Presentation is loading. Please wait.

Presentation is loading. Please wait.

Homework 3 As announced: not due today 

Published byRussell Clark Modified over 5 years ago

Similar presentations

Presentation on theme: "Homework 3 As announced: not due today "— Presentation transcript:

1 Homework 3 As announced: not due today 
Due Friday at the beginning of class.

2 Cryptography CS 555 Topic 27: Factoring Algorithm, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters

3 Recap OWFs + CRHFs from Discrete Log + Factoring
Pollards (p-1) algorithm (works when N=pq and (p-1) has only “small” prime factors)

4 Pollard’s Rho Algorithm
General Purpose Factoring Algorithm Doesn’t assume (p-1) has no large prime factor Goal: factor N=pq (product of two n-bit primes) Running time: 𝑂 4 𝑁 pol𝑦𝑙𝑜𝑔(𝑁) Naïve Algorithm takes time 𝑂 𝑁 pol𝑦𝑙𝑜𝑔(𝑁) to factor Core idea: find distinct x,x′∈ ℤ 𝑁 ∗ such that 𝑥= 𝑥 ′ mod 𝑝 Implies that x-x’ is a multiple of p and, thus, GCD(x-x’,N)=p (whp)

5 Pollard’s Rho Algorithm
General Purpose Factoring Algorithm Doesn’t assume (p-1) has no large prime factor Running time: 𝑂 4 𝑁 pol𝑦𝑙𝑜𝑔(𝑁) Core idea: find distinct x,x′∈ ℤ 𝑁 ∗ such that 𝑥= 𝑥 ′ mod 𝑝 Implies that x-x’ is a multiple of p and, thus, GCD(x-x’,N)=p (whp) Question: If we pick k=O 𝑝 random 𝑥 (1) ,…, 𝑥 (𝑘) ∈ ℤ 𝑁 ∗ then what is the probability that we can find distinct 𝑖 and 𝑗 such that 𝑥 (𝑖) = 𝑥 (𝑗) mod p?

6 Pollard’s Rho Algorithm
Question: If we pick k=O 𝑝 random 𝑥 (1) ,…, 𝑥 (𝑘) ∈ ℤ 𝑁 ∗ then what is the probability that we can find distinct 𝑖 and 𝑗 such that 𝑥 (𝑖) = 𝑥 (𝑗) mod p? Answer: ≥ 1 2 Proof (sketch): Use the Chinese Remainder Theorem + Birthday Bound 𝑥 (𝑖) = 𝑥 (𝑖) 𝑚𝑜𝑑 𝑝, 𝑥 (𝑖) 𝑚𝑜𝑑 𝑞 Note: We will also have 𝑥 (𝑖) ≠ 𝑥 𝑗 mod q (whp)

7 Pollard’s Rho Algorithm
Question: If we pick k=O 𝑝 random 𝑥 (1) ,…, 𝑥 (𝑘) ∈ ℤ 𝑁 ∗ then what is the probability that we can find distinct 𝑖 and 𝑗 such that 𝑥 (𝑖) = 𝑥 (𝑗) mod p? Answer: ≥ 1 2 Challenge: We do not know p or q so we cannot sort the 𝑥 (𝑖) ’s using the Chinese Remainder Theorem Representation 𝑥 (𝑖) = 𝑥 (𝑖) 𝑚𝑜𝑑 𝑝, 𝑥 (𝑖) 𝑚𝑜𝑑 𝑞 How can we identify the pair 𝑖 and 𝑗 such that 𝑥 (𝑖) = 𝑥 (𝑗) mod p?

8 Pollard’s Rho Algorithm
Pollard’s Rho Algorithm is similar the low-space version of the birthday attack Input: N (product of two n bit primes) 𝑥 (0) ← ℤ 𝑁 ∗ , x= x ′ = 𝑥 (0) For i=1 to 2 𝑛/2 𝑥←𝐹(𝑥) 𝑥 ′ ←𝐹 𝐹 𝑥 p = GCD(x-x’,N) if 1< p < N return p Remark 1: F should have the property that if x=x’ mod p then F(x) = F(x’) mod p. Remark 2: 𝐹 𝑥 = 𝑥 2 +1 𝑚𝑜𝑑 𝑁 will work since 𝐹 𝑥 = 𝑥 2 +1 𝑚𝑜𝑑 𝑁 ↔ 𝑥 2 +1 𝑚𝑜𝑑 𝑝, 𝑥 2 +1 𝑚𝑜𝑑 𝑞 ↔ 𝐹 𝑥 mod 𝑝 𝑚𝑜𝑑 𝑝,𝐹 𝑥 mod 𝑞 𝑚𝑜𝑑 𝑞

9 Pollard’s Rho Algorithm
Pollard’s Rho Algorithm is similar the low-space version of the birthday attack Input: N (product of two n bit primes) 𝑥 (0) ← ℤ 𝑁 ∗ , x= x ′ = 𝑥 (0) For i=1 to 2 𝑛/2 𝑥←𝐹(𝑥) 𝑥 ′ ←𝐹 𝐹 𝑥 p = GCD(x-x’,N) if 1< p < N return p Claim: Let 𝑥 (𝑖+1) =𝐹 𝑥 (𝑖) and suppose that for some distinct i,j< 2 𝑛/2 we have 𝑥 (𝑖) = 𝑥 (𝑗) mod p but 𝑥 (𝑖) ≠ 𝑥 (𝑗) . Then the algorithm will find p. Proof: First part of claim states that there is a cycle. If there is such a cycle we will detect it 𝑥 (3) mod p Cycle length: i-j

10 Pollard’s Rho Algorithm (Summary)
General Purpose Factoring Algorithm Doesn’t assume (p-1) has no large prime factor Running time: 𝑂 4 𝑁 pol𝑦𝑙𝑜𝑔(𝑁) (still exponential in number of bits ~ 2 𝑛/4 ) Required Space: 𝑂 log(𝑁) Succeeds with constant probability

11 Quadratic Sieve Algorithm
Runs in sub-exponential time 2 𝑂 log 𝑁 log log 𝑁 = 2 𝑂 𝑛 log 𝑛 Still not polynomial time but 2 𝑛 log 𝑛 grows much slower than 2 𝑛/4 . Core Idea: Find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 and 𝑥≠±𝑦 mod 𝑁

12 Quadratic Sieve Algorithm
Core Idea: Find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 (1) and 𝑥≠±𝑦 mod 𝑁 2 Claim: gcd(x-y,N)∈ 𝑝,𝑞 N=pq divides 𝑥 2 − 𝑦 2 = 𝑥−𝑦 𝑥+𝑦 . (by (1)). 𝑥−𝑦 𝑥+𝑦 ≠0 (by (2)). N does not divide 𝑥−𝑦 (by (2)). N does not divide 𝑥+𝑦 . (by (2)). p is a factor of exactly one of the terms 𝑥−𝑦 and 𝑥+𝑦 . (q is a factor of the other term)

13 Quadratic Sieve Algorithm
Core Idea: Find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 and 𝑥≠±𝑦 mod 𝑁 Key Question: How to find such an x,y∈ ℤ 𝑁 ∗ ? Step 1: j=0; For x= 𝑁 +1, 𝑁 +2,…, 𝑁 +𝑖,… q← 𝑁 +𝑖 2 𝑚𝑜𝑑 𝑁 = 2𝑖 𝑁 +𝑖2 𝑚𝑜𝑑 𝑁 Check if q is B-smooth (all prime factors of q are in {p1,…,pk} where pk < B). If q is B smooth then factor q, increment j and define qj←𝑞= 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑗,𝑖 ,

14 Quadratic Sieve Algorithm
Core Idea: Find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 and 𝑥≠±𝑦 mod 𝑁 Key Question: How to find such an x,y∈ ℤ 𝑁 ∗ ? Step 2: Once we have ℓ>𝑘 equations of the form qj←𝑞= 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑗,𝑖 , We can use linear algebra to find S such that for each 𝑖≤𝑘 we have 𝑗∈𝑆 𝑒 𝑗,𝑖 =0 𝑚𝑜𝑑 2.

15 Quadratic Sieve Algorithm
Key Question: How to find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 and 𝑥≠±𝑦 mod 𝑁? Step 2: Once we have ℓ>𝑘 equations of the form qj←𝑞= 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑗,𝑖 , We can use linear algebra to find a subset S such that for each i≤k we have 𝑗∈𝑆 𝑒 𝑗,𝑖 =0 𝑚𝑜𝑑 2. Thus, 𝑗∈𝑆 qj = 𝑖=1 𝑘 𝑝 𝑖 𝑗∈𝑆 𝑒 𝑗,𝑖 = 𝑖=1 𝑘 𝑝 𝑖 𝑗∈𝑆 𝑒 𝑗,𝑖 =𝑦2

16 Quadratic Sieve Algorithm
Key Question: How to find x,y∈ ℤ 𝑁 ∗ such that 𝑥 2 = 𝑦 2 mod 𝑁 and 𝑥≠±𝑦 mod 𝑁? Thus, 𝑗∈𝑆 qj = 𝑖=1 𝑘 𝑝 𝑖 𝑗∈𝑆 𝑒 𝑗,𝑖 = 𝑖=1 𝑘 𝑝 𝑖 𝑗∈𝑆 𝑒 𝑗,𝑖 =𝑦2 But we also have 𝑗∈𝑆 qj = 𝑗∈𝑆 𝑥𝑗2 = 𝑗∈𝑆 𝑥𝑗 2 =𝑥2 𝑚𝑜𝑑 𝑁

17 Quadratic Sieve Algorithm (Summary)
Appropriate parameter tuning yields sub-exponential time algorithm 2 𝑂 log 𝑁 log log 𝑁 = 2 𝑂 𝑛 log 𝑛 Still not polynomial time but 2 𝑛 log 𝑛 grows much slower than 2 𝑛/4 .

18 Discrete Log Attacks Pohlig-Hellman Algorithm
Given a cyclic group 𝔾 of non-prime order q=| 𝔾 |=rp Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). Preference for prime order subgroups in cryptography Baby-step/Giant-Step Algorithm Solve discrete logarithm in time 𝑂 𝑞 𝑝𝑜𝑙𝑦𝑙𝑜𝑔(𝑞) Pollard’s Rho Algorithm Bonus: Constant memory! Index Calculus Algorithm Similar to quadratic sieve Runs in sub-exponential time 2 𝑂 log 𝑞 log log 𝑞 Specific to the group ℤ 𝑝 ∗ (e.g., attack doesn’t work elliptic-curves)

19 Discrete Log Attacks Pohlig-Hellman Algorithm
Given a cyclic group 𝔾 of non-prime order q=| 𝔾 |=rp Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). Preference for prime order subgroups in cryptography Let 𝔾= 𝑔 and h= 𝑔 𝑥 ∈𝔾 be given. For simplicity assume that r is prime and r < p. Observe that 𝑔𝑟 generates a subgroup of size p and that hr∈ 𝑔𝑟 . Solve discrete log problem in subgroup 𝑔𝑟 with input hr. Find z such that hrz=𝑔𝑟𝑧. Observe that 𝑔𝑝 generates a subgroup of size p and that hp∈ 𝑔𝑝 . Solve discrete log problem in subgroup 𝑔𝑝 with input hp. Find y such that hyp=𝑔𝑦𝑝. Chinese Remainder Theorem h= 𝑔 𝑥 where x↔ 𝑧 mod 𝑝 , [𝑦 mod 𝑟]

20 Baby-step/Giant-Step Algorithm
Input: 𝔾= 𝑔 of order q, generator g and h= 𝑔 𝑥 ∈𝔾 Set 𝑡= 𝑞 For i =0 to 𝑞 𝑡 𝑔 𝑖 ← 𝑔 𝑖𝑡 Sort the pairs (i,gi) by their second component For i =0 to 𝑡 ℎ 𝑖 ←ℎ 𝑔 𝑖 if ℎ 𝑖 =𝑔𝑘∈ 𝑔 0 ,…, 𝑔 𝑡 then return [kt-i mod q] ℎ 𝑖 =ℎ 𝑔 𝑖 = 𝑔 𝑘𝑡 →ℎ= 𝑔 𝑘𝑡−𝑖

21 Discrete Log Attacks Baby-step/Giant-Step Algorithm
Solve discrete logarithm in time 𝑂 𝑞 𝑝𝑜𝑙𝑦𝑙𝑜𝑔(𝑞) Requires memory 𝑂 𝑞 𝑝𝑜𝑙𝑦𝑙𝑜𝑔(𝑞) Pollard’s Rho Algorithm Bonus: Constant memory! Key Idea: Low-Space Birthday Attack (*) using our collision resistant hash function 𝐻 𝑔,ℎ 𝑥 1 , 𝑥 2 = 𝑔 𝑥 1 ℎ 𝑥 2 𝐻 𝑔,ℎ 𝑦 1 , 𝑦 2 = 𝐻 𝑔,ℎ 𝑥 1 , 𝑥 2 → ℎ 𝑦 2 − 𝑥 2 = 𝑔 𝑥 1 − 𝑦 1 →ℎ= 𝑔 𝑥 1 − 𝑦 𝑦 2 − 𝑥 2 −1 (*) A few small technical details to address

22 Discrete Log Attacks Baby-step/Giant-Step Algorithm
Remark: We used discrete-log problem to construct collision resistant hash functions. Security Reduction showed that attack on collision resistant hash function yields attack on discrete log. Generic attack on collision resistant hash functions (e.g., low space birthday attack) yields generic attack on discrete log. Baby-step/Giant-Step Algorithm Solve discrete logarithm in time 𝑂 𝑞 𝑝𝑜𝑙𝑦𝑙𝑜𝑔(𝑞) Requires memory 𝑂 𝑞 𝑝𝑜𝑙𝑦𝑙𝑜𝑔(𝑞) Pollard’s Rho Algorithm Bonus: Constant memory! Key Idea: Low-Space Birthday Attack (*) 𝐻 𝑔,ℎ 𝑥 1 , 𝑥 2 = 𝑔 𝑥 1 ℎ 𝑥 2 𝐻 𝑔,ℎ 𝑦 1 , 𝑦 2 = 𝐻 𝑔,ℎ 𝑥 1 , 𝑥 2 → ℎ 𝑦 2 − 𝑥 2 = 𝑔 𝑥 1 − 𝑦 1 →ℎ= 𝑔 𝑥 1 − 𝑦 𝑦 2 − 𝑥 2 −1 (*) A few small technical details to address

23 Discrete Log Attacks Index Calculus Algorithm
Similar to quadratic sieve Runs in sub-exponential time 2 𝑂 log 𝑞 log log 𝑞 Specific to the group ℤ 𝑝 ∗ (e.g., attack doesn’t work elliptic-curves) As before let {p1,…,pk} be set of prime numbers < B. Step 1.A: Find ℓ>𝑘 distinct values 𝑥 1 ,…, 𝑥 𝑘 such that 𝑔 𝑗 = 𝑔 𝑥 𝑗 𝑚𝑜𝑑 𝑝 is B-smooth for each j. That is 𝑔 𝑗 = 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑖,𝑗 .

24 Discrete Log Attacks As before let {p1,…,pk} be set of prime numbers < B. Step 1.A: Find ℓ>𝑘 distinct values 𝑥 1 ,…, 𝑥 𝑘 such that 𝑔 𝑗 = 𝑔 𝑥 𝑗 𝑚𝑜𝑑 𝑝 is B-smooth for each j. That is 𝑔 𝑗 = 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑖,𝑗 . Step 1.B: Use linear algebra to solve the equations 𝑥 𝑗 = 𝑖=1 𝑘 𝐥𝐨𝐠 𝐠 𝐩 𝐢 ×𝑒 𝑖,𝑗 mod (𝑝−1). (Note: the 𝐥𝐨𝐠 𝐠 𝐩 𝐢 ’s are the unknowns)

25 Discrete Log As before let {p1,…,pk} be set of prime numbers < B.
Step 1 (precomputation): Obtain y1,…,yk such that pi= 𝑔 𝑦 𝑖 𝑚𝑜𝑑 𝑝. Step 2: Given discrete log challenge h=gx mod p. Find y such that 𝑔 𝑦 h mod p is B-smooth 𝑔 𝑦 h mod p = 𝑖=1 𝑘 𝑝 𝑖 𝑒 𝑖 = 𝑖=1 𝑘 𝑔 𝑦 𝑖 𝑒 𝑖 = 𝑔 𝑖 𝑒 𝑖 𝑦 𝑖

26 Discrete Log 𝑔 𝑧 h mod p = 𝑔 𝑖 𝑒 𝑖 𝑦 𝑖 →ℎ= 𝑔 𝑖 𝑒 𝑖 𝑦 𝑖 −𝑧
As before let {p1,…,pk} be set of prime numbers < B. Step 1 (precomputation): Obtain y1,…,yk such that pi= 𝑔 𝑦 𝑖 𝑚𝑜𝑑 𝑝. Step 2: Given discrete log challenge h=gx mod p. Find z such that 𝑔 𝑧 h mod p is B-smooth 𝑔 𝑧 h mod p = 𝑔 𝑖 𝑒 𝑖 𝑦 𝑖 →ℎ= 𝑔 𝑖 𝑒 𝑖 𝑦 𝑖 −𝑧 Remark: Precomputation costs can be amortized over many discrete log instances In practice, the same group 𝔾= 𝑔 and generator g are used repeatedly. Reference:

27 NIST Guidelines (Concrete Security)
Best known attack against 1024 bit RSA takes time (approximately) 280

28 NIST Guidelines (Concrete Security)
Diffie-Hellman uses subgroup of ℤ 𝑝 ∗ size q q=224 bits q=256 bits q=384 bits q=512 bits

29

30 Next Class: Key Management
Read Katz and Lindell: Chapter 10

Download ppt "Homework 3 As announced: not due today "

Similar presentations

Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Prime recognition and factorization

Prime recognition and factorization
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.

Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.
Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.

Factoring Algorithms Ref: D. Stinson, Cryptography - Theory and Practice, 2001.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Topic 18: RSA Implementation and Security

Topic 18: RSA Implementation and Security
-Anusha Uppaluri.  ECC- A set of algorithms for key generation, encryption and decryption (public key encryption technique)  ECC was introduced by Victor.

-Anusha Uppaluri.  ECC- A set of algorithms for key generation, encryption and decryption (public key encryption technique)  ECC was introduced by Victor.
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright © The McGraw-Hill Companies, Inc. Permission required.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright © The McGraw-Hill Companies, Inc. Permission required.

1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz

1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security (CS435) Part Eight (Key Management)
Discrete Logarithm(s) (DLs) Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a x ≡ b (mod p) is called the discrete.

Discrete Logarithm(s) (DLs) Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a x ≡ b (mod p) is called the discrete.

Similar presentations

Ads by Google