Hard Bits of the Discrete Log with Applications to Password Authentication

Assuming the intractability of solving the discrete logarithm with short exponent problem, it was recently shown that the trailing $n - \omega(\log n)$ bits of the discrete logarithm modulo an $n$-bit safe prime $p$ are simultaneously hard. However, the question of hardness of the leading bits was left open. In this paper we show that the leading $n - \omega(\log n)$ bits are also simultaneously hard, or equivalently that the distribution of $g^s \bmod p$, where $g$ is a generator of $\mathbb{Z}^*_{p}$ and $s$ is a uniformly chosen short exponent of $\omega(\log n)$ bits, is indistinguishable from the uniform distribution on $\mathbb{Z}^*_{p}$. We further show that this result implies the security of a short exponent version of PAK, a password-authenticated key exchange protocol that protects against offline dictionary attacks.
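The objects in the abstract (a safe prime $p$, a generator $g$ of $\mathbb{Z}^*_p$, and a uniformly chosen $k$-bit exponent $s$) can be set up concretely. The following Python is an added illustration, not code from the paper: it checks that $p$ is a safe prime, tests whether $g$ generates $\mathbb{Z}^*_p$ using the fact that $p - 1 = 2q$ has only the prime factors 2 and $q$, samples a short-exponent value $g^s \bmod p$, and counts how much of $\mathbb{Z}^*_p$ the map $s \mapsto g^s$ reaches for $s \in [0, 2^k)$. The last function shows why the exponent length has to be superlogarithmic: with $k = O(\log n)$ bits only polynomially many of the $p - 1$ group elements are reachable, so the distribution could never be close to uniform. The toy prime $p = 23$ used in the comments is a constructed example, far too small for any real use; the function names are this example's own.

```python
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; trial division first for small factors."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness of compositeness
    return True


def is_safe_prime(p):
    """p is a safe prime if both p and q = (p-1)/2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_generator(g, p):
    """For a safe prime p, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p),
    because the order of g must divide p-1 = 2q and equal neither 1, 2 nor q."""
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def short_exponent_dh(g, p, k):
    """Sample a uniform k-bit exponent s and return (s, g^s mod p).
    secrets.randbits(k) is uniform on [0, 2^k), as the abstract's s is."""
    s = secrets.randbits(k)
    return s, pow(g, s, p)


def reachable_fraction(g, p, k):
    """Fraction of Z_p^* hit by g^s as s ranges over all k-bit exponents.
    While 2^k < p-1 every g^s is distinct (g has order p-1), so the fraction
    is exactly 2^k / (p-1): a logarithmic k leaves it polynomially small."""
    seen = {pow(g, s, p) for s in range(1 << k)}
    return len(seen) / (p - 1)


if __name__ == "__main__":
    p, g = 23, 5                                  # constructed toy parameters
    assert is_safe_prime(p) and is_generator(g, p)
    for k in (2, 3, 5):
        print(f"k={k} bits reaches {reachable_fraction(g, p, k):.3f} of Z_{p}^*")
    print("sample (s, g^s mod p):", short_exponent_dh(g, p, 4))
```

With $k = 3$ the map reaches 8 of the 22 elements of $\mathbb{Z}^*_{23}$; with $k = 5$ it covers the whole group, since $2^5 > 22$. For an $n$-bit safe prime the same ratio $2^k/(p-1)$ is what makes $k = \omega(\log n)$ the minimum for the indistinguishability claim to be possible at all.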
