Discrete logarithm and related schemes

Similar documents
Lecture 7: ElGamal and Discrete Logarithms

Short Exponent Diffie-Hellman Problems

CPSC 467b: Cryptography and Computer Security

One can use elliptic curves to factor integers, although probably not RSA moduli.

CPSC 467: Cryptography and Computer Security

Elliptic Curve Cryptography

Public Key Cryptography

Week : Public Key Cryptosystem and Digital Signatures

G Advanced Cryptography April 10th, Lecture 11

Other Public-Key Cryptosystems

Advanced Topics in Cryptography

Introduction to Elliptic Curve Cryptography

8 Elliptic Curve Cryptography

Elliptic Curve Cryptography with Derive

Introduction to Cybersecurity Cryptography (Part 4)

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Introduction to Cryptography. Lecture 8

Arithmétique et Cryptographie Asymétrique

Public Key Cryptography

Cryptography IV: Asymmetric Ciphers

Introduction to Elliptic Curve Cryptography. Anupam Datta

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Other Public-Key Cryptosystems

Introduction to Cybersecurity Cryptography (Part 4)

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Chapter 8 Public-key Cryptography and Digital Signatures

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

Public-Key Encryption: ElGamal, RSA, Rabin

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

CSC 774 Advanced Network Security

Public-key Cryptography and elliptic curves

CSC 774 Advanced Network Security

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPSC 467b: Cryptography and Computer Security

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

MATH 158 FINAL EXAM 20 DECEMBER 2016

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

5.4 ElGamal - definition

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture Notes, Week 6

RSA-OAEP and Cramer-Shoup

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Ti Secured communications

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Public-key Cryptography and elliptic curves

Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Introduction to Public-Key Cryptosystems:

Definition of a finite group

Lecture 1: Introduction to Public key cryptography

Public Key Algorithms

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

ASYMMETRIC ENCRYPTION

Notes for Lecture 17

Breaking Plain ElGamal and Plain RSA Encryption

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

The Cramer-Shoup Cryptosystem

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Topics in Cryptography. Lecture 5: Basic Number Theory

Elliptic Curve Cryptography

SM9 identity-based cryptographic algorithms Part 1: General

CSC 5930/9010 Modern Cryptography: Number Theory

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

5199/IOC5063 Theory of Cryptology, 2014 Fall

Question: Total Points: Score:

Points of High Order on Elliptic Curves ECDSA

Asymmetric Encryption

Recent Advances in Identity-based Encryption Pairing-free Constructions

1 Number Theory Basics

Finite Field Cryptography

Chapter 4 Asymmetric Cryptography

NAVAL POSTGRADUATE SCHOOL THESIS

Asymmetric Cryptography

Introduction to Modern Cryptography. Benny Chor

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Elliptic Curve Cryptosystems

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Part VIII. Elliptic curves cryptography and factorization

Discrete Logarithm Problem

Public Key Cryptography with a Group of Unknown Order

Introduction to Cryptography. Lecture 6

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Digital signature schemes

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Mathematics of Public Key Cryptography

Public-Key Cryptosystems CHAPTER 4

Mathematics of Cryptography

Lecture V : Public Key Cryptography

Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

Course Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week

Polynomial Interpolation in the Elliptic Curve Cryptosystem

10 Public Key Cryptography : RSA

Public Key Encryption

Transcription:

Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18)

Content Discrete logarithm problem examples, equivalent key lengths choosing a base for DLOG Encryption schemes ElGamal, Cramer-Shoup Elliptic curves DLOG and related cryptosystems 2 / 26,

Discrete logarithm problem Given a finite group (G, ) and elements g, y G. Compute x Z such that g x = y. usually cyclic (sub)groups with generator g are used DLOG is easy/hard depending on the group G Easy: (Z n, +) DLOG by solving congruence gx y (mod n) Hard: (Z p, ) for prime p; usually with g generating a subgroup of large prime order q Elliptic curve groups (various curve types over various finite fields) DLOG and related cryptosystems 3 / 26,

Example of DLOG in (Z p, ) let p = 11 case 1: g = 5 x 0 1 2 3 4 5 6 7 8 9 10 5 x mod 11 1 5 3 4 9 1 5 3 4 9 1 log 5 9 = 4; log 5 7 does not exist case 2: g = 7 x 0 1 2 3 4 5 6 7 8 9 10 7 x mod 11 1 7 5 2 3 10 4 6 9 8 1 log 7 2 = 3; log 7 10 = 5 DLOG and related cryptosystems 4 / 26,

Solving hard instances of DLOG (Z p, ) Specific algorithms, e.g. when p 1 lacks large prime factor General algorithm: Number Field Sieve for DLOG complexity as GNFS for factorization ( equal key length) Generic algorithms for any cyclic group the best algorithms for some groups, e.g. elliptic curve groups complexity O(n 1/2 ), for n = G algorithms: baby-step/giant-step, Pollard s ρ, Pohlig-Hellman DLOG and related cryptosystems 5 / 26,

Equivalent key lengths symmetric modular (subgroup) elliptic curves 80 1024 (160) 160 112 2048 (224) 224 128 3072 (256) 256 192 7680 (384) 384 256 15360 (512) 512 NIST Recommendations (SP 800-57 part 1 rev. 4) (2016) various methods are compared at www.keylength.com DLOG and related cryptosystems 6 / 26,

Selection of the base is irrelevant for DLOG g, h generators of G, G = n y input if DLOG w.r.t. the base h can be computed efficiently, then DLOG w.r.t the base g can be computed: 1. compute a, b: h a = g, h b = y 2. g ba 1 = (h a ) ba 1 = h b = y, where the inverse is computed mod n since g, h are generators, the inverse a 1 mod n must exist For some constructions, e.g. ElGamal digital signature scheme, it is important to choose the generator carefully (there are strong and weak ones)! DLOG and related cryptosystems 7 / 26,

How to choose a generator of (Z p, ) generator of (Z p, ) assume p = 2q + 1 for a prime number q (p is called a safe prime) Z p = p 1, thus any element has order in {1, 2, q, p 1} there are ϕ(p 1) = ϕ(2)ϕ(q) = q 1 generators the probability of a random element being a generator is (q 1)/(p 1) = (q 1)/(2q) 50% testing: g {1, 1} is a generator g q mod p 1 generator of a subgroup assume a prime q (p 1) choose random h and compute g = h (p 1)/q mod p; if g = 1 choose again trivially g q 1 (mod p) (FLT), so we have ord(g) q since ord(g) > 1, it follows ord(g) = q useful for working in smaller subgroup (shorter exponents are used) DLOG and related cryptosystems 8 / 26,

Security of the last bit(s) of DLOG in (Z p, ) let g be a generator of (Z p, ) we can write p = 2 s t + 1 for s 1 and some odd t input: y Z p let x be the DLOG of y, i.e. g x mod p = y we use the binary representation of x = (x l x 1 x 0 ) 2 = 2 l x l + + 2x 1 + x 0 compute: y (p 1)/2 g x(p 1)/2 g x 0(p 1)/2 x 0 can be found { 1 if x 0 = 0 1 if x 0 = 1 (mod p) DLOG and related cryptosystems 9 / 26,

...cont. we can continue for s bits let us assume that x 0,, x i 1 are known (i < s) compute (mod p): (y g (x 0+ +2 i 1 x i 1 ) ) (p 1)/2 i+1 g (2i x i + +2 l x l )(p 1)/2 i+1 g x i(p 1)/2 { 1 if x i = 0 1 if x i = 1 cannot be extended for more than s bits we can limit the damage to a single bit by choosing a safe prime DLOG and related cryptosystems 10 / 26,

ElGamal encryption scheme ElGamal (1985) example: originally, a default algorithm in GPG (still an option for public-key encryption in GPG) variants exists (what (sub)groups are used) Initialization: 1. choose a large random prime p, and a generator g of (Z p, ) 2. choose a random x {1,, p 2} 3. y = g x mod p public key: y, p, g (the values p, g can be shared) private key: x DLOG and related cryptosystems 11 / 26,

ElGamal encryption and decryption Encryption (plaintext m Z p): (r, s) = (g k mod p, y k m mod p), for random k Z p 1 Decryption (ciphertext (r, s), computation mod p): s r x = y k m r x = g xk g xk m = m encryption: two exponentiations; decryption: single exponentiation r = g k and y k can be precomputed randomized encryption: 1 plaintext maps to approx. p ciphertexts security of the private key: DLOG problem knowledge of k allows to decrypt without x: s y k = m computing k from r: DLOG problem DLOG and related cryptosystems 12 / 26,

Remarks Reusing k: m 1 (r, s 1 ), m 2 (r, s 2 ), we can compute s 1 /s 2 = m 1 /m 2 Homomorphic property: encryptions of two plaintexts m 1, m 2 : m 1 (r 1, s 1 ) = (g k 1, y k1 m 1 ), m 2 (r 2, s 2 ) = (g k 2, y k2 m 2 ) multiplying the ciphertexts: (r 1 r 2, s 1 s 2 ) = (g k 1+k 2, y k 1+k2 (m 1 m 2 )) Simple malleability: (r, s) (r, s m ) changes the plaintext from m to m m Blinding (CCA): access to a CCA oracle How to decrypt (r, s) if the oracle won t decrypt this message? use (rg c, sy c m ) for a random value c and m after decryption we get a message m m, so m can be recovered easily DLOG and related cryptosystems 13 / 26,

ElGamal security and CDH Computational Diffie-Hellman problem (CDH): compute g ab given g, g a, g b for random generator g, and random a, b DLOG CDH (opposite direction is open in general) ElGamal decryption without the private key CDH use CDH to compute g xk from r = g k and y = g x ; then the plaintext can be computed: m = s (g xk ) 1 input: g a, g b set y = (g a ) 1, r = g b and s = g c for a random c use the decryption oracle for y and (r, s) to get the value m = s r a = g c+ab finally, divide m by s: m s 1 = g c+ab g c = g ab DLOG and related cryptosystems 14 / 26,

Semantic insecurity of ElGamal we can test the parity of k (it is the last bit of discrete logarithm of r) another view: for a generator g we have r QR p k is even for even k: s QR p for odd k: m QR p if y QR p : s QR p m QR p if y QNR p : s QR p m QNR p we can compute something about m from the ciphertext and y how to achieve semantic security: use a subgroup QR p for a safe prime p = 2q + 1 (or a general cyclic group of some prime order) and assume the hardness of a DDH problem in this group DDH (Decisional Diffie-Hellman) problem: efficiently distinguish triplets (g a, g b, g ab ) and (g a, g b, g c ) where c is random there are groups where CDH seems to be hard and DDH is easy (e.g. (Z p, ), elliptic-curve groups with pairing) DLOG and related cryptosystems 15 / 26,

Some variants of ElGamal scheme ElGamal in a general cyclic group: G = q (for prime q) with generator g private key: x Z q; public key y = g x encryption of m G: (r, s) = (g k, m y k ) for random k Z q decryption of (r, s): s r x = m y k g kx = m ElGamal with a hash function: overcoming the group encoding problem (m G) encryption m {0, 1} l : (r, s) = (g k, m H(y k )) for random k Z q and suitable H and l security depends on CDH and properties of H still malleable DLOG and related cryptosystems 16 / 26,

Cramer Shoup scheme group G, G = q for a prime q H cryptographic hash function (outputs from Z q ) generators g 1, g 2 G private key: random x 1, x 2, y 1, y 2, z 1, z 2 Z q public key: g 1, g 2, h = g x 1 1 gx 2 2, c = gy 1 1 gy 2 2, d = gz 1 1 gz 2 2 Encryption (m G): (u 1, u 2, w, π) = (g1 r, gr 2, hr m, (cd α ) r ), where α = H(g1 r gr 2 hr m), and r is a random element from Z q Decryption of a ciphertext (u 1, u 2, w, π): 1. α = H(u v w) 2. if u y 1+α z 1 1 u y 2+α z 2 2 π then reject: invalid ciphertext 3. compute w/(u x 1 1 ux 2 2 ) = hr m/(g x 1r 1 g x 2r 2 ) = (g x 1 1 gx 2 2 )r m/(g x 1r 1 g x 2r 2 ) = m π is a non-interactive proof that log g1 u 1 = log g2 u 2 DLOG and related cryptosystems 17 / 26,

Cramer Shoup scheme (2) IND-CCA2 secure scheme assumptions: DDH and H is collision resistant hash function DLOG and related cryptosystems 18 / 26,

Elliptic curves introduction we start with elliptic curves over real numbers Weierstrass equation (a, b R): y 2 = x 3 + ax + b we are interested in non-singular curves, i.e. 4a 3 + 27b 2 0 non-singular x 3 + ax + b has no repeated roots points: E = {(x, y) y 2 = x 3 + ax + b} {0}, where 0 is an identity element (point in infinity) group (E, +) uses a commutative addition : notation: P = (x P, y P ), P = (x P, y P ) P + P = 0 P + P = R = (x R, y R ) such that the line PR is a tangent in P P + Q = R = (x R, y R ) such that R, P and Q are collinear DLOG and related cryptosystems 19 / 26,

Elliptic curves addition formulas P = (x P, y P ), Q = (x Q, y Q ) case 1: P + ( P) = (x P, y P ) + (x P, y P ) = 0 case 2 and case 3: P + Q = (x R, y R ) x R = λ 2 x P x Q y R = λ(x P x R ) y P λ = { (3x 2 P + a)(2y P) 1 P = Q (y Q y P )(x Q x P ) 1 x P x Q DLOG and related cryptosystems 20 / 26,

Elliptic curves over finite field GF(p) = (Z p, +, ), for prime p > 3 other finite fields can be used, e.g. GF(2 n ), with different forms, conditions and addition formulas E = {(x, y) y 2 = x 3 + ax + b mod p} {0}, for a, b Z p satisfying 4a 3 + 27b 2 0 (mod p) addition of points still works (mod p), i.e. (E, +) is an abelian group no geometric interpretation anymore Hasse s theorem: E p 1 2 p counting the exact number of points: Schoof s algorithm with O(log 5 p) operations in Z p or improved version Schoof-Elkies-Atkin algorithm with O(log 4 p) operations in Z p remark: a point P = (x P, y P ) can be uniquely represented by x P and the sign of y P DLOG and related cryptosystems 21 / 26,

Real world examples (1): NIST P-256 curve prime: p = 2 256 2 224 + 2 192 + 2 96 1 the curve: y 2 = x 3 3x+ number of points (prime): 41058363725152142129326129780047268409 114441015993725554835256314039467401291 11579208921035624876269744694940757352999 6955224135760342422259061068512044369 DLOG and related cryptosystems 22 / 26,

Real world examples (2): NIST P-384 curve prime: p = 2 384 2 128 2 96 + 2 32 1 the curve: y 2 = x 3 3x+ number of points (prime): 275801935599597058778490118403890480930 569058563615685214287073019886892413098 60865136260764883745107765439761230575 3940200619639447921227904010014361380507973927046544666794 6905279627659399113263569398956308152294913554433653942643 required for TOP SECRET classification (NSA Suite B, 2015) critique: Failures in NIST s ECC standards (Bernstein, Lange, 2016) DLOG and related cryptosystems 23 / 26,

Real world examples (3): Curve25519 prime: p = 2 255 19 the curve: y 2 = x 3 + 486662x 2 + x number of points 8 p 1 for a prime p 1 = 2 252 + 27742317777372353535851937790883648493 Montgomery form (different addition formulas, it can be translated into Weierstrass form) non-standard curve used (along other curves) in various applications (OpenSSH, ios, TextSecure, etc.) DLOG and related cryptosystems 24 / 26,

DLOG in elliptic curve groups (E, +) elliptic curve group point P E kp = P + P + + P, for an integer k 0 } {{ } k DLOG: given a point kp, compute k CDH: given ap and bp, compute (ab)p DLOG and related cryptosystems 25 / 26,

EC version of ElGamal scheme (E, +) elliptic curve group G E generator of some subgroup of E, ord(g) = q (prime) private key: random x Z q public key: Y = xg Encryption (M E): (R, S) = (kg, ky + M) for random k Z q Decryption ((R, S) E E): S xr = (ky + M) xr = (kx)g + M (kx)g = M group encoding DLOG and related cryptosystems 26 / 26,

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback