Designs, Codes and Cryptography, Volume 52, Issue 3, pp 381–390

The Diffie–Hellman problem and generalization of Verheul’s theorem



Bilinear pairings on elliptic curves have been of much interest in cryptography recently. Most of the protocols involving pairings rely on the hardness of the bilinear Diffie–Hellman problem. In contrast to the discrete log (or Diffie–Hellman) problem in a finite field, the difficulty of this problem has not yet been much studied. In 2001, Verheul (Advances in Cryptology—EUROCRYPT 2001, LNCS 2045, pp. 195–210, 2001) proved that on a certain class of curves, the discrete log and Diffie–Hellman problems are unlikely to be provably equivalent to the same problems in a corresponding finite field unless both Diffie–Hellman problems are easy. In this paper we generalize Verheul’s theorem and discuss the implications on the security of pairing based systems.


Keywords: Elliptic curves; Pairings; Public key cryptography; Diffie–Hellman problem; Distortion maps

Mathematics Subject Classifications (2000)

14H52, 11G20, 14G15, 14Q05, 11T71




References

  1. Bostan A., Morain F., Salvy B., Schost É.: Fast algorithms for computing isogenies between elliptic curves. Math. Comput. 77, 1755–1778 (2008).
  2. Bröker R.: Constructing supersingular elliptic curves. J. Combinatorics Number Theory (2008), to appear.
  3. Cox D.: Primes of the form x^2 + ny^2. Wiley, New York (1989).
  4. den Boer B.: Diffie–Hellman is as strong as discrete log for certain primes. In: Advances in Cryptology ’88. Lect. Notes in Comput. Sci., vol. 403, pp. 530–539. Springer, Berlin (1989).
  5. Elkies N.: Elliptic and modular curves over finite fields and related computational issues. In: Buell D.A., Teitelbaum J.T. (eds.) Computational Perspectives on Number Theory: Proceedings of a Conference in Honor of A. O. L. Atkin, pp. 21–76 (1997).
  6. Galbraith S., Paterson K.G.: Pairings (Ch. IX and X). In: Blake I.F., Seroussi G., Smart N.P. (eds.) Advances in Elliptic Curve Cryptography. London Math. Soc. Lecture Note Ser., vol. 317. Cambridge University Press (2005).
  7. Galbraith S., Rotger V.: Easy decision Diffie–Hellman groups. LMS J. Comput. Math. 7, 201–218 (2004).
  8. Galbraith S., Ó hÉigeartaigh C., Sheedy C.: Simplified pairing computation and security implications. J. Math. Cryptol. 1, 267–281 (2007).
  9. Galbraith S., Hess F., Vercauteren F.: Aspects of pairing inversion. IEEE Trans. Inform. Theory 12, 5719–5728 (2008).
  10. Joux A.: The Weil and Tate pairings as building blocks for public key cryptosystems (survey). In: ANTS-V: Proceedings of the 5th International Symposium on Algorithmic Number Theory. Lect. Notes in Comput. Sci., vol. 2369, pp. 20–32. Springer (2002).
  11. Koblitz N., Menezes A.: Pairing-based cryptography at high security levels. In: Smart N. (ed.) Cryptography and Coding. Lect. Notes in Comput. Sci., vol. 3796, pp. 13–36. Springer (2005).
  12. Kohel D.: Endomorphism rings of elliptic curves over finite fields. PhD thesis, University of California at Berkeley (1996).
  13. Lenstra A., Verheul E.: The XTR public key system. In: Advances in Cryptology—CRYPTO 2000. Lect. Notes in Comput. Sci., vol. 1880, pp. 1–19. Springer (2000).
  14. Maurer U., Wolf S.: The Diffie–Hellman protocol. Des. Codes Cryptogr. 19, 147–171 (2000).
  15. Menezes A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers (1993).
  16. Menezes A., Okamoto T., Vanstone S.: Reducing elliptic curve logarithms to logarithms in finite fields. IEEE Trans. Inform. Theory IT-39, 1639–1646 (1993).
  17. Menezes A., Vanstone S.: ECSTR (XTR): Elliptic Curve Singular Trace Representation. Rump Session of Crypto (2000).
  18. Moody D.: The Diffie–Hellman problem and generalization of Verheul’s theorem. Cryptology ePrint Archive, Report 2008/456 (2008). Available at
  19. Morales D.: Cheon’s algorithm, pairing inversion and the discrete logarithm problem. Cryptology ePrint Archive, Report 2008/300 (2008). Available at
  20. Satoh T.: On degrees of polynomial interpolations related to elliptic curves. In: Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 2005, Revised and Selected Papers. Lect. Notes in Comput. Sci., vol. 3969, pp. 155–163. Springer (2006).
  21. Satoh T.: On polynomial interpolations related to Verheul homomorphisms. LMS J. Comput. Math. 9, 135–158 (2006).
  22. Satoh T.: On pairing inversion problems. In: Pairing Conference 2007. Lect. Notes in Comput. Sci., vol. 4575, pp. 317–328. Springer (2007).
  23. Satoh T.: Closed formulae for the Weil pairing inversion. Finite Fields Appl. 14, 743–765 (2008).
  24. Silverman J.: The Arithmetic of Elliptic Curves. Springer, New York (1986).
  25. Stark H.M.: Class numbers of complex quadratic fields. In: Kuyk W. (ed.) Modular Functions of One Variable I. Lecture Notes in Math., vol. 320, pp. 153–174. Springer (1973).
  26. Verheul E.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. In: Advances in Cryptology—EUROCRYPT 2001. Lect. Notes in Comput. Sci., vol. 2045, pp. 195–210. Springer (2001).
  27. Verheul E.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptol. 17, 277–296 (2004).
  28. Washington L.: Elliptic Curves (Number Theory and Cryptography), 2nd edn. Chapman & Hall, Boca Raton, FL (2008).

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  1. Department of Mathematics, University of Washington, Seattle, USA
