Lecture 7: ElGamal and Discrete Logarithms

Johan Håstad, transcribed by Johan Linde

2006-02-07

1 The discrete logarithm problem

Recall that a generator $g$ of a group $G$ is an element of order $n$ such that the set $\langle g \rangle = \{ g^i \mid 0 \le i \le n-1 \}$ contains every element of $G$. If $g$ is a generator, the other generators are given by $g^r$ where $\gcd(r, n) = 1$.

We will work with the integers modulo $p$ for a prime $p$. The corresponding multiplicative group does not contain 0 and hence its order is $p-1$. We will also be interested in subgroups of this group, and in such a case the order is always a factor of $p-1$.

For example, 2 is a generator of the group of positive integers modulo 11 under multiplication, with the following sequence of powers:

$$1,\ 2,\ 4,\ 8,\ 16 = 5,\ 10,\ 20 = 9,\ 18 = 7,\ 14 = 3,\ 6,\ 12 = 1$$

Of course, not all elements are generators. For example, if $p = 11$ as above and we try $g = 4$:

$$1,\ 4,\ 16 = 5,\ 20 = 9,\ 36 = 3,\ 12 = 1$$

We are generally interested in multiplicative groups over positive integers modulo a prime. Primes of the form $p = 1 + 2q$ where $q$ is prime are especially interesting in cryptographic applications. Then, if $g$ is a generator, the other generators are given by $g^r$ where $r$ is odd and $r \ne q$. The other elements, except $g^q$ (which in fact equals $-1$), generate the subgroup with $q$ elements given by the even powers of $g$, and this is also a commonly used subgroup in cryptography.

1.1 The discrete logarithm problem (DLOG)

Given $p$, $g$, and $y$, the discrete logarithm problem is to find $x$ such that $g^x = y \bmod p$, or written another way, calculate $x = \log_{g,p} y$. It is easy to compute $y$ from $p$, $g$, and $x$, but no efficient way of calculating $x$ from $p$, $g$, and $y$ is known.

2 The ElGamal cryptosystem

Take a large prime $p$ (preferably of the form $1 + 2q$ where $q$ is prime), a generator $g$, and randomly choose $x$, $1 \le x \le p-1$, and calculate $y = g^x \bmod p$. Publish $y$, $p$, and $g$.

2.1 Encryption

Pick a random $r$ and let

$$\alpha = g^r \bmod p, \qquad \beta = m \cdot y^r \bmod p.$$

The ciphertext is given by $(\alpha, \beta)$.

2.2 Decryption

Decryption can be done if $x$ is known in addition to $\alpha$ and $\beta$ as follows:

$$\frac{\beta}{\alpha^x} = \frac{m \cdot y^r}{(g^r)^x} = \frac{m \cdot (g^x)^r}{(g^r)^x} = \frac{m \cdot g^{rx}}{g^{rx}} = m$$

where all operations are taken modulo $p$.

2.3 Security

We have a way to encrypt and a way to decrypt. But is it secure? Obviously, if we can calculate discrete logarithms efficiently, ElGamal can be broken. It is unknown whether the converse is true; it might be that it is possible to break ElGamal without computing discrete logarithms.

3 Algorithms for the discrete logarithm problem

3.1 The naive algorithm

The naive way to calculate the discrete logarithm is simply to calculate $g, g^2, g^3, \ldots$ until $y$ is found. This is very inefficient since the time taken is proportional to $p$.

3.2 The baby-step / giant-step algorithm

An improvement over the naive algorithm is to first calculate $y, y g, y g^2, y g^3, \ldots, y g^a$, where $a = \lceil \sqrt{p}\, \rceil$, and put the values in a hash table. Then calculate $g^a, g^{2a}, g^{3a}, \ldots, g^{a^2}$, and look in the table for a collision. In the case of a collision, $g^i y = g^{ja}$ gives $y = g^{ja-i}$. The time taken is clearly proportional to $\sqrt{p}$.

Are we guaranteed to find a collision? The answer is yes. To see this, rewrite $x$ as $x = a x_1 + x_2$, where $0 \le x_1, x_2 < a$. From $y = g^x$ we get $y = g^{a x_1 + x_2}$, and multiplying both sides by $g^{a - x_2}$ we have $y g^{a - x_2} = g^{(x_1 + 1)a}$. The left hand side is one of the values in the hash table, and the right hand side is one of the other values.

3.3 The Pohlig-Hellman algorithm

Assume that $p-1$ has a factorization with only small primes, i.e. $p - 1 = \prod_{i=1}^{r} q_i$, where every $q_i$ is small. The idea is to find $x$ modulo each of the $q_i$ separately and then use the Chinese Remainder Theorem to find $x$.

Suppose $x = x_i \pmod{q_i}$, i.e. that $x = x_i + a_i q_i$ for some integer $a_i$. We have that $g^x = y$ and hence

$$y^{\frac{p-1}{q_i}} = g^{(x_i + a_i q_i)\frac{p-1}{q_i}} = g^{x_i \frac{p-1}{q_i} + a_i (p-1)} = g^{x_i \frac{p-1}{q_i}} \pmod{p}$$

as $g^{p-1} = 1$. Given a number of the form $g^{(p-1)a/q_i}$, $0 \le a < q_i$, how do we find $a$? Naively, as there are only $q_i$ possibilities, we can compute $g^{b \frac{p-1}{q_i}}$ for $0 \le b \le q_i$ and compare. Looking more closely we see that we are back at the discrete logarithm problem in a group of order $q_i$, and we can apply the baby-step/giant-step algorithm, getting an algorithm that runs in time about $\sqrt{q_i}$.

3.4 The best known algorithm

The best known algorithm is a variant of the number field sieve, the algorithm used for integer factorization, and has almost the same time complexity, $2^{c (\log p)^{1/3} (\log \log p)^{2/3}}$. The constants for this algorithm are worse and not as much effort has been spent solving large instances. However, a $p$ with 512 bits must be considered insecure, while 1024 bits is probably beyond reach for the moment.
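Sections 3.2 and 3.3 carried through in code, as an added example that is not part of the original notes. It shows why $p-1$ must contain a large prime factor: for a 38-bit prime whose $p-1$ is a product of small primes, the exponent falls out after a few dozen group operations. The function names and the demo prime are choices made for this example, and `bsgs` takes the group order `n` as a parameter so the same routine works in the subgroups used by Pohlig-Hellman.

```python
from math import isqrt

def bsgs(g, y, p, n):
    """Solve g^x = y (mod p) for x in [0, n), where g has order n.
    Section 3.2 with a = ceil(sqrt(n)); returns None if y is not a power of g."""
    a = isqrt(n - 1) + 1
    table, cur = {}, y % p
    for i in range(a + 1):              # baby steps: y, y*g, ..., y*g^a
        table.setdefault(cur, i)
        cur = cur * g % p
    step = pow(g, a, p)
    cur = step
    for j in range(1, a + 1):           # giant steps: g^a, g^2a, ..., g^(a*a)
        if cur in table:                # g^i * y = g^(j*a)  =>  x = j*a - i
            return (j * a - table[cur]) % n
        cur = cur * step % p
    return None

def pohlig_hellman(g, y, p, qs):
    """Section 3.3: p - 1 is the product of the distinct small primes in qs."""
    x, m = 0, 1                         # invariant: x is the DLOG modulo m
    for q in qs:
        g_q = pow(g, (p - 1) // q, p)   # generates the subgroup of order q
        y_q = pow(y, (p - 1) // q, p)   # equals g_q^(x mod q)
        x_q = bsgs(g_q, y_q, p, q)      # about sqrt(q) work
        t = (x_q - x) * pow(m, -1, q) % q   # Chinese Remainder Theorem step
        x, m = x + m * t, m * q
    return x

def find_generator(p, qs):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in qs))

# Constructed demo parameters: P - 1 = 2*3*5*...*31, so P - 1 is smooth.
QS = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31]
P = 200560490131                        # 38-bit prime
G = find_generator(P, QS)

def recover(x_secret):
    """Publish y = G^x and recover x from (P, G, y) alone."""
    return pohlig_hellman(G, pow(G, x_secret, P), P, QS)
```

With $p = 1 + 2q$ the same routine still handles the factor 2 instantly, but the factor $q$ costs about $\sqrt{q}$ steps, which is the reason the notes prefer primes of that form.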

4 Diffie-Hellman key exchange

Assume that Alice and Bob want to share a key $K$ via a possibly insecure communication channel. Alice, who knows $a$, sends $g^a$ to Bob, and Bob, who knows $b$, sends $g^b$ to Alice. If we let the key be $g^{ab} \bmod p$, then both Alice and Bob can calculate $K$ since $(g^b)^a = (g^a)^b = g^{ab} = K$, where all calculations are mod $p$, and $g$ is a generator.

The ElGamal encryption scheme can be seen as a version of DH that has $b$ fixed and where the common key is used as a multiplicative one-time pad.

If ElGamal is used in the entire $\mathbb{Z}_p$, i.e. $0 \le m \le p-1$, then an eavesdropper can get information about one bit, whether $m$ is even or odd in $\mathrm{DLOG}_{g,p}$, in the following way:

If $x$ is even, i.e. $x = 2x'$, then

$$y^{\frac{p-1}{2}} = g^{x\frac{p-1}{2}} = g^{2x'\frac{p-1}{2}} = g^{x'(p-1)} = (g^{p-1})^{x'} = 1 \bmod p$$

If $x$ is odd, i.e. $x = 2x' + 1$, then

$$y^{\frac{p-1}{2}} = g^{x\frac{p-1}{2}} = g^{(2x'+1)\frac{p-1}{2}} = g^{x'(p-1) + \frac{p-1}{2}} = g^{\frac{p-1}{2}} = -1 \bmod p$$

So

$$y^{\frac{p-1}{2}} = \begin{cases} 1 & \text{if } x \text{ even} \\ -1 & \text{if } x \text{ odd} \end{cases}$$

That is the motivation to instead use $p = 1 + 2q$ with a $g$ that generates a subgroup of order $q$. The message $m$ is assumed to have even DLOG (if that is not the case, random bits can be used to correct it). DH can then use the same $g$.

It is unknown whether DH is hard given that DLOG is hard. The security of the above key exchange protocol relies on the assumption that the following problems are difficult (of course, CDH is at least as hard as DDH):

4.1 Computational Diffie-Hellman (CDH)

Given $g^a$ and $g^b$, find $g^{ab}$.

4.2 Decision Diffie-Hellman (DDH)

Given either $(g^a, g^b, g^{ab})$ or $(g^a, g^b, g^c)$ for random $a$, $b$ and $c$, decide whether you have been given a triple of the first kind or the second kind.

DDH, loosely speaking, says that no efficient algorithm can do better than guessing on this problem, i.e. cannot be correct with probability significantly higher than 50 %. Put differently, DDH says that we cannot recognize the correct answer to CDH even if it is given to us.
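The one-bit leak from Section 4 and its fix, side by side, as an added example that is not part of the original notes. It runs ElGamal (Section 2) over a toy safe prime, first with a generator of the whole group and then with a generator of the order-$q$ subgroup; the prime, the function names and the `leaked_bit` helper are assumptions made for this example.

```python
import secrets

P = 2879                  # constructed toy safe prime: P = 1 + 2*Q, Q = 1439 prime
Q = (P - 1) // 2

def legendre(z):
    """z^((P-1)/2) mod P: +1 if DLOG of z is even, -1 if it is odd."""
    return 1 if pow(z, Q, P) == 1 else -1

# For a safe prime, every element with odd DLOG except -1 generates the group.
G_FULL = next(g for g in range(2, P - 1) if legendre(g) == -1)
G_SUB = pow(G_FULL, 2, P)  # generates the subgroup of order Q (even powers)

def keygen(g, order):
    x = secrets.randbelow(order - 1) + 1        # secret exponent
    return x, pow(g, x, P)                      # (x, y = g^x mod P)

def encrypt(g, order, y, m):
    r = secrets.randbelow(order - 1) + 1        # fresh r per message
    return pow(g, r, P), m * pow(y, r, P) % P   # (alpha, beta)

def decrypt(x, alpha, beta):
    return beta * pow(pow(alpha, x, P), -1, P) % P   # beta / alpha^x

def leaked_bit(y, alpha, beta):
    """What a passive observer learns about m from public values alone.
    DLOG(beta) = DLOG(m) + r*x, and r*x is odd only if r and x are both odd."""
    mask = -1 if legendre(y) == -1 and legendre(alpha) == -1 else 1
    return legendre(beta) * mask

def run(g, order, messages):
    """Encrypt each m; return (decrypts correctly, leaked bit) per message."""
    x, y = keygen(g, order)
    out = []
    for m in messages:
        alpha, beta = encrypt(g, order, y, m)
        out.append((decrypt(x, alpha, beta) == m, leaked_bit(y, alpha, beta)))
    return out
```

With `G_FULL` the second component of each result equals `legendre(m)` for every message; with `G_SUB` and messages taken from the subgroup it is always 1, so the ciphertext no longer separates messages by this bit.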