
Elgamal Cryptosystem and Elliptic Curve Cryptography

Hassan Jameel Asghar

COMP2300/6300
Week 8

September, 2023

1 / 66
Example Slide [1.1]

The number in square brackets is the relevant section in the textbook [Sma16]
If I use another reference, it will be clearly labelled
Public-Key Cryptosystems

RSA is not the only public-key cryptosystem
We will study two more in this lecture:
  Elgamal Cryptosystem
  Elliptic Curve Elgamal Cryptosystem
Security of RSA is based on factoring integers
Security of these cryptosystems is based on solving the discrete logarithm problem
  The difference between the two is the underlying group
Algorithms to solve the discrete logarithm problem
Basic Elgamal Cryptosystem

Basic Elgamal Cryptosystem [16.1.2]

Proposed by Taher Elgamal in 1985 [Sma16]
Security based on the discrete logarithm problem (DLP)
Discrete Logarithm Problem [3.1]

Definition 1 (Discrete Logarithm Problem (DLP) (3.1))
Given $g, h \in G$ and $q$ the order of $G$, find an integer $x \in \mathbb{Z}_q$ such that $g^x = h$. For additive groups, find $x \in \mathbb{Z}_q$ such that $x \cdot g = h$.

Example group:
  Let $p$ be a prime
  Let $G$ be the group $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$ under multiplication modulo $p$
  Its order is $p - 1$
  Identity element is 1
  If $g$ is a generator and $i \in \mathbb{Z}_{p-1} = \{0, 1, \ldots, p-2\}$, then $g^i \pmod p$ is a unique element in $\{1, 2, \ldots, p-1\}$
  And $g^0 \equiv g^{p-1} \equiv 1 \pmod p$
Basic Elgamal Cryptosystem – Setup [16.1.2]

A large prime $p$ (around 2048 bits)
An element $g$ of the group $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$ of order $p-1$ (a generator)
$\Rightarrow g^{p-1} \equiv 1 \pmod p$

Basic Elgamal Cryptosystem – Keys [16.1.2]

Alice:
  Private key: $x_A \leftarrow \mathbb{Z}_{p-1} = \{0, 1, \ldots, p-2\}$
  Public key: $h_A = g^{x_A} \pmod p$
Bob:
  Private key: $x_B \leftarrow \mathbb{Z}_{p-1} = \{0, 1, \ldots, p-2\}$
  Public key: $h_B = g^{x_B} \pmod p$

Note: Finding the private key from the public key amounts to solving the DLP
Basic Elgamal Cryptosystem – Encryption [16.1.2]

Alice wants to send message $m \in \mathbb{Z}_p^*$ to Bob
Alice computes $c \equiv m \cdot h_B^{x_A} \pmod p$
  $h_B$ is Bob's public key
  $x_A$ is Alice's private key

Basic Elgamal Cryptosystem – Decryption [16.1.2]

Bob receives $c \equiv m \cdot h_B^{x_A} \pmod p$
Bob computes $h_A^{x_B} \pmod p$
Bob computes

$c \cdot (h_A^{x_B})^{-1} \equiv m \cdot h_B^{x_A} \cdot (h_A^{x_B})^{-1} \equiv m \cdot g^{x_B x_A} \cdot (g^{x_A x_B})^{-1} \equiv m \cdot g^{x_A x_B} \cdot (g^{x_A x_B})^{-1} \equiv m \cdot 1 \equiv m \pmod p$
Basic Elgamal Cryptosystem – Example [16.1.2]

p = 809, g = 3, m = 100

? g = Mod(3, p);
? znorder(g)
%1 = 808 # (proof that) g has order p-1
? xB = 68; # Bob’s private key
? hB = g^xB # Bob’s public key
%2 = Mod(65, 809)
? xA = 117; # Alice’s private key
? hA = g^xA # Alice’s public key
%3 = Mod(59, 809)
? c = m*(hB^xA) # Encryption
%4 = Mod(769, 809)
? c/(hA^xB) # Decryption
%5 = Mod(100, 809)

Basic Elgamal Cryptosystem – Security

There is a big flaw in this encryption
Suppose Eve (somehow) knows the original message $m$
Eve can compute:

$c \cdot m^{-1} \equiv m \cdot h_B^{x_A} \cdot m^{-1} \equiv m \cdot m^{-1} \cdot h_B^{x_A} \equiv h_B^{x_A} \equiv g^{x_A x_B} \pmod p$

Eve learns $g^{x_A x_B}$
Every subsequent message (between Alice and Bob) can be decrypted by Eve
Without knowing the secret key!
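As an added example (not from the slides), the basic Elgamal scheme of the preceding slides in Python, using the slides' toy values $p = 809$, $g = 3$, $x_B = 68$, $x_A = 117$, $m = 100$, followed by the known-plaintext computation above. The generator check mirrors the znorder call of the PARI/GP session; `prime_factors`, `is_generator` and the second message value 555 are my own additions for illustration.

```python
# Added example (not from the lecture slides): basic (unrandomized) Elgamal
# over Z_p^* and the one-known-plaintext weakness of the scheme.
# Requires Python 3.8+ for pow(x, -1, p) (modular inverse).


def prime_factors(n):
    """Trial-division factorisation; fine for the toy sizes used here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1.
    This is what znorder(g) == p-1 certifies in the PARI/GP session."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def keygen(p, g, x):
    """Public key h = g^x mod p for a chosen private exponent x."""
    return pow(g, x, p)


def basic_encrypt(p, m, h_b, x_a):
    """Basic Elgamal: c = m * h_B^{x_A} mod p (no per-message randomness)."""
    return (m * pow(h_b, x_a, p)) % p


def basic_decrypt(p, c, h_a, x_b):
    """c * (h_A^{x_B})^{-1} mod p."""
    return (c * pow(pow(h_a, x_b, p), -1, p)) % p


def recover_shared_value(p, c, m):
    """c * m^{-1} = g^{x_A x_B}: one known plaintext exposes the fixed multiplier."""
    return (c * pow(m, -1, p)) % p


def demo():
    p, g = 809, 3
    assert is_generator(g, p)
    x_b, x_a = 68, 117                      # private keys from the slides
    h_b, h_a = keygen(p, g, x_b), keygen(p, g, x_a)
    m = 100
    c = basic_encrypt(p, m, h_b, x_a)
    s = recover_shared_value(p, c, m)       # Eve's view after learning m
    # Every later ciphertext is c' = m' * s, so m' = c' * s^{-1} needs no private key.
    c_next = basic_encrypt(p, 555, h_b, x_a)   # 555: constructed second message
    m_next = (c_next * pow(s, -1, p)) % p
    return h_b, h_a, c, basic_decrypt(p, c, h_a, x_b), s, m_next


if __name__ == "__main__":
    print(demo())   # (65, 59, 769, 100, 485, 555)
```

The first four values reproduce the PARI/GP session; the last two show that once $g^{x_A x_B}$ (485 here) is known, the keys are irrelevant for every later message between the same pair.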
(Randomized) Elgamal Cryptosystem

Elgamal Cryptosystem [16.1.2]

Problem with Basic Elgamal: the same value is used for every encryption:
  Alice multiplies the message by $h_B^{x_A} = g^{x_A x_B}$
Need to change this for every encryption (randomization)

Elgamal Cryptosystem – Encryption [16.1.2]

Alice wants to send message $m \in \mathbb{Z}_p^*$ to Bob
Alice chooses $k \leftarrow \mathbb{Z}_{p-1}$
Alice computes
  $c_1 \leftarrow g^k$
  $c_2 \leftarrow m \cdot h_B^k \pmod p$
Ciphertext is $(c_1, c_2)$
Note: A new $k$ for every encryption

Elgamal Cryptosystem – Decryption [16.1.2]

Bob receives $(c_1, c_2) = (g^k, m \cdot h_B^k)$
Bob computes $c_1^{x_B} \equiv g^{k x_B} \pmod p$
Bob computes

$c_2 \cdot (c_1^{x_B})^{-1} \equiv m \cdot h_B^k \cdot (g^{k x_B})^{-1} \equiv m \cdot g^{x_B k} \cdot (g^{k x_B})^{-1} \equiv m \pmod p$

Note: Alice's private and public keys are never used for encryption and decryption (respectively)
Elgamal Cryptosystem – Example [16.1.2]

p = 809, g = 3, m = 100

? g = Mod(3, p);
? xB = 68; # Bob’s private key
? hB = g^xB # Bob’s public key
%2 = Mod(65, 809)
? k = 69; # Random integer
? c1 = g^k # Encryption
%3 = Mod(195, 809)
? c2 = m*(hB^k)
%4 = Mod(184, 809)
? c2/(c1^xB) # Decryption
%5 = Mod(100, 809)

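As an added example (not from the slides), the randomized scheme in Python with the slides' values $p = 809$, $g = 3$, $x_B = 68$, $k = 69$, which reproduces $c_1 = 195$ and $c_2 = 184$. The second encryption with $k = 70$ and the message value 321 are my own choices to show why the known-plaintext computation of the basic scheme no longer carries over to other messages.

```python
# Added example (not from the lecture slides): randomized Elgamal over Z_p^*.
# Requires Python 3.8+ for pow(x, -1, p).

import secrets


def encrypt(p, g, h_b, m, k=None):
    """Return (c1, c2) = (g^k, m * h_B^k) mod p; k is drawn fresh unless supplied."""
    if k is None:
        k = secrets.randbelow(p - 1)          # k <- Z_{p-1}, new for every message
    return pow(g, k, p), (m * pow(h_b, k, p)) % p


def decrypt(p, x_b, c1, c2):
    """m = c2 * (c1^{x_B})^{-1} mod p; only Bob's private key is needed."""
    return (c2 * pow(pow(c1, x_b, p), -1, p)) % p


def leaked_value(p, c2, m):
    """The computation c2 * m^{-1}: here it yields h_B^k, tied to one k only."""
    return (c2 * pow(m, -1, p)) % p


def demo():
    p, g, x_b = 809, 3, 68
    h_b = pow(g, x_b, p)                       # 65
    c1, c2 = encrypt(p, g, h_b, 100, k=69)     # the slides' ciphertext
    d1, d2 = encrypt(p, g, h_b, 100, k=70)     # same message, different k
    # Knowing m = 100 for (c1, c2) gives Eve h_B^69, which does not open (d1, d2).
    stale = leaked_value(p, c2, 100)
    guess = (d2 * pow(stale, -1, p)) % p       # equals 100 * h_B, not 100
    return c1, c2, decrypt(p, x_b, c1, c2), decrypt(p, x_b, d1, d2), guess


if __name__ == "__main__":
    print(demo())   # (195, 184, 100, 100, 28)
```

Reusing $k$ across two messages would make `guess` correct again, which is why a fresh $k$ per encryption is part of the scheme, not an optimisation.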
Elgamal Cryptosystem – Security [16.1.2]

What does Eve see?
  Public key: $h = g^x$ (dropping subscripts)
  $c_1 = g^k$
  $c_2 = m \cdot h^k = m \cdot g^{xk}$
Eve does not know $x$, $k$ and $m$
Eve's task is to retrieve $m$

Elgamal Cryptosystem – Security [16.1.2]

One way to find $m$ is to find $g^{xk}$
Eve can then compute

$c_2 \cdot (g^{xk})^{-1} \equiv m \cdot h^k \cdot (g^{xk})^{-1} \equiv m \cdot g^{xk} \cdot (g^{xk})^{-1} \equiv m \pmod p$

This can be done by solving the Diffie-Hellman problem:

Definition 2 (Diffie-Hellman Problem (DHP))
Given $g \in G$, $x = g^a$ and $y = g^b$, for unknowns $a$ and $b$ chosen at random from $\mathbb{Z}_q$, find $z$ such that $z = g^{ab}$.

Elgamal Cryptosystem – Security [16.1.2]

Breaking Elgamal reduces to solving DHP
i.e., given an algorithm $A$ that solves DHP, we can use it to break Elgamal:
  Give $h = g^x$ and $c_1 = g^k$ to $A$
  Receive $z = g^{xk}$ from $A$
  Compute $m' \equiv c_2 \cdot z^{-1} \pmod p$
  Output $m'$
As long as $A$ is correct, we can break Elgamal.

Elgamal Cryptosystem – Security [16.1.2]

What does Eve see?
  Public key: $h = g^x$ (dropping subscripts)
  $c_1 = g^k$
  $c_2 = m \cdot h^k = m \cdot g^{xk}$
Another way to retrieve $m$ is to find $k$ given $c_1 = g^k$.
Eve computes

$c_2 \cdot (h^k)^{-1} = m \cdot h^k \cdot (h^k)^{-1} \equiv m \pmod p$

Elgamal Cryptosystem – Security [16.1.2]

How can Eve find $k$ given $c_1 = g^k$?
By solving the Discrete Logarithm Problem (Definition 1)

Elgamal Cryptosystem – Security [16.1.2]

Breaking Elgamal reduces to solving DLP
i.e., given an algorithm $A$ that solves DLP, we can use it to break Elgamal:
  Give $c_1 = g^k$ to $A$
  Receive $k'$ from $A$
  Compute $m' \equiv c_2 \cdot (h^{k'})^{-1} \pmod p$
  Output $m'$
As long as $A$ is correct, we can break Elgamal.

Elgamal Cryptosystem – Security [16.1.2]

Another way of proving this:
  In this lecture, we showed that breaking Elgamal reduces to DHP
  It can be shown that DHP reduces to DLP
    If you know how to solve DLP, you can solve DHP
  Thus, breaking Elgamal reduces to DLP
    We have also shown this explicitly
Conclusion: Breaking Elgamal is no harder than solving DHP, which is no harder than solving DLP
DLP Attack Algorithms: Pollard's Rho Algorithm

Elgamal Cryptosystem [16.1.2]

Recall that $h \equiv g^x \pmod p$
This is another DLP instance
Observation: We can also break Elgamal (find $m$) by finding $x$
  Left as exercise

How do we find $x$ such that $h \equiv g^x \pmod p$?
Floyd's Cycle-Finding Algorithm [3.4]

Consider the DLP: $h \equiv g^x \pmod p$ over $\mathbb{Z}_p^*$ of order $n$
Let $S = \mathbb{Z}_p^*$
Let $f$ be a random map from $S$ to itself
Consider, for $i \geq 0$,

$x_{i+1} = f(x_i)$

If we start with $x_0$ randomly chosen from $S$, then

$x_0, x_1, x_2, \ldots$

is a random sequence (since $f$ is random)

Figure: An example random map $f$ from $S$ to $S$
Finding Collisions [3.4]

Pollard's rho algorithm finds collisions in the random sequence, i.e.,

$x_i = x_j,$

for some $j > i$
By the Birthday Paradox:
  We find a collision after $O(\sqrt{n})$ invocations of $f$
  But we also need to store $O(\sqrt{n})$ of the $x_i$'s
Cycles [3.4]

Since $S$ is finite, we must eventually have

$x_i = x_j,$

for some $j > i$
This means

$x_i = x_j$
$f(x_i) = f(x_j)$
$f(f(x_i)) = f(f(x_j))$
$\vdots$

Figure: Pollard's rho (the sequence $x_0, x_1, \ldots, x_{14}$ drawn as a tail followed by a cycle)
There's a cycle after an initial tail
Looks like the Greek symbol $\rho$
Floyd's Cycle-Finding Algorithm [3.4]

Track

$(x_1, x_2) = (f(x_0), f(f(x_0)))$
$(x_2, x_4) = (f(x_1), f(f(x_2)))$
$(x_3, x_6) = (f(x_2), f(f(x_4)))$
$\vdots$

Stop when $x_m = x_{2m}$, for some $m$
If $x_i = x_j$, for some $j > i$, then we should get $x_m = x_{2m}$ for some $m \geq i$
Example: If $x_7 = x_{17}$ then $x_{10} = x_{20}$

Floyd's Cycle-Finding Algorithm [3.4]

We find a collision after $m = O(\sqrt{n})$ steps
But we only require constant memory
We only store the current pair $(x_i, x_{2i})$
Pollard's Rho Algorithm [3.4]

How does it relate to DLP?
We divide $S = \mathbb{Z}_p^*$ into three disjoint sets $S_1, S_2, S_3$
We define the function $f$ as

$x_{i+1} \leftarrow f(x_i) = \begin{cases} h \cdot x_i & x_i \in S_1, \\ x_i^2 & x_i \in S_2, \\ g \cdot x_i & x_i \in S_3 \end{cases}$

This function behaves like a random walk over $S$
We start with $x_0 = 1 \in S_1$

Pollard's Rho Algorithm [3.4]

At each step $x_i$ is of the form

$x_i = g^{a_i} h^{b_i} = g^{a_i} (g^x)^{b_i} = g^{a_i + b_i x}$

for integers $a_i, b_i$
We keep track of the tuple $(x_i, a_i, b_i)$
We start with $(x_0, a_0, b_0) = (1, 0, 0)$

Pollard's Rho Algorithm [3.4]

At $x_m = x_{2m}$ (modulo $p$), we have

$g^{a_m + b_m x} = g^{a_{2m} + b_{2m} x} \pmod p$
Some More Group Theory I

Let $G$ be a group of order $n$ with generator $g$
We know that $g^n = e$, where $e$ is the identity element

Theorem 3
If $g^t = e$ for any $t > 1$, then $n$ divides $t$

Proof.
Suppose $n \nmid t$, then $t = kn + r$, for integers $k, r$ with $0 < r < n$. We get

$e = g^t = g^{kn+r} = (g^n)^k \cdot g^r = e^k \cdot g^r = g^r,$

which shows that $n$ is not the order of $g$, a contradiction.

Some More Group Theory II

Let $G$ be a group of order $n$ with generator $g$
We know that $g^n = e$, where $e$ is the identity element

Theorem 4
If $g^a = g^b$ for some integers $a, b$ then $a \equiv b \pmod n$

Proof.
$g^a = g^b \Rightarrow g^a \cdot (g^b)^{-1} = e \Rightarrow g^a \cdot g^{-b} = e \Rightarrow g^{a-b} = e.$
By Theorem 3, $n \mid (a - b)$, which means

$a - b \equiv 0 \pmod n \Rightarrow a \equiv b \pmod n$
Pollard's Rho Algorithm [3.4]

Since $g$ has order $n$,

$g^{a_m + b_m x} = g^{a_{2m} + b_{2m} x},$

means (from Theorem 4)

$a_m + b_m x \equiv a_{2m} + b_{2m} x \pmod n$
$\Rightarrow b_m x - b_{2m} x \equiv a_{2m} - a_m \pmod n$
$\Rightarrow (b_m - b_{2m}) x \equiv a_{2m} - a_m \pmod n$
$\Rightarrow x \equiv (a_{2m} - a_m) \cdot (b_m - b_{2m})^{-1} \pmod n$

(The last step needs $b_m - b_{2m}$ to be invertible modulo $n$; if it is not, restart the walk from a different $x_0$.)

Bottom line: We have used a collision to find the discrete logarithm $x$

Pollard's Rho Algorithm – Example [3.4]

Exercise: Go through the example in [Sma16, Section 3.4, p. 61]
In the example
  $p = 607$
  $g = 64$ with order $n = 101$
  $h = 122 \equiv g^x \pmod p$
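As an added example (not from the slides or the textbook), Pollard's rho with Floyd's cycle finding in Python, run on the textbook parameters $p = 607$, $g = 64$, $n = 101$, $h = 122$; it also carries out the reduction from the security slides, opening an Elgamal ciphertext in this subgroup by solving one DLP. The partition of $S$ by $x \bmod 3$ (with $1 \in S_1$, as on the slides), the random starting tuple in place of $(1, 0, 0)$, the seed 8, and the ciphertext values $k = 37$, $m = 200$ are my own choices.

```python
# Added example (not from the lecture or [Sma16]): Pollard's rho for the DLP
# h = g^x in a subgroup of Z_p^* of prime order n, plus the reduction
# "DLP solver => Elgamal breaker".  Requires Python 3.8+ for pow(d, -1, n).

import random


def step(x, a, b, g, h, p, n):
    """One application of f, carrying the exponents so that x_i = g^a h^b."""
    if x % 3 == 1:                            # S1: multiply by h  -> b + 1
        return (x * h) % p, a, (b + 1) % n
    if x % 3 == 0:                            # S2: square         -> 2a, 2b
        return (x * x) % p, (2 * a) % n, (2 * b) % n
    return (x * g) % p, (a + 1) % n, b        # S3: multiply by g  -> a + 1


def pollard_rho_dlog(g, h, p, n, seed=8):
    """Return x with g^x = h (mod p), where g has prime order n."""
    rng = random.Random(seed)                 # seeded only to make runs reproducible
    while True:
        # Random start x0 = g^a0 h^b0 (the slides use (1, 0, 0)).  Restarting
        # from a new x0 is the remedy when b_m - b_2m is 0 mod n.
        a0, b0 = rng.randrange(n), rng.randrange(n)
        tort = ((pow(g, a0, p) * pow(h, b0, p)) % p, a0, b0)
        hare = step(*step(*tort, g, h, p, n), g, h, p, n)
        while tort[0] != hare[0]:             # Floyd: compare x_m with x_2m
            tort = step(*tort, g, h, p, n)
            hare = step(*step(*hare, g, h, p, n), g, h, p, n)
        (_, a_m, b_m), (_, a_2m, b_2m) = tort, hare
        d = (b_m - b_2m) % n
        if d == 0:
            continue                          # this collision gives no information
        x = ((a_2m - a_m) * pow(d, -1, n)) % n
        if pow(g, x, p) == h:                 # Theorem 4 guarantees this; cheap to check
            return x


def break_elgamal_with_dlp(g, h, p, n, c1, c2):
    """Recover m from (c1, c2) = (g^k, m h^k) by solving c1 = g^k for k."""
    k = pollard_rho_dlog(g, c1, p, n)
    return (c2 * pow(pow(h, k, p), -1, p)) % p


def demo():
    p, g, n, h = 607, 64, 101, 122            # [Sma16, Section 3.4] example
    x = pollard_rho_dlog(g, h, p, n)
    # Elgamal in this subgroup with public key h: constructed ciphertext of m = 200
    k, m = 37, 200
    c1, c2 = pow(g, k, p), (m * pow(h, k, p)) % p
    return x, break_elgamal_with_dlp(g, h, p, n, c1, c2)


if __name__ == "__main__":
    x, m = demo()
    print(x, pow(64, x, 607) == 122, m)      # x, True, 200
```

Because $n = 101$ is prime, $b_m - b_{2m}$ is invertible whenever it is nonzero; for a composite order (such as $p - 1 = 808$ in the earlier toy example) the inverse may not exist and the restart branch matters more.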
Discrete Logarithm Attacks

Pollard's Rho Algorithm takes $O(\sqrt{2^l})$ time
  $l$ is the bit size of the group of order $n$ (approximately the same size as $q$, the largest prime factor of $p - 1$)
Other more efficient algorithms exist, e.g., Index Calculus [Sma16, Section 3.5]
However, all take time exponential in the input
Elgamal cryptosystem over $\mathbb{Z}_p^*$ requires a large key size, e.g., 2048-bit $p$
  Similar key sizes to RSA
Are there groups where DLP is harder? Hence requiring smaller keys
Elliptic Curve Cryptography

Elliptic Curve Over a Field

Definition 5 (Elliptic Curves)
An elliptic curve over a field $K$ (denoted $E(K)$) is given by the equation

$y^2 = x^3 + ax + b,$

where $a, b \in K$ and $4a^3 + 27b^2 \neq 0$.

Example 6
An elliptic curve over the field $\mathbb{Z}_p$, where $p$ is prime:

$y^2 = x^3 + ax + b \pmod p,$

and $a, b \in \mathbb{Z}_p$.

Example: Elliptic Curve Modulo p

Take $p = 5$ and define the curve

$E : y^2 = x^3 + 2x + 1 \pmod p$

The point $P = (1, 2)$ is on the curve:

$2^2 = 1^3 + 2 \cdot 1 + 1$

The point $P = (3, 3)$ is also on the curve:

$3^2 = 3^3 + 2 \cdot 3 + 1 \pmod 5$
The Elliptic Curve Abelian Group

We will define addition $+$ of any two points on $E(K)$ such that it becomes an Abelian group, i.e.:
  Closure: the result of adding two points is still in the group
  Existence of an identity point
  Existence of an inverse of each point
  Addition is commutative (Abelian)
  Addition is associative

Adding Two Different Points

Addition: $P + Q = R$, with $Q \neq \pm P$.
  Draw a line through $P$ and $Q$
  The line intersects the curve at a third point
  $R$ is the reflection of this point about the x-axis
Figure: The points $P$, $Q$ and $R = P + Q$ on the curve

Doubling: Adding the Same Point Twice

Doubling: $P + P = 2P = R$
  Draw the tangent line at $P$
  The line intersects the curve at a second point
  $R$ is the reflection of this point about the x-axis
Figure: The points $P$ and $R = 2P$ on the curve

Inverse and Identity

Point at infinity: $\infty$
Negatives:
  If $P = (x_1, y_1)$
  Then $-P = (x_1, -y_1)$
  Verify that $-P$ is on the curve
Draw a line through $P$ and $-P$
The line intersects the curve at the point at infinity $\infty$
$\infty$ is the identity element
Figure: $P = (x_1, y_1)$ and $-P = (x_1, -y_1)$ on the curve

Addition with the Point at Infinity

Point at infinity: $\infty$
$P + \infty = P$
Why?
  Draw a line through $P$ and $\infty$
  The line intersects the curve at a third point: $-P$
  The result is the reflection of $-P$ about the x-axis, i.e., $P$
Figure: $P$, $-P$ and the point at infinity on the curve
Algebraic Formulae

Geometric addition laws are equivalent to the following
Define: $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = P_1 + P_2 = (x_3, y_3)$
Then,

$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$

where $\lambda$ is the slope:

$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P_1 \neq \pm P_2 \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{otherwise} \end{cases}$

Algebraic Formulae

Important: The operations are over the field $K$
Example: Elliptic curve over modulus $p$
  $\dfrac{y_2 - y_1}{x_2 - x_1}$ is $y_2 - y_1$ times the inverse of $x_2 - x_1$ modulo $p$.

Algebraic Formulae: Example

$E : y^2 = x^3 + 2x + 1 \pmod 5$
$P_1 = (1, 2)$, $P_2 = (3, 3)$, and $P_3 = P_1 + P_2 = (x_3, y_3)$.
Then:

$\lambda = (y_2 - y_1)/(x_2 - x_1) = 1 \times 2^{-1} \pmod 5 = 2^{-1} \pmod 5 = 3$
$x_3 = \lambda^2 - x_1 - x_2 = 3^2 - 1 - 3 \pmod 5 = 0$
$y_3 = \lambda(x_1 - x_3) - y_1 = 3(1 - 0) - 2 \pmod 5 = 1$

Is $(0, 1)$ on the curve?
Scalar Multiplication

Definition 7
Given an integer $n$ and a point $P$ on the curve, the scalar multiplication is $P$ added to itself $n$ times:

$nP = \underbrace{P + \cdots + P}_{n \text{ times}}$

Note: $0P = \infty$.

Definition 8
The order of the point $P$ is the smallest positive integer $k$ such that $kP = \infty$.

From Lagrange's Theorem, if the number of points $p$ in the curve is a prime, then
  Every point $P$ (other than $\infty$) has order $p$
  Every point $P$ (other than $\infty$) is a generator.

PARI/GP

Consider: $E : y^2 = x^3 + 2x + 1 \pmod 5$
E = ellinit([2, 1], 5): Initialize curve
ellcard(E): Number of elements
P = [1, 2]: Defining the point P = (1, 2)
ellorder(E,P): Order of point P
ellisoncurve: Checking if a point is on the curve
elladd: Adding two points
ellmul: Scalar multiplication
Elliptic Curve Cryptography (ECC)

Use of elliptic curves in cryptography was first proposed in the mid 80's [Mil85, Kob87]
Why ECC?
  For the same complexity of a DLP attack, key sizes required in ECC are much smaller than in other cryptosystems

Elliptic Curve Cryptography – Efficiency

Elgamal cryptosystem is defined on $\mathbb{Z}_p^*$, $p$ a prime
  Order of this group is $p - 1$
  Sub-groups can be exploited to solve DLP
  So, both $p$ and the prime factors of $p - 1$ need to be large
ECC is defined on an elliptic curve modulo a prime $p$
  The order is $n$ (also a prime), which is (often) very close to $p$
  So, $p$ does not need to be much larger than $n$
Elliptic Curves – Review

Definition 9 (Elliptic Curves over $\mathbb{Z}_p$)
An elliptic curve $E$ over the field $\mathbb{Z}_p$, where $p$ is prime:

$y^2 = x^3 + ax + b \pmod p,$

and $a, b \in \mathbb{Z}_p$.

The number of points in $E$ is a prime $n$
  These are all points satisfying the equation plus the point at infinity
  We will denote the point at infinity by $[0]$
Every point $P$ other than $[0]$ has order $n$
  i.e., $nP = [0]$

Computing dP

We can modify the square-and-multiply algorithm (earlier lecture) to double-and-add
$d$ in binary: $d = (d_t d_{t-1} \cdots d_0)_2$.

Algorithm 1: Binary exponentiation: Left-to-right
  R ← [0]
  for i = t down to 0 do
    R ← 2R
    if d_i = 1 then
      R ← R + P
Elliptic Curve Elgamal – Setup

An elliptic curve over $\mathbb{Z}_p$, where $p$ is a prime
$P$ a point on the curve of prime order $n$
$P$ generates the group of points on $E$:

$\{[0], P, 2P, 3P, \ldots, (n-1)P\}$

$E$, $p$, $P$ and $n$ are public

Elliptic Curve Elgamal – Keys

Alice wants to send a secret message to Bob
Bob's private key:
  A random integer $x$ from $\mathbb{Z}_n^* = \{1, \ldots, n-1\}$
Bob's public key:
  $Q = xP$ (note $Q$ is a point on $E$)

Elliptic Curve Elgamal – Encryption

Alice encodes a message $m$ as a point $M$ on $E$
Alice chooses random $k \leftarrow \mathbb{Z}_n^*$
Alice computes
  $C_1 \leftarrow kP$
  $C_2 \leftarrow M + kQ$
Ciphertext is $(C_1, C_2)$

Elliptic Curve Elgamal – Decryption

Bob receives $(C_1, C_2)$
Bob computes $xC_1 = xkP$
Bob computes

$C_2 - xC_1 = M + kQ - xkP = M + kxP - xkP = M$

Bob decodes $M$ to $m$
Elliptic Curve Elgamal – Toy Example

Consider: $E : y^2 = x^3 + 2x + 1 \pmod 5$
We have $a = 2$, $b = 1$, $p = 5$, $P = (1, 2)$
message $M = (3, 2)$

? E = ellinit([a,b],p); # Initialize curve
? P = [1, 2]; # Generator P = (1, 2)
? M = [3, 2]; # Message M = (3, 2)
? ellorder(E,P) # Order n = 7
% = 7
? x = 4; # Private key
? Q = ellmul(E, P, x) # Public key Q = xP
% = [Mod(0, 5), Mod(4, 5)] # Q = (0, 4)

Elliptic Curve Elgamal – Toy Example

Encryption

? k = 6 # Random integer
? C1 = ellmul(E,P,k) # C1 = kP
% = [Mod(1, 5), Mod(3, 5)] # C1 = (1, 3)
? Q1 = ellmul(E, Q, k) # kQ
% = [Mod(0, 5), Mod(1, 5)] # kQ = (0, 1)
? C2 = elladd(E, M, Q1) # C2 = M + kQ
% = [Mod(1, 5), Mod(2, 5)] # C2 = (1, 2)

Elliptic Curve Elgamal – Toy Example

Decryption

? D = ellmul(E, C1, x) # xC1
% = [Mod(0, 5), Mod(1, 5)] # xC1 = (0, 1)
? nD = ellneg(E,D) # -xC1
% = [Mod(0, 5), Mod(4, 5)] # -xC1 = (0, 4)
? elladd(E, C2, nD) # C2 - xC1
% = [Mod(3, 5), Mod(2, 5)] # M = (3, 2)
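As an added example (not the lecture's PARI/GP session), the same computation done from first principles in Python: the chord-and-tangent formulae from the Algebraic Formulae slides, scalar multiplication by the left-to-right double-and-add of Algorithm 1, and EC Elgamal key generation, encryption and decryption, all checked against the toy curve $y^2 = x^3 + 2x + 1 \pmod 5$ with $P = (1, 2)$, $x = 4$, $k = 6$, $M = (3, 2)$. The `Curve` class and its method names are my own; the point at infinity $[0]$ is represented by `None`.

```python
# Added example (not from the lecture): elliptic-curve group law over Z_p,
# double-and-add, and EC Elgamal on the slides' toy curve.
# Requires Python 3.8+ for pow(x, -1, p).

INF = None   # the point at infinity, written [0] on the slides


class Curve:
    """y^2 = x^3 + a x + b over Z_p (affine coordinates)."""

    def __init__(self, a, b, p):
        assert (4 * a**3 + 27 * b**2) % p != 0, "singular curve"
        self.a, self.b, self.p = a, b, p

    def is_on_curve(self, pt):
        if pt is INF:
            return True
        x, y = pt
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, pt):
        """-P = (x, -y)."""
        return INF if pt is INF else (pt[0], (-pt[1]) % self.p)

    def add(self, p1, p2):
        """Chord through P1, P2 if P1 != +-P2, tangent at P1 if P1 == P2."""
        p = self.p
        if p1 is INF:
            return p2
        if p2 is INF:
            return p1
        (x1, y1), (x2, y2) = p1, p2
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF                          # P + (-P) = [0]; also covers y1 = 0
        if p1 == p2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, d, pt):
        """Algorithm 1: scan the bits of d from the top, double, then add on a 1."""
        r = INF
        for bit in bin(d)[2:]:
            r = self.add(r, r)
            if bit == "1":
                r = self.add(r, pt)
        return r

    def order(self, pt):
        """Smallest k >= 1 with kP = [0]; brute force, toy sizes only."""
        k, r = 1, pt
        while r is not INF:
            r, k = self.add(r, pt), k + 1
        return k


def ec_encrypt(E, P, Q, M, k):
    """(C1, C2) = (kP, M + kQ)."""
    return E.mul(k, P), E.add(M, E.mul(k, Q))


def ec_decrypt(E, x, C1, C2):
    """M = C2 - xC1."""
    return E.add(C2, E.neg(E.mul(x, C1)))


def demo():
    E = Curve(2, 1, 5)
    P, M, x, k = (1, 2), (3, 2), 4, 6           # values from the toy example
    Q = E.mul(x, P)                             # public key (0, 4)
    C1, C2 = ec_encrypt(E, P, Q, M, k)          # ((1, 3), (1, 2))
    return E.add((1, 2), (3, 3)), E.order(P), Q, C1, C2, ec_decrypt(E, x, C1, C2)


if __name__ == "__main__":
    print(demo())   # ((0, 1), 7, (0, 4), (1, 3), (1, 2), (3, 2))
```

The `x1 == x2` test before the division is the case split the slides' $\lambda$ formula leaves implicit: without it, adding $P$ to $-P$ (or doubling a point with $y_1 = 0$) would attempt to invert zero modulo $p$.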
Elliptic Curve Elgamal

The DLP attacks still apply to ECC
The curves have to be chosen carefully
  Some curves are more susceptible to attacks
For security similar to 2048-bit Elgamal, we need only a 224-bit elliptic curve Elgamal [HMV06]
  More computationally efficient
References

[HMV06] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Science & Business Media, 2006.
[Kob87] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203–209, 1987.
[Mil85] Victor S. Miller. Use of elliptic curves in cryptography. In Conference on the Theory and Application of Cryptographic Techniques, pages 417–426. Springer, 1985.
[Sma16] Nigel P. Smart. Cryptography Made Simple, volume 481. Springer, 2016.