Research on the Discrete Logarithm Problem
Wang Ping Meng Xuemei
2003. 05. 18
Content
Introduction
Mathematical Background
Definition of DLP
Methods Used Today to Compute DL
Future Work
Question & Answer
Introduction
DLP is the underlying one-way function for:
Diffie-Hellman key exchange.
DSA (digital signature algorithm).
ElGamal encryption/digital signature scheme.
Elliptic curve cryptosystems.
……
DLP is based on finite groups.
Mathematical Background
Groups Definition: A group is a set G of elements together with a binary operation “•” such that:
For all a, b ∈ G, a • b = c ∈ G → (closure).
For all a, b, c ∈ G, (a • b) • c = a • (b • c) → (associativity).
There exists an identity element e ∈ G such that e • a = a • e = a for all a ∈ G → (identity).
For all a ∈ G, there exists an inverse element a^-1 ∈ G such that a • a^-1 = a^-1 • a = e → (inverse).
Inverses Definition: Let a be an integer. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m, and write b = a^-1 (mod m).
Theorem: a has an inverse mod m iff gcd(a, m) = 1.
Zp*: The set of all the invertible integers mod p:
Zp* = {i ∈ Zp | gcd(i, p) = 1}
Theorem: Zp* forms a group under multiplication modulo p. The identity element is e = 1.
Example Z9* = {1, 2, 4, 5, 7, 8}
Multiplication Table (* mod 9):
* mod 9 | 1 2 4 5 7 8
      1 | 1 2 4 5 7 8
      2 | 2 4 8 1 5 7
      4 | 4 8 7 2 1 5
      5 | 5 1 2 7 8 4
      7 | 7 5 1 8 4 2
      8 | 8 7 5 4 2 1
Note: From the above Multiplication Table, we can see (Z9*, * mod 9) is a group.
Example (cont.) Group: G = (Z9*, * mod 9)
Find the inverse of 7 in the group (Z9*, * mod 9) through the Extended Euclidean Algorithm:
9 = 1 * 7 + 2 → 2 = 9 − 7
7 = 3 * 2 + 1 → 1 = 7 − 3 * 2 = 7 − 3 * (9 − 7) = 4 * 7 − 3 * 9
2 = 2 * 1 + 0
So we have: 1 = 4 * 7 − 3 * 9 → 4 * 7 mod 9 = 1, so 4 is the inverse of 7 mod 9.
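The set Zm* and the Extended Euclidean inverse of the last three slides, as an added Python example (not code from the slides); extended_gcd is the iterative form of the back-substitution shown above, and all function names are this example's own.

```python
# Added example (not from the slides): Z_m*, its Cayley table, and a^-1 mod m
# via the Extended Euclidean Algorithm, checked on the slides' Z9* values.
from math import gcd


def units_mod(m):
    """Return Z_m* = {i in Z_m | gcd(i, m) = 1} as a sorted list."""
    return [i for i in range(1, m) if gcd(i, m) == 1]


def multiplication_table(m):
    """Cayley table of (Z_m*, * mod m) as a dict {(a, b): a*b mod m}."""
    units = units_mod(m)
    return {(a, b): (a * b) % m for a in units for b in units}


def extended_gcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b).

    Iterative form of the slide's back-substitution:
    1 = 7 - 3*2 = 4*7 - 3*9 for a = 7, b = 9.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, m):
    """Return a^-1 mod m, or raise ValueError when gcd(a, m) != 1."""
    g, s, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return s % m


if __name__ == "__main__":
    print(units_mod(9))          # [1, 2, 4, 5, 7, 8]
    print(extended_gcd(7, 9))    # (1, 4, -3): 4*7 - 3*9 = 1
    print(mod_inverse(7, 9))     # 4
```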
Finite Groups Definition: A group (G, •) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
Definition: The order of an element a ∈ G is the smallest positive integer n such that a • a • … • a (n times) = a^n = e.
Definition: A group G which contains elements α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.
Example Finite group: G = (Z11*, * mod 11). Find the order of a = 3:
a^1 = 3
a^2 = 3^2 = 9
a^3 = 3^3 = 27 = 5 (mod 11)
a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4 (mod 11)
a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1 (mod 11)
So ord(3) = 5
Example (cont.) Finite group: G = (Z11*, * mod 11). Proof: α = 2 is a generator of G.
|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
α^1 = 2
α^2 = 2^2 = 4
α^3 = 2^3 = 8
α^4 = 2^4 = 16 = 5 (mod 11)
α^5 = 2^5 = 10
α^6 = 2^6 = 20 = 9 (mod 11)
α^7 = 2^7 = 18 = 7 (mod 11)
α^8 = 2^8 = 14 = 3 (mod 11)
α^9 = 2^9 = 6
α^10 = 2^10 = 12 = 1 (mod 11)
α^11 = 2^11 = 2 = α
Example (cont.) Finite group: G = (Z11*, * mod 11). So we have: ord(α = 2) = 10 = |G| → (1) G is cyclic; (2) α = 2 is a generator of G.
Note: 2^i, i = 1, 2, …, 10 generates all elements of G:
i   | 1 2 3 4  5 6 7 8 9 10
2^i | 2 4 8 5 10 9 7 3 6  1
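The order and generator computations of the last three slides in Python, as an added example that is not code from the slides. element_order uses the fact that ord(a) divides |G| = p − 1 instead of the slide's repeated multiplication, so it also works for large p; prime_factors, element_order, is_generator and powers_table are this example's own names.

```python
# Added example (not from the slides): order of an element and generator
# test in (Z_p*, * mod p), checked against the slides' Z11* values.

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small n)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def element_order(a, p):
    """ord(a) in Z_p*: the smallest k > 0 with a^k = 1 (mod p).

    ord(a) divides |G| = p - 1, so start from k = p - 1 and strip every
    prime q as long as a^(k/q) is still 1; what remains is the order.
    """
    k = p - 1
    for q in prime_factors(p - 1):
        while k % q == 0 and pow(a, k // q, p) == 1:
            k //= q
    return k


def is_generator(a, p):
    """a generates Z_p* exactly when ord(a) = |G| = p - 1."""
    return element_order(a, p) == p - 1


def powers_table(a, p):
    """{i: a^i mod p} for i = 1 .. p-1, the table shown on the slide."""
    return {i: pow(a, i, p) for i in range(1, p)}


if __name__ == "__main__":
    print(element_order(3, 11))   # 5
    print(element_order(2, 11))   # 10, so 2 is a generator
    print(powers_table(2, 11))
```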
Definition of DLP
The discrete logarithm problem (DLP) Definition: Given a prime p, a generator α of Zp*, and an element β ∈ Zp*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x = β (mod p).
The generalized discrete logarithm problem (GDLP) Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.
Example G = (Z11, + mod 11)
We have:
i  | 1 2 3 4  5 6 7 8 9 10 11
2i | 2 4 6 8 10 1 3 5 7  9  0
So α = 2 is a generator of G.
Let i = 7, β = 7 * 2 = 14 = 3 mod 11. Question: given α = 2, β = 3 = i * 2 mod 11, find i. Answer: i = 2^-1 * 3 mod 11.
Note: 2^-1 = 6 can be computed by the Extended Euclidean Algorithm (so i = 6 * 3 = 18 = 7 mod 11); thus this example is NOT a one-way function.
Example G = (Z11*, * mod 11), α = 2 is a generator of G
Let i = 8, β = 2^8 = 256 = 3 mod 11
Question: given α = 2, β = 3 = 2^i, find i
i = log_2 3 = log_2 2^i = ?
Note: No efficient algorithm is known to find i; it is a very hard computational problem! Thus this example is a one-way function.
Methods Used Today to Compute DL
Baby-step giant-step Algorithm
Algorithm Baby-step giant-step algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Set m := ⌈√n⌉.
Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
Compute α^-m and set γ := β.
For i from 0 to m−1 do the following:
1. Check if γ is the second component of some entry in the table.
2. If γ = α^j then return (x = im + j).
3. Set γ := γ α^-m.
Baby-step giant-step Algorithm Example
INPUT: a generator α = 2 of G = (Z11*, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: x = log_α β = log_2 3.
Set m := ⌈√n⌉ = ⌈√10⌉ = 4. Construct a table with entries (j, α^j) for 0 ≤ j < 4. Sort this table by second component.
j          | 0 1 2 3
2^j mod 11 | 1 2 4 8
By the Extended Euclidean Algorithm, α^-1 = 2^-1 mod 11 = 6, so α^-m = 2^-4 mod 11 = 6^4 mod 11 = 9.
Set γ := β = 3.
Baby-step giant-step Algorithm Example (cont.)
For i from 0 to 3, we have the following table:
i                  | 0 1 2 3
γ = 3 * 9^i mod 11 | 3 5 1
Because 3 * 9^2 mod 11 = 1 = α^0 (i = 2, j = 0), we have: x = im + j = 2 * 4 + 0 = 8.
Baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
Complexity: O(√|G|) steps
Minimum security requirement: |G| ≥ 2^160
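The baby-step giant-step computation above in Python, as an added example that is not code from the slides. bsgs is this example's own name; it takes the generator α, β, the modulus p and the order n, and a dict stands in for the slide's sorted table.

```python
# Added example (not from the slides): baby-step giant-step for
# x = log_alpha(beta) in (Z_p*, * mod p), run on the slide's instance
# alpha = 2, beta = 3, p = 11, n = 10 (expected x = 8).
from math import isqrt


def bsgs(alpha, beta, p, n):
    """Return x in [0, n) with alpha^x = beta (mod p), alpha of order n,
    or None if beta is not in the subgroup generated by alpha."""
    beta %= p
    m = isqrt(n - 1) + 1                 # m = ceil(sqrt(n)), so m*m >= n
    # Baby steps: (alpha^j -> j) for 0 <= j < m. A hash table replaces the
    # slide's sorted list; each lookup is O(1) instead of a binary search.
    baby = {}
    aj = 1
    for j in range(m):
        baby.setdefault(aj, j)           # keep the smallest j if a power repeats
        aj = aj * alpha % p
    # Giant steps: gamma = beta * alpha^(-m*i); a hit gamma = alpha^j means
    # beta = alpha^(i*m + j).
    alpha_inv_m = pow(alpha, -m, p)      # alpha^-m (Python 3.8+ modular inverse)
    gamma = beta
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * alpha_inv_m % p
    return None


if __name__ == "__main__":
    print(bsgs(2, 3, 11, 10))            # 8
```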
Pollard’s rho Algorithm
Algorithm Pollard’s rho algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Set x_0 := 1, a_0 := 0, b_0 := 0. (Throughout, x_i = α^(a_i) β^(b_i); each step maps x to βx, x^2 or αx depending on which of three fixed subsets of G contains x, and a, b are updated accordingly.)
For i = 1, 2, … do the following:
1. Using the quantities x_(i−1), a_(i−1), b_(i−1), and x_(2i−2), a_(2i−2), b_(2i−2) computed previously, compute x_i, a_i, b_i, and x_(2i), a_(2i), b_(2i).
2. If x_i = x_(2i), then do the following:
Set r := b_i − b_(2i) mod n.
If r = 0 then terminate the algorithm with failure; otherwise, compute x = r^-1 (a_(2i) − a_i) mod n and return(x).
Pollard’s rho algorithm is a randomized algorithm.
Complexity: O(√|G|) steps
Minimum security requirement: |G| ≥ 2^160
The same expected running time as the baby-step giant-step algorithm, but it requires a negligible amount of storage.
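Pollard's rho with Floyd cycle finding, as an added Python example that is not code from the slides. It assumes the usual partition of Zp* by x mod 3; restarting from a random point when r = 0, and testing all g = gcd(r, n) solutions when r is not invertible mod n (which happens for composite n such as n = 10), are additions to the slide's algorithm, which simply reports failure.

```python
# Added example (not from the slides): Pollard's rho for x = log_alpha(beta)
# in (Z_p*, * mod p), checked on the slides' instance alpha = 2, beta = 3, p = 11.
import random
from math import gcd


def pollard_rho_dlog(alpha, beta, p, n, seed=2003):
    """Return x in [0, n) with alpha^x = beta (mod p), alpha of order n."""
    rng = random.Random(seed)        # seeded start point: runs are reproducible
    beta %= p

    def step(x, a, b):
        # The usual three-way partition of Z_p* by x mod 3; every branch
        # keeps the invariant x = alpha^a * beta^b (exponents mod n).
        if x % 3 == 1:
            return beta * x % p, a, (b + 1) % n          # S1: x <- beta * x
        if x % 3 == 0:
            return x * x % p, 2 * a % n, 2 * b % n       # S2: x <- x^2
        return alpha * x % p, (a + 1) % n, b             # S3: x <- alpha * x

    while True:
        a0, b0 = rng.randrange(n), rng.randrange(n)
        x0 = pow(alpha, a0, p) * pow(beta, b0, p) % p
        t = step(x0, a0, b0)             # tortoise: (x_i, a_i, b_i)
        h = step(*t)                     # hare:     (x_2i, a_2i, b_2i)
        while t[0] != h[0]:              # Floyd cycle finding
            t = step(*t)
            h = step(*step(*h))
        _, a_i, b_i = t
        _, a_2i, b_2i = h
        # alpha^a_i beta^b_i = alpha^a_2i beta^b_2i  =>  x * r = d (mod n)
        r = (b_i - b_2i) % n
        d = (a_2i - a_i) % n
        g = gcd(r, n)
        if r == 0 or d % g:
            continue                     # slide: failure; here: restart
        # For composite n the congruence has g solutions; test each one
        # (an addition to the slide, which assumes r is invertible mod n).
        x = (d // g) * pow(r // g, -1, n // g) % (n // g)
        for k in range(g):
            cand = x + k * (n // g)
            if pow(alpha, cand, p) == beta:
                return cand
```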
Pohlig-Hellman Algorithm
Algorithm Pohlig-Hellman algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Find the prime factorization of n: n = p_1^(e_1) p_2^(e_2) … p_r^(e_r), where e_i ≥ 1.
For i from 1 to r do the following:
1. Set q := p_i, e := e_i, γ := 1, l_(−1) := 0.
2. Compute α* := α^(n/q).
3. For j from 0 to e−1 do the following:
Compute γ := γ α^(l_(j−1) q^(j−1)) and β* := (β γ^-1)^(n/q^(j+1)).
Compute l_j := log_α* β*.
4. Set x_i := l_0 + l_1 q + … + l_(e−1) q^(e−1).
Use CRT to compute the integer x from the x_i (x ≡ x_i mod p_i^(e_i)). Return(x).
Pohlig-Hellman algorithm takes advantage of the factorization of the order n.
Complexity: O(√p_l) steps, where p_l is the largest prime factor of n.
Minimum security requirement: p_l ≥ 2^160
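The Pohlig-Hellman algorithm above in Python, as an added example that is not code from the slides. It follows the slide's digit-by-digit recovery of x mod q^e and the final CRT step; the prime-order sub-logarithms log_α* β* are found by exhaustive search here (in practice the baby-step giant-step or Pollard rho of the earlier slides would be used), and factorize, prime_order_dlog and pohlig_hellman are this example's own names.

```python
# Added example (not from the slides): Pohlig-Hellman for x = log_alpha(beta)
# in (Z_p*, * mod p), checked on alpha = 2, beta = 3, p = 11, n = 10 = 2 * 5.

def factorize(n):
    """Return {prime: exponent} for n by trial division (fine for small n)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def prime_order_dlog(g, h, p, q):
    """Smallest ell in [0, q) with g^ell = h (mod p), g of prime order q.
    Exhaustive search; BSGS or Pollard rho would be used for large q."""
    val = 1
    for ell in range(q):
        if val == h:
            return ell
        val = val * g % p
    raise ValueError("h is not a power of g")


def pohlig_hellman(alpha, beta, p, n):
    """Return x in [0, n) with alpha^x = beta (mod p), alpha of order n."""
    beta %= p
    x, modulus = 0, 1                    # x is known mod `modulus` so far
    for q, e in factorize(n).items():
        # Recover x_i = x mod q^e digit by digit: x_i = l_0 + l_1 q + ... + l_(e-1) q^(e-1).
        alpha_star = pow(alpha, n // q, p)           # element of order q
        x_i, gamma = 0, 1                            # gamma = alpha^(digits found so far)
        for j in range(e):
            # beta* = (beta * gamma^-1)^(n / q^(j+1)) depends only on digit l_j
            beta_star = pow(beta * pow(gamma, -1, p), n // q ** (j + 1), p)
            l_j = prime_order_dlog(alpha_star, beta_star, p, q)
            x_i += l_j * q ** j
            gamma = gamma * pow(alpha, l_j * q ** j, p) % p
        # CRT: combine x = x_i (mod q^e) with the congruences collected so far.
        m = q ** e
        t = (x_i - x) * pow(modulus, -1, m) % m
        x += modulus * t
        modulus *= m
    return x % n
```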
Index-Calculus method
Algorithm Index-Calculus method for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: y = log_α β.
Choose a subset S = {p_1, p_2, …, p_t} of G (the factor base) such that all elements in G can be efficiently expressed as a product of elements from S.
Collect linear relations:
1. Select a random integer k, 0 ≤ k ≤ n−1, and compute α^k.
2. Try to write α^k as a product of elements in S: α^k = ∏ p_i^(c_i). If this succeeds, taking logarithms gives the linear relation k ≡ Σ c_i log_α p_i (mod n).
3. Repeat steps 1 and 2 until t + c relations are obtained.
Solve the resulting linear system mod n to obtain log_α p_i for every p_i ∈ S.
Select a random integer k, 0 ≤ k ≤ n−1, and compute β α^k. Try to write β α^k as a product of elements in S: β α^k = ∏ p_i^(d_i). If this fails, repeat the above step; otherwise, taking logarithms of both sides, we obtain y = (Σ d_i log_α p_i − k) mod n. Return(y).
Index-Calculus method is the most powerful method known for computing DL. It does not apply to all groups; it is only efficient in Zp* and Galois fields GF(2^k).
Subexponential-time algorithm: O(e^((1+o(1)) √(ln p · ln ln p))) steps.
Minimum security requirement: p ≥ 2^1024
Future Work
Try to improve some of these algorithms
Challenge to find a polynomial-time algorithm to compute DL
Question & Answer
Thanks