Discrete Logarithm Cryptosystems. Department of Computer Science, National Chiao Tung University. 陳榮傑
Outline
• Discrete Logarithm Problem
• DL Algorithms
  • A trivial algorithm
  • Shanks' algorithm
  • Pollard's algorithm
  • Pohlig-Hellman algorithm
  • Adleman's algorithm (the index calculus method)
• Cryptosystems based on DL
  • Key distribution
  • Encryption
  • Digital signature
Discrete Logarithm Problem
• Let G be a finite cyclic group of order n generated by g, i.e. G = <g> = {g^i | i = 1, 2, ..., n} = {g^i | i = 0, 1, ..., n-1}
• Given g and i, computing g^i is easy: repeated squaring needs only O(log i) group multiplications
• Discrete logarithm problem: given a in G, find x (0 <= x < n) such that g^x = a. We denote x = log_g a.
• Every cryptosystem in this deck relies on this asymmetry: exponentiation is cheap, while recovering the exponent must be infeasible in the chosen group.
Discrete Logarithm Problem
• Example 1: G = Z*_19 = {1, 2, ..., 18}, n = 18, generator g = 2. Then log_2 14 = 7 (2^7 = 128 = 14 mod 19) and log_2 6 = 14 (2^14 = 6 mod 19).
Discrete Logarithm Problem
• Example 2: G = GF(2^3)* with irreducible polynomial p(x) = x^3 + x + 1, i.e. G = (Z_2[x]/(p(x)))* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x. Then log_x(x+1) = 3 (since x^3 = x + 1), log_x(x^2+x+1) = 5 and log_x(x^2+1) = 6.
DL Algorithms
• A trivial algorithm
• Shanks' algorithm
• Pollard rho discrete log algorithm
• Pohlig-Hellman algorithm
• The index calculus method
Algorithms for Discrete Logarithm
• Discrete Logarithm Problem in Z*_p: given a generator g and a in Z*_p, find x in Z_{p-1} such that a = g^x mod p
• A trivial algorithm
  • Compute g^i mod p for all i = 0, 1, ..., p-2
  • Search the table for a
  • Time complexity O(p) (and O(p) space if the whole table is kept)
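The two examples from the previous slides (Z*_19 with g = 2, and GF(2^3)* with p(x) = x^3 + x + 1 and g = x), worked by the trivial algorithm above. This is an added example, not code from the slides; the GF(2^n) multiplication on bit masks and the table/lookup helpers are this example's own, and the element encoding (bit i = coefficient of x^i) is an assumption.

```python
"""Added example: the power table ("trivial algorithm") for Z_19^* with g = 2
and for GF(2^3)^* with p(x) = x^3 + x + 1 and g = x."""


def gf2n_mul(a, b, poly, n):
    """Multiply a, b in GF(2^n).  Elements are bit masks (bit i = coefficient of x^i);
    poly is the reduction polynomial with its degree-n bit set, e.g. 0b1011 = x^3+x+1."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a            # add (xor) the current multiple of a
        b >>= 1
        a <<= 1               # multiply a by x ...
        if (a >> n) & 1:
            a ^= poly         # ... and reduce as soon as the degree reaches n
    return r


def power_table(mul, one, g, n):
    """[g^0, g^1, ..., g^(n-1)] by repeated multiplication; n is the group order."""
    table = [one]
    for _ in range(n - 1):
        table.append(mul(table[-1], g))
    return table


def trivial_log(table, a):
    """log_g a by linear search of the table: O(n) time on top of O(n) space."""
    return table.index(a)


def poly_str(mask):
    """Pretty-print a GF(2^n) element, e.g. 0b111 -> 'x^2+x+1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(mask.bit_length() - 1, -1, -1) if (mask >> i) & 1]
    return "+".join(terms) or "0"


# Example 1: Z_19^*, g = 2, order 18
Z19 = power_table(lambda a, b: a * b % 19, 1, 2, 18)

# Example 2: GF(2^3)^*, reduction polynomial x^3 + x + 1, g = x = 0b010, order 7
GF8_POLY = 0b1011
GF8 = power_table(lambda a, b: gf2n_mul(a, b, GF8_POLY, 3), 1, 0b010, 7)


if __name__ == "__main__":
    print("Z_19^*:", Z19)
    print("log_2 14 =", trivial_log(Z19, 14), " log_2 6 =", trivial_log(Z19, 6))
    print("GF(2^3)^*:", [poly_str(e) for e in GF8])
    for e in (0b011, 0b111, 0b101):
        print(f"log_x({poly_str(e)}) =", trivial_log(GF8, e))
```

The table for GF(2^3)* comes out as [1, x, x^2, x+1, x^2+x, x^2+x+1, x^2+1], which is exactly the sequence of powers used in Example 2; the same two helpers serve any cyclic group once a multiplication is supplied.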
Algorithms for Discrete Logarithm
• Shanks' algorithm (1972), also known as baby-step giant-step
  • Let m = ceil((p-1)^(1/2)) and compute
    L1 = {(i, g^(m i)) : i = 0, 1, ..., m-1}
    L2 = {(i, a g^(-i)) : i = 0, 1, ..., m-1}
  • Sort L1 and L2 with respect to the 2nd coordinate.
  • Find a common 2nd coordinate in L1 and L2, say (q, g^(m q)) and (r, a g^(-r)), so that g^(m q) = a g^(-r). Then a = g^(m q + r) and x = m q + r. A match always exists, because every x in [0, p-2] can be written as m q + r with 0 <= q, r < m.
  • Time complexity O(m log m) = O(p^(1/2) log p)
  • Space complexity O(p^(1/2))
Algorithms for Discrete Logarithm
Example: log_2 15 mod 19 = ?
G = Z*_19 = {1, 2, ..., 18}, g = 2, g^(-1) = 10, n = p-1 = 18, m = 5, g^m = 2^5 mod 19 = 13, a = 15

  i | L1: (i, g^(m i)) | L2: (i, a g^(-i))
  0 | (0, 1)           | (0, 15)
  1 | (1, 13)          | (1, 17)
  2 | (2, 17)          | (2, 18)
  3 | (3, 12)          | (3, 9)
  4 | (4, 4)           | (4, 14)

The value 17 appears as (2, 17) in L1 and (1, 17) in L2, so q = 2, r = 1 and x = m q + r = 5 · 2 + 1 = 11. Check: 2^11 = 2048 = 15 mod 19. Hence log_2 15 mod 19 = 11.
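Shanks' algorithm as a general routine for Z*_p, reproducing the two lists of the example above. This is an added example, not code from the slides; it stores L1 in a hash table instead of sorting both lists (same O(sqrt n) cost, simpler code), and takes the order n of g as an optional argument so it also works for non-generators.

```python
"""Added example: Shanks' baby-step giant-step for log_g a in Z_p^*."""
from math import isqrt


def bsgs(g, a, p, n=None):
    """Return x in [0, n) with g^x = a (mod p), or None.  n is the order of g
    (p - 1 when g is a primitive root).  O(sqrt(n)) time and space."""
    n = p - 1 if n is None else n
    m = isqrt(n - 1) + 1                      # ceil(sqrt(n)), so m*m >= n
    # L1 = {(q, g^(m q))}, kept as a dict keyed by the group element
    gm = pow(g, m, p)
    table, v = {}, 1
    for q in range(m):
        table.setdefault(v, q)                # keep the smallest q for a repeated value
        v = v * gm % p
    # L2 = {(r, a g^(-r))}: walk it and look each value up in L1
    g_inv = pow(g, -1, p)                     # needs Python 3.8+
    w = a % p
    for r in range(m):
        if w in table:
            return (table[w] * m + r) % n     # g^(m q) = a g^(-r)  =>  a = g^(m q + r)
        w = w * g_inv % p
    return None


def shanks_tables(g, a, p):
    """The slide's lists L1 = [(i, g^(m i))], L2 = [(i, a g^(-i))] plus the solution."""
    n = p - 1
    m = isqrt(n - 1) + 1
    gm, g_inv = pow(g, m, p), pow(g, -1, p)
    L1 = [(i, pow(gm, i, p)) for i in range(m)]
    L2 = [(i, a * pow(g_inv, i, p) % p) for i in range(m)]
    return L1, L2, bsgs(g, a, p)


if __name__ == "__main__":
    L1, L2, x = shanks_tables(2, 15, 19)
    print("L1 =", L1)
    print("L2 =", L2)
    print("log_2 15 mod 19 =", x)
```

For a 30-bit prime the table holds about 2^15 entries, which is why the method is the workhorse inside Pohlig-Hellman for subgroups of moderate size, but useless against a 2048-bit group with a large prime-order subgroup.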
Algorithms for Discrete Logarithm
• Pollard rho discrete logarithm algorithm (1978): compute integers s and t such that
• Partition the group G into three roughly equal-sized sets S1, S2 and S3. Let x0 = 1_G, with x0 not in S2 (squaring 1_G would never leave it).
Algorithms for Discrete Logarithm
where n = p-1 when G = Z*_p
Algorithms for Discrete Logarithm
• We expect some integer such that , which gives with . If , compute u such that , and we have , so that . If , a little more work is needed ... (Omitted)
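Pollard's rho for Z*_p with Floyd's cycle finding, covering the case the slide omits (a collision whose exponent difference is not invertible mod n). This is an added example, not the slide's own update rule: the partition S1/S2/S3 by x mod 3, the random starting point and the retry limit are this example's choices.

```python
"""Added example: Pollard's rho for log_g a in Z_p^* (g of order n).
Each walk element is kept as x = g^s a^t; a collision x_i = x_{2i} with
different (s, t) gives a^(t - T) = g^(S - s), i.e. a linear equation for log_g a."""
from math import gcd
from random import Random


def pollard_rho_log(g, a, p, n, rng=Random(2024), max_restarts=50, max_candidates=1000):
    """Return x in [0, n) with g^x = a (mod p), or None if every restart failed."""

    def step(x, s, t):
        if x % 3 == 1:                          # S1: multiply by a
            return x * a % p, s, (t + 1) % n
        if x % 3 == 0:                          # S2: square
            return x * x % p, 2 * s % n, 2 * t % n
        return x * g % p, (s + 1) % n, t        # S3: multiply by g

    for _ in range(max_restarts):
        # random start x0 = g^s0 a^t0 (the slide starts at 1_G; a random start lets a
        # failed run be retried with a different walk)
        s, t = rng.randrange(n), rng.randrange(n)
        x = pow(g, s, p) * pow(a, t, p) % p
        X, S, T = x, s, t
        while True:                             # tortoise one step, hare two steps
            x, s, t = step(x, s, t)
            X, S, T = step(*step(X, S, T))
            if x == X:
                break
        # g^s a^t = g^S a^T  =>  x (t - T) = S - s (mod n) for x = log_g a
        dt, ds = (t - T) % n, (S - s) % n
        d = gcd(dt, n)
        if dt == 0 or ds % d or d > max_candidates:
            continue                            # useless collision: restart
        base = ds // d * pow(dt // d, -1, n // d) % (n // d)
        # the "little work" case: d candidates base + i n/d, test each against a
        for i in range(d):
            cand = base + i * (n // d)
            if pow(g, cand, p) == a:
                return cand
    return None


if __name__ == "__main__":
    print("log_2 15 mod 19 =", pollard_rho_log(2, 15, 19, 18))
```

The expected running time is about sqrt(pi n / 2) group operations with constant memory, so rho beats Shanks as soon as the table no longer fits; it is the method of choice against generic prime-order groups, which is why elliptic-curve group sizes are set at twice the desired security level.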
Algorithms for Discrete Logarithm
• Pohlig-Hellman algorithm (1978) (DLP: find m such that α^m = c mod q). Suitable when q-1 has only small prime divisors. Assume m is the discrete logarithm of c (i.e. c = α^m).
• Base case: if q-1 = 2^n, then because α^(q-1) = 1 we have .... So we can compute m one bit at a time.
Algorithms for Discrete Logarithm
• General case: factor q-1 = ∏ p_i^(n_i) and let m(i) = m (mod p_i^(n_i)); the Chinese Remainder Theorem then recovers m from the m(i). How to compute m(i)? (similar to the base case, see next page)
Algorithms for Discrete Logarithm
Let ..., then ..... So we can compute m(i) and then apply the CRT to get m.
• Time complexity: O((log_2 q)^2) when all prime factors of q-1 are small, plus the cost of factoring q-1. This is why p-1 must have a large prime factor for any DL-based system in Z*_p, and why DSA fixes a large prime q | p-1 explicitly.
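Pohlig-Hellman worked in code, including the base case q-1 = 2^n (q = 65537) and the slide's Z*_19 example. This is an added example, not code from the slides: the factorization of q-1 is passed in (factoring is outside the algorithm, as the slide notes), each prime-power exponent m(i) is found digit by digit, the subgroup logs use a few-line brute force because the primes are small, and the CRT is Garner's incremental form.

```python
"""Added example: Pohlig-Hellman for log_alpha c in Z_q^*, given the factorization of q - 1."""


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i (incremental Garner form)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mi) % mi)     # pow(.., -1, ..) needs Python 3.8+
        m *= mi
    return x % m


def subgroup_log(gamma, h, q, r):
    """Brute force in the subgroup of prime order r: d in [0, r) with gamma^d = h (mod q)."""
    v = 1
    for d in range(r):
        if v == h:
            return d
        v = v * gamma % q
    raise ValueError("h is not in the subgroup generated by gamma")


def pohlig_hellman(alpha, c, q, factors):
    """log_alpha c in Z_q^*; factors = {r: e} with q - 1 = prod r^e."""
    n = q - 1
    residues, moduli = [], []
    for r, e in factors.items():
        re = r ** e
        alpha_i = pow(alpha, n // re, q)       # generator of the subgroup of order r^e
        c_i = pow(c, n // re, q)               # equals alpha_i^(m mod r^e)
        gamma = pow(alpha, n // r, q)          # generator of the subgroup of order r
        m_i = 0                                # m(i) = d_0 + d_1 r + ... + d_{e-1} r^{e-1}
        for j in range(e):
            # strip the digits found so far, then project into the order-r subgroup:
            # (c_i alpha_i^(-m_i))^(r^(e-1-j)) = gamma^(d_j)
            target = pow(c_i * pow(alpha_i, -m_i, q) % q, r ** (e - 1 - j), q)
            m_i += subgroup_log(gamma, target, q, r) * r ** j
        residues.append(m_i)
        moduli.append(re)
    return crt(residues, moduli)


if __name__ == "__main__":
    print("log_2 15 mod 19 =", pohlig_hellman(2, 15, 19, {2: 1, 3: 2}))
    print("base case, q-1 = 2^16:", pohlig_hellman(3, pow(3, 31337, 65537), 65537, {2: 16}))
```

With q = 65537 the whole computation is 16 digit extractions in a subgroup of order 2, which is the base case of the slide; a prime whose q-1 is this smooth offers no DL security at all, whatever its size.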
Algorithms for Discrete Logarithm
• The index calculus method (presented here for G = Z*_p; it needs a notion of "smooth" group elements, so it also applies to GF(2^n)* but not to generic groups such as elliptic curves)
Algorithms for Discrete Logarithm
• Example: log_5 9451 mod 10007 = ?
Choose the factor base B = {2, 3, 5, 7}. Of course log_5 5 = 1.
The lucky exponents 4063, 5136 and 9865 give B-smooth values:
  5^4063 mod 10007 = 42 = 2 · 3 · 7
  5^5136 mod 10007 = 54 = 2 · 3^3
  5^9865 mod 10007 = 189 = 3^3 · 7
And we have three congruences:
  log_5 2 + log_5 3 + log_5 7 = 4063 mod 10006
  log_5 2 + 3 log_5 3 = 5136 mod 10006
  3 log_5 3 + log_5 7 = 9865 mod 10006
Algorithms for Discrete Logarithm
• There happens to be a unique solution modulo 10006:
  log_5 2 = 6578, log_5 3 = 6190 and log_5 7 = 1301
• Choose a random exponent s = 7736 and compute
  a g^s = 9451 · 5^7736 mod 10007 = 8400
• Since 8400 = 2^4 · 3 · 5^2 · 7 factors over B, we obtain
  log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 - s) mod 10006
             = (4 · 6578 + 6190 + 2 · 1 + 1301 - 7736) mod 10006
             = 6057
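Both stages of the example above in code: the relation-collection stage that yields the logs of the factor base, and the final stage that finds an s with a g^s smooth. This is an added example, not code from the slides; the relation search by random exponents, the Cramer's-rule solver (enough for a 3x3 system mod 10006, whose determinant 5 is invertible) and the handling of log_5 5 = 1 as a known value are this example's own choices.

```python
"""Added example: index calculus in Z_p^* on the slide's numbers
(p = 10007, g = 5, B = {2, 3, 5, 7}, a = 9451)."""
from math import gcd
from random import Random


def factor_over_base(x, base):
    """Exponent vector of x over the factor base, or None if x is not B-smooth."""
    exps = []
    for q in base:
        e = 0
        while x % q == 0:
            x //= q
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def det_mod(m, n):
    """Determinant of a small square matrix (Laplace expansion along row 0), mod n."""
    if len(m) == 1:
        return m[0][0] % n
    return sum((-1) ** j * a * det_mod([row[:j] + row[j + 1:] for row in m[1:]], n)
               for j, a in enumerate(m[0])) % n


def solve_mod(a, b, n):
    """Solve a.x = b (mod n) by Cramer's rule; requires gcd(det a, n) = 1."""
    d = det_mod(a, n)
    if gcd(d, n) != 1:
        raise ValueError("singular system mod n: collect other relations")
    d_inv = pow(d, -1, n)                         # needs Python 3.8+
    return [det_mod([row[:j] + [b[i]] + row[j + 1:] for i, row in enumerate(a)], n) * d_inv % n
            for j in range(len(a))]


def factor_base_logs(p, g, base, exponents=None, rng=Random(7)):
    """Stage 1: each relation g^k = prod q^e_q (mod p) is a linear equation in the
    unknown logs mod p-1.  log_g g = 1 is known and is moved to the right-hand side.
    With `exponents` given, exactly those are used; otherwise random k are tried."""
    n = p - 1
    unknowns = [q for q in base if q != g]
    rows, rhs = [], []
    ks = iter(exponents) if exponents is not None else iter(lambda: rng.randrange(1, n), None)
    for k in ks:
        e = factor_over_base(pow(g, k, p), base)
        if e is None:
            if exponents is not None:
                raise ValueError(f"{k} is not a lucky exponent")
            continue
        ev = dict(zip(base, e))
        rows.append([ev[q] for q in unknowns])
        rhs.append((k - ev.get(g, 0)) % n)
        if len(rows) >= len(unknowns):
            try:
                sol = solve_mod(rows[-len(unknowns):], rhs[-len(unknowns):], n)
            except ValueError:
                if exponents is not None:
                    raise
                continue                          # singular window: keep collecting
            logs = dict(zip(unknowns, sol))
            logs[g] = 1
            return logs
    raise ValueError("not enough relations")


def index_calculus_log(p, g, a, base, logs, s=None, rng=Random(7)):
    """Stage 2: find s with a g^s B-smooth; then log_g a = sum e_q log_g q - s (mod p-1)."""
    n = p - 1
    while True:
        cand = s if s is not None else rng.randrange(1, n)
        e = factor_over_base(a * pow(g, cand, p) % p, base)
        if e is not None:
            return (sum(eq * logs[q] for eq, q in zip(e, base)) - cand) % n
        if s is not None:
            raise ValueError(f"a * g^{s} is not B-smooth")


if __name__ == "__main__":
    logs = factor_base_logs(10007, 5, [2, 3, 5, 7], exponents=[4063, 5136, 9865])
    print("factor base logs:", logs)
    print("log_5 9451 =", index_calculus_log(10007, 5, 9451, [2, 3, 5, 7], logs, s=7736))
```

Stage 1 is independent of the target a, so its cost is paid once per (p, g): after the factor-base logs are known, every further logarithm in the same group costs only the stage-2 search. That amortisation is what makes index calculus (and its descendants) the reason Z*_p parameters must be far larger than elliptic-curve parameters for the same security.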
Cryptosystems based on DL
• Key Distribution
  • Diffie-Hellman, 1976
• Encryption
  • Massey-Omura cryptosystem, 1983
• Digital Signature
  • ElGamal, 1985
  • DSA (Digital Signature Algorithm), 1992
Diffie-Hellman Key Exchange Algorithm
• Global Public Elements
  • q: a prime number
  • α: α < q and α is a primitive root of q
• User A Key Generation
  • Select private X_A with X_A < q
  • Calculate public Y_A = α^X_A mod q
• User B Key Generation
  • Select private X_B with X_B < q
  • Calculate public Y_B = α^X_B mod q
• Generation of Secret Key by User A
  • K = (Y_B)^X_A mod q
• Generation of Secret Key by User B
  • K = (Y_A)^X_B mod q
• Both sides obtain K = α^(X_A X_B) mod q; an eavesdropper who sees only Y_A and Y_B must solve a discrete logarithm (or the Diffie-Hellman problem) to get K
Diffie-Hellman Key Exchange (message flow)
User A: generate random X_A < q; calculate Y_A = α^X_A mod q
User B: generate random X_B < q; calculate Y_B = α^X_B mod q
A → B: Y_A
B → A: Y_B
User A: calculate K = (Y_B)^X_A mod q
User B: calculate K = (Y_A)^X_B mod q
The exchange authenticates neither party: whoever controls the channel can replace Y_A and Y_B with values of their own.
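The exchange above with both sides' computations, plus the man-in-the-middle run that the missing authentication permits. This is an added example, not code from the slides; the parameters q = 10^9 + 7 (prime) and α = 5 (a primitive root, since 5 is a quadratic non-residue mod q and (q-1)/2 is prime) are an assumption chosen for speed, and the range check on received public values is this example's addition.

```python
"""Added example: Diffie-Hellman over Z_q^* with q = 10^9 + 7, alpha = 5 (assumed
parameters), and a man-in-the-middle run showing why Y_A, Y_B must be authenticated."""
import secrets

Q = 1_000_000_007
ALPHA = 5


def keygen(q=Q, alpha=ALPHA):
    """Private X in [1, q-2], public Y = alpha^X mod q."""
    x = secrets.randbelow(q - 2) + 1
    return x, pow(alpha, x, q)


def shared_key(their_y, my_x, q=Q):
    """K = Y^X mod q, after rejecting public values that make K predictable
    (Y = 1 gives K = 1, Y = q-1 gives K = +-1)."""
    if not 1 < their_y < q - 1:
        raise ValueError("public value must lie in [2, q-2]")
    return pow(their_y, my_x, q)


def honest_exchange(q=Q, alpha=ALPHA):
    """Returns (K computed by A, K computed by B); they agree."""
    xa, ya = keygen(q, alpha)
    xb, yb = keygen(q, alpha)
    return shared_key(yb, xa, q), shared_key(ya, xb, q)


def mitm_exchange(q=Q, alpha=ALPHA):
    """Mallory swaps both public values for her own Y_M in transit.  A and B each end
    up sharing a key with Mallory, who can decrypt and re-encrypt everything.
    Returns (K at A, K at B, (Mallory's copy of K_A, Mallory's copy of K_B))."""
    xa, ya = keygen(q, alpha)
    xb, yb = keygen(q, alpha)
    xm, ym = keygen(q, alpha)
    ka = shared_key(ym, xa, q)        # A received Y_M instead of Y_B
    kb = shared_key(ym, xb, q)        # B received Y_M instead of Y_A
    return ka, kb, (shared_key(ya, xm, q), shared_key(yb, xm, q))


if __name__ == "__main__":
    print("honest:", honest_exchange())
    ka, kb, mallory = mitm_exchange()
    print("mitm: A has", ka, "B has", kb, "Mallory has", mallory)
```

In practice the public values are signed (or bound to a certificate, as in TLS) precisely to close the second run; the range check stops the trivial small-subgroup values but does not replace authentication.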
Massey-Omura for message transmission
• Parameters
  • q: a prime number
  • e: a random private integer with 0 < e < q and gcd(e, q-1) = 1
  • d: the inverse of e, d = e^(-1) mod (q-1), i.e. d e ≡ 1 mod (q-1)
  • M: the message to be encrypted and decrypted
• User A wants to send a message M to User B
  • User A: e_A and d_A are both private
  • User B: e_B and d_B are both private
Massey-Omura for message transmission (message flow)
1. User A encrypts: C1 = M^e_A mod q, and sends C1 to B
2. User B encrypts again: C2 = C1^e_B = M^(e_A e_B) mod q, and sends C2 to A
3. User A removes its own exponent: C3 = C2^d_A = (M^(e_A e_B))^d_A = M^e_B mod q, and sends C3 to B
4. User B decrypts: M = C3^d_B = M^(e_B d_B) mod q
Step 3 works because exponents commute and e_A d_A ≡ 1 mod (q-1). No key is ever exchanged, but nothing authenticates the three passes either.
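The three-pass protocol as code that returns the full transcript, so each intermediate value can be checked against the flow above. This is an added example, not code from the slides; q = 10^9 + 7 is an assumed prime, and the check that M is not 0, 1 or q-1 (all fixed points of exponentiation, hence sent in the clear) is this example's addition.

```python
"""Added example: Massey-Omura three-pass transmission over Z_q^* (q = 10^9 + 7 assumed)."""
from math import gcd
import secrets

Q = 1_000_000_007


def mo_keygen(q=Q):
    """Private pair (e, d): 0 < e < q with gcd(e, q-1) = 1 and d = e^-1 mod (q-1)."""
    while True:
        e = secrets.randbelow(q - 2) + 1
        if gcd(e, q - 1) == 1:
            return e, pow(e, -1, q - 1)          # pow(.., -1, ..) needs Python 3.8+


def three_pass(m, q=Q):
    """A -> B: C1 = M^eA;  B -> A: C2 = C1^eB;  A -> B: C3 = C2^dA;  B: M = C3^dB.
    Returns the transcript plus B's result and the value M^eB that C3 must equal."""
    if not 1 < m < q - 1:
        # 0, 1 and q-1 satisfy m^e = m for every odd e, so they would leak as-is
        raise ValueError("message must be in [2, q-2]")
    ea, da = mo_keygen(q)          # A's private pair
    eb, db = mo_keygen(q)          # B's private pair
    c1 = pow(m, ea, q)
    c2 = pow(c1, eb, q)
    c3 = pow(c2, da, q)            # = M^(eA eB dA) = M^eB because eA dA = 1 mod (q-1)
    return {"C1": c1, "C2": c2, "C3": c3,
            "recovered": pow(c3, db, q), "M^eB": pow(m, eb, q)}


if __name__ == "__main__":
    print(three_pass(424242))
```

Each of the three passes is a bare exponentiation with no tag binding it to a session, so an active attacker can play User B towards A (stripping C2 with their own exponent) without either party noticing; the scheme needs an authenticated channel just as Diffie-Hellman does.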
ElGamal encryption scheme
• Parameters
  • p: a large prime
  • α: a primitive element of GF(p)
  • a: the private key, a ∈ [1, p-1]
  • β: the public key, β = α^a (mod p)
  • m: the message to be encrypted, m ∈ [1, p-1]
  • k: a random integer selected privately for each message, k ∈ [0, p-2]
  • K = (p, α, a, β): public key (p, α, β) plus private key a
• Encryption: e_K(m, k) = (y1, y2) where y1 = α^k mod p and y2 = m β^k mod p
• Decryption: m = d_K(y1, y2) = y2 (y1^a)^(-1) mod p, which works because y1^a = α^(a k) = β^k
• k must be fresh for every message: two ciphertexts with the same k satisfy y2 / y2' = m / m', so one known plaintext reveals the other
ElGamal signature scheme
• 1985 ElGamal
• Parameters
  • p: a large prime
  • α: a primitive element of GF(p)
  • x: the private key, x ∈ [1, p-1]
  • y: the public key, y = α^x (mod p)
  • m: the message to be signed, m ∈ [1, p-1]
  • k: a random integer selected privately for each signature, k ∈ [0, p-2] with gcd(k, φ(p)) = 1
• Signature
  • r = α^k mod p
  • solve m = k s + r x mod φ(p) for s, i.e. s = k^(-1)(m - r x) mod (p-1)
  • (m, (r, s)) is sent to the verifier
• Verification
  • α^m = r^s y^r mod p; this holds because r^s y^r = α^(k s) α^(x r) = α^(k s + r x) = α^m
  • The signature (r, s) is accepted when the equality holds and 1 <= r <= p-1; the range check on r is needed, since without it existential forgeries are possible
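ElGamal encryption and ElGamal signatures over the same (p, α), as defined on the two slides above. This is an added example, not code from the slides; p = 10^9 + 7 and α = 5 (a primitive root) are assumed parameters, the message is signed directly as on the slide (in practice a hash of the message is signed), and the range checks in the verifier are this example's addition.

```python
"""Added example: ElGamal encryption and ElGamal signatures in Z_p^*
(p = 10^9 + 7, alpha = 5 assumed)."""
from math import gcd
import secrets

P = 1_000_000_007
ALPHA = 5


def eg_keygen(p=P, alpha=ALPHA):
    """Private exponent in [1, p-2], public value alpha^exponent mod p
    (used as (a, beta) for encryption and as (x, y) for signatures)."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(alpha, a, p)


def eg_encrypt(m, beta, p=P, alpha=ALPHA):
    """e_K(m, k) = (alpha^k, m beta^k) with a fresh random k per message."""
    if not 1 <= m <= p - 1:
        raise ValueError("message must be in [1, p-1]")
    k = secrets.randbelow(p - 1)          # k in [0, p-2]
    return pow(alpha, k, p), m * pow(beta, k, p) % p


def eg_decrypt(cipher, a, p=P):
    """d_K(y1, y2) = y2 (y1^a)^-1 mod p."""
    y1, y2 = cipher
    return y2 * pow(y1, -a, p) % p        # pow(.., -a, ..) needs Python 3.8+


def eg_sign(m, x, p=P, alpha=ALPHA):
    """r = alpha^k, s = k^-1 (m - r x) mod (p-1), with gcd(k, p-1) = 1 and k fresh."""
    while True:
        k = secrets.randbelow(p - 2) + 1  # k in [1, p-2]
        if gcd(k, p - 1) == 1:
            break
    r = pow(alpha, k, p)
    s = (m - r * x) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def eg_verify(m, sig, y, p=P, alpha=ALPHA):
    """Accept iff 1 <= r <= p-1, 0 <= s <= p-2 and alpha^m = r^s y^r (mod p)."""
    r, s = sig
    if not (1 <= r <= p - 1 and 0 <= s <= p - 2):
        return False                      # without the r check, forgeries are possible
    return pow(alpha, m, p) == pow(r, s, p) * pow(y, r, p) % p


if __name__ == "__main__":
    a, beta = eg_keygen()
    c = eg_encrypt(123456, beta)
    print("ciphertext", c, "decrypts to", eg_decrypt(c, a))
    x, y = eg_keygen()
    sig = eg_sign(987654, x)
    print("signature", sig, "valid:", eg_verify(987654, sig, y))
```

The same private exponent must not serve both roles: a signing oracle on messages of the attacker's choice is also a decryption oracle, because the verification equation and the decryption equation use the same exponent.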
Digital Signature Algorithm (DSA)
• 1992 NIST
• Parameters
  • p: a large prime (512 bits in the 1992 standard; current practice is 2048 bits or more)
  • q: a large prime with q | p-1 (160 bits in the 1992 standard; 224 or 256 bits today)
  • g: g = h^((p-1)/q) mod p for some h ∈ [1, p-1] with g ≠ 1, so that g has order q
  • H: a one-way hash function
  • x: the private key, 0 < x < q
  • y: the public key, y = g^x (mod p)
  • m: the message to be signed (only H(m) enters the signature)
  • k: a random integer selected privately for each signature, 0 < k < q
Digital Signature Algorithm (DSA)
• Signature
  • r = (g^k mod p) mod q
  • s = k^(-1)(H(m) + r x) mod q, where k^(-1) k = 1 mod q (if r = 0 or s = 0, choose a new k)
  • (m, (r, s)) is sent to the verifier
• Verification
  • check whether 0 < r < q and 0 < s < q; if not, (r, s) is not a valid signature
  • t = s^(-1) mod q
  • r' = (g^(H(m) t) y^(r t) mod p) mod q
  • if r' = r, then (r, s) is a valid signature of message m
• Proof (g has order q, so exponents may be reduced mod q)
  r' = ((g^(H(m)) y^r)^t mod p) mod q
     = ((g^(H(m)) (g^x)^r)^t mod p) mod q
     = (g^((H(m) + x r) t) mod p) mod q
     = (g^((H(m) + x r) s^(-1)) mod p) mod q
     = (g^k mod p) mod q, since s = k^(-1)(H(m) + x r) mod q gives (H(m) + x r) s^(-1) ≡ k (mod q)
     = r
• k must be secret and unique per signature: two signatures made with the same k share r, and then k = (H(m1) - H(m2)) (s1 - s2)^(-1) mod q and x = (s1 k - H(m1)) r^(-1) mod q follow from the signatures alone
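DSA signing and verification as specified above, plus the private-key recovery from two signatures that reused k. This is an added example, not code from the slides; the parameters are an assumption chosen to keep the demo fast: p = 10^9 + 7 (prime), q = (p-1)/2 = 500000003 (prime, so q | p-1), g = 2^((p-1)/q) mod p = 4 (order q), and H = SHA-256 reduced mod q instead of the leftmost-bits rule of the standard. Real DSA uses p of at least 2048 bits and q of at least 224 bits.

```python
"""Added example: DSA sign/verify on assumed toy parameters, and key recovery from a
repeated nonce k.  Needs Python 3.8+ for pow(x, -1, q)."""
import hashlib
import secrets

P = 1_000_000_007
Q = (P - 1) // 2                    # prime, so q | p - 1
G = pow(2, (P - 1) // Q, P)         # = 4; g != 1, hence g has order exactly q


def H(m, q=Q):
    """Hash the message bytes to an integer mod q (toy replacement for the
    leftmost-bits truncation of FIPS 186)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def dsa_keygen(p=P, q=Q, g=G):
    """Private 0 < x < q, public y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dsa_sign(m, x, k=None, p=P, q=Q, g=G):
    """r = (g^k mod p) mod q, s = k^-1 (H(m) + r x) mod q.  k is fresh unless the
    caller forces one; only the nonce-reuse demo below does that."""
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = pow(kk, -1, q) * (H(m, q) + r * x) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("forced k gives r = 0 or s = 0")


def dsa_verify(m, sig, y, p=P, q=Q, g=G):
    """Range-check (r, s), then test (g^(H(m) t) y^(r t) mod p) mod q == r, t = s^-1."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    t = pow(s, -1, q)
    return (pow(g, H(m, q) * t % q, p) * pow(y, r * t % q, p) % p) % q == r


def recover_key_from_reused_k(m1, sig1, m2, sig2, q=Q):
    """Two signatures with the same k share r, and s1 - s2 = k^-1 (H1 - H2) mod q, so
    k = (H1 - H2)(s1 - s2)^-1 and then x = (s1 k - H1) r^-1 (mod q)."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2 or (s1 - s2) % q == 0:
        raise ValueError("signatures do not share k, or H(m1) = H(m2) mod q")
    k = (H(m1, q) - H(m2, q)) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - H(m1, q)) * pow(r, -1, q) % q


def nonce_reuse_demo(k=123457):
    """Sign two constructed messages with the same k and recover x from the signatures.
    Returns (real x, recovered x)."""
    x, y = dsa_keygen()
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to bob"   # constructed sample messages
    sig1, sig2 = dsa_sign(m1, x, k), dsa_sign(m2, x, k)
    assert dsa_verify(m1, sig1, y) and dsa_verify(m2, sig2, y)
    return x, recover_key_from_reused_k(m1, sig1, m2, sig2)


if __name__ == "__main__":
    real, recovered = nonce_reuse_demo()
    print("private key:", real, " recovered from two signatures:", recovered)
```

The recovery needs nothing but the two public signatures and messages, which is why deployed implementations derive k deterministically from the key and message (RFC 6979) or at least from a well-seeded CSPRNG; a biased or repeated k is a complete break, not a weakening.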