On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields

We show that for any elliptic curve \(E(\mathbb{F}_{q^n})\), if an adversary has access to a Static Diffie-Hellman Problem (Static DHP) oracle, then by making \(O(q^{1-\frac{1}{n+1}})\) Static DHP oracle queries during an initial learning phase, for fixed \(n > 1\) and \(q \to \infty\) the adversary can solve any further instance of the Static DHP in heuristic time \(\tilde{O}(q^{1-\frac{1}{n+1}})\). Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the One-More DHP and One-More DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small \(n\), our algorithm reduces the security provided by the elliptic curves defined over \(\mathbb{F}_{p^2}\) and \(\mathbb{F}_{p^4}\) proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems.
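As an added illustration (not part of the paper's abstract), the oracle-assisted cost above compared with the generic square-root bound; the GLS setting \(q = p\) and the 256-bit group order are assumed here as illustrative parameters, and the \(\tilde{O}\) polylogarithmic factors are ignored:

\[
\begin{aligned}
|E(\mathbb{F}_{q^n})| &\approx q^n, \qquad \text{generic (Pollard rho) cost} \approx q^{n/2}, \\
\text{oracle-assisted cost} &= q^{1-\frac{1}{n+1}} = q^{\frac{n}{n+1}}, \\
\frac{n}{2} - \frac{n}{n+1} &= \frac{n(n-1)}{2(n+1)} > 0 \quad \text{for all } n > 1, \\
n = 2,\ q = p \approx 2^{128}: &\quad q^{2/3} \approx 2^{85.3} \ \text{vs.}\ q^{1} = 2^{128}, \\
n = 4,\ q = p \approx 2^{64}: &\quad q^{4/5} \approx 2^{51.2} \ \text{vs.}\ q^{2} = 2^{128}.
\end{aligned}
\]

The same exponent \(\frac{n}{n+1}\) bounds the number of oracle queries in the learning phase, so the oracle must be available for that many queries before the cheaper per-instance solving applies.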
