\section{Elgamal Asymmetric Encryption}
Another cryptographic tool we often use is the \textit{public key cryptosystem}.
In such a system, one has two keys: a \textit{public key} that can only encrypt data, and a \textit{private key} that can decrypt it.
The following problem provides a simple example.
\problem{}
Alice wants to send a secret letter to Bob. Eve, the postman, would like to see what is inside. \par
\vspace{2mm}
Alice has a box, a lock, and a key. Bob does not own a lock. \par
Eve will open the box if she can, but she will not try to break any locks. \par
Also, she will always deliver the box without modifying its contents.
\vspace{2mm}
How can Alice send her letter without letting Eve read it?
\vfill
Elgamal encryption allows Alice to publish a public key ($A$ in the diagram below),
which Bob can use to encrypt a message. Alice then uses her private key ($a$) to decrypt it.
\begin{center}
\begin{tikzpicture}[scale = 0.5]
\def\bx{18}
\def\ex{13}
\node[anchor = center] at (\ex, 7.5) {\textbf{Setup}};
\draw[-] (\ex-4.5, 7) -- (\ex+4.5, 7);
\node[anchor = west] at (\ex-4, 6) {Let $p$ be a prime number};
\node[anchor = west] at (\ex-4, 5) {Let $g$ be a generator in $\mathbb{Z}_p^\times$};
\node[anchor = west] at (\ex-4, 4) {Both $g$ and $p$ are public.};
\node[anchor = center] at (4, 1.5) {\textbf{Alice}};
\draw[-] (-0.5, 1) -- (8.5, 1);
\node[anchor = west] at (0, 0) {Pick a random $a \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (0, -1) {Set $A = g^a$};
\node[anchor = west] at (0, -2) {Publish $A$};
\draw[->] (6, -2) -- (\ex - 1, -2);
\draw[->] (\ex+1, -2) -- (\bx - 1, -2);
\node[anchor = west] at (0, -6) {Compute $c_2 \times c_1^{-a}$};
\node[anchor = west] at (0, -7) {$= (mA^k)(g^{-ak})$};
\node[anchor = west] at (0, -8) {$= (m)(g^{ak}g^{-ak})$};
\node[anchor = west] at (0, -9) {$= m$};
\node[anchor = center] at (\bx+4, 1.5) {\textbf{Bob}};
\draw[-] (\bx-0.5, 1) -- (\bx+8.5, 1);
\node[anchor = west] at (\bx, 0) {Bob has a message $m \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (\bx, -1) {Pick a random $k \in \mathbb{Z}_p^\times$};
\node[anchor = west] at (\bx, -3) {Set $c_1 = g^k$};
\node[anchor = west] at (\bx, -4) {Set $c_2 = mA^k$};
\node[anchor = west] at (\bx, -5) {Publish $(c_1, c_2)$};
\draw[->] (\bx-1, -5) -- (\ex+1.5, -5);
\draw[->] (\ex-1.5, -5) -- (6, -5);
\node[anchor = center] at (\ex, 1.5) {\textbf{Public}};
\draw[-] (\ex-2, 1) -- (\ex+2, 1);
\node[anchor = center] at (\ex, 0) {$p, g$};
\node[fill=white, anchor = center] at (\ex, -2) {$A$};
\node[fill=white, anchor = center] at (\ex, -5) {$(c_1, c_2)$};
\end{tikzpicture}
\end{center}
\problem{}
Let $p = 17$, $g = 2$, $a = 7$, $k = 10$, and $m = 3$ \par
Run this algorithm and make sure it works.
\begin{solution}
$A = 2^7 = 9$\par
$c_1 = 2^{10} = 4$\par
$c_2 = 3(9^{10}) = 5$
\vspace{2mm}
$c_1^a = 13$, so $c_1^{-a} = 4$\par
$c_2 \times c_1^{-a} = 5 \times 4 = 3 = m$
\end{solution}
\vfill
\pagebreak
\problem{}
What information does Eve have? \par
What does Eve need to do to find $m$?
\vfill
\problem{}
Say Bob re-uses the same $k$ twice.\par
Let $(c_1, c_2)$ and $(d_1, d_2)$ be two ciphertexts generated with this key, encrypting messages $m_1$ and $m_2$. \par
Also, say Eve knows the value of $m_1 - m_2$. How can Eve find $m_1$ and $m_2$?\par
\note[Note]{If Bob doesn't change his key, Eve will also be able to decrypt future messages.}
\begin{solution}
$c_2 - d_2 = (m_1 - m_2)A^k$ \par
So, $(c_2 - d_2)(m_1 - m_2)^{-1} = A^k$\par
Now that we have $A^k$, we can compute $m_1 = c_2 \times A^{-k}$
\end{solution}
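
The scheme and the reused-$k$ failure above, as an added Python example that is not part of the original handout. It uses the handout's toy parameters ($p = 17$, $g = 2$, $a = 7$, $k = 10$, $m = 3$); the second message $m_2 = 11$, the fresh value $k' = 5$, and all function names are assumptions made for this example.

```python
# Added example: textbook ElGamal over Z_p^x with the handout's toy parameters.
# Function names and the second message are constructed for illustration.

def inv(x, p):
    """Inverse of x mod prime p, by Fermat's little theorem."""
    return pow(x, p - 2, p)

def keygen(p, g, a):
    """Alice: public key A = g^a mod p."""
    return pow(g, a, p)

def encrypt(p, g, A, m, k):
    """Bob: ciphertext (c1, c2) = (g^k, m * A^k) mod p."""
    return pow(g, k, p), (m * pow(A, k, p)) % p

def decrypt(p, a, c1, c2):
    """Alice: m = c2 * c1^(-a) mod p."""
    return (c2 * inv(pow(c1, a, p), p)) % p

def k_was_reused(c, d):
    """c1 = g^k depends only on k, so equal first components reveal a reused k."""
    return c[0] == d[0]

def recover_with_known_difference(p, c2, d2, diff):
    """Follow the solution: A^k = (c2 - d2) * (m1 - m2)^(-1), then strip A^k.
    Only correct when both ciphertexts really used the same k."""
    diff %= p
    if diff == 0:
        raise ValueError("m1 - m2 must be nonzero mod p")
    Ak_inv = inv(((c2 - d2) * inv(diff, p)) % p, p)
    return (c2 * Ak_inv) % p, (d2 * Ak_inv) % p

def demo():
    p, g, a, k = 17, 2, 7, 10            # handout values
    m1, m2 = 3, 11                       # m2 is constructed for this example
    A = keygen(p, g, a)
    c = encrypt(p, g, A, m1, k)
    d_reused = encrypt(p, g, A, m2, k)   # Bob's mistake: same k
    d_fresh = encrypt(p, g, A, m2, 5)    # correct use: new k (5 is constructed)
    return {
        "A": A, "c": c, "decrypted": decrypt(p, a, *c),
        "reuse_visible": k_was_reused(c, d_reused),
        "recovered": recover_with_known_difference(p, c[1], d_reused[1], m1 - m2),
        "fresh_visible": k_was_reused(c, d_fresh),
        "fresh_guess": recover_with_known_difference(p, c[1], d_fresh[1], m1 - m2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a fresh $k$ the same computation returns values unrelated to $m_1$ and $m_2$, and the first components of the two ciphertexts differ, so reuse is something a receiver or auditor can check for directly.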
\vfill
\pagebreak