# Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

@inproceedings{Boneh1996HardnessOC, title={Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes}, author={Dan Boneh and Ramarathnam Venkatesan}, booktitle={CRYPTO}, year={1996} }

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself. This is done by studying the following hidden number problem: Given an oracle O_α(x) that on input x computes the k most significant bits of α · g^x mod p, find α modulo p. Our solution can be used to show the hardness of MSBs in other schemes such as ElGamal's public key system, Shamir's message…

## 289 Citations

### The Security of All Private-key Bits in Isogeny-based Schemes

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

### Hardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes

- Computer Science, Mathematics
- ICALP
- 2006

Very simple deterministic randomness extractors for Diffie-Hellman distributions are introduced and it is shown that the k most significant bits or the k least significant bits of a random element in a subgroup of $\mathbb Z^\star_p$ are indistinguishable from a random bit-string of the same length.

### Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys

- Computer Science, Mathematics
- CRYPTO
- 2008

We show that the least significant bits (LSB) of the elliptic curve Diffie-Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible…

### Security of polynomial transformations of the Diffie-Hellman key

- Computer Science, Mathematics
- Finite Fields Their Appl.
- 2000

### Polynomial analysis of DH secrete key and bit security

- Computer Science, Mathematics
- Wuhan University Journal of Natural Sciences
- 2008

The generalized “even-and-odd test” method is used to recover the least significant p-adic ‘bits’ of representations of the Lucas Cryptosystem secret keys, and all the bits of the secret key of XTR can be recovered from any bit of the exponent.

### On the Bits of Elliptic Curve Diffie-Hellman Keys

- Mathematics, Computer Science
- INDOCRYPT
- 2007

A small multiplier version of the hidden number problem is introduced, and its properties are used to analyze the security of certain Diffie-Hellman bits and suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem.

### On the bit security of the Diffie-Hellman key

- Mathematics, Computer Science
- Applicable Algebra in Engineering, Communication and Computing
- 2005

It is shown that if the Decision Diffie-Hellman problem is hard in subgroups of $\mathbb{F}_p^*$ and of an elliptic curve over $\mathbb{F}_p$, then the two most significant bits of the Diffie-Hellman function are secure.

### The Security of Polynomial Information of Diffie-Hellman Key

- Computer Science, Mathematics
- ICICS
- 2015

It is shown that finding polynomial information of the DH key is as difficult as recovering the whole key, using a probabilistic algorithm to recover the key.

### Security of the most significant bits of the Shamir message passing scheme

- Computer Science, Mathematics
- Math. Comput.
- 2000

For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

### The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES

- Computer Science, Mathematics
- CT-RSA
- 2001

In this paper, natural assumptions under which DHIES achieves security under chosen-ciphertext attack are identified, the assumptions made about the Diffie-Hellman problem are investigated, and security lower bounds are given.

## References


### Relationships Among the Computational Powers of Breaking Discrete Log Cryptosystems

- Computer Science, Mathematics
- EUROCRYPT
- 1995

The complexity of breaking cryptosystems of which security is based on the discrete logarithm problem, and the complexity of several languages related to those computing problems, is investigated.

### Efficient cryptographic schemes provably as secure as subset sum

- Computer Science, Mathematics
- 30th Annual Symposium on Foundations of Computer Science
- 1989

We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset-sum problem for certain dimensions. (Pseudorandom…

### Finding a Small Root of a Univariate Modular Equation

- Computer Science, Mathematics
- EUROCRYPT
- 1996

We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3.…

### A public key cryptosystem and a signature scheme based on discrete logarithms

- Computer Science, Mathematics
- IEEE Trans. Inf. Theory
- 1984

A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.

### How to generate cryptographically strong sequences of pseudo random bits

- Computer Science, Mathematics
- 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982)
- 1982

A more operative definition of Randomness should be pursued in the light of modern Complexity Theory.

### A hard-core predicate for all one-way functions

- Mathematics, Computer Science
- STOC '89
- 1989

This paper proves a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of Boolean vectors p, g, x is a hard-core of every one-way function f, and extends to multiple (up to the logarithm of security) such bits and to any distribution on the *x*.

### Reconstructing Truncated Integer Variables Satisfying Linear Congruences

- Mathematics, Computer Science
- SIAM J. Comput.
- 1988

A general polynomial time algorithm is proposed to find small integer solutions to systems of linear congruences; it solves most problems when twice as much information as is necessary to uniquely determine the variables is available.

### Generating ElGamal Signatures Without Knowing the Secret Key

- Computer Science, Mathematics
- EUROCRYPT
- 1996

A new method to forge ElGamal signatures if the public parameters of the system are not chosen properly is presented, and this attack shows that forging ElGamal signatures is sometimes easier than the underlying discrete logarithm problem.

### The Discrete Logarithm Hides O(log n) Bits

- Computer Science, Mathematics
- SIAM J. Comput.
- 1988

It is shown that obtaining any information about the “most significant” bits of x, given $g^x \pmod p$, is equivalent to computing discrete logarithms $\bmod p$.

### RSA and Rabin Functions: Certain Parts are as Hard as the Whole

- Mathematics, Computer Science
- SIAM J. Comput.
- 1988

The RSA and Rabin encryption functions are computationally equivalent, which implies that an adversary, given the RSA/Rabin ciphertext, cannot have a non-negligible advantage in guessing the least-significant bit of the plaintext, unless he can invert RSA/factor N.