1. El Gamal and Diffie Hellman
ElGamal Cryptosystem
In Practice
Diffie-Hellman
DSA
El Gamal and Diffie Hellman
CSCI284, 162 Spring 2009
GWU

2. The ElGamal Cryptosystem is based on the Discrete Log problem:
Given a multiplicative group G, an element  G such that o() = n, and an element  <>
Find the unique integer x, 0  x  n-1 such that
 = x
x denoted as log
Not known to be doable in polynomial time, however exponentiation is. Hence DL is a possible one-way function
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

3. CS284-162/Spring09/GWU/Vora/ElGamal
El Gamal Cryptosystem
Let p a prime such that DL in Zp* is infeasible
Let  Zp* be a primitive element
P = Zp* C = Zp* X Zp* and K = {(p, , a, ): =a (mod p)}
public key = (p, , ) and private key = a
For a secret random number k Zp-1
eK(x, k) = (y1, y2)
y1 = k mod p
y1 = xk mod p
dK (y1, y2) = y2( y1a)-1 mod p
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

4. CS284-162/Spring09/GWU/Vora/ElGamal
Example
p = 2579
 = 2
a = 1391
Encrypt message: 2079
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

5. CS284-162/Spring09/GWU/Vora/ElGamal
Practicalities
More efficient attacks possible unless elliptic curve DL, for which these efficient attacks are not known.
Modulus required for security:
2160 with elliptic curves
21880 without
DL over elliptic curves very hot problem.
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

6. Diffie-Hellman Key Exchange
Protocol for exchanging secret key over public channel.
Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all.
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

7. Diffie-Hellman Key Exchange

8. Diffie-Hellman Key Exchange contd.
Alice privately selects random b and sends to Bob b mod p.
Bob privately selects random c and sends to Alice c mod p.
Alice and Bob privately compute bc mod p which is their shared secret.
An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem.
This is a key agreement protocol.
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

9. Diffie-Hellman problem
Given a multiplicative group G, an element G of order n and two elements ,   <>
Computational Diffie-Hellman:
Find  such that log   log   log (mod n)
Equivalently, given b, and c find bc
Decision Diffie-Hellman
Given an additional   <>
Determine if log   log   log (mod n)
Equivalently, given b, c, and d determine if d  bc (mod n)
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

10. CS284-162/Spring09/GWU/Vora/ElGamal
An attack
Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.
Mallory captures b and c in transmission and replaces with own b’ and c’.
Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob.
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

11. Digital Signatures

12. CS284-162/Spring09/GWU/Vora/ElGamal
Definition
P: set of plaintext
S: set of signatures
K: keyspace
private function: sigk: P  S
public function: verK : P X S  {true, false}
verK(m, s) = true iff sigK(m) = s; else verK(m, s) = false
{m, sigK(m)} is a signed message
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

13. RSA encryption can be used for signatures
Attacks: incorrect public key, no message attack
Protection from attacks: use redundancy functions, for example, message is of the form of two identical concatenated strings
Signatures on digests. Requirements of hash function?
2/28/2019
CS /Spring09/GWU/Vora/ElGamal

14. El Gamal Digital Signature, basis for DSA
DSA uses SHA-1 in addition to a DS scheme
For a key K= (p, , , a);  = a mod p; a private
Choose random k invertible mod p-1
sigK(x, k) = (=k mod p, =(x-a)k-1 mod p-1)
verK(x, (G, D)) = true  GGD=x mod p
2/28/2019
CS /Spring09/GWU/Vora/ElGamal