\section{Elgamal Asymmetric Encryption}

Another cryptographic tool we often use is the \textit{public key cryptosystem}.
In such a system, one has two keys: a \textit{public key} that can only encrypt data,
and a \textit{private key} that can decrypt it. The following problem provides a simple example.

\problem{}
Alice wants to send a secret letter to Bob. Eve, the postman, would like to see what is inside. \par
\vspace{2mm}
Alice has a box, a lock, and a key. Bob does not own a lock. \par
Eve will open the box if she can, but she will not try to break any locks. \par
Also, she will always deliver the box without modifying its contents.
\vspace{2mm}
How can Alice send her letter without letting Eve read it?

\vfill

Elgamal encryption allows Alice to publish a public key ($A$ in the diagram below),
which Bob can use to encrypt a message. Alice then uses her private key ($a$) to decrypt it.

\begin{center}
\begin{tikzpicture}[scale = 0.5]
	\def\bx{18}
	\def\ex{13}

	\node[anchor = center] at (\ex, 7.5) {\textbf{Setup}};
	\draw[-] (\ex-4.5, 7) -- (\ex+4.5, 7);
	\node[anchor = west] at (\ex-4, 6) {Let $p$ be a prime number};
	\node[anchor = west] at (\ex-4, 5) {Let $g$ be a generator in $\mathbb{Z}_p^\times$};
	\node[anchor = west] at (\ex-4, 4) {Both $g$ and $p$ are public.};

	\node[anchor = center] at (4, 1.5) {\textbf{Alice}};
	\draw[-] (-0.5, 1) -- (8.5, 1);
	\node[anchor = west] at (0, 0) {Pick a random $a \in \mathbb{Z}_p^\times$};
	\node[anchor = west] at (0, -1) {Set $A = g^a$};
	\node[anchor = west] at (0, -2) {Publish $A$};
	\draw[->] (6, -2) -- (\ex - 1, -2);
	\draw[->] (\ex+1, -2) -- (\bx - 1, -2);

	\node[anchor = west] at (0, -6) {Compute $c_2 \times c_1^{-a}$};
	\node[anchor = west] at (0, -7) {$= (mA^k)(g^{-ak})$};
	\node[anchor = west] at (0, -8) {$= (m)(g^{ak}g^{-ak})$};
	\node[anchor = west] at (0, -9) {$= m$};

	\node[anchor = center] at (\bx+4, 1.5) {\textbf{Bob}};
	\draw[-] (\bx-0.5, 1) -- (\bx+8.5, 1);
	\node[anchor = west] at (\bx, 0) {Bob has a message $m \in \mathbb{Z}_p^\times$};
	\node[anchor = west] at (\bx, -1) {Pick a random $k \in \mathbb{Z}_p^\times$};
	\node[anchor = west] at (\bx, -3) {Set $c_1 = g^k$};
	\node[anchor = west] at (\bx, -4) {Set $c_2 = mA^k$};
	\node[anchor = west] at (\bx, -5) {Publish $(c_1, c_2)$};
	\draw[->] (\bx-1, -5) -- (\ex+1.5, -5);
	\draw[->] (\ex-1.5, -5) -- (6, -5);

	\node[anchor = center] at (\ex, 1.5) {\textbf{Public}};
	\draw[-] (\ex-2, 1) -- (\ex+2, 1);
	\node[anchor = center] at (\ex, 0) {$p, g$};
	\node[fill=white, anchor = center] at (\ex, -2) {$A$};
	\node[fill=white, anchor = center] at (\ex, -5) {$(c_1, c_2)$};
\end{tikzpicture}
\end{center}

\problem{}
Let $p = 17$, $g = 2$, $a = 7$, $k = 10$, and $m = 3$. \par
Run this algorithm and make sure it works.

\begin{solution}
	$A = 2^7 = 9$\par
	$c_1 = 2^{10} = 4$\par
	$c_2 = 3(9^{10}) = 5$

	\vspace{2mm}

	$c_1^a = 13$, so $c_1^{-a} = 4$\par
	$c_2 \times c_1^{-a} = 5 \times 4 = 3 = m$
\end{solution}

\vfill
\pagebreak

\problem{}
Is this secure? What information does Eve have? \par
What does Eve need to find $m$?

\vfill

\problem{}
Say Bob re-uses the same $k$ twice.\par
Let $(c_1, c_2)$ and $(d_1, d_2)$ be two ciphertexts generated with this key,
encrypting messages $m_1$ and $m_2$. \par
Also, say Eve knows the value of $m_1 - m_2$. How can Eve find $m_1$ and $m_2$?\par
\note[Note]{If Bob doesn't change his key, Eve will also be able to decrypt future messages.}

\begin{solution}
	$c_2 - d_2 = (m_1 - m_2)A^k$ \par
	So, $(c_2 - d_2)(m_1 - m_2)^{-1} = A^k$\par
	Now that we have $A^k$, we can compute $m_1 = c_2 \times A^{-k}$
\end{solution}

\vfill
\pagebreak
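The following Python script is an added worked example (not part of the handout) that runs the scheme with the toy parameters above ($p = 17$, $g = 2$, $a = 7$, $k = 10$, $m = 3$) and then carries out the repeated-$k$ recovery from the last problem, so the arithmetic in both solutions can be checked mechanically. Function names and the second message $m_2 = 11$ are this example's own choices.

```python
# Textbook Elgamal over Z_p^x with the handout's toy parameters.
# p = 17 is chosen only so the numbers can be checked by hand.

P, G = 17, 2  # public parameters from the problem; 2 generates Z_17^x


def keygen(a: int, p: int = P, g: int = G) -> int:
    """Alice: public key A = g^a mod p for private exponent a."""
    return pow(g, a, p)


def encrypt(m: int, A: int, k: int, p: int = P, g: int = G) -> tuple[int, int]:
    """Bob: ciphertext (c1, c2) = (g^k, m * A^k) mod p for ephemeral k."""
    return pow(g, k, p), (m * pow(A, k, p)) % p


def decrypt(c1: int, c2: int, a: int, p: int = P) -> int:
    """Alice: m = c2 * c1^(-a) mod p (pow with a negative exponent needs Python 3.8+)."""
    return (c2 * pow(c1, -a, p)) % p


def recover_from_reused_k(c2: int, d2: int, diff: int, p: int = P) -> tuple[int, int]:
    """Last problem: c2 = m1*A^k and d2 = m2*A^k share the same k, and Eve knows
    diff = m1 - m2.  Then A^k = (c2 - d2) * diff^(-1), and A^(-k) unmasks both."""
    diff %= p
    if diff == 0:  # m1 == m2: the difference has no inverse, the trick does not apply
        raise ValueError("m1 - m2 is 0 mod p; cannot isolate A^k this way")
    shared = ((c2 - d2) * pow(diff, -1, p)) % p  # this is A^k
    inv = pow(shared, -1, p)                      # this is A^(-k)
    return (c2 * inv) % p, (d2 * inv) % p


if __name__ == "__main__":
    A = keygen(7)                      # A = 2^7 mod 17 = 9
    c1, c2 = encrypt(3, A, 10)         # (4, 5) as in the solution
    print("A =", A, " ciphertext =", (c1, c2), " decrypted m =", decrypt(c1, c2, 7))

    # Bob reuses k = 10 for a second message m2 = 11 (constructed for this example).
    d1, d2 = encrypt(11, A, 10)        # d1 == c1 is the tell-tale sign of a reused k
    print("same c1 in both ciphertexts:", d1 == c1)
    print("Eve recovers (m1, m2) =", recover_from_reused_k(c2, d2, 3 - 11))
```
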