Under the auspices of the Computational Complexity Foundation (CCF)

REPORTS > DETAIL:

### Paper:

TR98-033 | 12th June 1998 00:00

#### Security of Allmost ALL Discrete Log Bits

TR98-033
Authors: C.P. Schnorr
Publication: 12th June 1998 16:24
Keywords:

Abstract:

Let G be a finite cyclic group with generator \alpha and with
an encoding so that multiplication is computable in polynomial time. We
study the security of bits of the discrete log x when given \exp_{\alpha}(x),
assuming that the exponentiation function \exp_{\alpha}(x) = \alpha^x is one-way.
We reduce he general problem to the case that G has odd order q. If G has odd
order q the security of the least-significant bits of x and of the most
significant bits of the rational number \frac{x}{q} \in [0,1) follows from
the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize
these bits and study the security of consecutive shift bits lsb(2^{-i}x mod q)
for i=k+1,...,k+j. When we restrict \exp_{\alpha} to arguments x
such that some sequence of j consecutive shift bits of x is
constant (i.e., not depending on x) we call it a 2^{-j}-fraction of
\exp_{\alpha}.

For groups of odd group order q we show that every two 2^{-j}-fractions of
\exp_{\alpha} are equally one-way by a polynomial time
transformation: Either they are all one-way or none of them. Our
key theorem shows that arbitrary j consecutive shift bits of
x are simultaneously secure when given \exp_{\alpha}(x) iff the
2^{-j}-fractions of \exp_{\alpha} are one-way. In particular
this applies to the j least-significant bits of x and to the j
most-significant bits of \frac{x}{q} \in [0,1). For one-way \exp_{\alpha}
the individual bits of x are secure when given \exp_{\alpha}(x) by the
method of Hastad, N\"aslund [HN98]. For groups of even order 2^{s}q we
show that the j least-significant bits of \lfloor x/2^s\rfloor, as well
as the j most-significant bits of \frac{x}{q} \in [0,1), are
simultaneously secure iff the 2^{-j}-fractions of \exp_{\alpha'}
are one-way for \alpha' := \alpha^{2^s}.

We use and extend the models of generic algorithms of Nechaev
(1994) and Shoup (1997). We determine the generic complexity of
inverting fractions of \exp_{\alpha} for the case that \alpha has
prime order q. As a consequence, arbitrary segments of
(1-\varepsilon)\lg q consecutive shift bits of random x
are for constant \varepsilon >0 simultaneously secure against generic
attacks. Every generic algorithm using $t$
generic steps (group operations) for distinguishing bit strings of j
consecutive shift bits of x from random bit strings has at most