CSCI284 Spring 2004 - PowerPoint PPT Presentation

Description:

Discrete Log Algorithms: Shanks', Pollard-Rho. In Practice. Diffie-Hellman. 9/27/09 ... Show that log = 49 using Pollard-Rho. 9/27/09. CS284/Spring04/GWU/Vora ... – PowerPoint PPT presentation

Slides: 20
Provided by: poo69
1
Discrete Log
  • ElGamal Cryptosystem
  • Discrete Log Algorithms: Shanks', Pollard-Rho
  • In Practice
  • Diffie-Hellman
  • CSCI284 Spring 2004
  • GWU

2
CS297-15 Electronic Voting
  • CRN 86928
  • M 1530-1800 in 2020K 9
  • Send mail to jstanton_at_gwu.edu saying why you
    should be allowed to take the class.

3
Various Logistics
  • Project presentations on
  • 26th April, Monday, 610-740
  • 27th April, Tuesday, 610-740 (make-up day) and
  • 28th April, Wednesday, 610-740 (another make-up
    day)
  • No office hours this coming Wed. Send email with
    questions on hw

4
The ElGamal Cryptosystem is based on the Discrete
Log problem
  • Given a multiplicative group G, an element $\alpha \in G$
    such that $o(\alpha) = n$, and an element $\beta \in \langle\alpha\rangle$
  • Find the unique integer a, $0 \le a \le n-1$, such that
  • $\alpha^a = \beta$
  • a is denoted as $\log_\alpha \beta$
  • Not known to be doable in polynomial time,
    however exponentiation is. Hence DL is a possible
    one-way function

5
El Gamal Cryptosystem
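  • Let p be a prime such that DL in $\mathbb{Z}_p$ is infeasible
  • Let $\alpha \in \mathbb{Z}_p$ be a primitive element
  • $P = \mathbb{Z}_p$, $C = \mathbb{Z}_p \times \mathbb{Z}_p$ and $K = \{(p, \alpha, a, \beta) : \beta \equiv \alpha^a \pmod{p}\}$
  • public key $(p, \alpha, \beta)$ and private key a
  • For a secret random number $k \in \mathbb{Z}_{p-1}$
  • $e_K(x, k) = (y_1, y_2)$
  • $y_1 = \alpha^k \bmod p$
  • $y_2 = x\beta^k \bmod p$
  • $d_K(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p$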

6
Example
  • p = 2579
  • $\alpha = 2$
  • a = 1391
  • Encrypt message 2079

7
Solving Discrete Log: finding a such that $\alpha^a = \beta$
in group G
  • In O(n) steps: brute force, no storage
  • Precompute all possible values of $\alpha^i$ (n
    multiplications) + quick sort ($O(n \log n)$) + binary
    search ($O(\log n)$). Requires O(n) storage

8
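Time/memory trade-off: Shanks' Algorithm
  • SHANKS$(G, n, \alpha, \beta)$
  • $m \leftarrow \lceil \sqrt{n} \rceil$
  • for $j \leftarrow 0$ to $m-1$
  • compute $\alpha^{mj}$
  • list $L_1 \leftarrow$ sorted wrt second coordinate $(j, \alpha^{mj})$
  • for $i \leftarrow 0$ to $m-1$
  • compute $\beta\alpha^{-i}$
  • list $L_2 \leftarrow$ sorted wrt second coordinate $(i, \beta\alpha^{-i})$
  • Find $(j, y) \in L_1$ and $(i, y) \in L_2$ for some y
  • $\log_\alpha \beta \leftarrow (mj + i) \bmod n$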

9
Proof of correctness? Complexity?

10
Example
  • p = 127
  • $\alpha = 3$
  • a = 56
  • $\beta = ?$
  • n = 126
  • How will you find a using Shanks?

11
Pollard-Rho Discrete Log
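  • procedure $f(x, a, b)$
  • / mimic random function, maintaining $x = \alpha^a \beta^b$ /
  • if $x \in S_1$
  • $f \leftarrow (\beta \cdot x,\ a,\ (b+1) \bmod n)$
  • else if $x \in S_2$
  • $f \leftarrow (x^2,\ 2a \bmod n,\ 2b \bmod n)$
  • else
  • $f \leftarrow (\alpha \cdot x,\ (a+1) \bmod n,\ b)$
  • Return (f)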

12
Pollard-Rho Discrete Log - main
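  • POLLARD RHO DL $(G, n, \alpha, \beta)$
  • / partition such that $(1, 0, 0) \notin S_2$ /
  • Define $G = S_1 \cup S_2 \cup S_3$
  • $(x_1, a_1, b_1) \leftarrow f(1, 0, 0)$
  • while $x_i \neq x_j$ for all $j \le i-1$
  • $(x_{i+1}, a_{i+1}, b_{i+1}) \leftarrow f(x_i, a_i, b_i)$
  • / now $x_i = x_j$ for some $j \le i-1$, so $\alpha^{a_i}\beta^{b_i} = \alpha^{a_j}\beta^{b_j}$ /
  • If $\gcd(b_i - b_j, n) \neq 1$
  • Return (failure)
  • Else
  • Return $((a_i - a_j)(b_j - b_i)^{-1} \bmod n)$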

13
Correctness? Complexity?

14
Example from text
  • p = 809
  • $\alpha = 89$
  • $o(\alpha) = 101$
  • $\beta = 618$
  • Show that $\log_\alpha \beta = 49$ using Pollard-Rho
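
Added example (not part of the original slides): the Shanks and Pollard-Rho procedures from the slides above, run on the slide-14 and slide-10 parameters so the two methods can be cross-checked. Assumptions: the partition is by x mod 3 (S1: remainder 1, S2: remainder 0, S3: remainder 2), and Floyd cycle-finding compares x_i with x_2i instead of storing every earlier triple.

```python
from math import gcd, isqrt

def shanks(p, n, alpha, beta):
    """Shanks: return log_alpha(beta) in Z_p^*, where alpha has order n."""
    m = isqrt(n - 1) + 1                  # m = ceil(sqrt(n))
    giant = pow(alpha, m, p)
    L1, y = {}, 1                         # L1 maps alpha^(m*j) -> j
    for j in range(m):
        L1.setdefault(y, j)
        y = y * giant % p
    inv = pow(alpha, -1, p)               # alpha^(-1) mod p (Python 3.8+)
    y = beta % p
    for i in range(m):                    # walk L2 entries beta * alpha^(-i)
        if y in L1:
            return (m * L1[y] + i) % n
        y = y * inv % p
    return None                           # beta is not in <alpha>

def f(t, p, n, alpha, beta):
    """One step of the walk; keeps x = alpha^a * beta^b (mod p)."""
    x, a, b = t
    if x % 3 == 1:                        # S1 (assumed partition)
        return beta * x % p, a, (b + 1) % n
    if x % 3 == 0:                        # S2; note that 1 is not in S2
        return x * x % p, 2 * a % n, 2 * b % n
    return alpha * x % p, (a + 1) % n, b  # S3

def pollard_rho(p, n, alpha, beta):
    """Return (log, i) where x_i == x_2i, or None on the failure case."""
    args = (p, n, alpha, beta)
    slow = f((1, 0, 0), *args)            # (x_1, a_1, b_1)
    fast = f(slow, *args)                 # (x_2, a_2, b_2)
    i = 1
    while slow[0] != fast[0]:             # Floyd: compare x_i with x_2i
        slow = f(slow, *args)
        fast = f(f(fast, *args), *args)
        i += 1
    d = (fast[2] - slow[2]) % n           # b_2i - b_i
    if gcd(d, n) != 1:
        return None                       # slide's "failure" branch
    return (slow[1] - fast[1]) * pow(d, -1, n) % n, i

if __name__ == "__main__":
    print(pollard_rho(809, 101, 89, 618))        # slide-14 parameters
    print(shanks(809, 101, 89, 618))             # same instance via Shanks
    print(shanks(127, 126, 3, pow(3, 56, 127)))  # slide-10 parameters
```

With this partition the walk collides at x_10 = x_20 = 422, with triples (422, 5, 11) and (422, 11, 15).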

15
Practicalities
  • More efficient attacks possible unless elliptic
    curve DL, for which these efficient attacks are
    not known.
  • Modulus required for security
  • $2^{160}$ with elliptic curves
  • $2^{1880}$ without
  • DL over elliptic curves very hot problem.

16
Diffie-Hellman Key Exchange
  • Protocol for exchanging secret key over public
    channel.
  • Select global parameters p, n and $\alpha$. p is prime
    and $\alpha$ is of order n in $\mathbb{Z}_p$. These parameters are
    public and known to all.

17
Diffie-Hellman Key Exchange contd.
  • Alice privately selects random b and sends to Bob
    $\alpha^b \bmod p$.
  • Bob privately selects random c and sends to Alice
    $\alpha^c \bmod p$.
  • Alice and Bob privately compute $\alpha^{bc} \bmod p$ which
    is their shared secret.
  • An observer Oscar can compute $\alpha^{bc}$ if he knows
    either c or b or can solve the discrete log
    problem.
  • This is a key agreement protocol.

18
Diffie-Hellman problem
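  • Given a multiplicative group G, an element $\alpha \in G$ of
    order n and two elements $\beta, \gamma \in \langle\alpha\rangle$
  • Computational Diffie-Hellman
  • Find $\delta$ such that $\log_\alpha \delta \equiv \log_\alpha \beta \times \log_\alpha \gamma \pmod{n}$
  • Equivalently, given $\alpha^b$ and $\alpha^c$, find $\alpha^{bc}$
  • Decision Diffie-Hellman
  • Given an additional $\delta \in \langle\alpha\rangle$
  • Determine if $\log_\alpha \delta \equiv \log_\alpha \beta \times \log_\alpha \gamma \pmod{n}$
  • Equivalently, given $\alpha^b$, $\alpha^c$, and $\alpha^d$, determine if
    $d \equiv bc \pmod{n}$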

19
An attack
  • Diffie-Hellman key exchange is susceptible to a
    man-in-the-middle attack.
  • Mallory captures b and c in transmission and
    replaces with own b and c.
  • Essentially runs two Diffie-Hellmans. One with
    Alice and one with Bob.