1 / 12

A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms TAHER ELGAMAL

A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms TAHER ELGAMAL. 2005 . 3 . 28 KANG JEON-IL INHA Univ. A. B. y A. y B. Diffie-Hellman key distribution. p : large prime number α : primitive element mod p A has a secret x A B has a secret x B

tamra
Download Presentation

A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms TAHER ELGAMAL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Public Key Cryptosystem and a Signature Scheme Based on Discrete LogarithmsTAHER ELGAMAL 2005 . 3 . 28 KANG JEON-IL INHA Univ.

  2. A B yA yB Diffie-Hellman key distribution • p : large prime number • α : primitive element mod p • A has a secret xA • B has a secret xB • It is not yet proved that breaking the system is equivalent to computing discrete logarithms. • If p-1 has only small prime factors, then computing discrete logarithms is easy.

  3. A B yB (c1,c2) Public Key System [1] • A wants to send B a message m, where 0 ≤ m ≤ p-1 • A chooses a number k uniformly between 0 and p-1.

  4. Public Key System [2] • If k is used more than once, c1.1 ≡ αk mod pc2.1 ≡ m1K mod p c1.2 ≡ αk mod pc2.2 ≡ m2K mod p Then m1/m2 ≡ c2.1/c2.2 mod p, and m2 is easily computed if m1 is known. • Breaking the system is equivalent to breaking the Diffie-Hellman distribution scheme • If m can be computed from c1, c2 and y, then K can also be computed from y, c1, and c2. • (Even if m is known) computing k or x from c1, c2, and y is equiavalent to computing discrete logarithms.

  5. A Digital Signature Scheme • The Signing Procedure • Choose a random number k, uniformly between 0 and p-1, such that gcd(k,p-1)=1 • r ≡ αk mod p • The signature for m is the pair (r,s), 0 ≤ r, s < p-1 αm ≡yrrs≡ αxrαks mod p which can be solved for s by using m ≡ xr + ks mod (p-1) s ≡ (m - xr)/k mod (p-1) • The Verification Procedure • Given m, r, and s, it is easy to verify the authenticity of the signature by computing both sides of αm and checking that they are equal.

  6. Attacks on the Signature [1] • Attack 1. (to recover x) • Given {mi,(ri,si): i = 1,2,…,l}, and intruder may try to solve l equation. m1 ≡ xr1 + k1s1 mod (p-1) m2 ≡ xr2 + k2s2 mod (p-1) ... ml ≡ xrl + klsl mod (p-1) • But, this is l+1 equation! • Attack 2. (to recover x) • Trying to solve equation of the form αm ≡ yrrs≡ αxrrsmod p • It’s always equivalent to computing discrete logarithms over GF(p).

  7. Attacks on the Signature [2] • Attack 3. (to recover x) • An intruder might try to develop some linear dependencies among the unknowns {ki:i=1,2,…,l}. • This is also equivalent to computing discrete logarithms. • Attack 4. (forging signature) • Given a document m, a forger may try to find r, s. • If r ≡ αj mod p is fixed for some j chosen at random, then computing s is equivalent to solving a DLP over GF(p). • If the forger fixes s first, then r could be computed from the equation rsyr ≡ A mod p • It is not yet proved to be at least as hard as computing DLPs. But, it does not seem to be feasible to solve it in polynomial time.

  8. Attacks on the Signature [3] • Attack 5. (forging signature) • It seems possible that αm ≡ yrrsmod p can be solved for both r and s simultaneously. • Attack 6. (forging signature) • Select integers A(=0),B and C arbitrarily such that (Ar-Cs) is relatively prime to p-1 (r’,s’) signs m’.

  9. Properties [1] • Best known algorithm is given by where the best estimate for c is 0.69 • These estimates imply that we have to use numbers that are about the size of the numbers used in the RSA system in order to obtain the same level of security. So, the size of the public file is larger (exactly twice) that that for the RSA system.

  10. Properties [2] public key system • Due to the randomization (against k) in the enciphering operation, the cipher text for a given message m is not repeated. • This prevents attacks like a probable text attack. • Due to the structure of system, there is no obvious relation between the enciphering of m1, m2, and m1m2, or any other simple function of m1 and m2. • For enciphering operation, two exponentiations are required. • For deciphering operation, only one exponentiation (plus one division) is need.

  11. Properties [3] signature scheme • The signature is double the size of the document. Then the size of signature is the same size as that needed for the RSA scheme. • Since the number of signature is p2, while the number of documents is only p, each document m has a lot of signature but any signature signs only one document. • For the signing procedure, one exponentiation (plus a few multiplications) is needed. • To verify a signature, it seems that three (or 1.875) exponentiation are needed.

More Related