Introduction to Cryptography
CS 355
Lecture 24
Diffie-Hellman and Discrete Log
CS 355
Fall 2005 / Lecture 24
Lecture Outline
The Discrete Log problem
The Diffie-Hellman protocol
Discrete Logarithm Problem (DLP)
Given a multiplicative group (G, *), an element g in G having order n, and an element y in the subgroup generated by g, denoted <g>
Find the unique integer x such that g^x mod n = y
i.e., x is the discrete logarithm log_g y
For example, given the group Z_p^*, where p is a 1024-bit prime, let g be an element having order q, where
q is a 160-bit prime
q | (p-1)
e.g., Z_7^* = {3,2,6,4,5,1}, we choose the subgroup {2,4,1}
The Diffie-Hellman Protocol
Key agreement protocol, both A and B contribute to the key
Setup: p prime and g generator of Z_p^*, p and g public.
A: Pick random, secret a; compute and send g^a mod p
B: Pick random, secret b; compute and send g^b mod p
A: K = (g^b mod n)^a = g^{ab} mod p
B: K = (g^a mod n)^b = g^{ab} mod p
Diffie-Hellman Key Establishment
A and B wish to establish a shared secret key so that no eavesdropper can compute the key:
A and B share public parameters: a group Z_p and a generator g
A randomly chooses x and sends g^x mod p to B
B randomly chooses y and sends g^y mod p to A
Both A and B can compute g^{xy} mod p
It is (believed to be) infeasible for an eavesdropper to compute g^{xy} mod p
A and B can establish a shared secret without sharing any secret to start with
CDH and DDH
Security of the Diffie-Hellman key establishment protocol is based on the CDH problem
Computational Diffie-Hellman (CDH)
Given a multiplicative group (G, *), an element g ∈ G having order q, given g^x and g^y, find g^{xy}
Decision Diffie-Hellman (DDH)
Given a multiplicative group (G, *), an element g ∈ G having order q, given g^x, g^y, and g^z, determine if g^{xy} ≡ g^z mod n
Discrete Log is at least as hard as CDH, which is at least as hard as DDH.
Choices of Parameters
Why use an element of order q, instead of just using a generator for Z_p^*?
Answer:
it is often beneficial for the order to be a prime
e.g., given e, one can find d s.t. g^{ed} = g
Balance security and size
p needs to be large enough for discrete log to be hard, thus 1024 bits
we want the group to be relatively small, so that an index to an element in the group is short (e.g., 160 bits)
it needs to be large enough to prevent exhaustive search
Algorithms for The Discrete Log Problem
There are generic algorithms that work for every cyclic group
Pollard Rho
Pohlig-Hellman
There are algorithms that work just for some groups such as Z_p^*
e.g., the index calculus algorithms
these algorithms are much more efficient
therefore, 1024 bits are needed for an adequate level of security
Bit Security in Discrete Log
Even though it is difficult to find log_g x, it is possible to determine some bits in log_g x
e.g., let g be the generator of Z_p^*, consider the least significant bit (LSB) of log_g x
recall that log_g x is even iff x is a quadratic residue in Z_p^*
However, finding some bits (aka hard-core bits) is as hard as computing discrete log
in Z_p^*, when p-1 = 2^s t, where t is odd, computing the s least significant bits is easy, computing the (s+1)-th LSB is difficult
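The bit-security statement above can be checked on a small group. The following Python sketch is an added example, not part of the original lecture: it recovers the s least significant bits of a discrete log in Z_p^* using only modular exponentiation. The function names and the toy parameters p = 41, g = 6 are assumptions constructed for illustration.

```python
# Added example: toy parameters, constructed for illustration only.

def two_adic_split(n):
    """Write n = 2^s * t with t odd and return (s, t)."""
    s = 0
    while n % 2 == 0:
        n //= 2
        s += 1
    return s, n

def dlog_is_even(y, p):
    """Euler's criterion: y is a quadratic residue mod p iff y^((p-1)/2) = 1.
    For a generator g of Z_p^*, that is exactly when log_g y is even."""
    return pow(y, (p - 1) // 2, p) == 1

def low_bits_of_dlog(y, g, p):
    """Return log_g(y) mod 2^s, where p - 1 = 2^s * t and g generates Z_p^*."""
    s, _ = two_adic_split(p - 1)
    known = 0  # bits of the exponent recovered so far
    for i in range(s):
        # Strip the known bits: z = g^(x - known), and 2^i divides x - known.
        # g^(-known) is computed as g^((p-1) - known).
        z = y * pow(g, (p - 1) - known, p) % p
        # z^((p-1)/2^(i+1)) = (-1)^(bit i of x), because g^((p-1)/2) = -1.
        if pow(z, (p - 1) >> (i + 1), p) != 1:
            known |= 1 << i
    return known

if __name__ == "__main__":
    p, g = 41, 6   # constructed: 6 generates Z_41^*, and p - 1 = 2^3 * 5
    x = 29         # the "secret" exponent, used here only to build y
    y = pow(g, x, p)
    print("s =", two_adic_split(p - 1)[0])
    print("log_g y even?", dlog_is_even(y, p))
    print("x mod 2^s =", low_bits_of_dlog(y, g, p))
```

For a g of odd prime order q, as in the Choices of Parameters slide, every g^x is a quadratic residue, so this test reveals nothing about x.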
One Way Functions
A function f(x) is a one-way function if
given a, it is easy to compute f(a).
yet given b, it is difficult to find a such that f(a)=b.
Examples of one-way functions
Modular exponentiation f(x) = g^x mod p
Multiplication f(x,y) = xy
One-way functions are the foundations for modern cryptography, yet we do not know whether they exist or not.
existence of one-way functions implies P ≠ NP
Coming Attractions
ElGamal Encryption