ElGamal
===============

## Diffie-Hellman key distribution scheme

IN 1975, Diffie and Hellman introduced the concept of public key cryptography.

Suppose that $A$ and $B$ want to share a secret $K_{AB}$ , where A has a secret $x_A$ and $B$ has a secret $x_B$ . Let $p$ be a large prime and $\alpha$ be a **primitive element** mod $p$, both known. computes $y \equiv \alpha^{x_a} \mod p$ , and sends $y_A$ . Similarly, $B$ computes $y_B \equiv \alpha^{x_B} \mod p$ and sends $y_B$ . Then the secret $K_{AB}$ is computed as:

\begin{align}
K_{AB} &\equiv \alpha^{x_ax_B} \mod p\\
&\equiv y_A^{x_B} \mod p\\
&\equiv y_B^{x_A} \mod p
\end{align}

In any of the cryptographic systems based on discrete logarithms, p must be chosen such that $p - 1$ has at least one large prime factor. If $p - 1$ has only small prime factors, then computing discrete logarithms is easy

In [1]:
from klefki.numbers.primes import generate_prime
from klefki.types.algebra.meta import field
from klefki.types.algebra.utils import randfield
from math import gcd

In [2]:
p = generate_prime(32)
F = field(p)
mF = field(p-1)
G = F(generate_prime(32))

In [3]:
xa, xb = randfield(F).value, randfield(F).value
ya, yb = G ** xa, G ** xb
G ** (xa * xb) == ya ** xb == yb ** xa

True

## ElGamal signature scheme

Let m be a document to be signed, where $0 \le m \ge p - 1$. The public file still consists of the public key $y \equiv x \mod p$ for each user.

To sign a document, a user $A$ should be able to use the secret key $x_A$ to find a signature for $m$ in such a way that all users can verify the authenticity of the signature by using the public key $y_A$ (together with $\alpha$ and $p$), and no one can forge a signature without knowing the secret $x_A$ .

The signature for $m$ is the pair $(r, s), 0 \le r, s < p - 1$, chosen such that the equation

$$
\alpha^m \equiv y^r r^s \mod p
$$

is satisfied.

In [4]:
m = randfield(F).value
alpha = G
x = xa
y = ya

* The Signing Procedure

The signing procedure consists of the following three steps.

1) Choose a random number $k$, uniformly between $0$ and $p - 1$, such that $gcd(k, p - 1) = 1$.

2) Compute

$$
r \equiv \alpha^k \mod p\\
\alpha^m \equiv \alpha^{xr}\alpha^{ks} \mod p
$$

which can be solved for $s$ by using

$$
m \equiv xr + ks \mod (p-1)
$$

Above Equation as a solution for $s$ if $k$ is chosen such that $gcd(k, p - 1) = 1$.

In [5]:
k = generate_prime(32)
assert gcd(k, p-1) == 1

In [6]:
from klefki.numbers import invmod
r = (alpha ** k).value
s = ((mF(m) - mF(r) * mF(x)) * ~mF(k)).value


In [7]:
assert pow(alpha, m) ==  pow(alpha, (x * r + k * s))

* The Verification Procedure

Given $m, r$, an $s$, it is easy to verify the authenticity of the signature by computing both sides of $\alpha^m \equiv y^r r^s \mod p$ and checking that they are equal.

In [8]:
alpha ** m == y ** r * F(r) ** s

True

## ElGamal encryption over Cyclic Group

In [9]:
from klefki.types.algebra.concrete import EllipticCurveCyclicSubgroupSecp256k1 as Curve
from klefki.types.algebra.meta import field

### Key generation

The first party, Alice, generates a key pair as follows:

* Generate an efficient description of a cyclic group $G$, of order $q$  with generator $g$. Let $e$ represent the unit element of $G$.

* Choose an integer $x\leftarrow Z_q$

* Compute $h:=g^x$

* he public key consists of the values $( G , q , g , h )$. Alice publishes this public key and retains $x$ as her private key, which must be kept secret.

In [10]:
G = Curve.G
F = field(G.N, "N")
sk = randfield(F).value
H = G ** sk


### Encryption

A second party, Bob, encrypts a message $M$ to Alice under her public key $( G , q , g , h )$  as follows: 

* Map the message $M$ to an element $m$ of $G$ using a reversible mapping function.

* Choose an integer $y$ randomly from $\{ 1 , … , q − 1 \}$ 

* Compute $s := h^y$. This is called the shared secret.

* Compute $c_1 := g^y$

* Compute $c_2 := m \cdot s$

Bob sends the ciphertext $( c_1 , c_2 )$ to Alice.

$$
c=g^r, h^{mr}
$$

In [11]:
M = F(1235)

In [12]:
r = randfield(F).value
m = Curve.lift_x(G.x.functor(M))

c1 = G ** r
c2 = H ** r * m

(c1, c2)

(EllipticCurveCyclicSubgroupSecp256k1::(FiniteFieldSecp256k1::50695783910046893601666390337786619587659246921908112925672115372148138900665, FiniteFieldSecp256k1::114406174390362987978349124809309676386946546953753080812602069581418585244744),
 EllipticCurveCyclicSubgroupSecp256k1::(FiniteFieldSecp256k1::70974968352896830540264905238426315678617660882922307546609957308559565418409, FiniteFieldSecp256k1::13734995876652768244494860365199198012026770801308456782571082504898450404863))

### Decryption

Alice decrypts a ciphertext $c_1, c_2$ with her private key $sk$ as follows: 

* Compute $s := c_1^{x}$.

* Compute $s^{-1}$,  the inverse of $s$ in the group $G$.

* Compute $m:=c_2\cdot s^{-1}$



\begin{align}
m&=\frac{c_2}{c_1^x}=\frac{H^{rm}}{G^{xr}}=\frac{G^{xrm}}{G^{xr}}
\end{align}


In [13]:
m = (c2 - (c1 ** sk))

In [14]:
m.x == M

True

## Implentmentation in klefki

Addressed to the $RMF$(reversible mapping function), secret $s \in Z_{P1}$

In [24]:
from klefki.crypto.elgamal import ElGamal
from klefki.types.algebra.concrete import FiniteFieldCyclicSecp256k1 as F

In [33]:
M = F(31415926).value
x = randfield(F).value
el = ElGamal(x)
assert el.D(el.E(M)) == M

In [30]:
N = 271828182
assert el.D(el.E(N)) == N

## Ref:
    
   * T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Trans. Info. Theory, IT 31:469–472, 1985.
    
   * ElGamal encryption https://en.wikipedia.org/wiki/ElGamal_encryption
    
   * http://www.docsdrive.com/pdfs/ansinet/itj/2005/299-306.pdf