Polynomial representations of the Diffie-Hellman mapping
On Polynomial Approximation of the Discrete Logarithm and the Diffie—Hellman Mapping
Journal of Cryptology, 2000
We obtain several lower bounds, exponential in terms of lg p, on the degrees of polynomials and algebraic functions coinciding with values of the discrete logarithm modulo a prime p at sufficiently many points; the number of points can be as little as p^{1/2+ε}. We also obtain improved lower bounds on the degree and sensitivity of Boolean functions on bits of x deciding whether x is a quadratic residue. Similar bounds are also proved for the Diffie-Hellman mapping g^x → g^{x^2}, where g is a primitive root of a finite field of q elements F_q. These results can be used to obtain lower bounds on the parallel arithmetic and Boolean complexity of computing the discrete logarithm and breaking the Diffie-Hellman cryptosystem. The method is based on bounds of character sums and numbers of solutions of some polynomial equations.
Lower bounds on weight and degree of bivariate polynomials related to the Diffie-Hellman mapping
We obtain lower bounds on degree and weight of bivariate polynomials representing the Diffie-Hellman mapping for finite fields and the Diffie-Hellman mapping for elliptic curves over finite fields. This complements and improves several earlier results. We also consider some closely related bivariate mappings called P-Diffie-Hellman mappings introduced by the first author. We show that the existence of a low degree polynomial representing a P-Diffie-Hellman mapping would lead to an efficient algorithm for solving the Diffie-Hellman problem. Motivated by this result we prove lower bounds on weight and degree of such interpolation polynomials, as well.
Polynomial Interpolation of Cryptographic Functions Related to the Diffie-Hellman Problem
2003
Recently, the first author introduced some cryptographic functions closely related to the Diffie-Hellman problem called P-Diffie-Hellman functions. We show that the existence of a low-degree polynomial representing a P-Diffie-Hellman function on a large set would lead to an efficient algorithm for solving the Diffie-Hellman problem. Motivated by this result we prove lower bounds on the degree of such interpolation polynomials. Analogously, we introduce a class of functions related to the discrete logarithm and show similar reduction and interpolation results.
A Polynomial Representation of the Diffie-Hellman Mapping
Applicable Algebra in Engineering, Communication and Computing, 2002
Let F_q be the finite field of order q and γ be an element of F_q of order d. The construction of an explicit polynomial f(X) ∈ F_q[X] of degree ≤ d − 1 with the property f(γ^i) = γ^{i^2} for 0 ≤ i ≤ d − 1 is described. In particular the exact degree and sparsity of f are determined.
On the interpolation of bivariate polynomials related to the Diffie-Hellman mapping
Bulletin of the Australian Mathematical Society, 2004
We obtain lower bounds on degree and weight of bivariate polynomials representing the Diffie-Hellman mapping for finite fields and the Diffie-Hellman mapping for elliptic curves over finite fields. This complements and improves several earlier results. We also consider some closely related bivariate mappings called P-Diffie-Hellman mappings introduced by the first author. We show that the existence of a low degree polynomial representing a P-Diffie-Hellman mapping would lead to an efficient algorithm for solving the Diffie-Hellman problem. Motivated by this result we prove lower bounds on weight and degree of such interpolation polynomials, as well. P-DH(γ^x, γ^y) = γ^{P(x,y)}, for a bivariate polynomial P of small degree D ≥ 2 with respect to d. (See also for the univariate analogue.) If D is small then these investigations are motivated by an efficient
Discrete Applied Mathematics, 2006
Recently, the first author introduced some cryptographic functions closely related to the Diffie-Hellman problem called P-Diffie-Hellman functions. We show that the existence of a low-degree polynomial representing a P-Diffie-Hellman function on a large set would lead to an efficient algorithm for solving the Diffie-Hellman problem. Motivated by this result we prove lower bounds on the degree of such interpolation polynomials. Analogously, we introduce a class of functions related to the discrete logarithm and show similar reduction and interpolation results.
On the complexity of the discrete logarithm and Diffie–Hellman problems
Journal of Complexity, 2004
The discrete logarithm problem plays a central role in cryptographic protocols and computational number theory. To establish the exact complexity, not only of the discrete logarithm problem but also of its relatives, the Diffie-Hellman (DH) problem and the decision DH problem, is of some importance. These problems can be set in a variety of groups, and in some of these they can assume different characteristics. This work considers the bit complexity of the DH and the decision DH problems. It was previously shown by Boneh and Venkatesan that it is as hard to compute O(√n) of the most significant bits of the DH function as it is to compute the whole function, implying that if the DH function is difficult then so is computing this number of bits of it. The main result of this paper is to show that if the decision DH problem is hard then computing the two most significant bits of the DH function is hard. To place the result in perspective a brief overview of relevant recent advances on related problems is given.
Comparison of the complexity of Diffie–Hellman and discrete logarithm problems
Journal of Computer Virology and Hacking Techniques, 2020
The article presents an algorithm for solving the discrete logarithm problem with an oracle that solves the Diffie-Hellman problem. The certified discrete logarithm problem is considered. The Diffie-Hellman oracle works with elements of the original group, but with new group operations that are compositions of the Diffie-Hellman oracle. In particular, a universal (generic) algorithm can be substituted as the Diffie-Hellman oracle. The result improves on the one known since 1996: the degree of the logarithm in the complexity estimate of the presented algorithm is reduced to one. Of course, this does not affect the polynomial reducibility of the considered problems to each other, but it excludes terms from the estimate that are in a sense unnecessary.
A note on the interpolation of the Diffie-Hellman mapping
Bulletin of the Australian Mathematical Society, 2001
We obtain lower bounds on the degrees of polynomials representing the Diffie-Hellman mapping f(γ^x, γ^y) = γ^{xy}, where γ is a nonzero element of F_q of order d, x runs through a subset of [0, d − 1], and y runs through a set of consecutive integers.
On the bit security of the Diffie-Hellman key
Applicable Algebra in Engineering, Communication and Computing, 2006
Let F_p be a finite field of p elements, where p is prime. The bit security of the Diffie-Hellman function over subgroups of F_p^* and of an elliptic curve over F_p is considered. It is shown that if the Decision Diffie-Hellman problem is hard in these groups, then the two most significant bits of the Diffie-Hellman function are secure. Under the weaker assumption of the computational (rather than decisional) hardness of the Diffie-Hellman problems, only about (log p)^{1/2} bits are known to be secure.
Linear Complexity and Polynomial Degree of a Function Over a Finite Field
Finite Fields with Applications to Coding Theory, Cryptography and Related Areas, 2002
We compare the complexities of the polynomial representation and the periodic sequence representation of a function over a finite field in the complexity measures degree and linear complexity. We prove a sharp inequality describing the relation between degree and linear complexity. These investigations are motivated by results on some cryptographic functions. In particular, as an application of the above mentioned inequality we prove new lower bounds on the linear complexity of sequences related to the Diffie-Hellman mapping.
Interpolation of the Elliptic Curve Diffie-Hellman Mapping
Lecture Notes in Computer Science, 2003
We prove lower bounds on the degree of polynomials interpolating the Diffie-Hellman mapping for elliptic curves over finite fields and some related mappings including the discrete logarithm. Our results support the assumption that the elliptic curve Diffie-Hellman key exchange and related cryptosystems are secure.
Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities
Journal of Cryptology, 1997
We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N = PQ if we are given the high order (1/4) log_2 N bits of P.
On the Index of Diffie-Hellman Mapping
2020
Let γ be a generator of a cyclic group G of order n. The least index of a self-mapping f of G is the index of the largest subgroup U of G such that f(x)x^{−r} is constant on each coset of U for some positive integer r. We determine the index of the univariate Diffie-Hellman mapping d(γ^a) = γ^{a^2}, a = 0, 1, …, n−1, and show that any mapping of small index coincides with d only on a small subset of G. Moreover, we prove similar results for the bivariate Diffie-Hellman mapping D(γ^a, γ^b) = γ^{ab}, a, b = 0, 1, …, n−1. In the special case that G is a subgroup of the multiplicative group of a finite field we present improvements.
On the key exchange with nonlinear polynomial
2014
We say that the sequence g_n, n ≥ 3, n → ∞, of polynomial bijective transformations of the free module K^n over a commutative ring K is a sequence of stable degree if the order of g_n grows with n and the degree of each non-identity polynomial map of the form g_n^k is an independent constant c. A transformation b = τ g_n^k τ^{−1}, where τ is an affine bijection, n is large and k is relatively small, can be used as the base of a group-theoretical Diffie-Hellman key exchange algorithm for the Cremona group C(K^n) of all regular automorphisms of K^n. The specific feature of this method is that the order of the base may be unknown to the adversary because of the complexity of its computation. The exchange can be implemented by tools of Computer Algebra (symbolic computations). The adversary cannot use the degree of the right-hand side in b^x = d to evaluate the unknown x in this form of the discrete logarithm problem. In the paper we introduce explicit constructions of sequences of elements of stable degree for the case c = 3 for each commutative ring K containing at least 3 regular elements, and discuss the implementation of related key exchange and public key algorithms.
A note on complete polynomials over finite fields and their applications in cryptography
Finite Fields and Their Applications, 2014
A recursive construction of complete mappings over finite fields is provided in this work. These permutation polynomials, characterized by the property that both f(x) ∈ F_q[x] and its associated mapping f(x) + x are permutations, have an important application in cryptography in the construction of bent-negabent functions, which actually leads to some new classes of these functions. Furthermore, we also provide a recursive construction of mappings over finite fields of odd characteristic having the interesting property that both f(x) and f(x + c) + f(x) are permutations for every c ∈ F_q. Both the multivariate and univariate representations are treated and some results concerning fixed points and the cycle structure of these permutations are given. Finally, we utilize our main result for the construction of so-called negabent functions and bent functions over finite fields.
A lower bound on the mod 6 degree of the OR function
Computational Complexity, 1998
We examine the computational power of modular counting, where the modulus m is not a prime power, in the setting of polynomials in boolean variables over Z_m. In particular, we say that a polynomial P weakly represents a boolean function f (both have n variables) if for any inputs x and y in {0,1}^n we have P(x) ≠ P(y) whenever f(x) ≠ f(y). Barrington, Beigel, and Rudich [3] investigated the minimal degree of a polynomial representing the OR function in this way, proving an upper bound of O(n^{1/r}) (where r is the number of distinct primes dividing m) and a lower bound of ω(1). Here we show a lower bound of Ω(log n) when m is a product of two primes and Ω((log n)^{1/(r−1)}) in general. While many lower bounds are known for a much stronger form of representation of a function by a polynomial [5, 12], using this liberal (and, we argue, more natural) definition very little is known. While the degree is known to be Ω(log n) for the generalized inner product because of its high communication complexity [9], our bound is the best known for any function of low communication complexity and any modulus not a prime power.
On finding small solutions of modular multivariate polynomial equations
Lecture Notes in Computer Science, 1998
Let P(x) ≡ 0 (mod N) be a modular multivariate polynomial equation, in m variables and total degree k, with a small root x_0. We show that there is an algorithm which determines c (≥ 1) integer polynomial equations (in m variables) of total degree polynomial in cmk log N, in time polynomial in cmk log N, such that each of the equations has x_0 as a root. This algorithm is an extension of Coppersmith's algorithm [2], which guarantees only one polynomial equation. It remains an open problem to determine x_0 from these linearly independent equations (which may not be algebraically independent) in polynomial time. The algorithm can be used to attack an RSA scheme with small exponent in which a message is padded with random bits in multiple locations. Given two encryptions of the same underlying message with multiple random paddings of total size about 1/9 of the length of N (for exponent 3 RSA), the algorithm can be used to obtain the message.