Rounding in lattices and its cryptographic applications
SODA '97 Proceedings of the eighth annual ACM-SIAM symposium on Discrete algorithms
The Relationship Between Breaking the Diffie--Hellman Protocol and Computing Discrete Logarithms
SIAM Journal on Computing
A sieve algorithm for the shortest lattice vector problem
STOC '01 Proceedings of the thirty-third annual ACM symposium on Theory of computing
A Tool Box of Cryptographic Functions Related to the Diffie-Hellman Function
INDOCRYPT '01 Proceedings of the Second International Conference on Cryptology in India: Progress in Cryptology
Hidden number problem with hidden multipliers, timed-release crypto, and noisy exponentiation
Mathematics of Computation
On the hardness of approximating the permanent of structured matrices
Computational Complexity
On the complexity of the discrete logarithm and Diffie-Hellman problems
Journal of Complexity - Special issue on coding and cryptography
A generalization of DDH with applications to protocol analysis and computational soundness
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
On the bit security of the weak Diffie-Hellman problem
Information Processing Letters
Security of polynomial transformations of the Diffie-Hellman key
Finite Fields and Their Applications
| Hi-index | 0.89 |
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field Fp = {0,..., p - 1 } of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from F*p. González Vasco and Shparlinski, using bounds of exponential sums, have generalized this algorithm to the case where t is selected from a subgroup of F*p. In turn, this has allowed to improve one of the statements of the aforementioned work about the security of the most significant bits of the Diffie-Hellman key. Namely, it has been shown that having an oracle which, given gx, gy ∈ F*p for returns about log1/2 p most significant bits of gxy ∈ F*p, one can construct a polynomial time algorithm to compute gxy, provided that the multiplicative order of g is not too small. Here we use exponential sums of a different type to show that a similar statement holds for a much weaker 'diagonal' oracle which which, given gx ∈ F*p, returns about log1/2p most significant bits of gx2 ∈ F*p.