Hard Instances of the Constrained Discrete Logarithm Problem
Ilya Mironov (Microsoft Research), Anton Mityagin (UCSD), Kobbi Nissim (Ben Gurion University)
Speaker: Ramarathnam Venkatesan (Microsoft Research)
DLP
Discrete Logarithm Problem: given g and g^x, find x.
Believed to be hard in some groups:
- Zp*
- elliptic curves
Hardness of DLP
Hardness of the DLP:
- specialized algorithms (index calculus): complexity depends on the algorithm
- generic algorithms (rho, lambda, baby-step giant-step, ...): complexity √p if the group has order p
Constrained DLP
Constrained Discrete Logarithm Problem: given g and g^x, find x, when x ∈ S.
Example: S consists of exponents with short addition chains.
Hardness of the Constrained DLP
Bad sets (DLP is relatively easy):
- x with low Hamming weight
- x ∈ [a, b]
- {x^2 | x < √p}
Good sets (DLP is hard): ?
Generic Group Model [Nec 94, Sho 97]
Group G, random encoding σ: G → Σ.
Group operations oracle: (σ(g), σ(h), a, b) ↦ σ(g^a h^b).
Formally, DLP: given σ(g) and σ(g^x), find x.
Assume the order of g is a prime p.
DLP is hard [Nec 94, Sho 97]
Suppose there is an algorithm that solves the DLP in the generic group model:
1. The algorithm makes n queries: σ(g), σ(g^x), σ(g^{a_1 x + b_1}), σ(g^{a_2 x + b_2}), ..., σ(g^{a_n x + b_n}).
2. The simulator answers randomly but consistently, treating x as a formal variable.
3. The algorithm outputs its guess y.
4. The simulator chooses x at random.
5. The simulator loses if there is:
   - an inconsistency: g^{a_i x + b_i} = g^{a_j x + b_j} for some i ≠ j (Pr < n^2/p);
   - x = y (Pr = 1/p).
DLP is hard [Nec 94, Sho 97]
The probability of success of any algorithm for the DLP in the generic group model is at most n^2/p + 1/p, where n is the number of group operations.
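The simulation argument behind this bound, as an added Python example that is not part of the slides: a lazy generic-group simulator that answers each query with a random but consistent encoding of the formal polynomial a·x + b, fixes x only when the game ends, and reports whether it lost through an inconsistency or through a correct guess. The class and function names are this example's own.

```python
import random

class GenericGroupSimulator:
    """Nechaev/Shoup simulator for a generic group of prime order p.
    Each handle stands for a formal polynomial a*x + b over Z_p; x is fixed
    only when the game ends.  Encodings are random but consistent: equal
    polynomials get the same string, distinct polynomials distinct strings."""

    def __init__(self, p, seed=0):
        self.p = p
        self.rng = random.Random(seed)
        self.poly_of = {}      # handle -> (a, b)
        self.handle_of = {}    # (a, b) -> handle
        self.queries = 0

    def _handle(self, a, b):
        key = (a % self.p, b % self.p)
        if key not in self.handle_of:
            h = self.rng.getrandbits(64)
            while h in self.poly_of:        # keep the encoding injective
                h = self.rng.getrandbits(64)
            self.handle_of[key], self.poly_of[h] = h, key
        return self.handle_of[key]

    def setup(self):
        """Return (sigma(g), sigma(g^x)), i.e. the polynomials 1 and x."""
        return self._handle(0, 1), self._handle(1, 0)

    def op(self, h1, h2, a, b):
        """Oracle query sigma(h1^a * h2^b): combine the polynomials linearly."""
        (a1, b1), (a2, b2) = self.poly_of[h1], self.poly_of[h2]
        self.queries += 1
        return self._handle(a * a1 + b * a2, a * b1 + b * b2)

    def inconsistent_at(self, x):
        """True if two distinct polynomials agree at x: a real group would have
        returned equal encodings there, so the simulator has lost."""
        values = [(a * x + b) % self.p for (a, b) in self.poly_of.values()]
        return len(values) != len(set(values))

    def finish(self, guess):
        """Steps 4-5: draw x at random and report how the game ended."""
        x = self.rng.randrange(self.p)
        if self.inconsistent_at(x):
            return "inconsistent"
        return "correct" if guess % self.p == x else "wrong"

def shoup_bound(n, p):
    """Slide bound n^2/p + 1/p on any n-query generic algorithm's success."""
    return n * n / p + 1 / p
```

Running many games against a fixed query strategy and counting "inconsistent" and "correct" outcomes gives an empirical success rate to compare with shoup_bound(n, p).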
Graphical representation (two figures)
Queries σ(g), σ(g^x), σ(g^{a_1 x + b_1}), σ(g^{a_2 x + b_2}), ..., σ(g^{a_n x + b_n}) are drawn as lines a_i x + b_i over x ∈ Zp, with the secret x and the guess y marked on the axis; one panel is labelled "success", the other "failure".
Attack
The argument is tight: if σ(g^{a_i x + b_i}) = σ(g^{a_j x + b_j}) for some i ≠ j, computing x is easy.
Constrained DLP
Given σ(g) and σ(g^x), find x ∈ S ⊆ Zp. (Figure: the lines a_i x + b_i over Zp, with the set S marked on the axis.)
Generic complexity of S
Cα(S), the generic α-complexity of S ⊆ Zp, is the smallest number of lines such that their intersection set covers an α-fraction of S. (Figure: lines over Zp with S marked.)
Bound
An adversary making at most n queries succeeds in solving:
- the DLP with probability at most n^2/p + 1/p;
- the DLP constrained to the set S, if n < Cα(S), with probability at most α + 1/|S|.
What's known about Cα(S)?
Obvious (omitting constants):
- Cα(S) < √(αp)
- Cα(S) < α|S|
- Cα(S) > √(α|S|)
Simple bounds
(Figure: Cα(S) against |S| on a log scale; the |S| axis runs from √p to p, the Cα(S) axis from √(αp) to αp.) Sweet spot: small set, high complexity.
Random subsets [Sch 01]
(Figure: random subsets plotted on the same axes.)
Problem
Subsets with a short random description? (Figure: the same axes, with question marks where such subsets would lie.)
Relaxing the problem: Cbsgs1(S) = baby-step-giant-step-1 complexity
Two lists: g^{a_1}, g^{a_2}, ..., g^{a_n} and g^{x - b_1}, g^{x - b_2}, ..., g^{x - b_n}. (Figure: the lines x - b_j and the constants a_i over Zp, with the intersection points a_i + b_j marked.)
Modular weak Sidon set [EN 77]
S is such that for any distinct s_1, s_2, s_3, s_4 ∈ S: s_1 + s_2 ≠ s_3 + s_4 (mod p). (Figure: the four table entries a_1 + b_1, a_1 + b_2, a_2 + b_1, a_2 + b_2 over Zp; all four cannot belong to S.)
Zarankiewicz bound
S is such that for any distinct s_1, s_2, s_3, s_4 ∈ S: s_1 + s_2 ≠ s_3 + s_4 (mod p).
How many elements of S can be in the table (a_i + b_j)? Zarankiewicz bound: at most n^{3/2}. Hence Cbsgs1(S) > |S|^{2/3}.
Weak modular Sidon sets
S is such that for any distinct s_1, s_2, s_3, s_4 ∈ S: s_1 + s_2 ≠ s_3 + s_4 (mod p). Explicit constructions of such sets exist of size O(p^{1/2}).
Higher-order Sidon sets: s_1 + s_2 + s_3 ≠ s_4 + s_5 + s_6 (mod p). Turán-type bound: Cbsgs1(S) < |S|^{3/4}.
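The BSGS-1 table and the weak Sidon condition, as an added Python example that is not part of the slides: is_weak_sidon checks the [EN 77] condition, bsgs1_table lists the exponents x = a_i + b_j exposed by one pair of lists g^{a_i}, g^{x - b_j}, and bsgs1_complexity finds Cbsgs1(S) for α = 1 by exhaustive search over a toy Zp, enough to watch an interval fall to two-element lists while a Sidon set of the same size needs three. All function names are this example's own.

```python
from itertools import combinations

def is_weak_sidon(S, p):
    """Weak modular Sidon set [EN 77]: no s1 + s2 = s3 + s4 (mod p) for four
    distinct elements of S.  Two distinct unordered pairs with a common element
    cannot have equal sums (s2 = s3 would follow), so this is the same as all
    pair sums of S being distinct mod p."""
    sums = set()
    for s1, s2 in combinations(S, 2):
        t = (s1 + s2) % p
        if t in sums:
            return False
        sums.add(t)
    return True

def bsgs1_table(A, B, p):
    """Exponents solved by one BSGS-1 table: with lists g^{a_i} and g^{x-b_j},
    a match g^{a_i} = g^{x-b_j} reveals x = a_i + b_j, so the attack succeeds
    exactly when x lies in (A + B) mod p."""
    return {(a + b) % p for a in A for b in B}

def bsgs1_complexity(S, p):
    """Cbsgs1(S) for alpha = 1: the least n such that some lists A, B of n
    exponents each cover all of S.  Exhaustive, so only for toy p.  Since
    A + B = (A - a) + (B + a), A may be assumed to contain 0."""
    S = set(S)
    for n in range(1, len(S) + 1):          # n = |S| always suffices (B = S)
        for A in combinations(range(p), n):
            if A[0] != 0:                    # tuples are sorted; 0 comes first
                break
            for B in combinations(range(p), n):
                if S <= bsgs1_table(A, B, p):
                    return n
    return len(S)
```

In Z_13 the interval {0, 1, 2, 3} is covered by A = {0, 1}, B = {0, 2}, whereas the Sidon set {0, 1, 3, 9} cannot be an exact 2×2 sum table and needs n = 3.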
A harder problem: Cbsgs(S) = baby-step-giant-step complexity
Two lists: g^{a_1}, g^{a_2}, ..., g^{a_n} and g^{c_1 x - b_1}, g^{c_2 x - b_2}, ..., g^{c_n x - b_n}. (Figure: the lines c_j x - b_j and the constants a_i over Zp, with intersection points x_1, x_2, x_3, y_2, y_3 marked.)
The harder problem: Cbsgs
S: for any six distinct x_1, x_2, x_3, y_1, y_2, y_3 ∈ S: (x_1 - x_2)/(x_2 - x_3) ≠ (y_1 - y_2)/(y_2 - y_3) (mod p). (Figure: the lines c_1 x - b_1, c_2 x - b_2 and the constants a_2, a_3 over Zp; all six points cannot belong to S.)
Zarankiewicz bound
S: for any six distinct x_1, x_2, x_3, y_1, y_2, y_3 ∈ S: (x_1 - x_2)/(x_2 - x_3) ≠ (y_1 - y_2)/(y_2 - y_3) (mod p).
How many elements of S can be in the table indexed by a_i and (b_j, c_j)? Zarankiewicz bound: still at most n^{3/2}. Hence Cbsgs(S) > |S|^{2/3}.
How to construct?
S: for any six distinct x_1, x_2, x_3, y_1, y_2, y_3 ∈ S: (x_1 - x_2)/(x_2 - x_3) ≠ (y_1 - y_2)/(y_2 - y_3) (mod p).
"Six-wise independent set" of size p^{1/6}.
Generic complexity
The "smallest" possible theorem involves 7 lines: l_x, l_y, l_z, l_1, l_2, l_3, l_4. (Figure: the seven lines over Zp with intersection points x_1, ..., x_4, y_1, ..., y_4, z_1, ..., z_4.)
Bipartite Menelaus theorem
S: for any twelve distinct x_1, x_2, x_3, x_4, y_1, y_2, y_3, y_4, z_1, z_2, z_3, z_4 ∈ S:
$$\det\begin{pmatrix}
x_1 - y_1 & x_1 - z_1 & z_1(x_1 - y_1) & y_1(x_1 - z_1) \\
x_2 - y_2 & x_2 - z_2 & z_2(x_2 - y_2) & y_2(x_2 - z_2) \\
x_3 - y_3 & x_3 - z_3 & z_3(x_3 - y_3) & y_3(x_3 - z_3) \\
x_4 - y_4 & x_4 - z_4 & z_4(x_4 - y_4) & y_4(x_4 - z_4)
\end{pmatrix} \neq 0$$
(a degree 6 polynomial).
How to construct?
"12-wise independent set" of size p^{1/12}. C(S) > |S|^{3/5}.
Conclusion
(Summary figure: Cα(S) against |S| on a log scale. Labels: random subsets; Cbsgs1 at (αp)^{1/4}; Cbsgs at (αp)^{1/9}; C at (αp)^{1/20}. The |S| axis is marked p^{1/12}, p^{1/6}, p^{1/3}, √p, p; the complexity axis is marked √(αp), αp.)
Open problems
Better constructions:
- stronger bounds
- explicit
Constrained DLP for natural sets:
- short addition chains
- compressible binary representation
- three-way products xyz