340 likes | 463 Views
Cryptosystems Based on Discrete Logarithms. Outline. [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm A trivial algorithm Shanks’ algorithm (Baby-step Giant-step) Pollard’s algorithm Pohlig-Hellman algorithm Adleman’s algorithm (the index calculus method)
E N D
Outline • [1] Discrete Logarithm Problem • [2] Algorithms for Discrete Logarithm • A trivial algorithm • Shanks’ algorithm (Baby-step Giant-step) • Pollard’s algorithm • Pohlig-Hellman algorithm • Adleman’s algorithm (the index calculus method) • [3] Cryptosystems Based on Discrete Logarithm • Key distribution • Encryption • Digital signature
[1] Discrete Logarithm Problem • Let G be a finite multiplicative group (G, *). For an element α G having order n, define. <α> = {αi | i = 0, 1, 2, …, n-1} Then <α> is a subgroup of G, and <α> is cyclic of order n. • Discrete logarithm problem
Discrete Logarithm Problem • Example 1G = Z*19 = { 1, 2, …, 18}n=18, generator g = 2then log214 = 7 log26 = 14
Discrete Logarithm Problem • Example 2 In Z*11 = { 1, 2, …, 10} Let G= <3> ={1, 3, 9, 5, 4}, n=5, 3 is not a generator of Z*11 but a generator of G.log35 = 3
Discrete Logarithm Problem • Example 3G=GF*(23) with irreducible poly. p(x) = x3 + x +1G=Zp*/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }n=7, generator g = xthen logx(x+1) = 3 logx(x2+x+1) = 5 logx(x2+1) = 6
Discrete Logarithm Problem • Example 4Let p =1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359 NB: p = 158(2800 + 25) + 1 and has 807 bits. • Find such that
[2] Algorithms for Discrete Logarithm • A trivial algorithm • Shanks’ algorithm (Baby-step giant-step) • Pollard rho discrete log algorithm • Pohlig-Hellman algorithm • The index calculus method
A trivial algorithm • Discrete Logarithm Problem in Zp*given generator α (i.e. <α>= Zp*) and β in Zp* , find a in Zp-1={0,1,…,p-2} s.t. β = αa mod p • A trivial algorithm • Compute αi and test if β = αi • Time complexity O(p)
Shanks’ algorithm • Shanks’ algorithm (Baby-step giant-step) (1972) • Compute L1 = {(i, αmi), i = 0, 1, …, m-1} L2 = {(i, βα-i), i = 0, 1, …, m-1} • where m = ceiling((p-1)½) Sort L1 and L2 with respect to the 2nd coordinate. • Find the same 2nd coordinate from L1 and L2, say, (q, αmq), (r, βα-r), to get αmq =βα-r. So β = αmq + r and a = mq+r. • Time complexity O(m log m) = O(p1/2 log p) • Space complexity O(p 1/2)
Example 1 log215 mod 19 =? G = Z*19 = { 1, 2, …, 18}α = 2, α-1 = 10, n = p-1 = 18, m = 5, αm = 13 β = 15 L1: (i, αmi) L2: (i, βα-i) (0, 1) (0, 15) (1, 13) (1, 17) q = 2 (2, 17) (2, 18) r = 1 (3, 12) (3, 9) mq + r = 11 (4, 4) (4, 14) log215 mod 19 = 11
Example 2 log3525 mod 809 =? G = Z*809 = { 1, 2, …, 808} = <3>α = 3, α-1 = 10, n = p-1 = 808, m = 29, αm = 99 β = 525 L1: (i, αmi) L2: (i, βα-i) (0, 1) (0, 525) (1, 99) (1, 175) (2, 93) (2, 328) (3, 308) (3, 379) (4, 559) (4, 396) (5, 329) (5, 132) (6, 211) (6, 44) (7, 664) (7, 554) (8, 207) (8, 724) (9, 268) (9, 511) (10, 644) (10, 440) (11, 654) (11, 686) (12, 26) (12, 768)
L1: (i, αmi) L2: (i, βα-i) (13, 147) (13, 256) (14, 800) (14, 355) (15, 727) (15, 388) (16, 781) (16, 399) (17, 464) (17, 133) (18, 632) (18, 314) (19, 275) (19, 644) (20, 528) (20, 754) (21, 496) (21, 521) (22, 564) (22, 713) (23, 15) (23,777) (24, 676) (24, 259) (25, 586) (25, 356) (26, 575) (26, 658) (27, 295) (27, 489) (28, 81) (28, 163) q = 10, r = 19, so mq + r = 29*10+19 mod 808 = 309 and log3525 mod 809 = 309
Pollard rho DL algorithm • Pollard rho discrete logarithm algorithm (1978)compute integers s and t such that • partition the group G into three roughly equal-sized set S1 , S2 and S3 . Let x0 = 1G and x0 is not in S2
We should expect some integer such that , then this gives with If then compute and we have , so that If little work to do... (Omitted)
Floyd’s cycle-finding algorithm: One starts with the pair (x1, x2), and iteratively computes (xi, x2i) from the previous (xi-1, x2i-2), until xm=x2m for some m. The expected running time of this method is O(n1/2).
Pollard’s rho algorithm for discrete logarithms • INPUT: a generator α of a cyclic group G of prime ordern, and β is an element of G • OUTPUT: 1. Set x0 1, a0 0, b0 0 2. For i = 1, 2, …. Do the following: 2.1 Use xi-1, ai-1, bi-1 to compute xi, ai, bi Use x2i-2, a2i-2, b2i-2 to compute x2i, a2i, b2i 2.2 if xi=x2i, then do the following set r bi – b2i if gcd(r,n) ≠1 then return ‘failure’ else return r-1(a2i-ai) mod n
Example:α= 2 is a generator of the subgroup G of Z383* of order n= 191.(in this case <α> = G ≠ Z383* ) Suppose β = 228. Find log2228. Solution: Partition G into 3 subsets, let
Solution (continued): From the table, we have x14 = x28 = 144. Finally compute r = a14-a28 mod 191=125 r-1 = 125-1 mod 191 = 136, and r-1(b28 - b14) mod 191 = 110. Hence, log2228 = 110.
Pohlig-Hellman algorithm • Pohlig-Hellman algorithm (1978) If <α> is of order n and β in <α> then a = logαβ is determined (uniquely) mod n. Eg. If <α> = Zp* (i.e. α is a generator of Zp*), then n = p-1 Let The idea of Pohlig-Hellman algorithm is that we can compute a mod picifor each i, then we compute a mod n by CRT (Chinese remainder theorem). (see Text for details)
The index calculus method • The index calculus method (Suitable only for G=Zp*)
Example log59451 mod 10007=? Choose B={2, 3, 5, 7}. Of course log55=1. Use lucky exponents 4063, 5136, and 9865 54063 mod 10007 = 42 = 2 * 3 * 7 55136 mod 10007 = 54 = 2 * 33 59865 mod 10007 = 189 = 33 * 7 And we have three congruences: log52 + log53 + log57 = 4063 mod 10006 log52 + 3 log53 = 5136 mod 10006 3 log53 + log57 = 9865 mod 10006
There happens to be a unique solution modulo 10006 • log52=6578, log53=6190, and log57=1301 • Choose random exponent s = 7736 and try to calculate • βαs = 9451*57736 mod 10007 = 8400 • Since 8400 = 24*3*52*7 factors over B, we obtain • log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006 • = (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006 • = 6057 mod 10006
[3] Cryptosystems based on DL • Key Distribution • Diffie-Hellman, 1976 • Encryption • Massey-Omura cryptosystem, 1983 • Digital Signature • ElGamal, 1985
Diffie-Hellman Key Exchange Algorithm • Global Public Elements • q : prime number • α: α< q and α is a primitive root of q • User A Key Generation • Select private XA : XA< q • Calculate public YA : YA= αXA mod q • User B Key Generation • Select private XB : XB< q • Calculate public YB : YB= αXB mod q • Generation of Secret Key by User A • K = (YB)XA mod q • Generation of Secret Key by User B • K = (YA)XB mod q
User A User B Generate random XA < q ; Calculate YA = αXA mod q Calculate K = (YB)XA mod q Generate random XB < q ; Calculate YB = αXB mod q Calculate K = (YA)XB mod q YA YB Diffie-Hellman Key Exchange
Massey-Omura for message transmission • Parameters • q : prime number • e : a random private integer • 0 < e< q and gcd ( e, q-1) = 1 • d : an inverse of e • d = e-1 mod q-1 , i.e., de≡1 mod q-1 • M : a message to be encrypted and decrypted • User A wants to send a message M to User B • User A : eA and dA are both private • User B : eB and dBare both private
User A User B 1.Encryption(1) C1 = M eA mod q 3.Encryption(3) C3 = C2dA = (M eAeB)dA = M eB mod q 2.Encryption(2) C2 = C1eB = M eAeB mod q 4. Decryption M = C3dB = M eBdBmod q C1 C2 C3 Massey-Omura for message transmission
ElGamal encryption scheme • Parameters • p : a large prime • α: a generator in Zp* • a : a private key, a [1, p-1] • c : a public key , β = αa(mod p) • m : a message, m [1, p-1] • k : a random integer that is privately selected, k [0, p-2] • K = (p, α, a, β) : public key + private key • Encryption eK(m, k)=(y1, y2) where y1= αkmodpand y2=mβkmod p • Decryption m = dK(y1, y2) = y2(y1a)-1 mod p
ElGamal signature scheme • 1985 ElGamal • Parameters • p : a large prime • α: a generator in Zp* • a : a private key, a [1, p-1] • β : a public key , β = αa(mod p) • m : a message to be signed , m [1, p-1] • k : a random integer that is privately selected, k [0, p-2] • Signature • r = αkmod p, where gcd( k, p-1 ) = 1 • m = ks + ra mod (p-1) • ( m , (r,s) ) is sent to the verifier • Verification • αm = rsβr mod p • The signature (r,s) is accepted when the equality holds true.