An efficient discrete log pseudo random generator

  • Sarvar Patel
  • Ganapathy S. Sundaram
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractibility assumption we show that discrete exponentiation modulo a prime p can hide nΩ(log n) bits (n = [log p] and p=2q+1, where q is also a prime). We prove simultaneous security by showing that any information about the nΩ(log n) bits can be used to discover the discrete log of g s mod p where s has Ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudo-random number generator which produces nc bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudo-random number generator produces a little less than 900 bits per exponentiation.


  1. [1]
    W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA/Rabin bits are 1/2+1/poly(log N) secure, Proceedings of 25th FOCS, 449–457, 1984.Google Scholar
  2. [2]
    M. Ben-Or, B. Chor, A. Shamir, On the cryptographic security of single RSA bits, Proceedings of 15th STOC, 421–430, 1983.Google Scholar
  3. [3]
    L. Blum, M. Blum, and M. Shub, A simple secure pseudo-random number generator, SIAM J. Computing, 15 No. 2:364–383, 1986.zbMATHMathSciNetCrossRefGoogle Scholar
  4. [4]
    M. Blum, and S. Micali, How to generate cryptographically strong sequences of pseudo random bits, SIAM J. Computing, 13 No. 4:850–864, 1984.zbMATHMathSciNetCrossRefGoogle Scholar
  5. [5]
    R. B. Boppana, and R. Hirschfeld, Pseudorrandom generators and complexity classes, Advances in Computing Research, 5 (S. Micali, Ed.), JAI Press, CT.Google Scholar
  6. [6]
    U. S. Department of Commerce/ N. I. S. T, Digital Signature Standard, FIPS 186, May 1994.Google Scholar
  7. [7]
    O. Goldreich, and L. A. Levin, A hard-core predicate for all one way functions, Proceedings of 21st STOC, 25–32, 1989.Google Scholar
  8. [8]
    S. Goldwasser, and A. Micali, Probabilistic encryption, Journal of Computer and Systems Science, 28: 270–299, 1984.zbMATHMathSciNetCrossRefGoogle Scholar
  9. [9]
    J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby, Construction of pseudo-random generator from any one-way function, SIAM J. Computing, to appear.Google Scholar
  10. [10]
    J. Hastad, A. W. Schrift, and A. Shamir, The discrete logarithm modulo a composite modulus hides O(n) bits, Journal of Computer and System Sciences, 47: 376–404, 1993.zbMATHMathSciNetCrossRefGoogle Scholar
  11. [11]
    R. Impagliazzo, L. A. Levin, and M. Luby, Pseudo-random generation from one-way functions, Proceddings of 20th STOC, 12–24, 1988.Google Scholar
  12. [12]
    B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, Advances in Cryptology — CRYPTO '86 (LNCS 263), 84–103, 1987.zbMATHMathSciNetGoogle Scholar
  13. [13]
    J. Kilian, S. Micali, and R. Ostrovsky, Minimum resource zero-knowledge proofs, Procedings of 30th FOCS, 474–489, 1989.Google Scholar
  14. [14]
    D. E. Knuth, The Art of Computer Programming (vol S): Sorting and Searching, Addison Wesley, 1973.Google Scholar
  15. [15]
    N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48:203–209, 1987.zbMATHMathSciNetCrossRefGoogle Scholar
  16. [16]
    D. L. Long, and A. Wigderson, The discrete log hides O(log n) bits, SIAM J. Computing, 17:363–372, 1988.zbMATHMathSciNetCrossRefGoogle Scholar
  17. [17]
    V. Miller, Elliptic curves and cryptography, Advances in Cryptology — CRYPTO '85 (LNCS 218), 417–426, 1986.zbMATHGoogle Scholar
  18. [18]
    M. Naor, Bit commitment using pseudo-randomness, Advances in Cryptology — CRYPTO '89 (LNCS 435), 128–136, 1989.MathSciNetGoogle Scholar
  19. [19]
    P. van Oorschot, M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology — EUROCRYPT '96 (LNCS 1070), 332–343, 1996.Google Scholar
  20. [20]
    R. Peralta, Simultaneous security of bits in the discrete log, Advances in Cryptology — EUROCRYPT '85 (LNCS 219), 62–72, 1986.zbMATHMathSciNetGoogle Scholar
  21. [21]
    S. C. Pohlig, and M. E. Hellman, An improved algorithm for computing over GF(p) and its cryptographic significance, IEEE Trans. IT, 24: 106–110, 1978.zbMATHMathSciNetGoogle Scholar
  22. [22]
    J. M. Pollard, Monte Carlo methods for index compution (mod p), Mathematics of Computation, 32, No. 143:918–924, 1978.zbMATHMathSciNetCrossRefGoogle Scholar
  23. [24]
    U. V. Vazirani, and V. V. Vazirani, Efficient and secure pseudo-random number generators, Proceedings of 25th FOCS, 458–463, 1984.Google Scholar
  24. [25]
    A. C. Yao, Theory and applications of trapdoor functions, Proceedings of 23rd FOCS, 80–91, 1982.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Sarvar Patel
    • 1
  • Ganapathy S. Sundaram
    • 1
  1. 1.Bell LabsWhippanyUSA

Personalised recommendations