# Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys

@inproceedings{Jetchev2008BitsSO, title={Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys}, author={Dimitar Jetchev and Ramarathnam Venkatesan}, booktitle={CRYPTO}, year={2008} }

We show that the least significant bits (LSB) of the elliptic curve Diffie---Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible advantage on a polynomial fraction of all the curves defined over a given finite field $\mathbb{F}_p$, then with polynomial factor overhead, one can compute the entire Diffie---Hellman secret on a polynomial fraction of all the curves over the same finite field. Our approach is based on random self…

## 15 Citations

### Hardness of Computing Individual Bits for One-Way Functions on Elliptic Curves

- Computer Science, MathematicsCRYPTO
- 2012

It is proved that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then one can invert the function and thus, solve the Fixed Argument Pairing Inversion problem FAPI-1/FAPI-2.

### Optimal Randomness Extraction from a Diffie-Hellman Element

- Mathematics, Computer ScienceEUROCRYPT
- 2009

A new technique to bound exponential sums is developed that allows us to double the number of extracted bits compared with previous known results proposed at ICALP'06 and can be used to improve previous bounds proposed by Canetti et al.

### On the Bit Security of Elliptic Curve Diffie-Hellman

- Computer Science, MathematicsPublic Key Cryptography
- 2017

The paper improves the result for elliptic curves over extension fields, that shows that computing one component (in the ground field) of the Diffie–Hellman key is as hard to compute as the entire key.

### Bit Security of the Hyperelliptic Curves Diffie-Hellman Problem

- Mathematics, Computer ScienceProvSec
- 2017

It is proved that the least significant bit of each coordinate of hyperelliptic curves Diffie-Hellman secret value in genus 2 is hard as the entire Diffie -Hellman value, and then it is shown that any bit is hardAs the entirediffie- hellman value.

### Improving Bounds on Elliptic Curve Hidden Number Problem for ECDH Key Exchange

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

The Coppersmith method for solving the involved modular multivariate polynomials in the Diffie–Hellman variant of EC-HNP is revisited and it is demonstrated that, for any given positive integer d, a given sufficiently large prime p , and a fixed elliptic curve over the prime field F p, the heuristic result 1 d +1 significantly outperforms both the rigorous bound 56 and heuristic bound 12 .

### Isogenies of Elliptic Curves: A Computational Approach

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2009

Algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses that provide alternate explanations that some with a more concrete or computational bias may find more clear.

### RSA and Elliptic Curve Least Significant Bit Security

- Computer Science, MathematicsLATINCRYPT
- 2014

This work implements two algorithms to invert the Elliptic Curve Diffie-Hellman protocol, identifies critical parameters, and modify the sampling to achieve a significant improvement in running times.

### Rounding Technique's Application in Schnorr Signature Algorithm: Known Partially Most Significant Bits of Nonce

- Computer Science, MathematicsATIS
- 2017

It is proved that if there is an oracle which inputs the random nonce and outputs the most significant bits of nonce, the signature private key will be obtained by choosing \(2 \lceil \log q\rceil\) signature pairs randomly.

### Elliptic Curve Cryptography in Practice

- Computer Science, MathematicsFinancial Cryptography
- 2014

It is found that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.

### Hidden Number Problems

- Computer Science, Mathematics
- 2017

The study presented here provides new results on the hardness of extracting partial information about Diffie–Hellman key exchange by designing algorithms that use the partial information to extract the keys.

## References

SHOWING 1-10 OF 36 REFERENCES

### On the Bits of Elliptic Curve Diffie-Hellman Keys

- Mathematics, Computer ScienceINDOCRYPT
- 2007

A small multiplier version of the hidden number problem is introduced, and its properties are used to analyze the security of certain Diffie-Hellman bits and suggest new character sum conjectures that guarantee the uniqueness of solutions to thehidden number problem.

### On the Unpredictability of Bits of the Elliptic Curve Diffie--Hellman Scheme

- Computer Science, MathematicsCRYPTO
- 2001

If there is an efficient algorithm for predicting the LSB of the x or y coordinate of abG given 〈E, G, aG, bG〉 for a certain family of elliptic curves, then there is a algorithm for computing the Diffie-Hellman function on all curves in this family.

### Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

- Computer Science, MathematicsCRYPTO
- 1996

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.…

### The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces

- Mathematics, Computer ScienceDes. Codes Cryptogr.
- 2003

All previously known results for the elliptic curve variant of DSA (ECDSA) were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic.

### Security of the most significant bits of the Shamir message passing scheme

- Computer Science, MathematicsMath. Comput.
- 2000

For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

### The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

- Computer Science, Mathematics
- 2001

The hidden number problem is an idealized version of the problem which HowgraveGraham and Smart recently tried to solve heuristically in their (lattice-based) attacks on DSA and related signature schemes: given a few bits of the random nonces k used in sufficiently many DSA signatures, recover the secret key.

### A hidden number problem in small subgroups

- Mathematics, Computer ScienceMath. Comput.
- 2003

A new modification in the scheme which amplifies the uniformity of distribution of the multipliers t is introduced and this result is extended to subgroups of order at least (log p)/(log log p) 1-e for all primes p, giving applications to the bit security of the Diffie-Hellman secret key.

### The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

- Computer Science, MathematicsJournal of Cryptology
- 2002

A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

### Applied Algebra, Algebraic Algorithms and Error-Correcting Codes

- Computer Science, MathematicsLecture Notes in Computer Science
- 2009

This work discusses the construction of Authentication/Secrecy Codes, performance analysis of M-PSK Signal Constellations in Riemannian Varieties, and fast Decomposition of Polynomials with Known Galois Group.

### Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log?

- Mathematics, Computer ScienceASIACRYPT
- 2005

It is proved that the common cryptographic practice of selecting elliptic curves using their order as the primary criterion is essentially true, by showing polynomial time random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH).