Diffie–Hellman Problem

The Diffie–Hellman problem (DHP) is a mathematical problem first proposed by Whitfield Diffie and Martin Hellman in the context of cryptography. The motivation for this problem is that many security systems use one-way functions: mathematical operations that are fast to compute, but hard to reverse. For example, they enable encrypting a message, but reversing the encryption is difficult. If solving the DHP were easy, these systems would be easily broken.

Problem description

The Diffie–Hellman problem is stated informally as follows:
: Given an element ''g'' and the values of ''g^x'' and ''g^y'', what is the value of ''g^xy''?

Formally, ''g'' is a generator of some group (typically the multiplicative group of a finite field or an elliptic curve group) and ''x'' and ''y'' are randomly chosen integers.

For example, in the Diffie–Hellman key exchange, an eavesdropper observes ''g^x'' and ''g^y'' exchanged as part of the protocol, and the two parties both compute the shared key ''g^xy''. A fast means of solving the DHP would allow an eavesdropper to violate the privacy of the Diffie–Hellman key exchange and many of its variants, including ElGamal encryption.

Computational complexity

In cryptography, for certain groups, it is ''assumed'' that the DHP is hard, and this is often called the Diffie–Hellman assumption. The problem has survived scrutiny for a few decades and no "easy" solution has yet been publicized.

As of 2006, the most efficient means known to solve the DHP is to solve the discrete logarithm problem (DLP), which is to find ''x'' given ''g'' and ''g''^''x''. In fact, significant progress (by den Boer, Maurer, Wolf, Boneh and Lipton) has been made towards showing that over many groups the DHP is almost as hard as the DLP. There is no proof to date that either the DHP or the DLP is a hard problem, except in generic groups (by Nechaev and Shoup). A proof that either problem is hard implies that P ≠ NP.

Other variants

Many variants of the Diffie–Hellman problem have been considered. The most significant variant is the decisional Diffie–Hellman problem (DDHP), which is to distinguish ''g''^''xy'' from a random group element, given ''g'', ''g''^''x'', and ''g''^''y''. Sometimes the DHP is called the computational Diffie–Hellman problem (CDHP) to more clearly distinguish it from the DDHP. Recently groups with pairings have become popular, and in these groups the DDHP is easy, yet the DHP is still assumed to be hard. For less significant variants of the DHP see the references.

References

* B. den Boer, ''Diffie–Hellman is as strong as discrete log for certain primes'' in Advances in Cryptology – CRYPTO 88, Lecture Notes in Computer Science 403, Springer, p. 530, 1988.
* U. M. Maurer and S. Wolf, ''Diffie–Hellman oracle'' in Advances in Cryptology – CRYPTO 96, (N. Koblitz, ed.), Lecture Notes in Computer Science 1070, Springer, pp. 268–282, 1996.
*
* D. Boneh and R. J. Lipton, ''Algorithms for black-box fields and their application to cryptotography'' in Advances in Cryptology – CRYPTO 96, (N. Koblitz, ed.), Lecture Notes in Computer Science 1070, Springer, pp. 283–297, 1996.
* A. Muzereau, N. P. Smart and F. Vercauteran, ''The equivalence between the DHP and DLP for elliptic curves used in practical applications'', LMS J. Comput. Math., 7, pp. 50–72, 2004. See ww.lms.ac.uk
* D. R. L. Brown and R. P. Gallant
''The Static Diffie–Hellman Problem''
IACR ePrint 2004/306.
* V. I. Nechaev, ''Complexity of a determinate algorithm for the discrete logarithm'', Mathematical Notes, 55 (2), pp. 165–172, 1994.
* V. Shoup, ''Lower bounds for discrete logarithms and related problems'' in Advances in Cryptology – EUROCRYPT 97, (W. Fumy, ed.), Lecture Notes in Computer Science 1233, Springer, pp. 256–266, 1997.
*
*
*
*
*
*

{{DEFAULTSORT:Diffie-Hellman problem
Computational hardness assumptions
Finite fields