DiÆe{Hellman Key
Igor E. Shparlinski
Department of Computing, Macquarie University
Sydney, NSW 2109, Australia
igor@ics.mq.edu.au
Abstract
D.Boneh and R.Venkatesanhave recentlyproposedan approach
toproving thatareasonablysmall portions ofmostsignicantbits of
theDiÆe{Hellmankeymoduloaprimeareassecurethethewholekey.
Some further improvements and generalizations have been obtained
by I. M. Gonzales Vasco and I. E. Shparlinski. E. R. Verheul has
obtainedcertainanalogiesoftheseresultsinthecaseofDiÆe{Hellman
keys in extensionsof nite elds, when anoracle isgiven tocompute
a certain polynomial function of the key, for example, the trace in
the background eld. Here we obtain a new result in this direction
concerning the case of so-called \unreliable" oracles. The result has
applicationstothesecurityoftherecentlyproposedbyA.K.Lenstra
and E.R.VerheulXTR cryptosystem.
1 Introduction
Let IF
q
denote anite eld of q elements.
D. Boneh and R. Venkatesan [1] have proposed an approach to proving
that about n 1=2
of most signicantbits ofthe DiÆe{Hellmankeymodulo an
n-bitprimeareassecureasthewholekey. Theirresultshavebeengeneralized
(and slightly corrected) by I. M. Gonzales Vasco and I. Shparlinski [7, 8].
A detailed survey of several other results of this type (including the RSA
cryptosystem and the discrete logarithm problem) has recently been given
lem for the DiÆe{Hellman key in arbitrary nite elds. However instead
of studying the security of the most signicant bits the paper [21] deals
with the security of values of sparsepolynomialsat the values of the DiÆe{
Hellmankeys. Moreprecisely,letusxanelement 2IF
q
andapolynomial
F(X)2IF
q
[X]. It has been shown in [21], under certain naturalconditions,
that if we are given an oracle which for each pair ( x
; y
) with some
inte-gers x and y returns the value of F ( xy
), than this oracle can be used to
construct a polynomial time algorithm to compute the DiÆe{Hellman key
xy
. We remark thatpolynomialsF can beof very largedegree (thusdirect
solving the equation F ( xy
) = A is not feasible) but contain a reasonably
small numberof monomials. The result has been motivated by applications
tothe proofof security of acertainnewcryptosystem,see[2,10,11,12,21].
Hereweobtainageneralizationof Theorem24of[21]tothe\unreliable"
case, when oracle returnsthe result onlyfor a certain very small fraction of
inputs and returns anerror message forother inputs.
2 Preparations
The following estimate on the number of zeros of sparse polynomials is a
version of the similar result from[3,4].
Lemma 1 For r 2 elements a
1 ;:::;a
r 2 IF
q
and integers
1 ;:::;
r 2 ZZ
let us denote by Q the number of solutions of the equation
r
X
i=1 a
i z
i
=0; z 2IF
q :
Then
Q3(q 1)
1 1=(r 1)
d 1=(r 1)
;
where
d= min
1ir max
j6=i gcd(
j
i
;q 1):
Proof. It has been shown in Lemma 7 of [3] (see also Lemma 4 of [4] and
Lemma 3.4of [16]) that
Q2 $
q 1
dL 1=(r 1)
IfL3 r 1
then
Qq 13(q 1)L
1=(r 1)
q >Q:
Otherwise l
L 1=(r 1)
m
12L
1=(r 1)
=3and the result follows. ut
Letus x anelement #2IF
q
of multiplicativeorder t.
Lemma 2 For m 2 elements a
1 ;:::;a
m 2 IF
q
and integers e
1 ;:::;e
m we
denote by W the number of solutionsof the equation
m
X
i=1 a
i #
e
i u
=0; u2[0;t 1]:
Then the bound
W 3t
1 1=(m 1)
D 1=(m 1)
;
holds, where
D= min
1im max
j6=i
gcd(e
j e
i ;t):
Proof. Wewrite# =g (q 1)=t
whereg isaprimitiverootof IF
q
and notethat
each solutionu2[0;t 1] of the previous exponentialequationgivesrise to
(q 1)=t distinct solutions
z
j =g
u+tj
; j =0;:::;(q 1)=t 1;
of the equation
m
X
i=1 a
i z
i
=0; z 2IF
q ;
where
j =e
j
(q 1)=t. Remarking that
gcd(
j
i
;q 1)= q 1
t
gcd(e
j e
i ;t);
from Lemma1 we obtainthat
W 3 t
q 1
(q 1)
1 1=(m 1)
q 1
t D
1=(m 1)
=3t
1 1=(m 1)
D 1=(m 1)
the DiÆe{Hellman Key
Let 2IF
q
be an elementof multiplicativeorder t.
As in[21] we consideran m-sparse polynomial
F(X)= m
X
i=1 c
i X
e
i
2IF
q
[X]; (1)
where c
1 ;:::;c
m 2IF
q and e
1 ;:::;e
m
are pairwise distinctmodulo t.
Let0<"1.
Assumethatwearegivenanoracle O
F;"
suchthatforeveryx2[0;t 1],
given the values of x
and y
, it returns F ( xy
) for at least "t values of
y2[0;t 1] and returnsan error messagefor other values of y2[0;t 1].
Thecase " =1, thatis, the case ofa \noise-free"oraclehas been
consid-ered in [21].
We are ready to prove the main result. For simplicity we assume that t
is a prime number, although analogues of our result hold for composite t as
well. Nevertheless this case allows us to simplify some arguments and it is
also one of the most practicallyimportantcases, see [2,10,11,12, 21].
Theorem 3 Let t be prime, m 2 and let an m-sparse polynomial F be
given by (1). Assume that
1"6t
1=(m 1)
:
GivenanoracleO
F;"
,thereexistsaprobabilisticalgorithmwhichgiven x
and
y
makes the expected number of at most 2m" 1
calls of the oracle O
F;" ,
ex-ecutespolynomial number (mlogq) O(1)
arithmetic operations in IF
q
per each
call and returns xy
for allpairs (x;y)2[0;t 1] 2
.
Proof. Ifx=0the resultistrivial. Letusconsiderapair (x;y)2[0;t 1] 2
with x6=0.
LetU bethesetofu2[0;t 1]forwhichtheoracle,giventhevaluesof x
and y+u
returnsthe valueof F
x(y+u)
. By the conditions of the theorem
jUj "t. We also remark that if y
is known then for any v 2 [0;t 1] the
value of y+v
can easilybe computed as well.
Put#= x
in the interval[0;t 1] and for eachof them feed x
and y+v
in the oracle
O
F;"
untilwend an element u2U and thusnd the values of F
x(y+u)
.
Let us callthis element u
1
. The expected number of oracle calls to nd
such anelementis " 1
2" 1
.
Assume that for some integer k, 2 k m, we have selected k 1
elementsu
1 ;:::;u
k 1
2U with
det(# e i u j ) k 1 i;j=1
6=0: (2)
Weselect elementsv uniformlyand independentlyat randominthe interval
[0;t 1] untilwe nd anelementu
k
2U suchthat
det(# eiuj
) k
i;j=1
6=0: (3)
Weremarkthatifthelastdeterminantvanishesthenu
k
satisesanequation
of the form
1 # e k u k +:::+ k # e 1 u k =0
where, by the assumption (2), wehave
1
=det(# eiuj
) k 1
i;j=1 6=0:
Applying Lemma 2 we obtain that the number of elements u
k
2 U which
satisfy the condition (3) isat least
jUj 3t
1 1=(k 1)
jUj 3t
1 1=(m 1)
1
2 jUj:
Thussuchanelementu
k
2U canbefoundintheexpectednumberofatmost
2" 1
oracle calls with x
and y+v
where elements v are selected uniformly
and independently at random in the interval [0;t 1]. More precisely, we
callthe oracleO
F;"
with x
and y+v
forarandomv 2[0;t 1]untilbothit
returns F (gx(y+v)) and
1 # e k v +:::+ k # e 1 v =0;
and callthe corresponding value u
k
. Because there are at least 0:5jUj2"t
such values of v, the expectednumberof call isat most 2" 1
.
Thereforeaftertheexpectednumberofatmost2m" 1
oraclecallswe
ob-tain melementsu
1
;:::;u
m
2U withcorrespondingvaluesofA
j
=F (# y+u
j
)
for each j =1;:::;m and such that
Theorem 24 of [21]. Indeed, we see from our construction that we have a
nonsingular system of linear equations
m
X
i=1 c
i #
eiuj
# eiy
=A
j
; j =1;:::;m;
from which the vector(c
1 #
e
1 y
;:::;c
m #
e
m y
)can be found and thus weobtain
the values of e
1 xy
;:::; e
m xy
. Because m 2 and t is prime, at least one
of e
1 ;:::;e
m
(which are pairwise distinct modulo t) is relatively prime to t.
Say if gcd(e
1
;t) =1wedene an integer f
1
2[1;t 1] from the congruence
f
1 e
1
1 (modt) and compute
xy
=( e1xy
) f
1
:
Remarkingthatbesidestheexpectednumberoforaclecallsis2m" 1
andthat
the rest of the algorithm canbe implemented indeterministicpolynomialin
mlogq time,weobtain the desired result. ut
4 Remarks
Let q=p r
. Then the trace function
Tr(X)= r 1
X
i=0 X
p i
provides a natural example of a polynomial of the form (1). This function
as wellas the function
L(X)= X
0i6=jr 1 X
p i
+p j
havebeen studiedin[2](withr =6). Our resultsimplyastrongerversionof
Lemma3.1of[2]andthusgivemoresecurityassurancetotheproposedthere
cryptosystem. Thesamecommentalsoappliestotheproposedin[10,11,12]
XTR public key cryptosystem which is based on a more computationally
eÆcientmodication of the ideas of [2].
It iseasy toseethat making more oraclecalls one can replacethe oracle
O
F;"
with a more natural and general oracle e
O
F;"
which returns F( xy
at least "t pairs (x;y) 2 [0;t 1] . For x 2 [0;t 1], let M
x
denote the
number y 2 [0;t 1] for which the oracle e
O
F;"
, given the values of x
and
y
, returnsF ( xy
). Thus,
t
X
x=0 M
x "t
2
:
Let L bethe number of x2[0;t 1] for which M
x
0:5"t. Then
t
X
x=0 M
x
0:5"t(t L)+Lt=0:5"t 2
+(1 0:5")Lt:
Therefore
L
"
2(1 0:5")
t 0:5"t:
Nowweselectarandomu2[0;t 1]andcompute x+u
. Usingpolynomially
many random values of v 2 [0;t 1] with high probability we can test
whether M
x+u
0:5"t. If this is not the case we select another value of
u. After the expected number of t=L 2" 1
random choices of u we nd
a value with M
x+u
0:5"t. Now we apply the same arguments as in the
proof of Theorem 3 with x+u
and y
, recovering (x+u)y
. Now we can nd
xy
= (x+u)y
( y
) u
.
In fact we donot even need the oracle to return the error message. It is
enough to assume that, when it does not compute F ( xy
), it returns just a
random element of IF
q
. Then repeating each oracle call polynomially many
times onecan distinguishbetween correctoutputsandrandomoutputswith
overwhelmingprobability.
On the other hand, it would also be very important to obtain similar
resultsforthe casewherethe oraclereturnsthecorrectvalue ofF ( xy
)fora
certainportionofinputsand returnswrong(butconsistent)resultsforother
inputs (insteadof the error messageora randomelement of IF
q
, thuswrong
outputs cannotbe immediatelyidentied).
Acknowledgment. The author would like to thank Arjen Lenstra
and Eric Verheul for usefuldiscussions and sending preprintsof [10, 11, 12].
References
[1] D. Boneh and R. Venkatesan, `Hardness of computing the most
(1996), 129{142.
[2] A. E.Brouwer,R.Pellikaanand E.R. Verheul,`Doingmorewith fewer
bits', Proc. Asiacrypt'99, Lect. Notes in Comp. Sci., Springer-Verlag,
Berlin, 1716 (1999),321{332.
[3] R. Canetti, J. B. Friedlander, S. Konyagin, M. Larsen, D. Lieman and
I. E. Shparlinski, `On the statisticalproperties of DiÆe{Hellman
distri-butions', Israel J. Math.,120 (2000), 23{46.
[4] J. B. Friedlander, M. Larsen, D. Lieman and I. E. Shparlinski, `On
correlation of binary M-sequences', Designs, Codes and Cryptography,
16 (1999), 249{256.
[5] M.I.GonzalezVascoandM.Naslund,`Asurveyofhardcorefunctions',
Proc. Workshop on Cryptography and Computational Number Theory,
Singapore 1999, Birkhauser, 2001, 227{256.
[6] M. I. Gonzalez Vasco, M. Naslund and I. E. Shparlinski, `The hidden
numberprobleminextension elds and itsapplications',Lect. Notes in
Comp. Sci.,Springer-Verlag, Berlin,2286 (2002),105{117.
[7] M. I. Gonzalez Vasco and I. E. Shparlinski, `On the security of
DiÆe-Hellman bits', Proc. Workshop on Cryptography and Computational
Number Theory, Singapore 1999, Birkhauser, 2001, 257{268.
[8] M. I. Gonzalez Vasco and I. E. Shparlinski, `Security of the most
sig-nicant bits of the Shamir message passing scheme', Math. Comp., 71
(2002), 333{342.
[9] N. A. Howgrave-Graham, P. Q. Nguyen and I. E. Shparlinski, `Hidden
numberproblemwithhiddenmultipliers,timed-releasecryptoandnoisy
exponentiation', Math. Comp., (toappear).
[10] A. K. Lenstra and E. R. Verheul, `The XTR public key system', Lect.
Notes in Comp. Sci.,Springer-Verlag, Berlin,1880 (2000), 1{19.
[11] A. K. Lenstra and E. R. Verheul, `Key improvements to XTR', Lect.
system',Proc.theConf.onPublicKeyCryptographyandComputational
Number Theory, Warsaw 2000,Walter deGruyter, 2001, 151{180.
[13] W.-C. W. Li, M. Naslund and I. E. Shparlinski, `The hidden
num-ber problem with the trace and bit security of XTR and LUC', Proc.
Crypto'02, Santa Barbara 2002, Lect. Notes in Comp. Sci.,
Springer-Verlag, Berlin,(toappear).
[14] M. Naslund, I. E. Shparlinski and W. Whyte, `On the bit security of
NTRU',Preprint, 2002, 1{10.
[15] P.Q.Nguyenand I. E.Shparlinski, `On the insecurityof aserver-aided
RSAprotocol',Lect.NotesinComp.Sci.,Springer-Verlag,Berlin,2248
(2001), 21{35.
[16] I.E.Shparlinski,Numbertheoreticmethodsincryptography: Complexity
lower bounds, Birkhauser, 1999.
[17] I. E. Shparlinski, `On the generalised hidden number problem and bit
security of XTR', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin,
2227 (2001),268{277.
[18] I. E.Shparlinski, `Securityof mostsignicantbits ofg x
2
',Inform. Proc.
Letters, 83 (2002), 109{113.
[19] I.E.Shparlinski,`Playing\Hide-and-Seek"inniteelds: Hidden
num-ber problem and its applications', Proc. 7th Spanish Meeting on
Cryp-tology and Information Security, Univ.of Oviedo, 2002, (toappear).
[20] I. E.Shparlinski,`Exponentialsumsand latticereduction: Applications
tocryptography',Proc. 6th Conference of FiniteFieldsand their
Appli-cations,Oaxaca 2001,Springer-Verlag, Berlin,(to appear).
[21] E.R.Verheul,`Certicatesofrecoverabilitywithscalablerecoveryagent
security',Proc. Inter. Workshopon Practiceabnd Theoryof Public Key
Cryptography (PKC'2000), Lect. Notesin Comp. Sci., Springer-Verlag,