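1 Cryptosystems Based on Discrete Logarithms. Rong-Jaye Chen (陳榮傑), Department of Computer Science and Information Engineering, National Chiao Tung University. 2 Outline: Discrete Logarithm Problem; DL Algorithms – A trivial algorithm – Shanks' algorithm – Pollard's algorithm.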

Presentation transcript:

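1 Cryptosystems Based on Discrete Logarithms. Rong-Jaye Chen (陳榮傑), Department of Computer Science and Information Engineering, National Chiao Tung University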

2 Outline
Discrete Logarithm Problem
DL Algorithms
– A trivial algorithm
– Shanks' algorithm
– Pollard's algorithm
– Pohlig-Hellman algorithm
– Adleman's algorithm (the index calculus method)
Cryptosystems based on DL
– Key distribution
– Encryption
– Digital signature

3 Discrete Logarithm Problem
Let G be a finite cyclic group of size n generated by generator g, i.e. $G = \{g^i \mid i = 1, 2, \ldots, n\}$ or $\{g^i \mid i = 0, 1, \ldots, n-1\}$
– Given g and i, it is easy to compute $g^i$ by repeated squaring
– Discrete logarithm problem: Given, find x such that We denote

4 Discrete Logarithm Problem
Example 1: $G = Z_{19}^* = \{1, 2, \ldots, 18\}$, n = 18, generator g = 2; then
$\log_2 14 = 7$
$\log_2 6 = 14$

5 Discrete Logarithm Problem
Example 2: $G = GF^*(2^3)$ with irreducible polynomial $p(x) = x^3 + x + 1$
$G = Z_p^*/p(x) = \{1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2\}$, n = 7, generator g = x; then
$\log_x (x+1) = 3$
$\log_x (x^2+x+1) = 5$
$\log_x (x^2+1) = 6$

6 DL Algorithms
– A trivial algorithm
– Shanks' algorithm
– Pollard rho discrete log algorithm
– Pohlig-Hellman algorithm
– The index calculus method

7 Algorithms for Discrete Logarithm
Discrete Logarithm Problem in $Z_p^*$: given generator g and a in $Z_p^*$, find x in $Z_{p-1}$ such that $a = g^x \bmod p$
A trivial algorithm
– Compute $g^i$ for all i
– Search table for a
– Time complexity O(p)

8 Algorithms for Discrete Logarithm
Shanks' algorithm (1972)
– Compute $L_1 = \{(i, g^{mi}),\ i = 0, 1, \ldots, m-1\}$ and $L_2 = \{(i, a g^{-i}),\ i = 0, 1, \ldots, m-1\}$, where $m = \lceil (p-1)^{1/2} \rceil$
– Sort $L_1$ and $L_2$ with respect to the 2nd coordinate.
– Find the same 2nd coordinate from $L_1$ and $L_2$, say, $(q, g^{mq})$, $(r, a g^{-r})$, to get $g^{mq} = a g^{-r}$. So $a = g^{mq+r}$ and $x = mq + r$.
– Time complexity $O(m \log m) = O(p^{1/2} \log p)$
– Space complexity $O(p^{1/2})$

9 Algorithms for Discrete Logarithm
Example: $\log_2 15 \bmod 19 = ?$
$G = Z_{19}^* = \{1, 2, \ldots, 18\}$, g = 2, $g^{-1} = 10$, n = p-1 = 18, m = 5, $g^m = 13$, a = 15

L1: (i, g^{mi})    L2: (i, a g^{-i})
(0, 1)             (0, 15)
(1, 13)            (1, 17)
(2, 17)            (2, 18)
(3, 12)            (3, 9)
(4, 4)             (4, 14)

The common 2nd coordinate is 17, so q = 2, r = 1 and mq + r = 11.
$\log_2 15 \bmod 19 = 11$
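Shanks' algorithm from slides 8 and 9 as runnable code. This is an added example, not code from the slides; it replaces the sort-and-merge step with a hash-table lookup on the 2nd coordinate, and the function name `shanks` and the optional group-order argument `n` are choices made here.

```python
from math import isqrt

def shanks(g, a, p, n=None):
    """Return x with g**x == a (mod p), or None if a is not a power of g.

    n is the order of g; it defaults to p - 1 (g generates Z_p^*).
    """
    n = p - 1 if n is None else n
    m = isqrt(n - 1) + 1                  # m = ceil(sqrt(n))
    g_m = pow(g, m, p)

    # L1: giant steps (q, g^(m*q)), indexed by the 2nd coordinate.
    giant, value = {}, 1
    for q in range(m):
        giant.setdefault(value, q)
        value = value * g_m % p

    # L2: baby steps (r, a*g^(-r)); stop at the first shared 2nd coordinate.
    g_inv = pow(g, -1, p)                 # modular inverse, Python 3.8+
    value = a % p
    for r in range(m):
        if value in giant:
            return (m * giant[value] + r) % n
        value = value * g_inv % p
    return None                           # a lies outside the subgroup <g>

if __name__ == "__main__":
    print(shanks(2, 15, 19))              # the slide's example
```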

10 Algorithms for Discrete Logarithm
Pollard rho discrete logarithm algorithm (1978): compute integers s and t such that
– partition the group G into three roughly equal-sized sets $S_1$, $S_2$ and $S_3$. Let $x_0 = 1 \in G$ and $x_0$ is not in $S_2$

11 Algorithms for Discrete Logarithm
where n = p-1 when $G = Z_p^*$

12 Algorithms for Discrete Logarithm
We should expect some integer such that, then this gives with If, then compute u such that and we have, so that If, little work to do... (Omitted)

13 Algorithms for Discrete Logarithm
Pohlig-Hellman algorithm (1978) (DLP: find m s.t. $\alpha^m = c \bmod q$)
– Suitable for q-1 containing only small prime divisors
– Assume m is the discrete logarithm of c (i.e. $c = \alpha^m$)
– Base case: If $q - 1 = 2^n$ and because $\alpha^{q-1} = 1$ hence …. So we can compute m

14 Algorithms for Discrete Logarithm
General case: Let $m^{(i)} = m \pmod{p_i^{n_i}}$; then, applying the Chinese Remainder Theorem, we can compute m.
How to compute $m^{(i)}$? (similar to the base case, see next page)

15 Algorithms for Discrete Logarithm
Let then ….. So we can compute $m^{(i)}$ and then apply CRT to get m
– Time complexity: $O((\log_2 q)^2)$ + factoring q-1
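The Pohlig-Hellman procedure of slides 13 to 15, written out for a general factorization of q-1 (it goes beyond the slides' base case $q - 1 = 2^n$). This is an added example, not code from the slides; the function names are chosen here, and each digit is found by brute force over the prime r, which is why the method only pays off when every prime factor of q-1 is small.

```python
def factorize(n):
    """Trial division, returns {prime: exponent}; fine for the small n used here."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def dlog_mod_prime_power(alpha, c, q, r, e):
    """Return m mod r**e, recovered one base-r digit at a time."""
    n = q - 1
    gamma = pow(alpha, n // r, q)             # element of order r
    m_i = 0
    for j in range(e):
        # Strip the digits already known, then project into the order-r subgroup.
        h = pow(c * pow(alpha, -m_i, q) % q, n // r ** (j + 1), q)
        digit = next((d for d in range(r) if pow(gamma, d, q) == h), None)
        if digit is None:
            raise ValueError("c is not a power of alpha")
        m_i += digit * r ** j
    return m_i

def pohlig_hellman(alpha, c, q):
    """Solve alpha**m == c (mod q) for a primitive root alpha of the prime q."""
    m, modulus = 0, 1
    for r, e in factorize(q - 1).items():
        m_i, r_e = dlog_mod_prime_power(alpha, c, q, r, e), r ** e
        # CRT: lift m (mod modulus) so that it also agrees with m_i (mod r**e).
        t = (m_i - m) * pow(modulus, -1, r_e) % r_e
        m, modulus = m + modulus * t, modulus * r_e
    return m

if __name__ == "__main__":
    print(pohlig_hellman(2, 15, 19))          # 18 = 2 * 3^2, all factors small
```

For q = 10007 the order factors as 2 · 5003, so almost all of the work is the 5003-step search: the cost is governed by the largest prime factor of q-1.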

16 Algorithms for Discrete Logarithm
The index calculus method (Suitable only for $G = Z_p^*$)

17 Algorithms for Discrete Logarithm
Example: $\log_5 9451 \bmod 10007 = ?$
Choose B = {2, 3, 5, 7}. Of course $\log_5 5 = 1$. Use lucky exponents 4063, 5136, and 9865:
$5^{4063} \bmod 10007 = 42 = 2 \cdot 3 \cdot 7$
$5^{5136} \bmod 10007 = 54 = 2 \cdot 3^3$
$5^{9865} \bmod 10007 = 189 = 3^3 \cdot 7$
And we have three congruences:
$\log_5 2 + \log_5 3 + \log_5 7 = 4063 \bmod 10006$
$\log_5 2 + 3 \log_5 3 = 5136 \bmod 10006$
$3 \log_5 3 + \log_5 7 = 9865 \bmod 10006$

18 Algorithms for Discrete Logarithm
There happens to be a unique solution modulo 10006: $\log_5 2 = 6578$, $\log_5 3 = 6190$, and $\log_5 7 = 1301$
Choose random exponent s = 7736 and try to calculate $a g^s = 9451 \cdot 5^{7736} \bmod 10007 = 8400$
Since $8400 = 2^4 \cdot 3 \cdot 5^2 \cdot 7$ factors over B, we obtain
$\log_5 9451 = (4 \log_5 2 + \log_5 3 + 2 \log_5 5 + \log_5 7 - s) \bmod 10006 = (4 \cdot 6578 + 6190 + 2 \cdot 1 + 1301 - 7736) \bmod 10006 = 6057 \pmod{10006}$

19 Cryptosystems based on DL
Key Distribution
– Diffie-Hellman, 1976
Encryption
– Massey-Omura cryptosystem, 1983
Digital Signature
– ElGamal, 1985
– DSA (Digital Signature Algorithm), 1992

20 Diffie-Hellman Key Exchange Algorithm
Global Public Elements
– q: prime number
– α: α < q and α is a primitive root of q
User A Key Generation
– Select private $X_A$: $X_A < q$
– Calculate public $Y_A$: $Y_A = \alpha^{X_A} \bmod q$
User B Key Generation
– Select private $X_B$: $X_B < q$
– Calculate public $Y_B$: $Y_B = \alpha^{X_B} \bmod q$
Generation of Secret Key by User A
– $K = (Y_B)^{X_A} \bmod q$
Generation of Secret Key by User B
– $K = (Y_A)^{X_B} \bmod q$

21 Diffie-Hellman Key Exchange
User A: Generate random $X_A < q$; calculate $Y_A = \alpha^{X_A} \bmod q$
User A → User B: $Y_A$
User B: Generate random $X_B < q$; calculate $Y_B = \alpha^{X_B} \bmod q$
User B → User A: $Y_B$
User A: Calculate $K = (Y_B)^{X_A} \bmod q$
User B: Calculate $K = (Y_A)^{X_B} \bmod q$

22 Massey-Omura for message transmission
Parameters
– q: prime number
– e: a random private integer, 0 < e < q and gcd(e, q-1) = 1
– d: an inverse of e, $d = e^{-1} \bmod (q-1)$, i.e., $de \equiv 1 \bmod (q-1)$
– M: a message to be encrypted and decrypted
User A wants to send a message M to User B
– User A: $e_A$ and $d_A$ are both private
– User B: $e_B$ and $d_B$ are both private

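23 Massey-Omura for message transmission
1. Encryption (1), User A: $C_1 = M^{e_A} \bmod q$; User A → User B: $C_1$
2. Encryption (2), User B: $C_2 = C_1^{e_B} = M^{e_A e_B} \bmod q$; User B → User A: $C_2$
3. Encryption (3), User A: $C_3 = C_2^{d_A} = (M^{e_A e_B})^{d_A} = M^{e_B} \bmod q$; User A → User B: $C_3$
4. Decryption, User B: $M = C_3^{d_B} = M^{e_B d_B} \bmod q$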
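The three-pass exchange of slides 22 and 23 with both sides' messages, as an added example that is not code from the slides. The class and function names are chosen here, and the primes and exponents in the usage line are toy values constructed for illustration.

```python
from math import gcd

class Party:
    """One user's private exponent pair (e, d) with d*e == 1 (mod q-1)."""

    def __init__(self, q, e):
        if not 0 < e < q or gcd(e, q - 1) != 1:
            raise ValueError("need 0 < e < q and gcd(e, q-1) = 1")
        self.q, self.e = q, e
        self.d = pow(e, -1, q - 1)        # modular inverse, Python 3.8+

    def lock(self, x):
        return pow(x, self.e, self.q)     # raise to e

    def unlock(self, x):
        return pow(x, self.d, self.q)     # raise to d, undoing this party's e

def three_pass(M, user_a, user_b):
    """Return the wire transcript (C1, C2, C3) and the plaintext User B recovers."""
    if user_a.q != user_b.q or not 0 < M < user_a.q:
        raise ValueError("both users must share q, and 0 < M < q")
    c1 = user_a.lock(M)                   # A -> B : C1 = M^eA
    c2 = user_b.lock(c1)                  # B -> A : C2 = C1^eB
    c3 = user_a.unlock(c2)                # A -> B : C3 = C2^dA = M^eB
    return (c1, c2, c3), user_b.unlock(c3)

if __name__ == "__main__":
    q = 10007                             # toy prime, constructed for the demo
    print(three_pass(1234, Party(q, 3), Party(q, 7)))
```

Nothing in the three messages identifies who applied an exponent, so the exchange on its own does not authenticate either user.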

24 ElGamal encryption scheme
Parameters
– p: a large prime
– α: a primitive element in GF(p)
– a: a private key, $a \in [1, p-1]$
– β: a public key, $\beta = \alpha^a \pmod p$
– m: a message to be encrypted, $m \in [1, p-1]$
– k: a random integer that is privately selected, $k \in [0, p-2]$
– K = (p, α, a, β): public key + private key
Encryption
– $e_K(m, k) = (y_1, y_2)$ where $y_1 = \alpha^k \bmod p$ and $y_2 = m\beta^k \bmod p$
Decryption
– $m = d_K(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p$

25 ElGamal signature scheme (ElGamal, 1985)
Parameters
– p: a large prime
– α: a primitive element in GF(p)
– x: a private key, $x \in [1, p-1]$
– y: a public key, $y = \alpha^x \pmod p$
– m: a message to be signed, $m \in [1, p-1]$
– k: a random integer that is privately selected, $k \in [0, p-2]$
Signature
– $r = \alpha^k \bmod p$
– $m = ks + rx \bmod \varphi(p)$, where $\gcd(k, \varphi(p)) = 1$
– (m, (r, s)) is sent to the verifier
Verification
– $\alpha^m = r^s y^r \bmod p$
– The signature (r, s) is accepted when the equality holds true.
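ElGamal encryption (slide 24) and the ElGamal signature (slide 25) over one shared toy group, as an added example that is not code from the slides. It assumes p = 10007 and α = 5, the values of the index calculus example, which are far too small for real use; the function names are chosen here.

```python
from math import gcd

P, ALPHA = 10007, 5        # toy parameters (assumption): 5 is a primitive root mod 10007

def public_key(private):
    return pow(ALPHA, private, P)                    # beta = alpha^a, y = alpha^x

def encrypt(m, beta, k):
    """e_K(m, k) = (y1, y2) = (alpha^k, m * beta^k) mod p."""
    return pow(ALPHA, k, P), m * pow(beta, k, P) % P

def decrypt(y1, y2, a):
    """d_K(y1, y2) = y2 * (y1^a)^-1 mod p."""
    return y2 * pow(pow(y1, a, P), -1, P) % P

def sign(m, x, k):
    """Solve m = k*s + r*x (mod phi(p)) for s; k must be invertible mod p-1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("gcd(k, p-1) must be 1")
    r = pow(ALPHA, k, P)
    s = (m - r * x) * pow(k, -1, P - 1) % (P - 1)
    return r, s

def verify(m, r, s, y):
    """Accept when alpha^m == r^s * y^r (mod p)."""
    if not 0 < r < P:                                # r must be a group element
        return False
    return pow(ALPHA, m, P) == pow(r, s, P) * pow(y, r, P) % P

if __name__ == "__main__":
    a = 1234                                         # constructed private key
    y1, y2 = encrypt(4321, public_key(a), k=777)
    print(decrypt(y1, y2, a))
    r, s = sign(4321, a, k=777)
    print(verify(4321, r, s, public_key(a)), verify(4322, r, s, public_key(a)))
```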

26 Digital Signature Algorithm (DSA) (NIST, 1992)
Parameters
– p: a large prime, 512 bits
– q: a large prime, 160 bits, q | p-1
– g: $g = h^{(p-1)/q} \bmod p$, with $h \in [1, p-1]$
– h: a one-way hash function
– x: a private key, 0 < x < q
– y: a public key, $y = g^x \pmod p$
– m: a message to be signed, 0 < m < p
– k: a random integer that is privately selected, 0 < k < q

27 Digital Signature Algorithm (DSA)
Signature
– $r = (g^k \bmod p) \bmod q$
– $s = k^{-1}(h(m) + rx) \bmod q$, where $k^{-1}k = 1 \bmod q$
– (m, (r, s)) is sent to the verifier
Verification
– check whether $(r, s) \in [0, q]$; if not, (r, s) is not the signature
– $t = s^{-1} \bmod q$
– $r' = (g^{h(m)t} y^{rt} \bmod p) \bmod q$
– if r' = r, then (r, s) is the legal signature of message m
Proof
$(g^{h(m)t} y^{rt} \bmod p) \bmod q = ((g^{h(m)} y^r)^t \bmod p) \bmod q = ((g^{h(m)} (g^x)^r)^t \bmod p) \bmod q = ((g^{h(m)+xr})^t \bmod p) \bmod q = ((g^{h(m)+xr})^{s^{-1}} \bmod p) \bmod q = (g^k \bmod p) \bmod q = r$
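DSA signing and verification from slides 26 and 27 on a toy group, as an added example that is not code from the slides. Assumptions made here: p = 607 and q = 101 (q divides p-1 = 6 · 101), generator base h = 2, and h(m) taken as SHA-256 reduced mod q; `sign` and `verify` work on the hash value h(m) so the arithmetic can be followed by hand.

```python
import hashlib
import secrets

P, Q = 607, 101                    # toy primes (assumption), Q divides P - 1
G = pow(2, (P - 1) // Q, P)        # g = h^((p-1)/q) mod p with h = 2, so G = 64

def digest(message: bytes) -> int:
    """h(m): SHA-256 reduced mod q (a simplification chosen for this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def sign(hm, x, k):
    """r = (g^k mod p) mod q, s = k^-1 (h(m) + r*x) mod q."""
    if not 0 < k < Q:
        raise ValueError("need 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hm + r * x) % Q
    if r == 0 or s == 0:
        raise ValueError("unusable k, draw another")
    return r, s

def verify(hm, r, s, y):
    # Stricter than the slide's [0, q]: s = 0 has no inverse and r = 0 leaks nothing of x.
    if not (0 < r < Q and 0 < s < Q):
        return False
    t = pow(s, -1, Q)
    r_prime = pow(G, hm * t % Q, P) * pow(y, r * t % Q, P) % P % Q
    return r_prime == r

def sign_message(message: bytes, x):
    """Sign with a fresh secret k for every signature, retrying on unusable k."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        try:
            return sign(digest(message), x, k)
        except ValueError:
            continue

if __name__ == "__main__":
    x = 3                                          # constructed private key
    y = pow(G, x, P)
    msg = b"constructed sample message"
    print(verify(digest(msg), *sign_message(msg, x), y))
```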