On the Diiculty of Breaking the Diie-hellman Protocol

Let G be a cyclic group with generator g and order jGj with known factorization. We prove that, given an appropriate auxiliary group H p for each large prime factor p of jGj, breaking the Diie-Hellman protocol and computing discrete logarithms are polynomial-time equivalent for G. Appropriate auxiliary groups H p are elliptic curves over GF (p) or extension elds, subgroups of the multiplicative groups of such extension elds and Jacobians of hyperelliptic curves. Under a number-theoretic conjecture on smooth numbers, there exists a side information string S of length at most 2 log jGj, which depends only on jGj, such that given S, breaking the DH protocol and computing discrete logarithms are equivalent for G. We give a long list of expressions in p such that if for each large prime factor p of jGj, one of the expressions in the list is smooth, then S is eeciently constructable. It is also shown how to construct DH groups satisfying provable equivalence.