A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
KAIST
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
TAHER ELGAMAL
IEEE TRANSACTIONS ON INFORMATION THEORY, JULY 1985
Suhyung Kim, Yeojeong Yoon
2010. 2. 25
Outline
Introduction
Diffie-Hellman key distribution
Elgamal Public Key System
Elgamal Digital Signature Scheme
Property
Comparison
Attacks on the Signature
Conclusion
Introduction
Public-key Encryption (Asymmetric Cryptosystem)
- First proposed in 1976: "New Directions in Cryptography", Diffie and Hellman
  - Did not produce an algorithm
- RSA cryptosystem (1978): based on difficulty of factoring large integers
- ElGamal cryptosystem (1985): based on discrete logarithm problem
[Diagram: A (sender) encrypts with the public key and sends {plaintext}public key; B (receiver) decrypts with the secret key]
Introduction
RSA Cryptosystem
- "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", published in 1978
- Proposed by Rivest, Shamir, and Adleman
- Used a computationally difficult problem
  - Breaking requires factoring of large numbers
1. Select p, q (large primes)
2. Calculate n = p × q and φ(n)
3. Select b such that gcd(b, φ(n)) = 1
4. Calculate a such that b × a ≡ 1 (mod φ(n))
- Public key: (n, b)
- Private key: (p, q, a)
- $e_K(x) = x^b \bmod n$, $d_K(y) = y^a \bmod n$
Introduction
Discrete Logarithm Problem (DLP)
The ElGamal public key cryptosystem is based upon the difficulty of solving the discrete logarithm problem (DLP), which is as follows:
Given a prime p and values g and y, find x such that $y = g^x \bmod p$
- For a small value of p, it is easy to solve a DLP
  - By trial and error or exhaustive search
- For a large value of p, finding discrete logarithms is difficult
  - For a large value of p (p has around 300 decimal digits) it is not possible to solve a DLP using current technology
Diffie-Hellman key distribution
- Public parameters
  - p: large prime
  - α: generator of $Z_p^*$
- Secret parameters
  - $x_A$ (A's), $x_B$ (B's)
  - $x_A = \log_\alpha y_A$, $x_B = \log_\alpha y_B$
- Based on Discrete Logarithm Problem
- p-1 should have at least one "large" prime factor
  - If p-1 has only small prime factors, then computing discrete logarithms is easy
[Diagram: A computes $y_A \equiv \alpha^{x_A} \bmod p$ and sends $y_A$ to B; B computes $y_B \equiv \alpha^{x_B} \bmod p$ and sends $y_B$ to A; both obtain $K_{AB} \equiv \alpha^{x_A x_B} \bmod p$]
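A parameter check for the two conditions on this slide (α generates $Z_p^*$, and p-1 has a large prime factor), followed by both sides of the exchange. This is an added example, not code from the paper or the presenters; the function names and the toy primes 467 and 65537 are assumptions, chosen so that trial division finishes instantly.

```python
import secrets

def prime_factors(n):
    """Prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def largest_factor_bits(p):
    """Bit length of the largest prime factor of p-1; a small value means weak."""
    return max(prime_factors(p - 1)).bit_length()

def dh_exchange(p, alpha):
    """Both sides of the exchange; returns (K computed by A, K computed by B)."""
    x_a = secrets.randbelow(p - 2) + 1      # A's secret x_A
    x_b = secrets.randbelow(p - 2) + 1      # B's secret x_B
    y_a = pow(alpha, x_a, p)                # sent A -> B
    y_b = pow(alpha, x_b, p)                # sent B -> A
    return pow(y_b, x_a, p), pow(y_a, x_b, p)

if __name__ == "__main__":
    for p, alpha in [(467, 2), (65537, 3)]:  # constructed toy parameters
        k_a, k_b = dh_exchange(p, alpha)
        print(p, is_generator(alpha, p), largest_factor_bits(p), k_a == k_b)
```

For p = 467 the largest prime factor of p-1 is 233, while for p = 65537 it is only 2, which is the "only small prime factors" case the slide warns about.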
Elgamal Public Key System
- A way to implement the previous Diffie-Hellman scheme
- A wants to send B a message m, where 0 ≤ m ≤ p-1
- A chooses a number k uniformly between 0 and p-1.
- Public parameters
  - p: large prime
  - α: generator of $Z_p^*$
- Secret parameters
  - k (A's)
  - $x_B$ (B's)
[Diagram of the exchange between A and B]
- B: $y_B \equiv \alpha^{x_B} \bmod p$, sends $y_B$ to A
- A: $K \equiv y_B^k \bmod p$, $c_1 \equiv \alpha^k \bmod p$, $c_2 \equiv K m \bmod p$, sends $(c_1, c_2)$ to B
- B: $K \equiv (\alpha^k)^{x_B} \equiv c_1^{x_B} \bmod p$, $m \equiv c_2 / K \bmod p$
Elgamal Public Key System
- k must be used only once. If k is used more than once,
  - $c_{1,1} \equiv \alpha^k \bmod p$, $c_{2,1} \equiv m_1 K \bmod p$
  - $c_{1,2} \equiv \alpha^k \bmod p$, $c_{2,2} \equiv m_2 K \bmod p$
  - Then $m_1/m_2 \equiv c_{2,1}/c_{2,2} \bmod p$, and $m_2$ is easily computed if $m_1$ is known.
- Breaking the system is equivalent to solving Discrete Logarithm Problem
<Decryption>
- For $c_1, c_2 \in Z_p^*$, define $d_k(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
- Adversary can decrypt the ciphertext if adversary can compute the value $x_B = \log_\alpha y_B$
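The encryption and decryption rules above, with the repeated-k failure made visible: equal $c_1$ values expose the reuse, and one known plaintext then yields the other. This is an added example, not code from the paper or the presenters; the toy parameters p = 467, α = 2 and all function names are assumptions.

```python
import secrets

P, ALPHA = 467, 2        # constructed toy parameters; a real p is far larger

def keygen():
    x_b = secrets.randbelow(P - 2) + 1            # B's secret x_B
    return x_b, pow(ALPHA, x_b, P)                # (x_B, y_B)

def encrypt(m, y_b, k=None):
    """Return (c1, c2). k is a parameter only so the misuse can be reproduced."""
    if not 0 <= m <= P - 1:
        raise ValueError("m must be in [0, p-1]")
    if k is None:
        k = secrets.randbelow(P - 2) + 1          # fresh k for every message
    K = pow(y_b, k, P)
    return pow(ALPHA, k, P), m * K % P

def decrypt(c1, c2, x_b):
    return c2 * pow(pow(c1, x_b, P), -1, P) % P   # c2 * (c1^x_B)^-1 mod p

def k_was_reused(ct_a, ct_b):
    """c1 = alpha^k depends only on k, so equal c1 values reveal a repeated k."""
    return ct_a[0] == ct_b[0]

def m2_from_known_m1(ct_1, ct_2, m1):
    """m1/m2 = c_{2,1}/c_{2,2}, so m2 = m1 * c_{2,2} / c_{2,1} mod p."""
    if not k_was_reused(ct_1, ct_2) or ct_1[1] == 0:
        return None
    return m1 * ct_2[1] * pow(ct_1[1], -1, P) % P

if __name__ == "__main__":
    x_b, y_b = keygen()
    ct_1, ct_2 = encrypt(100, y_b, k=57), encrypt(321, y_b, k=57)   # same k
    print(decrypt(*ct_1, x_b), k_was_reused(ct_1, ct_2),
          m2_from_known_m1(ct_1, ct_2, 100))
```

Comparing stored $c_1$ values is also a cheap audit for an implementation whose random number generator repeats.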
Elgamal Digital Signature Scheme
Digital Signature
A digital signature provides
- Data integrity: the content of the message should be kept intact
- Sender's identity: B needs a guarantee that the message it received actually originated from where it says it did
- Non-repudiation: uses sender's private key for signing
[Diagram: A (sender) sends a message to B (receiver), who asks where it came from and whether it is intact]
Elgamal Digital Signature Scheme
The Signing Procedure (A)
- Choose a random number k, uniformly between 0 and p-1, such that gcd(k, p-1) = 1
- $r \equiv \alpha^k \bmod p$
- The signature for m is the pair (r, s), 0 ≤ r, s < p-1
- $\alpha^m \equiv y_A^r r^s \equiv \alpha^{x_A r} \alpha^{k s} \bmod p$
- which can be solved for s by using
  - $m \equiv x_A r + k s \bmod (p-1)$
  - $s \equiv (m - x_A r)/k \bmod (p-1)$
The Verification Procedure (B)
- Given m, r, and s, check that $\alpha^m \equiv y_A^r r^s \bmod p$
Property
Public Key System
- Encryption operation: two exponentiations are required.
  - (secret) random number $k \in Z_{p-1}$
  - $e_K(m, k) = (c_1, c_2)$ where $c_1 = \alpha^k \bmod p$, $c_2 = m y^k \bmod p$
- Decryption operation: only one exponentiation (plus one division) is needed.
  - For $c_1, c_2 \in Z_p^*$, define $d_k(c_1, c_2) = c_2 (c_1^{x_B})^{-1} \bmod p$
- Randomization (against k)
  - The ciphertext for a given message m is not repeated
  - Prevents attacks like a probable text attack
  - No relation between m1, m2, and m1m2, or any other simple function of m1 and m2.
Property
Signature System
- (secret) random number $k \in Z_{p-1}^*$
- $sig_K(m, k) = (r, s)$ where $r = \alpha^k \bmod p$, $s = (m - x r) k^{-1} \bmod (p-1)$
- $ver_K(m, (r, s)) = \text{true} \Leftrightarrow y^r r^s \equiv \alpha^m \pmod p$
- Signing procedure: one exponentiation (plus a few multiplications) is needed.
- Verification procedure: three exponentiations are needed.
  - Make a table to reduce the exponentiations (1.875 exponentiations)
- The signature is double the size of the document
  - Same size as that needed for the RSA scheme
- The number of signatures is $p^2$
- The number of documents is only p
Property
Computation complexity
- Computing discrete logarithms and factoring integers
  - m: the number of bits in p
  - Best known algorithm is given by $O\left(\exp\left(c\sqrt{m \ln m}\right)\right)$, where the best estimate for c is 0.69
- Recent computation complexity
  - $O(n^3)$ on elliptic curve (2009) over a 112-bit finite field
  - To prevent known attacks p should have at least 300 digits (D. R. Stinson, "CRYPTOGRAPHY")
Comparison
Comparison with RSA
| Elgamal | RSA |
| --- | --- |
| Security based on the difficulty of the discrete log problem | Security based on the difficulty of the factorization problem |
| The ciphertext is two values c1 and c2 and so is twice the size of the message m | The ciphertext is just one value c which is roughly the same size as the message m |
| Creates longer cipher text | Uses longer keys |
| The encryption and decryption algorithms are different (although both take about the same time to perform) | The encryption and decryption algorithms are the same (modular exponentiation) |
Attacks on the Signature Scheme
The goal of an attack: forging signatures
Breaking a signature scheme (from the Handbook of Applied Cryptography)
- Total break: e.g. recovering the private key
- Selective forgery: forging a signature for a particular message or class of messages chosen a priori
- Existential forgery: forging a signature for at least one message over which the adversary has no control
Attack: Total break (1/2)
- Adversary knows Documents = { $m_i$ : i = 1, 2, ..., l } and the corresponding Signatures = { $(r_i, s_i)$ : i = 1, 2, ..., l }
- Adversary tries to solve l equations for the secret key x
  - $\alpha^m = (\alpha^r)^x \cdot r^s \bmod p$ … (1), or
  - $m_i = x \cdot r_i + k_i \cdot s_i \bmod (p-1)$ … (2), or specially
  - $k_i = c k_j$ (if there are some linear dependencies among the unknowns) … (3)
- Hard problems
  - (1), (3): computing discrete logarithm over GF(p)
  - (2): l+1 unknowns (∵ $k_i \ne k_j$, $i \ne j$, ∀ i, j ∈ {1, 2, ..., l}), so the system of equations is underdetermined
Attack: Total break (2/2)
- If any k is used twice in the signing, the private key x can be determined with high probability
  - $s_1 = k^{-1}(m_1 - x \cdot r) \bmod (p-1)$ and $s_2 = k^{-1}(m_2 - x \cdot r) \bmod (p-1)$
  - $(s_1 - s_2) k = (m_1 - m_2) \bmod (p-1)$
  - $k = (s_1 - s_2)^{-1}(m_1 - m_2) \bmod (p-1)$ (if $s_1 - s_2 \ne 0$)
  - Once k is known, x is easily found
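The signing and verification procedures from the earlier slides, and the reason a signer must never repeat k: two signatures sharing r are enough to recompute x. This is an added example, not code from the paper or the presenters; it goes beyond the slide by also handling the case where $s_1 - s_2$ is not invertible mod p-1 (it tries every solution of the congruence), and the toy parameters and function names are assumptions.

```python
from math import gcd

P, ALPHA = 467, 2            # constructed toy parameters
N = P - 1

def sign(m, x, k):
    """(r, s) with r = alpha^k mod p and s = (m - x*r)/k mod (p-1)."""
    if gcd(k, N) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(ALPHA, k, P)
    return r, (m - x * r) * pow(k, -1, N) % N

def verify(m, r, s, y):
    """alpha^m == y^r * r^s (mod p)."""
    return 0 < r < P and pow(ALPHA, m, P) == pow(y, r, P) * pow(r, s, P) % P

def solve_linear(a, b, n):
    """Every z in [0, n) with a*z == b (mod n), also when gcd(a, n) > 1."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if a == 0 or b % d:
        return []
    step = n // d
    z0 = (b // d) * pow(a // d, -1, step) % step
    return [z0 + i * step for i in range(d)]

def key_from_repeated_k(m1, sig1, m2, sig2, y):
    """Return x if both signatures share r (same k), else None."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    for k in solve_linear(s1 - s2, m1 - m2, N):        # (s1 - s2) k = m1 - m2
        if pow(ALPHA, k, P) != r1:
            continue                                   # wrong candidate for k
        for x in solve_linear(r1, m1 - k * s1, N):     # x r = m1 - k s1
            if pow(ALPHA, x, P) == y:
                return x
    return None

if __name__ == "__main__":
    x = 127                                            # constructed secret key
    y = pow(ALPHA, x, P)
    a, b = sign(100, x, 213), sign(200, x, 213)        # same k twice
    print(verify(100, *a, y), key_from_repeated_k(100, a, 200, b, y))
```

With these constructed values $s_1 - s_2$ shares the factor 2 with p-1, so the congruence has two candidate values of k and the check against r picks the right one.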
Attack: Selective forgery (1/2)
- Given a document m, adversary tries to find r, s such that $\alpha^m = y^r \cdot r^s \bmod p$
  - compute s with fixed r (= $\alpha^j \bmod p$, j chosen at random) … (1)
  - compute r with fixed s … (2)
- Hard problems
  - (1): $\alpha^m = y^r \cdot r^s \bmod p$: discrete logarithm problem (DLP)
  - (2): $\alpha^m = y^r \cdot r^s \bmod p$: not proved to be at least as hard as computing DLP, but not feasible to solve in polynomial time
Attack: Selective forgery (2/2)
- Adversary knowing one legitimate signature (r, s) for one message m, can generate other legitimate signatures and messages (ref. Handbook of Applied Cryptography)
  - Select message m'
  - Compute $u = m' \cdot m^{-1} \bmod (p-1)$, $s' = s \cdot u \bmod (p-1)$, and r' such that $r' = r \cdot u \bmod (p-1)$ and $r' = r \bmod p$ (by the Chinese Remainder Theorem)
  - Verification: $\alpha^{m'} = y^{r'} \cdot r'^{s'} = y^{ru} \cdot r^{su} = (y^r \cdot r^s)^u = (\alpha^m)^u = \alpha^{m'} \bmod p$
- How to prevent this attack
  - Verify that 1≤r≤p at verification time
Attack: Existential forgery
- Adversary knowing one legitimate signature (r, s) for one message m, can generate other legitimate signatures and messages
  - Select A, B, C arbitrarily such that (A·r - C·s) is coprime to p-1
  - compute $r' = r^A \cdot \alpha^B \cdot y^C \bmod p$, $s' = s \cdot r'/(A \cdot r - C \cdot s) \bmod (p-1)$, and $m' = r'(Am + Bs)/(Ar - Cs) \bmod (p-1)$
  - Adversary may claim that (r', s') is the signature of the message m'
  - !!! m' is not an arbitrary message
- How to prevent this attack
  - Use one-way hash function: $\alpha^{h(m)} = (\alpha^r)^x \cdot r^s$
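The two countermeasures from the selective forgery (2/2) and existential forgery slides, set against the bare verification equation: the range check on r rejects the CRT-built r', and hashing means the m' produced by the A, B, C construction must also be a digest of some message. This is an added example, not code from the paper or the presenters; the toy parameters, the constructed key, SHA-256 reduced mod p-1, the bound 1 ≤ r ≤ p-1 and all function names are assumptions.

```python
import hashlib

P, ALPHA = 467, 2                    # constructed toy parameters
N = P - 1
X = 127                              # signer's secret (constructed)
Y = pow(ALPHA, X, P)

def equation_holds(m, r, s):
    """Bare check alpha^m == y^r * r^s (mod p): no range check, no hash."""
    return pow(ALPHA, m, P) == pow(Y, r, P) * pow(r, s, P) % P

def h(msg: bytes) -> int:
    """Digest reduced mod p-1; with a toy p this only shows the structure."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg: bytes, k=213):
    r = pow(ALPHA, k, P)
    return r, (h(msg) - X * r) * pow(k, -1, N) % N

def verify_hardened(msg: bytes, r, s):
    """Reject r outside [1, p-1], then check the equation over h(msg)."""
    return 1 <= r <= P - 1 and equation_holds(h(msg), r, s)

def crt_variant(m, r, s, m_new):
    """Selective forgery (2/2): r' = r*u mod (p-1) and r' = r mod p via CRT."""
    u = m_new * pow(m, -1, N) % N                   # needs gcd(m, p-1) = 1
    r_new = (r * u * P * pow(P, -1, N) + r * N * pow(N, -1, P)) % (P * N)
    return r_new, s * u % N

def abc_variant(m, r, s, A, B, C):
    """Existential forgery: returns (m', r', s'); m' is an output, not a choice."""
    d_inv = pow((A * r - C * s) % N, -1, N)         # needs gcd(A*r - C*s, p-1) = 1
    r_new = pow(r, A, P) * pow(ALPHA, B, P) * pow(Y, C, P) % P
    return r_new * (A * m + B * s) * d_inv % N, r_new, r_new * s * d_inv % N

def demo(m=101, k=213):
    """Sign the raw integer m as on the slides, then test both variants."""
    r = pow(ALPHA, k, P)
    s = (m - X * r) * pow(k, -1, N) % N             # legitimate signature on m
    r2, s2 = crt_variant(m, r, s, 400)
    m3, r3, s3 = abc_variant(m, r, s, 1, 2, 3)
    return {"crt_passes_bare": equation_holds(400, r2, s2),
            "crt_r_in_range": 1 <= r2 <= P - 1,
            "abc_passes_bare": equation_holds(m3, r3, s3),
            "abc_r_in_range": 1 <= r3 <= P - 1}
```

The range check alone does not stop the A, B, C construction because its r' is already reduced mod p; that case is left to the hash.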
Conclusion
- Proposed cryptosystem and signature scheme are based on
  - the difficulty of computing discrete logarithms over finite fields
  - a good generator for random numbers ($k_i \ne k_j$)
- Elgamal's scheme is rarely used in practice, but many variants have been proposed, especially DSA
Question or Comment