Security of Polynomial Transformations of the Diffie--Hellman Key

DiÆe{Hellman Key

Igor E. Shparlinski

Department of Computing, Macquarie University

Sydney, NSW 2109, Australia

igor@ics.mq.edu.au

Abstract

D.Boneh and R.Venkatesanhave recentlyproposedan approach

toproving thatareasonablysmall portions ofmostsignicantbits of

theDiÆe{Hellmankeymoduloaprimeareassecurethethewholekey.

Some further improvements and generalizations have been obtained

by I. M. Gonzales Vasco and I. E. Shparlinski. E. R. Verheul has

obtainedcertainanalogiesoftheseresultsinthecaseofDiÆe{Hellman

keys in extensionsof nite elds, when anoracle isgiven tocompute

a certain polynomial function of the key, for example, the trace in

the background eld. Here we obtain a new result in this direction

concerning the case of so-called \unreliable" oracles. The result has

applicationstothesecurityoftherecentlyproposedbyA.K.Lenstra

and E.R.VerheulXTR cryptosystem.

1 Introduction

Let IF

q

denote anite eld of q elements.

D. Boneh and R. Venkatesan [1] have proposed an approach to proving

that about n 1=2

of most signicantbits ofthe DiÆe{Hellmankeymodulo an

n-bitprimeareassecureasthewholekey. Theirresultshavebeengeneralized

(and slightly corrected) by I. M. Gonzales Vasco and I. Shparlinski [7, 8].

A detailed survey of several other results of this type (including the RSA

cryptosystem and the discrete logarithm problem) has recently been given

lem for the DiÆe{Hellman key in arbitrary nite elds. However instead

of studying the security of the most signicant bits the paper [21] deals

with the security of values of sparsepolynomialsat the values of the DiÆe{

Hellmankeys. Moreprecisely,letusxanelement 2IF

q

andapolynomial

F(X)2IF

q

[X]. It has been shown in [21], under certain naturalconditions,

that if we are given an oracle which for each pair ( x

; y

) with some

inte-gers x and y returns the value of F ( xy

), than this oracle can be used to

construct a polynomial time algorithm to compute the DiÆe{Hellman key

xy

. We remark thatpolynomialsF can beof very largedegree (thusdirect

solving the equation F ( xy

) = A is not feasible) but contain a reasonably

small numberof monomials. The result has been motivated by applications

tothe proofof security of acertainnewcryptosystem,see[2,10,11,12,21].

Hereweobtainageneralizationof Theorem24of[21]tothe\unreliable"

case, when oracle returnsthe result onlyfor a certain very small fraction of

inputs and returns anerror message forother inputs.

2 Preparations

The following estimate on the number of zeros of sparse polynomials is a

version of the similar result from[3,4].

Lemma 1 For r 2 elements a

1 ;:::;a

r 2 IF

q

and integers

1 ;:::;

r 2 ZZ

let us denote by Q the number of solutions of the equation

r

X

i=1 a

i z

i

=0; z 2IF

q :

Then

Q3(q 1)

1 1=(r 1)

d 1=(r 1)

;

where

d= min

1ir max

j6=i gcd(

j

i

;q 1):

Proof. It has been shown in Lemma 7 of [3] (see also Lemma 4 of [4] and

Lemma 3.4of [16]) that

Q2 $

q 1

dL 1=(r 1)

IfL3 r 1

then

Qq 13(q 1)L

1=(r 1)

q >Q:

Otherwise l

L 1=(r 1)

m

12L

1=(r 1)

=3and the result follows. ut

Letus x anelement #2IF

q

of multiplicativeorder t.

Lemma 2 For m 2 elements a

1 ;:::;a

m 2 IF

q

and integers e

1 ;:::;e

m we

denote by W the number of solutionsof the equation

m

X

i=1 a

i #

e

i u

=0; u2[0;t 1]:

Then the bound

W 3t

1 1=(m 1)

D 1=(m 1)

;

holds, where

D= min

1im max

j6=i

gcd(e

j e

i ;t):

Proof. Wewrite# =g (q 1)=t

whereg isaprimitiverootof IF

q

and notethat

each solutionu2[0;t 1] of the previous exponentialequationgivesrise to

(q 1)=t distinct solutions

z

j =g

u+tj

; j =0;:::;(q 1)=t 1;

of the equation

m

X

i=1 a

i z

i

=0; z 2IF

q ;

where

j =e

j

(q 1)=t. Remarking that

gcd(

j

i

;q 1)= q 1

t

gcd(e

j e

i ;t);

from Lemma1 we obtainthat

W 3 t

q 1

(q 1)

1 1=(m 1)

q 1

t D

1=(m 1)

=3t

1 1=(m 1)

D 1=(m 1)

the DiÆe{Hellman Key

Let 2IF

q

be an elementof multiplicativeorder t.

As in[21] we consideran m-sparse polynomial

F(X)= m

X

i=1 c

i X

e

i

2IF

q

[X]; (1)

where c

1 ;:::;c

m 2IF

q and e

1 ;:::;e

m

are pairwise distinctmodulo t.

Let0<"1.

Assumethatwearegivenanoracle O

F;"

suchthatforeveryx2[0;t 1],

given the values of x

and y

, it returns F ( xy

) for at least "t values of

y2[0;t 1] and returnsan error messagefor other values of y2[0;t 1].

Thecase " =1, thatis, the case ofa \noise-free"oraclehas been

consid-ered in [21].

We are ready to prove the main result. For simplicity we assume that t

is a prime number, although analogues of our result hold for composite t as

well. Nevertheless this case allows us to simplify some arguments and it is

also one of the most practicallyimportantcases, see [2,10,11,12, 21].

Theorem 3 Let t be prime, m 2 and let an m-sparse polynomial F be

given by (1). Assume that

1"6t

1=(m 1)

:

GivenanoracleO

F;"

,thereexistsaprobabilisticalgorithmwhichgiven x

and

y

makes the expected number of at most 2m" 1

calls of the oracle O

F;" ,

ex-ecutespolynomial number (mlogq) O(1)

arithmetic operations in IF

q

per each

call and returns xy

for allpairs (x;y)2[0;t 1] 2

.

Proof. Ifx=0the resultistrivial. Letusconsiderapair (x;y)2[0;t 1] 2

with x6=0.

LetU bethesetofu2[0;t 1]forwhichtheoracle,giventhevaluesof x

and y+u

returnsthe valueof F

x(y+u)

. By the conditions of the theorem

jUj "t. We also remark that if y

is known then for any v 2 [0;t 1] the

value of y+v

can easilybe computed as well.

Put#= x

in the interval[0;t 1] and for eachof them feed x

and y+v

in the oracle

O

F;"

untilwend an element u2U and thusnd the values of F

x(y+u)

.

Let us callthis element u

1

. The expected number of oracle calls to nd

such anelementis " 1

2" 1

.

Assume that for some integer k, 2 k m, we have selected k 1

elementsu

1 ;:::;u

k 1

2U with

det(# e i u j ) k 1 i;j=1

6=0: (2)

Weselect elementsv uniformlyand independentlyat randominthe interval

[0;t 1] untilwe nd anelementu

k

2U suchthat

det(# eiuj

) k

i;j=1

6=0: (3)

Weremarkthatifthelastdeterminantvanishesthenu

k

satisesanequation

of the form

1 # e k u k +:::+ k # e 1 u k =0

where, by the assumption (2), wehave

1

=det(# eiuj

) k 1

i;j=1 6=0:

Applying Lemma 2 we obtain that the number of elements u

k

2 U which

satisfy the condition (3) isat least

jUj 3t

1 1=(k 1)

jUj 3t

1 1=(m 1)

1

2 jUj:

Thussuchanelementu

k

2U canbefoundintheexpectednumberofatmost

2" 1

oracle calls with x

and y+v

where elements v are selected uniformly

and independently at random in the interval [0;t 1]. More precisely, we

callthe oracleO

F;"

with x

and y+v

forarandomv 2[0;t 1]untilbothit

returns F (gx(y+v)) and

1 # e k v +:::+ k # e 1 v =0;

and callthe corresponding value u

k

. Because there are at least 0:5jUj2"t

such values of v, the expectednumberof call isat most 2" 1

.

Thereforeaftertheexpectednumberofatmost2m" 1

oraclecallswe

ob-tain melementsu

1

;:::;u

m

2U withcorrespondingvaluesofA

j

=F (# y+u

j

)

for each j =1;:::;m and such that

Theorem 24 of [21]. Indeed, we see from our construction that we have a

nonsingular system of linear equations

m

X

i=1 c

i #

eiuj

# eiy

=A

j

; j =1;:::;m;

from which the vector(c

1 #

e

1 y

;:::;c

m #

e

m y

)can be found and thus weobtain

the values of e

1 xy

;:::; e

m xy

. Because m 2 and t is prime, at least one

of e

1 ;:::;e

m

(which are pairwise distinct modulo t) is relatively prime to t.

Say if gcd(e

1

;t) =1wedene an integer f

1

2[1;t 1] from the congruence

f

1 e

1

1 (modt) and compute

xy

=( e1xy

) f

1

:

Remarkingthatbesidestheexpectednumberoforaclecallsis2m" 1

andthat

the rest of the algorithm canbe implemented indeterministicpolynomialin

mlogq time,weobtain the desired result. ut

4 Remarks

Let q=p r

. Then the trace function

Tr(X)= r 1

X

i=0 X

p i

provides a natural example of a polynomial of the form (1). This function

as wellas the function

L(X)= X

0i6=jr 1 X

p i

+p j

havebeen studiedin[2](withr =6). Our resultsimplyastrongerversionof

Lemma3.1of[2]andthusgivemoresecurityassurancetotheproposedthere

cryptosystem. Thesamecommentalsoappliestotheproposedin[10,11,12]

XTR public key cryptosystem which is based on a more computationally

eÆcientmodication of the ideas of [2].

It iseasy toseethat making more oraclecalls one can replacethe oracle

O

F;"

with a more natural and general oracle e

O

F;"

which returns F( xy

at least "t pairs (x;y) 2 [0;t 1] . For x 2 [0;t 1], let M

x

denote the

number y 2 [0;t 1] for which the oracle e

O

F;"

, given the values of x

and

y

, returnsF ( xy

). Thus,

t

X

x=0 M

x "t

2

:

Let L bethe number of x2[0;t 1] for which M

x

0:5"t. Then

t

X

x=0 M

x

0:5"t(t L)+Lt=0:5"t 2

+(1 0:5")Lt:

Therefore

L

"

2(1 0:5")

t 0:5"t:

Nowweselectarandomu2[0;t 1]andcompute x+u

. Usingpolynomially

many random values of v 2 [0;t 1] with high probability we can test

whether M

x+u

0:5"t. If this is not the case we select another value of

u. After the expected number of t=L 2" 1

random choices of u we nd

a value with M

x+u

0:5"t. Now we apply the same arguments as in the

proof of Theorem 3 with x+u

and y

, recovering (x+u)y

. Now we can nd

xy

= (x+u)y

( y

) u

.

In fact we donot even need the oracle to return the error message. It is

enough to assume that, when it does not compute F ( xy

), it returns just a

random element of IF

q

. Then repeating each oracle call polynomially many

times onecan distinguishbetween correctoutputsandrandomoutputswith

overwhelmingprobability.

On the other hand, it would also be very important to obtain similar

resultsforthe casewherethe oraclereturnsthecorrectvalue ofF ( xy

)fora

certainportionofinputsand returnswrong(butconsistent)resultsforother

inputs (insteadof the error messageora randomelement of IF

q

, thuswrong

outputs cannotbe immediatelyidentied).

Acknowledgment. The author would like to thank Arjen Lenstra

and Eric Verheul for usefuldiscussions and sending preprintsof [10, 11, 12].

References

[1] D. Boneh and R. Venkatesan, `Hardness of computing the most

(1996), 129{142.

[2] A. E.Brouwer,R.Pellikaanand E.R. Verheul,`Doingmorewith fewer

bits', Proc. Asiacrypt'99, Lect. Notes in Comp. Sci., Springer-Verlag,

Berlin, 1716 (1999),321{332.

[3] R. Canetti, J. B. Friedlander, S. Konyagin, M. Larsen, D. Lieman and

I. E. Shparlinski, `On the statisticalproperties of DiÆe{Hellman

distri-butions', Israel J. Math.,120 (2000), 23{46.

[4] J. B. Friedlander, M. Larsen, D. Lieman and I. E. Shparlinski, `On

correlation of binary M-sequences', Designs, Codes and Cryptography,

16 (1999), 249{256.

[5] M.I.GonzalezVascoandM.Naslund,`Asurveyofhardcorefunctions',

Proc. Workshop on Cryptography and Computational Number Theory,

Singapore 1999, Birkhauser, 2001, 227{256.

[6] M. I. Gonzalez Vasco, M. Naslund and I. E. Shparlinski, `The hidden

numberprobleminextension elds and itsapplications',Lect. Notes in

Comp. Sci.,Springer-Verlag, Berlin,2286 (2002),105{117.

[7] M. I. Gonzalez Vasco and I. E. Shparlinski, `On the security of

DiÆe-Hellman bits', Proc. Workshop on Cryptography and Computational

Number Theory, Singapore 1999, Birkhauser, 2001, 257{268.

[8] M. I. Gonzalez Vasco and I. E. Shparlinski, `Security of the most

sig-nicant bits of the Shamir message passing scheme', Math. Comp., 71

(2002), 333{342.

[9] N. A. Howgrave-Graham, P. Q. Nguyen and I. E. Shparlinski, `Hidden

numberproblemwithhiddenmultipliers,timed-releasecryptoandnoisy

exponentiation', Math. Comp., (toappear).

[10] A. K. Lenstra and E. R. Verheul, `The XTR public key system', Lect.

Notes in Comp. Sci.,Springer-Verlag, Berlin,1880 (2000), 1{19.

[11] A. K. Lenstra and E. R. Verheul, `Key improvements to XTR', Lect.

system',Proc.theConf.onPublicKeyCryptographyandComputational

Number Theory, Warsaw 2000,Walter deGruyter, 2001, 151{180.

[13] W.-C. W. Li, M. Naslund and I. E. Shparlinski, `The hidden

num-ber problem with the trace and bit security of XTR and LUC', Proc.

Crypto'02, Santa Barbara 2002, Lect. Notes in Comp. Sci.,

Springer-Verlag, Berlin,(toappear).

[14] M. Naslund, I. E. Shparlinski and W. Whyte, `On the bit security of

NTRU',Preprint, 2002, 1{10.

[15] P.Q.Nguyenand I. E.Shparlinski, `On the insecurityof aserver-aided

RSAprotocol',Lect.NotesinComp.Sci.,Springer-Verlag,Berlin,2248

(2001), 21{35.

[16] I.E.Shparlinski,Numbertheoreticmethodsincryptography: Complexity

lower bounds, Birkhauser, 1999.

[17] I. E. Shparlinski, `On the generalised hidden number problem and bit

security of XTR', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin,

2227 (2001),268{277.

[18] I. E.Shparlinski, `Securityof mostsignicantbits ofg x

2

',Inform. Proc.

Letters, 83 (2002), 109{113.

[19] I.E.Shparlinski,`Playing\Hide-and-Seek"inniteelds: Hidden

num-ber problem and its applications', Proc. 7th Spanish Meeting on

Cryp-tology and Information Security, Univ.of Oviedo, 2002, (toappear).

[20] I. E.Shparlinski,`Exponentialsumsand latticereduction: Applications

tocryptography',Proc. 6th Conference of FiniteFieldsand their

Appli-cations,Oaxaca 2001,Springer-Verlag, Berlin,(to appear).

[21] E.R.Verheul,`Certicatesofrecoverabilitywithscalablerecoveryagent

security',Proc. Inter. Workshopon Practiceabnd Theoryof Public Key

Cryptography (PKC'2000), Lect. Notesin Comp. Sci., Springer-Verlag,