Lecture 7 Discrete Logarithms. In the RSA algorithm, we saw how the difficulty of factoring yields...

Lecture 7 Discrete Logarithms

In the RSA algorithm, we saw how the difficulty of factoring yields useful cryptosystem. There is another number theory problem, namely discrete logarithms, that has similar applications. According to Diffie, the discrete logarithm problem was suggested by Gill. The discrete logarithm problem is a major open question in public-key cryptography.

Outline

Discrete Logarithms Computing Discrete Logs The ElGamal Public Key Cryptosystem Bit Commitment

1 Discrete Logarithms

11). (mod 9

22 2 Course, Of .in 6 = 9 log 11), (mod 9

2 Since 2. = is ofgenerator A 11. = Let

1).( mod )(log )(log and

1)( mod )log + (log )(logThen integer.an be

Let . ,let and , ofgenerator a be Let

).(log Write). (mod such that

,2 0 ,integer thefind , element an and

, of generator a , prime agiven :following the

is (DLP) problem logarithm discrete The

26166112

611

*

*

s

*p

*p

x

*p

*p

Z

Zp

ps

ps

ZZ

xp

pxxZβ

Zp

1 Example

1Fact

1 Definition

.in generator a also is that base

otherany tologarithms compute toused becan base theto

logarithms computes which algorithmany that means This

.)1 (mod ) (log ) (log

log and ,)1 (mod ly Consequent .)( =

Then .log = and ,log = ,log =

Let .let and ,in generators twobe and Let

generator. oft independen is DLP theof Difficulty

1

*p

yz

yx

*p

Z

p

pyzx

zyx

GZ

2Fact

GDLP. than general,in solve,

harder to bemay problem This . ofgenerator a be that required

not isit is,it ifeven and, group, cyclic a be that requirednot isit

n,formulatio In this exists.integer an such that provided ,= that

such integer an find , , elements and group finite agiven

:following theis GDLP theofn formulatio general moreA

.= that

such ,1 0 ,integer thefind , element an and , of

generator a ,order of group cyclic finite agiven :following theis

(GDLP) problem logarithm discrete dgeneralize The

G

G

xGG

nxxGG

nG

x

x

Comment.

2 Definition

2 Computing Discrete Logs2.1 Exhaustive Search

interest). hiccryptograp of

casesin (i.e. large is ift inefficien thereforeis and , of

order theis 1 wheretions,multiplica 1)O( takes

method This obtained. is until . . . , , , compute

ly successive tois DLPfor algorithm obviousmost The210

p

pp

2.2 Baby-Step Giant-Step Algorithm

. computingfor

algorithm following thesuggests This . )(

implies which , Hence, . , 0 where

, can write one then , = If n.observatio

following on the based is andsearch exhaustive of method

theof off-y trade timememora is algorithm step-giant

step-baby The . oforder theis 1 where, 1Let

x

mji

m+jx=i

ppm=

jim

jmix

x

2.2 Baby-Step Giant-Step Algorithm (Continued)

. · Set (4.3)

).(return then If (4.2)

table.in the

entry some ofcomponent second theis ifCheck (4.1)

:following thedo1 to0 from For (4)

.set and Compute (3)

component. secondby table this

Sort . 0for ),( entries with tableaConstruct (2)

.1Set (1)

.log logarithm discrete the:OUTPUT

.element an and 1,order of generator a :INPUT

algorithm step-giant step-Baby

m

j

m

j

m + jx = i

mi

mjj

pm

x=

p

1 Algorithm


tions.multiplica )1O( is algorithm step-giant step-baby

theof timerunning The follows. asconcisely more stated becan

of timerunning thes,comparison 1 lg than timemore

tion takesmultiplica a that assumption Under theups.-look table

)1O( and tionsmultiplica )1O( takes(4) step table,this

dconstructe Having sort. toscomparison )1 lg 1O( and

construct, totionsmultiplica )1O( takes tableThe elements.

group )1O(for storage requires

p

p

pp

pp

p

p

1 Algorithm

1 AlgorithmComment.


100. = 57log, thereforeand, ,, 3 since Finally,

32 392655112371002957113) (mod58 · 57

9876543210

:yields This obtained. is table theof row second in the value

a until computed is . . . 2, 1, 0,=for 113) (mod= (4)

58. 113) (mod 38

compute then and 38 ) 113 (mod 3 Compute (3)

81635140 272117971113) (mod 3

41067395 280

:component secondby tablesort the and11, 0

for )) (mod ,( are entries whose tableaConstruct (2)

11.=112Set (1)

follows. as computed is 57 logThen 57. = Consider 112. =1

order ofgenerator a is 3 = element The .113Let

31001

11

11

3

im

i

im

m

j

j

i

i

j

j

pαj

m

p

p=

3

1

2 Example

2.3 Pollard’s Rho Algorithm

0,for and 0, 0, So, 0. for

satisfying . . . , , , and . . . , , , integers of sequences

twodefinesin turn elements group of sequence This 0. for

if,

if ,

if,

)(

and 1 =by . . . , , , elements group of sequence a Define

. 1 example,for partition, theselectingin exercised bemust care

Some property. tableeasily tes someon based size equalroughly

of and , , sets threeinto dpartitione is ) (mod group The

00

210210

3

22

1

1

0210

2

321

ibaix

bbbaaa

i

Sxx

Sxx

Sxx

xfx

xxxx

S

SSSp

ii bai

ii

ii

ii

ii+

2.3 Pollard’s Rho Algorithm (Continued)

.log determine tosolvedy efficientl

becan then equation this),1 (mod Provided

).1 (mod )( ≡ log · )(

yieldsequation last thisof sidesboth of base the tologarithms

Taking . so and , Hence

.such that and elements group twofindcan We

.

if,

if ,2

if1,

and

if1,

if ,2

if,

2

22

22

3

2

1

1

3

2

1

1

2222

pbb

paabb

x xx x

Sxb

Sxb

Sxb

b

Sxa

Sxa

Sxa

a

ii

iiii

aabbbaba

iiii

ii

ii

ii

i+

ii

ii

ii

i+

iiiiiiii


).return( and 1) (mod )( compute

otherwise, failure; with algorithm theinate then term, 0 If

1). (mod Set

:following thedo then , If (2.2)

equations. previous

using , , and , , , compute,previously computed

, , and , , , quantities the Using(2.1)

:following thedo . . . 2, 1, For (2)

0. 0, 1,Set (1)

.log logarithm discrete the:OUTPUT

. element an and 1,order prime of generator a :INPUT

algorithm rho sPollard'

21

2

2

222

222222111

000

xpaarx

r

pbbr

xx

baxbax

baxbax

i

bax

x=

p

ii

ii

ii

iiiiii

iiiiii

2 Algorithm


. = with starting and ],2 [1, interval the

in , integers random selectingby repeated becan procedure

thefailure, with s terminate that case rare In the (2)

storage. ofamount

negligible a requiresbut which algorithm, step-giant step-baby the

as timerunning expected same with thealgorithm randomized a

is logarithms discrete computingfor algorithm rho sPollard'(1)

000

00

baxp

ba

2 Algorithm

Comment.


110. 228 log Hence, 110.

191) (mod ) ( and 136,= 191) (mod 125 125,

191) (mod )( compute Finally, 144. = = that Note

. of 2 step

ofiteration each of end at the and , ,, , , of values

theshows We3). (mod 2 if and 3), (mod 0 if

3), (mod 1 if rule the toaccording subsets threeinto of

elements thePartition 228. Suppose 191. = order of of

subgroup theofgenerator a is 2 element The

2

1428111

28142814

222

32

1383

383

aarr

bbrxx

baxbax

xSxxSx

xSxZ

nZ

iiiiii

*

*

2 Algorithm

3 Example


10410381214

5151211961213

1209830481 6 12112

119972569337211

11896148330410

1544872821529

15248235722568

381214462287

18612161146

83304512055

72256411844

6114 40923

4 1 184202792

20279102281222

144144

iiiiii baxbaxi

2.4 Pohlig-Hellman Algorithm

.6 fact,In even. havemust we

, )11(mod19

Since .)11(mod92 solve want to weSuppose

odd. is otherwise, even; is then ,1 If

). (mod)1(

Hence

). (mod1

have weso 1, yield oexponent t

smallest thebe toassumed is 1 However, ). (mod1

so ), (mod1)( that Note

. ofbit last thefindeasily can We

.10 ,

that assume and , ofgenerator a be Let

51)/2(

1)/2(

2/)1(1)/2(

1)/2(

1)/2(1)(21)/2(

x x

xx

p

p

pp

p

x

px

Z

p

x

p

xpxp

p

ppp

x

*p

4 Example

3Fact

2.4 Pohlig-Hellman Algorithm (Continued)

).Return( (4)

.1for )(mod such that ,20

,integer thecompute totheoremremainder Chinese the Use(3)

.Set (2.5)

.logCompute

. )(mod)(and )(mod Compute

:following thedo 1 to0 from For ) the(Compute (2.4)

. Compute (2.3)

.0 and 1Set (2.2)

.and Set notation) the(Simplify (2.1)

)) mod( where, (Compute

:following thedo to1 from For (2)

1. where, =1 ofion factorizat prime theFind (1)

.log = logarithm discrete the:OUTPUT

.element an and ,1order of generator a :INPUT

algorithmHellman -Pohlig

1110

)1(1

)1(

1

110

21

111

1

21

x

ri pxxpx

x

q+ lq ++llx

l

p p

ejl

l

e epq

px xplp + l = l x

r i

epppp

x

p

i

j+jj

ii

i

r

eii

eei

j

/qpql

j

/qp

ii

eii

eieii

ier

ee

3 Algorithm


. toequal

indeed is log Hence, theorom.sFermat' because truebeingequality last The

.)( )(

)(

)()(

Hence, ). (mod (2.4), step

of iteration at Next, . is oforder the(2.3) stepin first that Observe

.10 where, tion representa

ary - its ofin turn , , , digits thecomputingby determined is

integerEach .)(modinteger thecompute totheoremremainder Chinese

theuse then and ,1for ) mod( determine toisapproach

then the,log If ion.factorizat prime thebe =1Let

11

11

11

11

1

11110

1

1110

1

1

21

)1(

)1(

)1()()1(1

110

10

21

j

lqlq + ll/qp

qlq + lql/qp

/qpqlq + llx/qp

qlq + ll

ijeieii

iei

eii

er

ee

l

p

jq

pl plp + l = lx

pll lx

px

ripx x

xpppp

jje

ejj

ee

jj

jj

j+

j+jj

j+

jj

i

i

i

i

r


anyway.

tinefficien is theninteger,smooth anot is1order theIf (3)

algorithm.Hellman -Pohlig theusing

logarithms compute easy to relatively isit 350377,only is 1 ofdivisor

primelargest theSince .350377224737 10472921 isorder The

33937.27713965086411276642274751597718979831145596453269

2850524967592910215852314518195086781039742270882319=

:prime

digit-107 theis whereConsider small. relatively is of divisor prime

each ifonly efficient is algorithmHellman -Pohlig that theimplies (1) (2)

tions.multiplica ) )+ )1((lg( is algorithm

Hellman -Pohlig theof timerunning the1, ofion factorizat Given the (1)

4884

*

1

3 Algorithm

Comment.

p

p

p

p

pZnp

pp eO

p

pi

ri ii


.197210log

get to125) (mod 72 ),2mod(1 scongruence ofpair thesolve Finally, (3)

72. = 5 2 + 54+2 = Hence,

.2149log compute search, exhaustive

Using149. ) (mod )( and 115 ) (mod Compute (2.2.4)

4. = 113 log compute search, exhaustive

113.Using ) (mod )( and 21) (mod Compute (2.2.3)

.2149log

compute search, exhaustive Using149. ) (mod )( and 1 = Compute (2.2.2)

20. ) (mod Compute (2.2.1)

)55 )5(mod (Compute (2.2)

1. = 250 log= Then 250.) (mod and 250 ) (mod Compute

))2(mod (Compute (2.1) (2)

.5 · 2 = 250 ofion factorizat prime The (1)

follows. as computed is 210log

Then 210. =Consider generator. a is 71 = element The .251Let

71

22

202

125154

201

2512

200

51

5

2210

32

250122

1

3

71

x

x x

x

l

pp

l

pp

l

p

p

+ l + ll x x

xpp

x x

n

x=

p

n/

n/

n/

n/

n/n/

5 Example

2.5 The Index-Calculus Algorithm

. from elements of products as expressedy efficientl becan

of elements offraction t significan a way that asuch in base,

factor thecalled , of elements of subset small relatively

a ofselection therequires algorithm calculus-index The

.in worksalgorithm

theHere, algorithm. timelexponentia-sub a givesoften

it does,it but when groups, all apply tonot does employed

techniqueThe .logarithms discrete computingfor known

method powerfulmost theis algorithm calculus-index The

*

*

*

SZ

ZS

Z

p

p

p

2.5 The Index-Calculus Algorithm (Continued)

solution). unique a hasgiven equations of system thesuch that integer,

positive small a is ( obtained are relations until (2.2) and (2.1) stepsRepeat (2.3)

).1(modlog

relationlinear aobtain oequation t of sidesboth of logarithms take,successful If

0 ,)mod(

:in elements ofproduct a as writeTry to (2.2)

. compute and ,10 ,integer random aSelect (2.1)

)in elements of logarithms involving relationslinear (Collect (2)

. from elements ofproduct a

as expressedy efficientl becan in elements all of "proportiont significan"

asuch that of } , , ,{ = subset a Choose ) basefactor a(Select (1)

.log = logarithm discrete the:OUTPUT

.element an and , of generator a :INPUT

Algorithm Calculus-Index

1

1

*

*21

*

ct + c

p pc k

. c ppα

Sα

αnkk

S

S

Z

ZpppSS

x

Z

t

iii

i

t

i

ci

k

k

k

p

pt

p

i

4 Algorithm


).Return(

.)1)mod(log(= log

yieldsequation of sidesboth of logarithms

takingOtherwise, 4.1. steprepeat then ulunsuccessf isattempt theIf

0 ,)mod(

:in elements ofproduct a as writeTry to (4.2)

. compute and ,1 0 ,integer random aSelect (4.1)

) (Compute (4)

.1 ,log of values the

obtain to2 stepin collected equations of systemlinear thesolve

,1modulo Working)in elements of logarithms the(Find (3)

)(Continued Algorithm Calculus-Index

1

1

x

xpk pd

. d pp

S

nkk

y

ti p

t + c

pS

iti i

i

t

i

di

k

k

k

i

i

4 Algorithm


numbers. prime

first theaschosen becan basefactor the, field For the (3)

specified.

not is relations generatingy efficientlfor method a Secondly,

specified.not is basefactor theselectingfor techniquea Firstly,

reasons. for two incomplete is ofn descriptio The (2)

required. iselement group particular a of logarithm

theeach time database thisreuses then and ,in elements theall of

logarithms thecontaining database a precompute toproceedsIt (1)

tSZ

S

S

*p

4 Algorithm

Comment.


7. 5 3 2 210) 229 (mod6

11 3 2198 229) (mod6

11 7 2 154 229) (mod 6

115 3 165 229) (mod6

112 176 ) 229 (mod 6

5 32 180229) (mod6

:shown)not are attempts ful(unsuccess obtained are base

factor theof elements involving relationssix following The (2)

11}. 7, 5, 3, {2, :primes 5first thebe chosen to is basefactor The (1)

. techniquecalculus-index

theusing follows, as computed is 13logThen 13.Consider

. ofgenerator a is 6 = element The .229Let

206

2143

62

12

418

22100

6

S

Zp= *p

6 Example


117. = 228) (mod 77)7 log2 + 3 (log

13log that followsit ,7 3 147229) (mod 6 13

Since selected. is 77 =integer that theSuppose (4)

162. = 11 log and 107, = 7log 98, = 5log 208,=3log

21, = 2log solutions theyields )log logarithms (the

unknowns fivein equationssix of systemlinear theSolving (3)

228). (mod 7log + 5log + 3log+2log206

228) (mod 11log+3log2 + 2log 143

228) (mod 11log + 7log + 2log 62

228) (mod 11 log+5log + 3log 12

228) (mod 11log+ 2log4 18

228) (mod 5log+3log2+2log 2 100

:basefactor in the elements of logarithms theinvolving equations

six following theyield relations These )(Continued

66

6277

6666

66

6666

666

666

666

66

666

k

ii

k

p =x

6 Example

3 The ElGamal Public Key Cryptosystem

The security of the ElGamal public-key encryption scheme is relies on the intractability of the discrete logarithm problem and the Diffie-Hellman problem. The basic ElGamal encryption scheme is done by ElGamal in 1985.

3.1 Description

. iskey private s' ); , ,( iskey public s' (3)

). (mod compute and ,21 ,integer random aSelect (2)

. modulo integers theof group tivemultiplica

theof generator a and prime random large a Generate (1)

:following thedo should entity Each

key. private

ingcorrespond a andkey public a createsentity each :SUMMARY

encryptionkey -public ElGamalfor generationKey

aApA

ppaa

pZ

p

A

a

a

*p

5 Algorithm

3.1 Description (Continued)

).(mod computingby Recover (2)

).

:(note )(mod compute tokey private the Use(1)

:following thedo should , from plaintext recover To

. to) ,( = ciphertext theSend (5)

).(mod)( and )(mod Compute (4)

.21 ,integer random aSelect (3)

1]. [0, range in the integer an as message theRepresent (2)

). , ,(key public authentic s'Obtain (1)

:following thedo should

decrypts. which,for message a encrypts :SUMMARY

encryptionkey -public ElGamal

11

pm

α

pa

Acm.Decryption

A c

pm p

pkk

pm

pA

. BEncryption

AAmB

a

ka

aapap

kak

a

6 Algorithm

3.1 Description (Continued)

. warrantedbemay modulilarger that is parameters

wide-systemcommon of gedisadvanta potentialA sizes.

smaller of keys publicin results This key. public theofpart

as published benot need and casein which ,generator

and prime same theuse elect tomay entities All

). (mod

becauseplaintext original ofrecovery allows

of decryption The worksdecryption that Proof

p

p

p

pmmγ

.

akaka

Comment.

6 Algorithm

3.2 Example

2035. 2357) 697(mod 872

computingby recovers and

,872)2357(mod1430

computes decrypt, To .

. to697 = and 1430 sends

697. 2357) (mod1185 2035

and

1430 2357) (mod 2

computes and 1520 = integer

random a selects 2035, message aencrypt To

1185). 2, 2357, ( iskey public s'

1185.2357) 21751(mod ) (mod

computes and 1751 = key private thechooses . Zof 2 =

generator a and 2357 = prime theselects Entity .

6051

1520

1520

*2357

m

m

ADecryption

A B

k

B m.Encryption

pA

p

aA

pAtionKey genera

ap

a

a

7 Example

3.3 Efficiency of ElGamal Encryption

plaintext. ingcorrespond the

as long as twiceis ciphertext theis,That 2. offactor aby expansion

message is e that theris encryption ElGamal of gedisadvantaA (2)

algorithm. step-giant step-baby a search via a preclude

enough to large is exponents ofnumber possible thetaken that

bemust Care weights.Hamming low having example,for structure,

additional some having exponents random selectingby up sped be

can tionsexponentia These .)(mod)( and )(modnamely

tions,exponentiamodular tworequires process encryption The (1)

k

p p kak

3.4 Security of ElGamal Encryption

proven.been not has

eequivalencan such although ,in problem logarithm discrete the

on based be tosaid is always , and , ,, ,given recovering

i.e., scheme, encryption ElGamal thebreaking of problem The (2)

known. were if

computedeasily be could and ,/ / Then ). ,( and

) ,( are pairs ciphertext resulting theand and messages

oencrypt tw toused is same theSuppose messages.different

encrypt toused be integers randomdifferent that critical isIt (1)

1

2212122

1121

*p

a

Z

α pm

m

mmm

mm

k

k

3.4 Security of ElGamal Encryption (Continued)

. using derived keys private all ofsecrecy thecompromise will

modulus particular onefor logarithms of database thecomputing Thus

quickly. relatively computed becan logarithms individual which following

,logarithms basefactor of database a oftion precomputa theis in

logarithms discretefor algorithm calculus-index in the stagedominant the

because is This . warrantedbemay sizeskey larger even parameters

wide-systemcommon For used. be should modulilarger or bit -1024

,in problem logarithm discrete on the progresslatest Given the (3)

p

p

Z

Z

*p

*p

4 Bit Commitment 4.1 Scenarios (1) Alice claims that she has a method to

predict the outcome of football games. She wants to sell her method to Bob. Bob asks her method works by predicting the results of the games that will be played this weekend. “No way,” says Alice. “Then you will simply make your bets and not pay me. Why don’t I show you my predictions for last week’s game?”

4.2 Requirements of Bit Commitment

Alice can send a bit b, which is either 0 or 1, to Bob. It require that

(1) Bob cannot determine the value of the bit without Alice’s help.

(2) Alice cannot change the bit once she send it.

Now, for each game, Alice sends a symbol b=1 if she predicts the team will win, a symbol b=0 if she predicts it will lose. After the game has been played, Alice reveals the bit to Bob.

4.3 Computing Discrete Logs Modulo 4

4. modulocongruent not are

that 16, and 6 values twohave would we16, be toalsoit allowed

had weIf case. in this 69log define We).11(mod922

example,For .2 and 0between integer an be tologs

discrete thenormalized webecauseonly possible isquestion this

fact,In exponent. factional a ofambigutiy theyield dwhich woul

power, )/41( the tonumbers raise tous require it would since

t work, won'algorithmHellman -Pohlig the?)4(mod3

when happens What quickly. quite 4) (mod logs discrete

computes algorithmHellman -Pohlig the,)4(mod1When

2166

p

p

p

p

4.3 Computing Discrete Logs Modulo 4 (Continued)

).(mod)(

Proof.

).(mod

Then ).(modsuch that

modulo numbers nonzero twoare and Suppose integer.

an be let and ,2letprime, be )4(mod3Let

1212

1

22122)1(4/)1(

24/)1(

2

p

p

p

p

y rp

yypyypp

yp

y

rrrr

r

r

1 Lemma

4.3 Computing Discrete Logs Modulo 4 (Continued)

.,,, values theallobtain wey,inductivel

Proceeding . of value theyieldsequation this tomachine theApplying

). (mod

find we times,1 theUsing

.

Let .2 with

,,, determined have weSuppose . and determined wemachine,

theUsing. ofexpansion binary thebe 22let and

)(mod assume Now log. discrete theofbit second only thereally

is machine by the suppliedn informatio new theSo 2). (modlog compute

easily can wefact,In 4). (modlogoutput thegives input an give that,

machine a have weAssume generator. a be let and )4 (mod3 prime aFix

quickly. 1 modulo

logs discrete compute it to usecan then we),4 (mod3 prime afor

4 modulo logs discrete computesquickly that algorithman have weIf

10

)2(2)4/)1((

)2(2)2(

1

1010

10

11

111

0

n

r

xxpr

xxxxr

r

nn

x

xxx

x

p

r

rx

xxxx

xxxxx

p

p

p

p

rrr

rrr

rr

1 Lemma

4Fact

4.4 A Bit Commitment Scheme

. finds he 4), (modat looking

and )(mod? checkingby and , of valuefull the

him sends Alice , of value theknow to wantsBob When (3)

Bob. to send and )(mod computes Alice (2)

. of valuethe

determinecannot Bob , in theout pointed As . is bit

second whose1number random a chooses Alice (1)

.generator

a and )4 (mod3 prime large aon agree Bob and Alice

1

1

bx

px

b

p

xb

bx

px

p

x

x

4Fact

Thank You!

Lecture 7 Discrete Logarithms. In the RSA algorithm, we saw how the difficulty of factoring yields...

Documents

Transcript of Lecture 7 Discrete Logarithms. In the RSA algorithm, we saw how the difficulty of factoring yields...