A Knapsack Cryptosystem Based on The Discrete Logarithm Problem


By K.H. Rahouma
Electrical Technology Department, Technical College in Riyadh, Riyadh, Kingdom of Saudi Arabia

Abstract- This paper introduces a knapsack cryptosystem based on the discrete logarithm problem. The proposed algorithm obtains the public knapsack values by finding the discrete logarithms of the secret knapsack ones. It encrypts a message block by obtaining its binary bits and then computing the modular multiplication of the public knapsack values corresponding to the 1-bits of the binary form. Decryption is done by obtaining the inverse of the discrete logarithm of the encrypted message. The computation of this inverse is known to be a hard problem. The block length is the same as the knapsack length. The paper discusses the security issues of the system.

Keywords: Knapsack cryptosystems, Discrete logarithm problem, Encryption, Decryption.

1. INTRODUCTION

The inverse problem of modular exponentiation is that of finding the discrete logarithm of a number. This is a hard problem. The problem was utilized in designing public knapsack systems for encryption and signature applications. Most of these systems use certain weights to obtain the public knapsacks from secret ones. Almost all of these knapsack systems were broken by solving some equations to obtain the original bits of the encrypted message [1,2].

Because of the hardness of finding the inverse of the discrete logarithm of a certain value, the security of many public key algorithms is based on that problem. Thus, we can benefit from such a problem in designing a knapsack system which encrypts the message block by obtaining the public knapsack values from the private or secret knapsack ones by computing their discrete logarithms. Then, the binary bits of the message block are obtained. The modular multiplication of the public knapsack values, corresponding to the 1-bits of the message block, is carried out to yield the encryption value of the block. In this case, it will be hard for anyone except the legal parties (by the legal parties we mean the parties who have the private keys of the system) to compute the inverse of the discrete logarithm of the encrypted message to obtain the original one [1,2].

This paper proposes an algorithm that implements the above idea. In section (2), the original knapsack problem is explained and in section (3), the discrete logarithm problem is introduced. The proposed algorithm is given in section (4) and an implementation example is illustrated in section (5). Some security issues are depicted in section (6) and some conclusions are drawn in section (7). At the end of the paper, a list of the used references is given.

2. THE KNAPSACK PROBLEM

The first algorithm for generalized public key encryption was the knapsack algorithm developed by Ralph Merkle and Martin Hellman [3,4], which was developed for encryption only. Later, Adi Shamir adapted it for digital signatures [1]. Over time, the algorithm was found insecure [5-8] and broken [9-11].

The idea behind the Merkle-Hellman knapsack algorithm is to create a super-increasing set of values such that each value is greater than the summation of all the preceding ones. This set is kept secret. A public set of values is obtained from the secret one by multiplying its values by a certain weight (W) and taking the modulus of the multiplication to a certain number (P). The value (P) should be greater than the summation of the secret set values. The public knapsack is published to be used for encryption while the secret knapsack is used for decryption. If the private knapsack set is {pri_set}, the public knapsack set is {pub_set}, and the multiplication weight is W, then the relationship (pub_set = W * pri_set) exists.
This means that (pri_set = $W^{-1}$ * pub_set) and that W has to have an inverse modulo (P), that is, $W^{-1}$ should exist.

For instance, if we have a secret knapsack of the form {2,3,7,15,30,61,123,251}, then (P) could be chosen to be 503. Note that the summation of the set values is (492). Now, assume that W=115; then $W^{-1}$ = 35 mod 503. Thus, the public knapsack set can be calculated as {230, 345, 302, 216, 432, 476, 61, 194}. Thus if we have a data block with a binary form of {$b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7$}={ }, or a decimal value (215), then the encrypted value will be (1564= ). Multiplying this value by $W^{-1}$ = 35 mod 503 yields 1564*35 mod 503 = 416 = . It should be noted here that the data blocks should be of binary combinations less than or equal to ( }.

Note that in the super-increasing knapsacks, the difference between each value and the summation of its preceding ones can be fixed or randomly changed. Mathematically, if we have the first value in the knapsack ($k_0 = x$), the second value will be ($k_1 = x + a_1$). The other values could be obtained as follows:

$k_2 = k_0 + k_1 + a_2 = (x) + (x + a_1) + a_2 = 2x + 1 \cdot a_1 + 1 \cdot a_2$
$k_3 = k_0 + k_1 + k_2 + a_3 = 4x + 2a_1 + 1 \cdot a_2 + 1 \cdot a_3$
$k_4 = k_0 + k_1 + \dots + k_3 + a_4 = 8x + 4a_1 + 2a_2 + 1 \cdot a_3 + 1 \cdot a_4$
...
$k_i = 2^{i-1} x + \sum_{j=0}^{i-2} 2^{j} a_{i-j-1} + a_i$

Note that the summation of all the terms will be less than twice the last one.

3. THE DISCRETE LOGARITHM (DLOG) PROBLEM

Modular exponentiation is a one-way function used frequently in cryptography. Evaluating this expression is easy: for a value x, find $y = g^x \bmod P$. The inverse problem of modular exponentiation is that of finding the discrete logarithm of a number. This is a hard problem [1,2]: for a value y, find x where $a^x = y \bmod P$. Not all discrete logarithms have solutions (remember, the only valid solutions are integers). There are three main groups whose discrete logarithms are of interest to cryptographers. These are:

1- The multiplicative group of prime fields [i.e., GF(P)].
2- The multiplicative group of finite fields of characteristic 2 [i.e., GF($2^P$)].
3- Elliptic curve groups over finite fields F [i.e., EC(F)].

The security of many public key algorithms is based on the problem of finding discrete logarithms. If a prime (P) is the modulus, then the complexity of finding discrete logarithms in GF(P) is essentially the same as factoring an integer (n) of about the same size, where (n) is the product of two approximately equal length primes [12,13]. Several algorithms were proposed to compute discrete logarithms in GF(P) [14] and in GF($P^n$) [15,16]. The discrete logarithm problem has been used in encryption/decryption, digital signature, proofs of identity, password authentication and key exchange applications and algorithms [17-22]. In the following, a discrete logarithm algorithm {proposed by Shanks [2]} will be described.
1- Obtain m = the upper integer of $\sqrt{P-1}$.
2- Compute $g^{m j} \bmod P$, $0 \le j \le m-1$.
3- Arrange the m ordered pairs $(j, g^{m j} \bmod P)$ with respect to their second coordinates, obtaining a list $L_1$.
4- Compute $y \cdot g^{-i} \bmod P$, $0 \le i \le m-1$.
5- Arrange the m ordered pairs $(i, y \cdot g^{-i} \bmod P)$ with respect to their second coordinates, obtaining a list $L_2$.
6- Find a pair $(j, y) \in L_1$ and a pair $(i, y) \in L_2$ (i.e., a pair having identical second coordinates).
7- Define $\log_g y = (m \cdot j + i) \bmod (P-1)$.

For instance, if we have P=103, g=43, then we can compute m=11, and $g^{m j} \bmod P$ = {1,40,55,37,38,78,30,67,2,80,7}. Also, $g^{-i}$ = {12,41,80,33,87,14,65,59,90,50}. Suppose we need to obtain $\log_g(67)$. This means that β=56. Thus, we compute $y \cdot g^{-i} \bmod P$ = {67,83,69,4,48,61,11,29,39,56,54}. Now comparing the two lists ($g^{m j} \bmod P$) and ($y \cdot g^{-i} \bmod P$) we find (67) as a common value. We can see that j=7 and i=0. Then, we can compute $\log_g 67 = 11 \cdot 7 + 0 = 77$. Indeed, $43^{77} \bmod 103 = 67$. This method of finding the inverse discrete logarithm will be used in our proposed algorithm in the following section.

4. THE PROPOSED CRYPTO-SYSTEM

This crypto-system is composed of three parts. The first one is the pre-computation part, which derives the secret knapsack and chooses the values of P and g to be used in computing the public knapsack. The public knapsack values and the modulus P are used in the second part for encryption, while the values of g, P, and the private knapsack are used in the third part for decryption. The different parts are described in the following subsections.

Pre-operation computation

1- Derive the secret knapsack values $x_1, x_2, \dots, x_n$.
2- Choose two prime numbers P, g, where P > sum of the secret knapsack values. P and g should satisfy certain conditions [see section (6.1)].
3- For each value ($x_i$) obtain a value ($y_i$) where $y_i = g^{x_i} \bmod P$.
4- Publish the values P, $y_i$, where i=1,2,...,n and n is the knapsack length.

For encryption

5- Transform the message into blocks, each of n bits (i.e., $b_0, b_1, b_2, b_3, \dots, b_{n-1}$). For each block carry out the following steps.
6- Obtain $y = e(m) = \mathrm{mult}(y_i) \bmod P$, where (i) indicates the public knapsack values corresponding to the cases where $b_i = 1$.
7- Send the obtained value (y) to the receiver.

For decryption

8- Obtain a value (x) corresponding to the received value (y) where x = idlog(y). NB: In this step the algorithm explained in section (3) is applied.
9- Refer to the secret knapsack values to construct an n-bit binary block. This is done by comparing the block value (dm=x) to the last value ($x_n$) in the knapsack: if dm > $x_n$, then the corresponding bit is set to "1"; otherwise the bit is set to "0". If the bit is "1", the knapsack value is subtracted from the block value to get a new value (dm). The process of comparison and subtraction is repeated with the values $x_{n-1}, x_{n-2}, \dots, x_1, x_0$.
10- Obtain the corresponding message block from its binary form.
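The ten steps above, run end to end on the toy parameters the paper uses in its example (P=103, g=43, private knapsack {2,3,6,12,24,48}). This is an added example, not code from the paper; the function names are assumptions, bit $b_i$ is given weight $2^i$ as in the paper's ms=2 case, and the comparison in step 9 is implemented as >=.

```python
from math import isqrt

# Parameters taken from the paper's implementation example.
P = 103
G = 43
PRIVATE = [2, 3, 6, 12, 24, 48]      # secret super-increasing knapsack


def shanks_dlog(y, g, p):
    """Section 3 procedure: return x with g^x = y (mod p), or None if no match."""
    m = isqrt(p - 2) + 1                       # upper integer of sqrt(p-1)
    # List L1: g^(m*j) mod p -> j for 0 <= j <= m-1 (first j kept on repeats).
    l1 = {}
    for j in range(m):
        l1.setdefault(pow(g, m * j, p), j)
    g_inv = pow(g, -1, p)                      # modular inverse (Python 3.8+)
    # List L2: scan y*g^(-i) mod p for 0 <= i <= m-1, looking for a common value.
    for i in range(m):
        j = l1.get(y * pow(g_inv, i, p) % p)
        if j is not None:
            return (m * j + i) % (p - 1)
    return None


def public_knapsack(private, g, p):
    """Steps 1-4: validate the secret knapsack, then compute y_i = g^(x_i) mod p."""
    total = 0
    for x in private:
        if x <= total:
            raise ValueError("secret knapsack is not super-increasing")
        total += x
    if p <= total:
        raise ValueError("P must exceed the sum of the secret knapsack")
    return [pow(g, x, p) for x in private]


def encrypt(ms, public, p):
    """Steps 5-7: multiply the public values selected by the 1-bits of ms."""
    em = 1
    for i, y in enumerate(public):
        if (ms >> i) & 1:                      # bit b_i has weight 2^i
            em = em * y % p
    return em


def decrypt(em, private, g, p):
    """Steps 8-10: recover the exponent, then peel knapsack values, largest first."""
    dm = shanks_dlog(em, g, p)
    if dm is None:
        raise ValueError("no discrete logarithm found")
    ms = 0
    for i in reversed(range(len(private))):
        # >= rather than a strict >, so a remainder equal to x_i selects it.
        if dm >= private[i]:
            ms |= 1 << i
            dm -= private[i]
    if dm != 0:
        raise ValueError("exponent is not a sum of knapsack values")
    return ms


def roundtrip_failures(private, g, p):
    """Return every non-zero n-bit block that does not decrypt back to itself."""
    public = public_knapsack(private, g, p)
    bad = []
    for ms in range(1, 2 ** len(private)):
        try:
            if decrypt(encrypt(ms, public, p), private, g, p) != ms:
                bad.append(ms)
        except ValueError:
            bad.append(ms)
    return bad


if __name__ == "__main__":
    pub = public_knapsack(PRIVATE, G, P)
    print("public knapsack:", pub)
    print("em(2) =", encrypt(2, pub, P), "-> dm =", decrypt(encrypt(2, pub, P), PRIVATE, G, P))
    print("blocks failing the round trip:", roundtrip_failures(PRIVATE, G, P))
```

Note that `decrypt` needs g as well as the private knapsack, which is why the scheme keeps both secret.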

5. AN IMPLEMENTATION EXAMPLE

In this example, we take P=103 and g=43. Obtaining the values ($43^i \bmod 103$, with $0 \le i \le 102$) yields:

$43^i \bmod 103$ = {1,43,98,94,25,45,81,84,7,95,68,40,72,6,52,73,49,47,64,74,92,42,55,99,34,20,36,3,26,88,76,75,32,37,46,21,79,101,17,10,18,53,13,44,38,89,16,70,23,62,91,102,60,5,9,78,58,22,19,96,8,35,63,31,97,51,30,54,56,39,29,11,61,48,4,69,83,67,100,77,15,27,28,71,66,57,82,24,2,86,93,85,50,90,59,65,14,87,33,80,41,12}

From the obtained values, we can see that the set values repeat every 102 steps. In other words, the cycle of the set is (P-1). Choosing P, g affects the cycle. This will be explained in section (6). Proceeding in computation we obtain:

m = UPPER INT(SQRT(P-1)) = 11.
Assuming the private knapsack = {2,3,6,12,24,48}, then the public knapsack = {98,94,81,72,34,23}.
$g^{m j}$ = {1,40,55,37,38,78,30,67,2,80,7}, where $0 \le j \le m-1$.
The inverses $g^{-i}$ = {12,41,80,33,87,14,65,59,90,50}, where $0 \le i \le m-1$.

Let us run the algorithm for all the values consisting of 6 bits. For each value ($1 \le j \le 63$), table (1) gives the block decimal value (ms), its bit combination, its encrypted value (em), the list ($em \cdot g^{-i} \bmod P$), the decrypted value (dm), and the bits of (dm). We should mention here that the set cycle affects the process of obtaining the inverse of the discrete logarithms of the received blocks. This will be explained in section (6).

It is important to notice that from table (1) we can see that the second coordinates of the two lists ($L_1 = g^{m j} \bmod P$) and ($L_2 = em \cdot g^{-i} \bmod P$) match at more than one case for some messages. For instance, when ms=2, the two lists are $L_1$ = {1,40,55,37,38,78,30,67,2,80,7} and $L_2$ = {94,98,43,1,12,41,80,33,87,14,65}. It is clear that they match at the two cases (the value "1" when j=0, i=3) and (the value "80" when j=9, i=6). Computing $\log_g y = (m \cdot j + i) \bmod (P-1)$ for the two cases, with y = encryption value of (ms) = em(2) = 94, we find:

The case of j=0, i=3: $\log_g y = (11 \cdot 0 + 3) \bmod 102 = 3$. This means that only the value 3 is taken from the secret knapsack. This corresponds to a bit combination of {010000} and thus the decrypted value is (2).

The case of j=9, i=6: $\log_g y = (11 \cdot 9 + 6) \bmod 102 = 105 \bmod 102 = 3$. This yields the same result as the previous case (i.e., the value 3 is taken from the secret knapsack).

If the cycle is less than P-1, the computation of the inverse of the discrete logarithm of the encrypted messages will yield wrong results. This will be explained in the following section.

Table (1): Results of running the proposed algorithm for the messages (ms = 1 to 63), where (ms) is the bit combination, (em) is the encrypted value, and (dm) is the decrypted value.
Columns: Block (ms) | Bits of ms sequence | Encr. block (em) | $em \cdot g^{-i}$ sequence ($s_0, s_1, s_2, \dots$) | Decr. block (dm) | Bits of dm sequence

6. SECURITY ISSUES OF THE PROPOSED SYSTEM

In this section we will discuss some security issues that are necessary for securing and maintaining the proposed algorithm. These issues include:

1- The order and number of the knapsack values.
2- Choosing P and g.
3- Is publishing the prime P a weakness point?

6.1. The Order and number of the knapsack values

The knapsack values should be in the order of bits. The number of these values should be in the range of numbers. In this way, it will be very difficult and exhaustive for anyone except the legal parties (the legal parties are those who know the values of g and the private knapsack) to try to recover the original message bits from the encrypted message. This is true because using big numbers means that a long time and exhaustive computational power are needed to carry out the different computations of cryptanalysis.
Also, it will be difficult for the cryptanalyst to try some special texts (e.g., all the message bits except one are zeros, or all the bits are 1's, or half of the bits are 1's) for encryption, hoping to get some of the system keys. This will not help because the modular multiplication of the corresponding values of the public knapsack will be the result of the encryption. This encryption value is equal to $g^{x_i} \bmod P$. Because the values of g and $x_i$ ($0 \le i \le n-1$) are unknown, the cryptanalyst gets nothing from the encryption of the special texts.

Choosing P and g

A. Choosing P

The value of P should satisfy the following conditions:

1- It is a big prime number (P should be in the order of 512 or 1024 bits).
2- It is greater than the summation of the secret knapsack values.
3- It is not the prime number next to the last value in the private knapsack.

B. Choosing g

The value of g should satisfy the following conditions:

1- It is to be greater than (1) and less than (P), i.e., $2 \le g \le P-1$.
2- The cycle of the set {$g^i$, $0 \le i \le P-1$} should equal P-1.

The second condition is vital because if it is not satisfied, the values of (em) will repeat every cycle. This is true because $g^x \bmod P = g^{x+\mathrm{cycle}} \bmod P$.

For example, if we use P=103, g=41, then cycle=51. Assume the private knapsack = {2,3,6,12,24,48}; then the public knapsack = {33, 14, 93, 100, 9, 81}. Assume $ms_1$ = 2; then we find that em(2) = em({$b_0, b_1, b_2, b_3, b_4, b_5$} = {010000}) = $41^3 \bmod 103$ = 14. Computing ($41^3 \bmod 103 = 41^{54} \bmod 103$) yields 14. Thus, the two exponent values of (3,54) give the same encryption value of (14). Referring to the private knapsack, the value 54=48+6 corresponds to a binary representation of {$b_0, b_1, b_2, b_3, b_4, b_5$} = {001001}. This means that the original message is 32+4=36. Hence, the two messages ($ms_1$ = 2 and $ms_2$ = 36) have the same encryption value.

As another example, if we use P=103, g=31, then cycle=34. Assume that the private knapsack = {2,3,6,12,24,48}; then the public knapsack = {34,24,61,13,66,30}. Thus, for $ms_1$ = 1, we can compute em(1) = em({$b_0, b_1, b_2, b_3, b_4, b_5$} = {100000}) = $31^2 \bmod 103$ = 34. Computing ($31^2 \bmod 103 = 31^{36} \bmod 103$) yields 34. Thus, the two exponent values of (2,36) give the same encryption value of (34). Referring to the private knapsack, the value 36=24+12 corresponds to a binary representation of {$b_0, b_1, b_2, b_3, b_4, b_5$} = {000110}. This means that the original message is 16+8=24. Hence, the two messages ($ms_1$ = 1 and $ms_2$ = 24) have the same encryption value of (34). According to these results, the cycle should be P-1.

Is Publishing P a weakness point?

In this discussion we are concerned with two points:

1- The use of P to recover some bits of an encrypted message.
2- What the public cryptosystems based on the discrete logarithm problem usually do.
For the first point, assume we have a message (ms) which is encrypted to (em) by obtaining the modular multiplication of the public knapsack values corresponding to the 1-bits of the original message. Then a question might be asked: is it possible for anyone except the legal parties to guess the public knapsack values which were used to obtain the value of the encrypted message? A "yes" answer means that we need to try the multiplication of the values of the public knapsack two by two, then three by three, and so on, and compare the results of the multiplication to the encrypted message. This may need a number of trials of P!/2! + P!/3! + P!/4! + ... + P!/(P-1)! + 1 to find the correct match (n! denotes the factorial of n). When P is very large (i.e., at least bits), a very long time and an exhaustive computational power are needed to reach the match.

Because P is a big prime larger than the summation of the private knapsack values, another question may be asked: is it possible to use this property of (P) to guess the values of the private knapsack? Of course the answer is "no". This is because it requires constructing an n x n system of inequalities in $x_i$, $0 \le i \le n$ (n is the length of the knapsack). This will not help because the variables $x_i$ are unknown. Also, if someone tries to use the values $g^{x_i} \bmod P$ (where $0 \le i \le P$) instead of the values $x_i$, it becomes more difficult because g and $x_i$ are unknown.

A third question may be raised: is it possible to use the different values of the public knapsack to obtain the value of (g)? In other words, if we have $y_1$ and $y_2$ where $y_1 = g^{x_1} \bmod P$ and $y_2 = g^{x_2} \bmod P$, is it possible to use $y_1 \cdot y_2 = g^{(x_1 + x_2)}$ to obtain the value of g? This will not help because g, $x_1$ and $x_2$ are all unknown.

A suggestion may be given here: use an initial value x to construct the private knapsack by adding a value $a_1$ to get the first value and then adding another value to get the second value. Then the other values in the knapsack are obtained by following the procedure given in section (2). The initial value (x) is kept secret. This will make it more difficult to deduce the original knapsack values in any way.

For the second point, in the cryptosystems based on the discrete logarithm problem, the modulus P is usually published [1,2]. For instance, in the ElGamal public key crypto-system, the key set = {P, α, a, β: $\beta = \alpha^a \bmod P$} where {P, α, β} are made public and {a} is kept secret [16-18]. To encrypt a message {x}, a private key {k} is chosen; then the encryption is $e_K(x,k) = (y_1, y_2)$ where $y_1 = \alpha^k \bmod P$ and $y_2 = x \cdot \beta^k \bmod P$. To decrypt $y_1, y_2$: $d_K(y_1, y_2) = y_2 \cdot (y_1)^{-1} \bmod P$. In the ElGamal cryptosystem, since gcd(P,α)=1, α has a multiplicative inverse modulo P, and we can compute $\alpha^{-1} \bmod P$ easily using the Euclidean algorithm. Then we can solve for α obtaining $\log_\alpha \beta$ which is a cyclic group of order (P-1).

Actually, our algorithm is an application of the ElGamal cryptosystem in an intelligent way. Table (2) gives a comparison between the ElGamal cryptosystem and our system [see section (4.1)]. The comparison shows that our system is much safer because only the public knapsack values and the modular prime P will be available to the non-legal parties. Consequently, protecting the secret keys {$x_i$, g} against the non-legal parties is the responsibility of the legal parties.

Table (2): A Comparison between ElGamal and the proposed cryptosystems

ElGamal cryptosystem | Our system
It computes $\beta = \alpha^a \bmod P$ | It computes $y_i = g^{x_i}$, $0 \le i \le P-1$
{P,α,β} are published and {a} is kept secret | Only {P, $y_i$} are published and {g, $x_i$} are kept secret
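The cycle condition on g from section 6 can be checked before a key is used. The sketch below computes the cycle (the multiplicative order of g modulo P) and lists blocks that encrypt to the same value, using the section's own P=103 cases with g=43, 41 and 31. It is an added example, not code from the paper; the function names are assumptions and the trial-division factoring is only suitable for toy sizes.

```python
from math import prod

PRIVATE = [2, 3, 6, 12, 24, 48]   # secret knapsack from the paper's examples


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def cycle_length(g, p):
    """Multiplicative order of g modulo the prime p (the paper's 'cycle')."""
    if not 2 <= g <= p - 1:
        raise ValueError("g must satisfy 2 <= g <= P-1")
    order = p - 1
    for q in prime_factors(p - 1):
        # Strip the prime q from the order while g^(order/q) is still 1.
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def encrypt(ms, public, p):
    """Product of the public values selected by the 1-bits of ms (b_i ~ 2^i)."""
    return prod(y for i, y in enumerate(public) if (ms >> i) & 1) % p


def colliding_blocks(private, g, p):
    """Triples (ms1, ms2, em): two distinct blocks with the same encryption em."""
    public = [pow(g, x, p) for x in private]
    first_seen, pairs = {}, []
    for ms in range(1, 2 ** len(private)):
        em = encrypt(ms, public, p)
        if em in first_seen:
            pairs.append((first_seen[em], ms, em))
        else:
            first_seen[em] = ms
    return pairs


def check_generator(private, g, p):
    """Report the cycle of g and whether every block encrypts uniquely."""
    cycle = cycle_length(g, p)
    return {
        "cycle": cycle,
        "full_cycle": cycle == p - 1,
        # Sufficient condition: every exponent sum is below the cycle, so none wrap.
        "sums_below_cycle": sum(private) < cycle,
        "collisions": colliding_blocks(private, g, p),
    }


if __name__ == "__main__":
    for g in (43, 41, 31):
        report = check_generator(PRIVATE, g, 103)
        print(f"g={g}: cycle={report['cycle']}, full={report['full_cycle']}, "
              f"colliding pairs={len(report['collisions'])}")
```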

7. CONCLUSIONS

A new cryptosystem is introduced. The system depends on the discrete logarithm problem in creating public knapsack sets using private ones. The system uses a big prime number (P) and a value (g) to obtain the public knapsack values from the formula $y_i = g^{x_i} \bmod P$, where $x_i$ are the private knapsack values ($x_i$ should be in the range of bits, $0 \le i \le n-1$, where n is the length of the knapsack and n is in the order of numbers). The value (P) and the public knapsack values ($y_i$) are published. The value (P) should be big and prime (i.e., in the order of bit) while the value of (g) satisfies the condition that $2 \le g \le P-1$ and yields a cycle of the set ($g^i \bmod P$) equal to P-1. If the cycle is not P-1, then the values ($g^i \bmod P$) will repeat every cycle. This means that ($g^x \bmod P$) = ($g^{x+\mathrm{cycle}} \bmod P$). This yields the same encryption value, where $x_n$ is the last value, for more than one message.

An implementation example has been given and the security issues of the system have been discussed. Some conditions on choosing P, g and $x_i$ were discussed for securing and maintaining the system. Also, the system was compared to the ElGamal public key cryptosystem, which is based on the discrete logarithm problem. The comparison shows that the proposed system is much safer.

REFERENCES

[1] Schneier, B.: "Applied Cryptography: Protocols, Algorithms, and Source Code in C", 2nd Edition, John Wiley & Sons, Inc., New York,
[2] Stinson, D.R.: "Cryptography: Theory and Practice", CRC Press, London,
[3] Hellman, M.E.: "The Mathematics of Public Key Cryptography", Scientific American, v. 241, n. 8, Aug. 1979, pp
[4] Merkle, R.C. and Hellman, M.E.: "Hiding Information and Signatures in Trapdoor Knapsacks", IEEE Transactions on Information Theory, v. 24, n. 5, Sep. 1978, pp
[5] Herlestam, T.: "Critical Remarks on Some Public Key Cryptosystems", BIT, v. 18, 1978, pp
[6] Shamir, A.: "On the Cryptocomplexity of Knapsack Systems", Proceedings of the 11th ACM Symposium on the Theory of Computing, 1979, pp
[7] Ingemarsson, I.: "A New Algorithm for the Solution of the Knapsack Problem", Lecture Notes in Computer Science 149, Cryptography: Proceedings of the Workshop on Cryptography, Springer-Verlag, 1983, pp
[8] Shamir, A. and Zippel, R.: "On the Security of the Merkle-Hellman Cryptographic Scheme", IEEE Transactions on Information Theory, v. 26, n. 3, May 1980, pp
[9] Shamir, A.: "A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem", Advances in Cryptography: Proceedings of Crypto 82, Plenum Press, 1983, pp
[10] Shamir, A.: "A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem", Proceedings of the 23rd IEEE Symposium on the Foundations of Computer Science, 1982, pp
[11] Shamir, A.: "A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem", IEEE Transactions on Information Theory, v. IT-30, n. 5, Sep. 1984, pp
[12] Savage, J.E.: "Some Simple Self-Synchronizing Digital Data Scramblers", Bell System Technical Journal, v. 46, n. 2, Feb. 1967, pp
[13] LaMacchia, B.A. and Odlyzko, A.M.: "Computation of Discrete Logarithm in Prime Fields", Designs, Codes, and Cryptography, v. 1, 1991, pp
[14] Pohlig, S.C. and Hellman, M.E.: "An Improved Algorithm for Computing Logarithms in GF(P) and Its Cryptographic Significance", IEEE Transactions on Information Theory, v. 24, n. 1, Jan. 1978, pp
[15] Hellman, M.E.: "A Cryptanalytic Time Memory Trade Off", IEEE Transactions on Information Theory, v. 26, n. 4, Jul. 1980, pp
[16] ElGamal, T.: "On Computing Logarithms Over Finite Fields", Advances in Cryptography-Crypto '85 Proceedings, Springer-Verlag, 1986, pp
[17] ElGamal, T.: "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", Advances in Cryptography-Crypto '84 Proceedings, Springer-Verlag, 1985, pp
[18] ElGamal, T.: "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp
[19] Saryazdi, S.: "An Extension to ElGamal Public Key Cryptosystem with a New Signature Scheme", Proceedings of the 1990 Bilkent International Conference on New Trends in Communications, Control, and Signal Processing, North Holland: Elsevier Science Publishers, 1990, pp
[20] Beth, T.: "Efficient Zero-Knowledge Identification Scheme for Smart Cards", Advances in Cryptography-Eurocrypt '88 Proceedings, Springer-Verlag, 1988, pp
[21] Chang, C.C. and Hwang, S.J.: "Cryptographic Authentication of Passwords", Proceedings of the 25th Annual Conference on Security Technology, Taipei, Taiwan, 1-3 Oct. 1991, pp
[22] Jaburek, W.J.: "A Generalization of ElGamal Public Key Cryptosystem", Advances in Cryptography-Eurocrypt '89 Proceedings, 1990, Springer-Verlag, pp


Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Bin Zhang 1,2, Hongjun Wu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 119613 2 State Key Laboratory of Information

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

New Variant of ElGamal Signature Scheme

New Variant of ElGamal Signature Scheme Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,

More information

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS 1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!

More information

Public Key Cryptography

Public Key Cryptography T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt

More information

Other Public-Key Cryptosystems

Other Public-Key Cryptosystems Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

Masao KASAHARA. Graduate School of Osaka Gakuin University

Masao KASAHARA. Graduate School of Osaka Gakuin University Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Other Public-Key Cryptosystems

Other Public-Key Cryptosystems Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange

More information

On the Big Gap Between p and q in DSA

On the Big Gap Between p and q in DSA On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that

More information

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

Computers and Mathematics with Applications

Computers and Mathematics with Applications Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis

More information

Breaking Plain ElGamal and Plain RSA Encryption

Breaking Plain ElGamal and Plain RSA Encryption Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain

More information

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred

More information

A New Attack on RSA with Two or Three Decryption Exponents

A New Attack on RSA with Two or Three Decryption Exponents A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,

More information

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem Outline Public-key cryptography A collection of hard problems Mathematical Background Trapdoor Knapsack Integer factorization Problem Discrete logarithm problem revisited Case of Study: The Sun NFS Cryptosystem

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative

More information

New attacks on RSA with Moduli N = p r q

New attacks on RSA with Moduli N = p r q New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr

More information

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme P. Delsarte Philips Research Laboratory, Avenue Van Becelaere, 2 B-1170 Brussels, Belgium Y. Desmedt Katholieke Universiteit Leuven, Laboratorium

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

Finite fields and cryptology

Finite fields and cryptology Computer Science Journal of Moldova, vol.11, no.2(32), 2003 Ennio Cortellini Abstract The problem of a computationally feasible method of finding the discrete logarithm in a (large) finite field is discussed,

More information

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory

More information

CRYPTOGRAPHY AND NUMBER THEORY

CRYPTOGRAPHY AND NUMBER THEORY CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We

More information

RSA. Ramki Thurimella

RSA. Ramki Thurimella RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Public Key Authentication with One (Online) Single Addition

Public Key Authentication with One (Online) Single Addition Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.

More information

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Polynomial Interpolation in the Elliptic Curve Cryptosystem Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School

More information

Gurgen Khachatrian Martun Karapetyan

Gurgen Khachatrian Martun Karapetyan 34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian

More information

Fundamentals of Modern Cryptography

Fundamentals of Modern Cryptography Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last

More information

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,

More information

Blind Collective Signature Protocol

Blind Collective Signature Protocol Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard

More information

Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem

Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem 1 Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem Abstract Zhi Li, John Higgins, Mark Clement 3361 TMCB Brigham Young University Provo, UT 8462 {zli,higgins,clement}@cs.byu.edu

More information

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Enhancements of the Non-linear Knapsack Cryptosystem

Enhancements of the Non-linear Knapsack Cryptosystem Enhancements of the Non-linear Knapsack Cryptosystem A thesis submitted in partial fulfilment of the requirements for the Degree of Master of Science at the University of Canterbury by Zhiqi Tu University

More information

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

CIS 551 / TCOM 401 Computer and Network Security

CIS 551 / TCOM 401 Computer and Network Security CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It

More information

Discrete Mathematics GCD, LCM, RSA Algorithm

Discrete Mathematics GCD, LCM, RSA Algorithm Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common

More information

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications

More information

Threshold Cryptography

Threshold Cryptography Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure

More information

19. Coding for Secrecy

19. Coding for Secrecy 19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,

More information

Aitken and Neville Inverse Interpolation Methods over Finite Fields

Aitken and Neville Inverse Interpolation Methods over Finite Fields Appl. Num. Anal. Comp. Math. 2, No. 1, 100 107 (2005) / DOI 10.1002/anac.200410027 Aitken and Neville Inverse Interpolation Methods over Finite Fields E.C. Laskari 1,3, G.C. Meletiou 2,3, and M.N. Vrahatis

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood

More information

Discrete logarithm and related schemes

Discrete logarithm and related schemes Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

On the Key-collisions in the Signature Schemes

On the Key-collisions in the Signature Schemes On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University

More information

RSA ENCRYPTION USING THREE MERSENNE PRIMES

RSA ENCRYPTION USING THREE MERSENNE PRIMES Int. J. Chem. Sci.: 14(4), 2016, 2273-2278 ISSN 0972-768X www.sadgurupublications.com RSA ENCRYPTION USING THREE MERSENNE PRIMES Ch. J. L. PADMAJA a*, V. S. BHAGAVAN a and B. SRINIVAS b a Department of

More information

arxiv: v3 [cs.cr] 15 Jun 2017

arxiv: v3 [cs.cr] 15 Jun 2017 Use of Signed Permutations in Cryptography arxiv:1612.05605v3 [cs.cr] 15 Jun 2017 Iharantsoa Vero RAHARINIRINA ihvero@yahoo.fr Department of Mathematics and computer science, Faculty of Sciences, BP 906

More information

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Powers in Modular Arithmetic, and RSA Public Key Cryptography 1 Powers in Modular Arithmetic, and RSA Public Key Cryptography Lecture notes for Access 2006, by Nick Korevaar. It was a long time from Mary Queen of Scotts and substitution ciphers until the end of the

More information

Encryption: The RSA Public Key Cipher

Encryption: The RSA Public Key Cipher Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a

More information

9 Knapsack Cryptography

9 Knapsack Cryptography 9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

Short Exponent Diffie-Hellman Problems

Short Exponent Diffie-Hellman Problems Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

A new conic curve digital signature scheme with message recovery and without one-way hash functions

A new conic curve digital signature scheme with message recovery and without one-way hash functions Annals of the University of Craiova, Mathematics and Computer Science Series Volume 40(2), 2013, Pages 148 153 ISSN: 1223-6934 A new conic curve digital signature scheme with message recovery and without

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves

More information

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each

More information