On the Bits of Elliptic Curve Diffie-Hellman Keys

  • David Jao
  • Dimitar Jetchev
  • Ramarathnam Venkatesan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4859)


We study the security of elliptic curve Diffie-Hellman secret keys in the presence of oracles that provide partial information on the value of the key. Unlike the corresponding problem for finite fields, little is known about this problem, and in the case of elliptic curves the difficulty of representing large point multiplications in an algebraic manner leads to new obstacles that are not present in the case of finite fields. To circumvent this obstruction, we introduce a small multiplier version of the hidden number problem, and we use its properties to analyze the security of certain Diffie-Hellman bits. We suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem, and provide some evidence in support of the conjectures by showing that they hold on average in certain cases. We also present a Gröbner basis algorithm for solving the hidden number problem and recovering the Diffie-Hellman secret key when the elliptic curve is defined over a constant degree extension field and the oracle is a coordinate function in the polynomial basis.


Keywords: Elliptic Curve, Cayley Graph, Partial Information, Weierstrass Equation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • David Jao: University of Waterloo, Waterloo, ON N2L 3G1, Canada
  • Dimitar Jetchev: Dept. of Mathematics, University of California at Berkeley, Berkeley, CA 94720
  • Ramarathnam Venkatesan: Microsoft Research India Private Limited, "Scientia", No:196/36, 2nd Main Road, Sadashivnagar, Bangalore – 560080, India; and Microsoft Research, 1 Microsoft Way, Redmond, WA 98052
