
The Discrete Logarithm Problem

1.1 Cryptology

1.1.3 The Discrete Logarithm Problem

Some terms used in this section are described in detail in Chapter 2, for other definitions the reader is referred to [4, Chap. 2]. The Discrete Logarithm Problem (DLP) is a one-way problem used in asymmetric cryptography, particularly in the area of cryptography of interest in this thesis. It is defined in a finite, abelian group (G, ∗) as follows: Let β ∈ G be in the group generated by α, that is, there exists an x ∈ Z such that

$$\beta = \underbrace{\alpha * \alpha * \cdots * \alpha}_{x \text{ times}} \in G.$$

Definition 1.1.1. The DLP in G is: given α and β in G, compute x; we call x the discrete logarithm of β with respect to α and write Log_α(β) = x.

The groups in which solving the DLP is hard give a structure for the basis of many cryptographic protocols. The DLP currently occurs in two instances in cryptography: in the multiplicative group of a finite field and in the group of points on an elliptic curve.
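The two directions of the problem above (computing β = α^x is easy; recovering x from β is the DLP) can be made concrete in a small prime field. The following is an added example, not code from the thesis: it solves Log_α(β) in F_p^* with the generic baby-step giant-step method, which needs about √n group operations where n = |⟨α⟩|, and compares the result with exhaustive search. The prime p = 1019 and base α = 2 (a primitive root mod 1019, so n = p − 1) are constructed toy parameters; at the sizes used in practice neither search is feasible, which is exactly what the hardness of the DLP means.

```python
from math import isqrt

P = 1019      # constructed small prime; 2 is a primitive root mod 1019
ALPHA = 2     # so the subgroup <α> is all of F_p^* and has order p - 1
ORDER = P - 1

def bsgs(alpha, beta, p, n):
    """Return x in [0, n) with alpha^x ≡ beta (mod p), or None if beta is not in <alpha>.

    n is the order of the subgroup generated by alpha.  Cost is O(sqrt(n))
    multiplications and O(sqrt(n)) memory, against O(n) for exhaustive search.
    """
    m = isqrt(n) + 1                      # m > sqrt(n), so i*m + j covers [0, n)
    baby = {}                             # alpha^j -> j (keep the smallest j)
    aj = 1
    for j in range(m):
        baby.setdefault(aj, j)
        aj = aj * alpha % p
    giant_step = pow(alpha, -m, p)        # alpha^{-m}; pow(..., -m, p) needs Python 3.8+
    gamma = beta % p
    for i in range(m):
        if gamma in baby:                 # beta * alpha^{-im} = alpha^j  =>  x = i*m + j
            return (i * m + baby[gamma]) % n
        gamma = gamma * giant_step % p
    return None

def dlog_exhaustive(alpha, beta, p, n):
    """The naive O(n) search over x = 0, 1, ..., n-1, for comparison."""
    power = 1
    for x in range(n):
        if power == beta % p:
            return x
        power = power * alpha % p
    return None

def demo(x=777):
    """Easy direction first (beta = alpha^x), then recover x from beta alone."""
    beta = pow(ALPHA, x, P)
    recovered = bsgs(ALPHA, beta, P, ORDER)
    assert recovered == dlog_exhaustive(ALPHA, beta, P, ORDER)
    return recovered
```

The solver returns x reduced modulo the subgroup order, matching "find x modulo |G|" in Definition 1.1.2 below; for a β outside ⟨α⟩ it returns None rather than a wrong exponent.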

1.1.3.1 Finite Field DLP

The first instance of the DLP used in cryptography is in the multiplicative group of a finite field.

Definition 1.1.2. The Finite Field Discrete Logarithm Problem (DLP) is:

Given elements α, β in the multiplicative group of a finite field F_{p^n}, such that β is in the subgroup of F_{p^n} generated by α (so G = ⟨α⟩), find x modulo |G| such that α^x = β ∈ F_{p^n}.

ElGamal Signatures

An example of the DLP being the basis for the security of a cryptographic protocol is the digital signature scheme suggested in 1985 by ElGamal in [31]. The protocol requires a collision resistant hash function H, that is, a function which is non-invertible and for which it is infeasible to find two messages m and m′ such that H(m) = H(m′).

Key Generation

Using a finite field F_p, p prime, Alice selects an element g ∈ F_p and a random number x ∈ {0, . . . , p − 1} and computes h = g^x. Alice’s public key is the set (p, g, h) and she keeps x secret.

Signing

If Alice wants to sign the message m to send to Bob, she first selects a random integer k which is non-zero mod p and coprime to p − 1. Alice computes r = g^k mod p and s ≡ (H(m) − xr)k^{−1} mod (p − 1), where x is Alice’s secret key (if s = 0 then recompute using a new value for k). Alice sends the pair (r, s) as the signature for m. The signature is unique for each message.

Verification of Signature

When Bob receives the pair (r, s) with 0 < r < p and 0 < s < p − 1, he verifies that it is a valid signature by checking that g^{H(m)} ≡ h^r r^s (mod p), where h is Alice’s public key.

It is easy to see that sk + xr ≡ H(m) mod (p − 1) and so by the identity (2.1)

$$\begin{aligned} g^{H(m)} &\equiv g^{xr} \cdot g^{ks} \\ &\equiv (g^x)^r (g^k)^s \\ &\equiv h^r \cdot r^s \pmod p. \end{aligned} \qquad (1.1)$$

To generate false signatures, an adversary would either have to find a message m′ such that H(m′) = H(m) (which we presume is infeasible) or compute Alice’s private key, that is, solve an instance of the DLP.
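The key generation, signing and verification steps above, carried through on toy parameters, as an added example that is not the thesis's own code. The prime p = 1019 and base g = 2 are constructed; SHA-256 reduced modulo p − 1 stands in for the hash H so that H(m) lives in the exponent ring Z/(p − 1) (an assumption of this example); the secret x is drawn from {1, . . . , p − 2} rather than the thesis's {0, . . . , p − 1} so that h ≠ 1 (also an assumption). The signer resamples k whenever gcd(k, p − 1) ≠ 1 or s = 0, and the verifier applies the range checks 0 < r < p, 0 < s < p − 1 before testing identity (1.1).

```python
import hashlib
import secrets
from math import gcd

P = 1019   # constructed small prime (real keys use primes of thousands of bits)
G = 2      # primitive root mod 1019 (2^509 ≡ -1 since 1019 ≡ 3 mod 8)

def H(m: bytes, p: int = P) -> int:
    """Hash m to an exponent mod p-1 (assumption: SHA-256 stands in for the thesis's H)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)

def keygen(p=P, g=G):
    """Alice's key: secret x, public (p, g, h) with h = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1      # assumption: x in {1, ..., p-2}
    h = pow(g, x, p)
    return (p, g, h), x

def sign(m: bytes, x: int, p=P, g=G):
    """Return (r, s) with r = g^k, s = (H(m) - x r) k^{-1} mod (p-1).

    k must be invertible mod p-1 and s must be nonzero; otherwise resample k
    exactly as the scheme prescribes.
    """
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) != 1:
            continue
        r = pow(g, k, p)
        s = (H(m, p) - x * r) * pow(k, -1, p - 1) % (p - 1)
        if s != 0:
            return r, s

def verify(m: bytes, sig, pub) -> bool:
    """Bob's check: range tests, then g^{H(m)} ≡ h^r r^s (mod p), identity (1.1)."""
    p, g, h = pub
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(g, H(m, p), p) == pow(h, r, p) * pow(r, s, p) % p
```

A signature with s shifted by one fails verification for every k in range, because h^r r^{s+1} ≡ h^r r^s would force r ≡ 1, i.e. g^k ≡ 1 mod p, which no k ∈ {1, . . . , p − 2} satisfies when g generates F_p^*; the range checks reject r = 0 and s = 0 outright.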

The ElGamal signature scheme is not used in this exact form, but the Digital Signature Algorithm (DSA) proposed in [18] by the National Institute of Standards and Technology (NIST) is a widely used signature algorithm based on the ElGamal signature scheme.

Signing a message does not conceal the content, but using a similar setup we also have the ElGamal encryption protocol.

ElGamal Encryption

When Bob wants to send a message m to Alice, first m is converted to an element m̄ of F_p, then Bob chooses a random y ∈ {0, . . . , p − 1} and computes c_1 = g^y and the shared key k_{AB} = h^y = g^{xy} (h = g^x is Alice’s public key). The shared key k_{AB} is also referred to as the ephemeral key as a new key is calculated each time two parties communicate. Using the ephemeral key, Bob calculates c_2 = m̄ · k_{AB} and sends (c_1, c_2) to Alice.

Decryption

On receipt of a cipher text pair (c_1, c_2), Alice computes k_{AB} = g^{xy} = c_1^x and m̄ = c_2 · k_{AB}^{−1} and then retrieves m from m̄. It is clear that this works as

$$c_2 \cdot k_{AB}^{-1} = \bar{m} \cdot h^y \cdot (g^{xy})^{-1} = \bar{m} \cdot g^{xy} \cdot g^{-xy} = \bar{m}.$$

Examining the encryption scheme carefully, we notice that to break the protocol, the adversary must solve a slight variant of the DLP, not strictly the DLP. An adversary can observe the exchange of h = g^x and c_1 = g^y. To recover the message, the adversary has to compute the session key k_{AB} = g^{xy} from h and c_1; this variant of the DLP is known as the Diffie-Hellman Problem and was first suggested in [24].

Diffie-Hellman

The Diffie-Hellman Key Exchange was the first practical public key agreement method suggested [24]. They used a slight variation of the DLP, now known as the Diffie-Hellman Problem.

Definition 1.1.3. The Finite Field Diffie-Hellman Problem (DHP) is: Given elements g, g^x and g^y in a finite field F_q, calculate g^{xy}.

The DHP has been shown to be as hard as the DLP in some cases [22] and as yet no groups are known in which the DHP can be solved faster than the DLP. Clearly the DHP can be solved if the DLP can be solved.

The Decisional Diffie-Hellman Problem (DDHP) is also a derivative of the DLP and can be used as a basis for security in some settings.

Definition 1.1.4 (Decisional Diffie-Hellman Problem). Given elements g, g^x, g^y and α in a finite field F_q, determine if g^{xy} = α.

Diffie-Hellman Key Exchange Protocol

As above, we use a prime field F_p with generator g. Two parties, Alice and Bob, each select a random number x_A and x_B respectively with x_A, x_B ∈ {0, . . . , q − 1} and compute h_A = g^{x_A} and h_B = g^{x_B}.

Key Generation

Alice and Bob publish h_A and h_B respectively (they keep x_A and x_B, respectively, secret).

Alice computes k = h_B^{x_A} = g^{x_A·x_B} and Bob computes k = h_A^{x_B} = g^{x_B·x_A} = g^{x_A·x_B}; now Alice and Bob have a common secret key.

1.1.3.2 Elliptic Curve DLP

In 1985, Miller [71] and Koblitz [54] independently noticed that the DLP in the group of points on an elliptic curve defined over a finite field is also hard to solve – in most cases harder to solve than in the multiplicative group of a finite field of comparable size.

Definition 1.1.5. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is:

Given points Q and P on an elliptic curve such that Q is in the group of points generated by P, find the smallest positive integer l such that Q = lP.

Given that the ECDLP is harder than the DLP in the finite field (of equivalent size), there are implementational advantages in adapting to elliptic curves many of the cryptographic protocols originally proposed using the multiplicative group of a finite field.

EC Diffie-Hellman

The elliptic curve analogues to the DHP and DDHP in the finite field are as follows:

Definition 1.1.6. The Elliptic Curve Diffie-Hellman Problem (ECDHP) is:

Given the points P, aP and bP on an elliptic curve E, compute abP.

Definition 1.1.7. The Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP) is:

Given points P, aP, bP and Q on an elliptic curve E, determine if abP = Q.
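To make Definitions 1.1.5 and 1.1.6 concrete, the following added example (not the thesis's own code) implements the group of points on a short-Weierstrass curve y² = x³ + ax + b over F_p in affine coordinates, computes lP by double-and-add, runs the elliptic curve Diffie-Hellman exchange abP, and solves the ECDLP by stepping through the multiples of P. The curve y² = x³ + 7 over F_17 and the base point P = (15, 13), which has order 18, are constructed toy parameters; the exhaustive solver succeeds only because the group has 18 points, which is the point of the example.

```python
P_MOD = 17          # constructed toy field size
A, B = 0, 7         # constructed curve y^2 = x^3 + 7 over F_17 (non-singular: 27*49 ≠ 0 mod 17)
INF = None          # the point at infinity, the group identity

def is_on_curve(pt, p=P_MOD, a=A, b=B):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def neg(pt, p=P_MOD):
    return INF if pt is INF else (pt[0], (-pt[1]) % p)

def add(p1, p2, p=P_MOD, a=A):
    """Chord-and-tangent group law in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # P + (-P); also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(l, pt, p=P_MOD, a=A):
    """Double-and-add: returns lP for l >= 0 (the easy direction of the ECDLP)."""
    result, addend = INF, pt
    while l > 0:
        if l & 1:
            result = add(result, addend, p, a)
        addend = add(addend, addend, p, a)
        l >>= 1
    return result

def point_order(pt, p=P_MOD, a=A):
    """Smallest n > 0 with nP = INF; terminates because the group is finite."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt, p, a)
        n += 1
    return n

def ecdlp_exhaustive(base, Q, p=P_MOD, a=A):
    """Smallest positive l with lP = Q (Definition 1.1.5), or None if Q is not in <P>.

    Cost is linear in the order of P: feasible for 18 points, not for 2^256.
    """
    acc = base
    for l in range(1, point_order(base, p, a) + 1):
        if acc == Q:
            return l
        acc = add(acc, base, p, a)
    return None

def ecdh(a_secret, b_secret, base):
    """EC Diffie-Hellman: both parties arrive at abP from (aP, b) and (bP, a)."""
    a_pub = scalar_mult(a_secret, base)      # Alice publishes aP
    b_pub = scalar_mult(b_secret, base)      # Bob publishes bP
    return scalar_mult(a_secret, b_pub), scalar_mult(b_secret, a_pub)

BASE = (15, 13)     # constructed base point; has order 18 on this curve
```

The ECDHP of Definition 1.1.6 is recovering `ecdh`'s output from `BASE`, `a_pub` and `b_pub` alone; on this curve `ecdlp_exhaustive` does it in at most 18 additions, whereas the curves used in practice have groups of prime order around 2^256, where no method with cost below roughly the square root of the group order is known.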

Although it may seem, at first glance, that these last two problems would be equivalently hard, that is not always the case. There exist groups in which the DHP is considered computationally infeasible, but the DDHP is easy to solve; these groups are called Gap groups [16].

It was believed that all elliptic curves achieve superior efficiency for a given level of security than finite fields (the same level of security being achievable using smaller system parameters) until the attacks of [69] and [34, 33] showed that some curves admit a bilinear pairing which maps the ECDLP to a DLP instance in a finite field, which is an extension of the finite field over which the curve is defined. For curves with computable bilinear pairings, the ECDLP is therefore only as hard as the DLP instance in that finite field; if this was “easier” than the ECDLP such curves were considered to be weaker and unsuitable for use in cryptography. With careful selection of the system parameters (discussed in Chapter 7), however, these bilinear pairings can also be used to construct new cryptographic protocols, even giving solutions to some previously unsolved cryptographic problems. The area of public-key cryptography which uses these particular curves and bilinear pairings is known as Pairing-Based Cryptography, which is the focus area of this thesis. The groups of points on the curves admitting bilinear pairings are Gap groups. This will be illustrated below.