Let G be a finite group of order q written multiplicatively Let g be some element of G Consider the set ltggt g 0 g 1 We know g q 1 g 0 so the set has ID: 1022507
Download Presentation The PPT/PDF document "Cryptography Lecture 23 Cyclic groups" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
1. CryptographyLecture 23
2. Cyclic groupsLet G be a finite group of order q (written multiplicatively)Let g be some element of GConsider the set <g> = {g0, g1, …}We know gq = 1 = g0, so the set has ≤ q elementsIf the set has q elements, then it is all of G !In this case, we say g is a generator of GIf G has a generator, we say G is cyclic
3. ExamplesℤNCyclic (for any N); 1 is always a generator: {0, 1, 2, …, N-1}ℤ8Is 3 a generator?{0, 3, 6, 1, 4, 7, 2, 5} – yes!Is 2 a generator?{0, 2, 4, 6} – no!
4. Exampleℤ*11Is 3 a generator?{1, 3, 9, 5, 4} – no!Is 2 a generator?{1, 2, 4, 8, 5, 10, 9, 7, 3, 6} – yes!Is 8 a generator?{1, 8, 9, 6, 4, 10, 3, 2, 5, 7} – yes!Note that elements appear in a different order from above…
5. Exampleℤ*13<2> = {1, 2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7},so 2 is a generator<8> = {1, 8, 12, 5},so 8 is not a generator
6. Important examplesTheorem: Any group of prime order is cyclic, and every non-identity element is a generatorTheorem: If p is prime, then ℤ*p is cyclicNote: the order is p-1, which is not prime for p > 3
7. Uniform samplingGiven cyclic group G of order q along with generator g, easy to sample a uniform hG:Choose uniform x{0, …, q-1}; set h := gx
8. Discrete-logarithm problemFix cyclic group G of order q, and generator gWe know that {g0, g1, …, gq-1} = GFor every hG, there is a unique xℤq s.t. gx = hDefine loggh to be this x – the discrete logarithm of h with respect to g (in the group G)
9. ExamplesIn ℤ*11What is log2 9?<2> = {1, 2, 4, 8, 5, 10, 9, 7, 3, 6}, so log2 9 = 6What is log8 9?<8> = {1, 8, 9, 6, 4, 10, 3, 2, 5, 7}, so log8 9 = 2In ℤ*13What is log2 9?<2> = {1, 2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7}, so log2 9 = 8
10. Discrete-logarithm problem (informal)Dlog problem in G: Given generator g and element h, compute logghDlog assumption in G: Solving the discrete log problem in G is hard
11. ExampleIn ℤ*3092091139What is log2 1656755742 ?
12. Discrete-logarithm problemLet G be a group-generation algorithmOn input 1n, outputs a (description of a) cyclic group G, its order q (with ǁqǁ=n), and a generator gFor algorithm A, define exp’t DlogA,G(n):Compute (G, q, g) G(1n)Choose uniform hGRun A(G, q, g, h) to get xExperiment evaluates to 1 if gx = h
13. Discrete-logarithm problemThe discrete-logarithm problem is hard relative to G if for all PPT algorithms A, Pr[DlogA,G(n) = 1] ≤ negl(n)
14. Diffie-Hellman problemsFix cyclic group G and generator gDefine DHg(h1, h2) = DHg(gx, gy) = gxy
15. ExampleIn ℤ*11<2> = {1, 2, 4, 8, 5, 10, 9, 7, 3, 6}So DH2(7, 5) = ?In ℤ*3092091139What is DH2(1656755742, 938640663)?Is 1994993011 the answer, or is it just a random element of ℤ*3092091139 ?
16. Diffie-Hellman assumptionsComputational Diffie-Hellman (CDH) problem:Given g, h1, h2, compute DHg(h1, h2)Decisional Diffie-Hellman (DDH) problem:Given g, h1, h2, distinguish DHg(h1, h2) from a uniform element of G
17. DDH problemLet G be a group-generation algorithmOn input 1n, outputs a cyclic group G, its order q (with ǁqǁ=n), and a generator gThe DDH problem is hard relative to G if for all PPT algorithms A: | Pr[A(G, q, g, gx, gy, gz)=1] – Pr[A(G, q, g, gx, gy, gxy)=1] | ≤ (n)
18. Relating the Diffie-Hellman problemsRelative to G:If the discrete-logarithm problem is easy, so is the CDH problemIf the CDH problem is easy, so is the DDH problemI.e., the DDH assumption is stronger than the CDH assumptionI.e., the CDH assumption is stronger than the dlog assumption
19. Group selectionThe discrete logarithm is not hard in all groups!For example, it is easy in ℤN (for any N, and for any generator)Nevertheless, there are certain groups where the problem is believed to be hardNote: since all cyclic groups of the same order are isomorphic, the group representation matters!
20. Group selectionFor cryptographic applications, best to use prime-order groupsThe dlog problem becomes easier if the order of the group has small prime factorsPrime-order groups have several nice featuresE.g., every element except identity is a generatorTwo common choices of groups…
21. Group selection: choice 1Prime-order subgroup of ℤ*p, p primeE.g., p = tq + 1 for q primeTake the subgroup of tth powers, i.e., G = { [xt mod p]| x ℤ*p }This is a groupIt has order (p-1)/t = qSince q is prime, the group must be cyclicGeneralizations based on finite fields also used
22. Group selection: choice 2Prime-order subgroup of an elliptic curve groupSee book for details…
23. Group selectionWe will describe algorithms in “abstract” groupsCan ignore details of the underlying group in the analysisCan instantiate with any (appropriate) group for an implementation