Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Statistics for fixed points of x ↦ x^x mod p

87 views

Published on

ANTS XI, 2014.

Published in: Education
  • Be the first to comment

  • Be the first to like this

Statistics for fixed points of x ↦ x^x mod p

  1. 1. Statistics for fixed points of x → xx mod p Matthew Friedrichsen and Joshua Holden Forging a (variant) ElGamal Digital Signature Frank the Forger wants to solve for r and s in: (1) gH(m) ≡ ys rr (mod p). He knows m, g, y, and p but not the discrete log of y mod p base g. He could: calculate the discrete log of y, or he could solve rr ≡ gH(m) y−s (mod p) for r. We wish to shed light on the difficulty of the second attack by studying the self-power map, x → xx mod p. Figure 1: The self-power map modulo 13 Is x → xx mod p “random”? Heuristic 1.For all p, if x, y are chosen uniformly at random from {1, . . . , p − 1} with ordp x = d, then Pr[xx ≡ y (mod p)] ≈ 1 d if ordp y | d, 0 otherwise. Counts of the fixed points are not normally distributed This work investigates the number of fixed points of the self-power map, i.e., solutions to (2) xx ≡ x (mod p). Let F(p) be the number of solutions to (2) such that 1 ≤ x ≤ p − 1. How are these counts distributed? The figures show that the distribution is not (quite) normal. Figure 2: Histogram and Probability Plot of z-statistics for 238 six-digit primes The counts for most orders are binomially distributed Let Fd(p) be the number of solutions to (2) with 1 ≤ x ≤ p − 1 and ordp x = d. Assume x values behave independently. Prediction 2. Pr[Fd(p) = k] = φ(d) k 1 d k d − 1 d φ(d)−k A chi-squared goodness-of-fit test gives p-value ≈ 0.198 which does not refute the prediction. We also tried a sliding window chi-squared test on the data sorted by order. The resulting p-values should be uniformly distributed but are not for small and large d. 1 10 100 1000 10000 100000 0 0.2 0.4 0.6 0.8 1 Order p-value Figure 3: Logarithmic plot showing p-values of the sliding window test for 238 six-digit primes Dependencies matter for small and large orders For small and large orders it turns out that the independence assumption is violated. Theorem 3. (a) The x-values of order 3 cannot both be fixed points. (b) The x-values of order 4 cannot both be fixed points. (c) The x-values of order 6 are both fixed points or neither is. There are similar effects for d = (p − 1)/3 and d = (p − 1)/4, and possibly a few others. Number of primes: predicted (P), observed (O), and not possible (N). Fd(p) = 0 Fd(p) = 1 Fd(p) = 2 0 25 50 75 100 n = 116, p = 0.79 N O O P P order 3 0 25 50 75 100 n = 120, p = 0.36 N O O P P order 4 0 25 50 75 100 n = 116, p = 0.8 N O O P P order 6 Number of primes: predicted (P), observed (O), and not possible (N). Fd(p) = 0 Fd(p) = 1 Fd(p) = 2 0 25 50 75 100 n = 116, p = 0.46 O O O P P P order (p − 1) 3 0 25 50 75 100 n = 54, p = 0.33 O O O P P P order (p − 1) 4, p ≡ 1 (mod 8) 0 25 50 75 100 n = 66, p = 0.48 N O O P P order (p − 1) 4, p ≡ 5 (mod 8) Figure 4: Predictions and observations for fixed points of small and large orders in 238 six-digit primes Our predictions based on these dependencies are not refuted by chi-squared tests.

×