)^2 = (x^2 + x^5)(x^2 + 1) = x^4 + (x^4 + x) + x^2 + x^5 = x + x^2 + x^5 \neq 1$
$(x+1)^{21} = (x+1)^{12} (x+1)^9 = (1 + x^2 + x^3 + x^4 + x^5)(x + x^2 + x^5) = 1 + x^3 \neq 1$
$(x+1)^{12} = ((x+1)^6)^2 = (x^2 + x^3 + x^4)^2 = x^4 + x^6 + x^8 = x^4 + x^3 + 1 + x^5 + x^2 = 1 + x^2 + x^3 + x^4 + x^5$
As the order of $\alpha = (x+1)$ is not 3 or 7 or 9 or 21 $\Rightarrow$ it is 63 $\Rightarrow$ $\alpha$ is primitive!

Choosing R = 20 and sending a message $M = x^5 + x^2 = (x+1)^7 = \alpha^7 = 100100$.

Encryption:
$Z = (Y_b)^R = (\alpha^{10})^{20} = \alpha^{200 \bmod 63} = \alpha^{11} = x^2 + x^3 + x^5 = 101100$
$r = \alpha^R = (x+1)^{20} = \alpha^{20} = (\alpha^{10})^2 = 1 + x^2 + x = 000111$
$C = Z \cdot M = \alpha^{11} \cdot \alpha^7 = \alpha^{18 \bmod 63} = \alpha^{18} = x + x^2 + x^4$

Decryption:
$Z^{-1} = (r)^{-X_b} = (\alpha^{20})^{-10} = \alpha^{-200 \bmod 63} = \alpha^{-11} = \alpha^{52}$
$M = Z^{-1} \cdot C = \alpha^{52} \cdot \alpha^{18} = \alpha^{70 \bmod 63} = \alpha^7$
The modulus in the exponent is $2^6 - 1 = 63$.

Solution 8 (block diagram): public directory; user A sends M to B, user B receives.
GF($2^6$) generated by $P(x) = x^6 + x^3 + 1$; $\alpha = (x+1)$ (primitive element).
$X_a = 22$ = secret key of A, $Y_a = \alpha^{X_a} = (x+1)^{22} = 1 + x + x^3 + x^4 = 011011$.
$X_b = 10$ = secret key of B, $Y_b = \alpha^{X_b} = (x+1)^{10} = 1 + x + x^5 = 100011$.
Random generator: $R = 0 \ldots 63$; R = 20. The modulus in the exponent in GF($2^m$) is $2^m - 1 = 63$.
$M = 100100 = x^5 + x^2 = (x+1)^7 = \alpha^7$.
$Z = (Y_b)^R = (1 + x + x^5)^{20}$; $\alpha^{X_b \cdot R} = (x+1)^{10 \cdot 20 \bmod 63} = (x+1)^{11}$.
$r = \alpha^{20} = (x+1)^{20} = 1 + x + x^2 = 000111$.
$C = M \cdot \alpha^{X_b \cdot R} = \alpha^7 \cdot \alpha^{10 \cdot 20} = \alpha^7 \cdot \alpha^{11} = \alpha^{18}$.
$C = 010110 = (x+1)^{18}$
$C = 1 + x^2 + x^4 = 010101$
Cryptogram sent to B: [C = 010110, r = 000111].
$-X_b = -10 + 63 = 53$; $[(x+1)^{20}]^{-X_b} = [(x+1)^{20}]^{53} = (x+1)^{1060 \bmod 63} = \alpha^{52}$, with $\alpha^{-11} = \alpha^{52}$.
Or: $[(x+1)^{20}]^{-10+63} = (x+1)^{1060 \bmod 63} = \alpha^{52}$.
$M = \alpha^{52} \cdot \alpha^{18} = \alpha^{70 \bmod 63} = \alpha^7 = (x+1)^7 = x^5 + x^2 = 100100$.
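The field arithmetic behind Problems 7 and 8, as an added Python example (not part of the original slides; function names are assumptions of this sketch). Field elements are held as integers whose bit i is the coefficient of $x^i$, so the slides' bit strings can be typed in directly.

```python
# Added example, not from the slides: ElGamal over GF(2^m) with elements held
# as integers (bit i = coefficient of x^i). Function names are assumptions.

def gf_mul(a, b, poly, m):
    """Product of a and b in GF(2^m), reduced modulo the field polynomial."""
    result = 0
    while b:
        if b & 1:
            result ^= a              # addition in GF(2) is XOR
        b >>= 1
        a <<= 1                      # multiply a by x
        if (a >> m) & 1:             # degree reached m: reduce with P(x)
            a ^= poly
    return result

def gf_pow(a, e, poly, m):
    """a^e for nonzero a; the exponent is taken modulo 2^m - 1."""
    e %= (1 << m) - 1                # maps -Xb to (2^m - 1) - Xb as on the slides
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly, m)
        a = gf_mul(a, a, poly, m)
        e >>= 1
    return result

def gf_order(a, poly, m):
    """Smallest divisor d of 2^m - 1 with a^d = 1."""
    n = (1 << m) - 1
    for d in range(1, n):
        if n % d == 0 and gf_pow(a, d, poly, m) == 1:
            return d
    return n

def encrypt(M, R, yb, alpha, poly, m):
    """Return the cryptogram (r, C) with r = alpha^R and C = M * yb^R."""
    Z = gf_pow(yb, R, poly, m)
    return gf_pow(alpha, R, poly, m), gf_mul(M, Z, poly, m)

def decrypt(r, C, Xb, poly, m):
    """M = C * r^(-Xb)."""
    return gf_mul(C, gf_pow(r, -Xb, poly, m), poly, m)

P7 = 0b10011      # x^4 + x + 1        (Problem 7)
P8 = 0b1001001    # x^6 + x^3 + 1      (Problem 8)

if __name__ == "__main__":
    print(gf_order(0b1011, P7, 4))                   # alpha = x^7 in GF(2^4)
    yb = gf_pow(0b1011, 12, P7, 4)
    print(format(yb, "04b"), encrypt(0b0101, 13, yb, 0b1011, P7, 4))
    print(gf_order(0b10, P8, 6), gf_order(0b11, P8, 6))  # x versus x+1
    yb = gf_pow(0b11, 10, P8, 6)
    print(format(yb, "06b"), encrypt(0b100100, 20, yb, 0b11, P8, 6))
```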


Problem 10: ElGamal Crypto-System over GF($2^8$)
Set up an ElGamal public-key encryption system using GF($2^8$), which is generated by the irreducible polynomial $P(x) = 1 + x^3 + x^4 + x^5 + x^8 = 10011101$. The secret keys for users A and B are 42 and 101 respectively. Check if you can take $\alpha = 0011$ as a primitive element. Send the message $M = \alpha^4$ from user A to B and use the random value R = 91 for this message.
Notice: Many real systems use the ElGamal secrecy system over GF($2^m$).

Solution: Possible element orders are the divisors of $2^n - 1 = 2^8 - 1 = 255 = 3 \times 5 \times 17$ (see the factorization table in the annex). Possible orders: 1, 3, 5, 15, 17, 51, 85, 255.

Helping computations:
$x^8 = 1 + x^3 + x^4 + x^5$
$x^9 = x + x^4 + x^5 + x^6$
$x^{10} = x^2 + x^5 + x^6 + x^7$
$x^{11} = 1 + x^4 + x^5 + x^6 + x^7$
$x^{12} = 1 + x + x^3 + x^4 + x^6 + x^7$
$x^{13} = 1 + x + x^2 + x^3 + x^7$
$x^{14} = x^5 + x^2 + x + 1$
$x^{15} = x^6 + x^3 + x^2 + x$
$x^{16} = x^7 + x^4 + x^3 + x^2$
$x^{17} = 1$
$x^{32} = (x^{16})^2 = x^6 + x^3 + x^2 + x$
$x^{64} = (x^{32})^2 = x^7 + x^3 + x^2 + x + 1$
$x^{128} = (x^{64})^2 = x^6 + x^5 + x^4 + x$

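Solution 10: ElGamal Crypto-System over GF($2^8$)

Seeking a primitive element: Let's take any $\alpha$ and check if it is a primitive element: $\alpha = (1+x)$.
$\alpha$ is primitive iff $\alpha^1 \neq 1$ AND $\alpha^3 \neq 1$ AND $\alpha^5 \neq 1$ AND $\alpha^{15} \neq 1$ AND $\alpha^{17} \neq 1$ AND $\alpha^{51} \neq 1$ AND $\alpha^{85} \neq 1$.

$\alpha^1 = 1 + x \neq 1$
$\alpha^3 = (x+1)^3 = (x+1)^2 (x+1) = (x^2+1)(x+1) = 1 + x + x^2 + x^3 \neq 1$
$\alpha^5 = \alpha^2 \alpha^3 = (x^2+1)(x+1)^3 = (x^2+1)(1 + x + x^2 + x^3) = 1 + x + x^4 + x^5 \neq 1$
$\alpha^{15} = \alpha^{10} \alpha^5$, with $\alpha^{10} = (\alpha^5)^2 = x^3 + x^4 + x^6 + x^7$, so $\alpha^{15} = x^2 + x^3 + x^4 + x^7 \neq 1$
$\alpha^{17} = \alpha^{15} \alpha^2 = x + x^2 + x^3 + x^4 + x^7 \neq 1$
$\alpha^{51} = \alpha^{50} \alpha = (\alpha^{25})^2 \alpha$, with $\alpha^{25} = \alpha^{20} \alpha^5$, $\alpha^{20} = (\alpha^{10})^2 = (1 + x^2 + x^7)$ and $\alpha^{25} = (1 + x^2 + x^7)(1 + x + x^4 + x^5) = x + x^6 + x^7$, so $\alpha^{51} = (x + x^6 + x^7)^2 (1 + x) = 1 + x^4 + x^5 \neq 1$
$\alpha^{85} = \alpha^{80} \alpha^5$, with $\alpha^{80} = (\alpha^{40})^2 = [(\alpha^{20})^2]^2 = ((1 + x^2 + x^7)^2)^2 = (x + x^2 + x^4 + x^5)^2 = 1 + x^3 + x^6 + x^7$, so $\alpha^{85} = (1 + x^3 + x^6 + x^7)(1 + x + x^4 + x^5) = 1 + x^3 + x^6 + x^7 \neq 1$

As the order of $\alpha = (x+1)$ is not 5 nor 15 nor 17 nor 51 nor 85 $\Rightarrow$ it is 255 $\Rightarrow$ $\alpha$ is primitive!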

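Solution 10: ElGamal Crypto-System over GF($2^8$)

Open directory set up: $Y_a = \alpha^{101}$, $Y_b = \alpha^{42}$.
Secret keys: $X_a = 101$, $X_b = 42$.

Encryption on side A: A sends the message $M = \alpha^4$ to B.
Random value: R = 91
$M = \alpha^4 = (x + x^3)^4 = x^4 + x^{12} = 1 + x + x^3 + x^6 + x^7 = 11001011$
$Z = (Y_b)^R = (\alpha^{42})^{91} = \alpha^{42 \cdot 91 \bmod 255} = \alpha^{252}$
$r = \alpha^{91}$
$C = Z \cdot M = \alpha^{252} \cdot \alpha^4 = \alpha$
$Y_{A \to B} = r, C = \alpha^{91}, \alpha$

Decryption on the side of B:
$Z^{-1} = (r)^{-X_b} = (\alpha^{91})^{-42} = \alpha^{91 \cdot (255-42)} = \alpha^{91 \cdot 213 \bmod 255} = \alpha^3$
$M = Z^{-1} \cdot C = \alpha^3 \cdot \alpha = \alpha^4$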

Annex: List of all irreducible polynomials over GF(2) up to degree 11

Annex: Some factorizations of $2^n - 1$