Embed Size (px)
Citation preview
Discrete Logarithm(s) (DLs)
• Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that ax ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest integer such that an ≡1 (mod p),
i.e., n=ordp(a). By assuming 0≤x<n, we denote x=La(b), and call it the discrete log of b w.r.t. a (mod p)
• Ex: p=11, a=2, b=9, then x=L2(9)=6
Discrete Logarithms
• In the RSA algorithms, the difficulty of factoring a large integer yields good cryptosystems
• In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems
• Given p, a, b, solve ax ≡ b (mod p)
• a is suggested to be a primitive root mod p
One-Way Function
• A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y=f(x).
• La(b) is a one-way function if p is large
Primitive Roots mod 13
• a is a primitive root mod p if {ak | 1 k p-1} = {1,2, …,p-1}≦ ≦♪ 2, 6,7,11 are primitive roots mod 13
• 33 ≡ 1 (mod 13), 46 ≡ 1 (mod 13),• 54 ≡ 1 (mod 13), 84 ≡ 1 (mod 13),• 93 ≡ 1 (mod 13), 106 ≡ 1 (mod 13),• 122 ≡ 1 (mod 13)
Solve ax ≡ b (mod p)
• An exhaustive search for all 0 ≤ x < p
• Check only for even x or odd x according to b(p-1)/2 ≡ (ax)(p-1)/2 ≡(a(p-1)/2)x ≡(-1)x≡ 1 or -1 (mod p), where a is a primitive root
(Ex) p=11, a=2, b=9, since b(p-1)/2 ≡95≡1,
then check for even numbers {0,2,4,6,8,10}
only to find x=6 such that 26 ≡ 9 (mod 11)
Solve ax ≡ b (mod p) by Pohlig-Hellman
Let p-1 = Πqr for all q|(p-1), write b0 =b,and
x=x0 + x1q +x2q2 + … + xr-1qr-1 for 0 ≤ xi ≤ q-1
1. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡b(p-1)/q , then x0 ≡k, next let b1≡b0a-x0
2. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡[b1](p-1)/q^2 , then x
1 ≡k, next let b2≡b1a-x1
3. Repeat steps 1, 2 until xr-1 is found for a q
4. Repeat steps 1~3 for all q’s, then apply Chinese Remainder Theorem to get the final solution
7x ≡12 (mod 41); p=41, a=7, b=12,
• p-1=41-1=40 =23 5• b0 =12• For q=2: b0 =12, b1 =31, b2=31, and
x = x0 +2x1+4x2 ≡1+2·0+4·1≡ 5 (mod 8)• For q=5: b0 =12, b1 =18, and
x = x0 ≡ 3 (mod 5)Solving x ≡ 5 (mod 8) and x≡ 3 (mod 5), We have x≡13 (mod 40)
Solve ax ≡ b (mod p) by Index Calculus
Let B be a bound and let p1,p2,…, pm be the primes less than B and cover all of the prime Factors of p-1. Then appropriately choose
k(j)’s such that ak(j)≡(p1)r1(p2)r2 … (pm)rm , i.e.,
r1*La(p1)+r2*La(p2)+… + rm*La(pm) ≡k(j) for several j’s, solve the linear system to get
La(p1), La(p2), … , La(pm), then select R apply
baR ≡(p1)b1 (p2)b2 … (pm)bm , then the solution is
La(b)≡-R+ΠbiLa(pi)
Solve 2x ≡37 (mod 131)
p=131, a=2, b=37, let B=10, then
p1=2, p2=3, p3=5, p4=7, since28≡53 , 212≡5·7 , 214≡32 , 234≡3·52 (mod p), we have
3L2(5)≡ 8 (mod 130)
L2(5)+ L2(7)≡12 (mod 130)
2L2(3)≡14 (mod 130)
L2(3)+2L2(5)≡34 (mod 130)
L2([3, 5, 7])=[72, 46, 96]
Choose R=43, then
37·243 ≡3·5·7 (mod 131), so we have
L2(37) ≡-43+ L2(3)+ L2(5)+ L2(7)
≡ 41 (mod 130)
♪ L2(11) ≡ 56 (mod 130) [R=4]
♪ L2(23) ≡ 23 (mod 130) [R=5]
A Lemma on p≡3 (mod 4)
Let p≡3 (mod 4), r≥2. Suppose a and g are
nonzero integers such that g≡ay(2^r) (mod p).
Then
g(p+1)/4 ≡ ay[2^(r-1)] (mod p)
[Proof]
g(p+1)/4 ≡ a(p+1)y[2^(r-2)] ≡ay(2^(r-1))[a(p-1)]y(2^(r-2))
≡ ay(2^(r-1)) (mod p)
A La(b) (mod 4) Machine
• Let a be a primitive root (mod p), where
p≡3 (mod 4) is large, then
Computing La(b) (mod 4) is as difficult as finding the solution of ax ≡ b (mod p)
[P.172]
The ElGamal Public Key Cryptosystem
Alice wants to send a message m to Bob.
Bob chooses a large prime p and a primitive
root a. Assume m is an integer 0≤m<p, and
Bob selects a secret integer x to compute
b≡ax (mod p). The information (p,a,b) is
made public and is Bob’s public key. Alice
does the following procedures.
Encryption and Decryption
1. Downloads (p,a,b)
2. Chooses a secret random k and computes r≡ak (mod p)
3. Computes t≡bkm (mod p)
4. Sends the pair (t,r) to Bob
Bob decrypts by computing tr-x (≡m (mod p))
Exercises on Pages 175 and 176
