The Discrete Logarithm Problem with Preprocessing
Henry Corrigan-Gibbs and Dmitry Kogan, Stanford University
Eurocrypt – 1 May 2018 Tel Aviv, Israel
Where the discrete-log problem is relied on:
- Signatures (DSA and Schnorr)
- DH key exchange
- DDH
- Pairings
The discrete-log problem
Group: G = ⟨g⟩, of order N
Instance: g^x ∈ G
Solution: x ∈ ℤ_N
Adversary: A
Why do we believe this problem is hard?
Theorem: Every generic discrete-log algorithm (succeeding with constant probability) must run in time Ω(N^{1/2}).
A generic attack in a 256-bit group takes ≈ 2^{128} time.
The best attacks on standard EC groups are generic.
Generic-group model [Nechaev'94], [Shoup'97], [Maurer'05]:
"labeling" function σ: ℤ_N → {0,1}^*
group-op oracle: (σ(x), σ(y)) ↦ σ(x + y)
A generic dlog algorithm takes as input σ(1), σ(x), representing (g, g^x), makes queries to the group-op oracle, and outputs x.
[Measure running time by query complexity]
A very useful way to understand hardness [BB04, B05, M05, D06, B08, Y15, …].
But the model assumes the adversary knows nothing about the structure of the group G in advance, whereas in practice G is one of a small number of groups: NIST P-256, Curve25519, …
→ preprocessing attacks! [H80, Yao90, FN91, …]
Discrete log with preprocessing (initiated by Hellman (1980) in the context of OWFs):
Preprocessing phase: A_0 takes the group G = ⟨g⟩ and outputs an advice string st_G.
Online phase: A_1 takes the advice st_G and an instance g^x ∈ G and outputs the solution x ∈ ℤ_N.
Both algorithms are generic!
Parameters: preprocessing time P, advice size S, online time T, success probability ε.
Outline
Background: Preprocessing attacks are relevant
- Õ(N^{1/3}) generic attack on discrete log
Our results: Preprocessing lower bounds and attacks
- Õ(N^{1/3}) generic dlog attack is optimal
- Õ(N^{1/5}) preprocessing attack on a DDH-like problem
Open questions
Theorem (a preexisting result, building on prior work on multiple-discrete-log algorithms [ESST99, KS01, HMCD04, BL12]): There is a generic dlog algorithm with preprocessing that uses S bits of advice, runs in online time T, and succeeds with probability ε, such that ST² = Õ(εN).
We will sketch the algorithm for S = T = N^{1/3} and constant ε.
Define a pseudo-random walk on G [M10, LCH11, BL13]:
g^x ↦ g^{x+α}, where α = Hash(g^x) and Hash is a random function.
Starting from g^x, the walk visits g^x, g^{x+α_1}, g^{x+α_1+α_2}, …, g^{x+Σ_i α_i} = g^y.
If you know the dlog of the endpoint of a walk, you know the dlog of the starting point!
The algorithm [M10, LCH11, BL13]:
Preprocessing phase: run N^{1/3} walks ("chains"), each of length N^{1/3}, from starting points whose dlogs are known; the advice string stores the chain endpoints together with their dlogs.
Online phase: walk from the instance g^x for up to N^{1/3} steps; on reaching a stored endpoint, output the discrete log.
Advice: Õ(N^{1/3}) bits. Online time: Õ(N^{1/3}) steps. Preprocessing time: Ω̃(N^{2/3}).
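To make the trade-off concrete, here is an added toy implementation of the walk-based attack just sketched (example code written for this page, not code from the paper or the talk); it assumes a constructed prime-order subgroup of ℤ_p^* with p = 10007, N = 5003 and g = 4, and uses SHA-256 as the walk's Hash function.

```python
"""Toy version of the preprocessing discrete-log attack (random walks with
stored endpoints). Constructed example group: the order-N subgroup of Z_p^*
for the safe prime p = 10007, N = 5003, generated by g = 4."""
import hashlib
import random

P = 10007   # safe prime, p = 2N + 1
N = 5003    # prime order of the subgroup generated by g
G = 4       # generator of the order-N subgroup (a quadratic residue mod p)


def step_size(h: int) -> int:
    """The walk's 'Hash' function: a pseudo-random exponent alpha in [1, N-1]
    derived from the group element alone, so anyone can follow the walk
    without knowing the element's discrete log."""
    digest = hashlib.sha256(h.to_bytes(2, "big")).digest()
    return 1 + int.from_bytes(digest[:8], "big") % (N - 1)


def walk(h: int, exp: int, steps: int) -> tuple[int, int]:
    """Advance h = g^exp along the walk for `steps` steps.
    Returns the endpoint and its discrete log modulo N."""
    for _ in range(steps):
        alpha = step_size(h)
        h = (h * pow(G, alpha, P)) % P     # g^x -> g^(x + alpha)
        exp = (exp + alpha) % N
    return h, exp


def make_advice(starts: list[int], chain_len: int) -> dict[int, int]:
    """Preprocessing phase: one chain per starting exponent. The advice is
    the map endpoint -> dlog(endpoint); the preprocessor knows every dlog
    because it chose the starting exponents itself."""
    advice = {}
    for s in starts:
        end, end_exp = walk(pow(G, s, P), s, chain_len)
        advice[end] = end_exp
    return advice


def solve(advice: dict[int, int], h: int, max_steps: int):
    """Online phase: walk from the instance h = g^x, tracking the offset of
    the current point from h. Hitting a stored endpoint e = g^(x + off)
    gives x = dlog(e) - off. Returns None if no endpoint is reached."""
    cur, off = h, 0
    for _ in range(max_steps + 1):
        if cur in advice:
            return (advice[cur] - off) % N
        alpha = step_size(cur)
        cur = (cur * pow(G, alpha, P)) % P
        off = (off + alpha) % N
    return None


def demo(num_chains: int, chain_len: int, trials: int, seed: int) -> float:
    """Build advice of ~num_chains entries (S), allow ~2*chain_len online
    steps (T), and measure the success rate over random instances."""
    rng = random.Random(seed)
    starts = [rng.randrange(1, N) for _ in range(num_chains)]
    advice = make_advice(starts, chain_len)
    hits = 0
    for _ in range(trials):
        x = rng.randrange(1, N)
        found = solve(advice, pow(G, x, P), 2 * chain_len)
        assert found is None or found == x   # the attack never answers wrongly
        hits += found is not None
    return hits / trials


if __name__ == "__main__":
    cube_root = round(N ** (1 / 3))   # about 17 for N = 5003
    rate = demo(num_chains=cube_root, chain_len=cube_root, trials=200, seed=1)
    print(f"S = T = N^(1/3) = {cube_root}: success rate {rate:.2f}")
```

On random instances the attack succeeds only with constant probability, exactly as the ST² = Õ(εN) trade-off predicts; raising num_chains or chain_len shows the rate climb at the cost of more advice or online time.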
Generic discrete log:
→ Without preprocessing: Ω(N^{1/2}) time, i.e. 2^{128} for a 256-bit group.
→ With preprocessing: Õ(N^{1/3}) time, i.e. 2^{85}.
Related preprocessing attacks break: … [This paper] [FJM14] [CDGS17]
"256-bit ECDL"
Is this dlog attack the best possible?!
Recall what rests on discrete log: signatures (DSA and Schnorr), DH key exchange, DDH, pairings.
Could there exist a generic dlog preprocessing attack with S = T = N^{1/10}?
Preprocessing attacks might make us worry about 256-bit EC groups.
Our results: the Õ(N^{1/3}) generic dlog attack is optimal
Theorem: Every generic dlog algorithm with preprocessing that uses S bits of advice, runs in online time T, and succeeds with probability ε must satisfy ST² = Ω̃(εN).
This bound is tight for the full range of parameters (up to log factors).
Shoup's proof technique (1997) relies on A having no information about the group G when it starts running → need a different proof technique.
Theorem: Furthermore, the preprocessing time P must satisfy PT + T² = Ω̃(εN).
Online time N^{1/5} implies Ω(N^{4/5}) preprocessing.
Recall the generic-group model: a "labeling" function σ: ℤ_N → {0,1}^* and a group-op oracle (σ(x), σ(y)) ↦ σ(x + y). E.g., a dlog algorithm takes as input σ(1), σ(x), representing (g, g^x), makes queries to the group-op oracle, and outputs x.
Proof idea [Yao90, GT00, DTT10, DHT12, DGK17…]: use A to compress the (random) mapping σ: ℤ_N → {0,1}^* that defines the group.
Encoder: Enc(σ) → compressed representation. Decoder: compressed representation → σ.
A good A ⇒ the encoder compresses σ well ⇒ (a random function cannot be compressed) ⇒ lower bound on S and T.
σ is given as a table, e.g. x | σ(x): 1 | 101, 2 | 110, 3 | 001, …
A similar technique is used in [DHT12]. Wlog, assume A is deterministic.
Proof idea: use the preprocessing dlog adversary (A_0, A_1) to build a compressed representation of the mapping σ.
Running example: x | σ(x): 1 | 101, 2 | 110, 3 | 001, 4 | 000, 5 | 1111, …
Encoder. The compressed representation of σ consists of:
- st_G, the advice output by A_0
- A_1(000): run A_1 on "000", the first bitstring in the image of σ, representing some g^x
- the responses to A_1's queries on "000"
- A_1(001): run A_1 on "001"
- the responses to A_1's queries on "001"
- …
- the rest of σ
The encoder runs A_1 on u instances, for some parameter u.
Decoder. Read st_G, then replay the encoder's runs of A_1:
- Simulate A_1(000), answering each of its oracle queries from the stored responses (110, 111, …, 101, …); every answered query fills one table entry, e.g. σ(2) = ? → "110", σ(5) = ? → "111".
- Because A_1 outputs the dlog x of "000", we get one value σ(x) = 000 "for free": it was never stored.
- Simulate A_1(001) the same way, e.g. σ(1) = ? → "101".
- …
- Fill in the rest of σ from the remainder of the encoding.
Claim: Each invocation of A_1 allows the encoder to compress σ by at least one bit.
Easy case: The responses to all of A_1's queries are distinct. Compress by ≈ log N bits.
Harder case: The response to query i is the same as the response to query i′ < i. Encode the index of query i and a pointer to query i′: if the encoder runs A_1 on u instances, this requires log(uT) + log T bits. ([DHT12] treats a more difficult version of the hard case.)
Each execution of A_1 therefore saves at least 1 bit when log(uT²) < log N, i.e. u < N/T².
Change in encoding length = S − u ≥ 0 (a random σ is incompressible) ⇒ ST² = Ω̃(N). ∎
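Carrying the bit count through in the deck's own symbols (added here as a worked version of the claim above, not from the slides; the encoder is assumed to run A_1 on u instances, and log factors are absorbed into the tilde):

\[
\text{saving per run of } A_1 \;\ge\; \log N - \big(\log(uT) + \log T\big) \;=\; \log\frac{N}{uT^2} \;\ge\; 1
\quad\text{whenever } uT^2 \le N/2 .
\]

Taking u = N/(2T²) runs and charging the S advice bits that the encoding must also carry,

\[
|\mathrm{Enc}(\sigma)| - |\sigma| \;\le\; S - u \;=\; S - \frac{N}{2T^2},
\]

and since a uniformly random σ cannot be compressed, S − N/(2T²) ≥ 0, i.e.

\[
S\,T^2 \;\ge\; N/2, \qquad\text{so}\quad ST^2 = \tilde{\Omega}(N).
\]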
Encoding details [see paper for details]:
- Use the random self-reducibility of dlog.
- Hardcode a good set of random coins for A_1 into Enc(σ).
- If A_1 only outputs 1 bit, the prior argument fails because encoding the runtime in log N bits is too expensive; instead, run A_1 on batches of inputs.
DDH problem: Distinguish (g, g^x, g^y, g^{xy}) from (g, g^x, g^y, g^z).
Our new results (upper bound | lower bound):
Discrete log: ST² = Õ(εN) | ST² = Ω̃(εN)
CDH: ST² = Õ(εN) | ST² = Ω̃(εN)
DDH: ST² = Õ(εN) | ST² = Ω̃(ε²N) (better attack?)
sqDDH: ST² = Õ(ε²N) | ST² = Ω̃(ε²N)
Definition (sqDDH): Distinguish (g, g^x, g^{x²}) from (g, g^x, g^y) for x, y ←R ℤ_N.
Why it's interesting:
- Without preprocessing, it's as hard as discrete log (in the generic-group model).
- With preprocessing, we show that it's "much easier" → a DDH-like problem that is easier than dlog.
Open questions
* Coretti, Dodis, and Guo (2018) (à la Unruh, 2007)
Summary
Background: preprocessing attacks are relevant; there is an Õ(N^{1/3}) generic attack on discrete log.
Our results: preprocessing lower bounds and attacks; the Õ(N^{1/3}) generic dlog attack is optimal, and there is an Õ(N^{1/5}) preprocessing attack on a DDH-like problem.
Henry – henrycg@cs.stanford.edu
Dima – dkogan@cs.stanford.edu
https://eprint.iacr.org/2017/1113