# Obstacles to the torsion-subgroup attack on the decision Diffie-Hellman Problem

@article{Koblitz2004ObstaclesTT, title={Obstacles to the torsion-subgroup attack on the decision Diffie-Hellman Problem}, author={Neal Koblitz and Alfred Menezes}, journal={Math. Comput.}, year={2004}, volume={73}, pages={2027-2041} }

Cheng and Uchiyama show that if one is given an elliptic curve, depending on a prime p, that is defined over a number field and has certain properties, then one can solve the Decision Diffie-Hellman Problem (DDHP) in Fp in polynomial time. We show that it is unlikely that an elliptic curve with the desired properties exists.

## 3 Citations

### A One Round Protocol for Tripartite Diffie–Hellman

- Mathematics, Computer ScienceJournal of Cryptology
- 2004

A three participants variation of the Diffie--Hellman protocol is proposed, based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curve to the discreteLogarithms problem in a finite field.

### Small rational points on elliptic curves over number fields

- Mathematics
- 2005

Let E/k be an elliptic curve over a number field. We obtain some quantitative refinements of results of Hindry-Silverman, giving an upper bound for the number of k-rational torsion points, and a…

### Good and Bad Uses of Elliptic Curves in Cryptography

- Mathematics, Computer Science
- 2002

The construction of cryptosystems using elliptic curves is described, the Elliptic Curve Discrete Logarithm Problem is discussed, and the different types of elliptic curve that can be chosen for cryptographic applications are surveyed.

## References

SHOWING 1-10 OF 36 REFERENCES

### The Decision Diffie-Hellman Problem

- Mathematics, Computer ScienceANTS
- 1998

This paper surveys the recent applications of DDH as well as known results regarding its security, and describes some open problems in this area.

### Nonuniform Polynomial Time Algorithm to Solve Decisional Diffie-Hellman Problem in Finite Fields under Conjecture

- Mathematics, Computer ScienceCT-RSA
- 2002

In this paper, we show that curves which are defined over a number field of small degree but have a large torsion group over the number field have considerable cryptographic significance. If those…

### A One Round Protocol for Tripartite Diffie-Hellman

- Mathematics, Computer ScienceANTS
- 2000

A three participants variation of the Diffie-Hellman protocol is proposed, based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curve to the discreteLogarithms problem in a finite field.

### A One Round Protocol for Tripartite Diffie–Hellman

- Mathematics, Computer ScienceJournal of Cryptology
- 2004

A three participants variation of the Diffie--Hellman protocol is proposed, based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curve to the discreteLogarithms problem in a finite field.

### Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

- Mathematics, Computer ScienceEUROCRYPT
- 2001

We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p2) of a particular type of supersingular elliptic curve is at least as…

### Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

- Mathematics, Computer ScienceJournal of Cryptology
- 2004

Abstract
We show that finding an efficiently computable injective
homomorphism from the XTR subgroup into the group of points over
GF(p2) of a particular type of supersingular elliptic curve is
at…

### Diffie-Hellman is as Strong as Discrete Log for Certain Primes

- Mathematics, Computer ScienceCRYPTO
- 1988

It is proven that both the discrete log problem and the Diffie-Hellman key exchange scheme are (probabilisticly) polynomial-time equivalent if the totient of P-l has only small prime factors with respect to a (fixed)Polynomial in 2logP.

### Counting points of small height on elliptic curves

- Mathematics
- 1989

— Let k be a number field and let E be an elliptic curve defined over k. We prove a counting result which gives, among other things, the existence of a positive constant C, effectively computable in…

### Analysis of the Xedni Calculus Attack

- MathematicsDes. Codes Cryptogr.
- 2000

The practicality of the xedni calculus attack on the elliptic curve discrete logarithm problem (ECDLP) is analyzed, finding that asymptotically the algorithm is virtually certain to fail, because of an absolute bound on the size of the coefficients of a relation satisfied by the lifted points.

### A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack

- Computer Science, MathematicsCRYPTO
- 1998

A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions.…