Cryptosystems Based on Discrete Logarithms
Outline
• [1] Discrete Logarithm Problem
• [2] Algorithms for Discrete Logarithm
  – A trivial algorithm
  – Shanks’ algorithm (Baby-step Giant-step)
  – Pollard’s algorithm
  – Pohlig-Hellman algorithm
  – Adleman’s algorithm (the index calculus method)
• [3] Cryptosystems Based on Discrete Logarithm
  – Key distribution
  – Encryption
  – Digital signature
[1] Discrete Logarithm Problem
• Let G be a finite multiplicative group (G, *).
  For an element α ∈ G having order n, define
      <α> = {α^i | i = 0, 1, 2, …, n-1}.
  Then <α> is a subgroup of G, and <α> is cyclic of order n.
• Discrete logarithm problem
  Given β ∈ <α>, find the unique integer a, 0 ≤ a ≤ n-1, s.t. β = α^a.
  We will denote this integer a by log_α β; it is called the discrete logarithm of β.
• Example 1
  G = Z*_19 = {1, 2, …, 18}, n = 18, generator g = 2,
  then log_2 14 = 7 and log_2 6 = 14.

  i     1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18
  g^i   2   4   8  16  13   7  14   9  18  17  15  11   3   6  12   5  10   1
• Example 2
  In Z*_11 = {1, 2, …, 10},
  let G = <3> = {1, 3, 9, 5, 4}, n = 5.
  3 is not a generator of Z*_11 but a generator of G.
  log_3 5 = 3
• Example 3
  G = GF*(2^3) with irreducible poly. p(x) = x^3 + x + 1,
  G = (Z_2[x]/p(x))* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x,
  then log_x(x+1) = 3, log_x(x^2+x+1) = 5, log_x(x^2+1) = 6.

  i     1    2      3      4        5          6        7
  g^i   x    x^2    x+1    x^2+x    x^2+x+1    x^2+1    1
• Example 4
  Let p = 1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359
  NB: p = 158(2^800 + 25) + 1 and has 807 bits.
• Find a such that 2^a ≡ 3 (mod p).
[2] Algorithms for Discrete Logarithm
• A trivial algorithm
• Shanks’ algorithm (Baby-step giant-step)
• Pollard rho discrete log algorithm
• Pohlig-Hellman algorithm
• The index calculus method
A trivial algorithm
• Discrete Logarithm Problem in Z_p*
  Given a generator α (i.e. <α> = Z_p*) and β in Z_p*, find a in Z_{p-1} = {0, 1, …, p-2} s.t. β = α^a mod p.
• A trivial algorithm
  – Compute α^i for i = 0, 1, 2, … and test whether β = α^i.
  – Time complexity O(p)
Shanks’ algorithm
• Shanks’ algorithm (Baby-step giant-step) (1972)
  – Compute L1 = {(i, α^{mi}) | i = 0, 1, …, m-1}
            L2 = {(i, βα^{-i}) | i = 0, 1, …, m-1}
    where m = ceiling((p-1)^{1/2}).
  – Sort L1 and L2 with respect to the 2nd coordinate.
  – Find a common 2nd coordinate in L1 and L2, say (q, α^{mq}) and (r, βα^{-r}), to get α^{mq} = βα^{-r}. So β = α^{mq+r} and a = mq + r.
  – Time complexity O(m log m) = O(p^{1/2} log p)
  – Space complexity O(p^{1/2})
Example 1: log_2 15 mod 19 = ?
G = Z*_19 = {1, 2, …, 18}, α = 2, α^{-1} = 10, n = p-1 = 18, m = 5, α^m = 13, β = 15

  L1: (i, α^{mi})   L2: (i, βα^{-i})
      (0, 1)            (0, 15)
      (1, 13)           (1, 17)        q = 2
      (2, 17)           (2, 18)        r = 1
      (3, 12)           (3, 9)         mq + r = 11
      (4, 4)            (4, 14)

log_2 15 mod 19 = 11
Example 2: log_3 525 mod 809 = ?
G = Z*_809 = {1, 2, …, 808} = <3>, α = 3, α^{-1} = 270, n = p-1 = 808, m = 29, α^m = 99, β = 525

  L1: (i, α^{mi})   L2: (i, βα^{-i})
      (0, 1)            (0, 525)
      (1, 99)           (1, 175)
      (2, 93)           (2, 328)
      (3, 308)          (3, 379)
      (4, 559)          (4, 396)
      (5, 329)          (5, 132)
      (6, 211)          (6, 44)
      (7, 664)          (7, 554)
      (8, 207)          (8, 724)
      (9, 268)          (9, 511)
      (10, 644)         (10, 440)
      (11, 654)         (11, 686)
      (12, 26)          (12, 768)
      (13, 147)         (13, 256)
      (14, 800)         (14, 355)
      (15, 727)         (15, 388)
      (16, 781)         (16, 399)
      (17, 464)         (17, 133)
      (18, 632)         (18, 314)
      (19, 275)         (19, 644)
      (20, 528)         (20, 754)
      (21, 496)         (21, 521)
      (22, 564)         (22, 713)
      (23, 15)          (23, 777)
      (24, 676)         (24, 259)
      (25, 586)         (25, 356)
      (26, 575)         (26, 658)
      (27, 295)         (27, 489)
      (28, 81)          (28, 163)

The common 2nd coordinate is 644: q = 10, r = 19, so mq + r = 29*10 + 19 mod 808 = 309,
and log_3 525 mod 809 = 309.
Pollard rho DL algorithm
• Pollard rho discrete logarithm algorithm (1978)
  Compute integers s and t such that α^s β^t = 1.
  – Partition the group G into three roughly equal-sized sets S1, S2 and S3. Let x0 = 1_G, and x0 is not in S2.
  – Let x_i = α^{a_i} β^{b_i}. The iteration is

        x_{i+1} = β x_i     for x_i ∈ S1
        x_{i+1} = x_i^2     for x_i ∈ S2
        x_{i+1} = α x_i     for x_i ∈ S3

    where n = p-1 when G = Z*_p, and the exponents are carried along as

        a_{i+1} = a_i                for x_i ∈ S1
        a_{i+1} = 2a_i (mod n)       for x_i ∈ S2
        a_{i+1} = a_i + 1 (mod n)    for x_i ∈ S3

        b_{i+1} = b_i + 1 (mod n)    for x_i ∈ S1
        b_{i+1} = 2b_i (mod n)       for x_i ∈ S2
        b_{i+1} = b_i                for x_i ∈ S3
  We should expect some integer i such that x_i = x_{2i} (found using Floyd's algorithm); then this gives α^{a_i} β^{b_i} = α^{a_{2i}} β^{b_{2i}}, i.e. α^s β^t = 1 with
        s = a_i - a_{2i} (mod n),   t = b_i - b_{2i} (mod n).
  If gcd(t, n) = 1 then compute t^{-1} (mod n) and we have β^t = α^{-s}, so that
        log_α β = -s t^{-1} (mod n).
  If gcd(t, n) = d ≠ 1 there is a little more work to do... (Omitted)
• Floyd’s cycle-finding algorithm:
  One starts with the pair (x1, x2), and iteratively computes (x_i, x_{2i}) from the previous (x_{i-1}, x_{2i-2}), until x_m = x_{2m} for some m. The expected running time of this method is O(n^{1/2}).
• Pollard’s rho algorithm for discrete logarithms
  – INPUT: a generator α of a cyclic group G of prime order n, and an element β of G
  – OUTPUT: log_α β
    1. Set x0 ← 1, a0 ← 0, b0 ← 0.
    2. For i = 1, 2, … do the following:
       2.1 Use x_{i-1}, a_{i-1}, b_{i-1} to compute x_i, a_i, b_i.
           Use x_{2i-2}, a_{2i-2}, b_{2i-2} to compute x_{2i}, a_{2i}, b_{2i}.
       2.2 If x_i = x_{2i}, then do the following:
           set r ← b_i – b_{2i};
           if gcd(r, n) ≠ 1 then return ‘failure’
           else return r^{-1}(a_{2i} – a_i) mod n.
• Example: α = 2 is a generator of the subgroup G of Z*_383 of order n = 191 (in this case <α> = G ≠ Z*_383).
  Suppose β = 228. Find log_2 228.
  Solution: Partition G into 3 subsets, let
        S1 = {x ∈ G | x ≡ 1 mod 3}
        S2 = {x ∈ G | x ≡ 0 mod 3}
        S3 = {x ∈ G | x ≡ 2 mod 3}
   i   x_i  a_i  b_i   x_2i  a_2i  b_2i
   1   228    0    1    279     0     2
   2   279    0    2    184     1     4
   3    92    0    4     14     1     6
   4   184    1    4    256     2     7
   5   205    1    5    304     3     8
   6    14    1    6    121     6    18
   7    28    2    6    144    12    38
   8   256    2    7    235    48   152
   9   152    2    8     72    48   154
  10   304    3    8     14    96   118
  11   372    3    9    256    97   119
  12   121    6   18    304    98   120
  13    12    6   19    121     5    51
  14   144   12   38    144    10   104
• Solution (continued):
  From the table, we have x14 = x28 = 144.
  Finally compute r = b14 - b28 mod 191 = 125,
  r^{-1} = 125^{-1} mod 191 = 136, and
  r^{-1}(a28 - a14) mod 191 = 110.
  Hence, log_2 228 = 110.
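The rho iteration and Floyd's cycle finding from the algorithm above, as an added example (not code from the slides) that reproduces the table and the answer log_2 228 = 110. It uses the same partition by x mod 3 and assumes Python 3.8+ for pow(r, -1, n).

```python
from math import gcd

def rho_step(x, a, b, alpha, beta, p, n):
    """One iteration on (x_i, a_i, b_i) with x_i = alpha^a_i beta^b_i, using the
    partition S1 = {x = 1 mod 3}, S2 = {x = 0 mod 3}, S3 = {x = 2 mod 3}."""
    if x % 3 == 1:                                  # x in S1: multiply by beta
        return x * beta % p, a, (b + 1) % n
    if x % 3 == 0:                                  # x in S2: square
        return x * x % p, 2 * a % n, 2 * b % n
    return x * alpha % p, (a + 1) % n, b            # x in S3: multiply by alpha

def find_collision(alpha, beta, p, n):
    """Floyd's cycle finding: advance (x_i) one step and (x_2i) two steps per
    round; return (i, (x_i, a_i, b_i), (x_2i, a_2i, b_2i)) at the first x_i = x_2i."""
    slow = fast = (1, 0, 0)                         # x_0 = 1, a_0 = 0, b_0 = 0
    for i in range(1, n + 1):
        slow = rho_step(*slow, alpha, beta, p, n)
        fast = rho_step(*rho_step(*fast, alpha, beta, p, n), alpha, beta, p, n)
        if slow[0] == fast[0]:
            return i, slow, fast
    return None

def pollard_rho_log(alpha, beta, p, n):
    """log_alpha(beta) in the subgroup of Z_p^* of prime order n generated by
    alpha, or None on the (unlikely) failure gcd(r, n) != 1."""
    hit = find_collision(alpha, beta, p, n)
    if hit is None:
        return None
    _, (x, a, b), (X, A, B) = hit                   # alpha^a beta^b = alpha^A beta^B
    r = (b - B) % n
    if gcd(r, n) != 1:
        return None
    return pow(r, -1, n) * (A - a) % n              # beta^(b-B) = alpha^(A-a)

if __name__ == "__main__":
    i, xi, x2i = find_collision(2, 228, 383, 191)
    print(i, xi, x2i)                               # 14 (144, 12, 38) (144, 10, 104)
    print(pollard_rho_log(2, 228, 383, 191))        # 110
```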
Pohlig-Hellman algorithm
• Pohlig-Hellman algorithm (1978)
  If <α> is of order n and β in <α>, then a = log_α β is determined (uniquely) mod n.
  E.g. if <α> = Z_p* (i.e. α is a generator of Z_p*), then n = p-1.
  Let
        n = p_1^{c_1} p_2^{c_2} … p_k^{c_k}.
  The idea of the Pohlig-Hellman algorithm is that we can compute a mod p_i^{c_i} for each i, then we compute a mod n by the CRT (Chinese remainder theorem). (See Text for details.)
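The standard Pohlig-Hellman procedure the slide defers to the text, as an added example (not code from the slides): each a mod p_i^{c_i} is recovered one base-p_i digit at a time by the trivial algorithm in the subgroup of order p_i, and the residues are combined by the CRT. It assumes Python 3.8+ for pow(m, -1, mod) and checks itself against Example 2 (n = 808 = 2^3 · 101).

```python
def trivial_log(gamma, h, p, q):
    """The 'trivial algorithm' in the subgroup of order q: try gamma^0, gamma^1, ..."""
    x = 1
    for i in range(q):
        if x == h:
            return i
        x = x * gamma % p
    raise ValueError("h is not in <gamma>")

def factorize(n):
    """Trial-division factorization of n as {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def crt(residues):
    """Combine [(r_i, m_i)] with pairwise coprime m_i into the unique a mod prod(m_i)."""
    a, m = 0, 1
    for r, mod in residues:
        t = (r - a) * pow(m, -1, mod) % mod        # choose t so a + m*t = r (mod mod)
        a, m = a + m * t, m * mod
    return a % m

def pohlig_hellman(alpha, beta, p, n):
    """a = log_alpha(beta) in Z_p^*, where alpha has order n = prod p_i^c_i."""
    residues = []
    for q, c in factorize(n).items():
        gamma = pow(alpha, n // q, p)              # generates the subgroup of order q
        a_q = 0                                    # a mod q^j, one base-q digit per round
        for j in range(c):
            # (beta * alpha^-a_q)^(n / q^(j+1)) = gamma^(d_j), d_j the next digit of a
            h = beta * pow(alpha, (n - a_q) % n, p) % p
            h = pow(h, n // q ** (j + 1), p)
            a_q += trivial_log(gamma, h, p, q) * q ** j
        residues.append((a_q, q ** c))             # a mod q^c
    return crt(residues)

if __name__ == "__main__":
    print(factorize(808))                          # {2: 3, 101: 1}
    print(pohlig_hellman(3, 525, 809, 808))        # 309, matching Example 2 above
```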
The index calculus method
• The index calculus method (suitable only for G = Z_p*)
  – (1st step) Find the discrete logarithms of the B primes in the factor base {p_1, p_2, …, p_B}.
  – (2nd step) Compute the discrete logarithm of a desired element a, using the knowledge of the discrete logarithms of the elements in the factor base.
• Example
  log_5 9451 mod 10007 = ? Choose B = {2, 3, 5, 7}. Of course log_5 5 = 1.
  Use the lucky exponents 4063, 5136, and 9865:
        5^4063 mod 10007 = 42  = 2 * 3 * 7
        5^5136 mod 10007 = 54  = 2 * 3^3
        5^9865 mod 10007 = 189 = 3^3 * 7
  And we have three congruences:
        log_5 2 + log_5 3 + log_5 7 = 4063 mod 10006
        log_5 2 + 3 log_5 3         = 5136 mod 10006
        3 log_5 3 + log_5 7         = 9865 mod 10006
  There happens to be a unique solution modulo 10006:
        log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301.
  Choose the random exponent s = 7736 and try to calculate
        βα^s = 9451 * 5^7736 mod 10007 = 8400.
  Since 8400 = 2^4 * 3 * 5^2 * 7 factors over B, we obtain
        log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 – s) mod 10006
                   = (4*6578 + 6190 + 2*1 + 1301 – 7736) mod 10006
                   = 6057 mod 10006
[3] Cryptosystems based on DL
• Key Distribution – Diffie-Hellman, 1976
• Encryption – Massey-Omura cryptosystem, 1983
• Digital Signature – ElGamal, 1985
Diffie-Hellman Key Exchange Algorithm
• Global Public Elements
  – q : prime number
  – α : α < q and α is a primitive root of q
• User A Key Generation
  – Select private XA : XA < q
  – Calculate public YA : YA = α^{XA} mod q
• User B Key Generation
  – Select private XB : XB < q
  – Calculate public YB : YB = α^{XB} mod q
• Generation of Secret Key by User A
  – K = (YB)^{XA} mod q
• Generation of Secret Key by User B
  – K = (YA)^{XB} mod q
Diffie-Hellman Key Exchange

  User A                                      User B
  Generate random XA < q;
  Calculate YA = α^{XA} mod q
                      ----------- YA ----------->
                                                Generate random XB < q;
                                                Calculate YB = α^{XB} mod q
                      <---------- YB ------------
  Calculate K = (YB)^{XA} mod q                 Calculate K = (YA)^{XB} mod q
Massey-Omura for message transmission
• Parameters
  – q : prime number
  – e : a random private integer
    • 0 < e < q and gcd(e, q-1) = 1
  – d : an inverse of e
    • d = e^{-1} mod (q-1), i.e., de ≡ 1 mod (q-1)
  – M : a message to be encrypted and decrypted
• User A wants to send a message M to User B
  – User A : eA and dA are both private
  – User B : eB and dB are both private
Massey-Omura for message transmission

  User A                                        User B
  1. Encryption (1): C1 = M^{eA} mod q
                      ----------- C1 ----------->
                                                 2. Encryption (2): C2 = C1^{eB}
                                                                       = M^{eA eB} mod q
                      <---------- C2 ------------
  3. Encryption (3): C3 = C2^{dA}
                        = (M^{eA eB})^{dA}
                        = M^{eB} mod q
                      ----------- C3 ----------->
                                                 4. Decryption: M = C3^{dB}
                                                                  = M^{eB dB} mod q
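The three-pass exchange above run end to end, as an added example (not code from the slides): key generation enforces gcd(e, q-1) = 1 so that d = e^{-1} mod (q-1) exists, and the message must lie in Z_q^* for M^{eB dB} = M to hold. The prime q = 10007 and the message are constructed toy values, far too small for real use; Python 3.8+ is assumed for pow(e, -1, q-1).

```python
from math import gcd
import secrets

def massey_omura_keygen(q, rng=secrets.randbelow):
    """Private pair (e, d): 0 < e < q with gcd(e, q-1) = 1 and d = e^-1 mod (q-1)."""
    while True:
        e = 1 + rng(q - 1)                        # uniform in 1 .. q-1
        if gcd(e, q - 1) == 1:
            return e, pow(e, -1, q - 1)

def massey_omura(q, M, keyA, keyB):
    """Run the three passes; return (C1, C2, C3, M_recovered)."""
    if not 1 <= M < q:
        raise ValueError("M must be in Z_q^*")    # otherwise M^(eB dB) != M
    eA, dA = keyA
    eB, dB = keyB
    C1 = pow(M, eA, q)                            # pass 1, A -> B
    C2 = pow(C1, eB, q)                           # pass 2, B -> A: M^(eA eB)
    C3 = pow(C2, dA, q)                           # pass 3, A -> B: eA removed, M^eB
    return C1, C2, C3, pow(C3, dB, q)             # B removes eB: M^(eB dB) = M

if __name__ == "__main__":
    q, M = 10007, 9451                            # toy prime and message (constructed)
    kA, kB = massey_omura_keygen(q), massey_omura_keygen(q)
    print(massey_omura(q, M, kA, kB)[3] == M)     # True
```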
ElGamal encryption scheme
• Parameters
  – p : a large prime
  – α : a generator in Z_p*
  – a : a private key, a ∈ [1, p-1]
  – β : a public key, β = α^a (mod p)
  – m : a message, m ∈ [1, p-1]
  – k : a random integer that is privately selected, k ∈ [0, p-2]
  – K = (p, α, a, β) : public key + private key
• Encryption e_K(m, k) = (y1, y2), where y1 = α^k mod p and y2 = mβ^k mod p
• Decryption m = d_K(y1, y2) = y2 (y1^a)^{-1} mod p
ElGamal signature scheme
• 1985 ElGamal
• Parameters
  – p : a large prime
  – α : a generator in Z_p*
  – a : a private key, a ∈ [1, p-1]
  – β : a public key, β = α^a (mod p)
  – m : a message to be signed, m ∈ [1, p-1]
  – k : a random integer that is privately selected, k ∈ [0, p-2]
• Signature
  – r = α^k mod p, where gcd(k, p-1) = 1
  – m = ks + ra mod (p-1), i.e. s = k^{-1}(m – ra) mod (p-1)
  – (m, (r, s)) is sent to the verifier
• Verification
  – α^m = r^s β^r mod p
  – The signature (r, s) is accepted when the equality holds true.