1 / 32

The Discrete Logarithm Problem with Preprocessing

The Discrete Logarithm Problem with Preprocessing. Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt – 1 May 2018 Tel Aviv, Israel. Pairings. DH key exchange. DDH. Signatures (DSA and Schnorr ). Discrete log. The discrete-log problem. Group: of prime order.

claytons
Download Presentation

The Discrete Logarithm Problem with Preprocessing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Discrete Logarithm Problemwith Preprocessing Henry Corrigan-Gibbs and Dmitry KoganStanford UniversityEurocrypt – 1 May 2018Tel Aviv, Israel

  2. Pairings DH keyexchange DDH Signatures(DSA and Schnorr) Discrete log

  3. The discrete-log problem Group: of prime order Solution: Instance: Adversary Why do we believe thisproblem is hard?

  4. Generic lower bounds give us confidence Theorem. [Shoup’97] Every generic discrete-log algorithm that • operates in a group of prime order and • succeeds with probability at least must run in time . Generic attack in 256-bit group takes time. Best attacks on standard EC groups are generic

  5. Generic algorithms can only make “black-box” use of the group operation Generic-group model: • Group is defined by an injective “labeling” function • Algorithm has access to a group-operation oracle: Generic dlog algorithm takes as input , representing ),make queries to , outputs .[Measure running time by query complexity] Very useful way to understand hardness[BB04,B05,M05,D06,B08,Y15,…] [Nechaev’94], [Shoup’97], [Maurer’05]

  6. Existing generic lower boundsdo not account for preprocessing • Premise of generic-group model: the adversary knows nothing about the structure of the group in advance • In reality: the adversary knows a lot about ! • is one of a small number of groups: NIST P-256, Curve25519, … • A realistic adversary can perform -specific preprocessing! • Existing generic-group lower bounds say nothing about preprocessing attacks! [H80, Yao90, FN91, …]

  7. Preprocessing phase Group: Advice: Both algorithmsare generic! Both algorithmsare generic! Online phase Instance: Solution: Initiated by Hellman (1980) in context of OWFs

  8. Preprocessing time Preprocessing phase Group: Advice: Advice size Online phase Online time Instance: Solution: Success prob. Initiated by Hellman (1980) in context of OWFs

  9. Rest of this talk Background: Preprocessing attacks are relevant • Preexisting generic attack on discrete log Our results: Preprocessing lower-bounds and attacks • The generic dlog attack is optimal • Any such attack must use lots of preprocessing: • New preprocessing attack on DDH-like problem Open questions

  10. A preexisting result… • Theorem.[Mihalcik 2010] [Lee, Cheon, Hong 2011] [Bernstein and Lange 2013]There is a generic dlog algorithm with preprocessing that: • uses bits of group-specific advice, • uses online time, and • succeeds with probability , • such that: Will sketch the algorithm for, constant . …. building on prior work onmultiple-discrete-log algorithms[ESST99,KS01,HMCD04,BL12]

  11. Preliminaries Define a pseudo-random walk on : where is a random function … … If you know the dlog of the endpoint of a walk,you know the dlog of the starting point! [M10, LCH11, BL13]

  12. Preprocessing phase • Build chains of length • Store dlogs of chain endpoints • Online phase • Walk steps • When you hit a stored point, output the discrete log Length: Advice: bits chains … … Time: steps Preprocessing time: Advice string [M10, LCH11, BL13]

  13. 256-bit ECDL Generic discrete log • Without preprocessing: time • With preprocessing: time Related preprocessing attacks break: • Multiple discrete log problem [This paper] • One-round Even-Mansour cipher [FJM14] • Merkle-Damgård hash with random IV [CDGS17] Is this dlog attackthe best possible?! “

  14. Pairings DH keyexchange DDH Signatures(DSA and Schnorr) Discrete log Could there exist a generic dlog preprocessing attack with ? Preprocessing attacks might make us worry about 256-bit EC groups

  15. This talk Background: Preprocessing attacks are relevant • Preexisting generic attack on discrete log Our results: Preprocessing lower-bounds and attacks • The generic dlog attack is optimal • Any such attack must use lots of preprocessing: • New preprocessing attack on DDH-like problem Open questions

  16. Theorem.[Our paper]Every generic dlog algorithm with preprocessing that: • uses bits of group-specific advice, • uses online time, and • succeeds with probability , • must satisfy: This bound is tight for the full range of parameters(up to log factors) Shoup’s proof technique (1997) relies on having no informationabout the group when it starts running  Need different proof technique

  17. Theorem.[Our paper]Every generic dlog algorithm with preprocessing that: • uses bits of group-specific advice, • uses online time, and • succeeds with probability , • must satisfy: Online time implies preprocessing Theorem.[Our paper]Furthermore, the preprocessing time must satisfy

  18. Reminder: Generic-group model • A group is defined by an injective “labeling” function • Algorithm has access to a group-operation oracle: E.g., A dlog algorithm takes as input , representing ),make queries to , outputs .

  19. We prove the lower bound using an incompressibility argument [Yao90, GT00, DTT10, DHT12, DGK17…] Use to compress the mapping that defines the group • Adv uses advice and online time such that Encoder compresses well • Random string is incompressible Lower bound on and Similar technique used in [DHT12] (Random) Encoder Decoder Compressedrepresentation Wlog, assume is deterministic

  20. Proof idea: Use preprocessing dlog adversary to build a compressed representation of the mapping . [Yao90, GT00, DHT12] Encoder

  21. Proof idea: Use preprocessing dlog adversary to build a compressed representation of the mapping . [Yao90, GT00, DHT12] Compressedrepresentation of Encoder Responses to ’s queries on “000” First bitstring in image of , representing some Run on instances,for some parameter Responses to ’s queries on “001” … … Rest of

  22. Proof idea: Use preprocessing dlog adversary to build a compressed representation of the mapping . [Yao90, GT00, DHT12] Compressedrepresentation of Decoder • Run on instances • Whenever outputs a dlog, we get one value “for free” … … … Rest of

  23. Claim: Each invocation of allows the encoder to compress by at least one bit. Easy case: The response to all of ’s queries are distinct • outputs a discrete log “for free” Compress by bits Harder case: The response to query is the same as the response to query . • A naïve encoding “pays twice” for the same value No savings  • Instead, encoder writes a pointer to query If the encoder runs on instances, requires bits. Each execution of saves at least 1 bit, when: , or Pointer to query Index of query [DHT12] treats a more difficult version of “hard case”

  24. Completing the proof • We run the adversary on instances • Each execution compresses by ≥ 1 bit • BUT, we have to include the -bit advice string in the encoding = Encodingoverhead

  25. Extra complications • Algorithms that succeed on an -fraction of group elements • Use the random self-reducibility of dlog • Hardcode a good set of random coins for into • Decisional type problems (DDH, etc.) • only outputs 1 bit—prior argument fails because encoding the runtime in bits is too expensive • Run on batches of inputs [See paper for details]

  26. What about Decision Diffie-Hellman (DDH)? DDH problem: Distinguish from Upper boundLower boundTime Discrete log: CDH: DDH: ≤ ≥ sqDDH: For Our new results Our new results Better attack?

  27. Definition. The sqDDH problem is to distinguish from for . • Why it’s interesting: • For generic online-only algs, it’s as hard as discrete log • For generic preprocesssingalgs, we show that it’s “much easier” •  A DDH-like problem that is easier than dlog

  28. This talk Background: Preprocessing attacks are relevant • Preexisting generic attack on discrete log Our results: Preprocessing lower-bounds and attacks • The generic dlog attack is optimal • Any such attack must use lots of preprocessing: • New preprocessing attack on DDH-like problem Open questions

  29. Open questions and recent progress • Tightness of DDH upper/lower bounds? • Is it as hard as dlog or as easy as sqDDH? • Non-generic preprocessing attacks on ECDL? • As we have for Coretti, Dodis, and Guo (2018) • Elegant proofs of generic-group lower bounds using “presampling”(à la Unruh, 2007) • Prove hardness of “one-more” dlog, KEA assumptions, …

  30. This talk Background: Preprocessing attacks are relevant • Preexisting generic attack on discrete log Our results: Preprocessing lower-bounds and attacks • The generic dlog attack is optimal • Any such attack must use lots of preprocessing: • New preprocessing attack on DDH-like problem Open questions Henry –henrycg@cs.stanford.edu Dima –dkogan@cs.stanford.edu https://eprint.iacr.org/2017/1113

More Related