A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
KAIST
A Public Key Cryptosystem and a Signature Scheme Based
on Discrete Logarithms
TAHER ELGAMAL
IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985
Suhyung Kim, Yeojeong Yoon
2010. 2. 25
Outline
Introduction
Diffie-Hellman key distribution
Elgamal Public Key System
Elgamal Digital Signature Scheme
Property
Comparison
Attacks on the Signature
Conclusion
Introduction
Public-key Encryption (Asymmetric Cryptosystem)
- First proposed in 1976: "New Directions in Cryptography", Diffie and Hellman
- Did not produce an algorithm
- RSA cryptosystem (1978): based on difficulty of factoring large integers
- ElGamal cryptosystem (1985): based on discrete logarithm problem
[Figure: Public Key. A (sender) encrypts with the public key and sends {plaintext}public key; B (receiver) decrypts with the secret key.]
Introduction
RSA Cryptosystem
- "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", published in 1978
- Proposed by Rivest, Shamir, and Adleman
- Used a computationally difficult problem: breaking requires factoring of large numbers
1. Select p, q (large primes)
2. Calculate $n = p \times q$ and $\phi(n)$
3. Select b such that $\gcd(b, \phi(n)) = 1$
4. Calculate a such that $b \times a \equiv 1 \pmod{\phi(n)}$
Public key: (n, b)
Private key: (p, q, a)
$e_K(x) = x^b \bmod n$, $d_K(y) = y^a \bmod n$
Introduction
Discrete Logarithm Problem (DLP)
The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP), which is as follows:
Given a prime $p$ and values $g$ and $y$, find $x$ such that $y = g^x \bmod p$
- For a small value of p, it is easy to solve a DLP by trial and error or exhaustive search
- For a large value of p, finding discrete logarithms is difficult
- For a large value of p (p has around 300 decimal digits) it is not possible to solve a DLP using current technology
Diffie-Hellman key distribution
- Public parameters: $p$, a large prime; $\alpha$, a generator of $Z_p^*$
- Secret parameters: $x_A$ (A's), $x_B$ (B's)
- A computes $y_A \equiv \alpha^{x_A} \bmod p$ and sends $y_A$ to B
- B computes $y_B \equiv \alpha^{x_B} \bmod p$ and sends $y_B$ to A
- Shared key: $K_{AB} \equiv \alpha^{x_A x_B} \equiv y_A^{x_B} \equiv y_B^{x_A} \bmod p$
- $x_A = \log_\alpha y_A$, $x_B = \log_\alpha y_B$: based on the Discrete Logarithm Problem
- $p-1$ should have at least one "large" prime factor
- If $p-1$ has only small prime factors, then computing discrete logarithms is easy
Elgamal Public Key System
A way to implement the previous Diffie-Hellman scheme
- A wants to send B a message m, where 0 ≤ m ≤ p-1
- A chooses a number k uniformly between 0 and p-1.
- B's public key: $y_B \equiv \alpha^{x_B} \bmod p$
- A computes $K \equiv y_B^k \bmod p$, $c_1 \equiv \alpha^k \bmod p$, $c_2 \equiv K m \bmod p$ and sends $(c_1, c_2)$ to B
- B computes $K \equiv (\alpha^k)^{x_B} \equiv c_1^{x_B} \bmod p$ and $m \equiv c_2 / K \bmod p$
- Public parameters: $p$, a large prime; $\alpha$, a generator of $Z_p^*$
- Secret parameters: $k$ (A's), $x_B$ (B's)
- k must be used only once. If k is used more than once, for messages $m_1$ and $m_2$ (writing $c_{i,j}$ for component $i$ of the ciphertext of message $j$):
  $c_{1,1} \equiv \alpha^k \bmod p$, $c_{2,1} \equiv m_1 K \bmod p$
  $c_{1,2} \equiv \alpha^k \bmod p$, $c_{2,2} \equiv m_2 K \bmod p$
  Then $m_1/m_2 \equiv c_{2,1}/c_{2,2} \bmod p$, and $m_2$ is easily computed if $m_1$ is known.
- Breaking the system is equivalent to solving the Discrete Logarithm Problem
<Decryption>
- For $c_1, c_2 \in Z_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
- An adversary can decrypt the ciphertext if the adversary can compute the value $x_B = \log_\alpha y_B$
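The encryption, decryption and "k must be used once" rule above, as an added example (not code from the paper or the slides). The toy group p = 467, α = 2 and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters (assumptions): far too small for real use.
P, ALPHA = 467, 2        # prime p and generator alpha of Z_467*

def public_key(x_b):
    """y_B = alpha^x_B mod p."""
    return pow(ALPHA, x_b, P)

def encrypt(m, y_b, k=None):
    """(c1, c2) = (alpha^k, m * y_B^k) mod p, with a fresh secret k per message."""
    if not 0 <= m <= P - 1:
        raise ValueError("message must satisfy 0 <= m <= p-1")
    if k is None:
        k = secrets.randbelow(P - 2) + 1      # CSPRNG draw, 1 <= k <= p-2
    return pow(ALPHA, k, P), m * pow(y_b, k, P) % P

def decrypt(c1, c2, x_b):
    """m = c2 * (c1^x_B)^-1 mod p."""
    return c2 * pow(pow(c1, x_b, P), -1, P) % P

def m2_from_reused_k(ct1, ct2, m1):
    """Equal c1 means equal K, so m2 = m1 * c2' / c2 mod p with no key at all.
    Returns None when c1 differs (k was not reused) or when c2 is 0."""
    (c1a, c2a), (c1b, c2b) = ct1, ct2
    if c1a != c1b or c2a == 0:
        return None
    return m1 * c2b * pow(c2a, -1, P) % P
```

Passing an explicit k is only for reproducing the reuse case; callers should leave it unset so every message gets a fresh random k.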
Digital Signature
A digital signature provides
- Data integrity: the content of the message should be kept intact
- Sender's identity: B needs a guarantee that the message it received actually originated from where it says it did
- Non-repudiation: uses the sender's private key for signing
[Figure: A (sender) and B (receiver); B asks "from where?" and "intact!"]
Elgamal Digital Signature Scheme
The Signing Procedure (A)
- Choose a random number k, uniformly between 0 and p-1, such that gcd(k, p-1) = 1
- $r \equiv \alpha^k \bmod p$
- The signature for m is the pair (r, s), 0 ≤ r, s < p-1, satisfying
  $\alpha^m \equiv y_A^r r^s \equiv \alpha^{x_A r} \alpha^{k s} \bmod p$
  which can be solved for s by using
  $m \equiv x_A r + k s \bmod (p-1)$
  $s \equiv (m - x_A r)/k \bmod (p-1)$
The Verification Procedure (B)
- Given m, r, and s, check that $\alpha^m \equiv y_A^r r^s \bmod p$
Property
Public Key System
- Encryption operation: two exponentiations are required.
- Decryption operation: only one exponentiation (plus one division) is needed.
- (secret) random number $k \in Z_{p-1}$
  $e_K(m, k) = (c_1, c_2)$ where $c_1 = \alpha^k \bmod p$, $c_2 = m y^k \bmod p$
- For $c_1, c_2 \in Z_p^*$, define $d_K(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
- Randomization (through k)
  - The ciphertext for a given message m is not repeated
  - Prevents attacks like a probable text attack
- No relation between the encipherments of $m_1$, $m_2$, and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$.
Property
Signature System
- Signing procedure: one exponentiation (plus a few multiplications) is needed.
- Verification procedure: three exponentiations are needed. Build a table to reduce the exponentiations (1.875 exponentiations).
- (secret) random number $k \in Z_{p-1}^*$
  $sig_K(m, k) = (r, s)$ where $r = \alpha^k \bmod p$, $s = (m - x r) k^{-1} \bmod (p-1)$
  $ver_K(m, (r, s)) = \text{true} \Leftrightarrow y^r r^s \equiv \alpha^m \pmod p$
- The signature is double the size of the document
- Same size as that needed for the RSA scheme
- The number of signatures is $p^2$
- The number of documents is only $p$
Property
Computation complexity
- Computing discrete logarithms and factoring integers
- m: the number of bits in p
- Best known algorithm is given by $O(\exp(c \sqrt{m \ln m}))$, where the best estimate for c is 0.69
Recent computation complexity
- $O(n^3)$ on elliptic curve (2009) over a 112-bit finite field
- To prevent known attacks, p should have at least 300 digits (D. R. Stinson, "CRYPTOGRAPHY")
Comparison
Comparison with RSA
ElGamal | RSA
Security based on the difficulty of the discrete log problem | Security based on the difficulty of the factorization problem
The ciphertext is two values c1 and c2 and so is twice the size of the message m | The ciphertext is just one value c which is roughly the same size as the message m
Creates longer ciphertext | Uses longer keys
The encryption and decryption algorithms are different (although both take about the same time to perform) | The encryption and decryption algorithms are the same (modular exponentiation)
Attacks on the Signature Scheme
The goal of an attack: forging signatures
Breaking a signature scheme (by Handbook of Applied Cryptography)
- Total break: e.g. recovering the private key
- Selective forgery: forging a signature for a particular message or class of messages chosen a priori
- Existential forgery: forging a signature for at least one message, over which the adversary has no control
Attack: Total break (1/2)
Adversary knows
- Documents = { $m_i$ : i = 1, 2, ..., l } and the corresponding Signatures = { $(r_i, s_i)$ : i = 1, 2, ..., l }
Adversary tries to solve l equations for the secret key x
- (1) $\alpha^{m_i} \equiv (\alpha^{r_i})^x \cdot r_i^{s_i} \bmod p$, or
- (2) $m_i \equiv x \cdot r_i + k_i \cdot s_i \bmod (p-1)$, or
- (3) specially, $k_i = c k_j$ (if there are some linear dependencies among the unknowns)
Hard Problems
- (1), (3): computing discrete logarithms over GF(p)
- (2): l+1 unknowns (∵ $k_i \ne k_j$, $i \ne j$, ∀ i, j ∈ {1, 2, ..., l}), so the system of equations is underdetermined
Attack: Total break (2/2)
If any k is used twice in the signing, the private key x can be determined with high probability
- $s_1 = k^{-1}(m_1 - x \cdot r) \bmod (p-1)$ and $s_2 = k^{-1}(m_2 - x \cdot r) \bmod (p-1)$
- $(s_1 - s_2) k = (m_1 - m_2) \bmod (p-1)$
- $k = (s_1 - s_2)^{-1}(m_1 - m_2) \bmod (p-1)$ (if $s_1 - s_2 \ne 0$)
- Once k is known, x is easily found
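The signing and verification procedures and the reused-k total break above, as one added example (not code from the paper or the slides). The toy group p = 467, α = 2 and the function names are assumptions. The general congruence solver covers the "with high probability" caveat: when $s_1 - s_2$ or $r$ is not invertible mod p-1, each candidate is checked against r and y.

```python
from math import gcd

# Constructed toy parameters (assumptions): far too small for real use.
P, ALPHA = 467, 2        # 2 generates Z_467*
Q = P - 1                # exponent arithmetic is mod p - 1

def sign(m, x, k):
    """Return (r, s) with r = alpha^k mod p, s = (m - x*r) / k mod (p-1)."""
    if gcd(k, Q) != 1:
        raise ValueError("k must be coprime to p - 1")
    r = pow(ALPHA, k, P)
    return r, (m - x * r) * pow(k, -1, Q) % Q

def verify(m, r, s, y):
    """Accept iff 1 <= r <= p-1 and alpha^m == y^r * r^s (mod p)."""
    return 1 <= r < P and pow(ALPHA, m, P) == pow(y, r, P) * pow(r, s, P) % P

def solve_linear(a, b, n):
    """All z in [0, n) with a*z == b (mod n); handles gcd(a, n) > 1."""
    d = gcd(a, n)
    if b % d:
        return []
    a, b, n = a // d, b // d, n // d
    z0 = b * pow(a, -1, n) % n
    return [z0 + i * n for i in range(d)]

def key_exposed_by_reused_k(m1, sig1, m2, sig2, y):
    """Audit check: equal r on two different signatures means k was reused.
    Returns the secret x the pair discloses, or None if k was not reused."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    # (s1 - s2) * k == m1 - m2 (mod p-1)
    for k in solve_linear((s1 - s2) % Q, (m1 - m2) % Q, Q):
        if pow(ALPHA, k, P) != r1:
            continue
        # m1 == x*r + k*s1 (mod p-1), so r * x == m1 - k*s1
        for x in solve_linear(r1 % Q, (m1 - k * s1) % Q, Q):
            if pow(ALPHA, x, P) == y:
                return x
    return None
```

Scanning a signature log for repeated r values is the corresponding detection: any repeat means the signing key must be treated as compromised.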
Attack: Selective forgery (1/2)
Given a document m, adversary tries to find r, s such that $\alpha^m = y^r \cdot r^s \bmod p$
- (1) compute s with fixed r (= $\alpha^j \bmod p$, j chosen at random)
- (2) compute r with fixed s
Hard Problems
- (1): $\alpha^m = y^r \cdot r^s \bmod p$ is a discrete logarithm problem (DLP)
- (2): $\alpha^m = y^r \cdot r^s \bmod p$ is not proved to be at least as hard as computing DLP, but not feasible to solve in polynomial time
Attack: Selective forgery (2/2)
Adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages
- Select message m'
- Compute $u = m' \cdot m^{-1} \bmod (p-1)$, $s' = s \cdot u \bmod (p-1)$, and r' such that $r' \equiv r \cdot u \bmod (p-1)$ and $r' \equiv r \bmod p$ (by the Chinese Remainder Theorem)
- Verification: $\alpha^{m'} = y^{r'} \cdot r'^{s'} = y^{ru} \cdot r^{su} = (y^r \cdot r^s)^u = (\alpha^m)^u = \alpha^{m'} \bmod p$
How to prevent this attack
- Verify that 1≤r≤p at verification time (ref. Handbook of Applied Cryptography)
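Why the range check on r matters, as an added example (not code from the paper or the slides): a verifier that only evaluates the congruence accepts the (r', s') built above, while the same verifier with the range check rejects it. The toy group, the key y = 132 and the constructed signature (29, 16) on m = 101 are assumptions; the check is written as 1 ≤ r ≤ p-1.

```python
# Constructed toy parameters (assumptions): far too small for real use.
P, ALPHA = 467, 2            # 2 generates Z_467*
Q = P - 1
Y = 132                      # public key for the constructed secret x = 127
M, R, S = 101, 29, 16        # constructed valid signature on m = 101 (k = 213)

def verify_naive(m, r, s, y=Y):
    """Congruence only: alpha^m == y^r * r^s (mod p), no bound on r."""
    return pow(ALPHA, m, P) == pow(y, r, P) * pow(r, s, P) % P

def verify_checked(m, r, s, y=Y):
    """Same congruence, but r must first lie in 1..p-1."""
    return 1 <= r < P and verify_naive(m, r, s, y)

def derived_signature(m_new, m=M, r=R, s=S):
    """The (r', s') of the slide, derived from one valid (m, r, s).
    Needs m invertible mod p-1."""
    u = m_new * pow(m, -1, Q) % Q
    a = r * u % Q                      # r' mod (p-1)
    # CRT: r' == a mod (p-1) and r' == r mod p, using p-1 == -1 (mod p)
    r_new = a + Q * ((a - r) % P)
    return r_new, s * u % Q
```

A regression test for any ElGamal-style verifier should include such an out-of-range r and assert that it is rejected.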
Attack: Existential forgery
Adversary knowing one legitimate signature (r, s) for one message m can generate other legitimate signatures and messages
- Select A, B, C arbitrarily such that $(A \cdot r - C \cdot s)$ is coprime to p-1
- Compute $r' = r^A \cdot \alpha^B \cdot y^C \bmod p$, $s' = s \cdot r'/(A \cdot r - C \cdot s) \bmod (p-1)$, and $m' = r'(Am + Bs)/(Ar - Cs) \bmod (p-1)$
- Adversary may claim that (r', s') is the signature of the message m'
- !!! m' is not an arbitrary message
How to prevent this attack
- Use a one-way hash function: $\alpha^{h(m)} = (\alpha^r)^x \cdot r^s$
Conclusion
Proposed cryptosystem and signature scheme are based on
- the difficulty of computing discrete logarithms over finite fields
- a good generator for random numbers ($k_i \ne k_j$)
Elgamal's scheme is rarely used in practice, but many variants have been proposed, notably DSA.
Question or Comment