Decisional Diffie-Hellman Problem (DDH)

Course Business

• Homework 3 Due Now

• Homework 4 Released

• Professor Blocki is travelling, but will be back next week

Week 11: • Discrete Log/DDH • Applications of DDH • Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters Readings: Katz and Lindell Chapter 8.4 & Chapter 9

Fall 2017 2 Recap: Cyclic Group

• = = 0, 1, 2, … (g is generator) • If = then for each h and each integer 0 we have 𝔾𝔾 𝑔𝑔 𝑔𝑔 𝑔𝑔 𝑔𝑔 = 𝑚𝑚 𝔾𝔾 ∈𝑥𝑥𝔾𝔾 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑚𝑚 𝑥𝑥 ≥ ℎ ℎ Fact 1: Let p be a prime then is a cyclic group of order p-1. ∗ Fact 2: Number of generatorsℤ g𝑝𝑝 s.t. of = is ∗ 𝜙𝜙 𝑝𝑝−1 Example (generator): p=7, g=5 𝑔𝑔 ℤ𝑝𝑝 𝑝𝑝−1 <2>={1,5,4,6,2,3}

Recap: Cyclic Group

• = = 0, 1, 2, … (g is generator) • If = then for each h and each integer 0 we have 𝔾𝔾 𝑔𝑔 𝑔𝑔 𝑔𝑔 𝑔𝑔 = 𝑚𝑚 𝔾𝔾 ∈ 𝔾𝔾𝑥𝑥 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑚𝑚 𝑥𝑥 ≥ ℎ ℎ Fact 1: Let p be a prime then is a cyclic group of order p-1. Fact 2: Number of generators g∗ s.t. of = is ℤ𝑝𝑝 ∗ 𝜙𝜙 𝑝𝑝−1 Proof: Suppose that = and let h = then𝑝𝑝 𝑔𝑔 ℤ 𝑝𝑝−1 = , , ( ), ∗ ( ), …𝑖𝑖 𝑔𝑔 ℤ𝑝𝑝 𝑔𝑔 Recall: 0 𝑖𝑖 2𝑖𝑖 𝑚𝑚𝑚𝑚𝑚𝑚1 𝑝𝑝:−1 03𝑖𝑖 𝑚𝑚𝑚𝑚𝑚𝑚= {0𝑝𝑝, −…1, 1} if and only if gcd(i,p-1)=1. ℎ 𝑔𝑔 𝑔𝑔 𝑔𝑔 𝑔𝑔

𝑖𝑖𝑗𝑗 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 − 𝑗𝑗 ≥ 𝑝𝑝 − 4

Recap Diffie-Hellman Problems

Computational Diffie-Hellman Problem (CDH) • Attacker is given h1 = and h2 = . • Attackers goal is to find 𝑥𝑥1 = h1 = h𝑥𝑥22 • CDH Assumption: For all𝑔𝑔 PPT𝑥𝑥1∈𝑥𝑥2 𝔾𝔾A there𝑥𝑥 is2 a 𝑔𝑔negligible∈𝑥𝑥1𝔾𝔾 function negl such that A succeeds with probability𝑔𝑔 at most negl(n). Decisional Diffie-Hellman Problem (DDH)

• Let z0 = and let z1 = , where x1,x2 and r are random • Attacker is𝑥𝑥 given1𝑥𝑥2 , and𝑟𝑟 (for a random bit b) • Attackers𝑔𝑔 goal is to𝑥𝑥 guess1 𝑥𝑥2 b 𝑔𝑔 𝑏𝑏 • DDH Assumption𝑔𝑔: For𝑔𝑔 all PPT A𝑧𝑧 there is a negligible function negl such that A succeeds with probability at most ½ + negl(n).

5 Can we find a cyclic group where DDH holds?

• Example 1: where p is a random n-bit prime. • CDH is believed∗ to be hard • DDH is *not*ℤ𝑝𝑝 hard (You will prove this in homework 4 )

• Theorem: p=rq+1 be a random n-bit prime where q is a large - bit prime then the set of rth residues modulo p is a cyclic subgroup of order q. Then𝐿𝐿𝐿𝐿𝐿𝐿 = [ ] is a cyclic subgroup of 𝜆𝜆 of order q. 𝑟𝑟 ∗ ∗ • Remark 1: DDH𝔾𝔾𝑟𝑟 is believedℎ 𝑚𝑚𝑚𝑚𝑚𝑚 to hold𝑝𝑝 forℎ ∈ suchℤ𝑝𝑝 a group ℤ𝑝𝑝 • Remark 2: It is easy to generate uniformly random elements of • Remark 3: Any element (besides 1) is a generator of 𝔾𝔾𝑟𝑟 𝑟𝑟 𝔾𝔾 6 Can we find a cyclic group where DDH holds?

• Theorem: p=rq+1 be a random n-bit prime where q is a large -bit prime then the set of rth residues modulo p is a cyclic subgroup of order q. Then =𝐿𝐿𝐿𝐿𝐿𝐿[ ] is a cyclic subgroup of of order𝜆𝜆 q. • Closure: 𝑟𝑟= ∗ ∗ 𝑟𝑟 𝑝𝑝 𝑝𝑝 • Inverse𝔾𝔾 of 𝑟𝑟 ℎ𝑟𝑟 is 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝𝑟𝑟 ℎ ∈ ℤ ℤ ℎ 𝑔𝑔 ℎ𝑔𝑔 • Size =𝑟𝑟 [ −1 𝑟𝑟 ] = = [ ] = [ ] ℎ ℎ ∈ 𝔾𝔾𝑟𝑟 𝑟𝑟 𝑥𝑥 𝑟𝑟𝑟𝑟 𝑚𝑚𝑚𝑚𝑚𝑚 𝑟𝑟𝑟𝑟 𝑟𝑟 𝑥𝑥 𝑟𝑟 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 𝑟𝑟 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 ℎ ℎ ℎ ℎ ℎ 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 Remark: Two known attacks on Discrete Log Problem for (Section 9.2). • First runs in time = 2 / 𝔾𝔾𝑟𝑟 / • Second runs in time 2 𝜆𝜆 2 𝑂𝑂 𝑞𝑞 3 𝑂𝑂 2 3 𝑂𝑂 𝑛𝑛 log 𝑛𝑛 7 Can we find a cyclic group where DDH holds?

Remark: Two known attacks (Section 9.2). • First runs in time = 2 / / • Second runs in time 2 𝜆𝜆 2 , where n is bit length of p 𝑂𝑂 𝑞𝑞 3 𝑂𝑂 2 3 𝑂𝑂 𝑛𝑛 log 𝑛𝑛 Goal: Set and n to balance attacks = log / 𝜆𝜆 3 2 3 How to sample p=rq+1? 𝜆𝜆 𝑂𝑂 𝑛𝑛 𝑛𝑛 • First sample a random -bit prime q and • Repeatedly check if rq+1 is prime for a random n- bit value r 𝜆𝜆

𝜆𝜆 8 More groups where DDH holds?

𝒪𝒪 𝑥𝑥 𝑦𝑦 𝒪𝒪 𝑥𝑥 𝑦𝑦 What is 1, 1 + 2, 2 ?

𝑥𝑥 𝑦𝑦 𝑥𝑥 𝑦𝑦 9 Elliptic Curve Example

, (x3,y3) 𝒙𝒙𝟐𝟐 𝒚𝒚𝟐𝟐 , The line passing through , , 𝟏𝟏 𝟏𝟏 and has the 𝒙𝒙 𝒚𝒚 equation 𝟏𝟏 𝟏𝟏 𝟐𝟐 𝟐𝟐 𝒙𝒙 =𝒚𝒚 𝒙𝒙1 +𝒚𝒚 1 Where the slope 𝑦𝑦 𝑚𝑚 𝑥𝑥 −1 𝑥𝑥 2 𝑦𝑦 𝑚𝑚𝑚𝑚𝑚𝑚 𝑃𝑃 = 1 2 (x ,-y )= , + , 𝑦𝑦 − 𝑦𝑦 3 3 𝑚𝑚 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝒙𝒙𝟏𝟏 𝒚𝒚𝟏𝟏 𝒙𝒙𝟐𝟐 𝒚𝒚𝟐𝟐 𝑥𝑥 − 𝑥𝑥

10 Elliptic Curve Example

, (x3,y3) , 𝟐𝟐 𝟐𝟐 𝒙𝒙 𝒚𝒚 Formally, let 𝟏𝟏 𝟏𝟏 𝒙𝒙 𝒚𝒚 1 2 = 𝑦𝑦1 − 𝑦𝑦2 𝑚𝑚 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 Be the slope.𝑥𝑥 −Then𝑥𝑥 the line passing through , and , has the equation , + , 𝟏𝟏 𝟏𝟏 (x3,-y3)= = 1 +𝒙𝒙 1𝒚𝒚 𝟐𝟐 𝟐𝟐 𝟏𝟏 𝟏𝟏 𝟐𝟐 𝟐𝟐 𝒙𝒙 𝒚𝒚 = [ 2 𝒙𝒙] 𝒚𝒚 𝒙𝒙 𝒚𝒚 3 1 2 𝑦𝑦 𝑚𝑚 𝑥𝑥 − 𝑥𝑥 2𝑦𝑦 𝑚𝑚𝑚𝑚𝑚𝑚 𝑃𝑃 1 + 1 = [ + ] 3 3 3 1 1 = + + 11 𝑥𝑥 𝑚𝑚 − 𝑥𝑥 − 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑚𝑚 𝑥𝑥 − 𝑥𝑥 𝑦𝑦 𝑦𝑦 𝑚𝑚 𝑥𝑥 − 𝑥𝑥 𝑦𝑦 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑥𝑥 𝐴𝐴𝐴𝐴 𝐵𝐵 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝

12 Elliptic Curve Example

• No third point R on the line intersects our elliptic curve.

• Thus, + =

𝑃𝑃 𝑄𝑄 𝒪𝒪

13 Summary: Elliptic Curves

Elliptic Curves Example: Let p be a prime (p > 3) and let A, B be constants. Consider the equation 2 = 3 + + And let = , 𝑦𝑦 𝑥𝑥 2 =𝐴𝐴𝐴𝐴 3 +𝐵𝐵 𝑚𝑚𝑚𝑚𝑚𝑚+ 𝑝𝑝 2 𝐸𝐸 ℤ𝑝𝑝 𝑥𝑥 𝑦𝑦 ∈ ℤ𝑝𝑝 𝑦𝑦 𝑥𝑥 𝐴𝐴𝐴𝐴 𝐵𝐵 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 ∪ 𝒪𝒪 Fact: defines an abelian group • For appropriate curves the DDH assumption is believed to hold 𝐸𝐸 ℤ𝑝𝑝 • If you make up your own curve there is a good chance it is broken… • NIST has a list of recommendations

14 Week 11: Topic 1: Discrete Logarithm Applications Diffie-Hellman Key Exchange Collision Resistant Hash Functions Password Authenticated Key Exchange

15 Diffie-Hellman Key Exchange

1. Alice picks and sends to Bob 2. Bob picks and sends 𝑥𝑥𝐴𝐴 to Alice 𝑥𝑥𝐴𝐴 𝑔𝑔 3. Alice and Bob can both compute𝑥𝑥𝐵𝐵 = 𝑥𝑥𝐵𝐵 𝑔𝑔 , 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 𝐾𝐾𝐴𝐴 𝐵𝐵 𝑔𝑔

16 Key-Exchange Experiment , : 𝑒𝑒𝑒𝑒𝑒𝑒 • Two parties run to exchange secret messages (with𝐴𝐴 Πsecurity parameter 1n). • Let trans be a transcript which contains all messages𝐾𝐾𝐾𝐾 sent and𝑛𝑛 let k be the secret key output by eachΠ party. • Let b be a random bit and let kb = k if b=0; otherwise kb is sampled uniformly at random.

• Attacker A is given trans and kb (passive attacker). • Attacker outputs b’ ( , =1 if and only if b=b’) 𝑒𝑒𝑒𝑒𝑒𝑒 𝐴𝐴 Π Security of against an𝐾𝐾 𝐾𝐾eavesdropping𝑛𝑛 attacker: For all PPT A there is a negligible function negl such that Π Pr , =½ + n . 𝑒𝑒𝑒𝑒𝑒𝑒 𝐾𝐾𝐾𝐾𝐴𝐴 Π 𝑛𝑛 𝐧𝐧𝐧𝐧𝐧𝐧𝐧𝐧 17 Diffie-Hellman Key-Exchange is Secure

Theorem: If the decisional Diffie-Hellman problem is hard relative to group generator then the Diffie-Hellman key-exchange protocol is secure in the presence of a (passive) eavesdropper (*). (*) Assuming𝒢𝒢 keys are chosen uniformly at random from theΠ cyclic group

𝔾𝔾 Protocol 1. Alice picks and sends to Bob Π 2. Bob picks and sends 𝑥𝑥𝐴𝐴 to Alice 𝑥𝑥𝐴𝐴 𝑔𝑔 3. Alice and Bob can both compute𝑥𝑥𝐵𝐵 = 𝑥𝑥𝐵𝐵 𝑔𝑔 , 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 𝐾𝐾𝐴𝐴 𝐵𝐵 𝑔𝑔 18 Diffie-Hellman Assumptions

Computational Diffie-Hellman Problem (CDH) • Attacker is given h1 = and h2 = . • Attackers goal is to find 𝑥𝑥1 = h1 = h𝑥𝑥22 • CDH Assumption: For all𝑔𝑔 PPT𝑥𝑥1∈𝑥𝑥2 𝔾𝔾A there𝑥𝑥 is2 a 𝑔𝑔negligible∈𝑥𝑥1𝔾𝔾 function negl upper bounding the probability𝑔𝑔 that A succeeds Decisional Diffie-Hellman Problem (DDH)

19 Diffie-Hellman Key Exchange

1. Alice picks and sends to Bob 𝑥𝑥𝐴𝐴 2. Bob picks 𝐴𝐴 and sends to Alice 𝑥𝑥 𝑔𝑔𝑥𝑥𝐵𝐵 3. Alice and Bob𝐵𝐵 can both compute , = 𝑥𝑥 𝑔𝑔 𝐵𝐵 𝐴𝐴 𝑥𝑥 𝑥𝑥 𝐾𝐾𝐴𝐴 𝐵𝐵 𝑔𝑔 Intuition: Decisional Diffie-Hellman assumption implies that a passive attacker who observes and still cannot distinguish between

, = and a random𝑥𝑥𝐴𝐴 group𝑥𝑥 element𝐵𝐵 . 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 𝑔𝑔 𝑔𝑔 𝐴𝐴 𝐵𝐵 𝐾𝐾 𝑔𝑔 Remark: Modified protocol sets , = . You will prove that this protocol is secure under the weaker CDH assumption𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 in homework 4. 𝐾𝐾𝐴𝐴 𝐵𝐵 𝐻𝐻 𝑔𝑔

20 Diffie-Hellman Key-Exchange is Secure

Theorem: If the decisional Diffie-Hellman problem is hard relative to group generator then the Diffie-Hellman key-exchange protocol is secure in the presence of an eavesdropper (*). Proof: 𝒢𝒢 Π Pr , = 1 =½Pr , = 1| = 1𝑒𝑒𝑒𝑒𝑒𝑒+ ½Pr , = 1| = 0 𝐴𝐴 Π =½Pr , , 𝑒𝑒𝑒𝑒𝑒𝑒, , , 𝐾𝐾=𝐾𝐾 1 +𝑛𝑛½Pr 𝑒𝑒𝑒𝑒𝑒𝑒 , , , , , = 1 𝐴𝐴 Π 𝐴𝐴 Π =½+½ Pr 𝐾𝐾 ,𝐾𝐾 , ,𝑥𝑥𝑛𝑛 ,𝑦𝑦 ,𝑥𝑥𝑥𝑥𝑏𝑏 = 1 Pr𝐾𝐾𝐾𝐾 , 𝑛𝑛, , 𝑥𝑥 , 𝑏𝑏𝑦𝑦 , 𝑧𝑧 = 1 . 𝐴𝐴 𝔾𝔾 𝑔𝑔 𝑞𝑞 𝑔𝑔 𝑥𝑥𝑔𝑔 𝑦𝑦𝑔𝑔½ +𝑥𝑥 ½𝑥𝑥 negl(n) (by DDH)𝐴𝐴 𝔾𝔾 𝑔𝑔 𝑞𝑞 𝑔𝑔 𝑥𝑥 𝑔𝑔 𝑦𝑦 𝑔𝑔 𝑧𝑧 (*) Assuming keys𝐴𝐴 𝔾𝔾 are𝑔𝑔 chosen𝑞𝑞 𝑔𝑔 𝑔𝑔uniformly𝑔𝑔 at random− 𝐴𝐴 from𝔾𝔾 𝑔𝑔 the𝑞𝑞 cyclic𝑔𝑔 𝑔𝑔 group𝑔𝑔 ≤

𝔾𝔾 21 Diffie-Hellman Key Exchange

1. Alice picks and sends to Bob 2. Bob picks and sends 𝑥𝑥𝐴𝐴 to Alice 𝑥𝑥𝐴𝐴 𝑔𝑔 3. Alice and Bob can both compute𝑥𝑥𝐵𝐵 = 𝑥𝑥𝐵𝐵 𝑔𝑔 , 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 𝐾𝐾𝐴𝐴 𝐵𝐵 𝑔𝑔 Intuition: Decisional Diffie-Hellman assumption implies that a passive attacker who observes and still cannot distinguish between

, = and a random𝑥𝑥𝐴𝐴 group𝑥𝑥 element𝐵𝐵 . 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 𝑔𝑔 𝑔𝑔 Remark𝐴𝐴 𝐵𝐵 : The protocol is vulnerable against active attackers who can 𝐾𝐾tamper 𝑔𝑔with messages.

22 Man in the Middle Attack (MITM)

23 Man in the Middle Attack (MITM)

1. Alice picks and sends to Bob • Mallory intercepts , picks 𝑥𝑥𝐴𝐴 and sends to Bob instead 𝐴𝐴 2. Bob picks 𝑥𝑥 and sends𝑥𝑥𝐴𝐴 𝑔𝑔 to Alice 𝑥𝑥𝐸𝐸 𝑔𝑔 𝑥𝑥𝐸𝐸 𝑔𝑔 1. Mallory intercepts , picks𝑥𝑥𝐵𝐵 and sends to Alice instead 𝐵𝐵 3. Eve computes𝑥𝑥 𝑥𝑥 and𝐵𝐵 𝑔𝑔 𝑥𝑥𝐸𝐸퐸 𝑔𝑔 𝑥𝑥𝐸𝐸′ 𝑔𝑔 1. Alice computes 𝑥𝑥secret𝐸𝐸′𝑥𝑥𝐴𝐴 key 𝑥𝑥𝐸𝐸𝑥𝑥𝐵𝐵 (shared with Eve not Bob) 2. Bob computes𝑔𝑔 (shared𝑔𝑔 𝑥𝑥with𝐸𝐸′𝑥𝑥𝐴𝐴 Eve not Alice) 4. Mallory forwards 𝑥𝑥messages𝐸𝐸𝑥𝑥𝐵𝐵 𝑔𝑔 between Alice and Bob (tampering with the messages if 𝑔𝑔desired) 5. Neither Alice nor Bob can detect the attack

24 Discrete Log Experiment DLogA,G(n)

1. Run 1 to obtain a cyclic group of order q (with = ) and a generator𝑛𝑛 g such that < g >= . 2. Select𝒢𝒢 h uniformly at random. 𝔾𝔾 𝑞𝑞 𝑛𝑛 𝔾𝔾 3. Attacker A is given , q, g, h and outputs integer x. ∈ 𝔾𝔾 4. Attacker wins (DLog (n)=1) if and only if gx=h. 𝔾𝔾A,G

We say that the discrete log problem is hard relative to generator if (negligible) s. t Pr DLogA,n = 1 ( ) 𝒢𝒢 ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 ≤ 𝜇𝜇 𝑛𝑛 25 Collision Resistant Hash Functions (CRHFs)

• Recall: not known how to build CRHFs from OWFs • Can build collision resistant hash functions from Discrete Logarithm Assumption • Let 1 output , , where is a cyclic group of order and g is a generator𝑛𝑛 of the group. • Suppose𝒢𝒢 that discrete𝔾𝔾 𝑞𝑞 log𝑔𝑔 problem𝔾𝔾 is hard relative to generator𝑞𝑞 . (negligible) s. t Pr DLogA,n = 1 ( ) 𝒢𝒢 ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 ≤ 𝜇𝜇 𝑛𝑛

26 Collision Resistant Hash Functions

• Let 1 output , , where is a cyclic group of order and g is a generator𝑛𝑛 of the group. Collision𝒢𝒢 Resistant Hash𝔾𝔾 𝑞𝑞 Function𝑔𝑔 (Gen,H𝔾𝔾 ): 𝑞𝑞 • 1 1. 𝑛𝑛, , 1 𝐺𝐺𝐺𝐺𝐺𝐺2. Select random h𝑛𝑛 3. Output𝔾𝔾 𝑞𝑞 𝑔𝑔 s =← 𝒢𝒢 , , , ← 𝔾𝔾 , = , • 𝔾𝔾 𝑞𝑞 𝑔𝑔 ℎ (where, ) Claim𝑠𝑠 : (Gen,H) is 𝑥𝑥collision1 𝑥𝑥2 resistant if the discrete log assumption holds for 𝐻𝐻 𝑥𝑥1 𝑥𝑥2 𝑔𝑔 ℎ 𝑥𝑥1 𝑥𝑥2 ∈ ℤ𝑞𝑞

27 𝒢𝒢 Collision Resistant Hash Functions

• , = (where, , ) Claim𝑠𝑠 : (Gen,H) is 𝑥𝑥collision1 𝑥𝑥2 resistant 𝐻𝐻 𝑥𝑥1 𝑥𝑥2 𝑔𝑔 ℎ 𝑥𝑥1 𝑥𝑥2 ∈ ℤ𝑞𝑞

Proof: Suppose we find a collision , = , then we have = which implies𝑠𝑠 𝑠𝑠 1 2 1 2 𝑥𝑥1 𝑥𝑥2 𝑦𝑦1 𝑦𝑦2 𝐻𝐻= 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑦𝑦 𝑦𝑦 Use extended𝑔𝑔 ℎ GCD𝑔𝑔 toℎ find 𝑥𝑥2−𝑦𝑦2 𝑦𝑦mod1−𝑥𝑥1 q then ℎ 𝑔𝑔 = −=1 𝑥𝑥−21− 𝑦𝑦2 −1 Which means that𝑥𝑥2− 𝑦𝑦2 𝑥𝑥2−𝑦𝑦2 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 𝑦𝑦1−𝑥𝑥 1 𝑥𝑥is2 −the𝑦𝑦2 discrete𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 log of h. ℎ ℎ 𝑔𝑔 −1 𝑦𝑦1 − 𝑥𝑥1 𝑥𝑥2 − 𝑦𝑦2 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 28 Password Authenticated Key-Exchange

• Suppose Alice and Bob share a low-entropy password pwd and wish to communicate securely • (without using any trusted party) • Assuming an active attacker may try to mount a man-in-the-middle attack • Can they do it?

Tempting Approach: • Alice and Bob both compute K= KDF(pwd)= (pwd) and communicate with using an authenticated encryption scheme. 𝑛𝑛 • Practice Midterm Exam: Secure in random 𝐻𝐻oracle model if attacker cannot query random oracle H(.) too many times.

29 Password Authenticated Key-Exchange

Tempting Approach: • Alice and Bob both compute K= KDF(pwd)=Hn(pwd) and communicate with using an authenticated encryption scheme. • Midterm Exam: Secure in random oracle model if attacker cannot query random oracle too many time. • Problems: • In practice the attacker can (and will) query the random oracle many times. • In practice people tend to pick very weak passwords • Brute-force attack: Attacker enumerates over a dictionary of passwords and attempts to decrypt messages with Kpwd’=KDF(pwd’) (only succeeds if Kpwd’=K). • An offline attack (brute-force) will almost always succeed

Attempt 2

1. Alice picks and sends to Bob 2. Bob picks and sends 𝐻𝐻 𝑝𝑝𝑝𝑝𝑝𝑝 +𝑥𝑥𝑥𝑥 to Alice 𝑥𝑥𝐴𝐴 𝑔𝑔 𝐻𝐻 𝑝𝑝𝑝𝑝𝑝𝑝 +𝑥𝑥𝐵𝐵 3. Alice and Bob𝐵𝐵 can both compute , = 𝑥𝑥 𝑔𝑔 𝑥𝑥𝐵𝐵 𝑥𝑥𝐴𝐴 4. Alice picks random nonce and sends𝐴𝐴 𝐵𝐵 , to Bob 1. Enc is an authentication encryption𝐾𝐾 scheme 𝐻𝐻 𝑔𝑔 𝐴𝐴 𝐾𝐾𝐴𝐴 𝐵𝐵 𝐴𝐴 5. Bob decrypts and sends 𝑟𝑟 to Alice 𝐸𝐸𝐸𝐸𝐸𝐸 𝑟𝑟

𝑟𝑟𝐴𝐴 Advantage: MITM Attacker cannot establish connection without password Disadvantage: Mallory could mount a brute-force attack after attempted MITM attack

31 Attempt 2: MITM Attack

1. Alice picks and sends to Bob 2. Bob picks and sends 𝐻𝐻 𝑝𝑝𝑝𝑝𝑝𝑝 +𝑥𝑥𝑥𝑥 to Alice 𝑥𝑥𝐴𝐴 𝑔𝑔 1. Mallory intercepts 𝐻𝐻 𝑝𝑝𝑝𝑝𝑝𝑝, picks+𝑥𝑥𝐵𝐵 and sends to Alice instead 𝐵𝐵 𝐻𝐻 𝑝𝑝𝑝𝑝𝑝𝑝 +𝑥𝑥𝑥𝑥 𝑥𝑥𝐸𝐸 𝑥𝑥 𝑔𝑔 = 𝐸𝐸 3. Bob can both compute𝑔𝑔 , 𝑥𝑥 𝑔𝑔 𝐵𝐵 𝐴𝐴 1. Allice computes , = 𝑥𝑥 𝑥𝑥 instead 𝐴𝐴 𝐵𝐵 𝐾𝐾 𝑥𝑥𝐻𝐻𝐸𝐸−𝐻𝐻𝑔𝑔𝑝𝑝𝑝𝑝𝑝𝑝 𝑥𝑥𝐴𝐴 𝐴𝐴 𝐵𝐵 4. Alice picks random𝐾𝐾 nonce′ 𝐻𝐻 𝑔𝑔and sends c = , to Bob

1. Mallory intercepts , and proceeds to mount brute-force attack on password 𝑟𝑟𝐴𝐴 𝐸𝐸𝐸𝐸𝐸𝐸 𝐾𝐾𝐴𝐴 𝐵𝐵′ 𝑟𝑟𝐴𝐴 5. For each password guess𝐸𝐸𝐸𝐸𝐸𝐸 𝐾𝐾 𝐴𝐴y 𝐵𝐵 ′ 𝑟𝑟𝐴𝐴 1. let = and 𝐸𝐸 𝐴𝐴 2. if 𝑥𝑥 −𝐻𝐻 then𝑦𝑦 𝑥𝑥output y 𝐾𝐾𝑦𝑦 ,𝐻𝐻 𝑔𝑔

𝐷𝐷𝐷𝐷𝐷𝐷 𝐾𝐾𝐴𝐴 𝐵𝐵′ 𝑐𝑐 ≠⊥

Advantage: MITM Attacker cannot establish connection without password Disadvantage: Mallory could mount a brute-force attack on password after attempted MITM attack

32 Password Authenticated Key-Exchange (PAKE)

Better Approach (PAKE): 1. Alice and Bob both compute W = 2. Alice picks and sends “Alice", =𝑝𝑝𝑝𝑝𝑝𝑝 to Bob 𝑔𝑔 3. Bob picks computes r = H 1, , 𝑥𝑥𝐴𝐴 , and = × and sends Alice the following 𝑥𝑥" 𝐴𝐴 , " 𝑋𝑋 𝑔𝑔 message: 𝑟𝑟 𝑥𝑥𝐵𝐵 𝐵𝐵 4. Alice computes𝑥𝑥 K = = where𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴 𝐵𝐵=𝐵𝐵𝐵𝐵1 𝑋𝑋 ×𝑌𝑌 +𝑋𝑋 𝑊𝑊 . Alice sends the message V = 𝐵𝐵𝐵𝐵𝐵𝐵 𝑌𝑌 A H(2,Alice,Bob,X,Y,K) to 𝑍𝑍Bob. 𝑥𝑥𝐵𝐵 𝐴𝐴 5. Bob verifies that VA==𝑌𝑌 H(2,Alice,Bob,X,Y,K𝑔𝑔 𝑧𝑧 ) where⁄ 𝑝𝑝𝑝𝑝 K𝑝𝑝 = 𝑟𝑟 . Bob𝑥𝑥 generates𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 VB= H(3,Alice,Bob,X,Y,K) and sends VB to Alice. 𝑥𝑥𝐵𝐵 6. Alice verifies that VB==H(3,Alice,Bob,X,Y, ) where 𝑔𝑔= 1 × + . 7. If Alice and Bob don’t terminate the session𝑍𝑍 key is H(4,Alice,Bob,X,Y, ) 𝑌𝑌 𝑧𝑧 ⁄ 𝑝𝑝𝑝𝑝𝑝𝑝 𝑟𝑟 𝑥𝑥𝐴𝐴 Security: 𝐾𝐾 • No offline attack (brute-force) is possible. Attacker get’s one password guess per instantiation of the protocol. • If attacker is incorrect and he tampers with messages then he will cause the Alice & Bob to quit. • If Alice and Bob accept the secret key K and the attacker did not know/guess the password then K is “just as good” as a truly random secret key. 33 See RFC 6628

Week 11: Topic 2: Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters

34 Pollard’s p-1 Algorithm (Factoring)

• Let = where (p-1) has only “small” prime factors. • Pollard’s p-1 algorithm can factor N. • Remark𝑁𝑁 𝑝𝑝 𝑝𝑝1: This happens with very small probability if p is a random n bit prime. • Remark 2: One convenient/fast way to generate big primes it to multiply many small primes, add 1 and test for primality. • Example: 2 × 3 × 5 × 7 + 1 = 211 is prime

Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N.

35 Pollard’s p-1 Algorithm (Factoring)

Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N. Proof: Suppose B=c(p-1) for some integer c and let = 1 Applying the Chinese Remainder Theorem𝐵𝐵 we have 𝑦𝑦 1𝑥𝑥 mod− p,𝑚𝑚𝑚𝑚𝑚𝑚 𝑁𝑁1 mod q 𝐵𝐵= 0, 1 mod𝐵𝐵 q This means that p divides𝑦𝑦 ↔ y,𝑥𝑥 but− q does𝐵𝐵 not𝑥𝑥 divide− y (unless = 1 mod q, which is very unlikely). 𝑥𝑥 − 𝐵𝐵 𝑥𝑥 Thus, GCD(y,N) = p

36 Pollard’s p-1 Algorithm (Factoring)

• Let = where (p-1) has only “small” prime factors. • Pollard’s p-1 algorithm can factor N. Claim𝑁𝑁: Suppose𝑝𝑝𝑝𝑝 we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N.

• Goal: Find B such that (p-1) divides B but (q-1) does not divide B. • Remark: This is difficult if (p-1) has a large prime factor. / = 𝑘𝑘 𝑛𝑛 log 𝑝𝑝𝑖𝑖 𝐵𝐵 � 𝑝𝑝𝑖𝑖 𝑖𝑖=1 37 Pollard’s p-1 Algorithm (Factoring)

• Goal: Find B such that (p-1) divides B but (q-1) does not divide B. • Remark: This is difficult if (p-1) has a large prime factor. / = 𝑘𝑘 𝑛𝑛 log 𝑝𝑝𝑖𝑖 Here p =2,p =3,… 𝐵𝐵 � 𝑝𝑝𝑖𝑖 1 2 𝑖𝑖=1

Fact: If (q-1) has prime factor larger than pk then (q-1) does not divide B. Fact: If (p-1) does not have prime factor larger than pk then (p-1) does divide B.

38 Pollard’s p-1 Algorithm (Factoring)

• Option 1: To defeat this attack we can choose strong primes p and q • A prime p is strong if (p-1) has a large prime factor • Drawback: It takes more time to generate (provably) strong primes

• Option 2: A random prime is strong with high probability

• Current Consensus: Just pick a random prime

39 Pollard’s Rho Algorithm

• General Purpose Factoring Algorithm • Doesn’t assume (p-1) has no large prime factor • Goal: factor N=pq (product of two n-bit primes) • Running time: pol ( ) 4 • Naïve Algorithm takes time pol ( ) to factor 𝑂𝑂 𝑁𝑁 𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑁𝑁 𝑂𝑂 𝑁𝑁 𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑁𝑁 • Core idea: find distinct x, such that = mod • Implies that x-x’ is a multiple of p ∗and, thus, GCD(x-x’,N′)=p (whp) x′ ∈ ℤ𝑁𝑁 𝑥𝑥 𝑥𝑥 𝑝𝑝

40 Pollard’s Rho Algorithm

• General Purpose Factoring Algorithm • Doesn’t assume (p-1) has no large prime factor

• Running time: pol ( ) 4 • Core idea: find𝑂𝑂 distinct𝑁𝑁 x, 𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑁𝑁 such that = mod • Implies that x-x’ is a multiple of p ∗and, thus, GCD(x-x’,N′)=p (whp) x′ ∈ ℤ𝑁𝑁 𝑥𝑥 𝑥𝑥 𝑝𝑝 • Question: If we pick k = O random ( ), … , ( ) then what is the probability that we can find distinct and such that ( ) ( ) 1 𝑘𝑘 ∗ 𝑝𝑝 = mod𝑥𝑥 p? 𝑥𝑥 ∈ ℤ𝑁𝑁 𝑖𝑖 𝑗𝑗 𝑖𝑖 𝑗𝑗

𝑥𝑥 𝑥𝑥 41 Pollard’s Rho Algorithm

• Question: If we pick k = O random ( ), … , ( ) then what ( ) is the probability that we can find distinct 1and such𝑘𝑘 that∗ = ( ) 𝑁𝑁 mod p? 𝑝𝑝 𝑥𝑥 𝑥𝑥 ∈ ℤ 𝑖𝑖 • Answer:𝑗𝑗 𝑖𝑖 𝑗𝑗 𝑥𝑥 𝑥𝑥 1 • Proof (sketch):2 Use the Chinese Remainder Theorem + Birthday Bound ≥ ⁄ ( ) = ( ) , ( ) 𝑖𝑖 𝑖𝑖 𝑖𝑖 𝑥𝑥 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 Note: We will also have ( ) mod q (whp) 𝑖𝑖 𝑗𝑗 𝑥𝑥 ≠ 𝑥𝑥 42 Pollard’s Rho Algorithm

• Question: If we pick k = O random ( ), … , ( ) then what ( ) is the probability that we can find distinct 1and such𝑘𝑘 that∗ = ( ) 𝑁𝑁 mod p? 𝑝𝑝 𝑥𝑥 𝑥𝑥 ∈ ℤ 𝑖𝑖 • Answer:𝑗𝑗 𝑖𝑖 𝑗𝑗 𝑥𝑥 𝑥𝑥 • Challenge: We1 do not know p or q so we cannot sort the ( )’s using ≥ ⁄2 the Chinese Remainder Theorem Representation 𝑖𝑖 𝑥𝑥 ( ) = ( ) , ( ) How can we identify the𝑖𝑖 pair 𝑖𝑖 and such that𝑖𝑖 ( ) = ( )mod p? 𝑥𝑥 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 𝑖𝑖 𝑗𝑗 𝑖𝑖 𝑗𝑗 𝑥𝑥 𝑥𝑥 43 Pollard’s Rho Algorithm

• Pollard’s Rho Algorithm is similar the low-space version of the birthday attack

Input: N (product of two n bit primes) ( ) ( ) , x = x = Remark 1: F should have the property that For0 i=1 to∗ 2 / ′ 0 if x=x’ mod p then F(x) = F(x’) mod p. 𝑥𝑥 ← ℤ𝑁𝑁 𝑥𝑥 ( )𝑛𝑛 2 Remark 2: = + 1 will work since 2 𝑥𝑥 ← 𝐹𝐹 𝑥𝑥 p ′= GCD(x-x’,N) = 𝐹𝐹 +𝑥𝑥 1 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑁𝑁 𝑥𝑥 ← 𝐹𝐹 𝐹𝐹 𝑥𝑥′ if 1< p < N return p 2 + 1 , + 1 𝐹𝐹 𝑥𝑥 mod𝑥𝑥 2 𝑚𝑚𝑚𝑚𝑚𝑚 𝑁𝑁 , 2 mod ↔ 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 44 ↔ 𝐹𝐹 𝑥𝑥 𝑝𝑝 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝐹𝐹 𝑥𝑥 𝑞𝑞 𝑚𝑚𝑚𝑚𝑚𝑚 𝑞𝑞 Pollard’s Rho Algorithm

• Pollard’s Rho Algorithm is similar the low-space version of the birthday attack

Input: N (product of two n bit primes) Claim: Let ( ) = ( ) and suppose that for ( ) , x = x = ( ) some distinct𝑖𝑖 +i,1j < 2 / we𝑖𝑖 have ( ) = ( ) mod p / For0 i=1 to∗ 2 ′ 0 ( ) 𝑥𝑥 ( ) 𝐹𝐹 𝑥𝑥 𝑥𝑥 ← ℤ𝑁𝑁 𝑥𝑥 but . Then𝑛𝑛 the2 algorithm 𝑖𝑖will find𝑗𝑗 p. ( )𝑛𝑛 2 𝑖𝑖 𝑗𝑗 𝑥𝑥 𝑥𝑥 ( ) mod p 𝑥𝑥 ≠ 𝑥𝑥 𝑥𝑥 ← 𝐹𝐹 𝑥𝑥 3 p ′= GCD(x-x’,N) 𝑥𝑥 𝑥𝑥 ← 𝐹𝐹 𝐹𝐹 𝑥𝑥′ if 1< p < N return p Cycle length: i-j

Pollard’s Rho Algorithm (Summary)

• General Purpose Factoring Algorithm • Doesn’t assume (p-1) has no large prime factor

• Expected Running Time: pol ( ) • (Birthday Bound) 4 • (still exponential in number𝑂𝑂 of bits𝑁𝑁 ~2𝑦𝑦/𝑦𝑦𝑦𝑦𝑦𝑦) 𝑁𝑁 • Required Space: log( ) 𝑛𝑛 4

𝑂𝑂 𝑁𝑁

46 Quadratic Sieve Algorithm

• Runs in sub-exponential time 2 = 2 • Still not polynomial time but 2 𝑂𝑂 log grows𝑁𝑁 log muchlog 𝑁𝑁 slower 𝑂𝑂than𝑛𝑛 2log/ 𝑛𝑛. 𝑛𝑛 log 𝑛𝑛 𝑛𝑛 4 • Core Idea: Find x, y such that ∗ = mod 𝑁𝑁 and ∈ ℤ 2 2 𝑥𝑥 ±𝑦𝑦 mod 𝑁𝑁

𝑥𝑥 ≠ 𝑦𝑦 𝑁𝑁

47 Quadratic Sieve Algorithm

• Core Idea: Find x, y such that ∗ = mod (1) 𝑁𝑁 and ∈ ℤ 2 2 𝑥𝑥 ±𝑦𝑦 mod 𝑁𝑁 2 Claim: gcd(x-y,N) , N=pq divides = 𝑥𝑥 ≠ 𝑦𝑦 + 𝑁𝑁. (by (1)).  + ∈2 𝑝𝑝0𝑞𝑞 2(by (2)). N does not divide𝑥𝑥 − 𝑦𝑦 𝑥𝑥(by− (2)).𝑦𝑦 𝑥𝑥 𝑦𝑦 N𝑥𝑥 does− 𝑦𝑦 not𝑥𝑥 divide𝑦𝑦 ≠ + . (by (2)). p is a factor of exactly𝑥𝑥 − 𝑦𝑦one of the terms and + . (q is a factor of the𝑥𝑥 other𝑦𝑦 term) 𝑥𝑥 − 𝑦𝑦 𝑥𝑥 𝑦𝑦 48

Quadratic Sieve Algorithm

• Core Idea: Find x, y such that ∗ = mod 𝑁𝑁 and ∈ ℤ 2 2 𝑥𝑥 ±𝑦𝑦 mod 𝑁𝑁 • Key Question: How to find such an x, y ? 𝑥𝑥 ≠ 𝑦𝑦 𝑁𝑁 • Step 1: ∗ ∈ ℤ𝑁𝑁 j=0; For x = + 1, + 2, … , + ,…

q + = + 2 𝑁𝑁 𝑁𝑁 𝑁𝑁 𝑖𝑖 2 Check if q is B-smooth (all prime← factors𝑁𝑁 𝑖𝑖of q𝑚𝑚𝑚𝑚𝑚𝑚 are in𝑁𝑁 {p1,…,2𝑖𝑖pk} 𝑁𝑁where𝑖𝑖 𝑚𝑚𝑚𝑚𝑚𝑚pk < B).𝑁𝑁 If q is B smooth then factor q, increment j and define

, qj = 𝑘𝑘 , 𝑒𝑒𝑗𝑗 𝑖𝑖 ← 𝑞𝑞 � 𝑝𝑝𝑖𝑖 𝑖𝑖=1

49 Quadratic Sieve Algorithm

• Core Idea: Find x, y such that ∗ = mod 𝑁𝑁 and ∈ ℤ 2 2 𝑥𝑥 ±𝑦𝑦 mod 𝑁𝑁 • Key Question: How to find such an x, y ? • Step 2: Once we have > equations𝑥𝑥 ≠ 𝑦𝑦of the∗ form𝑁𝑁 ∈ ℤ𝑁𝑁 , ℓ 𝑘𝑘 qj = 𝑘𝑘 , 𝑒𝑒𝑗𝑗 𝑖𝑖 We can use linear algebra to find ←S such𝑞𝑞 �that𝑝𝑝 for𝑖𝑖 each we have 𝑖𝑖=1 = 0 2. , 𝑖𝑖 ≤ 𝑘𝑘 � 𝑒𝑒𝑗𝑗 𝑖𝑖 𝑚𝑚𝑚𝑚𝑚𝑚 𝑗𝑗∈𝑆𝑆 50 Quadratic Sieve Algorithm

• Key Question: How to find x, y such that = mod and ± mod ? • Step 2: Once we have > equations∗ of the form2 2 ∈ ℤ𝑁𝑁 𝑥𝑥 𝑦𝑦 𝑁𝑁 𝑥𝑥 ≠ 𝑦𝑦 𝑁𝑁 , ℓ 𝑘𝑘 qj = 𝑘𝑘 , 𝑒𝑒𝑗𝑗 𝑖𝑖 We can use linear algebra to find a subset← 𝑞𝑞 S �such𝑝𝑝 𝑖𝑖that for each i k we have 𝑖𝑖=1 = 0 2. , ≤ 𝑗𝑗 𝑖𝑖 Thus, � 𝑒𝑒 𝑚𝑚𝑚𝑚𝑚𝑚 𝑗𝑗∈𝑆𝑆

q = , = , 2 = 2 j 𝑘𝑘 𝑘𝑘 1 ∑𝑗𝑗∈𝑆𝑆 𝑗𝑗 𝑖𝑖 ∑𝑗𝑗∈𝑆𝑆 𝑒𝑒𝑗𝑗 𝑖𝑖 𝑒𝑒 2 � � 𝑝𝑝𝑖𝑖 � 𝑝𝑝𝑖𝑖 𝑦𝑦 𝑗𝑗∈𝑆𝑆 𝑖𝑖=1 𝑖𝑖=1

Quadratic Sieve Algorithm

• Key Question: How to find x, y such that = mod and ± mod ? ∗ 2 2 𝑁𝑁 Thus, ∈ ℤ 𝑥𝑥 𝑦𝑦 𝑁𝑁 𝑥𝑥 ≠ 𝑦𝑦 𝑁𝑁 q = , = , 2 = 2 j 𝑘𝑘 𝑘𝑘 1 𝑗𝑗∈𝑆𝑆 𝑗𝑗 𝑖𝑖 ∑𝑗𝑗∈𝑆𝑆 𝑗𝑗 𝑖𝑖 ∑ 𝑒𝑒 2 𝑒𝑒 � � 𝑝𝑝𝑖𝑖 � 𝑝𝑝𝑖𝑖 𝑦𝑦 But we also𝑗𝑗 ∈have𝑆𝑆 𝑖𝑖=1 𝑖𝑖=1 2 2 qj = = 2 = � � 𝑥𝑥𝑗𝑗 � 𝑥𝑥𝑗𝑗 𝑥𝑥 𝑚𝑚𝑚𝑚𝑚𝑚 𝑁𝑁 𝑗𝑗∈𝑆𝑆 𝑗𝑗∈𝑆𝑆 𝑗𝑗∈𝑆𝑆 52 Quadratic Sieve Algorithm (Summary)

• Appropriate parameter tuning yields sub-exponential time algorithm 2 = 2 𝑂𝑂• Stilllog not𝑁𝑁 logpolynomiallog 𝑁𝑁 time𝑂𝑂 but𝑛𝑛 2log 𝑛𝑛 grows much slower than 2 / . 𝑛𝑛 log 𝑛𝑛 𝑛𝑛 4

53 Discrete Log Attacks

• Pohlig-Hellman Algorithm • Given a cyclic group of non-prime order q=| |=rp • Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). • Preference for prime𝔾𝔾 order subgroups in cryptography𝔾𝔾 • Baby-step/Giant-Step Algorithm • Solve discrete logarithm in time ( ) • Pollard’s Rho Algorithm 𝑂𝑂 𝑞𝑞 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 • Solve discrete logarithm in time ( ) • Bonus: Constant memory! • Index Calculus Algorithm 𝑂𝑂 𝑞𝑞 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 • Similar to quadratic sieve • Runs in sub-exponential time 2 • Specific to the group (e.g., attack𝑂𝑂 log doesn’t𝑞𝑞 log log work𝑞𝑞 elliptic-curves) ∗ ℤ𝑝𝑝 54 Discrete Log Attacks

• Pohlig-Hellman Algorithm • Given a cyclic group of non-prime order q=| |=rp • Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). • Preference for prime𝔾𝔾 order subgroups in cryptography𝔾𝔾 • Let = and h = be given. For simplicity assume that r is prime and r < p. • Observe that generates𝑥𝑥 a subgroup of size p and that hr . r • Solve𝔾𝔾 discrete𝑔𝑔 log𝑟𝑟 problem𝑔𝑔 ∈ in𝔾𝔾 subgroup with input h . 𝑟𝑟 rz • Find z such that𝑔𝑔 h = . 𝑟𝑟 ∈ 𝑔𝑔 • Observe that generates𝑟𝑟𝑧𝑧 a subgroup𝑔𝑔 of size p and that hp . 𝑔𝑔 p • Solve discrete log𝑝𝑝 problem in subgroup with input h . 𝑝𝑝 yp • Find y such that𝑔𝑔 h = . 𝑝𝑝 ∈ 𝑔𝑔 • Chinese Remainder Theorem𝑦𝑦𝑦𝑦 h = where𝑔𝑔 x mod , [ mod ] 𝑔𝑔 𝑥𝑥

𝑔𝑔 ↔ 𝑧𝑧 𝑝𝑝 𝑦𝑦 𝑟𝑟 55 Baby-step/Giant-Step Algorithm

• Input: = of order q, generator g and h = • Set = 𝑥𝑥 𝔾𝔾 𝑔𝑔 𝑔𝑔 ∈ 𝔾𝔾 For i =0 to 𝑡𝑡 𝑞𝑞 𝑞𝑞 𝑡𝑡 𝑖𝑖𝑖𝑖 Sort the pairs (i,gi) by their second𝑖𝑖 component For i =0 to 𝑔𝑔 ← 𝑔𝑔 = = 𝑡𝑡 if = 𝑖𝑖 , … , then 𝑖𝑖 𝑖𝑖 𝑘𝑘𝑘𝑘 ℎ return← ℎ𝑔𝑔 [kt-i mod q] 𝑖𝑖 = 𝑖𝑖 0 𝑡𝑡 ℎ ℎ𝑔𝑔 𝑔𝑔 ℎ 𝑔𝑔𝑔𝑔 ∈ 𝑔𝑔 𝑔𝑔 𝑘𝑘𝑘𝑘−𝑖𝑖 56 → ℎ 𝑔𝑔 Discrete Log Attacks

• Baby-step/Giant-Step Algorithm • Solve discrete logarithm in time ( ) • Requires memory ( ) • Pollard’s Rho Algorithm 𝑂𝑂 𝑞𝑞 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 • Solve discrete logarithm𝑂𝑂 𝑞𝑞 in𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 time 𝑞𝑞 ( ) • Bonus: Constant memory! • Key Idea: Low-Space Birthday Attack𝑂𝑂 𝑞𝑞 𝑝𝑝 (*)𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 using𝑞𝑞 our collision resistant hash function , , = , , = , , 𝑥𝑥 1 𝑥𝑥2 = 𝑔𝑔 ℎ 1 2 𝐻𝐻 =𝑥𝑥 𝑥𝑥 𝑔𝑔 ℎ𝑦𝑦2−𝑥𝑥 2 𝑥𝑥1−𝑦𝑦1 𝑔𝑔 ℎ 1 2 𝑔𝑔 ℎ 1 2 −1 (*) A few small𝐻𝐻 technical𝑦𝑦 𝑦𝑦 details𝐻𝐻 to address𝑥𝑥𝑥𝑥1−𝑥𝑥𝑦𝑦1 →𝑦𝑦2−ℎ𝑥𝑥2 𝑔𝑔 → ℎ 𝑔𝑔 57 Remark: We used discrete-log problem to construct collision resistant hash functions. Discrete Log Attacks Security Reduction showed that attack on collision resistant hash function yields attack • Baby-step/Giant-Step Algorithm on discrete log. • Solve discrete logarithm in time ( ) • Requires memory ( ) Generic attack on collision resistant hash • Pollard’s Rho Algorithm 𝑂𝑂 𝑞𝑞 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 functions (e.g., low space birthday attack) 𝑂𝑂 𝑞𝑞 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 yields generic attack on discrete log. • Solve discrete logarithm in time ( )

• Bonus: Constant memory!

• Key Idea: Low-Space Birthday Attack𝑂𝑂 𝑞𝑞 (*)𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑞𝑞 , , = , , = , 𝑥𝑥1 𝑥𝑥, 2 𝑔𝑔 ℎ 1 2 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝑔𝑔 ℎ 𝑔𝑔 ℎ 1 2 𝑔𝑔 ℎ 1 2 𝐻𝐻 𝑦𝑦 𝑦𝑦 =𝐻𝐻 𝑥𝑥 𝑥𝑥 =𝑦𝑦2−𝑥𝑥2 𝑥𝑥1−𝑦𝑦1 −1 (*) A few small technical details to address→ ℎ 𝑥𝑥1−𝑦𝑦1 𝑔𝑔𝑦𝑦2−𝑥𝑥2 → ℎ 𝑔𝑔

58 Discrete Log Attacks

• Index Calculus Algorithm • Similar to quadratic sieve • Runs in sub-exponential time 2 • Specific to the group (e.g., attack𝑂𝑂 log doesn’t𝑞𝑞 log log work𝑞𝑞 elliptic-curves) ∗ ℤ𝑝𝑝 • As before let {p1,…,pk} be set of prime numbers < B. • Step 1.A: Find > distinct values , … , such that = is B-smooth for each j. That is 𝑥𝑥𝑗𝑗 1 𝑘𝑘 𝑗𝑗 ℓ 𝑘𝑘 𝑥𝑥 𝑥𝑥, 𝑔𝑔 𝑔𝑔 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 = 𝑘𝑘 . 𝑒𝑒𝑖𝑖 𝑗𝑗 𝑔𝑔𝑗𝑗 � 𝑝𝑝𝑖𝑖 𝑖𝑖=1 59 Discrete Log Attacks

• As before let {p1,…,pk} be set of prime numbers < B. • Step 1.A: Find > distinct values , … , such that = is B-smooth for each j. That is 𝑥𝑥𝑗𝑗 ℓ 𝑘𝑘 𝑥𝑥1 𝑥𝑥𝑘𝑘 𝑔𝑔𝑗𝑗 𝑔𝑔 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 , = 𝑘𝑘 . 𝑒𝑒𝑖𝑖 𝑗𝑗 𝑗𝑗 Step 1.B: Use linear algebra to 𝑔𝑔solve �the 𝑝𝑝equations𝑖𝑖 • 𝑖𝑖=1

= 𝑘𝑘 × , mod ( 1).

𝑗𝑗 𝐠𝐠 𝐢𝐢 𝑖𝑖 𝑗𝑗 𝑥𝑥 � 𝐥𝐥𝐥𝐥𝐥𝐥 𝐩𝐩 𝑒𝑒 𝑝𝑝 − (Note: the ’s are the𝑖𝑖= 1unknowns)

𝐥𝐥𝐥𝐥𝐥𝐥𝐠𝐠𝐩𝐩𝐢𝐢 60 Discrete Log

• As before let {p1,…,pk} be set of prime numbers < B.

• Step 1 (precomputation): Obtain y1,…,yk such that pi = . • Step 2: Given discrete log challenge h=gx mod p. 𝑦𝑦𝑖𝑖 • Find y such that h mod p is B-smooth 𝑔𝑔 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 𝑦𝑦 𝑔𝑔 h mod p = 𝑘𝑘 𝑦𝑦 𝑒𝑒𝑖𝑖 𝑔𝑔 � 𝑝𝑝𝑖𝑖 = 𝑘𝑘 = 𝑖𝑖=1 𝑦𝑦𝑖𝑖 𝑒𝑒𝑖𝑖 ∑𝑖𝑖 𝑒𝑒𝑖𝑖𝑦𝑦𝑖𝑖 � 𝑔𝑔 𝑔𝑔 𝑖𝑖=1

61 Discrete Log

• As before let {p1,…,pk} be set of prime numbers < B. • Step 1 (precomputation): Obtain y1,…,yk such that pi = . • Step 2: Given discrete log challenge h=gx mod p. 𝑦𝑦𝑖𝑖 • Find z such that h mod p is B-smooth 𝑔𝑔 𝑚𝑚𝑚𝑚𝑚𝑚 𝑝𝑝 h mod𝑧𝑧 p = = 𝑔𝑔 𝑧𝑧 =∑𝑖𝑖 𝑒𝑒𝑖𝑖𝑦𝑦𝑖𝑖 ∑𝑖𝑖 𝑒𝑒𝑖𝑖𝑦𝑦𝑖𝑖−𝑧𝑧 𝑔𝑔 𝑔𝑔 → ℎ 𝑔𝑔 → 𝑥𝑥 � 𝑒𝑒𝑖𝑖𝑦𝑦𝑖𝑖 − 𝑧𝑧 • Remark: Precomputation costs can𝑖𝑖 be amortized over many discrete log instances • In practice, the same group = and generator g are used repeatedly.

Reference: https://www.weakdh.org/ 𝔾𝔾 𝑔𝑔 62 NIST Guidelines (Concrete Security) Best known attack against 1024 bit RSA takes time (approximately) 280

63 NIST Guidelines (Concrete Security) Diffie-Hellman uses subgroup of size q ∗ ℤ𝑝𝑝

q=224 bits

q=256 bits

q=384 bits

q=512 bits