Solving Discrete Logarithms with Partial Knowledge of the Key

Discrete Log Problem (DLP)Let G be a cyclic group of prime order p andlet g be a generator of G.Given β ∈ G, the discrete logarithm problemis to determine α such that g α = β.The presumed computational difficulty ofsolving the DLP in appropriate groups is thebasis of many cryptosystems and protocols.The primary reason for the popularity of ECCover RSA is that there are currently no knownsubexponential algorithms to solve the DLP ingroups used in ECC.Indocrypt’07 - Discrete Log – p.2

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Indocrypt’07 - Discrete Log – p.3

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Each group element has a unique encoding.Indocrypt’07 - Discrete Log – p.3

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Each group element has a unique encoding.Given the encoding of two elements g and hof the group, the black box canIndocrypt’07 - Discrete Log – p.3

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Each group element has a unique encoding.Given the encoding of two elements g and hof the group, the black box canproduce g · h, in unit time.Indocrypt’07 - Discrete Log – p.3

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Each group element has a unique encoding.Given the encoding of two elements g and hof the group, the black box canproduce g · h, in unit time.decide whether g = h, in unit time.Indocrypt’07 - Discrete Log – p.3

Generic Groups“Generic Group” refers to a group whosestructure we do not know.It is presented in the form of a “Black Box”.Each group element has a unique encoding.Given the encoding of two elements g and hof the group, the black box canproduce g · h, in unit time.decide whether g = h, in unit time.compute any given power of g(including g −1 ), in time O(log p).Indocrypt’07 - Discrete Log – p.3

Algorithms for DLP inGeneric GroupsBaby-step Rho Kangaroo ∗Giant-stepShanks Pollard PollardDeterministic Probabilistic ProbabilisticTime O( √ p) O( √ p) O( √ b − a)Space O( √ p) O(1) O(1)∗ Assumes that DL is known to lie in the interval [a, b]Indocrypt’07 - Discrete Log – p.4

Lower BoundsVictor Shoup has established a lower boundof Ω( √ p) for any probabilistic algorithm thatcan solve the DLP for generic groups.Indocrypt’07 - Discrete Log – p.5

Lower BoundsVictor Shoup has established a lower boundof Ω( √ p) for any probabilistic algorithm thatcan solve the DLP for generic groups.Hence the Baby-step Giant-step method andthe rho method are optimal algorithms tosolve the DLP and cannot be improvedfurther (except possibly by a constant factor).Indocrypt’07 - Discrete Log – p.5

Lower BoundsVictor Shoup has established a lower boundof Ω( √ p) for any probabilistic algorithm thatcan solve the DLP for generic groups.Hence the Baby-step Giant-step method andthe rho method are optimal algorithms tosolve the DLP and cannot be improvedfurther (except possibly by a constant factor).The reason for the popularity of the ECC isthat the only known algorithms to solve theDLP over elliptic curve groups are the genericalgorithms.Indocrypt’07 - Discrete Log – p.5

Side Channel Attacks“Side Channel Attacks” focus on theimplementation of an algorithm rather thanthe specification to break a cryptosystem.Indocrypt’07 - Discrete Log – p.6

Side Channel Attacks“Side Channel Attacks” focus on theimplementation of an algorithm rather thanthe specification to break a cryptosystem.By observing the implementation beingexecuted, the attacker can make correlationsbetween the events that occur in theprocessor and the data being processed.Indocrypt’07 - Discrete Log – p.6

Side Channel Attacks“Side Channel Attacks” focus on theimplementation of an algorithm rather thanthe specification to break a cryptosystem.By observing the implementation beingexecuted, the attacker can make correlationsbetween the events that occur in theprocessor and the data being processed.Famous examples include Timing basedattacks and Power Analysis based attacks.Indocrypt’07 - Discrete Log – p.6

Problem ConsideredWe assume that some partial informationabout the secret key is revealed by sidechannel attacks.Indocrypt’07 - Discrete Log – p.7

Problem ConsideredWe assume that some partial informationabout the secret key is revealed by sidechannel attacks.We can certainly ignore the extra informationand use a generic algorithm of complexityO( √ p) to break the system.Indocrypt’07 - Discrete Log – p.7

Problem ConsideredWe assume that some partial informationabout the secret key is revealed by sidechannel attacks.We can certainly ignore the extra informationand use a generic algorithm of complexityO( √ p) to break the system.We can do an exhaustive search using theextra information to break the system.Indocrypt’07 - Discrete Log – p.7

Problem ConsideredWe assume that some partial informationabout the secret key is revealed by sidechannel attacks.We can certainly ignore the extra informationand use a generic algorithm of complexityO( √ p) to break the system.We can do an exhaustive search using theextra information to break the system.Can we do something in between? In otherwords, can we use the partial informationintelligently to break the system?Indocrypt’07 - Discrete Log – p.7

Nature of Partial InformationWe consider two different scenarios based onthe nature of partial information revealed.Indocrypt’07 - Discrete Log – p.8

Nature of Partial InformationWe consider two different scenarios based onthe nature of partial information revealed.In the first scenario, we assume that asequence of contiguous bits of the key isrevealed.Indocrypt’07 - Discrete Log – p.8

Nature of Partial InformationWe consider two different scenarios based onthe nature of partial information revealed.In the first scenario, we assume that asequence of contiguous bits of the key isrevealed.In the second scenario, we assume thatincomplete information about the“Square and Multiply Chain” (used toefficiently exponentiate) is revealed.Indocrypt’07 - Discrete Log – p.8

Contiguous bits are knownThe goal is to come up with an algorithm whosecomplexity will be square root of the size of theremaining key space (and thus optimal)Indocrypt’07 - Discrete Log – p.9

Contiguous bits are knownThe goal is to come up with an algorithm whosecomplexity will be square root of the size of theremaining key space (and thus optimal)Left Part is Known Can simply use KangarooAlgorithm.Indocrypt’07 - Discrete Log – p.9

Contiguous bits are knownThe goal is to come up with an algorithm whosecomplexity will be square root of the size of theremaining key space (and thus optimal)Left Part is Known Can simply use KangarooAlgorithm.Right Part is Known Can be solved in optimal timeas shown by Teske.Indocrypt’07 - Discrete Log – p.9

Contiguous bits are knownThe goal is to come up with an algorithm whosecomplexity will be square root of the size of theremaining key space (and thus optimal)Left Part is Known Can simply use KangarooAlgorithm.Right Part is Known Can be solved in optimal timeas shown by Teske.Middle Part is Known Has not been studied in theLiterature.Indocrypt’07 - Discrete Log – p.9

Middle Part is KnownAssume that we know M and N such thatα = α 1 MN + α 2 M + α 3where 0 ≤ α 2 < N is known and with0 ≤ α 3 < M.Indocrypt’07 - Discrete Log – p.10

Middle Part is KnownAssume that we know M and N such thatα = α 1 MN + α 2 M + α 3where 0 ≤ α 2 < N is known and with0 ≤ α 3 < M.Suppose, we are given an integer r,0 < r < p, such that we can write rMN askp + s with |s| < p/2. Then,rα = rα 1 MN + rα 2 M + rα 3= α 1 kp + sα 1 + rα 2 M + rα 3= α 1 kp + rα 2 M + α ′ Indocrypt’07 - Discrete Log – p.10

Reducing to KangarooAlgorithmg αr = g α 1kp+rα 2 M+α ′(g α ) r = (g p ) α 1k g rα 2M g α′β r = g rα 2M g α′ Indocrypt’07 - Discrete Log – p.11

Reducing to KangarooAlgorithmg αr = g α 1kp+rα 2 M+α ′(g α ) r = (g p ) α 1k g rα 2M g α′β r = g rα 2M g α′Denoting ( β × g −α 2M ) rby β ′ , the aboveequation can be written in the form β ′ = g α′ .Indocrypt’07 - Discrete Log – p.11

Reducing to KangarooAlgorithmg αr = g α 1kp+rα 2 M+α ′(g α ) r = (g p ) α 1k g rα 2M g α′β r = g rα 2M g α′Denoting ( β × g −α 2M ) rby β ′ , the aboveequation can be written in the form β ′ = g α′ .Note that β ′ can be computed from β as r, α 2 ,and M are known.Indocrypt’07 - Discrete Log – p.11

Reducing to KangarooAlgorithmg αr = g α 1kp+rα 2 M+α ′(g α ) r = (g p ) α 1k g rα 2M g α′β r = g rα 2M g α′Denoting ( β × g −α 2M ) rby β ′ , the aboveequation can be written in the form β ′ = g α′ .Note that β ′ can be computed from β as r, α 2 ,and M are known.Invoke Kangaroo Algorithm to compute α ′ .Indocrypt’07 - Discrete Log – p.11

Bounding Interval SizeWhen s is positive, α ′ = α 3 r + α 1 s must be inthe interval[( p)]0, r(M − 1) + sMN − 1Indocrypt’07 - Discrete Log – p.12

Bounding Interval SizeWhen s is positive, α ′ = α 3 r + α 1 s must be inthe interval[( p)]0, r(M − 1) + sMN − 1Similary, if s is negative, α ′ must be in theinterval[ ( p) ]sMN − 1 , r(M − 1)Indocrypt’07 - Discrete Log – p.12

Bounding Interval SizeWhen s is positive, α ′ = α 3 r + α 1 s must be inthe interval[( p)]0, r(M − 1) + sMN − 1Similary, if s is negative, α ′ must be in theinterval[ ( p) ]sMN − 1 , r(M − 1)In both cases we can restrict the value of α ′ toan interval of length rM + |s|pMN . Indocrypt’07 - Discrete Log – p.12

Minimizing Interval SizeWe want to select the parameters r and ssuch that the interval size is minimized.Indocrypt’07 - Discrete Log – p.13

Minimizing Interval SizeWe want to select the parameters r and ssuch that the interval size is minimized.We can do so, by using Dirichlet’s Theoremon rational approximations.Indocrypt’07 - Discrete Log – p.13

Minimizing Interval SizeWe want to select the parameters r and ssuch that the interval size is minimized.We can do so, by using Dirichlet’s Theoremon rational approximations.We can guarantee that the size of the intervalis at most O(2p/ √ N).Indocrypt’07 - Discrete Log – p.13

Minimizing Interval SizeWe want to select the parameters r and ssuch that the interval size is minimized.We can do so, by using Dirichlet’s Theoremon rational approximations.We can guarantee that the size of the intervalis at most O(2p/ √ N).So, the time complexity of the overallalgorithm will be O( √ 2p 1/2/ N 1/4 ).Indocrypt’07 - Discrete Log – p.13

RemarksOnce α ′ is known, we can solve the easydiophantine equation α ′ = rα 3 + sα 1 andextract α 1 and α 3 .Indocrypt’07 - Discrete Log – p.14

RemarksOnce α ′ is known, we can solve the easydiophantine equation α ′ = rα 3 + sα 1 andextract α 1 and α 3 .Together with the known middle part α 2 , weget the discrete log α.Indocrypt’07 - Discrete Log – p.14

RemarksOnce α ′ is known, we can solve the easydiophantine equation α ′ = rα 3 + sα 1 andextract α 1 and α 3 .Together with the known middle part α 2 , weget the discrete log α.The complexity that we are able to get is notquite optimal in the general case.Indocrypt’07 - Discrete Log – p.14

RemarksOnce α ′ is known, we can solve the easydiophantine equation α ′ = rα 3 + sα 1 andextract α 1 and α 3 .Together with the known middle part α 2 , weget the discrete log α.The complexity that we are able to get is notquite optimal in the general case.However, if p is Mersenne prime (or if p issufficiently close to 2 l ), we are able to getoptimal complexity.Indocrypt’07 - Discrete Log – p.14

Square and MultiplyAlgorithmFor example, to compute g 43Write 43 in binary as 101011.Indocrypt’07 - Discrete Log – p.15

Square and MultiplyAlgorithmFor example, to compute g 43Write 43 in binary as 101011.Replace each 0 by S (Square) and 1 by SM(Square and Multiply) to get SMSSMSSMSM.Indocrypt’07 - Discrete Log – p.15

Square and MultiplyAlgorithmFor example, to compute g 43Write 43 in binary as 101011.Replace each 0 by S (Square) and 1 by SM(Square and Multiply) to get SMSSMSSMSM.Start with h = 1 and do the operations(Squaring h and Multiplying h by g) specifiedby the above string from left to right, storingthe result back in h each time.Indocrypt’07 - Discrete Log – p.15

Square and MultiplyAlgorithmFor example, to compute g 43Write 43 in binary as 101011.Replace each 0 by S (Square) and 1 by SM(Square and Multiply) to get SMSSMSSMSM.Start with h = 1 and do the operations(Squaring h and Multiplying h by g) specifiedby the above string from left to right, storingthe result back in h each time.1 → 1 → g → g 2 → g 4 → g 5 → g 10 → g 20 →g 21 → g 42 → g 43 Indocrypt’07 - Discrete Log – p.15

AssumptionsIn the second scenario, we assume that(incomplete) information about the “Squareand Multiply Chain” is revealed by the sidechannel attacks. Specifically, we assume thatIndocrypt’07 - Discrete Log – p.16

AssumptionsIn the second scenario, we assume that(incomplete) information about the “Squareand Multiply Chain” is revealed by the sidechannel attacks. Specifically, we assume thatthe total length n of the square and multiplychain is known.Indocrypt’07 - Discrete Log – p.16

AssumptionsIn the second scenario, we assume that(incomplete) information about the “Squareand Multiply Chain” is revealed by the sidechannel attacks. Specifically, we assume thatthe total length n of the square and multiplychain is known.the number m of M’s is known.Indocrypt’07 - Discrete Log – p.16

AssumptionsIn the second scenario, we assume that(incomplete) information about the “Squareand Multiply Chain” is revealed by the sidechannel attacks. Specifically, we assume thatthe total length n of the square and multiplychain is known.the number m of M’s is known.Exact positions of m − i of the M’s areknown.Indocrypt’07 - Discrete Log – p.16

AssumptionsIn the second scenario, we assume that(incomplete) information about the “Squareand Multiply Chain” is revealed by the sidechannel attacks. Specifically, we assume thatthe total length n of the square and multiplychain is known.the number m of M’s is known.Exact positions of m − i of the M’s areknown.The problem is to utilize the partialinformation and figure out the entire chain.Indocrypt’07 - Discrete Log – p.16

ObservationsWe need to figure out the exact positions ofthe remaining i M’s. Then, the entire chain isdetermined.Indocrypt’07 - Discrete Log – p.17

ObservationsWe need to figure out the exact positions ofthe remaining i M’s. Then, the entire chain isdetermined.We can do an exhaustive search in timeO(n i ). Guess the positions of the i M’s andthen check whether the guess is right.Indocrypt’07 - Discrete Log – p.17

ObservationsWe need to figure out the exact positions ofthe remaining i M’s. Then, the entire chain isdetermined.We can do an exhaustive search in timeO(n i ). Guess the positions of the i M’s andthen check whether the guess is right.We can make use of the fact that every Mshould be preceded and followed by a S. But,this will not affect the asymptotics.Indocrypt’07 - Discrete Log – p.17

A solution using anadditional assumptionSuppose that somehow we can split the chaininto two parts such that i/2 M’s are on the leftpart and the remaining i/2 M’s are on theright part.β = g α = g a2x +b= ( g 2x ) agbIndocrypt’07 - Discrete Log – p.18

A solution using anadditional assumptionSuppose that somehow we can split the chaininto two parts such that i/2 M’s are on the leftpart and the remaining i/2 M’s are on theright part.β = g α = g a2x +b= ( g 2x ) agbIf we denote g −2x by h, then the aboveequation reduces toβ −1 × g b = h a Indocrypt’07 - Discrete Log – p.18

AlgorithmMake a guess a for the left part.Indocrypt’07 - Discrete Log – p.19

AlgorithmMake a guess a for the left part.Compute h a .Indocrypt’07 - Discrete Log – p.19

AlgorithmMake a guess a for the left part.Compute h a .Record the pair (a, h a ) in a table.Indocrypt’07 - Discrete Log – p.19

AlgorithmMake a guess a for the left part.Compute h a .Record the pair (a, h a ) in a table.Repeat the above for each possible guess a.Indocrypt’07 - Discrete Log – p.19

AlgorithmMake a guess a for the left part.Compute h a .Record the pair (a, h a ) in a table.Repeat the above for each possible guess a.Sort the table based on second column.Indocrypt’07 - Discrete Log – p.19

AlgorithmMake a guess a for the left part.Compute h a .Record the pair (a, h a ) in a table.Repeat the above for each possible guess a.Sort the table based on second column.Space Complexity is O(n i/2 ) ignoringlogarithmic terms.Indocrypt’07 - Discrete Log – p.19

Algorithm - Contd.Make a guess b for the right part.Indocrypt’07 - Discrete Log – p.20

Algorithm - Contd.Make a guess b for the right part.Compute y = β −1 × g b .Indocrypt’07 - Discrete Log – p.20

Algorithm - Contd.Make a guess b for the right part.Compute y = β −1 × g b .Check if y is in the second column of somerow of the table.Indocrypt’07 - Discrete Log – p.20

Algorithm - Contd.Make a guess b for the right part.Compute y = β −1 × g b .Check if y is in the second column of somerow of the table.If so, the guess is correct, and thecorresponding a is in the first column.Indocrypt’07 - Discrete Log – p.20

Algorithm - Contd.Make a guess b for the right part.Compute y = β −1 × g b .Check if y is in the second column of somerow of the table.If so, the guess is correct, and thecorresponding a is in the first column.If not, the guess is wrong and we makeanother guess for b until we succeed.Indocrypt’07 - Discrete Log – p.20

Algorithm - Contd.Make a guess b for the right part.Compute y = β −1 × g b .Check if y is in the second column of somerow of the table.If so, the guess is correct, and thecorresponding a is in the first column.If not, the guess is wrong and we makeanother guess for b until we succeed.Time Complexity is O(n i/2 ) ignoringlogarithmic terms.Indocrypt’07 - Discrete Log – p.20

Getting rid of theassumptionWe don’t really need the additionalassumption.Indocrypt’07 - Discrete Log – p.21

Getting rid of theassumptionWe don’t really need the additionalassumption.There are only O(n) ways of dividing thechain into two parts.Indocrypt’07 - Discrete Log – p.21

Getting rid of theassumptionWe don’t really need the additionalassumption.There are only O(n) ways of dividing thechain into two parts.One of them must have the property that i/2M’s are in each part. So, we try each way ofsplitting the chain, one position at a time.Indocrypt’07 - Discrete Log – p.21

Getting rid of theassumptionWe don’t really need the additionalassumption.There are only O(n) ways of dividing thechain into two parts.One of them must have the property that i/2M’s are in each part. So, we try each way ofsplitting the chain, one position at a time.The overall complexity of the algorithm will beO(n 1+ ⌊ i 2⌋ ).Indocrypt’07 - Discrete Log – p.21

Conclusion and OpenProblemsUnder two different scenarios of partialinformation we have better algorithms to findthe discrete log.Indocrypt’07 - Discrete Log – p.22

Conclusion and OpenProblemsUnder two different scenarios of partialinformation we have better algorithms to findthe discrete log.At present, we don’t know how to solve thediscrete log problem efficiently when the bitsrevealed are not in contiguous postions.Indocrypt’07 - Discrete Log – p.22

Conclusion and OpenProblemsUnder two different scenarios of partialinformation we have better algorithms to findthe discrete log.At present, we don’t know how to solve thediscrete log problem efficiently when the bitsrevealed are not in contiguous postions.Sometimes, one uses the NAF(Non-adjacent Form) representation to do theexponentiation. If we know partial informationabout the NAF we don’t know how to solvethe discrete log problem efficiently.Indocrypt’07 - Discrete Log – p.22