Paper 2025/663

Intermundium-DL: Assessing the Resilience of Current Schemes to Discrete-Log-Computation Attacks on Public Parameters

Mihir Bellare, University of California San Diego
Doreen Riepel, CISPA Helmholtz Center for Information Security
Laura Shea, University of California San Diego
Abstract

We consider adversaries able to perform a nonzero but small number of discrete logarithm computations, as would be expected with near-term quantum computers. Schemes with public parameters consisting of a few group elements are now at risk: could an adversary knowing the discrete logarithms of these elements go on to easily compromise the security of many users? We study this question for known schemes and find, across them, a perhaps surprising variance in the answers. In a first class are schemes, including Okamoto and Katz-Wang signatures, that we show fully retain security even when the discrete logs of the group elements in their parameters are known to the adversary. In a second class are schemes like Cramer-Shoup encryption and the SPAKE2 password-authenticated key exchange protocol that we show retain some partial but still meaningful and valuable security. In the last class are schemes that we show, by explicit attack, to break completely. The distinctions uncovered by these results shed light on the security of classical schemes in a setting of immediate importance, and help inform choices moving forward.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in PKC 2025
Keywords
discrete log, backdoor, Okamoto, Katz-Wang, Cramer-Shoup, SPAKE2
Contact author(s)
mbellare @ ucsd edu
riepel @ cispa de
lmshea @ ucsd edu
History
2025-04-13: approved
2025-04-11: received
Short URL
https://ia.cr/2025/663
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/663,
      author = {Mihir Bellare and Doreen Riepel and Laura Shea},
      title = {Intermundium-{DL}: Assessing the Resilience of Current Schemes to Discrete-Log-Computation Attacks on Public Parameters},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/663},
      year = {2025},
      url = {https://eprint.iacr.org/2025/663}
}