Public key ciphers 2
Session 6
Contents
• The discrete logarithm problem
• The Diffie-Hellman key exchange
The discrete logarithm problem
• Over the real numbers, exponentiation (finding $y=b^x$) is not significantly easier than the inverse operation (finding $x=\log_b(y)$)
• Over GF($p^n$) the algorithm for modular exponentiation or repeated squaring makes exponentiation easy
• But finding $\log_b(y)$ is considered to be a difficult problem
The discrete logarithm problem
• Definition (Discrete logarithm)
  – If G is a finite group, b is an element of G and y is an element of G such that $y=b^x$, then the discrete logarithm of y for the base b is any integer x such that $b^x = y$
The discrete logarithm problem
• Example (1)
  – Let $f(x)=x^2-x-1$ be an irreducible polynomial over GF($3^2$)
  – The elements of the multiplicative group of the
field are the powers of a primitive element (1)0=1011=102=2 mod (2--1)=+1113=2=(+1)=2+=+1+=2+121
The discrete logarithm problem
• Example (2)
  – The elements of the multiplicative group of the
field (2)4=3=(2+1)=22+=2(+1)+=2+2+=2025=4=2206=5=2=22=2(+1)=2+2227=6=(2+2)=22+2=2(+1)+2=2+2+2= = +21200 is also an element of the field
The discrete logarithm problem
• Example (3)– The logarithm
log(02)=log(4)=4
• No polynomial-time algorithm is known for computing the discrete logarithm in the general case (i.e. in an arbitrary group)
The discrete logarithm problem
• Known algorithms for solving DLP (1)
  – Algorithms that work in arbitrary groups
    • Exhaustive search
    • Baby-step giant-step algorithm
    • Etc.
  – Algorithms that work in arbitrary groups, but are especially efficient if the order of the group has only small prime factors
    • Example: the Pohlig-Hellman algorithm
The discrete logarithm problem
• Known algorithms for solving DLP (2)
  – The index calculus algorithms, which are efficient only in certain groups
The discrete logarithm problem
• Exhaustive search
  – Requires generating the whole multiplicative group of the field
  – That requires O(q) operations, where $q=p^n$ is the order of the multiplicative group of the field GF($p^n$)
The discrete logarithm problem
• The Baby step – giant step algorithm (1)
  – Input
    • A generator of a cyclic group G of order n, and an element G
  – Output
    • The discrete logarithm x = log
The discrete logarithm problem
• The Baby step – giant step algorithm (2)
  1. Set $m = \lceil\sqrt{n}\,\rceil$
  2. Construct a table with entries (j,j), $0 \le j < m$
  3. Sort the table by its second component
  4. Compute -m mod n and set =
The discrete logarithm problem
• The Baby step – giant step algorithm (3)
  5. For $0 \le i \le m-1$ do
     1. Check if is the second component of some entry in the table
     2. If =j then return x=im+j
     3. Set -m
  – The algorithm requires $O(\sqrt{n})$ storage and $O(\sqrt{n})$ group multiplications
The discrete logarithm problem
• Example: n=113, =3, =57 (1)
  1. Set $m = \lceil\sqrt{113}\,\rceil = 11$
  2. Construct the table

     j                0   1   2   3   4   5   6   7   8   9  10
     $3^j$ mod 113    1   3   9  27  81  17  51  40   7  21  63

  3. Sort the table by the second component

     j                0   1   8   2   5   9   3   7   6  10   4
     $3^j$ mod 113    1   3   7   9  17  21  27  40  51  63  81
The discrete logarithm problem
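• Example: n=113, =3, =57 (2)
  4. Compute -11 mod 113 = (11)-1 (1)
    • We use the extended Euclidean algorithm (1)
      11 mod 113 = $3^{11}$ mod 113 = 76
      – We compute (113,76)
        $113 = 1\cdot 76 + 37$
        $76 = 2\cdot 37 + 2$
        $37 = 18\cdot 2 + 1$
      – Then
        $1 = 37 - 18\cdot 2 = 37 - 18\cdot(76 - 2\cdot 37) = 37 - 18\cdot 76 + 36\cdot 37$
        $= 37\cdot 37 - 18\cdot 76 = 37\cdot(113 - 76) - 18\cdot 76 = 37\cdot 113 - 37\cdot 76 - 18\cdot 76$
        $= 37\cdot 113 - 55\cdot 76$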
The discrete logarithm problem
• Example: n=113, =3, =57 (3)
  4. Compute -11 mod 113 = (11)-1 (2)
    • We use the extended Euclidean algorithm (2)
      – If we take both sides mod 113 we get
        » $1 \equiv -55\cdot 76 \pmod{113}$
        » Since $-55 \equiv 58 \pmod{113}$, (11)-1=58
    • We also set ==57
The discrete logarithm problem
• Example: n=113, =3, =57 (4)
  5. For i=0 to 10 we try -m until we get a value from the second row in the table

     i     0   1    2   3    4   5   6   7   8   9
          57  29  100  37  112  55  26  39   2   3

  – We conclude that $\log_3 57 = 9\cdot 11 + 1 = 100$
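The worked example above (base 3, element 57, modulus 113) as a runnable sketch, added here and not part of the original slides. The function and variable names are hypothetical, the group order is assumed to be p − 1 = 112 (which gives the same m = 11), and a dictionary stands in for the sorted table.

```python
from math import isqrt


def baby_step_giant_step(base, target, p):
    """Return (x, trace) with base**x % p == target, or (None, trace).

    Assumptions (not from the slides): p is prime and the group order is
    taken as n = p - 1. `trace` lists the giant-step values that were tried,
    so it can be compared with the last table of the worked example.
    """
    n = p - 1
    m = isqrt(n)
    if m * m < n:
        m += 1  # m = ceil(sqrt(n))

    # Baby steps: map base^j mod p -> j for 0 <= j < m.
    # A dict lookup replaces "sort the table, then search its second component".
    table = {}
    value = 1
    for j in range(m):
        table.setdefault(value, j)  # keep the smallest j if values repeat
        value = value * base % p

    # base^(-m) mod p; pow() with a negative exponent needs Python 3.8+.
    factor = pow(base, -m, p)

    # Giant steps: multiply by base^(-m) until a baby-step value is hit.
    current = target % p
    trace = []
    for i in range(m):
        trace.append(current)
        if current in table:
            return i * m + table[current], trace
        current = current * factor % p
    return None, trace  # target is not a power of base


if __name__ == "__main__":
    x, trace = baby_step_giant_step(3, 57, 113)
    print("giant-step values:", trace)
    print("log_3(57) mod 113 =", x)
```

Both loops run at most m times, so the cost grows with the square root of the group order, which is why a group this small offers no protection.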
The Diffie-Hellman key exchange
• Diffie and Hellman gave the first detailed proposal for the process of agreeing on a key for a classical cryptosystem using a public key system
• The key exchange protocol is based on the assumption that it is computationally infeasible to compute $g^{ab}$ knowing only $g^a$ and $g^b$ when g is some fixed element in GF($p^n$)
The Diffie-Hellman key exchange
• The Diffie-Hellman assumption is a priori at least as strong as the assumption that discrete logarithms cannot be feasibly computed in a group
• Let p be a prime and let be a generator
The Diffie-Hellman key exchange
• Example, p=53, n=1, =2
The Diffie-Hellman key exchange
• The Diffie-Hellman key exchange algorithm gives protection against passive adversaries, but not against active adversaries capable of intercepting, modifying, or injecting messages
• Neither party has assurance of the source identity of the incoming message or the identity of the party which may know the resulting key