Kalyan Chakraborty
Harish-Chandra Research Institute
http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf
Kalyan Chakraborty (HRI)
Outline
Digital Signatures
ElGamal Digital Signatures
RSA Digital Signatures
Hash Functions
Diffie-Hellman Key Exchange
Attacks on DLP
Shanks' Algorithm
Pollard's Rho Algorithm
The Pohlig-Hellman Algorithm
The Index Calculus Method
Digital Signatures
Verification process.
(ElGamal Verification)
where
$y = g^x \bmod p$.
Exercise
(mod $p - 1$)
This implies
$(b_1 - b_2)\,k \equiv (M_1 - M_2) \pmod{p-1}$
She can solve for $k$. If $(b_1 - b_2,\ p - 1) = d$, then there are $d$ solutions to the congruence and they could be found.
Usually $d$ is small so there are not many values of $k$.
Eve computes $g^k$ for every possible value of $k$ and looks for the one which gives $a$.
Now, she knows $k$.
She solves
$xa \equiv (M_1 - k b_1) \pmod{p-1}$ for $x$.
There are $(a,\ p - 1)$ possibilities for $x$.
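The derivation above as an added Python example (not code from the slides): an audit check that flags signatures sharing the same $a$, and the two linear congruences solved on toy numbers to show why a repeated $k$ exposes $x$. The signing equation $b = k^{-1}(M - xa) \bmod (p-1)$ is assumed from the congruences on the slide; the parameters, messages and all function names are constructed for illustration.

```python
from math import gcd

def sign(p, g, x, k, M):
    """ElGamal signature (a, b): a = g^k mod p, b = k^-1 (M - x a) mod (p - 1)."""
    a = pow(g, k, p)
    return a, pow(k, -1, p - 1) * (M - x * a) % (p - 1)

def verify(p, g, y, M, a, b):
    """Accept iff y^a * a^b = g^M (mod p), with y = g^x mod p."""
    return 0 < a < p and pow(y, a, p) * pow(a, b, p) % p == pow(g, M, p)

def solve_linear(c, t, n):
    """All z in [0, n) with c*z = t (mod n): gcd(c, n) solutions, or none."""
    d = gcd(c, n)
    if t % d:
        return []
    m = n // d
    z0 = (t // d) * pow(c // d, -1, m) % m if m > 1 else 0
    return [z0 + i * m for i in range(d)]

def reused_nonces(signatures):
    """Audit check: index pairs of signatures whose first component a repeats."""
    seen, hits = {}, []
    for idx, (_msg, (a, _b)) in enumerate(signatures):
        if a in seen:
            hits.append((seen[a], idx))
        seen.setdefault(a, idx)
    return hits

def recover_key(p, g, y, M1, sig1, M2, sig2):
    """Solve (b1 - b2) k = M1 - M2, then x a = M1 - k b1, both mod p - 1."""
    (a, b1), (_, b2) = sig1, sig2
    n = p - 1
    for k in solve_linear((b1 - b2) % n, (M1 - M2) % n, n):
        if pow(g, k, p) != a:          # keep the candidate that reproduces a
            continue
        for x in solve_linear(a % n, (M1 - k * b1) % n, n):
            if pow(g, x, p) == y:      # keep the candidate matching the public key
                return k, x
    return None

# Constructed toy parameters (far too small for real use).
P, G, X = 467, 2, 127
Y = pow(G, X, P)
SIGS = [(100, sign(P, G, X, 213, 100)), (250, sign(P, G, X, 213, 250)),
        (77, sign(P, G, X, 101, 77))]
```

Running `reused_nonces` over a signature log is a cheap way to detect a broken nonce generator before the repeat is noticed by anyone else.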
Bob has a document that Alice agrees to sign. They do the following:
1
Alice's signature is
$y = m^{d_A} \pmod n$
(where $m$ is the message)
Hash Functions
Hash Function
1
mod (p).
Key Exchange
User A
Generate random $X_A < p$
Calculate $Y_A = a^{X_A} \bmod p$
$= a^{X_B X_A} \bmod p$

User B
Generate random $X_B < p$
Calculate $Y_B = a^{X_B} \bmod p$
$= a^{X_A X_B} \bmod p$
Attacks on DLP
Shanks' Algorithm
Description:
m = p 1
1 m
n
2
3
for j 0 to m 1
do compute mj
Obtain list L1
for i 0 to m 1
do compute i
Obtain list L2
Comments on Algorithm
m= n
Example
$\log_2 15 \bmod 19 = ?$
G = Z19 , = 2, = 15
1 = 10, n = p 1 = 18, m = 5, m = 13.
L1 : (j, mj ): (0, 1), (1, 13), (2, 17), (3, 12), (4, 4)
L2 : (i, i ): (0, 15), (1, 17), (2, 18), (3, 9), (4, 14)
Then $q = 2$ and $r = 1$,
$mq + r = 11 \Rightarrow \log_2 15 \bmod 19 = 11$.
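The worked example above, reproduced as an added Python sketch (not code from the slides). The names `g` for the base and `h` for the target are assumptions of this example; list L1 holds the pairs $(j, g^{mj})$ and L2 the pairs $(i, h\,g^{-i})$, and the block generalises the slide's case by accepting the order $n$ of any subgroup.

```python
from math import isqrt

def shanks(g, h, p, n=None):
    """Solve g^x = h (mod p) for 0 <= x < n, where n is the order of g (default p - 1).

    Returns (x, q, r, L1, L2) with x = m*q + r, or x = None when h is not a power of g.
    """
    n = n or p - 1
    m = isqrt(n - 1) + 1                                    # ceil(sqrt(n))
    g_m, g_inv = pow(g, m, p), pow(g, -1, p)
    L1 = [(j, pow(g_m, j, p)) for j in range(m)]            # (j, g^(m*j))
    L2 = [(i, h * pow(g_inv, i, p) % p) for i in range(m)]  # (i, h * g^(-i))
    by_value = {}
    for j, y in L1:
        by_value.setdefault(y, j)       # hash lookup stands in for sorting L1
    for r, y in L2:
        if y in by_value:               # same second coordinate in both lists
            q = by_value[y]
            return (m * q + r) % n, q, r, L1, L2
    return None, None, None, L1, L2     # h lies outside the subgroup generated by g

# The slide's instance: log_2 15 mod 19.
RESULT = shanks(2, 15, 19)
```

Both lists have about $\sqrt{n}$ entries, so time and memory grow with the square root of the group order; that is the reason a group used for discrete-log cryptography needs an order of roughly twice the bit length of the target security level.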
(x, a, b + 1) if x S1
f (x, a, b) =
(x2 , 2a, 2b)
if x S2
(x, a + 1, b) if x S3 .
n
).
d
Pc1
k=i bk q
ki1
(p 1) bqi (mod p 1)
(1)
Calculate b0 , by (1)
(p1)/q
(p1)b0 /q (mod p)
(2)
Calculate bi for i = 1, 2, . . . , c 1. P
i1
k
First recursively define i = i1 k=0 bk q . By (1),
(p1)/q i+1
(p1)
P c1
k>i bk q
ki1
(p1)bi /q (mod p)
(3)
Pohlig-Hellman Algorithm
Algorithm : (G, n, , , q, c)
j0
j
while j c 1
do
j+1
j n/(q )
find i such that = in/q
bj i
j
j+1 j bj q
j j+1
(p1)/p1 i+1
bi
0
1
1
218 36
0
19
18
19 36
1
1
19.21
289
28
36
1
(4)
July 22, 2010
For p2 = 3
k
(p1)k/p2
i
i
i
(p1)/p2 i+1
bi
0
1
1
212 26
0
19
12
19 10
2
2
224 10
1
19.2 14
149 10
2
2
(5)
$\sum_{i=1}^{r} a_i M_i y_i \bmod M,$
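The Pohlig-Hellman digit computation and the Chinese Remainder combination above, as an added Python example (not code from the slides). The prime $p = 37$ is not stated on the page and is inferred here from the exponents in the two tables ($p - 1 = 36 = 2^2 \cdot 3^2$); the base 2, the target 19 and the function names are likewise assumptions of this example.

```python
def digits_mod_prime_power(g, h, p, q, c):
    """Base-q digits b_0..b_{c-1} of log_g(h) mod q^c, for g of order n = p - 1."""
    n = p - 1
    gamma = pow(g, n // q, p)                        # element of order q
    table = {pow(gamma, i, p): i for i in range(q)}  # gamma^i -> i
    g_inv = pow(g, -1, p)
    digits, h_j = [], h % p
    for j in range(c):
        delta = pow(h_j, n // q ** (j + 1), p)
        b = table[delta]                             # KeyError if h is not a power of g
        digits.append(b)
        h_j = h_j * pow(g_inv, b * q ** j, p) % p    # strip the digit just found
    return digits

def crt(residues, moduli):
    """x = sum a_i * M_i * y_i mod M, with M_i = M / m_i and y_i = M_i^-1 mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    return sum(a * (M // m) * pow(M // m, -1, m)
               for a, m in zip(residues, moduli)) % M

def pohlig_hellman(g, h, p, factors):
    """log_g(h) mod p - 1, given p - 1 = product of q^c over factors [(q, c), ...]."""
    residues, moduli = [], []
    for q, c in factors:
        ds = digits_mod_prime_power(g, h, p, q, c)
        residues.append(sum(b * q ** k for k, b in enumerate(ds)))
        moduli.append(q ** c)
    return crt(residues, moduli)

# Inferred instance: p = 37, base 2, target 19.
LOG = pohlig_hellman(2, 19, 37, [(2, 2), (3, 2)])
```

Each digit costs only a search over $q$ values, so the work is governed by the largest prime factor of $p - 1$; a group whose order has only small prime factors offers no protection regardless of the size of $p$.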
Explanation
Let c = B + 10 (a bit bigger than B).
One constructs c mod p which have the form:
xj p1 a1j p2 a2j . . . pB aBj (mod p) for 1 j c.
These congruences can be written equivalently as:
xj a1j log p1 + + aBj log pB (mod p 1), 1 j c.
Given $c$ congruences in the $B$ unknowns $\log p_i$ ($1 \le i \le B$), we hope that there is a unique solution mod $p - 1$. In this case, we compute the logarithms in the factor base.
To generate the c congruences in the desired form, take a random x,
compute x mod p; then determine if x mod p has all its factors in B.