Generic Hardness of the Multiple Discrete Logarithm Problem

Transcription

1 Generc Hardness of the Multple Dscrete Logarthm Problem Aaram Yun Ulsan Natonal Insttute of Scence and Technology (UNIST) Republc of Korea Abstract. We study generc hardness of the multple dscrete logarthm problem, where the solver has to solve n nstances of the dscrete logarthm problem smultaneously. There are known generc algorthms whch perform O( np) group operatons, where p s the group order, but no generc lower bound was known other than the trval bound. In ths paper we prove the tght generc lower bound, showng that the prevously known algorthms are asymptotcally optmal. We establsh the lower bound by studyng hardness of a related computatonal problem whch we call the search-by-hyperplane-queres problem, whch may be of ndependent nterest. Keywords: multple dscrete logarthm, search-by-hyperplane-queres, generc group model 1 Introducton Multple Dscrete Logarthm Problem. Let G be a cyclc group of order p, where p s prme, and let g be a generator of G. Then the Dscrete Logarthm (DL) problem s defned as follows: gven (G, p, g, g α ) for a unform random α $ Z p, fnd out α. Smlarly, the Multple Dscrete Logarthm (MDL) problem s defned as follows: gven (G, p, g, g α 1,..., g αn $ ), for ndependently chosen unform random elements α 1,..., α n Z p, fnd out α = (α 1,..., α n ). The dscrete logarthm problem (and related varants lke the Dffe-Hellman problem) s used for many cryptographc constructons and ts hardness was studed wdely. On the other hand, as far as we know, there are no cryptographc constructons whose securty s based on the multple dscrete logarthm problem. Stll, the multple dscrete logarthm problem s relevant n the context of standard curves n the ellptc curve cryptography. Snce generatng good ellptc curves s rather computatonally expensve, some standards lke NIST s FIPS 186 [1] recommend usng a few standard curves to nstantate cryptographc schemes. Hence, n such a settng, we naturally have to consder the multple dscrete logarthm problem. Htchcock et al. [7] analyzed effcency of algorthms solvng the multple dscrete logarthm problem to see how usng such a standard curve affects securty. Moreover, some cryptographc constructons requre a user to solve small dscrete logarthm problems: ether the group order p s small, or the exponent α s chosen from a small subset I Z p. One such example s the Boneh-Goh-Nssm homomorphc encrypton [5], where n order to decrypt a cphertext, a user has to frst compute g m from the gven cphertext and then solve the dscrete logarthm to recover the message m. Another example s the Maurer-Yacob dentty-based encrypton [10]. Ther constructon uses a trapdoor dscrete logarthm group, where the dscrete logarthm problem s feasble to a user who has the trapdoor nformaton, whle hard for those who do not. They acheve ths by usng a composte-order group, and then the trapdoor nformaton s the factorzaton of the group order. A user who

2 has the factorzaton can solve DL on small groups so the dscrete logarthm problem s feasble, but an adversary has to solve the DL problem n a large group. For these cases, effcent algorthms for solvng DL s crucal, and for example, Lee, Cheon, and Hong [9] and Bernsten and Lange [] showed how to speed up the soluton of the dscrete logarthm problem va precomputaton. When consdered as a whole, these become algorthms for solvng the multple dscrete logarthm problem. Generc Group Model. In general, hardness of a cryptographc problem based on a group does not depend solely on the somorphsm class of the underlyng group. For example, whle we beleve that, f we carefully choose an ellptc curve and a subgroup G of prme order p on t, then the dscrete logarthm problem on G would be dffcult, we also know that the same problem s trval on the addtve group Z p whch s nonetheless somorphc to G. What s mportant s how the same somorphsm class s encoded to a concrete representaton. When ξ : Z p {0, 1} t s an njectve functon, we say that ξ s an encodng of the group Z p. In such a case, we may defne G := ξ(z p ), and make G nto a group by gvng G the unque group structure nduced from the bjecton ξ : Z p G. Conversely, we can see that any concrete cyclc group wth prme order p should come from such an encodng ξ : Z p {0, 1} t together wth functons µ : {0, 1} t {0, 1} t {0, 1} t, ι : {0, 1} t {0, 1} t such that µ G G and ι G gve multplcaton and nverson on G, respectvely. Also, a sophstcated algorthm may analyze and explot structures of such an encodng to solve group-based computatonal problems. Naturally, such an algorthm s specfc to that partcular encodng. On the other hand, there are many generc algorthms whch are agnostc to the partcular encodng used. One such example s the Baby-Step-Gant-Step algorthm for solvng the dscrete logarthm problem: BSGS algorthm does not assume anythng about the group encodng, except that t s ndeed a group encodng, therefore t works for any cyclc group, even though better algorthms exst for some specfc groups. Generc hardness of a cryptographc problem, that s, hardness aganst such generc algorthms, was studed for many group-based cryptographc problems. Whle a proof of generc hardness cannot really replace serous cryptanalyss for such a problem, at least t serves as a santy check, n the sense that f a problem can be solved effcently even by a generc algorthm, certanly one cannot base cryptographc constructons on such an easy problem. Also, for example on ellptc curves, so far no better non-generc algorthms are known. To analyze such generc algorthms, the generc group model was proposed by Nechaev and Shoup [11, 1]. In the generc group model, to ensure that a generc algorthm cannot explot the encodng of a group, a random encodng, an encodng ξ : Z p {0, 1} t whch s unform randomly chosen from the set of all njectons Z p {0, 1} t, s used. Snce n such a case we cannot expect any effcent algorthms for group laws, the group laws are gven by oracles: the algorthm makes oracle queres by gvng encodngs of group elements lke ξ(α), ξ(β), and the oracle returns the result of multplcaton or dvson of these elements n encoded form. In the generc group model, we consder the query complexty of an algorthm to measure ts effcency. Generc Algorthms for DL and MDL Problems. Shoup [1] analyzed generc hardness of the dscrete logarthm problem. He showed that any generc DL solver whch makes at most q queres to the group law oracles has the success probablty at most O(q /p). In other words,

3 any generc DL solver wth some constant success probablty should make at least Ω( p) queres. As explaned before, there are generc algorthms for DL wth asymptotcally tght matchng upper bounds. The Baby-Step-Gant-Step algorthm s an example, and Pollard s rho algorthm s another. Both algorthms perform O( p) group operatons. And ths gves us a trval generc algorthm for solvng MDL: smply repeat such an asymptotcally optmal generc algorthm n tmes, where n s the total number of DL nstances. The total complexty would be O(n p). In fact, there s a better generc algorthm for MDL. Kuhn and Struk [8] extended Pollard s rho to a generc algorthm solvng MDL. Ther algorthm performs O( np) group operatons. On the other hand, as far as we know, precse generc hardness of MDL s not known. Clearly, solvng n DL nstances would be at least as hard as solvng one sngle DL nstance, therefore Shoup s lower bound Ω( p) apples here. Kuhn and Struk [8] conjectured that the tght lower bound would be Ω( np), but ths has never been proved yet. Ths means that even the hghly mprobable possblty of a generc algorthm solvng n DL nstances wthn O( p), ndependent of n, s not yet elmnated! Perhaps one reason for ths stuaton mght be that, most of the prevous results on generc hardness of cryptographc problems were based solely on the standard technque also orgnated from Shoup [1]: nstead of choosng the hdden exponents (for example, α 1,..., α n n the MDL) at the begnnng, the game s modfed so that the exponents are chosen at the end of the game, and all responses to the group law queres are made wth respect to polynomals of those exponents, where the undetermned exponents are consdered as unknown varables. In ths modfed game, usually t s straghtforward to show that the solver has only small probablty of wnnng. The proof also has to analyze the dfference between the two games, but when the number of queres s not too large, t s possble to show that the dfference s agan small, by usng the Schwartz-Zppel lemma. In other words, ths technque formalzes the followng ntuton: as long as the number of queres s not too large, nterestng thngs rarely happen, not much useful nformaton s revealed to the solver, and the solver cannot perform well. Despte the smplcty and genercty, ths technque was hghly effectve, beng able to establsh asymptotcally tght lower bounds for problems lke the dscrete logarthm problem [1], the Dffe-Hellman problem [1], the strong Dffe-Hellman problem [3], the decson lnear problem [4], and many others. On the other hand, for the stuaton of MDL, we do consder cases where the solver makes queres more than the Shoup bound p. Therefore, a solver does obtan some nontrval nformaton, and Shoup s technque breaks down. In order to establsh a nontrval lower bound for MDL, a more careful analyss of the problem s needed. In ths paper, we show that the conjecture of Kuhn and Struk s ndeed correct: any generc algorthm solvng MDL wth constant success probablty should make at least Ω( np) queres to the group law oracles. Search-by-Hyperplane-Queres Problem. To crcumvent the lmtaton of Shoup s technque, we establsh the generc lower bound of MDL by analyzng a closely related problem, whch we call Search-by-Hyperplane-Queres (SHQ) problem. In the SHQ problem, a unform random pont α = (α 1,..., α n ) of the n-dmensonal affne space Z n p s hdden, and the goal of the solver s to fnd the pont α. Of course, the success probablty of any unaded solver s at most 1/p n. Therefore, we allow any solver to make adaptve hyperplane queres. Recall that 3

4 an affne hyperplane H Z n p can be descrbed by an equaton of form a 1 X a n X n = b, where a 1,..., a n, b Z p. A hyperplane query s asked by specfyng a hyperplane H va the coeffcents a 1,..., a n, b, and the ntended meanng of the query s s α H? A SHQ solver may make a seres of adaptve hyperplane queres, and use the nformaton ganed by such queres to fnd the hdden pont α. We are gong to show that any SHQ solver whch makes at most q hyperplane queres has success probablty at most O((eq/np) n ), where e s the base of the natural logarthm. Therefore, any SHQ solver wth some constant success probablty should make Ω(np) queres. Then, we are gong to show that ths lower bound for the SHQ problem mples the Ω( np) lower bound for the MDL problem. Snce the SHQ problem looks nterestng by tself, we also analyze the worst-case verson of the SHQ problem, and show that any worst-case SHQ solver has to make at least n(p 1) queres. Ths s a tght lower bound; there s a correspondng solver realzng the bound. Moreover, we also analyze another varant of the worst-case verson where a solver s allowed to output a lst L whch contans the correct answer α, nstead of unquely dentfyng the correct soluton. We agan establsh a tght lower bound for ths verson. Multple Dscrete Logarthm Problem n the Generc Group Model.1 Generc Group Model Let p be a prme number, and let ξ : Z p {0, 1} t be a random encodng of Z p, that s, a unform randomly chosen functon among all njectve functons of form Z p {0, 1} t for some t satsfyng t log p. We defne the group law oracle µ as the oracle satsfyng the followng: µ(b, ξ(α), ξ(β)) = ξ(α + ( 1) b β mod p), where b {0, 1} s a bt ndcatng whether multplcaton or dvson s ntended. In the generc group model, we consder the generc algorthm, whch s a probablstc algorthm A to whch s ntally gven a lst of group elements ξ(β 1 ),..., ξ(β k ), encoded by the random encodng ξ. Also, whle runnng, the algorthm A can make group law queres to the oracle µ. Fnally A halts wth an output. Note that ξ s never explctly gven to A, but only mplctly va the ntal nput and the group law oracles.. Multple Dscrete Logarthm Problem Let G be a cyclc group of order p, where p s prme, and let g be a generator of G. Also, let n be an nteger. We requre that n = o(p): formally, we consder a famly of such numbers, so that there s a man parameter λ, and both n and p are functons of λ, and n(λ)/p(λ) 0, as λ. Then we may defne the Multple Dscrete Logarthm (MDL) problem as: Gven (G, p, g, g α 1,..., g αn $ ), fnd out (α 1,..., α n ), where α 1,..., α n Z p are ndependently chosen unform random elements. We consder the MDL problem n the generc group model. Hence, for a generc algorthm A, we defne Adv mdl p,n (A), the advantage of A n solvng the MDL problem as Adv mdl p,n (A) = Pr[A µ (p, ξ(1), ξ(α 1 ),..., ξ(α n )) = (α 1,..., α n )], 4

5 where the probablty s over the random choce of ξ, α 1,..., α n, and the nternal randomness of A. For any generc MDL solver A, let us say that A solves MDL wth constant advantage f there exsts some constant c > 0 such that for any value of the parameter λ. Adv mdl p,n (A) c, Remark 1. We remark that the condton n = o(p) we mpose here s rather natural. It s reasonable to assume that n, the number of DL nstances n consderaton, s polynomally bounded, so n = o(p) holds f p s exponentally large. But the condton s much less demandng than that. It may hold even when p s not exponentally large n comparson wth n, for example, when n = Θ(λ) and p = Θ(λ ), or when n = Θ(1) and p = Θ(λ). Remark. Whle we may extend our examnaton of MDL solvers to nclude those wth nonneglgble success probablty, that would complcate the relatonshp between n, p, and the number of queres, snce a solver may make trade-offs between the number of queres and the success probablty. In fact, we may amplfy any such non-neglgble probablty to a constant probablty wth slowdown by at most a polynomal factor. So, standardzng ths trade-off by nsstng some constant success probablty s reasonable, and ths approach s adopted by many authors, ncludng Shoup [1]. 3 Search-by-Hyperplane-Queres Problem In ths secton, we descrbe the Search-by-Hyperplane-Queres (SHQ) problem. Let p be a prme number and Z n p be the n-dmensonal affne space over the fnte feld Z p. As n the MDL problem, we assume that n = o(p). 1 Let X 1,..., X n be the canoncal coordnate functons of Z n p. Then, an affne hyperplane H n Z n p can be wrtten by a formula of form a 1 X a n X n = b for some a 1,..., a n, b Z p, wth a 0 for some. Sometmes we represent such a hyperplane H by the lnear expresson a 1 X a n X n b, or even smply by the tuple (a 1,..., a n, b). Let α Z n p be a pont n the affne space. We defne H( α, H) := { 1 f α H, 0 otherwse. The SHQ problem s as follows: pck a unform random pont α of Z n p. The goal of the problem s to correctly guess the hdden pont α. Wthout anythng else, the probablty of correct guess s p n. Therefore, up to some q adaptve hyperplane queres are allowed: a solver for ths problem s allowed to submt up to q hyperplane queres H 1,..., H q adaptvely, and for each such query, the result H( α, H ) s gven. In other words, the solver s gven the hyperplane query oracle H( α, ). For a SHQ solver A, we defne Adv shq p,n(a), the advantage of A n solvng SHQ, as Adv shq p,n(a) = Pr[A H( α, ) (p, n) = α], 1 In fact, for SHQ we only requre p n = o(1), whch s mpled by the gven condton. 5

6 where the probablty s over the random choce of α and the nternal randomness of A. For any SHQ solver A, let us say that A solves SHQ wth constant advantage f there exsts some constant c > 0 such that for any value of the parameter λ. Adv shq p,n(a) c, Worst-Case SHQ. We may also consder the worst-case verson of the SHQ problem: nstead of searchng for the unform randomly chosen α wth constant advantage, the worst-case SHQ problem s to fnd any nstance α Z n p. Formally, we say that a generc algorthm A solves SHQ n the worst case wthn q queres, f for any α Z n p, A H( α, ) (p, n) always outputs α after at most q queres. Example 1 (Brute-force solver). Here we exhbt a very smple, brute-force SHQ solver. We dentfy Z p wth {0, 1,..., p 1}, and consder hyperplanes of form X = j, where = 1,..., n, and j = 1,..., p 1. There are total n(p 1) such hyperplanes, and we see that non-adaptve hyperplane queres for these q := n(p 1) hyperplanes are enough to correctly fnd any α: let α = (α 1,..., α n ). For any, f H( α, X = j) = 1 for some j = 1,..., p 1, then α = j. On the other hand, f H( α, X = j) = 0 for all j = 1,..., p 1, then clearly α = 0. So n ths way the brute-force solver completely determnes all coordnates of α. Whle the above brute-force solver looks very trval, t turns out that t s actually optmal, by Theorem at Secton 5. 4 Relatonshp Between the Two Problems In ths secton, we show that MDL and SHQ are closely related, and any hardness result for SHQ mmedately produces a hardness result for MDL. Theorem 1. Let A be any generc MDL solver whch makes at most q queres. Then, usng A, t s possble to construct a SHQ solver B whch makes at most (q +n)(q +n+1)/ queres, and satsfyng Adv shq p,n(b) Adv mdl p,n (A). Proof. We descrbe how B works. Frst B receves (p, n) as the nput, and B also has access to the oracle H( α, ), for a unform randomly chosen α = (α 1,..., α n ) $ Z n p. For convenence, let us defne α 0 := 1. The solver B has to smulate a random encodng ξ : Z p {0, 1} t for A. To do ths, B mantans two sequences, {s } and {L }, where s {0, 1} t are random btstrngs generated by B and gven to A as smulated output of the encodng functon ξ, and L are lnear functons of form L (X 1,..., X n ) = a 1 X a n X n + b Z p [X 1,..., X n ]. The dea s to smulate the random encodng ξ, by pretendng s = ξ(l ( α)) for (s, L ) T. $ Intalzaton: Here B prepares the smulaton of the ntal nput to A: B chooses s 0 {0, 1} t, and defnes L 0 := 1. Next, B chooses s 1,..., s n recursvely as follows: when choosng s, f there s some j < wth H( α, X = X j ) = 1 then B pcks smallest such j and $ defnes s := s j. Otherwse, B chooses s {0, 1} t \ {s 0,..., s 1 }. And, L s defned as X. Let ctr be n. Fnally, B runs A(p, s 0, s 1, s,..., s n ). 6

7 Queres: when A makes a query µ(b, s, s j ) for some 0, j ctr and b {0, 1}, B ncrements ctr ctr + 1, then defnes s ctr and L ctr as follows: L ctr s smply defned as L + ( 1) b L j. Now, f there s k < ctr wth H( α, L ctr = L k ) = 1, then B pcks the smallest $ such k and defnes s ctr := s k. Otherwse, B randomly pcks s ctr {0, 1} t \{s 0,..., s ctr 1 }. Fnally, B returns s ctr as the answer to the query. Output: eventually, A halts wth output β = (β 1,..., β n ) Z n p. B then also outputs β and halts. Now, let us analyze the SHQ solver B. At the ntalzaton phase, B can choose s after makng hyperplane queres; so B makes n = n(n + 1)/ hyperplane queres up to ths pont. Smlarly, to determne s ctr, B has to make ctr hyperplane queres. In total, the number of hyperplane queres B makes s bounded by n(n + 1) Next we have to show that + n+q ctr=n+1 ctr = n(n + 1) + nq + q(q + 1) = n + n + q + q + nq (q + n)(q + n + 1) =. Adv shq p,n(b) Adv mdl p,n (A). In fact, we wll show that Adv shq p,n(b) = Adv mdl p,n (A). For ths, we need only to show that the smulated nput (p, s 0, s 1,..., s n ) gven to A has the same dstrbuton as n the orgnal generc MDL problem, and also the smulated group law oracle has the same dstrbuton as n the orgnal generc MDL problem. Let ξ : Z p {0, 1} t be a random encodng, and let s := ξ(α ) for = 0, 1,..., n, and let s n+1, s n+,... be the sequence of btstrngs whch would be gven as the answers to the oracle queres made by A, when A s engaged n the real MDL game wth ξ. Fnally, let α := ξ 1 (s ) for = n + 1, n +,.... Then, we need only to show the followng: the random varables s ctr and s ctr are dentcally dstrbuted for any ctr {1,..., q + n}, condtoned on the event that s = s and α = L ( α), for all = 0, 1,,..., ctr 1. Let us prove ths only for ctr > n: the case for s 0,..., s n can be done smlarly. Suppose that the group law query of A s µ(b, s, s j ) when determnng the btstrng s ctr. Then, s ctr s easy to compute: s = ξ(α ), s j = ξ(α j), so s ctr = ξ(α + ( 1) b α j ). Also, α ctr = ξ 1 (s ctr) = α + ( 1) b α j = L ( α) + ( 1) b L j ( α) = (L + ( 1) b L j )( α) = L ctr ( α). We need to compare ths s ctr wth s ctr computed by the algorthm B. $ When there s no k < ctr wth H( α, L ctr = L k ) = 1: n ths case, we have s ctr {0, 1} t \ {s 0,..., s ctr 1 }. But, ths means that L ctr ( α) L k ( α), that s, α ctr α k for k = 0,..., ctr 1. So s = ξ(α ctr) s unformly dstrbuted on {0, 1} t \ {ξ(α 0 ),..., ξ(α ctr 1 )}. Snce s = s = ξ(α ) by assumpton, we see that s ctr and s ctr are dentcally dstrbuted n ths case. Here we may assume that µ never makes group law queres usng btstrngs outsde of s, because B may ensure that A can guess btstrngs n ξ(z p) only wth neglgble probablty, by suffcently enlargng the bt length t. 7

8 Otherwse: let k be the smallest ndex such that H( α, L ctr = L k ) = 1. Then s ctr s defned to be s k. On the other hand, ths means that L ctr ( α) = L k ( α), n other words α ctr = α k, so s ctr = ξ(α ctr ) = ξ(α k ) = s k. Snce we have s k = s k by assumpton, we see that s ctr and s k are n fact the same n ths case. Hence, n both cases, we see that s ctr and s ctr are dentcally dstrbuted. Therefore the theorem follows. 5 Query Complexty of the SHQ Problem In ths secton, we analyze the complexty of the SHQ problem. In fact, we are gong to analyze both the worst-case verson and the average-case verson. 5.1 Useless Queres One crucal noton that we are gong to use s that of useless queres. Let us defne a hyperplane query H useless, f t s possble to know that the return value H( α, H) should be 1 before makng the query, based on the return values for the prevous hyperplane queres made: for example, f the solver A prevously made a query H and receved the answer H( α, H) = 1, then makng the same query H agan wll defntely gve the same answer 1. Another example s that, f A prevously made p 1 queres X 1 = j for j = 1,..., p 1 and receved answer H( α, X 1 = j) = 0 for all j = 1,..., p 1, then A can deduce that H( α, X 1 = 0) = 1, so the hyperplane query X 1 = 0 s useless. In general, suppose so far A made q = r + s hyperplane queres H 1,..., H r, H 1,..., H s, and assume that H( α, H ) = 1 for = 1,..., r, and H( α, H j ) = 0 for j = 1,..., s. Then the nformaton gven by the answers to the queres s exactly r s α H \ H j. Hence, we may formally defne a hyperplane query H made at ths pont as useless f r H \ j=1 s H j H. j=1 If a query H s not useless, we call t useful. Note that t s possble to determne f H s useless or not algorthmcally. Snce we only consder the query complexty of solvers, ths does not even have to be effcent. Remark 3. Whle t s possble to extend the defnton of useless queres to nclude all queres whch are destned to return 0 as the answer, we choose not to. Ths s because later we want to force a solver to make exactly q useful queres. So f a solver does not make enough queres, then we modfy t to make addtonal useful queres. In fact, we modfy a solver to make addtonal queres whch are destned to return 0, whch would all be useful accordng to our current defnton. 8

9 5. Worst-Case SHQ Theorem. Any worst-case SHQ solver should make at least n(p 1) queres. Proof. Let A be a worst-case SHQ solver. We show that, wthout loss of generalty, we may assume that A never asks useless queres. Suppose that A s a solver whch may ask useless queres. Then, we construct a solver B as follows: B runs A nternally, and eventually outputs A s output. When A asks a hyperplane query H, B frst determnes f t s useless or not. If t s useless, then B reples wth 1. If t s useful, then B makes the same oracle query, receves the answer bt b, and returns the same bt b to the solver A. So, B s a worst-case SHQ solver whch makes no more queres than A, and B also does not make any useless queres. If we show ths theorem for B, then the result for A mmedately follows. Now, let A be a worst-case SHQ solver whch never makes useless queres. Suppose that A makes at most q queres, and q < n(p 1). Let H 1, H,..., H q be the affne hyperplanes quered by A, represented by lnear equatons: let H (X 1,..., X n ) = a 1 X a n X n b. Then we show that q H p n. Frst, we cannot have that q H = p n ; n ths case, we have q H = Z n p, so q 1 Z n p \ H H q, whch shows that the last query H q s useless. Next, suppose that q H = p n 1. Let Z n p \ q H, whch s a sngleton, be { β = (β 1,..., β n )}. Then, we defne F Z p [X 1,..., X n ] as F (X 1,..., X n ) := q (a 1 (X 1 + β 1 ) + + a n (X n + β n ) b ). We can easly see that deg(f ) = q < n(p 1), F ( 0) 0, and F ( x) = 0 for any x 0, whch contradcts Theorem 1.8 of Bruen [6], whch we quote as Theorem 3 below. Therefore, whenever q < n(p 1), there should be at least two ponts β γ Z n p whch are not on q H. Ths allows us to use the standard adversary argument aganst A: for any such SHQ solver A, whenever A asks a hyperplane query H, answer wth 0. In the end, f A outputs β, pretend that α = γ, and f A outputs any pont other than β, pretend that α = β. Ths shows that A n general does not solve the worst-case SHQ problem. Therefore, q should be at least n(p 1) f A s any worst-case SHQ solver. Theorem 3 (Theorem 1.8 of [6]). Let F n Z p [X 1,..., X n ] satsfy the followng condtons. 1. F ( 0) 0. F ( x) = 0 f x 0 Then deg(f ) n(p 1). For the proof of Theorem 3, we refer to [6]. 9

10 5.3 Worst-Case SHQ wth Uncertanty Theorem shows that the brute-force SHQ solver gven n Example 1 s actually optmal n that, f any algorthm A makes at most q < n(p 1) queres, then A s not a worst-case SHQ solver: there are nstances where A cannot fnd the correct answer. Therefore, f an algorthm A makes at most q < n(p 1) queres, then the best A could do mght be to output a lst L whch contans the correct soluton α, nstead of unquely dentfyng the correct soluton. For such an algorthm, let us call L the uncertanty. We call an algorthm A as the worst-case SHQ solver wth uncertanty level u, f A always outputs a lst L contanng the correct soluton α, and L u. The solver n Example 1 can easly be modfed to output such a lst, even when q < n(p 1): let q = r(p 1) + s for some r, s Z wth 0 s < p 1. the solver makes r(p 1) hyperplane queres of form H( α, X = j) for = 1,..., r, j = 1,..., p 1, to completely determne α 1,..., α r, and makes addtonal s queres of form H( α, X r+1 = j) for j = 1,..., s. If H( α, X r+1 = j) = 1 for some j, then the brute-force solver knows α 1,..., α r, α r+1, and so t outputs the lst L consstng of ponts (α 1,..., α r+1, β r+,..., β n ), for (β r+,..., β n ). On the other hand, f none of the s queres return 0, then t outputs the lst L consstng of ponts (α 1,..., α r, γ, β r+,..., β n ), Z n r 1 p where γ {1,..., s} and (β r+,..., β n ) Zp n r 1. Therefore, L (p s)p n r 1 n both cases. So, the brute-force SHQ solver can be consdered as a worst-case SHQ solver wth uncertanty level u = (p s)p n r 1. The queston s, can we fnd a SHQ solver wth the same q but smaller uncertanty level? We show that the brute-force solver s stll optmal even n ths context: Theorem 4. Let A be a worst-case SHQ solver wth uncertanty level u. Suppose A makes at most q hyperplane queres, and let q = r(p 1) + s wth 0 s < p 1. Then, u should be at least (p s)p n r 1. Proof. Agan we may assume that A never makes useless queres. Let H 1, H,..., H q be the affne hyperplanes quered by A, represented by lnear equatons: let Then, we smply defne F Z p [X 1,..., X n ] as H (X 1,..., X n ) = a 1 X a n X n b. F (X 1,..., X n ) := q H (X 1,..., X n ). Let Z(F ) Z n p be the set of β Z n p such that F ( β) = 0. Clearly, Z(F ) = q H. Snce A never makes useless queres, q H Z n p, as n Theorem. Then, by Theorem 3.6 of Sorensen [13] whch we quote as Theorem 5 below, we have q H p n (p s)p n r 1. Now, suppose that A s a solver wth uncertanty level u < (p s)p n r 1. Then, we can use the standard adversary argument as follows: for any query H of A, reply wth 0. Let L 10

11 be the fnal output of A. Snce H p n (p s)p n r 1 and L < (p s)p n r 1, we have q L H < p n, hence there exsts some α Z n p such that α L ( H ). Ths shows that wth respect to ths partcular α, the answer 0 to all the queres was consstent, and despte ths α L, contradctng that A s a worst-case solver wth uncertanty level u. Therefore, for any such solver A, u should be at least (p s)p n r 1. The proof of Theorem 4 reles on the followng Theorem 5, whch estmates the number of ratonal ponts on codmenson-1 algebrac sets. Theorem 5 (Theorem 3.6 of [13]). Let F Z p [X 1,..., X n ] be a polynomal of degree q, wth q n(p 1). Let q = r(p 1) + s, 0 s < p 1, and let Z(F ) denote the number of zeros of F n Z n p. Then, Z(F ) = p n or Z(F ) p n (p s)p n r 1. For the proof of Theorem 5, we refer to [13]. 5.4 Average-Case SHQ Now let us return to the average-case SHQ, whch s related to MDL. Theorem 6. Let A be any SHQ solver whch makes at most q hyperplane queres. Then, Adv shq p,n(a) 1 p n n =0. Proof. Let A be a SHQ solver whch makes at most q hyperplane queres. We are gong to argue that we may safely assume that A satsfes certan propertes. Frst, usng essentally the same argument as n Theorem, WLOG we may assume that A never makes useless queres. Second, we may also assume that A makes exactly q (useful) queres: f A s a SHQ solver never makng useless queres, then we defne a SHQ solver B as follows: B ntalzes a counter ctr 0, runs A nternally, and whenever A makes a query H, then B makes the same query, receves the answer bt b, then returns the bt b to the solver A, and ncrements the counter: ctr ctr + 1. Eventually, A wll halt wth an output α. Snce ctr counts the number of hyperplane queres made by A, we have ctr q. Then B makes q ctr addtonal hyperplane queres whch are not useless as follows: n case there was at least one hyperplane query H made by A wth 0 as the answer, all of the q ctr remanng queres made by B wll be H: surely ths query s not useless, for the answer should be 0. On the other hand, n case there was at least one hyperplane query H made by A wth 1 as the answer, let us wrte H as H(X 1,..., X n ) = a 1 X a n X n b. Then, let H 0 be the correspondng lnear hyperplane defned by H 0 (X 1,..., X n ) = a 1 X a n X n. Clearly, H 0 Z n p, so there exsts a vector v Z n p satsfyng v H 0. In fact, we may easly fnd such a v: snce (a 1,..., a n ) 0, WLOG 11

12 we may assume a 1 0. Then, v := (a 1, 0, 0,..., 0) s such an example. Now, let H be the hyperplane H + v, whch s a parallel translaton of H by v. We may show that H( α, H ) = 0: suppose not, then α H = H + v, and α H by assumpton. Then, from these two we may conclude that v H 0, whch contradcts the constructon of v. Therefore, n ths case B makes q ctr queres, all of them H. Agan these queres are not useless. Fnally, B halts wth the answer α, whch was the output of A. By the constructon, B makes exactly q useful queres, but snce the output of B s dentcal to that of A, we have Adv shq p,n(b) = Adv shq p,n(a). So, f we prove ths theorem for B, the theorem for A clearly follows. Therefore, now assume that our SHQ solver A makes exactly q useful queres. In general, A may be probablstc, consumng fnte but unbounded number of random bts. Therefore, let us wrte A H( α, ) (p, n; r) as the output of the algorthm A wth nput p, n, whle havng access to the oracle H( α, ) and when the randomness used s r = (r 1, r, r 3,... ) {0, 1}. Then we observe that, once α, r, and the algorthm A are fxed, the queres made by A and the correspondng answers are also fxed. More precsely, let H 1,..., H q be the hyperplane queres made by A wth some fxed α, r, and let b 1,..., b q be the answer bts: b = H( α, H ). Let us defne H := (H 1,..., H q ) and b := (b 1,..., b q ). Then, n fact, we can see that A, r, and b completely determne H, and A, r, and α completely determne b. So we use the followng notaton: H = H (A) r ( b), b = B (A) r ( α). Sometmes we just wrte H( b), B( α) to smplfy notaton, when the context s clear. Moreover, we see that the output A H( α, ) (p, n; r) of the algorthm A s completely determned by A, r, and the vector b. So we may wrte A H( α, ) (p, n; r) as A r ( b). Agan, sometmes we just wrte A( b), suppressng r. For a randomly chosen α, snce the output A r ( b) s determned by b = B( α), whch s n turn determned by α, we may wrte A H( α, ) (p, n; r) = A(B( α)). Now, let us fx the randomness r, and let us compute the advantage of A, whch s Pr[A H( α, ) (p, n; r) = α], where the probablty s only over the random choce of α. Here, to emphasze that t s a random varable, we used the bold typeface to wrte α. We then have Pr[A H( α, ) (p, n; r) = α] = Pr[A(B( α)) = α] = Pr[ α = α] Pr[A(B( α)) = α α = α] α = 1 p n Pr[A(B( α)) = α], α where α s a random varable wth unform dstrbuton on Z n p, and α s used for possble concrete values of α. Note that Pr[A(B( α)) = α] should be ether 0 or 1, for any α, because all randomness s fxed: we have Pr[A(B( α)) = α] = 1 ff A(B( α)) = α. Contnung, Pr[A H( α, ) (p, n; r) = α] = 1 p n Pr[A(B( α)) = α], α = 1 p n b = 1 p n 1 b α:b( α)= b α:b( α)= b Pr[A(B( α)) = α], Pr[A( b) = α],

13 We can see that, n the above, for any b, Pr[A( b) = α] 1, α:b( α)= b where the sum s over all α satsfyng B( α) = b. Indeed, the only α whch can possbly make Pr[A( b) = α] = 1 s α = A( b), so f B(A( b)) = b, then the above value s 1, and f B(A( b)) b then the above value s 0. Therefore, we see that Pr[A H( α, ) (p, n; r) = α] 1 p n b 1 = the number of all possble b s p n. Any b = B(α) s a btstrng of length q, and moreover, n any such b, 1 cannot occur more than n tmes. Ths s because we assumed that the algorthm A never makes useless queres; suppose H 1,..., H m are hyperplane queres made by A wth 1 as the answer. Then, all of these hyperplanes ntersect ( α s on all of them). Moreover, due to the fact that all these queres were useful, we have H 1 H H +1, for all = 1,,..., m 1. But then each addtonal hyperplane should decrement the dmenson of the ntersecton by 1, so there can be at most n such hyperplanes, and there can be at most n 1s n any b. Hence we have, Pr[A H( α, ) (p, n; r) = α] 1 p n n =0. Fnally, the theorem s satsfed for general A, because when condtoned on any randomness r, the success probablty s bounded by the same upper bound p n n =0 ( q ). Corollary 1. Let A be any SHQ solver whch makes at most q hyperplane queres. Then, Adv shq p,n(a) 1 p n + 1 ( ) eq n. np Proof. The proof follows from Theorem 6 and the followng Theorem 7. Remark 4. If we wrte q as q = npδ for some δ, then Corollary 1 says that the advantage of the solver A s bounded by p n + (eδ) n /. Snce we assume that n = o(p), certanly p n n/p = o(1). Now we want to show that δ = Ω(1). Suppose not. Then we may fnd an ncreasng sequence {λ } of values of the parameter λ such that δ(λ ) 0 as 0. Then, eδ(λ ) < 1 eventually, and then (eδ(λ )) n / eδ(λ )/ 0 as 0. Therefore, ths contradcts that A solves SHQ wth constant advantage. Ths shows that f A solves SHQ wth constant advantage, then δ = q/np = Ω(1). In short, a SHQ solver wth constant advantage should make Ω(np) queres. 13

14 Theorem 7. We have n 1 ( eq ) n n for any postve ntegers q, n satsfyng 1 n q. The proof of Theorem 7 s n Appendx A. 6 Concluson 6.1 Generc Hardness of MDL By combnng the results so far, we obtan the followng corollary: Corollary. Let A be any generc MDL solver whch makes at most q queres. Then, Adv mdl p,n (A) 1 p n + 1 ( ) e(q + n + 1) n. np Proof. Ths follows drectly from Theorem 1 and Corollary 1. Let us wrte q = npδ for some δ. Then, the upper bound of Adv mdl p,n (A) n Corollary can be expanded as 1 p n + 1 ( e( npδ + n + 1) np ) n = 1 p n + 1 ( eδ n + eδ p + eδ + en np p + e p + e ) n. np Suppose that A solves MDL wth constant advantage. Then we can see that δ = Ω(1): suppose not, then we may assume that we can fnd an ncreasng sequence {λ } of values of the parameter λ such that δ(λ ) 0 as 0. Then, δ(λ ) s eventually bounded by 1/e, and snce we assume that n = o(p), we have eδ(λ ) + eδ(λ ) as 0. Therefore, n(λ ) p(λ ) + eδ(λ ) n(λ )p(λ ) + en(λ ) p(λ ) + e p(λ ) + ( 1 p(λ ) n(λ ) + 1 e( ) n n(λ )p(λ )δ + n(λ ) + 1) 0, n(λ )p(λ ) e n(λ )p(λ ) 0, as 0, contradctng that A has constant advantage. Hence, we conclude that δ = q/ np = Ω(1). Therefore, f a generc MDL solver has constant advantage, then t should make Ω( np) queres. Ths affrmatvely settles Kuhn and Struk s conjecture [8]. 14

15 6. Interval-MDL We may also consder Interval-MDL, where nstead of the exponents α 1,..., α n are chosen from the whole group Z p, they are chosen from an nterval {0, 1,..., l 1} Z p of sze l. For example, Boneh-Goh-Nssm homomorphc encrypton [5] requres solvng DL for exponents chosen from such an nterval, and Bernsten and Lange [] suggested preprocessng methods to speed up such computatons. We remark that wth trval modfcatons, all of our results (except those about the worstcase SHQ problems) also apply to Interval-MDL and the correspondng Interval-SHQ: n the upper bounds for advantages, smply replace the group order p wth the nterval sze l. For example, the bound n Corollary becomes 1 l n + 1 ( ) e(q + n + 1) n, nl and a generc Interval-MDL solver wth constant advantage should make Ω( nl) queres, assumng n = o(l). Ths s because our proof technques, especally that of Theorem 6, work equally well for the nterval verson. For that matter, the sze-l subset does not even have to be an nterval: any subset of sze l would do. Acknowledgments. Ths research was supported by Basc Scence Research Program through the Natonal Research Foundaton of Korea (NRF) funded by the Mnstry of Educaton (No ). References 1. Dgtal sgnature standard (DSS). NIST (Natonal Insttute of Standards and Technology) FIPS (013). Bernsten, D.J., Lange, T.: Computng small dscrete logarthms faster. In: Galbrath, S.D., Nand, M. (eds.) INDOCRYPT 01. LNCS, vol. 7668, pp Sprnger, Hedelberg (01) 3. Boneh, D., Boyen, X.: Short sgnatures wthout random oracles and the SDH assumpton n blnear groups. J. Cryptol. 1(), (008) 4. Boneh, D., Boyen, X., Shacham, H.: Short group sgnatures. In: Frankln, M.K. (ed.) CRYPTO 004. LNCS, vol. 315, pp Sprnger, Hedelberg (004) 5. Boneh, D., Goh, E.J., Nssm, K.: Evaluatng -DNF formulas on cphertexts. In: Klan, J. (ed.) TCC 005. LNCS, vol. 3378, pp Sprnger, Hedelberg (005) 6. Bruen, A.A.: Polynomal multplctes over fnte felds and ntersecton sets. Journal of Combnatoral Theory, Seres A 60(1), (199) 7. Htchcock, Y., Montague, P., Carter, G., Dawson, E.: The effcency of solvng multple dscrete logarthm problems and the mplcatons for the securty of fxed ellptc curves. Internatonal Journal of Informaton Securty 3(), (004) 8. Kuhn, F., Struk, R.: Random walks revsted: Extensons of Pollard s Rho algorthm for computng multple dscrete logarthms. In: Vaudenay, S., Youssef, A.M. (eds.) Selected Areas n Cryptography. LNCS, vol. 59, pp Sprnger, Hedelberg (001) 9. Lee, H.T., Cheon, J.H., Hong, J.: Acceleratng ID-based encrypton based on trapdoor DL usng precomputaton. Cryptology eprnt Archve, Report 011/187 (011), Maurer, U.M., Yacob, Y.: A non-nteractve publc-key dstrbuton system. Desgns, Codes and Cryptography 9(3), (1996) 11. Nechaev, V.I.: Complexty of a determnate algorthm for the dscrete logarthm. Mathematcal Notes 55(), (1994) 1. Shoup, V.: Lower bounds for dscrete logarthms and related problems. In: Fumy, W. (ed.) EUROCRYPT LNCS, vol. 133, pp Sprnger, Hedelberg (1997) 13. Sørensen, A.B.: On the number of ratonal ponts on codmenson-1 algebrac sets n P n (F q). Dscrete Mathematcs 135(1-3), (1994) 15

16 A Proof of Theorem 7 Before provng Theorem 7, we need a techncal lemma: Lemma 1. Suppose that q 5 and n q 3. Then, q n n+1 (n + 1) Proof. Lettng S := n ( q ), we may wrte the nequalty (1) as Ths can be smplfed as But,. (1) ( ( )) q qs (n + 1) S +. () n + 1 ( ) n + 1 q S. (3) q n 1 n + 1 ( ) n + 1 q = n + 1 q n 1 n + 1 q n 1 = q n q n 1 So, the nequalty (1) s equvalent to whch n turn s equvalent to ( 1 + = q n q n 1 1 q n 1 q! (n + 1)!(q n 1)! q! n!(q n)! ). ( q n ) n ( ) 1 q q n 1 n n 1 n (4), (5). (6) So let us prove ths nequalty (6). Consder the functon f(n) := (n 1)(q 1 n). As a functon of n, ths s a quadratc concave functon wth f(1) = f(q 1) = 0. Snce we assume n q 3, we have f(n) mn(f(), f(q 3)). Snce f() = q 3 and f(q 3) = (q 4), we have (n 1)(q 1 n), (7) for any n =,..., q 3. Smple calculaton shows that ths s equvalent to 1 (q n 1)n 1 q n + 1. (8) 16

17 Then, ( ) ( ) 1 q 1 q = q n 1 n (q n 1)n n n ( ) 1 q q n + 1 n n n q n + 1 q! n!(q n)! = q! (n 1)!(q n + 1)! ( ) n 1 q =. n 1 (9) Now we are ready to prove Theorem 7: Theorem 7. We have n for any postve ntegers q, n satsfyng 1 n q. 1 ( eq ) n (10) n Proof. The proof s based on case analyss. Frst, we prove the nequalty when q 5 and 1 n q. From Lemma 1, we have q n for q 5 and n q 3. Then, snce e (1 + 1/n) n, we have whch s equvalent to eq n ( n eq n+1 (n + 1) ( ) ( q n (n + 1) n) ) n n Also, when n = 1, the above nequalty (13) s whch s equvalent to ( ) ( 1 q eq 1 eq ( n + 1 eq ), (11) n+1 ) n+1 n+1 whch s certanly satsfed when q 5. So, ( ) n n n eq, (1). (13), (14) e q, (15) 17 (16)

18 s a decreasng functon for n {1,,..., q }. Then, for any n = 1,,..., q, we have ( n eq ) n n ( ) ( q 1 eq ) 1 1 = 1 e 1, (17) provng the nequalty (10) when q 5 and 1 n q. Therefore, we need to handle the remanng cases: when q 4, or when n = q 1, q. Case n = q: Then the nequalty (10) s equvalent to q 1 1 ( ) eq q = eq q. (18) Ths holds when q e q /, whch can be wrtten as q/(q + 1) log So ths nequalty holds when q 3; then q/(q + 1) 0.75 > log. We can also check that q 1 e q / holds for q = 1, separately. Case n = q 1: Then the nequalty (10) s equvalent to q q 1 e q 1 q 1. (19) Snce the rght-hand sde s greater than e q 1 /, the nequalty s satsfed f q e q 1 /. Frst, we can check that q e q 1 / holds f q 6. And we can also separately check the nequalty (19) for q =,..., 5. Ths fnshes ths case. Case q 4: Here, we need only to show that the nequalty (10) holds when n = 1 or (of course when n q). Ths s because, when q = 1,, then n = 1, cases cover all possbltes. Also, when q = 3, 4, then n = 1,, and n = q 1, q cases cover all possbltes. Hence, Case n = 1: Then the nequalty (10) s equvalent to q 1 ( eq 1 whch holds trvally, snce e. Case n = : Then the nequalty (10) s equvalent to ), (0) q + q(q 1) = q(q + 1) 1 ( eq ). (1) Smplfyng, we get whch holds for q. 1 q e , () 4 18