Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Cryptographic Value of the q th Root Problem Cheryl Beaver Peter Gemmell Anna Johnston William Neumann.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "On the Cryptographic Value of the q th Root Problem Cheryl Beaver Peter Gemmell Anna Johnston William Neumann."— Presentation transcript:

1 On the Cryptographic Value of the q th Root Problem Cheryl Beaver Peter Gemmell Anna Johnston William Neumann

2 The Big Picture  Mod N q th roots

3 q th Roots Vs Square Roots q th roots  discrete logs Simple one-way function Functions over a group for which discrete logarithms are difficult. No Trapdoor. 2 ond Roots  Factoring Simple one-way function Functions over a ring for which factoring the groups is difficult. Simple Trapdoor q th Roots Square Roots

4 What is a q th Root? Let G be a finite cyclic group,  an element of G and q a prime integer. The q th root of  is  where:

5 How do you take q th roots? s=0,1 s>1 Compute (q  1 mod r) raise  to that integer. Same as for s=1, then find a discrete log of an element of order q (s-1). Let the order of G be q s r, with GCD(r,q)=1. Find the q th root of .

6 When are q th Roots Hard? qGqG A large prime integer A group whose order is divisible by q 2 CLAIM: Finding q th roots in G is equivalent to the discrete logarithm problem! Note: WLOG -- let the order of G=q 2

7 What are the roots? Let the order of G be q 2,  be a generator of G and  =  qx (0  x<q). The q th roots of  are:

8 Discrete Logs ==> q th Roots Given the ability to find discrete logarithms q th roots can be found  is a generator of G.

9 q th Roots ==> Discrete Logs Using a q th root oracle, devise a fast algorithm for computing discrete logarithms. ORACLE

10 Assumptions about Oracle The function f(x) defines the oracle. Oracle assumptions imply assumptions on f. Assume that the oracle behaves similar to the oracle for a group whose order is qr. cf(x)=f(cx) mod (q)

11 Discrete Logarithm Technique Find the discrete log of  base  (  is a generator) 1.Let  =  t, with t=qt 1 +t 0 2.Find t 0 with Oracle: 3.Find t 1 with Oracle:

12 Oracle Discrete Logarithm If the range of the discrete logarithm is known then the Oracle divides the range by half  =  qx, with 0  x<q/2 k. 2.The bounds on x imply that 0  2 k+1 x<2q. 3.In reduced form modulo q, 2 k+1 x  2 k+1 x  bq (mod q) b  {0,1} 4.Compare  raised to 2 k+1 with M(  ) raised to this power.

13 Function Comparison

14 Putting them together 1.If the result of this equation is the identity, b-=0; otherwise b=1; 2.If b=0, 0  x<q/2 k+1 ; 3.If b=1, q/2 k+1  x<q/2 k+1

15 1.Compute T where  =  qT. 2.Start with 0  x=T)<q/2 0,  =  qx, and set T=0 3.For k=0 to  lg(q) , use the oracle to find out which half of the range x is in. 4.If x is in the upper range (q/2 k+1  x<q/2 k ), then T=T+  q/2 k+1 , 5.The new range for x is 0  x<q/2 k+1. Summary of Discrete Logarithm Technique Find the discrete logarithm of an element  in G.

16 Groups, Subgroups, and Residues |G|=q 2   q  q |G|=qr  q  r   q  r  r  q

17 Public Key Protocols Exponential Knapsack Similar to the Fiat-Shamir signature scheme. ElGamal Style: Similar in some ways to ElGamal, but secret is in the group instead of the exponent.

18 Exponential Knapsack Components Secret Key:{x i }, with i=0,1, …,k  1 Public Key:{y i }, with y i  x i  q Secret 1-time random:r Public 1-time random:t=r q Hash of message|random: U= H(m|t)=  u i 2 i

19 Signature Protocol Signer Verifier S,U,m Verifies if U=U’

20 ElGamal Style Signature Components Secret Key:x Public Key:y, with y  x  q Secret 1-time random:r Public 1-time random:t=r q Hash of message|random:U = H(m|t), 0<U<q

21 Signature Protocol Signer Verifier S,U,m Verifies if U=U’

22 Conclusions In a group whose order is divisible by q 2, the problems of taking discrete logarithms and finding a q th root are equivalent. The q th root problem is a new foundation upon which public key cryptosystems can be built. Discrete logarithm based systems with secrets in the group instead of the exponent.

23 Square Roots Modulo N Equivalent to Factoring 1.Choose random r 2.Take the square root modulo N: r 2  s mod N 3.If the the square root is not r (75% chance), then (r-s)(r+s)=0 mod N 4.With luck GCD(r-s,N) or GCD(r+s,N) will be P and Q (conversely, knowing the factorization enables square roots to be easily found)

24 Why Does this Work? Let the order of G be q s r (s>0) and GCD(r,q)=1; v:v  r -1 mod q  :A generator in G  :an element of G which has a q th root --  =  qx for some integer 0  x<q (s-1) r ;

25 Generalizing for q th roots Let |G|=q s r where s>0 and GCD(r,q)=1. 1.Raise  to the (1+rc)/q, where c=(-r -1 mod q) Þ  x+rcx 2.  rc has order q s. 3.Find x modulo q s-1 by finding the discrete log of  r base  qr. 4. Remove the error term:

26 Square Roots if the Order of G is Known Let  be a generator of G, |G|=2 s r be the order of G, s>0 and r is odd 1.Raise  to the (1+r)/2 ® (  x+rx ) 2.  r has order 2 s. 3.Find x modulo 2 s-1 by finding the discrete log of  r base  2r. 4. Remove the error term: Find the square root of  =  2x

Download ppt "On the Cryptographic Value of the q th Root Problem Cheryl Beaver Peter Gemmell Anna Johnston William Neumann."

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Some Hashing Techniques (used to randomize the relative addresses) 1Prepared by Perla P. Cosme.

Some Hashing Techniques (used to randomize the relative addresses) 1Prepared by Perla P. Cosme.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
Chapter 8 – Introduction to Number Theory Prime Numbers  prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers.

Chapter 8 – Introduction to Number Theory Prime Numbers  prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Chapter 8 – Introduction to Number Theory Prime Numbers

Chapter 8 – Introduction to Number Theory Prime Numbers
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Chapter 8 – Introduction to Number Theory Prime Numbers  prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers.

Chapter 8 – Introduction to Number Theory Prime Numbers  prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers.

Similar presentations

Ads by Google