DISCRETE LOGARITHM PROBLEM
1. CONTENTS
INTRODUCTION
DEFINITION
ELGAMAL PUBLIC KEY CRYPTOSYSTEM
DIFFIE-HELLMAN KEY EXCHANGE
ALGORITHM FOR DLP
Baby-step giant-step
Pohlig–Hellman algorithm
Pollard rho algorithm
Reduction of DLP hard problem
REFERENCES
2. INTRODUCTION
The theme of this presentation is public-key cryptosystems based on the discrete logarithm problem. The first and best known of these is the ElGamal cryptosystem. The discrete logarithm problem forms the basis of numerous cryptographic protocols.
In this presentation we survey the methods known for solving the discrete logarithm problem α^i = β in various groups G.
3. DEFINITION
Consider a finite group (G, ·). Let α ∈ G be an element of order n, and let ⟨α⟩ = {α^i : 0 ≤ i ≤ n − 1}.
The discrete logarithm problem (DLP) is: given β ∈ ⟨α⟩, find the unique integer i, 0 ≤ i ≤ n − 1, such that
α^i = β.
This integer is written i = log_α β.
α is usually chosen to be a primitive element, i.e. a generator of G, so that ⟨α⟩ is the whole group.
Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem (modulo p).
In the ElGamal method, the difficulty of solving the discrete logarithm problem yields a good cryptosystem.
4. ELGAMAL PUBLIC KEY CRYPTOSYSTEM
Let p be a prime such that the DLP in (Z_p^*, ·) is hard, let α be a primitive element, and let
P (plaintext) = Z_p^* and C (ciphertext) = Z_p^* × Z_p^*.
Define K = {(p, α, a, β) : α^a ≡ β (mod p)}, where p, α, β are public and a is the private key.
For a given key k = (p, α, a, β) and a secret random number r ∈ Z_{p−1}^*, define
e_k(x, r) = (y_1, y_2), where
y_1 = α^r mod p and y_2 = x β^r mod p.
For y_1, y_2 ∈ Z_p^*, define
d_k(y_1, y_2) = y_2 (y_1^a)^{−1} mod p.
Example:
Suppose p = 2579 and α = 2 is a primitive element mod p. Let a = 765, so β = 2^765 mod p = 949.
Alice wants to send the message x = 1299 to Bob. Alice chooses the random number r = 853.
Then Alice computes y_1 = 2^853 mod 2579 = 435 and y_2 = 1299 × 949^853 mod 2579 = 2396.
When Bob receives the ciphertext y = (435, 2396), he computes
x = 2396 × (435^765)^{−1} mod 2579 = 1299,
which was the plaintext that Alice encrypted.
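The ElGamal example above, worked in code. This is an added illustration written for this page, not code from the slides or from any library; it uses only the slide's values (p = 2579, α = 2, a = 765, x = 1299, r = 853).

```python
# Added example: ElGamal key setup, encryption and decryption over Z_p^*,
# run on the slide's numbers (p = 2579, alpha = 2, a = 765, x = 1299, r = 853).
# Illustration code written for this page, not from any library.

def elgamal_public_key(p, alpha, a):
    """beta = alpha^a mod p; (p, alpha, beta) is public, a stays private."""
    return pow(alpha, a, p)

def elgamal_encrypt(p, alpha, beta, x, r):
    """e_k(x, r) = (y1, y2) with y1 = alpha^r, y2 = x * beta^r (mod p).
    r must be fresh per message: if r is reused, the ratio y2 / y2' of two
    ciphertexts equals x / x', which leaks plaintext relations to an observer."""
    if not 1 <= x < p:
        raise ValueError("plaintext must be an element of Z_p^*")
    y1 = pow(alpha, r, p)
    y2 = (x * pow(beta, r, p)) % p
    return y1, y2

def elgamal_decrypt(p, a, y1, y2):
    """d_k(y1, y2) = y2 * (y1^a)^-1 mod p; note y1^a = alpha^(r a) = beta^r."""
    shared = pow(y1, a, p)
    return (y2 * pow(shared, -1, p)) % p

def slide_example():
    """Reproduce the slide: returns (beta, y1, y2, recovered plaintext)."""
    p, alpha, a = 2579, 2, 765
    beta = elgamal_public_key(p, alpha, a)               # 949
    y1, y2 = elgamal_encrypt(p, alpha, beta, 1299, 853)  # (435, 2396)
    x = elgamal_decrypt(p, a, y1, y2)                    # 1299
    return beta, y1, y2, x

if __name__ == "__main__":
    print(slide_example())
```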
5. DIFFIE-HELLMAN KEY EXCHANGE
Choose a prime p and a generator α of Z_p^*, and publish both. In the example below p = 17 and α = 3.
ALICE (private key 15):
Alice uses her private key and sends 3^15 mod 17 = 6 publicly to Bob.
Alice then uses the public value received from Bob: 12^15 mod 17 = 10.
Her key is 10.
BOB (private key 13):
Bob uses his private key and sends 3^13 mod 17 = 12 publicly to Alice.
Bob then uses the public value received from Alice: 6^13 mod 17 = 10.
His key is 10.
EVE (the middle man) sees only the public values 6 and 12; to recover a private key she must solve 3^X ≡ Y (mod 17), which is a discrete logarithm problem.
Key exchange completed.
6. DISCRETE LOGARITHM PROBLEM ALGORITHMS
1. Generic algorithms: work in any cyclic group
(a) Brute force
(b) Shanks' baby-step/giant-step algorithm
(c) Pohlig–Hellman algorithm
(d) Pollard's rho algorithm
2. Non-generic algorithms: work only in specific groups, particularly in Z_p^*
(a) Index calculus method
7. Shanks' baby-step/giant-step algorithm
The baby-step/giant-step algorithm is a time-memory trade-off: it reduces the time of a brute-force search at the cost of extra storage.
Input: elements g, h ∈ G and the order of G, |G| = q.
Output: log_g h.
t = ⌊√q⌋
For i = 0 to ⌈q/t⌉:
  compute g_i = g^{i·t}
Sort the pairs (i, g_i) by their second component.
This is the baby-step phase; it requires about √q steps and stores about √q group elements.
For i = 1 to t:
  compute h_i = h · g^i
  if h_i = g_k for some k, return (k·t − i) mod q
This is the giant-step phase.
COMPLEXITY: The baby-step giant-step method requires O(√q) computational steps and O(√q) memory.
8. EXAMPLE
We show an application of the algorithm in the cyclic group Z_29^* of order q = 29 − 1 = 28.
Take g = 2 and h = 17.
We set t = ⌊√28⌋ = 5 and compute
2^0 = 1, 2^5 = 3, 2^10 = 9, 2^15 = 27, 2^20 = 23, 2^25 = 11
(it should be understood that all operations are in Z_29^*).
Then compute:
17·2^1 = 5, 17·2^2 = 10, 17·2^3 = 20, 17·2^4 = 11,
and notice that 17·2^4 = 11 = 2^25.
We thus have log_2 17 = 25 − 4 = 21.
Hence 2^21 ≡ 17 (mod 29).
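The baby-step/giant-step procedure of the previous slide in code, run on this example (g = 2, h = 17 in Z_29^*). This is an added example written for this page, not the slides' own code; it differs from the slide only in also trying i = 0 in the second phase, which catches the case h = g^{k·t}.

```python
# Added example (not from the slides): Shanks' baby-step/giant-step as described
# on the slide, with t = floor(sqrt(q)), a table of g^(i*t), then h * g^i lookups.
from math import isqrt

def bsgs(g, h, p, q):
    """Return x with g^x = h (mod p), where g has order q in Z_p^*,
    or None if h is not a power of g."""
    t = max(1, isqrt(q))                  # t = floor(sqrt(q)), as on the slide
    # Phase 1: table of g^(i*t) for i = 0 .. ceil(q/t); about sqrt(q) entries.
    # A dict replaces the slide's "sort by second component" step.
    table = {}
    for i in range(0, -(-q // t) + 1):    # -(-q // t) is ceil(q / t)
        table.setdefault(pow(g, i * t, p), i)
    # Phase 2: h * g^i for i = 0 .. t. The slide starts at i = 1; i = 0 is added
    # so that h = g^(k*t) (e.g. h = 1) is also found.
    for i in range(0, t + 1):
        h_i = (h * pow(g, i, p)) % p
        if h_i in table:
            k = table[h_i]
            return (k * t - i) % q        # g^(k*t) = h * g^i  =>  h = g^(k*t - i)
    return None

def slide_example():
    """log_2 17 in Z_29^* (q = 28): expected 21."""
    return bsgs(2, 17, 29, 28)

if __name__ == "__main__":
    print(slide_example())
```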
9. POHLIG–HELLMAN ALGORITHM
Let φ(p) = p − 1 = ∏_i p_i^{e_i}, where p − 1 is smooth, i.e. has no large prime factors. Suppose a ≡ b^x (mod p). Find x.
For each prime power p_i^{e_i}, write x = p_i^{e_i} q_i + r_i. Then
a^{φ(p)/p_i^{e_i}} ≡ (b^x)^{φ(p)/p_i^{e_i}}
≡ (b^{p_i^{e_i} q_i + r_i})^{φ(p)/p_i^{e_i}}
≡ (b^{p_i^{e_i} q_i})^{φ(p)/p_i^{e_i}} · (b^{r_i})^{φ(p)/p_i^{e_i}}
≡ (b^{φ(p)})^{q_i} · b^{r_i φ(p)/p_i^{e_i}}
≡ b^{r_i φ(p)/p_i^{e_i}} (mod p),
since b^{φ(p)} ≡ 1 (mod p) by Fermat's little theorem.
Find r_i ∈ {0, …, p_i^{e_i} − 1} such that a^{φ(p)/p_i^{e_i}} ≡ b^{r_i φ(p)/p_i^{e_i}} (mod p), thereby solving x ≡ r_i (mod p_i^{e_i}).
Solve all these congruences together by the Chinese remainder theorem.
TIME COMPLEXITY: The running time of the algorithm clearly depends on the prime factors of the group order. To prevent the attack, the group order must have its largest prime factor in the range of 2^160.
10. EXAMPLE
2^x ≡ 41 (mod 211). Find x.
p = 211, so φ(p) = p − 1 = 210 = 2 · 3 · 5 · 7 ("p − 1 is smooth").
a = 41 = 2^x. Find x.
Taking p_1 = 7 and writing x = 7q + r (to find q and r):
a^{φ(p)/7} = (2^x)^{φ(p)/7} = (2^{7q+r})^{φ(p)/7} = (2^{7q})^{φ(p)/7} · (2^r)^{φ(p)/7} = (2^{φ(p)})^q · 2^{r φ(p)/7} ≡ 2^{r φ(p)/7} = 2^{r·2·3·5} (mod 211).
So a^{φ(p)/7} ≡ 2^{r·2·3·5} (mod 211).
Test r ∈ {0, 1, 2, 3, 4, 5, 6} for 41^{2·3·5} ≡ (2^{2·3·5})^r (mod 211); this gives r = 3, so x ≡ 3 (mod 7).
Similarly for p_2 = 5, we get x ≡ 2 (mod 5).
Similarly for p_3 = 3, we get x ≡ 2 (mod 3).
Similarly for p_4 = 2, we get x ≡ 1 (mod 2).
By the Chinese remainder theorem we get
x ≡ 17 (mod 210).
Hence 2^17 ≡ 41 (mod 211).
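The Pohlig–Hellman procedure of slides 9 and 10 in code, run on this example (2^x ≡ 41 mod 211). This is an added example written for this page, not the slides' own code; it goes slightly beyond the slide in that it handles prime powers p_i^{e_i} with e_i > 1 (by searching r_i over the whole range 0 … p_i^{e_i} − 1, exactly as the derivation states) and includes its own trial-division factoring and CRT helpers.

```python
# Added example (not the slides' code): Pohlig-Hellman for a prime modulus p with
# smooth p-1, following the derivation above. For each prime power m = p_i^e_i of
# p-1, find r_i with a^((p-1)/m) = b^(r_i (p-1)/m) by trying every r_i < m,
# then combine x = r_i (mod m) over all i with the Chinese remainder theorem.

def factor(n):
    """Trial division: return {prime: exponent} for n (fine for smooth n)."""
    fac, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fac[d] = fac.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac

def crt(residues, moduli):
    """Smallest x >= 0 with x = r_i (mod m_i), for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, mi)) % mi)
        m *= mi
    return x % m

def pohlig_hellman(b, a, p):
    """Solve b^x = a (mod p) for a generator b of Z_p^*; returns x mod p-1."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor(n).items():
        m = q ** e
        base = pow(b, n // m, p)      # b^((p-1)/m), an element of order m
        target = pow(a, n // m, p)    # a^((p-1)/m) = base^(x mod m) by the derivation
        r = next((r for r in range(m) if pow(base, r, p) == target), None)
        if r is None:
            raise ValueError("a is not in the subgroup generated by b")
        residues.append(r)
        moduli.append(m)
    return crt(residues, moduli)

def slide_example():
    """2^x = 41 (mod 211): x = 3 (mod 7), 2 (mod 5), 2 (mod 3), 1 (mod 2) => 17."""
    return pohlig_hellman(2, 41, 211)

if __name__ == "__main__":
    print(slide_example())
```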
11. Pollard's rho discrete logarithm algorithm
Let α be a generator of a cyclic group G of order n and β an element of G. Find log_α β.
The idea is to compute integers s and t such that β^s = α^t; then log_α β = t · s^{−1} mod n (when s is invertible mod n).
1. Partition G into three roughly equal-sized sets S_1, S_2 and S_3, and let x_0 = 1, where x_0 is not in S_2. Let
x_{i+1} = β x_i for x_i ∈ S_1,
x_{i+1} = x_i^2 for x_i ∈ S_2,
x_{i+1} = α x_i for x_i ∈ S_3.
Writing x_i = β^{a_i} α^{b_i}, the exponents are updated as
a_{i+1} = a_i + 1 mod n for x_i ∈ S_1, 2a_i mod n for x_i ∈ S_2, a_i for x_i ∈ S_3;
b_{i+1} = b_i for x_i ∈ S_1, 2b_i mod n for x_i ∈ S_2, b_i + 1 mod n for x_i ∈ S_3,
where n = p − 1 when G = Z_p^*, and the starting point is (x_0, a_0, b_0) = (1, 0, 0).
2. Use (x_{i−1}, a_{i−1}, b_{i−1}) to compute (x_i, a_i, b_i), and use (x_{2i−2}, a_{2i−2}, b_{2i−2}) to compute (x_{2i}, a_{2i}, b_{2i}).
3. If x_i = x_{2i}, then do the following:
set r = b_i − b_{2i};
if gcd(r, n) ≠ 1, then return 'failure';
else return r (a_{2i} − a_i)^{−1} mod n.
12. EXAMPLE
α = 2 is a generator of the subgroup G of Z_383^* of order n = 191. Suppose β = 228; find log_2 228.
Solution: Partition G into three subsets:
S_1 = {x ∈ G : x ≡ 1 (mod 3)},
S_2 = {x ∈ G : x ≡ 0 (mod 3)},
S_3 = {x ∈ G : x ≡ 2 (mod 3)}.
Running the iteration, we find x_14 = x_28 = 144, with b_14 = 12, b_28 = 10 and a_28 − a_14 = 66, so
r = 12 − 10 = 2, and
r (a_{2i} − a_i)^{−1} mod n = 2 (a_28 − a_14)^{−1} mod 191 = 2 · 66^{−1} mod 191 = 33^{−1} mod 191 = 110.
Hence 2^110 ≡ 228 (mod 383).
COMPLEXITY: The time complexity of Pollard's rho method is O(√|G|) computations.
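The rho iteration of slides 11 and 12 in code, with the same partition (by x mod 3), the same starting point (1, 0, 0) and Floyd's x_i versus x_{2i} comparison, run on this example (α = 2, β = 228 in the order-191 subgroup of Z_383^*). This is an added example written for this page, not the slides' own code; in addition to the slide's gcd(r, n) check it also refuses to invert a_{2i} − a_i when that difference is 0 mod n.

```python
# Added example (not from the slides): Pollard's rho for discrete logarithms with
# the three-way partition and Floyd cycle finding described above. Returns
# log_alpha(beta) mod n, or None for the slide's 'failure' case.
from math import gcd

def pollard_rho_dlog(alpha, beta, p, n):
    """log_alpha(beta) in the subgroup of Z_p^* of (prime) order n generated by alpha."""
    def step(x, a, b):
        # Invariant: x = beta^a * alpha^b. Partition by x mod 3: S1 = 1, S2 = 0, S3 = 2.
        if x % 3 == 1:                                   # S1: multiply by beta
            return (beta * x) % p, (a + 1) % n, b
        if x % 3 == 0:                                   # S2: square
            return (x * x) % p, (2 * a) % n, (2 * b) % n
        return (alpha * x) % p, a, (b + 1) % n           # S3: multiply by alpha

    x, a, b = 1, 0, 0        # (x_0, a_0, b_0); x_0 = 1 is in S1, not S2, as required
    X, A, B = x, a, b        # the x_{2i} sequence, advanced twice per iteration
    for i in range(1, 2 * n):
        x, a, b = step(x, a, b)
        X, A, B = step(*step(X, A, B))
        if x == X:           # x_i = x_2i, so beta^(a_i - a_2i) = alpha^(b_2i - b_i)
            r = (b - B) % n              # r = b_i - b_2i
            d = (A - a) % n              # a_2i - a_i
            if gcd(r, n) != 1 or d == 0:
                return None              # 'failure': rerun with another x_0 / partition
            return (r * pow(d, -1, n)) % n
    return None

def slide_example():
    """alpha = 2, beta = 228, p = 383, n = 191: collision at x_14 = x_28 = 144, log = 110."""
    return pollard_rho_dlog(2, 228, 383, 191)

if __name__ == "__main__":
    print(slide_example())
```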
13. Reduction of DLP hard problem
Some algorithms run faster than the naive algorithm, some of them in time proportional to the square root of the size of the group. However, none of them runs in polynomial time.
Let A and B be two computational problems. A is said to polytime reduce to B, written A ≤ B, if
(a) there is an algorithm which solves A using an algorithm which solves B, and
(b) this algorithm runs in polynomial time if the algorithm for B does.
Assume we have an efficient algorithm to solve problem B. We can then use this algorithm to give an efficient algorithm for problem A.
14. REFERENCES
1. Nigel Smart, Cryptography: An Introduction (3rd edition).
2. A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography.
3. Christof Paar and Jan Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners, Springer.