ElGamal Signature

1
ElGamal Signature
p prime, g generator of GZ/pZ, a secret
exponent, A ga mod p.
p, g, A public key, a secret key, h 0,1 ?
1,2,.. , p-1 hash function M message in 0,1
Signing (1) Generate a random number k in
1,2,..,p-2 (2) r gk mod p, s
k-1 (h(M) ar) mod p-1).
multi-exponentiation
Verification(1) Check 0 lt r lt p.
(2) Check Ar rs gh(M) mod p.
Correctness of the verification Ar rs gar
gkk-1(h(M)-ar) gh(M) mod p.
2
How to Compute g1d1g2d2
The straight-forward method for computing
g1d1g2d2 is 1. compute g1d1 in G 2.
compute g2d2 in G 3. compute g1d1g2d2 in G.
For k-bit d1, d2, we need 3k multiplications
using the binary method.
Question Howe can we improve the speed memory?
Shamirs trick, Interleave method, etc.
3
Shamirs trick
Input g1, g2 in G, d1, d2 in Z Output g1d1 g2d2
in G
Exponent recording stage nothing
Pre-computation stage 1.1 g12 ? g1g2 in G
Evaluation Stage X ? 1 For ik-1 to down
to 0 X ? X2 in G if d1i1 and
d2i0, then X ? Xg1 in G if d1i0 and
d2i1, then X ? Xg2 in G if d1i1
and d2i1, then X ? Xg12 in G Return X
Denote by dji the i-th bit of dj for j1,2 In
the pre-computation stage, we calculate g12
g1 g2 in G. In the evaluation stage, we do the
following calculation accumulator X is always
squared. g1, g2, or g12 is multiplied with X,
based on the bits d1i and d2i.
4
Some properties of Shamirs trick
Example of evaluation stage d1 51 1
1 0 0
1 1 d2
25 0 1 1
0 0 1
1 g12
g16g22 g112g26 g124g212
g150g224 g1
g13g21 g16g23
g125g212 g151g225
We pre-compute only one point, namely g1g2. The
average non-zero density of the non-zero digits
is 3/4.
1 multiplication in the pre-computation
stage. about (13/4)k 1.75k multiplications in
the evaluation stage.
5
Width-w Shamirs trick
We can combine the Shamirs trick with 2w-ary
method.
Example of width-2 version d1 51 0
3 0 0
0 3 d2
25 0 1 0
2 0 1
1 1
g16g22 g112g24 g124g212
g148g224
g13g21 g112g26
g151g225
In general we pre-compute g1ig2j for i,j
0,1,,2w-1 except (i,j)(0,0),(0,1),(1,0), (e.g.
22w-3 points) The average non-zero density of the
non-zero digits is 1/w-1/22w.
22w-3 multiplications in the pre-computation
stage. about (11/w1/22w)k multiplications in
the evaluation stage.
6
Interleave Method
We can combine width-w sliding window method with
multi-exponent algorithm.
Exponent recording stage convert d1i, d2i
to the width-w sliding window chain d1wi,
d2wi Pre-computation stage compute f1(m)
g1m, f2(m) g2m for m 0, 1, 3, 5, ..,
2w-1 Evaluation Stage X ? 1 For ik-1 to
down to 0 X ? X2 in G X ?
Xf1(d1wi) in G X ? Xf2(d2wi) in G
Return X
Input g1, g2 in G, d1, d2 in Z Output g1d1 g2d2
in G
In the exponent recording stage, exponent d1, d2
are converted to the width-w sliding window
chain. The pre-computation stage is same as
width-w SW method for each basis g1,g2. In the
evaluation stage, squaring X2 is always
computed, pre-computed value fj(djwi) is
multiplied separately for j1,2.
7
Some Properties of Interleave Method
Example of interleave method using width-2 SW
method d1 51 0 3
0 0 0
3 d2 25 0
0 3 0
0 1
1 1 g16
g112g26 g124g212 g148g224
g13

g151g224


g16g23
g151g225
In general we pre-compute g1i and g 2j for i,j
3,5,,2w-1. (e.g. 2w-2 points) The average
non-zero density required for the multiplication
is 2/(w1).
2w-2 multiplications in the pre-computation
stage. about (12/(w1))k multiplications in the
evaluation stage.
8
Comparison

Efficiency Additional Memory
Targets Binary method 3.0
k ----- general
purpose Shamirs trick 1.75 k
1 point general
purpose? 2w-ary Shamir (w2) 1.438 k
13 points no memory constraint
2w-ary Shamir (w3) 1.318 k 61
points no memory
constraint Interleave SW (w2) 1.667 k
2 points no memory
constraint Interleave SW (w3) 1.5 k
6 points no memory constraint
Interleave SW (w4) 1.4 k 14
points no memory constraint
9
Lim-Lee Method
Lim-Lee algorithm can efficiently compute
exponentiation gd for fixed base g.
d dk-12k-1 dk-22k-2 d121 d020
is the binary representation of d.
Let m k/2 for even k and m(k-1)/2 for odd k.
Integer d is converted as follows d 2m
(fm-1 2m-1 fm-2 2m-2 f1 21 f0
20) (em-1 2m-1 em-2 2m-2
e1 21 e0 20) 2m f e, where
ei di and fi dim for i
0,1,2,,m-2, and em-10 for odd k.
gd g2m (fm-1 2m-1 f0 20) (em-1
2m-1 e0 20) (g2m) fm-1 2m-1
f0 20 g (em-1 2m-1 e0 20)
hf ge, where h g2m.
If we pre-compute h in off-line, then gd is
calculated by the multi-exponent algorithm.
10
Lim-Lee Method
Exponent recording stage nothing Pre-computatio
n stage mk/2 for even k, m(k-1)/2 for odd k
compute h g2m, v hg Evaluation Stage X ?
1, For im-1 to down to 0 X ? X2 in
G If di1, dim0 then X ? Xg in G
If di0, dim1 then X ? Xh in G
If di1, dim1 then X ? Xv in G Return X
Input g, in G, k-bit d in Z Output gd in G (We
assume that k is odd)
In the pre-computation stage, h g2m, v hg
are calculated. (This computation should be
off-line) In the evaluation stage, the Shamirs
trick is used for computing hf ge, where f,e is
the upper/lower part of d.
11
Properties of Lim-Lee Method
Assume k10 (m5), then we pre-compute h g25
g32 and v g33 in G in off-line.
d 749 129 028 127 126 125 024
123 122 021 120.
gd hf ge h(124 023 122 121 120)
g (024 123 122 021 120).
Example of evaluation stage f 1
0 1
1 1 e
0 1 1
0 1
1 g64 g130
g326 g716
g32 g65
g163 g358 g749

two additional pre-computed points in off-line.
about (13/4)k/2 0.875k multiplications in the
evaluation stage.
12
Some Generalizations

• Multi-exponent algorithm with many bases
• e.g. g1d1 g2d2gjdj (jgt2).
• - Interleave method with many bases
• - Lim-Lee method with many bases
• - Joint sparse form
• Radix-r representation (rgt2)
• e.g. d dk-1 rk-1 d1 r1
  d0r0, 0ltdiltr.
• - construction of window methods (analogue to
  binary)

13
Some Unsigned Addition Chains trade-off
efficiency memory

Efficiency Additional Memory
Targets Binary method 1.5 k
---- general
purpose 2k-ary method (w2) 1.375 k 2
points no memory constraint
2k-ary method (w3) 1.292 k 6 points
no memory constraint Sliding
window (w2) 1.333 k 1 points
no memory constraint Sliding window (w3)
1.25 k 3 points no
memory constraint Lim-Lee (w2)
0.875 k 2 points (off-line) fixed
base Walter method 1.25 k
1 register small fixed exponent