Optimal Randomness Extraction from a Diffie-Hellman Element

  • Authors: Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer
  • Affiliation: École Normale Supérieure, CNRS-INRIA, Paris, France (all four authors)
  • Venue: EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
  • Year: 2009

Abstract

In this paper, we study a quite simple deterministic randomness extractor from random Diffie-Hellman elements defined over a prime-order multiplicative subgroup G of a finite field ${\mathbb Z}_p$ (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in $G\subset {\mathbb Z}_p^*$, or of the abscissa of a random point in $\mathcal{E}({\mathbb F}_p)$, are indistinguishable from a uniform bit-string. Such an operation is quite efficient and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can for most elliptic curve parameters and for large subgroups of finite fields. To this end, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with the previously known results proposed at ICALP'06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main applications of this extractor is to mathematically prove an assumption proposed at Crypto '07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by NIST. The second most obvious application is to perform efficient key derivation given Diffie-Hellman elements.
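The finite-field case described in the abstract, as an added illustration (this is not code from the paper or its authors): a Diffie-Hellman exchange in a prime-order subgroup G of ${\mathbb Z}_p^*$ followed by the truncation extractor, i.e. keeping only the k least significant bits of the shared element. The parameters p = 2039, q = 1019 and g = 4 are constructed toy values chosen only so the arithmetic is easy to follow; the function names and the subgroup-membership check are my own assumptions, not anything the paper specifies.

```python
"""Added example (not from the paper): Diffie-Hellman in a prime-order
subgroup G of Z_p^* followed by the truncation extractor from the abstract,
i.e. keeping only the k least significant bits of the shared element.
All parameters below are constructed toy values, far too small for real use."""
import secrets
from typing import Optional, Tuple

# Constructed toy parameters: p = 2q + 1 with q prime (a safe prime), so
# Z_p^* has a subgroup G of prime order q; g = 2^2 = 4 is a square and so
# generates that order-q subgroup.
P = 2039
Q = 1019
G = 4


def in_subgroup(x: int) -> bool:
    """True if x lies in G, i.e. 0 < x < p and x^q == 1 (mod p).
    Rejecting elements outside G matters for the extractor: the uniformity
    argument is about random elements of the prime-order subgroup, not
    about arbitrary elements of Z_p^* handed over by a peer."""
    return 0 < x < P and pow(x, Q, P) == 1


def keygen(exponent: Optional[int] = None) -> Tuple[int, int]:
    """Return (private exponent x, public element g^x mod p).
    A fixed exponent may be passed to make the computation reproducible."""
    x = exponent if exponent is not None else 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def shared_element(private: int, peer_public: int) -> int:
    """Compute the Diffie-Hellman element peer_public^private in G."""
    if not in_subgroup(peer_public):
        raise ValueError("peer element is not in the prime-order subgroup")
    return pow(peer_public, private, P)


def truncate(element: int, k: int) -> int:
    """The deterministic extractor: the k least significant bits of element."""
    if not 0 < k <= P.bit_length():
        raise ValueError("k must be between 1 and the bit length of p")
    return element & ((1 << k) - 1)


def derive_key(private: int, peer_public: int, k: int) -> int:
    """Key derivation by truncation of the shared Diffie-Hellman element."""
    return truncate(shared_element(private, peer_public), k)


def empirical_bias(k: int, samples: int = 20000) -> float:
    """Rough sanity check: frequency of the most common k-bit output over
    random elements of G, relative to the ideal 2^-k (1.0 means perfectly
    flat). Illustration only; the paper's contribution is a proof of
    statistical closeness, which no empirical histogram can replace."""
    counts = [0] * (1 << k)
    for _ in range(samples):
        _, y = keygen()
        counts[truncate(y, k)] += 1
    return max(counts) / (samples / (1 << k))


if __name__ == "__main__":
    a, A = keygen()
    b, B = keygen()
    assert derive_key(a, B, 8) == derive_key(b, A, 8)
    print("8-bit key:", format(derive_key(a, B, 8), "08b"))
    print("max-bucket ratio for k=4:", round(empirical_bias(4), 2))
```

With exponents 5 and 7 the public elements are 4^5 mod 2039 = 1024 and 4^7 mod 2039 = 72, the shared element is 4^35 mod 2039 = 426, and its eight least significant bits are 170 (0b10101010). Note how few bits a 2039-element toy group can yield; the abstract's point is that for realistic group sizes the truncation loses almost nothing compared with a Leftover-Hash-Lemma based extractor, while needing no hash function or seed at all.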