Discrete Logarithm Problems with Auxiliary Inputs

Abstract

Let $g$ be an element of prime order $p$ in an abelian group, and let $\alpha\in\mathbb{Z}_p$. We show that if $g$, $g^{\alpha}$, and $g^{\alpha^{d}}$ are given for a positive divisor $d$ of $p-1$, the secret key $\alpha$ can be computed deterministically in $O(\sqrt{p/d}+\sqrt{d})$ exponentiations by using $O(\max\{\sqrt{p/d},\sqrt{d}\})$ storage. If $g^{\alpha^{i}}$ ($i=0,1,2,\ldots,2d$) is given for a positive divisor $d$ of $p+1$, $\alpha$ can be computed in $O(\sqrt{p/d}+d)$ exponentiations by using $O(\max\{\sqrt{p/d},\sqrt{d}\})$ storage. We also propose space-efficient but probabilistic algorithms for the same problem, which have the same computational complexities as the deterministic algorithm.

As applications of the proposed algorithms, we show that the strong Diffie–Hellman problem and related problems with public $g^{\alpha},\ldots,g^{\alpha^{d}}$ have computational complexity up to $O(\sqrt{d}/\log p)$ less than the generic algorithm complexity of the discrete logarithm problem when $p-1$ (resp. $p+1$) has a divisor $d\le p^{1/2}$ (resp. $d\le p^{1/3}$). Under the same conditions for $d$, the algorithm is also applicable to recovering the secret key in $O(\sqrt{p/d}\cdot \log p)$ for Boldyreva’s blind signature scheme and the textbook ElGamal scheme when $d$ signature or decryption queries are allowed.
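The $p-1$ case can be checked on toy parameters with a two-stage baby-step giant-step search, which is one construction that meets the stated $O(\sqrt{p/d}+\sqrt{d})$ bound. This is an added example, not code from the paper; the order-$p$ subgroup of $\mathbb{Z}_q^*$, the parameters $p=65537$, $d=256$, primitive root 3, and all function names are assumptions made for the illustration, and $\alpha$ is assumed nonzero.

```python
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, isqrt(n) + 1))

def solve_index(g, h, rho, n, p, q):
    """Find k in [0, n) with h == g^(rho^k) in the order-p subgroup of Z_q^*,
    where rho has multiplicative order n modulo p. Uses about 2*sqrt(n)
    exponentiations and sqrt(n) stored group elements."""
    m = isqrt(n - 1) + 1                      # ceil(sqrt(n))
    rho_inv = pow(rho, -1, p)
    baby, x = {}, h
    for u in range(m):                        # x = h^(rho^-u)
        baby.setdefault(x, u)
        x = pow(x, rho_inv, q)
    giant, y = pow(rho, m, p), g
    for v in range(m):                        # y = g^(rho^(m*v))
        if y in baby:
            return (baby[y] + m * v) % n
        y = pow(y, giant, q)
    raise ValueError("no solution: inputs are inconsistent")

def recover_alpha(g, g1, gd, d, zeta, p, q):
    """Recover alpha from g, g1 = g^alpha, gd = g^(alpha^d), with d | p-1 and
    zeta a primitive root mod p. Writes alpha = zeta^(k0 + k1*(p-1)/d)."""
    n1 = (p - 1) // d
    # Stage 1: alpha^d = (zeta^d)^k0, and zeta^d has order (p-1)/d.
    k0 = solve_index(g, gd, pow(zeta, d, p), n1, p, q)
    # Stage 2: strip zeta^k0 from the exponent; what remains has order d.
    h = pow(g1, pow(zeta, -k0, p), q)
    k1 = solve_index(g, h, pow(zeta, n1, p), d, p, q)
    return pow(zeta, k0 + k1 * n1, p)

# Constructed toy parameters (assumptions for this example only).
P, D, ZETA = 65537, 256, 3                    # 3 is a primitive root mod 65537
Q = next(k * P + 1 for k in range(2, 10**4, 2) if is_prime(k * P + 1))
G = next(x for x in (pow(b, (Q - 1) // P, Q) for b in range(2, 100)) if x != 1)

def demo(alpha):
    """Publish g^alpha and g^(alpha^d) for a secret alpha, then recover it."""
    g1 = pow(G, alpha, Q)
    gd = pow(G, pow(alpha, D, P), Q)
    return recover_alpha(G, g1, gd, D, ZETA, P, Q)
```

With these parameters each `solve_index` call walks at most 16 baby and 16 giant steps, against roughly 256 of each for a generic search over the full group order.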
