This document discusses the discrete logarithm problem (DLP) over prime fields and its generalizations. It begins by defining the DLP and providing an example. It then discusses why the DLP is important as the basis for Diffie-Hellman key exchange. Various algorithms for solving the DLP are mentioned. The document goes on to discuss generalizations of the DLP to other algebraic structures like elliptic curves. It also discusses the Smart attack for solving the DLP on anomalous elliptic curves. Finally, it proposes an approach to convert the DLP modulo a prime p to the DLP modulo the composite p(p-1) by using properties of Fermat quotients and Carmichael's function.
This Presentation Elliptical Curve Cryptography give a brief explain about this topic, it will use to enrich your knowledge on this topic. Use this ppt for your reference purpose and if you have any queries you'll ask questions.
The following slides explains about elliptic curves, their interpretation over Gallois finite fields, algorithms that reduces arithmetic computational requirements and primarly applications of the ECC.
Elliptic Curve Cryptography for those who are afraid of mathsMartijn Grooten
A low level introduction into elliptic curve cryptography, as presented at BSides San Francisco 2016.
NB don't be put off by the 100 slides; every transition is on its own slide.
Flow Base Programming with Node-RED and Functional Reactive Programming with ...Sven Beauprez
To overcome callback hell in node.js, the presentation gives an overview of the advantages of using Flow Based Programming with node-RED and Functional Reactive Programming with Bacon.js.
The presentation was made for IoTBE (Internet of Things Belgium) user group to prove that node.js can actually be used for the Internet of Things (IoT).
This Presentation Elliptical Curve Cryptography give a brief explain about this topic, it will use to enrich your knowledge on this topic. Use this ppt for your reference purpose and if you have any queries you'll ask questions.
The following slides explains about elliptic curves, their interpretation over Gallois finite fields, algorithms that reduces arithmetic computational requirements and primarly applications of the ECC.
Elliptic Curve Cryptography for those who are afraid of mathsMartijn Grooten
A low level introduction into elliptic curve cryptography, as presented at BSides San Francisco 2016.
NB don't be put off by the 100 slides; every transition is on its own slide.
Flow Base Programming with Node-RED and Functional Reactive Programming with ...Sven Beauprez
To overcome callback hell in node.js, the presentation gives an overview of the advantages of using Flow Based Programming with node-RED and Functional Reactive Programming with Bacon.js.
The presentation was made for IoTBE (Internet of Things Belgium) user group to prove that node.js can actually be used for the Internet of Things (IoT).
The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.
This report to document the RSA code and how it works from encrypting certain message to how to decrypt it using general and private keys which will be generated in the given code.
The Advanced Encryption Standard, also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S.
this presentation is on block cipher modes which are used for encryption and decryption to any message.That are Defined by the National Institute of Standards and Technology . Block cipher modes of operation are part of symmetric key encryption algorithm.
i hope you may like this.
The presentation include:
-Diffie hellman key exchange algorithm
-Primitive roots
-Discrete logarithm and discrete logarithm problem
-Attacks on diffie hellman and their possible solution
-Key distribution center
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsNIT Sikkim
ECC was developed in 1985 independently by Neal Koblitz and Victor Miller. Both men saw the application of the elliptic curve discrete log problem (ECDLP) as a replacement for the conventional discrete log problem (DLP) which is used in DSA, and the integer factorization problem found in RSA. For both problems, sub-exponential solutions have been generated; the
same which cannot be said for ECDLP . In addition to offering increased security for a smaller key size, operations of adding and doubling can be optimized successfully on a mobile
platform . ECC offers a viable replacement to the most common public-key cryptography algorithms on mobile devices.
Cryptography is the practice and study of techniques for conveying information security.
The goal of Cryptography is to allow the intended recipients of the message to receive the message securely.
The most famous algorithm used today is RSA algorithm
this pdf contain simple method to install one of important MPLS service MPLS L3VPN and explain how mpls distribute labels
use simple routing protocol with customer (static route) to initiate L3VPN
Backtracking is a general algorithm for finding all (or some) solutions to some computational problems, notably constraint satisfaction problems, that incrementally builds candidates to the solutions, and abandons each partial candidate c ("backtracks") as soon as it determines that c cannot possibly be completed to a valid solution.
Slides for a college cryptography course at CCSF. Instructor: Sam Bowne
Based on: Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar, Jan Pelzl, and Bart Preneel, ISBN: 3642041000 ASIN: B014P9I39Q
See https://samsclass.info/141/141_F17.shtml
Two fish & Rijndael (AES) Encryption AlgorithmRifat Tasnim
In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the
U.S. government. Back in 1997 the National Institute of Standards and Technology (NIST) made a public call for new cipher
algorithms that could replace the DES. A rough summary of
the requirements made by NIST for the new AES were the
following:
Symmetric-key cipher
Block cipher
Support for 128 bit block sizes
Support for 128, 192, and 256 bit key lengths.
A combination of factors such as security, performance,
efficiency, ease of implementation and flexibility contributed
to the selection of this algorithm as the AES.Twofish and Rijndael were designed to meet the requirements of the
Advanced Encryption Standard(AES) competition and selected among five finalists of that
competition.
Rijndael is the block cipher algorithm recently chosen by the National Institute of Science and Technology (NIST) as the Advanced Encryption Standard (AES). It supercedes the Data Encryption Standard (DES). NIST selected Rijndael as the standard symmetric key encryption algorithm to be used to encrypt sensitive (unclassified) American federal information. The choice was based on a careful and comprehensive analysis of the security and efficiency characteristics of Rijndael's algorithm.
The Cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as implementation/design of my exploit scripts, too.
This report to document the RSA code and how it works from encrypting certain message to how to decrypt it using general and private keys which will be generated in the given code.
The Advanced Encryption Standard, also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S.
this presentation is on block cipher modes which are used for encryption and decryption to any message.That are Defined by the National Institute of Standards and Technology . Block cipher modes of operation are part of symmetric key encryption algorithm.
i hope you may like this.
The presentation include:
-Diffie hellman key exchange algorithm
-Primitive roots
-Discrete logarithm and discrete logarithm problem
-Attacks on diffie hellman and their possible solution
-Key distribution center
Discrete Logarithmic Problem- Basis of Elliptic Curve CryptosystemsNIT Sikkim
ECC was developed in 1985 independently by Neal Koblitz and Victor Miller. Both men saw the application of the elliptic curve discrete log problem (ECDLP) as a replacement for the conventional discrete log problem (DLP) which is used in DSA, and the integer factorization problem found in RSA. For both problems, sub-exponential solutions have been generated; the
same which cannot be said for ECDLP . In addition to offering increased security for a smaller key size, operations of adding and doubling can be optimized successfully on a mobile
platform . ECC offers a viable replacement to the most common public-key cryptography algorithms on mobile devices.
Cryptography is the practice and study of techniques for conveying information security.
The goal of Cryptography is to allow the intended recipients of the message to receive the message securely.
The most famous algorithm used today is RSA algorithm
this pdf contain simple method to install one of important MPLS service MPLS L3VPN and explain how mpls distribute labels
use simple routing protocol with customer (static route) to initiate L3VPN
Backtracking is a general algorithm for finding all (or some) solutions to some computational problems, notably constraint satisfaction problems, that incrementally builds candidates to the solutions, and abandons each partial candidate c ("backtracks") as soon as it determines that c cannot possibly be completed to a valid solution.
Slides for a college cryptography course at CCSF. Instructor: Sam Bowne
Based on: Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar, Jan Pelzl, and Bart Preneel, ISBN: 3642041000 ASIN: B014P9I39Q
See https://samsclass.info/141/141_F17.shtml
Two fish & Rijndael (AES) Encryption AlgorithmRifat Tasnim
In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the
U.S. government. Back in 1997 the National Institute of Standards and Technology (NIST) made a public call for new cipher
algorithms that could replace the DES. A rough summary of
the requirements made by NIST for the new AES were the
following:
Symmetric-key cipher
Block cipher
Support for 128 bit block sizes
Support for 128, 192, and 256 bit key lengths.
A combination of factors such as security, performance,
efficiency, ease of implementation and flexibility contributed
to the selection of this algorithm as the AES.Twofish and Rijndael were designed to meet the requirements of the
Advanced Encryption Standard(AES) competition and selected among five finalists of that
competition.
Rijndael is the block cipher algorithm recently chosen by the National Institute of Science and Technology (NIST) as the Advanced Encryption Standard (AES). It supercedes the Data Encryption Standard (DES). NIST selected Rijndael as the standard symmetric key encryption algorithm to be used to encrypt sensitive (unclassified) American federal information. The choice was based on a careful and comprehensive analysis of the security and efficiency characteristics of Rijndael's algorithm.
We approach the screening problem - i.e. detecting which inputs of a computer model significantly impact the output - from a formal Bayesian model selection point of view. That is, we place a Gaussian process prior on the computer model and consider the $2^p$ models that result from assuming that each of the subsets of the $p$ inputs affect the response. The goal is to obtain the posterior probabilities of each of these models. In this talk, we focus on the specification of objective priors on the model-specific parameters and on convenient ways to compute the associated marginal likelihoods. These two problems that normally are seen as unrelated, have challenging connections since the priors proposed in the literature are specifically designed to have posterior modes in the boundary of the parameter space, hence precluding the application of approximate integration techniques based on e.g. Laplace approximations. We explore several ways of circumventing this difficulty, comparing different methodologies with synthetic examples taken from the literature.
Authors: Gonzalo Garcia-Donato (Universidad de Castilla-La Mancha) and Rui Paulo (Universidade de Lisboa)
An RSA private key is made of a few private variables. We analyze how these private variables are chained together. Further, we study if one of the private variables is leaked, can we derive the other private variables? Demos of the algorithms are also provided.
Distributed solution of stochastic optimal control problem on GPUsPantelis Sopasakis
Stochastic optimal control problems arise in many
applications and are, in principle,
large-scale involving up to millions of decision variables. Their
applicability in control applications is often limited by the
availability of algorithms that can solve them efficiently and within
the sampling time of the controlled system.
In this paper we propose a dual accelerated proximal
gradient algorithm which is amenable to parallelization and
demonstrate that its GPU implementation affords high speed-up
values (with respect to a CPU implementation) and greatly outperforms
well-established commercial optimizers such as Gurobi.
In general dimension, there is no known total polynomial algorithm for either convex hull or vertex enumeration, i.e. an algorithm whose complexity depends polynomially on the input and output sizes. It is thus important to identify problems (and polytope representations) for which total polynomial-time algorithms can be obtained. We offer the first total polynomial-time algorithm for computing the edge-skeleton (including vertex enumeration) of a polytope given by an optimization or separation oracle, where we are also given a superset of its edge directions. We also offer a space-efficient variant of our algorithm by employing reverse search. All complexity bounds refer to the (oracle) Turing machine model. There is a number of polytope classes naturally defined by oracles; for some of them neither vertex nor facet representation is obvious. We consider two main applications, where we obtain (weakly) total polynomial-time algorithms: Signed Minkowski sums of convex polytopes, where polytopes can be subtracted provided the signed sum is a convex polytope, and computation of secondary, resultant, and discriminant polytopes. Further applications include convex combinatorial optimization and convex integer programming, where we offer a new approach, thus removing the complexity's exponential dependence in the dimension.
In the study of probabilistic integrators for deterministic ordinary differential equations, one goal is to establish the convergence (in an appropriate topology) of the random solutions to the true deterministic solution of an initial value problem defined by some operator. The challenge is to identify the right conditions on the additive noise with which one constructs the probabilistic integrator, so that the convergence of the random solutions has the same order as the underlying deterministic integrator. In the context of ordinary differential equations, Conrad et. al. (Stat.
Comput., 2017), established the mean square convergence of the solutions for globally Lipschitz vector fields, under the assumptions of i.i.d., state-independent, mean-zero Gaussian noise. We extend their analysis by considering vector fields that need not be globally Lipschitz, and by
considering non-Gaussian, non-i.i.d. noise that can depend on the state and that can have nonzero mean. A key assumption is a uniform moment bound condition on the noise. We obtain convergence in the stronger topology of the uniform norm, and establish results that connect this topology to the regularity of the additive noise. Joint work with A. M. Stuart (Caltech), T. J. Sullivan (Free University of Berlin).
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Discrete Logarithm Problem over Prime Fields, Non-canonical Lifts and Logarithmic Derivative
1. Discrete Logarithm Problem over Prime Fields,
Non-canonical Lifts and
Logarithmic Derivatives
H. Gopalakrishna Gadiyar and R. Padma
Department of Mathematics
School of Advanced Sciences
Vellore Institute of Technology, Vellore
Chandrasekharan Centenary Symposium in Number
Theory - 19 December 2020
Indian Mathematical Society
86th Annual Conference
VIT, 17 - 20 December 2020
Gadiyar, Padma Discrete Logarithm Problem
3. Definition of Discrete Logarithm
Let a0 be a primitive root of a prime number p > 2.
Then for every b0 ∈ {1, 2, · · · , p − 1} mod p there exists a
unique integer np modulo p − 1 satisfying
a
np
0 ≡ b0 (mod p) . (1)
np is called the discrete logarithm or index of b0 to the base
a0 modulo p.
Given a0 and b0 modulo p finding np modulo (p − 1) is
called the discrete logarithm problem (DLP) over the prime
field Fp.
Gadiyar, Padma Discrete Logarithm Problem
4. Example
Let us take p = 11
a0 = 2 is a primitive root of 11
Consider the powers of 2 mod 11
k 0 1 2 3 4 5 6 7 8 9
2k mod 11 1 2 4 8 5 10 9 7 3 6
Ritt called the finite fields as Monkey fields as the points
jump around when you multiply.
Hence they are used to generate randomness
One cannot use continuity argument to get the discrete
logarithm.
Gadiyar, Padma Discrete Logarithm Problem
5. The DLP is believed to be computationally difficult if p is a
randomly chosen large prime.
There are various algorithms to compute the DLP like the
baby step - giant step method, Pollard’s ρ-method, Pohlig -
Hellman attack and the index calculus method.
Pohlig - Hellman algorithm works in polynomial time if all
the prime factors of p − 1 are ‘small’.
The other algorithms are exponential or sub-exponential
time algorithms
All these attacks are algebraic in nature
There are no known polynomial time algorithms to
compute the discrete logarithm for a large prime p.
Gadiyar, Padma Discrete Logarithm Problem
6. Why is this problem important?
The computational intractability of the DLP is the basis of
the famous Diffie - Hellman key exchange protocol which is
the first published (1976) public key cryptographic
algorithm.
The Diffie - Hellman Key exchange protocol allows two
users to exchange a secret key over an insecure network.
Let p be a large prime number say at least 512 bits.
Let a0 be a primitive root of p.
Both p and a0 are publicly available.
The two users Alice and Bob generate the common secret
key as follows.
Alice and Bob both choose two private numbers a and b
respectively.
Gadiyar, Padma Discrete Logarithm Problem
7. Alice computes X = aa
0 mod p and Bob computes
Y = ab
0 mod p
X and Y are exchanged over an insecure network
Alice computes kA = Ya mod p
Bob computes kB = Xb mod p
Now kA = Ya mod p = aab
0 mod p
kB = Xbmod p = aab
0 mod p
kA = kB is the common key for symmetric encryption.
Gadiyar, Padma Discrete Logarithm Problem
8. Diffie - Hellman Key Exchange Protocol
Alice Bob
,
( ) = ( ) =
Secret Secret
Common Key
Gadiyar, Padma Discrete Logarithm Problem
9. An evesdropper can compute this key, if he can find out
either a or b.
Finding a from X is the DLP
Finding b from Y is the DLP
Gadiyar, Padma Discrete Logarithm Problem
10. Variants of this protocol are used in the Internet security
standards provided by IEEE P1363, RFC 2631, ANSI
X9.42, NIST etc.
Some of the protocols are:
Secure Socket Layer (SSL), Transport Layer Security
(TLS), Secure Shell (SSH), Internet Protocol Security
(IPSec), Public Key Infrastructure (PKI)
Gadiyar, Padma Discrete Logarithm Problem
11. Generalizations
The DLP can be generalized to
Multiplicative group of a finite field.
Elliptic curves over a finite field.
Hyperelliptic curves over a finite field.
Gadiyar, Padma Discrete Logarithm Problem
12. Elliptic curves
An elliptic curve over Fp is given by
y2
= x3
+ ax + b mod p (2)
with 4a3 + 27b2 ≡ 0 mod p. (p > 3)
The set of points on this curve along with a point called ‘O
is a finite group under a certain addition law.
It is denoted by E(Fp).
If P and Q are points on the curve such that Q = nP then
‘n is called the discrete logarithm of Q w.r.t. P
Finding n given P and Q is called the elliptic curve discrete
logarithm problem (ECDLP)
Gadiyar, Padma Discrete Logarithm Problem
13. Anomalous Elliptic curves
When the number of points on the curve is p, then the
elliptic curve is called anomalous.
The anomalous curves should not be used for
cryptographic purpose as
Nigel P Smart
I. A. Semaev
T. Satoh and K. Araki
independently found a linear time algorithm to compute the
discrete logarithm on such curves.
Gadiyar, Padma Discrete Logarithm Problem
14. Attack on Anomalous Elliptic curves
There are two steps in their attack
1. Lift the points P and Q to points P and Q over Qp.
2. p-adic elliptic logarithm.
Gadiyar, Padma Discrete Logarithm Problem
15. pQ, pP ∈ E1(Qp) as p is the cardinality of the group
Q − nP ∈ E1(Qp) as the ECDLP is given by Q = nP .
p(Q − nP) ∈ E2(Qp)
p-adic elliptic logarithm of pQ and pP will be a multiple of p
but
the p-adic elliptic logarithm of p(Q − nP) will be a multiple
of p2
ϑ(pQ) − nϑ(pP) ≡ 0 mod p2
(3)
n ≡
ϑ(pQ)
ϑ(pP)
mod p. (4)
Gadiyar, Padma Discrete Logarithm Problem
16. Smart attack for the DLP over Prime Fields
It turns out that a lot of elementary number theory is
involved unlike the case of anomalous elliptic curves.
Did extensive calculations in Maple to arrive at the results
presented here.
The tools we use are:
1. Lift -Teichmüller lift
2. Logarithm - Iwasawa logarithm
We use two approaches both of which fail.
This forces us to use more abstract tools.
Gadiyar, Padma Discrete Logarithm Problem
17. Tool 1. Teichmüller lift
By Fermat’s little theorem we have
xp−1
0 ≡ 1 + q(x0)p (mod p2
) (5)
for any integer x0 ∈ {1, 2, · · · , p − 1 mod p}.
q(x0) is called the Fermat quotient of x0 modulo p.
We can write this as
xp
0 ≡ x0 + x1p (mod p2
) . (6)
where x1 = x0q(x0) mod p.
By Euler’s theorem of congruences
(x0 + x1p)p−1
≡ 1 (mod p2
) , (7)
x0 + x1p is the Teichmüller expansion of x0 modulo p2.
As x1 =
x
p
0 −x0
p (mod p), and xp
0 (mod p2) can be computed
in polynomial time using the repeated square and multiply
algorithm, one can compute x1 in polynomial time.
Gadiyar, Padma Discrete Logarithm Problem
18. Teichmüller lift Contd.
Similarly xp2
0 ≡ x0 + x1p + x2p2 (mod p3) is the Teichmüller
expansion of x0 modulo p3 and
(x0 + x1p + x2p2)p−1 ≡ 1 (mod p3)
Thus one gets the Teichmüller representative T(x0) of x0
as a p-adic integer which is represented by
T(x0) = lim
k→∞
xpk
0 . (8)
Note that
T(x0)p−1
= 1 (9)
for any x0 ≡ 0 (mod p).
Gadiyar, Padma Discrete Logarithm Problem
19. Teichmüller Expansion as Hensel Lift
Hensel Lift is the p-adic Newton - Raphson method.
Use the polynomial f(x) = xp − x.
Then f (x) = p xp−1 − 1
f (x0) ≡ −1 (mod p)
By Fermat’s little theorem f(x0) ≡ xp
0 − x0 ≡ 0 (mod p)
Thus the Hensel lifting x0 − f(x0)
f (x0) of x0 gives precisely
x0 + x1p (mod p2).
Gadiyar, Padma Discrete Logarithm Problem
20. Tool 2. Iwasawa Logarithm
For a p-adic integer x = x0 + x1p + x2p2 + · · · with
gcd(x0, p) = 1, the Iwasawa logarithm of x is denoted by
Log x and is defined as
1
p − 1
log xp−1
(10)
log xp−1
= log(1 + 1p + 2p2
+ · · · )
= 1p + 2p2
+ · · · −
1
2
1p + 2p2
+ · · ·
2
+ · · ·
Note that the Iwasawa logarithm of the Teichmüller
representative Log T(x) = 0.
Gadiyar, Padma Discrete Logarithm Problem
21. Applying to DLP
a
np
0 ≡ b0 (mod p) . (11)
Raising both sides to power p, we get
a
pnp
0 ≡ bp
0 (mod p2
) . (12)
(a0 + a1p)np
≡ b0 + b1p mod p2
. (13)
If we raise both sides by the power (p − 1) , the equation
becomes 1 ≡ 1 mod p2
Gadiyar, Padma Discrete Logarithm Problem
22. βnp
- Carry
Expanding the l.h.s. using the binomial theorem
a
np
0 + na
np−1
0 a1p ≡ b0 + b1p mod p2
. (14)
Writing
a
np
0 ≡ b0 + βnp p mod p2
, (15)
where βnp is the carry, we get
b0 + βnp p + npa
np−1
0 a1p ≡ b0 + b1p mod p2
. (16)
βnp + np
b0
a0
a1 ≡ b1 mod p . (17)
np ≡
(b1 − βnp )/b0
a1/a0
(mod p) (18)
This is a linear congruence in two unknowns np and βnp
Hence the method fails.
Gadiyar, Padma Discrete Logarithm Problem
23. Kontsevich and Riesel point out that the difficulty arises
because
the problem is stated modulo p but
the solution is needed modulo p − 1.
Hence we convert the DLP modulo p to the DLP modulo
the composite p(p − 1)
Gadiyar, Padma Discrete Logarithm Problem
24. DLP mod p → DLP mod p(p − 1)
We consider primes p of the form 2q + 1 where q is a
prime number.
Examples
11 = 2 ∗ 5 + 1
23 = 2 ∗ 11 + 1
47 = 2 ∗ 23 + 1
Gadiyar, Padma Discrete Logarithm Problem
25. DLP mod p to DLP mod pq
Lemma
Let a0 be a primitive root of p and q. Let gcd(b0, q) = 1. Then
the congruence a
np
0 ≡ b0 mod p can be extended to
an
0 ≡ b0 (mod pq) . (19)
if and only if the Legendre symbols
b0
p
=
b0
q
. (20)
Gadiyar, Padma Discrete Logarithm Problem
26. Proof.
an
0 ≡ b0 (mod pq) if and only if
an
0 ≡ a
np
0 ≡ b0 (mod p) and
an
0 ≡ a
nq
0 ≡ b0 (mod q) .
This happens if and only if
n ≡ np (mod p − 1) and (21)
n ≡ nq (mod q − 1) . (22)
This is possible if and only if
2 = gcd(p − 1, q − 1)|(np − nq) . (23)
np ≡ nq (mod 2) . (24)
Gadiyar, Padma Discrete Logarithm Problem
27. In other words b0 is a quadratic residue or nonresidue
modulo p and q simultaneously.
b0
p = b0
q .
Here we have used the Chinese Remainder theorem when
the moduli are not relatively prime.
Gadiyar, Padma Discrete Logarithm Problem
28. Fermat Quotient for Composite Modulus
Definition
(Lerch) Let x be such that gcd(x, n) = 1. Then q(x) defined by
xφ(n)
≡ 1 + q(x)n (mod n2
) . (25)
is called the Fermat quotient of x modulo n. Here φ(n) is the
Euler totient function.
φ(1) = 1,
φ(pr
) = pr−1
,
φ(pr1
1 pr2
2 ...prk
k ) = pr1−1
1 (p1 − 1)pr2−1
2 (p2 − 1) · · · prk −1
k (pk − 1) .
Gadiyar, Padma Discrete Logarithm Problem
29. Properties of q(x)
1. q(xy) ≡ q(x) + q(y) mod n
2. q(x + zn) ≡ q(x) + z
x φ(n) mod n
Gadiyar, Padma Discrete Logarithm Problem
30. Carmichael’s Function λ(n)
Definition
λ(1) = 1, λ(2) = 1, λ(4) = 2 and
λ(n) =
φ(Pr ), if n = Pr
2r−2, if n = 2r , r ≥ 3
lcm(λ(pr1
1 ), λ(pr2
2 ), · · · , λ(prk
k )), if n = pr1
1 pr2
2 · · · prk
k
,
(26)
where P > 2, p1, · · · pk are primes.
When p = 2q + 1, where p and q are both odd primes ,
φ(p2q2) = φ(p2)φ(q2) = p(p − 1)q(q − 1) = 2pq2φ(q)
and
λ(p2q2) = lcm(λ(p2), λ(q2)) = lcm(p(p − 1), q(q − 1)) =
lcm(2pq, q(q − 1)) = pqφ(q).
Gadiyar, Padma Discrete Logarithm Problem
31. In other words the order of the group of units modulo p2q2
is φ(p2q2)
whereas λ(p2q2) is the order of the largest cyclic group
modulo p2q2.
Hence we define Q(x) by the congruence
xλ(p2q2)
≡ xpqφ(q)
≡ 1 + Q(x)p2
q2
(mod p3
q3
) . (27)
Gadiyar, Padma Discrete Logarithm Problem
32. Teichmüller Lift Modulo p2
q2
Lemma
Let an
0 ≡ b0 (mod pq).
a1 = −
Q(a0)a0
φ(q)
(mod pq) and b1 = −
Q(b0)b0
φ(q)
(mod pq) . (28)
Then the Teichmüller lifts of a0 and b0 modulo p2q2 are
a0 + a1pq and b0 + b1pq modulo p2q2 respectively and satisfy
(a0 + a1pq)n
≡ b0 + b1pq (mod p2
q2
) , (29)
Gadiyar, Padma Discrete Logarithm Problem
33. Proof.
We want a1 and b1 to satisfy (??). Expanding (??) using the
binomial theorem and using the carry notation
an
0 ≡ b0 + βnpq (mod p2
q2
) , (30)
we get the equation
βn + n
b0
a0
a1 ≡ b1 (mod pq) . (31)
Taking the power λ(p2q2) = pqφ(q) on both sides of (??)
a
npqφ(q)
0 ≡ (b0 + βnpq)pqφ(q)
(mod p3
q3
) (32)
This can be written as
(1 + Q(a0)p2
q2
)n
≡ 1 + Q(b0)p2
q2
+b
pqφ(q)−1
0 βnφ(q)p2
q2
(mod p3
q3
)
Gadiyar, Padma Discrete Logarithm Problem
35. Analog of Iwasawa Logarithm Fails
From (??) and with the assumptions made in Lemma 1 we
can go to the discrete logarithm problem
an
0 ≡ b0 (mod pq) (35)
Here a0 generates a subgroup of order qφ(q) modulo pq.
From Lemma 2 we get
(a0 + a1pq)n
≡ b0 + b1pq (mod p2
q2
) . (36)
The order of the group generated by a0 + a1pq modulo
p2q2 is again qφ(q). Also
(a0 + a1pq)qφ(q)
≡ 1 (mod p2
q3
) . (37)
Gadiyar, Padma Discrete Logarithm Problem
36. Carry Problem Persists
Expanding (??) using the binomial theorem, we get
an
0 + nan−1
0 a1pq ≡ b0 + b1pq (mod p2
q2
) . (38)
Writing
an
0 ≡ b0 + βnpq (mod p2
q2
) (39)
will give
βn + n
b0
a0
a1 ≡ b1 (mod pq) . (40)
Here βn is the carry of an
0 modulo p2q2 and
Note that n and βn are the two unknowns in the above
linear congruence.
Gadiyar, Padma Discrete Logarithm Problem
37. Summary
The first constrant is that the problem is given modulo p
and the solution is needed modulo p − 1.
We overcame this problem by going to a DLP modulo pq.
The fact that we cannot get n arises from two possibilities
being blocked as in the modulo p case.
The analogue of the Teichmüller lift modulo p2q2 gives
1 ≡ 1 (see (??))
If the binomial theorem is used, a carry occurs as in the
case of mod p, see (??).
Gadiyar, Padma Discrete Logarithm Problem
41. Main Idea: Non-canonical Lifts
If we can construct a non-canonical lift modulo p2q2 then
the problems dissolve.
Thus solving the discrete logarithm problem is equivalent
to the construction of a non-canonical lift.
Gadiyar, Padma Discrete Logarithm Problem
42. Non-canonical Lifts
Non-canonical lifts exist and can be written in the form
(a0 + (a1 + k)pq)n
≡ b0 + (b1 + l)pq (mod p2
q2
) . (41)
When k = k1p for some k1 ≡ 0 mod q, then l = l1p for
some l1mod q.
In this case the order of the group is qφ(q).
On expanding (??) using the binomial theorem, one gets
(a0+a1pq)n
+n(a0+a1pq)n−1
k pq ≡ (b0+b1pq) +l pq (mod p2
q2
)
(42)
Using (??) we get
n ≡
l1/b0
k1/a0
(mod q) (43)
If we use the notation da0 for k1 and db0 for l1 then
n ≡
db0/b0
da0/a0
(mod q) (44)
Thus n can be thought of as the logarithmic derivative.
Gadiyar, Padma Discrete Logarithm Problem
43. For the other k ≡ 0 and l modulo pq the order of the group
will be pqφ(q).
n ≡
l/b0
k/a0
(mod pq) (45)
If we use the notation da0 for k and db0 for l then
n ≡
db0/b0
da0/a0
(mod pq) . (46)
The non-canonical extensions (modulo p2q2) of the
subgroup generated by a0 mod pq are labeled by da0.
As p = 2q + 1 once we get n mod q, n mod p − 1 would be
either n or n + q mod p − 1 which can be checked in
polynomial time.
Gadiyar, Padma Discrete Logarithm Problem
44. Note that we can get (??) and (??) by raising (??) to the
powers qφ(q) and pqφ(q) respectively.
In the second case we get
(a0 + (a1 + k)pq)pqφ(q)
n
≡ (b0 + (b1 + l)pq)pqφ(q)
(mod p3
q3
) ,
(47)
On expanding this and using the earlier notation we get
1 + n q(a0) +
(a1 + k)
a0
φ(q) p2
q2
≡
1 + q(b0) +
(b1 + l)
b0
φ(q) p2
q2
(mod p3
q3
) .(48)
Using the formula for a1 and b1 one gets (??).
This way of getting n is analogous to the attack on
anomalous elliptic curves by Smart , Semaev , Satoh and
Araki.
Gadiyar, Padma Discrete Logarithm Problem
45. Historically derivatives of numbers have been studied for a
long time starting from Kummer , A. Weil (expanded by
Kawada) and more recently by A. Buium.
Hence the problem which is standing in isolation studied
only by cryptologists gets connected to mainstream
algebra and number theory.
Gadiyar, Padma Discrete Logarithm Problem
46. Key Idea - Noncanonical Lift-1
+ ≡ + mod
+ + ≡ + + mod
≡
Gadiyar, Padma Discrete Logarithm Problem
47. Key Idea - Noncanonical Lift-2
+ ≡ + mod
+ + ≡ + + mod
≡
Gadiyar, Padma Discrete Logarithm Problem
48. What we were looking for...
If you have two functions f(x) and g(x) satisfying the
relation
f(x)n
= g(x) (49)
the logarithmic differentiation gives
n =
g (x)
g(x)
/
f (x)
f(x)
(50)
Gadiyar, Padma Discrete Logarithm Problem
49. Conclusion
We speculate a little philosophically.
Like in Godel’s theorem it is possible that this is a case of a
difficult problem within a system of axioms becoming easy
when the system of axioms is enlarged.
The problem may be hard mod p but going out of the
system of axioms of modular arithmetic
mod p → mod pq → mod q
is forced on us because of the discrete logarithm problem
is given mod p but the value of the index n is given mod
p − 1.
We are not experts in mathematical logic.
We leave this topic to logicians and theoretical computer
scientists.
Gadiyar, Padma Discrete Logarithm Problem
50. Acknowledgements
Gadiyar remembers with gratitude being taught advanced
topics like the extension of groups in a very simple way by
the Late Prof. E.C.G. Sudarshan
The all pervasive culture of Bourbaki style mathematics
was imbibed by us thanks to the presence of the late Prof.
C. S. Seshadri in Chennai.
The late Prof. K. Ramachandra’s philosophy is used in this
work: Use elementary methods and analyse the simplest
case.
We would like to thank Prof. M. S. Rangachari for
encouragement.
We would like to thank Prof. R. Balasubramanian and Prof.
Bimal Roy who encouraged academic research in
cryptography through the CRSI
We would like to thank Prof. M. Ram Murty for
encouragement.
Gadiyar, Padma Discrete Logarithm Problem
51. Acknowledgements
We would also like to thank Prof. A. Sankaranarayanan,
Prof. K. Srinivas and Prof. Arul Lakshminarayan for getting
relevant papers from the libraries of TIFR, IMSc and IITM
This work was started at the AU-KBC Research Centre
and brought to a final form at VIT, Vellore
We thank both the organisations for supporting us.
Gadiyar, Padma Discrete Logarithm Problem
52. Papers
1. H. Gopalkrishna Gadiyar, K M Sangeeta Maini, R. Padma:
Cryptography, Connections, Cocycles and Crystals: A
p-adic Exploration of the Discrete Logarithm Problem.
Progress in Cryptology - INDOCRYPT 2004, 305-314,
Lecture Notes in Comput. Sci., 3348. Zbl 1115.94008,
MR2147933 (Edlyn Teske)
2. H. Gopalakrishna Gadiyar, R. Padma: The discrete
logarithm problem over prime fields: the safe prime case.
The Smart attack, non-canonical lifts and logarithmic
derivatives. Czech Math J 68, 1115-1124 (2018).
https://doi.org/10.21136/CMJ.2018.0128-17 MR3881901
(Cunsheng Ding)
Gadiyar, Padma Discrete Logarithm Problem