Public key ciphers 2 Session 6

Contents The discrete logarithm problem The Diffie-Hellman key exchange

The discrete logarithm problem Over the real numbers, exponentiation (finding y=bx ) is not significantly easier than the inverse operation (finding x=logb(y)) Over GF(pn) the algorithm for modular exponentiation or repeated squaring makes exponentiation easy But finding logb(y) is considered to be a difficult problem

The discrete logarithm problem Definition (Discrete logarithm) If G is a finite group, b is an element of G and y is an element of G such that y=bx, then the discrete logarithm of y for the base b is any integer x such that bx = y

The discrete logarithm problem Example (1) Let f(x)=x2-x-1 be an irreducible polynomial over GF(32) The elements of the multiplicative group of the field are the powers of a primitive element  (1) 0=101 1=10 2=2 mod (2--1)=+111 3=2=(+1)=2+=+1+=2+121

The discrete logarithm problem Example (2) The elements of the multiplicative group of the field (2) 4=3=(2+1)=22+=2(+1)+=2+2+=202 5=4=220 6=5=2=22=2(+1)=2+222 7=6=(2+2)=22+2=2(+1)+2=2+2+2= = +212 00 is also an element of the field

The discrete logarithm problem Example (3) The logarithm log(02)=log(4)=4 We do not know a polynomial algorithm for determining the discrete log in a general case (i.e. in any group)

The discrete logarithm problem Known algorithms for solving DLP (1) Algorithms that work in arbitrary groups Exhaustive search Baby-step giant-step algorithm Etc. Algorithms that work in arbitrary groups, but are especially efficient if the order of the group has only small prime factors Example: the Pohlig-Hellman algorithm

The discrete logarithm problem Known algorithms for solving DLP (2) The index calculus algorithms, which are efficient only in certain groups

The discrete logarithm problem Exhaustive search Requires generating of the whole multiplicative group of the field That requires O(q) operations, where q=pn is the order of the multiplicative group of the field GF(pn)

The discrete logarithm problem The Baby step – giant step algorithm (1) Input A generator  of a cyclic group G of order n, and an element G Output The discrete logarithm x = log

The discrete logarithm problem The Baby step – giant step algorithm (2) Set m=  Construct a table with entries (j,j), 0j<m Sort the table by its second component Compute -m mod n and set =

The discrete logarithm problem The Baby step – giant step algorithm (3) For 0im-1 do Check if  is the second component of some entry in the table If =j then return x=im+j Set  -m The algorithm requires O( ) storage and O( ) group multiplications

The discrete logarithm problem Example: n=113, =3, =57 (1) Set m= =11 Construct the table Sort the table by the second component j 1 2 3 4 5 6 7 8 9 10 3j mod 113 27 81 17 51 40 21 63 j 1 8 2 5 9 3 7 6 10 4 3j mod 113 17 21 27 40 51 63 81

The discrete logarithm problem Example: n=113, =3, =57 (2) Compute -11 mod 113 = (11)-1 (1) We use the extended Euclidean algorithm (1) 11 mod 113=311 mod 113=76 We compute (113,76) 113=176+37 76=237+2 37=182+1 Then 1=37-182=37-18(76-237)=37-1876+3637= =3737-1876=37(113-76)-1876=37113-3776-1876= =37113-5576

The discrete logarithm problem Example: n=113, =3, =57 (3) Compute -11 mod 113 = (11)-1 (2) We use the extended Euclidean algorithm (2) If we take both sides mod 113 we get 1-55 76 (mod 113) Since -5558 (mod 113), (11)-1=58 We also set ==57

The discrete logarithm problem Example: n=113, =3, =57 (4) For i=0 to 10 we try -m until we get a value from the second row in the table We conclude that log357=911+1=100 i 1 2 3 4 5 6 7 8 9  57 29 100 37 112 55 26 39

The Diffie-Hellman key exchange Diffie and Hellman gave the first detailed proposal for the process of agreeing on a key for a classical cryptosystem using a public key system The key exchange protocol is based on the assumption that it is computationally infeasible to compute gab knowing only ga and gb when g is some fixed element in GF(pn)

The Diffie-Hellman key exchange The Diffie-Hellman assumption is a priori at least as strong as the assumption that discrete logarithms cannot be feasibly computed in a group Let p be a prime and let  be a generator

The Diffie-Hellman key exchange Example, p=53, n=1, =2

The Diffie-Hellman key exchange The Diffie-Hellman key exchange algorithm gives protection against passive adversaries, but not against active adversaries capable of intercepting, modifying, or injecting messages Neither party has assurance of the source identity of the incoming message or the identity of the party which may know the resulting key