Security of Almost ALL Discrete Log Bits

Author

  • C. P. Schnorr
Abstract

Let G be a finite cyclic group with generator α and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given exp_α(x), assuming that the exponentiation function exp_α(x) = α^x is one-way. We reduce the general problem to the case that G has odd order q. If G has odd order q, the security of the least-significant bits of x and of the most-significant bits of the rational number x/q ∈ [0, 1) follows from the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize these bits and study the security of consecutive shift bits lsb(2^{-i} x mod q) for i = k + 1, ..., k + j. When we restrict exp_α to arguments x such that some sequence of j consecutive shift bits of x is constant (i.e., not depending on x) we call it a 2^{-j}-fraction of exp_α. For groups of odd order q we show that every two 2^{-j}-fractions of exp_α are equally one-way by a polynomial time transformation: either they are all one-way or none of them. Our key theorem shows that arbitrary j consecutive shift bits of x are simultaneously secure when given exp_α(x) iff the 2^{-j}-fractions of exp_α are one-way. In particular this applies to the j least-significant bits of x and to the j most-significant bits of x/q ∈ [0, 1). For groups of order 2q with odd q we show that the j least-significant bits of ⌊x/2^s⌋, as well as the j most-significant bits of x/q ∈ [0, 1), are simultaneously secure iff the 2^{-j}-fractions of exp_{α′} are one-way for α′ := α^s. For groups of order 2q with prime q we show that all except the first s bits of x are individually secure when given exp_α(x) provided that exp_α is one-way. This result relies on the method of Håstad and Näslund [HN98]. We use and extend the models of generic algorithms of Nechaev (1994) and Shoup (1997). We determine the generic complexity of inverting fractions of exp_α for the case that α has prime order q.
As a consequence, arbitrary segments of (1 − ε) lg q consecutive shift bits of random x are, for constant ε > 0, simultaneously secure against generic attacks. Every generic algorithm using t generic steps (group operations) for distinguishing bit strings of j consecutive shift bits of x from random bit strings has at most advantage O((lg q) j √t (2/q)^{1/4}).
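As an added illustration (not part of the paper or of this page), the following Python computes the shift bits lsb(2^{-i} x mod q) for an odd modulus q and checks two facts the abstract builds on: each shift map x ↦ 2^{-i} x mod q is a bijection of Z_q, and the shift bits obtained by multiplying x by 2, 4, ..., 2^j (written here as i = -1, ..., -j) are exactly the j most-significant bits of the binary expansion of x/q ∈ [0, 1). It also counts how many x fall into one 2^{-j}-fraction, i.e. share a fixed bit pattern at j consecutive shift positions. The sign convention for i, the modulus q = 101 and the sample x = 37 are my own constructed assumptions, not values from the paper.

```python
"""Shift bits lsb(2^{-i} x mod q) for odd q (constructed example, not from the paper)."""
from typing import List, Sequence


def shift_bit(x: int, i: int, q: int) -> int:
    """Return lsb(2^{-i} * x mod q). For i < 0 this multiplies x by 2^{|i|}.

    q must be odd so that 2 is invertible mod q (pow with a negative
    exponent needs Python 3.8+).
    """
    y = (pow(2, -i, q) * x) % q
    return y & 1


def shift_bits(x: int, positions: Sequence[int], q: int) -> List[int]:
    """The sequence of shift bits of x at the given positions i."""
    return [shift_bit(x, i, q) for i in positions]


def msb_of_fraction(x: int, j: int, q: int) -> List[int]:
    """First j bits of the binary expansion of the rational x/q in [0, 1).

    Computed exactly with integers: doubling x/q shifts its expansion left,
    and the digit that falls before the point is 1 iff 2x >= q.
    """
    bits = []
    r = x % q
    for _ in range(j):
        r *= 2
        bits.append(1 if r >= q else 0)
        r %= q
    return bits


def is_shift_bijection(i: int, q: int) -> bool:
    """Check by enumeration that x -> 2^{-i} x mod q permutes Z_q."""
    image = sorted((pow(2, -i, q) * x) % q for x in range(q))
    return image == list(range(q))


def fraction_size(pattern: Sequence[int], positions: Sequence[int], q: int) -> int:
    """Number of x in Z_q whose shift bits at `positions` equal `pattern`.

    Such x are the domain of one 2^{-j}-fraction of exp_alpha (j = len(pattern)).
    """
    return sum(1 for x in range(q) if shift_bits(x, positions, q) == list(pattern))


if __name__ == "__main__":
    q, x = 101, 37                      # constructed sample values
    neg = [-1, -2, -3, -4, -5]          # multiply by 2, 4, 8, 16, 32
    print("shift bits  ", shift_bits(x, neg, q))
    print("msb of x/q  ", msb_of_fraction(x, 5, q))
    print("bijection   ", is_shift_bijection(1, q), is_shift_bijection(-3, q))
    print("fraction    ", fraction_size([0, 0, 0], [1, 2, 3], q), "of", q)
```

For the all-zero pattern at positions 1, 2, 3 the count is 13 of 101 elements, i.e. roughly q/2^3, which is what "2^{-j}-fraction" refers to: the restriction of exp_α to about a 2^{-j} share of its domain. The agreement between shift bits at negative positions and the bits of x/q holds for every x in Z_q, not only the sample, so the check in the test enumerates the whole group.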


Related papers

An Efficient Discrete Log Pseudo Random Generator

The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponent...


The Security of All Bits Using List Decoding

The relation between list decoding and hard-core predicates has provided a clean and easy methodology to prove the hardness of certain predicates. So far this methodology has only been used to prove that the O(log log N) least and most significant bits of any function with multiplicative access —which include the most common number theoretic trapdoor permutations— are secure. In this paper we s...


Bounds for Dispersers, Extractors, and Depth-Two Superconcentrators

We show that the size of the smallest depth-two N -superconcentrator is Θ(N log N/ log logN). Before this work, optimal bounds were known for all depths except two. For the upper bound, we build superconcentrators by putting together a small number of disperser graphs; these disperser graphs are obtained using a probabilistic argument. For obtaining lower bounds, we present two different method...


Quantum hashing is maximumly secure against classical leakage

Cryptographic hash functions are fundamental primitives widely used in practice. For such a function f : {0, 1} → {0, 1}, it is nearly impossible for an adversary to produce the hash f(x) without knowing the secret message x ∈ {0, 1}. Unfortunately, all hash functions are vulnerable under the side-channel attack, which is a grave concern for information security in practice. This is because typ...



Publication date: 1998