Birthday attack to discrete logarithm

The discrete logarithm in a finite group of large order has been widely applied in public key cryptosystems. In this paper, we will present a probabilistic algorithm for the discrete logarithm.

Authors: An-Ping Li

Li An-Ping, Beijing 100080, P.R. China, apli0001@sina.com

Keywords: discrete logarithm, collisions, probability, birthday paradox, linear system.

1. Introduction

The generalized Discrete Logarithm Problem (GDLP) has been taken as an intractable problem widely applied in public key cryptosystems since it was first proposed by W. Diffie and M.E. Hellman in their key exchange system [1]. The problem is to find the solution of the exponential equation $a^x = b$ in a group $G$. Since then, several algorithms for the GDLP have been presented, of which the main three are the baby-step giant-step algorithm, Silver-Pohlig-Hellman's algorithm and the index calculus algorithm. Suppose that the order of $G$ is $|G| = N$; then the first algorithm requires about $O(\sqrt{N})$ group multiplications and $O(\sqrt{N}\cdot\log N)$ comparisons. The second one is similar to the method of solving a congruence in number theory: it resolves the equation into the subgroups of $G$ of prime power order, so it is more efficient if all the prime factors of the order of $G$ are small. In the case that the base group $G$ comes from the multiplicative group of a finite field, the index calculus is the most powerful one. For details about the GDLP, refer to [2] and A.M. Odlyzko's survey papers [3], [4].

In this paper, we present a probabilistic algorithm for the discrete logarithm, which is a development of the birthday attack.

As usual, for two integers $x$ and $r$, we write
$$[x]_r = x\cdot(x-1)\cdots(x-r+1) \quad\text{and}\quad [x]^r = x\cdot(x+1)\cdots(x+r-1).$$
Let $A$ be a set of $t$ elements in which repetitions of elements are allowed; suppose that there are just $t-d$ different elements in $A$, then we say that $A$ has $d$ collisions.

2. The description and analysis

Suppose that $G$ is the base group of the discrete logarithm, the order of $G$ is $|G| = N$, and $g \in G$ is a generator of $G$. Let $S = \{\, y_i = g^{x_i} \mid 1 \le i \le m \,\}$ be a set of $m$ public keys. Denote $n = \lceil N^{1/2} \rceil + 1$. For each $y_i \in S$, $1 \le i \le m$, arbitrarily take $n$ distinct integers $r_j^{(i)}$, $1 \le j \le n$, and make the set
$$S_i = \{\, y_i^{r_j^{(i)}} \mid 1 \le j \le n \,\}, \qquad 1 \le i \le m.$$
Moreover, arbitrarily take $n$ distinct integers $r_j^{(0)}$, $1 \le j \le n$, and make the set
$$S_0 = \{\, g^{r_j^{(0)}} \mid 1 \le j \le n \,\}.$$

Proposition 1. Let $\Omega = \bigcup_{0 \le i \le m} S_i$, suppose that $k$ is a non-negative integer, $k \le m$, and denote by $p_k(\Omega)$ (or simply $p_k$) the probability that there are at least $k$ collisions in the set $\Omega$. Then
$$p_k \ge 1 - e^{-(m+1)^2 + \varepsilon}\cdot\frac{(m+1)^{2k}}{k!}, \qquad (2.1)$$
where $\varepsilon \prec \dfrac{2(T-k)^3}{3N^2}$.

Proof. Let $T = |\Omega| = (m+1)n$. For each integer $i$, $0 \le i < m$, denote by $\lambda_i$ the number of all possible $T$-subsets of $N$ distinct elements with $i$ collisions; then it is easy to see that
$$\lambda_i = C_N^{T-i}\cdot C_{T-1}^{i} = C_N^{T-i}\cdot\frac{[T-1]_i}{i!}.$$
Hence,
$$\begin{aligned}
p_k &\ge 1 - \sum_{0\le i<k}\frac{\lambda_i}{[N]^T/T!}
= 1 - \sum_{0\le i<k}\frac{[N]_{T-i}\,[T]_i\,[T-1]_i}{i!\,[N]^T}\\
&\ge 1 - \sum_{0\le i<k}\frac{T^{2i}}{N^i\, i!}\cdot\frac{\prod_{0\le j<T-i}(1-j/N)}{\prod_{0\le j<T}(1+j/N)}\\
&\ge 1 - \sum_{0\le i<k}\exp\!\Big(-\frac{T^2}{N}+\varepsilon\Big)\frac{T^{2i}}{N^i\, i!}\\
&\ge 1 - \exp\!\Big(-\frac{T^2}{N}+\varepsilon\Big)\sum_{0\le i<k}\frac{(m+1)^{2i}}{i!}\\
&\ge 1 - e^{-(m+1)^2+\varepsilon}\cdot\frac{(m+1)^{2k}}{k!}.
\end{aligned}$$

From the proposition above, we know that the probability $p_m(\Omega)$ will be greater than 0.99 when $m \ge 2$.

Clearly, a collision in the set $\Omega$ is just a linear equation in the private keys $\{x_i\}_1^m$; in detail, if $i, j \ne 0$,
$$y_i^{r_s^{(i)}} = y_j^{r_t^{(j)}} \iff r_s^{(i)}\cdot x_i = r_t^{(j)}\cdot x_j \pmod N,$$
and
$$y_i^{r_s^{(i)}} = g^{r_t^{(0)}} \iff r_s^{(i)}\cdot x_i = r_t^{(0)} \pmod N.$$
So, in the case that these $m$ linear equations are linearly independent, all the private keys $\{x_i\}_1^m$ will be discovered by solving the obtained linear system. On the other hand, we know that the probability that $m$ randomly taken $m$-vectors are linearly independent is very high, about $1-(1/N)$.

It is clear that the main computations required in this new analysis are the comparisons to find $m$ collisions in the set $\Omega$ and the group multiplications in making the sets $S_i$. By the simple way of classifying the elements of $\Omega$ bit by bit, the comparisons required to order the elements of $\Omega$ are about $O(T\log T)$, which is about equal to the comparisons required in the baby-step giant-step algorithm. If the constants $r_j^{(i)}$ are properly selected, the number of group multiplications required in the new algorithm will also be about equal to that of the baby-step giant-step algorithm. However, in the case that $m$ is larger, we can reduce the size $n$ of the sets $S_i$ to
$$n = \left\lceil \left(\frac{2N}{m+1}\right)^{1/2} \right\rceil + 1,$$
and then we have the following estimation:
$$p_m(\Omega) \ge 1 - e^{-2(m+1)+\varepsilon}\cdot\frac{(2m+2)^m}{m!} \ge 1 - \frac{e^{-1+\varepsilon}}{\sqrt{2\pi m}}\left(\frac{2}{e}\right)^m. \qquad (2.2)$$
So, in this way, the group multiplications required in the presented algorithm will be fewer than those in the baby-step giant-step algorithm.

Finally, similar to Silver-Pohlig-Hellman's algorithm, we can resolve the original GDLP into the subgroups of the cyclic group generated by the element $g$, and then apply the analysis above to the subgroups.

References

[1] W. Diffie, M.E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22 (1976), 644–654.
[2] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[3] A.M. Odlyzko, "Discrete logarithms in finite fields and their cryptographic significance", Advances in Cryptology – Proceedings of EUROCRYPT 84 (LNCS 209), 224–314, 1985.
[4] A.M. Odlyzko, "Discrete logarithms: The past and the future", Designs, Codes and Cryptography, 19 (2000), 129–145.
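As an added worked example (not the paper's code), the following Python program carries the procedure of Section 2 through on a constructed toy group: the prime-order subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2N+1$ chosen here, so that the collision equations are solved over the field $\mathbb{Z}/N\mathbb{Z}$. It builds the sets $S_0, S_1, \dots, S_m$ with $n = \lceil N^{1/2}\rceil + 1$ exponents each, turns every cross-set collision into a row of the linear system, solves it by elimination modulo $N$, and also evaluates the right-hand side of (2.1). The parameters P, N, G, all function names, the retry loop, and the choice of taking $\varepsilon = 2(T-k)^3/(3N^2)$ literally when evaluating the bound are assumptions of this example, not something the paper specifies.

```python
"""Toy run of the collision (birthday) procedure of Section 2 on a small group.

Added example, not the paper's code.  The group is the order-N subgroup of
Z_p^* for a constructed safe prime p = 2N + 1; names are chosen here.
"""
import itertools
import math
import random

# Constructed toy parameters (not from the paper): p = 2N + 1 with N prime,
# and G = 2^2 mod p, which generates the subgroup of order N.
P = 1019
N = 509
G = 4


def is_prime(x):
    """Trial-division primality test; adequate for the toy sizes used here."""
    if x < 2:
        return False
    return all(x % d for d in range(2, math.isqrt(x) + 1))


def ceil_sqrt(x):
    """Return ceil(sqrt(x)) for a positive integer x."""
    return math.isqrt(x - 1) + 1


def build_omega(ys, n, rng):
    """Build Omega = S_0 u S_1 u ... u S_m as {group element: [(i, r), ...]}.

    Index 0 stands for the generator G (S_0 = {G^r}); index i >= 1 stands for
    y_i (S_i = {y_i^r}).  Each set uses n distinct exponents r in 1..N-1.
    """
    table = {}
    for i, base in enumerate([G] + list(ys)):
        for r in rng.sample(range(1, N), n):
            table.setdefault(pow(base, r, P), []).append((i, r))
    return table


def count_collisions(table):
    """Collisions in the paper's sense: |Omega| minus the number of distinct elements."""
    return sum(len(occ) - 1 for occ in table.values())


def collision_equations(table, m):
    """Turn each cross-set collision into a row [a_1..a_m, b] of
    sum_i a_i*x_i = b (mod N), the linear equations in the private keys."""
    rows = []
    for occ in table.values():
        for (i, r), (j, s) in itertools.combinations(occ, 2):
            if i == j:
                continue  # y^r = y^s with r != s (mod N) forces y = 1: no information
            row = [0] * (m + 1)
            if i == 0:          # G^r = y_j^s  <=>  s*x_j = r
                row[j - 1], row[m] = s, r
            elif j == 0:        # y_i^r = G^s  <=>  r*x_i = s
                row[i - 1], row[m] = r, s
            else:               # y_i^r = y_j^s  <=>  r*x_i - s*x_j = 0
                row[i - 1], row[j - 1] = r, (-s) % N
            rows.append(row)
    return rows


def solve_mod_prime(rows, m):
    """Gauss-Jordan elimination over Z/NZ (N prime).  Returns [x_1..x_m], or
    None when the rows do not determine every unknown (rank < m)."""
    a = [row[:] for row in rows]
    for col in range(m):
        piv = next((k for k in range(col, len(a)) if a[k][col] % N), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, N)
        a[col] = [(v * inv) % N for v in a[col]]
        for k in range(len(a)):
            if k != col and a[k][col]:
                f = a[k][col]
                a[k] = [(u - f * v) % N for u, v in zip(a[k], a[col])]
    return [a[k][m] for k in range(m)]


def recover_keys(ys, rng, max_tries=200):
    """Run the Section 2 procedure with n = ceil(sqrt(N)) + 1.  Fresh exponents
    are drawn whenever the collisions found do not give a solvable system (the
    paper only bounds the probability of that event; the retry is ours)."""
    m = len(ys)
    n = ceil_sqrt(N) + 1
    for _ in range(max_tries):
        rows = collision_equations(build_omega(ys, n, rng), m)
        sol = solve_mod_prime(rows, m) if len(rows) >= m else None
        if sol is not None and all(pow(G, x, P) == y for x, y in zip(sol, ys)):
            return sol
    return None


def bound_2_1(m, k, n, order):
    """Right-hand side of (2.1) with epsilon taken as 2(T-k)^3/(3 N^2), T=(m+1)n."""
    t = (m + 1) * n
    eps = 2 * (t - k) ** 3 / (3 * order ** 2)
    return 1 - math.exp(-(m + 1) ** 2 + eps) * (m + 1) ** (2 * k) / math.factorial(k)


def demo(seed=7, m=3):
    """Draw m private keys from a seeded RNG, run the attack, return (true, recovered)."""
    rng = random.Random(seed)
    keys = [rng.randrange(1, N) for _ in range(m)]
    ys = [pow(G, x, P) for x in keys]
    return keys, recover_keys(ys, rng)


if __name__ == "__main__":
    assert is_prime(P) and is_prime(N) and P == 2 * N + 1 and pow(G, N, P) == 1
    print("true / recovered keys:", demo())
    print("bound (2.1), m=k=2, toy N:", round(bound_2_1(2, 2, ceil_sqrt(N) + 1, N), 4))
    print("bound (2.1), m=k=2, N=2^64:", round(bound_2_1(2, 2, 2**32 + 1, 2**64), 4))
```

Two points worth noticing when running it: at a toy order like N = 509 the expected number of cross-set collisions is only a few, and two collisions that both involve the same pair of sets give proportional rows, so rank deficiency does occur and the retry loop is needed; and the correction term $\varepsilon$ is not negligible at that size (it lowers the (2.1) bound to just under 0.99 for m = k = 2), whereas at a cryptographic order such as $N = 2^{64}$ it vanishes and the bound reproduces the paper's "greater than 0.99" figure.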
