Download presentation

Presentation is loading. Please wait.

Published byShane Topham Modified over 2 years ago

1
1 Cryptanalysis Lecture 7: Discrete Log Based Systems John Manferdelli jmanfer@microsoft.com JohnManferdelli@hotmail.com © 2004-2008, John L. Manferdelli. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only. jlm20090204

2
2 Public Key (Asymmetric) Cryptosystems An asymmetric cipher is a pair of key dependant maps, (E(PK,-),D(pK,-)), based on related keys (PK, pK). D(pK,(E(PK,x))=x, for all x. PK is called the public key. pK is called the private key. Given PK it is infeasible to compute pK and infeasible to compute x given y=E(PK,x). Idea from Diffie, Hellman, Ellis, Cocks, Williamson. Diffie and Hellman, "New Directions in Cryptography“, IEEE Trans on IT 11/1976. CESG work in 1/70-74. JLM 20081102

3
3 Algorithm Timings Adding two m-bit numbers takes O(m) time. Multiplying two m-bit numbers takes

4
4 Representing Large Integers Numbers are represented in base 2 ws where ws is the number of bits in the “standard” unsigned integer (e.g. – 32 on IA32, 64 on AMD-64) Each number has three components: –Sign –Size in 2 ws words –2 ws words where n= i[ws-1]2 ws(size-1) + …+ i[1]2 ws + i[0] –Assembly is often used in inner loops to take advantage of special arithmetic instructions like “add with carry” JLM 20081102

5
5 Classical Algorithms Speed For two numbers of size s 1 and s 2 (in bits) –Addition/Subtraction: O(s 1 )+ O(s 2 ) time and max(s 1, s 2 )+1 space –Multiplication/Squaring: O(s 1 ) x O(s 2 ) time and space (you can save roughly half the multiplies on squaring) –Division: O(s 1 ) x O(s 2 ) time and space Uses heuristic for estimating iterative single digit divisor: less than 1 high after normalization –Extended GCD: O(s 1 ) x O(s 2 ) –Modular versions use same time (plus time for one division by modulus) but smaller space –Modular Exponentiation (a e (mod n)): O((size e)(size n) 2 ) using repeated squaring –Solve simultaneous linear congruence's (using CRT): O(m 2 ) x time to solve 1 where m = number of prime power factors of n JLM 20081102

6
6 Primitive roots in F p F p *= F p – {0} is the finite field with p elements with the zero element. It is a cyclic multiplicative group. Each element, a, that generates F p *is called a primitive root and each such primitive root is the a zero of a primitive polynomial. There are f (p-1) such primitive roots. Example: p=193. a =5 is a primitive root so = F p *. There are f (192) such primitive roots. Since 192= 8 x 24= 2 6 x 3, there are 192 x 1/3 = 64. JLM 20081102

7
7 Irreducibility polynomials in F p [x] Is f(x) irreducible? u(x)= x; for(i=1; i<(m+1)/2; i++) { u(x)= u(x) p (mod f(x)); d(x)= gcd(u(x)-x, f(x)); if(d(x)!=1) return “irreducible”; } JLM 20081102

8
8 Finding generators (Gauss) Find a generator, g, for F p *, n= (p-1)= p 1 e1 p 2 e2 … p k ek. while () { choose a random g G for(i=1; i<=k; k++) { b= g n/pi if (b==1) break; } if(i>k) return g } G has (n) generators. Using the lower bound for (n), the probability that g in line 2 is a generator is at least 1/(6 ln ln n) JLM 20081102

9
9 Discrete Log If b = a x, then L a ( b )=x. L a () is the discrete log function. If g = b x, then L a ( g )=xL a ( b ). L a ( b 1 b 2 )= L a ( b 1 ) + L a ( b 2 ) Discrete Log Problem (DLP): Given p, prime, a: =F p *. B (mod p), a, unknown, find L a ( b ). Computational Diffie Hellman Problem (CDHP): Given p, prime, =F p *. a a (mod p), a b (mod p), find a ab (mod p). Theorem: CDHP £ P DLP. If the factorization of p-1 is known and f (p-1) is O((ln(p)) c ) smooth then DLP and CDHP are equivalent. Why is this different from computing continuous logs? Moral: Exponentiation is a one way function. JLM 20081102

10
10 El Gamal cryptosystem Alice, the private keyholder, picks a large prime, p, where p-1 also has large prime divisors (say, p= 2rq+1) and a generator, g, for F p *. = F p *. Alice also picks a random number, a (secret), and computes A=g a (mod p). Alice’s public key is. To send a message, m, Bob picks a random b (his secret) and computes B= g b (mod p). Bob transmits (B, mA b )= (B, C). Alice decodes the message by computing CB -a =m. Without knowing a, an adversary has to solve the Computational Diffie Hellman Problem to get m. Note: b must be random and never reused! JLM 20081102

11
11 Timing Finding g takes about O(lg(p) 3 ) operations, so does primality testing and raising g to the a power mod p. Encryption is also O(lg(p) 3 ) and so is decryption. Note that key generation is cheap but for safety, p>w 2, where w is the “computational power” of the adversary. JLM 20081102

12
12 Attack on reused nonce Suppose Bob reuses b for two different messages m 1 and m 2. An adversary, Eve, can see and where C i = Bm i (mod p). Suppose Eve discovers m 1. She can compute m 2 = m 1 C 2 C 1 -1 (mod p). Don’t reuse b’s! JLM 20081102

13
13 El Gamal Example Alice chooses –p=919. g=7. –a=111, A= 7 111 = 461 (mod 919). –Alice’s Public key is Bob wants to send m=45, picks b= 29. –B=7 29 =788(mod 919), 461 29 = 902 (mod 919), –C= (45)(902)= 154(mod 919). –Bob transmits (788, 154). Alice computes (788) -111 = 902 -1 (mod 919). –(54)(902)+(-53)(919)=1. 54= 902 -1 (mod 919) –Calculates m= (154) (54)=45 (mod 919). JLM 20081102

14
14 El Gamal Signature = F q *. A picks a random as in encryption. Signing: Signer picks k: 1 k p-2 with (k, p-1)= 1 and publishes g k. k is secret. Sig K (M,k)= (t,d) –t= g k (mod p) –d=(M-gt)k -1 (mod p-1) Ver K (M,t,d) iff g kt t d =g M (mod p) Notes: It’s important that M is a hash otherwise there is an existential forgery attack. It’s important that k be different for every message otherwise adversary can solve for key. JLM 20081102

15
15 DSA Alice –2 159
{
"@context": "http://schema.org",
"@type": "ImageObject",
"contentUrl": "http://images.slideplayer.com/12/3421872/slides/slide_15.jpg",
"name": "15 DSA Alice –2 159

16
16 Baby Step Giant Step --- Shanks g x =y (mod p). m ~ Ö p. Compute g mj, 0 £ j

17
17 Baby Step Giant Step Example p=193. Ö (p) =13. m= 14. a = 5. b =41. 2 x 193 + (-77) x 5 = 1, a -1 = 116. a -14 = 189 (mod 193). JLM 20081102 j1234567891011121314 ajaj 525125463718515318615818906412756 ba -mj 2677787490268930739410153160132 So ba -(14 x 5) = 90 = a 11 (mod 193). Thus b= a 14x5+11 = a 81 (mod 193). L 5 (41)= 193.

18
18 Discrete log Pollard r x i+1 = f(x i ) –f(x i )= b x i, if x i e S 1. –f(x i )= x i 2, if x i e S 2. –f(x i )= a x i, if x i e S 3. x i = a a[i] b b[i]. –a[i]= a[i], if x i e S 1. –a[i]= 2a[i], if x i e S 2. –a[i]= a[i]+1, if x i e S 3. –b[i]= b[i]+1, if x i e S 1. –b[i]= 2b[i], if x i e S 2. –b[i]= b[i], if x i e S 3. x 2i =x i a 2i -a i = L a ( b ) (b 2i -b i ) JLM 20081102

19
19 Pollard r example p=229, n=191, b =228, a =2. L 2 (228)=110 JLM 20081102 ixixi aiai bibi 122801 227902 39204 418414 520515 61416 72826 825627 915228 1030438 1137239 12121618 1312619 141441238 ix 2i a 2i b 2i 127902 218414 31416 425627 530438 6121638 714412152 823548154 97248118 101496119 1125697120 123049851 131215104 1414410163 x 14 = x 28, (b 14 -b 28 )= 125 (mod 191), L 2 (228)=125 -1 (a 28 -a 14 )= 110.

20
20 Pohlig-Hellman p-1= P q i r[i]. Solve a x = y (mod p) for x (mod q i r[i] ) and use Chinese Remainder Theorem. x= x 0 + x 1 q + x 2 q 2 + … + x r[i]-1 q r[i]-1. x (p-1)/q= x 0 (p-1)/q + (p-1) (…) So b (p-1)/q = a x[0](p-1)/q. Solve for x 0. The put g = ba -x[0] and solve g (p-1)/(q x q) = a x[1](p-1)/q. This costs O( S i=1 r e i (lg(n)+ Ö q i ). JLM 20081102

21
21 Pohlig-Hellman example p=251. a = 71, b =210, =F 251 *. n=250= 2 x 5 3. L 71 (210)= 1 (mod 2). x= x 0 + x 1 5 + x 2 5 2. So a n/5 = 71 20. b n/5 = 210 20 = 149. –x 0 = L 20 (149)=2. –x 1 = 4 –x 2 = 2 x= 2+ 4 x 5 + 2 x 25= 72 (mod 125) Applying CRT: L 71 (210)= 197. JLM 20081102

22
22 Index Calculus g x =y (mod p). B= (p 1, p 2, …, p k ). Precompute –g x j = p 1 a 1 p 2 a 2 … p k a k –x j = a 1j log g (p 1 ) + a 2j log g (p 2 ) + …+ a kj log g (p k ) –If you get enough of these, you can solve for the log g (p i ) Solve –Pick s at random and compute y g s = p 1 c 1 p 2 c 2 … p k c k then –log g (y)+s = c 1 log g (p 1 ) + c 2 log g (p 2 ) + …+ c k log g (p k ) This takes O(e (1+ln(p)ln(ln(p)) ) time. LaMacchia and Odlyzko used Gaussian integer index calculus variant to attack discrete log. JLM 20081102

23
23 Index Calculus Example p=229. a =6. = F 229 *. n=228. b =13. S={2,3,5,7,11}. Step 1 1.6 100 (mod 229)= 180= 2 2 x 3 2 x 5 1 x 7 0 x 11 0. 2.6 18 (mod 229)= 176= 2 4 x 3 0 x 5 0 x 7 0 x 11 1. 3.6 12 (mod 229)= 165= 2 0 x 3 1 x 5 1 x 7 0 x 11 0. 4.6 62 (mod 229)= 154= 2 1 x 3 0 x 5 0 x 7 1 x 11 1. 5.6 143 (mod 229)= 198= 2 1 x 3 2 x 5 0 x 7 0 x 11 1. 6.6 206 (mod 229)= 210= 2 1 x 3 1 x 5 1 x 7 1 x 11 0. Taking L a () of both sides, we get: 1.100= 2 L a (2)+2L a (3)+L a (5) (mod 228) 2.18= 4L a (2)+L a (11) (mod 228) 3.12= L a (3)+L a (5)+L a (11) (mod 228) 4.62= L a (2)+L a (7)+L a (11) (mod 228) 5.143=L a (2)+L a (3)+L a (11) (mod 228) 6.206= L a (2)+L a (3)+L a (5)+L a (11) (mod 228) JLM 20081102

24
24 Index Calculus example - continued Review –p=229. a =6. = F 229 *. n=228. Solving, we got: –L a (2)= 21 (mod 228) –L a (3)= 208 (mod 228) –L a (5) = 98 (mod 228) –L a (7)= 107 (mod 228) –L a (11)= 162 (mod 228) Step 2: –Recall b =13. Pick k=77 –13 x 6 77 = 147 = 3 x 7 2 (mod 229) –L 6 (13)= (L 6 (3)+2L 6 (7)-77)= 117 (mod 228) JLM 20081102

25
25 Diffie Hellman key exchange Alice Bob A1: s= min(p size), N a in {0, … 2 256 -1} s,N a B1: Choose (p,q,g), x in {0, … 2 256 -1} (p,q,g), X=g x, Auth B A2: Check (p,q,g) X, Auth B, pick y in {0,…q-1} B2: Check Y, Auth A Y= g y, Auth A K= X y K= Y x JLM 20081102

26
26 DH key exchange example JLM 20081102 p=3547, g=2. Alice: a= 7. Bob: b=17. A B 1 : A=128 (=2 7 ), Sign A (SHA-2(128||r 1 )) B A 1 : B=3380(=2 17 ), Sign B (SHA-2(3380||r 2 )) K= 128 17 =3380 7 = 362.

27
27 Square roots mod p -- general comments We want x: x 2 = a (mod p). Remember, we can check to see if a is a quadratic residue by computing (a/p). If we know a generator of F p *, g and g n =a, then g n/2 =x (mod p). Of course, this requires solving the discrete log problem so it does not offer a practical computational method. Since there is no order relation, approximations (e.g.- Newton’s method) don’t help much. Reference: Cohn, Computational Number Theory. JLM 20081102

28
28 Square roots mod p --- simple cases We want x: x 2 = a (mod p). First check (a/p)=1. p= 3 (mod 4): –x= a (p+1)/4 (mod p) –Example: x 2 = 7 (mod 31), x= 7 8 (mod 31)= 10. 100=7 (mod 31). p= 5 (mod 8) –b=a (p-1)/4 = ±1(mod p). –If b=1, x= a (p+3)/8 (mod p). –If b= -1, x= (2a) (4a) (p-5)/8 (mod p). –Example 1: p=13. a= 9. b= 9 3 = 1 (mod p). x= 9 2 = 3 (surprise!). –Example 2: p=29. a= 6. 6 7 = -1 (mod p). x= (12)(24) 3 = 8 (mod 29). 8 2 = 6 (mod 29). This leaves the hard case, p=1 (mod 8). JLM 20081102

29
29 General case - Tonelli-Shanks We want x: x 2 = a (mod p) p-1=2 e x q, q, odd. Square-Root(a) 1.Choose n: (n/p)= -1; z= n q (mod p); Q=(q-1)/2. 2.y=z; r=e; x=a Q (mod p); b=ax 2 (mod p); x= ax (mod p); 3.// Now if R=2 r-1, ab=x 2, y R =-1, b R =1; if(b==1) return(x); M=2 m ; for smallest m>0: b M = 1 (mod p) if(m=r) return “non-residue” 4.TT= 2 r-m-1 ; t= y TT (mod p); y= t 2 (mod p); r=m; x=xt; b=by; goto 3; JLM 20081102

30
30 Tonelli-Shanks example We want x: x 2 = a (mod p). p=41, a=5, g=7. p-1=2 3 x 5. Note 6 20 = -1 (41) so 6 is a non-residue. a= 5; n=6; z= 6 5 = 27 (mod 41). JLM 20081102 Stepmtyrxb 0327329 122322131 x=13. 13 2 (mod 41)= 5.

31
31 Berlekamp factorization f(x)= P i=1 t f i (x) over F p, deg(f(x))=n. f i (x) irreducible. F={f(x)}; for(i=1; i

32
32 Berlekamp factorization example Factor x 7 -1 over F 2. JLM 20081102 1000000 0010000 0000100 0000001 0100000 0001000 0000010 1 x x2x2 x3x3 x4x4 x5x5 x6x6 1 x2x2 x4x4 x6x6 x1x1 x3x3 x5x5 = Adding I and solving get: 1 x 4 +x 2 +x = x(x 3 +x+1) x 6 +x 5 +x 3 = x 3 (x 3 +x 2 +1) Dividing into x 7 -1, we get: (x+1)

33
33 End JLM 20081102

Similar presentations

OK

MM Clements Cryptography. Last Week....... Firewalls A firewall cannot protect against poor server, client or network configuration A firewall cannot.

MM Clements Cryptography. Last Week....... Firewalls A firewall cannot protect against poor server, client or network configuration A firewall cannot.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on colors tv channel Ppt on principles of object-oriented programming in c++ Ppt on review writing books Free ppt on uses of plants Brainstem anatomy and physiology ppt on cells Ppt on film industry bollywood news Ppt on surface area and volume of frustum Ppt on object oriented programming with c++ Download ppt on turbo generators Ppt on file system vs dbms