Optimal Randomness Extraction from a Diffie-Hellman Element

  • Céline Chevalier
  • Pierre-Alain Fouque
  • David Pointcheval
  • Sébastien Zimmer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)


In this paper, we study a quite simple deterministic randomness extractor from random Diffie-Hellman elements defined over a prime order multiplicative subgroup G of a finite field \({\mathbb Z}_p\) (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in \(G\subset {\mathbb Z}_p^*\), or of the abscissa of a random point in \(\mathcal{E}({\mathbb F}_p)\), are indistinguishable from a uniform bit-string. Such an operation is quite efficient, and it is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can for most elliptic curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with the previous known results proposed at ICALP'06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main applications of this extractor is to mathematically prove an assumption proposed at Crypto '07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by NIST. The second most obvious application is to perform efficient key derivation given Diffie-Hellman elements.
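The extractor the abstract describes is simply "keep the k least significant bits" of a subgroup element, or of the x-coordinate of a curve point. The Python below is an added illustration, not code from the paper or its authors: it builds a constructed toy group (the quadratic residues modulo the prime 10007, a subgroup of prime order 5003) and a constructed toy curve over the same field, computes the exact distribution of the truncated output, and reports its statistical distance from uniform for a few output lengths k. It does not reproduce the paper's exponential-sum bound; it only makes the qualitative claim visible, namely that a k-bit output stays close to uniform while k is well below log2 of the subgroup order, and that asking for too many bits produces a measurable bias. The curve variant uses the full set of affine points rather than a prime-order subgroup, a simplification relative to the paper's setting.

```python
"""
Added illustration (not from the paper): the truncation extractor on constructed
toy parameters small enough that the exact output distribution can be computed.

Extractor: take a random element of a prime-order subgroup G of Z_p^* (or the
x-coordinate of a random point on a curve over F_p) and keep its k least
significant bits.  We then measure the statistical distance of that k-bit
output from the uniform distribution on k bits.
"""
from collections import Counter


def lsb_extract(x: int, k: int) -> int:
    """Keep the k least significant bits of the integer representation of x."""
    return x & ((1 << k) - 1)


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def prime_order_subgroup(p: int) -> set:
    """Constructed toy group: the quadratic residues modulo p.
    For p = 10007, p - 1 = 2 * 5003 with 5003 prime, so this subgroup has prime order."""
    return {pow(x, 2, p) for x in range(1, p)}


def curve_abscissae(p: int, a: int, b: int) -> list:
    """x-coordinates of all affine points on y^2 = x^3 + a*x + b over F_p, with
    multiplicity (two points share an x when the right-hand side is a non-zero square).
    Constructed toy curve; the full point set is used instead of a prime-order subgroup."""
    xs = []
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            xs.append(x)
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a square
            xs.extend([x, x])
    return xs


def statistical_distance_from_uniform(values, k: int) -> float:
    """Exact statistical distance between the k-bit outputs of lsb_extract over
    `values` (each value equally likely) and the uniform distribution on k bits."""
    counts = Counter(lsb_extract(v, k) for v in values)
    n = len(values)
    uniform = 1.0 / (1 << k)
    total = sum(abs(counts.get(out, 0) / n - uniform) for out in range(1 << k))
    return total / 2.0


P = 10007          # constructed toy prime
Q = (P - 1) // 2   # order of the quadratic-residue subgroup, 5003 (prime)


def demo() -> dict:
    """Statistical distances for a few output lengths k, for the finite-field
    subgroup and for the toy curve (a = 2, b = 3 are constructed choices)."""
    assert is_prime(P) and is_prime(Q)
    g_elems = prime_order_subgroup(P)
    ec_xs = curve_abscissae(P, a=2, b=3)
    return {
        "field": {k: statistical_distance_from_uniform(g_elems, k) for k in (4, 8, 13)},
        "curve": {k: statistical_distance_from_uniform(ec_xs, k) for k in (4, 8, 13)},
        "log2_q": Q.bit_length(),
        "curve_points": len(ec_xs),
    }


if __name__ == "__main__":
    result = demo()
    print(f"subgroup order q = {Q} ({result['log2_q']} bits), "
          f"affine curve points = {result['curve_points']}")
    for name in ("field", "curve"):
        for k, sd in result[name].items():
            print(f"{name:5s} k={k:2d} bits: statistical distance {sd:.4f}")
```

With k = 4 the distance is small; with k = 13, which exceeds the 13-bit subgroup order, it is necessarily large because 8192 possible outputs cannot be covered evenly by 5003 elements. In a real key-derivation setting the analogue of this check is the paper's bound on how many bits may be truncated from a DH element of a given size; the toy computation is only a sanity check of the direction of that claim.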




  1. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)
  2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, New York (1993)
  3. Bombieri, E.: On exponential sums in finite fields. American Journal of Mathematics 88, 71–105 (1966)
  4. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)
  5. Boneh, D., Shparlinski, I.E.: On the unpredictability of bits of the elliptic curve Diffie–Hellman scheme. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 201–212. Springer, Heidelberg (2001)
  6. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
  7. Brown, D.R.L., Gjøsteen, K.: A security analysis of the NIST SP 800-90 elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 466–481. Springer, Heidelberg (2007)
  8. Canetti, R., Friedlander, J., Konyagin, S., Larsen, M., Lieman, D., Shparlinski, I.: On the statistical properties of Diffie-Hellman distributions. Israel Journal of Mathematics 120, 23–46 (2000)
  9. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
  10. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
  11. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
  12. El Gamal, T.: On computing logarithms over finite fields. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 396–402. Springer, Heidelberg (1986)
  13. Fouque, P.-A., Pointcheval, D., Stern, J., Zimmer, S.: Hardness of distinguishing the MSB or LSB of secret keys in Diffie-Hellman schemes. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 240–251. Springer, Heidelberg (2006)
  14. Fouque, P.-A., Pointcheval, D., Zimmer, S.: HMAC is a randomness extractor and applications to TLS. In: Abe, M., Gligor, V.D. (eds.) ASIACCS 2008, pp. 21–32. ACM Press, New York (2008)
  15. Gennaro, R., Krawczyk, H., Rabin, T.: Secure hashed Diffie-Hellman over non-DDH groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 361–381. Springer, Heidelberg (2004)
  16. Gürel, N.: Extracting bits from coordinates of a point of an elliptic curve. Cryptology ePrint Archive, Report 2005/324 (2005)
  17. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM Journal on Computing 28(4), 1364–1396 (1999)
  18. Heath-Brown, D.R., Konyagin, S.: New bounds for Gauss sums derived from kth powers, and for Heilbronn's exponential sum. Q. J. Math. 51(2), 221–235 (2000)
  19. Impagliazzo, R., Zuckerman, D.: How to recycle random bits. In: Proc. of the 30th FOCS, pp. 248–253. IEEE, New York (1989)
  20. Jetchev, D., Venkatesan, R.: Bits security of the elliptic curve Diffie–Hellman secret keys. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 75–92. Springer, Heidelberg (2008)
  21. Kohel, D.R., Shparlinski, I.E.: On exponential sums and group generators for elliptic curves over finite fields. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 395–404. Springer, Heidelberg (2000)
  22. Konyagin, S.V., Shparlinski, I.: Character Sums With Exponential Functions and Their Applications. Cambridge University Press, Cambridge (1999)
  23. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press, Los Alamitos (1997)
  24. NIST: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST Special Publication 800-90 (March 2007)
  25. Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge University Press, Cambridge (2005)
  26. Washington, L.: Elliptic Curves: Number Theory and Cryptography. CRC Press, Boca Raton (2003)
  27. Weil, A.: Sur les courbes algébriques et les variétés qui s'en déduisent. In: Actualités scientifiques et industrielles, Publications de l'institut de Mathématique de l'université de Strasbourg, vol. 1041, Paris, Hermann (1948)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Céline Chevalier (1)
  • Pierre-Alain Fouque (1)
  • David Pointcheval (1)
  • Sébastien Zimmer (1)
  1. École Normale Supérieure, CNRS-INRIA, Paris, France
