Understanding Group Choices for Discrete Log Assumption
Explore the concept of group choices for the discrete logarithm assumption in cyclic groups, prime-order groups, and prime-order subgroups. Learn why certain groups are believed to make the discrete logarithm problem hard and how to select optimal groups for cryptographic applications.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Group choice for the Discrete Log Assumption Slides by Prof. Jonathan Katz. Lightly edited by me.
Recall Cyclic group G of order q with generator g G G = {g0, g1, , gq-1} For any h G, define logg h {0, , q-1} as logg h = x gx = h The discrete logarithm problem in G is to compute logg h We also discussed the (related, but not identical) Diffie-Hellman problems
Group selection The discrete logarithm problem is not hard in all groups! For example, it is easy in N (for any N, and for any generator) Nevertheless, there are certain groups where the problem is believed to be hard Note: since all cyclic groups of the same order are isomorphic, the group representation matters!
Group selection For cryptographic applications, best to use prime- order groups The dlog problem becomes easier if the order of the group has small prime factors DDH is easy if the group order has small prime factors. Prime-order groups have several nice features E.g., every element except identity is a generator Two common choices of groups for cryptography DDH believed to be as hard as dlog in these groups
Group selection: choice 1 Prime-order subgroup of *p, p prime E.g., let p = tq + 1 for p, q prime So *p has order p-1 = tq Take the subgroup of tth powers, i.e., G = { [xt mod p]| x *p } *p G is a group Can show that it has order (p-1)/t = q Since q is prime, G must be cyclic Generalizations based on finite fields also used
Group selection: choice 1 Prime-order subgroup of *p, p prime E.g., let p = tq + 1 for p, q prime So *p has order p-1 = tq Take the subgroup of tth powers, i.e., G = { [xt mod p]| x *p } *p G is a group Can show that it has order (p-1)/t = q Since q is prime, G must be cyclic Generalizations based on finite fields also used
Group selection: choice 1 Prime-order subgroup of *p, p prime E.g., let p = tq + 1 for p, q prime So *p has order p-1 = tq Take the subgroup of tth powers, i.e., G = { [xt mod p]| x *p } *p G is a group Can show that it has order (p-1)/t = q Since q is prime, G must be cyclic Generalizations based on finite fields also used
Group selection: choice 1 Prime-order subgroup of *p, p prime E.g., let p = tq + 1 for p, q prime So *p has order p-1 = tq Take the subgroup of tth powers, i.e., G = { [xt mod p]| x *p } *p G is a group Can show that it has order (p-1)/t = q Since q is prime, G must be cyclic Generalizations based on finite fields also used
Group selection: choice 2 Prime-order subgroup of an elliptic curve group See book for the basic details These have the advantage of giving stronger security with smaller parameters (for reasons to be explained shortly)
Group selection We will describe cryptographic schemes in an abstract cyclic group Can ignore details of the underlying group in the analysis Can instantiate with any (appropriate) group in an implementation
