6/10/2014
ElGamal Zero Knowledge Proofs | What's This Do?
ElGamal Zero Knowledge Proofs
Welcome to my first ever crypto-nerd post! I’ll be going through the topic of ElGamal cryptography and some of the more advanced protocols which are derived from its properties.

Groups
But first, some theory! A group is defined by a set of elements (things) and a binary operation (like addition or multiplication). When you take two elements in the set and apply the operation to them, the result has the following properties:
Closure: The result of the operation is also an element of the set.
Associativity: .
Identity: There is some element that, when combined with another element of the set with respect to the group’s operation, leaves the other element unchanged. For example, for any integer . Here, the identity is . Another example is the identity matrix, often denoted , for a square matrix.
Invertibility: For every element in the set, there exists an element such that , where is the identity.

A classic example of a group is the set of all integers under addition. Note that any integer added to another integer also gives an integer, so the set of all integers is closed under addition. Secondly, we know that integer addition is associative. For addition of integers, we have an identity element, ; for any integer . Finally, we can see that for any integer , we have the inverse element , which allows us to correctly express invertibility as , remembering is the identity for this group.
Note that the set of integers under multiplication does not form a group. This is because the definition fails for invertibility; the multiplicative inverse of many values is not an integer. This problem is solved, thanks to Galois, by operating on a set of integers modulo a prime (see the post Finite Field).

For ElGamal encryption, we talk about the cyclic group of order . That is, there is a group which has elements in it, and each of these elements can be calculated as a power of another element, . We call a generator of the group. In particular, we’re interested in groups of integers where the operation is multiplication modulo a prime; for example, the group generated by taking powers of and modulo . Specifically, we find where (the notation means ).
Exponent   Result
1          2
2          4
3          8
4          5
5          10
6          9
7          7
8          3
9          6
10         1
Notice how the entire set is generated by ? It can be demonstrated clearly that the results in the right column form a cyclic group.
Discrete Logarithms
If you don’t know about logarithms, then put a pause on reading this post and go and read this one first. Similar to the traditional logarithm, a discrete logarithm is an integer which solves the equation when operating in some group (like ) of which and are members. The interesting thing about discrete logarithms is that they’re believed to be hard to compute. At the time of this writing, there is no known way of calculating a discrete logarithm in a feasibly efficient way without a quantum computer (if anyone has one stashed away somewhere, our modern cryptosystems are kaput.) However, the exponentiation is quite simple to compute, and there are well-known algorithms for doing these computations. So, in theory, the encryption step is easy, but decryption without knowledge of the private key is computationally infeasible.
ElGamal Encryption
The ElGamal cryptosystem is an asymmetric encryption system, similar to the more widely-known RSA. The security of ElGamal is based on the previously-mentioned difficulty of computing discrete logarithms. To construct an ElGamal cryptosystem, you have to generate a public/private key pair. The public key is made available to anyone who wants to encrypt a message. The private key is kept secret, and is used to do decryption. While the formal ElGamal description is more general in that it works for any kind of cyclic group (with caveats), the following is a flexible and reasonably efficient way of setting up keys for doing ElGamal cryptography. It operates on a multiplicative subgroup of where is a large prime number. This kind of group is useful, because a subgroup of of order (referred to as ) where is prime will always be closed under multiplication, which is what we need.
Choose a safe prime
To begin with, all interested parties agree on a large safe prime number (probably around 1024 bits although it’s not uncommon for it to be a lot larger than that). A safe prime is a prime number such that is also prime. It is now trivial to find a generator .
Find a generator
To find a generator for , choose a random element . The order of is , and the order of all elements in the subgroup divides the group order. Now set . If then is a generator of of order , otherwise it is of order . This is a special property when working modulo a safe prime. So if then the group generated by is and a generator we’re looking for.
Choose a private key
Now choose a random integer . This is the private key and should be kept secret.
Finalise the public key
Compute the value . The public key can now be distributed. In practice, you can omit either or , because one can be calculated from the other.
Encryption
Encryption is performed, as mentioned earlier, by anyone with the public key. To encrypt a plaintext message , select a random element and compute the ciphertext .
Decryption
Decryption is possible through knowledge of the private key by computing . If you take a look at the algebraic expansion of it is now clear that can just be divided by this value in order to produce . So, more succinctly, to decrypt , compute: .
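The cyclic group table and the key setup, encryption and decryption steps above, as an added Python example (not code from the original post). It assumes a safe prime p = 2q + 1 supplied by the caller (the constructed toy value 107 = 2·53 + 1 appears in the comments; real keys need a prime of 1024 bits or more) and that plaintexts are encoded as elements of the order-q subgroup, which the post does not cover.

```python
import secrets


def cyclic_subgroup(g, p):
    """Successive powers g^1, g^2, ... mod p until the identity 1 reappears.
    cyclic_subgroup(2, 11) reproduces the right-hand column of the table."""
    elems, v = [], g
    while True:
        elems.append(v)
        if v == 1:
            return elems
        v = v * g % p


def find_generator(p):
    """p is assumed to be a safe prime 2q + 1 (e.g. the toy value 107).
    Squaring a random h lands in the order-q subgroup; any square other
    than 1 generates the whole subgroup because q is prime."""
    while True:
        h = 2 + secrets.randbelow(p - 3)      # random h in [2, p - 2]
        g = pow(h, 2, p)
        if g != 1:
            return g


def keygen(p):
    """Returns ((p, q, g, y), x): the public key and the private exponent x."""
    q = (p - 1) // 2
    g = find_generator(p)
    x = 1 + secrets.randbelow(q - 1)          # private key x in [1, q - 1]
    y = pow(g, x, p)                          # y = g^x mod p
    return (p, q, g, y), x


def in_subgroup(pub, m):
    """Plaintexts must be subgroup elements, i.e. m^q == 1 mod p.
    Callers can encode a value v as the square v^2 mod p to satisfy this."""
    p, q, _, _ = pub
    return 0 < m < p and pow(m, q, p) == 1


def encrypt(pub, m, r=None):
    """ElGamal encryption (a, b) = (g^r, m * y^r) with fresh randomness r."""
    p, q, g, y = pub
    if r is None:
        r = 1 + secrets.randbelow(q - 1)
    return pow(g, r, p), m * pow(y, r, p) % p


def decrypt(pub, x, ct):
    """a^x = g^(rx) = y^r, so dividing b by it recovers m (needs Python >= 3.8)."""
    p, _, _, _ = pub
    a, b = ct
    shared = pow(a, x, p)
    return b * pow(shared, -1, p) % p
```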
ElGamal is Homomorphic
By this, I mean that for two ElGamal encryptions and we have the equality . You can see this more clearly by expanding: Because is just another random integer, the above construction is a valid encryption of .
Building on ElGamal

Schnorr Identification
A similar crypto protocol which can make use of the ElGamal keys already constructed is Schnorr Identification. In general, the Schnorr identification protocol, given a generator of , a private key and the value , allows for one party known as the prover to prove to another party, the verifier, that they possess the private key without having to reveal any information about (we call this a Zero Knowledge, or ZK proof). The protocol works as follows:
The prover selects a random element .
The prover outputs a “commitment” to the proof by computing and sending it to the verifier.
The verifier generates a random challenge and sends it to the prover.
The prover calculates and sends this value back to the verifier.
The verifier now checks that .
To see how this works, expand it out:
Plaintext Equivalence Proof
The plaintext equivalence proof, or PEP, leverages the Schnorr protocol to allow the prover to convince a verifier that two ElGamal ciphertexts are encryptions of the same plaintext value without having to reveal any information about the plaintext. Consider the ElGamal encryption . The ciphertext can be reencrypted by exploiting the aforementioned homomorphic property of ElGamal. To reencrypt, select a new random value and calculate the new ciphertext . The value is the reencryption exponent. Algebraically, you can see that and . Therefore is a valid ElGamal encryption of the value .
Both the prover and the verifier now construct a Schnorr public key. The verifier selects a random value as an initial challenge to the prover. The prover calculates . The verifier calculates . Both parties calculate the Schnorr public key . Schnorr identification is carried out, with being the private key.
I’ll omit the expansion here; it’s a bit verbose.
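Schnorr identification, homomorphic reencryption and the plaintext equivalence proof above, as an added Python example rather than the post's own code. Because the post's formulas did not survive extraction, it assumes the standard Schnorr form (response s = t + c·x mod q, check g^s = commitment · y^c) and the Millimix-style PEP in which both parties derive a Schnorr generator g^z·y and a public key from the ratio of the two ciphertexts; the group parameters p = 107, q = 53, g = 4 are constructed toy values.

```python
import secrets

# Constructed toy parameters (assumption, not from the post): safe prime p = 2q + 1,
# g = 2^2 mod p generates the order-q subgroup. Real deployments use p of 1024+ bits.
P, Q, G = 107, 53, 4


def encrypt(y, m, r):
    """ElGamal encryption of subgroup element m under public key y with exponent r."""
    return pow(G, r, P), m * pow(y, r, P) % P


def reencrypt(y, ct, r_prime):
    """Multiply ct by an encryption of 1 (the homomorphic property);
    r_prime is the reencryption exponent and becomes the PEP private key."""
    a, b = ct
    return a * pow(G, r_prime, P) % P, b * pow(y, r_prime, P) % P


def schnorr_identify(gen, pub, x):
    """One honest round of Schnorr identification for pub = gen^x.
    Returns the verifier's verdict; nothing about x is sent across."""
    t = secrets.randbelow(Q)                   # prover: random exponent
    commitment = pow(gen, t, P)                # prover -> verifier: gen^t
    c = 1 + secrets.randbelow(Q - 1)           # verifier -> prover: non-zero challenge
    s = (t + c * x) % Q                        # prover -> verifier: response
    return pow(gen, s, P) == commitment * pow(pub, c, P) % P


def plaintext_equivalence_proof(y, ct1, ct2, r_prime):
    """Millimix-style PEP (assumed form). The prover knows r_prime with
    ct2 == reencrypt(y, ct1, r_prime); the verifier sees only y, ct1, ct2."""
    (a1, b1), (a2, b2) = ct1, ct2
    z = 1 + secrets.randbelow(Q - 1)           # verifier's initial challenge
    gen = pow(G, z, P) * y % P                 # Schnorr generator g^z * y
    ratio_a = a2 * pow(a1, -1, P) % P          # g^r_prime when ct2 reencrypts ct1
    ratio_b = b2 * pow(b1, -1, P) % P          # y^r_prime (times m2/m1 otherwise)
    pub = pow(ratio_a, z, P) * ratio_b % P     # equals gen^r_prime only if plaintexts match
    return schnorr_identify(gen, pub, r_prime)
```

With a non-zero challenge and prime q, a ciphertext pair with differing plaintexts is rejected every time, not just with high probability.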
Disjunctive Schnorr and DISPEP
There are further protocols that build on the ones I’ve shown you here. The next step is the Disjunctive Schnorr Identification protocol which allows, for two public keys and , a proof that the private key for one of these public keys is known without revealing the private key and without revealing which public key it corresponds with. An extension of PEP, known as DISPEP, utilises the Disjunctive Schnorr Identification protocol. It allows the prover to show, for an ElGamal ciphertext and two other ciphertexts and , that one of the latter ciphertexts is a reencryption of the first ciphertext, without revealing which one.

Useful Links
El Gamal on Wikipedia.
Lecture notes from NYU Polytechnic University.
Millimix, with a description of PEP and DISPEP.
A handy StackExchange reference.
Wikipedia section on Schnorr Identification.