Abstract
Assuming the intractability of solving the discrete logarithm with short exponent problem, it was recently shown that the trailing \(n - \omega(\log n)\) bits of the discrete logarithm modulo an n-bit safe prime p are simultaneously hard. However, the question of hardness of the leading bits was left open. In this paper we show that the leading \(n - \omega(\log n)\) bits are also simultaneously hard, or equivalently that the distribution of \(g^s \bmod p\), where g is a generator of \(\mathbb{Z}^*_{p}\) and s is a uniformly chosen short exponent of \(\omega(\log n)\) bits, is indistinguishable from the uniform distribution on \(\mathbb{Z}^*_{p}\). We further show that this result implies the security of a short exponent version of PAK, a password-authenticated key exchange protocol that protects against offline dictionary attacks.
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Mackenzie, P., Patel, S. (2005). Hard Bits of the Discrete Log with Applications to Password Authentication. In: Menezes, A. (eds) Topics in Cryptology – CT-RSA 2005. CT-RSA 2005. Lecture Notes in Computer Science, vol 3376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30574-3_15
DOI: https://doi.org/10.1007/978-3-540-30574-3_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24399-1
Online ISBN: 978-3-540-30574-3