1 / 31

Hard Instances of the Constrained Discrete Logarithm Problem

Hard Instances of the Constrained Discrete Logarithm Problem. Ilya Mironov Microsoft Research Anton Mityagin UCSD Kobbi Nissim Ben Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research). DLP. Discrete Logarithm Problem: Given g x find x

john
Download Presentation

Hard Instances of the Constrained Discrete Logarithm Problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hard Instances of the Constrained DiscreteLogarithm Problem Ilya Mironov Microsoft Research Anton Mityagin UCSD Kobbi Nissim Ben Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research)

  2. DLP • Discrete Logarithm Problem: • Given gx find x • Believed to be hard in some groups: • - Zp* • - elliptic curves

  3. Hardness of DLP • Hardness of the DLP: • specialized algorithms (index-calculus) complexity: depends on the algorithm • generic algorithms (rho, lambda, baby-step giant-step…) complexity: √pif group has order p

  4. Constrained DLP • Constrained Discrete Logarithm Problem: • Given gx find x, whenxS • Example: S consists of exponents with short addition chains.

  5. Hardness of the Constrained DLP • Bad sets (DLP is relatively easy): • x with low Hamming weight • x  [a, b] • {x2 | x < √p} • Good sets (DLP is hard) - ?

  6. Generic Group Model [Nec94,Sho97] • Group G, random encoding σ:GΣ • Group operations oracle: • σ(g),σ(h),a,bσ(gahb) • Formally, DLP: • given σ(g) and σ(gx), find x • Assume order of g = p is prime

  7. DLP is hard [Nec94,Sho97] • Suppose there is an algorithm that solves the DLP in the generic group model: • The algorithm makes n queriesσ(g), σ(gx), σ(ga1x+b1), σ(ga2x+b2),…, σ(ganx+bn) • The simulator answers randomly but consistently, treating x as a formal variable. • The algorithm outputs its guess y • The simulator chooses x at random. • The simulator loses if there is: • inconsistency: gaix+bi = gajx+bjfor some i, j; • x = y. Pr < n2/p Pr = 1/p

  8. DLP is hard [Nec94,Sho97] • Probability of success of any algorithm for the DLP in the generic group model is at most: • n2/p + 1/p, • where n is the number of group operations.

  9. Graphical representation • Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn) x Zp a1x+b1 a3x+b3 success a2x+b2 1 Zp y x 0

  10. Graphical representation = • Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn) x Zp a1x+b1 a3x+b3 failure a2x+b2 1 Zp x y 0

  11. Attack • The argument is tight: • if for some σ(gaix+bi)=σ(gajx+bj), computing x is easy

  12. Constrained DLP given σ(g) and σ(gx), findxS x Zp a1x+b1 a3x+b3 a2x+b2 1 Zp 0 S

  13. Generic complexity of S • Cα(S) = generic α-complexity of SZp is the smallest such that their covers an α-fraction of S. number of lines intersection set Zp 0 S

  14. Bound • Adversary who is making at most n queries succeeds in solving • DLP: with probability at most • n2/p + 1/p • DLP constrained to set S: If n < Cα(S), probability is at most • α + 1/|S|

  15. What’s known about Cα(S)? • Obvious: Cα(S) < √αp (omitting constants) • Cα(S) < α|S| • Cα(S) >√α|S| Zp Zp 0 S

  16. Simple bounds Cα(S) αp sweet spot: small set, high complexity √αp |S| log scale p √p

  17. Random subsets [Sch01] Cα(S) αp random subsets √αp |S| log scale p √p

  18. Problem Cα(S) αp short description??? random subsets √αp |S| log scale p √p

  19. Relaxing the problem: Cbsgs1 • Cbsgs1(S) = baby-step-giant-step-1-complexity • Two lists: ga1, ga2,…, gan and gx-b1, gx-b2,…, gx-bn x-b1 x-b2 a1 a2 a3 Zp a2+b2 0 a3+b1 a1+b2

  20. Modular weak Sidon set [EN77] • S is such that for any distinct s1,s2,s3,s4S • s1 + s2 ≠ s3 + s4 (mod p) x-b1 all four cannot belong to S x-b2 a1 a2 Zp a2+b1 a2+b2 0 a1+b1 a1+b2

  21. Zarankiewicz bound • S is such that for any distinct s1,s2,s3,s4S • s1 + s2 ≠ s3 + s4 (mod p) a2 a1 How many elements of S can be in the table? b1 a1+b1 a2+b1 Zarankiewicz bound: at most n3/2 Cbsgs1(S) >|S|2/3 b2 a1+b2 a2+b2

  22. Weak modular Sidon sets • S is such that for any distinct s1,s2,s3,s4S • s1 + s2 ≠ s3 + s4 (mod p) • Explicit constructions for such sets exist of size O(p1/2). • Higher order Sidon sets : • s1 + s2 + s3 ≠ s4 + s5 + s6 (mod p) • Turan-type bound: • Cbsgs1(S) < |S|3/4

  23. A harder problem: Cbsgs • Cbsgs(S) = baby-step-giant-step-complexity • Two lists: ga1, ga2,…, gan and gс1x-b1,gc2x-b2,…,gcnx-bn c2x-b2 c1x-b1 a1 a2 a3 Zp x3 0 x2 x1 y1 y2 y3

  24. Harder the problem: Cbsgs • S: for any six distinct x1,x2,x3,y1,y2,y3S • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p) c2x-b2 c1x-b1 a1 all six cannot belong to S a2 a3 Zp x3 0 x2 x1 y1 y2 y3

  25. Zarankiewicz bound • S: for any six distinct x1,x2,x3,y1,y2,y3S • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p) (b2,c2) How many elements of S can be in the table? (b3,c3) (b1,c1) Zarankiewicz bound: still at most n3/2 Cbsgs(S) > |S|2/3 x1 x2 x3 a1 a2 y1 y2 y3

  26. How to construct? • S: for any six distinct x1,x2,x3,y1,y2,y3S • (x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p) “Six-wise independent set” of size p1/6

  27. Generic complexity “Smallest” possible theorem involves 7 lines: l1 lz l2 ly lx l3 l4 Zp x1 z3 y1 z1 x4 z2 y4 z4 y3 x2 x3 y2

  28. Bipartite Menelaus theorem • S: for any twelve distinctx1,x2,x3,x4, y1,y2,y3,y4,z1,z2,z3,z4  S • x1-y1 x1-z1 z1(x1-y1)y1(x1-z1) • x2-y2 x2-z2 z2(x2-y2)y2(x2-z2) • x3-y3 x3-z3 z3(x3-y3)y3(x3-z3) • x4-y4 x4-z4 z4(x4-y4)y4(x4-z4) ≠0 det degree 6 polynomial

  29. How to construct? • “12-wise independent set” of size p1/12 • C(S) > |S|3/5

  30. Conclusion random subsets Cα(S) αp √αp Cbsgs1 (αp)1/4 Cbsgs C (αp)1/9 (αp)1/20 |S| p1/12 p1/6 p1/3 p √p log scale

  31. Open problems • Better constructions: - stronger bounds • - explicit • Constrained DLP for natural sets: • - short addition chains • - compressible binary representation • - three-way products xyz

More Related