Elgamal Elgamal demonstration demonstration project on project on calculators TI-83+ calculators TI-83+ Gerard Tel Gerard Tel Utrecht University Utrecht University With results from Jos Roseboom With results from Jos Roseboom and Meli Samikin and Meli Samikin
25
Embed
Elgamal demonstration project on calculators TI-83+
Elgamal demonstration project on calculators TI-83+. Gerard Tel Utrecht University. With results from Jos Roseboom and Meli Samikin. Overview of the lecture. History and background Elgamal (Diffie Hellman) Discrete Log: Pollard rho Experimentation results - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Elgamal Elgamal demonstration demonstration
project on project on calculators TI-83+calculators TI-83+
Gerard TelGerard TelUtrecht UniversityUtrecht University
With results from Jos Roseboom With results from Jos Roseboom and Meli Samikinand Meli Samikin
Workshop Elgamal 2
Overview of the lectureOverview of the lecture1. History and background2. Elgamal (Diffie Hellman)3. Discrete Log: Pollard rho4. Experimentation results5. Structure of Function Graph:
Cycles, Tails, Layers6. Conclusions
Workshop Elgamal 3
1. History and background1. History and background1. 2003, lecture for school teachers
about Elgamal2. 2006, lecture with calculator demo
Why Elgamal, not RSA?• Functional property easy to show• Security: rely on complexity• Compare exponentiation and DLog
Workshop Elgamal 4
Math: Modular arithmeticMath: Modular arithmetic• Compute modulo prime p (95917)
with 0, 1, … p-2, p-1• Generator g of order q (prime)• Rules of algebra are valid
(ga)k = (gk)a
Secure application: p has ~309 digits!!
Workshop Elgamal 5
Calculator TI-83, 83+, 84+Calculator TI-83, 83+, 84+• Grafical, 14 digit• Programmable• Generally available
in VWO (pre-academic school type in the Netherlands)
• Cost 100 euro(free for me)
Workshop Elgamal 6
The Elgamal programThe Elgamal program• Ceasar cipher (symmetric)• Elgamal parameter and key
generation• Elgamal encryption and
decryption• Discrete Logarithm: Pollard
Infeasible problem!! But doable for 7 digit modulus
Workshop Elgamal 7
2. Public Key codes2. Public Key codes
The problem of Key Agreement:• A and B are on two sides of a river• They want to have common z• Oscar is in a boat on the river• Oscar must not know z
Workshop Elgamal 8
Solution: Diffie-HellmanSolution: Diffie-Hellman• Alice takes random a, shouts b = ga
• Bob takes random k, shouts u = gk
• Alice computes z = ua = (gk)a
• Bob computes z = bk = (ga)k
The two numbers are the sameThe difference in complexity for A&B
and O is relevant
Workshop Elgamal 9
What does Oscar hear?What does Oscar hear?Seen:1. Public b = ga
2. Public u = gk
Not computable:1. Secret a, k2. Common zThis needs discrete
logarithm
Oscar sees the communication, but not the secrets
Workshop Elgamal 10
The Elgamal programThe Elgamal program• In class use• Program, explanation,
slides on website• Program extendible• Booklet with ideas for
Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger
Workshop Elgamal 16
ObservationsObservations• Average number of iterations
coincides well with √q• Almost no variation within one row
• Is this a bug in the program??– Bad randomization in calculator?– Or general property of Pollard Rho?
Workshop Elgamal 17
5. Function graph5. Function graph• Function f: zi -> zi+1 defines graph• Out-degree 1, cycles with in-trees• Length, component, size• Graph is the same when algorithm is
repeated with the same input• Starting point differs• As zi = z2i, i must be multiple of cycle
length
Workshop Elgamal 18
Layers in a componentLayers in a component• Layer of node measure distance to
cycle in terms of its length l:– Point z in cycle has layer 0– Point z is in layer 1 if f(l)(z) in cycle– Point z is in layer c if f(c.l)(z) in cycle
• Lemma: z0 in layer c gives c.l iter.
• Is there a dominant component or layer?
Workshop Elgamal 19
Layers 0 and 1 dominateLayers 0 and 1 dominateProbability theory analysis by Meli