AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM


VORA, VRUSHANK
APPRENTICE PROGRAM

Abstract. This paper will analyze the strengths and weaknesses of the underlying computational problems of the ElGamal cryptosystem. By investigating the infeasibility involved in solving such mathematical problems and the possible algorithm that could break the cryptosystem, the paper will comment upon the security of the system and its correct application. While we will briefly focus on systematic cryptosystems, the main focus of this paper will be on the ElGamal cryptosystem and the discrete logarithm problem.

Contents
1. Introduction
2. Systematic Cryptosystems and the Rise of Public-Key Cryptosystems
3. Introduction to Public-Key Encryption
4. ElGamal Cryptosystem and the Discrete Logarithm Problem
5. Baby Step - Giant Step Algorithm
6. Security Measures Against the Baby Step-Giant Step Algorithm
7. Conclusion and Applications
Acknowledgments
References

1. Introduction

Let us first consider two parties, Harry and Ron, who wish to exchange covert information with each other. They could communicate through different channels such as letters, text messaging, email, etc.; however, regardless of the medium, they face a third party, Voldemort, who wishes to obtain the secret information exchanged between Harry and Ron. Since all communication channels are insecure, Harry and Ron must use other means to communicate safely. The objective of cryptography is to provide this secure mode of exchange. Using cryptography, Harry can convert the original message (plaintext) into seemingly indecipherable language (ciphertext) and send this ciphertext to Ron. This allows the exchanges between Harry and Ron to be more secure across all channels, depending on the strength of the underlying encryption. In the following pages, we will discuss the security of different encryption methods and their overall efficiency.

Date: DEADLINE August 26, 2011.

2. Systematic Cryptosystems and the Rise of Public-Key Cryptosystems

Definition 2.1. Let $n$ be an integer. Then two integers $a$ and $b$ are said to be congruent modulo $n$ if and only if $n$ divides $a - b$. Denote the congruence by $a \equiv b \pmod{n}$.

Notation: $\mathbb{Z}/26\mathbb{Z}$ = the ring of integers modulo 26.

Definition 2.2. (Shift Ciphers) Consider plaintext $x$ and choose a number $n$ from $\mathbb{Z}/26\mathbb{Z}$ which will serve as the encryption key. Encryption will be $x \mapsto x + n \pmod{26}$.

Example 2.3. Let the plaintext be "vrush", so $x = 21\ 17\ 20\ 18\ 7$, and choose $n = 5$. Then $x \mapsto 0\ 22\ 25\ 23\ 12$ = A W Z X M. Here $n = 5$ was the encryption key and A W Z X M was the encryption of the plaintext "vrush".

Next, we will consider more complex systematic ciphers.

Definition 2.4. (Affine Ciphers) Consider plaintext $x$ and choose $a$ and $n$ from $\mathbb{Z}/26\mathbb{Z}$ which will serve as the encryption key. Encryption will be $x \mapsto ax + n \pmod{26}$.

Example 2.5. Let the plaintext be "vrush", so $x = 21\ 17\ 20\ 18\ 7$, and choose $a = 5$ and $n = 1$. Then $x \mapsto 2\ 8\ 23\ 13\ 10$ = C I U N H. Here $5x + 1 \pmod{26}$ was the encryption key, while C I U N H serves as the encryption.

Proposition 2.6. Two letters of plaintext will usually suffice to break any affine cipher.

Proof. Without loss of generality, let us assume that Voldemort knows that "he" $\mapsto$ NO, i.e., $7\ 4 \mapsto 13\ 14$. From this, Voldemort attains
$$13 = 7a + n,\qquad 14 = 4a + n \;\Rightarrow\; -1 \equiv 3a \;\Rightarrow\; a \equiv -9 \equiv 17 \pmod{26},\qquad n = 24.$$
Thus the encryption key is fully known to the third-party intruder and the cipher is subsequently broken.

The previous example illustrates the relative ease of solving the underlying computational problems involved in shift and affine ciphers. While one can employ more complicated variations, such as applying matrices to encryption keys and representing the message as a vector, such encryptions are nevertheless susceptible to brute-force attacks, the methodical checking of all possible keys by the intruder.
In addition to systematic cryptosystems being relatively insecure, any two individuals wishing to communicate securely must directly contact each other to agree upon the encryption key. These systems are thus not only insecure but also impractical for many applications: if large organizations such as banks, social networking sites, online retail stores, etc. would like to communicate with all of their clients, then using systematic cryptosystems would require them to contact each client individually. For these reasons, systematic cryptosystems are relatively laborious and obsolete. We will hence discuss more modern systems: public-key encryption.
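As an added example (not from the paper), the shift and affine ciphers of Definitions 2.2 and 2.4 in Python, together with the two-letter key recovery of Proposition 2.6. The function names are mine; the letter numbering A = 0, ..., Z = 25 is the one the paper's examples use.

```python
from math import gcd

def text_to_ints(s):
    """Map letters to Z/26Z with A = 0, ..., Z = 25 (non-letters are dropped)."""
    return [ord(ch) - ord("A") for ch in s.upper() if "A" <= ch <= "Z"]

def ints_to_text(values):
    return "".join(chr(ord("A") + v % 26) for v in values)

def shift_encrypt(plaintext, n):
    """Definition 2.2: x -> x + n (mod 26)."""
    return ints_to_text(x + n for x in text_to_ints(plaintext))

def affine_encrypt(plaintext, a, n):
    """Definition 2.4: x -> a*x + n (mod 26). a must be invertible mod 26,
    otherwise distinct plaintext letters collide and decryption is impossible."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26")
    return ints_to_text(a * x + n for x in text_to_ints(plaintext))

def affine_decrypt(ciphertext, a, n):
    """Invert Definition 2.4: c -> a^(-1) * (c - n) (mod 26)."""
    a_inv = pow(a, -1, 26)
    return ints_to_text(a_inv * (c - n) for c in text_to_ints(ciphertext))

def recover_affine_key(known_plain, known_cipher):
    """Proposition 2.6: two known plaintext letters and their ciphertext fix (a, n).
    Subtracting c_i = a*x_i + n for i = 1, 2 gives a*(x1 - x2) = c1 - c2 (mod 26),
    which is solvable exactly when x1 - x2 is invertible mod 26 (hence 'usually')."""
    (x1, x2), (c1, c2) = text_to_ints(known_plain)[:2], text_to_ints(known_cipher)[:2]
    a = (c1 - c2) * pow(x1 - x2, -1, 26) % 26   # ValueError if gcd(x1 - x2, 26) != 1
    n = (c1 - a * x1) % 26
    return a, n

if __name__ == "__main__":
    print(shift_encrypt("vrush", 5))           # AWZXM, as in Example 2.3
    print(recover_affine_key("he", "NO"))      # (17, 24), as in the proof of Prop. 2.6
```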

3. Introduction to Public-Key Encryption

Public-key cryptosystems allow large organizations to communicate safely with many individuals by using asymmetric encryption. Asymmetric encryption encompasses two corresponding keys: public and private. The two keys work together, as ciphertext encrypted with the public key can only be decrypted with the corresponding private key. Thus, multiple individuals holding the same public key can send messages to an organization that holds the private key while preserving the security of the system. This paper will discuss one of the most prominent modern public-key cryptosystems: the ElGamal cryptosystem.

4. ElGamal Cryptosystem and the Discrete Logarithm Problem

The ElGamal cryptosystem is a public-key cryptosystem derived from the infeasibility of solving the discrete logarithm problem in very large finite fields. This section will explore the cryptosystem's key generation algorithm and its encryption and decryption methods.

Definition 4.1. The order of the finite field $\mathbb{F}_p$ is the number of elements in the field. It is denoted by the subscript $p$.

Definition 4.2. The multiplicative order of an element $x$ in $\mathbb{F}_p$ is the number of different elements which can be obtained by raising $x$ to all powers mod $p$. It is denoted by $\operatorname{ord}(x)$.

Definition 4.3. A multiplicative generator of $\mathbb{F}_p$ is an element $y$ in the finite field such that $\operatorname{ord}(y) = p - 1$.

The ElGamal encryption system uses finite fields to create ciphertexts. By choosing $p$ such that it is prime, we will always be able to construct a finite field with $p^n$ elements. The choice of prime-order fields thus facilitates encryption more efficiently than the choice of finite fields with a non-prime number of elements.

Definition 4.4. (Discrete Logarithms) Let $\mathbb{F}_p$ be the finite field with $p$ elements and let $y$ be a generator of $\mathbb{F}_p$.
Then every $x \in \mathbb{F}_p$ can be written as $x = y^a$, and we define $a = L_y(x)$. $L_y(x)$ is the discrete logarithm of $x$ to the base $y$. It is only defined modulo $p - 1$ because $y^{p-1} = 1$.

Example 4.5. Let us consider $\mathbb{F}_{17}$, where $y = 3$ is a generator of $\mathbb{F}_{17}$. We will find $L_3(15) = ?$ by computing the powers of 3 until we attain 15:
$$3^1 = 3;\ 3^2 = 9;\ 3^3 = 10;\ 3^4 = 13;\ 3^5 = 5;\ 3^6 = 15;$$
hence $L_3(15) = 6$.

The application of discrete logarithms in cryptosystems derives from the computational difficulty of finding $a = L_y(x)$. Since we are applying modular arithmetic over the finite field, it is more difficult to compute the discrete logarithm than it would be in the real number system. In the real numbers, it would be simple to use the log function to get an approximation for $a$. Working in a prime-order

field, however, forces us to find an exact integer solution. If $p$ is small, though, the answer can be found relatively quickly by trying all possibilities, i.e., a brute-force attack. For this reason we must use high-order fields, since there is no fast way of computing the discrete logarithm over a large field.

Key Generation Algorithm: Let us first consider Harry, who wants to communicate with Ron and Hermione covertly. If he wants to use the ElGamal system, he should do the following:
1.) Create a finite field $\mathbb{F}_p$ and a generator $y$ of $\mathbb{F}_p$.
2.) Choose an integer $a$ (the discrete logarithm) and compute $x = y^a$.
3.) The triple $(\mathbb{F}_p, y, x)$ becomes public, but the discrete logarithm $L_y(x) = a$ is known only to Harry.

Encryption: If Ron wants to encrypt a message to Harry, then Ron should do the following:
1.) Represent the message as an integer $m$ such that $m \in \{0, 1, \ldots, p-1\}$.
2.) Choose a random integer $k$ such that $1 \le k \le p - 2$.
3.) Compute $r = y^k$ and $t = m x^k$ such that $r, t \in \{0, 1, \ldots, p-1\}$. The ciphertext $c = (r, t)$ should be sent to Harry.

Decryption: In order to recover the message $m$ from the ciphertext $c$, Harry should do the following:
1.) Use the private key $a$ to compute $r^{p-1-a} \pmod{p}$.
2.) Recover $m$ by computing $t r^{-a}$.

Proposition 4.6. ElGamal decryption returns the original plaintext message when given a correctly calculated ciphertext.

Proof. Let $c = (r, t)$ with $r = y^k$ and $t = m x^k$, where $x = y^a$. Computing $t r^{-a}$ gives
$$t r^{-a} = m x^k (y^k)^{-a} = m (y^a)^k (y^k)^{-a} = m.$$
Thus, we are guaranteed to attain the plaintext if the ciphertext is correctly computed in the ElGamal encryption.

Example 4.7. Let the public ElGamal cryptosystem be $(\mathbb{F}_p, y, x) = (\mathbb{F}_{23}, 7, 4)$ and assume the encrypted pair is $(r, t) = (21, 11)$. Then, using what we know about discrete logarithms, we can calculate the value of the discrete logarithm and the message $m$:
$$a = L_7(4) = 6,\qquad m = 21^{-6} \cdot 11 = 7.$$
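As an added example (not from the paper), the key generation, encryption and decryption steps above in Python, in the paper's notation $(p, y, x, a, k)$ and checked against Example 4.7's public triple $(\mathbb{F}_{23}, 7, 4)$. The generator check, the optional fixed $k$ for reproducing the example, and drawing $k$ from `secrets` otherwise are my assumptions on top of what the paper states.

```python
import secrets

def multiplicative_order(y, p):
    """Definition 4.2: number of distinct powers of y in F_p (p prime, y != 0 mod p)."""
    count, power = 1, y % p
    while power != 1:
        power = power * y % p
        count += 1
    return count

def is_generator(y, p):
    """Definition 4.3: y is a multiplicative generator of F_p exactly when ord(y) = p - 1."""
    return y % p != 0 and multiplicative_order(y, p) == p - 1

def keygen(p, y, a):
    """Key generation: the triple (p, y, x) with x = y^a becomes public; a stays private."""
    if not is_generator(y, p):
        raise ValueError("y must be a generator of F_p")
    return (p, y, pow(y, a, p)), a

def encrypt(public, m, k=None):
    """Encryption: (r, t) = (y^k, m * x^k) for a fresh random k with 1 <= k <= p - 2.
    k may be passed explicitly only to reproduce a worked example; never reuse it."""
    p, y, x = public
    if not 0 <= m <= p - 1:
        raise ValueError("message must be an integer in 0..p-1")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)      # uniform in 1..p-2
    return pow(y, k, p), m * pow(x, k, p) % p

def decrypt(public, a, c):
    """Decryption: step 1 computes r^(p-1-a) = r^(-a) (Fermat: r^(p-1) = 1 in F_p);
    step 2 recovers m = t * r^(-a), as in the proof of Proposition 4.6."""
    p, _, _ = public
    r, t = c
    r_to_minus_a = pow(r, p - 1 - a, p)
    return t * r_to_minus_a % p

if __name__ == "__main__":
    public, a = keygen(23, 7, 6)              # Example 4.7: (F_23, 7, 4), private a = 6
    print(public)                             # (23, 7, 4)
    print(encrypt(public, 7, k=3))            # (21, 11): the pair used in Example 4.7
    print(decrypt(public, a, (21, 11)))       # 7
```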
5. Baby Step - Giant Step Algorithm

We will next explore a possible attack against this system. An attacker can learn information about the plaintext without decrypting the ciphertext: given two encryptions, the attacker can figure out which plaintext was a quadratic residue and which one was not. This is the fundamental premise of the Baby Step-Giant Step attack, which encompasses a series of well-defined steps to compute the discrete logarithm of the underlying ElGamal system.

Definition 5.1. (Baby Step - Giant Step Algorithm) Assume there exists a discrete logarithm $x = y^a$ in $\mathbb{F}_p$ that we want to solve. Let $N = \lfloor \sqrt{p-1} \rfloor + 1$.

The final step of the algorithm consists of making two lists and looking for a match:

Baby Step: $y^0, y^1, y^2, \ldots, y^{N-1}$

Giant Step: $x,\ x y^{-N},\ x y^{-2N},\ \ldots,\ x y^{-(N-1)N}$

Proposition 5.2. If there is a match between the Baby Step and Giant Step lists, then the ElGamal system is broken.

Proof. Assume there is a match between the two lists, $y^j = x y^{-kN}$. Then $y^{j+kN} = x$, and since $y^a = x$, we have $y^a = y^{j+kN} = x$. Since $j$, $k$ and $N$ are public, the discrete logarithm problem is solved and the underlying ElGamal cryptosystem is broken.

Theorem 5.3. Using the Baby Step-Giant Step algorithm, there will always be a match between the two lists.

Proof. Recall that $N = \lfloor \sqrt{p-1} \rfloor + 1$. By this definition, $0 \le a < p - 1 \le N^2$, and therefore $a$ can be written as $a = a_0 + a_1 N$ where $0 \le a_0, a_1 \le N - 1$. This leads to
$$x = y^a = y^{a_0} (y^{a_1})^N,$$
hence
$$y^{a_0} = x\,(y^{-N})^{a_1}.$$
This shows that we have a match between the Baby Step and the Giant Step lists.

Remark 5.4. The Baby Step-Giant Step algorithm needs roughly $2\sqrt{p}$ operations in order to calculate the discrete logarithm.

6. Security Measures Against the Baby Step-Giant Step Algorithm

The previous theorem and remark illustrate that the underlying discrete logarithm of an ElGamal cryptosystem can be computed using the Baby Step-Giant Step algorithm. While it is possible to solve the underlying discrete logarithm, it nevertheless requires roughly $2\sqrt{p}$ calculations for any given finite field of prime order. Thus, in order to make the cryptosystem probabilistically secure, one must choose a large enough field and a high-order generator. It becomes impractical to break the ElGamal system with the Baby Step-Giant Step algorithm for a prime-order field larger than $10^{20}$. This section will analyze other possible and practical ways to make the ElGamal cryptosystem more secure against the Baby Step-Giant Step attack.
We will first introduce the computational Diffie-Hellman problem and show how its computational difficulty affects the underlying discrete logarithm.

Definition 6.1. (Diffie-Hellman Problem) Let $\mathbb{F}_p$ be the finite field with $p$ elements and let $y$ be a generator of $\mathbb{F}_p$. Then, for given values $y^b, y^c \in \mathbb{F}_p$, finding $y^{bc}$ is the computational Diffie-Hellman problem.

While the ElGamal system relies on the discrete logarithm problem, the security of the cryptosystem is deeply entrenched in the difficulty of solving the underlying Diffie-Hellman problem. The following theorem proves that if the underlying Diffie-Hellman problem is weak, then its discrete logarithm is easily breakable.

Theorem 6.2. The ElGamal cryptosystem is breakable if and only if the underlying computational Diffie-Hellman problem is breakable.

Proof. Let us first assume that we have an algorithm that breaks the underlying Diffie-Hellman problem: from the values $y^b$ and $y^c$ it gives us $y^{bc}$. Take as input $y^b = x$ and $y^c = r$, where $x$ and $r$ are the quantities of the ElGamal system. As $y^a = x$ and $y^k = r$, the algorithm computes $y^{bc} = y^{ak}$. Since $m = t r^{-a} = t y^{-ak}$, we find $m$ and the system is broken.

Next, let us assume that we have an algorithm that breaks the ElGamal system: from a given pair $(r, t)$ associated with the triple $(\mathbb{F}_p, y, x)$ it gives us $m = t r^{-a}$. We thus take as input $x = y^b$, so $a = b$, and $r = y^c$ with $t = 1$. The algorithm produces $m = t r^{-a} = y^{-bc}$, whose inverse is $y^{bc}$. This provides us with the value of the underlying Diffie-Hellman problem.

The theorem thus implies that the Diffie-Hellman problem must be secure in order for the ElGamal encryption based upon the discrete logarithm problem to be secure. For the protection of the ElGamal system, the organization using the cryptosystem must check the security of the Diffie-Hellman problem, as it serves as a necessary means to secure the ElGamal cryptosystem against the Baby Step-Giant Step algorithm.
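As an added example (not from the paper), Definition 5.1 implemented as stated ($N = \lfloor\sqrt{p-1}\rfloor + 1$, Baby Step list $y^j$, Giant Step list $x y^{-kN}$), then used to realize both directions of the proof of Theorem 6.2 on Example 4.7's public triple $(\mathbb{F}_{23}, 7, 4)$. The function names and the decryption oracle (plain decryption with the private key, standing in for "an algorithm that breaks the ElGamal system") are my constructions.

```python
from math import isqrt

def baby_step_giant_step(y, x, p):
    """Definition 5.1: return a with y^a = x in F_p (p prime, y a generator of F_p)."""
    N = isqrt(p - 1) + 1                       # N = floor(sqrt(p - 1)) + 1
    baby = {}                                  # Baby Step list: y^j -> j, j = 0..N-1
    power = 1
    for j in range(N):
        baby.setdefault(power, j)
        power = power * y % p
    y_neg_N = pow(y, -N, p)                    # y^(-N) in F_p
    giant = x % p                              # Giant Step list: x * y^(-kN), k = 0..N-1
    for k in range(N):
        if giant in baby:                      # y^j = x * y^(-kN)  =>  y^(j + kN) = x
            return (baby[giant] + k * N) % (p - 1)
        giant = giant * y_neg_N % p
    raise ValueError("no match: x = 0 or y does not generate F_p")

def cdh_via_dlog(y, p, yb, yc):
    """A CDH solver built from the DLP solver: b = L_y(y^b), then (y^c)^b = y^(bc)."""
    return pow(yc, baby_step_giant_step(y, yb, p), p)

def decrypt_via_cdh(public, c, cdh):
    """Theorem 6.2 (=>): feed the CDH oracle (x, r) = (y^a, y^k); it returns
    y^(ak) = r^a, so m = t * y^(-ak) is recovered without ever learning a."""
    p, y, x = public
    r, t = c
    return t * pow(cdh(y, p, x, r), -1, p) % p

def cdh_via_decrypt_oracle(y, p, yb, yc, decrypt_oracle):
    """Theorem 6.2 (<=): under the public key x = y^b, the pair (r, t) = (y^c, 1)
    decrypts to t * r^(-a) = y^(-bc); inverting it gives y^(bc)."""
    m = decrypt_oracle((p, y, yb), (yc, 1))
    return pow(m, -1, p)

def make_decrypt_oracle(a):
    """Stands in for the 'algorithm that breaks ElGamal' of the proof; here it is
    just honest decryption with the private key a (section 4, steps 1 and 2)."""
    def oracle(public, c):
        p, _, _ = public
        r, t = c
        return t * pow(r, p - 1 - a, p) % p
    return oracle

if __name__ == "__main__":
    p, y, a = 23, 7, 6                         # Example 4.7: public triple (F_23, 7, 4)
    x = pow(y, a, p)
    print(baby_step_giant_step(y, x, p))                              # 6
    print(decrypt_via_cdh((p, y, x), (21, 11), cdh_via_dlog))         # 7
    print(cdh_via_decrypt_oracle(y, p, x, 21, make_decrypt_oracle(a)))  # 18 = 7^18 mod 23
```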
7. Conclusion and Applications

Since ElGamal encryption is prone to attacks such as Baby Step-Giant Step, users of this cryptosystem must take proper precautions to strengthen the underlying discrete logarithm problem such that it becomes probabilistically infeasible to break the system. The users should use a large (possibly greater than $10^{20}$ elements) prime-order finite field with a high-order generator and check the computational difficulty of the respective Diffie-Hellman problem. The ElGamal cryptosystem likewise allows individuals using the encryption to remain anonymous in one way or another. Thus, this system can be very useful in conducting online voting ballots or any other transactions in which the recipients wish to hide their identities.

Acknowledgments. It is a pleasure to thank my mentor, Preston Wake, for all his guidance and knowledge on the subject of the paper. I would also like to thank Peter May and the REU professors for providing this opportunity and sharing their mathematical knowledge with me.
