Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton...
-
Upload
alyssa-mackay -
Category
Documents
-
view
216 -
download
2
Transcript of Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton...
![Page 1: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/1.jpg)
Hard Instances of the Constrained DiscreteLogarithm ProblemIlya Mironov Microsoft ResearchAnton Mityagin UCSDKobbi Nissim Ben Gurion University
Speaker: Ramarathnam Venkatesan(Microsoft Research)
![Page 2: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/2.jpg)
DLP
Discrete Logarithm Problem:
Given gx find x
Believed to be hard in some groups: - Zp
*
- elliptic curves
![Page 3: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/3.jpg)
Hardness of DLP
Hardness of the DLP:– specialized algorithms (index-calculus)
complexity: depends on the algorithm
– generic algorithms (rho, lambda, baby-step giant-step…)
complexity: √p if group has order p
![Page 4: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/4.jpg)
Constrained DLP
Constrained Discrete Logarithm Problem:
Given gx find x, when x S
Example: S consists of exponents with short addition chains.
![Page 5: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/5.jpg)
Hardness of the Constrained DLP
Bad sets (DLP is relatively easy):x with low Hamming weightx [a, b]
{x2 | x < √p}
Good sets (DLP is hard) - ?
![Page 6: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/6.jpg)
Generic Group Model [Nec94,Sho97]
Group G, random encoding σ:GΣ
Group operations oracle:σ(g),σ(h),a,b σ(gahb)
Formally, DLP:given σ(g) and σ(gx), find x
Assume order of g = p is prime
![Page 7: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/7.jpg)
DLP is hard [Nec94,Sho97]
Suppose there is an algorithm that solves the DLP in the generic group model:1. The algorithm makes n queries
σ(g), σ(gx), σ(ga1x+b1), σ(ga2x+b2),…, σ(ganx+bn)2. The simulator answers randomly but consistently, treating x as a formal variable.3. The algorithm outputs its guess y4. The simulator chooses x at random.5. The simulator loses if there is:
— inconsistency: gaix+bi = gajx+bj for some i, j;— x = y.
Pr < n2/p
Pr = 1/p
![Page 8: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/8.jpg)
DLP is hard [Nec94,Sho97]
Probability of success of any algorithm for the DLP in the generic group model is at most:
n2/p + 1/p,where n is the number of group operations.
![Page 9: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/9.jpg)
Graphical representation
Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)
Zp
Zp
0
a1x+b1
a2x+b2
1
x
a3x+b3
x
success
y
![Page 10: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/10.jpg)
Graphical representation
Queries: σ(g),σ(gx),σ(ga1x+b1),σ(ga2x+b2),…, σ(ganx+bn)
Zp
Zp
0
a1x+b1
a2x+b2
1
x
a3x+b3
x
=
failure
y
![Page 11: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/11.jpg)
Attack
The argument is tight:if for some σ(gaix+bi) = σ(gajx+bj), computing x is easy
![Page 12: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/12.jpg)
Constrained DLP
Zp
Zp
0
a1x+b1
a2x+b2
1
x
a3x+b3
given σ(g) and σ(gx), find xS
S
![Page 13: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/13.jpg)
Generic complexity of S
Cα(S) = generic α-complexity of S Zp is the smallest such that their covers an α-fraction of S.
Zp0S
number of linesintersection set
![Page 14: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/14.jpg)
Bound
Adversary who is making at most n queries succeeds in solving DLP: with probability at most
n2/p + 1/p
DLP constrained to set S: If n < Cα(S), probability is at most
α + 1/|S|
![Page 15: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/15.jpg)
What’s known about Cα(S)?
Obvious: Cα(S) < √ α p (omitting constants)
Cα(S) < α|S|
Cα(S) > √ α|S|
Zp0
Zp
S
![Page 16: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/16.jpg)
Simple bounds
p|S|
√αp
αpCα(S)
log scale √p
sweet spot:small set, high complexity
![Page 17: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/17.jpg)
Random subsets [Sch01]
p|S|
√αp
αpCα(S)
log scale √p
random subsets
![Page 18: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/18.jpg)
Problem
p|S|
√αp
αpCα(S)
log scale √p
random subsetsshort description???
![Page 19: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/19.jpg)
Relaxing the problem: Cbsgs1
Cbsgs1(S) = baby-step-giant-step-1-complexityTwo lists: ga1, ga2,…, gan and gx-b1, gx-b2,…, gx-bn
Zp0
a1
a2
a3
x-b1
x-b2
a1+b2a2+b2a3+b1
![Page 20: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/20.jpg)
Modular weak Sidon set [EN77]
S is such that for any distinct s1,s2,s3,s4S
s1 + s2 ≠ s3 + s4 (mod p)
Zp0
a1
a2
x-b1
x-b2
a1+b2a2+b2a2+b1 a1+b1
all four cannot belong to S
![Page 21: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/21.jpg)
Zarankiewicz bound
a1
b2
b1
a2
a1+b1
a1+b2
a2+b1
a2+b2
How many elements ofS can be in the table?
S is such that for any distinct s1,s2,s3,s4S
s1 + s2 ≠ s3 + s4 (mod p)
Zarankiewicz bound:at most n3/2
Cbsgs1(S) >|S|2/3
![Page 22: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/22.jpg)
Weak modular Sidon sets
S is such that for any distinct s1,s2,s3,s4S
s1 + s2 ≠ s3 + s4 (mod p)
Explicit constructions for such sets exist of size O(p1/2).
Higher order Sidon sets :s1 + s2 + s3 ≠ s4 + s5 + s6 (mod p)
Turan-type bound:Cbsgs1(S) < |S|3/4
![Page 23: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/23.jpg)
A harder problem: Cbsgs
Cbsgs(S) = baby-step-giant-step-complexityTwo lists: ga1, ga2,…, gan and gс1x-b1,gc2x-b2,…,gcnx-bn
Zp0
a1
a2
a3
c1x-b1c2x-b2
x3 x2 x1 y1 y2 y3
![Page 24: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/24.jpg)
Harder the problem: Cbsgs
S: for any six distinct x1,x2,x3,y1,y2,y3S
(x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)
Zp0
a1
a2
a3
c1x-b1c2x-b2
x3 x2 x1 y1 y2 y3
all six cannot belong to S
![Page 25: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/25.jpg)
Zarankiewicz bound
(b1,c1)
a2
a1
How many elements ofS can be in the table?
S: for any six distinct x1,x2,x3,y1,y2,y3S
(x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)
Zarankiewicz bound:still at most n3/2
Cbsgs(S) > |S|2/3
(b2,c2)(b3,c3)
x1 x2 x3
y1 y2 y3
![Page 26: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/26.jpg)
How to construct?
S: for any six distinct x1,x2,x3,y1,y2,y3S
(x1-x2)/(x2-x3) ≠ (y1-y2)/(y2-y3) (mod p)
“Six-wise independent set” of size p1/6
![Page 27: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/27.jpg)
Generic complexity
Zp
l1
“Smallest” possible theorem involves 7 lines:
l2
l3
l4
lx
lylz
x1 y1x2
z1x3
x4y2
y3 z2 y4 z3 z4
![Page 28: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/28.jpg)
Bipartite Menelaus theorem
S: for any twelve distinct x1,x2,x3,x4, y1,y2,y3,y4,z1,z2,z3,z4 S
x1-y1 x1-z1 z1(x1-y1) y1(x1-z1)
x2-y2 x2-z2 z2(x2-y2) y2(x2-z2)
x3-y3 x3-z3 z3(x3-y3) y3(x3-z3)
x4-y4 x4-z4 z4(x4-y4) y4(x4-z4)
det ≠0
degree 6 polynomial
![Page 29: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/29.jpg)
How to construct?
“12-wise independent set” of size p1/12
C(S) > |S|3/5
![Page 30: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/30.jpg)
Conclusion
p|S|
√αp
αpCα(S)
log scale √p
random subsets
Cbsgs1
Cbsgs
p1/6p1/12
C(αp)1/20(αp)1/9
p1/3
(αp)1/4
![Page 31: Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:](https://reader037.fdocuments.in/reader037/viewer/2022110303/5513f0cd5503463a298b5fdd/html5/thumbnails/31.jpg)
Open problems
Better constructions: - stronger bounds- explicit
Constrained DLP for natural sets:- short addition chains- compressible binary
representation- three-way products xyz