hard instances of the constrained discrete logarithm problem n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Hard Instances of the Constrained Discrete Logarithm Problem PowerPoint Presentation
Download Presentation
Hard Instances of the Constrained Discrete Logarithm Problem

Loading in 2 Seconds...

play fullscreen
1 / 31

Hard Instances of the Constrained Discrete Logarithm Problem - PowerPoint PPT Presentation


  • 145 Views
  • Uploaded on

Hard Instances of the Constrained Discrete Logarithm Problem. Ilya Mironov Microsoft Research Anton Mityagin UCSD Kobbi Nissim Ben Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research). DLP. Discrete Logarithm Problem: Given g x find x

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Hard Instances of the Constrained Discrete Logarithm Problem' - john


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
hard instances of the constrained discrete logarithm problem

Hard Instances of the Constrained DiscreteLogarithm Problem

Ilya Mironov Microsoft Research

Anton Mityagin UCSD

Kobbi Nissim Ben Gurion University

Speaker: Ramarathnam Venkatesan

(Microsoft Research)

slide2
DLP
  • Discrete Logarithm Problem:
  • Given gx find x
  • Believed to be hard in some groups:
  • - Zp*
  • - elliptic curves
hardness of dlp
Hardness of DLP
  • Hardness of the DLP:
    • specialized algorithms (index-calculus)

complexity: depends on the algorithm

    • generic algorithms (rho, lambda, baby-step giant-step…)

complexity: √pif group has order p

constrained dlp
Constrained DLP
  • Constrained Discrete Logarithm Problem:
  • Given gx find x, whenxS
  • Example: S consists of exponents with short addition chains.
hardness of the constrained dlp
Hardness of the Constrained DLP
  • Bad sets (DLP is relatively easy):
  • x with low Hamming weight
  • x  [a, b]
  • {x2 | x < √p}
  • Good sets (DLP is hard) - ?
generic group model nec94 sho97
Generic Group Model [Nec94,Sho97]
  • Group G, random encoding σ:GΣ
  • Group operations oracle:
  • σ(g),σ(h),a,bσ(gahb)
  • Formally, DLP:
  • given σ(g) and σ(gx), find x
  • Assume order of g = p is prime
dlp is hard nec94 sho97
DLP is hard [Nec94,Sho97]
  • Suppose there is an algorithm that solves the DLP in the generic group model:
  • The algorithm makes n queriesσ(g), σ(gx), σ(ga1x+b1), σ(ga2x+b2),…, σ(ganx+bn)
  • The simulator answers randomly but consistently, treating x as a formal variable.
  • The algorithm outputs its guess y
  • The simulator chooses x at random.
  • The simulator loses if there is:
    • inconsistency: gaix+bi = gajx+bjfor some i, j;
    • x = y.

Pr < n2/p

Pr = 1/p

dlp is hard nec94 sho971
DLP is hard [Nec94,Sho97]
  • Probability of success of any algorithm for the DLP in the generic group model is at most:
  • n2/p + 1/p,
  • where n is the number of group operations.
graphical representation
Graphical representation
  • Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)

x

Zp

a1x+b1

a3x+b3

success

a2x+b2

1

Zp

y

x

0

graphical representation1
Graphical representation

=

  • Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)

x

Zp

a1x+b1

a3x+b3

failure

a2x+b2

1

Zp

x

y

0

attack
Attack
  • The argument is tight:
  • if for some σ(gaix+bi)=σ(gajx+bj), computing x is easy
constrained dlp1
Constrained DLP

given σ(g) and σ(gx), findxS

x

Zp

a1x+b1

a3x+b3

a2x+b2

1

Zp

0

S

generic complexity of s
Generic complexity of S
  • Cα(S) = generic α-complexity of SZp is the smallest such that their covers an α-fraction of S.

number of lines

intersection set

Zp

0

S

bound
Bound
  • Adversary who is making at most n queries succeeds in solving
  • DLP: with probability at most
  • n2/p + 1/p
  • DLP constrained to set S: If n < Cα(S), probability is at most
  • α + 1/|S|
what s known about c s
What’s known about Cα(S)?
  • Obvious: Cα(S) < √αp (omitting constants)
  • Cα(S) < α|S|
  • Cα(S) >√α|S|

Zp

Zp

0

S

simple bounds
Simple bounds

Cα(S)

αp

sweet spot:

small set,

high complexity

√αp

|S|

log scale

p

√p

random subsets sch01
Random subsets [Sch01]

Cα(S)

αp

random subsets

√αp

|S|

log scale

p

√p

problem
Problem

Cα(S)

αp

short description???

random subsets

√αp

|S|

log scale

p

√p

relaxing the problem c bsgs1
Relaxing the problem: Cbsgs1
  • Cbsgs1(S) = baby-step-giant-step-1-complexity
  • Two lists: ga1, ga2,…, gan and gx-b1, gx-b2,…, gx-bn

x-b1

x-b2

a1

a2

a3

Zp

a2+b2

0

a3+b1

a1+b2

modular weak sidon set en77
Modular weak Sidon set [EN77]
  • S is such that for any distinct s1,s2,s3,s4S
  • s1 + s2 ≠ s3 + s4 (mod p)

x-b1

all four cannot belong to S

x-b2

a1

a2

Zp

a2+b1

a2+b2

0

a1+b1

a1+b2

zarankiewicz bound
Zarankiewicz bound
  • S is such that for any distinct s1,s2,s3,s4S
  • s1 + s2 ≠ s3 + s4 (mod p)

a2

a1

How many elements of

S can be in the table?

b1

a1+b1

a2+b1

Zarankiewicz bound:

at most n3/2

Cbsgs1(S) >|S|2/3

b2

a1+b2

a2+b2

weak modular sidon sets
Weak modular Sidon sets
  • S is such that for any distinct s1,s2,s3,s4S
  • s1 + s2 ≠ s3 + s4 (mod p)
  • Explicit constructions for such sets exist of size O(p1/2).
  • Higher order Sidon sets :
  • s1 + s2 + s3 ≠ s4 + s5 + s6 (mod p)
  • Turan-type bound:
  • Cbsgs1(S) < |S|3/4
a harder problem c bsgs
A harder problem: Cbsgs
  • Cbsgs(S) = baby-step-giant-step-complexity
  • Two lists: ga1, ga2,…, gan and gс1x-b1,gc2x-b2,…,gcnx-bn

c2x-b2

c1x-b1

a1

a2

a3

Zp

x3

0

x2

x1

y1

y2

y3

harder the problem c bsgs
Harder the problem: Cbsgs
  • S: for any six distinct x1,x2,x3,y1,y2,y3S
  • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

c2x-b2

c1x-b1

a1

all six cannot belong to S

a2

a3

Zp

x3

0

x2

x1

y1

y2

y3

zarankiewicz bound1
Zarankiewicz bound
  • S: for any six distinct x1,x2,x3,y1,y2,y3S
  • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

(b2,c2)

How many elements of

S can be in the table?

(b3,c3)

(b1,c1)

Zarankiewicz bound:

still at most n3/2

Cbsgs(S) > |S|2/3

x1

x2

x3

a1

a2

y1

y2

y3

how to construct
How to construct?
  • S: for any six distinct x1,x2,x3,y1,y2,y3S
  • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

“Six-wise independent set” of size p1/6

generic complexity
Generic complexity

“Smallest” possible theorem involves 7 lines:

l1

lz

l2

ly

lx

l3

l4

Zp

x1

z3

y1

z1

x4

z2

y4

z4

y3

x2

x3

y2

bipartite menelaus theorem
Bipartite Menelaus theorem
  • S: for any twelve distinctx1,x2,x3,x4, y1,y2,y3,y4,z1,z2,z3,z4  S
  • x1-y1 x1-z1 z1(x1-y1)y1(x1-z1)
  • x2-y2 x2-z2 z2(x2-y2)y2(x2-z2)
  • x3-y3 x3-z3 z3(x3-y3)y3(x3-z3)
  • x4-y4 x4-z4 z4(x4-y4)y4(x4-z4)

≠0

det

degree 6 polynomial

how to construct1
How to construct?
  • “12-wise independent set” of size p1/12
  • C(S) > |S|3/5
conclusion
Conclusion

random subsets

Cα(S)

αp

√αp

Cbsgs1

(αp)1/4

Cbsgs

C

(αp)1/9

(αp)1/20

|S|

p1/12

p1/6

p1/3

p

√p

log scale

open problems
Open problems
  • Better constructions: - stronger bounds
  • - explicit
  • Constrained DLP for natural sets:
  • - short addition chains
  • - compressible binary representation
  • - three-way products xyz