
Discrete Logarithm(s) (DLs)
Fix a prime $p$. Let $a$, $b$ be nonzero integers (mod $p$). The problem of finding $x$ such that $a^x \equiv b \pmod{p}$ is called the discrete logarithm problem.
Suppose that $n$ is the smallest integer such that $a^n \equiv 1 \pmod{p}$, i.e., $n = \mathrm{ord}_p(a)$. By assuming $0 \le x < n$, we denote $x = L_a(b)$, and call it the discrete log of $b$ w.r.t. $a$ (mod $p$).
Ex: $p=11$, $a=2$, $b=9$, then $x = L_2(9) = 6$.

Discrete Logarithms
In the RSA algorithms, the difficulty of factoring a large integer yields good cryptosystems.
In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems.
Given $p$, $a$, $b$, solve $a^x \equiv b \pmod{p}$.
$a$ is suggested to be a primitive root mod $p$.

One-Way Function
A function $f(x)$ is called a one-way function if $f(x)$ is easy to compute, but, given $y$, it is computationally infeasible to find $x$ with $y = f(x)$.
$L_a(b)$ is a one-way function if $p$ is large.

Primitive Roots mod 13
$a$ is a primitive root mod $p$ if $\{a^k \mid 1 \le k \le p-1\} = \{1, 2, \ldots, p-1\}$.
♪ 2, 6, 7, 11 are primitive roots mod ≡ 1 (mod 13), $4^6 \equiv 1 \pmod{13}$, $5^4 \equiv 1 \pmod{13}$, $8^4 \equiv 1 \pmod{13}$, $9^3 \equiv 1 \pmod{13}$, $10^6 \equiv 1 \pmod{13}$, $12^2 \equiv 1 \pmod{13}$

Solve $a^x \equiv b \pmod{p}$
An exhaustive search for all $0 \le x < p$.
Check only for even $x$ or odd $x$ according to $b^{(p-1)/2} \equiv (a^x)^{(p-1)/2} \equiv (a^{(p-1)/2})^x \equiv (-1)^x \equiv 1$ or $-1 \pmod{p}$, where $a$ is a primitive root.
(Ex) $p=11$, $a=2$, $b=9$: since $b^{(p-1)/2} \equiv 9^5 \equiv 1$, then check for even numbers $\{0, 2, 4, 6, 8, 10\}$ only to find $x=6$ such that $2^6 \equiv 9 \pmod{11}$.

Solve $a^x \equiv b \pmod{p}$ by Pohlig-Hellman
Let $p-1 = \prod q^r$ for all $q \mid (p-1)$, write $b_0 = b$, and $x = x_0 + x_1 q + x_2 q^2 + \cdots + x_{r-1} q^{r-1}$ for $0 \le x_i \le q-1$.
1. Find $0 \le k \le q-1$ such that $(a^{(p-1)/q})^k \equiv b^{(p-1)/q}$, then $x_0 \equiv k$; next let $b_1 \equiv b_0 a^{-x_0}$.
2. Find $0 \le k \le q-1$ such that $(a^{(p-1)/q})^k \equiv [b_1]^{(p-1)/q^2}$, then $x_1 \equiv k$; next let $b_2 \equiv b_1 a^{-x_1}$.
3. Repeat steps 1, 2 until $x_{r-1}$ is found for a $q$.
4. Repeat steps 1~3 for all $q$'s, then apply the Chinese Remainder Theorem to get the final solution.

$7^x \equiv 12 \pmod{41}$; $p=41$, $a=7$, $b=12$, $p-1 = 41-1 = 40 = 2^3 \cdot 5$, $b_0 = 12$
For $q=2$: $b_0 = 12$, $b_1 = 31$, $b_2 = 31$, and $x = x_0 + 2x_1 + 4x_2 \equiv 1 + 2 \cdot 0 + 4 \cdot 1 \equiv 5 \pmod{8}$
For $q=5$: $b_0 = 12$, $b_1 = 18$, and $x = x_0 \equiv 3 \pmod{5}$
Solving $x \equiv 5 \pmod{8}$ and $x \equiv 3 \pmod{5}$, we have $x \equiv 13 \pmod{40}$.
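The Pohlig-Hellman procedure and the worked example above, as an added Python example (not part of the original slides; function names are illustrative). It assumes $a$ is a primitive root of the prime $p$ and implements the digit update in its general form $b_{i+1} \equiv b_i a^{-x_i q^i}$; each digit costs at most $q$ trials, so the work is governed by the largest prime factor of $p-1$.

```python
def factorize(n):
    """Trial-division factorization: returns {prime q: exponent r}."""
    factors, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def log_mod_prime_power(a, b, p, q, r):
    """Return x mod q**r by recovering the base-q digits x_0, ..., x_{r-1}."""
    n = p - 1
    gamma = pow(a, n // q, p)      # a^((p-1)/q), an element of order q
    a_inv = pow(a, p - 2, p)       # a^(-1) mod p by Fermat's little theorem
    x, b_i = 0, b
    for i in range(r):
        target = pow(b_i, n // q ** (i + 1), p)
        # Exhaustive search over only q candidates for the digit x_i.
        digit = next(k for k in range(q) if pow(gamma, k, p) == target)
        x += digit * q ** i
        # Strip the digit just found: b_{i+1} = b_i * a^(-x_i * q^i).
        b_i = b_i * pow(a_inv, digit * q ** i, p) % p
    return x

def crt(residues):
    """Combine [(x_j, m_j)] with pairwise coprime m_j into x mod prod(m_j)."""
    x, m = 0, 1
    for x_j, m_j in residues:
        # Choose t so that x + m*t ≡ x_j (mod m_j).
        t = (x_j - x) * pow(m, -1, m_j) % m_j
        x, m = x + m * t, m * m_j
    return x % m

def pohlig_hellman(a, b, p):
    """Solve a^x ≡ b (mod p) for a primitive root a of the prime p."""
    parts = [(log_mod_prime_power(a, b, p, q, r), q ** r)
             for q, r in factorize(p - 1).items()]
    return crt(parts)
```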

Solve $a^x \equiv b \pmod{p}$ by Index Calculus
Let $B$ be a bound and let $p_1, p_2, \ldots, p_m$ be the primes less than $B$ and cover all of the prime factors of $p-1$.
Then appropriately choose $k(j)$'s such that $a^{k(j)} \equiv p_1^{r_1} p_2^{r_2} \cdots p_m^{r_m}$, i.e., $r_1 L_a(p_1) + r_2 L_a(p_2) + \cdots + r_m L_a(p_m) \equiv k(j)$ for several $j$'s, and solve the linear system to get $L_a(p_1), L_a(p_2), \ldots, L_a(p_m)$.
Then select $R$ such that $b a^R \equiv p_1^{b_1} p_2^{b_2} \cdots p_m^{b_m}$; the solution is $L_a(b) \equiv -R + \sum_i b_i L_a(p_i)$.

Solve $2^x \equiv 37 \pmod{131}$
$p=131$, $a=2$, $b=37$, let $B=10$, then $p_1=2$, $p_2=3$, $p_3=5$, $p_4=7$.
Since $2^8 \equiv 5^3$, $2^{12} \equiv 5 \cdot 7$, $2^{14} \equiv 3^2$, $2^{34} \equiv 3 \cdot 5^2 \pmod{p}$, we have
$3L_2(5) \equiv 8 \pmod{130}$
$L_2(5) + L_2(7) \equiv 12 \pmod{130}$
$2L_2(3) \equiv 14 \pmod{130}$
$L_2(3) + 2L_2(5) \equiv 34 \pmod{130}$

$L_2([3, 5, 7]) = [72, 46, 96]$
Choose $R=43$, then $37 \cdot 2^{43} \equiv 3 \cdot 5 \cdot 7 \pmod{131}$, so we have $L_2(37) \equiv -43 + L_2(3) + L_2(5) + L_2(7) \equiv 41 \pmod{130}$
♪ $L_2(11) \equiv 56 \pmod{130}$ [$R=4$]
♪ $L_2(23) \equiv 23 \pmod{130}$ [$R=5$]
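The second stage of the index calculus example above, as an added Python example (not part of the original slides; function names are illustrative). It takes the factor-base logarithms from the slides, with $L_2(2)=1$ added as an assumption that follows from $a=2$, checks the four relations, and then searches for an $R$ that makes $b \cdot a^R$ smooth over the factor base.

```python
# Parameters and factor-base logs for p = 131, a = 2 as given in the slides;
# L_2(2) = 1 is added because the base itself is in the factor base.
P, A = 131, 2
BASE_LOGS = {2: 1, 3: 72, 5: 46, 7: 96}

def smooth_exponents(n, primes):
    """Return {prime: exponent} if n factors completely over primes, else None."""
    if n <= 0:
        return None
    exps = {}
    for q in primes:
        while n % q == 0:
            n //= q
            exps[q] = exps.get(q, 0) + 1
    return exps if n == 1 else None

def relation_holds(k, p=P, a=A, logs=BASE_LOGS):
    """Check a^k mod p is smooth and sum r_i * L_a(p_i) ≡ k (mod p-1)."""
    exps = smooth_exponents(pow(a, k, p), logs)
    if exps is None:
        return False
    total = sum(r * logs[q] for q, r in exps.items())
    return total % (p - 1) == k % (p - 1)

def individual_log(b, p=P, a=A, logs=BASE_LOGS):
    """Find the first R with b * a^R smooth; return (R, L_a(b))."""
    for R in range(p - 1):
        exps = smooth_exponents(b * pow(a, R, p) % p, logs)
        if exps is not None:
            # L_a(b) ≡ -R + sum b_i * L_a(p_i)  (mod p-1)
            x = (sum(e * logs[q] for q, e in exps.items()) - R) % (p - 1)
            return R, x
    raise ValueError("no smooth value found; enlarge the factor base")
```

The search stops at the first usable $R$, so for $b=37$ it may settle on a smaller $R$ than the slides' 43; the resulting logarithm is the same because it is unique mod 130.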

A Lemma on $p \equiv 3 \pmod{4}$
Let $p \equiv 3 \pmod{4}$, $r \ge 2$. Suppose $a$ and $g$ are nonzero integers such that $g \equiv a^{y \cdot 2^r} \pmod{p}$. Then $g^{(p+1)/4} \equiv a^{y \cdot 2^{r-1}} \pmod{p}$.
[Proof] $g^{(p+1)/4} \equiv a^{(p+1) y \cdot 2^{r-2}} \equiv a^{y \cdot 2^{r-1}} \, [a^{p-1}]^{y \cdot 2^{r-2}} \equiv a^{y \cdot 2^{r-1}} \pmod{p}$

A $L_a(b) \pmod{4}$ Machine
Let $a$ be a primitive root (mod $p$), where $p \equiv 3 \pmod{4}$ is large. Then computing $L_a(b) \pmod{4}$ is as difficult as finding the solution of $a^x \equiv b \pmod{p}$ [P.172].

The ElGamal Public Key Cryptosystem
Alice wants to send a message $m$ to Bob. Bob chooses a large prime $p$ and a primitive root $a$. Assume $m$ is an integer $0 \le m < p$, and Bob selects a secret integer $x$ to compute $b \equiv a^x \pmod{p}$. The information $(p, a, b)$ is made public and is Bob's public key. Alice does the following procedures.

Encryption and Decryption
1. Downloads $(p, a, b)$
2. Chooses a secret random $k$ and computes $r \equiv a^k \pmod{p}$
3. Computes $t \equiv b^k m \pmod{p}$
4. Sends the pair $(t, r)$ to Bob
Bob decrypts by computing $t r^{-x}$ ($\equiv m \pmod{p}$)
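The key setup, encryption steps and decryption above, as an added Python example (not part of the original slides; function names are illustrative). The toy parameters $p=131$, $a=2$ are borrowed from the index calculus example and are far too small for real use; $k$ is drawn fresh for every message from a cryptographic random source.

```python
import secrets

def keygen(p, a):
    """Bob: choose a secret x and publish (p, a, b) with b = a^x mod p."""
    x = secrets.randbelow(p - 2) + 1           # 1 <= x <= p-2
    return x, (p, a, pow(a, x, p))

def encrypt(public_key, m):
    """Alice: steps 1-4 of the slide; returns the pair (t, r)."""
    p, a, b = public_key
    if not 0 <= m < p:
        raise ValueError("message must satisfy 0 <= m < p")
    k = secrets.randbelow(p - 2) + 1           # fresh secret random k
    r = pow(a, k, p)                           # r = a^k mod p
    t = pow(b, k, p) * m % p                   # t = b^k * m mod p
    return t, r

def decrypt(p, x, ciphertext):
    """Bob: recover m = t * r^(-x) mod p."""
    t, r = ciphertext
    # r^(-x) equals r^(p-1-x) because r^(p-1) ≡ 1 (mod p).
    return t * pow(r, p - 1 - x, p) % p

def roundtrip_ok(p, a):
    """Encrypt and decrypt every message 0 <= m < p under one key pair."""
    x, public_key = keygen(p, a)
    return all(decrypt(p, x, encrypt(public_key, m)) == m for m in range(p))

if __name__ == "__main__":
    # Toy parameters (constructed for illustration).
    print(roundtrip_ok(131, 2))
```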

Exercises on Pages 175 and 176