Elgamal demonstration project on calculators TI83

1
Elgamal demonstration project on calculators
TI-83
  • Gerard Tel, Utrecht University

With results from Jos Roseboom and Meli Samikin
2
Overview of the lecture
  • History and background
  • Elgamal (Diffie Hellman)
  • Discrete Log: Pollard rho
  • Experimentation results
  • Structure of Function Graph: Cycles, Tails,
    Layers
  • Conclusions

3
1. History and background
  • 2003, lecture for school teachers about Elgamal
  • 2006, lecture with calculator demo
  • Why Elgamal, not RSA?
  • Functional property easy to show
  • Security relies on complexity
  • Compare exponentiation and DLog

4
Math: Modular arithmetic
  • Compute modulo prime p (95917) with 0, 1, ..., p-2,
    p-1
  • Generator g of order q (prime)
  • Rules of algebra are valid
  • $(g^a)^k = (g^k)^a$
  • Secure application: p has 309 digits!!

5
Calculator TI-83, 83+, 84+
  • Graphical, 14 digits
  • Programmable
  • Generally available in VWO (pre-academic school
    type in the Netherlands)
  • Cost 100 euro (free for me)

6
The Elgamal program
  • Caesar cipher (symmetric)
  • Elgamal parameter and key generation
  • Elgamal encryption and decryption
  • Discrete Logarithm: Pollard. Infeasible problem!!
    But doable for 7 digit modulus

7
2. Public Key codes
  • The problem of Key Agreement
  • A and B are on two sides of a river
  • They want to have common z
  • Oscar is in a boat on the river
  • Oscar must not know z

8
Solution: Diffie-Hellman
  • Alice takes random a, shouts $b = g^a$
  • Bob takes random k, shouts $u = g^k$
  • Alice computes $z = u^a = (g^k)^a$
  • Bob computes $z = b^k = (g^a)^k$
  • The two numbers are the same
  • The difference in complexity for A and B versus O is
    relevant

9
What does Oscar hear?
  • Seen:
  • Public $b = g^a$
  • Public $u = g^k$
  • Not computable:
  • Secret a, k
  • Common z
  • This needs discrete logarithm
  • Oscar sees the communication, but not the secrets

10
The Elgamal program
  • In class use
  • Program, explanation, slides on website
  • Program extendible
  • Booklet with ideas for experimenting, papers
  • (All in Dutch!)

http://people.cs.uu.nl/gerard/Cryptografie/Elgamal/
11
3. Pollard Rho Algorithm
  • Fixed p (modulus), g, q (order of g); G is the set
    of powers of g
  • Discrete Logarithm problem:
  • Given y in G
  • Return x such that $g^x = y$
  • Pollard Rho: randomized, $\sqrt{q}$ time

12
Pollard Rho: Representation
  • Representation of z: $z = y^a \cdot g^b$
  • Two representations of the same number reveal log
    y. If $y^a \cdot g^b = y^c \cdot g^d$, then $y = g^{(b-d)/(c-a)}$
  • Goal: find 2 representations of one number z
    (value does not matter)

13
Strategy: Birthday Theorem
  • All values $z = y^a \cdot g^b$ are in G
  • Birthday Theorem: in a random sequence, we expect
    a collision after $\sqrt{q}$ steps
  • Simulate effect of random sequence by
    pseudorandom function $z_{i+1} = f(z_i)$ (keep
    representation of each $z_i$)

14
Cycle detection
  • Detect collision by storing previous values: too
    expensive
  • Floyd cycle detection method
  • Develop two sequences $z_i$ and $t_i$
  • Relation: $t_i = z_{2i}$
  • Collision: $t_i = z_i$, i.e., $z_i = z_{2i}$
  • In each round, z moves one step and t moves two
    steps.
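
Slides 11 to 14 put together as an added Python example (not the calculator program from the lecture). The modulus p = 95917 is the one on slide 4; q = 7993, g = 4096 and the three-way partition used for f are assumptions, since the slides do not give them.

```python
import random

P = 95917                      # prime modulus from slide 4
Q = 7993                       # assumed q: P - 1 = 2^2 * 3 * 7993, 7993 prime
G = pow(2, (P - 1) // Q, P)    # assumed g: 2^12 = 4096 has order Q modulo P

def step(z, a, b, y):
    """One application of f, keeping the representation z = y^a * g^b."""
    if z % 3 == 0:                       # square: both exponents double
        return z * z % P, 2 * a % Q, 2 * b % Q
    if z % 3 == 1:                       # multiply by y
        return z * y % P, (a + 1) % Q, b
    return z * G % P, a, (b + 1) % Q     # multiply by g

def pollard_rho_dlog(y, rng):
    """Return (x, iterations) with g^x = y mod p, for y a power of g."""
    while True:
        # The only randomization: the starting representation.
        a, b = rng.randrange(Q), rng.randrange(Q)
        z = pow(y, a, P) * pow(G, b, P) % P
        t, c, d = z, a, b
        iterations = 0
        while True:
            z, a, b = step(z, a, b, y)              # z moves one step
            t, c, d = step(*step(t, c, d, y), y)    # t moves two steps
            iterations += 1
            if z == t:                              # z_i = z_2i
                break
        denom = (c - a) % Q
        if denom:                        # y^a g^b = y^c g^d  =>  x = (b-d)/(c-a)
            return (b - d) * pow(denom, -1, Q) % Q, iterations
        # c = a mod q: both representations coincide, so restart.

def demo(secret=1234, seed=2006):
    """Recover a constructed secret exponent from y = g^secret."""
    y = pow(G, secret, P)
    return pollard_rho_dlog(y, random.Random(seed))

if __name__ == "__main__":
    x, n = demo()
    print("x =", x, "found after", n, "iterations; sqrt(q) is about", int(Q ** 0.5))
```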

15
4. Experimentation results
Spring 2006, by Barbara ten Tusscher, Jesse
Krijthe, Brigitte Sprenger
16
Observations
  • Average number of iterations coincides well with
    $\sqrt{q}$
  • Almost no variation within one row
  • Is this a bug in the program??
  • Bad randomization in calculator?
  • Or general property of Pollard Rho?

17
5. Function graph
  • Function f: $z_i \to z_{i+1}$ defines graph
  • Out-degree 1, cycles with in-trees
  • Length, component, size
  • Graph is the same when algorithm is repeated with
    the same input
  • Starting point differs
  • As $z_i = z_{2i}$, i must be a multiple of the cycle length

18
Layers in a component
  • Layer of node: measure distance to cycle in terms
    of its length l
  • Point z in cycle has layer 0
  • Point z is in layer 1 if $f^{(l)}(z)$ in cycle
  • Point z is in layer c if $f^{(c \cdot l)}(z)$ in cycle
  • Lemma: $z_0$ in layer c gives $c \cdot l$ iterations
  • Is there a dominant component or layer?
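
The function graph and the layer lemma of slides 17 and 18, as an added Python example (not code from the lecture). It assumes q = 7993, g = 4096, a three-way partition for f and a constructed y; the layer of a point is taken as the smallest c with $f^{(c \cdot l)}(z)$ on the cycle.

```python
P, Q = 95917, 7993             # p from slide 4; q assumed (largest prime factor of p - 1)
G = pow(2, (P - 1) // Q, P)    # assumed generator of order q

def make_f(y):
    """The pseudorandom function f on G for a fixed y (assumed 3-way partition)."""
    def f(z):
        if z % 3 == 0:
            return z * z % P
        if z % 3 == 1:
            return z * y % P
        return z * G % P
    return f

def tail_and_cycle(f, z0):
    """Follow z0 until a value repeats; return (tail length, cycle length l)."""
    seen = {}
    z, i = z0, 0
    while z not in seen:
        seen[z] = i
        z, i = f(z), i + 1
    return seen[z], i - seen[z]

def layer(f, z0):
    """Smallest c such that c * l steps from z0 end on the cycle."""
    tail, l = tail_and_cycle(f, z0)
    return -(-tail // l)       # ceil(tail / l); 0 when z0 is on the cycle

def floyd_iterations(f, z0):
    """Rounds until z_i = z_2i, as counted by the cycle detection of slide 14."""
    z, t, i = f(z0), f(f(z0)), 1
    while z != t:
        z, t, i = f(z), f(f(t)), i + 1
    return i

def iteration_profile(y, starts):
    """Map each iteration count to the number of starting points that gave it."""
    f = make_f(y)
    profile = {}
    for z0 in starts:
        n = floyd_iterations(f, z0)
        profile[n] = profile.get(n, 0) + 1
    return profile

if __name__ == "__main__":
    y = pow(G, 1234, P)                              # constructed input
    starts = [pow(G, k, P) for k in range(1, 501)]   # constructed starting points
    print(sorted(iteration_profile(y, starts).items()))
```

Every iteration count in the profile is a multiple of a cycle length, which is why repeated runs on the same input take only a limited set of values.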

19
Layers 0 and 1 dominate
  • Probability theory analysis by Meli Samikin
  • Lemma Pr(layer 1) ½
  • Proof: Assume collision after k steps
  • $z_0 \to z_1 \to \dots \to z_{k-1} \to$ ??
  • Layer of $z_0$ is 0 if $z_k = z_0$, Pr 1/k
  • Layer of $z_0$ is 1 if $z_k = z_j$, $j < k/2$, Pr 1/2

20
Dominant Component
  • Lemma: Random $z_0$ and $w_0$,
  • Pr(same component) > ½.
  • Proof: First collision after k steps
  • $z_0 \to z_1 \to \dots \to z_{k-1} \to$ ??
  • $w_0 \to w_1 \to \dots \to w_{k-1} \to$ ??
  • Pr ( z meets other sequence ) ½.
  • Then, w-sequence may collide into z.

21
Experiments: dominance
  • Jos Roseboom: count points in layers of each
    component
  • Plays in the national korfball team
  • World Champion 2007, November, Brno.

22
Size of largest component
23
Conclusions
  • Elgamal on hand calculators: fun
  • Functional requirements easier to explain than
    for RSA
  • Security: experiment with DLog
  • Pollard only randomizes at start
  • Iterations: random variable, but takes only
    limited values
  • Most often: size of heaviest cycle

24
Rabbit Formula
  • Decryption is dividing v by $u^a$
  • $u^{a_1 + a_2}$ is $u^{a_1} \cdot u^{a_2}$
  • First divide by $u^{a_1}$ and then by $u^{a_2}$
  • Team 1: compute $v = \mathrm{Dec}_{a_1}(u, v)$. Team 2: compute
    $x = \mathrm{Dec}_{a_2}(u, v)$

25
Overview of formulas
  • Constants: prime p, base g
  • Key pair: Secret a and Public $b = g^a$
  • Encryption: $(u, v) = (g^k, x \cdot b^k)$ with b
  • Decryption: $x = v / u^a$ with a
  • Prize question: $b = b_1 b_2$. Decrypt?
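
The formulas of this overview and the two-team decryption of the Rabbit Formula slide, as an added Python example (not the calculator program). The modulus is the toy p = 95917 from slide 4; q = 7993, g = 4096, the message and the seed are assumptions chosen for the example.

```python
import random

P, Q = 95917, 7993             # p from slide 4; q assumed (largest prime factor of p - 1)
G = pow(2, (P - 1) // Q, P)    # assumed base g of order q

def keygen(rng):
    """Key pair: secret a and public b = g^a."""
    a = rng.randrange(1, Q)
    return a, pow(G, a, P)

def encrypt(x, b, rng):
    """(u, v) = (g^k, x * b^k) for a fresh random k."""
    k = rng.randrange(1, Q)
    return pow(G, k, P), x * pow(b, k, P) % P

def decrypt(a, u, v):
    """x = v / u^a, with the division done as a modular inverse."""
    return v * pow(pow(u, a, P), -1, P) % P

def joint_demo(x=4242, seed=25):
    """Encrypt under b = b1 * b2, then let the two teams decrypt in turn."""
    rng = random.Random(seed)
    a1, b1 = keygen(rng)       # team 1
    a2, b2 = keygen(rng)       # team 2
    b = b1 * b2 % P            # equals g^(a1 + a2); neither team knows a1 + a2
    u, v = encrypt(x, b, rng)
    v = decrypt(a1, u, v)      # team 1 divides by u^a1
    return decrypt(a2, u, v)   # team 2 divides by u^a2 and obtains x

if __name__ == "__main__":
    print(joint_demo())
```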