
El Gamal and Diffie Hellman

ElGamal Cryptosystem In Practice Diffie-Hellman. El Gamal and Diffie Hellman. CSCI284, 162 Spring 2008 GWU. The ElGamal Cryptosystem is based on the Discrete Log problem:. Given a multiplicative group G, an element  G such that o() = n, and an element  <>



  1. ElGamal Cryptosystem • In Practice • Diffie-Hellman El Gamal and Diffie Hellman CSCI284, 162 Spring 2008 GWU

  2. The ElGamal Cryptosystem is based on the Discrete Log problem:
     • Given a multiplicative group G, an element  G such that o() = n, and an element  <>
     • Find the unique integer x, 0  x  n-1 such that  = x x denoted as log
     • Not known to be doable in polynomial time, however exponentiation is. Hence DL is a possible one-way function
     CS284-162/Spring08/GWU/Vora/Discrete Log

  3. El Gamal Cryptosystem
     Let p be a prime such that DL in Zp* is infeasible
     Let  Zp* be a primitive element
     P = Zp*, C = Zp* X Zp* and K = {(p, , a, ): =a (mod p)}
     public key = (p, , ) and private key = a
     For a secret random number k Zp-1
     eK(x, k) = (y1, y2)
     y1 = k mod p
     y2 = xk mod p
     dK(y1, y2) = y2 (y1^a)^-1 mod p

  4. Example
     • p = 2579
     •  = 2
     • a = 1391
     • Encrypt message: 2079

  5. Practicalities
     • More efficient attacks possible unless elliptic curve DL, for which these efficient attacks are not known.
     • Modulus required for security:
         • 2^160 with elliptic curves
         • 2^1880 without
     • DL over elliptic curves very hot problem.

  6. Diffie-Hellman Key Exchange
     • Protocol for exchanging secret key over public channel.
     • Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all.

  7. Diffie-Hellman Key Exchange contd.
     • Alice privately selects random b and sends to Bob b mod p.
     • Bob privately selects random c and sends to Alice c mod p.
     • Alice and Bob privately compute bc mod p which is their shared secret.
     • An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem.
     • This is a key agreement protocol.

  8. Diffie-Hellman problem
     • Given a multiplicative group G, an element G of order n and two elements ,   <>
     • Computational Diffie-Hellman:
         • Find  such that log   log   log (mod n)
         • Equivalently, given b, and c find bc
     • Decision Diffie-Hellman
         • Given an additional   <>
         • Determine if log   log   log (mod n)
         • Equivalently, given b, c, and d determine if d  bc (mod n)

  9. An attack
     Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.
     • Mallory captures b and c in transmission and replaces with own b’ and c’.
     • Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob.
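
Added example, not part of the original slides: the ElGamal scheme of slide 3 carried through in Python on the parameters of slide 4. The Greek symbols did not survive in this transcript, so the names g (the primitive element, value 2 on slide 4) and h (the public value g^a mod p) are this example's own, as are the helper names and the factorisation p - 1 = 2 * 1289 used for the primitivity check.

```python
import secrets

# Parameters from slide 4. The names g and h are this example's own (assumed),
# standing in for the symbols lost from the transcript.
P, G, A = 2579, 2, 1391
MESSAGE = 2079


def is_primitive(g, p, prime_factors):
    """g generates Zp* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)


def public_value(g, a, p):
    """Public half of the key: h = g^a mod p (a stays private)."""
    return pow(g, a, p)


def encrypt(x, h, g, p, k=None):
    """Slide 3 encryption: y1 = g^k mod p, y2 = x * h^k mod p."""
    if not 1 <= x < p:
        raise ValueError("plaintext must be an element of Zp*")
    if k is None:
        # Fresh secret k per message. k = 0 is excluded because it would
        # give y1 = 1 and y2 = x, i.e. the plaintext itself.
        k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (x * pow(h, k, p)) % p


def decrypt(y1, y2, a, p):
    """Slide 3 decryption: y2 * (y1^a)^-1 mod p (needs Python 3.8+)."""
    return (y2 * pow(pow(y1, a, p), -1, p)) % p


def demo():
    """Encrypt slide 4's message twice and decrypt both ciphertexts."""
    h = public_value(G, A, P)
    c1 = encrypt(MESSAGE, h, G, P)
    c2 = encrypt(MESSAGE, h, G, P)
    return h, c1, c2, decrypt(*c1, A, P), decrypt(*c2, A, P)


if __name__ == "__main__":
    print("2 is primitive mod 2579:", is_primitive(G, P, [2, 1289]))
    h, c1, c2, m1, m2 = demo()
    print("public value h:", h)
    print("two ciphertexts of", MESSAGE, ":", c1, c2)
    print("both decrypt to:", m1, m2)
```

Because k is drawn fresh for each call, the two ciphertexts of the same message will almost always differ, yet both decrypt to 2079 under the private key a.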
