S. Erfani, ECE Dept.

, University of Windsor

0688-590-18 Network Security

1- El Gamal and Digital Signature Algorithm

A public-key algorithm was devised in 1984 by T. El Gamal based on discrete
logarithms. The scheme is closely related to the Diffie-Hellman technique. It is
used in the Digital Signature Standard (DSS) by NIST.
1.1 El Gamal Algorithm
Step 1 Global Public Elements As with Diffie-Hellman, to generate a
key pair, first choose a prime number q and , a primitive root of q.
Step 2 Key Generation Alice selects a private key XA<Q and calculate
a public key YA as in Diffie_hellman
YA= XA
Independently, Bob also generates his public key YB and private key.
Step 3 User A Signs a Message Alice encrypts a plaintext M<q
intended for Bob as follows:
a) Choose a random integer k, 1kq
a) Compute:
K=(YB)k mod q
(C1, C2) where:
C1=k mod q
C2=KM mod q
These two numbers together make up the signature.
Step 4 User B Verifies the Signature Bob verifies the signature by
recovering the plaintext M as follows:
(a) Compute
K= (C1 )

XB

mod q

Which is
k
K= ( k ) X B mod q = ( X B )k mod q = (YB ) mod q

Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

(b) Compute
M=(C2K-1) mod q
Where K-1 is the multiplicative inverse of K.
Therefore:
(C2K-1) mod q=(KMK-1) mod q
=MKK-1 mod q
=M mod q
Note 1 This scheme is sometimes referred to as DSA stands for Digital
Signature Algorithm.
Note 2 The plaintext M is usually a digest of a message. It is seen that DSS
does not encrypt the digest. The input to the algorithm is the digest of the data
to sign, M, the key, YB and a random number, k. The output is a pair of numbers
C1, and C2, as shown in Fig. 1. There will be many ciphertexts that are
encryptions of the same digest, since the output depends on both the digest M
and on the random value k chosen by Alice.

Data to
sign
M

DSS
Algorithm

C1 :

Key, YB
C2 :

Random "k"
Fig. 1 DSS takes in three inputs and gives two numbers as a result

Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

Note 3 To defeat this scheme and infer the values of X B and k givenC1, C2 and
M, the intrude, Oscar, could find a means of computing a discrete logarithm to
solve
YB =

XB

and C1=k

Example 1 Consider an El Gamal scheme with a common prime q=71 and a

primitive root =7.
(a) If Bob has public key YB=3 and Alice chose the random integer k=2, what
is the ciphertext of M=30?
(b)

If Alice now chooses a different value of k, so that the encoding of M=30

is C=(59, C2), what is the integer C2?

Solution
K=(YB)k mod q=32 mod 71=9

(a)

C1=k mod q=72 mod 71=49

C2=KM mod q=930 mod 71
=270 mod 7157
(b) In this case we have
C1=59=k mod q=7k mod 71
We need to solve a discrete logarithm to find k. It can be shown that k=3
because:
73 mod 71=343 mod 71=59=C1
k

K= YB mod q=33 mod 71

=27
C2=KM mod 71=2730 mod 71
=810 mod 7129
Note 4 Informally, this is how the El Gamal algorithm works: The plaintext M is
k
masked by multiplying it by YB , yielding C2. The value C1=k is also transmitted

Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

k
as past of the ciphertext. Bob who knows the private key, X B, can compute YB
k
from C1. Then he can remove the mask by dividing C 2 by YB to obtain M.

Note 5 The El Gamal cryptosystem can be defined mathematically as follows:

El Gamal Cryptosystem
Let q be a prime such that the discrete logarithm problem in (Zq,.) is infeasible
and let Zq be a primitive element. Let P=Zq, C=ZqZq, and define
K={(q, , XB, YB): YB= X B mod q}.
The values q, and YB are the public key and XB is the private key.
For K=(q, , XB, YB), and for a (secret) random number kZq-1, define
ek(x, k)=(C1, C2)
where
C1=k mod q
k

C2=x YB mod q
For C1 and C2Zq , define
X 1
k(C1, C2)=C2 (C1 B ) mod q

Example 2 Suppose q=2579 and =2. Is a primitive element modulo q. Let

XB=7. Now, suppose that Alice wishes to send the message M=1299 to Bob. Say
k=853 is the random integer she chooses. Show the steps in El Gamal algorithm.
Solution
XB=765, =2, q=2579
YB= X B mod q=2765 mod 2579 949
K=(YB)k mod q = (949)853 mod 2579
C1 = k mod q = 2853 mod 2579 435
Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

C2=KM mod q =1299949853 mod 2579 2396

When Bob receives the ciphertext (C1, C2)=(435, 2396), He computes:
M=(C2K-1) mod q = 2396(435765)-1 mod 2579 =1299,
Which was the plaintext that Alice encrypted.
1.2- Digital Signature Algorithm(DSA)
The U.S. Digital Signature Algorithm is the El Gamal algorithm with a few
restrictions:
(a)

The size of q is specifically fixed at 2 511<q<2512 (so that q is roughly 170

decimal digits long).

(b)

The large prime factor of (q-1) is chosen, so that 2 519<p<2160.

(c)

The algorithm uses a hash value instead of the full message plaintext M.

(d)

The computations of C1 and C2 are taken mod p instead of mod q.

2- Elliptic Curve Cryptography

The vast majority of the products and standards that use public key cryptography
for encryption and digital signatures use RSA. Recently, a competing system has
begun to challenge RSA: elliptic curve cryptography (ECC, or EC for short).
Already, ECC is showing up in standardization efforts, including the IEEE P1363
standards for public-key cryptography.
This scheme is based on solutions to elliptic curves modulo a prime p. We
begin looking briefly at elliptic curves defined over the real numbers and
move on to operations defined for elliptic curve modulo a prime p.
2.1- Elliptic Curves over the Reals
Elliptic curves are described by the set of solutions to certain equations in two variables.
In general, cubic equations for elliptic curves take the form:
y2 + axy + by = x3 + cx2 + dx + e
where a, b, c, d, and e are real numbers that satisfy some simple conditions. They get
the name because they used for calculating the circumference of an ellipse.
Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

Note 1: It can be shown that the cubic equation

x3 + cx2 + dx + e = 0
can be reduced to the canonical form:
x3 + px + q = 0
to be solved.
Proof:
Let X = x + c/3 in the above equation we get:
X3 + (d c2/3)X + (e cd/3 + 2c3/27) = 0

p d c 2 / 3

q e cd / 3 2c 3 / 27
Solutions of the original cubic are then in terms of the canonical cubic roots. The
three roots of the canonical cubic are:
X1 = (A)1/3 + B1/3
X2 = W (A)1/3 + W2 (B)1/3
X3 = W2 (A)1/3 + W (B)1/3
Where
A ( 1 / 2) q 1 / 6 (4 p 3 27 q 2 ) / 3
B ( 1 / 2) q 1 / 6 (4 p 3 27 q 2 ) / 3
W (1 i 3 ) / 2, W 2 (1 i 3 ) / 2

Where 4p3 + 27q2 0, A is complex.

Note 2: For ECC, we are concerned with a restricted form of elliptic curve that is
defined over a finite field. More specifically:
Def. Let a, b

R be constants

such that 4a3 + 27b20. A non-singular elliptic curve is the set E of solutions (x, y)
R x R to the equation
y2 = x3 + ax + b
Oct. 15, 03
together with a special point called the point at infinity denoted
easily regarded as sitting at the top of the y-axis.

6
which is most

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

P
R
Q
x
-2

R
-P

Figure 2 Adding Points on an Elliptic Curve

Note 3 Elliptic curves are not ellipses. They receive their name from their
relation to elliptic integrals such as

x2

x1

dx
x 3 ax b

and

x2

x1

xdx
x 3 ax b

and arise

in the computation of the arc length of ellipses.

2- Adding Points on an Elliptic Curve
Let us find the addition rules over E for all points P, Q E, where P= (x1, y1) and
Q = (x2, y2). The rules for addition over E correspond to the geometric technique
illustrated in Figure 2. Given two points P and Q on E, to obtain a third point R(x3,
y3) on E draw the line L through P and Q, the line L intersects E in a third point
R, reflect R through the x-axis (i.e., change y3 to y3) to get R. Define the law of
addition by P+Q=R. We consider three cases:
1.
x 1 x2
2.
x1 = x2 and y1 = -y2
3.
x1 = x2 and y1 = y2
Case 1:
Let L to be the line through P and Q. L intersects E in the two points P and Q,
and it is easy to see that L will intersect E in one further point, which we call R.
We reflect R in the x-axis, then we get a point which we call R. We define
P+Q=R to compute coordinates of R, i.e., (x3, y3) note that equation for line L is
L:
y = x +
Where = (y2-y1)/(x2-x1)
= y1-x1 = y2 x2
Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

To find the coordinates of R, (x3, y3), which are the intersection of line L and
curve E, we substitute equation for line L into the equation for E:
L:
E:

y = x +
y2 = x3 + ax + b

(x + )2 = x3 + ax + b
x3 - 2x2 + (a - 2)x + (b - 2) = 0
The roots are x-coordinates of points in L
Therefore

E, i.e., P, Q, and R.

x1 + x2 + x3 = 2
x 3 = 2 - x 1 - x 2
To find y3, note that slope of line L, i.e. can be determined by any two points on
this line. We will denote the y-coordinate of R by y3, so the y-coordinate of R
will be y3. If we use the points (x1, y1) and (x3, -y3) to compute this slope, we
get
= (-y3-y1)/(x3-x1)
y3 = (x1-x3) y1
Thus, we have derived a formula for P+Q in case 1, when x1x2, for
(x1, y1) + (x2, y2) = (x3, y3) as:

x3 2 x1 x2

y3 ( x1 x3 ) y1
( y y ) /( x x )
2
1
2
1

Case 2:
x1 = x2 and y1 = -y2
If we try to add P , we get a line through and P, which is vertical. It
intersects E in P(x1, y1) and also in P in (x1, -y1), (see Fig. 2). When we reflect
(x1,-y1) across the x-axis, we get back P (x1,y1). Therefore, P P . Now, try to
add P and P. The line through (x1,y1) and (x1,-y1) is vertical, so the third point of
intersection with E is . The reflection across the x-axis is still . Therefore, in
this case, we define
Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

(x, y) + (x, -y) = (Point at infinity) for all (x, y) E Therefore,

(x, y) and (x, -y) are inverses with respect to the elliptic curve
addition operation.
The point at infinity, , will be defined as the identity element, so
P+ = +P =P
+ =

P E

P + (-P) =

Case 3:
x1 = x2, y1 = y2
That is adding a point P to itself. In this case, the line L in case 1 is to be tangent
to E at the point E. The slope L can be computed using implicit differentiation of
equation of E:
2y dy/dx = 3x2 + a
Substituting x = x1, y=y1, we get the slope of the line L as:
= (3x12 + a) / 2y1
The rest is identical to case 1.
Def. Addition Law Let E be given by y 2 x 3 ax b and Let P(x1,y1) and let
Q(x2,y2) be on E. Then:
P Q R ( x3 , y 3 )

where

x3 2 x1 x2

y3 ( x2 x3 ) y1
(y2-y1)/(x2-x1) if P Q
=

(3x12+a)/(2y1) if P = Q

Oct. 15, 03

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

If the slop is infinite, then R (point at the infinity). There is one additional
law:
P P

P E

Note 4 -

( P Q ) R P (Q R )

PQ Q P
3- Elliptic Curves Modulo a Prime

Associative Law
Commutative Law

Let p3 be a prime. The elliptic curve

y2 = x3 + ax + b
over Zp is the set of solutions (x, y) ZpX
to the congruence
y2 = x3 + ax + b (mod p)
where a, b, Zp are constants such that 4a3 + 27b2 / 0 (mod p), together
with a special point called the point at infinity.
Example 1 Lets take the following elliptic curve and apply to it the modulus 11.
y2 mod 11 = (x3 + x + 2) mod 11
check to see if point P = (9, 5) is on the curve :
25 mod 11 = (729 + 9 + 2) mod 11
25 mod 11 = 740 mod 11
3 mod 11 (67 x 11 + 3) = 3 mod 11
We can find other points on the curve. For instance:
(1, 2)
(6, 2)
(1, 9)

(6, 9)

(2, 1)

(8, 4)

(4, 2)

(9, 5)

(4, 9)

(9, 6)
infinity

Lets multiply point P1 = ( 4, 2 ) by k = 3 :

kP1 = 3 x ( 4, 2) = P1 + P1 + P1
Oct. 15, 03

10

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

P1 + P1 P2 [(4, 2) + (4, 2) ] mod 11

We can easily find P2 using the following addition rule :

x2 2 2x1 (mod p)
y2 (x1 x2) y1 (mod p)
(3x12 + a) / 2y1 (mod p)
That is :
3x(42+1) / (2 x 2) mod 11 49/4 mod 11
5 x 4-1 mod 11 = 5x3 mod 11 4
x2 (42 2 x 4) mod 11 = 8
y2 [4 (4 8) 2 ] mod 11 -7 mod 11 = 4
P1 + P2 = P2 = (8, 4)
P2 + P1 = P3 = (8, 4) + (4, 2) = (x3, y3)
Where
x3 = 2 x1 - x2 62 8 4 2
y3 = (x1 x3) y1 = 6(8-2)-410
= (y2-y1)/(x2-x1) = (2-4)/(4-8) 1x2-1 mod 11 6
Thus, kP1 = 3 x (4, 2) = (2, 10). The multiplier k (i.e., 3 in the example) is known as a
scalar.
Note 5 The addition of points on an elliptic curve over Z p does not have the nice
geometric interpretation that it does on an elliptic curve over the reals.
However, the same formulas are used to define addition.
Note 6 The addition operation in ECC is the counterpart of modular multiplication in
RSA, and multiple addition is the counterpart of modular exponentiation.
Oct. 15, 03

11

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

Note 7 To form a cryptographic system using elliptic curves, we need to have a hard
problem corresponding to factoring the product of two primes or taking the
discrete logarithm. For example consider the equation Q = kP, where Q, P
E and k < p. It is relatively easy to calculate Q given k and P, but it is
relatively hard to determine k given Q and P.
4- The ECC DiffieHellman Algorithm
Step 1 Pick a prime number p and elliptic curve parameters a and b for equation
y2 3 + a + b ( mod p )
Pick a generator point P = (1, y1) in E.
The integers a and b, prime number p, and generator point P are parameters of
the cryptosystem known to all participants.
Step 2 Alice selects an integer dA and generates a public key QA = dA x P. The key QA is
a point in E. dA is Alices private key.
Step 3 Similarly, Bob selects a private key dB and computes a public key QB = dB x P.
Step 4 Alice generates the secret key K as
K = dA x QB = dA x dB x P
Independently, Bob also generates the secret key K as
K = dB x QA = dB x dA x P
That is the same thing Alice computed.
Note 8 Since that secret key K is another point on the elliptic curve, and we need just a
number,. Alice and Bob need to decide beforehand which coordinates of or y
to use. The most common way is to use the x-coordinate, and ignore the ycoordinate.
Example 2 Take p = 211, a = 0, b = -4, and P = ( 2, 2 ). Alice selects dA = 121 as her
private key. So her public key is :
QA = dA x P 121 x ( 2, 2 ) mod 211 = ( 115 , 48 )
Bob picks dB = 203 as his private key. His public key can be computed as:
QB = dB x P = 203 x (2, 2) mod 211 ( 130, 203 ).
Therefore the shared secret key K is
K = dA x QB = dB x QA = 121 x ( 130 , 203 ) = 203 x ( 115, 48 ) = (161, 169).

Oct. 15, 03

12

S. Erfani, ECE Dept., University of Windsor

0688-590-18 Network Security

Note 9 The security of ECC depends on how difficult it is to determine k given kP and
P. This is referred to as the elliptic curve logarithm problem. It can be shown
that a considerably smaller key size can be used for ECC compared to RSA.
Furthermore, for equal key lengths, the computational efforts required for ECC
and RSA is comparable. Thus it appears that there is a computational
advantage to using ECC with a shorter key length than a comparably secure
RSA.

Oct. 15, 03

13