Score:3

ElGamal discrete logarithm method to send keys

cn flag

In my criptography course I was given the following exercise:

ElGamal proposed the following digital signature scheme using discrete logarithms over a field $\mathbb{F}_p$, where $p$ is a large prime.

  • Step 1) Everybody agrees on a prime $p$ and a generator $g$ for $\mathbb{F}_p^*$.

  • Step 2) A (and all other uses) chooses a secret exponent $d_A$, and makes public $e_A\equiv g^{d_A}\mod p$ (just like in the ElGamal cryptosystem).

  • Step 3) To sign a message, encoded as an integer $m$ with $0\le m\le p-1$, A chooses a random integer $k$ relatively prime to $p-1$ (i. e. $\gcd(k,p-1)=1$). Then calculates $r\equiv g^k \mod p$ and solves the equation $g^m\equiv e_A^r r^s \mod p$ in the unknown $s$. In case $s=0$ (quite unlikely), she starts again with a different $k$. Finally, A sends to B the message $m$ together with the pair $(r,s)$, which is her signatura for that message.

  • Step 4) Beatriz checks that $g^m \equiv e_A^r r^s \mod p$. If this holds, B accepts that the signature $(r,s)$ really belongs to A.

a) Check that Ana knows all she needs to calculate $s$.

b) Check that C can not pretend to be A without knowing $d_A$, that is, without being able to solve a discrete logarithm problem, and, therefore $B$ can be sure that the message really comes from A.

c) Why must A discard $k$ if it turns out that $s=0$?

This is what I have:

a) Since $r\equiv g^k\mod p$ and $e_A=g^{d_A}\mod p$ then: $$g^m\equiv e_A^rr^s\equiv (g^{d_A})^{r}(g^k)^s=g^{d_Ar+ks}\mod p$$ And, Fermat's little theorem implies that $m\equiv d_Ar+ks\mod p-1\Rightarrow ks\equiv m-d_Ar\mod p-1$. Hence, since $\gcd(k,p-1)=1$ we have that $k$ is invertible in $\mathbb{F}^*_p$ and so $s\equiv k^{-1}(m-d_Ar)\mod p-1$. Hence, we are done, since Ana knows $p,k,m,d_A$ and $r$.

b) If $C$ want to pretend to be $A$, it needs to send $m$ and $(r,s)$ such that $g^m\equiv e_A^rr^s\mod p$. But $s$ depends on $d_A$ as we have seen in $a)$. Hence, we can not construct $s$ without knowing $d_A$, and so, if $C$ want to pretend to be $B$, it needs to find $d_A$. But that is hard, since the only thing we know about $d_A$ (if we are not $A$) is that $e_A\equiv g^{d_A}\mod p$ and so, pretending to be $A$ is equivalent to solve a discrete logarithm problem.

c) If $s=0$ then $g^m\equiv e_A^r\equiv g^{d_Ar}\mod p$ and so $m\equiv d_Ar\mod p-1$. From here I am stuck, since this is the only information I have, but I don't see how this enable us to construct a signatura without knowing $d_A$. Of course, we can solve $m\equiv d_Ar\mod p-1$, which will have $\gcd(r,p-1)$ solutions and then cheking which one is the correct $d_A$, but $\gcd(r,p-1)$ can be close to $p-1$ if we have bad luck, and that would mean that this proces is exponential time, and it is not better than solving the discrete logarithm.

If you can check wheter a) and b) are right and give me a hint on c) I will be very grateful.

Score:2
ng flag

The solution given to a is fine.


The attempted proof for b is wrong: it's possible that C “send $m$ and $(r,s)$ such that $g^m\equiv(e_A)^r\,r^s\pmod p$”.

One way to do so even if A made no use of $d_A$ beyond step 1: C chooses $r=s=(p-1)/2$, and computes $(e_A)^r\,r^s\bmod p$. That's either $p-1$ or $1$. C correspondingly chooses $m=(p-1)/2$ or $m=0$, and now has $m$ and $(r,s)$ that pass the verification of step 4. This is an existential forgery (there are others that lead to random-looking $m$). Some degree of relief against these can be obtained by requiring that in step 4, B accept only meaningful $m$ for some definition of meaningful. Or changing the verification equation to $g^{H(m)}\equiv(e_A)^r\,r^s\pmod p$.

But then, there's the issue that C can have captured an $m$ and $(r,s)$ prepared by A in a prior execution of step 3, and send that to B. This is a replay attack on the protocol outlined in b. One way to block these is to have B choose $m$ before each execution of step 3.

But then, C can relay to A whatever message C gets from B, and to B whatever message C gets from A. This is a relay attack on the protocol outlined in b. Solution to that one within the scope of the question are rather limited: deciding that's a non-issue, or hypothesizing that A is isolated from interactions between B and C.

If the question correctly transcribes the problem statement, the later is thus wrong! Should merely pointing it be considered risky, I suggest to rephrase the protocol outlined in b as: assume $m$ is chosen at random in $[0,p-1)$ by B before step 3, and A is not involved in the exchanges between B and C from that choice of $m$ to the completion of step 4. Prove that if C can pass the test of step 4 with non-zero probability, then C can find $d_A$ with same probability. I hope (not sure) there's a relatively simple solution to that reformulation.


Hint for c: First assume $(p-1)/2$ is prime (a common requirement to help make the DLP hard), and an eavesdropper gets hold of $m$ and $(r,s=0)$ passing the test of 4, and $m\not\equiv0\pmod{(p-1)/2}$. Prove that this eavesdropper can find $d_A$, then impersonate A.


Even if the problem statement originally does not, I recommend sticking to standard notation for$\bmod$:

  • $a\equiv b\pmod q$, entered as $a\equiv b\pmod q$, means that $q\ne0$ and $b-a$ is a multiple of $q$, with no bound for $a$. There is an opening parenthesis immediately before$\bmod$, implying it has no left operand. The$\bmod$and it's right operand qualify any earlier $\equiv$ sign. There can be several, as in $a\equiv b\equiv c\pmod q$.
  • $a=b\bmod q$ (entered as $a=b\bmod q$) means that $0\le a<q$ and $b-a$ is a multiple of $q$. In this expression$\bmod$is a two-arguments operator, applying to left operand $b$ and right operand $q$. There is no $\equiv$ sign, and no parenthesis immediately before$\bmod$. We could equivalently write $a=(b\bmod q)$, $(b\bmod q)=a$, or $b\bmod q=a$.
Marcos avatar
cn flag
Hmm, thanks for your solution, I'll ask my teacher about part b) because you are right and it must be wrong. For c) this is my attempt, if you can check it: Let $\frac{p-1}{2}$ be prime then $m\equiv d_Ar\pmod {p-1}$ which implies $m\equiv d_A\,r\pmod {\frac{p-1}{2}}$ and so, since $\gcd(r,p-1)\in\lbrace 1,\frac{p-1}{2},p-1\rbrace$ if we assume $m\neq 0\pmod{\frac{p-1}{2}}$ we have $\gcd(r,p-1)=1$ and we are done, since $r^{-1}m\equiv d_A\pmod{p-1}$
fgrieu avatar
ng flag
@Marcos: all looks fine to me.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.