Statistics for fixed points of x ↦ x^x mod p

Statistics for fixed points of x 7→ x x mod p Matthew Friedrichsen and Joshua Holden Forging a (variant) ElGamal Digital Signature Frank the Forger wants to solve for r and s in: (1) g H (m) ≡ y s r r (mod p ). He knows m , g , y , and p but not the discrete log of y mod p base g . He could: I calculate the discrete log of y , I or he could solve r r ≡ g H (m) y -s (mod p ) for r . We wish to shed light on the difficulty of the second attack by studying the self-power map, x 7→ x x mod p . Figure 1: The self-power map modulo 13 Is x 7→ x x mod p “random”? Heuristic 1. For all p, if x , y are chosen uniformly at random from {1,..., p - 1} with ord p x = d, then Pr[x x ≡ y (mod p )] ≈ ( 1 d if ord p y | d , 0 otherwise. Counts of the fixed points are not normally distributed This work investigates the number of fixed points of the self-power map, i.e., solutions to (2) x x ≡ x (mod p ). Let F (p ) be the number of solutions to (2) such that 1 ≤ x ≤ p - 1. How are these counts distributed? The figures show that the distribution is not (quite) normal. Figure 2: Histogram and Probability Plot of z -statistics for 238 six-digit primes The counts for most orders are binomially distributed Let F d (p ) be the number of solutions to (2) with 1 ≤ x ≤ p - 1 and ord p x = d . Assume x values behave independently. Prediction 2. Pr[F d (p )= k ]= φ(d ) k 1 d k d - 1 d φ(d )-k A chi-squared goodness-of-fit test gives p -value ≈ 0.198 which does not refute the prediction. We also tried a sliding window chi-squared test on the data sorted by order. The resulting p -values should be uniformly distributed but are not for small and large d . 1 10 100 1000 10000 100000 0 0.2 0.4 0.6 0.8 1 Order p-value Figure 3: Logarithmic plot showing p -values of the sliding window test for 238 six-digit primes Dependencies matter for small and large orders For small and large orders it turns out that the independence assumption is violated. Theorem 3. (a) The x-values of order 3 cannot both be fixed points. (b) The x-values of order 4 cannot both be fixed points. (c) The x-values of order 6 are both fixed points or neither is. There are similar effects for d =(p - 1)/3 and d =(p - 1)/4, and possibly a few others. F d (p 29 = 0 F d (p 29 = 1 F d (p 29 = 2 n = 116, p = 0.79 N O O P P order 3 n = 120, p = 0.36 N O O P P order 4 n = 116, p = 0.8 N O O P P order 6 Number of primes: predicted (P), observed (O), and not possible (N). F d (p 29 = 0 F d (p 29 = 1 F d (p 29 = 2 0 25 50 75 100 n = 116, p = 0.46 O O O P P P order (p - 129 3 0 25 50 75 100 n = 54, p = 0.33 O O O P P P order (p - 129 4, p ≡ 1 (mod 8) 0 25 50 75 100 n = 66, p = 0.48 N O O P P order (p - 129 4, p ≡ 5 (mod 8) Figure 4: Predictions and observations for fixed points of small and large orders in 238 six-digit primes Our predictions based on these dependencies are not refuted by chi-squared tests.

Upload
joshua-holden
Category

Education
view
29
download
2

Embed Size (px):

Transcript of Statistics for fixed points of x ↦ x^x mod p

Page 1: Statistics for fixed points of x ↦ x^x mod p

Statistics for fixed points of x 7→ xx mod pMatthew Friedrichsen and Joshua Holden

Forging a (variant) ElGamal Digital Signature

Frank the Forger wants to solve for r and s in:

(1) g H(m) ≡ y sr r (mod p).

He knows m, g , y , and p but not the discrete log ofy mod p base g . He could:

I calculate the discrete log of y ,I or he could solve r r ≡ g H(m)y−s (mod p) for r .

We wish to shed light on the difficulty of the secondattack by studying the self-power map,x 7→ xx mod p.

Figure 1: The self-power map modulo 13

Is x 7→ xx mod p “random”?Heuristic 1.For all p, if x , y are chosen uniformly at random from {1, . . . , p − 1} withordp x = d, then

Pr[xx ≡ y (mod p)] ≈

{1d if ordp y | d ,

0 otherwise.

Counts of the fixed points are not normally distributedThis work investigates the number of fixed points of the self-power map, i.e., solutions to

(2) xx ≡ x (mod p).

Let F (p) be the number of solutions to (2) such that 1 ≤ x ≤ p − 1. How are thesecounts distributed? The figures show that the distribution is not (quite) normal.

Figure 2: Histogram and Probability Plot of z-statistics for 238 six-digit primes

The counts for most orders are binomially distributedLet Fd(p) be the number of solutions to (2) with 1 ≤ x ≤ p − 1 and ordp x = d .

Assume x values behave independently.

Prediction 2.

Pr[Fd(p) = k] =

(φ(d)

)(1

)k (d − 1

)φ(d)−k

A chi-squared goodness-of-fit test gives

p-value ≈ 0.198

which does not refute the prediction.

We also tried a sliding window chi-squaredtest on the data sorted by order. Theresulting p-values should be uniformlydistributed but are not for small and large d .

100

1000

10000

100000

0 0.2 0.4 0.6 0.8 1

Ord

p-value

Figure 3: Logarithmic plot showing p-values ofthe sliding window test for 238 six-digit primes

Dependencies matter for small and large ordersFor small and large orders it turns out that the independence assumption is violated.

Theorem 3. (a) The x-values of order 3 cannot both be fixed points.(b) The x-values of order 4 cannot both be fixed points.(c) The x-values of order 6 are both fixed points or neither is.

There are similar effects for d = (p − 1)/3 and d = (p − 1)/4, and possibly a few others.

Number of primes: predicted (P), observed (O), and not possible (N).

Fd(p) = 0

Fd(p) = 1

Fd(p) = 2

0 25 50 75 100

n = 116, p = 0.79N

order 3

0 25 50 75 100

n = 120, p = 0.36N

order 4

0 25 50 75 100