Advertisement

The Security of Polynomial Information of Diffie-Hellman Key

Conference paper
  • 1k Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)

Abstract

In this paper, we study the relations between the security of Diffie-Hellman (DH) key and the leakage of polynomial information of it again. Given a fixed sparse polynomial F(X) and an oracle, which returns value of polynomial of DH key i.e., \(F(g^{xy})\) when called by \(g^{x}\) and \(g^{y}\), we obtain a probabilistic algorithm to recover the key. It is an extension of Shparlinski’s result in 2004. This shows that finding polynomial information of DH key is as difficult as the whole key again. Furthermore, we study a variant of DH problem given 2 and \(g^{y}\) to compute \(2^{y}\) and the n-DH problem with this method respectively, and obtain similar results.

Keywords

Diffie-Hellman key m-sparse polynomial Polynomial information n-DH problem 

1 Introduction

In 1976, Diffie and Hellman proposed a practical method to agree on a secret key over an insecure channel called Diffie-Hellman (DH) key exchange protocol. Let \(g\in F_{p}^{*}\) be an element of multiplicative order t. In DH key exchange protocol over \(F^{*} _{p}\), two parties calculate \(g^{a},g^{b}\) respectively, where \(a,b\in [0,t-1]\) and exchange them to form their common key \(K=g^{ab}\). The element K has the same bit length n as p and n is chosen to make this protocol secure. Since then, many new cryptosystems have been proposed based on DH protocol.

In general, after the key exchange protocol is finished, both parties need to switch to a private key cryptosystem. For practicality and speed, they may wish to use a block cipher and therefore need to derive a much shorter bit string from K. A natural way would be to use a block of bits from \(g^{ab}\). So when we analyze the security of DH key, bit security is an important aspect. Boneh and Venkatesan proved that a part (32 bits) of the most significant bits (MSB) is as secure as the whole (1024 bits) key. They showed that finding \(n^{1/2}\) MSB of K is as difficult as the whole key in [2, 3]. A detailed survey of several other results of this type of problem has been given in [4].

Verheul [5] studies another aspect of DH key. Assume \(q=p^{t}\; and \;\gamma \in F_{q}\) is a generator of a group. If \(g(x)=\sum _{i=0}^{t}a_{i}x^{i}\) is an irreducible polynomial of degree t in \(F_{p}[X]\), then we can describe the extension field \(F_{q}\) as \(F_{p}[x]/g(x)\), i.e., each element f in \(F_{q}\) can be uniquely written modulo g(x), as a polynomial of degree \(<t\). In this setting, for any i less than t, let \(f_{i}\) denote the i-th coefficient of an element f. There exists a function that would be a linear mapping from \(F_{q}\) onto \(F_{p}\) and its value is the coefficient \(f_{i}\). [5] proves that this function can be expressed as \(F(X)=\Sigma _{i=1}^{m}c_{i}X^{e_{i}}(c_{i}\in F_{q})\) and \(c_{i}\) can be easily determined. [5] also studies the security of polynomial information of DH key and proves that finding coefficients \(f_{i}\) (i.e., polynomial information \(F(\gamma ^{xy})\)) of DH key \(\gamma ^{xy}\) is as difficult as the whole key.

As an application of [5, 6] gives a variant of DH scheme. In this variant, both parties send each other the minimal polynomials of \(\gamma ^{x},\gamma ^{y}\) rather than the element themselves and the exchanged key is some coefficient of non-constant term of the minimal polynomial of \(\gamma ^{xy}\). This coefficient can be expressed as \(F(\gamma ^{xy})\) and the polynomial F must have a very large degree, such that it is unfeasible to find \(\gamma ^{xy}\) by solving the equation \(F(\gamma ^{xy})=A\). [5, 6] proves that if we are given an oracle which for each pair \((\gamma ^{x},\gamma ^{y})\) returns \(F(\gamma ^{xy})\), then one can construct a polynomial time algorithm to recover \(\gamma ^{xy}\). This shows that the variant are at least as secure as the original DH scheme over a multiplicative group of \(F_{q}\). So the security of polynomial information of DH key is closely related to the security of DH key.

Shparlinski’s result [1] is a generalization of [5, 6]. It studies the security of polynomial transformations of DH key. Indeed, this polynomial transformation is a value of given polynomial function of the key. And [1] also extends [5] to the unreliable oracle case, that is, the oracle returns correct result only for a certain very small fraction of inputs and an error message for other inputs. Then an algorithm is given making expected number of calls of the oracle, to return \(\gamma ^{xy}\). It is deterministic when correct answers could be obtained from oracle. But it requires that the error answers of oracle could be identified. Moreover, in [1], only one part of the input to oracle is random and the other is fixed.

Here we improve the oracle and algorithm in [1] to get a probabilistic algorithm to recover DH key. In this improvement, not only the error from oracle could be not identified, but also both parts of inputs are random. In our algorithm, we use the Chebyshev inequality to identify error answers of the oracle. And for the two parts random inputs \((\gamma ^{x},\gamma ^{y})\) of the oracle, we use the Markov inequality to find a good y which makes us have a sufficient advantage in receiving correct answers from the oracle taking over x only. Thus we can solve a nonsingular system of linear equations to recover DH key. As corollaries, we study two special cases. Finally, we use the same method to study variants of DH problem, i.e., given 2 and \(g^{y}\) trying to recover the key \(2^{y}\) and the n-DH problem.

2 Preliminaries

In order to show our algorithms, we need an estimate on the number of zeros of polynomials from [1] and two important inequalities. Let \(F_{q}\) be a finite field of q elements and \(F^{*}_{p}\) be a multiplicative subgroup of \(F_{q}\), where p is a prime.

Lemma 1

([1]). For \(m\ge 2\), elements \(a_{1},a_{2},\ldots ,a_{m}\in F^{*}_{q}\) and integers \(e_{1},\ldots ,e_{m}\), an element \(\theta \in F_{q}\) of multiplicative order t. We denote by W the number of solutions of the equation \(\sum _{i=1}^{m}a_{i}\theta ^{e_{i}u}=0,u\in [0,t-1]\). Then \(W\le 3t^{1-1/(m-1)}D^{1/(m-1)},\) where \(D=min_{1 \le i\le m}max_{j\ne i}gcd(e_{j}-e_{i},t).\)

Let \(E(\xi )\) be the expected value of a random variable \(\xi \) and \(D (\xi )\) be the variance value of \(\xi \). So \(E_{\xi }[g(\xi )]\) denotes the expected value of a random variable \(g(\xi )\), where the function g only depends on the distribution of \(\xi \).

Theorem 1

(Markov). For a positive c and a random variable \(\xi \) upper bounded by M, \(Pr[\xi \ge E(\xi )/c]\ge M^{-1}(1-1/c)E(\xi )\).

Theorem 2

(Chebyshev). For an arbitrary positive \(\delta \), \(Pr[|\xi -E(\xi )|\ge \delta ]\le D(\xi )/\delta ^{2}\).

3 The Security of Polynomial Information of DH Key

Let \(\gamma \) be an element in \(F_{q}\) of multiplicative order t. We consider an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t.

3.1 The Polynomial Information from an Imperfect Oracle

Let \(0<\varepsilon \le 1\). Assume there exists an oracle \(O_{F,\varepsilon }\) satisfying that, given values of \((\gamma ^{x},\gamma ^{y})\) to the oracle, it returns correct values of \(F(\gamma ^{xy})\) for at least \(\varepsilon t^{2}\) pairs \((x,y)\in [0,t-1]^{2}\) and returns a random element of \(F^{*}_{p}\) for other pairs of \((x,y)\in [0,t-1]^{2}\). The case \(\varepsilon =1\) is a noise-free oracle which had been considered in [5]. So the following discussion only involves in the case of \(\varepsilon <1\).

Here we try to construct a nonsingular system of linear equations using polynomial information from the oracle. We firstly study how to select the coefficient matrix of this equation system.

Given \(\theta \in F^{*}_{p}\), for a vector \(\overrightarrow{u}=(u_{1},u_{2},\ldots ,u_{m})\), we say that \(\overrightarrow{u}\) is good if \(det(\theta ^{e_{i}u_{j}})_{i,j\ne 1}^{m} \ne 0\). We set \(U=\{\overrightarrow{u}|\overrightarrow{u}\;is\; good\}\). Here we estimate the possibility of finding a good \(\overrightarrow{u}\).

Assume that for some \(k(2\le k\le m)\), we have already found \(k-1\) elements \(u_{1},u_{2},\ldots ,u_{k-1}\in [0,t-1]\) with
$$\begin{aligned} det(\theta ^{e_{i}u_{j}})_{i,j\ne 1}^{k-1} \ne 0 \end{aligned}$$
(1)
We select element \(u_{k}\in [0,t-1]\) until
$$\begin{aligned} det(\theta ^{e_{i}u_{j}})_{i,j\ne 1}^{k} \ne 0 \end{aligned}$$
(2)
We know that if the determinant (2) vanishes then \(u_{k}\) is a solution of equation
$$\begin{aligned} \bigtriangleup _{1}^{e_{k}u_{k}}+\cdots +\bigtriangleup _{k}^{e_{1}u_{k}}=0 \end{aligned}$$
(3)
where, by (1), \(\bigtriangleup _{1}=det(\theta ^{e_{i}u_{j}})_{i,j}^{k-1}\ne 0\).

Applying Lemma 1, the number of elements \(u_{k}\in [0,t-1]\) satisfying (3) is at most \(3t^{1-1/(k-1)}\). So the probability of finding \(u_{k}\in [0,t-1]\) which satisfy (2) is at least \(1-3t^{-1/(k-1)}\). If we select \(u_{1},u_{2},..,u_{m}\in [0,t-1]\) uniformly and independently at random to get the vector \(\overrightarrow{u}=(u_{1},u_{2},\ldots ,u_{m})\), then \(Pr[\overrightarrow{u}\in U]\ge \prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}})\).

Since both parts of inputs to this oracle are random, for input \((\gamma ^{x},\gamma ^{y})\) of oracle, using idea of [1], we hope that we could choose a set of good y with a high probability such that, for each good y, we have a sufficient advantage in receiving correct answers from the oracle taking over x only. Then we can query oracle by randomizing the \(\gamma ^{x}\)-component, fixing a good y. Thus, we can obtain a probabilistic algorithm to recover \(\gamma ^{xy}\) with a high probability.

Let \(\varepsilon _{y}\) be the average success probability of \(O_{F,\varepsilon }\), taken over random x for a given y. Thus, \(E_{y}[\varepsilon _{y}]=\varepsilon \). For \(k=\lceil \log \frac{2}{\varepsilon }\rceil \), we say that y is j-good if \(\varepsilon _{y}\in [2^{-j},2^{-j+1})\), \(j=1,2,\ldots ,k\). Let \(S_{j}=\{y|y\;is\;\) \(j\)-\(good\}\) (thus we ignore any y satisfying \(\varepsilon _{y}<\varepsilon /2\)). By Theorem 1, for \(c=2,M=1\), \(Pr[\varepsilon _{y}\ge \frac{\varepsilon }{2}]\ge \frac{\varepsilon }{2}\).

If all j satisfy \(Pr[(y+v)\in S_{j}]<\frac{\varepsilon \cdot 2^{j-2}}{k}\), then
$$\frac{\varepsilon }{2}\le \sum _{j=1}^{k}2^{-j+1}Pr[(y+v)\in S_{j}]<\sum _{j=1}^{k}2^{-j+1}\cdot \frac{\varepsilon \cdot 2^{j-2}}{k}=\frac{\varepsilon }{2},$$
which is a contradiction. So there must exist j such that \(Pr[(y+v)\in S_{j}]\ge \frac{\varepsilon \cdot 2^{j-2}}{k}\). It means that we could find a suitable v such that \(y+v\) is j-good.
Now we present a probabilistic algorithm (Algorithm 1) to look for a suitable v.

In Algorithm 1, for every \(r_{i}\), we can compute correct values of \(\gamma ^{r_{i}(y+v)}\) to determine whether the output \(A_{i}\) of the oracle in step 2 is correct. So in step 4, we can get an approximate value of \(\varepsilon _{y+v}\) for some v. Because \(k=\lceil \log \frac{2}{\varepsilon }\rceil \), we know that if y is j-good, that is, \(\varepsilon _{y+v}\in [2^{-j},2^{-j+1})\), the value of \(\varepsilon _{y+v}\) must satisfy \(\varepsilon _{y+v}\ge \frac{\varepsilon }{2}\). Thus if Algorithm 1 finds a suitable v satisfying \(\varepsilon _{y+v}\ge \frac{\varepsilon }{2}\), we can get j and \(y+v\in S_{j}\) with the probability of at least \(\frac{\varepsilon }{2}\).

Based on Algorithm 1, we get Algorithm 2 which can output DH key by calling oracle \(O_{F,\varepsilon }\).

Theorem 3

Let t be a prime, \(m\ge 2\) and an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t. Given an oracle \(O_{F,\varepsilon }\), Algorithm 2 can output DH key with a probability at least \(\frac{\varepsilon }{2}\cdot (1-\frac{1}{n\delta ^{2}\cdot 2^{jm}})\cdot (1-3t^{-\frac{1}{m-1}})^{m-1}\) in time polynomial in (mnB) by making \(mn+B\) calls to the oracle. In particular, if \(t\ge (\frac{3}{1-2^{-\frac{1}{m-1}}})^{m-1}\) and \(\delta \ge (\frac{1}{n\cdot 2^{jm}})^{\frac{1}{2}}\), DH key could be found with a probability of at least \(\frac{\varepsilon }{4}\).

Proof

After running steps 1, 2, 3 of Algorithm 2, we can get a nonsingular system of linear equations
$$(\theta ^{e_{i}u_{j}})_{i,j=1}^{m}\cdot \left( \begin{array}{c} c_{1}\theta ^{xe_{1}} \\ \vdots \\ c_{m}\theta ^{xe_{m}} \end{array} \right) = \left( \begin{array}{c} A_{1} \\ \vdots \\ A_{m} \end{array} \right) $$
Because the coefficient matrix is non-singular, we can solve the system of equations to get the values of \((c_{1}\theta ^{xe_{1}},\ldots ,c_{m}\theta ^{xe_{m}})\). Because \(m\ge 2\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t, at least one of \(e_{1},\ldots ,e_{m}\) is relatively prime to t. So we can find an integer \(f_{i}\in [0,t-1]\) satisfying \(e_{i}f_{i}\equiv 1(mod\;t)\) and compute \(\theta ^{x}=(\theta ^{xe_{i}})^{f_{i}}\), that is, \((\gamma ^{^{y+v}})^{x}\). Thus we can get a candidate value of \(\gamma ^{xy}\) from \((\gamma ^{^{y+v}})^{x}=\gamma ^{xy}\cdot \gamma ^{xv}\).

Then we estimate the probability of which step 5 outputs a correct value of DH key. When we use \((\gamma ^{x+u_{i}},\gamma ^{y+v})\) to call the oracle, it returns the correct value of \(F(\gamma ^{(x+u_{i})(y+v)})\) with probability at least \(2^{-j}\). So after repeating steps 2, 3, 4 one time, we can get the correct \(\gamma ^{xy}\) with probability at least \(2^{-jm}\). From Theorem 2, with the increasing number of repetitions n in step 5, the value of \(\frac{z}{n}\) infinitely close to \(2^{-jm}\). Thus the value of \(\delta \) should be chosen as small as possible, but at this time, the value of n will be very big. In order to keep the efficiency of the algorithm, one should make a trade-off in choosing the value of \(\delta \in (0,1)\). Here by Theorem 2, we know that the output of step 5 is correct with the probability of \(Pr[|\frac{z}{n}-2^{-jm}|\le \delta ]\ge 1-\frac{2^{-jm}(1-2^{-jm})}{n\delta ^{2}}\).

The success of the Algorithm 2 means that steps 1, 2, 5 run successfully. So the successful probability of Algorithm 2 is:
$$\begin{aligned} \begin{aligned} Pr[Algorithm\;2\;succeeds] \ge&\frac{\varepsilon }{2}\cdot (1-\frac{2^{-jm}(1-2^{-jm})}{n\delta ^{2}})\cdot \prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}}) \\ \ge&\frac{\varepsilon }{2}\cdot (1-\frac{1}{n\delta ^{2}\cdot 2^{jm}})\cdot (1-3t^{-\frac{1}{m-1}})^{m-1} \end{aligned} \end{aligned}$$
Obviously, Algorithm 1 run in polynomial time poly(B) and steps 2, 3, 4, 5 of Algorithm 2 are done in polynomial time poly(mn). So Algorithm 2 is done in time polynomial in (mnB). When Algorithm 2 succeeds, we run the step 1 one time with B calls to the oracle and repeat step 2, 3, 4 n times with mn calls. Thus, we make the totally number of \(mn+B\) calls to the oracle.

If \(t\ge (\frac{3}{1-2^{-\frac{1}{m-1}}})^{m-1}\), we know \(\prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}})\ge \frac{1}{2}\). In order to output DH key with a probability at least \(\frac{\varepsilon }{4}\), one can choose the value of \(\delta \) at least \((\frac{1}{n\cdot 2^{jm}})^{\frac{1}{2}}\). This completes the proof.

3.2 Further Discussions on Another Two Cases

From Sect. 3.1, we can get two special cases. In these cases, we give two algorithms which can recover DH key by calling two special oracles respectively.

Assume that there is a special oracle \(\tilde{O}_{F,\varepsilon }\) satisfying that, for every \(x\in [0,t-1]\), when we use \((\gamma ^{x},\gamma ^{y})\) to make a call of the oracle, it returns the correct value of \(F(\gamma ^{xy})\) for at least \(\varepsilon t\) values of \(y\in [0,t-1]\) and returns a random element of \(F^{*}_{p}\) for other values of \(y\in [0,t-1]\). Here the error output from oracle \(\tilde{O}_{F,\varepsilon }\) could not be identified.

We give Algorithm 3 to recover DH key by calling oracle \(\tilde{O}_{F,\varepsilon }\).

Theorem 4

Let t be a prime, \(m\ge 2\) and an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t. Given an oracle \(\tilde{O}_{F,\varepsilon }\), Algorithm 3 can output DH key with a probability of at least \((1-\frac{\varepsilon ^{m}}{n\delta ^{2}})\cdot (1-3t^{-\frac{1}{m-1}})^{m-1}\) in time polynomial in mn by making mn calls to the oracle.

Proof

The proof is similar to Theorem 3, except that the probability of success is different. Using \((\gamma ^{x},\gamma ^{y+u_{j}})\) to call the oracle, it returns the correct value of \(F(\gamma ^{x(y+u_{_{j}})})\) with probability at least \(\varepsilon \). So after repeating steps 1, 2, 3 one time, we can get the correct \(\gamma ^{xy}\) with probability at least \(\varepsilon ^{m}\). By Theorem 2, for some \(0<\delta <1\), the output of step 4 is correct with the probability of \(Pr[|\frac{z}{n}-\varepsilon ^{m}|\le \delta ]\ge 1-\frac{\varepsilon ^{m}(1-\varepsilon ^{m})}{n\delta ^{2}}\).

The success of Algorithm 3 means that steps 1, 4 run successfully. So the successful probability of Algorithm 3 is:
$$\begin{aligned} \begin{aligned} Pr[Algorithm\;3\;succeeds] \ge&(1-\frac{\varepsilon ^{m}(1-\varepsilon ^{m})}{n\delta ^{2}})\cdot \prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}}) \\ \ge&(1-\frac{\varepsilon ^{m}}{n\delta ^{2}})\cdot (1-3t^{-\frac{1}{m-1}})^{m-1} \end{aligned} \end{aligned}$$
Obviously, when the Algorithm 3 succeeds, we repeat step 1, 2, 3 n times. Thus, we make the totally number of mn calls to the oracle.

Assume that there is another special oracle \(\hat{O}_{F,\varepsilon }\) satisfying that, given values of \((\gamma ^{x},\gamma ^{y})\) to the oracle, it returns correct values of \(F(\gamma ^{xy})\) for at least \(\varepsilon t^{2}\) pairs \((x,y)\in [0,t-1]^{2}\) and returns an error message for other pairs of \((x,y)\in [0,t-1]^{2}\). The oracle \(\hat{O}_{F,\varepsilon }\) makes two parts of inputs randomize instead of only one part in [1].

Here we give Algorithm 4 to recover DH key by calling oracle \(\hat{O}_{F,\varepsilon }\).

Theorem 5

Let t be a prime, \(m\ge 2\) and an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t. Given an oracle \(\hat{O}_{F,\varepsilon }\), Algorithm 4 can output DH key with a probability of at least \(\frac{\varepsilon }{2^{jm+1}}\cdot (1-3t^{-\frac{1}{m-1}})^{m-1}\) in time polynomial in (mB) by making \(m+B\) calls to the oracle.

Proof

The proof is similar to Theorem 3 except for the probability of success. The success of Algorithm 4 means that steps 1, 2 run successfully. Step 2 can find a suitable \(u_{j}\) such that oracle returns the correct values of \(F(\gamma ^{(x+u_{j})(y+v)})\) and \(det(\theta ^{e_{i}u_{j}})_{i,j=1}^{m}\ne 0\). So step 2 runs successfully with probability of at least \((2^{-j})^{m}\prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}})\).

Thus, the successful probability of Algorithm 4 is:
$$\begin{aligned} \begin{aligned} Pr[Algorithm\;4\;succeeds] \ge&\frac{\varepsilon }{2}\cdot (2^{-j})^{m}\cdot \prod _{i=2}^{m}(1-3t^{-\frac{1}{i-1}}) \\ \ge&\frac{\varepsilon }{2^{jm+1}}\cdot (1-3t^{-\frac{1}{m-1}})^{m-1} \end{aligned} \end{aligned}$$
When Algorithm 4 succeeds, we run the step 1 one time with B calls to the oracle and the step 2 one time with m calls. Thus, we make the totally number of \(m+B\) calls to the oracle.

Algorithms 2–4 all show that finding polynomial information of DH key is as difficult as the whole key.

4 Some Variants of DH Problem and Their Polynomial Information Security

In this section, we present some variants of DH problem, such as, \(DH_{g}(2,g^{y})\), the n-DH problem and Multiple DH problem. For these variants, we give algorithms and theorems with the similar method to Sect. 3 respectively. All theorems show that finding polynomial information of DH key of these variants is also as difficult as the whole key.

4.1 DH Problem \(DH_{g}(2,g^{y})\)

In [2], there is a new variant of the DH key exchange protocol. Say Alice and Bob wish to perform secret key over p. Alice picks a random number x in the range \([1,p-1]\) such that \(gcd(x,p-1)=1\), computes \(g=2^{x}(mod\;p)\) and sends g to Bob. Bob picks a random number y in \([1,p-1]\) and sends \(g^{y}\) to Alice. The key they agree on is \(\alpha =2^{y}(mod\;p)\). Clearly Bob can compute this value. Alice can compute this value since \(2^{y}=g^{yx^{^{-1}}}(mod\;p)\). So this variant of DH can be described as knowing 2 and \(g^{y}\) to recover the key \(2^{y}\), denoted \(DH_{g}(2,g^{y})\). There is an oracle \(O_{F,\varepsilon }\) whose definition is the same as Sect. 3.1.

Corollary 1

Given the oracle \(O_{F,\varepsilon }\), \(2^{y}\) can be recovered from \((2,g^{y})\) running Algorithm 2.

Proof

We use \((2,g^{y})\) as the inputs of the oracle \(O_{F,\varepsilon }\). Then running Algorithm 2 given input \((p,\delta ,g,2,g^{y})\), we can get the value of \(2^{y}\).

4.2 The n-DH Problem

In [7], Cash, Kiltz and Shoup proposed a new computational problem and named it the twin Diffie-Hellman (twin DH) problem with the meaning that given a random triple of the form \((\gamma ^{x_{1}},\gamma ^{x_{2}},\gamma ^{y})\in F^{3}_{q}\), compute \(\gamma ^{x_{1}y}\) and \(\gamma ^{x_{2}y}\). [8] presented a modification of the twin DH problem by extending the number of the (ordinary) DH instances from 2 to an arbitrary integer n, and name it the n-DH problem. The n-DH problem is that given a random \(n+1\) tuple of the form \((\gamma ^{x_{1}},\ldots ,\gamma ^{x_{n}},\gamma ^{y})\in F^{n+1}_{q}\), compute \((\gamma ^{x_{1}y},\ldots ,\gamma ^{x_{n}y})\).

Assume that there is a n-DH oracle \(O^{n}_{F,\varepsilon }\) satisfying that, for every \(x_{i}\in [0,t-1]\), \(i=1,2,..,n\), given the values of \((\gamma ^{x_{i}},\gamma ^{y})\), it returns correct \(F(\gamma ^{x_{i}y})\) for at least \(\varepsilon t\) values of \(y\in [0,t-1]\) and returns an error message for other values of \(y\in [0,t-1]\).

Here we can construct an algorithm using similar method to recover n-DH key by calling oracle \(O^{n}_{F,\varepsilon }\).

Theorem 6

Let t be a prime, \(m\ge 2\) and an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t. Given the oracle \(O^{n}_{F,\varepsilon }\), Algorithm 5 can output n-DH key with a probability of at least \(\varepsilon ^{mn}\cdot (1-3t^{-\frac{1}{m-1}})^{(m-1)n}\) in time polynomial in mn by making mn calls to the oracle.

Proof

It can easily imply from Theorem 5 that there exists an algorithm one can get value of \(\gamma ^{x_{1}y}\) with a probability of at least \(\varepsilon ^{m}\cdot (1-3t^{-\frac{1}{m-1}})^{(m-1)}\). Algorithm 5 is n repeats of Algorithm 4, so it can output the value of n-DH key with a probability of at least \(\varepsilon ^{mn}\cdot (1-3t^{-\frac{1}{m-1}})^{(m-1)n}\).

4.3 Multiple DH Problem

Based on Sect. 4.2, we define another variant of DH problem. It can be described as knowing \(\gamma ^{x_{1}},\gamma ^{x_{2}},\ldots ,\gamma ^{x_{n}}\) to recover the key \(\gamma ^{\prod _{i=1}^{n}x_{i}}\).

Assume that there is a Multiple DH oracle \(O_{F,\varepsilon }^{M}\) satisfying that, for every \(x_{1},x_{2},\ldots ,x_{n}\in [0,t-1]\), given values of \((\gamma ^{x_{1}},\gamma ^{x_{2}},\ldots ,\gamma ^{x_{n}})\), it returns correct \(F(\gamma ^{\prod _{i=1}^{n}x_{i}})\) for at least \(\varepsilon t\) values of \(x_{n}\in [0,t-1]\) and returns an error message for other values of \(x_{n}\in [0,t-1]\).

Here we can construct a recursion algorithm using similar method to Sect. 3 to recover Multiple DH key by calling oracle \(O_{F,\varepsilon }^{M}\).

Theorem 7

Let t be a prime, \(m\ge 2\) and an m-sparse polynomial \(F(X)=\sum _{i=1}^{m}c_{i}X^{e_{i}}\in F_{q}[X]\), where \(c_{1},\ldots ,c_{m}\in F^{*}_{q}\) and \(e_{1},\ldots ,e_{m}\) are pairwise distinct modulo t. Given the oracle \(O^{M}_{F,\varepsilon }\), Algorithm 6 which given \((\gamma ^{x_{1}},\gamma ^{x_{2}},\ldots ,\gamma ^{x_{n}})\) makes the expected number of at most \(2m\varepsilon ^{-1}(n-1)\) calls of the oracle, it returns the value of \(\gamma ^{\prod _{i=1}^{n}x_{i}}\).

Proof

Theorem 5 has proved that there exists an algorithm one can get value of \(\gamma ^{x_{1}x_{2}}\). We can easily know it needs the expected number of at most \(2m\varepsilon ^{-1}\) calls of the oracle. Algorithm 6 is \(n-1\) recursions of Algorithm 4, so it can output the value of \(\gamma ^{\prod _{i=1}^{n}x_{i}}\) by the expected number of at most \(2m\varepsilon ^{-1}(n-1)\) calls of the oracle.

5 Conclusion

In this paper, we study the relations between security of DH key and its polynomial information, and give several algorithms to recover DH key \(\gamma ^{xy}\) for different DH problems. These algorithms construct systems of equations to recover DH key by making polynomial number of calls to oracle to find polynomial information of DH key with a certain probability. And all these algorithms imply that finding polynomial information of DH key is as difficult as the whole key.

References

  1. 1.
    Shparlinski, I.E.: Security of polynomial transformations of the Diffie-Hellman key. Finite Fields Appl. 10(1), 123–131 (2004)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  3. 3.
    Vasco, M.I.G., Shparlinski, I.E.: On the security of Diffie-Hellman bits. In: Proceedings of the Workshop on Cryptography and Computer Number Theory, Singapore, 1999, pp. 257–268. Birkhauser, Basel (2001)CrossRefGoogle Scholar
  4. 4.
    Vasco, M.I.G., Naslund, M.: A survey of hard core functions. In: Proceedings of the Workshop on Cryptography and Computational Number Theory, Singapore, 1999, pp. 227–256. Birkhauser, Basel (2001)CrossRefGoogle Scholar
  5. 5.
    Verheul, E.R.: Certificates of recoverability with scalable recovery agent security. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 258–275. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Brouwer, A.E., Pellikaan, R., Verheul, E.R.: Doing more with fewer bits. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 321–332. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Cash, D.M., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Chen, L., Chen, Y.: The n-Diffie-Hellman problem and its applications. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 119–134. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.Data Assurance Communication Security Research CenterChinese Academy of SciencesBeijingChina
  3. 3.University of Chinese Academy SciencesBeijingChina

Personalised recommendations