1 / 27

離散對數密碼系統

離散對數密碼系統. 交通大學資訊工程系 陳榮傑. Outline. 離散對數問題 (Discrete Logarithm Problem) 離散對數演算法 (DL Algorithms) A trivial algorithm Shanks’ algorithm Pollard’s algorithm Pohlig-Hellman algorithm Adleman’s algorithm (the index calculus method) 離散對數密碼系統 (Cryptosystems based on DL) Key distribution

dmarcus
Download Presentation

離散對數密碼系統

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 離散對數密碼系統 交通大學資訊工程系 陳榮傑

  2. Outline • 離散對數問題 (Discrete Logarithm Problem) • 離散對數演算法 (DL Algorithms) • A trivial algorithm • Shanks’ algorithm • Pollard’s algorithm • Pohlig-Hellman algorithm • Adleman’s algorithm (the index calculus method) • 離散對數密碼系統 (Cryptosystems based on DL) • Key distribution • Encryption • Digital signature

  3. Discrete Logarithm Problem • Let G is a finite cyclic group of size n generated by generator g, i.e. G = <g> = {g i | i = 1, 2, …, n} or {g i | i = 0, 1, …, n-1} • Given g and i, it is easy to compute gi by repeated squaring • Discrete logarithm problem Given , find x such that We denote

  4. Discrete Logarithm Problem • Example 1G = Z*19 = { 1, 2, …, 18}n=18, generator g = 2then log214 = 7 log26 = 14

  5. Discrete Logarithm Problem • Example 2G=GF*(23) with irreducible poly. p(x) = x3 + x +1G=Z*p/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }n=7, generator g = xthen logx(x+1) = 3 logx(x2+x+1) = 5 logx(x2+1) = 6

  6. 離散對數演算法 (DL Algorithms) • A trivial algorithm • Shanks’ algorithm • Pollard rho discrete log algorithm • Pohlig-Hellman algorithm • The index calculus method

  7. Algorithms for Discrete Logarithm • Discrete Logarithm Problem in Z*p given generator g and a in Z*p, find x in Zp-1 such that a = gx mod p • A trivial algorithm • Compute gi for all i • Search table for a • Time complexity O(p)

  8. Algorithms for Discrete Logarithm • Shanks’ algorithm (1972) • Compute L1 = {(i, gmi), i = 0, 1, …, m-1} L2 = {(i, ag-i), i = 0, 1, …, m-1} • where m = ceiling((p-1)½) Sort L1 and L2 with respect to the 2nd coordinate. • Find the same 2nd coordinate from L1 and L2, say, (q, gmq), (r, ag-r), to get gmq =ag-r. So a = gmq + r and x=mq+r. • Time complexity O(mlogm) = O(p 1/2 logp) • Space complexity O(p 1/2)

  9. Algorithms for Discrete Logarithm Example log215 mod 19 =? G = Z*19 = { 1, 2, …, 18}g = 2, g-1 = 10, n=p-1 = 18, m = 5, gm = 13 a = 15 L1: (i, gmi) L2: (i, ag-i) (0, 1) (0, 15) (1, 13) (1, 17) q = 2 (2, 17) (2, 18) r = 1 (3, 12) (3, 9) mq + r = 11 (4, 4) (4, 14) log215 mod 19 = 11

  10. Algorithms for Discrete Logarithm • Pollard rho discrete logarithm algorithm (1978)compute integers s and t such that • partition the group G into three roughly equal-sized set S1 , S2 and S3 . Let x0=1G and x0 is not in S2

  11. Algorithms for Discrete Logarithm where n = p-1 when G = Z*p

  12. Algorithms for Discrete Logarithm • We should expect some integer such that , then this gives with If , then compute u such that and we have , so that If ,little work to do... (Omitted)

  13. Algorithms for Discrete Logarithm • Pohlig-Hellman algorithm (1978) (DLP: find m s.t. αm = c mod q) Suitable for q-1 containing only small prime divisorsAssume m is the discrete logarithm of c (i.e. c = αm ) • Base case : If q-1 = 2n and because αq-1 = 1 hence …. So we can compute m

  14. Algorithms for Discrete Logarithm • General case : Let m(i) = m (mod pini) then apply the Chinese Remainder Theorem, we can compute m.How to compute m(i) ? (similar to the base case, see next page)

  15. Algorithms for Discrete Logarithm Let then ….. So we can compute m(i) and then apply CRT to get m • Time complexity: O((log2q)2) + factoring q-1

  16. Algorithms for Discrete Logarithm • The index calculus method (Suitable only for G=Zp*)

  17. Algorithms for Discrete Logarithm • Example log59451 mod 10007=? Choose B={2, 3, 5, 7}. Of course log55=1. Use = 9865 mod 10006 lucky exponents 4063, 5136, and 9865 54063 mod 10007 = 42 = 2 * 3 * 7 55136 mod 10007 = 54 = 2 * 33 59865 mod 10007 = 189 = 33 * 7 And we have three congruences: log52 + log53 + log57 = 4063 mod 10006 log52 + 3 log53 = 5136 mod 10006 3 log53 + log57 = 9865 mod 10006

  18. Algorithms for Discrete Logarithm • There happens to be a unique solution modulo 10006 • log52=6578, log53=6190, and log57=1301 • Choose random exponent s = 7736 and try to calculate • ags = 9451*57736 mod 10007 = 8400 • Since 8400 = 24*3*52*7 factors over B, we obtain • log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006 • = (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006 • = 6057 mod 10006

  19. 離散對數密碼系統(Cryptosystems based on DL) • Key Distribution • Diffie-Hellman, 1976 • Encryption • Massey-Omura cryptosystem, 1983 • Digital Signature • ElGamal, 1985 • DSA(Digital Signature Algorithm), 1992

  20. Diffie-Hellman Key Exchange Algorithm • Global Public Elements • q : prime number • α: α< q and α is a primitive root of q • User A Key Generation • Select private XA : XA< q • Calculate public YA : YA= αXA mod q • User B Key Generation • Select private XB : XB< q • Calculate public YB : YB= αXB mod q • Generation of Secret Key by User A • K = (YB)XA mod q • Generation of Secret Key by User B • K = (YA)XB mod q

  21. User A User B Generate random XA < q ; Calculate YA = αXA mod q Calculate K = (YB)XA mod q Generate random XB < q ; Calculate YB = αXB mod q Calculate K = (YA)XB mod q YA YB Diffie-Hellman Key Exchange

  22. Massey-Omura for message transmission • Parameters • q : prime number • e : a random private integer • 0 < e< q and gcd ( e, q-1) = 1 • d : an inverse of e • d = e-1 mod q-1 , i.e., de≡1 mod q-1 • M : a message to be encrypted and decrypted • User A wants to send a message M to User B • User A : eA and dA are both private • User B : eB and dBare both private

  23. User A User B 1.Encryption(1) C1 = M eA mod q 3.Encryption(3) C3 = C2dA = (M eAeB)dA = M eB mod q 2.Encryption(2) C2 = C1eB = M eAeB mod q 4. Decryption M = C3dB = M eBdBmod q C1 C2 C3 Massey-Omura for message transmission

  24. ElGamal encryption scheme • Parameters • p : a large prime • α: a primitive number in GF(p) • a : a private key, a [1, p-1] • β : a public key , β = αa(mod p) • m : a message to be signed , m [1, p-1] • k : a random integer that is privately selected, k [0, p-2] • K = (p, α, a, β) : public key + private key • Encryption eK(m, k)=(y1, y2) where y1= αkmodpand y2=mβkmod p • Decryption m = dK(y1, y2) = y2(y1a)-1 mod p

  25. ElGamal signature scheme • 1985 ElGamal • Parameters • p : a large prime • α: a primitive number in GF(p) • x : a private key, x [1, p-1] • y : a public key , y = αx(mod p) • m : a message to be signed , m [1, p-1] • k : a random integer that is privately selected, k [0, p-2] • Signature • r = αkmod p • m = ks + rx mod φ(p) ,where GCD( k, φ(p) ) = 1 • ( m , (r,s) ) is sent to the verifier • Verification • αm = rs yr mod p • The signature (r,s) is accepted when the equality holds true.

  26. Digital Signature Algorithm (DSA) • 1992 NIST • Parameters • p : a large prime, 512 bits • q : a large prime, 160 bits , q | p-1 • g : g = h p-1/q mod q , with h [1, p-1] • h : a one-way hash function • x : a private key, 0 < x < q • y : a public key , y = gx(mod p) • m : a message to be signed , 0 < m < p • k : a random integer that is privately selected, 0 < k < q

  27. Digital Signature Algorithm (DSA) • Signature • r = (gkmod p) mod q • s = k -1( h(m)+ rx)mod q ,where k-1k = 1 mod q • ( m , (r,s) ) is sent to the verifier • Verification • check whether (r,s) [0,q] ; if not , (r,s) is not the signature • t = s-1 mod q • r’ = ( g h(m)t yrt mod p ) mod q • if r’ = r ,then (r,s) is the legal signature of message m • Proof g h(m)t yrt = (( g h(m)t yr )t mod p ) mod q = (( g h(m)t(gx)r )t mod p ) mod q = (( g h(m)+xr )t mod p ) mod q = (( g h(m)+xr )s-1 mod p ) mod q = ( gkmod q ) mod q = r

More Related