
Introduction to Basic Cryptography

Digital Signatures, Attacks on DLP

Kalyan Chakraborty
Harish-Chandra Research Institute

CIMPA School of Number Theory in Cryptography and Its Applications


School of Science, Kathmandu University,
Dhulikhel, Nepal
July 19 - July 31, 2010

Lecture 3: July 22, 2010

http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf
Kalyan Chakraborty (HRI)

Introduction to basic Cryptography

July 22, 2010

1 / 38

Outline

Digital Signatures
  ElGamal Digital Signatures
  RSA Digital Signatures
  Hash Functions
  Diffie-Hellman Key Exchange

Attacks on DLP
  Shanks' Algorithm
  Pollard's Rho Algorithm
  The Pohlig-Hellman Algorithm
  The Index Calculus Method


Digital Signatures

ElGamal Digital Signatures

Using ElGamal for Digital Signature

Suppose we want to sign an e-document. One can digitize the signature and append it to the document.
But anyone who has access to it can simply remove the signature and add it to something else.
Such an e-forgery is quite easy and cannot be distinguished from the original.
Hence we require that a digital signature cannot be separated from the message and attached to another.
It should also be easily verifiable by the other party.


A digital signature scheme consists of two steps:

1. The signing process.
2. The verification process.

A variation of the ElGamal crypto scheme provides a digital signature.
A signature for a message M is a pair (a, b) obtained by selecting a random integer k with $\gcd(k, p-1) = 1$, where

$$a = g^k \bmod p, \qquad b = k^{-1}(M - xa) \bmod (p-1) \qquad \text{(ElGamal Signature)}$$

To verify a digital signature s = (a, b), one checks that

$$y^a a^b \equiv g^M \pmod p \qquad \text{(ElGamal Verification)}$$

where $y = g^x \bmod p$.

Exercise

Suppose Alice is using the ElGamal Signature Scheme with p = 31847, = 5 and = 25703. Compute the values of k and a (without solving any instance of the DLP), for the following:
Given the signature (23972, 31396) for the message x = 8900.
Given the signature (23972, 20481) for the message x = 31415.


Security of ElGamal Digital Signature

If Alice wants to sign a second document, then she must choose a new random value of k.
Suppose she uses the same k for two messages $M_1$ and $M_2$. Then the value of a ($= g^k \bmod p$) will be the same in both signatures.
So Eve will notice immediately that k has been used twice.
The b-values are different. Let us call them $b_1$ and $b_2$.
Eve knows that

$$b_1 k - M_1 \equiv -xa \equiv b_2 k - M_2 \pmod{p-1}$$

This implies

$$(b_1 - b_2)\,k \equiv M_1 - M_2 \pmod{p-1}$$

She can solve for k. If $\gcd(b_1 - b_2, p-1) = d$, then there are d solutions to the congruence, and they can be found.
Usually d is small, so there are not many values of k.

Eve computes $g^k$ for every possible value of k and looks for the one which gives a.
Now she knows k.
She solves

$$xa \equiv M_1 - k b_1 \pmod{p-1}$$

for x. There are $\gcd(a, p-1)$ possibilities for x.
Now Eve computes $g^x$ for each of these possibilities for x, until she finds y.
At this point she knows the private key x.
Thus she breaks the system and can produce Alice's signatures at will.
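
The signing and verification equations and the reuse-of-k analysis above, worked through in Python as an added example (not part of the lecture). The parameters p = 467, g = 2, x = 127, the messages, the log and all function names are constructed for illustration; `reused_k_groups` is the check a signer can run over a signature log, and `key_exposed_by_reuse` shows that a single repeated a is enough to expose x.

```python
from math import gcd

# Constructed toy parameters (assumptions, not from the lecture); far too small for real use.
P = 467                 # prime p
G = 2                   # primitive root g modulo p
X = 127                 # Alice's private key x
Y = pow(G, X, P)        # Alice's public key y = g^x mod p


def sign(m, k, x=X, p=P, g=G):
    """ElGamal signature (a, b) on m; k must be fresh for every message."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p - 1")
    a = pow(g, k, p)
    b = pow(k, -1, p - 1) * (m - x * a) % (p - 1)
    return a, b


def verify(m, sig, y=Y, p=P, g=G):
    """Check y^a * a^b == g^M (mod p)."""
    a, b = sig
    if not 0 < a < p:       # range check on a: standard practice, not stated on the slide
        return False
    return pow(y, a, p) * pow(a, b, p) % p == pow(g, m, p)


def solve_congruence(coef, rhs, n):
    """All t in [0, n) with coef * t == rhs (mod n): d = gcd(coef, n) solutions, or none."""
    coef, rhs = coef % n, rhs % n
    d = gcd(coef, n)
    if d == n or rhs % d:
        return []           # coef == 0 (no information) or no solution at all
    step = n // d
    t0 = (rhs // d) * pow(coef // d, -1, step) % step
    return list(range(t0, n, step))


def reused_k_groups(log):
    """Audit [(M, (a, b)), ...]: return {a: [M, ...]} for every a that occurs more than once."""
    by_a = {}
    for m, (a, _b) in log:
        by_a.setdefault(a, []).append(m)
    return {a: ms for a, ms in by_a.items() if len(ms) > 1}


def key_exposed_by_reuse(m1, sig1, m2, sig2, y=Y, p=P, g=G):
    """Follow the steps above for two signatures with the same a; return x, or None."""
    (a, b1), (a2, b2) = sig1, sig2
    if a != a2:
        return None                                       # different k: nothing to solve
    n = p - 1
    for k in solve_congruence(b1 - b2, m1 - m2, n):       # (b1 - b2) k == M1 - M2
        if pow(g, k, p) != a:
            continue                                      # wrong candidate among the d
        for x in solve_congruence(a, m1 - k * b1, n):     # x a == M1 - k b1
            if pow(g, x, p) == y:
                return x
    return None


# Constructed signing log: the first two entries share k = 213, the third uses a fresh k.
LOG = [(100, sign(100, 213)), (272, sign(272, 213)), (55, sign(55, 19))]

if __name__ == "__main__":
    print("all verify:", all(verify(m, s) for m, s in LOG))
    print("repeated a:", reused_k_groups(LOG))
    (m1, s1), (m2, s2) = LOG[0], LOG[1]
    print("private key exposed:", key_exposed_by_reuse(m1, s1, m2, s2))
```

With these messages $\gcd(b_1 - b_2, p-1) = 2$, so the congruence for k has two solutions and the comparison with a selects the right one.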


RSA Digital Signature

Bob has a document that Alice agrees to sign. They do the following:

1. Alice generates two large primes p, q and computes n = pq. She chooses eA s.t. 1 < eA < (n) with (eA , (n)) = 1, and calculates dA s.t. eA dA = 1( mod (n)). She publishes (eA , n) and keeps dA, p, q private.
2. Alice's signature is $y = m^{d_A} \pmod n$, where m is the message.
3. The pair (m, y) is then made public.

Bob verifies Alice's signature as follows:

1. Download Alice's $(e_A, n)$.
2. Calculate $z = y^{e_A} \pmod n$.
3. If z = m, then he accepts the signature as valid.



Suppose Eve wants to attach Alice's signature to another message $m_1$.
She cannot simply use $(m_1, y)$, as

$$y^{e_A} \not\equiv m_1 \pmod n$$

Therefore, she needs $y_1$ with

$$y_1^{e_A} \equiv m_1 \pmod n$$

This is the same problem as decrypting an RSA ciphertext $m_1$ to obtain the plaintext $y_1$. This is hard.


Another possibility is that Eve chooses $y_1$ first, then lets the message be

$$m_1 \equiv y_1^{e_A} \pmod n$$

It doesn't appear that Alice can deny having signed the message $m_1$ under the scheme, but it's unlikely that $m_1$ will be of any meaning.
There is a variation on this procedure that allows Alice to sign a document without knowing its contents.


Some Remarks on the two Signature Schemes

ElGamal Digital Signature

The ElGamal scheme is an example of a signature with appendix.
The message is not easily recovered from the signature (a, b).
The message M must be included in the verification procedure.

RSA Digital Signature

In contrast, the RSA signature scheme is a message recovery scheme.
The message comes out automatically from the signature y.
Therefore, only y needs to be sent, since anyone can deduce M as $y^{e_A} \bmod n$.


Hash Functions

What is a hash function?
A hash function h takes a message of arbitrary length as input and produces a shorter message of fixed length as output.
Why is it needed?
In the signature schemes discussed, the signature is at least as long as the message. This is a disadvantage when the message is long.
As a remedy, a hash function is used and the signature scheme is applied to the hash of the message instead of to the message itself.

[Diagram: Long Message → Hash Function → 160-Bit Message]


A hash function should satisfy:

Given a message m, the hashed message h(m) should be easily computable.
It should be a one-way function.
It should be a collision-free function, i.e., it should be computationally infeasible to find two messages $m_1$ and $m_2$ such that $h(m_1) = h(m_2)$.

There are several professional hash functions, and among them Rivest's MD family is the most popular. We provide an example which is good for illustration.
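
The RSA signature with message recovery, the "choose $y_1$ first" pair, and the hash-then-sign variant described above, as an added Python example (not from the lecture). The toy key (p = 1009, q = 1013, e_A = 65537), the use of SHA-256 reduced modulo n as h, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (assumption, not from the lecture); real keys use far larger primes.
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME
E_A = 65537
D_A = pow(E_A, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # e_A * d_A == 1 mod (p-1)(q-1)


def h(message: bytes) -> int:
    """Hash to an integer below n (SHA-256 reduced mod the toy n; an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_raw(m: int) -> int:
    """Scheme from the slides: y = m^dA mod n."""
    return pow(m, D_A, N)


def verify_raw(m: int, y: int) -> bool:
    """Bob's check: z = y^eA mod n must equal m."""
    return pow(y, E_A, N) == m % N


def pair_from_chosen_y(y1: int):
    """Second possibility on the slides: fix y1 first and let m1 = y1^eA mod n."""
    return pow(y1, E_A, N), y1


def sign_hashed(message: bytes) -> int:
    """Hash-then-sign: the signature scheme is applied to h(message), not to the message."""
    return pow(h(message), D_A, N)


def verify_hashed(message: bytes, y: int) -> bool:
    """The verifier recomputes h(message); the message itself must be supplied."""
    return pow(y, E_A, N) == h(message)


if __name__ == "__main__":
    m = 424242
    y = sign_raw(m)
    print("raw signature verifies:", verify_raw(m, y), "| recovered message:", pow(y, E_A, N))
    m1, y1 = pair_from_chosen_y(123456)            # built from the public key only
    print("chosen-y pair accepted by raw check:", verify_raw(m1, y1))
    print("chosen-y pair accepted after hashing:", verify_hashed(str(m1).encode(), y1))
    doc = b"constructed sample document"
    print("hashed signature verifies:", verify_hashed(doc, sign_hashed(doc)))
```

Under hash-then-sign, a pair built from a chosen $y_1$ would need a message whose hash equals $y_1^{e_A} \bmod n$, which is the one-way property listed above.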


Example of Hash Function

Example: This example is due to Chaum, van Heijst and Pfitzmann. It is too slow to be used in practice.
Choose a large prime p such that q = (p − 1)/2 is also a prime.
Choose two primitive roots and modulo p. Thus there exists a such that a mod (p).
h will map integers modulo $q^2$ to integers modulo p. Therefore the hashed message contains approximately half as many bits as the message.
Write $m = x_0 + x_1 q$ with $0 \le x_0, x_1 \le q - 1$. Then
h(m) x0 x1 mod (p).
One can show that it's probably collision-free.


Key Exchange

Keys are the most important component of a cryptosystem. Key exchange is required for symmetric cryptosystems, which are faster than PKC and used in practice.
Key agreement is a type of protocol whereby a key is established by exchanging information between Alice and Bob.
It turns out that key agreement protocols are best done using Public Key Cryptography, which is more secure.
A famous example of this protocol is the Diffie-Hellman Key Exchange, which provides the key with two message transfers.


Diffie-Hellman Key Exchange

Let p be a prime and a be a primitive root modulo p.
User A key generation:
Select private $X_A$: $X_A < p$.
Calculate public $Y_A$: $Y_A = a^{X_A} \bmod p$.
User B key generation:
Select private $X_B$: $X_B < p$.
Calculate public $Y_B$: $Y_B = a^{X_B} \bmod p$.
Generation of secret key by A:
$k = (Y_B)^{X_A} \bmod p$.
Generation of secret key by B:
$k = (Y_A)^{X_B} \bmod p$.


User A
Generate random $X_A < p$.
Calculate $Y_A = a^{X_A} \bmod p$.
$$k = (Y_B)^{X_A} \bmod p = (a^{X_B})^{X_A} \bmod p = a^{X_B X_A} \bmod p$$

User B
Generate random $X_B < p$.
Calculate $Y_B = a^{X_B} \bmod p$.
$$k = (Y_A)^{X_B} \bmod p = (a^{X_A})^{X_B} \bmod p = a^{X_A X_B} \bmod p$$


Attacks on Discrete Log Problem


Shanks' baby-step giant-step Algorithm (1972)

Description:

$m = \lceil \sqrt{p-1} \rceil$

(ceiling(x) = $\lceil x \rceil$ is the smallest integer not less than x.)


Compute L1 = {(j, mj ), j = 0, 1, . . . , m 1}
L2 = {(i, i ), i = 0, 1, . . . , m 1}

Sort L1 and L2 with respect to second co-ordinate.


Find the same second co-ordinate from L1 and L2 , say
(q, mq ) and (r, r ), to get
mq = r .
mq+r
=
and a = mq + r.

Shanks Algorithm: (G, n, , )

1 m
n
2
3

for j 0 to m 1
do compute mj

Obtain list L1

for i 0 to m 1

do compute i

Obtain list L2

Find a pair (q, y) L1 and (r, y) L2

log (mq + r) mod n


Comments on Algorithm

Step 3 in the algorithm is the Baby-Step and Step 6 is the Giant-Step.
This method runs in O(m log m) time with O(m) memory, where $m = \lceil \sqrt{n} \rceil$.


Example

log2 15 mod 19 = ?
G = Z19 , = 2, = 15
1 = 10, n = p 1 = 18, m = 5, m = 13.
L1 : (j, mj )    L2 : (i, i )
(0, 1)           (0, 15)
(1, 13)          (1, 17)
(2, 17)          (2, 18)
(3, 12)          (3, 9)
(4, 4)           (4, 14)

Then q = 2 and r = 1, so mq + r = 11 and $\log_2 15 \bmod 19 = 11$.
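
The baby-step giant-step procedure and the worked example above, as an added Python example (not from the lecture). The names `alpha` (the base), `beta` (the element whose logarithm is sought) and the function names are chosen here; a dictionary lookup replaces the sorting of the two lists, and the case where `beta` is not a power of `alpha` is handled.

```python
from math import isqrt


def shanks_lists(alpha, beta, n, p):
    """Build the two lists: L1 = (j, alpha^(m j)) and L2 = (i, beta * alpha^(-i)), 0 <= i, j < m."""
    m = isqrt(n - 1) + 1                      # ceil(sqrt(n)) for n >= 1
    alpha_m = pow(alpha, m, p)
    alpha_inv = pow(alpha, -1, p)
    l1 = [(j, pow(alpha_m, j, p)) for j in range(m)]
    l2 = [(i, beta * pow(alpha_inv, i, p) % p) for i in range(m)]
    return m, l1, l2


def shanks(alpha, beta, n, p):
    """log of beta to base alpha in Z_p*, alpha of order n; None if beta is not a power of alpha."""
    m, l1, l2 = shanks_lists(alpha, beta, n, p)
    # Index L1 by its second coordinate instead of sorting both lists and scanning them.
    first_j = {}
    for j, y in l1:
        first_j.setdefault(y, j)
    for r, y in l2:
        if y in first_j:
            q = first_j[y]                    # alpha^(m q) == beta * alpha^(-r)
            return (m * q + r) % n
    return None                               # no common second coordinate


if __name__ == "__main__":
    # The example from the slides: G = Z_19*, base 2, target 15, n = 18.
    m, l1, l2 = shanks_lists(2, 15, 18, 19)
    print("m =", m)
    print("L1 =", l1)
    print("L2 =", l2)
    print("log =", shanks(2, 15, 18, 19))
    # Constructed larger instance: base 2 is a primitive root modulo 467.
    print("log =", shanks(2, pow(2, 127, 467), 466, 467))
    # Constructed negative case: 7 has order 3 modulo 19 and 2 is not one of its powers.
    print("log =", shanks(7, 2, 3, 19))
```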

Pollard's Rho Algorithm (1978)

This is the corresponding algorithm for finding discrete logarithms. As with the Rho algorithm, one forms a sequence $\{x_1, x_2, \ldots\}$ by iteratively applying a random function f.
Once one obtains two elements $x_i$ and $x_j$ such that $x_i = x_j$ for $i < j$, then hopefully one can compute log .
As in the factoring algorithm, one will look for a collision of the form $x_i = x_{2i}$.
This algorithm needs less storage than the Shanks Algorithm and runs in approximately the same time.


Let (G, ) be a group, G, o() = n.


Let < >. We can treat log Zn .
Partition G into 3 roughly equal-sized sets $S_1, S_2, S_3$. Let $x_0 = 1_G$ and $x_0 \notin S_2$.
Define a function f :< > Zn Zn < > Zn Zn

(x, a, b + 1) if x S1
f (x, a, b) =
(x2 , 2a, 2b)
if x S2

(x, a + 1, b) if x S3 .

Each triplet (x, a, b) that we form has the property that
x = a b


We begin with an initial triplet $(1, 0, 0)$.
Note that $f(x, a, b)$ satisfies the desired property if $(x, a, b)$ does. Thus, we define
$$(x_i, a_i, b_i) = \begin{cases} (1, 0, 0) & \text{if } i = 0 \\ f(x_{i-1}, a_{i-1}, b_{i-1}) & \text{if } i \ge 1. \end{cases}$$

We compare $(x_{2i}, a_{2i}, b_{2i})$ and $(x_i, a_i, b_i)$ until we find a value of $i \ge 1$ such that
$$x_{2i} = x_i.$$
When this occurs, we have
a2i b2i = ai bi
If we denote c = log , then it must have
a2i +cb2i = ai +cbi .


Since, ord() = n, we have


$$a_{2i} + c\,b_{2i} \equiv a_i + c\,b_i \pmod{n}$$
$$c\,(b_{2i} - b_i) \equiv a_i - a_{2i} \pmod{n}$$

If $\gcd(b_{2i} - b_i, n) = 1$, then we can solve for $c$ as
$$c = (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod{n}.$$
If $\gcd(b_{2i} - b_i, n) = d$, we have
$$c = (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod{n/d}.$$
This gives us $d$ choices of $c$. Usually $d$ is small, so we can try all possibilities until we have the result.
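
The iteration, the collision test x_2i = x_i and the gcd case split above, as an added Python example that is not part of the original slides. Assumptions made here: the names `alpha` (the element of order n) and `beta` (the element whose logarithm is sought), the partition of the group by residue mod 3, and multiplication by `beta` in S1 and by `alpha` in S3, chosen so that the slide's exponent updates keep x = alpha^a * beta^b; the sample group F_37^* with generator 2 is borrowed from the Pohlig-Hellman example later in these slides.

```python
from math import gcd

def step(x, a, b, alpha, beta, p, n):
    """One application of f; preserves x == alpha^a * beta^b (mod p)."""
    if x % 3 == 1:                            # S1 (assumed partition): times beta
        return x * beta % p, a, (b + 1) % n
    if x % 3 == 0:                            # S2: square, both exponents double
        return x * x % p, 2 * a % n, 2 * b % n
    return x * alpha % p, (a + 1) % n, b      # S3: times alpha

def rho_dlog(alpha, beta, p, n):
    """log_alpha(beta) in F_p^*, alpha of order n; None if no candidate fits."""
    slow = fast = (1, 0, 0)                   # x_0 = 1 lies in S1, not in S2
    while True:                               # Floyd: compare x_i with x_2i
        slow = step(*slow, alpha, beta, p, n)
        fast = step(*step(*fast, alpha, beta, p, n), alpha, beta, p, n)
        if slow[0] == fast[0]:
            break
    (_, a_i, b_i), (_, a_2i, b_2i) = slow, fast
    db = (b_2i - b_i) % n                     # c * db = da (mod n)
    da = (a_i - a_2i) % n
    d = gcd(db, n)
    if da % d:
        return None                           # beta is not a power of alpha
    m = n // d
    c0 = (da // d) * pow(db // d, -1, m) % m if m > 1 else 0
    for k in range(d):                        # the d candidates c0 + k*(n/d)
        c = c0 + k * m
        if pow(alpha, c, p) == beta:
            return c
    return None

# Constructed inputs: F_37^* with generator 2 (order 36).
SAMPLE_D1 = rho_dlog(2, 19, 37, 36)   # collision where the gcd is 1
SAMPLE_D2 = rho_dlog(2, 26, 37, 36)   # collision where the gcd is 2
```

The second sample reaches a collision with gcd 2, so the loop over candidates is what selects the right logarithm.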


Pohlig-Hellman Algorithm (1978)

Let be a generator of Fp and Fp . Assume


$$p - 1 = \prod_{j=1}^{r} p_j^{c_j}; \qquad c_j \in \mathbb{N}; \qquad \text{the } p_j \text{ are distinct primes.}$$

To compute a = log , we compute $a \bmod p_j^{c_j}$ for $j = 1, 2, \dots, r$, then apply the Chinese Remainder Theorem. As we operate on each prime power, we replace $p_j$ with $q$ and refer to $q^c$.
To compute $a \bmod q^c$ we need to determine $a$ in its base $q$ representation:
$$a = \sum_{i=0}^{c-1} b_i q^i, \qquad 0 \le b_i \le q - 1, \quad 0 \le i \le c - 1$$

First set 0 = = a and observe that


(p 1)
1

Pc1

k=i bk q

ki1

(p 1) bqi (mod p 1)

(1)

Calculate b0 , by (1)
(p1)/q

(p1)b0 /q (mod p)

(Fermat's little thm.)

(2)

We compute (p1)k/q (mod p) until (2) is satisfied and then


k = b0 .
2

Calculate bi for i = 1, 2, . . . , c 1. P
i1
k
First recursively define i = i1 k=0 bk q . By (1),
(p1)/q i+1

(p1)

P c1

k>i bk q

ki1

(p1)bi /q (mod p)

(3)

So, we compute (p1)k/q mod p for non-zero k c until (3) is


satisfied, in which case k = bi .

Pohlig-Hellman Algorithm
Algorithm : (G, n, , , q, c)
j0
j

while j c 1

do

j+1

j n/(q )
find i such that = in/q
bj i
j
j+1 j bj q
j j+1

return (b0 , . . . , bc1 )

Example Let p = 37. = 2 generates F37 .


Given 0 = = 19, we want to compute
$a = \log_2(19)$ in $F_{37}$.
$p - 1 = 36 = 2^2 \cdot 3^2 = p_1^{c_1} p_2^{c_2}$. All congruences are assumed to be mod 37.
For $p_1 = 2$:
k
(p1)k/p1
i
i
i

(p1)/p1 i+1

bi

0
1

1
218 36

0
19
18
19 36
1

1
19.21
289

28
36
1

Thus the base 2 representation of $\log_2(19) \bmod 4$ is
$$\sum_{i=0}^{c-1} b_i p_1^i = 1 \cdot 2^0 + 1 \cdot 2^1 \equiv 3 \bmod 4 \qquad (4)$$

For $p_2 = 3$:
k
(p1)k/p2
i
i
i

(p1)/p2 i+1

bi

0
1

1
212 26

0
19
12
19 10
2

2
224 10
1
19.2 14
149 10
2
2

Thus, the base 3 representation of $\log_2(19) \bmod 9$ is
$$\sum_{i=0}^{c_2-1} b_i p_2^i = 2 \cdot 3^0 + 2 \cdot 3^1 \equiv 8 \bmod 9 \qquad (5)$$
On solving (4) and (5) by the Chinese Remainder Theorem, we get $a = \log_2 19 = 35$ in $F_{37}$.
If n = p 1, then given factorization of n the running time is
Pr

pj ) group multiplications.
O
j>1 cj (ln n +

Chinese Remainder Theorem

Suppose $m_1, m_2, \dots, m_r$ are pairwise relatively prime positive integers, and let $a_1, a_2, \dots, a_r$ be integers. Then the system of $r$ congruences $x \equiv a_i \pmod{m_i}$ $(1 \le i \le r)$ has a unique solution modulo $M = m_1 \cdots m_r$, which is given by
$$x = \sum_{i=1}^{r} a_i M_i y_i \bmod M,$$
where $M_i = M/m_i$ and $y_i = M_i^{-1} \bmod m_i$, for $1 \le i \le r$.

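Example: Here we have $x \equiv 3 \pmod 4$ and $x \equiv 8 \pmod 9$. So, by CRT,
$$x \equiv 3 \cdot 9 \cdot (9^{-1} \bmod 4) + 8 \cdot 4 \cdot (4^{-1} \bmod 9) \pmod{36}$$
$$\equiv 3 \cdot 9 \cdot 1 + 8 \cdot 4 \cdot 7 \pmod{36}$$
$$\equiv 35 \pmod{36}$$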
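
The digit-by-digit procedure and the CRT step, run on the slides' own example (p = 37, generator 2, element 19), as an added Python example that is not part of the original lecture. The names `alpha`, `beta`, `beta_j` and the lookup table of the q values alpha^((p-1)k/q) are choices made here; the factorization of p - 1 is passed in, as the slides assume it is known.

```python
def prime_power_digits(alpha, beta, p, q, c):
    """Base-q digits (b_0, ..., b_{c-1}) of log_alpha(beta) mod q^c in F_p^*."""
    n = p - 1
    root = pow(alpha, n // q, p)                     # element of order q
    table = {pow(root, k, p): k for k in range(q)}   # alpha^((p-1)k/q) -> k
    alpha_inv = pow(alpha, -1, p)
    digits, beta_j = [], beta
    for j in range(c):
        # Raising beta_j to (p-1)/q^(j+1) kills every digit above b_j.
        delta = pow(beta_j, n // q ** (j + 1), p)
        b_j = table[delta]
        digits.append(b_j)
        # Strip the digit just found: beta_{j+1} = beta_j * alpha^(-b_j q^j).
        beta_j = beta_j * pow(alpha_inv, b_j * q ** j, p) % p
    return digits

def crt(residues, moduli):
    """x = sum a_i * M_i * y_i mod M, with M_i = M/m_i, y_i = M_i^-1 mod m_i."""
    M = 1
    for m_i in moduli:
        M *= m_i
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        x += a_i * M_i * pow(M_i, -1, m_i)
    return x % M

def pohlig_hellman(alpha, beta, p, factorization):
    """factorization: list of (q, c) with p - 1 = product of q^c."""
    residues, moduli = [], []
    for q, c in factorization:
        digits = prime_power_digits(alpha, beta, p, q, c)
        residues.append(sum(b * q ** i for i, b in enumerate(digits)))
        moduli.append(q ** c)
    return crt(residues, moduli)

# The slides' example: log_2(19) in F_37, with 36 = 2^2 * 3^2.
DIGITS_2 = prime_power_digits(2, 19, 37, 2, 2)
DIGITS_3 = prime_power_digits(2, 19, 37, 3, 2)
RESULT = pohlig_hellman(2, 19, 37, [(2, 2), (3, 2)])
```

The work per prime is bounded by q table entries, which is why a group order with only small prime factors gives no protection however large p is.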


Index Calculus Method

This algorithm is applicable to the particular situation of finding the


discrete log in Zp , and is a primitive element mod p.
In such a situation this algorithm is faster than others.
This method uses a factor base, which is a set $B$ of small primes.
Suppose $B = \{p_1, p_2, \dots, p_B\}$.
1st Step: Find the discrete logarithms of the $B$ primes in the factor base.
2nd Step: Compute the discrete logarithm of a desired element ,
using the knowledge of discrete logarithms of the elements in the
factor base.


Explanation
Let c = B + 10 (a bit bigger than B).
One constructs c mod p which have the form:
xj p1 a1j p2 a2j . . . pB aBj (mod p) for 1 j c.
These congruences can be written equivalently as:
xj a1j log p1 + + aBj log pB (mod p 1), 1 j c.
Given $c$ congruences in the $B$ unknowns $\log p_i$ $(1 \le i \le B)$, we hope that there is a unique solution mod $p - 1$. In this case, we compute the logarithms in the factor base.
To generate the c congruences in the desired form, take a random x,
compute x mod p; then determine if x mod p has all its factors in B.

After pre-computation, we compute a desired logarithm log :


Choose a random integer s(1 s p 2) and compute
= s mod p.
Now attempt to factor over B. If this can be done, we obtain a
congruence of the form:
s p1 c1 p2 c2 . . . pB cB (mod p)
log + s c1 log p1 + + cb log pB (mod (p 1)).
as except log , all other terms are known, we can get log .


Example of Index Calculus method

Example: $\log_5 9451 \bmod 10007 = ?$

Choose $B = \{2, 3, 5, 7\}$.

Of course $\log_5 5 = 1$, so there are three logs of factor base elements to be determined.
Use exponents 4063, 5136 and 9865:
$$5^{4063} \bmod 10007 = 42 = 2 \cdot 3 \cdot 7$$
$$5^{5136} \bmod 10007 = 54 = 2 \cdot 3^3$$
$$5^{9865} \bmod 10007 = 189 = 3^3 \cdot 7$$
And so we have 3 congruences:
$$\log_5 2 + \log_5 3 + \log_5 7 \equiv 4063 \pmod{10006}$$
$$\log_5 2 + 3 \log_5 3 \equiv 5136 \pmod{10006}$$
$$3 \log_5 3 + \log_5 7 \equiv 9865 \pmod{10006}$$
(we now have 3 congruences in 3 unknowns)

There happens to be a unique solution mod 10006, namely
$$\log_5 2 = 6578, \qquad \log_5 3 = 6190, \qquad \log_5 7 = 1301.$$
Choose random exponent $s = 7736$ and try to calculate
$$9451 \cdot 5^{7736} \bmod 10007 = 8400.$$
Since $8400 = 2^4 \cdot 3 \cdot 5^2 \cdot 7$ factors over $B$,
$$\log_5 9451 = (4 \log_5 2 + \log_5 3 + 2 \log_5 5 + \log_5 7 - s) \bmod 10006$$
$$= (4 \cdot 6578 + 6190 + 2 \cdot 1 + 1301 - 7736) \bmod 10006$$
$$= 6057 \bmod 10006$$
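
Both steps of the method on the slides' numbers (p = 10007, base 5, factor base {2, 3, 5, 7}, exponents 4063, 5136, 9865, s = 7736), as an added Python example that is not part of the original lecture. The function names are choices made here, and Cramer's rule is swapped in as the solver for this 3 x 3 system; it applies only when the determinant is coprime to p - 1, which is the "unique solution" case the slides hope for.

```python
from math import gcd

P, G, H = 10007, 5, 9451          # the slides' example: log_5 9451 mod 10007
BASE = [2, 3, 5, 7]               # factor base from the slides

def smooth_exponents(n, base=BASE):
    """Exponent vector of n over the factor base, or None if n is not smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def factor_base_logs(exponents, p=P, g=G):
    """Step 1: solve the relations for log_g 2, log_g 3, log_g 7 modulo p - 1."""
    n = p - 1
    rows, rhs = [], []
    for x in exponents:
        e2, e3, e5, e7 = smooth_exponents(pow(g, x, p))
        rows.append([e2, e3, e7])
        rhs.append((x - e5) % n)          # log_g 5 = 1 moves to the right side
    d = det3(rows)
    if gcd(d, n) != 1:
        raise ValueError("relations do not give a unique solution mod p - 1")
    d_inv = pow(d, -1, n)
    sol = []
    for k in range(3):                    # Cramer: column k replaced by rhs
        m_k = [r[:k] + [rhs[j]] + r[k + 1:] for j, r in enumerate(rows)]
        sol.append(det3(m_k) * d_inv % n)
    return {2: sol[0], 3: sol[1], 5: 1, 7: sol[2]}

def individual_log(h, logs, s, p=P, g=G):
    """Step 2: factor h * g^s over the base and read off log_g h."""
    exps = smooth_exponents(h * pow(g, s, p) % p)
    if exps is None:
        return None                       # this s fails; try another one
    total = sum(e * logs[q] for e, q in zip(exps, BASE))
    return (total - s) % (p - 1)

LOGS = factor_base_logs([4063, 5136, 9865])
RESULT = individual_log(H, LOGS, 7736)
```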


THANK YOU
