Research on the Discrete Logarithm Problem Wang Ping Meng Xuemei 2003. 03. 30.


Content

- Introduction
- Mathematical Background
- Definition of DLP
- Methods in Use Today to Compute DL
- Future Work
- Question & Answer

Introduction

DLP is the underlying one-way function for:

- Diffie-Hellman key exchange
- DSA (Digital Signature Algorithm)
- ElGamal encryption/digital signature scheme
- Elliptic curve cryptosystems
- ……

DLP is based on finite groups.

Mathematical Background: Groups

Definition: A group is a set $G$ of elements together with a binary operation (written $ab$) such that:

- Closure: if $a, b \in G$, then $ab = c \in G$.
- Associativity: $(ab)c = a(bc)$ for all $a, b, c \in G$.
- Identity: there exists an identity element $e \in G$ such that $ea = ae = a$ for all $a \in G$.
- Inverse: for all $a \in G$, there exists an inverse element $a^{-1}$ such that $a a^{-1} = e$.

Mathematical Background: Inverses

Definition: Let $a$ be a number. If there exists $b$ such that $ab \equiv 1 \pmod{m}$, then we call $b$ the inverse of $a$ mod $m$, and write $b = a^{-1} \pmod{m}$.

Theorem: $a$ has an inverse mod $m$ iff $\gcd(a, m) = 1$.

$Z_p^*$: the set of all invertible integers mod $p$: $Z_p^* = \{ i \in Z_p \mid \gcd(i, p) = 1 \}$.

Theorem: $Z_p^*$ forms a group under multiplication modulo $p$. The identity element is $e = 1$.

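Mathematical Background: Example

$Z_9^* = \{1, 2, 4, 5, 7, 8\}$

Multiplication table:

| · mod 9 | 1 | 2 | 4 | 5 | 7 | 8 |
|---|---|---|---|---|---|---|
| 1 | 1 | 2 | 4 | 5 | 7 | 8 |
| 2 | 2 | 4 | 8 | 1 | 5 | 7 |
| 4 | 4 | 8 | 7 | 2 | 1 | 5 |
| 5 | 5 | 1 | 2 | 7 | 8 | 4 |
| 7 | 7 | 5 | 1 | 8 | 4 | 2 |
| 8 | 8 | 7 | 5 | 4 | 2 | 1 |

Note: From the multiplication table above, we can see that $(Z_9^*, \cdot \bmod 9)$ is a group.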

Mathematical Background: Example (cont.)

Group: $G = (Z_9^*, \cdot \bmod 9)$

Find the inverse of 7 in the group $(Z_9^*, \cdot \bmod 9)$ through the Extended Euclidean Algorithm:

$9 = 1 \cdot 7 + 2 \rightarrow 2 = 9 - 7$
$7 = 3 \cdot 2 + 1 \rightarrow 1 = 7 - 3 \cdot 2 = 4 \cdot 7 - 3 \cdot 9$
$2 = 2 \cdot 1 + 0$

So we have: $1 = 4 \cdot 7 - 3 \cdot 9 \rightarrow 4 \cdot 7 \bmod 9 = 1$

4 is the inverse of 7 mod 9.

Mathematical Background: Finite Groups

Definition: A group $G$ is finite if it has a finite number of elements. We denote the cardinality of $G$ by $|G|$.

Definition: The order of an element $a \in G$ is the smallest positive integer $n$ such that $a \, a \cdots a = a^n = e$.

Definition: A group $G$ which contains elements $\alpha$ with maximum order $\mathrm{ord}(\alpha) = |G|$ is said to be cyclic. Elements with maximum order are called generators or primitive elements.

Mathematical Background: Example

Finite group: $G = (Z_{11}^*, \cdot \bmod 11)$

Find the order of $a = 3$:

$a^1 = 3$
$a^2 = 3^2 = 9$
$a^3 = 3^3 = 27 = 5$
$a^4 = 3^4 = 3^3 \cdot 3 = 5 \cdot 3 = 15 = 4$
$a^5 = 3^5 = 3^4 \cdot 3 = 4 \cdot 3 = 12 = 1$

So $\mathrm{ord}(3) = 5$.

Mathematical Background: Example (cont.)

Finite group: $G = (Z_{11}^*, \cdot \bmod 11)$

Proof that $\alpha = 2$ is a generator of $G$:

$|G| = |\{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}| = 10$

$\alpha^1 = 2$
$\alpha^2 = 2^2 = 4$
$\alpha^3 = 2^3 = 8$
$\alpha^4 = 2^4 = 16 = 5$
$\alpha^5 = 2^5 = 10$
$\alpha^6 = 2^6 = 20 = 9$
$\alpha^7 = 2^7 = 18 = 7$
$\alpha^8 = 2^8 = 14 = 3$
$\alpha^9 = 2^9 = 6$
$\alpha^{10} = 2^{10} = 12 = 1$
$\alpha^{11} = 2^{11} = 2 = \alpha$

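Mathematical Background: Example (cont.)

Finite group: $G = (Z_{11}^*, \cdot \bmod 11)$

So we have: $\mathrm{ord}(\alpha = 2) = 10 = |G|$

→ (1) $G$ is cyclic
→ (2) $\alpha = 2$ is a generator of $G$

Note: $2^i$; $i = 1, 2, \ldots, 10$ generates all elements of $G$.

| $i$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| $2^i$ | 2 | 4 | 8 | 5 | 10 | 9 | 7 | 3 | 6 | 1 |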

Definition of DLP

The discrete logarithm problem (DLP)

Definition: Given a prime $p$, a generator $\alpha$ of $Z_p^*$, and an element $\beta \in Z_p^*$, find the integer $x$, $0 \le x \le p - 2$, such that $\alpha^x \equiv \beta \pmod{p}$.

The generalized discrete logarithm problem (GDLP)

Definition: Given a finite cyclic group $G$ of order $n$, a generator $\alpha$ of $G$, and an element $\beta \in G$, find the integer $x$, $0 \le x \le n - 1$, such that $\alpha^x = \beta$.

Definition of DLP: Example

$G = (Z_{11}, + \bmod 11)$

We have:

| $i$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| $2i$ | 2 | 4 | 6 | 8 | 10 | 1 | 3 | 5 | 7 | 9 | 0 |

So $\alpha = 2$ is a generator of $G$.

Let $i = 7$, $\beta = 7 \cdot 2 = 3 \bmod 11$.

Question: given $\alpha = 2$, $\beta = 3 = i \cdot 2 \bmod 11$, find $i$.

Answer: $i = 2^{-1} \cdot 3 \bmod 11$

Note: $2^{-1} = 6$ can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.

Definition of DLP: Example

$G = (Z_{11}^*, \cdot \bmod 11)$

$\alpha = 2$ is a generator of $G$.

Let $i = 8$, $\beta = 2^8 = 3 \bmod 11$.

Question: given $\alpha = 2$, $\beta = 3 = 2^i$, find $i$.

$i = \log_2 3 = \log_2 2^i = ?$

Note: There is no efficient algorithm to find $i$; it is a very hard computational problem! Thus this example is a one-way function.
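The contrast between the two examples above, as an added Python illustration (not part of the original slides): in $(Z_p, +)$ the "logarithm" falls to one inversion by the Extended Euclidean Algorithm, while in $Z_p^*$ the naive method is exhaustive search. The function names are assumptions of this example.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse(a, m):
    """Inverse of a mod m; exists iff gcd(a, m) == 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return s % m


def additive_dlog(alpha, beta, p):
    """Solve i*alpha = beta (mod p) in (Z_p, +): one inversion, no search."""
    return inverse(alpha, p) * beta % p


def multiplicative_dlog(alpha, beta, p):
    """Solve alpha**i = beta (mod p) in Z_p* by exhaustive search.

    Returns (i, number of modular multiplications performed).
    """
    gamma = 1
    for i in range(p - 1):
        if gamma == beta % p:
            return i, i
        gamma = gamma * alpha % p
    raise ValueError("beta is not a power of alpha")


if __name__ == "__main__":
    # Values from the slides: alpha = 2, beta = 3, p = 11.
    print(egcd(7, 9))                     # coefficients for 1 = s*7 + t*9
    print(additive_dlog(2, 3, 11))        # i with i*2 = 3 (mod 11)
    print(multiplicative_dlog(2, 3, 11))  # i with 2**i = 3 (mod 11)
```

The additive solver costs a number of steps proportional to the bit length of p, whereas the search costs up to p - 2 multiplications.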

Methods in Use Today to Compute DL: Baby-step giant-step Algorithm

Algorithm: Baby-step giant-step algorithm for computing DL

INPUT: a generator $\alpha$ of $G$ of order $n$, and an element $\beta \in G$.
OUTPUT: $x = \log_\alpha \beta$.

Set m :=

Construct a table with entries $(j, \alpha^j)$ for $0 \le j < m$. Sort this table by second component.

Compute $\alpha^{-m}$ and set $\gamma := \beta$.

For $i$ from 0 to $m - 1$:

1. Check if $\gamma$ is the second component of some entry in the table.
2. If $\gamma = \alpha^j$ then return ($x = im + j$).
3. Set $\gamma := \gamma \alpha^{-m}$.

Methods in Use Today to Compute DL: Baby-step giant-step Algorithm Example

INPUT: a generator $\alpha = 2$ of $G = (Z_{11}^*, \cdot \bmod 11)$ of order $n = 10$, and an element $\beta = 3$.
OUTPUT: $x = \log_\alpha \beta = \log_2 3$.

Set m := = 4

Construct a table with entries $(j, \alpha^j)$ for $0 \le j < 4$. Sort this table by second component.

| $j$ | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| $2^j \bmod 11$ | 1 | 2 | 4 | 8 |

Using the Extended Euclidean Algorithm, compute $\alpha^{-1} = 2^{-1} \bmod 11 = 6$, so we have $\alpha^{-m} = 2^{-4} \bmod 11 = 6^4 \bmod 11 = 9$, and set $\gamma := \beta = 3$.

Methods in Use Today to Compute DL: Baby-step giant-step Algorithm Example (cont.)

For $i$ from 0 to 3, we have the following table:

| $i$ | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| $3 \cdot 9^i \bmod 11$ | 3 | 5 | 1 | |

Because $3 \cdot 9^2 \bmod 11 = \alpha^0 = 1$, we have: $x = im + j = 8$.

Note: The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.

Complexity: O( ) steps, Minimum security requirement: ≥ $2^{160}$
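The algorithm and worked example above, as an added Python sketch (not part of the original slides). It assumes $m = \lceil \sqrt{n} \rceil$, the usual choice, which agrees with $m = 4$ for $n = 10$ in the example (the formula itself is missing from this transcript); a dictionary stands in for the sorted table, and the function name and return shape are assumptions of this example.

```python
from math import isqrt


def bsgs(alpha, beta, p, n):
    """Baby-step giant-step in Z_p*, where alpha has order n.

    Returns (x, i, j) with x = i*m + j and alpha**x == beta (mod p),
    or None when beta is not in the subgroup generated by alpha.
    """
    m = isqrt(n - 1) + 1  # assumed choice: ceil(sqrt(n)) for n >= 1

    # Baby steps: map alpha^j -> j for 0 <= j < m.
    # A dict lookup replaces "sort the table, then search it".
    table = {}
    gamma = 1
    for j in range(m):
        table.setdefault(gamma, j)
        gamma = gamma * alpha % p

    # Giant steps: multiply beta by alpha^(-m) until a table entry is hit.
    factor = pow(alpha, -m, p)  # modular inverse power, Python 3.8+
    gamma = beta % p
    for i in range(m):
        if gamma in table:
            j = table[gamma]
            return i * m + j, i, j
        gamma = gamma * factor % p
    return None  # no x in [0, n) satisfies alpha**x == beta


if __name__ == "__main__":
    # Slide example: alpha = 2 generates Z_11* (order 10), beta = 3.
    print(bsgs(2, 3, 11, 10))
    # Subgroup generated by 3 has order 5 (earlier slide); 2 lies outside it.
    print(bsgs(3, 2, 11, 5))
```

Both the table and the giant-step loop hold at most m entries or iterations, which is the time-memory trade-off the note refers to.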

Future Work

Study and implement other methods in use today to compute DL, such as:

- Pollard’s rho algorithm
- Pohlig-Hellman algorithm
- Index-Calculus method

Challenge or improve some of these methods.

Question & Answer

Thanks

