Paper 1998/020

Almost All Discrete Log Bits Are Simultaneously Secure

Claus P. Schnorr

Abstract

Let G be a finite cyclic group with generator \alpha and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given exp<sub>\alpha</sub>(x), assuming that the exponentiation function exp<sub>\alpha</sub>(x) = \alpha<sup>x</sup> is one-way. We reduce the general problem to the case that G has odd order q. If G has odd order q the security of the least-significant bits of x and of the most significant bits of the rational number x/q \in [0,1) follows from the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize these bits and study the security of consecutive <i> shift bits</i> lsb(2<sup>-i</sup>x mod q) for i=k+1,...,k+j. When we restrict exp<sub>\alpha</sub> to arguments x such that some sequence of j consecutive shift bits of x is constant (i.e., not depending on x) we call it a 2<sup>-j</sup>-<i>fraction</i> of exp<sub>\alpha</sub>. For groups of odd group order q we show that every two 2<sup>-j</sup>-fractions of exp<sub>\alpha</sub> are equally one-way by a polynomial time transformation: Either they are all one-way or none of them. Our <i> key theorem</i> shows that arbitrary j consecutive shift bits of x are simultaneously secure when given exp<sub>\alpha</sub>(x) iff the 2<sup>-j</sup>-fractions of exp<sub>\alpha</sub> are one-way. In particular this applies to the j least-significant bits of x and to the j most-significant bits of x/q \in [0,1). For one-way exp<sub>\alpha</sub> the individual bits of x are secure when given exp<sub>\alpha</sub>(x) by the method of Hastad, Naslund [HN98]. For groups of even order 2<sup>s</sup>q we show that the j least-significant bits of \lfloor x/2<sup>s</sup>\rfloor, as well as the j most-significant bits of x/q \in [0,1), are simultaneously secure iff the 2<sup>-j</sup>-fractions of exp<sub>\alpha'</sub> are one-way for \alpha' := \alpha<sup>2<sup>s</sup> </sup>. We use and extend the models of generic algorithms of Nechaev (1994) and Shoup (1997). We determine the generic complexity of inverting fractions of exp<sub>\alpha</sub> for the case that \alpha has prime order q. As a consequence, arbitrary segments of (1-\varepsilon)\lg q consecutive shift bits of random x are for constant \varepsilon >0 simultaneously secure against generic attacks. Every generic algorithm using t generic steps (group operations) for distinguishing bit strings of j consecutive shift bits of x from random bit strings has at most advantage O((\lg q)j\sqrt{t} (2<sup>j</sup>/q)<sup>1/4</sup>).

Metadata
Available format(s)
PS
Publication info
Published elsewhere. Appeared in the THEORY OF CRYPTOGRAPHY LIBRARY and has been included in the ePrint Archive.
Keywords
Hard bitsecure bitdiscrete logarithmexponentiationfractions of exponentiationsimultaneous security of bitsone-way functiongeneric networkgeneric one-wayness.
Contact author(s)
schnorr @ cs uni-frankfurt de
History
1998-06-06: received
Short URL
https://ia.cr/1998/020
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:1998/020,
      author = {Claus P.  Schnorr},
      title = {Almost All Discrete Log Bits Are Simultaneously Secure},
      howpublished = {Cryptology {ePrint} Archive, Paper 1998/020},
      year = {1998},
      url = {https://eprint.iacr.org/1998/020}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.