Hard Instances of the Constrained Discrete Logarithm Problem

1 / 31

# Hard Instances of the Constrained Discrete Logarithm Problem - PowerPoint PPT Presentation

Hard Instances of the Constrained Discrete Logarithm Problem. Ilya Mironov Microsoft Research Anton Mityagin UCSD Kobbi Nissim Ben Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research). DLP. Discrete Logarithm Problem: Given g x find x

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Hard Instances of the Constrained Discrete Logarithm Problem' - john

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Hard Instances of the Constrained DiscreteLogarithm Problem

Ilya Mironov Microsoft Research

Anton Mityagin UCSD

Kobbi Nissim Ben Gurion University

Speaker: Ramarathnam Venkatesan

(Microsoft Research)

DLP
• Discrete Logarithm Problem:
• Given gx find x
• Believed to be hard in some groups:
• - Zp*
• - elliptic curves
Hardness of DLP
• Hardness of the DLP:
• specialized algorithms (index-calculus)

complexity: depends on the algorithm

• generic algorithms (rho, lambda, baby-step giant-step…)

complexity: √pif group has order p

Constrained DLP
• Constrained Discrete Logarithm Problem:
• Given gx find x, whenxS
• Example: S consists of exponents with short addition chains.
Hardness of the Constrained DLP
• Bad sets (DLP is relatively easy):
• x with low Hamming weight
• x  [a, b]
• {x2 | x < √p}
• Good sets (DLP is hard) - ?
Generic Group Model [Nec94,Sho97]
• Group G, random encoding σ:GΣ
• Group operations oracle:
• σ(g),σ(h),a,bσ(gahb)
• Formally, DLP:
• given σ(g) and σ(gx), find x
• Assume order of g = p is prime
DLP is hard [Nec94,Sho97]
• Suppose there is an algorithm that solves the DLP in the generic group model:
• The algorithm makes n queriesσ(g), σ(gx), σ(ga1x+b1), σ(ga2x+b2),…, σ(ganx+bn)
• The simulator answers randomly but consistently, treating x as a formal variable.
• The algorithm outputs its guess y
• The simulator chooses x at random.
• The simulator loses if there is:
• inconsistency: gaix+bi = gajx+bjfor some i, j;
• x = y.

Pr < n2/p

Pr = 1/p

DLP is hard [Nec94,Sho97]
• Probability of success of any algorithm for the DLP in the generic group model is at most:
• n2/p + 1/p,
• where n is the number of group operations.
Graphical representation
• Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)

x

Zp

a1x+b1

a3x+b3

success

a2x+b2

1

Zp

y

x

0

Graphical representation

=

• Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)

x

Zp

a1x+b1

a3x+b3

failure

a2x+b2

1

Zp

x

y

0

Attack
• The argument is tight:
• if for some σ(gaix+bi)=σ(gajx+bj), computing x is easy
Constrained DLP

given σ(g) and σ(gx), findxS

x

Zp

a1x+b1

a3x+b3

a2x+b2

1

Zp

0

S

Generic complexity of S
• Cα(S) = generic α-complexity of SZp is the smallest such that their covers an α-fraction of S.

number of lines

intersection set

Zp

0

S

Bound
• Adversary who is making at most n queries succeeds in solving
• DLP: with probability at most
• n2/p + 1/p
• DLP constrained to set S: If n < Cα(S), probability is at most
• α + 1/|S|
• Obvious: Cα(S) < √αp (omitting constants)
• Cα(S) < α|S|
• Cα(S) >√α|S|

Zp

Zp

0

S

Simple bounds

Cα(S)

αp

sweet spot:

small set,

high complexity

√αp

|S|

log scale

p

√p

Random subsets [Sch01]

Cα(S)

αp

random subsets

√αp

|S|

log scale

p

√p

Problem

Cα(S)

αp

short description???

random subsets

√αp

|S|

log scale

p

√p

Relaxing the problem: Cbsgs1
• Cbsgs1(S) = baby-step-giant-step-1-complexity
• Two lists: ga1, ga2,…, gan and gx-b1, gx-b2,…, gx-bn

x-b1

x-b2

a1

a2

a3

Zp

a2+b2

0

a3+b1

a1+b2

Modular weak Sidon set [EN77]
• S is such that for any distinct s1,s2,s3,s4S
• s1 + s2 ≠ s3 + s4 (mod p)

x-b1

all four cannot belong to S

x-b2

a1

a2

Zp

a2+b1

a2+b2

0

a1+b1

a1+b2

Zarankiewicz bound
• S is such that for any distinct s1,s2,s3,s4S
• s1 + s2 ≠ s3 + s4 (mod p)

a2

a1

How many elements of

S can be in the table?

b1

a1+b1

a2+b1

Zarankiewicz bound:

at most n3/2

Cbsgs1(S) >|S|2/3

b2

a1+b2

a2+b2

Weak modular Sidon sets
• S is such that for any distinct s1,s2,s3,s4S
• s1 + s2 ≠ s3 + s4 (mod p)
• Explicit constructions for such sets exist of size O(p1/2).
• Higher order Sidon sets :
• s1 + s2 + s3 ≠ s4 + s5 + s6 (mod p)
• Turan-type bound:
• Cbsgs1(S) < |S|3/4
A harder problem: Cbsgs
• Cbsgs(S) = baby-step-giant-step-complexity
• Two lists: ga1, ga2,…, gan and gс1x-b1,gc2x-b2,…,gcnx-bn

c2x-b2

c1x-b1

a1

a2

a3

Zp

x3

0

x2

x1

y1

y2

y3

Harder the problem: Cbsgs
• S: for any six distinct x1,x2,x3,y1,y2,y3S
• (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

c2x-b2

c1x-b1

a1

all six cannot belong to S

a2

a3

Zp

x3

0

x2

x1

y1

y2

y3

Zarankiewicz bound
• S: for any six distinct x1,x2,x3,y1,y2,y3S
• (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

(b2,c2)

How many elements of

S can be in the table?

(b3,c3)

(b1,c1)

Zarankiewicz bound:

still at most n3/2

Cbsgs(S) > |S|2/3

x1

x2

x3

a1

a2

y1

y2

y3

How to construct?
• S: for any six distinct x1,x2,x3,y1,y2,y3S
• (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)

“Six-wise independent set” of size p1/6

Generic complexity

“Smallest” possible theorem involves 7 lines:

l1

lz

l2

ly

lx

l3

l4

Zp

x1

z3

y1

z1

x4

z2

y4

z4

y3

x2

x3

y2

Bipartite Menelaus theorem
• S: for any twelve distinctx1,x2,x3,x4, y1,y2,y3,y4,z1,z2,z3,z4  S
• x1-y1 x1-z1 z1(x1-y1)y1(x1-z1)
• x2-y2 x2-z2 z2(x2-y2)y2(x2-z2)
• x3-y3 x3-z3 z3(x3-y3)y3(x3-z3)
• x4-y4 x4-z4 z4(x4-y4)y4(x4-z4)

≠0

det

degree 6 polynomial

How to construct?
• “12-wise independent set” of size p1/12
• C(S) > |S|3/5
Conclusion

random subsets

Cα(S)

αp

√αp

Cbsgs1

(αp)1/4

Cbsgs

C

(αp)1/9

(αp)1/20

|S|

p1/12

p1/6

p1/3

p

√p

log scale

Open problems
• Better constructions: - stronger bounds
• - explicit
• Constrained DLP for natural sets: