ElGamal introduction

Due November 4, 2009. If you skipped the Pollard optional page from semester break, please take a look at it.

We move on to another public-key encryption method, ElGamal. It has this idea in common with RSA: use a complicated math move which is easy to do but almost impossible to undo. The move in ElGamal is discrete logarithms.

When we work with a continuous domain such as the real numbers, logarithms behave well. They're so easy, high school textbooks study logarithms and scientific calculators have logarithms wired into their circuitry. Let's recall the definition of a logarithm.

b^x = y is logically equivalent to log_b (y) = x. That's log to the base b of y equals x. (I don't have a nice way to write the log subscript in this wiki.) x is the logarithm to the base b of y. See? x is the logarithm. In the exponential form, x is the exponent.

The discrete logarithm employs a modulus. The notational vocab is the same. x is the logarithm. (In the encryption next week, we'll see that x is the plaintext message. Hard to solve for that x.) Here's the discrete log equation in exponential form. We don't need to write this equation as a logarithm.

b^x = y (mod n) for b < n.

As prep for ElGamal encryption, let's see how tough it is to find x. Example. 17^x = 18 (mod 23). I can only solve by brute force because my number theory is so weak. I'm making a table.

x .... 17^x (mod 23)
1 .... 17
2 .... 13
3 .... 14
4 .... 8
5 .... 21
6 .... 12
7 .... 20
8 .... 18

Whew! I'm glad I have a program to do this for me.

So x = 8. 8 is the only number less than 23 that will work. The reason for this requires a little abstract algebra. Maybe we'll talk about it another day. The main idea is, when the base and the modulus are chosen, finding the message x when you know only the modulus, the base, and the base raised to the message mod the modulus is super-difficult. In ElGamal, the encrypting info is made public and the encrypted message could be intercepted. Yet, even with the encrypted message, base and modulus known, working back to the original message is, so far, considered near impossible for a big modulus.

(The exciting part is this: ElGamal has survived all published attacks so far. Nobody has found a chink in the armor yet, theoretically. So, ElGamal remains an option to replace RSA. But, can you imagine the storm of controversy if one person found a way to crack ElGamal after it became the new internet security standard? What could we do? Lock down all internet commerce and secured digital communication until everybody decides to switch to elliptic curves? So you can understand the hesitation to switch from RSA to ElGamal prematurely.)

Take a moment to observe that there's no obvious pattern for those remainders. If I were to continue my table, all the integers less than 23 would occur once each before they start reappearing. That's one nice fact, when it happens. THERE IS A HUGE hassle here.

Huge Hassle: the base has to be a generator of the group Z_p. Having p prime and the base mutually prime to p is not enough! Choosing p prime and base prime has worked for most of the homework problems below, but Dave has found one which did not work. That alone is nice. We'll see the details of the story in the next wiki page, proper ElGamal encryption.
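An added example, not part of the original wiki page: a Python brute-force solver for b^x = y (mod p), combined with the generator test that the Huge Hassle paragraph calls for. The function names are chosen for this example, and p is assumed to be prime.

```python
# Added example: brute-force discrete logs and the generator check (p prime).

def discrete_log(b, y, p):
    """Smallest x >= 1 with b^x = y (mod p), or None if y is never reached."""
    value = 1
    for x in range(1, p):            # the powers repeat after at most p-1 steps
        value = (value * b) % p
        if value == y % p:
            return x
    return None

def order(b, p):
    """Length of the cycle of powers of b mod p: smallest x with b^x = 1."""
    return discrete_log(b, 1, p)

def prime_factors(m):
    """Set of primes dividing m, by trial division (fine for small m)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors

def is_generator(b, p):
    """True if the powers of b hit every value 1..p-1."""
    # b generates iff b^((p-1)/q) != 1 (mod p) for every prime q dividing p-1.
    if b % p == 0:
        return False
    return all(pow(b, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def report(b, y, p):
    """Solve b^x = y (mod p) and say whether b was a safe choice of base."""
    return {"x": discrete_log(b, y, p),
            "order": order(b, p),
            "generator": is_generator(b, p)}

if __name__ == "__main__":
    print(report(17, 18, 23))   # the worked example from the text
    print(report(19, 6, 31))    # a prime base that is not a generator
```

The brute-force loop does up to p-1 multiplications, which is why it is usable for a two-digit modulus and hopeless for a modulus hundreds of digits long.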

Here's your homework. Feel free to write your own Maple or TI program for solving.

Solve for x. Also, feel free to make the base a smaller number and try the problem again. Write out your version completely. That should give you all plenty of problems to try.

Problem 1. 19^x = 6 (mod 31)

x ... 19^x (mod 31)
2 ... 20
3 ... 8
4 ... 28
5 ... 5
6 ... 2
7 ... 7
8 ... 10
9 ... 16
10 ... 25
11 ... 10
12 ... 4
13 ... 14
14 ... 18
15 ... 1
16 ... 19
17 ... 20
18 ... 8
19 ... 28
20 ... 5
21 ... 2
22 ... 7
23 ... 9
24 ... 16
25 ... 25
26 ... 10
27 ... 4
28 ... 14
29 ... 18
30 ... 1
31 ... 19
32 ... 20
33 ... 8

As you can see, the remainders have cycled through already, and have started again with 32=1 and 33=2 for x. Clearly there is no point in which 19^x (mod 31)=6. This seems odd, since all numbers 1-30 seem like they should be used at least once. Here 6 is not. user:D_Sweeney

Ah, this was bound to happen. There is a structure ElGamal needs which has gone unmentioned. user:mcdaniel30

This set actually cycled through again starting at 16 so 1=16=31 and 2=17=32 and so on.... user:TrevorBarton

Ah yes, I overlooked that one, so still, 6 is not a remainder. user:D_Sweeney

Problem 2. 11^x = 7 (mod 13)

x ... 11^x mod 13
1 ... 11
2 ... 4
3 ... 5
4 ... 3
5 ... 7

So x = 5 user:LauraShuman

Laura gets lucky. user:mcdaniel30

Problem 3. 23^x = 10 (mod 59)

x ... 23^x (mod 59)
1 ... 23
2 ... 57
3 ... 13
4 ... 4
5 ... 33
6 ... 51
7 ... 52
8 ... 16
9 ... 14
10 ... 27
11 ... 31
12 ... 5
13 ... 56
14 ... 49
15 ... 6
16 ... 20
17 ... 47
18 ... 19
19 ... 24
20 ... 21
21 ... 11
22 ... 17
23 ... 37
24 ... 25
25 ... 44
26 ... 9
27 ... 30
28 ... 41
29 ... 58
30 ... 36
31 ... 2
32 ... 46
33 ... 55
34 ... 26
35 ... 8
36 ... 7
37 ... 43
38 ... 45
39 ... 32
40 ... 28
41 ... 54
42 ... 3
43 ... 10!!!!!

Wow that sucked. x=43 user:TrevorBarton

From your perspective, this problem was annoying. But from mine, it was beautiful. Look at the lack of structure in the sequence of remainders in the second column. Wowie zowie. user:mcdaniel30

Problem 4. 13^x = 8 (mod 23)

x ... (17^x)mod(23)
1 ... 17
2 ... 13
3 ... 14
4 ... 8

wee hoo! x=4 user:wrighann

Problem 5. The solving is easier when the modulus is small. Why? Having a small modulus is a terrible idea for at least two reasons. Why?

Smaller mods will have solutions for x more frequently, there are fewer numbers that rotate around; in mod 23, there are only 23 options, 0-22, so if you want to get to 8, you have a better chance of choosing a good number. Small solutions can also be calculated without a heavy duty program. user:wrighann

You're both thinking correctly. Somebody needs to put this answer in the language of the course. user:mcdaniel30