Cryptography and Computational Number Theory 2001
DOI: 10.1007/978-3-0348-8295-8_19
On the Security of Diffie-Hellman Bits

Abstract. Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from F_p^*. We use some recent bounds of exponential sums to generalize this algorithm to the case when t is selected from a quite small subgroup of F_p^*. Namely, our results apply to subgroups of size at least p^{1/3}…

Cited by 33 publications (56 citation statements)
References 13 publications

Citation statements
“…The algorithm of [1] has been extended in several directions. In particular, in [8] it is generalised to all sufficiently large subgroups G ⊆ F_p^*. This and other generalisations have led to a number of cryptographic applications, see [22,23,24].…”
Section: Introduction
“…More precisely, our result applies to any subgroup G ⊆ F_p^* of size #G ≥ log p/(log log p)^{1−ε}; thus, it includes all subgroups of cryptographically interesting sizes. As in [1], our method is based on lattice reduction algorithms, and it also makes use of exponential sums, though not in such a direct way as in [8]. Namely, we introduce certain new arguments allowing us to amplify the uniformity of distribution properties of small subgroups G. This allows us to use the bound of exponential sums from [10] with elements of G, which is very moderate in strength (and does not imply any uniformity of distribution properties of G which would be the crucial argument of the method of [8]).…”
Section: Introduction
“…The proof of Theorem 2 in [1], dealing with security of most significant bits of the Diffie-Hellman key, suffers from a similar problem. In [3] the result of Theorem 1 of [1] has been extended to the case when g is not necessarily a primitive root but an element of multiplicative order T, provided that T ≥ p^{1/3+ε} for any prime p and T ≥ p^ε for almost all p. It has also been shown that this statement allows us to close the gap in the proof of Theorem 2 of [1]. Namely it is shown that by having an oracle which computes n^{1/2} + log n most significant bits of the private key g^{ab} rem p from the values of the public keys A = g^a rem p and B = g^b rem p one can construct a probabilistic polynomial time algorithm for computing the whole key g^{ab} rem p for all pairs (a, b) ∈ [0, T − 1]^2, where T is the multiplicative order of g.…”
Section: Introduction
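The reduction described in the citation statement above (an oracle that returns the top bits of g^{ab} rem p from the public keys A and B, turned into hidden-number-problem samples whose multipliers t = A^r lie in the small subgroup generated by g) together with the lattice step from the abstract, carried out end to end. This is an added example, not code from the paper or from Boneh and Venkatesan. It assumes toy sizes: a 40-bit prime p = c·T + 1 with T = 65537 (so the subgroup has order T ≈ 2^16, above p^{1/3} ≈ 2^{13.3}), a simulated oracle that leaks the top 14 of the 40 bits (a little above the n^{1/2} + log n of the theorem, so that this small instance solves reliably), and a textbook LLL over exact rationals that is only practical at dimension around twelve. The names hnp_solve, attack, make_group and the constructed seed are the example's own.

```python
"""Added example: Boneh-Venkatesan style recovery of g^{ab} rem p from an oracle
for its k most significant bits, with g of small prime order T (T > p^(1/3)).
Toy parameters: 40-bit p, T = 65537, k = 14.  Not code from the paper."""
import random
from fractions import Fraction

BASES = (2, 3, 5, 7, 11, 13, 17)   # deterministic Miller-Rabin witnesses for n < 3.4e14

def is_probable_prime(n):
    if n < 2 or any(n % q == 0 for q in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(rng, T=65537):
    """Return (p, g, T): a 40-bit prime p = c*T + 1 and an element g of prime order T."""
    while True:
        p = rng.randrange(2**23, 2**24 - 256) * T + 1   # keeps 2^39 <= p < 2^40
        if is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // T, p)
        if g != 1:
            return p, g, T

def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL (Cohen, Alg. 2.6.3) on integer rows with exact Gram-Schmidt data."""
    b = [list(r) for r in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    mu = [[Fraction(0)] * n for _ in range(n)]     # Gram-Schmidt coefficients
    B = [Fraction(0)] * n                          # squared norms of the GS vectors

    def gso_row(k):                                # mu[k][*] and B[k] from rows < k
        for j in range(k):
            mu[k][j] = (Fraction(dot(b[k], b[j]))
                        - sum(mu[j][i] * mu[k][i] * B[i] for i in range(j))) / B[j]
        B[k] = Fraction(dot(b[k], b[k])) - sum(mu[k][j] ** 2 * B[j] for j in range(k))

    def size_reduce(k, l):                         # b_k -= round(mu_kl) * b_l
        q = round(mu[k][l])
        if q:
            b[k] = [x - q * y for x, y in zip(b[k], b[l])]
            mu[k][l] -= q
            for i in range(l):
                mu[k][i] -= q * mu[l][i]

    B[0] = Fraction(dot(b[0], b[0]))
    k, kmax = 1, 0
    while k < n:
        if k > kmax:
            kmax = k
            gso_row(k)
        size_reduce(k, k - 1)
        if B[k] < (delta - mu[k][k - 1] ** 2) * B[k - 1]:   # Lovasz condition fails: swap
            b[k], b[k - 1] = b[k - 1], b[k]
            for j in range(k - 1):
                mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
            m = mu[k][k - 1]
            Bn = B[k] + m * m * B[k - 1]
            mu[k][k - 1] = m * B[k - 1] / Bn
            B[k] = B[k - 1] * B[k] / Bn
            B[k - 1] = Bn
            for i in range(k + 1, kmax + 1):
                t = mu[i][k]
                mu[i][k] = mu[i][k - 1] - m * t
                mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
            k = max(k - 1, 1)
        else:
            for l in range(k - 2, -1, -1):
                size_reduce(k, l)
            k += 1
    return b

def msb(x, n, k):
    """Top k of the n bits of x: x with its low n-k bits cleared."""
    return x >> (n - k) << (n - k)

def hnp_solve(p, samples, k):
    """samples = [(t_i, msb_k(alpha*t_i rem p))]; return alpha, or None if LLL missed it."""
    n = p.bit_length()
    S = p >> (n - k)          # scales the error (< 2^(n-k)) up to at most p
    d = len(samples)
    rows = [[S * p if i == j else 0 for j in range(d + 2)] for i in range(d)]
    rows.append([S * t for t, _ in samples] + [1, 0])
    rows.append([S * u for _, u in samples] + [0, p])
    # Short target: alpha*rows[d] + sum(c_i*rows[i]) - rows[d+1] = (S*e_1..S*e_d, alpha, -p)
    for row in lll_reduce(rows):
        if abs(row[-1]) != p:
            continue
        alpha = (row[-2] if row[-1] < 0 else -row[-2]) % p
        if all(msb(alpha * t % p, n, k) == u for t, u in samples):
            return alpha
    return None

def attack(seed=1, k=14, queries=12):
    """Recover g^{ab} rem p from k-bit leaks; returns (recovered, true_key). Constructed seed."""
    rng = random.Random(seed)
    p, g, T = make_group(rng)
    n = p.bit_length()
    a, b = rng.randrange(1, T), rng.randrange(1, T)
    A, B = pow(g, a, p), pow(g, b, p)
    # Simulated bit oracle for the static key A: the simulation uses a, the attacker never does.
    oracle = lambda Y: msb(pow(Y, a, p), n, k)
    # O(A, B*g^r) = msb(g^{a(b+r)}) = msb(alpha * t) with alpha = g^{ab} and t = A^r in <g>.
    samples = []
    for _ in range(queries):
        r = rng.randrange(1, T)
        samples.append((pow(A, r, p), oracle(B * pow(g, r, p) % p)))
    alpha = None
    for d in (10, queries):            # a couple more samples if the first lattice misses
        alpha = hnp_solve(p, samples[:d], k)
        if alpha is not None:
            break
    return alpha, pow(A, b, p)
```

attack() returns the recovered key next to the true g^{ab} rem p computed from b, so the two can be compared. The attacker's side uses only p, g, A, B and the oracle's answers; the oracle closure holds a purely because this is a simulation. The scale factor S in hnp_solve is what makes the unknown error S·e_i and the unknown α comparable in size, so that the vector carrying α is the clear shortest vector of the lattice; with fewer leaked bits or fewer samples that margin shrinks and LLL at this dimension starts to miss it.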
“…The method of [3] relies on some bounds of exponential sums and results about the distribution of exponential functions in residue classes. Here we use a similar approach to study the bit security of the Shamir message passing scheme.…”
Section: Introduction