Post on 28-Dec-2015


Research on the Discrete Logarithm Problem

Wang Ping Meng Xuemei

2003. 05. 18

Content

Introduction

Mathematical Background

Definition of DLP

Methods Used Today to Compute DL

Future Work

Question & Answer

Introduction

DLP is the underlying one-way function for:

Diffie-Hellman key exchange.

DSA (digital signature algorithm).

ElGamal encryption/digital signature scheme.

Elliptic curve cryptosystems.

……

DLP is based on finite groups.

Mathematical Background

Groups Definition: A group is a set G of elements together with a binary operation "•" such that:

If a, b ∈ G then a • b = c ∈ G (closure).

(a • b) • c = a • (b • c) for all a, b, c ∈ G (associativity).

There exists an identity element e ∈ G such that e • a = a • e = a for all a ∈ G (identity).

For all a ∈ G there exists an inverse element a^(-1) ∈ G such that a • a^(-1) = e (inverse).

Mathematical Background

Inverses Definition: Let a be a number. If there exists b such that ab = 1 (mod m), then we call b the inverse of a mod m, and write b = a^(-1) (mod m).

Theorem: a has an inverse mod m iff gcd(a, m) = 1.

Z_p^*: the set of all the invertible integers mod p:

Z_p^* = {i ∈ Z_p | gcd(i, p) = 1}

Theorem: Z_p^* forms a group under multiplication modulo p. The identity element is e = 1.

Mathematical Background

Example Z_9^* = {1, 2, 4, 5, 7, 8}

Multiplication table (* mod 9):

  * mod 9 | 1  2  4  5  7  8
  --------+------------------
     1    | 1  2  4  5  7  8
     2    | 2  4  8  1  5  7
     4    | 4  8  7  2  1  5
     5    | 5  1  2  7  8  4
     7    | 7  5  1  8  4  2
     8    | 8  7  5  4  2  1

Note: From the above multiplication table we can see that (Z_9^*, * mod 9) is a group.

Mathematical Background

Example (cont.) Group: G = (Z_9^*, * mod 9). Find the inverse of 7 in the group (Z_9^*, * mod 9) through the Extended Euclidean Algorithm:

9 = 1 * 7 + 2  →  2 = 9 − 7
7 = 3 * 2 + 1  →  1 = 7 − 3 * 2 = 7 − 3 * (9 − 7) = 4 * 7 − 3 * 9
2 = 2 * 1 + 0

So we have: 1 = 4 * 7 − 3 * 9  →  4 * 7 mod 9 = 1, so 4 is the inverse of 7 mod 9.
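The Z_9^* multiplication table and the Extended Euclidean computation on the last two slides, as an added Python example (this is my code, not part of the original slides): it builds Z_m^* and its Cayley table for any modulus m, checks the group axioms on that table, and computes inverses with the Extended Euclidean Algorithm, reproducing 7^(-1) mod 9 = 4. All function names are my own.

```python
from math import gcd


def units_mod(m):
    """Z_m^*: the integers in [1, m) that are invertible mod m (gcd(i, m) = 1)."""
    return [i for i in range(1, m) if gcd(i, m) == 1]


def multiplication_table(m):
    """Cayley table of (Z_m^*, * mod m) as table[a][b] = a*b mod m."""
    units = units_mod(m)
    return {a: {b: a * b % m for b in units} for a in units}


def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b).
    For (7, 9) this gives 1 = 4*7 - 3*9, the slide's result."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def mod_inverse(a, m):
    """a^(-1) mod m via ext_gcd; raises if gcd(a, m) != 1 (no inverse exists)."""
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return s % m


def is_group(m):
    """Check closure, identity and inverses for (Z_m^*, * mod m) directly on the table.
    Associativity is inherited from integer multiplication, so it is not re-checked."""
    units = set(units_mod(m))
    table = multiplication_table(m)
    closure = all(v in units for row in table.values() for v in row.values())
    identity = all(table[1][a] == a and table[a][1] == a for a in units)
    inverses = all(any(table[a][b] == 1 for b in units) for a in units)
    return closure and identity and inverses


if __name__ == "__main__":
    for a, row in multiplication_table(9).items():
        print(a, [row[b] for b in units_mod(9)])
    print("7^-1 mod 9 =", mod_inverse(7, 9))
```

`mod_inverse(3, 9)` raises, which is the theorem on the previous slide in action: 3 shares the factor 3 with 9 and so is not in Z_9^*.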

Mathematical Background

Finite Groups Definition: A group (G, •) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.

Definition: The order of an element a ∈ G is the smallest positive integer n such that a • a • … • a (n times) = a^n = e.

Definition: A group G which contains an element α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.

Mathematical Background

Example Finite group: G = (Z_11^*, * mod 11). Find the order of a = 3:

a^1 = 3
a^2 = 3^2 = 9
a^3 = 3^3 = 27 = 5
a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4
a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1

So ord(3) = 5.

Mathematical Background

Example (cont.) Finite group: G = (Z_11^*, * mod 11). Proof that α = 2 is a generator of G:

|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10

α^1 = 2
α^2 = 2^2 = 4
α^3 = 2^3 = 8
α^4 = 2^4 = 16 = 5
α^5 = 2^5 = 10
α^6 = 2^6 = 20 = 9
α^7 = 2^7 = 18 = 7
α^8 = 2^8 = 14 = 3
α^9 = 2^9 = 6
α^10 = 2^10 = 12 = 1
α^11 = 2^11 = 2 = α

Mathematical Background

Example (cont.) Finite group: G = (Z_11^*, * mod 11). So we have: ord(α = 2) = 10 = |G|  →  (1) G is cyclic; (2) α = 2 is a generator of G.

Note: 2^i, i = 1, 2, …, 10 generates all elements of G:

  i    1  2  3  4  5   6  7  8  9  10
  2^i  2  4  8  5  10  9  7  3  6  1

Definition of DLP

The discrete logarithm problem (DLP)

Definition: Given a prime p, a generator α of Z_p^*, and an element β ∈ Z_p^*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x = β (mod p).

The generalized discrete logarithm problem (GDLP)

Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.

Definition of DLP

Example G = (Z_11, + mod 11)

We have:

  i    1  2  3  4  5   6  7  8  9  10  11
  2i   2  4  6  8  10  1  3  5  7  9   0

So α = 2 is a generator of G.

Let i = 7, β = 7 * 2 = 3 mod 11.
Question: given α = 2 and β = 3 = i * 2 mod 11, find i.
Answer: i = 2^(-1) * 3 mod 11 = 7.

Note: 2^(-1) = 6 can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.

Definition of DLP

Example G = (Z_11^*, * mod 11), α = 2 is a generator of G.

Let i = 8, β = 2^8 = 3 mod 11.

Question: given α = 2 and β = 3 = 2^i, find i.

i = log_2 3 = log_2 2^i = ?

Note: there is no efficient algorithm to find i; it is a very hard computational problem. Thus this example is a one-way function.
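The order and generator examples in Z_11^* and the two "find i" examples above (the additive group Z_11 and the multiplicative group Z_11^*), as an added Python example that is my own and not part of the original slides: it computes element orders and the generators of Z_p^*, solves the additive problem with a modular inverse exactly as the slide does, and solves the multiplicative one only by walking the powers, which is the contrast the slides draw. Function names are my own; `pow(a, -1, m)` needs Python 3.8 or newer.

```python
def element_order(a, p):
    """Order of a in Z_p^*: the smallest n >= 1 with a^n = 1 (mod p).
    Also returns the list [a^1, a^2, ..., a^n] so the slide tables can be reproduced."""
    powers, g, n = [], a % p, 1
    while True:
        powers.append(g)
        if g == 1:
            return n, powers
        g = g * a % p
        n += 1


def is_generator(a, p):
    """For prime p, a generates Z_p^* iff ord(a) = |Z_p^*| = p - 1."""
    return element_order(a, p)[0] == p - 1


def generators(p):
    """All generators (primitive elements) of Z_p^* for a prime p."""
    return [a for a in range(1, p) if is_generator(a, p)]


def additive_dlog(alpha, beta, n):
    """The 'DLP' in (Z_n, + mod n): find i with i*alpha = beta (mod n).
    Solved directly as i = alpha^(-1) * beta mod n, so this is not one-way."""
    return pow(alpha, -1, n) * beta % n


def multiplicative_dlog_bruteforce(alpha, beta, p):
    """The DLP in (Z_p^*, * mod p): find i with alpha^i = beta (mod p).
    Exhaustive search over the powers of alpha; None if beta is not in <alpha>."""
    order, powers = element_order(alpha, p)
    for i, g in enumerate(powers, start=1):
        if g == beta % p:
            return i % order      # alpha^order = 1, so the log of 1 is reported as 0
    return None


if __name__ == "__main__":
    print("ord(3) in Z_11^* =", element_order(3, 11)[0])
    print("generators of Z_11^*:", generators(11))
    print("additive: i =", additive_dlog(2, 3, 11))
    print("multiplicative: i =", multiplicative_dlog_bruteforce(2, 3, 11))
```

Both searches are instant for p = 11; the point of the slides is that `additive_dlog` stays instant for a 2048-bit n, while the exhaustive search in `multiplicative_dlog_bruteforce` takes up to p − 1 multiplications, which the algorithms in the next section improve on but never to polynomial time.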

Methods Used Today to Compute DL

Baby-step giant-step Algorithm

Algorithm: Baby-step giant-step algorithm for computing DL

INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.

1. Set m := ⌈√n⌉.
2. Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
3. Compute α^(-m) and set γ := β.
4. For i from 0 to m − 1 do the following:
   4.1 Check if γ is the second component of some entry in the table.
   4.2 If γ = α^j then return (x = im + j).
   4.3 Set γ := γ · α^(-m).

Methods Used Today to Compute DL

Baby-step giant-step Algorithm Example

INPUT: a generator α = 2 of G = (Z_11^*, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: x = log_α β = log_2 3.

Set m := ⌈√10⌉ = 4. Construct a table with entries (j, α^j) for 0 ≤ j < 4, sorted by second component:

  j           0  1  2  3
  2^j mod 11  1  2  4  8

By the Extended Euclidean Algorithm compute α^(-1) = 2^(-1) mod 11 = 6, so we have α^(-m) = 2^(-4) mod 11 = 6^4 mod 11 = 9, and set γ := β = 3.

Methods Used Today to Compute DL

Baby-step giant-step Algorithm Example (cont.)

For i from 0 to 3 we have the following table (the loop stops at i = 2):

  i               0  1  2
  3 * 9^i mod 11  3  5  1

Because 3 * 9^2 mod 11 = 1 = α^0 (so j = 0), we have: x = im + j = 2 * 4 + 0 = 8.

The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.

Complexity: O(√|G|) steps.

Minimum security requirement: |G| ≥ 2^160.
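The baby-step giant-step algorithm of the last three slides, as an added Python example (my code, not the slides'): the sorted table becomes a dict, the giant steps multiply by α^(-m) exactly as in step 4.3, and the optional `steps` list records the γ values so the slide's row "3 * 9^i mod 11 = 3, 5, 1" can be checked. Function names are my own; `pow(alpha, -m, p)` relies on Python 3.8+ computing the modular inverse.

```python
from math import isqrt


def bsgs_dlog(alpha, beta, p, n, steps=None):
    """Baby-step giant-step for alpha of order n in Z_p^*: returns x in [0, n) with
    alpha^x = beta (mod p), or None if beta is not a power of alpha.
    If a list is passed as `steps`, the giant-step values gamma are appended to it."""
    m = isqrt(n - 1) + 1                    # m = ceil(sqrt(n)), so m*m >= n
    # Baby steps: (alpha^j -> j) for 0 <= j < m. A dict replaces the slide's sorted
    # table; step 4.1 becomes one hash lookup instead of a binary search.
    table = {}
    for j in range(m):
        table.setdefault(pow(alpha, j, p), j)
    alpha_inv_m = pow(alpha, -m, p)         # alpha^(-m)
    gamma = beta % p
    # Giant steps: gamma = beta * alpha^(-i*m). A hit gamma = alpha^j means
    # beta = alpha^(i*m + j), which is the returned x.
    for i in range(m):
        if steps is not None:
            steps.append(gamma)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * alpha_inv_m % p
    return None


if __name__ == "__main__":
    seen = []
    x = bsgs_dlog(2, 3, 11, 10, steps=seen)
    print("log_2 3 in Z_11^* =", x, "giant steps:", seen)
```

The table costs m group elements of memory and the two loops cost about 2m multiplications, which is the O(√|G|) time and O(√|G|) memory trade-off the slide names; the 2^160 requirement is simply the group size at which √|G| = 2^80 steps becomes infeasible.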

Methods Used Today to Compute DL

Pollard’s rho Algorithm

Algorithm: Pollard’s rho algorithm for computing DL

INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.

1. Set x_0 := 1, a_0 := 0, b_0 := 0.
2. For i = 1, 2, … do the following:
   2.1 Using the quantities x_(i−1), a_(i−1), b_(i−1) and x_(2i−2), a_(2i−2), b_(2i−2) computed previously, compute x_i, a_i, b_i and x_(2i), a_(2i), b_(2i).
   2.2 If x_i = x_(2i), then do the following:
       Set r := b_i − b_(2i) mod n.
       If r = 0 then terminate the algorithm with failure; otherwise, compute x = r^(-1)(a_(2i) − a_i) mod n and return(x).

Methods Used Today to Compute DL

Pollard’s rho Algorithm

Pollard’s rho algorithm is a randomized algorithm.

Complexity: O(√|G|) steps.

Minimum security requirement: |G| ≥ 2^160.

It has the same expected running time as the baby-step giant-step algorithm, but requires only a negligible amount of storage.
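Pollard's rho from the two slides above, as an added Python example (my code, not from the slides): the walk uses the usual three-way partition of the group by x mod 3, Floyd's cycle finding compares x_i with x_(2i), and the r = 0 exit is kept as a failure return. Two things the slides leave out are handled: r is often not invertible mod n (n = p − 1 is even), so the congruence r·x ≡ a_(2i) − a_i is solved modulo n/gcd(r, n) and each candidate is verified; and since the slide's fixed start x_0 = 1 fails on the slide's own tiny group (the test below shows it), a wrapper restarts from random exponents. Function names and the 3-way partition are my choices; `pow(x, -1, m)` needs Python 3.8+.

```python
import random
from math import gcd


def pollard_rho_once(alpha, beta, p, n, a0, b0):
    """One run of Pollard's rho for log_alpha(beta) in Z_p^* (alpha of order n),
    started at x_0 = alpha^a0 * beta^b0. Returns x, or None when the run fails
    (the slide's r = 0 exit, or an r that yields no verified candidate)."""
    def step(x, a, b):
        # Partition by x mod 3 (any pseudo-random 3-way split works):
        # S1: x -> beta*x, S2: x -> x^2, S3: x -> alpha*x, tracking x = alpha^a * beta^b.
        if x % 3 == 1:
            return beta * x % p, a, (b + 1) % n
        if x % 3 == 0:
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b

    x0 = pow(alpha, a0, p) * pow(beta, b0, p) % p
    tortoise = hare = (x0, a0, b0)
    while True:                              # Floyd: advance x_i once and x_2i twice
        tortoise = step(*tortoise)
        hare = step(*step(*hare))
        if tortoise[0] == hare[0]:
            break
    (_, a_i, b_i), (_, a_2i, b_2i) = tortoise, hare
    # x_i = x_2i gives alpha^a_i * beta^b_i = alpha^a_2i * beta^b_2i, i.e.
    # r * x = a_2i - a_i (mod n) with r = b_i - b_2i, as on the slide.
    r = (b_i - b_2i) % n
    if r == 0:
        return None                          # the slide's "terminate with failure"
    rhs = (a_2i - a_i) % n
    d = gcd(r, n)                            # r need not be a unit mod n
    if rhs % d:
        return None
    x = pow(r // d, -1, n // d) * (rhs // d) % (n // d)
    for k in range(d):                       # d candidate solutions mod n; verify each
        cand = x + k * (n // d)
        if pow(alpha, cand, p) == beta % p:
            return cand
    return None


def pollard_rho_dlog(alpha, beta, p, n, seed=1, tries=200):
    """Repeat pollard_rho_once from random starting exponents until a run succeeds."""
    rng = random.Random(seed)
    for _ in range(tries):
        x = pollard_rho_once(alpha, beta, p, n, rng.randrange(n), rng.randrange(n))
        if x is not None:
            return x
    return None


if __name__ == "__main__":
    print("slide's start x0 = 1:", pollard_rho_once(2, 3, 11, 10, 0, 0))
    print("with random restarts:", pollard_rho_dlog(2, 3, 11, 10))
```

Only the current (x, a, b) pair for the tortoise and the hare is stored, which is the "negligible amount of storage" of the slide; the expected number of steps until the collision is about √(πn/2), matching the O(√|G|) of baby-step giant-step.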

Methods Used Today to Compute DL

Pohlig-Hellman Algorithm

Algorithm: Pohlig-Hellman algorithm for computing DL

INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.

1. Find the prime factorization of n: n = p_1^e_1 · p_2^e_2 · … · p_r^e_r, where e_i ≥ 1.
2. For i from 1 to r do the following (this computes x_i = x mod p_i^e_i):
   2.1 Set q := p_i, e := e_i, γ := 1, l_(−1) := 0.
   2.2 Compute α* := α^(n/q).
   2.3 For j from 0 to e − 1 do the following:
       Compute γ := γ · α^(l_(j−1) · q^(j−1)) and β* := (β γ^(-1))^(n/q^(j+1)).
       Compute l_j := log_α* β*.
   2.4 Set x_i := l_0 + l_1 q + … + l_(e−1) q^(e−1).
3. Use the CRT to compute the integer x from the x_i. Return(x).

Methods Used Today to Compute DL

Pohlig-Hellman Algorithm

The Pohlig-Hellman algorithm takes advantage of the factorization of the order n.

Complexity: O(√p_l) steps, where p_l is the largest prime factor of n.

Minimum security requirement: p_l ≥ 2^160.
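The Pohlig-Hellman algorithm of the two slides above, as an added Python example (my code, not the slides'): it follows steps 1 to 3 literally, computing the q-ary digits l_j of x mod q^e for each prime power and combining them with the CRT. The slides do not say how log_α* β* is found in the subgroup of prime order q; exhaustive search is used here for readability (baby-step giant-step or Pollard's rho would be dropped in for large q, which is where the O(√p_l) bound comes from). Function names, the trial-division factorization and the test primes 11 and 251 are my own choices; `pow(x, -1, m)` needs Python 3.8+.

```python
def factorize(n):
    """Trial-division factorization of n: list of (prime, exponent) pairs."""
    factors, q = [], 2
    while q * q <= n:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        if e:
            factors.append((q, e))
        q += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def small_dlog(alpha_star, beta_star, p, q):
    """log_{alpha*}(beta*) in the subgroup of prime order q, by exhaustive search."""
    g = 1
    for l in range(q):
        if g == beta_star:
            return l
        g = g * alpha_star % p
    raise ValueError("beta* is not in the subgroup generated by alpha*")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner's incremental form)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mod) % mod
        x += m * t
        m *= mod
    return x % m


def pohlig_hellman(alpha, beta, p, n):
    """x = log_alpha(beta) in Z_p^*, alpha of order n, via Pohlig-Hellman."""
    residues, moduli = [], []
    for q, e in factorize(n):                      # step 1 and the loop of step 2
        alpha_star = pow(alpha, n // q, p)         # step 2.2: element of order q
        gamma, digits = 1, []                      # gamma = alpha^(l_0 + l_1 q + ...)
        for j in range(e):                         # step 2.3
            if j > 0:                              # l_(-1) = 0, so gamma stays 1 at j = 0
                gamma = gamma * pow(alpha, digits[-1] * q ** (j - 1), p) % p
            beta_star = pow(beta * pow(gamma, -1, p) % p, n // q ** (j + 1), p)
            digits.append(small_dlog(alpha_star, beta_star, p, q))
        x_i = sum(l * q ** j for j, l in enumerate(digits))   # step 2.4
        residues.append(x_i)
        moduli.append(q ** e)
    return crt(residues, moduli)                   # step 3


if __name__ == "__main__":
    print("log_2 3 in Z_11^* =", pohlig_hellman(2, 3, 11, 10))
    print("log_71 of 71^197 in Z_251^* =", pohlig_hellman(71, pow(71, 197, 251), 251, 250))
```

For p = 11 the two subproblems are x mod 2 (α* = 10, β* = 1, so l_0 = 0) and x mod 5 (α* = 4, β* = 9, so l_0 = 3), and the CRT turns (0 mod 2, 3 mod 5) into 8. The reduction only ever searches a subgroup of prime order q, which is why the slide's security requirement is on the largest prime factor p_l of n rather than on n itself.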

Methods Used Today to Compute DL

Index-Calculus method

Algorithm: Index-Calculus method for computing DL

INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: y = log_α β.

1. Choose a subset S = {p_1, p_2, …, p_t} of G (the factor base) such that elements of G can be efficiently expressed as a product of elements from S.
2. Collect linear relations:
   2.1 Select a random integer k, 0 ≤ k ≤ n − 1, and compute α^k.
   2.2 Try to write α^k as a product of elements in S.
   2.3 Repeat steps 2.1 and 2.2 until t + c relations are obtained (solving these relations gives log_α p_i for every p_i ∈ S).
3. Select a random integer k, 0 ≤ k ≤ n − 1, and compute β · α^k. Try to write β · α^k as a product of elements in S. If this fails, repeat this step; otherwise, taking logarithms of both sides, we obtain y. Return(y).

Methods Used Today to Compute DL

Index-Calculus method

The Index-Calculus method is the most powerful method known for computing DL. It does not apply to all groups; it is only efficient for Z_p^* and Galois fields GF(2^k).

Subexponential-time algorithm: O(e^((1 + o(1)) · √(ln p · ln ln p))) steps.

Minimum security requirement: p ≥ 2^1024.
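The index-calculus method of the two slides above for G = Z_p^*, as an added Python example (my code, not from the slides): the factor base S is the set of small primes, step 2 collects t + c relations by testing α^k for smoothness over S, the relations are solved by Gauss-Jordan elimination modulo n = p − 1 (which is composite, so only unit pivots are used and more relations are collected if none is available), and step 3 finds a smooth β·α^k and reads off y. Function names, the pivot strategy and the test primes 1019 and 10007 with generators 2 and 5 are my own choices; `pow(x, -1, m)` needs Python 3.8+.

```python
import random
from math import gcd


def primes_up_to(limit):
    """Factor base S: all primes <= limit (trial division)."""
    return [q for q in range(2, limit + 1)
            if all(q % d for d in range(2, int(q ** 0.5) + 1))]


def factor_over_base(value, base):
    """Try to write value as a product of primes from base (smoothness test).
    Returns the exponent vector, or None if value is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while value % q == 0:
            value //= q
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def solve_mod_n(rows, n, t):
    """Gauss-Jordan elimination mod n on augmented rows [e_1, ..., e_t | k].
    n = p - 1 is composite, so each pivot must be a unit mod n; returns None otherwise."""
    rows = [r[:] for r in rows]
    for col in range(t):
        pivot = next((r for r in range(col, len(rows)) if gcd(rows[r][col], n) == 1), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, n)
        rows[col] = [v * inv % n for v in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % n for a, b in zip(rows[r], rows[col])]
    return [rows[i][t] for i in range(t)]          # log_alpha(p_i) for each base prime


def index_calculus(alpha, beta, p, base, seed=1, extra=10):
    """y = log_alpha(beta) in Z_p^* for a generator alpha, by index calculus over base."""
    n, t = p - 1, len(base)
    rng = random.Random(seed)
    relations = []
    while True:
        # Step 2: relations k = sum_i e_i * log(p_i) (mod n), until t + extra of them
        while len(relations) < t + extra:
            k = rng.randrange(n)
            exps = factor_over_base(pow(alpha, k, p), base)
            if exps is not None:
                relations.append(exps + [k])
        logs = solve_mod_n(relations, n, t)
        # Every base log is checked; if the system was not solvable, gather more relations
        if logs is not None and all(pow(alpha, l, p) == q for l, q in zip(logs, base)):
            break
        extra += 10
    # Step 3: find k with beta * alpha^k smooth, then y = sum e_i log(p_i) - k
    while True:
        k = rng.randrange(n)
        exps = factor_over_base(beta * pow(alpha, k, p) % p, base)
        if exps is not None:
            return (sum(e * l for e, l in zip(exps, logs)) - k) % n


if __name__ == "__main__":
    print("log_5 of 5^4321 mod 10007 =", index_calculus(5, pow(5, 4321, 10007), 10007, primes_up_to(50)))
```

The cost is dominated by how often a random α^k is smooth over S, which is what drives the subexponential L_p[1/2] running time on the slide; the factor base and the linear algebra are reused for every β in the same group, so once stage 2 is done each further logarithm is cheap. The same smoothness idea is what fails in elliptic-curve groups, where there is no useful notion of a "small" element, which is why the slide restricts the method to Z_p^* and GF(2^k).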

Future Work

Try to improve some of these algorithms.

Challenge: find a polynomial-time algorithm to compute DL.

Question & Answer

Thanks
