Elgamal demonstration project on TI-83+ calculators
Gerard Tel, Utrecht University
With results from Jos Roseboom and Meli Samikin
Overview of the lecture
1. History and background
2. Elgamal (Diffie-Hellman)
3. Discrete log: Pollard rho
4. Experimentation results
5. Structure of the function graph: cycles, tails, layers
Conclusions
Workshop Elgamal
1. History and background
2003: lecture for school teachers about Elgamal
2006: lecture with calculator demo
Why Elgamal, not RSA?
The functional property is easy to show
Security relies on complexity: compare exponentiation (easy) with the discrete logarithm (hard)
Math: modular arithmetic
Compute modulo a prime p (e.g. 95917), with the residues 0, 1, …, p-2, p-1
Generator g of prime order q (q divides p-1)
The rules of algebra remain valid: (g^a)^k = (g^k)^a
In a secure application p has about 309 digits (1024 bits)!!
Calculator: TI-83, 83+, 84+
Graphical, 14 digits
Programmable
Generally available in VWO (pre-university secondary school in the Netherlands)
Cost 100 euro (free for me)
The Elgamal program
Caesar cipher (symmetric)
Elgamal parameter and key generation
Elgamal encryption and decryption
Discrete logarithm: Pollard rho
An infeasible problem in general, but doable for a 7-digit modulus
2. Public key codes
The problem of key agreement:
A and B are on the two sides of a river
They want to share a common secret z
Oscar is in a boat on the river and hears everything that is shouted across
Oscar must not learn z
Solution: Diffie-Hellman
Alice takes a random a and shouts b = g^a
Bob takes a random k and shouts u = g^k
Alice computes z = u^a = (g^k)^a
Bob computes z = b^k = (g^a)^k
The two numbers are the same
What matters is the difference in complexity between the work of A and B (exponentiation) and the work of Oscar (discrete logarithm)
What does Oscar hear?
Oscar sees the communication, but not the secrets
Seen: public b = g^a and public u = g^k
Not computable: secret a, secret k, common z
Recovering a from b (or k from u) is the discrete logarithm problem
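The exchange of the two slides above, as an added example that is not part of the workshop's TI-83+ program: both sides compute z with square-and-multiply, while Oscar, who only sees b and u, recovers a by trying every exponent. A counter on the modular multiplications makes the complexity gap the slide talks about visible. The parameters p = 971, q = 97, g = 53 are an assumption for a toy group (971 is prime, 97 divides 970, and 53 = 2^10 mod 971 has order 97).

```python
# Added example, not the workshop's calculator program.
# Assumed toy parameters: prime p = 971, g = 53 of prime order q = 97.
P, Q, G = 971, 97, 53


def modexp(base, exp, mod):
    """Right-to-left square-and-multiply. Returns (base^exp mod mod, multiplications)."""
    result, mults = 1, 0
    base %= mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
            mults += 1
        base = base * base % mod
        mults += 1
        exp >>= 1
    return result, mults


def dh_exchange(a, k):
    """Alice holds a, Bob holds k. Returns (b, u, z_alice, z_bob, total multiplications)."""
    b, w1 = modexp(G, a, P)        # Alice shouts b = g^a
    u, w2 = modexp(G, k, P)        # Bob shouts u = g^k
    z_alice, w3 = modexp(u, a, P)  # (g^k)^a
    z_bob, w4 = modexp(b, k, P)    # (g^a)^k
    return b, u, z_alice, z_bob, w1 + w2 + w3 + w4


def oscar_bruteforce(b):
    """Oscar sees b = g^a and tries a = 0, 1, 2, ... Returns (a, multiplications).
    Exponents live mod q, the order of g, so at most q - 1 multiplications."""
    cur = 1
    for a in range(Q):
        if cur == b:
            return a, a
        cur = cur * G % P
    return None, Q


def oscar_recover_z(b, u):
    """Once a is known, Oscar can do what Alice does: z = u^a."""
    a, _ = oscar_bruteforce(b)
    return modexp(u, a, P)[0]


if __name__ == "__main__":
    b, u, za, zb, work = dh_exchange(80, 33)
    a_found, steps = oscar_bruteforce(b)
    print("z agrees:", za == zb, "| Alice+Bob multiplications:", work,
          "| Oscar multiplications:", steps, "| Oscar's z correct:", oscar_recover_z(b, u) == za)
```

At this size Oscar wins easily: the exhaustive search costs about a multiplications against roughly 2·log2(a) per exponentiation. Only when q grows to the sizes of the "secure application" slide does the gap between 2·log2(q) and q (or √q for Pollard rho, later in the lecture) become the security margin.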
The Elgamal program
For use in class
Program, explanation and slides on the website
The program is extensible
Booklet with ideas for experimenting, papers (all in Dutch!)
http://people.cs.uu.nl/gerard/Cryptografie/Elgamal/
3. Pollard rho algorithm
Fixed p (modulus), g and q (order of g); G is the set of powers of g
Discrete logarithm problem: given y in G, return x such that g^x = y
Pollard rho: randomized, about √q steps expected (exhaustive search needs up to q)
Pollard rho: representation
Every value z is kept together with a representation z = y^a · g^b
Two different representations of the same number reveal log y:
if y^a · g^b = y^c · g^d with a ≠ c (mod q), then y = g^((b-d)/(c-a)), i.e. log y = (b-d) · (c-a)^(-1) mod q
Goal: find two representations of one number z (the value of z itself does not matter)
Strategy: birthday theorem
All values z = y^a · g^b lie in G, which has q elements
Birthday theorem: in a random sequence of elements of G we expect a collision after about √q steps
Simulate the effect of a random sequence with a pseudorandom function: z_(i+1) = f(z_i)
(Keep the representation (a, b) of each z_i and update it along with z; f must therefore be built from operations such as multiplying by y, multiplying by g and squaring)
Cycle detection
Detecting the collision by storing all previous values: too expensive
Floyd's cycle detection method: develop two sequences z_i and t_i with the relation t_i = z_(2i)
Collision: t_i = z_i, i.e. z_i = z_(2i)
In each round z "moves" one step and t moves two steps
The two representations of the colliding value are (a_i, b_i) and (a_(2i), b_(2i))
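The algorithm of the three slides above, as an added example that is not the workshop's calculator program: Pollard rho with Floyd's tortoise and hare, carrying the representation z = y^a · g^b along and solving for log y from the two representations of the meeting point. The pseudorandom step f is the usual three-way partition by z mod 3 (an assumption; the slides do not say which f the TI-83+ program uses). The parameters p = 971, q = 97, g = 53 are assumed (971 prime, 97 | 970, 53 = 2^10 mod 971 has order 97).

```python
# Added example, not the workshop's calculator program.
# Assumed toy parameters: prime p = 971, g = 53 of prime order q = 97.
P, Q, G = 971, 97, 53


def step(z, a, b, y):
    """One pseudorandom step z -> f(z), updating the representation z = y^a * g^b.
    Partition by z mod 3 (assumed choice of f)."""
    r = z % 3
    if r == 0:                                   # multiply by y
        return y * z % P, (a + 1) % Q, b
    if r == 1:                                   # square: both exponents double
        return z * z % P, 2 * a % Q, 2 * b % Q
    return G * z % P, a, (b + 1) % Q             # multiply by g


def pollard_rho(y, a0=1, b0=0):
    """Floyd's method from z0 = y^a0 * g^b0 (do not start at a0 = b0 = 0, i.e. z0 = 1).
    Returns (x or None, iterations i, meeting point z_i)."""
    z0 = pow(y, a0, P) * pow(G, b0, P) % P
    zi, ai, bi = z0, a0 % Q, b0 % Q              # tortoise: z_i
    ti, ci, di = z0, a0 % Q, b0 % Q              # hare: t_i = z_{2i}
    i = 0
    while True:
        zi, ai, bi = step(zi, ai, bi, y)
        ti, ci, di = step(ti, ci, di, y)
        ti, ci, di = step(ti, ci, di, y)
        i += 1
        if zi == ti:
            break
    # y^ai * g^bi = y^ci * g^di  =>  x * (ai - ci) = di - bi  (mod q)
    denom = (ai - ci) % Q
    if denom == 0:
        return None, i, zi                       # identical representations: no information
    x = (di - bi) * pow(denom, Q - 2, Q) % Q     # inverse mod prime q by Fermat
    return x, i, zi


def cycle_length(z, y):
    """Length of the cycle through z; z must lie on a cycle (a meeting point does)."""
    w, n = step(z, 0, 0, y)[0], 1
    while w != z:
        w, n = step(w, 0, 0, y)[0], n + 1
    return n


def dlog(y):
    """Retry with other starting points until a collision gives information."""
    for a0 in range(1, Q):
        for b0 in range(3):
            x, it, _ = pollard_rho(y, a0, b0)
            if x is not None and pow(G, x, P) == y:
                return x, it
    raise ValueError("no collision gave information")


if __name__ == "__main__":
    y = pow(G, 42, P)
    x, it, z = pollard_rho(y)
    print("x =", x, "after", it, "iterations; cycle length", cycle_length(z, y))
```

Two things to check when experimenting: the number of Floyd iterations is always a multiple of the cycle length through the meeting point, and a collision with identical representations (a ≡ c and b ≡ d mod q) yields nothing, so a real implementation must restart from a different z_0 as `dlog` does.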
4. Experimentation results
Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger
Number of Pollard rho iterations in five runs per parameter set (columns p, q, x, m, runs 1 to 5, average; the table is reproduced as extracted, some cells were lost and the last value of each row is the average):
p       q       x, m, runs 1-5, average
971     97      8 16 11.2
3989    997     114 10 30 60 15 39
39869   9967    117 53 104.2
                1144 192 65 141.2
999611  99961   335 11 6 683 680 340 476
Observations
The average number of iterations agrees well with √q
Almost no variation within one row
Is this a bug in the program? Bad randomization in the calculator? Or a general property of Pollard rho?
5. Function graph
The function f: z_i -> z_(i+1) defines a directed graph on G
Every node has out-degree 1, so each component is one cycle with trees hanging into it
Measures: cycle length, component, component size
The graph is the same when the algorithm is repeated with the same input (p, g, y); only the starting point z_0 differs
Since Floyd stops at the first i with z_i = z_(2i), i must be a multiple of the cycle length (and at least the length of the tail from z_0 to the cycle)
Layers in a component
The layer of a node measures its distance to the cycle in units of the cycle length l:
a point z on the cycle has layer 0
a point z is in layer 1 if f^(l)(z) is on the cycle
a point z is in layer c if f^(c·l)(z) is on the cycle (and f^((c-1)·l)(z) is not)
Lemma: a start z_0 in layer c ≥ 1 gives exactly c·l iterations (a start on the cycle itself gives l iterations)
Is there a dominant component or layer?
Layers 0 and 1 dominate
Probability-theoretic analysis by Meli Samikin
Lemma: Pr(layer ≤ 1) = ½
Proof sketch: assume the first collision happens after k steps, z_0 -> z_1 -> … -> z_(k-1) -> z_k = z_j for some j < k; the tail then has length j and the cycle length is l = k - j
The layer of z_0 is 0 if z_k = z_0 (j = 0), probability 1/k
The layer of z_0 is 1 if 0 < j ≤ k - j, i.e. j ≤ k/2; since j is (about) uniform on 0, …, k-1, the two cases together have probability ≈ ½
Dominant component
Lemma: for random z_0 and w_0, Pr(same component) > ½
Proof sketch: develop both sequences until the first collision, after k steps each:
z_0 -> z_1 -> … -> z_(k-1) -> ??
w_0 -> w_1 -> … -> w_(k-1) -> ??
With probability ½ the first collision of the z-sequence is with the other sequence, which puts z_0 and w_0 in the same component
If instead the z-sequence collides with itself, the w-sequence may still collide into the z-sequence later, so the probability exceeds ½
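The structure the four slides above describe can be computed exhaustively for a toy group. The following is an added example, not part of the workshop material: it builds the whole function graph of the Pollard rho step on G, classifies every node by component, tail length, cycle length and layer, and checks the lemma that a start in layer c costs c·l Floyd iterations. The step f is the three-way partition by z mod 3 (assumed), and p = 971, q = 97, g = 53 are assumed parameters (971 prime, 97 | 970, 53 has order 97).

```python
# Added example, not the workshop's calculator program.
# Assumed toy parameters: prime p = 971, g = 53 of prime order q = 97.
P, Q, G = 971, 97, 53


def f(z, y):
    """Pollard rho step on group elements only (representations are not needed here).
    Assumed partition by z mod 3: multiply by y / square / multiply by g."""
    r = z % 3
    if r == 0:
        return y * z % P
    if r == 1:
        return z * z % P
    return G * z % P


def function_graph(y):
    """Map every node of G to (component id, tail length, cycle length, layer)."""
    nodes = [pow(G, e, P) for e in range(Q)]        # all q elements of G
    succ = {z: f(z, y) for z in nodes}
    info, comp_id = {}, 0
    for start in nodes:
        if start in info:
            continue
        path, pos, z = [], {}, start
        while z not in info and z not in pos:        # walk until something known
            pos[z] = len(path)
            path.append(z)
            z = succ[z]
        if z in pos:                                 # closed a new cycle
            cyc_start = pos[z]
            l, cid = len(path) - cyc_start, comp_id
            comp_id += 1
            for j, w in enumerate(path):
                tail = max(0, cyc_start - j)
                info[w] = (cid, tail, l, -(-tail // l))      # layer = ceil(tail / l)
        else:                                        # ran into a classified node
            cid, tail0, l, _ = info[z]
            for j, w in enumerate(path):
                tail = tail0 + len(path) - j
                info[w] = (cid, tail, l, -(-tail // l))
    return info


def summary(y):
    """Per-component sizes, cycle lengths and layer counts; size of the largest component."""
    info, comps = function_graph(y), {}
    for cid, tail, l, layer in info.values():
        c = comps.setdefault(cid, {"size": 0, "cycle": l, "layers": {}})
        c["size"] += 1
        c["layers"][layer] = c["layers"].get(layer, 0) + 1
    largest = max(comps.values(), key=lambda c: c["size"])
    low = sum(1 for v in info.values() if v[3] <= 1)
    return {"components": comps, "largest_size": largest["size"],
            "largest_cycle": largest["cycle"], "frac_layer_le_1": low / Q}


def floyd_iterations(z0, y):
    """Iterations Floyd's method needs from z0 (slow pointer 1 step, fast pointer 2)."""
    a, b, i = z0, z0, 0
    while True:
        a, b, i = f(a, y), f(f(b, y), y), i + 1
        if a == b:
            return i


if __name__ == "__main__":
    y = pow(G, 42, P)
    s = summary(y)
    print("components:", len(s["components"]), "| largest:", s["largest_size"],
          "nodes with cycle", s["largest_cycle"], "| fraction in layer <= 1:", s["frac_layer_le_1"])
    for cid, c in s["components"].items():
        print(" component", cid, "size", c["size"], "cycle", c["cycle"], "layers", c["layers"])
```

Running this for several y (and for the other (p, q) pairs of the experiment table) shows directly why the iteration counts of one row hardly vary: a random z_0 falls into the largest component with high probability, mostly in layer 0 or 1, and then Floyd needs exactly the length of that component's cycle.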
Experiments: dominance
Jos Roseboom: counted the points in each layer of each component
(Plays in the national korfball team; World Champion 2007, November, Brno.)
Size of the largest component
Conclusions
Elgamal + hand calculators = fun
The functional requirements are easier to explain than for RSA
Security: experiment with the discrete logarithm
Pollard rho only randomizes at the start (the choice of z_0); the function graph itself is fixed
The number of iterations is a random variable, but it takes only a limited set of values (multiples of a cycle length)
Most often: the length of the heaviest cycle
Rabbit formula
Decrypting is: divide v by u^a
u^(a1 + a2) equals u^a1 · u^a2
So first divide by u^a1 and then by u^a2
Team 1: compute v' = Dec_a1(u, v)
Team 2: compute x = Dec_a2(u, v')
Overview of the formulas
Constants: prime p, base g
Key pair: secret a and public b = g^a
Encryption: (u, v) = (g^k, x · b^k), using b
Decryption: x = v / u^a, using a
Prize question: b = b1 · b2. How to decrypt?
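The formulas of the two slides above, together with the parameter and key generation listed under "The Elgamal program", as an added example that is not the workshop's TI-83+ program. It also answers the prize question with the rabbit formula: b = b1 · b2 means a = a1 + a2, so decryption can be split over two teams. Trial-division primality testing and the search for p = k·q + 1 are assumptions that only suit the toy sizes of the workshop; the check values p = 971, q = 97, g = 53 come from the experiment table.

```python
# Added example, not the workshop's calculator program.
import random


def is_prime(n):
    """Trial division; fine for the 7-digit moduli of the workshop only."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def make_params(q, k_min=2):
    """Smallest k >= k_min with p = k*q + 1 prime, and a g of order q in Z_p^*."""
    assert is_prime(q)
    k = k_min
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)     # g^q = h^(p-1) = 1, so g has order 1 or q
        if g != 1:
            return p, q, g
    raise ValueError("no generator found")


def keygen(p, q, g, a=None):
    """Secret a (random unless given, for reproducible demos), public b = g^a."""
    a = random.randrange(1, q) if a is None else a
    return a, pow(g, a, p)


def encrypt(p, q, g, b, x, k=None):
    """(u, v) = (g^k, x * b^k) for a message x in 1 .. p-1; fresh random k per message."""
    k = random.randrange(1, q) if k is None else k
    return pow(g, k, p), x * pow(b, k, p) % p


def decrypt(p, a, u, v):
    """x = v / u^a; division is multiplication by the inverse, u^(p-2) = u^-1 (Fermat)."""
    return v * pow(pow(u, a, p), p - 2, p) % p


def split_decrypt(p, a1, a2, u, v):
    """Rabbit formula: b = b1 * b2 = g^(a1 + a2), so divide by u^a1 and then by u^a2."""
    v_prime = decrypt(p, a1, u, v)      # team 1 holds a1
    return decrypt(p, a2, u, v_prime)   # team 2 holds a2


if __name__ == "__main__":
    p, q, g = make_params(97, k_min=10)    # gives p = 971, g = 53 as in the experiment table
    a1, b1 = keygen(p, q, g, 2)
    a2, b2 = keygen(p, q, g, 3)
    b = b1 * b2 % p                        # public key of the prize question
    u, v = encrypt(p, q, g, b, 42, k=7)
    print("params", (p, q, g), "| ciphertext", (u, v),
          "| direct", decrypt(p, a1 + a2, u, v), "| split", split_decrypt(p, a1, a2, u, v))
```

Note that the message must be a nonzero residue (x = 0 encrypts to v = 0 and is unrecoverable) and that k must be fresh for every message: reusing k with the same b gives two ciphertexts whose v-values differ only by the factor x1/x2, so a known message reveals another.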