# Lower bounds on generic algorithms in groups

## Abstract

In this paper we consider generic algorithms for computational problems in cyclic groups. The model of a generic algorithm was proposed by Shoup at Eurocrypt '97. A generic algorithm is a general-purpose algorithm that does not make use of any particular property of the representation of the group elements. Shoup proved the hardness of the discrete logarithm problem and the Diffie-Hellman problem with respect to such algorithms for groups whose order contains a large prime factor. By extending Shoup's technique we prove lower bounds on the complexity of generic algorithms solving different problems in cyclic groups, and in particular of a generic reduction of the discrete logarithm problem to the Diffie-Hellman problem. It is shown that the two problems are not computationally equivalent in a generic sense for groups whose orders contain a multiple large prime factor. This complements earlier results which stated this equivalence for all other groups. Furthermore, it is shown that no generic algorithm exists that computes *p*-th roots efficiently in a group whose order is divisible by *p*² if *p* is a large prime.
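The generic model described above can be made concrete as follows. This is an added illustration, not code from the paper: a group oracle that exposes elements only as random labels, and baby-step giant-step as a generic discrete-logarithm solver whose oracle-query count (about 2√n) is of the same square-root order as the lower bound Shoup proved. The names `GenericGroup`, `op`, `challenge` and `bsgs`, and the group order used, are assumptions chosen for the example.

```python
import math
import secrets

class GenericGroup:
    """Cyclic group of order n whose elements are visible only as random labels."""
    def __init__(self, n):
        self.n, self.queries = n, 0
        self._label, self._exp = {}, {}   # exponent -> label, label -> exponent

    def _encode(self, x):
        x %= self.n
        if x not in self._label:
            lab = secrets.token_hex(8)
            while lab in self._exp:       # keep the encoding injective
                lab = secrets.token_hex(8)
            self._label[x], self._exp[lab] = lab, x
        return self._label[x]

    def generator(self):
        return self._encode(1)

    def challenge(self, x):
        """Label of g^x, handed to the solver as the problem instance."""
        return self._encode(x)

    def op(self, a, b, sign=1):
        """One oracle query: label of a*b (sign=1) or a*b^-1 (sign=-1)."""
        self.queries += 1
        return self._encode(self._exp[a] + sign * self._exp[b])

def bsgs(G, g, h):
    """Baby-step giant-step using only label equality and G.op()."""
    m = math.isqrt(G.n - 1) + 1           # m*m >= n
    baby, cur = {}, G.op(g, g, -1)        # cur starts at the identity
    for j in range(m):                    # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = G.op(cur, g)
    g_m, cur = cur, h                     # cur left the loop as g^m
    for i in range(m):                    # giant steps: h * g^(-i*m)
        if cur in baby:
            return (i * m + baby[cur]) % G.n
        cur = G.op(cur, g_m, -1)
    return None

if __name__ == "__main__":
    G = GenericGroup(1000003)             # constructed example order (a prime)
    x = secrets.randbelow(G.n)
    assert bsgs(G, G.generator(), G.challenge(x)) == x
    print("queries:", G.queries, "sqrt(n) ~", math.isqrt(G.n))
```

The solver never sees an exponent or any structure in the labels; the only information it gains is which oracle outputs collide, which is the quantity the lower-bound arguments count.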

## Keywords

Diffie-Hellman protocol, discrete logarithms, generic algorithms, roots in finite groups, complexity lower bounds