Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!qt.cs.utexas.edu!yale.edu!jvnc.net!darwin.sura.net!gatech!news.ans.net!yktnews!admin!yktnews!victor
From: victor@watson.ibm.com (Victor Miller)
Subject: Re: Discrete log question (was Re: Field Elliptical Encryption)
Sender: news@watson.ibm.com (NNTP News Poster)
Message-ID: <VICTOR.92Feb3113633@irt.watson.ibm.com>
In-Reply-To: kasdan@cunixa.cc.columbia.edu's message of Mon, 3 Feb 1992 15:06:50 GMT
Date: Mon, 3 Feb 1992 16:36:33 GMT
Reply-To: victor@watson.ibm.com
Disclaimer: This posting represents the poster's views, not necessarily those of IBM
References: <1992Jan29.003819.26360@msuinfo.cl.msu.edu>
	<VICTOR.92Jan31185659@irt.watson.ibm.com>
	<1992Feb3.150650.7565@cunixf.cc.columbia.edu>
Nntp-Posting-Host: irt.watson.ibm.com
Organization: IBM, T.J. Watson Research Center

Here's a short description of the Diffie-Hellman key-exchange
protocol, and related stuff:

Suppose that two parties (A and B) want to agree on a common PRIVATE
key where the only means of communication is a public channel.  Here's
what DH proposed:  Let p be a large prime [ it was later observed by
many that this could work over any large finite field ] and g a
primitive root mod p.  Both p and g are public.  A chooses a random
integer a mod p-1 and B chooses a random b mod p-1.  A sends g^a mod p
to B and B sends g^b mod p to A.  Both may then calculate g^{ab} mod p
easily, but any eavesdropper only knows g^a and g^b.  Diffie and
Hellman hypothesized (still unproven), that the only way to recover
g^{ab} from g^a and g^b would be to solve the "discrete log problem":
find a given g^a.  They further observed that as long as p-1 had a
large prime factor, the only way that they knew to solve this was
via the "Baby step Giant Step method" (they thought that they invented
this, but it was really invented by Dan Shanks): Let k be about
sqrt(p-1), an integer.  Tabulate g^i for i=0, ... , k.  Now, if you're
given x=g^a (a unknown), successively compute x g^{-ik} for i from 0
up to about k, and search the table for a match.  This takes time and
space about sqrt(p).  Unknown to Diffie and Hellman, Western and
Miller had already invented the so-called "index calculus attack"
which was subsequently rediscovered by Len Adleman (the A in RSA).  It
works like this:

Fix a parameter K (specified later).  Do the following precomputation:

1) Choose a mod p-1 at random, set x=g^a mod p

2) Treating x as an integer, check if it completely factors into
primes <=K.  If it doesn't, go back to step 1)

3) If it factors, g^a = p_1^{r_1} ... p_k^{r_k}, we have an equation:

a = r_1 ind 2 + r_2 ind 3 + ... + r_k ind p_k

where p_1 (=2) up to p_k are the primes less than K.

Repeat these three steps until we've gathered enough equations to
solve for ind p_i.

Now, to find an individual discrete log of x we do the following:

1) Choose a mod p-1 at random.

2) Check if x g^{-a} treated as an integer factors into primes <=K. If
it doesn't, go back to step 1).

3) If it does, we have the discrete log of x:

x g^{-a} = p_1^{s_1} ... p_k^{s_k} so

ind x = a + s_1 ind 2 + ... + s_k ind p_k

The choice of K which makes the algorithm fastest (this is where the
tricky analysis comes in), is approximately 

L[1;x] where L[a;x] = exp(sqrt(log x)^a (log log x)^{1-a}).

See an extensive paper by Andrew Odlyzko in the proceedings of
Eurocrypt (I think 1987, but I might be off by a year) about index
calculus attacks.

I argued that the analogous system using elliptic curves wasn't
vulnerable to such attacks.

Incidentally, the DH key exchange protocol is easily made into a PK
system by changing the timing:  Have everyone choose an exponent a mod
p-1 at random, and publish g^{a}.  If you want to send me a message,
choose a b mod p-1 at random, and send me g^b mod p plus the message
encrypted with the key K^b where K is my public key (really g^a for
some a).  Tito El Gamal noticed this, and further used a cipher (like
the Vernam cipher) crypt(x) := x*g^a, where a is chosen at random mod p-1.
--
			Victor S. Miller
			Vnet and Bitnet:  VICTOR at WATSON
			Internet: victor@watson.ibm.com
			IBM, TJ Watson Research Center
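The Diffie-Hellman exchange, the ElGamal "timing change" at the end of the post, and the Baby step Giant Step recovery of the exponent, worked through in Python as an added illustration (this is not code from the post or from Miller). The prime p = 10007 and generator g = 5 are constructed toy values chosen so that the sqrt(p)-time attack finishes instantly; nothing here is a real parameter set.

```python
"""Diffie-Hellman key agreement, its ElGamal public-key variant, and Shanks'
baby-step giant-step recovery of the exponent, as sketched in the post.

Added illustration, not code from the post.  The prime and generator are
constructed toy values: p = 10007 (p - 1 = 2 * 5003) with primitive root 5.
"""
import math
import random

P = 10007   # constructed toy prime, far too small for real use
G = 5       # primitive root mod P (assumption; the test checks it)


def is_primitive_root(g, p):
    """g generates (Z/pZ)^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    n, m, q, factors = p - 1, p - 1, 2, set()
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, n // q, p) != 1 for q in factors)


def dh_exchange(p, g, seed=None):
    """A picks a, B picks b (both mod p-1), they exchange g^a and g^b over the
    public channel, and each computes g^{ab}.  Returns (g^a, g^b, shared key)."""
    rng = random.Random(seed)
    a = rng.randrange(1, p - 1)
    b = rng.randrange(1, p - 1)
    ga, gb = pow(g, a, p), pow(g, b, p)   # the only values an eavesdropper sees
    key_a, key_b = pow(gb, a, p), pow(ga, b, p)
    assert key_a == key_b                  # both sides hold g^{ab}
    return ga, gb, key_a


def baby_step_giant_step(p, g, x):
    """Shanks' method: tabulate g^i for i = 0..k (baby steps), then compute
    x * g^{-jk} for j = 0..k (giant steps) and look for a table hit.
    Time and space are about sqrt(p).  Returns a with g^a = x mod p."""
    k = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for i in range(k + 1):
        table.setdefault(cur, i)           # keep the smallest i for each value
        cur = (cur * g) % p
    giant = pow(g, -k, p)                  # g^{-k}; Python 3.8+ modular inverse
    gamma = x % p
    for j in range(k + 1):
        if gamma in table:
            return (j * k + table[gamma]) % (p - 1)
        gamma = (gamma * giant) % p
    return None                            # unreachable when g is a primitive root


def eavesdrop(p, g, ga, gb):
    """The route the post says is the only known one: recover a from g^a,
    then compute (g^b)^a = g^{ab}.  Feasible here only because p is tiny."""
    a = baby_step_giant_step(p, g, ga)
    return pow(gb, a, p)


def elgamal_keygen(p, g, seed=None):
    """The timing change: each party publishes g^a once and keeps a."""
    a = random.Random(seed).randrange(1, p - 1)
    return a, pow(g, a, p)


def elgamal_encrypt(p, g, pub, m, seed=None):
    """Sender picks a fresh b, sends g^b plus m * K^b where K = pub = g^a."""
    b = random.Random(seed).randrange(1, p - 1)
    return pow(g, b, p), (m * pow(pub, b, p)) % p


def elgamal_decrypt(p, a, c1, c2):
    """Recipient recomputes K^b = (g^b)^a and divides it out of c2."""
    return (c2 * pow(pow(c1, a, p), -1, p)) % p
```

The table in `baby_step_giant_step` has about sqrt(p) entries, which is exactly the cost the post quotes; at a 10007-element group that is a hundred entries, at a real-size prime it is the reason the method is only a lower bound on the attacker's work rather than a practical attack.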
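The two phases of the index calculus attack described in the post (precomputation of ind p_i for the primes up to K, then the individual log of x), carried out in Python as an added illustration that is not code from the post. Constructed toy parameters: p = 10007 with q = (p-1)/2 = 5003 (a safe prime, so p-1 = 2q), primitive root g = 5, and smoothness bound K = 30. Since the indices live in Z/(p-1)Z, which is not a field, this example solves the relation system mod 2 and mod q separately and recombines by the Chinese remainder theorem; that shortcut, not anything in the post, is why it insists on a safe prime.

```python
"""Index calculus for discrete logs, following the two phases in the post,
on a toy safe prime p = 2q + 1.

Added illustration, not code from the post.  Constructed parameters:
p = 10007, q = 5003 (both prime), primitive root g = 5, smoothness bound
K = 30.  Relations are solved mod 2 and mod q and recombined by CRT.
"""
import random

P = 10007
Q = (P - 1) // 2          # 5003, prime (assumption behind the CRT step)
G = 5
BOUND = 30                # the parameter K of the post


def small_primes(bound):
    """Primes <= bound by a plain sieve; this is the factor base p_1..p_k."""
    sieve = [True] * (bound + 1)
    primes = []
    for n in range(2, bound + 1):
        if sieve[n]:
            primes.append(n)
            for m in range(n * n, bound + 1, n):
                sieve[m] = False
    return primes


FACTOR_BASE = small_primes(BOUND)


def trial_factor(x, base):
    """Exponent vector [r_1..r_k] of x over the factor base, or None if some
    prime > K remains (the 'doesn't factor, go back to step 1' case)."""
    exps = []
    for pr in base:
        e = 0
        while x % pr == 0:
            x //= pr
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def solve_mod_prime(rows, ell):
    """Gauss-Jordan over GF(ell) on augmented rows [c_1 .. c_n | rhs].
    Returns the unique solution, or None when the system is rank-deficient
    and more relations are needed."""
    m = [[c % ell for c in row] for row in rows]
    n = len(m[0]) - 1
    for col in range(n):
        piv = next((r for r in range(col, len(m)) if m[r][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, ell)
        m[col] = [(v * inv) % ell for v in m[col]]
        for r in range(len(m)):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % ell for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def crt_safe_prime(r2, rq, q):
    """Lift residues mod 2 and mod q to the unique residue mod 2q (q odd)."""
    return rq if rq % 2 == r2 else (rq + q) % (2 * q)


def precompute_indices(p, g, base, seed=None):
    """Phase 1: draw random a, keep those whose g^a mod p is K-smooth, each
    giving  a = sum r_i * ind p_i  (mod p-1); solve once enough are in hand."""
    rng = random.Random(seed)
    q = (p - 1) // 2
    rows = []
    while True:
        a = rng.randrange(1, p - 1)
        exps = trial_factor(pow(g, a, p), base)
        if exps is None:
            continue
        rows.append(exps + [a])
        if len(rows) < len(base) + 5:      # a few spare relations for full rank
            continue
        sol2, solq = solve_mod_prime(rows, 2), solve_mod_prime(rows, q)
        if sol2 is not None and solq is not None:
            return [crt_safe_prime(s2, sq, q) for s2, sq in zip(sol2, solq)]


def index_calculus_log(p, g, x, base, indices, seed=None):
    """Phase 2: randomise x by g^{-a} until the result is K-smooth, then
    ind x = a + sum s_i * ind p_i  (mod p-1)."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(1, p - 1)
        exps = trial_factor((x * pow(g, -a, p)) % p, base)
        if exps is not None:
            return (a + sum(s * i for s, i in zip(exps, indices))) % (p - 1)
```

Once `precompute_indices` has run, every further logarithm mod this p costs only the phase-2 loop, which is the property that makes index calculus a subexponential method in the prime-field setting and, as the post notes, the property Miller argued does not carry over to elliptic curve groups.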
