Elgamal demonstration project on calculators TI-83+
Gerard Tel, Utrecht University
With results from Jos Roseboom and Meli Samikin
Overview of the lecture
• History and background
• Elgamal (Diffie Hellman)
• Discrete Log: Pollard rho
• Experimentation results
• Structure of Function Graph: Cycles, Tails, Layers
• Conclusions
Workshop Elgamal
1. History and background
• 2003, lecture for school teachers about Elgamal
• 2006, lecture with calculator demo
Why Elgamal, not RSA?
• Functional property easy to show
• Security: rely on complexity
• Compare exponentiation and DLog
Math: Modular arithmetic
• Compute modulo prime p (95917) with 0, 1, …, p-2, p-1
• Generator g of order q (prime)
• Rules of algebra are valid: (g^a)^k = (g^k)^a
Secure application: p has ~309 digits!!
Calculator TI-83, 83+, 84+
• Graphical, 14 digit
• Programmable
• Generally available in VWO (pre-academic school type in the Netherlands)
• Cost 100 euro (free for me)
The Elgamal program
• Caesar cipher (symmetric)
• Elgamal parameter and key generation
• Elgamal encryption and decryption
• Discrete Logarithm: Pollard
Infeasible problem!! But doable for 7 digit modulus
2. Public Key codes
The problem of Key Agreement:
• A and B are on two sides of a river
• They want to have common z
• Oscar is in a boat on the river
• Oscar must not know z
Solution: Diffie-Hellman
• Alice takes random a, shouts b = g^a
• Bob takes random k, shouts u = g^k
• Alice computes z = u^a = (g^k)^a
• Bob computes z = b^k = (g^a)^k
The two numbers are the same
The difference in complexity for A&B and O is relevant
What does Oscar hear?
Seen: Public b = g^a, Public u = g^k
Not computable: Secret a, k, Common z
This needs discrete logarithm
Oscar sees the communication, but not the secrets
The Elgamal program
• In class use
• Program, explanation, slides on website
• Program extendible
• Booklet with ideas for experimenting, papers
• (All in Dutch!)
http://people.cs.uu.nl/gerard/Cryptografie/Elgamal/
3. Pollard Rho Algorithm
• Fixed p (modulus), g, q (order of g); G is the set of powers of g
• Discrete Logarithm problem: given y in G, return x such that g^x = y
• Pollard Rho: randomized, √q time
Pollard Rho: Representation
• Representation of z: z = y^a · g^b
• Two representations of the same number reveal log y: if y^a · g^b = y^c · g^d, then y = g^((b-d)/(c-a)) (exponents computed modulo q)
• Goal: find 2 representations of one number z (value does not matter)
Strategy: Birthday Theorem
• All values z = y^a · g^b are in G
• Birthday Theorem: in a random sequence, we expect a collision after √q steps
• Simulate the effect of a random sequence by a pseudorandom function: z_{i+1} = f(z_i) (keep the representation of each z_i)
Cycle detection
• Detect collision by storing previous values: too expensive
• Floyd cycle detection method:
• Develop two sequences: z_i and t_i
• Relation: t_i = z_{2i}
• Collision: t_i = z_i, i.e., z_i = z_{2i}
In each round, z "moves" one step and t moves two steps.
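The walk, representation bookkeeping and Floyd collision test of the last four slides, as an added example in Python (not the slides' TI-83+ program, which is not reproduced on this page). The modulus p = 95917 is the one named on the slides; the prime order q = 7993 is an assumption derived here from p - 1 = 2^2 · 3 · 7993, and the partition of the walk by z mod 3 is the classical Pollard choice, not something the slides specify.

```python
# Added example (not from the slides or Gerard Tel's TI-83+ program): Pollard rho for the
# discrete log in the order-q subgroup, with Floyd's z_i / z_{2i} cycle detection.
# p = 95917 is the modulus named on the slides; q = 7993 is an assumption: it is the
# largest prime factor of p - 1 = 2^2 * 3 * 7993, so a subgroup of that prime order exists.
P = 95917
Q = 7993


def subgroup_generator(p=P, q=Q):
    """Element of order q: h^((p-1)/q) for the first h where that power is not 1."""
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g
    raise ValueError("no element of order q")


def step(z, a, b, y, g, p=P, q=Q):
    """One move z -> f(z) of the pseudorandom walk, carrying the representation z = y^a * g^b.
    The move is selected by z mod 3 (assumed partition into three classes)."""
    r = z % 3
    if r == 0:
        return y * z % p, (a + 1) % q, b            # multiply by y: a += 1
    if r == 1:
        return z * z % p, 2 * a % q, 2 * b % q       # square: a and b doubled
    return g * z % p, a, (b + 1) % q                # multiply by g: b += 1


def pollard_rho(y, g, b0, p=P, q=Q):
    """Floyd: z moves one step per round, t two steps, until t_i == z_i (so z_i == z_{2i}).
    Returns (x, rounds) with g^x = y, or (None, rounds) when both representations have the
    same y-exponent and reveal nothing; the caller then restarts from another b0."""
    z, a, b = pow(g, b0, p), 0, b0                  # z_0 = g^b0, representation (0, b0)
    t, c, d = z, a, b
    rounds = 0
    while True:
        rounds += 1
        z, a, b = step(z, a, b, y, g, p, q)
        t, c, d = step(t, c, d, y, g, p, q)
        t, c, d = step(t, c, d, y, g, p, q)
        if z == t:
            break
    # y^a g^b = y^c g^d  =>  x*(a - c) = d - b (mod q)  =>  x = (d - b)/(a - c) mod q,
    # which is the slide's y = g^((b-d)/(c-a)) solved for the exponent x.
    den = (a - c) % q
    if den == 0:
        return None, rounds
    return (d - b) * pow(den, -1, q) % q, rounds


def dlog(y, g, p=P, q=Q):
    """Retry the walk from different start points until a verified logarithm is found."""
    for b0 in range(1, q):
        x, _ = pollard_rho(y, g, b0, p, q)
        if x is not None and pow(g, x, p) == y:
            return x
    raise ValueError("no discrete log found")


if __name__ == "__main__":
    g = subgroup_generator()
    y = pow(g, 1234, P)
    x, rounds = pollard_rho(y, g, 1)
    print(f"g = {g}, y = g^x = {y}: x = {x}, Floyd rounds = {rounds}, sqrt(q) = {Q ** 0.5:.1f}")
```

The round count that `pollard_rho` returns is the quantity the experiments below tabulate against √q; because the walk is deterministic once y, g and the start point are fixed, rerunning with the same b0 gives exactly the same count, which is the "almost no variation within one row" effect.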
4. Experimentation results
Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger
Observations
• Average number of iterations coincides well with √q
• Almost no variation within one row
• Is this a bug in the program??
• Bad randomization in the calculator?
• Or a general property of Pollard Rho?
5. Function graph
• Function f: z_i -> z_{i+1} defines a graph
• Out-degree 1, cycles with in-trees
• Length, component, size
• Graph is the same when the algorithm is repeated with the same input
• Starting point differs
• As z_i = z_{2i}, i must be a multiple of the cycle length
Layers in a component
• Layer of a node measures its distance to the cycle in terms of the cycle length l:
• Point z in the cycle has layer 0
• Point z is in layer 1 if f^(l)(z) is in the cycle
• Point z is in layer c if f^(c·l)(z) is in the cycle
• Lemma: z_0 in layer c gives c·l iterations
• Is there a dominant component or layer?
Layers 0 and 1 dominate
Probability theory analysis by Meli Samikin
Lemma: Pr(layer ≤ 1) = ½
Proof: Assume collision after k steps: z_0 -> z_1 -> … -> z_{k-1} -> ??
Layer of z_0 is 0 if z_k = z_0, Pr = 1/k
Layer of z_0 is 1 if z_k = z_j with j < k/2, Pr ≈ 1/2
Dominant Component
Lemma: For random z_0 and w_0, Pr(same component) > ½.
Proof: First collision after k steps:
z_0 -> z_1 -> … -> z_{k-1} -> ??
w_0 -> w_1 -> … -> w_{k-1} -> ??
Pr(z meets the other sequence) = ½. Then, the w-sequence may collide into z.
Experiments: dominance
• Jos Roseboom: count points in the layers of each component
• Plays in the national korfbal team
• World Champion 2007, November, Brno.
Size of largest component
Conclusions
• Elgamal + hand calculators = fun
• Functional requirements easier to explain than for RSA
• Security: experiment with DLog
• Pollard only randomizes at the start
• Iterations: random variable, but takes only limited values
• Most often: size of the heaviest cycle
Rabbit Formula
• Decrypting is: divide v by u^a
• u^(a1+a2) is: u^a1 · u^a2
• First divide by u^a1 and then by u^a2
• Team 1: compute v' = Dec_a1(u, v)
• Team 2: compute x = Dec_a2(u, v')
Overview of formulas
• Constants: prime p, base g
• Key pair: secret a and public b = g^a
• Encryption: (u, v) = (g^k, x·b^k) with b
• Decryption: x = v/u^a with a
• Challenge: b = b1·b2. Decrypt?
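The Diffie-Hellman exchange, the ElGamal formulas of this slide, and the two-team "rabbit formula" decryption of the previous slide, as an added example that is not the slides' TI-83+ program. It works in the order-q subgroup of the slide's p = 95917; q = 7993, the generator search, the share split a = a1 + a2 (mod q) and the sample message are assumptions. For the challenge b = b1·b2 = g^(a1+a2), the two-step decryption is exactly the rabbit formula, and one share alone does not recover the message.

```python
# Added example (not from the slides or the TI-83+ program): Diffie-Hellman, ElGamal and the
# two-team "rabbit formula" decryption with a split key a = a1 + a2, in the order-q subgroup.
# p = 95917 is the slide's modulus; q = 7993 (largest prime factor of p - 1) is an assumption.
import secrets

P, Q = 95917, 7993
# an element of order q: h^((p-1)/q) for the first h where that power is not 1
G = next(pow(h, (P - 1) // Q, P) for h in range(2, P) if pow(h, (P - 1) // Q, P) != 1)


def keygen(a=None):
    """Secret a, public b = g^a (a may be given for reproducible runs)."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    return a, pow(G, a, P)


def dh_shared(my_secret, their_public):
    """z = u^a = b^k: both sides get the same number; Oscar only sees b and u."""
    return pow(their_public, my_secret, P)


def encrypt(b, x, k=None):
    """(u, v) = (g^k, x * b^k) with a fresh random k per message, 1 <= x < p."""
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    return pow(G, k, P), x * pow(b, k, P) % P


def decrypt(a, u, v):
    """x = v / u^a (division is multiplication by the inverse mod p)."""
    return v * pow(pow(u, a, P), -1, P) % P


def split_key(a, a1=None):
    """Additive shares a = a1 + a2 (mod q); the joint public key is b1 * b2 = g^(a1 + a2)."""
    a1 = secrets.randbelow(Q) if a1 is None else a1
    return a1, (a - a1) % Q


def two_team_decrypt(a1, a2, u, v):
    """Rabbit formula: team 1 divides by u^a1, team 2 divides the result by u^a2."""
    v_prime = decrypt(a1, u, v)        # v' = Dec_a1(u, v)
    return decrypt(a2, u, v_prime)     # x  = Dec_a2(u, v')


if __name__ == "__main__":
    a, b = keygen()
    k, u = keygen()                    # Bob's Diffie-Hellman contribution u = g^k
    print("DH agree:", dh_shared(a, u) == dh_shared(k, b))
    x = 4242                           # constructed sample message
    u, v = encrypt(b, x)
    a1, a2 = split_key(a)
    b1, b2 = pow(G, a1, P), pow(G, a2, P)
    print("b1*b2 == b:", b1 * b2 % P == b)
    print("full key:", decrypt(a, u, v), "two teams:", two_team_decrypt(a1, a2, u, v),
          "one share only:", decrypt(a1, u, v))
```

The shares are taken modulo q rather than modulo p - 1 because u lies in the subgroup of order q, so u^(a1+a2) depends only on a1 + a2 mod q; with a1 chosen uniformly, a2 reveals nothing about a on its own.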