--- tags: vaje, kirv, elgamal hackmd: https://hackmd.io/wqIJQIUARuijtEa3P18IoA plugins: mathjax --- # Cryptography and computer security - Tutorial 8.12.2020 --- ## ElGamal encryption system Key generation: * Choose a large prime <i>$p$</i> and <i>$\alpha \in \mathbb{Z}_p^*$</i> such that <i>$\langle \alpha \rangle = \mathbb{Z}_p^*$</i> * Choose the **private key** <i>$a \stackrel{R}{\in} \mathbb{Z}_{p-1} \setminus \lbrace 0 \rbrace$</i> * Compute <i>$\beta = \alpha^a \bmod{p}$</i> * Publish <i>$(p, \alpha, \beta)$</i> as the **public key** Encryption of <i>$m \in \mathbb{Z}_p^*$</i>: * Choose <i>$k \stackrel{R}{\in} \mathbb{Z}_{p-1} \setminus \lbrace 0 \rbrace$</i> * Compute <i>$\gamma = \alpha^k \bmod{p}$</i> and <i>$\delta = m \beta^k \bmod{p}$</i> * The **ciphertext** is <i>$c = (\gamma, \delta)$</i> Decryption of <i>$c = (\gamma, \delta) \in (\mathbb{Z}_p^*)^2$</i>: * Compute <i>$m = \gamma^{-a} \delta \bmod{p}$</i> --- ### Exercise 1 Show that the ElGamal encryption and decryption functions are indeed each other's inverses. ---- $$ \gamma^{-a} \delta \equiv (\alpha^k)^{-a} m \beta^k \equiv m \alpha^{-ka} \alpha^{ak} \equiv m \alpha^{ak - ak} \equiv m \pmod{p} $$ --- ### Exercise 2 Let <i>$p = 101$</i>, <i>$\alpha = 2$</i>, <i>$\beta = 14$</i> be the public key for the ElGamal cryptosystem, with <i>$a = 10$</i> being the private key. Encrypt the plaintext <i>$m = 10$</i> using <i>$k = 7$</i> as the random number, and then decrypt the resulting ciphertext. ---- * order of $\alpha$: should be <i>$100 = 2^2 \cdot 5^2$</i> (in general, <i>$p-1 = \prod_{i=1}^t p_i^{e_i}$</i>) - check <i>$\alpha^{(p-1)/p_i} \not\equiv 1 \pmod{p}$</i> * <i>$\beta = 2^{10} \bmod{101} = 14$</i> Encryption: * <i>$\gamma = 2^7 \bmod{101} = 27$</i> * <i>$\delta = 10 \cdot 14^7 \bmod{101} = 60$</i> Decryption: | $k$ | $a$ | $s$ | --- | --- | --- | | 101 | 0 | | 27 | 1 | 3 | 20 | -3 | 1 | 7 | 4 | 2 | 6 | -11 | 1 | 1 | 15 * <i>$\gamma^{-a} \delta \bmod{p} = 17 \cdot 60 \bmod{101} = 10$</i> --- ### Exercise 3 Suppose that we use the same random number $k$ to encrypt two distinct plaintexts <i>$m_1$</i> and <i>$m_2$</i>. Can you reveal <i>$m_2$</i> if you know <i>$m_1$</i> and both ciphertexts? ---- * Public parameters: <i>$p, \alpha, \beta$</i> * <i>$(\gamma_1, \delta_1) = (\alpha^k, m_1 \beta^k)$</i> * <i>$(\gamma_2, \delta_2) = (\alpha^k, m_2 \beta^k)$</i> * We also know <i>$m_1$</i>. * Since the same <i>$k$</i> has been used, we have <i>$\gamma_1 = \gamma_2$</i>. * <i>$m_2 \equiv \delta_2 \delta_1^{-1} m_1 \equiv m_2 \beta^k m_1^{-1} \beta^{-k} m_1 \pmod{p}$</i> --- ### Exercise 4 Show that distinguishing ElGamal encryptions is equivalent to solving the decision Diffie-Hellman problem. ---- * Distinguishing ElGamal encryptions: - given <i>$(\gamma_1, \delta_1)$</i>, <i>$(\gamma_2, \delta_2)$</i> and <i>$(p, \alpha, \beta)$</i>, decide if they both encrypt the same plaintext * Decision Diffie-Hellman problem (DDH): - given a prime <i>$p$</i> and <i>$(\alpha, \beta, \gamma, \delta)$</i> such that <i>$\langle \alpha \rangle = \mathbb{Z}_p^*$</i>, decide if there exist <i>$u, v$</i> such that <i>$\beta \equiv \alpha^u \pmod{p}$</i>, <i>$\gamma \equiv \alpha^v \pmod{p}$</i>, <i>$\delta \equiv \alpha^{uv} \pmod{p}$</i> + assume that we can solve DDH - we are given an input <i>$(\gamma_1, \delta_1)$</i>, <i>$(\gamma_2, \delta_2)$</i> and <i>$(p, \alpha, \beta)$</i> for distinguishing ElGamal encryptions - <i>$\beta \equiv \alpha^a \pmod{p}$</i> - <i>$\gamma_i \equiv \alpha^{k_i} \pmod{p}$</i> (<i>$k = 1, 2$</i>) - <i>$\delta_i \equiv m_i \beta^{k_i} \pmod{p}$</i> (<i>$k = 1, 2$</i>) - we want to decide whether <i>$m_1 = m_2$</i> - construct an input for DDH: <i>$(\alpha, \beta, \gamma_1 \gamma_2^{-1}, \delta_1 \delta_2^{-1}) = (\alpha, \alpha^a, \alpha^{k_1-k_2}, m_1 m_2^{-1} \alpha^{a (k_1 - k_2)})$</i> - we solve DDH, if the answer is **yes**, then we have <i>$m_1 = m_2$</i>, otherwise not + assume we can distinguish ElGamal encryptions - we are given an input <i>$p$</i>, <i>$(\alpha, \beta, \gamma, \delta)$</i> for DDH - <i>$\beta \equiv \alpha^u \pmod{p}$</i> - <i>$\gamma \equiv \alpha^v \pmod{p}$</i> - <i>$\delta \equiv m \alpha^{uv} \pmod{p}$</i> - we want to decide whether <i>$m = 1$</i> - construct the ciphertexts <i>$(\alpha, \beta)$</i> (encrypting the plaintext <i>$1$</i>) and <i>$(\gamma, \delta)$</i> (encrypting the plaintext <i>$m$</i>) - we solve the distinguishing problem, if the two ciphertexts encrypt the same message, then output **yes**, otherwise output **no**