An Optimal Distributed Discrete Log Protocol with Applications to Homomorphic Secret Sharing
Journal of Cryptology (IF 3), Pub Date: 2019-09-26, DOI: 10.1007/s00145-019-09330-2
Itai Dinur, Nathan Keller, Ohad Klein

The distributed discrete logarithm (DDL) problem was introduced by Boyle, Gilboa and Ishai at CRYPTO 2016. A protocol solving this problem was the main tool used in the share conversion procedure of their homomorphic secret sharing (HSS) scheme which allows non-interactive evaluation of branching programs among two parties over shares of secret inputs. Let g be a generator of a multiplicative group $\mathbb{G}$. Given a random group element $g^{x}$ and an unknown integer $b \in [-M,M]$ for a small M, two parties A and B (that cannot communicate) successfully solve DDL if $A(g^{x}) - B(g^{x+b}) = b$. Otherwise, the parties err. In the DDL protocol of Boyle et al., A and B run in time T and have error probability that is roughly linear in M/T. Since it has a significant impact on the HSS scheme’s performance, a major open problem raised by Boyle et al. was to reduce the error probability as a function of T. In this paper we devise a new DDL protocol that substantially reduces the error probability to $O(M \cdot T^{-2})$. Our new protocol improves the asymptotic evaluation time complexity of the HSS scheme by Boyle et al. on branching programs of size S from $O(S^2)$ to $O(S^{3/2})$. We further show that our protocol is optimal up to a constant factor for all relevant cryptographic group families, unless one can solve the discrete logarithm problem in a short interval of length R in time $o(\sqrt{R})$. Our DDL protocol is based on a new type of random walk that is composed of several iterations in which the expected step length gradually increases. We believe that this random walk is of independent interest and will find additional applications.
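To make the success condition $A(g^{x}) - B(g^{x+b}) = b$ concrete, here is an added example (not code from the paper or its authors): a simple distinguished-point walk, the kind of baseline strategy whose error grows with M and shrinks with T, run in a toy group. It does not implement the paper's new random walk. The modulus, generator, SHA-256 predicate, parameter values and function names are all assumptions chosen for illustration.

```python
import hashlib
import random

# Toy parameters (assumptions for this example, far too small for real use).
P = 2**31 - 1      # prime modulus; the group is Z_P^*
G = 7              # a primitive root modulo P
DELTA_INV = 200    # an element is "distinguished" with probability about 1/200


def distinguished(h: int) -> bool:
    """Public pseudorandom predicate known to both parties (SHA-256 as a stand-in PRF)."""
    digest = hashlib.sha256(h.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:8], "big") % DELTA_INV == 0


def ddl_party(h: int, T: int) -> int:
    """Walk h, h*g, h*g^2, ... for at most T steps and return the step count at
    the first distinguished element, or 0 if none is found within T steps."""
    for i in range(T):
        if distinguished(h):
            return i
        h = h * G % P
    return 0


def ddl_trial(x: int, b: int, T: int) -> int:
    """Return A(g^x) - B(g^(x+b)); the parties succeed when this equals b."""
    return ddl_party(pow(G, x, P), T) - ddl_party(pow(G, x + b, P), T)


def error_rate(M: int, T: int, trials: int, seed: int = 1) -> float:
    """Empirical fraction of trials with A - B != b, for b uniform in [-M, M]."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        x = rng.randrange(M, P - 1 - M)
        b = rng.randint(-M, M)
        errors += ddl_trial(x, b, T) != b
    return errors / trials


if __name__ == "__main__":
    print("A - B for b=3:", ddl_trial(123456, 3, T=4000))
    print("error rate, M=2:", error_rate(M=2, T=4000, trials=300))
```

The parties err when a distinguished element falls between the two starting points, so one party stops before the walks have merged, or when neither walk finds one within T steps.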

Updated: 2019-09-26