Computing Low-Weight Discrete Logarithms

  • Bailey Kacsmar
  • Sarah Plosker
  • Ryan Henry
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10719)

Abstract

We propose some new baby-step giant-step algorithms for computing “low-weight” discrete logarithms; that is, for computing discrete logarithms in which the radix-b representation of the exponent is known to have only a small number of nonzero digits. Prior to this work, such algorithms had been proposed for the case where the exponent is known to have low Hamming weight (i.e., the radix-2 case). Our new algorithms (i) improve the best-known deterministic complexity for the radix-2 case, and then (ii) generalize from radix-2 to arbitrary radixes \(b>1\). We also discuss how our new algorithms can be used to attack several recent Verifier-based Password Authenticated Key Exchange (VPAKE) protocols from the cryptographic literature with the conclusion that the new algorithms render those constructions completely insecure in practice.
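
To make the problem in the abstract concrete, here is an added example (not the paper's algorithm, which this page does not reproduce) of the textbook meet-in-the-middle baby-step giant-step solver for exponents with t nonzero radix-b digits: the n digit positions are split into two halves, baby steps tabulate weight-t/2 exponents on one half and giant steps test weight-t/2 exponents on the other, and every balanced split is tried. The modulus p = 65537 with generator g = 3 and the exponents are constructed demo values.

```python
from itertools import combinations, product

def weight_patterns(positions, w, b):
    """Yield (positions, digits) for every exponent with exactly w
    nonzero radix-b digits, all of them at the given positions."""
    for pos in combinations(positions, w):
        for digits in product(range(1, b), repeat=w):
            yield pos, digits

def from_digits(pos, digits, b):
    """Assemble the integer whose radix-b digit at pos[i] is digits[i]."""
    return sum(d * b ** i for i, d in zip(pos, digits))

def low_weight_dlog(g, h, p, n, t, b=2):
    """Return x < b**n with g**x == h (mod p), assuming x has exactly t
    nonzero radix-b digits (t even). For each split of the n positions
    into halves, baby steps store g**x1 for every weight-t/2 x1 on the
    left half, giant steps test h * g**(-x2) for every weight-t/2 x2 on
    the right half; the split that separates the nonzero digits t/2:t/2
    is reached eventually. Returns None if no such exponent exists."""
    assert t % 2 == 0, "this simple variant splits the weight evenly"
    g_inv = pow(g, -1, p)
    for left in combinations(range(n), n // 2):
        right = [i for i in range(n) if i not in left]
        table = {}  # baby steps: g**x1 -> x1
        for pos, digits in weight_patterns(left, t // 2, b):
            x1 = from_digits(pos, digits, b)
            table[pow(g, x1, p)] = x1
        for pos, digits in weight_patterns(right, t // 2, b):  # giant steps
            x2 = from_digits(pos, digits, b)
            x1 = table.get(h * pow(g_inv, x2, p) % p)
            if x1 is not None:
                return x1 + x2  # disjoint positions, so x1 + x2 < b**n
    return None

# Constructed demo parameters: p = 65537 (a Fermat prime) with generator g = 3.
P, G = 65537, 3

def demo():
    # Radix-3 exponent with 4 nonzero digits among 10 positions (3**10 < P - 1),
    # so the recovered exponent is unique.
    x = from_digits((1, 4, 7, 9), (2, 1, 2, 1), 3)  # 24144
    return low_weight_dlog(G, pow(G, x, P), P, n=10, t=4, b=3) == x
```

The search cost is governed by the number of weight-t/2 patterns per half, not by the size of the group, which is why low-weight exponents give no security margin.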

Keywords

Discrete logarithms, Baby-step giant-step, Meet-in-the-middle, Cryptanalysis, Verifier-based Password Authenticated Key Exchange (VPAKE)

Notes

Acknowledgements

We thank Doug Stinson, Itai Dinur, and the anonymous referees for their valuable feedback. Sarah Plosker is supported by the Natural Sciences and Engineering Research Council of Canada, the Canada Foundation for Innovation, and the Canada Research Chairs Program. Ryan Henry is supported by the National Science Foundation under Grant No. 1565375.

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. University of Waterloo, Waterloo, Canada
  2. Brandon University, Brandon, Canada
  3. Indiana University, Bloomington, USA