Research on the Discrete Logarithm Problem
Wang Ping, Meng Xuemei
2003. 30
Content
- Introduction
- Mathematical Background
- Definition of DLP
- Methods in Use Today to Compute DL
- Future Work
- Question & Answer
Introduction
- DLP is the underlying one-way function for:
  - Diffie-Hellman key exchange
  - DSA (digital signature algorithm)
  - ElGamal encryption/digital signature scheme
  - Elliptic curve cryptosystems
  - ...
- DLP is based on finite groups.
Mathematical Background
- Groups
  - Definition: A group is a set G of elements together with a binary operation "•" such that:
    - If a, b ∈ G then a • b = c ∈ G (closure).
    - (a • b) • c = a • (b • c) for all a, b, c ∈ G (associativity).
    - There exists an identity element e ∈ G such that for all a ∈ G: e • a = a • e = a (identity).
    - For all a ∈ G there exists an inverse element a^-1 such that a • a^-1 = e (inverse).
Mathematical Background
- Inverses
  - Definition: Let a be a number. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m, and write b = a^-1 (mod m).
  - Theorem: a has an inverse mod m iff gcd(a, m) = 1.
  - Zp*: the set of all invertible integers mod p: Zp* = {i ∈ Zp | gcd(i, p) = 1}
  - Theorem: Zp* forms a group under multiplication mod p. The identity element is e = 1.
Mathematical Background
- Example
  - Z9* = {1, 2, 4, 5, 7, 8}
  - Multiplication table (* mod 9):

      * mod 9 | 1  2  4  5  7  8
      --------+-----------------
         1    | 1  2  4  5  7  8
         2    | 2  4  8  1  5  7
         4    | 4  8  7  2  1  5
         5    | 5  1  2  7  8  4
         7    | 7  5  1  8  4  2
         8    | 8  7  5  4  2  1

    Note: From the above multiplication table we can see that (Z9*, * mod 9) is a group.
Mathematical Background
- Example (cont.)
  - Group: G = (Z9*, * mod 9)
  - Find the inverse of 7 in the group (Z9*, * mod 9) through the Extended Euclidean Algorithm:

      9 = 1*7 + 2  →  2 = 9 − 7
      7 = 3*2 + 1  →  1 = 7 − 3*2 = 7 − 3*(9 − 7) = 4*7 − 3*9
      2 = 2*1 + 0

    So we have: 1 = 4*7 − 3*9  →  4*7 mod 9 = 1
    4 is the inverse of 7 mod 9.
Mathematical Background
- Finite Groups
  - Definition: A group (G, •) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
  - Definition: The order of an element a ∈ G is the smallest positive integer n such that a • … • a (n times) = a^n = e.
  - Definition: A group G which contains an element α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.
Mathematical Background
- Example
  - Finite group: G = (Z11*, * mod 11)
  - Find the order of a = 3 (all values reduced mod 11):

      a^1 = 3
      a^2 = 3^2 = 9
      a^3 = 3^3 = 27 = 5
      a^4 = 3^3 * 3 = 5 * 3 = 15 = 4
      a^5 = 3^4 * 3 = 4 * 3 = 12 = 1

    So ord(3) = 5
Mathematical Background
- Example (cont.)
  - Finite group: G = (Z11*, * mod 11)
  - Proof: α = 2 is a generator of G (all values reduced mod 11)

      |G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
      α^1 = 2
      α^2 = 2^2 = 4
      α^3 = 2^3 = 8
      α^4 = 2^4 = 16 = 5
      α^5 = 2^5 = 10
      α^6 = 2^6 = 10 * 2 = 20 = 9
      α^7 = 2^7 = 9 * 2 = 18 = 7
      α^8 = 2^8 = 7 * 2 = 14 = 3
      α^9 = 2^9 = 3 * 2 = 6
      α^10 = 2^10 = 6 * 2 = 12 = 1
      α^11 = 2 = α
Mathematical Background
- Example (cont.)
  - Finite group: G = (Z11*, * mod 11)
  - So we have: ord(α = 2) = 10 = |G|
    → (1) G is cyclic
    → (2) α = 2 is a generator of G
  - Note: 2^i, i = 1, 2, …, 10 generates all elements of G:

      i   | 1  2  3  4   5  6  7  8  9  10
      2^i | 2  4  8  5  10  9  7  3  6   1
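The group facts worked by hand on these slides (the inverse of 7 mod 9 by the Extended Euclidean Algorithm, ord(3) = 5 in Z11*, and α = 2 generating Z11*) as runnable Python. This is an added example, not code from the slides; the function names are my own.

```python
# Added example (not from the slides): arithmetic in Z_m^* as used on the
# slides: extended Euclid for inverses, element order, generator test.

def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    # a = q*b + r, so g = x*b + y*r = x*b + y*(a - q*b) = y*a + (x - q*y)*b
    return g, y, x - (a // b) * y

def inverse_mod(a, m):
    """Inverse of a modulo m, or None if gcd(a, m) != 1 (slide theorem)."""
    g, x, _ = ext_gcd(a % m, m)
    return x % m if g == 1 else None

def units(m):
    """Z_m^*: the integers in 1..m-1 that are invertible mod m."""
    return [i for i in range(1, m) if inverse_mod(i, m) is not None]

def order(a, p):
    """Smallest n >= 1 with a^n = 1 (mod p); a must be in Z_p^*."""
    n, power = 1, a % p
    while power != 1:
        power = power * a % p
        n += 1
    return n

def is_generator(a, p):
    """a generates Z_p^* iff ord(a) = |Z_p^*| (= p - 1 for prime p)."""
    return order(a, p) == len(units(p))

def power_table(a, p):
    """a^i mod p for i = 1..p-1: the slides' '2^i' row for a = 2, p = 11."""
    return [pow(a, i, p) for i in range(1, p)]

if __name__ == "__main__":
    print(units(9))                # [1, 2, 4, 5, 7, 8]
    print(inverse_mod(7, 9))       # 4
    print(order(3, 11))            # 5
    print(is_generator(2, 11))     # True
    print(is_generator(3, 11))     # False
    print(power_table(2, 11))      # [2, 4, 8, 5, 10, 9, 7, 3, 6, 1]
```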
Definition of DLP
- The discrete logarithm problem (DLP)
  - Definition: Given a prime p, a generator α of Zp*, and an element β ∈ Zp*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x = β (mod p).
- The generalized discrete logarithm problem (GDLP)
  - Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.
Definition of DLP
- Example
  - G = (Z11, + mod 11)
  - We have:

      i   | 1  2  3  4   5  6  7  8  9  10  11
      2i  | 2  4  6  8  10  1  3  5  7   9   0

    So α = 2 is a generator of G.
    Let i = 7, β = 7 * 2 = 14 = 3 mod 11
    Question: given α = 2, β = 3 = i * 2 mod 11, find i
    Answer: i = 2^-1 * 3 mod 11 = 6 * 3 mod 11 = 7
  - Note: 2^-1 = 6 can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.
Definition of DLP
- Example
  - G = (Z11*, * mod 11)
  - α = 2 is a generator of G
    Let i = 8, β = 2^8 = 3 mod 11
    Question: given α = 2, β = 3 = 2^i, find i
    i = log_2 3 = log_2 2^i = ?
  - Note: There is no efficient algorithm to find i; it is a very hard computational problem. Thus this example is a one-way function.
Methods in Use Today to Compute DL
- Baby-step giant-step Algorithm
  - Algorithm: Baby-step giant-step algorithm for computing DL
    INPUT: a generator α of G of order n, and an element β ∈ G.
    OUTPUT: x = log_α β.
    1. Set m :=
    2. Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
    3. Compute α^-m and set γ := β.
    4. For i from 0 to m − 1:
       1. Check if γ is the second component of some entry in the table.
       2. If γ = α^j then return (x = im + j).
       3. Set γ := γ α^-m
Methods in Use Today to Compute DL
- Baby-step giant-step Algorithm
  - Example
    INPUT: a generator α = 2 of G = (Z11*, * mod 11) of order n = 10, and an element β = 3.
    OUTPUT: x = log_α β = log_2 3.
    1. Set m := 4
    2. Construct a table with entries (j, α^j) for 0 ≤ j < 4. Sort this table by second component.

         j          | 0  1  2  3
         2^j mod 11 | 1  2  4  8

    3. By the Extended Euclidean Algorithm compute α^-1 = 2^-1 mod 11 = 6, so α^-m = 2^-4 mod 11 = 6^4 mod 11 = 9, and set γ := β = 3.
Methods in Use Today to Compute DL
- Baby-step giant-step Algorithm
  - Example (cont.)
    4. For i from 0 to 3, we have the following table:

         i              | 0  1  2
         3 * 9^i mod 11 | 3  5  1

       Because 3 * 9^2 mod 11 = 1 = α^0 (i = 2, j = 0), we have: x = im + j = 2*4 + 0 = 8.
  - Note: The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
  - Complexity: O( ) steps
  - Minimum security requirement: ≥ 2^160
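Baby-step giant-step as the slides describe it, traced on α = 2, β = 3, p = 11 (giant steps 3, 5, 1 and x = 8), next to the additive-group case from the earlier DLP example that one inverse solves. This is an added example, not the authors' code; the choice m = ⌈√n⌉ is the standard one and is assumed here, as is Python 3.8+ for pow(x, -1, p).

```python
# Added example (not from the slides): baby-step giant-step in Z_p^*, traced
# on alpha = 2, beta = 3, p = 11, where the answer is x = 8.
from math import isqrt

def bsgs(alpha, beta, p, n=None, trace=None):
    """Return x with alpha^x = beta (mod p), or None if beta is not a power
    of alpha. n is the order of alpha (default p - 1, i.e. alpha generates
    Z_p^*). Cost: about sqrt(n) multiplications and sqrt(n) table entries.
    If trace is a list, each giant-step value gamma is appended to it."""
    n = p - 1 if n is None else n
    m = isqrt(n)
    if m * m < n:                      # m = ceil(sqrt(n)); assumed standard choice
        m += 1
    # Baby steps: alpha^j -> j for 0 <= j < m. A dict replaces the slides'
    # "sort the table by second component" and gives the same fast lookup.
    table = {}
    aj = 1
    for j in range(m):
        table.setdefault(aj, j)
        aj = aj * alpha % p
    # Giant-step factor alpha^(-m); pow(x, -1, p) (Python 3.8+) is the
    # inverse the slides obtain from the Extended Euclidean Algorithm.
    alpha_inv_m = pow(pow(alpha, -1, p), m, p)
    gamma = beta % p
    for i in range(m):
        if trace is not None:
            trace.append(gamma)
        if gamma in table:             # gamma = alpha^j, so beta = alpha^(i*m + j)
            return i * m + table[gamma]
        gamma = gamma * alpha_inv_m % p
    return None

def additive_dl(alpha, beta, p):
    """'Discrete log' in (Z_p, + mod p): solve i*alpha = beta with a single
    inverse, which is why the slides call that example NOT one-way."""
    return pow(alpha, -1, p) * beta % p

if __name__ == "__main__":
    steps = []
    x = bsgs(2, 3, 11, trace=steps)
    print("giant steps:", steps, "x =", x)      # giant steps: [3, 5, 1] x = 8
    print(pow(2, x, 11) == 3)                   # True
    print(additive_dl(2, 3, 11))                # 7
    p = 65537                                   # constructed larger case, still instant
    beta = pow(3, 12345, p)
    print(pow(3, bsgs(3, beta, p), p) == beta)  # True
```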
Future Work
- Study and implement other methods in use today to compute DL, such as:
  - Pollard's rho algorithm
  - Pohlig-Hellman algorithm
  - Index-calculus method
- Challenge or improve some of these methods
Question & Answer
Thanks