Download
1 / 22
320 likes | 602 Views
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. TAHER ELGAMAL IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985 Suhyung Kim Yeojeong Yoon 2010. 2. 25. Outline. Introduction Diffie -Hellman key distribution Elgamal Public Key System
E N D
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms TAHER ELGAMAL IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985 Suhyung Kim YeojeongYoon 2010. 2. 25
Outline Introduction Diffie-Hellman key distribution ElgamalPublic Key System ElgamalDigital Signature Scheme Property Comparison Attacks on the Signature Conclusion A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Introduction • Public-key Encryption(Asymmetric Cryptosystem) • First proposed in 1976 • "New Directions in Cryptography" Diffie and Hellman • Did not produce an algorithm • RSA cryptosystem(1978) • Based on difficulty of factoring large integers • ElGamal cryptosystem(1985) • Based on discrete logarithm problem Public Key Public Key Secret Key A(sender) B(receiver) Encrypt with the Public Key {plaintext}public key Decrypt with the Secret Key A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Introduction • RSA Cryptosystem • “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” published in 1978 • Proposed by Rivest, Shimar, andAdleman • Used a computationally difficult problem • Breaking requires factoring of large numbers A B 1. Select p, q (large prime) 2. Calculate n = p x q and ф(n) 3. Select b, s.t. Gcd(b, ф(n) ) = 1 4. Calculate a, s.t. b x a ≡ 1 (mod ф(n) ) Private key : (p, q, a) Public key : (n, b) eK(x) = xb mod n dK(y) = ya mod n A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Discrete Logarithm Problem(DLP) The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP) which is as follows : For a small value of p, it is easy to solve a DLP By trial and error or exhaustive search For a large value of p, finding discrete logarithms is difficult For a large value of p(p has around 300 decimal digits) it is not possible to solve a DLP using current technology Introduction • Given a prime p and values g and y,find x such that • y = gx mod p A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Diffie-Hellman key distribution • Public parameter • p : large prime • α : generator of Zp* • Secret parameter • xA (A’s) • xB(B’s) • xA= logαyA,xB= logαyB • Based on Discrete Logarithm Problem • p-1 should have at least one “large” prime factor • If p-1 has only small prime factors, then computing discrete logarithms is easy A B yA yB A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Elgamal Public Key System • Way to implement the Diffie-Hellman previous scheme • A wants to send B a message m, where 0 ≤ m ≤ p-1 • A chooses a number k uniformly between 0 and p-1. - Public parameter p : large prime α : generator of Zp* - Secret parameter k (A’s) xB (B’s) A B yB (c1,c2) A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Elgamal Public Key System • kmust be used once • If k is used more than once, c1.1 ≡ αk mod p c1.2≡ m1K mod p c2.1≡ αk mod p c2.2 ≡ m2K mod p Then m1/m2 ≡ c2.1/c2.2 mod p, and m2 is easily computed if m1 is known. • Breaking the system is equivalent to solving Discrete Logarithm Problem • Adversary can decrypt the ciphertext if adversary can compute the value • xB = logαyB <Decryption> - For c1, c2∈ Zp*, define dk(c1, c2) = c2(c1xB)-1 mod p A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Elgamal Digital Signature Scheme • Digital Signature • A digital signature provides • Data Integrity • The content of the message should be kept intact • Sender’s identity • B needs a guarantee that the message it received actually originated from where it says it did • Non-repudiation • Uses sender’s private key for signing from where? Intact! A(sender) B(receiver) Using Encryption for Authentication in Large Networks of Computers
Elgamal Digital Signature Scheme • The Signing Procedure(A) • Choose a random number k, uniformly between 0 and p-1, such that gcd(k,p-1)=1 • r ≡ αk mod p • The signature for m is the pair (r,s), 0 ≤ r, s < p-1 αm≡yArrs ≡ αxArαksmod p which can be solved for s by using m ≡ xAr+ ks mod (p-1) s ≡ (m - xAr)/k mod (p-1) • The Verification Procedure(B) • Given m, r, and s, checking αm ≡yArrs A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Property • Public Key System • Encryption operation • Two exponentiations are required. • Decryption operation • Only one exponentiation (plus one division) is need • randomization (against k) • The cipher text for a given message m is not repeated • Preventsattacks like a probable text attack • No relation m1, m2, and m1m2, or any other simple function of m1 and m2. • (secret) random number k ∈ Zp-1 • eK(m, k) = (c1, c2) • where • c1= αk mod p • c2= mykmod p • - For c1, c2∈ Zp*, define • dk(c1, c2) = c2(c1xB)-1 mod p A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Property • Signature System • Signing procedure • One exponentiation (plus a few multiplications) is needed. • Verification procedure • Three exponentiation are needed. • Make the table for reducing the exponentiation(1.875 exponentiation) • The signature is double the size of the document • Same size as that needed for the RSA scheme • The number of signature is p2 • The number of documents is only p (secret) random number k∈Zp-1*sigK( m, k ) = ( r, s )where r= αkmod p s= ( m - xr)k-1 mod ( p – 1 )verK( m, ( r, s ) ) = true ⇔ yrrs≡ αm ( mod p ) A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Property • Computation complexity • Computing discrete logarithms and factoring integers • m : the number of bits in p • Best known algorithm is given by where the best estimate for c is 0.69 • Recent computation complexity • O(n3) on elliptic curve(2009) over a 112-bit finite field • To prevent known attack p should have at least 300 digits(D R. Stinson, “CRYPTOGRAPHY”) A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Comparison • Comparison with RSA A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attacks on the Signature Scheme • The goal of an attack: forging signatures • Breaking a signature scheme (by Handbook of Applied Cryptography) • Total break: e.g. recovering the private key • Selective forgery: forging a signature for a particular message or class of messages chosena priori • Existential forgery: forging a signature for at least onemessage which adversary has no control over it A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attack: Total break (1/2) • Adversary knows • Documents = { mi : i = 1, 2, ..., l } and the corresponding Signatures = { (ri, si) : i = 1, 2, ..., l } • Adversary tries to solve l equations for the secret key x • αm = (αr)x∙ rs mod p … (1) or • mi=x∙ ri + ki∙ si mod (p-1) ... (2) or specially • ki=ckj(if some linear dependencies among the unknowns) ... (3) • Hard Problems • (1), (3) : computing discrete logarithm over GF(p) • (2) : l+1 unknowns (∵ ki ≠ kj, i ≠ j,∀i,j ∈ {1,2, ..., l}) the system of equations is undetermined A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attack: Total break (2/2) • If any k is used twice in the signing, the private key x can be determined with high probability • s1 = k-1(m1 – α∙ r) mod (p-1) and s2 = k-1(m2 – α∙ r) mod (p-1) (s1- s2)k = (m1 – m2) mod (p-1) K= (s1- s2)-1(m1 – m2) mod (p-1) (if s1- s2 ≠0) • Once k is known, x is easily found A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attack: Selective forgery (1/2) • Given a document m, adversary tries to find r, s such that • αm = yr∙ rs mod p • compute s with fixed r (= αj mod p, j chosen at random) … (1) • compute r with fixed s … (2) • Hard Problems • (1) : αm = yr∙ rs mod p – discrete logarithm problem(DLP) • (2) : αm = yr∙ rs mod p –not proved to be at least as hard as computing DLP, but not feasible to solve in polynomial time A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attack: Selective forgery (2/2) • Adversary knowing one legitimate signature (r, s) for one message m, can generate other legitimate signatures and messages • Adversary knowing one legitimate signature • Select message m' Compute u = m'∙ m-1 mod (p-1), s' = s∙ u mod (p-1), and r' such that r' = r∙ u mod (p-1) and r' =r mod p • Verification: αm' = yr' ∙ r' s' = yru∙ rsu= (yr∙ rs)u = (αm)u = αm' mod p • How to prevent this attack • Verify that 1≤r≤p at verification time (ref. Handbook of Applied Cryptography) (by the Chinese Remainder Theorem) A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Attack: Existential forgery • Adversary knowing one legitimate signature (r, s) for one message m, can generate other legitimate signatures and messages • Select A,B,C arbitrarily such that (A∙ r - C∙ s) is coprime to p-1 compute r'=rA∙ αB∙ yC mod p, s'=s∙ r'/(A∙ r - C∙ s) mod (p-1), and m' = r'(Am+Bs)/(Ar-Cs) mod (p-1) • Adversary may claim that (r', s') is the signature of the message m' • How to prevent this attack • Use one-way hash func: αh(m)= (αr)x∙ rs !!! m' is not an arbitrary message A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Conclusion • Proposed cryptosystem and Signature scheme are based on • the difficulty of computing discrete logarithms over finite fields • good generator for random numbers (ki ≠ kj) • Elgamal’s scheme is rarely used in practice. But many variants have been proposed. Specially, DSA A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
Question or Comment A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
