Information Processing Letters 83 (2002) 109–113

Security of most significant bits of $g^{x^2}$

Igor E. Shparlinski
Department of Computing, Macquarie University, Sydney, NSW 2109, Australia

Received 22 August 2000; received in revised form 31 August 2001
Communicated by P.M.B. Vitányi

Abstract

Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element $\alpha$ of a finite field $\mathbb{F}_p = \{0, \ldots, p-1\}$ of $p$ elements from rather short strings of the most significant bits of the remainder modulo $p$ of $\alpha t$ for several values of $t$ selected uniformly at random from $\mathbb{F}_p^*$. González Vasco and Shparlinski, using bounds of exponential sums, have generalized this algorithm to the case where $t$ is selected from a subgroup of $\mathbb{F}_p^*$. In turn, this has made it possible to improve one of the statements of the aforementioned work about the security of the most significant bits of the Diffie–Hellman key. Namely, it has been shown that having an oracle which, given $g^x, g^y \in \mathbb{F}_p^*$, returns about $\log^{1/2} p$ most significant bits of $g^{xy} \in \mathbb{F}_p^*$, one can construct a polynomial time algorithm to compute $g^{xy}$, provided that the multiplicative order of $g$ is not too small. Here we use exponential sums of a different type to show that a similar statement holds for a much weaker 'diagonal' oracle which, given $g^x \in \mathbb{F}_p^*$, returns about $\log^{1/2} p$ most significant bits of $g^{x^2} \in \mathbb{F}_p^*$. © 2001 Elsevier Science B.V. All rights reserved.

Keywords: Cryptography; Hidden number problem; Bit security; Exponential sums

1. Introduction

Let $p$ be an $n$-bit prime and let $g \in \mathbb{F}_p$ be an element of multiplicative order $T$ of the finite field $\mathbb{F}_p$ of $p$ elements.

For integers $s$ and $m \ge 1$ we denote by $\lfloor s \rfloor_m$ the remainder of $s$ on division by $m$.

In the case of $T = p - 1$, that is, when $g$ is a primitive root, Boneh and Venkatesan [2] have proposed a method of recovering a "hidden" element $\alpha \in \mathbb{F}_p$ from about $n^{1/2}$ most significant bits of $\lfloor \alpha g^{x_i} \rfloor_p$, $i = 1, \ldots, d$, for $d = 2n^{1/2}$ integers $x_1, \ldots, x_d$, chosen uniformly and independently at random in the interval $[0, p-2]$. This result has been applied to proving security of reasonably small portions of bits of private keys of several cryptosystems. In particular, in Theorem 2 of [2] the security of the $n^{1/2} + \log n$ most significant bits of the private key $\lfloor g^{ab} \rfloor_p$ of the Diffie–Hellman cryptosystem with public keys $\lfloor g^a \rfloor_p$ and $\lfloor g^b \rfloor_p$ with $a, b \in [0, p-2]$ is considered.

E-mail address: [email protected] (I.E. Shparlinski).

To be more precise, for an integer $k \ge 1$ we define $f_k(t)$ by the inequalities

$$\bigl(f_k(t) - 1\bigr)\,\frac{p}{2^k} \le \lfloor t \rfloor_p < f_k(t)\,\frac{p}{2^k}.$$

Thus, roughly speaking, $f_k(t)$ is the integer defined by the $k$ most significant bits of $\lfloor t \rfloor_p$. We also define the oracle $\mathcal{O}_k$ as a 'black box' which, given the values of $X = \lfloor g^x \rfloor_p$ and $Y = \lfloor g^y \rfloor_p$, outputs the value of $f_k(g^{xy})$.

In [2] a method has been given to compute the private key $\lfloor g^{ab} \rfloor_p$ from the values of $\lfloor g^a \rfloor_p$ and $\lfloor g^b \rfloor_p$ in probabilistic polynomial time, using $O(n^{1/2})$ calls of the oracle $\mathcal{O}_k$ with some $k$ of order $k = O(n^{1/2})$.

0020-0190/01/$ – see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S0020-0190(01)00315-5

As has been noticed in [7,8], the proof of Theorem 2 in [2] is not quite correct. Indeed, in order to apply Theorem 1 of that paper to $h = g^b$ this element must be a primitive root of $\mathbb{F}_p$. Thus the proof of Theorem 2 of [2] is valid only if $\gcd(b, p-1) = 1$ (of course the same result holds in the case $\gcd(a, p-1) = 1$ as well).

In [7] new bounds of exponential sums from [10] have been used to correct and extend some results of [2] to the case of elements $g$ of arbitrary multiplicative order $T$, provided that $T \ge p^{1/3+\varepsilon}$ for any prime $p$ and $T \ge p^{\varepsilon}$ for almost all $p$. In particular, it has been shown in [7] that the statement of Theorem 2 of [2] holds for all pairs $(a, b)$. Similarly, the proof of Theorem 3 of [2] has been corrected in [8].

Here we prove an analogue of Theorem 2 of [2] and Theorems 4.1 and 4.2 of [7] for a weaker oracle which works very similarly to $\mathcal{O}_k$ but only in the 'diagonal' case $x = y$. However, we need a stronger condition $T \ge p^{1/2+\varepsilon}$. We remark that the result is new even in the case $T = p - 1$.

This result is based on bounds of different exponential sums, which have been originally introduced and estimated in [11] and then also studied in [4]; Theorem 6 of [4] is one of our main tools.

We also remark that it has been shown in Section 5.3 of [12] that if there is an oracle computing $\lfloor g^{x^2} \rfloor_p$ from $X = \lfloor g^x \rfloor_p$, then there is a deterministic polynomial time algorithm to compute $\lfloor g^{ab} \rfloor_p$ from $\lfloor g^a \rfloor_p$ and $Y = \lfloor g^b \rfloor_p$. Thus our result can be considered as an extension of this statement as well (we need only $O(n^{1/2})$ bits of $\lfloor g^{x^2} \rfloor_p$ rather than all $n$ bits as in [12]).

A survey of similar results for other functions of cryptographic interest has recently been given in [6].

Throughout the paper the implied constants in symbols 'O' may occasionally, where obvious, depend on the small positive parameter $\varepsilon$ and are absolute otherwise; they are all effective and can be explicitly evaluated.

2. Hidden number problem

As in [2,3] (and in [5,7,8,13,14]) we need some results about the hidden number problem, introduced in [2]. The hidden number problem consists of recovering a number $\alpha \in \mathbb{F}_p$ such that for many known random $t \in \mathbb{F}_p$ a certain number $k$ of the most significant bits of $\lfloor t\alpha \rfloor_p$ are known.

In the case when the values of $t$ are chosen uniformly and independently at random in $\mathbb{F}_p^*$ a polynomial time algorithm for the corresponding hidden number problem has been designed in [2]. However, it has turned out that for many applications one has to study more general sets $\mathcal{T}$ from which $t$ is selected, see [5,7,8,13,14].

To present the corresponding result we need severalmore definitions.

We recall that the discrepancy $D(\Gamma)$ of an $N$-element sequence $\Gamma = \{\gamma_1, \ldots, \gamma_N\}$ of elements of the interval $[0,1]$ is defined as

$$D(\Gamma) = \sup_{J \subseteq [0,1]} \left| \frac{A(J,N)}{N} - |J| \right|,$$

where the supremum is extended over all subintervals $J$ of $[0,1]$, $|J|$ is the length of $J$, and $A(J,N)$ denotes the number of points $\gamma_n$ in $J$ for $0 \le n \le N-1$.

We say that a finite sequence $\mathcal{T}$ of integers is $\Delta$-homogeneously distributed modulo $p$ if for any integer $a \in \mathbb{F}_p^*$ the discrepancy of the sequence $\{\lfloor at \rfloor_p / p\}_{t \in \mathcal{T}}$ is at most $\Delta$.

The following generalization of Theorem 1 of [2] (see also [7,8]) has been obtained in [13]. It has also been presented in [5,14].

Lemma 1. Let $\omega > 0$ be an arbitrary absolute constant. For a prime $p$, define

$$k = \left\lceil \omega \left( \frac{\log p \,\log\log\log p}{\log\log p} \right)^{1/2} \right\rceil \quad\text{and}\quad d = \left\lceil 3 \log p / k \right\rceil.$$

Let $\mathcal{T}$ be a $2^{-k}$-homogeneously distributed modulo $p$ sequence of integer numbers. There exists a probabilistic polynomial time algorithm $\mathcal{A}$ such that for any fixed $\alpha \in \mathbb{F}_p^*$, given $2d$ integers

$$t_i \quad\text{and}\quad u_i = f_k(\alpha t_i), \qquad i = 1, \ldots, d,$$

its output satisfies for sufficiently large $p$

$$\Pr_{t_1, \ldots, t_d \in \mathcal{T}} \bigl[ \mathcal{A}(t_1, \ldots, t_d; u_1, \ldots, u_d) = \alpha \bigr] \ge 1 - 1/p,$$

where the probability is taken over all $t_1, \ldots, t_d$ chosen uniformly and independently at random from $\mathcal{T}$ and all coin tosses of the algorithm $\mathcal{A}$.


Proof. We outline the main steps of the proof given in [13]. Let us consider the lattice $L(p, k, t_1, \ldots, t_d)$ spanned by the rows of the following matrix:

$$\begin{pmatrix}
p & 0 & \cdots & 0 & 0 \\
0 & p & \ddots & \vdots & \vdots \\
\vdots & \ddots & \ddots & 0 & \vdots \\
0 & \cdots & 0 & p & 0 \\
t_1 & \cdots & \cdots & t_d & 1/2^{k+1}
\end{pmatrix}.$$

The vector $w = (\lfloor \alpha t_1 \rfloor_p, \ldots, \lfloor \alpha t_d \rfloor_p, \alpha/2^{k+1}) \in L(p, k, t_1, \ldots, t_d)$ is close to the known vector $u = (u_1, \ldots, u_d, 0)$, namely $\|w - u\| = O(p\,2^{-k})$. Applying the lattice reduction algorithm of [1] together with the reduction of [9] from the closest vector problem to the shortest vector problem, we see that with probability at least $1 - 2^{-d^3}$ we obtain a vector $v \in L(p, k, t_1, \ldots, t_d)$ with

$$\|v - u\| \le p\,2^{-k + \omega d \log\log d / 9 \log d}.$$

Let us estimate the probability that $L(p, k, t_1, \ldots, t_d)$ contains such a vector $v$ with $v \ne w$. The last inequality implies that

$$\|v - w\| \le p\,2^{-k + \omega d \log\log d / 9 \log d} \tag{1}$$

provided that $p$ is large enough. Any vector $v \in L(p, k, t_1, \ldots, t_d)$ is of the form

$$v = (\beta t_1 - \lambda_1 p, \ldots, \beta t_d - \lambda_d p, \beta/2^{k+1}),$$

with some integers $\beta$ and $\lambda_1, \ldots, \lambda_d$. Thus (1) implies that for all $i = 1, \ldots, d$ we have

$$(\alpha - \beta)\, t_i \equiv y_i \pmod p \tag{2}$$

for some $y_i \in [-h, h]$ where

$$h = \left\lceil p\,2^{-k + \omega d \log\log d / 9 \log d} \right\rceil.$$

For any $\gamma \not\equiv 0 \pmod p$, we have

$$\Pr_{t \in \mathcal{T}} \bigl[ \gamma t \equiv y \pmod p \mid y \in [-h, h] \bigr] \le \frac{2h+1}{p} + 2^{-k}.$$

Therefore the probability $P$ that the condition (2) holds for all $i = 1, \ldots, d$ and at least one $\beta \ne \alpha$ is at most

$$P \le (p - 1) \left( \frac{2h+1}{p} + 2^{-k} \right)^d \le p \left( 3h/p + 2^{-k} \right)^d = p\,2^{-(k - \omega d \log\log d / 9 \log d + 3) d} \le 2^{-kd/2},$$

provided that $p$ is large enough. Thus for the above choice of $k$ and $d$ we see that $v \ne w$ with probability at most $1/p$. ✷
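As an added illustration, which is not part of the paper, the following Python code builds the lattice $L(p, k, t_1, \ldots, t_d)$ of the proof for a constructed toy instance, verifies that the hidden vector $w$ lies in it and lies within $p/2^k$ of the known vector $u$, and counts by brute force over $\beta$ how many competing vectors $v \ne w$ satisfy condition (2). The instance ($p = 17$, $k = 2$, multipliers $3, 5, 7$, hidden $\alpha = 11$) is constructed here; $h$ is taken as $\lceil p/2^k \rceil$ without the $2^{\omega d \log\log d/9\log d}$ factor, and $u_i$ is taken as the lower end $(f_k(\alpha t_i) - 1)\,p/2^k$ of the interval that $f_k$ determines. These choices and the function names are assumptions of the example. With three multipliers two competing $\beta$ survive; adding a fourth multiplier removes them, which is the effect the estimate for $P$ quantifies as $d$ grows.

```python
from fractions import Fraction
from math import ceil


def msb_value(t, p, k):
    """f_k(t): the integer f with (f-1)*p/2^k <= t mod p < f*p/2^k,
    i.e. the k most significant bits of t mod p, counted from 1."""
    return (t % p) * 2**k // p + 1


def hnp_lattice_basis(p, k, ts):
    """Rows spanning L(p, k, t_1, ..., t_d): p on the diagonal of the
    first d rows, then the last row (t_1, ..., t_d, 1/2^(k+1))."""
    d = len(ts)
    rows = []
    for i in range(d):
        row = [Fraction(0)] * (d + 1)
        row[i] = Fraction(p)
        rows.append(row)
    rows.append([Fraction(t) for t in ts] + [Fraction(1, 2**(k + 1))])
    return rows


def in_lattice(p, k, ts, v):
    """True iff v has the shape every lattice vector has:
    (beta*t_1 - lambda_1*p, ..., beta*t_d - lambda_d*p, beta/2^(k+1))
    for integers beta and lambda_i."""
    beta = v[-1] * 2**(k + 1)
    if beta.denominator != 1:
        return False
    return all(((beta * t - vi) / p).denominator == 1
               for t, vi in zip(ts, v[:-1]))


def hidden_vector(p, k, alpha, ts):
    """w = (alpha*t_1 mod p, ..., alpha*t_d mod p, alpha/2^(k+1))."""
    return [Fraction((alpha * t) % p) for t in ts] + [Fraction(alpha, 2**(k + 1))]


def known_vector(p, k, alpha, ts):
    """u = (u_1, ..., u_d, 0); u_i encodes f_k(alpha*t_i) as the lower end
    (f_k - 1)*p/2^k of the interval the k bits pin down (example's choice)."""
    return [Fraction((msb_value(alpha * t, p, k) - 1) * p, 2**k) for t in ts] + [Fraction(0)]


def max_coordinate_gap(p, k, alpha, ts):
    """Largest |w_i - u_i|; by the definition of f_k it is below p/2^k."""
    w = hidden_vector(p, k, alpha, ts)
    u = known_vector(p, k, alpha, ts)
    return max(abs(wi - ui) for wi, ui in zip(w, u))


def count_competitors(p, alpha, ts, h):
    """Number of beta != alpha (mod p) such that (alpha - beta)*t_i is
    congruent to some y_i in [-h, h] for every i, i.e. the beta for which a
    lattice vector v != w could also satisfy condition (2)."""
    count = 0
    for beta in range(p):
        if beta == alpha % p:
            continue
        gamma = (alpha - beta) % p
        ok = True
        for t in ts:
            y = (gamma * t) % p
            if y > p // 2:          # centred residue in (-p/2, p/2]
                y -= p
            if abs(y) > h:
                ok = False
                break
        if ok:
            count += 1
    return count


if __name__ == "__main__":
    p, k, alpha = 17, 2, 11          # constructed toy instance
    ts = [3, 5, 7]
    h = ceil(p / 2**k)               # toy stand-in for the paper's h
    print(in_lattice(p, k, ts, hidden_vector(p, k, alpha, ts)))     # True
    print(max_coordinate_gap(p, k, alpha, ts) < Fraction(p, 2**k))  # True
    print(count_competitors(p, alpha, ts, h))                        # 2
    print(count_competitors(p, alpha, ts + [11], h))                 # 0
```

Since `count_competitors` ranges over $\gamma = \alpha - \beta \ne 0$, its value does not depend on $\alpha$; the two survivors for three multipliers are a pair $\pm\gamma$, as the symmetry of the interval $[-h, h]$ suggests.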

In the next section we study the distribution of the multipliers which arise in our question.

3. Distribution of $g^{x^2}$ modulo $p$

For integers $\lambda, a, r$ and $h$ let us denote by $N_{\lambda,a}(r,h)$ the number of $x \in [0, T-1]$ for which $\lfloor \lambda g^{x^2+2ax} \rfloor_p \in [r+1, r+h]$.

We need the following asymptotic formula which shows that $N_{\lambda,a}(r,h)$ is close to its expected value $Th/p$, provided that $T$ is of larger order than $p^{1/2}$.

Lemma 2. For any $\varepsilon > 0$ there exists $\delta > 0$ such that for any element $g \in \mathbb{F}_p$ of multiplicative order $T \ge p^{1/2+\varepsilon}$ the bound

$$\max_{0 \le r, h \le p-1}\ \max_{0 \le a \le T-1}\ \max_{\gcd(\lambda, p) = 1} \left| N_{\lambda,a}(r,h) - \frac{Th}{p} \right| = O\bigl(T^{1-\delta}\bigr)$$

holds.

Proof. From the identity

$$g^{x^2+2ax} = g^{-a^2} g^{(x+a)^2},$$

after replacing $x + a$ with $x$ we see that it is enough to consider only the case $a = 0$.

We remark that $N_{\lambda,0}(r,h)$ is the number of solutions $x \in \{0, \ldots, T-1\}$ of the congruence

$$\lambda g^{x^2} \equiv y \pmod p, \qquad y = r+1, \ldots, r+h.$$

Using the identity (see Exercise 11.a in Chapter 3 of [15])

$$\sum_{c=0}^{p-1} \exp(2\pi i c u / p) = \begin{cases} 0, & \text{if } u \not\equiv 0 \pmod p; \\ p, & \text{if } u \equiv 0 \pmod p; \end{cases}$$

we obtain

$$N_{\lambda,0}(r,h) = \frac{1}{p} \sum_{x=0}^{T-1} \sum_{y=r+1}^{r+h} \sum_{c=0}^{p-1} \exp\left( \frac{2\pi i c (\lambda g^{x^2} - y)}{p} \right) = \frac{1}{p} \sum_{c=0}^{p-1} \sum_{x=0}^{T-1} \exp\left( \frac{2\pi i c \lambda g^{x^2}}{p} \right) \sum_{y=r+1}^{r+h} \exp\left( \frac{-2\pi i c y}{p} \right).$$

Separating the term $Th/p$ corresponding to $c = 0$ we obtain

$$\left| N_{\lambda,0}(r,h) - \frac{Th}{p} \right| \le \frac{1}{p} \sum_{c=1}^{p-1} \left| \sum_{x=0}^{T-1} \exp\left( \frac{2\pi i c \lambda g^{x^2}}{p} \right) \right| \times \left| \sum_{y=r+1}^{r+h} \exp\left( \frac{-2\pi i c y}{p} \right) \right| = \frac{1}{p} \sum_{c=1}^{p-1} \left| \sum_{x=0}^{T-1} \exp\left( \frac{2\pi i c \lambda g^{x^2}}{p} \right) \right| \times \left| \sum_{y=r+1}^{r+h} \exp\left( \frac{2\pi i c y}{p} \right) \right|.$$

We estimate the sum over $x$ by using the bound

$$\max_{\gcd(c,p)=1} \left| \sum_{x=0}^{T-1} \exp\left( \frac{2\pi i c g^{x^2}}{p} \right) \right| = O\bigl(T^{3/4} p^{1/8+\varepsilon/5}\bigr),$$

which is a special case of Theorem 6 of [4]. Using the estimate

$$\max_{0 \le r, h \le p-1} \sum_{c=1}^{p-1} \left| \sum_{y=r+1}^{r+h} \exp\left( \frac{2\pi i c y}{p} \right) \right| = O(p \log p),$$

see Exercise 11.c in Chapter 3 of [15], we obtain

$$\max_{0 \le r, h \le p-1} \left| N_{\lambda,0}(r,h) - \frac{Th}{p} \right| = O\bigl( T^{3/4} p^{1/8+\varepsilon/8} \log p \bigr).$$

It is easy to see that $T^{3/4} p^{1/8+\varepsilon/8} \le T^{1-\varepsilon/8}$ for $T \ge p^{1/2+\varepsilon}$ and any $\varepsilon > 0$ and the result follows. ✷
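The following Python code is added here and is not part of the paper. It checks the two ingredients of this proof on a constructed instance ($p = 23$, $g = 2$, which has order $T = 11$): it counts $N_{\lambda,a}(r,h)$ directly, recomputes it through the orthogonality identity for $\sum_c \exp(2\pi i c u/p)$ exactly as in the displayed double sum, and verifies the shift identity $g^{x^2+2ax} = g^{-a^2} g^{(x+a)^2}$ that reduces the lemma to the case $a = 0$. All parameter values and function names are the example's own.

```python
import cmath
from math import pi


def multiplicative_order(g, p):
    """Order T of g modulo the prime p (g must be nonzero mod p)."""
    T, x = 1, g % p
    while x != 1:
        x = x * g % p
        T += 1
    return T


def count_direct(p, g, T, lam, a, r, h):
    """N_{lam,a}(r,h): number of x in [0, T-1] with lam*g^(x^2+2ax) mod p in [r+1, r+h]."""
    return sum(1 for x in range(T)
               if r + 1 <= lam * pow(g, x * x + 2 * a * x, p) % p <= r + h)


def count_by_exponential_sums(p, g, T, lam, a, r, h):
    """The same count via the orthogonality identity
    sum_{c=0}^{p-1} exp(2 pi i c u / p) = p if u = 0 (mod p), else 0,
    i.e. N = (1/p) sum_c [sum_x e(c*lam*g^(x^2+2ax)/p)] [sum_y e(-c*y/p)].
    Returns a float equal to the integer count up to rounding error;
    the c = 0 term contributes exactly T*h/p."""
    def e(u):
        return cmath.exp(2j * pi * u / p)

    total = 0
    for c in range(p):
        s_x = sum(e(c * (lam * pow(g, x * x + 2 * a * x, p) % p)) for x in range(T))
        s_y = sum(e(-c * y) for y in range(r + 1, r + h + 1))
        total += s_x * s_y
    return (total / p).real


def shift_identity_holds(p, g, T, a):
    """g^(x^2+2ax) == g^(-a^2) * g^((x+a)^2) mod p for all x in [0, T-1].
    Since g has order T, g^(-a^2) is computed as g^((-a^2) mod T)."""
    g_minus_a2 = pow(g, (-a * a) % T, p)
    return all(pow(g, x * x + 2 * a * x, p) == g_minus_a2 * pow(g, (x + a) ** 2, p) % p
               for x in range(T))


def deviation_from_expected(p, g, T, lam, a, r, h):
    """|N_{lam,a}(r,h) - T*h/p|, the quantity Lemma 2 bounds by O(T^(1-delta))."""
    return abs(count_direct(p, g, T, lam, a, r, h) - T * h / p)


if __name__ == "__main__":
    p, g = 23, 2                                   # constructed toy instance
    T = multiplicative_order(g, p)                 # 11
    print(count_direct(p, g, T, 1, 0, 0, 11))                       # 9
    print(round(count_by_exponential_sums(p, g, T, 1, 0, 0, 11)))   # 9
    print(shift_identity_holds(p, g, T, 4))                          # True
    print(deviation_from_expected(p, g, T, 1, 0, 0, 11))             # |9 - 121/23|
```

Because the exponent of $g$ only matters modulo $T$, the substitution $x \to x + a$ permutes $[0, T-1]$, so `count_direct` with parameters $(\lambda, a)$ agrees with `count_direct` for $(\lambda g^{-a^2} \bmod p,\ 0)$; that is the reduction to $a = 0$ used at the start of the proof.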

4. Main result

For each integer $k$ define the diagonal oracle $\mathcal{DO}_k$ as a 'black box' which, given the value of $X = \lfloor g^x \rfloor_p$, outputs the value of $f_k(g^{x^2})$.

Theorem 3. Let $\omega > 0$ be an arbitrary absolute constant and let

$$k = \left\lceil \omega \left( \frac{\log p \,\log\log\log p}{\log\log p} \right)^{1/2} \right\rceil.$$

For any $\varepsilon > 0$, sufficiently large $p$ and any element $g \in \mathbb{F}_p^*$ of multiplicative order $T \ge p^{1/2+\varepsilon}$, there exists a polynomial time algorithm which for any pair $(a, b) \in [0, T-1]^2$, given the values of $A = \lfloor g^a \rfloor_p$ and $B = \lfloor g^b \rfloor_p$, makes $O(\log^{1/2} p)$ calls of the diagonal oracle $\mathcal{DO}_k$ and computes $\lfloor g^{ab} \rfloor_p$ correctly with probability at least $1 - 1/p$.

Proof. As we have remarked, it has been shown in Section 5.3 of [12] that if there is an oracle computing $\lfloor g^{x^2} \rfloor_p$ from $X = \lfloor g^x \rfloor_p$ then there is a deterministic polynomial time algorithm to compute $\lfloor g^{ab} \rfloor_p$ from $A = \lfloor g^a \rfloor_p$ and $B = \lfloor g^b \rfloor_p$ for any $a$ and $b$. The algorithm uses the simple observation that

$$g^{2ab} \equiv g^{(a+b)^2} g^{-a^2} g^{-b^2} \pmod p,$$

a deterministic polynomial time algorithm for finding square roots in cyclic groups with known generator and the Pohlig–Hellman algorithm to select among the two square roots (when $T$ is odd there is only one square root and this part is not needed).

Thus it is enough to show that there exists an algorithm to compute $\lfloor g^{a^2} \rfloor_p$ from $A = \lfloor g^a \rfloor_p$.

Let $\alpha \equiv g^{a^2} \pmod p$. Then

$$f_k(\alpha g^{x^2+2ax}) = f_k(g^{(a+x)^2}),$$

thus we can use the diagonal oracle $\mathcal{DO}_k$ with the input $\lfloor g^x A \rfloor_p$ to compute $f_k(\alpha g^{x^2+2ax})$ for an integer $x$ chosen uniformly at random in the interval $[0, p-1]$. Because $T \mid p-1$ the values of residues of $x$ modulo $T$ are uniformly distributed in the interval $[0, T-1]$ as well. From Lemma 2 we see that the sequence

$$g^{x^2+2ax}, \qquad x = 0, \ldots, T-1,$$

is $p^{-\delta}$-homogeneously distributed modulo $p$ for some $\delta > 0$ depending only on $\varepsilon$. Thus Lemma 1 can be applied and the result follows. ✷
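As an added example, not code from the paper or from [12], the Python below carries out the two steps of this proof on a constructed instance $p = 23$, $g = 2$, $T = 11$: first the reduction of [12], computing $\lfloor g^{ab} \rfloor_p$ from $A$, $B$ and an oracle for $\lfloor g^{x^2} \rfloor_p$ through $g^{2ab} \equiv g^{(a+b)^2} g^{-a^2} g^{-b^2}$ and the unique square root in a group of odd order; then the randomised diagonal queries of Theorem 3, pairing the answer of $\mathcal{DO}_k$ on $\lfloor g^x A \rfloor_p$ with the known multiplier $t_x = \lfloor g^{x^2} A^{2x} \rfloor_p = \lfloor g^{x^2+2ax} \rfloor_p$, so that the pairs form a hidden number problem instance with hidden number $\alpha = g^{a^2}$. The oracle is a stand-in that recovers $x$ by exhaustive search, which is only possible because $p$ is tiny; the parameter values and function names are the example's own assumptions.

```python
def msb_value(t, p, k):
    """f_k(t): the integer f with (f-1)*p/2^k <= t mod p < f*p/2^k."""
    return (t % p) * 2**k // p + 1


def square_oracle(p, g, T, X):
    """Stand-in for an oracle returning g^(x^2) mod p from X = g^x mod p.
    It finds x by exhaustive search over [0, T-1], feasible only for the
    toy p used here; the reduction built on top of it is the point."""
    x = next(i for i in range(T) if pow(g, i, p) == X)
    return pow(g, x * x, p)


def diagonal_oracle(p, g, T, k, X):
    """DO_k: the k most significant bits f_k(g^(x^2)) of the same value."""
    return msb_value(square_oracle(p, g, T, X), p, k)


def dh_from_square_oracle(p, g, T, A, B):
    """Reduction of [12]: g^(ab) mod p from A = g^a, B = g^b and the
    g^(x^2) oracle, via g^(2ab) = g^((a+b)^2) * g^(-a^2) * g^(-b^2).
    T is assumed odd, so g^(2ab) has a unique square root inside the
    subgroup generated by g: raise it to the power (T+1)/2."""
    if T % 2 == 0:
        raise ValueError("this toy reduction assumes an odd order T")
    g_a2 = square_oracle(p, g, T, A)
    g_b2 = square_oracle(p, g, T, B)
    g_apb2 = square_oracle(p, g, T, A * B % p)     # A*B = g^(a+b)
    # in a group of order T the inverse of z is z^(T-1)
    g_2ab = g_apb2 * pow(g_a2, T - 1, p) * pow(g_b2, T - 1, p) % p
    return pow(g_2ab, (T + 1) // 2, p)


def hnp_instance_from_diagonal_oracle(p, g, T, k, A, xs):
    """One query per x: DO_k on g^x * A (= g^(x+a)) returns
    f_k(g^((x+a)^2)) = f_k(alpha * t_x) with alpha = g^(a^2) and the
    known multiplier t_x = g^(x^2) * A^(2x) = g^(x^2 + 2ax).
    Returns the (t_x, u_x) pairs that Lemma 1 consumes."""
    pairs = []
    for x in xs:
        t_x = pow(g, x * x, p) * pow(A, 2 * x, p) % p
        u_x = diagonal_oracle(p, g, T, k, pow(g, x, p) * A % p)
        pairs.append((t_x, u_x))
    return pairs


def hnp_consistent(p, k, alpha, pairs):
    """True iff u_x == f_k(alpha * t_x) for every pair, i.e. this alpha
    explains every oracle answer."""
    return all(u == msb_value(alpha * t, p, k) for t, u in pairs)


if __name__ == "__main__":
    p, g, T = 23, 2, 11                      # constructed: 2 has order 11 modulo 23
    a, b = 3, 7
    A, B = pow(g, a, p), pow(g, b, p)        # 8 and 13
    print(dh_from_square_oracle(p, g, T, A, B) == pow(g, a * b, p))   # True
    pairs = hnp_instance_from_diagonal_oracle(p, g, T, 3, A, range(T))
    print(hnp_consistent(p, 3, pow(g, a * a, p), pairs))               # True for alpha = g^(a^2)
```

With $k = 3$ and all eleven multipliers, the true $\alpha = g^{a^2}$ is consistent with every answer while other candidates are ruled out by some query; Lemma 1 replaces this exhaustive consistency check by lattice reduction on the vectors built from the same $(t_x, u_x)$ pairs.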

We remark that the constants in the above estimatesare effective and can be explicitly evaluated.

References

[1] M. Ajtai, R. Kumar, D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, in: Proc. 33rd ACM Symp. on Theory of Comput., Crete, Greece, July 6–8, 2001, pp. 601–610.

[2] D. Boneh, R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes, in: Lecture Notes in Comput. Sci., Vol. 1109, Springer, Berlin, 1996, pp. 129–142.

[3] D. Boneh, R. Venkatesan, Rounding in lattices and its cryptographic applications, in: Proc. 8th Annual ACM-SIAM Symp. on Discrete Algorithms, ACM Press, New York, 1997, pp. 675–681.

[4] J.B. Friedlander, J. Hansen, I.E. Shparlinski, Character sums with exponential functions, Mathematika, to appear.

[5] E. El Mahassni, P.Q. Nguyen, I.E. Shparlinski, The insecurity of Nyberg–Rueppel and other DSA-like signature schemes with partially known nonces, in: Lecture Notes in Comput. Sci., Vol. 2146, Springer, Berlin, 2001.

[6] M.I. González Vasco, M. Näslund, A survey of hard core functions, in: Proc. Workshop on Cryptography and Computational Number Theory, Singapore, 1999, Birkhäuser, Basel, 2001, pp. 227–256.

[7] M.I. González Vasco, I.E. Shparlinski, On the security of Diffie–Hellman bits, in: Proc. Workshop on Cryptography and Computational Number Theory, Singapore, 1999, Birkhäuser, Basel, 2001, pp. 257–268.

[8] M.I. González Vasco, I.E. Shparlinski, Security of the most significant bits of the Shamir message passing scheme, Math. Comp., to appear.

[9] R. Kannan, Algorithmic geometry of numbers, Ann. Rev. Comput. Sci. 2 (1987) 231–267.

[10] S.V. Konyagin, I.E. Shparlinski, Character Sums with Exponential Functions and Their Applications, Cambridge Univ. Press, Cambridge, 1999.

[11] D. Lieman, I.E. Shparlinski, On a new exponential sum, Canad. Math. Bull. 41 (2001) 87–92.

[12] U.M. Maurer, S. Wolf, The relationship between breaking the Diffie–Hellman protocol and computing discrete logarithms, SIAM J. Comput. 28 (1999) 1689–1721.

[13] P.Q. Nguyen, I.E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, J. Cryptology, to appear.

[14] P.Q. Nguyen, I.E. Shparlinski, The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces, Preprint, 2001, pp. 1–16.

[15] I.M. Vinogradov, Elements of Number Theory, Dover, New York, 1954.