Hostname: page-component-78c5997874-94fs2 Total loading time: 0 Render date: 2024-11-10T17:04:18.702Z Has data issue: false hasContentIssue false
  • English
  • Français

The discrete logarithm problem for exponents of bounded height

Part of: Communication, information Finite fields and commutative rings (number-theoretic aspects)

Published online by Cambridge University Press:  01 August 2014

Simon R. Blackburn  and
Sam Scott
Simon R. Blackburn
Affiliation:
Department of Mathematics, Royal Holloway University of London, Egham, Surrey, TW20 0EX, United Kingdom email s.blackburn@rhul.ac.uk
Sam Scott
Affiliation:
Department of Mathematics, Royal Holloway University of London, Egham, Surrey, TW20 0EX, United Kingdom email sam.scott.2012@live.rhul.ac.uk

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Let $\def \xmlpi #1{}\def \mathsfbi #1{\boldsymbol {\mathsf {#1}}}\let \le =\leqslant \let \leq =\leqslant \let \ge =\geqslant \let \geq =\geqslant \def \Pr {\mathit {Pr}}\def \Fr {\mathit {Fr}}\def \Rey {\mathit {Re}}G$ be a cyclic group written multiplicatively (and represented in some concrete way). Let $n$ be a positive integer (much smaller than the order of $G$). Let $g,h\in G$. The bounded height discrete logarithm problem is the task of finding positive integers $a$ and $b$ (if they exist) such that $a\leq n$, $b\leq n$ and $g^a=h^b$. (Provided that $b$ is coprime to the order of $g$, we have $h=g^{a/b}$ where $a/b$ is a rational number of height at most $n$. This motivates the terminology.)

The paper provides a reduction to the two-dimensional discrete logarithm problem, so the bounded height discrete logarithm problem can be solved using a low-memory heuristic algorithm for the two-dimensional discrete logarithm problem due to Gaudry and Schost. The paper also provides a low-memory heuristic algorithm to solve the bounded height discrete logarithm problem in a generic group directly, without using a reduction to the two-dimensional discrete logarithm problem. This new algorithm is inspired by (but differs from) the Gaudry–Schost algorithm. Both algorithms use $O(n)$ group operations, but the new algorithm is faster and simpler than the Gaudry–Schost algorithm when used to solve the bounded height discrete logarithm problem. Like the Gaudry–Schost algorithm, the new algorithm can easily be carried out in a distributed fashion.

The bounded height discrete logarithm problem is relevant to a class of attacks on the privacy of a key establishment protocol recently published by EMVCo for comment. This protocol is intended to protect the communications between a chip-based payment card and a terminal using elliptic curve cryptography. The paper comments on the implications of these attacks for the design of any final version of the EMV protocol.

MSC classification

Secondary: 11T71: Algebraic coding theory; cryptography 94A60: Cryptography
Type
Research Article
Information
LMS Journal of Computation and Mathematics , Volume 17 , Special Issue A: Algorithmic Number Theory Symposium XI , 2014 , pp. 148 - 156
Copyright
© The Author(s) 2014 

References

Brzuska, C., Smart, N., Warinschi, B. and Watson, G. J., ‘An analysis of the EMV channel establishment protocol’, Proceedings of 2013 ACM SIGSAC Conference on Computer and Communications Security (ACM, New York, 2013) 373386.Google Scholar
EMVCo, EMV ECC key establishment protocols, draft for comments, November 2012. Available from http://www.emvco.com/specifications.aspx?id=243.Google Scholar
EMVCo, Worldwide EMV card and terminal deployment, http://www.emvco.com/about_emvco.aspx?id=202, retrieved 5th February 2014.Google Scholar
Galbraith, S. D., Mathematics of public key cryptography (Cambridge University Press, Cambridge, 2012).CrossRefGoogle Scholar
Gaudry, P. and Schost, É., ‘A low-memory parallel version of Matsuo, Chao and Tsujii’s algorithm’, ANTS VI, Lecture Notes in Computer Science 3076 (ed. Buell, D. A.; Spinger, Berlin, 2004) 208222.Google Scholar
National Institute of Standards and Technology (NIST), Recommended elliptic curves for federal government use, July 1999.Google Scholar
van Oorschot, P. C. and Wiener, M. J., ‘On Diffie–Hellman key agreement with short exponents’, Eurocrypt ’96, Lecture Notes in Computer Science 1070 (ed. Maurer, U.; Springer, Berlin, 1996) 332343.Google Scholar
Pollard, J. M., ‘Monte Carlo methods for index computation (mod p)’, Math. Comp. 32 (1978) 918924.Google Scholar
Stein, W. A. et al. , Sage mathematics software (version 5.11), The Sage Development Team, 2013,http://www.sagemath.org.Google Scholar