Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4)

Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song)
Department of Mathematical Sciences and ISaC-RIM, Seoul National University
December 13, 2013
Outline

1 Discrete Logarithm Problem with Auxiliary Inputs
2 p ± 1 algorithm
3 Generalized algorithms
4 Applications
5 Polynomial with small image size
6 Generalized DLPwAI
1 Discrete Logarithm Problem with Auxiliary Inputs

Discrete Logarithm Problem (DLP)

Let $G = \langle g \rangle$ be a cyclic group of prime order $p$.
Discrete Logarithm Problem (DLP): find $\alpha \in \mathbb{F}_p$ when $g, g^{\alpha}$ are given.
CDHP: given $(g, g^{\alpha}, g^{\beta})$, compute $g^{\alpha\beta}$.
DDHP: given $(g, g^{\alpha}, g^{\beta}, g^{\gamma})$, decide if $g^{\gamma} = g^{\alpha\beta}$.
Public Key Encryption, Digital Signature, Authentication, etc.

Baby-Step Giant-Step (BSGS)

Let $L = \lceil \sqrt{p} \rceil$. Find a collision between two lists $L_1 = \{ g^{-i} : i \in [0, L) \}$ and $L_2 = \{ g^{Lj} : j \in [0, L) \}$.
$O(\sqrt{p})$ computations and storage.
Pollard's $\rho$, Pohlig-Hellman, Index calculus (NFS, FFS)
Relax the problems

Why? To design a new system with additional properties; to prove the security without random oracles.
How to get a good grade in an exam? Flexible grading; more hints before the test.
Relax the problems: Flexible Grading

Flexible RSA Problem (BP97, CS99, GHR99): given a composite $n$ and a message $m \in \mathbb{Z}_n$, find $(e, m^{1/e})$ for some $e > 2$.
(Decisional) Linear Assumption (BBS04): given $g, g_1, g_2, g_1^{c}, g_2^{d}, v \in G$, decide if $v = g^{c+d}$.
Let $d = 0$, $a = x^{-1}$, $ac = y$. Given $g^{x^{-1}}, g^{y}, v$, decide if $v = g^{c+d} = g^{xy}$.
Relax the problems: More Hints (1/2)

$\ell$-Weak DHP: given $g, g^{\alpha}, \cdots, g^{\alpha^{\ell}}$, compute $g^{1/\alpha}$. Traitor Tracing [Mitsunari-Sakai-Kasahara02]
$\ell$-Strong DHP: given $g, g^{\alpha}, \cdots, g^{\alpha^{\ell}}$, compute $g^{\alpha^{\ell+1}}$. Short Signatures without Random Oracle [BB04s], Short Group Signatures [BBS04]
One More DL: with $n$ queries to a DL oracle, solve $(n+1)$ DL problems. GQ/Schnorr Identification
One More DH
Relax the problems: More Hints (2/2)

$e : G_1 \times G_2 \to G'$: a bilinear map
$\ell$-Bilinear DHI: given $g, g^{\alpha}, \cdots, g^{\alpha^{\ell}}$, compute $e(g, g)^{1/\alpha}$. Identity-based Encryption [BB04e], Verifiable Random Functions [DY05]
$\ell$-Bilinear DHE: given $h, g, \cdots, g^{\alpha^{\ell-1}}, g^{\alpha^{\ell+1}}, \cdots, g^{\alpha^{2\ell}}$, compute $e(g, h)^{\alpha^{\ell}}$. HIBE with constant-size ciphertext [BBG05], Public Key Broadcast Encryption [BGW05]
Variants of DL problems on Pairing Groups

Refer to http://www.ecrypt.eu.org/wiki
Find 36 variants of DL in http://www.ecrypt.eu.org/wiki/index.php/Discrete_Logarithms
Find 8 variants of BDL in http://www.ecrypt.eu.org/wiki/index.php/Pairings
Are they secure? Assume it is as secure as DL; find reductions or dedicated attacks; estimate the complexity in the generic group model.
Attacks or Reductions: very few results
Discrete Logarithm with Auxiliary Inputs (DLPwAI)

Many DL variants have auxiliary inputs $g, g^{\alpha}, \ldots, g^{\alpha^{d}}$.
Question: are they as hard as DL?
In the generic group model, the complexity of SDL is lower bounded by $O(\sqrt{p/d})$ group operations when $d < p^{1/3}$, compared with $O(\sqrt{p})$ for the DL.
$d$-DLPwAI: given $g, g^{\alpha}, \ldots, g^{\alpha^{d}}$, compute $\alpha \in \mathbb{F}_p$.
2 p ± 1 algorithm
$p-1$ has a small divisor $d$ [Brown-Gallant05], [JoC'10, C.]

Assume $(g, g_1 = g^{\alpha}, g_d = g^{\alpha^{d}})$ are given for $d \mid p-1$.
Let $\xi$ be a generator of $\mathbb{Z}_p^{*}$ and $\zeta := \xi^{d}$ (of order $\frac{p-1}{d}$).
Idea: put $\alpha = \xi^{z_1 + z_2 \frac{p-1}{d}}$ for $0 \le z_1 < \frac{p-1}{d}$, $0 \le z_2 < d$. Then compute $z_1$ s.t. $g^{\alpha^{d}} = g^{\zeta^{z_1}}$, and then $z_2$ independently.
$\alpha^{d} = \zeta^{z_1}$ is contained in a subgroup of order $\frac{p-1}{d}$.
Apply BSGS: $\alpha^{d} \zeta^{-u} = \zeta^{Lv}$ for $0 \le u, v < L := \left\lceil \sqrt{\frac{p-1}{d}} \right\rceil$.
Check the equality $g_d = g^{\zeta^{z_1}}$ in $G$, i.e. $g_d^{\zeta^{-u}} = g^{\zeta^{Lv}}$.
$O\left(\sqrt{\frac{p-1}{d}}\right)$ complexity and memory
$p-1$ has a small divisor $d$ [Brown-Gallant05], [JoC'10, C.]

Once we know $z_1 \in [0, \frac{p-1}{d})$ with $\alpha^{d} = \zeta^{z_1}$ and $\alpha = \xi^{z_1 + z_2 \frac{p-1}{d}}$, find $z_2 \in [0, d)$ such that $\alpha \xi^{-z_1} = \left(\xi^{\frac{p-1}{d}}\right)^{z_2}$.
Check the equality: $g_1^{\xi^{-z_1}} = g^{\left(\xi^{\frac{p-1}{d}}\right)^{z_2}}$.
Apply BSGS: $O(\sqrt{d})$ computations and storage.
Total: $\log p \cdot O\left(\sqrt{\frac{p-1}{d}} + \sqrt{d}\right)$ multiplications in $\mathbb{Z}_p$.
It has the minimum $O(p^{1/4})$ when $d = p^{1/2}$.
What can you do when given $\{ g^{\alpha^{i}} \mid 0 \le i \le \ell \}$ with $\ell \nmid p-1$?
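The two BSGS phases above, as an added worked example that is not from the talk: Cheon's $p-1$ algorithm run on a constructed toy group, with $p = 1009$ (so $p-1 = 2^4 \cdot 3^2 \cdot 7$), $d = 28$, and $G$ the order-$p$ subgroup of $\mathbb{Z}_{10091}^{*}$; the group, the generator and the secret $\alpha$ are all constructed for illustration.

```python
from math import isqrt

def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    fs, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            fs.add(f)
            n //= f
        f += 1
    return fs | ({n} if n > 1 else set())

def generator_mod(p):
    """Smallest generator xi of Z_p^* for a prime p."""
    qs = prime_factors(p - 1)
    return next(x for x in range(2, p) if all(pow(x, (p - 1) // r, p) != 1 for r in qs))

def bsgs(T, b, n, g, p, q):
    """Find z in [0, n) with T == g^(b^z) mod q, where b in Z_p^* has order n.
    The unknown exponent t is only reachable through G = <g> (order p in Z_q^*),
    so the collision t*b^(-u) = b^(L*v) is tested as T^(b^(-u)) == g^(b^(L*v))."""
    L = isqrt(n - 1) + 1                      # ceil(sqrt(n))
    bL, table, e = pow(b, L, p), {}, 1
    for v in range(L):                        # giant steps: g^(b^(L*v))
        table.setdefault(pow(g, e, q), v)
        e = e * bL % p
    b_inv, e = pow(b, p - 2, p), 1
    for u in range(L):                        # baby steps: T^(b^(-u))
        x = pow(T, e, q)
        if x in table:
            return (u + L * table[x]) % n
        e = e * b_inv % p
    raise ValueError("no collision: T does not lie in <b> as expected")

def cheon_p_minus_1(g, g1, gd, d, p, q):
    """Recover alpha from (g, g^alpha, g^(alpha^d)) in G when d | p-1, by writing
    alpha = xi^(z1 + z2*(p-1)/d) with 0 <= z1 < (p-1)/d, 0 <= z2 < d."""
    assert (p - 1) % d == 0
    xi = generator_mod(p)
    zeta = pow(xi, d, p)                                  # order (p-1)/d
    z1 = bsgs(gd, zeta, (p - 1) // d, g, p, q)            # alpha^d = zeta^z1
    T = pow(g1, pow(pow(xi, p - 2, p), z1, p), q)         # g^(alpha * xi^(-z1))
    z2 = bsgs(T, pow(xi, (p - 1) // d, p), d, g, p, q)    # = (xi^((p-1)/d))^z2
    return pow(xi, z1 + z2 * (p - 1) // d, p)

# Constructed toy instance: p = 1009, q = 10p+1 = 10091 (prime), g of order p in Z_q^*.
P, Q = 1009, 10091
G = pow(2, (Q - 1) // P, Q)

def demo(alpha, d=28):
    """Publish (g, g^alpha, g^(alpha^d)) and run the attack; returns the recovered alpha."""
    g1, gd = pow(G, alpha, Q), pow(G, pow(alpha, d, P), Q)
    return cheon_p_minus_1(G, g1, gd, d, P, Q)
```

With these sizes both BSGS tables have only six entries, which is the point: the search cost is $\sqrt{(p-1)/d} + \sqrt{d}$ rather than $\sqrt{p}$.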
3 Generalized algorithms
Use a field embedding [C.-Kim-Lee'12]

Let $p^{n} - 1 = DE$ for $0 < D < p$, and $d = \Phi_n(p)/D$.
$\xi$: a generator of $\mathbb{F}_{p^n}^{*}$; $1_n$: the identity of $\mathbb{F}_{p^n}^{*}$; $H$: the subgroup of order $D$ generated by $\zeta = \xi^{E}$.
The idea of (generalized) Cheon's algorithm, $\Phi_n(p)$ cases: use the embedding, for $\theta \in \mathbb{F}_{p^n}$,
$$\mathbb{F}_p \to H \subseteq \mathbb{F}_{p^n}, \qquad \alpha \mapsto \beta = (\alpha + \xi^{\tau})^{rE},$$
where $H$ is a (small) subgroup of order $\frac{p^{n}-1}{E}$.
Find $z \in [0, D)$ such that $\beta = \zeta^{z}$ in $H \subset \mathbb{F}_{p^n}$.
Baby-step Giant-step phase

Given $rE = \sum_{i=0}^{n-1} e_i p^{i}$ with $|e_i| < p/2$, $S_p(rE) = \max\left\{ \sum_{e_i > 0} e_i,\ \sum_{e_i < 0} (-e_i) \right\}$ is called the sum of signed digits, denoted by $e$.
$$\beta = (\alpha \cdot 1_n + \xi^{\tau})^{rE} = \prod_{i=0}^{n-1} (\alpha \cdot 1_n + \xi^{p^{i}\tau})^{e_i} = \frac{\sum_{j=0}^{\tau-1} f_j(\alpha)\, \xi^{j\tau}}{\sum_{j=0}^{\tau-1} \bar{f}_j(\alpha)\, \xi^{j\tau}}$$
where $f_j$ and $\bar{f}_j$ are polynomials over $\mathbb{F}_p$ with degree $\le e$.
Need $g^{\alpha^{i}}$ for $1 \le i \le e = S_p(rE)$ for an $O(\sqrt{D})$ attack.
Find $z \in [0, D)$ s.t. $g^{\beta} = g^{\zeta^{z}}$, or $(g^{\beta})^{\zeta^{-u}} = g^{\zeta^{\lceil \sqrt{D} \rceil v}}$ for $0 \le u, v < \lceil \sqrt{D} \rceil$.
Attack Scenario

Suppose a prime $p$ and $g, g^{\alpha}, \cdots, g^{\alpha^{d}}$ are given.
Find an appropriate divisor $D < p$ of $\Phi_n(p)$ for some $n$, where $\Phi_n(x)$ is the $n$-th cyclotomic polynomial.
Find $r$ s.t. $S_p(rE) \le d$ and $\gcd(r, D) = 1$.
Apply the algorithm to recover $\alpha$.
The complexity of the attack is about $O(\sqrt{D} + S_p(rE))$.
However...

(Minkowski Thm) Lattice reduction gives $r$ with $S_p(rE) \le E^{1/\varphi(n)} \approx p / D^{1/\varphi(n)}$ when $DE = \Phi_n(p)$.
It is optimal except when every prime divisor of $D$ divides $n(p^{2} - 1)$.
Investigate the exceptional case. C.-Kim-Lee'12 ($n \ge 3$): in most cases, the complexity is greater than $\sqrt{p}$.
n = 2 case

$\Phi_2(p) = p + 1$ has a small divisor $d$.
Total complexity: $\log p \cdot O\left(\sqrt{\frac{p+1}{d}} + d\right)$, which can be lowered to $O(p^{1/3})$ when $d \approx p^{1/3}$.
This algorithm requires all of the $g^{\alpha^{i}}$'s for $0 \le i \le d$.
What can you do if one is missing? e.g. $g^{\alpha^{2}}$
4 Applications
Examples

NIST Curves
B-163: $p - 1 = 2 \cdot 53 \cdot 383 \cdot 21179 \cdot$ (a 132-bit prime)
K-163: $p - 1 = 2^{4} \cdot 43 \cdot 73 \cdot$ (a 16-bit prime) $\cdot$ (an 18-bit prime) $\cdot$ (a 112-bit prime)
P-192: $p - 1 = 2^{4} \cdot 5 \cdot 2389 \cdot$ (an 83-bit prime) $\cdot$ (a 92-bit prime)

BGW Broadcast Encryption for $n$ users is based on $2n$-BDHE
$E^{+}(\mathbb{F}_{3^{97}})$ has a subgroup $G$ of 151-bit prime order
Pollard rho: $O(2^{76})$ elliptic curve operations
Proposed attack: $O(2^{59})$ exponentiations for $n = 2^{32}$
Need a 220-bit prime for $2^{80}$ security with $2^{64}$ users
Implementation on $E(\mathbb{F}_{3^{127}})$ with 41-bit $d$ took 14 hours on a PC (Izu-Takenaka-Yasuda, ARES 2010)
Sakemi et al., Solving a Discrete Logarithm Problem with Auxiliary Input on a 160-bit Elliptic Curve, PKC 2012
Boneh-Boyen Signature and Strong DL (Jao and Yoshida)

A Boneh-Boyen signature is of the form $(m, g^{1/(\alpha - m)})$, where $m$ is a message.
If $(m_1, g^{1/(\alpha - m_1)}), \cdots, (m_d, g^{1/(\alpha - m_d)})$ are given, let $g_1 = g^{1/\prod_{i=1}^{d} (\alpha - m_i)}$; then one obtains $g_1, g_1^{\alpha}, \cdots, g_1^{\alpha^{d}}$ using partial fraction decomposition.
Then $\alpha$ is recovered by using the previous algorithm.
Partial Fraction Decomposition

Let $f(x) \in \mathbb{F}_p[x]$ be a polynomial of degree $d$. Partial fraction decomposition says
$$\frac{f(x)}{(x - m_1) \cdots (x - m_k)} = q(x) + \sum_{i=1}^{k} \frac{A_i}{x - m_i}$$
with $\deg q(x) = d - k$ and $A_i \in \mathbb{F}_p$.
Boneh-Boyen Signature and Strong DL

Furthermore, if $(m_i, g^{1/(\alpha - m_i)})$ for $i = 1, \cdots, k$ and $g^{\alpha^{j}}$ for $j = 1, \cdots, d - k$ are given, we also obtain an instance of SDL, $g_1, g_1^{\alpha}, \cdots, g_1^{\alpha^{d}}$ for $g_1 = g^{1/\prod_{i=1}^{k} (\alpha - m_i)}$.
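The Jao-Yoshida conversion of $d$ Boneh-Boyen signatures into an SDL instance, as an added example that is not from the talk: the residues $A_i$ of the partial fraction decomposition of $x^{j}/\prod_i (x - m_i)$ are computed in $\mathbb{F}_p$ and applied in the exponent, on the same constructed toy group ($p = 1009$, $q = 10091$); the signer's key $\alpha$ is constructed only to build the test instance and is never used by the conversion itself.

```python
# Constructed toy instance: G = <g> of prime order P inside Z_Q^* (Q = 10P+1 prime).
P, Q = 1009, 10091
G = pow(2, (Q - 1) // P, Q)

def residues(ms, j, p):
    """Partial-fraction coefficients A_i of x^j / prod_i (x - m_i) over F_p:
    A_i = m_i^j / prod_{l != i} (m_i - m_l), the residue at the simple pole m_i."""
    out = []
    for i, mi in enumerate(ms):
        denom = 1
        for l, ml in enumerate(ms):
            if l != i:
                denom = denom * (mi - ml) % p
        out.append(pow(mi, j, p) * pow(denom, p - 2, p) % p)
    return out

def sdl_instance_from_signatures(g, sigs, p, q):
    """sigs = [(m_i, g^(1/(alpha-m_i)))] with distinct m_i; d = len(sigs).
    Returns [g1, g1^alpha, ..., g1^(alpha^d)] for g1 = g^(1/prod(alpha-m_i))
    without knowing alpha: x^j/prod(x-m_i) = q(x) + sum A_i/(x-m_i), so
    g1^(alpha^j) = g^(q(alpha)) * prod_i sig_i^(A_i), q = 0 for j < d, q = 1 for j = d."""
    ms = [m for m, _ in sigs]
    d = len(ms)
    inst = []
    for j in range(d + 1):
        val = 1
        for (_, si), a in zip(sigs, residues(ms, j, p)):
            val = val * pow(si, a, q) % q
        if j == d:                     # x^d = prod(x - m_i) + (lower-degree remainder)
            val = val * g % q
        inst.append(val)
    return inst

def demo(alpha, ms):
    """A signer with secret alpha issues signatures on messages ms (constructed
    instance); the converted SDL tuple is checked against direct computation."""
    sigs = [(m, pow(G, pow((alpha - m) % P, P - 2, P), Q)) for m in ms]
    inst = sdl_instance_from_signatures(G, sigs, P, Q)
    prod = 1
    for m in ms:
        prod = prod * (alpha - m) % P
    g1 = pow(G, pow(prod, P - 2, P), Q)
    expected = [pow(g1, pow(alpha, j, P), Q) for j in range(len(ms) + 1)]
    return inst == expected
```

The output tuple is exactly the input shape of the $d$-DLPwAI solver on the earlier slides, with $g_1$ in place of $g$; since $\log_{g_1}$ and $\log_g$ agree on $\alpha$, recovering $\alpha$ from it breaks the signer's key.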