Abstract:
The security of the new information society that exchange data via modern intelligent
communication systems is nowadays very essential because of public connectivity
and the related threads (espionage or sabotage etc.). Many security product and
specially cryptographic systems (e.g., RSA, ElGamal, Diffie-Hellman, Elliptic
Curves cryptosystems, etc. ) was invented to encrypt and decrypt data, where the
security of such cryptosystems are based on the apparent intractability of solving
some number theoretic problems (e.g., The Discrete Logarithm Problem, Integer
Factorization Problem, Diffie-Hellman Problem, Quadratic Residuosity Problem,
Knapsack problem, etc.). Such problems are generally considered as being difficult
to solve if the associated parameters are carefully chosen. The Discrete Logarithm
Problem (DLP) on finite fields can be defined as followed: If we assume Zp
(denotes the set of integers {0, 1, 2, ....., p - 1}, where addition and multiplication
are performed modulo p) is a finite cyclic group of order p, where α a generator
of Zp and βεZp, then the Discrete Logarithm of
β to the base α, denoted loga β, is the unique
integer x, 0 <= x <= p-1, such that β = αx.
Many years this problem was studied but no known polynomial-time algorithm for
solving the Discrete Logarithm Problem (DLP) has been found. This study introduce
a new attack on the Discrete Logarithm Problem over finite fields- (
INTRODUCTION
Since Internet, computer and communications technology are one of the fastest technology in today’s world, it is very important to have suitable security products and security systems that meet all security need and wishes of the different user’s.
Many standards organizations (e.g., Internet Architecture Board (IAB), Internet Engineering Task Force (IETF), etc.) did specify a huge set of security protocols, algorithms and applications that provide security services which meets that needs for data privacy and secure communication.
Although not all users needs and wishes can be achieved in one single mechanism; however, we can note that Cryptography underlies most of the security mechanisms. Cryptographic techniques or generally Cryptography is the science of data encryption and decryption.
The Codebreaker (Kahn, 1967) describes a 4000 years historical overview from its limited use by the Egyptians until it major use in the twentieth century. Today Cryptography enables you to securely store sensitive information or transmit it across insecure networks so that it cannot be read by anyone except the intended recipient. By using a powerful tool such as encryption we gain privacy, authenticity, integrity and limited access to data.
Cryptographic systems can be divided in private key cryptography (also known as conventional cryptography systems) and public key cryptography.
Private key cryptography, also known as secret-key or symmetric-key encryption, has an old history and is based on using one key for encryption and decryption. In the 1960s many modern private key cryptographic systems where developed based on Feistel cipher, e.g., Data Encryption Standard (DES), Triple Data Encryption standards (3DES), Advanced Encryption Standard (AES), The International Data Encryption Algorithm (IDEA), Blowfish, RC5, CAST, etc.
Diffie and Hellman et al. (1976) published a revolutionary concept of public-key cryptography based on two keys (Public and Private key) that solved many weaknesses and problems in private key cryptography. Upon this, many public key cryptographic systems was invented (e.g., RSA (Rivest et al., 1978), ElGamal (ElGamal, 1985), Diffie-Hellman et al (1976) key exchange, elliptic curves (Koblitz, 1987), etc.). The security of such Public key cryptosystems often based on apparently difficult mathematical number theory problems like the discrete logarithm problem over finite fields and over elliptic curves, the integer factorization problem, the Diffie-Hellman Problem, etc.
This study discuss a new attack on the discrete logarithm problem, a discrete logarithm based cryptosystem is only secure if discrete logarithms in the underlying group is difficult.
PROBLEM DEFINITION
Let p be a prime number, then Zp denotes the set of integers {0, 1, 2, …., p - 1}, where addition and multiplication are performed modulo p. It is well-known that there exists a non-zero element αεZp such that each non-zero element in Zp can be written as a power of α; such an element α is called a generator of Zp. A group is called cyclic if such an element α exists.
A Field is a nonempty set F of elements with two operations “+” (called addition) and “•” (called multiplication) satisfying the following axioms: for all a, b, c ε F,
| (i) |
F is closed under + and •, i.e., a + b and a •b are in F; |
| (ii) | Commutative laws: a + b = b + a, a • b = b • a; |
| (iii) | Associative laws: (a + b) + c = a + (b + c), a • (b • c) = (a • b) • c; |
| (iv) | Distributive law: a • (b + c) = a • b + a • c. |
Furthermore, two distinct identity elements 0 and 1 (called the additive and multiplicative identities, respectively) must exist in F satisfying
| (v) |
a + 0 = a for all a ε F; |
| (vi) | a •1 = a and a •0 = 0 for all a ε F; |
| (vii) | For any a in F, there exists an additive inverse element (a) in F such that a + (a) = 0; |
| (viii) | For any a ≠ 0 in F, there exists a multiplicative inverse element α-1 in F such that α• α-1 = 1. |
Finite field of prime order p or prime power q = pf (f ≥ 1) is commonly denoted Fq or GF (q) (for Galois field) and because Zm is a field if and only if m is a prime, we denote the field Zm by Fm. This is called a prime field.
For simplicity I will only consider the Discrete Logarithm Problem in Zp, which can be defined as follows: If we assume Zp is a finite cyclic group of order p, where, α a generator of Zp and βεZp, then the discrete logarithm of β to the base α, denoted logα β, is the unique integer x, 0 = x = p-1, such that β = αx (Menezes et al., 1999).
The Discrete Logarithm Problem (DLP) in Zp has been the object of much study. The problem is generally regarded as being difficult if field parameters are carefully chosen. In particular, there is no known polynomial-time algorithm for the DLP. There are two types of algorithms for solving the discrete logarithm problem. Special-purpose algorithms (Denny et al., 1998) attempt to exploit special features of the prime p. In contrast, the running times of general-purpose algorithms which depend only on the size of p, for example exhaustive search, Shank’s Baby step Giant step (Cohen, 1993), Pohlig Hellman (Pohlig et al., 1978) (for group with small prime factors), Pollard’s rho algorithm (Pollard, 1978), Index Calculus method (Enge et al., 2000; Gaudry, 1999) (efficient only in certain groups), Number field Sieve (Gordon, 1993), etc. The fastest general-purpose algorithms known for solving the discrete logarithm problem over finite fields are based on a method called the index-calculus and the best current algorithm known for the DLP is the number field sieve. To thwart these attacks, p should have at least 150 digits and p - 1 should have at least one “large” prime factor, but it is important to notice that security is relative regarding time and what is secure today may need to be improved tomorrow. The utility of the discrete logarithm problem in a cryptographic setting is that finding discrete logs is (probably) difficult, but the inverse operation of exponentiation can be computed efficiently (e.g., the square-and-multiply method), this property is known in number theory as trapdoor or one-way function, there is no proof existence of one way function, but it is widely believed.
SUBSET SEARCH ALGORITHM
The new attack introduced in this paper can computes discrete logarithm problem in arbitrary finite cyclic group, but for simplicity I will only consider the discrete logarithm problem in Zp. The SUBSET SEARCH algorithm for finding the discrete logarithm x in finite fields Zp (where, α generator of a cyclic group Zp of order p, αx = β, βεZp) is based on the following observation:
Instead of computing x in:
αx = β
We consider:
αxi αx = αj
xi εZp Can be set any random number, but for faster calculation of the discrete logarithm problem we set
xi = -i*m Or xi = i*m where, i ε {0,1,..,m}
We build an array A of group elements.
Search in array A for
j and αj
If j, αj found in table A, then:
x ≡ (j-x1) mod (p-1) Or x ≡ (j+x1) mod (p-1)
Proposed algorithm: The Subset search algorithm for computing the discrete logarithm x can be described as followed:
|
Step 1:
|
Choose maximum array length m (equals a Mersenne-number Mn= 2n-1) that fit in memory. |
A Mersenne List Ln (n>1) of length 2n-1 with sorted elements have the following properties:
(i) |
Each Mersenne list has a middle element. His index is at 2n-1. |
| (ii) | All element right (left) from the middle element build also Mersenne list Ln-1 |
| (iii) | All 2n-1 Elements right (left) from the middle element are bigger (smaller) than the middle element |
The maximum number of searching step in a Mersenne List Ln requires maximum n steps.
| Step 2: | Construct a one dimension array A of length m, |
with entry (
Note: if we choose jx randomly then Array A elements can also be set any arbitrary group elements, but for faster calculation of the discrete logarithm problem we choose the above parameters.
| Step 3: | Sort array A byαj. |
| Notes: | 1: | One can also use a hash table instead of sorted array to implement the array lookup. |
| 2: | The discrete logarithm x can be found faster if we choose larger m. |
| Step 4: | Check array A, if αx = αjx then return x = jx |
| Step 5: | For i = 1 to m-1 do the following: |
| Step 5.1: | Set x1 = i*m |
| Step 5.2: | Compute αx1 and α-xi |
| Step 5.3: | Compute αx12 = αx * αx1 and αx22 = αx * α-x1 mod (p-1) |
| Step 5.4: | Check array A, if αx12 = αjx then return x = jx - x1 mod (p-1) |
| Step 5.5: | Check array A, if αx22 = αjx then return x = jx + x1 mod (p-1) |
We now consider algorithm runtime, this algorithm require storage for O(m)
group elements, The array takes O(m) multiplications to construct and O(m*log
(m)) comparison to sort. After having constructed the array, step 5 takes O(
Example: The following sketch was made with Mathematica 5, it shows calculation time comparison (sec) between Shanks Baby step Giant step (Fig. 1) and the Subset search algorithm for (Fig. 2) solving the discrete logarithm x of 100 randomly chosen β = αx, where p = 897579869, α = 3, m = 100000 in Shanks algorithm, m = 200000 in Subset search algorithm (50% less memory).
| Fig. 1: | Subset search algorithm |
| Fig. 2: | Shanks Baby step Giant step algorithm |
CONCLUSION
This study we briefly discussed the security of public-key cryptographic systems that are based on the discrete logarithm problem, however; they will no longer be secure if the corresponding hard problem is solved in the future.
Some threads come from general purpose attacks. The new attack described above have several advantages compared with other general purpose attacks, first it can be applied on finite fields and elliptic curves groups, this attack is of more importance on elliptic curves groups, because elliptic curves group size is much more smaller compared to finite fields groups and where elliptic curve encryption is widely used especially on limited memory devices such as smart cards, additionally the new attack use 50% less memory usage compared with Shanks baby step giant step algorithm and it can easily be implemented. Nevertheless the calculation of the discrete logarithm x in F*p where p have at least 150 digits and p-1 have at least one “large” prime factor, will stay hard.
The best known algorithm for finding the discrete logarithm in finite field groups is the index calculus method, unfortunately it can not be transformed on elliptic curves groups, the best known algorithms for any other finite abelian group (such as elliptic curves groups) is the Pollard (1978) is described in the present study techniques. Shanks Baby step Giant step algorithm (Cohen, 1993), or the new attack, all these attacks are close to the best what cryptanalysis till now achieved on finite fields and elliptic curves.
Many cryptosystems (e.g., based on knapsack problem) have been broken; our assumption about the intractability of the discrete logarithm problem may change in the future due to mathematic insights that will allow the definition of new attacks that may solve the Discrete Logarithm Problem in reasonable time.