Security 4th Class Dr. Ashwaq Mahmood Alabaichi 2015-2016 lec.8 ElGamal Public-Key Algorithm
ElGamal is a public-key cryptosystem in 1985.
It consists of both encryption and signature algorithms. ElGamal Key Generation B chooses large random prime p. then B chooses two random numbers a, α . 2 ≤ a < p−1 then computes y=( αa mod p). public key of B is (p, α, y) and a is private key. Cont … Enciphering stage: A obtains public key of B (p, α, y). A chooses secret random natural number b such that b<p − 1. A computes c1=( αb mod p) and c2= ( m yb mod p). A then sends the ciphertext (c1, c2) to B. Deciphering stage: B uses private key to compute p1=(( c1)p−1−a )mod p. Then recover m by computing (p1* c2 ) mod p. Cont … Suppose that A wants to send the message m = 2132 to B using the ElGamal Algorithm. B chooses p = 3359, α = 11, and a = 5 as private key. B computes αa =115 =3178 mod p. public key of B is therefore (p, α, y) = (3359, 11, 3178). A chooses b = 69 and computes both αb = 1169 mod p=193 And myb =(2132 . 317869 )mod p=2719 The ciphertext is c= (193, 2719), which A sends to B. B uses private key to decrypt . p1=(c1) p−1−a mod p=1933353 mod p=2243 And p1*c2=(2243 · 2719 ) mod p= 2132,thereby recovering m. ElGamal Signature Scheme A performs each of the following: Select α, p, aA. Select secret random key r < p − 1 Compute S1 ≡ ( αr mod p) and S2 = (m − aA S1)r−1 mod p-1. For k = (p, α, aA, y) the signed message (S1, S2) is sent, along with m to B. Verification Stage: B does each of the following: Using public key of A(p, α, y) verify from the message. Compute V1=( yS1S1S2 ) mod p and V2=αm mod p. if V1 =V2 accept the message otherwise reject it. Cont… Let p = 3469, with α = 2. A selects a = 153 as private key and computes αa = 2153 mod 3469=2501 = y Thus, public key of A is (p, α, y) = (3469, 2, 2501). If m = 1121, and A chooses r = 251, then A computes S1 =2251 mod 3469=2142 S2 =(m−aS1)r −1 mod 3468=(1121−153 · 2142)·251 −1 mod 3468 =1849. 251 −1 =2639 and sends (1121, 251) = (S1, S2) = (2142, 1849) to B. First B verifies by computes V1 = yS1S1S2 mod 3469 =2501214221421849 mod 3469 =1487 V2= 21121 =αm mod 3469 =1487 so B accepts the signature as valid. Knapsack Problem The knapsack problem is a simple one. Given a quantity of items, each with different weights, is it possible to put some of those items into a knapsack so that the knapsack weight a given amount. More formally: Given a set of items M1, M2,..., Mn , and a sum S such that S = b1M1 + b2M2 + ...+ bnMn The values of bi can be either zero or one. A one indicates that the item is in the knapsack; a zero indicates that it isn’t. For example, the items might have weight of 1, 5, 6, 11, 14, and 20. knapsack weight is 22; use weight 5, 6, and 11. Superincreasing Knapsacks A superincreasing sequence is a sequence in which every term is greater than the sum of all the previous terms. For example, {2, 3, 6, 13, 27, 52} is a superincreasing sequence, but {2, 3, 4, 9, 15, 25} is not. The solution to a superincreasing knapsack is easy to find. Take the total weight of the knapsack and compare it with the largest number in the sequence. If the total weight is less than the number, then it is not in the knapsack. If the total weight is greater than or equal to the number, then it is in the knapsack. Reduce the weight of the knapsack by the value and move to the next largest number in the sequence. Repeat until finished. If the total weight has been brought to zero, then there is a solution. If the total weight has not, there isn’t. Cont…
Suppose the total weight of knapsack is 70.
The largest weight, 52, is less than 70, so 52 is in the knapsack. Subtracting 52 from 70 leaves 18. The next weight, 27, is greater than 18, so 27 is not in the knapsack. The next weight, 13, is less than 18, so 13 is in the knapsack. Subtracting 13 from 18 leaves 5. The next weight, 6, is greater than 5, so 6 is not in the knapsack. Continuing this process will show that both 2 and 3 are in the knapsack and the total weight is brought to 0, which indicates that a solution has been found the plaintext that resulted from a ciphertext value of 70 would be 110101 {2, 3, 6, 13, 27, 52}. Encryption with knapsacks. The Merkle-Hellman algorithm is based on this property. The private key is a sequence of weights for a superincreasing knapsack problem. The public key is a sequence of weights for a normal knapsack problem. Merkle and Hellman developed a technique for converting a superincreasing knapsack problem into a normal knapsack problem. They did this using modular arithmetic. for example {2, 3, 6, 13, 27, 52}, and multiply all of the values by a number n, mod m. The modulus should be a number greater than the sum of all the numbers in the sequence. the summation is 103 then chose 105 as m. Then chose n such that GCD(m, n)=1: for example, 31. The normal knapsack sequence would then be 2 * 31 mod 105 = 62 3 * 31 mod 105 = 93 6 * 31 mod 105 = 81 13 * 31 mod 105 = 88 27 * 31 mod 105 = 102 52 * 31 mod 105 = 37 Cont… The knapsack would then be {62, 93, 81, 88, 102, 37}. The superincreasing knapsack sequence is the private key. The normal knapsack sequence is the public key. Encryption To encrypt a binary message, first break it up into blocks equal to the number of items in the knapsack sequence. Then, allowing a one to indicate the item is present and a zero to indicate that the item is absent, compute the total weights of the knapsacks one for every message block. For example, if the message were 011000110101101110 in binary, encryption using the previous knapsack would proceed like this: message = 011000 110101 101110 011000 corresponds to 93 + 81 = 174 110101 corresponds to 62 + 93 + 88 + 37 = 280 101110 corresponds to 62 + 81 + 88 + 102 = 333 Cont… The ciphertext would be 174,280,333 Decryption A receiver of this message knows the private key: the superincreasing knapsack. To decrypt the message, the receiver must first determine n-1 such that n(n-1 )≡1(mod m). Multiply each of the ciphertext values by n-1 mod m, and then partition with the private knapsack to get the plaintext values. For example, the superincreasing knapsack is {2, 3, 6, 13, 27, 52}, m is equal to 105, and n is equal to 31. The ciphertext message is 174, 280, 333. In this case n-1 is equal to 61, so the ciphertext values must be multiplied by 61 mod 105. 174 * 61 mod 105 = 9 = 3 + 6, which corresponds to 011000 280 * 61 mod 105 = 70 = 2 + 3 + 13 + 52, which corresponds to 110101. Cont… 333 * 61 mod 105 = 48 = 2 + 6 + 13 + 27, which corresponds to 101110 The recovered plaintext is 011000 110101 101110