This document discusses generating prime numbers for use in digital signature algorithms. It provides an overview of groups and subgroups, defines finite cyclic groups, and explains that groups of prime order are cyclic. It then describes how the Digital Signature Algorithm works, including choosing safe primes p and q, calculating public parameters, generating signatures, and verifying signatures. It also discusses attacks on the algorithm such as index calculus and Pollard's rho algorithm, and why certain parameters are chosen to strengthen security against these attacks.
2. Overview of Groups and Subgroups 1
• A group is any nonempty set G together with a binary operation on G which is:
• (i) associative: a(bc) = (ab)c for all a, b, c ∈ G
• (ii) has an identity element e ∈ G, so that ae = ea = a for all a ∈ G
• (iii) for every a ∈ G there is an element b ∈ G such that ab = e; b is called the inverse of a.
• (iv) if ac = ca for all a, c ∈ G, then the group is called Abelian or commutative.
3. Overview of Groups and Subgroups 2
• A subgroup is a subset H of a group G that is itself a group under the operation of G.
• We write H < G to denote that H is a proper subgroup of G.
• |G| = number of elements in G = order of G
• |H| = number of elements in H = order of H
• The order of H always divides the order of G.
4. Finite Cyclic Groups
• A group G is called cyclic if there is an element a in G such that G = {a^n | n ∈ Z}.
• If G' is a cyclic group generated by c, we write G' = ‹c›.
• |‹c›| = order of the group generated by the group element c.
• In a cyclic group, the order of every element divides the order of the group.
• If d is a positive divisor of n (the order of G), the number of elements of order d in a cyclic group of order n is φ(d).
5. Every Group of Prime Order is Cyclic
• A group of prime order n is a non-trivial group satisfying the following equivalent conditions:
[1] It has exactly two distinct subgroups: the trivial subgroup and the whole group.
[2] It is a simple abelian group.
Here it is important to note that if a group has prime order, the only possible orders of its elements are 1 and |G|, hence every element other than the identity generates the whole group. This is what makes such groups useful in the DLP, DSA and many other cryptographic applications.
6. Digital Signature Algorithm … 1
• Alice hashes the message with a hash function that produces a 160-bit output.
• Alice chooses a safe prime p, i.e. one where q = (p-1)/2 is also prime.
• Here is the reason why we have p = 2q+1.
• Generally we have p = jq+1, with a subgroup of order q that is also very large, to thwart a brute-force attack on DH.
• We also want to ensure that our generator g, which generates the subgroup, does not have order equal to j or one of its divisors, so our algorithm never selects a small subgroup whose order is less than q.
7. Digital Signature Algorithm … 2
• Let g = h^j > 1. Then g^q = (h^((p-1)/q))^q = h^(p-1) = 1, and since q is prime the order of g cannot be less than q, so it is exactly q. Let us take an example:
• Take q = 47, try j = 2.
• p = 2·47 + 1 = 95, which is not prime, so try a different j.
• Try j = 6.
• p = 6·47 + 1 = 283, which is prime (282 = 47·6).
• Now select a random h with 1 < h < p-1; take h = 5:
  g = 5^6 mod 283 = 60 ≠ 1.
8. Digital Signature Algorithm … 3
• As 282 = 47·6, the subgroups of interest have order 47 or 6; there are φ(47) = 46 elements of order 47 and φ(6) = 2 elements of order 6.
• Now let us see how we find the elements of order 47. We know that the first generator is 6 (= 282/47) and the other elements are 6j with gcd(j, 47) = 1.
• These are the elements of Z/282Z which have order 47:
• the non-zero multiples of 6, i.e. the 6j with 47·6j ≡ 0 (mod 282): {±6, ±12, …} (mod 282).
• ((Z/283Z)^×, ×) ≅ (Z/282Z, +), which means that the multiplicative group Z_283^* is isomorphic to the additive group Z_282.
9. Digital Signature Algorithm … 4
• Let's check this with Z_31^* ≅ Z_30^+ under the mapping φ: [a^k]_31 -> [k]_30. We want to know which elements have order 5. Element 3 is a generator of Z_31^*, so take a = 3.
• 30/5 = 6, so in Z/30Z the candidates are the multiples of 6, {0, 6, 12, 18, 24}; we only have to search through 3^6 (mod 31), 3^12 (mod 31), … and they are {16, 8, 4, 2}.
Now in our case we have 46 elements (excluding 1) of order 47, namely:
• [1, 4, 15, 16, 29, 38, 42, 51, 54, 60, 61, 64, 66, 71, 78, 86, 106, 111, 116, 127, 134, 141, 151, 152, 155, 158, 161, 163, 168, 175, 181, 199, 204, 207, 216, 225, 230, 240, 244, 250, 251, 253, 256, 262, 264, 275, 281]
• We selected g = 60 earlier; in fact we can use any value other than 1 from the above set, each of which has order 47. For example, 251^47 ≡ 1 (mod 283).
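The subgroup arithmetic of slides 7 to 9 can be checked directly. The following Python script is an added example and is not part of the original slides: it recomputes g = h^((p-1)/q) for p = 283, q = 47, h = 5, lists the order-47 subgroup, counts elements by order with φ, and reproduces the Z_31^* check through the isomorphism with Z_30^+. The function names are my own; PAGE_SUBGROUP_283 is the list from slide 9.

```python
# Added example (not from the slides): subgroup arithmetic for p = 283, q = 47.
from math import gcd

# The order-47 subgroup of Z_283^* as listed on slide 9 (47 elements incl. 1).
PAGE_SUBGROUP_283 = [1, 4, 15, 16, 29, 38, 42, 51, 54, 60, 61, 64, 66, 71, 78, 86,
                     106, 111, 116, 127, 134, 141, 151, 152, 155, 158, 161, 163,
                     168, 175, 181, 199, 204, 207, 216, 225, 230, 240, 244, 250,
                     251, 253, 256, 262, 264, 275, 281]

def multiplicative_order(x, p):
    """Order of x in Z_p^* (p prime); plain iteration, fine for toy sizes."""
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k

def phi(n):
    """Euler's totient by counting units, enough for the small d used here."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def subgroup_generator(h, p, q):
    """g = h^((p-1)/q) mod p. Since g^q = h^(p-1) = 1 and q is prime,
    g is either 1 (discard this h) or has order exactly q."""
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h = %d gives g = 1; pick another h" % h)
    return g

def order_q_subgroup(p, q):
    """Every element of the order-q subgroup is some h^((p-1)/q) mod p."""
    return sorted({pow(h, (p - 1) // q, p) for h in range(1, p)})

def elements_of_order(d, p):
    """Elements of Z_p^* with order exactly d; there are phi(d) of them."""
    return sorted(x for x in range(1, p) if multiplicative_order(x, p) == d)

def primitive_root(p):
    """Smallest generator of the cyclic group Z_p^*."""
    return next(a for a in range(2, p) if multiplicative_order(a, p) == p - 1)

def order_d_via_additive_group(a, p, d):
    """Slide 9's shortcut: with a a generator, Z_p^* ~ Z_(p-1)^+ via a^k -> k,
    so the elements of order d are a^k for the multiples k of (p-1)/d with
    gcd(k / ((p-1)/d), d) = 1. Only d candidates need to be examined."""
    step = (p - 1) // d
    return {pow(a, k, p) for k in range(step, p - 1, step) if gcd(k // step, d) == 1}

if __name__ == "__main__":
    p, q, h = 283, 47, 5
    g = subgroup_generator(h, p, q)
    print("g =", g, "order", multiplicative_order(g, p))      # 60, 47
    print(order_q_subgroup(p, q) == PAGE_SUBGROUP_283)         # True
    print(len(elements_of_order(47, p)), phi(47))              # 46 46
    print(len(elements_of_order(6, p)), phi(6))                # 2 2
    print(sorted(order_d_via_additive_group(3, 31, 5)))        # [2, 4, 8, 16]
    print(pow(251, 47, p))                                     # 1
```

order_q_subgroup confirms that the slide's list is exactly the set of sixth powers mod 283, and order_d_via_additive_group applied with a generator of Z_283^* and d = 47 returns the same set without the identity.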
10. Digital Signature Algorithm … 5
• Now we have p, q, g.
• Calculate α ≡ g^((p-1)/q) (mod p).
• Select a secret a such that 1 ≤ a < q-1.
• Calculate β ≡ α^a (mod p).
• Publish (p, q, α, β) and keep a secret.
11. Digital Signature Algorithm … 6
• One signs the message m by the following procedure:
• Select a random k such that 0 < k < q-1.
• Compute r = (α^k (mod p)) (mod q).
• Compute s ≡ k^(-1)(m + ar) (mod q).
• The signature for message m is (r, s); it is sent to the other party along with m.
12. Digital Signature Algorithm … 7
• Verifying the signature:
Download (p, q, α, β).
Compute u1 ≡ s^(-1) m (mod q) and u2 ≡ s^(-1) r (mod q).
Compute v = (α^u1 β^u2 (mod p)) (mod q).
Accept the signature iff v = r.
13. Digital Signature Algorithm … 8
• How does it work?
• We know that m ≡ ks - ar (mod q).
• Then s^(-1) m ≡ k - ar s^(-1) (mod q), so
  k ≡ s^(-1) m + ar s^(-1) ≡ u1 + a·u2 (mod q).
• Therefore α^k = α^(u1 + a·u2) = α^u1 β^u2 (mod p), and reducing both sides mod q gives r = v.
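The key generation, signing and verification steps of slides 10 to 13, as an added Python example that is not part of the original slides. It uses the toy parameters from the slides (p = 283, q = 47, h = 5) and, since the slides' message is a 160-bit hash read as an integer, takes m directly as a small integer reduced mod q. The rejection of r = 0 or s = 0 is my addition: the slides do not mention it, but verification needs s^(-1) mod q to exist. Function names are my own.

```python
# Added example (not from the slides): DSA keygen, sign, verify on the toy parameters.
import secrets

def dsa_params(p, q, h):
    """g = h^((p-1)/q) and alpha = g^((p-1)/q) (mod p), exactly as the slides do."""
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("bad h: g = 1")
    alpha = pow(g, (p - 1) // q, p)
    return g, alpha

def keygen(p, q, alpha, a=None):
    """Secret a with 1 <= a < q-1, public beta = alpha^a mod p."""
    if a is None:
        a = 1 + secrets.randbelow(q - 2)
    return a, pow(alpha, a, p)

def sign(m, p, q, alpha, a, k=None):
    """(r, s) with r = (alpha^k mod p) mod q and s = k^-1 (m + a r) mod q.
    k is drawn fresh per signature if not supplied (0 < k < q-1)."""
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(q - 2)
        r = pow(alpha, kk, p) % q
        s = (pow(kk, -1, q) * (m + a * r)) % q
        if r != 0 and s != 0:       # added check: s must be invertible mod q
            return r, s
        if k is not None:
            raise ValueError("supplied k gives r = 0 or s = 0; choose another k")

def verify(m, r, s, p, q, alpha, beta):
    """Accept iff v = (alpha^u1 beta^u2 mod p) mod q equals r."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (w * m) % q, (w * r) % q
    v = (pow(alpha, u1, p) * pow(beta, u2, p) % p) % q
    return v == r

def nonce_identity_holds(m, r, s, q, a, k):
    """Slide 13's derivation: k = u1 + a*u2 (mod q), which is why v = r."""
    w = pow(s, -1, q)
    u1, u2 = (w * m) % q, (w * r) % q
    return (u1 + a * u2) % q == k % q

if __name__ == "__main__":
    p, q, h = 283, 47, 5
    g, alpha = dsa_params(p, q, h)          # g = 60, alpha = 230
    a, beta = keygen(p, q, alpha, a=7)      # beta = 111
    m = 20                                  # stands in for the hash value, mod q
    r, s = sign(m, p, q, alpha, a, k=11)    # (40, 23)
    print("signature", (r, s))
    print("valid   ", verify(m, r, s, p, q, alpha, beta))        # True
    print("tampered", verify(m + 1, r, s, p, q, alpha, beta))    # False
    print("k == u1 + a*u2 mod q:", nonce_identity_holds(m, r, s, q, a, 11))  # True
    # A fresh random k gives a different (r, s) that still verifies.
    r2, s2 = sign(m, p, q, alpha, a)
    print("random-k signature verifies:", verify(m, r2, s2, p, q, alpha, beta))
```

The fixed a = 7 and k = 11 are only there so the intermediate values can be checked by hand against the slides' formulas; with the arguments omitted both are drawn from secrets, which is what a real implementation does.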
14. Attacks on Z_p^* and the Subgroup of Order q
• The size of p in Z_p^* is determined by the index calculus attack. The standard method for breaking discrete logarithms over a field such as Z_p^* is known as index calculus; it depends on the group in which the discrete logarithm of interest is set.
• In our example we selected p = 283 and q = 47, so (p-1)/q = 6, but the element 6 is not in the subgroup of order q. Picking a subgroup which contains no small elements of the main group formed by p gives robust cryptographic security.
• In the absence of small elements we cannot use the sub-exponential-time index calculus method to recover the discrete logarithm.
15. Index Calculus
• Let p be a prime number and g a primitive root modulo p, so that for every natural number B coprime to p there exists some integer e with B ≡ g^e (mod p).
• A primitive root modulo n exists iff n is 1, 2, 4, p^k or 2p^k for an odd prime p and k ∈ N.
• We set ind_g(B) = e where e is the smallest natural number with g^e ≡ B (mod p).
• If p is prime, then ind_g(A·B) ≡ ind_g(A) + ind_g(B) (mod p-1).
16. Index Calculus … Example
• Solve 5^x ≡ 9451 (mod 10007); choose the factor base B = {2, 3, 5, 7}.
We have to find exponents whose powers of 5 factor completely over B:
• 5^4063 mod 10007 = 42 = 2·3·7
• 5^5136 mod 10007 = 54 = 2·3^3
• 5^9865 mod 10007 = 189 = 3^3·7
These give the linear congruences:
• log_5 2 + log_5 3 + log_5 7 ≡ 4063 (mod 10006)
• log_5 2 + 3·log_5 3 ≡ 5136 (mod 10006)
• 3·log_5 3 + log_5 7 ≡ 9865 (mod 10006)
17. Index Calculus … Example
Solving these gives log_5 2 = 6578, log_5 3 = 6190 and log_5 7 = 1301.
Choose a random exponent s = 7736 and compute
A·g^s = 9451·5^7736 mod 10007 = 8400 = 2^4·3·5^2·7
log_5 9451 = (4·log_5 2 + log_5 3 + 2·log_5 5 + log_5 7 - s) mod 10006
= (4·6578 + 6190 + 2·1 + 1301 - 7736) mod 10006
= 6057
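The three phases of the slides 16 and 17 example (relation collection by trial division over the factor base, solving the congruences mod p-1, and the final step with a random exponent s) in Python, as an added example that is not part of the original slides. The exponents 4063, 5136, 9865 and s = 7736 are the ones the slides use; the Gauss-Jordan elimination mod p-1 is my own small routine and only handles systems in which a unit pivot is always available, which is the case here. Function names are my own.

```python
# Added example (not from the slides): index calculus for 5^x = 9451 (mod 10007).
from math import gcd

P, G, TARGET = 10007, 5, 9451
FACTOR_BASE = [2, 3, 5, 7]

def factor_over_base(n, base):
    """Exponent vector of n over base, or None if n is not base-smooth."""
    exps = []
    for b in base:
        e = 0
        while n % b == 0:
            n //= b
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def collect_relations(g, p, base, exponents):
    """Keep those exponents e for which g^e mod p factors over the base."""
    rels = []
    for e in exponents:
        v = factor_over_base(pow(g, e, p), base)
        if v is not None:
            rels.append((v, e))
    return rels

def solve_mod(rows, n):
    """Gauss-Jordan elimination over Z/nZ on [coeffs | rhs] rows. Because
    n = p-1 is composite, each pivot must be a unit mod n; a row with a unit
    pivot is chosen for every column, and an error is raised if none exists."""
    a = [list(r) for r in rows]
    m = len(a)
    for col in range(m):
        piv = next((i for i in range(col, m) if gcd(a[i][col], n) == 1), None)
        if piv is None:
            raise ValueError("no unit pivot in column %d" % col)
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, n)
        a[col] = [(x * inv) % n for x in a[col]]
        for i in range(m):
            if i != col and a[i][col]:
                f = a[i][col]
                a[i] = [(x - f * y) % n for x, y in zip(a[i], a[col])]
    return [r[m] for r in a]

def solve_base_logs(g, p, base, rels):
    """log_g b for every b in base. log_g g = 1 is known, so that column moves
    to the right-hand side and the remaining square system is solved mod p-1."""
    unknown = [b for b in base if b != g]
    rows = []
    for v, e in rels:
        known = v[base.index(g)] if g in base else 0
        rows.append([v[base.index(b)] for b in unknown] + [(e - known) % (p - 1)])
    logs = dict(zip(unknown, solve_mod(rows, p - 1)))
    logs[g] = 1
    return logs

def final_step(target, g, p, base, logs, s):
    """If target*g^s mod p is base-smooth, log_g target = sum v_i log_g b_i - s."""
    v = factor_over_base(target * pow(g, s, p) % p, base)
    if v is None:
        return None
    return (sum(vi * logs[b] for vi, b in zip(v, base)) - s) % (p - 1)

if __name__ == "__main__":
    rels = collect_relations(G, P, FACTOR_BASE, [4063, 5136, 9865])
    print(rels)                       # [([1, 1, 0, 1], 4063), ([1, 3, 0, 0], 5136), ([0, 3, 0, 1], 9865)]
    logs = solve_base_logs(G, P, FACTOR_BASE, rels)
    print(logs)                       # {2: 6578, 3: 6190, 7: 1301, 5: 1}
    x = final_step(TARGET, G, P, FACTOR_BASE, logs, 7736)
    print(x, pow(G, x, P) == TARGET)  # 6057 True
```

In a real run the exponents are drawn at random and only the smooth ones are kept; the slides skip that search and hand over three exponents that happen to be smooth, which is why collect_relations is called with that fixed list here. The cost of the whole method grows with p, not with the order of the subgroup, which is the point slide 14 makes about choosing the size of p.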
18. Pollard Rho Attack
The Pollard rho attack is efficient when p-1 is B-smooth, that is, when (p-1)/q has many small prime factors.
The complexity of the Pollard rho method is determined by the size of the base group G on which the random walk is performed and by the running time of the iterating function. Reducing either of these two factors speeds up the Pollard rho method.
Hence we select the prime q to be at least 160 bits long.