  1. Playing “Hide-and-Seek” in Finite Fields: Hidden Number Problem and Its Applications

Igor E. Shparlinski
Centre for Advanced Computing: Algorithms and Cryptography
Macquarie University
igor@comp.mq.edu.au

  2. Introduction

We describe a rather surprising, yet powerful, combination of
  • exponential sums
  • lattice reduction algorithms.
This combination has led to a number of cryptographic applications, helping to make rigorous several heuristic approaches. It provides a two-edged sword to:
  • prove important security results;
  • create powerful attacks.

  3. Examples

  • Bit security of the
    – Diffie–Hellman key exchange system,
    – Shamir message passing scheme,
    – XTR cryptosystem,
    – Rivest–Shamir–Wagner timed-release crypto.
  • Attacks on the
    – Digital Signature Scheme (DSA),
    – Nyberg–Rueppel Signature Scheme.

  4. Notation

$p$ = prime number, $\mathbb{F}_p$ = finite field of $p$ elements.
$\lfloor s \rfloor_m$ = the remainder of $s$ on division by $m$.
For $\ell > 0$, $\mathrm{MSB}_{\ell,p}(x)$ denotes any integer $u$ such that
$$|\lfloor x \rfloor_p - u| \le p/2^{\ell+1}.$$
$\mathrm{MSB}_{\ell,p}(x) \approx$ the $\ell$ most significant bits of $x$. However, this definition is more flexible. In particular, $\ell$ need not be an integer.

  5. Hidden Number Problem (HNP)

Boneh and Venkatesan, 1996.
HNP: Recover $\alpha \in \mathbb{F}_p$ such that for many known random $t \in \mathbb{F}_p$ we are given $\mathrm{MSB}_{\ell,p}(\alpha t)$ for some $\ell > 0$.
B&V, 1996: a polynomial time algorithm to solve HNP with $\ell \approx \log^{1/2} p$. The algorithm is based on lattice reduction.

Lattices. Let $\{b_1, \dots, b_s\}$ be a set of linearly independent vectors in $\mathbb{R}^s$. The set of vectors
$$L = \Bigl\{ z \;\Big|\; z = \sum_{i=1}^{s} c_i b_i,\ c_1, \dots, c_s \in \mathbb{Z} \Bigr\}$$
is called an $s$-dimensional full rank lattice. The set $\{b_1, \dots, b_s\}$ is called a basis of $L$.

  6. The closest vector problem

CVP: Given a vector $r \in \mathbb{R}^s$, find a lattice vector $v \in L$ with
$$\|r - v\| = \min_{z \in L} \|r - z\|.$$
CVP is NP-complete. Approximate solution? Lenstra, Lenstra and Lovász, 1982; Kannan, 1987; Schnorr, 1987.

Lemma 1. There exists a deterministic polynomial time algorithm which, for a given lattice $L$ and a vector $r \in \mathbb{R}^s$, finds a lattice vector $v \in L$ satisfying the inequality
$$\|r - v\| \le \exp\left( C s \,\frac{\log^2 \log s}{\log s} \right) \min_{z \in L} \|r - z\|$$
for some absolute constant $C > 0$.

LLL: stretch factor $2^{s/2}$ (can be used as well). Working with $2^{o(s)}$ is technically easier.

  7. HNP and CVP — B&V, 1996

Let $d \ge 1$ be an integer. Given $t_i$, $u_i = \mathrm{MSB}_{\ell,p}(\alpha t_i)$, $i = 1, \dots, d$, we build the lattice $L(p, \ell, t_1, \dots, t_d)$ spanned by the rows of the matrix
$$\begin{pmatrix}
p & 0 & \cdots & 0 & 0 \\
0 & p & \ddots & \vdots & \vdots \\
\vdots & \ddots & \ddots & 0 & \vdots \\
0 & 0 & \cdots & p & 0 \\
t_1 & t_2 & \cdots & t_d & 1/2^{\ell+1}
\end{pmatrix}.$$
The unknown vector $v = (\lfloor \alpha t_1 \rfloor_p, \dots, \lfloor \alpha t_d \rfloor_p, \alpha/2^{\ell+1})$
  • belongs to $L(p, \ell, t_1, \dots, t_d)$,
  • is close to the known vector $u = (u_1, \dots, u_d, 0)$: $\|v - u\| = O\left(p\,2^{-\ell}\right)$.
Idea: Apply a CVP algorithm and hope that it will output $v$.

  8. How to make it rigorous?

We show that for almost all $t_1, \dots, t_d$, $v$ is the only lattice vector which can be so close to $u$. In fact, even within the approximation factor of Lemma 1, that is within the distance of order $p\,2^{-\ell + o(d)}$, this is still the only lattice vector.

Assume that $w \equiv (\beta t_1, \dots, \beta t_d, \beta/2^{\ell+1}) \pmod p$, with $\beta \not\equiv \alpha \pmod p$, is another lattice vector with $\|w - u\| \le p\,2^{-\ell + o(d)}$. Then
$$\|w - v\| \le p\,2^{-\ell + o(d)}. \qquad (1)$$
Therefore for each $i = 1, \dots, d$
$$(\alpha - \beta) t_i \in \left[-p\,2^{-\ell + o(d)},\ p\,2^{-\ell + o(d)}\right] \pmod p.$$
For every fixed $\gamma \not\equiv 0 \pmod p$
$$\Pr_{t \in \mathbb{F}_p}\bigl(\gamma t \in [-h, h] \pmod p\bigr) \le \frac{2h+1}{p}. \qquad (2)$$

  9. Thus
$$\Pr_{t_1, \dots, t_d \in \mathbb{F}_p}\bigl(\gamma t_i \in [-h, h] \pmod p,\ i = 1, \dots, d\bigr) \le \left(\frac{2h+1}{p}\right)^d.$$
In our settings $\gamma = \alpha - \beta$ and $h = p\,2^{-\ell + o(d)}$.
Because $\beta$ (and thus $\gamma = \alpha - \beta$) may belong to $p - 1$ distinct residue classes, we conclude that (1) holds with probability at most
$$P \le p \left( 2^{-\ell + o(d)} \right)^d.$$
Choose $\ell = d = \left\lceil 2 \log^{1/2} p \right\rceil$. Then $P \le 1/p$.
CVP algorithm returns $v$ with probability $\ge 1 - 1/p$.

  10. Extended HNP

HNP: Recover $\alpha \in \mathbb{F}_p$ such that for many known random $t \in \mathbb{F}_p$ we are given $\mathrm{MSB}_{\ell,p}(\alpha t)$ for some $\ell > 0$.
The condition that $t$ is selected uniformly at random from $\mathbb{F}_p$ is too restrictive for applications. Typically $t$ is selected from a certain finite sequence $\mathcal{T}$ of elements of $\mathbb{F}_p$ which
  • may have a nice and well-studied number theoretic structure (bit security of Diffie–Hellman key),
  • may be rather “ugly” looking (attacks on DSA and Nyberg–Rueppel).
EHNP: Recover $\alpha \in \mathbb{F}_p$ such that for many known random $t \in \mathcal{T}$ we are given $\mathrm{MSB}_{\ell,p}(\alpha t)$ for some $\ell > 0$.
The same arguments as above apply to the EHNP . . . but one needs an analogue of (2).
⇓
$\mathcal{T}$ must have some uniformity of distribution properties.

  11. Distribution of Sequences

The discrepancy $D(\Gamma)$ of an $N$-element sequence $\Gamma = \{\gamma_1, \dots, \gamma_N\}$ of elements of the interval $[0, 1]$ is defined as
$$D(\Gamma) = \sup_{J \subseteq [0,1]} \left| \frac{A(J, N)}{N} - |J| \right|,$$
where $|J|$ is the length of the interval $J$ and
$$A(J, N) = \#\{ \gamma_n \in J,\ 1 \le n \le N \}.$$
A finite sequence $\mathcal{T}$ of integers is $\Delta$-homogeneously distributed modulo $p$ ($\Delta$-HD$_p$) if for any $a \in [1, p-1]$ the sequence $\{\lfloor a t \rfloor_p / p\}$, $t \in \mathcal{T}$, has discrepancy at most $\Delta$.

  12. Putting Together

For a $\Delta$-HD$_p$ sequence $\mathcal{T}$, instead of (2) we get
$$\Pr_{t \in \mathcal{T}}\bigl(\gamma t \in [-h, h] \pmod p\bigr) \le \frac{2h+1}{p} + \Delta.$$
Nguyen & Shparlinski, 2000:

Theorem 2. Let $\ell = \lceil \log^{1/2} p \rceil + \lceil \log \log p \rceil$ and $d = 2 \lceil \log^{1/2} p \rceil$. Let $\mathcal{T}$ be $2^{-\log^{1/2} p}$-HD$_p$. There exists a deterministic polynomial time algorithm $\mathcal{A}$ such that for any fixed integer $\alpha \in [0, p-1]$, given $2d$ integers $t_i$ and $u_i = \mathrm{MSB}_{\ell,p}(\alpha t_i)$, $i = 1, \dots, d$, its output satisfies
$$\Pr_{t_1, \dots, t_d \in \mathcal{T}} \bigl[ \mathcal{A}(t_1, \dots, t_d; u_1, \dots, u_d) = \alpha \bigr] \ge 1 - 2^{-(\log p)^{1/2} \log \log p}$$
if $t_1, \dots, t_d$ are chosen uniformly and independently at random from the elements of $\mathcal{T}$.

  13. Discrepancy and Exponential Sums

Pólya–Vinogradov, 1918: $\mathcal{T}$ is $\Delta$-HD$_p$ with
$$\Delta = O\left( \frac{\log p}{\#\mathcal{T}} \max_{1 \le c \le p-1} \left| \sum_{t \in \mathcal{T}} \exp(2\pi i c t / p) \right| \right).$$
To use it we need an improvement upon the trivial bound
$$\left| \sum_{t \in \mathcal{T}} \exp(2\pi i c t / p) \right| \le \#\mathcal{T}.$$
In many situations we have such results, which are quite enough . . . but what if only a very weak bound on the above exponential sums is known?
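To make slide 11's definition and slide 13's link to exponential sums concrete, here is an added Python illustration (our own, not code from the slides) that computes both quantities exactly for two constructed 32-element subsets of $\mathbb{F}_{257}^*$: the subgroup of 8th powers, which is the kind of set slide 15 treats, and the integer interval $[1, 32]$. The toy prime $p = 257$ and both sets are our choices. The discrepancy routine scans the $O(N^2)$ candidate intervals on which the supremum is attained, and the $\Delta$ of $\Delta$-HD$_p$ is obtained by maximising over every multiplier $a$.

```python
"""Discrepancy (slide 11) and exponential sums (slide 13) of sequences modulo p.

Added illustration with constructed inputs: the prime p = 257 and the two sets
compared below are our choices, not examples from the slides."""
import cmath
import math


def discrepancy(points):
    """Exact D(Gamma) = sup_J |A(J,N)/N - |J|| over subintervals J of [0, 1].

    The supremum is attained on a closed interval [x_i, x_j] with endpoints in the
    sequence (largest count for its length), on an open (x_i, x_j) (largest length
    for its count), or on an interval touching 0 or 1, so scanning those O(N^2)
    candidates over the sorted points gives the exact value."""
    xs = sorted(points)
    n = len(xs)
    best = 0.0
    for i in range(n):
        best = max(best, xs[i] - i / n)                  # [0, x_i): length x_i, count i
        best = max(best, (1 - xs[i]) - (n - 1 - i) / n)  # (x_i, 1]: count n-1-i
        for j in range(i, n):
            length = xs[j] - xs[i]
            best = max(best, (j - i + 1) / n - length)   # closed [x_i, x_j]
            if j > i:
                best = max(best, length - (j - i - 1) / n)   # open (x_i, x_j)
    return best


def hd_delta(T, p):
    """Smallest Delta with T Delta-HD_p: max over a of the discrepancy of {floor(a t)_p / p}."""
    return max(discrepancy([(a * t % p) / p for t in T]) for a in range(1, p))


def exp_sum_max(T, p):
    """max_{1 <= c <= p-1} |sum_{t in T} exp(2 pi i c t / p)|, the quantity in Polya-Vinogradov."""
    return max(abs(sum(cmath.exp(2j * math.pi * c * t / p) for t in T)) for c in range(1, p))


def compare(p=257):
    """Constructed comparison of two 32-element subsets of F_p^*: the subgroup of
    8th powers (order (p-1)/8 = 32) versus the integer interval [1, 32]."""
    subgroup = sorted({pow(y, 8, p) for y in range(1, p)})
    interval = list(range(1, 33))
    return {
        "subgroup": (hd_delta(subgroup, p), exp_sum_max(subgroup, p)),
        "interval": (hd_delta(interval, p), exp_sum_max(interval, p)),
    }


if __name__ == "__main__":
    for name, (delta, s) in compare().items():
        print(f"{name:9s} Delta = {delta:.3f}   max |exp sum| = {s:.2f}  (#T = 32)")
```

The interval is a poor sequence in both senses: for $a = 1$ its points cluster in $[0, 32/257]$, so its $\Delta$ is at least $1 - 32/257 \approx 0.875$, and its exponential sum at $c = 1$ is a geometric series of modulus about 31, essentially the trivial bound $\#\mathcal{T} = 32$. The subgroup's exponential sums are Gauss periods, bounded by $(1 + 7\sqrt{257})/8 \approx 14.2$, which is a saving $\gamma \approx 0.44$ in the language of slide 14, and its $\Delta$ comes out strictly smaller than the interval's (the script prints both).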

  14. Using Very Weak Bounds

Shparlinski & Winterhof, 2003: We can amplify it by considering $k$-sums
$$\{ t_1 + \dots + t_k \mid t_1, \dots, t_k \in \mathcal{T} \}.$$
The discrepancy of this sequence:
$$\Delta_k = O\left( \log p \left( \frac{1}{\#\mathcal{T}} \max_{1 \le c \le p-1} \left| \sum_{t \in \mathcal{T}} \exp(2\pi i c t / p) \right| \right)^k \right).$$
Any nontrivial saving $\gamma$ against the trivial bound,
$$\left| \sum_{t \in \mathcal{T}} \exp(2\pi i c t / p) \right| \le \gamma\, \#\mathcal{T},$$
will be raised to the $k$-th power!

  15. Important Example

Konyagin, 1992: For any $1 > \varepsilon > 0$ there exists a constant $c(\varepsilon) > 0$ such that for any subgroup $G \subseteq \mathbb{F}_p^*$ of order
$$T \ge \frac{\log p}{(\log \log p)^{1-\varepsilon}}$$
the bound
$$\max_{\gcd(\lambda, p) = 1} \left| \sum_{r \in G} e_p(\lambda r) \right| \le T \left( 1 - \frac{c(\varepsilon)}{(\log p)^{1+\varepsilon}} \right)$$
holds, where $e_p(z) = \exp(2\pi i z / p)$.
Konyagin & Shparlinski, 1999: For larger subgroups stronger bounds are known.

  16. Modifications to the Algorithm

Choose $t_{11}, \dots, t_{1k}, \dots, t_{d1}, \dots, t_{dk} \in G$ and get integers $u_{ij}$ with
$$\left| \lfloor \alpha t_{ij} \rfloor_p - u_{ij} \right| < p/2^{\ell+1}, \qquad i = 1, \dots, d,\ j = 1, \dots, k.$$
For $i = 1, 2, \dots, d$ we put
$$v_i = \left\lfloor \sum_{j=1}^{k} \lfloor \alpha t_{ij} \rfloor_p \right\rfloor_p, \qquad t_i = \sum_{j=1}^{k} t_{ij}, \qquad u_i = \sum_{j=1}^{k} u_{ij}.$$
The rest of the algorithm remains the same.

  17. Good News: Bit Security of the Diffie–Hellman Key

Diffie–Hellman (DH) problem: Given an element $g$ of order $\tau$ modulo $p$, recover $K = \lfloor g^{xy} \rfloor_p$ from $\lfloor g^x \rfloor_p$ and $\lfloor g^y \rfloor_p$.
Typically, either $\tau = p - 1$ or $\tau = q$, a large prime divisor of $p - 1$.
The size of $p$ and $\tau$ is determined by the present state of the art in the discrete logarithm problem. Typically, $p$ is about 500 bits and $\tau$ is at least 160 bits.
However, after the common DH key $K = g^{xy}$ is established, only a small portion of the bits of $K$ will be used as a common key for some private key cryptosystem.

  18. Assume that finding $K$ is infeasible. Is it still infeasible to find certain bits of $K$?

[Diagram: Private Key | Public Key]

Boneh & Venkatesan, 1996: for $\tau = p - 1$ (− small gap in the proof).
González Vasco & Shparlinski, 2000: for “any” $\tau$ (+ fixing the gap in BV).
YES!!!
Assume we know how to recover the $\ell$ most significant bits of $\lfloor g^{xy} \rfloor_p$ from $X = \lfloor g^x \rfloor_p$ and $Y = \lfloor g^y \rfloor_p$. Select a random $u \in [0, \tau - 1]$ and apply this algorithm to $X = \lfloor g^x \rfloor_p$ and $U = \lfloor Y g^u \rfloor_p = \lfloor g^{y+u} \rfloor_p$:
$$\mathrm{MSB}_{\ell,p}\left( g^{x(y+u)} \right) = \mathrm{MSB}_{\ell,p}\left( g^{xy} g^{xu} \right) = \mathrm{MSB}_{\ell,p}(\alpha t).$$
EHNP with $\alpha = g^{xy}$ and $t = g^{xu}$, $u \in [0, \tau - 1]$!!!
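The whole chain, slide 7's lattice, slide 6's approximate CVP and slide 18's reduction from an MSB oracle for the DH key to an HNP instance, as one added worked example in Python (our own illustration, not code from the slides). Assumptions we make: a toy prime $p = 65537$ with primitive root $g = 3$ (so $\tau = p - 1$), $\ell = 8$ and $d = 6$, a basis scaled by $2^{\ell+1}$ so that every entry is an integer, a textbook LLL followed by Babai's nearest-plane rounding in place of the Lemma 1 algorithm, and an oracle that we simulate with the secret exponent $x$ because no real one exists.

```python
"""Toy Boneh-Venkatesan HNP solver (slides 7 and 9) driven by the DH reduction of slide 18.

Added illustration, not code from the slides: the prime p = 65537 (primitive root g = 3,
so tau = p - 1), the parameters ell = 8 and d = 6, the exact-arithmetic LLL and Babai
routines, and the simulated MSB oracle are all our own constructions."""
from fractions import Fraction
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def gram_schmidt(B):
    """Exact Gram-Schmidt: orthogonal vectors B* and coefficients mu[i][j] for j < i."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu


def lll(B, delta=Fraction(99, 100)):
    """Textbook LLL reduction in exact rationals (adequate for the small dimension used here)."""
    B = [list(row) for row in B]
    n = len(B)
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_{k-1}, ..., b_0
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                mu[k][j] -= q
                for jj in range(j):
                    mu[k][jj] -= q * mu[j][jj]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                              # Lovasz condition holds, move on
        else:
            B[k], B[k - 1] = B[k - 1], B[k]     # swap and step back
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B


def babai_closest(B, target):
    """Babai's nearest-plane rounding on a reduced basis: the approximate CVP of slide 6."""
    Bs, _ = gram_schmidt(B)
    w = [Fraction(x) for x in target]
    for i in range(len(B) - 1, -1, -1):
        c = round(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [a - c * b for a, b in zip(w, B[i])]
    return [int(a - b) for a, b in zip(target, w)]   # target - w is the lattice vector found


def msb(x, p, ell):
    """MSB_{ell,p}(x) as on slide 4: an integer u with |x mod p - u| <= p / 2^(ell+1).
    Constructed choice: the centre of the window of width p >> (ell+1) containing x mod p."""
    x %= p
    w = p >> (ell + 1)
    return x - x % w + w // 2


def solve_hnp(p, ell, samples):
    """Recover alpha from pairs (t_i, MSB_{ell,p}(alpha t_i)) via the lattice of slide 7.
    The basis is scaled by S = 2^(ell+1) so every entry is an integer; the hidden lattice
    vector v = (S * (alpha t_i mod p), ..., alpha) is then close to (S * u_i, ..., 0)."""
    d, S = len(samples), 1 << (ell + 1)
    B = [[p * S if i == j else 0 for j in range(d + 1)] for i in range(d)]
    B.append([S * t for t, _ in samples] + [1])
    target = [S * u for _, u in samples] + [0]
    v = babai_closest(lll(B), target)
    return v[-1] % p      # last coordinate is alpha; (0, ..., 0, p) is also in the lattice


def dh_to_hnp(p, g, x, y, ell, d, rng):
    """Slide 18: queries (X, Y g^u) to an ell-bit oracle for the DH key become HNP samples.
    The attacker holds only X = g^x and Y = g^y; the oracle is simulated here with the
    secret exponent x, which a real oracle would not need."""
    X, Y = pow(g, x, p), pow(g, y, p)
    samples = []
    for _ in range(d):
        u = rng.randrange(p - 1)                 # u in [0, tau - 1] with tau = p - 1
        U = Y * pow(g, u, p) % p                 # U = g^{y+u}, the attacker's second input
        leaked = msb(pow(U, x, p), p, ell)       # oracle answer: MSB of g^{x(y+u)} = alpha * t
        samples.append((pow(X, u, p), leaked))   # t = g^{xu} = X^u, computable from X alone
    return samples


def demo(seed=1):
    """Returns (alpha recovered by the lattice, the true key g^{xy}); they agree."""
    p, g, ell, d = 65537, 3, 8, 6
    rng = random.Random(seed)
    x, y = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    samples = dh_to_hnp(p, g, x, y, ell, d, rng)
    return solve_hnp(p, ell, samples), pow(g, x * y, p)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the recovered $\alpha$ together with $g^{xy}$, and they match: the first $d$ coordinates of the lattice point Babai returns are the scaled remainders $\lfloor \alpha t_i \rfloor_p$ and the last coordinate is $\alpha$ itself (read modulo $p$, since $(0, \dots, 0, p)$ also lies in the lattice). With parameters this small the distance $\|v - u\|$ is several bits below the length of the lattice's other short vectors, which is why plain LLL plus rounding suffices; the choice $\ell \approx d \approx 2\log^{1/2} p$ on slide 9 is what makes the same argument rigorous for cryptographic sizes of $p$.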
