Discrete Logarithm(s) (DLs)

1
Discrete Logarithm(s) (DLs)

• Fix a prime p. Let a, b be nonzero integers (mod
  p). The problem of finding x such that ax b
  (mod p) is called the discrete logarithm problem.
  Suppose that n is the smallest integer such that
  an 1 (mod p),
• i.e., nordp(a). By assuming 0xltn, we denote
  xLa(b), and call it the discrete log of b w.r.t.
  a (mod p)
• Ex p11, a2, b9, then xL2(9)6

2
Discrete Logarithms

• In the RSA algorithms, the difficulty of
  factoring a large integer yields good
  cryptosystems
• In the ElGamal method, the difficulty of solving
  the discrete logarithm problem yields good
  cryptosystems
• Given p, a, b, solve ax b (mod p)
• a is suggested to be a primitive root mod p

3
One-Way Function

• A function f(x) is called a one-way function if
  f(x) is easy to compute, but, given y, it is
  computationally infeasible to find x with yf(x).
• La(b) is a one-way function if p is large

4
Primitive Roots mod 13

• a is a primitive root mod p if
• ak 1?k?p-1 1,2, ,p-1
• ? 2, 6,7,11 are primitive roots mod 13
• 33 1 (mod 13), 46 1 (mod 13),
• 54 1 (mod 13), 84 1 (mod 13),
• 93 1 (mod 13), 106 1 (mod 13),
• 122 1 (mod 13)

5
Solve ax b (mod p)

• An exhaustive search for all 0 x lt p
• Check only for even x or odd x according to
  b(p-1)/2 (ax)(p-1)/2 (a(p-1)/2)x (-1)x 1 or
  -1 (mod p), where a is a primitive root
• (Ex) p11, a2, b9, since b(p-1)/2 951,
• then check for even numbers 0,2,4,6,8,10
• only to find x6 such that 26 9 (mod 11)

6
Solve ax b (mod p) by Pohlig-Hellman

• Let p-1 ?qr for all q(p-1), write b0 b,and
• xx0 x1q x2q2 xr-1qr-1 for 0 xi q-1
• 1. Find 0 k q-1 such that (a(p-1)/q)kb(p-1)/q
  ,
• then x0 k, next let b1b0a-x0
• 2. Find 0 k q-1 such that (a(p-1)/q)kb1(p-1)/
  q2 , then x1 k, next let b2b1a-x1
• 3. Repeat steps 1, 2 until xr-1 is found for a q
• 4. Repeat steps 13 for all qs, then apply
  Chinese Remainder Theorem to get the final
  solution

7
7x 12 (mod 41) p41, a7, b12,

• p-141-140 23 5
• b0 12
• For q2 b0 12, b1 31, b231, and
• x x0 2x14x2 12041 5 (mod 8)
• For q5 b0 12, b1 18, and
• x x0 3 (mod 5)
• Solving x 5 (mod 8) and x 3 (mod 5),
• We have x13 (mod 40)

8
Solve ax b (mod p) by Index Calculus

• Let B be a bound and let p1,p2,, pm be the
• primes less than B and cover all of the prime
• Factors of p-1. Then appropriately choose
• k(j)s such that ak(j)(p1)r1(p2)r2 (pm)rm ,
  i.e.,
• r1La(p1)r2La(p2) rmLa(pm) k(j) for
• several js, solve the linear system to get
• La(p1), La(p2), , La(pm), then select R apply
• baR (p1)b1 (p2)b2 (pm)bm , then the solution
  is
• La(b)-R?biLa(pi)

9
Solve 2x 37 (mod 131)

• p131, a2, b37, let B10, then
• p12, p23, p35, p47, since
• 2853 , 21257 , 21432 , 234352 (mod p),
• we have
• 3L2(5) 8 (mod 130)
• L2(5) L2(7)12 (mod 130)
• 2L2(3)14 (mod 130)
• L2(3)2L2(5)34 (mod 130)

10
L2(3, 5, 7)72, 46, 96

• Choose R43, then
• 37243 357 (mod 131), so we have
• L2(37) -43 L2(3) L2(5) L2(7)
• 41 (mod 130)
• ? L2(11) 56 (mod 130) R4
• ? L2(23) 23 (mod 130) R5

11
A Lemma on p3 (mod 4)

• Let p3 (mod 4), r2. Suppose a and g are
• nonzero integers such that gay(2r) (mod p).
• Then
• g(p1)/4 ay2(r-1) (mod p)
• Proof
• g(p1)/4 a(p1)y2(r-2) ay(2(r-1))a(p-1)y(
  2(r-2))
• ay(2(r-1)) (mod p)

12
A La(b) (mod 4) Machine

• Let a be a primitive root (mod p), where
• p3 (mod 4) is large, then
• Computing La(b) (mod 4) is as difficult as
  finding the solution of ax b (mod p)
• P.172

13
The ElGamal Public Key Cryptosystem

• Alice wants to send a message m to Bob.
• Bob chooses a large prime p and a primitive
• root a. Assume m is an integer 0mltp, and
• Bob selects a secret integer x to compute
• bax (mod p). The information (p,a,b) is
• made public and is Bobs public key. Alice
• does the following procedures.

14
Encryption and Decryption

• Downloads (p,a,b)
• Chooses a secret random k and computes rak (mod
  p)
• Computes tbkm (mod p)
• Sends the pair (t,r) to Bob
• Bob decrypts by computing tr-x (m (mod p))

15
Exercises on Pages 175 and 176