Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:

Slides:



Advertisements
Similar presentations
Dov Gordon & Jonathan Katz University of Maryland.
Advertisements

ECE555 Lecture 10 Nam Sung Kim University of Wisconsin – Madison
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.
1. 2 Memória (R-bit register) Circuito Combinatório D1D1 DRDR TRTR T1T1 X1X1 XLXL Y1Y1 YNYN clockreset MEF.
robot con 6 gradi di mobilità
Measurement of a Pond Basics of plane geometry Idea of the Coordinate Plane Confining an Area Practical skill Cooperation in the Group Lake measurement.
Analysis of Algorithms
Instructions for using this template. Remember this is Jeopardy, so where I have written Answer this is the prompt the students will see, and where I.
Markov models and HMMs. Probabilistic Inference P(X,H,E) P(X|E=e) = P(X,E=e) / P(E=e) with P(X,E=e) = sum h P(X, H=h, E=e) P(X,E=e) = sum h,x P(X=x, H=h,
1 Program verification: flowchart programs (Book: chapter 7)
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Computing with adversarial noise Aram Harrow (UW -> MIT) Matt Hastings (Duke/MSR) Anup Rao (UW)
MANE 4240 & CIVL 4240 Introduction to Finite Elements
Sublinear Algorithms … Lecture 23: April 20.
Sep 16, 2013 Lirong Xia Computational social choice The easy-to-compute axiom.
INHERENT LIMITATIONS OF COMPUTER PROGRAMS CSci 4011.
1 Parallel Algorithms (chap. 30, 1 st edition) Parallel: perform more than one operation at a time. PRAM model: Parallel Random Access Model. p0p0 p1p1.
Russell Impagliazzo ( IAS & UCSD ) Ragesh Jaiswal ( Columbia U. ) Valentine Kabanets ( IAS & SFU ) Avi Wigderson ( IAS ) ( based on [IJKW08, IKW09] )
CSci 4011 INHERENT LIMITATIONS OF COMPUTER PROGRAMS.
Ideal Parent Structure Learning School of Engineering & Computer Science The Hebrew University, Jerusalem, Israel Gal Elidan with Iftach Nachman and Nir.
1 Comnet 2010 Communication Networks Recitation 4 Scheduling & Drop Policies.
Direct Product : Decoding & Testing, with Applications Russell Impagliazzo (IAS & UCSD) Ragesh Jaiswal (Columbia) Valentine Kabanets (SFU) Avi Wigderson.
Science Fair Project Clare Cronin and Carolina Perez-Vargas
A D ICHOTOMY ON T HE C OMPLEXITY OF C ONSISTENT Q UERY A NSWERING FOR A TOMS W ITH S IMPLE K EYS Paris Koutris Dan Suciu University of Washington.
Numbers & Geometry Points and Distances. 6/3/2013 Numbers and Geometry 2 Distance d between numbers a and b d = Example: | = Points and Distances.
Roghibin's blog EQUILIBRIUM OF RIGID BODIES KESETIMBANG AN BENDA TEGAR.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Functions Rosen 1.8.
Equations of Lines Equations of Lines
Submodularity for Distributed Sensing Problems Zeyn Saigol IR Lab, School of Computer Science University of Birmingham 6 th July 2010.
1. – (–2) 4 3. x – 2(3x – 1) 4. 3(y 2 + 6y) –5x + 2 Simplify each expression. – y y.
On / By / With The building blocks of the Mplus language.
Lectures on NP-hard problems and Approximation algorithms
Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.
Boolean Satisfiability The most fundamental NP-complete problem, and now a powerful technology for solving many real world problems.
Faster Query Answering in Probabilistic Databases using Read-Once Functions Sudeepa Roy Joint work with Vittorio Perduca Val Tannen University of Pennsylvania.
Efficient Algorithms via Precision Sampling Robert Krauthgamer (Weizmann Institute) joint work with: Alexandr Andoni (Microsoft Research) Krzysztof Onak.
Problems and Their Classes
Sep 15, 2014 Lirong Xia Computational social choice The easy-to-compute axiom.
Inapproximability of Hypergraph Vertex-Cover. A k-uniform hypergraph H= : V – a set of vertices E - a collection of k-element subsets of V Example: k=3.
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
ENGIN112 L15: Magnitude Comparator and Multiplexers October 6, 2003 ENGIN 112 Intro to Electrical and Computer Engineering Lecture 15 Magnitude Comparators.
LECTURE 25. Course: “Design of Systems: Structural Approach” Dept. “Communication Networks &Systems”, Faculty of Radioengineering & Cybernetics Moscow.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
PODC 2007 © 2007 IBM Corporation Constructing Scalable Overlays for Pub/Sub With Many Topics Problems, Algorithms, and Evaluation G. Chockler, R. Melamed,
MS 101: Algorithms Instructor Neelima Gupta
Spatial Information Systems (SIS) COMP Spatial data structures (1)
SATISFIABILITY Eric L. Frederich.
XDI RDF Cell Graphs V This document introduces a notation for graphing XDI RDF statements called cell graphing. The motivation is to have an.
1 General Structural Equation (LISREL) Models Week 3 #2 A.Multiple Group Models with > 2 groups B.Relationship to ANOVA, ANCOVA models C.Introduction to.
22 22 33 33 11 11 X1 X2 X3 X4 X5 X6 X7 X8 X9                    2,1  3,1  3,2 2,1 1,1 3,1 4,2 5,2 6,2 7,3 8,3 9,3.
Lecture 8: Lattices and Elliptic Curves
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.
Complexity 19-1 Complexity Andrei Bulatov More Probabilistic Algorithms.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
Research on the Discrete Logarithm Problem Wang Ping Meng Xuemei
Nattee Niparnan. Easy & Hard Problem What is “difficulty” of problem? Difficult for computer scientist to derive algorithm for the problem? Difficult.
Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.
Public key ciphers 2 Session 6.
Resource bounded dimension and learning Elvira Mayordomo, U. Zaragoza CIRM, 2009 Joint work with Ricard Gavaldà, María López-Valdés, and Vinodchandran.
1/19 Minimizing weighted completion time with precedence constraints Nikhil Bansal (IBM) Subhash Khot (NYU)
11 RSA Variants.  Scheme ◦ Select s.t. p and q = 3 mod 4 ◦ n=pq, public key =n, private key =p,q ◦ y= e k (x)=x (x+b) mod n ◦ x=d k (y)=  y mod n.
Homework 3 As announced: not due today 
Finding Large Set Covers Faster via the Representation Method
Constrained Bipartite Vertex Cover: The Easy Kernel is Essentially Tight Bart M. P. Jansen June 4th, WORKER 2015, Nordfjordeid, Norway.
The Curve Merger (Dvir & Widgerson, 2008)
Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups Essam Ghadafi University of the West of England Jens Groth University.
Presentation transcript:

Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research)

DLP Discrete Logarithm Problem: Given g x find x Believed to be hard in some groups: - Z p * - elliptic curves

Hardness of DLP Hardness of the DLP: –specialized algorithms (index-calculus) complexity: depends on the algorithm –generic algorithms (rho, lambda, baby-step giant-step…) complexity: p if group has order p

Constrained DLP Constrained Discrete Logarithm Problem: Given g x find x, when x S Example: S consists of exponents with short addition chains.

Hardness of the Constrained DLP Bad sets (DLP is relatively easy): x with low Hamming weight x [a, b] {x 2 | x < p} Good sets (DLP is hard) - ?

Generic Group Model [Nec94,Sho97] Group G, random encoding σ : G Σ Group operations oracle: σ(g), σ(h), a, b σ(g a h b ) Formally, DLP: given σ(g) and σ(g x ), find x Assume order of g = p is prime

DLP is hard [Nec94,Sho97] Suppose there is an algorithm that solves the DLP in the generic group model: 1. The algorithm makes n queries σ(g), σ(g x ), σ(g a 1 x+b 1 ), σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) 2. The simulator answers randomly but consistently, treating x as a formal variable. 3. The algorithm outputs its guess y 4. The simulator chooses x at random. 5. The simulator loses if there is: inconsistency: g a i x+b i = g a j x+b j for some i, j; x = y. Pr < n 2 / p Pr = 1 / p

DLP is hard [Nec94,Sho97] Probability of success of any algorithm for the DLP in the generic group model is at most: n 2 /p + 1/p, where n is the number of group operations.

Graphical representation Queries: σ(g),σ(g x ),σ(g a 1 x+b 1 ),σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 x success y

Graphical representation Queries: σ(g),σ(g x ),σ(g a 1 x+b 1 ),σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 x = failure y

Attack The argument is tight: if for some σ(g a i x+b i ) = σ(g a j x+b j ), computing x is easy

Constrained DLP ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 given σ(g) and σ(g x ), find x S S

Generic complexity of S C α (S) = generic α- complexity of S Z p is the smallest such that their covers an α -fraction of S. ZpZp 0 S number of lines intersection set

Bound Adversary who is making at most n queries succeeds in solving DLP: with probability at most n 2 /p + 1/p DLP constrained to set S : If n < C α (S), probability is at most α + 1/|S|

Whats known about C α (S)? Obvious: C α (S) < α p (omitting constants) C α (S) < α|S| C α (S) > α|S| ZpZp 0 ZpZp S

Simple bounds p |S||S| αp αpαp Cα(S)Cα(S) log scale p sweet spot: small set, high complexity

Random subsets [Sch01] p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsets

Problem p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsetsshort description???

Relaxing the problem: C bsgs1 C bsgs1 (S) = baby-step-giant-step -1- complexity Two lists: g a 1, g a 2,…, g a n and g x-b 1, g x-b 2,…, g x-b n ZpZp 0 a1a1 a2a2 a3a3 x-b 1 x-b 2 a1+b2a1+b2 a2+b2a2+b2 a3+b1a3+b1

Modular weak Sidon set [EN77] S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) ZpZp 0 a1a1 a2a2 x-b 1 x-b 2 a1+b2a1+b2 a2+b2a2+b2 a2+b1a2+b1 a1+b1a1+b1 all four cannot belong to S

Zarankiewicz bound a1a1 b2b2 b1b1 a2a2 a1+b1a1+b1 a1+b2a1+b2 a2+b1a2+b1 a2+b2a2+b2 How many elements of S can be in the table? S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) Zarankiewicz bound: at most n 3/2 C bsgs1 (S) >|S| 2/3

Weak modular Sidon sets S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) Explicit constructions for such sets exist of size O(p 1/2 ). Higher order Sidon sets : s 1 + s 2 + s 3 s 4 + s 5 + s 6 (mod p) Turan-type bound: C bsgs1 (S) < |S| 3/4

A harder problem: C bsgs C bsgs (S) = baby-step-giant-step - complexity Two lists: g a 1, g a 2,…, g a n and g с 1 x-b 1, g c 2 x-b 2,…, g c n x-b n ZpZp 0 a1a1 a2a2 a3a3 c 1 x-b 1 c 2 x-b 2 x3x3 x2x2 x1x1 y1y1 y2y2 y3y3

Harder the problem: C bsgs S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) ZpZp 0 a1a1 a2a2 a3a3 c 1 x-b 1 c 2 x-b 2 x3x3 x2x2 x1x1 y1y1 y2y2 y3y3 all six cannot belong to S

Zarankiewicz bound (b1,c1)(b1,c1) a2a2 a1a1 How many elements of S can be in the table? S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) Zarankiewicz bound: still at most n 3/2 C bsgs (S) > |S| 2/3 (b2,c2)(b2,c2) (b3,c3)(b3,c3) x1x1 x2x2 x3x3 y1y1 y2y2 y3y3

How to construct? S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) Six-wise independent set of size p 1/6

Generic complexity ZpZp l1l1 Smallest possible theorem involves 7 lines: l2l2 l3l3 l4l4 lxlx lyly lzlz x1x1 y1y1 x2x2 z1z1 x3x3 x4x4 y2y2 y3y3 z2z2 y4y4 z3z3 z4z4

Bipartite Menelaus theorem S : for any twelve distinct x 1, x 2, x 3, x 4, y 1, y 2, y 3, y 4, z 1, z 2, z 3, z 4 S x 1 -y 1 x 1 -z 1 z 1 (x 1 -y 1 ) y 1 (x 1 -z 1 ) x 2 -y 2 x 2 -z 2 z 2 (x 2 -y 2 ) y 2 (x 2 -z 2 ) x 3 -y 3 x 3 -z 3 z 3 (x 3 -y 3 ) y 3 (x 3 -z 3 ) x 4 -y 4 x 4 -z 4 z 4 (x 4 -y 4 ) y 4 (x 4 -z 4 ) det 0 degree 6 polynomial

How to construct? 12-wise independent set of size p 1/12 C(S) > |S| 3/5

Conclusion p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsets C bsgs1 C bsgs p 1/6 p 1/12 C (αp) 1/20 (αp) 1/9 p 1/3 (αp) 1/4

Open problems Better constructions: - stronger bounds - explicit Constrained DLP for natural sets: - short addition chains - compressible binary representation - three-way products xyz