frederik vercauteren esat/cosic - k.u. leuven · i alice chooses the private key a = 68 and...
TRANSCRIPT
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Discrete Logarithms in Cryptography
Frederik VercauterenESAT/COSIC - K.U. Leuven
ECRYPT Summer School 2008
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Basic Definitions
Algorithms for DLP
Reductions of Hard Problems
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Outline
Basic Definitions
Algorithms for DLP
Reductions of Hard Problems
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Symmetric Key Cryptography
PLAINTEXT
110100011100
PLAINTEXT
110100011100
CIPHERTEXT
????????????
SYMMETRIC KEY CRYPTOSYSTEM
ENCRYPTION KEY DECRYPTION KEY
=
ALICE BOB
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Public Key Cryptography
PLAINTEXT
110100011100
PLAINTEXT
110100011100
CIPHERTEXT
????????????
CIPHERTEXT
????????????
PUBLIC KEY CRYPTOSYSTEM
ENCRYPTION KEY DECRYPTION KEY
ALICE BOB
PUBLIC KEY
OF BOBPRIVATE
KEY OF BOB
PUBLIC LIST
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Factoring and Discrete Logarithm Problem
I Rivest-Shamir-Adleman (1977): RSA based on factoring.I Main idea: easy to find two large primes p and q, but very
hard to find p and q from n = p · q.I RSA still most popular public key cryptosystem.
I ElGamal (1984): discrete logarithm problem (DLP).I Group G is set with operation · and each element has
inverse.I Main idea: very easy to compute h = gx for given x , but
very hard to find x given h and g.I Popular choices: finite fields and elliptic curves.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
GroupA group (G, ·) consists of a set G and an operation ·, satisfying
1. associative: a · (b · c) = (a · b) · c,∀a,b, c ∈ G2. identity element: ∃1 ∈ G,∀a ∈ G : a · 1 = 1 · a = a3. inverse element: ∀a ∈ G,∃a−1 ∈ G : a · a−1 = a−1 · a = 14. abelian (extra): ∀a,b ∈ G : a · b = b · a
I The order of an element a of a group (G, ·) is n, iff n is thesmallest positive number such that
a · a · · · · · a︸ ︷︷ ︸n
= 1
I The set {a,a2, . . . ,an−1,an = 1} is called the groupgenerated by a and denoted 〈a〉.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Finite Fields
I Let p be a prime, then Fp = Z/pZ is a finite field with pelements.
I Every non-zero element has inverse for multiplication.I Thus: F∗p,× has p − 1 elements.I Theorem: F∗p,× is cyclic, i.e. there exists a generator α
such that F∗p = {α0, α1, α2, . . .}.I Extension field Fpn : polynomials over Fp modulo irreducible
polynomial P(x) of degree n, i.e. Fp[x ]/(P(x)).
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Discrete Logarithm Problem
I Let (G, ·) be an abelian group.I Discrete Logarithm Problem Given g,h ∈ G, find an x (if
it exists) such thatgx = h.
I The difficulty of this problem depends on the group G:I Very easy: polynomial time algorithm, e.g. (ZN ,+)I Hard: sub-exponential time algorithm, e.g. (Fp,×).I Very hard: exponential time algorithm, e.g. elliptic curve
groups.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Problems Related to DLP
I Given an abelian group (G, ·) and g ∈ G of order n.I Discrete Logarithm Problem (DLP) :
Given h ∈ G such that h = gx find x . (DLP(g,h)→ x)
I Computational Diffie-Hellman Problem (CDH) :Given a = gx and b = gy find c = gxy (CDH(g,a,b)→ c).
I Decisional Diffie-Hellman Problem (DDH) :Given a = gx , b = gy and c = gz , determine if
gxy = gz or equivalently xy ≡ z mod n
(DDH(g,a,b, c)→ true/false)
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Diffie-Hellman Key AgreementDiffie and Hellman (1976): New directions in cryptographyChoose a large prime number p and a generator α mod p
Alice BobxA ∈R [1,p − 1], αxA
−αxA
−−−−−−−−→xB ∈R [1,p − 1], αxB
←αxB
−−−−−−−−−KBA = (αxB)xA KBA = (αxA)xB
I Note: all calculations mod pI Security based on Diffie-Hellman problem: given αxA andαxB compute αxAxB
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
ElGamal Encryption - Key Generation
ElGamal (1985): A public key cryptosystem and a signaturescheme based on discrete logarithms.
Domain Parameter Generation:I Generate a “large prime” p (≥ 1024 bits) such that p − 1 is
divisible by another “large prime” q (> 160 bits).I Compute a generator g of the multiplicative group of order
q in GF (p)∗, via (for some random r )
g ≡ r (p−1)/q mod p
until g 6= 1.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
ElGamal Encryption - Key Generation
Key Generation:I Select a random integer a, 1 ≤ a ≤ q − 1 and compute
h ≡ ga mod p
I Public key = (p,g,h) which can be published.I Private key = a which needs to be kept secret.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
ElGamal - Encryption / Decryption
Bob encrypts a message for Alice as follows:I Obtain Alice’s authentic public key (p,g,h).I Generate random k (1 < k < q − 1) with gcd(k ,p − 1) = 1I r ≡ gk mod p (k and r are ephemeral key pair)I s ≡ hk ·m mod p (0 ≤ m ≤ p − 1)I Ciphertext: c = (r , s)
To recover the message, Alice does the following:I m ≡ s · r−a mod pI Indeed: r−a ≡ g−ka ≡ h−k mod p
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
ElGamal Encryption - Example
I Prime p = 809, then 809− 1 = 808 is divisible by q = 101.I Compute a generator g = 16 of subgroup of GF (p)∗ of
order q.I Alice chooses the private key a = 68 and computes
ga mod p ≡ 1668 mod p ≡ 46.
I Alice’s public key then is (p = 809,g = 16,h = 46), whichcan be published.
I Alice’s private key is a = 68 which she keeps secret.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
ElGamal Encryption - Example
I To encrypt the message m = 100, Bob selects a randominteger k = 89 and computes
r = gk = 342 and s = m · hk = 745.
I Bob then sends the ciphertext (r , s) to Alice.I To decrypt, Alice first computes
r−a mod p ≡ 34233 mod 809 ≡ 49 mod 809,
and recovers m by computing
m ≡ 745 · 49 mod 809 ≡ 100 mod 809.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Outline
Basic Definitions
Algorithms for DLP
Reductions of Hard Problems
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pohlig and Hellman Reduction
I Let G,+ be a group of order n =∏k
i=1 peii and let Q = xP
I Assume prime p|n and let t = n/p, then
Q′ = tQ = txP = x(tP) = xP ′ = x0P ′
I Note P ′,Q′ are in subgroup of order p, thus x0 ≡ x mod pI Find x mod p and recover x mod p1 · · · pk using CRTI Exercise: algorithm to compute x mod pe with e > 1I Hint: write x mod pe = x0 + x1p + · · ·+ xe−1pe−1
I Conclusion: order of G should contain large prime factor
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Baby-step Giant-step Algorithm
I Assume P has order n, let m =⌈√
n⌉
and write
x = x0 + mx1
with 0 ≤ x0,x1 < m.I Compute baby steps: bi = iP for i = 0, . . . ,m − 1I Store them in table and sort themI Compute giant steps: gj = jmP for j = 0, . . . ,m − 1I For each j check if Q − gj is in table.I If match bi = Q − gj found, then return i + mj .
I Storage: O(m) and time O(q/m).
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pollard Rho Algorithm: General Case
I Let S be a set |S| = n and f : S → S random mappingI Starting with random value r0 ∈ S, compute
ri+1 = f (ri) for i ≥ 0
I Sequence r0, r1, r2, . . . is deterministic random walkI Since S is finite we must eventually obtain
ri = rj ⇒ ri+1 = f (ri) = f (rj) = rj+1
I Sequence r0, r1, r2, . . . , becomes cyclicI Picture of sequence looks like the Greek letter rho ρ
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pollard Rho Algorithm: General Case
I The rho-shape has an initial tail and cyclic partI Expected length of both tail and cyclic part is√
πn/8
I Using this in naive way also requires O(√
n) memoryI Main problem in Baby-step Giant-step algorithmI Use Floyd’s cycle finding algorithm (theory) or
distinguished points (practice)
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pollard Rho: Discrete Logarithms
I Let G denote a group of order n and let Q = xPI Partition G into three sets S1,S2,S3 (O 6∈ S2)I Define the following random walk
Ri+1 = f (Ri) =
Q + Ri Ri ∈ S1,2Ri Ri ∈ S2,P + Ri Ri ∈ S3.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pollard Rho: Discrete Logarithms
Let Ri = aiP + biQ, then
ai+1 =
ai Ri ∈ S1,2ai (mod n) Ri ∈ S2,ai + 1 (mod n) Ri ∈ S3,
and
bi+1 =
bi + 1 (mod n) Ri ∈ S1,2bi (mod n) Ri ∈ S2,bi Ri ∈ S3.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Pollard Rho: Discrete Logarithms
I Start with the triple
(R0,a0,b0) = (O,0,0)
I Then we have, for all i ,
logP(Ri) = ai + bi logP(Q) = ai + bix.
I Collision Ri = Rj , then ai + bix ≡ aj + bjx mod n
x ≡ai − aj
bj − bimod n
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Parallel Pollard Rho (van Oorschot and Wiener)
I With m processors, m pseudo-random walks starting at
R(i)0 = aiP + biQ
I Each processor needs to compute O(√πn/2/m) iterations
I Naive idea: central server stores all O(√πn/2) points
I Define distinguished points SD ⊂ G and θ = |SD|/|G|I Processors only send distinguished points to central server
O(
√πn/2m
+1θ) time O(θ
√πn/2) space
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Floyd’s Cycle Finding Algorithm
I Given (x1, x2), compute (x2, x4), then (x3, x6) and so on . . .I Given the pair (xi , x2i) we compute
(xi+1, x2i+2) = (f (xi), f (f (x2i)))
I We stop when we find xm = x2m
I Exercise: prove that if tail has length λ and cycle length µ
m = µ ·⌈λ
µ
⌉I Since λ ≤ m ≤ λ+ µ we see that m = O(
√n)
I Detect a collision with O(1) storage
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Black Box Groups: Lower Bound on DLP
I Group G represented by set of strings S = {σ(g) | g ∈ G}I Equality test simply string comparisonI Oracles to compute group operation + and −
A(σ(x), σ(y)) = σ(x + y) and S(σ(x), σ(y)) = σ(x − y)
I Shoup: algorithm that makes m oracle queries and hasinput (σ, σ(1), σ(x)) will return x with probability at mostO(m2/p), with p largest prime factor of |G|.
I Implies that generic algorithm needs√
p group ops.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Index Calculus: General Setting
I G cyclic group of order n, i.e. G =< g > and let h = gx
I Choose a subset S = {s1, . . . , st} ⊂ G called factor baseI S chosen s.t. almost all elements in G can be expressed
efficiently as product of elements from SI Compute logg(si) for i = 1, . . . , t by collecting relationsI Find the DLOG of individual elements using databaseI Gives sub-exponential algorithm Ln(1/2, c) or Ln(1/3, c)
withLn[a,b] = O
(e(b+O(1))(log n)a(log log n)1−a
)
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Index Calculus: Algorithm - Phase 1
1. Select random integer 0 ≤ k < n and compute αk = gk
2. Try to decompose αk over the factor base S
αk = gk =t∏
i=1
scii , ci ≥ 0
3. If αk factors over S, then take DLOG and obtain
k ≡t∑
i=1
ci logg si (mod n) (?)
4. Repeat until t + ε relations found5. Solve linear system (?) mod n to obtain logg si ,1 ≤ i ≤ t
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Index Calculus: Algorithm - Phase 2
1. Select random integer 0 ≤ k < n and compute βk = h · gk
2. Try to decompose βk over the factor base S
βk = hgk =t∏
i=1
sdii , di ≥ 0
3. Repeat until βk decomposes over S4. By taking DLOGs of both sides, obtain
x ≡t∑
i=1
di logg si − k
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Index Calculus in Fp
I Represent Fp as {0, . . . ,p − 1} and embed Fp in ZI Factor base S consists of first t primes pi ,0 < i ≤ tI z ∈ Z is B-smooth if all prime factors of z are less than BI Element z ∈ Fp decomposes over S iff z is pt -smoothI Relation collection: try to factor αk = gk (mod p) for
random exponents kI Problem 1: αk is the same size of pI Problem 2: not possible to use a sieveI More complicated methods exist to generate relations . . .
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Exponential vs. Sub-exponential: Security
0 1000 2000 3000 4000 5000 6000 7000 8000 9000 100000
50
100
150
200
250
300
350
400
450
500
Keylength conventional systems RSA and DSA
Key
leng
th e
llipt
ic c
urve
sys
tem
Key lengths in bits for equivalent cryptographic strength
ECDSA
RSA & DSA
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Outline
Basic Definitions
Algorithms for DLP
Reductions of Hard Problems
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions
I Let A and B be two computational problems. Then A issaid to polytime reduce to B, written A ≤P B if
I There is an algorithm which solves A using an algorithmwhich solves B.
I This algorithm runs in polynomial time if the algorithm for Bdoes.
I Assume we have an oracle (or efficient algorithm) to solveproblem B.
I We then use this oracle to give an efficient algorithm forproblem A.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: CDH ≤P DLP
Here we show how to reduce CDH to DLP, i.e. we give anefficient algorithm for solving the CDH given an oracle for theDLP.
I Given gx and gy we wish to find gxy .I First compute y = DLP(g,gy ) using the oracle.I Then compute (gx)y = gxy .I So CDH is no harder than DLP, i.e. CDH ≤P DLP.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: DDH ≤P CDH
Here we show how to reduce DDH to CDH, i.e. we give anefficient algorithm to solve the DDH given an oracle for theCDH.
I Given elements gx , gy and gz , determine ifz ≡ x · y mod n.
I Using the oracle to solve CDH, compute
gxy = CDH(g,gx ,gy ).
I Then check whether gxy = gz .I So DDH is no harder than CDH, i.e. DDH ≤P CDH.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Inverse Diffie-Hellman Problem
I I-DHP: given g,gx compute gx−1, where x−1 is computed
modulo the order of g.I I-DHP ≤P DHP with one DH call:I Let h = gx , then g = hx−1
, so
DHP(h,g,g) = hx−1·x−1= gx−1
I I-DHP ≤P DHP with log2 n DH-calls:I Recall: x−1 ≡ xϕ(n)−1 mod nI Use DH-oracle and square and multiplyI CDH(g,gx ,gx) = gx2
and CDH(g,gxs,gx t
) = gxs+t
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: DLP ≤P CDH
I Assume for simplicity that n = q a prime.I Implicit representations (i.e. computing in exponent):
Explicit Implicitx gx
y gy
x + y mod q gx · gy
x · y mod q CDH(g,gx ,gy )
I CDH-oracle enables us to compute implicitly over Fq,+, ·or a strongly algebraic group H defined over Fq.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: DLP ≤P CDH
I If DLP in Fq, · or H/Fq is easy, we could try to compute xby computing DLPs in implicit representation.
I Since x is determined modulo q, we can write
x ≡ αs mod q
for α a generator modulo q. Goal: compute s instead of x .I den Boer: DLP in Fq is easy when q − 1 is smooth, so
compute s using implicit computations
gx = gαs
I Limitation: only applies to groups G such that ϕ(|G|) issmooth, e.g. if |G| = q, then q − 1 has to be smooth.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: DLP ≤P CDH
I den Boer: DH-oracle combined with easy DLP in Fq, ·I Limitation: only one choice Fq for each q.I Maurer-Wolf: DH-oracle combined with other auxiliary
groups over Fq, e.g. elliptic curves E/Fq.I Advantage: for each q, all integers in the interval
[q − 2√
q + 1,q + 2√
q + 1]
occur as group order of elliptic curve E/Fq.I Much more likely to find smooth one!
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
Reductions: DLP ≤P CDH
I Let G be finite cyclic group with |G| = pI Given elliptic curve E(Fp) with B-smooth #E(Fp), i.e. all
prime factors qi | #E(Fp) are qi < B.I Given a DH oracle for G, thenI Can compute DLP in G in time
√B (log p)O(1)
I In many cases: DLP =P CDH, but exist examples whereDDH <P CDH.
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography
Basic DefinitionsAlgorithms for DLP
Reductions of Hard Problems
References
I Nigel Smart’s book (chapter 12):http://www.cs.bris.ac.uk/∼nigel/Crypto Book
I Optional: Maurer and Wolf, The Diffie-Hellman Protocolftp://ftp.inf.ethz.ch/pub/crypto/publications/MauWol00c.pdf
Frederik Vercauteren ESAT/COSIC - K.U. Leuven ECRYPT Summer School 2008Discrete Logarithms in Cryptography