Research on the Discrete Logarithm Problem Wang Ping Meng Xuemei 2003. 03. 30.

Presentation transcript:

Research on the Discrete Logarithm Problem Wang Ping Meng Xuemei

2 Content
Introduction
Mathematical Background
Definition of DLP
Methods in Use Today to Compute DL
Future Work
Question & Answer

3 Introduction DLP is the underlying one-way function for: Diffie-Hellman key exchange. DSA (digital signature algorithm). ElGamal encryption/digital signature scheme. Elliptic curve cryptosystems. …… DLP is based on finite groups.

4 Mathematical Background: Groups
Definition: A group is a set G of elements together with a binary operation “” such that:
If a, b ∈ G then a b = c ∈ G → (closure).
If (a b) c = a (b c) → (associativity).
There exists an identity element e ∈ G, for all a ∈ G: e a = a e = a → (identity).
For all a ∈ G, there exists an inverse element $a^{-1}$ such that $a\,a^{-1} = e$ → (inverse).

5 Mathematical Background: Inverses
Definition: Let a be a number. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m, and write $b = a^{-1} \pmod{m}$.
Theorem: a has an inverse mod m iff gcd(a, m) = 1.
$Z_p^*$: The set of all the invertible integers mod p: $Z_p^* = \{\, i \in Z_p \mid \gcd(i, p) = 1 \,\}$
Theorem: $Z_p^*$ forms a group under modulo p multiplication. The identity element is e = 1.

6 Mathematical Background: Example
$Z_9^* = \{1, 2, 4, 5, 7, 8\}$
[Multiplication table for $Z_9^*$]
Note: From the above multiplication table, we can see that ($Z_9^*$, * mod 9) is a group.

7 Mathematical Background: Example (cont.)
Group: G = ($Z_9^*$, * mod 9)
Find the inverse of 7 in the group ($Z_9^*$, * mod 9) through the Extended Euclidean Algorithm:
9 = 1 * → 2 = 9 − 7
7 = 3 * → 1 = 7 − 3 * 2 = 4 * 7 − 3 * 9
2 = 2 *
So we have: 1 = 4 * 7 − 3 * 9 → 4 * 7 mod 9 = 1
4 is the inverse of 7 mod 9.

8 Mathematical Background: Finite Groups
Definition: A group (G, ) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
Definition: The order of an element a ∈ G is the smallest positive integer n such that $a\,a \dots a = a^n = e$.
Definition: A group G which contains elements α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.

9 Mathematical Background: Example
Finite group: G = ($Z_{11}^*$, * mod 11)
Find the order of a = 3:
$a^1 = 3$
$a^2 = 3^2 = 9$
$a^3 = 3^3 = 27 = 5$
$a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4$
$a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1$
So ord(3) = 5.

10 Mathematical Background: Example (cont.)
Finite group: G = ($Z_{11}^*$, * mod 11)
Proof: α = 2 is a generator of G
|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
$\alpha^1 = 2$
$\alpha^2 = 2^2 = 4$
$\alpha^3 = 2^3 = 8$
$\alpha^4 = 2^4 = 16 = 5$
$\alpha^5 = 2^5 = 10$
$\alpha^6 = 2^6 = 20 = 9$
$\alpha^7 = 2^7 = 18 = 7$
$\alpha^8 = 2^8 = 14 = 3$
$\alpha^9 = 2^9 = 6$
$\alpha^{10} = 2^{10} = 12 = 1$
$\alpha^{11} = 2^{11} = 2 = \alpha$

11 Mathematical Background: Example (cont.)
Finite group: G = ($Z_{11}^*$, * mod 11)
So we have: ord(α = 2) = 10 = |G|
→ (1) G is cyclic
→ (2) α = 2 is a generator of G
Note: $2^i$; i = 1, 2, …, 10 generates all elements of G
[table indexed by i]
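The order and generator calculations from the two examples above, as an added Python example that is not part of the original slides. It goes slightly beyond the slides by deriving the order from the prime factors of |G| = p − 1 instead of listing every power; all function names are chosen here for illustration, and p is assumed prime.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for demo-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def element_order(a, p):
    """Order of a in Z_p^* (p prime).

    The order divides |G| = p - 1, so start from p - 1 and strip each
    prime factor q for as long as a^(order/q) is still the identity.
    """
    if a % p == 0:
        raise ValueError("a is not an element of Z_p^*")
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(a, order // q, p) == 1:
            order //= q
    return order


def generators(p):
    """All generators (primitive elements) of Z_p^*: elements of order p - 1."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


def powers(a, p):
    """The slide's table: a^1, a^2, ... up to the first power equal to 1."""
    out, x = [], a % p
    while True:
        out.append(x)
        if x == 1:
            return out
        x = x * a % p
```

For p = 11, `powers(3, 11)` reproduces the slide's sequence for a = 3, and `generators(11)` lists every element that could replace α = 2.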

12 Definition of DLP
The discrete logarithm problem (DLP)
Definition: Given a prime p, a generator α of $Z_p^*$, and an element β ∈ $Z_p^*$, find the integer x, 0 ≤ x ≤ p − 2, such that $\alpha^x = \beta \pmod{p}$.
The generalized discrete logarithm problem (GDLP)
Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that $\alpha^x = \beta$.

13 Definition of DLP: Example
G = ($Z_{11}$, + mod 11)
We have: [table indexed by i]
So α = 2 is a generator of G.
Let i = 7, β = 7 * 2 = 3 mod 11
Question: given α = 2, β = 3 = i * 2 mod 11, find i
Answer: $i = 2^{-1} * 3 \bmod 11$
Note: $2^{-1} = 6$ can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.

14 Definition of DLP: Example
G = ($Z_{11}^*$, * mod 11)
α = 2 is a generator of G.
Let i = 8, $\beta = 2^8 = 3 \bmod 11$
Question: given α = 2, $\beta = 3 = 2^i$, find i
$i = \log_2 3 = \log_2 2^i = ?$
Note: No efficient algorithm to find i, it’s a very hard computational problem! Thus this example is a one-way function.

15 Methods in Use Today to Compute DL: Baby-step giant-step Algorithm
Algorithm: Baby-step giant-step algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: $x = \log_\alpha \beta$.
Set m :=
Construct a table with entries (j, $\alpha^j$) for 0 ≤ j < m. Sort this table by second component.
Compute $\alpha^{-m}$ and set γ := β.
For i from 0 to m − 1:
1. Check if γ is the second component of some entry in the table.
2. If $\gamma = \alpha^j$ then return (x = im + j).
3. Set $\gamma := \gamma\,\alpha^{-m}$

16 Methods in Use Today to Compute DL: Baby-step giant-step Algorithm Example
INPUT: a generator α = 2 of G = ($Z_{11}^*$, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: $x = \log_\alpha \beta = \log_2 3$.
Set m := = 4
Construct a table with entries (j, $\alpha^j$) for 0 ≤ j < 4. Sort this table by second component.
[table of (j, $\alpha^j$) entries]
Using the Extended Euclidean Algorithm, compute $\alpha^{-1} = 2^{-1} \bmod 11 = 6$; we then have $\alpha^{-m} = 2^{-4} \bmod 11 = 6^4 \bmod 11 = 9$. Set γ := β = 3.

17 Methods in Use Today to Compute DL: Baby-step giant-step Algorithm Example (cont.)
For i from 0 to 3, we have the following table:
[table of i and $3 * 9^i \bmod 11$]
Because $3 * 9^2 \bmod 11 = \alpha^0 = 1$, we have: x = im + j = 8.
Note: The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
Complexity: O( ) steps. Minimum security requirement: ≥ $2^{160}$
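The baby-step giant-step procedure and the Extended Euclidean inverse it relies on, as an added Python example that is not part of the original slides. It assumes G is $Z_p^*$ for a prime p, takes m as the ceiling of the square root of n (the standard choice, which gives the m = 4 used in the example), and uses a dictionary in place of the sorted table; the function names are chosen here.

```python
from math import isqrt


def ext_gcd(a, b):
    """Extended Euclidean Algorithm: returns (g, s, t) with s*a + t*b == g."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a, m):
    """Inverse of a mod m; exists only when gcd(a, m) == 1."""
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return s % m


def bsgs(alpha, beta, p, n=None):
    """Return x in [0, n) with alpha^x = beta (mod p), or None if none exists.

    n is the order of alpha (defaults to |Z_p^*| = p - 1).
    Time and memory are both about sqrt(n) group operations / table entries.
    """
    n = p - 1 if n is None else n
    m = isqrt(n - 1) + 1                      # ceil(sqrt(n)) for n >= 1
    table, e = {}, 1
    for j in range(m):                        # baby steps: alpha^j -> j
        table.setdefault(e, j)
        e = e * alpha % p
    factor = pow(mod_inverse(alpha, p), m, p)  # alpha^(-m)
    gamma = beta % p
    for i in range(m):                        # giant steps: beta * alpha^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    return None
```

`bsgs(2, 3, 11)` walks through the same values as the slides: the inverse 6, the giant-step factor 9, and a match at i = 2, j = 0.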

18 Future Work
Study and implement other methods in use today to compute DL, such as:
Pollard’s rho algorithm
Pohlig-Hellman algorithm
Index-Calculus method
Challenge or improve some of these methods

Question & Answer Thanks