Elgamal demonstration project on calculators TI-83+
Gerard Tel
Utrecht University
With results from Jos Roseboom and Meli Samikin

Workshop Elgamal 2
Overview of the lecture
1. History and background
2. Elgamal (Diffie Hellman)
3. Discrete Log: Pollard rho
4. Experimentation results
5. Structure of Function Graph: Cycles, Tails, Layers
6. Conclusions

1. History and background
1. 2003, lecture for school teachers about Elgamal
2. 2006, lecture with calculator demo

Why Elgamal, not RSA?
• Functional property easy to show
• Security: rely on complexity
• Compare exponentiation and DLog

Programming Experiences
• Nuisances:
  – typing by selecting symbols
  – no subroutines: inline exponentiation
  – no local variables
• Limitation: arithmetic in 14 digits
  – Limit modulus to 7 digits

Math: Modular arithmetic
• Compute modulo prime p (95917) with 0, 1, …, p-2, p-1
• Generator g of order q (prime) (g is 29609, q is 7993)
• Rules of algebra are valid: $(g^a)^k = (g^k)^a$

Secure application: p has ~309 digits!!

Calculator TI-83, 83+, 84+
• Graphical, 14 digit
• Programmable
• Generally available in VWO (pre-academic school type in the Netherlands)
• Cost 100 euro (free for me)

The Elgamal program
• Caesar cipher (symmetric)
• Elgamal parameter and key generation
• Elgamal encryption and decryption
• Discrete Logarithm: Pollard

Infeasible problem!! But doable for 7 digit modulus

2. Public Key codes
The problem of Key Agreement:
• A and B are on two sides of a river
• They want to have common z
• Oscar is in a boat on the river
• Oscar must not know z
• Common parameters: p, q, g (Or: group with hard DLog problem)

Solution: Diffie-Hellman
• Alice takes random a, shouts $b = g^a$
• Bob takes random k, shouts $u = g^k$
• Alice computes $z = u^a = (g^k)^a$
• Bob computes $z = b^k = (g^a)^k$

The two numbers are the same.
The difference in complexity for A&B and O is relevant

Parameter generation
• Hoofdmenu (main menu), parameters, Maak p,q,r (make p, q, r)
• Input limits on q and p
• Search for prime q from q-limit down
• Search for prime p from p-limit down among multiples of 2q + 1
• Generator: try $100^{(p-1)/q}$, $101^{(p-1)/q}$, …

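
The search described on this slide, written out in Python as an added example (it is not the TI-83+ program from the lecture). It reads "multiples of 2q + 1" as p = 2qm + 1; the limits 8000 and 96000 used in the comment are assumed inputs, chosen because they land on the p and q quoted earlier in the slides. The Diffie-Hellman check uses the slide names a, k, b, u, z.

```python
def is_prime(n):
    """Trial division; adequate for the 7-digit moduli the calculator handles."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_parameters(q_limit, p_limit, first_base=100):
    """q: first prime at or below q_limit.
    p: first prime of the form 2qm + 1 at or below p_limit.
    g: first h^((p-1)/q) mod p that is not 1, for h = 100, 101, ..."""
    if q_limit < 2:
        raise ValueError("q_limit must be at least 2")
    q = q_limit
    while not is_prime(q):
        q -= 1
    m = (p_limit - 1) // (2 * q)
    while m > 0 and not is_prime(2 * q * m + 1):
        m -= 1
    if m == 0:
        raise ValueError("no prime p = 2qm + 1 below p_limit")
    p = 2 * q * m + 1
    h = first_base
    while pow(h, (p - 1) // q, p) == 1:    # such an h yields no generator
        h += 1
    return p, q, pow(h, (p - 1) // q, p)   # g has order exactly q (q is prime)

def diffie_hellman(p, g, a, k):
    """Return the key as computed by Alice and by Bob."""
    b, u = pow(g, a, p), pow(g, k, p)      # the two values Oscar hears
    return pow(u, a, p), pow(b, k, p)

if __name__ == "__main__":
    p, q, g = make_parameters(8000, 96000)  # assumed limits
    print(p, q, g, diffie_hellman(p, g, 1234, 5678))
```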
What does Oscar hear?
Seen:
1. Public $b = g^a$
2. Public $u = g^k$
Not computable:
1. Secret a, k
2. Common z
This needs discrete logarithm

Oscar sees the communication, but not the secrets

The Elgamal program
• In class use
• Program, explanation, slides on website
• Program extendible
• Booklet with ideas for experimenting, papers
• All in Dutch!

http://people.cs.uu.nl/gerard/Cryptografie/Elgamal/

3. Pollard Rho Algorithm
• Fixed p (modulus), g, q (order of g); H is set of powers of g
• Size of H is q
• Discrete Logarithm problem:
  – Given y in H
  – Return x such that $g^x = y$
• Pollard Rho: randomized, √q time

Pollard Rho: Representation
• Representation of z: $z = y^a \cdot g^b$
• Two representations of same number reveal log y:
  If $y^a \cdot g^b = y^c \cdot g^d$, then $y = g^{(b-d)/(c-a)}$
• Goal: find 2 representations of one number z (value does not matter)

Strategy: Birthday Theorem
• All values $z = y^a \cdot g^b$ are in H
• Birthday Theorem: In a random sequence, we expect a collision after √q steps
• Simulate effect of random sequence by pseudorandom function: $z_{i+1} = f(z_i)$
  (Keep representation of each $z_i$)

Cycle detection
• Detect collision by storing previous values: too expensive
• Floyd cycle detection method:
  – Develop two sequences: $z_i$ and $t_i$
  – Relation: $t_i = z_{2i}$
  – Collision: $t_i = z_i$, i.e., $z_i = z_{2i}$

In each round, z “moves” one step and t moves two steps.

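
The representation, birthday and cycle-detection slides combined into one runnable Pollard rho, as an added example (not the calculator program). Assumptions: the slides do not say which function f the program uses, so the three-way split on z mod 3 is a common textbook choice; g is rebuilt with the slide's recipe h^((p-1)/q) rather than taken from the slide.

```python
import random

P, Q = 95917, 7993          # modulus p and subgroup order q from the slides
# Assumption: generator rebuilt as h^((p-1)/q) for h = 100, 101, ...
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(100, 200)) if g != 1)

def step(z, a, b, y):
    """Apply f once, keeping the invariant z = y^a * g^b (mod p).
    The split on z mod 3 is an assumed choice of f."""
    if z % 3 == 0:
        return z * z % P, 2 * a % Q, 2 * b % Q
    if z % 3 == 1:
        return z * y % P, (a + 1) % Q, b
    return z * G % P, a, (b + 1) % Q

def pollard_rho(y, rng=random):
    """Return (x, iterations) with g^x = y (mod p), using Floyd cycle detection."""
    while True:
        a, b = rng.randrange(Q), rng.randrange(Q)   # the only random choice
        z = pow(y, a, P) * pow(G, b, P) % P
        t, c, d = z, a, b                           # t runs at double speed
        i = 0
        while True:
            i += 1
            z, a, b = step(z, a, b, y)              # z_i
            t, c, d = step(*step(t, c, d, y), y)    # t_i = z_2i
            if z == t:
                break
        if (c - a) % Q:                             # c = a tells nothing: restart
            return (b - d) * pow((c - a) % Q, -1, Q) % Q, i

def iteration_counts(x, runs=5, seed=2006):
    """Solve y = g^x several times from different random starts."""
    rng = random.Random(seed)
    y = pow(G, x, P)
    results = [pollard_rho(y, rng) for _ in range(runs)]
    assert all(found == x for found, _ in results)
    return [iters for _, iters in results]

if __name__ == "__main__":
    for x in (4, 11, 114, 1144):                    # logs used in the experiments
        print(x, iteration_counts(x))
```

Because f is fixed once y is fixed, only the starting point changes between runs, which is why repeated runs on one y tend to report the same few iteration counts.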
4. Experimentation results

p       q      x     m   1    2    3    4    5    Ave
971     97     4     3   8    16   8    16   8    11,2
3989    997    114   10  30   30   60   15   60   39
39869   9967   4     3   117  117  117  117  53   104,2
39869   9967   1144  15  192  65   192  65   192  141,2
999611  99961  4     3   335  335  335  335  335  335
999611  99961  11    6   683  683  683  683  683  683
999611  99961  1144  15  680  340  340  340  680  476

Spring 2006, by Barbara ten Tusscher, Jesse Krijthe, Brigitte Sprenger

Barbara, Jesse, Brigitte
• Verify Pollard rho analysis
• Use various values of p, q, y
• Clear dependence of time on q
• Ignoring 80, correlation to √q is overly exact.

p       q      av. it
999683  97     19
997001  997    68
957409  9973   80
999611  99961  683

Dependence on y
• Run same p, q combination with different inputs $y = g^x$
• Correspondence to √q again
• Not to x: the log of small power of g is no easier

p       q      x      time
3989    997    4      44
3989    997    11     16
3989    997    114    39
999611  99961  4      335
999611  99961  114    297
999611  99961  11144  266

Surprise: individual numbers

p       q      x      1    2    3    4    5
999611  99961  4      335  335  335  335  335
999611  99961  11     683  683  683  683  683
999611  99961  114    103  392  206  392  392
999611  99961  1144   680  340  340  340  680
999611  99961  11144  158  120  300  390  360

Iterations: equal or have high common factor!

Observations
• Average number of iterations coincides well with √q
• Almost no variation within one row
• Is this a bug in the program??
  – Bad randomization in calculator?
  – Or general property of Pollard Rho?

5. Function graph
• Function f: $z_i \to z_{i+1}$ defines graph
• Out-degree 1, cycles with in-trees
• Length, component, size
• Graph is the same when algorithm is repeated with the same input
• Starting point differs
• As $z_i = z_{2i}$, i must be multiple of cycle length

Layers in a component
• Layer of node: measure distance to cycle in terms of its length l:
  – Point z in cycle has layer 0
  – Point z is in layer 1 if $f^{(l)}(z)$ in cycle
  – Point z is in layer c if $f^{(c \cdot l)}(z)$ in cycle
• Lemma: $z_0$ in layer c gives c·l iter.
• Is there a dominant component or layer?

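
An added example (not from the lecture material) that builds the function graph explicitly and checks the layer lemma on every starting point in H. Assumptions: f splits on z mod 3, g is rebuilt as h^((p-1)/q), and the target y = g^1144 is a constructed input; a start that lies on the cycle (layer 0) is counted as needing one full lap, l iterations.

```python
P, Q = 95917, 7993          # p and q from the slides
# Assumptions: g rebuilt via h^((p-1)/q); y = g^1144 is a constructed target
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(100, 200)) if g != 1)
Y = pow(G, 1144, P)

def f(z):
    """Assumed iteration function; it maps H into H."""
    return z * z % P if z % 3 == 0 else z * Y % P if z % 3 == 1 else z * G % P

def tail_and_cycle(z0):
    """Return (tail, l): steps from z0 to its cycle, and that cycle's length."""
    first_seen, z, i = {}, z0, 0
    while z not in first_seen:
        first_seen[z] = i
        z, i = f(z), i + 1
    return first_seen[z], i - first_seen[z]

def floyd_iterations(z0):
    """Rounds until z_i = z_2i, computed without looking at the graph."""
    z, t, i = f(z0), f(f(z0)), 1
    while z != t:
        z, t, i = f(z), f(f(t)), i + 1
    return i

def survey():
    """Tally layers and iteration counts over all q starting points in H."""
    layers, counts, mismatches = {}, {}, 0
    for e in range(Q):
        z0 = pow(G, e, P)
        tail, l = tail_and_cycle(z0)
        c = -(-tail // l)               # smallest c with f^(c*l)(z0) on the cycle
        predicted = max(c, 1) * l       # lemma: layer c gives c*l iterations
        if floyd_iterations(z0) != predicted:
            mismatches += 1
        layers[c] = layers.get(c, 0) + 1
        counts[predicted] = counts.get(predicted, 0) + 1
    return layers, counts, mismatches

if __name__ == "__main__":
    layers, counts, mismatches = survey()
    print("mismatches:", mismatches)
    print("share of layers 0 and 1:", (layers.get(0, 0) + layers.get(1, 0)) / Q)
    print("distinct iteration counts:", sorted(counts))
```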
Layers 0 and 1 dominate
Probability theory analysis by Meli Samikin

Lemma: Pr(layer ≤ 1) = ½
Proof: Assume collision after k steps:
  $z_0 \to z_1 \to \dots \to z_{k-1} \to$ ??
Layer of $z_0$ is 0 if $z_k = z_0$, Pr = 1/k
Layer of $z_0$ is 1 if $z_k = z_j$ with $j < k/2$, Pr ≈ 1/2

Dominant Component
Lemma: Random $z_0$ and $w_0$, Pr(same component) > ½.
Proof: First collision after k steps:
  $z_0 \to z_1 \to \dots \to z_{k-1} \to$ ??
  $w_0 \to w_1 \to \dots \to w_{k-1} \to$ ??
Pr(z meets other sequence) = ½.
Then, w-sequence may collide into z.

Experiments: dominance
• Jos Roseboom: count points in layers of each component
• ACS Experimentation Project, Fall 2007
• Explicitly construct and measure function graphs

Size of largest component
[Figure: "Verdeling puntenwolk Pollard" (distribution of the Pollard point cloud). Horizontal axis: size of remaining search space, logarithmic from 1,00E+00 to 1,00E+07. Vertical axis: percentage of search space taken by the largest cycle, 0 to 100.]

Conclusions
• Elgamal + handcalculators = fun
• Functional requirements easier to explain than for RSA
• Security: experiment with DLog
• Pollard, only randomizes at start
• Iterations: random variable, but takes only limited values
• Most often: size of heaviest cycle

Rabbit Formula
• Decryption is: divide v by $u^a$
• $u^{(a_1+a_2)}$ is: $u^{a_1} \cdot u^{a_2}$
• First divide by $u^{a_1}$ and then by $u^{a_2}$
• Team 1: compute $v' = Dec_{a_1}(u, v)$
  Team 2: compute $x = Dec_{a_2}(u, v')$

Overview of formulas
• Constants: prime p, base g
• Key pair: secret a and public $b = g^a$
• Encryption: $(u, v) = (g^k, x \cdot b^k)$ with b
  Decryption: $x = v / u^a$ with a
• Prize question: $b = b_1 b_2$. Decrypt?

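
The formulas above and the two-team decryption from the Rabbit Formula slide, as an added Python example (not the calculator program). Assumptions: g is rebuilt as h^((p-1)/q) instead of using the slide's value, and the function names are illustrative.

```python
import secrets

P, Q = 95917, 7993          # toy p and q from the slides; real use needs ~309 digits
# Assumption: generator rebuilt as h^((p-1)/q) for h = 100, 101, ...
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(100, 200)) if g != 1)

def keygen():
    """Key pair: secret a in 1..q-1 and public b = g^a."""
    a = 1 + secrets.randbelow(Q - 1)
    return a, pow(G, a, P)

def encrypt(b, x):
    """(u, v) = (g^k, x * b^k) for a fresh random k."""
    k = 1 + secrets.randbelow(Q - 1)
    return pow(G, k, P), x * pow(b, k, P) % P

def decrypt(a, u, v):
    """x = v / u^a. Since u has order q, 1/u^a equals u^(q-a)."""
    return v * pow(u, Q - a % Q, P) % P

def two_team_decrypt(x):
    """Encrypt x under b = b1*b2, then let each team strip its own share."""
    a1, b1 = keygen()
    a2, b2 = keygen()
    b = b1 * b2 % P                      # joint public key, equals g^(a1+a2)
    u, v = encrypt(b, x)
    v1 = decrypt(a1, u, v)               # team 1: v' = Dec_a1(u, v), still masked
    x2 = decrypt(a2, u, v1)              # team 2: x = Dec_a2(u, v')
    x_sum = decrypt((a1 + a2) % Q, u, v) # same result with the combined secret
    return v1, x2, x_sum

if __name__ == "__main__":
    print(two_team_decrypt(4242))
```

Neither team ever learns the other's secret, and the intermediate value v' is still x masked by $u^{a_2}$.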