8.4 The Diffie-Hellman Problem and the Discrete Logarithm Problem

Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

The secrecy of the agreed shared key from the Diffie-Hellman key exchange protocol is exactly the problem of computing g^ab (mod p) given g^a and g^b. This problem is called the computational Diffie-Hellman problem (CDH problem).

Definition 8.1: Computational Diffie-Hellman Problem (CDH Problem) (in finite field)
INPUT desc(F_q): the description of finite field F_q;
g: a generator element of F_q^*;
g^a, g^b ∈ F_q for some integers 0 < a, b < q.
OUTPUT g^ab.

The Diffie-Hellman key exchange protocol in §8.3 uses a special case. For formalism purposes, Definition 8.1 is stated for a general finite field; in explanations outside formal definitions we will often use special cases which help to expose ideas. If the CDH problem is easy, then g^ab (mod p) can be computed from the values p, g, g^a, g^b which are transmitted as part of the protocol messages. According to our assumptions on the ability of our adversary (see §2.3), these values are available to an adversary.
The difficulty of the CDH problem rests, in turn, on the difficulty of the discrete logarithm problem (DL problem).

Definition 8.2: Discrete Logarithm Problem (DL Problem) (in finite field)
INPUT desc(F_q): the description of finite field F_q;
g: a generator element of F_q^*;
h ∈ F_q^*.
OUTPUT the unique integer a < q such that h = g^a.
We denote the integer a by log_g h.
The DL problem looks similar to taking ordinary logarithms in the reals. But unlike logarithms in the reals, where we only need approximate "solutions," the DL problem is defined in a discrete domain where a solution must be exact.
We have discussed in Chapter 4 that the security theory of modern public-key cryptography is established on a complexity-theoretic foundation. Upon this foundation, the security of a public-key cryptosystem is conditional on some assumptions that certain problems are intractable. The CDH problem and the DL problem are two assumed intractable problems. Intuitively we can immediately see that the difficulties of these problems depend on the size of the problems (here, it is the size of the field F_q), as well as on the choice of the parameters (here, it is the choice of the public parameter g and the private data a, b). Clearly, these problems need not be difficult for small instances. In a moment we will further see that these problems need not be difficult for poorly chosen instances. Thus, a precise description of the difficulty must formulate properly both the problem size and the choice of the instances. With the complexity-theoretic foundations that we have established in Chapter 4, we can now describe precisely the assumptions on the intractability of these two problems. The reader may review Chapter 4 to refresh several notions to be used in the following formulations (such as "1^k," "probabilistic polynomial time," and "negligible quantity in k").
Assumption 8.1: Computational Diffie-Hellman Assumption (CDH Assumption)
A CDH problem solver is a PPT algorithm A which, with an advantage ε > 0, outputs g^ab on an input defined as in Definition 8.1.
Let IG be an instance generator that on input 1^k runs in time polynomial in k, and outputs (i) desc(F_q) with |q| = k, (ii) a generator element g ∈ F_q^*, (iii) g^a, g^b ∈ F_q.
We say that F_q satisfies the computational Diffie-Hellman (CDH) assumption if there exists no CDH problem solver for IG(1^k) with advantage ε > 0 non-negligible in k for all sufficiently large k.

Assumption 8.2: Discrete Logarithm Assumption (DL Assumption)
A DL problem solver is a PPT algorithm A which, with an advantage ε > 0, outputs log_g h on an input defined as in Definition 8.2.
Let IG be an instance generator that on input 1^k runs in time polynomial in k, and outputs (i) desc(F_q) with |q| = k, (ii) a generator element g ∈ F_q^*, (iii) h ∈ F_q^*.
We say that F_q satisfies the discrete logarithm (DL) assumption if there exists no DL problem solver for IG(1^k) with advantage ε > 0 non-negligible in k for all sufficiently large k.
In a nutshell, these two assumptions state that in finite fields, for all sufficiently large instances, there exists no efficient algorithm to solve the CDH problem or the DL problem for almost all instances. A negligible fraction of exceptions is due to the existence of weak instances.
However, these two assumptions need considerably more elaboration. Let us first make a few important remarks, in which we will keep the "formal tone".
Remark 8.1
1. In Assumptions 8.1 and 8.2, the respective probability space should consider (i) the instance space, i.e., arbitrary finite fields and arbitrary elements are sampled (the importance of this will be discussed in §8.4.1), and (ii) the space of the random operations in an efficient algorithm. The need for considering (ii) is because by "polynomial-time" or "efficient" algorithm we include randomized algorithms (see Definition 4.6 in §4.4.6).
2. The number k in both formulations is called a security parameter. IG(1^k) is a random instance of the field and the element(s). From our study of probabilistic prime generation in §4.4.6.1 and the field construction in §5.4 we know that IG(1^k) indeed terminates in polynomial time in k. It is now widely accepted that k = 1024 is the lower bound setting of the security parameter for the DLP in finite fields. This lower bound is a result of a subexponential-time algorithm (index calculus) for solving the DLP in finite fields. The subexponential complexity expression is in (8.4.2). For |q| = 1024, the expression yields a quantity greater than 2^80. This is why the setting k = 1024 has become the widely agreed lower bound. Thus, as stipulated by the phrase "for all sufficiently large k" in both ...
3. ... Equation 8.4.1 (the function x ↦ g^x, see item 4) ... (see §4.5), or the function in (8.4.1) should be one-way, or in other words, a one-way function should exist.
4. It is not known to date whether or not the function in (8.4.1) is a trapdoor function (see Property 8.1 in §8.1 for the meaning of a one-way trapdoor function). That is, no one knows how to embed trapdoor information inside this function to enable an efficient inversion of the function (i.e., an efficient method to compute x from g^x using trapdoor information). However, if the function uses a composite modulus (the function remains one-way), then the function becomes a trapdoor function where the prime factorization of the modulus forms the trapdoor information. The reader is referred to [229,224,228] for the technical details.
We still need more "common-language" explanations for these two assumptions.
These two assumptions essentially say that "there is no polynomial-in-k algorithm for solving these two problems". However, we must read this statement with great care. A "poly(k) solver", if it exists, runs in time k^n for some integer n. On the other hand, we know there exists a "subexponential solver" for the DLP running in time
Equation 8.4.2
where c is a small constant (e.g., c < 2). Combining "no poly(k) solver" and "having a sub_exp(q) solver", we are essentially saying that k^n is much, much smaller than sub_exp(k log 2) (for k = |q| = log2 q, we have log q = k log 2). However, this "much, much smaller" relation can only be true when n is fixed and k (as a function of n) is sufficiently large. Let us make this point explicit.
Suppose k is not sufficiently large. Taking natural logarithms of poly(k) and of sub_exp(k log 2), we are comparing the following two quantities:
where ... . Now we see that the known subexponential solver will be quicker ...
This asymptotic meaning of "no poly solver" will apply to all complexity-theory-based intractability assumptions to appear in the rest of the book.
Finally let us look at the relationship between these two problems.
Notice that the availability of a = log_g g1 or b = log_g g2 will permit the calculation of g^ab.
That is, an efficient algorithm which solves the DLP will lead to an efficient algorithm to solve the CDH problem. Therefore, if the DL assumption does not hold, then we cannot have the CDH assumption. We say that the CDH problem is weaker than the DL problem, or equivalently, the CDH assumption is a stronger assumption than the DL assumption. The converse of this statement is an open question:
Can the DL assumption be true if the CDH assumption is false?
Maurer and Wolf give a strong heuristic argument on the relation between these two problems; they suggest that it is very likely that these two problems are equivalent [190].
8.4.1 Importance of Arbitrary Instances for Intractability Assumptions
We should emphasize the importance of the arbitrary instances required in the DL assumption. Let us consider F_p^* with p being a k-bit prime and the problem of extracting a from h ≡ g^a (mod p). We know that a is an integer with 0 ≤ a < p – 1. If p – 1 = q_1 q_2 … q_e with each factor q_i being small (meaning, q_i ≤ polynomial(k) for i = 1, 2, …, e), then the discrete-logarithm-extraction problem can be turned into extracting a_i ≡ a (mod q_i) from h^((p–1)/q_i) (mod p), but now the a_i are small and can be extracted in time polynomial in k. After a_1, a_2, …, a_e are extracted, a can be constructed by applying the Chinese Remainder Theorem (Theorem 6.7). This is the idea behind the polynomial-time algorithm of Pohlig and Hellman [231] for solving the DL problem modulo p if p – 1 has no large prime factor. Clearly, if every prime factor of p – 1 is bounded by a polynomial in k, then the Pohlig-Hellman algorithm has a running time polynomial in k.
A prime number p with p – 1 containing no large prime factor is called a smooth prime. But sometimes we also say "p – 1 is smooth" with the same meaning. A standard way to avoid the smooth-prime weak case is to construct the prime p such that p – 1 is divisible by another large prime p'. By Theorem 5.2(2), the cyclic group F_p^* contains the unique subgroup of order p'. If p' ...
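As an added example (not from the book), the following Python code carries the argument above through on constructed toy primes: it extracts a from h ≡ g^a (mod p) for a smooth prime p by the Pohlig-Hellman reduction followed by the Chinese Remainder Theorem, and then shows the parameter check that rejects such a p in favour of one whose p – 1 carries a large prime factor p'. The primes 2311 and 1019, the bit-length threshold and all function names are this example's own choices.

```python
# Added example (not from the book): Pohlig-Hellman on a constructed smooth prime, plus the check that rejects it.
def factorize(n):
    """Trial division; returns {prime: exponent}. Adequate only for the toy moduli used here."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors
def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli (Theorem 6.7 in the text)."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, q) % q)   # lift x so that it is also r mod q
        m *= q
    return x % m
def dlog_small(g_q, h, p, q):
    """Exhaustive search for x < q with g_q^x = h (mod p); g_q has prime order q."""
    cur = 1
    for x in range(q):
        if cur == h:
            return x
        cur = cur * g_q % p
    raise ValueError("h is not in the subgroup generated by g_q")
def pohlig_hellman(g, h, p):
    """Solve h = g^a (mod p) for a generator g of F_p^*; cost ~ sum of the prime factors of p-1."""
    n, residues, moduli = p - 1, [], []
    for q, e in factorize(n).items():
        a_i, g_q = 0, pow(g, n // q, p)          # g_q generates the subgroup of order q
        for j in range(e):                       # recover a mod q^e one base-q digit at a time
            h_j = pow(pow(g, -a_i, p) * h % p, n // q ** (j + 1), p)
            a_i += dlog_small(g_q, h_j, p, q) * q ** j
        residues.append(a_i)
        moduli.append(q ** e)
    return crt(residues, moduli)                 # glue the a_i together, as in the text

def find_generator(p):
    """Smallest generator of F_p^*: g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in factorize(p - 1)))

def has_large_prime_factor(p, min_bits):
    """The §8.4.1 check: p - 1 must be divisible by a prime p' of at least min_bits bits."""
    return max(factorize(p - 1)).bit_length() >= min_bits
P_SMOOTH = 2311   # constructed: p - 1 = 2310 = 2*3*5*7*11, so every q_i is tiny
P_SAFE = 1019     # constructed: p - 1 = 1018 = 2*509, with a (toy-scale) large prime p' = 509
```

With p = P_SMOOTH the whole logarithm falls out after at most 2+3+5+7+11 subgroup steps, which is exactly why has_large_prime_factor(P_SMOOTH, 9) rejects it while P_SAFE passes.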
The DLP and the CDH problem are also believed to be intractable in a general finite abelian group of large order, such as a large prime-order subgroup of a finite field, or a group of points on an elliptic curve defined over a finite field (for group construction: §5.5, and for the elliptic-curve discrete logarithm problem, ECDLP: §5.5.3). Thus, the Diffie-Hellman key exchange protocol will also work well in these groups.
There are several exponential-time algorithms which are very effective for extracting the discrete logarithm when the value to be extracted is known to be small. We have described Pollard's λ-method (§3.6.1). Extracting small discrete logarithms has useful applications in many cryptographic protocols.
Research into the DLP is very active. Odlyzko provided a survey of the area which included an extensive literature on the topic [221].