Security of Almost ALL Discrete Log Bits
Author
Abstract
… $2^{-j}$-fraction of $\exp$. (The complexity decreases from counting Turing steps to counting generic steps. We get the intersection of two sets of group elements at zero generic cost, as equality tests are for free.)

Corollary 12. The minimal length $t$ of generic networks that invert a $2^{-j}$-fraction of $\exp$ is $\Omega(\sqrt{q\,2^{-j}})$.

Theorem 13. Every generic network $A$ of length $t$ with input $y = \exp(x) \in G$ distinguishes $L_j(x)$ and random $z \in_R [0, 2^j)$ at most with advantage
$$\varepsilon := \bigl|\Pr_y[A(L_j(x), \exp(x)) = 1] - \Pr_{y,z}[A(z, \exp(x)) = 1]\bigr| \le O\!\left(n\, j\, \sqrt{t}\, (2^j/q)^{1/4}\right).$$

Proof. The given generic network $A$ of length $t$ and advantage $\varepsilon$ yields, by Yao's argument [K97, Section 3.5, Lemma P1], for some $j' < j$ a generic prediction algorithm $O_{j'}$ of length $t$ which, for given $L_{j'}(x)$ and $\exp(x)$, predicts $\mathrm{ls}_{j'+1}(x)$ with advantage $\varepsilon' = \varepsilon/j$. By Proposition 2, $L_{j'}(x)$ is equivalent to the first $j'$ shift bits of $x$. Theorem 5 yields a generic algorithm for the inversion of the $2^{-j}$-fraction of $\exp$ corresponding to the known $L_j(x)$ which uses the oracle $O_{j'}$ as a subroutine with $t$ generic steps. Each iteration of the inversion algorithm of Theorem 5 performs an additional generic step to transform $\exp(x)$ into $\exp(x_{\mathrm{new}})$. Each oracle call $O_{j'}(L_{j'}(x + x_i), \exp(x + x_i))$ requires one further generic step to compute $E_N(x + x_i)$. So we get a generic inversion algorithm of length $O(n^2 \varepsilon^{-2} j^2 t)$. By Corollary 12 we must have $O(n^2 \varepsilon^{-2} j^2 t) = \Omega(\sqrt{q\,2^{-j}})$, hence $\varepsilon = O\!\left(n\, j\, \sqrt{t}\, (2^j/q)^{1/4}\right)$.

Conclusions. Given random $\exp(x)$, $L_j(x)$ is generically indistinguishable from random $z \in_R [0, 2^j)$ provided that $j < (1 - \varepsilon)\lg q$ for fixed $\varepsilon > 0$. This is because such $j$ satisfies $2^j/q < q^{-\varepsilon}$, and thus the advantage of Theorem 13 becomes negligible for $t \le \mathrm{poly}(n)$. Hence, all except an arbitrarily small $\varepsilon$-fraction of the bits of $x$ are simultaneously secure against generic attacks. Note that $\varepsilon$ can converge to 0 as $q$ …
Similar references
An Efficient Discrete Log Pseudo Random Generator
The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponent...
The Security of All Bits Using List Decoding
The relation between list decoding and hard-core predicates has provided a clean and easy methodology to prove the hardness of certain predicates. So far this methodology has only been used to prove that the O(log log N) least and most significant bits of any function with multiplicative access —which include the most common number theoretic trapdoor permutations— are secure. In this paper we s...
Security of Almost ALL Discrete Log Bits
Let G be a finite cyclic group with generator α and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given $\exp_\alpha(x)$, assuming that the exponentiation function $\exp_\alpha(x) = \alpha^x$ is one-way. We reduce the general problem to the case that G has odd order q. If G has odd order q the security of the least-significant bits of x ...
Efficient Primitives from Exponentiation in Z_p
Since Diffie-Hellman [14], many secure systems based on the discrete logarithm or Diffie-Hellman assumption in Z_p have been introduced in the literature. In this work, we investigate the possibility of constructing efficient primitives from exponentiation techniques over Z_p. Consequently, we propose a new pseudorandom generator whose security is proven under the decisional Diffie-Hellman assumption. ...
Journal title:
- Electronic Colloquium on Computational Complexity (ECCC)
Volume 5, Issue
Pages -
Publication date 1998