Showing papers by "Sarvar Patel" published in 2005


Book Chapter
14 Feb 2005
TL;DR: It is shown that the trailing n–ω(log n) bits of the discrete logarithm modulo an n-bit safe prime p are simultaneously hard, and this result implies the security of a short exponent version of PAK, a password-authenticated key exchange protocol that protects against offline dictionary attacks.
Abstract: Assuming the intractability of solving the discrete logarithm with short exponent problem, it was recently shown that the trailing n–ω(log n) bits of the discrete logarithm modulo an n-bit safe prime p are simultaneously hard. However, the question of hardness of the leading bits was left open. In this paper we show that the leading n–ω(log n) bits are also simultaneously hard, or equivalently that the distribution of $g^s \bmod p$, where g is a generator of $\mathbb{Z}^*_{p}$ and s is a uniformly chosen short exponent of ω(log n) bits, is indistinguishable from the uniform distribution on $\mathbb{Z}^*_{p}$. We further show that this result implies the security of a short exponent version of PAK, a password-authenticated key exchange protocol that protects against offline dictionary attacks.

12 citations