## The Diffie-Hellman Protocol (1999)

Venue: Designs, Codes, and Cryptography

Citations: 30 (0 self)

### BibTeX

```bibtex
@ARTICLE{Maurer99thediffie-hellman,
  author  = {Ueli M. Maurer and Stefan Wolf},
  title   = {The Diffie-Hellman Protocol},
  journal = {DESIGNS, CODES, AND CRYPTOGRAPHY},
  year    = {1999},
  volume  = {19},
  pages   = {2000}
}
```

### Abstract

The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.

### Citations

3231 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Rivest, Shamir, et al. - 1978
Citation context: "...aphy. The theoretical concepts of a public-key cryptosystem and a digital signature have been realized only two years after Diffie and Hellman's paper by Rivest, Shamir, and Adleman in the RSA-system [50]. However, Diffie and Hellman presented the first protocol with public-key properties, the so-called Diffie-Hellman (DH) protocol for public key distribution. An earlier protocol due to Merkle, called..."

3006 | New Directions in Cryptography - Diffie, Hellman - 1976
Citation context: "...enerate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol. 1 Introduction In 1976, Whitfield Diffie and Martin Hellman published their celebrated paper [16] which initiated a revolution in cryptography. Diffie and Hellman can be seen as the founders of modern cryptography. The theoretical concepts of a public-key cryptosystem and a digital signature have..."

2219 | An Introduction to Probability Theory and Its Applications - Feller - 1967

1246 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - ElGamal - 1985

975 | An Introduction to the Theory of Numbers - Hardy, Wright - 1960

796 | Elliptic curve cryptosystems - Koblitz - 1987
Citation context: "...ltiplicative groups of large finite fields (prime fields [16] or extension fields), the multiplicative group of residues modulo a composite number [37], [38], elliptic curves over finite fields [43], [24], the Jacobian of a hyperelliptic curve over a finite field [23], and the class group of imaginary quadratic fields [9]. This paper is organized as follows. In Section 2, some computational problems r..."

760 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, et al. - 1982
Citation context: "...ber problem can be solved in probabilistic polynomial time. Boneh and Venkatesan proved the following result by using rounding techniques in lattices, based on methods of Lenstra, Lenstra, and Lovász [29] and Babai [2]. Theorem 10 [6] Let p be prime, n = ⌈log p⌉, and let G = Z_p^*. For k = ⌈√n⌉ + ⌈log n⌉, it is computationally equivalent to compute all the k most significant bits of the Diffie-Hellma..."

605 | A Classical Introduction to Modern Number Theory - Ireland, Rosen - 1990

596 | Use of elliptic curves in cryptography - Miller - 1986
Citation context: "...the multiplicative groups of large finite fields (prime fields [16] or extension fields), the multiplicative group of residues modulo a composite number [37], [38], elliptic curves over finite fields [43], [24], the Jacobian of a hyperelliptic curve over a finite field [23], and the class group of imaginary quadratic fields [9]. This paper is organized as follows. In Section 2, some computational prob..."

458 | Introduction to Finite Fields and their Applications - Lidl, Niederreiter - 1986

330 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance - Pohlig, Hellman - 1978
Citation context: "...roup H can be reduced to the same problem in the minimal non-trivial subgroups of H, i.e., the subgroups of H with prime order, by the following method which is often attributed to Pohlig and Hellman [47]. Let a = h^x. For a fixed prime factor q of |H|, consider the group element a^{|H|/q} = h^{x·|H|/q}. The algorithm is based on the following two simple observations. Because (a^{|H|/q})^q = a^{|H..."

326 | Efficient identification and signatures for smart cards - Schnorr - 1989

317 | Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field - Menezes, Okamoto, et al. - 1993
Citation context: "...used in discrete-logarithm based cryptosystems such as the Diffie-Hellman protocol. They appear to have the advantage that shorter secret keys can be used for the same security level. Menezes et al. [40] have shown that the DL problem in a supersingular elliptic curve over a finite field can be efficiently reduced to the same problem in the multiplicative group of an extension field of small degree..."

305 | Elliptic Curve Public Key Cryptosystems - Menezes - 1993
Citation context: "...iptic curve (called addition) which can be expressed in a constant number of algebraic operations in the coordinates and such that E_{a,b}(p) forms an abelian group with neutral element O. We refer to [42] for an introduction to elliptic curves. We describe how x can be computed from g^x. First, the group element g^{x^3+ax+b} can be computed from g^x by O(log p) group operations and two calls to the DH..."

260 | Algorithms for Computer Algebra - Geddes, Czapor, et al. - 1992

253 | Factoring integers with elliptic curves - Lenstra - 1987
Citation context: "...thms is known, such as non-supersingular elliptic curves or Jacobians of hyperelliptic curves. The basic idea of the reduction is as follows. Like in Lenstra's elliptic curve integer factoring method [28], elliptic curve parameters are chosen at random until a curve with subexponentially-smooth order is generated. The running-time analysis of such an algorithm is based on the following conditions. Fir..."

252 | Monte Carlo methods for index computation (mod p) - Pollard
Citation context: "...y is O((log |H|)^2 + B log |H| / log B) or O((log |H|)^2 + √B log |H|) when the baby-step giant-step method is used. An additional general-purpose discrete logarithm algorithm is Pollard's rho-method [48]. Heuristic arguments suggest that this algorithm has approximately the same running time as the baby-step giant-step method, but this has not been rigorously proved. The advantage of Pollard's rho-me..."

247 | On Lovász' lattice reduction and the nearest lattice point problem - Babai - 1986
Citation context: "...be solved in probabilistic polynomial time. Boneh and Venkatesan proved the following result by using rounding techniques in lattices, based on methods of Lenstra, Lenstra, and Lovász [29] and Babai [2]. Theorem 10 [6] Let p be prime, n = ⌈log p⌉, and let G = Z_p^*. For k = ⌈√n⌉ + ⌈log n⌉, it is computationally equivalent to compute all the k most significant bits of the Diffie-Hellman key simultan..."

237 | Lower Bounds for Discrete Logarithms and Related Problems - Shoup - 1997
Citation context: "...ly the same running time as the baby-step giant-step method, but this has not been rigorously proved. The advantage of Pollard's rho-method is that it requires virtually no memory space. Shoup showed [55] that no general-purpose discrete logarithm algorithm can be substantially faster than the combination of the Pohlig-Hellman decomposition and the baby-step giant-step method. For a description of the..."

184 | Elliptic curves over finite fields and the computation of square roots mod p - Schoof - 1985
Citation context: "...braic algorithms which is described in Section 3.7. By using the described method of choosing elliptic curves over GF(p) at random, computing their order in polynomial time by a method due to Schoof [54], checking the smoothness of this order with the elliptic curve factoring algorithm (and choosing a new curve unless the order is L_{1/2}(p)-smooth), and applying the technique described in the previo..."

170 | Computing in the Jacobian of a hyperelliptic curve - Cantor - 1987

159 | Hyperelliptic Cryptosystems - Koblitz - 1989
Citation context: "...extension fields), the multiplicative group of residues modulo a composite number [37], [38], elliptic curves over finite fields [43], [24], the Jacobian of a hyperelliptic curve over a finite field [23], and the class group of imaginary quadratic fields [9]. This paper is organized as follows. In Section 2, some computational problems related to the DH protocol are discussed such as the Diffie-Hellm..."

153 | Number-theoretic constructions of efficient pseudo-random functions - Naor, Reingold - 1997
Citation context: "...; g^v) only if u = v. The reduction exploits that (g^{uv})^2 = g^{(u+v)^2} (g^{u^2})^{-1} (g^{v^2})^{-1}. A result related to the above has also been shown for the DHD problem by Naor and Reingold [44]. They proved that the DHD problem in a group G with generator g and of prime order is as hard in the average case as it is in the worst case by giving a method for randomizing the input. When give..."

143 | An Efficient Off-line Electronic Cash System Based on the Representation Problem, Centrum voor Wiskunde en Informatica (CWI) - Brands - 1993
Citation context: "...t. This implies that no partial information about g^{ab} can be efficiently extracted from g^a and g^b. The Diffie-Hellman decision problem is defined as follows. It was first explicitly formulated in [7]. Definition 3 Let G be a finite cyclic group with generator g. Let g^a, g^b, g^c be chosen independently and randomly in G according to the uniform distribution. Given the triples (g^a, g^b, g^{ab}..."

116 | Towards realizing random oracles: Hash functions that hide all partial information - Canetti - 1997
Citation context: "...an be hard in a group G if the group order |G| contains at least one large prime factor, whereas the DHD problem can only be hard if |G| is free of small prime factors (see also Section 5.1). Canetti [10] has described the following generalization of the DHD problem for a group G of prime order. Let f be an uninvertible function, i.e., a function for which it is hard to obtain x from f(x) with non-neg..."

99 | Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes - Boneh, Venkatesan - 1996
Citation context: "...o-called most significant bits. However, it is conceivable that an adversary who is not able to break the Diffie-Hellman protocol can nevertheless compute these bits efficiently. Boneh and Venkatesan [6] investigated the security of the most significant bits in the Diffie-Hellman protocol (and other schemes) in the groups Z_p^* for prime numbers p. They considered the following two functions (where p a..."

79 | Algorithms for black box fields and their application to cryptography - Boneh, Lipton - 1996
Citation context: "...echnique for proving such equivalence results which was introduced by Maurer [32] as a generalization of an earlier result by den Boer [15], and was further developed by Wolf [60], Boneh and Lipton [5], Maurer and Wolf [36], and Cherepnev [13]. 3.1 The Diffie-Hellman oracle Definition 4 A Diffie-Hellman oracle (DH oracle for short) for a group G with respect to a given generator g takes as inputs t..."

75 | Almost All Primes Can Be Quickly Certified - Goldwasser, Kilian - 1986

74 | Theorems on factorization and primality testing - Pollard - 1974

70 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms - Maurer - 1994
Citation context: "...garithms efficiently. It was shown that this is true for certain classes of groups. In this section we describe a general technique for proving such equivalence results which was introduced by Maurer [32] as a generalization of an earlier result by den Boer [15], and was further developed by Wolf [60], Boneh and Lipton [5], Maurer and Wolf [36], and Cherepnev [13]. 3.1 The Diffie-Hellman oracle Defi..."

60 | On Diffie-Hellman key agreement with short exponents - van Oorschot, Wiener - 1996
Citation context: "...problem in a supersingular elliptic curve over a finite field can be efficiently reduced to the same problem in the multiplicative group of an extension field of small degree. Van Oorschot and Wiener [45] have studied the risk of choosing short exponents in the DH protocol. They presented a combination of Pollard's lambda-method and the Pohlig-Hellman decomposition. Pollard's lambda-method [48] allows..."

58 | Applications of Finite Fields - Menezes

57 | A key distribution system equivalent to factoring - McCurley - 1988
Citation context: "...d for application in the DH protocol are the multiplicative groups of large finite fields (prime fields [16] or extension fields), the multiplicative group of residues modulo a composite number [37], [38], elliptic curves over finite fields [43], [24], the Jacobian of a hyperelliptic curve over a finite field [23], and the class group of imaginary quadratic fields [9]. This paper is organized as follo..."

49 | Primality testing and Abelian varieties over finite fields, volume 1512 of Lecture Notes in Mathematics - Adleman, Huang - 1992

46 | Constructing elliptic curves with given group order over large finite fields - Lay, Zimmer - 1994

44 | Non-interactive public-key cryptography - Maurer, Yacobi - 1992

42 | The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms - Maurer, Wolf - 1999
Citation context: "...h respect to the Diffie-Hellman protocol, and whether changing the generator of the group can change the complexity of breaking the DH protocol. We assume here that the order of G is known. Theorem 8 [33] Let P be a fixed polynomial. Let G be a cyclic group with generator g. If the number r is such that every prime factor of r is either smaller than B := P(log |G|) or has at least the same multiplici..."

39 | Diffie-Hellman oracles - Maurer, Wolf - 1996
Citation context: "...such equivalence results which was introduced by Maurer [32] as a generalization of an earlier result by den Boer [15], and was further developed by Wolf [60], Boneh and Lipton [5], Maurer and Wolf [36], and Cherepnev [13]. 3.1 The Diffie-Hellman oracle Definition 4 A Diffie-Hellman oracle (DH oracle for short) for a group G with respect to a given generator g takes as inputs two elements a, b ∈ G (..."

37 | A key-exchange system based on imaginary quadratic fields - Buchmann, Williams - 1988
Citation context: "...modulo a composite number [37], [38], elliptic curves over finite fields [43], [24], the Jacobian of a hyperelliptic curve over a finite field [23], and the class group of imaginary quadratic fields [9]. This paper is organized as follows. In Section 2, some computational problems related to the DH protocol are discussed such as the Diffie-Hellman problem, the Diffie-Hellman decision problem, and th..."

27 | A Note on Elliptic Curves Over Finite Fields - Rück - 1987
Citation context: "...that for any a, b ∈ GF(p), p − 2√p + 1 ≤ |E_{a,b}(GF(p))| ≤ p + 2√p + 1, and that for each d ∈ [p − 2√p + 1, p + 2√p + 1] there exists a cyclic elliptic curve over GF(p) with order d [51]. This implies the following non-uniform reduction of the DL problem to the DH problem. For a number n, we define (n) to be the minimum of the set of largest prime factors of the numbers d in the inte..."

26 | Diffie-Hellman is as strong as discrete log for certain primes - den Boer - 1990
Citation context: "...ertain classes of groups. In this section we describe a general technique for proving such equivalence results which was introduced by Maurer [32] as a generalization of an earlier result by den Boer [15], and was further developed by Wolf [60], Boneh and Lipton [5], Maurer and Wolf [36], and Cherepnev [13]. 3.1 The Diffie-Hellman oracle Definition 4 A Diffie-Hellman oracle (DH oracle for short) for..."

26 | A simple and fast probabilistic algorithm for computing square roots modulo a prime number - Peralta - 1986
Citation context: "...are the evaluation of a rational function, testing quadratic residuosity of y by comparing (PDH_{(p−1)/2}(a))^{|G|/p} and g^{|G|/p}, or the computation of square roots using the algorithm of Peralta [46] or a faster method due to Massey [31]. Note that algorithms based on exhaustive search (for example to solve the index search problem, in particular the discrete logarithm problem) lead to explicit r..."

23 | A hyperelliptic smoothness test - Lenstra, Pila, et al.
Citation context: "...H oracle for elliptic curves is given by a subexponential-time algebraic algorithm. In order to obtain an integer factoring algorithm with rigorously proven running time, Lenstra, Pila, and Pomerance [27] have studied the use of hyperelliptic curves of genus 2 instead of elliptic curves. Jacobians of these curves have the advantage that the group order varies in an interval of size [x, x + Θ(x^{3/..."

23 | The discrete logarithm problem, in Cryptology and Computational - McCurley - 1990
Citation context: "...problem of computing from a ∈ G a number s such that g^s = a is called the discrete logarithm problem (DL problem) with respect to g. (For a detailed discussion of the discrete logarithm problem, see [39] or Odlyzko's paper in this issue.) For many groups it is not known whether the most efficient way of solving the DH problem is by solving the DL problem first. It is also unknown whether there exist..."

21 | Factoring with Cyclotomic Polynomials - Bach, Shallit - 1985

18 | Information-theoretically and computationally secure key agreement - Wolf - 1999
Citation context: "...G with respect to g is probabilistic polynomial-time equivalent to computing discrete logarithms in G to the base g. Various types of groups have been proved to be useful auxiliary groups [60], [33], [59]. The use of the groups H_p = GF(p)^* as auxiliary groups leads to the results of den Boer [15], who proved that the DH problem and the DL problem are equivalent for groups G for which φ(|G|) is smooth..."

16 | Lower bounds on generic algorithms in groups - Maurer, Wolf - 1998
Citation context: "...ers Φ_n(p) for n ≤ c. For the case where the group order |G| is divisible by a large multiple prime factor p a rather pessimistic result was proved. It follows from a result by Shoup [55] (see also [35], [34], [59]) that unless additional assumptions are made on G (i.e., on the representation of the group elements), an efficient reduction from the DL problem to the DH problem cannot exist for G. Mor..."

15 | On a Problem of Oppenheim Concerning "Factorisatio Numerorum" - Canfield, Erdős, et al. - 1983
Citation context: "...s of G in time √(max{ (p_i) }) · (log |G|)^{O(1)}. Very little is known about the existence of smooth numbers in the interval of interest, i.e., about (p), for a given prime p. However, it is known [11] that for every fixed u, ψ(n, n^{1/u}) / n = u^{−(1+o(u))u}, (2) where ψ(n, y) denotes the number of integers ≤ n with no prime divisor > y. This fact suggests that (n) is polynomial in log n. Smoothn..."

10 | Computing the number of points of elliptic curves over finite fields - Buchmann, Müller - 1991

10 | Elliptic Curve Cryptosystems Using Curves of Smooth Order Over the Ring Zn - Vanstone - 1997