Dlog is Practically as Hard (or Easy) as DH - Solving Dlogs via DH Oracles on EC Standards

Alexander May, C. Schneider
{"title":"Dlog is Practically as Hard (or Easy) as DH - Solving Dlogs via DH Oracles on EC Standards","authors":"Alexander May, C. Schneider","doi":"10.46586/tches.v2023.i4.146-166","DOIUrl":null,"url":null,"abstract":"Assume that we have a group G of known order q, in which we want to solve discrete logarithms (dlogs). In 1994, Maurer showed how to compute dlogs in G in poly time given a Diffie-Hellman (DH) oracle in G, and an auxiliary elliptic curve ˆÊ (Fq) of smooth order. The problem of Maurer’s reduction of solving dlogs via DH oracles is that no efficient algorithm for constructing such a smooth auxiliary curve is known. Thus, the implications of Maurer’s approach to real-world applications remained widely unclear.In this work, we explicitly construct smooth auxiliary curves for 13 commonly used, standardized elliptic curves of bit-sizes in the range [204, 256], including e.g., NIST P-256, Curve25519, SM2 and GOST R34.10. For all these curves we construct a corresponding cyclic auxiliary curve ˆÊ(Fq), whose order is 39-bit smooth, i.e., its largest factor is of bit-length at most 39 bits.This in turn allows us to compute for all divisors of the order of ˆÊ(Fq) exhaustively a codebook for all discrete logarithms. As a consequence, dlogs on ˆÊ(Fq) can efficiently be computed in a matter of seconds. Our resulting codebook sizes for each auxiliary curve are less than 29 TByte individually, and fit on our hard disk.We also construct auxiliary curves for NIST P-384 and NIST P-521 with a 65-bit and 110-bit smooth order.Further, we provide an efficient implementation of Maurer’s reduction from the dlog computation in G with order q to the dlog computation on its auxiliary curve ˆÊ (Fq). Let us provide a flavor of our results, e.g., when G is the NIST P-256 group, the results for other curves are similar. With the help of our codebook for the auxiliary curve Ê(Fq), and less than 24,000 calls to a DH oracle in G (that we simulate), we can solve discrete logarithms on NIST P-256 in around 30 secs.From a security perspective, our results show that for current elliptic curve standards< the difficulty of solving DH is practically tightly related to the difficulty of computing dlogs. Namely, unless dlogs are easy to compute on these curves G, we provide a very concrete security guarantee that DH in G must also be hard. From a cryptanalytic perspective, our results show a way to efficiently solve discrete logarithms in the presence of a DH oracle.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"1 1","pages":"539"},"PeriodicalIF":0.0000,"publicationDate":"2023-08-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tches.v2023.i4.146-166","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Assume that we have a group G of known order q, in which we want to solve discrete logarithms (dlogs). In 1994, Maurer showed how to compute dlogs in G in poly time given a Diffie-Hellman (DH) oracle in G, and an auxiliary elliptic curve ˆÊ (Fq) of smooth order. The problem of Maurer’s reduction of solving dlogs via DH oracles is that no efficient algorithm for constructing such a smooth auxiliary curve is known. Thus, the implications of Maurer’s approach to real-world applications remained widely unclear.In this work, we explicitly construct smooth auxiliary curves for 13 commonly used, standardized elliptic curves of bit-sizes in the range [204, 256], including e.g., NIST P-256, Curve25519, SM2 and GOST R34.10. For all these curves we construct a corresponding cyclic auxiliary curve ˆÊ(Fq), whose order is 39-bit smooth, i.e., its largest factor is of bit-length at most 39 bits.This in turn allows us to compute for all divisors of the order of ˆÊ(Fq) exhaustively a codebook for all discrete logarithms. As a consequence, dlogs on ˆÊ(Fq) can efficiently be computed in a matter of seconds. Our resulting codebook sizes for each auxiliary curve are less than 29 TByte individually, and fit on our hard disk.We also construct auxiliary curves for NIST P-384 and NIST P-521 with a 65-bit and 110-bit smooth order.Further, we provide an efficient implementation of Maurer’s reduction from the dlog computation in G with order q to the dlog computation on its auxiliary curve ˆÊ (Fq). Let us provide a flavor of our results, e.g., when G is the NIST P-256 group, the results for other curves are similar. With the help of our codebook for the auxiliary curve Ê(Fq), and less than 24,000 calls to a DH oracle in G (that we simulate), we can solve discrete logarithms on NIST P-256 in around 30 secs.From a security perspective, our results show that for current elliptic curve standards< the difficulty of solving DH is practically tightly related to the difficulty of computing dlogs. Namely, unless dlogs are easy to compute on these curves G, we provide a very concrete security guarantee that DH in G must also be hard. From a cryptanalytic perspective, our results show a way to efficiently solve discrete logarithms in the presence of a DH oracle.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Dlog实际上和DH一样难(或容易)——在EC标准上通过DH oracle解决Dlog
假设我们有一个已知阶数为q的群G,我们想在其中求解离散对数(dlog)。1994年,Maurer在给定G中的Diffie-Hellman (DH) oracle和光滑阶的辅助椭圆曲线- Ê (Fq)的情况下,展示了如何在多时间内计算G中的log。Maurer通过DH预言机求解log的约简问题是,没有有效的算法来构造这样一个光滑的辅助曲线。因此,Maurer的方法对实际应用的影响仍然很不清楚。在这项工作中,我们明确地构建了13条常用的、位大小的标准化椭圆曲线的光滑辅助曲线,范围为[204,256],包括NIST P-256、Curve25519、SM2和GOST R34.10。对于所有这些曲线,我们构造了相应的循环辅助曲线- Ê(Fq),其阶数为39位光滑,即其最大因子的位长最多为39位。这反过来又使我们能够为所有离散对数详尽地计算出所有≥Ê(Fq)阶的因数的码本。因此,可以在几秒钟内有效地计算出@ Ê(Fq)上的日志。我们得到的每个辅助曲线的码本大小分别小于29 TByte,并且适合我们的硬盘。我们还以65位和110位的平滑顺序为NIST P-384和NIST P-521构建了辅助曲线。此外,我们提供了一种有效的实现,从G中阶为q的dlog计算到其辅助曲线上的dlog计算- Ê (Fq)。让我们提供一下我们的结果,例如,当G是NIST P-256组时,其他曲线的结果是相似的。在辅助曲线Ê(Fq)的代码本的帮助下,在G中对DH oracle的调用少于24000次(我们模拟的),我们可以在大约30秒内解决NIST P-256上的离散对数。从安全的角度来看,我们的研究结果表明,对于目前的椭圆曲线标准,求解DH的难度实际上与计算log的难度密切相关。也就是说,除非在这些曲线G上的log很容易计算,否则我们提供了一个非常具体的安全保证,即G中的DH也必须是硬的。从密码分析的角度来看,我们的结果显示了一种在存在DH oracle的情况下有效解决离散对数的方法。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Synchronous Distributed Key Generation without Broadcasts Optimizing and Implementing Fischlin's Transform for UC-Secure Zero-Knowledge A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers Efficient isochronous fixed-weight sampling with applications to NTRU Decentralized Multi-Client Functional Encryption with Strong Security
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1