Discrete Logarithms in Cryptography

Frederik Vercauteren, ESAT/COSIC - K.U. Leuven

ECRYPT Summer School 2008


Outline

Basic Definitions

Algorithms for DLP

Reductions of Hard Problems


Symmetric Key Cryptography

[Figure: symmetric key cryptosystem. Alice encrypts the plaintext 110100011100 into a ciphertext and Bob decrypts it back to the same plaintext; encryption key = decryption key.]


Public Key Cryptography

[Figure: public key cryptosystem. Alice encrypts the plaintext 110100011100 with the public key of Bob, taken from a public list; Bob decrypts the ciphertext with the private key of Bob.]


Factoring and Discrete Logarithm Problem

- Rivest-Shamir-Adleman (1977): RSA based on factoring.
- Main idea: easy to find two large primes $p$ and $q$, but very hard to find $p$ and $q$ from $n = p \cdot q$.
- RSA still most popular public key cryptosystem.
- ElGamal (1984): discrete logarithm problem (DLP).
- Group $G$ is set with operation $\cdot$ and each element has inverse.
- Main idea: very easy to compute $h = g^x$ for given $x$, but very hard to find $x$ given $h$ and $g$.
- Popular choices: finite fields and elliptic curves.


Group

A group $(G, \cdot)$ consists of a set $G$ and an operation $\cdot$, satisfying

1. associative: $a \cdot (b \cdot c) = (a \cdot b) \cdot c$, $\forall a, b, c \in G$
2. identity element: $\exists 1 \in G, \forall a \in G : a \cdot 1 = 1 \cdot a = a$
3. inverse element: $\forall a \in G, \exists a^{-1} \in G : a \cdot a^{-1} = a^{-1} \cdot a = 1$
4. abelian (extra): $\forall a, b \in G : a \cdot b = b \cdot a$

- The order of an element $a$ of a group $(G, \cdot)$ is $n$, iff $n$ is the smallest positive number such that

  $$\underbrace{a \cdot a \cdots a}_{n} = 1$$

- The set $\{a, a^2, \ldots, a^{n-1}, a^n = 1\}$ is called the group generated by $a$ and denoted $\langle a \rangle$.


Finite Fields

- Let $p$ be a prime, then $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ is a finite field with $p$ elements.
- Every non-zero element has inverse for multiplication.
- Thus: $(\mathbb{F}_p^*, \times)$ has $p - 1$ elements.
- Theorem: $(\mathbb{F}_p^*, \times)$ is cyclic, i.e. there exists a generator $\alpha$ such that $\mathbb{F}_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots\}$.
- Extension field $\mathbb{F}_{p^n}$: polynomials over $\mathbb{F}_p$ modulo irreducible polynomial $P(x)$ of degree $n$, i.e. $\mathbb{F}_p[x]/(P(x))$.


Discrete Logarithm Problem

- Let $(G, \cdot)$ be an abelian group.
- Discrete Logarithm Problem: Given $g, h \in G$, find an $x$ (if it exists) such that $g^x = h$.
- The difficulty of this problem depends on the group $G$:
  - Very easy: polynomial time algorithm, e.g. $(\mathbb{Z}_N, +)$
  - Hard: sub-exponential time algorithm, e.g. $(\mathbb{F}_p, \times)$.
  - Very hard: exponential time algorithm, e.g. elliptic curve groups.


Problems Related to DLP

- Given an abelian group $(G, \cdot)$ and $g \in G$ of order $n$.
- Discrete Logarithm Problem (DLP): Given $h \in G$ such that $h = g^x$, find $x$. ($\mathrm{DLP}(g, h) \to x$)
- Computational Diffie-Hellman Problem (CDH): Given $a = g^x$ and $b = g^y$, find $c = g^{xy}$ ($\mathrm{CDH}(g, a, b) \to c$).
- Decisional Diffie-Hellman Problem (DDH): Given $a = g^x$, $b = g^y$ and $c = g^z$, determine if

  $$g^{xy} = g^z \quad\text{or equivalently}\quad xy \equiv z \bmod n$$

  ($\mathrm{DDH}(g, a, b, c) \to$ true/false)


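Diffie-Hellman Key Agreement

Diffie and Hellman (1976): New directions in cryptography

Choose a large prime number $p$ and a generator $\alpha \bmod p$

$$\begin{array}{lcl}
\text{Alice} & & \text{Bob} \\
x_A \in_R [1, p-1],\ \alpha^{x_A} & \xrightarrow{\ \alpha^{x_A}\ } & \\
 & \xleftarrow{\ \alpha^{x_B}\ } & x_B \in_R [1, p-1],\ \alpha^{x_B} \\
K_{BA} = (\alpha^{x_B})^{x_A} & & K_{BA} = (\alpha^{x_A})^{x_B}
\end{array}$$

- Note: all calculations mod $p$
- Security based on Diffie-Hellman problem: given $\alpha^{x_A}$ and $\alpha^{x_B}$ compute $\alpha^{x_A x_B}$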


ElGamal Encryption - Key Generation

ElGamal (1985): A public key cryptosystem and a signature scheme based on discrete logarithms.

Domain Parameter Generation:

- Generate a “large prime” $p$ ($\geq 1024$ bits) such that $p - 1$ is divisible by another “large prime” $q$ ($> 160$ bits).
- Compute a generator $g$ of the multiplicative group of order $q$ in $GF(p)^*$, via (for some random $r$)

  $$g \equiv r^{(p-1)/q} \bmod p$$

  until $g \neq 1$.


ElGamal Encryption - Key Generation

Key Generation:

- Select a random integer $a$, $1 \leq a \leq q - 1$ and compute

  $$h \equiv g^a \bmod p$$

- Public key = $(p, g, h)$ which can be published.
- Private key = $a$ which needs to be kept secret.


ElGamal - Encryption / Decryption

Bob encrypts a message for Alice as follows:

- Obtain Alice’s authentic public key $(p, g, h)$.
- Generate random $k$ ($1 < k < q - 1$) with $\gcd(k, p - 1) = 1$
- $r \equiv g^k \bmod p$ ($k$ and $r$ are ephemeral key pair)
- $s \equiv h^k \cdot m \bmod p$ ($0 \leq m \leq p - 1$)
- Ciphertext: $c = (r, s)$

To recover the message, Alice does the following:

- $m \equiv s \cdot r^{-a} \bmod p$
- Indeed: $r^{-a} \equiv g^{-ka} \equiv h^{-k} \bmod p$


ElGamal Encryption - Example

- Prime $p = 809$, then $809 - 1 = 808$ is divisible by $q = 101$.
- Compute a generator $g = 16$ of subgroup of $GF(p)^*$ of order $q$.
- Alice chooses the private key $a = 68$ and computes

  $$g^a \bmod p \equiv 16^{68} \bmod p \equiv 46.$$

- Alice’s public key then is $(p = 809, g = 16, h = 46)$, which can be published.
- Alice’s private key is $a = 68$ which she keeps secret.


ElGamal Encryption - Example

- To encrypt the message $m = 100$, Bob selects a random integer $k = 89$ and computes

  $$r = g^k = 342 \quad\text{and}\quad s = m \cdot h^k = 745.$$

- Bob then sends the ciphertext $(r, s)$ to Alice.
- To decrypt, Alice first computes

  $$r^{-a} \bmod p \equiv 342^{33} \bmod 809 \equiv 49 \bmod 809,$$

  and recovers $m$ by computing

  $$m \equiv 745 \cdot 49 \bmod 809 \equiv 100 \bmod 809.$$
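The domain parameter, key generation, encryption and decryption steps from the ElGamal slides, replayed on the worked example above, as an added Python example that is not part of the original slides. The function names and the subgroup check on r in `decrypt` are assumptions of this example; p and q are assumed prime and are not tested.

```python
import math
import secrets


def validate_domain(p, q, g):
    """Check the slide's domain conditions (primality of p and q is assumed, not tested)."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    if g % p in (0, 1) or pow(g, q, p) != 1:
        raise ValueError("g must be an element of order q in GF(p)*")


def find_generator(p, q):
    """g = r^((p-1)/q) mod p for random r, repeated until g != 1."""
    while True:
        r = secrets.randbelow(p - 3) + 2              # r in [2, p-2]
        g = pow(r, (p - 1) // q, p)
        if g != 1:
            return g


def keygen(p, q, g, a=None):
    """Return (public key (p, g, h), private key a). Pass a only to replay a worked example."""
    validate_domain(p, q, g)
    if a is None:
        a = secrets.randbelow(q - 1) + 1              # 1 <= a <= q-1
    return (p, g, pow(g, a, p)), a


def pick_ephemeral(p, q):
    """Random k with 1 < k < q-1 and gcd(k, p-1) = 1, as stated on the slide."""
    while True:
        k = secrets.randbelow(q - 3) + 2              # 2 <= k <= q-2
        if math.gcd(k, p - 1) == 1:
            return k


def encrypt(pub, q, m, k=None):
    """Return the ciphertext (r, s). A fresh k is drawn unless one is supplied for replay."""
    p, g, h = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message out of range")
    if k is None:
        k = pick_ephemeral(p, q)
    return pow(g, k, p), pow(h, k, p) * m % p


def decrypt(p, q, a, ciphertext):
    """m = s * r^(-a) mod p. Since r has order q, r^(-a) = r^(q-a)."""
    r, s = ciphertext
    # Added check, not on the slides: reject r outside the order-q subgroup.
    if not 0 < r < p or pow(r, q, p) != 1:
        raise ValueError("r is not in the subgroup of order q")
    return s * pow(r, q - a, p) % p


def slide_example():
    """Replay the worked example: p=809, q=101, g=16, a=68, m=100, k=89."""
    pub, a = keygen(809, 101, 16, a=68)
    c = encrypt(pub, 101, 100, k=89)
    return pub, c, decrypt(809, 101, a, c)
```

The exponent 33 on the slide is $q - a = 101 - 68$, which is what `decrypt` uses in place of a modular inversion.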


Pohlig and Hellman Reduction

- Let $(G, +)$ be a group of order $n = \prod_{i=1}^{k} p_i^{e_i}$ and let $Q = xP$
- Assume prime $p \mid n$ and let $t = n/p$, then

  $$Q' = tQ = txP = x(tP) = xP' = x_0 P'$$

- Note $P', Q'$ are in subgroup of order $p$, thus $x_0 \equiv x \bmod p$
- Find $x \bmod p$ and recover $x \bmod p_1 \cdots p_k$ using CRT
- Exercise: algorithm to compute $x \bmod p^e$ with $e > 1$
- Hint: write $x \bmod p^e = x_0 + x_1 p + \cdots + x_{e-1} p^{e-1}$
- Conclusion: order of $G$ should contain large prime factor


Baby-step Giant-step Algorithm

- Assume $P$ has order $n$, let $m = \lceil \sqrt{n} \rceil$ and write

  $$x = x_0 + m x_1$$

  with $0 \leq x_0, x_1 < m$.
- Compute baby steps: $b_i = iP$ for $i = 0, \ldots, m - 1$
- Store them in table and sort them
- Compute giant steps: $g_j = jmP$ for $j = 0, \ldots, m - 1$
- For each $j$ check if $Q - g_j$ is in table.
- If match $b_i = Q - g_j$ found, then return $i + mj$.
- Storage: $O(m)$ and time $O(q/m)$.
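The Pohlig-Hellman reduction and the baby-step giant-step search from the two slides above, combined in one added Python example that is not part of the original slides. It is written multiplicatively in $GF(p)^*$, handles prime powers with the digit expansion from the hint, and uses a hash table instead of a sorted table; the function names and the constructed test prime 8101 (with $8100 = 2^2 \cdot 3^4 \cdot 5^2$) are assumptions of this example.

```python
from math import isqrt


def bsgs(g, h, n, p):
    """Baby-step giant-step in GF(p)*: x in [0, n) with g^x = h, where g has order n.
    Returns None when h is not a power of g."""
    m = isqrt(n - 1) + 1                      # m = ceil(sqrt(n))
    table, b = {}, 1
    for i in range(m):                        # baby steps b_i = g^i
        table.setdefault(b, i)
        b = b * g % p
    giant = pow(g, -m, p)                     # multiplying by g^(-m) plays the role of Q - g_j
    y = h % p
    for j in range(m):                        # giant steps
        if y in table:
            return table[y] + m * j
        y = y * giant % p
    return None


def factorize(n):
    """Trial division, adequate for the toy group orders used here."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def dlog_prime_power(g, h, n, q, e, p):
    """x mod q^e, one base-q digit at a time: x = x0 + x1*q + ... + x_{e-1}*q^(e-1)."""
    gamma = pow(g, n // q, p)                 # element of order q
    x = 0
    for k in range(e):
        # Remove the digits already known, then project into the order-q subgroup.
        hk = pow(h * pow(g, -x, p) % p, n // q ** (k + 1), p)
        digit = bsgs(gamma, hk, q, p)
        if digit is None:
            return None
        x += digit * q ** k
    return x


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x


def pohlig_hellman(g, h, n, p):
    """x in [0, n) with g^x = h (mod p), g of order n; None if h is not in <g>."""
    residues, moduli = [], []
    for q, e in factorize(n).items():
        r = dlog_prime_power(g, h, n, q, e, p)
        if r is None:
            return None
        residues.append(r)
        moduli.append(q ** e)
    x = crt(residues, moduli)
    return x if pow(g, x, p) == h % p else None


def primitive_root(p):
    """Smallest generator of GF(p)* for prime p (used to build the constructed test case)."""
    prime_factors = factorize(p - 1)
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors))
```

Each call to `bsgs` only searches a subgroup of prime order $q$, so the total work is governed by the largest prime factor of the group order, which is the slide's conclusion.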


Pollard Rho Algorithm: General Case

- Let $S$ be a set $|S| = n$ and $f : S \to S$ random mapping
- Starting with random value $r_0 \in S$, compute

  $$r_{i+1} = f(r_i) \quad\text{for } i \geq 0$$

- Sequence $r_0, r_1, r_2, \ldots$ is deterministic random walk
- Since $S$ is finite we must eventually obtain

  $$r_i = r_j \Rightarrow r_{i+1} = f(r_i) = f(r_j) = r_{j+1}$$

- Sequence $r_0, r_1, r_2, \ldots$ becomes cyclic
- Picture of sequence looks like the Greek letter rho $\rho$


Pollard Rho Algorithm: General Case

- The rho-shape has an initial tail and cyclic part
- Expected length of both tail and cyclic part is $\sqrt{\pi n/8}$
- Using this in naive way also requires $O(\sqrt{n})$ memory
- Main problem in Baby-step Giant-step algorithm
- Use Floyd’s cycle finding algorithm (theory) or distinguished points (practice)


Pollard Rho: Discrete Logarithms

- Let $G$ denote a group of order $n$ and let $Q = xP$
- Partition $G$ into three sets $S_1, S_2, S_3$ ($O \notin S_2$)
- Define the following random walk

  $$R_{i+1} = f(R_i) = \begin{cases} Q + R_i & R_i \in S_1, \\ 2R_i & R_i \in S_2, \\ P + R_i & R_i \in S_3. \end{cases}$$


Pollard Rho: Discrete Logarithms

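Let $R_i = a_i P + b_i Q$, then

$$a_{i+1} = \begin{cases} a_i & R_i \in S_1, \\ 2a_i \pmod{n} & R_i \in S_2, \\ a_i + 1 \pmod{n} & R_i \in S_3, \end{cases}$$

and

$$b_{i+1} = \begin{cases} b_i + 1 \pmod{n} & R_i \in S_1, \\ 2b_i \pmod{n} & R_i \in S_2, \\ b_i & R_i \in S_3. \end{cases}$$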


Pollard Rho: Discrete Logarithms

- Start with the triple

  $$(R_0, a_0, b_0) = (O, 0, 0)$$

- Then we have, for all $i$,

  $$\log_P(R_i) = a_i + b_i \log_P(Q) = a_i + b_i x.$$

- Collision $R_i = R_j$, then $a_i + b_i x \equiv a_j + b_j x \bmod n$

  $$x \equiv \frac{a_i - a_j}{b_j - b_i} \bmod n$$


Parallel Pollard Rho (van Oorschot and Wiener)

- With $m$ processors, $m$ pseudo-random walks starting at

  $$R_0^{(i)} = a_i P + b_i Q$$

- Each processor needs to compute $O(\sqrt{\pi n/2}/m)$ iterations
- Naive idea: central server stores all $O(\sqrt{\pi n/2})$ points
- Define distinguished points $S_D \subset G$ and $\theta = |S_D|/|G|$
- Processors only send distinguished points to central server

  $$O\left(\frac{\sqrt{\pi n/2}}{m} + \frac{1}{\theta}\right) \text{ time} \qquad O\left(\theta \sqrt{\pi n/2}\right) \text{ space}$$


Floyd’s Cycle Finding Algorithm

- Given $(x_1, x_2)$, compute $(x_2, x_4)$, then $(x_3, x_6)$ and so on ...
- Given the pair $(x_i, x_{2i})$ we compute

  $$(x_{i+1}, x_{2i+2}) = (f(x_i), f(f(x_{2i})))$$

- We stop when we find $x_m = x_{2m}$
- Exercise: prove that if tail has length $\lambda$ and cycle length $\mu$

  $$m = \mu \cdot \left\lceil \frac{\lambda}{\mu} \right\rceil$$

- Since $\lambda \leq m \leq \lambda + \mu$ we see that $m = O(\sqrt{n})$
- Detect a collision with $O(1)$ storage
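The three-set random walk, the $(a_i, b_i)$ bookkeeping and Floyd's cycle finding from the Pollard rho slides, put together as an added Python example that is not part of the original slides. It is written multiplicatively in a prime-order subgroup of $GF(p)^*$; the partition by $R \bmod 3$, the function names and the restart from a random point after a useless collision are assumptions of this example.

```python
import secrets


def walk(R, a, b, P, Q, n, p):
    """One step R -> f(R) of the slide's walk, written multiplicatively, keeping
    the invariant R = P^a * Q^b. The partition by R mod 3 is an assumption."""
    cls = R % 3
    if cls == 1:                                   # S1: R <- Q*R  (holds the identity 1)
        return R * Q % p, a, (b + 1) % n
    if cls == 0:                                   # S2: R <- R^2  (identity excluded)
        return R * R % p, 2 * a % n, 2 * b % n
    return R * P % p, (a + 1) % n, b               # S3: R <- P*R


def pollard_rho_dlog(P, Q, n, p, max_tries=64):
    """Find x with P^x = Q (mod p), P of prime order n, using O(1) storage.
    Returns None if no logarithm is found within max_tries walks."""
    for attempt in range(max_tries):
        # First try the slide's start (identity, 0, 0); afterwards a random start.
        if attempt == 0:
            a0, b0 = 0, 0
        else:
            a0, b0 = secrets.randbelow(n), secrets.randbelow(n)
        start = (pow(P, a0, p) * pow(Q, b0, p) % p, a0, b0)
        tortoise = hare = start
        while True:                                # Floyd: compare x_i with x_2i
            tortoise = walk(*tortoise, P, Q, n, p)
            hare = walk(*walk(*hare, P, Q, n, p), P, Q, n, p)
            if tortoise[0] == hare[0]:
                break
        (_, ai, bi), (_, aj, bj) = tortoise, hare
        denom = (bj - bi) % n
        if denom == 0:                             # collision carries no information
            continue
        x = (ai - aj) * pow(denom, -1, n) % n      # x = (a_i - a_j) / (b_j - b_i) mod n
        if pow(P, x, p) == Q % p:
            return x
    return None
```

On the ElGamal example from the earlier slides ($P = 16$, $Q = 46$, $n = 101$, $p = 809$) the walk from the identity has a tail of length 8 and a cycle of length 4, so Floyd stops at $m = 8$ and the collision gives $x = 68$.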


Black Box Groups: Lower Bound on DLP

- Group $G$ represented by set of strings $S = \{\sigma(g) \mid g \in G\}$
- Equality test simply string comparison
- Oracles to compute group operation $+$ and $-$

  $$A(\sigma(x), \sigma(y)) = \sigma(x + y) \quad\text{and}\quad S(\sigma(x), \sigma(y)) = \sigma(x - y)$$

- Shoup: algorithm that makes $m$ oracle queries and has input $(\sigma, \sigma(1), \sigma(x))$ will return $x$ with probability at most $O(m^2/p)$, with $p$ largest prime factor of $|G|$.
- Implies that generic algorithm needs $\sqrt{p}$ group ops.


Index Calculus: General Setting

- $G$ cyclic group of order $n$, i.e. $G = \langle g \rangle$ and let $h = g^x$
- Choose a subset $S = \{s_1, \ldots, s_t\} \subset G$ called factor base
- $S$ chosen s.t. almost all elements in $G$ can be expressed efficiently as product of elements from $S$
- Compute $\log_g(s_i)$ for $i = 1, \ldots, t$ by collecting relations
- Find the DLOG of individual elements using database
- Gives sub-exponential algorithm $L_n(1/2, c)$ or $L_n(1/3, c)$ with

  $$L_n[a, b] = O\left(e^{(b + O(1)) (\log n)^a (\log \log n)^{1-a}}\right)$$


Index Calculus: Algorithm - Phase 1

1. Select random integer $0 \leq k < n$ and compute $\alpha_k = g^k$
2. Try to decompose $\alpha_k$ over the factor base $S$

   $$\alpha_k = g^k = \prod_{i=1}^{t} s_i^{c_i}, \quad c_i \geq 0$$

3. If $\alpha_k$ factors over $S$, then take DLOG and obtain

   $$k \equiv \sum_{i=1}^{t} c_i \log_g s_i \pmod{n} \qquad (\star)$$

4. Repeat until $t + \varepsilon$ relations found
5. Solve linear system $(\star)$ mod $n$ to obtain $\log_g s_i$, $1 \leq i \leq t$


Index Calculus: Algorithm - Phase 2

1. Select random integer $0 \leq k < n$ and compute $\beta_k = h \cdot g^k$
2. Try to decompose $\beta_k$ over the factor base $S$

   $$\beta_k = h g^k = \prod_{i=1}^{t} s_i^{d_i}, \quad d_i \geq 0$$

3. Repeat until $\beta_k$ decomposes over $S$
4. By taking DLOGs of both sides, obtain

   $$x \equiv \sum_{i=1}^{t} d_i \log_g s_i - k$$


Index Calculus in Fp

- Represent $\mathbb{F}_p$ as $\{0, \ldots, p - 1\}$ and embed $\mathbb{F}_p$ in $\mathbb{Z}$
- Factor base $S$ consists of first $t$ primes $p_i$, $0 < i \leq t$
- $z \in \mathbb{Z}$ is $B$-smooth if all prime factors of $z$ are less than $B$
- Element $z \in \mathbb{F}_p$ decomposes over $S$ iff $z$ is $p_t$-smooth
- Relation collection: try to factor $\alpha_k = g^k \pmod{p}$ for random exponents $k$
- Problem 1: $\alpha_k$ is the same size as $p$
- Problem 2: not possible to use a sieve
- More complicated methods exist to generate relations ...


Exponential vs. Sub-exponential: Security

[Figure: key lengths in bits for equivalent cryptographic strength. Horizontal axis: key length of conventional systems (RSA and DSA), 0 to 10000; vertical axis: key length of elliptic curve system, 0 to 500; curves: ECDSA, RSA & DSA.]


Reductions

- Let $A$ and $B$ be two computational problems. Then $A$ is said to polytime reduce to $B$, written $A \leq_P B$ if
  - There is an algorithm which solves $A$ using an algorithm which solves $B$.
  - This algorithm runs in polynomial time if the algorithm for $B$ does.
- Assume we have an oracle (or efficient algorithm) to solve problem $B$.
- We then use this oracle to give an efficient algorithm for problem $A$.


Reductions: CDH ≤P DLP

Here we show how to reduce CDH to DLP, i.e. we give an efficient algorithm for solving the CDH given an oracle for the DLP.

- Given $g^x$ and $g^y$ we wish to find $g^{xy}$.
- First compute $y = \mathrm{DLP}(g, g^y)$ using the oracle.
- Then compute $(g^x)^y = g^{xy}$.
- So CDH is no harder than DLP, i.e. CDH $\leq_P$ DLP.


Reductions: DDH ≤P CDH

Here we show how to reduce DDH to CDH, i.e. we give an efficient algorithm to solve the DDH given an oracle for the CDH.

- Given elements $g^x$, $g^y$ and $g^z$, determine if $z \equiv x \cdot y \bmod n$.
- Using the oracle to solve CDH, compute

  $$g^{xy} = \mathrm{CDH}(g, g^x, g^y).$$

- Then check whether $g^{xy} = g^z$.
- So DDH is no harder than CDH, i.e. DDH $\leq_P$ CDH.


Inverse Diffie-Hellman Problem

- I-DHP: given $g, g^x$ compute $g^{x^{-1}}$, where $x^{-1}$ is computed modulo the order of $g$.
- I-DHP $\leq_P$ DHP with one DH call:
  - Let $h = g^x$, then $g = h^{x^{-1}}$, so

    $$\mathrm{DHP}(h, g, g) = h^{x^{-1} \cdot x^{-1}} = g^{x^{-1}}$$

- I-DHP $\leq_P$ DHP with $\log_2 n$ DH-calls:
  - Recall: $x^{-1} \equiv x^{\varphi(n) - 1} \bmod n$
  - Use DH-oracle and square and multiply
  - $\mathrm{CDH}(g, g^x, g^x) = g^{x^2}$ and $\mathrm{CDH}(g, g^{x^s}, g^{x^t}) = g^{x^{s+t}}$
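The DDH $\leq_P$ CDH reduction and both I-DHP reductions from the slides above, run against a counting oracle, as an added Python example that is not part of the original slides. `ToyCDHOracle` and the function names are hypothetical; the oracle is a stand-in that brute-forces an exponent in the toy subgroup of order 101 in $GF(809)^*$ from the ElGamal example, and $n$ is assumed prime so that $\varphi(n) = n - 1$.

```python
class ToyCDHOracle:
    """Stand-in CDH oracle for a subgroup of order n in GF(p)*. It brute-forces an
    exponent internally, which only works because the group is tiny; the
    reductions below treat it as a black box and only count the calls."""

    def __init__(self, p, n):
        self.p, self.n, self.calls = p, n, 0

    def __call__(self, g, A, B):
        """Return g^(xy) given A = g^x and B = g^y."""
        self.calls += 1
        y, t = 0, 1
        while t != B:                      # exhaustive search for y with g^y = B
            t, y = t * g % self.p, y + 1
            if y >= self.n:
                raise ValueError("B is not a power of g")
        return pow(A, y, self.p)


def ddh_via_cdh(cdh, g, A, B, C):
    """DDH <=_P CDH: one oracle call, then an equality test."""
    return cdh(g, A, B) == C


def inverse_dh_one_call(cdh, g, h):
    """I-DHP with one call: with base h = g^x we have g = h^(x^-1), so
    DHP(h, g, g) = h^(x^-1 * x^-1) = g^(x^-1)."""
    return cdh(h, g, g)


def inverse_dh_square_multiply(cdh, g, h, phi_n):
    """I-DHP via x^-1 = x^(phi(n)-1) mod n, with square-and-multiply carried out
    in the exponent: CDH(g, g^(x^s), g^(x^t)) = g^(x^(s+t))."""
    e = phi_n - 1
    result, base = g, h                    # g = g^(x^0), h = g^(x^1)
    while e:
        if e & 1:
            result = cdh(g, result, base)  # multiply the implicit values x^s * x^t
        e >>= 1
        if e:
            base = cdh(g, base, base)      # square the implicit value
    return result
```

For $n = 101$ the exponent is $\varphi(n) - 1 = 99$, which costs 4 multiplications and 6 squarings, so 10 oracle calls against 1 for the change-of-base trick.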


Reductions: DLP ≤P CDH

- Assume for simplicity that $n = q$ a prime.
- Implicit representations (i.e. computing in exponent):

  $$\begin{array}{ll}
  \text{Explicit} & \text{Implicit} \\
  x & g^x \\
  y & g^y \\
  x + y \bmod q & g^x \cdot g^y \\
  x \cdot y \bmod q & \mathrm{CDH}(g, g^x, g^y)
  \end{array}$$

- CDH-oracle enables us to compute implicitly over $(\mathbb{F}_q, +, \cdot)$ or a strongly algebraic group $H$ defined over $\mathbb{F}_q$.


Reductions: DLP ≤P CDH

- If DLP in $(\mathbb{F}_q, \cdot)$ or $H/\mathbb{F}_q$ is easy, we could try to compute $x$ by computing DLPs in implicit representation.
- Since $x$ is determined modulo $q$, we can write

  $$x \equiv \alpha^s \bmod q$$

  for $\alpha$ a generator modulo $q$. Goal: compute $s$ instead of $x$.
- den Boer: DLP in $\mathbb{F}_q$ is easy when $q - 1$ is smooth, so compute $s$ using implicit computations

  $$g^x = g^{\alpha^s}$$

- Limitation: only applies to groups $G$ such that $\varphi(|G|)$ is smooth, e.g. if $|G| = q$, then $q - 1$ has to be smooth.


Reductions: DLP ≤P CDH

- den Boer: DH-oracle combined with easy DLP in $(\mathbb{F}_q, \cdot)$
- Limitation: only one choice $\mathbb{F}_q$ for each $q$.
- Maurer-Wolf: DH-oracle combined with other auxiliary groups over $\mathbb{F}_q$, e.g. elliptic curves $E/\mathbb{F}_q$.
- Advantage: for each $q$, all integers in the interval

  $$[q - 2\sqrt{q} + 1,\ q + 2\sqrt{q} + 1]$$

  occur as group order of elliptic curve $E/\mathbb{F}_q$.
- Much more likely to find smooth one!


Reductions: DLP ≤P CDH

- Let $G$ be finite cyclic group with $|G| = p$
- Given elliptic curve $E(\mathbb{F}_p)$ with $B$-smooth $\#E(\mathbb{F}_p)$, i.e. all prime factors $q_i \mid \#E(\mathbb{F}_p)$ are $q_i < B$.
- Given a DH oracle for $G$, then
- Can compute DLP in $G$ in time

  $$\sqrt{B}\, (\log p)^{O(1)}$$

- In many cases: DLP $=_P$ CDH, but exist examples where DDH $<_P$ CDH.


References

- Nigel Smart’s book (chapter 12): http://www.cs.bris.ac.uk/~nigel/Crypto_Book
- Optional: Maurer and Wolf, The Diffie-Hellman Protocol: ftp://ftp.inf.ethz.ch/pub/crypto/publications/MauWol00c.pdf
