Download presentation
Presentation is loading. Please wait.
1
The Discrete Logarithm Problem with Preprocessing
Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt β 1 May Tel Aviv, Israel
2
Signatures (DSA and Schnorr)
Pairings DH key exchange DDH Signatures (DSA and Schnorr) Discrete log
3
The discrete-log problem
Group: πΎ= π of prime order π Solution: π₯β β€ π Instance: π π₯ βπΎ Adversary π Why do we believe this problem is hard?
4
Generic lower bounds give us confidence
Theorem. [Shoupβ97] Every generic discrete-log algorithm that operates in a group of prime order π and succeeds with probability at least Β½ must run in time Ξ©( π 1/2 ). Generic attack in 256-bit group takes β time. Best attacks on standard EC groups are generic
5
Very useful way to understand hardness [BB04,B05,M05,D06, B08,Y15,β¦]
Generic algorithms can only make βblack-boxβ use of the group operation Generic-group model: Group is defined by an injective βlabelingβ function π: β€ π β 0,1 β Algorithm has access to a group-operation oracle: πͺ π π π , π π β¦ π π+π Generic dlog algorithm takes as input π 1 , π π₯ , representing (π, π π₯ ), make queries to πͺ π , outputs π₯. [Measure running time by query complexity] Very useful way to understand hardness [BB04,B05,M05,D06, B08,Y15,β¦] [Nechaevβ94], [Shoupβ97], [Maurerβ05]
![Very useful way to understand hardness [BB04,B05,M05,D06, B08,Y15,β¦]](http://slideplayer.com./slide/14422640/90/images/5/Very+useful+way+to+understand+hardness+%5BBB04%2CB05%2CM05%2CD06%2C+B08%2CY15%2C%E2%80%A6%5D.jpg "Generic algorithms can only make black-box use of the group operation. Generic-group model: Group is defined by an injective labeling function π: β€ π β 0,1 β Algorithm has access to a group-operation oracle: πͺ π π π , π π β¦ π π+π. Generic dlog algorithm takes as input π 1 , π π₯ , representing (π, π π₯ ), make queries to πͺ π , outputs π₯. [Measure running time by query complexity] Very useful way to understand hardness [BB04,B05,M05,D06, B08,Y15,β¦] [Nechaevβ94], [Shoupβ97], [Maurerβ05]")
6
Existing generic lower bounds do not account for preprocessing
Premise of generic-group model: the adversary knows nothing about the structure of the group πΎ in advance In reality: the adversary knows a lot about πΎ! πΎ is one of a small number of groups: NIST P-256, Curve25519, β¦ A realistic adversary can perform πΎ-specific preprocessing! Existing generic-group lower bounds say nothing about preprocessing attacks! [H80, Yao90, FN91, β¦]
7
Preprocessing phase π 0 Online phase π 1 Group: πΎ= π Advice: π π‘ πΎ
Both algorithms are generic! Both algorithms are generic! Online phase Instance: π π₯ βπΎ Solution: π₯β β€ π π 1 Initiated by Hellman (1980) in context of OWFs
8
Preprocessing phase π 0 Online phase π 1 Preprocessing time π
Group: πΎ= π Advice: π π‘ πΎ π 0 Advice size π Online phase Online time π Instance: π π₯ βπΎ Solution: π₯β β€ π π 1 Success prob. π Initiated by Hellman (1980) in context of OWFs
9
Rest of this talk Background: Preprocessing attacks are relevant
Preexisting π=π= π ( π 1/3 ) generic attack on discrete log Our results: Preprocessing lower-bounds and attacks The π ( π 1/3 ) generic dlog attack is optimal Any such attack must use lots of preprocessing: Ξ©( π 2/3 ) New π ( π 1/5 ) preprocessing attack on DDH-like problem Open questions
10
Will sketch the algorithm for π=π= π 1/3 , constant π.
A preexisting resultβ¦ Theorem. [Mihalcik 2010] [Lee, Cheon, Hong 2011] [Bernstein and Lange 2013] There is a generic dlog algorithm with preprocessing that: uses π bits of group-specific advice, uses π online time, and succeeds with probability π, such that: π π 2 = π (ππ) Will sketch the algorithm for π=π= π 1/3 , constant π. Escott, Sager, Selkirk, Tsapakidis (CryptoBytes) β Reusing DPs Kuhn and Struik - Multiple Dlog Hitchcock, Montague, Carter, Dawson (2004) β Implications of using fixed curves Lee, Cheon, Hong (2011) - Dlog for IBE β¦. building on prior work on multiple-discrete-log algorithms [ESST99,KS01,HMCD04,BL12]
11
β¦ β¦ Preliminaries π π₯ π π₯+ πΌ 1 π π₯+ πΌ 1 + πΌ 2 π π₯+ π πΌ π =π π
Define a pseudo-random walk on πΎ: π π₯ β¦ π π₯+πΌ where πΌ=Hash π π₯ is a random function π π₯ π π₯+ πΌ 1 π π₯+ πΌ 1 + πΌ 2 π π₯+ π πΌ π β¦ =π π β¦ π₯ π¦ If you know the dlog of the endpoint of a walk, you know the dlog of the starting point! [M10, LCH11, BL13]
12
Preprocessing time: Ξ© ( π 2/3 )
Preprocessing phase Build π 1/3 chains of length π 1/3 Store dlogs of chain endpoints Online phase Walk π( π 1/3 ) steps When you hit a stored point, output the discrete log Length: π 1/3 Advice: π ( π 1/3 ) bits π 1/3 chains β¦ β¦ π π₯ Time: π ( π 1/3 ) steps Preprocessing time: Ξ© ( π 2/3 ) Advice string [M10, LCH11, BL13]
13
Is this dlog attack the best possible?!
Generic discrete log Without preprocessing: Ξ© π 1/ π πππ time With preprocessing: π ( π 1/3 ) π ππ time Related preprocessing attacks break: Multiple discrete log problem [This paper] One-round Even-Mansour cipher [FJM14] Merkle-DamgΓ₯rd hash with random IV [CDGS17] 256-bit ECDL Is this dlog attack the best possible?! β
14
Discrete log Pairings DH key exchange DDH Signatures (DSA and Schnorr)
Could there exist a generic dlog preprocessing attack with π=π= π 1/10 ? Preprocessing attacks might make us worry about 256-bit EC groups
16
This talk Background: Preprocessing attacks are relevant
Preexisting π=π= π ( π 1/3 ) generic attack on discrete log Our results: Preprocessing lower-bounds and attacks The π ( π 1/3 ) generic dlog attack is optimal Any such attack must use lots of preprocessing: Ξ©( π 2/3 ) New π ( π 1/5 ) preprocessing attack on DDH-like problem Open questions
17
uses π bits of group-specific advice, uses π online time, and
Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: uses π bits of group-specific advice, uses π online time, and succeeds with probability π, must satisfy: π π 2 = Ξ© (ππ) This bound is tight for the full range of parameters (up to log factors) Shoupβs proof technique (1997) relies on π having no information about the group πΎ when it starts running ο Need different proof technique
18
Online time π 1/3 implies Ξ©( π 2/3 ) preprocessing
Theorem. [Our paper] Every generic dlog algorithm with preprocessing that: uses π bits of group-specific advice, uses π online time, and succeeds with probability π, must satisfy: π π 2 = Ξ© (ππ) Online time π 1/3 implies Ξ©( π 2/3 ) preprocessing Theorem. [Our paper] Furthermore, the preprocessing time π must satisfy ππ+ π 2 =Ξ©(ππ)
19
Reminder: Generic-group model
A group is defined by an injective βlabelingβ function π: β€ π β 0,1 β Algorithm has access to a group-operation oracle: πͺ π π π , π π β¦ π π+π E.g., A dlog algorithm takes as input π 1 , π π₯ , representing (π, π π₯ ), make queries to πͺ π , outputs π₯.
20
We prove the lower bound using an incompressibility argument
[Yao90, GT00, DTT10, DHT12, DGK17β¦] Use π to compress the mapping π: β€ π β 0,1 β that defines the group Adv π uses advice π and online time π such that π π 2 =π(π) β Encoder compresses well Random string is incompressible β Lower bound on π and π Similar technique used in [DHT12] (Random) Encoder Decoder π π(π) 1 101 2 110 3 001 β¦ π π(π) 1 101 2 110 3 001 β¦ Compressed representation π Enc(π) π Wlog, assume π is deterministic
21
Proof idea: Use preprocessing dlog adversary π 0 , π 1 to build a compressed representation of the mapping π. [Yao90, GT00, DHT12] Encoder π π(π) 1 101 2 110 3 001 4 000 5 1111 β¦
22
Proof idea: Use preprocessing dlog adversary π 0 , π 1 to build a compressed representation of the mapping π. [Yao90, GT00, DHT12] Compressed representation of π Encoder π 0 s t π π π(π) 1 101 2 110 3 001 4 000 5 1111 β¦ Responses to π 1 βs queries on β000β π 1 (000) First bitstring in image of π, representing some π π₯ Run π 1 on πΌ instances, for some parameter πΌ Responses to π 1 βs queries on β001β π 1 (001) β¦ β¦ Rest of π
23
Compressed representation of π
Proof idea: Use preprocessing dlog adversary π 0 , π 1 to build a compressed representation of the mapping π. [Yao90, GT00, DHT12] Compressed representation of π Decoder s t π π π(π) 1 101 2 110 3 001 4 000 5 1111 β¦ Run π 1 on πΌ instances Whenever π 1 outputs a dlog, we get one value π(π) βfor freeβ β¦ π 5 = ? π 2 = ? π 1 (000) β111β β110β π 1 = ? β¦ π 1 (001) β101β β¦ β¦ Rest of π
24
Easy case: The response to all of π 1 βs queries are distinct
Claim: Each invocation of π 1 allows the encoder to compress π by at least one bit. Easy case: The response to all of π 1 βs queries are distinct π 1 outputs a discrete log βfor freeβ β Compress by βlog π bits Harder case: The response to query π‘ is the same as the response to query π‘β²<π‘. A naΓ―ve encoding βpays twiceβ for the same value π(π) β No savings ο Instead, encoder writes a pointer to query π‘β² If the encoder runs π 1 on πΌ instances, requires log πΌπ log π bits. Each execution of π π saves at least 1 bit, when: π₯π¨π π° π» π <π₯π¨π π΅, or π°<π΅/ π» π Pointer to query π‘β² Index of query π‘ [DHT12] treats a more difficult version of βhard caseβ
25
Completing the proof We run the adversary π 1 on πΌ=π/ π 2 instances
Each execution compresses by β₯ 1 bit BUT, we have to include the π-bit advice string in the encoding = πβ π π 2 β₯ β π π 2 =Ξ© π β Encoding overhead
26
Extra complications Algorithms that succeed on an π-fraction of group elements Use the random self-reducibility of dlog Hardcode a good set of random coins for π 1 into Enc π Decisional type problems (DDH, etc.) π 1 only outputs 1 bitβprior argument fails because encoding the runtime in log π bits is too expensive Run π 1 on batches of inputs [See paper for details]
27
What about Decision Diffie-Hellman (DDH)?
DDH problem: Distinguish π, π π₯ , π π¦ , π π₯π¦ from π, π π₯ , π π¦ , π π§ Upper bound Lower bound Time π Discrete log: π π 2 = π ππ π π 2 = Ξ© ππ π 1/4 CDH: π π 2 = π ππ π π 2 = Ξ© ππ π 1/4 DDH: π π 2 = π ππ π π 2 = Ξ© π 2 π β€ π 1/4 β₯ π 1/8 sqDDH: π π 2 = π π 2 π π π 2 = Ξ© π 2 π π 1/8 For π= π β1/4 π= π 1/4 Our new results Our new results Better attack?
28
π, π π₯ , π π₯ 2 from π, π π₯ , π π¦ for π₯,π¦ β π
β€ π .
Definition. The sqDDH problem is to distinguish π, π π₯ , π π₯ from π, π π₯ , π π¦ for π₯,π¦ β π
β€ π . Why itβs interesting: For generic online-only algs, itβs as hard as discrete log For generic preprocesssing algs, we show that itβs βmuch easierβ ο A DDH-like problem that is easier than dlog
29
This talk Background: Preprocessing attacks are relevant
Preexisting π=π= π ( π 1/3 ) generic attack on discrete log Our results: Preprocessing lower-bounds and attacks The π ( π 1/3 ) generic dlog attack is optimal Any such attack must use lots of preprocessing: Ξ©( π 2/3 ) New π ( π 1/5 ) preprocessing attack on DDH-like problem Open questions
30
Open questions and recent progress
Tightness of DDH upper/lower bounds? Is it as hard as dlog or as easy as sqDDH? Non-generic preprocessing attacks on ECDL? As we have for β€ π β Coretti, Dodis, and Guo (2018) Elegant proofs of generic-group lower bounds using βpresamplingβ (Γ la Unruh, 2007) Prove hardness of βone-moreβ dlog, KEA assumptions, β¦
31
This talk Background: Preprocessing attacks are relevant
Preexisting π=π= π ( π 1/3 ) generic attack on discrete log Our results: Preprocessing lower-bounds and attacks The π ( π 1/3 ) generic dlog attack is optimal Any such attack must use lots of preprocessing: Ξ©( π 2/3 ) New π ( π 1/5 ) preprocessing attack on DDH-like problem Open questions Henry β Dima β
Similar presentations
