El Gamal Public Key Cryptosystem
The El Gamal public-key encryption scheme can be viewed as Diffie-Hellman key agreement in key transport mode. Its security is based on the intractability of the discrete logarithm problem and the Diffie-Hellman problem.
Diffie-Hellman Key Exchange
The first system to make use of public-key or asymmetric cryptographic keys was the Diffie-Hellman algorithm (by Whitfield Diffie and Martin Hellman, 1976). These systems overcome the difficulties of private-key or symmetric key systems because asymmetric key management is much easier. In a symmetric key system it is important for both sides of the communication to hold identical keys; the secure exchange of those keys has always been a major concern. This concern is alleviated by asymmetric key systems because they use two keys: one called the private key, which belongs secretly to the user, and another called the public key, which can be shared with the world and is therefore distributed without difficulty. Unfortunately, the advantages of asymmetric key systems are overshadowed by speed: they are very slow for any kind of bulk encryption. Today the typical practice is to use a symmetric system to encrypt the data and then to encrypt the symmetric keys used for distribution with an asymmetric system. And this is what Diffie-Hellman key exchange does.
Basic El Gamal encryption
Complete Diffie-Hellman Key Exchange Process
The Game: Mental Poker
Playing the game of poker without any cards over a telecommunications device (phone or, more realistically, the internet) is known as Mental Poker. The game normally does not include a trusted third-party dealer or a source of randomness, and so it seems that someone (the dealer) will always know which cards have been given out or, alternatively, that players will be able to lie about the cards they hold.
The first serious attempt at the problem was by Adi Shamir, Ronald Rivest and Leonard Adleman in 1979 in [SRA]. It is this scheme, which relies on commutative encryption, that we describe here. The authors first proved, in an information-theoretic sense, that the problem is unsolvable and then went on to offer a solution. Their protocol worked for two players and did not require a trusted third party. However, it did not offer confidentiality of strategy, requiring the players to reveal their hands at the end of each game.
We assume two players and 52 cards. Five cards are dealt, then one round of betting, then all cards are shown. Players have disjoint hands, any player can hold any possible hand, no player can discover another player's hand, and any collusion has minimal effect.
The SRA protocol was shown to leak at least one bit of information: whether the card was a quadratic residue or not. There were suggestions to overcome this problem, but there was still no guarantee that other information was not leaked.
The SRA protocol
The protocol relies on a commutative encryption scheme, i.e.:
E_A(E_B(M)) = E_B(E_A(M))
where E_X denotes encryption using X's public key. Likewise, we use D_X to denote decryption using X's private key.
Steps
- Two players Alice and Bob together choose a large prime number n, then Alice chooses her key A such that gcd(A, n-1) = 1 and Bob chooses B likewise.
- Encode the fifty-two cards as integers.
- Encryption: E_A(M) = M^A (mod n)
- Decryption: D_A(M) = M^inv(A) (mod n), where inv(A) is the inverse of A modulo n-1 (it exists because gcd(A, n-1) = 1).
- Bob permutes the cards to x1, x2, …, x52, encrypts them, then sends E_B(xi) to Alice.
- Alice chooses 5 cards for herself, encrypts them and sends E_A(E_B(xi)) to Bob. She also chooses 5 cards for Bob and sends them to him (without encrypting) as E_B(xi).
- Bob can now decrypt his cards to see his hand: D_B(E_B(xi)) = xi. He also decrypts Alice's cards and sends them back to her. Here is where we need commutativity, so that D_B(E_A(E_B(xi))) = E_A(xi).
- Alice receives her cards and decrypts them, seeing her hand: D_A(E_A(xi)) = xi.
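The deal described in the steps above, as an added Python example that is not part of the original essay or of the SRA paper. It uses a constructed toy prime n = 2039 and a seeded random generator so that a run is reproducible; a real deal would use a prime of hundreds of digits and an unpredictable source of randomness (Python's secrets module). The function names (make_key, sra_encrypt, sra_decrypt, deal) are assumptions made here.

```python
import random
from math import gcd

# Constructed toy modulus (assumption): small enough to run instantly.
# The protocol needs a prime of hundreds of digits to be meaningful.
DEMO_N = 2039


def make_key(n, rng):
    """Choose an exponent A with gcd(A, n-1) = 1, so inv(A) mod (n-1) exists."""
    while True:
        a = rng.randrange(2, n - 1)
        if gcd(a, n - 1) == 1:
            return a


def sra_encrypt(m, key, n):
    """E_A(M) = M^A mod n."""
    return pow(m, key, n)


def sra_decrypt(c, key, n):
    """D_A(C) = C^inv(A) mod n, with inv(A) the inverse of A modulo n-1."""
    return pow(c, pow(key, -1, n - 1), n)


def commutes(m, key_a, key_b, n):
    """Check E_A(E_B(M)) == E_B(E_A(M)); both equal M^(A*B) mod n."""
    return (sra_encrypt(sra_encrypt(m, key_b, n), key_a, n)
            == sra_encrypt(sra_encrypt(m, key_a, n), key_b, n))


def deal(n, cards, rng):
    """Run one SRA deal of five cards each; return (alice_hand, bob_hand).

    Cards must be encoded as integers in 1..n-1 (never 0, which would
    encrypt to itself and be visible to everyone).
    """
    key_a, key_b = make_key(n, rng), make_key(n, rng)

    # Bob permutes the deck and sends E_B(x_i) for every card to Alice.
    shuffled = cards[:]
    rng.shuffle(shuffled)
    from_bob = [sra_encrypt(x, key_b, n) for x in shuffled]

    # Alice cannot tell the encrypted cards apart, so she picks at random:
    # five for herself (re-encrypted with A) and five for Bob (as received).
    picks = rng.sample(range(len(from_bob)), 10)
    for_alice = [sra_encrypt(from_bob[i], key_a, n) for i in picks[:5]]  # E_A(E_B(x))
    for_bob = [from_bob[i] for i in picks[5:]]                            # E_B(x)

    # Bob reads his own hand and peels his layer off Alice's cards.
    bob_hand = [sra_decrypt(c, key_b, n) for c in for_bob]
    back_to_alice = [sra_decrypt(c, key_b, n) for c in for_alice]          # E_A(x)

    # Alice removes her own layer and sees her hand.
    alice_hand = [sra_decrypt(c, key_a, n) for c in back_to_alice]
    return alice_hand, bob_hand


if __name__ == "__main__":
    deck = list(range(2, 54))            # constructed card encoding: 2..53
    alice, bob = deal(DEMO_N, deck, random.Random(7))
    print("Alice:", alice)
    print("Bob:  ", bob)
```

Note that with n prime every card in 1..n-1 is coprime to n, so M^(n-1) = 1 and the exponent inverse modulo n-1 undoes the encryption exactly; that is why the key condition gcd(A, n-1) = 1 is needed.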
Execution of Game
Protocol Security
Efficiency of El Gamal encryption
The encryption process requires two modular exponentiations, namely α^k mod p and (α^a)^k mod p. These exponentiations can be sped up by selecting random exponents k that have some additional structure, for example low Hamming weight. Care must be taken that the number of possible exponents is large enough to preclude a search via a baby-step giant-step algorithm.
A drawback of El Gamal encryption is that there is message expansion by a factor of 2, i.e., the ciphertext is double the length of the corresponding plaintext.
Randomized Encryption
Among many other encryption schemes, El Gamal encryption uses randomization in the encryption process; other examples include McEliece encryption, Goldwasser-Micali and Blum-Goldwasser probabilistic encryption. Deterministic encryption schemes such as RSA may also employ randomization in an attempt to avoid some attacks. The basic idea behind randomized encryption techniques is to use randomization to increase the cryptographic security of an encryption process through one or more of the following methods:
- increasing the effective size of the plaintext message space;
- precluding or decreasing the effectiveness of chosen-plaintext attacks by virtue of a one-to-many mapping of plaintext to ciphertext; and
- precluding or decreasing the effectiveness of statistical attacks by levelling the a priori probability distribution of inputs.
Security of El Gamal Encryption
The problem of breaking the El Gamal encryption scheme, specifically recovering m given p, α, α^a, γ and δ, is equivalent to solving the Diffie-Hellman problem. In fact, the El Gamal encryption scheme can be seen as simply comprising a Diffie-Hellman key exchange to establish a session key α^(ak), and then encrypting the message by multiplication with that session key. Hence the security of the El Gamal encryption scheme is said to be based on the discrete logarithm problem in Z_p^*, although such an equivalence has not been proven.
It is critical that different random integers k be used to encrypt different messages. Suppose the same k is used to encrypt two messages m1 and m2, and the resulting ciphertext pairs are (γ1, δ1) and (γ2, δ2). Then δ1/δ2 = m1/m2, and m2 could easily be computed if m1 were known.
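The El Gamal scheme from the efficiency and security sections above, as an added Python example that is not part of the original essay or of the Handbook of Applied Cryptography. It shows the two exponentiations α^k and (α^a)^k of the encryption step, the factor-of-2 ciphertext expansion (two elements of Z_p per plaintext element), and the consequence of reusing k: the two ciphertexts share the same γ, which is the observable symptom, and δ1/δ2 = m1/m2 lets anyone who knows m1 compute m2. The group (the constructed safe prime p = 2039 with q = 1019) and the names keygen, encrypt, decrypt and recover_second_message are assumptions made here; a real deployment uses a prime of 2048 bits or more.

```python
import secrets

# Constructed toy group (assumption): safe prime p = 2q + 1, far too small
# for real use, chosen so the example runs instantly.
P = 2039
Q = (P - 1) // 2


def find_generator(p, q):
    """Smallest generator of Z_p^* for a safe prime p = 2q + 1.

    In such a group the element orders are 1, 2, q and 2q, so g generates
    everything iff g^2 != 1 and g^q != 1.
    """
    for g in range(2, p - 1):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator: p is not a safe prime")


ALPHA = find_generator(P, Q)


def keygen(p=P, alpha=ALPHA):
    """Private key a in [1, p-2]; public key (p, alpha, alpha^a mod p)."""
    a = secrets.randbelow(p - 2) + 1
    return (p, alpha, pow(alpha, a, p)), a


def encrypt(pub, m, k=None):
    """gamma = alpha^k, delta = m * (alpha^a)^k (mod p): two exponentiations.

    k must be fresh and uniformly random for every message.  The optional
    argument exists only so the reuse failure below can be reproduced.
    """
    p, alpha, alpha_a = pub
    if not 1 <= m < p:
        raise ValueError("message must be an element of Z_p^*")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    gamma = pow(alpha, k, p)                  # first exponentiation
    delta = (m * pow(alpha_a, k, p)) % p      # second one: the DH session key alpha^(ak)
    return gamma, delta


def decrypt(pub, a, ct):
    """m = delta * gamma^(-a) mod p; gamma^(p-1-a) equals gamma^(-a) by Fermat."""
    p, _, _ = pub
    gamma, delta = ct
    return (delta * pow(gamma, p - 1 - a, p)) % p


def ciphertext_bits(pub, ct):
    """Ciphertext length in bits: two field elements, hence 2x the plaintext."""
    p = pub[0]
    return 2 * p.bit_length()


def recover_second_message(p, ct1, ct2, m1):
    """The page's warning made concrete: with k reused, delta1/delta2 = m1/m2.

    Reuse is visible to any observer because both ciphertexts carry the same
    gamma = alpha^k.  Knowing m1 then yields m2 = m1 * delta2 * delta1^(-1).
    """
    (g1, d1), (g2, d2) = ct1, ct2
    if g1 != g2:
        raise ValueError("different gammas: k was not reused, nothing to recover")
    return (m1 * d2 * pow(d1, -1, p)) % p


if __name__ == "__main__":
    pub, a = keygen()
    ct = encrypt(pub, 1234)
    print("decrypts to", decrypt(pub, a, ct), "in", ciphertext_bits(pub, ct), "bits")
    c1, c2 = encrypt(pub, 1234, k=777), encrypt(pub, 56, k=777)
    print("same gamma:", c1[0] == c2[0], "-> m2 =", recover_second_message(P, c1, c2, 1234))
```

A repeated γ across ciphertexts under one public key is therefore a cheap integrity check a receiver or log monitor can run; it costs one comparison and flags exactly the failure the text warns about.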
Analysis of Mental Poker
Upon receiving the shuffled and encrypted pack of cards she cannot tell which is which; hence she picks randomly, that is, she is unable to see Bob's hand. When Bob receives Alice's doubly encrypted hand he is unable to read it even when he partially decrypts it. But is information leaked by the encryption process? Yes! The leak comes from quadratic residues.
Quadratic Residues
An integer a, not divisible by an odd prime p, is a quadratic residue modulo p if there is a b in {1, 2, …, p-1} such that a = b^2 (mod p). Otherwise a is a quadratic non-residue.
So for p = 11, 1 = 1^2, 3 = 5^2, 4 = 2^2, 5 = 4^2, 9 = 3^2 are the quadratic residues and 2, 6, 7, 8, 10 are the quadratic non-residues.
This holds in general: for a prime p there are (p-1)/2 residues and (p-1)/2 non-residues.
Cheating
- In 1981 R. Lipton showed that for odd k, x^k is a quadratic residue mod p if x is a quadratic residue mod p.
- So cards whose representations are quadratic residues are still quadratic residues when they are encrypted.
- This allows Alice to find the cards that are residues and non-residues, for the particular p used, and thus to choose (on average) high cards for herself and low cards for Bob.
Cheat Prevention
- The easiest way to prevent the attack we have discussed is to represent cards only with quadratic residues. However, other, more general attacks have been shown to be effective, so SRA is not a good protocol.
- Other protocols for the Mental Poker problem have been considered, with the most successful ones using probabilistic encryption and zero-knowledge proofs. Crépeau solved the problem in 1987, although his protocol is not computationally feasible. Research is still ongoing.
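The residue leak from the Cheating section and the residue-only encoding from the first prevention item, as an added Python example that is not part of the original essay. Residuosity is tested with Euler's criterion (a is a residue iff a^((p-1)/2) = 1 mod p), which is what makes the leak cheap to exploit and equally cheap to check for. The block reproduces the p = 11 list from the text, shows that an SRA exponent A (necessarily odd, since gcd(A, p-1) = 1 and p-1 is even) maps residues to residues and non-residues to non-residues, so an observer can split the encrypted deck into the two classes, and then shows that encoding every card as a quadratic residue leaves the observer with a single uninformative class. The prime p = 2039 and the names is_quadratic_residue, leaked_classes and residue_only_codes are assumptions made here.

```python
# Constructed toy prime (assumption): the modulus n of the SRA deal.
DEMO_P = 2039


def is_quadratic_residue(a, p):
    """Euler's criterion for an odd prime p and a not divisible by p."""
    return pow(a % p, (p - 1) // 2, p) == 1


def quadratic_residues(p):
    """All quadratic residues mod p, by squaring 1..p-1 (exactly (p-1)/2 of them)."""
    return sorted({pow(b, 2, p) for b in range(1, p)})


def sra_encrypt(m, key, p):
    """E_A(M) = M^A mod p, as in the SRA protocol."""
    return pow(m, key, p)


def leaked_classes(encrypted_cards, p):
    """What anyone holding only the ciphertexts learns: residue or not, per card.

    Lipton's observation: for odd A, x^A is a residue iff x is, so this list
    is identical to the residuosity of the plaintext cards.
    """
    return [is_quadratic_residue(c, p) for c in encrypted_cards]


def card_partition(cards, p):
    """Split a list of (plaintext) cards into residues and non-residues."""
    residues = [c for c in cards if is_quadratic_residue(c, p)]
    non_residues = [c for c in cards if not is_quadratic_residue(c, p)]
    return residues, non_residues


def residue_only_codes(p, count):
    """The mitigation from the text: encode the cards using residues only.

    Takes the first `count` quadratic residues greater than 1; every
    ciphertext is then a residue too, so the leaked class is constant.
    """
    codes = [r for r in quadratic_residues(p) if r > 1]
    if len(codes) < count:
        raise ValueError("prime too small for that many residue codes")
    return codes[:count]


if __name__ == "__main__":
    print("residues mod 11:", quadratic_residues(11))
    key_a = 3                                   # gcd(3, 2038) = 1, and odd
    naive = list(range(2, 54))                  # constructed encoding: 2..53
    enc = [sra_encrypt(x, key_a, DEMO_P) for x in naive]
    res, non = card_partition(naive, DEMO_P)
    print("observer sees %d residue cards and %d non-residue cards"
          % (leaked_classes(enc, DEMO_P).count(True), leaked_classes(enc, DEMO_P).count(False)))
    print("plaintext residues:", res)
    safe = residue_only_codes(DEMO_P, 52)
    print("with residue-only codes, classes seen:",
          set(leaked_classes([sra_encrypt(x, key_a, DEMO_P) for x in safe], DEMO_P)))
```

The residue-only encoding closes this particular channel but, as the text goes on to say, not the more general attacks on SRA; it is a patch for one leak rather than a proof that no bit escapes.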
Conclusion
Mental Poker is an important problem, both for use in the large internet poker business and as a metaphor for other multi-party computations where secrets need to be kept. It is possible to implement the SRA protocol efficiently and securely; however, it has a major flaw in that it leaks one bit of information about the cards. Other protocols have been suggested, with Crépeau solving the problem in 1987, although with a computationally impractical algorithm.
Bibliography
http://www.ics.uci.edu/~goodrich/teach/ics247/W03/notes/poker.pdf
http://www.netip.com/articles/keith/diffie-helman.htm
http://www.ics.uci.edu/~goodrich/teach/ics247/W03/notes/elgamal.pdf
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996.