Presentation is loading. Please wait.

Presentation is loading. Please wait.

Discrete Log ElGamal Cryptosystem

Published byGary Walker Modified over 5 years ago

Similar presentations

Presentation on theme: "Discrete Log ElGamal Cryptosystem"— Presentation transcript:

1 Discrete Log ElGamal Cryptosystem
Discrete Log Algorithms: Shanks’, Pollard-Rho In Practice Diffie-Hellman Discrete Log CSCI284 Spring 2004 GWU

2 CS297-15: Electronic Voting
CRN 86928 M in 2020K 9 Send mail to saying why you should be allowed to take the class. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

3 CS284/Spring04/GWU/Vora/RSA
Various Logistics Project presentations on: 26th April, Monday, 6:10-7:40 27th April, Tuesday, 6:10-7:40 (make-up day) and 28th April, Wednesday, 6:10-7:40 (another make-up day) No office hours this coming Wed. Send with questions on hw 4/11/2019 CS284/Spring04/GWU/Vora/RSA

4 The ElGamal Cryptosystem is based on the Discrete Log problem:
Given a multiplicative group G, an element  G such that o() = n, and an element <> Find the unique integer a, 0  a  n-1 such that a =  a denoted as log Not known to be doable in polynomial time, however exponentiation is. Hence DL is a possible one-way function 4/11/2019 CS284/Spring04/GWU/Vora/RSA

5 CS284/Spring04/GWU/Vora/RSA
El Gamal Cryptosystem Let p a prime such that DL in Zp* is infeasible Let Zp* be a primtive element P = Zp* C = Zp* X Zp* and K = {(p, , a, ): =a (mod p)} public key = (p, , ) and private key = a For a secret random number k Zp-1 eK(x, k) = (y1, y2) y1 = k mod p y1 = xk mod p dK (y1, y2) = y2( y1a)-1 mod p 4/11/2019 CS284/Spring04/GWU/Vora/RSA

6 CS284/Spring04/GWU/Vora/RSA
Example p = 2579  = 2 a = 1391 Encrypt message: 2079 4/11/2019 CS284/Spring04/GWU/Vora/RSA

7 Solving Discrete Log: finding a such that a =  in group G
In O(n) steps – brute force, no storage Precompute all possible values of i (n multiplications); quick sort (O(nlogn)); binary search (O(logn)). Requires O(n) storage 4/11/2019 CS284/Spring04/GWU/Vora/RSA

8 Time/memory trade-off: Shanks’ Algorithm
SHANKS(G, n, , ) m  ceil(n) for j 0 to m-1 compute mj list L1  sorted wrt second coordinate {(j, mj)} for i 0 to m-1 compute  -i list L2  sorted wrt second coordinate {(i,  -i)} Find (j, y)  L1 and (i, y)  L2 for some y log  (mj + i) mod n 4/11/2019 CS284/Spring04/GWU/Vora/RSA

9 Proof of correctness? Complexity?
4/11/2019 CS284/Spring04/GWU/Vora/RSA

10 CS284/Spring04/GWU/Vora/RSA
Example p = 127  = 3 a = 56  = ? n = 126 How will you find a using Shanks’? 4/11/2019 CS284/Spring04/GWU/Vora/RSA

11 Pollard-Rho Discrete Log
procedure f(x, a, b) /* mimic random function, maintaining x = ab */ if xS1 f  (.x, a, (b+1) mod n) else if xS2 f  (x2, 2a mod n, 2b mod n) else f  (.x, (a +1) mod n, b) Return (f) 4/11/2019 CS284/Spring04/GWU/Vora/RSA

12 Pollard-Rho Discrete Log - main
POLLARD RHO DL (G, n, , ) /* partition such that (1, 0, 0)  S2 */ Define G = S1  S2  S3 (x1, a1, b1)  f(1, 0, 0) while(xi, ai, bi)  (xj, aj, bj) for ji-1 (xi+1, ai+1, bi+1)  f(xj, aj, bj) /* (xi, ai, bi) = (xj, aj, bj) */ If gcd(bi-bj, n)  1 Return (failure) Else Return ((ai -aj)(bi – bj)-1 mod n) 4/11/2019 CS284/Spring04/GWU/Vora/RSA

13 Correctness? Complexity?
4/11/2019 CS284/Spring04/GWU/Vora/RSA

14 CS284/Spring04/GWU/Vora/RSA
Example: from text p=809  = 89 o() = 101  = 618 Show that log = 49 using Pollard-Rho 4/11/2019 CS284/Spring04/GWU/Vora/RSA

15 CS284/Spring04/GWU/Vora/RSA
Practicalities More efficient attacks possible unless elliptic curve DL, for which these efficient attacks are not known. Modulus required for security: 2160 with elliptic curves 21880 without DL over elliptic curves very hot problem. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

16 Diffie-Hellman Key Exchange
Protocol for exchanging secret key over public channel. Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

17 Diffie-Hellman Key Exchange contd.
Alice privately selects random b and sends to Bob b mod p. Bob privately selects random c and sends to Alice c mod p. Alice and Bob privately compute bc mod p which is their shared secret. An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem. This is a key agreement protocol. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

18 Diffie-Hellman problem
Given a multiplicative group G, an element G of order n and two elements ,   <> Computational Diffie-Hellman: Find  such that log   log   log (mod n) Equivalently, given b, and c find bc Decision Diffie-Hellman Given an additional   <> Determine if log   log   log (mod n) Equivalently, given b, c, and d determine if d  bc (mod n) 4/11/2019 CS284/Spring04/GWU/Vora/RSA

19 CS284/Spring04/GWU/Vora/RSA
An attack Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack. Mallory captures b and c in transmission and replaces with own b’ and c’. Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

Download ppt "Discrete Log ElGamal Cryptosystem"

Similar presentations

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’

1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
By Abhijith Chandrashekar and Dushyant Maheshwary.

By Abhijith Chandrashekar and Dushyant Maheshwary.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google