Computing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.

Similar documents
Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Discrete Logarithm Problem

One can use elliptic curves to factor integers, although probably not RSA moduli.

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Integer factorization, part 1: the Q sieve. D. J. Bernstein

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

CPSC 467: Cryptography and Computer Security

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

Lecture 6: Cryptanalysis of public-key algorithms.,

Chapter 4 Finite Fields

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Fixed points for discrete logarithms

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Public-key Cryptography and elliptic curves

Basic Algorithms in Number Theory

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Public-key Cryptography and elliptic curves

Math 430 Midterm II Review Packet Spring 2018 SOLUTIONS TO PRACTICE PROBLEMS

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

10 Public Key Cryptography : RSA

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

a the relation arb is defined if and only if = 2 k, k

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Number Theory. Modular Arithmetic

ICS141: Discrete Mathematics for Computer Science I

Applied Cryptography and Computer Security CSE 664 Spring 2018

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Part I, Number Systems. CS131 Mathematics for Computer Scientists II Note 1 INTEGERS

Points of High Order on Elliptic Curves ECDSA

How long does it take to catch a wild kangaroo?

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright

Pollard s Rho Algorithm for Elliptic Curves

Projective space. There are some situations when this approach seems to break down; for example with an equation like f(x; y) =y 2 (x 3 5x +3) the lin

8 Elliptic Curve Cryptography

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Dixon s Factorization method

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

COMP4109 : Applied Cryptography

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Elliptic Curve Cryptography with Derive

D. J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven. Tanja Lange, Technische Universiteit Eindhoven

THE RSA ENCRYPTION SCHEME

CPSC 467b: Cryptography and Computer Security

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Practice Number Theory Problems

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

CHAPTER 3. Congruences. Congruence: definitions and properties

Elementary factoring algorithms

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Mathematics for Cryptography

Chapter 3 Basic Number Theory

LECTURE NOTES IN CRYPTOGRAPHY

Discrete Logarithm Computation in Hyperelliptic Function Fields

Number Theory Proof Portfolio

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Chapter 9 Factorisation and Discrete Logarithms Using a Factor Base

Cryptography IV: Asymmetric Ciphers

Integers and Division

Algorithmic Number Theory and Public-key Cryptography

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

Commutative Rings and Fields

CRYPTOGRAPHY AND NUMBER THEORY

Basic elements of number theory

Basic elements of number theory

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

11 Division Mod n, Linear Integer Equations, Random Numbers, The Fundamental Theorem of Arithmetic

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

Chapter 5. Number Theory. 5.1 Base b representations

18. Cyclotomic polynomials II

Computational Number Theory. Adam O Neill Based on

Homework #2 solutions Due: June 15, 2012

Number Theory Math 420 Silverman Exam #1 February 27, 2018

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Public-Key Cryptosystems CHAPTER 4

Introduction to Information Security

SOME AMAZING PROPERTIES OF THE FUNCTION f(x) = x 2 * David M. Goldschmidt University of California, Berkeley U.S.A.

Summation polynomials and the discrete logarithm problem on elliptic curves

Math 261 Spring 2014 Final Exam May 5, 2014

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

A quasi polynomial algorithm for discrete logarithm in small characteristic

Algorithms for Solving the Discrete Logarithm Problem

Part V. Chapter 19. Congruence of integers

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

MATH 361: NUMBER THEORY FOURTH LECTURE

Transcription:

Computing Discrete Logarithms Many cryptosystems could be broken if we could compute discrete logarithms quickly. The first discrete logarithm algorithms below apply in any group. They are about the best one can do in elliptic curve groups. The last algorithm depends on the idea of smoothness and solve the discrete logarithm problem only in the group R p, the integers modulo a prime p, where one can define smooth numbers. The index calculus is much faster than the methods of Shanks and Pollard. Hence, the group R p must be much larger than an elliptic curve group to achieve the same security. A rough rule of thumb is that R p with a 1024- bit prime p is about as safe as an elliptic curve modulo a 128-bit prime. 1

Consider first the congruence a x b mod p. By analogy to ordinary logarithms, we may write x = Log a b when p is understood from the context. These discrete logarithms enjoy many properties of ordinary logarithms, such as Log a bc = Log a b + Log a c, except that the arithmetic with logarithms must be done modulo p 1 because a p 1 1 mod p. Neglecting powers of log p, the congruence may be solved in O(p) time and O(1) space by raising a to successive powers modulo p and comparing each with b. It may also be solved in O(1) time and O(p) space by looking up x in a precomputed table of pairs (x, a x mod p), sorted by the second coordinate. We next explain an intermediate method which takes essentially O( p) time and O( p) space. 2

Shanks Baby-Step-Giant-Step Method Shanks baby-step-giant-step algorithm solves the congruence a x b mod p in O( p log p) time and O( p) space as follows. Let m = p 1. Compute and sort the m ordered pairs (j, a mj mod p), for j from 0 to m 1, by the second coordinate. Compute and sort the m ordered pairs (i, ba i mod p), for i from 0 to m 1, by the second coordinate. Find a pair (j, y) in the first list and a pair (i, y) in the second list. This search will succeed because every integer between 0 and p 1 can be written as a twodigit number ji in base m. Finally, x = mj + i mod p 1. 3

Example Let p = 23, a = 2 and h = 13. Find x = Log a h. We have m = p 1 = 22 = 5. Also, 2 m 2 5 32 9 (mod 23) and a 1 12 (mod 23). j 2 5j i 13 12 i 0 1 0 13 1 9 1 18 2 12 2 9 3 16 3 16 4 6 4 8 The value 9 appears for j = 1 and for i = 2, so x = Log 2 13 = mj + i = 5 1 + 2 = 7 (mod 22). Indeed, 2 7 13 (mod 23). Also, the value 16 appears for j = 3 and for i = 3, so x = Log 2 13 = mj + i = 5 3 + 3 = 18 (mod 22). Indeed, 2 18 13 (mod 23). Both 7 and 18 are correct. 4

Pollard s Methods In 1978, Pollard invented two methods for finding discrete logarithms analogous to his rho method for factoring integers. Like Shanks baby-step-giant-step algorithm, these algorithms work in any group and have complexity O( p), where p is the group order. However, their space requirements are tiny. We will describe the rho method for solving the congruence a x b mod p, where p is prime, although it works in any group. We are given a prime p > 3, a primitive root g modulo p and an element h of R p, the group of nonzero integers modulo p. We seek the x modulo p 1 for which g x h (mod p). The answer x may be written x = Log g h. 5

Define three sequences {x i }, {a i }, {b i } by x 0 = 1, a 0 = b 0 = 0 and if 0 < x i < p/3, then x i+1 = hx i mod p, a i+1 = 1+a i mod p 1 and b i+1 = b i mod p 1, if p/3 < x i < 2p/3, then x i+1 = x 2 i mod p, a i+1 = 2a i mod p 1 and b i+1 = 2b i mod p 1, and if 2p/3 < x i < p, then x i+1 = gx i mod p, a i+1 = a i mod p 1 and b i+1 = 1+b i mod p 1. A simple induction argument shows that x i h a ig b i (mod p). 6

The mapping x i x i+1 is a random mapping from R p to itself. By the birthday problem, after about p iterations of the mapping there will be a repeated value x i = x j. We can use the Floyd cycle-finding algorithm to find two repeated values by computing two iterates of the mapping in the same loop, with one instance running twice as fast as the other. This gives us a subscript e with x 2e = x e. 7

Now we have a congruence h a 2eg b 2e h ae g be (mod p). As we can easily find inverses modulo p, this leads at once to a congruence h m g n (mod p), where m a e a 2e (mod p 1) and n b 2e b e (mod p 1). We can rewrite this as mx mlog g h n (mod p 1). (1) Let d = gcd(m, p 1). We know that Congruence (1) must have a solution because g is a primitive root modulo p and p does not divide h. One of them is the answer x we seek. One can show that d is usually small, say, d = 1 or 2, so we can try all d solutions to Congruence (1) and find x. 8

Example Let p = 999959, g = 7 and h = 3. Find x = Log g h. At e = 1174 we have x e = x 2e = 11400, m = 310686 and n = 764000. Congruence (1) becomes 310686x 764000 (mod 999958). The extended Euclidean algorithm gives 2 = gcd(310686, 999958) = = 148845 310686 46246 999958, and we find that 3 2 7 356324 (mod p) and 3 ±7 178162. Since 3 is a quadratic residue modulo p and 1 is not, the plus sign is correct and x = Log g h = 178162. 9

In the setting of an elliptic curve group E, we are given two points P and Q, are told that Q = xp for some integer x, and must find x. The group is partitioned into three pieces of roughly equal size. The random mapping of E E takes a point X into X + P, X + X or X + Q, according to which piece of the group contains X. The initial value of the variable point X is the identity. The a i and b i are defined just as above. A repeated point yields an equation mq = np, which means that mx n (mod N), where N is the order of P in E. Since we know that Q = xp, this congruence must have a solution. 10

Pollard s Lambda Method We describe Pollard s lambda method in the general setting of groups. This method is also called the kangaroo method, since it employs two kangaroos to hop around in the group. Let G be a finite cyclic group with generator g and let h be an element of G. We seek the least positive integer x so that h = g x. Suppose we know that x lies in the interval a x < b. Pollard defined two kangaroos, a tame one T starting at t 0 = g b (the upper end point of the interval) and a wild one W starting at w 0 = h (an unknown point in the interval). Define d 0 (T ) = b, the initial distance of T from the origin. Let d 0 (W) = 0, the initial distance of W from h. 11

Let S = {g s 1,..., g s k} be a set of jumps. Let G be partitioned into k pieces and for each r G, let f(r), with 1 f(r) k, be the number of the piece to which r belongs. The exponents s i should be positive and small compared to b a. Pollard suggested that s i = 2 i might be good choices. Think of the s i as the lengths of the hops of the kangaroos. 12

Now let the two kangaroos hop around in the group G. The tame one T hops from t i to t i+1 = t i g s f(t i ) for i 0. Keep track of T s distance from the origin by computing d i+1 (T ) = d i (T ) + s f(ti ) for i 0. It follows that t i = g d i(t ) for i 0. After a while T stops and sets a trap at its final location, say t m. 13

Then the wild kangaroo hops along the path from w i to w i+1 = w i g s f(w i ) for i 0. Keep track of W s distance from the unknown starting position (the discrete logarithm of h) by computing d i+1 (W) = d i (W) + s f(wi ) for i 0. Then w i = g x+di(w) for i 0. After each hop, we check to see whether W has fallen into the trap by testing whether w i = t m. With a good choice of the parameters s i, it is highly likely that eventually w n = t m for some n. Then we have x = d m (T ) d n (W). 14

If we find that d n (W) > d m (T ), then W has passed the trap. In this case, we start a new wild kangaroo at w 0 = hg z for some small integer z > 0 and hope it falls into the trap. If the two kangaroos ever land on the same spot (w i = t j ), then their paths will coincide from that point on and W will be trapped. If you draw their paths going upwards, the paths will form the Greek letter lambda: λ. This is the reason for the name. The most important property of the jumps sizes s i is their average. Van Oorschot and Wiener have shown that if the mean value of the s i is about 2 1 b a and if T makes about 0.7 b a hops before setting the trap, the running time will be minimal. With these choices, W will hop about 2.7 b a times before getting trapped, which happens three-fourths of the time, or passing the trap. The space requirement is about O(log(b a)). 15

Example Let p = 31, g = 3 and h = 13. Find x = Log g h. Let k = 3, s 1 = 2, s 2 = 3, s 3 = 4, so S = {9, 27, 19}. Start the tame kangaroo at t 0 = 1 and let it set a trap after six hops: i f(i) d i (T ) t i 0 1 0 1 1 1 2 9 2 2 4 19 3 2 7 17 4 3 10 25 5 1 14 10 6 3 16 28 The wild kangaroo starts at w 0 = 13 and hops: i f(i) d i (W) w i 0 2 0 13 1 1 3 10 2 2 5 28 The wild kangaroo W is trapped and x = Log g h = d 6 (T ) d 2 (W) = 16 5 = 11. 16

Discrete Logarithms via Index Calculus There is a faster way to solve a x b (mod p) using a method similar to the integer factoring algorithm QS. It is called the index calculus method. If a x b (mod p), then we write x = Log a (b). Note that Log a (b) is an integer determined modulo p 1 because of Fermat s theorem: a p 1 1 (mod p). Log a (b) is called the discrete logarithm of b to base a. (The modulus p is usually supressed.) 17

Choose a finite set of primes p 1,..., p k, usually all primes B. Perform the following precomputation which depends on a and p but not on b. For many random values of x, try to factor a x mod p using the primes in the factor base. Save at least k + 20 of the factored residues: a x j k i=1 or equivalently p e ij i (mod p) for 1 j k + 20, x j k i=1 e ij Log a p i (mod p 1) for 1 j k+20. 18

Use linear algebra to solve for the Log a p i. When b is given, perform the following main computation to find Log a b. Try many random values for s until one is found for which ba s mod p can be factored using only the primes in the factor base. Write it as or ba s k i=1 p c i i (mod p) (Log a b) + s k i=1 c i Log a p i (mod p 1). Substitute the values of Log a p i found in the precomputation to get Log a b. 19

Using arguments like those for the running time of the quadratic sieve factoring algorithms, one can prove that the precomputation takes time ( ) exp 2 log p log log p, while the main computation takes time ( ) exp log p log log p. 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback