Improved lower bound for Diffie–Hellman problem using multiplicative group of a finite field as auxiliary group

1.1 Summary of existing work

To study the hardness of DHP the traditional method, and the only method known so far, involves reduction arguments from DLP to DHP. In this subsection, we will summarize those reduction arguments. In such reductions, one tries to solve DLP efficiently (in polynomial time of the input bit), using the existence of the a solution of DHP as sub-routine. If there exists such an algorithm, we say that DLP reduces to DHP in polynomial time, denoted by DLP ≤𝑃 DHP. Informally, if DLP ≤𝑃 DHP, it implies that DHP is at least as hard as DLP, or equivalently, DLP is no harder than DHP. Clearly, existence of any such reduction algorithm in case of elliptic curve groups would imply that ECDHP is hard, since ECDLP is hard to solve.

The first published result regarding the equivalence between DLP ad DHP was due to den Boer [6]. He proved the equivalence in the group 𝔽p× if ϕ⁢(p-1)(not p-1) is smooth, where ϕ is Euler’s totient function. Later on, Maurer attempted to generalize the idea of den Boer to any generic group 𝔾 by introducing the technique of implicit representation of elements of a finite field [11]. Soon after, Maurer and Wolf extended the idea of den Boer in another sense by using the concept of auxiliary groups in constructing such reduction algorithms: den Boer was using 𝔽p× as auxiliary group but Maurer and Wolf proposed to also use the elliptic curve over 𝔽p as auxiliary group. They showed that DLP ≤𝑃 DHP for any group 𝔾 of prime order p if we are able to find an elliptic curve over 𝔽p with smooth order [13, 12, 14, 15]. Smooth order of the auxiliary elliptic curve was the main reason behind the polynomial time reduction of DLP to DHP in their algorithm because it ensures that the total number of group operations as well as the total number of calls to the DH-oracle required in their algorithm remain polynomial in the input size. However, it is exceptionally hard, in general, to construct an elliptic curve over 𝔽p of smooth order for large p, resulting in the failure of above theorem. Therefore, some alternate method was needed to study the hardness of DHP in general.

In 2004, Muzereau, Smart and Vercauteren [18] re-visited the Maurer and Wolf reduction algorithm of DLP to DHP for special case of elliptic curve groups over finite field. They explicitly constructed auxiliary elliptic curves, which were required in the reduction algorithm, for a number of elliptic curves recommended for practical implementation in SEC 2 [20] by Standard for Efficient Cryptography Group(SECG) at Certicom Corporation. We will refer to those recommended elliptic curves in SEC 2 as SECG curves [20] throughout this paper. However, the orders of the auxiliary elliptic curves constructed were not smooth enough, making the cost of the reduction algorithm exponential. Therefore, their reduction algorithm with those auxiliary elliptic curves failed to prove the polynomial reduction of ECDLP to ECDHP for those recommended SECG curves. Nevertheless, all was not lost as it might seem, since they were the first to give precise estimate of the number of group operations needed in such a reduction algorithm and showed how to use such a reduction algorithm to estimate the minimum number of group operations required to solve ECDHP on those SECG curves [18, Table 1, Table 2].

Bentahar later applied the idea similar to Muzereau, Smart and Vercauteren [18] but constructed different auxiliary elliptic curves over 𝔽p to improve those estimates of Muzereau, Smart and Vercauteren on the exact lower bounds for ECDHP on those important SECG curves [2, Table 1, Table 2]. Since those lower bounds for ECDHP are assumed to be beyond the reach of present computational power, it establishes the security of several protocols relying on the hardness of ECDHP on those recommended SECG curves. This shows the significance of this remarkable approach.

In another related work, Brown and Gallant [4, Theorem 1] presented a generic algorithm reducing DLP to static Diffie–Hellman problem (SDHP). SDHP is a special case of DHP. They also gave the minimum number of group operations required to solve SDHP [4, Corollary 1] on any group of order p where the best algorithm to solve DLP requires at least p, for example the group of points on an elliptic curve over a finite field.

1.2 Our contribution

The algorithms of Muzereau, Smart and Vercauteren [18] and Bentahar [2] both use the same reduction algorithm suggested by Maurer and Wolf. They used suitable elliptic curves over a finite field as auxiliary groups for estimating the lower bound for DHP. Our contribution in this paper is that we have presented a DLP to DHP reduction algorithm that, even though it uses the multiplicative group of a finite field as an auxiliary group like den Boer [6], does not require the Chinese Remainder Theorem. We want to emphasize that earlier work of den Boer [6] (with 𝔽p× as the auxiliary group) or Maurer and Wolf [13, 12, 14, 15] (with elliptic curve over 𝔽p as the auxiliary group) both require the Chinese Remainder Theorem. This absence of the Chinese Remainder Theorem makes this reduction different from previous reductions. However, our work in estimating the lower bound for DHP may be seen as an application of the den Boer reduction algorithm with 𝔽p× as auxiliary group which is in contrast to the fact that Muzereau, Smart and Vercauteren [18] as well as Bentahar [2] both applied the Maurer and Wolf reduction algorithm with elliptic curves as auxiliary groups. The application of 𝔽p× as auxiliary group in context of estimating the lower bound for DHP is a new idea.

Owing to this difference between our algorithm and previous algorithms and the change in the auxiliary group from an elliptic curve over a finite field to the multiplicative group of a finite field, our reduction algorithm requires a very small number of DH-oracle calls. Thus, it results in increasing the lower bound for DHP because the lower bound for DHP is inversely proportional to the number of calls to the DH-oracle. When applied to SECG curves studied first by Muzereau, Smart and Vercauteren and then by Bentahar, our reduction algorithm improves the previous lower bounds for ECDHP.

More precisely, assuming that the best algorithm to solve DLP on an elliptic curve of order p takes at least p group operations, Muzereau, Smart and Vercauteren gave the following estimate on the lower bound for ECDHP [18, Theorem 4]:

Under the same assumption as above that the best known algorithm to solve ECDLP on an elliptic curve of order p requires at least p group operations, our reduction algorithm will prove the following theorem which improves the lower bound for ECDHP given in Theorem 1:

The significance of the above result is that it applies to almost all the recommended SECG curves because such a divisor d exists for almost all of those curves where prime p is either the order of those elliptic curve groups or the largest prime divisor (with a very small co-factor of either 2 or 4). Therefore, the above reduction gives us the tightest lower bound for ECDHP on these SECG curves.

Moreover, for curves SECP521R1, SECT409R1, SECT571R1, SECT571K1, Bentahar was unable to construct the auxiliary elliptic curves. However, we had no problem applying our algorithm to these curves and the lower bound estimates of ECDHP on these curves are also given here. Moreover, we have also extended our idea beyond SECG curves and estimated the lower bounds for ECDHP on non-SECG curves such as Curve25519 and Curve448 (recently added by Crypto Forum Research Group (CFRG)) [10], Brainpool curves [17], pairing friendly Barreto–Naehrig curves (BN curves) [1], CFRG BN curves [8].

The rest of the paper is organized as follows. In Section 2, we mention some notations and definitions that will be required to understand the material of this paper. Our main contributions are described in Section 3 and Section 4. In Section 3, we present a reduction algorithm of DLP to DHP without using the Chinese Remainder Theorem and prove Theorem 2 regarding the improved lower bound for ECDHP as a result of that reduction algorithm. In Section 4, we present the improved lower bounds for ECDHP for various SECG curves (Table 1 and Table 2), along with the similar estimates of ECDHP on some additional non-SECG elliptic curves (Table 3). Finally, we conclude in Section 5.

2.1 Implicit representation of elements of 𝔽p

Let 𝔾 be a cyclic group with generator P whose order is a prime number p. Let y∈𝔽p. Then y⁢P∈𝔾 is called the implicit representation of y∈Fp(with respect to G and P). We denote this by y↝y⁢P.

Let y⁢P,z⁢P∈𝔾 be implicit representations of y,z∈𝔽p, respectively. Then the following basic algebraic operations in 𝔽p can also be realized in 𝔾 as follows:

1. Equality testing: y=z if and only if y⁢P=z⁢P.

2. Addition: y+z↝y⁢P+z⁢P (one group operation in 𝔾).

3. Subtraction: y-z↝y⁢P-z⁢P(O⁢(log⁡p) group operations in 𝔾).

4. Multiplication: y⋅z↝y⁢z⁢P=𝒟⁢ℋ⁢(y⁢P,z⁢P) (one call to DH-oracle).

5. Inversion: y-1=yp-2=y⁢⋯⁢y↝yp-2⁢P (O(log2p) DH-oracle calls by using binary expansion).

Observe that the DH-oracle is used only for multiplication and inversion in 𝔽p. Therefore, the number of DH-oracle calls required in the reduction algorithm increases with the increase of the number of multiplication and inversions in 𝔽p required in the reduction algorithm. We will see the importance of this in later sections.

2.2 Auxiliary groups

As the name suggests, any group (other than the group 𝔾) is called an auxiliary group if it can be used to achieve the targeted goal of an algorithm. In the present context of DLP to DHP reduction, the goal is to solve DLP using the DH-oracle calls and implicit representations. Therefore, two essential properties of a possible auxiliary group ℍ are:

1. Elements of ℍ can be represented as m-tuples of elements of 𝔽p for some m≥1.

2. Group operation in this auxiliary group ℍ can be defined from algebraic operations in 𝔽p.

Note that if ℍ has these two properties, then any computation in ℍ (for example, equality testing, exponentiation in ℍ) can also be performed on their implicitly represented elements of 𝔾. Interestingly, den Boer was the first to use 𝔽p× as the auxiliary group [6], even though there was no mention of the term “auxiliary group” in his work. Later on, Maurer and Wolf coined the term “auxiliary group” and extended den Boer’s idea by also using elliptic curve as auxiliary group. They called elliptic curves E¯⁢(𝔽p) and subgroups of 𝔽pn× for some n≥1 as applicable auxiliary groups over Fp. For more details, refer to [14].

2.3 General idea of solving DLP using auxiliary groups and implicit representation computation

Let 𝔾 be a cyclic group generated by P and order of P is a prime p. To solve DLP for Q, one requires to find the integer x where Q=x⁢P. Moreover, we also have access to a DH-oracle on 𝔾 and we are allowed to make calls to the DH-oracle to solve DLP on 𝔾. To this end, using auxiliary groups over 𝔽p and computation on implicitly represented elements of 𝔽p, the general idea for a DLP to DHP reduction algorithm can be described as follows:

1. Choose a cyclic auxiliary group ℍ over 𝔽p generated by ζ0.

2. Embed the unknown x into an implicitly represented element c of ℍ.

3. Compute the discrete logarithm of c with respect to ζ0 in ℍ explicitly, using computation (in 𝔾) of implicitly represented elements of 𝔽p. Observe that computing implicit representations of finite field elements is exactly the place where the DH-oracle is used.

4. Extract the unknown x from the discrete logarithm of c with respect to ζ0 found in the last step.

It is interesting to note that all DLP to DHP reduction algorithms known so far are based on the above general idea. More intriguing is the fact that only elliptic curves over 𝔽p of smooth order have been used as auxiliary groups and studied extensively, except den Boer who used 𝔽p× as auxiliary group [6].

If we take ℍ=E¯⁢(𝔽p) as the auxiliary group with smooth order N where the elliptic curve E¯⁢(𝔽p) is given by Y2=X3+A⁢X+B, A,B∈𝔽p, and generated by P0=(x0,y0)∈ℍ, the reduction algorithm of Muzereau, Smart and Vercauteren [18] (which follows the above general idea) embeds the unknown x implicitly into c=Q0=(x,y)∈ℍ for some y∈𝔽p. After that, the discrete logarithm k of Q0 with respect to P0 is computed explicitly using computations on implicitly represented elements. The last step is to extractx from k⁢P0(=Q0) which is the abscissa of the point Q0. Observe that Q0=(x,y) was not explicitly known before the computation of k. However, once we have k, we can compute Q0explicitly using P0 and k as Q0=k⁢P0. Muzereau, Smart and Vercauteren first computed k modulo each prime power of N by repeatedly applying the Pohlig–Hellman algorithm on implicitly represented elements along with exhaustive search to find a collision, then used the Chinese Remainder Theorem to find k. Bentahar also applied the same method. We call this several instances of Pohlig–Hellman algorithm and exhaustive search in their reduction algorithms collectively as sub-algorithm A. For more details on this reduction, see [18].

In the following section, we present the proof of Theorem 2 by using a reduction algorithm that uses 𝔽p× as auxiliary group (instead of an elliptic curve over 𝔽p) but without using the Chinese Remainder Theorem. The absence of the Chinese Remainder Theorem is what makes this reduction algorithm different from existing ones.

3.1 DLP to DHP reduction using 𝔽p× as auxiliary group

We first present two lemmas which will lead to the proof of Theorem 2. The reduction algorithm given in Lemma 2 is similar to den Boer’s reduction [6] in the sense that 𝔽p× plays a major role in both reductions. The reduction is motivated by Gallant and Brown[4, Theorem 1] and of Cheon’s work[5, Theorem 1]. The central idea used in both of them is exactly the same once one particular element is known. However, their goals were different. While Gallant and Brown used SDHP oracle to compute that particular element, Cheon included the existence of that particular element in the assumption only. As a result, work of Gallant and Brown yields a reduction algorithm of DLP to SDHP while Cheon’s work leads towards solving DLPwAI.

In our case, Lemma 1 computes that particular element using small number of calls to a DH-oracle which gives the DLP to DHP reduction algorithm in Lemma 2. We also observed that the reduction algorithm fits perfectly well into the general idea of implicit representation formulated by Maurer and Wolf but with 𝔽p× as auxiliary group. Thus, for the sake of consistency, we present our algorithm into that setting only.

Now, we present our DLP to DHP reduction algorithm using implicit representations with 𝔽p× as auxiliary group in the following lemma:

3.2 Proof of Theorem 2

Since proving computational equivalence of DLP and DHP is very hard in general, the next best thing would be to somehow estimate the minimum number of group operations required to solve DHP. That is exactly what Muzereau, Smart and Vercauteren [18] did for the elliptic curves groups [20] recommended for practical implementation by SECG. Their idea was to construct a DLP to DHP reduction algorithm in which the total number of group operations needed in the reduction algorithm should be very small, thus insignificant when compared to the cost of solving DLP. Once we have such a reduction algorithm, they proposed that ratio of the cost of DLP and the number of calls to the DH-oracle needed in the algorithm gives the minimum number of group operations required by any algorithm to break DHP. This is how the above reduction algorithm can also be used to estimate the minimum cost of DHP. These estimates of the lower bound for DHP in view of the above reduction may also be seen as an application of the den Boer reduction algorithm with 𝔽p× as auxiliary group which is in contrast to the fact that Muzereau, Smart and Vercauteren [18] and Bentahar [2] both applied the Maurer and Wolf reduction algorithm with elliptic curves as the auxiliary groups to get their estimates of DHP. The application of 𝔽p× as auxiliary group in context of estimating the lower bound for DHP is not reported before and seems to be an interesting idea.

4.1 Improved value of TDH

The difference between sub-algorithm A and sub-algorithm B as well as the change of auxiliary group from E¯⁢(𝔽p) to 𝔽p× both have their implications on the number of DH-oracle calls, consequently affecting the value of TDH. Since sub-algorithm A used in previous reduction algorithms required several iterations of the Pohlig–Hellman algorithm, one had to compute a large number of implicitly represented elements in those reduction algorithms. Therefore, a large number of DH-oracle calls were needed in the previous reduction algorithms. On the other hand, our reduction algorithm while using sub-algorithm B requires only one implicitly represented element xd⁢P of xd∈𝔽p×. This element can be computed by using at most n≤2⁢[log2⁡d] DH-oracle calls which can further be made really small by taking small value of d.

Recall that the addition operation in E¯⁢(𝔽p) requires many multiplications in 𝔽p (one multiplication in 𝔽p means one DH-oracle call to compute the implicit representation) and many inversions in 𝔽p (one inversion in 𝔽p means on average 32⁢[log2⁡p] calls to the DH-oracle to compute the implicit representation). Thus, in terms of DH-oracle calls, computing the sum of elements in E¯⁢(𝔽p) is much more expensive than multiplying elements in 𝔽p×.

Since our main aim through this reduction algorithm is to increase the value of TDH which is inversely proportional to the number of DH-oracle calls n, it will be nice to reduce the number of DH-oracle calls as much as possible. That is exactly what our reduction algorithm does using sub-algorithm B and 𝔽p× as auxiliary group. This shows that the advantage of our reduction algorithm in achieving the improved value of TDH, over the previous reduction algorithms which used sub-algorithm A and ℍ=E¯⁢(𝔽p) as auxiliary group.

4.2 Tightest lower bound for ECDHP for SECG and non-SECG curves

In this subsection, we study the positive effect of our reduction on the lower bound for ECDHP for various important SECG curve parameters [20] and present the improved lower bound for ECDHP on those SECG curves (see Table 1 and Table 2). These SECG curves are recommended in SEC 2 by Standard of Efficient Cryptography Group (SECG) at Certicom Corporation to be used for practical purposes and we are calling those curves SECG curves. These SECG curves are divided into two sub-categories: curves over prime fields of large odd characteristic and curves over binary fields. The prime p denotes the order of those SECG curves defined over prime fields of odd characteristic. For the remaining SECG curves defined over binary fields, p denotes the prime divisor of the order of the curve, with a very small co-factor of either 2 or 4.

It should also be noted that SECG curves [20] include all curves recommended by NIST [19] and the most used ones in ANSI [21]. These covers the most commonly used curves in practice. Thus, these are important curves from the point of view of public key cryptography. Moreover, we have also extended our idea to previously uncovered non-SECG curves such as CFRG curves (Curve25519, Curve448) [10], pairing friendly Barreto–Naehrig curves (also known as BN curves) [1], some more pairing friendly curves given by CFRG [8], and Brainpool curves [17]. We have presented the similar estimates of ECDHP on those non-SECG curves (see Table 3). CFRG curves (Curve25519, Curve448) [10] are recently proposed by the Crypto Forum Research Group (CFRG) and they are already under consideration to be included in the NIST curves. Four pairing friendly curves (also known as BN curves) were given by Barreto and Naehrig in [1] and we are calling them BN160, BN192, BN224 and BN256 depending upon their field sizes. Some more pairing friendly BN curves were proposed by CFRG [8] which also include BN224 and BN256. Brainpool curves [17] are another set of curve parameters which are given by CFRG.

Muzereau, Smart and Vercauteren [18] used the value of TDH as the lower bound on group operations to break DH-protocol and also gave the estimates for TDH on various SECG curves. Thereafter, Bentahar [2] improved the previous values of TDH given by Muzereau, Smart and Vercauteren and his estimates remain the best estimates till date. Now, in our algorithm, with 𝔽p× as the auxiliary group, we have

where d is some divisor of p-1. As per the discussion above, to achieve a tighter (larger) value of TDH using our reduction algorithm, one should try to make n≤2⁢[log2⁡d] as small as possible, which forces d to be small as well. On the other hand, we have to make sure that M≈p3, so that it does not violate M≪CECDLP=p. It is not hard to see that for really small value of d, M is inversely proportional to d. Therefore, too small value of d must not be used to avoid the violation of M≪CECDLP=p. Also note that d≈p3 yields M≈p3 in our reduction algorithm.

Keeping all these in mind, we factored p-1 and found that most of SECG curves contain divisors d which are between p3 and p and we have taken the smallest such d in the range p3 and p to compute the values in Tables 1 and 2 given below. For those curves where such a divisor d does not exist, we have chosen the largest d less than p3 to compute the values in the tables. For exact values of the d in case of various curves, see the appendix.

For those choices of d, we calculated the exact number of the DH-oracle calls, n≤2⁢[log2⁡d], using binary expansion of d. The values of n thus achieved are significantly small as compared with the values of n shown by Bentahar [2] (and much smaller than those in the work of Muzereau, Smart and Vercauteren [18]). Consequently, these significantly small values of n resulted in much tighter (larger) values of TDH for all SECG curves. Therefore, it implies that we have given the tightest lower bound, known so far, on ECDHP for all SECG curves [20] (except SECP224K1). In other words, our results show the gap between the cost of ECDHP and ECDHP to be the least (known so far) for these curves and it leads us one step closer towards the computational equivalence of ECDHP and ECDLP for these important curves.

One additional advantage of our algorithm is that the values of M in our algorithm are less than or of almost same order as the ones given by Bentahar [2] for most of SECG curves.

Table 1 and Table 2 present the key values, log2⁡M, log2⁡n and log2⁡TDH for various SECG curves. The tables also have the value of log2⁡|E| which refers to the assumed minimum cost of solving DLP in that particular SECG curve E. The column under ADV in Table 1 and Table 2 shows the number of security bits gained by the values of TDH in our algorithm over the previous best known values of TDH given by Bentahar [2]. Moreover, the present algorithm works for the curves SECP521R1, SECT571R1, SECT571K1 as well which were out of reach in previous work due to inability to construct auxiliary elliptic curves, and Tables 1 and 2 give the key data for these curves as well. Table 3 presents the key values log2⁡M, log2⁡n and log2⁡TDH for various non-SECG curves which were not covered in the previous works [18, 2].

It should also be remarked that the current algorithm fails for the SECG curve SECP224K1, and three non-SECG curves BRAINPOOL224R1, BRAINPOOL256R1 and BRAINPOOL320R1 as there does not exist any divisor of p-1 of appropriate size. Therefore, Bentahar’s result still gives the tightest value of TDH for the curve SECP224K1.

To understand the advantage gained by our result over the work of Bentahar [2], as an example we consider the security of ECDHP for SECP256R1. The best known algorithm at present to solve ECDLP on this curve takes on an average 2128 group operations. Now, our algorithm implies that ECDHP cannot be solved in less than 2121.00 group operations, in contrast to 2115.40 group operations from the work of Bentahar [2]. This shows that there is a gain factor of 25.60 over the previous best known result given by Bentahar for the curve SECP256R1, see Table 1. If we assume that today’s computational power is incapable of performing 2121.00 group operations (which is considered to be true by many), then ECDHP on the curve SECP256R1 is secure and any cryptography protocol which rely on DHP for its security can safely be implemented on the curve SECP256R1, under the assumption above.