Deterministic Algorithm Computing All Generators: Application in Cryptographic Systems Design

Transcription

1 Int. J. Communications, Networ and System Sciences, 0, 5, Published Online November 0 ( Deterministic Alorithm Computin All Generators: Application in Cryptoraphic Systems Desin Boris S. Verhovsy Computer Science Department, New Jersey Institute of Technoloy, University Heihts, Newar, USA verb73@mail.com Received September 7, 0; revised November 4, 0; accepted November 8, 0 ABSTRACT Primitive elements play important roles in the Diffie-Hellman protocol for establishment of secret communication eys, in the desin of the ElGamal cryptoraphic system and as enerators of pseudo-random numbers. In eneral, a deterministic alorithm that searches for primitive elements is currently unnown. In information-hidin schemes, where a primitive element is the ey factor, there is the freedom in selection of a modulus. This paper provides a fast deterministic alorithm, which computes every primitive element in modular arithmetic with special moduli. The alorithm reuires at most lo p diital operations for computation of a enerator. In addition, the accelerated-descend alorithm that computes small enerators is described in this paper. Several numeric examples and tables illustrate the alorithms and their properties. Keywords: Diffie-Hellman Key Exchane; ElGamal Cryptosystem; Generator; Generator of Pseudo-Random Numbers; Information Hidin; Primitive Element; Safe Prime. Introduction and Basic Definitions To ensure a hih level of crypto-immunity of some cryptoraphic systems, it is necessary to select a system parameter (called a primitive element) that satisfies certain conditions. The primitive elements are used in the Diffie-Hellman secret ey establishment (DHKE) protocol [] and in the ElGamal alorithm [] for secure exchane of information via open channels. They are also used in the desin of enerators of pseudo-random numbers [3]. In modular arithmetic, a primitive element modulo p is an inteer havin the property that every inteer h coprime with p can be expressed as a power of modulo p. Therefore, powers of enerate all non-zero elements of the multiplicative roup of inteers modulo p. Definition.: If an inteer has a property that for every inteer h p there exists a correspondin inteer x such that x mod p h, (.) then is called a primitive element (enerator, in short) and x is called the discrete loarithm of h to the base modulo p. For every prime p there exist several enerators. For instance, if p = 3, then = 3,,, 3, 7,, and 4 are enerators. Leonhard Euler discovered the primitive elements, and Carl F. Gauss described their properties in [4]. A mathematically-oriented reader can find further results in [5,6]. The elliptic curve cryptoraphy (ECC), initially described in [7,8], is an analoue of the ElGamal protocol. As a result, the ECC also reuires selection of a point G on the elliptic curve, which is an analoue of the enerators in cyclic roups based on real inteers. However, an efficient alorithm that computes G is an open problem.. Verification Procedure In order to verify whether is a enerator for prime p, consider all factors of p. Proposition.: Suppose p f f f e e e m m where every inteer f and every inteer e ; if p f ; (.) mod p ; (.) holds for every,,, m, then is a enerator [9]. Example.: Suppose p = 7; let us find a enerator. Since p 70 57, then is a enerator if and only if 35 mod 7 ; 4 mod 7 ; and 0 mod 7. (.3) Copyriht 0 SciRes.

2 76 B. VERKHOVSKY n Table shows values of mod 7. Since = 7 satisfies every condition in (.3), therefore, after fifteen exponentiations we find that it is the enerator for p = 7. Althouh the conditions (.) are straiht-forward to verify, if m is lare, then (.) reuires factorization of p [0] and m exponentiations for each potential candidate. Also, if at least one of these conditions does not hold, it is necessary to consider the next candidate. In eneral, non-deterministic alorithms are typical for various problems in modular arithmetic. 3. Two Deterministic Alorithms In information-hidin schemes, where a primitive element is necessary, there are alternatives for selectin a prime modulus. Definition 3.: If both p and p are primes, then p is called a safe prime [9]. Example 3.: Inteers 5, 7,, 3, 47, 59, 83, 07, 67, 79, 7, 63, 347, 863, 9839, , and 9567 are examples of safe primes. Althouh the search for safe primes is not the oal of this paper, the followin properties of safe primes eliminate numerous false candidates: p mod 0 = 3 or 7 or 9, otherwise p is not a prime. A non-deterministic alorithm for the selection of safe primes is provided in [9] {see 4.86 Alorithm}. Proposition 3.: If p 7 is a safe prime, then : p p ; (3.) Remar 3.: Althouh (3.) does not always compute the smallest enerator, its value is small in comparison with p: = O p. Indeed, p 3. (3.) Moreover, if p 7, 3, 47,67, then If p 3 3,7,,3. p,83, 7, then for every p Proposition 3.: If. p 7 is a safe prime, then 3p 4; (3.3) Proofs of both propositions are provided in the next section. Table provides fifteen examples of safe primes and three correspondin enerators for each of them. For every safe prime, the procedures (3.), (3.3) as well as (6.4), described in the sixth section, are deterministic and reuire at most one inteer multiplication. As a result, in the ElGamal alorithm, the enerator can be periodically renewed for enhancement of communication security. Notice that in Table for p =, 3, 47, 59, 67, 79 and 347 m; and for the rest of these primes it m is otherwise, i.e.,. 4. Alorithm Computin All Generators Both Propositions 3. and 3. are special cases of more eneral proposition. Proposition 4.: Let p 7 be a safe prime; then for every inteer z that satisfies the ineualities z p ; (4.) pz mod p Proof: Definition 3. implies that for a safe prime p ; (4.3) ; (4.) where is an odd prime. Therefore, is a enerator because by Fermat s Little Theorem [3,4] p mod pz z p p mo d (4.4) 4 and z z p. (4.5) Table. Choice of enerator for p = 7. \n n = 0 n = 4 n = 35 = = = 5 57 = = Table. Safe primes and correspondin enerators. p m Copyriht 0 SciRes.

3 B. VERKHOVSKY 77 Suppose that (4.5) does not hold, i.e., there exists at least one Z, for which Z 4 modp. z Therefore, it implies that Z Z Z Z 4 mod p 0. (4.6) However, none of three factors in (4.6) are conruent with zero modulo p: the first two are excluded by the constraints in (4.); and the case Z mo d p ; (4.7) is also infeasible, since by Euler s criterion of uadratic residuosity [4,9] p mod p ; (4.8) which implies that does not have a suare root modulo p. In other words, z in (4.7) has no real inteer solution. Q.E.D. Proof of Proposition 3.: It is easy to verify that (3.3) is a special case of (4.) for z =. Indeed, consider p p p p 4 3p 3p p 4mod p Since for every safe prime p mod 4 = 3 holds, then In addition, 3 mod40 3 mod p0 p (4.9) p p. (4.0) p p. (4.) Because the last term in (4.9) is an inteer, therefore, (4.9)-(4.) imply (3.3). Q.E.D. Table 3 lists all enerators for p = 47 as functions of parameter z {see (4.)}. Since every safe prime p has ; (4.) distinct enerators, {here x is Euler stotient function [4]}, the function (z) enerates each of them if z is chanin on the interval [, ]; {see (4.) and Table 3}. In addition, (4.) implies that pz z mod p. (4.3) For an illustration of (4.3), compare 3 for z = 3 and 4; or for z = and 5. Proposition 4.: If every 0,,, p 7 z in Table is a safe prime, then for 3 3p 4 p 4 mod p; 5. Alorithm for a Small Generator This alorith m computes a small enerator for every safe prime p 7. Step 5.: Compute Step 5.: Compute p (4.4) 0 : 3 4; (5.) m: 0 ; (5.) Step 5.3: Compute the enerator : 0 mod m m m p (5.3) 6. Validation of Alorithm (5.)-(5.3) Let us consider a seuence of acceleratinly decreasin enerators. Let 0 : 3p 4 (3.3); Consider z p 3 ; (6.) and let : pz 0p9 p 4mod p, (6.) where every term in (6.) is an inteer. Hence (4.0), (4.) and (6.) imply that 0p 9 3p 4 7p 9 4mod p. Proposition 6.: For every safe prime p there exists a subset S of enerators 0,,, m such that for,,, m holds. (6.3) Table 3. p = 47 and correspondin enerators (z). z (z) z (z) Copyriht 0 SciRes.

4 78 B. VERKHOVSKY For instance, if p = 83, then (0) = 6; () = 60; () = 56; (3) = 50; (4) = 4; (5) = 3; (6) = 0; (7) = 6. Therefore, (6.3) implies that for,,, m 0 mod p. (6.4) As a result, we derive a monotone decreasin seuence of enerators 0 m m where an optimal m minimizes the constraints Remar 6.: In the worst case ; (6.5), {see (6.4)}, under and 0. (6.6) 3p m. (6.7) Example 6.: Let p = 47; then (0) = 35 and from (6.6) m = 5. Hence (m) = 5, which is the smallest enerator. Yet, (3.). Example 6.: Let p = 83; then (0) = 6 and m = 7. Therefore, (7) = 6, which is the third smallest one after the enerators and 5. Yet, (3.), is the smallest enerator. Example 6.3: Let now p = 9567; then (0) = 7465; and from (5.) m = 67. Therefore, (67) = 473. Yet, = 494. The procedure described above finds small enerators. In some cases, it even provides the smallest enerators; {as in Example 6.}. However, it does not find the smallest enerator for every safe prime p. In that case select : min, m. (6.8) 7. Results of Computer Experiments Several hundred computer experiments with the safe prime p randomly-selected on interval (0 7, 0 0 ) confirm that for every p there exists a monotone-decreasin subset S of enerators (0), (), (),, (m) that satisfy the ineualities (6.3). For instance, if p = , then the number m of enerators in the subset S is eual The experiments also indicate that m with freuency f m with freuency It 0.38 and f implies that, if only one alorithm is used to compute a small enerator, then m should be computed, because m with probability close to 6%. Remar 6.: Notice that f f, i.e., these freuencies satisfy the olden ratio euality. 8. Acnowledements I express my appreciation to W. Gruver and R. Rubino for their helpful suestions for improvement of the manuscript. I am also rateful to E. Gerda and Y. Polyaov for their assistance in computer experiments. REFERENCES [] W. Diffie and M. E. Hellman, New Directions in Cryptoraphy, IEEE Transactions on Information Theory, Vol., No. 6, 976, pp doi:0.09/tit [] T. ElGamal, A Public Key Crypto-System and a Sinature Scheme Based on Discrete Loarithms, IEEE Transactions on Information Theory, Vol. 3, No. 4, 985, pp doi:0.09/tit [3] D. Knuth, The Art of Computer Prorammin, Vol. : Seminumerical Alorithms, 3rd Edition, Addison-Wesley, Readin, 998, pp. 8-. [4] C. F. Gauss, Disuisitiones Arithmeticae, nd Edition, Spriner, New Yor, 986. [5] P. Ribenboim, The New Boo of Prime Number Records, Spriner, New Yor, 996. doi:0.007/ [6] E. Bach and J. Shallit, Alorithmic Number Theory: Vol. : Efficient Alorithms, MIT Press, Cambride, 996. [7] V. S. Miller, Use of Elliptic Curves in Cryptoraphy, Advances in Cryptoraphy-CRYPTO (LNCS 8), 986, pp [8] N. Koblitz, Elliptic Curve Crypto-Systems, Mathematics of Computation, Vol. 48, No. 0, 987, pp doi:0.090/s [9] A. Menezes, P. van Oorschot and S. Vanstone, Handboo of Applied Cryptoraphy, CRC Press, Boca Raton, 997, pp [0] B. Verhovsy, Inteer Factorization of Semi-Primes Based on Analysis of a Seuence of Modular Elliptic Euations, Int. J. of Communications, Networ and System Sciences, Vol. 4, No. 0, 0, pp Copyriht 0 SciRes.

5 B. VERKHOVSKY 79 Appendix Alternative Search for Small Generators Consider a safe prime p ; and let z: p5 ; : p h p z 4 5 p 4 mod p. (A.) Since every term in (A.) is an inteer, therefore now, p p mod 4 ; (A.) and p p mod p 0. (A.3) Hence h 3p 5 4mod p z p m. In eneral, for : ; (A.4) Thus, h m 4m 5 p m 4 mod p. (A.5) h m h m m 6 mod p. (A.6) Since h 6 0, therefore (A.6) and (6.4) provide the same results. Copyriht 0 SciRes.