Post on 16-May-2020
Introduction to Basic CryptographyAttacks on RSA, DLP
Kalyan ChakrabortyHarish-Chandra Research Institute
CIMPA School of Number Theory in Cryptography and Its Applications
School of Science, Kathmandu University,
Dhulikhel, Nepal
July 19 - July 31, 2010
Lecture 2: July 21, 2010
http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 1 / 31
Outline
Outline
1 Attacks on RSAThe Pollard p− 1 AlgorithmThe Pollard’s Rho AlgorithmWeiner’s Low Decryption Exponent Attack
2 Discrete Logarithm ProblemGeneral DL ProblemExampleThe ElGamal CryptosystemMassey-Omura Encryption
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 2 / 31
Attacks on RSA
Factoring Algorithms
Factoring Algorithms
The obvious way to attack RSA is to attempt to factor the publicmodulus.
If n is composite, then the basic method of dividing an integer n by allprimes p ≤ √n is much too slow for most purposes.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 3 / 31
Attacks on RSA The Pollard p − 1 Algorithm
The Pollard p− 1 Algorithm
If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 4 / 31
Attacks on RSA The Pollard p − 1 Algorithm
The Pollard p− 1 Algorithm
If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 4 / 31
Attacks on RSA The Pollard p − 1 Algorithm
The Pollard p− 1 Algorithm
If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.Fix an integer B. Given an integer n, this algorithm finds a primep such that p|n and p− 1 has prime factors ≤ B.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 4 / 31
Attacks on RSA The Pollard p − 1 Algorithm
The Pollard p− 1 Algorithm
If one of the prime factors of n has a special property, it issometime easier to factor n. For example, if p|n and p− 1 has“small” prime factors, the following method is effective.This algorithm was invented by Pollard in 1974.Fix an integer B. Given an integer n, this algorithm finds a primep such that p|n and p− 1 has prime factors ≤ B.
Pollard p− 1 factoring Algorithm (n,B)
a = 2
for j = 2 to B
do a = aj mod n
d = gcd(a − 1, n)
if 1 < d < n
then return(d)
else return (“failure”)Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 4 / 31
Attacks on RSA The Pollard p − 1 Algorithm
Method
Suppose p|n and q ≤ B ∀ prime power q|p− 1.Then it must be the case that p− 1|B!.At the end of for loop one has
a ≡ 2B! (mod n).
As p|n one hasa ≡ 2B! (mod p).
By Fermat’s little theorem;
2p−1 ≡ 1 (mod p)
As, p− 1|B!, one hasa ≡ 1 (mod p)
⇒ p|a− 1. Also, p|n⇒ p|d; where d = gcd(a − 1, n).d will be a non-trivial divisor of n (unless a = 1)
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 5 / 31
Attacks on RSA The Pollard p − 1 Algorithm
How to choose B ?For a small B the algorithm will run quickly but will have littlechance of success, while large B will make it very slow.The actual choice of B will depend on the situation at hand.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 6 / 31
Attacks on RSA The Pollard p − 1 Algorithm
How to choose B ?For a small B the algorithm will run quickly but will have littlechance of success, while large B will make it very slow.The actual choice of B will depend on the situation at hand.
Avoding p− 1 attack :We use n = pq, which is hard to factor. So, we should ensure thatp− 1 has at least one large prime factor.
For p to have around 100 digits, choose large prime p0 (around1040). Look at integers of the form kp0 + 1 (k could be around1060) and test it for primality by Miller-Rabin Test. This producesdesired value of p in less than 100 steps.Apply same procedure for q.
Then the RSA modulus n will be resistant to p− 1 attack.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 6 / 31
Attacks on RSA The Pollard p − 1 Algorithm
Complexity:
There are B − 1 modular exponentiation, each requiring at most2 log2 B modular multiplications. The gcd can be computed in timeO
(
(log n)3)
.
Hence the complexity of the algorithm is
O(
B log B(log n)3 + (log n)3)
.
If B is O(
(log n)i)
for some fixed i, then algorithm is indeed
polynomial time. One cannot again choose a very small B.
The more powerful elliptic curve factoring algorithm developed byLenstra, is infact a generalization of the p− 1 algorithm.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 7 / 31
Attacks on RSA The Pollard p − 1 Algorithm
Example
Suppose n = 15770708441. If we apply the algorithm withB = 180 then one gets a = 11620221425 and d = 135979
In fact 15770708441 = 135979 × 115979
This factorization succeeds because 135978 has “small” primefactors:135978 = 2× 3× 131× 173.
Hence by taking B ≥ 173, it will be the case that 135978|B! asrequired.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 8 / 31
Attacks on RSA The Pollard p − 1 Algorithm
Example
Suppose n = 15770708441. If we apply the algorithm withB = 180 then one gets a = 11620221425 and d = 135979
In fact 15770708441 = 135979 × 115979
This factorization succeeds because 135978 has “small” primefactors:135978 = 2× 3× 131× 173.
Hence by taking B ≥ 173, it will be the case that 135978|B! asrequired.
Exercise: Factor n = 376875575426394855599989992897873239 by thep− 1 Method. One can choose bound B = 100.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 8 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Pollard Rho Algorithm
Let p be prime divisor of n. Suppose ∃ x, x′ ∈ Zn such that x 6= x′
and x ≡ x′ mod p. Then p ≤ (x− x′, n) < n. One obtains anon-trivial factor of n by computing gcd.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 9 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Pollard Rho Algorithm
Let p be prime divisor of n. Suppose ∃ x, x′ ∈ Zn such that x 6= x′
and x ≡ x′ mod p. Then p ≤ (x− x′, n) < n. One obtains anon-trivial factor of n by computing gcd.
One chooses a random subset X ⊂ Zn and then compute(x− x′, n) for all distinct values in X. This method will besuccessful if and only if the mapping x→ x mod p gives atleastone collision for x ∈ X.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 9 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Pollard Rho Algorithm
Let p be prime divisor of n. Suppose ∃ x, x′ ∈ Zn such that x 6= x′
and x ≡ x′ mod p. Then p ≤ (x− x′, n) < n. One obtains anon-trivial factor of n by computing gcd.
One chooses a random subset X ⊂ Zn and then compute(x− x′, n) for all distinct values in X. This method will besuccessful if and only if the mapping x→ x mod p gives atleastone collision for x ∈ X.
The Pollard Rho Algorithm is a variation of this technique whichneeds fewer gcd computation and less memory and quickly findsrelatively small prime factor p of composite numbers in perhaps√
p steps.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 9 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Description
Description: Given an integer n, define a function f by
f(x) = x2 + a mod n (usually a = 1 is used)
and initialize by setting x = 2, x′ = f(x).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 10 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Description
Description: Given an integer n, define a function f by
f(x) = x2 + a mod n (usually a = 1 is used)
and initialize by setting x = 2, x′ = f(x).
Compute d = gcd(x − x′, n)if 1 < d < n, stop, d is proper divisor of n.if d = 1, replace x by f(x) and x′ by f(f(x′));and repeat.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 10 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Description
Description: Given an integer n, define a function f by
f(x) = x2 + a mod n (usually a = 1 is used)
and initialize by setting x = 2, x′ = f(x).
Compute d = gcd(x − x′, n)if 1 < d < n, stop, d is proper divisor of n.if d = 1, replace x by f(x) and x′ by f(f(x′));and repeat.
(If d = n; we have a failure and the algorithm has to be re-initialized).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 10 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Pollard Rho Factoring Algorithm (n, x1)
external f
x← x1
x′ ← f(x) mod n
p← gcd(x− x′, n)
while p = 1
do
comment: in the ith iteration, x = xi and x′ = x2i
x← f(x)(mod n)x′ ← f(x′)(mod n)x′ ← f(x′)(mod n)p← gcd(x− x′, n)
if p = n
then return (“n is prime”)
else return (p)
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 11 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Let x1 ∈ Zn. Consider the sequence x1, x2, . . . where
xj = f(xj−1)mod n ∀ j ≥ 2.
Set X = {x1, x2, . . . xm} for some m.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 12 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Let x1 ∈ Zn. Consider the sequence x1, x2, . . . where
xj = f(xj−1)mod n ∀ j ≥ 2.
Set X = {x1, x2, . . . xm} for some m.
One is looking for two distinct values xi, xj ∈ X such thatgcd(xj − xi, n) > 1.It turns out that one can reduce the gcd computation.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 12 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Let x1 ∈ Zn. Consider the sequence x1, x2, . . . where
xj = f(xj−1)mod n ∀ j ≥ 2.
Set X = {x1, x2, . . . xm} for some m.
One is looking for two distinct values xi, xj ∈ X such thatgcd(xj − xi, n) > 1.It turns out that one can reduce the gcd computation.
Now we show that xi ≡ xj (mod p)⇒ xi+1 ≡ xj+1 (mod p):
Suppose xi ≡ xj (mod p)⇒ f(xi) ≡ f(xj) (mod p);
xi+1 = f(xi) mod nxj+1 = f(xj) mod n
gives
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 12 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Let x1 ∈ Zn. Consider the sequence x1, x2, . . . where
xj = f(xj−1)mod n ∀ j ≥ 2.
Set X = {x1, x2, . . . xm} for some m.
One is looking for two distinct values xi, xj ∈ X such thatgcd(xj − xi, n) > 1.It turns out that one can reduce the gcd computation.
Now we show that xi ≡ xj (mod p)⇒ xi+1 ≡ xj+1 (mod p):
Suppose xi ≡ xj (mod p)⇒ f(xi) ≡ f(xj) (mod p);
xi+1 = f(xi) mod nxj+1 = f(xj) mod n
gives
xi+1 mod p =(
f(xi) mod n)
mod p = f(xi) mod p as p|n.
xj+1 mod p =(
f(xj) mod n)
mod p = f(xj) mod p as p|n.
Therefore, xi+1 ≡ xj+1 (mod p).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 12 / 31
Attacks on RSA The Pollard’s Rho Algorithm
So, if xi ≡ xj (mod p) then xi+δ ≡ xj+δ (mod p); δ ≥ 0.Denoting l = j − i⇒ xi′ ≡ xj′ (mod p) if j′ > i′ ≥ i and j′ − i′ = 0 (mod l).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 13 / 31
Attacks on RSA The Pollard’s Rho Algorithm
So, if xi ≡ xj (mod p) then xi+δ ≡ xj+δ (mod p); δ ≥ 0.Denoting l = j − i⇒ xi′ ≡ xj′ (mod p) if j′ > i′ ≥ i and j′ − i′ = 0 (mod l).
The goal is to discover 2 terms xi ≡ xj (mod p) with i < j, bycomputing a gcd. In order to simplify and improve the algorithm,we restrict our search for collision by taking j = 2i.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 13 / 31
Attacks on RSA The Pollard’s Rho Algorithm
So, if xi ≡ xj (mod p) then xi+δ ≡ xj+δ (mod p); δ ≥ 0.Denoting l = j − i⇒ xi′ ≡ xj′ (mod p) if j′ > i′ ≥ i and j′ − i′ = 0 (mod l).
The goal is to discover 2 terms xi ≡ xj (mod p) with i < j, bycomputing a gcd. In order to simplify and improve the algorithm,we restrict our search for collision by taking j = 2i.
If xi ≡ xj (mod p) then it is the case that xi′ ≡ x2i′ (mod p) for alli′ such that i′ ≡ 0 (mod l) and i′ ≥ i.
Among the l consecutive integers i, . . . , j − 1, there must be onethat is divisible by l. Therefore, the smallest value i′ that satisfiesthe condition is atmost j − 1. Hence the # of iterations requiredto find a factor p is atmost j.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 13 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 14 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Example
n = 7171 = 71× 101, f(x) = x2 + 1, x1 = 1, then the sequence xi are
1 2 5 26 677 6557 41016347 4903 2218 219 4936 · ·4872 375 4377 4389 2016 · ·
reduced mod 71
1 2 5 26 38 25 5828 4 17 6 37 21 1644 20 46 58 28 4 17
⇒ x7 mod 71 = x18 mod 71 = 58.
Here, i = 7, j = 18 and l = j − i = 11 which is the length of the cycle.The smallest integer i′ ≥ 7 which is divisible by 11 is i′ = 11.Therefore, this algorithm will give the factor 71 of n when it computesgcd(x11 − x22, n) = 71.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 15 / 31
Attacks on RSA The Pollard’s Rho Algorithm
Exercises
Exercise:
Factor the following numbers using Pollard Rho Algorithm if thefunction f is defined to be f(x) = x2 + 1:
1 262063
2 9420457
3 181937053
How many iterations are needed in each cases?
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 16 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
Weiner’s Low Decryption Exponent attack
This attack succeeds in computing the secret decryption exponentd, whenever
3d < n1/4 and q < p < 2q. (1)
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 17 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
Weiner’s Low Decryption Exponent attack
This attack succeeds in computing the secret decryption exponentd, whenever
3d < n1/4 and q < p < 2q. (1)
This attack will work when d has fewer than l/4−1 bits in binaryrepresentation (assuming n has l-bits) and p and q are not farapart.
This result shows that method of reducing time should be avoided.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 17 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
As, de ≡ 1 (mod φ(n)) ∃ t ∈ Z such that
de− tφ(n) = 1
Now, n = pq > q2, we have q <√
n. Therefore,
0 < n− φ(n) = p + q − 1 < 2q + q − 1 < 3q < 3√
n.
Thus,∣
∣
∣
∣
e
n− t
d
∣
∣
∣
∣
=
∣
∣
∣
∣
ed− tn
dn
∣
∣
∣
∣
=
∣
∣
∣
∣
1 + t(φ(n)− n)
dn
∣
∣
∣
∣
<3t√
n
dn=
3t
d√
n.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 18 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
As, de ≡ 1 (mod φ(n)) ∃ t ∈ Z such that
de− tφ(n) = 1
Now, n = pq > q2, we have q <√
n. Therefore,
0 < n− φ(n) = p + q − 1 < 2q + q − 1 < 3q < 3√
n.
Thus,∣
∣
∣
∣
e
n− t
d
∣
∣
∣
∣
=
∣
∣
∣
∣
ed− tn
dn
∣
∣
∣
∣
=
∣
∣
∣
∣
1 + t(φ(n)− n)
dn
∣
∣
∣
∣
<3t√
n
dn=
3t
d√
n.
As t < d; one has 3t < 3d < n1/4.Therefore
∣
∣
∣
∣
e
n− t
d
∣
∣
∣
∣
=1
dn1/4<
1
3d2
td is very close approximation to e
n .
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 18 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
From the theory of continued fractions, it is known that anyapproximation of e
n that is this close must be one of theconvergents of the continued fraction expansion of e
n .
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 19 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
From the theory of continued fractions, it is known that anyapproximation of e
n that is this close must be one of theconvergents of the continued fraction expansion of e
n .
Theorem: Suppose (a, b) = (c, d) = 1 and
∣
∣
∣
a
b− c
d
∣
∣
∣<
1
2d2.
Then cd is one of the convergents of the continued fractions
expansion of ab .
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 19 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
Example
Example: Compute the continued fraction expansion of 3499
.The Euclidean Algorithm gives:
34 ≡ 0× 99 + 3499 ≡ 2× 34 + 3134 ≡ 1× 31 + 331 ≡ 10× 3 + 13 ≡ 3× 1
Hence, the continued fraction expansion of 34
99= [0, 2, 1, 10, 3].
34
99= 0 +
1
2 +1
1 +1
10 + 1
3
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 20 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
The convergents are:
[0] = 0, [0, 2] =1
2, [0, 2, 1] =
1
3, [0, 2, 1, 10] =
11
32, [0, 2, 1, 10, 3] =
34
99.
Thus if (1) holds then the unknown fraction td is a close
approximation to en .
If td is a convergent of e
n ; then one can compute the value of
φ(n) = (de− 1)/t.
Once n and φ(n) are known we can factor n.
One tries convergent of en until the factorization of n is found.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 21 / 31
Attacks on RSA Weiner’s Low Decryption Exponent Attack
Weiner’s Algorithm (n, e)
(q1, . . . , qm; rm)← Euclidean Algorithm (e, n).c0 = 1, c1 = q1, d0 = 0, d1 = 1for j = 1 to mdo
cj = qjcj−1 + cj−2
dj = qjdj−1 + dj−2
n′ = (dje− 1)/cj
comment: n′ = φ(n) if cj/dj is the correct convergent.if n′ is an integer
then
let p, q be roots of x2 − (n− n′ + 1)x + n = 0if p, q are primitive integers < nthen return (p, q)
return(“failure”)
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 22 / 31
Discrete Logarithm Problem General DL Problem
Discrete Logarithm Problem
Let G be a finite multiplicative group of order n.
Let α ∈ G be of order n.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 24 / 31
Discrete Logarithm Problem General DL Problem
Discrete Logarithm Problem
Let G be a finite multiplicative group of order n.
Let α ∈ G be of order n.
Consider,< α > = {αi : 0 ≤ i ≤ n− 1}.
Set β ∈< α >.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 24 / 31
Discrete Logarithm Problem General DL Problem
Discrete Logarithm Problem
Let G be a finite multiplicative group of order n.
Let α ∈ G be of order n.
Consider,< α > = {αi : 0 ≤ i ≤ n− 1}.
Set β ∈< α >.
For example, take G to be multiplicative group of a finite field Zp
and α to be a primitive element modulo p.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 24 / 31
Discrete Logarithm Problem General DL Problem
Problem : Find the unique integer ‘a’, 0 ≤ a ≤ n− 1 such that
αa = β.
Denote ‘a’ by logα β; discrete logarithm of β.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 25 / 31
Discrete Logarithm Problem General DL Problem
Problem : Find the unique integer ‘a’, 0 ≤ a ≤ n− 1 such that
αa = β.
Denote ‘a’ by logα β; discrete logarithm of β.
The utility of ‘dlp’ in a cryptographic setting is that finding ‘dl’ isdifficult.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 25 / 31
Discrete Logarithm Problem General DL Problem
Problem : Find the unique integer ‘a’, 0 ≤ a ≤ n− 1 such that
αa = β.
Denote ‘a’ by logα β; discrete logarithm of β.
The utility of ‘dlp’ in a cryptographic setting is that finding ‘dl’ isdifficult.
Stated Another Way: Exponentiation is a one-way formula insuitable groups.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 25 / 31
Discrete Logarithm Problem Example
DLP Example
G = Z∗
19 = {1, 2, . . . , 18}.n = 18; generator g = 2
i 1 2 3 4 5 6 7 8 9
gi 2 4 8 16 13 7 14 9 18
i 10 11 12 13 14 15 16 17 18
gi 17 15 11 3 6 12 5 10 1
Then,log2 14 = 7
log2 6 = 14
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 26 / 31
Discrete Logarithm Problem Example
Exercises
1 Let p = 13. Compute log2 3.
Computer Exercises:
1 Let p = 53047. Verify that log3 8576 = 1234.
2 Let p = 3989. Show that log2 3925 = 2000.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 27 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
The ElGamal Cryptosystem This cryptosystem is based on DLP.
ElGamal proposed a PKC based on dlp in (Z∗
p, ·).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 28 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
The ElGamal Cryptosystem This cryptosystem is based on DLP.
ElGamal proposed a PKC based on dlp in (Z∗
p, ·).Encryption : Let p be a prime and g be a generator of Z
∗
p. Theprivate key x is an integer between 1 and p− 2. Set
y = gx mod p.
Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 28 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
The ElGamal Cryptosystem This cryptosystem is based on DLP.
ElGamal proposed a PKC based on dlp in (Z∗
p, ·).Encryption : Let p be a prime and g be a generator of Z
∗
p. Theprivate key x is an integer between 1 and p− 2. Set
y = gx mod p.
Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.To encrypt a plaintext M , a random integer k coprime to p− 1 isselected and compute
a = gk mod pb = Myk mod p
Ciphertext C = (a, b).
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 28 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
The ElGamal Cryptosystem This cryptosystem is based on DLP.
ElGamal proposed a PKC based on dlp in (Z∗
p, ·).Encryption : Let p be a prime and g be a generator of Z
∗
p. Theprivate key x is an integer between 1 and p− 2. Set
y = gx mod p.
Public key = (p, g, y). Releasing y = gx mod p doesn’t reveal x.To encrypt a plaintext M , a random integer k coprime to p− 1 isselected and compute
a = gk mod pb = Myk mod p
Ciphertext C = (a, b).Decryption : M = b
ax mod p. Indeed we have;
b
axmod p = Myk(ax)−1 mod p
= Mgxk(gkx)−1 mod p
= M.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 28 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
Example
Suppose p = 2579, α = 2. Let a = 765. So,
β = 2765 mod 2579 = 949.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 29 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
Example
Suppose p = 2579, α = 2. Let a = 765. So,
β = 2765 mod 2579 = 949.
Alice wishes to send a message x = 1299 to Bob. k = 853. Thenshe computes,
y1 = 2853 mod 2579 = 435
andy2 = 1299 × 949853 mod 2579 = 2396.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 29 / 31
Discrete Logarithm Problem The ElGamal Cryptosystem
Example
Suppose p = 2579, α = 2. Let a = 765. So,
β = 2765 mod 2579 = 949.
Alice wishes to send a message x = 1299 to Bob. k = 853. Thenshe computes,
y1 = 2853 mod 2579 = 435
andy2 = 1299 × 949853 mod 2579 = 2396.
Bob receives the ciphertext y = (435, 2396) and he computes
x = 2396 × (435765)−1 mod 2579 = 1299.
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 29 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey - Omura Encryption
Parameters
p : prime number.e : a random private integer such that
0 < e < p and gcd(e, p− 1) = 1
d : an inverse of e
d = e−1 mod p− 1, i.e., de ≡ 1 mod p− 1
M : a message to be encrypted and decrypted
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 30 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey - Omura Encryption
Parameters
p : prime number.e : a random private integer such that
0 < e < p and gcd(e, p− 1) = 1
d : an inverse of e
d = e−1 mod p− 1, i.e., de ≡ 1 mod p− 1
M : a message to be encrypted and decrypted
Alice wants to send a message M to Bob
For Alice : eA and dA are both privateFor Bob : eB and dB are both private
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 30 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey-Omura for message transmission
Alice
1. Encryption (1)
C1 = MeA mod p
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 31 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey-Omura for message transmission
Alice
1. Encryption (1)
C1 = MeA mod p
Bob
2. Encryption(2)
C2 = C1eB
= MeAeB mod p
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 31 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey-Omura for message transmission
Alice
1. Encryption (1)
C1 = MeA mod p
3. Encryption (3)
C3 = C2dA
= (MeAeB)dA
= MeB mod p
Bob
2. Encryption(2)
C2 = C1eB
= MeAeB mod p
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 31 / 31
Discrete Logarithm Problem Massey-Omura Encryption
Massey-Omura for message transmission
Alice
1. Encryption (1)
C1 = MeA mod p
3. Encryption (3)
C3 = C2dA
= (MeAeB)dA
= MeB mod p
Bob
2. Encryption(2)
C2 = C1eB
= MeAeB mod p
4. Decryption
M = C3dB
= MeBdB mod p
Kalyan Chakraborty (HRI) Introduction to basic Cryptography July 21, 2010 31 / 31