Discrete Logarithm(s) (DLs)

  • Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that a^x ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest positive integer such that a^n ≡ 1 (mod p), i.e., n = ord_p(a). Assuming 0 ≤ x < n, we denote x = L_a(b) and call it the discrete log of b w.r.t. a (mod p).

  • Ex: p=11, a=2, b=9, then x = L_2(9) = 6


Discrete Logarithms

  • In the RSA algorithm, the difficulty of factoring a large integer yields good cryptosystems

  • In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems

  • Given p, a, b, solve a^x ≡ b (mod p)

  • a is suggested to be a primitive root mod p


One-Way Function

  • A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y=f(x).

  • L_a(b) is a one-way function if p is large


Primitive Roots mod 13

  • a is a primitive root mod p if

    {a^k | 1 ≤ k ≤ p-1} = {1, 2, …, p-1}

    ♪ 2, 6, 7, 11 are primitive roots mod 13

  • 3^3 ≡ 1 (mod 13), 4^6 ≡ 1 (mod 13),

  • 5^4 ≡ 1 (mod 13), 8^4 ≡ 1 (mod 13),

  • 9^3 ≡ 1 (mod 13), 10^6 ≡ 1 (mod 13),

  • 12^2 ≡ 1 (mod 13)


Solve a^x ≡ b (mod p)

  • An exhaustive search for all 0 ≤ x < p

  • Check only for even x or odd x according to b^((p-1)/2) ≡ (a^x)^((p-1)/2) ≡ (a^((p-1)/2))^x ≡ (-1)^x ≡ 1 or -1 (mod p), where a is a primitive root

    (Ex) p=11, a=2, b=9: since b^((p-1)/2) ≡ 9^5 ≡ 1, check only the even numbers {0, 2, 4, 6, 8, 10} to find x=6 such that 2^6 ≡ 9 (mod 11)


Solve a^x ≡ b (mod p) by Pohlig-Hellman

Let p-1 = Π q^r for all q | (p-1), write b_0 = b, and

x = x_0 + x_1·q + x_2·q^2 + … + x_(r-1)·q^(r-1) for 0 ≤ x_i ≤ q-1

1. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ b^((p-1)/q), then x_0 ≡ k; next let b_1 ≡ b_0·a^(-x_0)

2. Find 0 ≤ k ≤ q-1 such that (a^((p-1)/q))^k ≡ [b_1]^((p-1)/q^2), then x_1 ≡ k; next let b_2 ≡ b_1·a^(-x_1)

3. Repeat steps 1, 2 until x_(r-1) is found for a q

4. Repeat steps 1~3 for all q's, then apply the Chinese Remainder Theorem to get the final solution


7^x ≡ 12 (mod 41); p=41, a=7, b=12

  • p-1 = 41-1 = 40 = 2^3 · 5

  • b_0 = 12

  • For q=2: b_0 = 12, b_1 = 31, b_2 = 31, and

    x = x_0 + 2x_1 + 4x_2 ≡ 1 + 2·0 + 4·1 ≡ 5 (mod 8)

  • For q=5: b_0 = 12, b_1 = 18, and

    x = x_0 ≡ 3 (mod 5)

    Solving x ≡ 5 (mod 8) and x ≡ 3 (mod 5), we have x ≡ 13 (mod 40)
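
The Pohlig-Hellman procedure and the worked example above, as an added Python example (not part of the original slides; the function names `factorize`, `log_mod_prime_power`, `crt` and `pohlig_hellman` are hypothetical). It assumes a is a primitive root mod p and Python 3.8+ for modular inverses via `pow`; each digit found is stripped as b_(i+1) = b_i·a^(-x_i·q^i), the form that keeps the remaining exponent divisible by q^(i+1).

```python
from math import prod

def factorize(n):
    """Trial-division factorization: returns {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def log_mod_prime_power(a, b, p, q, r):
    """Return x mod q^r, recovering one base-q digit x_i per round."""
    g = pow(a, (p - 1) // q, p)          # a^((p-1)/q), an element of order q
    x, b_i = 0, b
    for i in range(r):
        target = pow(b_i, (p - 1) // q ** (i + 1), p)
        # exhaustive search over the q candidates for digit x_i
        digit = next(k for k in range(q) if pow(g, k, p) == target)
        x += digit * q ** i
        # strip the digit just found: b_(i+1) = b_i * a^(-x_i * q^i)
        b_i = b_i * pow(a, -digit * q ** i, p) % p
    return x

def crt(residues, moduli):
    """Combine x ≡ r_j (mod m_j) for pairwise coprime moduli m_j."""
    M = prod(moduli)
    total = 0
    for r_j, m_j in zip(residues, moduli):
        M_j = M // m_j
        total += r_j * M_j * pow(M_j, -1, m_j)
    return total % M

def pohlig_hellman(a, b, p):
    """Solve a^x ≡ b (mod p) for a primitive root a; x is returned mod p-1."""
    factors = factorize(p - 1)
    residues = [log_mod_prime_power(a, b, p, q, r) for q, r in factors.items()]
    moduli = [q ** r for q, r in factors.items()]
    return crt(residues, moduli)
```

The cost is dominated by the search over q candidates per digit, so the method is fast exactly when every prime factor of p-1 is small, as with p-1 = 40 here.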


Solve a^x ≡ b (mod p) by Index Calculus

Let B be a bound and let p_1, p_2, …, p_m be the primes less than B that cover all of the prime factors of p-1. Then appropriately choose k(j)'s such that a^(k(j)) ≡ (p_1)^(r_1) (p_2)^(r_2) … (p_m)^(r_m), i.e.,

r_1·L_a(p_1) + r_2·L_a(p_2) + … + r_m·L_a(p_m) ≡ k(j)

for several j's. Solve the linear system to get L_a(p_1), L_a(p_2), …, L_a(p_m), then select R such that

b·a^R ≡ (p_1)^(b_1) (p_2)^(b_2) … (p_m)^(b_m);

the solution is then

L_a(b) ≡ -R + Σ b_i·L_a(p_i)


Solve 2^x ≡ 37 (mod 131)

p=131, a=2, b=37. Let B=10, then p_1=2, p_2=3, p_3=5, p_4=7. Since

2^8 ≡ 5^3, 2^12 ≡ 5·7, 2^14 ≡ 3^2, 2^34 ≡ 3·5^2 (mod p),

we have

3·L_2(5) ≡ 8 (mod 130)

L_2(5) + L_2(7) ≡ 12 (mod 130)

2·L_2(3) ≡ 14 (mod 130)

L_2(3) + 2·L_2(5) ≡ 34 (mod 130)


L_2([3, 5, 7]) = [72, 46, 96]

Choose R=43, then 37·2^43 ≡ 3·5·7 (mod 131), so we have

L_2(37) ≡ -43 + L_2(3) + L_2(5) + L_2(7) ≡ 41 (mod 130)

♪ L_2(11) ≡ 56 (mod 130) [R=4]

♪ L_2(23) ≡ 23 (mod 130) [R=5]
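
The final stage of the index-calculus example above, as an added Python example (not part of the original slides; `factor_over_base`, `check_relation` and `individual_log` are hypothetical names). It takes the factor-base logs as solved on the slide, with L_2(2) = 1 because a = 2, checks the four relations, and searches for the smallest R that makes b·a^R factor over the base; that R can differ from the slide's choice without changing the resulting logarithm.

```python
P, A = 131, 2                        # modulus and primitive root from the slides
BASE = [2, 3, 5, 7]                  # the primes below the bound B = 10
# Factor-base logs: L_2(2) = 1 since a = 2; the rest as solved on the slide.
BASE_LOGS = {2: 1, 3: 72, 5: 46, 7: 96}

def factor_over_base(n):
    """Return {prime: exponent} if n is a product of BASE primes, else None."""
    exps = {}
    for q in BASE:
        while n % q == 0:
            exps[q] = exps.get(q, 0) + 1
            n //= q
    return exps if n == 1 else None

def check_relation(k):
    """True if a^k factors over BASE and sum(r_i * L_a(p_i)) ≡ k (mod p-1)."""
    exps = factor_over_base(pow(A, k, P))
    if exps is None:
        return False
    lhs = sum(e * BASE_LOGS[q] for q, e in exps.items())
    return lhs % (P - 1) == k % (P - 1)

def individual_log(b):
    """Find the smallest R with b*a^R smooth over BASE; return (L_a(b), R)."""
    for R in range(P - 1):
        exps = factor_over_base(b * pow(A, R, P) % P)
        if exps is not None:
            total = sum(e * BASE_LOGS[q] for q, e in exps.items())
            return (total - R) % (P - 1), R
    raise ValueError("no smooth value of b*a^R found")
```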


A Lemma on p ≡ 3 (mod 4)

Let p ≡ 3 (mod 4), r ≥ 2. Suppose a and g are nonzero integers such that g ≡ a^(y·2^r) (mod p). Then

g^((p+1)/4) ≡ a^(y·2^(r-1)) (mod p)

[Proof]

g^((p+1)/4) ≡ a^((p+1)·y·2^(r-2)) ≡ a^(y·2^(r-1)) · [a^(p-1)]^(y·2^(r-2)) ≡ a^(y·2^(r-1)) (mod p)


A L_a(b) (mod 4) Machine

  • Let a be a primitive root (mod p), where p ≡ 3 (mod 4) is large. Then computing L_a(b) (mod 4) is as difficult as finding the solution of a^x ≡ b (mod p) [P.172]


The ElGamal Public Key Cryptosystem

Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive root a. Assume m is an integer 0 ≤ m < p, and Bob selects a secret integer x to compute b ≡ a^x (mod p). The information (p, a, b) is made public and is Bob's public key. Alice does the following procedure.


Encryption and Decryption

  • Downloads (p, a, b)

  • Chooses a secret random k and computes r ≡ a^k (mod p)

  • Computes t ≡ b^k·m (mod p)

  • Sends the pair (t, r) to Bob

    Bob decrypts by computing t·r^(-x) (≡ m (mod p))
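
Both sides of the ElGamal exchange described above, as an added Python example (not part of the original slides; `keygen`, `encrypt`, `decrypt` and `recover_secret_by_search` are hypothetical names). It assumes Python 3.8+ and is meant to be run with the toy parameters p=131, a=2 from the earlier slide; the last function shows that with such a small p the exhaustive search from the earlier slide recovers Bob's x from the public key alone, which is why p must be large.

```python
import secrets

def keygen(p, a):
    """Bob: choose a secret x and publish (p, a, b) with b = a^x mod p."""
    x = secrets.randbelow(p - 2) + 1           # 1 <= x <= p-2
    return x, (p, a, pow(a, x, p))

def encrypt(public_key, m, k=None):
    """Alice: return (t, r) with r = a^k and t = b^k * m (mod p)."""
    p, a, b = public_key
    if not 0 <= m < p:
        raise ValueError("message must satisfy 0 <= m < p")
    if k is None:
        k = secrets.randbelow(p - 2) + 1       # fresh secret k for each message
    r = pow(a, k, p)
    t = pow(b, k, p) * m % p
    return t, r

def decrypt(p, x, ciphertext):
    """Bob: recover m = t * r^(-x) mod p using his secret x."""
    t, r = ciphertext
    return t * pow(r, -x, p) % p

def recover_secret_by_search(public_key):
    """Exhaustive search for x with a^x ≡ b; feasible only for a toy-sized p."""
    p, a, b = public_key
    return next(x for x in range(p - 1) if pow(a, x, p) == b)
```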


Exercises on Pages 175 and 176
