Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Statistics for fixed points of x ↦ x^x mod p

134 Aufrufe

Veröffentlicht am

ANTS XI, 2014.

Veröffentlicht in: Bildung
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

Statistics for fixed points of x ↦ x^x mod p

  1. 1. Statistics for fixed points of x → xx mod p Matthew Friedrichsen and Joshua Holden Forging a (variant) ElGamal Digital Signature Frank the Forger wants to solve for r and s in: (1) gH(m) ≡ ys rr (mod p). He knows m, g, y, and p but not the discrete log of y mod p base g. He could: calculate the discrete log of y, or he could solve rr ≡ gH(m) y−s (mod p) for r. We wish to shed light on the difficulty of the second attack by studying the self-power map, x → xx mod p. Figure 1: The self-power map modulo 13 Is x → xx mod p “random”? Heuristic 1.For all p, if x, y are chosen uniformly at random from {1, . . . , p − 1} with ordp x = d, then Pr[xx ≡ y (mod p)] ≈ 1 d if ordp y | d, 0 otherwise. Counts of the fixed points are not normally distributed This work investigates the number of fixed points of the self-power map, i.e., solutions to (2) xx ≡ x (mod p). Let F(p) be the number of solutions to (2) such that 1 ≤ x ≤ p − 1. How are these counts distributed? The figures show that the distribution is not (quite) normal. Figure 2: Histogram and Probability Plot of z-statistics for 238 six-digit primes The counts for most orders are binomially distributed Let Fd(p) be the number of solutions to (2) with 1 ≤ x ≤ p − 1 and ordp x = d. Assume x values behave independently. Prediction 2. Pr[Fd(p) = k] = φ(d) k 1 d k d − 1 d φ(d)−k A chi-squared goodness-of-fit test gives p-value ≈ 0.198 which does not refute the prediction. We also tried a sliding window chi-squared test on the data sorted by order. The resulting p-values should be uniformly distributed but are not for small and large d. 1 10 100 1000 10000 100000 0 0.2 0.4 0.6 0.8 1 Order p-value Figure 3: Logarithmic plot showing p-values of the sliding window test for 238 six-digit primes Dependencies matter for small and large orders For small and large orders it turns out that the independence assumption is violated. Theorem 3. (a) The x-values of order 3 cannot both be fixed points. (b) The x-values of order 4 cannot both be fixed points. (c) The x-values of order 6 are both fixed points or neither is. There are similar effects for d = (p − 1)/3 and d = (p − 1)/4, and possibly a few others. Number of primes: predicted (P), observed (O), and not possible (N). Fd(p) = 0 Fd(p) = 1 Fd(p) = 2 0 25 50 75 100 n = 116, p = 0.79 N O O P P order 3 0 25 50 75 100 n = 120, p = 0.36 N O O P P order 4 0 25 50 75 100 n = 116, p = 0.8 N O O P P order 6 Number of primes: predicted (P), observed (O), and not possible (N). Fd(p) = 0 Fd(p) = 1 Fd(p) = 2 0 25 50 75 100 n = 116, p = 0.46 O O O P P P order (p − 1) 3 0 25 50 75 100 n = 54, p = 0.33 O O O P P P order (p − 1) 4, p ≡ 1 (mod 8) 0 25 50 75 100 n = 66, p = 0.48 N O O P P order (p − 1) 4, p ≡ 5 (mod 8) Figure 4: Predictions and observations for fixed points of small and large orders in 238 six-digit primes Our predictions based on these dependencies are not refuted by chi-squared tests.

×