Presentation on theme: "1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’"— Presentation transcript:

1 Cryptosystems Based on Discrete Logarithms

2 Outline
[1] Discrete Logarithm Problem
[2] Algorithms for Discrete Logarithm
–A trivial algorithm
–Shanks’ algorithm (Baby-step Giant-step)
–Pollard’s algorithm
–Pohlig-Hellman algorithm
–Adleman’s algorithm (the index calculus method)
[3] Cryptosystems Based on Discrete Logarithm
–Key distribution
–Encryption
–Digital signature

3 [1] Discrete Logarithm Problem
Let G be a finite multiplicative group (G, *). For an element α ∈ G having order n, define
⟨α⟩ = {α^i | i = 0, 1, 2, …, n-1}.
Then ⟨α⟩ is a subgroup of G, and is cyclic of order n.
Discrete logarithm problem: given β ∈ ⟨α⟩, find the unique integer a, 0 ≤ a ≤ n-1, such that α^a = β. This a is written log_α β.

4 Example 1
G = Z_19^* = {1, 2, …, 18}, n = 18, generator g = 2.
Then log_2 14 = 7 and log_2 6 = 14.

5 Example 2
In Z_11^* = {1, 2, …, 10}, let G = ⟨3⟩ = {1, 3, 9, 5, 4}, n = 5.
3 is not a generator of Z_11^* but a generator of G.
log_3 5 = 3.

6 Example 3
G = GF(2^3)^* with irreducible polynomial p(x) = x^3 + x + 1,
G = (Z_2[x]/(p(x)))^* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x.
Then log_x (x+1) = 3, log_x (x^2+x+1) = 5, log_x (x^2+1) = 6.

7 Example 4
Let p = 1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359
NB: p = 158(2^800 + 25) + 1 and has 807 bits.
Find such that

8 [2] Algorithms for Discrete Logarithm
A trivial algorithm
Shanks’ algorithm (Baby-step giant-step)
Pollard rho discrete log algorithm
Pohlig-Hellman algorithm
The index calculus method

9 Discrete Logarithm Problem in Z_p^*
Given a generator α (i.e. ⟨α⟩ = Z_p^*) and β in Z_p^*, find a in Z_{p-1} = {0, 1, …, p-2} s.t. β = α^a mod p.
A trivial algorithm
–Compute α^i for i = 0, 1, 2, … and test if β = α^i
–Time complexity O(p)
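The trivial algorithm is a linear scan of the powers of α, so it works in any group whose multiplication you can write down. The following added example (not code from the slides) implements it over an abstract group and recomputes the logs of Examples 1, 2 and 3: Z_19^*, the subgroup ⟨3⟩ of Z_11^*, and GF(2^3)^* built from p(x) = x^3 + x + 1. The 3-bit integer encoding of the field elements and the helper names are my own choices.

```python
# Added example (not from the slides): the "trivial" discrete-log algorithm
# of slide 9, written over an abstract group so that it also handles the
# three earlier examples: Z_19^*, the subgroup <3> of Z_11^*, and GF(2^3)^*.

def trivial_dlog(alpha, beta, mul, identity, n):
    """Return the least a with alpha^a == beta by computing 1, alpha, alpha^2, ...
    The group is given by its multiplication 'mul' and identity; n is the
    order of alpha, so the cost is O(n) group multiplications."""
    x = identity
    for a in range(n):
        if x == beta:
            return a
        x = mul(x, alpha)
    raise ValueError("beta is not in the subgroup generated by alpha")

def mod_mul(p):
    """Multiplication in Z_p^*."""
    return lambda x, y: (x * y) % p

# GF(2^3) = Z_2[x]/(x^3 + x + 1); a polynomial is stored as a 3-bit integer,
# bit i holding the coefficient of x^i, so x is 0b010 and x^2 + 1 is 0b101.
POLY_MOD = 0b1011  # x^3 + x + 1

def gf8_mul(u, v):
    """Carry-less multiply, then reduce modulo x^3 + x + 1 (so x^3 = x + 1)."""
    acc = 0
    for i in range(3):
        if (v >> i) & 1:
            acc ^= u << i
    for deg in (4, 3):                  # clear degree-4 then degree-3 terms
        if (acc >> deg) & 1:
            acc ^= POLY_MOD << (deg - 3)
    return acc

def slide_examples():
    """Recompute the logs stated on slides 4-6 (Examples 1-3)."""
    return {
        "log_2 14 in Z_19": trivial_dlog(2, 14, mod_mul(19), 1, 18),
        "log_2 6 in Z_19": trivial_dlog(2, 6, mod_mul(19), 1, 18),
        "log_3 5 in <3> < Z_11": trivial_dlog(3, 5, mod_mul(11), 1, 5),
        "log_x (x+1) in GF(8)": trivial_dlog(0b010, 0b011, gf8_mul, 0b001, 7),
        "log_x (x^2+x+1) in GF(8)": trivial_dlog(0b010, 0b111, gf8_mul, 0b001, 7),
        "log_x (x^2+1) in GF(8)": trivial_dlog(0b010, 0b101, gf8_mul, 0b001, 7),
    }

if __name__ == "__main__":
    for name, value in slide_examples().items():
        print(f"{name} = {value}")
```

The O(n) scan is only feasible because these groups are tiny; the point of the algorithms that follow is to do better than enumerating ⟨α⟩.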

10 Shanks’ algorithm (Baby-step giant-step) (1972)
–Compute L1 = {(i, α^(mi)) | i = 0, 1, …, m-1} and L2 = {(i, βα^(-i)) | i = 0, 1, …, m-1}, where m = ⌈(p-1)^(1/2)⌉.
–Sort L1 and L2 with respect to the 2nd coordinate.
–Find a common 2nd coordinate in L1 and L2, say (q, α^(mq)) and (r, βα^(-r)), to get α^(mq) = βα^(-r). So β = α^(mq+r) and a = mq + r.
–Time complexity O(m log m) = O(p^(1/2) log p)
–Space complexity O(p^(1/2))

11 Example 1: log_2 15 mod 19 = ?
G = Z_19^* = {1, 2, …, 18}, α = 2, α^(-1) = 10, n = p-1 = 18, m = 5, α^m = 13, β = 15.

   L1: (i, α^(mi))    L2: (i, βα^(-i))
   (0, 1)             (0, 15)
   (1, 13)            (1, 17)
   (2, 17)            (2, 18)
   (3, 12)            (3, 9)
   (4, 4)             (4, 14)

The common 2nd coordinate is 17: (2, 17) in L1 gives q = 2, (1, 17) in L2 gives r = 1, so mq + r = 11.
log_2 15 mod 19 = 11

12 Example 2: log_3 525 mod 809 = ?
G = Z_809^* = {1, 2, …, 808} = ⟨3⟩, α = 3, α^(-1) = 270, n = p-1 = 808, m = 29, α^m = 99, β = 525.

   L1: (i, α^(mi))    L2: (i, βα^(-i))
   (0, 1)             (0, 525)
   (1, 99)            (1, 175)
   (2, 93)            (2, 328)
   (3, 308)           (3, 379)
   (4, 559)           (4, 396)
   (5, 329)           (5, 132)
   (6, 211)           (6, 44)
   (7, 664)           (7, 554)
   (8, 207)           (8, 724)
   (9, 268)           (9, 511)
   (10, 644)          (10, 440)
   (11, 654)          (11, 686)
   (12, 26)           (12, 768)

13 (Example 2, continued)

   L1: (i, α^(mi))    L2: (i, βα^(-i))
   (13, 147)          (13, 256)
   (14, 800)          (14, 355)
   (15, 727)          (15, 388)
   (16, 781)          (16, 399)
   (17, 464)          (17, 133)
   (18, 632)          (18, 314)
   (19, 275)          (19, 644)
   (20, 528)          (20, 754)
   (21, 496)          (21, 521)
   (22, 564)          (22, 713)
   (23, 15)           (23, 777)
   (24, 676)          (24, 259)
   (25, 586)          (25, 356)
   (26, 575)          (26, 658)
   (27, 295)          (27, 489)
   (28, 81)           (28, 163)

The common 2nd coordinate is 644: (10, 644) in L1 gives q = 10 and (19, 644) in L2 gives r = 19, so mq + r = 29*10 + 19 mod 808 = 309 and log_3 525 mod 809 = 309.
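As an added example (my code, not the lecturer's), here is baby-step giant-step as described on slide 10, run on both worked examples. It uses a hash table for L1 instead of sorting the two lists, which is the usual implementation choice and gives the same a = mq + r; a second function prints the (i, value) pairs so the tables above can be checked by machine. `bsgs` and `bsgs_tables` are names I chose.

```python
# Added example (not from the slides): Shanks' baby-step giant-step algorithm
# as laid out on slide 10, applied to Examples 1 and 2 (slides 11-13).
from math import isqrt

def bsgs(alpha, beta, p, n=None):
    """Return a with alpha^a = beta (mod p), or None if beta is not in <alpha>.
    n is the order of alpha; it defaults to p-1, i.e. alpha generates Z_p^*."""
    if n is None:
        n = p - 1
    m = isqrt(n)
    if m * m < n:                        # m = ceiling(sqrt(n))
        m += 1
    alpha_m = pow(alpha, m, p)
    alpha_inv = pow(alpha, -1, p)        # modular inverse (Python 3.8+)
    # Giant steps L1: alpha^(m*i) -> i.  A dict replaces the slide's sort-and-
    # merge of the two lists: expected O(1) lookups instead of O(m log m).
    L1 = {}
    x = 1
    for i in range(m):
        L1.setdefault(x, i)
        x = (x * alpha_m) % p
    # Baby steps L2: beta * alpha^(-r).  The first hit gives q and r with
    # alpha^(mq) = beta * alpha^(-r), hence a = mq + r.
    y = beta % p
    for r in range(m):
        if y in L1:
            q = L1[y]
            return (m * q + r) % n
        y = (y * alpha_inv) % p
    return None

def bsgs_tables(alpha, beta, p, m):
    """The two lists of slides 11-13, for checking a hand computation."""
    alpha_m = pow(alpha, m, p)
    alpha_inv = pow(alpha, -1, p)
    L1 = [(i, pow(alpha_m, i, p)) for i in range(m)]
    L2 = [(i, beta * pow(alpha_inv, i, p) % p) for i in range(m)]
    return L1, L2

if __name__ == "__main__":
    print("log_2 15 mod 19 =", bsgs(2, 15, 19))
    print("log_3 525 mod 809 =", bsgs(3, 525, 809))
    L1, L2 = bsgs_tables(3, 525, 809, 29)
    print("L1[10] =", L1[10], " L2[19] =", L2[19])   # both have 2nd coordinate 644
```

Memory is the limiting resource here, exactly as the O(p^(1/2)) space bound says: for a 2048-bit prime the table would need 2^1024 entries, which is why this method only threatens small groups.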

14 Pollard rho discrete logarithm algorithm (1978)
Compute integers s and t such that
–Partition the group G into three roughly equal-sized sets S_1, S_2 and S_3. Let x_0 = 1_G, where x_0 is not in S_2.

15 where n = p-1 when G = Z_p^*

16 We should expect some integer such that, then this gives with If then compute and we have, so that If little work to do... (Omitted)

17 Floyd’s cycle-finding algorithm: one starts with the pair (x_1, x_2), and iteratively computes (x_i, x_2i) from the previous pair (x_{i-1}, x_{2i-2}), until x_m = x_2m for some m. The expected running time of this method is O(n^(1/2)).

18 Pollard’s rho algorithm for discrete logarithms
–INPUT: a generator α of a cyclic group G of prime order n, and an element β of G
–OUTPUT: log_α β
1. Set x_0 ← 1, a_0 ← 0, b_0 ← 0
2. For i = 1, 2, … do the following:
   2.1 Use x_{i-1}, a_{i-1}, b_{i-1} to compute x_i, a_i, b_i.
       Use x_{2i-2}, a_{2i-2}, b_{2i-2} to compute x_2i, a_2i, b_2i.
   2.2 If x_i = x_2i, then do the following:
       set r ← b_i – b_2i mod n;
       if gcd(r, n) ≠ 1 then return ‘failure’
       else return r^(-1)(a_2i – a_i) mod n.

19 Example: α = 2 is a generator of the subgroup G of Z_383^* of order n = 191 (in this case ⟨α⟩ = G ≠ Z_383^*). Suppose β = 228. Find log_2 228.
Solution: Partition G into 3 subsets, let

20
    i   x_i  a_i  b_i    x_2i  a_2i  b_2i
    1   228    0    1     279     0     2
    2   279    0    2     184     1     4
    3    92    0    4      14     1     6
    4   184    1    4     256     2     7
    5   205    1    5     304     3     8
    6    14    1    6     121     6    18
    7    28    2    6     144    12    38
    8   256    2    7     235    48   152
    9   152    2    8      72    48   154
   10   304    3    8      14    96   118
   11   372    3    9     256    97   119
   12   121    6   18     304    98   120
   13    12    6   19     121     5    51
   14   144   12   38     144    10   104

21 Solution (continued): From the table, we have x_14 = x_28 = 144. Finally compute r = b_14 – b_28 mod 191 = 125, r^(-1) = 125^(-1) mod 191 = 136, and r^(-1)(a_28 – a_14) mod 191 = 110. Hence log_2 228 = 110.
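The following is an added example (my code, not from the slides or the textbook) of the rho algorithm of slide 18 driven by Floyd's cycle finding, run on the example above. The partition rule is an assumption, since the slide that defines it is missing its formulas: I use the classic split S_1 = {x ≡ 1 (mod 3)}, S_2 = {x ≡ 0}, S_3 = {x ≡ 2}, with x ← βx on S_1, x ← x^2 on S_2 and x ← αx on S_3, which reproduces every row of the table on slide 20 and the collision at i = 14.

```python
# Added example (not from the slides): Pollard's rho discrete-log algorithm of
# slide 18 with Floyd's cycle finding (slide 17).  The partition is an
# assumption: S1 = {x = 1 mod 3}, S2 = {x = 0 mod 3}, S3 = {x = 2 mod 3},
# which reproduces the table on slide 20 exactly (x_0 = 1 lies in S1).
from math import gcd

def pollard_step(x, a, b, alpha, beta, p, n):
    """One iteration x -> f(x); (a, b) track x = alpha^a * beta^b throughout."""
    s = x % 3
    if s == 1:                                   # S1: multiply by beta
        return beta * x % p, a, (b + 1) % n
    if s == 0:                                   # S2: square
        return x * x % p, 2 * a % n, 2 * b % n
    return alpha * x % p, (a + 1) % n, b         # S3: multiply by alpha

def pollard_rho_dlog(alpha, beta, p, n, trace=None):
    """Return log_alpha(beta) in the order-n subgroup <alpha> of Z_p^*, or None
    on the slide's 'failure' case gcd(r, n) != 1.  If 'trace' is a list, each
    row (i, x_i, a_i, b_i, x_2i, a_2i, b_2i) is appended to it."""
    x, a, b = 1, 0, 0                            # tortoise: x_i
    X, A, B = 1, 0, 0                            # hare: x_2i
    for i in range(1, 2 * n + 2):                # collision expected after ~sqrt(pi*n/2) steps
        x, a, b = pollard_step(x, a, b, alpha, beta, p, n)
        X, A, B = pollard_step(X, A, B, alpha, beta, p, n)
        X, A, B = pollard_step(X, A, B, alpha, beta, p, n)
        if trace is not None:
            trace.append((i, x, a, b, X, A, B))
        if x == X:
            # alpha^a beta^b = alpha^A beta^B  =>  beta^(b-B) = alpha^(A-a)
            r = (b - B) % n
            if gcd(r, n) != 1:
                return None                      # 'failure': restart with another x_0 in practice
            return pow(r, -1, n) * (A - a) % n
    return None

if __name__ == "__main__":
    rows = []
    log = pollard_rho_dlog(2, 228, 383, 191, rows)
    for row in rows:
        print("%2d %4d %3d %3d   %4d %3d %3d" % row)
    print("log_2 228 =", log, "check:", pow(2, log, 383) == 228)
```

Unlike baby-step giant-step, the rho method keeps only two triples in memory, so its O(n^(1/2)) running time is the only cost; this is the generic algorithm one sizes prime-order subgroups against.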

22 Pohlig-Hellman algorithm (1978)
If ⟨α⟩ is of order n and β ∈ ⟨α⟩, then a = log_α β is determined (uniquely) mod n.
E.g. if ⟨α⟩ = Z_p^* (i.e. α is a generator of Z_p^*), then n = p-1.
Let n = p_1^(c_1) p_2^(c_2) … p_k^(c_k) be the prime factorization of n.
The idea of the Pohlig-Hellman algorithm is that we can compute a mod p_i^(c_i) for each i, then compute a mod n by the CRT (Chinese remainder theorem). (See the text for details.)
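The slide defers the details to the text, so here is an added example (my code, not the textbook's) of the full reduction: each a mod p_i^(c_i) is found one base-p_i digit at a time in the order-p_i subgroup, and the pieces are combined by CRT. It is run on Example 2 of slide 12, log_3 525 in Z_809^*, where n = 808 = 2^3 * 101, and the prime-order sub-problems are solved by the trivial search of slide 9 because the primes are tiny. All function names are mine.

```python
# Added example (not from the slides): the Pohlig-Hellman reduction of slide 22
# worked on slide 12's problem, log_3 525 in Z_809^* (n = 808 = 2^3 * 101).
# The prime-order sub-logs use the trivial O(q) search of slide 9.

def factorize(n):
    """Prime factorisation by trial division: {p: c} with n = prod p^c."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def small_dlog(gamma, delta, p, q):
    """log_gamma(delta) where gamma has prime order q: trivial search."""
    x = 1
    for a in range(q):
        if x == delta:
            return a
        x = x * gamma % p
    raise ValueError("delta is not a power of gamma")

def dlog_prime_power(alpha, beta, p, n, q, c):
    """a mod q^c, digit by digit: a = a_0 + a_1 q + ... + a_{c-1} q^(c-1)."""
    gamma = pow(alpha, n // q, p)                # element of order exactly q
    a, beta_j = 0, beta
    for j in range(c):
        # beta_j = beta * alpha^-(a_0 + ... + a_{j-1} q^(j-1)); projecting it
        # into the order-q subgroup exposes the next digit a_j.
        delta = pow(beta_j, n // q ** (j + 1), p)
        a_j = small_dlog(gamma, delta, p, q)
        a += a_j * q ** j
        beta_j = beta_j * pow(alpha, -a_j * q ** j, p) % p
    return a

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner style)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mod) % mod
        x += m * t
        m *= mod
    return x % m

def pohlig_hellman(alpha, beta, p, n):
    """log_alpha(beta) in Z_p^*, where alpha has order n."""
    parts = [(dlog_prime_power(alpha, beta, p, n, q, c), q ** c)
             for q, c in factorize(n).items()]
    return crt([a for a, _ in parts], [m for _, m in parts])

if __name__ == "__main__":
    print("808 =", factorize(808))
    print("log_3 525 mod 809 =", pohlig_hellman(3, 525, 809, 808))
```

The cost is governed by the largest prime factor of n, which is why Diffie-Hellman and ElGamal parameters are chosen so that p-1 has a large prime factor (or so that α generates a subgroup of large prime order): a "smooth" group order makes the problem fall to this reduction regardless of the size of p.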

23 The index calculus method (suitable only for G = Z_p^*)

24 Example: log_5 9451 mod 10007 = ?
Choose B = {2, 3, 5, 7}. Of course log_5 5 = 1.
Use the lucky exponents 4063, 5136, and 9865:
5^4063 mod 10007 = 42 = 2 * 3 * 7
5^5136 mod 10007 = 54 = 2 * 3^3
5^9865 mod 10007 = 189 = 3^3 * 7
And we have three congruences:
log_5 2 + log_5 3 + log_5 7 ≡ 4063 (mod 10006)
log_5 2 + 3 log_5 3 ≡ 5136 (mod 10006)
3 log_5 3 + log_5 7 ≡ 9865 (mod 10006)

25 There happens to be a unique solution modulo 10006:
log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301.
Choose the random exponent s = 7736 and try to calculate βα^s = 9451 * 5^7736 mod 10007 = 8400.
Since 8400 = 2^4 * 3 * 5^2 * 7 factors over B, we obtain
log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 – s) mod 10006
           = (4*6578 + 6190 + 2*1 + 1301 – 7736) mod 10006
           = 6057 mod 10006
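To make the two stages of the example concrete, here is an added example (my code, not the slides') that mechanises it: it checks that each lucky exponent gives a B-smooth residue, builds the congruences, solves them modulo p-1 = 10006 by elimination (choosing pivots coprime to the composite modulus, which this system allows), and then finishes with s = 7736. The small solver `solve_mod` and the other function names are my own.

```python
# Added example (not from the slides): the index-calculus computation of
# slides 24-25.  Relations come from the slide's "lucky" exponents; the
# linear system is solved modulo p-1 with a pivot-selecting eliminator.
from math import gcd

FACTOR_BASE = [2, 3, 5, 7]

def smooth_factor(value, base):
    """Exponent vector of value over base, or None if value is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while value % q == 0:
            value //= q
            e += 1
        exps.append(e)
    return exps if value == 1 else None

def solve_mod(rows, rhs, n):
    """Solve A x = b over Z_n by Gauss-Jordan elimination.  Every pivot must be
    a unit mod n (n may be composite); raises if no such pivot exists."""
    m = len(rows)
    A = [row[:] + [b % n] for row, b in zip(rows, rhs)]
    for col in range(m):
        piv = next((r for r in range(col, m) if gcd(A[r][col] % n, n) == 1), None)
        if piv is None:
            raise ValueError("no invertible pivot mod %d in column %d" % (n, col))
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, n)
        A[col] = [v * inv % n for v in A[col]]
        for r in range(m):
            if r != col and A[r][col] % n:
                f = A[r][col]
                A[r] = [(vr - f * vc) % n for vr, vc in zip(A[r], A[col])]
    return [A[r][m] for r in range(m)]

def factor_base_logs(alpha, p, base, exponents):
    """Stage 1: one relation alpha^e = prod q^(e_q) per exponent, then solve
    for log_alpha(q).  log_alpha(alpha) = 1 is substituted when alpha is in base."""
    n = p - 1
    unknown = [q for q in base if q != alpha]
    rows, rhs = [], []
    for e in exponents:
        vec = smooth_factor(pow(alpha, e, p), base)
        if vec is None:
            raise ValueError("alpha^%d is not smooth over the base" % e)
        known = sum(v for q, v in zip(base, vec) if q == alpha)
        rows.append([v for q, v in zip(base, vec) if q != alpha])
        rhs.append((e - known) % n)
    logs = dict(zip(unknown, solve_mod(rows, rhs, n)))
    if alpha in base:
        logs[alpha] = 1
    return logs

def index_calculus_dlog(alpha, beta, p, base, logs, s):
    """Stage 2: if beta * alpha^s is smooth, log beta = sum e_q log q - s (mod p-1)."""
    vec = smooth_factor(beta * pow(alpha, s, p) % p, base)
    if vec is None:
        return None                               # pick another s
    return (sum(e * logs[q] for q, e in zip(base, vec)) - s) % (p - 1)

if __name__ == "__main__":
    logs = factor_base_logs(5, 10007, FACTOR_BASE, [4063, 5136, 9865])
    print("factor-base logs:", logs)
    print("log_5 9451 =", index_calculus_dlog(5, 9451, 10007, FACTOR_BASE, logs, 7736))
```

Stage 1 is done once per prime p and amortised over every logarithm in that group afterwards, which is the property that makes index calculus (and its number-field-sieve descendants) sub-exponential for Z_p^* while the generic methods above stay at O(n^(1/2)).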

26 [3] Cryptosystems based on DL
Key Distribution –Diffie-Hellman, 1976
Encryption –Massey-Omura cryptosystem, 1983
Digital Signature –ElGamal, 1985

27 Diffie-Hellman Key Exchange Algorithm
Global Public Elements
–q : prime number
–α : α < q and α is a primitive root of q
User A Key Generation
–Select private X_A : X_A < q
–Calculate public Y_A : Y_A = α^(X_A) mod q
User B Key Generation
–Select private X_B : X_B < q
–Calculate public Y_B : Y_B = α^(X_B) mod q
Generation of Secret Key by User A
–K = (Y_B)^(X_A) mod q
Generation of Secret Key by User B
–K = (Y_A)^(X_B) mod q

28 Diffie-Hellman Key Exchange
User A                                          User B
Generate random X_A < q;                        Generate random X_B < q;
Calculate Y_A = α^(X_A) mod q                   Calculate Y_B = α^(X_B) mod q
            ---- Y_A ---->
            <---- Y_B ----
Calculate K = (Y_B)^(X_A) mod q                 Calculate K = (Y_A)^(X_B) mod q

29 Massey-Omura for message transmission
Parameters
–q : prime number
–e : a random private integer, 0 < e < q and gcd(e, q-1) = 1
–d : the inverse of e, d = e^(-1) mod (q-1), i.e., de ≡ 1 (mod q-1)
–M : a message to be encrypted and decrypted
User A wants to send a message M to User B
–User A : e_A and d_A are both private
–User B : e_B and d_B are both private

30 Massey-Omura for message transmission
User A                                                   User B
1. Encryption (1): C_1 = M^(e_A) mod q
            ---- C_1 ---->
                                                         2. Encryption (2): C_2 = C_1^(e_B) = M^(e_A e_B) mod q
            <---- C_2 ----
3. Encryption (3): C_3 = C_2^(d_A) = (M^(e_A e_B))^(d_A) = M^(e_B) mod q
            ---- C_3 ---->
                                                         4. Decryption: M = C_3^(d_B) = M^(e_B d_B) mod q
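The two exchanges above, written out as the messages each side sends, as an added example (my code, not from the slides). The group is a constructed toy: q = 1019 is prime with q-1 = 2 * 509, and 2 is a primitive root, which the block verifies with the standard test rather than asserting it. Real deployments use primes of at least 2048 bits; the function names, the `is_primitive_root` helper and the rejection of degenerate public values are my additions.

```python
# Added example (not from the slides): the Diffie-Hellman exchange of slides
# 27-28 and the Massey-Omura three-pass protocol of slides 29-30.  q = 1019
# and alpha = 2 are constructed toy parameters for illustration only.
import secrets
from math import gcd

Q = 1019          # toy prime (constructed); q - 1 = 2 * 509
ALPHA = 2         # primitive root mod 1019, checked by is_primitive_root()

def is_primitive_root(alpha, q):
    """alpha generates Z_q^* iff alpha^((q-1)/r) != 1 for every prime r | q-1."""
    n, r, primes = q - 1, 2, []
    while r * r <= n:
        if n % r == 0:
            primes.append(r)
            while n % r == 0:
                n //= r
        r += 1
    if n > 1:
        primes.append(n)
    return all(pow(alpha, (q - 1) // r, q) != 1 for r in primes)

def dh_keygen(q, alpha, rng=secrets.randbelow):
    """Private X in [1, q-2] and public Y = alpha^X mod q.  Y = 1 or Y = q-1
    (the order-1 and order-2 elements) would be rejected by the peer, so
    such an X is simply redrawn."""
    while True:
        x = 1 + rng(q - 2)
        y = pow(alpha, x, q)
        if 1 < y < q - 1:
            return x, y

def dh_shared(their_public, my_private, q):
    """K = Y_other^X_mine mod q, after rejecting degenerate public values."""
    if not 1 < their_public < q - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, q)

def dh_exchange(q, alpha):
    xa, ya = dh_keygen(q, alpha)      # A -> B : Y_A
    xb, yb = dh_keygen(q, alpha)      # B -> A : Y_B
    return dh_shared(yb, xa, q), dh_shared(ya, xb, q)   # (K at A, K at B)

def mo_keygen(q, rng=secrets.randbelow):
    """Private pair (e, d) with e*d = 1 (mod q-1); both parts stay secret."""
    while True:
        e = 2 + rng(q - 3)            # 2 <= e <= q-2
        if gcd(e, q - 1) == 1:
            return e, pow(e, -1, q - 1)

def massey_omura(message, q):
    """Three passes: C1 = M^eA, C2 = C1^eB, C3 = C2^dA; B recovers M = C3^dB."""
    if not 1 <= message <= q - 1:
        raise ValueError("message must lie in [1, q-1]")
    ea, da = mo_keygen(q)
    eb, db = mo_keygen(q)
    c1 = pow(message, ea, q)          # A -> B
    c2 = pow(c1, eb, q)               # B -> A
    c3 = pow(c2, da, q)               # A -> B   (equals M^eB)
    recovered = pow(c3, db, q)        # B strips its own exponent
    return (c1, c2, c3), recovered

if __name__ == "__main__":
    print("2 is a primitive root mod 1019:", is_primitive_root(ALPHA, Q))
    ka, kb = dh_exchange(Q, ALPHA)
    print("DH keys agree:", ka == kb, ka)
    passes, m = massey_omura(777, Q)
    print("Massey-Omura passes:", passes, "recovered:", m)
```

Neither protocol authenticates the other party: an active adversary in the middle can run a separate exchange with each side, which is why both are deployed only together with signatures or another authentication mechanism.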

31 ElGamal encryption scheme
Parameters
–p : a large prime
–α : a generator of Z_p^*
–a : a private key, a ∈ [1, p-1]
–β : a public key, β = α^a (mod p)
–m : a message, m ∈ [1, p-1]
–k : a random integer that is privately selected, k ∈ [0, p-2]
–K = (p, α, a, β) : public key + private key
Encryption: e_K(m, k) = (y_1, y_2) where y_1 = α^k mod p and y_2 = m β^k mod p
Decryption: m = d_K(y_1, y_2) = y_2 (y_1^a)^(-1) mod p

32 ElGamal signature scheme (ElGamal, 1985)
Parameters
–p : a large prime
–α : a generator of Z_p^*
–a : a private key, a ∈ [1, p-1]
–β : a public key, β = α^a (mod p)
–m : a message to be signed, m ∈ [1, p-1]
–k : a random integer that is privately selected, k ∈ [0, p-2]
Signature
–r = α^k mod p, where gcd(k, p-1) = 1
–m = ks + ra mod (p-1), i.e. s = k^(-1)(m – ra) mod (p-1)
–(m, (r, s)) is sent to the verifier
Verification
–α^m = r^s β^r mod p
–The signature (r, s) is accepted when the equality holds.
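The encryption scheme of slide 31 and the signature scheme of slide 32 together, as an added example (my code, not the slides'). It uses the same constructed toy group Z_1019^* with generator 2 as above, draws a fresh k from `secrets` for every encryption and signature, and range-checks r and s before verifying, which the textbook statement omits; a tampered message is shown to fail verification. Real parameters are far larger and the message is hashed before signing.

```python
# Added example (not from the slides): ElGamal encryption (slide 31) and the
# ElGamal signature scheme (slide 32) over the toy group Z_1019^* with
# generator 2 (constructed values: 1019 is prime and 2 is a primitive root).
import secrets
from math import gcd

P, ALPHA = 1019, 2

def keygen(p, alpha, rng=secrets.randbelow):
    """Private a in [1, p-2] and public beta = alpha^a mod p."""
    a = 1 + rng(p - 2)
    return a, pow(alpha, a, p)

def encrypt(m, beta, p, alpha, rng=secrets.randbelow):
    """e_K(m, k) = (alpha^k, m * beta^k) mod p with a fresh random k in [0, p-2]."""
    if not 1 <= m <= p - 1:
        raise ValueError("message must lie in [1, p-1]")
    k = rng(p - 1)
    return pow(alpha, k, p), m * pow(beta, k, p) % p

def decrypt(y1, y2, a, p):
    """d_K(y1, y2) = y2 * (y1^a)^(-1) mod p."""
    return y2 * pow(pow(y1, a, p), -1, p) % p

def sign(m, a, p, alpha, rng=secrets.randbelow):
    """(r, s) with r = alpha^k and m = k s + r a (mod p-1); k must be a unit
    mod p-1 so that s can be solved for, and must never be reused."""
    while True:
        k = 1 + rng(p - 2)
        if gcd(k, p - 1) == 1:
            break
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (m - r * a) % (p - 1)
    return r, s

def verify(m, r, s, beta, p, alpha):
    """Accept iff alpha^m == r^s * beta^r (mod p), after range-checking (r, s)."""
    if not 1 <= r <= p - 1 or not 0 <= s <= p - 2:
        return False
    return pow(alpha, m, p) == pow(r, s, p) * pow(beta, r, p) % p

def demo_roundtrip(m):
    """Encrypt/decrypt m and sign it.  Returns (decrypted, sig_ok, tampered_ok):
    the last is the verifier's verdict on the same signature over m + 1."""
    a, beta = keygen(P, ALPHA)
    y1, y2 = encrypt(m, beta, P, ALPHA)
    r, s = sign(m, a, P, ALPHA)
    return (decrypt(y1, y2, a, P),
            verify(m, r, s, beta, P, ALPHA),
            verify(m + 1, r, s, beta, P, ALPHA))

if __name__ == "__main__":
    print(demo_roundtrip(321))     # expected (321, True, False)
```

Why the verification equation holds: α^m = α^(ks + ra) = (α^k)^s (α^a)^r = r^s β^r mod p, since exponents of α are only defined mod p-1. The range check on r matters in practice because without it a verifier can be handed values outside Z_p^* that still satisfy the congruence.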

