IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985


1 A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
TAHER ELGAMAL
IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985
Suhyung Kim, Yeojeong Yoon

2 Outline
Introduction
Diffie-Hellman key distribution
Elgamal Public Key System
Elgamal Digital Signature Scheme
Property
Comparison
Attacks on the Signature
Conclusion

3 Introduction
Public-key Encryption (Asymmetric Cryptosystem)
- First proposed in 1976: "New Directions in Cryptography", Diffie and Hellman
- Did not produce an algorithm
RSA cryptosystem (1978)
- Based on difficulty of factoring large integers
ElGamal cryptosystem (1985)
- Based on discrete logarithm problem
(Diagram: A (sender) encrypts with the Public Key, sends {plaintext}public key, and B (receiver) decrypts with the Secret Key.)

4 Introduction: RSA Cryptosystem
“A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” published in 1978
Proposed by Rivest, Shamir, and Adleman
Used a computationally difficult problem
- Breaking requires factoring of large numbers
The receiver A chooses two fairly large distinct primes p and q, computes n = pq, and publishes n but not p and q. A then computes φ(n), chooses an integer b with gcd(b, φ(n)) = 1, finds (with the Euclidean algorithm) an integer a with ab ≡ 1 (mod φ(n)), and publishes b but not a.
1. Select p, q (large primes)
2. Calculate $n = p \times q$ and $\phi(n)$
3. Select b such that $\gcd(b, \phi(n)) = 1$
4. Calculate a such that $b \times a \equiv 1 \pmod{\phi(n)}$
Private key: (p, q, a)
Public key: (n, b)
$e_K(x) = x^b \bmod n$
$d_K(y) = y^a \bmod n$

5 Introduction: Discrete Logarithm Problem (DLP)
The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP), which is as follows:
Given a prime $p$ and values $g$ and $y$, find $x$ such that $y = g^x \bmod p$
For a small value of p, it is easy to solve a DLP
- By trial and error or exhaustive search
For a large value of p, finding discrete logarithms is difficult
- For a large value of p (p has around 300 decimal digits) it is not possible to solve a DLP using current technology

6 Diffie-Hellman key distribution
Public parameter
- $p$ : large prime
- $\alpha$ : generator of $\mathbb{Z}_p^*$
Secret parameter
- $x_A$ (A’s), $x_B$ (B’s)
- $x_A = \log_\alpha y_A$, $x_B = \log_\alpha y_B$
Based on Discrete Logarithm Problem
- $p-1$ should have at least one “large” prime factor
- If $p-1$ has only small prime factors, then computing discrete logarithms is easy
(Diagram: A and B exchange $y_A$ and $y_B$.)

7 Elgamal Public Key System
Way to implement the previous Diffie-Hellman scheme
A wants to send B a message $m$, where $0 \le m \le p-1$
A chooses a number $k$ uniformly between 0 and $p-1$.
- Public parameter: $p$ : large prime; $\alpha$ : generator of $\mathbb{Z}_p^*$
- Secret parameter: $k$ (A’s), $x_B$ (B’s)
(Diagram: A and B, with $y_B$ and $(c_1, c_2)$ passed between them.)

8 Elgamal Public Key System
$k$ must be used once
If $k$ is used more than once,
$c_{1,1} \equiv \alpha^k \bmod p$, $c_{2,1} \equiv m_1 K \bmod p$
$c_{1,2} \equiv \alpha^k \bmod p$, $c_{2,2} \equiv m_2 K \bmod p$
Then $m_1/m_2 \equiv c_{2,1}/c_{2,2} \bmod p$, and $m_2$ is easily computed if $m_1$ is known.
Breaking the system is equivalent to solving Discrete Logarithm Problem
- Adversary can decrypt the ciphertext if adversary can compute the value $x_B = \log_\alpha y_B$
<Decryption>
- For $c_1, c_2 \in \mathbb{Z}_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
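The k-reuse weakness above, as an added Python example that is not part of the original slides: two messages encrypted under the same k let anyone who knows m_1 recover m_2 from the ciphertexts alone. The toy prime p = 467, generator 2, secret key 127 and all function names are constructed for illustration.

```python
import secrets

# Toy parameters, constructed for illustration (a real p has hundreds of digits).
P, ALPHA = 467, 2                 # prime p and a generator of Z_p*
X_B = 127                         # B's secret key (constructed)
Y_B = pow(ALPHA, X_B, P)          # B's public key y_B = alpha^x_B mod p

def encrypt(m, y, k):
    """c1 = alpha^k mod p, c2 = m * y^k mod p (caller supplies k)."""
    return pow(ALPHA, k, P), m * pow(y, k, P) % P

def encrypt_fresh(m, y):
    """Defensive form: draw a new random k in [1, p-2] for every message."""
    return encrypt(m, y, secrets.randbelow(P - 2) + 1)

def decrypt(c1, c2, x):
    """d_K(c1, c2) = c2 * (c1^x)^-1 mod p."""
    return c2 * pow(pow(c1, x, P), -1, P) % P

def recover_m2(m1, ct1, ct2):
    """Known-plaintext recovery of m2 when ct1 and ct2 share the same k.

    Uses m1/m2 = c_{2,1}/c_{2,2} (mod p), so m2 = m1 * c_{2,2} / c_{2,1}.
    Returns None when k was not reused or c_{2,1} is not invertible (m1 = 0).
    """
    (c11, c21), (c12, c22) = ct1, ct2
    if c11 != c12 or c21 == 0:
        return None               # different k: the ratio reveals nothing
    return m1 * c22 * pow(c21, -1, P) % P
```

An equal first component c_1 across two ciphertexts is the visible sign that k was reused.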

9 Elgamal Digital Signature Scheme
A digital signature provides
- Data Integrity: the content of the message should be kept intact
- Sender’s identity: B needs a guarantee that the message it received actually originated from where it says it did
- Non-repudiation
Uses sender’s private key for signing
(Diagram: A (sender) to B (receiver), labelled "from where?" and "Intact!")

10 Elgamal Digital Signature Scheme
The Signing Procedure (A)
- Choose a random number $k$, uniformly between 0 and $p-1$, such that $\gcd(k, p-1) = 1$
- $r \equiv \alpha^k \bmod p$
- The signature for $m$ is the pair $(r, s)$, $0 \le r, s < p-1$
- $\alpha^m \equiv y_A^r r^s \equiv \alpha^{x_A r} \alpha^{k s} \bmod p$
- which can be solved for $s$ by using $m \equiv x_A r + k s \bmod (p-1)$
- $s \equiv (m - x_A r)/k \bmod (p-1)$
The Verification Procedure (B)
- Given m, r, and s, checking

11 Property: Public Key System
Encryption operation
- Two exponentiations are required.
Decryption operation
- Only one exponentiation (plus one division) is needed
Randomization (against k)
- The ciphertext for a given message m is not repeated
- Prevents attacks like a probable text attack
- No relation between the encipherings of $m_1$, $m_2$, and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$.
(secret) random number $k \in \mathbb{Z}_{p-1}$
$e_K(m, k) = (c_1, c_2)$ where $c_1 = \alpha^k \bmod p$, $c_2 = m y^k \bmod p$
- For $c_1, c_2 \in \mathbb{Z}_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$

12 Property: Signature System
Signing procedure
- One exponentiation (plus a few multiplications) is needed.
Verification procedure
- Three exponentiations are needed.
- Make the table for reducing the exponentiations (1.875 exponentiations)
The signature is double the size of the document
- Same size as that needed for the RSA scheme
- The number of signatures is $p^2$
- The number of documents is only $p$
(secret) random number $k \in \mathbb{Z}_{p-1}^*$
$\mathrm{sig}_K(m, k) = (r, s)$ where $r = \alpha^k \bmod p$, $s = (m - x r) k^{-1} \bmod (p-1)$
$\mathrm{ver}_K(m, (r, s)) = \text{true} \Leftrightarrow y^r r^s \equiv \alpha^m \pmod p$
Each document m has a lot of signatures
- But any signature signs only one document.

13 Property: Computation complexity
Computing discrete logarithms and factoring integers
- m : the number of bits in p
- Best known algorithm is given by where the best estimate for c is 0.69
Recent computation complexity
- $O(n^3)$ on elliptic curve (2009) over a 112-bit finite field
To prevent known attack
- p should have at least 300 digits (D. R. Stinson, “CRYPTOGRAPHY”)

14 Comparison: Comparison with RSA

| Elgamal | RSA |
|---|---|
| Security based on the difficulty of the discrete log problem | Security based on the difficulty of the factorization problem |
| The ciphertext is two values c1 and c2 and so is twice the size of the message m | The ciphertext is just one value c which is roughly the same size as the message m |
| Creates longer cipher text | Uses longer keys |
| The encryption and decryption algorithms are different (although both take about the same time to perform) | The encryption and decryption algorithms are the same (modular exponentiation) |

15 Attacks on the Signature Scheme
The goal of an attack: forging signatures
Breaking a signature scheme (by Handbook of Applied Cryptography)
- Total break: e.g. recovering the private key
- Selective forgery: forging a signature for a particular message or class of messages chosen a priori
- Existential forgery: forging a signature for at least one message, over which the adversary has no control

16 Attack: Total break (1/2)
Adversary knows Documents = $\{ m_i : i = 1, 2, ..., l \}$ and the corresponding Signatures = $\{ (r_i, s_i) : i = 1, 2, ..., l \}$
Adversary tries to solve $l$ equations for the secret key $x$
- $\alpha^m = (\alpha^r)^x \cdot r^s \bmod p$ … (1), or
- $m_i = x \cdot r_i + k_i \cdot s_i \bmod (p-1)$ … (2), or
- specially $k_i = c k_j$ (if some linear dependencies among the unknowns) … (3)
Hard Problems
- (1), (3) : computing discrete logarithm over GF(p)
- (2) : $l+1$ unknowns ($\because k_i \ne k_j$, $i \ne j$, $\forall i, j \in \{1, 2, ..., l\}$), the system of equations is underdetermined

17 Attack: Total break (2/2)
If any $k$ is used twice in the signing, the private key $x$ can be determined with high probability
$s_1 = k^{-1}(m_1 - x \cdot r) \bmod (p-1)$ and $s_2 = k^{-1}(m_2 - x \cdot r) \bmod (p-1)$
⇒ $(s_1 - s_2) k = (m_1 - m_2) \bmod (p-1)$
⇒ $k = (s_1 - s_2)^{-1}(m_1 - m_2) \bmod (p-1)$ (if $s_1 - s_2 \ne 0$)
Once $k$ is known, $x$ is easily found
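The signing and verification procedure from slides 10 and 12 and the repeated-k key recovery above, as an added Python example (not from the slides or the paper). It goes beyond the slide's formula by also handling the case where $s_1 - s_2$ is not invertible mod p-1, testing each candidate solution against r and y; p = 467, α = 2, x = 127 and the function names are constructed.

```python
from math import gcd

# Toy parameters, constructed for illustration (a real p has hundreds of digits).
P, ALPHA = 467, 2            # 2 generates Z_467*
X = 127                      # signer's private key x (constructed)
Y = pow(ALPHA, X, P)         # public key y = alpha^x mod p

def sign(m, x, k):
    """r = alpha^k mod p, s = (m - x*r) * k^-1 mod (p-1)."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(ALPHA, k, P)
    return r, (m - x * r) * pow(k, -1, P - 1) % (P - 1)

def verify(m, r, s, y):
    """Accept iff 1 <= r <= p-1 and y^r * r^s == alpha^m (mod p)."""
    return 1 <= r < P and pow(y, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def solve_lin(a, b, n):
    """All z in [0, n) with a*z == b (mod n); empty list if none exist."""
    a, b = a % n, b % n
    g = gcd(a, n)
    if b % g:
        return []
    n2 = n // g
    z0 = (b // g) * (pow(a // g, -1, n2) if n2 > 1 else 0) % n2
    return [z0 + i * n2 for i in range(g)]

def recover_key(m1, sig1, m2, sig2, y):
    """Recover (k, x) from two signatures that share r, i.e. the same k."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None                                  # k not reused, or nothing to solve
    for k in solve_lin(s1 - s2, m1 - m2, P - 1):     # (s1 - s2) k = m1 - m2
        if pow(ALPHA, k, P) != r1:
            continue                                 # extra candidate when gcd > 1
        for x in solve_lin(r1, m1 - k * s1, P - 1):  # x r = m1 - k s1
            if pow(ALPHA, x, P) == y:
                return k, x
    return None
```

Two signatures from one key with the same r are enough to run `recover_key`, so a duplicate r in a signature log is worth alerting on.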

18 Attack: Selective forgery (1/2)
Given a document $m$, adversary tries to find $r$, $s$ such that $\alpha^m = y^r \cdot r^s \bmod p$
- compute $s$ with fixed $r$ ($= \alpha^j \bmod p$, $j$ chosen at random) … (1)
- compute $r$ with fixed $s$ … (2)
Hard Problems
- (1) : $\alpha^m = y^r \cdot r^s \bmod p$ – discrete logarithm problem (DLP)
- (2) : $\alpha^m = y^r \cdot r^s \bmod p$ – not proved to be at least as hard as computing DLP, but not feasible to solve in polynomial time

19 Attack: Selective forgery (2/2)
Adversary knowing one legitimate signature $(r, s)$ for one message $m$, can generate other legitimate signatures and messages
- Select message $m'$
- Compute $u = m' \cdot m^{-1} \bmod (p-1)$, $s' = s \cdot u \bmod (p-1)$, and $r'$ such that $r' = r \cdot u \bmod (p-1)$ and $r' = r \bmod p$ (by the Chinese Remainder Theorem)
- Verification: $\alpha^{m'} = y^{r'} \cdot r'^{s'} = y^{ru} \cdot r^{su} = (y^r \cdot r^s)^u = (\alpha^m)^u = \alpha^{m'} \bmod p$
How to prevent this attack
- Verify that $1 \le r \le p$ at verification time (ref. Handbook of Applied Cryptography)

20 Attack: Existential forgery
Adversary knowing one legitimate signature $(r, s)$ for one message $m$, can generate other legitimate signatures and messages
- Select A, B, C arbitrarily such that $(A \cdot r - C \cdot s)$ is coprime to $p-1$
- Compute $r' = r^A \cdot \alpha^B \cdot y^C \bmod p$, $s' = s \cdot r'/(A \cdot r - C \cdot s) \bmod (p-1)$, and $m' = r'(A m + B s)/(A r - C s) \bmod (p-1)$
- Adversary may claim that $(r', s')$ is the signature of the message $m'$
How to prevent this attack
- Use one-way hash func: $\alpha^{h(m)} = (\alpha^r)^x \cdot r^s$
- !!! $m'$ is not an arbitrary message
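A verifier-side view of the two forgeries on slides 19 and 20, as an added Python example (not from the slides): the bare equation accepts both pairs, the range check on r rejects the slide 19 pair, and hashing limits the slide 20 pair to messages whose hash happens to equal m'. The toy parameters, the sample signature (101, 29, 16), the function names and the use of SHA-256 reduced mod p-1 are assumptions of this example.

```python
import hashlib

# Toy public parameters and one observed valid signature, all constructed
# for illustration (p is far too small for real use; no private key appears).
P, ALPHA, Y = 467, 2, 132
N = P - 1
M, R, S = 101, 29, 16            # valid: Y^R * R^S == ALPHA^M (mod P)

def verify(m, r, s, range_check=True):
    """Check y^r * r^s == alpha^m (mod p), optionally after 1 <= r <= p-1."""
    if range_check and not 1 <= r < P:   # HAC states the bound as 1 <= r <= p-1
        return False
    return pow(Y, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def h(msg: bytes) -> int:
    """Exponent from a one-way hash (SHA-256 mod p-1 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def verify_hashed(msg: bytes, r, s):
    """Countermeasure from slide 20: the equation is checked on h(m), not m."""
    return verify(h(msg), r, s)

def slide19_forgery(m_new):
    """Pair (r', s') for a chosen m_new; requires gcd(M, p-1) = 1."""
    u = m_new * pow(M, -1, N) % N
    r_new = R + P * (R * (u - 1) % N)    # CRT: r' = R (mod p), r' = R*u (mod p-1)
    return r_new, S * u % N

def slide20_forgery(A, B, C):
    """(m', r', s') from A, B, C with gcd(A*R - C*S, p-1) = 1; m' is not chosen."""
    inv = pow((A * R - C * S) % N, -1, N)
    r_new = pow(R, A, P) * pow(ALPHA, B, P) * pow(Y, C, P) % P
    return r_new * (A * M + B * S) * inv % N, r_new, S * r_new * inv % N
```

With a realistic p, finding a message whose hash equals a given m' means inverting the hash; the 466 possible exponents of this toy group give no such protection.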

21 Conclusion
Proposed cryptosystem and Signature scheme are based on
- the difficulty of computing discrete logarithms over finite fields
- good generator for random numbers ($k_i \ne k_j$)
Elgamal’s scheme is rarely used in practice.
- But many variants have been proposed.
- Specially, DSA

22 Question or Comment

