Discrete Logarithm Problem

Similar documents
L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Notes for Lecture 17

Introduction to Cryptography. Lecture 8

Lecture 1: Introduction to Public key cryptography

10 Public Key Cryptography : RSA

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 7: ElGamal and Discrete Logarithms

Cryptography and Security Final Exam

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

14 Diffie-Hellman Key Agreement

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Introduction to Modern Cryptography. Benny Chor

CIS 551 / TCOM 401 Computer and Network Security

Math/Mthe 418/818. Review Questions

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CPSC 467: Cryptography and Computer Security

Lecture 28: Public-key Cryptography. Public-key Cryptography

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Introduction to Elliptic Curve Cryptography. Anupam Datta

MATH 158 FINAL EXAM 20 DECEMBER 2016

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

RSA. Ramki Thurimella

Mathematics of Cryptography

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

CRYPTOGRAPHY AND NUMBER THEORY

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

8.1 Principles of Public-Key Cryptosystems

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

One can use elliptic curves to factor integers, although probably not RSA moduli.

RSA RSA public key cryptosystem

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Other Public-Key Cryptosystems

Question: Total Points: Score:

Introduction to Modern Cryptography. Benny Chor

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem

Discrete Logarithm Problem

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Cryptography IV: Asymmetric Ciphers

An Introduction to Probabilistic Encryption

8 Elliptic Curve Cryptography

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Public-Key Encryption: ElGamal, RSA, Rabin

Public Key Encryption

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Fundamentals of Modern Cryptography

Elliptic Curve Cryptography

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

By the way, = = 693 (mod 1823) and ord(3) = 911. I list the commands I used in Mathematica to solve this problem here.

Public Key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Carmen s Core Concepts (Math 135)

arxiv: v3 [cs.cr] 15 Jun 2017

My brief introduction to cryptography

CPSC 467b: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 17: Constructions of Public-Key Encryption

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Lecture V : Public Key Cryptography

1 Number Theory Basics

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Lecture 22: RSA Encryption. RSA Encryption

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Discrete Mathematics GCD, LCM, RSA Algorithm

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Discrete mathematics I - Number theory

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

Topics in Cryptography. Lecture 5: Basic Number Theory

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Advanced Cryptography 03/06/2007. Lecture 8

Public Key Algorithms

Elliptic Curve Cryptosystems

} has dimension = k rank A > 0 over F. For any vector b!

Asymmetric Encryption

Other Public-Key Cryptosystems

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lecture 11: Key Agreement

Aitken and Neville Inverse Interpolation Methods over Finite Fields

Cryptography and Security Midterm Exam

Transcription:

Discrete Logarithm Problem

Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition: (a + bi) + (c + di) := (a + c) + (b + d)i Multiplication: (a + bi)(c + di) = ac + (ad + bc)i + bdi 2 For instance, (1 + 2i) + (1 + i) = 2 + 0i = 2 (1 + 2i)(1 + i) = (1 + 2) + (1 + 2 + 2)i = 2i (1 + i) 2 = (1 + 1) + (1 + 1 + 1)i = 2 = (ac + bd) + (ad + bc + bd)i

Finite Fields Consider the powers of i: i, i 2 = i+1, i 3 = i 2 + i = 2i + 1, i 4 =(i 2 ) 2 = (i+1) 2 = 2, i 5 = (i 4 )i = 2i, i 6 =(i 4 )(i 2 ) = 2+2i, i 7 = 2 + i, i 8 = 1 An element of a field whose powers give all the non-zero elements of that field is called a primitive element of the field. If F is a finite field, the set F\{0} of non-zero elements is denoted by F* and is a (cyclic) group under multiplication. A primitive element of F is also called a generator of F*. Not all the elements of F* are primitive. 2, 2 2 = 1 i+1, (i+1) 2 = 2, (i+1) 3 = 2i + 2, (i+1) 4 = 1

Square and Multiply Let F = GF(q) and take α as a primitive element of F. Any c F* has a unique representation as c = α m, for 0 m q-1. c can be computed from α and m with only 2 log 2 q multiplications. The binary representation of m gives the order of the needed multiplications, which consist only of squaring and multiplying by α. For instance, if m = 171 then 171 = 128 + 32 + 8 + 2 + 1 = (10101011) 2 and the computation of α 171 is carried out by starting with 1, then, working from the most significant bit down, we square the current value and if there is a 1 in the binary representation we also multiply by α. Thus, α 171 = ((((((((1) 2 α) 2 ) 2 α) 2 ) 2 α) 2 ) 2 α) 2 α.

Discrete Logarithm Problem On the other hand, given c and α, finding m is a more difficult proposition and is called the discrete logarithm problem. If taking a power is of O(t) time, then finding a logarithm is of O(2 t/2 ) time. And this can be made prohibitively large if t = log 2 q is large.

Diffie-Hellman Key Exchange The difficulty of taking logarithms makes exponentiation in a finite field a one-way function (not a trapdoor function however). This can be used in a public key exchange protocol. Public knowledge is p, and α m U for each user U, while each user keeps secret their value of m U. To exchange keys without transmission, A looks up B's public key and exponentiates it with his own secret exponent. B does the same to A's public key. Thus, each of them calculates the same key value α m B m A α m A m B mod p. There does not appear to be any means of obtaining this value without first finding one of the secret exponents... i.e., solving the discrete logarithm problem for this q. Diffie & Hellman suggest using a value of p which is at least 100 bits long.

Diffie-Hellman Key Exchange One problem with this protocol is that there is only one key that the two users can use. A variation which permits different keys (called session keys) to be used is: Public information: prime p and generator of Z p α. Protocol: A chooses a random secret exponent a, with 0 < a < p-1. A computes α a mod p and sends this to B. B chooses a random secret exponent b, with 0 < b < p-1. B computes α b mod p and sends this to A. A computes the key K = (α b ) a mod p while B computes the key K = (α a ) b mod p.

Man in the Middle Attack A new problem arises with this variant. If Oscar is capable of altering the messages between Alice and Bob (an active rather than passive adversary), then Oscar can change Alice's original α a to his own α c and similarly change Bob's original α b to his own α c. Now, all communication between Alice and Bob has to go through Oscar in order to be decrypted. That is, a message from Alice is decrypted by Oscar, possibly altered, and then encrypted by Oscar to send to Bob. This man-in-the-middle attack can be thwarted by the use of a signature scheme. After receiving α a from Alice, Bob sends the pair (α b, sig B (α a,α b )) from which Alice can verify that α b has not been altered from what Bob sent. Alice then sends sig A (α a,α b ) to Bob so that he can verify the α a that Alice originally sent.

El-Gamal Cryptosystem For a prime p which is intractible (i.e., very large), let α be a generator of Z p *. Each user selects a secret element a Z p-1 and makes public the value β α a mod p. Thus, α, β, and p are publicly known. To send a message, Alice randomly selects a secret k Z p-1 and if x is the message, sends the ordered pair (α k, x β k ) mod p, where β is Bob's β. To decrypt, Bob raises the first component to his secret exponent a, finds the inverse mod p of this number, and multiplies the second component by this inverse to get the message back. This computation is, (x β k ) (α ka ) -1 = x β k (β k ) -1 x mod p.

Shank's Algorithm This algorithm is known as a Time-Memory Trade Off, that is, if you have enough memory at your disposal you can use it to cut down the amount of time it would normally take to solve the problem. Let p be a prime, α a generator of Z p *. We wish to find a, given β where β α a mod p. Let. 1: Compute α mj mod p for 0 j m-1. 2: Sort the pairs (j, α mj mod p ) by second coordinate in a list L 1. 3: Compute βα -i mod p for 0 i m-1. 4: Sort the pairs (i, βα -i mod p ) by second coordinate in a list L 2. 5: Find a pair in each list with the same second coordinate, i.e., (j, y) L 1 and (i, y) L 2. 6: a mj + i mod (p-1). m= p 1

Pohlig-Hellman Algorithm There are certain cases in which the discrete logarithm problem can be solved in less than O( q) time, for instance when q-1 has only small prime divisors. An algorithm for dealing with this special case was developed in 1978. We first look at a special case: Suppose that q - 1 = 2 n. Let α be a primitive element in GF(q). Noting that in this case, q is odd, we have α (q-1)/2 = -1. Let m, 0 m q-2, be the exponent of α that we wish to find, i.e. c = α m, and write m in its binary representation: m = m 0 + m 1 2 + m 2 2 2 +... + m n-1 2 n-1. Now, c q 1 q 1 q 1 2 = m 2 = m 0 m 1 2 m n 1 2 n 2 2 = m 0 So the evaluation of c (q-1)/2 which costs at most 2 log 2 q operations, yields m 0. q 1 2 = 1if m 0=0 1if m 0 =1

Pohlig-Hellman Algorithm We then determine c 1 = cα -m 0, and repeat the basic computation again to obtain m 1. c 1 q 1 q 1 2 = m 1 m 2 2 m n 1 2 n 2 2 = m q 1 1 2 = 1if m 1=0 1if m 1 =1 This procedure can then be repeated until each of the m i are obtained. The total number of operations is thus n (2 log 2 q + 2) O ( (log 2 q) 2 ). The general case is dealt with by repeating the analogue of the special case for each of the prime factors of q-1 and then combining the results using the Chinese Remainder Theorem.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback