

SLIDE 1

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4)

Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song)

Department of Mathematical Sciences and ISaC-RIM Seoul National University

December 13, 2013

1 / 41

SLIDE 2

Discrete Logarithm Problem with Auxiliary Inputs

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

2 / 41

SLIDE 3

Discrete Logarithm Problem with Auxiliary Inputs

Discrete Logarithm Problem (DLP)

Let $G = \langle g \rangle$ be a cyclic group of prime order $p$. Discrete Logarithm Problem (DLP): find $\alpha \in \mathbb{F}_p$ when $g, g^\alpha$ are given.

CDHP: given $(g, g^\alpha, g^\beta)$, compute $g^{\alpha\beta}$. DDHP: given $(g, g^\alpha, g^\beta, g^\gamma)$, decide if $g^\gamma = g^{\alpha\beta}$.

Used in Public Key Encryption, Digital Signature, Authentication, etc.

Baby-Step Giant-Step (BSGS): Let $L = \lceil \sqrt{p} \rceil$. Find a collision between the two lists $L_1 = \{g^{-i} : i \in [0, L)\}$ and $L_2 = \{g^{Lj} : j \in [0, L)\}$. $O(\sqrt{p})$ computations and storage.

Other generic and special-purpose methods: Pollard's ρ, Pohlig-Hellman, Index calculus (NFS, FFS).

3 / 41

SLIDE 4

Discrete Logarithm Problem with Auxiliary Inputs

Relax the problems

Why? To design a new system with additional properties, and to prove the security without random oracles.

How to get a good grade in an exam? Flexible grading, or more hints before the test.

4 / 41

SLIDE 5

Discrete Logarithm Problem with Auxiliary Inputs

Relax the problems: Flexible Grading

Flexible RSA Problem (BP97, CS99, GHR99): Given a composite $n$ and a message $m \in \mathbb{Z}_n$, find $(e, m^{1/e})$ for some $e > 2$.

(Decisional) Linear Assumption (BBS04): Given $g, g_1, g_2, g_1^c, g_2^d, v \in G$, decide if $v = g^{c+d}$.

Let $d = 0$, $a = x^{-1}$, $ac = y$. Given $g^{x^{-1}}, g^{y}, v$, decide if $v = g^{c+d} = g^{xy}$.

5 / 41

SLIDE 6

Discrete Logarithm Problem with Auxiliary Inputs

Relax the problems: More Hints (1/2)

ℓ-Weak DHP: Given $g, g^\alpha, \dots, g^{\alpha^\ell}$, compute $g^{1/\alpha}$.
Used in Traitor Tracing [Mitsunari-Sakai-Kasahara02].

ℓ-Strong DHP: Given $g, g^\alpha, \dots, g^{\alpha^\ell}$, compute $g^{\alpha^{\ell+1}}$.
Used in Short Signatures without Random Oracle [BB04s] and Short Group Signatures [BBS04].

One More DL: With $n$ queries to a DL oracle, solve $(n+1)$ DL problems.
Used in GQ/Schnorr Identification; similarly One More DH.

6 / 41

SLIDE 7

Discrete Logarithm Problem with Auxiliary Inputs

Relax the problems: More Hints (2/2)

$e : G_1 \times G_2 \to G'$: a bilinear map.

ℓ-Bilinear DHI: Given $g, g^\alpha, \dots, g^{\alpha^\ell}$, compute $e(g, g)^{1/\alpha}$.
Used in Identity-based Encryption [BB04e] and Verifiable Random Functions [DY05].

ℓ-Bilinear DHE: Given $h, g, \dots, g^{\alpha^{\ell-1}}, g^{\alpha^{\ell+1}}, \dots, g^{\alpha^{2\ell}}$, compute $e(g, h)^{\alpha^\ell}$.
Used in HIBE with constant-size ciphertext [BBG05] and Public Key Broadcast Encryption [BGW05].

7 / 41

SLIDE 8

Discrete Logarithm Problem with Auxiliary Inputs

Variants of DL problems on Pairing Groups

Refer to http://www.ecrypt.eu.org/wiki

36 variants of DL are listed at http://www.ecrypt.eu.org/wiki/index.php/Discrete_Logarithms and 8 variants of BDL at http://www.ecrypt.eu.org/wiki/index.php/Pairings

Are they secure? Three approaches:
- Assume it is as secure as DL
- Find reductions or dedicated attacks
- Estimate the complexity in the generic group model

Attacks or Reductions: very few results.

8 / 41

SLIDE 9

Discrete Logarithm Problem with Auxiliary Inputs

Discrete Logarithm with Auxiliary Inputs (DLPwAI)

Many DL variants have auxiliary inputs $g, g^\alpha, \dots, g^{\alpha^d}$. Question: are they as hard as DL?

In the generic group model, the complexity of SDL is lower bounded by $O(\sqrt{p/d})$ group operations when $d < p^{1/3}$, compared with $O(\sqrt{p})$ for the DL.

d-DLPwAI: Given $g, g^\alpha, \dots, g^{\alpha^d}$, compute $\alpha \in \mathbb{F}_p$.

9 / 41

SLIDE 10

p ± 1 algorithm

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

10 / 41

SLIDE 11

p ± 1 algorithm

$p - 1$ has a small divisor $d$ [Brown-Gallant05], [JoC'10, C.]

Assume $(g, g_1 = g^\alpha, g_d = g^{\alpha^d})$ are given for $d \mid p - 1$. Let $\xi$ be a generator of $\mathbb{Z}_p^*$ and $\zeta := \xi^d$.

Idea: put $\alpha = \xi^{z_1 + z_2 \frac{p-1}{d}}$ for $0 \le z_1 < \frac{p-1}{d}$, $0 \le z_2 < d$. Then compute $z_1$ such that $g^{\alpha^d} = g^{\zeta^{z_1}}$, and then $z_2$ independently.

$\alpha^d = \zeta^{z_1}$ is contained in a subgroup of order $\frac{p-1}{d}$.

Apply BSGS: $\alpha^d \zeta^{-u} = \zeta^{Lv}$ for $0 \le u, v < L := \sqrt{\frac{p-1}{d}}$. Check the equality $g_d = g^{\zeta^{z_1}}$.

$O\left(\sqrt{\frac{p-1}{d}}\right)$ complexity and memory.

11 / 41

SLIDE 12

p ± 1 algorithm

$p - 1$ has a small divisor $d$ [Brown-Gallant05], [JoC'10, C.]

$\alpha = \xi^{z_1 + z_2 \frac{p-1}{d}}$. Once we know $z_1 \in [0, \frac{p-1}{d})$ and $\alpha^d = \zeta^{z_1}$, find $z_2 \in [0, d)$ such that $\alpha \xi^{-z_1} = \xi^{z_2 \frac{p-1}{d}}$.

Check the equality: $g_1^{\xi^{-z_1}} = g^{\left(\xi^{\frac{p-1}{d}}\right)^{z_2}}$.

Apply BSGS: $O(\sqrt{d})$ computations and storage.

Total: $\log p \cdot O\left(\sqrt{\frac{p-1}{d}} + \sqrt{d}\right)$ multiplications in $\mathbb{Z}_p$.

It has the minimum $O(p^{1/4})$ when $d = p^{1/2}$.

What can you do when given $\{g^{\alpha^i} \mid 0 \le i \le \ell\}$ with $\ell \nmid p - 1$?

12 / 41
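The two phases of slides 11 and 12 carried out on a toy instance, as an added Python example that is not the talk's own code. It assumes a constructed group of prime order P = 491 inside Z_983^* (983 = 2·491 + 1), the divisor d = 14 of p − 1 = 490, a constructed secret α, and helper names of my own; the BSGS of slide 3 is the same routine transported into the exponent (baby steps $g^{c^{Lv}}$, giant steps $\text{target}^{c^{-u}}$).

```python
from math import isqrt

# Constructed toy parameters: G = 2^2 generates the subgroup of prime order P in Z_Q^*, Q = 2P + 1.
P, Q, G = 491, 983, 4


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes)."""
    fs, i = set(), 2
    while i * i <= n:
        while n % i == 0:
            fs.add(i)
            n //= i
        i += 1
    if n > 1:
        fs.add(n)
    return fs


def generator(p):
    """Smallest xi generating Z_p^* (xi^((p-1)/f) != 1 for every prime f | p-1)."""
    fs = prime_factors(p - 1)
    return next(x for x in range(2, p) if all(pow(x, (p - 1) // f, p) != 1 for f in fs))


def bsgs_exponent(g, target, c, n, p, q):
    """Find z in [0, n) with target == g^(c^z), where c in F_p^* has order n.
    Baby steps g^(c^(L v)), giant steps target^(c^(-u)): a match means c^z c^(-u) = c^(L v),
    i.e. z = u + L v.  O(sqrt n) exponentiations and storage, as in slide 3's BSGS."""
    L = isqrt(n - 1) + 1                      # L^2 >= n
    cL = pow(c, L, p)
    baby, e = {}, 1
    for v in range(L):
        baby.setdefault(pow(g, e, q), v)      # e = c^(L v)
        e = e * cL % p
    c_inv, e = pow(c, -1, p), 1
    for u in range(L):
        v = baby.get(pow(target, e, q))       # e = c^(-u)
        if v is not None:
            return (u + L * v) % n
        e = e * c_inv % p
    return None


def p_minus_1_attack(g, g1, gd, d, p, q):
    """Recover alpha from (g, g1 = g^alpha, gd = g^(alpha^d)) when d | p-1."""
    assert (p - 1) % d == 0
    xi = generator(p)
    n1 = (p - 1) // d
    # Phase 1: alpha^d lies in <zeta>, zeta = xi^d of order (p-1)/d.
    zeta = pow(xi, d, p)
    z1 = bsgs_exponent(g, gd, zeta, n1, p, q)            # alpha^d = zeta^z1
    # Phase 2: alpha * xi^(-z1) lies in <eta>, eta = xi^((p-1)/d) of order d.
    eta = pow(xi, n1, p)
    stripped = pow(g1, pow(xi, -z1, p), q)               # g^(alpha * xi^(-z1))
    z2 = bsgs_exponent(g, stripped, eta, d, p, q)         # alpha * xi^(-z1) = eta^z2
    return pow(xi, z1 + z2 * n1, p)                      # alpha = xi^(z1 + z2 (p-1)/d)


def run_instance(alpha, d, p=P, q=Q, g=G):
    """Build the auxiliary inputs from a known (constructed) alpha, then recover it."""
    g1 = pow(g, alpha, q)
    gd = pow(g, pow(alpha, d, p), q)
    return p_minus_1_attack(g, g1, gd, d, p, q)


if __name__ == "__main__":
    print(run_instance(317, 14))  # -> 317
```

Only g, g^α and g^{α^d} are touched by the attack; α itself is used solely in `run_instance` to build the instance. With d = 14 the two BSGS runs have sizes ⌈√35⌉ and ⌈√14⌉, which is the √((p−1)/d) + √d cost of the slide.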

SLIDE 13

Generalized algorithms

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

13 / 41

SLIDE 14

Generalized algorithms

Use a field embedding [C.-Kim-Lee'12]

Let $p^n - 1 = DE$ for $0 < D < p$, and $d = \Phi_n(p)/D$. $\xi$: a generator of $\mathbb{F}_{p^n}^*$; $1_n$: the identity of $\mathbb{F}_{p^n}^*$; $H$: the subgroup of order $D$ generated by $\zeta = \xi^E$.

The idea of (generalized) Cheon's algorithm, $\Phi_n(p)$ cases: use the embedding, for $\theta \in \mathbb{F}_{p^n}$,
$\mathbb{F}_p \to H \subseteq \mathbb{F}_{p^n}$, $\alpha \mapsto \beta = (\alpha + \xi^\tau)^{rE}$,
where $H$ is a (small) subgroup of order $\frac{p^n - 1}{E}$. Find $z \in [0, D)$ such that $\beta = \zeta^z$ in $H \subset \mathbb{F}_{p^n}$.

14 / 41

SLIDE 15

Generalized algorithms

Baby-step Giant-step phase

Given $rE = \sum_{i=0}^{n-1} e_i p^i$ with $|e_i| < p/2$, $S_p(rE) = \max\{\sum_{e_i > 0} e_i,\ \sum_{e_i < 0} e_i\}$ is called the sum of signed digits, denoted by $e$.

$\beta = (\alpha \cdot 1_n + \xi^\tau)^{rE} = \prod_{i=0}^{n-1} (\alpha \cdot 1_n + \xi^{p^i \tau})^{e_i} = \dfrac{\sum_{j=0}^{\tau-1} f_j(\alpha)\,\xi^{j\tau}}{\sum_{j=0}^{\tau-1} \bar{f}_j(\alpha)\,\xi^{j\tau}}$

where $f_j$ and $\bar{f}_j$ are polynomials over $\mathbb{F}_p$ of degree $\le e$.

Need $g^{\alpha^i}$ for $1 \le i \le e = S_p(rE)$ for an $O(\sqrt{D})$ attack.

Find $z \in [0, D)$ s.t. $g^\beta = g^{\zeta^z}$, or $(g^\beta)^{\zeta^{-u\lceil\sqrt{D}\rceil}} = g^{\zeta^v}$ for $0 \le u, v < \lceil \sqrt{D} \rceil$.

15 / 41

SLIDE 16

Generalized algorithms

Attack Scenario

Suppose a prime $p$ and $g, g^\alpha, \dots, g^{\alpha^d}$ are given.
1. Find an appropriate divisor $D < p$ of $\Phi_n(p)$ for some $n$, where $\Phi_n(x)$ is the $n$-th cyclotomic polynomial.
2. Find $r$ s.t. $S_p(rE) \le d$ and $\gcd(r, D) = 1$.
3. Apply the algorithm to recover $\alpha$.

The complexity of the attack is about $O(\sqrt{D} + S_p(rE))$.

16 / 41

SLIDE 17

Generalized algorithms

However...

(Minkowski Thm) Lattice reduction gives $r$ with $S_p(rE) \le E^{1/\varphi(n)} \approx p / D^{1/\varphi(n)}$ when $DE = \Phi_n(p)$.

It is optimal except when every prime divisor of $D$ divides $n(p^2 - 1)$. Investigate the exceptional case.

C.-Kim-Lee'12 ($n \ge 3$): In most cases, the complexity is greater than $\sqrt{p}$.

17 / 41

SLIDE 18

Generalized algorithms

n=2 case

$\Phi_2(p) = p + 1$ has a small divisor $d$. Total complexity: $\log p \cdot O\left(\sqrt{\frac{p+1}{d}} + d\right)$, which can be lowered to $O(p^{1/3})$ when $d \approx p^{1/3}$.

This algorithm requires all of the $g^{\alpha^i}$ for $0 \le i \le d$.

What can you do if one is missing? e.g. $g^{\alpha^2}$

18 / 41

SLIDE 19

Applications

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

19 / 41

SLIDE 20

Applications

Examples

NIST Curves:
B-163: $p - 1 = 2 \cdot 53 \cdot 383 \cdot 21179 \cdot$ (a 132-bit prime)
K-163: $p - 1 = 2^4 \cdot 43 \cdot 73 \cdot$ (a 16-bit prime) $\cdot$ (an 18-bit prime) $\cdot$ (a 112-bit prime)
P-192: $p - 1 = 2^4 \cdot 5 \cdot 2389 \cdot$ (an 83-bit prime) $\cdot$ (a 92-bit prime)

BGW Broadcast Encryption for $n$ users is based on $2n$-BDHE.
$E^+(\mathbb{F}_{3^{97}})$ has a subgroup $G$ of 151-bit prime order. Pollard rho: $O(2^{76})$ elliptic curve operations. Proposed attack: $O(2^{59})$ exponentiations for $n = 2^{32}$. Need a 220-bit prime for $2^{80}$ security with $2^{64}$ users.

Implementation on $E(\mathbb{F}_{3^{127}})$ with 41-bit $d$ took 14 hours on a PC (Izu-Takenaka-Yasuda, ARES 2010). Sakemi et al., Solving a Discrete Logarithm Problem with Auxiliary Input on a 160-bit Elliptic Curve, PKC 2012.

20 / 41

SLIDE 21

Applications

Boneh-Boyen Signature and Strong DL (Jao and Yoshida)

A Boneh-Boyen signature is of the form $(m, g^{1/(\alpha - m)})$, where $m$ is a message. Suppose $(m_1, g^{1/(\alpha - m_1)}), \dots, (m_d, g^{1/(\alpha - m_d)})$ are given. Let $g_1 = g^{1/\prod_{i=1}^{d}(\alpha - m_i)}$; then one obtains $g_1, g_1^\alpha, \dots, g_1^{\alpha^d}$ using partial fraction decomposition. Then $\alpha$ is recovered by the previous algorithm.

21 / 41

SLIDE 22

Applications

Partial Fraction Decomposition

Let $f(x) \in \mathbb{F}_p[x]$ be a polynomial of degree $d$. Partial fraction decomposition says

$\dfrac{f(x)}{(x - m_1) \cdots (x - m_k)} = q(x) + \sum_{i=1}^{k} \dfrac{A_i}{x - m_i}$

with $\deg q(x) = d - k$ and $A_i \in \mathbb{F}_p$.

22 / 41

SLIDE 23

Applications

Boneh-Boyen Signature and Strong DL

Furthermore, if $(m_i, g^{1/(\alpha - m_i)})$ for $i = 1, \dots, k$ and $g^{\alpha^j}$ for $j = 1, \dots, d - k$ are given, we also obtain an instance of SDL, $g_1, g_1^\alpha, \dots, g_1^{\alpha^d}$, for $g_1 = g^{1/\prod_{i=1}^{k}(\alpha - m_i)}$.

23 / 41
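The conversion of slides 21 to 23 carried out concretely, as an added example that is not the talk's code: $d$ signatures $(m_i, g^{1/(\alpha - m_i)})$ are combined with the partial fraction coefficients $A_i = m_i^j / \prod_{k \ne i}(m_i - m_k)$ (the residue of $x^j/\prod_k (x - m_k)$ at $x = m_i$) into $g_1^{\alpha^j}$ for $j = 0, \dots, d$, and the result is compared with a direct computation that does use $\alpha$. The group (order P = 491 in Z_983^*), the messages, α and all function names are constructed for this example.

```python
# Constructed toy parameters: G has prime order P in Z_Q^* (Q = 2P + 1).
P, Q, G = 491, 983, 4


def partial_fraction_coeffs(ms, j, p):
    """A_i in  x^j / prod_k (x - m_k) = q(x) + sum_i A_i / (x - m_i)  over F_p, j <= len(ms).
    A_i is the residue at x = m_i:  m_i^j / prod_{k != i} (m_i - m_k)."""
    out = []
    for i, mi in enumerate(ms):
        denom = 1
        for k, mk in enumerate(ms):
            if k != i:
                denom = denom * (mi - mk) % p
        out.append(pow(mi, j, p) * pow(denom, -1, p) % p)
    return out


def sdl_instance(sigs, g, p, q):
    """sigs = [(m_i, g^(1/(alpha - m_i)))] for d distinct m_i.  Returns
    [g1, g1^alpha, ..., g1^(alpha^d)] with g1 = g^(1/prod(alpha - m_i)), computed from
    the signatures alone: g1^(alpha^j) = g^(q(alpha)) * prod_i (g^(1/(alpha - m_i)))^(A_i)."""
    ms = [m for m, _ in sigs]
    d = len(ms)
    out = []
    for j in range(d + 1):
        val = g if j == d else 1                 # q(x) = 0 for j < d and q(x) = 1 for j = d
        for (_, sig), a in zip(sigs, partial_fraction_coeffs(ms, j, p)):
            val = val * pow(sig, a, q) % q
        out.append(val)
    return out


def bb_sign(alpha, m, g, p, q):
    """Signer side (knows alpha): the Boneh-Boyen element g^(1/(alpha - m))."""
    return pow(g, pow((alpha - m) % p, -1, p), q)


def check(alpha, ms, g=G, p=P, q=Q):
    """Build d signatures for a constructed alpha and messages, convert them, and compare
    with the instance computed directly from alpha.  Returns True when they agree."""
    sigs = [(m, bb_sign(alpha, m, g, p, q)) for m in ms]
    got = sdl_instance(sigs, g, p, q)
    denom = 1
    for m in ms:
        denom = denom * (alpha - m) % p
    inv = pow(denom, -1, p)                      # the exponent of g1
    want = [pow(g, inv * pow(alpha, j, p) % p, q) for j in range(len(ms) + 1)]
    return got == want


if __name__ == "__main__":
    print(check(123, [5, 17, 42, 99]))  # -> True
```

The $j = d$ term needs the polynomial part $q(x) = 1$, which is why `sdl_instance` starts that product from $g$; for $j < d$ the fraction is proper and $q(x) = 0$. The list returned is exactly the $d$-DLPwAI instance for the base $g_1$, so the $p \pm 1$ algorithm of the earlier slides applies to it unchanged.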

SLIDE 24

Applications

Summary

The $\log p$ factor can be removed by a precomputation table (Kozaki-Kutsuma-Matsuo, Pairing 2007).

Given $\{g^{\alpha^i} \mid 0 \le i \le \ell\}$ and $\{g^{1/(\alpha - m_i)} \mid 0 \le i \le k\}$:
- If $d \mid p - 1$ and $d \le k\ell$, DL is solved in $O\left(\sqrt{(p-1)/d} + \sqrt{d}\right)$.
- If $d \mid p + 1$ and $d \le k\ell$, DL is solved in $O\left(\sqrt{(p+1)/d} + d\right)$.

The complexity is reduced by $\sqrt{d}$ from $O(\sqrt{q})$.

Is there any prime $p$ s.t. both $p - 1$ and $p + 1$ are almost prime?

24 / 41

SLIDE 25

Polynomial with small image size

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

25 / 41

SLIDE 26

Polynomial with small image size

Attack Scenario

Suppose a polynomial $f(x) \in \mathbb{F}_p[x]$ of degree $d$ has a small image size $|\mathrm{Im}(f)| = v$.
1. Take two lists $L = \{r_1, \dots, r_m\}$, $L' = \{s_1, \dots, s_m\}$ for randomly chosen $r_i$ and $s_j$ from $\mathbb{F}_p$.
2. Compute and find a collision between the following two lists: $g^{L} = \{g^{f(r_i \alpha)} : 1 \le i \le m\}$, $g^{L'} = \{g^{f(s_j)} : 1 \le j \le m\}$.
3. From a collision, solve the equation $f(r_i \alpha) = f(s_j)$ for $\alpha$.

Obstacles:
- Compute $g^{L}$ efficiently with $g, g^\alpha, \dots, g^{\alpha^d}$
- Decide an appropriate size $m$ of the lists
- Find suitable polynomials $f$

26 / 41

SLIDE 27

Polynomial with small image size

Compute $g^{L}$: Exponent FFT

Suppose $f(x) = a_d x^d + \cdots + a_1 x + a_0 \in \mathbb{F}_p[x]$ and denote $g^{f(x)} := (g^{a_0}, \dots, g^{a_d})$. Let $w \in \mathbb{F}_p$ be a primitive $d$-th root of unity. If we are given $g^{f(x)}$, $h(x)$, and $w$, then we can compute:
- $g^{\mathrm{DFT}_w(f)} := (g^{f(1)}, g^{f(w)}, \dots, g^{f(w^{d-1})})$ in $O(d \log d)$ group exponentiations.
- $g^{f(x)h(x)}$ in $O(d \log d)$ group exponentiations using the exponent FFT.
- $g^{f(x) \bmod h(x)}$ in $O(d \log d)$ group exponentiations, here with $\deg(f) = 2d$, $\deg(h) = d$ (via Newton's method).

27 / 41

SLIDE 28

Polynomial with small image size

Compute $g^{L}$: Exponent FFT

Thus for a given $g^{f(x)}$, computing $g^{f(1)}, \dots, g^{f(d)}$ is done in $O(d \log^2 d)$ group exponentiations. If the primitive $d$-th root $w \notin \mathbb{F}_p$, then use Schönhage-Strassen multiplication.

28 / 41
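The first item of slide 27, the DFT in the exponent, as an added example that is not the talk's code: a radix-2 FFT in which adding two exponents becomes multiplying two group elements and scaling an exponent by $w^k$ becomes raising the element to the power $w^k$. It assumes $d$ is a power of two dividing $p - 1$, a constructed toy group of order P = 113 in Z_227^* (227 = 2·113 + 1), constructed coefficients, and function names of my own; the polynomial multiplication and Newton steps of the other two items are not shown.

```python
# Constructed toy parameters: G = 2^2 has prime order P in Z_Q^* (Q = 2P + 1); 16 | P - 1.
P, Q, G = 113, 227, 4


def primitive_root_of_unity(d, p):
    """A primitive d-th root of unity in F_p for d a power of two dividing p-1."""
    assert (p - 1) % d == 0 and d & (d - 1) == 0
    for x in range(2, p):
        w = pow(x, (p - 1) // d, p)
        if pow(w, d // 2, p) == p - 1:        # w^(d/2) = -1  <=>  order exactly d
            return w
    raise ValueError("no primitive root found")


def exponent_fft(coeff_elems, w, p, q):
    """coeff_elems[i] = g^(a_i) for f(x) = sum a_i x^i, len d a power of two, w a primitive
    d-th root of unity.  Returns [g^(f(w^k)) for k in 0..d-1] with O(d log d) exponentiations,
    using f(x) = f_even(x^2) + x f_odd(x^2) and w^(k + d/2) = -w^k exactly as the ordinary FFT."""
    d = len(coeff_elems)
    if d == 1:
        return list(coeff_elems)
    w2 = w * w % p                             # primitive (d/2)-th root for the half-size problems
    even = exponent_fft(coeff_elems[0::2], w2, p, q)
    odd = exponent_fft(coeff_elems[1::2], w2, p, q)
    out, wk = [None] * d, 1
    for k in range(d // 2):
        t = pow(odd[k], wk, q)                 # g^(w^k * f_odd(w^(2k)))
        out[k] = even[k] * t % q               # g^(f_even(w^(2k)) + w^k f_odd(w^(2k)))
        out[k + d // 2] = even[k] * pow(t, -1, q) % q   # the -w^k twin: divide instead
        wk = wk * w % p
    return out


def horner_in_exponent(coeff_elems, x, q):
    """Reference: g^(f(x)) at one point by Horner's rule, O(d) exponentiations."""
    acc = 1
    for c in reversed(coeff_elems):
        acc = pow(acc, x, q) * c % q
    return acc


def demo(coeffs=(3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3)):
    """Constructed 16 coefficients; returns (fft values, Horner values), which must agree."""
    d = len(coeffs)
    elems = [pow(G, a, Q) for a in coeffs]     # the attacker's input g^(a_i)
    w = primitive_root_of_unity(d, P)
    fft = exponent_fft(elems, w, P, Q)
    ref = [horner_in_exponent(elems, pow(w, k, P), Q) for k in range(d)]
    return fft, ref


if __name__ == "__main__":
    values, reference = demo()
    print(values == reference)  # -> True
```

Each recursion level performs $d/2$ exponentiations and $d/2$ inversions on group elements, so the whole transform costs $O(d \log d)$ group operations while the Horner reference costs $O(d)$ per point, i.e. $O(d^2)$ for all $d$ points.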

SLIDE 29

Polynomial with small image size

Length of lists: Birthday Problem

Consider $V(f) := \{f(x) : x \in \mathbb{F}_p\} = \{f_1, \dots, f_v\}$, and let $p_i$ be the probability that $f(x) = f_i$ for randomly chosen $x \in \mathbb{F}_p$.

Assume that $p_1 = \cdots = p_v = \frac{1}{v}$.

By the birthday paradox, we have a collision after $\approx \sqrt{\frac{\pi}{2} v}$ elements are picked. We can set the size of the lists to be $m = \left\lceil \sqrt{\frac{\pi}{2} v} \right\rceil$.

The problem reduces to finding a polynomial with a small value set.

29 / 41

SLIDE 30

Polynomial with small image size

Polynomial finding: General Theory

$v := |\mathrm{Im}(f)| \ge \left\lfloor \frac{p-1}{d} \right\rfloor + 1$

$v = \left\lfloor \frac{p-1}{d} \right\rfloor + 1$ iff $d \mid p - 1$ and $f(x) = (x + \beta)^d + \gamma$.

Mean value of the image set size: the expected value $E(v)$ over all polynomials $f$ of degree $d$ is $p \cdot \left(1 - \frac{1}{2!} + \cdots + (-1)^d \frac{1}{d!}\right) \approx p/e$.

Very few candidates for our algorithm.

30 / 41

SLIDE 31

Polynomial with small image size

Polynomial finding: Monomial

If $f(x) = x^d$ with $d \mid (p - 1)$, then $|\mathrm{Im}(f)| = \frac{p-1}{d} = L^2$.

A collision finds $(g^{\alpha^d})^{u^d} = g^{v^d}$ and $\alpha = v/u$.

Complexity is $O\left(d \log d \times \frac{L}{d}\right) = O\left(\sqrt{\frac{p-1}{d}} \log d\right)$ exponentiations.

31 / 41
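The monomial case of slides 26, 29 and 31 as an added runnable example, not the talk's code: $f(x) = x^d$ with $d = 14$ dividing $p - 1 = 490$ on a constructed toy group of order P = 491 in Z_983^*, list length $m = \lceil \sqrt{\pi v / 2} \rceil$ from slide 29, $g^{f(r\alpha)}$ obtained as $(g^{\alpha^d})^{r^d}$ so no FFT is needed, and, since $(r\alpha)^d = s^d$ fixes $\alpha$ only up to a $d$-th root of unity, all $d$ candidates $\omega \cdot s/r$ checked against $g^\alpha$. The secret, the seed and the function names are constructed.

```python
import random
from math import ceil, pi, sqrt

# Constructed toy parameters: G has prime order P in Z_Q^* (Q = 2P + 1).
P, Q, G = 491, 983, 4


def dth_roots_of_unity(d, p):
    """All d-th roots of unity in F_p (d | p-1): x^((p-1)/d) runs through them as x varies."""
    roots, x = set(), 1
    while len(roots) < d:
        roots.add(pow(x, (p - 1) // d, p))
        x += 1
    return roots


def monomial_attack(g, g1, gd, d, p, q, seed=3):
    """Given g, g1 = g^alpha and gd = g^(alpha^d) with d | p-1, recover alpha using f(x) = x^d.
    Returns (alpha, final list length)."""
    rng = random.Random(seed)
    v = (p - 1) // d                                  # |Im(f)|
    m = ceil(sqrt(pi * v / 2))                        # birthday-bound list length (slide 29)
    roots = dth_roots_of_unity(d, p)
    while True:
        rs = [rng.randrange(1, p) for _ in range(m)]  # list L  (multipliers of alpha)
        ss = [rng.randrange(1, p) for _ in range(m)]  # list L' (known points)
        table = {pow(gd, pow(r, d, p), q): r for r in rs}   # g^((r alpha)^d) = gd^(r^d)
        for s in ss:
            r = table.get(pow(g, pow(s, d, p), q))          # g^(s^d): a collision?
            if r is None:
                continue
            # (r alpha)^d = s^d  =>  alpha = omega * s / r for some d-th root of unity omega
            base = s * pow(r, -1, p) % p
            for omega in roots:
                cand = omega * base % p
                if pow(g, cand, q) == g1:                   # only the true alpha matches g^alpha
                    return cand, m
        m *= 2                                        # no collision this round: lengthen and retry


if __name__ == "__main__":
    alpha, d = 200, 14                                # constructed secret and divisor
    g1, gd = pow(G, alpha, Q), pow(G, pow(alpha, d, P), Q)
    print(monomial_attack(G, g1, gd, d, P, Q))        # -> (200, 8)
```

With $v = 35$ the first round already uses $m = 8$ elements per list; the retry doubling only matters on the unlucky runs where two lists of that size miss each other in an image set of 35 values.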

SLIDE 32

Polynomial with small image size

Polynomial finding: Extension Field case

If $D \mid \Phi_n(p)$, let $f(x) = (x \cdot 1 + \zeta)^E$ for $\zeta \in \mathbb{F}_{p^n}$, $\Phi_n(p) = DE$. Suppose that we can write $f(x) = f_1(x)\theta_1 + \cdots + f_n(x)\theta_n$, where $(\theta_1, \dots, \theta_n)$ is a basis for $\mathbb{F}_{p^n}$.

For $x \in \mathbb{F}_p$, $|\mathrm{Im}(f)| \le D$, so we have $|\mathrm{Im}(f_k)| \le D$ for $k = 1, \dots, n$.

Compute $g^{f_k(i\alpha)}$ and $g^{f_k(j)}$ for $i, j = 1, \dots, \sqrt{D}$ using the exponent FFT. We find a collision and obtain $\alpha$ by solving the equation. However, the degree of $f$ is not small enough.

32 / 41

SLIDE 33

Polynomial with small image size

Rational function: Elliptic Curves

If $f(x) = \dfrac{\phi_m(x)}{\psi_m^2(x)}$ and $m \mid \#E(\mathbb{F}_p)$, then $|\mathrm{Im}(f)| = \dfrac{\#E(\mathbb{F}_p)}{m} \approx \dfrac{p}{m}$.

Compute $g^{\phi_m(\alpha)}, \dots, g^{\phi_m(q'\alpha)}$ and $g^{\psi_m^2(\alpha)}, \dots, g^{\psi_m^2(q'\alpha)}$ in $O(q' \log d)$ exponentiations. We obtain $g^{f(\alpha)}, \dots, g^{f(q'\alpha)}, g^{f(1)}, \dots, g^{f(q')}$ if $e(g^a, g^b) = h^{a/b}$ or $IE(g^b) = h^{1/b}$ oracle queries are allowed.

If $f(x) = \psi_m^2(x)$, then $|\ker(f)| = m$ and $|\mathrm{Im}(f)| = ?$

33 / 41

SLIDE 34

Polynomial with small image size

Application to the Dickson Polynomial

Dickson Polynomial: For $a \in \mathbb{F}_p$ and an integer $d \ge 1$, let

$D_d(x, a) = \sum_{k=0}^{\lfloor d/2 \rfloor} \dfrac{d}{d-k} \dbinom{d-k}{k} (-a)^k x^{d-2k} \in \mathbb{F}_p[x]$.

Value set of the Dickson Polynomial: If $a$ is a quadratic non-residue and $d$ is odd, then $R_{(d, p-1)} = \dfrac{p-1}{2(d, p-1)}$ and $R_{(d, p+1)} = \dfrac{p+1}{2(d, p+1)}$. If $d \mid (p+1)$, then $R_1 = \dfrac{p-1}{2}$ and $R_d = \dfrac{p+1}{2d}$.

34 / 41

SLIDE 35

Polynomial with small image size

Application to the Dickson Polynomial

$d$-to-1 for $\dfrac{p+1}{2}$ elements of $\mathbb{F}_p$. Complexity: $O\left(\sqrt{\dfrac{p+1}{d}} \log^2 d\right)$ exponentiations.

Note that $|\mathrm{Im}(D_d(x, a))| = \dfrac{p-1}{2} + \dfrac{p+1}{2d}$ is not small enough.

35 / 41

SLIDE 36

Generalized DLPwAI

Outline

1. Discrete Logarithm Problem with Auxiliary Inputs
2. p ± 1 algorithm
3. Generalized algorithms
4. Applications
5. Polynomial with small image size
6. Generalized DLPwAI

36 / 41

SLIDE 37

Generalized DLPwAI

Application with Sparse Polynomial [C-Kim-Song13]

Consider $f(x) = x + x^r + \cdots + x^{r^{d-1}} \in \mathbb{F}_p[x]$, where $r^d = 1 \bmod (p-1)$. Then $f(x) = f(x^r) = \cdots = f(x^{r^{d-1}})$, so it is a $d$-to-1 map.

Due to its high degree, it is hard to compute $f(r_1), \dots, f(r_m)$ efficiently for random $r_i$'s.

$f(\zeta^i x) = \zeta^i f(x)$ if $\zeta^r = \zeta \bmod (p-1)$. In this case, the multipoint evaluation can be replaced by simple scalar multiplications.

37 / 41

SLIDE 38

Generalized DLPwAI

Application with Sparse Polynomial [C-Kim-Song13]

Consider subsets of $\mathbb{Z}_p$ for the discrete log $\alpha$:
$\alpha := \{\alpha, \alpha^r, \dots, \alpha^{r^{d-1}}\} \to f(\alpha)$,
$\zeta\alpha := \{\zeta\alpha, \zeta\alpha^r, \dots, \zeta\alpha^{r^{d-1}}\} \to \zeta f(\alpha)$,
$\dots$
$\zeta^{r-1}\alpha := \{\zeta^{r-1}\alpha, \zeta^{r-1}\alpha^r, \dots, \zeta^{r-1}\alpha^{r^{d-1}}\} \to \zeta^{r-1} f(\alpha)$.

The sets are disjoint unless $f(\alpha) = 0$. The table size is $dr$. A random $\beta \in \mathbb{F}_p$ is in $\zeta^i\alpha$ for some $i$ w.h.p. if $dr \approx p$.

38 / 41

SLIDE 39

Generalized DLPwAI

Application with Sparse Polynomial [C-Kim-Song13]

For given $g, g^\alpha, g^{\alpha^r}, \dots, g^{\alpha^{r^{d-1}}}$, compute $g^{f(\alpha)} = \prod_{i=1}^{d} g^{\alpha^{r^i}}$.

For random $\beta$, find $k = i \cdot \lceil \sqrt{r} \rceil + j$ such that $f(\beta) = \zeta^k f(\alpha)$:
$\left(g^{f(\beta)}\right)^{(\zeta^{-\lceil \sqrt{r} \rceil})^i} = \left(g^{f(\alpha)}\right)^{\zeta^j}$.
Then $\beta \in \zeta^k \{\alpha, \alpha^r, \dots, \alpha^{r^{d-1}}\}$.

Find $\ell \in [0, d-1]$ s.t. $\beta = \zeta^k \alpha^{r^\ell}$.

Recover $\alpha = (\beta \zeta^{-k})^{r^{-\ell}}$ in $O(\sqrt{r} + d) \ge O(p^{1/3})$ where $dr \approx p$.

39 / 41
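Slides 37 to 39 as an added runnable example that is not the talk's code. It assumes the constructed toy group of order P = 491 in Z_983^*, $r = 11$ (so $r - 1 = 10$ divides $p - 1 = 490$ and an element $\zeta$ of order 10 satisfies $\zeta^r = \zeta$), $d$ equal to the order of $r$ modulo $p - 1$, a constructed secret α, and function names of my own. The BSGS over $k$ is replaced by a direct scan because $r$ is tiny here; the rest (computing $g^{f(\alpha)}$ from the inputs, matching $f(\beta) = \zeta^k f(\alpha)$, locating $\ell$, extracting the $r^\ell$-th root) follows the slide, and random $\beta$'s are drawn until one lands in the table.

```python
import random

# Constructed toy parameters: G has prime order P in Z_Q^* (Q = 2P + 1).
P, Q, G = 491, 983, 4
R = 11                   # r - 1 = 10 divides P - 1, so F_P contains zeta with zeta^r = zeta


def order_mod(x, m):
    """Multiplicative order of x modulo m (brute force; toy sizes only)."""
    k, y = 1, x % m
    while y != 1:
        y = y * x % m
        k += 1
    return k


def element_of_order(n, p):
    """Some zeta in F_p^* of order exactly n (requires n | p-1)."""
    for x in range(2, p):
        z = pow(x, (p - 1) // n, p)
        if order_mod(z, p) == n:
            return z
    raise ValueError("no element of that order")


def f_eval(x, exps, p):
    """f(x) = sum_i x^(r^i) evaluated directly; only possible when x itself is known."""
    return sum(pow(x, e, p) for e in exps) % p


def make_instance(alpha, p, q, g, r):
    """Attacker's view: the exponent set {r^i mod p-1} and the inputs g^(alpha^(r^i))."""
    d = order_mod(r, p - 1)                      # r^d = 1 mod (p-1)
    exps = [pow(r, i, p - 1) for i in range(d)]
    return exps, [pow(g, pow(alpha, e, p), q) for e in exps]


def recover_alpha(aux, exps, p, q, g, r, seed=7):
    """Recover alpha from aux = [g^(alpha^(r^i))] (aux[0] = g^alpha) and the exponent set."""
    rng = random.Random(seed)
    d = len(exps)
    zeta = element_of_order(r - 1, p)            # zeta^r = zeta, hence f(zeta x) = zeta f(x)
    gf_alpha = 1
    for a in aux:                                # g^f(alpha) = prod_i g^(alpha^(r^i))
        gf_alpha = gf_alpha * a % q
    r_inv = pow(r, -1, p - 1)
    while True:                                  # random beta until it lies in some zeta^k {alpha^(r^l)}
        beta = rng.randrange(1, p)
        g_beta = pow(g, beta, q)
        gf_beta = pow(g, f_eval(beta, exps, p), q)
        for k in range(r - 1):                   # the talk does BSGS over k; a plain scan suffices here
            zk = pow(zeta, k, p)
            if pow(gf_alpha, zk, q) != gf_beta:  # test f(beta) == zeta^k f(alpha)
                continue
            for ell in range(d):                 # which conjugate: beta == zeta^k alpha^(r^ell)?
                if pow(aux[ell], zk, q) == g_beta:
                    base = beta * pow(zk, -1, p) % p               # alpha^(r^ell)
                    cand = pow(base, pow(r_inv, ell, p - 1), p)    # (.)^(r^-ell)
                    if pow(g, cand, q) == aux[0]:
                        return cand


if __name__ == "__main__":
    exps, aux = make_instance(123, P, Q, G, R)   # 123 is the constructed secret
    print(len(exps), recover_alpha(aux, exps, P, Q, G, R))  # -> 21 123
```

With these parameters the ten sets $\zeta^k\{\alpha^{r^\ell}\}$ hold $10 \cdot 21 = 210$ of the 490 non-zero field elements, so a handful of random $\beta$'s suffices; the slide's $dr \approx p$ condition is what makes a single $\beta$ enough at full scale.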

SLIDE 40

Generalized DLPwAI

Generalized DLPwAI

Generalized DLPwAI (GDLPwAI): Find $\alpha \in \mathbb{F}_p$ when $g^{\alpha^{e_1}}, \dots, g^{\alpha^{e_d}}$ are given.

We can solve the GDLPwAI when $e_i \in K$ for a multiplicative subgroup $K$ of $\mathbb{Z}_{p-1}^\times$.

The time complexity is $O\left(\dfrac{p}{|K| \sqrt{\lambda}} + |K|\right)$, where $\lambda = \gcd(x - 1 : x \in K)$.

40 / 41

SLIDE 41

Generalized DLPwAI

Summary and Open Problem

We can solve the DLPwAI more efficiently if there is a polynomial $f : \mathbb{F}_p \to \mathbb{F}_p$ of low degree with a small value set. We have such $f$'s if
- $p - 1$ or $p + 1$ has an appropriate divisor,
- $f$ is rational,
- $f$ has large degree,
- $p$ is a power of a prime.

Except for these cases, it is not known whether there is such a polynomial.

Substitutional Polynomials: If $f(x) - f(y) = 0$ has $r$ absolutely irreducible factors, many elements have $r$ preimages under $f$, which yields an $O(\sqrt{p/r})$ algorithm. (More precisely, $\sum_{i=1}^{d} i^2 R_i = rp + O(d^2 p)$.)

41 / 41