Melissa Helgeson
helge117@morris.umn.edu
ABSTRACT
1. INTRODUCTION
In 1985, Taher ElGamal wrote an article in IEEE Transactions on
Information Theory outlining a new asymmetric encryption
scheme he had devised. The mathematical basis of his encryption
lies within a problem presented for encryption purposes by
Whitfield Diffie and Martin Hellman in 1976 [1].
In order to determine the security of ElGamal's encryption, we
explain the terminology used to describe encryption, the
encryption's basis in the Diffie-Hellman problem, and the
steps of the algorithm. We notice that the element called the
generator must be chosen to satisfy certain properties, rather than
chosen completely at random, but finding a generator which satisfies
these properties is often difficult and time consuming. By
examining the properties of good generators in greater detail it is
possible to find an efficiently computed version of ElGamal's
encryption which is secure against a wider range of attacks.
ElGamal's encryption is a key element in Pretty Good Privacy
(PGP) and its open source versions. PGP is popular bundled
encryption software which is used to encrypt numerous types of
Internet traffic. However, we have chosen to examine some more
recent research into the uses of ElGamal's encryption: anonymous
recipients and online voting.
3. ELGAMAL'S ENCRYPTION
ElGamal's encryption is an asymmetric encryption with private
key and public key (, , ). In the public key, is a prime to
use as the message space and modulus in our calculations; is a
high order (generator) element for
as described in Section 4.1;
and utilizes the Diffie-Hellman problem to incorporate and hide
1.
4
11
10
) = ' ( )
= 1' ( )
=
(
)
= 1
(
)
=
(
) =
=
=
56 7
(87 )4
( )
5(84 )7
(84 )7
59
9
Using this formula and the private key , we can decrypt our
example cipher text (, )) = (8, 25). Because the recipient is the
owner of the public and private key pair, the value of for =
(
) is known to them. In the case of public
key (31, 3, 4), was calculated by 4 = 3: (
31), so = 18.
Then we can decrypt the message by = ) %%
(
) =
25(8)!%%: . This reduces to the original message of 19.
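The decryption just described, replayed with the numbers given in the text (public key (31, 3, 4), cipher text (8, 25), message 19). This is an added example, not code from the paper; the names p, g, y, a, k, c1 and c2 are labels chosen for this sketch.

```python
import secrets

def keygen(p, g):
    """Private a in [2, p-2]; public key (p, g, y) with y = g^a mod p."""
    while True:
        a = secrets.randbelow(p - 3) + 2
        y = pow(g, a, p)
        if y != 1:                        # re-draw if the public value is 1
            return a, (p, g, y)

def encrypt(pub, m, k=None):
    """Return (c1, c2) = (g^k, m * y^k) mod p for a fresh secret k."""
    p, g, y = pub
    if not 1 <= m < p:
        raise ValueError("message must be in 1..p-1")
    if k is None:
        k = secrets.randbelow(p - 2) + 1  # k in [1, p-2]
    return pow(g, k, p), (m * pow(y, k, p)) % p

def decrypt(p, a, ct):
    """Recover m = c2 * (c1^a)^-1 mod p."""
    c1, c2 = ct
    shared = pow(c1, a, p)                # equals y^k
    return (c2 * pow(shared, -1, p)) % p  # modular inverse, Python 3.8+

def paper_example():
    """Replay the text's values; returns (private key, cipher text, message)."""
    p, g, y = pub = (31, 3, 4)
    # Brute-force discrete logs: feasible only because p = 31 is tiny.
    a = next(x for x in range(1, p - 1) if pow(g, x, p) == y)
    k = next(x for x in range(1, p - 1) if pow(g, x, p) == 8)
    return a, encrypt(pub, 19, k), decrypt(p, a, (8, 25))

if __name__ == "__main__":
    print(paper_example())
```

The two brute-force searches recover both the private key and the sender's secret in a handful of steps, which is the practical reason a modulus this small hides nothing.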
34
( )
( )
= ( )
To generate the public key (, , ), we first need to create a finite
field of order . We do this by choosing a large (approximately
1024-bit) prime at random [3]. Because sets up the message
space
, it must be large enough to hide the message, so our
example of = 31 would be a very bad choice in practice. We
also choose a random element of
, to be our generator .
Verifying whether is a generator for a large
is difficult as it
requires that we check the condition times. We will look at
solutions and approximations for this problem in Section 4.
The private key must be chosen in a uniformly random method
from $% , similar to the choice of & for encryption. Then the
final piece of the public key utilizes the discrete logarithm
problem to incorporate and hide the recipient's private key . It
is =
(
). If = 1, it is necessary to choose a
different , refer to Theorem 1. The Diffie-Hellman problem is
also used to hide because all message senders
compute ' (
) and ' =
' (
).
(1)
(CD D )
R
CD D
R
R SH
CD D % CD D
R
CD D
= C|% (1 )
(2)
V(%)
%
= W1 X W1 X = W X W X =
!
!
by (2). This means that one out of every three elements in Y is a
generator. This is equivalent to the result of 6/18 = 1/3 we count
in either Figure 1 or Table 2.
This example and (2) in general show that larger prime factors
will have less impact on the resulting probability than small ones.
This can be seen more clearly by using the formula to find the
probability for = 149. Then 1 = 148 = 2 37, and W1
:
p
2
3 4
4 2
8 9 10 11 12 13 14 15 16 17 18
6 3
11 10
5 5
5 10 10 10 5
13 12
3 6
4 12 12
6 12
17
8 16 4 16 16 16
19 18 18 9
4 3
8 8 16 16 16
6 9 18
6 18 18 18
4 16
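The generator counts discussed in this section can be checked directly. The added example below (not code from the paper) tests every element with the standard prime-factor criterion and compares the count with the Euler product over the prime factors of p − 1, for the prime 19 (where p − 1 = 18) and for 149; the function names are this example's own.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out

def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)

def generator_counts(p):
    """Return (generators found by testing 1..p-1, (p-1) * prod(1 - 1/q))."""
    factors = prime_factors(p - 1)
    counted = sum(is_generator(g, p, factors) for g in range(1, p))
    phi = p - 1
    for q in factors:
        phi = phi // q * (q - 1)          # one factor (1 - 1/q) per prime q
    return counted, phi

if __name__ == "__main__":
    for p in (19, 149):
        counted, phi = generator_counts(p)
        print(p, prime_factors(p - 1), counted, phi, round(phi / (p - 1), 3))
```

For 149 the factor 37 moves the probability only from 1/2 to 18/37, while the factor 3 in 18 moves it from 1/2 to 1/3.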
5. APPLICATIONS
The most common application of ElGamal's encryption is PGP. It
is used to help users exchange keys so they can use symmetric
encryption. We will focus on lesser known applications.
ElGamal's encryption is often used for research because it can be
modified to fit in a special class called semantically secure
algorithms. This means it will hide the message so well that even
if attackers specifically prepare two messages to encrypt, they
18
16
12
13
13
16
9
16
13
8
!
12
13
16
18
18
8
Because the messages are encrypted using the same private key
for each user, regardless of , decryption is a simple process.
When a cipher text is sent to the group, each person tries to
decrypt it using their key. Note that nothing has changed within
the algorithm itself, therefore the message decrypts just as quickly
as any other message encrypted with ElGamal's encryption.
In Table 4, we encrypt = 19 with three different public keys
belonging to two different people. To show they are
indistinguishable, we use the same random number & to encode all
of them. Note that it is unclear from the cipher text which
(31, 3, 16)
(31, 12, 9)
(31, 16, 8)
Encryption (b = 4)
(12, 10)
(13, 22)
(9, 15)
Decryption (a = 6)
19
19
random _ $%
(, , ] =
a
B_b
_ )
for all 1 ` ?_
_ =
a
_c {2, , 2 }
for all 1 ) ?2
Votes
for random
&_c $%
Ballots
for all `
Messages
a
B_b
d_c
'ac
g2 =
( 'ac , ]
=
_c )
for all )
Next, the individuals need to encrypt their actual votes or fill out
their ballot. To do this, each person votes yes by
Because all the encrypted totals as well as the decryption keys are
all public, the results may be verified by any of the participants.
Totals
Set-up
Decryptions
a = ( 'ac )
a
_c = ]
'ac
i _c /^
^=i
^ = ] 'ac
= (i
Ba
Ba
a
_b
a ) 'ac
_b
Furthermore, in order to find out what one person's vote was, the
entire group would have to work together to find it because the
votes are combined before they are decrypted.
5.2.2 Extensions of this idea
The authors discuss two extensions of this basic idea: hiding the
number of votes a person received and voting with wider
confidence values. We will look briefly at each of these as they
demonstrate the fluidity of the voting protocol and the use of
ElGamal's encryption.
If we want to keep the candidates' totals a secret the process is a
bit more complex. We do this by comparing the encrypted totals
and only publishing the resulting rankings. This means we do not
ask for decryption keys for the totals.
To compare two candidates, we divide one candidate's encrypted
total g by the other's encrypted total g . The result will be an
encryption of 2jH%jI . To find out if the first candidate won, lost, or
tied the second, we need to know if g g is positive, negative or
zero. We don't want to expose the difference in votes, so we have
to compare them without decrypting.
We can make this comparison by calculating all non-negative
solutions for encrypting 2jH%jI with a single random key. There
are ? + 1 solutions for this for ? voters because results range from
a tie to everyone voting for the same person. Then we divide the
encrypted comparison by each of these possible results in turn.
The combined comparisons and possible results are then shuffled
and encrypted with another random key so that no one can tell
which result corresponds to which difference in votes. Finally, we
calculate ^ % ) as in Section 5.2.2 for each of these different
encryptions. If one of the decryptions is 1 = 2, , then g g must
be non-negative. This is because either g g = 0 to begin with
or to have divided by 2jH%jI to get 1.
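The division and the test against the possible results can be traced in a small group. This is an added example, not the protocol's own code: it assumes a single key pair (a, y) in place of the voters' combined keys, a constructed toy group (p = 467, g = 2), and it omits the re-encryption step, so whoever decrypts here could still read off the difference.

```python
import random

P, G = 467, 2            # constructed toy group: 2 generates Z_467^*

def enc(y, m, k):
    return pow(G, k, P), (m * pow(y, k, P)) % P

def dec(a, ct):
    c1, c2 = ct
    return (c2 * pow(pow(c1, a, P), -1, P)) % P

def mul(x, z):           # E(m1) * E(m2) is an encryption of m1 * m2
    return (x[0] * z[0]) % P, (x[1] * z[1]) % P

def div(x, z):           # E(m1) / E(m2) is an encryption of m1 / m2
    return (x[0] * pow(z[0], -1, P)) % P, (x[1] * pow(z[1], -1, P)) % P

def tally(y, votes, rng):
    """Multiply encryptions of 2^v, v in {0, 1}; the product encrypts 2^(sum v)."""
    total = (1, 1)
    for v in votes:
        total = mul(total, enc(y, pow(2, v, P), rng.randrange(1, P - 1)))
    return total

def first_not_behind(a, y, total1, total2, n, rng):
    """True iff the first hidden total is >= the second, for n voters."""
    q = div(total1, total2)                      # encrypts 2^(t1 - t2)
    k = rng.randrange(1, P - 1)                  # one random key for all results
    tests = [div(q, enc(y, pow(2, d, P), k)) for d in range(n + 1)]
    rng.shuffle(tests)                           # hide which d matched
    return any(dec(a, t) == 1 for t in tests)    # 1 = 2^0 means t1 - t2 = d

if __name__ == "__main__":
    rng = random.Random(7)   # repeatable toy run; real keys need a CSPRNG
    a = 127                  # constructed private key
    y = pow(G, a, P)
    t1 = tally(y, [1, 0, 1, 1, 0], rng)
    t2 = tally(y, [0, 1, 0, 1, 0], rng)
    print(first_not_behind(a, y, t1, t2, 5, rng))
```

The test is only sound while the powers of 2 from −2n to n are distinct modulo p, which holds here because 2 has order 466 and n is small.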
The algorithm also allows other confidence levels. The powers are
only restricted to 0 and 1 to keep the size of the computation low
when the votes for each individual are being hidden. The
functions and protocols which are used to verify that votes are valid
could be extended to see votes of 0 to 2 as valid, for example.
Then the people would be allowed to double vote for candidates
they were very confident in, while still voting for candidates they
were generally unopposed to.
6. CONCLUSIONS
prime factors. The issue lies with the time it takes to verify a
potential quasi-generator. Recall that a partial factorization is
necessary to do this and the process may take up to a few seconds
depending on the user's decision on how to find prime factors and
how to determine if the factorization is sufficient.
Because the generator is typically only chosen once for the public
key and then reused, this time concern is negligible in a standard
use of ElGamal's encryption or a system with many private keys
like confidence voting. This is a much more significant drawback
in the case of anonymous public keys, however, because many
generators must be chosen by the recipient in order to remain
anonymous.
7. ACKNOWLEDGMENTS
My thanks to my advisors for this project: David Roberts and
Elena Machkasova, as well as Barry McQuarrie, Kristin
Lamberty, and Marianne Helgeson for their assistance in
preparing this paper.
8. REFERENCES
[1] ElGamal T. A Public Key Cryptosystem and a Signature
Scheme Based on Discrete Logarithms. Information Theory,
IEEE Transactions. 1985;31(4):496-492.
[2] Herstein IN. Abstract Algebra. Hoboken, NJ: John Wiley &
Sons, Inc.; 1999.
[3] Mao W. Modern Cryptography: Theory and Practice. Upper
Saddle River, NJ: Prentice Hall PTR; 2004.
[4] Montenegro RaTP. How long does it take to catch a wild
kangaroo? STOC '09: Proceedings of the 41st annual ACM
symposium on Theory of computing. 2009 553-560.
[5] Tsiounis Y, Yung M. On the Security of ElGamal Based
Encryption. Lecture Notes in Computer Science 1431. 1998
117-134.
[6] Wang C, Leung Hf. A secure voter-resolved approval voting
protocol over internet. In: ICEC '05: Proceedings of the 7th
international conference on Electronic commerce; 2005; New
York. p. 646-652.
[7] Waters BR, Felten EW, Sahai A. Receiver anonymity via
incomparable public keys. In: CCS '03: Proceedings of the 10th
ACM conference on Computer and communications security;
2003; Washington D.C. p. 112-121.