The ElGamal cryptosystem

The math and definitions explained

In cryptography, we often encrypt and sign messages that contain characters. However, asymmetric key cryptosystems (where Alice and Bob use different keys), such as RSA and ElGamal, are based on arithmetic operations on integers. Symmetric key cryptosystems (where Alice and Bob use the same key), such as DES and AES, are based on bitwise operations on bits (a bit is either 0 or 1 and is an abbreviation for binary digit). Therefore, we must convert characters into integers or bits before applying the cryptosystem to the message.

Because a computer can only handle bits, there already exists a method for converting characters into integers or bits, which uses the ASCII (American Standard Code for Information Interchange) table. A part of the ASCII table from Wikipedia is shown in the following table (note that the binary representation on the Wikipedia site uses only seven bits, but we use eight bits by prepending an extra 0):

Character Decimal Hexadecimal Binary
(space) 32 20 00100000
! 33 21 00100001
\( \vdots \) \( \vdots \) \( \vdots \) \( \vdots \)
A 65 41 01000001
B 66 42 01000010
\( \vdots \) \( \vdots \) \( \vdots \) \( \vdots \)
a 97 61 01100001
b 98 62 01100010
\( \vdots \) \( \vdots \) \( \vdots \) \( \vdots \)

For example, if Alice wants to send the message "Hey Bob!" encrypted to Bob using a symmetric key cryptosystem, she first converts it into its integer representation and then into its binary representation:

\( \eqalign{ H &\rightarrow 72 &&\rightarrow 01001000 \\ e &\rightarrow 101 &&\rightarrow 01100101 \\ y &\rightarrow 121 &&\rightarrow 01111001 \\ &\rightarrow 32 &&\rightarrow 00100000 \\ B &\rightarrow 66 &&\rightarrow 01000010 \\ o &\rightarrow 111 &&\rightarrow 01101111 \\ b &\rightarrow 98 &&\rightarrow 01100010 \\ ! &\rightarrow 33 &&\rightarrow 00100001 } \)

That is, the message "Hey Bob!" is represented with integers as "72 101 121 32 66 111 98 33" and in binary as "01001000 01100101 01111001 00100000 01000010 01101111 01100010 00100001".

While ASCII is sufficient for basic English text, modern cryptographic applications often need to handle international characters. Unicode standards like UTF-8 extend ASCII and can encode virtually all characters from all writing systems. In UTF-8, ASCII characters still use a single byte, while other characters may use 2-4 bytes.

Modern cryptographic algorithms typically operate on bytes (8-bit units) or words (groups of bytes). The binary representation shown above organizes characters into bytes, which serve as the fundamental unit for cryptographic operations in algorithms like AES, where data is processed in 128-bit (16-byte) blocks.

Notice the relationship between the different representations:

  • The decimal form is what computers process mathematically
  • The hexadecimal form (base 16) provides a more compact representation where each hex digit represents exactly 4 bits
  • The binary form (base 2) shows the actual bit pattern stored in memory

It's important to note that encoding (converting characters to numbers or binary) is not the same as encryption. Encoding is a standardized, reversible process with no secret key. Anyone knowing the encoding scheme can decode the message. Encryption, on the other hand, requires a key to reverse the process, providing actual security.

Related Encoding Schemes in Cryptography

Several other encoding schemes are commonly used in cryptographic applications:

  • Base64: Often used to encode binary data (like encryption keys or encrypted messages) into ASCII text for safe transmission over text-based channels
  • Hex encoding: Frequently used to represent hashes, keys, and other binary values in a human-readable format
  • Block padding: Many cryptographic algorithms operate on fixed-size blocks (e.g., AES uses 128-bit blocks), requiring messages to be padded to the appropriate length

The exponent of a number indicates how many times the number is multiplied by itself. For example:

\( 4^{3} = 4 \cdot 4 \cdot 4 = 64 \)

Here, 3 is the exponent (or power), and 4 is the base. In words, we say "4 to the power of 3."

Here are the laws of exponents:

Law Example
\( x^{1} = x \) \( 3^{1} = 3 \)
\( x^{0} = 1 \) \( 4^{0} = 1 \)
\( x^{-1} = \frac{1}{x} \) \( 5^{-1} = \frac{1}{5} \)
\( x^{m} \cdot x^{n} = x^{m+n} \) \( x^{2} \cdot x^{3} = (x \cdot x) \cdot (x \cdot x \cdot x) = x \cdot x \cdot x \cdot x \cdot x = x^{5} = x^{2+3} \)
\( \frac{x^{m}}{x^{n}} = x^{m-n} \) \( \frac{x^{4}}{x^{2}} = \frac{x \cdot x \cdot x \cdot x}{x \cdot x} = x \cdot x \cdot \frac{x \cdot x}{x \cdot x} = x \cdot x \cdot 1 = x^{2} = x^{4-2} \)
\( (x^{m})^{n} = x^{m \cdot n} \) \( (x^{2})^{3} = (x \cdot x) \cdot (x \cdot x) \cdot (x \cdot x) = x \cdot x \cdot x \cdot x \cdot x \cdot x = x^{6} = x^{2 \cdot 3} \)
\( (x \cdot y)^{n} = x^{n} \cdot y^{n} \) \( (x \cdot y)^{2} = (x \cdot y) \cdot (x \cdot y) = x \cdot x \cdot y \cdot y = x^{2} \cdot y^{2} \)
\( (\frac{x}{y})^{n} = \frac{x^{n}}{y^{n}} \) \( (\frac{x}{y})^{3} = (\frac{x}{y}) \cdot (\frac{x}{y}) \cdot (\frac{x}{y}) = \frac{x \cdot x \cdot x}{y \cdot y \cdot y} = \frac{x^{3}}{y^{3}} \)
\( x^{-n} = \frac{1}{x^{n}} \) \( x^{-3} = (x^{-1})^{3} = (\frac{1}{x})^{3} = \frac{1}{x} \cdot \frac{1}{x} \cdot \frac{1}{x} = \frac{1 \cdot 1 \cdot 1}{x \cdot x \cdot x} = \frac{1}{x^{3}} \)
\( x^{\frac{1}{n}} = \sqrt[n]{x} \) \( 9^{\frac{1}{2}} = \sqrt{9} = 3 \)
\( x^{\frac{m}{n}} = \sqrt[n]{x^m} = (\sqrt[n]{x})^m \) \( 8^{\frac{2}{3}} = \sqrt[3]{8^2} = \sqrt[3]{64} = 4 \)
Exponentiation in Modular Arithmetic

In cryptography, we often compute exponents in modular arithmetic:

\( a^b \mod n \) means raising \(a\) to power \(b\) and then taking the remainder when divided by \(n\)

Example: \( 3^4 \mod 7 = 81 \mod 7 = 4 \)

The same exponent rules apply in modular arithmetic:

\( (a^m \cdot a^n) \mod n = a^{m+n} \mod n \)

\( (a^m)^n \mod p = a^{m \cdot n} \mod p \)

Importance in Cryptography

These exponent rules are fundamental to many cryptographic algorithms:

  • RSA: Uses the property that \((m^e)^d \mod n = m^{e \cdot d} \mod n\)
  • Diffie-Hellman: Relies on \((g^a)^b \mod p = g^{ab} \mod p = (g^b)^a \mod p\)
  • Fast exponentiation: Used for efficient computation of large powers in cryptographic operations
Computing Large Exponents Efficiently

For cryptographic applications, we need to efficiently compute large exponents. The square-and-multiply algorithm lets us calculate \(x^n\) with only \(O(\log n)\) multiplications:

  1. Convert the exponent to binary representation
  2. Start with result = 1
  3. For each bit in the exponent (from left to right):
    • Square the result
    • If the current bit is 1, multiply by the base

Example: To compute \(3^{13}\), we use binary 13 = 1101:
result = 1
bit 1: result = \( 1^{2} \times 3 = 3 \)
bit 1: result = \( 3^{2} \times 3 = 27 \)
bit 0: result = \( 27^{2} = 729 \)
bit 1: result = \( 729^{2} \times 3 = 1,594,323 \)

You already use modulo computation when you look at a clock and, for example, need to figure out what time it will be 3 hours after 11 o'clock, which is 2 o'clock. In mathematics, we write this as:

\( (11 + 3) \: mod \: 12 = 2 \)

Here, 12 is the modulus because we want the time as an integer between 0 and 11 (in this case, 12 o'clock is denoted by 0). In words, we say "11 plus 3 modulo 12 equals 2." The result of a modulo computation is an integer between 0 and the modulus minus 1. For example, with modulus 3, we have:

  • \( 1 \: mod \: 3 = 1 \)
  • \( 2 \: mod \: 3 = 2 \)
  • \( 3 \: mod \: 3 = 0 \)
  • \( 4 \: mod \: 3 = 1 \)
  • \( 5 \: mod \: 3 = 2 \)
  • \( 6 \: mod \: 3 = 0 \)
  • etc.

For example, if we look at \( 27 \: mod \: 5 \), modulo computes how many times 5 divides into 27 and then returns the remainder, which is 2 in this case. That is, \( 27 \: mod \: 5 = 2 \). But how do we get this result?

First, we compute how many times we can multiply 5 by an integer \( x \) so that the result is as close as possible to 27 without exceeding it. In other words, we find the maximum value of \( x \) such that \( 5 \cdot x \leq 27 \). In this case, \( x = 5 \) because \( 5 \cdot 5 = 25 \leq 27 \). Then, by subtracting 25 from 27, we get the answer: \( 27 - 25 = 2 \).

If the integer is negative, for example \( -27 \: mod \: 5 \), we have to do it slightly differently, and the answer is \( -27 \: mod \: 5 = 3 \). In this case, the integer \( x \) is negative and should be the closest integer such that \( 5 \cdot x \) does not exceed -27. That is, we find the minimum value of \( -x \) such that \( 5 \cdot -x \geq -27 \). Here, \( -x = -6 \) because \( 5 \cdot -6 = -30 \geq -27 \). Then, by subtracting -30 from -27, we get the answer: \( -27 - (-30) = -27 + 30 = 3 \).

It is important that \( x \) or \( -x \) is an integer such as \( -14, 3, 17 \), etc., and NOT a fraction or decimal such as \( \frac{1}{4}, \frac{-3}{7}, 2.5, 5.1 \), etc.

If two integers \( a \) and \( b \) modulo the same modulus \( c \) return the same remainder \( r \), then we say that \( a \) and \( b \) are congruent modulo \( c \). That is, if \( a \: mod \: c = r \) and \( b \: mod \: c = r \), then \( a \equiv b \: (mod \: c) \). Also, notice that if the modulus \( c \) is greater than the integer \( a \), i.e., \( c > a \), the result will always be \( a \: mod \: c = a \).

Properties of Modular Arithmetic

Modular arithmetic has several important properties that make it useful in cryptography:

  • Addition: \((a + b) \: \text{mod} \: n = ((a \: \text{mod} \: n) + (b \: \text{mod} \: n)) \: \text{mod} \: n\)
  • Subtraction: \((a - b) \: \text{mod} \: n = ((a \: \text{mod} \: n) - (b \: \text{mod} \: n)) \: \text{mod} \: n\)
  • Multiplication: \((a \cdot b) \: \text{mod} \: n = ((a \: \text{mod} \: n) \cdot (b \: \text{mod} \: n)) \: \text{mod} \: n\)
  • Exponentiation: \(a^b \: \text{mod} \: n = (a \: \text{mod} \: n)^b \: \text{mod} \: n\)

These properties allow us to perform calculations on smaller values rather than potentially very large ones, which is essential in cryptographic algorithms.

Modular Inverse

A modular inverse of an integer \(a\) with respect to modulus \(n\) is an integer \(a^{-1}\) such that:

\(a \cdot a^{-1} \equiv 1 \: (\text{mod} \: n)\)

The modular inverse exists if and only if \(a\) and \(n\) are coprime (i.e., their greatest common divisor is 1). Finding modular inverses is crucial in cryptography, particularly in algorithms like RSA where we need to find \(d\) such that \(e \cdot d \equiv 1 \: (\text{mod} \: \phi(n))\).

Important Theorems in Modular Arithmetic

Fermat's Little Theorem: If \(p\) is a prime number and \(a\) is not divisible by \(p\), then \(a^{p-1} \equiv 1 \: (\text{mod} \: p)\).

Euler's Theorem: If \(a\) and \(n\) are coprime, then \(a^{\phi(n)} \equiv 1 \: (\text{mod} \: n)\), where \(\phi(n)\) is Euler's totient function.

These theorems are fundamental to understanding and implementing many cryptographic algorithms, especially RSA.

Applications in Cryptography

Modular arithmetic is fundamental to many cryptographic algorithms:

  • RSA: Relies on modular exponentiation for encryption and decryption
  • Diffie-Hellman: Uses modular exponentiation for key exchange
  • ElGamal: Employs modular arithmetic for public-key encryption
  • Digital Signatures: Many signature schemes use modular operations
  • Hash Functions: Often incorporate modular operations in their compression functions

A prime number is an integer greater than 1 that can only be divided evenly by 1 and itself. "Divided evenly" means the result is an integer, not a float. For example, if you divide 13 by 3, you get the float \( \frac{13}{3} = 4.333 \). We see that 13 is a prime number because it can only be divided evenly by 1 and itself: \( \frac{13}{1} = 13 \) and \( \frac{13}{13} = 1 \).

If an integer is not a prime number, it is called a composite number. For example, the integer 6 is a composite number because it can be divided evenly by 1, 2, 3, and 6:

\( \frac{6}{1} = 6 \), \( \frac{6}{2} = 3 \), \( \frac{6}{3} = 2 \), and \( \frac{6}{6} = 1 \)

The term "composite" means "something made by combining things." So, a composite number is an integer made by multiplying prime numbers:

  • 2 is a prime
  • 3 is a prime
  • 4 is composite: \( 2 \cdot 2 = 4 \)
  • 5 is a prime
  • 6 is composite: \( 2 \cdot 3 = 6 \)
  • 7 is a prime
  • 8 is composite: \( 2 \cdot 2 \cdot 2 = 8 \)
  • 9 is composite: \( 3 \cdot 3 = 9 \)
  • etc.

Therefore, every integer greater than 1 is either a prime number or a product of prime numbers (a composite number).

The famous Greek mathematician Euclid proved that there are infinitely many prime numbers.

Michael Rabin and Gary Miller developed an algorithm that determines whether an integer is a prime or a composite number by testing the integer with multiple bases, denoted by \( a \). The algorithm is called the Rabin-Miller primality test.

The Fundamental Theorem of Arithmetic

Every integer greater than 1 can be expressed as a unique product of prime numbers (up to the order of the factors). This fundamental property makes prime numbers the "building blocks" of all natural numbers and is crucial for many cryptographic applications.

Importance in Cryptography

Prime numbers form the foundation of many cryptographic systems:

  • RSA encryption relies on the difficulty of factoring the product of two very large primes
  • Diffie-Hellman key exchange uses prime numbers to create secure shared secrets
  • Elliptic curve cryptography often works over finite fields of prime order
  • Digital signature algorithms like DSA and ECDSA use primes in their mathematical operations
Primality Testing

Determining whether a number is prime is crucial in cryptography. Several methods exist:

  • Trial division: Dividing by all integers up to the square root (inefficient for large numbers)
  • Fermat primality test: Based on Fermat's Little Theorem, but can be fooled by Carmichael numbers
  • Miller-Rabin test: A probabilistic algorithm that can determine primality with high confidence
  • AKS primality test: The first deterministic polynomial-time algorithm for primality testing

The Miller-Rabin test is particularly useful because it's efficient and can achieve any desired level of certainty by increasing the number of test rounds.

Special Types of Primes in Cryptography
  • Safe primes: Primes p where (p-1)/2 is also prime. Used in Diffie-Hellman key exchange.
  • Strong primes: Primes with certain properties that make them resistant to specific factoring algorithms, often used in RSA.
  • Sophie Germain primes: Primes p where 2p+1 is also prime, useful for cryptographic applications.
  • Mersenne primes: Primes of the form 2n-1, which allow for efficient arithmetic operations.
Definition

The greatest common divisor (GCD) of two or more integers is the largest positive integer that divides each of the given integers without a remainder. It is denoted as \(\gcd(a, b)\) or sometimes as \((a, b)\).

Formally, for two integers \(a\) and \(b\), not both zero, \(\gcd(a,b)\) is the largest positive integer \(d\) such that \(d|a\) and \(d|b\) (where \(d|a\) means "\(d\) divides \(a\)" or "\(a\) is divisible by \(d\)").

Before we describe what the greatest common divisor of two integers is, we first define what we mean by a divisor. In this context, a divisor of an integer \( x \) is any integer that divides \( x \) evenly, meaning the result is not a fraction. For example, if you divide \( x=12 \) by 5, you get the fraction \( \frac{12}{5} = 2.4 \), so 5 is not a divisor of \( x=12 \). For \( x=12 \), the divisors are 1, 2, 3, 4, 6, and 12 because \( \frac{12}{1} = 12 \), \( \frac{12}{2} = 6 \), \( \frac{12}{3} = 4 \), \( \frac{12}{4} = 3 \), \( \frac{12}{6} = 2 \), and \( \frac{12}{12} = 1 \).

Similarly, the divisors of 16 are 1, 2, 4, 8, and 16 because \( \frac{16}{1} = 16 \), \( \frac{16}{2} = 8 \), \( \frac{16}{4} = 4 \), \( \frac{16}{8} = 2 \), and \( \frac{16}{16}=1 \).

The greatest common divisor of 12 and 16 is therefore 4, because it is the largest integer among their common divisors. In mathematics, we write this as \( \gcd(12, 16) = 4 \).

Two integers whose greatest common divisor is 1 are called relatively prime numbers or co-primes. For example, 15 and 28 are relatively prime because \( \gcd(15, 28) = 1 \) (note that 28 is not a prime number).

If one of the two integers is a prime number, the greatest common divisor will always be 1, i.e., \( \gcd(a, p) = 1 \), where \( a \) is any integer (either prime or composite) and \( p \) is a prime number.

Key Properties
  • \(\gcd(a,b) = \gcd(b,a)\) (Commutativity)
  • \(\gcd(a,b) = \gcd(a-b,b)\) when \(a \geq b\) (Subtraction property)
  • \(\gcd(a,b) = \gcd(a \bmod b, b)\) when \(b \neq 0\) (Basis of the Euclidean algorithm)
  • \(\gcd(a,0) = |a|\) for any \(a\) (Base case)
  • If \(p\) is prime and \(p\) doesn't divide \(a\), then \(\gcd(a,p) = 1\)

One method to compute the greatest common divisor of two integers is by using the Euclidean algorithm, developed by the famous Greek mathematician Euclid. See "The extended Euclidean algorithm" for more information about how to compute the greatest common divisor of two integers.

The Euclidean Algorithm

The Euclidean algorithm is an efficient method to find the GCD of two integers. It works by repeatedly applying the division algorithm:

  1. Start with two positive integers \(a\) and \(b\), where \(a \geq b\)
  2. Divide \(a\) by \(b\) to get quotient \(q\) and remainder \(r\) such that \(a = bq + r\) where \(0 \leq r < b\)
  3. If \(r = 0\), then \(\gcd(a,b) = b\)
  4. Otherwise, set \(a = b\) and \(b = r\), and repeat from step 2

Example: Find \(\gcd(48, 18)\)

  • \(48 = 18 \cdot 2 + 12\)
  • \(18 = 12 \cdot 1 + 6\)
  • \(12 = 6 \cdot 2 + 0\)

Since the remainder is now 0, \(\gcd(48, 18) = 6\).

Applications in Cryptography

The GCD has several important applications in cryptography:

  • Key Generation: In RSA, we need to find two numbers \(e\) and \(d\) such that \(ed \equiv 1 \pmod{\phi(n)}\), which requires \(\gcd(e, \phi(n)) = 1\)
  • Primality Testing: Many primality tests use GCD calculations
  • Modular Arithmetic: Finding modular inverses (via the extended Euclidean algorithm) requires co-prime numbers
  • Factorization Attacks: Some attacks on cryptosystems use GCD calculations to factor large numbers
Definition and Purpose

The extended Euclidean algorithm is an extension of the Euclidean algorithm, which only returns the greatest common divisor of two integers. Given two integers \( a \) and \( b \), the extended Euclidean algorithm returns the integers \( a \), \( b \), \( \lambda \), and \( \mu \) such that:

\( a \cdot \lambda + b \cdot \mu = \gcd(a, b) \)

Here, \( \lambda \) and \( \mu \) are called the Bézout coefficients for \( a \) and \( b \). Only if \( a \) and \( b \) are relatively prime, i.e., \( \gcd(a, b) = 1 \), then:

\( a \cdot \lambda + b \cdot \mu = 1 \)

In this case, \( \lambda \; mod \; b \) is the inverse of \( a \), denoted \( a^{-1} = \lambda \; mod \; b \), and \( \mu \: mod \: a \) is the inverse of \( b \), denoted \( b^{-1} = \mu \: mod \: a \) (see "Modulo computation" for more information about the \( mod \) operator). One useful property of an integer and its inverse is that \( a \cdot a^{-1} \; mod \; b = 1 \) and \( b \cdot b^{-1} \; mod \; a = 1 \).

Example

You can easily compute \( \gcd(a, b) \), \( \lambda \), and \( \mu \) for example with \( a=5 \) and \( b=39 \) using a simple table. First, let us create a table with three columns (we do not yet know how many rows there will be). Let us denote the entry in the first row and first column as [1,1], the entry in the first row and second column as [1,2], the entry in the second row and first column as [2,1], and so on.

Next, we write \( b=39 \) in entry [1,1] and \( a=5 \) in entry [2,1]. Then we try to find the largest integer \( q_{1} \) such that \( q_{1} \cdot a \leq b \). We have \( q_{1}=7 \), which we write in entry [2,2], because \( 7 \cdot 5 = 35 \leq 39 \), and a remainder of \( r_{1}=4 \), which we write in entry [3,1].

Again, we try to find the largest integer \( q_{2} \) such that \( q_{2} \cdot r_{1} \leq a \). We have \( q_{2}=1 \), which we write in entry [3,2], because \( 1 \cdot 4 = 4 \leq 5 \), and a remainder of \( r_{2}=1 \), which we write in entry [4,1]. Notice that we are repeating the same process as before, just with the numbers in the next row.

The next computation returns a remainder of \( r_{3} = 0 \) because \( q_{3} \cdot r_{2} = 4 \cdot 1 = 4 \leq 4 = r_{1} \). We have now computed \( \gcd(5, 39)=r_{2}=1 \) since \( r_{3} = 0 \). Because 5 and 39 are relatively prime, we know that \( \lambda \) and \( \mu \) exist, and we can start using the last column.

First, we write \( x_{1}=0 \) in entry [4,3] and \( x_{2}=1 \) in entry [3,3]. Then we write \( x_{3}=q_{2} \cdot x_{2} + x_{1} = 1 \cdot 1 + 0 = 1 \) in entry [2,3]. For entry [1,3], we compute as before, just with numbers from the row above, i.e., \( x_{4}=q_{1} \cdot x_{3} + x_{2} = 7 \cdot 1 + 1 = 8 \).

Finally, we have that \( a \cdot x_{4} \pm b \cdot x_{3} = r_{2} \), where we need to decide whether it should be plus or minus between the two terms. Because \( a \cdot x_{4} = 5 \cdot 8 = 40 \), \( b \cdot x_{3} = 39 \cdot 1 \), and \( 40 \geq 39 \), we have \( 5 \cdot 8 - 39 \cdot 1 = 1 \) (which is the same as \( 5 \cdot 8 + 39 \cdot (-1) = 1 \)), so the Bézout coefficients are \( \lambda=8 \) and \( \mu=-1 \). Notice that \( a^{-1} = \lambda \; mod \; b = 8 \; mod \; 39 = 8\) and \( b^{-1} = \mu \; mod \; a = -1 \: mod \: 5 = 4\), where \( a \cdot a^{-1} \; mod \; b = 5 \cdot 8 \; mod \; 39 = 1 \) and \( b \cdot b^{-1} \; mod \; a = 39 \cdot 4 \; mod \; 5 = 1 \).

Table for the example

The table for computing \( 5 \cdot \lambda + 39 \cdot \mu = \gcd(5, 39) \) is:

\( b=39 \) \( x_{4}=8 \)
\( a=5 \) \( q_{1}=7 \) \( x_{3}=1 \)
\( r_{1}=4 \) \( q_{2}=1 \) \( x_{2}=1 \)
\( r_{2}=1 \) \( q_{3}=4 \) \( x_{1}=0 \)
\( r_{3}=0 \)
Algorithm in Pseudocode
function extended_gcd(a, b)
    if b = 0 then
        return (a, 1, 0)
    else
        (d, x', y') = extended_gcd(b, a mod b)
        return (d, y', x' - (a div b) * y')

The function returns a tuple (d, x, y) such that d = gcd(a, b) and d = ax + by.

Applications in Cryptography
  • RSA Key Generation: Computing the private key d where d ≡ e-1 (mod φ(n)) requires finding the modular inverse of the public exponent e
  • Chinese Remainder Theorem: Finding solutions to systems of modular congruences, which enables efficient RSA implementations
  • Elliptic Curve Cryptography: Computing point addition and scalar multiplication operations
  • Digital Signatures: Many schemes require modular inverse calculations
  • Key Exchange Protocols: Used in various secure communication protocols
Relation to the Basic Euclidean Algorithm

While the standard Euclidean algorithm computes only the GCD through successive divisions, the extended version keeps track of the coefficients at each step. This "extension" allows us to express the GCD as a linear combination of the original numbers, which is crucial for finding modular inverses.

Computational Complexity

The extended Euclidean algorithm has the same time complexity as the standard Euclidean algorithm: O(log min(a,b)). This makes it highly efficient even for very large integers, which is crucial for its application in cryptographic systems.

In abstract algebra, a ring is a set with two operations (usually addition and multiplication) where addition forms an abelian group and multiplication is associative and distributes over addition. A group is a set with a single operation that satisfies closure, associativity, identity, and inverse properties.

Integers and Modular Arithmetic

The set of integers \( \{ \dots, -2, -1, 0, 1, 2, \dots \} \) is denoted by the symbol \( \mathbb{Z} \), i.e., \( \mathbb{Z} = \{ \dots, -2, -1, 0, 1, 2, \dots \} \), and is called the ring of integers or an additive group. The group of integers modulo \( n \) is a subset of \( \mathbb{Z} \) and is denoted by \( \mathbb{Z}/n\mathbb{Z} \), but we use the shorthand \( \mathbb{Z}_{n} \). This subset contains the following elements (because we compute modulo \( n \)):

\( \mathbb{Z}_{n} = \{ 0, 1, 2, \dots, n - 1 \}\)

Notice that whenever we perform addition or multiplication in \( \mathbb{Z}_{n} \), we always compute the result modulo \( n \) to obtain an integer in \( \mathbb{Z}_{n} \). To illustrate this, let us look at \( n = 5 \):

\( \mathbb{Z}_{5} = \{ 0, 1, 2, 3, 4 \}\)

When adding \( 3 \) and \( 4 \) in \( \mathbb{Z}_{5} \), we do the following: \( (3 + 4) \: mod \: 5 = 7 \: mod \: 5 = 2 \). Likewise, when multiplying \( 3 \) by \( 4 \) in \( \mathbb{Z}_{5} \), we have: \( (3 \cdot 4) \: mod \: 5 = 12 \: mod \: 5 = 2 \).

Units and Multiplicative Groups

An integer \( a \) in \( \mathbb{Z}_{n} \) has an inverse if the greatest common divisor of \( a \) and \( n \) is 1, i.e., \( \gcd(a, n) = 1 \) (see "The extended Euclidean algorithm" for more information). The integer \( a \) is then called a unit. The set of units (all integers with an inverse in \( \mathbb{Z}_{n} \)) is denoted by \( (\mathbb{Z}/n\mathbb{Z})^{*} \). Again, we use the shorthand \( \mathbb{Z}_{n}^{*} \). If \( a_{1} \) and \( a_{2} \) are units, then their product \( (a_{1} \cdot a_{2}) \: mod \: n \) is also always a unit (i.e., \( a_{1} \cdot a_{2} \) is in the group \( \mathbb{Z}_{n}^{*} \)), but the sum \( (a_{1} + a_{2}) \: mod \: n \) may NOT be a unit (i.e., \( a_{1} + a_{2} \) is in \( \mathbb{Z}_{n} \) but may not be in \( \mathbb{Z}_{n}^{*} \)). We see the difference in the two sets \( \mathbb{Z}_{8} \) and \( \mathbb{Z}_{8}^{*} \):

  • \( \mathbb{Z}_{8} = \{ 0, 1, 2, 3, 4, 5, 6, 7 \}\)
  • \( \mathbb{Z}_{8}^{*} = \{ 1, 3, 5, 7 \} \)

If we choose \( n \) to be a prime number \( p \), then for all integers \( a \) except 0 in \( \mathbb{Z}_{p} \), we have \( \gcd(a, p) = 1 \), which means that \( \mathbb{Z}_{p}^{*} \) contains all integers from \( \mathbb{Z}_{p} \) except 0, i.e.:

\( \mathbb{Z}_{p}^{*} = \{ 1, 2, 3, \dots, p - 1 \}\)

For example, for \( p=7 \), the only difference between the two sets \( \mathbb{Z}_{7} \) and \( \mathbb{Z}_{7}^{*} \) is the integer 0:

  • \( \mathbb{Z}_{7} = \{ 0, 1, 2, 3, 4, 5, 6 \}\)
  • \( \mathbb{Z}_{7}^{*} = \{ 1, 2, 3, 4, 5, 6 \} \)
Euler's Phi Function

The number of elements in \( \mathbb{Z}_{n}^{*} \) is denoted by \( \phi(n) \), named after the famous Swiss mathematician Euler, and is called Euler's phi function. As we saw previously, if \( n \) is a prime number \( p \), then \( \phi(p) = p-1 \). The number of elements in a group \( G \) is also called the order of \( G \) and is written as \( \left| G \right| \). The order of:

  • \( \mathbb{Z}_{n} \) is \( \left| \mathbb{Z}_{n} \right| = n \) where \( n \) is a composite number
  • \( \mathbb{Z}_{n}^{*} \) is \( \left| \mathbb{Z}_{n}^{*} \right| = \phi(n) \) where \( n \) is a composite number
  • \( \mathbb{Z}_{n}^{*} \) is \( \left| \mathbb{Z}_{n}^{*} \right| = \phi(n) = (p-1) \cdot (q-1) \) where \( n = p \cdot q \) and \( p \) and \( q \) are prime numbers
  • \( \mathbb{Z}_{p}^{*} \) is \( \left| \mathbb{Z}_{p}^{*} \right| = \phi(p) = p-1 \) where \( p \) is a prime number

Euler's phi function \(\phi(n)\) can be computed efficiently when the prime factorization of \(n\) is known:

For a prime power \(p^k\): \(\phi(p^k) = p^k - p^{k-1} = p^k(1 - \frac{1}{p})\)

For a product of prime powers: \(\phi(n) = n \prod_{p|n} (1 - \frac{1}{p})\)

For example, \(\phi(36) = \phi(2^2 \cdot 3^2) = 36 \cdot (1 - \frac{1}{2}) \cdot (1 - \frac{1}{3}) = 36 \cdot \frac{1}{2} \cdot \frac{2}{3} = 12\)

Modular Exponentiation Rules

If, for example, we choose the elements \( x \), \( a \), and \( b \) from the group \( \mathbb{Z}_{p}^{*} \) and want to compute \( x^{a + b} \: mod \: p \), then in the exponent we actually compute \( a + b \) modulo the order of the group, i.e., \( a + b \: mod \: (p-1) \) because \( \left| \mathbb{Z}_{p}^{*} \right| = \phi(p) = p-1 \). So, what we actually compute is \( x^{a + b \: mod \: (p-1)} \: mod \: p \). The same is true if we had chosen one of the other groups: we always compute modulo the order of the group in the exponent. Therefore, next time you look at an equation from a cryptosystem and wonder why they suddenly compute, for example, modulo \( p-1 \) instead of modulo \( p \), it is because the equation is used in the exponent of some integer.

Units are particularly important in cryptography because they have multiplicative inverses, allowing operations like division in modular arithmetic. The existence of these inverses is crucial for many cryptographic algorithms, including RSA, where we need to find values \(e\) and \(d\) such that \(e \cdot d \equiv 1 \pmod{\phi(n)}\).

Important Theorems

Fermat's Little Theorem: If \(p\) is a prime number and \(a\) is not divisible by \(p\), then \(a^{p-1} \equiv 1 \pmod{p}\).

Euler's Theorem: For any coprime integers \(a\) and \(n\), \(a^{\phi(n)} \equiv 1 \pmod{n}\). This generalizes Fermat's Little Theorem and forms the mathematical foundation of the RSA cryptosystem.

Applications in Cryptography
  • RSA: Uses the fact that \(m^{ed} \equiv m \pmod{n}\) when \(ed \equiv 1 \pmod{\phi(n)}\)
  • Diffie-Hellman: Operates in the multiplicative group \(\mathbb{Z}_p^*\) where \(p\) is prime
  • ElGamal: Relies on modular exponentiation in \(\mathbb{Z}_p^*\)
  • Digital Signatures: Many schemes use properties of these groups for verification
What is a Generator?

A generator (or primitive root) of a group is an element whose powers can produce every element in the group. In other words, if g is a generator of a group G, then by computing all possible powers of g, you will eventually generate all elements in G.

In the following, we use the group \( \mathbb{Z}_{p} \) as an example for simplicity, but any group could be chosen.

There exists an element \( g \) in the group of integers \( \mathbb{Z}_{p} \) (see "The group of integers and units" for more information), where \( p \) is a prime number, whose powers generate every element in the set of units \( \mathbb{Z}_{p}^{*} \). That is, there exists an integer \( g \) in \( \mathbb{Z}_{p} \) such that:

\( \mathbb{Z}_{p}^{*} = \{ g^{1} \: mod \: p, g^{2} \: mod \: p, g^{3} \: mod \: p, \dots, g^{p-1} \: mod \: p \} \)

where \( g^{p-1} \: mod \: p = 1 \) because \( p-1 \: mod \: (p-1) = 0 \) (remember that the order of \( \mathbb{Z}_{p}^{*} \) is \( p-1 \), and we compute modulo the order of the group in the exponent of \( g \) because \( g \) belongs to the group \( \mathbb{Z}_{p}^{*} \)), and \( g^{0} = 1 \). Such a \( g \) is called a generator or a primitive root of the group, and it's denoted as \( \left< g \right> = \mathbb{Z}_{p}^{*} \). We also say that the order of \( g \) is \( ord(g) = p-1 \) because \( g \) generates the group \( \mathbb{Z}_{p}^{*} \) with \( p-1 \) elements.

To clarify, let's look at an example with the prime number 5. Recall that \( \mathbb{Z}_{5}^{*} = \{ 1, 2, 3, 4 \} \) (see "The group of integers and units" for the example). The group \( \mathbb{Z}_{5}^{*} \) has 2 as a generator because the powers of 2 generate every element in the group, i.e., \( \left< 2 \right> = \mathbb{Z}_{5}^{*} \):

  • \( 2^{1} \: mod \: 5 = 2 \)
  • \( 2^{2} \: mod \: 5 = 4 \)
  • \( 2^{3} \: mod \: 5 = 3 \)
  • \( 2^{4} \: mod \: 5 = 1 \)

The last power is 4 because \( p - 1 = 5 - 1 = 4 \). On the other hand, 4 is NOT a generator of \( \mathbb{Z}_{5}^{*} \) because the powers of 4 only generate the integers 1 and 4:

  • \( 4^{1} \: mod \: 5 = 4 \)
  • \( 4^{2} \: mod \: 5 = 1 \)
  • \( 4^{3} \: mod \: 5 = 4 \)
  • \( 4^{4} \: mod \: 5 = 1 \)

If you don't know the factorization of the integer \( p-1 \), then the only way to find a generator is to perform the above computation, i.e., check that it generates every element in the group \( \mathbb{Z}_{p}^{*} \). However, if you know the factorization of \( p-1 \), then for every prime number \( q \) that evenly divides \( p-1 \), we check that \( g^{(p-1)/q} \: mod \: p \neq 1 \) for a random integer \( g \) in the group \( \mathbb{Z}_{p} \). If this is the case, then \( g \) is a generator of \( \mathbb{Z}_{p}^{*} \).

Because the prime factorization problem is hard (the problem of computing the factorization of the integer \( p-1 \)), we use a so-called safe prime \( p \). A safe prime \( p \) is of the form \( p = 2 \cdot q + 1 \) where \( q \) is a prime number. Now, the factorization of \( p-1 \) is always only \( 2 \) and \( q \). For example, if we compute the safe prime \( p = 2 \cdot 5 + 1 = 11 \) with the prime number \( q = 5 \), we see that \( g = 7 \) is a generator of the group \( \mathbb{Z}_{11}^{*} \) because:

  • \( 7^{(11-1)/2} \: mod \: 11 = 10 \neq 1 \)
  • \( 7^{(11-1)/5} \: mod \: 11 = 5 \neq 1 \)

where 2 and \( q=5 \) are the only prime numbers that divide \( p-1=11-1=10 \) evenly. For the same reason, \( g = 5 \) is not a generator of \( \mathbb{Z}_{11}^{*} \) because:

  • \( 5^{(11-1)/2} \: mod \: 11 = 1 \)
  • \( 5^{(11-1)/5} \: mod \: 11 = 3 \neq 1 \)

The group \( \mathbb{Z}_{n}^{*} \), where \( n \) is a composite number, may not have a generator, but if \( n \) is a prime number \( p \), then the group \( \mathbb{Z}_{p}^{*} \) has at least one generator.

Number of Generators

For a prime p, the number of generators (primitive roots) in \(\mathbb{Z}_p^*\) is exactly \(\phi(\phi(p)) = \phi(p-1)\), where \(\phi\) is Euler's totient function. This means that generators are relatively common in prime-order groups.

For example, in \(\mathbb{Z}_{11}^*\), there are \(\phi(10) = 4\) generators: 2, 6, 7, and 8.

Importance in Cryptography

Generators are fundamental to many cryptographic protocols:

  • Diffie-Hellman key exchange relies on working in a group with a known generator
  • ElGamal encryption requires a generator to create public-private key pairs
  • Digital Signature Algorithm (DSA) uses generators for signing and verification
  • The security of these protocols depends on the difficulty of the discrete logarithm problem in the group generated by g
Subgroups and Cyclic Groups

When an element g is not a generator of the entire group, it generates a subgroup. The order of this subgroup will be the smallest positive integer k such that \(g^k = 1\).

For example, in \(\mathbb{Z}_5^*\), the element 4 generates the subgroup \(\{1, 4\}\) of order 2, while the element 2 generates the entire group of order 4.

A group that can be generated by a single element is called a cyclic group. All groups \(\mathbb{Z}_p^*\) where p is prime are cyclic groups.

Let \( g \) be a generator of the group \( G \). Given the values \( g \) and \( H \), the discrete logarithm (DL) problem is to compute the exponent \( a \) in the following equation, which is considered a hard problem:

\( g^{a} = H \)

The exponent \( a \) is also called the discrete logarithm of \( H \) to the base \( g \).

For example, if we use the group \( \mathbb{Z}_{p}^{*} \), where \( p \) is a large prime number and \( g \) is a generator of the group, then given \( g \), \( p \), and \( H \), it is hard to compute \( a \) such that the following equation holds:

\( g^{a} \: mod \: p = H \)

In addition to the DL problem, there are two related problems: the Diffie-Hellman (DH) problem and the Decisional Diffie-Hellman (DDH) problem. Given the values \( g \), \( g^{a} \), and \( g^{b} \), the DH problem is to compute the exponent \( a \cdot b \) in \( g^{a \cdot b} \).

Similarly, given the values \( g \), \( g^{a} \), \( g^{b} \), and \( g^{c} \), the DDH problem is to decide whether \( c = a \cdot b \) or whether \( c \) is a random integer.

You may have noticed that if we can solve the DL problem, that is, compute \( a \) in \( g^{a} = H \), then we can also solve the DH problem: first compute \( a \) from \( g^{a} \), then \( b \) from \( g^{b} \), and finally calculate \( a \cdot b \). This also implies that we can solve the DDH problem: first compute \( a \cdot b \) as described above, then compute \( c \) from \( g^{c} \), and finally check whether \( c = a \cdot b \).

Computational Hardness

The discrete logarithm problem is believed to be computationally hard when proper parameters are chosen. For \( \mathbb{Z}_{p}^{*} \), the problem becomes harder as the size of the prime \( p \) increases, especially when \( p-1 \) has at least one large prime factor. The best known classical algorithms (Number Field Sieve) run in sub-exponential time, making the problem practically intractable for large enough parameters.

Simple Example

Consider a small example in \( \mathbb{Z}_{11}^{*} \) with generator \( g = 2 \):

  • \( 2^1 \mod 11 = 2 \)
  • \( 2^2 \mod 11 = 4 \)
  • \( 2^3 \mod 11 = 8 \)
  • \( 2^4 \mod 11 = 5 \)
  • \( 2^5 \mod 11 = 10 \)
  • \( 2^6 \mod 11 = 9 \)
  • \( 2^7 \mod 11 = 7 \)
  • \( 2^8 \mod 11 = 3 \)
  • \( 2^9 \mod 11 = 6 \)
  • \( 2^{10} \mod 11 = 1 \)

If given \( H = 9 \), finding \( a \) such that \( 2^a \mod 11 = 9 \) means finding \( a = 6 \). For small groups like this, we can compute all powers, but for cryptographically secure groups, this approach becomes computationally infeasible.

Cryptographic Applications

The hardness of these problems forms the security foundation for many cryptographic protocols:

  • Diffie-Hellman Key Exchange: Based on the DH problem, allows two parties to establish a shared secret over an insecure channel
  • ElGamal Encryption: Security relies on the DDH problem
  • Digital Signature Algorithm (DSA): Uses the discrete logarithm problem for signature generation and verification
  • Zero-knowledge proofs: Many constructions rely on the hardness of the discrete logarithm
Beyond \( \mathbb{Z}_{p}^{*} \)

While the examples above use the multiplicative group of integers modulo a prime, these problems are also defined in other groups:

  • Elliptic curve groups: The Elliptic Curve Discrete Logarithm Problem (ECDLP) is the basis for elliptic curve cryptography, offering similar security with smaller key sizes
  • Ideal class groups: Used in some post-quantum cryptographic proposals
Algorithms for Solving DLP

Several algorithms exist for solving the discrete logarithm problem:

  • Baby-step Giant-step: A time-memory tradeoff with \( O(\sqrt{n}) \) complexity
  • Pollard's Rho: A probabilistic algorithm with similar performance but lower memory requirements
  • Index Calculus: Sub-exponential time for certain groups
  • Shor's Algorithm: A quantum algorithm that can solve the DLP in polynomial time, posing a threat to systems based on this problem if large-scale quantum computers become available
Chosen Plaintext Attack (CPA) Security

The security of an asymmetric (public-key) cryptosystem, such as RSA or ElGamal, is measured with respect to chosen plaintext attacks (CPA) and chosen ciphertext attacks (CCA).

In a chosen plaintext attack (sometimes called a semantic attack), Alice and Bob's adversary, Eve, is passive; she only observes the ciphertexts sent between Alice and Bob and tries to guess the plaintexts. An asymmetric cryptosystem is considered CPA-secure if Eve's advantage in correctly guessing the plaintext in the following game is negligible:

Eve sends a message \( m \) to an oracle, which returns a ciphertext \( c \) that is either an encryption of \( m \) or a random message of the same length as \( m \). Eve then tries to guess what \( c \) is an encryption of.

Therefore, if an asymmetric cryptosystem is CPA-secure, the only information that a ciphertext reveals is the length of the encrypted message.

Formally, Eve's "advantage" in these security games is defined as the absolute difference between 1/2 and the probability that Eve correctly guesses whether she received an encryption of her chosen message: |Pr[Eve wins] - 1/2|. We say this advantage is "negligible" if it decreases faster than any polynomial in the security parameter (typically the key length).

Chosen Ciphertext Attack (CCA) Security

In a chosen ciphertext attack, Eve is active, making this a stronger attack compared to a chosen plaintext attack. Now, Eve can have ciphertexts decrypted by the oracle. An asymmetric cryptosystem is considered CCA-secure if Eve's advantage in correctly guessing the plaintext in the following game is negligible:

Eve sends a ciphertext \( c_{i} \) to an oracle, which returns the decrypted message \( m_{i} \) of \( c_{i} \). This can be repeated as many times as Eve wants. Then, Eve sends a message \( m \) to the oracle, which returns a ciphertext \( c \) that is either an encryption of \( m \) or a random message of the same length as \( m \). Finally, Eve sends a ciphertext \( c_{i}' \), which must be different from \( c \), to the oracle, and it returns the decrypted message \( m_{i}' \) of \( c_{i}' \). This can also be repeated as many times as Eve wants. Eve then tries to guess what \( c \) is an encryption of.

Again, if an asymmetric cryptosystem is CCA-secure, the only information that a ciphertext reveals is the length of the encrypted message.

In cryptographic security models, an "oracle" refers to a theoretical entity that performs certain cryptographic operations (like encryption or decryption) when queried. It represents the capability an attacker might have to interact with the cryptosystem.

Cryptographers further distinguish between two levels of CCA security:

  • CCA1 (non-adaptive CCA): Eve can only query the decryption oracle before receiving the challenge ciphertext.
  • CCA2 (adaptive CCA): Eve can query the decryption oracle both before and after receiving the challenge ciphertext (except for the challenge ciphertext itself), as described in our game above.

CCA2 security is considered the gold standard for modern asymmetric encryption schemes.

Security of Common Asymmetric Cryptosystems
  • Basic RSA (textbook RSA) is neither CPA nor CCA secure
  • RSA-OAEP (Optimal Asymmetric Encryption Padding) is designed to be CCA2-secure under certain assumptions
  • Basic ElGamal is CPA-secure but not CCA-secure
  • Modern elliptic curve cryptosystems like ECIES can achieve CCA2 security when properly implemented
Real-world Implications

The distinction between CPA and CCA security matters significantly in practice:

  • Systems that are only CPA-secure may be vulnerable to attacks where the adversary can trick legitimate users into decrypting specially crafted messages
  • For applications like secure messaging or financial transactions, CCA2-security is typically required
  • In some constrained environments where decryption queries are impossible for an attacker, CPA security might be sufficient

The security of digital signatures, such as RSA and ElGamal, is typically measured using the concept of Existential Unforgeability under Chosen Message Attack (EUF-CMA), which is analogous to CPA security for encryption schemes.

In a chosen plaintext attack, Alice and Bob's adversary, Eve, is passive; she only observes the messages and signatures exchanged between Alice and Bob and tries to forge a signature. A digital signature scheme is considered CPA-secure if Eve's advantage in forging a signature in the following game is negligible:

Eve sends a message \( m_{i} \) to an oracle (which represents the legitimate signer's capabilities), which returns its signature \( \sigma_{i} \). This process can be repeated as many times as Eve wishes. Finally, Eve outputs a message \( m \), which must be different from all previously queried messages \( m_{i} \), along with a signature \( \sigma \). Eve wins the game if \( \sigma \) is a valid signature for the message \( m \).

Types of Signature Forgeries

Cryptographers classify forgeries into several types:

  • Existential forgery: The adversary can forge a signature for at least one message (possibly meaningless)
  • Selective forgery: The adversary can forge a signature for a specific message of their choosing
  • Universal forgery: The adversary can forge signatures for any message
  • Total break: The adversary can recover the signer's private key
Real-world Implications of Signature Security

Secure digital signatures are critical in many applications:

  • Code signing to verify software authenticity
  • Certificate authorities in PKI infrastructure
  • Non-repudiation in legal documents and financial transactions
  • Blockchain transactions

If a signature scheme is vulnerable to forgery attacks, these systems could be compromised.

Security of Common Digital Signature Schemes
  • RSA signatures (plain, without hashing) are vulnerable to existential forgery
  • RSA-PSS (Probabilistic Signature Scheme) provides provable security under reasonable assumptions
  • DSA and ECDSA are EUF-CMA secure if the underlying hash function is collision-resistant
  • EdDSA (like Ed25519) offers strong security with additional benefits like deterministic signing
The Role of Hash Functions in Signature Security

Most secure signature schemes operate on hashed messages rather than raw messages. This serves two purposes:

  • It allows signing messages of arbitrary length
  • It prevents mathematical attacks that exploit the algebraic structure of the signature algorithm

The security of the signature scheme depends heavily on the security of the underlying hash function.

The encryption scheme explained

The ElGamal cryptosystem was first described by Taher ElGamal in 1985 and is closely related to the Diffie-Hellman key exchange. While the Diffie-Hellman key exchange provides a method for Alice and Bob to share a secret key, it does not by itself enable them to communicate messages securely.

ElGamal is a public key cryptosystem based on the discrete logarithm problem for a group \( G \). In this system, every person has a key pair \( (sk, pk) \), where \( sk \) is the secret key and \( pk \) is the public key. Given only the public key, one would need to solve the discrete logarithm problem to obtain the secret key.

The cryptosystem serves two purposes: first, as an encryption scheme (described in this section) that helps Alice and Bob exchange sensitive information over an insecure channel that may be eavesdropped by their adversary Eve; and second, as a digital signature scheme (detailed in the next section) that enables the creation of digital signatures. The signature scheme differs slightly from the encryption scheme. Various other digital signature schemes, such as the Schnorr signature scheme and the Digital Signature Algorithm (DSA), are based on ElGamal's signature scheme but utilize shorter keys.

The group used in ElGamal can be \( \mathbb{Z}_{p}^{*} \) where \( p \) is a prime number, a subgroup of \( \mathbb{Z}_{p}^{*} \) of order \( q \) where \( q \) is a prime number, or an elliptic curve group. In the following, we use the group \( \mathbb{Z}_{p}^{*} \) for simplification, but this group is not used in practice because it's insecure: Alice and Bob's adversary Eve can tell whether a ciphertext is an encryption of a meaningful message or some random letters (i.e., when the used group in ElGamal is \( \mathbb{Z}_{p}^{*} \), it's not CPA-secure).

Key Generation

In the encryption scheme, Alice (or a trusted third party) first chooses a large prime number \( p \), such that the discrete logarithm problem is hard in the group \( \mathbb{Z}_{p}^{*} \), and a generator \( g \) of the group \( \mathbb{Z}_{p}^{*} \). Next, Alice chooses the secret key \( sk = a \) between \( 1 \) and \( p-1 \) and computes \( A = g^{a} \: mod \: p \). Alice then publishes the public key \( pk = (p, g, A) \). Notice that both Alice's friend Bob and their adversary Eve can see the public key, but they have to compute the discrete logarithm of \( A \) to get the secret key, i.e., compute the value \( a \).

Encryption Process

Suppose that Bob has a secret message he wants to send to Alice and he needs to hide the content from Eve. Bob first converts the message into an integer \( m \) such that \( 1 \leq m \leq p-1 \), i.e., the plaintext \( m \) is in the group \( \mathbb{Z}_{p}^{*} \). He also chooses a random number \( k \) between \( 1 \) and \( p-1 \), which is called an ephemeral key. The ephemeral key is only used to encrypt a single message \( m \) before being discarded. After using \( k \) to encrypt the message, Bob chooses a new ephemeral key for any future messages. Bob encrypts \( m \) using the encryption algorithm \( E \) with Alice's public key \( pk = (p, g, A) \) by calculating \( (c_{1}, c_{2}) = E_{pk}(m) \) where \( c_{1} = g^{k} \: mod \: p \) and \( c_{2} = m \cdot A^{k} \: mod \: p \). The resulting values \( (c_{1}, c_{2}) \) are called the ciphertext and are sent to Alice.

Decryption Process

When Alice receives the ciphertext \( (c_{1}, c_{2}) \), she first computes \( x = c_{1}^{a} \: mod \: p \) and then calculates the inverse \( x^{-1} \) of \( x \) using the extended Euclidean algorithm. The extended Euclidean algorithm gives her the equation \( x \cdot \lambda + p \cdot \mu = \gcd(x, p) \) where \( x^{-1} = \lambda \: mod \: p \) is the inverse of \( x \) and \( x \cdot x^{-1} \: mod \: p = 1 \) (remember that in the case of ElGamal, \( x^{-1} \) only exists because \( \gcd(x, p) = 1 \)). Finally, she decrypts the received ciphertext with the decryption algorithm \( D \) and her secret key \( sk = a \) by computing \( m' = D_{sk}(c_{1}, c_{2}) = x^{-1} \cdot c_{2} \: mod \: p \) where \( m' = m \) because:

\( \eqalign{ m' &= x^{-1} \cdot c_{2} \: mod \: p &&(x = c_{1}^{a}) \\&= (c_{1}^{a})^{-1} \cdot c_{2} \: mod \: p &&(c_{1} = g^{k}, c_{2} = m \cdot A^{k}) \\ &= ((g^{k})^{a})^{-1} \cdot m \cdot A^{k} \: mod \: p &&(A = g^{a}) \\ &= ((g^{k})^{a})^{-1} \cdot m \cdot (g^{a})^{k} \: mod \: p &&(\mbox{exponent rule}) \\ &= (g^{k \cdot a})^{-1} \cdot m \cdot g^{a \cdot k} \: mod \: p &&((g^{k \cdot a})^{-1} \cdot g^{a \cdot k} = 1) \\ &= m } \)

Group Security Analysis

So, why is \( \mathbb{Z}_{p}^{*} \) an insecure group while, e.g., the subgroup \( G \) of \( \mathbb{Z}_{p}^{*} \) of order \( q \) is a secure group where \( p \) and \( q \) are prime numbers? First, we have to define what a secure cryptosystem is: When an adversary like Eve intercepts a ciphertext, she shouldn't be able to tell whether it's an encryption of a specific message or just random letters (this is also the definition of a CPA-secure cryptosystem).

In the following discussion, we will use — without proof — a theorem stating that if Eve can determine whether the exponent \( a \cdot k\) from \( A^{k} = (g^{a})^{k} = g^{a \cdot k} \) in \( c_{2} \) is an even or odd number, she can distinguish whether a ciphertext is an encryption of a meaningful message or just random letters. This means that if the DDH problem is easy to solve for the group being used, then ElGamal is not CPA-secure (in other words: if the DDH problem is hard in the group being used, then ElGamal is CPA-secure).

First, we need some definitions: We say that \( y \) is a quadratic residue modulo a prime number \( p \), written as \( y \in QR(p) \), if there exists a number \( x \) such that \( y \: mod \: p = r \) and \( x^{2} \: mod \: p = r \), i.e., \( y \equiv x^{2} \: (mod \: p) \) (they have the same residue \( r \)). If no such \( x \) exists, then \( y \) is called a non-quadratic residue modulo \( p \), written as \( y \in NQR(p) \). For example, with the prime number \( p = 7\), we have:

\( \eqalign{ 1^{2} &\equiv 1 \: (mod \: 7) \\2^{2} &\equiv 4 \: (mod \: 7) \\3^{2} &\equiv 2 \: (mod \: 7) \\4^{2} &\equiv 2 \: (mod \: 7) \\5^{2} &\equiv 4 \: (mod \: 7) \\6^{2} &\equiv 1 \: (mod \: 7)} \)

which tells us that \( \{1, 2, 4\} \in QR(7) \) (the numbers on the right side of \( \equiv \)) and \( \{3, 5, 6\} \in NQR(7) \) (the remaining numbers excluding 0). Notice that half of the numbers from \( 1, 2, \dots, p-1 \) are quadratic residues modulo \( p \) and the other half are quadratic non-residues modulo \( p \).

A famous Swiss mathematician named Euler defined the equation \( (g^{i})^{(p-1)/2} \: mod \: p \) where \( g \) is a generator of the group \( \mathbb{Z}_{p}^{*} \). If \( (g^{i})^{(p-1)/2} \: mod \: p = 1 \) then \( g^{i} \in QR(p) \) and if \( (g^{i})^{(p-1)/2} \: mod \: p = -1 \) then \( g^{i} \in NQR(p) \). Another important observation that we will use without proof is that if \( g^{i} \in QR(p) \), then the exponent \(i\) is an even number. Otherwise, \(i\) is an odd number.

Finally, we will define \( LSB(g^{i}) \) as the value of the least significant bit of \( i \) (when expressed in binary) and we have that \( LSB(g^{i}) = 0 \) if the exponent \( i \) is an even number and \( LSB(g^{i}) = 1 \) otherwise. Using the above definitions we have that \( LSB(g^{i}) = 0 \) if and only if \( (g^{i})^{(p-1)/2} \: mod \: p = 1 \) or \( g^{i} \in QR(p) \). We also have that \( LSB(g^{i}) \cdot LSB(g^{j}) = LSB(g^{i \cdot j}) \).

Now, let us return to the ElGamal cryptosystem and examine how Eve can determine whether a ciphertext contains a meaningful message or random letters. Remember, we only need to prove that she can identify whether the exponent \( a \cdot k \) is even or odd. Suppose a trusted third party has chosen the prime number \( p = 7 \) and the generator \( g = 3 \) of the group \( \mathbb{Z}_{7}^{*} \). Let's assume that Alice has chosen the secret key \( a = 2 \) and the ephemeral key \( k = 5 \). She then computes \( A = g^{a} \: mod \: p = 3^{2} \: mod \: 7 = 2 \) and \( c_{1} = g^{k} \: mod \: p = 3^{5} \: mod \: 7 = 5 \). For the value of \( c_{2} = m \cdot A^{k} \: mod \: p \), we have:

\( \eqalign{ A^{k} \: mod \: p &= (g^{a})^{k} \: mod \: p \\ &= g^{a \cdot k} \: mod \: p \\ &= 3^{2 \cdot 5} \: mod \: 7 \\ &= 3^{10} \: mod \: 7 \\ &= 4} \)

Eve doesn't know the values of \( a \) and \( k \), but she can use Euler's equation to compute:

\( \eqalign{ A^{(p-1)/2} \: mod \: p &= (g^{a})^{(p-1)/2} \: mod \: p = 2^{(7-1)/2} \: mod \: 7 = 1 \\ c_{1}^{(p-1)/2} \: mod \: p &= (g^{k})^{(p-1)/2} \: mod \: p = 5^{(7-1)/2} \: mod \: 7 = -1} \)

i.e., \( A \in QR(7) \) and \( c_{1} \in NQR(7) \) which means that \( LSB(A) = LSB(g^{a}) = 0 \) (i.e., the exponent \( a \) in \( A \) is an even number, which is true because \( a = 2 \)) and \( LSB(c_{1}) = LSB(g^{k}) = 1\) (i.e., the exponent \( k \) in \( c_{1} \) is an odd number, which is true because \( k = 5 \)). Now Eve knows that the exponent \( a \cdot k \) is an even number (which is true because \( a \cdot k = 10 \)) because she can use the following multiplication rule: \( LSB(g^{a \cdot k}) = LSB(g^{a}) \cdot LSB(g^{k}) = 0 \cdot 1 = 0 \). Using the above theorem, Eve can now tell whether a ciphertext is an encryption of a meaningful message or some random letters.

The reason why Eve can tell whether the exponent \( a \cdot k \) is an even or odd number is because all the numbers in the group \( \mathbb{Z}_{p}^{*} \) excluding 0 can be divided into quadratic residues modulo \( p \) or non-quadratic residues modulo \( p \). This observation is used to construct the secure subgroup \( G \) of \( \mathbb{Z}_{p}^{*} \) of order \( q \) where \( G = QR(p) \), i.e., all numbers in \( G \) are quadratic residues modulo \( p \). Now if Eve tries to use the above method, she always gets \( LSB(x) = 0 \) for any number \( x \) in the subgroup \( G \). In other words: ElGamal is CPA-secure in the subgroup \( G \) because the DDH problem in \( G \) is hard.

Homomorphic Properties

ElGamal is also a partially homomorphic cryptosystem with respect to pointwise multiplication, meaning that ciphertexts can be combined through the operation \( (a,b) \cdot (c,d) = (a \cdot c, b \cdot d) \). This property can be demonstrated as follows:

\( \eqalign{ E_{pk}(m) \cdot E_{pk}(m') \: mod \: p &= (g^{k} \: mod \: p, m \cdot A^{k} \: mod \: p) \cdot (g^{k'} \: mod \: p , m' \cdot A^{k'} \: mod \: p) &&(\mbox{pointwise multiplication}) \\ &= (g^{k} \cdot g^{k'} \: mod \: p, m \cdot A^{k} \cdot m' \cdot A^{k'} \: mod \: p) &&(\mbox{exponent rule}) \\ &= (g^{k + k'} \: mod \: p, (m \cdot m') \cdot A^{k+k'} \: mod \: p) \\ &= E_{pk}(m \cdot m' \: mod \: p) } \)

In other words, pointwise multiplication of two ciphertexts corresponds to multiplying the two underlying plaintexts. ElGamal is partially homomorphic, not fully homomorphic, because only multiplication (not addition) has this property.

This property can be both an advantage and a disadvantage for the cryptosystem. It is advantageous, for example, when Alice has some private data \( m \) on which she wants a cloud service to perform computations. She first computes \( (c_{1}, c_{2}) = E_{pk}(m) \) and then sends the ciphertext \( (c_{1}, c_{2}) \) to the cloud service. The cloud service can then perform computations on Alice's data by calculating \( (c_{1}, c_{2}) \cdot (c_{1}', c_{2}') \: mod \: p \) for some \( (c_{1}', c_{2}') = E_{pk}(m') \). Alice then receives and decrypts the resulting ciphertext, which yields the data \( m \cdot m' \: mod \: p \). On the other hand, this property can be a disadvantage: for example, if Eve intercepts a ciphertext \( (c_{1}, c_{2}) \) sent from Alice to Bob and computes \( (c_{1}, c_{2}) \cdot (c_{1}', c_{2}') \: mod \: p \) for some \( (c_{1}', c_{2}') = E_{pk}(m') \), which she then sends to Bob. When Bob decrypts the ciphertext, he obtains the plaintext \( m \cdot m' \: mod \: p \) instead of the original plaintext \( m \).

Security Considerations

The ephemeral key (k) must never be reused when creating signatures. Doing so can lead to complete private key compromise!

The ephemeral key (k) must be:

  • Truly random: Use cryptographically secure random number generators
  • Used only once: Never reuse the same ephemeral key for different messages
  • Securely erased: After encryption or signing is complete

Parameter Requirements (2025):

  • Prime modulus p should be at least 2048 bits
  • For subgroup schemes (Schnorr/DSA), q should be at least 224 bits
  • Use strong primes that resist specialized attacks

Known Attacks:

  • Small subgroup attacks: Can occur when parameters aren't verified
  • Pohlig-Hellman attack: Effective when the order of the group has small factors
  • Baby-step Giant-step and Pollard's rho: Generic discrete logarithm attacks
  • Malleability issues: ElGamal encryption is malleable by design (homomorphic property)

Quantum Computing Threats:

Shor's algorithm on a sufficiently powerful quantum computer can break ElGamal and all discrete logarithm-based cryptosystems in polynomial time. Organizations planning for long-term security should consider post-quantum alternatives like:

  • Lattice-based cryptography
  • Hash-based signatures
  • Code-based cryptosystems
Comparison with Other Cryptosystems
Feature ElGamal RSA ECC-based ElGamal
Security basis Discrete logarithm Integer factorization Elliptic curve discrete logarithm
Key size (2025) 2048+ bits 2048+ bits 256-384 bits
Ciphertext expansion 2x Minimal 2x
Homomorphic property Multiplicative Multiplicative Multiplicative
Standardization Limited Widespread Growing
Quantum resistance Vulnerable Vulnerable Vulnerable
Computation efficiency Moderate High Very high
The protocol
Public parameters
A trusted third party publishes a large prime number \( p \) and a generator \( g \) of the group \( \mathbb{Z}_{p}^{*} \).
Key creation
Alice:
  1. Chooses the secret key \( 1 \leq a \leq p-1 \)
  2. Computes \( A = g^{a} \: mod \: p \)
Alice sends the public key \( pk = (p, g, A) \) to Bob.
Encryption
Bob:
  1. Chooses a unique random ephemeral key \( 1 \leq k \leq p-1 \).
  2. Uses Alice's public key \( pk = (p, g, A) \) and the ephemeral key \( k \) to compute the ciphertext \( (c_{1}, c_{2}) = E_{pk}(m) \) of the plaintext \( 1 \leq m \leq p-1 \), where:
    • \( c_{1} = g^{k} \: mod \: p \)
    • \( c_{2} = m \cdot A^{k} \: mod \: p \)
Bob sends the ciphertext \( (c_{1},c_{2}) \) to Alice.
Decryption
Alice:
  1. Computes \( x = c_{1}^{a} \: mod \: p \)
  2. Computes the inverse \( x^{-1} \) using the extended Euclidean algorithm
  3. Calculates the plaintext \( m' = D_{sk}(c_{1}, c_{2}) = x^{-1} \cdot c_{2} \: mod \: p \), where \( m' = m \)

Try a demo of the encryption scheme here.

Example

Alice uses the prime number \( p = 283 \) and the generator \( g = 189 \) of the group \( \mathbb{Z}_{283}^{*} \), which are chosen by a trusted third party. She then chooses the secret key \( sk = a = 129 \) and computes \( A = g^{a} \: mod \: p = 189^{129} \: mod \: 283 = 33 \). Finally, she publishes the public key \( pk = (p, g, A) = (283, 189, 33) \).

Alice's friend Bob decides to send the message \( m = 123 \) to Alice. He first chooses the ephemeral key \( k = 33 \) and then computes the ciphertext \( (c_{1}, c_{2}) = E_{pk}(m) = (219, 269) \), where \( c_{1} = g^{k} \: mod \: p = 189^{33} \: mod \: 283 = 219 \) and \( c_{2} = m \cdot A^{k} \: mod \: p = 123 \cdot 33^{33} \: mod \: 283 = 269 \), which he sends to Alice.

Before Alice can decrypt the ciphertext, she computes \( x = c_{1}^{a} \: mod \: p = 219^{129} \: mod \: 283 = 39 \) and the inverse \( x^{-1} \) of \( x \) using the extended Euclidean algorithm. The extended Euclidean algorithm gives her the equation \( \gcd(x, p) = x \cdot \lambda + p \cdot \mu = 39 \cdot (-29) + 283 \cdot 4 = 1 \), where \( x^{-1} = \lambda \: mod \: p = -29 \: mod \: 283 = 254 \). Finally, she decrypts the ciphertext by computing \( m' = D_{sk}(c_{1}, c_{2}) = x^{-1} \cdot c_{2} \: mod \: p = 254 \cdot 269 \: mod \: 283 = 123 \).

The signature scheme explained

Two people, Samantha and Victor, use a digital signature when one of them—say, Samantha—needs to send a digitally signed piece of data, such as a document or message, to Victor, and it is important that Victor knows it is from Samantha. For example, Samantha might want to send money to her friend Carla through her bank, where Victor works. Before Victor withdraws the money from Samantha's account, he needs to verify that the transfer request is actually from Samantha and not from someone else. If the signature scheme is insecure, it would be possible for Samantha's adversary, Eve, to forge a signature on a message stating that Samantha wants to send money to Eve, and Victor would believe that the message is from Samantha.

Key Generation for Signatures

In ElGamal's signature scheme, Samantha (or a trusted third party) first chooses a large prime number \( p \) and a generator \( g \) of the group \( \mathbb{Z}_{p}^{*} \). She then chooses the secret signing exponent \( s \) between \( 1 \) and \( p-1 \) and computes the public verification exponent \( v = g^{s} \: mod \: p \). Now \( pk = (p, g, v) \) is her public key and \( sk = s \) is her secret key, which she sends to Victor.

Signature Creation Process

To sign a message \( m \), Samantha first computes the fingerprint \( \mathcal{H}(m) \) of the message using a publicly known hash function \( \mathcal{H} \), such that \( 1 \leq \mathcal{H}(m) \leq p-1 \). A hash function always produces the same output for the same input, and its output has a fixed length regardless of the input size. This means that, no matter how large the message Samantha wants to sign, the signing algorithm remains efficient because Samantha signs the fingerprint \( \mathcal{H}(m) \) instead of the entire message \( m \).

Before Samantha can sign the fingerprint \( \mathcal{H}(m) \), she needs a random number \( e \) (called an ephemeral key) between \( 1 \) and \( p-1 \) such that \( \gcd(e, p-1) = 1 \), because she also needs the inverse \( e^{-1} \) of \( e \). She computes \( e^{-1} \) using the extended Euclidean algorithm, which gives her the equation \( e \cdot \lambda + (p-1) \cdot \mu = \gcd(e, p-1) \), where \( e^{-1} = \lambda \: mod \: (p-1) \) and \( e \cdot e^{-1} \: mod \: (p-1) = 1 \) (remember that in the case of ElGamal, \( e^{-1} \) only exists because \( \gcd(e, p-1) = 1 \)). She then signs the fingerprint using the signing algorithm \( S \) with the secret signing key \( sk = s \), computing \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = g^{e} \: mod \: p \) and \( \sigma_{2} = (\mathcal{H}(m) - s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: (p-1) \). Finally, Samantha sends the signature \( (\sigma_{1}, \sigma_{2}) \) of \( \mathcal{H}(m) \) and the message \( m \) to Victor.

Verification Process

To verify the signature, Victor first uses the same hash function \( \mathcal{H} \) as Samantha to compute the fingerprint \( \mathcal{H}(m) \) of the message \( m \). He then verifies the signature \( (\sigma_{1}, \sigma_{2}) \) of \( \mathcal{H}(m) \) by computing \( V_{1} = v^{\sigma_{1}} \cdot \sigma_{1}^{\sigma_{2}} \: mod \: p \) and checking that it is equal to \( V_{2} = g^{\mathcal{H}(m)} \: mod \: p \). The signature is valid only if \( V_{1} = V_{2} \), because:

\( \eqalign{ V_{1} &= v^{\sigma_{1}} \cdot \sigma_{1}^{\sigma_{2}} \: mod \: p &&(v = g^{s} \: \mbox{and} \: \sigma_{1} = g^{e}) \\ &= (g^{s})^{\sigma_{1}} \cdot (g^{e})^{\sigma_{2}} \: mod \: p &&(\mbox{exponent rule}) \\ &= g^{s \cdot \sigma_{1}} \cdot g^{e \cdot \sigma_{2}} \: mod \: p &&(\mbox{exponent rule}) \\ &= g^{s \cdot \sigma_{1} + e \cdot \sigma_{2}} \: mod \: p &&(\sigma_{2} = (\mathcal{H}(m) - s \cdot \sigma_{1}) \cdot e^{-1}) \\ &= g^{s \cdot \sigma_{1} + e \cdot ((\mathcal{H}(m) - s \cdot \sigma_{1}) \cdot e^{-1})} \: mod \: p &&(e \cdot e^{-1} = 1) \\ &= g^{s \cdot \sigma_{1} + (\mathcal{H}(m) - s \cdot \sigma_{1})} \: mod \: p &&(s \cdot \sigma_{1} - s \cdot \sigma_{1} = 0) \\ &= g^{\mathcal{H}(m)} \: mod \: p &&(V_{2} = g^{\mathcal{H}(m)}) \\ &= V_{2} } \)

Only if Samantha's and Victor's adversary, Eve, knows how to solve the discrete logarithm problem—i.e., to compute the secret key \( sk = s \) from the public key \( pk = g^{s} \: mod \: p \)—will she be able to sign documents on behalf of Samantha. But the discrete logarithm problem is hard to solve in the group \( \mathbb{Z}_{p}^{*} \) when the prime number \( p \) is large.

It's important that Samantha signs the fingerprint instead of the message itself for several reasons:

  1. Efficiency: Hashing allows signing of arbitrarily large messages with fixed computational effort
  2. Security: Prevents existential forgery attacks (explained below)
  3. Integrity: Even minor changes to the message result in a completely different hash
  4. Domain conversion: Maps message data to the mathematical domain required by the signature algorithm

Without using a hash function, Eve could easily forge a signature by computing the following values: First, Eve randomly chooses \( w \) and \( z \) between 1 and \( p-1 \) such that \( \gcd(w, p-1)=1 \), because she needs the inverse \( w^{-1} \) of \( w \) (which she computes with the extended Euclidean algorithm). She then uses Samantha's public key \( pk = (p, g, v) \) to compute \( \sigma_{1} = g^{z} \cdot v^{w} \: mod \: p \), \( \sigma_{2} = -\sigma_{1} \cdot w^{-1} \: mod \: (p-1) \), and the message \( m = -\sigma_{1} \cdot z \cdot w^{-1} \: mod \: (p-1) \). (The message may seem a bit odd, but the content of the message is not important—only that Eve can forge a signature.) We see that \( (\sigma_{1}, \sigma_{2}) \) is a valid signature of \( m \) because Victor's final check is still true, i.e., \( v^{\sigma_{1}} \cdot \sigma_{1}^{\sigma_{2}} \: mod \: p \) is equal to \( g^{m} \: mod \: p \), which is the same as \( \sigma_{1}^{\sigma_{2}} \: mod \: p \) being equal to \( g^{m} \cdot v^{-\sigma_{1}} \: mod \: p \):

\( \eqalign{ V_{1} &= \sigma_{1}^{\sigma_{2}} \: mod \: p &&(\sigma_{1} = g^{z} \cdot v^{w} \: \mbox{and} \: \sigma_{2} = -\sigma_{1} \cdot w^{-1}) \\ &= (g^{z} \cdot v^{w})^{(-\sigma_{1} \cdot w^{-1})} \: mod \: p &&(\mbox{exponent rule}) \\ &= (g^{z} \cdot (g^{s})^{w})^{(-\sigma_{1} \cdot w^{-1})} \: mod \: p &&(\mbox{exponent rule}) \\ &= (g^{z} \cdot g^{s \cdot w})^{(-\sigma_{1} \cdot w^{-1})} \: mod \: p &&(\mbox{exponent rule}) \\ &= (g^{z + s \cdot w})^{(-\sigma_{1} \cdot w^{-1})} \: mod \: p &&(\mbox{exponent rule}) \\ &= g^{z \cdot (-\sigma_{1} \cdot w^{-1}) + (s \cdot w) \cdot (-\sigma_{1} \cdot w^{-1})} \: mod \: p &&(m = -\sigma_{1} \cdot z \cdot w^{-1} \: \mbox{and} \: w \cdot w^{-1} = 1) \\ &= g^{m - s \cdot \sigma_{1}} \: mod \: p &&(\mbox{exponent rule}) \\ &= g^{m} \cdot g^{- s \cdot \sigma_{1}} \: mod \: p &&(\mbox{exponent rule}) \\ &= g^{m} \cdot (g^{s})^{-\sigma_{1}} \: mod \: p &&(v = g^{s}) \\ &= g^{m} \cdot v^{-\sigma_{1}} \: mod \: p = V_{2} } \)

However, if Samantha uses a secure hash function, i.e., \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), the above method is no longer possible because Eve would now be required to find a preimage of the hash function, which is computationally hard. In other words, think of \( -\sigma_{1} \cdot z \cdot w^{-1} \) (the value of the message in the above attack) as a fingerprint; now Eve must find a message \( m \) such that \( \mathcal{H}(m) = -\sigma_{1} \cdot z \cdot w^{-1} \).

The ElGamal signature \( (\sigma_{1}, \sigma_{2}) \) is approximately \( 2 \cdot \log_{2}(p) \) bits in length, since \( \sigma_{1} \) is \( \log_{2}(p) \) bits and \( \sigma_{2} \) is \( \log_{2}(p-1) \) bits (because \( \sigma_{1} \) is computed modulo \( p \) and \( \sigma_{2} \) is computed modulo \( p-1 \)). Therefore, for the signature scheme to be secure, the prime number \( p \) should be at least \( 2048 \) bits according to today's standards, which implies that the ElGamal signature \( (\sigma_{1}, \sigma_{2}) \) is at least \( 4096 \) bits long.

Below, we present some variants of the ElGamal signature scheme that use shorter signatures: the Schnorr signature and the Digital Signature Algorithm (DSA). Both of these schemes use a subgroup of order \( q \) (explained in more detail later), where \( q \) is a prime number typically chosen to be between \( 160 \) and \( 230 \) bits. As a result, the Schnorr and DSA signatures \( (\sigma_{1}', \sigma_{2}') \) are between \( 320 \) and \( 460 \) bits in length (since both \( \sigma_{1}' \) and \( \sigma_{2}' \) are computed modulo \( q \), making the signature approximately \( 2 \cdot \log_{2}(q) \) bits long).

Practical Applications

Direct Applications

  • Document authentication in digital archives
  • Code signing for software distribution
  • Foundation for modern signature schemes (DSA, ECDSA)
  • Digital certificates and public key infrastructure

Modern Variants

  • Schnorr signatures in blockchain technology
  • DSA in SSL/TLS communications
  • ECDSA in cryptocurrency transactions
  • EdDSA in secure messaging applications

While pure ElGamal signatures are rarely used in practice today due to their large size, the variants (Schnorr and DSA) described in the following sections are widely deployed in modern cryptographic systems.

Comparison of Signature Schemes
Feature ElGamal Signature Schnorr Signature DSA
Signature Size \( 2 \times log_{2}(p) \) bits (~4096 bits with \( p = 2048 \)) \(2 \times log_{2}(q)\) bits (~320-460 bits) \(2 \times log_{2}(q)\) bits (~320-460 bits)
Security Basis Discrete logarithm in \( \mathbb{Z}_{p}^{*} \) Discrete logarithm in subgroup of order q Discrete logarithm in subgroup of order q
Computational Efficiency Less efficient due to larger parameter size More efficient with simpler verification Similar to Schnorr but with additional modular operations
Standardization Less widely standardized Used in some protocols (e.g., Ed25519) FIPS 186 standard (US Government)
Key Property Original scheme Supports batch verification Common in legacy applications
The protocol
Public parameters
A trusted third party publishes a large prime number \( p \) and a generator \( g \) of the group \( \mathbb{Z}_{p}^{*} \).
Key creation
Samantha:
  1. Chooses a secret signing key \( 1 \leq s \leq p-1 \).
  2. Computes the public verification key \( v = g^{s} \: mod \: p \).
Samantha sends the public key \( pk = (p, g, v) \) to Victor.
Signing
Samantha:
  1. Chooses a unique random ephemeral key \( 1 \leq e \leq p-1 \).
  2. Computes the inverse \( e^{-1} \) of \( e \) using the extended Euclidean algorithm.
  3. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \), where \( 1 \leq \mathcal{H}(m) \leq p-1 \).
  4. Uses the secret key \( sk = s \) and the ephemeral key to sign the fingerprint by computing \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = g^{e} \: mod \: p \) and \( \sigma_{2} = (\mathcal{H}(m) - s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: (p - 1) \).
Samantha sends the signature \( (\sigma_{1}, \sigma_{2}) \) and the message \( m \) to Victor.
Verification
Victor:
  1. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \).
  2. Uses Samantha's public key \( pk = (p, g, v) \) to verify the signature by checking that \( v^{\sigma_{1}} \cdot \sigma_{1}^{\sigma_{2}} \: mod \: p \) is equal to \( g^{\mathcal{H}(m)} \: mod \: p \).
  3. The signature is valid only if these two values are equal.

Try a demo of the signature scheme here.

Example

A trusted third party chooses the prime number \( p = 379 \) and the generator \( g = 360 \) of the group \( \mathbb{Z}_{379}^{*} \). Samantha then chooses the secret key \( sk = s = 77 \) and computes the public verification key \( v = g^{s} \: mod \: p = 360^{77} \: mod \: 379 = 202 \). She then publishes the public key \( pk = (p, g, v) = (379, 360, 202) \).

The message Samantha wants to sign is \( m = \mbox{"Transfer 100 USD to Carla"} \), for which she computes the fingerprint \( \mathcal{H}(m) = 273 \) using a publicly known hash function \( \mathcal{H} \). She then chooses the ephemeral key (a unique random number) \( e = 187 \) such that \( \gcd(e, p-1) = \gcd(187, 379-1) = 1 \), and computes the inverse \( e^{-1} \) of \( e \) using the extended Euclidean algorithm. The extended Euclidean algorithm gives her the equation \( \gcd(e, p-1) = e \cdot \lambda + (p-1) \cdot \mu = 187 \cdot (-152) + (379-1) \cdot 75 = 1 \), where \( e^{-1} = \lambda \: mod \: (p-1) = -152 \: mod \: (379-1) = 283 \).

Finally, she signs the fingerprint by computing \( \sigma_{1} = g^{e} \: mod \: p = 360^{187} \: mod \: 379 = 358 \) and \( \sigma_{2} = (\mathcal{H}(m) - s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: (p-1) = (273 - 77 \cdot 358) \cdot 283 \: mod \: (379-1) = 133 \), where \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) = (358, 133) \) is the signature of \( \mathcal{H}(m) \) that she sends to Victor along with the message \( m \).

Victor verifies the signature by first computing the fingerprint \( \mathcal{H}(m) = 273 \) of the message using the same hash function \( \mathcal{H} \) as Samantha. He then uses Samantha's public key to verify that \( v^{\sigma_{1}} \cdot \sigma_{1}^{\sigma_{2}} \: mod \: p = 202^{358} \cdot 358^{133} \: mod \: 379 = 145 \) is equal to \( g^{\mathcal{H}(m)} \: mod \: p = 360^{273} \: mod \: 379 = 145 \).

The Schnorr signature explained

The Schnorr signature was first proposed by Claus P. Schnorr in 1989 and is a more efficient variant of the ElGamal signature scheme that allows for shorter signatures.

  • Shorter signatures: ~320-460 bits vs ~4096 bits for ElGamal
  • Provable security: Based on the discrete logarithm problem
  • Key aggregation: Supports signature aggregation for multi-signature applications
  • Batch verification: Multiple signatures can be verified together efficiently
Schnorr Key Generation

First, Samantha (or a trusted third party) chooses two prime numbers \( p \) and \( q \) such that \( p \: mod \: q = 1 \) (by first choosing \( q \) and then computing \( p = i \cdot q + 1 \) for \( i \geq 2 \) until \( p \) is a prime number), and a generator \( g \) of order \( q \) from the group \( \mathbb{Z}_{p}^{*} \). If a generator \( g \) has order \( q \), it means that it generates a subgroup \( G \) of \( \mathbb{Z}_{p}^{*} \) with \( q \) elements, i.e., \( |G|=q \). Samantha can easily find \( g \) by computing \( g = g_{1}^{(p-1)/q} \: mod \: p \), where \( g_{1} \) is a generator of the group \( \mathbb{Z}_{p} \). Next, Samantha chooses a secret signing key \( s \) between \( 1 \) and \( q-1 \) and computes the public verification key \( v = g^{s} \: mod \: p \). Samantha publishes her public key \( pk = (p, q, g, v) \) and stores her secret key \( sk = s \). Notice that both Victor and their adversary Eve can see the public key, but they would have to solve the discrete logarithm problem for \( v \) to obtain the secret key \( s \).

Signature Creation Process

Suppose Samantha wants to sign a large message \( m \). She first computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \) using a publicly known hash function \( \mathcal{H} \), and then signs the fingerprint instead of the message itself. One property of a hash function is that the input can be of arbitrary length, but the output always has a fixed length. The hash function used by Samantha returns a fingerprint such that \( 1 \leq \mathcal{H}(m) \leq q-1 \). Samantha then chooses a unique random number \( e \) (an ephemeral key, which is only used once for each signature) such that \( 1 \leq e \leq q-1 \). Finally, she uses the signing algorithm \( S \) with the secret key \( sk = s \) to compute the signature \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e} \: mod \: p) \) and \( \sigma_{2} = e + s \cdot \sigma_{1} \: mod \: q \) (the symbol \( \| \) means concatenation). She then sends the signature \( (\sigma_{1}, \sigma_{2}) \) and the message \( m \) to Victor.

Verification Process

To verify the signature, Victor first uses the same hash function \( \mathcal{H} \) as Samantha to compute the fingerprint \( \mathcal{H}(m) \) of the message \( m \). He then computes \( S = \mathcal{H}(\mathcal{H}(m) \: \| \: g^{\sigma_{2}} \cdot v^{-\sigma_{1} \: mod \: q} \: mod \: p) \) and checks that \( S \) is equal to \( \sigma_{1} \). The signature is valid only if \( S = \sigma_{1} \), because:

\( \eqalign{ S &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{\sigma_{2}} \cdot v^{-\sigma_{1}} \: mod \: p) &&(\sigma_{2} = e + s \cdot \sigma_{1}) \\ &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e + s \cdot \sigma_{1}} \cdot v^{-\sigma_{1}} \: mod \: p) &&(v = g^{s}) \\ &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e + s \cdot \sigma_{1}} \cdot (g^{s})^{-\sigma_{1}} \: mod \: p) &&(\mbox{exponent rule}) \\ &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e + s \cdot \sigma_{1}} \cdot g^{-(s \cdot \sigma_{1})} \: mod \: p) &&(\mbox{exponent rule}) \\ &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e + s \cdot \sigma_{1} - (s \cdot \sigma_{1})} \: mod \: p) &&((s \cdot \sigma_{1})-(s \cdot \sigma_{1}) = 0) \\ &= \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e} \: mod \: p) \\ &= \sigma_{1} } \)

Security Considerations

Schnorr signatures offer several security advantages:

  • Provable security: Security reducible to the discrete logarithm problem under the random oracle model
  • Non-malleability: More resistant to certain signature manipulation attacks
  • Simplicity: Simpler design means fewer implementation pitfalls

As with ElGamal signatures, never reuse the ephemeral key \(e\). Doing so would allow an attacker to recover the private key.

Practical Applications

Modern Implementations

  • Bitcoin: Added Schnorr signatures in the 2021 "Taproot" upgrade
  • Ed25519: A variant of Schnorr using Edwards curves
  • libsecp256k1: Popular implementation for cryptocurrency wallets
  • TLS: Used in some TLS implementations for authentication

Key Advantages

  • Multi-signature: Multiple parties can create a single compact signature
  • Threshold signatures: Enables m-of-n signing schemes
  • Signature aggregation: Combining multiple signatures into one
  • Improved privacy: Multi-signature transactions look like regular ones

Schnorr signatures have seen renewed interest in recent years, particularly in blockchain technology, due to their elegant mathematical properties and efficiency benefits.

The protocol
Public parameters
A trusted third party publishes two large prime numbers \( p \) and \( q \) such that \( p \: mod \: q = 1 \), and a generator \( g = g_{1}^{(p-1)/q} \: mod \: p \) of order \( q \) from the group \( \mathbb{Z}_{p}^{*} \) (where \( g_{1} \) is a generator of the group \( \mathbb{Z}_{p} \)).
Key creation
Samantha:
  1. Chooses a secret signing key \( 1 \leq s \leq q-1 \).
  2. Computes the public verification key \( v = g^{s} \: mod \: p \).
Samantha sends the public key \( pk =(p,q,g,v) \) to Victor.
Signing
Samantha:
  1. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \), where \( 1 \leq \mathcal{H}(m) \leq q-1 \).
  2. Chooses a unique random ephemeral key \( 1 \leq e \leq q-1 \).
  3. Uses the secret key \( sk = s \) and the ephemeral key to sign the fingerprint by computing \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e} \: mod \: p) \) and \( \sigma_{2} = e + s \cdot \sigma_{1} \: mod \: q \) (\( \| \) denotes concatenation).
Samantha sends the signature \( (\sigma_{1},\sigma_{2}) \) and the message \( m \) to Victor.
Verification
Victor:
  1. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \).
  2. Uses Samantha's public key \( pk = (p, q, g, v) \) to verify the signature by checking that \( \mathcal{H}(\mathcal{H}(m) \: \| \: g^{\sigma_{2}} \cdot v^{-\sigma_{1} \: mod \: q} \: mod \: p) = \sigma_{1} \), where \( \| \) denotes concatenation.
  3. The signature is valid only if this equality holds.
Example

A trusted third party chooses the two prime numbers \( p = 2111 \) and \( q = 211 \), the generator \( g_{1} = 434 \) of the group \( \mathbb{Z}_{2111} \), and computes the generator \( g = g_{1}^{(p-1)/q} \: mod \: p = 434^{(2111-1)/211} \: mod \: 2111 = 682 \) of order \( q = 211 \). Samantha then chooses the secret key \( sk = s = 116 \) and computes the public verification key \( v = g^{s} \: mod \: p = 682^{116} \: mod \: 2111 = 1758 \). She then publishes her public key \( pk = (p, q, g, v) = (2111, 211, 682, 1758) \).

The message Samantha wants to sign is \( m = \mbox{"Transfer 100 USD to Carla"} \), for which she computes the fingerprint using the hash function \( \mathcal{H} \): \( \mathcal{H}(m) = 189 \). She then chooses an ephemeral key (a unique random number) \( e = 82 \) and computes the signature \( (\sigma_{1}, \sigma_{2}) = (121, 192) \), where \( \sigma_{1} = \mathcal{H}(\mathcal{H}(m) \: \| \: g^{e} \: mod \: p) = \mathcal{H}(189 \: \| \: 682^{82} \: mod \: 2111) = 121 \) and \( \sigma_{2} = e + s \cdot \sigma_{1} \: mod \: q = 82 + 116 \cdot 121 \: mod \: 211 = 192 \). Finally, she sends the signature \( (\sigma_{1}, \sigma_{2}) = (121, 192) \) and the message \( m \) to Victor, who works at the bank.

Victor verifies the signature by first computing the fingerprint \( \mathcal{H}(m) = 189 \) of the message using the same hash function \( \mathcal{H} \) as Samantha. He then computes \( S = \mathcal{H}(\mathcal{H}(m) \: \| \: g^{\sigma_{2}} \cdot v^{-\sigma_{1} \: mod \: q} \: mod \: p) = \mathcal{H}(189 \: \| \: 682^{192} \cdot 1758^{-121 \: mod \: 211} \: mod \: 2111) = 121 \) and checks that \( S = 121 \) is equal to \( \sigma_{1} = 121 \).

The Digital Signature Algorithm (DSA) explained

The Digital Signature Algorithm (DSA), proposed by NIST (the National Institute of Standards and Technology) in 1991 and published as the DSS (Digital Signature Standard) in 1994, is a modified version of the Schnorr and ElGamal signature schemes. DSA allows for shorter signatures compared to the original ElGamal signature.

The Digital Signature Algorithm (DSA) is a FIPS-standardized signature scheme with these key properties:

  • Security basis: Discrete logarithm problem in a prime-order subgroup
  • Compact signatures: Similar size to Schnorr (~320-460 bits)
  • Standardization: FIPS 186 standard widely adopted in government applications
  • Variants: Adapted for use with elliptic curves (ECDSA)

DSA has an interesting historical background:

  • Developed by David W. Kravitz, an NSA employee, in the early 1990s
  • Patented by the US government (now expired) but freely available for public use
  • Created as an alternative to the RSA algorithm which was patented at the time
  • Selected as the Digital Signature Standard (DSS) by NIST in 1994
  • Met with initial controversy due to its classified development process
Key Generation for DSA

First, Samantha (or a trusted third party) chooses two prime numbers \( p \) and \( q \) such that \( p \: mod \: q = 1 \) (this is typically done by first choosing \( q \) and then computing \( p = i \cdot q + 1 \) for \( i \geq 2 \) until \( p \) is prime), and a generator \( g \) of order \( q \) from the group \( \mathbb{Z}_{p}^{*} \). If a generator \( g \) has order \( q \), it means that it generates a subgroup \( G \) of \( \mathbb{Z}_{p}^{*} \) with \( q \) elements, i.e., \( |G|=q \). Samantha can easily find \( g \) by computing \( g = g_{1}^{(p-1)/q} \: mod \: p \), where \( g_{1} \) is a generator of the group \( \mathbb{Z}_{p} \). Next, Samantha chooses a secret signing key \( s \) and computes the public verification key \( v = g^{s} \: mod \: p \). Samantha publishes her public key \( pk = (p, q, g, v) \) and stores her secret key \( sk = s \). Notice that both Victor and their adversary Eve can see the public key, but they would need to solve the discrete logarithm problem for \( v \) to obtain the secret key \( s \).

Signature Creation Process

Instead of signing the message \( m \) itself, Samantha signs its fingerprint \( \mathcal{H}(m) \), which is computed using a publicly known hash function \( \mathcal{H} \). In DSA, the hash function used is SHA-1, where \( 1 \leq \mathcal{H}(m) \leq q-1 \). One property of a hash function is that the input can be of arbitrary length, but the output always has a fixed length.

Samantha chooses a unique random number \( e \) (an ephemeral key that is only used once for each signature) such that \( 1 \leq e \leq q-1 \) and \( \gcd(e, q) = 1 \), because she also needs the inverse \( e^{-1} \) of \( e \). (Remember that in the case of DSA, \( e^{-1} \) only exists when \( \gcd(e, q) = 1 \).) The inverse \( e^{-1} \) is computed using the extended Euclidean algorithm, which gives her the equation \( e \cdot \lambda + q \cdot \mu = \gcd(e, q) \), where \( e^{-1} = \lambda \: mod \: q \) and \( e \cdot e^{-1} \: mod \: q = 1 \). Finally, she computes the signature using the signing algorithm \( S \) with the secret key \( sk=s \) by \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = (g^{e} \: mod \: p) \: mod \: q \) and \( \sigma_{2} = (\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q \). Samantha sends the signature \( (\sigma_{1}, \sigma_{2}) \) and the message \( m \) to Victor.

Verification Process

To verify the signature, Victor first uses the SHA-1 hash function \( \mathcal{H} \), as Samantha did, to compute the fingerprint \( \mathcal{H}(m) \) of the message \( m \). He then computes the inverse \( \sigma_{2}^{-1} \) of \( \sigma_{2} \) using the extended Euclidean algorithm, which gives him the equation \( \sigma_{2} \cdot \lambda + q \cdot \mu = \gcd(\sigma_{2}, q) \), where \( \sigma_{2}^{-1} = \lambda \: mod \: q \) and \( \sigma_{2} \cdot \sigma_{2}^{-1} \: mod \: q = 1 \). (Remember that in the case of DSA, \( \sigma_{2}^{-1} \) only exists because \( \gcd(\sigma_{2}, q)=1 \).) Finally, he computes \( V_{1} = \mathcal{H}(m) \cdot \sigma_{2}^{-1} \: mod \: q \) and \( V_{2} = \sigma_{1} \cdot \sigma_{2}^{-1} \: mod \: q \), and checks that \( S = (g^{V_{1}} \cdot v^{V_{2}} \: mod \: p) \: mod \: q \) is equal to \( \sigma_{1} \). The signature is valid only if \( S = \sigma_{1} \), because:

\( \eqalign{ S &= (g^{V_{1}} \cdot v^{V_{2}} \: mod \: p) \: mod \: q &&(v=g^{s}) \\ &= (g^{V_{1}} \cdot (g^{s})^{V_{2}} \: mod \: p) \: mod \: q &&(\mbox{exponent rule}) \\ &= (g^{V_{1}} \cdot g^{s \cdot V_{2}} \: mod \: p) \: mod \: q &&(V_{1} = \mathcal{H}(m) \cdot \sigma_{2}^{-1} \: \mbox{and} \: V_{2} = \sigma_{1} \cdot \sigma_{2}^{-1}) \\ &= (g^{\mathcal{H}(m) \cdot \sigma_{2}^{-1}} \cdot g^{s \cdot \sigma_{1} \cdot \sigma_{2}^{-1}} \: mod \: p) \: mod \: q &&(\mbox{exponent rule}) \\ &= (g^{\mathcal{H}(m) \cdot \sigma_{2}^{-1} + s \cdot \sigma_{1} \cdot \sigma_{2}^{-1}} \: mod \: p) \: mod \: q \\ &= (g^{(\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot \sigma_{2}^{-1}} \: mod \: p) \: mod \: q &&(e \cdot \sigma_{2} \: mod \: q = \mathcal{H}(m) + s \cdot \sigma_{1} \: mod \: q) \\&= (g^{e \cdot \sigma_{2} \cdot \sigma_{2}^{-1}} \: mod \: p) \: mod \: q &&(\sigma_{2} \cdot \sigma_{2}^{-1} \: mod \: q = 1) \\&= (g^{e} \: mod \: p) \: mod \: q \\ &= \sigma_{1} } \)

It may not be immediately obvious that \( e \cdot \sigma_{2} \: mod \: q = \mathcal{H}(m) + s \cdot \sigma_{1} \: mod \: q \), but as we can see:

\( \eqalign{ e \cdot \sigma_{2} \: mod \: q &= e \cdot ((\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1}) \: mod \: q \\ &= e \cdot (\mathcal{H}(m) \cdot e^{-1} + s \cdot \sigma_{1} \cdot e^{-1}) \: mod \: q \\ &= \mathcal{H}(m) \cdot e^{-1} \cdot e + s \cdot \sigma_{1} \cdot e^{-1} \cdot e \: mod \: q &&(e \cdot e^{-1} \: mod \: q = 1) \\ &= \mathcal{H}(m) + s \cdot \sigma_{1} \: mod \: q } \)

The reason why it is important that the value \( e \) is only used once for each signature is that, otherwise, it would be easy for Eve to compute Samantha's secret key \( s \). The second part of the signature, \( \sigma_{2} = (\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q \), can be rearranged to \( s = (\sigma_{2} \cdot e - \mathcal{H}(m)) \cdot \sigma_{1}^{-1} \: mod \: q \). Thus, knowing the value of \( e \) allows Eve to easily recover the private key \( s \). Suppose Samantha signs two different messages, \( m \) and \( m' \), using the same \( e \). She then produces two signatures, \( (\sigma_{1}, \sigma_{2}) \) and \( (\sigma_{1}', \sigma_{2}') \), where \( \sigma_{2} = (\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q \) and \( \sigma_{2}' = (\mathcal{H}(m') + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q \). Eve can now compute the value of \( e \) by first calculating:

\( \eqalign{ \sigma_{2} - \sigma_{2}' &= ((\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} - (\mathcal{H}(m') + s \cdot \sigma_{1}) \cdot e^{-1}) \: mod \: q \\ &= ((\mathcal{H}(m) \cdot e^{-1} + s \cdot \sigma_{1} \cdot e^{-1}) - (\mathcal{H}(m') \cdot e^{-1} + s \cdot \sigma_{1} \cdot e^{-1})) \: mod \: q \\ &= (\mathcal{H}(m) \cdot e^{-1} + s \cdot \sigma_{1} \cdot e^{-1} - \mathcal{H}(m') \cdot e^{-1} - s \cdot \sigma_{1} \cdot e^{-1}) \: mod \: q &&(s \cdot \sigma_{1} \cdot e^{-1} - s \cdot \sigma_{1} \cdot e^{-1} = 0) \\ &= (\mathcal{H}(m) \cdot e^{-1} - \mathcal{H}(m') \cdot e^{-1}) \: mod \: q\\ &= (\mathcal{H}(m) - \mathcal{H}(m')) \cdot e^{-1} \: mod \: q } \)

By rearranging the equation \( \sigma_{2} - \sigma_{2}' = (\mathcal{H}(m) - \mathcal{H}(m')) \cdot e^{-1} \: mod \: q \), Eve can solve for \( e \) as follows: \( e = (\mathcal{H}(m) - \mathcal{H}(m')) \cdot (\sigma_{2} - \sigma_{2}')^{-1} \: mod \: q \).

Security Considerations

DSA requires careful implementation to avoid several security pitfalls:

  • Random number generation: The ephemeral key must come from a cryptographically secure random number generator
  • Key length: Modern implementations should use at least 2048-bit p and 256-bit q
  • Parameter validation: All parameters should be validated to prevent small subgroup attacks
  • Modern hash functions: While the original DSA used SHA-1, modern implementations should use SHA-256 or stronger

The reason why it is important that the value \( e \) is only used once for each signature is that, otherwise, it would be easy for Eve to compute Samantha's secret key \( s \)...

Practical Applications

Common DSA Uses

  • Government applications: FIPS 186 compliance requirements
  • PKI infrastructure: Certificate signing in X.509 systems
  • SSH authentication: Used in OpenSSH implementations
  • Document signing: Digital signatures for PDFs and other documents

Modern Variants

  • ECDSA: Elliptic curve variant used in cryptocurrencies
  • GOST: Russian standardized variant of DSA
  • DSA-2: Enhanced version with larger parameter sizes
  • Historical significance: First US government approved signature algorithm

As computing power increases, DSA implementations are gradually transitioning to elliptic curve variants (ECDSA) for improved efficiency with smaller key sizes while maintaining equivalent security.

The protocol
Public parameters
A trusted third party publishes two large prime numbers \( p \) and \( q \) such that \( p \: mod \: q = 1 \), and a generator \( g = g_{1}^{(p-1)/q} \: mod \: p \) of order \( q \) from the group \( \mathbb{Z}_{p}^{*} \) (where \( g_{1} \) is a generator of the group \( \mathbb{Z}_{p} \)).
Key creation
Samantha:
  1. Chooses a secret signing key \( 1 \leq s \leq q-1 \).
  2. Computes the public verification key \( v = g^{s} \: mod \: p \).
Samantha sends the public verification key \( pk =(p,q,g,v) \) to Victor.
Signing
Samantha:
  1. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \) using the SHA-1 hash function, where \( 1 \leq \mathcal{H}(m) \leq q-1 \).
  2. Chooses a unique random ephemeral key \( 1 \leq e \leq q-1 \).
  3. Computes the inverse \( e^{-1} \) of \( e \) using the extended Euclidean algorithm.
  4. Uses the secret key \( sk = s \) and the ephemeral key to sign the fingerprint by computing \( (\sigma_{1}, \sigma_{2}) = S_{sk}(\mathcal{H}(m)) \), where \( \sigma_{1} = (g^{e} \: mod \: p) \: mod \: q \) and \( \sigma_{2} = (\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q \).
Samantha sends the signature \( (\sigma_{1},\sigma_{2}) \) and the message \( m \) to Victor.
Verification
Victor:
  1. Computes the fingerprint \( \mathcal{H}(m) \) of the message \( m \).
  2. Computes the inverse \( \sigma_{2}^{-1} \) of \( \sigma_{2} \) using the extended Euclidean algorithm.
  3. Calculates \( V_{1} = \mathcal{H}(m) \cdot \sigma_{2}^{-1} \: mod \: q \) and \( V_{2} = \sigma_{1} \cdot \sigma_{2}^{-1} \: mod \: q \).
  4. Verifies that \( (g^{V_{1}} \cdot v^{V_{2}} \: mod \: p) \: mod \: q = \sigma_{1} \).
Example

A trusted third party chooses the two prime numbers \( p = 467 \) and \( q = 233 \), and the generator \( g_{1} = 383 \) of the group \( \mathbb{Z}_{467} \). The generator \( g \) of order \( q = 233 \) is computed as \( g = g_{1}^{(p-1)/q} \: mod \: p = 383^{(467-1)/233} \: mod \: 467 = 51 \). Samantha chooses the secret signing key \( s = 193 \) and computes the public verification key \( v = g^{s} \: mod \: p = 51^{193} \: mod \: 467 = 117 \). She then publishes her public key \( pk = (p, q, g, v) = (467, 233, 51, 117) \).

The message Samantha wants to sign is \( m = \mbox{"Transfer 100 USD to Carla"} \), for which she computes the fingerprint using the SHA-1 hash function \( \mathcal{H} \): \( \mathcal{H}(m) = 84 \). She then chooses an ephemeral key (a unique random number) \( e = 83 \) such that \( \gcd(e, q) = \gcd(83, 233) = 1 \), and computes the inverse \( e^{-1} \) of \( e \) using the extended Euclidean algorithm. The extended Euclidean algorithm gives her the equation \( \gcd(e, q) = e \cdot \lambda + q \cdot \mu = 83 \cdot 73 + 233 \cdot (-26) = 1 \), where \( e^{-1} = \lambda \: mod \: q = 73 \: mod \: 233 = 73 \).

Next, she computes the signature \( (\sigma_{1}, \sigma_{2}) = (135, 110) \), where \( \sigma_{1} = (g^{e} \: mod \: p) \: mod \: q = (51^{83} \: mod \: 467) \: mod \: 233 = 135 \) and \( \sigma_{2} = (\mathcal{H}(m) + s \cdot \sigma_{1}) \cdot e^{-1} \: mod \: q = (84 + 193 \cdot 135) \cdot 73 \: mod \: 233 = 110 \). Finally, she sends the signature \( (\sigma_{1}, \sigma_{2}) = (135, 110) \) and the message \( m \) to Victor, who works at the bank.

Victor verifies the signature by first computing the fingerprint \( \mathcal{H}(m) = 84 \) of the message, just as Samantha did, using the SHA-1 hash function \( \mathcal{H} \). He then computes the inverse \( \sigma_{2}^{-1} = 197 \) of \( \sigma_{2} = 110 \) using the extended Euclidean algorithm, and the two values \( V_{1} = \mathcal{H}(m) \cdot \sigma_{2}^{-1} \: mod \: q = 84 \cdot 197 \: mod \: 233 \) and \( V_{2} = \sigma_{1} \cdot \sigma_{2}^{-1} \: mod \: q = 135 \cdot 197 \: mod \: 233 \). Finally, he verifies that \( (g^{V_{1}} \cdot v^{V_{2}} \: mod \: p) \: mod \: q = (51^{5} \cdot 117^{33} \: mod \: 467) \: mod \: 233 = 135 \) is equal to \( \sigma_{1} = 135 \).