Parts X–XI:
Diffie-Hellman & Elliptic Curves

Bartosz Naskręcki

Elements of Cryptanalysis • Adam Mickiewicz University

Chapters 28–33

Part X

Diffie-Hellman & DLP — Chapters 28–30

Chapter 28

Diffie-Hellman & the Discrete Log Problem

DLP & Diffie-Hellman Protocol

Definition — Discrete Logarithm Problem
Given \(g, h \in \mathbb{F}_p^*\) with \(h \in \langle g \rangle\), find \(x\) such that \(g^x \equiv h \pmod{p}\). The answer is unique modulo the order of \(g\).
Diffie-Hellman Key Exchange
Public: prime \(p\), generator \(g\). Alice picks \(a\), sends \(A = g^a\). Bob picks \(b\), sends \(B = g^b\). \[ \text{Shared secret: } K = g^{ab} = B^a = A^b \] The exchange by itself is unauthenticated: an active attacker who replaces \(A\) and \(B\) with values of their own shares a key with each side (man-in-the-middle). In practice \(g\) generates a subgroup of prime order \(q\), \(a, b\) are uniform in \([1, q-1]\), and each side checks that the value it receives lies in that subgroup before using it.
Security Assumptions
CDH: Given \(g^a, g^b\), computing \(g^{ab}\) is hard.
DDH: \((g^a, g^b, g^{ab})\) is indistinguishable from \((g^a, g^b, g^c)\).

DLP Algorithms

Algorithm            | Complexity, with \(n = |\langle g \rangle|\)                                      | Requirement
Baby-step giant-step | \(O(\sqrt{n})\) time and \(O(\sqrt{n})\) memory                                   | generic group
Pollard \(\rho\)     | \(O(\sqrt{n})\) time, constant memory                                             | generic group
Pohlig-Hellman       | \(O\big(\sum_i e_i(\log n + \sqrt{p_i})\big)\) for \(n = \prod_i p_i^{e_i}\)      | smooth group order (smooth \(p{-}1\) in \(\mathbb{F}_p^*\))
Index calculus       | \(L_p[1/2, c]\) for the basic method, \(L_p[1/3, c]\) with the number field sieve | \(\mathbb{F}_p^*\) only (needs a notion of smoothness)
Safe Primes
Use \(p = 2q + 1\) with \(q\) prime and work in the subgroup of order \(q\): take \(g = h^2 \bmod p\) for a random \(h \neq \pm 1\). (A generator of all of \(\mathbb{F}_p^*\) has order \(2q\), and the Legendre symbol of \(g^a\) then leaks the parity of \(a\).) Then \(|\langle g \rangle| = q\) is prime, Pohlig-Hellman gives no advantage, and a received public value \(y\) can be validated with \(1 < y < p-1\) and \(y^q \equiv 1 \pmod{p}\).
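The exchange above together with the two generic attacks from the table, as an added example (not code from the lecture): baby-step giant-step, Pohlig-Hellman built on top of it, and the subgroup check a receiver should run. The moduli 65537 (where \(p-1 = 2^{16}\) is smooth) and the safe prime 10007 (\(q = 5003\)) and all exponents are constructed toy values; the function names are my own.

```python
# Added example (not from the lecture): toy Diffie-Hellman over F_p^* and the two generic
# DLP attacks from the table, baby-step giant-step and Pohlig-Hellman. Parameters are
# deliberately tiny constructed values; real deployments use 2048-bit-plus moduli.
from math import isqrt


def dh_exchange(p, g, a, b):
    """Unauthenticated DH: returns (A, B, K_alice, K_bob); both K values must agree."""
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p), pow(A, b, p)


def in_subgroup(y, p, q):
    """Receiver-side check that a peer's public value lies in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def factorize(n):
    """Trial division; fine for the toy group orders used here."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def bsgs(g, h, p, n):
    """Baby-step giant-step: x in [0, n) with g^x = h (mod p) in about 2*sqrt(n) group ops.
    n is the order of g; returns None if h is not in <g>."""
    m = isqrt(n) + 1
    baby = {}
    e = 1
    for j in range(m):                 # baby steps: g^j -> j
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)               # g^{-m}
    gamma = h
    for i in range(m):                 # giant steps: h * g^{-im}
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * step % p
    return None


def pohlig_hellman(g, h, p, n):
    """DLP in <g> of order n = prod q^e, reduced to BSGS instances in the order-q subgroups,
    so the cost is driven by the largest prime factor of n, not by n itself."""
    x_total, mod_total = 0, 1
    for q, e in factorize(n).items():
        qe = q ** e
        g0, h0 = pow(g, n // qe, p), pow(h, n // qe, p)     # g0 has order q^e
        gamma = pow(g0, qe // q, p)                          # gamma has order q
        x = 0
        for k in range(e):                                   # recover x mod q^e digit by digit
            hk = pow(pow(g0, -x, p) * h0 % p, qe // q ** (k + 1), p)
            x += bsgs(gamma, hk, p, q) * q ** k
        # CRT: merge x (mod q^e) into x_total (mod mod_total)
        t = (x - x_total) * pow(mod_total, -1, qe) % qe
        x_total += mod_total * t
        mod_total *= qe
    return x_total % n


def attack_demo():
    """Returns the exponents recovered in a smooth-order group and in a safe-prime group."""
    # p - 1 = 2^16: Pohlig-Hellman needs sixteen BSGS instances in a group of order 2.
    p, g, a, b = 65537, 3, 12345, 54321
    A, B, ka, kb = dh_exchange(p, g, a, b)
    assert ka == kb
    smooth_a = pohlig_hellman(g, A, p, p - 1)
    # p = 2q + 1 is a safe prime; g = 5^2 generates the order-q subgroup, so the
    # reduction stops at a single BSGS of size sqrt(q): no shortcut from the structure.
    p, q, g, a, b = 10007, 5003, 25, 4242, 1337
    A, B, ka, kb = dh_exchange(p, g, a, b)
    assert ka == kb and in_subgroup(A, p, q) and in_subgroup(B, p, q)
    safe_a = pohlig_hellman(g, A, p, q)
    return smooth_a, safe_a


if __name__ == "__main__":
    print(attack_demo())
```

The point of the two runs in `attack_demo` is the contrast from the table: for \(p - 1 = 2^{16}\) the attacker only ever solves order-2 instances, while for the safe prime the last step is a full \(\sqrt{q}\) search, which is all the structure of \(p-1\) allows.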

Chapter 29

ElGamal Encryption

ElGamal & Digital Signatures

ElGamal Encryption
Key: \(h = g^x \bmod p\). Encrypt message \(m\): \[ (c_1, c_2) = (g^k \bmod p, \; m \cdot h^k \bmod p) \] Decrypt: \(m = c_2 \cdot c_1^{-x} \bmod p\)
Properties
  • IND-CPA secure under the DDH assumption in \(\langle g \rangle\), provided plaintexts are encoded into the prime-order subgroup (a message outside it leaks its Legendre symbol)
  • Multiplicatively homomorphic: \(E(m_1) \cdot E(m_2) = E(m_1 m_2)\) componentwise. The flip side is malleability, so the scheme is not IND-CCA
  • Nonce reuse: two encryptions with the same \(k\) share \(c_1\), and \(c_2 / c_2' = m / m'\), so one known plaintext reveals the other (the key \(x\) itself stays hidden). In the ElGamal signature scheme (\(r = g^k \bmod p\), \(s = k^{-1}(H(m) - xr) \bmod (p-1)\)) a reused \(k\) is fatal: two signatures give \(k\) from \((s_1 - s_2)k \equiv H(m_1) - H(m_2)\), and then the signing key \(x\) from \(xr \equiv H(m_1) - ks_1 \pmod{p-1}\)
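The encryption scheme above, its homomorphism, and what nonce reuse actually leaks, as an added example (not code from the lecture). It also carries the standard ElGamal signature scheme, which the slides name but do not write out, so the key-recovery consequence of a repeated \(k\) can be shown next to the plaintext-ratio leak of the encryption scheme. The safe prime 10007 with generator 5, all keys and nonces, the SHA-256 message hash, and every function name are constructed assumptions of this example.

```python
# Added example (not from the lecture): textbook ElGamal encryption over F_p^*, the
# multiplicative homomorphism, and what nonce reuse leaks, both for encryption (a plaintext
# ratio) and for the ElGamal signature scheme (the signing key). The signature scheme is the
# standard one and is not spelled out on the slides; all parameters are constructed toys.
import hashlib
from math import gcd

P, G = 10007, 5          # safe prime p = 2*5003 + 1; 5 generates F_p^*


def hash_int(msg, modulus):
    """H(m) as an integer mod (p-1) for signing; SHA-256 is an assumed placeholder choice."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % modulus


def keygen(x, p=P, g=G):
    """Secret x in [1, p-2], public h = g^x mod p (x is supplied so the demo is deterministic)."""
    return x, pow(g, x, p)


def encrypt(h, m, k, p=P, g=G):
    """(c1, c2) = (g^k, m * h^k) mod p.  k must be fresh and uniform for every message."""
    assert 1 <= m < p and 1 <= k < p - 1
    return pow(g, k, p), m * pow(h, k, p) % p


def decrypt(x, ct, p=P):
    c1, c2 = ct
    return c2 * pow(c1, -x, p) % p


def multiply(ct1, ct2, p=P):
    """Componentwise product: E(m1) * E(m2) decrypts to m1 * m2 (its nonce is k1 + k2)."""
    return ct1[0] * ct2[0] % p, ct1[1] * ct2[1] % p


def nonce_reuse_plaintext(ct_known, m_known, ct_target, p=P):
    """Two ciphertexts with the same k share c1, and then c2'/c2 = m'/m: one known
    plaintext exposes the other one.  The secret key x is not exposed by this."""
    if ct_known[0] != ct_target[0]:
        raise ValueError("different nonces, no relation to exploit")
    return ct_target[1] * pow(ct_known[1], -1, p) * m_known % p


def sign(x, msg, k, p=P, g=G):
    """ElGamal signature: r = g^k, s = k^{-1}(H(m) - x r) mod (p-1), gcd(k, p-1) = 1."""
    assert gcd(k, p - 1) == 1
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (hash_int(msg, p - 1) - x * r) % (p - 1)
    return r, s


def verify(h, msg, sig, p=P, g=G):
    r, s = sig
    return 0 < r < p and pow(g, hash_int(msg, p - 1), p) == pow(h, r, p) * pow(r, s, p) % p


def solve_linear(a, b, n):
    """All x in [0, n) with a*x = b (mod n); empty if gcd(a, n) does not divide b."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    step = n // d
    x0 = (b // d) * pow(a // d, -1, step) % step if step > 1 else 0
    return [x0 + i * step for i in range(d)]


def nonce_reuse_signing_key(h, m1, sig1, m2, sig2, p=P, g=G):
    """Same r in two signatures means the same k.  Then (s1 - s2) k = H1 - H2 (mod p-1)
    yields k, and x r = H1 - k s1 (mod p-1) yields the signing key x.  p-1 is not prime,
    so each congruence may have several solutions; they are filtered by g^k = r, g^x = h."""
    (r, s1), (_, s2) = sig1, sig2
    if sig2[0] != r:
        raise ValueError("different nonces, no relation to exploit")
    h1, h2 = hash_int(m1, p - 1), hash_int(m2, p - 1)
    for k in solve_linear(s1 - s2, h1 - h2, p - 1):
        if pow(g, k, p) != r:
            continue
        for x in solve_linear(r, h1 - k * s1, p - 1):
            if pow(g, x, p) == h:
                return x
    return None


if __name__ == "__main__":
    x, h = keygen(3333)
    s1 = sign(x, b"pay 10 EUR", 1235)
    s2 = sign(x, b"pay 10000 EUR", 1235)     # same k: the attacker gets x back
    print(nonce_reuse_signing_key(h, b"pay 10 EUR", s1, b"pay 10000 EUR", s2))
```

`solve_linear` matters because \(p-1 = 2q\) is composite: \(s_1 - s_2\) or \(r\) may be even, in which case the congruence has two solutions and the recovery has to test both against the public values.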

Chapter 30

Index Calculus Method

Sub-Exponential DLP in \(\mathbb{F}_p^*\)

Three Phases
  1. Relation collection: pick exponents \(r_i\) and keep those for which \(g^{r_i} \bmod p\) is \(B\)-smooth, i.e. factors completely over the factor base of primes \(\ell \leq B\); each one is a relation \(r_i \equiv \sum_\ell e_{i,\ell} \log_g \ell \pmod{p-1}\)
  2. Linear algebra: solve the system \(\bmod (p{-}1)\) for the unknowns \(\log_g \ell\), all primes \(\ell \leq B\) (in practice modulo each prime-power factor of \(p-1\), then CRT, since \(p-1\) is composite)
  3. Individual log: try \(s = 0, 1, 2, \ldots\) until \(h \cdot g^s \bmod p\) is \(B\)-smooth, say \(h g^s \equiv \prod_\ell \ell^{e_\ell}\); then \(\log_g h \equiv \sum_\ell e_\ell \log_g \ell - s \pmod{p-1}\)
Phases 1 and 2 depend only on \(p\) and \(g\), so their cost is paid once per group and amortised over every discrete logarithm in it; only phase 3 is per-target.
Complexity
The basic method above runs in \(L_p[1/2, c]\); the number field sieve refinement reaches \(L_p[1/3, c]\). Both are sub-exponential in \(\log p\), against \(O(\sqrt{p})\) for the generic attacks.

This is why \(\mathbb{F}_p^*\) needs 3072-bit primes for 128-bit security, while ECC needs only 256-bit curves.
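The three phases carried out on a toy instance, as an added example (not code from the lecture). It assumes a safe prime \(p = 2q+1\) and a generator \(g\) of \(\mathbb{F}_p^*\), so that the exponent ring \(\mathbb{Z}/(p-1) \cong \mathbb{Z}/2 \times \mathbb{Z}/q\) splits into a Gaussian elimination over \(\mathbb{F}_q\) and a parity read off from Euler's criterion; \(p = 10007\), \(g = 5\), the bound \(B = 30\) and the function names are constructed for this example.

```python
# Added example (not from the lecture): a toy index calculus for F_p^* with p = 2q + 1 a safe
# prime, following the three phases above.  Exponents live in Z/(p-1) = Z/2 x Z/q, so the
# linear algebra is done over F_q by Gaussian elimination and over F_2 by Euler's criterion,
# then glued by CRT.  p, g and the smoothness bound B are constructed toy values.

def primes_upto(B):
    """Factor base: all primes <= B (simple sieve)."""
    sieve = [True] * (B + 1)
    sieve[0:2] = [False, False]
    for i in range(2, int(B ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(sieve[i * i::i])
    return [i for i, is_p in enumerate(sieve) if is_p]


def smooth_vector(n, base):
    """Exponent vector of n over the factor base, or None if n is not B-smooth."""
    vec = []
    for l in base:
        e = 0
        while n % l == 0:
            n //= l
            e += 1
        vec.append(e)
    return vec if n == 1 else None


def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan over F_q on an overdetermined consistent system; None if rank-deficient."""
    n = len(rows[0])
    M = [[v % q for v in row] + [b % q] for row, b in zip(rows, rhs)]
    pivots = 0
    for col in range(n):
        piv = next((i for i in range(pivots, len(M)) if M[i][col]), None)
        if piv is None:
            return None
        M[pivots], M[piv] = M[piv], M[pivots]
        inv = pow(M[pivots][col], -1, q)
        M[pivots] = [v * inv % q for v in M[pivots]]
        for i in range(len(M)):
            if i != pivots and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * b) % q for a, b in zip(M[i], M[pivots])]
        pivots += 1
    return [M[i][n] for i in range(n)]


def factor_base_logs(p, g, B):
    """Phases 1 and 2: log_g(l) mod (p-1) for every prime l <= B."""
    q = (p - 1) // 2
    assert pow(g, 2, p) != 1 and pow(g, q, p) != 1, "g must generate F_p^*"
    base = primes_upto(B)
    rows, rhs, r, need = [], [], 1, len(base) + 5
    while True:
        while len(rows) < need:                       # phase 1: g^r = prod l^e_l
            assert r < p - 1, "ran out of exponents; raise B"
            vec = smooth_vector(pow(g, r, p), base)
            if vec is not None:
                rows.append(vec)
                rhs.append(r)                         # r = sum_l e_l log_g(l)  (mod p-1)
            r += 1
        logs_q = solve_mod_prime(rows, rhs, q)        # phase 2, modulo q
        if logs_q is not None:
            break
        need += 5                                     # rank drop: collect more relations
    logs = {}
    for l, lq in zip(base, logs_q):
        parity = 0 if pow(l, q, p) == 1 else 1        # log even iff l is a QR (g is not)
        logs[l] = lq if lq % 2 == parity else lq + q  # CRT: q is odd, so +q flips parity
    return logs


def individual_log(p, g, h, logs):
    """Phase 3: find s with h * g^s B-smooth, then log h = sum e_l log l - s."""
    base = sorted(logs)
    for s in range(p - 1):
        vec = smooth_vector(h * pow(g, s, p) % p, base)
        if vec is not None:
            return (sum(e * logs[l] for e, l in zip(vec, base)) - s) % (p - 1)
    raise ValueError("no smooth multiple found; raise B")


if __name__ == "__main__":
    p, g = 10007, 5
    logs = factor_base_logs(p, g, 30)                 # one-time cost for this (p, g)
    x = individual_log(p, g, 9999, logs)             # per-target cost
    print(x, pow(g, x, p) == 9999)
```

The split into `factor_base_logs` and `individual_log` mirrors the remark that the expensive phases are per group, not per target: once `logs` exists, every further logarithm in this group costs only the search for one smooth \(h g^s\).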

Part XI

Elliptic Curve Cryptography — Chapters 31–33

Chapter 31

Elliptic Curves & Group Law

The Elliptic Curve Group

Weierstrass Equation
Over \(\mathbb{F}_p\) (\(p > 3\)): \[ E: y^2 = x^3 + ax + b, \quad \Delta = -16(4a^3 + 27b^2) \neq 0 \]
Point Addition
For \(P = (x_1, y_1), Q = (x_2, y_2)\) with \(P \neq \pm Q\), \(P + Q = (x_3, y_3)\): \[ \lambda = \frac{y_2 - y_1}{x_2 - x_1}, \quad x_3 = \lambda^2 - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1 \] Doubling (\(P = Q\), \(y_1 \neq 0\)): \(\lambda = \frac{3x_1^2 + a}{2y_1}\). Exceptional cases: \(P + \mathcal{O} = P\), and \(P + (x_1, -y_1) = \mathcal{O}\) (which covers \(2P = \mathcal{O}\) when \(y_1 = 0\)); an implementation must branch on them before inverting \(x_2 - x_1\) or \(2y_1\).
Hasse’s Theorem
\(|\#E(\mathbb{F}_p) - (p+1)| \leq 2\sqrt{p}\)

Chapter 32

Point Groups & Counting

Structure & Counting

Structure Theorem
\(E(\mathbb{F}_p) \cong \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}\) where \(n_2 | n_1\) and \(n_2 | (p-1)\). Most cryptographic curves: \(E(\mathbb{F}_p) \cong \mathbb{Z}_n\) (cyclic).
Schoof’s Algorithm
Counts \(\#E(\mathbb{F}_p)\) in polynomial time \(O((\log p)^8)\). Uses the Frobenius endomorphism \(\phi: (x,y) \mapsto (x^p, y^p)\) and the characteristic equation: \[ \phi^2 - t\phi + p = 0 \quad \text{on } E \] Compute \(t \bmod \ell\) for small primes \(\ell\) with \(\prod \ell > 4\sqrt{p}\); CRT gives \(t\) (unique in the Hasse interval), and \(\#E(\mathbb{F}_p) = p + 1 - t\).

Chapter 33

ECC in Practice

ECDH, ECDSA & Security

ECDH
Alice: \(a, A = aG\). Bob: \(b, B = bG\). Shared: \(K = abG\). Before multiplying by its secret, each side checks that the received point lies on the curve and in the order-\(n\) subgroup generated by \(G\); otherwise a point of small order on another curve (an invalid-curve point) lets the peer recover the secret modulo that small order.
ECDSA
Sign: \(k\) random, \(R = kG\), \(r = x(R) \bmod n\), \(s = k^{-1}(H(m) + dr) \bmod n\), restarting with a new \(k\) if \(r = 0\) or \(s = 0\). Verify: check \(0 < r, s < n\) and that \(Q\) is a valid point of order \(n\), then that \(s^{-1}(H(m)G + rQ)\) has x-coordinate \(\equiv r \pmod n\). As for ElGamal signatures, \(k\) must be fresh and uniform: a repeated or biased \(k\) reveals \(d\). Note also that \((r, n - s)\) verifies whenever \((r, s)\) does, so protocols that need unique signatures must fix a canonical \(s\).
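The group law of Chapter 31 (with its exceptional cases), the Hasse bound of the same chapter, and ECDH and ECDSA as given above, all in one added example that is not code from the lecture. Point counting here is brute force over all \(x\), a stand-in for Schoof's algorithm, not an implementation of it. The toy curve \(y^2 = x^3 + 2x + 2\) over \(\mathbb{F}_{17}\) with \(G = (5, 1)\), which has prime order 19, the secrets and nonces, SHA-256 as the message hash, and all names are assumptions of this example; none of it is deployable as-is.

```python
# Added example (not from the lecture): the affine group law of Chapter 31 with its exceptional
# cases, double-and-add scalar multiplication, brute-force point counting checked against the
# Hasse bound (a stand-in for Schoof, which is out of scope here), and ECDH / ECDSA on top.
# The toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) has prime order 19;
# SHA-256 reduced mod n is the assumed message hash.  Nothing here is deployable as-is.
import hashlib
import random

INF = None      # the point at infinity, identity of the group


class Curve:
    def __init__(self, p, a, b):
        assert p > 3 and (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (0 <= x < self.p and 0 <= y < self.p
                and (y * y - x ** 3 - self.a * x - self.b) % self.p == 0)

    def add(self, P, Q):
        """Chord-and-tangent law; P = -Q (same x, opposite y, or y = 0) gives INF."""
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2:
            if (y1 + y2) % p == 0:
                return INF
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p     # tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p                 # chord
        x3 = (lam * lam - x1 - x2) % p
        return x3, (lam * (x1 - x3) - y1) % p

    def mul(self, k, P):
        """Double-and-add; not constant-time, fine for an illustration."""
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def count_points(self):
        """#E(F_p) by Euler's criterion at every x: O(p log p), unlike Schoof's polynomial time."""
        n = 1                                    # the point at infinity
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            if rhs == 0:
                n += 1
            elif pow(rhs, (self.p - 1) // 2, self.p) == 1:
                n += 2
        return n


def hasse_ok(p, n):
    """|n - (p + 1)| <= 2 sqrt(p), squared to stay in integers."""
    return (n - p - 1) ** 2 <= 4 * p


def valid_public_key(curve, Q, n):
    """Reject INF, off-curve points (invalid-curve attacks) and points outside the order-n group."""
    return Q is not INF and curve.on_curve(Q) and curve.mul(n, Q) is INF


def ecdh_shared(curve, n, my_secret, peer_public):
    if not valid_public_key(curve, peer_public, n):
        raise ValueError("peer public key rejected")
    return curve.mul(my_secret, peer_public)


def hash_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(curve, G, n, d, z, k):
    """r = x(kG) mod n, s = k^{-1}(z + d r) mod n; z is the hashed message, k a fresh nonce."""
    assert 0 < k < n
    r = curve.mul(k, G)[0] % n
    s = pow(k, -1, n) * (z + d * r) % n
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def ecdsa_verify(curve, G, n, Q, z, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n and valid_public_key(curve, Q, n)):
        return False
    w = pow(s, -1, n)
    R = curve.add(curve.mul(z * w % n, G), curve.mul(r * w % n, Q))
    return R is not INF and R[0] % n == r


if __name__ == "__main__":
    E, G, n = Curve(17, 2, 2), (5, 1), 19
    assert E.count_points() == n and hasse_ok(17, n) and E.mul(n, G) is INF
    shared = ecdh_shared(E, n, 3, E.mul(8, G))          # Alice (a = 3) with Bob's B = 8G
    d, Q, z = 4, E.mul(4, G), hash_int(b"hello", n)
    while True:                                          # fresh random k, retried on r = 0 or s = 0
        try:
            sig = ecdsa_sign(E, G, n, d, z, random.SystemRandom().randrange(1, n))
            break
        except ValueError:
            pass
    print(shared, sig, ecdsa_verify(E, G, n, Q, z, sig))
```

With \(n = 19\) the hash is reduced to a residue in \([0, 19)\), so this toy says nothing about collision resistance; it exists to show the arithmetic, the validation checks, and why an \((r, n-s)\) pair verifies just as well as \((r, s)\).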
Security level | RSA modulus (bits) | DH modulus \(p\) in \(\mathbb{F}_p^*\) (bits) | ECC group order \(n\) (bits)
128-bit        | 3072               | 3072                                          | 256
192-bit        | 7680               | 7680                                          | 384
256-bit        | 15360              | 15360                                         | 512

ECC advantage: there is no index calculus (no useful notion of "smooth" points), so for a curve without special structure (prime order \(n\), not anomalous, large embedding degree) the best known attack is the generic Pollard \(\rho\) at \(O(\sqrt{n})\), which is why 256-bit curves suffice for 128-bit security.

Parts X–XI: Summary

Ch | Topic          | Key Result
28 | DH & DLP       | CDH/DDH assumptions, safe primes, DLP algorithms
29 | ElGamal        | IND-CPA under DDH, nonce-reuse vulnerability
30 | Index calculus | sub-exponential DLP in \(\mathbb{F}_p^*\) (\(L_p[1/3]\) with the number field sieve)
31 | EC group law   | Chord-tangent addition, Hasse bound
32 | Point groups   | Schoof’s algorithm, structure theorem
33 | ECC practice   | 256-bit ECC \(\approx\) 3072-bit RSA security

End of Parts X–XI