EE 418 Network Security and Cryptography Lecture #10 November 1, 2016 RSA and ElGamal Public Key Cryptosystems. Introduction to Key Distribution. Diffie-Hellman Key Distribution. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Outline: 1. Review: Public Key Cryptography { The Discrete logarithm problem { ElGamal cryptosystem 2. Introduction to Key Distribution Problem 3. Diffie-Hellman Key Distribution 1 Review: Public Key Cryptography and RSA Cryptosystem Last lecture, we continued our discussion about public key cryptography. In a public key cryptosystem, there are two keys: a public encryption key, i.e., a key known to everyone and a private decryption key that is kept private and known only to a person whom a ciphertext was intended for. Under a public key cryptosystem, anyone can encrypt a message to send to Alice using her public key, PKA, but only Alice can decrypt the message using her private key SKA. The figure below presents a block diagram of a secure communication using public key cryptosystem. Plaintext Ciphertext Plaintext ENC CHANNEL Ciphertext DEC Bob Alice Public Private key PKA key SKA Fig. 1. Schematic of public key-based encryption and decryption. In this lecture, we will continue our discussion about the ElGamal cryptosystem. In doing so, let's first recall the definition of the discrete logarithm problem. 1.1 The Discrete Logarithm Problem Let's consider the set of integers modulo p, denoted as Zp. The set of integers in Zp that are relatively prime ? ? to p is denoted as Zp. As an example, when p = 13, Z13 = f1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12g. ? ? Theorem 1. There exists an element α 2 Zp, denoted as a primitive element, such that for every y 2 Zp and for some x it holds that: y = αx(mod p) (1) 1 We omit the proof for this theorem, put let's consider the following example. Example 2: When p = 13, one of the primitive elements is equal to α = 2, leading to the elements f2; 22 = 4; 23 = 8; 24 = 3 (mod 13); 25 = 6; 26 = 12; 27 = −2 (mod 13) = 11 (mod 13); 28 = −4 (mod 13) = 9 10 11 12 ? 9 (mod 13); 2 = −8 (mod 13) = 5 (mod 13); 2 = 10; 2 = 7; 2 = 1g = Z13. Definition 1 (Discrete Logarithm Problem). Let's assume p is a prime number, and α and β are two nonzero integers (mod p). Let's now consider the equality: β ≡ αx(mod p) (2) The problem of finding x that satisfies equation (2) is known as the discrete logarithm problem. To date, no efficient algorithm for computing the discrete logarithm has been found. The assumption that the discrete logarithm problem is difficult is the basis for the ElGamal cryptosystem. For small primes p, of course, one can hand compute the set of elements, and do trial and error. For example, when p = 13, given α = 2 and β = 8,one can find that 23 = 8, and solve for a = 3. Therefore, typically the value of p needs to be very large (100 digit primes). 2 ElGamal Cryptosystem The ElGamal cryptosystem was developed by Taher ElGamal in 1985. The basic idea of ElGamal is as follows: 1. To encrypt, Bob generates a random number r and multiplies it by the plaintext x to obtain ciphertext Y = xr. Bob then transmits the ciphertext to Alice. 2. To decrypt, Alice follows an algorithm to remove the random number r, and retrieve the original plaintext. Since Bob generates a different random number during each instance of the encryption algorithm, a different ciphertext is generated even when the same plaintext is encrypted multiple times. Unlike RSA, whose security is based on the difficulty of factoring large integers, ElGamal bases its security on the difficulty of the Discrete Logarithm Problem. ElGamal has not been patented, which along with its randomized nature has contributed to its wide adoption. Ideas underlying the ElGamal cryptosystem have been incorporated into digital signature schemes and the Elliptic Curve Cryptography. We now describe the key generation, encryption, and decryption algorithms for ElGamal. 2.1 Key Generation Key generation consists of the following steps: 1. Choosing a large prime number p and an integer α satisfying 1 ≤ α ≤ (p − 1). Number α must be a primitive root, i.e., every integer z with 1 ≤ z ≤ (p − 1) can be written as z = αw mod p for some w. 2. Picking an integer a satisfying 1 ≤ a ≤ (p − 1), and then computing β = αa mod p. 3. The public key is defined by PK = (α; β; p) and the private key is defined by SK = a. As usual, public key PK is published, while the private key SK is kept secret. As an example of typical ElGamal key lengths, the GNU Privacy Guard (an open-source package from encrypting email) uses a key length of 2048 bits. 2.2 Encryption ElGamal encryption consists of the following steps: 1. Generate a random integer k satisfying 1 ≤ k ≤ (p − 2). 2 2. Compute Y1 and Y2 as k Y1 = α mod p k Y2 = xβ mod p 3. The ciphertext is given by (Y1;Y2) and is transmitted to Alice. Note that Bob chooses a different random integer k for each encrypted message that is sent. Hence, the same plaintext will yield a different ciphertext if it is encrypted twice using the ElGamal cryptosystem. 2.3 Decryption Alice decrypts a received ciphertext (Y1;Y2) as a −1 x = Y2(Y1 ) mod p: a −1 a a −1 a Here (Y1 ) denotes the inverse of Y1 , defined as the unique integer satisfying (Y1 ) (Y1 ) = 1 mod p.A schematic illustration of ElGamal is given in Figure 2. Alice Bob Key Generation: Generate prime p, integer α Generate a, compute β = αa mod p PKA = (α; β; p), SKA = a Alice publishes PKA = (α; β; p) Bob knows: PKA = (α; β; p) Encryption: Generate random integer k Compute ciphertext (Y1;Y2): k Y1 = α mod p, k k Y1 = α mod p Y2 = xβ mod p k Y2 = xβ mod p Decryption: a −1 x = Y2(Y1 ) mod p Fig. 2. Schematic illustration of ElGamal key generation, encryption, and decryption. Theorem 2. ElGamal cryptosystem is a well-defined cryptosystem. Proof. In order to prove that a cryptosystem is a well-defined cryptosystem, we need to prove that: d(Y; a) = d(e(x; α; β; p)) = x (3) Let's start from the following ElGamal decryption equation: a −1 x = Y2(Y1 ) (mod p) (4) Using ElGamal encryption equations: k Y1 = α (mod p) k Y2 = xβ (mod p) (5) 3 we can rewrite equation (4) as: x = xβk[(αk)a]−1 = xβk( αa )−k |{z} β = xβkβ−k (6) 2.4 Example of ElGamal Key Generation, Encryption, and Decryption An example of ElGamal key generation by Alice is: 1. Generate prime p = 2579 and α = 2. 2. Choose secret a = 765, and compute β = αa mod p = 2765 mod 2579 = 949. 3. Publish PKA = (α; β; p) = (2; 949; 2579). In order to encrypt the plaintext x = 1299, Bob carries out the following steps: 1. Generate a random number k = 853. 2. Compute k 853 Y1 = α mod p = 2 mod 2579 = 435 mod 2579 k 853 Y2 = xβ mod p = 1299(949) mod 2579 = 2396 mod 2579 3. The ciphertext is given by (Y1;Y2) = (435; 2396). Alice decrypts the received ciphertext (Y1;Y2) = (435; 2396) as a −1 765 −1 x = Y2(Y1 ) mod 2579 = 2396(435 ) mod 2579 = 1299 mod 2579: 2.5 Security of ElGamal Cryptosystem In order to decrypt an ElGamal ciphertext, the private key a is needed. The public key (α; β; p) and private key a are related by β = αa mod p. This resembles the problem of taking a logarithm of a real number, i.e., finding x such that y = ex, and is referred to as the Discrete Logarithm Problem (DLP). Analogous to RSA and factorization, known attacks on ElGamal require solving the DLP. Since there are currently no efficient algorithms for solving DLP, ElGamal is believed to be secure. 3 Introduction to Key Distribution Cryptographic primitives including encryption/decryption, message authentication, and digital signatures require the communicating parties Alice and Bob to agree on a shared secret key, or to obtain one another's valid public keys. Ensuring that Alice and Bob have valid cryptographic keys is the goal of key management, and today we focus on agreeing on a shared secret key over a public (insecure) channel. 4 Diffie-Hellman Key Exchange One efficient and secure method to agree on a shared secret key over an insecure channel relies on public key cryptography, and it is referred to as the Diffie-Hellman key exchange. The Diffie-Hellman key exchange was proposed by Witfield Diffie and Martin Hellman in 1976, and it was covered by U.S. patent 4,200,770, which has expired. The advantage of this approach is that symmetric key cryptosystems are typically much more efficient than public key cryptosystems. 4 The Diffie-Hellman protocol consists of the following steps, which are illustrated in Figure 3: 1. Alice and Bob agree on a prime number p and an integer α, with 1 ≤ α ≤ (p−1), such that α is a primitive ∗ ? w root of the set Zp = f1; 2; : : : ; p−1g; i.e., any integer z 2 Zp can be expressed as z = α ( mod p) for some integer w. Since (α; p) do not need to be secret, Alice and Bob can agree upon them \in the clear".