The Discrete-Logarithm Problem with Preprocessing

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)

Abstract

This paper studies discrete-log algorithms that use preprocessing. In our model, an adversary may use a very large amount of precomputation to produce an “advice” string about a specific group (e.g., NIST P-256). In a subsequent online phase, the adversary’s task is to use the preprocessed advice to quickly compute discrete logarithms in the group. Motivated by surprising recent preprocessing attacks on the discrete-log problem, we study the power and limits of such algorithms.

In particular, we focus on generic algorithms—these are algorithms that operate in every cyclic group. We show that any generic discrete-log algorithm with preprocessing that uses an S-bit advice string, runs in online time T, and succeeds with probability \(\epsilon \), in a group of prime order N, must satisfy \(ST^2 = {\widetilde{\varOmega }}(\epsilon N)\). Our lower bound, which is tight up to logarithmic factors, uses a synthesis of incompressibility techniques and classic methods for generic-group lower bounds. We apply our techniques to prove related lower bounds for the CDH, DDH, and multiple-discrete-log problems.

Finally, we demonstrate two new generic preprocessing attacks: one for the multiple-discrete-log problem and one for certain decisional-type problems in groups. This latter result demonstrates that, for generic algorithms with preprocessing, distinguishing tuples of the form \((g,{g^x}, {g^{(x^2)}})\) from random is much easier than the discrete-log problem.

Notes

Acknowledgements

We would like to thank Dan Boneh for encouraging us to undertake this project and for his advice along the way. We thank Omer Reingold, David Wu, and Benedikt Bünz for fruitful discussions during the early stages of this work. Saba Eskandarian, Steven Galbraith, Sam Kim, and Florian Tramèr gave suggestions that improved the presentation. This work was supported by NSF, DARPA, the Stanford Cyber Initiative, the Simons foundation, a grant from ONR, and an NDSEG Fellowship.

References

  1. 1.
    Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. In: STOC (1987).  https://doi.org/10.1145/28395.28417
  2. 2.
    Abusalah, H., Alwen, J., Cohen, B., Khilko, D., Pietrzak, K., Reyzin, L.: Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 357–379. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_13CrossRefGoogle Scholar
  3. 3.
    Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: CCS (2015).  https://doi.org/10.1145/2810103.2813707
  4. 4.
    Aggarwal, D., Maurer, U.: Breaking RSA generically is equivalent to factoring. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 36–53. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-01001-9_2CrossRefGoogle Scholar
  5. 5.
    Arora, S., Barak, B.: Computational Complexity: A Modern Approach. Cambridge University Press, Cambridge (2009)CrossRefMATHGoogle Scholar
  6. 6.
    Babai, L., Szemeredi, E.: On the complexity of matrix group problems I. In: FOCS (1984).  https://doi.org/10.1109/sfcs.1984.715919
  7. 7.
    Bărbulescu, R.: Improvements on the Discrete Logarithm Problem in GF\((p)\). Master’s thesis, Ècole Normale Supérieure de Lyon (2011). https://hal.inria.fr/inria-00588713
  8. 8.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_1CrossRefGoogle Scholar
  9. 9.
    Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_1CrossRefGoogle Scholar
  10. 10.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993).  https://doi.org/10.1145/168588.168596
  11. 11.
    Bernstein, D., Lange, T.: Two grumpy giants and a baby. In: The Open Book Series, vol. 1, no. 1, pp. 87–111 (2013).  https://doi.org/10.2140/obs.2013.1.87
  12. 12.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).  https://doi.org/10.1007/11745853_14CrossRefGoogle Scholar
  13. 13.
    Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321–340. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-42045-0_17CrossRefGoogle Scholar
  14. 14.
    Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054851CrossRefGoogle Scholar
  15. 15.
    Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-24676-3_4CrossRefGoogle Scholar
  16. 16.
    Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005).  https://doi.org/10.1007/11426639_26CrossRefGoogle Scholar
  17. 17.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44647-8_13CrossRefGoogle Scholar
  18. 18.
    Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30576-7_18CrossRefGoogle Scholar
  19. 19.
    Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-85538-5_3CrossRefGoogle Scholar
  20. 20.
    Brown, D.: On the provable security of ECDSA. In: Advances in Elliptic Curve Cryptography, pp. 21–40. Cambridge University Press (2005).  https://doi.org/10.1017/cbo9780511546570.004
  21. 21.
    Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Crypt. 35(1), 119–152 (2005).  https://doi.org/10.1007/s10623-003-6154-zMathSciNetCrossRefMATHGoogle Scholar
  22. 22.
    Chung, K.M., Lin, H., Mahmoody, M., Pass, R.: On the power of nonuniformity in proofs of security. In: ITCS (2013). http://doi.acm.org/10.1145/2422436.2422480
  23. 23.
    Coppersmith, D.: Modifications to the number field sieve. J. Cryptology 6(3), 169–180 (1993)MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. Cryptology ePrint Archive, Report 2017/937 (2017). https://eprint.iacr.org/2017/937
  25. 25.
    Corrigan-Gibbs, H., Kogan, D.: The discrete-logarithm problem with preprocessing. Cryptology ePrint Archive, Report 2017/1113 (2017). https://eprint.iacr.org/2017/1113
  26. 26.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0055717Google Scholar
  27. 27.
    Damgård, I., Koprowski, M.: Generic lower bounds for root extraction and signature schemes in general groups. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 256–271. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-46035-7_17CrossRefGoogle Scholar
  28. 28.
    De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14623-7_35CrossRefGoogle Scholar
  29. 29.
    Dent, A.W.: Adapting the weaknesses of the random oracle model to the generic group model. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 100–109. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-36178-2_6CrossRefGoogle Scholar
  30. 30.
    Dent, A.W.: The hardness of the DHK problem in the generic group model. Cryptology ePrint Archive, Report 2006/156 (2006). https://eprint.iacr.org/2006/156
  31. 31.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATHGoogle Scholar
  32. 32.
    Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_16CrossRefGoogle Scholar
  33. 33.
    Dodis, Y., Haitner, I., Tentes, A.: On the instantiability of hash-and-sign RSA signatures. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 112–132. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-28914-9_7CrossRefGoogle Scholar
  34. 34.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985).  https://doi.org/10.1007/3-540-39568-7_2CrossRefGoogle Scholar
  35. 35.
    Fiat, A., Naor, M.: Rigorous time/space tradeoffs for inverting functions. In: STOC (1991). http://doi.acm.org/10.1145/103418.103473
  36. 36.
    Fischlin, M.: A note on security proofs in the generic model. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 458–469. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44448-3_35CrossRefGoogle Scholar
  37. 37.
    Fouque, P.-A., Joux, A., Mavromati, C.: Multi-user collisions: applications to discrete logarithm, Even-Mansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_22Google Scholar
  38. 38.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010).  https://doi.org/10.1007/s00145-009-9048-zMathSciNetCrossRefMATHGoogle Scholar
  39. 39.
    Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Crypt. 78(1), 51–72 (2016).  https://doi.org/10.1007/s10623-015-0146-7MathSciNetCrossRefMATHGoogle Scholar
  40. 40.
    Galbraith, S.D., Ruprai, R.S.: Using equivalence classes to accelerate solving the discrete logarithm problem in a short interval. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 368–383. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13013-7_22CrossRefGoogle Scholar
  41. 41.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002).  https://doi.org/10.1007/s00145-001-0011-xMathSciNetCrossRefMATHGoogle Scholar
  42. 42.
    Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS (2000).  https://doi.org/10.1109/SFCS.2000.892119
  43. 43.
    Gennaro, R.: An improved pseudo-random generator based on discrete log. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 469–481. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44598-6_29CrossRefGoogle Scholar
  44. 44.
    Gordon, D.M.: Discrete logarithms in GF\((P)\) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993).  https://doi.org/10.1137/0406010MathSciNetCrossRefMATHGoogle Scholar
  45. 45.
    Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980).  https://doi.org/10.1109/TIT.1980.1056220MathSciNetCrossRefMATHGoogle Scholar
  46. 46.
    Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001).  https://doi.org/10.1007/s102070100002CrossRefGoogle Scholar
  47. 47.
    Joux, A., Odlyzko, A., Pierrot, C.: The past, evolving present, and future of the discrete logarithm. In: Koç, Ç.K. (ed.) Open Problems in Mathematics and Computational Science, pp. 5–36. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-10683-0_2Google Scholar
  48. 48.
    Kim, T.: Multiple discrete logarithm problems with auxiliary inputs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 174–188. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48797-6_8CrossRefGoogle Scholar
  49. 49.
    Koblitz, N., Menezes, A.: Another look at generic groups. Adv. Math. Commun. 1(1), 13–28 (2007).  https://doi.org/10.3934/amc.2007.1.13MathSciNetCrossRefMATHGoogle Scholar
  50. 50.
    Koblitz, N., Menezes, A.: Intractable problems in cryptography. In: Conference on Finite Fields and Their Applications (2010).  https://doi.org/10.1090/conm/518/10212
  51. 51.
    Koblitz, N., Menezes, A., Vanstone, S.: The state of elliptic curve cryptography. Des. Codes Cryptogr. 19(2–3), 173–193 (2000).  https://doi.org/10.1023/A:1008354106356MathSciNetCrossRefMATHGoogle Scholar
  52. 52.
    Koshiba, T., Kurosawa, K.: Short exponent Diffie-Hellman problems. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 173–186. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-24632-9_13CrossRefGoogle Scholar
  53. 53.
    Kravitz, D.W.: Digital signature algorithm. US Patent 5,231,668 (1993)Google Scholar
  54. 54.
    Kuhn, F., Struik, R.: Random walks revisited: extensions of Pollard’s Rho algorithm for computing multiple discrete logarithms. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 212–229. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45537-X_17CrossRefGoogle Scholar
  55. 55.
    Leander, G., Rupp, A.: On the equivalence of RSA and factoring regarding generic ring algorithms. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 241–251. Springer, Heidelberg (2006).  https://doi.org/10.1007/11935230_16CrossRefGoogle Scholar
  56. 56.
    Matyukhin, D.V.: On asymptotic complexity of computing discrete logarithms over GF\((p)\). Discrete Math. Appl. 13(1), 27–50 (2003).  https://doi.org/10.1515/156939203321669546MathSciNetCrossRefMATHGoogle Scholar
  57. 57.
    Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005).  https://doi.org/10.1007/11586821_1CrossRefGoogle Scholar
  58. 58.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993).  https://doi.org/10.1109/18.259647MathSciNetCrossRefMATHGoogle Scholar
  59. 59.
    Mihalcik, J.P.: An analysis of algorithms for solving discrete logarithms in fixed groups. Master’s thesis, Naval Postgraduate School (2010). https://calhoun.nps.edu/bitstream/handle/10945/5395/10Mar_Mihalcik.pdf
  60. 60.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979).  https://doi.org/10.1145/359168.359172CrossRefGoogle Scholar
  61. 61.
    Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55(2), 165–172 (1994).  https://doi.org/10.1007/bf02113297MathSciNetCrossRefMATHGoogle Scholar
  62. 62.
    Odlyzko, A.: Discrete logarithms: the past and the future. Des. Codes Cryptogr. 19(2), 129–145 (2000).  https://doi.org/10.1023/A:1008350005447MathSciNetCrossRefMATHGoogle Scholar
  63. 63.
    Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45146-4_36CrossRefGoogle Scholar
  64. 64.
    van Oorschot, P.C., Wiener, M.J.: On Diffie-Hellman key agreement with short exponents. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 332–343. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68339-9_29Google Scholar
  65. 65.
    Patel, S., Sundaram, G.S.: An efficient discrete log pseudo random generator. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 304–317. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0055737Google Scholar
  66. 66.
    Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over \({GF}(p)\) and its cryptographic significance (corresp.). IEEE Trans. Inf. Theory 24(1), 106–110 (1978).  https://doi.org/10.1109/tit.1978.1055817CrossRefMATHGoogle Scholar
  67. 67.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978).  https://doi.org/10.2307/2006496MathSciNetMATHGoogle Scholar
  68. 68.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990).  https://doi.org/10.1007/0-387-34805-0_22CrossRefGoogle Scholar
  69. 69.
    Schnorr, C.P., Jakobsson, M.: Security of signed ElGamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44448-3_7CrossRefGoogle Scholar
  70. 70.
    Shanks, D.: Class number, a theory of factorization, and genera (1971).  https://doi.org/10.1090/pspum/020/0316385
  71. 71.
    Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997).  https://doi.org/10.1007/3-540-69053-0_18Google Scholar
  72. 72.
    Smart, N.P.: The exact security of ECIES in the generic group model. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 73–84. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45325-3_8CrossRefGoogle Scholar
  73. 73.
    Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999).  https://doi.org/10.1007/s001459900052MathSciNetCrossRefMATHGoogle Scholar
  74. 74.
    Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74143-5_12CrossRefGoogle Scholar
  75. 75.
    Wang, P., Zhang, F.: Computing elliptic curve discrete logarithms with the negation map. Inf. Sci. 195, 277–286 (2012).  https://doi.org/10.1016/j.ins.2012.01.044MathSciNetCrossRefMATHGoogle Scholar
  76. 76.
    Wee, H.: On obfuscating point functions. In: STOC (2005). http://doi.acm.org/10.1145/1060590.1060669
  77. 77.
    Yao, A.C.C.: Coherent functions and program checkers. In: STOC (1990). http://doi.acm.org/10.1145/100216.100226
  78. 78.
    Ying, J.H.M., Kunihiro, N.: Bounds in various generalized settings of the discrete logarithm problem. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 498–517. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-61204-1_25CrossRefGoogle Scholar
  79. 79.
    Yun, A.: Generic hardness of the multiple discrete logarithm problem. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 817–836. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_27Google Scholar
  80. 80.
    Zhang, F., Wang, P., Galbraith, S.: Computing elliptic curve discrete logarithms with improved baby-step giant-step algorithm. Adv. Math. Commun. 11(3), 453–469 (2017).  https://doi.org/10.3934/amc.2017038MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Stanford UniversityStanfordUSA

Personalised recommendations