Docstoc

離散對數密碼系統

Document Sample
離散對數密碼系統 Powered By Docstoc
					Cryptosystems Based on
  Discrete Logarithms




                         1
                             Outline
• [1] Discrete Logarithm Problem
• [2] Algorithms for Discrete Logarithm
   –   A trivial algorithm
   –   Shanks’ algorithm (Baby-step Giant-step)
   –   Pollard’s algorithm
   –   Pohlig-Hellman algorithm
   –   Adleman’s algorithm (the index calculus method)
• [3] Cryptosystems Based on Discrete Logarithm
   – Key distribution
   – Encryption
   – Digital signature

                                                         2
  [1] Discrete Logarithm Problem
• Let G be a finite multiplicative group (G, *).
  For an element α  having order n, define.
                     G
      <α> = {α i | i = 0, 1, 2, …, n-1}
  Then <α> is a subgroup of G, and <α> is cyclic of order n.

• Discrete logarithm problem
 Given    , find the unique integer a, 0  a  n - 1, s.t.
                     αa  β
 We will denote this integer a by log a β ;
 it is called the discretelogarithm of β.                         3
       Discrete Logarithm Problem

• Example 1
  G = Z*19 = { 1, 2, …, 18}
  n=18, generator g = 2
   i   1    2    3    4    5    6    7    8    9
  gi   2    4    8    16   13   7    14   9    18

       10   11   12   13   14   15   16   17   18
       17   15   11   3    6    12   5    10   1
  then log214 = 7
       log26 = 14
                                                    4
      Discrete Logarithm Problem

• Example 2

  In Z*11 = { 1, 2, …, 10}
  Let G= <3> ={1, 3, 9, 5, 4}, n=5,
  3 is not a generator of Z*11 but a generator of G.

  log35 = 3



                                                       5
        Discrete Logarithm Problem

• Example 3
  G=GF*(23) with irreducible poly. p(x) = x3 + x +1
  G=Zp*/p(x) = { 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 }
  n=7, generator g = x
   i      1      2       3      4          5          6      7
   gi     x      x2    x 1   x2  x   x2  x  1   x2  1   1


  then logx(x+1) = 3
       logx(x2+x+1) = 5
       logx(x2+1) = 6
                                                             6
       Discrete Logarithm Problem
• Example 4
  Let p
  =105354628039501697530461658293395873194887
  18149259134893426087342587178835751858673003
  86287737705577937382925873762451990450430661
  35085968269741025626827114728303489756321430
  02371663691740666159071764725494700831131071
  38189921280884003892629359
   NB: p = 158(2800 + 25) + 1 and has 807 bits.
• Find a   such that
                23   a
                          (mod p )
                                            7
[2] Algorithms for Discrete Logarithm

  •   A trivial algorithm
  •   Shanks’ algorithm (Baby-step giant-step)
  •   Pollard rho discrete log algorithm
  •   Pohlig-Hellman algorithm
  •   The index calculus method



                                                 8
               A trivial algorithm

• Discrete Logarithm Problem in Zp*
    given generator α (i.e. <α>= Zp*) and β in Zp* ,
   find a in Zp-1={0,1,…,p-2} s.t. β = αa mod p


• A trivial algorithm
   – Compute αi and test if β = αi
   – Time complexity O(p)




                                                       9
               Shanks’ algorithm

• Shanks’ algorithm (Baby-step giant-step) (1972)
   – Compute L1 = {(i, αmi), i = 0, 1, …, m-1}
             L2 = {(i, βα-i), i = 0, 1, …, m-1}

   – where m = ceiling((p-1) ½)
     Sort L1 and L2 with respect to the 2nd coordinate.
   – Find the same 2nd coordinate from L1 and L2, say,
     (q, αmq), (r, βα-r), to get αmq =βα-r.
     So β = αmq + r and a = mq+r.
   – Time complexity O(m log m) = O(p 1/2 log p)
   – Space complexity O(p 1/2)
                                                          10
Example 1
log215 mod 19 =?
 G = Z*19 = { 1, 2, …, 18}
α = 2, α-1 = 10, n = p-1 = 18, m = 5, αm = 13
 β = 15

L1: (i, αmi)    L2: (i, βα-i)
     (0, 1)         (0, 15)
    (1, 13)         (1, 17)     q=2
    (2, 17)         (2, 18)     r=1
    (3, 12)         (3, 9)      mq + r = 11
    (4, 4)          (4, 14)

   log215 mod 19 = 11                           11
Example 2
 log3525 mod 809 =?
 G = Z*809 = { 1, 2, …, 808} = <3>
  α = 3, α-1 = 10, n = p-1 = 808, m = 29, αm = 99
 β = 525

 L1: (i, αmi)    L2: (i, βα-i)
     (0, 1)       (0, 525)
     (1, 99)      (1, 175)
     (2, 93)      (2, 328)
     (3, 308)      (3, 379)
     (4, 559)      (4, 396)
     (5, 329)     (5, 132)
     (6, 211)     (6, 44)
     (7, 664)     (7, 554)
     (8, 207)     (8, 724)
     (9, 268)     (9, 511)
     (10, 644)    (10, 440)
     (11, 654)    (11, 686)
     (12, 26)     (12, 768)
                                                    12
L1: (i, αmi)    L2: (i, βα-i)
    (13, 147)        (13, 256)
    (14, 800)         (14, 355)
    (15, 727)        (15, 388)
    (16, 781)         (16, 399)
    (17, 464)         (17, 133)
    (18, 632)        (18, 314)
    (19, 275)        (19, 644)
    (20, 528)        (20, 754)
    (21, 496)        (21, 521)
    (22, 564)        (22, 713)
    (23, 15)         (23,777)
    (24, 676)        (24, 259)
    (25, 586)        (25, 356)
    (26, 575)        (26, 658)
    (27, 295)       (27, 489)
    (28, 81)        (28, 163)

   q = 10, r = 19, so mq + r = 29*10+19 mod 808 = 309

   and log3525 mod 809 = 309                            13
         Pollard rho DL algorithm

• Pollard rho discrete logarithm algorithm (1978)
  compute integers s and t such that  s   t
   – partition the group G into three roughly equal-sized set
     S1 , S2 and S3 . Let x0 = 1G and x0 is not in S2
                   xi    for xi  S1
          xi 1  xi 2    for xi  S 2
                    xi    for xi  S3

                Let xi   ai  bi

                                                            14
          ai  1(mod n)     for xi  S1
ai 1    2ai (mod n)      for xi  S 2
          ai              for xi  S3
         bi                for xi  S1
bi 1  2bi (mod n)       for xi  S 2
        bi  1(mod n)     for xi  S3


 where n = p-1 when G = Z*p


                                          15
                                                1
We should expect some integer i  3n 2 such that
xi  x2i , then this gives    (using Floyd' s algorithm)
                                 s      t


with s  ai  a2i (mod n)      t  b2i  bi (mod n)
If gcd(s, n)  1
                          1
    then compute s (mod n)
                                             log    s 1t (mod n).
                             1
    and we have    , so that
                             s t


If gcd(s, n)  d  1
   little work to do... (Omitted)

                                                               16
• Floyd’s cycle-finding algorithm:

  One starts with the pair (x1, x2), and iteratively
  computes (xi, x2i) from the previous (xi-1, x2i-2),
  until xm=x2m for some m. The expected running
  time of this method is O(n1/2).




                                                        17
• Pollard’s rho algorithm for discrete logarithms
   – INPUT: a generator α of a cyclic group G of prime order n,
     and β is an element of G
   – OUTPUT: log g a
       1. Set x0  1, a0  0, b0  0
       2. For i = 1, 2, …. Do the following:
            2.1 Use xi-1, ai-1, bi-1 to compute xi, ai, bi
                 Use x2i-2, a2i-2, b2i-2 to compute x2i, a2i, b2i
            2.2 if xi=x2i, then do the following
                    set r  bi – b2i
                    if gcd(r,n) ≠1 then return ‘failure’
                    else return r-1(a2i-ai) mod n
                                                              18
• Example:
  α= 2 is a generator of the subgroup G of Z383* of
  order n= 191.(in this case <α> = G ≠ Z383* )
  Suppose β = 228. Find log2228.
  Solution:
      Partition G into 3 subsets, let
             S1  {x  G | x  1 mod 3}
             S 2  {x  G | x  0 mod 3}
             S3  {x  G | x  2 mod 3}
                                                      19
i    xi    ai   bi   x2i   a2i   b2i
1    228   0    1    279   0     2
2    279   0    2    184   1     4
3    92    0    4    14    1     6
4    184   1    4    256   2     7
5    205   1    5    304   3     8
6    14    1    6    121   6     18
7    28    2    6    144   12    38
8    256   2    7    235   48    152
9    152   2    8    72    48    154
10   304   3    8    14    96    118
11   372   3    9    256   97    119
12   121   6    18   304   98    120
13   12    6    19   121   5     51
14   144   12   38   144   10    104   20
• Solution (continued):

  From the table, we have x14 = x28 = 144.
  Finally compute r = a14-a28 mod 191=125

       r-1 = 125-1 mod 191 = 136, and
       r-1(b28 - b14) mod 191 = 110.

  Hence, log2228 = 110.

                                             21
            Pohlig-Hellman algorithm

• Pohlig-Hellman algorithm (1978)
  If <α> is of order n and β in <α>
  then a = logαβ is determined (uniquely) mod n.
  Eg. If <α> = Zp* (i.e. α is a generator of Zp*),
       then n = p-1
  Let
                    n  p1 1 p2 2 ... pk k
                         c    c        c



   The idea of Pohlig-Hellman algorithm is that we can compute
   a mod pici for each i, then we compute a mod n by CRT (Chinese
   remainder theorem). (see Text for details)

                                                                    22
               The index calculus method

• The index calculus method (Suitable only for G=Zp*)

  (1st step)
  To find the discrete logarithms of the B primes in the factor base.
            {p1 , p 2 , ..., p B }.
  (2nd step)
  To compute the discrete logarithm of a desired element a,
  using the knowledge of the discrete logarithms of the elements
  in the factor base.

                                                                   23
• Example

  log59451 mod 10007=?
  Choose B={2, 3, 5, 7}. Of course log55=1.
  Use lucky exponents 4063, 5136, and 9865
   54063 mod 10007 = 42 = 2 * 3 * 7
   55136 mod 10007 = 54 = 2 * 33
   59865 mod 10007 = 189 = 33 * 7
  And we have three congruences:
    log52 + log53 + log57 = 4063 mod 10006
    log52 + 3 log53 = 5136 mod 10006
    3 log53 + log57 = 9865 mod 10006
                                              24
There happens to be a unique solution modulo 10006
  log52=6578, log53=6190, and log57=1301
Choose random exponent s = 7736 and try to calculate
    βαs = 9451*57736 mod 10007 = 8400
Since 8400 = 24*3*52*7 factors over B, we obtain


 log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006
          = (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006
          = 6057 mod 10006
                                                          25
[3] Cryptosystems based on DL

• Key Distribution
  – Diffie-Hellman, 1976
• Encryption
  – Massey-Omura cryptosystem, 1983
• Digital Signature
  – ElGamal, 1985



                                      26
Diffie-Hellman Key Exchange Algorithm
     • Global Public Elements
        – q : prime number
        – α: α< q and α is a primitive root of q

     • User A Key Generation
        – Select private XA : XA< q
        – Calculate public YA : YA= αXA mod q

     • User B Key Generation
        – Select private XB : XB< q
        – Calculate public YB : YB= αXB mod q

     • Generation of Secret Key by User A
        – K = (YB)XA mod q

     • Generation of Secret Key by User B
        – K = (YA)XB mod q                         27
    User A                         User B
Generate
  random XA < q ;
Calculate
  YA = αXA mod q     YA       Generate
                                random XB < q ;
                              Calculate
                                YB = αXB mod q
                     YB       Calculate
Calculate                        K = (YA)XB mod q
  K = (YB)XA mod q



         Diffie-Hellman Key Exchange
                                                    28
Massey-Omura for message transmission
• Parameters
  – q : prime number
  – e : a random private integer
          • 0 < e < q and gcd ( e, q-1) = 1
  – d : an inverse of e
          • d = e-1 mod q-1 , i.e., de≡1 mod q-1
  – M : a message to be encrypted and decrypted

• User A wants to send a message M to User B
  – User A : eA and dA are both private
  – User B : eB and dB are both private
                                                   29
    User A                        User B
1.Encryption(1)
                     C1
   C1 = M eA mod q           2.Encryption(2)
                                C2 = C1eB
                     C2            = M eAeB mod q
3.Encryption(3)
  C3 = C2dA
     = (M eAeB)dA    C3
     = M eB mod q            4. Decryption
                                 M = C3dB
                                   = M eBdB mod q



   Massey-Omura for message transmission
                                                    30
           ElGamal encryption scheme
• Parameters
  –   p : a large prime
  –   α: a generator in Zp*
  –   a : a private key, a  [1, p-1]
  –   c : a public key , β = αa (mod p)
  –   m : a message, m  [1, p-1]
  –   k : a random integer that is privately selected, k  [0, p-2]
  –   K = (p, α, a, β) : public key + private key
• Encryption
   eK(m, k)=(y1, y2)
      where y1 = αk mod p and y2=mβk mod p
• Decryption
   m = dK(y1, y2) = y2(y1a)-1 mod p
                                                               31
              ElGamal signature scheme
• 1985 ElGamal
• Parameters
   –   p : a large prime
   –   α: a generator in Zp*
   –   a : a private key, a [1, p-1]
   –
                             
       β : a public key , β = αa (mod p)
   –   m : a message to be signed , m [1, p-1]
   –
                                        
       k : a random integer that is privately selected, k       [0, p-2]
• Signature                                                 
   – r = αk mod p, where gcd( k, p-1 ) = 1
   – m = ks + ra mod (p-1)
   – ( m , (r,s) ) is sent to the verifier
• Verification
   – αm = rsβ r mod p
   – The signature (r,s) is accepted when the equality holds true.
                                                                           32

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:2
posted:5/21/2013
language:Unknown
pages:32