ElGamal Public-Key Encryption and Signature
Çetin Kaya Koç
koc@cs.ucsb.edu
http://koclab.org
Winter 2017

ElGamal Cryptosystem and Signature Scheme
Taher ElGamal, originally from Egypt, was a graduate student at Stanford University and earned a PhD degree in 1984, with Martin Hellman as his dissertation advisor.
He published a paper in 1985 titled "A public key cryptosystem and a signature scheme based on discrete logarithms", in which he proposed the ElGamal discrete log cryptosystem and the signature scheme.
The ElGamal signature scheme is the basis for the Digital Signature Algorithm (DSA) adopted by NIST.
The ElGamal cryptosystem essentially turns the Diffie-Hellman key exchange method into an encryption algorithm.

ElGamal Public-Key Encryption and Encryption
Domain Parameters: The prime $p$ and the generator $g$ of $\mathbb{Z}_p^*$
Keys: The private key is the integer $x \in \mathbb{Z}_p^*$ and the public key $y$ is computed as
$y = g^x \pmod{p}$
Example: Given the prime $p = 2579$ and the generator $g = 2$, we select the private key $x = 765$, and compute the public key $y$ as
$y = g^x \pmod{p} = 2^{765} \pmod{2579} = 949 \pmod{2579}$
Therefore, the private key $x = 765$ and the public key $y = 949$

ElGamal Public-Key Encryption
Encryption: The User B forms a message $m \in \mathbb{Z}_p^*$, generates a random number $r$ and computes the ciphertext pair $(c_1, c_2)$
$c_1 = g^r \pmod{p}$
$c_2 = m \cdot y^r \pmod{p}$
Example: Assume $m = 1299$, compute $E(m) = (c_1, c_2)$ using the public key $y = 949$ and the random number $r = 853$
$c_1 = g^r \pmod{p} = 2^{853} = 435 \pmod{2579}$
$c_2 = m \cdot y^r \pmod{p} = 1299 \cdot 949^{853} = 2396 \pmod{2579}$
Therefore, $E(1299) = (c_1, c_2) = (435, 2396)$

ElGamal Public-Key Decryption
Decryption: The User A decrypts the ciphertext pair $(c_1, c_2)$ to obtain the message $m$ by computing
$u_1 = c_1^x = (g^r)^x = (g^x)^r = y^r \pmod{p}$
$u_2 = c_2 \cdot u_1^{-1} = y^{-r} \cdot m \cdot y^r = m \pmod{p}$
Given $E(m) = (c_1, c_2) = (435, 2396)$, the User A finds the plaintext:
$u_1 = c_1^x \pmod{p} = 435^{765} = 2424 \pmod{2579}$
$u_2 = c_2 \cdot u_1^{-1} \pmod{p} = 2396 \cdot 2424^{-1} = 1299 \pmod{2579}$
Therefore, $D(c_1, c_2) = D(435, 2396) = 1299$

ElGamal Cryptosystem Properties
The ElGamal cryptosystem is a randomized algorithm: every encryption requires the generation and use of a random number $r$.
The random number $r$ should not be guessable.
The same random number $r$ should not be used for another encryption; otherwise, the knowledge of one message allows the adversary to compute the other message.
The random number $r$ is not needed for decryption.
The ElGamal cryptosystem produces a ciphertext pair, which is twice the length of the message.
Its security depends on the difficulty of the DLP in $\mathbb{Z}_p^*$.
Breaking Diffie-Hellman also implies breaking ElGamal.

ElGamal Cryptosystem Signature Scheme
Domain Parameters: The prime $p$ and the generator $g$ of $\mathbb{Z}_p^*$
Keys: The private key is the integer $x \in \mathbb{Z}_p^*$ and the public key $y$ is computed as
$y = g^x \pmod{p}$
Signing: The User A forms a message $m \in \mathbb{Z}_p^*$, generates a random number $r$ and computes the signature pair $(s_1, s_2)$
$s_1 = g^r \pmod{p}$
$s_2 = (m - x \cdot s_1) \cdot r^{-1} \pmod{p-1}$
The message and signature consist of $[m, s_1, s_2]$
Similar to the encryption case, the size of the signature is twice the size of the message

ElGamal Cryptosystem Signature Scheme
Verifying: The verifier receives the triple $[m, s_1, s_2]$ and also has the public key $y$
$u_1 = g^m \pmod{p}$
$u_2 = y^{s_1} \cdot s_1^{s_2} \pmod{p}$
If $u_1 = u_2$, then the signature is valid
Proof. The equality $u_1 = u_2$ implies
$g^m = y^{s_1} \cdot s_1^{s_2} = (g^x)^{s_1} \cdot (g^r)^{s_2} \pmod{p}$
According to Fermat's theorem,
$m = x \cdot s_1 + r \cdot s_2 \pmod{p-1}$

ElGamal Cryptosystem Signature Example
The parameters: the prime $p = 2579$ and the generator $g = 2$, the private key $x = 765$, and the public key $y = 949$
We compute the signature pair on the message $m = 2013$ using the random number $r = 999$ as
$s_1 = g^r \pmod{p} = 2^{999} = 1833 \pmod{2579}$
$s_2 = (m - x \cdot s_1) \cdot r^{-1} \pmod{p-1} = (2013 - 765 \cdot 1833) \cdot 999^{-1} \pmod{2578} = 2200 \cdot 1329 = 348 \pmod{2578}$
The message and signature triple is $[m, s_1, s_2] = [2013, 1833, 348]$

ElGamal Cryptosystem Signature Example
The verifier has access to $(p, g, y) = (2579, 2, 949)$
The verifier receives $[m, s_1, s_2] = [2013, 1833, 348]$ and computes
$u_1 = g^m \pmod{p} = 2^{2013} \pmod{2579} = 713$
$u_2 = y^{s_1} \cdot s_1^{s_2} \pmod{p} = 949^{1833} \cdot 1833^{348} \pmod{2579} = 385 \cdot 2333 \pmod{2579} = 713$
Since $u_1 = u_2$, the signature is valid
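
The following Python sketch is an added example, not part of the original slides: it reproduces the worked encryption and signature numbers above and shows the Properties slide's point that reusing $r$ lets knowledge of one message reveal the other. The function names are assumptions, and the checks that $r$ is invertible modulo $p-1$ and that $s_1$, $s_2$ lie in range go beyond what the slides state.

```python
# Added example: textbook ElGamal over Z_p^* with the slides' toy parameters.
# Function names are assumptions; parameters this small are for study only.
from math import gcd

P, G = 2579, 2          # domain parameters from the slides
X = 765                 # private key from the slides
Y = pow(G, X, P)        # public key y = g^x mod p

def encrypt(m, r, y=Y, p=P, g=G):
    """Return (c1, c2) = (g^r, m * y^r) mod p for a per-message random r."""
    return pow(g, r, p), (m * pow(y, r, p)) % p

def decrypt(c1, c2, x=X, p=P):
    """Recover m = c2 * (c1^x)^-1 mod p."""
    u1 = pow(c1, x, p)
    return (c2 * pow(u1, -1, p)) % p

def sign(m, r, x=X, p=P, g=G):
    """Return (s1, s2); r must be invertible mod p-1 (check not on the slides)."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r has no inverse mod p-1; pick another r")
    s1 = pow(g, r, p)
    s2 = ((m - x * s1) * pow(r, -1, p - 1)) % (p - 1)
    return s1, s2

def verify(m, s1, s2, y=Y, p=P, g=G):
    """Accept iff g^m == y^s1 * s1^s2 (mod p); range check is an addition."""
    if not (0 < s1 < p and 0 <= s2 < p - 1):
        return False
    return pow(g, m, p) == (pow(y, s1, p) * pow(s1, s2, p)) % p

def other_message_if_r_reused(known_m, ct_known, ct_other, p=P):
    """Equal c1 values mean the same r was used, so c2'/c2 = m'/m and
    m' = m * c2' * c2^-1 mod p. Returns None when c1 differs."""
    if ct_known[0] != ct_other[0]:
        return None
    return (known_m * ct_other[1] * pow(ct_known[1], -1, p)) % p

if __name__ == "__main__":
    print(encrypt(1299, 853), decrypt(435, 2396))
    print(sign(2013, 999), verify(2013, 1833, 348))
    a, b = encrypt(1299, 853), encrypt(2013, 853)   # constructed reuse of r
    print(other_message_if_r_reused(1299, a, b))
```

Two ciphertexts with the same $c_1$ are the observable sign that $r$ was repeated, which is why each encryption needs a fresh, unpredictable $r$.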