Relationships Between Diffie-Hellman and “Index Oracles”

  • Adam Young
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3352)


The Computational Diffie-Hellman problem and its decisional variant are at the heart of many cryptographic applications. Yet, their exact computational power and their relationship to the Discrete Logarithm problem and the Decision Diffie-Hellman problem (DDH) is not fully understood in all settings. In order to extend the current understanding of the problem we introduce a new decision problem that we call the Jacobi Discrete Logarithm problem. We argue that this is a natural problem and we analyze it in groups in which Decision Diffie-Hellman (DDH) is believed to be intractable. In short, the JDL problem is to return the Jacobi symbol of the exponent x in g x . We show that JDL is random self-reducible and that it lies in between the Computational Diffie-Hellman (CDH) problem and DDH. Our analysis involves the notion of a powering oracle. Maurer and Wolf showed that a squaring oracle that returns \(g^{u^2}\) on input g u is actually equivalent to a DH oracle. It is weaker in the sense that it can be posed as a specialized DH oracle that need only respond correctly when u = v. In this paper we extend the study of the relationships between Diffie-Hellman and oracles for problems which manipulate or give partial information about the index of their input. We do so by presenting a reduction that shows that a powering oracle that responds with \(g^{u^a} mod P\) when given g u for an unknown a that is poly-logarithmic in p, is equivalent to DH. Technically, our reduction utilizes the inverse of a particular type of Vandermonde matrix. This inverse matrix has recursively defined entries. Implications for large values of a are also given.


Diffie-Hellman (DH) Computational Diffie-Hellman Decision Diffie-Hellman Discrete-Log Public Key Cryptography Oracles Black-Box Reductions JDL LDL 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BBM02]
    Bender, C., Brody, D., Meister, B.: Inverse of a Vandermonde Matrix. Preprint (2002), downloaded from
  2. [Bo88]
    Den Boer, B.: Diffie-Hellman is as strong as discrete log for certain primes. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 530–539. Springer, Heidelberg (1988)Google Scholar
  3. [Bon98]
    Boneh, D.: The Decision Diffie-Hellman Problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. [BV96]
    Boneh, D., Venkatesan, R.: Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)Google Scholar
  5. [CS98]
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 13. Springer, Heidelberg (1998)Google Scholar
  6. [DH76]
    Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)zbMATHMathSciNetCrossRefGoogle Scholar
  7. [ElG85]
    ElGamal, T.: A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  8. [Ga59]
    Gantmacher, F.R.: The Theory of Matrices, vol. 1. AMS Chelsea Publishing (1959)Google Scholar
  9. [GKP]
    Graham, R., Knuth, D., Patashnik, O.: Concrete Mathematics, Ch. 6 - Special Numbers, 2nd edn. Addison-Wesley, Reading (1994)zbMATHGoogle Scholar
  10. [JN01]
    Joux, A., Nguyen, K.: Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups, Available at
  11. [Ki01]
    Kiltz, E.: A Tool Box of Cryptographic Functions Related to the Diffie-Hellman Function. In: Pandu Rangan, C., Ding, C. (eds.) INDOCRYPT 2001. LNCS, vol. 2247, pp. 339–350. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. [Ma94]
    Maurer, U.: Towards proving the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 271–281. Springer, Heidelberg (1994)Google Scholar
  13. [Me01]
    Menezes, A.J.: Combinatorics and Optimization 331 - Coding Theory. Handout on Vandermonde Matrices, Downloaded by http from,
  14. [MW96]
    Maurer, U., Wolf, S.: Diffie-Hellman Oracles. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 268–282. Springer, Heidelberg (1996)Google Scholar
  15. [MW98]
    Maurer, U., Wolf, S.: The Relationship Bewteen Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms. SIAM Journal of Computing 28, 1689–1721 (1999)zbMATHMathSciNetCrossRefGoogle Scholar
  16. [MvOV99]
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1999)Google Scholar
  17. [NR97]
    Naor, M., Reingold, O.: Number theoretic constructions of efficient pseudo random functions. In: Proceedings of the 38th Symposium on Foundations of Computer Science—FOCS 1997, pp. 458–467 (1997)Google Scholar
  18. [PH78]
    Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. on Information Theory 24(1), 106–110 (1978)zbMATHMathSciNetCrossRefGoogle Scholar
  19. [SL97]
    Lindhurst, S.: Computing Roots in Finite Fields and Groups with a Jaunt through sums of Digits. Doctoral Dissertation (advisor - Eric Bach), Chapter 3 - Extensions of Shanks Algorithm (1997), downloaded from
  20. [St96]
    Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Adam Young
    • 1
  • Moti Yung
    • 2
  1. 1.Cigital, Inc 
  2. 2.Dept. of Computer ScienceColumbia University 

Personalised recommendations