Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Transcription

1 Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. SUNG-MING YEN National Central University Dept. of Computer Science and Information Eng. Lab. of Cryptography and Information Security Jhong-Li, TAIWAN 3001, R.O.C. CHI-DIAN WU National Central University Dept. of Computer Science and Information Eng. Lab. of Cryptography and Information Security Jhong-Li, TAIWAN 3001, R.O.C. CHIH-TA LIN Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. Abstract: This paper considers both the security issues and fundamental properties of a recently proposed for encrypting large messages. This may be useful for communicating large messages since it reduces both computation and bandwidth requirement. However, the result of this paper shows that security level of this modified is different from that of the original ElGamal cryptosystem. Furthermore, fundamental weakness exists in this modified system, say successful decryption can not be guaranteed. Finally, we propose an enhancement on the security of the. Key Words: Carmichael s lambda function, Discrete logarithm, ElGamal cryptosystem, Primitive root. 1 Introduction Conventionally, symmetric-key cryptosystems, e.g., DES [1] and AES [], are used for bulk encryption where large messages need to be encrypted and decrypted. There are two major problems for symmetric-key cryptosystems. The first problem is about session key (secret key) distribution, and the second problem is the inability to provide undeniability. On the other hand, asymmetric-key cryptosystems, e.g., RSA [3] and ElGamal [4], are able to encrypt and decrypt messages as symmetric-key cryptosystems, and can solve the above two disadvantages of symmetric-key cryptosystems. Unfortunately, the performance of asymmetric-key cryptosystems is much inferior to that of symmetric-key cryptosystems. Therefore, hybrid cryptosystems are widely employed in such a way that symmetrickey cryptosystems are used for bulk encryption, and asymmetric-key cryptosystems are applied in order to distribute secret keys prior to the bulk encryption. However, in this situation we need two categories of cryptosystems to be implemented and coexist. In order to encrypt large messages efficiently by using asymmetric-key cryptosystems, an was proposed in [5]. This modified asymmetric-key cryptosystem certainly works much more efficiently than the original ElGamal cryptosystem when encrypting large messages. It was claimed [5] that both the original ElGamal and the s share the same security assumption, i.e., both are based on the intractability of solving discrete logarithm problem. However, no rigorous security proof nor functionality analysis was provided in [5]. The contribution of this paper is that thorough security consideration of the ElGamal-like extension [5] is provided. The result shows that the security level of this (although it is more efficient for encrypting large messages) is not equivalent to the original ElGamal cryptosystem [4], say more or less

2 weaker. Disadvantage of possible unsuccessful decryption is also pointed out in this paper. Furthermore, enhancement on both security and performance of the ElGamal-like extension are given. The result obtained in this paper can especially be useful to resource limited small devices, e.g., smart card, to achieve efficient bulk encryption as well as easy session key distribution with only one kind of cryptosystem. Review of the ElGamal-Like Cryptosystem for Encrypting Large Messages The original ElGamal cryptosystem [4] is reviewed as follows. A prime P and a primitive root (or called generator) g for ZZ P are selected. Each user, e.g., user u i, randomly selects his own secret key x i R [1, P ] and computes the related public key y i = g x i mod P. When encrypting a message m < P, the sender computes both s = g r mod P (where r R [1, P ]) and c = m yi r mod P (where y i is the public key of the receiver, say u i ). The receiver u i can decrypt the cipher (s, c) by computing m = c (s x i ) 1 mod P. In a recent work [5], the above original ElGamal cryptosystem was extended to facilitate large messages encryption, say a message m P where m denotes the bit length of m. The modified works as follows. The sender computes s 1 = g r 1 mod P and s = g r mod P (where r 1, r R [1, P ]) and c j = m j ([y r 1 i mod P ] [(y r i ) j mod P ]) mod P (in most of the following discussions, [y r 1 i mod P ] will be abbreviated as y r 1 i ) where denotes bitwise XOR operation and j = 1,,, t. Similar to the original ElGamal cryptosystem, the receiver u i decrypts the cipher (s 1, s, c j (j = 1,,, t)) by computing m j = c j (s x i 1 (sx i )j ) 1 mod P. The above modified cryptosystem may be useful for encrypting and transmitting large messages over the network since it offers low data expansion ratio (defined as ciphertext / plaintext ) and lower computational overhead when compared with the original ElGamal cryptosystem. Notice that the data expansion ratio of the original ElGamal cryptosystem is two, while the data expansion ratio of the is almost one for large t and thus saves communication bandwidth. 3 The Difference From the Original ElGamal Cryptosystem 3.1 Some remarks on the design of Some remarks on the design of will be given in the following which were missing in [5]. The system aims to generalize the Diffie-Hellman key exchange protocol [6] to enable the sharing of multiple keys between two parties. We notice that related topic has been considered in the literature [7] (or refer to the introduction of [8]) which requires the shared keys to be authenticated. Note that however in the original ElGamal cryptosystem (which extends Diffie-Hellman key exchange to an encryption), no shared key authentication is assumed. In the above, both s 1 = g r 1 mod P and s = g r mod P are employed trying to distribute multiple sessions keys, say t keys, by defining each shared session key to be (y r 1 i ) j ) mod P for j = 1,,, t. 3. Security analysis of the ElGamallike cryptosystem Some necessary fundamental results of number theory to be used in the following discussions will be reviewed. Given an odd prime P and a primitive root g when modulo P, any element in ZZ P can be represented by g k mod P for some integer k [1, P 1] (or k [0, P ]) [9]. Given integers n and g, the size of the largest cyclic group generated by g k mod n (for all integers k) is λ(n) where λ(n) is called Carmichael s lambda function of n [9]. Carmichael s theorem states that g λ(n) 1 (mod n) if gcd(g, n) = 1, and the order of g is a factor of λ(n). A related but seldom noticed result is that the smallest positive integer T for g T +1 g (mod n) if gcd(g, n) 1 (evidently g 1) is a factor of λ(n). Note that in this case, g has no order since no positive R can be found such that g R 1 (mod n). Theorem 1 Given an odd prime P and a primitive root g when modulo P, g j mod P (or more precisely g j mod P 1 mod P ) cannot generate all the elements in ZZ P where j = 1,,, P 1. Proof By the property that g k mod P (for all integers k [1, P 1] or k [0, P ]) can generate all the elements in ZZ P, in order to enable g j mod P 1 mod P to generate all the ele-

3 ments in ZZ P, we need j mod (P 1) to generate all the integers in [0, P ]. If P = 3, then j mod (P 1) = 0 for all integers j. For P > 3, because P 1 is not a prime and cannot have a primitive root to generate all the integers in [0, P ]. Based on Carmichael s theorem, the total number of integers generated by evaluating j mod (P 1), say T, is a factor of λ(p 1) which is always less than P 1. Therefore, T is always less than P 1. This proves the theorem. For example, let P = 7, we observe that j mod 6 generates {, 4} for all integers j in [1, 6] since the smallest positive integer T such that T +1 (mod 6) is two. In this example, λ(6) = λ( 3) = lcm(φ(), φ(3)) = lcm(1, ) = where φ(a) is Euler s totient function of a. The integer T is a factor of λ(6). In order to enhance the security of the ElGamal-like extension reported in [5], we need to select the prime P such that the smallest positive integer T for T +1 (mod P 1) is as large as possible. Theorem Given an odd prime P and a primitive root g when modulo P, the largest possible number of integers generated by evaluating g j mod P (j = 1,,, P 1) is P 1 1 Proof Let P = Q + 1 where Q is also an odd prime. Based on Carmichael s theorem, the total number of integers, say T, generated by evaluating j mod ( Q) is a factor of λ( Q) = lcm(φ(), φ(q)) = Q 1 = P 1 1. Therefore, T is at most P 1 1. It can be derived easily that if P is not in the form of P = Q + 1 with Q being a prime, i.e., Q is a composite integer, then λ(p 1) < Q 1. One good approach to select P of the to provide high security level is to employ the following Algorithm 1 to generate the prime P such that the smallest positive integer T for T +1 (mod P 1) is equal to P 1 1. However, we wish to emphasize that even if such P can be selected, security level of the ElGamal-like extension is still different from that of the original ElGamal cryptosystem. We will conclude this in the following remark. One further remark is that in all the above analysis, we assume that the public key y i of user u i is also a primitive root when modulo P. Note that this requires the user secret key x i to be relatively prime to P 1, i.e., gcd(x i, P 1) = 1 based on the basic property of number theory [9]. Input: some appropriate bit length of q Output: P repeat randomly select a prime q Q q + 1 P Q + 1 if (either Q or P is not a prime) then repeat again if ( T +1 (mod P 1) for T {1,, q}) then repeat again else appropriate P is found until (appropriate P is found) return P Figure 1: Algorithm for generation of P. In the original ElGamal cryptosystem, if y i is a primitive root, then it leads to yi r mod P (r is all the integers in [1, P 1]) is a permutation of all the integers within [1, P 1] [9]. So, for a specific message m the ciphertext c = m yi r mod P can be any integer within [1, P 1]. However, this is not the case for the ElGamal-like extension [5] since (y r 1 i ) j ) mod P is not a permutation of all the integers within [1, P 1] even if gcd(r, P 1) = 1 in order to let y r i mod P to be a primitive root modulo P. This can be seen from the result of Theorem and the fact that (y r 1 i ) j ) mod P can generate the same number of integers as that generated by (y r i ) j mod P. One thing to notice in Algorithm 1 is that we select P = Q + 1 where Q is also a prime which maximizes the probability to find r such that gcd(r, P 1) = 1 in order to let y r i mod P to be a primitive root modulo P [9]. Notice that the above restriction on gcd(r, P 1) = 1 in order to generate as many integers as possible by evaluating (y r i ) j mod P is different from that of the original ElGamal cryptosystem in which any integer r R [1, P ] is applicable. 3.3 Undecryptable cipher in the One of the fundamental design criteria of encryption system is that all ciphertext should be decryptable by the legitimate receiver. However, we find two possible reasons for the ElGamal-like ex-

4 tension [5] to be undecryptable for some cases. The first case is that when (y r 1 i (y r i ) j ) = P the ciphertext c j = m j P mod P = 0. This makes the plaintext m j impossible to recover. The second case is that when y r 1 i (y r i ) j (mod P ) which leads to (y r 1 i ) j ) = 0. This will occur when r 1 r j (mod w) if r 1 and r are not well selected where w is the order of y i when modulo P. Some precaution is possible but this implies that r 1 and r are not truly randomly selected in [1, P ]. Although some mechanism is possible to fix the above mentioned two disadvantages of undecryptable cipher, e.g., to increment j automatically if necessary, however it may more or less lead to either an irregular encryption/decryption process or somewhat reducing the security level because of the constraint of selecting parameters. 4 Possible Enhancement of Security One possible approach of security enhancement of the ElGamal-like extension is provided in the following. The sender computes s 1 = g r 1 mod P and s = g r mod P (where r 1, r R [1, P ]) and c j = m j (y r 1 i ) j ) mod P where j = 1,,, t. The above modified version has exactly the same performance as the original ElGamal-like extension in [5] since (y r i ) j mod P = (y r i ) j 1 (y r i ) mod P where (y r i ) j 1 mod P has been computed when preparing c j 1. In this enhanced, suppose that y i is a primitive root (this is also implicitly assumed in the original ElGamal cryptosystem) and gcd(r, P 1) = 1 (this is also necessary in the original ElGamal-like extension as discussed in this paper), then (y r i ) j mod P for j = 1,,, P 1 can generate all the elements in ZZ P. This evidently improves the security level. However, we notice that even if (y r i ) j mod P (for j = 1,,, P 1) can generate all the elements in ZZ P, it is still possible that y r 1 i ) j y r 1 i ) k (mod P ) with j k. We call this property as a collision of y r 1 i ) j and y r 1 i ) k. This implies that for some cases y r 1 i ) j mod P (for j = 1,,, P 1) may not generate P 1 different integers and this basically depends on the value of y r 1 i mod P. Since the probability of the above collision is negligible, we will not consider it in the following discussions. Based on the result of Theorem, it can be proven that the collision probability of the original ElGamal-like extension is at least twice of that of the enhanced cryptosystem. 4.1 Advantage of the enhanced In the original ElGamal cryptosystem, to encrypt t messages the sender has to select t different random exponents r s and to compute yi r mod P. Note that all these t random exponents should be all different for security reason. A good pseudo random number generator (PRNG) would be necessary, but this does not assure that repetition of some r will never happen. Based on fundamental probability theory, if r is to be randomly selected within [1, K], then roughly every K outcomes of the PRNG will have one repetition with the probability of about 1. However, in the real case, occurrence of repetition of r may still happen for the number of application on the PRNG much less than K, especially if an inappropriate PRNG is adopted. This requires all the previously used random exponents r s be stored and be compared with each time a new one is selected by the PRNG. Of course, this would not be a practical solution. On the other hand, if the ElGamal-like and especially the enhanced s will be employed, the above disadvantage can be avoided. In the enhanced, under appropriate parameters selection as described in this paper, (y r i ) j mod P (for j = 1,,, P 1) can generate all the elements in ZZ P. No (yr i ) j mod P (for j = 1,,, P 1) will be repeated in a single communication round, say when both r 1 and r are repeated employed. This implies that a non-repeated random exponent R is selected each time and y R i mod P is computed subject to t < P 1 as in almost all real applications. 5 Concluding Remark and Possible Further Enhancement The considers primarily to improve the performance of the original El- Gamal cryptosystem when encrypting large messages, i.e., message P. During the design of, both arithmetic and Boolean operations are employed to generate each mask (i.e., (y r 1 i ) j ) mod P or (y r 1 i (y r i ) j ) mod P ) in order to protect each m j.

5 Someone might think that further improvement on performance is possible by computing c j = m j (y r 1 i ) j ) since one modular multiplication is replaced by a bitwise XOR operation which is much less time consuming. However, the above design is not very secure except that a special property of P will be applicable as shown in the following. Let B = yi r mod P be represented in binary form as (b n 1, b n,, b 1, b 0 ). The above modification is not very secure because that the probabilities P r(b i = 0) P r(b i = 1) (say P r(b i = 0) = 1 + δ i and P r(b i = 1) = 1 δ i for a very small bias δ i ) for all i since P is an odd integer. The situation is a little bit worse for larger i. This condition is the same for both the original ElGamal and the s. However, it can be easily proven that in the enhanced P r(b i = 0) = 1 + δ i and P r(b i = 1) = 1 δ i and also δi < δ i. However, it is interesting to notice that the above design has three potential merits especially if P is very close to n 1. In this case, the above probability bias problem for all bit positions b i is minimized and security can be extensively improved. Firstly, in this design the range of m does not have to be less than P. Secondly, the design can solve the undecryptable cipher problem for both the original and the enhanced ElGamal-like cryptosystems, i.e., the cipher can be decrypted even if (y r 1 i ) j ) = 0. Thirdly, the collision problem can be overcome if the above design is employed. [5] M.S. Hwang, C.C. Chang, and K.F. Hwang, An for enciphering large messages, IEEE Trans. Knowledge and Data Engineering, vol. 14, no., pp , 00. [6] W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Trans. on Inform. Theory, vol., no. 6, pp , [7] L. Harn and H.Y. Lin, An authenticated key agreement protocol without using oneway functions, Proc. of 8th National Conf. on Information Security, Kaoshiung Taiwan, pp , [8] S.M. Yen and M. Joye, An improved authenticated multiple-key agreement protocol, IEE Electronics Letters, vol. 34, no. 18, pp , [9] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of applied cryptography. CRC Press, Acknowledgements: This work was supported in part by Institute for Information Industry, R.O.C. References: [1] National Bureau of Standard, Data encryption standard, Federal Information Processing Standards, NBS, [] NIST, FIPS-197: Advanced Encryption Standard, Federal Information Processing Standard, FIPS 197, 001. [3] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. of the ACM, vol. 1, no., pp , [4] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory, vol. 31, no. 4, pp , 1985.