
Discrete Logarithm(s) (DLs)





Presentation Transcript


  1. Discrete Logarithm(s) (DLs) • Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest positive integer such that a^n ≡ 1 (mod p), i.e., n = ord_p(a). Assuming 0 ≤ x < n, we denote x = L_a(b) and call it the discrete log of b w.r.t. a (mod p) • Ex: p=11, a=2, b=9, then x = L_2(9) = 6

  2. Discrete Logarithms • In the RSA algorithm, the difficulty of factoring a large integer yields good cryptosystems • In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems • Given p, a, b, solve a^x ≡ b (mod p) • a is usually chosen to be a primitive root mod p

  3. One-Way Function • A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y = f(x). • L_a(b) is a one-way function if p is large

  4. Primitive Roots mod 13 • a is a primitive root mod p if {a^k | 1 ≤ k ≤ p-1} = {1, 2, …, p-1} ♪ 2, 6, 7, 11 are primitive roots mod 13 • 3^3 ≡ 1 (mod 13), 4^6 ≡ 1 (mod 13), • 5^4 ≡ 1 (mod 13), 8^4 ≡ 1 (mod 13), • 9^3 ≡ 1 (mod 13), 10^6 ≡ 1 (mod 13), • 12^2 ≡ 1 (mod 13)

  5. Solve a^x ≡ b (mod p) • An exhaustive search over all 0 ≤ x < p • Check only even x or only odd x according to b^((p-1)/2) ≡ (a^x)^((p-1)/2) ≡ (a^((p-1)/2))^x ≡ (-1)^x ≡ 1 or -1 (mod p), where a is a primitive root. (Ex) p=11, a=2, b=9: since b^((p-1)/2) ≡ 9^5 ≡ 1, check only the even numbers {0, 2, 4, 6, 8, 10} to find x=6 such that 2^6 ≡ 9 (mod 11)

  6. Solve a^x ≡ b (mod p) by Pohlig-Hellman • Let p-1 = Π q^r over all primes q | (p-1). For each such q, write b_0 = b and x = x_0 + x_1 q + x_2 q^2 + … + x_{r-1} q^{r-1} with 0 ≤ x_i ≤ q-1. 1. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b_0^((p-1)/q), then x_0 = k; next let b_1 ≡ b_0 a^(-x_0). 2. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b_1^((p-1)/q^2), then x_1 = k; next let b_2 ≡ b_1 a^(-x_1 q). 3. Repeat steps 1, 2 until x_{r-1} is found for this q. 4. Repeat steps 1~3 for all q's, then apply the Chinese Remainder Theorem to get the final solution x (mod p-1)

  7. 7^x ≡ 12 (mod 41); p=41, a=7, b=12 • p-1 = 41-1 = 40 = 2^3 · 5 • b_0 = 12 • For q=2: b_0 = 12, b_1 = 31, b_2 = 31, and x = x_0 + 2x_1 + 4x_2 ≡ 1 + 2·0 + 4·1 ≡ 5 (mod 8) • For q=5: b_0 = 12, b_1 = 18, and x = x_0 ≡ 3 (mod 5) • Solving x ≡ 5 (mod 8) and x ≡ 3 (mod 5), we have x ≡ 13 (mod 40)
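The Pohlig-Hellman procedure of slides 6 and 7, as an added example (not code from the slides): it factors p-1, extracts the base-q digits of x for each prime power, and combines them with the Chinese Remainder Theorem. The q=2 first digit is exactly the parity test of slide 5. Function names are my own.

```python
# Pohlig-Hellman for a^x ≡ b (mod p), p prime and a a primitive root mod p.
from functools import reduce

def factor(n):
    """Trial-division factorisation: returns {q: r} with n = Π q^r."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q] = f.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    M = reduce(lambda u, v: u * v, moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)      # pow(..., -1, m) needs Python 3.8+
    return x % M

def dlog_prime_power(a, b, p, q, r):
    """x mod q^r by digits x_0..x_{r-1}, following steps 1-3 of slide 6."""
    n = p - 1
    base = pow(a, n // q, p)             # a^((p-1)/q): an element of order q
    table = {pow(base, k, p): k for k in range(q)}   # "find k" by lookup
    x, bi = 0, b                         # bi plays the role of b_0, b_1, ...
    for i in range(r):
        k = table[pow(bi, n // q ** (i + 1), p)]     # b_i^((p-1)/q^(i+1))
        x += k * q ** i
        bi = bi * pow(a, -k * q ** i, p) % p         # b_{i+1} = b_i * a^(-x_i q^i)
    return x

def pohlig_hellman(a, b, p):
    """Step 4 of slide 6: solve for each prime power of p-1, then combine."""
    f = factor(p - 1)
    residues = [dlog_prime_power(a, b, p, q, r) for q, r in f.items()]
    moduli = [q ** r for q, r in f.items()]
    return crt(residues, moduli)

if __name__ == "__main__":
    x = pohlig_hellman(7, 12, 41)        # slide 7: expect 13
    print("x =", x, "check 7^x mod 41 =", pow(7, x, 41))
```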

  8. Solve a^x ≡ b (mod p) by Index Calculus • Let B be a bound and let p_1, p_2, …, p_m be the primes less than B, covering all of the prime factors of p-1. Then choose k(j)'s such that a^(k(j)) ≡ p_1^(r_1) p_2^(r_2) … p_m^(r_m) (mod p), i.e., r_1 L_a(p_1) + r_2 L_a(p_2) + … + r_m L_a(p_m) ≡ k(j) (mod p-1), for several j's; solve the linear system to get L_a(p_1), L_a(p_2), …, L_a(p_m). Then select R such that b a^R ≡ p_1^(b_1) p_2^(b_2) … p_m^(b_m) (mod p); the solution is L_a(b) ≡ -R + Σ b_i L_a(p_i) (mod p-1)

  9. Solve 2^x ≡ 37 (mod 131) • p=131, a=2, b=37; let B=10, then p_1=2, p_2=3, p_3=5, p_4=7. Since 2^8 ≡ 5^3, 2^12 ≡ 5·7, 2^14 ≡ 3^2, 2^34 ≡ 3·5^2 (mod p), we have 3L_2(5) ≡ 8 (mod 130), L_2(5) + L_2(7) ≡ 12 (mod 130), 2L_2(3) ≡ 14 (mod 130), L_2(3) + 2L_2(5) ≡ 34 (mod 130)

  10. L_2([3, 5, 7]) = [72, 46, 96] • Choose R=43, then 37·2^43 ≡ 3·5·7 (mod 131), so we have L_2(37) ≡ -43 + L_2(3) + L_2(5) + L_2(7) ≡ 41 (mod 130) ♪ L_2(11) ≡ 56 (mod 130) [R=4] ♪ L_2(23) ≡ 23 (mod 130) [R=5]
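The two search phases of index calculus from slides 8 to 10, as an added example (not the slides' own code): collecting smooth relations a^k ≡ Π p_i^(r_i) (mod p) over the factor base, and the final "choose R" step. The linear-system solution L_2([3,5,7]) = [72,46,96] is taken from slide 10 rather than recomputed; the search for R returns the smallest smooth R, which may differ from the slide's choice but gives the same logarithm. Function names are my own.

```python
# Index-calculus pieces for 2^x ≡ 37 (mod 131) with B = 10 (slides 8-10).

def factor_over_base(n, base):
    """Exponent vector of n over the factor base, or None if n is not B-smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def collect_relations(a, p, base, want):
    """Scan k = 1, 2, ... for a^k ≡ Π p_i^{r_i} (mod p); each hit means
    Σ r_i L_a(p_i) ≡ k (mod p-1). Plain powers of a itself are skipped."""
    rels, k = [], 1
    while len(rels) < want:
        exps = factor_over_base(pow(a, k, p), base)
        if exps is not None and any(e for q, e in zip(base, exps) if q != a):
            rels.append((k, exps))
        k += 1
    return rels

def relations_hold(rels, base_logs, p):
    """Check Σ r_i L_a(p_i) ≡ k (mod p-1) for every collected relation."""
    return all(sum(e * l for e, l in zip(exps, base_logs)) % (p - 1) == k % (p - 1)
               for k, exps in rels)

def dlog_from_base_logs(a, b, p, base, base_logs):
    """Last step of slide 8: find R with b*a^R smooth over the base, then
    L_a(b) ≡ -R + Σ b_i L_a(p_i) (mod p-1). Returns (log, R)."""
    for R in range(p - 1):
        exps = factor_over_base(b * pow(a, R, p) % p, base)
        if exps is not None:
            return (-R + sum(e * l for e, l in zip(exps, base_logs))) % (p - 1), R
    raise ValueError("no smooth b*a^R found")

P, A, BASE = 131, 2, [2, 3, 5, 7]          # p, a, primes below B = 10
BASE_LOGS = [1, 72, 46, 96]                # L_2(2) = 1; L_2(3), L_2(5), L_2(7) from slide 10

if __name__ == "__main__":
    rels = collect_relations(A, P, BASE, 4)
    for k, exps in rels:
        print(f"2^{k} ≡ " + "·".join(f"{q}^{e}" for q, e in zip(BASE, exps) if e), "(mod 131)")
    print("slide-10 logs satisfy the relations:", relations_hold(rels, BASE_LOGS, P))
    for b in (37, 11, 23):
        log, R = dlog_from_base_logs(A, b, P, BASE, BASE_LOGS)
        print(f"L_2({b}) = {log} (R = {R}); 2^{log} mod 131 = {pow(A, log, P)}")
```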

  11. A Lemma on p ≡ 3 (mod 4) • Let p ≡ 3 (mod 4), r ≥ 2. Suppose a and g are nonzero integers such that g ≡ a^(y·2^r) (mod p). Then g^((p+1)/4) ≡ a^(y·2^(r-1)) (mod p). [Proof] g^((p+1)/4) ≡ a^((p+1)·y·2^(r-2)) ≡ a^(y·2^(r-1)) · (a^(p-1))^(y·2^(r-2)) ≡ a^(y·2^(r-1)) (mod p)

  12. A L_a(b) (mod 4) Machine • Let a be a primitive root (mod p), where p ≡ 3 (mod 4) is large. Then computing L_a(b) (mod 4) is as difficult as finding the solution of a^x ≡ b (mod p) [P.172]

  13. The ElGamal Public Key Cryptosystem • Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive root a. Assume m is an integer with 0 ≤ m < p, and Bob selects a secret integer x and computes b ≡ a^x (mod p). The information (p, a, b) is made public and is Bob's public key. Alice does the following.

  14. Encryption and Decryption • Downloads (p, a, b) • Chooses a secret random k and computes r ≡ a^k (mod p) • Computes t ≡ b^k m (mod p) • Sends the pair (t, r) to Bob • Bob decrypts by computing t r^(-x) (≡ m (mod p))
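The ElGamal exchange of slides 13 and 14, as an added example (not code from the slides), with both sides' computations and the check t·r^(-x) ≡ m. It also includes the parity-filtered exhaustive search of slide 5 to show that recovering Bob's x from his public b is exactly the problem L_a(b), which is why p must be large. Function names and the toy parameters are my own; the key (p, a, b) = (41, 7, 12) with x = 13 reuses slide 7's numbers.

```python
# ElGamal over Z_p (slides 13-14), toy parameters only.  Needs Python 3.8+ for pow(r, -x, p).
import secrets

def keygen(p, a, x=None):
    """Bob: secret x, public key (p, a, b) with b ≡ a^x (mod p)."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1          # 1 ≤ x ≤ p-2
    return x, (p, a, pow(a, x, p))

def encrypt(pub, m, k=None):
    """Alice: random k, r ≡ a^k, t ≡ b^k m (mod p); send (t, r)."""
    p, a, b = pub
    assert 0 <= m < p, "message must be an integer in [0, p)"
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(b, k, p) * m % p, pow(a, k, p)

def decrypt(p, x, t, r):
    """Bob: m ≡ t * r^(-x) (mod p)."""
    return t * pow(r, -x, p) % p

def recover_x_by_search(pub):
    """Slide 5: exhaustive search for x with a^x ≡ b, trying only the parity
    fixed by b^((p-1)/2) ≡ (-1)^x (valid when a is a primitive root).
    Feasible here only because p is tiny; this is the cost a large p defeats."""
    p, a, b = pub
    start = 0 if pow(b, (p - 1) // 2, p) == 1 else 1
    for x in range(start, p - 1, 2):
        if pow(a, x, p) == b:
            return x
    return None

if __name__ == "__main__":
    x, pub = keygen(41, 7, x=13)              # slide 7: 7^13 ≡ 12 (mod 41)
    t, r = encrypt(pub, 20)
    print("public key", pub, "ciphertext", (t, r), "decrypts to", decrypt(41, x, t, r))
    print("x recovered from the public key by search:", recover_x_by_search(pub))
```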

  15. Exercises on Pages 175 and 176
