1 | P a g e
COMP 4109 – Applied Cryptography
Cryptosystems (P, C, K, E, D)
1. P is the finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K is the keyspace, a finite set of possible keys
4. For each key there exists an encryption rule and a corresponding decryption rule
5. and
6.
Secured Communications – Cipher rules previously agreed upon.
A and B agree on a random key over a secure channel.
A wants to send to B
A encrypts each of and computes and the encrypted message is
Y is sent over the unsecured channel.
B receives Y
B applies to each of in order to obtain
The encryption function must be 1-to-1 such that:
The Shift Cipher
Suppose a and b are integers, and m is a positive integer. We write a ≡ b (mod m) if m divides b − a.
The phrase a ≡ b (mod m) is called a congruence: a is congruent to b modulo m. This
cipher encrypts by adding a fixed offset (the key) to each letter modulo m. It has a small key space,
bounded by the size of m, e.g. the size of the alphabet that P is written in.
Suppose and where and where .
Abelian Group
Suppose the binary operation * is defined for elements of the set G. Then G is an abelian group with
respect to * provided:
1. G is closed under *: for each pair of elements of G, their product is in G
2. * is commutative
3. * is associative
4. G has an identity element e: there is an e in G such that e * g = g for every g in G
5. G contains inverses: every element of G has an inverse under *
A field has two operations
A group has a single operation
Substitution Cipher
o |K| = 26!
* Each letter is merely substituted by another, so repeated plaintext letters give repeated ciphertext letters.
The decryption key is the inverse permutation of the encryption permutation. Vulnerability: measure the frequencies of the most common ciphertext characters and match them to the most common letters of the language.
Permutation Cipher (the example below is a permutation, or transposition, cipher: letters keep their identity but change position within each block)
Example: plaintext = shesellsseashellsbytheseashore
x     1 2 3 4 5 6
π(x)  3 6 1 5 2 4
Break the plaintext into groups of m = 6: shesel|lsseas|hellsb|ythese|ashore
Arrange each group of six letters according to the permutation (output letter j is input letter π(j)):
ELSEHS|SSLASE|LBHSEL|HEYSTE|HEARSO
The ciphertext is decrypted with the inverse permutation.
Affine Cipher
Encrypts a letter x as a·x + b mod 26, i.e. a multiplication (rotate) combined with a shift; a must be invertible mod 26.
When a = 1 the cipher is a simple Shift Cipher.
Example
Substitute:
Vigenère Cipher
This cipher can map the same plaintext character to different ciphertext characters, but it is exploitable once
the key length m is found. A keyword of length m is chosen, the plaintext is broken up into
chunks of size m, and each plaintext letter is shifted by the corresponding keyword letter. The value of m
can be figured out from the ciphertext alone (Kasiski test, index of coincidence). Because the mapping is not unique, the same
plaintext character can be mapped to different ciphertext characters, which defeats naive frequency counting.
7.
8. For a key
9.
10.
11. The same character can be mapped to different values.
Example
Suppose m = 6 and the keyword is CIPHER. This has the numerical equivalent (2, 8, 15, 7, 4, 17).
plaintext:  19  7  8 18  2 17 24  2 19 14 18 24
key:         2  8 15  7  4 17  2  8 15  7  4 17
ciphertext: 21 15 23 25  6  8  0 10  8 21 22 15
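The four classical ciphers above (shift, affine, permutation and Vigenère) as one runnable implementation. This is an added example, not code from the course notes; the letter-to-number mapping a = 0, ..., z = 25 and the 1-based permutation table are the conventions used in the notes, and the affine parameters a = 7, b = 3 in the usage are an assumption.

```python
"""Shift, affine, permutation and Vigenère ciphers over the 26-letter alphabet."""
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_nums(text):
    """Map letters to 0..25 (a = 0), dropping anything that is not a letter."""
    return [ALPHA.index(c) for c in text.upper() if c in ALPHA]


def to_text(nums):
    return "".join(ALPHA[n % 26] for n in nums)


def affine_encrypt(plaintext, a, b):
    """e(x) = a*x + b mod 26. Requires gcd(a, 26) = 1; a = 1 gives the shift cipher."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be invertible mod 26 (odd and not 13)")
    return to_text(a * x + b for x in to_nums(plaintext))


def affine_decrypt(ciphertext, a, b):
    """d(y) = a^-1 * (y - b) mod 26; pow(a, -1, 26) is the modular inverse."""
    a_inv = pow(a, -1, 26)
    return to_text(a_inv * (y - b) for y in to_nums(ciphertext)).lower()


def permutation_encrypt(plaintext, pi):
    """Permutation (transposition) cipher with block size m = len(pi).

    pi[j-1] = pi(j) as a 1-based position: output letter j of each block is
    input letter pi(j). The plaintext length must be a multiple of m.
    """
    x = plaintext.upper()
    m = len(pi)
    if len(x) % m:
        raise ValueError("plaintext length must be a multiple of the block size")
    return "".join(x[start + p - 1] for start in range(0, len(x), m) for p in pi)


def permutation_decrypt(ciphertext, pi):
    """Decrypt with the inverse permutation: inv(pi(j)) = j."""
    inv = [0] * len(pi)
    for j, p in enumerate(pi, start=1):
        inv[p - 1] = j
    return permutation_encrypt(ciphertext, tuple(inv)).lower()


def vigenere(text, keyword, decrypt=False):
    """Add (or subtract) keyword letter k[i mod m] to plaintext letter i."""
    key = to_nums(keyword)
    sign = -1 if decrypt else 1
    out = to_text(x + sign * key[i % len(key)] for i, x in enumerate(to_nums(text)))
    return out.lower() if decrypt else out


# Usage: the permutation example from the notes and an affine/Vigenère round trip
PERM_CT = permutation_encrypt("shesellsseashellsbytheseashore", (3, 6, 1, 5, 2, 4))
AFFINE_CT = affine_encrypt("hot", 7, 3)          # assumed key a = 7, b = 3
VIG_CT = vigenere("thiscryptosystem", "CIPHER")
```

All three encrypt into the same letter set, so the same `to_nums`/`to_text` helpers serve every cipher; the only structural difference is that the permutation cipher never changes letter identities, which is why its ciphertext has exactly the plaintext's letter frequencies.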
Vulnerability / Cryptanalysis – Kasiski Test
Two identical segments of plaintext will be encrypted to the same ciphertext whenever their
occurrences in the plaintext are a number of positions apart that is a multiple of m.
Scan the ciphertext to search for pairs of identical segments (of length at least 3) and record the
distances between the starting positions of the 2 segments. Several distances will be obtained;
the key length m should divide their gcd.
There may be false positives: two strings may occur as the splits between different m-blocks,
where x is the end of the last block and ab the beginning of the new block, mimicking the
xab string; such chance repeats are not at a multiple of m and have to be discarded.
Hill Cipher
This cryptosystem uses invertible matrices in order to encrypt and decrypt a message.
If m is the block length, K = the set of all invertible m × m matrices over Z26. Let
, define , and .
Example:
Stream Ciphers (P, C, K, L, E, D)
Generate a keystream and use it to encrypt a plaintext string according to the encryption rule:
where each character of ciphertext is
encrypted with a character from the keystream alphabet.
1. L is the keystream alphabet
2. g is the keystream generator that takes K as input and generates the infinite string
called the keystream.
Example: Let and Let for , and
Let m = 4
Each new keystream bit depends on a linear combination of 2 previous keystream bits (a linear feedback shift register).
Synchronous keystreams: the keystream z is independent of the plaintext.
Asynchronous keystreams depend upon the plaintext.
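The m = 4 example above as running code. This is an added example, not code from the notes; the recurrence z_{i+4} = z_i XOR z_{i+1} and the key (1, 0, 0, 0) are assumed (they are the textbook example the notes follow), and the "known plaintext" attack at the end shows why an LFSR keystream, although it has the maximal period 2^m − 1, is not secure: 2m keystream bits are enough to solve for the taps and regenerate everything.

```python
"""A synchronous stream cipher from an LFSR, and why known plaintext breaks it.
Assumed recurrence (m = 4): z_{i+4} = z_i XOR z_{i+1}, key = initial register contents."""


def lfsr_keystream(key_bits, taps, length):
    """Keystream of `length` bits from initial register (z_1..z_m) = key and recurrence
    z_{i+m} = c_0 z_i + c_1 z_{i+1} + ... + c_{m-1} z_{i+m-1} (mod 2), taps = (c_0..c_{m-1})."""
    state = list(key_bits)
    out = []
    for _ in range(length):
        out.append(state[0])
        new_bit = sum(c * z for c, z in zip(taps, state)) % 2
        state = state[1:] + [new_bit]          # shift left, feed the new bit in
    return out


def lfsr_period(key_bits, taps):
    """Steps until the register returns to its starting state (at most 2^m - 1 for a nonzero key)."""
    start, state, steps = tuple(key_bits), list(key_bits), 0
    while True:
        state = state[1:] + [sum(c * z for c, z in zip(taps, state)) % 2]
        steps += 1
        if tuple(state) == start:
            return steps


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def stream_encrypt(plain_bits, key_bits, taps):
    """y_i = x_i XOR z_i; decryption is the same call (synchronous: z ignores the plaintext)."""
    return xor_bits(plain_bits, lfsr_keystream(key_bits, taps, len(plain_bits)))


def recover_keystream(plain_bits, cipher_bits):
    """Known plaintext gives the keystream directly: z = x XOR y."""
    return xor_bits(plain_bits, cipher_bits)


def recover_taps(z, m):
    """2m consecutive keystream bits give m linear equations in the m unknown taps,
    z_{i+m} = sum_j c_j z_{i+j} (mod 2) for i = 0..m-1; solve by elimination over GF(2).
    With the taps and any m keystream bits the attacker regenerates the whole keystream."""
    rows = [list(z[i:i + m]) + [z[i + m]] for i in range(m)]   # augmented matrix [M | b]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("singular system; use a different window of keystream")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(m):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]


# Usage with the assumed textbook parameters
KEY, TAPS = [1, 0, 0, 0], [1, 1, 0, 0]
KEYSTREAM = lfsr_keystream(KEY, TAPS, 15)
```

The period of 15 = 2^4 − 1 is the best an LFSR with m = 4 stages can do, yet `recover_taps` shows the generator is linear and therefore recoverable from 8 known keystream bits; real stream ciphers add a nonlinear filter or combiner on top of LFSRs for exactly this reason.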
Cryptanalysis
Can an attacker determine the key k shared between 2 parties? Assume the attacker knows which cryptosystem
is being used (Kerckhoffs' principle); only the key is secret.
Ciphertext Only Attack: the attacker can only see the ciphertext.
Known Plaintext Attack: the attacker possesses plaintext and the corresponding ciphertext.
Chosen Plaintext Attack: the attacker has temporary access to the encryption machinery,
and can choose plaintexts and generate their ciphertexts.
Chosen Ciphertext Attack: the attacker has temporary access to the decryption machinery,
and can choose ciphertexts and obtain their plaintexts.
Consider Affine Ciphers
Suppose an attacker has obtained a ciphertext 57 characters long. Using the English
alphabet, tabulate the frequency of each letter. The most frequent letters are:
R = 8, D = 7, E, H, K = 5, F, S, V = 4
From this data, we hypothesize that R is the encryption of E and D is the encryption of T, since
E and T are the two most common letters of English. Numerically, this gives two congruences in the
unknowns a and b, e(4) = 17 and e(19) = 3, which are solved for the key. If the solution has gcd(a, 26) ≠ 1
the hypothesis is rejected and the next most frequent letters are tried.
Cryptanalysis of the Vigenère Cipher
For a key of length m, each ciphertext position is shifted by one key letter.
To find m: use the Kasiski test to determine the key length. The observation is that if two
identical segments of ciphertext, each of length at least 3, are found, there is a good chance
that they correspond to identical segments of plaintext encrypted under the same key positions.
1. Search the ciphertext for pairs of identical segments of length at least 3
2. Record the distances between the starting positions of the 2 segments
a. Segment distances denoted by b. Assume
3. is a string of n alphabetic characters
a.
Suppose x is a string of text where the probabilities for each letter are denoted by:
We would expect the probability of two random elements of the alphabet are equal is:
Denote the frequencies of occurrence of each letter in x by f_0, ..., f_25. We can
choose 2 elements of x in n(n − 1)/2 ways, and for each letter i there are f_i(f_i − 1)/2 ways of choosing
both elements to be i.
Suppose the ciphertext has been constructed using the Vigenère Cipher with a keyword of length m. Writing the
ciphertext out in m columns (every m-th letter in one column), each column is a shift of plaintext letters.
If m is the correct keyword length, then each column's index of coincidence should be
roughly 0.065 (the value for English). If m is not the correct keyword length, the columns mix several
shifts, look more random and less meaningful, and the index drops towards 1/26 ≈ 0.038.
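Both key-length tests, Kasiski and the index of coincidence, run against a constructed Vigenère ciphertext. This is an added example, not code from the notes; the English sample paragraph, the keyword LEMON and the decision threshold 0.052 (midway between the English value 0.065 and the value for a mixture of shifts) are assumptions. Kasiski distances are tallied with a divisibility vote rather than a plain gcd, because the chance repeats discussed above would drive the gcd to 1.

```python
"""Kasiski test and index of coincidence for finding the Vigenère key length."""
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere_encrypt(plaintext, keyword):
    p = [ALPHA.index(c) for c in plaintext.upper() if c in ALPHA]
    k = [ALPHA.index(c) for c in keyword.upper()]
    return "".join(ALPHA[(x + k[i % len(k)]) % 26] for i, x in enumerate(p))


def kasiski_distances(ciphertext, n=3):
    """Distances between every pair of repeated n-grams. Genuine repeats (same plaintext
    under the same key letters) are multiples of the key length; chance repeats are not."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    dists = Counter()
    for pos in positions.values():
        for j in range(len(pos)):
            for i in range(j):
                dists[pos[j] - pos[i]] += 1
    return dists


def kasiski_vote(dists, max_m=10):
    """For each candidate m, the fraction of observed distances divisible by m."""
    total = sum(dists.values())
    if total == 0:
        return {}
    return {m: sum(c for d, c in dists.items() if d % m == 0) / total
            for m in range(2, max_m + 1)}


def index_of_coincidence(text):
    """I_c = sum f_i (f_i - 1) / (n (n - 1)): about 0.065 for English, 0.038 for uniform text."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def mean_column_ioc(ciphertext, m):
    """Write the ciphertext in m columns (y_i, y_{i+m}, ...) and average I_c over them."""
    return sum(index_of_coincidence(ciphertext[i::m]) for i in range(m)) / m


def guess_key_length(ciphertext, max_m=10, threshold=0.052):
    """Smallest m whose columns look like single shifts of English. Taking the smallest
    qualifying m avoids reporting a multiple of the true length (2m, 3m, ... also qualify)."""
    for m in range(1, max_m + 1):
        if mean_column_ioc(ciphertext, m) >= threshold:
            return m
    return None


# Constructed sample: ordinary English, so the letter statistics are realistic.
SAMPLE_PLAINTEXT = (
    "Cryptography has a long history of ciphers that were believed to be secure until someone "
    "examined them carefully. The Vigenere cipher was called the unbreakable cipher for three "
    "hundred years, yet it falls to a simple statistical test once the length of the keyword is "
    "known. Repeated words in the plaintext that happen to line up with the same part of the "
    "keyword produce repeated blocks in the ciphertext, and the distances between those repeated "
    "blocks are multiples of the keyword length. Writing the ciphertext in columns then reduces "
    "every column to a shift cipher, and counting letter frequencies in each column recovers the "
    "keyword letter by letter. The index of coincidence gives a second and independent estimate "
    "of the keyword length, because a column that really is a shift of English keeps the uneven "
    "letter distribution of English, while a column that mixes several shifts looks much closer "
    "to uniform. Together the two tests leave the attacker with very little guessing to do."
)
SAMPLE_KEY = "LEMON"
SAMPLE_CIPHERTEXT = vigenere_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```

Once m is known, each column is a shift cipher and is solved independently by matching its frequency profile against the English profile, which recovers the keyword letter by letter.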
Cryptanalysis of the Hill Cipher
Succumbs easily to a known-plaintext attack.
Known-Plaintext Attack
The attacker knows m pairs of plaintext/ciphertext blocks, which form the rows of matrices X and Y with Y = XK. If X is invertible, then they
can easily determine K by K = X^{-1} Y. If X is not invertible, then the attacker tries other plaintext blocks
until they acquire an invertible matrix X.
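The attack above, end to end, on a 2 × 2 Hill cipher. This is an added example, not code from the notes; the key matrix and the plaintext "friday" are constructed (they are the textbook example), and the matrix inverse mod 26 is computed through the adjugate so that it works for any small m, not just m = 2.

```python
"""Hill cipher over Z_26 and the known-plaintext attack K = X^{-1} Y."""
from math import gcd

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26


def mat_mul(X, Y, n=MOD):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % n
             for j in range(len(Y[0]))] for i in range(len(X))]


def minor(M, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]


def det(M):
    """Determinant by cofactor expansion along the first row (fine for the small m used here)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def mat_inv(M, n=MOD):
    """M^{-1} = det(M)^{-1} * adj(M) mod n, or None when det(M) is not a unit mod n."""
    d = det(M) % n
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    m = len(M)
    adj = [[(-1) ** (i + j) * det(minor(M, j, i)) for j in range(m)] for i in range(m)]
    return [[d_inv * adj[i][j] % n for j in range(m)] for i in range(m)]


def hill(text, K, decrypt=False):
    """Blocks of m letters are row vectors x; y = x K to encrypt, x = y K^{-1} to decrypt."""
    m = len(K)
    M = K
    if decrypt:
        M = mat_inv(K)
        if M is None:
            raise ValueError("key matrix is not invertible mod 26")
    nums = [ALPHA.index(c) for c in text.upper() if c in ALPHA]
    if len(nums) % m:
        raise ValueError("text length must be a multiple of m")
    out = []
    for i in range(0, len(nums), m):
        out.extend(mat_mul([nums[i:i + m]], M)[0])
    s = "".join(ALPHA[v] for v in out)
    return s.lower() if decrypt else s


def known_plaintext_attack(plaintext, ciphertext, m):
    """Take m consecutive plaintext blocks as the rows of X and the matching ciphertext
    blocks as Y. Since Y = X K, K = X^{-1} Y as soon as a window with invertible X is found."""
    p = [ALPHA.index(c) for c in plaintext.upper() if c in ALPHA]
    c = [ALPHA.index(ch) for ch in ciphertext.upper() if ch in ALPHA]
    blocks = len(p) // m
    for start in range(blocks - m + 1):
        X = [p[(start + i) * m:(start + i + 1) * m] for i in range(m)]
        Y = [c[(start + i) * m:(start + i + 1) * m] for i in range(m)]
        X_inv = mat_inv(X)
        if X_inv is not None:
            return mat_mul(X_inv, Y)
    return None


# Usage: constructed key and plaintext; the attacker sees only the two strings
KEY = [[7, 19], [8, 3]]
CT = hill("friday", KEY)
RECOVERED = known_plaintext_attack("friday", CT, 2)
```

The attack needs only m blocks of known plaintext, i.e. m² letters, which is why the Hill cipher is linear in the worst sense: one short crib and the whole key is gone.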
Chapter 2: Shannon's Theory
Computational Security: how much computational effort is needed to break the system.
Provable Security: the security of the system is reduced to a well-studied hard problem, e.g. the system is secure if a given integer cannot be
factored.
Unconditional Security: no bound is placed on the attacker's computational resources.
Elementary Probability Theory
Let X be a discrete random variable where the probability that the random variable X takes on the
value x is denoted by , or if the random variable is fixed.
Joint Probability
Conditional Probability
Independent Random Variables
Bayes’ Theorem If
Perfect Secrecy (P,C,K,E,D)
Assume there is a probability distribution on P.
Let X be the Random Variable with the above probability distribution
Let be chosen with the help of some probability distribution
is known
We can assume that k and X are independent random variables.
For a key ,
For all , we have:
Example
Perfect Secrecy: the attacker cannot get any information about the plaintext by observing the ciphertext.
A cryptosystem has perfect secrecy if, for every plaintext and every ciphertext, the probability of the
plaintext given the observed ciphertext equals its prior probability.
Suppose that the 26 keys in the shift cipher are used with equal probability 1/26. Then for any
plaintext probability distribution, the shift cipher has perfect secrecy (for a single character): each character is
shifted by a uniformly random key.
Example cryptosystem with P = {a, b} and three keys (entries are the ciphertexts):
key   e(a)  e(b)
1     1     2
2     2     3
3     3     4
Recall that , and for , , so let’s compute
the probability distribution on C with then…
Theorem 2.4
Suppose a cryptosystem has |K| = |C| = |P|. Then it provides perfect secrecy if and only if every key is
used with equal probability 1/|K| and, for every plaintext x and ciphertext y, there is a unique key mapping x to y.
Proof:
, but from assumption
No two distinct keys can map a plaintext character to the same ciphertext
character.
Let and the plaintext, and fix a ciphertext element and set
, using Bayes’ Theorem:
One-Time Pad
Let , for
, define and
Each key can only be used once.
Limitations in practice: encryption is a plain XOR, so the cipher is malleable (flipping a ciphertext bit flips the
same plaintext bit) and reusing a key leaks the XOR of the two plaintexts.
New keys, as long as the message, need to be generated and communicated over a secure channel.
2.7 Product Ciphers
Assume that (endomorphic).
Let and
A key, will be a pair and
,
Prove
Multiplicative Cipher
Let and let
For define:
Let M be a multiplicative cipher where , and , Let S
be a shift cipher.
Key in affine cipher is equivalent to key in .
3.1 Block Ciphers
Product block cipher which is iterated, i.
Round function
Key Schedule
Encryption of the plaintext goes through Nr rounds.
Key Schedule
Keys: , and random key:
Round Function:
Encryption Decryption
3.3 Substitution-Permutation Networks (SPN)
This is a special type of iterated cipher. The block is broken up into m sub-blocks of l bits each,
where lm is the block length of the cipher. It uses two components, a substitution function s
(an S-box acting on l bits) and a permutation p of the lm bit positions.
Given an lm-bit binary string x, write x as the concatenation of
m substrings, each l bits long. For each round r = 1, ..., Nr:
The SPN goes through Nr rounds, and on each iteration performs m substitutions using the S-box
followed by the permutation. Before each substitution, the round key bits are mixed in by an XOR
operation.
1. The input to the S-boxes in round r is the state after key mixing.
2. The output of the S-boxes in round r is the substituted state.
3. The permuted state is obtained from the S-box output by applying the permutation.
4. The next round input is constructed from the permuted state by XOR'ing it with the next round key; round key mixing.
5. In the last round, the permutation is not applied, allowing the encryption algorithm to be used for
decryption as well (with inverse S-boxes and the round keys in reverse order).
6. The very first and very last operations in the SPN are XORs with subkeys, a process called whitening.
   Whitening prevents an attacker from beginning to carry out an encryption or decryption (evaluating
   even the first S-box layer) if the key is not known.
Algorithm 3.1:
return y;
is defined to be 16 consecutive bits starting at
is the first S-Box
is the result of
is the application of
is the application of
is the 2nd
round of using an S-Box
is the result of
after 4 rounds of substitution, permutation and XOR
The decryption function is merely the inverse of the encryption function
There is always a fixed number of rounds; in the example above there are 5 round keys for the 4 rounds,
the substitution and permutation functions must be invertible, and
S-boxes have a fixed size, in this case 4 bits, with 4 S-boxes per round.
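The 16-bit, 4-round SPN of the example above as runnable code. This is an added example, not code from the notes; the S-box, the permutation (a transpose of the 4 × 4 bit matrix) and the key schedule (16 consecutive bits of a 32-bit key starting at bit 4r − 3) are assumed to be those of the textbook example the notes follow, as are the sample plaintext and key in the usage.

```python
"""A 16-bit substitution-permutation network: 4 S-boxes x 4 bits, 4 rounds, 5 round keys."""

# pi_S: input nibble -> output nibble (assumed S-box)
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# pi_P: bit position i (1 = most significant) moves to position PERM[i-1]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]
PERM_INV = [0] * 16
for _i, _j in enumerate(PERM, start=1):
    PERM_INV[_j - 1] = _i
NR = 4  # rounds; the key schedule yields NR + 1 round keys


def substitute(x, box):
    """Apply the 4-bit S-box to each of the four nibbles of a 16-bit value."""
    out = 0
    for nib in range(4):
        shift = 4 * nib
        out |= box[(x >> shift) & 0xF] << shift
    return out


def permute(x, perm):
    out = 0
    for i, j in enumerate(perm, start=1):
        out |= ((x >> (16 - i)) & 1) << (16 - j)
    return out


def round_keys(key32):
    """K^r = the 16 consecutive key bits starting at bit 4r - 3 (1-based, MSB first)."""
    return [(key32 >> (16 - 4 * (r - 1))) & 0xFFFF for r in range(1, NR + 2)]


def spn_encrypt(x, key32):
    ks = round_keys(key32)
    w = x
    for r in range(NR - 1):                      # rounds 1..NR-1: key mix, S-boxes, permutation
        w = permute(substitute(w ^ ks[r], SBOX), PERM)
    v = substitute(w ^ ks[NR - 1], SBOX)         # last round omits the permutation
    return v ^ ks[NR]                            # final whitening


def spn_decrypt(y, key32):
    """Same structure run backwards: inverse S-box, inverse permutation, reversed key order."""
    ks = round_keys(key32)
    w = substitute(y ^ ks[NR], SBOX_INV) ^ ks[NR - 1]
    for r in range(NR - 2, -1, -1):
        w = substitute(permute(w, PERM_INV), SBOX_INV) ^ ks[r]
    return w


# Usage: assumed sample plaintext 0010 0110 1011 0111 and 32-bit key
SAMPLE_X, SAMPLE_KEY = 0x26B7, 0x3A94D63F
SAMPLE_Y = spn_encrypt(SAMPLE_X, SAMPLE_KEY)
```

Because the last round has no permutation, `spn_decrypt` is the same network with the inverse tables and the round keys reversed, which is the point made in item 5 above; a real cipher would use a far wider block and many more rounds, but the structure is identical.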
Linear Cryptanalysis
It is possible to find a probabilistic linear relationship between a subset of plaintext bits and a
subset of state bits immediately preceding the substitutions performed in the last round.
Try every candidate value of the last-round subkey bits involved:
1. For each known plaintext/ciphertext pair, partially decrypt the last round with the candidate subkey
and test whether the linear relationship holds; only the correct candidate shows the predicted bias.
Suppose are 0-1 Independent Random Variables.
Let be real number such that for all i.
Suppose that , and the independence of and implies that:
And for the XOR conditions:
Definition of Bias: for a random variable that takes the values 0 and 1, the bias is the probability
of 0 minus 1/2 (bias 0 means unbiased; bias ±1/2 means the variable is constant).
Let denote the bias of the random variable
Consider an S-box whose m-bit input tuple
is a uniformly random bit string.
is a 0-1 random variable with bias
The S-box output is the ciphertext-side value:
o it is a random variable that depends on the input.
To compute the bias of a linear combination of input and output bits:
The Random Variables defined by an S-Box
If we analyze the random variable:
Bias:
We can compute the biases for all possible
combinations of input-bit masks and output-bit masks. There are a total
of 256 possible random variables of this
form (16 input masks × 16 output masks). In compact form, this can be written as:
Where the input mask and the output mask are each treated as a hexadecimal digit, one for the
input and one for the output.
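The table of 256 biases above computed for a 4-bit S-box, plus the piling-up lemma used in the next step to combine the biases of the four active S-boxes. This is an added example, not code from the notes; the S-box is assumed to be the one from the textbook SPN example (the mask bit 8 corresponds to X1, the most significant input bit, and likewise for Y1).

```python
"""Linear approximation table (N_L values) and the piling-up lemma for a 4-bit S-box."""
from fractions import Fraction
from functools import reduce

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """N_L(a, b) = number of inputs x with a.x XOR b.S(x) = 0, where a.x is the XOR of the
    input bits selected by mask a and b.S(x) the XOR of the output bits selected by b.
    Bit 8 of a mask is X1 (resp. Y1), bit 1 is X4 (resp. Y4)."""
    n = len(sbox)
    return [[sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
             for b in range(n)] for a in range(n)]


def bias(table, a, b):
    """epsilon(a, b) = N_L(a, b)/16 - 1/2 as an exact fraction."""
    return Fraction(table[a][b], 16) - Fraction(1, 2)


def piling_up(biases):
    """Bias of X_1 XOR ... XOR X_k for independent X_i: 2^(k-1) * product of the epsilon_i."""
    return 2 ** (len(biases) - 1) * reduce(lambda acc, e: acc * e, biases, Fraction(1))


def best_approximations(table, top=5):
    """(|bias|, a, b) for the most biased non-trivial mask pairs; these seed a linear trail."""
    scored = [(abs(bias(table, a, b)), a, b) for a in range(16) for b in range(16) if a or b]
    return sorted(scored, reverse=True)[:top]


LAT = linear_approximation_table(SBOX)
# Usage: the two S-box approximations used in the textbook trail
#   X1 XOR X3 XOR X4 XOR Y2      -> a = 1011, b = 0100
#   X2 XOR Y2 XOR Y4             -> a = 0100, b = 0101
TRAIL_BIAS = piling_up([bias(LAT, 0xB, 0x4), bias(LAT, 0x4, 0x5),
                        bias(LAT, 0x4, 0x5), bias(LAT, 0x4, 0x5)])
```

The piling-up lemma is what turns four per-S-box biases of ±1/4 into a whole-cipher bias of −1/32; the number of plaintext/ciphertext pairs the attack needs then grows like the inverse square of that bias, which is why designers pick S-boxes whose largest |bias| is as small as possible.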
Look at the individual S-boxes that are active in the linear trail:
1. – Random Variable
has a bias
2. - Random Variable
has a bias
3. - Random Variable
has a bias
4. - Random Variable
has a bias
Assuming that are independent random variables, then the bias of
. We need to express the XOR of in terms of
input bits(x), output bits(y) and key bits.
Computing the XOR of the above on the right sides, we see that some V’s cancel out:
Input bits – , Intermediate bits – ,
It is best to think about the key bits as fixed, and we want to figure out the values of the
last-round subkey bits that enter the active S-boxes:
1. two groups of 4 candidate subkey bits, and
2. there are 2^8 = 256 possibilities for these bit sequences.
We construct plaintext-ciphertext pairs, and for each pair and each candidate subkey we partially
decrypt the last round to obtain the S-box inputs, then compute the value of the linear expression
and maintain counters indexed by the 256 possible subkey values. At the end of the counting process,
we expect that most counters will have a value close to half the number of pairs, but the entry with
the correct subkey should have a value that deviates from half by the bias times the number of pairs.
If the bias is small, the number of pairs needed grows like the inverse square of the bias.
Data Encryption Standard (DES)
Uses a Feistel Cipher. Each stage is divided into halves (left and right, 32 bits each).
Round function:
16 rounds of Feistel Cipher with a block length of 64 bits.
Keys are 56 bits long; the 64-bit key includes 8 parity bits.
The ciphertext y will be 64 bits long.
Prior to beginning the 16 rounds, an initial permutation IP is applied to the plaintext.
After the 16 rounds of encryption, the inverse permutation IP^{-1} is applied to the bitstring
(with the two halves swapped), yielding the ciphertext y.
Each half is 32 bits in length, so the round function f takes a 32-bit half and a 48-bit round key
chosen from K by the key schedule.
f consists of substitution (S-boxes) followed by a permutation, and is implemented as follows:
A is expanded to a 48-bit string by an expansion function E. E(A) consists of a permutation
of the 32 bits of A in which 16 bits are repeated.
Evaluate the XOR of E(A) with the 48-bit round key, which is 48 bits.
8 S-boxes are used; each box maps 6 bits to 4 bits.
Compute the output of S-box j for j = 1, ..., 8.
Concatenate the eight 4-bit outputs into C, which is a 32-bit string.
Permute the 32 bits of C with a permutation P.
Choose a 56-bit key and determine the 16 round keys (the key schedule).
An example of a DES S-box:
Each S-box is a 4 × 16 matrix, rows numbered 0, 1, 2, 3 and columns 0, ..., 15.
Given a 6-bit S-box input, the matrix entry works as the stored reference location:
the outer two bits (first and last) determine the row number,
the middle four bits determine the column number,
and the 4-bit entry at that row and column is the output. Note that the map is 6 bits to 4 bits, so it is not invertible.
Fermat's Little Theorem
For any integer a and prime p, a^p − a will be evenly divisible by p.
If p is prime and a is an integer coprime to p, then a^{p−1} − 1 will be evenly divisible by p.
4. Hash Functions
Message = x, hash of message = h(x) = y, which is known (stored or sent separately).
1. If a user receives x', computes h(x') and finds h(x') = y, then the message has data integrity
2. Otherwise the message has been changed since h(x) was computed
3. Collisions may also occur (two different messages with the same hash)
Keyed Hash Functions
Message authentication Hash Family (X, Y, K, H):
x – plaintext (message), y – the digest or tag, K – keyspace,
Alice and Bob know K; Alice sends a pair (x, y), where y is the keyed hash of x under K.
An unkeyed hash function has only 1 key, so it can be treated as a single function h.
Let h be an unkeyed hash function. A hash function is desirable if the following problems are difficult to solve. There
are 3 problems that must be made difficult in order to make such a hash function desirable:
Preimage: h is known and y is known.
Given a message digest y, can x be determined such that h(x) = y?
Second Preimage: h is known and x is known.
Given a message x, can a different x' be found such that h(x') = h(x)?
Collision: h is known.
Find any pair x ≠ x' such that h(x) = h(x').
If X and Y are finite sets, how many possible functions are there from X to Y? Consider an ideal
hash function: then the only way to determine h(x) for a given x is to evaluate it, since an ideal function
is drawn at random from the set of all possible functions from X to Y.
Let h be chosen randomly. Let X_0 be the set of inputs queried so far, so that the value of h is known for each element
of X_0. Then the generic algorithms are:
Find-Preimage(h, y, Q):
  choose any subset X_0 of X with |X_0| = Q
  for each x in X_0 do
    if h(x) = y then return x
  return fail
Find-Preimage2(h, x, Q):   (second preimage)
  choose a subset X_0 of X \ {x} with |X_0| = Q − 1
  y := h(x)
  for each x_0 in X_0 do
    if h(x_0) = y then return x_0
  return fail
Proof:
Let y be fixed, and Let , and all ’s are all
independent events:
Find-Collision(h, Q):
  choose a subset X_0 of X with |X_0| = Q
  for each x in X_0 do compute y_x := h(x)
  if y_x = y_x' for some x' ≠ x then return (x, x')
  else return fail
Example: say 80-bit digests are used; then, using a birthday attack, a collision is expected after about 2^40 evaluations.
Proof
Let where , and
Let be the event that:
By Induction – the probability of finding no collisions:
With the above estimate, the probability of finding no collisions is approximately:
The probability of finding at least one collision:
But if we want this probability to exceed 1/2 then
Consider a 40-bit digest; then y is expressed as 40 bits as well. Choosing a subset
of X of sufficient size should yield a collision; in this
case about 2^20 evaluations are enough. This is why practical hash functions use much larger digests of
128, 256 or even 512 bits: the birthday attack then costs about 2^64, 2^128 or 2^256 evaluations.
When designing a good hash function, it is important to make it very difficult to find a collision
between different inputs.
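Find-Preimage and Find-Collision from above, run for real against a shortened hash so the 2^n versus 2^{n/2} gap is visible in seconds. This is an added example, not code from the notes; the "ideal" n-bit hash is assumed to be SHA-256 truncated to n bits, and the inputs are a counter rather than random strings so that runs are reproducible.

```python
"""Preimage search versus birthday collision search on an n-bit truncated hash."""
import hashlib
import math


def truncated_hash(bits):
    """Return h: bytes -> int giving the top `bits` bits of SHA-256 (stand-in for an ideal hash)."""
    def h(data):
        return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)
    return h


def find_preimage(h, y, max_queries):
    """Find-Preimage: try Q distinct inputs, succeed if one hashes to y.
    Expected cost is about 2^n queries for an n-bit digest."""
    for i in range(max_queries):
        x = i.to_bytes(8, "big")
        if h(x) == y:
            return x, i + 1
    return None


def find_collision(h, max_queries):
    """Find-Collision: hash distinct inputs, stop at the first repeated digest.
    Expected cost about 1.17 * 2^(n/2) queries (birthday bound); digests kept in a dict."""
    seen = {}
    for i in range(max_queries):
        x = i.to_bytes(8, "big")
        y = h(x)
        if y in seen:
            return seen[y], x, i + 1
        seen[y] = x
    return None


def birthday_queries(bits, success_prob=0.5):
    """Q such that Pr[collision among Q inputs] ≈ success_prob for an n-bit digest:
    Q ≈ sqrt(2 * 2^n * ln(1/(1 - success_prob))), i.e. about 1.17 * 2^(n/2) for 1/2."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - success_prob)))


# Usage: a 32-bit digest collides after roughly 2^16 hashes; a 16-bit preimage takes ~2^16 too,
# which is the whole point: collisions on n bits cost about what preimages on n/2 bits cost.
H32, H16 = truncated_hash(32), truncated_hash(16)
COLLISION = find_collision(H32, 1 << 20)
PREIMAGE = find_preimage(H16, H16(b"constructed target message"), 1 << 20)
```

For a 40-bit digest `birthday_queries(40)` is about 1.2 million, matching the 2^20 figure above; for 256 bits it is about 2^128, which is why modern digests are that long.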
4.3 Iterated Hash Functions
These are used on arbitrarily long (finite) strings, which are broken up into fixed-size
blocks and fed through a compression function. Suppose a long finite string exists with a function to break
it up into blocks:
Preprocessing
Given an input string x where , construct a string where
for .
Processing: Let IV be the initialization vector of length m.
Postprocessing
Output:
Merkle-Damgård Construction
A particular method of constructing a hash function from a compression function.
Collision resistance of the hash follows from the compression function being collision resistant.
Compress:
Iterated hash function:
Claim: If compress: is
collision resistant then the hash function
constructed by the Merkle-
Damgård construction is collision resistant.
Proof: Suppose we can find a collision for the hash function
in polynomial time.
Let x and x' be padded with d and 0's (the padding also encodes the length).
Let the g values (the chaining values) be computed by the algorithm as:
Case 1:
If and we have:
since , but their compression values are the same.
4.4 Message Authentication Codes (MACs) – Keyed Hash Functions
Using the key only as the initialization vector of an iterated hash (IV = key) is insufficient.
An attacker can request up to Q valid MACs for well-known messages.
o The attacker can then generate new valid (message, tag) pairs without the key, because the attacker
knows the public compression function and can continue the iteration from a known tag (length extension);
this creates an authentication problem.
The attacker can generate a valid tag for a new message without knowing the actual key!
The resulting pair is a forgery.
Cipher Block Chaining – CBC-MAC(x, k)
On a long string broken into blocks, XOR each block with the previous output and encrypt the result:
IV = 0; y_0 = IV; y_i = e_k(y_{i−1} XOR x_i); return the last y_i when complete.
Birthday Collision Attack – the attacker can request MACs for a large number of messages.
Let , ,
Choose q distinct bit strings of length t (first blocks):
Choose q random bit strings of length t (second blocks):
o Define each queried message as one first block followed by one second block (and common remaining blocks)
for
1. The attacker requests MACs for each such message
2. Due to the birthday problem, two of the q messages will have the same MAC with probability about 1/2 when q ≈ 1.17 · 2^{t/2}
3. Define v = x_i || w and v' = x_j || w for the colliding pair and any suffix w
The attacker requests the MAC of v and outputs (v', MAC(v)): the MAC of v' is obtained without knowledge of key k, and v' was never queried.
RSA
1. n = pq, where p and q are primes:
2. and 3.
Bob-Public = (n, b); Bob-Private = a (p, q and φ(n) are also kept secret).
1. Bob selects 2 distinct large prime numbers p and q. Computes n = pq and φ(n) = (p − 1)(q − 1).
2. Bob selects an odd integer b with gcd(b, φ(n)) = 1 as his public exponent and computes a = b^{−1} mod φ(n), his private key.
3. Bob publishes the public key (n, b).
4. Alice wants to send the message x to Bob. She computes y = x^b mod n using Bob's
public key.
5. When Bob receives y, he applies x = y^a mod n using his private key a.
Example
1. p = 23, q = 41, n = 943, φ(n) = 22 · 40 = 880.
2.
3. Public: (943, b) with b = a^{−1} mod 880; private exponent a = 503.
4. Alice sends y = x^b mod 943
5. Bob computes y^503 mod 943 = 35.
Prove that decryption recovers x.
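The example above in code, with the correctness claim checked exhaustively over Z_943 (both the case gcd(x, n) = 1 and the case where x shares a factor with n, which the proof below treats separately). This is an added example, not code from the notes; it derives b from the private exponent a = 503 given in the notes and assumes x = 35 is the message Alice sent.

```python
"""RSA with the toy parameters from the notes (p = 23, q = 41, private exponent a = 503)."""
from math import gcd


def rsa_keygen(p, q, a):
    """n = pq, phi = (p-1)(q-1); the public exponent b is the inverse of the private a mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(a, phi) != 1:
        raise ValueError("a must be invertible modulo phi(n)")
    b = pow(a, -1, phi)
    return (n, b), (n, a)


def rsa_encrypt(public, x):
    n, b = public
    if not 0 <= x < n:
        raise ValueError("plaintext must be an element of Z_n")
    return pow(x, b, n)


def rsa_decrypt(private, y):
    n, a = private
    return pow(y, a, n)


def check_correctness(public, private):
    """x^(ab) ≡ x (mod n) for every x in Z_n, including the x that share a factor with n."""
    n = public[0]
    return all(rsa_decrypt(private, rsa_encrypt(public, x)) == x for x in range(n))


def textbook_example():
    """Returns (public key, ciphertext of x = 35, decrypted value)."""
    public, private = rsa_keygen(23, 41, 503)
    y = rsa_encrypt(public, 35)
    return public, y, rsa_decrypt(private, y)
```

Note that a = 503 and b = 7 are inverses modulo 880 (503 · 7 = 3521 = 4 · 880 + 1), so either can be published; in practice the small one is the public exponent and the large one stays private, exactly as the notes' step 5 uses a.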
Requirements:
Easy to generate p,q,a,b
Easy to generate ciphertext
Easy to decrypt
Computationally infeasible to decrypt without knowing a
Proof of correctness:
1. If ; Fermat
2. If ; Euler
3. Let p,q be 2 numbers where
If
then
To prove
Note that ;
If
If : x is a multiple of p.
In both cases,
Proof of if and p is prime then Let . Multiply them all by a and take mod p = . No two values in
Modular Exponentiation and Prime Generation
n = pq where p and q are large primes of 1024 bits each. By the prime number theorem the number of primes
below N is about N / ln N, so the probability that a random 1024-bit number is prime is about
1 / ln(2^1024) ≈ 1/710, and about 1/355 if only odd numbers are tested. Testing a few hundred random odd
candidates therefore gives a good chance of finding a large prime. Let
n be a number: is n prime? If n is not prime then it has a factor no larger than √n, and
if its factors are 512 bits long then p or q is only found by trial division after about 2^512 steps, which is infeasible.
We can instead decide whether n is (probably) prime by testing a handful of random bases
with the Miller-Rabin method. Let
n be an odd number; then n − 1 is even, so n − 1 = 2^k m for some odd m and k ≥ 1. Let
If p is prime and a is coprime to p, then a^{p−1} ≡ 1 (mod p), and since p is prime the only square roots of 1 modulo p are ±1.
Let p be a prime number greater than 2, so p − 1 is even; write p − 1 = 2^k m with m odd. Then for any a coprime to p
either:
a^m ≡ 1 (mod p), or a^{2^i m} ≡ −1 (mod p) for some 0 ≤ i < k.
Miller-Rabin Test
1. Find k and m with n − 1 = 2^k m, m odd.
2. Select a random number a with 1 < a < n − 1.
3. If a^m ≡ 1 (mod n) then return "n may be prime".
4. For i = 0 to k − 1 do
   If a^{2^i m} ≡ −1 (mod n)
   return "n may be prime";
Return "n is composite";
Given an odd composite number n, the probability that a randomly chosen base a
returns the inconclusive answer "may be prime" is at most 1/4, so t independent rounds reduce the
error probability to at most (1/4)^t.
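Miller-Rabin as above, with the "at most 1/4 of the bases lie" bound made visible on a small composite, and the random-prime search that uses it. This is an added example, not code from the notes; the numbers tested (561, 1387, 2579, 2^61 − 1) are constructed inputs.

```python
"""Miller-Rabin primality test, strong liars, and random prime generation."""
import random


def decompose(n_minus_1):
    """Write n - 1 = 2^k * m with m odd."""
    k, m = 0, n_minus_1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def passes_round(n, a):
    """One Miller-Rabin round with base a: True if a^m ≡ 1 or a^(2^i m) ≡ -1 for some 0 ≤ i < k."""
    k, m = decompose(n - 1)
    x = pow(a, m, n)
    if x in (1, n - 1):
        return True
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False            # a is a witness: n is definitely composite


def miller_rabin(n, rounds=32, rng=random):
    """Probable-prime test: a composite passes each round with probability at most 1/4."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    return all(passes_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def strong_liars(n):
    """Bases that make an odd composite n look prime for one round (at most (n-1)/4 of them)."""
    return [a for a in range(1, n) if passes_round(n, a)]


def random_prime(bits, seed=None):
    """Draw odd candidates with the top bit set until one passes; about ln(2^bits)/2 tries.
    Returns (prime, number of candidates tried)."""
    rng = random.Random(seed)
    tries = 0
    while True:
        tries += 1
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand, rng=rng):
            return cand, tries
```

Fermat's test alone would accept Carmichael numbers such as 561 for every coprime base; Miller-Rabin's extra square-root check is what catches them, and `strong_liars(25)` shows that even for a square only 4 of the 24 bases fool a single round.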
RSA:
Why is factoring hard? Is factoring hard? How fast can factoring work?
Sieve of Eratosthenes / trial division:
Iteratively divide n by the prime numbers in increasing order, up to √n.
For a 2048-bit n with two 1024-bit factors that means on the order of 2^1024 candidate divisors,
so trial division cannot deduce the factors of n; faster methods are needed.
Pollard-ρ (rho) Heuristic
i := 1; x_1 := random value in {0, ..., n − 1}; y := x_1; k := 2;
while TRUE do                                  Example: n = 1387
  i := i + 1;
  x_i := (x_{i−1}^2 − 1) mod n;
  d := gcd(y − x_i, n);
  if d ≠ 1 and d ≠ n then print(d);
  if i = k then y := x_i; k := 2k;
This loop does not stop, and runs forever. We only need to maintain x_i, y and k, so the memory
requirement is very low. When y is updated, i is some power of 2. If d is printed, it is a non-
trivial factor of n. This algorithm does not go through all possible values of x_i because the
sequence eventually enters a cycle. If n is composite, this procedure typically finds its
factors.
We can mathematically describe how long it takes before a cycle is observed by focusing on the
line in the algorithm which produces pseudo-random numbers in the range 0, ..., n − 1.
By the birthday paradox a value repeats after about √n steps, and it would take us that many
steps to discover the cycle modulo n. But let p be a non-trivial factor of n, so
p ≤ √n. Due to the birthday paradox, we get a collision modulo p already after about
√p steps.
Continuing Example:
Let p be a non-trivial factor of n, ,
,
, Let
be the sequence corresponding to n. Let
be the sequence such that
We have that
, and remember that
, so we have that
We know that there is a collision in the values modulo p in about √p steps. Since p ≤ √n, there exists a
collision in
about n^{1/4} steps, or a cycle appears after that many steps.
Complexity:
Standard Sieve Method (trial division): O(√n) = O(2^{b/2})
Pollard-ρ: O(n^{1/4}) = O(2^{b/4})
where b = number of bits needed to represent n.
Inside the long cycle of the sequence modulo n there is a much shorter cycle of the same sequence modulo p;
the gcd detects that hidden cycle without knowing p, which is where the step count above comes from.
Discrete Log
(1): a^m ≡ 1 (mod n). If gcd(a, n) = 1 then m = φ(n) satisfies (1) (Euler's theorem). What is
the least positive integer m for which (1) holds? This value of m is called the order
of a: the least power of a that is equal to 1. It is the length of the period generated by a,
i.e. of the sequence a, a^2, a^3, ... modulo n; the order is the least such m, and m exists whenever gcd(a, n) = 1.
Example
After we know the exponentiation finally equals 1, we will see that the numbers continue to
cycle from this point on. The length of these cycles always divides φ(n), the number of units modulo n.
The important elements are those whose cycle length is φ(n) itself (p − 1 when n = p is prime). These values for a
are called primitive roots. Any of these values can generate the whole set of units. Not all n's have
primitive roots.
Where a is a primitive root of p, every b with 1 ≤ b ≤ p − 1 can be written as b = a^i mod p for a
unique i with 0 ≤ i ≤ p − 2; so for what value of i does b = a^i hold? The value i is called the discrete log of b.
The discrete log problem:
Given b, a, p, finding i is hard. Example: p = 19. But given a, i, p then
finding b is easy.
Diffie-Hellman key exchange algorithm:
Public elements: a prime q and a primitive root α of q.
Remember that given α^x mod q, finding the exponent x is difficult.
Alice: selects a random positive integer X_A < q and computes Y_A = α^{X_A} mod q, where X_A is
private and Y_A is public.
Bob: selects a random integer X_B < q and computes Y_B = α^{X_B} mod q, where X_B is private and Y_B is public.
Alice computes the key K = Y_B^{X_A} mod q. Bob computes the key K = Y_A^{X_B} mod q.
Claim: both equal α^{X_A X_B} mod q.
Example: q = 353
Alice chooses X_A, computes Y_A ... Missed example, see textbook
Susceptible to a man-in-the-middle attack:
1. Oscar generates two random private keys X_{O1} and X_{O2} with public values Y_{O1} and Y_{O2}.
2. Alice transmits Y_A to Bob.
3. Oscar intercepts Y_A, and transmits Y_{O1} to Bob instead.
4. Bob receives Y_{O1} and computes K2 = Y_{O1}^{X_B} mod q.
5. Bob transmits Y_B to Alice.
6. Oscar intercepts Y_B and computes K2 = Y_B^{X_{O1}} mod q (the key he shares with Bob).
7. Oscar transmits Y_{O2} to Alice.
8. Alice receives Y_{O2} and computes K1 = Y_{O2}^{X_A} mod q; Oscar computes K1 = Y_A^{X_{O2}} mod q.
Bob and Alice are not aware that they have been duped by Oscar, who has tricked them into believing
they share a secret key, when Oscar has actually set up two different keys: one with Alice
(K1) and another with Bob (K2). Authenticating the public values (signatures, certificates) is what prevents this.
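Orders, primitive roots, the exchange and the man-in-the-middle run above, in one script. This is an added example, not code from the notes; it uses the notes' p = 19 for the discrete-log part and q = 353 with α = 3 for the exchange (α = 3 is assumed to be a primitive root of 353, though the exchange is correct for any α).

```python
"""Orders, primitive roots, Diffie-Hellman and the man-in-the-middle from the notes."""
import random


def multiplicative_order(a, p):
    """Least m ≥ 1 with a^m ≡ 1 (mod p): the period of a, a^2, a^3, ... (gcd(a, p) = 1)."""
    x, m = a % p, 1
    while x != 1:
        x = x * a % p
        m += 1
    return m


def primitive_roots(p):
    """Elements of order p - 1; each one generates all of {1, ..., p - 1}."""
    return [a for a in range(1, p) if multiplicative_order(a, p) == p - 1]


def discrete_log_bruteforce(alpha, beta, p):
    """Smallest i with alpha^i ≡ beta (mod p) by exhaustive search: trivial for p = 19,
    hopeless for a 2048-bit p, which is what the key exchange relies on."""
    x = 1
    for i in range(p - 1):
        if x == beta % p:
            return i
        x = x * alpha % p
    return None


def dh_keypair(q, alpha, rng):
    x = rng.randrange(1, q - 1)            # private exponent
    return x, pow(alpha, x, q)             # (private, public)


def dh_exchange(q, alpha, seed):
    """Honest run: returns (Alice's key, Bob's key); both equal alpha^(X_A X_B) mod q."""
    rng = random.Random(seed)
    xa, ya = dh_keypair(q, alpha, rng)
    xb, yb = dh_keypair(q, alpha, rng)
    return pow(yb, xa, q), pow(ya, xb, q)


def dh_mitm(q, alpha, seed):
    """Oscar replaces both public values with his own; returns the key each party ends up with."""
    rng = random.Random(seed)
    xa, ya = dh_keypair(q, alpha, rng)      # Alice
    xb, yb = dh_keypair(q, alpha, rng)      # Bob
    xo1, yo1 = dh_keypair(q, alpha, rng)    # Oscar, towards Bob
    xo2, yo2 = dh_keypair(q, alpha, rng)    # Oscar, towards Alice
    return {
        "bob": pow(yo1, xb, q),             # Bob received yo1 in place of ya
        "oscar_with_bob": pow(yb, xo1, q),
        "alice": pow(yo2, xa, q),           # Alice received yo2 in place of yb
        "oscar_with_alice": pow(ya, xo2, q),
    }
```

Nothing in the arithmetic tells Alice that Y_{O2} did not come from Bob; the fix is outside the exchange, by signing the public values or binding them to certificates, which is what authenticated key exchange protocols add.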
ElGamal (1984)
Public Elements: a prime p and a primitive root α of p.
Alice: selects a random integer a with 1 ≤ a ≤ p − 2 and computes β = α^a mod p, where a is
private and β is public.
Bob encrypts a message M (with M < p; otherwise chop it into blocks of that size) as follows:
Bob chooses a random integer k with 1 ≤ k ≤ p − 2, computes the one-time key K = β^k mod p, and
encrypts M as a pair (C1, C2) where C1 = α^k mod p and C2 = K · M mod p.
Alice recovers M as follows:
The key K is recovered by computing K = C1^a mod p, and the message M is recovered by
computing M = C2 · K^{−1} mod p.
If you know the inverse of K, you can recover the message.
Example
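The scheme above as code, with the same message encrypted twice to show that the per-message k makes the ciphertexts differ. This is an added example, not code from the notes; the parameters p = 2579, α = 2, a = 765 and the message 1299 are the textbook example's and are assumed here (α = 2 is taken to be a primitive root of 2579).

```python
"""ElGamal encryption with small assumed parameters (p = 2579, alpha = 2, a = 765)."""
import random


def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, beta = alpha^a mod p); private key a."""
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(public, m, rng):
    p, alpha, beta = public
    if not 0 <= m < p:
        raise ValueError("message must be in Z_p; split longer messages into blocks")
    k = rng.randrange(1, p - 1)              # fresh per message, never reused
    key = pow(beta, k, p)                    # one-time key K = beta^k
    return pow(alpha, k, p), m * key % p     # (C1, C2)


def elgamal_decrypt(public, a, ct):
    p = public[0]
    c1, c2 = ct
    key = pow(c1, a, p)                      # K = C1^a = alpha^(k a), same as beta^k
    return c2 * pow(key, -1, p) % p


def demo(seed=0):
    """Encrypt 1299 twice under the same key; returns (beta, ct1, ct2, m1, m2)."""
    public, a = elgamal_keygen(2579, 2, 765)
    rng = random.Random(seed)
    ct1 = elgamal_encrypt(public, 1299, rng)
    ct2 = elgamal_encrypt(public, 1299, rng)
    return public[2], ct1, ct2, elgamal_decrypt(public, a, ct1), elgamal_decrypt(public, a, ct2)
```

Decryption works because C1^a = α^{ka} = (α^a)^k = β^k = K, so Alice recomputes the one-time key without ever learning k; reusing k across messages would let an observer divide the two C2 values and relate the plaintexts.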
Elliptic Curve Encryption
Abelian Groups (recall the axioms):
o Closure
o Associativity
o Identity element
o Inverse exists
o Commutativity
Consider a cubic equation y^2 = x^3 + ax + b.
Its plot is symmetric about the x-axis. Let E be the set of solutions (x, y) and add a point at infinity O.
Fix the parameters a and b. We will define a group on the elements of E. The group
operator is denoted as '+'. We need to make sure that the result is a point on the curve. The
operator is defined as follows:
The point at infinity O is the identity.
For a point P = (x, y) its negative −P = (x, −y) is the mirror image below the x-axis, i.e. the
negation of the y-coordinate.
Application of the '+' operator to two points is
defined as follows:
If P ≠ −Q then P + Q = −R, where R is the third point at which the line through P and Q
intersects the curve. If the line is tangent to the curve at P then R = P, and if it is tangent at Q
then R = Q. When P = Q the line is the tangent at P, and it meets the curve at one further point R.
If P = −Q then P + Q = O.
Algebraically, we need to compute the slope of the line passing through P and Q.
Let's say that R is the intersection of the line through P, Q with the curve.
Defined: the elliptic curve.
Defined: the element at infinity.
We need to show that P + Q is on the curve using the elliptic curve equation.
It can be shown that the points on E with the '+' operator form an abelian group. We will
restrict ourselves to curves over Z_p (mod p) or over GF(2^m), suited to software or hardware respectively.
Example
With we get , so .
Rules for the ‘+’ are still the same:
1.
2.
If P = −Q then P + Q = O.
3.
One can show that the points of E over Z_p with '+' form an abelian group. Similarly, it also
holds for GF(2^m).
Scalar multiplication is the one-way operation here, analogous to exponentiation in the discrete log problem before.
Let Q = kP where k is some integer constant. Multiplication is repeated
addition. It is easy, given k and P, to compute Q. The hard part is: given Q and P, find k (the elliptic curve discrete log problem).
Hard Problem: given P and Q = kP, find k.
Easy Problem: given k and P, compute Q = kP.
Example
Assume P and Q are both points on the curve
. Given P, Q, determine k where Q = kP:
Key Exchange (elliptic curve Diffie-Hellman)
1. Choose parameters p, a, b and define the curve E over Z_p.
2. Pick a base point G on E whose order n (the smallest n with nG = O) is very large.
3. Alice selects n_A < n as her private key and computes P_A = n_A G, which is
public.
4. Bob selects n_B < n as his private key and computes P_B = n_B G, which is
public.
5. Alice generates the key K = n_A P_B
6. Bob generates the key K = n_B P_A
Claim: n_A P_B = n_A n_B G = n_B P_A.
The shared secret is the x-coordinate of K.
Example
How Encryption/Decryption is done in Elliptic Curve Cryptography
1. Encode the plaintext message m to be sent as a point P_m on E.
2. Choose a base point G such that its order n is large.
3. Each user A chooses a private key n_A and generates P_A = n_A G, which is public.
Suppose Alice wants to send a message m to Bob. Alice chooses a random integer k and
computes C = (kG, P_m + k P_B), where P_B is the public key of Bob and P_m is the message point. On
receiving C, Bob needs to figure out P_m. Bob uses his private key n_B and multiplies the first
coordinate kG by n_B, then subtracts this value from the second coordinate:
P_m + k P_B − n_B(kG) = P_m, since k P_B = k n_B G = n_B(kG). All of these are
points on the elliptic curve. Alice has included a clue, the first
coordinate kG, so that anybody who knows n_B can find out P_m.
Example
Alice wants to send P_m, so Alice chooses k. The public key of Bob is
P_B. Alice's ciphertext: C = (kG, P_m + k P_B)
How to compute kP efficiently
In general, write k in binary and use double-and-add.
A signed binary representation (SBR) is in non-adjacent form (NAF) if no two consecutive digits are non-zero.
Example .
In the binary representation of an arbitrary number about half the digits are 1 on average,
but in SBR-NAF about 2/3 of the digits are 0 on average.
Signed Binary Representation: digits in {−1, 0, 1}.
Non-Adjacent Form: no two consecutive digits are non-zero.
Compute cP, assuming c = (c_{l−1} ... c_0) is in SBR-NAF:
Q := O;
for i := l − 1 down to 0:
    Q := 2Q;
    if c_i = 1 then Q := Q + P;
    if c_i = −1 then Q := Q − P;
return Q;
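The curve arithmetic, the NAF loop above, the key exchange and the encryption scheme of the preceding pages, all on one small curve. This is an added example, not code from the notes; the curve y^2 = x^3 + x + 6 over Z_11 with base point G = (2, 7) of order 13 is the textbook example and is assumed here, as are the private values and the message point used in the usage.

```python
"""Elliptic-curve arithmetic over Z_p with NAF scalar multiplication, ECDH and EC ElGamal."""
P_MOD, CURVE_A, CURVE_B = 11, 1, 6      # assumed: y^2 = x^3 + x + 6 over Z_11
G = (2, 7)                                # assumed base point, order 13
INF = None                                # the point at infinity O, the group identity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + CURVE_A * x + CURVE_B)) % P_MOD == 0


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def ec_add(p1, p2):
    """Chord-and-tangent rule: P + Q = -R, R the third intersection of the line through P, Q."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                             # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)     # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def naf(c):
    """Non-adjacent form of c ≥ 0, least significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while c > 0:
        if c & 1:
            d = 2 - (c & 3)        # c ≡ 1 (mod 4) -> +1, c ≡ 3 (mod 4) -> -1
            c -= d
        else:
            d = 0
        digits.append(d)
        c >>= 1
    return digits


def ec_mul(c, pt):
    """cP by the double-and-add/subtract loop from the notes over the NAF digits, MSB first."""
    q = INF
    for d in reversed(naf(c)):
        q = ec_add(q, q)
        if d == 1:
            q = ec_add(q, pt)
        elif d == -1:
            q = ec_add(q, ec_neg(pt))
    return q


def point_order(pt):
    n, q = 1, pt
    while q is not INF:
        q = ec_add(q, pt)
        n += 1
    return n


def all_points():
    return [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def ecdh(na, nb):
    """Alice: P_A = n_A G; Bob: P_B = n_B G; shared key = x-coordinate of n_A P_B = n_B P_A."""
    pa, pb = ec_mul(na, G), ec_mul(nb, G)
    ka, kb = ec_mul(na, pb), ec_mul(nb, pa)
    if ka != kb or ka is INF:
        raise ValueError("key agreement failed (private keys must be nonzero mod the order)")
    return ka[0]


def ec_elgamal_encrypt(pm, pb, k):
    """C = (kG, P_m + k P_B) for a message encoded as the curve point P_m."""
    return ec_mul(k, G), ec_add(pm, ec_mul(k, pb))


def ec_elgamal_decrypt(ct, nb):
    """P_m = C2 - n_B C1, since n_B (kG) = k (n_B G) = k P_B."""
    c1, c2 = ct
    return ec_add(c2, ec_neg(ec_mul(nb, c1)))
```

Every scalar multiplication goes through `naf`, so the same routine that computes n_A P_B for the key exchange computes kG and k P_B for encryption; on this 13-point curve the "hard" problem is solved by trying 13 multiples, which is exactly why real curves have orders around 2^256.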
The standard double-and-add efficiency comes from the doubling; the extra efficiency of SBR-NAF comes from the fact that about 66% of its digits are zero, so fewer point additions are needed.
Digital Signatures
Message authentication used to verify that a message was sent from a particular entity.
A bit pattern that is dependent on the message
o Prevents impersonation
Uses information private to the sender
Easy to compute the signature
Easy to verify
Computationally infeasible to forge, or to tamper with a signed message undetected
Should be short
ElGamal Signature Scheme
Alice generates public/private keys as follows:
Random x with 1 ≤ x ≤ p − 2.
Private key: x; public key: (p, α, y) with y = α^x mod p.
To sign a message M, Alice does the following: compute m = H(M), where H is the hash function.
Choose a random integer k where 1 ≤ k ≤ p − 2 and gcd(k, p − 1) = 1.
Compute r = α^k mod p.
Compute k^{−1} mod (p − 1) as well, using the Extended Euclidean Algorithm.
Compute s = k^{−1}(m − x·r) mod (p − 1).
Signature: (r, s).
Any user Bob can verify the signature by computing α^m mod p and y^r · r^s mod p.
The signature is valid if α^m ≡ y^r · r^s (mod p).
Public Elements (DSA)
p: a prime number, l bits long, with l a multiple of 64.
q: a prime divisor of p − 1 (160 bits in the original standard).
g = h^{(p−1)/q} mod p, where h is any integer in {1, ..., p − 1} such that g > 1. The global public elements are (p, q, g).
For a user, the private key is x where 0 < x < q. The public key of this user is y = g^x mod p.
For each message, the user chooses a random per-message key k, where 0 < k < q.
Signing: r = (g^k mod p) mod q, s = k^{−1}(H(M) + x·r) mod q, and the signature becomes
(r, s).
Verification: Suppose the verifier received M', r', s'.
The verifier computes: w = (s')^{−1} mod q, u1 = H(M')·w mod q, u2 = r'·w mod q, v = ((g^{u1} y^{u2}) mod p) mod q.
Test: Is v = r'? If yes, then the signature is verified.
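Both signature schemes of this section, ElGamal and DSA, in one script with a check that a tampered message fails verification. This is an added example, not code from the notes; the toy parameters are assumed (p = 2579 with α = 2 for ElGamal; for DSA the same p with q = 1289, which divides p − 1 = 2 · 1289, and g = 2^{(p−1)/q} mod p), and SHA-256 reduced modulo q stands in for the hash H.

```python
"""ElGamal signatures and DSA with small assumed parameters."""
import hashlib
import random
from math import gcd


def H(msg, modulus):
    """Hash reduced into the exponent group (stand-in for the H of the notes)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % modulus


def elgamal_sign(p, alpha, x, msg, rng):
    while True:
        k = rng.randrange(1, p - 1)
        if gcd(k, p - 1) == 1:               # k must be invertible mod p - 1
            break
    r = pow(alpha, k, p)
    s = (H(msg, p - 1) - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def elgamal_verify(p, alpha, y, msg, sig):
    r, s = sig
    if not 1 <= r < p:
        return False
    return pow(alpha, H(msg, p - 1), p) == pow(y, r, p) * pow(r, s, p) % p


def dsa_params(p, q, h=2):
    if (p - 1) % q:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h gives g = 1; pick another h")
    return p, q, g


def dsa_keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def dsa_sign(params, x, msg, rng):
    p, q, g = params
    while True:
        k = rng.randrange(1, q)               # fresh per message
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(msg, q) + x * r) % q
        if r and s:                           # the standard rejects r = 0 or s = 0
            return r, s


def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = H(msg, q) * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r


def demo(seed=0):
    """Sign a constructed message with both schemes; returns the four verification results
    (ElGamal ok, ElGamal on altered message, DSA ok, DSA on altered message)."""
    rng = random.Random(seed)
    msg, bad = b"constructed message", b"constructed message (altered)"
    p, alpha, x = 2579, 2, 765
    y = pow(alpha, x, p)
    eg = elgamal_sign(p, alpha, x, msg, rng)
    params = dsa_params(2579, 1289)
    xd, yd = dsa_keygen(params, rng)
    ds = dsa_sign(params, xd, msg, rng)
    return (elgamal_verify(p, alpha, y, msg, eg), elgamal_verify(p, alpha, y, bad, eg),
            dsa_verify(params, yd, msg, ds), dsa_verify(params, yd, bad, ds))
```

DSA is ElGamal moved into the subgroup of order q: r and s are reduced mod q, so the signature is 2·160 bits instead of 2·l bits, which is the "should be short" property from the list above. In both schemes k must be secret and fresh per message; the per-message loop in `dsa_sign` is what the notes' "for each message, the user chooses a random key k" means in code.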