Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2006: Advances in Cryptology - EUROCRYPT 2006 pp 1-11

Security Analysis of the Strong Diffie-Hellman Problem

  • Jung Hee Cheon
Conference paper

DOI: 10.1007/11761679_1

Volume 4004 of the book series Lecture Notes in Computer Science (LNCS)


Let g be an element of prime order p in an abelian group and \(\alpha\in {{\mathbb Z}}_p\). We show that if g, gα, and \(g^{\alpha^d}\) are given for a positive divisor d of p–1, we can compute the secret α in \(O(\log p \cdot (\sqrt{p/d}+\sqrt d))\) group operations using \(O(\max\{\sqrt{p/d},\sqrt d\})\) memory. If \(g^{\alpha^i}\) (i=0,1,2,..., d) are provided for a positive divisor d of p+1, α can be computed in \(O(\log p \cdot (\sqrt{p/d}+d))\) group operations using \(O(\max\{\sqrt{p/d},\sqrt d\})\) memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by \(O(\sqrt d)\) from that of the discrete logarithm problem for such primes.

Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from \(O(\sqrt p)\) to \(O(\sqrt{p/d})\) for Boldyreva’s blind signature and the original ElGamal scheme when p–1 (resp. p+1) has a divisor dp1/2 (resp. dp1/3) and d signature or decryption queries are allowed.


Discrete logarithmDiffie-Hellmanstrong Diffie-HellmanElGamal encryptionblind signature
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jung Hee Cheon
    • 1
  1. 1.ISaC and Dept. of MathematicsSeoul National UniversityRepublic of Korea