Computer and Data

Security
4th Class
Dr. Ashwaq Mahmood Alabaichi
2015-2016
lec.8
ElGamal Public-Key Algorithm

 ElGamal is a public-key cryptosystem in 1985.

 It consists of both encryption and signature algorithms.
ElGamal Key Generation
 B chooses large random prime p.
 then B chooses two random numbers a, α .
 2 ≤ a < p−1 then computes y=( αa mod p).
 public key of B is (p, α, y) and a is private key.
Cont …
Enciphering stage:
 A obtains public key of B (p, α, y).
 A chooses secret random natural number b such that b<p − 1.
 A computes c1=( αb mod p) and c2= ( m yb mod p).
 A then sends the ciphertext (c1, c2) to B.
Deciphering stage:
 B uses private key to compute p1=(( c1)p−1−a )mod p.
 Then recover m by computing (p1* c2 ) mod p.
Cont …
Suppose that A wants to send the message m = 2132 to B using the
ElGamal Algorithm.
 B chooses p = 3359, α = 11, and a = 5 as private key.
 B computes αa =115 =3178 mod p. public key of B is therefore (p,
α, y) = (3359, 11, 3178).
 A chooses b = 69 and computes both αb = 1169 mod p=193
 And myb =(2132 . 317869 )mod p=2719 The ciphertext is c= (193,
2719), which A sends to B.
 B uses private key to decrypt .
 p1=(c1) p−1−a mod p=1933353 mod p=2243
 And p1*c2=(2243 · 2719 ) mod p= 2132,thereby recovering m.
ElGamal Signature Scheme
 A performs each of the following:
 Select α, p, aA.
 Select secret random key r < p − 1
 Compute S1 ≡ ( αr mod p) and S2 = (m − aA S1)r−1 mod p-1.
 For k = (p, α, aA, y) the signed message (S1, S2) is sent, along
with m to B.
 Verification Stage: B does each of the following:
 Using public key of A(p, α, y) verify from the message.
 Compute V1=( yS1S1S2 ) mod p and V2=αm mod p.
 if V1 =V2 accept the message otherwise reject it.
Cont…
 Let p = 3469, with α = 2. A selects a = 153 as private key and
computes αa = 2153 mod 3469=2501 = y Thus, public key of A is (p,
α, y) = (3469, 2, 2501).
 If m = 1121, and A chooses r = 251, then A computes
 S1 =2251 mod 3469=2142
 S2 =(m−aS1)r −1 mod 3468=(1121−153 · 2142)·251 −1 mod 3468
=1849.
 251 −1 =2639
 and sends (1121, 251) = (S1, S2) = (2142, 1849) to B.
 First B verifies by computes
 V1 = yS1S1S2 mod 3469 =2501214221421849 mod 3469 =1487
 V2= 21121 =αm mod 3469 =1487
 so B accepts the signature as valid.

Knapsack Problem
 The knapsack problem is a simple one. Given a quantity of items,
each with different weights, is it possible to put some of those items
into a knapsack so that the knapsack weight a given amount.
 More formally: Given a set of items M1, M2,..., Mn , and a sum S
such that
 S = b1M1 + b2M2 + ...+ bnMn
 The values of bi can be either zero or one. A one indicates that the
item is in the knapsack; a zero indicates that it isn’t.
 For example, the items might have weight of 1, 5, 6, 11, 14, and 20.
knapsack weight is 22; use weight 5, 6, and 11.
Superincreasing Knapsacks
 A superincreasing sequence is a sequence in which every term is
greater than the sum of all the previous terms. For example, {2, 3,
6, 13, 27, 52} is a superincreasing sequence, but {2, 3, 4, 9, 15, 25}
is not.
 The solution to a superincreasing knapsack is easy to find. Take
the total weight of the knapsack and compare it with the largest
number in the sequence. If the total weight is less than the number,
then it is not in the knapsack. If the total weight is greater than or
equal to the number, then it is in the knapsack.
 Reduce the weight of the knapsack by the value and move to the
next largest number in the sequence. Repeat until finished. If the
total weight has been brought to zero, then there is a solution. If the
total weight has not, there isn’t.
Cont…

 Suppose the total weight of knapsack is 70.

 The largest weight, 52, is less than 70, so 52 is in the knapsack.
Subtracting 52 from 70 leaves 18. The next weight, 27, is greater
than 18, so 27 is not in the knapsack. The next weight, 13, is less
than 18, so 13 is in the knapsack. Subtracting 13 from 18 leaves 5.
The next weight, 6, is greater than 5, so 6 is not in the knapsack.
Continuing this process will show that both 2 and 3 are in the
knapsack and the total weight is brought to 0, which indicates that a
solution has been found the plaintext that resulted from a ciphertext
value of 70 would be 110101 {2, 3, 6, 13, 27, 52}.
Encryption with knapsacks.
 The Merkle-Hellman algorithm is based on this property. The
private key is a sequence of weights for a superincreasing knapsack
problem. The public key is a sequence of weights for a normal
knapsack problem.
 Merkle and Hellman developed a technique for converting a
superincreasing knapsack problem into a normal knapsack problem.
They did this using modular arithmetic.
 for example {2, 3, 6, 13, 27, 52}, and multiply all of the values by a
number n, mod m. The modulus should be a number greater than
the sum of all the numbers in the sequence. the summation is 103
then chose 105 as m. Then chose n such that GCD(m, n)=1: for
example, 31. The normal knapsack sequence would then be
 2 * 31 mod 105 = 62
 3 * 31 mod 105 = 93
 6 * 31 mod 105 = 81
 13 * 31 mod 105 = 88
 27 * 31 mod 105 = 102
 52 * 31 mod 105 = 37
 Cont…
 The knapsack would then be {62, 93, 81, 88, 102, 37}. The
superincreasing knapsack sequence is the private key. The normal
knapsack sequence is the public key.
Encryption
 To encrypt a binary message, first break it up into blocks equal to
the number of items in the knapsack sequence. Then, allowing a
one to indicate the item is present and a zero to indicate that the
item is absent, compute the total weights of the knapsacks one for
every message block.
 For example, if the message were 011000110101101110 in binary,
encryption using the previous knapsack would proceed like this:
 message = 011000 110101 101110
 011000 corresponds to 93 + 81 = 174
 110101 corresponds to 62 + 93 + 88 + 37 = 280
 101110 corresponds to 62 + 81 + 88 + 102 = 333
Cont…
 The ciphertext would be 174,280,333
 Decryption
 A receiver of this message knows the private key: the
superincreasing knapsack.
 To decrypt the message,
 the receiver must first determine n-1 such that n(n-1 )≡1(mod m).
 Multiply each of the ciphertext values by n-1 mod m, and then
partition with the private knapsack to get the plaintext values.
 For example, the superincreasing knapsack is {2, 3, 6, 13, 27, 52},
m is equal to 105, and n is equal to 31. The ciphertext message is
174, 280, 333.
 In this case n-1 is equal to 61, so the ciphertext values must be
multiplied by 61 mod 105.
 174 * 61 mod 105 = 9 = 3 + 6, which corresponds to 011000
 280 * 61 mod 105 = 70 = 2 + 3 + 13 + 52, which corresponds to
110101.
Cont…
 333 * 61 mod 105 = 48 = 2 + 6 + 13 + 27, which corresponds to
101110
 The recovered plaintext is 011000 110101 101110