# 離散對數密碼系統

Document Sample

```					Cryptosystems Based on
Discrete Logarithms

1
Outline
• [1] Discrete Logarithm Problem
• [2] Algorithms for Discrete Logarithm
–   A trivial algorithm
–   Shanks’ algorithm (Baby-step Giant-step)
–   Pollard’s algorithm
–   Pohlig-Hellman algorithm
–   Adleman’s algorithm (the index calculus method)
• [3] Cryptosystems Based on Discrete Logarithm
– Key distribution
– Encryption
– Digital signature

2
[1] Discrete Logarithm Problem
• Let G be a finite multiplicative group (G, *).
For an element α  having order n, define.
G
<α> = {α i | i = 0, 1, 2, …, n-1}
Then <α> is a subgroup of G, and <α> is cyclic of order n.

• Discrete logarithm problem
Given    , find the unique integer a, 0  a  n - 1, s.t.
αa  β
We will denote this integer a by log a β ;
it is called the discretelogarithm of β.                         3
Discrete Logarithm Problem

• Example 1
G = Z*19 = { 1, 2, …, 18}
n=18, generator g = 2
i   1    2    3    4    5    6    7    8    9
gi   2    4    8    16   13   7    14   9    18

10   11   12   13   14   15   16   17   18
17   15   11   3    6    12   5    10   1
then log214 = 7
log26 = 14
4
Discrete Logarithm Problem

• Example 2

In Z*11 = { 1, 2, …, 10}
Let G= <3> ={1, 3, 9, 5, 4}, n=5,
3 is not a generator of Z*11 but a generator of G.

log35 = 3

5
Discrete Logarithm Problem

• Example 3
G=GF*(23) with irreducible poly. p(x) = x3 + x +1
G=Zp*/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }
n=7, generator g = x
i      1      2       3      4          5          6      7
gi     x      x2    x 1   x2  x   x2  x  1   x2  1   1

then logx(x+1) = 3
logx(x2+x+1) = 5
logx(x2+1) = 6
6
Discrete Logarithm Problem
• Example 4
Let p
=105354628039501697530461658293395873194887
18149259134893426087342587178835751858673003
86287737705577937382925873762451990450430661
35085968269741025626827114728303489756321430
02371663691740666159071764725494700831131071
38189921280884003892629359
NB: p = 158(2800 + 25) + 1 and has 807 bits.
• Find a   such that
23   a
(mod p )
7
[2] Algorithms for Discrete Logarithm

•   A trivial algorithm
•   Shanks’ algorithm (Baby-step giant-step)
•   Pollard rho discrete log algorithm
•   Pohlig-Hellman algorithm
•   The index calculus method

8
A trivial algorithm

• Discrete Logarithm Problem in Zp*
given generator α (i.e. <α>= Zp*) and β in Zp* ,
find a in Zp-1={0,1,…,p-2} s.t. β = αa mod p

• A trivial algorithm
– Compute αi and test if β = αi
– Time complexity O(p)

9
Shanks’ algorithm

• Shanks’ algorithm (Baby-step giant-step) (1972)
– Compute L1 = {(i, αmi), i = 0, 1, …, m-1}
L2 = {(i, βα-i), i = 0, 1, …, m-1}

– where m = ceiling((p-1) ½)
Sort L1 and L2 with respect to the 2nd coordinate.
– Find the same 2nd coordinate from L1 and L2, say,
(q, αmq), (r, βα-r), to get αmq =βα-r.
So β = αmq + r and a = mq+r.
– Time complexity O(m log m) = O(p 1/2 log p)
– Space complexity O(p 1/2)
10
Example 1
log215 mod 19 =?
G = Z*19 = { 1, 2, …, 18}
α = 2, α-1 = 10, n = p-1 = 18, m = 5, αm = 13
β = 15

L1: (i, αmi)    L2: (i, βα-i)
(0, 1)         (0, 15)
(1, 13)         (1, 17)     q=2
(2, 17)         (2, 18)     r=1
(3, 12)         (3, 9)      mq + r = 11
(4, 4)          (4, 14)

log215 mod 19 = 11                           11
Example 2
log3525 mod 809 =?
G = Z*809 = { 1, 2, …, 808} = <3>
α = 3, α-1 = 10, n = p-1 = 808, m = 29, αm = 99
β = 525

L1: (i, αmi)    L2: (i, βα-i)
(0, 1)       (0, 525)
(1, 99)      (1, 175)
(2, 93)      (2, 328)
(3, 308)      (3, 379)
(4, 559)      (4, 396)
(5, 329)     (5, 132)
(6, 211)     (6, 44)
(7, 664)     (7, 554)
(8, 207)     (8, 724)
(9, 268)     (9, 511)
(10, 644)    (10, 440)
(11, 654)    (11, 686)
(12, 26)     (12, 768)
12
L1: (i, αmi)    L2: (i, βα-i)
(13, 147)        (13, 256)
(14, 800)         (14, 355)
(15, 727)        (15, 388)
(16, 781)         (16, 399)
(17, 464)         (17, 133)
(18, 632)        (18, 314)
(19, 275)        (19, 644)
(20, 528)        (20, 754)
(21, 496)        (21, 521)
(22, 564)        (22, 713)
(23, 15)         (23,777)
(24, 676)        (24, 259)
(25, 586)        (25, 356)
(26, 575)        (26, 658)
(27, 295)       (27, 489)
(28, 81)        (28, 163)

q = 10, r = 19, so mq + r = 29*10+19 mod 808 = 309

and log3525 mod 809 = 309                            13
Pollard rho DL algorithm

• Pollard rho discrete logarithm algorithm (1978)
compute integers s and t such that  s   t
– partition the group G into three roughly equal-sized set
S1 , S2 and S3 . Let x0 = 1G and x0 is not in S2
 xi    for xi  S1
xi 1  xi 2    for xi  S 2
 xi    for xi  S3

Let xi   ai  bi

14
ai  1(mod n)     for xi  S1
ai 1    2ai (mod n)      for xi  S 2
ai              for xi  S3
bi                for xi  S1
bi 1  2bi (mod n)       for xi  S 2
bi  1(mod n)     for xi  S3

where n = p-1 when G = Z*p

15
1
We should expect some integer i  3n 2 such that
xi  x2i , then this gives    (using Floyd' s algorithm)
s      t

with s  ai  a2i (mod n)      t  b2i  bi (mod n)
If gcd(s, n)  1
1
then compute s (mod n)
log    s 1t (mod n).
1
and we have    , so that
s t

If gcd(s, n)  d  1
little work to do... (Omitted)

16
• Floyd’s cycle-finding algorithm:

One starts with the pair (x1, x2), and iteratively
computes (xi, x2i) from the previous (xi-1, x2i-2),
until xm=x2m for some m. The expected running
time of this method is O(n1/2).

17
• Pollard’s rho algorithm for discrete logarithms
– INPUT: a generator α of a cyclic group G of prime order n,
and β is an element of G
– OUTPUT: log g a
1. Set x0  1, a0  0, b0  0
2. For i = 1, 2, …. Do the following:
2.1 Use xi-1, ai-1, bi-1 to compute xi, ai, bi
Use x2i-2, a2i-2, b2i-2 to compute x2i, a2i, b2i
2.2 if xi=x2i, then do the following
set r  bi – b2i
if gcd(r,n) ≠1 then return ‘failure’
else return r-1(a2i-ai) mod n
18
• Example:
α= 2 is a generator of the subgroup G of Z383* of
order n= 191.(in this case <α> = G ≠ Z383* )
Suppose β = 228. Find log2228.
Solution:
Partition G into 3 subsets, let
S1  {x  G | x  1 mod 3}
S 2  {x  G | x  0 mod 3}
S3  {x  G | x  2 mod 3}
19
i    xi    ai   bi   x2i   a2i   b2i
1    228   0    1    279   0     2
2    279   0    2    184   1     4
3    92    0    4    14    1     6
4    184   1    4    256   2     7
5    205   1    5    304   3     8
6    14    1    6    121   6     18
7    28    2    6    144   12    38
8    256   2    7    235   48    152
9    152   2    8    72    48    154
10   304   3    8    14    96    118
11   372   3    9    256   97    119
12   121   6    18   304   98    120
13   12    6    19   121   5     51
14   144   12   38   144   10    104   20
• Solution (continued):

From the table, we have x14 = x28 = 144.
Finally compute r = a14-a28 mod 191=125

r-1 = 125-1 mod 191 = 136, and
r-1(b28 - b14) mod 191 = 110.

Hence, log2228 = 110.

21
Pohlig-Hellman algorithm

• Pohlig-Hellman algorithm (1978)
If <α> is of order n and β in <α>
then a = logαβ is determined (uniquely) mod n.
Eg. If <α> = Zp* (i.e. α is a generator of Zp*),
then n = p-1
Let
n  p1 1 p2 2 ... pk k
c    c        c

The idea of Pohlig-Hellman algorithm is that we can compute
a mod pici for each i, then we compute a mod n by CRT (Chinese
remainder theorem). (see Text for details)

22
The index calculus method

• The index calculus method (Suitable only for G=Zp*)

(1st step)
To find the discrete logarithms of the B primes in the factor base.
  {p1 , p 2 , ..., p B }.
(2nd step)
To compute the discrete logarithm of a desired element a,
using the knowledge of the discrete logarithms of the elements
in the factor base.

23
• Example

log59451 mod 10007=?
Choose B={2, 3, 5, 7}. Of course log55=1.
Use lucky exponents 4063, 5136, and 9865
54063 mod 10007 = 42 = 2 * 3 * 7
55136 mod 10007 = 54 = 2 * 33
59865 mod 10007 = 189 = 33 * 7
And we have three congruences:
log52 + log53 + log57 = 4063 mod 10006
log52 + 3 log53 = 5136 mod 10006
3 log53 + log57 = 9865 mod 10006
24
There happens to be a unique solution modulo 10006
log52=6578, log53=6190, and log57=1301
Choose random exponent s = 7736 and try to calculate
βαs = 9451*57736 mod 10007 = 8400
Since 8400 = 24*3*52*7 factors over B, we obtain

log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006
= (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006
= 6057 mod 10006
25
[3] Cryptosystems based on DL

• Key Distribution
– Diffie-Hellman, 1976
• Encryption
– Massey-Omura cryptosystem, 1983
• Digital Signature
– ElGamal, 1985

26
Diffie-Hellman Key Exchange Algorithm
• Global Public Elements
– q : prime number
– α: α< q and α is a primitive root of q

• User A Key Generation
– Select private XA : XA< q
– Calculate public YA : YA= αXA mod q

• User B Key Generation
– Select private XB : XB< q
– Calculate public YB : YB= αXB mod q

• Generation of Secret Key by User A
– K = (YB)XA mod q

• Generation of Secret Key by User B
– K = (YA)XB mod q                         27
User A                         User B
Generate
random XA < q ;
Calculate
YA = αXA mod q     YA       Generate
random XB < q ;
Calculate
YB = αXB mod q
YB       Calculate
Calculate                        K = (YA)XB mod q
K = (YB)XA mod q

Diffie-Hellman Key Exchange
28
Massey-Omura for message transmission
• Parameters
– q : prime number
– e : a random private integer
• 0 < e < q and gcd ( e, q-1) = 1
– d : an inverse of e
• d = e-1 mod q-1 , i.e., de≡1 mod q-1
– M : a message to be encrypted and decrypted

• User A wants to send a message M to User B
– User A : eA and dA are both private
– User B : eB and dB are both private
29
User A                        User B
1.Encryption(1)
C1
C1 = M eA mod q           2.Encryption(2)
C2 = C1eB
C2            = M eAeB mod q
3.Encryption(3)
C3 = C2dA
= (M eAeB)dA    C3
= M eB mod q            4. Decryption
M = C3dB
= M eBdB mod q

Massey-Omura for message transmission
30
ElGamal encryption scheme
• Parameters
–   p : a large prime
–   α: a generator in Zp*
–   a : a private key, a  [1, p-1]
–   c : a public key , β = αa (mod p)
–   m : a message, m  [1, p-1]
–   k : a random integer that is privately selected, k  [0, p-2]
–   K = (p, α, a, β) : public key + private key
• Encryption
eK(m, k)=(y1, y2)
where y1 = αk mod p and y2=mβk mod p
• Decryption
m = dK(y1, y2) = y2(y1a)-1 mod p
31
ElGamal signature scheme
• 1985 ElGamal
• Parameters
–   p : a large prime
–   α: a generator in Zp*
–   a : a private key, a [1, p-1]
–

β : a public key , β = αa (mod p)
–   m : a message to be signed , m [1, p-1]
–

k : a random integer that is privately selected, k       [0, p-2]
• Signature                                                 
– r = αk mod p, where gcd( k, p-1 ) = 1
– m = ks + ra mod (p-1)
– ( m , (r,s) ) is sent to the verifier
• Verification
– αm = rsβ r mod p
– The signature (r,s) is accepted when the equality holds true.
32

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 2 posted: 5/21/2013 language: Unknown pages: 32