
1 Introduction

The notion of hardcore functions goes back almost to the invention of public key cryptography. Loosely speaking, for a one-way function f, a function b is a hardcore function for f if given f(x) it is hard to compute b(x) (while given x, computing b(x) is easy).

The main interest is in functions b that output some bits of x, which gives this research field the name bit security. That is, while computing x from f(x) is computationally hard by definition, one tries to assess the hardness of computing partial information about x. This can be done by providing an (efficient) algorithm that computes b(x), or more commonly by reducing the problem of computing x to computing b(x). That is, one provides an (efficient) algorithm that inverts f given an algorithm that computes b on f.

For popular candidates for one-way functions, such as the RSA function (\(RSA_{N,e}(x)=x^e \text { mod } N\)) and discrete exponentiation in a subgroup of prime order (\(EXP_g(x)=g^x\); g has prime order), all single-bit functions are known to be hardcore. This result, now standard, took more than 15 years to achieve, with small improvements made year after year. An important aspect to consider is the success probability in computing b(x): the result just mentioned applies to every algorithm that computes b(x) with a non-negligible advantage over a trivial guess. See [11] for a survey on hardcore functions which presents the developments over the years.

The notion of a hardcore function can be generalized to suit the Diffie–Hellman key exchange protocol. Let \((G, \cdot )\) be a group and let \(g \in G\). For a function b, given \(g^u\) and \(g^v\), we consider the hardness of computing b(s) for (the Diffie–Hellman key) \(s=g^{uv}\). Proving bit security for Diffie–Hellman key exchange has known less success than the aforementioned results. For \(G=\mathbb {Z}^*_p\), the multiplicative group of integers modulo a prime p, the \(\sqrt{\log p} + \log \log p\) most (and least) significant bits of s are as hard to compute as s itself [9] (see also [13]; a similar result holds for twice as many consecutive inner bits, as a consequence of [19, Sect. 5.1]). For \(G={\mathbb {F}}^*_{p^m}\), the multiplicative group of a finite extension field, represented as a vector space over \({\mathbb {F}}_p\), computing a single component of s is as hard as computing s itself [25], which follows from the fact that a single component of a product st is linear in all of the components of s. Moreover, using this linearity, a result in a similar fashion to the case of \(G=\mathbb {Z}^*_p\) can be obtained from [22] for a single component (see also [16]). These results need – essentially – perfect success in computing the partial information.

The case of the elliptic curve Diffie–Hellman key exchange protocol has seen even fewer results, mainly because of the inherent nonlinearity of the problem. For elliptic curves over prime fields there are no known (non-trivial) results. For the group of elliptic curve points over an extension field of degree 2, computing a single component of the x-coordinate of s is as hard as computing s itself [14, Remark 3.1]. This result requires perfect success in computing the component. We mention that for the case of elliptic curves over prime fields it is claimed in [7] that computing the top \((1-\epsilon )\) fraction of bits of the x-coordinate of s, for \(\epsilon \approx 0.02\), is as hard as computing all of them, but a proof is not provided, probably because, as the authors themselves note, it is a weak result. Obtaining bit security results for elliptic curve Diffie–Hellman keys has been an open problem for almost 20 years [6, Sect. 5] (see also [11, Sect. 5]).

Some results on hardness of bits, related to the elliptic curve Diffie–Hellman protocol, were given by Boneh and Shparlinski [8] and by Jetchev and Venkatesan [15] (building on [8] and assuming the generalized Riemann hypothesis). These results differ from ours in two aspects. They do not provide hardness of bits for the elliptic curve Diffie–Hellman protocol for a single fixed curve. Furthermore, the techniques used to achieve these results are very different from ours, as they reduce the problem to an easier linear problem, while we keep working with the non-linear addition law.

In this paper we study the bit security of the elliptic curve Diffie–Hellman key exchange protocol. Our main result is Theorem 2, where we show that about 5/6 of the most significant bits of the x-coordinate of the Diffie–Hellman key are as hard to compute as the entire key. As above, this result holds if one assumes a perfect success in computing these bits. This result directly follows from the solution to the elliptic curve hidden number problem given in Theorem 1. This solution is based on the ideas behind the solution to the modular inversion hidden number problem given in [7] and follows the formal proof given by Ling, Shparlinski, Steinfeld and Wang [17] (earlier ideas already appear in [2, 3]).

Additional results are given in Sect. 6. In Sect. 6.1 we show how to derive the same result for the least significant bits. Section 6.2 addresses the case of elliptic curves over extension fields. This problem was first studied by Jao, Jetchev and Venkatesan [14]. We improve the known result to hold for both coordinates of the Diffie–Hellman key and to any constant extension degree. More details on these results appear in the full version of this paper [21].

As the literature on the elliptic curve hidden number problem is very minimal and incomplete, short discussions – some of which are quite trivial – appear throughout the paper in order to give a complete and comprehensive study of the problem. We hope that this work will initiate the study of bit security of elliptic curve Diffie–Hellman key exchange that will lead to improvements either in the number of hardcore bits or in the required success probability for computing them.

2 Mathematical Background

Throughout the paper \(p>3\) is an m-bit prime number and \({\mathbb {F}}_p\) is the field with p elements represented by \(\{-\frac{p-1}{2},\ldots ,\frac{p-1}{2}\}\). For \(k>0\) and \(x \in {\mathbb {F}}_p\), we denote by \(\text {MSB}_k(x)\) any \(h \in {\mathbb {F}}_p\) such that \(| x - h | \le \frac{p}{2^{k+1}}\). We have \(h = \text {MSB}_k(x) = x - e\) for \(|e| \le \frac{p}{2^{k+1}}\), which we loosely call noise.

2.1 Elliptic Curves

Throughout the paper E is an elliptic curve over \({\mathbb {F}}_p\), given in a short Weierstrass form

$$\begin{aligned} y^2 = x^3 + ax + b, \quad a,b \in {\mathbb {F}}_p \quad \text {and} \quad 4a^3+27b^2 \ne 0 \,. \end{aligned}$$

A point \(P=(x,y) \in {\mathbb {F}}^2_p\) that satisfies this equation is a point on the curve E. We denote the x-coordinate (resp. y-coordinate) of a given point P by \(x_P\) or \(P_x\) (resp. \(y_P\) or \(P_y\)). The set of points on E, together with the point at infinity O, is known to be an abelian group. Hasse’s theorem states that the number of points \(\#E\) on the curve \(E({\mathbb {F}}_p)\) satisfies

$$\begin{aligned} |\#E-p-1| \le 2\sqrt{p} \,. \end{aligned}$$

The (additive) inverse of a point \(Q=(x_Q, y_Q)\) is \(-Q=(x_Q, -y_Q)\). For an integer n we denote by [n]P the successive n-time addition of a point P; \([-n]P=[n](-P)\). Addition of points \(P=(x_P, y_P)\) and \(Q=(x_Q, y_Q)\), where \(P \ne \pm Q\), is given by the following formula. Let \(s = s_{P+Q} = \frac{y_P - y_Q}{x_P - x_Q}\), then

$$\begin{aligned} (P+Q)_x = s^2 - x_P - x_Q \quad \text {and} \quad (P+Q)_y = -(y_P +s((P+Q)_x - x_P)) \,. \end{aligned}$$

2.2 Lattices

Let \(B = \{b_1,\ldots ,b_r\}\) be a set of linearly independent vectors in the Euclidean space \(\mathbb {R}^s\), for some integers \(r \le s\). The set \(L = \left\{ \sum _{i=1}^r n_ib_i \ | \ n_i \in \mathbb {Z}\right\} \) is called an r-dimensional lattice and B is a basis for L. The (Euclidean) norm of a vector \(v \in \mathbb {R}^s\) is denoted by \(\Vert v\Vert \).

For a lattice L in \(\mathbb {R}^s\) and a real number \(\gamma \ge 1\), the \(\gamma \) -shortest vector problem (\(\gamma \)-SVP) is to find a non-zero lattice vector \(v \in L\) with norm not larger than \(\gamma \) times the norm of the shortest non-zero vector in L. In other words, \(\Vert v\Vert \le \gamma \min \{\Vert u\Vert \ | \ 0 \ne u \in L \}\).

This problem is a fundamental problem in lattice cryptography. References to surveys and state-of-the-art algorithms for \(\gamma \)-SVP are given in Sect. 1.2 in the work of Ling, Shparlinski, Steinfeld and Wang [17], and like their work our result uses the \(\gamma \)-SVP algorithms of Schnorr [20] and Micciancio–Voulgaris [18].

3 Hidden Number Problems

The hidden number problem was introduced by Boneh and Venkatesan [9] in order to study bit security of the Diffie–Hellman key exchange protocol in the multiplicative group of integers modulo a prime p. This problem is formulated as follows.

[Figure: formal statement of the hidden number problem (HNP)]

Various natural variants of this problem can be considered, such as changing the group the elements are taken from and the function the oracle is simulating. Moreover, one can consider oracles with different probability of producing the correct answer. The survey [24] covers many of these generalizations as well as different applications.

The elliptic curve equivalent, known as the elliptic curve hidden number problem, is formulated as follows for \(\psi \in \{x,y\}\).

[Figure: formal statement of the elliptic curve hidden number problem (EC-HNP\(_\psi \))]

The elliptic curve hidden number problem, to the best of our knowledge, was first considered (more generally, and only for the x-coordinate) by Boneh, Halevi and Howgrave-Graham [7], and besides being mentioned in the surveys [23, 24] there is no other literature about it. We remark that there are no known solutions to this problem, even for large k's (except, of course, for trivial cases, i.e., \(k \ge \log p - O(\log \log p)\)).

A related non-linear problem is the modular inversion hidden number problem, which was introduced by Boneh, Halevi and Howgrave-Graham [7]. It is formulated as follows.

[Figure: formal statement of the modular inversion hidden number problem (MIHNP)]

We now explain the relation between the elliptic curve hidden number problem and bit security of the elliptic curve Diffie–Hellman key exchange protocol.

Remark 1

Given an elliptic curve E over a field \({\mathbb {F}}_q\), a point \(Q \in E\) and the values [a]Q and [b]Q, the Diffie–Hellman key P is the value \(P = ECDH_Q([a]Q, [b]Q) = [ab]Q\). Suppose one has an oracle that on input [u]Q and [v]Q outputs some partial information on [uv]Q. Then, one can choose an integer t and calculate [t]Q, and by adding [t]Q and [a]Q, one gets \([a]Q+[t]Q = [a+t]Q\). Querying the oracle on [b]Q and \([a+t]Q\), one gets partial information on \([(a+t)b]Q = [ab]Q+[tb]Q = P + [t]([b]Q) = P + [t]R\), for \(R=[b]Q\). Repeating for several t’s, if it is possible to solve the elliptic curve hidden number problem, one can find the Diffie–Hellman key \(P=[ab]Q\).

In the proof below we use the fact that one can get \(\text {MSB}_k(x_P)\) for the secret point P. This can be easily justified by taking \(t=0\) in EC-HNP, or equivalently querying the oracle from Remark 1 on [a]Q and [b]Q. Moreover,

Remark 2

Similar to HNP [9, Sect. 4.1] and MIHNP [7, Sect. 2.1], EC-HNP can be self-randomized. Indeed, given \(\{(Q_i, {\mathcal O}((P+Q_i)_\psi ))\}_{1\le i\le n}\), for an oracle \({\mathcal O}\), choose \(1\le i_0 \le n\), and define a new secret \(P' := P+Q_{i_0}\). Let \(Q_i':=Q_i-Q_{i_0}\), then we have \(P+Q_i = P' + Q_i'\), and so \({\mathcal O}((P'+Q_i')_\psi )={\mathcal O}((P+Q_i)_\psi )\). If one can find \(P'\), recovering \(P = P'-Q_{i_0}\) is easy. This shows that given \(\{(Q_i, {\mathcal O}((P+Q_i)_\psi ))\}_i\), one can randomize the secret P as well as the ‘multipliers’ \(Q_i\). Alternatively, if access to the oracle is still provided, one can query on \(t_{i_0}+t_i\) to receive \({\mathcal O}((P'+Q_i)_\psi )\), as well as taking the approach of [9, Sect. 4.1]. This self-randomization allows us to assume without loss of generality that R in EC-HNP is a generator for \(\langle Q \rangle \).

4 Main Results

The main result is Theorem 2, which gives the first bit security result for prime-field elliptic curve Diffie–Hellman key exchange. This result follows from the following theorem, which shows how to recover the secret point in EC-HNP\(_x\) given a \(\gamma \)-SVP algorithm.

Theorem 1

Let E be an elliptic curve over a prime field \({\mathbb {F}}_p\), let n be an integer and k a real number. Let an unknown \(P=(x_P,y_P) \in E{\setminus }\{O\}\) and a known generator \(R \in E{\setminus }\{O\}\) be points on the curve. Let \({\mathcal O}\) be a function such that \({\mathcal O}(t) = \text {MSB}_k((P + [t]R)_x)\), and denote \(Q_i:=[t_i]R\). Then, given a \(\gamma \)-SVP algorithm, there exists a deterministic polynomial-time algorithm that recovers the unknown \(x_P\) with \(2n+1\) calls to \({\mathcal O}\) and a single call to the \(\gamma \)-SVP algorithm on a \((3n+3)\)-dimensional lattice with polynomially bounded basis, except with probability

$$\begin{aligned} {\mathcal P}_1 \le \frac{8^n(6\eta \varDelta +1)^{6n+3}}{(p-2\sqrt{p}-2)^n} + \frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2} + \frac{2n+3}{p-2\sqrt{p}} \end{aligned}$$

over the choices of \(x_{Q_1},\ldots ,x_{Q_n}\), when it returns no answer or a wrong answer, where \(\eta = 2\gamma \sqrt{3n+1}\) and \(\varDelta = \lceil \frac{p}{2^{k+1}}\rceil \). If the correct x-coordinate \(x_P\) has been recovered, the algorithm determines which of the two candidates \(\pm y_P\) is the correct y-coordinate, except with probability

$$\begin{aligned} {\mathcal P}_2 \le \frac{(16\varDelta )^n}{(p-2\sqrt{p}-2)^n} \end{aligned}$$

over the choices of \(x_{Q_1},\ldots ,x_{Q_n}\).

Remark 3

In the theorem, as in the corollary below, R is taken to be a generator of E in order to give precise bounds on the probabilities. Both results hold even if R is not a generator of E, as long as it generates a “large enough” subgroup. The size of the subgroup appears in the denominator of the probabilities bounds (see footnote 7), and so the results also hold if the subgroup’s order is greater than \(p{/}poly(\log (p))\), for example. For substantially smaller subgroups, one would need to adjust the value for k.

The following corollary shows that one can solve EC-HNP\(_x\) given an oracle for \(k>(\frac{5}{6}+\epsilon )m\) most significant bits (where m is the bit length of p, and for any constant \(\epsilon \)). Similar to Ling et al. [17], we consider two different SVP approximation algorithms to show the influence of \(\epsilon \) on the running time and the minimum allowed value for p.

Corollary 1

Fix \(0< \delta \le 3\epsilon < 1/2\). Let \(n_0=\lceil \frac{1}{6\epsilon } \rceil \), p be an m-bit prime, E be an elliptic curve over \({\mathbb {F}}_p\) and \(k>(5{/}6+\epsilon )m\). There exist deterministic algorithms \(A_i\), for \(i=1,2\), that solve EC-HNP\(_x\) (with \(\text {MSB}_k\) and a generator R) for \(m\ge m_i\), with probability at least \(1-p^{-\delta }\) over the choices of \(x_{Q_1},\ldots ,x_{Q_{n_0}}\) where

$$\begin{aligned} m_1 = \lceil c_1\epsilon ^{-1}\log \epsilon ^{-1} \rceil \quad and \quad m_2 = \lceil c_2\epsilon ^{-2}\frac{(\log \log \epsilon ^{-1})^2}{\log \epsilon ^{-1}} \rceil \,, \end{aligned}$$

for some absolute effectively computable constants \(c_1,c_2\), and their running time is \(T_i\) where

$$\begin{aligned} T_1 = (2^{\epsilon ^{-1}}m)^{O(1)} \quad and \quad T_2 = (\epsilon ^{-1}m)^{O(1)} \,. \end{aligned}$$

As a consequence, following Remark 1, we get a hardcore function for the elliptic curve Diffie–Hellman problem and the following bit security result for elliptic curve Diffie–Hellman key exchange.

Theorem 2

Fix \(0< \delta \le 3\epsilon < 1{/}2\). Let p be an m-bit prime, E be an elliptic curve over \({\mathbb {F}}_p\), a point \(P \in E{\setminus }\{O\}\) of order at least \(p{/}poly(\log (p))\) and \(k>(5{/}6+\epsilon )m\). Given an efficient algorithm to compute \(\text {MSB}_k\left( ([ab]P)_x\right) \) from [a]P and [b]P, there exists a deterministic polynomial-time algorithm that computes [ab]P with probability at least \(1-p^{-\delta }\).

In a nutshell, the approach of solving non-linear problems like MIHNP and EC-HNP is to form some polynomials with desired small roots, and use a lattice basis reduction algorithm to find some of these roots. The polynomials’ degree, the number of their monomials, and subsequently the dimension of the lattice, play a main role in the quality of the result one can obtain.

4.1 Our Approach

The first obstacle in approaching EC-HNP is the nonlinearity (over the ground field) of the addition rule. This can be easily overcome by the “linearization” approach of Boneh et al. [7], which we adopt, but at the cost of not being able to use Babai’s algorithm for the closest lattice point [1]. This prevents non-linear problems, like MIHNP and EC-HNP, from achieving results as good as the result for the linear HNP.

The second obstacle in approaching EC-HNP\(_x\) (and similarly EC-HNP\(_y\)) is that while one only gets partial information on \(x_P\), the formula for \((P+Q)_x\) also involves (the unbounded unknown) \(y_P\). Similar to the approach of [7], one can isolate this unknown in one equation and substitute it into all of the other equations, hence ‘losing’ one equation. Doing so imposes an extra bounded unknown in each equation, as well as many additional monomials, coming from the noise term of the equation used to eliminate \(y_P\). This therefore results in a significantly larger dimension of the lattice one constructs. Instead, we show how one can combine two correlated equations to eliminate \(y_P\). This lets us define one bounded unknown (twice as large) while keeping the number of monomials relatively small. Taking this approach we form new equations from pairs of initial equations, causing a ‘loss’ of about half of the equations.

Formally, we proceed as follows.

Eliminating \(y_P\). For some integer t consider the pair \(Q =[t]R,-Q =[-t]R \in E\), and suppose \(P\ne \pm Q\). Let \(P=(x_P, y_P)\) and \(Q=(x_Q, y_Q)\), so that \(-Q=(x_Q, -y_Q)\), and write \(s_{P+Q} = \frac{y_P - y_Q}{x_P - x_Q}\) and \(s_{P-Q} = \frac{y_P - y_{-Q}}{x_P - x_{-Q}} = \frac{y_P + y_Q}{x_P - x_Q}\). The following operations take place in \({\mathbb {F}}_p\).

$$\begin{aligned} \begin{aligned} (P+Q)_x + (P-Q)_x&= s_{P+Q}^2 - x_P - x_Q + s_{P-Q}^2 - x_P - x_Q \\&= \left( \frac{y_P - y_Q}{x_P - x_Q}\right) ^2 + \left( \frac{y_P + y_Q}{x_P - x_Q}\right) ^2 - 2x_P - 2x_Q \\&= 2 \left( \frac{y^2_P + y^2_Q}{(x_P - x_Q)^2} - x_P - x_Q \right) \\&= 2 \left( \frac{x_Qx^2_P + (a+x^2_Q) x_P + ax_Q + 2b}{(x_P - x_Q)^2} \right) . \end{aligned} \end{aligned}$$
(1)

Constructing Polynomials with Small Roots. Write \(h_0 = \text {MSB}_k(x_P) = x_P - e_0\), \(h = \text {MSB}_k((P+Q)_x) = (P+Q)_x - e\) and \(h' = \text {MSB}_k((P-Q)_x) = (P-Q)_x - e'\). Letting \(\widetilde{h} = h + h'\) and \(\widetilde{e} = e + e'\) and plugging \(x_P = h_0 + e_0\) in (1) we get

Multiplying by \((h_0 + e_0 - x_Q)^2\) and rearranging we get that the following bivariate polynomial

satisfies \(F(e_0,\widetilde{e}) \equiv 0 \mod p\).

Repeating with n different \(Q_i\) leads to n polynomials of the form

$$\begin{aligned} F_i(X,Y) = X^2Y + A_iX^2 + A_{0,i}XY + B_iX + B_{0,i}Y + C_i \,, \end{aligned}$$
(2)

that satisfy \(F_i(e_0,\widetilde{e}_i) \equiv 0 \mod p\). Our aim is to find “small” roots for \(F_i\); if one of these roots satisfies \(X=e_0\), we can substitute in \(h_0\) and recover \(x_P\).

We start with a simple argument that shows that indeed we expect to solve EC-HNP\(_x\) with more than the top 5/6 fraction of the bits. The argument is identical to the argument given in [7, Sect. 3.1].

4.2 A Simple Heuristic Argument

The solutions to the system of the n polynomials in (2) can be represented by a lattice of dimension \(4n+3\), as follows. The lattice is spanned by the rows of a matrix M of the following structure

$$ M = \begin{pmatrix} E &{} R \\ 0 &{} P \end{pmatrix} $$

where E and P are diagonal square matrices of dimensions \(3n + 3\) and n, respectively, and R is a \((3n+3) \times n\) matrix. Each of the first \(3n+3\) rows of M is associated with one of the terms in (2), and each of the last n columns is associated with one of these equations. For example, for \(n=2\) we get the matrix (m is the bit size of p and k the number of bits we get)

[Figure: the matrix M for n = 2]

For \(e_0, \widetilde{e}_i\), the last n columns give us equations over the integers:

$$\begin{aligned} e^2_0\widetilde{e}_i + A_ie^2_0 + A_{0,i}e_0\widetilde{e}_i + B_ie_0 + B_{0,i}\widetilde{e}_i + C_i - k_ip = 0 \, . \end{aligned}$$

For the corresponding solution vector

$$\begin{aligned} \mathbf {v} := \langle 1, \widetilde{e}_1, \ldots , \widetilde{e}_n, e_0, e_0\widetilde{e}_1, \ldots , e_0\widetilde{e}_n, e^2_0, e^2_0\widetilde{e}_1,\ldots ,e^2_0\widetilde{e}_n, k_1,\ldots ,k_n \rangle \,, \end{aligned}$$

we get that \(\mathbf {v} M = \)

[Figure: the vector \(\mathbf {v} M\)]

Therefore, \(\mathbf {v} M\) is a lattice point with \(3n+3\) non-zero entries, all of which are smaller than 1, so its Euclidean norm is smaller than \(\sqrt{3n+3}\).

The determinant of the lattice is \(\frac{p^n}{2^{(m-k)(6n+3)}}\). We apply the heuristic for short lattice vectors and expect that \(\mathbf {v}M\) is the shortest vector if \(\sqrt{3n+3} \ll \sqrt{4n+3}\left( 2^{(k-m)(6n+3)}p^n\right) ^{1{/}(4n+3)}\). Substituting \(p = 2^{m+O(1)}\) and ignoring lower terms we get \(2^k\gg 2^{5{/}6 m}\), and so we expect that \(\mathbf {v}M\) is the shortest lattice vector when we get more than \(\frac{5}{6}m\) bits. Therefore, this becomes a problem of recovering the shortest lattice vector.
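Carrying the threshold computation through for a fixed n makes the origin of the 5/6 explicit. This is an added derivation in the paper's notation, not part of the original text; it only drops the \(O(1)\) factors that the heuristic already ignores:

$$\begin{aligned} \sqrt{3n+3} \ll \sqrt{4n+3}\left( 2^{(k-m)(6n+3)}p^n\right) ^{1{/}(4n+3)} &\;\Longleftrightarrow \; (k-m)(6n+3) + n\log _2 p \gg 0 \\ &\;\Longleftrightarrow \; k(6n+3) \gg m(6n+3) - mn = m(5n+3) \qquad (p = 2^{m+O(1)}) \\ &\;\Longleftrightarrow \; k \gg \frac{5n+3}{6n+3}\,m = \left( \frac{5}{6} + \frac{1}{12n+6}\right) m \,. \end{aligned}$$

Thus the fraction 5/6 is the limit as n grows and is approached from above: with a fixed number n of pairs the heuristic asks for the top \(\frac{5}{6} + \frac{1}{12n+6}\) fraction of the bits, which is why Corollary 1 pairs an excess \(\epsilon \) with a number of samples \(n_0\) of order \(1/\epsilon \), and why the lattice dimension grows as \(\epsilon \) shrinks.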

Boneh et al. [7] suggest using Coppersmith’s method [10] and construct a lattice that leads to a smaller bound on the number of bits one needs in order to recover the secret element in this kind of non-linear problems. This approach has to assume linear independence of the equations involved, and therefore does not provide a proof, but only a heuristic. Since the aim of this paper is to prove bit security, we do not follow this path.

We now turn to a complete formal proof of Theorem 1. It follows the same arguments as in the proof of Theorem 1 in [17], where necessary adaptations have been made.

5 Proofs

The proof of Theorem 1 is very technical. The algorithm for recovering \(x_P\) appears in Algorithm 1, but we first lay the groundwork, so that the probability analysis that appears after the algorithm can be understood. We first give an overview of the key points of the proof.

Overview

In the algorithmic part:

  • Using \({\mathcal O}\), we construct the polynomial relations (as in (2) above)

    $$\begin{aligned} F_i(X,Y) = X^2Y + A_iX^2 + A_{0,i}XY + B_iX + B_{0,i}Y + C_i \, \end{aligned}$$

    for which \(F_i(e_0,\widetilde{e}_i) \equiv 0 \mod p\).

  • Using these relations, we construct a lattice (see (4)), such that the vector

    $$\begin{aligned} \mathbf {e} := (\varDelta ^3,\varDelta ^2e_0,\varDelta ^2\widetilde{e}_1,\ldots ,\varDelta ^2\widetilde{e}_n,\varDelta e^2_0,\varDelta e_0\widetilde{e}_1,\ldots ,\varDelta e_0\widetilde{e}_n,e^2_0\widetilde{e}_1,\ldots ,e^2_0\widetilde{e}_n) \end{aligned}$$

    is a short lattice vector.

  • We run a \(\gamma \)-SVP algorithm on the lattice to receive a short lattice vector

    $$\begin{aligned} \mathbf {f} := (\varDelta ^3f_0',\varDelta ^2f_0,\varDelta ^2f_1\ldots ,\varDelta ^2f_n,\varDelta f_{0,0},\varDelta f_{0,1},\ldots ,\varDelta f_{0,n},f_{00,1},\ldots ,f_{00,n}) \,. \end{aligned}$$

    As \(\mathbf {e}\) and \(\mathbf {f}\) are two short lattice vectors, we expect them to be a (scalar) multiple of each other.

  • Supposing this is the case, the scalar \(f_0'\) is found by observing the first coordinate of \(\mathbf {e}\) and \(\mathbf {f}\). We then compute \(e_0 = f_0{/}f_0'\) provided \(f_0'\ne 0\).

  • From the relation \(h_0 = x_P - e_0\) we derive \(x_P = h_0 + e_0\).

The second part of the proof analyzes the success probability of the algorithm, as follows:

  • If \(e_0 \ne f_0{/}f_0'\) or \(f_0'=0\) the algorithm fails.

  • To derive the probability of these events we form a certain family of low-degree polynomials (see (12)), for which we are interested in their set of zeros. The number of polynomials in the family is a function of \(\varDelta = \lceil \frac{p}{2^{k+1}} \rceil \), and so a function of k.

  • Claim 5.1 shows that if \(y_P\ne 0\), then the polynomials are not identically zero.

  • We show that these events occur if the points \(x_{Q_i}\) are roots of some of these polynomials. Thus, we derive an exact expression of the probability of these events to hold.

The last part of the proof shows how one can determine the correct value for \(y_P\) using a consistency check with all of the given values.

5.1 Proof of Theorem 1

Assume without loss of generality \(3\eta \varDelta \le 3\eta \varDelta ^3<p\), as otherwise the bound on the probability makes the claim trivial, and that the unknown P is chosen uniformly at random (see Remark 2). Throughout, unless stated otherwise, i, j are indices such that \(1 \le i \le n\) and \(0 \le j \le n\). Set \(t_0=0\), choose \(t_i \in [1,\#E-1]\) independently and uniformly at random, and query the oracle \({\mathcal O}\) on \(\pm t_j\) to get the \(2n+1\) values \({\mathcal O}(\pm t_j)\) denoted by \(h_0 = \text {MSB}_k(P_x) = x_P - e_0\), \(h_i = \text {MSB}_k((P+Q_i)_x) = (P+Q_i)_x - e_i\) and \(h_{i'} = \text {MSB}_k((P-Q_i)_x) = (P-Q_i)_x - e_{i'}\), for some integers \(-\varDelta \le e_j, e_{i'} \le \varDelta \). Denote \(\widetilde{h}_i = h_i + h_{i'}\) and \(\widetilde{e}_i = e_i + e_{i'}\), and suppose \(P\ne \pm Q_i\).

The following has been shown in Sect. 4.1. For every \(1 \le i \le n\), one has

Consider the polynomials

$$\begin{aligned} F_i(X,Y) := X^2Y + A_iX^2 + A_{0,i}XY + B_iX + B_{0,i}Y + C_i \, , \end{aligned}$$

where (all congruences hold mod p)

[Figure: definitions of the coefficients \(A_i, A_{0,i}, B_i, B_{0,i}, C_i\)]

It holds that \(F_i(e_0,\widetilde{e}_i) \equiv 0 \pmod {p}\) for every \(1 \le i \le n\). As \(e_0,\widetilde{e}_i\) are relatively small, one hopes that finding a small solution to one of these polynomials would allow one to recover \(e_0\) and subsequently P. To achieve this goal, we use these relations to construct a lattice and apply the \(\gamma \)-SVP algorithm.

Formally, we start by ‘balancing’ the coefficients (as lattice basis reduction algorithms work better when all the coefficients are of similar size). For every \(1 \le i \le n\), set

(3)

The vector

$$\begin{aligned} \mathbf {e} = (\varDelta ^3,\varDelta ^2e_0,\varDelta ^2\widetilde{e}_1,\ldots ,\varDelta ^2\widetilde{e}_n,\varDelta e^2_0,\varDelta e_0\widetilde{e}_1,\ldots ,\varDelta e_0\widetilde{e}_n,e^2_0\widetilde{e}_1,\ldots ,e^2_0\widetilde{e}_n) \end{aligned}$$

belongs to the lattice L consisting of solutions

$$\begin{aligned} \mathbf {x} = (x_0',x_0,x_1,\ldots ,x_n,x_{0,0},x_{0,1},\ldots ,x_{0,n},x_{00,1},\ldots ,x_{00,n}) \in \mathbb {Z}^{3n+3} \end{aligned}$$

of the congruences

The lattice L is generated by the rows of a \((3n+3) \times (3n+3)\) matrix M of the following structure:

$$\begin{aligned} M = \begin{pmatrix} \mathbf {\Delta ^2} &{} 0 &{} M_1 \\ 0 &{} \mathbf {\Delta } &{} M_2 \\ 0 &{} 0 &{} P \end{pmatrix} \end{aligned}$$
(4)

where \(\mathbf {\Delta ^2}\), \(\mathbf {\Delta }\) and P are diagonal square matrices of dimensions \(n + 2\), \(n+1\) and n, respectively, such that the diagonal of P consists of the prime p, the matrix \(\mathbf {\Delta }\) consists of \({\varDelta }\) and the matrix \(\mathbf {\Delta ^2}\) of \(\varDelta ^2\), except for the first diagonal entry which is \(\varDelta ^3\); and the matrices \(M_1\) and \(M_2\) are of dimensions \((n+2) \times n\) and \((n+1) \times n\) respectively, given by

$$ M_1 = \begin{pmatrix} -C_1 &{} -C_2 &{} \dots &{} -C_n \\ -B_1 &{} -B_2 &{} &{} -B_n \\ -B_{0,1} &{} 0 &{} &{} 0 \\ 0 &{} -B_{0,2} &{} &{} \\ \vdots &{} 0 &{} \ddots \\ &{} \vdots \\ 0 &{} 0 &{} &{} -B_{0,n} \end{pmatrix} \, , \quad \quad M_2 = \begin{pmatrix} -A_1 &{} -A_2 &{} \dots &{} -A_n \\ -A_{0,1} &{} 0 &{} &{} 0 \\ 0 &{} -A_{0,2} &{} &{} \vdots \\ \vdots &{} 0 &{} \ddots &{} \\ &{} \vdots \\ 0 &{} 0 &{} &{} -A_{0,n} \end{pmatrix} \, . $$

As \({|\widetilde{e}_i| = |e_i + e_{i'}| \le 2\varDelta }\) for every \(1 \le i \le n\), we have

$$\begin{aligned} \Vert \mathbf {e}\Vert \le \sqrt{3\varDelta ^6 + 12n\varDelta ^6} = \sqrt{3 + 12n}\varDelta ^3 \le 2\varDelta ^3\sqrt{3n+1} \,. \end{aligned}$$
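The construction of Sect. 4.1 (the relations \(F_i\) of (2)) and the lattice basis M of (4), carried out on a toy instance. This is an added example in Python and is not the paper's code: the 20-bit prime, the curve \(y^2 = x^3 + 2x - 2\), the point \(R = (1,1)\), the toy range for the multipliers \(t_i\) and the oracle that answers \(x - e\) for a uniformly random noise \(|e| \le \lfloor p/2^{k+1}\rfloor \) are all constructed for illustration. The coefficients \(A_i, A_{0,i}, B_i, B_{0,i}, C_i\) are obtained by expanding (1) after the substitutions \(x_P = h_0 + e_0\) and \((P+Q)_x + (P-Q)_x = \widetilde{h} + \widetilde{e}\) and clearing the denominator; they agree with the coefficients that appear in the congruence derived in the failure analysis below. The block checks that \(F_i(e_0,\widetilde{e}_i) \equiv 0 \pmod p\) for every i and that the vector \(\mathbf {e}\) is an integer combination of the rows of M obeying the norm bound above; it does not perform the \(\gamma \)-SVP step, which needs a lattice reduction implementation.

```python
# Added example, not the paper's code: a toy EC-HNP_x instance over a 20-bit prime.
import random
P_MOD = 1000003            # constructed toy prime; nowhere near a secure size
A, B = 2, P_MOD - 2        # y^2 = x^3 + 2x - 2: 4A^3 + 27B^2 = 140 != 0 (mod p)
R = (1, 1)                 # on the curve since 1 = 1 + 2 - 2; plays the known point R
INF = None                 # the point at infinity O

def sym(x, p=P_MOD):       # representative in {-(p-1)/2, ..., (p-1)/2} (Sect. 2)
    x %= p
    return x - p if x > (p - 1) // 2 else x

neg = lambda P: (P[0], -P[1] % P_MOD)   # -P = (x_P, -y_P)

def ec_add(P, Q, p=P_MOD, a=A):
    """Affine addition on the short Weierstrass curve (Sect. 2.1)."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:          # Q = -P
        return INF
    s = ((3 * xp * xp + a) * pow(2 * yp, -1, p) if xp == xq     # tangent (doubling)
         else (yp - yq) * pow(xp - xq, -1, p)) % p              # chord, as in Sect. 2.1
    xr = (s * s - xp - xq) % p
    return (xr, -(yp + s * (xr - xp)) % p)

def ec_mul(n, P):          # [n]P for n >= 0, double-and-add
    acc = INF
    while n:
        if n & 1:
            acc = ec_add(acc, P)
        P, n = ec_add(P, P), n >> 1
    return acc

def msb_oracle(x, k, rng, p=P_MOD):
    """Constructed MSB_k oracle: returns h = x - e with |e| <= floor(p / 2^(k+1))."""
    bound = p >> (k + 1)
    return sym(x, p) - rng.randint(-bound, bound)

def build_instance(n, k, seed):
    """Secret P = [s]R, h_0 = MSB_k(x_P) and n pairs (Q_i, h~_i = h_i + h_i') as in Sect. 4.1."""
    rng, P = random.Random(seed), INF
    while P is INF or P[1] == 0:                 # keep y_P != 0 (event (E-1))
        P = ec_mul(rng.randrange(2, P_MOD), R)
    h0, rows = msb_oracle(P[0], k, rng), []
    while len(rows) < n:
        Q = ec_mul(rng.randrange(1, P_MOD), R)   # toy choice of t_i; the paper samples [1, #E-1]
        if Q is not INF and Q[0] != P[0]:        # need P != +-Q_i
            rows.append((Q, msb_oracle(ec_add(P, Q)[0], k, rng)
                         + msb_oracle(ec_add(P, neg(Q))[0], k, rng)))
    return {"P": P, "h0": h0, "rows": rows, "n": n, "k": k}

def coefficients(xq, ht, h0, p=P_MOD, a=A, b=B):
    """(A_i, A_{0,i}, B_i, B_{0,i}, C_i) of F_i in (2): expand (1) with x_P = h0 + X and
    (P+Q)_x + (P-Q)_x = h~ + Y, then multiply through by (h0 + X - x_Q)^2."""
    c = h0 - xq
    return tuple(v % p for v in (
        ht - 2 * xq, 2 * c, 2 * (ht * c - 2 * h0 * xq - a - xq * xq), c * c,
        ht * c * c - 2 * xq * h0 * h0 - 2 * (a + xq * xq) * h0 - 2 * a * xq - 4 * b))

def F(coef, X, Y):         # F_i(X, Y) over the integers; reduce mod p for the congruence
    A_i, A_0i, B_i, B_0i, C_i = coef
    return X * X * Y + A_i * X * X + A_0i * X * Y + B_i * X + B_0i * Y + C_i

def noises(inst):          # e_0 and e~_i, recomputed from the secret P (checking only)
    P, h0 = inst["P"], inst["h0"]
    return sym(P[0]) - h0, [sym(ec_add(P, Q)[0]) + sym(ec_add(P, neg(Q))[0]) - ht
                            for Q, ht in inst["rows"]]

def check_relations(inst):
    """True iff F_i(e_0, e~_i) = 0 (mod p) for every i."""
    e0, et = noises(inst)
    return all(F(coefficients(Q[0], ht, inst["h0"]), e0, y) % P_MOD == 0
               for (Q, ht), y in zip(inst["rows"], et))

def lattice_basis(inst):
    """Rows of M in (4); the last n columns carry -C_i, -B_i, -B_{0,i}, -A_i, -A_{0,i}."""
    n, p, h0 = inst["n"], P_MOD, inst["h0"]
    D = -(-p // (1 << (inst["k"] + 1)))          # Delta = ceil(p / 2^(k+1))
    coefs = [coefficients(Q[0], ht, h0) for Q, ht in inst["rows"]]
    M = [[0] * (3 * n + 3) for _ in range(3 * n + 3)]
    for j in range(2 * n + 3):                   # diagonal: D^3, then D^2 (n+1), then D (n+1)
        M[j][j] = D ** 3 if j == 0 else D * D if j <= n + 1 else D
    for i, (A_i, A_0i, B_i, B_0i, C_i) in enumerate(coefs):
        c = 2 * n + 3 + i
        M[0][c], M[1][c], M[2 + i][c] = -C_i, -B_i, -B_0i
        M[n + 2][c], M[n + 3 + i][c], M[c][c] = -A_i, -A_0i, p
    return M, D, coefs

def check_lattice(inst):
    """True iff e = (D^3, D^2 e0, D^2 e~_i, D e0^2, D e0 e~_i, e0^2 e~_i) is an integer
    combination of the rows of M and ||e|| <= 2 D^3 sqrt(3n+1), the bound of Sect. 5.1."""
    M, D, coefs = lattice_basis(inst)
    n, p = inst["n"], P_MOD
    e0, et = noises(inst)
    x = [1, e0] + et + [e0 * e0] + [e0 * y for y in et]      # unscaled coordinates of e
    x += [F(c, e0, y) // p for c, y in zip(coefs, et)]       # k_i with F_i(e0, e~_i) = k_i p
    vec = [sum(x[r] * M[r][c] for r in range(3 * n + 3)) for c in range(3 * n + 3)]
    e = [x[r] * M[r][r] for r in range(2 * n + 3)] + [e0 * e0 * y for y in et]
    return vec == e and sum(v * v for v in e) <= 4 * D ** 6 * (3 * n + 1)

if __name__ == "__main__":
    inst = build_instance(n=3, k=15, seed=1)
    print(check_relations(inst), check_lattice(inst))
```

With n = 3 and k = 15 (so \(\varDelta = 16\) for this p) both checks return True. To go further, hand the rows of M to a lattice reduction routine and read \(e_0\) off the first two coordinates of the reduced vector as in (7) below; at this toy size, however, the heuristic of Sect. 4.2 gives no guarantee that the reduced vector is proportional to \(\mathbf {e}\), and the parameters here are far outside the range of Corollary 1.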

Run the \(\gamma \)-SVP algorithm and denote the vector it outputs by

$$\begin{aligned} \mathbf {f} = (\varDelta ^3f_0',\varDelta ^2f_0,\varDelta ^2f_1\ldots ,\varDelta ^2f_n,\varDelta f_{0,0},\varDelta f_{0,1},\ldots ,\varDelta f_{0,n},f_{00,1},\ldots ,f_{00,n}) \,, \end{aligned}$$
(5)

where \(f_0',f_j,f_{0,j},f_{00,i} \in \mathbb {Z}\). Notice that

$$\begin{aligned} \Vert \mathbf {f}\Vert \le \gamma \Vert \mathbf {e}\Vert \le 2\gamma \varDelta ^3\sqrt{3n+1} = \eta \varDelta ^3 \text { for } \eta =2\gamma \sqrt{3n+1} \,, \end{aligned}$$

and also that

As \(\mathbf {e},\mathbf {f}\) are both short lattice vectors, we expect them to be scalar multiples of each other. Therefore, let

where

(6)

Notice that if \(f_0' \ne 0\) and also one of the coordinates of \(\mathbf {d}\) (except for the first one) is zero, we can recover some previously unknown information. More precisely, suppose \(f_0' \ne 0\), then

$$\begin{aligned}&\text {If } d_0 = 0, \text { then } e_0 = f_0{/}f_0' \,; \end{aligned}$$
(7)
$$\begin{aligned}&\text {If } d_i = 0, \text { then } \widetilde{e}_i = f_i{/}f_0' \,, \quad 1 \le i \le n \,; \end{aligned}$$
(8)
$$\begin{aligned}&\text {If } d_{0,0} = 0, \text { then } e^2_0 = f_{0,0}{/}f_0' \,; \end{aligned}$$
(9)
$$\begin{aligned}&\text {If } d_{0,i} = 0, \text { then } e_0\widetilde{e}_i = f_{0,i}{/}f_0' \,, \quad 1 \le i \le n \,; \end{aligned}$$
(10)
$$\begin{aligned}&\text {If } d_{00,i} = 0, \text { then } e^2_0\widetilde{e}_i = f_{00,i}{/}f_0' \,, \quad 1 \le i \le n \, . \end{aligned}$$
(11)

As \(\widetilde{e}_i = e_i + e_{i'}\) it is unclear how to use these values in general to recover the secret \(x_P\). We therefore focus on \(e_0\), from which we derive \(x_P\). Although there are several ways to recover \(e_0\) from these equations, for the sake of the proof we only focus on (7), thus in case \(f_0' \ne 0\) we take \(h_0+f_0{/}f_0'\) as the candidate for \(x_P\), and if \(f_0' = 0\), we fail. We remark that a more involved approach can be taken (to determine \(e_0\) and in the case \(f_0' = 0\)), using the consistency check in Appendix A.

A pseudocode for the algorithm that recovers \(x_P\) is the following.

[Figure: Algorithm 1, pseudocode of the algorithm recovering \(x_P\)]

Probability of Failure

We now define the following events:

  1. (E-1)

    \(y_P = 0\);

  2. (E-2)

    \(d_0 \ne 0\) and (E-1) does not hold;

  3. (E-3)

    \(f_0' = 0\) and (E-1) and (E-2) do not hold.

It is clear that if none of the events hold, one can recover \(x_P\). The requirement \(y_P \ne 0\) will be made clear in Claim 5.1 below.

As there are at most 3 values for \(x_P \in {\mathbb {F}}_p\) that satisfy the equation \(x^3_P+ax_P+b \equiv 0 \pmod {p}\), and since P is assumed to be chosen uniformly at random, the probability that (E-1) holds satisfies

$$\begin{aligned} \text {Pr[(E-1)]} \le \frac{3}{\#E-1} \le \frac{3}{p-2\sqrt{p}} \,. \end{aligned}$$

In order to derive a bound on the probability of the other events we form some useful equations. As

$$\begin{aligned} c_i\varDelta ^3 + b_i\varDelta ^2e_0 + b_{0,i}\varDelta ^2\widetilde{e}_i + a_i\varDelta e^2_0 + a_{0,i}\varDelta e_0\widetilde{e}_i + e^2_0\widetilde{e}_i \equiv 0 \pmod {p}, \ 1 \le i \le n \, , \end{aligned}$$

and

$$\begin{aligned} c_i\varDelta ^3f_0' + b_i\varDelta ^2f_0 + b_{0,i}\varDelta ^2f_i + a_i\varDelta f_{0,0} + a_{0,i}\varDelta f_{0,i} + f_{00,i} \equiv 0 \pmod {p}, \ 1 \le i \le n \, , \end{aligned}$$

we get (by the definition of \(\mathbf {d}\))

$$\begin{aligned} b_i\varDelta ^2d_0 + b_{0,i}\varDelta ^2d_i + a_i\varDelta d_{0,0} + a_{0,i}\varDelta d_{0,i} + d_{00,i} \equiv 0 \pmod {p}, \ 1 \le i \le n \, , \end{aligned}$$

and therefore (using (3) above)

$$\begin{aligned} B_id_0 + B_{0,i}d_i + A_id_{0,0} + A_{0,i}d_{0,i} + d_{00,i} \equiv 0 \pmod {p}, \ 1 \le i \le n \, . \end{aligned}$$

Multiplying by \((x_P-x_{Q_i})^2\) and using the definitions for \(A_i,A_{0,i},B_i\) and \(B_{0,i}\) we get for every \(1 \le i \le n\)

$$\begin{aligned} {\begin{matrix} (x_P-x_{Q_i})^2\Big (&{}2[\widetilde{h}_i(h_0-x_{Q_i})-2h_0x_{Q_i}-a-x^2_{Q_i}]d_0 + (h^2_0-2h_0x_{Q_i}+x^2_{Q_i})d_i \\ &{}+ (\widetilde{h}_i-2x_{Q_i})d_{0,0} + 2(h_0-x_{Q_i})d_{0,i} + d_{00,i}\Big ) \equiv 0 \pmod {p} \, , \end{matrix}} \end{aligned}$$

which simplifies, as a polynomial in \(x_{Q_i}\), to

$$\begin{aligned} U_ix^4_{Q_i} - V_ix^3_{Q_i} + W_ix^2_{Q_i} + Y_ix_{Q_i} + Z_i \equiv 0 \pmod {p}, \ 1 \le i \le n \, , \end{aligned}$$
(12)

where (all congruences hold mod p)

(13)

We now show that if for some \(1 \le i \le n\) the left hand side of (12) is the constant zero polynomial, then \(d_0=0=d_{0,0}\). We conclude that if \(d_0\ne 0\) or \(d_{0,0}\ne 0\), then the left hand side of (12) is a non-constant polynomial in \(x_{Q_i}\) (of degree at most 4) for every \(1 \le i \le n\).

Claim

Let \(1 \le i \le n\), and assume \(y_P\ne 0\). The left hand side of (12) is constant if and only if \(d_0=d_{0,0}=d_i=d_{0,i}=d_{00,i}=0\).

Proof

The first implication is clear from (13). Suppose that the left hand side of (12) is constant for some \(1 \le i \le n\). Then \(U_i \equiv V_i \equiv W_i \equiv Y_i \equiv Z_i \equiv 0 \pmod {p}\). One can express the latter as a system of 5 equations in the 5 variables \(d_0,d_i,d_{0,0},d_{0,i}\) and \(d_{00,i}\). A non-zero solution exists if and only if the system is singular. We show that the system is nonsingular if and only if \(y_P\ne 0\), which completes the proof.

We use the first 4 equations to eliminate \(d_i,d_{0,i},d_{00,i}\) and remain with the “global” variables \(d_0,d_{0,0}\). One then has

$$\begin{aligned} -2(2x^3_P+3e_0x^2_P+2ax_P+ae_0+2b)d_0 +(3x^2_P+a)d_{0,0} \equiv 0 \pmod {p} \,, \end{aligned}$$

which, since \(2x^3_P+3e_0x^2_P+2ax_P+ae_0+2b = 2(x^3_P+ax_P+b)+e_0(3x^2_P+a) = 2y^2_P+e_0(3x^2_P+a)\), simplifies to

$$\begin{aligned} -4y^2_Pd_0 -2e_0(3x^2_P+a)d_0 +(3x^2_P+a)d_{0,0} \equiv 0 \pmod {p} \,. \end{aligned}$$

If \(3x^2_P+a \equiv 0 \pmod {p}\), then \(y^2_P d_0 \equiv 0 \pmod {p}\), i.e. \(y_P d_0 \equiv 0 \pmod {p}\) as p is prime. Otherwise, one can express \(d_{0,0}\) in terms of \(d_0\). Plugging this value, with the other recovered variables, into the last equation, one gets

$$\begin{aligned} (x^6_P+2ax^4_P+2bx^3_P+a^2x^2_P+2abx_P+b^2)d_0 \equiv y^4_P d_0 \equiv 0 \pmod {p} \,. \end{aligned}$$

In both cases, since \(y_P\ne 0\), we have \(d_0 \equiv d_{0,0} \equiv d_i \equiv d_{0,i} \equiv d_{00,i} \equiv 0 \pmod {p}\), and since all of these values are of size smaller than p (as we suppose \(3\eta \varDelta<3\eta \varDelta ^3<p\)), the claim follows.    \(\blacksquare \)

We use this claim to bound the probabilities of (E-2) and (E-3), which will prove the first claim in the theorem. The probability of events (E-2) and (E-3) is taken over the choice of the points \(Q_i\) for \(1 \le i \le n\). That is, we consider the number of n-tuples

$$\begin{aligned} (x_{Q_1},\ldots ,x_{Q_n}) \in \left( E_x{\setminus }\{x_P\}\right) ^n \end{aligned}$$

such that (E-2) holds or (E-3) holds, where \(E_x := \{z\in {\mathbb {F}}_p \ | \ \exists Q \in E, Q_x=z \}\). Note that \(\#E-1\le 2|E_x|\le \#E+2\).

Probability of Event (E-2). Assume (E-2) holds, that is \(d_0\ne 0\) and \(y_P\ne 0\), and fix some values of \(d_j,d_{0,j}\) for \(0 \le j \le n\) and \(d_{00,i}\) for \(1 \le i \le n\). Let us consider the number of n-tuples

$$\begin{aligned} (x_{Q_1},\ldots ,x_{Q_n}) \in \left( E_x{\setminus }\{x_P\}\right) ^n \end{aligned}$$

satisfying (12).

Since \(d_0\ne 0\) Claim 5.1 shows that the left hand side of (12) is nonconstant for all \(1 \le i \le n\). Thus, as all the relations in (12) are satisfied, there are at most 4 values \(x_{Q_i}\) that satisfy each relation, and so there are at most \(4^n\) n-tuples that satisfy these n non-constant polynomials.

From (6) above we get: as \(d_0\ne 0\) it can take at most \({4\eta \varDelta }\) values, each \(d_i\) can take at most \(6\eta \varDelta +1\) values, \(d_{0,0}\) can take at most \(4\eta \varDelta ^2+1\) values, each \(d_{0,i}\) can take at most \(6\eta \varDelta ^2+1\) values, and each \(d_{00,i}\) can take at most \(6\eta \varDelta ^3+1\) values. Therefore, there are at most

n-tuples \((x_{Q_1},\ldots ,x_{Q_n})\) for which event (E-2) happens. Denote them by \({\mathcal Q}\). The probability that \(d_0 \ne 0\) (given \(y_P\ne 0\)) satisfies

$$\begin{aligned} \text {Pr[(E-2)]} \le \frac{|{\mathcal Q}|}{\left| E_x{\setminus }\{x_P\}\right| ^n} < \frac{4^n(6\eta \varDelta +1)^{6n+3}}{\left( \frac{1}{2}(\#E-1)-1\right) ^n} \le \frac{8^n(6\eta \varDelta +1)^{6n+3}}{(p-2\sqrt{p}-2)^n} \,. \end{aligned}$$

Probability of Event (E-3). Assume (E-3) holds, that is \(f_0'=0,d_0=0\) and \(y_P\ne 0\). We may suppose that for all the n-tuples in \({\mathcal Q}\) event (E-3) holds, and thus consider the remaining n-tuples which are not in \({\mathcal Q}\). We first notice that \(d_{0,0}=0\). Indeed, if \(d_{0,0}\ne 0\), then by Claim 5.1 the left hand side of (12) is nonconstant for all \(1 \le i \le n\). In that case, the only n-tuples that satisfy (12) are in \({\mathcal Q}\). We therefore have \(f_0=f_0'e_0-d_0=0=f_0'e^2_0-d_{0,0}=f_{0,0}\).

Consider the set \(S=\{i\in \{1,\ldots ,n\} \ | \ d_i=d_{0,i}=d_{00,i}=0 \}\). Let \(l=|S|\), and notice that if \(l=n\) then \(f_0=f_i=f_{0,0}=f_{0,i}=f_{00,i}=0\), and since \(f_0'=0\) by assumption then \(\mathbf {f}=0\). As \(\mathbf {f}\) is a non-zero vector by construction, \(l<n\).

Fix some values of \(d_i,d_{0,i}, d_{00,i}\) for \(1 \le i \le n\). We now consider the number of n-tuples

$$\begin{aligned} (x_{Q_1},\ldots ,x_{Q_n}) \notin {\mathcal Q}\end{aligned}$$

satisfying (12). If \(i \in S\) then the left hand side of (12) is the constant zero, and so there are \(|E_x|-1\) possible values for \(x_{Q_i}\) satisfying (12). If \(i \notin S\) then either \(d_i \ne 0\) or \(d_{0,i} \ne 0\) or \(d_{00,i} \ne 0\) and by Claim 5.1 the left hand side of (12) is nonconstant, so there are at most 4 solutions \(x_{Q_i}\) to the corresponding equation in (12).

Overall, there are at most \(4^{n-l} (|E_x|-1)^l\) n-tuples \((x_{Q_1},\ldots ,x_{Q_n})\notin {\mathcal Q}\) that satisfy (12). The possible values for each \(d_i,d_{0,i},d_{00,i}\) for each \(i \notin S\) are given above. So overall there are at most

n-tuples \((x_{Q_1},\ldots ,x_{Q_n})\notin {\mathcal Q}\) for which event (E-3) happens. Denote them by \({\mathcal Q}'\). Over these tuples (not in \({\mathcal Q}\)), the probability that \(f_0' = 0\) (given \(d_0=0\) and \(y_P\ne 0\)) is bounded by

If \(\frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2} < 1\), then the latter is smaller than \(\frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2}\). In any case we get that this probability is bounded by

$$\begin{aligned} \frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2} \,. \end{aligned}$$

We finally get that the probability that event (E-3) happens satisfies

$$\begin{aligned} \text {Pr[(E-3)]} \le \frac{|{\mathcal Q}|}{\left| E_x{\setminus }\{x_P\}\right| ^n} + \frac{|{\mathcal Q}'|}{\left| E_x{\setminus }\{x_P\}\right| ^n} < \frac{8^n(6\eta \varDelta +1)^{6n+3}}{(p-2\sqrt{p}-2)^n} + \frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2} \,. \end{aligned}$$

Notice that for a fixed \(1\le i\le n\) the probability that \(Q_i=\pm P\) is

$$\begin{aligned} \frac{2}{\#E-1} \le \frac{2}{p-2\sqrt{p}} \,. \end{aligned}$$

Thus, by a union bound over \(1\le i\le n\), the probability that \(Q_i=\pm P\) for some \(1\le i\le n\) is bounded by

$$\begin{aligned} \frac{2n}{p-2\sqrt{p}} \,. \end{aligned}$$

This concludes the first claim in the theorem.

Now suppose \(x_P\) has been recovered. To determine which of the two values \(\pm \sqrt{x^3_P+ax_P+b}\) is the correct y-coordinate of P, we run the consistency check, which is presented in Appendix A, on both candidates. It is clear that the correct candidate will pass the test. If both candidates pass the consistency check then we cannot determine the point P. We analyze the probability of the event in which the incorrect candidate \(-P=(x_P,-y_P)\) passes the test.

We consider how many \(Q_i\) lead the system to be consistent with both \(\pm y_P\). Recall that

$$\begin{aligned} h_i + e_i = \left( \frac{y_{Q_i}-y_P}{x_{Q_i}-x_P}\right) ^2 - x_P - x_{Q_i} = \frac{x_P x^2_{Q_i} + (a+x^2_P)x_{Q_i} + ax_P + 2b - 2y_{Q_i}y_P}{(x_{Q_i} - x_P)^2}. \end{aligned}$$

If \(-P\) passes the test, then there exist \(\bar{e}_i\) with \({|\bar{e}_i|\le \varDelta }\) such that \(h_i = (P-Q_i)_x - \bar{e}_i\), for all \(1\le i\le n\). We therefore have

$$\begin{aligned} h_i + \bar{e}_i = \left( \frac{y_{Q_i}+y_P}{x_{Q_i}-x_P}\right) ^2 - x_P - x_{Q_i} =\frac{x_P x^2_{Q_i} + (a+x^2_P)x_{Q_i} + ax_P + 2b + 2y_{Q_i}y_P}{(x_{Q_i} - x_P)^2}. \end{aligned}$$

Subtracting one from the other and multiplying by \((x_P - x_{Q_i})^2\) we get

$$\begin{aligned} (e_i - \bar{e}_i)(x_P - x_{Q_i})^2 = -4y_Py_{Q_i} \,. \end{aligned}$$

Squaring both sides and rearranging results in

$$\begin{aligned} (e_i - \bar{e}_i)^2(x_P - x_{Q_i})^4 - 16y^2_P(x^3_{Q_i}+ax_{Q_i}+b) \equiv 0 \pmod {p} \,. \end{aligned}$$

This is a non-constant polynomial in \(x_{Q_i}\) of degree 4 and therefore for every \(\bar{e}_i\) there are at most 4 values for \(x_{Q_i}\) that satisfy this equation. Since there are at most \({2\varDelta }\) possible values for each \(\bar{e}_i\), and since we can form n such equations, we conclude that the probability that the point \((x_P,- y_P)\) passes the consistency check is bounded by

$$\begin{aligned} \frac{4^n(2\varDelta )^n}{(|E_x|-1)^n}\le \frac{(16\varDelta )^n}{(p-2\sqrt{p}-2)^n} \,. \end{aligned}$$

This concludes the proof.
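The sign-resolution step above is small enough to run end to end. The following is an added example, not code from the paper: it uses a constructed toy curve \(y^2=x^3+2x+3\) over \(p=2^{31}-1\), models the oracle as returning the k most significant bits of \((P+Q_i)_x\) (so \(0\le e_i<\varDelta=2^{m-k}\)), and assumes that the consistency check of Appendix A, which is not reproduced on this page, is the natural test that every answer \(h_i\) lies within \(\varDelta\) of \((P'+Q_i)_x\) for the candidate \(P'\). It also verifies, over the prime field, the three identities the argument rests on: the formula for \((P+Q)_x\) above, the relation \((e_i-\bar{e}_i)(x_P-x_{Q_i})^2\equiv -4y_Py_{Q_i}\), and the \(d=1\) instances of the \((P+Q)_x+(P-Q)_x\) and \((P+Q)_y-(P-Q)_y\) formulas used in Sect. 6.2. All names and parameters are the example's own.

```python
import random

# Added example with constructed toy parameters (not from the paper):
# the curve y^2 = x^3 + A x + B over F_p with p = 2^31 - 1 (prime, p % 4 == 3).
P_MOD = 2**31 - 1
A, B = 2, 3
M_BITS = P_MOD.bit_length()  # m = 31
INF = None                   # point at infinity

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Affine chord-and-tangent addition on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def sqrt_mod(v):
    """Square root in F_p for p = 3 mod 4, or None if v is a non-residue."""
    v %= P_MOD
    r = pow(v, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == v else None

def random_point(rng):
    """Random affine point with y != 0 (the y_P != 0 condition of the proof)."""
    while True:
        x = rng.randrange(P_MOD)
        y = sqrt_mod(x**3 + A * x + B)
        if y:
            return (x, y)

def centered(z):
    """Representative of z mod p in (-p/2, p/2]."""
    z %= P_MOD
    return z - P_MOD if z > P_MOD // 2 else z

def msb_oracle(x, k):
    """Keep the k most significant of the m bits of x: h with 0 <= x - h < 2^(m-k)."""
    return x - x % 2**(M_BITS - k)

def x_identity_holds(P, Q):
    """(P+Q)_x + (P-Q)_x == 2(x_Q x_P^2 + (a + x_Q^2) x_P + a x_Q + 2b) / (x_P - x_Q)^2."""
    xP, xQ = P[0], Q[0]
    lhs = (add(P, Q)[0] + add(P, neg(Q))[0]) % P_MOD
    num = 2 * (xQ * xP * xP + (A + xQ * xQ) * xP + A * xQ + 2 * B)
    return lhs == num * pow((xP - xQ) ** 2, -1, P_MOD) % P_MOD

def y_identity_holds(P, Q):
    """(P+Q)_y - (P-Q)_y == 2 y_Q (x_P^3 + 3 x_Q x_P^2 + 3a x_P + a x_Q + 4b) / (x_P - x_Q)^3."""
    xP, xQ, yQ = P[0], Q[0], Q[1]
    lhs = (add(P, Q)[1] - add(P, neg(Q))[1]) % P_MOD
    num = 2 * yQ * (xP**3 + 3 * xQ * xP * xP + 3 * A * xP + A * xQ + 4 * B)
    return lhs == num * pow((xP - xQ) ** 3, -1, P_MOD) % P_MOD

def sign_identity_holds(P, Q, h):
    """e = (P+Q)_x - h, ebar = (-P+Q)_x - h:  (e - ebar)(x_P - x_Q)^2 == -4 y_P y_Q  (mod p)."""
    e = add(P, Q)[0] - h
    ebar = add(neg(P), Q)[0] - h
    return ((e - ebar) * (P[0] - Q[0]) ** 2 + 4 * P[1] * Q[1]) % P_MOD == 0

def passes_consistency_check(cand, Qs, hs, delta):
    """Assumed form of the Appendix A check: each h_i lies within delta of (cand + Q_i)_x."""
    return all(abs(centered(add(cand, Q)[0] - h)) <= delta for Q, h in zip(Qs, hs))

def recover_point(xP, Qs, hs, delta):
    """From the recovered x_P, keep whichever of (x_P, +-y_P) is consistent with the oracle."""
    y = sqrt_mod(xP**3 + A * xP + B)
    if y is None:
        return []
    cands = [(xP, y), (xP, (-y) % P_MOD)]
    return [c for c in cands if passes_consistency_check(c, Qs, hs, delta)]

def demo(seed=1, n=4, k=26):
    """Simulate the oracle on P + Q_i for random Q_i and resolve the sign of y_P."""
    rng = random.Random(seed)
    delta = 2**(M_BITS - k)          # the oracle's error e_i satisfies 0 <= e_i < delta
    P = random_point(rng)
    Qs = [random_point(rng) for _ in range(n)]
    hs = [msb_oracle(add(P, Q)[0], k) for Q in Qs]
    identities_ok = all(x_identity_holds(P, Q) and y_identity_holds(P, Q)
                        and sign_identity_holds(P, Q, h) for Q, h in zip(Qs, hs))
    return P, recover_point(P[0], Qs, hs, delta), identities_ok
```

Calling `demo()` returns the secret point, the list of candidates that pass the check (only the correct one, with overwhelming probability, in line with the \((16\varDelta )^n/(p-2\sqrt{p}-2)^n\) bound) and whether all three identities held for the sampled points. With no queries at all (`recover_point(xP, [], [], delta)`) both \(\pm y_P\) pass, which is the ambiguity the check exists to remove.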

5.2 Proof of Corollary 1

Consider the bounds on \({\mathcal P}_1\) and \({\mathcal P}_2\) in Theorem 1. One needs \(1-{\mathcal P}_1-{\mathcal P}_2 \ge 1-p^{-\delta }\), therefore \({\mathcal P}_1 + {\mathcal P}_2 \le p^{-\delta }\), for the claim to hold. As \({\mathcal P}_2\) is smaller than the first bound on \({\mathcal P}_1\) in Theorem 1 we get that \({\mathcal P}_1 + {\mathcal P}_2\) is bounded by

$$\begin{aligned} 2\frac{8^n(6\eta \varDelta +1)^{6n+3}}{(p-2\sqrt{p}-2)^n} + \frac{16(6\eta \varDelta +1)^6}{p-2\sqrt{p}-2} + \frac{2n+3}{p-2\sqrt{p}} \,. \end{aligned}$$
(14)

It is sufficient to bound the latter by \(p^{-\delta }\).

Consider the third term in (14). For the claim to hold, one needs

$$\begin{aligned} \frac{2n_0+3}{p-2\sqrt{p}} < \frac{1}{p^\delta } \,, \end{aligned}$$

from which it is easy to derive the minimal p (thus the minimal bit size m of p) for the condition to hold. We therefore let \(\delta '\) be such that \(p^{-\delta '}= p^{-\delta } - \frac{2n_0+3}{p-2\sqrt{p}}\) (assuming the latter is positive) and bound each of the other terms in (14) by \(\frac{p^{-\delta '}}{2}\). Notice that \(\delta '>\delta \).

Plugging \(p=2^{m+O(1)}\) and \(\varDelta =2^{m-k+O(1)}\) into the first term of (14), and since \(k>(5{/}6+\epsilon )m\), we have

The latter is smaller than \(\frac{p^{-\delta '}}{2} = 2^{-\delta '(m-1+O(1))}\) if \((6n+3)(\log \eta -\epsilon m)+m{/}2+O(n)\le -\delta '(m+O(1))\), which simplifies to (for some sufficiently large absolute constant \(C_0\))

$$\begin{aligned} (6n+3)(\epsilon -m^{-1}(\log \eta +C_0)) \ge \delta ' + \frac{1}{2} > \delta + \frac{1}{2} \,. \end{aligned}$$
(15)

Using \({3\epsilon \ge \delta }\) and \(n\ge n_0\), it is easy to verify that (for a sufficiently large absolute constant \(C_1\))

$$\begin{aligned} m > \epsilon ^{-1}(2\log \eta +C_1) \end{aligned}$$
(16)

implies (15).

Similarly, to show that the second term in (14) is bounded by \(\frac{p^{-\delta '}}{2}\) one gets the condition (for some sufficiently large absolute constant \(C_2\))

$$\begin{aligned} 6(\epsilon -m^{-1}(\log \eta +C_2)) \ge \delta ' > \delta \,, \end{aligned}$$

which can be shown to hold when (for a sufficiently large absolute constant \(C_3\))

$$\begin{aligned} m > (6\log \eta +C_3)(6\epsilon -\delta )^{-1} \,. \end{aligned}$$

The latter is implied by (15), therefore by (16), provided \(C_0\) is large enough.

For \(A_1\) we apply the 1-SVP algorithm (with running time \(\tilde{O}(2^{2d})\)) of Micciancio and Voulgaris [18] to a lattice of dimension \(d=3n_0+3\), which gives \(\eta = 2\sqrt{3n_0+1}\). For \(A_2\), we use the \(2^{O(d(\log \log d)^2{/}\log d)}\)-SVP algorithm (with running time \(\tilde{O}(d)\)) of Schnorr [20] for the dimension \(d=3n_0+3\), which gives \(\eta =2^{n_0+2} \sqrt{3n_0+1}\). Using \(n_0 = \lceil \frac{1}{6\epsilon } \rceil \), the bounds \(m_i\) follow.

6 Additional Results

The techniques presented in the previous sections can be used to show some additional results, which we briefly sketch here. Considering EC-HNP with the \(\text {LSB}_k\) function, similar results can be derived when the oracle returns the least significant (rather than the most significant) bits, again for a \(5/6\) fraction of the bits of the x-coordinate, as we show in Sect. 6.1. In Sect. 6.2 we address the bit security of the Diffie–Hellman key exchange protocol in elliptic curves over extension fields \({\mathbb {F}}_q\). We refer to the full version of this paper [21] for more details.

6.1 EC-HNP with Least Significant Bits

As we allow k to take any (positive) real value, we define \(\text {LSB}_k\) by \(\text {LSB}_k(x) := x \pmod {\lceil 2^k \rceil }\). In other words, \(\text {LSB}_k(x)\) gives x mod l for \(2 \le l=\lceil 2^k \rceil \le p\), not necessarily a power of 2.

Let \(h = \text {LSB}_k((P+Q)_x) = (P+Q)_x \mod l = (s_{P+Q}^2 - x_P - x_Q -qp) - le\) for some q and \(|e|<\frac{p}{2l}\le \frac{p}{2^{k+1}}\). For \(u=l^{-1} \in \mathbb {Z}^*_p\) we have (where the operations are in \({\mathbb {F}}_p\))

Now let \(h_0 = \text {LSB}_k(x_P) = x_P - le_0\) and \(h' = \text {LSB}_k((P-Q)_x) = (P-Q)_x \mod l = (s_{P-Q}^2 - x_P - x_Q -rp) - le'\) for some r and \(|e_0|,|e'|<\frac{p}{2l}\le \frac{p}{2^{k+1}}\). Then

$$\begin{aligned} \overline{h'} := h' u \equiv u\left( \left( \frac{y_P + y_Q}{x_P - x_Q}\right) ^2 - x_P - x_Q\right) - e' \pmod p \,. \end{aligned}$$

Letting \(\widetilde{h} = \overline{h} + \overline{h'}\) and \(\widetilde{e} = e + e'\) and plugging \(x_P = h_0 + le_0\) in (1) above we get

Multiplying by \((h_0 + le_0 - x_Q)^2\) results in a bivariate polynomial in \(e_0,\widetilde{e}\) of degree 3, similar to (2) above. We expect to get a similar result to the one presented above.

6.2 Bit Security of Elliptic Curve Diffie–Hellman over Extension Fields

The field \({\mathbb {F}}_q={\mathbb {F}}_{p^d}\) is a d-dimensional vector space over \({\mathbb {F}}_p\). We fix a basis \(\{\mathbf {b_1},\ldots ,\mathbf {b_d}\}\) for \({\mathbb {F}}_q\), and represent elements \(\mathbf {x} \in {\mathbb {F}}_q\) with respect to that basis: for \(\mathbf {x} = \sum _{i=1}^d x^i \mathbf {b_i}\) we write \(\mathbf {x}=(x^1,\ldots ,x^d)\). We consider \(E({\mathbb {F}}_q)\), the group of elliptic curve points over \({\mathbb {F}}_q\).

For the elliptic curve hidden number problem in this setting, a natural question is whether the ability to recover one component allows one to recover the entire secret point. This problem, in the elliptic curve context, was studied by Jao, Jetchev and Venkatesan (JJV) [14]. They consider the following hidden number problem for elliptic curves, which they call the multiplier elliptic curve hidden number problem: Given an oracle \({\mathcal O}\) that computes a single component of the x-coordinate of the map \(r \rightarrow [r]P\), that is \({\mathcal O}(r) = ([r]P)_x^i\), recover the point P.

The algorithm given by JJV for this problem is polynomial in \(\log (p)\) but not in d, and therefore suits problems where one fixes the degree d and lets \(\log p\) grow. That is, for extension fields \({\mathbb {F}}_{p^d}\) of a constant degree. However, there is a drawback in JJV’s approach: they can only work with small multipliers r. As a consequence, it is not clear that by considering only small multipliers, this hidden number problem has a unique solution, or a small set of solutions.

This leads them to give precise statements only for degrees 2 and 3 (Propositions 3.1 and 3.2), but to leave the constant degree case (Sect. 3.3) with a description of a general approach, and so a proof of bit security cannot be derived in this case. Moreover, we show that the solution for \(d=3\) is incomplete. The approach presented here overcomes this drawback, and therefore gives a complete solution to any constant extension degree. Moreover, the solution holds for the y-coordinate as well. Our solution is based on (a generalization of) the algorithm given by JJV.

In a nutshell, the essence of the solution is to construct a system of (small degree) polynomials for which \(\mathbf {x_P} = (x^1_P,\ldots ,x^d_P)\) is a simultaneous solution, which will result in some small number of candidates for P.

Improved Results. Our approach overcomes the drawback in the previous work, as the ‘multipliers’ Q are not restricted to any (short) interval. As already mentioned in [14], in the case of random multipliers, it is easy to argue for uniqueness.

Proposition 1

Let E be an elliptic curve over an extension field \({\mathbb {F}}_{p^d}\). There exists an algorithm, polynomial in \(\log p\), that solves EC-HNP given an oracle that outputs a complete component of either the x or y coordinates.

Proof

(sketch). Consider the x-coordinate case. Similar to the solution of EC-HNP over a prime field, one queries the oracle \({\mathcal O}\) on \(\pm t\) to get one component of \((P+[t]R)_x\) and \((P-[t]R)_x\). Denote \(Q:=[t]R\), and let \(\{\mathbf {b_1,\ldots ,b_d}\}\) be a basis for \({\mathbb {F}}_{p^d}\). It holds that

$$\begin{aligned} (P+Q)_x + (P-Q)_x = 2 \left( \frac{\mathbf {x}_Q\mathbf {x}^2_P + (\mathbf {a}+\mathbf {x}^2_Q) \mathbf {x}_P + \mathbf {a}\mathbf {x}_Q + 2\mathbf {b}}{(\mathbf {x}_P - \mathbf {x}_Q)^2} \right) = \frac{R_1(x^1_P,\ldots ,x^d_P)}{R_2(x^1_P,\ldots ,x^d_P)}, \end{aligned}$$

where \(R_1,R_2\) are polynomials (depending on \(\mathbf {x}_Q\)) of degree 2 in \({\mathbb {F}}_{p^d}[x^1,\ldots ,x^d]\). Rewrite

$$\begin{aligned} \frac{R_1(x^1,\ldots ,x^d)}{R_2(x^1,\ldots ,x^d)} = \frac{R^1_1 \mathbf {b}_1 + \ldots + R^d_1 \mathbf {b}_d}{R^1_2 \mathbf {b}_1 + \ldots + R^d_2 \mathbf {b}_d} \,, \end{aligned}$$

where for \(1\le j\le d\) each polynomial \(R^j_1(x^1,\ldots ,x^d), R^j_2(x^1,\ldots ,x^d)\) has coefficients in \({\mathbb {F}}_p\). We “rationalize” the denominator to express

$$\begin{aligned} \frac{R_1(x^1,\ldots ,x^d)}{R_2(x^1,\ldots ,x^d)} = r^1(x^1,\ldots ,x^d)\mathbf {b}_1 + \ldots + r^d(x^1,\ldots ,x^d)\mathbf {b}_d \,, \end{aligned}$$

where \(r^j\) are rational functions with coefficients in \({\mathbb {F}}_p\), of degree at most 2d.

We suppose to have access to component i, that is, we know \((P+Q)_x^i\) and \((P-Q)_x^i\). We have

$$\begin{aligned} {\mathcal O}(t) + {\mathcal O}(-t) = (P+Q)^i_x + (P-Q)^i_x = r^i(x^1_P,\ldots ,x^d_P) = \frac{r^i_{Q,1}(x^1_P,\ldots ,x^d_P)}{r^i_{Q,2}(x^1_P,\ldots ,x^d_P)} \,. \end{aligned}$$

Multiplying by \(r^i_{Q,2}(x^1,\ldots ,x^d)\) and rearranging we get the following polynomial

$$\begin{aligned} g_Q(x^1,\ldots ,x^d) := r^i_{Q,1}(x^1,\ldots ,x^d) - r^i_{Q,2}(x^1,\ldots ,x^d)\left( (P+Q)^i_x + (P-Q)^i_x\right) \,, \end{aligned}$$

where \(g_Q(\mathbf {x}_P) = g_Q(x^1_P,\ldots ,x^d_P) = 0\), and \(g_Q\) is of degree at most 2d.

We repeat with different points Q and look for a simultaneous solution to the system \(\{g_Q=0\}\). When choosing the Q’s uniformly and independently, standard arguments (like the root counting above) can be used to show that a sufficiently large system \(\{g_Q\}\) is expected to have a unique (simultaneous) root.

The case of the y-coordinate is a simple adaptation of the method, where one takes the third-degree polynomial

$$\begin{aligned} (P+Q)_y - (P-Q)_y = 2\mathbf {y}_Q \left( \frac{\mathbf {x}^3_P + 3\mathbf {x}_Q\mathbf {x}^2_P + 3\mathbf {a}\mathbf {x}_P + \mathbf {a}\mathbf {x}_Q + 4\mathbf {b}}{(\mathbf {x}_P - \mathbf {x}_Q)^3} \right) \,. \end{aligned}$$

   \(\blacksquare \)

Corollary 2

For an elliptic curve defined over a constant-degree extension field, computing a single component of the Diffie–Hellman key (for either the x or y coordinates) is as hard as computing the entire key.

We refer to the full version of this paper [21] for a general method and a comparison between JJV’s approach and our approach. We finish with a correction to JJV’s work.

Correction. We make a couple of remarks regarding the solution for \(d=3\) in [14, Sect. 3.2]. In this case JJV take the resultant of two bivariate polynomials of degree 10, 25 in each variable. First, as we show in Appendix B, this resultant is a univariate polynomial of degree at most 500, not 250 as written there. More importantly, while the resultant’s degree is bounded by a constant value, in general it can also be identically zero, which will then not yield a constant-sized set of possible solutions (as the zero polynomial is satisfied by every point). This point is important, especially because the authors identify a problem with showing uniqueness of the solution, or the existence of a small set of solutions. However, the paper [14] does not treat this point.

7 Comments

It is desirable to get bit security results also in the case of an imperfect oracle. The main obstacle in achieving such a result is that the lattice constructed by the algorithm has to be of an exact shape, which will not be achieved in general if some equations are not of the right form. It should be noted that like other problems (see for example [9, Sect. 4.1] for HNP) one can consider an imperfect oracle which is very likely to answer all the queries correctly, when its inputs are random. In addition, one can consider the approach suggested in [12] for imperfect oracles.

A natural question is whether a similar strong bit security result can be shown for the y-coordinate of the elliptic curve Diffie–Hellman key. Unfortunately, the trick presented in this paper, using 2 correlated equations to eliminate one variable, seems out of reach when one works with the y-coordinate. We remark that one can still get some results using the approaches described in Sect. 4.1, but they ought to be weak results.

Moreover, while Weierstrass equations are normally used to represent elliptic curves, Edwards curves are also of interest. The y-coordinate in Edwards curves is considered analogous to the x-coordinate in Weierstrass curves. One therefore expects to have analogous equations for \((P+Q)_y + (P-Q)_y\) and for the y-coordinate of point multiplication, i.e. \(([r]P)_y\). It is of interest to get solutions for the elliptic curve hidden number problem using Edwards curves as well.