the discrete logarithm problem (DLP) is the computational problem of finding x = log a (b)such that b = a x .Efficient algorithms for the discrete logarithm problem would render the ElGamal Cryptosysteminsecure, the possibly weaker Diffie-Hellman problem (DHP) is the precise problemon which the cryptosystem is based: given b = a x and c = a y in F ∗ p, compute a xy .Note that a xy can not be formed as any obvious algebraic combination of a x and a ylike a x a y = a x+y . In fact, other cryptosystems rely on the difficult of the Decision Diffie-Hellman problem (DDHP) being hard: given a x , a y and c, decide whether or not c = a xy .Both the DHP and the DDHP are easy if the DLP is easy.Definition. Recall that an element a of F ∗ p is said to be primitive if and only if1, a, a 2 , . . . , a p−2are all distinct. Primitive elements always exist in any finite field.ElGamal ProtocolPublic key: (a, a x , p) where p is a prime, a is a primitive element of F ∗ p,and x is an integer 1 ≤ x < p − 1.Private key: The integer x.Initial setup:1. Alice obtains Bob’s public key (a, a x , p).For each message m Alice → Bob:1. Alice chooses a private element y randomly in 1 ≤ y < p − 1.1. Alice computes r = a y and s = ma xy .2. Alice sends the ciphertext message c = (r, s) to Bob.3. Bob deciphers the ciphertext message as m = r −x s mod p.The correctness of the deciphering is verified as follows:r −x s = (a y ) −x ma xy = ma −yx a xy = ma xy−yx = m.Disrete LogarithmsThe main known attack on an ElGamal cryptosystem is to solve the discrete logarithmproblem: given both a and a x (in the finite field F p ), find the value for x. In order forthe discrete logarithm problem (DLP) to be hard, it is not enough to choose any prime p.One needs to select a prime p such that p − 1 has a large prime factor. Suppose, on thecontrary, that p − 1 is divisibly only by primes less than some positive integer B. Such anumber is said to be B-smooth. The DLP can be reduced to solving a small number ofdiscrete logarithm problems of “size” B rather than of size p − 1.As an example, let r be a prime divisor of p − 1, and let m = (p − 1)/r. Suppose that wewant to solve for x such that b = a x . The exponent is defined up to multiples of p−1. If weElGamal 73
aise both sides to the power m, then for the problem b m = a mx a solution x is well-definedup to multiples of r:a m(x+r) = a mx+mr = a mx a p−1 = a mx ,since a p−1 = 1.If we now find that p − 1 = r 1 r 2 · · · r t for pairwise distinct primes r i , the by the Chineseremainder theorem the value of x mod p − 1 can be determined from its modular valuesx mod r i , for all 1 ≤ i ≤ t. So the hardness of the DLP determined by the size of thelargest prime divisor of p − 1.Exercise. Suppose that a prime power r k divides p − 1. How would you solve the DLPfor x mod r k ?Algorithmic ConsiderationsA naïve algorithm for solving the discrete logarithm problem for log a (b) is to compute1, a, a 2 , . . . until a match is found with b. As we have just seen, it is possible to replace awith a 1 = a m and b with b 1 = b m in order to solve log a1(b 1 ) modulo r such that rm = p−1.In this way we have to build the list 1, a 1 , a 2 1, . . . , a x 1 of length at most r before finding b 1 .An alternative approach is called the baby-step, giant-step method. We set s = [ √ r] + 1and to form a first list 1, a 1 , a 2 1, . . . , a s−11 of length s, called the baby steps, then form thesecond list b 1 , a s 1b 1 , a 2s1 b 1 , . . . , a s21 b 1 of giant steps, to find a match.If a match is found, say a i 1 = b 1 a js1 , then we have found b 1 = a i−js1 , so x = i − js mod r.On the other hand, if x is a solution to the DLP modr, then we can write x = i − js forsome 0 ≤ i, −j ≤ s, so the above algorithm finds a match.8.4 Diffie–Hellman Key ExchangeDiffie and Hellman proposed the following scheme for establishing a common key. Thescheme is widely used because of the simplicity of its implementation, however an naiveimplementation without identity authentication leaves the protocol subject to a man-inthe-middleattack.1. A and B decide on a large prime number p and a primitive element a of Z/pZ, bothof which can be made public.2. A chooses a secret random x with GCD(x, p − 1) = 1 and B chooses a secret randomy with GCD(y, p − 1) = 1.3. A sends Bob a x mod p and Bob sends Alice a y mod p.4. Each is able to compute a session key K = a xy = (a x ) y = (a y ) x .An eavesdropper only has knowledge of p, a, a x and a y , and would need to break theDiffie-Hellman problem to be able to come up with the session key.74 Chapter 8. Public Key <strong>Cryptography</strong>
- Page 1 and 2:
Author (David R. Kohel) /Title (Cry
- Page 4 and 5:
CONTENTS1 Introduction to Cryptogra
- Page 6:
PrefaceWhen embarking on a project
- Page 10 and 11:
information. We introduce here some
- Page 12 and 13:
ut strings in A ∗ map injectively
- Page 14 and 15:
CHAPTERTWOClassical Cryptography2.1
- Page 16 and 17:
LV MJ CW XP QO IG EZ NB YH UA DS RK
- Page 18 and 19:
As a special case, consider 2-chara
- Page 20 and 21:
Note that if d k = 1, then we omit
- Page 22:
ExercisesSubstitution ciphersExerci
- Page 25 and 26:
Ciphertext-only AttackThe cryptanal
- Page 27 and 28: of size n, suppose that p i is the
- Page 29 and 30: Note that ZKZ and KZA are substring
- Page 31: Checking possible keys, the partial
- Page 34 and 35: sage: X = pt.frequency_distribution
- Page 36 and 37: CHAPTERFOURInformation TheoryInform
- Page 38 and 39: For each of these we can extend our
- Page 40 and 41: in terms of the cryptosystem), then
- Page 42 and 43: CHAPTERFIVEBlock CiphersData Encryp
- Page 44 and 45: Deciphering. Suppose we begin with
- Page 46 and 47: The Advanced Encryption Standard al
- Page 48 and 49: 1. Malicious substitution of a ciph
- Page 50 and 51: locks M j−1 , . . . , M 1 as well
- Page 52: where X = K ⊕ M = (X 1 , X 2 , X
- Page 55 and 56: 6.2 Properties of Stream CiphersSyn
- Page 57 and 58: Exercise. Verify that the equality
- Page 59 and 60: n 2 n − 11 12 33 74 155 316 637 1
- Page 61 and 62: Exercise 6.6 In the previous exerci
- Page 63 and 64: Exercise 6.9 Compute the first 8 te
- Page 65 and 66: which holds since −4 = 17 + (−1
- Page 67 and 68: must therefore have a divisor of de
- Page 69 and 70: Shrinking Generator cryptosystemLet
- Page 72 and 73: CHAPTEREIGHTPublic Key Cryptography
- Page 74 and 75: Initial setup:1. Alice and Bob publ
- Page 76 and 77: We apply this rule in the RSA algor
- Page 80 and 81: Man in the Middle AttackThe man-in-
- Page 82: Exercise 8.6 Fermat’s little theo
- Page 85 and 86: k < p − 1 with GCD(k, p − 1) =
- Page 88 and 89: CHAPTERTENSecret SharingA secret sh
- Page 90: using any t shares (x 1 , y 1 ), .
- Page 93 and 94: sage-------------------------------
- Page 95 and 96: sage: x.is_unit?Type:builtin_functi
- Page 97 and 98: Python (hence SAGE) has useful data
- Page 99 and 100: sage: n = 12sage: for i in range(n)
- Page 101 and 102: sage: I = [55+i for i in range(3)]
- Page 103 and 104: sage: I = [7, 4, 11, 11, 14, 22, 14
- Page 105 and 106: ExercisesRead over the above SAGE t
- Page 107 and 108: 102
- Page 109 and 110: Solution. The block length is the n
- Page 111 and 112: Solution.below.The coincidence inde
- Page 113 and 114: analysis of the each of the decimat
- Page 115 and 116: arbitrary permutation of the alphab
- Page 117 and 118: In order to understand naturally oc
- Page 119 and 120: We do this by first verifying the e
- Page 121 and 122: Solution.None provided.Linear feedb
- Page 123 and 124: Multiplying each through by the con
- Page 125 and 126: Solution. The linear complexity of
- Page 127 and 128: If a, b, and c are as above, then f
- Page 129 and 130:
Exercise 8.5 Use SAGE to find a lar
- Page 131 and 132:
Solution. Now we can verify that e
- Page 133 and 134:
which has no common factors with p
- Page 135 and 136:
sage: p = 2^32+61sage: m = (p-1).qu
- Page 137 and 138:
sage: a5 := a^n5sage: c5 := c^n5sag
- Page 139 and 140:
The application of this function E
- Page 141 and 142:
5. (∗) How many elements a of G h
- Page 143:
1. The value f(0) of the polynomial