DOCSLIB.ORG

Cryptosystems Based on Discrete Logarithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptosystems Based on Discrete Logarithms Cryptosystems Based on Discrete Logarithms 1 Outline • Discrete Logarithm Problem • Cryptosystems Based on Discrete Logarithm – Encryption – Digital signature 2 Discrete logarithm problem (DLP) • A group GG is cyclic if there is an element α ∈ of order |G |. 012 ||1G − In this case, G = {}ααα, , ,… , α ; α is called a generator. • Let (G ,∗ ) be a finite group (not necessarily cyclic). Let α ∈Gn be an element of order . Then, 012n− 1 ααααα= {}, , ,… , is a cyclic (sub)group of order n. x • For any yxZy∈∈=αα, there is a unique n such that . This integer x is called the discrete logarithm (or index) of y with respect to base α. We write logα yx= . • The DLP is to compute logα yy for a given . 3 Frequently used settings *0122p− •= GZp. ααααα ={}, , ,… ,=G , where pG is a large prime, and α is a generator of . * (Zpp is cyclic when is prime.) *0121*q− •= GZpp. ααααα ={}, , ,… ,⊂Z , * where α ∈ Z p is an element of prime order q. • Elliptic curves defined over finite fields. • For these settings, there is no polynomial-time algorithm for DLP. 4 Example 1 * GZ==19 {1, 2, ..., 18}. * 2 is a generator. That is, Z19 = 2 . 201== 1, 2 2, 2 2 = 4, 2 3 = 8, 2 4 = 16, 2 5 = 13, 27,67== 214, … log2 7= 6 log2 14= 7 log2 12= ? 5 Example 2 * GZ==11 {}1, 2, …, 10 . G′ = 3 = {}1, 3, 9, 5, 4 . * 3 is a generator of GZ′, but not a generator of 11. log3 5= 3 log3 10= not defined 6 * DLP in Z p * • Let α be a generator of Zpp (a primitive root of unity modulo ). * 012 p−2 • Z1,2,,1p =−={} …… p {}ααα ,,,, α . Z p−1 = {}012, , , … , p − 2 . * x • Given yZ∈ pp, find the unique xZ∈=−1 such that yα modp . x * • That is, given α ∈ Z p , find x. * • There is a subexponential-time algorithm for DLP in Z p O nnlog i Index Calculus, O 2() , where np= log . () 7 DLP in (Zn ,+) Let α be a generator of Znn (any element coprime to ). Given yZ∈∈ nn, find the unique xZ−1 such that yx= α mod n. Easy or hard? 8 RSA vs. Discrete Logarithm • RSA is a one-way trapdoor function: xx⎯⎯⎯RSA→ e (easy) −1 xx←⎯RSA ⎯⎯ e (difficult) RSA−1 e d xxd←⎯ ⎯⎯ () ( is a trapdoor) • Logarithm is the inverse of exponetiation: x ⎯⎯⎯expα →α x (easy) x ←⎯logα ⎯⎯ α x (difficult) • log is hard to compute, so exp is a one-way function, but without a trapdoor. • An encryption scheme based on the difficulty of log will not simply encrypt x as α x . 9 Diffie-Hellman key agreement * 0 1 22p− •= Zpp{}ααα , , , … , α . Z −1 ={}01, , 22 , … , p − . • Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime p and a primitive * root (generator) α ∈ Zp . (p, α, not sec ret) a 2. Alice→← Bob: α modpaZ , where R1p− . b 3. Alice←← Bob: α modpbZ , where R1p− . 4. They agree on the key: α ab modp . ab * ab • Diffie-Hellman problem: given αα, ∈ Z p , compute α . • Diffie-Hellman assumption: the Diffie-Hellman problem is intractable. 10 * Ideas behind ElGamal encryption in Z p 0. Bob is to send a message m to Alice, who has private key xy and public key := α x . * 1. Regard m as an element in Zp . * 2. Use Diffie-Hellman to set up a temporary key key ∈ Z.p i Bob generates ααkk and computes key:== y (xk ). 3. Bob uses key to encrypt m as c:=⋅ m key . 4. Bob sends α k along with ck so that Alice can compute ey. 11 * ElGamal encryption in Z p 1. Key generation (e.g. for Alice): * •∈ choose a large prime p and a primitive root α Zp , where p −1 has a large prime factor. x •∈ randomly choose a number xZp−1 and compute y = α ; •= set sk(pp ,αα , x ) and pk =( , , y ). kk * 2. Encryption: Empk( )=∈ (α , my), where mZ p , k←R1 Z p− . −x 3. Decryption: Dabbask ( , )= . * 4. Remarks: All operations are done in Zp , ie. ., modulo p. The encryption scheme is non-deterministic. 12 Security of ElGamal encryption against CPA • Based on the Diffie-Hellman assumption. •≤ Diffie-Hellman problem discrete logarithm problem. •≤ Open problem: discrete logarithm Diffie-Hellman? Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure. 13 Security of ElGamal encryption against CCA •→ A function fG: G′ is homomorphic if fxyfxfy( ) = ( ) ( ). •=⋅ ElGamal encryption is homomorphic, Emm()()(),′′ Em Em in the following sense: k kk′′k If Em( ) = ()α , my and Em(′ )=⋅ (α , m′′y ), then Em( ) Em ( ) kk k′′ k kk ′ k k ′ kk++′ kk′ =()()(αα , my⋅=, m′′ y ααα, mymy )() =,mm′y is a valid encryption of mm′. • As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA). 14 * ElGamal signature in Z p 1. Key generation: same as in ElGamal encryption. * •∈ a large prime p and a primitive root α Zp . x •∈ a randomly chosen number xZp−1 and yp=α mod ; •= sk (p ,α ,x ) and pky= (p ,α , ). 2. To sign a message m∈ Z p−1, * •∈ randomly choose kZp−1; •= compute rsmrxkα k modpp and =−( )−1 mod(1− ) ; * •=∈× the signature is Smsk ( ) ( rs , ) Zp Zp−1 . 3. Verification: Vpk (mrs, , )= true if and only if * msr (mrs , , )∈×× Zppp−−11 Z Z and α ≡r y modp . 15 Ideas behind ElGamal signature * 012p− 2 •= Zpp{}ααα , , , … , α . Z −1 ={}012, , , … , p − 2 . • To sign a message m, Alice needs to show that she knows x. Besides, non-deterministic signature is desired. So, the signature should be a function of (mxk , , ), where k is randomly selected. •∈ The secret key x is an exponent; i.e., xZp−1. This suggests that mk and also be exponents, namely mkZ, ∈ p−1. • So, let the signature be a function of (mxk , , ) whose validity can be verified by using αααmxk, , . • The signer needs to send α k along with the signature. 16 • The main part of ElGamal signature is some value s satisfying s =−(mrxk )−1 mod (p −1). • To verify the validity of the signature, the verifier checks if the above condition is satisfied without knowing x and k: smrxk=−( )−1 mod (1)p − ⇒=+ mksrx mod (1)p − ⇒≡ αααmksrx modp ⇒≡ α msrry modp •=− Why smrxk( )−1 ? •=+=+=+ What about s km k′ x, s km rx, s( m rx ) k −1 , smx= (+ )k −1 ? (k′ is another random number.) 17 Security of ElGamal signature • Based on the assumed intractability of discrete logarithm. • Knowing the random kx implies knowing the secret key with high probability: since smrxk=−( )−1 mod ( p − 1), xmskrprp=−( )−1 mod( − 1) if −1 mod(− 1) exists. • Use a new k for each signing, or the adversary can compute k from two signatures smrx=−( )ksmr−1 and ′′ =( −xk)−1, by solving ss−≡′′( mmk − )−1 mod(p − 1). 18 Security of ElGamal signature (cont'd) • Existential forgery. Construct a message m and a valid signature (rs , ) as follows. * a) choose kc, ∈ Zp−1. b) set ry==α kcmod psrcp , −−−1 mod( 1), and mrkcp=−−1 mod( − 1). • Countermeasure: hash then sign. 19 Digital Signature Algorithm (DSA) - an NIST standard 0. Shnorr's idea: working in a subgroup of order qp will shorten the signature, desired for Smart Card applications. • ElGamal signature scheme uses: * 012p− 2 Zpp=={}ααα , , , … , α . Z −1 {}012, , , … , p − 2 . * A signature is (rs , )∈× Zpp Z−111≈ Z p−− × Z p . • DSA uses: 0bbbb 234 (1 qb− ) 01 q−1 gg=={}ααα, , , α, α, ……, α {,g , ,g} , where g = α b , bp=−( 1) q . A signature is (rs , )∈ Zqq× Z 20 1. Key generation • choose two primes pq and such that qp|(− 1). (qp , e.g., | q |== 160, | p | 1024.) * •∈ let gZp be an element of order q. * x •∈= randomly choose xZq and compute ygmodp ; • system parameters: (hpqg , , , ) •= skx( ) and pky =( ). (Remark: The DLP will be working in g .) 21 2. Signing: to sign a message m, * k •∈= randomly choose kZq ; compute r( g modp )modq . •=+ compute shmrxk( ( ) )−1 mod q. (use a different kr if ==0 or s0.) • (mr, ,s ) is the signed message. * 3. Verification: accept (mrs , , ) iff rs,∈ Zq and hm() r t −1 rgy==()( ) mod p mod q , where tsmod q . 22 DSA Correctness: if the message is signed correctly, the signature will be verified/accepted. shm=+( ( ))modrx k −1 q ⇒= khmrxt( ( ) + ) mod(q ts=−1 mod) q khmrx() t q ⇒≡ ggg()mod p (since g ≡ 1modp ) khmr() t ⇒≡ ggy()mod p kh()mrt ⇒= ggymod pp()mod kh()mrt ⇒ rg==( modp )mod q () ( gy )modp mod q 23 Remarks on DSA • SHA-1 is suggested for use as the hash function. • |qptt | = 160 bits, | |≤+ 512 64 , 0 ≤≤ 8. • Because a hash is used, there is no restriction on m. * • Why not work in Z p ? * • g is a subgroup of Zqp of order . • Shorter message length: |(rs , )| = 2 | q | bits, rather than 2 ||p . * • Why not work in Zqq ? The message length would be 2 ||, too. * • Reason: The Index Calculus method works for Zq but not for g . 24 * The index calculus method for Z p Factor base: Bppp= {}1,2 ,… ,b , a set of small primes. Ideas: Suppose logα pjj is known for all , 1 ≤≤jb. b * ei If yZ∈=pi factors over B, say, y∏ p, i=1 b then logα y =−∑epiilogα mod ( p 1). i=1 25 Step 1: calculate logα pjbj , 1≤ ≤ as follows: • choose cb>∈ random numbers x12,… , xcp Z− such that b xxiieij, αα factors over Bppic: ≡ ∏ j mod , 1≤≤ j=1 b • solve xeiij≡−∑ , logα p j mod (1pi), 1≤ ≤ c j=1 26 * Step 2: to compute logα yyZ , where ∈ p : r 1.
Load more

Recommended publications
  • A Public-Key Cryptosystem Based on Discrete Logarithm Problem Over Finite Fields 퐅퐩퐧
    IOSR Journal of Mathematics (IOSR-JM) e-ISSN: 2278-5728, p-ISSN: 2319-765X. Volume 11, Issue 1 Ver. III (Jan - Feb. 2015), PP 01-03 www.iosrjournals.org A Public-Key Cryptosystem Based On Discrete Logarithm Problem over Finite Fields 퐅퐩퐧 Saju M I1, Lilly P L2 1Assistant Professor, Department of Mathematics, St. Thomas’ College, Thrissur, India 2Associate professor, Department of Mathematics, St. Joseph’s College, Irinjalakuda, India Abstract: One of the classical problems in mathematics is the Discrete Logarithm Problem (DLP).The difficulty and complexity for solving DLP is used in most of the cryptosystems. In this paper we design a public key system based on the ring of polynomials over the field 퐹푝 is developed. The security of the system is based on the difficulty of finding discrete logarithms over the function field 퐹푝푛 with suitable prime p and sufficiently large n. The presented system has all features of ordinary public key cryptosystem. Keywords: Discrete logarithm problem, Function Field, Polynomials over finite fields, Primitive polynomial, Public key cryptosystem. I. Introduction For the construction of a public key cryptosystem, we need a finite extension field Fpn overFp. In our paper [1] we design a public key cryptosystem based on discrete logarithm problem over the field F2. Here, for increasing the complexity and difficulty for solving DLP, we made a proper additional modification in the system. A cryptosystem for message transmission means a map from units of ordinary text called plaintext message units to units of coded text called cipher text message units. The face of cryptography was radically altered when Diffie and Hellman invented an entirely new type of cryptography, called public key [Diffie and Hellman 1976][2].
    [Show full text]
  • 2.3 Diffie–Hellman Key Exchange
    2.3. Di±e{Hellman key exchange 65 q q q q q q 6 q qq q q q q q q 900 q q q q q q q qq q q q q q q q q q q q q q q q q 800 q q q qq q q q q q q q q q qq q q q q q q q q q q q 700 q q q q q q q q q q q q q q q q q q q q q q q q q q qq q 600 q q q q q q q q q q q q qq q q q q q q q q q q q q q q q q q qq q q q q q q q q 500 q qq q q q q q qq q q q q q qqq q q q q q q q q q q q q q qq q q q 400 q q q q q q q q q q q q q q q q q q q q q q q q q 300 q q q q q q q q q q q q q q q q q q qqqq qqq q q q q q q q q q q q 200 q q q q q q q q q q q q q q q q q q q q q q q q q q q q q q q q qq q q qq q q 100 q q q q q q q q q q q q q q q q q q q q q q q q q 0 q - 0 30 60 90 120 150 180 210 240 270 Figure 2.2: Powers 627i mod 941 for i = 1; 2; 3;::: any group and use the group law instead of multiplication.
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • The Discrete Log Problem and Elliptic Curve Cryptography
    THE DISCRETE LOG PROBLEM AND ELLIPTIC CURVE CRYPTOGRAPHY NOLAN WINKLER Abstract. In this paper, discrete log-based public-key cryptography is ex- plored. Specifically, we first examine the Discrete Log Problem over a general cyclic group and algorithms that attempt to solve it. This leads us to an in- vestigation of the security of cryptosystems based over certain specific cyclic × groups: Fp, Fp , and the cyclic subgroup generated by a point on an elliptic curve; we ultimately see the highest security comes from using E(Fp) as our group. This necessitates an introduction of elliptic curves, which is provided. Finally, we conclude with cryptographic implementation considerations. Contents 1. Introduction 2 2. Public-Key Systems Over a Cyclic Group G 3 2.1. ElGamal Messaging 3 2.2. Diffie-Hellman Key Exchanges 4 3. Security & Hardness of the Discrete Log Problem 4 4. Algorithms for Solving the Discrete Log Problem 6 4.1. General Cyclic Groups 6 × 4.2. The cyclic group Fp 9 4.3. Subgroup Generated by a Point on an Elliptic Curve 10 5. Elliptic Curves: A Better Group for Cryptography 11 5.1. Basic Theory and Group Law 11 5.2. Finding the Order 12 6. Ensuring Security 15 6.1. Special Cases and Notes 15 7. Further Reading 15 8. Acknowledgments 15 References 16 1 2 NOLAN WINKLER 1. Introduction In this paper, basic knowledge of number theory and abstract algebra is assumed. Additionally, rather than beginning from classical symmetric systems of cryptog- raphy, such as the famous Caesar or Vigni`ere ciphers, we assume a familiarity with these systems and why they have largely become obsolete on their own.
    [Show full text]
  • Sieve Algorithms for the Discrete Logarithm in Medium Characteristic Finite Fields Laurent Grémy
    Sieve algorithms for the discrete logarithm in medium characteristic finite fields Laurent Grémy To cite this version: Laurent Grémy. Sieve algorithms for the discrete logarithm in medium characteristic finite fields. Cryptography and Security [cs.CR]. Université de Lorraine, 2017. English. NNT : 2017LORR0141. tel-01647623 HAL Id: tel-01647623 https://tel.archives-ouvertes.fr/tel-01647623 Submitted on 24 Nov 2017 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. AVERTISSEMENT Ce document est le fruit d'un long travail approuvé par le jury de soutenance et mis à disposition de l'ensemble de la communauté universitaire élargie. Il est soumis à la propriété intellectuelle de l'auteur. Ceci implique une obligation de citation et de référencement lors de l’utilisation de ce document. D'autre part, toute contrefaçon, plagiat, reproduction illicite encourt une poursuite pénale. Contact : [email protected] LIENS Code de la Propriété Intellectuelle. articles L 122. 4 Code de la Propriété Intellectuelle. articles L 335.2- L 335.10 http://www.cfcopies.com/V2/leg/leg_droi.php
    [Show full text]
  • Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-Digit Experiment⋆
    Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment? Fabrice Boudot1, Pierrick Gaudry2, Aurore Guillevic2[0000−0002−0824−7273], Nadia Heninger3, Emmanuel Thomé2, and Paul Zimmermann2[0000−0003−0718−4458] 1 Université de Limoges, XLIM, UMR 7252, F-87000 Limoges, France 2 Université de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy, France 3 University of California, San Diego, USA In memory of Peter L. Montgomery Abstract. We report on two new records: the factorization of RSA-240, a 795-bit number, and a discrete logarithm computation over a 795-bit prime field. Previous records were the factorization of RSA-768 in 2009 and a 768-bit discrete logarithm computation in 2016. Our two computations at the 795-bit level were done using the same hardware and software, and show that computing a discrete logarithm is not much harder than a factorization of the same size. Moreover, thanks to algorithmic variants and well-chosen parameters, our computations were significantly less expensive than anticipated based on previous records. The last page of this paper also reports on the factorization of RSA-250. 1 Introduction The Diffie-Hellman protocol over finite fields and the RSA cryptosystem were the first practical building blocks of public-key cryptography. Since then, several other cryptographic primitives have entered the landscape, and a significant amount of research has been put into the development, standardization, cryptanalysis, and optimization of implementations for a large number of cryptographic primitives. Yet the prevalence of RSA and finite field Diffie-Hellman is still a fact: between November 11, 2019 and December 11, 2019, the ICSI Certificate Notary [21] observed that 90% of the TLS certificates used RSA signatures, and 7% of the TLS connections used RSA for key exchange.
    [Show full text]
  • Discrete Logarithm Based Protocols
    Discrete Logarithm Based Protocols Patrick Horster Hans- Joachim Knobloch University of Karlsruhe European Institute for System Security Am Fasanengarten 5 D-7500 Karlsruhe 1 FR Germany Abstract The Exponential Security System (TESS) developed at the European Institute for System Security is the result of an attempt to increase the security in heteroge- nous computer networks. In this paper we present the cryptographic protocols in the kernel of TESS. We show how they can be used to implement access control, authentication, confiden- tiality protection, key exchange, digital signatures and distributed network security management. We also look at the compatibility of TESS with existing standards, like the X.509 Directory Authentication Framework, and compare it to established systems like Kerberos. A comparison of TESS with the non-electronic “paper”-world of authentication and data exchange shows strong parallels. Finally we give a short overview of the current state of development and avail- ability of different TESS components. 1 Introduction During the last years a workinggroup at the European Institute for System Security devel- oped the network security system SELANE (Skure Local Area Network Environment) [BausSO]. The main part of the system is a family of cryptographic protocols based on the discrete logarithm problem. After the possible scope of applications of these protocols had been extended far beyond the originally anticipated area of LAN security, a larger system called TESS (The Exponential Security System) was formed. SELANE is the part of TESS dealing with network security. Another part is an electronic signature system named EES (Exponential Electronic Signature). D.W. Davies (Ed.): Advances in Cryptology - EUROCRYPT ’91, LNCS 547, pp.
    [Show full text]
  • 11.6 Discrete Logarithms Over Finite Fields
    Algorithms 61 11.6 Discrete logarithms over finite fields Andrew Odlyzko, University of Minnesota Surveys and detailed expositions with proofs can be found in [7, 25, 26, 28, 33, 34, 47]. 11.6.1 Basic definitions 11.6.1 Remark Discrete exponentiation in a finite field is a direct analog of ordinary exponentiation. The exponent can only be an integer, say n, but for w in a field F , wn is defined except when w = 0 and n ≤ 0, and satisfies the usual properties, in particular wm+n = wmwn and (for u and v in F )(uv)m = umvm. The discrete logarithm is the inverse function, in analogy with the ordinary logarithm for real numbers. If F is a finite field, then it has at least one primitive element g; i.e., all nonzero elements of F are expressible as powers of g, see Chapter ??. 11.6.2 Definition Given a finite field F , a primitive element g of F , and a nonzero element w of F , the discrete logarithm of w to base g, written as logg(w), is the least non-negative integer n such that w = gn. 11.6.3 Remark The value logg(w) is unique modulo q − 1, and 0 ≤ logg(w) ≤ q − 2. It is often convenient to allow it to be represented by any integer n such that w = gn. 11.6.4 Remark The discrete logarithm of w to base g is often called the index of w with respect to the base g. More generally, we can define discrete logarithms in groups.
    [Show full text]
  • Decisional Diffie-Hellman Problem (DDH)
    Course Business • Homework 3 Due Now • Homework 4 Released • Professor Blocki is travelling, but will be back next week 1 Cryptography CS 555 Week 11: • Discrete Log/DDH • Applications of DDH • Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters Readings: Katz and Lindell Chapter 8.4 & Chapter 9 Fall 2017 2 Recap: Cyclic Group • = = 0, 1, 2, … (g is generator) • If = then for each h and each integer 0 we have = ∈ ≥ ℎ ℎ Fact 1: Let p be a prime then is a cyclic group of order p-1. ∗ Fact 2: Number of generatorsℤ g s.t. of = is ∗ −1 Example (generator): p=7, g=5 ℤ −1 <2>={1,5,4,6,2,3} 3 Recap: Cyclic Group • = = 0, 1, 2, … (g is generator) • If = then for each h and each integer 0 we have = ∈ ≥ ℎ ℎ Fact 1: Let p be a prime then is a cyclic group of order p-1. Fact 2: Number of generators g∗ s.t. of = is ℤ ∗ −1 Proof: Suppose that = and let h = then ℤ −1 = , , ( ), ∗ ( ), … ℤ Recall: 0 2 1 :−1 03 = {0, −…1, 1} if and only if gcd(i,p-1)=1. ℎ − ≥ − 4 Recap Diffie-Hellman Problems Computational Diffie-Hellman Problem (CDH) • Attacker is given h1 = and h2 = . • Attackers goal is to find 1 = h1 = h22 • CDH Assumption: For all PPT1∈2 A there is2 a negligible∈1 function negl such that A succeeds with probability at most negl(n). Decisional Diffie-Hellman Problem (DDH) • Let z0 = and let z1 = , where x1,x2 and r are random • Attacker is given12 , and (for a random bit b) • Attackers goal is to guess1 2 b • DDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most ½ + negl(n).
    [Show full text]
  • Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside Sn
    cryptography Brief Report Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside Sn María Isabel González Vasco 1,*,†, Angela Robinson 2,† and Rainer Steinwandt 2,† 1 MACIMTE, Universidad Rey Juan Carlos, 28933 Móstoles, Madrid, Spain 2 Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA; [email protected] (A.R.); [email protected] (R.S.) * Correspondence: [email protected]; Tel.: +34-91-488-7605 † These authors contributed equally to this work. Received: 21 May 2018; Accepted: 16 July 201; Published: 19 July 2018 Abstract: In 2008, Doliskani et al. proposed an ElGamal-style encryption scheme using the symmetric group Sn as mathematical platform. In 2012, an improvement of the cryptosystem’s memory requirements was suggested by Othman. The proposal by Doliskani et al. in particular requires the discrete logarithm problem in Sn, using its natural representation, to be hard. Making use of the Chinese Remainder Theorem, we describe an efficient method to solve this discrete logarithm problem, yielding a polynomial time secret key recovery attack against Doliskani et al.’s proposal. Keywords: cryptanalysis; symmetric group; public key encryption 1. Introduction Discrete logarithm problems in certain representations of cyclic groups, such as subgroups of elliptic curves over prime fields, are a popular resource in the construction of cryptographic primitives. Widely deployed solutions for digital signatures and key establishment rely on the computational hardness of such discrete logarithm problems. Doliskani et al. proposed a cryptosystem in [1] which relies on the discrete logarithm problem inside the symmetric group Sn, using its standard representation, to be hard.
    [Show full text]
  • Discrete Logarithms Aurore Guillevic, François Morain
    Discrete Logarithms Aurore Guillevic, François Morain To cite this version: Aurore Guillevic, François Morain. Discrete Logarithms. Nadia El Mrabet; Marc Joye. Guide to pairing-based cryptography, CRC Press - Taylor and Francis Group, pp.42, 2016, 9781498729505. hal-01420485v1 HAL Id: hal-01420485 https://hal.inria.fr/hal-01420485v1 Submitted on 20 Dec 2016 (v1), last revised 13 Dec 2017 (v2) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. 9 Discrete Logarithms ∗ 9.1 Setting and First Properties ..................... 9-2 General Setting • The Pohlig-Hellman Reduction • A Tour of Possible Groups 9.2 Generic Algorithms .............................. 9-3 Shanks's Baby-Steps Giant-Steps Algorithm • The RHO Method • The Kangaroo Method • Solving Batch-DLP 9.3 Finite Fields ...................................... 9-15 Introduction • Index-Calculus Methods • Linear Algebra • The Number Field Sieve (NFS) • Number Field Sieve: Renements • Large Characteristic Non-Prime Fields • Medium Characteristic Fields • Small Characteristic: From the Function Field Sieve (FFS) to the Quasi-Polynomial-Time Aurore Guillevic Algorithm (QPA) • How to Choose Real-Size Finite INRIA-Saclay and École Polytechnique/LIX Field Parameters • Discrete logarithm algorithms in pairing-friendly target nite elds Fpn : August François Morain 2016 state-of-the-art École Polytechnique/LIX and CNRS and INRIA-Saclay References .............................................
    [Show full text]
  • The Past, Evolving Present and Future of Discrete Logarithm
    The Past, evolving Present and Future of Discrete Logarithm Antoine Joux, Andrew Odlyzko and Cécile Pierrot Abstract The first practical public key cryptosystem ever published, the Diffie-Hellman key exchange algorithm, relies for its security on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the security of a large variety of other public key systems and protocols. Since the introduction of the Diffie-Hellman key exchange more than three decades ago, there have been substantial algorithmic advances in the computation of discrete logarithms. However, in general the discrete logarithm problem is still considered to be hard. In particular, this is the case for the multiplicative group of finite fields with medium to large characteristic and for the additive group of a general elliptic curve. This paper presents a current survey of the state of the art concerning discrete logarithms and their computation. 1 Introduction 1.1 The Discrete Logarithm Problem Many popular public key cryptosystems are based on discrete exponentiation. If G is a multi- plicative group, such as the group of invertible elements in a finite field or the group of points on an elliptic curve, and g is an element of G, then gx is the discrete exponentiation of base g to the power x. This operation shares basic properties with ordinary exponentiation, for example gx+y = gx · gy. The inverse operation is, given h in G, to determine a value of x, if it exists, such that h = gx. Such a number x is called a discrete logarithm of h to the base g, since it shares many properties with the ordinary logarithm.
    [Show full text]