Presentation is loading. Please wait.

Presentation is loading. Please wait.

Elgamal demonstration project on calculators TI-83+

Published byEeva-Kaarina Mikkonen Modified over 5 years ago

Similar presentations

Presentation on theme: "Elgamal demonstration project on calculators TI-83+"— Presentation transcript:

1 Elgamal demonstration project on calculators TI-83+
Gerard Tel Utrecht University With results from Jos Roseboom and Meli Samikin

2 Overview of the lecture
History and background Elgamal (Diffie Hellman) Discrete Log: Pollard rho Experimentation results Structure of Function Graph: Cycles, Tails, Layers Conclusions Workshop Elgamal

3 1. History and background
2003, lecture for school teachers about Elgamal 2006, lecture with calculator demo Why Elgamal, not RSA? Functional property easy to show Security: rely on complexity Compare exponentiation and DLog Workshop Elgamal

4 Math: Modular arithmetic
Compute modulo prime p (95917) with 0, 1, … p-2, p-1 Generator g of order q (prime) Rules of algebra are valid (ga)k = (gk)a Secure application: p has ~309 digits!! Workshop Elgamal

5 Calculator TI-83, 83+, 84+ Grafical, 14 digit Programmable
Generally available in VWO (pre-academic school type in the Netherlands) Cost 100 euro (free for me) Workshop Elgamal

6 The Elgamal program Ceasar cipher (symmetric)
Elgamal parameter and key generation Elgamal encryption and decryption Discrete Logarithm: Pollard Infeasible problem!! But doable for 7 digit modulus Workshop Elgamal

7 2. Public Key codes The problem of Key Agreement:
A and B are on two sides of a river They want to have common z Oscar is in a boat on the river Oscar must not know z Workshop Elgamal

8 Solution: Diffie-Hellman
Alice takes random a, shouts b = ga Bob takes random k, shouts u = gk Alice computes z = ua = (gk)a Bob computes z = bk = (ga)k The two numbers are the same The difference in complexity for A&B and O is relevant Workshop Elgamal

9 What does Oscar hear? Oscar sees the communication, but not the secrets Seen: Public b = ga Public u = gk Not computable: Secret a, k Common z This needs discrete logarithm Workshop Elgamal

10 The Elgamal program In class use
Program, explanation, slides on website Program extendible Booklet with ideas for experimenting, papers (All in Dutch!) Workshop Elgamal

11 3. Pollard Rho Algorithm Fixed p (modulus), g, q (order of g); G is set of powers of g Discrete Logarithm problem: Given y in G Return x st gx = y Pollard Rho: randomized, √q time Workshop Elgamal

12 Pollard Rho: Representation
Representation of z: z = ya.gb Two representations of same number reveil log y: If ya.gb = yc.gd, then y = g(b-d)/(c-a) Goal: find 2 representations of one number z (value does not matter) Workshop Elgamal

13 Strategy: Birthday Theorem
All values z = ya.gb are in G Birthday Theorem: In a random sequence, we expect a collision after √q steps Simulate effect of random sequence by pseudorandom function: zi+1 = f (zi) (Keep representation of each zi) Workshop Elgamal

14 Cycle detection Detect collision by storing previous values: too expensive Floyd cycle detection method: Develop two sequences: zi and ti Relation: ti = z2i Collision: ti = zi, i.e., zi = z2i In each round, z “moves” one step and t moves two steps. Workshop Elgamal

15 4. Experimentation results
Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger p q x m 1 2 3 4 5 Ave 971 97 8 16 11,2 3989 997 114 10 30 60 15 39 39869 9967 117 53 104,2 1144 192 65 141,2 999611 99961 335 11 6 683 680 340 476 Workshop Elgamal

16 Observations Average number of iterations coincides well with √q
Almost no variation within one row Is this a bug in the program?? Bad randomization in calculator? Or general property of Pollard Rho? Workshop Elgamal

17 5. Function graph Function f: zi -> zi+1 defines graph
Out-degree 1, cycles with in-trees Length, component, size Graph is the same when algorithm is repeated with the same input Starting point differs As zi = z2i, i must be multiple of cycle length Workshop Elgamal

18 Layers in a component Layer of node measure distance to cycle in terms of its length l: Point z in cycle has layer 0 Point z is in layer 1 if f(l)(z) in cycle Point z is in layer c if f(c.l)(z) in cycle Lemma: z0 in layer c gives c.l iter. Is there a dominant component or layer? Workshop Elgamal

19 Layers 0 and 1 dominate Probability theory analysis by Meli Samikin
Lemma: Pr(layer ≤ 1) = ½ Proof: Assume collision after k steps: z0 -> z1 -> … -> … -> zk-1 -> ?? Layer of z0 is 0 if zk = z0, Pr = 1/k Layer of z0 is 1 if zk = zj < k/2, Pr ≈ 1/2 Workshop Elgamal

20 Dominant Component Lemma: Random z0 and w0, Pr(same component) > ½.
Proof: First collision after k steps: z0 -> z1 -> … -> … -> zk-1 -> ?? w0 -> w1 -> … -> … -> wk-1 -> ?? Pr ( z meets other sequence ) = ½. Then, w-sequence may collide into z. Workshop Elgamal

21 Experiments: dominance
Jos Roseboom: count points in layers of each component Plays national korfbal team World Champion 2007, november, Brno. Workshop Elgamal

22 Size of largest component
Workshop Elgamal

23 Conclusions Elgamal + handcalculators = fun
Functional requirements easier to explain than for RSA Security: experiment with DLog Pollard, only randomizes at start Iterations: random variable, but takes only limited values Most often: size of heaviest cycle Workshop Elgamal

24 Rabbit Formula Ontsleutelen is: v delen door ua u(a1+a2) is: ua1.ua2
Deel eerst door ua1 en dan door ua2 Team 1: bereken v’ = Deca1(u, v) Team 2: bereken x = Deca2(u, v’) Workshop Elgamal

25 Overzicht van formules
Constanten: Priemgetal p, grondtal g Sleutelpaar: Secret a en Public b = ga Encryptie: (u, v) = (gk, x.bk) met b Decryptie: x = v/ua met a Prijsvraag: b = b1b2. Ontsleutelen? Workshop Elgamal

Download ppt "Elgamal demonstration project on calculators TI-83+"

Similar presentations

Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Elgamal demonstration project on calculators TI-83+ Gerard Tel Utrecht University With results from Jos Roseboom and Meli Samikin.

Elgamal demonstration project on calculators TI-83+ Gerard Tel Utrecht University With results from Jos Roseboom and Meli Samikin.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz

1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
Lecture 7 Discrete Logarithms

Lecture 7 Discrete Logarithms
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Prelude to Public-Key Cryptography Rocky K. C. Chang, February 2014 1.

Prelude to Public-Key Cryptography Rocky K. C. Chang, February
1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS 4362 - CIS 5357 Network Security.

1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.
Midterm Review Cryptography & Network Security

Midterm Review Cryptography & Network Security
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
General Attacks on Elliptic Curve Based Cryptosystems Merabi Chicvashvili Ron Ryvchin Project Advisor: Barukh Ziv Spring 2014.

General Attacks on Elliptic Curve Based Cryptosystems Merabi Chicvashvili Ron Ryvchin Project Advisor: Barukh Ziv Spring 2014.
Discrete Logarithm(s) (DLs) Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a x ≡ b (mod p) is called the discrete.

Discrete Logarithm(s) (DLs) Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a x ≡ b (mod p) is called the discrete.
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com These slides were prepared by Christof Paar and Jan Pelzl Chapter 8 –

Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 8 –

Similar presentations

Ads by Google