Security Analysis of the Strong Diffie-Hellman Problem

  • Jung Hee Cheon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


Let g be an element of prime order p in an abelian group and \(\alpha\in {{\mathbb Z}}_p\). We show that if g, g α , and \(g^{\alpha^d}\) are given for a positive divisor d of p–1, we can compute the secret α in \(O(\log p \cdot (\sqrt{p/d}+\sqrt d))\) group operations using \(O(\max\{\sqrt{p/d},\sqrt d\})\) memory. If \(g^{\alpha^i}\) (i=0,1,2,..., d) are provided for a positive divisor d of p+1, α can be computed in \(O(\log p \cdot (\sqrt{p/d}+d))\) group operations using \(O(\max\{\sqrt{p/d},\sqrt d\})\) memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by \(O(\sqrt d)\) from that of the discrete logarithm problem for such primes.

Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from \(O(\sqrt p)\) to \(O(\sqrt{p/d})\) for Boldyreva’s blind signature and the original ElGamal scheme when p–1 (resp. p+1) has a divisor dp 1/2 (resp. dp 1/3) and d signature or decryption queries are allowed.


Discrete logarithm Diffie-Hellman strong Diffie-Hellman ElGamal encryption blind signature 


  1. [ABR98]
    Abdalla, M., Bellare, M., Rogaway, P.: DHAES: An encryption scheme based on Diffie-Hellman problem. IEEE P1363a Submission (1998), available at:
  2. [BB04e]
    Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. [BB04s]
    Boneh, D., Boyen, X.: Short Signatures Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. [BBG05]
    Boneh, D., Boyen, X., Goh, E.: Hierarchical Identity Based Encryption with Constant Size Ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. [BBS04]
    Boneh, D., Boyen, X., Shacham, H.: Short Group Signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. [BD94]
    Burmester, M., Desmedt, Y.: A Secure and Efficient Conference Key Distribution System (Extended Abstract). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  7. [BGW05]
    Boneh, D., Gentry, C., Waters, B.: Collution Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. [BLS01]
    Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pairing. ASIACRYPT 2001 17(4), 297–319 (2004); Extended abstract in proceedings of Asiacrypt 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) Google Scholar
  9. [Boe88]
    den Boer, B.: Diffie-Hellman is as Strong as Discrete Log for Certain Primes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 530–539. Springer, Heidelberg (1990)CrossRefGoogle Scholar
  10. [Bol03]
    Boldyreva, A.: Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. [DY05]
    Dodis, Y., Yampolskiy, A.: A Verifiable Random Function with Short Proofs and Keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. [ElG85]
    Elgamal, T.: A Public Key Cryptosystem and a Signature Scheme based on Discrete Logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985)MathSciNetCrossRefMATHGoogle Scholar
  13. [Gor84]
    Gordon, J.: Strong Primes are Easy to Find. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 216–223. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  14. [KM05]
    Koblitz, N., Menezes, A.: Pairing-based Cryptography at High Security Levels. In: IMA Conference of Cryptography and Coding 2005, pp. 13–36 (2005)Google Scholar
  15. [MIRACL]
    Scott, M.: Multiprecision Integer and Rational Arithmetic C/C++ Library, available at:
  16. [MOV]
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefMATHGoogle Scholar
  17. [MSK02]
    Mitsunari, S., Sakai, R., Kasahara, M.: A New Traitor Tracing. IEICE Trans. Fundamentals E85-A(2), 481–484 (2002)Google Scholar
  18. [MW99]
    Maurer, U., Wolf, S.: The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms. SIAM J. Comput. 28(5), 1689–1721 (1999)MathSciNetCrossRefMATHGoogle Scholar
  19. [NIST]
    Recommended Elliptic Curves for Federal Government Use (1999), available at:
  20. [Pol78]
    Pollard, J.: Monte Carlo Methods for Index Computation (\(\bmod p\)). Mathematics of Computation 32, 918–924 (1978)MathSciNetMATHGoogle Scholar
  21. [Sho97]
    Shoup, V.: Lower bounds for Discrete Logarithms and Related Problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  22. [Tes98]
    Teske, E.: Speeding up Pollard’s Rho Method for Computing Discrete Logarithms. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 541–554. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jung Hee Cheon
    • 1
  1. 1.ISaC and Dept. of MathematicsSeoul National UniversityRepublic of Korea

Personalised recommendations