
Research on the Discrete Logarithm Problem Wang Ping Meng Xuemei 2003. 05. 18.


Slide 2: Content
- Introduction
- Mathematical Background
- Definition of DLP
- Methods Used Today to Compute DL
- Future Work
- Question & Answer

Slide 3: Introduction
DLP is the underlying one-way function for:
- Diffie-Hellman key exchange
- DSA (digital signature algorithm)
- ElGamal encryption / digital signature scheme
- Elliptic curve cryptosystems
- ...
DLP is based on finite groups.

Slide 4: Mathematical Background - Groups
Definition: A group is a set G of elements together with a binary operation ∘ such that:
- If a, b ∈ G then a ∘ b = c ∈ G (closure).
- (a ∘ b) ∘ c = a ∘ (b ∘ c) (associativity).
- There exists an identity element e ∈ G such that for all a ∈ G: e ∘ a = a ∘ e = a (identity).
- For all a ∈ G there exists an inverse element a^(-1) such that a ∘ a^(-1) = e (inverse).

Slide 5: Mathematical Background - Inverses
Definition: Let a be a number. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m and write b = a^(-1) (mod m).
Theorem: a has an inverse mod m iff gcd(a, m) = 1.
Z_p^*: the set of all invertible integers mod p: Z_p^* = {i ∈ Z_p | gcd(i, p) = 1}.
Theorem: Z_p^* forms a group under multiplication mod p. The identity element is e = 1.

Slide 6: Mathematical Background - Example
Z_9^* = {1, 2, 4, 5, 7, 8}
Multiplication table (* mod 9):

  * | 1  2  4  5  7  8
  --+-----------------
  1 | 1  2  4  5  7  8
  2 | 2  4  8  1  5  7
  4 | 4  8  7  2  1  5
  5 | 5  1  2  7  8  4
  7 | 7  5  1  8  4  2
  8 | 8  7  5  4  2  1

Note: from the multiplication table we can see that (Z_9^*, * mod 9) is a group: every product stays in the set (closure), and every row contains 1, so every element has an inverse.

Slide 7: Mathematical Background - Example (cont.)
Group: G = (Z_9^*, * mod 9)
Find the inverse of 7 in G through the extended Euclidean algorithm:
  9 = 1 * 7 + 2  →  2 = 9 − 7
  7 = 3 * 2 + 1  →  1 = 7 − 3 * 2 = 7 − 3 * (9 − 7) = 4 * 7 − 3 * 9
  2 = 2 * 1 + 0
So we have 1 = 4 * 7 − 3 * 9, i.e. 4 * 7 mod 9 = 1: 4 is the inverse of 7 mod 9.

Slide 8: Mathematical Background - Finite Groups
Definition: A group (G, ∘) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
Definition: The order of an element a ∈ G is the smallest positive integer n such that a ∘ a ∘ … ∘ a = a^n = e.
Definition: A group G which contains an element α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.

Slide 9: Mathematical Background - Example
Finite group: G = (Z_11^*, * mod 11). Find the order of a = 3 (all values mod 11):
  a^1 = 3
  a^2 = 3^2 = 9
  a^3 = 3^3 = 27 = 5
  a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4
  a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1
So ord(3) = 5.

Slide 10: Mathematical Background - Example (cont.)
Finite group: G = (Z_11^*, * mod 11). Proof that α = 2 is a generator of G (all values mod 11):
|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
  α^1 = 2
  α^2 = 2^2 = 4
  α^3 = 2^3 = 8
  α^4 = 2^4 = 16 = 5
  α^5 = 2^5 = 10
  α^6 = 2^6 = 20 = 9
  α^7 = 2^7 = 18 = 7
  α^8 = 2^8 = 14 = 3
  α^9 = 2^9 = 6
  α^10 = 2^10 = 12 = 1
  α^11 = 2^11 = 2 = α

Slide 11: Mathematical Background - Example (cont.)
Finite group: G = (Z_11^*, * mod 11)
So we have ord(α = 2) = 10 = |G|, therefore (1) G is cyclic and (2) α = 2 is a generator of G.
Note: 2^i, i = 1, 2, …, 10 generates all elements of G:

  i    | 1  2  3  4  5   6  7  8  9  10
  2^i  | 2  4  8  5  10  9  7  3  6  1

Slide 12: Definition of DLP
The discrete logarithm problem (DLP)
Definition: Given a prime p, a generator α of Z_p^*, and an element β ∈ Z_p^*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x = β (mod p).
The generalized discrete logarithm problem (GDLP)
Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.

Slide 13: Definition of DLP - Example
G = (Z_11, + mod 11). We have:

  i      | 1  2  3  4  5   6  7  8  9  10  11
  2 * i  | 2  4  6  8  10  1  3  5  7  9   0

So α = 2 is a generator of G.
Let i = 7, β = 7 * 2 = 3 mod 11.
Question: given α = 2 and β = 3 = i * 2 mod 11, find i.
Answer: i = 2^(-1) * 3 mod 11 = 6 * 3 mod 11 = 7.
Note: 2^(-1) = 6 can be computed by the extended Euclidean algorithm, thus this example is NOT a one-way function.

Slide 14: Definition of DLP - Example
G = (Z_11^*, * mod 11); α = 2 is a generator of G.
Let i = 8, β = 2^8 = 3 mod 11.
Question: given α = 2 and β = 3 = 2^i, find i: i = log_2 3 = log_2 2^i = ?
Note: No efficient algorithm is known to find i; it is a very hard computational problem. Thus this example is a one-way function.
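The group facts from slides 4 to 11 and the additive example of slide 13, checked in code. This is an added Python example, not part of the slides; the function names (egcd, inverse_mod, units, order, additive_dlog) are my own.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclidean algorithm: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def inverse_mod(a, m):
    """a^(-1) mod m, or None when gcd(a, m) != 1 (then no inverse exists)."""
    g, s, _ = egcd(a % m, m)
    return s % m if g == 1 else None

def units(m):
    """Z_m^*: the invertible residues mod m."""
    return [i for i in range(1, m) if gcd(i, m) == 1]

def mult_table(m):
    """Rows of the multiplication table of (Z_m^*, * mod m), keyed by row element."""
    u = units(m)
    return {a: [a * b % m for b in u] for a in u}

def order(a, m):
    """Order of a in Z_m^*: the smallest n >= 1 with a^n = 1 (mod m), by repeated multiplication."""
    if gcd(a, m) != 1:
        raise ValueError("a is not in Z_m^*")
    x, n = a % m, 1
    while x != 1:
        x = x * a % m
        n += 1
    return n

def is_generator(a, m):
    """a generates Z_m^* iff ord(a) = |Z_m^*|."""
    return order(a, m) == len(units(m))

def additive_dlog(alpha, beta, n):
    """'Discrete log' in (Z_n, + mod n): solve i*alpha = beta (mod n) with one inversion,
    which is why slide 13's additive example is not a one-way function."""
    return beta * inverse_mod(alpha, n) % n
```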

Slide 15: Methods Used Today to Compute DL - Baby-step giant-step Algorithm
Algorithm: Baby-step giant-step algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Set m := ⌈√n⌉.
2. Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
3. Compute α^(-m) and set γ := β.
4. For i from 0 to m − 1:
   1. Check if γ is the second component of some entry in the table.
   2. If γ = α^j then return x = im + j.
   3. Set γ := γ * α^(-m).

Slide 16: Methods Used Today to Compute DL - Baby-step giant-step Algorithm - Example
INPUT: a generator α = 2 of G = (Z_11^*, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: x = log_α β = log_2 3.
Set m := ⌈√10⌉ = 4.
Construct a table with entries (j, α^j) for 0 ≤ j < 4 and sort it by second component:

  j           | 0  1  2  3
  2^j mod 11  | 1  2  4  8

By the extended Euclidean algorithm compute α^(-1) = 2^(-1) mod 11 = 6, so α^(-m) = 2^(-4) mod 11 = 6^4 mod 11 = 9, and set γ := β = 3.

Slide 17: Methods Used Today to Compute DL - Baby-step giant-step Algorithm - Example (cont.)
For i from 0 to 3 we have the following table (the loop stops as soon as a match is found):

  i               | 0  1  2  3
  3 * 9^i mod 11  | 3  5  1  -

Because 3 * 9^2 mod 11 = 1 = α^0, we have i = 2, j = 0 and x = im + j = 2 * 4 + 0 = 8.
The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
Complexity: O(√n) steps.
Minimum security requirement: n ≥ 2^160.
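Baby-step giant-step as described on slides 15 to 17, added here as a Python example (not from the slides). A dict lookup replaces the sorted table; the `trace` parameter is my addition so the giant-step values 3, 5, 1 from slide 17 can be inspected.

```python
from math import isqrt

def bsgs(alpha, beta, p, n, trace=None):
    """Baby-step giant-step: return x in [0, n) with alpha^x = beta (mod p), where
    alpha has order n in Z_p^*. Returns None if beta is not a power of alpha.
    If a list is passed as `trace`, the gamma values that were checked are appended to it."""
    m = isqrt(n - 1) + 1                    # m = ceil(sqrt(n)); n = 10 gives m = 4
    # Baby steps: table alpha^j -> j for 0 <= j < m (slide 16: {1:0, 2:1, 4:2, 8:3})
    table, aj = {}, 1
    for j in range(m):
        table.setdefault(aj, j)
        aj = aj * alpha % p
    alpha_inv_m = pow(alpha, -m, p)         # alpha^(-m); 2^(-4) mod 11 = 9
    gamma = beta % p
    # Giant steps: gamma_i = beta * alpha^(-i*m) for i = 0, 1, ..., m-1
    for i in range(m):
        if trace is not None:
            trace.append(gamma)
        if gamma in table:                  # gamma = alpha^j  =>  beta = alpha^(i*m + j)
            return i * m + table[gamma]
        gamma = gamma * alpha_inv_m % p
    return None
```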

Slide 18: Methods Used Today to Compute DL - Pollard's rho Algorithm
Algorithm: Pollard's rho algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Set x_0 := 1, a_0 := 0, b_0 := 0.
2. For i = 1, 2, … do the following:
   1. Using the quantities x_(i−1), a_(i−1), b_(i−1) and x_(2i−2), a_(2i−2), b_(2i−2) computed previously, compute x_i, a_i, b_i and x_(2i), a_(2i), b_(2i).
   2. If x_i = x_(2i), then do the following: set r := b_i − b_(2i) mod n. If r = 0 then terminate the algorithm with failure; otherwise compute x = r^(-1) (a_(2i) − a_i) mod n and return x.

Slide 19: Methods Used Today to Compute DL - Pollard's rho Algorithm
Pollard's rho algorithm is a randomized algorithm.
Complexity: O(√n) steps.
Minimum security requirement: n ≥ 2^160.
It has the same expected running time as the baby-step giant-step algorithm, but requires only a negligible amount of storage.
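Pollard's rho for the DL, added here as a Python example (not from the slides). Slide 18 leaves the iteration x_(i−1) → x_i unspecified; this example assumes the standard three-way partition of the group by x mod 3 (β·x, x², α·x), tracks x_i and x_(2i) Floyd-style, and adds optional starting exponents (a_0, b_0), so a run that ends in the slide's failure case can be restarted from a different point.

```python
from math import gcd

def pollard_rho_dlog(alpha, beta, p, n, a0=0, b0=0):
    """Pollard's rho: x with alpha^x = beta (mod p), alpha of order n in Z_p^*.
    Each x_i is tracked as alpha^a_i * beta^b_i; a collision x_i = x_2i gives
    a_i + x*b_i = a_2i + x*b_2i (mod n), i.e. x = r^(-1) (a_2i - a_i) with r = b_i - b_2i.
    Returns None when r has no inverse mod n (the slide's 'terminate with failure')."""

    def step(x, a, b):
        # Assumed partition by x mod 3 (any fixed 3-way split of the group works).
        if x % 3 == 1:                                      # S1: x <- beta * x
            return beta * x % p, a, (b + 1) % n
        if x % 3 == 0:                                      # S2: x <- x^2
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b                # S3: x <- alpha * x

    x0 = pow(alpha, a0, p) * pow(beta, b0, p) % p           # slide: x_0 = 1, a_0 = b_0 = 0
    x, a, b = x0, a0 % n, b0 % n                            # the sequence x_i
    X, A, B = x, a, b                                       # the sequence x_2i (two steps per round)
    while True:
        x, a, b = step(x, a, b)
        X, A, B = step(*step(X, A, B))
        if x == X:
            r = (b - B) % n
            if r == 0 or gcd(r, n) != 1:
                return None                                 # failure: restart with other a0, b0
            return pow(r, -1, n) * (A - a) % n
```

On the slides' own instance (α = 2, β = 3 in Z_11^*) the default start x_0 = 1 collides with r = 0 and fails, while starting from α^4 finds log_2 3 = 8.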

Slide 20: Methods Used Today to Compute DL - Pohlig-Hellman Algorithm
Algorithm: Pohlig-Hellman algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Find the prime factorization of n: n = p_1^e_1 p_2^e_2 … p_r^e_r, where e_i ≥ 1.
2. For i from 1 to r do the following:
   1. Set q := p_i, e := e_i, γ := 1, l_(−1) := 0.
   2. Compute α* := α^(n/q).
   3. For j from 0 to e − 1 do the following: compute γ := γ * α^(l_(j−1) q^(j−1)) and β* := (β γ^(-1))^(n/q^(j+1)); compute l_j := log_α* β*.
   4. Set x_i := l_0 + l_1 q + … + l_(e−1) q^(e−1).
3. Use the CRT to compute the integer x, 0 ≤ x ≤ n − 1, from the x_i (x ≡ x_i mod p_i^e_i).
4. Return x.

Slide 21: Methods Used Today to Compute DL - Pohlig-Hellman Algorithm
The Pohlig-Hellman algorithm takes advantage of the factorization of the order n.
Complexity: O(√p_l) steps, where p_l is the largest prime factor of n.
Minimum security requirement: p_l ≥ 2^160.
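Pohlig-Hellman following the steps of slide 20, added here as a Python example (not from the slides). It assumes the logarithms in the prime-order subgroups are found by exhaustive search (in practice BSGS or Pollard's rho would be used there, which is where the √p_l cost comes from), and solves the CRT step with Garner's method; factorize, prime_order_dlog and crt are my helper names.

```python
def factorize(n):
    """Prime factorization by trial division: [(p_1, e_1), ..., (p_r, e_r)]."""
    factors, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def prime_order_dlog(alpha, beta, p, q):
    """log_alpha(beta) where alpha has prime order q in Z_p^* (exhaustive search, q small)."""
    for x in range(q):
        if pow(alpha, x, p) == beta % p:
            return x
    return None

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner's form)."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        x += big_m * ((r - x) * pow(big_m, -1, m) % m)
        big_m *= m
    return x % big_m

def pohlig_hellman(alpha, beta, p, n):
    """x = log_alpha(beta) in Z_p^*, alpha of order n, one prime power of n at a time."""
    residues, moduli = [], []
    for q, e in factorize(n):
        alpha_star = pow(alpha, n // q, p)            # alpha* = alpha^(n/q) has order q
        gamma, digits = 1, []                         # gamma = alpha^(l_0 + l_1 q + ...)
        for j in range(e):
            if j:                                     # l_{-1} = 0, so gamma stays 1 at j = 0
                gamma = gamma * pow(alpha, digits[j - 1] * q ** (j - 1), p) % p
            beta_star = pow(beta * pow(gamma, -1, p), n // q ** (j + 1), p)
            digits.append(prime_order_dlog(alpha_star, beta_star, p, q))   # l_j
        residues.append(sum(l * q ** j for j, l in enumerate(digits)))     # x_i mod q^e
        moduli.append(q ** e)
    return crt(residues, moduli)
```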

Slide 22: Methods Used Today to Compute DL - Index-Calculus Method
Algorithm: Index-calculus method for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: y = log_α β.
1. Choose a subset S = {p_1, p_2, …, p_t} of G (the factor base) such that all elements in G can be efficiently expressed as a product of elements from S.
2. Collect linear relations:
   1. Select a random integer k, 0 ≤ k ≤ n − 1, and compute α^k.
   2. Try to write α^k as a product of elements in S.
   3. Repeat steps 1 and 2 until t + c relations are obtained. (Taking logarithms of both sides of each relation gives linear equations mod n in the unknowns log_α p_i, which are then solved.)
3. Select a random integer k, 0 ≤ k ≤ n − 1, and compute β α^k. Try to write β α^k as a product of elements in S. If this fails, repeat this step; otherwise, taking logarithms of both sides, we obtain y.
4. Return y.

Slide 23: Methods Used Today to Compute DL - Index-Calculus Method
The index-calculus method is the most powerful method known for computing DL. It does not apply to all groups; it is only efficient for Z_p^* and Galois fields GF(2^k).
Subexponential-time algorithm: O( ) steps.
Minimum security requirement: p ≥ 2^1024.

Slide 24: Future Work
- Try to improve some of these algorithms.
- Challenge: find a polynomial-time algorithm to compute DL.

Slide 25: Question & Answer
Thanks

