Research on the Discrete Logarithm Problem
Wang Ping, Meng Xuemei
2003. 05. 18.


2 Content
Introduction
Mathematical Background
Definition of DLP
Methods Used Today to Compute DL
Future Work
Question & Answer

3 Introduction
DLP is the underlying one-way function for:
Diffie-Hellman key exchange.
DSA (digital signature algorithm).
ElGamal encryption/digital signature scheme.
Elliptic curve cryptosystems.
……
DLP is based on finite groups.

4 Mathematical Background: Groups
Definition: A group is a set G of elements together with a binary operation "∘" such that:
Closure: if a, b ∈ G then a ∘ b = c ∈ G.
Associativity: (a ∘ b) ∘ c = a ∘ (b ∘ c) for all a, b, c ∈ G.
Identity: there exists an identity element e ∈ G such that e ∘ a = a ∘ e = a for all a ∈ G.
Inverse: for all a ∈ G there exists an inverse element a^(-1) ∈ G such that a ∘ a^(-1) = e.

5 Mathematical Background: Inverses
Definition: Let a be a number. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m and write b = a^(-1) (mod m).
Theorem: a has an inverse mod m iff gcd(a, m) = 1.
Z_p*: the set of all invertible integers mod p: Z_p* = {i ∈ Z_p | gcd(i, p) = 1}.
Theorem: Z_p* forms a group under multiplication modulo p. The identity element is e = 1.

6 Mathematical Background: Example
Z_9* = {1, 2, 4, 5, 7, 8}
Multiplication table (* mod 9):
 *  | 1  2  4  5  7  8
----+-----------------
 1  | 1  2  4  5  7  8
 2  | 2  4  8  1  5  7
 4  | 4  8  7  2  1  5
 5  | 5  1  2  7  8  4
 7  | 7  5  1  8  4  2
 8  | 8  7  5  4  2  1
Note: from the multiplication table we can see that (Z_9*, * mod 9) is a group (every product is again in Z_9*, and every row contains the identity 1).

7 Mathematical Background: Example (cont.)
Group: G = (Z_9*, * mod 9)
Find the inverse of 7 in the group (Z_9*, * mod 9) through the Extended Euclidean Algorithm:
9 = 1 * 7 + 2  →  2 = 9 − 7
7 = 3 * 2 + 1  →  1 = 7 − 3 * 2 = 7 − 3 * (9 − 7) = 4 * 7 − 3 * 9
2 = 2 * 1 + 0
So we have: 1 = 4 * 7 − 3 * 9  →  4 * 7 mod 9 = 1
4 is the inverse of 7 mod 9.

8 Mathematical Background: Finite Groups
Definition: A group (G, ∘) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
Definition: The order of an element a ∈ G is the smallest positive integer n such that a ∘ a ∘ … ∘ a (n times) = a^n = e.
Definition: A group G which contains an element α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.

9 Mathematical Background: Example
Finite group: G = (Z_11*, * mod 11)
Find the order of a = 3 (all arithmetic mod 11):
a^1 = 3
a^2 = 3^2 = 9
a^3 = 3^3 = 27 = 5
a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4
a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1
So ord(3) = 5.

10 Mathematical Background: Example (cont.)
Finite group: G = (Z_11*, * mod 11)
Proof: α = 2 is a generator of G (all arithmetic mod 11)
|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
α^1 = 2
α^2 = 2^2 = 4
α^3 = 2^3 = 8
α^4 = 2^4 = 16 = 5
α^5 = 2^5 = 10
α^6 = 2^6 = 20 = 9
α^7 = 2^7 = 18 = 7
α^8 = 2^8 = 14 = 3
α^9 = 2^9 = 6
α^10 = 2^10 = 12 = 1
α^11 = 2^11 = 2 = α

11 Mathematical Background: Example (cont.)
Finite group: G = (Z_11*, * mod 11)
So we have: ord(α = 2) = 10 = |G|
→ (1) G is cyclic
→ (2) α = 2 is a generator of G
Note: 2^i, i = 1, 2, …, 10, generates all elements of G.
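The group facts on the preceding slides (inverses via the Extended Euclidean Algorithm, Z_p*, element order, generators) as a small worked script. This is an added example, not code from the presentation; the function names are my own.

```python
from math import gcd

def extended_gcd(a, b):
    """Extended Euclid: return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = extended_gcd(b, a % b)
    return g, v, u - (a // b) * v

def inverse_mod(a, m):
    """Inverse of a mod m; it exists iff gcd(a, m) = 1 (the slide's theorem)."""
    g, u, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd = {g}")
    return u % m

def unit_group(m):
    """Z_m* = {i in Z_m | gcd(i, m) = 1}."""
    return [i for i in range(1, m) if gcd(i, m) == 1]

def mult_table(m):
    """Rows of the multiplication table of (Z_m*, * mod m), in unit order."""
    units = unit_group(m)
    return [[a * b % m for b in units] for a in units]

def order(a, m):
    """ord(a): the smallest n > 0 with a^n = 1 (mod m); a must be a unit."""
    if gcd(a, m) != 1:
        raise ValueError(f"{a} is not in Z_{m}*")
    n, x = 1, a % m
    while x != 1:
        x = x * a % m
        n += 1
    return n

def is_generator(a, m):
    """a generates Z_m* iff ord(a) = |Z_m*|, i.e. Z_m* is cyclic with generator a."""
    return order(a, m) == len(unit_group(m))

if __name__ == "__main__":
    print("Z_9* =", unit_group(9))                  # [1, 2, 4, 5, 7, 8]
    print("7^-1 mod 9 =", inverse_mod(7, 9))         # 4
    print("ord(3) in Z_11* =", order(3, 11))         # 5
    print("2 generates Z_11*:", is_generator(2, 11)) # True
```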

12 Definition of DLP
The discrete logarithm problem (DLP)
Definition: Given a prime p, a generator α of Z_p*, and an element β ∈ Z_p*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x = β (mod p).
The generalized discrete logarithm problem (GDLP)
Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.

13 Definition of DLP: Example
G = (Z_11, + mod 11)
We have:
i:            1  2  3  4  5   6  7  8  9  10
i * 2 mod 11: 2  4  6  8  10  1  3  5  7  9
So α = 2 is a generator of G.
Let i = 7, β = 7 * 2 = 3 mod 11.
Question: given α = 2 and β = 3 = i * 2 mod 11, find i.
Answer: i = 2^(-1) * 3 mod 11 (= 6 * 3 mod 11 = 7).
Note: 2^(-1) = 6 can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.

14 Definition of DLP: Example
G = (Z_11*, * mod 11)
α = 2 is a generator of G.
Let i = 8, β = 2^8 = 3 mod 11.
Question: given α = 2 and β = 3 = 2^i, find i.
i = log_2 3 = log_2 2^i = ?
Note: No efficient algorithm is known to find i; it is a very hard computational problem! Thus this example is a one-way function.

15 Methods Used Today to Compute DL: Baby-step giant-step Algorithm
Algorithm: Baby-step giant-step algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Set m := ⌈√n⌉.
2. Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
3. Compute α^(−m) and set γ := β.
4. For i from 0 to m − 1:
   1. Check if γ is the second component of some entry in the table.
   2. If γ = α^j then return (x = im + j).
   3. Set γ := γ α^(−m).

16 Methods Used Today to Compute DL: Baby-step giant-step Algorithm Example
INPUT: a generator α = 2 of G = (Z_11*, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: x = log_α β = log_2 3.
Set m := ⌈√10⌉ = 4.
Construct a table with entries (j, α^j) for 0 ≤ j < 4 and sort it by second component:
j:          0  1  2  3
2^j mod 11: 1  2  4  8
By the Extended Euclidean Algorithm compute α^(−1) = 2^(−1) mod 11 = 6, so we have α^(−m) = 2^(−4) mod 11 = 6^4 mod 11 = 9, and set γ := β = 3.

17 Methods Used Today to Compute DL: Baby-step giant-step Algorithm Example (cont.)
For i from 0 to 3, we have the following table:
i:                   0  1  2  3
γ = 3 * 9^i mod 11:  3  5  1  9
Because 3 * 9^2 mod 11 = 1 = α^0, we have: x = im + j = 2 * 4 + 0 = 8.
The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
Complexity: O(√n) steps.
Minimum security requirement: n ≥ 2^160.
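The baby-step giant-step algorithm of slides 15 to 17 in working form, reproducing the slide's table of γ values and the answer x = 8 for α = 2, β = 3 in Z_11*. This is an added example (not code from the presentation); a dictionary keyed on α^j stands in for the sorted table, and the function names are my own.

```python
import math

def baby_step_giant_step(alpha, beta, p, n):
    """Return x with alpha^x = beta (mod p), alpha of order n in Z_p*,
    following the slide's algorithm; None if no x < m^2 matches."""
    m = math.isqrt(n - 1) + 1              # m := ceil(sqrt(n))
    # baby steps: the table of (j, alpha^j); a dict keyed on the second
    # component gives the same membership check as the sorted table
    table = {}
    alpha_j = 1
    for j in range(m):
        table.setdefault(alpha_j, j)
        alpha_j = alpha_j * alpha % p
    # alpha^(-m): alpha^(-1) comes from the extended Euclidean algorithm
    # (Python's pow(alpha, -1, p)), then raise it to the m-th power
    alpha_inv_m = pow(pow(alpha, -1, p), m, p)
    gamma = beta % p
    for i in range(m):                     # giant steps
        if gamma in table:
            return i * m + table[gamma]    # x = i*m + j
        gamma = gamma * alpha_inv_m % p
    return None

def giant_step_trace(alpha, beta, p, n):
    """The sequence gamma_i = beta * alpha^(-m*i), i = 0..m-1 (the slide's table)."""
    m = math.isqrt(n - 1) + 1
    alpha_inv_m = pow(pow(alpha, -1, p), m, p)
    out, gamma = [], beta % p
    for _ in range(m):
        out.append(gamma)
        gamma = gamma * alpha_inv_m % p
    return out

if __name__ == "__main__":
    print(giant_step_trace(2, 3, 11, 10))     # [3, 5, 1, 9]
    print(baby_step_giant_step(2, 3, 11, 10)) # 8
```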

18 Methods Used Today to Compute DL: Pollard's rho Algorithm
Algorithm: Pollard's rho algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Set x_0 := 1, a_0 := 0, b_0 := 0.
2. For i = 1, 2, … do the following:
   1. Using the quantities x_(i−1), a_(i−1), b_(i−1) and x_(2i−2), a_(2i−2), b_(2i−2) computed previously, compute x_i, a_i, b_i and x_(2i), a_(2i), b_(2i).
   2. If x_i = x_(2i), then do the following: set r := b_i − b_(2i) mod n. If r = 0 then terminate the algorithm with failure; otherwise, compute x = r^(−1) (a_(2i) − a_i) mod n and return (x).

19 Methods Used Today to Compute DL: Pollard's rho Algorithm
Pollard's rho algorithm is a randomized algorithm.
Complexity: O(√n) steps.
Minimum security requirement: ≥
It has the same expected running time as the baby-step giant-step algorithm, but requires only a negligible amount of storage.
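Pollard's rho from slide 18 in working form, including the r = 0 failure case. This is an added example, not code from the presentation. The slide does not state how x_i, a_i, b_i are computed from the previous values; the iteration function used here (partition Z_p* by x mod 3, then multiply by β, square, or multiply by α) is the standard one from the Handbook of Applied Cryptography, Algorithm 3.60, and is an assumption of this example, as are the function names.

```python
def pollard_rho_dlog(alpha, beta, p, n):
    """Pollard's rho for x = log_alpha(beta) in Z_p*, alpha of prime order n.
    Returns None in the slide's failure case (r = 0, or r not invertible mod n)."""
    def step(x, a, b):
        # Walk on triples with the invariant x = alpha^a * beta^b (mod p).
        # Partition by x mod 3 (assumed, after HAC Algorithm 3.60).
        if x % 3 == 1:                           # S1: x -> beta * x
            return beta * x % p, a, (b + 1) % n
        if x % 3 == 0:                           # S2: x -> x^2
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b     # S3: x -> alpha * x
    # Floyd cycle finding keeps (x_i, a_i, b_i) and (x_2i, a_2i, b_2i)
    # only, starting from x_0 = 1, a_0 = b_0 = 0 (negligible storage).
    xi, ai, bi = step(1, 0, 0)
    x2i, a2i, b2i = step(xi, ai, bi)
    while xi != x2i:
        xi, ai, bi = step(xi, ai, bi)
        x2i, a2i, b2i = step(*step(x2i, a2i, b2i))
    # Collision: alpha^ai beta^bi = alpha^a2i beta^b2i, hence
    # x * (bi - b2i) = a2i - ai (mod n) with beta = alpha^x.
    r = (bi - b2i) % n
    if r == 0:
        return None
    try:
        return pow(r, -1, n) * (a2i - ai) % n
    except ValueError:                           # r not invertible (n composite)
        return None

if __name__ == "__main__":
    # constructed instance: 2 has order 11 in Z_23*, and 2^7 = 13 (mod 23)
    print(pollard_rho_dlog(2, 13, 23, 11))       # 7
```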

20 Methods Used Today to Compute DL: Pohlig-Hellman Algorithm
Algorithm: Pohlig-Hellman algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
1. Find the prime factorization of n: n = p_1^e1 p_2^e2 … p_r^er, where e_i ≥ 1.
2. For i from 1 to r do the following:
   1. Set q := p_i, e := e_i, γ := 1, l_(−1) := 0.
   2. Compute α* := α^(n/q).
   3. For j from 0 to e − 1 do the following:
      Compute γ := γ α^(l_(j−1) q^(j−1)) and β* := (β γ^(−1))^(n/q^(j+1)).
      Compute l_j := log_α* β*.
   4. Set x_i := l_0 + l_1 q + … + l_(e−1) q^(e−1).
3. Use the CRT to compute the integer x from the x_i.
4. Return (x).

21 Methods Used Today to Compute DL: Pohlig-Hellman Algorithm
The Pohlig-Hellman algorithm takes advantage of the factorization of the order n.
Complexity: O(√p_l) steps, where p_l is the largest prime factor of n.
Minimum security requirement: p_l ≥ 2^160.
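The Pohlig-Hellman algorithm of slide 20 in working form, using the slide's notation (α*, β*, γ, l_j, x_i, CRT). It shows why the security requirement is on the largest prime factor p_l rather than on n: a large group whose order is smooth falls to a few tiny subproblems. This is an added example, not code from the presentation; the prime-order subproblems are solved by exhaustive search here (baby-step giant-step or rho could be substituted), and the function names are my own.

```python
def factorize(n):
    """n = p_1^e1 ... p_r^er by trial division, returned as [(p, e), ...]."""
    factors, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def small_dlog(alpha, beta, p, q):
    """l = log_alpha(beta) in the subgroup of prime order q, by exhaustive search."""
    x, g = 0, 1
    while g != beta % p:
        g, x = g * alpha % p, x + 1
        if x > q:
            raise ValueError("beta is not in the subgroup generated by alpha")
    return x

def crt(residues):
    """Combine [(x_i, m_i)] with pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m

def pohlig_hellman(alpha, beta, p, n):
    """x = log_alpha(beta) in Z_p*, alpha of order n, following slide 20."""
    residues = []
    for q, e in factorize(n):
        alpha_star = pow(alpha, n // q, p)              # alpha* has order q
        gamma, l_prev, x_i = 1, 0, 0                     # gamma := 1, l_{-1} := 0
        for j in range(e):
            if j > 0:                                    # gamma := gamma * alpha^(l_{j-1} q^{j-1})
                gamma = gamma * pow(alpha, l_prev * q ** (j - 1), p) % p
            beta_star = pow(beta * pow(gamma, -1, p) % p, n // q ** (j + 1), p)
            l_prev = small_dlog(alpha_star, beta_star, p, q)  # l_j := log_alpha* beta*
            x_i += l_prev * q ** j
        residues.append((x_i, q ** e))                   # x = x_i (mod q^e)
    return crt(residues)                                 # combine with the CRT
```

With the slide's group, pohlig_hellman(2, 3, 11, 10) returns 8; for p = 65537, where n = 2^16 has largest prime factor 2, every subproblem is a single bit.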

22 Methods Used Today to Compute DL: Index-Calculus method
Algorithm: Index-calculus method for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: y = log_α β.
1. Choose a subset S = {p_1, p_2, …, p_t} of G such that all elements in G can be efficiently expressed as a product of elements from S.
2. Collect linear relations:
   1. Select a random integer k, 0 ≤ k ≤ n − 1, and compute α^k.
   2. Try to write α^k as a product of elements in S.
   3. Repeat steps 1 and 2 until t + c relations are obtained.
3. Select a random integer k, 0 ≤ k ≤ n − 1, and compute β α^k. Try to write β α^k as a product of elements in S. If this fails, repeat this step; otherwise, taking logarithms of both sides, we obtain y.
4. Return (y).

23 Methods Used Today to Compute DL: Index-Calculus method
The index-calculus method is the most powerful method known for computing DL. It does not apply to all groups; it is only efficient for Z_p* and Galois fields GF(2^k).
Subexponential-time algorithm: O( ) steps.
Minimum security requirement: p ≥

24 Future Work
Try to improve some of these algorithms.
Challenge: find a polynomial-time algorithm to compute DL.

Question & Answer
Thanks