Chapter 7 Discrete Logarithms

What Are Discrete Logarithms?

Let p be a prime number. An integer α is a primitive root modulo p iffor every β relatively prime to p there is an integer x such thatβ ≡ αx (mod p). For a fixed α and a given β, an integer x with thisproperty is a discrete logarithm of β base α modulo p.

To avoid confusion with ordinary logs, we sometimes call this theindex of β base α modulo p.

In general, for many integers n, there is no primitive root modulo n.

Example of Primitive Root

Examplep = 7, α = 3

31 = 3

32 = 9 ≡ 2

33 = 27 ≡ 6

34 = 81 ≡ 4

35 = 243 ≡ 5

36 = 729 ≡ 1

By taking successive powers, we see that everything non-zero modulo7 is a power of 3 modulo 7. This would be called brute forceverification.

31 = 3

32 = 9 ≡ 2

33 = 27 ≡ 6

34 = 81 ≡ 4

35 = 243 ≡ 5

36 = 729 ≡ 1

31 = 3

32 = 9 ≡ 2

33 = 27 ≡ 6

34 = 81 ≡ 4

35 = 243 ≡ 5

36 = 729 ≡ 1

Example of No Primitive Root

In contrast, consider n = 8. Candidates would be 1, 3, 5, 7.

α = 1: all powers give 1

α = 3: all powers produce 1 or 3

So, there is no primitive root modulo 8.

Notation: x = Lα(β).

A Primitive Root Theorem

TheoremThe only integers n for which there is a primitive root modulo n arethose of the form:

1 n = pe with an odd prime, e ≥ 12 n = 2pe with an odd prime p, e ≥ 13 n = 2, 4

We will not prove this since we are focusing on primes and notgeneral n’s.

A Primitive Root Theorem

TheoremThe only integers n for which there is a primitive root modulo n arethose of the form:

1 n = pe with an odd prime, e ≥ 12 n = 2pe with an odd prime p, e ≥ 13 n = 2, 4

We will not prove this since we are focusing on primes and notgeneral n’s.

Using Fermat’s Little Theorem

Remember ... αp−1 ≡ 1 (mod p). This can be a useful tool. In fact,p− 1 is the smallest integer n such that αn ≡ 1 (mod p). We can usethis when trying to solve for x.

Here is the technique:We know αp−1 ≡ 1 (mod p). So, we know that α

p−12 ≡ −1 (mod p)

which lets us write(α

p−12

)2≡ 1 (mod p).

Consider our congruence β ≡ αx (mod p). Then we have

βp−1

2 ≡ αx p−12 (mod p) ≡ (−1)x (mod p)

If βp−1

2 ≡ 1 (mod p), then x is even.

p−12 ≡ −1 (mod p)

p−12

)2≡ 1 (mod p).

βp−1

2 ≡ αx p−12 (mod p) ≡ (−1)x (mod p)

If βp−1

p−12 ≡ −1 (mod p)

p−12

)2≡ 1 (mod p).

βp−1

2 ≡ αx p−12 (mod p) ≡ (−1)x (mod p)

If βp−1

Example of Solving Congruences

Example

Solve 3x ≡ 7 (mod 19).

βp−1

2 ≡ 79 ≡ 1 (mod 19)

So we know x must be even. By brute force, we find that x = 6.

Given α, x, p, these are easy to calculate, But, the problem arises whenwe want x and are given α, β, p. In fact, for large p, the difficulty is onthe same order as the factoring of primes for the RSA algorithm. But,as already seen, for small p, brute force can do the trick.

Example

βp−1

2 ≡ 79 ≡ 1 (mod 19)

Example

βp−1

2 ≡ 79 ≡ 1 (mod 19)

Example

βp−1

2 ≡ 79 ≡ 1 (mod 19)

We Need A Better Way ...

Computing discrete logarithms this way, however, is naive.

To compute Lα(β) in Z/p for a primitive root α (mod p), compute(all (mod p)) α1, α2, . . . until one of the powers of α (mod p) is thetarget β.

For p large enough for cryptographic purposes, we’d need p to be 100digits or more, making brute force infeasible making it necessary touse other methods as this method takes O(p) trials. So, we want toreduce the number of trials.

Baby-Step Giant-Step

This algorithm works in any acyclic group G, assuming thecomputation of the group operations are not too expensive. Thisruntime is on the order of the square root of |G|, that is O(

√|G|).

Reminder: a cyclic group G =< a > can be generated by a singleelement.

Let G be a cyclic group with generator α. We want to compute thediscrete logarithm of some other element β ∈ G base α. Let n be theorder |G| of G and let m = b

√nc. So, m is an integer, just less than√

n. When we take x = Lα(β), we can write x = m · i + j where0 ≤ i, j < m.

√|G|).

The equation β = αmi+j can be rearranged to β(α−m)i = αj.

Thus, we first compute the m quantities αj, 0 ≤ j < m and put them insome sorted look-up table. Then begin to compute successively the mquantities β, β · α−m, β · α−2m, . . . , β · α−mi, . . .

At the ith step compare αj and β · α−mi. If they are equal, thenLα(β) = mi + j.

So this construction of the list of αj’s takes√

n steps initially. Each ofthe O(

√n) comparisons of β · α−mi to the αj’s must be done in much

less than O(√

n) time, or the total number of steps would be O(n),which is no better than brute force.

Therefore, the list of αj’s must be sorted and ordered in a fashion sothat testing whether or not an element β · α−mi is on the list very fast.For example, in simple cases, this testing can be done in only L2(m)comparisons.

less than O(√

Although this algorithm makes sense in any group, the necessarysorting of the αj’s is easiest to describe in a tangible class ofexamples, such as Z/p∗ for prime p.

Let α be the primitive root modulo p. The order n of the groupG = Z/p∗ is n = p− 1. Let m be the greatest integer not greater than√

p− 1. To compute Lαβ in G, first compute

(0, α0 (mod p)), (1, α1 (mod p)), (2, α2 (mod p)), . . . , (m−1, αm−1 (mod p))

Although this algorithm makes sense in any group, the necessarysorting of the αj’s is easiest to describe in a tangible class ofexamples, such as Z/p∗ for prime p.

Let α be the primitive root modulo p. The order n of the groupG = Z/p∗ is n = p− 1. Let m be the greatest integer not greater than√

p− 1. To compute Lαβ in G, first compute

(0, α0 (mod p)), (1, α1 (mod p)), (2, α2 (mod p)), . . . , (m−1, αm−1 (mod p))

We sort these ordered pairs by size of their second component, so thattesting whether some g ∈ G is in the list will only take L2mcomparisons. Then, to be a little smart about comparisons,

1 Compute c = α−m (mod p)

2 Initialize x = β

3 For i = 0 to i = m− 1, if x is the element αj in the listα0, α1, . . . , αm−1 then Lαβ = mi + j

Otherwise replace x by x · c (mod p) and i = i + 1.

1 Compute c = α−m (mod p)2 Initialize x = β

BSGS Example

Example

Compute L23 (mod 29).

Here, p = 29, β = 3, α = 2. Then, m = b√

29− 1c = 5. Thus, wecompute (0, α0), . . . , (4, α4 (mod 29)).

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

c ≡ 2−5 (mod 29) ≡ 10.Initialize x = β = 3. This is not on the list.Replace x by x · c, which is 3 · 10 (mod 29) = 1, which is on the list.That is,

3 · 2−5 = 20

By rearranging as planned, this gives

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

BSGS Example

Example

Here, p = 29, β = 3, α = 2. Then, m = b√

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

3 · 2−5 = 20

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

BSGS Example

Example

Here, p = 29, β = 3, α = 2. Then, m = b√

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

c ≡ 2−5 (mod 29) ≡ 10.

Initialize x = β = 3. This is not on the list.Replace x by x · c, which is 3 · 10 (mod 29) = 1, which is on the list.That is,

3 · 2−5 = 20

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

BSGS Example

Example

Here, p = 29, β = 3, α = 2. Then, m = b√

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

c ≡ 2−5 (mod 29) ≡ 10.Initialize x = β = 3. This is not on the list.

Replace x by x · c, which is 3 · 10 (mod 29) = 1, which is on the list.That is,

3 · 2−5 = 20

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

BSGS Example

Example

Here, p = 29, β = 3, α = 2. Then, m = b√

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

3 · 2−5 = 20

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

BSGS Example

Example

Here, p = 29, β = 3, α = 2. Then, m = b√

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16)

3 · 2−5 = 20

L23 = 5 · 1 + 0 = 5

in Z/Z∗29.

Another BSGS Example

Example

Here, we have that p = 101, α = 2 and β = 3. Then,m =

√101− 1 = 10. So, we compute the pairs (j, 2j(mod 101)), for

j = 0, . . . ,m− 1 = 9; this list is

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16), (5, 32), (6, 64), (7, 27), (8, 54), (9, 7)

Sorting by size of the second element, the list is

(0, 1), (1, 2), (2, 4), (9, 7), (3, 8), (4, 16), (7, 27), (5, 32), (8, 54), (6, 64)

Also, c ≡ 2−10(mod 101) ≡ 65. We initialize x = β = 3. This is noton the list, so we replace x by x · c as long as x is not on the list :

Example

j = 0, . . . ,m− 1 = 9; this list is

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16), (5, 32), (6, 64), (7, 27), (8, 54), (9, 7)

(0, 1), (1, 2), (2, 4), (9, 7), (3, 8), (4, 16), (7, 27), (5, 32), (8, 54), (6, 64)

Example

j = 0, . . . ,m− 1 = 9; this list is

(0, 1), (1, 2), (2, 4), (3, 8), (4, 16), (5, 32), (6, 64), (7, 27), (8, 54), (9, 7)

(0, 1), (1, 2), (2, 4), (9, 7), (3, 8), (4, 16), (7, 27), (5, 32), (8, 54), (6, 64)

3 · 65(mod 101) ≡ 9494 · 65(mod 101) ≡ 5050 · 65(mod 101) ≡ 1818 · 65(mod 101) ≡ 5959 · 65(mod 101) ≡ 9898 · 65(mod 101) ≡ 7

That is,3 · (2−10)6 ≡ 7 ≡ 29(mod 101)

Rearranging as planned, this gives

L2(3) = 10 · 6 + 9 = 69 in Z/Z∗101

3 · 65(mod 101) ≡ 9494 · 65(mod 101) ≡ 5050 · 65(mod 101) ≡ 1818 · 65(mod 101) ≡ 5959 · 65(mod 101) ≡ 9898 · 65(mod 101) ≡ 7

That is,3 · (2−10)6 ≡ 7 ≡ 29(mod 101)

Rearranging as planned, this gives

L2(3) = 10 · 6 + 9 = 69 in Z/Z∗101

The Index Calculus

This is the best known method for computing discrete logarithms incyclic groups G. This algorithm cannot be applied effectively to allcyclic groups, but when it can be applied it is a sub-exponential timealgorithm. It is probabilistic.

Note: At the outset, the subset S of G used in the algorithm, theso-called factor group, must be chosen well. Unfortunately, it is notgenerally clear how to make a good choice, or even that there is agood choice of factor basis. Timing of the algorithm amounts toadjustment of the choice of factor basis, but in general there may beno good choice to achieve sub-exponential runtime.

The Index Calculus

This is the best known method for computing discrete logarithms incyclic groups G. This algorithm cannot be applied effectively to allcyclic groups, but when it can be applied it is a sub-exponential timealgorithm. It is probabilistic.

Note: At the outset, the subset S of G used in the algorithm, theso-called factor group, must be chosen well. Unfortunately, it is notgenerally clear how to make a good choice, or even that there is agood choice of factor basis. Timing of the algorithm amounts toadjustment of the choice of factor basis, but in general there may beno good choice to achieve sub-exponential runtime.

Factor Groups

DefinitionA subgroup H of a group G is normal if its left and right cosetscoincide; that is, if H is a normal subgroup of G, then

gH = Hg ∀ g ∈ G

In other words, the left and right cosets are the same. This can also bedefined in terms of conjugates, which is to say H is a normalsubgroup of G if for all g ∈ G,

gHg−1 = H

The notation we use for normal subgroups is H / G.

Factor Groups

DefinitionLet H be a normal subgroup of a group G. Then G/H, read “G modH” is the system whose set of elements is

G/H = {aH | a ∈ G}

and whose operation is defined by the rule aHbH = abH.In other words, the factor group is the set of all left cosets of H in G.We often use N for the normal subgroup.

The Index Calculus

Let α be a generator of a cyclic group G of order n = |G|. Let β beanother element of G, whose logarithm base α we want to compute.

1. Choose a factor base: Choose a ‘small’ subset s of G, called thefactor basis

S = {p1, . . . , pk}

2. Collect relations: Choose random integers in the range0 ≤ k ≤ n− 1 and try to express αk as a product of elements of S. Ifsuch a relation exists

αk = pk11 . . . p

take logarithms of both sides to obtain

k = k1 · Lαp1 + . . .+ kt · Lαpt(mod n)

Repeat this until there is somewhat more than t relations.

The Index Calculus

S = {p1, . . . , pk}

αk = pk11 . . . p

The Index Calculus

S = {p1, . . . , pk}

αk = pk11 . . . p

The Index Calculus

3. Find logarithms Lαpi: Solve the system of relations to find thelogarithms base α of the elements of the factor basis. If the system isindeterminate, go back and generate more relations.

4. Finding other logarithms: Given β ∈ G, pick a random integer kand try to express β · αk in the form

β · αk = pk11 · · · p

If successful, solve for

Lαβ = ((k1 · Lαp1 + . . .+ kt · Lαpt)− k)(mod n)

If unsuccessful, choose a different k and repeat.

The Index Calculus

3. Find logarithms Lαpi: Solve the system of relations to find thelogarithms base α of the elements of the factor basis. If the system isindeterminate, go back and generate more relations.4. Finding other logarithms: Given β ∈ G, pick a random integer kand try to express β · αk in the form

β · αk = pk11 · · · p

If successful, solve for

Lαβ = ((k1 · Lαp1 + . . .+ kt · Lαpt)− k)(mod n)

If unsuccessful, choose a different k and repeat.

1 Certainly the precomputation of logarithms of elements of thefactor basis need not be repeated for computations of varyingelements of the group.

2 An examination of the algorithm makes it clear the factor basis Smust be chosen so that ‘many’ of the elements of G areexpressed as products of powers of elements of S with ‘small’exponents. Of course, this idea and its effects must be quantifiedto optimize the algorithm in any particular case.

3 When the cyclic group in question is G = Z/p∗, or prime p, thefactor basis should be the first t primes, Of course, choosing awise t is the issue. Testing whether a randomly produced groupelement is a product of elements from the factor basis (withsmall positive integer exponents) can be done very quickly bytrial division by elements of the factor basis.

Using the Index Calculus

Example

Let G = Z/Z∗29. The order of the group is 28. Use the primitive rootα = 11 Try a factor basis S = {2, 3, 5}. Start generating relations, byconsidering ‘random’ powers of α(mod 29). Bear in mind that wewant to solve the system of relations modulo 28.

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

Solving the system modulo 28 to obtain the logarithms of the factorbase happens to be easy in this case.

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3

α9(mod 29) = 119(mod 29) ≡ 2

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

Example

α2(mod 29) = 112(mod 29) ≡ 5

α3(mod 29) = 113(mod 29) ≡ 26 (fail)

α4(mod 29) = 114(mod 29) ≡ 14 (fail)

α6(mod 29) = 116(mod 29) ≡ 9 = 32

α7(mod 29) = 117(mod 29) ≡ 12 = 22 · 3α9(mod 29) = 119(mod 29) ≡ 2

From the first relation, we directly obtain L115 = 2.

The fourth relation gives 6 = 2 · L113(mod 28), which does notuniquely determine the log of 3 since the coefficient in front hasa common factor with the modulus 28.

The last relation gives L112 = 9

We can use the next to last relation

7 = 2 · L112 + L113(mod 28)

to obtain L113 = 17.

7 = 2 · L112 + L113(mod 28)

Where does this last one come from?

117(mod 28) ≡ 22 · 3⇒ 7 = L1122 · 3

⇒ 7 = 2 · L112 + L113

And now, since L112 = 9, we can solve for L113.

7 = 2 · L112 + L113

7 = 2 · 9 + L113

−11 = L113

L113 = 17

Where does this last one come from?

117(mod 28) ≡ 22 · 3⇒ 7 = L1122 · 3

⇒ 7 = 2 · L112 + L113

And now, since L112 = 9, we can solve for L113.

7 = 2 · L112 + L113

7 = 2 · 9 + L113

−11 = L113

L113 = 17

This finishes the precomputation for the factor basis {2, 3, 5}.

To compute L117, for example, multiply the target β = 7 by ‘random’powers of α ≡ 11(mod 29) and look for results expressible in termsof the factor basis.

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

Note: This algorithm becomes noticeably more efficient than theothers for considerably larger groups.

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

β · α(mod 29) ≡ 7 · 11(mod 29) = 19

which is a fail.

β · α2(mod 29) ≡ 7 · 112(mod 29) ≡ 6 = 2 · 3

Therefore,

L117 = L112 + L113− 2 = 9 + 17− 2 = 24

Diffie-Hellman Key Exchange

This is both the original public-key idea and an important mechanismin current use. The practical point is that symmetric ciphers aregenerally much faster than asymmetric ones (for both hardware andsoftware reasons), so the public-key cipher is merely used to set up aprivate key, known as a session key, intended to be used only for asingle conversation.

This protocol makes use of the particulars involving discretelogarithms, and of course, in relatively difficulty in computingdiscrete logarithms. Therefore, it not only works for the Z/Zp

discrete logarithm situations, but also generalizes to arbitrary finitefields, elliptical curves, or any other group structure where logarithmsmake sense.

This is both the original public-key idea and an important mechanismin current use. The practical point is that symmetric ciphers aregenerally much faster than asymmetric ones (for both hardware andsoftware reasons), so the public-key cipher is merely used to set up aprivate key, known as a session key, intended to be used only for asingle conversation.

This protocol makes use of the particulars involving discretelogarithms, and of course, in relatively difficulty in computingdiscrete logarithms. Therefore, it not only works for the Z/Zp

discrete logarithm situations, but also generalizes to arbitrary finitefields, elliptical curves, or any other group structure where logarithmsmake sense.

First, the sender and receiver need to agree on a large prime anda primitive element (root) α(mod p). These need not be keptsecret and can be shared by a group of users.

The sender chooses a large random integer X, privately computesX ≡ αx(mod p) and sends X to a receiver by a possibly insecurechannel.

Meanwhile, the receiver similarly chooses a large random integerY , privately computes Y ≡ αy(mod p) and sends Y to the senderacross the possibly insecure channel.

Then, the sender privately computes k ≡ Yx(mod p) and thereceiver symmetrically computes k′ ≡ Xy(mod p).

In fact, k ≡ k′(mod p) as follows:

Computing modulo p, we have

k′ ≡ Xy ≡ (αx)y = αxy ≡ (αy)x ≡ k(mod p)

But no one else on the network obtains k unless they can computediscrete logarithms. Then, the key k(= k′) can be used directly orindirectly as a key for the asymmetric cipher.

Diffie-Hellman Key Exchange Security

For security, the prime modulus should be large, as the security of theDiffie-Hellman key exchange lies in the fact that, while it is relativelyeasy to calculate exponentials modulo p, it is very difficult to calculatediscrete logarithms. For large primes, the latter task is consideredinfeasible.

Diffie-Hellman Example

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:

A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

A brute force attack could work here since we are dealing with arelatively small prime. We would want to find x such that3x(mod 353) ≡ 40 or 3x(mod 353) ≡ 248. The desired result isreached when the exponent value of 97, as 397(mod 353) ≡ 40 isobtained.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40

B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248

After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:

A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160

B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.

We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

ExampleThis key exchange is based on the use of the prime number p = 353and a primitive root α = 3. A and B select secret keys x = 97 andy = 233. Each computes its public key:A computes X ≡ 397(mod 353) ≡ 40B computes Y ≡ 3233(mod 353) ≡ 248After they exchange public keys, they can each compute the commonsecret key:A computes K ≡ (Y)x(mod 353) ≡ 24897(mod 353) ≡ 160B computes K ≡ (X)y(mod 353) ≡ 40233(mod 353) ≡ 160.We assume that a hacker would have that p = 353, X = 40, Y = 248and α = 3.

Man-in-the-Middle Attack

Suppose A and B want to share a message and D is their adversary.1 D prepares for the attack by generating two random private keys

XD1 and XD2 and computes the corresponding public keys YD1

and YD2 .

2 A transmits X to B.3 D intercepts X and transmits YD1 to B. D also calculates

K2 = (X)XD2 (mod p).4 B receives YD1 and calculates K1 = (YD1)

y(mod p).5 B transmits Y to A.6 D intercepts Y and transmits YD2 to A. D calculates

K1 ≡ (Y)XD1 (mod p).7 A receives YD2 and calculates K2 ≡ (YD1)

x(mod p).

At this point, A and B think they share a secret key, but instead B andD share K1 and a and D share K2. All future communications betweenA and B are now compromised.

and YD2 .2 A transmits X to B.

3 D intercepts X and transmits YD1 to B. D also calculatesK2 = (X)XD2 (mod p).

4 B receives YD1 and calculates K1 = (YD1)y(mod p).

5 B transmits Y to A.6 D intercepts Y and transmits YD2 to A. D calculates

x(mod p).

and YD2 .2 A transmits X to B.3 D intercepts X and transmits YD1 to B. D also calculates

K2 = (X)XD2 (mod p).

4 B receives YD1 and calculates K1 = (YD1)y(mod p).

x(mod p).

y(mod p).

x(mod p).

y(mod p).5 B transmits Y to A.

6 D intercepts Y and transmits YD2 to A. D calculatesK1 ≡ (Y)XD1 (mod p).

7 A receives YD2 and calculates K2 ≡ (YD1)x(mod p).

K1 ≡ (Y)XD1 (mod p).

7 A receives YD2 and calculates K2 ≡ (YD1)x(mod p).

x(mod p).

The Man-in-the-Middle attack is the most effective attack on theDiffie-Hellman key exchange.

The key exchange is vulnerable to such an attack because it does notauthenticate participants. If digital signatures and public-keycertificates are included, then this attack is overcome.

The Man-in-the-Middle attack is the most effective attack on theDiffie-Hellman key exchange.

The key exchange is vulnerable to such an attack because it does notauthenticate participants. If digital signatures and public-keycertificates are included, then this attack is overcome.

ElGamal Cryptosystem

In 1984, Taher Elgamal announced a public-key scheme based ondiscrete logarithms closely related to the Diffie-Hellman technique.The ElGamal cryptosystem is used in some form in a number ofstandards.

As with Diffie-Hellman, the global elements of ElGamal are theprime numbers p and α, which is a primitive root of p.

ElGamal Cryptosystem

In 1984, Taher Elgamal announced a public-key scheme based ondiscrete logarithms closely related to the Diffie-Hellman technique.The ElGamal cryptosystem is used in some form in a number ofstandards.

As with Diffie-Hellman, the global elements of ElGamal are theprime numbers p and α, which is a primitive root of p.

How ElGamal Works

A generates a private/public key pair as follows:1 Generate a random integer XA such that 1 < XA < p− 1.

2 Compute YA ≡ αXA(mod p).3 A’s private key is XA; A’s public key is {p, α, YA}

How ElGamal Works

A generates a private/public key pair as follows:1 Generate a random integer XA such that 1 < XA < p− 1.2 Compute YA ≡ αXA(mod p).

3 A’s private key is XA; A’s public key is {p, α, YA}

How ElGamal Works

A generates a private/public key pair as follows:1 Generate a random integer XA such that 1 < XA < p− 1.2 Compute YA ≡ αXA(mod p).3 A’s private key is XA; A’s public key is {p, α, YA}

How ElGamal Works

Any user B that has access to A’s public key can encrypt a message asfollows:

1 Represent the message as an integer M in the range of0 ≤ M ≤ p− 1. Longer messages are represented as a sequenceof blocks, with each block being an integer less than p.

2 Choose a random integer k such that 1 ≤ k ≤ p− 1.3 Compute a one-time key K ≡ (YA)

k(mod p).4 Encrypt M as the pair of integers (C1,C2) where

C1 ≡ αk(mod p)C2 ≡ KM(mod p)

How ElGamal Works

2 Choose a random integer k such that 1 ≤ k ≤ p− 1.

3 Compute a one-time key K ≡ (YA)k(mod p).

4 Encrypt M as the pair of integers (C1,C2) whereC1 ≡ αk(mod p)C2 ≡ KM(mod p)

How ElGamal Works

k(mod p).

4 Encrypt M as the pair of integers (C1,C2) whereC1 ≡ αk(mod p)C2 ≡ KM(mod p)

How ElGamal Works

C1 ≡ αk(mod p)

C2 ≡ KM(mod p)

How ElGamal Works

C1 ≡ αk(mod p)C2 ≡ KM(mod p)

How ElGamal Works

User A recovers the plaintext as follows:1 Recover the key by computing K ≡ (C1)

XA(mod p).

2 Compute M ≡ (C2K−1)(mod p).

How ElGamal Works

User A recovers the plaintext as follows:1 Recover the key by computing K ≡ (C1)

XA(mod p).2 Compute M ≡ (C2K−1)(mod p).

How ElGamal Works

Here is why ElGamal works: First, let’s show how K is recovered bythe decryption process:

K ≡ (YA)k(mod p)

K ≡ (αXA(mod p))k(mod p)

K ≡ αkXA(mod p)

K ≡ (C1)XA(mod p)

Next, using K, we recover the plaintext as:

C2 ≡ KM(mod p)

(C2K−1)(mod p) ≡ KMK−1(mod p)

≡ M(mod p)

How ElGamal Works

Here is why ElGamal works: First, let’s show how K is recovered bythe decryption process:

K ≡ (YA)k(mod p)

K ≡ (αXA(mod p))k(mod p)

K ≡ αkXA(mod p)

K ≡ (C1)XA(mod p)

Next, using K, we recover the plaintext as:

C2 ≡ KM(mod p)

(C2K−1)(mod p) ≡ KMK−1(mod p)

≡ M(mod p)

Example Using ElGamal

Example

Let’s start with the prime field GF(19). That is, p = 19. It hasprimitive roots {2, 3, 10, 13, 14, 15}. Choose α = 10.

A generates a key pair as follows:1 A chooses XA = 52 Then YA ≡ αXA(mod p) ≡ 105(mod 19) ≡ 3.3 A’s private key is 5; A’s public key is {p, α, YA} = {19, 10, 3}.

Example

A generates a key pair as follows:1 A chooses XA = 5

2 Then YA ≡ αXA(mod p) ≡ 105(mod 19) ≡ 3.3 A’s private key is 5; A’s public key is {p, α, YA} = {19, 10, 3}.

Example

A generates a key pair as follows:1 A chooses XA = 52 Then YA ≡ αXA(mod p) ≡ 105(mod 19) ≡ 3.

3 A’s private key is 5; A’s public key is {p, α, YA} = {19, 10, 3}.

Example

A generates a key pair as follows:1 A chooses XA = 52 Then YA ≡ αXA(mod p) ≡ 105(mod 19) ≡ 3.3 A’s private key is 5; A’s public key is {p, α, YA} = {19, 10, 3}.

Suppose B wants to send the message with the value M = 17. Then:1 B chooses k = 6.

2 Then, K ≡ (YA)k(mod p) = 36(mod 19) ≡ 729(mod 19) ≡ 7

3 So, we haveC1 ≡ αk(mod p) ≡ 106(mod 19) ≡ 11C2 ≡ KM(mod p) ≡ 7 · 17(mod 19) ≡ 119(mod 19) ≡ 5

4 B sends the ciphertext 11, 5.

Suppose B wants to send the message with the value M = 17. Then:1 B chooses k = 6.2 Then, K ≡ (YA)

k(mod p) = 36(mod 19) ≡ 729(mod 19) ≡ 7

3 So, we haveC1 ≡ αk(mod p) ≡ 106(mod 19) ≡ 11C2 ≡ KM(mod p) ≡ 7 · 17(mod 19) ≡ 119(mod 19) ≡ 5

k(mod p) = 36(mod 19) ≡ 729(mod 19) ≡ 73 So, we have

C1 ≡ αk(mod p) ≡ 106(mod 19) ≡ 11

C2 ≡ KM(mod p) ≡ 7 · 17(mod 19) ≡ 119(mod 19) ≡ 54 B sends the ciphertext 11, 5.

C1 ≡ αk(mod p) ≡ 106(mod 19) ≡ 11C2 ≡ KM(mod p) ≡ 7 · 17(mod 19) ≡ 119(mod 19) ≡ 5

For decryption:1 A calculates

K ≡ (C1)XA(mod p)

≡ 115(mod 19)

≡ 161051(mod 19)

2 Then K−1 in GF(19) ≡ 113 Finally, we have

M ≡ (C2K−1)(mod p)

≡ 5 · 11(mod 19)

≡ 55(mod 19)

≡ 17

K ≡ (C1)XA(mod p)

≡ 115(mod 19)

≡ 161051(mod 19)

2 Then K−1 in GF(19) ≡ 11

3 Finally, we have

M ≡ (C2K−1)(mod p)

≡ 5 · 11(mod 19)

≡ 55(mod 19)

≡ 17

K ≡ (C1)XA(mod p)

≡ 115(mod 19)

≡ 161051(mod 19)

2 Then K−1 in GF(19) ≡ 113 Finally, we have

M ≡ (C2K−1)(mod p)

≡ 5 · 11(mod 19)

≡ 55(mod 19)

≡ 17

Chapter 7 Discrete Logarithms - Dr. Travers Page of...

Documents

Transcript of Chapter 7 Discrete Logarithms - Dr. Travers Page of...