Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

  • Dan Boneh, Ramarathnam Venkatesan
  • Annual International Cryptology Conference
We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself. This is done by studying the following hidden number problem: Given an oracle $O_\alpha(x)$ that on input $x$ computes the $k$ most significant bits of $\alpha \cdot g^x \bmod p$, find $\alpha$ modulo $p$. Our solution can be used to show the hardness of MSBs in other schemes such as ElGamal's public key system, Shamir's message…

The Security of All Private-key Bits in Isogeny-based Schemes

  • Barak Shani
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2019

Hardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes

Very simple deterministic randomness extractors for Diffie-Hellman distributions are introduced and it is shown that the k most significant bits or the k least significant bits of a random element in a subgroup of $\mathbb Z^\star_p$ are indistinguishable from a random bit-string of the same length.

Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys

We show that the least significant bits (LSB) of the elliptic curve Diffie-Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible

Security of polynomial transformations of the Diffie-Hellman key

  • I. Shparlinski
  • Computer Science, Mathematics
    Finite Fields Their Appl.
  • 2000

Polynomial analysis of DH secrete key and bit security

The generalized “even-and-odd test” method is used to recover the least significant p-adic ‘bits’ of representations of the Lucas Cryptosystem secret keys, and all the bits of the secret key of XTR can be recovered from any bit of the exponent.

On the Bits of Elliptic Curve Diffie-Hellman Keys

A small multiplier version of the hidden number problem is introduced, and its properties are used to analyze the security of certain Diffie-Hellman bits and suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem.

On the bit security of the Diffie-Hellman key

It is shown that if the Decision Diffie-Hellman problem is hard in groups of subgroups of *p and of an elliptic curve over p, then the two most significant bits of the Diffie-Hellman function are secure.

The Security of Polynomial Information of Diffie-Hellman Key

It is shown that finding polynomial information of DH key is as difficult as the whole key again, using a probabilistic algorithm to recover the key.

Security of the most significant bits of the Shamir message passing scheme

For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES

In this paper, natural assumptions under which DHIES achieves security under chosen-ciphertext attack are found and the assumptions made about the Diffie-Hellman problem are investigated, and they provide security lower bounds.



Relationships Among the Computational Powers of Breaking Discrete Log Cryptosystems

The complexity of breaking cryptosystems of which security is based on the discrete logarithm problem, and the complexity of several languages related to those computing problems, is investigated.

Efficient cryptographic schemes provably as secure as subset sum

  • R. Impagliazzo, M. Naor
  • Computer Science, Mathematics
    30th Annual Symposium on Foundations of Computer Science
  • 1989
We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset-sum problem for certain dimensions. (Pseudorandom

Finding a Small Root of a Univariate Modular Equation

We show how to solve a polynomial equation (mod $N$) of degree $k$ in a single variable $x$, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3.

A public key cryptosystem and a signature scheme based on discrete logarithms

  • Taher El Gamal
  • Computer Science, Mathematics
    IEEE Trans. Inf. Theory
  • 1984
A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.

How to generate cryptographically strong sequences of pseudo random bits

  • M. Blum, S. Micali
  • Computer Science, Mathematics
    23rd Annual Symposium on Foundations of Computer Science (sfcs 1982)
  • 1982
A more operative definition of Randomness should be pursued in the light of modern Complexity Theory.

A hard-core predicate for all one-way functions

This paper proves a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of Boolean vectors p, g, x is a hard-core of every one-way function ƒ, and extends to multiple (up to the logarithm of security) such bits and to any distribution on the x.

Reconstructing Truncated Integer Variables Satisfying Linear Congruences

A general polynomial time algorithm is proposed to find small integer solutions to systems of linear congruences and will solve most problems when twice as much information as that necessary to uniquely determine the variables is available.

Generating ElGamal Signatures Without Knowing the Secret Key

A new method to forge ElGamal signatures if the public parameters of the system are not chosen properly is presented, and this attack shows that forging ElGamal signatures is sometimes easier than the underlying discrete logarithm problem.

The Discrete Logarithm Hides O(log n) Bits

It is shown that obtaining any information about the “most significant” bits of $x$, given $g^x \pmod p$, is equivalent to computing discrete logarithms $\bmod\ p$.

RSA and Rabin Functions: Certain Parts are as Hard as the Whole

The RSA and Rabin encryption functions are computationally equivalent, which implies that an adversary, given the RSA/Rabin ciphertext, cannot have a non-negligible advantage in guessing the least-significant bit of the plaintext, unless he can invert RSA/factor N.