tion Select k: 1 ≤ k ≤ q-2
C1 = k mod q
C2 = (y^k M) mod q
Ciphertext = (C1, C2)

Decryption:
M = [C2 * (C1^x)^-1] mod q
where b^-1 (mod q) is the “multiplicative inverse” of b (mod q), i.e. [b * b^-1] mod q = 1 mod q

El Gamal Encryption of plaintext message M (< q):
Select k: 0 < k < q, relatively prime to (q-1)
C1 = k mod q
C2 = (y^k M) mod q
Ciphertext = (C1, C2)

Decryption:
M = [C2 * (C1^x)^-1] mod q

Proof:
[C2 * (C1^x)^-1] mod q = [y^k M * (C1^x)^-1] mod q
= [kx M * (C1^x)^-1] mod q = [C1^x * M * (C1^x)^-1] mod q = M mod q = M
because y^k mod q = kx mod q = C1^x

where b^-1 (mod q) is the “multiplicative inverse” of b (mod q), i.e. [b * b^-1] mod q = 1 mod q;
e.g. 8^-1 (mod 17) = 15 (mod 17) because (8 * 15) mod 17 = (17*7+1) mod 17 = 1

We can use Fermat’s little theorem to find b^-1 mod q:
If q is prime and q does not divide b, then b^-1 mod q = b^(q-2) mod q
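
An added example, not part of the course notes: the encryption, decryption and Fermat-inverse steps above written out in Python. The name g for the public base of the exponentiations, the function names, and the toy values q = 17, g = 3, x = 5, k = 3 are assumptions made for the example.

```python
# Added example: textbook ElGamal mod a prime q, following the steps above.
# Assumption: g names the public base of the exponentiations.
import secrets
from math import gcd

def inv_mod(b, q):
    """b^-1 mod q by Fermat's little theorem: b^(q-2) mod q (q prime, q does not divide b)."""
    if b % q == 0:
        raise ValueError("q divides b, so b has no inverse mod q")
    return pow(b, q - 2, q)

def keygen(q, g):
    x = secrets.randbelow(q - 2) + 1           # private key, 1 <= x <= q-2
    return x, pow(g, x, q)                     # public key y = g^x mod q

def pick_k(q):
    while True:                                # 0 < k < q, relatively prime to q-1
        k = secrets.randbelow(q - 1) + 1
        if gcd(k, q - 1) == 1:
            return k

def encrypt(m, y, q, g, k=None):
    if not 0 < m < q:
        raise ValueError("plaintext M must satisfy 0 < M < q")
    k = pick_k(q) if k is None else k
    if not (0 < k < q and gcd(k, q - 1) == 1):
        raise ValueError("k must satisfy 0 < k < q and gcd(k, q-1) = 1")
    c1 = pow(g, k, q)                          # C1 = g^k mod q
    c2 = (pow(y, k, q) * m) % q                # C2 = (y^k * M) mod q
    return c1, c2                              # two values mod q for one plaintext

def decrypt(c1, c2, x, q):
    # M = [C2 * (C1^x)^-1] mod q
    return (c2 * inv_mod(pow(c1, x, q), q)) % q

if __name__ == "__main__":
    q, g = 17, 3                               # constructed toy parameters, far too small for real use
    x, y = 5, pow(g, 5, q)                     # fixed key so the numbers can be followed by hand
    c1, c2 = encrypt(8, y, q, g, k=3)
    print("y =", y, "ciphertext =", (c1, c2), "decrypted =", decrypt(c1, c2, x, q))
```

The returned pair (C1, C2) is two values mod q for a single plaintext M < q, which is the size doubling the notes list as a drawback.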

El Gamal - an example

El Gamal
El Gamal can be considered to be a generalization of the Diffie-Hellman key exchange algorithm => relies on the difficulty of doing discrete logarithm: y = x mod q
Advantages:
  support both encryption and digital signature
  Not patented (but someone claims it is covered by the DH patent)
Drawbacks:
  The ciphertext (or digital signature) is about twice as big as the plaintext (or message digest to be signed on)
  The scheme was never popular in practice
The Digital Signature Algorithm (DSA) used in the US Digital Signature Standards (DSS) was a variant of, or based on, El Gamal’s scheme
The inventor, Taher El Gamal, also from Stanford, was Netscape’s Director of Security at one point

Digital Signature Standard (DSS)
In 1991, NIST in the US standardized the Digital Signature Standard (DSS).
SHA-1 is used to first compute the message digest, which is then signed by the Digital Signature Algorithm (DSA).
DSA is based on a variant of the El Gamal digital signature, and thus also inherits its “size-doubling” property => SHA-1 digest is 160 bits long, the DSA signature is 320 bits long: signature = (r,s).
Since DSA does not support encryption by design, it avoids US technology-export concerns.

Elliptic Curve Cryptosystems (ECC)
Independently proposed by Koblitz (U. of Washington) and Miller (IBM) in 1985
Depends on the difficulty of the elliptic curve logarithm problem
  fastest method is “Pollard rho method”
  Best attacks for discrete logarithm problem do NOT apply to elliptic curve logarithm problem
The first true alternative for RSA
ECC is beginning to challenge RSA in practical deployment in selected areas: embedded, wireless/mobile systems
It is a family of cryptosystems instead of a single one:
  ECC replaces modulo exponentiation by elliptic curve multiplication (and modulo multiplication replaced by ECC addition)
  Apply directly to Diffie-Hellman, El Gamal and DSA to yield ECC Diffie-Hellman (ECDH), ECC-ElGamal and ECC-DSA algorithms to support key exchange, encryption and digital signature...
This note was uploaded on 04/15/2013 for the course IE IERG4130 taught by Professor Zhangkehuan during the Spring '13 term at CUHK.