On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields

  • Robert Granger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)


We show that for any elliptic curve \(E(\mathbb{F}_{q^n})\), if an adversary has access to a Static Diffie-Hellman Problem (Static DHP) oracle, then by making \(O(q^{1-\frac{1}{n+1}})\) Static DHP oracle queries during an initial learning phase, for fixed n > 1 and q → ∞ the adversary can solve any further instance of the Static DHP in heuristic time \(\tilde{O}(q^{1-\frac{1}{n+1}})\). Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the One-More DHP and One-More DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small n, our algorithm reduces the security provided by the elliptic curves defined over \(\mathbb{F}_{p^2}\) and \(\mathbb{F}_{p^4}\) proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems.
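Added here as a worked comparison of the stated bound against the generic attack; this is an illustration, not text from the paper. Since \(|E(\mathbb{F}_{q^n})| \approx q^n\) by the Hasse bound, a generic square-root (Pollard rho) attack on the DLP in this group costs about \(q^{n/2}\) group operations, whereas the oracle-assisted Static DHP bound above is
\[
\tilde{O}\!\left(q^{1-\frac{1}{n+1}}\right) = \tilde{O}\!\left(q^{\frac{n}{n+1}}\right),
\]
and the learning phase needs the same order of oracle queries. For the two GLS cases named in the abstract this gives
\[
n=2:\; q^{2/3} \text{ versus } q^{1}, \qquad n=4:\; q^{4/5} \text{ versus } q^{2}.
\]
Writing \(q = 2^k\), the effective security drops from \(\tfrac{kn}{2}\) bits to \(\tfrac{kn}{n+1}\) bits, i.e. to a fraction \(\tfrac{2}{n+1}\) of the generic level (two thirds for \(n=2\), two fifths for \(n=4\)), but only in deployments where the protocol lets an attacker obtain roughly \(q^{n/(n+1)}\) Static DHP answers from the same fixed secret.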


  1. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology 16, 185–215 (2003)
  2. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 149–162. Springer, Heidelberg (2002)
  3. Boldyreva, A.: Efficient threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003)
  4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
  5. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997)
  6. Brown, D.R.L., Gallant, R.P.: The Static Diffie-Hellman Problem. Cryptology ePrint Archive, Report 2004/306 (2004)
  7. Chaum, D., van Antwerpen, H.: Undeniable signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 212–217. Springer, Heidelberg (1990)
  8. Cheon, J.: Security analysis of the Strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)
  9. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  10. Diem, C.: On the discrete logarithm problem in class groups of curves. Mathematics of Computation (to appear)
  11. Diem, C.: On the discrete logarithm problem in elliptic curves (2009) (preprint)
  12. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inform. Theory 22(6), 644–654 (1976)
  13. Digital Signature Standard (DSS). FIPS PUB 186-2 (2000)
  14. Duursma, I., Gaudry, P., Morain, F.: Speeding up the Discrete Log Computation on Curves with Automorphisms. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 103–121. Springer, Heidelberg (1999)
  15. El Gamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
  16. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)
  17. Ford, W., Kaliski, B.: Server-assisted generation of a strong secret from a password. In: 9th International Workshop on Enabling Technologies, WET ICE 2000. IEEE Press, Los Alamitos (2000)
  18. Freeman, D.: Pairing-based identification schemes. Technical report HPL-2005-154, Hewlett-Packard Laboratories (2005)
  19. Frey, G.: How to disguise an elliptic curve. Talk at Waterloo Workshop on the ECDLP (1998), http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html
  20. Frey, G., Rück, H.G.: A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comp. 62, 865–874 (1994)
  21. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2010)
  22. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil Descent Attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002)
  23. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)
  24. Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. Journal of Symbolic Computation 44, 1690–1702 (2009)
  25. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. Journal of Cryptology 15, 19–46 (2002)
  26. Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A Double Large Prime Variation for Small Genus Hyperelliptic Index Calculus. Math. Comp. 76(257), 475–492 (2007)
  27. Gianni, P., Mora, T.: Algebraic solution of systems of polynomial equations using Gröbner bases. In: Huguet, L., Poli, A. (eds.) AAECC 1987. LNCS, vol. 356, pp. 247–257. Springer, Heidelberg (1989)
  28. Granger, R., Joux, A., Vitse, V.: New timings for oracle-assisted SDHP on the IPSEC Oakley 'Well Known Group' 3 curve. Web announcement on Number Theory List (July 8th, 2010), http://listserv.nodak.edu/archives/nmbrthry.html
  29. Hankerson, D., Karabina, K., Menezes, A.J.: Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. IEEE Transactions on Computers 58, 1411–1420 (2009)
  30. Hess, F.: The GHS Attack Revisited. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 374–387. Springer, Heidelberg (2003)
  31. IETF: The Oakley Key Determination Protocol. IETF RFC 2412 (November 1998)
  32. Jao, D., Yoshida, K.: Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem. In: Shacham, H., Waters, B. (eds.) Pairing-Based Cryptography – Pairing 2009. LNCS, vol. 5671, pp. 1–16. Springer, Heidelberg (2009)
  33. Joux, A., Lercier, R.: The Function Field Sieve in the Medium Prime Case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
  34. Joux, A., Lercier, R., Naccache, D., Thomé, E.: Oracle-Assisted Static Diffie-Hellman Is Easier Than Discrete Logarithms. In: Parker, M.G. (ed.) Cryptography and Coding. LNCS, vol. 5921, pp. 351–367. Springer, Heidelberg (2009)
  35. Joux, A., Lercier, R., Smart, N.P., Vercauteren, F.: The Number Field Sieve in the Medium Prime Case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006)
  36. Joux, A., Naccache, D., Thomé, E.: When e-th roots become easier than factoring. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 13–28. Springer, Heidelberg (2007)
  37. Joux, A., Vitse, V.: Elliptic Curve Discrete Logarithm Problem over Small Degree Extension Fields. Application to the static Diffie-Hellman problem on \(E(\mathbb{F}_{q^5})\). Cryptology ePrint Archive, Report 2010/157 (2010)
  38. Koblitz, N., Menezes, A.J.: Another look at non-standard discrete log and Diffie-Hellman problems. Journal of Mathematical Cryptology 2(4), 311–326 (2008)
  39. Koblitz, N., Menezes, A.J.: Intractable problems in cryptography. In: Proceedings of the 9th International Conference on Finite Fields and Their Applications. AMS, Providence
  40. Koblitz, N., Menezes, A.J.: The brave new world of bodacious assumptions in cryptography. Notices of the AMS 57, 357–365 (2010)
  41. Lakshman, Y.N.: On the complexity of computing Gröbner bases for zero-dimensional ideals. Ph.D. Thesis, RPI, Troy (1990)
  42. Maurer, U.M., Wolf, S.: The Diffie-Hellman Protocol. Designs, Codes, and Cryptography 19, 147–171 (2000)
  43. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to a finite field. IEEE Trans. Info. Theory 39, 1639–1646 (1993)
  44. Menezes, A., Teske, E., Weng, A.: Weak Fields for ECC. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 366–386. Springer, Heidelberg (2004)
  45. Satoh, T., Araki, K.: Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comm. Math. Univ. Sancti Pauli 47, 81–92 (1998)
  46. Semaev, I.A.: Evaluation of discrete logarithms on some elliptic curves. Math. Comp. 67, 353–356 (1998)
  47. Semaev, I.: Summation Polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031 (2004)
  48. Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology 12, 141–151 (1999)
  49. Smart, N.P.: How Secure are Elliptic Curves over Composite Extension Fields? In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 30–39. Springer, Heidelberg (2001)
  50. Thériault, N.: Index calculus attack for hyperelliptic curves of small genus. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 75–92. Springer, Heidelberg (2003)
  51. Wiener, M.J., Zuccherato, R.J.: Faster Attacks on Elliptic Curve Cryptosystems. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 190–200. Springer, Heidelberg (1999)

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Robert Granger, Claude Shannon Institute, School of Computing, Dublin City University, Dublin 9, Ireland