Cryptosystems Based on Discrete Logarithms 1 Outline • Discrete Logarithm Problem • Cryptosystems Based on Discrete Logarithm – Encryption – Digital signature 2 Discrete logarithm problem (DLP) • A group GG is cyclic if there is an element α ∈ of order |G |. 012 ||1G − In this case, G = {}ααα, , ,… , α ; α is called a generator. • Let (G ,∗ ) be a finite group (not necessarily cyclic). Let α ∈Gn be an element of order . Then, 012n− 1 ααααα= {}, , ,… , is a cyclic (sub)group of order n. x • For any yxZy∈∈=αα, there is a unique n such that . This integer x is called the discrete logarithm (or index) of y with respect to base α. We write logα yx= . • The DLP is to compute logα yy for a given . 3 Frequently used settings *0122p− •= GZp. ααααα ={}, , ,… ,=G , where pG is a large prime, and α is a generator of . * (Zpp is cyclic when is prime.) *0121*q− •= GZpp. ααααα ={}, , ,… ,⊂Z , * where α ∈ Z p is an element of prime order q. • Elliptic curves defined over finite fields. • For these settings, there is no polynomial-time algorithm for DLP. 4 Example 1 * GZ==19 {1, 2, ..., 18}. * 2 is a generator. That is, Z19 = 2 . 201== 1, 2 2, 2 2 = 4, 2 3 = 8, 2 4 = 16, 2 5 = 13, 27,67== 214, … log2 7= 6 log2 14= 7 log2 12= ? 5 Example 2 * GZ==11 {}1, 2, …, 10 . G′ = 3 = {}1, 3, 9, 5, 4 . * 3 is a generator of GZ′, but not a generator of 11. log3 5= 3 log3 10= not defined 6 * DLP in Z p * • Let α be a generator of Zpp (a primitive root of unity modulo ). * 012 p−2 • Z1,2,,1p =−={} …… p {}ααα ,,,, α . Z p−1 = {}012, , , … , p − 2 . * x • Given yZ∈ pp, find the unique xZ∈=−1 such that yα modp . x * • That is, given α ∈ Z p , find x. * • There is a subexponential-time algorithm for DLP in Z p O nnlog i Index Calculus, O 2() , where np= log . () 7 DLP in (Zn ,+) Let α be a generator of Znn (any element coprime to ). Given yZ∈∈ nn, find the unique xZ−1 such that yx= α mod n. Easy or hard? 8 RSA vs. Discrete Logarithm • RSA is a one-way trapdoor function: xx⎯⎯⎯RSA→ e (easy) −1 xx←⎯RSA ⎯⎯ e (difficult) RSA−1 e d xxd←⎯ ⎯⎯ () ( is a trapdoor) • Logarithm is the inverse of exponetiation: x ⎯⎯⎯expα →α x (easy) x ←⎯logα ⎯⎯ α x (difficult) • log is hard to compute, so exp is a one-way function, but without a trapdoor. • An encryption scheme based on the difficulty of log will not simply encrypt x as α x . 9 Diffie-Hellman key agreement * 0 1 22p− •= Zpp{}ααα , , , … , α . Z −1 ={}01, , 22 , … , p − . • Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime p and a primitive * root (generator) α ∈ Zp . (p, α, not sec ret) a 2. Alice→← Bob: α modpaZ , where R1p− . b 3. Alice←← Bob: α modpbZ , where R1p− . 4. They agree on the key: α ab modp . ab * ab • Diffie-Hellman problem: given αα, ∈ Z p , compute α . • Diffie-Hellman assumption: the Diffie-Hellman problem is intractable. 10 * Ideas behind ElGamal encryption in Z p 0. Bob is to send a message m to Alice, who has private key xy and public key := α x . * 1. Regard m as an element in Zp . * 2. Use Diffie-Hellman to set up a temporary key key ∈ Z.p i Bob generates ααkk and computes key:== y (xk ). 3. Bob uses key to encrypt m as c:=⋅ m key . 4. Bob sends α k along with ck so that Alice can compute ey. 11 * ElGamal encryption in Z p 1. Key generation (e.g. for Alice): * •∈ choose a large prime p and a primitive root α Zp , where p −1 has a large prime factor. x •∈ randomly choose a number xZp−1 and compute y = α ; •= set sk(pp ,αα , x ) and pk =( , , y ). kk * 2. Encryption: Empk( )=∈ (α , my), where mZ p , k←R1 Z p− . −x 3. Decryption: Dabbask ( , )= . * 4. Remarks: All operations are done in Zp , ie. ., modulo p. The encryption scheme is non-deterministic. 12 Security of ElGamal encryption against CPA • Based on the Diffie-Hellman assumption. •≤ Diffie-Hellman problem discrete logarithm problem. •≤ Open problem: discrete logarithm Diffie-Hellman? Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure. 13 Security of ElGamal encryption against CCA •→ A function fG: G′ is homomorphic if fxyfxfy( ) = ( ) ( ). •=⋅ ElGamal encryption is homomorphic, Emm()()(),′′ Em Em in the following sense: k kk′′k If Em( ) = ()α , my and Em(′ )=⋅ (α , m′′y ), then Em( ) Em ( ) kk k′′ k kk ′ k k ′ kk++′ kk′ =()()(αα , my⋅=, m′′ y ααα, mymy )() =,mm′y is a valid encryption of mm′. • As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA). 14 * ElGamal signature in Z p 1. Key generation: same as in ElGamal encryption. * •∈ a large prime p and a primitive root α Zp . x •∈ a randomly chosen number xZp−1 and yp=α mod ; •= sk (p ,α ,x ) and pky= (p ,α , ). 2. To sign a message m∈ Z p−1, * •∈ randomly choose kZp−1; •= compute rsmrxkα k modpp and =−( )−1 mod(1− ) ; * •=∈× the signature is Smsk ( ) ( rs , ) Zp Zp−1 . 3. Verification: Vpk (mrs, , )= true if and only if * msr (mrs , , )∈×× Zppp−−11 Z Z and α ≡r y modp . 15 Ideas behind ElGamal signature * 012p− 2 •= Zpp{}ααα , , , … , α . Z −1 ={}012, , , … , p − 2 . • To sign a message m, Alice needs to show that she knows x. Besides, non-deterministic signature is desired. So, the signature should be a function of (mxk , , ), where k is randomly selected. •∈ The secret key x is an exponent; i.e., xZp−1. This suggests that mk and also be exponents, namely mkZ, ∈ p−1. • So, let the signature be a function of (mxk , , ) whose validity can be verified by using αααmxk, , . • The signer needs to send α k along with the signature. 16 • The main part of ElGamal signature is some value s satisfying s =−(mrxk )−1 mod (p −1). • To verify the validity of the signature, the verifier checks if the above condition is satisfied without knowing x and k: smrxk=−( )−1 mod (1)p − ⇒=+ mksrx mod (1)p − ⇒≡ αααmksrx modp ⇒≡ α msrry modp •=− Why smrxk( )−1 ? •=+=+=+ What about s km k′ x, s km rx, s( m rx ) k −1 , smx= (+ )k −1 ? (k′ is another random number.) 17 Security of ElGamal signature • Based on the assumed intractability of discrete logarithm. • Knowing the random kx implies knowing the secret key with high probability: since smrxk=−( )−1 mod ( p − 1), xmskrprp=−( )−1 mod( − 1) if −1 mod(− 1) exists. • Use a new k for each signing, or the adversary can compute k from two signatures smrx=−( )ksmr−1 and ′′ =( −xk)−1, by solving ss−≡′′( mmk − )−1 mod(p − 1). 18 Security of ElGamal signature (cont'd) • Existential forgery. Construct a message m and a valid signature (rs , ) as follows. * a) choose kc, ∈ Zp−1. b) set ry==α kcmod psrcp , −−−1 mod( 1), and mrkcp=−−1 mod( − 1). • Countermeasure: hash then sign. 19 Digital Signature Algorithm (DSA) - an NIST standard 0. Shnorr's idea: working in a subgroup of order qp will shorten the signature, desired for Smart Card applications. • ElGamal signature scheme uses: * 012p− 2 Zpp=={}ααα , , , … , α . Z −1 {}012, , , … , p − 2 . * A signature is (rs , )∈× Zpp Z−111≈ Z p−− × Z p . • DSA uses: 0bbbb 234 (1 qb− ) 01 q−1 gg=={}ααα, , , α, α, ……, α {,g , ,g} , where g = α b , bp=−( 1) q . A signature is (rs , )∈ Zqq× Z 20 1. Key generation • choose two primes pq and such that qp|(− 1). (qp , e.g., | q |== 160, | p | 1024.) * •∈ let gZp be an element of order q. * x •∈= randomly choose xZq and compute ygmodp ; • system parameters: (hpqg , , , ) •= skx( ) and pky =( ). (Remark: The DLP will be working in g .) 21 2. Signing: to sign a message m, * k •∈= randomly choose kZq ; compute r( g modp )modq . •=+ compute shmrxk( ( ) )−1 mod q. (use a different kr if ==0 or s0.) • (mr, ,s ) is the signed message. * 3. Verification: accept (mrs , , ) iff rs,∈ Zq and hm() r t −1 rgy==()( ) mod p mod q , where tsmod q . 22 DSA Correctness: if the message is signed correctly, the signature will be verified/accepted. shm=+( ( ))modrx k −1 q ⇒= khmrxt( ( ) + ) mod(q ts=−1 mod) q khmrx() t q ⇒≡ ggg()mod p (since g ≡ 1modp ) khmr() t ⇒≡ ggy()mod p kh()mrt ⇒= ggymod pp()mod kh()mrt ⇒ rg==( modp )mod q () ( gy )modp mod q 23 Remarks on DSA • SHA-1 is suggested for use as the hash function. • |qptt | = 160 bits, | |≤+ 512 64 , 0 ≤≤ 8. • Because a hash is used, there is no restriction on m. * • Why not work in Z p ? * • g is a subgroup of Zqp of order . • Shorter message length: |(rs , )| = 2 | q | bits, rather than 2 ||p . * • Why not work in Zqq ? The message length would be 2 ||, too. * • Reason: The Index Calculus method works for Zq but not for g . 24 * The index calculus method for Z p Factor base: Bppp= {}1,2 ,… ,b , a set of small primes. Ideas: Suppose logα pjj is known for all , 1 ≤≤jb. b * ei If yZ∈=pi factors over B, say, y∏ p, i=1 b then logα y =−∑epiilogα mod ( p 1). i=1 25 Step 1: calculate logα pjbj , 1≤ ≤ as follows: • choose cb>∈ random numbers x12,… , xcp Z− such that b xxiieij, αα factors over Bppic: ≡ ∏ j mod , 1≤≤ j=1 b • solve xeiij≡−∑ , logα p j mod (1pi), 1≤ ≤ c j=1 26 * Step 2: to compute logα yyZ , where ∈ p : r 1.