AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

Transcription

1 AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational problems of the ElGamal Cryptosystem. By investigating the infeasibility involved in solving such mathematical problems and the possible algorithm that could break the cryptosystem, the paper will comment upon the security of the system and its correct application. While we will briefly focus on systematic cryptosystems, the main focus of this paper will be on the ElGamal Cryptosystem and the Discrete Logarithm Problem. Contents 1. Introduction 1 2. Systematic Cryptosystems and the Rise of Public-Key Cryptosystems 2 3. Introduction to Public-Key Encryption 3 4. ElGamal Cryptosystem and the Discrete Logarithm Problem 3 5. Baby Step - Giant Step Algorithm 4 6. Security Measures Against the Baby Step-Giant Step Algorithm 5 7. Conclusion and Applications 6 Acknowledgments 6 References 7 1. Introduction Let us first consider two parties, Harry and Ron, who wish to exchange covert information with each other. They could communicate through different channels such as letters, text messaging, , etc.; however, regardless of the medium, they face a third party, Voldemort, who wishes to obtain the secret information between Harry and Ron. Since all communication channels are insecure, Harry and Ron must use other means to communicate safely. The objective of cryptography is to provide this secure mode of exchange. Using cryptography, Harry can convert the original message (plaintext) into seemingly indecipherable language (ciphertext) and send this ciphertext to Ron. This would thus allow the exchanges between Harry and Ron to be more secure across all channels depending on the strength of the underlying encryption. In the following pages, we will discuss the security of different encryption methods and their overall efficiency. Date: DEADLINE August 26,

2 2 VORA,VRUSHANK APPRENTICE PROGRAM 2. Systematic Cryptosystems and the Rise of Public-Key Cryptosystems Definition 2.1. Let n be an integer. Then two integers a and b are said to be congruent modulo n if and only if n divides a b. Denote the congruence by: a b (mod n) Notation: Z/26Z = {the ring of integers modulo 26} Definition 2.2. (Shift Ciphers) Consider plaintext x and choose a number n from Z/26Z which will serve as the encryption key. Encryption will be: x x+ n (mod 26) Example 2.3. Let the plaintext be vrush then x = and choose n = 5 then x = A W Z X M. Here, n = 5 was the encryption key and A W Z X M was the encryption of the plaintext vrush. Next, we will consider more complex systematic ciphers. Definition 2.4. (Affine Ciphers) Consider plaintext x and choose a and n from Z/26Z which will serve as the encryption key. Encryption will be: x ax+ n (mod 26) Example 2.5. Let the plaintext be vrush then x = and choose a = 5 and n = 1 then x = C I U N H. 5x +1 (mod 26) was the encryption key while the C I U N H serves as the encryption. Proposition 2.6. Two letters of plaintext will usually suffice to break any Affine Cipher. Proof. With out loss of generality, let us assume that Voldemort knows that he NO, i.e, From this, Voldemort attains: 13 = 7a + n 14 = 4a + n = 1 = 3a = a = 9 17 mod (26) and n = 24. Thus, the encryption key is fully known to the third party intruder and the cipher is subsequently broken. The previous example illustrates the relative ease in solving the underlying computational problems involved in Shift and Affine ciphers. While one can employ more complicated iterations such as applying matrices to encryption keys and representing the message as a vector, such encryptions are nevertheless susceptible to Brute-Force-Attacks, methodical checking of all possible keys by the intruder. In addition to systematic cryptosystems being relatively insecure, any two individuals wishing to communicate securely must directly contact each other to agree upon the encryption key. These systems are not only insecure, but they are also impractical for many applications: if large organizations such as banks, social networking sites, online retail stores, etc. would like to communicate with all of their clients, then using systematic cryptosystems would require them to contact their clients individually. For these reasons, systematic cryptosystems are relatively laborious and obsolete. We will hence discuss more modern systems: public-key encryption.

3 AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM3 3. Introduction to Public-Key Encryption Public-Key cryptosystems allow large organizations to communicate safely with many individuals by using asymmetric encryption. Asymmetric encryption encompasses two corresponding keys: public and private. The two keys work congruently as the ciphertext encrypted by a public key can only be decrypted by the corresponding private key. Thus, multiple individuals with the same public key can send messages to an organization that holds the private key, while preserving the security of the system. This paper will discuss one of the most prominent modern public-key cryptosystems: the ElGamal Cryptosystem. 4. ElGamal Cryptosystem and the Discrete Logarithm Problem The ElGamal Cryptosystem is a public-key cryptosystem derived from the infeasibility of solving the discrete logarithm problem for very large finite fields. This section will explore the cryptosystem s key generation algorithm, encryption, and decryption methods. Definition 4.1. Order of the finite field, F p, is the number of elements in the field. It is denoted by the subscript p. Definition 4.2. Multiplicative order of an element x in F p is the number of different elements which can be obtained by raising x to all powers mod(p).it is denoted by ord(x). Definition 4.3. Multiplicative generator of F p is an element y in the finite field such that ord(y) = p 1 ElGamal encryption system uses finite fields to create ciphertexts. By choosing p such that it is prime, we will always be able to construct a finite field with p n elements. The choice of prime-numbered fields thus facilitates encryptions more efficiently than the choice of finite fields with non-prime number of elements. Definition 4.4. (Discrete Logarithms) Let F p be the finite field with p elements and let y be a generator of F p. Then for all x F p can be written as x = y a and we define a = L y (x) L y (x) is the discrete logarithm of x to the base y. It is only defined p-1 because y p 1 = 1. Example 4.5. Let us consider F 17 where y=3 is a generator F 17. We ll find: L 3 (15) =? We will compute the different powers of 3 until we can attain 15: 3 1 = 3 ; 3 2 = 9 ; 3 3 = 10 ; 3 4 = 13 ; 3 5 = 5; 3 6 = 15 hence; L 3 (15) = 6 Application of discrete logarithm in cryptosystems derives from the computational difficulty of finding a = L y (x). Since we are applying modular arithmetic over the finite field, it is more difficult to compute the discrete logarithm than it would be in the real number system. In the real numbers, it would be simple to use the log function to get an approximation for a. Working in a prime numbered

4 4 VORA,VRUSHANK APPRENTICE PROGRAM field, however, forces us to find an exact integer solution. Though, if p is small, the answer can be found relatively quickly by trying all possibilities, i.e., a Brute-Force Attack. For this reason we must use high-order fields since there is no fast way of computing the discrete logarithm over a large field. Key Generation Algorithm: Let s first consider Harry who wants to communicate with Ron and Hermonie covertly. If he wants to use the ElGamal System, he should do the following: 1.) Create a finite field F p and a generator y of F p 2.) Choose an integer a and compute x = y a the Discrete Logarithm 3.) The triple (F p, y, x) will become public, but the discrete logarithm, L y (x) = a is only known to Harry. Encryption: If Ron wants to encrypt a message to Harry, then Ron should do the following: 1.) Represent the message in terms of an integer m, such that m {0, 1,..., p 1} 2.) Choose a random integer k, such that 1 k p ) Then compute r = y k and t = mx k such that r,t {0, 1,..., p 1} The Ciphertext c = (r,t) should be sent to Harry Decryption: In order to recover message, m, from the ciphertext, c, Harry should do the following: 1.) Use the private key a to compute r p 1 a mod(p) 2.) Recover the m by deriving tr a Proposition 4.6. ElGamal s encryption returns the original plaintext message when given a correctly calculated ciphertext. Proof. Let c = (r, t) then r = y k and t = mx k where x = y a. Deriving tr a attains the following: tr a = mx k (y k ) a = m(g a ) k (g k ) a = m Thus, we are guaranteed to attain the plaintext if the ciphertext is correctly computed in the ElGamal encryption. Example 4.7. Let the public ElGamal Cryptosystem, (F p, y, x) = (F 23,7, 4). Assume the encrypted pair (r,t) = (21, 11). Then using what we know about discrete logarithms, we can calculate value of the discrete logarithm and the message m: a = L 7 (4) = 6 m = 21 6 (11) = 7 5. Baby Step - Giant Step Algorithm We will next explore a possible attack against this sytem. An attacker can learn information about the plaintext without decrypting the ciphertext: given two encryptions the attacker can figure out which plaintext was a quadratic residue and one was not. This is the fundamental premise of the Baby Step-Giant Step attack, which encompasses a series of well-defined steps to compute the discrete logarithm of the underlying ElGamal system. Definition 5.1. (Baby Step - GiantStep Algorithm) Assume there exists a discrete logarithm, x = y a in F p that we want to solve. Let N = p 1 + 1

5 AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM5 Final step in the algorithm consists of making two lists and looking for a match: Baby Step: y 0, y 1, y 2,..., y N 1 Giant Step: x, xy N, xy 2N,..., xy (N 1)N Proposition 5.2. If we find that there exists a match between the Baby Step and Giant Step lists, then the ElGamal System is broken. Proof. Assume there is a match between the two lists, y j = xy kn y j+kn = x and since y a = x Thus, y a = y j+kn = x Since j, k, and N are public, the discrete logarithm problem is solved and the underlying ElGamal cryptosystem is broken. Theorem 5.3. Using the Baby Step-Giant Step algorithm, there will always be a match between the two lists. Proof. Recall that N = p Note by this definition: and therefore a can be written as: This thus leads to: hence; 0 a < p 1 N 2 a = a 0 + a 1 N where a 0, a 1 N 1. x = y a = y a0 (y a1 ) N y a0 = b(y a1 ) N. This shows that we have a match between the Baby Step and the Giant Step lists. Remark 5.4. The Bay Step-Giant Step Algorithm roughly needs 2 p in order to calculate the discrete logarithm. 6. Security Measures Against the Baby Step-Giant Step Algorithm The previous theorem and remark illustrate that the underlying discrete logarithm of an ElGamal Cryptosystem can be computed using the Baby Step-Giant Step Algorithm. While it is possible to solve the underlying discrete logarithm, it nevertheless requires 2 p calculations for any given finite prime ordered field. Thus, in order to make the cryptosystem probabilistically secure, one must choose a large enough field and a high order generator. It becomes impractical to break the ElGamal system with the Baby Step-Giant Step Algorithm for a prime numbered field larger than This section will analyze other possible and practical ways to make the ElGamal Cryptosystem more secure against the Bab Step-Giant Step Attack. We will first introduce the computational diffie-hellman problem and show how its computational difficulty affects the underlying discrete logarithm.

6 6 VORA,VRUSHANK APPRENTICE PROGRAM Definition 6.1. (Diffie-Hellman Problem) Let F p be the finite field with p elements and let y be a generator of F p. Then for given values y b, y c in F p, finding y bc is the computational diffie-hellman problem. While the ElGamal system relies on the discrete logarithm problem, the security of the cryptosystem is very entrenched in difficulty of solving the underlying diffiehellman problem. The following theorem proves that if the underlying diffie-hellman problem is weak then its discrete logarithm is easily breakable. Theorem 6.2. The ElGamal cryptosystem is breakable if and only if the underlying computational diffie-hellman problem is breakable. Proof. Let us first assume that we have the algorithm that breaks the underlying Diffie-Hellman Problem: Thus, we know the value of y bc from the values of y b and y c. Take as input y b = a and y c = r, where a and r are the quantities of the underlying discrete logarithm and the ElGamal system. As y x = a and y k = r, the algorithm will compute y bc = y xk. Since, m = tr a = tg ak and we find m and the system is broken. Next, let us assume that the we have the algorithm that breaks the underlying Discrete Logarithm Problem: Therefore, we know that m = tr a from a given pair (r,t) associated with the triple (F p, y, x). We thus take as input a = y x, so b = x and r = y c, so t = 1. The algorithm thus produces m = tr a = y bc. This provides us with the value of the underlying diffie-hellman problem. The theorem thus implies that the diffie-hellman problem must be secure in order for the ElGamal Encryption based upon the discrete logarithm problem to be secure. For the protection of the ElGamal system, the organization using the cryptosystem must check for the security of the diffie-hellman problem as it serves as a necessary means to secure the ElGamal cryptosystem against the Baby Step- Giant Step Algorithm. 7. Conclusion and Applications Since the ElGamal encryption is prone to attacks such as the Baby Step-Giant Step, users of this cryptosystem must take proper precautions to strengthen the underlying discrete logarithm problem such that it becomes probabilistically infeasible to break the system. The users should use a large (possibly greater than elements) prime numbered finite field with a high-order generator and check for the computational difficulty of the respective diffie-hellman problem. ElGamal cryptosystem likewise allows for individuals using the encryption to remain anonymous in one way or another. Thus, this system can be very useful in conducting online voting ballots or any other transactions in which the recipients wish to hide their identities. Acknowledgments. It is a pleasure to thank my mentor, Preston Wake for all his guidance and knowledge on the subject of the paper. I would also like to thank Peter May and the REU Professors providing this opportunity and sharing their Mathematical knowledge with me.

7 AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM7 References [1] Helgeson, Melissa. Security and Application of ElGamal s Encryption Algorithm. University of Minnesota, Morris. 04 May Web. 16 Aug [2] Kolster, Michael. Introduction to Cryptography [3] Menezes, A. J., Oorschot Paul C. Van, and Scott A. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC, 1997