- 171 Views
- Uploaded on
- Presentation posted in: General

Discrete Logarithm(s) (DLs)

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

- Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that ax ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest integer such that an ≡1 (mod p),
i.e., n=ordp(a). By assuming 0≤x<n, we denote x=La(b), and call it the discrete log of b w.r.t. a (mod p)

- Ex: p=11, a=2, b=9, then x=L2(9)=6

- In the RSA algorithms, the difficulty of factoring a large integer yields good cryptosystems
- In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems
- Given p, a, b, solve ax ≡ b (mod p)
- a is suggested to be a primitive root mod p

- A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y=f(x).
- La(b) is a one-way function if p is large

- a is a primitive root mod p if
{ak | 1≦k≦p-1} = {1,2, …,p-1}

♪ 2, 6,7,11 are primitive roots mod 13

- 33 ≡ 1 (mod 13), 46 ≡ 1 (mod 13),
- 54 ≡ 1 (mod 13), 84 ≡ 1 (mod 13),
- 93 ≡ 1 (mod 13), 106 ≡ 1 (mod 13),
- 122 ≡ 1 (mod 13)

- An exhaustive search for all 0 ≤ x < p
- Check only for even x or odd x according to b(p-1)/2 ≡ (ax)(p-1)/2 ≡(a(p-1)/2)x ≡(-1)x≡ 1 or -1 (mod p), where a is a primitive root
(Ex) p=11, a=2, b=9, since b(p-1)/2 ≡95≡1,

then check for even numbers {0,2,4,6,8,10}

only to find x=6 such that 26 ≡ 9 (mod 11)

Let p-1 = Πqr for all q|(p-1), write b0 =b,and

x=x0 + x1q+x2q2 + … + xr-1qr-1 for 0 ≤ xi ≤ q-1

1. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡b(p-1)/q ,

then x0 ≡k, next let b1≡b0a-x0

2. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡[b1](p-1)/q^2 , then x1 ≡k, next let b2≡b1a-x1

3. Repeat steps 1, 2 until xr-1 is found for a q

4. Repeat steps 1~3 for all q’s, then apply Chinese Remainder Theorem to get the final solution

- p-1=41-1=40 =23 5
- b0 =12
- For q=2: b0 =12, b1 =31, b2=31, and
x = x0 +2x1+4x2 ≡1+2·0+4·1≡ 5 (mod 8)

- For q=5: b0 =12, b1 =18, and
x = x0 ≡ 3 (mod 5)

Solving x ≡ 5 (mod 8) andx≡ 3 (mod 5),

We have x≡13 (mod 40)

Let B be a bound and let p1,p2,…, pm be the

primes less than B and cover all of the prime

Factors of p-1. Then appropriately choose

k(j)’s such that ak(j)≡(p1)r1(p2)r2… (pm)rm,i.e.,

r1*La(p1)+r2*La(p2)+… + rm*La(pm) ≡k(j) for

several j’s, solve the linear system to get

La(p1), La(p2), … , La(pm), then select R apply

baR≡(p1)b1 (p2)b2… (pm)bm , then the solution is

La(b)≡-R+ΠbiLa(pi)

p=131, a=2, b=37, let B=10, then

p1=2, p2=3, p3=5, p4=7, since

28≡53 , 212≡5·7, 214≡32 , 234≡3·52 (mod p),

we have

3L2(5)≡ 8 (mod 130)

L2(5)+ L2(7)≡12 (mod 130)

2L2(3)≡14 (mod 130)

L2(3)+2L2(5)≡34 (mod 130)

Choose R=43, then

37·243 ≡3·5·7 (mod 131), so we have

L2(37) ≡-43+ L2(3)+ L2(5)+ L2(7)

≡ 41 (mod 130)

♪ L2(11) ≡ 56 (mod 130) [R=4]

♪ L2(23) ≡ 23 (mod 130) [R=5]

Let p≡3 (mod 4), r≥2. Suppose a and g are

nonzero integers such that g≡ay(2^r) (mod p).

Then

g(p+1)/4 ≡ ay[2^(r-1)] (mod p)

[Proof]

g(p+1)/4 ≡ a(p+1)y[2^(r-2)] ≡ay(2^(r-1))[a(p-1)]y(2^(r-2))

≡ ay(2^(r-1)) (mod p)

- Let a be a primitive root (mod p), where
p≡3 (mod 4) is large, then

Computing La(b) (mod 4) is as difficult as finding the solution of ax ≡ b (mod p)

[P.172]

Alice wants to send a message m to Bob.

Bob chooses a large prime p and a primitive

root a. Assume m is an integer 0≤m<p, and

Bob selects a secret integer x to compute

b≡ax (mod p). The information (p,a,b) is

made public and is Bob’s public key. Alice

does the following procedures.

- Downloads (p,a,b)
- Chooses a secret random k and computes r≡ak (mod p)
- Computes t≡bkm (mod p)
- Sends the pair (t,r) to Bob
Bob decrypts by computing tr-x (≡m (mod p))