Security analysis of the strong diffie-hellman problem

  • Authors:

  • Jung Hee Cheon

  • Affiliations:

  • ISaC and Dept. of Mathematics, Seoul National University, Republic of Korea

  • Venue:
  • EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
  • Year:
  • 2006

Quantified Score

Hi-index 0.00

Visualization

Abstract

Let g be an element of prime order p in an abelian group and $\alpha\in {{\mathbb Z}}_p$. We show that if g, gα, and $g^{\alpha^d}$ are given for a positive divisor d of p–1, we can compute the secret α in $O(\log p \cdot (\sqrt{p/d}+\sqrt d))$ group operations using $O(\max\{\sqrt{p/d},\sqrt d\})$ memory. If $g^{\alpha^i}$ (i=0,1,2,..., d) are provided for a positive divisor d of p+1, α can be computed in $O(\log p \cdot (\sqrt{p/d}+d))$ group operations using $O(\max\{\sqrt{p/d},\sqrt d\})$ memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by $O(\sqrt d)$ from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from $O(\sqrt p)$ to $O(\sqrt{p/d})$ for Boldyreva's blind signature and the original ElGamal scheme when p–1 (resp. p+1) has a divisor d ≤p1/2 (resp. d ≤p1/3) and d signature or decryption queries are allowed.