Computing Small Discrete Logarithms Faster

Self Cite

Abstract. AES-128, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols are frequently conjectured to provide a security level of 2 128 . Extensive cryptanalysis of these primitives appears to have stabilized sufficiently to support such conjectures.In the literature on provable concrete security it is standard to define 2 b security as the nonexistence of high-probability attack algorithms taking time ≤2b . However, this paper provides overwhelming evidence for the existence of high-probability attack algorithms against AES-128, NIST P-256, DSA-3072, and RSA-3072 taking time considerably below 2 128 , contradicting the standard security conjectures.These attack algorithms are not realistic; do not indicate any actual security problem; do not indicate any risk to cryptographic users; and do not indicate any failure in previous cryptanalysis. Any actual use of these attack algorithms would be much more expensive than the conventional 2 128 attack algorithms. However, this expense is not visible to the standard definitions of security. Consequently the standard definitions of security fail to accurately model actual security.The underlying problem is that the standard set of algorithms, namely the set of algorithms taking time ≤2 b , fails to accurately model the set of algorithms that an attacker can carry out. This paper analyzes this failure in detail, and analyzes several ideas for fixing the security definitions.

Section: Precomputed Distinguished Pointssupporting

confidence: 70%

“…Our followup paper [22] experimentally verified the algorithm stated above, improved it to 1.77 · 3 √ additions using 3 √ distinguished points, extended it to DLPs in intervals (using slightly more additions), and showed constructive applications in various protocols.…”

mentioning

confidence: 66%

Non-uniform Cracks in the Concrete: The Power of Free Precomputation

Bernstein

Lange

2013

Self Cite

“…, L}, for some polynomially bounded integer L. Then, computing the required discrete logarithm may be performed in time O(L 1/2 ) using Pollard's kangaroo method [52]. As reported in [10], this can be reduced to O(L 1/3 ) operations by precomputing a table of size O(L 1/3 ). Note that even though the functionality is limited (decryption may not be performed efficiently for all key vectors and for all message vectors), while proving security we will let the adversary query any key vector in Z q .…”

Section: Definition 2 ([50]mentioning

confidence: 99%

Fully Secure Functional Encryption for Inner Products, from Standard Assumptions

Agrawal

Libert

Stehlé

2016

181

158

Abstract. Functional encryption is a modern public-key paradigm where a master secret key can be used to derive sub-keys SKF associated with certain functions F in such a way that the decryption operation reveals F (M ), if M is the encrypted message, and nothing else. Recently, Abdalla et al. gave simple and efficient realizations of the primitive for the computation of linear functions on encrypted data: given an encryption of a vector y over some specified base ring, a secret key SKx for the vector x allows computing x, y . Their technique surprisingly allows for instantiations under standard assumptions, like the hardness of the Decision Diffie-Hellman (DDH) and Learning-with-Errors (LWE) problems. Their constructions, however, are only proved secure against selective adversaries, which have to declare the challenge messages M0 and M1 at the outset of the game. In this paper, we provide constructions that provably achieve security against more realistic adaptive attacks (where the messages M0 and M1 may be chosen in the challenge phase, based on the previously collected information) for the same inner product functionality. Our constructions are obtained from hash proof systems endowed with homomorphic properties over the key space. They are (almost) as efficient as those of Abdalla et al. and rely on the same hardness assumptions. In addition, we obtain a solution based on Paillier's composite residuosity assumption, which was an open problem even in the case of selective adversaries. We also propose LWE-based schemes that allow evaluation of inner products modulo a prime p, as opposed to the schemes of Abdalla et al. that are restricted to evaluations of integer inner products of short integer vectors. We finally propose a solution based on Paillier's composite residuosity assumption that enables evaluation of inner products modulo an RSA integer N = p · q. We demonstrate that the functionality of inner products over a prime field is powerful and can be used to construct bounded collusion FE for all circuits.

“…. , l − 1} ⊆ Z p of size l. For example, Boneh-Goh-Nissim homomorphic encryption [5] requires solving DL for exponents chosen from such an interval, and Bernstein and Lange [2] suggested preprocessing methods to speed up such computations. We remark that with trivial modifications, all of our results (except those about the worstcase SHQ problems) also apply to Interval-MDL and the corresponding Interval-SHQ: in the upper bounds for advantages, simply replace the group order p with the interval size l. For example, the bound in Corollary 2 becomes…”

Section: Interval-mdlmentioning

confidence: 99%

“…A user who has the factorization can solve DL on small groups so the discrete logarithm problem is feasible, but an adversary has to solve the DL problem in a large group. For these cases, efficient algorithms for solving DL is crucial, and for example, Lee, Cheon, and Hong [9] and Bernstein and Lange [2] showed how to speed up the solution of the discrete logarithm problem via precomputation. When considered as a whole, these become algorithms for solving the multiple discrete logarithm problem.…”

Section: Introductionmentioning

confidence: 99%

Generic Hardness of the Multiple Discrete Logarithm Problem

Yun

2015

Abstract. We study generic hardness of the multiple discrete logarithm problem, where the solver has to solve n instances of the discrete logarithm problem simultaneously. There are known generic algorithms which perform O( √ np) group operations, where p is the group order, but no generic lower bound was known other than the trivial bound. In this paper we prove the tight generic lower bound, showing that the previously known algorithms are asymptotically optimal. We establish the lower bound by studying hardness of a related computational problem which we call the search-by-hyperplane-queries problem, which may be of independent interest.