# Algorithmic Number Theory (Part III: Discrete Logarithm)

Document Sample

```					 Algorithmic Number Theory
(Part III: Discrete Logarithm)

1
Outline
• [1] Discrete Logarithm Problem
• [2] Algorithms for Discrete Logarithm
–   A trivial algorithm
–   Shanks’ algorithm
–   Pollard’s algorithm
–   Pohlig-Hellman algorithm
–   Adleman’s algorithm (the index calculus method)
• [3] Cryptosystems Based on Discrete Logarithm
– Key distribution
– Encryption
– Digital signature

2
[1] Discrete Logarithm Problem

• Let G is a finite cyclic group of size n generated by
generator g, i.e.
G = <g> = {g i | i = 1, 2, …, n}
or {g i | i = 0, 1, …, n-1}
– Given g and i, it is easy to compute gi by repeated squaring
– Discrete logarithm problem
Given         , find x such that
We denote

3
Discrete Logarithm Problem

• Example 1
G = Z*19 = { 1, 2, …, 18}
n=18, generator g = 2

then log214 = 7
log26 = 14
4
Discrete Logarithm Problem

• Example 2

In Z*11 = { 1, 2, …, 10}
Let G= <3> ={1, 3, 9, 5, 4}, n=5,
3 is not a generator of Z*11 but a generator of G.

log35 = 3

5
Discrete Logarithm Problem

• Example 3
G=GF*(23) with irreducible poly. p(x) = x3 + x +1
G=Z*p/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }
n=7, generator g = x

then logx(x+1) = 3
logx(x2+x+1) = 5
logx(x2+1) = 6
6
[2] Algorithms for Discrete Logarithm

•   A trivial algorithm
•   Shanks’ algorithm (Baby-step giant-step)
•   Pollard rho discrete log algorithm
•   Pohlig-Hellman algorithm
•   The index calculus method

7
A trivial algorithm

• Discrete Logarithm Problem in Z*p
given generator g and a in Z*p,
find x in Zp-1 such that a = gx mod p
• A trivial algorithm
– Compute gi for all i
– Search table for a
– Time complexity O(p)

8
Shanks’ algorithm

• Shanks’ algorithm (1972)
– Compute L1 = {(i, gmi), i = 0, 1, …, m-1}
L2 = {(i, ag-i), i = 0, 1, …, m-1}

– where m = ceiling((p-1) ½)
Sort L1 and L2 with respect to the 2nd coordinate.
– Find the same 2nd coordinate from L1 and L2, say,
(q, gmq), (r, ag-r), to get gmq =ag-r.
So a = gmq + r and x=mq+r.
– Time complexity O(mlogm) = O(p 1/2 logp)
– Space complexity O(p 1/2)
9
Example

log215 mod 19 =?
G = Z*19 = { 1, 2, …, 18}
g = 2, g-1 = 10, n=p-1 = 18, m = 5, gm = 13
a = 15

L1: (i, gmi)     L2: (i, ag-i)
(0, 1)     (0, 15)
(1, 13)    (1, 17)         q=2
(2, 17)    (2, 18)         r=1
(3, 12)    (3, 9)          mq + r = 11
(4, 4)     (4, 14)

log215 mod 19 = 11
10
Pollard rho DL algorithm

• Pollard rho discrete logarithm algorithm (1978)
compute integers s and t such that
– partition the group G into three roughly equal-sized set
S1 , S2 and S3 . Let x0=1G and x0 is not in S2

11
where n = p-1 when G = Z*p

12
•
We should expect some integer         such that
, then this gives
with
If
then compute
and we have            , so that
If
little work to do... (Omitted)

13
• Floyd’s cycle-finding algorithm:

One starts with the pair (x1, x2), and iteratively
computes (xi, x2i) from the previous (xi-1, x2i-2),
until xm=x2m for some m. The expected running
time of this method is O(n1/2).

14
• Pollard’s rho algorithm for discrete logarithms
– INPUT: a generator g of a cyclic group G of prime order n,
and a is an element of G
– OUTPUT:
1. Set x0  1, a0  0, b0  0
2. For I = 1, 2, …. Do the following:
2.1 Use xi-1, ai-1, bi-1 to compute xi, ai, bi
Use x2i-2, a2i-2, b2i-2 to compute x2i, a2i, b2i
2.2 if xi=x2i, then do the following
set s  ai – a2i
if s=0 then return ‘failure’
else return s-1(b2i – bi) mod n
15
• Example:
g= 2 is a generator of the subgroup G of Z383* of
order n= 191. Suppose a = 228.
Find log2228.
Solution:
Partition G into 3 subsets, let

16
i    xi    ai   bi   x2i   a2i   b2i
1    228   1    0    279   2     0
2    279   2    0    184   4     1
3    92    4    0    14    6     1
4    184   4    1    256   7     2
5    205   5    1    304   8     3
6    14    6    1    121   18    6
7    28    6    2    144   38    12
8    256   7    2    235   152   48
9    152   8    2    72    154   48
10   304   8    3    14    118   96
11   372   9    3    256   119   97
12   121   18   6    304   120   98
13   12    19   6    121   51    5
14   144   38   12   144   104   10    17
• Solution (continued):

From the table, we have x14 = x28 = 144.
Finally compute s = a14-a28 mod 191=125

s-1 = 125-1 mod 191 = 136, and
s-1(b14-b28) mod 191 = 110.

Hence, log2228 = 110.

18
Pohlig-Hellman algorithm
• Pohlig-Hellman algorithm (1978)
(DLP: find m s.t. αm = c mod q)
Suitable for q-1 containing only small prime divisors
Assume m is the discrete logarithm of c (i.e. c = αm )
• Base case : If q-1 = 2n and
because αq-1 = 1
hence

….
So we can compute m

19
• General case :

Let m(i) = m (mod pini)
then apply the Chinese Remainder Theorem,
we can compute m.

How to compute m(i) ? (similar to the base case,
see next page)

20
Algorithms for Discrete Logarithm
Let

then

…..

So we can compute m(i) and then apply CRT to get m
– Time complexity: O((log2q)2) + factoring q-1

21
The index calculus method

• The index calculus method (Suitable only for G=Zp*)

22
• Example

log59451 mod 10007=?
Choose B={2, 3, 5, 7}. Of course log55=1.
Use = 9865 mod 10006
lucky exponents 4063, 5136, and 9865
54063 mod 10007 = 42 = 2 * 3 * 7
55136 mod 10007 = 54 = 2 * 33
59865 mod 10007 = 189 = 33 * 7
And we have three congruences:
log52 + log53 + log57 = 4063 mod 10006
log52 + 3 log53 = 5136 mod 10006
3 log53 + log57 = 9865 mod 10006
23
There happens to be a unique solution modulo 10006
log52=6578, log53=6190, and log57=1301
Choose random exponent s = 7736 and try to calculate
ags = 9451*57736 mod 10007 = 8400
Since 8400 = 24*3*52*7 factors over B, we obtain

log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006
= (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006
= 6057 mod 10006
24
Cryptosystems based on DL

• Key Distribution
– Diffie-Hellman, 1976
• Encryption
– Massey-Omura cryptosystem, 1983
• Digital Signature
– ElGamal, 1985
– DSA(Digital Signature Algorithm), 1992

25
Diffie-Hellman Key Exchange Algorithm
• Global Public Elements
– q : prime number
– α: α< q and α is a primitive root of q

• User A Key Generation
– Select private XA : XA< q
– Calculate public YA : YA= αXA mod q

• User B Key Generation
– Select private XB : XB< q
– Calculate public YB : YB= αXB mod q

• Generation of Secret Key by User A
– K = (YB)XA mod q

• Generation of Secret Key by User B
– K = (YA)XB mod q                         26
User A                         User B
Generate
random XA < q ;
Calculate
YA = αXA mod q     YA       Generate
random XB < q ;
Calculate
YB = αXB mod q
YB       Calculate
Calculate                        K = (YA)XB mod q
K = (YB)XA mod q

Diffie-Hellman Key Exchange
27
Massey-Omura for message transmission
• Parameters
– q : prime number
– e : a random private integer
• 0 < e < q and gcd ( e, q-1) = 1
– d : an inverse of e
• d = e-1 mod q-1 , i.e., de≡1 mod q-1
– M : a message to be encrypted and decrypted

• User A wants to send a message M to User B
– User A : eA and dA are both private
– User B : eB and dB are both private
28
User A                        User B
1.Encryption(1)
C1
C1 = M eA mod q           2.Encryption(2)
C2 = C1eB
C2            = M eAeB mod q
3.Encryption(3)
C3 = C2dA
= (M eAeB)dA    C3
= M eB mod q            4. Decryption
M = C3dB
= M eBdB mod q

Massey-Omura for message transmission
29
ElGamal encryption scheme
• Parameters
–   p : a large prime
–   α: a primitive number in GF(p)
–   a : a private key, a [1, p-1]
–   β : a public key , β = αa (mod p)
–   m : a message to be signed , m [1, p-1]
–   k : a random integer that is privately selected, k   [0, p-2]
–   K = (p, α, a, β) : public key + private key
• Encryption
eK(m, k)=(y1, y2)
where y1 = αk mod p and y2=mβk mod p
• Decryption
m = dK(y1, y2) = y2(y1a)-1 mod p
30
ElGamal signature scheme
• 1985 ElGamal
• Parameters
–   p : a large prime
–   α: a primitive number in GF(p)
–   x : a private key, x [1, p-1]
–   y : a public key , y = αx (mod p)
–   m : a message to be signed , m [1, p-1]
–   k : a random integer that is privately selected, k   [0, p-2]
• Signature
– r = αk mod p
– m = ks + rx mod φ(p) ,where GCD( k, φ(p) ) = 1
– ( m , (r,s) ) is sent to the verifier
• Verification
– αm = rs yr mod p
– The signature (r,s) is accepted when the equality holds true.     31
Digital Signature Algorithm (DSA)

• 1992 NIST
• Parameters
–   p : a large prime, 512 bits
–   q : a large prime, 160 bits , q | p-1
–   g : g = h p-1/q mod q , with h [1, p-1]
–   h : a one-way hash function
–   x : a private key, 0 < x < q
–   y : a public key , y = gx (mod p)

– m : a message to be signed , 0 < m < p
– k : a random integer that is privately selected, 0 < k < q
32
Digital Signature Algorithm (DSA)
• Signature
– r = (gk mod p) mod q
– s = k -1( h(m)+ rx) mod q ,where k-1 k = 1 mod q
– ( m , (r,s) ) is sent to the verifier

• Verification
–   check whether (r,s) [0,q] ; if not , (r,s) is not the signature
–   t = s -1 mod q
–   r’ = ( g h(m)t yrt mod p ) mod q
–   if r’ = r ,then (r,s) is the legal signature of message m

• Proof         g h(m)t yrt = (( g h(m)t yr )t mod p ) mod q
= (( g h(m)t (gx)r )t mod p ) mod q
= (( g h(m)+xr )t mod p ) mod q
= (( g h(m)+xr )s-1 mod p ) mod q
= ( gk mod q ) mod q
33
= r

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 51 posted: 11/23/2011 language: English pages: 33