Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Author

  • Jonah Brown-Cohen
Abstract

The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice and Bob, to agree on a shared secret key despite the fact that any of the messages sent between the two of them might be intercepted. That is, the goal of the protocol is to make it impossible for some third party, say Eve, who sees all the communication between Alice and Bob, to determine the shared secret key. Let $G = \langle g \rangle$ be a cyclic group with generator $g$. To perform the Diffie-Hellman protocol, first Alice chooses a secret number $a < |G|$, and Bob chooses a secret $b < |G|$. Then Alice sends $g^a$ to Bob, and Bob sends $g^b$ to Alice. Now, Alice computes $(g^b)^a = g^{ab}$, and Bob computes $(g^a)^b = g^{ab}$. Thus, the two of them have agreed on a shared secret group element $g^{ab} \in G$.

The question then is: is it possible for the eavesdropper Eve to determine $g^{ab}$ from the communications sent between Alice and Bob? Note that there are only two messages sent between Alice and Bob, namely the two group elements $g^a$ and $g^b$. Thus the problem becomes: given $\{g^a, g^b\}$, compute $g^{ab}$. This is the Diffie-Hellman problem, and the assumption that it is hard (in the sense that no efficient algorithm exists) is central in many cryptographic protocols.

One of the reasons for this assumption has to do with the relationship of the Diffie-Hellman problem to the problem of computing discrete logarithms in a cyclic group $G$. Note that if it were possible to efficiently compute the discrete logarithm $a$ of $g^a$, then an attacker could easily solve the Diffie-Hellman problem by first computing $a$ from $g^a$, and then calculating $(g^b)^a = g^{ab}$. Thus, the Discrete Log problem is at least as hard as the Diffie-Hellman problem. The other direction of this relationship, i.e. whether the Diffie-Hellman problem is as hard as the Discrete Log problem, is a fundamental open question in cryptography.

Since the Discrete Log problem is generally thought to be hard, a reduction from Discrete Log to Diffie-Hellman would give strong evidence that the Diffie-Hellman protocol is secure. One of the first steps toward such a reduction was made by den Boer in [1]. He showed that for primes $p$ satisfying a certain condition, there is a reduction from Discrete Log to Diffie-Hellman in the group $\mathbb{Z}_p^*$. The condition required was that $\varphi(p - 1)$ had only small prime factors. Here $\varphi(n)$ is Euler's totient function, which counts the number of positive integers less than $n$ that are coprime to $n$. This result was later generalized to all groups by Maurer in [2] using elliptic curves, and requiring a different number-theoretic assumption. In this paper, we will present Maurer's main result, along with the necessary background from number theory.
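The easy direction described in the abstract (a discrete-log solver gives a Diffie-Hellman solver) can be run end to end in a deliberately tiny group, which also shows why the group must be large enough that no such solver is feasible. This is an added example, not code from the paper; the prime 1019, generator 2, the secrets 347 and 802, and all function names are constructed for illustration.

```python
from math import isqrt

P, G = 1019, 2   # constructed toy group Z_P^*; real groups use >= 2048-bit primes

def prime_factors(n):
    """Distinct prime factors by trial division (toy sizes only)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    return out | ({n} if n > 1 else set())

def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def discrete_log(h, g, p):
    """Baby-step giant-step: return x with g^x = h (mod p), about sqrt(p) work."""
    m = isqrt(p - 1) + 1
    baby = {pow(g, j, p): j for j in range(m)}
    step, gamma = pow(g, -m, p), h          # step = g^(-m) mod p (Python 3.8+)
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % (p - 1)
        gamma = gamma * step % p
    raise ValueError("h is not in the subgroup generated by g")

def exchange(a, b, g=G, p=P):
    """Honest run: returns the two public messages and the agreed key g^(ab)."""
    A, B = pow(g, a, p), pow(g, b, p)
    assert pow(B, a, p) == pow(A, b, p)     # Alice's and Bob's values agree
    return A, B, pow(B, a, p)

def cdh_via_dlog(A, B, g=G, p=P):
    """Eve's view: only g^a and g^b are known; a DL solver recovers g^(ab)."""
    return pow(B, discrete_log(A, g, p), p)

def largest_factor_of_phi(p):
    """Largest prime factor of phi(p-1), the quantity in den Boer's condition."""
    n = p - 1
    for q in prime_factors(p - 1):
        n -= n // q                          # n *= (1 - 1/q)
    return max(prime_factors(n))

if __name__ == "__main__":
    A, B, key = exchange(a=347, b=802)
    print("Eve recovers key:", cdh_via_dlog(A, B) == key)
    print("largest prime factor of phi(P-1):", largest_factor_of_phi(P))
```

The square-root cost of `discrete_log` is what makes this work only at toy sizes; the converse direction (a Diffie-Hellman solver giving a discrete-log solver) is the part the paper addresses and is not shown here.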


Similar resources

Indiscreet Logs: Diffie-Hellman Backdoors in TLS

Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they encounter define cyclic groups for which the discrete logarithm problem is assumed to be hard. In this paper we explore this trust assumption and examine situations where it may not be justified. In particular we focus on groups for which the order ...


The equivalence of the computational Diffie–Hellman and discrete logarithm problems in certain groups

Whether the discrete logarithm problem can be reduced to the Diffie–Hellman problem is a celebrated open question. The security of Diffie–Hellman key exchange and other cryptographic protocols rests on the assumed difficulty of the computational Diffie–Hellman problem; such a reduction would show that this is equivalent to assuming that computing discrete logarithms is hard. What is known is th...


Short Exponent Diffie-Hellman Problems

In this paper, we study short exponent Diffie-Hellman problems, where significantly many lower bits are zeros in the exponent. We first prove that the decisional version of this problem is as hard as two well known hard problems, the standard decisional Diffie-Hellman problem (DDH) and the short exponent discrete logarithm problem. It implies that we can improve the efficiency of ElGamal scheme...


Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they are presented with are trustworthy, i.e., the parameters implement cyclic groups where the discrete logarithm problem is assumed to be hard. An informal and widespread justification for this seemingly exists that says validating parameters at run ti...


Diffie-Hellman type key exchange protocols based on isogenies

In this paper, we propose some Diffie-Hellman type key exchange protocols using isogenies of elliptic curves. The first method, which uses the endomorphism ring of an ordinary elliptic curve $E$, is a straightforward generalization of elliptic curve Diffie-Hellman key exchange. The method uses commutativity of the endomorphism ring $End(E)$. Then using dual isogenies, we propose...




Publication date: 2012