Fall 2003

Chris Christensen

Class notes

The El Gamal Cryptosystem

In 1985, Tahir El Gamal published a public-key cryptosystem based upon
the discrete logarithm problem (("A public key cryptosystem and signature
scheme based upon discrete logarithms," IEEE Transactions on Information
Theory, vol. IT-31, 469 473). The algorithm is a bit more complicated
than RSA, but it can be more easily generalized.
Logarithms
A logarithm is an exponent. Another way of expressing that 2 raised to the
power 5 is 32
2 2 2 2 2 25 32
is that the logarithm of 32 to the base 2 is 5
log 2 32 5 .
The logarithm is the exponent 5.
It is relatively easy to raise numbers to powers; e.g.,
320 3 ... 3 3486784401 .
twenty factors

It is harder to find the logarithm; e.g., what is the base-2 logarithm of

8589934592?
2? 8589934592
For real numbers, we can play the "high-low" game. For example,
210 1024 . We need a larger exponent (i.e., a larger logarithm).
220 1048576 ; we still need a larger exponent. 230 1073741824 ; still
1

larger. 240 1099511627776 ; too large. 235 34359735368 ; still too large.
Finally, we see that 233 8589934592 . So, the base-2 logarithm of
8589934592 is 33.
The El Gamal cryptosystem and the Diffie-Hellman key exchange system
are based upon the difficulty of the discrete logarithm problem.
Discrete Logarithms
Discrete mathematics refers to working with number systems having the
property that every number is surrounded by a neighborhood that contains
no other number of the system.

1,

23, 31, 42 is discrete. There is, for example, no number of

the set between 1 and 23 or between 23 and 31. 23 is the only number
of the system in the neighborhood (1, 31).
In fact, any finite set is discrete.
The set of integers is discrete. There is, for example, no integer
between 1 and 0 or between 0 and 1. 0 is the only integer in the
neighborhood (-1, 1).
The set of real numbers is not discrete. Between any two real
numbers, there is another real number. Between 0 and 1 there are
infinitely many other real numbers. In the neighborhood (0, 1) there
are infinitely many real numbers. Such a number system is said to be
continuous.
The discrete logarithm problem refers to the problem of finding logarithms
modulo some integer. Recall that when we mod out by an integer n, we are
left with only finitely many integers a discrete set -- usually 0, 1, 2, n-1
(or 1, , n).

The Discrete Logarithm Problem

The discrete logarithm problem asks for a solution of something like this:
2? 9mod11 .
Just like multiplication modulo p, raising to powers modulo p scrambles the
results. For example, here are the powers of 2 modulo 11:
21 2mod11
22 4mod11
23 8mod11
24 5mod11
25 10mod11
26 9mod11
27 7 mod11
28 3mod11
29 6mod11
210 1mod11
So, the answer to our discrete logarithm problem is 6; 26 9mod11 .
Because the powers do not increase as the exponent does, we cannot play the
"high-low" game that we did before. There is no known algorithm for
computing discrete logarithms. Except in special cases, the only way to
determine a discrete logarithm is by trial and error. For, large values of p,
there are too many possibilities for brute force to be computationally
feasible.
Notice that in this example, the ten powers of the base 2 are representatives
of the ten nonzero equivalence classes modulo 11 1, 2, 3, 4, 5, 6, 7, 8, 9,
10. We describe this property by saying that 2 is a primitive element (or
primitive root). There is always at least one primitive element. Because all
ten of the nonzero integers modulo 11 occur as powers of 2, it could have
taken 10 trials to discover the logarithm.
There are tables of primitive elements for various moduli.

It is not absolutely essential that the element we pick for the base be
primitive; it is not necessary that all of the powers be distinct. However, if
there is too much repetition, the number of trials needed to determine the
logarithm would be cut considerably. For example, say we want to know
3? 5mod11 .
Computing the powers of 3 modulo 11 results in:
31 3mod11
32 9mod11
33 5mod11
34 4mod11
35 1mod11
36 3mod11
37 9mod11
38 5mod11
39 4mod11
310 1mod11
Notice that only five of the representatives modulo 11 occur 3, 9, 5, 4, 1.
And, each is repeated. When we try to solve 3? 5mod11 , we are twice as
likely to find the logarithm because there are only half as many possible
powers. Either 3 or 8 can be used as the logarithm of 5 for base 3 and
modulo 11.

El Gamal Encryption
To keep calculation to a level that can be done on a calculator, we will do an example
that uses an artificial plaintext.

We select for our prime p = 997, and we select a = 7 for our primitive
element.
Our plaintext message is m = 813. The message must be an integer mod p;
so, in our example, it must be one of 1, 2, , 996.
The receiver selects some positive integer n and calculates b a n mod p .
Say, n = 105; then b 7105 mod997 989 .
The public-key is p = 997, a = 7, and b = 989. The private-key is n = 105.
For large values of the prime p, the private-key cannot be easily determined
from the public-key.
The sender chooses a positive integer k and calculates y a k mod p and
z mb k mod p . Say, our sender selects k = 87.
y 787 mod997 849
z 813 98987 mod997 19
The ciphertext message sent by the sender to the receiver is y and z 849
and 19.

El Gamal Decryption
How does the receiver decrypt the message?
Recall that the receiver has some additional information the private-key n.
The sender "possesses" this information only buried in the number
b a n mod p . The sender cannot determine n without solving the discrete
logarithm problem b a ? mod p .
How can the receiver use n to decrypt the message?
Using the ciphertext and the private key, the receiver calculates zy n mod p .
zy n mod p mb k (a k ) n mod p m(ba n ) k mod p m(1) k mod p m
For our example,
y n 849105 mod997 (849105 ) 1 mod997 5581 mod997 620mod997
zy n 19 620mod997 813
which was the plaintext message.

Exercises
1a. 35 ?
1b. 27 ?
1c. 55 ?
2a. 2? 4096 .
2b. 3? 59049 .
2c. 5? 78125 .
3a. ?9 512 .
3b. ?8 6561 .
3c. ?6 60466176 .
4. Determine the following:
21 mod13 ?
22 mod13 ?
23 mod13 ?
24 mod13 ?
25 mod13 ?
26 mod13 ?
27 mod13 ?
28 mod13 ?
29 mod13 ?
210 mod13 ?
211 mod13 ?
212 mod13 ?
Is 2 a primitive element modulo 13?
5. Is 2 a primitive element modulo 7?
6. 2? 2147483648 . How many trials did it take to discover the logarithm?

7a. 2? mod59 9 . How many trials did it take to discover the logarithm?
7b. 2? mod59 37 . How many trials did it take to discover the logarithm?
7c. 2? mod59 41 . How many trials did it take to discover the logarithm?
8. Use the public-key p = 997, a = 7, and b = 989 to encrypt the message
712.
9. Use the public-key p = 997, a = 7, and b = 32 to encrypt the message 605.
Try to determine n.
10. The following was encrypted with the public-key p = 997, a = 7, and b =
989. The private key is n = 105. Decrypt the message y = 147 and z = 343.