On the Security of Diffie-Hellman Bits

Boneh and Venkatesan have recently proposed a polynomial-time algorithm for recovering a "hidden" element \(\alpha\) of a finite field \(\mathbb{F}_p\) of \(p\) elements from rather short strings of the most significant bits of the remainder modulo \(p\) of \(\alpha t\) for several values of \(t\) selected uniformly at random from \(\mathbb{F}_p^*\). We use some recent bounds of exponential sums to generalize this algorithm to the case when \(t\) is selected from a quite small subgroup of \(\mathbb{F}_p^*\). Namely, our results apply to subgroups of size at least \(p^{1/3+\varepsilon}\) for all primes \(p\) and to subgroups of size at least \(p^{\varepsilon}\) for almost all primes \(p\), for any fixed \(\varepsilon > 0\). We also use this generalization to improve (and correct) one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.
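A worked example of the Boneh-Venkatesan recovery step that the abstract builds on, added here for illustration and not code from the paper: the hidden number problem is solved with lattice reduction. This version uses a textbook LLL over exact rationals and the embedding technique (the vector of approximations is appended as an extra basis row, so the short difference vector shows up directly in the reduced basis) in place of the Babai nearest-plane rounding used in the original work; the "most significant bits" oracle is modelled as the index of the sub-interval of \([0,p)\) of length \(p/2^k\) that contains \(\alpha t \bmod p\). The prime \(p = 2^{31}-1\), \(k = 12\) leaked bits and \(d = 8\) samples are constructed parameters chosen so that pure Python finishes in seconds, and the multipliers \(t\) are drawn uniformly from \(\mathbb{F}_p^*\), i.e. the original Boneh-Venkatesan setting rather than the small-subgroup case this paper treats. In the Diffie-Hellman application the attacker obtains such samples by querying a bit oracle on \((g^a, g^b g^r)\) for random \(r\), which yields the top bits of \(\alpha t\) with \(\alpha = g^{ab}\) and \(t = g^{ar}\); the multipliers then range over the subgroup generated by \(g^a\), which is exactly why the subgroup case matters.

```python
import random
from fractions import Fraction


def lll_reduce(rows, delta=Fraction(3, 4)):
    """LLL-reduce an integer basis given as a list of rows.  Exact rational
    arithmetic; the Gram-Schmidt data mu[i][j] and B[i] = |b*_i|^2 are updated
    in place with Cohen's swap formulas instead of being recomputed."""
    b = [list(r) for r in rows]
    n = len(b)
    mu = [[Fraction(0)] * n for _ in range(n)]
    B, bstar = [], []
    for i in range(n):                      # initial Gram-Schmidt pass
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = sum(x * y for x, y in zip(b[i], bstar[j])) / B[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
        B.append(sum(x * x for x in v))

    def size_reduce(k, l):                  # b_k -= round(mu_kl) * b_l
        q = round(mu[k][l])
        if q:
            b[k] = [x - q * y for x, y in zip(b[k], b[l])]
            mu[k][l] -= q
            for i in range(l):
                mu[k][i] -= q * mu[l][i]

    k = 1
    while k < n:
        size_reduce(k, k - 1)
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:   # Lovasz condition
            for l in range(k - 2, -1, -1):
                size_reduce(k, l)
            k += 1
        else:                               # swap b_k, b_{k-1}; fix up mu and B
            m = mu[k][k - 1]
            Bn = B[k] + m * m * B[k - 1]
            mu[k][k - 1] = m * B[k - 1] / Bn
            B[k] = B[k - 1] * B[k] / Bn
            B[k - 1] = Bn
            b[k], b[k - 1] = b[k - 1], b[k]
            for j in range(k - 1):
                mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
            for i in range(k + 1, n):
                t = mu[i][k]
                mu[i][k] = mu[i][k - 1] - m * t
                mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
            k = max(k - 1, 1)
    return b


def msb_index(x, p, k):
    """Index of the sub-interval of [0, p) of length p/2^k containing x: the
    'k most significant bits' of x in the Boneh-Venkatesan sense."""
    return (x << k) // p


def msb_center(j, p, k):
    """Midpoint of sub-interval j.  Every x with msb_index(x, p, k) == j
    satisfies |x - msb_center(j, p, k)| <= p / 2^(k+1) + 1."""
    return ((2 * j + 1) * p) >> (k + 1)


def hnp_recover(p, k, samples):
    """samples: list of (t_i, j_i) with j_i = msb_index(alpha * t_i mod p).
    Builds the Boneh-Venkatesan lattice, scaled by S = 2^(k+1) so all entries
    are integers and every error term is about p, embeds the approximation
    vector as an extra row with weight M, LLL-reduces, and reads alpha off the
    short vector (S * errors, alpha, -M).  Returns None if nothing checks out."""
    d = len(samples)
    S, M = 1 << (k + 1), p
    rows = []
    for i in range(d):                      # rows S*p*e_i: the 'mod p' freedom
        row = [0] * (d + 2)
        row[i] = S * p
        rows.append(row)
    rows.append([S * t for t, _ in samples] + [1, 0])                    # alpha row
    rows.append([S * msb_center(j, p, k) for _, j in samples] + [0, M])  # embedded target
    for v in lll_reduce(rows):
        if abs(v[d + 1]) != M:
            continue
        cand = (v[d] if v[d + 1] == -M else -v[d]) % p
        if all(msb_index(cand * t % p, p, k) == j for t, j in samples):
            return cand
    return None


def demo(seed=1):
    """Constructed instance: random hidden alpha, d random multipliers, k top
    bits each.  Returns (alpha, recovered) so the caller can compare them."""
    p = (1 << 31) - 1                       # Mersenne prime 2^31 - 1
    k, d = 12, 8                            # bits leaked per sample, sample count
    rng = random.Random(seed)
    alpha = rng.randrange(1, p)
    samples = [(t, msb_index(alpha * t % p, p, k))
               for t in (rng.randrange(1, p) for _ in range(d))]
    return alpha, hnp_recover(p, k, samples)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the hidden element next to the value recovered from the eight 12-bit leaks. The margin between the length of the embedded short vector (about \(\sqrt{d+2}\,p\)) and the next shortest vector of the lattice (about \((Sp)^{d/(d+1)}\)) is what makes LLL's first basis vector the target; shrinking \(k\) or \(d\) closes that gap, and at some point recovery starts to fail, which is the trade-off the original analysis quantifies.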

[1] M. Näslund et al. A survey of hard core functions. 2001.

[2] I. M. Vinogradov. Elements of Number Theory. 1954.

[3] A. K. Lenstra and E. R. Verheul. The XTR public key system. CRYPTO 2000.

[4] D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. CRYPTO 1996.

[5] N. M. Korobov. Exponential Sums and their Applications. 1992.

[6] D. Micciancio. On the hardness of the shortest vector problem. 1998.

[7] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography. 1996.

[8] E. R. Verheul. Certificates of recoverability with scalable recovery agent security. Public Key Cryptography 2000.

[9] A. E. Brouwer, R. Pellikaan and E. R. Verheul. Doing more with fewer bits. ASIACRYPT 1999.

[10] A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász. Factoring polynomials with rational coefficients. 1982.

[11] R. Kannan. Algorithmic geometry of numbers. 1987.

[12] L. Babai. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 1986.

[13] I. E. Shparlinski. Character Sums with Exponential Functions and their Applications. 1999.

[14] H. Niederreiter. Quasi-Monte Carlo methods and pseudo-random numbers. 1978.

[15] P. Q. Nguyen and J. Stern. Lattice reduction in cryptology: an update. ANTS 2000.

[16] I. E. Shparlinski. Security of the most significant bits of the Shamir message passing scheme. Math. Comp., 2000.

[17] C. P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, 1987.

[18] D. Boneh and R. Venkatesan. Rounding in lattices and its cryptographic applications. SODA 1997.