## On the statistical properties of Diffie–Hellman distributions

Venue: | MR 2001k:11258 Zbl 0997.11066 |

Citations: | 29 - 10 self |

### BibTeX

@INPROCEEDINGS{Canetti_onthe,

author = {Ran Canetti and John Friedl and Sergei Konyagin and Michael Larsen and Daniel Lieman},

title = {On the statistical properties of Diffie–Hellman distributions},

booktitle = {MR 2001k:11258 Zbl 0997.11066},

year = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

Let p be a large prime such that p−1 has some large prime factors, and let ϑ ∈ Z ∗ p be an r-th power residue for all small factors of p − 1. The corresponding Diffie-Hellman (DH) distribution is (ϑ x, ϑ y, ϑ xy) where x, y are randomly chosen from Z ∗ p. A recently formulated assumption is that given p, ϑ of the above form it is infeasible to distinguish in reasonable time between DH distribution and triples of numbers chosen

### Citations

2845 | New Directions in Cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...arious questions related to uniform distribution of sequences. Keywords: Diffie--Hellman cryptosystem, Exponential sums, Uniform distribution. 1 Introduction The Diffie-Hellman key exchange algorithm =-=[10]-=- remains one of the cornerstones of modern cryptography to date. The security of this algorithm is based on the assumption that if p is a large prime and g is a generator of ZZ p then the value g xy `... |

1227 |
Probabilistic Encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...obability). 2 Given these limitations of the DHC assumption, it seems useful to say that at the end of the DH key exchange the eavesdropper learns no informationsabout g xy . Using standard machinery =-=[15, 39], th-=-is latter assumption can be formulated roughly as follows: `no probabilistic polynomial time algorithm can, given p; g; g x ; g y ; �� where x; y are chosen uniformly from ZZ p , distinguish with ... |

545 |
Finite Fields
- Lidl, Niederreiter
- 1983
(Show Context)
Citation Context ...eger ks1 a bound is known [19] of a very short exponential sum with # x , roughly of length exp(c log 2=3 m) with some constant c ? 0. Several more bounds of exponential sums with # x can be found in =-=[18, 19, 20, 21, 26, 32]-=-. Although it is not quite clear how to extend Lemma 7 to composite moduli, the bounds of [31, 34, 35] can be generalized, see [28]. All of them can be used to obtain some analogues of the results of ... |

525 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...obability). 2 Given these limitations of the DHC assumption, it seems useful to say that at the end of the DH key exchange the eavesdropper learns no information about g xy . Using standard machinery =-=[17, 41]-=-, this latter assumption can be formulated roughly as follows: ‘no probabilistic polynomial time algorithm can, given p, g, g x , g y , ξ where x, y are chosen uniformly from Z ∗ p, distinguish with n... |

509 |
Heijst, “Group signatures
- Chaum, van
- 1991
(Show Context)
Citation Context ...to see that the DHI assumption is equivalent to the semantic security of El-Gamal encryption [36]. Yet other examples where the DHI assumption is implicit include algorithms for undeniable signatures =-=[8]-=-, Feldman's Verifiable Secret Sharing protocol [13, 27], and many others. Surprisingly, in spite of its centrality, the DHI assumption was made explicit only lately (to the best of our knowledge). Bra... |

274 | Authentication and authenticated key exchanges
- Diffie, Oorschot, et al.
- 1992
(Show Context)
Citation Context ...rst example is the many implementations and applications of the DH key exchange itself, where the value ϑ xy is often assumed to be indistinguishable from random for eavesdroppers (see, for instance, =-=[11]-=-). The DHI assumption is also implicit in the popular El-Gamal encryption scheme [12]. In fact, it is not hard to see that the DHI assumption is equivalent to the semantic security of El-Gamal encrypt... |

241 |
A practical scheme for non-interactive verifiable secret sharing
- Feldman
- 1987
(Show Context)
Citation Context ...e semantic security of El-Gamal encryption [36]. Yet other examples where the DHI assumption is implicit include algorithms for undeniable signatures [8], Feldman's Verifiable Secret Sharing protocol =-=[13, 27]-=-, and many others. Surprisingly, in spite of its centrality, the DHI assumption was made explicit only lately (to the best of our knowledge). Brands suggested it in [4]; it is also used in [5] to cons... |

228 | Lower Bounds for Discrete Logarithms and Related Problems
- Shoup
- 1997
(Show Context)
Citation Context ... (DL): ‘there do not exist polynomial-time algorithms that, given p, g, g x , compute x’. Indeed, a large body of work is aimed at relating the DHC assumption to the DL assumption (see, for instance, =-=[2, 24, 25, 32]-=-). Certainly, the DHC assumption is necessary for the DH key exchange to be valid. But is it sufficient? For instance, the following scenario is consistent with our current knowledge: the DHC assumpti... |

161 |
Sieve methods
- Halberstam, Richert
- 1974
(Show Context)
Citation Context ...w for a fact that it applies to infinitely many p of this simplest type where t is itself a large prime. We do know, for example, as a well-known consequence of sieve methods, due to J.--R. Chen, see =-=[16]-=-, that there are infinitely primes for which (p \Gamma 1)=2 is either prime or else the product of two (large) primes. Nevertheless, it would be nice to know that the simplest case is infinitely often... |

152 | Number-theoretic constructions of efficient pseudo-random functions, The
- Naor, Reingold
- 1997
(Show Context)
Citation Context ...input. In [5] some additional, 4sstronger variants of DHI are suggested and used. Also, Naor and Reingold construct, based on the DHI assumption, pseudorandom functions with some appealing properties =-=[27]-=-. See [27] for a good survey of the DHI assumption and related work. This work. We investigate the validity of the DHI assumption. More specifically, we demonstrate some reassuring statistical propert... |

142 | Foundations of Cryptography (Fragments of a book)", Weizmann Inst
- Goldreich
- 1995
(Show Context)
Citation Context ...te that there exist subsets of the bit positions of g xy that are as difficult to compute as the entire value. We elaborate in the sequel. where c �� denotes `computationally indistinguishable'. (=-=See [39, 14]-=- for details on computational indistinguishability.) We know [17] that for infinitely many primes p all odd prime divisors ` of p \Gamma 1 satisfy `sp 0:275 and we know from [1] that infinitely many p... |

139 |
Über die Gleichverteilung von Zahlen mod. Eins
- Weyl
- 1916
(Show Context)
Citation Context ...pproached quite fast. Pictorially, this means that if one paints the DH-vectors black, and paints all other points in the unit cube white, then the unit cube will be ‘uniformly gray’ throughout. (See =-=[40]-=- for details on this notion of uniformity.) A consequence of this result is that if one restricts attention to some fixed fraction of the most significant bits of (ϑ x , ϑ y , ϑ xy ) then the obtained... |

138 | An efficient off-line electronic cash system based on the representation problem
- Brands
- 1993
(Show Context)
Citation Context ...le Secret Sharing protocol [13, 27], and many others. Surprisingly, in spite of its centrality, the DHI assumption was made explicit only lately (to the best of our knowledge). Brands suggested it in =-=[4]-=-; it is also used in [5] to construct hash functions that hide all partial information on their input. In [5] some additional, stronger variants of DHI are suggested and used. Also, Naor and Reingold ... |

127 |
Quasi-Monte Carlo methods and pseudorandom
- Niederreiter
- 1978
(Show Context)
Citation Context ...) � � � y=0 x=1 � � �t/tk−1 � � tk� = � � ep−1(btky) ep (aρ � y=0 x=1 x � � � )ep−1(bx) � � � ≤ t � � tk� � � ep (aρ � x � � � )ep−1(bx) � � . tk x=1 It follows from Lemma 2 of [21] or Theorem 8.2 of =-=[28]-=- that the last sum does not exceed p 1/2 . Because tk = t/ gcd(k, t), the bound follows. ⊓⊔ We also need the following estimate on the average value of σ1(a, b; t): Lemma5. The identity holds. Proof. ... |

121 | Ten Lectures on the Interface Between Analytic Number Theory and Harmonic - Montgomery - 1994 |

114 | Towards realizing random oracles: Hash functions that hide all partial information
- Canetti
- 1997
(Show Context)
Citation Context ...ol [13, 27], and many others. Surprisingly, in spite of its centrality, the DHI assumption was made explicit only lately (to the best of our knowledge). Brands suggested it in [4]; it is also used in =-=[5]-=- to construct hash functions that hide all partial information on their input. In [5] some additional, stronger variants of DHI are suggested and used. Also, Naor and Reingold construct, based on the ... |

98 |
Ramarathnam Venkatesan. Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes
- Boneh
- 1996
(Show Context)
Citation Context ...to distinguish the Diffie--Hellman triples from random ones cannot be based on statistical data alone. Related Work. Boneh and Venkatessan investigate the relation between the DHI and DHC assumptions =-=[3]-=-. In particular they show that if one can compute the O( p log p) most significant bits of g xy from g; g x ; g y , then one can compute g xy in its entirety. Results with similar flavor are obtained ... |

76 |
Algorithms for Black-Box Fields and their Applications to Cryptography
- Boneh, Lipton
- 1996
(Show Context)
Citation Context ... (DL): `there do not exist polynomial-time algorithms that, given p; g; g x , compute x'. Indeed, a large body of work is aimed at relating the DHC assumption to the DL assumption (see, for instance, =-=[2, 22, 23, 30]-=-). Certainly, the DHC assumption is necessary for the DH key exchange to be valid. But is it sufficient? For instance, the following scenario is consistent with our current knowledge: the DHC assumpti... |

71 |
Elements of Number Theory
- Vinogradov
- 1954
(Show Context)
Citation Context ...� � Hi � � � � a1,a2,a3=0 i=1 �ui=0 ≪ t 5/3 p 1/4 � 3� p−1 � � Hi � � � � i=1 ai=0 �ui=0 � � � ep(aiui) � � � � � � ep(aiui) � � � . Applying the well known estimate (see Problem 11.c to Chapter 3 of =-=[39]-=-) � � p−1 � � H� � � � � ep(au) � = O(p log p), � � (7) a=0 u=0 which holds for 1 ≤ H ≤ p − 1 we obtain the desired estimate. ⊓⊔ Virtually the same proof yields the same result for the most significan... |

70 |
Distributed provers with applications to undeniable signatures
- Pedersen
- 1991
(Show Context)
Citation Context ...e semantic security of El-Gamal encryption [38]. Yet other examples where the DHI assumption is implicit include algorithms for undeniable signatures [8], Feldman’s Verifiable Secret Sharing protocol =-=[13, 29]-=-, and many others. Surprisingly, in spite of its centrality, the DHI assumption was made explicit only lately (to the best of our knowledge). Brands suggested it in [4]; it is also used in [5] to cons... |

69 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete algorithms
- Maurer
- 1994
(Show Context)
Citation Context ... (DL): `there do not exist polynomial-time algorithms that, given p; g; g x , compute x'. Indeed, a large body of work is aimed at relating the DHC assumption to the DL assumption (see, for instance, =-=[2, 22, 23, 30]-=-). Certainly, the DHC assumption is necessary for the DH key exchange to be valid. But is it sufficient? For instance, the following scenario is consistent with our current knowledge: the DHC assumpti... |

58 |
Character sums with exponential functions and their applications
- Konyagin, Shparlinski
- 1999
(Show Context)
Citation Context ...er k ≥ 1 a bound is known [21] of a very short exponential sum with ϑ x , roughly of length exp(c log 2/3 m) with some constant c > 0. Several more bounds of exponential sums with ϑ x can be found in =-=[20, 21, 22, 23, 28, 34]-=-. Although it is not quite clear how to extend Lemma 7 to composite moduli, the bounds of [33, 36, 37] can be generalized, see [30]. All of them can be used to obtain some analogues of the results of ... |

46 |
Artin's conjecture for primitive roots
- Heath-Brown
- 1986
(Show Context)
Citation Context ...difficult to compute as the entire value. We elaborate in the sequel. where c �� denotes `computationally indistinguishable'. (See [39, 14] for details on computational indistinguishability.) We k=-=now [17]-=- that for infinitely many primes p all odd prime divisors ` of p \Gamma 1 satisfy `sp 0:275 and we know from [1] that infinitely many primes have a prime divisor `sp 0:677 . The DHI assumption is used... |

40 |
Authentication and Authenticated Key Exchanges", Designs, Codes and Cryptography, v 2 pp 107-125
- Diffie, Oorshot, et al.
- 1992
(Show Context)
Citation Context ...rst example is the many implementations and applications of the DH key exchange itself, where the value # xy is often assumed to be indistinguishable from random for eavesdroppers (see, for instance, =-=[11]-=-). The DHI assumption is also implicit in the popular ElGamal encryption scheme [12]. In fact, it is not hard to see that the DHI assumption is equivalent to the semantic security of El-Gamal encrypti... |

35 |
Shifted primes without large prime factors
- Baker, Harman
- 1998
(Show Context)
Citation Context ...nguishable'. (See [39, 14] for details on computational indistinguishability.) We know [17] that for infinitely many primes p all odd prime divisors ` of p \Gamma 1 satisfy `sp 0:275 and we know from =-=[1]-=- that infinitely many primes have a prime divisor `sp 0:677 . The DHI assumption is used, either explicitly or implicitly, in many cryptographic algorithms and protocols. A first example is the many i... |

32 |
On Computing Logarithms Over Finite Fields
- ElGamal
- 1986
(Show Context)
Citation Context ...lf, where the value # xy is often assumed to be indistinguishable from random for eavesdroppers (see, for instance, [11]). The DHI assumption is also implicit in the popular ElGamal encryption scheme =-=[12]-=-. In fact, it is not hard to see that the DHI assumption is equivalent to the semantic security of El-Gamal encryption [36]. Yet other examples where the DHI assumption is implicit include algorithms ... |

31 |
Exponential sums and their applications
- Korobov
- 1992
(Show Context)
Citation Context ...eger ks1 a bound is known [19] of a very short exponential sum with # x , roughly of length exp(c log 2=3 m) with some constant c ? 0. Several more bounds of exponential sums with # x can be found in =-=[18, 19, 20, 21, 26, 32]-=-. Although it is not quite clear how to extend Lemma 7 to composite moduli, the bounds of [31, 34, 35] can be generalized, see [28]. All of them can be used to obtain some analogues of the results of ... |

30 |
On polynomial approximation of the Discrete Logarithm and the Diffie-Hellman mapping
- Coppersmith, Shparlinski
- 2000
(Show Context)
Citation Context ...obtained by Schrift and Shamir with respect to discrete logarithms over Blum integers [29]. Bounds on character sums and the number of solutions of some equations over finite fields have been used in =-=[9, 33]-=- to derive various lower bounds on the complexity of breaking the Diffie--Hellman cryptosystem and related problems. In a previous work [6] some results on DH distributions have already been obtained.... |

28 | On Certain Exponential Sums and the Distribution of Di¢ e-Hellman Triples
- Canetti, Friedlander, et al.
- 1999
(Show Context)
Citation Context ...s of some equations over finite fields have been used in [9, 33] to derive various lower bounds on the complexity of breaking the Diffie--Hellman cryptosystem and related problems. In a previous work =-=[6]-=- some results on DH distributions have already been obtained. In this paper we improve a number of these results and also generalize them in two substantial ways. First, here we obtain bounds for almo... |

26 |
Finite fields: Theory and computation
- Shparlinski
- 1999
(Show Context)
Citation Context ...dent interest. This new bound allows us to improve some of the results of [6] which are based on bounds for the number of solutions of exponential equations from [33, 36, 37], see also Section 3.3 of =-=[34]-=-. 3 Preparations For integers a, b, and k, we denote by σk(a, b; t) the following exponential sum t� σk(a, b; t) = � aϑ kx� ep−1(bx). ep x=1 9sWe need the following upper bound, which follows quickly ... |

24 |
On the distribution of digits in periodic fractions
- Korobov
- 1972
(Show Context)
Citation Context ...=t k \Gamma1 X y=0 e p\Gamma1 (bt k y) t k X x=1 e p (aae x ) e p\Gamma1 (bx) fi fi fi fi fi fi t t k fi fi fi fi fi t k X x=1 e p (aae x ) e p\Gamma1 (bx) fi fi fi fi fi : It follows from Lemma 2 of =-=[19]-=- or Theorem 8.2 of [26] that the last sum does not exceed p 1=2 . Because t k = t= gcd(k; t), the bound follows. ut We also need the following estimate on the average value of oe 1 (a; b; t): Lemma 5.... |

20 |
Number theoretic methods in cryptography: complexity lower bounds, volume 17 of Progress in computer science and applied logic. Birkhäuser
- Shparlinski
- 1999
(Show Context)
Citation Context ...obtained by Schrift and Shamir with respect to discrete logarithms over Blum integers [31]. Bounds on character sums and the number of solutions of some equations over finite fields have been used in =-=[9, 35]-=- to derive various lower bounds on the complexity of breaking the Diffie–Hellman cryptosystem and related problems. In a previous work [6] some results on DH distributions have already been obtained. ... |

15 | The discrete log is very discreet
- SCHRIFT, SHAMIR
- 1990
(Show Context)
Citation Context ...icant bits of g xy from g, g x , g y , then one can compute g xy in its entirety. Results with similar flavor are obtained by Schrift and Shamir with respect to discrete logarithms over Blum integers =-=[31]-=-. Bounds on character sums and the number of solutions of some equations over finite fields have been used in [9, 35] to derive various lower bounds on the complexity of breaking the Diffie–Hellman cr... |

13 | On the Distribution of the RSA generator
- Friedlander, Lieman, et al.
- 1998
(Show Context)
Citation Context ...iplicative order, whereas there only generators of Z ∗ p are considered. In subsequent work, exponential sum bounds given here are applied [14] to study the correlation of binary M–sequences and also =-=[15]-=- the distribution of the RSA pseudo–random number generator. Organization. In Section 2 we present a short introduction to exponential sums and their usage. Section 3 prepares the ground for the main ... |

6 |
On the construction of a primitive normal basis of a finite field
- Stepanov, Shparlinski
- 1989
(Show Context)
Citation Context ...lynomials which is probably of independent interest. This new bound allows us to improve some of the results of [6] which are based on bounds for the number of solutions of exponential equations from =-=[33, 36, 37]-=-, see also Section 3.3 of [34]. 3 Preparations For integers a, b, and k, we denote by σk(a, b; t) the following exponential sum t� σk(a, b; t) = � aϑ kx� ep−1(bx). ep x=1 9sWe need the following upper... |

6 |
On the construction of primitive elements and primitive normal bases in a finite field
- Stepanov, Shparlinski
- 1989
(Show Context)
Citation Context ...lynomials which is probably of independent interest. This new bound allows us to improve some of the results of [6] which are based on bounds for the number of solutions of exponential equations from =-=[33, 36, 37]-=-, see also Section 3.3 of [34]. 3 Preparations For integers a, b, and k, we denote by σk(a, b; t) the following exponential sum t� σk(a, b; t) = � aϑ kx� ep−1(bx). ep x=1 9sWe need the following upper... |

5 |
The Vinogradov–Mordell–Tietäväinen inequalities
- Chalk
- 1980
(Show Context)
Citation Context ... . . , t, whose smallest non-negative residues modulo p belong to the box B. In this form there is an alternative well-known way of deriving the result from the exponential sum bound (see for example =-=[7]-=-) which does not however apply to the least significant bits. The result is Theorem 10. We have, sup B ∣ Nt(B) − t 2 (p − 1) #B 3 ∣ ≪ t5/3p 1/4 log 3 p. 21 ⊓⊔Of course, the weaker fact that the left ... |

5 | On the complexity of breaking the Diffie–Hellman protocol
- Maurer, Wolf
- 1996
(Show Context)
Citation Context ... (DL): ‘there do not exist polynomial-time algorithms that, given p, g, g x , compute x’. Indeed, a large body of work is aimed at relating the DHC assumption to the DL assumption (see, for instance, =-=[2, 24, 25, 32]-=-). Certainly, the DHC assumption is necessary for the DH key exchange to be valid. But is it sufficient? For instance, the following scenario is consistent with our current knowledge: the DHC assumpti... |

4 |
On zeros of exponential polynomials and related questions
- Poorten, Shparlinski
- 1992
(Show Context)
Citation Context ...nds of exponential sums with ϑ x can be found in [20, 21, 22, 23, 28, 34]. Although it is not quite clear how to extend Lemma 7 to composite moduli, the bounds of [33, 36, 37] can be generalized, see =-=[30]-=-. All of them can be used to obtain some analogues of the results of this paper for composite moduli. Certainly it would be interesting to study what happens on the ‘diagonal’ x = y. Open Question13. ... |

4 |
On prime divisors of recurrence sequences’, Izvestija Vysshih Uchebnyh
- Shparlinski
- 1980
(Show Context)
Citation Context ...lynomials which is probably of independent interest. This new bound allows us to improve some of the results of [6] which are based on bounds for the number of solutions of exponential equations from =-=[33, 36, 37]-=-, see also Section 3.3 of [34]. 3 Preparations For integers a, b, and k, we denote by σk(a, b; t) the following exponential sum t� σk(a, b; t) = � aϑ kx� ep−1(bx). ep x=1 9sWe need the following upper... |

3 |
On correlation of binary M-sequences', Designs, Codes and Cryptography
- Friedlander, Larsen, et al.
- 1996
(Show Context)
Citation Context ...ond, our results apply to any ϑ ∈ Z ∗ p with high enough multiplicative order, whereas there only generators of Z ∗ p are considered. In subsequent work, exponential sum bounds given here are applied =-=[14]-=- to study the correlation of binary M–sequences and also [15] the distribution of the RSA pseudo–random number generator. Organization. In Section 2 we present a short introduction to exponential sums... |

2 |
Exponential sums with finitely generated multiplicative groups and their applications
- Konyagin, Shparlinski
- 1997
(Show Context)
Citation Context ...eger ks1 a bound is known [19] of a very short exponential sum with # x , roughly of length exp(c log 2=3 m) with some constant c ? 0. Several more bounds of exponential sums with # x can be found in =-=[18, 19, 20, 21, 26, 32]-=-. Although it is not quite clear how to extend Lemma 7 to composite moduli, the bounds of [31, 34, 35] can be generalized, see [28]. All of them can be used to obtain some analogues of the results of ... |

2 |
The semantic security of El Gamal encryption is equivalent to the decision Diffie-Hellman
- Tsiounis, Yung
- 1997
(Show Context)
Citation Context ...he DHI assumption is also implicit in the popular El-Gamal encryption scheme [12]. In fact, it is not hard to see that the DHI assumption is equivalent to the semantic security of El-Gamal encryption =-=[38]-=-. Yet other examples where the DHI assumption is implicit include algorithms for undeniable signatures [8], Feldman’s Verifiable Secret Sharing protocol [13, 29], and many others. Surprisingly, in spi... |