sign in sign up
<<
Home , Discrete logarithm

Cryptosystems Based on Discrete

1 Outline

• Discrete Problem • Cryptosystems Based on Discrete Logarithm – Encryption –

2 Discrete logarithm problem (DLP) • A GG is cyclic if there is an element α ∈ of |G |. In this case, G = {}ααα012 , , α,… α , ||1G − ; is called a generator. • Let (G ,∗ ) be a (not necessarily cyclic). Let α ∈Gn be an element of order . Then, αααα= {}012 , , ,… ,n− 1 is α a cyclic (sub)group of order n .

x • For any yxZy∈∈=αα , there is a unique n such that . This x is called the discrete logarithm (or index) of y

with respect to base α . We write logα yx= .

• The DLP is to compute logα yy for a given .

3 Frequently used settings

*0122p− •= GZp . αααα ={} , , ,… ,= αG , where pG is a large prime, and α is a generator of . * (Zpp is cyclic when is prime.)

*0121*q− •= GZpp . αααα ={} , , ,… ,⊂ αZ , * where α ∈ Z p is an element of prime order q . • Elliptic curves defined over finite fields. • For these settings, there is no polynomial-time for DLP.

4 Example 1

* GZ==19 {1, 2, ..., 18}.

* 2 is a generator. That is, Z19 = 2 . 201== 1, 2 2, 2 2 = 4, 2 3 = 8, 2 4 = 16, 2 5 = 13, 27,67== 214, … log2 7= 6 log2 14= 7 log2 12= ?

5 Example 2

* GZ==11 {}1, 2, … , 10 .

G′ = 3 = {} 1, 3, 9, 5, 4 .

* 3 is a generator of GZ′ , but not a generator of 11 . log3 5= 3 log3 10= not defined

6 * DLP in Z p

* • Let α be a generator of Zpp (a primitive root of unity modulo ).

* 012 p−2 • Z1,2,,1p =−={} …… p {}ααα ,,,, α .

Z p−1 = {}012 , , , … , p − 2 .

* x • Given yZ∈ pp , find the unique xZ∈=−1 such that yα modp .

x * • That is, given α ∈ Z p , find x .

* • There is a subexponential-time algorithm for DLP in Z p

O()nnlog i Index Calculus, O () 2 , where np= log .

7 DLP in (Zn ,+)

Let α be a generator of Znn (any element coprime to ).

Given yZ∈∈ nn , find the unique xZ−1 such that yx= α mod n.

Easy or hard?

8 RSA vs. Discrete Logarithm • RSA is a one-way : xx⎯⎯⎯RSA→ e (easy)

−1 xx←⎯RSA ⎯⎯ e (difficult)

−1 d xxd←⎯RSA ⎯⎯ ()e ( is a trapdoor) • Logarithm is the inverse of exponetiation: x ⎯⎯⎯expα →α x (easy) x ←⎯logα ⎯⎯ α x (difficult) • log is hard to compute, so exp is a one-way function, but without a trapdoor. • An encryption scheme based on the difficulty of log will not simply encrypt x as α x . 9 Diffie-Hellman key agreement

* 0 1 22p− •= Zpp{}ααα , , α, … , . Z −1 ={}01 , , 22 , … , p − . • Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime p and a primitive * root (generator) α ∈ Zp . (p, α , not sec ret) a 2. Alice→← Bob: α modpaZ , where R1p− . b 3. Alice←← Bob: α modpbZ , where R1p− . 4. They agree on the key: α ab modp . ab * ab • Diffie-Hellman problem: given αα , ∈ Z p , compute α . • Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.

10 * Ideas behind ElGamal encryption in Z p 0. Bob is to send a message m to Alice, who has private key xy and public key := α x .

* 1. Regard m as an element in Zp .

* 2. Use Diffie-Hellman to set up a temporary key key ∈ Z.p i Bob generates ααkk and computes key :== y (xk ).

3. Bob uses key to encrypt m as c :=⋅ m key .

4. Bob sends α k along with ck so that Alice can compute ey .

11 * ElGamal encryption in Z p 1. Key generation (e.g. for Alice): * •∈ choose a large prime p and a primitive root α Zp , where p − 1 has a large prime factor. x •∈ randomly choose a number xZp−1 and compute y = α ; •= set sk (pp ,αα , x ) and pk = ( , , y ). kk * 2. Encryption: Empk( )=∈ (α , my ), where m Z p , k←R1 Z p− . −x 3. Decryption: Dabbask ( , )= . * 4. Remarks: All operations are done in Zp , ie . ., modulo p . The encryption scheme is non-deterministic.

12 Security of ElGamal encryption against CPA • Based on the Diffie-Hellman assumption. •≤ Diffie-Hellman problem discrete logarithm problem. •≤ Open problem: discrete logarithm Diffie-Hellman?

Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.

13 Security of ElGamal encryption against CCA •→ A function fG : G′ is homomorphic if fxyfxfy ( ) = ( ) ( ).

•=⋅ ElGamal encryption is homomorphic, Emm ()()(),′′ Em Em in the following sense: If Em ( ) = ()α k , mykkand Em(′ )=⋅α ′′ , m′′yk , then ( Em( ) Em ( ) ) =()()(ααkk , my⋅= k′′ , m′′ y k ααkk ′, mymy k k ′ = αkk++′,mm′y kk′ )() is a valid encryption of mm′ .

• As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).

14 * ElGamal signature in Z p 1. Key generation: same as in ElGamal encryption. * •∈ a large prime p and a primitive root α Zp . x •∈ a randomly chosen number xZp−1 and yp=α mod ; •= sk (p ,α ,x ) and pky= (p ,α , ).

2. To sign a message m∈ Z p−1 , * •∈ randomly choose kZp−1 ; •= compute rsmrxkα k modpp and =− ( )−1 mod(1− ) ; * •=∈× the signature is Smsk ( ) ( rs , ) Zp Zp−1 .

3. Verification: Vpk (mrs, , )= true if and only if * msr (mrs , , )∈×× Zppp−−11 Z Z and α ≡r y modp .

15 Ideas behind ElGamal signature

* 012p− 2 •= Zpp{}ααα , , ,α … , . Z −1 ={}012 , , , … , p − 2 . • To sign a message m , Alice needs to show that she knows x . Besides, non-deterministic signature is desired. So, the signature should be a function of (mxk , , ), where k is randomly selected.

•∈ The secret key x is an exponent; i.e., xZp−1 . This suggests

that mk and also be exponents, namely mkZ , ∈ p−1 . • So, let the signature be a function of (mxk , , ) whose validity can be verified by using αααmxk , , . • The signer needs to send α k along with the signature.

16 • The main part of ElGamal signature is some value s satisfying s =− (mrxk )−1 mod (p −1). • To verify the validity of the signature, the verifier checks if the above condition is satisfied without knowing x and k: smrxk=− ( )−1 mod (1)p − ⇒=+ mksrx mod (1)p − ⇒≡ αααmksrx modp ⇒≡ α msrry modp •=− Why smrxk ( )−1 ? •=+=+=+ What about s km k′ x , s km rx , s ( m rx ) k −1 , smx= (+ )k −1 ? (k′ is another random number.)

17 Security of ElGamal signature • Based on the assumed intractability of discrete logarithm. • Knowing the random kx implies knowing the secret key with high probability: since smrxk=− ( )−1 mod ( p − 1), xmskrprp=− ( )−1 mod( − 1) if −1 mod(− 1) exists. • Use a new k for each signing, or the adversary can compute k from two signatures smrx=−( )ksmr−1 and ′′ =( −xk)−1, by solving ss−≡′′( mmk − )−1 mod(p − 1).

18 Security of ElGamal signature (cont'd) • Existential forgery. Construct a message m and a valid signature (rs , ) as follows. * a) choose kc , ∈ Zp−1 . b) set ry==α kc mod psrcp , −−−1 mod( 1), and mrkcp=−−1 mod( − 1).

• Countermeasure: hash then sign.

19 Digital Signature Algorithm (DSA) - an NIST standard 0. Shnorr's idea: working in a of order qp will shorten the signature, desired for Smart Card applications.

• ElGamal signature scheme uses:

* 012p− 2 Zpp=={}ααα , , ,α … , . Z −1 {}012 , , , … , p − 2 . * A signature is (rs , )∈× Zpp Z−111≈ Z p−− × Z p . • DSA uses:

gg=={}ααα0 , bbbb , 234 , α α , α , …… , (1 qb− ) {01 ,g , ,gq−1} ,

where g = α b , bp=− ( 1) q .

A signature is (rs , )∈ Zqq× Z 20 1. Key generation • choose two primes pq and such that qp|(− 1) . (qp , e.g., | q |== 160, | p | 1024.) * •∈ let gZp be an element of order q . * x •∈= randomly choose xZq and compute yg modp ; • system parameters: (hpqg , , , ) •= skx ( ) and pky = ( ).

(Remark: The DLP will be working in g .)

21 2. Signing: to sign a message m , * k •∈= randomly choose kZq ; compute r ( g modp )modq . •=+ compute shmrxk ( ( ) )−1 mod q. (use a different kr if == 0 or s 0.) • (mr, ,s ) is the signed message.

* 3. Verification: accept (mrs , , ) iff rs ,∈ Zq and rgy==() (hm() r ) t mod p mod q , where ts−1mod q .

22 DSA Correctness: if the message is signed correctly, the signature will be verified/accepted. shm=+ ( ( ))modrx k −1 q ⇒= khmrxt ( ( ) + ) mod(q ts=−1 mod) q

t ⇒≡ gggkhmrx()() mod p (since g q ≡ 1modp )

t ⇒≡ ggykhmr()() mod p

t ⇒= ggykh mod pp()()mrmod

⇒ rg== (kh modp )mod q () ( g()myr)modtp mod q

23 Remarks on DSA • SHA-1 is suggested for use as the hash function. • |qptt | = 160 bits, | |≤+ 512 64 , 0 ≤≤ 8. • Because a hash is used, there is no restriction on m . * • Why not work in Z p ? * • g is a subgroup of Zqp of order . • Shorter message length: |(rs , )| = 2 | q | bits , rather than 2 ||p . * • Why not work in Zqq ? The message length would be 2 ||, too. * • Reason: The Index Calculus method works for Zq but not for g .

24 * The index calculus method for Z p

Factor base: Bppp= {}1,2 ,… ,b , a set of small primes.

Ideas: Suppose logα pjj is known for all , 1 ≤≤jb.

b * ei If yZ∈=pi factors over B , say, y∏ p , i=1 b then logα y =−∑epiilogα mod ( p 1). i=1

25 Step 1: calculate logα pjbj , 1≤ ≤ as follows:

• choose cb>∈ random numbers x12 ,… , xcp Z− such that b xxiieij, αα factors over Bppic : ≡ ∏ j mod , 1≤≤ j=1 b • solve xeiij≡−∑ , logα p j mod (1pi), 1≤ ≤ c j=1

26 * Step 2: to compute logα yyZ , where ∈ p : r 1. Choose r ∈R1Z p− and try to factor yα over B . Repeat this untill success (or giving up). b r ei 2. Then we have yppα ≡ ∏ i mod , and i=1 b logα y + r ≡−∑epiilogα mod ( p 1) i=1 ⎛ b ⎞ logα y =−+⎜ re∑ iilogα pp⎟ mod ( −1) ⎝ i=1 ⎠

27