Crypto Series – ElGamal Cryptosystem « Limited Entropy Dot Com

12Feb/100

Crypto Series – ElGamal Cryptosystem

In our last post we learnt about the Discrete Lograithm problem, why it is a difficult problem and how we can attempt to solve it if the numbers are manageable. Of course, in a real setting we wouldn't use 16 bit numbers as in my example, but at least 1024 bit numbers nowadays (and most likely even bigger numbers).

Now, we are going to see how to make use of that problem to create a public key cryptosystem. We will look at how ElGamal uses the DL problem to provide public key encryption and digital signatures. Keep on reading if you are interested!

ElGamal encryption

So we have our friends Alice and Bob wanting to communicate securely. To that end, they first agree on the public settings of the ElGamal cryptosystem. They need a finite cyclic group G to work on (such as $\mathbb{Z}*_p$ ) and a generator for that group, g. Of course, the group G must be a group where computing discrete logarithms is infeasible. Otherwise the system will not work.

With these numbers, Alice and Bob first generate their respective key pairs. First, they generate a random element in G, which will serve as a private key: $x_A$ and $x_B$ respectively. Now, they compute the corresponding secret keys as follows:

$h_A = g^{x_A}$ in G

$h_B = g^{x_B}$ in G

And now they can publish their public keys, $h_i$ , without any fear. Thanks to the difficulty of solving the discrete logarithm in G, their respective private keys remain safe even though everyone knows how they were generated.

So, now our friend Alice wants to send some message m to Bob. This message is represented as an element in the group G. First, she grabs Bob's public key. Then, she generates a random number r in the same group G. With that number and Bob's public key, she computes the following cryptogram:

$(R,S) = (g^r, h_B^r \cdot m )$

It is needless to say that these operations always take place in the group G. Now, when Bob receives this message he can compute m like this:

$m = \frac{S}{R^{x_B}} = \frac{h_B^r \cdot m}{(g^r)^{x_B}} = \frac{h_B^r \cdot m}{ (g^{x_B})^r} = \frac{h_B^r \cdot m}{h_B^r} = m$

This is good news, at least Bob can recover the message knowing $x_B$ . But that doesn't mean that the message will be safe from everyone else.

However, since the DL problem is difficult, it turns out that recovering r from R is difficult. Therefore, it is not easy to compute $h_B^r$ from the cryptogram and then recover m. It is also difficult to compute Bob's private key from his public key, which would be another way to recover the message.

And also, since r was random, R is randomized as well as S. Thus, an attacker has no information on the structure of the message and the system seems secure under the assumption that the DL problem is hard.

Example: ElGamal encryption

Let's continue with our previous example. We take again the same group, $Z^*_{17627}$ and its generator $g=6$ . Alice and Bob compute their respective private and public keys:

sage: G = IntegerModRing(17627) sage: g = G(6) sage: g.multiplicative_order() 17626 sage: xA = G.random_element() sage: xB = G.random_element() sage: hA = g^xA sage: hB = g^xB sage: hA 11094 sage: hB 1593 sage:

So now everyone knows the public keys of Alice (11094) and Bob (1593). Now let's imagine that Alice wants to send the message m (1337) to Bob. She has to create a new random number and compute the cryptogram:

sage: r=G.random_element() sage: R = g^r sage: m=1337 sage: S=hB^r*m sage: (R,S) (4831, 8533) sage:

Alright, now Alice sends this pair of numbers to Bob and he receives it and tries to decrypt them:

sage: mp = S/(R^xB) sage: mp 1337 sage:

Great, it works! However, note that this is not secure against chosen ciphertext attacks and the cryptogram is easily modifiable. For instance, one could modify the decrypted message by modifying only the S part of the cryptogram:

sage: Sp = 3*S sage: mp = Sp/(R^xB) sage: mp 4011 sage: 3*m 4011 sage:

Here an attacker has intercepted the message and modified S to be 3S. This results in the decrypted message being 3m instead of m. However, this kind of properties becomes very useful in multiparty computations such as electronic voting schemes.

ElGamal signature scheme

Now we know how to encrypt and decrypt messages using ElGamal. Next step is to see how ElGamal approaches digital signatures. The steps for generating the key pair are the same, i.e. each participant generates a random number as their private key and then computes $h=g^x$ as their public key.

Now, given a message m, Alice will first generate a cryptographic hash H(m). Then, she picks again a random number r and computes the following things:

$R=g^r$

$S = (H(m)-x_A\cdot R)\cdot r^{-1}$

Note that now we used the private key for the generation of the signature. Otherwise, we would not be able to prove that the message is linked to Alice since everyone knows the public key. If S turns out to be 0, Alice has to pick a new random number and compute the signature again.

The verification of the signature is performed by Bob as follows. Bob first computes the message H(m) and then performs the following two calculations:

$g^{H(m)}$

$h_A^R \cdot R^S$

Due to the way in which the values R and S have been computed, the two results should be the same if the signature and the message have not been modified:

$h_A^R \cdot R^S = (g^x_A)^R \cdot g^{r\cdot (H(m)-x_A\cdot R)\cdot r^{-1}}= g^{ x_A \cdot R + H(m) - x_A \cdot R} = g^{H(m)}$

So this tells us that the system is correct, and again in order to forge a signature one would need to either find collisions in the function H (see my post on hash functions) or solve a discrete logarithm. Both problems are believed to be hard. Note that the hash collision must occur over the group G, so that $g^{H(m')} \equiv g^{H(m)}$ .

Further reading

Once again, I refer the interested readers to the Handbook of Applied Cryptography for more extensive and accurate information on these topics. In this case, the ElGamal public key system is described in chapter 8, section 8.4.

Enjoy this article?

Consider subscribing to our rss feed!

Posted by Eloi Sanfèlix

Tagged as: Crypto Series, Cryptography, ElGamal Leave a comment

Comments (0) Trackbacks (0) ( subscribe to comments on this post )

No comments yet.

My tweets!

RT @daniel_rome: We have published some vulnerabilities we found during an internal @NCCGroupplc research. Further news will come soon, sta… 03:35:50 PM May 29, 2019 Reply Retweet Favorite
@singe @bluefrostsec oops, thanks! 12:36:32 PM May 27, 2019 in reply to singe Reply Retweet Favorite
RT @bluefrostsec: We just published the slides for the TEE presentation @esanfelix gave at #zer0con2019 and #infiltrate19, and kicking off… 11:38:13 AM May 27, 2019 Reply Retweet Favorite
Made it to seoul for #zer0con2019, will be arriving at the venue in about an hour. Ping me if you're around and like to meet up. 09:03:28 AM April 10, 2019 Reply Retweet Favorite
#protip: keep your webex window in sight so you can notice if your connection drops XD Despite that hiccup, and the… https://t.co/WuaWjPmQ1r 05:28:29 PM March 25, 2019 Reply Retweet Favorite
RT @matalaz: Use whatever tool you want, I do use both IDA and Ghidra. But stop being a fucking dick and acting like it's holy war insultin… 12:00:49 PM March 22, 2019 Reply Retweet Favorite
RT @bluefrostsec: BFS Ski Seminar in Seefeld and Axamer Lizum! https://t.co/EzUvPhYyoL 03:39:17 PM March 20, 2019 Reply Retweet Favorite
RT @doegox: "White-Box Cryptography: Don’t Forget About Grey-Box Attacks" in Journal of Cryptology ヽ(^o^)ノ Courtesy link: (requires js) ht… 11:12:08 PM February 14, 2019 Reply Retweet Favorite
RT @Kachakil: If you liked the blog post I published about how I discovered and exploited a vulnerability in Android (https://t.co/SGtyFPQk… 12:56:07 PM February 05, 2019 Reply Retweet Favorite
RT @jmartijnb: Interested to learn more about Trusted Execution Environment security? In a few weeks I will present @nullcon my work on fuz… 08:42:13 PM February 01, 2019 Reply Retweet Favorite

@esanfelix

Limited Entropy Dot Com Not so random thoughts on security featured by Eloi Sanfèlix