S. Erfani, ECE Dept.

, University of Windsor

1- El Gamal and Digital Signature Algorithm

A public-key algorithm was devised in 1984 by T. El Gamal based on discrete

logarithms. The scheme is closely related to the Diffie-Hellman technique. It is
used in the Digital Signature Standard (DSS) by NIST.

1.1– El Gamal Algorithm

Step 1 – Global Public Elements – As with Diffie-Hellman, to generate a
key pair, first choose a prime number q and , a primitive root of q.

Step 2 – Key Generation – Alice selects a private key XA<Q and calculate
a public key YA as in Diffie_hellman

YA= XA

Independently, Bob also generates his public key YB and private key.

Step 3 – User A Signs a Message – Alice encrypts a plaintext M<q

intended for Bob as follows:

a) Choose a random integer k, 1kq

a) Compute:

K=(YB)k mod q

(C1, C2) where:

C1=k mod q

C2=KM mod q

These two numbers together make up the signature.

Step 4 – User B Verifies the Signature – Bob verifies the signature by

recovering the plaintext M as follows:

(a) Compute
K= (C1 ) X B mod q

Which is

K= ( k ) XB mod q = ( XB )k mod q = (YB )k mod q

1
 S. Erfani, ECE Dept., University of Windsor

(b) Compute
M=(C2K-1) mod q

Where K-1 is the multiplicative inverse of K.

Therefore:
(C2K-1) mod q=(KMK-1) mod q

=MKK-1 mod q

=M mod q

Note 1 – This scheme is sometimes referred to as DSA stands for Digital Signature
Algorithm.

Note 2 – The plaintext M is usually a digest of a message. It is seen that DSS does not
encrypt the digest. The input to the algorithm is the digest of the data to sign, M,
the key, YB and a random number, k. The output is a pair of numbers C 1, and C2,
as shown in Fig. 1. There will be many ciphertexts that are encryptions of the same
digest, since the output depends on both the digest M and on the random value k
chosen by Alice.

Data to
sign DSS
M Algorithm
C1 :

Key, YB
C2 :

Random "k"

Fig. 1 DSS takes in three inputs and gives two numbers as a result

2
 S. Erfani, ECE Dept., University of Windsor

Note 3 – To defeat this scheme and infer the values of XB and k givenC1, C2 and
M, the intrude, Oscar, could find a means of computing a discrete logarithm to
solve

YB=  XB and C1=k

Example 1 – Consider an El Gamal scheme with a common prime q=71 and a

primitive root =7.
(a) If Bob has public key YB=3 and Alice chose the random integer k=2, what
is the ciphertext of M=30?

(b) If Alice now chooses a different value of k, so that the encoding of M=30
is C=(59, C2), what is the integer C2?

Solution

(a) K=(YB)k mod q=32 mod 71=9

C1=k mod q=72 mod 71=49

C2=KM mod q=9×30 mod 71

=270 mod 7157

(b) In this case we have

C1=59=k mod q=7k mod 71

We need to solve a discrete logarithm to find k. It can be shown that k=3 because:

73 mod 71=343 mod 71=59=C1

 K= YB k mod q=33 mod 71

=27

C2=KM mod 71=27×30 mod 71

=810 mod 7129

Note 4 – Informally, this is how the El Gamal algorithm works: The plaintext M is
“masked” by multiplying it by YB k , yielding C2. The value C1=k is also transmitted
as past of the ciphertext. Bob who knows the private key, XB, can compute YB k
from C1. Then he can “remove the mask” by dividing C2 by YB k to obtain M.

3
 S. Erfani, ECE Dept., University of Windsor

Note 5 – The El Gamal cryptosystem can be defined mathematically as follows:

El Gamal Cryptosystem

Let q be a prime such that the discrete logarithm problem in (Zq,.) is infeasible
and let Zq be a primitive element. Let P=Zq, C=Zq×Zq, and define

K={(q, , XB, YB): YB=  XB mod q}.

The values q,  and YB are the public key and XB is the private key.

For K=(q, , XB, YB), and for a (secret) random number kZq-1, define

ek(x, k)=(C1, C2)

where

C1=k mod q

C2=x YB k mod q

For C1 and C2Zq , define

k(C1, C2)=C2 (C1X B )1 mod q

Example 2 – Suppose q=2579 and =2.  Is a primitive element modulo q. Let

XB=7. Now, suppose that Alice wishes to send the message M=1299 to Bob. Say
k=853 is the random integer she chooses. Show the steps in El Gamal algorithm.

Solution

XB=765, =2, q=2579

YB=  XB mod q=2765 mod 2579  949

K=(YB)k mod q = (949)853 mod 2579

C1 = k mod q = 2853 mod 2579  435

C2=KM mod q =1299×949853 mod 2579  2396

4
 S. Erfani, ECE Dept., University of Windsor

When Bob receives the ciphertext (C1, C2)=(435, 2396), He computes:

M=(C2K-1) mod q = 2396×(435765)-1 mod 2579 =1299,

Which was the plaintext that Alice encrypted.

1.2- Digital Signature Algorithm(DSA)

The U.S. Digital Signature Algorithm is the El Gamal algorithm with a few
restrictions:

(a) The size of q is specifically fixed at 2511<q<2512 (so that q is roughly 170
decimal digits long).

(b) The large prime factor of (q-1) is chosen, so that 2519<p<2160.

(c) The algorithm uses a hash value instead of the full message plaintext M.

(d) The computations of C1 and C2 are taken mod p instead of mod q.