ElGamal Public-Key Encryption and Signature

Similar documents
Discrete Square Root. Çetin Kaya Koç Winter / 11

Data security (Cryptography) exercise book

The number theory behind cryptography

Cryptography Math 1580 Silverman First Hour Exam Mon Oct 2, 2017

Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014

Diffie-Hellman key-exchange protocol

Lecture 32. Handout or Document Camera or Class Exercise. Which of the following is equal to [53] [5] 1 in Z 7? (Do not use a calculator.

TMA4155 Cryptography, Intro

Public-Key Cryptosystem Based on Composite Degree Residuosity Classes. Paillier Cryptosystem. Harmeet Singh

Cryptography CS 555. Topic 20: Other Public Key Encryption Schemes. CS555 Topic 20 1

Discrete Mathematics & Mathematical Reasoning Multiplicative Inverses and Some Cryptography

Public-key Cryptography: Theory and Practice

Algorithmic Number Theory and Cryptography (CS 303)

EE 418: Network Security and Cryptography

Primitive Roots. Chapter Orders and Primitive Roots

CHAPTER 2. Modular Arithmetic

MAT 302: ALGEBRAIC CRYPTOGRAPHY. Department of Mathematical and Computational Sciences University of Toronto, Mississauga.

Simple And Efficient Shuffling With Provable Correctness and ZK Privacy

DUBLIN CITY UNIVERSITY

Example Enemy agents are trying to invent a new type of cipher. They decide on the following encryption scheme: Plaintext converts to Ciphertext

Linear Congruences. The solutions to a linear congruence ax b (mod m) are all integers x that satisfy the congruence.

Asynchronous vs. Synchronous Design of RSA

Public Key Encryption

Solution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result.

Fermat s little theorem. RSA.

MA/CSSE 473 Day 9. The algorithm (modified) N 1

Math 319 Problem Set #7 Solution 18 April 2002

Cryptography, Number Theory, and RSA

Example Enemy agents are trying to invent a new type of cipher. They decide on the following encryption scheme: Plaintext converts to Ciphertext

Cryptography. 2. decoding is extremely difficult (for protection against eavesdroppers);

Number Theory and Public Key Cryptography Kathryn Sommers

Exploring Signature Schemes with Subliminal Channel

Cryptography s Application in Numbers Station

Classical Cryptography

DTTF/NB479: Dszquphsbqiz Day 30

Triple-DES Block of 96 Bits: An Application to. Colour Image Encryption

EE 418 Network Security and Cryptography Lecture #3

Chapter 4 The Data Encryption Standard

Principles of Ad Hoc Networking

DUBLIN CITY UNIVERSITY

Applications of Fermat s Little Theorem and Congruences

Secure Localization Using Elliptic Curve Cryptography in Wireless Sensor Networks

Network Security: Secret Key Cryptography

An interesting class of problems of a computational nature ask for the standard residue of a power of a number, e.g.,

PT. Primarity Tests Given an natural number n, we want to determine if n is a prime number.

Journal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10

Proceedings of Meetings on Acoustics

Block Ciphers Security of block ciphers. Symmetric Ciphers

Cryptanalysis of Ladder-DES

CS 261 Notes: Zerocash

DES Data Encryption standard

אני יודע מה עשית בפענוח האחרון: התקפות ערוצי צד על מחשבים אישיים

MA 111, Topic 2: Cryptography

A Design for Modular Exponentiation Coprocessor in Mobile Telecommunication Terminals

Secure Distributed Computation on Private Inputs

Assignment 2. Due: Monday Oct. 15, :59pm

Self-Scrambling Anonymizer. Overview

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Solutions for the Practice Final

1 Introduction to Cryptology

Lecture Notes in Computer Science,

Problem Set 6 Solutions Math 158, Fall 2016

A Second-price Sealed-bid Auction wi Discriminant of the p_<0>-th Root. Author(s)Omote, Kazumasa; Miyaji, Atsuko. Financial cryptography : 6th Interna

UNIVERSITY OF MANITOBA DATE: December 7, FINAL EXAMINATION TITLE PAGE TIME: 3 hours EXAMINER: M. Davidson

Identity-based multisignature with message recovery

Sheet 1: Introduction to prime numbers.

Application: Public Key Cryptography. Public Key Cryptography

Final exam. Question Points Score. Total: 150

6. Find an inverse of a modulo m for each of these pairs of relatively prime integers using the method

Signatures for Network Coding

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A Public Shuffle without Private Permutations

Towards a Cryptanalysis of Scrambled Spectral-Phase Encoded OCDMA

Xor. Isomorphisms. CS70: Lecture 9. Outline. Is public key crypto possible? Cryptography... Public key crypography.

The Chinese Remainder Theorem

Chapter 4 MASK Encryption: Results with Image Analysis

Cryptography. Module in Autumn Term 2016 University of Birmingham. Lecturers: Mark D. Ryan and David Galindo

The Chinese Remainder Theorem

Number Theory and Security in the Digital Age

Andrei Sabelfeld. Joint work with Per Hallgren and Martin Ochoa

LECTURE NOTES ON SUBLIMINAL CHANNEL & COMMUNICATION SYSTEM

RSA hybrid encryption schemes

Cryptanalysis on short messages encrypted with M-138 cipher machine

L29&30 - RSA Cryptography

Information Security Theory vs. Reality

Stream Ciphers And Pseudorandomness Revisited. Table of contents

Collision-based Power Analysis of Modular Exponentiation Using Chosen-message Pairs

SOLUTIONS FOR PROBLEM SET 4

Introduction to Cryptography CS 355

Merkle s Puzzles. c Eli Biham - May 3, Merkle s Puzzles (8)

Sequential Aggregate Signatures from Trapdoor Permutations

A New Chaotic Secure Communication System

OFDM Based Low Power Secured Communication using AES with Vedic Mathematics Technique for Military Applications

High-Speed RSA Crypto-Processor with Radix-4 4 Modular Multiplication and Chinese Remainder Theorem

Successful Implementation of the Hill and Magic Square Ciphers: A New Direction

Introduction to Modular Arithmetic

Solutions for the Practice Questions

Generic Attacks on Feistel Schemes

Drill Time: Remainders from Long Division

p 1 MAX(a,b) + MIN(a,b) = a+b n m means that m is a an integer multiple of n. Greatest Common Divisor: We say that n divides m.

Transcription:

ElGamal Public-Key Encryption and Signature Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 10

ElGamal Cryptosystem and Signature Scheme Taher ElGamal, originally from Egypt, was a graduate student at Stanford University, and earned a PhD degree in 1984, Martin Hellman as his dissertation advisor He published a paper in 1985 titled A public key cryptosystem and a signature scheme based on discrete logarithms in which he proposed the ElGamal discrete log cryptosystem and the signature scheme The ElGamal signature scheme is the basis for Digital Signature Algorithm (DSA) adopted by the NIST The ElGamal cryptosystem essentially turns the Diffie-Hellman key exchange method into an encryption algorithm Çetin Kaya Koç http://koclab.org Winter 2017 2 / 10

ElGamal Public-Key Encryption and Encryption Domain Parameters: The prime p and the generator g of Z p Keys: The private key is the integer x Z p and the public key y is computed as y = g x (mod p) Example: Given the prime p = 2579 and the generator g = 2, we select the private key x = 765, and compute the public key y as y = g x (mod p) = 2 765 (mod 2579) = 949 (mod 2579) Therefore, the private key x = 765 and the public key y = 949 Çetin Kaya Koç http://koclab.org Winter 2017 3 / 10

ElGamal Public-Key Encryption Encryption: The User B forms a message m Z p, generates a random number r and computes the ciphertext pair (c 1, c 2 ) c 1 = g r (mod p) c 2 = m y r (mod p) Example: Assume m = 1299, compute E(m) = (c 1, c 2 ) using the public key y = 949 and the random number r = 853 c 1 = g r (mod p) = 2 853 = 435 (mod 2579) c 2 = m y r (mod p) = 1299 949 853 = 2396 (mod 2579) Therefore, E(1299) = (c 1, c 2 ) = (435, 2396) Çetin Kaya Koç http://koclab.org Winter 2017 4 / 10

ElGamal Public-Key Decryption Decryption: The User A decrypts the ciphertext pair (c 1, c 2 ) to obtain the message m by computing u 1 = c1 x = (g r ) x = (g x ) r = y r (mod p) u 2 = c 2 u1 1 = y r m y r = m (mod p) Given E(m) = (c 1, c 2 ) = (435, 2396), the User A finds the plaintext: u 1 = c x 1 (mod p) = 435 765 = 2424 (mod 2579) u 2 = c 2 u 1 1 (mod p) = 2396 2424 1 = 1299 (mod 2579) Therefore, D(c 1, c 2 ) = D(435, 2396) = 1299 Çetin Kaya Koç http://koclab.org Winter 2017 5 / 10

ElGamal Cryptosystem Properties The ElGamal cryptosystem is a randomized algorithm: Every encryption requires the generation and use of a random number r The random number r should not be guessable The same random number r should not be used for another encryption, otherwise, the knowledge of one message allows the adversary to compute the other message The random number r is not needed for decryption The ElGamal cryptosystem produces a ciphertext pair, which is of twice length as the message Its security depends on the difficulty of the DLP in Z p Breaking Diffie-Hellman also implies breaking ElGamal Çetin Kaya Koç http://koclab.org Winter 2017 6 / 10

ElGamal Cryptosystem Signature Scheme Domain Parameters: The prime p and the generator g of Z p Keys: The private key is the integer x Z p and the public key y is computed as y = g x (mod p) Signing: The User A forms a message m Z p, generates a random number r and computes the signature pair (s 1, s 2 ) s 1 = g r (mod p) s 2 = (m x s 1 ) r 1 (mod p 1) The message and signature consists of [m, s 1, s 2 ] Similar to the encryption case, the size of the signature is twice the size of the message Çetin Kaya Koç http://koclab.org Winter 2017 7 / 10

ElGamal Cryptosystem Signature Scheme Verifying: The verifier receives the triple [m, c 1, c 2 ] and also has the public key y u 1 = g m (mod p) u 2 = y s1 s s 2 1 (mod p) If u 1 = u 2, then, the signature is valid Proof. The equality u 1 = u 2 implies g m = y s1 s s 2 1 = (g x ) s1 (g r ) s 2 (mod p) according to the Fermat s theorem m = x s 1 + r s 2 (mod p 1) Çetin Kaya Koç http://koclab.org Winter 2017 8 / 10

ElGamal Cryptosystem Signature Example The parameters: the prime p = 2579 and the generator g = 2, the private key x = 765, and the public key y = 949 We compute the signature pair on the message m = 2013 using the random number r = 999 as s 1 = g r (mod p) = 2 999 = 1833 (mod 2579) s 2 = (m x s 1 ) r 1 (mod p 1) = (2013 765 1833) 999 1 (mod 2578) = 2200 1329 = 348 (mod 2578) The message and signature triple is [m, s 1, s 2 ] = [2013, 1833, 348] Çetin Kaya Koç http://koclab.org Winter 2017 9 / 10

ElGamal Cryptosystem Signature Example The verifier has access to (p, g, y) = (2579, 2, 949) The verifier receives [m, s 1, s 2 ] = [2013, 1833, 348] and computes u 1 = g m (mod p) = 2 2013 (mod 2579) = 713 u 2 = y s1 s s 2 1 (mod p) = 949 1833 1833 348 (mod 2579) = 385 2333 (mod 2579) = 713 Since u 1 = u 2, the signature is valid Çetin Kaya Koç http://koclab.org Winter 2017 10 / 10

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback