Research on the Discrete Logarithm Problem
Wang Ping, Meng Xuemei
2003. 05. 18
Content
Introduction
Mathematical Background
Definition of DLP
Methods Used Today to Compute DL
Future Work
Question & Answer
Introduction
DLP is the underlying one-way function for:
Diffie-Hellman key exchange.
DSA (digital signature algorithm).
ElGamal encryption/digital signature scheme.
Elliptic curve cryptosystems.
…
DLP is based on finite groups.
Mathematical Background
Groups Definition: A group is a set G of elements together with a binary operation “•” such that:
If a, b ∈ G then a • b = c ∈ G (closure).
(a • b) • c = a • (b • c) for all a, b, c ∈ G (associativity).
There exists an identity element e ∈ G such that for all a ∈ G: e • a = a • e = a (identity).
For all a ∈ G, there exists an inverse element a⁻¹ ∈ G such that a • a⁻¹ = e (inverse).
Mathematical Background
Inverses Definition: Let a be a number. If there exists b such that ab ≡ 1 (mod m), then we call b the inverse of a mod m, and write b = a⁻¹ (mod m).
Theorem: a has an inverse mod m iff gcd(a, m) = 1.
Zp*: The set of all the invertible integers mod p:
Zp* = {i ∈ Zp | gcd(i, p) = 1}
Theorem: Zp* forms a group under modulo p multiplication. The identity element is e = 1.
Mathematical Background
Example: Z9* = {1, 2, 4, 5, 7, 8}
Multiplication table (* mod 9):
* | 1 2 4 5 7 8
--+------------
1 | 1 2 4 5 7 8
2 | 2 4 8 1 5 7
4 | 4 8 7 2 1 5
5 | 5 1 2 7 8 4
7 | 7 5 1 8 4 2
8 | 8 7 5 4 2 1
Note: From the above multiplication table, we can see that (Z9*, * mod 9) is a group.
Mathematical Background
Example (cont.) Group: G = (Z9*, * mod 9)
Find the inverse of 7 in the group (Z9*, * mod 9) through the Extended Euclidean Algorithm:
9 = 1 * 7 + 2 → 2 = 9 − 7
7 = 3 * 2 + 1 → 1 = 7 − 3 * 2 = 7 − 3 * (9 − 7) = 4 * 7 − 3 * 9
2 = 2 * 1 + 0
So we have: 1 = 4 * 7 − 3 * 9 → 4 * 7 mod 9 = 1
4 is the inverse of 7 mod 9.
Mathematical Background
Finite Groups Definition: A group (G, •) is finite if it has a finite number of elements. We denote the cardinality of G by |G|.
Definition: The order of an element a ∈ G is the smallest positive integer n such that a • a • … • a (n factors) = a^n = e.
Definition: A group G which contains an element α with maximum order ord(α) = |G| is said to be cyclic. Elements with maximum order are called generators or primitive elements.
Mathematical Background
Example Finite group: G = (Z11*, * mod 11). Find the order of a = 3:
a^1 = 3
a^2 = 3^2 = 9
a^3 = 3^3 = 27 = 5
a^4 = 3^4 = 3^3 * 3 = 5 * 3 = 15 = 4
a^5 = 3^5 = 3^4 * 3 = 4 * 3 = 12 = 1
So ord(3) = 5.
Mathematical Background
Example (cont.) Finite group: G = (Z11*, * mod 11). Proof that α = 2 is a generator of G:
|G| = |{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}| = 10
α^1 = 2
α^2 = 2^2 = 4
α^3 = 2^3 = 8
α^4 = 2^4 = 16 = 5
α^5 = 2^5 = 10
α^6 = 2^6 = 20 = 9
α^7 = 2^7 = 18 = 7
α^8 = 2^8 = 14 = 3
α^9 = 2^9 = 6
α^10 = 2^10 = 12 = 1
α^11 = 2^11 = 2 = α
Mathematical Background
Example (cont.) Finite group: G = (Z11*, * mod 11)
So we have: ord(α = 2) = 10 = |G| → (1) G is cyclic; (2) α = 2 is a generator of G.
Note: 2^i, i = 1, 2, …, 10 generates all elements of G:
i    1 2 3 4  5 6 7 8 9 10
2^i  2 4 8 5 10 9 7 3 6  1
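As an added example (not part of the slides), the following Python code implements the Extended Euclidean Algorithm and the definitions from the preceding slides (inverse, Zm*, order of an element, generator) and checks them on the slides' own groups: 7⁻¹ = 4 in Z9*, ord(3) = 5 in Z11*, and 2 generating Z11*. The function names are mine.

```python
# Added example (not from the slides): Extended Euclidean Algorithm, modular
# inverses, element orders and generators, checked on the slides' groups.
from math import gcd


def ext_gcd(a: int, b: int) -> tuple:
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g (Extended Euclid)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a mod m; by the theorem on the slide it exists iff gcd(a, m) = 1."""
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd({a}, {m}) = {g}")
    return s % m


def units(m: int) -> list:
    """Zm* = {i in Zm | gcd(i, m) = 1}, the invertible residues mod m."""
    return [i for i in range(1, m) if gcd(i, m) == 1]


def element_order(a: int, m: int) -> int:
    """ord(a) in Zm*: the smallest n >= 1 with a^n = 1 mod m."""
    if gcd(a % m, m) != 1:
        raise ValueError("order is only defined for invertible elements")
    n, x = 1, a % m
    while x != 1:
        x = x * a % m
        n += 1
    return n


def is_generator(a: int, m: int) -> bool:
    """a generates Zm* iff ord(a) = |Zm*| (a has maximum order)."""
    return element_order(a, m) == len(units(m))


def powers(a: int, m: int) -> list:
    """a^1, a^2, ..., a^|Zm*| mod m: the row '2^i' of the slide's table when a = 2, m = 11."""
    return [pow(a, i, m) for i in range(1, len(units(m)) + 1)]


if __name__ == "__main__":
    print("Z9* =", units(9), " 7^-1 mod 9 =", mod_inverse(7, 9))
    print("ord(3) in Z11* =", element_order(3, 11))
    print("2 generates Z11*:", is_generator(2, 11), powers(2, 11))
```

`mod_inverse` refuses non-units instead of returning a wrong value, which is exactly the gcd(a, m) = 1 condition of the theorem; `element_order` is a plain loop, which is fine for these tiny groups but is itself an exhaustive search.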
Definition of DLP
The discrete logarithm problem (DLP) Definition: Given a prime p, a generator α of Zp*, and an element β ∈ Zp*, find the integer x, 0 ≤ x ≤ p − 2, such that α^x ≡ β (mod p).
The generalized discrete logarithm problem (GDLP) Definition: Given a finite cyclic group G of order n, a generator α of G, and an element β ∈ G, find the integer x, 0 ≤ x ≤ n − 1, such that α^x = β.
Definition of DLP
Example G = (Z11, + mod 11)
We have:
i    1 2 3 4  5 6 7 8 9 10 11
2i   2 4 6 8 10 1 3 5 7  9  0
So α = 2 is a generator of G.
Let i = 7, β = 7 * 2 = 3 mod 11. Question: given α = 2, β = 3 = i * 2 mod 11, find i. Answer: i = 2⁻¹ * 3 mod 11.
Note: 2⁻¹ = 6 can be computed by the Extended Euclidean Algorithm, thus this example is NOT a one-way function.
Definition of DLP
Example G = (Z11*, * mod 11), α = 2 is a generator of G
Let i = 8, β = 2^8 = 3 mod 11
Question: given α = 2, β = 3 = 2^i, find i
i = log_2 3 = log_2 2^i = ?
Note: No efficient algorithm is known to find i; it’s a very hard computational problem! Thus this example is a one-way function.
Methods Used Today to Compute DL
Baby-step giant-step Algorithm
Algorithm: Baby-step giant-step algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Set m := ⌈√n⌉.
Construct a table with entries (j, α^j) for 0 ≤ j < m. Sort this table by second component.
Compute α^(−m) and set γ := β.
For i from 0 to m − 1:
1. Check if γ is the second component of some entry in the table.
2. If γ = α^j then return (x = im + j).
3. Set γ := γ · α^(−m).
Methods Used Today to Compute DL
Baby-step giant-step Algorithm Example
INPUT: a generator α = 2 of G = (Z11*, * mod 11) of order n = 10, and an element β = 3.
OUTPUT: x = log_α β = log_2 3.
Set m := ⌈√10⌉ = 4. Construct a table with entries (j, α^j) for 0 ≤ j < 4. Sort this table by second component.
j           0 1 2 3
2^j mod 11  1 2 4 8
By the Extended Euclidean Algorithm compute α⁻¹ = 2⁻¹ mod 11 = 6; then α^(−m) = 2^(−4) mod 11 = 6^4 mod 11 = 9, and set γ := β = 3.
Methods Used Today to Compute DL
Baby-step giant-step Algorithm Example (cont.)
For i from 0 to 3, we have the following table (the search stops at i = 2):
i               0 1 2
3 · 9^i mod 11  3 5 1
Because 3 · 9^2 mod 11 = 1 = α^0 (the table entry with j = 0), we have: x = im + j = 2 · 4 + 0 = 8.
The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search.
Complexity: O(√|G|) steps.
Minimum security requirement: |G| ≥ 2^160.
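An added example, not from the slides: baby-step giant-step over Zp* in Python, written beside the exhaustive search it improves on, run on the slides' instance α = 2, β = 3 in Z11* (x = 8) and on a larger constructed instance. A dictionary keyed by α^j stands in for the sorted table, and `pow(alpha, -m, p)` (Python 3.8+) produces α^(−m) in place of the Extended Euclidean step; the function names are mine.

```python
# Added example (not from the slides): baby-step giant-step in Zp*, next to the
# exhaustive search it trades memory for.
from math import isqrt


def exhaustive_log(alpha: int, beta: int, p: int, n: int):
    """Try x = 0, 1, ..., n-1 until alpha^x = beta mod p: O(n) steps, no storage."""
    beta %= p
    gamma = 1
    for x in range(n):
        if gamma == beta:
            return x
        gamma = gamma * alpha % p
    return None


def bsgs_log(alpha: int, beta: int, p: int, n: int):
    """x = log_alpha(beta) in Zp*, alpha of order n: O(sqrt n) steps, O(sqrt n) storage."""
    m = isqrt(n - 1) + 1                 # m = ceil(sqrt(n)) without floating point
    # baby steps: the table (j, alpha^j); a dict keyed by alpha^j replaces the sorted table
    table = {}
    gamma = 1
    for j in range(m):
        table.setdefault(gamma, j)       # keep the smallest j if a value repeats
        gamma = gamma * alpha % p
    # giant steps: gamma := beta * alpha^(-m*i) until it hits a baby step
    alpha_minus_m = pow(alpha, -m, p)    # alpha^(-m) = (alpha^-1)^m, Python 3.8+
    gamma = beta % p
    for i in range(m):
        if gamma in table:
            return (i * m + table[gamma]) % n
        gamma = gamma * alpha_minus_m % p
    return None


def giant_step_trace(alpha: int, beta: int, p: int, n: int) -> list:
    """The successive gamma values of the giant steps (the slide's row '3 * 9^i mod 11')."""
    m = isqrt(n - 1) + 1
    alpha_minus_m = pow(alpha, -m, p)
    trace, gamma = [], beta % p
    for _ in range(m):
        trace.append(gamma)
        gamma = gamma * alpha_minus_m % p
    return trace


if __name__ == "__main__":
    # the slides' instance: alpha = 2, beta = 3 in Z11*, n = 10, so m = 4
    print(giant_step_trace(2, 3, 11, 10))                          # [3, 5, 1, 9]
    print(bsgs_log(2, 3, 11, 10), exhaustive_log(2, 3, 11, 10))    # 8 8
```

The table holds m ≈ √n entries and the giant-step loop runs at most m times, which is the time-memory trade-off the slide names; `exhaustive_log` stores nothing but may take all n steps.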
Methods Used Today to Compute DL
Pollard’s rho Algorithm
Algorithm: Pollard’s rho algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Set x_0 := 1, a_0 := 0, b_0 := 0. For i = 1, 2, … do the following:
1. Using the quantities x_{i−1}, a_{i−1}, b_{i−1} and x_{2i−2}, a_{2i−2}, b_{2i−2} computed previously, compute x_i, a_i, b_i and x_{2i}, a_{2i}, b_{2i}. (Every triple satisfies x_i = α^(a_i) · β^(b_i), so a collision x_i = x_{2i} gives α^(a_i) β^(b_i) = α^(a_{2i}) β^(b_{2i}).)
2. If x_i = x_{2i}, then do the following:
   Set r := b_i − b_{2i} mod n.
   If r = 0 then terminate the algorithm with failure; otherwise, compute x = r⁻¹(a_{2i} − a_i) mod n and return(x).
Methods Used Today to Compute DL
Pollard’s rho Algorithm
Pollard’s rho algorithm is a randomized algorithm.
Complexity: O(√|G|) steps.
Minimum security requirement: |G| ≥ 2^160.
It has the same expected running time as the baby-step giant-step algorithm, but requires a negligible amount of storage.
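An added example, not from the slides: Pollard's rho in Python. The slides do not state the iteration function; this code uses Pollard's original three-way partition of Zp* by x mod 3 (as in the Handbook of Applied Cryptography), which is an assumption of this example. Attempt 0 starts from the slide's x_0 = 1, a_0 = b_0 = 0; on the slide's failure case (r not invertible mod n) it restarts from x_0 = α^(a_0) with a fresh a_0 rather than giving up, a restart rule of my own. The constructed instance uses α = 4, which has prime order 509 in Z1019* (1018 = 2 · 509).

```python
# Added example (not from the slides): Pollard's rho for DL in Zp*. The
# iteration function (three-way partition by x mod 3) is this example's choice;
# the slide only states the collision step.


def pollard_rho_log(alpha: int, beta: int, p: int, n: int, attempts: int = 32):
    """x with alpha^x = beta mod p, where alpha has prime order n; None if every
    attempt ends in the slide's failure case (r = b_i - b_2i not invertible mod n)."""
    beta %= p

    def step(x, a, b):
        # Pollard's map f on triples (x, a, b) that keep x = alpha^a * beta^b (mod p)
        s = x % 3
        if s == 1:
            return beta * x % p, a, (b + 1) % n
        if s == 0:
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b

    for a0 in range(attempts):
        # attempt 0 is the slide's start x_0 = 1, a_0 = b_0 = 0;
        # later attempts restart from x_0 = alpha^a0 (constructed restart rule)
        x, a, b = pow(alpha, a0, p), a0 % n, 0      # x_i, a_i, b_i
        X, A, B = x, a, b                            # x_2i, a_2i, b_2i (Floyd's hare)
        for _ in range(n + 1):                       # a collision occurs within n steps
            x, a, b = step(x, a, b)
            X, A, B = step(*step(X, A, B))
            if x == X:                               # alpha^a beta^b = alpha^A beta^B
                r = (b - B) % n
                try:
                    return pow(r, -1, n) * (A - a) % n   # x = r^-1 (a_2i - a_i) mod n
                except ValueError:                   # r = 0 (or gcd(r, n) > 1): failure
                    break
    return None


if __name__ == "__main__":
    print(pollard_rho_log(4, pow(4, 321, 1019), 1019, 509))   # 321
    print(pollard_rho_log(2, 3, 11, 10))                      # 8 if the run succeeds
```

Only the current pair of triples is kept, which is the "negligible amount of storage" of the slide; the number of steps is governed by the expected collision time in a set of size n, i.e. O(√n). On a group of composite order (the Z11* instance) r may fail to be invertible, which is why the code treats any non-invertible r as the slide's failure case.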
Methods Used Today to Compute DL
Pohlig-Hellman Algorithm
Algorithm: Pohlig-Hellman algorithm for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: x = log_α β.
Find the prime factorization of n: n = p1^e1 · p2^e2 · … · pr^er, where ei ≥ 1.
For i from 1 to r do the following:
1. Set q := pi, e := ei, γ := 1, l_{−1} := 0.
2. Compute α* := α^(n/q).
3. For j from 0 to e − 1 do the following:
   Compute γ := γ · α^(l_{j−1} · q^(j−1)) and β* := (βγ⁻¹)^(n/q^(j+1)).
   Compute l_j := log_{α*} β*.
4. Set x_i := l_0 + l_1 q + … + l_{e−1} q^(e−1).
Use CRT to compute the integer x from the x_i (x ≡ x_i mod pi^ei). Return(x).
Methods Used Today to Compute DL
Pohlig-Hellman Algorithm
The Pohlig-Hellman algorithm takes advantage of the factorization of the order n.
Complexity: O(√p_l) steps, where p_l is the largest prime factor of n.
Minimum security requirement: p_l ≥ 2^160.
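An added example, not from the slides: Pohlig-Hellman in Python with the slide's digit-by-digit step 3 for prime powers q^e and the CRT recombination. The subgroup logarithms l_j = log_{α*} β* are found by exhaustive search here, which is the part that baby-step giant-step or Pollard's rho would replace for a large prime factor; that choice and the function names are mine. Instances: Z11* (n = 10 = 2 · 5, giving x = 8 as on the BSGS slides), Z257* (n = 2^8, generator 3) and Z73* (n = 2^3 · 3^2, generator 5).

```python
# Added example (not from the slides): Pohlig-Hellman in Zp*, with the slide's
# digit-by-digit step for prime powers q^e and CRT recombination. Subgroup logs
# are found by exhaustive search (stand-in for BSGS / rho on a large prime q).


def factorize(n: int) -> dict:
    """Trial-division factorization n = prod q^e, returned as {q: e}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def subgroup_log(alpha_star: int, beta_star: int, p: int, q: int) -> int:
    """l = log_{alpha*} beta* where alpha* has prime order q; exhaustive search over 0..q-1."""
    g = 1
    for l in range(q):
        if g == beta_star:
            return l
        g = g * alpha_star % p
    raise ValueError("beta* is not in the subgroup generated by alpha*")


def crt(residues: list, moduli: list) -> int:
    """x with x = r_i (mod m_i) for pairwise coprime m_i (Chinese Remainder Theorem)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M


def pohlig_hellman_log(alpha: int, beta: int, p: int, n: int) -> int:
    """x = log_alpha(beta) in Zp*, alpha of order n, via the factorization of n."""
    beta %= p
    residues, moduli = [], []
    for q, e in factorize(n).items():
        alpha_star = pow(alpha, n // q, p)      # step 2: alpha* has order q
        gamma, x_i = 1, 0                        # gamma = alpha^(x_i) for the digits found so far
        for j in range(e):                       # step 3: digit l_j of x mod q^e
            # divide out the known digits, then raise to n/q^(j+1) so that only l_j survives
            beta_star = pow(beta * pow(gamma, -1, p), n // q ** (j + 1), p)
            l_j = subgroup_log(alpha_star, beta_star, p, q)
            x_i += l_j * q ** j                  # step 4, accumulated: l_0 + l_1 q + ...
            gamma = gamma * pow(alpha, l_j * q ** j, p) % p
        residues.append(x_i)
        moduli.append(q ** e)
    return crt(residues, moduli)                 # x from the x_i by CRT


if __name__ == "__main__":
    print(pohlig_hellman_log(2, 3, 11, 10))      # 8, as on the BSGS slides
    print(pohlig_hellman_log(3, pow(3, 200, 257), 257, 256))   # 200
```

Each `subgroup_log` call searches a group of prime order q, so the total work is governed by the largest prime factor of n; this is why the slide's security requirement is on p_l rather than on n, and why Diffie-Hellman and DSA parameters use a subgroup of large prime order.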
Methods Used Today to Compute DL
Index-Calculus method
Algorithm: Index-Calculus method for computing DL
INPUT: a generator α of G of order n, and an element β ∈ G.
OUTPUT: y = log_α β.
Choose a subset S = {p1, p2, …, pt} of G (the factor base) such that all elements in G can be efficiently expressed as a product of elements from S.
Collect linear relations:
1. Select a random integer k, 0 ≤ k ≤ n − 1, and compute α^k.
2. Try to write α^k as a product of elements in S: α^k = ∏ p_i^(c_i), which gives the relation k = Σ c_i log_α p_i (mod n).
3. Repeat steps 1 and 2 until t + c relations are obtained, then solve them for the logarithms log_α p_i of the elements of S.
Select a random integer k, 0 ≤ k ≤ n − 1, and compute βα^k. Try to write βα^k as a product of elements in S. If failure, repeat this step; otherwise, taking logarithms of both sides, we obtain y. Return(y).
Methods Used Today to Compute DL
Index-Calculus method
The Index-Calculus method is the most powerful method known for computing DL. It does not apply to all groups; it is only efficient for Zp* and Galois fields GF(2^k).
Subexponential-time algorithm: O(e^((1 + o(1)) · √(ln p · ln ln p))) steps.
Minimum security requirement: p ≥ 2^1024.
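An added example, not from the slides: the index-calculus method in Zp* in Python. The slides leave the linear-algebra step implicit; here the t + c relations are solved by Gauss-Jordan elimination modulo each prime factor of n and recombined by CRT, which assumes n = p − 1 is squarefree. The constructed instance is p = 107, α = 2 (2 is a quadratic non-residue mod 107 and 106 = 2 · 53, so 2 has order 106), factor base S = {2, 3, 5, 7}, and a fixed random seed; the function names are mine.

```python
# Added example (not from the slides): index calculus in Zp* with a small factor
# base. Constructed instance: p = 107, alpha = 2 (order 106 = 2 * 53), S = {2,3,5,7}.
# Assumption: n = p - 1 is squarefree, so the relations are solved modulo each
# prime factor of n and recombined by CRT.
import random


def factor_over_base(x: int, base: list):
    """Exponent vector of x over the factor base, or None if x is not S-smooth."""
    exps = []
    for q in base:
        e = 0
        while x % q == 0:
            x //= q
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def solve_mod_prime(rows: list, rhs: list, t: int, q: int):
    """Gauss-Jordan elimination over GF(q) on rows * v = rhs (more rows than the t
    unknowns is fine); returns the unique solution or None if some column has no pivot."""
    M = [[a % q for a in r] + [b % q] for r, b in zip(rows, rhs)]
    for col in range(t):                      # the pivot for column col goes into row col
        piv = next((i for i in range(col, len(M)) if M[i][col] != 0), None)
        if piv is None:
            return None                       # rank deficiency: collect more relations
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [a * inv % q for a in M[col]]
        for i in range(len(M)):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * b) % q for a, b in zip(M[i], M[col])]
    return [M[i][t] for i in range(t)]


def crt(residues: list, moduli: list) -> int:
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M


def factor_base_logs(alpha: int, p: int, n: int, base: list, extra: int = 5, seed: int = 1) -> list:
    """log_alpha(q) for every q in the factor base, from t + extra random relations."""
    rng = random.Random(seed)                 # fixed seed: constructed, reproducible run
    t = len(base)
    primes = [q for q in range(2, n + 1) if n % q == 0 and all(q % d for d in range(2, q))]
    rows, rhs = [], []
    while True:
        while len(rows) < t + extra:          # relation: alpha^k = prod q_i^e_i (mod p)
            k = rng.randrange(n)              #   =>  k = sum e_i * log(q_i)     (mod n)
            vec = factor_over_base(pow(alpha, k, p), base)
            if vec is not None:
                rows.append(vec)
                rhs.append(k)
        parts = [solve_mod_prime(rows, rhs, t, q) for q in primes]
        if all(part is not None for part in parts):
            return [crt([part[i] for part in parts], primes) for i in range(t)]
        extra += 5                            # not enough independent relations yet


def index_calculus_log(alpha: int, beta: int, p: int, n: int, base: list, seed: int = 1) -> int:
    """y = log_alpha(beta): find k with beta * alpha^k S-smooth, then read off y."""
    logs = factor_base_logs(alpha, p, n, base, seed=seed)
    rng = random.Random(seed + 1)
    while True:
        k = rng.randrange(n)
        vec = factor_over_base(beta * pow(alpha, k, p) % p, base)
        if vec is not None:                   # log(beta) + k = sum e_i * log(q_i)  (mod n)
            return (sum(e * l for e, l in zip(vec, logs)) - k) % n


if __name__ == "__main__":
    base = [2, 3, 5, 7]
    print("logs of S:", factor_base_logs(2, 107, 106, base))
    print("log_2 3 mod 107 =", index_calculus_log(2, 3, 107, 106, base))
```

The expensive part is the precomputation of the factor-base logarithms; once they are known, every further logarithm to the same base costs only the final smoothness search. That precomputation is specific to p and α, which is the structural reason the method applies to Zp* and GF(2^k) but not to a generic group.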
Future Work
Try to improve some of these algorithms.
Challenge: find a polynomial-time algorithm to compute DL.
Question & Answer
Thanks