## Hardness of distinguishing the MSB or LSB of secret keys (2006)

Venue: in Diffie-Hellman schemes, ICALP

Citations: 8 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Fouque06hardnessof,
  author    = {Pierre-Alain Fouque and David Pointcheval and Jacques Stern and Sébastien Zimmer},
  title     = {Hardness of distinguishing the MSB or LSB of secret keys},
  booktitle = {in Diffie-Hellman schemes, ICALP},
  year      = {2006},
  pages     = {240--251},
  publisher = {Springer}
}
```


### Abstract

In this paper we introduce very simple deterministic randomness extractors for Diffie-Hellman distributions. More specifically, we show that the k most significant bits or the k least significant bits of a random element in a subgroup of Z_p^* are indistinguishable from a random bit-string of the same length. This allows us to show that, under the Decisional Diffie-Hellman assumption, we can deterministically derive a uniformly random bit-string from a Diffie-Hellman exchange in the standard model. Then we show that it can be used in key exchange or encryption schemes to avoid the leftover hash lemma and universal hash functions. Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums.

### Citations

- New directions in cryptography. Diffie, Hellman. (2714 citations)
  Citation context: ...ash lemma and universal hash functions. Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums. 1 Introduction. Motivation. The Diffie-Hellman key exchange [15] is a classical tool allowing two entities to agree on a common random element in a group G. It maps a pair of group elements (g^x, g^y) to g^{xy}. Since x and y are randomly chosen, the latter value is unifo...

- Random oracles are practical: A paradigm for designing efficient protocols. Bellare, Rogaway, 1993. (1334 citations)
  Citation context: ..., 33]. In practice, designers prefer to apply hash functions, such as md5 or sha-1, to the Diffie-Hellman element. This solution can be proven secure under the CDH assumption in the random oracle model [2], under the assumption that the compression function acts as a random oracle [13], but not in the standard model (unless one makes additional non-standard assumptions [1, 16, 18]). In this paper, we an...

- A pseudorandom generator from any one-way function. Håstad, Impagliazzo, et al., 1999. (726 citations)
  Citation context: ...ng, i.e. extract the computational entropy injected by the DDH assumption in the Diffie-Hellman element. To solve this problem, different methods have been proposed. Thanks to the Leftover Hash Lemma [23, 25], one can extract entropy hidden within g^z by means of a family of universal hash functions. This solution has the advantage of being proven in the standard model and does not require any cryptograph...

- A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Cramer, Shoup, 1998. (461 citations)
  Citation context: ...xor the generated bit-string with the message. This way, the encryption scheme is still IND-CPA secure. Our extractor can be used in this context to extract randomness. Cramer-Shoup Encryption Scheme [14, 31]. The Cramer-Shoup encryption scheme is an improvement of the El Gamal encryption scheme which is IND-CCA secure. The principle is the same as in El Gamal: it hides m by multiplying it with a random elem...

- A hard-core predicate for all one-way functions. Goldreich, Levin, 1989. (366 citations)

- A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms. El Gamal, 1985. (314 citations)
  Citation context: ...xponentiations modulo an integer of 1024 bits. It means that if we need a 128-long bit-string, the subgroup should have approximately 2^731 elements. 5.2 Encryption Schemes. El Gamal Encryption Scheme [17]. In the El Gamal encryption scheme, the message must be an element of a cyclic group G of order q. Alice generates a random element x in Z_q and publishes y = g^x where g is a generator of G. To encry...

- Lower bounds for discrete logarithms and related problems. Shoup, 1997. (221 citations)

- The decision Diffie-Hellman problem. Boneh, 1998. (196 citations)
  Citation context: ...y from g^{xy} we need that no information leaks and further assumptions are required. Among those, the DDH is perhaps the most popular assumption and allows cryptographers to construct secure protocols [4]. It states the intractability of distinguishing DH-triples (g^x, g^y, g^{xy}) from random triples (g^x, g^y, g^z). Under the decisional Diffie-Hellman assumption (DDH) one can securely agree on a ran...

- How to recycle random bits. Impagliazzo, Zuckerman, 1989. (183 citations)
  Citation context: ...ng, i.e. extract the computational entropy injected by the DDH assumption in the Diffie-Hellman element. To solve this problem, different methods have been proposed. Thanks to the Leftover Hash Lemma [23, 25], one can extract entropy hidden within g^z by means of a family of universal hash functions. This solution has the advantage of being proven in the standard model and does not require any cryptograph...

- A Computational Introduction to Number Theory and Algebra. Shoup, 2005. (112 citations)
  Citation context: ... et al. uniformly distributed in {0, 1}^k, and let A denote a random variable taking values in {0, 1}^n, with i and A mutually independent. Let γ = γ(A), then: SD(⟨i, h_i(A)⟩, ⟨i, U_k⟩) ≤ √(2^k γ) / 2. Proof. See [32]. The Leftover Hash Lemma extracts nearly all of the entropy available whatever the randomness sources are, but it needs to invest a few additional truly random bits. To overcome this problem, it was ...

- Hardness of computing the most significant bits of secret keys. Boneh, Venkatesan, 1996 (LNCS 1109). (96 citations)
  Citation context: ... the assumption that the compression functions of the hash-based constructions under review (the hash functions md5 or sha-1) are a family of almost universal hash functions, which is not realistic. In [5, 6], Boneh and Venkatesan show that the k most significant bits or least significant bits of g^{xy} are hard to compute. Namely, they prove that given an oracle which takes as input (g^x, g^y) and returns...

- The oracle Diffie-Hellman assumptions and an analysis of DHIES. Abdalla, Bellare, et al., 2001. (87 citations)
  Citation context: ...on in the random oracle model [2], under the assumption that the compression function acts as a random oracle [13], but not in the standard model (unless one makes additional non-standard assumptions [1, 16, 18]). In this paper, we analyze a quite simple and efficient randomness extractor for Diffie-Hellman distributions. The security relies on the DDH assumption in the standard model. Related Works. To extr...

- Universal hash functions. Carter, Wegman, 1979. (84 citations)
  Citation context: ...ily of universal hash functions. This solution has the advantage of being proven in the standard model and does not require any cryptographic assumption. One can indeed easily construct such families [10], and they are furthermore quite efficient to compute. However it requires extra randomness which needs to be of good quality (unbiased) and independent of the random secret g^z. Consequently, in a k...

- Estimate for the number of sums and products and for exponential sums in fields of prime order. Bourgain, Glibichuk, Konyagin. (81 citations)
  Citation context: ...ts obtained on this random extractor, one idea would be to find a better bound than √p on M = max_a |Σ_{x=0}^{q-1} e_p(a g^x)|. There are several results which decrease this bound, such as those from [7, 24]. Many of them are asymptotic, and do not make explicit the constants involved. However, by looking carefully at the proof in [24] or [26] we can find them: Theorem 9 ([26]). With the notations of the prev...

- Merkle-Damgård revisited: How to construct a hash function. Coron, Dodis, et al., 2005. (74 citations)
  Citation context: ..., to the Diffie-Hellman element. This solution can be proven secure under the CDH assumption in the random oracle model [2], under the assumption that the compression function acts as a random oracle [13], but not in the standard model (unless one makes additional non-standard assumptions [1, 16, 18]). In this paper, we analyze a quite simple and efficient randomness extractor for Diffie-Hellman distri...

- Using hash functions as a hedge against chosen ciphertext attack. Shoup, 2000. (67 citations)
  Citation context: ...xor the generated bit-string with the message. This way, the encryption scheme is still IND-CPA secure. Our extractor can be used in this context to extract randomness. Cramer-Shoup Encryption Scheme [14, 31]. The Cramer-Shoup encryption scheme is an improvement of the El Gamal encryption scheme which is IND-CCA secure. The principle is the same as in El Gamal: it hides m by multiplying it with a random elem...

- On Diffie-Hellman key agreement with short exponents. van Oorschot, Wiener, 1996. (59 citations)
  Citation context: ... the CDH one. 6.1 The s-DLSE Assumption. To speed up our randomness extractor, we can use a group in which the additional Short Exponent Discrete Logarithm (DLSE) assumption holds. First introduced in [34], it is formalized in [29] and [18] as follows: Assumption 1 (s-DLSE [29]). Let s be an integer, G = {G_n}_n be a family of cyclic groups where each G_n has a generator g_n and ord(G_n) = q_n > 2^n. We say th...

- Character sums with exponential functions and their applications. Konyagin, Shparlinski, 1999. (57 citations)
  Citation context: ...sum is a geometric sum. We use the inequality sin(y) ≥ 2y/π if 0 ≤ y ≤ π/2 for the second inequality. In summary we have: 2Δ ≤ 2^k/p + 2^k M log2(p)/q. (1) Using the bound M ≤ √p that can be found in [26], 2^{n-1} < p < 2^n and 2^{ℓ-1} ≤ q < 2^ℓ, we obtain the expected result. Consequently, since the min entropy of X, as an element of Z_p^* but randomly distributed in G, equals log2(|G|) = log2(q), the previous pro...

- Extracting randomness from samplable distributions. Trevisan, Vadhan, 2000. (57 citations)
  Citation context: ...for cryptographic purposes. They allow us to study a very simple deterministic randomness extractor. Deterministic extractors have been recently introduced in complexity theory by Trevisan and Vadhan [28]. We describe here a deterministic randomness extractor which is provably secure in the standard model, under classical assumptions. We focus on the distribution induced by the DDH in a prime subgroup...

- Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes. Dodis, Gennaro, et al., 2004. (34 citations)
  Citation context: ...heoretical and is not widely used in standard protocols for the simple reason that families of universal hash functions are not present in cryptographic software, while they would be quite efficient [16, 33]. In practice, designers prefer to apply hash functions, such as md5 or sha-1, to the Diffie-Hellman element. This solution can be proven secure under the CDH assumption in the random oracle model [2]...

- On the statistical properties of Diffie-Hellman distributions. Canetti, Friedlander, et al., 2000. (29 citations)
  Citation context: ...ot exist. Our Result. In this paper, we use the exponential sum techniques to analyze cryptographic schemes. These techniques date back to the beginning of the last century, but we borrowed them from [9, 8] where they are used for cryptographic purposes. They allow us to study a very simple deterministic randomness extractor. Deterministic extractors have been recently introduced in complexity theory by...

- On certain exponential sums and the distribution of Diffie-Hellman triples. Canetti, Friedlander, et al., 1999. (26 citations)
  Citation context: ...y relies on the DDH assumption in the standard model. Related Works. To extract randomness from a Diffie-Hellman secret, one approach is to focus on the distribution induced by the DDH assumption. In [9], Canetti et al. show that given the k most significant bits of g^x and g^y, one cannot distinguish, in the statistical sense, the k most significant bits of g^{xy} from a random k-bit string. As Boneh ob...

- Rounding in lattices and its cryptographic applications. Boneh, Venkatesan, 1997. (25 citations)
  Citation context: ... the assumption that the compression functions of the hash-based constructions under review (the hash functions md5 or sha-1) are a family of almost universal hash functions, which is not realistic. In [5, 6], Boneh and Venkatesan show that the k most significant bits or least significant bits of g^{xy} are hard to compute. Namely, they prove that given an oracle which takes as input (g^x, g^y) and returns...

- On the distribution of digits in periodic fractions. Korobov, 1972. (24 citations)
  Citation context: ...atistically close to truly random bits. To prove this result, we apply the exponential sum techniques in order to find an upper bound on the statistical distance. It is very similar to the results of [27], who studies the distribution of fractional parts of a g^x / p in given intervals of [0, 1]. Our result does not require the DDH assumption. However, as is made precise in section 5, to apply it in a cry...

- On the security of Diffie-Hellman bits. Vasco, Shparlinski, 2000. (22 citations)
  Citation context: ...y than by guessing them. However, the techniques used cannot take into account such faulty oracles. Moreover their proof is known to contain a gap which was fixed by Gonzales-Vasco and Shparlinski in [21]. The result of [5, 6] is improved in [21, 20] and in [3]. In the latter, it is shown that under the DDH assumption the two most significant bits of the Diffie-Hellman result are hard to compute. Our ...

- Secure hashed Diffie-Hellman over non-DDH groups. Gennaro, Krawczyk, et al., 2004. (21 citations)
  Citation context: ...on in the random oracle model [2], under the assumption that the compression function acts as a random oracle [13], but not in the standard model (unless one makes additional non-standard assumptions [1, 16, 18]). In this paper, we analyze a quite simple and efficient randomness extractor for Diffie-Hellman distributions. The security relies on the DDH assumption in the standard model. Related Works. To extr...

- An efficient discrete log pseudo random generator. Patel, Sundaram, 1998. (20 citations)
  Citation context: ...SE Assumption. To speed up our randomness extractor, we can use a group in which the additional Short Exponent Discrete Logarithm (DLSE) assumption holds. First introduced in [34], it is formalized in [29] and [18] as follows: Assumption 1 (s-DLSE [29]). Let s be an integer, G = {G_n}_n be a family of cyclic groups where each G_n has a generator g_n and ord(G_n) = q_n > 2^n. We say that the s-DLSE Assumption...

- The Twist-Augmented Technique for Key Exchange. Chevassut, Fouque, et al., 2006. (13 citations)
  Citation context: ...of g^{xy} from a random k-bit string. As Boneh observes [4], this is quite interesting but cannot be applied to practical protocols because an adversary always learns all of g^x and g^y. Chevassut et al. [11, 12] review a quite simple and optimal randomness extractor, but one which can be applied to Z_p^* with a safe prime p only. This randomness extractor is very efficient but requires high computational effort t...

- Extracting bits from coordinates of a point of an elliptic curve. Gürel, 2005. (10 citations)
  Citation context: ... effort to compute g^x, g^y and g^{xy} because of the requirement of a large group. They also presented a new technique (TAU [12]) but which applies to specific elliptic curves only. Independently, Gürel [22] proved that, under the DDH assumption over an elliptic curve, the most significant bits of the Diffie-Hellman transform are statistically close to a random bit-string, when the elliptic curve is defi...

- An efficient discrete log pseudo random generator. Patel, Sundaram, 1998. (10 citations)
  Citation context: ...SE Assumption. To speed up our randomness extractor, we can use a group in which the additional Short Exponent Discrete Logarithm (DLSE) assumption holds. First introduced in [34], it is formalized in [29] and [18] as follows: Assumption 1 (s-DLSE [29]). Let s be an integer, G = {G_n}_n be a family of cyclic groups where each G_n has a generator g_n and ord(G_n) = q_n > 2^n. We say that the s-DLSE Assumption h...

- Key derivation and randomness extraction. Cryptology ePrint Archive, Report 2005/061. Chevassut, Fouque, et al., 2005. (9 citations)
  Citation context: ...of g^{xy} from a random k-bit string. As Boneh observes [4], this is quite interesting but cannot be applied to practical protocols because an adversary always learns all of g^x and g^y. Chevassut et al. [11, 12] review a quite simple and optimal randomness extractor, but one which can be applied to Z_p^* with a safe prime p only. This randomness extractor is very efficient but requires high computational effort t...

- Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC modes. Dodis, Gennaro, et al., 2004. (4 citations)
  Citation context: ...heoretical and is not widely used in standard protocols for the simple reason that families of universal hash functions are not present in cryptographic software, while they would be quite efficient [16, 33]. In practice, designers prefer to apply hash functions, such as md5 or sha-1, to the Diffie-Hellman element. This solution can be proven secure under the CDH assumption in the random oracle model [2],...

- New results on the hardness of Diffie-Hellman bits. Vasco, Näslund, et al., 2004. (4 citations)
  Citation context: ...niques used cannot take into account such faulty oracles. Moreover their proof is known to contain a gap which was fixed by Gonzales-Vasco and Shparlinski in [21]. The result of [5, 6] is improved in [21, 20] and in [3]. In the latter, it is shown that under the DDH assumption the two most significant bits of the Diffie-Hellman result are hard to compute. Our main result here tells that under the DDH assu...

- ACE: The Advanced Cryptographic Engine. Schweinberger, Shoup, 2000. (3 citations)
  Citation context: ...heoretical and is not widely used in standard protocols for the simple reason that families of universal hash functions are not present in cryptographic software, while they would be quite efficient [16, 33]. In practice, designers prefer to apply hash functions, such as md5 or sha-1, to the Diffie-Hellman element. This solution can be proven secure under the CDH assumption in the random oracle model [2],...

- The oracle Diffie-Hellman assumptions and an analysis of DHIES. Abdalla, Bellare, et al. (2 citations)
  Citation context: ...on in the random oracle model [2], under the assumption that the compression function acts as a random oracle [13], but not in the standard model (unless one makes additional non-standard assumptions [1, 16, 18]). In this paper, we analyze a quite simple and efficient randomness extractor for Diffie-Hellman distributions. The security relies on the DDH assumption in the standard model. Related Works. To extr...

- New bounds for Gauss sums derived from kth powers, and for Heilbronn’s exponential. Heath-Brown, Konyagin, 2000. (2 citations)
  Citation context: ...ts obtained on this random extractor, one idea would be to find a better bound than √p on M = max_a |Σ_{x=0}^{q-1} e_p(a g^x)|. There are several results which decrease this bound, such as those from [7, 24]. Many of them are asymptotic, and do not make explicit the constants involved. However, by looking carefully at the proof in [24] or [26] we can find them: Theorem 9 ([26]). With the notations of the prev...

- On the bit security of the Diffie-Hellman key. Blake, Garefalakis, et al., 2006. (1 citation)
  Citation context: ...ot take into account such faulty oracles. Moreover their proof is known to contain a gap which was fixed by Gonzales-Vasco and Shparlinski in [21]. The result of [5, 6] is improved in [21, 20] and in [3]. In the latter, it is shown that under the DDH assumption the two most significant bits of the Diffie-Hellman result are hard to compute. Our main result here tells that under the DDH assumption, a g...