CS 6260
Number-theoretic primitives
•
As no encryption scheme besides the
OneTimePad is unconditionally secure, we need
to find some building blocks - hard problems
(assumptions) to base security of our new
encryption schemes on.
•
Block ciphers and their PRF security is not an
option since now we don’t have shared keys in
the public-key (asymmetric-key) setting.
•
Let’s consider the discrete log related problems
and the RSA problem.
Bellare and Rogaway
Bellare and Rogaway
3
3
10.1.2
logarithmproblem
problem
10.1.2 The
Thediscrete
discrete logarithm
The
description
logarithmproblem
problem
given
above
the adversary
is as
given as
The
descriptionof
of the
the discrete
discrete logarithm
given
above
was was
thatthat
the adversary
is given
input
X, and
andisisconsidered
considered
successful
it can
output
(X).would
We would
inputsome
somegroup
groupelement
element X,
successful
if itifcan
output
DLogDLog
G,g We
G,g (X).
like
totoassociate
adversaryAAsome
some
advantage
function
measuring
howitwell
like
associateto
to aa specific
specific adversary
advantage
function
measuring
how well
doesitindoes in
solvingthis
thisproblem.
problem. The
The measure
look
at the
fraction
of group
elements
for which
solving
measureadopted
adoptedis istoto
look
at the
fraction
of group
elements
for which
adversaryisis able
able to
to compute
compute the
In other
words,
we imagine
the group
thetheadversary
thediscrete
discretelogarithm.
logarithm.
In other
words,
we imagine
the group
elementXXgiven
givento
to the
the adversary
adversary as
at at
random.
element
asbeing
beingdrawn
drawn
random.
• Def. Let G be a cyclic group and let m = |G|. Let g be a
Let G be a cyclic group and let m = |G|. The discrete
Definition 10.1 Let G be agenerator.
of order m,the
let following
g be a generator
of G, andassociated
A be an with
Consider
experiment
logarithm function DLogG,g(a): G ! Zm takes a G and returns
Definition
10.1 Let G be a cyclic
cyclicgroup
group
of order m,
let
g be a generator
of G,let
and
let A be an
algorithm that returns an integer
in Zm . We consider
the following experiment:
an
adversary
A.
algorithm that returns an integer in Zm . We consider the following experiment:
i
Discrete-log related problems
•
i
•
Zm such that g = a.
DL problem
•
There are several computational problems related to this
function:
•
Experiment Expdl
G,gdl(A)
Experiment
Exp
$
x (A)
x←
Z
;
X
←
gG,g
$ m
x
←
Z
;
X
←
gx
m
x ← A(X)
x =
A(X)
Ifx g←
X then return 1 else return 0
•
dl-advantage of A is defined
as
• Discrete-logarithm (DL) problem
NUMBER-THEORETICThe
PRIMITIVES
!
"
The
dl-advantage
of
A
is
defined
as
Thedldl-advantage
of dlA is defined as
• Computational Diffie-Hellman (CDH) problem
• Adv
G,g (A) = Pr Exp
! G,g (A) = 1 . "
• Decisional Diffie-Hellman (DDH) problem
Advdl (A) = Pr Expdl (A) = 1 .
If g x = X then return 1 else return 0
2
G,g
G,g
•
Recall that the discrete exponentiation
function takes input
i ∈ Zm and returns the group element
g i . The discrete logarithm function is the inverse of the discrete exponentiation function. The
Recall that the discrete exponentiation
function takes input i ∈ Zm and returns the group element
•
definition above simply measures the one-wayness of the discrete exponentiation
function according
g i .to The
discrete
logarithm
function
is
the inverse
of emphasize
the discrete
exponentiation
function. The
the standard definition•ofThe
one-way
function.
It is to problem
this
thattocertain
partsinofGthe
discrete
logarithm
is
said
be hard
if the
definition
above
simply
measures
the
one-wayness
of
the
discrete
exponentiation
function
according
experiment are written the way
they are.
dl-advantage
of any adversary with reasonable resources is
to theThe
standard
one-way function. It is to emphasize this that certain parts of the
(mod |G|)?
discretedefinition
logarithm of
problem
small. is said to hard in G if the dl-advantage of any adversary of
experiment
written
way
they are.here means the time-complexity of the adversary, which
reasonable are
resources
is the
small.
Resources
The discrete
problem is said to hard in G if the dl-advantage of any adversary of
includes
its codelogarithm
size as usual.
Problem
Given
Figure out
Discrete logarithm (DL)
gx
x
Computational Diffie-Hellman (CDH)
g x , gy
g xy
Decisional Diffie-Hellman (DDH)
g x , gy , gz
Is z ≡ xy
Figure 10.1: An informal description of three discrete logarithm related problems
over a cyclic
reasonable
resources is small. Resources here means the time-complexity of the adversary, which
group G with generator g. For each problem we indicate the input to the attacker,includes
and
what
the
10.1.3
Diffie-Hellman problem
its The
code Computational
size as usual.
attacker must figure out to “win.” The formal definitions are in the text.
As above, the transition from the informal description to the formal definition involves considering
10.1.3
Computational
Diffie-Hellman
problem
the groupThe
elements
X, Y to be drawn
at random.
compute
two
lists:
X, Y are
random
groupworlds”
elements,
but The
the adversary
manner ingets
which
Z X,
is Y,
chosen
The world,
formalization
considers
a “two
setting.
input
Z. In depends
either on the
world.
World
1, Zgroup
= g xyelements,
where
x but
= for
DLog
and
(Y ). depends
In World
Z is chosen
world,
X, Y Inare
random
the manner
in. which
Z is G,g
chosen
on0,the
Xg −b
bG,g=(X)
0, 1,
. .y,=n DLog
at random
group,
of X,
Y .y The
adversary
decide
world.
In Worldfrom
1, Z the
= g xy
whereindependently
x = nDLog
(X)
and
= DLog
(Y ). must
In World
0, Ziniswhich
chosenworld it is.
G,g
G,g
a
The Computational
Diffie-Hellman
problem to the formal definition involves considering
(g ) offrom
forYthe
ainformal
=adversary
0, 1, .description
. . ,must
n decide
above,
the transition from
the informal description
(Noticefrom
thatthe
this
is a independently
little different
of Fig.
10.1 world
whichitsaid
at random
group,
X,
. The
in which
is. that the
xy , because
(Notice
that
this
is
a
little
different
from
the
informal
description
of
10.1
which
said
that
group
elements
X,
Y
to
be
drawn
at
random.
adversary
is
trying
to
determine
whether
or
not
Z
=
g
if bycorresponding
chance
Z=
g xythe
in
Worldof
0, a, b
in both lists.Fig.The
values
the transition from the informal description to the formal definition involves consideringand then find a group element that is contained xy
adversary
is declare
trying
tothe
determine
whether
or not Zif=itg answers
, because
if by chance Z = g xy in World 0,
−b
n
a
we
will
adversary
unsuccessful
1.)
satisfy Xg = (g ) , and thus DLogG,g (X) = an
+ b. The details follow.
CDH
DDH
elements X, Y to be drawn at random.
finition 10.2 Let G be a cyclic group of order m, let g be a generator of G, and let A we
be will
an declare the adversary unsuccessful if it answers 1.)
Def. Let
Let G
G be
be aa cyclic
cyclicgroup
group
order
m. g Let
be a generator.
• 10.3
G be of
a cyclic
group
order
m. Let g experiment:
be a generator.
Definition
of of
order
m, let
be ag generator
of G, let A be an
• aDef.
orithm
returns
anLet
element
G. We
consider
the
following
n 10.2 that
Let G
be
cyclic
group
of
order
m,
let gofbe
a generator
of G,
and let A be anAlgorithm
Absgs (X)
Definition
10.3
Letreturns
G be aathe
cyclic
group
order
letconsider
g be
a generator
of G,experiments:
let A be an
Consider
following
associated
with
an
Consider the following experiment associated with an
algorithm
that
bit,
and
let bofbeexperiments
a bit.m,We
the following
√
that returns an element of G. We consider the
following experiment:
returns
n ←algorithm
! m# ;that
N←
g n a bit, and
adversary
A.let b be a bit. We consider the following experiments:
adversary
A.
Experiment
Expcdh
ddh-0
ddh-1
G,g (A)
−b ] ←ddh
Experiment
Experiment
cdh
G,g (A)
G,g (A)
ddh-Exp
0
For
b
=
0,
.
.
.
,
n
do
B[Xg
bExp
-1 (A)
$
$
ExperimentxExp
(A)
Experiment
Exp
(A)
Experiment
Exp
$
G,g
$
G,g
G,g
←
Z
;
y
←
Z
m
m
•
x
←
Z
x
←
Z
•
$
$
$
For a = 0, . . . , n do x ←$ Zm $ m
x←
Zm $ m
x←
Zm X
; y←
←
gZxm; Y ← g y
y ← Zm
y ← Zm
$
a
$
x
y
Y
←
N
y
←
Z
y
←
Z
m
m
•
$
X←g Z
; Y←←A(X,
g Y)
•
z
←
xy
mod
m
$
z←
Zm
xy mod
m
If B[Y ] is definedz ←
then
x
] g;y x; 1Z←
agzz ← Zm
0 g←
x ; B[Y
Z ← A(X, Y )
xy
X
←
Y
←
←
x ; Y ← gy ; Z ← gz
←
g xg;y ;YZ←←ggyz; Z ← g z
xX
If
Z
=
g
then
return
1
else
return
0
X
←
g
X
←
g
;
Y
←
•
Return ax1 + x•0
If Z = g xy then return 1 else return 0
d
←
A(X,
Y,
Z)
d
←
A(X,
d ← A(X, Y, Z)
d ← A(X, Y, Z) Y, Z)
Return
d
d
e cdh-advantage •ofThe
A iscdh-advantage
defined as
Return
d
Return Return
d
•
of A is defined as
dvantage of A is defined as
This algorithm is interesting because it shows that there is a better way to compute the discrete
!
"
!
"
ddh-advantage
ofdefined
A is defined
asof A is defined as
The The
ddh-advantage
of Acdh-advantage
is
as
The
• to
• Advcdh (A)
logarithm
of
X than
do an
exhaustive
search
for it. However, it does not yield a practical discrete
Advcdh
= cdh
Pr Expcdh
G,g
G,g (A) = 1 .
= (A)
Pr Exp
!
!
"
!
"
!"
"
G,g
G,g (A) = 1 .
1/2
ddh
ddh
-1 work
ddh
ddhone
-1 (A)
ddh-0
logarithm computation
method,
because
can
in− groups
large
Adv
(A)
=
Pr
Exp
=
−=
Pr1 Exp
(A)ddh
= 1-0 (A)
. enough
Adv
(A)
=
Pr
Exp
Pr
= 1 . that an O(|G| )
G,g
G,g Exp
G,g 1(A)
G,g
• G,g G,g
The computational Diffie-Hellman (CDH) problem is said to be
•
ain,
the
CDH
problem
is
said
to
be
hard
in
G
if
the
cdh-advantage
of
any
adversary
of
reasonable
algorithm is not really feasible. There are however better algorithms in some specific groups.
e CDH problem is said
toin
beGhard
in G
if the cdh-advantage
any adversary
hard
if the
cdh-advantage
of anyofadversary
withof reasonable
Again,
the DDH
problem
is saidistosaid
beDiffie-Hellman
hard
G if the
of any adversary
of
Theproblem
decisional
problem
is
toreasonable
be hard
ources
is where
small, the
where
the resource
in question
is the adversary’s
time complexity.
Again,
the•DDH
to beinhard
in Gddh-advantage
if(DDH)
the ddh-advantage
of said
any adversary
of reasonable
is small,
resource
in question
is is
thesmall.
adversary’s
time complexity.
reasonable
resources
ts code size as usual.
1.3
The Computational Diffie-Hellman problem
resources
is small,
the
in question
is of
theany
adversary’s
time complexity.
inwhere
G ifwhere
theresource
ddh-advantage
adversary
with
resources
is small,
the
resource
in question
is the
adversary’s
timereasonable
complexity.
10.2.2
Relations between problems
•
Fix a group and a generator
Can solve
DL
Can solve
CDH
Can solve
DDH
Integers modulo a prime
resources is small.
10.1.5
between
the
Naturally,
the Relations
firstRelations
specific
group
to problems
consider
is the integers modulo a prime, which we know is
10.1.5
between
the problems
∗
cyclic. Relative
So let to
G a=fixed
Zp for
some
prime
p and
letG,g ifbeyoua can
generator
g.problem
We consider
group
G and
generator
g for
solve theofDL
then youthe different
Relative to a fixed group G and generator g for G, if you can solve the DL problem then you
can in
solve
the CDH problem, and if you can solve the CDH problem then you can solve the DDH
problems
turn.
can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH
So noting
if DL is easy
then
is easy, and
if CDH is easy then
DDH is easy.
We problem.
begin
by
that
theCDH
Decisional
Diffie-Hellman
problem
easyEquivalently,
thisEquivalently,
group. Some
problem.
So if DL
is easy
then
CDH is easy,
and if CDH is
easy thenisDDH
isin
easy.
if DDH is hard then CDH is hard, and if CDH is hard then DL is hard.
ifofDDH
is
hard
then
CDH
is
hard,
and
if
CDH
is
hard
then
DL
is
hard.
indicationWe
this
already
appeared
in
the
chapter
on
Computational
Number
Theory.
note that the converses of these statements are not known to be true. There are groupsIn particular
We note
that
theCDH
converses
of appear
thesewith
statements
known
to
be true.
areprobability
groups
we sawwhere
thereDDH
that
DH
key
g xy and
is aDL
square
3/4
a non-square
with
isthe
easy,
while
to beprobability
hard. are
(Wenot
will
seeand
examples
of suchThere
groups
where
DDH
is
easy,
while
CDH
DL.where
appear
to be
hard.
(We
will
see
examples group
of such element
groups is
later.)
Correspondingly,
there could
beand
groups
CDH
iswe
easy
but
DL
is hard.
1/4 if x,
y are
chosen at random
from
Zp−1
However,
know
that
a random
later.)
Correspondingly,
there could
be groups
where and
CDH
is easy
but DL is to
hard.
The
following
Proposition
provides
the
formal
statement
proof
corresponding
the
above
is antoalgorithm
solves
theinDL
a square with probability
1/2. groups
Thus, athere
strategy
tell whichthat
world
we are
when given a triple
• For most
Theif following
Proposition
provides
the you
formal
and proof
corresponding
to the above
claim that
you can solve
the DL problem
then
canstatement
solve the CDH
problem,
and if you can
1/2
X, Y, Zsolve
is to
test
whether
or
not
Z
is
a
square
mod
p.
If
so,
bet
on
World
1,
else
problem
in
O(|G|
)
claim
that problem
if you can
solve
then
you can solve the CDH problem, on
andWorld
if you 0.
can(We
the CDH
then
you the
can DL
solveproblem
the DDH
problem.
also know solve
thatthe
theCDH
Jacobi
symbol
can
be
computed
via
an
exponentiation
mod
p,
so
testing
for
problem then you can
! solve the DDH problem.
Let’s
consider
G=Zp and
for let
a prime
p.
• efficiently,
10.4
Let G be aspecifically
cyclic group
g be
a generator
of G. Let Adl shows
be an adversary
squaresProposition
can be done
in
cubic
time.)
A computation
that this adversary
(against
the
DLenough
problem).
Then
exists
an
adversary
problem)
Proposition
10.4 to
Let
G bethere
a cyclic
and
let gAbe
generator
ofCDH
G.
Let
Adl besuch
an
adversary
cdha
has advantage
1/4,
show
that
thegroup
DDH
problem
is(against
easy. the
The
Proposition
below
presents
! , and
Claim.
[DDH
is there
easy].
Letan
p adversary
! 3 be aAprime,
let the
G=Z
that(against the DL
•
problem).
Then
exists
(against
CDH
problem)
such
cdh
p
a slightly better attack that achieves dladvantage 1/2,
and provides the details of the analysis.
cdh
that
DDH is
hard
•
CDH is
hard
DL is
hard
The computational complexity of the problems
depend on the choice of a group.
).
G,g (Adl ) ≤
G,g (Acdh
let g be aAdv
generator
of Adv
G. Then
there
is an adversary A,(10.2)
cdhtime to do one exponentiation in
∗
Furthermore
theLet
running
of a
Acdh
is
thedllet
that
A≤
Adv
(AGof
)=
Advthe
. a generator of G. Then
(10.2)
dl3
G,g (A
Proposition
10.5
p ≥time
3 be
prime,
Zplus
letcdhg) be
there
with
running
time G,g
O(|p|
)dlsuch
that
p , and
G. Similarly
let
A
be
an
adversary
(against
the
CDH
problem).
Then
there
exists
an
adversary
cdh
3
Furthermore the running time of A
is the that of A plus the time to do one exponentiation in
cdh ) such that dl
is an adversary A, with running time O(|p|
G. Similarly let Acdh be an adversary (against the CDH problem). Then there exists an adversary
1
Advddh
.
G,g (A) =
2
Let x = DLogG,g (X) and y = DLogG,g (Y ). We know that the value s computed by our adversary
xysmod
Since
is distributed
the
probability
Since s is distributed
ofindependently
probability
that
Jalways
=that
s 1.isInJ1/2.
A equals
J (gindependently
p). But in World
1,Z,
Z =the
g xy mod
p, soof
ourZ,
adversary
will
of to
Proposition
10.5:
TheX,input
our adversary
p (Z) = s is
p (Z) return
Proposition 10.5: Proof
The input
our adversary A
is a triple
Y, Z oftogroup
elements, A is a triple X, Y, Zp of group elements,
xy
World
0,
Z
is
distributed
uniformly
over
G,
so
xy or as a random
and the whether
adversary
is trying
togdetermine
whether
Zelement,
was chosen as g or as a random group element,
dversary is trying to determine
Z was
chosen as
group
xthe CDH and DL problems.
x
(p − 1)/2 that
1 It appears
Now
we
consider
that the best ap
y are the discrete logarithms
and the
Y , respectively.
We know that
if we
know
Jrespectively.
where of
x, X
y are
discrete logarithms
of X
and
Y , Now
We know that
we know
the ifCDH
DL
problems.
It =appears
p (g ) we consider
p (g
Prand
[JpJ
(Z)
= )1] =
Pr [Jp (Z) = −1]
=
. the best approach to s
xy
x
y
∗
p
−
1
2 discrete logarithms. (This h
y
xy
x
y
), we can predict Jp (gand
). J
Our
adversary’s strategy is to compute J (g ) and Jp (g )strategy
and
∗
is
to
compute
J
(g
)
and
J
(g
)
and
CDH
in
problem
in
Z
is
via
the
computation
of
p (g ), we can predict Jp (g ). Ourp adversary’s
p
p
p
in problem
inis Z
is viaindependently
the computation
of discrete logarithms. (This has not been
whether or not the challenge
value
Z has the
Jacobi
symbol
value that
g xyZought
toCDH
have.
Since sthat
distributed
of Z, the probability that Jp (Z) = s is 1/2.
then see
whether
or
not
the
challenge
value
has
the
Jacobi symbol value
gpxy ought
to
have.algorithm
!of primes.) Thus, the
Proof.
The
idea
is
to
compute
and
analyze
the
Legendre
general,
but
there
are
proofs
for
some
special
classes
•
The
best
to
solve
the CDH
problem
in ZThus,
detail, it works as follows:
•
p is (seems
general, but there
are proofs
for some special classes
of primes.)
the main quest
In more detail,
works as follows:
Now we consider the CDH and DL problems. It appears that the best approach to solving the
symbols
of the it
inputs.
hard is the
computation
logarithms.
This
depends
both
on the si
be) by solvingof
thediscrete
DL problem.
CDH in problem in
is via the computation
of discrete
logarithms.
(This has
not been
in
hard is the computation
ofZ∗pto
discrete
logarithms.
This
depends
both
on proved
the size
and
stru
The
currently
best
algorithm
is
the
GNFS
(General
Number
Field
Sieve
general, but there areThe
proofs
for
some
special
classes
of
primes.)
Thus,
the
main
question
is
how
best algorithm
to solve the DL Field
problem
is the which has
• of (seemingly)
The currently
best
algorithm
is the
GNFS
Sieve)
hard istime
the computation
discrete
logarithms.
This(General
depends bothNumber
on the size and structure
of p.
of theGNFS
form
(General
Number
Field
Sieve) that
runs
Field Sieve) which
has a running
time of the formThe currently best algorithm is the GNFS (General Number
1/3
2/3
(C+o(1))·ln(p) ·(ln ln(p))
y A(X, Y, Z)
X) = 1 or Jp (Y ) =•1 Adversary A(X, Y, Z)
hen s ← 1 Else s ← −1 If Jp (X) = 1 or Jp (Y ) = 1
•
Z) = s then return 1 else return
0 s ← 1 Else s ← −1
Then
•
O(e
)
•
(C+o(1))·ln(p)1/3 ·(ln ln(p))2/3
(C+o(1))·ln(p) ·(ln ln(p))
O(e
)
)
where C •≈ 1.92. ForO(ecertain classes of primes,
the value of C(10.4)
is even smaller.
where
C
≈
1.92.
For
certain
classes
of
primes,
the
value
of
C
is
even
smaller.
These algorithms are
We know that the Jacobi symbol can be computed via
an exponentiation
modulo
p,
which
we
know
where
C
≈
1.92.
For
certain
classes
of
primes,
the
value
of
C
is
even
smaller.
These
algo
heuristic,
the
the
time but
bounds
not
proven, but
appear
heuristic,
in 3the sensein
that
thesense
run timethat
bounds
arerun
not proven,
appear are
to hold
in practice.
! O(|p|3 ) time. "Thus, the time-complexity of the above adversary
takes
is
O(|p|
).
We
now
claim
where
C "1.92.
ddh-1
Pr ExpG,g (A) = 1 = 1
the prime
factorization
of
the
order bounds
of the group
is known,
logarithm
heuristic, in theIfsense
the run
time
are
not the
proven,
but appear
to the
holddiscre
in p
Ifthat
the
prime
factorization
of the
order
ofdiscrete
the group
is problem
known,
that
over the group can be
decomposed
into a set of discrete
logarithm
problems
over
subgroups. As a
!
"
!
"
If
the
prime
factorization
of
order
of
the
group
is
known:
1
over
be
decomposed
into
a is
set
of discrete
problems
If the prime
factorization
theprime
order
of theof pgroup
thelogarithm
discrete
logarithm
-0
-1
result,
if p − 1 the
= pα1 group
· · · pαnofiscan
the
factorization
− 1, then
theknown,
discrete
logarithm
problem
Pr Expddh
=
.
G,g (A) = 1
Pr Expddh
= 1
α1
G,g (A) = 1
2
α
∗
n
in Z
be solved
on p
the
order
result,
if pin−time
1=
· · · pofan set
the
prime
factorization
of
p−
then
thesubgro
discr
over
the group
can
be
decomposed
ofthe
discrete
logarithm
problems
over
p can
,is
the
DL problem
can be solved
in 1,
time
1 into
!
"
n
1
α1 Z∗ can
α
#
ddh-0
n
!
"
!
"
in
be
solved
in
time
on
the
order
of
√
1 (A)
1
Pr ExpG,g
=result,
1 = if p
. − 1 = p · ·p· p in is
prime
factorization of p − 1, then the discrete logarith
ddh-1
ddh-0
thethe
order
of
If J (Z) = s then return 1 else return 0
time of the form
that the Jacobi symbol can bepcomputed via an exponentiation modulo p, which we know
3
p|3 ) time. Thus, the
Wetime-complexity
claim that of the above adversary is O(|p| ). We now claim
ng, we get
1/3
1
Advddh
ExpG,g (A) and
= 1 noting
− Pr Exp
(A) = 1 = the
1 − Legendre
=
that
symbol 2
G,g (A) = Prsubtracting
G,g computing
2
2
in we
Z∗p get
can
takes
cubic
time
in
|p|
(computed
via
exponentiation)
we get
d. Let us now see whySubtracting,
the two equations
above are true.
1
2/3
n
n
αi · ( pi + |p|) .
i=1
n
be solved in time Thus
on the
order
of
#
if we want the DL problem to be hard,√then at least one
•
αi · ( pi + |p|) .
the statement.
!
"
!
"
1
1 prime factor needs
n to be large. E.g. p=2q+1, where q is a
ddh that the value s computed
ddh-1
ddh-0
DLogG,g (X) and y = DLogG,g (Y ). Adv
We know
by
our
adversary
#
(A)
=
Pr
Exp
(A)
=
1
−
Pr
Exp
(A)
=
1
=
1
−
=
√
i=1
G,g
Jp (g xy mod p). But in World 1, Z = g xyG,g
mod p, so our adversary
will always return 1. In G,g
2
2 large prime.
αi · ( pi + |p|) .
Z is distributed uniformly
over
G,
so
as desired. Let us now see why the two equations above are true.
i=1
(p − 1)/2
1
Pr [Jp (Z) =
1] x==Pr
[Jp (Z)
−1] and
= y = DLog
=G,g (Y
. ). We know that the value s computed by our adversary
Let
DLog
G,g=(X)
p−1
2
A equals Jp (g xy mod p). But in World 1, Z = g xy mod p, so our adversary will always return 1. In
distributed independently of Z, the
probability that Jp (Z) = s is 1/2.
World 0, Z is distributed uniformly over G, so
consider the CDH and DL problems. It appears that the best approach to solving the
(p − 1)/2
problem in Z∗p is via the computation of discretePr
logarithms.
[Jp (Z) = (This
1] =hasPrnot
[Jpbeen
(Z) proved
= −1]in =
=
p−1
but there are proofs• for
special
classes
of primes.)
Thus,tothe
question is how
Wesome
often
want
the DDH
problem
bemain
hard.
he computation of discrete
This depends
both on theof
size
of p. that Jp (Z) = s
Sincelogarithms.
s is distributed
independently
Z,and
thestructure
probability
DDH
problem
is believed
to be
hard
in several
groups,
• Theis the
urrently best algorithm
GNFS
(General
Number Field
Sieve)
which
has a running
e.g.
he form
Now we consider the CDH and DL problems. It appears that the best
1/3
1
.
2
is 1/2.
approach to solving the
2/3
(C+o(1))·ln(p) ·(ln ln(p))
O(ein
) the computation of discrete
(10.4)
CDH
in Z∗p is via
logarithms. (This has not been proved in
!problem
! where
QR(Zp
) -the subgroup
of quadratic residues of Zp
•
general,
but there
areofproofs
forsmaller.
some special
classes of
≈ 1.92. For certain classes
of primes,
the value
C is even
These algorithms
areprimes.) Thus, the main question is how
p=2q+1,
p,q,
It’sappear
a cyclic
group
of prime
order.
in the sense that the hard
run
time
bounds
areare
not primes.
proven,
but
to hold
in practice.
is the
computation
of discrete
logarithms.
This
depends
both on the size and structure of p.
prime factorization of theThe
order
of
the
group
is
known,
the
discrete
logarithm
problem
currently best algorithm is the GNFS (General Number Field Sieve) which has a running
group can be decomposed into a set of discrete logarithm problems over subgroups. As a
time of the form
p − 1 = pα1 1 · · · pαnn is the prime factorization of p − 1, then the discrete logarithm 1/3
problem 2/3
O(e(C+o(1))·ln(p) ·(ln ln(p)) )
(10.4)
be solved in time on the order of
n
where C#
≈ 1.92.
√ For certain classes of primes, the value of C is even smaller. These algorithms are
αi · ( pi + |p|) .
heuristic,
in
the
sense that the run time bounds are not proven, but appear to hold in practice.
i=1
If the prime factorization of the order of the group is known, the discrete logarithm problem
over the group can be decomposed into a set of discrete logarithm problems over subgroups. As a
result, if p − 1 = pα1 1 · · · pαnn is the prime factorization of p − 1, then the discrete logarithm problem
in Z∗p can be solved in time on the order of
n
#
i=1
√
αi · ( pi + |p|) .