Elgamal demonstration project on calculators TI-83+ Gerard Tel Utrecht University With results from Jos Roseboom and Meli Samikin

Workshop Elgamal 2 Overview of the lecture 1.History and background 2.Elgamal (Diffie Hellman) 3.Discrete Log: Pollard rho 4.Experimentation results 5.Structure of Function Graph: Cycles, Tails, Layers 6.Conclusions

Workshop Elgamal 3 1. History and background , lecture for school teachers about Elgamal , lecture with calculator demo Why Elgamal, not RSA? Functional property easy to show Security: rely on complexity Compare exponentiation and DLog

Workshop Elgamal 4 Programming Experiences Nuisances: –typing by selecting symbols –no subroutines: inline exponentiation –no local variables Limitation: arithmetic in 14 digits –Limit modulus to 7 digits

Workshop Elgamal 5 Math: Modular arithmetic Compute modulo prime p (95917) with 0, 1, … p-2, p-1 Generator g of order q (prime) (g is 29609, q is 7993) Rules of algebra are valid (g a ) k = (g k ) a Secure application: p has ~309 digits!!

Workshop Elgamal 6 Calculator TI-83, 83+, 84+ Grafical, 14 digit Programmable Generally available in VWO (pre- academic school type in the Netherlands) Cost 100 euro (free for me)

Workshop Elgamal 7 The Elgamal program Ceasar cipher (symmetric) Elgamal parameter and key generation Elgamal encryption and decryption Discrete Logarithm: Pollard Infeasible problem!! But doable for 7 digit modulus

Workshop Elgamal 8 2. Public Key codes The problem of Key Agreement: A and B are on two sides of a river They want to have common z Oscar is in a boat on the river Oscar must not know z Common parameters: p, q, g (Or: group with hard DLog problem)

Workshop Elgamal 9 Solution: Diffie-Hellman Alice takes random a, shouts b = g a Bob takes random k, shouts u = g k Alice computes z = u a = (g k ) a Bob computes z = b k = (g a ) k The two numbers are the same The difference in complexity for A&B and O is relevant

Workshop Elgamal 10 Parameter generation Hoofdmenu, parameters, Maak p,q,r Input limits on q and p Search for prime q from q-limit down Search for prime p from p-limit down among multiples of 2q + 1 Generator: try 100 (p-1)/q, 101 (p-1)/q, …

Workshop Elgamal 11 What does Oscar hear? Seen: 1.Public b = g a 2.Public u = g k Not computable: 1.Secret a, k 2.Common z This needs discrete logarithm Oscar sees the communication, but not the secrets

Workshop Elgamal 12 The Elgamal program In class use Program, explanation, slides on website Program extendible Booklet with ideas for experimenting, papers All in Dutch!

Workshop Elgamal Pollard Rho Algorithm Fixed p (modulus), g, q (order of g); H is set of powers of g Size of H is q Discrete Logarithm problem: –Given y in H –Return x st g x = y Pollard Rho: randomized, √q time

Workshop Elgamal 14 Pollard Rho: Representation Representation of z: z = y a.g b Two representations of same number reveil log y: If y a.g b = y c.g d, then y = g (b-d)/(c-a) Goal: find 2 representations of one number z (value does not matter)

Workshop Elgamal 15 Strategy: Birthday Theorem All values z = y a.g b are in H Birthday Theorem: In a random sequence, we expect a collision after √q steps Simulate effect of random sequence by pseudorandom function: z i+1 = f (z i ) (Keep representation of each z i )

Workshop Elgamal 16 Cycle detection Detect collision by storing previous values: too expensive Floyd cycle detection method: –Develop two sequences: z i and t i –Relation: t i = z 2i –Collision: t i = z i, i.e., z i = z 2i In each round, z “moves” one step and t moves two steps.

Workshop Elgamal Experimentation results pqxm12345Ave , , , Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger

Workshop Elgamal 18 Barbara, Jesse, Brigitte Verify Pollard rho analysis Use various values of p, q, y Clear dependence of time on q Ignoring 80, cor- relation to √q is overly exact. pqav. it

Workshop Elgamal 19 Dependence on y Run same p, q combination with different inputs y = g x Correspondence to √q again Not to x: the log of small power of g is no easier pqxtime

Workshop Elgamal 20 Surprise: individual numbers pqx Iterations: equal or have high common factor!

Workshop Elgamal 21 Observations Average number of iterations coincides well with √q Almost no variation within one row Is this a bug in the program?? –Bad randomization in calculator? –Or general property of Pollard Rho?

Workshop Elgamal Function graph Function f: z i -> z i+1 defines graph Out-degree 1, cycles with in-trees Length, component, size Graph is the same when algorithm is repeated with the same input Starting point differs As z i = z 2i, i must be multiple of cycle length

Workshop Elgamal 23 Layers in a component Layer of node: measure distance to cycle in terms of its length l: –Point z in cycle has layer 0 –Point z is in layer 1 if f (l) (z) in cycle –Point z is in layer c if f (c.l) (z) in cycle Lemma: z 0 in layer c gives c.l iter. Is there a dominant component or layer?

Workshop Elgamal 24 Layers 0 and 1 dominate Probability theory analysis by Meli Samikin Lemma: Pr(layer ≤ 1) = ½ Proof: Assume collision after k steps: z 0 -> z 1 -> … -> … -> z k-1 -> ?? Layer of z 0 is 0 if z k = z 0, Pr = 1/k Layer of z 0 is 1 if z k = z j < k/2, Pr ≈ 1/2

Workshop Elgamal 25 Dominant Component Lemma: Random z 0 and w 0, Pr(same component) > ½. Proof: First collision after k steps: z 0 -> z 1 -> … -> … -> z k-1 -> ?? w 0 -> w 1 -> … -> … -> w k-1 -> ?? Pr ( z meets other sequence ) = ½. Then, w-sequence may collide into z.

Workshop Elgamal 26 Experiments: dominance Jos Roseboom: count points in layers of each component ACS Experimentation Project, Fall 2007 Explicitly construct and measure function graphs

Workshop Elgamal 27 Size of largest component

Workshop Elgamal 28 Conclusions Elgamal + handcalculators = fun Functional requirements easier to explain than for RSA Security: experiment with DLog Pollard, only randomizes at start Iterations: random variable, but takes only limited values Most often: size of heaviest cycle

Workshop Elgamal 29 Rabbit Formula Ontsleutelen is: v delen door u a u (a1+a2) is: u a1.u a2 Deel eerst door u a1 en dan door u a2 Team 1: bereken v’ = Dec a1 (u, v) Team 2: bereken x = Dec a2 (u, v’)

Workshop Elgamal 30 Overzicht van formules Constanten: Priemgetal p, grondtal g Sleutelpaar: Secret a en Public b = g a Encryptie: (u, v) = (g k, x.b k )met b Decryptie: x = v/u a met a Prijsvraag: b = b 1 b 2. Ontsleutelen?