El Gamal and Digital Sign...
Step 2 – Key Generation – Alice selects a private key XA < q and calculates
a public key YA as in Diffie-Hellman
YA= XA
Independently, Bob also generates his public key YB and private key.
a) Compute:
$K = (Y_B)^k \bmod q$
C1=k mod q
C2=KM mod q
(a) Compute
$K = (C_1)^{X_B} \bmod q$
Which is
Oct. 15, 03 1
S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security
(b) Compute
$M = (C_2 K^{-1}) \bmod q$
Therefore:
$(C_2 K^{-1}) \bmod q = (K M K^{-1}) \bmod q$
$= M K K^{-1} \bmod q$
$= M \bmod q$
Note 2 – The plaintext M is usually a digest of a message. It is seen that DSS does
not encrypt the digest. The input to the algorithm is the digest of the data to sign,
M, the key, YB and a random number, k. The output is a pair of numbers, C1 and
C2, as shown in Fig. 1. There will be many ciphertexts that are encryptions of the
same digest, since the output depends on both the digest M and on the random
value k chosen by Alice.
[Figure 1: block diagram. Inputs "Data to sign, M", "Key, YB" and "Random k" enter the DSS Algorithm block; the outputs are C1 and C2.]
Fig. 1 DSS takes in three inputs and gives two numbers as a result
Note 3 – To defeat this scheme and infer the values of XB and k given C1, C2 and
M, the intruder, Oscar, could find a means of computing a discrete logarithm to
solve
YB =
XB
and C1=k
(b) If Alice now chooses a different value of k, so that the encoding of M=30
is C=(59, C2), what is the integer C2?
Solution
$K = Y_B^k \bmod q = 3^3 \bmod 71 = 27$
Note 4 – Informally, this is how the El Gamal algorithm works: The plaintext M is
“masked” by multiplying it by $Y_B^k$, yielding C2. The value C1=k is also transmitted
as part of the ciphertext. Bob, who knows the private key, XB, can compute $Y_B^k$
from C1. Then he can “remove the mask” by dividing C2 by $Y_B^k$ to obtain M.
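The masking and unmasking described in Note 4, run on the worked problem's numbers (q = 71, YB = 3, M = 30), as an added example that is not part of the original notes. The primitive element 7 and the private key 26 are assumptions: the surviving text does not state them, and they were chosen so that the results agree with the page's YB = 3, C1 = 59 and K = 27.

```python
# Toy ElGamal over Z_71 using the worked problem's numbers (q = 71, Y_B = 3, M = 30).
Q = 71       # prime modulus, from the page
ALPHA = 7    # ASSUMPTION: primitive element; 7^3 mod 71 = 59 matches the page's C1
X_B = 26     # ASSUMPTION: Bob's private key, constructed so ALPHA^X_B mod Q = 3
Y_B = pow(ALPHA, X_B, Q)  # Bob's public key (3, as on the page)


def mask(k, y_b=Y_B):
    """One-time mask K = Y_B^k mod q for the random value k."""
    if not 1 <= k <= Q - 2:
        raise ValueError("k must be in 1..q-2")
    return pow(y_b, k, Q)


def encrypt(m, k, y_b=Y_B):
    """Return (C1, C2) = (alpha^k mod q, K*M mod q)."""
    if not 1 <= m <= Q - 1:
        raise ValueError("M must be in 1..q-1")
    return pow(ALPHA, k, Q), (mask(k, y_b) * m) % Q


def decrypt(c1, c2, x_b=X_B):
    """Recover M = C2 * K^-1 mod q, where K = C1^X_B mod q."""
    k_mask = pow(c1, x_b, Q)
    return (c2 * pow(k_mask, -1, Q)) % Q


if __name__ == "__main__":
    # Two different random values k give two different ciphertexts of M = 30,
    # and both decrypt to the same plaintext (the point made in Note 2).
    for k in (2, 3):
        c1, c2 = encrypt(30, k)
        print(k, mask(k), (c1, c2), decrypt(c1, c2))
```

A modulus of this size offers no security; the numbers are small only so that each step can be checked by hand.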
El Gamal Cryptosystem
Let q be a prime such that the discrete logarithm problem in (Zq,.) is infeasible
and let Zq be a primitive element. Let P=Zq, C=Zq×Zq, and define
The values q, and YB are the public key and XB is the private key.
For K=(q, , XB, YB), and for a (secret) random number kZq-1, define
where
C1=k mod q
$C_2 = x\,Y_B^k \bmod q$
k(C1, C2) = $C_2 (C_1^{X_B})^{-1} \bmod q$
Solution
The U.S. Digital Signature Algorithm is the El Gamal algorithm with a few
restrictions:
(a) The size of q is specifically fixed at $2^{511} < q < 2^{512}$ (so that q is roughly 170
decimal digits long).
(c) The algorithm uses a hash value instead of the full message plaintext M.
The vast majority of the products and standards that use public key cryptography
for encryption and digital signatures use RSA. Recently, a competing system has
begun to challenge RSA: elliptic curve cryptography (ECC, or EC for short).
Already, ECC is showing up in standardization efforts, including the IEEE P1363
standards for public-key cryptography.
Elliptic curves are described by the set of solutions to certain equations in two variables.
In general, cubic equations for elliptic curves take the form:
$y^2 + axy + by = x^3 + cx^2 + dx + e$
where a, b, c, d, and e are real numbers that satisfy some simple conditions. They get the
name because they are used for calculating the circumference of an ellipse.
$x^3 + cx^2 + dx + e = 0$
$x^3 + px + q = 0$
to be solved.
Proof:
$q = e - cd/3 + 2c^3/27$
Solutions of the original cubic are then in terms of the canonical cubic roots. The
three roots of the canonical cubic are:
$X_1 = A^{1/3} + B^{1/3}$
$X_2 = W A^{1/3} + W^2 B^{1/3}$
$X_3 = W^2 A^{1/3} + W B^{1/3}$
Where
$A = -(1/2)\,q + (1/6)\sqrt{(4p^3 + 27q^2)/3}$
$B = -(1/2)\,q - (1/6)\sqrt{(4p^3 + 27q^2)/3}$
$W = (-1 + i\sqrt{3})/2, \quad W^2 = (-1 - i\sqrt{3})/2$
Where $4p^3 + 27q^2 < 0$, A is complex.
Note 2: For ECC, we are concerned with a restricted form of elliptic curve that is
defined over a finite field. More specifically:
such that $4a^3 + 27b^2 \neq 0$. A non-singular elliptic curve is the set E of solutions
$(x, y) \in R \times R$ to the equation
$y^2 = x^3 + ax + b$
together with a special point called the point at infinity denoted , which is most
easily regarded as sitting at the top of the y-axis.
[Figure: elliptic curve plot with the points Q, R’, R and -P marked; x-axis ticks at -2, 0, 2.]
Let us find the addition rules over E for all points $P, Q \in E$, where $P = (x_1, y_1)$ and
$Q = (x_2, y_2)$. The rules for addition over E correspond to the geometric technique
illustrated in Figure 2. Given two points P and Q on E, to obtain a third point $R = (x_3, y_3)$
on E, draw the line L through P and Q; the line L intersects E in a third point
R’. Reflect R’ through the x-axis (i.e., change $y_3$ to $-y_3$) to get R. Define the law of
addition by P+Q=R. We consider three cases:
1. $x_1 \neq x_2$
2. $x_1 = x_2$ and $y_1 = -y_2$
3. $x_1 = x_2$ and $y_1 = y_2$
Case 1:
Let L be the line through P and Q. L intersects E in the two points P and Q, and
it is easy to see that L will intersect E in one further point, which we call R’. We
reflect R’ in the x-axis to get a point which we call R. We define P+Q=R. To
compute the coordinates of R, i.e., (x3, y3), note that the equation for line L is
L: y = x +
Where = (y2-y1)/(x2-x1)
= y1-x1 = y2 – x2
To find the coordinates of R’, (x3, y3), which are the intersection of line L and
curve E, we substitute equation for line L into the equation for E:
L: y = x +
E: $y^2 = x^3 + ax + b$
(x + )2 = x3 + ax + b
x3 - 2x2 + (a - 2)x + (b - 2) = 0
To find y3, note that slope of line L, i.e. can be determined by any two points on
this line. We will denote the y-coordinate of R’ by –y3, so the y-coordinate of R
will be y3. If we use the points (x1, y1) and (x3, -y3) to compute this slope, we get
= (-y3-y1)/(x3-x1)
y3 = (x1-x3) – y1
Thus, we have derived a formula for P+Q in case 1, when $x_1 \neq x_2$, for
Case 2:
x1 = x2 and y1 = -y2
(x, y) + (x, -y) = (Point at infinity) for all $(x, y) \in E$. Therefore,
(x, y) and (x, -y) are inverses with respect to the elliptic curve addition
operation.
P+ = +P =P P E
+ =
P + (-P) =
Case 3:
x1 = x2, y1 = y2
That is, adding a point P to itself. In this case, the line L in case 1 is taken to be tangent
to E at the point P. The slope of L can be computed using implicit differentiation of the
equation of E:
$2y\,dy/dx = 3x^2 + a$
= $(3x_1^2 + a) / (2y_1)$
Def. Addition Law – Let E be given by $y^2 = x^3 + ax + b$ and let $P = (x_1, y_1)$ and
$Q = (x_2, y_2)$ be on E. Then:
$P + Q = R = (x_3, y_3)$
where
x 3 2 x1 x 2
y 3 ( x 2 x 3 ) y1
(y2-y1)/(x2-x1) if P Q
=
(3x12+a)/(2y1) if P = Q
If the slope is infinite, then R is the point at infinity. There is one additional
law:
P P P E
Note 4 -
$(P + Q) + R = P + (Q + R)$ Associative Law
$P + Q = Q + P$ Commutative Law
3- Elliptic Curves Modulo a Prime
$y^2 = x^3 + ax + b$
$y^2 = x^3 + ax + b \pmod p$
where $a, b \in Z_p$ are constants such that $4a^3 + 27b^2 \not\equiv 0 \pmod p$, together with a
special point called the point at infinity.
Example 1 – Let’s take the following elliptic curve and apply to it the modulus 11.
(1, 9) (6, 9)
(2, 1) (8, 4)
(4, 2) (9, 5)
(4, 9) (9, 6)
infinity
kP1 = 3 x ( 4, 2) = P1 + P1 + P1
x2 2 – 2x1 (mod p)
That is :
$x_2 \equiv (4^2 - 2 \times 4) \bmod 11 = 8$
$y_2 \equiv [4(4 - 8) - 2] \bmod 11 \equiv -7 \bmod 11 = 4$
P1 + P1 = P2 = (8, 4)
P2 + P1 = P3 = (8, 4) + (4, 2) = (x3, y3)
Where
x3 = 2 – x1 - x2 $\equiv 6^2 - 8 - 4 \equiv 2$
Thus, kP1 = 3 x (4, 2) = (2, 10). The multiplier k (i.e., 3 in the example) is known as a
scalar.
Note 5 – The addition of points on an elliptic curve over Zp does not have the nice
geometric interpretation that it does on an elliptic curve over the reals.
However, the same formulas are used to define addition.
Note 7 –To form a cryptographic system using elliptic curves, we need to have a “hard
problem” corresponding to factoring the product of two primes or taking the
discrete logarithm. For example, consider the equation Q = kP, where $Q, P \in E$
and k < p. It is relatively easy to calculate Q given k and P, but it is relatively
hard to determine k given Q and P.
Step 1 – Pick a prime number p and elliptic curve parameters a and b for equation
$y^2 \equiv x^3 + ax + b \pmod p$
Step 2 – Alice selects an integer dA and generates a public key QA = dA x P. The key QA is
a point in E. dA is Alice’s private key.
Step 3 – Similarly, Bob selects a private key dB and computes a public key QB = dB x P.
Note 8 – Since the secret key K is another point on the elliptic curve, and we need just a
number, Alice and Bob need to decide beforehand which coordinate, x or y,
to use. The most common way is to use the x-coordinate and ignore the
y-coordinate.
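The addition law, the scalar multiple 3 x (4, 2) from Example 1, and the key agreement of Steps 1 to 3 with the x-coordinate convention of Note 8, as an added example that is not part of the original notes. The curve coefficients a = 1, b = 2 are an assumption inferred from the points listed in Example 1 (the curve equation itself is missing from the text), and the private keys 3 and 5 are constructed for illustration.

```python
# Toy elliptic curve y^2 = x^3 + A*x + B (mod P_MOD).
# P_MOD = 11 and the sample points are from Example 1; A = 1, B = 2 are an
# ASSUMPTION inferred from those points, since the curve equation is missing.
P_MOD, A, B = 11, 1, 2
INF = None  # the point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p, q):
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # case 2: P + (-P)
    if p == q:                                       # case 3: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                            # case 1: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiple k*pt by double-and-add."""
    result = INF
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def shared_x(own_private, peer_public):
    """Key agreement step: x-coordinate of own_private * peer_public."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public key is not a valid curve point")
    secret = mul(own_private, peer_public)
    if secret is INF:
        raise ValueError("shared point is the point at infinity")
    return secret[0]
```

The check in `shared_x` rejects a received public key that does not satisfy the curve equation before any secret-dependent arithmetic is done on it.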
Bob picks dB = 203 as his private key. His public key can be computed as:
Note 9 – The security of ECC depends on how difficult it is to determine k given kP and
P. This is referred to as the elliptic curve logarithm problem. It can be shown
that a considerably smaller key size can be used for ECC compared to RSA.
Furthermore, for equal key lengths, the computational effort required for ECC
and RSA is comparable. Thus it appears that there is a computational
advantage to using ECC with a shorter key length than a comparably secure
RSA.