Public key ciphers 2

Session 6

Contents

• The discrete logarithm problem• The Diffie-Hellman key exchange

2/21

The discrete logarithm problem

• Over the real numbers, exponentiation (finding y=bx ) is not significantly easier than the inverse operation (finding x=logb(y))

• Over GF(pn) the algorithm for modular exponentiation or repeated squaring makes exponentiation easy

• But finding logb(y) is considered to be a difficult problem

3/21

The discrete logarithm problem

• Definition (Discrete logarithm)– If G is a finite group, b is an element of G and y is

an element of G such that y=bx, then the discrete logarithm of y for the base b is any integer x such that bx = y

4/21

The discrete logarithm problem

• Example (1)– Let f(x)=x2-x-1 be an irreducible polynomial over

GF(32)– The elements of the multiplicative group of the

field are the powers of a primitive element (1)0=1011=102=2 mod (2--1)=+1113=2=(+1)=2+=+1+=2+121

5/21

The discrete logarithm problem

• Example (2)– The elements of the multiplicative group of the

field (2)4=3=(2+1)=22+=2(+1)+=2+2+=2025=4=2206=5=2=22=2(+1)=2+2227=6=(2+2)=22+2=2(+1)+2=2+2+2= = +21200 is also an element of the field

6/21

The discrete logarithm problem

• Example (3)– The logarithm

log(02)=log(4)=4

• We do not know a polynomial algorithm for determining the discrete log in a general case (i.e. in any group)

7/21

The discrete logarithm problem

• Known algorithms for solving DLP (1)– Algorithms that work in arbitrary groups• Exhaustive search• Baby-step giant-step algorithm• Etc.

– Algorithms that work in arbitrary groups, but are especially efficient if the order of the group has only small prime factors• Example: the Pohlig-Hellman algorithm

8/21

The discrete logarithm problem

• Known algorithms for solving DLP (2)– The index calculus algorithms, which are efficient

only in certain groups

9/21

The discrete logarithm problem

• Exhaustive search– Requires generating of the whole multiplicative

group of the field– That requires O(q) operations, where q=pn is the

order of the multiplicative group of the field GF(pn)

10/21

The discrete logarithm problem

• The Baby step – giant step algorithm (1)– Input• A generator of a cyclic group G of order n, and an

element G– Output• The discrete logarithm x = log

11/21

The discrete logarithm problem

• The Baby step – giant step algorithm (2)1. Set m= 2. Construct a table with entries (j,j), 0j<m3. Sort the table by its second component4. Compute -m mod n and set =

12/21

n

The discrete logarithm problem

• The Baby step – giant step algorithm (3)5. For 0im-1 do

1. Check if is the second component of some entry in the table

2. If =j then return x=im+j3. Set -m

– The algorithm requires O( ) storage and O( ) group multiplications

13/21

n n

The discrete logarithm problem

• Example: n=113, =3, =57 (1)1. Set m= =112. Construct the table

3. Sort the table by the second component

14/21

113

j 0 1 2 3 4 5 6 7 8 9 10

3j mod 113 1 3 9 27 81 17 51 40 7 21 63

j 0 1 8 2 5 9 3 7 6 10 4

3j mod 113 1 3 7 9 17 21 27 40 51 63 81

The discrete logarithm problem

• Example: n=113, =3, =57 (2)4. Compute -11 mod 113 = (11)-1 (1)• We use the extended Euclidean algorithm (1)

11 mod 113=311 mod 113=76 – We compute (113,76)

113=176+3776=237+237=182+1

– Then1=37-182=37-18(76-237)=37-1876+3637= =3737-1876=37(113-76)-1876=37113-3776-1876= =37113-5576

15/21

The discrete logarithm problem

• Example: n=113, =3, =57 (3)4. Compute -11 mod 113 = (11)-1 (2)• We use the extended Euclidean algorithm (2)

– If we take both sides mod 113 we get» 1-55 76 (mod 113)» Since -5558 (mod 113), (11)-1=58

• We also set ==57

16/21

The discrete logarithm problem

• Example: n=113, =3, =57 (4)5. For i=0 to 10 we try -m until we get a value

from the second row in the table

– We conclude that log357=911+1=100

17/21

i 0 1 2 3 4 5 6 7 8 9

57 29 100 37 112 55 26 39 2 3

The Diffie-Hellman key exchange

• Diffie and Hellman gave the first detailed proposal for the process of agreeing on a key for a classical cryptosystem using a public key system

• The key exchange protocol is based on the assumption that it is computationally infeasible to compute gab knowing only ga and gb when g is some fixed element in GF(pn)

18/21

The Diffie-Hellman key exchange

• The Diffie-Hellman assumption is a priori at least as strong as the assumption that discrete logarithms cannot be feasibly computed in a group

• Let p be a prime and let be a generator

19/21

The Diffie-Hellman key exchange

• Example, p=53, n=1, =2

20/21

The Diffie-Hellman key exchange

• The Diffie-Hellman key exchange algorithm gives protection against passive adversaries, but not against active adversaries capable of intercepting, modifying, or injecting messages

• Neither party has assurance of the source identity of the incoming message or the identity of the party which may know the resulting key

21/21