Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key - - PowerPoint PPT Presentation

Diffie-Hellman Key Exchange

Source: Wikipedia

ElGamal — Key Generator

• Generate primes p and q as well as an element g ∈ Z∗

p that generates

the subgroup Gq.

• Choose a random x from {0, . . . , q − 1}.
• Compute h = gx.
• Publish the public key

K = (Gq, q, g, h).

• Retain the private key K = x.

ElGamal — Encryption

Plaintext M, Public key K = (Gq, q, g, h)

• M is considered to be an element of G
• Choose a random y from {0, . . . , q − 1}, then calculate c1 = gy and

c2 = M · hy.

• The ciphertext is then C = (c1, c2).

ElGamal — Decryption

Ciphertext C = (c1, c2), Secret key K = x

• Compute M = c2 · c−x

1

where c−x

1

= (c1−1)

x is the xth exponent of the inverse of c1 in Gq.

Cramer-Shoup — Key Generator

• Generate primes p and q, and the subgroup Gq of Z∗
• p. Choose

randomly two generators g1 and g2 of Gq.

• Choose six random values (x1, x2, y1, y2, z1, z2) from

{0, . . . , q − 1}.

• Compute c = gx1

1 gx2 2 , d = gy1 1 gy2 2 , and h = gz1 1 gz2 2 .

• Publish the public key

K = (Gq, q, g1, g2, c, d, h).

• Retain the private key K = (x1, x2, y1, y2, z1, z2).

Cramer-Shoup — Encryption

Plaintext M, Public key K = (G, q, g1, g2, c, d, h)

• M is considered to be an element of G
• Choose a random k from {0, . . . , q − 1} then calculate:

– u1 = gk

1, u2 = gk 2

– e = hk · M – α = H(u1, u2, e), where H is the hash function – v = ck · dkα

• Ciphertext is C = (u1, u2, e, v).

Cramer-Shoup — Decryption

Ciphertext C = (u1, u2, e, v), Secret key K = (x1, x2, y1, y2, z1, z2)

• Compute α = H(u1, u2, e) and verify that

ux1

1 · ux2 2 · (uy1 1 · uy2 2 )α = v.

If this test fails, further decryption is aborted and the output is rejected.

• Otherwise, compute the plaintext as M = e · (uz1

1 uz2 2 )−1.