Elgamal Elgamal demonstration demonstration

project on project on calculators TI-83+calculators TI-83+

Gerard TelGerard TelUtrecht UniversityUtrecht University

With results from Jos Roseboom With results from Jos Roseboom and Meli Samikinand Meli Samikin

Workshop Elgamal 2

Overview of the lectureOverview of the lecture1. History and background2. Elgamal (Diffie Hellman)3. Discrete Log: Pollard rho4. Experimentation results5. Structure of Function Graph:

Cycles, Tails, Layers6. Conclusions

Workshop Elgamal 3

1. History and background1. History and background1. 2003, lecture for school teachers

about Elgamal2. 2006, lecture with calculator demo

Why Elgamal, not RSA?• Functional property easy to show• Security: rely on complexity• Compare exponentiation and DLog

Workshop Elgamal 4

Math: Modular arithmeticMath: Modular arithmetic• Compute modulo prime p (95917)

with 0, 1, … p-2, p-1• Generator g of order q (prime)• Rules of algebra are valid

(ga)k = (gk)a

Secure application: p has ~309 digits!!

Workshop Elgamal 5

Calculator TI-83, 83+, 84+Calculator TI-83, 83+, 84+• Grafical, 14 digit• Programmable• Generally available

in VWO (pre-academic school type in the Netherlands)

• Cost 100 euro(free for me)

Workshop Elgamal 6

The Elgamal programThe Elgamal program• Ceasar cipher (symmetric)• Elgamal parameter and key

generation• Elgamal encryption and

decryption• Discrete Logarithm: Pollard

Infeasible problem!! But doable for 7 digit modulus

Workshop Elgamal 7

2. Public Key codes2. Public Key codes

The problem of Key Agreement:• A and B are on two sides of a river• They want to have common z• Oscar is in a boat on the river• Oscar must not know z

Workshop Elgamal 8

Solution: Diffie-HellmanSolution: Diffie-Hellman• Alice takes random a, shouts b = ga

• Bob takes random k, shouts u = gk

• Alice computes z = ua = (gk)a

• Bob computes z = bk = (ga)k

The two numbers are the sameThe difference in complexity for A&B

and O is relevant

Workshop Elgamal 9

What does Oscar hear?What does Oscar hear?Seen:1. Public b = ga

2. Public u = gk

Not computable:1. Secret a, k2. Common zThis needs discrete

logarithm

Oscar sees the communication, but not the secrets

Workshop Elgamal 10

The Elgamal programThe Elgamal program• In class use• Program, explanation,

slides on website• Program extendible• Booklet with ideas for

experimenting, papers• (All in Dutch!)

http://people.cs.uu.nl/gerard/Cryptografie/Elgamal/

Workshop Elgamal 11

3. Pollard Rho Algorithm3. Pollard Rho Algorithm• Fixed p (modulus), g, q (order of g);

G is set of powers of g• Discrete Logarithm problem:

– Given y in G– Return x st gx = y

• Pollard Rho: randomized, √q time

Workshop Elgamal 12

Pollard Rho: RepresentationPollard Rho: Representation• Representation of z: z = ya.gb

• Two representations of same number reveil log y:If ya.gb = yc.gd,then y = g(b-d)/(c-a)

• Goal: find 2 representations of one number z (value does not matter)

Workshop Elgamal 13

Strategy: Birthday TheoremStrategy: Birthday Theorem• All values z = ya.gb are in G• Birthday Theorem:

In a random sequence, we expect a collision after √q steps

• Simulate effect of random sequence by pseudorandom function: zi+1 = f (zi)(Keep representation of each zi)

Workshop Elgamal 14

Cycle detectionCycle detection• Detect collision by storing previous

values: too expensive• Floyd cycle detection method:

– Develop two sequences: zi and ti

– Relation: ti = z2i

– Collision: ti = zi, i.e., zi = z2i

In each round, z “moves” one step and t moves two steps.

Workshop Elgamal 15

4. Experimentation results4. Experimentation results

p q x m 1 2 3 4 5 Ave

971 97 4 3 8 16 8 16 8 11,2

3989 997 114 10 30 30 60 15 60 39

39869 9967 4 3 117 117 117 117 53 104,2

39869 9967 1144 15 192 65 192 65 192 141,2

999611 99961 4 3 335 335 335 335 335 335

999611 99961 11 6 683 683 683 683 683 683

999611 99961 1144 15 680 340 340 340 680 476

Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger

Workshop Elgamal 16

ObservationsObservations• Average number of iterations

coincides well with √q• Almost no variation within one row

• Is this a bug in the program??– Bad randomization in calculator?– Or general property of Pollard Rho?

Workshop Elgamal 17

5. Function graph5. Function graph• Function f: zi -> zi+1 defines graph• Out-degree 1, cycles with in-trees• Length, component, size• Graph is the same when algorithm is

repeated with the same input• Starting point differs• As zi = z2i, i must be multiple of cycle

length

Workshop Elgamal 18

Layers in a componentLayers in a component• Layer of node measure distance to

cycle in terms of its length l:– Point z in cycle has layer 0– Point z is in layer 1 if f(l)(z) in cycle– Point z is in layer c if f(c.l)(z) in cycle

• Lemma: z0 in layer c gives c.l iter.

• Is there a dominant component or layer?

Workshop Elgamal 19

Layers 0 and 1 dominateLayers 0 and 1 dominateProbability theory analysis by Meli

Samikin

Lemma: Pr(layer ≤ 1) = ½Proof: Assume collision after k steps: z0 -> z1 -> … -> … -> zk-1 -> ??

Layer of z0 is 0 if zk = z0, Pr = 1/k

Layer of z0 is 1 if zk = zj < k/2, Pr ≈ 1/2

Workshop Elgamal 20

Dominant ComponentDominant ComponentLemma: Random z0 and w0,

Pr(same component) > ½.Proof: First collision after k steps: z0 -> z1 -> … -> … -> zk-1 -> ??

w0 -> w1 -> … -> … -> wk-1 -> ??

Pr ( z meets other sequence ) = ½.Then, w-sequence may collide into z.

Workshop Elgamal 21

Experiments: dominanceExperiments: dominance• Jos Roseboom:

count points in layers of each component

• Plays national korfbal team

• World Champion 2007, november, Brno.

Workshop Elgamal 22

Size of largest componentSize of largest componentVerdeling puntenwolk Pollard

0

10

20

30

40

50

60

70

80

90

100

1,00E+00 1,00E+01 1,00E+02 1,00E+03 1,00E+04 1,00E+05 1,00E+06 1,00E+07

Omvang resterende zoekruimte

Per

cen

tag

e zo

ekru

imte

do

or

gro

ots

te c

ykel

Workshop Elgamal 23

ConclusionsConclusions• Elgamal + handcalculators = fun• Functional requirements easier to

explain than for RSA• Security: experiment with DLog• Pollard, only randomizes at start• Iterations: random variable, but

takes only limited values• Most often: size of heaviest cycle

Workshop Elgamal 24

Rabbit FormulaRabbit Formula• Ontsleutelen is: v delen door ua

• u(a1+a2) is: ua1.ua2

• Deel eerst door ua1 en dan door ua2

• Team 1: bereken v’ = Deca1(u, v)Team 2: bereken x = Deca2(u, v’)

Workshop Elgamal 25

Overzicht van formulesOverzicht van formules• Constanten:

Priemgetal p, grondtal g• Sleutelpaar:

Secret a en Public b = ga

• Encryptie: (u, v) = (gk, x.bk) met bDecryptie: x = v/ua met a

• Prijsvraag: b = b1b2. Ontsleutelen?