1

Cryptosystems Based on Discrete Logarithms

2

Outline

• [1] Discrete Logarithm Problem

• [2] Algorithms for Discrete Logarithm– A trivial algorithm

– Shanks’ algorithm (Baby-step Giant-step)

– Pollard’s algorithm

– Pohlig-Hellman algorithm

– Adleman’s algorithm (the index calculus method)

• [3] Cryptosystems Based on Discrete Logarithm– Key distribution

– Encryption

– Digital signature

3

[1] Discrete Logarithm Problem

• Let G be a finite multiplicative group (G, *).

For an element α G having order n, define.

<α> = {α i | i = 0, 1, 2, …, n-1}

Then <α> is a subgroup of G, and <α> is cyclic of order n.

• Discrete logarithm problem

. of logarithm discrete thecalled isit

;logby ainteger thisdenote willWe

s.t. 1,-n0 ,integer unique thefind ,Given

β

β

βα

aa

a

a

4

• Example 1G = Z*

19 = { 1, 2, …, 18}n=18, generator g = 2

then log214 = 7 log26 = 14

Discrete Logarithm Problem

i123456789ig2481613714918

10 11 12 13 14 15 16 17 18

17 15 11 3 6 12 5 10 1

5

• Example 2

In Z*11 = { 1, 2, …, 10}

Let G= <3> ={1, 3, 9, 5, 4}, n=5,

3 is not a generator of Z*11 but a generator of G.

log35 = 3

Discrete Logarithm Problem

6

• Example 3G=GF*(23) with irreducible poly. p(x) = x3 + x +1G=Zp

*/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }n=7, generator g = x

then logx(x+1) = 3 logx(x2+x+1) = 5 logx(x2+1) = 6

Discrete Logarithm Problem

i 1 2 3 4 5 6 7ig x 2x 1x xx2 12 xx 12x 1

7

Discrete Logarithm Problem• Example 4

Let p =1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359

NB: p = 158(2800 + 25) + 1 and has 807 bits.• Find such thata

) (mod 32 pa

8

[2] Algorithms for Discrete Logarithm

• A trivial algorithm• Shanks’ algorithm (Baby-step giant-step)• Pollard rho discrete log algorithm• Pohlig-Hellman algorithm• The index calculus method

9

• Discrete Logarithm Problem in Zp*

given generator α (i.e. <α>= Zp*) and β in Zp

* , find a in Zp-1={0,1,…,p-2} s.t. β = αa mod p

• A trivial algorithm– Compute αi and test if β = αi

– Time complexity O(p)

A trivial algorithm

10

• Shanks’ algorithm (Baby-step giant-step) (1972)– Compute L1 = {(i, αmi), i = 0, 1, …, m-1}

L2 = {(i, βα-i), i = 0, 1, …, m-1}

– where m = ceiling((p-1) ½) Sort L1 and L2 with respect to the 2nd coordinate.

– Find the same 2nd coordinate from L1 and L2, say, (q, αmq), (r, βα-r), to get αmq =βα-r. So β = αmq + r and a = mq+r.– Time complexity O(m log m) = O(p 1/2 log p)– Space complexity O(p 1/2)

Shanks’ algorithm

11

Example 1 log215 mod 19 =?

G = Z*19 = { 1, 2, …, 18}α = 2, α-1 = 10, n = p-1 = 18, m = 5, αm = 13

β = 15

L1: (i, αmi) L2: (i, βα-i) (0, 1) (0, 15)

(1, 13) (1, 17) q = 2 (2, 17) (2, 18) r = 1 (3, 12) (3, 9) mq + r = 11 (4, 4) (4, 14)

log215 mod 19 = 11

12

Example 2

log3525 mod 809 =? G = Z*809 = { 1, 2, …, 808} = <3>

α = 3, α-1 = 10, n = p-1 = 808, m = 29, αm = 99 β = 525

L1: (i, αmi) L2: (i, βα-i) (0, 1) (0, 525)

(1, 99) (1, 175) (2, 93) (2, 328)

(3, 308) (3, 379) (4, 559) (4, 396)

(5, 329) (5, 132) (6, 211) (6, 44) (7, 664) (7, 554) (8, 207) (8, 724) (9, 268) (9, 511) (10, 644) (10, 440) (11, 654) (11, 686) (12, 26) (12, 768)

13

L1: (i, αmi) L2: (i, βα-i) (13, 147) (13, 256)

(14, 800) (14, 355) (15, 727) (15, 388)

(16, 781) (16, 399) (17, 464) (17, 133)

(18, 632) (18, 314) (19, 275) (19, 644) (20, 528) (20, 754) (21, 496) (21, 521) (22, 564) (22, 713) (23, 15) (23,777) (24, 676) (24, 259) (25, 586) (25, 356)

(26, 575) (26, 658) (27, 295) (27, 489) (28, 81) (28, 163)

q = 10, r = 19, so mq + r = 29*10+19 mod 808 = 309

and log3525 mod 809 = 309

14

• Pollard rho discrete logarithm algorithm (1978)compute integers s and t such that

– partition the group G into three roughly equal-sized set S1 , S2 and S3 . Let x0 = 1G and x0 is not in S2

Pollard rho DL algorithm

ts

1ix1 Sxforx ii

22 Sxforx ii

3 Sxforx ii

ii baix Let

15

where n = p-1 when G = Z*p

1ia1)(mod1 Sxforna ii 2)(mod2 Sxforna ii

3Sxfora ii

1ib

3)(mod1 Sxfornb ii 2)(mod2 Sxfornb ii 1Sxforb ii

16

We should expect some integer such that , then this gives with If then compute and we have , so that If little work to do... (Omitted)

21

3ni ii xx 2 algorithm) sFloyd' (using ts

)(mod2 naas ii 1),gcd( ns

)(mod1 ns

ts 1

).(mod log 1 nts

1),gcd( dns

) (mod 2 nbbt ii

17

• Floyd’s cycle-finding algorithm:

One starts with the pair (x1, x2), and iteratively

computes (xi, x2i) from the previous (xi-1, x2i-2),

until xm=x2m for some m. The expected running

time of this method is O(n1/2).

18

• Pollard’s rho algorithm for discrete logarithms

– INPUT: a generator α of a cyclic group G of prime order n, and β is an element of G

– OUTPUT: 1. Set x0 1, a0 0, b0 02. For i = 1, 2, …. Do the following: 2.1 Use xi-1, ai-1, bi-1 to compute xi, ai, bi Use x2i-2, a2i-2, b2i-2 to compute x2i, a2i, b2i

2.2 if xi=x2i, then do the following set r bi – b2i

if gcd(r,n) ≠1 then return ‘failure’ else return r-1(a2i-ai) mod n

aglog

19

• Example:α= 2 is a generator of the subgroup G of Z383

* of order n= 191.(in this case <α> = G ≠ Z383

* )

Suppose β = 228. Find log2228.

Solution: Partition G into 3 subsets, let

}3 mod 2|{

}3 mod 0|{

}3 mod 1|{

3

2

1

xGxS

xGxS

xGxS

20

i xi ai bi x2i a2i b2i

1 228 0 1 279 0 2

2 279 0 2 184 1 4

3 92 0 4 14 1 6

4 184 1 4 256 2 7

5 205 1 5 304 3 8

6 14 1 6 121 6 18

7 28 2 6 144 12 38

8 256 2 7 235 48 152

9 152 2 8 72 48 154

10 304 3 8 14 96 118

11 372 3 9 256 97 119

12 121 6 18 304 98 120

13 12 6 19 121 5 51

14 144 12 38 144 10 104

21

• Solution (continued):

From the table, we have x14 = x28 = 144.

Finally compute r = a14-a28 mod 191=125

r-1 = 125-1 mod 191 = 136, and

r-1(b28 - b14) mod 191 = 110.

Hence, log2228 = 110.

22

Pohlig-Hellman algorithm

• Pohlig-Hellman algorithm (1978)

If <α> is of order n and β in <α>

then a = logαβ is determined (uniquely) mod n.

Eg. If <α> = Zp* (i.e. α is a generator of Zp*),

then n = p-1

Let

The idea of Pohlig-Hellman algorithm is that we can compute

a mod pici for each i, then we compute a mod n by CRT (Chinese re

mainder theorem). (see Text for details)

kck

cc pppn ...2121

23

The index calculus method

• The index calculus method (Suitable only for G=Zp*)

base.factor in the

elements theof logarithms discrete theof knowledge theusing

a,element desired a of logarithm discrete thecompute To

step) (2nd

}.p ..., ,p ,{p

base.factor in the primes B theof logarithms discrete thefind To

step)(1st

B21

24

• Example

log59451 mod 10007=? Choose B={2, 3, 5, 7}. Of course log55=1. Use lucky exponents 4063, 5136, and 9865 54063 mod 10007 = 42 = 2 * 3 * 7 55136 mod 10007 = 54 = 2 * 33

59865 mod 10007 = 189 = 33 * 7 And we have three congruences: log52 + log53 + log57 = 4063 mod 10006 log52 + 3 log53 = 5136 mod 10006 3 log53 + log57 = 9865 mod 10006

25

There happens to be a unique solution modulo 10006

log52=6578, log53=6190, and log57=1301

Choose random exponent s = 7736 and try to calculate

βαs = 9451*57736 mod 10007 = 8400

Since 8400 = 24*3*52*7 factors over B, we obtain

log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006

= (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006

= 6057 mod 10006

26

[3] Cryptosystems based on DL

• Key Distribution– Diffie-Hellman, 1976

• Encryption– Massey-Omura cryptosystem, 1983

• Digital Signature– ElGamal, 1985

27

Diffie-Hellman Key Exchange Algorithm

• Global Public Elements– q : prime number

– α: α< q and α is a primitive root of q

• User A Key Generation– Select private XA : XA< q

– Calculate public YA : YA= αXA mod q

• User B Key Generation– Select private XB : XB< q

– Calculate public YB : YB= αXB mod q

• Generation of Secret Key by User A– K = (YB)XA mod q

• Generation of Secret Key by User B– K = (YA)XB mod q

28

User A User B

Generate random XA < q ;Calculate YA = αXA mod q

Calculate K = (YB)XA mod q

Generate random XB < q ;Calculate YB = αXB mod qCalculate K = (YA)XB mod q

YA

YB

Diffie-Hellman Key Exchange

29

Massey-Omura for message transmission

• Parameters– q : prime number

– e : a random private integer

• 0 < e < q and gcd ( e, q-1) = 1

– d : an inverse of e

• d = e-1 mod q-1 , i.e., de≡1 mod q-1

– M : a message to be encrypted and decrypted

• User A wants to send a message M to User B– User A : eA and dA are both private

– User B : eB and dB are both private

30

User A User B

1.Encryption(1) C1 = M eA mod q

3.Encryption(3) C3 = C2

dA

= (M eAeB)dA

= M eB mod q

2.Encryption(2) C2 = C1

eB

= M eAeB mod q

4. Decryption M = C3

dB

= M eBdB mod q

Massey-Omura for message transmission

C1

C2

C3

31

ElGamal encryption scheme

• Parameters– p : a large prime– α: a generator in Zp*– a : a private key, a [1, p-1]– c : a public key , β = αa (mod p)– m : a message, m [1, p-1]– k : a random integer that is privately selected, k [0, p-

2]– K = (p, α, a, β) : public key + private key

• Encryption eK(m, k)=(y1, y2)

where y1 = αk mod p and y2=mβk mod p

• Decryption m = dK(y1, y2) = y2(y1

a)-1 mod p

32

ElGamal signature scheme• 1985 ElGamal• Parameters

– p : a large prime– α: a generator in Zp*– a : a private key, a [1, p-1]– β : a public key , β = αa (mod p)– m : a message to be signed , m [1, p-1]– k : a random integer that is privately selected, k [0, p-2]

• Signature– r = αk mod p, where gcd( k, p-1 ) = 1– m = ks + ra mod (p-1) – ( m , (r,s) ) is sent to the verifier

• Verification– αm = rsβ r mod p– The signature (r,s) is accepted when the equality holds true.