Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker: Ramarathnam Venkatesan (Microsoft Research)

DLP Discrete Logarithm Problem: Given g x find x Believed to be hard in some groups: - Z p * - elliptic curves

Hardness of DLP Hardness of the DLP: –specialized algorithms (index-calculus) complexity: depends on the algorithm –generic algorithms (rho, lambda, baby-step giant-step…) complexity: p if group has order p

Constrained DLP Constrained Discrete Logarithm Problem: Given g x find x, when x S Example: S consists of exponents with short addition chains.

Hardness of the Constrained DLP Bad sets (DLP is relatively easy): x with low Hamming weight x [a, b] {x 2 | x < p} Good sets (DLP is hard) - ?

Generic Group Model [Nec94,Sho97] Group G, random encoding σ : G Σ Group operations oracle: σ(g), σ(h), a, b σ(g a h b ) Formally, DLP: given σ(g) and σ(g x ), find x Assume order of g = p is prime

DLP is hard [Nec94,Sho97] Suppose there is an algorithm that solves the DLP in the generic group model: 1. The algorithm makes n queries σ(g), σ(g x ), σ(g a 1 x+b 1 ), σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) 2. The simulator answers randomly but consistently, treating x as a formal variable. 3. The algorithm outputs its guess y 4. The simulator chooses x at random. 5. The simulator loses if there is: inconsistency: g a i x+b i = g a j x+b j for some i, j; x = y. Pr < n 2 / p Pr = 1 / p

DLP is hard [Nec94,Sho97] Probability of success of any algorithm for the DLP in the generic group model is at most: n 2 /p + 1/p, where n is the number of group operations.

Graphical representation Queries: σ(g),σ(g x ),σ(g a 1 x+b 1 ),σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 x success y

Graphical representation Queries: σ(g),σ(g x ),σ(g a 1 x+b 1 ),σ(g a 2 x+b 2 ),…, σ(g a n x+b n ) ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 x = failure y

Attack The argument is tight: if for some σ(g a i x+b i ) = σ(g a j x+b j ), computing x is easy

Constrained DLP ZpZp ZpZp 0 a1x+b1a1x+b1 a2x+b2a2x+b2 1 x a3x+b3a3x+b3 given σ(g) and σ(g x ), find x S S

Generic complexity of S C α (S) = generic α- complexity of S Z p is the smallest such that their covers an α -fraction of S. ZpZp 0 S number of lines intersection set

Bound Adversary who is making at most n queries succeeds in solving DLP: with probability at most n 2 /p + 1/p DLP constrained to set S : If n < C α (S), probability is at most α + 1/|S|

Whats known about C α (S)? Obvious: C α (S) < α p (omitting constants) C α (S) < α|S| C α (S) > α|S| ZpZp 0 ZpZp S

Simple bounds p |S||S| αp αpαp Cα(S)Cα(S) log scale p sweet spot: small set, high complexity

Random subsets [Sch01] p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsets

Problem p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsetsshort description???

Relaxing the problem: C bsgs1 C bsgs1 (S) = baby-step-giant-step -1- complexity Two lists: g a 1, g a 2,…, g a n and g x-b 1, g x-b 2,…, g x-b n ZpZp 0 a1a1 a2a2 a3a3 x-b 1 x-b 2 a1+b2a1+b2 a2+b2a2+b2 a3+b1a3+b1

Modular weak Sidon set [EN77] S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) ZpZp 0 a1a1 a2a2 x-b 1 x-b 2 a1+b2a1+b2 a2+b2a2+b2 a2+b1a2+b1 a1+b1a1+b1 all four cannot belong to S

Zarankiewicz bound a1a1 b2b2 b1b1 a2a2 a1+b1a1+b1 a1+b2a1+b2 a2+b1a2+b1 a2+b2a2+b2 How many elements of S can be in the table? S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) Zarankiewicz bound: at most n 3/2 C bsgs1 (S) >|S| 2/3

Weak modular Sidon sets S is such that for any distinct s 1, s 2, s 3, s 4 S s 1 + s 2 s 3 + s 4 (mod p) Explicit constructions for such sets exist of size O(p 1/2 ). Higher order Sidon sets : s 1 + s 2 + s 3 s 4 + s 5 + s 6 (mod p) Turan-type bound: C bsgs1 (S) < |S| 3/4

A harder problem: C bsgs C bsgs (S) = baby-step-giant-step - complexity Two lists: g a 1, g a 2,…, g a n and g с 1 x-b 1, g c 2 x-b 2,…, g c n x-b n ZpZp 0 a1a1 a2a2 a3a3 c 1 x-b 1 c 2 x-b 2 x3x3 x2x2 x1x1 y1y1 y2y2 y3y3

Harder the problem: C bsgs S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) ZpZp 0 a1a1 a2a2 a3a3 c 1 x-b 1 c 2 x-b 2 x3x3 x2x2 x1x1 y1y1 y2y2 y3y3 all six cannot belong to S

Zarankiewicz bound (b1,c1)(b1,c1) a2a2 a1a1 How many elements of S can be in the table? S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) Zarankiewicz bound: still at most n 3/2 C bsgs (S) > |S| 2/3 (b2,c2)(b2,c2) (b3,c3)(b3,c3) x1x1 x2x2 x3x3 y1y1 y2y2 y3y3

How to construct? S : for any six distinct x 1, x 2, x 3, y 1, y 2, y 3 S (x 1 -x 2 )/(x 2 -x 3 ) (y 1 -y 2 )/(y 2 -y 3 ) (mod p) Six-wise independent set of size p 1/6

Generic complexity ZpZp l1l1 Smallest possible theorem involves 7 lines: l2l2 l3l3 l4l4 lxlx lyly lzlz x1x1 y1y1 x2x2 z1z1 x3x3 x4x4 y2y2 y3y3 z2z2 y4y4 z3z3 z4z4

Bipartite Menelaus theorem S : for any twelve distinct x 1, x 2, x 3, x 4, y 1, y 2, y 3, y 4, z 1, z 2, z 3, z 4 S x 1 -y 1 x 1 -z 1 z 1 (x 1 -y 1 ) y 1 (x 1 -z 1 ) x 2 -y 2 x 2 -z 2 z 2 (x 2 -y 2 ) y 2 (x 2 -z 2 ) x 3 -y 3 x 3 -z 3 z 3 (x 3 -y 3 ) y 3 (x 3 -z 3 ) x 4 -y 4 x 4 -z 4 z 4 (x 4 -y 4 ) y 4 (x 4 -z 4 ) det 0 degree 6 polynomial

How to construct? 12-wise independent set of size p 1/12 C(S) > |S| 3/5

Conclusion p |S||S| αp αpαp Cα(S)Cα(S) log scale p random subsets C bsgs1 C bsgs p 1/6 p 1/12 C (αp) 1/20 (αp) 1/9 p 1/3 (αp) 1/4

Open problems Better constructions: - stronger bounds - explicit Constrained DLP for natural sets: - short addition chains - compressible binary representation - three-way products xyz