Black box generic models prohibit calculation of the discrete logarithm in groups of order $q=2p+1$, where $p,q$ are random primes, to $\Omega(\sqrt{p})$ steps (refer to "Discrete Logarithm in the generic group model is hard - Theorem by Shoup").

Do the black box generic models also prohibit the MSB of the discrete logarithm to $\Omega(\sqrt{p})$ steps, or is it possible that black box generic algorithms can get the MSB of discrete logarithms in $\text{polylog}(p)$ steps?

Note that computing the discrete logarithm once you know the MSB is trivial, but there is interaction (branching depending on whether the MSB is $0$ or $1$) which I am not sure the Black Box models forbid.

Turbo

1 Answer

"which I am not sure the Black Box models forbid"

What the Black Box model forbids is performing any operation on the group elements other than a specific set of operations. In your case, the allowed operations would be:

  • The group operation (given $A$ and $B$, return $A \times B$)

  • The group inversion operation.

  • Comparing two group elements for equality.

  • Your msbit oracle (because you're extending the black box model to contain this operation).

Any other operations on group elements are forbidden.

On the other hand, any operations on things which are not group elements are fair game. For example, your msbit oracle returns a bit; this bit is not a group element, and so doing things such as:

 if (oracle_returned_a_one) {
     do_this();
 } else {
     do_that();
 }

are perfectly in play.

So, unless the prime is just above a power of 2, that is, $p = 2^k + \ell$ for $2^k / \text{polylog}(p) < \ell < 2^k$, it should be obvious that you can compute the discrete log with a polynomial number of queries (specifically, $k + \text{polylog}(p)$ queries).

poncho
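An added example, not part of the original answer: a Python simulation of the extended black-box model, in which the algorithm sees only opaque handles, the group operations and the msbit oracle, and recovers the discrete log by branching on the oracle's bit. It assumes the oracle returns 1 exactly when the exponent is at least $2^k$ (with $2^k \le p < 2^{k+1}$) and that $\ell = p - 2^k$ is a sizable fraction of $2^k$; the names `GenericGroup`, `power` and `dlog_with_msb` are hypothetical.

```python
import secrets

class GenericGroup:
    """Prime-order cyclic group seen only through opaque random handles."""
    def __init__(self, p):                      # p: odd prime (group order)
        self.p, self.k = p, p.bit_length() - 1  # 2^k <= p < 2^(k+1)
        self._exp, self._handle = {}, {}        # hidden from the algorithm
        self.oracle_queries = 0
        self.g = self._wrap(1)                  # generator
    def _wrap(self, e):
        e %= self.p
        if e not in self._handle:               # one unique handle per element,
            h = secrets.token_hex(8)            # so == on handles is equality
            self._handle[e], self._exp[h] = h, e
        return self._handle[e]
    def mul(self, a, b):
        return self._wrap(self._exp[a] + self._exp[b])
    def inv(self, a):
        return self._wrap(-self._exp[a])
    def msb(self, a):                           # the added oracle
        self.oracle_queries += 1
        return self._exp[a] >> self.k

def power(G, a, n):
    """Square-and-multiply using only the allowed group operations."""
    result = G.mul(a, G.inv(a))                 # identity element
    while n:
        if n & 1:
            result = G.mul(result, a)
        a, n = G.mul(a, a), n >> 1
    return result

def dlog_with_msb(G, h):
    top = 1 << G.k
    ell = G.p - top                             # exponents with msb 1: [2^k, p)
    step, y, shift = power(G, G.g, ell), h, 0
    while not G.msb(y):                         # about 2^k / ell queries
        y, shift = G.mul(y, step), shift + ell
    lo, hi = 0, ell - 1                         # largest d with msb(y * g^d) == 1
    while lo < hi:                              # about k queries
        mid = (lo + hi + 1) // 2
        if G.msb(G.mul(y, power(G, G.g, mid))):
            lo = mid
        else:
            hi = mid - 1
    return (G.p - 1 - lo - shift) % G.p         # exponent of y is p - 1 - lo
```

The first loop shifts the unknown exponent in steps of $\ell$ until it lands in the msb-1 range, and the binary search then finds how far that exponent is from $p-1$; the query count grows as $\ell$ shrinks relative to $2^k$.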