55 citations found.
D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In N. Koblitz, editor, Advances in Cryptology -- CRYPTO'96, volume 1109 of Lecture Notes in Computer Science. Springer-Verlag, Berlin Germany, Aug. 1996.


This paper is cited in the following contexts:


Playing "Hide-and-Seek" in Finite Fields: The Hidden Number.. - Shparlinski (2002)

....several cryptographic applications and outline some possible directions for further research. 1 Introduction and Notation In this paper we describe a series of recent results devoted to various aspects of the hidden number problem. This direction of research, introduced by Boneh and Venkatesan [9, 10] in 1996, has proved to have a wide spectrum of applications. It also provides cross fertilisation among mathematics, computer science and cryptography. It is enough to say that many of the results in this area are based on a rather surprising combination of two celebrated number theoretic ....

....permanent and some other linear algebra functions. Acknowledgement. The author thanks Ricardo Dahab and Isabel Gonzalez Vasco for careful reading the manuscript and for many fruitful discussions. 2 HNP over IF p IF p HNP We start with the IF p HNP, introduced by Boneh and Venkatesan in [9], which has originated the whole direction of research: IF p HNP: Recover a number # p , chosen independently and uniformly at random, for some # 0. Using an ingenious reduction to the closest vector problem and a certain lattice reduction algorithm, Boneh and Venkatesan [9] ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Smooth Orders and Cryptographic Applications - Pomerance, Shparlinski

....divisor q of the order l(p) of 2 modulo p and then compute g r (mod p) where r = l(p) q. Obviously g generates a group of order q. Now, to compute g (mod p) one just computes y rx (mod q) and then g (mod p) There is also one more reason to use 2 as the base. It has been shown in [4] that in this case a slight modification of the corresponding Diffie Hellman key exchange scheme has a very important property of bit security (provided the whole scheme is secure in the traditional sense) More precisely, it has been shown in [4] that recovering even a certain bit of information ....

....reason to use 2 as the base. It has been shown in [4] that in this case a slight modification of the corresponding Diffie Hellman key exchange scheme has a very important property of bit security (provided the whole scheme is secure in the traditional sense) More precisely, it has been shown in [4] that recovering even a certain bit of information about the modified secret Diffie Hellman key modulo p (deciding whether it belongs to the interval [0, p 1) 2] is as hard as the recovering the whole key. On the other hand, if the multiplicative order of 2 modulo p is smooth then the ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes,' Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


On the Hardness of Approximating the Permanent of.. - Codenotti, Shparlinski

....apply to structured matrices. Indeed, the transformation described in the proof of Theorem 5.2 of [14] does not preserve structural properties as being symmetric or Toeplitz. Our method takes advantage of recent advances in the hidden number problem, a problem introduced by Boneh and Venkatesan [4, 5]. The approach of [4, 5] which is based on lattice reduction algorithms) combined with exponential sum techniques has led to a number of results in cryptography and complexity theory [13, 15, 16, 21, 25, 26, 28, 29, 30, 31] Here we show that the above combination of two celebrated techniques, ....

....Indeed, the transformation described in the proof of Theorem 5.2 of [14] does not preserve structural properties as being symmetric or Toeplitz. Our method takes advantage of recent advances in the hidden number problem, a problem introduced by Boneh and Venkatesan [4, 5] The approach of [4, 5] (which is based on lattice reduction algorithms) combined with exponential sum techniques has led to a number of results in cryptography and complexity theory [13, 15, 16, 21, 25, 26, 28, 29, 30, 31] Here we show that the above combination of two celebrated techniques, lattice reduction and ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Hidden Number Problem in Small Subgroups - Shparlinski, Winterhof (2003)

....G: Recover a number # IF p such that for k elements t 1 , t d # G, chosen independently and uniformly at random from we are given k pairs (t h , MSB # (#t h ) h = 1, d, for some # 0. For = IF # p this problem has been introduced and studied by Boneh and Venkatesan [1, 2]. In [1] a polynomial time algorithm is designed which recovers # for some # and k = O(log p) The algorithm of [1] has been extended in several directions. In particular, in [5] it is generalised to all sufficiently large subgroups p . This and other generalisations have led to a number of ....

....a number # IF p such that for k elements t 1 , t d # G, chosen independently and uniformly at random from we are given k pairs (t h , MSB # (#t h ) h = 1, d, for some # 0. For = IF # p this problem has been introduced and studied by Boneh and Venkatesan [1, 2] In [1] a polynomial time algorithm is designed which recovers # for some # and k = O(log p) The algorithm of [1] has been extended in several directions. In particular, in [5] it is generalised to all sufficiently large subgroups p . This and other generalisations have led to a number of ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)

....k was as small as 2 in [53] making provable results useful. We will see in the next section a particular case of a system of linear modular equations for which the generic method can be replaced by another lattice based method. 4 The hidden number problem 4. 1 Hardness of Diffie Hellman bits In [24], Boneh and Venkatesan used the LLL algorithm to solve the hidden number problem, which enables to prove the hardness of the most significant bits of secret keys in Diffie Hellman and related schemes in prime fields. This was the first positive application of LLL in cryptology. Recall the ....

....time (in n) algorithm A, that on input q, g, g outputs the most significant bits of g . Then there is also an expected polynomial time algorithm that on input q, g, g , g and the factorization of q Gamma 1, computes all of g . The above result is slightly different from [24], due to a small gap in the proof of [24] spotted by [63] The same result holds for the least significant bits. For a more general statement when g is not necessarily a generator, and the factorization of q Gamma 1 is unknown, see [63] For analogous results in other groups, we refer to [136] ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96, LNCS. IACR, Springer-Verlag, 1996.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)

....since e(1) j m(1) mod q) as polynomials. And it is easily malleable using multiplications by X of polynomials (circular shifts) 5 The hidden number problem 5.1 Hardness of Diffie Hellman bits There is only one example known in which the LLL algorithm plays a positive role in cryptology. In [18], Boneh and Venkatesan used LLL to solve the hidden number problem, which enables to prove the hardness of the most significant bits of secret keys in Diffie Hellman and related schemes in prime fields. Recall the Diffie Hellman key exchange protocol [36] Alice and Bob fix a finite cyclic G and a ....

....time (in n) algorithm A, that on input q, g, g , outputs the most significant bits of g . Then there is also an expected polynomial time algorithm that on input q, g, g , g and the factorization of q Gamma 1, computes all of g . The above result is slightly different from [18]. The same result holds for the least significant bits. For a more general statement when g is not necessarily a generator, and the factorization of q Gamma 1 is unknown, see [51] No such results are known for other groups (there is some kind of analogous result [113] for finite fields though) ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96, LNCS. IACR, Springer-Verlag, 1996.


Cryptanalysis of MQV with partially known nonces - Leadbitter, Smart (2002)   (1 citation)

....with x on at least the l th most significant digits. The hidden number problem is the task of recovering the hidden number b when we are given MSB l;q (bbt i c q ) for many random but known t i 2 F q . The hidden number problem has been studied quite extensively since first being introduced in [4] by Boneh and Venkatesan. We shall present an overview of the basic lattice strategy for solving such problems in the next section. We now discuss the MQV protocol. We let F be a finite field and E be an elliptic curve over F whose order is divisible by a prime q of size 2 f . For any Q 2 ....

....of b, using the algorithms of Babai and LLL. Stage Two: We recover the rest of the bits of b using an analogue of the baby step giant step algorithm, or using Pollard s Lambda method. 3 Theoretical Analyse of the Lattice Stage Here we outline the Boneh and Venkatesan algorithm proposed in [4] as presented in [9] The only modification being we do not choose our multipliers t i uniformly in F q . We present our analyse quite generally, and not just to the MQV specific problem, in that we assume that the multipliers t i are of the form flff i where ff i are chosen uniformly in A = fa 2 ....

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Advances in Cryptology -- CRYPTO '96, Springer LNCS 1109, 129--142, 1996.


On the Representation of Boolean Predicates of the Diffie-Hellman.. - Kiltz

....Question 13.19 of [22] Our contribution is to extend the techniques to general Boolean predicates and to improve on the bound on the spectral norm that is directly implied by the results of Shparlinski and Shaltiel. Comparison with the result from Boneh and Venkatesan. Boneh and Venkatesan [2] showed that log p bits of the Diffie Hellman function are hard to compute simultaneously if the Diffie Hellman function itself is hard to compute . The given proof contains a flaw that was later fixed in [25] The polynomial time reduction holds in the standard model. The difference to our ....

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proc. of CRYPTO 1996, pages 129--142, 1996.


A Primitive for Proving the Security of Every Bit and about.. - Kiltz (2002)   (1 citation)

.... function, a modified Diffie Hellman function (MDH) the elliptic curve Diffie Hellman function (ECDH) as introduced in [4] and Paillier s function are new results (marked by darker leaves) The Hidden Number problem (at least in a similar fashion) was first introduced by Boneh and Venkatesan [5] and successfully exploited to show that the collection of the x TSg n un biased most significant bits are a hard core function of the ElGamal and the Diffie Hellman function. An error in the proof in [5] was spotted and corrected by [24] See also [20] how to apply lattice based techniques to ....

....Number problem (at least in a similar fashion) was first introduced by Boneh and Venkatesan [5] and successfully exploited to show that the collection of the x TSg n un biased most significant bits are a hard core function of the ElGamal and the Diffie Hellman function. An error in the proof in [5] was spotted and corrected by [24] See also [20] how to apply lattice based techniques to solve the Hidden Number problem. In addition we exploit the hidden number problem to present a new general and efficient construction of hard core predicates for any (modified) one way function as an ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proc. of CRYPTO 1996, pages 129-142, 1996.


A Primitive for Proving the Security of Every Bit and about.. - Kiltz (2001)   (1 citation)

....(EXP) function are similar there is no straightforward way to conclude the result from each other, i.e. to deduce the bitsecurity of EXP directly from the bitsecurity of RSA. The figure on the left illustrates this connection. The hidden number problem was introduced by Boneh and Venkatesan [1] and used to show the security of the collection of p log n unbiased most significant bits of the Diffie Hellman function. Main Results. Under some reasonable combinatorial assumptions, every bit is a hard core of the following functions: 1. The RSA encryption function. 2. The ElGamal ....

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proc. of CRYPTO


The Insecurity of the Elliptic Curve Digital Signature.. - Nguyen, Shparlinski (2000)   (2 citations)

.... Some heuristic arguments of this attack have been sharpened by Nguyen [22] Nguyen and Shparlinski [23] following the approach of [22] have improved the analysis of the attack of Howgrave Graham and Smart [11] using the work of Boneh and Venkatesan on the hardness of Diffie-Hellman bits [4]. They showed that there is a provable polynomial time attack against DSA when the nonces are partially known, under two reasonable assumptions: the size of q should not be too small compared to p, and the probability of collisions for the hash function h should not be too large compared to 1 q. ....

....key when only # = 3 least significant bits of the nonces are known for about 100 signatures. 1.5. Overview of our attack Like [23] our attack follows Nguyen s approach [22] that reduces the DSA ECDSA problem to a variant of hidden number problem (HNP) introduced in 1996 by Boneh and Venkatesan [4, 5]. HNP can be stated as follows: recover a number # # IF q such that for many known random t # IF q a certain number # of the most significant bits of ##t# q are known. Here, the notion of most significant bits is tailored to modular residues and does not match the usual definition for ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96, volume 1109 of LNCS. IACR, Springer-Verlag, 1996.


Security Issues in the Diffie-Hellman Key Agreement Protocol - Raymond, Stiglic

....we want to use our bit shared secret DH key with a crypto system requiring a key size of and . 14 this prevents straightforward IP spoofing; this property is also achieved by SYN Cookies ( 37] citeRFC1644, 31] Although some bits of the shared secret are provably secure [12] the security of the vast majority of bits in the shared DH secret key is not known (i.e. it is not known whether an attacker can compute knowledge about them 15 ) The shared DH secret is indistinguishable from an element chosen at random from the group if and only if the Decisional ....

BONEH, D., AND VENKATESAN, R. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes (extended abstract). In Advances in Cryptology---CRYPTO '96 (18--22 Aug. 1996), N. Koblitz, Ed., vol. 1109 of Lecture Notes in Computer Science, Springer-Verlag, pp. 129--142.


The Hidden Number Problem in Extension Fields and Its.. - Vasco, Näslund..

....the logarithm is completely trivial to compute. Therefore, one would like to understand how finding approximate or partial solutions is related to the hardness of the exact version of the problem. Here we study some variants of the hidden number problem introduced in 1996 by Boneh and Venkatesan [4, 5]. This problem can be stated as follows: recover a number # # IF p such that for polynomially many (in terms of log p) known random # # IF p certain approximations to the values of ## are known. In [4, 5] Boneh and Venkatesan proposed a polynomial time algorithm for this problem when the ....

....some variants of the hidden number problem introduced in 1996 by Boneh and Venkatesan [4, 5] This problem can be stated as follows: recover a number # # IF p such that for polynomially many (in terms of log p) known random # # IF p certain approximations to the values of ## are known. In [4, 5] Boneh and Venkatesan proposed a polynomial time algorithm for this problem when the absolute approximating error is at most p exp c log 1 2 p with some absolute constant c 0. This result has found a large number of applications to studying the bit security of Diffie Hellman, Shamir and ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Hidden Number Problem with Hidden Multipliers.. - Howgrave-Graham..

....integers s and m # 1 we denote by #s# m the remainder of s on division by m and we write #r# m = min #r# m , m #r# m We also use log z to denote the binary logarithm of z 0. In this paper, we study a variant of the hidden number problem introduced in 1996 by Boneh and Venkatesan [4, 5]. The original problem can be stated as follows: recover a number a # IF p such that for many known random t # IF p approximations to the values of #at# p are known. It turned out that for many applications, including some results about the bit security of Diffie Hellman, Shamir and several ....

....attacking the DSA and DSA like signature schemes (both heuristically [10, 18] and rigorously [6, 19, 20] the condition that t is selected uniformly at random from IF p is too restrictive. It has been systematically exploited in the aforementioned papers [6, 8, 9, 19, 20, 27] that the method of [4, 5] can be adjusted to the case when t is selected from a sequence which has some uniformity of distribution property. Thus bounds of exponential sums of various kinds have been used in these papers, as exponential sums are a natural tool to establish uniformity results. Similar results about ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Cryptography 2000 ± 10 - Maurer

....the future we will have to prove the security of practical schemes for much weaker assumptions. For several public key schemes it was proved that computing certain bits of the secret (the plaintext or the shared key in case of the Diffie Hellman protocol) is as hard as computing the entire value [3, 13, 39]. 8 Cryptographic Protocols Cryptographic protocols, often based on public key functionality, are among the most delicate and fascinating topics in cryptography. In the past decade there has been an extensive research activity on various types of protocols, in particular on interactive proofs ....

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, vol. 1109, pp. 129--142, Springer-Verlag, 1996.


Security of the Most Significant Bits of the Shamir Message .. - Vasco, Shparlinski (2000)

....Let p be an n bit prime and let IF p be a field of p elements. For integers s and q # 1 we denote by (s rem q) the remainder of s on division by q. We also use log z to denote the binary logarithm of z 0. The Shamir message passing scheme can be described in the following way, see [2], as well as Protocol 12.22 from [8] To send a message m # [0, p 1] from Alice to Bob: # Alice selects a random a # [0, p 2] with gcd(a, p 1) 1, computes A = m a rem p) and sends A to Bob. # Bob selects a random b # [0, p 2] with gcd(b, p 1) 1, computes B ....

....# Alice finds u # [0, p 2] satisfying the congruence au # 1 (mod p 1) computes C = B u rem p) and sends C to Bob. # Bob finds v # [0, p 2] satisfying the congruence bv # 1 (mod p 1) computes m = C v rem p) Given a primitive root g # IF p , Boneh and Venkatesan [2] have proposed a method of recovering a hidden element # # IF p from about n 1 2 most significant bits of (#g x i rem p) i = 1, d, for d = l 2n 1 2 m integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


The Diffie-Hellman Protocol - Maurer, Wolf (1999)   (1 citation)

....natural method is to use the block consisting of its first k bits in a binary representation, the so called most significant bits. However, it is conceivable that an adversary who is not able to break the Diffie Hellman protocol can nevertheless compute these bits efficiently. Boneh and Venkatesan [6] investigated the security of the most significant bits in the Diffie Hellman protocol (and other schemes) in the groups Z p for prime numbers p. They considered the following two functions (where p and k are fixed) 24 Definition 7 For any ff; h 2 Z p , let N k ff;h (x) msb k (ff Delta ....

....yields g uv . The question remains for which k the hidden number problem can be solved in probabilistic polynomial time. Boneh and Venkatesan proved the following result by using rounding techniques in lattices, based on methods of Lenstra, Lenstra, and Lovasz [29] and Babai [2] Theorem 10 [6] Let p be prime, n = dlog pe, and let G = Z p . For k = d p ne dlog ne, it is computationally equivalent to compute all the k most significant bits of the Diffie Hellman key simultaneously and to solve the DH problem. For any 0 and sufficiently large p, this holds for k = Delta p log ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, pp. 129--142, Springer-Verlag, 1996.


On the Generalized Hidden Number Problem and Bit Security of XTR - Shparlinski (2000)   (1 citation)

....IF is represented by the elements 0, p 1 . For integers s and m # 1 we denote by #s# m the remainder of s on division by m. We also use log z to denote the binary logarithm of z 0. Here we study a variant of the hidden number problem introduced in 1996 by Boneh and Venkatesan [1, 2]. This problem can be stated as follows: recover a number # # IF such that for polynomially many known random t # IF approximations to the values of ##t# p are known. It has turned out that for many applications, including some results about the bit security of Diffie Hellman, Shamir and ....

....sums of various have been used in these papers, which are a natural tool to establish the corresponding uniformity of distribution property. In particular, the case when t is selected from a small subgroup of IF has been studied in [7] and used to generalize (and correct) some results of [1] about the bit security of the Diffie Hellman key. The results of [7] are based on bounds of exponential sums with elements of subgroups of IF, namely on Theorem 3.4 and Theorem 5.5 of [12] Unfortunately analogues of these results for the extension field IK are not known and thus for subgroups of ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Sparse Polynomial Approximation in Finite Fields - Shparlinski (2000)   (1 citation)

....to be represented by the elements 0, p 1 . For integers s and m # 1 we denote by #s# m the remainder of s on division by m. We also use log z to denote the binary logarithm of z 0. Here we study a variant of the hidden number problem introduced in 1996 by Boneh and Venkatesan [2, 3]. This problem can be stated as follows: recover a number # # IF p such that for many known random t # IF p approximations to the values of ##t# p are known. It has turned out that for many applications, including some results about the bit security of Diffie Hellman, Shamir and several other ....

....(following the heuristic arguments of [12, 21] the DSA and DSA like signature schemes [6, 22, 23] the condition that t is selected uniformly at random from IF p is too restrictive. It has been systematically exploited in the aforementioned papers [6, 8, 9, 22, 23, 28] that the method of [2, 3] can be adjusted to the case when t is selected from a sequence which has some uniformity of distribution property. Thus bounds of various exponential sums of various have been used in these papers, which is a natural tool to establish the corresponding uniformity of distribution property. Here we ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Security of the Most Significant Bits of the Shamir Message .. - Vasco, Shparlinski

....Let p be an n bit prime and let IF p be a field of p elements. For integers s and q # 1 we denote by (s rem q) the remainder of s on division by q. We also use log z to denote the binary logarithm of z 0. The Shamir message passing scheme can be described in the following way, see [1], as well as Protocol 12.22 from [9] To send a message m # [0, p 1] from Alice to Bob: # Alice selects a random a # [0, p 2] with gcd(a, p 1) 1, computes A = m a rem p) and sends A to Bob. # Bob selects a random b # [0, p 2] with gcd(b, p 1) 1, computes B = ....

....# Alice finds u # [0, p 2] satisfying the congruence au # 1 (mod p 1) computes C = B u rem p) and sends C to Bob. # Bob finds v # [0, p 2] satisfying the congruence bv # 1 (mod p 1) computes m = C v rem p) Given a primitive root g # IF p , Boneh and Venkatesan [1] have proposed a method of recovering a hidden element # # IF p from about n 1 2 most significant bits of (#g x i rem p) i = 1, d, for d = 2n 1 2 integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Security of Most Significant Bits of g^x^2 - Shparlinski (2000)

....p be an n bit prime and let g # IF p be an element of multiplicative order T of the finite field IF p of p elements. For integers s and m # 1 we denote by #s# m the remainder of s on division by m. 1 In the case of T = p 1, that is, when g is a primitive root, Boneh and Venkatesan [1] have proposed a method of recovering a hidden element # # IF p from about n 1 2 most significant bits of ##g x i # p , i = 1, d, for d = l 2n 1 2 m integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been ....

..... d, for d = l 2n 1 2 m integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been applied to proving security of reasonably small portions of bits of private keys of several cryptosystems. In particular, in Theorem 2 of [1] the security of the l n 1 2 m #log n# most significant bits of the private key j g ab k p of the Diffie Hellman cryptosystem with public keys #g a # p and j g b k p with a, b # [0, p 2] is considered. To be more precise, for an integer k # 1 we define f k (t) by ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Security of Polynomial Transformations of the Diffie-Hellman Key - Shparlinski (2000)

....example, the trace in the background field. Here we obtain some new results in this direction concerning the case of so called unreliable oracles. Keywords: Diffie Hellman keys, Cryptography, Finite fields 1 Introduction Let IF q denote a finite field of q elements. D. Boneh and R. Venkatesan [1] have proposed an approach to proving that about n 1 2 of most significant bits of the Diffie Hellman key modulo an n bit prime are as secure as the whole key. Unfortunately the proof of their main result is not quite correct (because the multipliers in their 1 proof of Theorem 2 of [1] are not ....

....[1] have proposed an approach to proving that about n 1 2 of most significant bits of the Diffie Hellman key modulo an n bit prime are as secure as the whole key. Unfortunately the proof of their main result is not quite correct (because the multipliers in their 1 proof of Theorem 2 of [1] are not uniformly distributed thus Theorem 1 of their paper does not apply) The proof of Theorem 3 in [1] dealing with other cryptosystems, suffers from a similar problem. Their results have been corrected and generalized by I. M. Gonzales Vasco and I. Shparlinski [6, 7] A detailed survey of ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Proc. Crypto'96 , Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


On Certain Exponential Sums And The Distribution Of.. - Canetti.. (2000)   (2 citations)

....that p 1 has some large prime factor, and that g is replaced by # which is chosen to 1 Here and for the rest of this section the calculations are made modulo p, unless stated otherwise. 2 We note that this statement is incorrect if some is replaced by any . For example it is shown in [3] that if one can compute the O( # log p) most significant bits of g xy then one can compute g xy in its entirety. 3 be a r th power residue for all small factors r of p 1. For example we could assume that p 1 = 2# where # is a prime and that # is a quadratic residue, i.e. # is a ....

....like to mention that any result that either refutes or provides further assurance in the DHI assumption will be of great interest for the cryptographic community. In particular, relating the DHI assumption to the DHC assumption is an interesting direction. The recent work of Boneh and Venkatessan [3] can be regarded as a step in this direction. Also, studying the statistical properties of the DH distribution is a promising direction. Direct extensions of our result may include generalizations to other subsets of bits (as opposed to the most significant ones) For instance, the least ....

D. Boneh and R. Venkatessan, `Hardness of computing the most significant bits of secrete keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


The Insecurity of the Digital Signature Algorithm with.. - Nguyen, Shparlinski (2000)   (15 citations)

....either, even with the same attack. In fact, they indicate a potential weakness in this implementation. 1.4. Overview of our attack Our attack follows Nguyen s approach [19] that reduces the DSA problem to a variant of hidden number problem (HNP) introduced in 1996 by Boneh and Venkatesan [5, 6]. HNP can be stated as follows: recover a number ff 2 IF q such that for many known random t 2 IF q a certain number of the most significant bits of bfftc q are known. Here, the notion of most significant bits is tailored to modular residues and does not match the usual definition for integers. ....

....HNP can be stated as follows: recover a number ff 2 IF q such that for many known random t 2 IF q a certain number of the most significant bits of bfftc q are known. Here, the notion of most significant bits is tailored to modular residues and does not match the usual definition for integers. In [5], the most significant bits of an element x 2 IF q are defined as an integer v such that (v Gamma 1)q=2 x vq=2 : Note that from such an integer v, one can derive an integer u such that jx Gamma uj q=2 1 : 1) For convenience, any such integer u will be denoted MSB ;q (x) ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96, volume 1109 of LNCS. IACR, Springer-Verlag, 1996.


On the Security of Diffie-Hellman Bits - Vasco, Shparlinski

....order T , where IF p is the finite field of p elements. For integers s and m # 1 we denote by (s remm) the remainder of s on division by m. We also use log z to denote the binary logarithm of z 0. In the case of T = p 1, that is, when g is a primitive root, Boneh and Venkatesan [2] have proposed a method of recovering a hidden element # # IF p from about n 1 2 most significant bits of (#g x i rem p) i = 1, d, for d = 2n 1 2 integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been ....

....1, d, for d = 2n 1 2 integers x 1 , x d , chosen uniformly and independently at random in the interval [0, p 2] This result has been applied to proving security of reasonably small portions of bits of private keys of several cryptosystems. In particular, in Theorem 2 of [2] the security of the n 1 2 #log n# most significant bits of the private key g ab rem p of the Diffie Hellman cryptosystem with public keys (g a rem p) and g b rem p with a, b # [0, p 2] is considered. Namely, a method has been given to recover, in polynomial time, ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


The Insecurity of the Digital Signature Algorithm with.. - Nguyen, Shparlinski (2000)   (15 citations)

....either, even with the same attack. In fact, they indicate a potential weakness in this implementation. 1.4. Overview of our attack Our attack follows Nguyen s approach [19] that reduces the DSA problem to a variant of hidden number problem (HNP) introduced in 1996 by Boneh and Venkatesan [5, 6]. HNP can be stated as follows: recover a number # # IF q such that for many known random t # IF q a certain number # of the most significant bits of ##t# q are known. Here, the notion of most significant bits is tailored to modular residues and does not match the usual definition for ....

....can be stated as follows: recover a number # # IF q such that for many known random t # IF q a certain number # of the most significant bits of ##t# q are known. Here, the notion of most significant bits is tailored to modular residues and does not match the usual definition for integers. In [5], the # most significant bits of an element x # IF q are defined as an integer v such that (v 1)q 2 # # x vq 2 # . Note that from such an integer v, one can derive an integer u such that x u # q 2 # 1 . 1) For convenience, any such integer u will be denoted MSB #,q (x) ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96, volume 1109 of LNCS. IACR, Springer-Verlag, 1996.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)

....e(1) j m(1) mod q) as polynomials. And it is easily malleable using multiplications by X of polynomials (circular shifts) 14 5 The hidden number problem 5.1 Hardness of Diffie Hellman bits There is only one example known in which the LLL algorithm plays a positive role in cryptology. In [18], Boneh and Venkatesan used LLL to solve the hidden number problem, which enables to prove the hardness of the most significant bits of secret keys in Diffie Hellman and related schemes in prime fields. Recall the Diffie Hellman key exchange protocol [36] Alice and Bob fix a finite cyclic G and a ....

....A, that on input q, g, g a and g b , outputs the most significant bits of g ab . Then there is also an expected polynomial time algorithm that on input q, g, g a , g b and the factorization of q Gamma 1, computes all of g ab . The above result is slightly different 11 from [18]. The same result holds for the least significant bits. For a more general statement when g is not necessarily a generator, and the factorization of q Gamma 1 is unknown, see [51] No such results are known for other groups (there is some kind of analogous result [113] for finite fields though) ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes. In Proc. of Crypto '96, LNCS. IACR, Springer-Verlag, 1996.


Discrete logarithms: The past and the future - Odlyzko (1999)   (6 citations)

....g, g a , and g b is as hard as the discrete log problem in general. See [MaurerW] for the latest references on this topic, which will not be covered here. For references on another important subject, namely that of bit security of the discrete log, which will also not be dealt with here, see [BonehV, HastadN]. However, a fast discrete log algorithm would definitely destroy the utility of the widely used DiffieHellman protocol. This factor has stimulated an outpouring of research on the complexity of discrete logs. This paper is a brief survey of the current state of the art in algorithms for discrete ....

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. pp. 129--142 in Advances in Cryptology - CRYPTO '96, N. Koblitz, ed., Lecture Notes in Computer Science #1109, Springer, 1996.


Secret Sets and Applications - Molva, Tsudik (1997)

....size of the one time residue g b (modP ) that needs to accompany every bit vector. This method has an important advantage in that its security is based directly on the well established Diffie Hellman key agreement protocol. This is further reinforced by a recent result by Boneh and Venkatesan [9] that evaluates the hardness of (the adversary) computing the leftmost 32 bits of a Diffie Hellman key. Another benefit is that, even if all secret set members collude (without knowing that they constitute the entire set) they are unable to determine the cardinality of the set. As an aside, there ....

D. Boneh and R. Venkatesan, Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, CRYPTO'96.


On The Statistical Properties Of Diffie-Hellman.. - Canetti, Friedlander, .. (1998)

....Our point is the opposite and rather more modest. The results here give evidence that any attempt to distinguish the Diffie Hellman triples from random ones cannot be based on statistical data alone. Related Work. Boneh and Venkatessan investigate the relation between the DHI and DHC assumptions [3]. In particular they show that if one can compute the O( p log p) most significant bits of g xy from g; g x ; g y , then one can compute g xy in its entirety. Results with similar flavor are obtained by Schrift and Shamir with respect to discrete logarithms over Blum integers [29] ....

D. Boneh and R. Venkatessan, `Hardness of computing the most significant bits of secrete keys in Diffie--Hellman and related schemes', CRYPTO '96, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Generalized Diffie-Hellman Modulo a Composite is not - Weaker Than Factoring   Self-citation (Boneh)

No context found.

D. Boneh and R. Venkatesan, Hardness of computing most significant bits in secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO '96, LNCS, vol. 1109, Springer, 1996, pp. 129-142.


On the Unpredictability of Bits of the Elliptic Curve.. - Boneh, Shparlinski   Self-citation (Boneh)

....denote the remainder of an integer s on division by p. We also use log z to denote the binary logarithm of z 0. In the classical settings G is selected as the multiplicative group F # p of a finite field of p elements (and thus g is a primitive root of F p ) In this case, Boneh and Venkatesan [5] showed that about log 1 2 p most significant bits of #g xy # p are as hard to find as #g xy # p itself. The result is based on lattice reduction techniques. A similar result holds for the least significant bits as well. Gonzalez Vasco and Shparlinski [10] used exponential sums to extend ....

....p itself. The result is based on lattice reduction techniques. A similar result holds for the least significant bits as well. Gonzalez Vasco and Shparlinski [10] used exponential sums to extend this result to subgroups G of F # p . It has turned out that the lattice reduction technique used in [5] coupled with the exponential sum technique lead to a series of new results about the bits security of some cryptographic constructions [11, 14, 22, 23] as well as to attacks on some of them [6, 13, 17, 18] However the case where G is the point group of an elliptic curve has turned out to be ....

[Article contains additional citation context not shown here]

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', In Proc. Crypto '96 , Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142. Recent version available at http://crypto.stanford.edu/~dabo/.


Rounding in Lattices and Its Cryptographic Applications - Boneh, Venkatesan (1997)   (12 citations)  Self-citation (Boneh)

....Morristown NJ 07960 Abstract We analyze a lattice rounding technique using a natural matrix norm. We present its application to proving in a non uniform model the hardness of computing 2 log log p bits of the secret keys of Diffie Hellman and related protocols from the public keys. Earlier in [2] it was shown that p log p bits are hard to compute. 1 Introduction Lattice basis reduction techniques have proven to be very useful in diverse areas. Examples include cryptography, settling number theoretic conjectures, and diophantine approximation. Rounding a given vector to an approximately ....

....techniques have proven to be very useful in diverse areas. Examples include cryptography, settling number theoretic conjectures, and diophantine approximation. Rounding a given vector to an approximately closest vector in a given lattice was first studied in this context by Babai [1] Recently in [2] rounding in lattices was used to study the hardness of computing the most significant bits of secret keys obtained using the Diffie Hellman protocol and related schemes. Motivated by this, we study a new lattice rounding technique which is used to improve on the results of [2] in a non uniform ....

[Article contains additional citation context not shown here]

D. Boneh, Venkatesan R., "Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes", Proc. of Crypto, 1996.


Breaking Generalized Diffie-Hellman Modulo a Composite is no.. - Eli Biham   (3 citations)  Self-citation (Boneh)

.... the generalized Diffie Hellman assumption is equivalent to the decisional version of the standard Diffie Hellman assumption (as shown in [8] Two examples of results that support the validity of the decisional version of the standard Diffie Hellman can be found in the work of Boneh and Venkatesan [1] and in the work of Shoup [7] Boneh and Venkatesan showed that computing the k ( p log P ) most significant bits of g a Deltab (given hg; g a ; g b i) is as hard as computing g a Deltab itself. Shoup showed that the DDH Problem is hard for what he calls a generic algorithm. ....

D. Boneh and R. Venkatesan, Hardness of computing most significant bits in secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO '96, LNCS, vol. 1109, Springer, 1996, pp. 129-142.


The Decision Diffie-Hellman Problem - Boneh (1998)   (37 citations)  Self-citation (Boneh)

....open problem. Nonetheless, one may try to prove weaker results regarding the security of Diffie Hellman bits. Unfortunately, even proving that computing one bit of g ab given g a and g b is as hard as cdh is open. Currently, the only result along these lines is due to Boneh and Venkatesan [4]. At the moment these results only apply to the group Z p and its subgroups. We define the k most significant bits of an elements x 2 Z p as the k most significant bits of x when viewed as an integer in the range [0; p) Theorem 3.3 (Boneh Venkatesan) Let p be an n bit prime and g 2 Z p ....

....assumption, e.g. cdh, or factoring For instance, let N = pq where p = 2p 1 1 and q = 2q 1 1 with p; q; p 1 ; q 1 prime. Does the ddh assumption in Z N follow from the hardness of distinguishing quadratic residues from non residues with Jacobi symbol 1 3. Can one improve the results of [4] (see Section 3.3) and show that in Z p the single most significant bit of the Diffie Hellman secret is as hard to compute as the entire secret al..so, does a similar result to that of [4] hold in the group of points of an elliptic curve Acknowledgments The author thanks Victor Shoup for many ....

[Article contains additional citation context not shown here]

D. Boneh, R. Venkatesan, "Hardness of computing most significant bits in secret keys of Diffie-Hellman and related schemes", Proc. of Crypto '96, pp. 129--142.


Earlier versions of this work appear in [9] and [1].. - Dhies An Encryption

No context found.

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes. In N. Koblitz, editor, Advances in Cryptology -- CRYPTO'96, volume 1109 of Lecture Notes in Computer Science. Springer-Verlag, Berlin Germany, Aug. 1996.


One-Time HNP or Attacks on a Flawed El Gamal Revisited - Rosa (2005)

No context found.

Boneh, D., and Venkatesan, R.: Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, in Proc. of CRYPTO '96, pp. 129-142, Springer-Verlag, 1996.


Experimenting with Faults, Lattices and the DSA - Naccache, Nguyen, Tunstall.. (2005)

No context found.

D. Boneh and R. Venkatesan, Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, Advances in Cryptology - CRYPTO'96, Springer-Verlag, LNCS 1109, pp. 126--142, 1996.


Universal Padding Schemes for RSA - Published In Yung

No context found.

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proceedings of Crypto '96, pp. 129-142, 1996.


Design and Analysis of Secure Encryption Schemes - Abdalla (2001)

No context found.

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In N. Koblitz, editor, Advances in Cryptology -- CRYPTO'96, volume 1109 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, August 1996. Springer-Verlag, Berlin Germany.


DHAES: An Encryption Scheme Based on the Diffie-Hellman.. - Abdalla, Bellare, Rogaway (1999)   (7 citations)

No context found.

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Advances in Cryptology -- Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.


Experimenting with Faults, Lattices and the DSA - Naccache, al. (2005)

No context found.

D. Boneh and R. Venkatesan, Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, Advances in Cryptology - CRYPTO'96, Springer-Verlag, LNCS 1109, pp. 126--142, 1996.


Universal Padding Schemes for RSA - Coron, Joye, Naccache, Paillier (2002)   (9 citations)

No context found.

D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proceedings of Crypto '96, pp. 129-142, 1996.


Computational Soundness for Standard Assumptions of Formal.. - Herzog (2004)   (3 citations)

No context found.

D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Advances (CRYPTO 96), volume 1109 of Lecture Notes in Computer Science, pages 129--142. Springer-Verlag, August 1996.


Non-approximability of the Permanent of Structured.. - Codenotti, Shparlinski (2002)

No context found.

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Exponential Sums and Lattice Reduction: - Cryptography

No context found.

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


On the Bit Security of NTRUEncrypt - Näslund, Shparlinski, Whyte

No context found.

D. Boneh and R. Venkatesan, `Hardness of computing the most significant bits of secret keys in Diffie--Hellman and related schemes', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129--142.


Multi-Party Authenticated Key Agreement Protocols From.. - Lee, Lee, Lee (2002)   (2 citations)

No context found.

D.Boneh and R.Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Advances in Cryptology-Crypto' 96 , vol 1109 LNCS. pages 129-142, Springer-Verlag, 1996.


A Public-Key Cryptosystem with Worst-Case/Average-Case.. - Ajtai, al. (1996)   (32 citations)

No context found.

D. Boneh and R. Venkatesan, Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, CRYPTO'96, 1996


CiteSeer.IST - Copyright Penn State and NEC