27 research outputs found

    Quantum Complexity for Discrete Logarithms and Related Problems

    This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group $G$ of prime order.
    - Any generic quantum DL algorithm must make $\Omega(\log |G|)$ depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
    - We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations $Q$ must make $\Omega(\log |G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |G| - \log\log Q)$.
    - When the quantum memory can only store $t$ group elements and use quantum random access memory of $r$ group elements, any generic hybrid algorithm must make either $\Omega(\sqrt{|G|})$ group operations in total or $\Omega(\log |G|/\log (tr))$ quantum group operations.
    As a side contribution, we show a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol

    On Insecure Uses of BGN for Privacy Preserving Data Aggregation Protocols

    The notion of aggregator oblivious (AO) security for privacy preserving data aggregation was formalized by Shi et al., together with a specific construction of an AO-secure blinding technique over a cyclic group. Some proposals of data aggregation protocols use the blinding technique of Shi et al. with the BGN cryptosystem, an additively homomorphic encryption scheme. Previously, there has been some security analysis of BGN-based data aggregation protocols in the context of integrity or authenticity of data. Even with such security analysis, the BGN cryptosystem has remained a popular building block of privacy preserving data aggregation protocols. In this paper, we study the privacy issues in the blinding technique of Shi et al. used for the BGN cryptosystem. We show that the blinding techniques for the BGN cryptosystem used in several protocols are not privacy preserving against the recipient, the decryptor. Our analysis is based on the fact that the BGN cryptosystem uses a pairing $e: G \times G \to G_T$, and the existence of the pairing makes the DDH problem on $G$ easy to solve. We also suggest how to prevent such privacy leakage in the blinding technique of Shi et al. used for the BGN cryptosystem.
    Comment: 11 page

    Quantum Complexity for Discrete Logarithms and Related Problems

    This paper studies the quantum computational complexity of the discrete logarithm and related group-theoretic problems in the context of "generic algorithms" -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model, as a quantum analog of its classical counterpart. Shor's algorithm for the discrete logarithm problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and (almost) matching algorithms of the discrete logarithm and related problems in this model. More precisely, we prove the following results for a cyclic group $\mathcal G$ of prime order.
    (1) Any generic quantum discrete logarithm algorithm must make $\Omega(\log |\mathcal G|)$ depth of group operation queries. This shows that Shor's algorithm, which makes $O(\log |\mathcal G|)$ group operations, is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
    (2) We observe that some (known) variations of Shor's algorithm can take advantage of classical computations to reduce the number and depth of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms that captures these variants, and show that these algorithms are almost optimal in this model. Any generic hybrid quantum-classical algorithm for the discrete logarithm problem with a total number of (classical or quantum) group operations $Q$ must make $\Omega(\log |\mathcal G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |\mathcal G| - \log\log Q)$. In particular, if $Q = {\rm poly}\log |\mathcal G|$, classical group operations can only save the number of quantum queries by a factor of $O(\log\log |\mathcal G|)$, and the quantum depth remains $\Omega(\log\log |\mathcal G|)$.
    (3) When the quantum memory can only store $t$ group elements and use quantum random access memory (qRAM) of $r$ group elements, any generic hybrid quantum-classical algorithm must make either $\Omega(\sqrt{|\mathcal G|})$ group operation queries in total or $\Omega(\log |\mathcal G|/\log (tr))$ quantum group operation queries. In particular, classical queries cannot reduce the number of quantum queries beyond $\Omega(\log |\mathcal G|/\log (tr))$.
    As a side contribution, we show a multiple discrete logarithm problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol

    Discrete subgroups of the special linear group with thin limit sets

    In this paper, we construct a discrete Zariski-dense subgroup $\Gamma$ of $SL(n+1, \mathbb R)$ whose limit set on $\mathbb P^n$ is 'thin', that is, contained in a $C^N$-smooth curve, for any $n \ge 3$ and $N > 0$. We achieve this by applying the ping-pong lemma to the action of a specially chosen generating set $S$ on the $N$-th order jet bundle over $\mathbb P^n$. We also show that in a sense this is the best possible result: there does not exist any Zariski-dense subgroup $\Gamma \subset SL(3, \mathbb R)$ whose limit set is contained in a $C^2$-smooth curve, and there does not exist any Zariski-dense subgroup $\Gamma \subset SL(n+1, \mathbb R)$ whose limit set is contained in a $C^\infty$-smooth curve.

    Generic Hardness of the Multiple Discrete Logarithm Problem

    We study generic hardness of the multiple discrete logarithm problem, where the solver has to solve $n$ instances of the discrete logarithm problem simultaneously. There are known generic algorithms which perform $O(\sqrt{np})$ group operations, where $p$ is the group order, but no generic lower bound was known other than the trivial bound. In this paper we prove the tight generic lower bound, showing that the previously known algorithms are asymptotically optimal. We establish the lower bound by studying hardness of a related computational problem which we call the search-by-hyperplane-queries problem, which may be of independent interest

    A Strongly Unforgeable Homomorphic MAC over Integers

    A homomorphic MAC is a cryptographic primitive which protects the authenticity of data while allowing homomorphic evaluation of such protected data. In this paper, we present a new homomorphic MAC, which is based on integers, relies only on the existence of secure PRFs, and has efficiency comparable to the practical Catalano-Fiore homomorphic MAC. Our scheme is unforgeable even when MAC verification queries are allowed to the adversary, and we achieve this by showing strong unforgeability of our scheme.

    Secure Fully Homomorphic Authenticated Encryption

    Homomorphic authenticated encryption allows implicit computation on plaintexts using the corresponding ciphertexts without losing privacy, and provides authenticity of the computation and of the resultant plaintext of the computation when performing a decryption. However, due to its special functionality, the security notions of homomorphic authenticated encryption are somewhat complicated, and no construction of fully homomorphic authenticated encryption had been given. In this work, we propose a new security notion and the first construction of fully homomorphic authenticated encryption. Our new security notion is a unified definition for data privacy and authenticity of homomorphic authenticated encryption. Moreover, our security notion is simpler and stronger than the previous ones. To realize our new security notion, we also suggest a construction of fully homomorphic authenticated encryption via a generic construction. We combine a fully homomorphic encryption scheme and two homomorphic authenticators, one fully homomorphic and one OR-homomorphic, to construct a fully homomorphic authenticated encryption scheme that satisfies our security notion. Our construction requires its fully homomorphic encryption to be indistinguishable under chosen plaintext attacks and its homomorphic authenticators to be unforgeable under selectively chosen plaintext queries. Our construction also supports multiple datasets and amortized efficiency. For efficiency, we also construct a multi-dataset fully homomorphic authenticator scheme, which is a variant of the first fully homomorphic signature scheme. Our multi-dataset fully homomorphic authenticator scheme satisfies the security requirement of our generic construction above and supports amortized efficiency

    Anonymous Signatures Revisited

    We revisit the notion of the anonymous signature, first formalized by Yang, Wong, Deng and Wang [10], and then further developed by Fischlin [4] and Zhang and Imai [11]. We present a new formalism of anonymous signature, where instead of the message, a part of the signature is withheld to maintain anonymity. We introduce the notion of unpretendability to guarantee that it is infeasible for anyone other than the correct signer to pretend authorship of the message and signature. Our definition retains applicability for all previous applications of the anonymous signature, provides stronger security, and is conceptually simpler. We give a generic construction from any ordinary signature scheme, and also show that the short signature scheme by Boneh and Boyen [2] can be naturally regarded as a secure anonymous signature scheme according to our formalism