Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, - - PowerPoint PPT Presentation




Discrete-Log Based Public Key Cryptosystems

Jim Royer September 25, 2018

Introduction to Cryptography 1

Note: Log = logarithm, not

References

  • “Public-Key Cryptosystems Based on the Discrete Logarithm Problem,” Chapter 8 of Understanding Cryptography by Paar & Pelzl.
  • “Primitive Roots,” Chapter 7 of Andrews.

Note: Our terminology vs. Andrews’ terminology:
  primitive element ≡ primitive root
  discrete log ≡ index

Symmetric and Asymmetric Cryptosystems

Symmetric: Each pair of users, A and B, share a private encryption/decryption key, k_{A,B}.
  Q: How do you distribute keys quickly and securely?
  Q: How do you manage the large number of keys?

Asymmetric: Each user, A, has a public encryption key, e_A, and a private decryption key, d_A.
  Q: How do you perform this magic? A: RSA & see below.
  Q: How do you know it is secure? No simple answer.


Uses of Public Key Systems (RSA, ElGamal, etc.)

  • Encryption: You can encrypt a message. But don’t do this unless the message is short!
  • Key distribution: Can distribute keys for a (fast) stream or block cipher.
  • Nonrepudiation: Can provide unforgeable signatures for messages.
  • Identification: Can build challenge/response protocols for establishing identity for banking.
  • Etc.: Many other nifty things can be built with these.

Families of PKCs

  • Integer-Factorization Schemes. E.g., RSA.
  • Discrete-Logarithm Schemes. E.g., Diffie-Hellman and ElGamal.
  • Elliptic Curve (EC) Schemes. E.g., EC-RSA, EC-Diffie-Hellman, and EC-ElGamal.
  • Lattice-based Schemes (Post-Quantum). E.g., NTRU, Learning-with-errors, ...
  • And others ... based on hashing, coding-theory, etc.

To talk about the discrete-log schemes, we need

YET MORE MATH!

Fields

Example: (Z_p, +_p, ×_p) acts like a miniature version of Q.

Definition: A field F is a set with operations +_F and ×_F satisfying the usual:

  • associative laws:
      (a +_F b) +_F c = a +_F (b +_F c).
      (a ×_F b) ×_F c = a ×_F (b ×_F c).
  • commutative laws:
      a +_F b = b +_F a.
      a ×_F b = b ×_F a.
  • distributive law:
      (a +_F b) ×_F c = a ×_F c +_F b ×_F c.
  • There is an additive identity (0_F) and additive inverses (−a).
  • There is a multiplicative identity (1_F) and multiplicative inverses (a^{−1}) for every a ≠ 0_F.

Examples: R, C, Z_p (or F_p).

We usually drop the F subscript on +_F, ×_F, 0_F, . . . .

Example Finite Field, F_2 = ({ 0, 1 }, +_2, ∗_2)

  +_2 | 0  1        ∗_2 | 0  1
  ----+------       ----+------
   0  | 0  1         0  | 0  0
   1  | 1  0         1  | 0  1


Example Finite Fields, F_7 = ({ 0, . . . , 6 }, +_7, ∗_7)

  +_7 | 0  1  2  3  4  5  6
  ----+---------------------
   0  | 0  1  2  3  4  5  6
   1  | 1  2  3  4  5  6  0
   2  | 2  3  4  5  6  0  1
   3  | 3  4  5  6  0  1  2
   4  | 4  5  6  0  1  2  3
   5  | 5  6  0  1  2  3  4
   6  | 6  0  1  2  3  4  5

  ∗_7 | 0  1  2  3  4  5  6
  ----+---------------------
   0  | 0  0  0  0  0  0  0
   1  | 0  1  2  3  4  5  6
   2  | 0  2  4  6  1  3  5
   3  | 0  3  6  2  5  1  4
   4  | 0  4  1  5  2  6  3
   5  | 0  5  3  1  6  4  2
   6  | 0  6  5  4  3  2  1

Example Finite Fields, F_4 = ({ 0, 1, x, 1 + x }, +, ∗)

    +   | 0     1     x     1+x          ∗   | 0   1     x     1+x
  ------+------------------------      ------+----------------------
    0   | 0     1     x     1+x          0   | 0   0     0     0
    1   | 1     0     1+x   x            1   | 0   1     x     1+x
    x   | x     1+x   0     1            x   | 0   x     1+x   1
   1+x  | 1+x   x     1     0           1+x  | 0   1+x   1     x

(Coefficients are added mod 2, and products are reduced using x^2 = x + 1.)

More on Fields

  • A vector space over a field F is defined just like a vector space over R.
  • The number of elements in the smallest basis for a vector space is the dimension of the vector space.
  • If F ⊆ F′ (both fields, with F′’s operations restricting to F’s), then F′ is called an extension field of F. F′ is automatically a vector space over F.
      Example: C is a 2-dimensional vector space over R.
      Example: R is an ∞-dimensional vector space over Q.
  • F′ is a finite extension of F iff F′ is a finite dimensional vector space over F.
  • The degree of F′ over F is the dimension of F′ as a vector space over F.

F_4 Again

(Addition and multiplication tables as above.)

  • F_4 is an extension of F_2 of degree 2.
  • 1 and x form a basis of F_4 as a vector space over F_2:
      { 0, 1, x, 1 + x } = { a · 1 + b · x : a, b ∈ F_2 }.


Fields and Characteristics

Definition

  • F has characteristic 0 iff for all n ∈ Z⁺, (∑_{i=1}^{n} 1) ≠ 0.
  • F has characteristic m iff m = min({ n ∈ Z⁺ : (∑_{i=1}^{n} 1) = 0 }) < +∞.

Q: What is the characteristic of: F_2? F_4? F_7?

Facts

  • If F has char. n > 0, then n is prime. (proof on board)
  • For each q, there is at most one field with q elements (up to isomorphism).
  • If F is finite, then |F| = p^d for some prime p & d ≥ 1.

Notes: Claim: If F has characteristic n > 0, then n is prime.
Proof: n · 1 = 0 in F. Suppose by way of contradiction that n = j · k where 1 < j, k < n. Then

  0 = n · 1 = (1 + 1 + · · · + 1) + · · · + (1 + 1 + · · · + 1)   (k blocks of j ones each)
            = (j · 1) × (k · 1).

CASE 1: j · 1 = 0. But since 0 < j < n, this contradicts our choice of n.
CASE 2: j · 1 ≠ 0. Then k · 1 = 0. (Why? j · 1 has a multiplicative inverse in F, so (j · 1) × (k · 1) = 0 forces k · 1 = 0.) But since 0 < k < n, this also contradicts our choice of n.

Fields and Primes

Definition
  (a) F^* =def the nonzero elements of F.
  (b) The order of a ∈ F^* is min{ n ∈ Z⁺ : a^n = 1 }.
  (c) F_q =def the finite field with q elements. (Recall: For each q there is at most one finite field with q-many elements.) For each prime q, F_q = (Z_q, +_q, ×_q).

Proposition: Suppose a ∈ F_q^*. Then (the order of a) | (q − 1). (proof on board)

Definition: A primitive element (or generator) α of F_q is an α ∈ F_q^* with order q − 1.
(Thus, F_q^* = { α^1, α^2, . . . , α^{q−1} }.)

Puzzle: What are the primitive elements of F_2? F_4? F_7?

Notes: Proof of Proposition. Let F_q^* = { a_1, . . . , a_{q−1} }.

Claim 1. a_i ↦ a ×_{F_q} a_i is 1-1. (Why? a has an inverse, so a × a_i = a × a_j implies a_i = a_j.)
Claim 2. In F_q: a^{q−1} = 1.
  Proof. By Claim 1, a × a_1, . . . , a × a_{q−1} is just F_q^* listed in another order, so
    a_1 × a_2 × · · · × a_{q−1} = (a × a_1) × (a × a_2) × · · · × (a × a_{q−1})
                                = a^{q−1} × (a_1 × a_2 × · · · × a_{q−1}).
  Cancelling the nonzero product a_1 × · · · × a_{q−1} gives a^{q−1} = 1.

Now let n_a = the order of a. Clearly n_a ≤ q − 1. Write q − 1 = k · n_a + r where 0 ≤ r < n_a. Then, in F_q:
    1 = a^{q−1} = a^{k·n_a + r} = (a^{n_a})^k × a^r = a^r.
Since r < n_a and n_a = min{ n > 0 : a^n = 1 }, it follows that r = 0. Hence, n_a | (q − 1).


Notes: Puzzle: What are the primitive elements of F_2? F_4? F_7? Answer:

  • In F_k, 1^j = 1 for all j, so 1 is never a prim. elm. unless k = 2.
  • In F_4, both x and x + 1 are prim. elms.
  • In F_7, 2^3 = 8 ≡ 1 and 6^2 = 36 ≡ 1, so they don’t work; nor does 4, since 4^3 = 64 ≡ 1 (mod 7), so 4 has order 3. The primitive elements of F_7 are 3 and 5 (as you can check: the successive powers of 3 are 3, 2, 6, 4, 5, 1 and those of 5 are 5, 4, 6, 2, 3, 1). This agrees with the count ϕ(6) = 2 from the next slide.

More on Primitive Elements

Theorem
  (a) Every F_q^* has a primitive element.
  (b) If g is a primitive element of F_q^*, then g^i is a primitive element iff gcd(i, q − 1) = 1.
Proof. See the proof of Proposition II.1.2 on page 34 of A Course in Number Theory and Cryptography, 2/e by Neal Koblitz, Springer 1994.

Thus, each F_q^* has exactly ϕ(q − 1)-many primitive elements.

Aside: When Does the Ring Z_n^* Have Primitive Elements?

By Andrews §7.2, Z_n^* has a primitive element (i.e., is cyclic) when:

  • n = 2 or
  • n = 4 or
  • n = p^k where p is an odd prime and k > 0 or
  • n = 2p^k where p is an odd prime and k > 0.

Otherwise, Z_n^* fails to have a primitive element.

In particular, Z_{p·q}^* fails to have a primitive element when p and q are distinct odd primes (the RSA case).

The Discrete Log

Definition: Suppose F_q has primitive element α and y ∈ F_q^*. The discrete log of y to the base α (notation: dlog_α(y)) is the solution for x of: y = α^x.

Example: 3 = dlog_5(6) in F_7, since 5^3 = 125 = 17 · 7 + 6.

Fact: (α, x) ↦ α^x is easy, but these seem hard:

  • Given α and y, find x such that y = α^x. (basis of many cryptosystems)
  • Given x and y, find α such that y = α^x. (basis of RSA, although Z_{p·q} is not a field)

Puzzle: What is dlog_5(a) in F_7 for a = 1, . . . , 5?
Hint: Make a table of (5^k mod 7), for k = 1, . . . , 6.


Notes: Here is the table of powers of 5 in F_7:

    k    | 1  2  3  4  5  6
    5^k  | 5  4  6  2  3  1

since 5^1 = 5, 5^2 = 5 · 5 = 25 ≡ 4 (mod 7), 5^3 = 5^2 · 5 = 4 · 5 = 20 ≡ 6 (mod 7), etc. So, flipping the last table and ordering by a:

    a          | 1  2  3  4  5  6
    dlog_5(a)  | 6  4  5  2  1  3

Algorithms for discrete log (for Z_p)

    METHOD           Worst-case time complexity
    Pohlig-Hellman   O(2^{(1/2) log p})
    Index Calculus   O(e^{(1/2 + o(1)) √(log p · log log p)})

(Pohlig-Hellman’s running time is really governed by the largest prime factor of p − 1; the worst case above is a p for which p − 1 has a prime factor about as large as p itself. That is why DH/ElGamal parameters are chosen with p − 1 = 2q, q prime, or work in a prime-order subgroup.)

For more details, see: https://en.wikipedia.org/wiki/Discrete_logarithm#Algorithms

Back to Crypto: The Diffie-Hellman Key Exchange

Alice & Bob want to exchange a ton of data using the nice & fast AES cryptosystem. But first they have to agree on a key.

Diffie-Hellman

Setup: p, a large prime (Pub) and α, a prim. elem. of Z_p^* (Pub).

  Alice: Picks x ∈_ran Z_{p−1}^* (Priv.) and sends α^x (mod p) to Bob.
  Bob: Picks y ∈_ran Z_{p−1}^* (Priv.) and sends α^y (mod p) to Alice.
  Alice: Computes k = (α^y)^x = α^{xy} (mod p).
  Bob: Computes k = (α^x)^y = α^{xy} (mod p).
  Eve: Knows α^x and α^y, but wants α^{xy} (all mod p).

Photo of Hellman and Diffie from: https://www.nytimes.com/2016/03/02/technology/cryptography-pioneers-to-win-turing-award.html?_r=0

Diffie-Hellman and Discrete Log

Fix p, a prime, and α, a primitive elem. of Z_p^*.

  • If Eve can compute discrete logs, she can break DH.
    E.g.: α^x ↦ x, then α^y ↦ (α^y)^x mod p = α^{x·y} mod p.

The Computational Diffie-Hellman Problem
  Given: u, v ∈ Z_p^*.
  Find: α^{dlog_α(u) · dlog_α(v)} mod p.

The Decision Diffie-Hellman Problem
  Given: u, v, w ∈ Z_p^*.
  Decide: w ≡? α^{dlog_α(u) · dlog_α(v)} (mod p).

In general:
  • Discrete-log easy ⇒ Computational DH easy ⇒ Decision DH easy.
  • The reverse implications are not known (except for some special cases we’ll see later).

Note that you cannot exchange messages directly with DH.
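The following Python is an added example, not code from these slides: it implements the Pohlig-Hellman reduction from the algorithms table (with baby-step giant-step as the per-prime subroutine), uses the same factorization helper to answer the earlier puzzles (primitive elements of F_7, the dlog_5 table), and then plays out the Diffie-Hellman exchange above with Eve recovering the shared key from the public values alone. The parameters are my own toy choices, not the slides': p = 65537 with generator 3 (p − 1 = 2^16, the smooth case Pohlig-Hellman loves) and p = 1019 with generator 2; exponents are drawn from {1, …, p − 2}. Standard library only.

```python
# Added example, not from the slides: Pohlig-Hellman + baby-step giant-step,
# applied to the slide's puzzles and to Eve's attack on Diffie-Hellman.
from math import isqrt
from secrets import randbelow


def factor(n):
    """Trial-division factorization, {prime: exponent}. Fine for the toy sizes here."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def is_primitive(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in factor(p - 1))


def primitive_elements(p):
    return [a for a in range(1, p) if is_primitive(a, p)]


def dlog_table(alpha, p):
    """{a: dlog_alpha(a)} with logs in 1..p-1, like the slide's table for F_7."""
    return {pow(alpha, k, p): k for k in range(1, p)}


def bsgs(g, h, p, order):
    """Baby-step giant-step: x in [0, order) with g^x = h (mod p), or None.
    O(sqrt(order)) multiplications and table entries."""
    m = isqrt(order) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)        # g^(-m); negative exponents need Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby and i * m + baby[gamma] < order:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def crt(residues, moduli):
    """Chinese remaindering for pairwise coprime moduli."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        x += big_m * (((r - x) * pow(big_m, -1, m)) % m)
        big_m *= m
    return x % big_m


def pohlig_hellman(alpha, beta, p):
    """dlog_alpha(beta) in Z_p^* (alpha a generator). Work is dominated by the
    square root of the LARGEST prime factor of p-1, not by p itself."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        g, h = pow(alpha, n // qe, p), pow(beta, n // qe, p)   # into the order-q^e subgroup
        gq = pow(g, qe // q, p)                                 # an element of order q
        x = 0
        for k in range(e):                                      # x mod q^e, one base-q digit at a time
            hk = pow(h * pow(g, -x, p) % p, qe // q ** (k + 1), p)
            x += bsgs(gq, hk, p, q) * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)


def diffie_hellman_with_eve(p, alpha):
    """Alice and Bob agree on k as on the slide; Eve, seeing only p, alpha and the
    two transmitted values, recovers Alice's x by Pohlig-Hellman and hence k.
    Returns (k, Eve's k)."""
    x = 1 + randbelow(p - 2)          # Alice's private exponent
    y = 1 + randbelow(p - 2)          # Bob's private exponent
    a_pub, b_pub = pow(alpha, x, p), pow(alpha, y, p)   # what goes over the wire
    k_alice, k_bob = pow(b_pub, x, p), pow(a_pub, y, p)
    assert k_alice == k_bob
    k_eve = pow(b_pub, pohlig_hellman(alpha, a_pub, p), p)
    return k_alice, k_eve
```

The cost model is the point: for p = 65537 every subgroup has order 2, so Eve's "hard" problem collapses to sixteen two-element table lookups, whereas for p = 1019 = 2 · 509 + 1 she must do a genuine √509-sized search. At real sizes that gap is the difference between instant and infeasible, which is why parameter generation insists on a large prime factor of p − 1 and why a receiving party should also reject the degenerate values 1 and p − 1 that live in the tiny subgroups.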


The ElGamal Cryptosystem

Setup: Each user picks a key (p, α, a, b):
  • p, a prime such that Z_p^*’s discrete log problem is hard.
  • α, a prim. elem. of Z_p^*.
  • a and b such that b ≡ α^a (mod p).

  plaintexts = Z_p^*            public: p, α, b
  ciphertexts = Z_p^* × Z_p^*   private: a

Alice’s key = (p, α, a, b).

Bob
  • Wants to send m ∈ Z_p^* to Alice.
  • Chooses k ∈_ran { 1, . . . , p − 1 }.
  • Computes r ≡ α^k (mod p) and t ≡ b^k m (mod p).
  • Sends (r, t) to Alice.

Alice
  • Computes m′ = t · r^{−a} (mod p). Claim: m = m′. (proof on board)

What does Eve need to know to crack this?

Notes: Key Observation: By Fermat’s Little Theorem, x^a ≡ x^{a mod (p−1)} (mod p) for x ∈ Z_p^*.
Proof of the claim: First note that
    r ≡ α^k,   b ≡ α^a,   t ≡ b^k m      (mod p).
So: t · r^{−a} ≡ b^k m α^{−a·k} ≡ (α^a)^k m α^{−ak} ≡ m (mod p).

(What Eve needs: a, i.e. dlog_α(b), which opens every message to Alice; or, for one message, Bob’s k = dlog_α(r).)

Taher ElGamal
  • ElGamal cryptosystem
  • ElGamal signature scheme
  • The SET credit card payment protocol
  • Currently (as of 2018) CTO of Salesforce.
  • See https://en.wikipedia.org/wiki/Taher_Elgamal
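An added Python example (mine, not the slides' code) of the ElGamal scheme exactly as set up above, followed by two things Eve can do without knowing a: re-scale a ciphertext into a valid encryption of a related message (textbook ElGamal is malleable), and recover a second plaintext when Bob reuses k. The parameters p = 1019, α = 2 are my own toy choices (1019 is prime, 1018 = 2 · 509, and 2 is a primitive element); the optional k argument to encrypt exists only to demonstrate the reuse failure.

```python
# Added example, not from the slides: textbook ElGamal over Z_p^* as on the slide,
# plus two attacks that need neither a nor a discrete log.
from secrets import randbelow

# Constructed toy parameters: 1019 is prime, 1018 = 2 * 509, and 2 is a primitive
# element of Z_1019^* (2^2 != 1 and 2^509 != 1 mod 1019). Real p is 2048+ bits.
P, ALPHA = 1019, 2
assert pow(ALPHA, 2, P) != 1 and pow(ALPHA, (P - 1) // 2, P) != 1


def keygen(p=P, alpha=ALPHA):
    """Alice's key (p, alpha, a, b): public (p, alpha, b), private a."""
    a = 1 + randbelow(p - 2)          # a in {1, ..., p-2}
    b = pow(alpha, a, p)
    return (p, alpha, b), a


def encrypt(pub, m, k=None):
    """Bob: (r, t) = (alpha^k, b^k * m) mod p with a fresh random k.
    k is a parameter only so the key-reuse failure below can be shown."""
    p, alpha, b = pub
    assert 1 <= m < p, "plaintexts are elements of Z_p^*"
    if k is None:
        k = 1 + randbelow(p - 2)
    return pow(alpha, k, p), pow(b, k, p) * m % p


def decrypt(a, pub, ct):
    """Alice: m' = t * r^(-a) = b^k m alpha^(-ak) = m (mod p)."""
    p = pub[0]
    r, t = ct
    return t * pow(r, -a, p) % p      # negative exponent: Python 3.8+


def rescale_ciphertext(pub, ct, c):
    """Eve, knowing neither a nor m, turns Enc(m) into Enc(c * m) by multiplying t
    by c. Textbook ElGamal is multiplicatively homomorphic, so it offers no
    integrity: a ciphertext can be altered into another valid one."""
    p = pub[0]
    r, t = ct
    return r, t * c % p


def recover_from_reused_k(pub, ct1, ct2, m1):
    """If Bob reuses k, both ciphertexts share r and t2 / t1 = m2 / m1 (mod p),
    so anyone who learns m1 gets m2 for free."""
    p = pub[0]
    (r1, t1), (r2, t2) = ct1, ct2
    assert r1 == r2, "different k: the ratio trick needs the same r"
    return m1 * t2 * pow(t1, -1, p) % p
```

Neither trick touches the discrete-log problem, which is why raw ElGamal is never applied to messages in practice; it is wrapped (hybrid encryption, a fresh k per message, an integrity check on the ciphertext) so that the only attack left is the one the slides discuss.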

Discrete log and bit security

Q: Computing dlog_α(y) seems hard, but are all the bits of dlog_α(y) hard to determine? (And why would you care?)
A: No! Computing y ↦ dlog_α(y) mod 2 is poly-time. (Euler’s criterion: y^{(p−1)/2} ≡ 1 (mod p) iff y is a square iff dlog_α(y) is even, because a primitive element α is not a square.) If x is our plaintext and y = α^x is our ciphertext then everyone can read the last bit of x!!
Q: What about the next to last bit?

Lemma: Suppose
  • p is a prime with p ≡ 3 (mod 4),
  • α ∈ Z_p^* such that γ = α^{2^r y}, and
  • r ≥ 2 and y ∈ Z.
Then: γ^{(p+1)/4} ≡ α^{2^{r−1} y} (mod p). (proof on board)

So what?


Notes: Proof of the Lemma (note that (p+1)/4 is an integer because p ≡ 3 (mod 4)):
    γ^{(p+1)/4} ≡ (α^{2^r y})^{(p+1)/4}
               ≡ α^{2^{r−2} y (p+1)}
               ≡ α^{2^{r−2} y ((p−1)+2)}
               ≡ α^{2^{r−2} y (p−1)} · α^{2^{r−1} y}
               ≡ (α^{2^{r−2} y})^{p−1} · α^{2^{r−1} y}
               ≡ 1 · α^{2^{r−1} y}                      (by Fermat’s Little Theorem)
               ≡ α^{2^{r−1} y}  (mod p).

Computing discrete logs mod 4, continued

  • Suppose p is prime, p ≡ 3 (mod 4), and α is a gen. of Z_p^*.
  • Suppose we have a cheap way of computing:
      low2bits(y) =def dlog_α(y) mod 4.
  • Suppose β ≡ α^x (mod p), where x = ∑_{i=0}^{n} x_i 2^i = (x_n . . . x_0)_2 and 0 ≤ x < p − 1.

Here is how to cheaply compute x.

  • low2bits(β) gives us x_1 and x_0.
  • To find x_2:
      Set β_2 = β · α^{−(x_0 + 2x_1)} = α^{2^2 (x_2 + x_3 2 + · · · + x_n 2^{n−2})}.
      Set z = β_2^{(p+1)/4} = α^{2^1 (x_2 + x_3 2 + · · · + x_n 2^{n−2})}. (By the previous Lemma, with r = 2.)
      Claim: low2bits(z) = 2 · x_2. (Why? Since x < p − 1, the exponent 2(x_2 + x_3 2 + · · ·) is less than p − 1, so it is exactly dlog_α(z), and its value mod 4 is 2x_2.)
  • Iterate this process (strip x_2 from z, take the (p+1)/4-th power again, read off x_3, . . . ) and find x_3, x_4, . . . , x_n.

∴ If discrete log is hard to compute, then so must be low2bits.
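An added Python example (not from the slides) of the reduction just described: given only an oracle for dlog_α(y) mod 4, recover all of x. The oracle is simulated by brute force over a tiny p, which is the one thing here that does not scale; the iteration around it is exactly the slide's. It also implements the poly-time last bit via Euler's criterion. Parameters p = 1019 (prime, 1019 ≡ 3 (mod 4)) and α = 2 (a generator) are my constructed choices.

```python
# Added example, not from the slides: "dlog mod 4 oracle => full dlog" for
# p = 3 (mod 4), with the oracle simulated by brute force, plus the poly-time
# last bit of the discrete log.

# Constructed toy parameters: 1019 is prime, 1019 = 3 (mod 4), 2 generates Z_1019^*.
P, ALPHA = 1019, 2


def dlog_bruteforce(alpha, beta, p):
    """Exhaustive search; returns x in [0, p-2]. Only viable because p is tiny."""
    cur = 1
    for x in range(p - 1):
        if cur == beta:
            return x
        cur = cur * alpha % p
    raise ValueError("beta is not in the group generated by alpha")


def low_bit(alpha, beta, p):
    """dlog_alpha(beta) mod 2 in polynomial time: by Euler's criterion
    beta^((p-1)/2) is 1 iff beta is a square, and with alpha a generator
    beta = alpha^x is a square iff x is even. (alpha itself is unused: the
    parameter is kept so all three functions share one signature.)"""
    return 0 if pow(beta, (p - 1) // 2, p) == 1 else 1


def low2bits(alpha, beta, p):
    """The hypothetical cheap oracle: dlog_alpha(beta) mod 4. Simulated here."""
    return dlog_bruteforce(alpha, beta, p) % 4


def recover_dlog(alpha, beta, p, oracle=low2bits):
    """x = dlog_alpha(beta) from oracle calls only, following the slide's iteration.
    Invariant: at the top of step i (i >= 2), cur == alpha^(2 * (x >> i))."""
    assert p % 4 == 3
    e = (p + 1) // 4
    v = oracle(alpha, beta, p)
    bits = [v & 1, v >> 1]                                   # x0, x1
    # beta * alpha^-(x0 + 2 x1) = alpha^(4 (x>>2)); by the Lemma (r = 2) its
    # (p+1)/4-th power is alpha^(2 (x>>2)).
    cur = pow(beta * pow(alpha, -(bits[0] + 2 * bits[1]), p) % p, e, p)
    for i in range(2, (p - 1).bit_length()):
        v = oracle(alpha, cur, p)                             # = 2 * x_i
        assert v % 2 == 0
        xi = v // 2
        bits.append(xi)
        # strip x_i, then apply the Lemma again:
        # alpha^(4 (x>>(i+1)))  ->  alpha^(2 (x>>(i+1)))
        cur = pow(cur * pow(alpha, -2 * xi, p) % p, e, p)
    return sum(b << i for i, b in enumerate(bits))
```

The oracle is called once per bit, so a polynomial-time low2bits would give a polynomial-time discrete log; that is the contrapositive the slide ends with. Swapping in any other implementation of the oracle (a real one, if someone ever found it) needs no other change.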

Bit commitment: Flipping coins over the phone

A Problematic Protocol
  Alice: Calls Bob, flips a coin, asks Bob to pick heads or tails.
  Bob: “Tails.”
  Alice: “You lose.”
Why is Bob unhappy?

Solution 1: Locked boxes & UPS.
Solution 2: Discrete log.

Setup: Pick p, a prime with p ≡ 3 (mod 4), & α, a prim. elem. of Z_p^*.

  Alice: Chooses x ∈_ran Z_p^*, x = (x_n x_{n−1} . . . x_1 x_0)_2. x_1 is the coin flip. (Not x_0: by the previous slides, the low bit of dlog_α(y) is readable from y alone.) Computes y = α^x (in Z_p^*) and sends y to Bob.
  Bob: Receives y and calls heads or tails.
  Alice: Sends x to Bob.
  Bob: Checks that y = α^x.
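The protocol above with both roles as functions, as an added Python example that is not part of the slides. Two details the slide leaves implicit are made explicit and are my assumptions: Bob calling "heads" means he bets x_1 = 1, and Bob's check includes a range test on the opened x (x and x + (p − 1) give the same y but can have different bit x_1). The parameters p = 1019, α = 2 are my constructed toy choices.

```python
# Added example, not from the slides: discrete-log coin flipping, both roles,
# plus the check that shows why the coin lives in bit x1 rather than x0.
from secrets import randbelow

# Constructed toy parameters: 1019 is prime, 1019 = 3 (mod 4), 2 generates Z_1019^*.
P, ALPHA = 1019, 2
# Assumed convention (not stated on the slide): "heads" means Bob bets x1 = 1.


def alice_commit(p=P, alpha=ALPHA):
    """Alice: random x in Z_p^* = {1, ..., p-1}; bit x1 is the coin.
    Keeps x, sends y = alpha^x."""
    x = 1 + randbelow(p - 1)
    return x, pow(alpha, x, p)


def coin(x):
    return (x >> 1) & 1               # x1


def bob_verify(y, x, p=P, alpha=ALPHA):
    """Bob: accept the opening only if it is in range AND matches the commitment.
    Without the range check Alice could open y as x + (p - 1) when that flips x1."""
    return 1 <= x <= p - 1 and pow(alpha, x, p) == y


def bob_peeks_x0(y, p=P):
    """What Bob can already compute from y: x0, via Euler's criterion (dlog mod 2).
    A coin stored in x0 would be readable before Bob even calls."""
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1


def run_protocol(bob_calls_heads):
    """One round. Returns (opening_accepted, bob_wins)."""
    x, y = alice_commit()             # Alice -> Bob: y
    call = 1 if bob_calls_heads else 0   # Bob -> Alice: his call, knowing only y
    opened = x                        # Alice -> Bob: x
    ok = bob_verify(y, opened)
    return ok, ok and coin(opened) == call
```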

Merkle-Hellman

  • It would be nice to base our cryptosystems on problems that are (believed) harder than factoring and discrete-log.
  • Merkle-Hellman was an attempt to do this. (This one didn’t turn out to be Turing award material.)

The Subset Sum Problem
  Given: s_1, . . . , s_n, T ∈ Z⁺ (s_i’s : sizes, T : target).
  Question: Is there a { s′_1, . . . , s′_m } ⊆ { s_1, . . . , s_n } such that s′_1 + · · · + s′_m = T?
  Alt. Question: Is there an x = (x_1, . . . , x_n) ∈ Z_2^n such that x · s = T?

Fact: The Subset Sum Problem is NP-complete. But: There are easy special cases.


Merkle-Hellman, Continued

Definition: s_1, . . . , s_n is super increasing iff s_j > (s_1 + · · · + s_{j−1}), for j = 2, . . . , n.

Example: 2, 5, 9, 21, 45, 103, 215, 450, 940.

Fact: For super-increasing s, there is an obvious linear-time greedy alg.

A not-so-good cryptosystem
  Suppose s is super-increasing of length n. Message: x = (x_1, . . . , x_n) ∈ Z_2^n.
  E_s(x) = s · x. (This is 1-1.)
  D_s(y) = the result of the greedy alg.

Problem: anyone who knows s can run the same greedy alg. Therefore: Transform s so it is not super-increasing.

Merkle-Hellman, Continued

Setup
  • s = (s_1, . . . , s_n) is super-increasing.
  • p, a prime > ∑ s_i.
  • a ∈ Z_p^*.
  • t = (t_1, . . . , t_n) such that t_i = a · s_i mod p.

  Private: s, p, a.   Public: t.
  Plaintexts = Z_2^n.   Ciphertexts = Z_{n·(p−1)}.   Keys: (s, p, a, t).

  e(x) = x · t.
  d(y) = the solution of the subset sum problem for (s, z), where z = a^{−1} · y mod p.
  (This works because a^{−1} · y ≡ ∑ s_i x_i (mod p) and ∑ s_i x_i ≤ ∑ s_i < p, so z equals ∑ s_i x_i exactly, which the greedy alg. then decodes.)
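An added Python example (mine, not the slides' code) of the Merkle-Hellman setup just described, using the slide's super-increasing sequence. The modulus p = 1801 (prime, larger than ∑ s_i = 1790) and multiplier a = 1234 are my constructed choices, not the slide's.

```python
# Added example, not from the slides: Merkle-Hellman knapsack exactly as set up
# above: super-increasing private s, prime p > sum(s), multiplier a, public
# t_i = a * s_i mod p, and the greedy decoder.
from math import gcd


def is_super_increasing(s):
    """s_j > s_1 + ... + s_(j-1) for every j."""
    total = 0
    for v in s:
        if v <= total:
            return False
        total += v
    return True


def greedy_subset_sum(s, target):
    """The obvious linear-time algorithm for super-increasing s: take the largest
    element that still fits, then continue downward. Returns the 0/1 vector x."""
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if s[i] <= target:
            x[i] = 1
            target -= s[i]
    if target != 0:
        raise ValueError("no subset sums to the target")
    return x


def keygen(s, p, a):
    """Private (s, p, a); public t with t_i = a * s_i mod p."""
    assert is_super_increasing(s) and p > sum(s) and 0 < a < p and gcd(a, p) == 1
    return [a * si % p for si in s], (s, p, a)


def encrypt(t, x):
    """e(x) = x . t, a plain integer (no modulus)."""
    assert len(x) == len(t) and all(b in (0, 1) for b in x)
    return sum(ti * xi for ti, xi in zip(t, x))


def decrypt(priv, y):
    """z = a^-1 y mod p equals sum(s_i x_i) exactly because that sum is < p;
    the greedy algorithm then recovers x from the super-increasing s."""
    s, p, a = priv
    z = pow(a, -1, p) * y % p
    return greedy_subset_sum(s, z)


S = [2, 5, 9, 21, 45, 103, 215, 450, 940]      # the slide's example sequence
T, PRIV = keygen(S, 1801, 1234)                 # constructed p and a
```

The public t is not super-increasing, which is the whole disguise; the next slide is about why that disguise is too thin.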

Merkle-Hellman, Concluded

Good Points
  • Based on an NP-complete problem.
  • Reasonably fast.

Really, Really BAD Points
  • “There are easy special cases of Subset Sum” ...and the cryptosystem produces one of them.
  • Shamir in 1982 found a poly (in n) time algorithm for solving this scrambled version of the subset sum problem. ∴ Merkle-Hellman is broken!