Scribd Logo
Upload

Welcome to Scribd!

  • Chapter 11

    Uploaded by

    Mayank Raj
    8 views5 pages
    The ElGamal encryption scheme works as follows: 1. It is an extension of the Diffie-Hellman key exchange that allows encryption of messages. 2. It uses the discrete logarithm problem to encrypt a message x by choosing a random exponent k and computing Y1 = k and Y2 = x * k (mod p). 3. To decrypt, the recipient uses their private key a to compute Y1a (mod p) and then Y2 divided by this to recover the original message x.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The ElGamal encryption scheme works as follows: 1. It is an extension of the Diffie-Hellman key exchange that allows encryption of messages. 2. It uses the discrete logarithm problem to encrypt a message x by choosing a random exponent k and computing Y1 = k and Y2 = x * k (mod p). 3. To decrypt, the recipient uses their private key a to compute Y1a (mod p) and then Y2 divided by this to recover the original message x.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    8 views5 pages

    Chapter 11

    Uploaded by

    Mayank Raj
    The ElGamal encryption scheme works as follows: 1. It is an extension of the Diffie-Hellman key exchange that allows encryption of messages. 2. It uses the discrete logarithm problem to encrypt a message x by choosing a random exponent k and computing Y1 = k and Y2 = x * k (mod p). 3. To decrypt, the recipient uses their private key a to compute Y1a (mod p) and then Y2 divided by this to recover the original message x.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 5

    Chapter 11 ElGamal Encryption Scheme

    11.1 Cryptosystem
    Remarks:
    Published in 1985.
     Based on the DL problem in Zp or GF2k .

    Extension of the D-H key exchange for encryption.

    Protocol:
    Alice choose private key kprA = aA compute kpubA = aA mod p = bA Bob choose private key kprB = aB compute kpubB = aB mod p = bB

    kAB = baA = aA aB mod p B y = x  kAB mod p

    bA ,! bB , y ,!

    kAB = baB = aB aA mod p A


    ,1 x = y  kAB mod p

    105

    ElGamal: Set-up:
    1. Choose large prime p.
     2. Choose primitive element 2 Zp .

    3. Choose secret key a 2 f2; 3; : : : ; p , 2g. 4. Compute =


    a

    mod p.

    5. Public Key: Kpub = p; ; . 6. Private Key: Kpr = a.

    Encryption:
    1. Choose k 2 f2; 3; : : : ; p , 2g. 2. Y1 =
    k

    mod p.
    k

    3. Y2 = x 

    mod p.

    4. Encryption: = ekpub x; k = Y1; Y2.

    Decryption:
    x = dkpr Y1 ; Y2  = Y2 Y1a ,1 mod p:

    106

    Question: How does the ElGamal scheme work?


    dkpr Y1 ; Y2  = Y2 Y1a ,1 = x  k  k a ,1 ! but = a = x a k  k a,1 = x  ak  ,ak =x

    107

    Remarks:
    ElGamal is essentially an extension of the D-H key exchange protocol.
    Y2 = x1  Y3 = x2  k
    k

    Thus for every message block xi choose a new k! Message expansion factor .  of y bits = 2dlog 2py e = 2  of x bits dlog 2pxe

    9 = ; if x1 is known,

    can be found from Y2.

    11.2 Computational Aspects


    11.2.1 Encryption

    Y1 = k mod p = apply the square-and-multiply for exponentiation Y2 = x  k mod p ;


    11.2.2 Decryption

    x = dkpr Y1 ; Y2  = Y2 Y1a ,1 mod p.

    Question: How can Y1a ,1 be computed e ciently? Derivation: b 2 Zp:


    be = bqp,1+r = bp,1 q  br

    = 1q  br mod p = br mod p

     e = r mod p , 1
    108

     Thus, be be mod p,1 mod p, where b 2 Zp and e 2 Z

    The above derivation can be used for decryption: Y1a,1 = Y1,a = Y1,a mod p,1 mod p = Y1p,1,a mod p

    Note: Y1p,1,a mod p can be computed using the square-and-multiply algorithm.

    11.3 Security of ElGamal


    Oscar knows: p; ; = a; Y1 = k ; Y2 = x  k . Oscar wants to know: x He attempts to nd the secret key a: 1. a = log mod p  hard, DL problem. 2. x = Y2Y1a ,1 mod p  easy. He attempts to nd the random exponent k: 1. k = log Y1 mod p  hard, DL problem. 2. Y2  ,k = x  easy.
     In both cases Oscar has to compute the DL problem in nite elds Zp or GF2k . He can use index-calculus method which forces us to implement schemes with at least 1024 bits.

    109

    You might also like