5.4 ElGamal - definition

Transcription

1 5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is called a generator of G if G = {g a : 0 a G 1}, i.e. every element h G can be written uniquely as h = g a for some a {0, 1,..., G 1}. The ElGamal encryption scheme can be defined over any cyclic group. For concreteness sake we restrict ourselves to the ElGamal scheme over the cyclic groups Z p, where p is a prime. ElGamal key generation On input 1 n the ElGamal key generation algorithm works as follows: 1. Generate a random prime p with n bits such that p 1 has at least one large prime factor. 2. Choose a generator g of Z p, a random a Z p 1, and set h := g a mod p. 3. Return pk := (p, g, h) and sk := (p, g, a). For pk = (p, g, h) the set of feasible plaintexts P pk is Z p. The set of feasible ciphertexts is Z p Z p. ElGamal encryption On input pk = (p, g, h) and m Z p the encryption algorithm works as follows: 1. Choose r Z p 1 uniformly at random. 2. Set v := g r mod p and w := h r m mod p. 3. Return the pair (v, w). ElGamal decryption On input sk = (p, g, a) and c = (v, w) Z p Z p the decryption works as follows: 1. Set u := v a mod p and m := u 1 w mod p. 2. Return m. Note that unlike RSA the ElGamal scheme uses a randomized encryption algorithm. This will prove to be important when we consider the security of the ElGamal system. Before we explain how to implement the key generation 70

2 efficiently and why we use primes p such that p 1 has at least one large prime factor, let us show that ElGamal works correctly, i.e. we show that every key pair (pk, sk) = ((p, g, h), (p, g, a)) and every m Z p we have D sk (E pk (m)) = m. In fact, we have D sk ( Epk (m) ) = (g r ) a h r m = g ra g ra m = m. Next we explain how to implement the ElGamal key generation efficiently. First we describe how to generate primes p such that p 1 has at least one large prime factor. We will restrict ourselves to the generation of strong primes. A prime number p is called a strong prime if p 1 = 2q for a prime number q. Strong primes certainly satisfy the conditions of the ElGamal key generation. To generate a strong prime we proceed as follows. Until we find a strong prime, we generate a random integer p and test whether p and (p 1)/2 are primes. We already know that there are efficient prime number tests. Therefore, we only need to argue that there exist sufficiently many strong primes. Unfortunately, this has not been proved, but it is widely believed to be true. More precisely, if we define π strong := {p x : p is a strong prime}, then the following conjecture is well established. Conjecture There is a constant c such that for all x large enough π strong (x) c x ln(x) 2. If we believe this conjecture, then the procedure sketched above will find a strong prime with n bits after trying O(n 2 ) numbers. Next we describe how to compute generators for Z p. Since we use strong primes we can assume that we know the prime factorization of p 1, i.e. we know the prime q such that p 1 = 2q. The following theorem shows that Z p has many generators. Theorem The cyclic group Z p has exactly φ(p 1) generators. If p 1 = 2q with q prime, then φ(p 1) = q 1 (see (5.1). Hence, roughly half of the elements in Z p are generators. The next theorem gives a characterization of generators in Z p that can be verified efficiently if the factorization of p 1 is known. 71

3 Theorem Let p be a prime and let p 1 = l i=1 qe i i be the prime factorization of p 1. An element g Z p is a generator for Z p if and only if g (p 1)/qi 1 mod p for all i = 1,..., l. If p = 2q + 1 is a strong prime, then g Z p is a generator of Z p if g 2 1 mod p and g q 1 mod p. Now it is quite easy to compute generators in Z p. Input: Two primes p, q such that p = 2q + 1. Output: A generator g of Z p. Step 1: While no generator has been returned Step 2: Choose g uniformly at random in Z p. Step 3: If g 2 1 mod p and g q 1 mod p, return g. For each g chosen in step 1 we only need time polynomial in log p to check the conditions in step 3. By Theorem the expected number of g we have to choose in step 1 before we find a generator is roughly 2. Hence, in expected polynomial time we can find generators for Z p. Therefore, assuming Conjecture is correct, the key generation in ElGamal can be implemented in expected polynomial time. 5.5 ElGamal - security In this section we consider key recovery, plaintext recovery, and plaintext indistinguishability for ElGamal. We start with key recovery. Key recovery for ELGamal. Key recovery in ElGamal is equivalent to the computation of discrete logarithms in Z p, where discrete logarithms are defined as follows. Let G be a cyclic group with generator g. In the discrete logarithm problem in the group G with generator g, we are given as input an element h G and have to find the unique a {0, 1,..., G 1} satisfying g a = h (in G). Unfortunately, as in the case of the factoring problem, the exact complexity theoretic status of the discrete logarithm problem in the groups Z p 72

4 is unclear. It is not known to be N P-hard, nor is the computation of discrete logarithms in the groups Z p known to be solvable in polynomial time. Currently, the most efficient algorithm to compute discrete logarithms in Z p is a variant of the number field sieve. Under some reasonable number theoretic assumptions its running time is exp(c log(n) 1/3 log log(n) 2/3 ), c 3 2/3. Note that the running time of the number field sieve is superpolynomial in log p. However, there is another algorithm to compute discrete logarithms that is efficient if p 1 has only small prime divisors and the factorization of p 1 is known. The algorithm is called the Pohlig-Hellman algorithm. It cannot only be applied in Z p but in any cyclic group. We do not describe the algorithm here, instead we just mention it running time. Theorem Assuming that the prime factorization G = l i=1 pe i i is known, the Pohlig-Hellman algorithms solves the discrete logarithm problem in G with success probability 1. The Pohlig-Hellman algorithm uses O ( log( G ) 2 + k ) i=1 pi group operations in G. A group operation in Z p is a modular multiplication. A modular multiplication in Z p requires time O(log(p) 2 ). Hence, in the groups Z p, where p 1 has only small prime divisors, the Pohlig-Hellman algorithm efficiently computes discrete loagrithms. This explains why we require in the key generation algorithm for ElGamal that a prime p is generated, where p 1 has at least one large prime divisor. Plaintext recovery in ElGamal. It is not hard to see that under chosen ciphertext attacks plaintext recovery in ElGamal is easy. Unfortunately, plaintext recovery under chosen plaintext attacks in ElGamal is not known to be equivalent to the computation of discrete logarithms. Instead, we can only show that it is equivalent to the so-called computational Diffie-Hellman problem (CDH). You will do the proof that plaintext recovery in ElGamal is equivalent to CDH in an exercise. The CDH can be defined for any cyclic group. So let G be a cyclic group with generator g. In the computational Diffie-Hellman problem (CDH) in the group G with generator g, we are given as input two elements g a, g b G and have to compute the element g a b. Clearly, if we can compute discrete logarithms in a cyclic group G, then we can solve the CDH in G efficiently. However, whether an efficient algorithm for the CDH in G implies an efficient algorithm for discrete logarithms in G is not known. Currently all algorithms that solve the CDH do this by first solving the discrete logarithm problem. 73

5 Plaintext indistinguishability in ElGamal. Next we consider plaintext indistinguishability in ElGamal. We will show that if a variant of the Diffie-Hellman problem, the Decisional Diffie-Hellman problem (DDH), is difficult, then ElGamal is plaintext indistinguishable under chosen plaintext attacks. To define the Decisional Diffie-Hellman problem (DDH) we need to make some preliminary remarks. By f 0 denote the following map f 0 : {0, 1,..., G 1} 2 G 3 (a, b) (g a, g b, g a b ). By D 0 denote the distribution on G 3 induced by f 0 and the uniform distribution on {0, 1,..., G 1} 2. Furthermore, by f 1 denote the mapping f 0 : {0, 1,..., G 1} 3 G 3 (a, b, c) (g a, g b, g c ). By D 1 denote the distribution on G 3 induced by f 1 and the uniform distribution on {0, 1,..., G 1} 3. Note that D 1 is just the uniform distribution on G 3. In the DDH for G with generator g we have to distinguish the distributions D 0 and D 1. Definition The DDH in group G is (t, ɛ)-hard, if no (ɛ, t)-distinguisher for D 0 and D 1 exists, i.e. there is an algorithm A running for at most t step with Pr(A(D 0 ) = 1) Pr(A(D 1 ) = 1) ɛ. To remind yourself of distinguishers etc., you may want to look back at Chapter 3. We want to show that if the DDH in Z p is difficult then ElGamal in Z p is plaintexttext indistinguishable. Theorem There exists a constant c < 1 such that if the DDH in Z p is (t, ɛ)-hard, then the ElGamal encryption scheme in Z p is (c t, ɛ) plaintext indistinguishable under chosen plaintext attacks. Proof: We show that if the ElGamal encryption scheme is not (c t, ɛ)- indistinguishable against chosen plaintext attacks then DDH in Z p is not (t, ɛ)-hard for some c. To prove this we assume that there exists an adversary A using at most ct steps and with advantage Adv pi-cpa ɛ in the plaintext indistinguishability game Game pi-cpa with the ElGamal encryption 74

6 scheme (see page 60 for the definition of Game pi-cpa for asymmetric encryption schemes). Using this adversary we construct an ɛ- distinguisher D for the distributions D 0 and D 1 defined above. We also show that if A runs in ct steps for some constant c < 1, then D uses at most t steps. First we describe how to obtain the distinguisher D from the adversary A. We assume that the prime p and a generator g for Z p is already known and need not be computed. Distinguisher D from plaintext indistinguishability adversary A On input (a a, g b, α) Z p Z p Z p: 1. Simulate A with public key pk = (p, g, g a ) as in the first step of Game pi-cpa to obtain two plaintexts m 0, m Choose β {0, 1}. 3. Simulate A as in the third step of Game pi-cpa with tuple (g b, α m β ) as ciphertext to obtain bit β. 4. Return 1 iff β = β. First let us estimate the running time of D. Basically, all that D needs to do is simulate A. Other than that, D just needs to generate a random bit and compare two bits. Hence, the running time of D is t, if A has running time t/c for some c < 1. Next we need to determine Pr(D(D 0 ) = 1) Pr(D(D 1 ) = 1). First, we note that Pr(D(D 0 ) = 1) = Succ cpa (A). In fact, if the triple (g a, g b, α) is chosen according to the distribution D 0, then α = g ab. Hence the simulation of A behaves exactly as A in Game pi-cpa with the ElGamal encryption scheme. In particular, the tuple (g b, α m β ) used to simulate A in step 3 is a possible encryption of message m β. Therefore, Pr(A(D 0 ) = 1) is the probability that A wins Game pi-cpa. Hence, Pr(A(D) = 1) = Succ cpa (A) = 1/2+ɛ. Now consider Pr(D(D 1 ) = 1). Then α is chosen uniformly at random and independently from g a and g b. Then the tuples (g b, α m 0 ) and (g b, α m 1 ) both are distributed according to the uniform distribution on Z p Z p. Hence, the distribution of the tuples (g b, α m β ) used in the simulation of A in step 3 of the distinguisher D is independent from the value of β. But then the bit β that the simulation of A returns is independent from β. This implies 75

7 Pr(β = β ) = 1/2. Hence, Pr(D(D 1 ) = 1). Altogether we obtain Pr(D(D 0 ) = 1) Pr(D(D 1 ) = 1) = 1/2 + ɛ 1/2 = ɛ. The original version of RSA is not plaintext indistinguishable. Only, if we use random padding then the RSA encryption scheme becomes plaintext indistinguishable. As we have just seen, ElGamal itself is plaintext indistinguishable. The difference between RSA and ElGamal is that in ElGamal the encryption is randomized, which implies that there are many (in fact p 1) possible encryptions for each plaintext. 76