Both uniform and non-uniform results concerning the security of the Diffie-Hellman key-exchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the Diffie-Hellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the Diffie-Hellman problem and the discrete logarithm problem are polynomial-time equivalent in G. Second, it is proved that the Diffie-Hellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...

The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.

In this paper, we show several connections between the L-conjecture, proposed by Bürgisser [3], and the boundedness theorem for the torsion points of elliptic curves. Assuming the W Lconjecture, which is a much weaker version of the L-conjecture, a sharper bound is obtained for the number of torsion points over extensions of k on an elliptic curve over a number field k, which improves Masser’s result [10]. It is also shown that the Torsion Theorem for elliptic curves follows directly from the W L-conjecture. Since the current proof of the Torsion Theorem for elliptic curves uses considerable machinery from arithmetic geometry, and the W L-conjecture differs from the trivial lower bound only at a constant factor, this result provides an interesting example where increasing the constant factor in a trivial lower bound of straight-line complexity is very difficult. Our result suggests that the Torsion Theorem may be viewed as a lower bound result in algebraic complexity, and a lot can be learned from the proof of the Uniformly Boundedness Theorem to construct the proofs the W L-conjecture and even the L-conjecture.. 1