
The discrete logarithm problem for exponents of bounded height

Published online by Cambridge University Press:  01 August 2014

Simon R. Blackburn
Affiliation:
Department of Mathematics, Royal Holloway University of London, Egham, Surrey, TW20 0EX, United Kingdom email s.blackburn@rhul.ac.uk
Sam Scott
Affiliation:
Department of Mathematics, Royal Holloway University of London, Egham, Surrey, TW20 0EX, United Kingdom email sam.scott.2012@live.rhul.ac.uk

Abstract

Let $G$ be a cyclic group written multiplicatively (and represented in some concrete way). Let $n$ be a positive integer (much smaller than the order of $G$). Let $g,h\in G$. The bounded height discrete logarithm problem is the task of finding positive integers $a$ and $b$ (if they exist) such that $a\leq n$, $b\leq n$ and $g^a=h^b$. (Provided that $b$ is coprime to the order of $g$, we have $h=g^{a/b}$ where $a/b$ is a rational number of height at most $n$. This motivates the terminology.)

The paper provides a reduction to the two-dimensional discrete logarithm problem, so the bounded height discrete logarithm problem can be solved using a low-memory heuristic algorithm for the two-dimensional discrete logarithm problem due to Gaudry and Schost. The paper also provides a low-memory heuristic algorithm to solve the bounded height discrete logarithm problem in a generic group directly, without using a reduction to the two-dimensional discrete logarithm problem. This new algorithm is inspired by (but differs from) the Gaudry–Schost algorithm. Both algorithms use $O(n)$ group operations, but the new algorithm is faster and simpler than the Gaudry–Schost algorithm when used to solve the bounded height discrete logarithm problem. Like the Gaudry–Schost algorithm, the new algorithm can easily be carried out in a distributed fashion.
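To make the problem statement concrete, the following added example (not code from the paper, and not either of the paper's low-memory algorithms) solves a toy instance with a plain lookup table: it also uses $O(n)$ group operations but stores $O(n)$ group elements, which is the memory cost the low-memory algorithms avoid. The group $\mathbb{Z}_p^*$, the parameters `P`, `Q`, `G`, `N` and the function names are assumptions constructed for illustration.

```python
# Added example: table-based baseline for the bounded height discrete logarithm problem.
# Toy parameters below are constructed for illustration, not taken from the paper.

def bounded_height_dlog(g, h, p, n):
    """Find (a, b) with 1 <= a, b <= n and g^a == h^b (mod p); None if no pair exists."""
    # Store g^a for a = 1..n: n multiplications and O(n) stored elements.
    powers_of_g = {}
    x = 1
    for a in range(1, n + 1):
        x = x * g % p
        powers_of_g.setdefault(x, a)  # keep the smallest a for each element
    # Walk h^b for b = 1..n and stop at the first collision with the table.
    y = 1
    for b in range(1, n + 1):
        y = y * h % p
        a = powers_of_g.get(y)
        if a is not None:
            return a, b
    return None


def rational_exponent(a, b, q):
    """Exponent a/b mod q, defined when b is coprime to the order q of g."""
    return a * pow(b, -1, q) % q


# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
P, Q, G, N = 2039, 1019, 4, 20
SECRET = rational_exponent(7, 13, Q)  # looks like a full-size exponent mod q
H = pow(G, SECRET, P)

if __name__ == "__main__":
    a, b = bounded_height_dlog(G, H, P, N)
    print("secret exponent:", SECRET)
    print("recovered a, b:", a, b, "-> a/b mod q =", rational_exponent(a, b, Q))
```

The secret exponent is not small as an integer modulo $q$, yet it is recovered with at most $2n$ multiplications because it is a ratio of two integers bounded by $n$.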

The bounded height discrete logarithm problem is relevant to a class of attacks on the privacy of a key establishment protocol recently published by EMVCo for comment. This protocol is intended to protect the communications between a chip-based payment card and a terminal using elliptic curve cryptography. The paper comments on the implications of these attacks for the design of any final version of the EMV protocol.

Type
Research Article
Copyright
© The Author(s) 2014 

References

Brzuska, C., Smart, N., Warinschi, B. and Watson, G. J., ‘An analysis of the EMV channel establishment protocol’, Proceedings of 2013 ACM SIGSAC Conference on Computer and Communications Security (ACM, New York, 2013) 373–386.
EMVCo, EMV ECC key establishment protocols, draft for comments, November 2012. Available from http://www.emvco.com/specifications.aspx?id=243.
EMVCo, Worldwide EMV card and terminal deployment, http://www.emvco.com/about_emvco.aspx?id=202, retrieved 5th February 2014.
Galbraith, S. D., Mathematics of public key cryptography (Cambridge University Press, Cambridge, 2012).
Gaudry, P. and Schost, É., ‘A low-memory parallel version of Matsuo, Chao and Tsujii’s algorithm’, ANTS VI, Lecture Notes in Computer Science 3076 (ed. Buell, D. A.; Springer, Berlin, 2004) 208–222.
National Institute of Standards and Technology (NIST), Recommended elliptic curves for federal government use, July 1999.
van Oorschot, P. C. and Wiener, M. J., ‘On Diffie–Hellman key agreement with short exponents’, Eurocrypt ’96, Lecture Notes in Computer Science 1070 (ed. Maurer, U.; Springer, Berlin, 1996) 332–343.
Pollard, J. M., ‘Monte Carlo methods for index computation (mod p)’, Math. Comp. 32 (1978) 918–924.
Stein, W. A. et al., Sage mathematics software (version 5.11), The Sage Development Team, 2013, http://www.sagemath.org.