Discrete Log ElGamal Cryptosystem


Discrete Log ElGamal Cryptosystem Discrete Log Algorithms: Shanks’, Pollard-Rho In Practice Diffie-Hellman Discrete Log CSCI284 Spring 2004 GWU

CS297-15: Electronic Voting CRN 86928 M 1530-1800 in 2020K 9 Send mail to jstanton@gwu.edu saying why you should be allowed to take the class. 4/11/2019 CS284/Spring04/GWU/Vora/RSA

Various Logistics
Project presentations on: 26th April, Monday, 6:10-7:40; 27th April, Tuesday, 6:10-7:40 (make-up day); and 28th April, Wednesday, 6:10-7:40 (another make-up day).
No office hours this coming Wed. Send email with questions on hw.

The ElGamal Cryptosystem is based on the Discrete Log problem:
Given a multiplicative group G, an element  G such that o() = n, and an element <>
Find the unique integer a, 0  a  n-1 such that a = 
a denoted as log
Not known to be doable in polynomial time; however, exponentiation is. Hence DL is a possible one-way function.

El Gamal Cryptosystem
Let p be a prime such that DL in Zp* is infeasible
Let  Zp* be a primitive element
P = Zp*, C = Zp* X Zp* and K = {(p, , a, ): =a (mod p)}
public key = (p, , ) and private key = a
For a secret random number k Zp-1:
eK(x, k) = (y1, y2)
y1 = k mod p
y2 = xk mod p
dK(y1, y2) = y2 (y1^a)^-1 mod p

Example
p = 2579
 = 2
a = 1391
Encrypt message: 2079
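The slide's example parameters run end to end, as an added example that is not part of the original slides. The names g and h for the base 2 and the public value, and all function names, are choices made here; the last function shows why the secret k has to be fresh for every message.

```python
import secrets

# Parameters from the slide's example. G and H are names chosen for this
# example: G is the base 2, H is the public value G^a mod p.
P, G, A = 2579, 2, 1391          # prime modulus, base, private key a
H = pow(G, A, P)

def encrypt(x, k, p=P, g=G, h=H):
    """Return (y1, y2) = (g^k mod p, x * h^k mod p) for the secret nonce k."""
    if not 1 <= x < p:
        raise ValueError("plaintext must be in Zp*")
    if not 1 <= k < p - 1:
        raise ValueError("nonce must be in 1..p-2")
    return pow(g, k, p), (x * pow(h, k, p)) % p

def decrypt(y1, y2, a=A, p=P):
    """Return y2 * (y1^a)^-1 mod p, the slide's decryption rule."""
    return (y2 * pow(pow(y1, a, p), -1, p)) % p

def fresh_nonce(p=P):
    """Uniform k in 1..p-2 drawn from the OS CSPRNG."""
    return 1 + secrets.randbelow(p - 2)

def second_plaintext_if_nonce_reused(c1, c2, known_x1, p=P):
    """Two ciphertexts with equal y1 were made with the same k; then
    x2 = x1 * y2' * y2^-1 mod p follows from one known plaintext.
    Returns None when the nonces differ."""
    (y1_a, y2_a), (y1_b, y2_b) = c1, c2
    if y1_a != y1_b:
        return None
    return (known_x1 * y2_b * pow(y2_a, -1, p)) % p
```
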

Solving Discrete Log: finding a such that a =  in group G
In O(n) steps – brute force, no storage
Precompute all possible values of i (n multiplications); quick sort (O(n log n)); binary search (O(log n)). Requires O(n) storage

Time/memory trade-off: Shanks’ Algorithm
SHANKS(G, n, , )
m  ceil(n)
for j 0 to m-1
    compute mj
list L1  sorted wrt second coordinate {(j, mj)}
for i 0 to m-1
    compute  -i
list L2  sorted wrt second coordinate {(i,  -i)}
Find (j, y)  L1 and (i, y)  L2 for some y
log  (mj + i) mod n

Proof of correctness? Complexity?

Example
p = 127
 = 3
a = 56
 = ?
n = 126
How will you find a using Shanks’?
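Shanks' algorithm from the slide above applied to this example's numbers, as an added example that is not part of the original slides. The names g (the base 3) and h (the target value) are chosen here, and a dictionary lookup stands in for the two sorted lists and the search for a common second coordinate.

```python
from math import isqrt

def shanks(g, h, n, p):
    """Return a in [0, n) with g^a = h (mod p), or None if h is not a power of g.

    n is the order of g modulo p. About sqrt(n) values are stored and about
    sqrt(n) lookups are made, the time/memory trade-off the slide names.
    """
    m = isqrt(n - 1) + 1                 # ceil(sqrt(n)) for n >= 1
    # First list: g^(m*j) for j = 0..m-1, stored as value -> j.
    step = pow(g, m, p)
    table, y = {}, 1
    for j in range(m):
        table.setdefault(y, j)
        y = (y * step) % p
    # Second list: h * g^(-i) for i = 0..m-1. A value present in both lists
    # means g^(m*j) = h * g^(-i), so the logarithm is m*j + i mod n.
    g_inv = pow(g, -1, p)
    y = h % p
    for i in range(m):
        if y in table:
            return (m * table[y] + i) % n
        y = (y * g_inv) % p
    return None

def slide_example():
    """p = 127, base 3, n = 126, secret a = 56: rebuild the target, then solve."""
    p, g, n, a = 127, 3, 126, 56
    h = pow(g, a, p)
    return shanks(g, h, n, p)
```

For the slide's values m is 12, and the match is found at j = 4, i = 8, since 56 = 12 * 4 + 8.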

Pollard-Rho Discrete Log
procedure f(x, a, b)
/* mimic random function, maintaining x = ab */
if xS1
    f  (.x, a, (b+1) mod n)
else if xS2
    f  (x^2, 2a mod n, 2b mod n)
else
    f  (.x, (a +1) mod n, b)
Return (f)

Pollard-Rho Discrete Log - main
POLLARD RHO DL (G, n, , )
/* partition such that (1, 0, 0)  S2 */
Define G = S1  S2  S3
(x1, a1, b1)  f(1, 0, 0)
while (xi, ai, bi)  (xj, aj, bj) for ji-1
    (xi+1, ai+1, bi+1)  f(xj, aj, bj)
/* (xi, ai, bi) = (xj, aj, bj) */
If gcd(bi-bj, n)  1
    Return (failure)
Else
    Return ((ai - aj)(bj - bi)^-1 mod n)

Correctness? Complexity?

Example: from text
p=809
 = 89
o() = 101
 = 618
Show that log = 49 using Pollard-Rho
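The two Pollard-Rho slides above run on this slide's numbers, as an added example rather than code from the original slides. The names g (the base 89) and h (the target 618), the partition by x mod 3, and the use of Floyd's two-pointer cycle detection to find the repeated x are choices made here.

```python
from math import gcd

def pollard_rho_dl(g, h, n, p):
    """Return the logarithm of h to base g modulo n, or None on failure.

    Every triple (x, a, b) satisfies x = g^a * h^b (mod p). n is the order
    of g and is assumed prime, as with n = 101 on the slide.
    """
    def f(x, a, b):
        r = x % 3
        if r == 1:                                   # S1: multiply by h
            return (h * x) % p, a, (b + 1) % n
        if r == 0:                                   # S2: square
            return (x * x) % p, (2 * a) % n, (2 * b) % n
        return (g * x) % p, (a + 1) % n, b           # S3: multiply by g

    # The start x = 1 falls in S1, so it is not in S2 (squaring 1 would stall).
    slow = f(1, 0, 0)                # position i
    fast = f(*slow)                  # position 2i
    while slow[0] != fast[0]:
        slow = f(*slow)
        fast = f(*f(*fast))
    (_, a1, b1), (_, a2, b2) = slow, fast
    # g^a1 * h^b1 = g^a2 * h^b2  gives  log = (a1 - a2) * (b2 - b1)^-1 mod n.
    d = (b2 - b1) % n
    if gcd(d, n) != 1:
        return None                  # degenerate collision, no unique answer
    return ((a1 - a2) * pow(d, -1, n)) % n

def slide_example():
    """p = 809, base 89 of order 101, target 618."""
    return pollard_rho_dl(89, 618, 101, 809)
```

With these choices the walk repeats at positions 10 and 20 with x = 422, giving (5 - 11)(15 - 11)^-1 mod 101 = 49.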

Practicalities
More efficient attacks possible unless elliptic curve DL, for which these efficient attacks are not known.
Modulus required for security: 2^160 with elliptic curves, 2^1880 without.
DL over elliptic curves very hot problem.

Diffie-Hellman Key Exchange
Protocol for exchanging secret key over public channel.
Select global parameters p, n and . p is prime and  is of order n in Zp*. These parameters are public and known to all.

Diffie-Hellman Key Exchange contd.
Alice privately selects random b and sends to Bob b mod p.
Bob privately selects random c and sends to Alice c mod p.
Alice and Bob privately compute bc mod p which is their shared secret.
An observer Oscar can compute bc if he knows either c or b or can solve the discrete log problem.
This is a key agreement protocol.

Diffie-Hellman problem
Given a multiplicative group G, an element G of order n and two elements ,   <>
Computational Diffie-Hellman: Find  such that log   log   log (mod n)
Equivalently, given b, and c find bc
Decision Diffie-Hellman: Given an additional   <>
Determine if log   log   log (mod n)
Equivalently, given b, c, and d determine if d  bc (mod n)

An attack
Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.
Mallory captures b and c in transmission and replaces with own b’ and c’.
Essentially runs two Diffie-Hellman’s. One with Alice and one with Bob.
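The key exchange and the substitution described on the last slides, as an added example that is not part of the original slides. It assumes the p, base and order from the Pollard-Rho example (the Diffie-Hellman slides give no numbers); the function names and the fingerprint comparison over an authentic channel are choices made here to show how the mismatch becomes visible to Alice and Bob.

```python
import hashlib

# Assumed public parameters: prime p, base g and its order n, taken from the
# page's Pollard-Rho example because the Diffie-Hellman slides list none.
P, G, N = 809, 89, 101

def public_value(exp):
    """g^exp mod p for a private exponent in 1..n-1."""
    if not 1 <= exp < N:
        raise ValueError("private exponent must be in 1..n-1")
    return pow(G, exp, P)

def shared(my_exp, their_pub):
    """Check the received value is a power of g other than 1, then derive."""
    if not 1 < their_pub < P or pow(their_pub, N, P) != 1:
        raise ValueError("received value is not an element of order n")
    return pow(their_pub, my_exp, P)

def fingerprint(secret):
    """Short digest of the secret, for comparison over an authentic channel."""
    return hashlib.sha256(secret.to_bytes(2, "big")).hexdigest()[:16]

def run_exchange(b, c, substituted=None):
    """Return (alice_key, bob_key) for private exponents b (Alice) and c (Bob).

    substituted=(b2, c2) models the 'An attack' slide: both public values
    are replaced in transit by values built from b2 and c2.
    """
    to_bob, to_alice = public_value(b), public_value(c)
    if substituted is not None:
        b2, c2 = substituted
        to_bob, to_alice = public_value(b2), public_value(c2)
    return shared(b, to_alice), shared(c, to_bob)

def exchange_is_consistent(alice_key, bob_key):
    """True when both ends derived the same secret."""
    return fingerprint(alice_key) == fingerprint(bob_key)
```

The substituted values pass the group-membership check in `shared`, so that check alone does not tell the parties who they are talking to; only the comparison of what each side derived does.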