The Diffie–Hellman problem - Mathematics of Public Key Cryptography

Cryptography Reference

In-Depth Information

Proof Let A be a perfect oracle that on input ( g,g a ) outputs the least significant bit of

a<r . In other words, if the binary expansion of a is i = 0 a i 2 i then A outputs a 0 .We

will use A to compute a .

Thefirststepistocall A ( g,h ) to get a 0 . Once this has been obtained we set h =

≤

hg − a 0 .

Then h =

g 2 a 1 + 4 a 2 +··· .Let u

2 − 1

( r

1) / 2(mod r ) and define

( h ) u .

h 1 =

g a 1 + 2 a 2 +···

Then h 1 =

so calling A ( g,h 1 )gives a 1 .For i

2 , 3 ,... compute h i =

( h i − 1 g − a i − 1 ) u and a i =

A ( g,h i ), which computes the binary expansion of a . This reduction

runs in polynomial-time and requires polynomially many calls to the oracle A .

Exercise 21.6.4 Give an alternative proof of Theorem 21.6.3 based on bounding the

unknown a in the range

1) r/ 2 j

a<lr/ 2 j .

( l

−

≤

1) r/ 2 j

a<lr/ 2 j and if

Initially, one sets l

1 and j

0. At step j , if one has ( l

−

≤

1) r/ 2 j + 1

a/ 2 <lr/ 2 j + 1

and if a is odd then (2 j

1) r/ 2 j + 1

a is even then ( l

−

≤

−

≤

r ) / 2 < (2 j

l ) r/ 2 j + 1 . Show that when j

one can compute 2 − j a (mod r )

( a

log 2 ( r )

exactly and hence deduce a .

Exercise 21.6.5 Since one can correctly guess the least significant bit of the DLP with

probability 1/2, why does Theorem 21.6.3 not prove that DLP is easy?

One should also consider the case of a DL-LSB oracle that only works with some

noticeable probability . It is then necessary to randomise the calls to the oracle, but the

problem is to determine the LSB of a given the LSBs of some algebraically related values.

The trick is to guess some u

O (log(1 / ))

O (log(log( r ))) most significant bits of a and

g a where the u most significant bits of a are zero).

One can then call the oracle on h g y for random 0

set them to zero (i.e., replace h by h =

r/ 2 u and take a majority vote

to get the result. For details of the argument see Blum and Micali [ 68 ].

We conclude that computing the LSB of the DLP is as hard as computing the whole

DLP; such bits are called hardcore bits .

≤

−

} ∗ be a function computable in polynomial-time

(i.e., there is some polynomial p ( n ) such that for x

} ∗ →{

Definition 21.6.6 Let f :

{

0 , 1

n one can compute f ( x )inat

∈{

0 , 1

}

{

} ∗ →{

}

most p ( n ) bit operations). A function b :

is a hardcore bit or hardcore

predicate for f if, for all probabilistic polynomial-time algorithms A ,the advantage

Adv x ∈{ 0 , 1 } n A ( f ( x ))

0 , 1

b ( x )

is negligible as a function of n .

We now give some candidate hardcore predicates for the DLP. We also restate the

meaning of hardcore bit for functions defined on

} ∗ .

{

0 , 1 ,...,r

−

}

rather than

{

0 , 1

Mathematics of Public Key Cryptography

Search WWH ::

Custom Search

Home